From: Greg Kroah-Hartman Date: Sat, 24 Jun 2023 14:12:01 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v4.14.320~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cfe34867727c390e8f709dda0e05eb4056047c07;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch --- diff --git a/queue-6.1/arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch b/queue-6.1/arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch new file mode 100644 index 00000000000..dccd7f55adb --- /dev/null +++ b/queue-6.1/arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch @@ -0,0 +1,82 @@ +From 568a67e742dfa90b19a23305317164c5c350b71e Mon Sep 17 00:00:00 2001 +From: Andrew Powers-Holmes +Date: Thu, 1 Jun 2023 15:25:16 +0200 +Subject: arm64: dts: rockchip: Fix rk356x PCIe register and range mappings + +From: Andrew Powers-Holmes + +commit 568a67e742dfa90b19a23305317164c5c350b71e upstream. + +The register and range mappings for the PCIe controller in Rockchip's +RK356x SoCs are incorrect. Replace them with corrected values from the +vendor BSP sources, updated to match current DT schema. + +These values are also used in u-boot. + +Fixes: 66b51ea7d70f ("arm64: dts: rockchip: Add rk3568 PCIe2x1 controller") +Cc: stable@vger.kernel.org +Signed-off-by: Andrew Powers-Holmes +Signed-off-by: Jonas Karlman +Signed-off-by: Nicolas Frattaroli +Tested-by: Diederik de Haas +Link: https://lore.kernel.org/r/20230601132516.153934-1-frattaroli.nicolas@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3568.dtsi | 14 ++++++++------ + arch/arm64/boot/dts/rockchip/rk356x.dtsi | 7 ++++--- + 2 files changed, 12 insertions(+), 9 deletions(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3568.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3568.dtsi +@@ -94,9 +94,10 @@ + power-domains = <&power RK3568_PD_PIPE>; + reg = <0x3 0xc0400000 0x0 0x00400000>, + <0x0 0xfe270000 0x0 0x00010000>, +- <0x3 0x7f000000 0x0 0x01000000>; +- ranges = <0x01000000 0x0 0x3ef00000 0x3 0x7ef00000 0x0 0x00100000>, +- <0x02000000 0x0 0x00000000 0x3 0x40000000 0x0 0x3ef00000>; ++ <0x0 0xf2000000 0x0 0x00100000>; ++ ranges = <0x01000000 0x0 0xf2100000 0x0 0xf2100000 0x0 0x00100000>, ++ <0x02000000 0x0 0xf2200000 0x0 0xf2200000 0x0 0x01e00000>, ++ <0x03000000 0x0 0x40000000 0x3 0x40000000 0x0 0x40000000>; + reg-names = "dbi", "apb", "config"; + resets = <&cru SRST_PCIE30X1_POWERUP>; + reset-names = "pipe"; +@@ -146,9 +147,10 @@ + power-domains = <&power RK3568_PD_PIPE>; + reg = <0x3 0xc0800000 0x0 0x00400000>, + <0x0 0xfe280000 0x0 0x00010000>, +- <0x3 0xbf000000 0x0 0x01000000>; +- ranges = <0x01000000 0x0 0x3ef00000 0x3 0xbef00000 0x0 0x00100000>, +- <0x02000000 0x0 0x00000000 0x3 0x80000000 0x0 0x3ef00000>; ++ <0x0 0xf0000000 0x0 0x00100000>; ++ ranges = <0x01000000 0x0 0xf0100000 0x0 0xf0100000 0x0 0x00100000>, ++ <0x02000000 0x0 0xf0200000 0x0 0xf0200000 0x0 0x01e00000>, ++ <0x03000000 0x0 0x40000000 0x3 0x80000000 0x0 0x40000000>; + reg-names = "dbi", "apb", "config"; + resets = <&cru SRST_PCIE30X2_POWERUP>; + reset-names = "pipe"; +--- a/arch/arm64/boot/dts/rockchip/rk356x.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk356x.dtsi +@@ -951,7 +951,7 @@ + compatible = "rockchip,rk3568-pcie"; + reg = <0x3 0xc0000000 0x0 0x00400000>, + <0x0 0xfe260000 0x0 0x00010000>, +- <0x3 0x3f000000 0x0 0x01000000>; ++ <0x0 0xf4000000 0x0 0x00100000>; + reg-names = "dbi", "apb", "config"; + interrupts = , + , +@@ -981,8 +981,9 @@ + phys = <&combphy2 PHY_TYPE_PCIE>; + phy-names = "pcie-phy"; + power-domains = <&power RK3568_PD_PIPE>; +- ranges = <0x01000000 0x0 0x3ef00000 0x3 0x3ef00000 0x0 0x00100000 +- 0x02000000 0x0 0x00000000 0x3 0x00000000 0x0 0x3ef00000>; ++ ranges = <0x01000000 0x0 0xf4100000 0x0 0xf4100000 0x0 0x00100000>, ++ <0x02000000 0x0 0xf4200000 0x0 0xf4200000 0x0 0x01e00000>, ++ <0x03000000 0x0 0x40000000 0x3 0x00000000 0x0 0x40000000>; + resets = <&cru SRST_PCIE20_POWERUP>; + reset-names = "pipe"; + #address-cells = <3>; diff --git a/queue-6.1/io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch b/queue-6.1/io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch new file mode 100644 index 00000000000..1b2311d89be --- /dev/null +++ b/queue-6.1/io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch @@ -0,0 +1,71 @@ +From 43721de4aa349adcf785e00ceecddcc4a70ac9f2 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Sat, 17 Jun 2023 19:50:24 -0600 +Subject: io_uring/poll: serialize poll linked timer start with poll removal + +From: Jens Axboe + +Commit ef7dfac51d8ed961b742218f526bd589f3900a59 upstream. + +We selectively grab the ctx->uring_lock for poll update/removal, but +we really should grab it from the start to fully synchronize with +linked timeouts. Normally this is indeed the case, but if requests +are forced async by the application, we don't fully cover removal +and timer disarm within the uring_lock. + +Make this simpler by having consistent locking state for poll removal. + +Cc: stable@vger.kernel.org # 6.1+ +Reported-by: Querijn Voet +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/poll.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -993,8 +993,9 @@ int io_poll_remove(struct io_kiocb *req, + struct io_hash_bucket *bucket; + struct io_kiocb *preq; + int ret2, ret = 0; +- bool locked; ++ bool locked = true; + ++ io_ring_submit_lock(ctx, issue_flags); + preq = io_poll_find(ctx, true, &cd, &ctx->cancel_table, &bucket); + ret2 = io_poll_disarm(preq); + if (bucket) +@@ -1006,12 +1007,10 @@ int io_poll_remove(struct io_kiocb *req, + goto out; + } + +- io_ring_submit_lock(ctx, issue_flags); + preq = io_poll_find(ctx, true, &cd, &ctx->cancel_table_locked, &bucket); + ret2 = io_poll_disarm(preq); + if (bucket) + spin_unlock(&bucket->lock); +- io_ring_submit_unlock(ctx, issue_flags); + if (ret2) { + ret = ret2; + goto out; +@@ -1035,7 +1034,7 @@ found: + if (poll_update->update_user_data) + preq->cqe.user_data = poll_update->new_user_data; + +- ret2 = io_poll_add(preq, issue_flags); ++ ret2 = io_poll_add(preq, issue_flags & ~IO_URING_F_UNLOCKED); + /* successfully updated, don't complete poll request */ + if (!ret2 || ret2 == -EIOCBQUEUED) + goto out; +@@ -1043,9 +1042,9 @@ found: + + req_set_fail(preq); + io_req_set_res(preq, -ECANCELED, 0); +- locked = !(issue_flags & IO_URING_F_UNLOCKED); + io_req_task_complete(preq, &locked); + out: ++ io_ring_submit_unlock(ctx, issue_flags); + if (ret < 0) { + req_set_fail(req); + return ret; diff --git a/queue-6.1/nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch b/queue-6.1/nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch new file mode 100644 index 00000000000..a492ac8fd18 --- /dev/null +++ b/queue-6.1/nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch @@ -0,0 +1,56 @@ +From 782e53d0c14420858dbf0f8f797973c150d3b6d7 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Mon, 12 Jun 2023 11:14:56 +0900 +Subject: nilfs2: prevent general protection fault in nilfs_clear_dirty_page() + +From: Ryusuke Konishi + +commit 782e53d0c14420858dbf0f8f797973c150d3b6d7 upstream. + +In a syzbot stress test that deliberately causes file system errors on +nilfs2 with a corrupted disk image, it has been reported that +nilfs_clear_dirty_page() called from nilfs_clear_dirty_pages() can cause a +general protection fault. + +In nilfs_clear_dirty_pages(), when looking up dirty pages from the page +cache and calling nilfs_clear_dirty_page() for each dirty page/folio +retrieved, the back reference from the argument page to "mapping" may have +been changed to NULL (and possibly others). It is necessary to check this +after locking the page/folio. + +So, fix this issue by not calling nilfs_clear_dirty_page() on a page/folio +after locking it in nilfs_clear_dirty_pages() if the back reference +"mapping" from the page/folio is different from the "mapping" that held +the page/folio just before. + +Link: https://lkml.kernel.org/r/20230612021456.3682-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+53369d11851d8f26735c@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/000000000000da4f6b05eb9bf593@google.com +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/page.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/page.c ++++ b/fs/nilfs2/page.c +@@ -369,7 +369,15 @@ void nilfs_clear_dirty_pages(struct addr + struct page *page = pvec.pages[i]; + + lock_page(page); +- nilfs_clear_dirty_page(page, silent); ++ ++ /* ++ * This page may have been removed from the address ++ * space by truncation or invalidation when the lock ++ * was acquired. Skip processing in that case. ++ */ ++ if (likely(page->mapping == mapping)) ++ nilfs_clear_dirty_page(page, silent); ++ + unlock_page(page); + } + pagevec_release(&pvec); diff --git a/queue-6.1/series b/queue-6.1/series index 60de73c9f91..d0be1693a1d 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -72,3 +72,6 @@ wifi-iwlwifi-pcie-handle-so-f-device-for-pci-id-0x7af0.patch spi-spi-geni-qcom-correctly-handle-eprobe_defer-from.patch regulator-pca9450-fix-ldo3out-and-ldo4out-mask.patch regmap-spi-avmm-fix-regmap_bus-max_raw_write.patch +arm64-dts-rockchip-fix-rk356x-pcie-register-and-range-mappings.patch +io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch +nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch