From: Sasha Levin Date: Sun, 19 Mar 2023 22:25:14 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v4.14.311~56 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d1b0533a4690c23fab9f78d21a140f30b8f69cfe;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/drm-amdkfd-fix-an-illegal-memory-access.patch b/queue-4.19/drm-amdkfd-fix-an-illegal-memory-access.patch new file mode 100644 index 00000000000..43fa86ff801 --- /dev/null +++ b/queue-4.19/drm-amdkfd-fix-an-illegal-memory-access.patch @@ -0,0 +1,82 @@ +From aca107507ab38ac43560e4e41952e350159becfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Feb 2023 11:35:16 +0000 +Subject: drm/amdkfd: Fix an illegal memory access + +From: Qu Huang + +[ Upstream commit 4fc8fff378b2f2039f2a666d9f8c570f4e58352c ] + +In the kfd_wait_on_events() function, the kfd_event_waiter structure is +allocated by alloc_event_waiters(), but the event field of the waiter +structure is not initialized; When copy_from_user() fails in the +kfd_wait_on_events() function, it will enter exception handling to +release the previously allocated memory of the waiter structure; +Due to the event field of the waiters structure being accessed +in the free_waiters() function, this results in illegal memory access +and system crash, here is the crash log: + +localhost kernel: RIP: 0010:native_queued_spin_lock_slowpath+0x185/0x1e0 +localhost kernel: RSP: 0018:ffffaa53c362bd60 EFLAGS: 00010082 +localhost kernel: RAX: ff3d3d6bff4007cb RBX: 0000000000000282 RCX: 00000000002c0000 +localhost kernel: RDX: ffff9e855eeacb80 RSI: 000000000000279c RDI: ffffe7088f6a21d0 +localhost kernel: RBP: ffffe7088f6a21d0 R08: 00000000002c0000 R09: ffffaa53c362be64 +localhost kernel: R10: ffffaa53c362bbd8 R11: 0000000000000001 R12: 0000000000000002 +localhost kernel: R13: ffff9e7ead15d600 R14: 0000000000000000 R15: ffff9e7ead15d698 +localhost kernel: FS: 0000152a3d111700(0000) GS:ffff9e855ee80000(0000) knlGS:0000000000000000 +localhost kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +localhost kernel: CR2: 0000152938000010 CR3: 000000044d7a4000 CR4: 00000000003506e0 +localhost kernel: Call Trace: +localhost kernel: _raw_spin_lock_irqsave+0x30/0x40 +localhost kernel: remove_wait_queue+0x12/0x50 +localhost kernel: kfd_wait_on_events+0x1b6/0x490 [hydcu] +localhost kernel: ? ftrace_graph_caller+0xa0/0xa0 +localhost kernel: kfd_ioctl+0x38c/0x4a0 [hydcu] +localhost kernel: ? kfd_ioctl_set_trap_handler+0x70/0x70 [hydcu] +localhost kernel: ? kfd_ioctl_create_queue+0x5a0/0x5a0 [hydcu] +localhost kernel: ? ftrace_graph_caller+0xa0/0xa0 +localhost kernel: __x64_sys_ioctl+0x8e/0xd0 +localhost kernel: ? syscall_trace_enter.isra.18+0x143/0x1b0 +localhost kernel: do_syscall_64+0x33/0x80 +localhost kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9 +localhost kernel: RIP: 0033:0x152a4dff68d7 + +Allocate the structure with kcalloc, and remove redundant 0-initialization +and a redundant loop condition check. + +Signed-off-by: Qu Huang +Signed-off-by: Felix Kuehling +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_events.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_events.c +index 892077377339a..8f23192b67095 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c +@@ -529,16 +529,13 @@ static struct kfd_event_waiter *alloc_event_waiters(uint32_t num_events) + struct kfd_event_waiter *event_waiters; + uint32_t i; + +- event_waiters = kmalloc_array(num_events, +- sizeof(struct kfd_event_waiter), +- GFP_KERNEL); ++ event_waiters = kcalloc(num_events, sizeof(struct kfd_event_waiter), ++ GFP_KERNEL); + if (!event_waiters) + return NULL; + +- for (i = 0; (event_waiters) && (i < num_events) ; i++) { ++ for (i = 0; i < num_events; i++) + init_wait(&event_waiters[i].wait); +- event_waiters[i].activated = false; +- } + + return event_waiters; + } +-- +2.39.2 + diff --git a/queue-4.19/ext4-fail-ext4_iget-if-special-inode-unallocated.patch b/queue-4.19/ext4-fail-ext4_iget-if-special-inode-unallocated.patch new file mode 100644 index 00000000000..6fe8f42f02d --- /dev/null +++ b/queue-4.19/ext4-fail-ext4_iget-if-special-inode-unallocated.patch @@ -0,0 +1,76 @@ +From c938861db47b05752b219339cc43cda764e5bf92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Jan 2023 11:21:25 +0800 +Subject: ext4: fail ext4_iget if special inode unallocated +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Baokun Li + +[ Upstream commit 5cd740287ae5e3f9d1c46f5bfe8778972fd6d3fe ] + +In ext4_fill_super(), EXT4_ORPHAN_FS flag is cleared after +ext4_orphan_cleanup() is executed. Therefore, when __ext4_iget() is +called to get an inode whose i_nlink is 0 when the flag exists, no error +is returned. If the inode is a special inode, a null pointer dereference +may occur. If the value of i_nlink is 0 for any inodes (except boot loader +inodes) got by using the EXT4_IGET_SPECIAL flag, the current file system +is corrupted. Therefore, make the ext4_iget() function return an error if +it gets such an abnormal special inode. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199179 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216541 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216539 +Reported-by: Luís Henriques +Suggested-by: Theodore Ts'o +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230107032126.4165860-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inode.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 6e7989b04d2bf..e844d91c461b0 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4947,13 +4947,6 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + goto bad_inode; + raw_inode = ext4_raw_inode(&iloc); + +- if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { +- ext4_error_inode(inode, function, line, 0, +- "iget: root inode unallocated"); +- ret = -EFSCORRUPTED; +- goto bad_inode; +- } +- + if ((flags & EXT4_IGET_HANDLE) && + (raw_inode->i_links_count == 0) && (raw_inode->i_mode == 0)) { + ret = -ESTALE; +@@ -5024,11 +5017,16 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + * NeilBrown 1999oct15 + */ + if (inode->i_nlink == 0) { +- if ((inode->i_mode == 0 || ++ if ((inode->i_mode == 0 || flags & EXT4_IGET_SPECIAL || + !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS)) && + ino != EXT4_BOOT_LOADER_INO) { +- /* this inode is deleted */ +- ret = -ESTALE; ++ /* this inode is deleted or unallocated */ ++ if (flags & EXT4_IGET_SPECIAL) { ++ ext4_error_inode(inode, function, line, 0, ++ "iget: special inode unallocated"); ++ ret = -EFSCORRUPTED; ++ } else ++ ret = -ESTALE; + goto bad_inode; + } + /* The only unlinked inodes we let through here have +-- +2.39.2 + diff --git a/queue-4.19/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch b/queue-4.19/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch new file mode 100644 index 00000000000..42e0f86f431 --- /dev/null +++ b/queue-4.19/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch @@ -0,0 +1,97 @@ +From 2a65328d2d133a006abe31cfea4b360194edf92c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 21:34:36 +0800 +Subject: ext4: fix task hung in ext4_xattr_delete_inode + +From: Baokun Li + +[ Upstream commit 0f7bfd6f8164be32dbbdf36aa1e5d00485c53cd7 ] + +Syzbot reported a hung task problem: +================================================================== +INFO: task syz-executor232:5073 blocked for more than 143 seconds. + Not tainted 6.2.0-rc2-syzkaller-00024-g512dee0c00ad #0 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:syz-exec232 state:D stack:21024 pid:5073 ppid:5072 flags:0x00004004 +Call Trace: + + context_switch kernel/sched/core.c:5244 [inline] + __schedule+0x995/0xe20 kernel/sched/core.c:6555 + schedule+0xcb/0x190 kernel/sched/core.c:6631 + __wait_on_freeing_inode fs/inode.c:2196 [inline] + find_inode_fast+0x35a/0x4c0 fs/inode.c:950 + iget_locked+0xb1/0x830 fs/inode.c:1273 + __ext4_iget+0x22e/0x3ed0 fs/ext4/inode.c:4861 + ext4_xattr_inode_iget+0x68/0x4e0 fs/ext4/xattr.c:389 + ext4_xattr_inode_dec_ref_all+0x1a7/0xe50 fs/ext4/xattr.c:1148 + ext4_xattr_delete_inode+0xb04/0xcd0 fs/ext4/xattr.c:2880 + ext4_evict_inode+0xd7c/0x10b0 fs/ext4/inode.c:296 + evict+0x2a4/0x620 fs/inode.c:664 + ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474 + __ext4_fill_super fs/ext4/super.c:5516 [inline] + ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644 + get_tree_bdev+0x400/0x620 fs/super.c:1282 + vfs_get_tree+0x88/0x270 fs/super.c:1489 + do_new_mount+0x289/0xad0 fs/namespace.c:3145 + do_mount fs/namespace.c:3488 [inline] + __do_sys_mount fs/namespace.c:3697 [inline] + __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7fa5406fd5ea +RSP: 002b:00007ffc7232f968 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fa5406fd5ea +RDX: 0000000020000440 RSI: 0000000020000000 RDI: 00007ffc7232f970 +RBP: 00007ffc7232f970 R08: 00007ffc7232f9b0 R09: 0000000000000432 +R10: 0000000000804a03 R11: 0000000000000202 R12: 0000000000000004 +R13: 0000555556a7a2c0 R14: 00007ffc7232f9b0 R15: 0000000000000000 + +================================================================== + +The problem is that the inode contains an xattr entry with ea_inum of 15 +when cleaning up an orphan inode <15>. When evict inode <15>, the reference +counting of the corresponding EA inode is decreased. When EA inode <15> is +found by find_inode_fast() in __ext4_iget(), it is found that the EA inode +holds the I_FREEING flag and waits for the EA inode to complete deletion. +As a result, when inode <15> is being deleted, we wait for inode <15> to +complete the deletion, resulting in an infinite loop and triggering Hung +Task. To solve this problem, we only need to check whether the ino of EA +inode and parent is the same before getting EA inode. + +Link: https://syzkaller.appspot.com/bug?extid=77d6fcc37bbb92f26048 +Reported-by: syzbot+77d6fcc37bbb92f26048@syzkaller.appspotmail.com +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230110133436.996350-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/xattr.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 2a70b7556e419..a91b02091b160 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -384,6 +384,17 @@ static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino, + struct inode *inode; + int err; + ++ /* ++ * We have to check for this corruption early as otherwise ++ * iget_locked() could wait indefinitely for the state of our ++ * parent inode. ++ */ ++ if (parent->i_ino == ea_ino) { ++ ext4_error(parent->i_sb, ++ "Parent and EA inode have the same ino %lu", ea_ino); ++ return -EFSCORRUPTED; ++ } ++ + inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_NORMAL); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); +-- +2.39.2 + diff --git a/queue-4.19/hwmon-adt7475-display-smoothing-attributes-in-correc.patch b/queue-4.19/hwmon-adt7475-display-smoothing-attributes-in-correc.patch new file mode 100644 index 00000000000..f00a360c980 --- /dev/null +++ b/queue-4.19/hwmon-adt7475-display-smoothing-attributes-in-correc.patch @@ -0,0 +1,44 @@ +From faf63df2260532b44ee290fcf49dc65c747cec7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Feb 2023 13:52:27 +1300 +Subject: hwmon: (adt7475) Display smoothing attributes in correct order + +From: Tony O'Brien + +[ Upstream commit 5f8d1e3b6f9b5971f9c06d5846ce00c49e3a8d94 ] + +Throughout the ADT7475 driver, attributes relating to the temperature +sensors are displayed in the order Remote 1, Local, Remote 2. Make +temp_st_show() conform to this expectation so that values set by +temp_st_store() can be displayed using the correct attribute. + +Fixes: 8f05bcc33e74 ("hwmon: (adt7475) temperature smoothing") +Signed-off-by: Tony O'Brien +Link: https://lore.kernel.org/r/20230222005228.158661-2-tony.obrien@alliedtelesis.co.nz +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/adt7475.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/adt7475.c b/drivers/hwmon/adt7475.c +index 0a87c5b512862..bde5fe10a95a5 100644 +--- a/drivers/hwmon/adt7475.c ++++ b/drivers/hwmon/adt7475.c +@@ -554,11 +554,11 @@ static ssize_t show_temp_st(struct device *dev, struct device_attribute *attr, + val = data->enh_acoustics[0] & 0xf; + break; + case 1: +- val = (data->enh_acoustics[1] >> 4) & 0xf; ++ val = data->enh_acoustics[1] & 0xf; + break; + case 2: + default: +- val = data->enh_acoustics[1] & 0xf; ++ val = (data->enh_acoustics[1] >> 4) & 0xf; + break; + } + +-- +2.39.2 + diff --git a/queue-4.19/hwmon-adt7475-fix-masking-of-hysteresis-registers.patch b/queue-4.19/hwmon-adt7475-fix-masking-of-hysteresis-registers.patch new file mode 100644 index 00000000000..8340ced08b3 --- /dev/null +++ b/queue-4.19/hwmon-adt7475-fix-masking-of-hysteresis-registers.patch @@ -0,0 +1,42 @@ +From f1b880f2f815c935b1e8059e243457d8416bd584 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Feb 2023 13:52:28 +1300 +Subject: hwmon: (adt7475) Fix masking of hysteresis registers + +From: Tony O'Brien + +[ Upstream commit 48e8186870d9d0902e712d601ccb7098cb220688 ] + +The wrong bits are masked in the hysteresis register; indices 0 and 2 +should zero bits [7:4] and preserve bits [3:0], and index 1 should zero +bits [3:0] and preserve bits [7:4]. + +Fixes: 1c301fc5394f ("hwmon: Add a driver for the ADT7475 hardware monitoring chip") +Signed-off-by: Tony O'Brien +Link: https://lore.kernel.org/r/20230222005228.158661-3-tony.obrien@alliedtelesis.co.nz +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/adt7475.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/adt7475.c b/drivers/hwmon/adt7475.c +index bde5fe10a95a5..2db2665dcd4dc 100644 +--- a/drivers/hwmon/adt7475.c ++++ b/drivers/hwmon/adt7475.c +@@ -485,10 +485,10 @@ static ssize_t set_temp(struct device *dev, struct device_attribute *attr, + val = (temp - val) / 1000; + + if (sattr->index != 1) { +- data->temp[HYSTERSIS][sattr->index] &= 0xF0; ++ data->temp[HYSTERSIS][sattr->index] &= 0x0F; + data->temp[HYSTERSIS][sattr->index] |= (val & 0xF) << 4; + } else { +- data->temp[HYSTERSIS][sattr->index] &= 0x0F; ++ data->temp[HYSTERSIS][sattr->index] &= 0xF0; + data->temp[HYSTERSIS][sattr->index] |= (val & 0xF); + } + +-- +2.39.2 + diff --git a/queue-4.19/hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch b/queue-4.19/hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch new file mode 100644 index 00000000000..bdfc63a40df --- /dev/null +++ b/queue-4.19/hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch @@ -0,0 +1,52 @@ +From 42801d24a5887f28105db4eec1be86b30b2f9908 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 16:40:07 +0800 +Subject: hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to + race condition + +From: Zheng Wang + +[ Upstream commit cb090e64cf25602b9adaf32d5dfc9c8bec493cd1 ] + +In xgene_hwmon_probe, &ctx->workq is bound with xgene_hwmon_evt_work. +Then it will be started. + +If we remove the driver which will call xgene_hwmon_remove to clean up, +there may be unfinished work. + +The possible sequence is as follows: + +Fix it by finishing the work before cleanup in xgene_hwmon_remove. + +CPU0 CPU1 + + |xgene_hwmon_evt_work +xgene_hwmon_remove | +kfifo_free(&ctx->async_msg_fifo);| + | + |kfifo_out_spinlocked + |//use &ctx->async_msg_fifo +Fixes: 2ca492e22cb7 ("hwmon: (xgene) Fix crash when alarm occurs before driver probe") +Signed-off-by: Zheng Wang +Link: https://lore.kernel.org/r/20230310084007.1403388-1-zyytlz.wz@163.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/xgene-hwmon.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/xgene-hwmon.c b/drivers/hwmon/xgene-hwmon.c +index a3cd91f232679..2dd19a4203052 100644 +--- a/drivers/hwmon/xgene-hwmon.c ++++ b/drivers/hwmon/xgene-hwmon.c +@@ -780,6 +780,7 @@ static int xgene_hwmon_remove(struct platform_device *pdev) + { + struct xgene_hwmon_dev *ctx = platform_get_drvdata(pdev); + ++ cancel_work_sync(&ctx->workq); + hwmon_device_unregister(ctx->hwmon_dev); + kfifo_free(&ctx->async_msg_fifo); + if (acpi_disabled) +-- +2.39.2 + diff --git a/queue-4.19/jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch b/queue-4.19/jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch new file mode 100644 index 00000000000..d938ba534f1 --- /dev/null +++ b/queue-4.19/jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch @@ -0,0 +1,115 @@ +From d2f4d79ba36b69e7dd26468dc82299e6dfa92a18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 15:53:12 +0000 +Subject: jffs2: correct logic when creating a hole in jffs2_write_begin + +From: Yifei Liu + +[ Upstream commit 23892d383bee15b64f5463bd7195615734bb2415 ] + +Bug description and fix: + +1. Write data to a file, say all 1s from offset 0 to 16. + +2. Truncate the file to a smaller size, say 8 bytes. + +3. Write new bytes (say 2s) from an offset past the original size of the +file, say at offset 20, for 4 bytes. This is supposed to create a "hole" +in the file, meaning that the bytes from offset 8 (where it was truncated +above) up to the new write at offset 20, should all be 0s (zeros). + +4. Flush all caches using "echo 3 > /proc/sys/vm/drop_caches" (or unmount +and remount) the f/s. + +5. Check the content of the file. It is wrong. The 1s that used to be +between bytes 9 and 16, before the truncation, have REAPPEARED (they should +be 0s). + +We wrote a script and helper C program to reproduce the bug +(reproduce_jffs2_write_begin_issue.sh, write_file.c, and Makefile). We can +make them available to anyone. + +The above example is shown when writing a small file within the same first +page. But the bug happens for larger files, as long as steps 1, 2, and 3 +above all happen within the same page. + +The problem was traced to the jffs2_write_begin code, where it goes into an +'if' statement intended to handle writes past the current EOF (i.e., writes +that may create a hole). The code computes a 'pageofs' that is the floor +of the write position (pos), aligned to the page size boundary. In other +words, 'pageofs' will never be larger than 'pos'. The code then sets the +internal jffs2_raw_inode->isize to the size of max(current inode size, +pageofs) but that is wrong: the new file size should be the 'pos', which is +larger than both the current inode size and pageofs. + +Similarly, the code incorrectly sets the internal jffs2_raw_inode->dsize to +the difference between the pageofs minus current inode size; instead it +should be the current pos minus the current inode size. Finally, +inode->i_size was also set incorrectly. + +The patch below fixes this bug. The bug was discovered using a new tool +for finding f/s bugs using model checking, called MCFS (Model Checking File +Systems). + +Signed-off-by: Yifei Liu +Signed-off-by: Erez Zadok +Signed-off-by: Manish Adkar +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/jffs2/file.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c +index 3047872fdac9b..bf3d8a4516a52 100644 +--- a/fs/jffs2/file.c ++++ b/fs/jffs2/file.c +@@ -137,19 +137,18 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); + struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); + pgoff_t index = pos >> PAGE_SHIFT; +- uint32_t pageofs = index << PAGE_SHIFT; + int ret = 0; + + jffs2_dbg(1, "%s()\n", __func__); + +- if (pageofs > inode->i_size) { +- /* Make new hole frag from old EOF to new page */ ++ if (pos > inode->i_size) { ++ /* Make new hole frag from old EOF to new position */ + struct jffs2_raw_inode ri; + struct jffs2_full_dnode *fn; + uint32_t alloc_len; + +- jffs2_dbg(1, "Writing new hole frag 0x%x-0x%x between current EOF and new page\n", +- (unsigned int)inode->i_size, pageofs); ++ jffs2_dbg(1, "Writing new hole frag 0x%x-0x%x between current EOF and new position\n", ++ (unsigned int)inode->i_size, (uint32_t)pos); + + ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len, + ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE); +@@ -169,10 +168,10 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + ri.mode = cpu_to_jemode(inode->i_mode); + ri.uid = cpu_to_je16(i_uid_read(inode)); + ri.gid = cpu_to_je16(i_gid_read(inode)); +- ri.isize = cpu_to_je32(max((uint32_t)inode->i_size, pageofs)); ++ ri.isize = cpu_to_je32((uint32_t)pos); + ri.atime = ri.ctime = ri.mtime = cpu_to_je32(JFFS2_NOW()); + ri.offset = cpu_to_je32(inode->i_size); +- ri.dsize = cpu_to_je32(pageofs - inode->i_size); ++ ri.dsize = cpu_to_je32((uint32_t)pos - inode->i_size); + ri.csize = cpu_to_je32(0); + ri.compr = JFFS2_COMPR_ZERO; + ri.node_crc = cpu_to_je32(crc32(0, &ri, sizeof(ri)-8)); +@@ -202,7 +201,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + goto out_err; + } + jffs2_complete_reservation(c); +- inode->i_size = pageofs; ++ inode->i_size = pos; + mutex_unlock(&f->sem); + } + +-- +2.39.2 + diff --git a/queue-4.19/media-m5mols-fix-off-by-one-loop-termination-error.patch b/queue-4.19/media-m5mols-fix-off-by-one-loop-termination-error.patch new file mode 100644 index 00000000000..c8ceb7205db --- /dev/null +++ b/queue-4.19/media-m5mols-fix-off-by-one-loop-termination-error.patch @@ -0,0 +1,62 @@ +From b8744174c6cbf5bc910285c1ffda2739bd1a4e48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Mar 2023 13:51:17 -0700 +Subject: media: m5mols: fix off-by-one loop termination error + +From: Linus Torvalds + +[ Upstream commit efbcbb12ee99f750c9f25c873b55ad774871de2a ] + +The __find_restype() function loops over the m5mols_default_ffmt[] +array, and the termination condition ends up being wrong: instead of +stopping when the iterator becomes the size of the array it traverses, +it stops after it has already overshot the array. + +Now, in practice this doesn't likely matter, because the code will +always find the entry it looks for, and will thus return early and never +hit that last extra iteration. + +But it turns out that clang will unroll the loop fully, because it has +only two iterations (well, three due to the off-by-one bug), and then +clang will end up just giving up in the middle of the loop unrolling +when it notices that the code walks past the end of the array. + +And that made 'objtool' very unhappy indeed, because the generated code +just falls off the edge of the universe, and ends up falling through to +the next function, causing this warning: + + drivers/media/i2c/m5mols/m5mols.o: warning: objtool: m5mols_set_fmt() falls through to next function m5mols_get_frame_desc() + +Fix the loop ending condition. + +Reported-by: Jens Axboe +Analyzed-by: Miguel Ojeda +Analyzed-by: Nick Desaulniers +Link: https://lore.kernel.org/linux-block/CAHk-=wgTSdKYbmB1JYM5vmHMcD9J9UZr0mn7BOYM_LudrP+Xvw@mail.gmail.com/ +Fixes: bc125106f8af ("[media] Add support for M-5MOLS 8 Mega Pixel camera ISP") +Cc: HeungJun, Kim +Cc: Sylwester Nawrocki +Cc: Kyungmin Park +Cc: Mauro Carvalho Chehab +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/m5mols/m5mols_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/m5mols/m5mols_core.c b/drivers/media/i2c/m5mols/m5mols_core.c +index d9a9644306096..9e6827dedab30 100644 +--- a/drivers/media/i2c/m5mols/m5mols_core.c ++++ b/drivers/media/i2c/m5mols/m5mols_core.c +@@ -492,7 +492,7 @@ static enum m5mols_restype __find_restype(u32 code) + do { + if (code == m5mols_default_ffmt[type].code) + return type; +- } while (type++ != SIZE_DEFAULT_FFMT); ++ } while (++type != SIZE_DEFAULT_FFMT); + + return 0; + } +-- +2.39.2 + diff --git a/queue-4.19/mmc-atmel-mci-fix-race-between-stop-command-and-star.patch b/queue-4.19/mmc-atmel-mci-fix-race-between-stop-command-and-star.patch new file mode 100644 index 00000000000..5c2c81f2626 --- /dev/null +++ b/queue-4.19/mmc-atmel-mci-fix-race-between-stop-command-and-star.patch @@ -0,0 +1,58 @@ +From 153b9cf275dad8e0582c90b0330e0b8177d2e98d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Dec 2022 20:43:15 +0100 +Subject: mmc: atmel-mci: fix race between stop command and start of next + command + +From: Tobias Schramm + +[ Upstream commit eca5bd666b0aa7dc0bca63292e4778968241134e ] + +This commit fixes a race between completion of stop command and start of a +new command. +Previously the command ready interrupt was enabled before stop command +was written to the command register. This caused the command ready +interrupt to fire immediately since the CMDRDY flag is asserted constantly +while there is no command in progress. +Consequently the command state machine will immediately advance to the +next state when the tasklet function is executed again, no matter +actual completion state of the stop command. +Thus a new command can then be dispatched immediately, interrupting and +corrupting the stop command on the CMD line. +Fix that by dropping the command ready interrupt enable before calling +atmci_send_stop_cmd. atmci_send_stop_cmd does already enable the +command ready interrupt, no further writes to ATMCI_IER are necessary. + +Signed-off-by: Tobias Schramm +Acked-by: Ludovic Desroches +Link: https://lore.kernel.org/r/20221230194315.809903-2-t.schramm@manjaro.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/atmel-mci.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/mmc/host/atmel-mci.c b/drivers/mmc/host/atmel-mci.c +index d40bab3d9f4af..fb435a8d37213 100644 +--- a/drivers/mmc/host/atmel-mci.c ++++ b/drivers/mmc/host/atmel-mci.c +@@ -1857,7 +1857,6 @@ static void atmci_tasklet_func(unsigned long priv) + atmci_writel(host, ATMCI_IER, ATMCI_NOTBUSY); + state = STATE_WAITING_NOTBUSY; + } else if (host->mrq->stop) { +- atmci_writel(host, ATMCI_IER, ATMCI_CMDRDY); + atmci_send_stop_cmd(host, data); + state = STATE_SENDING_STOP; + } else { +@@ -1890,8 +1889,6 @@ static void atmci_tasklet_func(unsigned long priv) + * command to send. + */ + if (host->mrq->stop) { +- atmci_writel(host, ATMCI_IER, +- ATMCI_CMDRDY); + atmci_send_stop_cmd(host, data); + state = STATE_SENDING_STOP; + } else { +-- +2.39.2 + diff --git a/queue-4.19/rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch b/queue-4.19/rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch new file mode 100644 index 00000000000..31ca1e53d1d --- /dev/null +++ b/queue-4.19/rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch @@ -0,0 +1,53 @@ +From 4cd7b8184f841ac7054c8842e070fbdafc54d8d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Dec 2022 12:44:35 +0800 +Subject: rust: arch/um: Disable FP/SIMD instruction to match x86 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Gow + +[ Upstream commit 8849818679478933dd1d9718741f4daa3f4e8b86 ] + +The kernel disables all SSE and similar FP/SIMD instructions on +x86-based architectures (partly because we shouldn't be using floats in +the kernel, and partly to avoid the need for stack alignment, see: +https://gcc.gnu.org/bugzilla/show_bug.cgi?id=53383 ) + +UML does not do the same thing, which isn't in itself a problem, but +does add to the list of differences between UML and "normal" x86 builds. + +In addition, there was a crash bug with LLVM < 15 / rustc < 1.65 when +building with SSE, so disabling it fixes rust builds with earlier +compiler versions, see: +https://github.com/Rust-for-Linux/linux/pull/881 + +Signed-off-by: David Gow +Reviewed-by: Sergio González Collado +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/x86/Makefile.um | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/x86/Makefile.um b/arch/x86/Makefile.um +index 91085a08de6cb..3694beda02c8a 100644 +--- a/arch/x86/Makefile.um ++++ b/arch/x86/Makefile.um +@@ -1,6 +1,12 @@ + # SPDX-License-Identifier: GPL-2.0 + core-y += arch/x86/crypto/ + ++# ++# Disable SSE and other FP/SIMD instructions to match normal x86 ++# ++KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx ++KBUILD_RUSTFLAGS += -Ctarget-feature=-sse,-sse2,-sse3,-ssse3,-sse4.1,-sse4.2,-avx,-avx2 ++ + ifeq ($(CONFIG_X86_32),y) + START := 0x8048000 + +-- +2.39.2 + diff --git a/queue-4.19/series b/queue-4.19/series index 9365a6c3c1a..b7c352adcd8 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -14,3 +14,14 @@ ipv4-fix-incorrect-table-id-in-ioctl-path.patch net-usb-smsc75xx-move-packet-length-check-to-prevent.patch net-iucv-fix-size-of-interrupt-data.patch ethernet-sun-add-check-for-the-mdesc_grab.patch +hwmon-adt7475-display-smoothing-attributes-in-correc.patch +hwmon-adt7475-fix-masking-of-hysteresis-registers.patch +hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch +media-m5mols-fix-off-by-one-loop-termination-error.patch +mmc-atmel-mci-fix-race-between-stop-command-and-star.patch +jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch +rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch +ext4-fail-ext4_iget-if-special-inode-unallocated.patch +ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch +drm-amdkfd-fix-an-illegal-memory-access.patch +sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch diff --git a/queue-4.19/sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch b/queue-4.19/sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch new file mode 100644 index 00000000000..ad8c950be08 --- /dev/null +++ b/queue-4.19/sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch @@ -0,0 +1,51 @@ +From 77c2f92f33a28b5bc41c4a7d12780885c737ffb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 22:48:16 +0100 +Subject: sh: intc: Avoid spurious sizeof-pointer-div warning + +From: Michael Karcher + +[ Upstream commit 250870824c1cf199b032b1ef889c8e8d69d9123a ] + +GCC warns about the pattern sizeof(void*)/sizeof(void), as it looks like +the abuse of a pattern to calculate the array size. This pattern appears +in the unevaluated part of the ternary operator in _INTC_ARRAY if the +parameter is NULL. + +The replacement uses an alternate approach to return 0 in case of NULL +which does not generate the pattern sizeof(void*)/sizeof(void), but still +emits the warning if _INTC_ARRAY is called with a nonarray parameter. + +This patch is required for successful compilation with -Werror enabled. + +The idea to use _Generic for type distinction is taken from Comment #7 +in https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108483 by Jakub Jelinek + +Signed-off-by: Michael Karcher +Acked-by: Randy Dunlap # build-tested +Link: https://lore.kernel.org/r/619fa552-c988-35e5-b1d7-fe256c46a272@mkarcher.dialup.fu-berlin.de +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + include/linux/sh_intc.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/linux/sh_intc.h b/include/linux/sh_intc.h +index c255273b02810..37ad81058d6ae 100644 +--- a/include/linux/sh_intc.h ++++ b/include/linux/sh_intc.h +@@ -97,7 +97,10 @@ struct intc_hw_desc { + unsigned int nr_subgroups; + }; + +-#define _INTC_ARRAY(a) a, __same_type(a, NULL) ? 0 : sizeof(a)/sizeof(*a) ++#define _INTC_SIZEOF_OR_ZERO(a) (_Generic(a, \ ++ typeof(NULL): 0, \ ++ default: sizeof(a))) ++#define _INTC_ARRAY(a) a, _INTC_SIZEOF_OR_ZERO(a)/sizeof(*a) + + #define INTC_HW_DESC(vectors, groups, mask_regs, \ + prio_regs, sense_regs, ack_regs) \ +-- +2.39.2 +