From: Greg Kroah-Hartman
Date: Sat, 18 Feb 2023 08:06:34 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v4.14.306~45
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d487fe728e7703f014f3cda5680cbdc4cbbcee28;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
alsa-hda-conexant-add-a-new-hda-codec-sn6180.patch
alsa-hda-fix-codec-device-field-initializan.patch
alsa-hda-realtek-enable-mute-micmute-leds-and-speaker-support-for-hp-laptops.patch
alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-a-hp-platform.patch
alsa-hda-realtek-fixed-wrong-gpio-assigned.patch
ata-ahci-add-tiger-lake-up-3-4-ahci-controller.patch
ata-libata-core-disable-read-log-dma-ext-for-samsung-mz7lh.patch
freezer-umh-fix-call_usermode_helper_exec-vs-sigkill.patch
gpio-sim-fix-a-memory-leak.patch
hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch
mm-filemap-fix-page-end-in-filemap_get_read_batch.patch
mm-madv_collapse-set-eagain-on-unexpected-page-refcount.patch
mm-migrate-fix-wrongly-apply-write-bit-after-mkdirty-on-sparc64.patch
mmc-jz4740-work-around-bug-on-jz4760-b.patch
mmc-meson-gx-fix-sdio-mode-if-cap_sdio_irq-isn-t-set.patch
mmc-mmc_spi-fix-error-handling-in-mmc_spi_probe.patch
mmc-sdio-fix-possible-resource-leaks-in-some-error-paths.patch
nilfs2-fix-underflow-in-second-superblock-position-calculations.patch
sched-psi-fix-use-after-free-in-ep_remove_wait_queue.patch
---
diff --git a/queue-6.1/alsa-hda-conexant-add-a-new-hda-codec-sn6180.patch b/queue-6.1/alsa-hda-conexant-add-a-new-hda-codec-sn6180.patch
new file mode 100644
index 00000000000..42528f37063
--- /dev/null
+++ b/queue-6.1/alsa-hda-conexant-add-a-new-hda-codec-sn6180.patch
@@ -0,0 +1,31 @@ +From 18d7e16c917a08f08778ecf2b780d63648d5d923 Mon Sep 17 00:00:00 2001 +From: Bo Liu +Date: Thu, 9 Feb 2023 10:13:48 +0800 +Subject: ALSA: hda/conexant: add a new hda codec SN6180 + +From: Bo Liu + +commit 18d7e16c917a08f08778ecf2b780d63648d5d923 upstream. + +The current kernel does not support the SN6180 codec chip. +Add the SN6180 codec configuration item to kernel. + +Signed-off-by: Bo Liu +Cc: +Link: https://lore.kernel.org/r/1675908828-1012-1-git-send-email-bo.liu@senarytech.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -1125,6 +1125,7 @@ static const struct hda_device_id snd_hd + HDA_CODEC_ENTRY(0x14f11f87, "SN6140", patch_conexant_auto), + HDA_CODEC_ENTRY(0x14f12008, "CX8200", patch_conexant_auto), + HDA_CODEC_ENTRY(0x14f120d0, "CX11970", patch_conexant_auto), ++ HDA_CODEC_ENTRY(0x14f120d1, "SN6180", patch_conexant_auto), + HDA_CODEC_ENTRY(0x14f15045, "CX20549 (Venice)", patch_conexant_auto), + HDA_CODEC_ENTRY(0x14f15047, "CX20551 (Waikiki)", patch_conexant_auto), + HDA_CODEC_ENTRY(0x14f15051, "CX20561 (Hermosa)", patch_conexant_auto), diff --git a/queue-6.1/alsa-hda-fix-codec-device-field-initializan.patch b/queue-6.1/alsa-hda-fix-codec-device-field-initializan.patch new file mode 100644 index 00000000000..b760c573152 --- /dev/null +++ b/queue-6.1/alsa-hda-fix-codec-device-field-initializan.patch 
@@ -0,0 +1,56 @@ +From 3af4a4f7a20c94009adba65764fa5a0269d70a82 Mon Sep 17 00:00:00 2001 +From: Cezary Rojewski +Date: Fri, 10 Feb 2023 17:55:41 +0100 +Subject: ALSA: hda: Fix codec device field initializan + +From: Cezary Rojewski + +commit 3af4a4f7a20c94009adba65764fa5a0269d70a82 upstream. + +Commit f2bd1c5ae2cb ("ALSA: hda: Fix page fault in +snd_hda_codec_shutdown()") relocated initialization of several codec +device fields. Due to differences between codec_exec_verb() and +snd_hdac_bus_exec_bus() in how they handle VERB execution - the latter +does not touch PM - assigning ->exec_verb to codec_exec_verb() causes PM +to be engaged before it is configured for the device. Configuration of +PM for the ASoC HDAudio sound card is done with snd_hda_set_power_save() +during skl_hda_audio_probe() whereas the assignment happens early, in +snd_hda_codec_device_init(). + +Revert to previous behavior to avoid problems caused by too early PM +manipulation. + +Suggested-by: Jason Montleon +Link: https://lore.kernel.org/regressions/CALFERdzKUodLsm6=Ub3g2+PxpNpPtPq3bGBLbff=eZr9_S=YVA@mail.gmail.com +Fixes: f2bd1c5ae2cb ("ALSA: hda: Fix page fault in snd_hda_codec_shutdown()") +Signed-off-by: Cezary Rojewski +Link: https://lore.kernel.org/r/20230210165541.3543604-1-cezary.rojewski@intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_codec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index ac1cc7c5290e..2e728aad6771 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -927,7 +927,6 @@ snd_hda_codec_device_init(struct hda_bus *bus, unsigned int codec_addr, + codec->depop_delay = -1; + codec->fixup_id = HDA_FIXUP_ID_NOT_SET; + codec->core.dev.release = snd_hda_codec_dev_release; +- codec->core.exec_verb = codec_exec_verb; + codec->core.type = HDA_DEV_LEGACY; + + mutex_init(&codec->spdif_mutex); +@@ -998,6 +997,7 @@ int 
snd_hda_codec_device_new(struct hda_bus *bus, struct snd_card *card, + if (snd_BUG_ON(codec_addr > HDA_MAX_CODEC_ADDRESS)) + return -EINVAL; + ++ codec->core.exec_verb = codec_exec_verb; + codec->card = card; + codec->addr = codec_addr; + +-- +2.39.1 + diff --git a/queue-6.1/alsa-hda-realtek-enable-mute-micmute-leds-and-speaker-support-for-hp-laptops.patch b/queue-6.1/alsa-hda-realtek-enable-mute-micmute-leds-and-speaker-support-for-hp-laptops.patch new file mode 100644 index 00000000000..e895c58b4f0 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-enable-mute-micmute-leds-and-speaker-support-for-hp-laptops.patch 
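Review bot: The relocated `codec->core.exec_verb = codec_exec_verb;` in snd_hda_codec_device_new() has no comment saying why it lives there and not in snd_hda_codec_device_init(), so the ordering constraint from the commit message is easy to undo in a later cleanup. I would add `/* set here, not in device_init(): codec_exec_verb() engages PM, which must be configured first */` above the assignment. Both functions start and end outside the hunks shown, so whether any verb can be issued between the two calls cannot be checked from here.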
@@ -0,0 +1,36 @@ +From 9251584af09285133bec0595e5c7218fe2e595c9 Mon Sep 17 00:00:00 2001 +From: Andy Chi +Date: Tue, 14 Feb 2023 22:04:31 +0800 +Subject: ALSA: hda/realtek: Enable mute/micmute LEDs and speaker support for HP Laptops + +From: Andy Chi + +commit 9251584af09285133bec0595e5c7218fe2e595c9 upstream. + +On HP Laptops, requires the ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED quirk to +make its audio LEDs and speaker work. + +Signed-off-by: Andy Chi +Cc: +Link: https://lore.kernel.org/r/20230214140432.39654-1-andy.chi@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9432,6 +9432,12 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8ad1, "HP EliteBook 840 14 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8ad2, "HP EliteBook 860 16 inch G9 Notebook PC", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8b42, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8b43, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8b44, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8b45, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8b46, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8b47, "HP", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b5d, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8b5e, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8b7a, "HP", ALC236_FIXUP_HP_GPIO_LED), 
diff --git a/queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-a-hp-platform.patch b/queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-a-hp-platform.patch new file mode 100644 index 00000000000..cf33cc5190e --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-a-hp-platform.patch @@ -0,0 +1,31 @@ +From 5007b848ff2234ff7ea55755cb315766888988da Mon Sep 17 00:00:00 2001 +From: Andy Chi +Date: Tue, 14 Feb 2023 11:58:51 +0800 +Subject: ALSA: hda/realtek: fix mute/micmute LEDs don't work for a HP platform. + +From: Andy Chi + +commit 5007b848ff2234ff7ea55755cb315766888988da upstream. + +There is a HP platform needs ALC236_FIXUP_HP_GPIO_LED quirk to +make mic-mute/audio-mute working. + +Signed-off-by: Andy Chi +Cc: +Link: https://lore.kernel.org/r/20230214035853.31217-1-andy.chi@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9436,6 +9436,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8b5e, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8b7a, "HP", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b7d, "HP", ALC236_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8b87, "HP", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b8a, "HP", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b8b, "HP", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8b8d, "HP", ALC236_FIXUP_HP_GPIO_LED), diff --git a/queue-6.1/alsa-hda-realtek-fixed-wrong-gpio-assigned.patch b/queue-6.1/alsa-hda-realtek-fixed-wrong-gpio-assigned.patch new file mode 100644 index 00000000000..330ad1d760d --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-fixed-wrong-gpio-assigned.patch 
@@ -0,0 +1,32 @@ +From 2bdccfd290d421b50df4ec6a68d832dad1310748 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Mon, 13 Feb 2023 14:54:22 +0800 +Subject: ALSA: hda/realtek - fixed wrong gpio assigned + +From: Kailang Yang + +commit 2bdccfd290d421b50df4ec6a68d832dad1310748 upstream. + +GPIO2 PIN use for output. Mask Dir and Data need to assign for 0x4. Not 0x3. +This fixed was for Lenovo Desktop(0x17aa1056). GPIO2 use for AMP enable. + +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/8d02bb9ac8134f878cd08607fdf088fd@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -832,7 +832,7 @@ do_sku: + alc_setup_gpio(codec, 0x02); + break; + case 7: +- alc_setup_gpio(codec, 0x03); ++ alc_setup_gpio(codec, 0x04); + break; + case 5: + default: diff --git a/queue-6.1/ata-ahci-add-tiger-lake-up-3-4-ahci-controller.patch b/queue-6.1/ata-ahci-add-tiger-lake-up-3-4-ahci-controller.patch new file mode 100644 index 00000000000..78af631bcf9 --- /dev/null +++ b/queue-6.1/ata-ahci-add-tiger-lake-up-3-4-ahci-controller.patch 
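Review bot: The changed `case 7:` arm applies to every codec that reaches this switch, while the commit message names a single Lenovo desktop (0x17aa1056); the hunk does not show which other SKUs select this case, so the wider effect should be confirmed. A short comment such as `/* GPIO2: dir/data mask is 0x04, not 0x03 */` next to `alc_setup_gpio(codec, 0x04);` would record the reason for the value. The enclosing switch starts and ends outside the hunk.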
@@ -0,0 +1,37 @@ +From 104ff59af73aba524e57ae0fef70121643ff270e Mon Sep 17 00:00:00 2001 +From: Simon Gaiser +Date: Mon, 13 Feb 2023 11:24:49 +0100 +Subject: ata: ahci: Add Tiger Lake UP{3,4} AHCI controller + +From: Simon Gaiser + +commit 104ff59af73aba524e57ae0fef70121643ff270e upstream. + +Mark the Tiger Lake UP{3,4} AHCI controller as "low_power". This enables +S0ix to work out of the box. Otherwise this isn't working unless the +user manually sets /sys/class/scsi_host/*/link_power_management_policy. + +Intel lists a total of 4 SATA controller IDs in [1] for those mobile +PCHs. This commit just adds the "AHCI" variant since I only tested +those. + +[1]: https://cdrdv2.intel.com/v1/dl/getContent/631119 + +Signed-off-by: Simon Gaiser +CC: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -422,6 +422,7 @@ static const struct pci_device_id ahci_p + { PCI_VDEVICE(INTEL, 0x34d3), board_ahci_low_power }, /* Ice Lake LP AHCI */ + { PCI_VDEVICE(INTEL, 0x02d3), board_ahci_low_power }, /* Comet Lake PCH-U AHCI */ + { PCI_VDEVICE(INTEL, 0x02d7), board_ahci_low_power }, /* Comet Lake PCH RAID */ ++ { PCI_VDEVICE(INTEL, 0xa0d3), board_ahci_low_power }, /* Tiger Lake UP{3,4} AHCI */ + + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, diff --git a/queue-6.1/ata-libata-core-disable-read-log-dma-ext-for-samsung-mz7lh.patch b/queue-6.1/ata-libata-core-disable-read-log-dma-ext-for-samsung-mz7lh.patch new file mode 100644 index 00000000000..3b08d8ec77d --- /dev/null +++ b/queue-6.1/ata-libata-core-disable-read-log-dma-ext-for-samsung-mz7lh.patch 
@@ -0,0 +1,42 @@ +From ead089577e0f55b238f980d9f62eaa90b7b64672 Mon Sep 17 00:00:00 2001 +From: Patrick McLean +Date: Fri, 10 Feb 2023 13:51:51 -0800 +Subject: ata: libata-core: Disable READ LOG DMA EXT for Samsung MZ7LH + +From: Patrick McLean + +commit ead089577e0f55b238f980d9f62eaa90b7b64672 upstream. + +Samsung MZ7LH drives are spewing messages like this in to dmesg with AMD +SATA controllers: + +ata1.00: exception Emask 0x0 SAct 0x7e0000 SErr 0x0 action 0x6 frozen +ata1.00: failed command: SEND FPDMA QUEUED +ata1.00: cmd 64/01:88:00:00:00/00:00:00:00:00/a0 tag 17 ncq dma 512 out + res 40/00:01:01:4f:c2/00:00:00:00:00/00 Emask + 0x4 (timeout) + +Since this was seen previously with SSD 840 EVO drives in +https://bugzilla.kernel.org/show_bug.cgi?id=203475 let's add the same +fix for these drives as the EVOs have, since they likely have very +similar firmwares. + +Signed-off-by: Patrick McLean +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4044,6 +4044,9 @@ static const struct ata_blacklist_entry + { "Samsung SSD 870*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM | + ATA_HORKAGE_NO_NCQ_ON_ATI }, ++ { "SAMSUNG*MZ7LH*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NO_NCQ_ON_ATI, }, + { "FCCT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM }, + diff --git a/queue-6.1/freezer-umh-fix-call_usermode_helper_exec-vs-sigkill.patch b/queue-6.1/freezer-umh-fix-call_usermode_helper_exec-vs-sigkill.patch new file mode 100644 index 00000000000..1b6f06b3dea --- /dev/null +++ b/queue-6.1/freezer-umh-fix-call_usermode_helper_exec-vs-sigkill.patch 
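Review bot: None of the three flags in the new `"SAMSUNG*MZ7LH*"` entry refers to READ LOG DMA EXT, although the subject says that command is being disabled; the entry copies the `"Samsung SSD 870*"` flags (no NCQ TRIM, zero after TRIM, no NCQ on ATI). The quoted failure is a `SEND FPDMA QUEUED` timeout, which fits the NCQ flags, so the subject line appears to be the part that is wrong and should be corrected in the description. The trailing comma in `ATA_HORKAGE_NO_NCQ_ON_ATI, },` also differs from the neighbouring entries and could be dropped for consistency.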
@@ -0,0 +1,70 @@ +From eedeb787ebb53de5c5dcf7b7b39d01bf1b0f037d Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Fri, 3 Feb 2023 15:31:11 +0100 +Subject: freezer,umh: Fix call_usermode_helper_exec() vs SIGKILL + +From: Peter Zijlstra + +commit eedeb787ebb53de5c5dcf7b7b39d01bf1b0f037d upstream. + +Tetsuo-San noted that commit f5d39b020809 ("freezer,sched: Rewrite +core freezer logic") broke call_usermodehelper_exec() for the KILLABLE +case. + +Specifically it was missed that the second, unconditional, +wait_for_completion() was not optional and ensures the on-stack +completion is unused before going out-of-scope. + +Fixes: f5d39b020809 ("freezer,sched: Rewrite core freezer logic") +Reported-by: syzbot+6cd18e123583550cf469@syzkaller.appspotmail.com +Reported-by: Tetsuo Handa +Debugged-by: Tetsuo Handa +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/Y90ar35uKQoUrLEK@hirez.programming.kicks-ass.net +Signed-off-by: Greg Kroah-Hartman +--- + kernel/umh.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/kernel/umh.c b/kernel/umh.c +index 850631518665..fbf872c624cb 100644 +--- a/kernel/umh.c ++++ b/kernel/umh.c +@@ -438,21 +438,27 @@ int call_usermodehelper_exec(struct subprocess_info *sub_info, int wait) + if (wait == UMH_NO_WAIT) /* task has freed sub_info */ + goto unlock; + +- if (wait & UMH_KILLABLE) +- state |= TASK_KILLABLE; +- + if (wait & UMH_FREEZABLE) + state |= TASK_FREEZABLE; + +- retval = wait_for_completion_state(&done, state); +- if (!retval) +- goto wait_done; +- + if (wait & UMH_KILLABLE) { ++ retval = wait_for_completion_state(&done, state | TASK_KILLABLE); ++ if (!retval) ++ goto wait_done; ++ + /* umh_complete() will see NULL and free sub_info */ + if (xchg(&sub_info->complete, NULL)) + goto unlock; ++ ++ /* ++ * fallthrough; in case of -ERESTARTSYS now do uninterruptible ++ * wait_for_completion_state(). 
Since umh_complete() shall call ++ * complete() in a moment if xchg() above returned NULL, this ++ * uninterruptible wait_for_completion_state() will not block ++ * SIGKILL'ed processes for long. ++ */ + } ++ wait_for_completion_state(&done, state); + + wait_done: + retval = sub_info->retval; +-- +2.39.1 + diff --git a/queue-6.1/gpio-sim-fix-a-memory-leak.patch b/queue-6.1/gpio-sim-fix-a-memory-leak.patch new file mode 100644 index 00000000000..fdc0b5a12c2 --- /dev/null +++ b/queue-6.1/gpio-sim-fix-a-memory-leak.patch @@ -0,0 +1,32 @@ +From 79eeab1d85e0fee4c0bc36f3b6ddf3920f39f74b Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 17 Feb 2023 12:02:26 +0100 +Subject: gpio: sim: fix a memory leak + +From: Bartosz Golaszewski + +commit 79eeab1d85e0fee4c0bc36f3b6ddf3920f39f74b upstream. + +Fix an inverted logic bug in gpio_sim_remove_hogs() that leads to GPIO +hog structures never being freed. + +Fixes: cb8c474e79be ("gpio: sim: new testing module") +Reported-by: Mirsad Goran Todorovac +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-sim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-sim.c ++++ b/drivers/gpio/gpio-sim.c +@@ -732,7 +732,7 @@ static void gpio_sim_remove_hogs(struct + + gpiod_remove_hogs(dev->hogs); + +- for (hog = dev->hogs; !hog->chip_label; hog++) { ++ for (hog = dev->hogs; hog->chip_label; hog++) { + kfree(hog->chip_label); + kfree(hog->line_name); + } diff --git a/queue-6.1/hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch b/queue-6.1/hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch new file mode 100644 index 00000000000..95eb365aeef --- /dev/null +++ b/queue-6.1/hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch 
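Review bot: The unconditional `wait_for_completion_state(&done, state);` in call_usermodehelper_exec() is what keeps the on-stack completion valid until umh_complete() has finished with it, but the only comment sits inside the `UMH_KILLABLE` block and speaks of fallthrough, so the lifetime reason is not stated at the call itself. I would add `/* must not return before complete(): 'done' lives on this stack frame */` directly above that call, since removing it reintroduces a use-after-scope. The comment describes the wait as uninterruptible; that holds only if `state` starts out as TASK_UNINTERRUPTIBLE, which is set outside the hunk.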
@@ -0,0 +1,63 @@ +From ec4288fe63966b26d53907212ecd05dfa81dd2cc Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Wed, 15 Feb 2023 17:35:42 -0800 +Subject: hugetlb: check for undefined shift on 32 bit architectures + +From: Mike Kravetz + +commit ec4288fe63966b26d53907212ecd05dfa81dd2cc upstream. + +Users can specify the hugetlb page size in the mmap, shmget and +memfd_create system calls. This is done by using 6 bits within the flags +argument to encode the base-2 logarithm of the desired page size. The +routine hstate_sizelog() uses the log2 value to find the corresponding +hugetlb hstate structure. Converting the log2 value (page_size_log) to +potential hugetlb page size is the simple statement: + + 1UL << page_size_log + +Because only 6 bits are used for page_size_log, the left shift can not be +greater than 63. This is fine on 64 bit architectures where a long is 64 +bits. However, if a value greater than 31 is passed on a 32 bit +architecture (where long is 32 bits) the shift will result in undefined +behavior. This was generally not an issue as the result of the undefined +shift had to exactly match hugetlb page size to proceed. + +Recent improvements in runtime checking have resulted in this undefined +behavior throwing errors such as reported below. + +Fix by comparing page_size_log to BITS_PER_LONG before doing shift. 
+ +Link: https://lkml.kernel.org/r/20230216013542.138708-1-mike.kravetz@oracle.com +Link: https://lore.kernel.org/lkml/CA+G9fYuei_Tr-vN9GS7SfFyU1y9hNysnf=PB7kT0=yv4MiPgVg@mail.gmail.com/ +Fixes: 42d7395feb56 ("mm: support more pagesizes for MAP_HUGETLB/SHM_HUGETLB") +Signed-off-by: Mike Kravetz +Reported-by: Naresh Kamboju +Reviewed-by: Jesper Juhl +Acked-by: Muchun Song +Tested-by: Linux Kernel Functional Testing +Tested-by: Naresh Kamboju +Cc: Anders Roxell +Cc: Andi Kleen +Cc: Sasha Levin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/hugetlb.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -753,7 +753,10 @@ static inline struct hstate *hstate_size + if (!page_size_log) + return &default_hstate; + +- return size_to_hstate(1UL << page_size_log); ++ if (page_size_log < BITS_PER_LONG) ++ return size_to_hstate(1UL << page_size_log); ++ ++ return NULL; + } + + static inline struct hstate *hstate_vma(struct vm_area_struct *vma) diff --git a/queue-6.1/mm-filemap-fix-page-end-in-filemap_get_read_batch.patch b/queue-6.1/mm-filemap-fix-page-end-in-filemap_get_read_batch.patch new file mode 100644 index 00000000000..696bac45c2e --- /dev/null +++ b/queue-6.1/mm-filemap-fix-page-end-in-filemap_get_read_batch.patch 
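Review bot: The new guard `page_size_log < BITS_PER_LONG` rejects shift counts that are too large but not a negative count, which is equally undefined; the parameter's type is cut off in the hunk header, so whether it is signed cannot be confirmed here. The commit message says callers pass a 6-bit field, which would make a negative value unreachable, but a one-line comment such as `/* page_size_log comes from a 6-bit flags field; shift must stay below BITS_PER_LONG */` would document that assumption next to the check. The function now returns NULL on the rejected path, so callers are presumably expected to treat NULL as an unsupported size; that is worth confirming against the call sites, which are outside the hunk.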
@@ -0,0 +1,57 @@ +From 5956592ce337330cdff0399a6f8b6a5aea397a8e Mon Sep 17 00:00:00 2001 +From: Qian Yingjin +Date: Wed, 8 Feb 2023 10:24:00 +0800 +Subject: mm/filemap: fix page end in filemap_get_read_batch + +From: Qian Yingjin + +commit 5956592ce337330cdff0399a6f8b6a5aea397a8e upstream. + +I was running traces of the read code against an RAID storage system to +understand why read requests were being misaligned against the underlying +RAID strips. I found that the page end offset calculation in +filemap_get_read_batch() was off by one. + +When a read is submitted with end offset 1048575, then it calculates the +end page for read of 256 when it should be 255. "last_index" is the index +of the page beyond the end of the read and it should be skipped when get a +batch of pages for read in @filemap_get_read_batch(). + +The below simple patch fixes the problem. This code was introduced in +kernel 5.12. + +Link: https://lkml.kernel.org/r/20230208022400.28962-1-coolqyj@163.com +Fixes: cbd59c48ae2b ("mm/filemap: use head pages in generic_file_buffered_read") +Signed-off-by: Qian Yingjin +Reviewed-by: Matthew Wilcox (Oracle) +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/filemap.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2569,18 +2569,19 @@ static int filemap_get_pages(struct kioc + struct folio *folio; + int err = 0; + ++ /* "last_index" is the index of the page beyond the end of the read */ + last_index = DIV_ROUND_UP(iocb->ki_pos + iter->count, PAGE_SIZE); + retry: + if (fatal_signal_pending(current)) + return -EINTR; + +- filemap_get_read_batch(mapping, index, last_index, fbatch); ++ filemap_get_read_batch(mapping, index, last_index - 1, fbatch); + if (!folio_batch_count(fbatch)) { + if (iocb->ki_flags & IOCB_NOIO) + return -EAGAIN; + page_cache_sync_readahead(mapping, ra, filp, index, + last_index - index); +- filemap_get_read_batch(mapping, index, last_index, fbatch); 
++ filemap_get_read_batch(mapping, index, last_index - 1, fbatch); + } + if (!folio_batch_count(fbatch)) { + if (iocb->ki_flags & (IOCB_NOWAIT | IOCB_WAITQ)) diff --git a/queue-6.1/mm-madv_collapse-set-eagain-on-unexpected-page-refcount.patch b/queue-6.1/mm-madv_collapse-set-eagain-on-unexpected-page-refcount.patch new file mode 100644 index 00000000000..43acfdd2d9e --- /dev/null +++ b/queue-6.1/mm-madv_collapse-set-eagain-on-unexpected-page-refcount.patch 
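Review bot: `last_index - 1` wraps to the largest index if `iocb->ki_pos + iter->count` is 0, because `DIV_ROUND_UP` then yields 0; the hunk shows neither the type of `last_index` nor a check that rejects zero-length reads before this point. If that guarantee exists in the caller, a note in the new comment would make it explicit, e.g. `/* "last_index" is the index of the page beyond the end of the read; callers ensure the read is non-empty, so last_index >= 1 */`. The same `last_index - 1` argument is passed at both `filemap_get_read_batch()` call sites, and the function continues outside the hunk.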
@@ -0,0 +1,42 @@ +From ae63c898f4004bbc7d212f4adcb3bb14852c30d6 Mon Sep 17 00:00:00 2001 +From: Zach O'Keefe +Date: Tue, 24 Jan 2023 17:57:37 -0800 +Subject: mm/MADV_COLLAPSE: set EAGAIN on unexpected page refcount + +From: Zach O'Keefe + +commit ae63c898f4004bbc7d212f4adcb3bb14852c30d6 upstream. + +During collapse, in a few places we check to see if a given small page has +any unaccounted references. If the refcount on the page doesn't match our +expectations, it must be there is an unknown user concurrently interested +in the page, and so it's not safe to move the contents elsewhere. +However, the unaccounted pins are likely an ephemeral state. + +In this situation, MADV_COLLAPSE returns -EINVAL when it should return +-EAGAIN. This could cause userspace to conclude that the syscall +failed, when it in fact could succeed by retrying. + +Link: https://lkml.kernel.org/r/20230125015738.912924-1-zokeefe@google.com +Fixes: 7d8faaf15545 ("mm/madvise: introduce MADV_COLLAPSE sync hugepage collapse") +Signed-off-by: Zach O'Keefe +Reported-by: Hugh Dickins +Acked-by: Hugh Dickins +Reviewed-by: Yang Shi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/khugepaged.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -2608,6 +2608,7 @@ static int madvise_collapse_errno(enum s + case SCAN_CGROUP_CHARGE_FAIL: + return -EBUSY; + /* Resource temporary unavailable - trying again might succeed */ ++ case SCAN_PAGE_COUNT: + case SCAN_PAGE_LOCK: + case SCAN_PAGE_LRU: + case SCAN_DEL_PAGE_LRU: diff --git a/queue-6.1/mm-migrate-fix-wrongly-apply-write-bit-after-mkdirty-on-sparc64.patch b/queue-6.1/mm-migrate-fix-wrongly-apply-write-bit-after-mkdirty-on-sparc64.patch new file mode 100644 index 00000000000..f643694b28b --- /dev/null +++ b/queue-6.1/mm-migrate-fix-wrongly-apply-write-bit-after-mkdirty-on-sparc64.patch 
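Review bot: Placing `case SCAN_PAGE_COUNT:` in the retry group assumes the extra reference is short-lived, which the commit message itself only calls likely; a long-lived pin on the page would make the call return -EAGAIN every time, and a caller that retries unconditionally would not terminate. The existing comment could carry that caveat, for example `/* Resource temporary unavailable - trying again might succeed; callers should bound retries */`. The switch in madvise_collapse_errno() starts and ends outside the hunk.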
@@ -0,0 +1,80 @@ +From 96a9c287e25d690fd9623b5133703b8e310fbed1 Mon Sep 17 00:00:00 2001 +From: Peter Xu +Date: Thu, 16 Feb 2023 10:30:59 -0500 +Subject: mm/migrate: fix wrongly apply write bit after mkdirty on sparc64 + +From: Peter Xu + +commit 96a9c287e25d690fd9623b5133703b8e310fbed1 upstream. + +Nick Bowler reported another sparc64 breakage after the young/dirty +persistent work for page migration (per "Link:" below). That's after a +similar report [2]. + +It turns out page migration was overlooked, and it wasn't failing before +because page migration was not enabled in the initial report test +environment. + +David proposed another way [2] to fix this from sparc64 side, but that +patch didn't land somehow. Neither did I check whether there's any other +arch that has similar issues. + +Let's fix it for now as simple as moving the write bit handling to be +after dirty, like what we did before. + +Note: this is based on mm-unstable, because the breakage was since 6.1 and +we're at a very late stage of 6.2 (-rc8), so I assume for this specific +case we should target this at 6.3. 
+ +[1] https://lore.kernel.org/all/20221021160603.GA23307@u164.east.ru/ +[2] https://lore.kernel.org/all/20221212130213.136267-1-david@redhat.com/ + +Link: https://lkml.kernel.org/r/20230216153059.256739-1-peterx@redhat.com +Fixes: 2e3468778dbe ("mm: remember young/dirty bit for page migrations") +Link: https://lore.kernel.org/all/CADyTPExpEqaJiMGoV+Z6xVgL50ZoMJg49B10LcZ=8eg19u34BA@mail.gmail.com/ +Signed-off-by: Peter Xu +Reported-by: Nick Bowler +Acked-by: David Hildenbrand +Tested-by: Nick Bowler +Cc: +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 6 ++++-- + mm/migrate.c | 2 ++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -3253,8 +3253,6 @@ void remove_migration_pmd(struct page_vm + pmde = mk_huge_pmd(new, READ_ONCE(vma->vm_page_prot)); + if (pmd_swp_soft_dirty(*pvmw->pmd)) + pmde = pmd_mksoft_dirty(pmde); +- if (is_writable_migration_entry(entry)) +- pmde = maybe_pmd_mkwrite(pmde, vma); + if (pmd_swp_uffd_wp(*pvmw->pmd)) + pmde = pmd_wrprotect(pmd_mkuffd_wp(pmde)); + if (!is_migration_entry_young(entry)) +@@ -3262,6 +3260,10 @@ void remove_migration_pmd(struct page_vm + /* NOTE: this may contain setting soft-dirty on some archs */ + if (PageDirty(new) && is_migration_entry_dirty(entry)) + pmde = pmd_mkdirty(pmde); ++ if (is_writable_migration_entry(entry)) ++ pmde = maybe_pmd_mkwrite(pmde, vma); ++ else ++ pmde = pmd_wrprotect(pmde); + + if (PageAnon(new)) { + rmap_t rmap_flags = RMAP_COMPOUND; +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -215,6 +215,8 @@ static bool remove_migration_pte(struct + pte = maybe_mkwrite(pte, vma); + else if (pte_swp_uffd_wp(*pvmw.pte)) + pte = pte_mkuffd_wp(pte); ++ else ++ pte = pte_wrprotect(pte); + + if (folio_test_anon(folio) && !is_readable_migration_entry(entry)) + rmap_flags |= RMAP_EXCLUSIVE; 
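Review bot: In mm/migrate.c the added `else pte = pte_wrprotect(pte);` is reached only when the entry is neither writable nor uffd-wp, so the `pte_swp_uffd_wp()` branch still ends with `pte_mkuffd_wp(pte)` and no explicit write-protect, whereas the mm/huge_memory.c path uses `pmd_wrprotect(pmd_mkuffd_wp(pmde))`. Whether `pte_mkuffd_wp()` clears the write bit on every architecture is not visible here; if it does not, a uffd-wp PTE could keep a write bit left by an earlier dirty step, and `pte = pte_wrprotect(pte_mkuffd_wp(pte));` would match the PMD side. In huge_memory.c the moved block now depends on running after `pmd_mkdirty()`, which deserves a comment such as `/* must follow mkdirty: on some archs mkdirty may set the write bit */`. Both functions continue outside the hunks.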
diff --git a/queue-6.1/mmc-jz4740-work-around-bug-on-jz4760-b.patch b/queue-6.1/mmc-jz4740-work-around-bug-on-jz4760-b.patch new file mode 100644 index 00000000000..3f5eb39dfd8 --- /dev/null +++ b/queue-6.1/mmc-jz4740-work-around-bug-on-jz4760-b.patch @@ -0,0 +1,44 @@ +From 3f18c5046e633cc4bbad396b74c05d46d353033d Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Tue, 31 Jan 2023 21:02:28 +0000 +Subject: mmc: jz4740: Work around bug on JZ4760(B) + +From: Paul Cercueil + +commit 3f18c5046e633cc4bbad396b74c05d46d353033d upstream. + +On JZ4760 and JZ4760B, SD cards fail to run if the maximum clock +rate is set to 50 MHz, even though the controller officially does +support it. + +Until the actual bug is found and fixed, limit the maximum clock rate to +24 MHz. + +Signed-off-by: Paul Cercueil +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230131210229.68129-1-paul@crapouillou.net +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/jz4740_mmc.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/mmc/host/jz4740_mmc.c ++++ b/drivers/mmc/host/jz4740_mmc.c +@@ -1053,6 +1053,16 @@ static int jz4740_mmc_probe(struct platf + mmc->ops = &jz4740_mmc_ops; + if (!mmc->f_max) + mmc->f_max = JZ_MMC_CLK_RATE; ++ ++ /* ++ * There seems to be a problem with this driver on the JZ4760 and ++ * JZ4760B SoCs. There, when using the maximum rate supported (50 MHz), ++ * the communication fails with many SD cards. ++ * Until this bug is sorted out, limit the maximum rate to 24 MHz. ++ */ ++ if (host->version == JZ_MMC_JZ4760 && mmc->f_max > JZ_MMC_CLK_RATE) ++ mmc->f_max = JZ_MMC_CLK_RATE; ++ + mmc->f_min = mmc->f_max / 128; + mmc->ocr_avail = MMC_VDD_32_33 | MMC_VDD_33_34; + diff --git a/queue-6.1/mmc-meson-gx-fix-sdio-mode-if-cap_sdio_irq-isn-t-set.patch b/queue-6.1/mmc-meson-gx-fix-sdio-mode-if-cap_sdio_irq-isn-t-set.patch new file mode 100644 index 00000000000..de9dc4f2fab --- /dev/null 
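Review bot: The new check `host->version == JZ_MMC_JZ4760` is described as covering both JZ4760 and JZ4760B, but the hunk does not show how a JZ4760B is mapped to a version value; if it has its own value the workaround would not apply to it, so that mapping should be confirmed. The comment also hard-codes "24 MHz" while the code clamps to `JZ_MMC_CLK_RATE`; wording the last sentence as `limit the maximum rate to JZ_MMC_CLK_RATE (24 MHz)` keeps the two from drifting apart. jz4740_mmc_probe() starts and ends outside the hunk.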
+++ b/queue-6.1/mmc-meson-gx-fix-sdio-mode-if-cap_sdio_irq-isn-t-set.patch 
@@ -0,0 +1,84 @@
+From 6ea6b95a7e3ec2015954cb514ee9dbc6dc80ec8f Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit
+Date: Mon, 13 Feb 2023 21:55:56 +0100
+Subject: mmc: meson-gx: fix SDIO mode if cap_sdio_irq isn't set
+
+From: Heiner Kallweit
+
+commit 6ea6b95a7e3ec2015954cb514ee9dbc6dc80ec8f upstream.
+
+Some SDIO WiFi modules stopped working after SDIO interrupt mode
+was added if cap_sdio_irq isn't set in device tree. This patch was
+confirmed to fix the issue.
+
+Fixes: 066ecde6d826 ("mmc: meson-gx: add SDIO interrupt support")
+Reported-by: Geraldo Nascimento
+Tested-by: Geraldo Nascimento
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiner Kallweit
+Link: https://lore.kernel.org/r/816cba9f-ff92-31a2-60f0-aca542d1d13e@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/meson-gx-mmc.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/mmc/host/meson-gx-mmc.c
++++ b/drivers/mmc/host/meson-gx-mmc.c
+@@ -435,7 +435,8 @@ static int meson_mmc_clk_init(struct mes
+ clk_reg |= FIELD_PREP(CLK_CORE_PHASE_MASK, CLK_PHASE_180);
+ clk_reg |= FIELD_PREP(CLK_TX_PHASE_MASK, CLK_PHASE_0);
+ clk_reg |= FIELD_PREP(CLK_RX_PHASE_MASK, CLK_PHASE_0);
+- clk_reg |= CLK_IRQ_SDIO_SLEEP(host);
++ if (host->mmc->caps & MMC_CAP_SDIO_IRQ)
++ clk_reg |= CLK_IRQ_SDIO_SLEEP(host);
+ writel(clk_reg, host->regs + SD_EMMC_CLOCK);
+
+ /* get the mux parents */
+@@ -948,16 +949,18 @@ static irqreturn_t meson_mmc_irq(int irq
+ {
+ struct meson_host *host = dev_id;
+ struct mmc_command *cmd;
+- u32 status, raw_status;
++ u32 status, raw_status, irq_mask = IRQ_EN_MASK;
+ irqreturn_t ret = IRQ_NONE;
+
++ if (host->mmc->caps & MMC_CAP_SDIO_IRQ)
++ irq_mask |= IRQ_SDIO;
+ raw_status = readl(host->regs + SD_EMMC_STATUS);
+- status = raw_status & (IRQ_EN_MASK | IRQ_SDIO);
++ status = raw_status & irq_mask;
+
+ if (!status) {
+ dev_dbg(host->dev,
+- "Unexpected IRQ! irq_en 0x%08lx - status 0x%08x\n",
+- IRQ_EN_MASK | IRQ_SDIO, raw_status);
++ "Unexpected IRQ! irq_en 0x%08x - status 0x%08x\n",
++ irq_mask, raw_status);
+ return IRQ_NONE;
+ }
+
+@@ -1204,6 +1207,11 @@ static int meson_mmc_probe(struct platfo
+ goto free_host;
+ }
+
++ mmc->caps |= MMC_CAP_CMD23;
++
++ if (mmc->caps & MMC_CAP_SDIO_IRQ)
++ mmc->caps2 |= MMC_CAP2_SDIO_IRQ_NOTHREAD;
++
+ host->data = (struct meson_mmc_data *)
+ of_device_get_match_data(&pdev->dev);
+ if (!host->data) {
+@@ -1277,11 +1285,6 @@ static int meson_mmc_probe(struct platfo
+
+ spin_lock_init(&host->lock);
+
+- mmc->caps |= MMC_CAP_CMD23;
+-
+- if (mmc->caps & MMC_CAP_SDIO_IRQ)
+- mmc->caps2 |= MMC_CAP2_SDIO_IRQ_NOTHREAD;
+-
+ if (host->dram_access_quirk) {
+ /* Limit segments to 1 due to low available sram memory */
+ mmc->max_segs = 1;
diff --git a/queue-6.1/mmc-mmc_spi-fix-error-handling-in-mmc_spi_probe.patch b/queue-6.1/mmc-mmc_spi-fix-error-handling-in-mmc_spi_probe.patch
new file mode 100644
index 00000000000..aaf67880807
--- /dev/null
+++ b/queue-6.1/mmc-mmc_spi-fix-error-handling-in-mmc_spi_probe.patch
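Review bot: The first `meson_mmc_probe()` hunk moves the `MMC_CAP_CMD23` / `MMC_CAP2_SDIO_IRQ_NOTHREAD` setup well ahead of its old position without a comment, while the new test in `meson_mmc_clk_init()` now depends on `host->mmc->caps` being settled before it runs. Neither hunk shows the calls that sit between the old and new positions, so the ordering constraint is invisible to whoever next rearranges probe; a line above the moved block such as `/* caps must be final before the clock and IRQ setup below test MMC_CAP_SDIO_IRQ */` would record it, once the call that actually needs it has been confirmed. The same `caps & MMC_CAP_SDIO_IRQ` test now appears in three places (clock init, IRQ handler, probe), and a small helper would keep them from drifting apart. All three functions extend beyond their hunks.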
@@ -0,0 +1,64 @@
+From cf4c9d2ac1e42c7d18b921bec39486896645b714 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Tue, 31 Jan 2023 09:38:35 +0800
+Subject: mmc: mmc_spi: fix error handling in mmc_spi_probe()
+
+From: Yang Yingliang
+
+commit cf4c9d2ac1e42c7d18b921bec39486896645b714 upstream.
+
+If mmc_add_host() fails, it doesn't need to call mmc_remove_host(),
+or it will cause null-ptr-deref, because of deleting a not added
+device in mmc_remove_host().
+
+To fix this, goto label 'fail_glue_init', if mmc_add_host() fails,
+and change the label 'fail_add_host' to 'fail_gpiod_request'.
+
+Fixes: 15a0580ced08 ("mmc_spi host driver")
+Signed-off-by: Yang Yingliang
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230131013835.3564011-1-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mmc_spi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -1437,7 +1437,7 @@ static int mmc_spi_probe(struct spi_devi
+
+ status = mmc_add_host(mmc);
+ if (status != 0)
+- goto fail_add_host;
++ goto fail_glue_init;
+
+ /*
+ * Index 0 is card detect
+@@ -1445,7 +1445,7 @@ static int mmc_spi_probe(struct spi_devi
+ */
+ status = mmc_gpiod_request_cd(mmc, NULL, 0, false, 1000);
+ if (status == -EPROBE_DEFER)
+- goto fail_add_host;
++ goto fail_gpiod_request;
+ if (!status) {
+ /*
+ * The platform has a CD GPIO signal that may support
+@@ -1460,7 +1460,7 @@ static int mmc_spi_probe(struct spi_devi
+ /* Index 1 is write protect/read only */
+ status = mmc_gpiod_request_ro(mmc, NULL, 1, 0);
+ if (status == -EPROBE_DEFER)
+- goto fail_add_host;
++ goto fail_gpiod_request;
+ if (!status)
+ has_ro = true;
+
+@@ -1474,7 +1474,7 @@ static int mmc_spi_probe(struct spi_devi
+ ? ", cd polling" : "");
+ return 0;
+
+-fail_add_host:
++fail_gpiod_request:
+ mmc_remove_host(mmc);
+ fail_glue_init:
+ mmc_spi_dma_free(host);
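Review bot: The renamed label `fail_gpiod_request:` still falls through into `fail_glue_init:`, and nothing at the label records that `mmc_remove_host()` is only valid once `mmc_add_host()` has returned 0, which is the invariant the old `goto fail_add_host` violated. A one-line comment at the label, `/* reached only after mmc_add_host() succeeded */`, would keep a later error path from jumping there too early and bringing the null dereference back. The context lines also show that only `-EPROBE_DEFER` from `mmc_gpiod_request_cd()` and `mmc_gpiod_request_ro()` is treated as fatal; if other error codes are ignored on purpose because the GPIOs are optional, that deserves a short comment too. `mmc_spi_probe()` starts and ends outside these hunks.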
diff --git a/queue-6.1/mmc-sdio-fix-possible-resource-leaks-in-some-error-paths.patch b/queue-6.1/mmc-sdio-fix-possible-resource-leaks-in-some-error-paths.patch
new file mode 100644
index 00000000000..d096d364299
--- /dev/null
+++ b/queue-6.1/mmc-sdio-fix-possible-resource-leaks-in-some-error-paths.patch
@@ -0,0 +1,127 @@
+From 605d9fb9556f8f5fb4566f4df1480f280f308ded Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Mon, 30 Jan 2023 20:58:08 +0800
+Subject: mmc: sdio: fix possible resource leaks in some error paths
+
+From: Yang Yingliang
+
+commit 605d9fb9556f8f5fb4566f4df1480f280f308ded upstream.
+
+If sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can
+not release the resources, because the sdio function is not presented
+in these two cases, it won't call of_node_put() or put_device().
+
+To fix these leaks, make sdio_func_present() only control whether
+device_del() needs to be called or not, then always call of_node_put()
+and put_device().
+
+In error case in sdio_init_func(), the reference of 'card->dev' is
+not get, to avoid redundant put in sdio_free_func_cis(), move the
+get_device() to sdio_alloc_func() and put_device() to sdio_release_func(),
+it can keep the get/put function be balanced.
+
+Without this patch, while doing fault inject test, it can get the
+following leak reports, after this fix, the leak is gone.
+
+unreferenced object 0xffff888112514000 (size 2048):
+ comm "kworker/3:2", pid 65, jiffies 4294741614 (age 124.774s)
+ hex dump (first 32 bytes):
+ 00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff ..o.....`X......
+ 10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff .@Q......@Q.....
+ backtrace:
+ [<000000009e5931da>] kmalloc_trace+0x21/0x110
+ [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]
+ [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]
+ [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]
+ [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]
+
+unreferenced object 0xffff888112511000 (size 2048):
+ comm "kworker/3:2", pid 65, jiffies 4294741623 (age 124.766s)
+ hex dump (first 32 bytes):
+ 00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff .@Q......X......
+ 10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff ..Q.......Q.....
+ backtrace:
+ [<000000009e5931da>] kmalloc_trace+0x21/0x110
+ [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]
+ [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]
+ [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]
+
+Fixes: 3d10a1ba0d37 ("sdio: fix reference counting in sdio_remove_func()")
+Signed-off-by: Yang Yingliang
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230130125808.3471254-1-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/sdio_bus.c | 17 ++++++++++++++---
+ drivers/mmc/core/sdio_cis.c | 12 ------------
+ 2 files changed, 14 insertions(+), 15 deletions(-)
+
+--- a/drivers/mmc/core/sdio_bus.c
++++ b/drivers/mmc/core/sdio_bus.c
+@@ -294,6 +294,12 @@ static void sdio_release_func(struct dev
+ if (!(func->card->quirks & MMC_QUIRK_NONSTD_SDIO))
+ sdio_free_func_cis(func);
+
++ /*
++ * We have now removed the link to the tuples in the
++ * card structure, so remove the reference.
++ */
++ put_device(&func->card->dev);
++
+ kfree(func->info);
+ kfree(func->tmpbuf);
+ kfree(func);
+@@ -324,6 +330,12 @@ struct sdio_func *sdio_alloc_func(struct
+
+ device_initialize(&func->dev);
+
++ /*
++ * We may link to tuples in the card structure,
++ * we need make sure we have a reference to it.
++ */
++ get_device(&func->card->dev);
++
+ func->dev.parent = &card->dev;
+ func->dev.bus = &sdio_bus_type;
+ func->dev.release = sdio_release_func;
+@@ -377,10 +389,9 @@ int sdio_add_func(struct sdio_func *func
+ */
+ void sdio_remove_func(struct sdio_func *func)
+ {
+- if (!sdio_func_present(func))
+- return;
++ if (sdio_func_present(func))
++ device_del(&func->dev);
+
+- device_del(&func->dev);
+ of_node_put(func->dev.of_node);
+ put_device(&func->dev);
+ }
+--- a/drivers/mmc/core/sdio_cis.c
++++ b/drivers/mmc/core/sdio_cis.c
+@@ -404,12 +404,6 @@ int sdio_read_func_cis(struct sdio_func
+ return ret;
+
+ /*
+- * Since we've linked to tuples in the card structure,
+- * we must make sure we have a reference to it.
+- */
+- get_device(&func->card->dev);
+-
+- /*
+ * Vendor/device id is optional for function CIS, so
+ * copy it from the card structure as needed.
+ */
+@@ -434,11 +428,5 @@ void sdio_free_func_cis(struct sdio_func
+ }
+
+ func->tuples = NULL;
+-
+- /*
+- * We have now removed the link to the tuples in the
+- * card structure, so remove the reference.
+- */
+- put_device(&func->card->dev);
+ }
+
diff --git a/queue-6.1/nilfs2-fix-underflow-in-second-superblock-position-calculations.patch b/queue-6.1/nilfs2-fix-underflow-in-second-superblock-position-calculations.patch
new file mode 100644
index 00000000000..f0d3eb91241
--- /dev/null
+++ b/queue-6.1/nilfs2-fix-underflow-in-second-superblock-position-calculations.patch
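Review bot: In the `sdio_alloc_func()` hunk the new `get_device(&func->card->dev);` reaches the card through `func->card`, while the very next line uses the `card` argument directly (`func->dev.parent = &card->dev;`); the assignment of `func->card` is not in the hunk, so the call is only safe if that assignment happens earlier in the function. Writing `get_device(&card->dev);` removes the dependency and matches the neighbouring line. The comment carried over into `sdio_release_func()` ("We have now removed the link to the tuples…") no longer fits there, because the `put_device()` now runs even when `sdio_free_func_cis()` is skipped for `MMC_QUIRK_NONSTD_SDIO` cards; `/* drop the card reference taken in sdio_alloc_func() */` describes the pairing the fix relies on. Both functions continue outside their hunks.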
@@ -0,0 +1,135 @@
+From 99b9402a36f0799f25feee4465bfa4b8dfa74b4d Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Wed, 15 Feb 2023 07:40:43 +0900
+Subject: nilfs2: fix underflow in second superblock position calculations
+
+From: Ryusuke Konishi
+
+commit 99b9402a36f0799f25feee4465bfa4b8dfa74b4d upstream.
+
+Macro NILFS_SB2_OFFSET_BYTES, which computes the position of the second
+superblock, underflows when the argument device size is less than 4096
+bytes. Therefore, when using this macro, it is necessary to check in
+advance that the device size is not less than a lower limit, or at least
+that underflow does not occur.
+
+The current nilfs2 implementation lacks this check, causing out-of-bound
+block access when mounting devices smaller than 4096 bytes:
+
+ I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0
+ phys_seg 1 prio class 2
+ NILFS (loop0): unable to read secondary superblock (blocksize = 1024)
+
+In addition, when trying to resize the filesystem to a size below 4096
+bytes, this underflow occurs in nilfs_resize_fs(), passing a huge number
+of segments to nilfs_sufile_resize(), corrupting parameters such as the
+number of segments in superblocks. This causes excessive loop iterations
+in nilfs_sufile_resize() during a subsequent resize ioctl, causing
+semaphore ns_segctor_sem to block for a long time and hang the writer
+thread:
+
+ INFO: task segctord:5067 blocked for more than 143 seconds.
+ Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ task:segctord state:D stack:23456 pid:5067 ppid:2
+ flags:0x00004000
+ Call Trace:
+
+ context_switch kernel/sched/core.c:5293 [inline]
+ __schedule+0x1409/0x43f0 kernel/sched/core.c:6606
+ schedule+0xc3/0x190 kernel/sched/core.c:6682
+ rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190
+ nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357
+ nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]
+ nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570
+ kthread+0x270/0x300 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+ ...
+ Call Trace:
+
+ folio_mark_accessed+0x51c/0xf00 mm/swap.c:515
+ __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]
+ nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61
+ nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121
+ nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176
+ nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251
+ nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]
+ nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]
+ nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777
+ nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422
+ nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]
+ nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301
+ ...
+
+This fixes these issues by inserting appropriate minimum device size
+checks or anti-underflow checks, depending on where the macro is used.
+
+Link: https://lkml.kernel.org/r/0000000000004e1dfa05f4a48e6b@google.com
+Link: https://lkml.kernel.org/r/20230214224043.24141-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi
+Reported-by:
+Tested-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/ioctl.c | 7 +++++++
+ fs/nilfs2/super.c | 9 +++++++++
+ fs/nilfs2/the_nilfs.c | 8 +++++++-
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/ioctl.c
++++ b/fs/nilfs2/ioctl.c
+@@ -1114,7 +1114,14 @@ static int nilfs_ioctl_set_alloc_range(s
+
+ minseg = range[0] + segbytes - 1;
+ do_div(minseg, segbytes);
++
++ if (range[1] < 4096)
++ goto out;
++
+ maxseg = NILFS_SB2_OFFSET_BYTES(range[1]);
++ if (maxseg < segbytes)
++ goto out;
++
+ do_div(maxseg, segbytes);
+ maxseg--;
+
+--- a/fs/nilfs2/super.c
++++ b/fs/nilfs2/super.c
+@@ -409,6 +409,15 @@ int nilfs_resize_fs(struct super_block *
+ goto out;
+
+ /*
++ * Prevent underflow in second superblock position calculation.
++ * The exact minimum size check is done in nilfs_sufile_resize().
++ */
++ if (newsize < 4096) {
++ ret = -ENOSPC;
++ goto out;
++ }
++
++ /*
+ * Write lock is required to protect some functions depending
+ * on the number of segments, the number of reserved segments,
+ * and so forth.
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -544,9 +544,15 @@ static int nilfs_load_super_block(struct
+ {
+ struct nilfs_super_block **sbp = nilfs->ns_sbp;
+ struct buffer_head **sbh = nilfs->ns_sbh;
+- u64 sb2off = NILFS_SB2_OFFSET_BYTES(bdev_nr_bytes(nilfs->ns_bdev));
++ u64 sb2off, devsize = bdev_nr_bytes(nilfs->ns_bdev);
+ int valid[2], swp = 0;
+
++ if (devsize < NILFS_SEG_MIN_BLOCKS * NILFS_MIN_BLOCK_SIZE + 4096) {
++ nilfs_err(sb, "device size too small");
++ return -EINVAL;
++ }
++ sb2off = NILFS_SB2_OFFSET_BYTES(devsize);
++
+ sbp[0] = nilfs_read_super_block(sb, NILFS_SB_OFFSET_BYTES, blocksize,
+ &sbh[0]);
+ sbp[1] = nilfs_read_super_block(sb, sb2off, blocksize, &sbh[1]);
diff --git a/queue-6.1/sched-psi-fix-use-after-free-in-ep_remove_wait_queue.patch b/queue-6.1/sched-psi-fix-use-after-free-in-ep_remove_wait_queue.patch
new file mode 100644
index 00000000000..dd1287a9ff3
--- /dev/null
+++ b/queue-6.1/sched-psi-fix-use-after-free-in-ep_remove_wait_queue.patch
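Review bot: The bare literal `4096` now guards `NILFS_SB2_OFFSET_BYTES()` in three files (`if (range[1] < 4096)` in ioctl.c, `if (newsize < 4096)` in super.c, and the `+ 4096` term in the_nilfs.c), and every copy has to stay in step with the macro, whose definition is not on the page. A single named constant defined next to the macro, with the name left to the maintainers, would keep the three checks from drifting apart. In `nilfs_ioctl_set_alloc_range()` both new `goto out;` statements rely on `ret` already holding an error code; that assignment is outside the hunk, so it is worth confirming that an undersized `range[1]` supplied from user space cannot make the ioctl return 0. The three paths also report the condition differently (`-ENOSPC`, `-EINVAL`, and whatever `out` returns), which a short comment could justify. All three functions extend beyond their hunks.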
@@ -0,0 +1,135 @@
+From c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe Mon Sep 17 00:00:00 2001
+From: Munehisa Kamata
+Date: Tue, 14 Feb 2023 13:27:05 -0800
+Subject: sched/psi: Fix use-after-free in ep_remove_wait_queue()
+
+From: Munehisa Kamata
+
+commit c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe upstream.
+
+If a non-root cgroup gets removed when there is a thread that registered
+trigger and is polling on a pressure file within the cgroup, the polling
+waitqueue gets freed in the following path:
+
+ do_rmdir
+ cgroup_rmdir
+ kernfs_drain_open_files
+ cgroup_file_release
+ cgroup_pressure_release
+ psi_trigger_destroy
+
+However, the polling thread still has a reference to the pressure file and
+will access the freed waitqueue when the file is closed or upon exit:
+
+ fput
+ ep_eventpoll_release
+ ep_free
+ ep_remove_wait_queue
+ remove_wait_queue
+
+This results in use-after-free as pasted below.
+
+The fundamental problem here is that cgroup_file_release() (and
+consequently waitqueue's lifetime) is not tied to the file's real lifetime.
+Using wake_up_pollfree() here might be less than ideal, but it is in line
+with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()")
+since the waitqueue's lifetime is not tied to file's one and can be
+considered as another special case. While this would be fixable by somehow
+making cgroup_file_release() be tied to the fput(), it would require
+sizable refactoring at cgroups or higher layer which might be more
+justifiable if we identify more cases like this.
+
+ BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0
+ Write of size 4 at addr ffff88810e625328 by task a.out/4404
+
+ CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38
+ Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017
+ Call Trace:
+
+ dump_stack_lvl+0x73/0xa0
+ print_report+0x16c/0x4e0
+ kasan_report+0xc3/0xf0
+ kasan_check_range+0x2d2/0x310
+ _raw_spin_lock_irqsave+0x60/0xc0
+ remove_wait_queue+0x1a/0xa0
+ ep_free+0x12c/0x170
+ ep_eventpoll_release+0x26/0x30
+ __fput+0x202/0x400
+ task_work_run+0x11d/0x170
+ do_exit+0x495/0x1130
+ do_group_exit+0x100/0x100
+ get_signal+0xd67/0xde0
+ arch_do_signal_or_restart+0x2a/0x2b0
+ exit_to_user_mode_prepare+0x94/0x100
+ syscall_exit_to_user_mode+0x20/0x40
+ do_syscall_64+0x52/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+
+ Allocated by task 4404:
+
+ kasan_set_track+0x3d/0x60
+ __kasan_kmalloc+0x85/0x90
+ psi_trigger_create+0x113/0x3e0
+ pressure_write+0x146/0x2e0
+ cgroup_file_write+0x11c/0x250
+ kernfs_fop_write_iter+0x186/0x220
+ vfs_write+0x3d8/0x5c0
+ ksys_write+0x90/0x110
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+ Freed by task 4407:
+
+ kasan_set_track+0x3d/0x60
+ kasan_save_free_info+0x27/0x40
+ ____kasan_slab_free+0x11d/0x170
+ slab_free_freelist_hook+0x87/0x150
+ __kmem_cache_free+0xcb/0x180
+ psi_trigger_destroy+0x2e8/0x310
+ cgroup_file_release+0x4f/0xb0
+ kernfs_drain_open_files+0x165/0x1f0
+ kernfs_drain+0x162/0x1a0
+ __kernfs_remove+0x1fb/0x310
+ kernfs_remove_by_name_ns+0x95/0xe0
+ cgroup_addrm_files+0x67f/0x700
+ cgroup_destroy_locked+0x283/0x3c0
+ cgroup_rmdir+0x29/0x100
+ kernfs_iop_rmdir+0xd1/0x140
+ vfs_rmdir+0xfe/0x240
+ do_rmdir+0x13d/0x280
+ __x64_sys_rmdir+0x2c/0x30
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 0e94682b73bf ("psi: introduce psi monitor")
+Signed-off-by: Munehisa Kamata
+Signed-off-by: Mengchi Cheng
+Signed-off-by: Ingo Molnar
+Acked-by: Suren Baghdasaryan
+Acked-by: Peter Zijlstra
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/lkml/20230106224859.4123476-1-kamatam@amazon.com/
+Link: https://lore.kernel.org/r/20230214212705.4058045-1-kamatam@amazon.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/psi.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/kernel/sched/psi.c
++++ b/kernel/sched/psi.c
+@@ -1278,10 +1278,11 @@ void psi_trigger_destroy(struct psi_trig
+
+ group = t->group;
+ /*
+- * Wakeup waiters to stop polling. Can happen if cgroup is deleted
+- * from under a polling process.
++ * Wakeup waiters to stop polling and clear the queue to prevent it from
++ * being accessed later. Can happen if cgroup is deleted from under a
++ * polling process.
+ */
+- wake_up_interruptible(&t->event_wait);
++ wake_up_pollfree(&t->event_wait);
+
+ mutex_lock(&group->trigger_lock);
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 1d809fd870d..99a34ecf0a3 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
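Review bot: The updated comment in `psi_trigger_destroy()` explains why `wake_up_pollfree()` is used but leaves out the obligation that, as I understand its contract, comes with it: the wait queue head must not be freed until an RCU grace period has passed after the call, otherwise the use-after-free shown in the commit message only moves. The code that frees `t` is outside the hunk, so it cannot be confirmed from here that the free is RCU-delayed. If it is, an extra comment line such as `* wake_up_pollfree() requires t->event_wait to be freed only after an RCU grace period.` would stop a later cleanup from removing the grace period unnoticed. The function continues past `mutex_lock(&group->trigger_lock);`.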
@@ -52,3 +52,22 @@ drm-amd-amdgpu-fix-warning-during-suspend.patch
 drm-amd-display-fail-atomic_check-early-on-normalize_zpos-error.patch
 drm-vmwgfx-stop-accessing-buffer-objects-which-failed-init.patch
 drm-vmwgfx-do-not-drop-the-reference-to-the-handle-too-soon.patch
+mmc-jz4740-work-around-bug-on-jz4760-b.patch
+mmc-meson-gx-fix-sdio-mode-if-cap_sdio_irq-isn-t-set.patch
+mmc-sdio-fix-possible-resource-leaks-in-some-error-paths.patch
+mmc-mmc_spi-fix-error-handling-in-mmc_spi_probe.patch
+alsa-hda-fix-codec-device-field-initializan.patch
+alsa-hda-conexant-add-a-new-hda-codec-sn6180.patch
+alsa-hda-realtek-fixed-wrong-gpio-assigned.patch
+alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-a-hp-platform.patch
+alsa-hda-realtek-enable-mute-micmute-leds-and-speaker-support-for-hp-laptops.patch
+ata-ahci-add-tiger-lake-up-3-4-ahci-controller.patch
+ata-libata-core-disable-read-log-dma-ext-for-samsung-mz7lh.patch
+sched-psi-fix-use-after-free-in-ep_remove_wait_queue.patch
+hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch
+nilfs2-fix-underflow-in-second-superblock-position-calculations.patch
+mm-madv_collapse-set-eagain-on-unexpected-page-refcount.patch
+mm-filemap-fix-page-end-in-filemap_get_read_batch.patch
+mm-migrate-fix-wrongly-apply-write-bit-after-mkdirty-on-sparc64.patch
+gpio-sim-fix-a-memory-leak.patch
+freezer-umh-fix-call_usermode_helper_exec-vs-sigkill.patch