From eb6c969c2b1e40aa2ea5f9bc934663c70e8eba11 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 18 Feb 2023 09:06:01 +0100
Subject: [PATCH] 5.4-stable patches
added patches:
alsa-hda-conexant-add-a-new-hda-codec-sn6180.patch
alsa-hda-realtek-fixed-wrong-gpio-assigned.patch
hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch
mmc-jz4740-work-around-bug-on-jz4760-b.patch
mmc-mmc_spi-fix-error-handling-in-mmc_spi_probe.patch
mmc-sdio-fix-possible-resource-leaks-in-some-error-paths.patch
sched-psi-fix-use-after-free-in-ep_remove_wait_queue.patch
---
...-conexant-add-a-new-hda-codec-sn6180.patch | 31 ++++
...da-realtek-fixed-wrong-gpio-assigned.patch | 32 +++++
...efined-shift-on-32-bit-architectures.patch | 63 ++++++++
...c-jz4740-work-around-bug-on-jz4760-b.patch | 44 ++++++
...-fix-error-handling-in-mmc_spi_probe.patch | 64 +++++++++
...e-resource-leaks-in-some-error-paths.patch | 127 ++++++++++++++++
...e-after-free-in-ep_remove_wait_queue.patch | 135 ++++++++++++++++++
queue-5.4/series | 7 +
8 files changed, 503 insertions(+)
create mode 100644 queue-5.4/alsa-hda-conexant-add-a-new-hda-codec-sn6180.patch
create mode 100644 queue-5.4/alsa-hda-realtek-fixed-wrong-gpio-assigned.patch
create mode 100644 queue-5.4/hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch
create mode 100644 queue-5.4/mmc-jz4740-work-around-bug-on-jz4760-b.patch
create mode 100644 queue-5.4/mmc-mmc_spi-fix-error-handling-in-mmc_spi_probe.patch
create mode 100644 queue-5.4/mmc-sdio-fix-possible-resource-leaks-in-some-error-paths.patch
create mode 100644 queue-5.4/sched-psi-fix-use-after-free-in-ep_remove_wait_queue.patch
diff --git a/queue-5.4/alsa-hda-conexant-add-a-new-hda-codec-sn6180.patch b/queue-5.4/alsa-hda-conexant-add-a-new-hda-codec-sn6180.patch
new file mode 100644
index 00000000000..59ca65d36e3
--- /dev/null
+++ b/queue-5.4/alsa-hda-conexant-add-a-new-hda-codec-sn6180.patch
@@ -0,0 +1,31 @@
+From 18d7e16c917a08f08778ecf2b780d63648d5d923 Mon Sep 17 00:00:00 2001
+From: Bo Liu
+Date: Thu, 9 Feb 2023 10:13:48 +0800
+Subject: ALSA: hda/conexant: add a new hda codec SN6180
+
+From: Bo Liu
+
+commit 18d7e16c917a08f08778ecf2b780d63648d5d923 upstream.
+
+The current kernel does not support the SN6180 codec chip.
+Add the SN6180 codec configuration item to kernel.
+
+Signed-off-by: Bo Liu
+Cc:
+Link: https://lore.kernel.org/r/1675908828-1012-1-git-send-email-bo.liu@senarytech.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -1093,6 +1093,7 @@ static const struct hda_device_id snd_hd
+ HDA_CODEC_ENTRY(0x14f11f86, "CX8070", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f12008, "CX8200", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f120d0, "CX11970", patch_conexant_auto),
++ HDA_CODEC_ENTRY(0x14f120d1, "SN6180", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f15045, "CX20549 (Venice)", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f15047, "CX20551 (Waikiki)", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f15051, "CX20561 (Hermosa)", patch_conexant_auto),
diff --git a/queue-5.4/alsa-hda-realtek-fixed-wrong-gpio-assigned.patch b/queue-5.4/alsa-hda-realtek-fixed-wrong-gpio-assigned.patch
new file mode 100644
index 00000000000..287e1cefd41
--- /dev/null
+++ b/queue-5.4/alsa-hda-realtek-fixed-wrong-gpio-assigned.patch
@@ -0,0 +1,32 @@
+From 2bdccfd290d421b50df4ec6a68d832dad1310748 Mon Sep 17 00:00:00 2001
+From: Kailang Yang
+Date: Mon, 13 Feb 2023 14:54:22 +0800
+Subject: ALSA: hda/realtek - fixed wrong gpio assigned
+
+From: Kailang Yang
+
+commit 2bdccfd290d421b50df4ec6a68d832dad1310748 upstream.
+
+GPIO2 PIN use for output. Mask Dir and Data need to assign for 0x4. Not 0x3.
+This fixed was for Lenovo Desktop(0x17aa1056). GPIO2 use for AMP enable.
+
+Signed-off-by: Kailang Yang
+Cc:
+Link: https://lore.kernel.org/r/8d02bb9ac8134f878cd08607fdf088fd@realtek.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -770,7 +770,7 @@ do_sku:
+ alc_setup_gpio(codec, 0x02);
+ break;
+ case 7:
+- alc_setup_gpio(codec, 0x03);
++ alc_setup_gpio(codec, 0x04);
+ break;
+ case 5:
+ default:
diff --git a/queue-5.4/hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch b/queue-5.4/hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch
new file mode 100644
index 00000000000..7c28e20aa82
--- /dev/null
+++ b/queue-5.4/hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch
@@ -0,0 +1,63 @@
+From ec4288fe63966b26d53907212ecd05dfa81dd2cc Mon Sep 17 00:00:00 2001
+From: Mike Kravetz
+Date: Wed, 15 Feb 2023 17:35:42 -0800
+Subject: hugetlb: check for undefined shift on 32 bit architectures
+
+From: Mike Kravetz
+
+commit ec4288fe63966b26d53907212ecd05dfa81dd2cc upstream.
+
+Users can specify the hugetlb page size in the mmap, shmget and
+memfd_create system calls. This is done by using 6 bits within the flags
+argument to encode the base-2 logarithm of the desired page size. The
+routine hstate_sizelog() uses the log2 value to find the corresponding
+hugetlb hstate structure. Converting the log2 value (page_size_log) to
+potential hugetlb page size is the simple statement:
+
+ 1UL << page_size_log
+
+Because only 6 bits are used for page_size_log, the left shift can not be
+greater than 63. This is fine on 64 bit architectures where a long is 64
+bits. However, if a value greater than 31 is passed on a 32 bit
+architecture (where long is 32 bits) the shift will result in undefined
+behavior. This was generally not an issue as the result of the undefined
+shift had to exactly match hugetlb page size to proceed.
+
+Recent improvements in runtime checking have resulted in this undefined
+behavior throwing errors such as reported below.
+
+Fix by comparing page_size_log to BITS_PER_LONG before doing shift.
+
+Link: https://lkml.kernel.org/r/20230216013542.138708-1-mike.kravetz@oracle.com
+Link: https://lore.kernel.org/lkml/CA+G9fYuei_Tr-vN9GS7SfFyU1y9hNysnf=PB7kT0=yv4MiPgVg@mail.gmail.com/
+Fixes: 42d7395feb56 ("mm: support more pagesizes for MAP_HUGETLB/SHM_HUGETLB")
+Signed-off-by: Mike Kravetz
+Reported-by: Naresh Kamboju
+Reviewed-by: Jesper Juhl
+Acked-by: Muchun Song
+Tested-by: Linux Kernel Functional Testing
+Tested-by: Naresh Kamboju
+Cc: Anders Roxell
+Cc: Andi Kleen
+Cc: Sasha Levin
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/hugetlb.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -397,7 +397,10 @@ static inline struct hstate *hstate_size
+ if (!page_size_log)
+ return &default_hstate;
+
+- return size_to_hstate(1UL << page_size_log);
++ if (page_size_log < BITS_PER_LONG)
++ return size_to_hstate(1UL << page_size_log);
++
++ return NULL;
+ }
+
+ static inline struct hstate *hstate_vma(struct vm_area_struct *vma)
diff --git a/queue-5.4/mmc-jz4740-work-around-bug-on-jz4760-b.patch b/queue-5.4/mmc-jz4740-work-around-bug-on-jz4760-b.patch
new file mode 100644
index 00000000000..501f4851131
--- /dev/null
+++ b/queue-5.4/mmc-jz4740-work-around-bug-on-jz4760-b.patch
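Review bot: The new bound check and `return NULL;` in hstate_sizelog() carry no comment, so nothing in the header says that the value is user-controlled or why the limit is BITS_PER_LONG, and a later cleanup could fold the guard away again. I would add above the check `/* page_size_log is taken from user-supplied flag bits; shifting by >= BITS_PER_LONG is undefined */`. The signature is cut off in the hunk header, so the parameter type is not visible; if it is signed, a negative value passes the `<` test and is equally undefined, which an explicit `page_size_log > 0 &&` would close regardless of how callers mask the flags. Callers now get NULL from this explicit path as well as from size_to_hstate(); presumably they already handle a failed lookup, but that is outside this hunk and worth confirming.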
@@ -0,0 +1,44 @@
+From 3f18c5046e633cc4bbad396b74c05d46d353033d Mon Sep 17 00:00:00 2001
+From: Paul Cercueil
+Date: Tue, 31 Jan 2023 21:02:28 +0000
+Subject: mmc: jz4740: Work around bug on JZ4760(B)
+
+From: Paul Cercueil
+
+commit 3f18c5046e633cc4bbad396b74c05d46d353033d upstream.
+
+On JZ4760 and JZ4760B, SD cards fail to run if the maximum clock
+rate is set to 50 MHz, even though the controller officially does
+support it.
+
+Until the actual bug is found and fixed, limit the maximum clock rate to
+24 MHz.
+
+Signed-off-by: Paul Cercueil
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230131210229.68129-1-paul@crapouillou.net
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/jz4740_mmc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/mmc/host/jz4740_mmc.c
++++ b/drivers/mmc/host/jz4740_mmc.c
+@@ -1006,6 +1006,16 @@ static int jz4740_mmc_probe(struct platf
+ mmc->ops = &jz4740_mmc_ops;
+ if (!mmc->f_max)
+ mmc->f_max = JZ_MMC_CLK_RATE;
++
++ /*
++ * There seems to be a problem with this driver on the JZ4760 and
++ * JZ4760B SoCs. There, when using the maximum rate supported (50 MHz),
++ * the communication fails with many SD cards.
++ * Until this bug is sorted out, limit the maximum rate to 24 MHz.
++ */
++ if (host->version == JZ_MMC_JZ4760 && mmc->f_max > JZ_MMC_CLK_RATE)
++ mmc->f_max = JZ_MMC_CLK_RATE;
++
+ mmc->f_min = mmc->f_max / 128;
+ mmc->ocr_avail = MMC_VDD_32_33 | MMC_VDD_33_34;
+
diff --git a/queue-5.4/mmc-mmc_spi-fix-error-handling-in-mmc_spi_probe.patch b/queue-5.4/mmc-mmc_spi-fix-error-handling-in-mmc_spi_probe.patch
new file mode 100644
index 00000000000..01e8d23d452
--- /dev/null
+++ b/queue-5.4/mmc-mmc_spi-fix-error-handling-in-mmc_spi_probe.patch
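Review bot: The comment added in jz4740_mmc_probe() promises a 24 MHz cap, but the code clamps to `JZ_MMC_CLK_RATE`, whose value is not visible in this hunk; if that constant ever changes, the comment and the workaround diverge silently. I would word the last comment line as `* Until this bug is sorted out, limit the maximum rate to JZ_MMC_CLK_RATE (24 MHz).`. The comment also names the JZ4760B while the test is only `host->version == JZ_MMC_JZ4760`; presumably both SoCs share that version value, and saying so in the comment would save the next reader a lookup. As this is a backport, a build check that `JZ_MMC_JZ4760` is defined in the 5.4 driver is also worth doing, since the hunk cannot show it.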
@@ -0,0 +1,64 @@
+From cf4c9d2ac1e42c7d18b921bec39486896645b714 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Tue, 31 Jan 2023 09:38:35 +0800
+Subject: mmc: mmc_spi: fix error handling in mmc_spi_probe()
+
+From: Yang Yingliang
+
+commit cf4c9d2ac1e42c7d18b921bec39486896645b714 upstream.
+
+If mmc_add_host() fails, it doesn't need to call mmc_remove_host(),
+or it will cause null-ptr-deref, because of deleting a not added
+device in mmc_remove_host().
+
+To fix this, goto label 'fail_glue_init', if mmc_add_host() fails,
+and change the label 'fail_add_host' to 'fail_gpiod_request'.
+
+Fixes: 15a0580ced08 ("mmc_spi host driver")
+Signed-off-by: Yang Yingliang
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230131013835.3564011-1-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mmc_spi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -1420,7 +1420,7 @@ static int mmc_spi_probe(struct spi_devi
+
+ status = mmc_add_host(mmc);
+ if (status != 0)
+- goto fail_add_host;
++ goto fail_glue_init;
+
+ /*
+ * Index 0 is card detect
+@@ -1428,7 +1428,7 @@ static int mmc_spi_probe(struct spi_devi
+ */
+ status = mmc_gpiod_request_cd(mmc, NULL, 0, false, 1, NULL);
+ if (status == -EPROBE_DEFER)
+- goto fail_add_host;
++ goto fail_gpiod_request;
+ if (!status) {
+ /*
+ * The platform has a CD GPIO signal that may support
+@@ -1443,7 +1443,7 @@ static int mmc_spi_probe(struct spi_devi
+ /* Index 1 is write protect/read only */
+ status = mmc_gpiod_request_ro(mmc, NULL, 1, 0, NULL);
+ if (status == -EPROBE_DEFER)
+- goto fail_add_host;
++ goto fail_gpiod_request;
+ if (!status)
+ has_ro = true;
+
+@@ -1457,7 +1457,7 @@ static int mmc_spi_probe(struct spi_devi
+ ? ", cd polling" : "");
+ return 0;
+
+-fail_add_host:
++fail_gpiod_request:
+ mmc_remove_host(mmc);
+ fail_glue_init:
+ if (host->dma_dev)
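Review bot: The unwind in mmc_spi_probe() now depends entirely on which label each error path picks, and nothing at the `goto fail_glue_init;` after mmc_add_host() says why it must skip `mmc_remove_host()`. I would add a comment there such as `/* host was never added: must not reach mmc_remove_host() */`, so an error path inserted later between the two labels is not wired to the wrong one. The two GPIO requests jump to `fail_gpiod_request` only on `-EPROBE_DEFER`; other negative returns fall through as if no GPIO were present, which looks intentional for optional lines but is not stated in the visible context. The function body starts and ends outside these hunks.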
diff --git a/queue-5.4/mmc-sdio-fix-possible-resource-leaks-in-some-error-paths.patch b/queue-5.4/mmc-sdio-fix-possible-resource-leaks-in-some-error-paths.patch
new file mode 100644
index 00000000000..19f8e31e434
--- /dev/null
+++ b/queue-5.4/mmc-sdio-fix-possible-resource-leaks-in-some-error-paths.patch
@@ -0,0 +1,127 @@
+From 605d9fb9556f8f5fb4566f4df1480f280f308ded Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Mon, 30 Jan 2023 20:58:08 +0800
+Subject: mmc: sdio: fix possible resource leaks in some error paths
+
+From: Yang Yingliang
+
+commit 605d9fb9556f8f5fb4566f4df1480f280f308ded upstream.
+
+If sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can
+not release the resources, because the sdio function is not presented
+in these two cases, it won't call of_node_put() or put_device().
+
+To fix these leaks, make sdio_func_present() only control whether
+device_del() needs to be called or not, then always call of_node_put()
+and put_device().
+
+In error case in sdio_init_func(), the reference of 'card->dev' is
+not get, to avoid redundant put in sdio_free_func_cis(), move the
+get_device() to sdio_alloc_func() and put_device() to sdio_release_func(),
+it can keep the get/put function be balanced.
+
+Without this patch, while doing fault inject test, it can get the
+following leak reports, after this fix, the leak is gone.
+
+unreferenced object 0xffff888112514000 (size 2048):
+ comm "kworker/3:2", pid 65, jiffies 4294741614 (age 124.774s)
+ hex dump (first 32 bytes):
+ 00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff ..o.....`X......
+ 10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff .@Q......@Q.....
+ backtrace:
+ [<000000009e5931da>] kmalloc_trace+0x21/0x110
+ [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]
+ [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]
+ [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]
+ [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]
+
+unreferenced object 0xffff888112511000 (size 2048):
+ comm "kworker/3:2", pid 65, jiffies 4294741623 (age 124.766s)
+ hex dump (first 32 bytes):
+ 00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff .@Q......X......
+ 10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff ..Q.......Q.....
+ backtrace:
+ [<000000009e5931da>] kmalloc_trace+0x21/0x110
+ [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]
+ [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]
+ [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]
+
+Fixes: 3d10a1ba0d37 ("sdio: fix reference counting in sdio_remove_func()")
+Signed-off-by: Yang Yingliang
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230130125808.3471254-1-yangyingliang@huawei.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/sdio_bus.c | 17 ++++++++++++++---
+ drivers/mmc/core/sdio_cis.c | 12 ------------
+ 2 files changed, 14 insertions(+), 15 deletions(-)
+
+--- a/drivers/mmc/core/sdio_bus.c
++++ b/drivers/mmc/core/sdio_bus.c
+@@ -269,6 +269,12 @@ static void sdio_release_func(struct dev
+ if (!(func->card->quirks & MMC_QUIRK_NONSTD_SDIO))
+ sdio_free_func_cis(func);
+
++ /*
++ * We have now removed the link to the tuples in the
++ * card structure, so remove the reference.
++ */
++ put_device(&func->card->dev);
++
+ kfree(func->info);
+ kfree(func->tmpbuf);
+ kfree(func);
+@@ -299,6 +305,12 @@ struct sdio_func *sdio_alloc_func(struct
+
+ device_initialize(&func->dev);
+
++ /*
++ * We may link to tuples in the card structure,
++ * we need make sure we have a reference to it.
++ */
++ get_device(&func->card->dev);
++
+ func->dev.parent = &card->dev;
+ func->dev.bus = &sdio_bus_type;
+ func->dev.release = sdio_release_func;
+@@ -352,10 +364,9 @@ int sdio_add_func(struct sdio_func *func
+ */
+ void sdio_remove_func(struct sdio_func *func)
+ {
+- if (!sdio_func_present(func))
+- return;
++ if (sdio_func_present(func))
++ device_del(&func->dev);
+
+- device_del(&func->dev);
+ of_node_put(func->dev.of_node);
+ put_device(&func->dev);
+ }
+--- a/drivers/mmc/core/sdio_cis.c
++++ b/drivers/mmc/core/sdio_cis.c
+@@ -384,12 +384,6 @@ int sdio_read_func_cis(struct sdio_func
+ return ret;
+
+ /*
+- * Since we've linked to tuples in the card structure,
+- * we must make sure we have a reference to it.
+- */
+- get_device(&func->card->dev);
+-
+- /*
+ * Vendor/device id is optional for function CIS, so
+ * copy it from the card structure as needed.
+ */
+@@ -414,11 +408,5 @@ void sdio_free_func_cis(struct sdio_func
+ }
+
+ func->tuples = NULL;
+-
+- /*
+- * We have now removed the link to the tuples in the
+- * card structure, so remove the reference.
+- */
+- put_device(&func->card->dev);
+ }
+
diff --git a/queue-5.4/sched-psi-fix-use-after-free-in-ep_remove_wait_queue.patch b/queue-5.4/sched-psi-fix-use-after-free-in-ep_remove_wait_queue.patch
new file mode 100644
index 00000000000..06a52c1783e
--- /dev/null
+++ b/queue-5.4/sched-psi-fix-use-after-free-in-ep_remove_wait_queue.patch
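Review bot: In sdio_alloc_func() the new `get_device(&func->card->dev);` dereferences `func->card`, while the very next context line uses the `card` parameter (`func->dev.parent = &card->dev;`); the assignment of `func->card` is not visible in the hunk, so the get relies on an ordering the reader cannot check here. Writing it as `get_device(&card->dev);` takes the reference on the same object without that dependency. The comment moved into sdio_release_func() ("We have now removed the link to the tuples") is accurate only when the `MMC_QUIRK_NONSTD_SDIO` test above it let sdio_free_func_cis() run; since the put is now unconditional, `/* Drop the card reference taken in sdio_alloc_func(). */` describes it better. sdio_remove_func() now always calls `of_node_put()` and `put_device()`, so a caller that could reach it twice for the same function would over-release; the callers are outside this patch and worth checking.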
@@ -0,0 +1,135 @@
+From c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe Mon Sep 17 00:00:00 2001
+From: Munehisa Kamata
+Date: Tue, 14 Feb 2023 13:27:05 -0800
+Subject: sched/psi: Fix use-after-free in ep_remove_wait_queue()
+
+From: Munehisa Kamata
+
+commit c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe upstream.
+
+If a non-root cgroup gets removed when there is a thread that registered
+trigger and is polling on a pressure file within the cgroup, the polling
+waitqueue gets freed in the following path:
+
+ do_rmdir
+ cgroup_rmdir
+ kernfs_drain_open_files
+ cgroup_file_release
+ cgroup_pressure_release
+ psi_trigger_destroy
+
+However, the polling thread still has a reference to the pressure file and
+will access the freed waitqueue when the file is closed or upon exit:
+
+ fput
+ ep_eventpoll_release
+ ep_free
+ ep_remove_wait_queue
+ remove_wait_queue
+
+This results in use-after-free as pasted below.
+
+The fundamental problem here is that cgroup_file_release() (and
+consequently waitqueue's lifetime) is not tied to the file's real lifetime.
+Using wake_up_pollfree() here might be less than ideal, but it is in line
+with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()")
+since the waitqueue's lifetime is not tied to file's one and can be
+considered as another special case. While this would be fixable by somehow
+making cgroup_file_release() be tied to the fput(), it would require
+sizable refactoring at cgroups or higher layer which might be more
+justifiable if we identify more cases like this.
+
+ BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0
+ Write of size 4 at addr ffff88810e625328 by task a.out/4404
+
+ CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38
+ Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017
+ Call Trace:
+
+ dump_stack_lvl+0x73/0xa0
+ print_report+0x16c/0x4e0
+ kasan_report+0xc3/0xf0
+ kasan_check_range+0x2d2/0x310
+ _raw_spin_lock_irqsave+0x60/0xc0
+ remove_wait_queue+0x1a/0xa0
+ ep_free+0x12c/0x170
+ ep_eventpoll_release+0x26/0x30
+ __fput+0x202/0x400
+ task_work_run+0x11d/0x170
+ do_exit+0x495/0x1130
+ do_group_exit+0x100/0x100
+ get_signal+0xd67/0xde0
+ arch_do_signal_or_restart+0x2a/0x2b0
+ exit_to_user_mode_prepare+0x94/0x100
+ syscall_exit_to_user_mode+0x20/0x40
+ do_syscall_64+0x52/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+
+ Allocated by task 4404:
+
+ kasan_set_track+0x3d/0x60
+ __kasan_kmalloc+0x85/0x90
+ psi_trigger_create+0x113/0x3e0
+ pressure_write+0x146/0x2e0
+ cgroup_file_write+0x11c/0x250
+ kernfs_fop_write_iter+0x186/0x220
+ vfs_write+0x3d8/0x5c0
+ ksys_write+0x90/0x110
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+ Freed by task 4407:
+
+ kasan_set_track+0x3d/0x60
+ kasan_save_free_info+0x27/0x40
+ ____kasan_slab_free+0x11d/0x170
+ slab_free_freelist_hook+0x87/0x150
+ __kmem_cache_free+0xcb/0x180
+ psi_trigger_destroy+0x2e8/0x310
+ cgroup_file_release+0x4f/0xb0
+ kernfs_drain_open_files+0x165/0x1f0
+ kernfs_drain+0x162/0x1a0
+ __kernfs_remove+0x1fb/0x310
+ kernfs_remove_by_name_ns+0x95/0xe0
+ cgroup_addrm_files+0x67f/0x700
+ cgroup_destroy_locked+0x283/0x3c0
+ cgroup_rmdir+0x29/0x100
+ kernfs_iop_rmdir+0xd1/0x140
+ vfs_rmdir+0xfe/0x240
+ do_rmdir+0x13d/0x280
+ __x64_sys_rmdir+0x2c/0x30
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 0e94682b73bf ("psi: introduce psi monitor")
+Signed-off-by: Munehisa Kamata
+Signed-off-by: Mengchi Cheng
+Signed-off-by: Ingo Molnar
+Acked-by: Suren Baghdasaryan
+Acked-by: Peter Zijlstra
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/lkml/20230106224859.4123476-1-kamatam@amazon.com/
+Link: https://lore.kernel.org/r/20230214212705.4058045-1-kamatam@amazon.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/psi.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/kernel/sched/psi.c
++++ b/kernel/sched/psi.c
+@@ -1092,10 +1092,11 @@ void psi_trigger_destroy(struct psi_trig
+
+ group = t->group;
+ /*
+- * Wakeup waiters to stop polling. Can happen if cgroup is deleted
+- * from under a polling process.
++ * Wakeup waiters to stop polling and clear the queue to prevent it from
++ * being accessed later. Can happen if cgroup is deleted from under a
++ * polling process.
+ */
+- wake_up_interruptible(&t->event_wait);
++ wake_up_pollfree(&t->event_wait);
+
+ mutex_lock(&group->trigger_lock);
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 9a7c49c5872..c6f68412d1c 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -126,3 +126,10 @@ xfs-prevent-uaf-in-xfs_log_item_in_current_chkpt.patch
 xfs-sync-lazy-sb-accounting-on-quiesce-of-read-only-mounts.patch
 revert-ipv4-fix-incorrect-route-flushing-when-source-address-is-deleted.patch
 ipv4-fix-incorrect-route-flushing-when-source-address-is-deleted.patch
+mmc-jz4740-work-around-bug-on-jz4760-b.patch
+mmc-sdio-fix-possible-resource-leaks-in-some-error-paths.patch
+mmc-mmc_spi-fix-error-handling-in-mmc_spi_probe.patch
+alsa-hda-conexant-add-a-new-hda-codec-sn6180.patch
+alsa-hda-realtek-fixed-wrong-gpio-assigned.patch
+sched-psi-fix-use-after-free-in-ep_remove_wait_queue.patch
+hugetlb-check-for-undefined-shift-on-32-bit-architectures.patch
--
2.47.2
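Review bot: `wake_up_pollfree()` in psi_trigger_destroy() only detaches the waiters queued at that instant, so the fix holds only if no new waiter can be added to `t->event_wait` afterwards and the memory holding the wait queue head is freed after an RCU grace period. Neither the free of `t` nor the point where the trigger becomes unreachable to pollers is visible in this hunk, and the 5.4 version of the function may differ from the upstream one the fix was written against, so both should be confirmed there. I would extend the new comment with a line such as `* The trigger must already be unreachable to new pollers and its memory RCU-delayed before it is freed.`. The function continues outside the hunk.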