From f62fe8ed76193ce517dcda45e8b00fd25f9f73b6 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 19 Mar 2023 18:25:10 -0400 Subject: [PATCH] Fixes for 6.1 Signed-off-by: Sasha Levin --- ...fix-shift-out-of-bounds-in-calculate.patch | 49 ++++++ ...tm_bo-calltrace-warning-in-psp_hw_fi.patch | 76 +++++++++ ...-amdkfd-fix-an-illegal-memory-access.patch | 82 ++++++++++ ...t4_iget-if-special-inode-unallocated.patch | 76 +++++++++ ...task-hung-in-ext4_xattr_delete_inode.patch | 97 ++++++++++++ ...urnal_inum-if-it-changes-after-journ.patch | 52 ++++++ ...266-set-can_sleep-flag-for-gpio-chip.patch | 40 +++++ ...splay-smoothing-attributes-in-correc.patch | 44 ++++++ ...-fix-masking-of-hysteresis-registers.patch | 42 +++++ ...mon-ina3221-return-prober-error-code.patch | 37 +++++ ...992-set-can_sleep-flag-for-gpio-chip.patch | 40 +++++ ...mp512-drop-of_match_ptr-for-id-table.patch | 44 ++++++ ...dd-minimum-delay-between-bus-accesse.patch | 148 ++++++++++++++++++ ...use-after-free-bug-in-xgene_hwmon_re.patch | 52 ++++++ ...gic-when-creating-a-hole-in-jffs2_wr.patch | 115 ++++++++++++++ ...onfig-changed-flag-before-calling-ca.patch | 50 ++++++ ...all-get_timer_irq-once-in-constant_c.patch | 103 ++++++++++++ ...ix-off-by-one-loop-termination-error.patch | 62 ++++++++ ...x-race-between-stop-command-and-star.patch | 58 +++++++ ...t-9p-fix-bug-in-client-create-for-.l.patch | 37 +++++ ...able-fp-simd-instruction-to-match-x8.patch | 53 +++++++ queue-6.1/series | 23 +++ ...-spurious-sizeof-pointer-div-warning.patch | 51 ++++++ ...-svs-keep-svs-alive-if-config_debug_.patch | 75 +++++++++ 24 files changed, 1506 insertions(+) create mode 100644 queue-6.1/drm-amd-display-fix-shift-out-of-bounds-in-calculate.patch create mode 100644 queue-6.1/drm-amdgpu-fix-ttm_bo-calltrace-warning-in-psp_hw_fi.patch create mode 100644 queue-6.1/drm-amdkfd-fix-an-illegal-memory-access.patch create mode 100644 queue-6.1/ext4-fail-ext4_iget-if-special-inode-unallocated.patch create mode 100644 queue-6.1/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch create mode 100644 queue-6.1/ext4-update-s_journal_inum-if-it-changes-after-journ.patch create mode 100644 queue-6.1/hwmon-adm1266-set-can_sleep-flag-for-gpio-chip.patch create mode 100644 queue-6.1/hwmon-adt7475-display-smoothing-attributes-in-correc.patch create mode 100644 queue-6.1/hwmon-adt7475-fix-masking-of-hysteresis-registers.patch create mode 100644 queue-6.1/hwmon-ina3221-return-prober-error-code.patch create mode 100644 queue-6.1/hwmon-ltc2992-set-can_sleep-flag-for-gpio-chip.patch create mode 100644 queue-6.1/hwmon-tmp512-drop-of_match_ptr-for-id-table.patch create mode 100644 queue-6.1/hwmon-ucd90320-add-minimum-delay-between-bus-accesse.patch create mode 100644 queue-6.1/hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch create mode 100644 queue-6.1/jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch create mode 100644 queue-6.1/kconfig-update-config-changed-flag-before-calling-ca.patch create mode 100644 queue-6.1/loongarch-only-call-get_timer_irq-once-in-constant_c.patch create mode 100644 queue-6.1/media-m5mols-fix-off-by-one-loop-termination-error.patch create mode 100644 queue-6.1/mmc-atmel-mci-fix-race-between-stop-command-and-star.patch create mode 100644 queue-6.1/net-9p-fix-bug-in-client-create-for-.l.patch create mode 100644 queue-6.1/rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch create mode 100644 queue-6.1/sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch create mode 100644 queue-6.1/soc-mediatek-mtk-svs-keep-svs-alive-if-config_debug_.patch diff --git a/queue-6.1/drm-amd-display-fix-shift-out-of-bounds-in-calculate.patch b/queue-6.1/drm-amd-display-fix-shift-out-of-bounds-in-calculate.patch new file mode 100644 index 00000000000..eb860edc59b --- /dev/null +++ b/queue-6.1/drm-amd-display-fix-shift-out-of-bounds-in-calculate.patch @@ -0,0 +1,49 @@ +From b5c8b61da09e51983064b6122f2d0810c4c51f55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 09:54:11 -0700 +Subject: drm/amd/display: fix shift-out-of-bounds in CalculateVMAndRowBytes + +From: Alex Hung + +[ Upstream commit 031f196d1b1b6d5dfcb0533b431e3ab1750e6189 ] + +[WHY] +When PTEBufferSizeInRequests is zero, UBSAN reports the following +warning because dml_log2 returns an unexpected negative value: + + shift exponent 4294966273 is too large for 32-bit type 'int' + +[HOW] + +In the case PTEBufferSizeInRequests is zero, skip the dml_log2() and +assign the result directly. + +Reviewed-by: Jun Lei +Acked-by: Qingqing Zhuo +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +index 479e2c1a13018..49da8119b28e9 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +@@ -1802,7 +1802,10 @@ static unsigned int CalculateVMAndRowBytes( + } + + if (SurfaceTiling == dm_sw_linear) { +- *dpte_row_height = dml_min(128, 1 << (unsigned int) dml_floor(dml_log2(PTEBufferSizeInRequests * *PixelPTEReqWidth / Pitch), 1)); ++ if (PTEBufferSizeInRequests == 0) ++ *dpte_row_height = 1; ++ else ++ *dpte_row_height = dml_min(128, 1 << (unsigned int) dml_floor(dml_log2(PTEBufferSizeInRequests * *PixelPTEReqWidth / Pitch), 1)); + *dpte_row_width_ub = (dml_ceil(((double) SwathWidth - 1) / *PixelPTEReqWidth, 1) + 1) * *PixelPTEReqWidth; + *PixelPTEBytesPerRow = *dpte_row_width_ub / *PixelPTEReqWidth * *PTERequestSize; + } else if (ScanDirection != dm_vert) { +-- +2.39.2 + diff --git a/queue-6.1/drm-amdgpu-fix-ttm_bo-calltrace-warning-in-psp_hw_fi.patch b/queue-6.1/drm-amdgpu-fix-ttm_bo-calltrace-warning-in-psp_hw_fi.patch new file mode 100644 index 00000000000..9a6ad2ab9cb --- /dev/null +++ b/queue-6.1/drm-amdgpu-fix-ttm_bo-calltrace-warning-in-psp_hw_fi.patch @@ -0,0 +1,76 @@ +From 30d6179ce4f942dd9b89912649b78579647cf97e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Feb 2023 13:55:44 +0800 +Subject: drm/amdgpu: fix ttm_bo calltrace warning in psp_hw_fini + +From: Horatio Zhang + +[ Upstream commit 23f4a2d29ba57bf88095f817de5809d427fcbe7e ] + +The call trace occurs when the amdgpu is removed after +the mode1 reset. During mode1 reset, from suspend to resume, +there is no need to reinitialize the ta firmware buffer +which caused the bo pin_count increase redundantly. + +[ 489.885525] Call Trace: +[ 489.885525] +[ 489.885526] amdttm_bo_put+0x34/0x50 [amdttm] +[ 489.885529] amdgpu_bo_free_kernel+0xe8/0x130 [amdgpu] +[ 489.885620] psp_free_shared_bufs+0xb7/0x150 [amdgpu] +[ 489.885720] psp_hw_fini+0xce/0x170 [amdgpu] +[ 489.885815] amdgpu_device_fini_hw+0x2ff/0x413 [amdgpu] +[ 489.885960] ? blocking_notifier_chain_unregister+0x56/0xb0 +[ 489.885962] amdgpu_driver_unload_kms+0x51/0x60 [amdgpu] +[ 489.886049] amdgpu_pci_remove+0x5a/0x140 [amdgpu] +[ 489.886132] ? __pm_runtime_resume+0x60/0x90 +[ 489.886134] pci_device_remove+0x3e/0xb0 +[ 489.886135] __device_release_driver+0x1ab/0x2a0 +[ 489.886137] driver_detach+0xf3/0x140 +[ 489.886138] bus_remove_driver+0x6c/0xf0 +[ 489.886140] driver_unregister+0x31/0x60 +[ 489.886141] pci_unregister_driver+0x40/0x90 +[ 489.886142] amdgpu_exit+0x15/0x451 [amdgpu] + +Signed-off-by: Horatio Zhang +Signed-off-by: longlyao +Reviewed-by: Guchun Chen +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +index 087147f09933a..3b8825a3e2336 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +@@ -1695,7 +1695,7 @@ static int psp_hdcp_initialize(struct psp_context *psp) + psp->hdcp_context.context.mem_context.shared_mem_size = PSP_HDCP_SHARED_MEM_SIZE; + psp->hdcp_context.context.ta_load_type = GFX_CMD_ID_LOAD_TA; + +- if (!psp->hdcp_context.context.initialized) { ++ if (!psp->hdcp_context.context.mem_context.shared_buf) { + ret = psp_ta_init_shared_buf(psp, &psp->hdcp_context.context.mem_context); + if (ret) + return ret; +@@ -1762,7 +1762,7 @@ static int psp_dtm_initialize(struct psp_context *psp) + psp->dtm_context.context.mem_context.shared_mem_size = PSP_DTM_SHARED_MEM_SIZE; + psp->dtm_context.context.ta_load_type = GFX_CMD_ID_LOAD_TA; + +- if (!psp->dtm_context.context.initialized) { ++ if (!psp->dtm_context.context.mem_context.shared_buf) { + ret = psp_ta_init_shared_buf(psp, &psp->dtm_context.context.mem_context); + if (ret) + return ret; +@@ -1830,7 +1830,7 @@ static int psp_rap_initialize(struct psp_context *psp) + psp->rap_context.context.mem_context.shared_mem_size = PSP_RAP_SHARED_MEM_SIZE; + psp->rap_context.context.ta_load_type = GFX_CMD_ID_LOAD_TA; + +- if (!psp->rap_context.context.initialized) { ++ if (!psp->rap_context.context.mem_context.shared_buf) { + ret = psp_ta_init_shared_buf(psp, &psp->rap_context.context.mem_context); + if (ret) + return ret; +-- +2.39.2 + diff --git a/queue-6.1/drm-amdkfd-fix-an-illegal-memory-access.patch b/queue-6.1/drm-amdkfd-fix-an-illegal-memory-access.patch new file mode 100644 index 00000000000..7d2be512164 --- /dev/null +++ b/queue-6.1/drm-amdkfd-fix-an-illegal-memory-access.patch @@ -0,0 +1,82 @@ +From cd5876d2f9789c10ed4428169f21c0fbb4627c47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Feb 2023 11:35:16 +0000 +Subject: drm/amdkfd: Fix an illegal memory access + +From: Qu Huang + +[ Upstream commit 4fc8fff378b2f2039f2a666d9f8c570f4e58352c ] + +In the kfd_wait_on_events() function, the kfd_event_waiter structure is +allocated by alloc_event_waiters(), but the event field of the waiter +structure is not initialized; When copy_from_user() fails in the +kfd_wait_on_events() function, it will enter exception handling to +release the previously allocated memory of the waiter structure; +Due to the event field of the waiters structure being accessed +in the free_waiters() function, this results in illegal memory access +and system crash, here is the crash log: + +localhost kernel: RIP: 0010:native_queued_spin_lock_slowpath+0x185/0x1e0 +localhost kernel: RSP: 0018:ffffaa53c362bd60 EFLAGS: 00010082 +localhost kernel: RAX: ff3d3d6bff4007cb RBX: 0000000000000282 RCX: 00000000002c0000 +localhost kernel: RDX: ffff9e855eeacb80 RSI: 000000000000279c RDI: ffffe7088f6a21d0 +localhost kernel: RBP: ffffe7088f6a21d0 R08: 00000000002c0000 R09: ffffaa53c362be64 +localhost kernel: R10: ffffaa53c362bbd8 R11: 0000000000000001 R12: 0000000000000002 +localhost kernel: R13: ffff9e7ead15d600 R14: 0000000000000000 R15: ffff9e7ead15d698 +localhost kernel: FS: 0000152a3d111700(0000) GS:ffff9e855ee80000(0000) knlGS:0000000000000000 +localhost kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +localhost kernel: CR2: 0000152938000010 CR3: 000000044d7a4000 CR4: 00000000003506e0 +localhost kernel: Call Trace: +localhost kernel: _raw_spin_lock_irqsave+0x30/0x40 +localhost kernel: remove_wait_queue+0x12/0x50 +localhost kernel: kfd_wait_on_events+0x1b6/0x490 [hydcu] +localhost kernel: ? ftrace_graph_caller+0xa0/0xa0 +localhost kernel: kfd_ioctl+0x38c/0x4a0 [hydcu] +localhost kernel: ? kfd_ioctl_set_trap_handler+0x70/0x70 [hydcu] +localhost kernel: ? kfd_ioctl_create_queue+0x5a0/0x5a0 [hydcu] +localhost kernel: ? ftrace_graph_caller+0xa0/0xa0 +localhost kernel: __x64_sys_ioctl+0x8e/0xd0 +localhost kernel: ? syscall_trace_enter.isra.18+0x143/0x1b0 +localhost kernel: do_syscall_64+0x33/0x80 +localhost kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9 +localhost kernel: RIP: 0033:0x152a4dff68d7 + +Allocate the structure with kcalloc, and remove redundant 0-initialization +and a redundant loop condition check. + +Signed-off-by: Qu Huang +Signed-off-by: Felix Kuehling +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_events.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_events.c +index 729d26d648af3..2880ed96ac2e3 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c +@@ -778,16 +778,13 @@ static struct kfd_event_waiter *alloc_event_waiters(uint32_t num_events) + struct kfd_event_waiter *event_waiters; + uint32_t i; + +- event_waiters = kmalloc_array(num_events, +- sizeof(struct kfd_event_waiter), +- GFP_KERNEL); ++ event_waiters = kcalloc(num_events, sizeof(struct kfd_event_waiter), ++ GFP_KERNEL); + if (!event_waiters) + return NULL; + +- for (i = 0; (event_waiters) && (i < num_events) ; i++) { ++ for (i = 0; i < num_events; i++) + init_wait(&event_waiters[i].wait); +- event_waiters[i].activated = false; +- } + + return event_waiters; + } +-- +2.39.2 + diff --git a/queue-6.1/ext4-fail-ext4_iget-if-special-inode-unallocated.patch b/queue-6.1/ext4-fail-ext4_iget-if-special-inode-unallocated.patch new file mode 100644 index 00000000000..84ee9c5d3d4 --- /dev/null +++ b/queue-6.1/ext4-fail-ext4_iget-if-special-inode-unallocated.patch @@ -0,0 +1,76 @@ +From 1e53de4ca2a9c440a07ed2179d6a4e5d2236332a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Jan 2023 11:21:25 +0800 +Subject: ext4: fail ext4_iget if special inode unallocated +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Baokun Li + +[ Upstream commit 5cd740287ae5e3f9d1c46f5bfe8778972fd6d3fe ] + +In ext4_fill_super(), EXT4_ORPHAN_FS flag is cleared after +ext4_orphan_cleanup() is executed. Therefore, when __ext4_iget() is +called to get an inode whose i_nlink is 0 when the flag exists, no error +is returned. If the inode is a special inode, a null pointer dereference +may occur. If the value of i_nlink is 0 for any inodes (except boot loader +inodes) got by using the EXT4_IGET_SPECIAL flag, the current file system +is corrupted. Therefore, make the ext4_iget() function return an error if +it gets such an abnormal special inode. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199179 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216541 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216539 +Reported-by: Luís Henriques +Suggested-by: Theodore Ts'o +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230107032126.4165860-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inode.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 34c87fcfd0617..eea11ad84e680 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4807,13 +4807,6 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + goto bad_inode; + raw_inode = ext4_raw_inode(&iloc); + +- if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { +- ext4_error_inode(inode, function, line, 0, +- "iget: root inode unallocated"); +- ret = -EFSCORRUPTED; +- goto bad_inode; +- } +- + if ((flags & EXT4_IGET_HANDLE) && + (raw_inode->i_links_count == 0) && (raw_inode->i_mode == 0)) { + ret = -ESTALE; +@@ -4886,11 +4879,16 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + * NeilBrown 1999oct15 + */ + if (inode->i_nlink == 0) { +- if ((inode->i_mode == 0 || ++ if ((inode->i_mode == 0 || flags & EXT4_IGET_SPECIAL || + !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS)) && + ino != EXT4_BOOT_LOADER_INO) { +- /* this inode is deleted */ +- ret = -ESTALE; ++ /* this inode is deleted or unallocated */ ++ if (flags & EXT4_IGET_SPECIAL) { ++ ext4_error_inode(inode, function, line, 0, ++ "iget: special inode unallocated"); ++ ret = -EFSCORRUPTED; ++ } else ++ ret = -ESTALE; + goto bad_inode; + } + /* The only unlinked inodes we let through here have +-- +2.39.2 + diff --git a/queue-6.1/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch b/queue-6.1/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch new file mode 100644 index 00000000000..06446a1da29 --- /dev/null +++ b/queue-6.1/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch @@ -0,0 +1,97 @@ +From d9268b0ac5313ede034c27e22a9371981261ef7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 21:34:36 +0800 +Subject: ext4: fix task hung in ext4_xattr_delete_inode + +From: Baokun Li + +[ Upstream commit 0f7bfd6f8164be32dbbdf36aa1e5d00485c53cd7 ] + +Syzbot reported a hung task problem: +================================================================== +INFO: task syz-executor232:5073 blocked for more than 143 seconds. + Not tainted 6.2.0-rc2-syzkaller-00024-g512dee0c00ad #0 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:syz-exec232 state:D stack:21024 pid:5073 ppid:5072 flags:0x00004004 +Call Trace: + + context_switch kernel/sched/core.c:5244 [inline] + __schedule+0x995/0xe20 kernel/sched/core.c:6555 + schedule+0xcb/0x190 kernel/sched/core.c:6631 + __wait_on_freeing_inode fs/inode.c:2196 [inline] + find_inode_fast+0x35a/0x4c0 fs/inode.c:950 + iget_locked+0xb1/0x830 fs/inode.c:1273 + __ext4_iget+0x22e/0x3ed0 fs/ext4/inode.c:4861 + ext4_xattr_inode_iget+0x68/0x4e0 fs/ext4/xattr.c:389 + ext4_xattr_inode_dec_ref_all+0x1a7/0xe50 fs/ext4/xattr.c:1148 + ext4_xattr_delete_inode+0xb04/0xcd0 fs/ext4/xattr.c:2880 + ext4_evict_inode+0xd7c/0x10b0 fs/ext4/inode.c:296 + evict+0x2a4/0x620 fs/inode.c:664 + ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474 + __ext4_fill_super fs/ext4/super.c:5516 [inline] + ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644 + get_tree_bdev+0x400/0x620 fs/super.c:1282 + vfs_get_tree+0x88/0x270 fs/super.c:1489 + do_new_mount+0x289/0xad0 fs/namespace.c:3145 + do_mount fs/namespace.c:3488 [inline] + __do_sys_mount fs/namespace.c:3697 [inline] + __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7fa5406fd5ea +RSP: 002b:00007ffc7232f968 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fa5406fd5ea +RDX: 0000000020000440 RSI: 0000000020000000 RDI: 00007ffc7232f970 +RBP: 00007ffc7232f970 R08: 00007ffc7232f9b0 R09: 0000000000000432 +R10: 0000000000804a03 R11: 0000000000000202 R12: 0000000000000004 +R13: 0000555556a7a2c0 R14: 00007ffc7232f9b0 R15: 0000000000000000 + +================================================================== + +The problem is that the inode contains an xattr entry with ea_inum of 15 +when cleaning up an orphan inode <15>. When evict inode <15>, the reference +counting of the corresponding EA inode is decreased. When EA inode <15> is +found by find_inode_fast() in __ext4_iget(), it is found that the EA inode +holds the I_FREEING flag and waits for the EA inode to complete deletion. +As a result, when inode <15> is being deleted, we wait for inode <15> to +complete the deletion, resulting in an infinite loop and triggering Hung +Task. To solve this problem, we only need to check whether the ino of EA +inode and parent is the same before getting EA inode. + +Link: https://syzkaller.appspot.com/bug?extid=77d6fcc37bbb92f26048 +Reported-by: syzbot+77d6fcc37bbb92f26048@syzkaller.appspotmail.com +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230110133436.996350-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/xattr.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index e0eb6eb02a834..b17c1b90e1224 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -386,6 +386,17 @@ static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino, + struct inode *inode; + int err; + ++ /* ++ * We have to check for this corruption early as otherwise ++ * iget_locked() could wait indefinitely for the state of our ++ * parent inode. ++ */ ++ if (parent->i_ino == ea_ino) { ++ ext4_error(parent->i_sb, ++ "Parent and EA inode have the same ino %lu", ea_ino); ++ return -EFSCORRUPTED; ++ } ++ + inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_NORMAL); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); +-- +2.39.2 + diff --git a/queue-6.1/ext4-update-s_journal_inum-if-it-changes-after-journ.patch b/queue-6.1/ext4-update-s_journal_inum-if-it-changes-after-journ.patch new file mode 100644 index 00000000000..897524166a3 --- /dev/null +++ b/queue-6.1/ext4-update-s_journal_inum-if-it-changes-after-journ.patch @@ -0,0 +1,52 @@ +From 274268788b8568af6f41a46216f19b4b89f7362b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Jan 2023 11:21:26 +0800 +Subject: ext4: update s_journal_inum if it changes after journal replay +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Baokun Li + +[ Upstream commit 3039d8b8692408438a618fac2776b629852663c3 ] + +When mounting a crafted ext4 image, s_journal_inum may change after journal +replay, which is obviously unreasonable because we have successfully loaded +and replayed the journal through the old s_journal_inum. And the new +s_journal_inum bypasses some of the checks in ext4_get_journal(), which +may trigger a null pointer dereference problem. So if s_journal_inum +changes after the journal replay, we ignore the change, and rewrite the +current journal_inum to the superblock. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216541 +Reported-by: Luís Henriques +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230107032126.4165860-3-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 8011600999586..2528e8216c334 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5967,8 +5967,11 @@ static int ext4_load_journal(struct super_block *sb, + if (!really_read_only && journal_devnum && + journal_devnum != le32_to_cpu(es->s_journal_dev)) { + es->s_journal_dev = cpu_to_le32(journal_devnum); +- +- /* Make sure we flush the recovery flag to disk. */ ++ ext4_commit_super(sb); ++ } ++ if (!really_read_only && journal_inum && ++ journal_inum != le32_to_cpu(es->s_journal_inum)) { ++ es->s_journal_inum = cpu_to_le32(journal_inum); + ext4_commit_super(sb); + } + +-- +2.39.2 + diff --git a/queue-6.1/hwmon-adm1266-set-can_sleep-flag-for-gpio-chip.patch b/queue-6.1/hwmon-adm1266-set-can_sleep-flag-for-gpio-chip.patch new file mode 100644 index 00000000000..9efc59700c1 --- /dev/null +++ b/queue-6.1/hwmon-adm1266-set-can_sleep-flag-for-gpio-chip.patch @@ -0,0 +1,40 @@ +From 94dc223eafb6d8f32fdee060dcf891cc7188d005 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 02:31:45 -0700 +Subject: hwmon: (adm1266) Set `can_sleep` flag for GPIO chip + +From: Lars-Peter Clausen + +[ Upstream commit a5bb73b3f5db1a4e91402ad132b59b13d2651ed9 ] + +The adm1266 driver uses I2C bus access in its GPIO chip `set` and `get` +implementation. This means these functions can sleep and the GPIO chip +should set the `can_sleep` property to true. + +This will ensure that a warning is printed when trying to set or get the +GPIO value from a context that potentially can't sleep. + +Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs") +Signed-off-by: Lars-Peter Clausen +Link: https://lore.kernel.org/r/20230314093146.2443845-1-lars@metafoo.de +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/adm1266.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/pmbus/adm1266.c b/drivers/hwmon/pmbus/adm1266.c +index ec5f932fc6f0f..1ac2b2f4c5705 100644 +--- a/drivers/hwmon/pmbus/adm1266.c ++++ b/drivers/hwmon/pmbus/adm1266.c +@@ -301,6 +301,7 @@ static int adm1266_config_gpio(struct adm1266_data *data) + data->gc.label = name; + data->gc.parent = &data->client->dev; + data->gc.owner = THIS_MODULE; ++ data->gc.can_sleep = true; + data->gc.base = -1; + data->gc.names = data->gpio_names; + data->gc.ngpio = ARRAY_SIZE(data->gpio_names); +-- +2.39.2 + diff --git a/queue-6.1/hwmon-adt7475-display-smoothing-attributes-in-correc.patch b/queue-6.1/hwmon-adt7475-display-smoothing-attributes-in-correc.patch new file mode 100644 index 00000000000..06a63e048d0 --- /dev/null +++ b/queue-6.1/hwmon-adt7475-display-smoothing-attributes-in-correc.patch @@ -0,0 +1,44 @@ +From 7b686ab86f564e99d25dacca12a41bda74b4a94f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Feb 2023 13:52:27 +1300 +Subject: hwmon: (adt7475) Display smoothing attributes in correct order + +From: Tony O'Brien + +[ Upstream commit 5f8d1e3b6f9b5971f9c06d5846ce00c49e3a8d94 ] + +Throughout the ADT7475 driver, attributes relating to the temperature +sensors are displayed in the order Remote 1, Local, Remote 2. Make +temp_st_show() conform to this expectation so that values set by +temp_st_store() can be displayed using the correct attribute. + +Fixes: 8f05bcc33e74 ("hwmon: (adt7475) temperature smoothing") +Signed-off-by: Tony O'Brien +Link: https://lore.kernel.org/r/20230222005228.158661-2-tony.obrien@alliedtelesis.co.nz +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/adt7475.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/adt7475.c b/drivers/hwmon/adt7475.c +index 51b3d16c32233..77222c35a38ec 100644 +--- a/drivers/hwmon/adt7475.c ++++ b/drivers/hwmon/adt7475.c +@@ -556,11 +556,11 @@ static ssize_t temp_st_show(struct device *dev, struct device_attribute *attr, + val = data->enh_acoustics[0] & 0xf; + break; + case 1: +- val = (data->enh_acoustics[1] >> 4) & 0xf; ++ val = data->enh_acoustics[1] & 0xf; + break; + case 2: + default: +- val = data->enh_acoustics[1] & 0xf; ++ val = (data->enh_acoustics[1] >> 4) & 0xf; + break; + } + +-- +2.39.2 + diff --git a/queue-6.1/hwmon-adt7475-fix-masking-of-hysteresis-registers.patch b/queue-6.1/hwmon-adt7475-fix-masking-of-hysteresis-registers.patch new file mode 100644 index 00000000000..0c972c3fee5 --- /dev/null +++ b/queue-6.1/hwmon-adt7475-fix-masking-of-hysteresis-registers.patch @@ -0,0 +1,42 @@ +From c897b6e32d04ef3c3a16b26a6a46730a858d5186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Feb 2023 13:52:28 +1300 +Subject: hwmon: (adt7475) Fix masking of hysteresis registers + +From: Tony O'Brien + +[ Upstream commit 48e8186870d9d0902e712d601ccb7098cb220688 ] + +The wrong bits are masked in the hysteresis register; indices 0 and 2 +should zero bits [7:4] and preserve bits [3:0], and index 1 should zero +bits [3:0] and preserve bits [7:4]. + +Fixes: 1c301fc5394f ("hwmon: Add a driver for the ADT7475 hardware monitoring chip") +Signed-off-by: Tony O'Brien +Link: https://lore.kernel.org/r/20230222005228.158661-3-tony.obrien@alliedtelesis.co.nz +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/adt7475.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/adt7475.c b/drivers/hwmon/adt7475.c +index 77222c35a38ec..6e4c92b500b8e 100644 +--- a/drivers/hwmon/adt7475.c ++++ b/drivers/hwmon/adt7475.c +@@ -488,10 +488,10 @@ static ssize_t temp_store(struct device *dev, struct device_attribute *attr, + val = (temp - val) / 1000; + + if (sattr->index != 1) { +- data->temp[HYSTERSIS][sattr->index] &= 0xF0; ++ data->temp[HYSTERSIS][sattr->index] &= 0x0F; + data->temp[HYSTERSIS][sattr->index] |= (val & 0xF) << 4; + } else { +- data->temp[HYSTERSIS][sattr->index] &= 0x0F; ++ data->temp[HYSTERSIS][sattr->index] &= 0xF0; + data->temp[HYSTERSIS][sattr->index] |= (val & 0xF); + } + +-- +2.39.2 + diff --git a/queue-6.1/hwmon-ina3221-return-prober-error-code.patch b/queue-6.1/hwmon-ina3221-return-prober-error-code.patch new file mode 100644 index 00000000000..a78e63d371e --- /dev/null +++ b/queue-6.1/hwmon-ina3221-return-prober-error-code.patch @@ -0,0 +1,37 @@ +From d487baf951c93f4762c4d6509120dd94a69305ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 08:50:35 +0100 +Subject: hwmon: (ina3221) return prober error code + +From: Marcus Folkesson + +[ Upstream commit c93f5e2ab53243b17febabb9422a697017d3d49a ] + +ret is set to 0 which do not indicate an error. +Return -EINVAL instead. + +Fixes: a9e9dd9c6de5 ("hwmon: (ina3221) Read channel input source info from DT") +Signed-off-by: Marcus Folkesson +Link: https://lore.kernel.org/r/20230310075035.246083-1-marcus.folkesson@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ina3221.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/ina3221.c b/drivers/hwmon/ina3221.c +index e06186986444e..f3a4c5633b1ea 100644 +--- a/drivers/hwmon/ina3221.c ++++ b/drivers/hwmon/ina3221.c +@@ -772,7 +772,7 @@ static int ina3221_probe_child_from_dt(struct device *dev, + return ret; + } else if (val > INA3221_CHANNEL3) { + dev_err(dev, "invalid reg %d of %pOFn\n", val, child); +- return ret; ++ return -EINVAL; + } + + input = &ina->inputs[val]; +-- +2.39.2 + diff --git a/queue-6.1/hwmon-ltc2992-set-can_sleep-flag-for-gpio-chip.patch b/queue-6.1/hwmon-ltc2992-set-can_sleep-flag-for-gpio-chip.patch new file mode 100644 index 00000000000..7693415de91 --- /dev/null +++ b/queue-6.1/hwmon-ltc2992-set-can_sleep-flag-for-gpio-chip.patch @@ -0,0 +1,40 @@ +From f8380212a2906a5f09033f4f36875cc36f5b78da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 02:31:46 -0700 +Subject: hwmon: (ltc2992) Set `can_sleep` flag for GPIO chip + +From: Lars-Peter Clausen + +[ Upstream commit ab00709310eedcd8dae0df1f66d332f9bc64c99e ] + +The ltc2992 drivers uses a mutex and I2C bus access in its GPIO chip `set` +and `get` implementation. This means these functions can sleep and the GPIO +chip should set the `can_sleep` property to true. + +This will ensure that a warning is printed when trying to set or get the +GPIO value from a context that potentially can't sleep. + +Fixes: 9ca26df1ba25 ("hwmon: (ltc2992) Add support for GPIOs.") +Signed-off-by: Lars-Peter Clausen +Link: https://lore.kernel.org/r/20230314093146.2443845-2-lars@metafoo.de +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ltc2992.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/ltc2992.c b/drivers/hwmon/ltc2992.c +index 72489d5d7eaf9..d88e883c7492c 100644 +--- a/drivers/hwmon/ltc2992.c ++++ b/drivers/hwmon/ltc2992.c +@@ -323,6 +323,7 @@ static int ltc2992_config_gpio(struct ltc2992_state *st) + st->gc.label = name; + st->gc.parent = &st->client->dev; + st->gc.owner = THIS_MODULE; ++ st->gc.can_sleep = true; + st->gc.base = -1; + st->gc.names = st->gpio_names; + st->gc.ngpio = ARRAY_SIZE(st->gpio_names); +-- +2.39.2 + diff --git a/queue-6.1/hwmon-tmp512-drop-of_match_ptr-for-id-table.patch b/queue-6.1/hwmon-tmp512-drop-of_match_ptr-for-id-table.patch new file mode 100644 index 00000000000..f65ae3602e0 --- /dev/null +++ b/queue-6.1/hwmon-tmp512-drop-of_match_ptr-for-id-table.patch @@ -0,0 +1,44 @@ +From c09cffc8af6044adc5cc84ef5fd963bb41a8cde1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Mar 2023 20:37:23 +0100 +Subject: hwmon: tmp512: drop of_match_ptr for ID table +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Kozlowski + +[ Upstream commit 00d85e81796b17a29a0e096c5a4735daa47adef8 ] + +The driver will match mostly by DT table (even thought there is regular +ID table) so there is little benefit in of_match_ptr (this also allows +ACPI matching via PRP0001, even though it might not be relevant here). +This also fixes !CONFIG_OF error: + + drivers/hwmon/tmp513.c:610:34: error: ‘tmp51x_of_match’ defined but not used [-Werror=unused-const-variable=] + +Fixes: 59dfa75e5d82 ("hwmon: Add driver for Texas Instruments TMP512/513 sensor chips.") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230312193723.478032-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/tmp513.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/tmp513.c b/drivers/hwmon/tmp513.c +index 47bbe47e062fd..7d5f7441aceb1 100644 +--- a/drivers/hwmon/tmp513.c ++++ b/drivers/hwmon/tmp513.c +@@ -758,7 +758,7 @@ static int tmp51x_probe(struct i2c_client *client) + static struct i2c_driver tmp51x_driver = { + .driver = { + .name = "tmp51x", +- .of_match_table = of_match_ptr(tmp51x_of_match), ++ .of_match_table = tmp51x_of_match, + }, + .probe_new = tmp51x_probe, + .id_table = tmp51x_id, +-- +2.39.2 + diff --git a/queue-6.1/hwmon-ucd90320-add-minimum-delay-between-bus-accesse.patch b/queue-6.1/hwmon-ucd90320-add-minimum-delay-between-bus-accesse.patch new file mode 100644 index 00000000000..576cfbabd66 --- /dev/null +++ b/queue-6.1/hwmon-ucd90320-add-minimum-delay-between-bus-accesse.patch @@ -0,0 +1,148 @@ +From a42d0cece21df1188e4d60d20fb3398b99ce641b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Mar 2023 09:03:12 -0700 +Subject: hwmon: (ucd90320) Add minimum delay between bus accesses + +From: Lars-Peter Clausen + +[ Upstream commit 8d655e65237643c48ada2c131b83679bf1105373 ] + +When probing the ucd90320 access to some of the registers randomly fails. +Sometimes it NACKs a transfer, sometimes it returns just random data and +the PEC check fails. + +Experimentation shows that this seems to be triggered by a register access +directly back to back with a previous register write. Experimentation also +shows that inserting a small delay after register writes makes the issue go +away. + +Use a similar solution to what the max15301 driver does to solve the same +problem. Create a custom set of bus read and write functions that make sure +that the delay is added. + +Fixes: a470f11c5ba2 ("hwmon: (pmbus/ucd9000) Add support for UCD90320 Power Sequencer") +Signed-off-by: Lars-Peter Clausen +Link: https://lore.kernel.org/r/20230312160312.2227405-1-lars@metafoo.de +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/ucd9000.c | 75 +++++++++++++++++++++++++++++++++++ + 1 file changed, 75 insertions(+) + +diff --git a/drivers/hwmon/pmbus/ucd9000.c b/drivers/hwmon/pmbus/ucd9000.c +index 75fc770c9e403..3daaf22378322 100644 +--- a/drivers/hwmon/pmbus/ucd9000.c ++++ b/drivers/hwmon/pmbus/ucd9000.c +@@ -7,6 +7,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -16,6 +17,7 @@ + #include + #include + #include ++#include + #include "pmbus.h" + + enum chips { ucd9000, ucd90120, ucd90124, ucd90160, ucd90320, ucd9090, +@@ -65,6 +67,7 @@ struct ucd9000_data { + struct gpio_chip gpio; + #endif + struct dentry *debugfs; ++ ktime_t write_time; + }; + #define to_ucd9000_data(_info) container_of(_info, struct ucd9000_data, info) + +@@ -73,6 +76,73 @@ struct ucd9000_debugfs_entry { + u8 index; + }; + ++/* ++ * It has been observed that the UCD90320 randomly fails register access when ++ * doing another access right on the back of a register write. To mitigate this ++ * make sure that there is a minimum delay between a write access and the ++ * following access. The 250us is based on experimental data. At a delay of ++ * 200us the issue seems to go away. Add a bit of extra margin to allow for ++ * system to system differences. ++ */ ++#define UCD90320_WAIT_DELAY_US 250 ++ ++static inline void ucd90320_wait(const struct ucd9000_data *data) ++{ ++ s64 delta = ktime_us_delta(ktime_get(), data->write_time); ++ ++ if (delta < UCD90320_WAIT_DELAY_US) ++ udelay(UCD90320_WAIT_DELAY_US - delta); ++} ++ ++static int ucd90320_read_word_data(struct i2c_client *client, int page, ++ int phase, int reg) ++{ ++ const struct pmbus_driver_info *info = pmbus_get_driver_info(client); ++ struct ucd9000_data *data = to_ucd9000_data(info); ++ ++ if (reg >= PMBUS_VIRT_BASE) ++ return -ENXIO; ++ ++ ucd90320_wait(data); ++ return pmbus_read_word_data(client, page, phase, reg); ++} ++ ++static int ucd90320_read_byte_data(struct i2c_client *client, int page, int reg) ++{ ++ const struct pmbus_driver_info *info = pmbus_get_driver_info(client); ++ struct ucd9000_data *data = to_ucd9000_data(info); ++ ++ ucd90320_wait(data); ++ return pmbus_read_byte_data(client, page, reg); ++} ++ ++static int ucd90320_write_word_data(struct i2c_client *client, int page, ++ int reg, u16 word) ++{ ++ const struct pmbus_driver_info *info = pmbus_get_driver_info(client); ++ struct ucd9000_data *data = to_ucd9000_data(info); ++ int ret; ++ ++ ucd90320_wait(data); ++ ret = pmbus_write_word_data(client, page, reg, word); ++ data->write_time = ktime_get(); ++ ++ return ret; ++} ++ ++static int ucd90320_write_byte(struct i2c_client *client, int page, u8 value) ++{ ++ const struct pmbus_driver_info *info = pmbus_get_driver_info(client); ++ struct ucd9000_data *data = to_ucd9000_data(info); ++ int ret; ++ ++ ucd90320_wait(data); ++ ret = pmbus_write_byte(client, page, value); ++ data->write_time = ktime_get(); ++ ++ return ret; ++} ++ + static int ucd9000_get_fan_config(struct i2c_client *client, int fan) + { + int fan_config = 0; +@@ -598,6 +668,11 @@ static int ucd9000_probe(struct i2c_client *client) + info->read_byte_data = ucd9000_read_byte_data; + info->func[0] |= PMBUS_HAVE_FAN12 | PMBUS_HAVE_STATUS_FAN12 + | PMBUS_HAVE_FAN34 | PMBUS_HAVE_STATUS_FAN34; ++ } else if (mid->driver_data == ucd90320) { ++ info->read_byte_data = ucd90320_read_byte_data; ++ info->read_word_data = ucd90320_read_word_data; ++ info->write_byte = ucd90320_write_byte; ++ info->write_word_data = ucd90320_write_word_data; + } + + ucd9000_probe_gpio(client, mid, data); +-- +2.39.2 + diff --git a/queue-6.1/hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch b/queue-6.1/hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch new file mode 100644 index 00000000000..5f90529265d --- /dev/null +++ b/queue-6.1/hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch @@ -0,0 +1,52 @@ +From fdd0b6cf4b5f51c0e230572573b4b0e637b9f133 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 16:40:07 +0800 +Subject: hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to + race condition + +From: Zheng Wang + +[ Upstream commit cb090e64cf25602b9adaf32d5dfc9c8bec493cd1 ] + +In xgene_hwmon_probe, &ctx->workq is bound with xgene_hwmon_evt_work. +Then it will be started. + +If we remove the driver which will call xgene_hwmon_remove to clean up, +there may be unfinished work. + +The possible sequence is as follows: + +Fix it by finishing the work before cleanup in xgene_hwmon_remove. + +CPU0 CPU1 + + |xgene_hwmon_evt_work +xgene_hwmon_remove | +kfifo_free(&ctx->async_msg_fifo);| + | + |kfifo_out_spinlocked + |//use &ctx->async_msg_fifo +Fixes: 2ca492e22cb7 ("hwmon: (xgene) Fix crash when alarm occurs before driver probe") +Signed-off-by: Zheng Wang +Link: https://lore.kernel.org/r/20230310084007.1403388-1-zyytlz.wz@163.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/xgene-hwmon.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/xgene-hwmon.c b/drivers/hwmon/xgene-hwmon.c +index 5cde837bfd094..d1abea49f01be 100644 +--- a/drivers/hwmon/xgene-hwmon.c ++++ b/drivers/hwmon/xgene-hwmon.c +@@ -761,6 +761,7 @@ static int xgene_hwmon_remove(struct platform_device *pdev) + { + struct xgene_hwmon_dev *ctx = platform_get_drvdata(pdev); + ++ cancel_work_sync(&ctx->workq); + hwmon_device_unregister(ctx->hwmon_dev); + kfifo_free(&ctx->async_msg_fifo); + if (acpi_disabled) +-- +2.39.2 + diff --git a/queue-6.1/jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch b/queue-6.1/jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch new file mode 100644 index 00000000000..52b70974e6e --- /dev/null +++ b/queue-6.1/jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch @@ -0,0 +1,115 @@ +From 1a566300b38f27df497dc30df86c97bfe7da38c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 15:53:12 +0000 +Subject: jffs2: correct logic when creating a hole in jffs2_write_begin + +From: Yifei Liu + +[ Upstream commit 23892d383bee15b64f5463bd7195615734bb2415 ] + +Bug description and fix: + +1. Write data to a file, say all 1s from offset 0 to 16. + +2. Truncate the file to a smaller size, say 8 bytes. + +3. Write new bytes (say 2s) from an offset past the original size of the +file, say at offset 20, for 4 bytes. This is supposed to create a "hole" +in the file, meaning that the bytes from offset 8 (where it was truncated +above) up to the new write at offset 20, should all be 0s (zeros). + +4. Flush all caches using "echo 3 > /proc/sys/vm/drop_caches" (or unmount +and remount) the f/s. + +5. Check the content of the file. It is wrong. The 1s that used to be +between bytes 9 and 16, before the truncation, have REAPPEARED (they should +be 0s). + +We wrote a script and helper C program to reproduce the bug +(reproduce_jffs2_write_begin_issue.sh, write_file.c, and Makefile). We can +make them available to anyone. + +The above example is shown when writing a small file within the same first +page. But the bug happens for larger files, as long as steps 1, 2, and 3 +above all happen within the same page. + +The problem was traced to the jffs2_write_begin code, where it goes into an +'if' statement intended to handle writes past the current EOF (i.e., writes +that may create a hole). The code computes a 'pageofs' that is the floor +of the write position (pos), aligned to the page size boundary. In other +words, 'pageofs' will never be larger than 'pos'. The code then sets the +internal jffs2_raw_inode->isize to the size of max(current inode size, +pageofs) but that is wrong: the new file size should be the 'pos', which is +larger than both the current inode size and pageofs. + +Similarly, the code incorrectly sets the internal jffs2_raw_inode->dsize to +the difference between the pageofs minus current inode size; instead it +should be the current pos minus the current inode size. Finally, +inode->i_size was also set incorrectly. + +The patch below fixes this bug. The bug was discovered using a new tool +for finding f/s bugs using model checking, called MCFS (Model Checking File +Systems). + +Signed-off-by: Yifei Liu +Signed-off-by: Erez Zadok +Signed-off-by: Manish Adkar +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/jffs2/file.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c +index ba86acbe12d3f..0479096b96e4c 100644 +--- a/fs/jffs2/file.c ++++ b/fs/jffs2/file.c +@@ -137,19 +137,18 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); + struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); + pgoff_t index = pos >> PAGE_SHIFT; +- uint32_t pageofs = index << PAGE_SHIFT; + int ret = 0; + + jffs2_dbg(1, "%s()\n", __func__); + +- if (pageofs > inode->i_size) { +- /* Make new hole frag from old EOF to new page */ ++ if (pos > inode->i_size) { ++ /* Make new hole frag from old EOF to new position */ + struct jffs2_raw_inode ri; + struct jffs2_full_dnode *fn; + uint32_t alloc_len; + +- jffs2_dbg(1, "Writing new hole frag 0x%x-0x%x between current EOF and new page\n", +- (unsigned int)inode->i_size, pageofs); ++ jffs2_dbg(1, "Writing new hole frag 0x%x-0x%x between current EOF and new position\n", ++ (unsigned int)inode->i_size, (uint32_t)pos); + + ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len, + ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE); +@@ -169,10 +168,10 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + ri.mode = cpu_to_jemode(inode->i_mode); + ri.uid = cpu_to_je16(i_uid_read(inode)); + ri.gid = cpu_to_je16(i_gid_read(inode)); +- ri.isize = cpu_to_je32(max((uint32_t)inode->i_size, pageofs)); ++ ri.isize = cpu_to_je32((uint32_t)pos); + ri.atime = ri.ctime = ri.mtime = cpu_to_je32(JFFS2_NOW()); + ri.offset = cpu_to_je32(inode->i_size); +- ri.dsize = cpu_to_je32(pageofs - inode->i_size); ++ ri.dsize = cpu_to_je32((uint32_t)pos - inode->i_size); + ri.csize = cpu_to_je32(0); + ri.compr = JFFS2_COMPR_ZERO; + ri.node_crc = cpu_to_je32(crc32(0, &ri, sizeof(ri)-8)); +@@ -202,7 +201,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + goto out_err; + } + jffs2_complete_reservation(c); +- inode->i_size = pageofs; ++ inode->i_size = pos; + mutex_unlock(&f->sem); + } + +-- +2.39.2 + diff --git a/queue-6.1/kconfig-update-config-changed-flag-before-calling-ca.patch b/queue-6.1/kconfig-update-config-changed-flag-before-calling-ca.patch new file mode 100644 index 00000000000..e4d6c5cc658 --- /dev/null +++ b/queue-6.1/kconfig-update-config-changed-flag-before-calling-ca.patch @@ -0,0 +1,50 @@ +From f9a48937a56b48a499fdb33a06880cb9c4cd221f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 20:40:39 +0100 +Subject: kconfig: Update config changed flag before calling callback + +From: Jurica Vukadin + +[ Upstream commit ee06a3ef7e3cddb62b90ac40aa661d3c12f7cabc ] + +Prior to commit 5ee546594025 ("kconfig: change sym_change_count to a +boolean flag"), the conf_updated flag was set to the new value *before* +calling the callback. xconfig's save action depends on this behaviour, +because xconfig calls conf_get_changed() directly from the callback and +now sees the old value, thus never enabling the save button or the +shortcut. + +Restore the previous behaviour. + +Fixes: 5ee546594025 ("kconfig: change sym_change_count to a boolean flag") +Signed-off-by: Jurica Vukadin +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/confdata.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c +index b7c9f1dd5e422..992575f1e9769 100644 +--- a/scripts/kconfig/confdata.c ++++ b/scripts/kconfig/confdata.c +@@ -1226,10 +1226,12 @@ static void (*conf_changed_callback)(void); + + void conf_set_changed(bool val) + { +- if (conf_changed_callback && conf_changed != val) +- conf_changed_callback(); ++ bool changed = conf_changed != val; + + conf_changed = val; ++ ++ if (conf_changed_callback && changed) ++ conf_changed_callback(); + } + + bool conf_get_changed(void) +-- +2.39.2 + diff --git a/queue-6.1/loongarch-only-call-get_timer_irq-once-in-constant_c.patch b/queue-6.1/loongarch-only-call-get_timer_irq-once-in-constant_c.patch new file mode 100644 index 00000000000..ad20525ff66 --- /dev/null +++ b/queue-6.1/loongarch-only-call-get_timer_irq-once-in-constant_c.patch @@ -0,0 +1,103 @@ +From 29f0875eecc8da1fd3f96cf932f59fe4606d5371 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Feb 2023 15:52:56 +0800 +Subject: LoongArch: Only call get_timer_irq() once in + constant_clockevent_init() + +From: Tiezhu Yang + +[ Upstream commit bb7a78e343468873bf00b2b181fcfd3c02d8cb56 ] + +Under CONFIG_DEBUG_ATOMIC_SLEEP=y and CONFIG_DEBUG_PREEMPT=y, we can see +the following messages on LoongArch, this is because using might_sleep() +in preemption disable context. + +[ 0.001127] smp: Bringing up secondary CPUs ... +[ 0.001222] Booting CPU#1... +[ 0.001244] 64-bit Loongson Processor probed (LA464 Core) +[ 0.001247] CPU1 revision is: 0014c012 (Loongson-64bit) +[ 0.001250] FPU1 revision is: 00000000 +[ 0.001252] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 +[ 0.001255] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 +[ 0.001257] preempt_count: 1, expected: 0 +[ 0.001258] RCU nest depth: 0, expected: 0 +[ 0.001259] Preemption disabled at: +[ 0.001261] [<9000000000223800>] arch_dup_task_struct+0x20/0x110 +[ 0.001272] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc7+ #43 +[ 0.001275] Hardware name: Loongson Loongson-3A5000-7A1000-1w-A2101/Loongson-LS3A5000-7A1000-1w-A2101, BIOS vUDK2018-LoongArch-V4.0.05132-beta10 12/13/202 +[ 0.001277] Stack : 0072617764726148 0000000000000000 9000000000222f1c 90000001001e0000 +[ 0.001286] 90000001001e3be0 90000001001e3be8 0000000000000000 0000000000000000 +[ 0.001292] 90000001001e3be8 0000000000000040 90000001001e3cb8 90000001001e3a50 +[ 0.001297] 9000000001642000 90000001001e3be8 be694d10ce4139dd 9000000100174500 +[ 0.001303] 0000000000000001 0000000000000001 00000000ffffe0a2 0000000000000020 +[ 0.001309] 000000000000002f 9000000001354116 00000000056b0000 ffffffffffffffff +[ 0.001314] 0000000000000000 0000000000000000 90000000014f6e90 9000000001642000 +[ 0.001320] 900000000022b69c 0000000000000001 0000000000000000 9000000001736a90 +[ 0.001325] 9000000100038000 0000000000000000 9000000000222f34 0000000000000000 +[ 0.001331] 00000000000000b0 0000000000000004 0000000000000000 0000000000070000 +[ 0.001337] ... +[ 0.001339] Call Trace: +[ 0.001342] [<9000000000222f34>] show_stack+0x5c/0x180 +[ 0.001346] [<90000000010bdd80>] dump_stack_lvl+0x60/0x88 +[ 0.001352] [<9000000000266418>] __might_resched+0x180/0x1cc +[ 0.001356] [<90000000010c742c>] mutex_lock+0x20/0x64 +[ 0.001359] [<90000000002a8ccc>] irq_find_matching_fwspec+0x48/0x124 +[ 0.001364] [<90000000002259c4>] constant_clockevent_init+0x68/0x204 +[ 0.001368] [<900000000022acf4>] start_secondary+0x40/0xa8 +[ 0.001371] [<90000000010c0124>] smpboot_entry+0x60/0x64 + +Here are the complete call chains: + +smpboot_entry() + start_secondary() + constant_clockevent_init() + get_timer_irq() + irq_find_matching_fwnode() + irq_find_matching_fwspec() + mutex_lock() + might_sleep() + __might_sleep() + __might_resched() + +In order to avoid the above issue, we should break the call chains, +using timer_irq_installed variable as check condition to only call +get_timer_irq() once in constant_clockevent_init() is a simple and +proper way. + +Signed-off-by: Tiezhu Yang +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/kernel/time.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/arch/loongarch/kernel/time.c b/arch/loongarch/kernel/time.c +index 786735dcc8d67..d2b7d5df132a9 100644 +--- a/arch/loongarch/kernel/time.c ++++ b/arch/loongarch/kernel/time.c +@@ -135,16 +135,17 @@ static int get_timer_irq(void) + + int constant_clockevent_init(void) + { +- int irq; + unsigned int cpu = smp_processor_id(); + unsigned long min_delta = 0x600; + unsigned long max_delta = (1UL << 48) - 1; + struct clock_event_device *cd; +- static int timer_irq_installed = 0; ++ static int irq = 0, timer_irq_installed = 0; + +- irq = get_timer_irq(); +- if (irq < 0) +- pr_err("Failed to map irq %d (timer)\n", irq); ++ if (!timer_irq_installed) { ++ irq = get_timer_irq(); ++ if (irq < 0) ++ pr_err("Failed to map irq %d (timer)\n", irq); ++ } + + cd = &per_cpu(constant_clockevent_device, cpu); + +-- +2.39.2 + diff --git a/queue-6.1/media-m5mols-fix-off-by-one-loop-termination-error.patch b/queue-6.1/media-m5mols-fix-off-by-one-loop-termination-error.patch new file mode 100644 index 00000000000..a868c563788 --- /dev/null +++ b/queue-6.1/media-m5mols-fix-off-by-one-loop-termination-error.patch @@ -0,0 +1,62 @@ +From 92ceb5ba1ccae3a57d94301c49f739254522c2a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Mar 2023 13:51:17 -0700 +Subject: media: m5mols: fix off-by-one loop termination error + +From: Linus Torvalds + +[ Upstream commit efbcbb12ee99f750c9f25c873b55ad774871de2a ] + +The __find_restype() function loops over the m5mols_default_ffmt[] +array, and the termination condition ends up being wrong: instead of +stopping when the iterator becomes the size of the array it traverses, +it stops after it has already overshot the array. + +Now, in practice this doesn't likely matter, because the code will +always find the entry it looks for, and will thus return early and never +hit that last extra iteration. + +But it turns out that clang will unroll the loop fully, because it has +only two iterations (well, three due to the off-by-one bug), and then +clang will end up just giving up in the middle of the loop unrolling +when it notices that the code walks past the end of the array. + +And that made 'objtool' very unhappy indeed, because the generated code +just falls off the edge of the universe, and ends up falling through to +the next function, causing this warning: + + drivers/media/i2c/m5mols/m5mols.o: warning: objtool: m5mols_set_fmt() falls through to next function m5mols_get_frame_desc() + +Fix the loop ending condition. + +Reported-by: Jens Axboe +Analyzed-by: Miguel Ojeda +Analyzed-by: Nick Desaulniers +Link: https://lore.kernel.org/linux-block/CAHk-=wgTSdKYbmB1JYM5vmHMcD9J9UZr0mn7BOYM_LudrP+Xvw@mail.gmail.com/ +Fixes: bc125106f8af ("[media] Add support for M-5MOLS 8 Mega Pixel camera ISP") +Cc: HeungJun, Kim +Cc: Sylwester Nawrocki +Cc: Kyungmin Park +Cc: Mauro Carvalho Chehab +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/m5mols/m5mols_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/m5mols/m5mols_core.c b/drivers/media/i2c/m5mols/m5mols_core.c +index 2201d2a26353a..c90442feb6dca 100644 +--- a/drivers/media/i2c/m5mols/m5mols_core.c ++++ b/drivers/media/i2c/m5mols/m5mols_core.c +@@ -488,7 +488,7 @@ static enum m5mols_restype __find_restype(u32 code) + do { + if (code == m5mols_default_ffmt[type].code) + return type; +- } while (type++ != SIZE_DEFAULT_FFMT); ++ } while (++type != SIZE_DEFAULT_FFMT); + + return 0; + } +-- +2.39.2 + diff --git a/queue-6.1/mmc-atmel-mci-fix-race-between-stop-command-and-star.patch b/queue-6.1/mmc-atmel-mci-fix-race-between-stop-command-and-star.patch new file mode 100644 index 00000000000..51647181238 --- /dev/null +++ b/queue-6.1/mmc-atmel-mci-fix-race-between-stop-command-and-star.patch @@ -0,0 +1,58 @@ +From 02efd600a46c339188e16a1b97b259495529a6b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Dec 2022 20:43:15 +0100 +Subject: mmc: atmel-mci: fix race between stop command and start of next + command + +From: Tobias Schramm + +[ Upstream commit eca5bd666b0aa7dc0bca63292e4778968241134e ] + +This commit fixes a race between completion of stop command and start of a +new command. +Previously the command ready interrupt was enabled before stop command +was written to the command register. This caused the command ready +interrupt to fire immediately since the CMDRDY flag is asserted constantly +while there is no command in progress. +Consequently the command state machine will immediately advance to the +next state when the tasklet function is executed again, no matter +actual completion state of the stop command. +Thus a new command can then be dispatched immediately, interrupting and +corrupting the stop command on the CMD line. +Fix that by dropping the command ready interrupt enable before calling +atmci_send_stop_cmd. atmci_send_stop_cmd does already enable the +command ready interrupt, no further writes to ATMCI_IER are necessary. + +Signed-off-by: Tobias Schramm +Acked-by: Ludovic Desroches +Link: https://lore.kernel.org/r/20221230194315.809903-2-t.schramm@manjaro.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/atmel-mci.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/mmc/host/atmel-mci.c b/drivers/mmc/host/atmel-mci.c +index bb9bbf1c927b6..dd18440a90c58 100644 +--- a/drivers/mmc/host/atmel-mci.c ++++ b/drivers/mmc/host/atmel-mci.c +@@ -1817,7 +1817,6 @@ static void atmci_tasklet_func(struct tasklet_struct *t) + atmci_writel(host, ATMCI_IER, ATMCI_NOTBUSY); + state = STATE_WAITING_NOTBUSY; + } else if (host->mrq->stop) { +- atmci_writel(host, ATMCI_IER, ATMCI_CMDRDY); + atmci_send_stop_cmd(host, data); + state = STATE_SENDING_STOP; + } else { +@@ -1850,8 +1849,6 @@ static void atmci_tasklet_func(struct tasklet_struct *t) + * command to send. + */ + if (host->mrq->stop) { +- atmci_writel(host, ATMCI_IER, +- ATMCI_CMDRDY); + atmci_send_stop_cmd(host, data); + state = STATE_SENDING_STOP; + } else { +-- +2.39.2 + diff --git a/queue-6.1/net-9p-fix-bug-in-client-create-for-.l.patch b/queue-6.1/net-9p-fix-bug-in-client-create-for-.l.patch new file mode 100644 index 00000000000..2669b3f7654 --- /dev/null +++ b/queue-6.1/net-9p-fix-bug-in-client-create-for-.l.patch @@ -0,0 +1,37 @@ +From c28b29c8fe49d51e44d884ee1ed0f5f26b4f720a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Dec 2022 17:57:27 +0000 +Subject: net/9p: fix bug in client create for .L + +From: Eric Van Hensbergen + +[ Upstream commit 3866584a1c56a2bbc8c0981deb4476d0b801969e ] + +We are supposed to set fid->mode to reflect the flags +that were used to open the file. We were actually setting +it to the creation mode which is the default perms of the +file not the flags the file was opened with. + +Signed-off-by: Eric Van Hensbergen +Reviewed-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/9p/client.c b/net/9p/client.c +index 554a4b11f4fec..af59c3f2ec2e7 100644 +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -1284,7 +1284,7 @@ int p9_client_create_dotl(struct p9_fid *ofid, const char *name, u32 flags, + qid->type, qid->path, qid->version, iounit); + + memmove(&ofid->qid, qid, sizeof(struct p9_qid)); +- ofid->mode = mode; ++ ofid->mode = flags; + ofid->iounit = iounit; + + free_and_error: +-- +2.39.2 + diff --git a/queue-6.1/rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch b/queue-6.1/rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch new file mode 100644 index 00000000000..fd65281942a --- /dev/null +++ b/queue-6.1/rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch @@ -0,0 +1,53 @@ +From c6a7f4d5d37f8da42115de3fdca089b9619b3af7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Dec 2022 12:44:35 +0800 +Subject: rust: arch/um: Disable FP/SIMD instruction to match x86 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Gow + +[ Upstream commit 8849818679478933dd1d9718741f4daa3f4e8b86 ] + +The kernel disables all SSE and similar FP/SIMD instructions on +x86-based architectures (partly because we shouldn't be using floats in +the kernel, and partly to avoid the need for stack alignment, see: +https://gcc.gnu.org/bugzilla/show_bug.cgi?id=53383 ) + +UML does not do the same thing, which isn't in itself a problem, but +does add to the list of differences between UML and "normal" x86 builds. + +In addition, there was a crash bug with LLVM < 15 / rustc < 1.65 when +building with SSE, so disabling it fixes rust builds with earlier +compiler versions, see: +https://github.com/Rust-for-Linux/linux/pull/881 + +Signed-off-by: David Gow +Reviewed-by: Sergio González Collado +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/x86/Makefile.um | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/x86/Makefile.um b/arch/x86/Makefile.um +index b3c1ae084180d..d2e95d1d4db77 100644 +--- a/arch/x86/Makefile.um ++++ b/arch/x86/Makefile.um +@@ -1,6 +1,12 @@ + # SPDX-License-Identifier: GPL-2.0 + core-y += arch/x86/crypto/ + ++# ++# Disable SSE and other FP/SIMD instructions to match normal x86 ++# ++KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx ++KBUILD_RUSTFLAGS += -Ctarget-feature=-sse,-sse2,-sse3,-ssse3,-sse4.1,-sse4.2,-avx,-avx2 ++ + ifeq ($(CONFIG_X86_32),y) + START := 0x8048000 + +-- +2.39.2 + diff --git a/queue-6.1/series b/queue-6.1/series index 1708e0696c0..b9ac2e3c40c 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -90,3 +90,26 @@ net-dsa-microchip-fix-rgmii-delay-configuration-on-k.patch ethernet-sun-add-check-for-the-mdesc_grab.patch bonding-restore-iff_master-slave-flags-on-bond-ensla.patch bonding-restore-bond-s-iff_slave-flag-if-a-non-eth-d.patch +hwmon-adt7475-display-smoothing-attributes-in-correc.patch +hwmon-adt7475-fix-masking-of-hysteresis-registers.patch +hwmon-xgene-fix-use-after-free-bug-in-xgene_hwmon_re.patch +hwmon-ina3221-return-prober-error-code.patch +hwmon-ucd90320-add-minimum-delay-between-bus-accesse.patch +hwmon-tmp512-drop-of_match_ptr-for-id-table.patch +kconfig-update-config-changed-flag-before-calling-ca.patch +hwmon-adm1266-set-can_sleep-flag-for-gpio-chip.patch +hwmon-ltc2992-set-can_sleep-flag-for-gpio-chip.patch +media-m5mols-fix-off-by-one-loop-termination-error.patch +mmc-atmel-mci-fix-race-between-stop-command-and-star.patch +soc-mediatek-mtk-svs-keep-svs-alive-if-config_debug_.patch +jffs2-correct-logic-when-creating-a-hole-in-jffs2_wr.patch +rust-arch-um-disable-fp-simd-instruction-to-match-x8.patch +ext4-fail-ext4_iget-if-special-inode-unallocated.patch +ext4-update-s_journal_inum-if-it-changes-after-journ.patch +ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch +drm-amdkfd-fix-an-illegal-memory-access.patch +net-9p-fix-bug-in-client-create-for-.l.patch +loongarch-only-call-get_timer_irq-once-in-constant_c.patch +sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch +drm-amdgpu-fix-ttm_bo-calltrace-warning-in-psp_hw_fi.patch +drm-amd-display-fix-shift-out-of-bounds-in-calculate.patch diff --git a/queue-6.1/sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch b/queue-6.1/sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch new file mode 100644 index 00000000000..fe0b71ad078 --- /dev/null +++ b/queue-6.1/sh-intc-avoid-spurious-sizeof-pointer-div-warning.patch @@ -0,0 +1,51 @@ +From bf07d597f6b837081e1cd9aad5fff2d3807e8329 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 22:48:16 +0100 +Subject: sh: intc: Avoid spurious sizeof-pointer-div warning + +From: Michael Karcher + +[ Upstream commit 250870824c1cf199b032b1ef889c8e8d69d9123a ] + +GCC warns about the pattern sizeof(void*)/sizeof(void), as it looks like +the abuse of a pattern to calculate the array size. This pattern appears +in the unevaluated part of the ternary operator in _INTC_ARRAY if the +parameter is NULL. + +The replacement uses an alternate approach to return 0 in case of NULL +which does not generate the pattern sizeof(void*)/sizeof(void), but still +emits the warning if _INTC_ARRAY is called with a nonarray parameter. + +This patch is required for successful compilation with -Werror enabled. + +The idea to use _Generic for type distinction is taken from Comment #7 +in https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108483 by Jakub Jelinek + +Signed-off-by: Michael Karcher +Acked-by: Randy Dunlap # build-tested +Link: https://lore.kernel.org/r/619fa552-c988-35e5-b1d7-fe256c46a272@mkarcher.dialup.fu-berlin.de +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + include/linux/sh_intc.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/linux/sh_intc.h b/include/linux/sh_intc.h +index c255273b02810..37ad81058d6ae 100644 +--- a/include/linux/sh_intc.h ++++ b/include/linux/sh_intc.h +@@ -97,7 +97,10 @@ struct intc_hw_desc { + unsigned int nr_subgroups; + }; + +-#define _INTC_ARRAY(a) a, __same_type(a, NULL) ? 0 : sizeof(a)/sizeof(*a) ++#define _INTC_SIZEOF_OR_ZERO(a) (_Generic(a, \ ++ typeof(NULL): 0, \ ++ default: sizeof(a))) ++#define _INTC_ARRAY(a) a, _INTC_SIZEOF_OR_ZERO(a)/sizeof(*a) + + #define INTC_HW_DESC(vectors, groups, mask_regs, \ + prio_regs, sense_regs, ack_regs) \ +-- +2.39.2 + diff --git a/queue-6.1/soc-mediatek-mtk-svs-keep-svs-alive-if-config_debug_.patch b/queue-6.1/soc-mediatek-mtk-svs-keep-svs-alive-if-config_debug_.patch new file mode 100644 index 00000000000..fb57de41b13 --- /dev/null +++ b/queue-6.1/soc-mediatek-mtk-svs-keep-svs-alive-if-config_debug_.patch @@ -0,0 +1,75 @@ +From 8303ce150ae1167ade20feda19ee7ee668845f8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 15:45:21 +0800 +Subject: soc: mediatek: mtk-svs: keep svs alive if CONFIG_DEBUG_FS not + supported + +From: Roger Lu + +[ Upstream commit 8bf305087629a98224aa97769587434ea4016767 ] + +Some projects might not support CONFIG_DEBUG_FS but still needs svs to be +alive. Therefore, enclose debug cmd codes with CONFIG_DEBUG_FS to make sure +svs can be alive when CONFIG_DEBUG_FS not supported. + +Signed-off-by: Roger Lu +Link: https://lore.kernel.org/r/20230111074528.29354-8-roger.lu@mediatek.com +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + drivers/soc/mediatek/mtk-svs.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/soc/mediatek/mtk-svs.c b/drivers/soc/mediatek/mtk-svs.c +index 00526fd37d7b8..e55fb16fdc5ac 100644 +--- a/drivers/soc/mediatek/mtk-svs.c ++++ b/drivers/soc/mediatek/mtk-svs.c +@@ -138,6 +138,7 @@ + + static DEFINE_SPINLOCK(svs_lock); + ++#ifdef CONFIG_DEBUG_FS + #define debug_fops_ro(name) \ + static int svs_##name##_debug_open(struct inode *inode, \ + struct file *filp) \ +@@ -170,6 +171,7 @@ static DEFINE_SPINLOCK(svs_lock); + } + + #define svs_dentry_data(name) {__stringify(name), &svs_##name##_debug_fops} ++#endif + + /** + * enum svsb_phase - svs bank phase enumeration +@@ -628,6 +630,7 @@ static int svs_adjust_pm_opp_volts(struct svs_bank *svsb) + return ret; + } + ++#ifdef CONFIG_DEBUG_FS + static int svs_dump_debug_show(struct seq_file *m, void *p) + { + struct svs_platform *svsp = (struct svs_platform *)m->private; +@@ -843,6 +846,7 @@ static int svs_create_debug_cmds(struct svs_platform *svsp) + + return 0; + } ++#endif /* CONFIG_DEBUG_FS */ + + static u32 interpolate(u32 f0, u32 f1, u32 v0, u32 v1, u32 fx) + { +@@ -2444,11 +2448,13 @@ static int svs_probe(struct platform_device *pdev) + goto svs_probe_iounmap; + } + ++#ifdef CONFIG_DEBUG_FS + ret = svs_create_debug_cmds(svsp); + if (ret) { + dev_err(svsp->dev, "svs create debug cmds fail: %d\n", ret); + goto svs_probe_iounmap; + } ++#endif + + return 0; + +-- +2.39.2 + -- 2.47.3