From: Greg Kroah-Hartman Date: Sat, 12 Aug 2023 06:22:19 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.14.323~66 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=507f53dd5a7ce324c11118b11bd764c51ec2846c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: dmaengine-pl330-return-dma_paused-when-transaction-is-paused.patch drm-amd-display-check-attr-flag-before-set-cursor-degamma-on-dcn3.patch drm-nouveau-gr-enable-memory-loads-on-helper-invocation-on-all-channels.patch drm-shmem-helper-reset-vma-vm_ops-before-calling-dma_buf_mmap.patch hwmon-pmbus-bel-pfe-enable-pmbus_skip_status_check-for-pfe1100.patch nilfs2-fix-use-after-free-of-nilfs_root-in-dirtying-inodes-via-iput.patch radix-tree-test-suite-fix-incorrect-allocation-size-for-pthreads.patch riscv-mmio-fix-readx-to-delay-ordering.patch --- diff --git a/queue-5.15/dmaengine-pl330-return-dma_paused-when-transaction-is-paused.patch b/queue-5.15/dmaengine-pl330-return-dma_paused-when-transaction-is-paused.patch new file mode 100644 index 00000000000..0b543d24537 --- /dev/null +++ b/queue-5.15/dmaengine-pl330-return-dma_paused-when-transaction-is-paused.patch @@ -0,0 +1,98 @@ +From 8cda3ececf07d374774f6a13e5a94bc2dc04c26c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Fri, 26 May 2023 13:54:34 +0300 +Subject: dmaengine: pl330: Return DMA_PAUSED when transaction is paused +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 8cda3ececf07d374774f6a13e5a94bc2dc04c26c upstream. + +pl330_pause() does not set anything to indicate paused condition which +causes pl330_tx_status() to return DMA_IN_PROGRESS. This breaks 8250 +DMA flush after the fix in commit 57e9af7831dc ("serial: 8250_dma: Fix +DMA Rx rearm race"). The function comment for pl330_pause() claims +pause is supported but resume is not which is enough for 8250 DMA flush +to work as long as DMA status reports DMA_PAUSED when appropriate. + +Add PAUSED state for descriptor and mark BUSY descriptors with PAUSED +in pl330_pause(). Return DMA_PAUSED from pl330_tx_status() when the +descriptor is PAUSED. + +Reported-by: Richard Tresidder +Tested-by: Richard Tresidder +Fixes: 88987d2c7534 ("dmaengine: pl330: add DMA_PAUSE feature") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/linux-serial/f8a86ecd-64b1-573f-c2fa-59f541083f1a@electromag.com.au/ +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20230526105434.14959-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/pl330.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -404,6 +404,12 @@ enum desc_status { + */ + BUSY, + /* ++ * Pause was called while descriptor was BUSY. Due to hardware ++ * limitations, only termination is possible for descriptors ++ * that have been paused. ++ */ ++ PAUSED, ++ /* + * Sitting on the channel work_list but xfer done + * by PL330 core + */ +@@ -2041,7 +2047,7 @@ static inline void fill_queue(struct dma + list_for_each_entry(desc, &pch->work_list, node) { + + /* If already submitted */ +- if (desc->status == BUSY) ++ if (desc->status == BUSY || desc->status == PAUSED) + continue; + + ret = pl330_submit_req(pch->thread, desc); +@@ -2326,6 +2332,7 @@ static int pl330_pause(struct dma_chan * + { + struct dma_pl330_chan *pch = to_pchan(chan); + struct pl330_dmac *pl330 = pch->dmac; ++ struct dma_pl330_desc *desc; + unsigned long flags; + + pm_runtime_get_sync(pl330->ddma.dev); +@@ -2335,6 +2342,10 @@ static int pl330_pause(struct dma_chan * + _stop(pch->thread); + spin_unlock(&pl330->lock); + ++ list_for_each_entry(desc, &pch->work_list, node) { ++ if (desc->status == BUSY) ++ desc->status = PAUSED; ++ } + spin_unlock_irqrestore(&pch->lock, flags); + pm_runtime_mark_last_busy(pl330->ddma.dev); + pm_runtime_put_autosuspend(pl330->ddma.dev); +@@ -2425,7 +2436,7 @@ pl330_tx_status(struct dma_chan *chan, d + else if (running && desc == running) + transferred = + pl330_get_current_xferred_count(pch, desc); +- else if (desc->status == BUSY) ++ else if (desc->status == BUSY || desc->status == PAUSED) + /* + * Busy but not running means either just enqueued, + * or finished and not yet marked done +@@ -2442,6 +2453,9 @@ pl330_tx_status(struct dma_chan *chan, d + case DONE: + ret = DMA_COMPLETE; + break; ++ case PAUSED: ++ ret = DMA_PAUSED; ++ break; + case PREP: + case BUSY: + ret = DMA_IN_PROGRESS; diff --git a/queue-5.15/drm-amd-display-check-attr-flag-before-set-cursor-degamma-on-dcn3.patch b/queue-5.15/drm-amd-display-check-attr-flag-before-set-cursor-degamma-on-dcn3.patch new file mode 100644 index 00000000000..5ef1a63256a --- /dev/null +++ b/queue-5.15/drm-amd-display-check-attr-flag-before-set-cursor-degamma-on-dcn3.patch @@ -0,0 +1,48 @@ +From 96b020e2163fb2197266b2f71b1007495206e6bb Mon Sep 17 00:00:00 2001 +From: Melissa Wen +Date: Mon, 31 Jul 2023 07:35:05 -0100 +Subject: drm/amd/display: check attr flag before set cursor degamma on DCN3+ + +From: Melissa Wen + +commit 96b020e2163fb2197266b2f71b1007495206e6bb upstream. + +Don't set predefined degamma curve to cursor plane if the cursor +attribute flag is not set. Applying a degamma curve to the cursor by +default breaks userspace expectation. Checking the flag before +performing any color transformation prevents too dark cursor gamma in +DCN3+ on many Linux desktop environment (KDE Plasma, GNOME, +wlroots-based, etc.) as reported at: +- https://gitlab.freedesktop.org/drm/amd/-/issues/1513 + +This is the same approach followed by DCN2 drivers where the issue is +not present. + +Fixes: 03f54d7d3448 ("drm/amd/display: Add DCN3 DPP") +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1513 +Signed-off-by: Melissa Wen +Reviewed-by: Harry Wentland +Tested-by: Alex Hung +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dpp.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dpp.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dpp.c +@@ -355,8 +355,11 @@ void dpp3_set_cursor_attributes( + int cur_rom_en = 0; + + if (color_format == CURSOR_MODE_COLOR_PRE_MULTIPLIED_ALPHA || +- color_format == CURSOR_MODE_COLOR_UN_PRE_MULTIPLIED_ALPHA) +- cur_rom_en = 1; ++ color_format == CURSOR_MODE_COLOR_UN_PRE_MULTIPLIED_ALPHA) { ++ if (cursor_attributes->attribute_flags.bits.ENABLE_CURSOR_DEGAMMA) { ++ cur_rom_en = 1; ++ } ++ } + + REG_UPDATE_3(CURSOR0_CONTROL, + CUR0_MODE, color_format, diff --git a/queue-5.15/drm-nouveau-gr-enable-memory-loads-on-helper-invocation-on-all-channels.patch b/queue-5.15/drm-nouveau-gr-enable-memory-loads-on-helper-invocation-on-all-channels.patch new file mode 100644 index 00000000000..c9dd834998b --- /dev/null +++ b/queue-5.15/drm-nouveau-gr-enable-memory-loads-on-helper-invocation-on-all-channels.patch @@ -0,0 +1,112 @@ +From 1cb9e2ef66d53b020842b18762e30d0eb4384de8 Mon Sep 17 00:00:00 2001 +From: Karol Herbst +Date: Thu, 22 Jun 2023 17:20:17 +0200 +Subject: drm/nouveau/gr: enable memory loads on helper invocation on all channels + +From: Karol Herbst + +commit 1cb9e2ef66d53b020842b18762e30d0eb4384de8 upstream. + +We have a lurking bug where Fragment Shader Helper Invocations can't load +from memory. But this is actually required in OpenGL and is causing random +hangs or failures in random shaders. + +It is unknown how widespread this issue is, but shaders hitting this can +end up with infinite loops. + +We enable those only on all Kepler and newer GPUs where we use our own +Firmware. + +Nvidia's firmware provides a way to set a kernelspace controlled list of +mmio registers in the gr space from push buffers via MME macros. + +v2: drop code for gm200 and newer. + +Cc: Ben Skeggs +Cc: David Airlie +Cc: nouveau@lists.freedesktop.org +Cc: stable@vger.kernel.org # 4.19+ +Signed-off-by: Karol Herbst +Reviewed-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/20230622152017.2512101-1-kherbst@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgf100.h | 1 + + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk104.c | 4 +++- + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110.c | 10 ++++++++++ + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110b.c | 1 + + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk208.c | 1 + + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgm107.c | 1 + + 6 files changed, 17 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgf100.h ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgf100.h +@@ -123,6 +123,7 @@ void gk104_grctx_generate_r418800(struct + + extern const struct gf100_grctx_func gk110_grctx; + void gk110_grctx_generate_r419eb0(struct gf100_gr *); ++void gk110_grctx_generate_r419f78(struct gf100_gr *); + + extern const struct gf100_grctx_func gk110b_grctx; + extern const struct gf100_grctx_func gk208_grctx; +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk104.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk104.c +@@ -916,7 +916,9 @@ static void + gk104_grctx_generate_r419f78(struct gf100_gr *gr) + { + struct nvkm_device *device = gr->base.engine.subdev.device; +- nvkm_mask(device, 0x419f78, 0x00000001, 0x00000000); ++ ++ /* bit 3 set disables loads in fp helper invocations, we need it enabled */ ++ nvkm_mask(device, 0x419f78, 0x00000009, 0x00000000); + } + + void +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110.c +@@ -820,6 +820,15 @@ gk110_grctx_generate_r419eb0(struct gf10 + nvkm_mask(device, 0x419eb0, 0x00001000, 0x00001000); + } + ++void ++gk110_grctx_generate_r419f78(struct gf100_gr *gr) ++{ ++ struct nvkm_device *device = gr->base.engine.subdev.device; ++ ++ /* bit 3 set disables loads in fp helper invocations, we need it enabled */ ++ nvkm_mask(device, 0x419f78, 0x00000008, 0x00000000); ++} ++ + const struct gf100_grctx_func + gk110_grctx = { + .main = gf100_grctx_generate_main, +@@ -852,4 +861,5 @@ gk110_grctx = { + .gpc_tpc_nr = gk104_grctx_generate_gpc_tpc_nr, + .r418800 = gk104_grctx_generate_r418800, + .r419eb0 = gk110_grctx_generate_r419eb0, ++ .r419f78 = gk110_grctx_generate_r419f78, + }; +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110b.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110b.c +@@ -101,4 +101,5 @@ gk110b_grctx = { + .gpc_tpc_nr = gk104_grctx_generate_gpc_tpc_nr, + .r418800 = gk104_grctx_generate_r418800, + .r419eb0 = gk110_grctx_generate_r419eb0, ++ .r419f78 = gk110_grctx_generate_r419f78, + }; +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk208.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk208.c +@@ -566,4 +566,5 @@ gk208_grctx = { + .dist_skip_table = gf117_grctx_generate_dist_skip_table, + .gpc_tpc_nr = gk104_grctx_generate_gpc_tpc_nr, + .r418800 = gk104_grctx_generate_r418800, ++ .r419f78 = gk110_grctx_generate_r419f78, + }; +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgm107.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgm107.c +@@ -991,4 +991,5 @@ gm107_grctx = { + .r406500 = gm107_grctx_generate_r406500, + .gpc_tpc_nr = gk104_grctx_generate_gpc_tpc_nr, + .r419e00 = gm107_grctx_generate_r419e00, ++ .r419f78 = gk110_grctx_generate_r419f78, + }; diff --git a/queue-5.15/drm-shmem-helper-reset-vma-vm_ops-before-calling-dma_buf_mmap.patch b/queue-5.15/drm-shmem-helper-reset-vma-vm_ops-before-calling-dma_buf_mmap.patch new file mode 100644 index 00000000000..cc6fe6501fc --- /dev/null +++ b/queue-5.15/drm-shmem-helper-reset-vma-vm_ops-before-calling-dma_buf_mmap.patch @@ -0,0 +1,45 @@ +From 07dd476f6116966cb2006e25fdcf48f0715115ff Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Mon, 24 Jul 2023 13:26:10 +0200 +Subject: drm/shmem-helper: Reset vma->vm_ops before calling dma_buf_mmap() + +From: Boris Brezillon + +commit 07dd476f6116966cb2006e25fdcf48f0715115ff upstream. + +The dma-buf backend is supposed to provide its own vm_ops, but some +implementation just have nothing special to do and leave vm_ops +untouched, probably expecting this field to be zero initialized (this +is the case with the system_heap implementation for instance). +Let's reset vma->vm_ops to NULL to keep things working with these +implementations. + +Fixes: 26d3ac3cb04d ("drm/shmem-helpers: Redirect mmap for imported dma-buf") +Cc: +Cc: Daniel Vetter +Reported-by: Roman Stratiienko +Signed-off-by: Boris Brezillon +Tested-by: Roman Stratiienko +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230724112610.60974-1-boris.brezillon@collabora.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_shmem_helper.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/gpu/drm/drm_gem_shmem_helper.c ++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c +@@ -591,7 +591,13 @@ int drm_gem_shmem_mmap(struct drm_gem_sh + int ret; + + if (obj->import_attach) { ++ /* Reset both vm_ops and vm_private_data, so we don't end up with ++ * vm_ops pointing to our implementation if the dma-buf backend ++ * doesn't set those fields. ++ */ + vma->vm_private_data = NULL; ++ vma->vm_ops = NULL; ++ + ret = dma_buf_mmap(obj->dma_buf, vma, 0); + + /* Drop the reference drm_gem_mmap_obj() acquired.*/ diff --git a/queue-5.15/hwmon-pmbus-bel-pfe-enable-pmbus_skip_status_check-for-pfe1100.patch b/queue-5.15/hwmon-pmbus-bel-pfe-enable-pmbus_skip_status_check-for-pfe1100.patch new file mode 100644 index 00000000000..2d86b9ea8eb --- /dev/null +++ b/queue-5.15/hwmon-pmbus-bel-pfe-enable-pmbus_skip_status_check-for-pfe1100.patch @@ -0,0 +1,62 @@ +From f38963b9cd0645a336cf30c5da2e89e34e34fec3 Mon Sep 17 00:00:00 2001 +From: Tao Ren +Date: Fri, 4 Aug 2023 15:14:03 -0700 +Subject: hwmon: (pmbus/bel-pfe) Enable PMBUS_SKIP_STATUS_CHECK for pfe1100 + +From: Tao Ren + +commit f38963b9cd0645a336cf30c5da2e89e34e34fec3 upstream. + +Skip status check for both pfe1100 and pfe3000 because the communication +error is also observed on pfe1100 devices. + +Signed-off-by: Tao Ren +Fixes: 626bb2f3fb3c hwmon: (pmbus) add driver for BEL PFE1100 and PFE3000 +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230804221403.28931-1-rentao.bupt@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/bel-pfe.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/hwmon/pmbus/bel-pfe.c ++++ b/drivers/hwmon/pmbus/bel-pfe.c +@@ -17,12 +17,13 @@ + enum chips {pfe1100, pfe3000}; + + /* +- * Disable status check for pfe3000 devices, because some devices report +- * communication error (invalid command) for VOUT_MODE command (0x20) +- * although correct VOUT_MODE (0x16) is returned: it leads to incorrect +- * exponent in linear mode. ++ * Disable status check because some devices report communication error ++ * (invalid command) for VOUT_MODE command (0x20) although the correct ++ * VOUT_MODE (0x16) is returned: it leads to incorrect exponent in linear ++ * mode. ++ * This affects both pfe3000 and pfe1100. + */ +-static struct pmbus_platform_data pfe3000_plat_data = { ++static struct pmbus_platform_data pfe_plat_data = { + .flags = PMBUS_SKIP_STATUS_CHECK, + }; + +@@ -94,16 +95,15 @@ static int pfe_pmbus_probe(struct i2c_cl + int model; + + model = (int)i2c_match_id(pfe_device_id, client)->driver_data; ++ client->dev.platform_data = &pfe_plat_data; + + /* + * PFE3000-12-069RA devices may not stay in page 0 during device + * probe which leads to probe failure (read status word failed). + * So let's set the device to page 0 at the beginning. + */ +- if (model == pfe3000) { +- client->dev.platform_data = &pfe3000_plat_data; ++ if (model == pfe3000) + i2c_smbus_write_byte_data(client, PMBUS_PAGE, 0); +- } + + return pmbus_do_probe(client, &pfe_driver_info[model]); + } diff --git a/queue-5.15/nilfs2-fix-use-after-free-of-nilfs_root-in-dirtying-inodes-via-iput.patch b/queue-5.15/nilfs2-fix-use-after-free-of-nilfs_root-in-dirtying-inodes-via-iput.patch new file mode 100644 index 00000000000..4d98cd2c33f --- /dev/null +++ b/queue-5.15/nilfs2-fix-use-after-free-of-nilfs_root-in-dirtying-inodes-via-iput.patch @@ -0,0 +1,120 @@ +From f8654743a0e6909dc634cbfad6db6816f10f3399 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sat, 29 Jul 2023 04:13:18 +0900 +Subject: nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput + +From: Ryusuke Konishi + +commit f8654743a0e6909dc634cbfad6db6816f10f3399 upstream. + +During unmount process of nilfs2, nothing holds nilfs_root structure after +nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously, +nilfs_evict_inode() could cause use-after-free read for nilfs_root if +inodes are left in "garbage_list" and released by nilfs_dispose_list at +the end of nilfs_detach_log_writer(), and this bug was fixed by commit +9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in +nilfs_evict_inode()"). + +However, it turned out that there is another possibility of UAF in the +call path where mark_inode_dirty_sync() is called from iput(): + +nilfs_detach_log_writer() + nilfs_dispose_list() + iput() + mark_inode_dirty_sync() + __mark_inode_dirty() + nilfs_dirty_inode() + __nilfs_mark_inode_dirty() + nilfs_load_inode_block() --> causes UAF of nilfs_root struct + +This can happen after commit 0ae45f63d4ef ("vfs: add support for a +lazytime mount option"), which changed iput() to call +mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME +flag and i_nlink is non-zero. + +This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty +data after degenerating to read-only") when using the syzbot reproducer, +but the issue has potentially existed before. + +Fix this issue by adding a "purging flag" to the nilfs structure, setting +that flag while disposing the "garbage_list" and checking it in +__nilfs_mark_inode_dirty(). + +Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root +in nilfs_evict_inode()"), this patch does not rely on ns_writer to +determine whether to skip operations, so as not to break recovery on +mount. The nilfs_salvage_orphan_logs routine dirties the buffer of +salvaged data before attaching the log writer, so changing +__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL +will cause recovery write to fail. The purpose of using the cleanup-only +flag is to allow for narrowing of such conditions. + +Link: https://lkml.kernel.org/r/20230728191318.33047-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+74db8b3087f293d3a13a@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/000000000000b4e906060113fd63@google.com +Fixes: 0ae45f63d4ef ("vfs: add support for a lazytime mount option") +Tested-by: Ryusuke Konishi +Cc: # 4.0+ +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/inode.c | 8 ++++++++ + fs/nilfs2/segment.c | 2 ++ + fs/nilfs2/the_nilfs.h | 2 ++ + 3 files changed, 12 insertions(+) + +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -1105,9 +1105,17 @@ int nilfs_set_file_dirty(struct inode *i + + int __nilfs_mark_inode_dirty(struct inode *inode, int flags) + { ++ struct the_nilfs *nilfs = inode->i_sb->s_fs_info; + struct buffer_head *ibh; + int err; + ++ /* ++ * Do not dirty inodes after the log writer has been detached ++ * and its nilfs_root struct has been freed. ++ */ ++ if (unlikely(nilfs_purging(nilfs))) ++ return 0; ++ + err = nilfs_load_inode_block(inode, &ibh); + if (unlikely(err)) { + nilfs_warn(inode->i_sb, +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -2845,6 +2845,7 @@ void nilfs_detach_log_writer(struct supe + nilfs_segctor_destroy(nilfs->ns_writer); + nilfs->ns_writer = NULL; + } ++ set_nilfs_purging(nilfs); + + /* Force to free the list of dirty files */ + spin_lock(&nilfs->ns_inode_lock); +@@ -2857,4 +2858,5 @@ void nilfs_detach_log_writer(struct supe + up_write(&nilfs->ns_segctor_sem); + + nilfs_dispose_list(nilfs, &garbage_list, 1); ++ clear_nilfs_purging(nilfs); + } +--- a/fs/nilfs2/the_nilfs.h ++++ b/fs/nilfs2/the_nilfs.h +@@ -29,6 +29,7 @@ enum { + THE_NILFS_DISCONTINUED, /* 'next' pointer chain has broken */ + THE_NILFS_GC_RUNNING, /* gc process is running */ + THE_NILFS_SB_DIRTY, /* super block is dirty */ ++ THE_NILFS_PURGING, /* disposing dirty files for cleanup */ + }; + + /** +@@ -208,6 +209,7 @@ THE_NILFS_FNS(INIT, init) + THE_NILFS_FNS(DISCONTINUED, discontinued) + THE_NILFS_FNS(GC_RUNNING, gc_running) + THE_NILFS_FNS(SB_DIRTY, sb_dirty) ++THE_NILFS_FNS(PURGING, purging) + + /* + * Mount option operations diff --git a/queue-5.15/radix-tree-test-suite-fix-incorrect-allocation-size-for-pthreads.patch b/queue-5.15/radix-tree-test-suite-fix-incorrect-allocation-size-for-pthreads.patch new file mode 100644 index 00000000000..c9adc2dfbbb --- /dev/null +++ b/queue-5.15/radix-tree-test-suite-fix-incorrect-allocation-size-for-pthreads.patch @@ -0,0 +1,41 @@ +From cac7ea57a06016e4914848b707477fb07ee4ae1c Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Thu, 27 Jul 2023 17:09:30 +0100 +Subject: radix tree test suite: fix incorrect allocation size for pthreads + +From: Colin Ian King + +commit cac7ea57a06016e4914848b707477fb07ee4ae1c upstream. + +Currently the pthread allocation for each array item is based on the size +of a pthread_t pointer and should be the size of the pthread_t structure, +so the allocation is under-allocating the correct size. Fix this by using +the size of each element in the pthreads array. + +Static analysis cppcheck reported: +tools/testing/radix-tree/regression1.c:180:2: warning: Size of pointer +'threads' used instead of size of its data. [pointerSize] + +Link: https://lkml.kernel.org/r/20230727160930.632674-1-colin.i.king@gmail.com +Fixes: 1366c37ed84b ("radix tree test harness") +Signed-off-by: Colin Ian King +Cc: Konstantin Khlebnikov +Cc: Matthew Wilcox (Oracle) +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/radix-tree/regression1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/radix-tree/regression1.c ++++ b/tools/testing/radix-tree/regression1.c +@@ -177,7 +177,7 @@ void regression1_test(void) + nr_threads = 2; + pthread_barrier_init(&worker_barrier, NULL, nr_threads); + +- threads = malloc(nr_threads * sizeof(pthread_t *)); ++ threads = malloc(nr_threads * sizeof(*threads)); + + for (i = 0; i < nr_threads; i++) { + arg = i; diff --git a/queue-5.15/riscv-mmio-fix-readx-to-delay-ordering.patch b/queue-5.15/riscv-mmio-fix-readx-to-delay-ordering.patch new file mode 100644 index 00000000000..20ebf6d3f49 --- /dev/null +++ b/queue-5.15/riscv-mmio-fix-readx-to-delay-ordering.patch @@ -0,0 +1,68 @@ +From 4eb2eb1b4c0eb07793c240744843498564a67b83 Mon Sep 17 00:00:00 2001 +From: Andrea Parri +Date: Thu, 3 Aug 2023 06:27:38 +0200 +Subject: riscv,mmio: Fix readX()-to-delay() ordering + +From: Andrea Parri + +commit 4eb2eb1b4c0eb07793c240744843498564a67b83 upstream. + +Section 2.1 of the Platform Specification [1] states: + + Unless otherwise specified by a given I/O device, I/O devices are on + ordering channel 0 (i.e., they are point-to-point strongly ordered). + +which is not sufficient to guarantee that a readX() by a hart completes +before a subsequent delay() on the same hart (cf. memory-barriers.txt, +"Kernel I/O barrier effects"). + +Set the I(nput) bit in __io_ar() to restore the ordering, align inline +comments. + +[1] https://github.com/riscv/riscv-platform-specs + +Signed-off-by: Andrea Parri +Link: https://lore.kernel.org/r/20230803042738.5937-1-parri.andrea@gmail.com +Fixes: fab957c11efe ("RISC-V: Atomic and Locking Code") +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/mmio.h | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/riscv/include/asm/mmio.h ++++ b/arch/riscv/include/asm/mmio.h +@@ -101,9 +101,9 @@ static inline u64 __raw_readq(const vola + * Relaxed I/O memory access primitives. These follow the Device memory + * ordering rules but do not guarantee any ordering relative to Normal memory + * accesses. These are defined to order the indicated access (either a read or +- * write) with all other I/O memory accesses. Since the platform specification +- * defines that all I/O regions are strongly ordered on channel 2, no explicit +- * fences are required to enforce this ordering. ++ * write) with all other I/O memory accesses to the same peripheral. Since the ++ * platform specification defines that all I/O regions are strongly ordered on ++ * channel 0, no explicit fences are required to enforce this ordering. + */ + /* FIXME: These are now the same as asm-generic */ + #define __io_rbr() do {} while (0) +@@ -125,14 +125,14 @@ static inline u64 __raw_readq(const vola + #endif + + /* +- * I/O memory access primitives. Reads are ordered relative to any +- * following Normal memory access. Writes are ordered relative to any prior +- * Normal memory access. The memory barriers here are necessary as RISC-V ++ * I/O memory access primitives. Reads are ordered relative to any following ++ * Normal memory read and delay() loop. Writes are ordered relative to any ++ * prior Normal memory write. The memory barriers here are necessary as RISC-V + * doesn't define any ordering between the memory space and the I/O space. + */ + #define __io_br() do {} while (0) +-#define __io_ar(v) __asm__ __volatile__ ("fence i,r" : : : "memory") +-#define __io_bw() __asm__ __volatile__ ("fence w,o" : : : "memory") ++#define __io_ar(v) ({ __asm__ __volatile__ ("fence i,ir" : : : "memory"); }) ++#define __io_bw() ({ __asm__ __volatile__ ("fence w,o" : : : "memory"); }) + #define __io_aw() mmiowb_set_pending() + + #define readb(c) ({ u8 __v; __io_br(); __v = readb_cpu(c); __io_ar(__v); __v; }) diff --git a/queue-5.15/series b/queue-5.15/series index f1efaeb740b..40d728fb248 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -3,3 +3,11 @@ ksmbd-fix-wrong-next-length-validation-of-ea-buffer-in-smb2_set_ea.patch wireguard-allowedips-expand-maximum-node-depth.patch mmc-moxart-read-scr-register-without-changing-byte-order.patch ipv6-adjust-ndisc_is_useropt-to-also-return-true-for-pio.patch +dmaengine-pl330-return-dma_paused-when-transaction-is-paused.patch +riscv-mmio-fix-readx-to-delay-ordering.patch +drm-nouveau-gr-enable-memory-loads-on-helper-invocation-on-all-channels.patch +drm-shmem-helper-reset-vma-vm_ops-before-calling-dma_buf_mmap.patch +drm-amd-display-check-attr-flag-before-set-cursor-degamma-on-dcn3.patch +hwmon-pmbus-bel-pfe-enable-pmbus_skip_status_check-for-pfe1100.patch +radix-tree-test-suite-fix-incorrect-allocation-size-for-pthreads.patch +nilfs2-fix-use-after-free-of-nilfs_root-in-dirtying-inodes-via-iput.patch