From 8e2b6262a3eb4b99be5bdc981dc81573d012e561 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 16 Oct 2022 09:39:28 +0200 Subject: [PATCH] 5.10-stable patches added patches: asoc-wcd9335-fix-order-of-slimbus-unprepare-disable.patch asoc-wcd934x-fix-order-of-slimbus-unprepare-disable.patch fs-dlm-fix-race-between-test_bit-and-queue_work.patch fs-dlm-handle-ebusy-first-in-lock-arg-validation.patch hid-multitouch-add-memory-barriers.patch hwmon-gsc-hwmon-call-of_node_get-before-of_find_xxx-api.patch platform-chrome-cros_ec_proto-update-version-on-get_next_event-failure.patch quota-check-next-prev-free-block-number-after-reading-from-quota-file.patch regulator-qcom_rpm-fix-circular-deferral-regression.patch --- ...x-order-of-slimbus-unprepare-disable.patch | 38 +++++ ...x-order-of-slimbus-unprepare-disable.patch | 38 +++++ ...race-between-test_bit-and-queue_work.patch | 53 ++++++ ...e-ebusy-first-in-lock-arg-validation.patch | 57 +++++++ .../hid-multitouch-add-memory-barriers.patch | 59 +++++++ ...l-of_node_get-before-of_find_xxx-api.patch | 35 ++++ ...te-version-on-get_next_event-failure.patch | 82 +++++++++ ...number-after-reading-from-quota-file.patch | 157 ++++++++++++++++++ ...rpm-fix-circular-deferral-regression.patch | 99 +++++++++++ queue-5.10/series | 9 + 10 files changed, 627 insertions(+) create mode 100644 queue-5.10/asoc-wcd9335-fix-order-of-slimbus-unprepare-disable.patch create mode 100644 queue-5.10/asoc-wcd934x-fix-order-of-slimbus-unprepare-disable.patch create mode 100644 queue-5.10/fs-dlm-fix-race-between-test_bit-and-queue_work.patch create mode 100644 queue-5.10/fs-dlm-handle-ebusy-first-in-lock-arg-validation.patch create mode 100644 queue-5.10/hid-multitouch-add-memory-barriers.patch create mode 100644 queue-5.10/hwmon-gsc-hwmon-call-of_node_get-before-of_find_xxx-api.patch create mode 100644 queue-5.10/platform-chrome-cros_ec_proto-update-version-on-get_next_event-failure.patch create mode 100644 queue-5.10/quota-check-next-prev-free-block-number-after-reading-from-quota-file.patch create mode 100644 queue-5.10/regulator-qcom_rpm-fix-circular-deferral-regression.patch diff --git a/queue-5.10/asoc-wcd9335-fix-order-of-slimbus-unprepare-disable.patch b/queue-5.10/asoc-wcd9335-fix-order-of-slimbus-unprepare-disable.patch new file mode 100644 index 00000000000..a0b4f988c67 --- /dev/null +++ b/queue-5.10/asoc-wcd9335-fix-order-of-slimbus-unprepare-disable.patch @@ -0,0 +1,38 @@ +From ea8ef003aa53ad23e7705c5cab1c4e664faa6c79 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 21 Sep 2022 16:53:53 +0200 +Subject: ASoC: wcd9335: fix order of Slimbus unprepare/disable + +From: Krzysztof Kozlowski + +commit ea8ef003aa53ad23e7705c5cab1c4e664faa6c79 upstream. + +Slimbus streams are first prepared and then enabled, so the cleanup path +should reverse it. The unprepare sets stream->num_ports to 0 and frees +the stream->ports. Calling disable after unprepare was not really +effective (channels was not deactivated) and could lead to further +issues due to making transfers on unprepared stream. + +Fixes: 20aedafdf492 ("ASoC: wcd9335: add support to wcd9335 codec") +Cc: +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20220921145354.1683791-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd9335.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wcd9335.c ++++ b/sound/soc/codecs/wcd9335.c +@@ -1971,8 +1971,8 @@ static int wcd9335_trigger(struct snd_pc + case SNDRV_PCM_TRIGGER_STOP: + case SNDRV_PCM_TRIGGER_SUSPEND: + case SNDRV_PCM_TRIGGER_PAUSE_PUSH: +- slim_stream_unprepare(dai_data->sruntime); + slim_stream_disable(dai_data->sruntime); ++ slim_stream_unprepare(dai_data->sruntime); + break; + default: + break; diff --git a/queue-5.10/asoc-wcd934x-fix-order-of-slimbus-unprepare-disable.patch b/queue-5.10/asoc-wcd934x-fix-order-of-slimbus-unprepare-disable.patch new file mode 100644 index 00000000000..bd0a9d72d4d --- /dev/null +++ b/queue-5.10/asoc-wcd934x-fix-order-of-slimbus-unprepare-disable.patch @@ -0,0 +1,38 @@ +From e96bca7eaa5747633ec638b065630ff83728982a Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 21 Sep 2022 16:53:54 +0200 +Subject: ASoC: wcd934x: fix order of Slimbus unprepare/disable + +From: Krzysztof Kozlowski + +commit e96bca7eaa5747633ec638b065630ff83728982a upstream. + +Slimbus streams are first prepared and then enabled, so the cleanup path +should reverse it. The unprepare sets stream->num_ports to 0 and frees +the stream->ports. Calling disable after unprepare was not really +effective (channels was not deactivated) and could lead to further +issues due to making transfers on unprepared stream. + +Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") +Cc: +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20220921145354.1683791-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd934x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -1829,8 +1829,8 @@ static int wcd934x_trigger(struct snd_pc + case SNDRV_PCM_TRIGGER_STOP: + case SNDRV_PCM_TRIGGER_SUSPEND: + case SNDRV_PCM_TRIGGER_PAUSE_PUSH: +- slim_stream_unprepare(dai_data->sruntime); + slim_stream_disable(dai_data->sruntime); ++ slim_stream_unprepare(dai_data->sruntime); + break; + default: + break; diff --git a/queue-5.10/fs-dlm-fix-race-between-test_bit-and-queue_work.patch b/queue-5.10/fs-dlm-fix-race-between-test_bit-and-queue_work.patch new file mode 100644 index 00000000000..48c7fc6a2f2 --- /dev/null +++ b/queue-5.10/fs-dlm-fix-race-between-test_bit-and-queue_work.patch @@ -0,0 +1,53 @@ +From eef6ec9bf390e836a6c4029f3620fe49528aa1fe Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Mon, 15 Aug 2022 15:43:14 -0400 +Subject: fs: dlm: fix race between test_bit() and queue_work() + +From: Alexander Aring + +commit eef6ec9bf390e836a6c4029f3620fe49528aa1fe upstream. + +This patch fixes a race by using ls_cb_mutex around the bit +operations and conditional code blocks for LSFL_CB_DELAY. + +The function dlm_callback_stop() expects to stop all callbacks and +flush all currently queued onces. The set_bit() is not enough because +there can still be queue_work() after the workqueue was flushed. +To avoid queue_work() after set_bit(), surround both by ls_cb_mutex. + +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Greg Kroah-Hartman +--- + fs/dlm/ast.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/dlm/ast.c ++++ b/fs/dlm/ast.c +@@ -198,13 +198,13 @@ void dlm_add_cb(struct dlm_lkb *lkb, uin + if (!prev_seq) { + kref_get(&lkb->lkb_ref); + ++ mutex_lock(&ls->ls_cb_mutex); + if (test_bit(LSFL_CB_DELAY, &ls->ls_flags)) { +- mutex_lock(&ls->ls_cb_mutex); + list_add(&lkb->lkb_cb_list, &ls->ls_cb_delay); +- mutex_unlock(&ls->ls_cb_mutex); + } else { + queue_work(ls->ls_callback_wq, &lkb->lkb_cb_work); + } ++ mutex_unlock(&ls->ls_cb_mutex); + } + out: + mutex_unlock(&lkb->lkb_cb_mutex); +@@ -284,7 +284,9 @@ void dlm_callback_stop(struct dlm_ls *ls + + void dlm_callback_suspend(struct dlm_ls *ls) + { ++ mutex_lock(&ls->ls_cb_mutex); + set_bit(LSFL_CB_DELAY, &ls->ls_flags); ++ mutex_unlock(&ls->ls_cb_mutex); + + if (ls->ls_callback_wq) + flush_workqueue(ls->ls_callback_wq); diff --git a/queue-5.10/fs-dlm-handle-ebusy-first-in-lock-arg-validation.patch b/queue-5.10/fs-dlm-handle-ebusy-first-in-lock-arg-validation.patch new file mode 100644 index 00000000000..0d3b80e37f3 --- /dev/null +++ b/queue-5.10/fs-dlm-handle-ebusy-first-in-lock-arg-validation.patch @@ -0,0 +1,57 @@ +From 44637ca41d551d409a481117b07fa209b330fca9 Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Mon, 15 Aug 2022 15:43:15 -0400 +Subject: fs: dlm: handle -EBUSY first in lock arg validation + +From: Alexander Aring + +commit 44637ca41d551d409a481117b07fa209b330fca9 upstream. + +During lock arg validation, first check for -EBUSY cases, then for +-EINVAL cases. The -EINVAL checks look at lkb state variables +which are not stable when an lkb is busy and would cause an +-EBUSY result, e.g. lkb->lkb_grmode. + +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Greg Kroah-Hartman +--- + fs/dlm/lock.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -2888,24 +2888,24 @@ static int set_unlock_args(uint32_t flag + static int validate_lock_args(struct dlm_ls *ls, struct dlm_lkb *lkb, + struct dlm_args *args) + { +- int rv = -EINVAL; ++ int rv = -EBUSY; + + if (args->flags & DLM_LKF_CONVERT) { +- if (lkb->lkb_flags & DLM_IFL_MSTCPY) ++ if (lkb->lkb_status != DLM_LKSTS_GRANTED) + goto out; + +- if (args->flags & DLM_LKF_QUECVT && +- !__quecvt_compat_matrix[lkb->lkb_grmode+1][args->mode+1]) ++ if (lkb->lkb_wait_type) + goto out; + +- rv = -EBUSY; +- if (lkb->lkb_status != DLM_LKSTS_GRANTED) ++ if (is_overlap(lkb)) + goto out; + +- if (lkb->lkb_wait_type) ++ rv = -EINVAL; ++ if (lkb->lkb_flags & DLM_IFL_MSTCPY) + goto out; + +- if (is_overlap(lkb)) ++ if (args->flags & DLM_LKF_QUECVT && ++ !__quecvt_compat_matrix[lkb->lkb_grmode+1][args->mode+1]) + goto out; + } + diff --git a/queue-5.10/hid-multitouch-add-memory-barriers.patch b/queue-5.10/hid-multitouch-add-memory-barriers.patch new file mode 100644 index 00000000000..46b843ad2b2 --- /dev/null +++ b/queue-5.10/hid-multitouch-add-memory-barriers.patch @@ -0,0 +1,59 @@ +From be6e2b5734a425941fcdcdbd2a9337be498ce2cf Mon Sep 17 00:00:00 2001 +From: Andri Yngvason +Date: Wed, 7 Sep 2022 15:01:59 +0000 +Subject: HID: multitouch: Add memory barriers + +From: Andri Yngvason + +commit be6e2b5734a425941fcdcdbd2a9337be498ce2cf upstream. + +This fixes broken atomic checks which cause a race between the +release-timer and processing of hid input. + +I noticed that contacts were sometimes sticking, even with the "sticky +fingers" quirk enabled. This fixes that problem. + +Cc: stable@vger.kernel.org +Fixes: 9609827458c3 ("HID: multitouch: optimize the sticky fingers timer") +Signed-off-by: Andri Yngvason +Signed-off-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/20220907150159.2285460-1-andri@yngvason.is +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-multitouch.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -1155,7 +1155,7 @@ static void mt_touch_report(struct hid_d + int contact_count = -1; + + /* sticky fingers release in progress, abort */ +- if (test_and_set_bit(MT_IO_FLAGS_RUNNING, &td->mt_io_flags)) ++ if (test_and_set_bit_lock(MT_IO_FLAGS_RUNNING, &td->mt_io_flags)) + return; + + scantime = *app->scantime; +@@ -1236,7 +1236,7 @@ static void mt_touch_report(struct hid_d + del_timer(&td->release_timer); + } + +- clear_bit(MT_IO_FLAGS_RUNNING, &td->mt_io_flags); ++ clear_bit_unlock(MT_IO_FLAGS_RUNNING, &td->mt_io_flags); + } + + static int mt_touch_input_configured(struct hid_device *hdev, +@@ -1671,11 +1671,11 @@ static void mt_expired_timeout(struct ti + * An input report came in just before we release the sticky fingers, + * it will take care of the sticky fingers. + */ +- if (test_and_set_bit(MT_IO_FLAGS_RUNNING, &td->mt_io_flags)) ++ if (test_and_set_bit_lock(MT_IO_FLAGS_RUNNING, &td->mt_io_flags)) + return; + if (test_bit(MT_IO_FLAGS_PENDING_SLOTS, &td->mt_io_flags)) + mt_release_contacts(hdev); +- clear_bit(MT_IO_FLAGS_RUNNING, &td->mt_io_flags); ++ clear_bit_unlock(MT_IO_FLAGS_RUNNING, &td->mt_io_flags); + } + + static int mt_probe(struct hid_device *hdev, const struct hid_device_id *id) diff --git a/queue-5.10/hwmon-gsc-hwmon-call-of_node_get-before-of_find_xxx-api.patch b/queue-5.10/hwmon-gsc-hwmon-call-of_node_get-before-of_find_xxx-api.patch new file mode 100644 index 00000000000..ea4cb1f2c81 --- /dev/null +++ b/queue-5.10/hwmon-gsc-hwmon-call-of_node_get-before-of_find_xxx-api.patch @@ -0,0 +1,35 @@ +From 7f62cf781e6567d59c8935dc8c6068ce2bb904b7 Mon Sep 17 00:00:00 2001 +From: Liang He +Date: Fri, 16 Sep 2022 23:47:08 +0800 +Subject: hwmon: (gsc-hwmon) Call of_node_get() before of_find_xxx API + +From: Liang He + +commit 7f62cf781e6567d59c8935dc8c6068ce2bb904b7 upstream. + +In gsc_hwmon_get_devtree_pdata(), we should call of_node_get() before +the of_find_compatible_node() which will automatically call +of_node_put() for the 'from' argument. + +Fixes: 3bce5377ef66 ("hwmon: Add Gateworks System Controller support") +Signed-off-by: Liang He +Co-developed-by: Mengda Chen +Signed-off-by: Mengda Chen +Link: https://lore.kernel.org/r/20220916154708.3084515-1-chenmengda2009@163.com +Cc: stable@vger.kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/gsc-hwmon.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/hwmon/gsc-hwmon.c ++++ b/drivers/hwmon/gsc-hwmon.c +@@ -267,6 +267,7 @@ gsc_hwmon_get_devtree_pdata(struct devic + pdata->nchannels = nchannels; + + /* fan controller base address */ ++ of_node_get(dev->parent->of_node); + fan = of_find_compatible_node(dev->parent->of_node, NULL, "gw,gsc-fan"); + if (fan && of_property_read_u32(fan, "reg", &pdata->fan_base)) { + dev_err(dev, "fan node without base\n"); diff --git a/queue-5.10/platform-chrome-cros_ec_proto-update-version-on-get_next_event-failure.patch b/queue-5.10/platform-chrome-cros_ec_proto-update-version-on-get_next_event-failure.patch new file mode 100644 index 00000000000..2e9b732d990 --- /dev/null +++ b/queue-5.10/platform-chrome-cros_ec_proto-update-version-on-get_next_event-failure.patch @@ -0,0 +1,82 @@ +From f74c7557ed0d321947e8bb4e9d47c1013f8b2227 Mon Sep 17 00:00:00 2001 +From: Patryk Duda +Date: Tue, 2 Aug 2022 17:41:28 +0200 +Subject: platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure + +From: Patryk Duda + +commit f74c7557ed0d321947e8bb4e9d47c1013f8b2227 upstream. + +Some EC based devices (e.g. Fingerpint MCU) can jump to RO part of the +firmware (intentionally or due to device reboot). The RO part doesn't +change during the device lifecycle, so it won't support newer version +of EC_CMD_GET_NEXT_EVENT command. + +Function cros_ec_query_all() is responsible for finding maximum +supported MKBP event version. It's usually called when the device is +running RW part of the firmware, so the command version can be +potentially higher than version supported by the RO. + +The problem was fixed by updating maximum supported version when the +device returns EC_RES_INVALID_VERSION (mapped to -ENOPROTOOPT). That way +the kernel will use highest common version supported by RO and RW. + +Fixes: 3300fdd630d4 ("platform/chrome: cros_ec: handle MKBP more events flag") +Cc: # 5.10+ +Reviewed-by: Guenter Roeck +Signed-off-by: Patryk Duda +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20220802154128.21175-1-pdk@semihalf.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec_proto.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +--- a/drivers/platform/chrome/cros_ec_proto.c ++++ b/drivers/platform/chrome/cros_ec_proto.c +@@ -748,6 +748,7 @@ int cros_ec_get_next_event(struct cros_e + u8 event_type; + u32 host_event; + int ret; ++ u32 ver_mask; + + /* + * Default value for wake_event. +@@ -769,6 +770,37 @@ int cros_ec_get_next_event(struct cros_e + return get_keyboard_state_event(ec_dev); + + ret = get_next_event(ec_dev); ++ /* ++ * -ENOPROTOOPT is returned when EC returns EC_RES_INVALID_VERSION. ++ * This can occur when EC based device (e.g. Fingerprint MCU) jumps to ++ * the RO image which doesn't support newer version of the command. In ++ * this case we will attempt to update maximum supported version of the ++ * EC_CMD_GET_NEXT_EVENT. ++ */ ++ if (ret == -ENOPROTOOPT) { ++ dev_dbg(ec_dev->dev, ++ "GET_NEXT_EVENT returned invalid version error.\n"); ++ ret = cros_ec_get_host_command_version_mask(ec_dev, ++ EC_CMD_GET_NEXT_EVENT, ++ &ver_mask); ++ if (ret < 0 || ver_mask == 0) ++ /* ++ * Do not change the MKBP supported version if we can't ++ * obtain supported version correctly. Please note that ++ * calling EC_CMD_GET_NEXT_EVENT returned ++ * EC_RES_INVALID_VERSION which means that the command ++ * is present. ++ */ ++ return -ENOPROTOOPT; ++ ++ ec_dev->mkbp_event_supported = fls(ver_mask); ++ dev_dbg(ec_dev->dev, "MKBP support version changed to %u\n", ++ ec_dev->mkbp_event_supported - 1); ++ ++ /* Try to get next event with new MKBP support version set. */ ++ ret = get_next_event(ec_dev); ++ } ++ + if (ret <= 0) + return ret; + diff --git a/queue-5.10/quota-check-next-prev-free-block-number-after-reading-from-quota-file.patch b/queue-5.10/quota-check-next-prev-free-block-number-after-reading-from-quota-file.patch new file mode 100644 index 00000000000..f9d3a2a067e --- /dev/null +++ b/queue-5.10/quota-check-next-prev-free-block-number-after-reading-from-quota-file.patch @@ -0,0 +1,157 @@ +From 6c8ea8b8cd4722efd419f91ca46a2dc81b7d89a3 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Fri, 23 Sep 2022 21:45:52 +0800 +Subject: quota: Check next/prev free block number after reading from quota file + +From: Zhihao Cheng + +commit 6c8ea8b8cd4722efd419f91ca46a2dc81b7d89a3 upstream. + +Following process: + Init: v2_read_file_info: <3> dqi_free_blk 0 dqi_free_entry 5 dqi_blks 6 + + Step 1. chown bin f_a -> dquot_acquire -> v2_write_dquot: + qtree_write_dquot + do_insert_tree + find_free_dqentry + get_free_dqblk + write_blk(info->dqi_blocks) // info->dqi_blocks = 6, failure. The + content in physical block (corresponding to blk 6) is random. + + Step 2. chown root f_a -> dquot_transfer -> dqput_all -> dqput -> + ext4_release_dquot -> v2_release_dquot -> qtree_delete_dquot: + dquot_release + remove_tree + free_dqentry + put_free_dqblk(6) + info->dqi_free_blk = blk // info->dqi_free_blk = 6 + + Step 3. drop cache (buffer head for block 6 is released) + + Step 4. chown bin f_b -> dquot_acquire -> commit_dqblk -> v2_write_dquot: + qtree_write_dquot + do_insert_tree + find_free_dqentry + get_free_dqblk + dh = (struct qt_disk_dqdbheader *)buf + blk = info->dqi_free_blk // 6 + ret = read_blk(info, blk, buf) // The content of buf is random + info->dqi_free_blk = le32_to_cpu(dh->dqdh_next_free) // random blk + + Step 5. chown bin f_c -> notify_change -> ext4_setattr -> dquot_transfer: + dquot = dqget -> acquire_dquot -> ext4_acquire_dquot -> dquot_acquire -> + commit_dqblk -> v2_write_dquot -> dq_insert_tree: + do_insert_tree + find_free_dqentry + get_free_dqblk + blk = info->dqi_free_blk // If blk < 0 and blk is not an error + code, it will be returned as dquot + + transfer_to[USRQUOTA] = dquot // A random negative value + __dquot_transfer(transfer_to) + dquot_add_inodes(transfer_to[cnt]) + spin_lock(&dquot->dq_dqb_lock) // page fault + +, which will lead to kernel page fault: + Quota error (device sda): qtree_write_dquot: Error -8000 occurred + while creating quota + BUG: unable to handle page fault for address: ffffffffffffe120 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + Oops: 0002 [#1] PREEMPT SMP + CPU: 0 PID: 5974 Comm: chown Not tainted 6.0.0-rc1-00004 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) + RIP: 0010:_raw_spin_lock+0x3a/0x90 + Call Trace: + dquot_add_inodes+0x28/0x270 + __dquot_transfer+0x377/0x840 + dquot_transfer+0xde/0x540 + ext4_setattr+0x405/0x14d0 + notify_change+0x68e/0x9f0 + chown_common+0x300/0x430 + __x64_sys_fchownat+0x29/0x40 + +In order to avoid accessing invalid quota memory address, this patch adds +block number checking of next/prev free block read from quota file. + +Fetch a reproducer in [Link]. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216372 +Fixes: 1da177e4c3f4152 ("Linux-2.6.12-rc2") +CC: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220923134555.2623931-2-chengzhihao1@huawei.com +Signed-off-by: Zhihao Cheng +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/quota/quota_tree.c | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +--- a/fs/quota/quota_tree.c ++++ b/fs/quota/quota_tree.c +@@ -80,6 +80,35 @@ static ssize_t write_blk(struct qtree_me + return ret; + } + ++static inline int do_check_range(struct super_block *sb, const char *val_name, ++ uint val, uint min_val, uint max_val) ++{ ++ if (val < min_val || val > max_val) { ++ quota_error(sb, "Getting %s %u out of range %u-%u", ++ val_name, val, min_val, max_val); ++ return -EUCLEAN; ++ } ++ ++ return 0; ++} ++ ++static int check_dquot_block_header(struct qtree_mem_dqinfo *info, ++ struct qt_disk_dqdbheader *dh) ++{ ++ int err = 0; ++ ++ err = do_check_range(info->dqi_sb, "dqdh_next_free", ++ le32_to_cpu(dh->dqdh_next_free), 0, ++ info->dqi_blocks - 1); ++ if (err) ++ return err; ++ err = do_check_range(info->dqi_sb, "dqdh_prev_free", ++ le32_to_cpu(dh->dqdh_prev_free), 0, ++ info->dqi_blocks - 1); ++ ++ return err; ++} ++ + /* Remove empty block from list and return it */ + static int get_free_dqblk(struct qtree_mem_dqinfo *info) + { +@@ -94,6 +123,9 @@ static int get_free_dqblk(struct qtree_m + ret = read_blk(info, blk, buf); + if (ret < 0) + goto out_buf; ++ ret = check_dquot_block_header(info, dh); ++ if (ret) ++ goto out_buf; + info->dqi_free_blk = le32_to_cpu(dh->dqdh_next_free); + } + else { +@@ -241,6 +273,9 @@ static uint find_free_dqentry(struct qtr + *err = read_blk(info, blk, buf); + if (*err < 0) + goto out_buf; ++ *err = check_dquot_block_header(info, dh); ++ if (*err) ++ goto out_buf; + } else { + blk = get_free_dqblk(info); + if ((int)blk < 0) { +@@ -433,6 +468,9 @@ static int free_dqentry(struct qtree_mem + goto out_buf; + } + dh = (struct qt_disk_dqdbheader *)buf; ++ ret = check_dquot_block_header(info, dh); ++ if (ret) ++ goto out_buf; + le16_add_cpu(&dh->dqdh_entries, -1); + if (!le16_to_cpu(dh->dqdh_entries)) { /* Block got free? */ + ret = remove_free_dqentry(info, buf, blk); diff --git a/queue-5.10/regulator-qcom_rpm-fix-circular-deferral-regression.patch b/queue-5.10/regulator-qcom_rpm-fix-circular-deferral-regression.patch new file mode 100644 index 00000000000..7481c3d3ad3 --- /dev/null +++ b/queue-5.10/regulator-qcom_rpm-fix-circular-deferral-regression.patch @@ -0,0 +1,99 @@ +From 8478ed5844588703a1a4c96a004b1525fbdbdd5e Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Fri, 9 Sep 2022 13:25:29 +0200 +Subject: regulator: qcom_rpm: Fix circular deferral regression + +From: Linus Walleij + +commit 8478ed5844588703a1a4c96a004b1525fbdbdd5e upstream. + +On recent kernels, the PM8058 L16 (or any other PM8058 LDO-regulator) +does not come up if they are supplied by an SMPS-regulator. This +is not very strange since the regulators are registered in a long +array and the L-regulators are registered before the S-regulators, +and if an L-regulator defers, it will never get around to registering +the S-regulator that it needs. + +See arch/arm/boot/dts/qcom-apq8060-dragonboard.dts: + +pm8058-regulators { + (...) + vdd_l13_l16-supply = <&pm8058_s4>; + (...) + +Ooops. + +Fix this by moving the PM8058 S-regulators first in the array. + +Do the same for the PM8901 S-regulators (though this is currently +not causing any problems with out device trees) so that the pattern +of registration order is the same on all PMnnnn chips. + +Fixes: 087a1b5cdd55 ("regulator: qcom: Rework to single platform device") +Cc: stable@vger.kernel.org +Cc: Andy Gross +Cc: Bjorn Andersson +Cc: Konrad Dybcio +Cc: linux-arm-msm@vger.kernel.org +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20220909112529.239143-1-linus.walleij@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/qcom_rpm-regulator.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/regulator/qcom_rpm-regulator.c ++++ b/drivers/regulator/qcom_rpm-regulator.c +@@ -802,6 +802,12 @@ static const struct rpm_regulator_data r + }; + + static const struct rpm_regulator_data rpm_pm8058_regulators[] = { ++ { "s0", QCOM_RPM_PM8058_SMPS0, &pm8058_smps, "vdd_s0" }, ++ { "s1", QCOM_RPM_PM8058_SMPS1, &pm8058_smps, "vdd_s1" }, ++ { "s2", QCOM_RPM_PM8058_SMPS2, &pm8058_smps, "vdd_s2" }, ++ { "s3", QCOM_RPM_PM8058_SMPS3, &pm8058_smps, "vdd_s3" }, ++ { "s4", QCOM_RPM_PM8058_SMPS4, &pm8058_smps, "vdd_s4" }, ++ + { "l0", QCOM_RPM_PM8058_LDO0, &pm8058_nldo, "vdd_l0_l1_lvs" }, + { "l1", QCOM_RPM_PM8058_LDO1, &pm8058_nldo, "vdd_l0_l1_lvs" }, + { "l2", QCOM_RPM_PM8058_LDO2, &pm8058_pldo, "vdd_l2_l11_l12" }, +@@ -829,12 +835,6 @@ static const struct rpm_regulator_data r + { "l24", QCOM_RPM_PM8058_LDO24, &pm8058_nldo, "vdd_l23_l24_l25" }, + { "l25", QCOM_RPM_PM8058_LDO25, &pm8058_nldo, "vdd_l23_l24_l25" }, + +- { "s0", QCOM_RPM_PM8058_SMPS0, &pm8058_smps, "vdd_s0" }, +- { "s1", QCOM_RPM_PM8058_SMPS1, &pm8058_smps, "vdd_s1" }, +- { "s2", QCOM_RPM_PM8058_SMPS2, &pm8058_smps, "vdd_s2" }, +- { "s3", QCOM_RPM_PM8058_SMPS3, &pm8058_smps, "vdd_s3" }, +- { "s4", QCOM_RPM_PM8058_SMPS4, &pm8058_smps, "vdd_s4" }, +- + { "lvs0", QCOM_RPM_PM8058_LVS0, &pm8058_switch, "vdd_l0_l1_lvs" }, + { "lvs1", QCOM_RPM_PM8058_LVS1, &pm8058_switch, "vdd_l0_l1_lvs" }, + +@@ -843,6 +843,12 @@ static const struct rpm_regulator_data r + }; + + static const struct rpm_regulator_data rpm_pm8901_regulators[] = { ++ { "s0", QCOM_RPM_PM8901_SMPS0, &pm8901_ftsmps, "vdd_s0" }, ++ { "s1", QCOM_RPM_PM8901_SMPS1, &pm8901_ftsmps, "vdd_s1" }, ++ { "s2", QCOM_RPM_PM8901_SMPS2, &pm8901_ftsmps, "vdd_s2" }, ++ { "s3", QCOM_RPM_PM8901_SMPS3, &pm8901_ftsmps, "vdd_s3" }, ++ { "s4", QCOM_RPM_PM8901_SMPS4, &pm8901_ftsmps, "vdd_s4" }, ++ + { "l0", QCOM_RPM_PM8901_LDO0, &pm8901_nldo, "vdd_l0" }, + { "l1", QCOM_RPM_PM8901_LDO1, &pm8901_pldo, "vdd_l1" }, + { "l2", QCOM_RPM_PM8901_LDO2, &pm8901_pldo, "vdd_l2" }, +@@ -851,12 +857,6 @@ static const struct rpm_regulator_data r + { "l5", QCOM_RPM_PM8901_LDO5, &pm8901_pldo, "vdd_l5" }, + { "l6", QCOM_RPM_PM8901_LDO6, &pm8901_pldo, "vdd_l6" }, + +- { "s0", QCOM_RPM_PM8901_SMPS0, &pm8901_ftsmps, "vdd_s0" }, +- { "s1", QCOM_RPM_PM8901_SMPS1, &pm8901_ftsmps, "vdd_s1" }, +- { "s2", QCOM_RPM_PM8901_SMPS2, &pm8901_ftsmps, "vdd_s2" }, +- { "s3", QCOM_RPM_PM8901_SMPS3, &pm8901_ftsmps, "vdd_s3" }, +- { "s4", QCOM_RPM_PM8901_SMPS4, &pm8901_ftsmps, "vdd_s4" }, +- + { "lvs0", QCOM_RPM_PM8901_LVS0, &pm8901_switch, "lvs0_in" }, + { "lvs1", QCOM_RPM_PM8901_LVS1, &pm8901_switch, "lvs1_in" }, + { "lvs2", QCOM_RPM_PM8901_LVS2, &pm8901_switch, "lvs2_in" }, diff --git a/queue-5.10/series b/queue-5.10/series index 6b4b6c7b496..4c9fa8cbea7 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -20,3 +20,12 @@ can-kvaser_usb_leaf-fix-overread-with-an-invalid-command.patch can-kvaser_usb_leaf-fix-tx-queue-out-of-sync-after-restart.patch can-kvaser_usb_leaf-fix-can-state-after-restart.patch mmc-sdhci-sprd-fix-minimum-clock-limit.patch +fs-dlm-fix-race-between-test_bit-and-queue_work.patch +fs-dlm-handle-ebusy-first-in-lock-arg-validation.patch +hid-multitouch-add-memory-barriers.patch +quota-check-next-prev-free-block-number-after-reading-from-quota-file.patch +platform-chrome-cros_ec_proto-update-version-on-get_next_event-failure.patch +asoc-wcd9335-fix-order-of-slimbus-unprepare-disable.patch +asoc-wcd934x-fix-order-of-slimbus-unprepare-disable.patch +hwmon-gsc-hwmon-call-of_node_get-before-of_find_xxx-api.patch +regulator-qcom_rpm-fix-circular-deferral-regression.patch -- 2.47.3