--- /dev/null
+From 4aa3b75c74603c3374877d5fd18ad9cc3a9a62ed Mon Sep 17 00:00:00 2001
+From: William Breathitt Gray <william.gray@linaro.org>
+Date: Sun, 12 Mar 2023 19:15:49 -0400
+Subject: counter: 104-quad-8: Fix race condition between FLAG and CNTR reads
+
+From: William Breathitt Gray <william.gray@linaro.org>
+
+commit 4aa3b75c74603c3374877d5fd18ad9cc3a9a62ed upstream.
+
+The Counter (CNTR) register is 24 bits wide, but we can have an
+effective 25-bit count value by setting bit 24 to the XOR of the Borrow
+flag and Carry flag. The flags can be read from the FLAG register, but a
+race condition exists: the Borrow flag and Carry flag are instantaneous
+and could change by the time the count value is read from the CNTR
+register.
+
+Since the race condition could result in an incorrect 25-bit count
+value, remove support for 25-bit count values from this driver;
+hard-coded maximum count values are replaced by a LS7267_CNTR_MAX define
+for consistency and clarity.
+
+Fixes: 28e5d3bb0325 ("iio: 104-quad-8: Add IIO support for the ACCES 104-QUAD-8")
+Cc: <stable@vger.kernel.org> # 6.1.x
+Cc: <stable@vger.kernel.org> # 6.2.x
+Link: https://lore.kernel.org/r/20230312231554.134858-1-william.gray@linaro.org/
+Signed-off-by: William Breathitt Gray <william.gray@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/counter/104-quad-8.c | 28 ++++------------------------
+ 1 file changed, 4 insertions(+), 24 deletions(-)
+
+--- a/drivers/counter/104-quad-8.c
++++ b/drivers/counter/104-quad-8.c
+@@ -62,10 +62,6 @@ struct quad8_iio {
+ #define QUAD8_REG_CHAN_OP 0x11
+ #define QUAD8_REG_INDEX_INPUT_LEVELS 0x16
+ #define QUAD8_DIFF_ENCODER_CABLE_STATUS 0x17
+-/* Borrow Toggle flip-flop */
+-#define QUAD8_FLAG_BT BIT(0)
+-/* Carry Toggle flip-flop */
+-#define QUAD8_FLAG_CT BIT(1)
+ /* Error flag */
+ #define QUAD8_FLAG_E BIT(4)
+ /* Up/Down flag */
+@@ -104,9 +100,6 @@ static int quad8_read_raw(struct iio_dev
+ {
+ struct quad8_iio *const priv = iio_priv(indio_dev);
+ const int base_offset = priv->base + 2 * chan->channel;
+- unsigned int flags;
+- unsigned int borrow;
+- unsigned int carry;
+ int i;
+
+ switch (mask) {
+@@ -117,12 +110,7 @@ static int quad8_read_raw(struct iio_dev
+ return IIO_VAL_INT;
+ }
+
+- flags = inb(base_offset + 1);
+- borrow = flags & QUAD8_FLAG_BT;
+- carry = !!(flags & QUAD8_FLAG_CT);
+-
+- /* Borrow XOR Carry effectively doubles count range */
+- *val = (borrow ^ carry) << 24;
++ *val = 0;
+
+ mutex_lock(&priv->lock);
+
+@@ -643,17 +631,9 @@ static int quad8_count_read(struct count
+ {
+ struct quad8_iio *const priv = counter->priv;
+ const int base_offset = priv->base + 2 * count->id;
+- unsigned int flags;
+- unsigned int borrow;
+- unsigned int carry;
+ int i;
+
+- flags = inb(base_offset + 1);
+- borrow = flags & QUAD8_FLAG_BT;
+- carry = !!(flags & QUAD8_FLAG_CT);
+-
+- /* Borrow XOR Carry effectively doubles count range */
+- *val = (unsigned long)(borrow ^ carry) << 24;
++ *val = 0;
+
+ mutex_lock(&priv->lock);
+
+@@ -1198,8 +1178,8 @@ static ssize_t quad8_count_ceiling_read(
+
+ mutex_unlock(&priv->lock);
+
+- /* By default 0x1FFFFFF (25 bits unsigned) is maximum count */
+- return sprintf(buf, "33554431\n");
++ /* By default 0xFFFFFF (24 bits unsigned) is maximum count */
++ return sprintf(buf, "16777215\n");
+ }
+
+ static ssize_t quad8_count_ceiling_write(struct counter_device *counter,
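Review bot: The last hunk of this patch keeps a literal `"16777215\n"` in `quad8_count_ceiling_read()`, while the description's final sentence says hard-coded maximum values were replaced by an `LS7267_CNTR_MAX` define; no such define is added anywhere in this backport, so the message overstates what the diff does and a reader grepping for the macro will not find it. If the define is deliberately left out because this tree predates it, the stable version of the message should say the literal was updated rather than replaced. The write-side range checks (`quad8_write_raw`, `quad8_count_ceiling_write`) are not visible in this diff; confirm they already reject anything above 0xFFFFFF in this tree, otherwise the ceiling reported here and the values accepted on write disagree. The two `*val = 0;` lines are only correct if the byte reads that follow OR into `*val` under `priv->lock`, which lies outside the hunks, and `quad8_count_ceiling_read()` itself begins before its hunk.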
--- /dev/null
+From a25bc8486f9c01c1af6b6c5657234b2eee2c39d6 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Wed, 19 Apr 2023 13:16:13 +0300
+Subject: KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit a25bc8486f9c01c1af6b6c5657234b2eee2c39d6 upstream.
+
+The KVM_REG_SIZE() comes from the ioctl and it can be a power of two
+between 0-32768 but if it is more than sizeof(long) this will corrupt
+memory.
+
+Fixes: 99adb567632b ("KVM: arm/arm64: Add save/restore support for firmware workaround state")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/4efbab8c-640f-43b2-8ac6-6d68e08280fe@kili.mountain
+Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
+[will: kvm_arm_set_fw_reg() lives in psci.c not hypercalls.c]
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/psci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kvm/psci.c
++++ b/arch/arm64/kvm/psci.c
+@@ -499,6 +499,8 @@ int kvm_arm_set_fw_reg(struct kvm_vcpu *
+ u64 val;
+ int wa_level;
+
++ if (KVM_REG_SIZE(reg->id) != sizeof(val))
++ return -ENOENT;
+ if (copy_from_user(&val, uaddr, KVM_REG_SIZE(reg->id)))
+ return -EFAULT;
+
Link: https://lore.kernel.org/r/20220823154532.82913-1-kuniyu@amazon.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- kernel/fork.c | 17 +++++++++++------
+ kernel/fork.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
-diff --git a/kernel/fork.c b/kernel/fork.c
-index a5bc0c6a00fd..c6a289317e89 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
-@@ -441,6 +441,9 @@ void put_task_stack(struct task_struct *tsk)
+@@ -441,6 +441,9 @@ void put_task_stack(struct task_struct *
void free_task(struct task_struct *tsk)
{
scs_release(tsk);
#ifndef CONFIG_THREAD_INFO_IN_TASK
-@@ -2248,12 +2251,6 @@ static __latent_entropy struct task_struct *copy_process(
+@@ -2248,12 +2251,6 @@ static __latent_entropy struct task_stru
spin_lock(¤t->sighand->siglock);
rseq_fork(p, clone_flags);
/* Don't start children in a dying pid namespace */
-@@ -2268,6 +2265,14 @@ static __latent_entropy struct task_struct *copy_process(
+@@ -2268,6 +2265,14 @@ static __latent_entropy struct task_stru
goto bad_fork_cancel_cgroup;
}
init_task_pid_links(p);
if (likely(p->pid)) {
ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
---
-2.30.2
-