--- /dev/null
+From 8b3d743fc9e2542822826890b482afabf0e7522a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
+Date: Mon, 20 Jun 2022 19:18:15 +0200
+Subject: clk: Fix pointer casting to prevent oops in devm_clk_release()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+commit 8b3d743fc9e2542822826890b482afabf0e7522a upstream.
+
+The release function is called with a pointer to the memory returned by
+devres_alloc(). I was confused about that by the code before the
+generalization that used a struct clk **ptr.
+
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20220620171815.114212-1-u.kleine-koenig@pengutronix.de
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-devres.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/clk-devres.c
++++ b/drivers/clk/clk-devres.c
+@@ -16,7 +16,7 @@ struct devm_clk_state {
+
+ static void devm_clk_release(struct device *dev, void *res)
+ {
+- struct devm_clk_state *state = *(struct devm_clk_state **)res;
++ struct devm_clk_state *state = res;
+
+ if (state->exit)
+ state->exit(state->clk);
--- /dev/null
+From 66fbfb35da47f391bdadf9fa7ceb88af4faa9022 Mon Sep 17 00:00:00 2001
+From: Andrey Skvortsov <andrej.skvortzov@gmail.com>
+Date: Sat, 5 Aug 2023 11:48:47 +0300
+Subject: clk: Fix slab-out-of-bounds error in devm_clk_release()
+
+From: Andrey Skvortsov <andrej.skvortzov@gmail.com>
+
+commit 66fbfb35da47f391bdadf9fa7ceb88af4faa9022 upstream.
+
+Problem can be reproduced by unloading snd_soc_simple_card, because in
+devm_get_clk_from_child() devres data is allocated as `struct clk`, but
+devm_clk_release() expects devres data to be `struct devm_clk_state`.
+
+KASAN report:
+ ==================================================================
+ BUG: KASAN: slab-out-of-bounds in devm_clk_release+0x20/0x54
+ Read of size 8 at addr ffffff800ee09688 by task (udev-worker)/287
+
+ Call trace:
+ dump_backtrace+0xe8/0x11c
+ show_stack+0x1c/0x30
+ dump_stack_lvl+0x60/0x78
+ print_report+0x150/0x450
+ kasan_report+0xa8/0xf0
+ __asan_load8+0x78/0xa0
+ devm_clk_release+0x20/0x54
+ release_nodes+0x84/0x120
+ devres_release_all+0x144/0x210
+ device_unbind_cleanup+0x1c/0xac
+ really_probe+0x2f0/0x5b0
+ __driver_probe_device+0xc0/0x1f0
+ driver_probe_device+0x68/0x120
+ __driver_attach+0x140/0x294
+ bus_for_each_dev+0xec/0x160
+ driver_attach+0x38/0x44
+ bus_add_driver+0x24c/0x300
+ driver_register+0xf0/0x210
+ __platform_driver_register+0x48/0x54
+ asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card]
+ do_one_initcall+0xac/0x340
+ do_init_module+0xd0/0x300
+ load_module+0x2ba4/0x3100
+ __do_sys_init_module+0x2c8/0x300
+ __arm64_sys_init_module+0x48/0x5c
+ invoke_syscall+0x64/0x190
+ el0_svc_common.constprop.0+0x124/0x154
+ do_el0_svc+0x44/0xdc
+ el0_svc+0x14/0x50
+ el0t_64_sync_handler+0xec/0x11c
+ el0t_64_sync+0x14c/0x150
+
+ Allocated by task 287:
+ kasan_save_stack+0x38/0x60
+ kasan_set_track+0x28/0x40
+ kasan_save_alloc_info+0x20/0x30
+ __kasan_kmalloc+0xac/0xb0
+ __kmalloc_node_track_caller+0x6c/0x1c4
+ __devres_alloc_node+0x44/0xb4
+ devm_get_clk_from_child+0x44/0xa0
+ asoc_simple_parse_clk+0x1b8/0x1dc [snd_soc_simple_card_utils]
+ simple_parse_node.isra.0+0x1ec/0x230 [snd_soc_simple_card]
+ simple_dai_link_of+0x1bc/0x334 [snd_soc_simple_card]
+ __simple_for_each_link+0x2ec/0x320 [snd_soc_simple_card]
+ asoc_simple_probe+0x468/0x4dc [snd_soc_simple_card]
+ platform_probe+0x90/0xf0
+ really_probe+0x118/0x5b0
+ __driver_probe_device+0xc0/0x1f0
+ driver_probe_device+0x68/0x120
+ __driver_attach+0x140/0x294
+ bus_for_each_dev+0xec/0x160
+ driver_attach+0x38/0x44
+ bus_add_driver+0x24c/0x300
+ driver_register+0xf0/0x210
+ __platform_driver_register+0x48/0x54
+ asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card]
+ do_one_initcall+0xac/0x340
+ do_init_module+0xd0/0x300
+ load_module+0x2ba4/0x3100
+ __do_sys_init_module+0x2c8/0x300
+ __arm64_sys_init_module+0x48/0x5c
+ invoke_syscall+0x64/0x190
+ el0_svc_common.constprop.0+0x124/0x154
+ do_el0_svc+0x44/0xdc
+ el0_svc+0x14/0x50
+ el0t_64_sync_handler+0xec/0x11c
+ el0t_64_sync+0x14c/0x150
+
+ The buggy address belongs to the object at ffffff800ee09600
+ which belongs to the cache kmalloc-256 of size 256
+ The buggy address is located 136 bytes inside of
+ 256-byte region [ffffff800ee09600, ffffff800ee09700)
+
+ The buggy address belongs to the physical page:
+ page:000000002d97303b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ee08
+ head:000000002d97303b order:1 compound_mapcount:0 compound_pincount:0
+ flags: 0x10200(slab|head|zone=0)
+ raw: 0000000000010200 0000000000000000 dead000000000122 ffffff8002c02480
+ raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffffff800ee09580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffffff800ee09600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffffff800ee09680: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffffff800ee09700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffffff800ee09780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ==================================================================
+
+Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
+Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
+Link: https://lore.kernel.org/r/20230805084847.3110586-1-andrej.skvortzov@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-devres.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/clk/clk-devres.c
++++ b/drivers/clk/clk-devres.c
+@@ -163,18 +163,19 @@ EXPORT_SYMBOL(devm_clk_put);
+ struct clk *devm_get_clk_from_child(struct device *dev,
+ struct device_node *np, const char *con_id)
+ {
+- struct clk **ptr, *clk;
++ struct devm_clk_state *state;
++ struct clk *clk;
+
+- ptr = devres_alloc(devm_clk_release, sizeof(*ptr), GFP_KERNEL);
+- if (!ptr)
++ state = devres_alloc(devm_clk_release, sizeof(*state), GFP_KERNEL);
++ if (!state)
+ return ERR_PTR(-ENOMEM);
+
+ clk = of_clk_get_by_name(np, con_id);
+ if (!IS_ERR(clk)) {
+- *ptr = clk;
+- devres_add(dev, ptr);
++ state->clk = clk;
++ devres_add(dev, state);
+ } else {
+- devres_free(ptr);
++ devres_free(state);
+ }
+
+ return clk;
--- /dev/null
+From b7eca940322f47fd30dafb70da04d193a0154090 Mon Sep 17 00:00:00 2001
+From: Shani Shapp <shanish@mellanox.com>
+Date: Tue, 12 Nov 2019 15:10:00 +0200
+Subject: net/mlx5: Update the list of the PCI supported devices
+
+From: Shani Shapp <shanish@mellanox.com>
+
+commit b7eca940322f47fd30dafb70da04d193a0154090 upstream.
+
+Add the upcoming ConnectX-6 LX device ID.
+
+Fixes: 85327a9c4150 ("net/mlx5: Update the list of the PCI supported devices")
+Signed-off-by: Shani Shapp <shanish@mellanox.com>
+Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1644,6 +1644,7 @@ static const struct pci_device_id mlx5_c
+ { PCI_VDEVICE(MELLANOX, 0x101c), MLX5_PCI_DEV_IS_VF}, /* ConnectX-6 VF */
+ { PCI_VDEVICE(MELLANOX, 0x101d) }, /* ConnectX-6 Dx */
+ { PCI_VDEVICE(MELLANOX, 0x101e), MLX5_PCI_DEV_IS_VF}, /* ConnectX Family mlx5Gen Virtual Function */
++ { PCI_VDEVICE(MELLANOX, 0x101f) }, /* ConnectX-6 LX */
+ { PCI_VDEVICE(MELLANOX, 0xa2d2) }, /* BlueField integrated ConnectX-5 network controller */
+ { PCI_VDEVICE(MELLANOX, 0xa2d3), MLX5_PCI_DEV_IS_VF}, /* BlueField integrated ConnectX-5 network controller VF */
+ { PCI_VDEVICE(MELLANOX, 0xa2d6) }, /* BlueField-2 integrated ConnectX-6 Dx network controller */
projects / thirdparty / kernel / stable-queue.git / commitdiff
