Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.4/ca8210-fix-mac_len-negative-array-access.patch b/queue-5.4/ca8210-fix-mac_len-negative-array-access.patch
new file mode 100644 (file)
index 0000000..9e3cb7b
--- /dev/null
+++ b/queue-5.4/ca8210-fix-mac_len-negative-array-access.patch
@@ -0,0 +1,37 @@
+From 4ce51eb0cc7df7def18dc29dd1c3373124ca64b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Feb 2023 23:25:04 -0500
+Subject: ca8210: fix mac_len negative array access
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 6c993779ea1d0cccdb3a5d7d45446dd229e610a3 ]
+
+This patch fixes a buffer overflow access of skb->data if
+ieee802154_hdr_peek_addrs() fails.
+
+Reported-by: lianhui tang <bluetlh@gmail.com>
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20230217042504.3303396-1-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/ca8210.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index 66cf09e637e4e..498a82ab4eaf4 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -1955,6 +1955,8 @@ static int ca8210_skb_tx(
+        * packet
+        */
+       mac_len = ieee802154_hdr_peek_addrs(skb, &header);
++      if (mac_len < 0)
++              return mac_len;
+ 
+       secspec.security_level = header.sec.level;
+       secspec.key_id_mode = header.sec.key_id_mode;
+-- 
+2.39.2
+

diff --git a/queue-5.4/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch b/queue-5.4/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch
new file mode 100644 (file)
index 0000000..d3c2af7
--- /dev/null
+++ b/queue-5.4/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch
@@ -0,0 +1,75 @@
+From f1dc0807f20de72a0768d4e75ec56072d9787d38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 15:11:07 +1300
+Subject: m68k: Only force 030 bus error if PC not in exception table
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+[ Upstream commit e36a82bebbf7da814530d5a179bef9df5934b717 ]
+
+__get_kernel_nofault() does copy data in supervisor mode when
+forcing a task backtrace log through /proc/sysrq_trigger.
+This is expected cause a bus error exception on e.g. NULL
+pointer dereferencing when logging a kernel task has no
+workqueue associated. This bus error ought to be ignored.
+
+Our 030 bus error handler is ill equipped to deal with this:
+
+Whenever ssw indicates a kernel mode access on a data fault,
+we don't even attempt to handle the fault and instead always
+send a SEGV signal (or panic). As a result, the check
+for exception handling at the fault PC (buried in
+send_sig_fault() which gets called from do_page_fault()
+eventually) is never used.
+
+In contrast, both 040 and 060 access error handlers do not
+care whether a fault happened on supervisor mode access,
+and will call do_page_fault() on those, ultimately honoring
+the exception table.
+
+Add a check in bus_error030 to call do_page_fault() in case
+we do have an entry for the fault PC in our exception table.
+
+I had attempted a fix for this earlier in 2019 that did rely
+on testing pagefault_disabled() (see link below) to achieve
+the same thing, but this patch should be more generic.
+
+Tested on 030 Atari Falcon.
+
+Reported-by: Eero Tamminen <oak@helsinkinet.fi>
+Link: https://lore.kernel.org/r/alpine.LNX.2.21.1904091023540.25@nippy.intranet
+Link: https://lore.kernel.org/r/63130691-1984-c423-c1f2-73bfd8d3dcd3@gmail.com
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/20230301021107.26307-1-schmitzmic@gmail.com
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/traps.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/m68k/kernel/traps.c b/arch/m68k/kernel/traps.c
+index a245c1933d418..5bf314871e9f6 100644
+--- a/arch/m68k/kernel/traps.c
++++ b/arch/m68k/kernel/traps.c
+@@ -30,6 +30,7 @@
+ #include <linux/init.h>
+ #include <linux/ptrace.h>
+ #include <linux/kallsyms.h>
++#include <linux/extable.h>
+ 
+ #include <asm/setup.h>
+ #include <asm/fpu.h>
+@@ -550,7 +551,8 @@ static inline void bus_error030 (struct frame *fp)
+                       errorcode |= 2;
+ 
+               if (mmusr & (MMU_I | MMU_WP)) {
+-                      if (ssw & 4) {
++                      /* We might have an exception table for this PC */
++                      if (ssw & 4 && !search_exception_tables(fp->ptregs.pc)) {
+                               pr_err("Data %s fault at %#010lx in %s (pc=%#lx)\n",
+                                      ssw & RW ? "read" : "write",
+                                      fp->un.fmtb.daddr,
+-- 
+2.39.2
+

diff --git a/queue-5.4/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch b/queue-5.4/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch
new file mode 100644 (file)
index 0000000..82ea852
--- /dev/null
+++ b/queue-5.4/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch
@@ -0,0 +1,39 @@
+From 018a90315465a79a8179b3294b27227fe5a76220 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 12:59:33 +0100
+Subject: net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990
+
+From: Enrico Sau <enrico.sau@gmail.com>
+
+[ Upstream commit 418383e6ed6b4624a54ec05c535f13d184fbf33b ]
+
+Add quirk CDC_MBIM_FLAG_AVOID_ALTSETTING_TOGGLE for Telit FE990
+0x1081 composition in order to avoid bind error.
+
+Signed-off-by: Enrico Sau <enrico.sau@gmail.com>
+Link: https://lore.kernel.org/r/20230306115933.198259-1-enrico.sau@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_mbim.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c
+index 414341c9cf5ae..6ad1fb00a35cd 100644
+--- a/drivers/net/usb/cdc_mbim.c
++++ b/drivers/net/usb/cdc_mbim.c
+@@ -663,6 +663,11 @@ static const struct usb_device_id mbim_devs[] = {
+         .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle,
+       },
+ 
++      /* Telit FE990 */
++      { USB_DEVICE_AND_INTERFACE_INFO(0x1bc7, 0x1081, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE),
++        .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle,
++      },
++
+       /* default entry */
+       { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE),
+         .driver_info = (unsigned long)&cdc_mbim_info_zlp,
+-- 
+2.39.2
+

diff --git a/queue-5.4/net-usb-qmi_wwan-add-telit-0x1080-composition.patch b/queue-5.4/net-usb-qmi_wwan-add-telit-0x1080-composition.patch
new file mode 100644 (file)
index 0000000..1f0cfc0
--- /dev/null
+++ b/queue-5.4/net-usb-qmi_wwan-add-telit-0x1080-composition.patch
@@ -0,0 +1,36 @@
+From 33d60c22cb412b4fda904cb4b0ea82abdb51f777 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 13:05:28 +0100
+Subject: net: usb: qmi_wwan: add Telit 0x1080 composition
+
+From: Enrico Sau <enrico.sau@gmail.com>
+
+[ Upstream commit 382e363d5bed0cec5807b35761d14e55955eee63 ]
+
+Add the following Telit FE990 composition:
+
+0x1080: tty, adb, rmnet, tty, tty, tty, tty
+
+Signed-off-by: Enrico Sau <enrico.sau@gmail.com>
+Link: https://lore.kernel.org/r/20230306120528.198842-1-enrico.sau@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index c310cdbfd583e..c2307cfaf4009 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1319,6 +1319,7 @@ static const struct usb_device_id products[] = {
+       {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */
+       {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */
+       {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990 */
++      {QMI_QUIRK_SET_DTR(0x1bc7, 0x1080, 2)}, /* Telit FE990 */
+       {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)},    /* Telit ME910 */
+       {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)},    /* Telit ME910 dual modem */
+       {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)},    /* Telit LE920 */
+-- 
+2.39.2
+

diff --git a/queue-5.4/riscv-bump-command_line_size-value-to-1024.patch b/queue-5.4/riscv-bump-command_line_size-value-to-1024.patch
new file mode 100644 (file)
index 0000000..bb8e307
--- /dev/null
+++ b/queue-5.4/riscv-bump-command_line_size-value-to-1024.patch
@@ -0,0 +1,46 @@
+From 61590fa459639282050e355f5b4e0e1e1cdc373d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Mar 2021 15:34:20 -0400
+Subject: riscv: Bump COMMAND_LINE_SIZE value to 1024
+
+From: Alexandre Ghiti <alex@ghiti.fr>
+
+[ Upstream commit 61fc1ee8be26bc192d691932b0a67eabee45d12f ]
+
+Increase COMMAND_LINE_SIZE as the current default value is too low
+for syzbot kernel command line.
+
+There has been considerable discussion on this patch that has led to a
+larger patch set removing COMMAND_LINE_SIZE from the uapi headers on all
+ports.  That's not quite done yet, but it's gotten far enough we're
+confident this is not a uABI change so this is safe.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Alexandre Ghiti <alex@ghiti.fr>
+Link: https://lore.kernel.org/r/20210316193420.904-1-alex@ghiti.fr
+[Palmer: it's not uabi]
+Link: https://lore.kernel.org/linux-riscv/874b8076-b0d1-4aaa-bcd8-05d523060152@app.fastmail.com/#t
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/uapi/asm/setup.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+ create mode 100644 arch/riscv/include/uapi/asm/setup.h
+
+diff --git a/arch/riscv/include/uapi/asm/setup.h b/arch/riscv/include/uapi/asm/setup.h
+new file mode 100644
+index 0000000000000..66b13a5228808
+--- /dev/null
++++ b/arch/riscv/include/uapi/asm/setup.h
+@@ -0,0 +1,8 @@
++/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */
++
++#ifndef _UAPI_ASM_RISCV_SETUP_H
++#define _UAPI_ASM_RISCV_SETUP_H
++
++#define COMMAND_LINE_SIZE     1024
++
++#endif /* _UAPI_ASM_RISCV_SETUP_H */
+-- 
+2.39.2
+

diff --git a/queue-5.4/scsi-lpfc-avoid-usage-of-list-iterator-variable-afte.patch b/queue-5.4/scsi-lpfc-avoid-usage-of-list-iterator-variable-afte.patch
new file mode 100644 (file)
index 0000000..a67b445
--- /dev/null
+++ b/queue-5.4/scsi-lpfc-avoid-usage-of-list-iterator-variable-afte.patch
@@ -0,0 +1,61 @@
+From 0ba78d2b381b12f734bc4b247bd87b623396dd85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 18:19:14 +0100
+Subject: scsi: lpfc: Avoid usage of list iterator variable after loop
+
+From: Jakob Koschel <jkl820.git@gmail.com>
+
+[ Upstream commit 2850b23e9f9ae3696e472d2883ea1b43aafa884e ]
+
+If the &epd_pool->list is empty when executing
+lpfc_get_io_buf_from_expedite_pool() the function would return an invalid
+pointer. Even in the case if the list is guaranteed to be populated, the
+iterator variable should not be used after the loop to be more robust for
+future changes.
+
+Linus proposed to avoid any use of the list iterator variable after the
+loop, in the attempt to move the list iterator variable declaration into
+the macro to avoid any potential misuse after the loop [1].
+
+Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/ [1]
+Signed-off-by: Jakob Koschel <jkl820.git@gmail.com>
+Link: https://lore.kernel.org/r/20230301-scsi-lpfc-avoid-list-iterator-after-loop-v1-1-325578ae7561@gmail.com
+Reviewed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index bd908dd273078..e489c68cfb631 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -20407,20 +20407,20 @@ lpfc_get_io_buf_from_private_pool(struct lpfc_hba *phba,
+ static struct lpfc_io_buf *
+ lpfc_get_io_buf_from_expedite_pool(struct lpfc_hba *phba)
+ {
+-      struct lpfc_io_buf *lpfc_ncmd;
++      struct lpfc_io_buf *lpfc_ncmd = NULL, *iter;
+       struct lpfc_io_buf *lpfc_ncmd_next;
+       unsigned long iflag;
+       struct lpfc_epd_pool *epd_pool;
+ 
+       epd_pool = &phba->epd_pool;
+-      lpfc_ncmd = NULL;
+ 
+       spin_lock_irqsave(&epd_pool->lock, iflag);
+       if (epd_pool->count > 0) {
+-              list_for_each_entry_safe(lpfc_ncmd, lpfc_ncmd_next,
++              list_for_each_entry_safe(iter, lpfc_ncmd_next,
+                                        &epd_pool->list, list) {
+-                      list_del(&lpfc_ncmd->list);
++                      list_del(&iter->list);
+                       epd_pool->count--;
++                      lpfc_ncmd = iter;
+                       break;
+               }
+       }
+-- 
+2.39.2
+

diff --git a/queue-5.4/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch b/queue-5.4/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch
new file mode 100644 (file)
index 0000000..9a5d59d
--- /dev/null
+++ b/queue-5.4/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch
@@ -0,0 +1,55 @@
+From 3c51c327f4906da3e46abd9ff8ddfabe559d1d38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 15:15:56 +0100
+Subject: scsi: target: iscsi: Fix an error message in iscsi_check_key()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 6cc55c969b7ce8d85e09a636693d4126c3676c11 ]
+
+The first half of the error message is printed by pr_err(), the second half
+is printed by pr_debug(). The user will therefore see only the first part
+of the message and will miss some useful information.
+
+Link: https://lore.kernel.org/r/20230214141556.762047-1-mlombard@redhat.com
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/iscsi/iscsi_target_parameters.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
+index 7a461fbb15668..31cd3c02e5176 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -1262,18 +1262,20 @@ static struct iscsi_param *iscsi_check_key(
+               return param;
+ 
+       if (!(param->phase & phase)) {
+-              pr_err("Key \"%s\" may not be negotiated during ",
+-                              param->name);
++              char *phase_name;
++
+               switch (phase) {
+               case PHASE_SECURITY:
+-                      pr_debug("Security phase.\n");
++                      phase_name = "Security";
+                       break;
+               case PHASE_OPERATIONAL:
+-                      pr_debug("Operational phase.\n");
++                      phase_name = "Operational";
+                       break;
+               default:
+-                      pr_debug("Unknown phase.\n");
++                      phase_name = "Unknown";
+               }
++              pr_err("Key \"%s\" may not be negotiated during %s phase.\n",
++                              param->name, phase_name);
+               return NULL;
+       }
+ 
+-- 
+2.39.2
+

diff --git a/queue-5.4/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch b/queue-5.4/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch
new file mode 100644 (file)
index 0000000..ca89b4f
--- /dev/null
+++ b/queue-5.4/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch
@@ -0,0 +1,36 @@
+From 3b85fa3d58964469331c1161f875a2d6edc2a787 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Feb 2023 09:07:40 -0500
+Subject: scsi: ufs: core: Add soft dependency on governor_simpleondemand
+
+From: Adrien Thierry <athierry@redhat.com>
+
+[ Upstream commit 2ebe16155dc8bd4e602cad5b5f65458d2eaa1a75 ]
+
+The ufshcd driver uses simpleondemand governor for devfreq. Add it to the
+list of ufshcd softdeps to allow userspace initramfs tools like dracut to
+automatically pull the governor module into the initramfs together with UFS
+drivers.
+
+Link: https://lore.kernel.org/r/20230220140740.14379-1-athierry@redhat.com
+Signed-off-by: Adrien Thierry <athierry@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 670f4c7934f85..9d13226d2324a 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -8530,5 +8530,6 @@ EXPORT_SYMBOL_GPL(ufshcd_init);
+ MODULE_AUTHOR("Santosh Yaragnavi <santosh.sy@samsung.com>");
+ MODULE_AUTHOR("Vinayak Holikatti <h.vinayak@samsung.com>");
+ MODULE_DESCRIPTION("Generic UFS host controller driver Core");
++MODULE_SOFTDEP("pre: governor_simpleondemand");
+ MODULE_LICENSE("GPL");
+ MODULE_VERSION(UFSHCD_DRIVER_VERSION);
+-- 
+2.39.2
+

diff --git a/queue-5.4/selftests-bpf-check-that-modifier-resolves-after-poi.patch b/queue-5.4/selftests-bpf-check-that-modifier-resolves-after-poi.patch
new file mode 100644 (file)
index 0000000..5261ad4
--- /dev/null
+++ b/queue-5.4/selftests-bpf-check-that-modifier-resolves-after-poi.patch
@@ -0,0 +1,63 @@
+From 7114557e19f32ebf86f9ce5bcbfd5c7b62cdc243 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 11:21:38 +0000
+Subject: selftests/bpf: check that modifier resolves after pointer
+
+From: Lorenz Bauer <lorenz.bauer@isovalent.com>
+
+[ Upstream commit dfdd608c3b365f0fd49d7e13911ebcde06b9865b ]
+
+Add a regression test that ensures that a VAR pointing at a
+modifier which follows a PTR (or STRUCT or ARRAY) is resolved
+correctly by the datasec validator.
+
+Signed-off-by: Lorenz Bauer <lmb@isovalent.com>
+Link: https://lore.kernel.org/r/20230306112138.155352-3-lmb@isovalent.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_btf.c | 28 ++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/test_btf.c b/tools/testing/selftests/bpf/test_btf.c
+index 996eca57bc977..f641eb292a885 100644
+--- a/tools/testing/selftests/bpf/test_btf.c
++++ b/tools/testing/selftests/bpf/test_btf.c
+@@ -920,6 +920,34 @@ static struct btf_raw_test raw_tests[] = {
+       .btf_load_err = true,
+       .err_str = "Invalid elem",
+ },
++{
++      .descr = "var after datasec, ptr followed by modifier",
++      .raw_types = {
++              /* .bss section */                              /* [1] */
++              BTF_TYPE_ENC(NAME_TBD, BTF_INFO_ENC(BTF_KIND_DATASEC, 0, 2),
++                      sizeof(void*)+4),
++              BTF_VAR_SECINFO_ENC(4, 0, sizeof(void*)),
++              BTF_VAR_SECINFO_ENC(6, sizeof(void*), 4),
++              /* int */                                       /* [2] */
++              BTF_TYPE_INT_ENC(0, BTF_INT_SIGNED, 0, 32, 4),
++              /* int* */                                      /* [3] */
++              BTF_TYPE_ENC(0, BTF_INFO_ENC(BTF_KIND_PTR, 0, 0), 2),
++              BTF_VAR_ENC(NAME_TBD, 3, 0),                    /* [4] */
++              /* const int */                                 /* [5] */
++              BTF_TYPE_ENC(0, BTF_INFO_ENC(BTF_KIND_CONST, 0, 0), 2),
++              BTF_VAR_ENC(NAME_TBD, 5, 0),                    /* [6] */
++              BTF_END_RAW,
++      },
++      .str_sec = "\0a\0b\0c\0",
++      .str_sec_size = sizeof("\0a\0b\0c\0"),
++      .map_type = BPF_MAP_TYPE_ARRAY,
++      .map_name = ".bss",
++      .key_size = sizeof(int),
++      .value_size = sizeof(void*)+4,
++      .key_type_id = 0,
++      .value_type_id = 1,
++      .max_entries = 1,
++},
+ /* Test member exceeds the size of struct.
+  *
+  * struct A {
+-- 
+2.39.2
+

diff --git a/queue-5.4/series b/queue-5.4/series
index fd80b943de41e0126fc4fda31f88984908e9dbb1..aae1bfdc5b541c740070b113d16dcd0cee3af95c 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -29,3 +29,13 @@ hwmon-it87-fix-voltage-scaling-for-chips-with-10.9mv.patch
 scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch
 uas-add-us_fl_no_report_opcodes-for-jmicron-jms583gen-2.patch
 thunderbolt-use-const-qualifier-for-ring_interrupt_index.patch
+riscv-bump-command_line_size-value-to-1024.patch
+ca8210-fix-mac_len-negative-array-access.patch
+m68k-only-force-030-bus-error-if-pc-not-in-exception.patch
+selftests-bpf-check-that-modifier-resolves-after-poi.patch
+scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch
+scsi-ufs-core-add-soft-dependency-on-governor_simple.patch
+scsi-lpfc-avoid-usage-of-list-iterator-variable-afte.patch
+net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch
+net-usb-qmi_wwan-add-telit-0x1080-composition.patch
+sh-sanitize-the-flags-on-sigreturn.patch

diff --git a/queue-5.4/sh-sanitize-the-flags-on-sigreturn.patch b/queue-5.4/sh-sanitize-the-flags-on-sigreturn.patch
new file mode 100644 (file)
index 0000000..06da017
--- /dev/null
+++ b/queue-5.4/sh-sanitize-the-flags-on-sigreturn.patch
@@ -0,0 +1,58 @@
+From ba9fd1765f01b7f4dae38058a52bcf7c53821aef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 01:20:30 +0000
+Subject: sh: sanitize the flags on sigreturn
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 573b22ccb7ce9ab7f0539a2e11a9d3609a8783f5 ]
+
+We fetch %SR value from sigframe; it might have been modified by signal
+handler, so we can't trust it with any bits that are not modifiable in
+user mode.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Rich Felker <dalias@libc.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/include/asm/processor_32.h | 1 +
+ arch/sh/kernel/signal_32.c         | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/arch/sh/include/asm/processor_32.h b/arch/sh/include/asm/processor_32.h
+index 0e0ecc0132e3b..58ae979798fa8 100644
+--- a/arch/sh/include/asm/processor_32.h
++++ b/arch/sh/include/asm/processor_32.h
+@@ -51,6 +51,7 @@
+ #define SR_FD         0x00008000
+ #define SR_MD         0x40000000
+ 
++#define SR_USER_MASK  0x00000303      // M, Q, S, T bits
+ /*
+  * DSP structure and data
+  */
+diff --git a/arch/sh/kernel/signal_32.c b/arch/sh/kernel/signal_32.c
+index 24473fa6c3b63..f6e1a47ad7ca0 100644
+--- a/arch/sh/kernel/signal_32.c
++++ b/arch/sh/kernel/signal_32.c
+@@ -116,6 +116,7 @@ static int
+ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *r0_p)
+ {
+       unsigned int err = 0;
++      unsigned int sr = regs->sr & ~SR_USER_MASK;
+ 
+ #define COPY(x)               err |= __get_user(regs->x, &sc->sc_##x)
+                       COPY(regs[1]);
+@@ -131,6 +132,8 @@ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *r0_p
+       COPY(sr);       COPY(pc);
+ #undef COPY
+ 
++      regs->sr = (regs->sr & SR_USER_MASK) | sr;
++
+ #ifdef CONFIG_SH_FPU
+       if (boot_cpu_data.flags & CPU_HAS_FPU) {
+               int owned_fp;
+-- 
+2.39.2
+