Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.4/series b/queue-5.4/series
index 796dd06c29f86a81ef0d8bd587be7972bb0cca8c..16a9a1ec6f1528ce68feca44c2f1161b5706dd26 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -52,3 +52,6 @@ net-ncsi-fix-gma-flag-setting-after-response.patch
 net-ncsi-change-from-ndo_set_mac_address-to-dev_set_.patch
 nfsd4-kill-warnings-on-testing-stateids-with-mismatc.patch
 nfsd-remove-incorrect-check-in-nfsd4_validate_statei.patch
+virtio-mmio-convert-to-devm_platform_ioremap_resourc.patch
+virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch
+virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch

diff --git a/queue-5.4/virtio-mmio-convert-to-devm_platform_ioremap_resourc.patch b/queue-5.4/virtio-mmio-convert-to-devm_platform_ioremap_resourc.patch
new file mode 100644 (file)
index 0000000..e63948c
--- /dev/null
+++ b/queue-5.4/virtio-mmio-convert-to-devm_platform_ioremap_resourc.patch
@@ -0,0 +1,60 @@
+From 14ceb0bc0bf77b814735a9164678f1d0826aec5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Dec 2019 19:08:39 +0000
+Subject: virtio-mmio: convert to devm_platform_ioremap_resource
+
+From: Yangtao Li <tiny.windzz@gmail.com>
+
+[ Upstream commit c64eb62cfce242a57a7276ca8280ae0baab29d05 ]
+
+Use devm_platform_ioremap_resource() to simplify code, which
+contains platform_get_resource, devm_request_mem_region and
+devm_ioremap.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virtio/virtio_mmio.c | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c
+index e781e5e9215f0..dd8fec8738564 100644
+--- a/drivers/virtio/virtio_mmio.c
++++ b/drivers/virtio/virtio_mmio.c
+@@ -554,18 +554,9 @@ static void virtio_mmio_release_dev(struct device *_d)
+ static int virtio_mmio_probe(struct platform_device *pdev)
+ {
+       struct virtio_mmio_device *vm_dev;
+-      struct resource *mem;
+       unsigned long magic;
+       int rc;
+ 
+-      mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+-      if (!mem)
+-              return -EINVAL;
+-
+-      if (!devm_request_mem_region(&pdev->dev, mem->start,
+-                      resource_size(mem), pdev->name))
+-              return -EBUSY;
+-
+       vm_dev = devm_kzalloc(&pdev->dev, sizeof(*vm_dev), GFP_KERNEL);
+       if (!vm_dev)
+               return -ENOMEM;
+@@ -577,9 +568,9 @@ static int virtio_mmio_probe(struct platform_device *pdev)
+       INIT_LIST_HEAD(&vm_dev->virtqueues);
+       spin_lock_init(&vm_dev->lock);
+ 
+-      vm_dev->base = devm_ioremap(&pdev->dev, mem->start, resource_size(mem));
+-      if (vm_dev->base == NULL)
+-              return -EFAULT;
++      vm_dev->base = devm_platform_ioremap_resource(pdev, 0);
++      if (IS_ERR(vm_dev->base))
++              return PTR_ERR(vm_dev->base);
+ 
+       /* Check magic value */
+       magic = readl(vm_dev->base + VIRTIO_MMIO_MAGIC_VALUE);
+-- 
+2.40.1
+

diff --git a/queue-5.4/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch b/queue-5.4/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch
new file mode 100644 (file)
index 0000000..340eb7f
--- /dev/null
+++ b/queue-5.4/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch
@@ -0,0 +1,60 @@
+From 7766a34749c42359b40225d2709442944abd2854 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jun 2023 14:05:26 +0200
+Subject: virtio-mmio: don't break lifecycle of vm_dev
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 55c91fedd03d7b9cf0c5199b2eb12b9b8e95281a ]
+
+vm_dev has a separate lifecycle because it has a 'struct device'
+embedded. Thus, having a release callback for it is correct.
+
+Allocating the vm_dev struct with devres totally breaks this protection,
+though. Instead of waiting for the vm_dev release callback, the memory
+is freed when the platform_device is removed. Resulting in a
+use-after-free when finally the callback is to be called.
+
+To easily see the problem, compile the kernel with
+CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs.
+
+The fix is easy, don't use devres in this case.
+
+Found during my research about object lifetime problems.
+
+Fixes: 7eb781b1bbb7 ("virtio_mmio: add cleanup for virtio_mmio_probe")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Message-Id: <20230629120526.7184-1-wsa+renesas@sang-engineering.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virtio/virtio_mmio.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c
+index e39b530b218a2..aee8b5ce8b63c 100644
+--- a/drivers/virtio/virtio_mmio.c
++++ b/drivers/virtio/virtio_mmio.c
+@@ -543,9 +543,8 @@ static void virtio_mmio_release_dev(struct device *_d)
+       struct virtio_device *vdev =
+                       container_of(_d, struct virtio_device, dev);
+       struct virtio_mmio_device *vm_dev = to_virtio_mmio_device(vdev);
+-      struct platform_device *pdev = vm_dev->pdev;
+ 
+-      devm_kfree(&pdev->dev, vm_dev);
++      kfree(vm_dev);
+ }
+ 
+ /* Platform device */
+@@ -556,7 +555,7 @@ static int virtio_mmio_probe(struct platform_device *pdev)
+       unsigned long magic;
+       int rc;
+ 
+-      vm_dev = devm_kzalloc(&pdev->dev, sizeof(*vm_dev), GFP_KERNEL);
++      vm_dev = kzalloc(sizeof(*vm_dev), GFP_KERNEL);
+       if (!vm_dev)
+               return -ENOMEM;
+ 
+-- 
+2.40.1
+

diff --git a/queue-5.4/virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch b/queue-5.4/virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch
new file mode 100644 (file)
index 0000000..8d84bcd
--- /dev/null
+++ b/queue-5.4/virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch
@@ -0,0 +1,38 @@
+From 9b36c3848a5d3108803e51ac4d9f3701e0389b84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Feb 2021 13:57:24 +0800
+Subject: virtio-mmio: Use to_virtio_mmio_device() to simply code
+
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+
+[ Upstream commit da98b54d02981de5b07d8044b2a632bf6ba3ac45 ]
+
+The file virtio_mmio.c has defined the function to_virtio_mmio_device,
+so use it instead of container_of() to simply code.
+
+Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
+Link: https://lore.kernel.org/r/20210222055724.220-1-tangbin@cmss.chinamobile.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virtio/virtio_mmio.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c
+index dd8fec8738564..e39b530b218a2 100644
+--- a/drivers/virtio/virtio_mmio.c
++++ b/drivers/virtio/virtio_mmio.c
+@@ -542,8 +542,7 @@ static void virtio_mmio_release_dev(struct device *_d)
+ {
+       struct virtio_device *vdev =
+                       container_of(_d, struct virtio_device, dev);
+-      struct virtio_mmio_device *vm_dev =
+-                      container_of(vdev, struct virtio_mmio_device, vdev);
++      struct virtio_mmio_device *vm_dev = to_virtio_mmio_device(vdev);
+       struct platform_device *pdev = vm_dev->pdev;
+ 
+       devm_kfree(&pdev->dev, vm_dev);
+-- 
+2.40.1
+