--- /dev/null
+From e7067a446264a7514fa1cfaa4052cdb6803bc6a2 Mon Sep 17 00:00:00 2001
+From: David Disseldorp <ddiss@suse.de>
+Date: Thu, 13 Apr 2023 23:49:57 +0900
+Subject: ksmbd: avoid out of bounds access in decode_preauth_ctxt()
+
+From: David Disseldorp <ddiss@suse.de>
+
+commit e7067a446264a7514fa1cfaa4052cdb6803bc6a2 upstream.
+
+Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within
+the SMB request boundary; deassemble_neg_contexts() only checks that the
+eight byte smb2_neg_context header + (client controlled) DataLength are
+within the packet boundary, which is insufficient.
+
+Checking for sizeof(struct smb2_preauth_neg_context) is overkill given
+that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt.
+
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -880,17 +880,21 @@ static void assemble_neg_contexts(struct
+ }
+
+ static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
+- struct smb2_preauth_neg_context *pneg_ctxt)
++ struct smb2_preauth_neg_context *pneg_ctxt,
++ int len_of_ctxts)
+ {
+- __le32 err = STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
++ /*
++ * sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt,
++ * which may not be present. Only check for used HashAlgorithms[1].
++ */
++ if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)
++ return STATUS_INVALID_PARAMETER;
+
+- if (pneg_ctxt->HashAlgorithms == SMB2_PREAUTH_INTEGRITY_SHA512) {
+- conn->preauth_info->Preauth_HashId =
+- SMB2_PREAUTH_INTEGRITY_SHA512;
+- err = STATUS_SUCCESS;
+- }
++ if (pneg_ctxt->HashAlgorithms != SMB2_PREAUTH_INTEGRITY_SHA512)
++ return STATUS_NO_PREAUTH_INTEGRITY_HASH_OVERLAP;
+
+- return err;
++ conn->preauth_info->Preauth_HashId = SMB2_PREAUTH_INTEGRITY_SHA512;
++ return STATUS_SUCCESS;
+ }
+
+ static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
+@@ -1018,7 +1022,8 @@ static __le32 deassemble_neg_contexts(st
+ break;
+
+ status = decode_preauth_ctxt(conn,
+- (struct smb2_preauth_neg_context *)pctx);
++ (struct smb2_preauth_neg_context *)pctx,
++ len_of_ctxts);
+ if (status != STATUS_SUCCESS)
+ break;
+ } else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) {
--- /dev/null
+From a4506722dc39ca840593f14e3faa4c9ba9408211 Mon Sep 17 00:00:00 2001
+From: "Radu Pirea (OSS)" <radu-nicolae.pirea@oss.nxp.com>
+Date: Thu, 6 Apr 2023 12:59:04 +0300
+Subject: net: phy: nxp-c45-tja11xx: add remove callback
+
+From: Radu Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
+
+commit a4506722dc39ca840593f14e3faa4c9ba9408211 upstream.
+
+Unregister PTP clock when the driver is removed.
+Purge the RX and TX skb queues.
+
+Fixes: 514def5dd339 ("phy: nxp-c45-tja11xx: add timestamping support")
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Radu Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20230406095904.75456-1-radu-nicolae.pirea@oss.nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/nxp-c45-tja11xx.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -1117,6 +1117,17 @@ no_ptp_support:
+ return ret;
+ }
+
++static void nxp_c45_remove(struct phy_device *phydev)
++{
++ struct nxp_c45_phy *priv = phydev->priv;
++
++ if (priv->ptp_clock)
++ ptp_clock_unregister(priv->ptp_clock);
++
++ skb_queue_purge(&priv->tx_queue);
++ skb_queue_purge(&priv->rx_queue);
++}
++
+ static struct phy_driver nxp_c45_driver[] = {
+ {
+ PHY_ID_MATCH_MODEL(PHY_ID_TJA_1103),
+@@ -1139,6 +1150,7 @@ static struct phy_driver nxp_c45_driver[
+ .set_loopback = genphy_c45_loopback,
+ .get_sqi = nxp_c45_get_sqi,
+ .get_sqi_max = nxp_c45_get_sqi_max,
++ .remove = nxp_c45_remove,
+ },
+ };
+
--- /dev/null
+From bdaaecc127d471c422ee9e994978617c8aa79e1e Mon Sep 17 00:00:00 2001
+From: "Radu Pirea (OSS)" <radu-nicolae.pirea@oss.nxp.com>
+Date: Thu, 6 Apr 2023 12:59:53 +0300
+Subject: net: phy: nxp-c45-tja11xx: fix unsigned long multiplication overflow
+
+From: Radu Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
+
+commit bdaaecc127d471c422ee9e994978617c8aa79e1e upstream.
+
+Any multiplication between GENMASK(31, 0) and a number bigger than 1
+will be truncated because of the overflow, if the size of unsigned long
+is 32 bits.
+
+Replaced GENMASK with GENMASK_ULL to make sure that multiplication will
+be between 64 bits values.
+
+Cc: <stable@vger.kernel.org> # 5.15+
+Fixes: 514def5dd339 ("phy: nxp-c45-tja11xx: add timestamping support")
+Signed-off-by: Radu Pirea (OSS) <radu-nicolae.pirea@oss.nxp.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20230406095953.75622-1-radu-nicolae.pirea@oss.nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/nxp-c45-tja11xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -168,7 +168,7 @@
+ #define MAX_ID_PS 2260U
+ #define DEFAULT_ID_PS 2000U
+
+-#define PPM_TO_SUBNS_INC(ppb) div_u64(GENMASK(31, 0) * (ppb) * \
++#define PPM_TO_SUBNS_INC(ppb) div_u64(GENMASK_ULL(31, 0) * (ppb) * \
+ PTP_CLK_PERIOD_100BT1, NSEC_PER_SEC)
+
+ #define NXP_C45_SKB_CB(skb) ((struct nxp_c45_skb_cb *)(skb)->cb)
--- /dev/null
+From 813c2dd78618f108fdcf9cd726ea90f081ee2881 Mon Sep 17 00:00:00 2001
+From: Ivan Bornyakov <i.bornyakov@metrotek.ru>
+Date: Thu, 6 Apr 2023 16:08:32 +0300
+Subject: net: sfp: initialize sfp->i2c_block_size at sfp allocation
+
+From: Ivan Bornyakov <i.bornyakov@metrotek.ru>
+
+commit 813c2dd78618f108fdcf9cd726ea90f081ee2881 upstream.
+
+sfp->i2c_block_size is initialized at SFP module insertion in
+sfp_sm_mod_probe(). Because of that, if SFP module was never inserted
+since boot, sfp_read() call will lead to zero-length I2C read attempt,
+and not all I2C controllers are happy with zero-length reads.
+
+One way to issue sfp_read() on empty SFP cage is to execute ethtool -m.
+If SFP module was never plugged since boot, there will be a zero-length
+I2C read attempt.
+
+ # ethtool -m xge0
+ i2c i2c-3: adapter quirk: no zero length (addr 0x0050, size 0, read)
+ Cannot get Module EEPROM data: Operation not supported
+
+If SFP module was plugged then removed at least once,
+sfp->i2c_block_size will be initialized and ethtool -m will fail with
+different exit code and without I2C error
+
+ # ethtool -m xge0
+ Cannot get Module EEPROM data: Remote I/O error
+
+Fix this by initializing sfp->i2_block_size at struct sfp allocation
+stage so no wild sfp_read() could issue zero-length I2C read.
+
+Signed-off-by: Ivan Bornyakov <i.bornyakov@metrotek.ru>
+Fixes: 0d035bed2a4a ("net: sfp: VSOL V2801F / CarlitoxxPro CPGOS03-0490 v2.0 workaround")
+Cc: stable@vger.kernel.org
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/sfp.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -208,6 +208,12 @@ static const enum gpiod_flags gpio_flags
+ */
+ #define SFP_PHY_ADDR 22
+
++/* SFP_EEPROM_BLOCK_SIZE is the size of data chunk to read the EEPROM
++ * at a time. Some SFP modules and also some Linux I2C drivers do not like
++ * reads longer than 16 bytes.
++ */
++#define SFP_EEPROM_BLOCK_SIZE 16
++
+ struct sff_data {
+ unsigned int gpios;
+ bool (*module_supported)(const struct sfp_eeprom_id *id);
+@@ -1806,11 +1812,7 @@ static int sfp_sm_mod_probe(struct sfp *
+ u8 check;
+ int ret;
+
+- /* Some SFP modules and also some Linux I2C drivers do not like reads
+- * longer than 16 bytes, so read the EEPROM in chunks of 16 bytes at
+- * a time.
+- */
+- sfp->i2c_block_size = 16;
++ sfp->i2c_block_size = SFP_EEPROM_BLOCK_SIZE;
+
+ ret = sfp_read(sfp, false, 0, &id.base, sizeof(id.base));
+ if (ret < 0) {
+@@ -2462,6 +2464,7 @@ static struct sfp *sfp_alloc(struct devi
+ return ERR_PTR(-ENOMEM);
+
+ sfp->dev = dev;
++ sfp->i2c_block_size = SFP_EEPROM_BLOCK_SIZE;
+
+ mutex_init(&sfp->sm_mutex);
+ mutex_init(&sfp->st_mutex);
--- /dev/null
+From 8d736482749f6d350892ef83a7a11d43cd49981e Mon Sep 17 00:00:00 2001
+From: Mathis Salmen <mathis.salmen@matsal.de>
+Date: Thu, 6 Apr 2023 12:11:31 +0200
+Subject: riscv: add icache flush for nommu sigreturn trampoline
+
+From: Mathis Salmen <mathis.salmen@matsal.de>
+
+commit 8d736482749f6d350892ef83a7a11d43cd49981e upstream.
+
+In a NOMMU kernel, sigreturn trampolines are generated on the user
+stack by setup_rt_frame. Currently, these trampolines are not instruction
+fenced, thus their visibility to ifetch is not guaranteed.
+
+This patch adds a flush_icache_range in setup_rt_frame to fix this
+problem.
+
+Signed-off-by: Mathis Salmen <mathis.salmen@matsal.de>
+Fixes: 6bd33e1ece52 ("riscv: add nommu support")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230406101130.82304-1-mathis.salmen@matsal.de
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/signal.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/riscv/kernel/signal.c
++++ b/arch/riscv/kernel/signal.c
+@@ -16,6 +16,7 @@
+ #include <asm/vdso.h>
+ #include <asm/switch_to.h>
+ #include <asm/csr.h>
++#include <asm/cacheflush.h>
+
+ extern u32 __user_rt_sigreturn[2];
+
+@@ -178,6 +179,7 @@ static int setup_rt_frame(struct ksignal
+ {
+ struct rt_sigframe __user *frame;
+ long err = 0;
++ unsigned long __maybe_unused addr;
+
+ frame = get_sigframe(ksig, regs, sizeof(*frame));
+ if (!access_ok(frame, sizeof(*frame)))
+@@ -206,7 +208,12 @@ static int setup_rt_frame(struct ksignal
+ if (copy_to_user(&frame->sigreturn_code, __user_rt_sigreturn,
+ sizeof(frame->sigreturn_code)))
+ return -EFAULT;
+- regs->ra = (unsigned long)&frame->sigreturn_code;
++
++ addr = (unsigned long)&frame->sigreturn_code;
++ /* Make sure the two instructions are pushed to icache. */
++ flush_icache_range(addr, addr + sizeof(frame->sigreturn_code));
++
++ regs->ra = addr;
+ #endif /* CONFIG_MMU */
+
+ /*
--- /dev/null
+From f1581626071c8e37c58c5e8f0b4126b17172a211 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+Date: Wed, 29 Mar 2023 10:19:31 +0200
+Subject: riscv: Do not set initial_boot_params to the linear address of the dtb
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+commit f1581626071c8e37c58c5e8f0b4126b17172a211 upstream.
+
+early_init_dt_verify() is already called in parse_dtb() and since the dtb
+address does not change anymore (it is now in the fixmap region), no need
+to reset initial_boot_params by calling early_init_dt_verify() again.
+
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/20230329081932.79831-3-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/setup.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -286,10 +286,7 @@ void __init setup_arch(char **cmdline_p)
+ #if IS_ENABLED(CONFIG_BUILTIN_DTB)
+ unflatten_and_copy_device_tree();
+ #else
+- if (early_init_dt_verify(__va(XIP_FIXUP(dtb_early_pa))))
+- unflatten_device_tree();
+- else
+- pr_err("No DTB found in kernel mappings\n");
++ unflatten_device_tree();
+ #endif
+ early_init_fdt_scan_reserved_mem();
+ misc_mem_init();
--- /dev/null
+From 1b50f956c8fe9082bdee4a9cfd798149c52f7043 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+Date: Wed, 29 Mar 2023 10:19:32 +0200
+Subject: riscv: No need to relocate the dtb as it lies in the fixmap region
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+commit 1b50f956c8fe9082bdee4a9cfd798149c52f7043 upstream.
+
+We used to access the dtb via its linear mapping address but now that the
+dtb early mapping was moved in the fixmap region, we can keep using this
+address since it is present in swapper_pg_dir, and remove the dtb
+relocation.
+
+Note that the relocation was wrong anyway since early_memremap() is
+restricted to 256K whereas the maximum fdt size is 2MB.
+
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Tested-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20230329081932.79831-4-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/mm/init.c | 21 ++-------------------
+ 1 file changed, 2 insertions(+), 19 deletions(-)
+
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -222,25 +222,8 @@ static void __init setup_bootmem(void)
+ * early_init_fdt_reserve_self() since __pa() does
+ * not work for DTB pointers that are fixmap addresses
+ */
+- if (!IS_ENABLED(CONFIG_BUILTIN_DTB)) {
+- /*
+- * In case the DTB is not located in a memory region we won't
+- * be able to locate it later on via the linear mapping and
+- * get a segfault when accessing it via __va(dtb_early_pa).
+- * To avoid this situation copy DTB to a memory region.
+- * Note that memblock_phys_alloc will also reserve DTB region.
+- */
+- if (!memblock_is_memory(dtb_early_pa)) {
+- size_t fdt_size = fdt_totalsize(dtb_early_va);
+- phys_addr_t new_dtb_early_pa = memblock_phys_alloc(fdt_size, PAGE_SIZE);
+- void *new_dtb_early_va = early_memremap(new_dtb_early_pa, fdt_size);
+-
+- memcpy(new_dtb_early_va, dtb_early_va, fdt_size);
+- early_memunmap(new_dtb_early_va, fdt_size);
+- _dtb_early_pa = new_dtb_early_pa;
+- } else
+- memblock_reserve(dtb_early_pa, fdt_totalsize(dtb_early_va));
+- }
++ if (!IS_ENABLED(CONFIG_BUILTIN_DTB))
++ memblock_reserve(dtb_early_pa, fdt_totalsize(dtb_early_va));
+
+ dma_contiguous_reserve(dma32_phys_limit);
+ if (IS_ENABLED(CONFIG_64BIT))
tracing-have-tracing_snapshot_instance_cond-write-er.patch
i915-perf-replace-drm_debug-with-driver-specific-drm.patch
drm-i915-fix-race-condition-uaf-in-i915_perf_add_con.patch
+ksmbd-avoid-out-of-bounds-access-in-decode_preauth_ctxt.patch
+riscv-do-not-set-initial_boot_params-to-the-linear-address-of-the-dtb.patch
+riscv-no-need-to-relocate-the-dtb-as-it-lies-in-the-fixmap-region.patch
+riscv-add-icache-flush-for-nommu-sigreturn-trampoline.patch
+net-sfp-initialize-sfp-i2c_block_size-at-sfp-allocation.patch
+net-phy-nxp-c45-tja11xx-add-remove-callback.patch
+net-phy-nxp-c45-tja11xx-fix-unsigned-long-multiplication-overflow.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
