+++ /dev/null
-From 1f8b72e5e5d33ab397ca101e1150fceb45f97857 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 22 Apr 2024 13:52:27 -0600
-Subject: drm/amd/display: Skip finding free audio for unknown engine_id
-
-From: Alex Hung <alex.hung@amd.com>
-
-[ Upstream commit 1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3 ]
-
-[WHY]
-ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it
-also means it is uninitialized and does not need free audio.
-
-[HOW]
-Skip and return NULL.
-
-This fixes 2 OVERRUN issues reported by Coverity.
-
-Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
-Acked-by: Wayne Lin <wayne.lin@amd.com>
-Signed-off-by: Alex Hung <alex.hung@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
-index 6896d69b8c240..8b4337794d1ef 100644
---- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
-+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
-@@ -1703,6 +1703,9 @@ static struct audio *find_first_free_audio(
- {
- int i, available_audio_count;
-
-+ if (id == ENGINE_ID_UNKNOWN)
-+ return NULL;
-+
- available_audio_count = pool->audio_count;
-
- for (i = 0; i < available_audio_count; i++) {
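Review bot: The new guard in find_first_free_audio() rejects only the `ENGINE_ID_UNKNOWN` sentinel, so any other out-of-range `id` still relies on whatever bounds check follows. The later use of `id` as an index is outside this hunk, and it should be confirmed that `id` is compared with `pool->audio_count` before indexing. A one-line comment above the check, such as `/* ENGINE_ID_UNKNOWN is -1: never a valid index, and nothing to look up */`, would record why NULL is returned before the search loop.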
---
-2.43.0
-
+++ /dev/null
-From c89e427fe29f6bd58a2a25645b3f34ac8703286e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 30 Apr 2024 18:29:32 +0200
-Subject: firmware: dmi: Stop decoding on broken entry
-
-From: Jean Delvare <jdelvare@suse.de>
-
-[ Upstream commit 0ef11f604503b1862a21597436283f158114d77e ]
-
-If a DMI table entry is shorter than 4 bytes, it is invalid. Due to
-how DMI table parsing works, it is impossible to safely recover from
-such an error, so we have to stop decoding the table.
-
-Signed-off-by: Jean Delvare <jdelvare@suse.de>
-Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-debian-v2/T/
-Reviewed-by: Michael Kelley <mhklinux@outlook.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/firmware/dmi_scan.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
-index 0dc0c78f1fdb2..311c396bdda7d 100644
---- a/drivers/firmware/dmi_scan.c
-+++ b/drivers/firmware/dmi_scan.c
-@@ -95,6 +95,17 @@ static void dmi_decode_table(u8 *buf,
- (data - buf + sizeof(struct dmi_header)) <= dmi_len) {
- const struct dmi_header *dm = (const struct dmi_header *)data;
-
-+ /*
-+ * If a short entry is found (less than 4 bytes), not only it
-+ * is invalid, but we cannot reliably locate the next entry.
-+ */
-+ if (dm->length < sizeof(struct dmi_header)) {
-+ pr_warn(FW_BUG
-+ "Corrupted DMI table, offset %zd (only %d entries processed)\n",
-+ data - buf, i);
-+ break;
-+ }
-+
- /*
- * We want to know the total length (formatted area and
- * strings) before decoding to make sure we won't run off the
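Review bot: The `pr_warn()` in the added short-entry check prints `data - buf` with `%zd`, but a pointer difference is a `ptrdiff_t`, whose matching specifier is `%td`: `"Corrupted DMI table, offset %td (only %d entries processed)\n"`. The two types normally have the same width on kernel targets, so this is a format-correctness point rather than a runtime fault. The enclosing loop in dmi_decode_table() starts and ends outside the hunk.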
---
-2.43.0
-
+++ /dev/null
-From 6be3eedf90ef4371afb3b090a6b0cfedd46ad0a3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 12 Apr 2024 12:21:58 +0200
-Subject: i2c: i801: Annotate apanel_addr as __ro_after_init
-
-From: Heiner Kallweit <hkallweit1@gmail.com>
-
-[ Upstream commit 355b1513b1e97b6cef84b786c6480325dfd3753d ]
-
-Annotate this variable as __ro_after_init to protect it from being
-overwritten later.
-
-Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
-Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/busses/i2c-i801.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
-index c18b899e510ec..c1e2539b79502 100644
---- a/drivers/i2c/busses/i2c-i801.c
-+++ b/drivers/i2c/busses/i2c-i801.c
-@@ -1039,7 +1039,7 @@ static const struct pci_device_id i801_ids[] = {
- MODULE_DEVICE_TABLE(pci, i801_ids);
-
- #if defined CONFIG_X86 && defined CONFIG_DMI
--static unsigned char apanel_addr;
-+static unsigned char apanel_addr __ro_after_init;
-
- /* Scan the system ROM for the signature "FJKEYINF" */
- static __init const void __iomem *bios_signature(const void __iomem *bios)
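Review bot: `__ro_after_init` on `apanel_addr` is only safe if every store to it happens before init completes, and the hunk does not show the writer; only `bios_signature()` is visibly `__init`. It is worth confirming that the function assigning `apanel_addr` is also `__init`, since a later write would fault on the read-only mapping. A short comment on the declaration, e.g. `/* written only from __init code; read-only afterwards */`, would document the invariant.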
---
-2.43.0
-
+++ /dev/null
-From 0f11b7c189be1e71ae089bef17aa9bddc4c6f595 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 16 Apr 2024 15:01:44 +0300
-Subject: IB/core: Implement a limit on UMAD receive List
-
-From: Michael Guralnik <michaelgur@nvidia.com>
-
-[ Upstream commit ca0b44e20a6f3032224599f02e7c8fb49525c894 ]
-
-The existing behavior of ib_umad, which maintains received MAD
-packets in an unbounded list, poses a risk of uncontrolled growth.
-As user-space applications extract packets from this list, the rate
-of extraction may not match the rate of incoming packets, leading
-to potential list overflow.
-
-To address this, we introduce a limit to the size of the list. After
-considering typical scenarios, such as OpenSM processing, which can
-handle approximately 100k packets per second, and the 1-second retry
-timeout for most packets, we set the list size limit to 200k. Packets
-received beyond this limit are dropped, assuming they are likely timed
-out by the time they are handled by user-space.
-
-Notably, packets queued on the receive list due to reasons like
-timed-out sends are preserved even when the list is full.
-
-Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
-Reviewed-by: Mark Zhang <markzhang@nvidia.com>
-Link: https://lore.kernel.org/r/7197cb58a7d9e78399008f25036205ceab07fbd5.1713268818.git.leon@kernel.org
-Signed-off-by: Leon Romanovsky <leon@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/infiniband/core/user_mad.c | 21 +++++++++++++++------
- 1 file changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
-index 471a824be86c4..bac1a589c822f 100644
---- a/drivers/infiniband/core/user_mad.c
-+++ b/drivers/infiniband/core/user_mad.c
-@@ -62,6 +62,8 @@ MODULE_AUTHOR("Roland Dreier");
- MODULE_DESCRIPTION("InfiniBand userspace MAD packet access");
- MODULE_LICENSE("Dual BSD/GPL");
-
-+#define MAX_UMAD_RECV_LIST_SIZE 200000
-+
- enum {
- IB_UMAD_MAX_PORTS = RDMA_MAX_PORTS,
- IB_UMAD_MAX_AGENTS = 32,
-@@ -113,6 +115,7 @@ struct ib_umad_file {
- struct mutex mutex;
- struct ib_umad_port *port;
- struct list_head recv_list;
-+ atomic_t recv_list_size;
- struct list_head send_list;
- struct list_head port_list;
- spinlock_t send_lock;
-@@ -168,24 +171,28 @@ static struct ib_mad_agent *__get_agent(struct ib_umad_file *file, int id)
- return file->agents_dead ? NULL : file->agent[id];
- }
-
--static int queue_packet(struct ib_umad_file *file,
-- struct ib_mad_agent *agent,
-- struct ib_umad_packet *packet)
-+static int queue_packet(struct ib_umad_file *file, struct ib_mad_agent *agent,
-+ struct ib_umad_packet *packet, bool is_recv_mad)
- {
- int ret = 1;
-
- mutex_lock(&file->mutex);
-
-+ if (is_recv_mad &&
-+ atomic_read(&file->recv_list_size) > MAX_UMAD_RECV_LIST_SIZE)
-+ goto unlock;
-+
- for (packet->mad.hdr.id = 0;
- packet->mad.hdr.id < IB_UMAD_MAX_AGENTS;
- packet->mad.hdr.id++)
- if (agent == __get_agent(file, packet->mad.hdr.id)) {
- list_add_tail(&packet->list, &file->recv_list);
-+ atomic_inc(&file->recv_list_size);
- wake_up_interruptible(&file->recv_wait);
- ret = 0;
- break;
- }
--
-+unlock:
- mutex_unlock(&file->mutex);
-
- return ret;
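Review bot: The limit check in queue_packet() uses `>`, so the receive list can hold MAX_UMAD_RECV_LIST_SIZE + 1 entries before packets are dropped; `atomic_read(&file->recv_list_size) >= MAX_UMAD_RECV_LIST_SIZE` would make the constant the actual cap. Every access to `recv_list_size` visible in this patch (here and in both ib_umad_read() hunks) happens with `file->mutex` held, so a plain `int` would give the same guarantee as the `atomic_t` unless a lockless reader exists outside the hunks. Drops are also silent: the function returns 1 exactly as it does when no agent matches, so a drop counter or a rate-limited message would let an operator tell a flooded file from a stale agent.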
-@@ -212,7 +219,7 @@ static void send_handler(struct ib_mad_agent *agent,
- if (send_wc->status == IB_WC_RESP_TIMEOUT_ERR) {
- packet->length = IB_MGMT_MAD_HDR;
- packet->mad.hdr.status = ETIMEDOUT;
-- if (!queue_packet(file, agent, packet))
-+ if (!queue_packet(file, agent, packet, false))
- return;
- }
- kfree(packet);
-@@ -272,7 +279,7 @@ static void recv_handler(struct ib_mad_agent *agent,
- rdma_destroy_ah_attr(&ah_attr);
- }
-
-- if (queue_packet(file, agent, packet))
-+ if (queue_packet(file, agent, packet, true))
- goto err2;
- return;
-
-@@ -391,6 +398,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf,
-
- packet = list_entry(file->recv_list.next, struct ib_umad_packet, list);
- list_del(&packet->list);
-+ atomic_dec(&file->recv_list_size);
-
- mutex_unlock(&file->mutex);
-
-@@ -403,6 +411,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf,
- /* Requeue packet */
- mutex_lock(&file->mutex);
- list_add(&packet->list, &file->recv_list);
-+ atomic_inc(&file->recv_list_size);
- mutex_unlock(&file->mutex);
- } else {
- if (packet->recv_wc)
---
-2.43.0
-
+++ /dev/null
-From fa8197276f1fa560aae88bb343d1e93205cba24d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 27 Apr 2024 17:05:56 +0200
-Subject: Input: ff-core - prefer struct_size over open coded arithmetic
-
-From: Erick Archer <erick.archer@outlook.com>
-
-[ Upstream commit a08b8f8557ad88ffdff8905e5da972afe52e3307 ]
-
-This is an effort to get rid of all multiplications from allocation
-functions in order to prevent integer overflows [1][2].
-
-As the "ff" variable is a pointer to "struct ff_device" and this
-structure ends in a flexible array:
-
-struct ff_device {
- [...]
- struct file *effect_owners[] __counted_by(max_effects);
-};
-
-the preferred way in the kernel is to use the struct_size() helper to
-do the arithmetic instead of the calculation "size + count * size" in
-the kzalloc() function.
-
-The struct_size() helper returns SIZE_MAX on overflow. So, refactor
-the comparison to take advantage of this.
-
-This way, the code is more readable and safer.
-
-This code was detected with the help of Coccinelle, and audited and
-modified manually.
-
-Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
-Link: https://github.com/KSPP/linux/issues/160 [2]
-Signed-off-by: Erick Archer <erick.archer@outlook.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Link: https://lore.kernel.org/r/AS8PR02MB72371E646714BAE2E51A6A378B152@AS8PR02MB7237.eurprd02.prod.outlook.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/input/ff-core.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/input/ff-core.c b/drivers/input/ff-core.c
-index 66a46c84e28f5..7d83de2c536dd 100644
---- a/drivers/input/ff-core.c
-+++ b/drivers/input/ff-core.c
-@@ -24,8 +24,10 @@
- /* #define DEBUG */
-
- #include <linux/input.h>
-+#include <linux/limits.h>
- #include <linux/module.h>
- #include <linux/mutex.h>
-+#include <linux/overflow.h>
- #include <linux/sched.h>
- #include <linux/slab.h>
-
-@@ -330,9 +332,8 @@ int input_ff_create(struct input_dev *dev, unsigned int max_effects)
- return -EINVAL;
- }
-
-- ff_dev_size = sizeof(struct ff_device) +
-- max_effects * sizeof(struct file *);
-- if (ff_dev_size < max_effects) /* overflow */
-+ ff_dev_size = struct_size(ff, effect_owners, max_effects);
-+ if (ff_dev_size == SIZE_MAX) /* overflow */
- return -EINVAL;
-
- ff = kzalloc(ff_dev_size, GFP_KERNEL);
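Review bot: `struct_size(ff, effect_owners, max_effects)` names `ff` before the `kzalloc()` below assigns it, which reads like a use of an uninitialised pointer even though the helper only takes the pointer's type. A comment such as `/* ff supplies the type only; it is not dereferenced here */` would save the next reader from checking. The explicit `SIZE_MAX` comparison keeps the -EINVAL return for an oversized `max_effects` instead of an allocation failure; input_ff_create() starts before and continues past the hunk.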
---
-2.43.0
-
+++ /dev/null
-From 755959e2b1af22abbf5a264c0407266b6eac9750 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 18 Apr 2024 14:10:53 +0800
-Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
-
-From: Guanrui Huang <guanrui.huang@linux.alibaba.com>
-
-[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ]
-
-This BUG_ON() is useless, because the same effect will be obtained
-by letting the code run its course and vm being dereferenced,
-triggering an exception.
-
-So just remove this check.
-
-Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
-Acked-by: Marc Zyngier <maz@kernel.org>
-Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/irqchip/irq-gic-v3-its.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
-index 6b58194c1e346..2e0478e8be747 100644
---- a/drivers/irqchip/irq-gic-v3-its.c
-+++ b/drivers/irqchip/irq-gic-v3-its.c
-@@ -2958,8 +2958,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
- struct page *vprop_page;
- int base, nr_ids, i, err = 0;
-
-- BUG_ON(!vm);
--
- bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids);
- if (!bitmap)
- return -ENOMEM;
---
-2.43.0
-
+++ /dev/null
-From 5168ebbefdf87aace681356a973220f22b17ca0f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 May 2024 15:00:46 +0800
-Subject: jffs2: Fix potential illegal address access in jffs2_free_inode
-
-From: Wang Yong <wang.yong12@zte.com.cn>
-
-[ Upstream commit af9a8730ddb6a4b2edd779ccc0aceb994d616830 ]
-
-During the stress testing of the jffs2 file system,the following
-abnormal printouts were found:
-[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948
-[ 2430.649622] Mem abort info:
-[ 2430.649829] ESR = 0x96000004
-[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits
-[ 2430.650564] SET = 0, FnV = 0
-[ 2430.650795] EA = 0, S1PTW = 0
-[ 2430.651032] FSC = 0x04: level 0 translation fault
-[ 2430.651446] Data abort info:
-[ 2430.651683] ISV = 0, ISS = 0x00000004
-[ 2430.652001] CM = 0, WnR = 0
-[ 2430.652558] [0069696969696948] address between user and kernel address ranges
-[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP
-[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33
-[ 2430.655008] Hardware name: linux,dummy-virt (DT)
-[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
-[ 2430.656142] pc : kfree+0x78/0x348
-[ 2430.656630] lr : jffs2_free_inode+0x24/0x48
-[ 2430.657051] sp : ffff800009eebd10
-[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000
-[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000
-[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14
-[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000
-[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000
-[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19
-[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14
-[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302
-[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342
-[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000
-[ 2430.664217] Call trace:
-[ 2430.664528] kfree+0x78/0x348
-[ 2430.664855] jffs2_free_inode+0x24/0x48
-[ 2430.665233] i_callback+0x24/0x50
-[ 2430.665528] rcu_do_batch+0x1ac/0x448
-[ 2430.665892] rcu_core+0x28c/0x3c8
-[ 2430.666151] rcu_core_si+0x18/0x28
-[ 2430.666473] __do_softirq+0x138/0x3cc
-[ 2430.666781] irq_exit+0xf0/0x110
-[ 2430.667065] handle_domain_irq+0x6c/0x98
-[ 2430.667447] gic_handle_irq+0xac/0xe8
-[ 2430.667739] call_on_irq_stack+0x28/0x54
-The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of
-the jffs_inode_info structure. It was found that all variables in the jffs_inode_info
-structure were 5a5a5a5a, except for the first member sem. It is suspected that these
-variables are not initialized because they were set to 5a5a5a5a during memory testing,
-which is meant to detect uninitialized memory.The sem variable is initialized in the
-function jffs2_i_init_once, while other members are initialized in
-the function jffs2_init_inode_info.
-
-The function jffs2_init_inode_info is called after iget_locked,
-but in the iget_locked function, the destroy_inode process is triggered,
-which releases the inode and consequently, the target member of the inode
-is not initialized.In concurrent high pressure scenarios, iget_locked
-may enter the destroy_inode branch as described in the code.
-
-Since the destroy_inode functionality of jffs2 only releases the target,
-the fix method is to set target to NULL in jffs2_i_init_once.
-
-Signed-off-by: Wang Yong <wang.yong12@zte.com.cn>
-Reviewed-by: Lu Zhongjun <lu.zhongjun@zte.com.cn>
-Reviewed-by: Yang Tao <yang.tao172@zte.com.cn>
-Cc: Xu Xin <xu.xin16@zte.com.cn>
-Cc: Yang Yang <yang.yang29@zte.com.cn>
-Signed-off-by: Richard Weinberger <richard@nod.at>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/jffs2/super.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
-index 05d892c79339f..12cd7682e4c9b 100644
---- a/fs/jffs2/super.c
-+++ b/fs/jffs2/super.c
-@@ -63,6 +63,7 @@ static void jffs2_i_init_once(void *foo)
- struct jffs2_inode_info *f = foo;
-
- mutex_init(&f->sem);
-+ f->target = NULL;
- inode_init_once(&f->vfs_inode);
- }
-
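Review bot: Setting `f->target = NULL` in jffs2_i_init_once() covers a freshly constructed slab object, but a slab constructor normally runs when the object is created, not on every allocation from the cache. A recycled object would therefore still carry whatever `target` held when it was last freed. The commit message says the destroy path releases `target`; if that path (jffs2_free_inode(), outside this hunk) does not reset the pointer after `kfree()`, the same early-destroy race on a recycled inode would free a stale pointer a second time. Consider also clearing it where it is freed, `kfree(f->target); f->target = NULL;`, or in the allocation path.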
---
-2.43.0
-
+++ /dev/null
-From e11c63f8049976e2c51da812f6a283c037fdb31e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 10 Apr 2024 12:24:37 +0000
-Subject: media: dvb: as102-fe: Fix as10x_register_addr packing
-
-From: Ricardo Ribalda <ribalda@chromium.org>
-
-[ Upstream commit 309422d280748c74f57f471559980268ac27732a ]
-
-This structure is embedded in multiple other structures that are packed,
-which conflicts with it being aligned.
-
-drivers/media/usb/as102/as10x_cmd.h:379:30: warning: field reg_addr within 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' is less aligned than 'struct as10x_register_addr' and is usually due to 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' being packed, which can lead to unaligned accesses [-Wunaligned-access]
-
-Mark it as being packed.
-
-Marking the inner struct as 'packed' does not change the layout, since the
-whole struct is already packed, it just silences the clang warning. See
-also this llvm discussion:
-
-https://github.com/llvm/llvm-project/issues/55520
-
-Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
-Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/dvb-frontends/as102_fe_types.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/dvb-frontends/as102_fe_types.h b/drivers/media/dvb-frontends/as102_fe_types.h
-index 80a5398b580fe..661d7574a6c73 100644
---- a/drivers/media/dvb-frontends/as102_fe_types.h
-+++ b/drivers/media/dvb-frontends/as102_fe_types.h
-@@ -183,6 +183,6 @@ struct as10x_register_addr {
- uint32_t addr;
- /* register mode access */
- uint8_t mode;
--};
-+} __packed;
-
- #endif
---
-2.43.0
-
+++ /dev/null
-From 6c1994b43194e3de5caa7923baa09d949dfdd3f9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 29 Apr 2024 16:05:04 +0100
-Subject: media: dvb-frontends: tda10048: Fix integer overflow
-
-From: Ricardo Ribalda <ribalda@chromium.org>
-
-[ Upstream commit 1aa1329a67cc214c3b7bd2a14d1301a795760b07 ]
-
-state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer
-when multiplied by pll_mfactor.
-
-Create a new 64 bit variable to hold the calculations.
-
-Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-25-3c4865f5a4b0@chromium.org
-Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
-Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/dvb-frontends/tda10048.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/media/dvb-frontends/tda10048.c b/drivers/media/dvb-frontends/tda10048.c
-index 6ca1b25542c5c..888ae41b76857 100644
---- a/drivers/media/dvb-frontends/tda10048.c
-+++ b/drivers/media/dvb-frontends/tda10048.c
-@@ -422,6 +422,7 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw)
- struct tda10048_config *config = &state->config;
- int i;
- u32 if_freq_khz;
-+ u64 sample_freq;
-
- dprintk(1, "%s(bw = %d)\n", __func__, bw);
-
-@@ -463,9 +464,11 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw)
- dprintk(1, "- pll_pfactor = %d\n", state->pll_pfactor);
-
- /* Calculate the sample frequency */
-- state->sample_freq = state->xtal_hz * (state->pll_mfactor + 45);
-- state->sample_freq /= (state->pll_nfactor + 1);
-- state->sample_freq /= (state->pll_pfactor + 4);
-+ sample_freq = state->xtal_hz;
-+ sample_freq *= state->pll_mfactor + 45;
-+ do_div(sample_freq, state->pll_nfactor + 1);
-+ do_div(sample_freq, state->pll_pfactor + 4);
-+ state->sample_freq = sample_freq;
- dprintk(1, "- sample_freq = %d\n", state->sample_freq);
-
- /* Update the I/F */
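Review bot: The final `state->sample_freq = sample_freq;` narrows the 64-bit intermediate back into the state field without a range check; the field's type is not visible in the hunk, but the following `dprintk` prints it with `%d`. The two divisions should normally bring the value back into 32-bit range, so this is probably fine. A comment stating the expected maximum, or `WARN_ON_ONCE(sample_freq > U32_MAX);` before the assignment, would make the assumption explicit. tda10048_set_if() continues outside the hunk.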
---
-2.43.0
-
+++ /dev/null
-From 07c77df9be1099fc7cd26323ed42338582944002 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 29 Apr 2024 16:04:47 +0100
-Subject: media: dvb-frontends: tda18271c2dd: Remove casting during div
-
-From: Ricardo Ribalda <ribalda@chromium.org>
-
-[ Upstream commit e9a844632630e18ed0671a7e3467431bd719952e ]
-
-do_div() divides 64 bits by 32. We were adding a casting to the divider
-to 64 bits, for a number that fits perfectly in 32 bits. Remove it.
-
-Found by cocci:
-drivers/media/dvb-frontends/tda18271c2dd.c:355:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead.
-drivers/media/dvb-frontends/tda18271c2dd.c:331:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead.
-
-Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-8-3c4865f5a4b0@chromium.org
-Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/dvb-frontends/tda18271c2dd.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/dvb-frontends/tda18271c2dd.c b/drivers/media/dvb-frontends/tda18271c2dd.c
-index 5ce58612315da..c399338908d0a 100644
---- a/drivers/media/dvb-frontends/tda18271c2dd.c
-+++ b/drivers/media/dvb-frontends/tda18271c2dd.c
-@@ -345,7 +345,7 @@ static int CalcMainPLL(struct tda_state *state, u32 freq)
-
- OscFreq = (u64) freq * (u64) Div;
- OscFreq *= (u64) 16384;
-- do_div(OscFreq, (u64)16000000);
-+ do_div(OscFreq, 16000000);
- MainDiv = OscFreq;
-
- state->m_Regs[MPD] = PostDiv & 0x77;
-@@ -369,7 +369,7 @@ static int CalcCalPLL(struct tda_state *state, u32 freq)
- OscFreq = (u64)freq * (u64)Div;
- /* CalDiv = u32( OscFreq * 16384 / 16000000 ); */
- OscFreq *= (u64)16384;
-- do_div(OscFreq, (u64)16000000);
-+ do_div(OscFreq, 16000000);
- CalDiv = OscFreq;
-
- state->m_Regs[CPD] = PostDiv;
---
-2.43.0
-
+++ /dev/null
-From f37166a174a23118900638d423749e2649fe0472 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 11 Apr 2024 21:17:56 +0000
-Subject: media: dvb-usb: dib0700_devices: Add missing release_firmware()
-
-From: Ricardo Ribalda <ribalda@chromium.org>
-
-[ Upstream commit 4b267c23ee064bd24c6933df0588ad1b6e111145 ]
-
-Add missing release_firmware on the error paths.
-
-drivers/media/usb/dvb-usb/dib0700_devices.c:2415 stk9090m_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2415.
-drivers/media/usb/dvb-usb/dib0700_devices.c:2497 nim9090md_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2489,2497.
-
-Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
-Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/usb/dvb-usb/dib0700_devices.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c
-index c8d79502827b7..e2ac9eec34d7c 100644
---- a/drivers/media/usb/dvb-usb/dib0700_devices.c
-+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
-@@ -2427,7 +2427,12 @@ static int stk9090m_frontend_attach(struct dvb_usb_adapter *adap)
-
- adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &stk9090m_config);
-
-- return adap->fe_adap[0].fe == NULL ? -ENODEV : 0;
-+ if (!adap->fe_adap[0].fe) {
-+ release_firmware(state->frontend_firmware);
-+ return -ENODEV;
-+ }
-+
-+ return 0;
- }
-
- static int dib9090_tuner_attach(struct dvb_usb_adapter *adap)
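Review bot: After `release_firmware(state->frontend_firmware)` on the failure path, `state` still holds the freed address; this hunk and the two nim9090md_frontend_attach() hunks below all leave it that way. If any later path (detach, re-attach or disconnect, none visible here) releases or reads `state->frontend_firmware` again, that becomes a double free or use-after-free. Clearing the pointer right after each release closes that off: `state->frontend_firmware = NULL;`.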
-@@ -2500,8 +2505,10 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap)
- dib9000_i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, 0x80);
- adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &nim9090md_config[0]);
-
-- if (adap->fe_adap[0].fe == NULL)
-+ if (!adap->fe_adap[0].fe) {
-+ release_firmware(state->frontend_firmware);
- return -ENODEV;
-+ }
-
- i2c = dib9000_get_i2c_master(adap->fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_3_4, 0);
- dib9000_i2c_enumeration(i2c, 1, 0x12, 0x82);
-@@ -2509,7 +2516,12 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap)
- fe_slave = dvb_attach(dib9000_attach, i2c, 0x82, &nim9090md_config[1]);
- dib9000_set_slave_frontend(adap->fe_adap[0].fe, fe_slave);
-
-- return fe_slave == NULL ? -ENODEV : 0;
-+ if (!fe_slave) {
-+ release_firmware(state->frontend_firmware);
-+ return -ENODEV;
-+ }
-+
-+ return 0;
- }
-
- static int nim9090md_tuner_attach(struct dvb_usb_adapter *adap)
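Review bot: In this hunk the `fe_slave` NULL check comes after `dib9000_set_slave_frontend(adap->fe_adap[0].fe, fe_slave)` has already been called with the possibly-NULL pointer. On that failure path the master frontend in `adap->fe_adap[0].fe` also stays attached while the firmware is released and -ENODEV is returned. Whether the attached frontend keeps a reference to the firmware data is not visible here and needs checking against dib9000_attach(); if it does, this path leaves a frontend pointing at freed memory. Moving the check above the `dib9000_set_slave_frontend()` call and detaching the master frontend before returning would make the error path complete.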
---
-2.43.0
-
+++ /dev/null
-From 26d6e9800b0d240dbd0f049cdc836ef3b638f1bb Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 16 Jan 2022 11:22:36 +0000
-Subject: media: dw2102: Don't translate i2c read into write
-
-From: Michael Bunk <micha@freedict.org>
-
-[ Upstream commit 0e148a522b8453115038193e19ec7bea71403e4a ]
-
-The code ignored the I2C_M_RD flag on I2C messages. Instead it assumed
-an i2c transaction with a single message must be a write operation and a
-transaction with two messages would be a read operation.
-
-Though this works for the driver code, it leads to problems once the i2c
-device is exposed to code not knowing this convention. For example,
-I did "insmod i2c-dev" and issued read requests from userspace, which
-were translated into write requests and destroyed the EEPROM of my
-device.
-
-So, just check and respect the I2C_M_READ flag, which indicates a read
-when set on a message. If it is absent, it is a write message.
-
-Incidentally, changing from the case statement to a while loop allows
-the code to lift the limitation to two i2c messages per transaction.
-
-There are 4 more *_i2c_transfer functions affected by the same behaviour
-and limitation that should be fixed in the same way.
-
-Link: https://lore.kernel.org/linux-media/20220116112238.74171-2-micha@freedict.org
-Signed-off-by: Michael Bunk <micha@freedict.org>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/usb/dvb-usb/dw2102.c | 120 ++++++++++++++++++-----------
- 1 file changed, 73 insertions(+), 47 deletions(-)
-
-diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
-index a3c5261f9aa41..aba5396742a85 100644
---- a/drivers/media/usb/dvb-usb/dw2102.c
-+++ b/drivers/media/usb/dvb-usb/dw2102.c
-@@ -719,6 +719,7 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
- {
- struct dvb_usb_device *d = i2c_get_adapdata(adap);
- struct dw2102_state *state;
-+ int j;
-
- if (!d)
- return -ENODEV;
-@@ -732,11 +733,11 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
- return -EAGAIN;
- }
-
-- switch (num) {
-- case 1:
-- switch (msg[0].addr) {
-+ j = 0;
-+ while (j < num) {
-+ switch (msg[j].addr) {
- case SU3000_STREAM_CTRL:
-- state->data[0] = msg[0].buf[0] + 0x36;
-+ state->data[0] = msg[j].buf[0] + 0x36;
- state->data[1] = 3;
- state->data[2] = 0;
- if (dvb_usb_generic_rw(d, state->data, 3,
-@@ -748,61 +749,86 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
- if (dvb_usb_generic_rw(d, state->data, 1,
- state->data, 2, 0) < 0)
- err("i2c transfer failed.");
-- msg[0].buf[1] = state->data[0];
-- msg[0].buf[0] = state->data[1];
-+ msg[j].buf[1] = state->data[0];
-+ msg[j].buf[0] = state->data[1];
- break;
- default:
-- if (3 + msg[0].len > sizeof(state->data)) {
-- warn("i2c wr: len=%d is too big!\n",
-- msg[0].len);
-+ /* if the current write msg is followed by a another
-+ * read msg to/from the same address
-+ */
-+ if ((j+1 < num) && (msg[j+1].flags & I2C_M_RD) &&
-+ (msg[j].addr == msg[j+1].addr)) {
-+ /* join both i2c msgs to one usb read command */
-+ if (4 + msg[j].len > sizeof(state->data)) {
-+ warn("i2c combined wr/rd: write len=%d is too big!\n",
-+ msg[j].len);
-+ num = -EOPNOTSUPP;
-+ break;
-+ }
-+ if (1 + msg[j+1].len > sizeof(state->data)) {
-+ warn("i2c combined wr/rd: read len=%d is too big!\n",
-+ msg[j+1].len);
-+ num = -EOPNOTSUPP;
-+ break;
-+ }
-+
-+ state->data[0] = 0x09;
-+ state->data[1] = msg[j].len;
-+ state->data[2] = msg[j+1].len;
-+ state->data[3] = msg[j].addr;
-+ memcpy(&state->data[4], msg[j].buf, msg[j].len);
-+
-+ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 4,
-+ state->data, msg[j+1].len + 1, 0) < 0)
-+ err("i2c transfer failed.");
-+
-+ memcpy(msg[j+1].buf, &state->data[1], msg[j+1].len);
-+ j++;
-+ break;
-+ }
-+
-+ if (msg[j].flags & I2C_M_RD) {
-+ /* single read */
-+ if (1 + msg[j].len > sizeof(state->data)) {
-+ warn("i2c rd: len=%d is too big!\n", msg[j].len);
-+ num = -EOPNOTSUPP;
-+ break;
-+ }
-+
-+ state->data[0] = 0x09;
-+ state->data[1] = 0;
-+ state->data[2] = msg[j].len;
-+ state->data[3] = msg[j].addr;
-+ memcpy(&state->data[4], msg[j].buf, msg[j].len);
-+
-+ if (dvb_usb_generic_rw(d, state->data, 4,
-+ state->data, msg[j].len + 1, 0) < 0)
-+ err("i2c transfer failed.");
-+
-+ memcpy(msg[j].buf, &state->data[1], msg[j].len);
-+ break;
-+ }
-+
-+ /* single write */
-+ if (3 + msg[j].len > sizeof(state->data)) {
-+ warn("i2c wr: len=%d is too big!\n", msg[j].len);
- num = -EOPNOTSUPP;
- break;
- }
-
-- /* always i2c write*/
- state->data[0] = 0x08;
-- state->data[1] = msg[0].addr;
-- state->data[2] = msg[0].len;
-+ state->data[1] = msg[j].addr;
-+ state->data[2] = msg[j].len;
-
-- memcpy(&state->data[3], msg[0].buf, msg[0].len);
-+ memcpy(&state->data[3], msg[j].buf, msg[j].len);
-
-- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 3,
-+ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 3,
- state->data, 1, 0) < 0)
- err("i2c transfer failed.");
-+ } // switch
-+ j++;
-
-- }
-- break;
-- case 2:
-- /* always i2c read */
-- if (4 + msg[0].len > sizeof(state->data)) {
-- warn("i2c rd: len=%d is too big!\n",
-- msg[0].len);
-- num = -EOPNOTSUPP;
-- break;
-- }
-- if (1 + msg[1].len > sizeof(state->data)) {
-- warn("i2c rd: len=%d is too big!\n",
-- msg[1].len);
-- num = -EOPNOTSUPP;
-- break;
-- }
--
-- state->data[0] = 0x09;
-- state->data[1] = msg[0].len;
-- state->data[2] = msg[1].len;
-- state->data[3] = msg[0].addr;
-- memcpy(&state->data[4], msg[0].buf, msg[0].len);
--
-- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 4,
-- state->data, msg[1].len + 1, 0) < 0)
-- err("i2c transfer failed.");
--
-- memcpy(msg[1].buf, &state->data[1], msg[1].len);
-- break;
-- default:
-- warn("more than 2 i2c messages at a time is not handled yet.");
-- break;
-- }
-+ } // while
- mutex_unlock(&d->data_mutex);
- mutex_unlock(&d->i2c_mutex);
- return num;
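Review bot: The new single-read branch checks `1 + msg[j].len > sizeof(state->data)` but then does `memcpy(&state->data[4], msg[j].buf, msg[j].len)`, which writes up to offset `4 + msg[j].len`, so a read length within three bytes of the buffer size overruns `state->data`. The copy also looks unnecessary: only 4 bytes are sent (`dvb_usb_generic_rw(d, state->data, 4, ...)`) and `msg[j].buf` is the caller's still-unfilled read buffer, so dropping that `memcpy` line removes the overrun. Two smaller points in the same loop: `num = -EOPNOTSUPP; break;` leaves only the `switch`, and `while (j < num)` then ends just because `num` is negative, which deserves a comment or an explicit exit; and a failed `dvb_usb_generic_rw()` is only logged, after which stale `state->data` is copied to the caller and `num` is returned as success. The commit message notes the adapter is reachable from userspace through i2c-dev, so message lengths here are caller-controlled and every `msg[j].buf[...]` access should be preceded by a length check. su3000_i2c_transfer() starts before the first hunk.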
---
-2.43.0
-
+++ /dev/null
-From 7f9fdeeb5c70be5280c574d5e4ab451c5aa0a06b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 29 Apr 2024 16:04:50 +0100
-Subject: media: s2255: Use refcount_t instead of atomic_t for num_channels
-
-From: Ricardo Ribalda <ribalda@chromium.org>
-
-[ Upstream commit 6cff72f6bcee89228a662435b7c47e21a391c8d0 ]
-
-Use an API that resembles more the actual use of num_channels.
-
-Found by cocci:
-drivers/media/usb/s2255/s2255drv.c:2362:5-24: WARNING: atomic_dec_and_test variation before object free at line 2363.
-drivers/media/usb/s2255/s2255drv.c:1557:5-24: WARNING: atomic_dec_and_test variation before object free at line 1558.
-
-Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-11-3c4865f5a4b0@chromium.org
-Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/usb/s2255/s2255drv.c | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c
-index 3e3ecf214762a..9f9f2e231de61 100644
---- a/drivers/media/usb/s2255/s2255drv.c
-+++ b/drivers/media/usb/s2255/s2255drv.c
-@@ -256,7 +256,7 @@ struct s2255_vc {
- struct s2255_dev {
- struct s2255_vc vc[MAX_CHANNELS];
- struct v4l2_device v4l2_dev;
-- atomic_t num_channels;
-+ refcount_t num_channels;
- int frames;
- struct mutex lock; /* channels[].vdev.lock */
- struct mutex cmdlock; /* protects cmdbuf */
-@@ -1574,11 +1574,11 @@ static void s2255_video_device_release(struct video_device *vdev)
- container_of(vdev, struct s2255_vc, vdev);
-
- dprintk(dev, 4, "%s, chnls: %d\n", __func__,
-- atomic_read(&dev->num_channels));
-+ refcount_read(&dev->num_channels));
-
- v4l2_ctrl_handler_free(&vc->hdl);
-
-- if (atomic_dec_and_test(&dev->num_channels))
-+ if (refcount_dec_and_test(&dev->num_channels))
- s2255_destroy(dev);
- return;
- }
-@@ -1681,7 +1681,7 @@ static int s2255_probe_v4l(struct s2255_dev *dev)
- "failed to register video device!\n");
- break;
- }
-- atomic_inc(&dev->num_channels);
-+ refcount_inc(&dev->num_channels);
- v4l2_info(&dev->v4l2_dev, "V4L2 device registered as %s\n",
- video_device_node_name(&vc->vdev));
-
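Review bot: `refcount_inc(&dev->num_channels)` here runs on a counter that s2255_probe() initialises with `refcount_set(&dev->num_channels, 0)` (hunk at -2242), and refcount_t treats an increment from zero as a possible use-after-free: it warns and saturates the counter instead of counting to 1. Once that happens, the `refcount_read(...) != MAX_CHANNELS` check and the `refcount_dec_and_test()` calls in s2255_video_device_release() and s2255_disconnect() no longer see the real channel count, so s2255_destroy() may never run. A refcount_t conversion needs the counter to start at 1 (a reference held by probe and dropped in disconnect); a plain tally of registered channels is better left as `atomic_t`. s2255_probe_v4l() starts and ends outside this hunk, so the registration loop around the increment is not visible here.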
-@@ -1689,11 +1689,11 @@ static int s2255_probe_v4l(struct s2255_dev *dev)
- pr_info("Sensoray 2255 V4L driver Revision: %s\n",
- S2255_VERSION);
- /* if no channels registered, return error and probe will fail*/
-- if (atomic_read(&dev->num_channels) == 0) {
-+ if (refcount_read(&dev->num_channels) == 0) {
- v4l2_device_unregister(&dev->v4l2_dev);
- return ret;
- }
-- if (atomic_read(&dev->num_channels) != MAX_CHANNELS)
-+ if (refcount_read(&dev->num_channels) != MAX_CHANNELS)
- pr_warn("s2255: Not all channels available.\n");
- return 0;
- }
-@@ -2242,7 +2242,7 @@ static int s2255_probe(struct usb_interface *interface,
- goto errorFWDATA1;
- }
-
-- atomic_set(&dev->num_channels, 0);
-+ refcount_set(&dev->num_channels, 0);
- dev->pid = id->idProduct;
- dev->fw_data = kzalloc(sizeof(struct s2255_fw), GFP_KERNEL);
- if (!dev->fw_data)
-@@ -2362,12 +2362,12 @@ static void s2255_disconnect(struct usb_interface *interface)
- {
- struct s2255_dev *dev = to_s2255_dev(usb_get_intfdata(interface));
- int i;
-- int channels = atomic_read(&dev->num_channels);
-+ int channels = refcount_read(&dev->num_channels);
- mutex_lock(&dev->lock);
- v4l2_device_disconnect(&dev->v4l2_dev);
- mutex_unlock(&dev->lock);
- /*see comments in the uvc_driver.c usb disconnect function */
-- atomic_inc(&dev->num_channels);
-+ refcount_inc(&dev->num_channels);
- /* unregister each video device. */
- for (i = 0; i < channels; i++)
- video_unregister_device(&dev->vc[i].vdev);
-@@ -2380,7 +2380,7 @@ static void s2255_disconnect(struct usb_interface *interface)
- dev->vc[i].vidstatus_ready = 1;
- wake_up(&dev->vc[i].wait_vidstatus);
- }
-- if (atomic_dec_and_test(&dev->num_channels))
-+ if (refcount_dec_and_test(&dev->num_channels))
- s2255_destroy(dev);
- dev_info(&interface->dev, "%s\n", __func__);
- }
---
-2.43.0
-
+++ /dev/null
-From 807197e955ccc90810577b8020b5cb041777d0e3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 30 Apr 2024 18:46:45 +0100
-Subject: net: dsa: mv88e6xxx: Correct check for empty list
-
-From: Simon Horman <horms@kernel.org>
-
-[ Upstream commit 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b ]
-
-Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO
-busses") mv88e6xxx_default_mdio_bus() has checked that the
-return value of list_first_entry() is non-NULL.
-
-This appears to be intended to guard against the list chip->mdios being
-empty. However, it is not the correct check as the implementation of
-list_first_entry is not designed to return NULL for empty lists.
-
-Instead, use list_first_entry_or_null() which does return NULL if the
-list is empty.
-
-Flagged by Smatch.
-Compile tested only.
-
-Reviewed-by: Andrew Lunn <andrew@lunn.ch>
-Signed-off-by: Simon Horman <horms@kernel.org>
-Link: https://lore.kernel.org/r/20240430-mv88e6xx-list_empty-v3-1-c35c69d88d2e@kernel.org
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/dsa/mv88e6xxx/chip.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
-index c401ee34159ad..e57d7bd6e58d6 100644
---- a/drivers/net/dsa/mv88e6xxx/chip.c
-+++ b/drivers/net/dsa/mv88e6xxx/chip.c
-@@ -231,8 +231,8 @@ struct mii_bus *mv88e6xxx_default_mdio_bus(struct mv88e6xxx_chip *chip)
- {
- struct mv88e6xxx_mdio_bus *mdio_bus;
-
-- mdio_bus = list_first_entry(&chip->mdios, struct mv88e6xxx_mdio_bus,
-- list);
-+ mdio_bus = list_first_entry_or_null(&chip->mdios,
-+ struct mv88e6xxx_mdio_bus, list);
- if (!mdio_bus)
- return NULL;
-
---
-2.43.0
-
+++ /dev/null
-From 5784d0512b4f8f69a836427d7c135034e90df452 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 9 May 2024 07:14:29 +0900
-Subject: nilfs2: convert BUG_ON() in nilfs_finish_roll_forward() to WARN_ON()
-
-From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
-
-[ Upstream commit 0a73eac1ed10097d1799c10dff2172605fd40c75 ]
-
-The BUG_ON check performed on the return value of __getblk() in
-nilfs_finish_roll_forward() assumes that a buffer that has been
-successfully read once is retrieved with the same parameters and does not
-fail (__getblk() does not return an error due to memory allocation
-failure). Also, nilfs_finish_roll_forward() is called at most once during
-mount.
-
-Taking these into consideration, rewrite the check to use WARN_ON() to
-avoid using BUG_ON().
-
-Link: https://lkml.kernel.org/r/20240508221429.7559-1-konishi.ryusuke@gmail.com
-Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/nilfs2/recovery.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/fs/nilfs2/recovery.c b/fs/nilfs2/recovery.c
-index 0923231e9e605..8c78e18ed2d36 100644
---- a/fs/nilfs2/recovery.c
-+++ b/fs/nilfs2/recovery.c
-@@ -698,7 +698,9 @@ static void nilfs_finish_roll_forward(struct the_nilfs *nilfs,
- return;
-
- bh = __getblk(nilfs->ns_bdev, ri->ri_lsegs_start, nilfs->ns_blocksize);
-- BUG_ON(!bh);
-+ if (WARN_ON(!bh))
-+ return; /* should never happen */
-+
- memset(bh->b_data, 0, bh->b_size);
- set_buffer_dirty(bh);
- err = sync_dirty_buffer(bh);
---
-2.43.0
-
+++ /dev/null
-From 4f9212e2ef27bd0d052a33c3e7a43d47975d7f12 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 1 May 2024 16:20:36 -0400
-Subject: orangefs: fix out-of-bounds fsid access
-
-From: Mike Marshall <hubcap@omnibond.com>
-
-[ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ]
-
-Arnd Bergmann sent a patch to fsdevel, he says:
-
-"orangefs_statfs() copies two consecutive fields of the superblock into
-the statfs structure, which triggers a warning from the string fortification
-helpers"
-
-Jan Kara suggested an alternate way to do the patch to make it more readable.
-
-I ran both ideas through xfstests and both seem fine. This patch
-is based on Jan Kara's suggestion.
-
-Signed-off-by: Mike Marshall <hubcap@omnibond.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/orangefs/super.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c
-index 524fd95173b3a..571eebf1a263b 100644
---- a/fs/orangefs/super.c
-+++ b/fs/orangefs/super.c
-@@ -186,7 +186,8 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf)
- (long)new_op->downcall.resp.statfs.files_avail);
-
- buf->f_type = sb->s_magic;
-- memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid));
-+ buf->f_fsid.val[0] = ORANGEFS_SB(sb)->fs_id;
-+ buf->f_fsid.val[1] = ORANGEFS_SB(sb)->id;
- buf->f_bsize = new_op->downcall.resp.statfs.block_size;
- buf->f_namelen = ORANGEFS_NAME_MAX;
-
---
-2.43.0
-
+++ /dev/null
-From e9d7a78e289f322dc4876e86245a8e90a4f76ace Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 3 May 2024 17:56:19 +1000
-Subject: powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for
- CONFIG_PCI=n
-
-From: Michael Ellerman <mpe@ellerman.id.au>
-
-[ Upstream commit be140f1732b523947425aaafbe2e37b41b622d96 ]
-
-There is code that builds with calls to IO accessors even when
-CONFIG_PCI=n, but the actual calls are guarded by runtime checks.
-
-If not those calls would be faulting, because the page at virtual
-address zero is (usually) not mapped into the kernel. As Arnd pointed
-out, it is possible a large port value could cause the address to be
-above mmap_min_addr which would then access userspace, which would be
-a bug.
-
-To avoid any such issues, set _IO_BASE to POISON_POINTER_DELTA. That
-is a value chosen to point into unmapped space between the kernel and
-userspace, so any access will always fault.
-
-Note that on 32-bit POISON_POINTER_DELTA is 0, so the patch only has an
-effect on 64-bit.
-
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://msgid.link/20240503075619.394467-2-mpe@ellerman.id.au
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/include/asm/io.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h
-index 5ff8ab12f56c7..c90ece28a0199 100644
---- a/arch/powerpc/include/asm/io.h
-+++ b/arch/powerpc/include/asm/io.h
-@@ -47,7 +47,7 @@ extern struct pci_dev *isa_bridge_pcidev;
- * define properly based on the platform
- */
- #ifndef CONFIG_PCI
--#define _IO_BASE 0
-+#define _IO_BASE POISON_POINTER_DELTA
- #define _ISA_MEM_BASE 0
- #define PCI_DRAM_OFFSET 0
- #elif defined(CONFIG_PPC32)
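Review bot: The new `_IO_BASE` value has no comment, and the existing comment above it only says to define it per platform, so a reader cannot tell that POISON_POINTER_DELTA is deliberate rather than a placeholder. A one-line comment above the define would carry the commit's reasoning, e.g. `/* No PCI: point port I/O at unmapped space so a stray access faults */`. `_ISA_MEM_BASE` stays 0 in the same block; if the same concern applies to the ISA memory accessors, it may deserve the same treatment, which this hunk does not show.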
---
-2.43.0
-
+++ /dev/null
-From 100e11cafb6fa96d33370020d88605c2fa02fc76 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 9 Mar 2021 19:11:10 +0100
-Subject: powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Greg Kurz <groug@kaod.org>
-
-[ Upstream commit 8873aab8646194a4446117bb617cc71bddda2dee ]
-
-All these commands end up peeking into the PACA using the user
-originated cpu id as an index. Check the cpu id is valid in order
-to prevent xmon to crash. Instead of printing an error, this follows
-the same behavior as the "lp s #" command : ignore the buggy cpu id
-parameter and fall back to the #-less version of the command.
-
-Signed-off-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://msgid.link/161531347060.252863.10490063933688958044.stgit@bahia.lan
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/xmon/xmon.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
-index 3291e5fb94bcc..cd6df90dc6720 100644
---- a/arch/powerpc/xmon/xmon.c
-+++ b/arch/powerpc/xmon/xmon.c
-@@ -1154,7 +1154,7 @@ static int cpu_cmd(void)
- unsigned long cpu, first_cpu, last_cpu;
- int timeout;
-
-- if (!scanhex(&cpu)) {
-+ if (!scanhex(&cpu) || cpu >= num_possible_cpus()) {
- /* print cpus waiting or in xmon */
- printf("cpus stopped:");
- last_cpu = first_cpu = NR_CPUS;
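Review bot: The bound `cpu >= num_possible_cpus()` in cpu_cmd() compares a CPU id against the number of possible CPUs, which is a count of set bits in the possible mask, not the highest valid id plus one; the same test is added in dump_pacas() and dump_xives(). If the possible mask has holes, an id below the count can still be non-possible and a valid id above it is rejected. Checking the id itself is tighter: `if (!scanhex(&cpu) || cpu >= nr_cpu_ids || !cpu_possible(cpu)) {` here, and `scanhex(&num) && num < nr_cpu_ids && cpu_possible(num)` in the two dump functions. All three function bodies extend beyond their hunks.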
-@@ -2485,7 +2485,7 @@ static void dump_pacas(void)
-
- termch = c; /* Put c back, it wasn't 'a' */
-
-- if (scanhex(&num))
-+ if (scanhex(&num) && num < num_possible_cpus())
- dump_one_paca(num);
- else
- dump_one_paca(xmon_owner);
-@@ -2568,7 +2568,7 @@ static void dump_xives(void)
-
- termch = c; /* Put c back, it wasn't 'a' */
-
-- if (scanhex(&num))
-+ if (scanhex(&num) && num < num_possible_cpus())
- dump_one_xive(num);
- else
- dump_one_xive(xmon_owner);
---
-2.43.0
-
+++ /dev/null
-From 6e0e43ad0692645ed2f8f6b8f1a135bbbfa1abbe Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 30 Apr 2024 16:30:01 +0200
-Subject: s390: Mark psw in __load_psw_mask() as __unitialized
-
-From: Sven Schnelle <svens@linux.ibm.com>
-
-[ Upstream commit 7278a8fb8d032dfdc03d9b5d17e0bc451cdc1492 ]
-
-Without __unitialized, the following code is generated when
-INIT_STACK_ALL_ZERO is enabled:
-
-86: d7 0f f0 a0 f0 a0 xc 160(16,%r15), 160(%r15)
-8c: e3 40 f0 a0 00 24 stg %r4, 160(%r15)
-92: c0 10 00 00 00 08 larl %r1, 0xa2
-98: e3 10 f0 a8 00 24 stg %r1, 168(%r15)
-9e: b2 b2 f0 a0 lpswe 160(%r15)
-
-The xc is not adding any security because psw is fully initialized
-by the instructions that follow. Add __uninitialized to the psw
-definition to avoid the superfluous clearing of psw.
-
-Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
-Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
-Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/include/asm/processor.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h
-index 7f2953c15c37b..93ba3befd6d40 100644
---- a/arch/s390/include/asm/processor.h
-+++ b/arch/s390/include/asm/processor.h
-@@ -289,8 +289,8 @@ static inline void __load_psw(psw_t psw)
- */
- static inline void __load_psw_mask(unsigned long mask)
- {
-+ psw_t psw __uninitialized;
- unsigned long addr;
-- psw_t psw;
-
- psw.mask = mask;
-
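Review bot: `psw_t psw __uninitialized;` opts this variable out of automatic stack initialisation, and nothing at the declaration says why that is safe. The hunk shows only `psw.mask = mask;`, because the assignment of the address half lies outside it. The invariant that both fields are written before the PSW is loaded should therefore be stated where the attribute is used: `/* mask and addr are both set below before use; skip auto-init */`. Without that, a later change that leaves part of psw unwritten would load stack contents with no zeroing to fall back on.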
---
-2.43.0
-
+++ /dev/null
-From a5e6e03426169bcefb671b71c00cf573891f8714 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 May 2024 17:03:18 +0200
-Subject: s390/pkey: Wipe sensitive data on failure
-
-From: Holger Dengler <dengler@linux.ibm.com>
-
-[ Upstream commit 1d8c270de5eb74245d72325d285894a577a945d9 ]
-
-Wipe sensitive data from stack also if the copy_to_user() fails.
-
-Suggested-by: Heiko Carstens <hca@linux.ibm.com>
-Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
-Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
-Acked-by: Heiko Carstens <hca@linux.ibm.com>
-Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
-Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/s390/crypto/pkey_api.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
-index b16344479959b..fa97e666f19e6 100644
---- a/drivers/s390/crypto/pkey_api.c
-+++ b/drivers/s390/crypto/pkey_api.c
-@@ -1089,7 +1089,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
- if (rc)
- break;
- if (copy_to_user(ucs, &kcs, sizeof(kcs)))
-- return -EFAULT;
-+ rc = -EFAULT;
- memzero_explicit(&kcs, sizeof(kcs));
- break;
- }
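Review bot: The `if (rc) break;` just above the changed line still leaves the switch without reaching `memzero_explicit(&kcs, sizeof(kcs))`, so the wipe this commit adds for a failed copy_to_user() is skipped when the preceding key operation fails; the second hunk has the same shape with `kcp`. Whether the stack copy holds key material at that point is not visible here, but wiping unconditionally costs nothing. Drop the early break and write `if (!rc && copy_to_user(ucs, &kcs, sizeof(kcs)))` followed by `rc = -EFAULT;`, so memzero_explicit() runs on every path. The case blocks start outside both hunks.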
-@@ -1120,7 +1120,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
- if (rc)
- break;
- if (copy_to_user(ucp, &kcp, sizeof(kcp)))
-- return -EFAULT;
-+ rc = -EFAULT;
- memzero_explicit(&kcp, sizeof(kcp));
- break;
- }
---
-2.43.0
-
+++ /dev/null
-From caf424dd68c434c7912325cd9cca76b7181096bd Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 27 Apr 2024 19:23:36 +0200
-Subject: sctp: prefer struct_size over open coded arithmetic
-
-From: Erick Archer <erick.archer@outlook.com>
-
-[ Upstream commit e5c5f3596de224422561d48eba6ece5210d967b3 ]
-
-This is an effort to get rid of all multiplications from allocation
-functions in order to prevent integer overflows [1][2].
-
-As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
-structure ends in a flexible array:
-
-struct sctp_assoc_ids {
- [...]
- sctp_assoc_t gaids_assoc_id[];
-};
-
-the preferred way in the kernel is to use the struct_size() helper to
-do the arithmetic instead of the calculation "size + size * count" in
-the kmalloc() function.
-
-Also, refactor the code adding the "ids_size" variable to avoid sizing
-twice.
-
-This way, the code is more readable and safer.
-
-This code was detected with the help of Coccinelle, and audited and
-modified manually.
-
-Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
-Link: https://github.com/KSPP/linux/issues/160 [2]
-Signed-off-by: Erick Archer <erick.archer@outlook.com>
-Acked-by: Xin Long <lucien.xin@gmail.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Link: https://lore.kernel.org/r/PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/sctp/socket.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index f954d3c8876db..c429a1a2bfe23 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -6801,6 +6801,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
- struct sctp_sock *sp = sctp_sk(sk);
- struct sctp_association *asoc;
- struct sctp_assoc_ids *ids;
-+ size_t ids_size;
- u32 num = 0;
-
- if (sctp_style(sk, TCP))
-@@ -6813,11 +6814,11 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
- num++;
- }
-
-- if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num)
-+ ids_size = struct_size(ids, gaids_assoc_id, num);
-+ if (len < ids_size)
- return -EINVAL;
-
-- len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num;
--
-+ len = ids_size;
- ids = kmalloc(len, GFP_USER | __GFP_NOWARN);
- if (unlikely(!ids))
- return -ENOMEM;
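Review bot: `len = ids_size;` narrows the size_t result of struct_size() back into the int `len` before it is passed to kmalloc(), which partly undoes the point of computing the size in size_t. The `len < ids_size` check also compares a signed int with a size_t, so it relies on `len` being non-negative, which is presumably enforced by the caller and is not visible in this hunk. Allocating with the size_t value keeps the arithmetic in one type: `ids = kmalloc(ids_size, GFP_USER | __GFP_NOWARN);`. sctp_getsockopt_assoc_ids() continues past the end of the hunk.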
---
-2.43.0
-
+++ /dev/null
-media-dvb-as102-fe-fix-as10x_register_addr-packing.patch
-media-dvb-usb-dib0700_devices-add-missing-release_fi.patch
-ib-core-implement-a-limit-on-umad-receive-list.patch
-irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch
-drm-amd-display-skip-finding-free-audio-for-unknown-.patch
-media-dw2102-don-t-translate-i2c-read-into-write.patch
-sctp-prefer-struct_size-over-open-coded-arithmetic.patch
-firmware-dmi-stop-decoding-on-broken-entry.patch
-input-ff-core-prefer-struct_size-over-open-coded-ari.patch
-net-dsa-mv88e6xxx-correct-check-for-empty-list.patch
-media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch
-media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch
-media-dvb-frontends-tda10048-fix-integer-overflow.patch
-i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch
-powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch
-orangefs-fix-out-of-bounds-fsid-access.patch
-powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch
-nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch
-jffs2-fix-potential-illegal-address-access-in-jffs2_.patch
-s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch
-s390-pkey-wipe-sensitive-data-on-failure.patch