--- /dev/null
+From 44d9b3f584c59a606b521e7274e658d5b866c699 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 15 Apr 2025 13:39:01 +0100
+Subject: comedi: jr3_pci: Fix synchronous deletion of timer
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 44d9b3f584c59a606b521e7274e658d5b866c699 upstream.
+
+When `jr3_pci_detach()` is called during device removal, it calls
+`timer_delete_sync()` to stop the timer, but the timer expiry function
+always reschedules the timer, so the synchronization is ineffective.
+
+Call `timer_shutdown_sync()` instead. It does not matter that the timer
+expiry function pointer is cleared, because the device is being removed.
+
+Fixes: 07b509e6584a5 ("Staging: comedi: add jr3_pci driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20250415123901.13483-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/jr3_pci.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/comedi/drivers/jr3_pci.c
++++ b/drivers/comedi/drivers/jr3_pci.c
+@@ -87,6 +87,7 @@ struct jr3_pci_poll_delay {
+ struct jr3_pci_dev_private {
+ struct timer_list timer;
+ struct comedi_device *dev;
++ bool timer_enable;
+ };
+
+ union jr3_pci_single_range {
+@@ -596,10 +597,11 @@ static void jr3_pci_poll_dev(struct time
+ delay = sub_delay.max;
+ }
+ }
++ if (devpriv->timer_enable) {
++ devpriv->timer.expires = jiffies + msecs_to_jiffies(delay);
++ add_timer(&devpriv->timer);
++ }
+ spin_unlock_irqrestore(&dev->spinlock, flags);
+-
+- devpriv->timer.expires = jiffies + msecs_to_jiffies(delay);
+- add_timer(&devpriv->timer);
+ }
+
+ static struct jr3_pci_subdev_private *
+@@ -748,6 +750,7 @@ static int jr3_pci_auto_attach(struct co
+ devpriv->dev = dev;
+ timer_setup(&devpriv->timer, jr3_pci_poll_dev, 0);
+ devpriv->timer.expires = jiffies + msecs_to_jiffies(1000);
++ devpriv->timer_enable = true;
+ add_timer(&devpriv->timer);
+
+ return 0;
+@@ -757,8 +760,12 @@ static void jr3_pci_detach(struct comedi
+ {
+ struct jr3_pci_dev_private *devpriv = dev->private;
+
+- if (devpriv)
+- del_timer_sync(&devpriv->timer);
++ if (devpriv) {
++ spin_lock_bh(&dev->spinlock);
++ devpriv->timer_enable = false;
++ spin_unlock_bh(&dev->spinlock);
++ timer_delete_sync(&devpriv->timer);
++ }
+
+ comedi_pci_detach(dev);
+ }
--- /dev/null
+From 8006aff15516a170640239c5a8e6696c0ba18d8e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <kabel@kernel.org>
+Date: Tue, 22 Apr 2025 11:57:18 +0200
+Subject: crypto: atmel-sha204a - Set hwrng quality to lowest possible
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+commit 8006aff15516a170640239c5a8e6696c0ba18d8e upstream.
+
+According to the review by Bill Cox [1], the Atmel SHA204A random number
+generator produces random numbers with very low entropy.
+
+Set the lowest possible entropy for this chip just to be safe.
+
+[1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
+
+Fixes: da001fb651b00e1d ("crypto: atmel-i2c - add support for SHA204A random number generator")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Marek Behún <kabel@kernel.org>
+---
+ drivers/crypto/atmel-sha204a.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/atmel-sha204a.c
++++ b/drivers/crypto/atmel-sha204a.c
+@@ -107,7 +107,12 @@ static int atmel_sha204a_probe(struct i2
+
+ i2c_priv->hwrng.name = dev_name(&client->dev);
+ i2c_priv->hwrng.read = atmel_sha204a_rng_read;
+- i2c_priv->hwrng.quality = 1024;
++
++ /*
++ * According to review by Bill Cox [1], this HWRNG has very low entropy.
++ * [1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
++ */
++ i2c_priv->hwrng.quality = 1;
+
+ ret = devm_hwrng_register(&client->dev, &i2c_priv->hwrng);
+ if (ret)
--- /dev/null
+From 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Thu, 15 Feb 2024 06:33:46 -0800
+Subject: net/sched: act_mirred: don't override retval if we already lost the skb
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 upstream.
+
+If we're redirecting the skb, and haven't called tcf_mirred_forward(),
+yet, we need to tell the core to drop the skb by setting the retcode
+to SHOT. If we have called tcf_mirred_forward(), however, the skb
+is out of our hands and returning SHOT will lead to UaF.
+
+Move the retval override to the error path which actually need it.
+
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[Minor conflict resolved due to code context change.]
+Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_mirred.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -255,31 +255,31 @@ static int tcf_mirred_act(struct sk_buff
+
+ m_mac_header_xmit = READ_ONCE(m->tcfm_mac_header_xmit);
+ m_eaction = READ_ONCE(m->tcfm_eaction);
++ is_redirect = tcf_mirred_is_act_redirect(m_eaction);
+ retval = READ_ONCE(m->tcf_action);
+ dev = rcu_dereference_bh(m->tcfm_dev);
+ if (unlikely(!dev)) {
+ pr_notice_once("tc mirred: target device is gone\n");
+- goto out;
++ goto err_cant_do;
+ }
+
+ if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) {
+ net_notice_ratelimited("tc mirred to Houston: device %s is down\n",
+ dev->name);
+- goto out;
++ goto err_cant_do;
+ }
+
+ /* we could easily avoid the clone only if called by ingress and clsact;
+ * since we can't easily detect the clsact caller, skip clone only for
+ * ingress - that covers the TC S/W datapath.
+ */
+- is_redirect = tcf_mirred_is_act_redirect(m_eaction);
+ at_ingress = skb_at_tc_ingress(skb);
+ use_reinsert = at_ingress && is_redirect &&
+ tcf_mirred_can_reinsert(retval);
+ if (!use_reinsert) {
+ skb2 = skb_clone(skb, GFP_ATOMIC);
+ if (!skb2)
+- goto out;
++ goto err_cant_do;
+ }
+
+ want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
+@@ -321,12 +321,16 @@ static int tcf_mirred_act(struct sk_buff
+ }
+
+ err = tcf_mirred_forward(want_ingress, skb2);
+- if (err) {
+-out:
++ if (err)
+ tcf_action_inc_overlimit_qstats(&m->common);
+- if (tcf_mirred_is_act_redirect(m_eaction))
+- retval = TC_ACT_SHOT;
+- }
++ __this_cpu_dec(mirred_nest_level);
++
++ return retval;
++
++err_cant_do:
++ if (is_redirect)
++ retval = TC_ACT_SHOT;
++ tcf_action_inc_overlimit_qstats(&m->common);
+ __this_cpu_dec(mirred_nest_level);
+
+ return retval;
spi-spi-imx-add-check-for-spi_imx_setupxfer.patch
of-module-add-buffer-overflow-check-in-of_modalias.patch
jfs-define-xtree-root-and-page-independently.patch
+comedi-jr3_pci-fix-synchronous-deletion-of-timer.patch
+crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch
+net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
