Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Fri, 11 Oct 2024 12:10:06 +0000 (08:10 -0400)
committerSasha Levin <sashal@kernel.org>
Fri, 11 Oct 2024 12:10:06 +0000 (08:10 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.19/drm-crtc-fix-uninitialized-variable-use-even-harder.patch [new file with mode: 0644]
queue-4.19/drm-move-drm_mode_setcrtc-local-re-init-to-failure-p.patch [new file with mode: 0644]
queue-4.19/input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch [new file with mode: 0644]
queue-4.19/net-ethernet-cortina-drop-tso-support.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/tracing-remove-precision-vsnprintf-check-from-print-.patch [new file with mode: 0644]
queue-4.19/virtio_console-fix-misc-probe-bugs.patch [new file with mode: 0644]

diff --git a/queue-4.19/drm-crtc-fix-uninitialized-variable-use-even-harder.patch b/queue-4.19/drm-crtc-fix-uninitialized-variable-use-even-harder.patch
new file mode 100644 (file)
index 0000000..eb3d1af
--- /dev/null
@@ -0,0 +1,40 @@
+From 1b5d0f952e88f1dd9c962a39eebf6a3eca0a5d43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Feb 2024 13:55:34 -0800
+Subject: drm/crtc: fix uninitialized variable use even harder
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit b6802b61a9d0e99dcfa6fff7c50db7c48a9623d3 ]
+
+DRM_MODESET_LOCK_ALL_BEGIN() has a hidden trap-door (aka retry loop),
+which means we can't rely too much on variable initializers.
+
+Fixes: 6e455f5dcdd1 ("drm/crtc: fix uninitialized variable use")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Tested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> # sc7180, sdm845
+Link: https://patchwork.freedesktop.org/patch/msgid/20240212215534.190682-1-robdclark@gmail.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_crtc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
+index 82ad38ee3fea7..e8d5fc8408c59 100644
+--- a/drivers/gpu/drm/drm_crtc.c
++++ b/drivers/gpu/drm/drm_crtc.c
+@@ -768,6 +768,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
+       connector_set = NULL;
+       fb = NULL;
+       mode = NULL;
++      num_connectors = 0;
+       if (ret == -EDEADLK) {
+               ret = drm_modeset_backoff(&ctx);
+-- 
+2.43.0
+
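Review bot: The new `num_connectors = 0;` before the -EDEADLK check rests on a prerequisite this patch's message does not spell out for 4.19: the upstream text blames the DRM_MODESET_LOCK_ALL_BEGIN() retry loop, but in this tree drm_mode_setcrtc() retries through the explicit `retry:` label shown in the companion drm-move-drm_mode_setcrtc-local-re-init-to-failure-p.patch, so the reset is only meaningful once that prep patch is applied (the series file orders them that way). Whether a stale count is actually consumed on the retried attempt depends on the cleanup that walks connector_set, which is not in this hunk; the rest of drm_mode_setcrtc() begins and ends outside the hunk. A one-line comment next to the new line, `/* a retried attempt must not reuse the previous connector count */`, would keep the intent visible if the surrounding re-init block is ever touched again.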
diff --git a/queue-4.19/drm-move-drm_mode_setcrtc-local-re-init-to-failure-p.patch b/queue-4.19/drm-move-drm_mode_setcrtc-local-re-init-to-failure-p.patch
new file mode 100644 (file)
index 0000000..a7ff961
--- /dev/null
@@ -0,0 +1,73 @@
+From e249b97260327c71dbc080276a18b9f5e3948cac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Nov 2018 10:04:15 -0500
+Subject: drm: Move drm_mode_setcrtc() local re-init to failure path
+
+From: Sean Paul <seanpaul@chromium.org>
+
+[ Upstream commit c232e9f41b136c141df9938024e521191a7b910d ]
+
+Instead of always re-initializing the variables we need to clean up on
+out, move the re-initialization into the branch that goes back to retry
+label.
+
+This is a lateral move right now, but will allow us to pull out the
+modeset locking into common code. I kept this change separate to make
+things easier to review.
+
+Changes in v2:
+- None
+
+Reviewed-by: Daniel Vetter <daniel@ffwll.ch>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181129150423.239081-2-sean@poorly.run
+Stable-dep-of: b6802b61a9d0 ("drm/crtc: fix uninitialized variable use even harder")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_crtc.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
+index 22eba10af165d..82ad38ee3fea7 100644
+--- a/drivers/gpu/drm/drm_crtc.c
++++ b/drivers/gpu/drm/drm_crtc.c
+@@ -567,9 +567,9 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
+       struct drm_mode_crtc *crtc_req = data;
+       struct drm_crtc *crtc;
+       struct drm_plane *plane;
+-      struct drm_connector **connector_set, *connector;
+-      struct drm_framebuffer *fb;
+-      struct drm_display_mode *mode;
++      struct drm_connector **connector_set = NULL, *connector;
++      struct drm_framebuffer *fb = NULL;
++      struct drm_display_mode *mode = NULL;
+       struct drm_mode_set set;
+       uint32_t __user *set_connectors_ptr;
+       struct drm_modeset_acquire_ctx ctx;
+@@ -601,10 +601,6 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
+       mutex_lock(&crtc->dev->mode_config.mutex);
+       drm_modeset_acquire_init(&ctx, DRM_MODESET_ACQUIRE_INTERRUPTIBLE);
+ retry:
+-      connector_set = NULL;
+-      fb = NULL;
+-      mode = NULL;
+-
+       ret = drm_modeset_lock_all_ctx(crtc->dev, &ctx);
+       if (ret)
+               goto out;
+@@ -767,6 +763,12 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
+       }
+       kfree(connector_set);
+       drm_mode_destroy(dev, mode);
++
++      /* In case we need to retry... */
++      connector_set = NULL;
++      fb = NULL;
++      mode = NULL;
++
+       if (ret == -EDEADLK) {
+               ret = drm_modeset_backoff(&ctx);
+               if (!ret)
+-- 
+2.43.0
+
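Review bot: The relocated re-init block under `/* In case we need to retry... */` resets connector_set, fb and mode but not the connector count that accompanies connector_set, so between this patch and the next one in the series a retried attempt presumably sees a count that no longer matches the NULL array; the gap is closed by drm-crtc-fix-uninitialized-variable-use-even-harder.patch, which the series file places immediately after this one, so the pair should not be split when the queue is rebuilt. Note also that `fb = NULL;` is written here without a visible release in the hunk; the reference drop must happen earlier in the `out:` path, which lies outside the hunk, as does the start of drm_mode_setcrtc(). The first hunk's declaration change (`connector_set = NULL`, `fb = NULL`, `mode = NULL` initializers) is what makes the first pass safe now that the `retry:` label no longer clears them.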
diff --git a/queue-4.19/input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch b/queue-4.19/input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch
new file mode 100644 (file)
index 0000000..b946def
--- /dev/null
@@ -0,0 +1,55 @@
+From 8a6e5f8218bd782b14818952d7ca84bfa4bd4330 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 05:42:21 +0000
+Subject: Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal
+
+From: Mathias Krause <minipli@grsecurity.net>
+
+commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream.
+
+Calling irq_domain_remove() will lead to freeing the IRQ domain
+prematurely. The domain is still referenced and will be attempted to get
+used via rmi_free_function_list() -> rmi_unregister_function() ->
+irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer.
+
+With PaX's MEMORY_SANITIZE this will lead to an access fault when
+attempting to dereference embedded pointers, as in Torsten's report that
+was faulting on the 'domain->ops->unmap' test.
+
+Fix this by releasing the IRQ domain only after all related IRQs have
+been deactivated.
+
+Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain")
+Reported-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Signed-off-by: Mathias Krause <minipli@grsecurity.net>
+Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/rmi4/rmi_driver.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
+index 0da814b41e72b..75cd4c813cbb4 100644
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -981,12 +981,12 @@ static int rmi_driver_remove(struct device *dev)
+       rmi_disable_irq(rmi_dev, false);
+-      irq_domain_remove(data->irqdomain);
+-      data->irqdomain = NULL;
+-
+       rmi_f34_remove_sysfs(rmi_dev);
+       rmi_free_function_list(rmi_dev);
++      irq_domain_remove(data->irqdomain);
++      data->irqdomain = NULL;
++
+       return 0;
+ }
+-- 
+2.43.0
+
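Review bot: The whole fix is an ordering constraint — `irq_domain_remove()` now runs after `rmi_free_function_list()` — and nothing in the new code records why, so a later cleanup could reorder the lines and reintroduce the use-after-free the message describes (rmi_unregister_function() → irq_dispose_mapping() reading irq_get_irq_data()'s domain pointer). A comment above the moved call would pin it: `/* Must follow rmi_free_function_list(): irq_dispose_mapping() still dereferences the domain. */`. Clearing `data->irqdomain` afterwards is the right defensive step and is preserved by the move.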
diff --git a/queue-4.19/net-ethernet-cortina-drop-tso-support.patch b/queue-4.19/net-ethernet-cortina-drop-tso-support.patch
new file mode 100644 (file)
index 0000000..b4a2b09
--- /dev/null
@@ -0,0 +1,88 @@
+From 2c9061415006c3f439d0acff0ff202c66a29ce2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jan 2024 01:12:22 +0100
+Subject: net: ethernet: cortina: Drop TSO support
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit ac631873c9e7a50d2a8de457cfc4b9f86666403e ]
+
+The recent change to allow large frames without hardware checksumming
+slotted in software checksumming in the driver if hardware could not
+do it.
+
+This will however upset TSO (TCP Segment Offloading). Typical
+error dumps includes this:
+
+skb len=2961 headroom=222 headlen=66 tailroom=0
+(...)
+WARNING: CPU: 0 PID: 956 at net/core/dev.c:3259 skb_warn_bad_offload+0x7c/0x108
+gemini-ethernet-port: caps=(0x0000010000154813, 0x00002007ffdd7889)
+
+And the packets do not go through.
+
+The TSO implementation is bogus: a TSO enabled driver must propagate
+the skb_shinfo(skb)->gso_size value to the TSO engine on the NIC.
+
+Drop the size check and TSO offloading features for now: this
+needs to be fixed up properly.
+
+After this ethernet works fine on Gemini devices with a direct connected
+PHY such as D-Link DNS-313.
+
+Also tested to still be working with a DSA switch using the Gemini
+ethernet as conduit interface.
+
+Link: https://lore.kernel.org/netdev/CANn89iJLfxng1sYL5Zk0mknXpyYQPCp83m3KgD2KJ2_hKCpEUg@mail.gmail.com/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Fixes: d4d0c5b4d279 ("net: ethernet: cortina: Handle large frames")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cortina/gemini.c | 15 ++-------------
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index d464dec9825ad..556600e425b36 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -81,8 +81,7 @@ MODULE_PARM_DESC(debug, "Debug level (0=none,...,16=all)");
+ #define GMAC0_IRQ4_8 (GMAC0_MIB_INT_BIT | GMAC0_RX_OVERRUN_INT_BIT)
+ #define GMAC_OFFLOAD_FEATURES (NETIF_F_SG | NETIF_F_IP_CSUM | \
+-              NETIF_F_IPV6_CSUM | NETIF_F_RXCSUM | \
+-              NETIF_F_TSO | NETIF_F_TSO_ECN | NETIF_F_TSO6)
++                             NETIF_F_IPV6_CSUM | NETIF_F_RXCSUM)
+ /**
+  * struct gmac_queue_page - page buffer per-page info
+@@ -1156,23 +1155,13 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb,
+       struct gmac_txdesc *txd;
+       skb_frag_t *skb_frag;
+       dma_addr_t mapping;
+-      unsigned short mtu;
+       void *buffer;
+       int ret;
+-      mtu  = ETH_HLEN;
+-      mtu += netdev->mtu;
+-      if (skb->protocol == htons(ETH_P_8021Q))
+-              mtu += VLAN_HLEN;
+-
++      /* TODO: implement proper TSO using MTU in word3 */
+       word1 = skb->len;
+       word3 = SOF_BIT;
+-      if (word1 > mtu) {
+-              word1 |= TSS_MTU_ENABLE_BIT;
+-              word3 |= mtu;
+-      }
+-
+       if (skb->len >= ETH_FRAME_LEN) {
+               /* Hardware offloaded checksumming isn't working on frames
+                * bigger than 1514 bytes. A hypothesis about this is that the
+-- 
+2.43.0
+
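Review bot: The TODO left in gmac_map_tx_bufs() says `implement proper TSO using MTU in word3`, but the commit message identifies the actual missing piece as propagating `skb_shinfo(skb)->gso_size` to the TSO engine, and the `TSS_MTU_ENABLE_BIT`/`word3 |= mtu` code that the comment alludes to is removed in the same hunk. Rewording it as `/* TODO: implement proper TSO: propagate skb_shinfo(skb)->gso_size to the NIC (word3 MTU field); TSO flags are off in GMAC_OFFLOAD_FEATURES until then */` would tell the next person what to do and where the feature was disabled. The removal of NETIF_F_TSO/TSO_ECN/TSO6 from GMAC_OFFLOAD_FEATURES in the first hunk is what stops the stack from handing GSO skbs to this path, so dropping the per-skb `mtu` comparison is consistent with it; gmac_map_tx_bufs() continues outside the hunk.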
index cf0fbb471058ec5153bd4a692ed2170cb7115d62..7798c7f0551528ac069104df4842fd432791e476 100644 (file)
@@ -226,3 +226,9 @@ rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch
 acpi-battery-simplify-battery-hook-locking.patch
 acpi-battery-fix-possible-crash-when-unregistering-a.patch
 ext4-fix-inode-tree-inconsistency-caused-by-enomem.patch
+net-ethernet-cortina-drop-tso-support.patch
+tracing-remove-precision-vsnprintf-check-from-print-.patch
+drm-move-drm_mode_setcrtc-local-re-init-to-failure-p.patch
+drm-crtc-fix-uninitialized-variable-use-even-harder.patch
+virtio_console-fix-misc-probe-bugs.patch
+input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch
diff --git a/queue-4.19/tracing-remove-precision-vsnprintf-check-from-print-.patch b/queue-4.19/tracing-remove-precision-vsnprintf-check-from-print-.patch
new file mode 100644 (file)
index 0000000..a4d3be7
--- /dev/null
@@ -0,0 +1,69 @@
+From fe8aef5089cfb88aea88b1aded938aa6df049b40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 17:43:41 -0500
+Subject: tracing: Remove precision vsnprintf() check from print event
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+[ Upstream commit 5efd3e2aef91d2d812290dcb25b2058e6f3f532c ]
+
+This reverts 60be76eeabb3d ("tracing: Add size check when printing
+trace_marker output"). The only reason the precision check was added
+was because of a bug that miscalculated the write size of the string into
+the ring buffer and it truncated it removing the terminating nul byte. On
+reading the trace it crashed the kernel. But this was due to the bug in
+the code that happened during development and should never happen in
+practice. If anything, the precision can hide bugs where the string in the
+ring buffer isn't nul terminated and it will not be checked.
+
+Link: https://lore.kernel.org/all/C7E7AF1A-D30F-4D18-B8E5-AF1EF58004F5@linux.ibm.com/
+Link: https://lore.kernel.org/linux-trace-kernel/20240227125706.04279ac2@gandalf.local.home
+Link: https://lore.kernel.org/all/20240302111244.3a1674be@gandalf.local.home/
+Link: https://lore.kernel.org/linux-trace-kernel/20240304174341.2a561d9f@gandalf.local.home
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Fixes: 60be76eeabb3d ("tracing: Add size check when printing trace_marker output")
+Reported-by: Sachin Sant <sachinp@linux.ibm.com>
+Tested-by: Sachin Sant <sachinp@linux.ibm.com>
+Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_output.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
+index 43fb832d26d23..62015d62dd6f5 100644
+--- a/kernel/trace/trace_output.c
++++ b/kernel/trace/trace_output.c
+@@ -1320,12 +1320,11 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter,
+ {
+       struct print_entry *field;
+       struct trace_seq *s = &iter->seq;
+-      int max = iter->ent_size - offsetof(struct print_entry, buf);
+       trace_assign_type(field, iter->ent);
+       seq_print_ip_sym(s, field->ip, flags);
+-      trace_seq_printf(s, ": %.*s", max, field->buf);
++      trace_seq_printf(s, ": %s", field->buf);
+       return trace_handle_return(s);
+ }
+@@ -1334,11 +1333,10 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags,
+                                        struct trace_event *event)
+ {
+       struct print_entry *field;
+-      int max = iter->ent_size - offsetof(struct print_entry, buf);
+       trace_assign_type(field, iter->ent);
+-      trace_seq_printf(&iter->seq, "# %lx %.*s", field->ip, max, field->buf);
++      trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf);
+       return trace_handle_return(&iter->seq);
+ }
+-- 
+2.43.0
+
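Review bot: With `%.*s` replaced by `%s` in both trace_print_print() and trace_print_raw(), the output path now relies entirely on the writer having NUL-terminated `field->buf` inside the ring-buffer entry, and nothing in the new code says so. Since the message's rationale is precisely that an unterminated string should surface as a bug rather than be masked by the precision, a short comment at the first changed call would preserve that decision: `/* buf is NUL-terminated by the writer; no bound on purpose (see 5efd3e2aef91) */`. Both functions' signatures sit on the @@ header lines, so each function starts outside its hunk.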
diff --git a/queue-4.19/virtio_console-fix-misc-probe-bugs.patch b/queue-4.19/virtio_console-fix-misc-probe-bugs.patch
new file mode 100644 (file)
index 0000000..f31afab
--- /dev/null
@@ -0,0 +1,71 @@
+From 7b8296a7673e94fece9a88505bcf6a2cd28375b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 14:16:44 -0400
+Subject: virtio_console: fix misc probe bugs
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+[ Upstream commit b9efbe2b8f0177fa97bfab290d60858900aa196b ]
+
+This fixes the following issue discovered by code review:
+
+after vqs have been created, a buggy device can send an interrupt.
+
+A control vq callback will then try to schedule control_work which has
+not been initialized yet. Similarly for config interrupt.  Further, in
+and out vq callbacks invoke find_port_by_vq which attempts to take
+ports_lock which also has not been initialized.
+
+To fix, init all locks and work before creating vqs.
+
+Message-ID: <ad982e975a6160ad110c623c016041311ca15b4f.1726511547.git.mst@redhat.com>
+Fixes: 17634ba25544 ("virtio: console: Add a new MULTIPORT feature, support for generic ports")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/virtio_console.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
+index d3937d6904000..ad9e266652607 100644
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -2075,25 +2075,27 @@ static int virtcons_probe(struct virtio_device *vdev)
+               multiport = true;
+       }
+-      err = init_vqs(portdev);
+-      if (err < 0) {
+-              dev_err(&vdev->dev, "Error %d initializing vqs\n", err);
+-              goto free_chrdev;
+-      }
+-
+       spin_lock_init(&portdev->ports_lock);
+       INIT_LIST_HEAD(&portdev->ports);
+       INIT_LIST_HEAD(&portdev->list);
+-      virtio_device_ready(portdev->vdev);
+-
+       INIT_WORK(&portdev->config_work, &config_work_handler);
+       INIT_WORK(&portdev->control_work, &control_work_handler);
+       if (multiport) {
+               spin_lock_init(&portdev->c_ivq_lock);
+               spin_lock_init(&portdev->c_ovq_lock);
++      }
++      err = init_vqs(portdev);
++      if (err < 0) {
++              dev_err(&vdev->dev, "Error %d initializing vqs\n", err);
++              goto free_chrdev;
++      }
++
++      virtio_device_ready(portdev->vdev);
++
++      if (multiport) {
+               err = fill_queue(portdev->c_ivq, &portdev->c_ivq_lock);
+               if (err < 0) {
+                       dev_err(&vdev->dev,
+-- 
+2.43.0
+
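Review bot: The reordering in virtcons_probe() is correct per the message — ports_lock, the list heads, config_work/control_work and the c_ivq/c_ovq locks are now initialised before `init_vqs()` — but the code itself does not explain why the `if (multiport)` block was split in two around the vq creation, and a future tidy-up merging them would silently reopen the window. A comment above the first block, `/* Everything the vq and config callbacks touch must exist before init_vqs(): a device may raise an interrupt as soon as the vqs are created. */`, documents the invariant at the point where it matters. The error path is unaffected: an `init_vqs()` failure still goes to free_chrdev with only locks and empty lists initialised. virtcons_probe() and the second `if (multiport)` block continue outside the hunk.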