--- /dev/null
+From 282a4b71816b6076029017a7bab3a9dcee12a920 Mon Sep 17 00:00:00 2001
+From: Eli Billauer <eli.billauer@gmail.com>
+Date: Sun, 30 Oct 2022 11:42:09 +0200
+Subject: char: xillybus: Prevent use-after-free due to race condition
+
+From: Eli Billauer <eli.billauer@gmail.com>
+
+commit 282a4b71816b6076029017a7bab3a9dcee12a920 upstream.
+
+The driver for XillyUSB devices maintains a kref reference count on each
+xillyusb_dev structure, which represents a physical device. This reference
+count reaches zero when the device has been disconnected and there are no
+open file descriptors that are related to the device. When this occurs,
+kref_put() calls cleanup_dev(), which clears up the device's data,
+including the structure itself.
+
+However, when xillyusb_open() is called, this reference count becomes
+tricky: This function needs to obtain the xillyusb_dev structure that
+relates to the inode's major and minor (as there can be several such).
+xillybus_find_inode() (which is defined in xillybus_class.c) is called
+for this purpose. xillybus_find_inode() holds a mutex that is global in
+xillybus_class.c to protect the list of devices, and releases this
+mutex before returning. As a result, nothing protects the xillyusb_dev's
+reference counter from being decremented to zero before xillyusb_open()
+increments it on its own behalf. Hence the structure can be freed
+due to a rare race condition.
+
+To solve this, a mutex is added. It is locked by xillyusb_open() before
+the call to xillybus_find_inode() and is released only after the kref
+counter has been incremented on behalf of the newly opened inode. This
+protects the kref reference counters of all xillyusb_dev structs from
+being decremented by xillyusb_disconnect() during this time segment, as
+the call to kref_put() in this function is done with the same lock held.
+
+There is no need to hold the lock on other calls to kref_put(), because
+if xillybus_find_inode() finds a struct, xillyusb_disconnect() has not
+made the call to remove it, and hence not made its call to kref_put(),
+which takes place afterwards. Hence preventing xillyusb_disconnect's
+call to kref_put() is enough to ensure that the reference doesn't reach
+zero before it's incremented by xillyusb_open().
+
+It would have been more natural to increment the reference count in
+xillybus_find_inode() of course, however this function is also called by
+Xillybus' driver for PCIe / OF, which registers a completely different
+structure. Therefore, xillybus_find_inode() treats these structures as
+void pointers, and accordingly can't make any changes.
+
+Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
+Link: https://lore.kernel.org/r/20221030094209.65916-1-eli.billauer@gmail.com
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/xillybus/xillyusb.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/xillybus/xillyusb.c
++++ b/drivers/char/xillybus/xillyusb.c
+@@ -185,6 +185,14 @@ struct xillyusb_dev {
+ struct mutex process_in_mutex; /* synchronize wakeup_all() */
+ };
+
++/*
++ * kref_mutex is used in xillyusb_open() to prevent the xillyusb_dev
++ * struct from being freed during the gap between being found by
++ * xillybus_find_inode() and having its reference count incremented.
++ */
++
++static DEFINE_MUTEX(kref_mutex);
++
+ /* FPGA to host opcodes */
+ enum {
+ OPCODE_DATA = 0,
+@@ -1234,9 +1242,16 @@ static int xillyusb_open(struct inode *i
+ int rc;
+ int index;
+
++ mutex_lock(&kref_mutex);
++
+ rc = xillybus_find_inode(inode, (void **)&xdev, &index);
+- if (rc)
++ if (rc) {
++ mutex_unlock(&kref_mutex);
+ return rc;
++ }
++
++ kref_get(&xdev->kref);
++ mutex_unlock(&kref_mutex);
+
+ chan = &xdev->channels[index];
+ filp->private_data = chan;
+@@ -1272,8 +1287,6 @@ static int xillyusb_open(struct inode *i
+ ((filp->f_mode & FMODE_WRITE) && chan->open_for_write))
+ goto unmutex_fail;
+
+- kref_get(&xdev->kref);
+-
+ if (filp->f_mode & FMODE_READ)
+ chan->open_for_read = 1;
+
+@@ -1410,6 +1423,7 @@ unopen:
+ return rc;
+
+ unmutex_fail:
++ kref_put(&xdev->kref, cleanup_dev);
+ mutex_unlock(&chan->lock);
+ return rc;
+ }
+@@ -2244,7 +2258,9 @@ static void xillyusb_disconnect(struct u
+
+ xdev->dev = NULL;
+
++ mutex_lock(&kref_mutex);
+ kref_put(&xdev->kref, cleanup_dev);
++ mutex_unlock(&kref_mutex);
+ }
+
+ static struct usb_driver xillyusb_driver = {
--- /dev/null
+From 406e8845356d18bdf3d3a23b347faf67706472ec Mon Sep 17 00:00:00 2001
+From: "Lin.Cao" <lincao12@amd.com>
+Date: Wed, 25 Oct 2023 11:32:41 +0800
+Subject: drm/amd: check num of link levels when update pcie param
+
+From: Lin.Cao <lincao12@amd.com>
+
+commit 406e8845356d18bdf3d3a23b347faf67706472ec upstream.
+
+In SR-IOV environment, the value of pcie_table->num_of_link_levels will
+be 0, and num_of_levels - 1 will cause array index out of bounds
+
+Signed-off-by: Lin.Cao <lincao12@amd.com>
+Acked-by: Jingwen Chen <Jingwen.Chen2@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+[ Resolve minor conflicts to fix CVE-2023-52812 ]
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
+@@ -2498,6 +2498,9 @@ int smu_v13_0_update_pcie_parameters(str
+ uint32_t smu_pcie_arg;
+ int ret, i;
+
++ if (!num_of_levels)
++ return 0;
++
+ if (!amdgpu_device_pcie_dynamic_switching_supported()) {
+ if (pcie_table->pcie_gen[num_of_levels - 1] < pcie_gen_cap)
+ pcie_gen_cap = pcie_table->pcie_gen[num_of_levels - 1];
--- /dev/null
+From a2db328b0839312c169eb42746ec46fc1ab53ed2 Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Thu, 23 May 2024 23:39:34 +0800
+Subject: null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit a2db328b0839312c169eb42746ec46fc1ab53ed2 upstream.
+
+Writing 'power' and 'submit_queues' concurrently will trigger kernel
+panic:
+
+Test script:
+
+modprobe null_blk nr_devices=0
+mkdir -p /sys/kernel/config/nullb/nullb0
+while true; do echo 1 > submit_queues; echo 4 > submit_queues; done &
+while true; do echo 1 > power; echo 0 > power; done
+
+Test result:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000148
+Oops: 0000 [#1] PREEMPT SMP
+RIP: 0010:__lock_acquire+0x41d/0x28f0
+Call Trace:
+ <TASK>
+ lock_acquire+0x121/0x450
+ down_write+0x5f/0x1d0
+ simple_recursive_removal+0x12f/0x5c0
+ blk_mq_debugfs_unregister_hctxs+0x7c/0x100
+ blk_mq_update_nr_hw_queues+0x4a3/0x720
+ nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
+ nullb_device_submit_queues_store+0x79/0xf0 [null_blk]
+ configfs_write_iter+0x119/0x1e0
+ vfs_write+0x326/0x730
+ ksys_write+0x74/0x150
+
+This is because del_gendisk() can concurrent with
+blk_mq_update_nr_hw_queues():
+
+nullb_device_power_store nullb_apply_submit_queues
+ null_del_dev
+ del_gendisk
+ nullb_update_nr_hw_queues
+ if (!dev->nullb)
+ // still set while gendisk is deleted
+ return 0
+ blk_mq_update_nr_hw_queues
+ dev->nullb = NULL
+
+Fix this problem by resuing the global mutex to protect
+nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.
+
+Fixes: 45919fbfe1c4 ("null_blk: Enable modifying 'submit_queues' after an instance has been configured")
+Reported-and-tested-by: Yi Zhang <yi.zhang@redhat.com>
+Closes: https://lore.kernel.org/all/CAHj4cs9LgsHLnjg8z06LQ3Pr5cax-+Ps+xT7AP7TPnEjStuwZA@mail.gmail.com/
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Link: https://lore.kernel.org/r/20240523153934.1937851-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/null_blk/main.c | 40 ++++++++++++++++++++++++++--------------
+ 1 file changed, 26 insertions(+), 14 deletions(-)
+
+--- a/drivers/block/null_blk/main.c
++++ b/drivers/block/null_blk/main.c
+@@ -392,13 +392,25 @@ static int nullb_update_nr_hw_queues(str
+ static int nullb_apply_submit_queues(struct nullb_device *dev,
+ unsigned int submit_queues)
+ {
+- return nullb_update_nr_hw_queues(dev, submit_queues, dev->poll_queues);
++ int ret;
++
++ mutex_lock(&lock);
++ ret = nullb_update_nr_hw_queues(dev, submit_queues, dev->poll_queues);
++ mutex_unlock(&lock);
++
++ return ret;
+ }
+
+ static int nullb_apply_poll_queues(struct nullb_device *dev,
+ unsigned int poll_queues)
+ {
+- return nullb_update_nr_hw_queues(dev, dev->submit_queues, poll_queues);
++ int ret;
++
++ mutex_lock(&lock);
++ ret = nullb_update_nr_hw_queues(dev, dev->submit_queues, poll_queues);
++ mutex_unlock(&lock);
++
++ return ret;
+ }
+
+ NULLB_DEVICE_ATTR(size, ulong, NULL);
+@@ -444,28 +456,31 @@ static ssize_t nullb_device_power_store(
+ if (ret < 0)
+ return ret;
+
++ ret = count;
++ mutex_lock(&lock);
+ if (!dev->power && newp) {
+ if (test_and_set_bit(NULLB_DEV_FL_UP, &dev->flags))
+- return count;
++ goto out;
++
+ ret = null_add_dev(dev);
+ if (ret) {
+ clear_bit(NULLB_DEV_FL_UP, &dev->flags);
+- return ret;
++ goto out;
+ }
+
+ set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);
+ dev->power = newp;
+ } else if (dev->power && !newp) {
+ if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) {
+- mutex_lock(&lock);
+ dev->power = newp;
+ null_del_dev(dev->nullb);
+- mutex_unlock(&lock);
+ }
+ clear_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);
+ }
+
+- return count;
++out:
++ mutex_unlock(&lock);
++ return ret;
+ }
+
+ CONFIGFS_ATTR(nullb_device_, power);
+@@ -2102,15 +2117,12 @@ static int null_add_dev(struct nullb_dev
+ blk_queue_flag_set(QUEUE_FLAG_NONROT, nullb->q);
+ blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, nullb->q);
+
+- mutex_lock(&lock);
+ rv = ida_alloc(&nullb_indexes, GFP_KERNEL);
+- if (rv < 0) {
+- mutex_unlock(&lock);
++ if (rv < 0)
+ goto out_cleanup_zone;
+- }
++
+ nullb->index = rv;
+ dev->index = rv;
+- mutex_unlock(&lock);
+
+ blk_queue_logical_block_size(nullb->q, dev->blocksize);
+ blk_queue_physical_block_size(nullb->q, dev->blocksize);
+@@ -2134,9 +2146,7 @@ static int null_add_dev(struct nullb_dev
+ if (rv)
+ goto out_ida_free;
+
+- mutex_lock(&lock);
+ list_add_tail(&nullb->list, &nullb_list);
+- mutex_unlock(&lock);
+
+ pr_info("disk %s created\n", nullb->disk_name);
+
+@@ -2185,7 +2195,9 @@ static int null_create_dev(void)
+ if (!dev)
+ return -ENOMEM;
+
++ mutex_lock(&lock);
+ ret = null_add_dev(dev);
++ mutex_unlock(&lock);
+ if (ret) {
+ null_free_dev(dev);
+ return ret;
--- /dev/null
+From d9ff882b54f99f96787fa3df7cd938966843c418 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Mon, 27 May 2024 13:34:45 +0900
+Subject: null_blk: Fix return value of nullb_device_power_store()
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit d9ff882b54f99f96787fa3df7cd938966843c418 upstream.
+
+When powering on a null_blk device that is not already on, the return
+value ret that is initialized to be count is reused to check the return
+value of null_add_dev(), leading to nullb_device_power_store() to return
+null_add_dev() return value (0 on success) instead of "count".
+So make sure to set ret to be equal to count when there are no errors.
+
+Fixes: a2db328b0839 ("null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'")
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
+Link: https://lore.kernel.org/r/20240527043445.235267-1-dlemoal@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/null_blk/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/block/null_blk/main.c
++++ b/drivers/block/null_blk/main.c
+@@ -470,6 +470,7 @@ static ssize_t nullb_device_power_store(
+
+ set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);
+ dev->power = newp;
++ ret = count;
+ } else if (dev->power && !newp) {
+ if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) {
+ dev->power = newp;
--- /dev/null
+From 95931a245b44ee04f3359ec432e73614d44d8b38 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 14 Jan 2024 10:00:59 +0100
+Subject: null_blk: Remove usage of the deprecated ida_simple_xx() API
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 95931a245b44ee04f3359ec432e73614d44d8b38 upstream.
+
+ida_alloc() and ida_free() should be preferred to the deprecated
+ida_simple_get() and ida_simple_remove().
+
+This is less verbose.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/bf257b1078475a415cdc3344c6a750842946e367.1705222845.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/null_blk/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/null_blk/main.c
++++ b/drivers/block/null_blk/main.c
+@@ -1764,7 +1764,7 @@ static void null_del_dev(struct nullb *n
+
+ dev = nullb->dev;
+
+- ida_simple_remove(&nullb_indexes, nullb->index);
++ ida_free(&nullb_indexes, nullb->index);
+
+ list_del_init(&nullb->list);
+
+@@ -2103,7 +2103,7 @@ static int null_add_dev(struct nullb_dev
+ blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, nullb->q);
+
+ mutex_lock(&lock);
+- rv = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL);
++ rv = ida_alloc(&nullb_indexes, GFP_KERNEL);
+ if (rv < 0) {
+ mutex_unlock(&lock);
+ goto out_cleanup_zone;
--- /dev/null
+From 7ae04ba36b381bffe2471eff3a93edced843240f Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sat, 27 Jul 2024 20:22:52 +0200
+Subject: parisc: fix a possible DMA corruption
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 7ae04ba36b381bffe2471eff3a93edced843240f upstream.
+
+ARCH_DMA_MINALIGN was defined as 16 - this is too small - it may be
+possible that two unrelated 16-byte allocations share a cache line. If
+one of these allocations is written using DMA and the other is written
+using cached write, the value that was written with DMA may be
+corrupted.
+
+This commit changes ARCH_DMA_MINALIGN to be 128 on PA20 and 32 on PA1.1 -
+that's the largest possible cache line size.
+
+As different parisc microarchitectures have different cache line size, we
+define arch_slab_minalign(), cache_line_size() and
+dma_get_cache_alignment() so that the kernel may tune slab cache
+parameters dynamically, based on the detected cache line size.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/Kconfig | 1 +
+ arch/parisc/include/asm/cache.h | 11 ++++++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/Kconfig
++++ b/arch/parisc/Kconfig
+@@ -18,6 +18,7 @@ config PARISC
+ select ARCH_SUPPORTS_HUGETLBFS if PA20
+ select ARCH_SUPPORTS_MEMORY_FAILURE
+ select ARCH_STACKWALK
++ select ARCH_HAS_CACHE_LINE_SIZE
+ select ARCH_HAS_DEBUG_VM_PGTABLE
+ select HAVE_RELIABLE_STACKTRACE
+ select DMA_OPS
+--- a/arch/parisc/include/asm/cache.h
++++ b/arch/parisc/include/asm/cache.h
+@@ -20,7 +20,16 @@
+
+ #define SMP_CACHE_BYTES L1_CACHE_BYTES
+
+-#define ARCH_DMA_MINALIGN L1_CACHE_BYTES
++#ifdef CONFIG_PA20
++#define ARCH_DMA_MINALIGN 128
++#else
++#define ARCH_DMA_MINALIGN 32
++#endif
++#define ARCH_KMALLOC_MINALIGN 16 /* ldcw requires 16-byte alignment */
++
++#define arch_slab_minalign() ((unsigned)dcache_stride)
++#define cache_line_size() dcache_stride
++#define dma_get_cache_alignment cache_line_size
+
+ #define __read_mostly __section(".data..read_mostly")
+
mm-unconditionally-close-vmas-on-error.patch
mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling.patch
mm-resolve-faulty-mmap_region-error-path-behaviour.patch
+drm-amd-check-num-of-link-levels-when-update-pcie-param.patch
+char-xillybus-prevent-use-after-free-due-to-race-condition.patch
+null_blk-remove-usage-of-the-deprecated-ida_simple_xx-api.patch
+null_blk-fix-null-ptr-dereference-while-configuring-power-and-submit_queues.patch
+null_blk-fix-return-value-of-nullb_device_power_store.patch
+parisc-fix-a-possible-dma-corruption.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
