--- /dev/null
+From 66fbfb35da47f391bdadf9fa7ceb88af4faa9022 Mon Sep 17 00:00:00 2001
+From: Andrey Skvortsov <andrej.skvortzov@gmail.com>
+Date: Sat, 5 Aug 2023 11:48:47 +0300
+Subject: clk: Fix slab-out-of-bounds error in devm_clk_release()
+
+From: Andrey Skvortsov <andrej.skvortzov@gmail.com>
+
+commit 66fbfb35da47f391bdadf9fa7ceb88af4faa9022 upstream.
+
+Problem can be reproduced by unloading snd_soc_simple_card, because in
+devm_get_clk_from_child() devres data is allocated as `struct clk`, but
+devm_clk_release() expects devres data to be `struct devm_clk_state`.
+
+KASAN report:
+ ==================================================================
+ BUG: KASAN: slab-out-of-bounds in devm_clk_release+0x20/0x54
+ Read of size 8 at addr ffffff800ee09688 by task (udev-worker)/287
+
+ Call trace:
+ dump_backtrace+0xe8/0x11c
+ show_stack+0x1c/0x30
+ dump_stack_lvl+0x60/0x78
+ print_report+0x150/0x450
+ kasan_report+0xa8/0xf0
+ __asan_load8+0x78/0xa0
+ devm_clk_release+0x20/0x54
+ release_nodes+0x84/0x120
+ devres_release_all+0x144/0x210
+ device_unbind_cleanup+0x1c/0xac
+ really_probe+0x2f0/0x5b0
+ __driver_probe_device+0xc0/0x1f0
+ driver_probe_device+0x68/0x120
+ __driver_attach+0x140/0x294
+ bus_for_each_dev+0xec/0x160
+ driver_attach+0x38/0x44
+ bus_add_driver+0x24c/0x300
+ driver_register+0xf0/0x210
+ __platform_driver_register+0x48/0x54
+ asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card]
+ do_one_initcall+0xac/0x340
+ do_init_module+0xd0/0x300
+ load_module+0x2ba4/0x3100
+ __do_sys_init_module+0x2c8/0x300
+ __arm64_sys_init_module+0x48/0x5c
+ invoke_syscall+0x64/0x190
+ el0_svc_common.constprop.0+0x124/0x154
+ do_el0_svc+0x44/0xdc
+ el0_svc+0x14/0x50
+ el0t_64_sync_handler+0xec/0x11c
+ el0t_64_sync+0x14c/0x150
+
+ Allocated by task 287:
+ kasan_save_stack+0x38/0x60
+ kasan_set_track+0x28/0x40
+ kasan_save_alloc_info+0x20/0x30
+ __kasan_kmalloc+0xac/0xb0
+ __kmalloc_node_track_caller+0x6c/0x1c4
+ __devres_alloc_node+0x44/0xb4
+ devm_get_clk_from_child+0x44/0xa0
+ asoc_simple_parse_clk+0x1b8/0x1dc [snd_soc_simple_card_utils]
+ simple_parse_node.isra.0+0x1ec/0x230 [snd_soc_simple_card]
+ simple_dai_link_of+0x1bc/0x334 [snd_soc_simple_card]
+ __simple_for_each_link+0x2ec/0x320 [snd_soc_simple_card]
+ asoc_simple_probe+0x468/0x4dc [snd_soc_simple_card]
+ platform_probe+0x90/0xf0
+ really_probe+0x118/0x5b0
+ __driver_probe_device+0xc0/0x1f0
+ driver_probe_device+0x68/0x120
+ __driver_attach+0x140/0x294
+ bus_for_each_dev+0xec/0x160
+ driver_attach+0x38/0x44
+ bus_add_driver+0x24c/0x300
+ driver_register+0xf0/0x210
+ __platform_driver_register+0x48/0x54
+ asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card]
+ do_one_initcall+0xac/0x340
+ do_init_module+0xd0/0x300
+ load_module+0x2ba4/0x3100
+ __do_sys_init_module+0x2c8/0x300
+ __arm64_sys_init_module+0x48/0x5c
+ invoke_syscall+0x64/0x190
+ el0_svc_common.constprop.0+0x124/0x154
+ do_el0_svc+0x44/0xdc
+ el0_svc+0x14/0x50
+ el0t_64_sync_handler+0xec/0x11c
+ el0t_64_sync+0x14c/0x150
+
+ The buggy address belongs to the object at ffffff800ee09600
+ which belongs to the cache kmalloc-256 of size 256
+ The buggy address is located 136 bytes inside of
+ 256-byte region [ffffff800ee09600, ffffff800ee09700)
+
+ The buggy address belongs to the physical page:
+ page:000000002d97303b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ee08
+ head:000000002d97303b order:1 compound_mapcount:0 compound_pincount:0
+ flags: 0x10200(slab|head|zone=0)
+ raw: 0000000000010200 0000000000000000 dead000000000122 ffffff8002c02480
+ raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffffff800ee09580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffffff800ee09600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffffff800ee09680: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffffff800ee09700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffffff800ee09780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ==================================================================
+
+Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
+Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
+Link: https://lore.kernel.org/r/20230805084847.3110586-1-andrej.skvortzov@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/clk-devres.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/clk/clk-devres.c
++++ b/drivers/clk/clk-devres.c
+@@ -205,18 +205,19 @@ EXPORT_SYMBOL(devm_clk_put);
+ struct clk *devm_get_clk_from_child(struct device *dev,
+ struct device_node *np, const char *con_id)
+ {
+- struct clk **ptr, *clk;
++ struct devm_clk_state *state;
++ struct clk *clk;
+
+- ptr = devres_alloc(devm_clk_release, sizeof(*ptr), GFP_KERNEL);
+- if (!ptr)
++ state = devres_alloc(devm_clk_release, sizeof(*state), GFP_KERNEL);
++ if (!state)
+ return ERR_PTR(-ENOMEM);
+
+ clk = of_clk_get_by_name(np, con_id);
+ if (!IS_ERR(clk)) {
+- *ptr = clk;
+- devres_add(dev, ptr);
++ state->clk = clk;
++ devres_add(dev, state);
+ } else {
+- devres_free(ptr);
++ devres_free(state);
+ }
+
+ return clk;
--- /dev/null
+From bfedba3b2c7793ce127680bc8f70711e05ec7a17 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Wed, 23 Aug 2023 14:51:39 +1000
+Subject: ibmveth: Use dcbf rather than dcbfl
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit bfedba3b2c7793ce127680bc8f70711e05ec7a17 upstream.
+
+When building for power4, newer binutils don't recognise the "dcbfl"
+extended mnemonic.
+
+dcbfl RA, RB is equivalent to dcbf RA, RB, 1.
+
+Switch to "dcbf" to avoid the build error.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmveth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -196,7 +196,7 @@ static inline void ibmveth_flush_buffer(
+ unsigned long offset;
+
+ for (offset = 0; offset < length; offset += SMP_CACHE_BYTES)
+- asm("dcbfl %0,%1" :: "b" (addr), "r" (offset));
++ asm("dcbf %0,%1,1" :: "b" (addr), "r" (offset));
+ }
+
+ /* replenish the buffers for a pool. note that we don't need to
--- /dev/null
+From 1cbc11aaa01f80577b67ae02c73ee781112125fd Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Fri, 30 Jun 2023 09:18:13 -0400
+Subject: NFSv4: Fix dropped lock for racing OPEN and delegation return
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit 1cbc11aaa01f80577b67ae02c73ee781112125fd upstream.
+
+Commmit f5ea16137a3f ("NFSv4: Retry LOCK on OLD_STATEID during delegation
+return") attempted to solve this problem by using nfs4's generic async error
+handling, but introduced a regression where v4.0 lock recovery would hang.
+The additional complexity introduced by overloading that error handling is
+not necessary for this case. This patch expects that commit to be
+reverted.
+
+The problem as originally explained in the above commit is:
+
+ There's a small window where a LOCK sent during a delegation return can
+ race with another OPEN on client, but the open stateid has not yet been
+ updated. In this case, the client doesn't handle the OLD_STATEID error
+ from the server and will lose this lock, emitting:
+ "NFS: nfs4_handle_delegation_recall_error: unhandled error -10024".
+
+Fix this by using the old_stateid refresh helpers if the server replies
+with OLD_STATEID.
+
+Suggested-by: Trond Myklebust <trondmy@hammerspace.com>
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -7152,8 +7152,15 @@ static void nfs4_lock_done(struct rpc_ta
+ } else if (!nfs4_update_lock_stateid(lsp, &data->res.stateid))
+ goto out_restart;
+ break;
+- case -NFS4ERR_BAD_STATEID:
+ case -NFS4ERR_OLD_STATEID:
++ if (data->arg.new_lock_owner != 0 &&
++ nfs4_refresh_open_old_stateid(&data->arg.open_stateid,
++ lsp->ls_state))
++ goto out_restart;
++ if (nfs4_refresh_lock_old_stateid(&data->arg.lock_stateid, lsp))
++ goto out_restart;
++ fallthrough;
++ case -NFS4ERR_BAD_STATEID:
+ case -NFS4ERR_STALE_STATEID:
+ case -NFS4ERR_EXPIRED:
+ if (data->arg.new_lock_owner != 0) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
