--- /dev/null
+From a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Fri, 5 Apr 2024 15:43:45 -0400
+Subject: Bluetooth: RFCOMM: Fix not validating setsockopt user input
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 upstream.
+
+syzbot reported rfcomm_sock_setsockopt_old() is copying data without
+checking user input length.
+
+BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset
+include/linux/sockptr.h:49 [inline]
+BUG: KASAN: slab-out-of-bounds in copy_from_sockptr
+include/linux/sockptr.h:55 [inline]
+BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old
+net/bluetooth/rfcomm/sock.c:632 [inline]
+BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70
+net/bluetooth/rfcomm/sock.c:673
+Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064
+
+Fixes: 9f2c8a03fbb3 ("Bluetooth: Replace RFCOMM link mode with security level")
+Fixes: bb23c0ab8246 ("Bluetooth: Add support for deferring RFCOMM connection setup")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/rfcomm/sock.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -631,7 +631,7 @@ static int rfcomm_sock_setsockopt_old(st
+
+ switch (optname) {
+ case RFCOMM_LM:
+- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
++ if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) {
+ err = -EFAULT;
+ break;
+ }
+@@ -666,7 +666,6 @@ static int rfcomm_sock_setsockopt(struct
+ struct sock *sk = sock->sk;
+ struct bt_security sec;
+ int err = 0;
+- size_t len;
+ u32 opt;
+
+ BT_DBG("sk %p", sk);
+@@ -688,11 +687,9 @@ static int rfcomm_sock_setsockopt(struct
+
+ sec.level = BT_SECURITY_LOW;
+
+- len = min_t(unsigned int, sizeof(sec), optlen);
+- if (copy_from_sockptr(&sec, optval, len)) {
+- err = -EFAULT;
++ err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen);
++ if (err)
+ break;
+- }
+
+ if (sec.level > BT_SECURITY_HIGH) {
+ err = -EINVAL;
+@@ -708,10 +705,9 @@ static int rfcomm_sock_setsockopt(struct
+ break;
+ }
+
+- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
+- err = -EFAULT;
++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ if (err)
+ break;
+- }
+
+ if (opt)
+ set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
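Review bot: The two call sites in rfcomm_sock_setsockopt() (the BT_SECURITY copy into `sec` and the copy that feeds BT_SK_DEFER_SETUP) assign the helper's return value straight to `err`, while the RFCOMM_LM site in rfcomm_sock_setsockopt_old() still collapses every failure to -EFAULT, so the three paths can report the same bad input differently. bt_copy_from_sockptr() is not defined in this patch; if it forwards copy_from_sockptr()'s result unchanged, a faulting copy could leave a positive byte count in `err` instead of an errno, so confirm the helper's contract in the target tree or normalise after the call with `if (err > 0) err = -EFAULT;`. The BT_SECURITY path also used to accept a short buffer through `min_t(unsigned int, sizeof(sec), optlen)`; if the helper rejects `optlen < sizeof(sec)`, as the commit's stated intent suggests, that is a userspace-visible change which the changelog should mention. Both function bodies continue outside the hunks.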
--- /dev/null
+From 2f8dea1692eef2b7ba6a256246ed82c365fdc686 Mon Sep 17 00:00:00 2001
+From: Koichiro Den <koichiro.den@canonical.com>
+Date: Fri, 20 Dec 2024 22:44:21 +0900
+Subject: hrtimers: Handle CPU state correctly on hotplug
+
+From: Koichiro Den <koichiro.den@canonical.com>
+
+commit 2f8dea1692eef2b7ba6a256246ed82c365fdc686 upstream.
+
+Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway
+through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to
+CPUHP_ONLINE:
+
+Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set
+to 1 throughout. However, during a CPU unplug operation, the tick and the
+clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online
+state, for instance CFS incorrectly assumes that the hrtick is already
+active, and the chance of the clockevent device to transition to oneshot
+mode is also lost forever for the CPU, unless it goes back to a lower state
+than CPUHP_HRTIMERS_PREPARE once.
+
+This round-trip reveals another issue; cpu_base.online is not set to 1
+after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().
+
+Aside of that, the bulk of the per CPU state is not reset either, which
+means there are dangling pointers in the worst case.
+
+Address this by adding a corresponding startup() callback, which resets the
+stale per CPU state and sets the online flag.
+
+[ tglx: Make the new callback unconditionally available, remove the online
+ modification in the prepare() callback and clear the remaining
+ state in the starting callback instead of the prepare callback ]
+
+Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier")
+Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20241220134421.3809834-1-koichiro.den@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/hrtimer.h | 1 +
+ kernel/cpu.c | 2 +-
+ kernel/time/hrtimer.c | 11 ++++++++++-
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/include/linux/hrtimer.h
++++ b/include/linux/hrtimer.h
+@@ -527,6 +527,7 @@ extern void __init hrtimers_init(void);
+ extern void sysrq_timer_list_show(void);
+
+ int hrtimers_prepare_cpu(unsigned int cpu);
++int hrtimers_cpu_starting(unsigned int cpu);
+ #ifdef CONFIG_HOTPLUG_CPU
+ int hrtimers_cpu_dying(unsigned int cpu);
+ #else
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -1664,7 +1664,7 @@ static struct cpuhp_step cpuhp_hp_states
+ },
+ [CPUHP_AP_HRTIMERS_DYING] = {
+ .name = "hrtimers:dying",
+- .startup.single = NULL,
++ .startup.single = hrtimers_cpu_starting,
+ .teardown.single = hrtimers_cpu_dying,
+ },
+
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -2074,6 +2074,15 @@ int hrtimers_prepare_cpu(unsigned int cp
+ }
+
+ cpu_base->cpu = cpu;
++ hrtimer_cpu_base_init_expiry_lock(cpu_base);
++ return 0;
++}
++
++int hrtimers_cpu_starting(unsigned int cpu)
++{
++ struct hrtimer_cpu_base *cpu_base = this_cpu_ptr(&hrtimer_bases);
++
++ /* Clear out any left over state from a CPU down operation */
+ cpu_base->active_bases = 0;
+ cpu_base->hres_active = 0;
+ cpu_base->hang_detected = 0;
+@@ -2082,7 +2091,6 @@ int hrtimers_prepare_cpu(unsigned int cp
+ cpu_base->expires_next = KTIME_MAX;
+ cpu_base->softirq_expires_next = KTIME_MAX;
+ cpu_base->online = 1;
+- hrtimer_cpu_base_init_expiry_lock(cpu_base);
+ return 0;
+ }
+
+@@ -2160,6 +2168,7 @@ int hrtimers_cpu_dying(unsigned int dyin
+ void __init hrtimers_init(void)
+ {
+ hrtimers_prepare_cpu(smp_processor_id());
++ hrtimers_cpu_starting(smp_processor_id());
+ open_softirq(HRTIMER_SOFTIRQ, hrtimer_run_softirq);
+ }
+
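Review bot: hrtimers_cpu_starting() takes `cpu` but never uses it; the state it resets comes from `this_cpu_ptr(&hrtimer_bases)`, so the function is only correct when it runs on the CPU being brought up. Nothing in the new code states that requirement, and hrtimers_init() passes `smp_processor_id()` only to satisfy the signature. Because this reset is what clears the stale per-CPU pointers the changelog mentions, a comment above the function should make the contract explicit, for example `/* Must run on the starting CPU: resets this CPU's base, @cpu is unused. */`. The kernel/cpu.c hunk also attaches the new startup callback to the state still named "hrtimers:dying", which deserves a one-line comment there since that entry now does work in both directions.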
--- /dev/null
+From 0d62a49ab55c99e8deb4593b8d9f923de1ab5c18 Mon Sep 17 00:00:00 2001
+From: Yogesh Lal <quic_ylal@quicinc.com>
+Date: Fri, 20 Dec 2024 15:09:07 +0530
+Subject: irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly
+
+From: Yogesh Lal <quic_ylal@quicinc.com>
+
+commit 0d62a49ab55c99e8deb4593b8d9f923de1ab5c18 upstream.
+
+When a CPU attempts to enter low power mode, it disables the redistributor
+and Group 1 interrupts and reinitializes the system registers upon wakeup.
+
+If the transition into low power mode fails, then the CPU_PM framework
+invokes the PM notifier callback with CPU_PM_ENTER_FAILED to allow the
+drivers to undo the state changes.
+
+The GIC V3 driver ignores CPU_PM_ENTER_FAILED, which leaves the GIC in
+disabled state.
+
+Handle CPU_PM_ENTER_FAILED in the same way as CPU_PM_EXIT to restore normal
+operation.
+
+[ tglx: Massage change log, add Fixes tag ]
+
+Fixes: 3708d52fc6bb ("irqchip: gic-v3: Implement CPU PM notifier")
+Signed-off-by: Yogesh Lal <quic_ylal@quicinc.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20241220093907.2747601-1-quic_ylal@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -1309,7 +1309,7 @@ static int gic_retrigger(struct irq_data
+ static int gic_cpu_pm_notifier(struct notifier_block *self,
+ unsigned long cmd, void *v)
+ {
+- if (cmd == CPU_PM_EXIT) {
++ if (cmd == CPU_PM_EXIT || cmd == CPU_PM_ENTER_FAILED) {
+ if (gic_dist_security_disabled())
+ gic_enable_redist(true);
+ gic_cpu_sys_reg_init();
--- /dev/null
+From 9322d1915f9d976ee48c09d800fbd5169bc2ddcc Mon Sep 17 00:00:00 2001
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Date: Sun, 15 Dec 2024 12:39:45 +0900
+Subject: irqchip: Plug a OF node reference leak in platform_irqchip_probe()
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+commit 9322d1915f9d976ee48c09d800fbd5169bc2ddcc upstream.
+
+platform_irqchip_probe() leaks a OF node when irq_init_cb() fails. Fix it
+by declaring par_np with the __free(device_node) cleanup construct.
+
+This bug was found by an experimental static analysis tool that I am
+developing.
+
+Fixes: f8410e626569 ("irqchip: Add IRQCHIP_PLATFORM_DRIVER_BEGIN/END and IRQCHIP_MATCH helper macros")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20241215033945.3414223-1-joe@pf.is.s.u-tokyo.ac.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irqchip.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/irqchip/irqchip.c
++++ b/drivers/irqchip/irqchip.c
+@@ -35,11 +35,10 @@ void __init irqchip_init(void)
+ int platform_irqchip_probe(struct platform_device *pdev)
+ {
+ struct device_node *np = pdev->dev.of_node;
+- struct device_node *par_np = of_irq_find_parent(np);
++ struct device_node *par_np __free(device_node) = of_irq_find_parent(np);
+ of_irq_init_cb_t irq_init_cb = of_device_get_match_data(&pdev->dev);
+
+ if (!irq_init_cb) {
+- of_node_put(par_np);
+ return -EINVAL;
+ }
+
+@@ -55,7 +54,6 @@ int platform_irqchip_probe(struct platfo
+ * interrupt controller can check for specific domains as necessary.
+ */
+ if (par_np && !irq_find_matching_host(par_np, DOMAIN_BUS_ANY)) {
+- of_node_put(par_np);
+ return -EPROBE_DEFER;
+ }
+
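Review bot: With `__free(device_node)` on `par_np`, the reference is now dropped on every return from platform_irqchip_probe(), including the success path, and the end of the function (outside these hunks) is presumably where `par_np` is handed to `irq_init_cb`. If a callback keeps that pointer without taking its own reference it would be left holding an unreferenced node, and any reassignment of `par_np` in the lines between the two hunks would bypass the automatic put; both should be checked against the full function in the target tree. The backport also depends on the scope-based cleanup helpers being available in this stable branch, which the patch does not show. As a style point, both `if` bodies are now single statements, so the braces can go: `if (!irq_init_cb)` followed by `return -EINVAL;`.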
--- /dev/null
+From stable+bounces-109388-greg=kroah.com@vger.kernel.org Fri Jan 17 16:16:38 2025
+From: Terry Tritton <terry.tritton@linaro.org>
+Date: Fri, 17 Jan 2025 15:15:51 +0000
+Subject: Revert "PCI: Use preserve_config in place of pci_flags"
+To: stable <stable@vger.kernel.org>
+Cc: Terry Tritton <ttritton@google.com>, Greg KH <gregkh@linuxfoundation.org>, Vidya Sagar <vidyas@nvidia.com>, Sasha Levin <sashal@kernel.org>, Daniel Verkamp <dverkamp@chromium.org>, Terry Tritton <terry.tritton@linaro.org>
+Message-ID: <20250117151551.6409-1-terry.tritton@linaro.org>
+
+From: Terry Tritton <terry.tritton@linaro.org>
+
+This reverts commit 0dde3ae52a0dcc5cdfe2185ec58ec52b43fda22e which is
+commit 7246a4520b4bf1494d7d030166a11b5226f6d508 upstream.
+
+This patch causes a regression in cuttlefish/crossvm boot on arm64.
+
+The patch was part of a series that when applied will not cause a regression
+but this patch was backported to the 5.10 branch by itself.
+
+The other patches do not apply cleanly to the 5.10 branch.
+
+Signed-off-by: Terry Tritton <terry.tritton@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pci-host-common.c | 4 ++++
+ drivers/pci/probe.c | 20 +++++++++++---------
+ 2 files changed, 15 insertions(+), 9 deletions(-)
+
+--- a/drivers/pci/controller/pci-host-common.c
++++ b/drivers/pci/controller/pci-host-common.c
+@@ -71,6 +71,10 @@ int pci_host_common_probe(struct platfor
+ if (IS_ERR(cfg))
+ return PTR_ERR(cfg);
+
++ /* Do not reassign resources if probe only */
++ if (!pci_has_flag(PCI_PROBE_ONLY))
++ pci_add_flags(PCI_REASSIGN_ALL_BUS);
++
+ bridge->sysdata = cfg;
+ bridge->ops = (struct pci_ops *)&ops->pci_ops;
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -3018,18 +3018,20 @@ int pci_host_probe(struct pci_host_bridg
+
+ bus = bridge->bus;
+
+- /* If we must preserve the resource configuration, claim now */
+- if (bridge->preserve_config)
+- pci_bus_claim_resources(bus);
+-
+ /*
+- * Assign whatever was left unassigned. If we didn't claim above,
+- * this will reassign everything.
++ * We insert PCI resources into the iomem_resource and
++ * ioport_resource trees in either pci_bus_claim_resources()
++ * or pci_bus_assign_resources().
+ */
+- pci_assign_unassigned_root_bus_resources(bus);
++ if (pci_has_flag(PCI_PROBE_ONLY)) {
++ pci_bus_claim_resources(bus);
++ } else {
++ pci_bus_size_bridges(bus);
++ pci_bus_assign_resources(bus);
+
+- list_for_each_entry(child, &bus->children, node)
+- pcie_bus_configure_settings(child);
++ list_for_each_entry(child, &bus->children, node)
++ pcie_bus_configure_settings(child);
++ }
+
+ pci_bus_add_devices(bus);
+ return 0;
vsock-reset-socket-state-when-de-assigning-the-transport.patch
fs-proc-fix-softlockup-in-__read_vmcore-part-2.patch
gpiolib-cdev-fix-use-after-free-in-lineinfo_changed_notify.patch
+bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
+irqchip-plug-a-of-node-reference-leak-in-platform_irqchip_probe.patch
+irqchip-gic-v3-handle-cpu_pm_enter_failed-correctly.patch
+hrtimers-handle-cpu-state-correctly-on-hotplug.patch
+revert-pci-use-preserve_config-in-place-of-pci_flags.patch