Fixes for 4.14

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.14/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch b/queue-4.14/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch
new file mode 100644 (file)
index 0000000..3100401
--- /dev/null
+++ b/queue-4.14/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch
@@ -0,0 +1,49 @@
+From 39073af5e57389d49810639f5e9407d04117193e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Apr 2022 17:15:08 +0200
+Subject: ALSA: usb-audio: Fix undefined behavior due to shift overflowing the
+ constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit 1ef8715975de8bd481abbd0839ed4f49d9e5b0ff ]
+
+Fix:
+
+  sound/usb/midi.c: In function ‘snd_usbmidi_out_endpoint_create’:
+  sound/usb/midi.c:1389:2: error: case label does not reduce to an integer constant
+    case USB_ID(0xfc08, 0x0101): /* Unknown vendor Cable */
+    ^~~~
+
+See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory
+details as to why it triggers with older gccs only.
+
+[ A slight correction with parentheses around the argument by tiwai ]
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/r/20220405151517.29753-3-bp@alien8.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/usbaudio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h
+index 62456a806bb4..4b8f1c46420d 100644
+--- a/sound/usb/usbaudio.h
++++ b/sound/usb/usbaudio.h
+@@ -22,7 +22,7 @@
+  */
+ 
+ /* handling of USB vendor/product ID pairs as 32-bit numbers */
+-#define USB_ID(vendor, product) (((vendor) << 16) | (product))
++#define USB_ID(vendor, product) (((unsigned int)(vendor) << 16) | (product))
+ #define USB_ID_VENDOR(id) ((id) >> 16)
+ #define USB_ID_PRODUCT(id) ((u16)(id))
+ 
+-- 
+2.35.1
+

diff --git a/queue-4.14/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch b/queue-4.14/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch
new file mode 100644 (file)
index 0000000..5541200
--- /dev/null
+++ b/queue-4.14/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch
@@ -0,0 +1,58 @@
+From 070dbacf8bf6c201f7acaa29234b79f494610f7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Mar 2022 12:04:43 -0700
+Subject: ARM: vexpress/spc: Avoid negative array index when !SMP
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit b3f1dd52c991d79118f35e6d1bf4d7cb09882e38 ]
+
+When building multi_v7_defconfig+CONFIG_SMP=n, -Warray-bounds exposes
+a couple negative array index accesses:
+
+arch/arm/mach-vexpress/spc.c: In function 've_spc_clk_init':
+arch/arm/mach-vexpress/spc.c:583:21: warning: array subscript -1 is below array bounds of 'bool[2]' {aka '_Bool[2]'} [-Warray-bounds]
+  583 |   if (init_opp_table[cluster])
+      |       ~~~~~~~~~~~~~~^~~~~~~~~
+arch/arm/mach-vexpress/spc.c:556:7: note: while referencing 'init_opp_table'
+  556 |  bool init_opp_table[MAX_CLUSTERS] = { false };
+      |       ^~~~~~~~~~~~~~
+arch/arm/mach-vexpress/spc.c:592:18: warning: array subscript -1 is below array bounds of 'bool[2]' {aka '_Bool[2]'} [-Warray-bounds]
+  592 |    init_opp_table[cluster] = true;
+      |    ~~~~~~~~~~~~~~^~~~~~~~~
+arch/arm/mach-vexpress/spc.c:556:7: note: while referencing 'init_opp_table'
+  556 |  bool init_opp_table[MAX_CLUSTERS] = { false };
+      |       ^~~~~~~~~~~~~~
+
+Skip this logic when built !SMP.
+
+Link: https://lore.kernel.org/r/20220331190443.851661-1-keescook@chromium.org
+Cc: Liviu Dudau <liviu.dudau@arm.com>
+Cc: Sudeep Holla <sudeep.holla@arm.com>
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: linux-arm-kernel@lists.infradead.org
+Acked-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-vexpress/spc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-vexpress/spc.c b/arch/arm/mach-vexpress/spc.c
+index 635b0d549487..c16f39614003 100644
+--- a/arch/arm/mach-vexpress/spc.c
++++ b/arch/arm/mach-vexpress/spc.c
+@@ -584,7 +584,7 @@ static int __init ve_spc_clk_init(void)
+               }
+ 
+               cluster = topology_physical_package_id(cpu_dev->id);
+-              if (init_opp_table[cluster])
++              if (cluster < 0 || init_opp_table[cluster])
+                       continue;
+ 
+               if (ve_init_opp_table(cpu_dev))
+-- 
+2.35.1
+

diff --git a/queue-4.14/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch b/queue-4.14/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch
new file mode 100644 (file)
index 0000000..7aa8824
--- /dev/null
+++ b/queue-4.14/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch
@@ -0,0 +1,59 @@
+From 86f7c4093024bdff6f5bb56fa3cb98d14ad8382f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Apr 2022 18:55:37 +0200
+Subject: brcmfmac: sdio: Fix undefined behavior due to shift overflowing the
+ constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov <bp@alien8.de>
+
+[ Upstream commit 6fb3a5868b2117611f41e421e10e6a8c2a13039a ]
+
+Fix:
+
+  drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c: In function ‘brcmf_sdio_drivestrengthinit’:
+  drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:3798:2: error: case label does not reduce to an integer constant
+    case SDIOD_DRVSTR_KEY(BRCM_CC_43143_CHIP_ID, 17):
+    ^~~~
+  drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:3809:2: error: case label does not reduce to an integer constant
+    case SDIOD_DRVSTR_KEY(BRCM_CC_43362_CHIP_ID, 13):
+    ^~~~
+
+See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory
+details as to why it triggers with older gccs only.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Arend van Spriel <aspriel@gmail.com>
+Cc: Franky Lin <franky.lin@broadcom.com>
+Cc: Hante Meuleman <hante.meuleman@broadcom.com>
+Cc: Kalle Valo <kvalo@kernel.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: brcm80211-dev-list.pdl@broadcom.com
+Cc: netdev@vger.kernel.org
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/Ykx0iRlvtBnKqtbG@zn.tnic
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+index d198a8780b96..8fa4ffff7c32 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -552,7 +552,7 @@ enum brcmf_sdio_frmtype {
+       BRCMF_SDIO_FT_SUB,
+ };
+ 
+-#define SDIOD_DRVSTR_KEY(chip, pmu)     (((chip) << 16) | (pmu))
++#define SDIOD_DRVSTR_KEY(chip, pmu)     (((unsigned int)(chip) << 16) | (pmu))
+ 
+ /* SDIO Pad drive strength to select value mappings */
+ struct sdiod_drive_str {
+-- 
+2.35.1
+

diff --git a/queue-4.14/cifs-check-the-iocb_direct-flag-not-o_direct.patch b/queue-4.14/cifs-check-the-iocb_direct-flag-not-o_direct.patch
new file mode 100644 (file)
index 0000000..75c6eed
--- /dev/null
+++ b/queue-4.14/cifs-check-the-iocb_direct-flag-not-o_direct.patch
@@ -0,0 +1,39 @@
+From a1647bb21db89c1b2e4b22104cd6e77497bda198 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Apr 2022 00:03:14 +0100
+Subject: cifs: Check the IOCB_DIRECT flag, not O_DIRECT
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 994fd530a512597ffcd713b0f6d5bc916c5698f0 ]
+
+Use the IOCB_DIRECT indicator flag on the I/O context rather than checking to
+see if the file was opened O_DIRECT.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Steve French <sfrench@samba.org>
+cc: Shyam Prasad N <nspmangalore@gmail.com>
+cc: Rohith Surabattula <rohiths.msft@gmail.com>
+cc: linux-cifs@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
+index dba0d12c3db1..1d3f98572068 100644
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -773,7 +773,7 @@ cifs_loose_read_iter(struct kiocb *iocb, struct iov_iter *iter)
+       ssize_t rc;
+       struct inode *inode = file_inode(iocb->ki_filp);
+ 
+-      if (iocb->ki_filp->f_flags & O_DIRECT)
++      if (iocb->ki_flags & IOCB_DIRECT)
+               return cifs_user_readv(iocb, iter);
+ 
+       rc = cifs_revalidate_mapping(inode);
+-- 
+2.35.1
+

diff --git a/queue-4.14/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch b/queue-4.14/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch
new file mode 100644 (file)
index 0000000..ed5c2b2
--- /dev/null
+++ b/queue-4.14/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch
@@ -0,0 +1,46 @@
+From dc7048449299964580d48f3c3eb7a93db4030431 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Mar 2022 06:49:51 +0000
+Subject: dmaengine: imx-sdma: Fix error checking in sdma_event_remap
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 7104b9cb35a33ad803a1adbbfa50569b008faf15 ]
+
+of_parse_phandle() returns NULL on errors, rather than error
+pointers. Using NULL check on grp_np to fix this.
+
+Fixes: d078cd1b4185 ("dmaengine: imx-sdma: Add imx6sx platform support")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220308064952.15743-1-linmq006@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/imx-sdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
+index 99f3f22ed647..02d13a44ba45 100644
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -1528,7 +1528,7 @@ static int sdma_event_remap(struct sdma_engine *sdma)
+       u32 reg, val, shift, num_map, i;
+       int ret = 0;
+ 
+-      if (IS_ERR(np) || IS_ERR(gpr_np))
++      if (IS_ERR(np) || !gpr_np)
+               goto out;
+ 
+       event_remap = of_find_property(np, propname, NULL);
+@@ -1576,7 +1576,7 @@ static int sdma_event_remap(struct sdma_engine *sdma)
+       }
+ 
+ out:
+-      if (!IS_ERR(gpr_np))
++      if (gpr_np)
+               of_node_put(gpr_np);
+ 
+       return ret;
+-- 
+2.35.1
+

diff --git a/queue-4.14/drm-msm-mdp5-check-the-return-of-kzalloc.patch b/queue-4.14/drm-msm-mdp5-check-the-return-of-kzalloc.patch
new file mode 100644 (file)
index 0000000..8f69a10
--- /dev/null
+++ b/queue-4.14/drm-msm-mdp5-check-the-return-of-kzalloc.patch
@@ -0,0 +1,45 @@
+From 8081aa968b2fb73aa79a24b04bb74f1004cf5036 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Apr 2022 10:31:51 +0800
+Subject: drm/msm/mdp5: check the return of kzalloc()
+
+From: Xiaoke Wang <xkernel.wang@foxmail.com>
+
+[ Upstream commit 047ae665577776b7feb11bd4f81f46627cff95e7 ]
+
+kzalloc() is a memory allocation function which can return NULL when
+some internal memory errors happen. So it is better to check it to
+prevent potential wrong memory access.
+
+Besides, since mdp5_plane_reset() is void type, so we should better
+set `plane-state` to NULL after releasing it.
+
+Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/481055/
+Link: https://lore.kernel.org/r/tencent_8E2A1C78140EE1784AB2FF4B2088CC0AB908@qq.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c
+index 4b22ac3413a1..1f9e3c5ea47d 100644
+--- a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c
++++ b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_plane.c
+@@ -197,7 +197,10 @@ static void mdp5_plane_reset(struct drm_plane *plane)
+               drm_framebuffer_unreference(plane->state->fb);
+ 
+       kfree(to_mdp5_plane_state(plane->state));
++      plane->state = NULL;
+       mdp5_state = kzalloc(sizeof(*mdp5_state), GFP_KERNEL);
++      if (!mdp5_state)
++              return;
+ 
+       /* assign default blend parameters */
+       mdp5_state->alpha = 255;
+-- 
+2.35.1
+

diff --git a/queue-4.14/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch b/queue-4.14/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch
new file mode 100644 (file)
index 0000000..9d5693a
--- /dev/null
+++ b/queue-4.14/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch
@@ -0,0 +1,64 @@
+From 8168f5d5e491a78d2f8d0c95049aa2a6b040769b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Apr 2022 19:16:59 +0300
+Subject: net: macb: Restart tx only if queue pointer is lagging
+
+From: Tomas Melin <tomas.melin@vaisala.com>
+
+[ Upstream commit 5ad7f18cd82cee8e773d40cc7a1465a526f2615c ]
+
+commit 4298388574da ("net: macb: restart tx after tx used bit read")
+added support for restarting transmission. Restarting tx does not work
+in case controller asserts TXUBR interrupt and TQBP is already at the end
+of the tx queue. In that situation, restarting tx will immediately cause
+assertion of another TXUBR interrupt. The driver will end up in an infinite
+interrupt loop which it cannot break out of.
+
+For cases where TQBP is at the end of the tx queue, instead
+only clear TX_USED interrupt. As more data gets pushed to the queue,
+transmission will resume.
+
+This issue was observed on a Xilinx Zynq-7000 based board.
+During stress test of the network interface,
+driver would get stuck on interrupt loop within seconds or minutes
+causing CPU to stall.
+
+Signed-off-by: Tomas Melin <tomas.melin@vaisala.com>
+Tested-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20220407161659.14532-1-tomas.melin@vaisala.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 045ab0ec5ca2..456d84cbcc6b 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1265,6 +1265,7 @@ static void macb_tx_restart(struct macb_queue *queue)
+       unsigned int head = queue->tx_head;
+       unsigned int tail = queue->tx_tail;
+       struct macb *bp = queue->bp;
++      unsigned int head_idx, tbqp;
+ 
+       if (bp->caps & MACB_CAPS_ISR_CLEAR_ON_WRITE)
+               queue_writel(queue, ISR, MACB_BIT(TXUBR));
+@@ -1272,6 +1273,13 @@ static void macb_tx_restart(struct macb_queue *queue)
+       if (head == tail)
+               return;
+ 
++      tbqp = queue_readl(queue, TBQP) / macb_dma_desc_get_size(bp);
++      tbqp = macb_adj_dma_desc_idx(bp, macb_tx_ring_wrap(bp, tbqp));
++      head_idx = macb_adj_dma_desc_idx(bp, macb_tx_ring_wrap(bp, head));
++
++      if (tbqp == head_idx)
++              return;
++
+       macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART));
+ }
+ 
+-- 
+2.35.1
+

diff --git a/queue-4.14/net-packet-fix-packet_sock-xmit-return-value-checkin.patch b/queue-4.14/net-packet-fix-packet_sock-xmit-return-value-checkin.patch
new file mode 100644 (file)
index 0000000..1bca278
--- /dev/null
+++ b/queue-4.14/net-packet-fix-packet_sock-xmit-return-value-checkin.patch
@@ -0,0 +1,59 @@
+From 9655e514b1578403b81fcdb76514d50ec64da446 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Apr 2022 16:49:25 +0800
+Subject: net/packet: fix packet_sock xmit return value checking
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 29e8e659f984be00d75ec5fef4e37c88def72712 ]
+
+packet_sock xmit could be dev_queue_xmit, which also returns negative
+errors. So only checking positive errors is not enough, or userspace
+sendmsg may return success while packet is not send out.
+
+Move the net_xmit_errno() assignment in the braces as checkpatch.pl said
+do not use assignment in if condition.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Flavio Leitner <fbl@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index b0dd17d1992e..61093ce76b61 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2829,8 +2829,9 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ 
+               status = TP_STATUS_SEND_REQUEST;
+               err = po->xmit(skb);
+-              if (unlikely(err > 0)) {
+-                      err = net_xmit_errno(err);
++              if (unlikely(err != 0)) {
++                      if (err > 0)
++                              err = net_xmit_errno(err);
+                       if (err && __packet_get_status(po, ph) ==
+                                  TP_STATUS_AVAILABLE) {
+                               /* skb was destructed already */
+@@ -3029,8 +3030,12 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+               skb->no_fcs = 1;
+ 
+       err = po->xmit(skb);
+-      if (err > 0 && (err = net_xmit_errno(err)) != 0)
+-              goto out_unlock;
++      if (unlikely(err != 0)) {
++              if (err > 0)
++                      err = net_xmit_errno(err);
++              if (err)
++                      goto out_unlock;
++      }
+ 
+       dev_put(dev);
+ 
+-- 
+2.35.1
+

diff --git a/queue-4.14/netlink-reset-network-and-mac-headers-in-netlink_dum.patch b/queue-4.14/netlink-reset-network-and-mac-headers-in-netlink_dum.patch
new file mode 100644 (file)
index 0000000..7182d72
--- /dev/null
+++ b/queue-4.14/netlink-reset-network-and-mac-headers-in-netlink_dum.patch
@@ -0,0 +1,136 @@
+From 0f76527697f6076855641118ac422ab3634fcbf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Apr 2022 11:14:42 -0700
+Subject: netlink: reset network and mac headers in netlink_dump()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 99c07327ae11e24886d552dddbe4537bfca2765d ]
+
+netlink_dump() is allocating an skb, reserves space in it
+but forgets to reset network header.
+
+This allows a BPF program, invoked later from sk_filter()
+to access uninitialized kernel memory from the reserved
+space.
+
+Theorically mac header reset could be omitted, because
+it is set to a special initial value.
+bpf_internal_load_pointer_neg_helper calls skb_mac_header()
+without checking skb_mac_header_was_set().
+Relying on skb->len not being too big seems fragile.
+We also could add a sanity check in bpf_internal_load_pointer_neg_helper()
+to avoid surprises in the future.
+
+syzbot report was:
+
+BUG: KMSAN: uninit-value in ___bpf_prog_run+0xa22b/0xb420 kernel/bpf/core.c:1637
+ ___bpf_prog_run+0xa22b/0xb420 kernel/bpf/core.c:1637
+ __bpf_prog_run32+0x121/0x180 kernel/bpf/core.c:1796
+ bpf_dispatcher_nop_func include/linux/bpf.h:784 [inline]
+ __bpf_prog_run include/linux/filter.h:626 [inline]
+ bpf_prog_run include/linux/filter.h:633 [inline]
+ __bpf_prog_run_save_cb+0x168/0x580 include/linux/filter.h:756
+ bpf_prog_run_save_cb include/linux/filter.h:770 [inline]
+ sk_filter_trim_cap+0x3bc/0x8c0 net/core/filter.c:150
+ sk_filter include/linux/filter.h:905 [inline]
+ netlink_dump+0xe0c/0x16c0 net/netlink/af_netlink.c:2276
+ netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002
+ sock_recvmsg_nosec net/socket.c:948 [inline]
+ sock_recvmsg net/socket.c:966 [inline]
+ sock_read_iter+0x5a9/0x630 net/socket.c:1039
+ do_iter_readv_writev+0xa7f/0xc70
+ do_iter_read+0x52c/0x14c0 fs/read_write.c:786
+ vfs_readv fs/read_write.c:906 [inline]
+ do_readv+0x432/0x800 fs/read_write.c:943
+ __do_sys_readv fs/read_write.c:1034 [inline]
+ __se_sys_readv fs/read_write.c:1031 [inline]
+ __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Uninit was stored to memory at:
+ ___bpf_prog_run+0x96c/0xb420 kernel/bpf/core.c:1558
+ __bpf_prog_run32+0x121/0x180 kernel/bpf/core.c:1796
+ bpf_dispatcher_nop_func include/linux/bpf.h:784 [inline]
+ __bpf_prog_run include/linux/filter.h:626 [inline]
+ bpf_prog_run include/linux/filter.h:633 [inline]
+ __bpf_prog_run_save_cb+0x168/0x580 include/linux/filter.h:756
+ bpf_prog_run_save_cb include/linux/filter.h:770 [inline]
+ sk_filter_trim_cap+0x3bc/0x8c0 net/core/filter.c:150
+ sk_filter include/linux/filter.h:905 [inline]
+ netlink_dump+0xe0c/0x16c0 net/netlink/af_netlink.c:2276
+ netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002
+ sock_recvmsg_nosec net/socket.c:948 [inline]
+ sock_recvmsg net/socket.c:966 [inline]
+ sock_read_iter+0x5a9/0x630 net/socket.c:1039
+ do_iter_readv_writev+0xa7f/0xc70
+ do_iter_read+0x52c/0x14c0 fs/read_write.c:786
+ vfs_readv fs/read_write.c:906 [inline]
+ do_readv+0x432/0x800 fs/read_write.c:943
+ __do_sys_readv fs/read_write.c:1034 [inline]
+ __se_sys_readv fs/read_write.c:1031 [inline]
+ __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slab.h:737 [inline]
+ slab_alloc_node mm/slub.c:3244 [inline]
+ __kmalloc_node_track_caller+0xde3/0x14f0 mm/slub.c:4972
+ kmalloc_reserve net/core/skbuff.c:354 [inline]
+ __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
+ alloc_skb include/linux/skbuff.h:1158 [inline]
+ netlink_dump+0x30f/0x16c0 net/netlink/af_netlink.c:2242
+ netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002
+ sock_recvmsg_nosec net/socket.c:948 [inline]
+ sock_recvmsg net/socket.c:966 [inline]
+ sock_read_iter+0x5a9/0x630 net/socket.c:1039
+ do_iter_readv_writev+0xa7f/0xc70
+ do_iter_read+0x52c/0x14c0 fs/read_write.c:786
+ vfs_readv fs/read_write.c:906 [inline]
+ do_readv+0x432/0x800 fs/read_write.c:943
+ __do_sys_readv fs/read_write.c:1034 [inline]
+ __se_sys_readv fs/read_write.c:1031 [inline]
+ __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+CPU: 0 PID: 3470 Comm: syz-executor751 Not tainted 5.17.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: db65a3aaf29e ("netlink: Trim skb to alloc size to avoid MSG_TRUNC")
+Fixes: 9063e21fb026 ("netlink: autosize skb lengthes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20220415181442.551228-1-eric.dumazet@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 24e8ac2b724e..979cd7dff40a 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2212,6 +2212,13 @@ static int netlink_dump(struct sock *sk)
+        * single netdev. The outcome is MSG_TRUNC error.
+        */
+       skb_reserve(skb, skb_tailroom(skb) - alloc_size);
++
++      /* Make sure malicious BPF programs can not read unitialized memory
++       * from skb->head -> skb->data
++       */
++      skb_reset_network_header(skb);
++      skb_reset_mac_header(skb);
++
+       netlink_skb_set_owner_r(skb, sk);
+ 
+       if (nlk->dump_done_errno > 0)
+-- 
+2.35.1
+

diff --git a/queue-4.14/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch b/queue-4.14/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch
new file mode 100644 (file)
index 0000000..650f3f8
--- /dev/null
+++ b/queue-4.14/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch
@@ -0,0 +1,41 @@
+From d78274a79453aacb3d0cd29f6968ddefe29ad41d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Mar 2022 14:18:30 +0800
+Subject: platform/x86: samsung-laptop: Fix an unsigned comparison which can
+ never be negative
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit 0284d4d1be753f648f28b77bdfbe6a959212af5c ]
+
+Eliminate the follow smatch warnings:
+
+drivers/platform/x86/samsung-laptop.c:1124 kbd_led_set() warn: unsigned
+'value' is never less than zero.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20220322061830.105579-1-jiapeng.chong@linux.alibaba.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/samsung-laptop.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
+index d3cb26f6df73..c1c34b495519 100644
+--- a/drivers/platform/x86/samsung-laptop.c
++++ b/drivers/platform/x86/samsung-laptop.c
+@@ -1125,8 +1125,6 @@ static void kbd_led_set(struct led_classdev *led_cdev,
+ 
+       if (value > samsung->kbd_led.max_brightness)
+               value = samsung->kbd_led.max_brightness;
+-      else if (value < 0)
+-              value = 0;
+ 
+       samsung->kbd_led_wk = value;
+       queue_work(samsung->led_workqueue, &samsung->kbd_led_work);
+-- 
+2.35.1
+

diff --git a/queue-4.14/series b/queue-4.14/series
index 69b8235e1e358c3b405ffe7e0e3cfaa359e76631..54d0d6571097bdcfbc47dff12ba43b4ddffedaa8 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -7,3 +7,15 @@ gfs2-assign-rgrp-glock-before-compute_bitstructs.patch
 alsa-usb-audio-clear-midi-port-active-flag-after-draining.patch
 tcp-fix-race-condition-when-creating-child-sockets-f.patch
 tcp-fix-potential-use-after-free-due-to-double-kfree.patch
+dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch
+net-packet-fix-packet_sock-xmit-return-value-checkin.patch
+netlink-reset-network-and-mac-headers-in-netlink_dum.patch
+arm-vexpress-spc-avoid-negative-array-index-when-smp.patch
+platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch
+alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch
+vxlan-fix-error-return-code-in-vxlan_fdb_append.patch
+cifs-check-the-iocb_direct-flag-not-o_direct.patch
+brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch
+drm-msm-mdp5-check-the-return-of-kzalloc.patch
+net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch
+stat-fix-inconsistency-between-struct-stat-and-struc.patch

diff --git a/queue-4.14/stat-fix-inconsistency-between-struct-stat-and-struc.patch b/queue-4.14/stat-fix-inconsistency-between-struct-stat-and-struc.patch
new file mode 100644 (file)
index 0000000..2430f5f
--- /dev/null
+++ b/queue-4.14/stat-fix-inconsistency-between-struct-stat-and-struc.patch
@@ -0,0 +1,138 @@
+From f3ae73808d560f7a03e96d43fbcce00e3caf14bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 05:41:00 -0400
+Subject: stat: fix inconsistency between struct stat and struct compat_stat
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit 932aba1e169090357a77af18850a10c256b50819 ]
+
+struct stat (defined in arch/x86/include/uapi/asm/stat.h) has 32-bit
+st_dev and st_rdev; struct compat_stat (defined in
+arch/x86/include/asm/compat.h) has 16-bit st_dev and st_rdev followed by
+a 16-bit padding.
+
+This patch fixes struct compat_stat to match struct stat.
+
+[ Historical note: the old x86 'struct stat' did have that 16-bit field
+  that the compat layer had kept around, but it was changes back in 2003
+  by "struct stat - support larger dev_t":
+
+    https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=e95b2065677fe32512a597a79db94b77b90c968d
+
+  and back in those days, the x86_64 port was still new, and separate
+  from the i386 code, and had already picked up the old version with a
+  16-bit st_dev field ]
+
+Note that we can't change compat_dev_t because it is used by
+compat_loop_info.
+
+Also, if the st_dev and st_rdev values are 32-bit, we don't have to use
+old_valid_dev to test if the value fits into them.  This fixes
+-EOVERFLOW on filesystems that are on NVMe because NVMe uses the major
+number 259.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: Andreas Schwab <schwab@linux-m68k.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Christoph Hellwig <hch@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/compat.h |  6 ++----
+ fs/stat.c                     | 19 ++++++++++---------
+ 2 files changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
+index 2cbd75dd2fd3..ea142936bf11 100644
+--- a/arch/x86/include/asm/compat.h
++++ b/arch/x86/include/asm/compat.h
+@@ -57,15 +57,13 @@ struct compat_timeval {
+ };
+ 
+ struct compat_stat {
+-      compat_dev_t    st_dev;
+-      u16             __pad1;
++      u32             st_dev;
+       compat_ino_t    st_ino;
+       compat_mode_t   st_mode;
+       compat_nlink_t  st_nlink;
+       __compat_uid_t  st_uid;
+       __compat_gid_t  st_gid;
+-      compat_dev_t    st_rdev;
+-      u16             __pad2;
++      u32             st_rdev;
+       u32             st_size;
+       u32             st_blksize;
+       u32             st_blocks;
+diff --git a/fs/stat.c b/fs/stat.c
+index 873785dae022..0fda4b6b8fb2 100644
+--- a/fs/stat.c
++++ b/fs/stat.c
+@@ -286,9 +286,6 @@ SYSCALL_DEFINE2(fstat, unsigned int, fd, struct __old_kernel_stat __user *, stat
+ #  define choose_32_64(a,b) b
+ #endif
+ 
+-#define valid_dev(x)  choose_32_64(old_valid_dev(x),true)
+-#define encode_dev(x) choose_32_64(old_encode_dev,new_encode_dev)(x)
+-
+ #ifndef INIT_STRUCT_STAT_PADDING
+ #  define INIT_STRUCT_STAT_PADDING(st) memset(&st, 0, sizeof(st))
+ #endif
+@@ -297,7 +294,9 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf)
+ {
+       struct stat tmp;
+ 
+-      if (!valid_dev(stat->dev) || !valid_dev(stat->rdev))
++      if (sizeof(tmp.st_dev) < 4 && !old_valid_dev(stat->dev))
++              return -EOVERFLOW;
++      if (sizeof(tmp.st_rdev) < 4 && !old_valid_dev(stat->rdev))
+               return -EOVERFLOW;
+ #if BITS_PER_LONG == 32
+       if (stat->size > MAX_NON_LFS)
+@@ -305,7 +304,7 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf)
+ #endif
+ 
+       INIT_STRUCT_STAT_PADDING(tmp);
+-      tmp.st_dev = encode_dev(stat->dev);
++      tmp.st_dev = new_encode_dev(stat->dev);
+       tmp.st_ino = stat->ino;
+       if (sizeof(tmp.st_ino) < sizeof(stat->ino) && tmp.st_ino != stat->ino)
+               return -EOVERFLOW;
+@@ -315,7 +314,7 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf)
+               return -EOVERFLOW;
+       SET_UID(tmp.st_uid, from_kuid_munged(current_user_ns(), stat->uid));
+       SET_GID(tmp.st_gid, from_kgid_munged(current_user_ns(), stat->gid));
+-      tmp.st_rdev = encode_dev(stat->rdev);
++      tmp.st_rdev = new_encode_dev(stat->rdev);
+       tmp.st_size = stat->size;
+       tmp.st_atime = stat->atime.tv_sec;
+       tmp.st_mtime = stat->mtime.tv_sec;
+@@ -582,11 +581,13 @@ static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
+ {
+       struct compat_stat tmp;
+ 
+-      if (!old_valid_dev(stat->dev) || !old_valid_dev(stat->rdev))
++      if (sizeof(tmp.st_dev) < 4 && !old_valid_dev(stat->dev))
++              return -EOVERFLOW;
++      if (sizeof(tmp.st_rdev) < 4 && !old_valid_dev(stat->rdev))
+               return -EOVERFLOW;
+ 
+       memset(&tmp, 0, sizeof(tmp));
+-      tmp.st_dev = old_encode_dev(stat->dev);
++      tmp.st_dev = new_encode_dev(stat->dev);
+       tmp.st_ino = stat->ino;
+       if (sizeof(tmp.st_ino) < sizeof(stat->ino) && tmp.st_ino != stat->ino)
+               return -EOVERFLOW;
+@@ -596,7 +597,7 @@ static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
+               return -EOVERFLOW;
+       SET_UID(tmp.st_uid, from_kuid_munged(current_user_ns(), stat->uid));
+       SET_GID(tmp.st_gid, from_kgid_munged(current_user_ns(), stat->gid));
+-      tmp.st_rdev = old_encode_dev(stat->rdev);
++      tmp.st_rdev = new_encode_dev(stat->rdev);
+       if ((u64) stat->size > MAX_NON_LFS)
+               return -EOVERFLOW;
+       tmp.st_size = stat->size;
+-- 
+2.35.1
+

diff --git a/queue-4.14/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch b/queue-4.14/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch
new file mode 100644 (file)
index 0000000..0f2a9b0
--- /dev/null
+++ b/queue-4.14/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch
@@ -0,0 +1,40 @@
+From 870b7cbd2a1ea728c0d3bfa134d161c5412671c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Apr 2022 22:46:22 -0400
+Subject: vxlan: fix error return code in vxlan_fdb_append
+
+From: Hongbin Wang <wh_bin@126.com>
+
+[ Upstream commit 7cea5560bf656b84f9ed01c0cc829d4eecd0640b ]
+
+When kmalloc and dst_cache_init failed,
+should return ENOMEM rather than ENOBUFS.
+
+Signed-off-by: Hongbin Wang <wh_bin@126.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
+index 066a4654e838..31657f15eb07 100644
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -524,11 +524,11 @@ static int vxlan_fdb_append(struct vxlan_fdb *f,
+ 
+       rd = kmalloc(sizeof(*rd), GFP_ATOMIC);
+       if (rd == NULL)
+-              return -ENOBUFS;
++              return -ENOMEM;
+ 
+       if (dst_cache_init(&rd->dst_cache, GFP_ATOMIC)) {
+               kfree(rd);
+-              return -ENOBUFS;
++              return -ENOMEM;
+       }
+ 
+       rd->remote_ip = *ip;
+-- 
+2.35.1
+