Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Tue, 28 Mar 2023 10:07:05 +0000 (06:07 -0400)
committerSasha Levin <sashal@kernel.org>
Tue, 28 Mar 2023 10:07:05 +0000 (06:07 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.14/ca8210-fix-mac_len-negative-array-access.patch [new file with mode: 0644]
queue-4.14/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch [new file with mode: 0644]
queue-4.14/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch [new file with mode: 0644]
queue-4.14/net-usb-qmi_wwan-add-telit-0x1080-composition.patch [new file with mode: 0644]
queue-4.14/riscv-bump-command_line_size-value-to-1024.patch [new file with mode: 0644]
queue-4.14/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch [new file with mode: 0644]
queue-4.14/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/sh-sanitize-the-flags-on-sigreturn.patch [new file with mode: 0644]

diff --git a/queue-4.14/ca8210-fix-mac_len-negative-array-access.patch b/queue-4.14/ca8210-fix-mac_len-negative-array-access.patch
new file mode 100644 (file)
index 0000000..d927108
--- /dev/null
@@ -0,0 +1,37 @@
+From 25eceb89bd3c7678b3220a3bfda85dbcd0e2cb66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Feb 2023 23:25:04 -0500
+Subject: ca8210: fix mac_len negative array access
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 6c993779ea1d0cccdb3a5d7d45446dd229e610a3 ]
+
+This patch fixes a buffer overflow access of skb->data if
+ieee802154_hdr_peek_addrs() fails.
+
+Reported-by: lianhui tang <bluetlh@gmail.com>
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20230217042504.3303396-1-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/ca8210.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index eff7571dbea20..76ca8c63bc379 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -1955,6 +1955,8 @@ static int ca8210_skb_tx(
+        * packet
+        */
+       mac_len = ieee802154_hdr_peek_addrs(skb, &header);
++      if (mac_len < 0)
++              return mac_len;
+       secspec.security_level = header.sec.level;
+       secspec.key_id_mode = header.sec.key_id_mode;
+-- 
+2.39.2
+
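Review bot: The added `if (mac_len < 0)` guard in ca8210_skb_tx() only works if `mac_len` is a signed type, and its declaration sits above the hunk where it cannot be checked from here. If it is declared `unsigned int`, the comparison is always false and a failing ieee802154_hdr_peek_addrs() would still feed its error value into the skb->data access the commit message describes. Confirm the declaration in the 4.14 tree and, if it is unsigned, change it to `int mac_len;` in the same backport. The function body continues outside the hunk on both sides.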
diff --git a/queue-4.14/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch b/queue-4.14/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch
new file mode 100644 (file)
index 0000000..712758e
--- /dev/null
@@ -0,0 +1,75 @@
+From b2b9dd1af7ef960fd86099f7aff3b61c0e994933 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 15:11:07 +1300
+Subject: m68k: Only force 030 bus error if PC not in exception table
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+[ Upstream commit e36a82bebbf7da814530d5a179bef9df5934b717 ]
+
+__get_kernel_nofault() does copy data in supervisor mode when
+forcing a task backtrace log through /proc/sysrq_trigger.
+This is expected cause a bus error exception on e.g. NULL
+pointer dereferencing when logging a kernel task has no
+workqueue associated. This bus error ought to be ignored.
+
+Our 030 bus error handler is ill equipped to deal with this:
+
+Whenever ssw indicates a kernel mode access on a data fault,
+we don't even attempt to handle the fault and instead always
+send a SEGV signal (or panic). As a result, the check
+for exception handling at the fault PC (buried in
+send_sig_fault() which gets called from do_page_fault()
+eventually) is never used.
+
+In contrast, both 040 and 060 access error handlers do not
+care whether a fault happened on supervisor mode access,
+and will call do_page_fault() on those, ultimately honoring
+the exception table.
+
+Add a check in bus_error030 to call do_page_fault() in case
+we do have an entry for the fault PC in our exception table.
+
+I had attempted a fix for this earlier in 2019 that did rely
+on testing pagefault_disabled() (see link below) to achieve
+the same thing, but this patch should be more generic.
+
+Tested on 030 Atari Falcon.
+
+Reported-by: Eero Tamminen <oak@helsinkinet.fi>
+Link: https://lore.kernel.org/r/alpine.LNX.2.21.1904091023540.25@nippy.intranet
+Link: https://lore.kernel.org/r/63130691-1984-c423-c1f2-73bfd8d3dcd3@gmail.com
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/20230301021107.26307-1-schmitzmic@gmail.com
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/traps.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/m68k/kernel/traps.c b/arch/m68k/kernel/traps.c
+index 5c72deb117a8e..d75c143d99d0f 100644
+--- a/arch/m68k/kernel/traps.c
++++ b/arch/m68k/kernel/traps.c
+@@ -30,6 +30,7 @@
+ #include <linux/init.h>
+ #include <linux/ptrace.h>
+ #include <linux/kallsyms.h>
++#include <linux/extable.h>
+ #include <asm/setup.h>
+ #include <asm/fpu.h>
+@@ -550,7 +551,8 @@ static inline void bus_error030 (struct frame *fp)
+                       errorcode |= 2;
+               if (mmusr & (MMU_I | MMU_WP)) {
+-                      if (ssw & 4) {
++                      /* We might have an exception table for this PC */
++                      if (ssw & 4 && !search_exception_tables(fp->ptregs.pc)) {
+                               pr_err("Data %s fault at %#010lx in %s (pc=%#lx)\n",
+                                      ssw & RW ? "read" : "write",
+                                      fp->un.fmtb.daddr,
+-- 
+2.39.2
+
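Review bot: The new condition `ssw & 4 && !search_exception_tables(fp->ptregs.pc)` in bus_error030() relies on `&` binding tighter than `&&` and keeps a bare constant 4 for the bit that the description treats as a kernel-mode access. Writing it as `if ((ssw & 4) && !search_exception_tables(fp->ptregs.pc)) {` makes the grouping explicit. The one-line comment could also state the consequence, for example `/* Kernel-mode data fault: report it here only if the PC has no exception table entry */`. The branch taken when an entry is found lies outside the hunk, so it cannot be confirmed from here that it reaches do_page_fault() as the description says.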
diff --git a/queue-4.14/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch b/queue-4.14/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch
new file mode 100644 (file)
index 0000000..d9d9807
--- /dev/null
@@ -0,0 +1,39 @@
+From 0718fbdc709953925e6ec2c82078d6b6a50ea3b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 12:59:33 +0100
+Subject: net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990
+
+From: Enrico Sau <enrico.sau@gmail.com>
+
+[ Upstream commit 418383e6ed6b4624a54ec05c535f13d184fbf33b ]
+
+Add quirk CDC_MBIM_FLAG_AVOID_ALTSETTING_TOGGLE for Telit FE990
+0x1081 composition in order to avoid bind error.
+
+Signed-off-by: Enrico Sau <enrico.sau@gmail.com>
+Link: https://lore.kernel.org/r/20230306115933.198259-1-enrico.sau@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_mbim.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c
+index 41bac861ca99d..72a93dc2df868 100644
+--- a/drivers/net/usb/cdc_mbim.c
++++ b/drivers/net/usb/cdc_mbim.c
+@@ -665,6 +665,11 @@ static const struct usb_device_id mbim_devs[] = {
+         .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle,
+       },
++      /* Telit FE990 */
++      { USB_DEVICE_AND_INTERFACE_INFO(0x1bc7, 0x1081, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE),
++        .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle,
++      },
++
+       /* default entry */
+       { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE),
+         .driver_info = (unsigned long)&cdc_mbim_info_zlp,
+-- 
+2.39.2
+
diff --git a/queue-4.14/net-usb-qmi_wwan-add-telit-0x1080-composition.patch b/queue-4.14/net-usb-qmi_wwan-add-telit-0x1080-composition.patch
new file mode 100644 (file)
index 0000000..866394d
--- /dev/null
@@ -0,0 +1,36 @@
+From 300f158c4dc9fa3e30e8ff165713ccecf78dc78b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 13:05:28 +0100
+Subject: net: usb: qmi_wwan: add Telit 0x1080 composition
+
+From: Enrico Sau <enrico.sau@gmail.com>
+
+[ Upstream commit 382e363d5bed0cec5807b35761d14e55955eee63 ]
+
+Add the following Telit FE990 composition:
+
+0x1080: tty, adb, rmnet, tty, tty, tty, tty
+
+Signed-off-by: Enrico Sau <enrico.sau@gmail.com>
+Link: https://lore.kernel.org/r/20230306120528.198842-1-enrico.sau@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index a2c3f5ee17808..68547724a1011 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1311,6 +1311,7 @@ static const struct usb_device_id products[] = {
+       {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */
+       {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */
+       {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990 */
++      {QMI_QUIRK_SET_DTR(0x1bc7, 0x1080, 2)}, /* Telit FE990 */
+       {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)},    /* Telit ME910 */
+       {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)},    /* Telit ME910 dual modem */
+       {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)},    /* Telit LE920 */
+-- 
+2.39.2
+
diff --git a/queue-4.14/riscv-bump-command_line_size-value-to-1024.patch b/queue-4.14/riscv-bump-command_line_size-value-to-1024.patch
new file mode 100644 (file)
index 0000000..167ec0a
--- /dev/null
@@ -0,0 +1,46 @@
+From 9a75f06ecf4ad74f86d2c9d229519e39e97520b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Mar 2021 15:34:20 -0400
+Subject: riscv: Bump COMMAND_LINE_SIZE value to 1024
+
+From: Alexandre Ghiti <alex@ghiti.fr>
+
+[ Upstream commit 61fc1ee8be26bc192d691932b0a67eabee45d12f ]
+
+Increase COMMAND_LINE_SIZE as the current default value is too low
+for syzbot kernel command line.
+
+There has been considerable discussion on this patch that has led to a
+larger patch set removing COMMAND_LINE_SIZE from the uapi headers on all
+ports.  That's not quite done yet, but it's gotten far enough we're
+confident this is not a uABI change so this is safe.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Alexandre Ghiti <alex@ghiti.fr>
+Link: https://lore.kernel.org/r/20210316193420.904-1-alex@ghiti.fr
+[Palmer: it's not uabi]
+Link: https://lore.kernel.org/linux-riscv/874b8076-b0d1-4aaa-bcd8-05d523060152@app.fastmail.com/#t
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/uapi/asm/setup.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+ create mode 100644 arch/riscv/include/uapi/asm/setup.h
+
+diff --git a/arch/riscv/include/uapi/asm/setup.h b/arch/riscv/include/uapi/asm/setup.h
+new file mode 100644
+index 0000000000000..66b13a5228808
+--- /dev/null
++++ b/arch/riscv/include/uapi/asm/setup.h
+@@ -0,0 +1,8 @@
++/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */
++
++#ifndef _UAPI_ASM_RISCV_SETUP_H
++#define _UAPI_ASM_RISCV_SETUP_H
++
++#define COMMAND_LINE_SIZE     1024
++
++#endif /* _UAPI_ASM_RISCV_SETUP_H */
+-- 
+2.39.2
+
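Review bot: This patch creates `arch/riscv/include/uapi/asm/setup.h` as a new file, so it applies cleanly whether or not the base tree contains the rest of the RISC-V port. As far as I know that port was merged after 4.14; if this queue's base has no arch/riscv, the backport only adds an orphan header that nothing includes, and it should be dropped from queue-4.14. A clean apply is not evidence that the change is relevant here, so the presence of the architecture in the target tree is worth checking before release.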
diff --git a/queue-4.14/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch b/queue-4.14/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch
new file mode 100644 (file)
index 0000000..69bb252
--- /dev/null
@@ -0,0 +1,55 @@
+From 9c3f3cd63c9bc935e736c6628e370d85e8e7d54f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 15:15:56 +0100
+Subject: scsi: target: iscsi: Fix an error message in iscsi_check_key()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 6cc55c969b7ce8d85e09a636693d4126c3676c11 ]
+
+The first half of the error message is printed by pr_err(), the second half
+is printed by pr_debug(). The user will therefore see only the first part
+of the message and will miss some useful information.
+
+Link: https://lore.kernel.org/r/20230214141556.762047-1-mlombard@redhat.com
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/iscsi/iscsi_target_parameters.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
+index caab1045742df..d2c8c4929f93a 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -1270,18 +1270,20 @@ static struct iscsi_param *iscsi_check_key(
+               return param;
+       if (!(param->phase & phase)) {
+-              pr_err("Key \"%s\" may not be negotiated during ",
+-                              param->name);
++              char *phase_name;
++
+               switch (phase) {
+               case PHASE_SECURITY:
+-                      pr_debug("Security phase.\n");
++                      phase_name = "Security";
+                       break;
+               case PHASE_OPERATIONAL:
+-                      pr_debug("Operational phase.\n");
++                      phase_name = "Operational";
+                       break;
+               default:
+-                      pr_debug("Unknown phase.\n");
++                      phase_name = "Unknown";
+               }
++              pr_err("Key \"%s\" may not be negotiated during %s phase.\n",
++                              param->name, phase_name);
+               return NULL;
+       }
+-- 
+2.39.2
+
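Review bot: `phase_name` in the new block of iscsi_check_key() only ever points at string literals, so it should be declared `const char *phase_name;` rather than `char *phase_name;`. That turns an accidental write through the pointer into a compile-time error. The `default:` arm would also read more consistently with a trailing `break;` like the two cases above it. The function starts and ends outside the hunk.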
diff --git a/queue-4.14/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch b/queue-4.14/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch
new file mode 100644 (file)
index 0000000..7a9d0a2
--- /dev/null
@@ -0,0 +1,36 @@
+From ccdf978be69f61d7f1a75bd861be9947c3321dd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Feb 2023 09:07:40 -0500
+Subject: scsi: ufs: core: Add soft dependency on governor_simpleondemand
+
+From: Adrien Thierry <athierry@redhat.com>
+
+[ Upstream commit 2ebe16155dc8bd4e602cad5b5f65458d2eaa1a75 ]
+
+The ufshcd driver uses simpleondemand governor for devfreq. Add it to the
+list of ufshcd softdeps to allow userspace initramfs tools like dracut to
+automatically pull the governor module into the initramfs together with UFS
+drivers.
+
+Link: https://lore.kernel.org/r/20230220140740.14379-1-athierry@redhat.com
+Signed-off-by: Adrien Thierry <athierry@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 694c0fc31fbf7..fe7db66ab1f3e 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -8087,5 +8087,6 @@ EXPORT_SYMBOL_GPL(ufshcd_init);
+ MODULE_AUTHOR("Santosh Yaragnavi <santosh.sy@samsung.com>");
+ MODULE_AUTHOR("Vinayak Holikatti <h.vinayak@samsung.com>");
+ MODULE_DESCRIPTION("Generic UFS host controller driver Core");
++MODULE_SOFTDEP("pre: governor_simpleondemand");
+ MODULE_LICENSE("GPL");
+ MODULE_VERSION(UFSHCD_DRIVER_VERSION);
+-- 
+2.39.2
+
index a6e9f24146d82996ac93541d1a1b81d53beccd71..239406e482ebf5bad577ba9fac45551e2c46cd02 100644 (file)
@@ -20,3 +20,11 @@ bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
 hwmon-it87-fix-voltage-scaling-for-chips-with-10.9mv.patch
 uas-add-us_fl_no_report_opcodes-for-jmicron-jms583gen-2.patch
 thunderbolt-use-const-qualifier-for-ring_interrupt_index.patch
+riscv-bump-command_line_size-value-to-1024.patch
+ca8210-fix-mac_len-negative-array-access.patch
+m68k-only-force-030-bus-error-if-pc-not-in-exception.patch
+scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch
+scsi-ufs-core-add-soft-dependency-on-governor_simple.patch
+net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch
+net-usb-qmi_wwan-add-telit-0x1080-composition.patch
+sh-sanitize-the-flags-on-sigreturn.patch
diff --git a/queue-4.14/sh-sanitize-the-flags-on-sigreturn.patch b/queue-4.14/sh-sanitize-the-flags-on-sigreturn.patch
new file mode 100644 (file)
index 0000000..8a5621c
--- /dev/null
@@ -0,0 +1,58 @@
+From d272a2f05b330daee72309dd13b39045d9160d29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 01:20:30 +0000
+Subject: sh: sanitize the flags on sigreturn
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 573b22ccb7ce9ab7f0539a2e11a9d3609a8783f5 ]
+
+We fetch %SR value from sigframe; it might have been modified by signal
+handler, so we can't trust it with any bits that are not modifiable in
+user mode.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Rich Felker <dalias@libc.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/include/asm/processor_32.h | 1 +
+ arch/sh/kernel/signal_32.c         | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/arch/sh/include/asm/processor_32.h b/arch/sh/include/asm/processor_32.h
+index 95100d8a0b7b4..fc94603724b86 100644
+--- a/arch/sh/include/asm/processor_32.h
++++ b/arch/sh/include/asm/processor_32.h
+@@ -57,6 +57,7 @@
+ #define SR_FD         0x00008000
+ #define SR_MD         0x40000000
++#define SR_USER_MASK  0x00000303      // M, Q, S, T bits
+ /*
+  * DSP structure and data
+  */
+diff --git a/arch/sh/kernel/signal_32.c b/arch/sh/kernel/signal_32.c
+index c46c0020ff55e..ce93ae78c3002 100644
+--- a/arch/sh/kernel/signal_32.c
++++ b/arch/sh/kernel/signal_32.c
+@@ -116,6 +116,7 @@ static int
+ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *r0_p)
+ {
+       unsigned int err = 0;
++      unsigned int sr = regs->sr & ~SR_USER_MASK;
+ #define COPY(x)               err |= __get_user(regs->x, &sc->sc_##x)
+                       COPY(regs[1]);
+@@ -131,6 +132,8 @@ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *r0_p
+       COPY(sr);       COPY(pc);
+ #undef COPY
++      regs->sr = (regs->sr & SR_USER_MASK) | sr;
++
+ #ifdef CONFIG_SH_FPU
+       if (boot_cpu_data.flags & CPU_HAS_FPU) {
+               int owned_fp;
+-- 
+2.39.2
+
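Review bot: The sanitising in restore_sigcontext() depends on `sr` being captured before `COPY(sr)` overwrites `regs->sr` from the user-writable sigframe, and nothing in the code records that ordering requirement. A comment above `regs->sr = (regs->sr & SR_USER_MASK) | sr;` would protect it against later reshuffling, for example `/* take only the user-modifiable bits from the sigframe; SR_MD, SR_FD and the rest keep the kernel value saved above */`. The new `#define SR_USER_MASK` line uses a `//` comment while the neighbouring comment in processor_32.h is block style, so `/* M, Q, S, T bits */` would match. restore_sigcontext() continues outside both hunks.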