drop some 4.9 patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 21 Sep 2022 15:35:54 +0000 (17:35 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 21 Sep 2022 15:35:54 +0000 (17:35 +0200)
These patches shouldn't have been in the 4.9 queue, or were queued there
before being in any other stable kernel release, which is odd...

queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch [deleted file]
queue-4.9/series
queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch [deleted file]
queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch [deleted file]

diff --git a/queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch b/queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch
deleted file mode 100644 (file)
index 4d1555d..0000000
+++ /dev/null
@@ -1,170 +0,0 @@
-From b8e2810ec3b386975ca5c2a205f7e0d0e1671e50 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 19 Jun 2022 22:14:54 +0800
-Subject: drivers/net/ethernet/neterion/vxge: Fix a use-after-free bug in
- vxge-main.c
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Wentao_Liang <Wentao_Liang_g@163.com>
-
-[ Upstream commit 8fc74d18639a2402ca52b177e990428e26ea881f ]
-
-The pointer vdev points to a memory region adjacent to a net_device
-structure ndev, which is a field of hldev. At line 4740, the invocation
-to vxge_device_unregister unregisters device hldev, and it also releases
-the memory region pointed by vdev->bar0. At line 4743, the freed memory
-region is referenced (i.e., iounmap(vdev->bar0)), resulting in a
-use-after-free vulnerability. We can fix the bug by calling iounmap
-before vxge_device_unregister.
-
-4721.      static void vxge_remove(struct pci_dev *pdev)
-4722.      {
-4723.             struct __vxge_hw_device *hldev;
-4724.             struct vxgedev *vdev;
-…
-4731.             vdev = netdev_priv(hldev->ndev);
-…
-4740.             vxge_device_unregister(hldev);
-4741.             /* Do not call pci_disable_sriov here, as it
-                                               will break child devices */
-4742.             vxge_hw_device_terminate(hldev);
-4743.             iounmap(vdev->bar0);
-…
-4749              vxge_debug_init(vdev->level_trace, "%s:%d
-                                                               Device unregistered",
-4750                            __func__, __LINE__);
-4751              vxge_debug_entryexit(vdev->level_trace, "%s:%d
-                                                               Exiting...", __func__,
-4752                          __LINE__);
-4753.      }
-
-This is the screenshot when the vulnerability is triggered by using
-KASAN. We can see that there is a use-after-free reported by KASAN.
-
-/***************************start**************************/
-
-root@kernel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove
-[  178.296316] vxge_remove
-[  182.057081]
- ==================================================================
-[  182.057548] BUG: KASAN: use-after-free in vxge_remove+0xe0/0x15c
-[  182.057760] Read of size 8 at addr ffff888006c76598 by task bash/119
-[  182.057983]
-[  182.058747] CPU: 0 PID: 119 Comm: bash Not tainted 5.18.0 #5
-[  182.058919] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
-rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
-[  182.059463] Call Trace:
-[  182.059726]  <TASK>
-[  182.060017]  dump_stack_lvl+0x34/0x44
-[  182.060316]  print_report.cold+0xb2/0x6b7
-[  182.060401]  ? kfree+0x89/0x290
-[  182.060478]  ? vxge_remove+0xe0/0x15c
-[  182.060545]  kasan_report+0xa9/0x120
-[  182.060629]  ? vxge_remove+0xe0/0x15c
-[  182.060706]  vxge_remove+0xe0/0x15c
-[  182.060793]  pci_device_remove+0x5d/0xe0
-[  182.060968]  device_release_driver_internal+0xf1/0x180
-[  182.061063]  pci_stop_bus_device+0xae/0xe0
-[  182.061150]  pci_stop_and_remove_bus_device_locked+0x11/0x20
-[  182.061236]  remove_store+0xc6/0xe0
-[  182.061297]  ? subordinate_bus_number_show+0xc0/0xc0
-[  182.061359]  ? __mutex_lock_slowpath+0x10/0x10
-[  182.061438]  ? sysfs_kf_write+0x6d/0xa0
-[  182.061525]  kernfs_fop_write_iter+0x1b0/0x260
-[  182.061610]  ? sysfs_kf_bin_read+0xf0/0xf0
-[  182.061695]  new_sync_write+0x209/0x310
-[  182.061789]  ? new_sync_read+0x310/0x310
-[  182.061865]  ? cgroup_rstat_updated+0x5c/0x170
-[  182.061937]  ? preempt_count_sub+0xf/0xb0
-[  182.061995]  ? pick_next_entity+0x13a/0x220
-[  182.062063]  ? __inode_security_revalidate+0x44/0x80
-[  182.062155]  ? security_file_permission+0x46/0x2a0
-[  182.062230]  vfs_write+0x33f/0x3e0
-[  182.062303]  ksys_write+0xb4/0x150
-[  182.062369]  ? __ia32_sys_read+0x40/0x40
-[  182.062451]  do_syscall_64+0x3b/0x90
-[  182.062531]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
-[  182.062894] RIP: 0033:0x7f3f37d17274
-[  182.063558] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f
-80 00 00 00 00 48 8d 05 89 54 0d 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f
-05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 49 89 d4 55 48 89 f5 53
-[  182.063797] RSP: 002b:00007ffd5ba9e178 EFLAGS: 00000246
-ORIG_RAX: 0000000000000001
-[  182.064117] RAX: ffffffffffffffda RBX: 0000000000000002
-RCX: 00007f3f37d17274
-[  182.064219] RDX: 0000000000000002 RSI: 000055bbec327180
-RDI: 0000000000000001
-[  182.064315] RBP: 000055bbec327180 R08: 000000000000000a
-R09: 00007f3f37de7cf0
-[  182.064414] R10: 000000000000000a R11: 0000000000000246
-R12: 00007f3f37de8760
-[  182.064513] R13: 0000000000000002 R14: 00007f3f37de3760
-R15: 0000000000000002
-[  182.064691]  </TASK>
-[  182.064916]
-[  182.065224] The buggy address belongs to the physical page:
-[  182.065804] page:00000000ef31e4f4 refcount:0 mapcount:0
-mapping:0000000000000000 index:0x0 pfn:0x6c76
-[  182.067419] flags: 0x100000000000000(node=0|zone=1)
-[  182.068997] raw: 0100000000000000 0000000000000000
-ffffea00001b1d88 0000000000000000
-[  182.069118] raw: 0000000000000000 0000000000000000
-00000000ffffffff 0000000000000000
-[  182.069294] page dumped because: kasan: bad access detected
-[  182.069331]
-[  182.069360] Memory state around the buggy address:
-[  182.070006]  ffff888006c76480: ff ff ff ff ff ff ff ff ff ff ff
- ff ff ff ff ff
-[  182.070136]  ffff888006c76500: ff ff ff ff ff ff ff ff ff ff ff
- ff ff ff ff ff
-[  182.070230] >ffff888006c76580: ff ff ff ff ff ff ff ff ff ff ff
- ff ff ff ff ff
-[  182.070305]                             ^
-[  182.070456]  ffff888006c76600: ff ff ff ff ff ff ff ff ff ff ff
- ff ff ff ff ff
-[  182.070505]  ffff888006c76680: ff ff ff ff ff ff ff ff ff ff ff
- ff ff ff ff ff
-[  182.070606]
-==================================================================
-[  182.071374] Disabling lock debugging due to kernel taint
-
-/*****************************end*****************************/
-
-After fixing the bug as done in the patch, we can find KASAN do not report
- the bug and the device(00:03.0) has been successfully removed.
-
-/*****************************start***************************/
-
-root@kernel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove
-root@kernel:~#
-
-/******************************end****************************/
-
-Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/ethernet/neterion/vxge/vxge-main.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/ethernet/neterion/vxge/vxge-main.c b/drivers/net/ethernet/neterion/vxge/vxge-main.c
-index c6950e580883..7fa71a66f19c 100644
---- a/drivers/net/ethernet/neterion/vxge/vxge-main.c
-+++ b/drivers/net/ethernet/neterion/vxge/vxge-main.c
-@@ -4790,10 +4790,10 @@ static void vxge_remove(struct pci_dev *pdev)
-       for (i = 0; i < vdev->no_of_vpath; i++)
-               vxge_free_mac_add_list(&vdev->vpaths[i]);
-+      iounmap(vdev->bar0);
-       vxge_device_unregister(hldev);
-       /* Do not call pci_disable_sriov here, as it will break child devices */
-       vxge_hw_device_terminate(hldev);
--      iounmap(vdev->bar0);
-       pci_release_region(pdev, 0);
-       pci_disable_device(pdev);
-       driver_config->config_dev_cnt--;
--- 
-2.35.1
-
index 4192f5e9e334d125889a8af7071f87d204bc5675..07b4a3ea52bf67481deb12c044f7ab96596e13ce 100644 (file)
@@ -1,9 +1,6 @@
 parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch
 cifs-don-t-send-down-the-destination-address-to-sendmsg-for-a-sock_stream.patch
-spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch
-spi-cadence-detect-transmit-fifo-depth.patch
 drm-vc4-crtc-use-an-union-to-store-the-page-flip-cal.patch
-drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch
 video-fbdev-skeletonfb-fix-syntax-errors-in-comments.patch
 video-fbdev-intelfb-use-aperture-size-from-pci_resou.patch
 video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch
diff --git a/queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch b/queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch
deleted file mode 100644 (file)
index 9213a84..0000000
+++ /dev/null
@@ -1,117 +0,0 @@
-From 2991f161280d1acb79edbfa5e241d18415f16dc8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 27 May 2022 11:11:43 +0200
-Subject: spi: cadence: Detect transmit FIFO depth
-
-From: Lars-Peter Clausen <lars@metafoo.de>
-
-[ Upstream commit 7b40322f7183a92c4303457528ae7cda571c60b9 ]
-
-The depth of the transmit FIFO for the Cadence SPI controller is currently
-hardcoded to 128. But the depth is a synthesis configuration parameter of
-the core and can vary between different SoCs.
-
-If the configured FIFO size is less than 128 the driver will busy loop in
-the cdns_spi_fill_tx_fifo() function waiting for FIFO space to become
-available.
-
-Depending on the length and speed of the transfer it can spin for a
-significant amount of time. The cdns_spi_fill_tx_fifo() function is called
-from the drivers interrupt handler, so it can leave interrupts disabled for
-a prolonged amount of time.
-
-In addition the read FIFO will also overflow and data will be discarded.
-
-To avoid this detect the actual size of the FIFO and use that rather than
-the hardcoded value.
-
-To detect the FIFO size the FIFO threshold register is used. The register
-is sized so that it can hold FIFO size - 1 as its maximum value. Bits that
-are not needed to hold the threshold value will always read 0. By writing
-0xffff to the register and then reading back the value in the register we
-get the FIFO size.
-
-Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
-Link: https://lore.kernel.org/r/20220527091143.3780378-1-lars@metafoo.de
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/spi/spi-cadence.c | 27 +++++++++++++++++++++++----
- 1 file changed, 23 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
-index 6d294a1fa5e5..733724e71a30 100644
---- a/drivers/spi/spi-cadence.c
-+++ b/drivers/spi/spi-cadence.c
-@@ -96,9 +96,6 @@
- #define CDNS_SPI_ER_ENABLE    0x00000001 /* SPI Enable Bit Mask */
- #define CDNS_SPI_ER_DISABLE   0x0 /* SPI Disable Bit Mask */
--/* SPI FIFO depth in bytes */
--#define CDNS_SPI_FIFO_DEPTH   128
--
- /* Default number of chip select lines */
- #define CDNS_SPI_DEFAULT_NUM_CS               4
-@@ -114,6 +111,7 @@
-  * @rx_bytes:         Number of bytes requested
-  * @dev_busy:         Device busy flag
-  * @is_decoded_cs:    Flag for decoder property set or not
-+ * @tx_fifo_depth:    Depth of the TX FIFO
-  */
- struct cdns_spi {
-       void __iomem *regs;
-@@ -127,6 +125,7 @@ struct cdns_spi {
-       int rx_bytes;
-       u8 dev_busy;
-       u32 is_decoded_cs;
-+      unsigned int tx_fifo_depth;
- };
- /* Macros for the SPI controller read/write */
-@@ -308,7 +307,7 @@ static void cdns_spi_fill_tx_fifo(struct cdns_spi *xspi)
- {
-       unsigned long trans_cnt = 0;
--      while ((trans_cnt < CDNS_SPI_FIFO_DEPTH) &&
-+      while ((trans_cnt < xspi->tx_fifo_depth) &&
-              (xspi->tx_bytes > 0)) {
-               if (xspi->txbuf)
-                       cdns_spi_write(xspi, CDNS_SPI_TXD, *xspi->txbuf++);
-@@ -463,6 +462,24 @@ static int cdns_unprepare_transfer_hardware(struct spi_master *master)
-       return 0;
- }
-+/**
-+ * cdns_spi_detect_fifo_depth - Detect the FIFO depth of the hardware
-+ * @xspi:     Pointer to the cdns_spi structure
-+ *
-+ * The depth of the TX FIFO is a synthesis configuration parameter of the SPI
-+ * IP. The FIFO threshold register is sized so that its maximum value can be the
-+ * FIFO size - 1. This is used to detect the size of the FIFO.
-+ */
-+static void cdns_spi_detect_fifo_depth(struct cdns_spi *xspi)
-+{
-+      /* The MSBs will get truncated giving us the size of the FIFO */
-+      cdns_spi_write(xspi, CDNS_SPI_THLD, 0xffff);
-+      xspi->tx_fifo_depth = cdns_spi_read(xspi, CDNS_SPI_THLD) + 1;
-+
-+      /* Reset to default */
-+      cdns_spi_write(xspi, CDNS_SPI_THLD, 0x1);
-+}
-+
- /**
-  * cdns_spi_probe - Probe method for the SPI driver
-  * @pdev:     Pointer to the platform_device structure
-@@ -536,6 +553,8 @@ static int cdns_spi_probe(struct platform_device *pdev)
-       if (ret < 0)
-               xspi->is_decoded_cs = 0;
-+      cdns_spi_detect_fifo_depth(xspi);
-+
-       /* SPI controller initializations */
-       cdns_spi_init_hw(xspi);
--- 
-2.35.1
-
diff --git a/queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch b/queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch
deleted file mode 100644 (file)
index 7209d82..0000000
+++ /dev/null
@@ -1,67 +0,0 @@
-From a2874c7fe4294710fe1f347212f4d8c262cb3a7c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 6 Jun 2022 11:55:25 +0530
-Subject: spi: spi-cadence: Fix SPI CS gets toggling sporadically
-
-From: Sai Krishna Potthuri <lakshmi.sai.krishna.potthuri@xilinx.com>
-
-[ Upstream commit 21b511ddee09a78909035ec47a6a594349fe3296 ]
-
-As part of unprepare_transfer_hardware, SPI controller will be disabled
-which will indirectly deassert the CS line. This will create a problem
-in some of the devices where message will be transferred with
-cs_change flag set(CS should not be deasserted).
-As per SPI controller implementation, if SPI controller is disabled then
-all output enables are inactive and all pins are set to input mode which
-means CS will go to default state high(deassert). This leads to an issue
-when core explicitly ask not to deassert the CS (cs_change = 1). This
-patch fix the above issue by checking the Slave select status bits from
-configuration register before disabling the SPI.
-
-Signed-off-by: Sai Krishna Potthuri <lakshmi.sai.krishna.potthuri@xilinx.com>
-Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
-Link: https://lore.kernel.org/r/20220606062525.18447-1-amit.kumar-mahapatra@xilinx.com
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/spi/spi-cadence.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
-index e383c6368915..6d294a1fa5e5 100644
---- a/drivers/spi/spi-cadence.c
-+++ b/drivers/spi/spi-cadence.c
-@@ -72,6 +72,7 @@
- #define CDNS_SPI_BAUD_DIV_SHIFT               3 /* Baud rate divisor shift in CR */
- #define CDNS_SPI_SS_SHIFT             10 /* Slave Select field shift in CR */
- #define CDNS_SPI_SS0                  0x1 /* Slave Select zero */
-+#define CDNS_SPI_NOSS                 0x3C /* No Slave select */
- /*
-  * SPI Interrupt Registers bit Masks
-@@ -444,15 +445,20 @@ static int cdns_prepare_transfer_hardware(struct spi_master *master)
-  * @master:   Pointer to the spi_master structure which provides
-  *            information about the controller.
-  *
-- * This function disables the SPI master controller.
-+ * This function disables the SPI master controller when no slave selected.
-  *
-  * Return:    0 always
-  */
- static int cdns_unprepare_transfer_hardware(struct spi_master *master)
- {
-       struct cdns_spi *xspi = spi_master_get_devdata(master);
-+      u32 ctrl_reg;
--      cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
-+      /* Disable the SPI if slave is deselected */
-+      ctrl_reg = cdns_spi_read(xspi, CDNS_SPI_CR);
-+      ctrl_reg = (ctrl_reg & CDNS_SPI_CR_SSCTRL) >>  CDNS_SPI_SS_SHIFT;
-+      if (ctrl_reg == CDNS_SPI_NOSS)
-+              cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
-       return 0;
- }
--- 
-2.35.1
-