From: Sasha Levin Date: Mon, 22 Aug 2022 13:27:05 +0000 (-0400) Subject: Fixes for 4.9 X-Git-Tag: v4.9.326~29^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=06c14bc45fd866933870a380df61ee30ce100387;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/alsa-core-add-async-signal-helpers.patch b/queue-4.9/alsa-core-add-async-signal-helpers.patch new file mode 100644 index 00000000000..bf316007b55 --- /dev/null +++ b/queue-4.9/alsa-core-add-async-signal-helpers.patch @@ -0,0 +1,158 @@ +From 96b3d39dc40d4da954a4797155e7af589f012a21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 14:59:42 +0200 +Subject: ALSA: core: Add async signal helpers + +From: Takashi Iwai + +[ Upstream commit ef34a0ae7a2654bc9e58675e36898217fb2799d8 ] + +Currently the call of kill_fasync() from an interrupt handler might +lead to potential spin deadlocks, as spotted by syzkaller. +Unfortunately, it's not so trivial to fix this lock chain as it's +involved with the tasklist_lock that is touched in allover places. + +As a temporary workaround, this patch provides the way to defer the +async signal notification in a work. The new helper functions, +snd_fasync_helper() and snd_kill_faync() are replacements for +fasync_helper() and kill_fasync(), respectively. In addition, +snd_fasync_free() needs to be called at the destructor of the relevant +file object. + +Link: https://lore.kernel.org/r/20220728125945.29533-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/sound/core.h | 8 ++++ + sound/core/misc.c | 94 ++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 102 insertions(+) + +diff --git a/include/sound/core.h b/include/sound/core.h +index 31079ea5e484..d5d0e5e53920 100644 +--- a/include/sound/core.h ++++ b/include/sound/core.h +@@ -457,4 +457,12 @@ snd_pci_quirk_lookup_id(u16 vendor, u16 device, + } + #endif + ++/* async signal helpers */ ++struct snd_fasync; ++ ++int snd_fasync_helper(int fd, struct file *file, int on, ++ struct snd_fasync **fasyncp); ++void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll); ++void snd_fasync_free(struct snd_fasync *fasync); ++ + #endif /* __SOUND_CORE_H */ +diff --git a/sound/core/misc.c b/sound/core/misc.c +index f2e8226c88fb..efe26b8ca57f 100644 +--- a/sound/core/misc.c ++++ b/sound/core/misc.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + + #ifdef CONFIG_SND_DEBUG +@@ -153,3 +154,96 @@ snd_pci_quirk_lookup(struct pci_dev *pci, const struct snd_pci_quirk *list) + } + EXPORT_SYMBOL(snd_pci_quirk_lookup); + #endif ++ ++/* ++ * Deferred async signal helpers ++ * ++ * Below are a few helper functions to wrap the async signal handling ++ * in the deferred work. The main purpose is to avoid the messy deadlock ++ * around tasklist_lock and co at the kill_fasync() invocation. ++ * fasync_helper() and kill_fasync() are replaced with snd_fasync_helper() ++ * and snd_kill_fasync(), respectively. In addition, snd_fasync_free() has ++ * to be called at releasing the relevant file object. ++ */ ++struct snd_fasync { ++ struct fasync_struct *fasync; ++ int signal; ++ int poll; ++ int on; ++ struct list_head list; ++}; ++ ++static DEFINE_SPINLOCK(snd_fasync_lock); ++static LIST_HEAD(snd_fasync_list); ++ ++static void snd_fasync_work_fn(struct work_struct *work) ++{ ++ struct snd_fasync *fasync; ++ ++ spin_lock_irq(&snd_fasync_lock); ++ while (!list_empty(&snd_fasync_list)) { ++ fasync = list_first_entry(&snd_fasync_list, struct snd_fasync, list); ++ list_del_init(&fasync->list); ++ spin_unlock_irq(&snd_fasync_lock); ++ if (fasync->on) ++ kill_fasync(&fasync->fasync, fasync->signal, fasync->poll); ++ spin_lock_irq(&snd_fasync_lock); ++ } ++ spin_unlock_irq(&snd_fasync_lock); ++} ++ ++static DECLARE_WORK(snd_fasync_work, snd_fasync_work_fn); ++ ++int snd_fasync_helper(int fd, struct file *file, int on, ++ struct snd_fasync **fasyncp) ++{ ++ struct snd_fasync *fasync = NULL; ++ ++ if (on) { ++ fasync = kzalloc(sizeof(*fasync), GFP_KERNEL); ++ if (!fasync) ++ return -ENOMEM; ++ INIT_LIST_HEAD(&fasync->list); ++ } ++ ++ spin_lock_irq(&snd_fasync_lock); ++ if (*fasyncp) { ++ kfree(fasync); ++ fasync = *fasyncp; ++ } else { ++ if (!fasync) { ++ spin_unlock_irq(&snd_fasync_lock); ++ return 0; ++ } ++ *fasyncp = fasync; ++ } ++ fasync->on = on; ++ spin_unlock_irq(&snd_fasync_lock); ++ return fasync_helper(fd, file, on, &fasync->fasync); ++} ++EXPORT_SYMBOL_GPL(snd_fasync_helper); ++ ++void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll) ++{ ++ unsigned long flags; ++ ++ if (!fasync || !fasync->on) ++ return; ++ spin_lock_irqsave(&snd_fasync_lock, flags); ++ fasync->signal = signal; ++ fasync->poll = poll; ++ list_move(&fasync->list, &snd_fasync_list); ++ schedule_work(&snd_fasync_work); ++ spin_unlock_irqrestore(&snd_fasync_lock, flags); ++} ++EXPORT_SYMBOL_GPL(snd_kill_fasync); ++ ++void snd_fasync_free(struct snd_fasync *fasync) ++{ ++ if (!fasync) ++ return; ++ fasync->on = 0; ++ flush_work(&snd_fasync_work); ++ kfree(fasync); ++} ++EXPORT_SYMBOL_GPL(snd_fasync_free); +-- +2.35.1 + diff --git a/queue-4.9/alsa-timer-use-deferred-fasync-helper.patch b/queue-4.9/alsa-timer-use-deferred-fasync-helper.patch new file mode 100644 index 00000000000..b090f497742 --- /dev/null +++ b/queue-4.9/alsa-timer-use-deferred-fasync-helper.patch @@ -0,0 +1,83 @@ +From 0f736f398a2c3a6fee7854350367d0cb0632d7f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 14:59:43 +0200 +Subject: ALSA: timer: Use deferred fasync helper + +From: Takashi Iwai + +[ Upstream commit 95cc637c1afd83fb7dd3d7c8a53710488f4caf9c ] + +For avoiding the potential deadlock via kill_fasync() call, use the +new fasync helpers to defer the invocation from PCI API. Note that +it's merely a workaround. + +Reported-by: syzbot+1ee0910eca9c94f71f25@syzkaller.appspotmail.com +Reported-by: syzbot+49b10793b867871ee26f@syzkaller.appspotmail.com +Reported-by: syzbot+8285e973a41b5aa68902@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20220728125945.29533-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/timer.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index 596ba572d6c4..1f5f05e76e59 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -74,7 +74,7 @@ struct snd_timer_user { + unsigned int filter; + struct timespec tstamp; /* trigger tstamp */ + wait_queue_head_t qchange_sleep; +- struct fasync_struct *fasync; ++ struct snd_fasync *fasync; + struct mutex ioctl_lock; + }; + +@@ -1293,7 +1293,7 @@ static void snd_timer_user_interrupt(struct snd_timer_instance *timeri, + } + __wake: + spin_unlock(&tu->qlock); +- kill_fasync(&tu->fasync, SIGIO, POLL_IN); ++ snd_kill_fasync(tu->fasync, SIGIO, POLL_IN); + wake_up(&tu->qchange_sleep); + } + +@@ -1330,7 +1330,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri, + spin_lock_irqsave(&tu->qlock, flags); + snd_timer_user_append_to_tqueue(tu, &r1); + spin_unlock_irqrestore(&tu->qlock, flags); +- kill_fasync(&tu->fasync, SIGIO, POLL_IN); ++ snd_kill_fasync(tu->fasync, SIGIO, POLL_IN); + wake_up(&tu->qchange_sleep); + } + +@@ -1397,7 +1397,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri, + spin_unlock(&tu->qlock); + if (append == 0) + return; +- kill_fasync(&tu->fasync, SIGIO, POLL_IN); ++ snd_kill_fasync(tu->fasync, SIGIO, POLL_IN); + wake_up(&tu->qchange_sleep); + } + +@@ -1439,6 +1439,7 @@ static int snd_timer_user_release(struct inode *inode, struct file *file) + if (tu->timeri) + snd_timer_close(tu->timeri); + mutex_unlock(&tu->ioctl_lock); ++ snd_fasync_free(tu->fasync); + kfree(tu->queue); + kfree(tu->tqueue); + kfree(tu); +@@ -2026,7 +2027,7 @@ static int snd_timer_user_fasync(int fd, struct file * file, int on) + struct snd_timer_user *tu; + + tu = file->private_data; +- return fasync_helper(fd, file, on, &tu->fasync); ++ return snd_fasync_helper(fd, file, on, &tu->fasync); + } + + static ssize_t snd_timer_user_read(struct file *file, char __user *buffer, +-- +2.35.1 + diff --git a/queue-4.9/cxl-fix-a-memory-leak-in-an-error-handling-path.patch b/queue-4.9/cxl-fix-a-memory-leak-in-an-error-handling-path.patch new file mode 100644 index 00000000000..349c3bb3fc2 --- /dev/null +++ b/queue-4.9/cxl-fix-a-memory-leak-in-an-error-handling-path.patch @@ -0,0 +1,36 @@ +From 77bbab87fc1b3ac2e6d65934155f53bf9779688d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 21:14:48 +0200 +Subject: cxl: Fix a memory leak in an error handling path + +From: Christophe JAILLET + +[ Upstream commit 3a15b45b5454da862376b5d69a4967f5c6fa1368 ] + +A bitmap_zalloc() must be balanced by a corresponding bitmap_free() in the +error handling path of afu_allocate_irqs(). + +Acked-by: Andrew Donnellan +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/ce5869418f5838187946eb6b11a52715a93ece3d.1657566849.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cxl/irq.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/misc/cxl/irq.c b/drivers/misc/cxl/irq.c +index dec60f58a767..99e2bd65825f 100644 +--- a/drivers/misc/cxl/irq.c ++++ b/drivers/misc/cxl/irq.c +@@ -302,6 +302,7 @@ int afu_allocate_irqs(struct cxl_context *ctx, u32 count) + + out: + cxl_ops->release_irq_ranges(&ctx->irqs, ctx->afu->adapter); ++ bitmap_free(ctx->irq_bitmap); + afu_irq_name_free(ctx); + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-4.9/drivers-md-fix-a-potential-use-after-free-bug.patch b/queue-4.9/drivers-md-fix-a-potential-use-after-free-bug.patch new file mode 100644 index 00000000000..58d40062157 --- /dev/null +++ b/queue-4.9/drivers-md-fix-a-potential-use-after-free-bug.patch @@ -0,0 +1,44 @@ +From b7659cac45a27d78cffcad8f88c3126e020da1bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 19:39:19 +0800 +Subject: drivers:md:fix a potential use-after-free bug + +From: Wentao_Liang + +[ Upstream commit 104212471b1c1817b311771d817fb692af983173 ] + +In line 2884, "raid5_release_stripe(sh);" drops the reference to sh and +may cause sh to be released. However, sh is subsequently used in lines +2886 "if (sh->batch_head && sh != sh->batch_head)". This may result in an +use-after-free bug. + +It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of +the function. + +Signed-off-by: Wentao_Liang +Signed-off-by: Song Liu +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/raid5.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index b396e78b1b6d..bea171a5e663 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -2513,10 +2513,10 @@ static void raid5_end_write_request(struct bio *bi) + if (!test_and_clear_bit(R5_DOUBLE_LOCKED, &sh->dev[i].flags)) + clear_bit(R5_LOCKED, &sh->dev[i].flags); + set_bit(STRIPE_HANDLE, &sh->state); +- raid5_release_stripe(sh); + + if (sh->batch_head && sh != sh->batch_head) + raid5_release_stripe(sh->batch_head); ++ raid5_release_stripe(sh); + } + + static void raid5_build_block(struct stripe_head *sh, int i, int previous) +-- +2.35.1 + diff --git a/queue-4.9/ext4-avoid-remove-directory-when-directory-is-corrup.patch b/queue-4.9/ext4-avoid-remove-directory-when-directory-is-corrup.patch new file mode 100644 index 00000000000..b69a75e38c3 --- /dev/null +++ b/queue-4.9/ext4-avoid-remove-directory-when-directory-is-corrup.patch @@ -0,0 +1,43 @@ +From 75abaca4f6001330867868739d3ba23ffeec5b40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jun 2022 17:02:23 +0800 +Subject: ext4: avoid remove directory when directory is corrupted + +From: Ye Bin + +[ Upstream commit b24e77ef1c6d4dbf42749ad4903c97539cc9755a ] + +Now if check directoy entry is corrupted, ext4_empty_dir may return true +then directory will be removed when file system mounted with "errors=continue". +In order not to make things worse just return false when directory is corrupted. + +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20220622090223.682234-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 84754700ebe1..1281181215aa 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2793,11 +2793,8 @@ bool ext4_empty_dir(struct inode *inode) + de = (struct ext4_dir_entry_2 *) (bh->b_data + + (offset & (sb->s_blocksize - 1))); + if (ext4_check_dir_entry(inode, NULL, de, bh, +- bh->b_data, bh->b_size, offset)) { +- offset = (offset | (sb->s_blocksize - 1)) + 1; +- continue; +- } +- if (le32_to_cpu(de->inode)) { ++ bh->b_data, bh->b_size, offset) || ++ le32_to_cpu(de->inode)) { + brelse(bh); + return false; + } +-- +2.35.1 + diff --git a/queue-4.9/ext4-avoid-resizing-to-a-partial-cluster-size.patch b/queue-4.9/ext4-avoid-resizing-to-a-partial-cluster-size.patch new file mode 100644 index 00000000000..9ca75de1cc2 --- /dev/null +++ b/queue-4.9/ext4-avoid-resizing-to-a-partial-cluster-size.patch @@ -0,0 +1,47 @@ +From f3f0eafacfd3c4fc32a3b80a3594d46d2029bcc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jul 2022 04:27:48 +0000 +Subject: ext4: avoid resizing to a partial cluster size + +From: Kiselev, Oleg + +[ Upstream commit 69cb8e9d8cd97cdf5e293b26d70a9dee3e35e6bd ] + +This patch avoids an attempt to resize the filesystem to an +unaligned cluster boundary. An online resize to a size that is not +integral to cluster size results in the last iteration attempting to +grow the fs by a negative amount, which trips a BUG_ON and leaves the fs +with a corrupted in-memory superblock. + +Signed-off-by: Oleg Kiselev +Link: https://lore.kernel.org/r/0E92A0AB-4F16-4F1A-94B7-702CC6504FDE@amazon.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/resize.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 60984bc54d55..e4f02572f69d 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1941,6 +1941,16 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count) + } + brelse(bh); + ++ /* ++ * For bigalloc, trim the requested size to the nearest cluster ++ * boundary to avoid creating an unusable filesystem. We do this ++ * silently, instead of returning an error, to avoid breaking ++ * callers that blindly resize the filesystem to the full size of ++ * the underlying block device. ++ */ ++ if (ext4_has_feature_bigalloc(sb)) ++ n_blocks_count &= ~((1 << EXT4_CLUSTER_BITS(sb)) - 1); ++ + retry: + o_blocks_count = ext4_blocks_count(es); + +-- +2.35.1 + diff --git a/queue-4.9/gadgetfs-ep_io-wait-until-irq-finishes.patch b/queue-4.9/gadgetfs-ep_io-wait-until-irq-finishes.patch new file mode 100644 index 00000000000..d3bf8267baa --- /dev/null +++ b/queue-4.9/gadgetfs-ep_io-wait-until-irq-finishes.patch @@ -0,0 +1,37 @@ +From 0792d55871072c6e0ae202fcc35879068f431314 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jul 2022 09:06:44 +0200 +Subject: gadgetfs: ep_io - wait until IRQ finishes + +From: Jozef Martiniak + +[ Upstream commit 04cb742d4d8f30dc2e83b46ac317eec09191c68e ] + +after usb_ep_queue() if wait_for_completion_interruptible() is +interrupted we need to wait until IRQ gets finished. + +Otherwise complete() from epio_complete() can corrupt stack. + +Signed-off-by: Jozef Martiniak +Link: https://lore.kernel.org/r/20220708070645.6130-1-jomajm@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/legacy/inode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c +index 2b30b5a1b577..8d53b3ac31c6 100644 +--- a/drivers/usb/gadget/legacy/inode.c ++++ b/drivers/usb/gadget/legacy/inode.c +@@ -365,6 +365,7 @@ ep_io (struct ep_data *epdata, void *buf, unsigned len) + spin_unlock_irq (&epdata->dev->lock); + + DBG (epdata->dev, "endpoint gone\n"); ++ wait_for_completion(&done); + epdata->status = -ENODEV; + } + } +-- +2.35.1 + diff --git a/queue-4.9/irqchip-tegra-fix-overflow-implicit-truncation-warni.patch b/queue-4.9/irqchip-tegra-fix-overflow-implicit-truncation-warni.patch new file mode 100644 index 00000000000..c9b1983c4ff --- /dev/null +++ b/queue-4.9/irqchip-tegra-fix-overflow-implicit-truncation-warni.patch @@ -0,0 +1,76 @@ +From dc7eb49439a390acdf95487928e1cab81f22be3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 22:14:12 +0530 +Subject: irqchip/tegra: Fix overflow implicit truncation warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sai Prakash Ranjan + +[ Upstream commit 443685992bda9bb4f8b17fc02c9f6c60e62b1461 ] + +Fix -Woverflow warnings for tegra irqchip driver which is a result +of moving arm64 custom MMIO accessor macros to asm-generic function +implementations giving a bonus type-checking now and uncovering these +overflow warnings. + +drivers/irqchip/irq-tegra.c: In function ‘tegra_ictlr_suspend’: +drivers/irqchip/irq-tegra.c:151:18: warning: large integer implicitly truncated to unsigned type [-Woverflow] + writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR); + ^ + +Suggested-by: Marc Zyngier +Signed-off-by: Sai Prakash Ranjan +Reviewed-by: Arnd Bergmann +Cc: Marc Zyngier +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-tegra.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/irqchip/irq-tegra.c b/drivers/irqchip/irq-tegra.c +index 3973a14bb15b..02ffefd5011a 100644 +--- a/drivers/irqchip/irq-tegra.c ++++ b/drivers/irqchip/irq-tegra.c +@@ -157,10 +157,10 @@ static int tegra_ictlr_suspend(void) + lic->cop_iep[i] = readl_relaxed(ictlr + ICTLR_COP_IEP_CLASS); + + /* Disable COP interrupts */ +- writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_COP_IER_CLR); + + /* Disable CPU interrupts */ +- writel_relaxed(~0ul, ictlr + ICTLR_CPU_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_CPU_IER_CLR); + + /* Enable the wakeup sources of ictlr */ + writel_relaxed(lic->ictlr_wake_mask[i], ictlr + ICTLR_CPU_IER_SET); +@@ -181,12 +181,12 @@ static void tegra_ictlr_resume(void) + + writel_relaxed(lic->cpu_iep[i], + ictlr + ICTLR_CPU_IEP_CLASS); +- writel_relaxed(~0ul, ictlr + ICTLR_CPU_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_CPU_IER_CLR); + writel_relaxed(lic->cpu_ier[i], + ictlr + ICTLR_CPU_IER_SET); + writel_relaxed(lic->cop_iep[i], + ictlr + ICTLR_COP_IEP_CLASS); +- writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_COP_IER_CLR); + writel_relaxed(lic->cop_ier[i], + ictlr + ICTLR_COP_IER_SET); + } +@@ -321,7 +321,7 @@ static int __init tegra_ictlr_init(struct device_node *node, + lic->base[i] = base; + + /* Disable all interrupts */ +- writel_relaxed(~0UL, base + ICTLR_CPU_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), base + ICTLR_CPU_IER_CLR); + /* All interrupts target IRQ */ + writel_relaxed(0, base + ICTLR_CPU_IEP_CLASS); + +-- +2.35.1 + diff --git a/queue-4.9/mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch b/queue-4.9/mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch new file mode 100644 index 00000000000..2d49c651b1c --- /dev/null +++ b/queue-4.9/mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch @@ -0,0 +1,42 @@ +From 2c5898829b225e9cfddbd4f09560025a853e28da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 20:41:12 +0800 +Subject: mips: cavium-octeon: Fix missing of_node_put() in + octeon2_usb_clocks_start + +From: Liang He + +[ Upstream commit 7a9f743ceead60ed454c46fbc3085ee9a79cbebb ] + +We should call of_node_put() for the reference 'uctl_node' returned by +of_get_parent() which will increase the refcount. Otherwise, there will +be a refcount leak bug. + +Signed-off-by: Liang He +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/cavium-octeon/octeon-platform.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/cavium-octeon/octeon-platform.c b/arch/mips/cavium-octeon/octeon-platform.c +index 2ecc8d1b0539..f295be876390 100644 +--- a/arch/mips/cavium-octeon/octeon-platform.c ++++ b/arch/mips/cavium-octeon/octeon-platform.c +@@ -130,11 +130,12 @@ static void octeon2_usb_clocks_start(struct device *dev) + "refclk-frequency", &clock_rate); + if (i) { + dev_err(dev, "No UCTL \"refclk-frequency\"\n"); ++ of_node_put(uctl_node); + goto exit; + } + i = of_property_read_string(uctl_node, + "refclk-type", &clock_type); +- ++ of_node_put(uctl_node); + if (!i && strcmp("crystal", clock_type) == 0) + is_crystal_clock = true; + } +-- +2.35.1 + diff --git a/queue-4.9/mips-tlbex-explicitly-compare-_page_no_exec-against-.patch b/queue-4.9/mips-tlbex-explicitly-compare-_page_no_exec-against-.patch new file mode 100644 index 00000000000..9c5f8c547f9 --- /dev/null +++ b/queue-4.9/mips-tlbex-explicitly-compare-_page_no_exec-against-.patch @@ -0,0 +1,70 @@ +From 3447b378f4ec37600eb5d6e121c8fa1833c9896c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 10:59:36 -0700 +Subject: MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0 + +From: Nathan Chancellor + +[ Upstream commit 74de14fe05dd6b151d73cb0c73c8ec874cbdcde6 ] + +When CONFIG_XPA is enabled, Clang warns: + + arch/mips/mm/tlbex.c:629:24: error: converting the result of '<<' to a boolean; did you mean '(1 << _PAGE_NO_EXEC_SHIFT) != 0'? [-Werror,-Wint-in-bool-context] + if (cpu_has_rixi && !!_PAGE_NO_EXEC) { + ^ + arch/mips/include/asm/pgtable-bits.h:174:28: note: expanded from macro '_PAGE_NO_EXEC' + # define _PAGE_NO_EXEC (1 << _PAGE_NO_EXEC_SHIFT) + ^ + arch/mips/mm/tlbex.c:2568:24: error: converting the result of '<<' to a boolean; did you mean '(1 << _PAGE_NO_EXEC_SHIFT) != 0'? [-Werror,-Wint-in-bool-context] + if (!cpu_has_rixi || !_PAGE_NO_EXEC) { + ^ + arch/mips/include/asm/pgtable-bits.h:174:28: note: expanded from macro '_PAGE_NO_EXEC' + # define _PAGE_NO_EXEC (1 << _PAGE_NO_EXEC_SHIFT) + ^ + 2 errors generated. + +_PAGE_NO_EXEC can be '0' or '1 << _PAGE_NO_EXEC_SHIFT' depending on the +build and runtime configuration, which is what the negation operators +are trying to convey. To silence the warning, explicitly compare against +0 so the result of the '<<' operator is not implicitly converted to a +boolean. + +According to its documentation, GCC enables -Wint-in-bool-context with +-Wall but this warning is not visible when building the same +configuration with GCC. It appears GCC only warns when compiling C++, +not C, although the documentation makes no note of this: +https://godbolt.org/z/x39q3brxf + +Reported-by: Sudip Mukherjee (Codethink) +Signed-off-by: Nathan Chancellor +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/mm/tlbex.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c +index f625fd20b21e..65fed205383e 100644 +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -637,7 +637,7 @@ static __maybe_unused void build_convert_pte_to_entrylo(u32 **p, + return; + } + +- if (cpu_has_rixi && !!_PAGE_NO_EXEC) { ++ if (cpu_has_rixi && _PAGE_NO_EXEC != 0) { + if (fill_includes_sw_bits) { + UASM_i_ROTR(p, reg, reg, ilog2(_PAGE_GLOBAL)); + } else { +@@ -2518,7 +2518,7 @@ static void check_pabits(void) + unsigned long entry; + unsigned pabits, fillbits; + +- if (!cpu_has_rixi || !_PAGE_NO_EXEC) { ++ if (!cpu_has_rixi || _PAGE_NO_EXEC == 0) { + /* + * We'll only be making use of the fact that we can rotate bits + * into the fill if the CPU supports RIXI, so don't bother +-- +2.35.1 + diff --git a/queue-4.9/powerpc-64-init-jump-labels-before-parse_early_param.patch b/queue-4.9/powerpc-64-init-jump-labels-before-parse_early_param.patch new file mode 100644 index 00000000000..d4291e0a91e --- /dev/null +++ b/queue-4.9/powerpc-64-init-jump-labels-before-parse_early_param.patch @@ -0,0 +1,65 @@ +From 5597e4257cdb1dc96625dbd3146684f18f846e64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jul 2022 09:57:47 +0800 +Subject: powerpc/64: Init jump labels before parse_early_param() + +From: Zhouyi Zhou + +[ Upstream commit ca829e05d3d4f728810cc5e4b468d9ebc7745eb3 ] + +On 64-bit, calling jump_label_init() in setup_feature_keys() is too +late because static keys may be used in subroutines of +parse_early_param() which is again subroutine of early_init_devtree(). + +For example booting with "threadirqs": + + static_key_enable_cpuslocked(): static key '0xc000000002953260' used before call to jump_label_init() + WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:166 static_key_enable_cpuslocked+0xfc/0x120 + ... + NIP static_key_enable_cpuslocked+0xfc/0x120 + LR static_key_enable_cpuslocked+0xf8/0x120 + Call Trace: + static_key_enable_cpuslocked+0xf8/0x120 (unreliable) + static_key_enable+0x30/0x50 + setup_forced_irqthreads+0x28/0x40 + do_early_param+0xa0/0x108 + parse_args+0x290/0x4e0 + parse_early_options+0x48/0x5c + parse_early_param+0x58/0x84 + early_init_devtree+0xd4/0x518 + early_setup+0xb4/0x214 + +So call jump_label_init() just before parse_early_param() in +early_init_devtree(). + +Suggested-by: Michael Ellerman +Signed-off-by: Zhouyi Zhou +[mpe: Add call trace to change log and minor wording edits.] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220726015747.11754-1-zhouzhouyi@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/prom.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c +index 11b4ecec04ee..1413d72689d2 100644 +--- a/arch/powerpc/kernel/prom.c ++++ b/arch/powerpc/kernel/prom.c +@@ -682,6 +682,13 @@ void __init early_init_devtree(void *params) + of_scan_flat_dt(early_init_dt_scan_root, NULL); + of_scan_flat_dt(early_init_dt_scan_memory_ppc, NULL); + ++ /* ++ * As generic code authors expect to be able to use static keys ++ * in early_param() handlers, we initialize the static keys just ++ * before parsing early params (it's fine to call jump_label_init() ++ * more than once). ++ */ ++ jump_label_init(); + parse_early_param(); + + /* make sure we've parsed cmdline for mem= before this */ +-- +2.35.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 9c3b58513a5..c19972d882a 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -83,3 +83,18 @@ nios2-restarts-apply-only-to-the-first-sigframe-we-build.patch nios2-add-force_successful_syscall_return.patch netfilter-nf_tables-really-skip-inactive-sets-when-allocating-name.patch fec-fix-timer-capture-timing-in-fec_ptp_enable_pps.patch +irqchip-tegra-fix-overflow-implicit-truncation-warni.patch +usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch +gadgetfs-ep_io-wait-until-irq-finishes.patch +cxl-fix-a-memory-leak-in-an-error-handling-path.patch +drivers-md-fix-a-potential-use-after-free-bug.patch +ext4-avoid-remove-directory-when-directory-is-corrup.patch +ext4-avoid-resizing-to-a-partial-cluster-size.patch +tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch +vfio-clear-the-caps-buf-to-null-after-free.patch +mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch +alsa-core-add-async-signal-helpers.patch +alsa-timer-use-deferred-fasync-helper.patch +powerpc-64-init-jump-labels-before-parse_early_param.patch +video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch +mips-tlbex-explicitly-compare-_page_no_exec-against-.patch diff --git a/queue-4.9/tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch b/queue-4.9/tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch new file mode 100644 index 00000000000..04ea69fec37 --- /dev/null +++ b/queue-4.9/tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch @@ -0,0 +1,38 @@ +From 57210685e8d84fd1472ab2b76fcd1239af2e1f5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Jun 2022 14:08:50 +0800 +Subject: tty: serial: Fix refcount leak bug in ucc_uart.c + +From: Liang He + +[ Upstream commit d24d7bb2cd947676f9b71fb944d045e09b8b282f ] + +In soc_info(), of_find_node_by_type() will return a node pointer +with refcount incremented. We should use of_node_put() when it is +not used anymore. + +Acked-by: Timur Tabi +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220618060850.4058525-1-windhl@126.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/ucc_uart.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/serial/ucc_uart.c b/drivers/tty/serial/ucc_uart.c +index 481eb2989a1e..ed1658b61e54 100644 +--- a/drivers/tty/serial/ucc_uart.c ++++ b/drivers/tty/serial/ucc_uart.c +@@ -1143,6 +1143,8 @@ static unsigned int soc_info(unsigned int *rev_h, unsigned int *rev_l) + /* No compatible property, so try the name. */ + soc_string = np->name; + ++ of_node_put(np); ++ + /* Extract the SOC number from the "PowerPC," string */ + if ((sscanf(soc_string, "PowerPC,%u", &soc) != 1) || !soc) + return 0; +-- +2.35.1 + diff --git a/queue-4.9/usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch b/queue-4.9/usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch new file mode 100644 index 00000000000..e31b731476f --- /dev/null +++ b/queue-4.9/usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch @@ -0,0 +1,37 @@ +From 5c058ac03d9e7bf307839faff285a546f83a2cf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jun 2022 11:46:37 +0800 +Subject: usb: host: ohci-ppc-of: Fix refcount leak bug + +From: Liang He + +[ Upstream commit 40a959d7042bb7711e404ad2318b30e9f92c6b9b ] + +In ohci_hcd_ppc_of_probe(), of_find_compatible_node() will return +a node pointer with refcount incremented. We should use of_node_put() +when it is not used anymore. + +Acked-by: Alan Stern +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220617034637.4003115-1-windhl@126.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ohci-ppc-of.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/host/ohci-ppc-of.c b/drivers/usb/host/ohci-ppc-of.c +index 4f87a5c61b08..d22a70363fbf 100644 +--- a/drivers/usb/host/ohci-ppc-of.c ++++ b/drivers/usb/host/ohci-ppc-of.c +@@ -168,6 +168,7 @@ static int ohci_hcd_ppc_of_probe(struct platform_device *op) + release_mem_region(res.start, 0x4); + } else + pr_debug("%s: cannot get ehci offset from fdt\n", __FILE__); ++ of_node_put(np); + } + + irq_dispose_mapping(irq); +-- +2.35.1 + diff --git a/queue-4.9/vfio-clear-the-caps-buf-to-null-after-free.patch b/queue-4.9/vfio-clear-the-caps-buf-to-null-after-free.patch new file mode 100644 index 00000000000..a5b99bf3f44 --- /dev/null +++ b/queue-4.9/vfio-clear-the-caps-buf-to-null-after-free.patch @@ -0,0 +1,38 @@ +From 04b2816c3f37acd94f8f3782b08aabfec9538c04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jun 2022 10:29:48 +0800 +Subject: vfio: Clear the caps->buf to NULL after free + +From: Schspa Shi + +[ Upstream commit 6641085e8d7b3f061911517f79a2a15a0a21b97b ] + +On buffer resize failure, vfio_info_cap_add() will free the buffer, +report zero for the size, and return -ENOMEM. As additional +hardening, also clear the buffer pointer to prevent any chance of a +double free. + +Signed-off-by: Schspa Shi +Reviewed-by: Cornelia Huck +Link: https://lore.kernel.org/r/20220629022948.55608-1-schspa@gmail.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c +index 881fc3a55edc..5798965f42b5 100644 +--- a/drivers/vfio/vfio.c ++++ b/drivers/vfio/vfio.c +@@ -1793,6 +1793,7 @@ struct vfio_info_cap_header *vfio_info_cap_add(struct vfio_info_cap *caps, + buf = krealloc(caps->buf, caps->size + size, GFP_KERNEL); + if (!buf) { + kfree(caps->buf); ++ caps->buf = NULL; + caps->size = 0; + return ERR_PTR(-ENOMEM); + } +-- +2.35.1 + diff --git a/queue-4.9/video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch b/queue-4.9/video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch new file mode 100644 index 00000000000..4fd371690f8 --- /dev/null +++ b/queue-4.9/video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch @@ -0,0 +1,67 @@ +From f25f21f136bc136f92257b1f9d7624fa7b53a199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 17:24:19 +0800 +Subject: video: fbdev: i740fb: Check the argument of i740_calc_vclk() + +From: Zheyu Ma + +[ Upstream commit 40bf722f8064f50200b8c4f8946cd625b441dda9 ] + +Since the user can control the arguments of the ioctl() from the user +space, under special arguments that may result in a divide-by-zero bug. + +If the user provides an improper 'pixclock' value that makes the argumet +of i740_calc_vclk() less than 'I740_RFREQ_FIX', it will cause a +divide-by-zero bug in: + drivers/video/fbdev/i740fb.c:353 p_best = min(15, ilog2(I740_MAX_VCO_FREQ / (freq / I740_RFREQ_FIX))); + +The following log can reveal it: + +divide error: 0000 [#1] PREEMPT SMP KASAN PTI +RIP: 0010:i740_calc_vclk drivers/video/fbdev/i740fb.c:353 [inline] +RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:646 [inline] +RIP: 0010:i740fb_set_par+0x163f/0x3b70 drivers/video/fbdev/i740fb.c:742 +Call Trace: + fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034 + do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 + fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189 + +Fix this by checking the argument of i740_calc_vclk() first. + +Signed-off-by: Zheyu Ma +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/i740fb.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c +index 7bc5f6056c77..4147a9534179 100644 +--- a/drivers/video/fbdev/i740fb.c ++++ b/drivers/video/fbdev/i740fb.c +@@ -399,7 +399,7 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var, + u32 xres, right, hslen, left, xtotal; + u32 yres, lower, vslen, upper, ytotal; + u32 vxres, xoffset, vyres, yoffset; +- u32 bpp, base, dacspeed24, mem; ++ u32 bpp, base, dacspeed24, mem, freq; + u8 r7; + int i; + +@@ -641,7 +641,12 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var, + par->atc[VGA_ATC_OVERSCAN] = 0; + + /* Calculate VCLK that most closely matches the requested dot clock */ +- i740_calc_vclk((((u32)1e9) / var->pixclock) * (u32)(1e3), par); ++ freq = (((u32)1e9) / var->pixclock) * (u32)(1e3); ++ if (freq < I740_RFREQ_FIX) { ++ fb_dbg(info, "invalid pixclock\n"); ++ freq = I740_RFREQ_FIX; ++ } ++ i740_calc_vclk(freq, par); + + /* Since we program the clocks ourselves, always use VCLK2. */ + par->misc |= 0x0C; +-- +2.35.1 +