From: Greg Kroah-Hartman Date: Sat, 17 Jun 2023 08:32:24 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.14.319~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08ae9cfe2e1207b035bd7140de1526cb0bf469b3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch dm-thin-metadata-check-fail_io-before-using-data_sm.patch drm-amd-display-edp-do-not-add-non-edid-timings.patch drm-amdgpu-add-missing-radeon-secondary-pci-id.patch epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch io_uring-hold-uring-mutex-around-poll-removal.patch kexec-support-purgatories-with-.text.hot-sections.patch net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch nios2-dts-fix-tse_mac-max-frame-size-property.patch nouveau-fix-client-work-fence-deletion-race.patch ocfs2-check-new-file-size-on-fallocate-call.patch ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch powerpc-purgatory-remove-pgo-flags.patch rdma-uverbs-restrict-usage-of-privileged-qkeys.patch wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch x86-purgatory-remove-pgo-flags.patch --- diff --git a/queue-5.15/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch b/queue-5.15/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch new file mode 100644 index 00000000000..82ce8fc9669 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch 
@@ -0,0 +1,30 @@ +From a2a871483161014f1bcc4e9a04354b01aa77cedb Mon Sep 17 00:00:00 2001 +From: Edson Juliano Drosdeck +Date: Fri, 9 Jun 2023 17:10:58 -0300 +Subject: ALSA: hda/realtek: Add a quirk for Compaq N14JP6 + +From: Edson Juliano Drosdeck + +commit a2a871483161014f1bcc4e9a04354b01aa77cedb upstream. + +Add a quirk for Compaq N14JP6 to fixup ALC897 headset MIC no sound. + +Signed-off-by: Edson Juliano Drosdeck +Cc: +Link: https://lore.kernel.org/r/20230609201058.523499-1-edson.drosdeck@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11287,6 +11287,7 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x1b0a, 0x01b8, "ACER Veriton", ALC662_FIXUP_ACER_VERITON), + SND_PCI_QUIRK(0x1b35, 0x1234, "CZC ET26", ALC662_FIXUP_CZC_ET26), + SND_PCI_QUIRK(0x1b35, 0x2206, "CZC P10T", ALC662_FIXUP_CZC_P10T), ++ SND_PCI_QUIRK(0x1c6c, 0x1239, "Compaq N14JP6-V2", ALC897_FIXUP_HP_HSMIC_VERB), + + #if 0 + /* Below is a quirk table taken from the old code. diff --git a/queue-5.15/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch b/queue-5.15/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch new file mode 100644 index 00000000000..7dfd23394d3 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch 
@@ -0,0 +1,39 @@ +From 122e2cb7e1a30438cc0e8bf70d4279db245d7d5b Mon Sep 17 00:00:00 2001 +From: Lukasz Tyl +Date: Wed, 14 Jun 2023 14:25:24 +0200 +Subject: ALSA: usb-audio: Add quirk flag for HEM devices to enable native DSD playback + +From: Lukasz Tyl + +commit 122e2cb7e1a30438cc0e8bf70d4279db245d7d5b upstream. + +This commit adds new DEVICE_FLG with QUIRK_FLAG_DSD_RAW and Vendor Id for +HEM devices which supports native DSD. Prior to this change Linux kernel +was not enabling native DSD playback for HEM devices, and as a result, +DSD audio was being converted to PCM "on the fly". HEM devices, +when connected to the system, would only play audio in PCM format, +even if the source material was in DSD format. With the addition of new +VENDOR_FLG in the quircks.c file, the devices are now correctly +recognized, and raw DSD data is transmitted to the device, +allowing for native DSD playback. + +Signed-off-by: Lukasz Tyl +Cc: +Link: https://lore.kernel.org/r/20230614122524.30271-1-ltyl@hem-e.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1921,6 +1921,8 @@ static const struct usb_audio_quirk_flag + QUIRK_FLAG_DSD_RAW), + VENDOR_FLG(0x2ab6, /* T+A devices */ + QUIRK_FLAG_DSD_RAW), ++ VENDOR_FLG(0x3336, /* HEM devices */ ++ QUIRK_FLAG_DSD_RAW), + VENDOR_FLG(0x3353, /* Khadas devices */ + QUIRK_FLAG_DSD_RAW), + VENDOR_FLG(0x3842, /* EVGA */ diff --git a/queue-5.15/dm-thin-metadata-check-fail_io-before-using-data_sm.patch b/queue-5.15/dm-thin-metadata-check-fail_io-before-using-data_sm.patch new file mode 100644 index 00000000000..b5e9098b880 --- /dev/null +++ b/queue-5.15/dm-thin-metadata-check-fail_io-before-using-data_sm.patch 
@@ -0,0 +1,101 @@ +From cb65b282c9640c27d3129e2e04b711ce1b352838 Mon Sep 17 00:00:00 2001 +From: Li Lingfeng +Date: Tue, 6 Jun 2023 20:20:24 +0800 +Subject: dm thin metadata: check fail_io before using data_sm +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Li Lingfeng + +commit cb65b282c9640c27d3129e2e04b711ce1b352838 upstream. + +Must check pmd->fail_io before using pmd->data_sm since +pmd->data_sm may be destroyed by other processes. + + P1(kworker) P2(message) +do_worker + process_prepared + process_prepared_discard_passdown_pt2 + dm_pool_dec_data_range + pool_message + commit + dm_pool_commit_metadata + ↓ + // commit failed + metadata_operation_failed + abort_transaction + dm_pool_abort_metadata + __open_or_format_metadata + ↓ + dm_sm_disk_open + ↓ + // open failed + // pmd->data_sm is NULL + dm_sm_dec_blocks + ↓ + // try to access pmd->data_sm --> UAF + +As shown above, if dm_pool_commit_metadata() and +dm_pool_abort_metadata() fail in pool_message process, kworker may +trigger UAF. 
+ +Fixes: be500ed721a6 ("dm space maps: improve performance with inc/dec on ranges of blocks") +Cc: stable@vger.kernel.org +Signed-off-by: Li Lingfeng +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-thin-metadata.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -1778,13 +1778,15 @@ int dm_thin_remove_range(struct dm_thin_ + + int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result) + { +- int r; ++ int r = -EINVAL; + uint32_t ref_count; + + down_read(&pmd->root_lock); +- r = dm_sm_get_count(pmd->data_sm, b, &ref_count); +- if (!r) +- *result = (ref_count > 1); ++ if (!pmd->fail_io) { ++ r = dm_sm_get_count(pmd->data_sm, b, &ref_count); ++ if (!r) ++ *result = (ref_count > 1); ++ } + up_read(&pmd->root_lock); + + return r; +@@ -1792,10 +1794,11 @@ int dm_pool_block_is_shared(struct dm_po + + int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e) + { +- int r = 0; ++ int r = -EINVAL; + + pmd_write_lock(pmd); +- r = dm_sm_inc_blocks(pmd->data_sm, b, e); ++ if (!pmd->fail_io) ++ r = dm_sm_inc_blocks(pmd->data_sm, b, e); + pmd_write_unlock(pmd); + + return r; +@@ -1803,10 +1806,11 @@ int dm_pool_inc_data_range(struct dm_poo + + int dm_pool_dec_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e) + { +- int r = 0; ++ int r = -EINVAL; + + pmd_write_lock(pmd); +- r = dm_sm_dec_blocks(pmd->data_sm, b, e); ++ if (!pmd->fail_io) ++ r = dm_sm_dec_blocks(pmd->data_sm, b, e); + pmd_write_unlock(pmd); + + return r; diff --git a/queue-5.15/drm-amd-display-edp-do-not-add-non-edid-timings.patch b/queue-5.15/drm-amd-display-edp-do-not-add-non-edid-timings.patch new file mode 100644 index 00000000000..2b4058ec62b --- /dev/null +++ b/queue-5.15/drm-amd-display-edp-do-not-add-non-edid-timings.patch 
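Review bot: In dm_pool_block_is_shared the fail_io branch now returns -EINVAL and leaves `*result` untouched, so callers must only read `*result` when r == 0; nothing in the hunk states that contract, and the reason for the guard lives only in the commit message. A one-line comment above the first guard would carry it into the code, e.g. `/* data_sm may have been torn down by a failed metadata abort; fail_io marks that state */` (my reading of the commit message — worth confirming against dm_pool_abort_metadata). The identical guard is added in dm_pool_inc_data_range and dm_pool_dec_data_range in the second and third hunks; the comment is only needed once, and the -EINVAL choice appears consistent with the file's other fail_io early-outs, as far as I can tell from outside the hunk. All three functions are shown in full, but the surrounding file is not.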
@@ -0,0 +1,45 @@ +From e749dd10e5f292061ad63d2b030194bf7d7d452c Mon Sep 17 00:00:00 2001 +From: Hersen Wu +Date: Thu, 25 May 2023 08:37:40 -0400 +Subject: drm/amd/display: edp do not add non-edid timings + +From: Hersen Wu + +commit e749dd10e5f292061ad63d2b030194bf7d7d452c upstream. + +[Why] most edp support only timings from edid. applying +non-edid timings, especially those timings out of edp +bandwidth, may damage edp. + +[How] do not add non-edid timings for edp. + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Acked-by: Stylon Wang +Signed-off-by: Hersen Wu +Reviewed-by: Roman Li +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -8177,7 +8177,13 @@ static int amdgpu_dm_connector_get_modes + drm_add_modes_noedid(connector, 640, 480); + } else { + amdgpu_dm_connector_ddc_get_modes(connector, edid); +- amdgpu_dm_connector_add_common_modes(encoder, connector); ++ /* most eDP supports only timings from its edid, ++ * usually only detailed timings are available ++ * from eDP edid. timings which are not from edid ++ * may damage eDP ++ */ ++ if (connector->connector_type != DRM_MODE_CONNECTOR_eDP) ++ amdgpu_dm_connector_add_common_modes(encoder, connector); + amdgpu_dm_connector_add_freesync_modes(connector, edid); + } + amdgpu_dm_fbc_init(connector); diff --git a/queue-5.15/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch b/queue-5.15/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch new file mode 100644 index 00000000000..b1cba2b4fdc --- /dev/null +++ b/queue-5.15/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch 
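Review bot: The added comment opens with text on the `/*` line (`/* most eDP supports only timings from its edid,`), which is the net/ subsystem form; the kernel's general coding style puts `/*` alone on the first line of a multi-line comment, so if the rest of amdgpu_dm.c follows the general form this block should match it. The comment also mixes `edid`/`eDP` capitalisation and ends without a period. No functional issue with the guard itself. amdgpu_dm_connector_get_modes starts and ends outside the hunk.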
@@ -0,0 +1,35 @@ +From e61f67749b351c19455ce3085af2ae9af80023bc Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 6 Jun 2023 11:14:04 -0400 +Subject: drm/amdgpu: add missing radeon secondary PCI ID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit e61f67749b351c19455ce3085af2ae9af80023bc upstream. + +0x5b70 is a missing RV370 secondary id. Add it so +we don't try and probe it with amdgpu. + +Cc: michel@daenzer.net +Reviewed-by: Michel Dänzer +Tested-by: Michel Dänzer +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -1557,6 +1557,7 @@ static const u16 amdgpu_unsupported_pcii + 0x5874, + 0x5940, + 0x5941, ++ 0x5b70, + 0x5b72, + 0x5b73, + 0x5b74, diff --git a/queue-5.15/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch b/queue-5.15/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch new file mode 100644 index 00000000000..14fc56e3482 --- /dev/null +++ b/queue-5.15/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch 
@@ -0,0 +1,42 @@ +From 2192bba03d80f829233bfa34506b428f71e531e7 Mon Sep 17 00:00:00 2001 +From: Benjamin Segall +Date: Tue, 30 May 2023 11:32:28 -0700 +Subject: epoll: ep_autoremove_wake_function should use list_del_init_careful + +From: Benjamin Segall + +commit 2192bba03d80f829233bfa34506b428f71e531e7 upstream. + +autoremove_wake_function uses list_del_init_careful, so should epoll's +more aggressive variant. It only doesn't because it was copied from an +older wait.c rather than the most recent. + +[bsegall@google.com: add comment] + Link: https://lkml.kernel.org/r/xm26bki0ulsr.fsf_-_@google.com +Link: https://lkml.kernel.org/r/xm26pm6hvfer.fsf@google.com +Fixes: a16ceb139610 ("epoll: autoremove wakers even more aggressively") +Signed-off-by: Ben Segall +Cc: Al Viro +Cc: Christian Brauner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/eventpoll.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1753,7 +1753,11 @@ static int ep_autoremove_wake_function(s + { + int ret = default_wake_function(wq_entry, mode, sync, key); + +- list_del_init(&wq_entry->entry); ++ /* ++ * Pairs with list_empty_careful in ep_poll, and ensures future loop ++ * iterations see the cause of this wakeup. ++ */ ++ list_del_init_careful(&wq_entry->entry); + return ret; + } + diff --git a/queue-5.15/io_uring-hold-uring-mutex-around-poll-removal.patch b/queue-5.15/io_uring-hold-uring-mutex-around-poll-removal.patch new file mode 100644 index 00000000000..68455ce90d5 --- /dev/null +++ b/queue-5.15/io_uring-hold-uring-mutex-around-poll-removal.patch 
@@ -0,0 +1,42 @@ +From 3f1f052a5f8e2f9c568c4e0a34057b9049e948d9 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Fri, 16 Jun 2023 21:12:06 -0600 +Subject: io_uring: hold uring mutex around poll removal + +From: Jens Axboe + +Snipped from commit 9ca9fb24d5febccea354089c41f96a8ad0d853f8 upstream. + +While reworking the poll hashing in the v6.0 kernel, we ended up +grabbing the ctx->uring_lock in poll update/removal. This also fixed +a bug with linked timeouts racing with timeout expiry and poll +removal. + +Bring back just the locking fix for that. + +Reported-and-tested-by: Querijn Voet +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -6111,6 +6111,8 @@ static int io_poll_update(struct io_kioc + struct io_kiocb *preq; + int ret2, ret = 0; + ++ io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); ++ + spin_lock(&ctx->completion_lock); + preq = io_poll_find(ctx, req->poll_update.old_user_data, true); + if (!preq || !io_poll_disarm(preq)) { +@@ -6142,6 +6144,7 @@ out: + req_set_fail(req); + /* complete update request, we're done with it */ + io_req_complete(req, ret); ++ io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); + return 0; + } + diff --git a/queue-5.15/kexec-support-purgatories-with-.text.hot-sections.patch b/queue-5.15/kexec-support-purgatories-with-.text.hot-sections.patch new file mode 100644 index 00000000000..31ba4d0a465 --- /dev/null +++ b/queue-5.15/kexec-support-purgatories-with-.text.hot-sections.patch 
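Review bot: The io_ring_submit_lock added at the top of io_poll_update is only paired with the unlock placed before the final `return 0` after `out:`; any `return` between the two hunks (the stretch from io_poll_find to `out:` is not part of this patch) would leave ctx->uring_lock held. Since this is a partial backport rather than the upstream commit, it is worth confirming that every error path in 5.15's version of that stretch jumps to `out:`. The `!(issue_flags & IO_URING_F_NONBLOCK)` expression is also evaluated twice; hoisting it as `bool locked = !(issue_flags & IO_URING_F_NONBLOCK);` and passing `locked` to both calls keeps the pair visibly matched. io_poll_update's body starts and ends outside the hunk.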
@@ -0,0 +1,102 @@ +From 8652d44f466ad5772e7d1756e9457046189b0dfc Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Fri, 19 May 2023 16:47:36 +0200 +Subject: kexec: support purgatories with .text.hot sections + +From: Ricardo Ribalda + +commit 8652d44f466ad5772e7d1756e9457046189b0dfc upstream. + +Patch series "kexec: Fix kexec_file_load for llvm16 with PGO", v7. + +When upreving llvm I realised that kexec stopped working on my test +platform. + +The reason seems to be that due to PGO there are multiple .text sections +on the purgatory, and kexec does not supports that. + + +This patch (of 4): + +Clang16 links the purgatory text in two sections when PGO is in use: + + [ 1] .text PROGBITS 0000000000000000 00000040 + 00000000000011a1 0000000000000000 AX 0 0 16 + [ 2] .rela.text RELA 0000000000000000 00003498 + 0000000000000648 0000000000000018 I 24 1 8 + ... + [17] .text.hot. PROGBITS 0000000000000000 00003220 + 000000000000020b 0000000000000000 AX 0 0 1 + [18] .rela.text.hot. RELA 0000000000000000 00004428 + 0000000000000078 0000000000000018 I 24 17 8 + +And both of them have their range [sh_addr ... sh_addr+sh_size] on the +area pointed by `e_entry`. + +This causes that image->start is calculated twice, once for .text and +another time for .text.hot. The second calculation leaves image->start +in a random location. + +Because of this, the system crashes immediately after: + +kexec_core: Starting new kernel + +Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-0-b05c520b7296@chromium.org +Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-1-b05c520b7296@chromium.org +Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory") +Signed-off-by: Ricardo Ribalda +Reviewed-by: Ross Zwisler +Reviewed-by: Steven Rostedt (Google) +Reviewed-by: Philipp Rudo +Cc: Albert Ou +Cc: Baoquan He +Cc: Borislav Petkov (AMD) +Cc: Christophe Leroy +Cc: Dave Hansen +Cc: Dave Young +Cc: Eric W. Biederman +Cc: "H. 
Peter Anvin" +Cc: Ingo Molnar +Cc: Michael Ellerman +Cc: Nathan Chancellor +Cc: Nicholas Piggin +Cc: Nick Desaulniers +Cc: Palmer Dabbelt +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Simon Horman +Cc: Thomas Gleixner +Cc: Tom Rix +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kexec_file.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -910,10 +910,22 @@ static int kexec_purgatory_setup_sechdrs + } + + offset = ALIGN(offset, align); ++ ++ /* ++ * Check if the segment contains the entry point, if so, ++ * calculate the value of image->start based on it. ++ * If the compiler has produced more than one .text section ++ * (Eg: .text.hot), they are generally after the main .text ++ * section, and they shall not be used to calculate ++ * image->start. So do not re-calculate image->start if it ++ * is not set to the initial value, and warn the user so they ++ * have a chance to fix their purgatory's linker script. ++ */ + if (sechdrs[i].sh_flags & SHF_EXECINSTR && + pi->ehdr->e_entry >= sechdrs[i].sh_addr && + pi->ehdr->e_entry < (sechdrs[i].sh_addr +- + sechdrs[i].sh_size)) { ++ + sechdrs[i].sh_size) && ++ !WARN_ON(kbuf->image->start != pi->ehdr->e_entry)) { + kbuf->image->start -= sechdrs[i].sh_addr; + kbuf->image->start += kbuf->mem + offset; + } diff --git a/queue-5.15/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch b/queue-5.15/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch new file mode 100644 index 00000000000..c0f86a73349 --- /dev/null +++ b/queue-5.15/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch 
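Review bot: The WARN_ON is folded into the `if` condition, so it fires only when a later executable section also contains e_entry, and the check silently relies on image->start having been pre-set to e_entry before this loop; that initialisation is outside the hunk, and a comment there noting it is the sentinel this test depends on would make the pairing explicit. A side-effecting WARN_ON nested inside a five-clause condition is also hard to read; computing the range test into a local `bool` first and keeping the WARN_ON on its own line would be clearer. Minor: the comment's `Eg: .text.hot` should read `e.g. .text.hot`. kexec_purgatory_setup_sechdrs starts and ends outside the hunk.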
@@ -0,0 +1,88 @@ +From 863199199713908afaa47ba09332b87621c12496 Mon Sep 17 00:00:00 2001 +From: Wes Huang +Date: Thu, 8 Jun 2023 11:01:42 +0800 +Subject: net: usb: qmi_wwan: add support for Compal RXM-G1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wes Huang + +commit 863199199713908afaa47ba09332b87621c12496 upstream. + +Add support for Compal RXM-G1 which is based on Qualcomm SDX55 chip. +This patch adds support for two compositions: + +0x9091: DIAG + MODEM + QMI_RMNET + ADB +0x90db: DIAG + DUN + RMNET + DPL + QDSS(Trace) + ADB + +T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=05c6 ProdID=9091 Rev= 4.14 +S: Manufacturer=QCOM +S: Product=SDXPRAIRIE-MTP _SN:719AB680 +S: SerialNumber=719ab680 +C:* #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=896mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none) +E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=84(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms + +T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=05c6 ProdID=90db Rev= 4.14 +S: Manufacturer=QCOM +S: Product=SDXPRAIRIE-MTP _SN:719AB680 +S: SerialNumber=719ab680 +C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=896mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) 
Sub=ff Prot=30 Driver=(none) +E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=84(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=8f(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms + +Cc: stable@vger.kernel.org +Signed-off-by: Wes Huang +Acked-by: Bjørn Mork +Link: https://lore.kernel.org/r/20230608030141.3546-1-wes.huang@moxa.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1217,7 +1217,9 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x05c6, 0x9080, 8)}, + {QMI_FIXED_INTF(0x05c6, 0x9083, 3)}, + {QMI_FIXED_INTF(0x05c6, 0x9084, 4)}, ++ {QMI_QUIRK_SET_DTR(0x05c6, 0x9091, 2)}, /* Compal RXM-G1 */ + {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)}, /* ublox R410M */ ++ {QMI_QUIRK_SET_DTR(0x05c6, 0x90db, 2)}, /* Compal RXM-G1 */ + {QMI_FIXED_INTF(0x05c6, 0x920d, 0)}, + {QMI_FIXED_INTF(0x05c6, 0x920d, 5)}, + {QMI_QUIRK_SET_DTR(0x05c6, 0x9625, 4)}, /* YUGA CLM920-NC5 */ 
diff --git a/queue-5.15/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch b/queue-5.15/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch new file mode 100644 index 00000000000..5db83e98d8b --- /dev/null +++ b/queue-5.15/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch 
@@ -0,0 +1,53 @@ +From 2f012f2baca140c488e43d27a374029c1e59098d Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sat, 13 May 2023 19:24:28 +0900 +Subject: nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key() + +From: Ryusuke Konishi + +commit 2f012f2baca140c488e43d27a374029c1e59098d upstream. + +A syzbot fault injection test reported that nilfs_btnode_create_block, a +helper function that allocates a new node block for b-trees, causes a +kernel BUG for disk images where the file system block size is smaller +than the page size. + +This was due to unexpected flags on the newly allocated buffer head, and +it turned out to be because the buffer flags were not cleared by +nilfs_btnode_abort_change_key() after an error occurred during a b-tree +update operation and the buffer was later reused in that state. + +Fix this issue by using nilfs_btnode_delete() to abandon the unused +preallocated buffer in nilfs_btnode_abort_change_key(). + +Link: https://lkml.kernel.org/r/20230513102428.10223-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+b0a35a5c1f7e846d3b09@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/000000000000d1d6c205ebc4d512@google.com +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/btnode.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/nilfs2/btnode.c ++++ b/fs/nilfs2/btnode.c +@@ -285,6 +285,14 @@ void nilfs_btnode_abort_change_key(struc + if (nbh == NULL) { /* blocksize == pagesize */ + xa_erase_irq(&btnc->i_pages, newkey); + unlock_page(ctxt->bh->b_page); +- } else +- brelse(nbh); ++ } else { ++ /* ++ * When canceling a buffer that a prepare operation has ++ * allocated to copy a node block to another location, use ++ * nilfs_btnode_delete() to initialize and release the buffer ++ * so that the buffer flags will not be in an inconsistent ++ * state when it is reallocated. 
++ */ ++ nilfs_btnode_delete(nbh); ++ } + } diff --git a/queue-5.15/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch b/queue-5.15/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch new file mode 100644 index 00000000000..b26aee731e3 --- /dev/null +++ b/queue-5.15/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch 
@@ -0,0 +1,62 @@ +From fee5eaecca86afa544355569b831c1f90f334b85 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Wed, 24 May 2023 18:43:48 +0900 +Subject: nilfs2: fix possible out-of-bounds segment allocation in resize ioctl + +From: Ryusuke Konishi + +commit fee5eaecca86afa544355569b831c1f90f334b85 upstream. + +Syzbot reports that in its stress test for resize ioctl, the log writing +function nilfs_segctor_do_construct hits a WARN_ON in +nilfs_segctor_truncate_segments(). + +It turned out that there is a problem with the current implementation of +the resize ioctl, which changes the writable range on the device (the +range of allocatable segments) at the end of the resize process. + +This order is necessary for file system expansion to avoid corrupting the +superblock at trailing edge. However, in the case of a file system +shrink, if log writes occur after truncating out-of-bounds trailing +segments and before the resize is complete, segments may be allocated from +the truncated space. + +The userspace resize tool was fine as it limits the range of allocatable +segments before performing the resize, but it can run into this issue if +the resize ioctl is called alone. + +Fix this issue by changing nilfs_sufile_resize() to update the range of +allocatable segments immediately after successful truncation of segment +space in case of file system shrink. 
+ +Link: https://lkml.kernel.org/r/20230524094348.3784-1-konishi.ryusuke@gmail.com +Fixes: 4e33f9eab07e ("nilfs2: implement resize ioctl") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+33494cd0df2ec2931851@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/0000000000005434c405fbbafdc5@google.com +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/sufile.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/nilfs2/sufile.c ++++ b/fs/nilfs2/sufile.c +@@ -779,6 +779,15 @@ int nilfs_sufile_resize(struct inode *su + goto out_header; + + sui->ncleansegs -= nsegs - newnsegs; ++ ++ /* ++ * If the sufile is successfully truncated, immediately adjust ++ * the segment allocation space while locking the semaphore ++ * "mi_sem" so that nilfs_sufile_alloc() never allocates ++ * segments in the truncated space. ++ */ ++ sui->allocmax = newnsegs - 1; ++ sui->allocmin = 0; + } + + kaddr = kmap_atomic(header_bh->b_page); diff --git a/queue-5.15/nios2-dts-fix-tse_mac-max-frame-size-property.patch b/queue-5.15/nios2-dts-fix-tse_mac-max-frame-size-property.patch new file mode 100644 index 00000000000..53a13d28876 --- /dev/null +++ b/queue-5.15/nios2-dts-fix-tse_mac-max-frame-size-property.patch 
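Review bot: `sui->allocmax = newnsegs - 1;` wraps if newnsegs can be 0; I assume nilfs_sufile_resize rejects a zero segment count before this point (that validation is outside the hunk), but if it does not, the guard belongs here. The new comment says the update happens "while locking the semaphore mi_sem", yet the lock is not taken in the hunk, so it reads as a precondition — phrasing it as one, e.g. `/* caller holds mi_sem, so nilfs_sufile_alloc() cannot race with this update */`, would be more accurate if that is indeed where it is held. nilfs_sufile_resize starts and ends outside the hunk.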
@@ -0,0 +1,46 @@ +From 85041e12418fd0c08ff972b7729f7971afb361f8 Mon Sep 17 00:00:00 2001 +From: Janne Grunau +Date: Sun, 12 Feb 2023 13:16:32 +0100 +Subject: nios2: dts: Fix tse_mac "max-frame-size" property + +From: Janne Grunau + +commit 85041e12418fd0c08ff972b7729f7971afb361f8 upstream. + +The given value of 1518 seems to refer to the layer 2 ethernet frame +size without 802.1Q tag. Actual use of the "max-frame-size" including in +the consumer of the "altr,tse-1.0" compatible is the MTU. + +Fixes: 95acd4c7b69c ("nios2: Device tree support") +Fixes: 61c610ec61bb ("nios2: Add Max10 device tree") +Cc: +Signed-off-by: Janne Grunau +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + arch/nios2/boot/dts/10m50_devboard.dts | 2 +- + arch/nios2/boot/dts/3c120_devboard.dts | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/nios2/boot/dts/10m50_devboard.dts ++++ b/arch/nios2/boot/dts/10m50_devboard.dts +@@ -97,7 +97,7 @@ + rx-fifo-depth = <8192>; + tx-fifo-depth = <8192>; + address-bits = <48>; +- max-frame-size = <1518>; ++ max-frame-size = <1500>; + local-mac-address = [00 00 00 00 00 00]; + altr,has-supplementary-unicast; + altr,enable-sup-addr = <1>; +--- a/arch/nios2/boot/dts/3c120_devboard.dts ++++ b/arch/nios2/boot/dts/3c120_devboard.dts +@@ -106,7 +106,7 @@ + interrupt-names = "rx_irq", "tx_irq"; + rx-fifo-depth = <8192>; + tx-fifo-depth = <8192>; +- max-frame-size = <1518>; ++ max-frame-size = <1500>; + local-mac-address = [ 00 00 00 00 00 00 ]; + phy-mode = "rgmii-id"; + phy-handle = <&phy0>; diff --git a/queue-5.15/nouveau-fix-client-work-fence-deletion-race.patch b/queue-5.15/nouveau-fix-client-work-fence-deletion-race.patch new file mode 100644 index 00000000000..be9e3cfc0ce --- /dev/null +++ b/queue-5.15/nouveau-fix-client-work-fence-deletion-race.patch 
@@ -0,0 +1,60 @@ +From c8a5d5ea3ba6a18958f8d76430e4cd68eea33943 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Thu, 15 Jun 2023 12:22:11 +1000 +Subject: nouveau: fix client work fence deletion race + +From: Dave Airlie + +commit c8a5d5ea3ba6a18958f8d76430e4cd68eea33943 upstream. + +This seems to have existed for ever but is now more apparant after +commit 9bff18d13473 ("drm/ttm: use per BO cleanup workers") + +My analysis: two threads are running, one in the irq signalling the +fence, in dma_fence_signal_timestamp_locked, it has done the +DMA_FENCE_FLAG_SIGNALLED_BIT setting, but hasn't yet reached the +callbacks. + +The second thread in nouveau_cli_work_ready, where it sees the fence is +signalled, so then puts the fence, cleanups the object and frees the +work item, which contains the callback. + +Thread one goes again and tries to call the callback and causes the +use-after-free. + +Proposed fix: lock the fence signalled check in nouveau_cli_work_ready, +so either the callbacks are done or the memory is freed. 
+ +Reviewed-by: Karol Herbst +Fixes: 11e451e74050 ("drm/nouveau: remove fence wait code from deferred client work handler") +Cc: stable@vger.kernel.org +Signed-off-by: Dave Airlie +Link: https://lore.kernel.org/dri-devel/20230615024008.1600281-1-airlied@gmail.com/ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_drm.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -126,10 +126,16 @@ nouveau_name(struct drm_device *dev) + static inline bool + nouveau_cli_work_ready(struct dma_fence *fence) + { +- if (!dma_fence_is_signaled(fence)) +- return false; +- dma_fence_put(fence); +- return true; ++ bool ret = true; ++ ++ spin_lock_irq(fence->lock); ++ if (!dma_fence_is_signaled_locked(fence)) ++ ret = false; ++ spin_unlock_irq(fence->lock); ++ ++ if (ret == true) ++ dma_fence_put(fence); ++ return ret; + } + + static void diff --git a/queue-5.15/ocfs2-check-new-file-size-on-fallocate-call.patch b/queue-5.15/ocfs2-check-new-file-size-on-fallocate-call.patch new file mode 100644 index 00000000000..840c13e1bd7 --- /dev/null +++ b/queue-5.15/ocfs2-check-new-file-size-on-fallocate-call.patch 
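Review bot: `if (ret == true)` compares a bool against `true`, which kernel style avoids; `if (ret)` reads the same. The critical section can also drop its `if` by assigning the result directly, `ret = dma_fence_is_signaled_locked(fence);`, with `bool ret;` left without the `= true` initialiser since it is always assigned before use; that removes the double negation without changing behaviour — the put still only happens when the signalled check under fence->lock succeeded. nouveau_cli_work_ready is shown in full.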
@@ -0,0 +1,57 @@ +From 26a6ffff7de5dd369cdb12e38ba11db682f1dec0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lu=C3=ADs=20Henriques?= +Date: Mon, 29 May 2023 16:26:45 +0100 +Subject: ocfs2: check new file size on fallocate call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luís Henriques + +commit 26a6ffff7de5dd369cdb12e38ba11db682f1dec0 upstream. + +When changing a file size with fallocate() the new size isn't being +checked. In particular, the FSIZE ulimit isn't being checked, which makes +fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes +this issue. + +Link: https://lkml.kernel.org/r/20230529152645.32680-1-lhenriques@suse.de +Signed-off-by: Luís Henriques +Reviewed-by: Mark Fasheh +Reviewed-by: Joseph Qi +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/file.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -2103,14 +2103,20 @@ static long ocfs2_fallocate(struct file + struct ocfs2_space_resv sr; + int change_size = 1; + int cmd = OCFS2_IOC_RESVSP64; ++ int ret = 0; + + if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE)) + return -EOPNOTSUPP; + if (!ocfs2_writes_unwritten_extents(osb)) + return -EOPNOTSUPP; + +- if (mode & FALLOC_FL_KEEP_SIZE) ++ if (mode & FALLOC_FL_KEEP_SIZE) { + change_size = 0; ++ } else { ++ ret = inode_newsize_ok(inode, offset + len); ++ if (ret) ++ return ret; ++ } + + if (mode & FALLOC_FL_PUNCH_HOLE) + cmd = OCFS2_IOC_UNRESVSP64; diff --git a/queue-5.15/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch b/queue-5.15/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch new file mode 100644 index 00000000000..99f1fce5f89 --- /dev/null +++ b/queue-5.15/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch 
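Review bot: `int ret = 0;` is only read in the new else branch, where it is assigned first, so the initialiser is dead; `int ret;` at the top, or a declaration scoped inside the else block, is cleaner. `offset + len` is passed to inode_newsize_ok without an overflow check; as far as I recall vfs_fallocate already rejects negative or out-of-range sums before calling ->fallocate, so this is fine, but a short comment saying the sum is pre-validated by the VFS would save the next reader the lookup. ocfs2_fallocate starts and ends outside the hunk.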
@@ -0,0 +1,100 @@ +From 50d927880e0f90d5cb25e897e9d03e5edacc79a8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lu=C3=ADs=20Henriques?= +Date: Mon, 22 May 2023 11:21:12 +0100 +Subject: ocfs2: fix use-after-free when unmounting read-only filesystem +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luís Henriques + +commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream. + +It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using +fstest generic/452. After a read-only remount, quotas are suspended and +ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting +the filesystem, an UAF access to the oinfo will eventually cause a crash. + +BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 +Read of size 8 at addr ffff8880389a8208 by task umount/669 +... +Call Trace: + + ... + timer_delete+0x54/0xc0 + try_to_grab_pending+0x31/0x230 + __cancel_work_timer+0x6c/0x270 + ocfs2_disable_quotas.isra.0+0x3e/0xf0 [ocfs2] + ocfs2_dismount_volume+0xdd/0x450 [ocfs2] + generic_shutdown_super+0xaa/0x280 + kill_block_super+0x46/0x70 + deactivate_locked_super+0x4d/0xb0 + cleanup_mnt+0x135/0x1f0 + ... 
+ + +Allocated by task 632: + kasan_save_stack+0x1c/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x8b/0x90 + ocfs2_local_read_info+0xe3/0x9a0 [ocfs2] + dquot_load_quota_sb+0x34b/0x680 + dquot_load_quota_inode+0xfe/0x1a0 + ocfs2_enable_quotas+0x190/0x2f0 [ocfs2] + ocfs2_fill_super+0x14ef/0x2120 [ocfs2] + mount_bdev+0x1be/0x200 + legacy_get_tree+0x6c/0xb0 + vfs_get_tree+0x3e/0x110 + path_mount+0xa90/0xe10 + __x64_sys_mount+0x16f/0x1a0 + do_syscall_64+0x43/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Freed by task 650: + kasan_save_stack+0x1c/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x2a/0x50 + __kasan_slab_free+0xf9/0x150 + __kmem_cache_free+0x89/0x180 + ocfs2_local_free_info+0x2ba/0x3f0 [ocfs2] + dquot_disable+0x35f/0xa70 + ocfs2_susp_quotas.isra.0+0x159/0x1a0 [ocfs2] + ocfs2_remount+0x150/0x580 [ocfs2] + reconfigure_super+0x1a5/0x3a0 + path_mount+0xc8a/0xe10 + __x64_sys_mount+0x16f/0x1a0 + do_syscall_64+0x43/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Link: https://lkml.kernel.org/r/20230522102112.9031-1-lhenriques@suse.de +Signed-off-by: Luís Henriques +Reviewed-by: Joseph Qi +Tested-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/super.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -953,8 +953,10 @@ static void ocfs2_disable_quotas(struct + for (type = 0; type < OCFS2_MAXQUOTAS; type++) { + if (!sb_has_quota_loaded(sb, type)) + continue; +- oinfo = sb_dqinfo(sb, type)->dqi_priv; +- cancel_delayed_work_sync(&oinfo->dqi_sync_work); ++ if (!sb_has_quota_suspended(sb, type)) { ++ oinfo = sb_dqinfo(sb, type)->dqi_priv; ++ cancel_delayed_work_sync(&oinfo->dqi_sync_work); ++ } + inode = igrab(sb->s_dquot.files[type]); + /* Turn off quotas. 
This will remove all dquot structures from + * memory and so they will be automatically synced to global diff --git a/queue-5.15/powerpc-purgatory-remove-pgo-flags.patch b/queue-5.15/powerpc-purgatory-remove-pgo-flags.patch new file mode 100644 index 00000000000..3f9303179e4 --- /dev/null +++ b/queue-5.15/powerpc-purgatory-remove-pgo-flags.patch 
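Review bot: The new `sb_has_quota_suspended()` test in ocfs2_disable_quotas() stops this caller from touching the freed `oinfo`, but `sb_dqinfo(sb, type)->dqi_priv` presumably still holds the dangling pointer after ocfs2_local_free_info() releases it (the "Freed by" stack in the description shows that path), so any other reader of `dqi_priv` on a suspended type inherits the same UAF. Clearing `dqi_priv = NULL` in ocfs2_local_free_info(), outside this hunk, would turn that class of bug into a NULL dereference that KASAN-less kernels also catch. The branch should also say why it is skipped, e.g. `/* suspended quotas already freed oinfo in ocfs2_local_free_info(); nothing to cancel */`. ocfs2_disable_quotas() continues past the end of the hunk.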
@@ -0,0 +1,59 @@ +From 20188baceb7a1463dc0bcb0c8678b69c2f447df6 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Fri, 19 May 2023 16:47:38 +0200 +Subject: powerpc/purgatory: remove PGO flags + +From: Ricardo Ribalda + +commit 20188baceb7a1463dc0bcb0c8678b69c2f447df6 upstream. + +If profile-guided optimization is enabled, the purgatory ends up with +multiple .text sections. This is not supported by kexec and crashes the +system. + +Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-3-b05c520b7296@chromium.org +Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory") +Signed-off-by: Ricardo Ribalda +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Christophe Leroy +Cc: +Cc: Albert Ou +Cc: Baoquan He +Cc: Borislav Petkov (AMD) +Cc: Dave Hansen +Cc: Dave Young +Cc: Eric W. Biederman +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Palmer Dabbelt +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Philipp Rudo +Cc: Ross Zwisler +Cc: Simon Horman +Cc: Steven Rostedt (Google) +Cc: Thomas Gleixner +Cc: Tom Rix +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/purgatory/Makefile | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/powerpc/purgatory/Makefile ++++ b/arch/powerpc/purgatory/Makefile +@@ -4,6 +4,11 @@ KASAN_SANITIZE := n + + targets += trampoline_$(BITS).o purgatory.ro kexec-purgatory.c + ++# When profile-guided optimization is enabled, llvm emits two different ++# overlapping text sections, which is not supported by kexec. Remove profile ++# optimization flags. ++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS)) ++ + LDFLAGS_purgatory.ro := -e purgatory_start -r --no-undefined + + $(obj)/purgatory.ro: $(obj)/trampoline_$(BITS).o FORCE 
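Review bot: The `filter-out` in arch/powerpc/purgatory/Makefile only removes `-fprofile-sample-use=<path>` and `-fprofile-use=<path>`; a bare `-fprofile-use` (which GCC accepts) or clang's `-fprofile-instr-use=<path>` would not match either pattern and would reach the purgatory, reintroducing the multi-.text failure the comment describes. Widening the list is cheap: `KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use -fprofile-use=% -fprofile-instr-use=%,$(KBUILD_CFLAGS))`. Whether the top-level build ever emits those spellings depends on the kernel Makefile, which is not visible here, and the x86 purgatory Makefile carries the same filter so both should stay in step.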
diff --git a/queue-5.15/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch b/queue-5.15/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch
new file mode 100644
index 00000000000..0490a9678e5
--- /dev/null
+++ b/queue-5.15/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch
@@ -0,0 +1,43 @@
+From 0cadb4db79e1d9eea66711c4031e435c2191907e Mon Sep 17 00:00:00 2001
+From: Edward Srouji
+Date: Mon, 5 Jun 2023 13:33:24 +0300
+Subject: RDMA/uverbs: Restrict usage of privileged QKEYs
+
+From: Edward Srouji
+
+commit 0cadb4db79e1d9eea66711c4031e435c2191907e upstream.
+
+According to the IB specification rel-1.6, section 3.5.3:
+"QKEYs with the most significant bit set are considered controlled
+QKEYs, and a HCA does not allow a consumer to arbitrarily specify a
+controlled QKEY."
+
+Thus, block non-privileged users from setting such a QKEY.
+
+Cc: stable@vger.kernel.org
+Fixes: bc38a6abdd5a ("[PATCH] IB uverbs: core implementation")
+Signed-off-by: Edward Srouji
+Link: https://lore.kernel.org/r/c00c809ddafaaf87d6f6cb827978670989a511b3.1685960567.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/uverbs_cmd.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1851,8 +1851,13 @@ static int modify_qp(struct uverbs_attr_
+ attr->path_mtu = cmd->base.path_mtu;
+ if (cmd->base.attr_mask & IB_QP_PATH_MIG_STATE)
+ attr->path_mig_state = cmd->base.path_mig_state;
+- if (cmd->base.attr_mask & IB_QP_QKEY)
++ if (cmd->base.attr_mask & IB_QP_QKEY) {
++ if (cmd->base.qkey & IB_QP_SET_QKEY && !capable(CAP_NET_RAW)) {
++ ret = -EPERM;
++ goto release_qp;
++ }
+ attr->qkey = cmd->base.qkey;
++ }
+ if (cmd->base.attr_mask & IB_QP_RQ_PSN)
+ attr->rq_psn = cmd->base.rq_psn;
+ if (cmd->base.attr_mask & IB_QP_SQ_PSN)
diff --git a/queue-5.15/series b/queue-5.15/series
index 23956cf9326..906a5202e71 100644
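Review bot: `cmd->base.qkey & IB_QP_SET_QKEY && !capable(CAP_NET_RAW)` in modify_qp() relies on `&` binding tighter than `&&`; that is correct C, but it is exactly the mix that -Wparentheses flags and that a reader has to stop and check, so spell it `if ((cmd->base.qkey & IB_QP_SET_QKEY) && !capable(CAP_NET_RAW))`. Reusing `IB_QP_SET_QKEY` as the "controlled QKEY" mask also leaves the intent implicit — the spec text quoted in the description is about the most significant bit, so either a dedicated named constant or a comment such as `/* MSB set == controlled QKEY (IB spec 3.5.3): privileged only */` on the test would document why this bit and this capability; the constant's definition is not visible here, so its value is inferred. modify_qp() continues outside the hunk, and I cannot see from here whether any other uverbs path can populate `attr->qkey` and would need the same gate.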
--- a/queue-5.15/series +++ b/queue-5.15/series @@ -30,3 +30,23 @@ xen-blkfront-only-check-req_fua-for-writes.patch drm-amd-amdgpu-fix-missing-buffer-object-unlock-in-f.patch nvme-add-maxio-1602-to-bogus-nid-list.patch irqchip-gic-correctly-validate-of-quirk-descriptors.patch +io_uring-hold-uring-mutex-around-poll-removal.patch +wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch +wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch +epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch +ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch +ocfs2-check-new-file-size-on-fallocate-call.patch +nios2-dts-fix-tse_mac-max-frame-size-property.patch +nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch +nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch +kexec-support-purgatories-with-.text.hot-sections.patch +x86-purgatory-remove-pgo-flags.patch +powerpc-purgatory-remove-pgo-flags.patch +alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch +dm-thin-metadata-check-fail_io-before-using-data_sm.patch +nouveau-fix-client-work-fence-deletion-race.patch +rdma-uverbs-restrict-usage-of-privileged-qkeys.patch +net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch +drm-amd-display-edp-do-not-add-non-edid-timings.patch +drm-amdgpu-add-missing-radeon-secondary-pci-id.patch +alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch diff --git a/queue-5.15/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch b/queue-5.15/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch new file mode 100644 index 00000000000..35124f56d62 --- /dev/null +++ b/queue-5.15/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch 
@@ -0,0 +1,34 @@
+From 996c3117dae4c02b38a3cb68e5c2aec9d907ec15 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 9 Jun 2023 13:48:44 +0300
+Subject: wifi: cfg80211: fix double lock bug in reg_wdev_chan_valid()
+
+From: Dan Carpenter
+
+commit 996c3117dae4c02b38a3cb68e5c2aec9d907ec15 upstream.
+
+The locking was changed recently so now the caller holds the wiphy_lock()
+lock. Taking the lock inside the reg_wdev_chan_valid() function will
+lead to a deadlock.
+
+Fixes: f7e60032c661 ("wifi: cfg80211: fix locking in regulatory disconnect")
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/40c4114a-6cb4-4abf-b013-300b598aba65@moroto.mountain
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/reg.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2398,9 +2398,7 @@ static bool reg_wdev_chan_valid(struct w
+ case NL80211_IFTYPE_AP:
+ case NL80211_IFTYPE_P2P_GO:
+ case NL80211_IFTYPE_ADHOC:
+- wiphy_lock(wiphy);
+ ret = cfg80211_reg_can_beacon_relax(wiphy, &chandef, iftype);
+- wiphy_unlock(wiphy);
+ 
+ return ret;
+ case NL80211_IFTYPE_STATION:
diff --git a/queue-5.15/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch b/queue-5.15/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch
new file mode 100644
index 00000000000..35124f56d62
--- /dev/null
+++ b/queue-5.15/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch
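Review bot: With the wiphy_lock()/wiphy_unlock() pair removed, reg_wdev_chan_valid() now silently depends on its caller holding the wiphy mutex, and nothing in the function records or enforces that; adding `lockdep_assert_wiphy(wiphy);` at the top of the function (if this tree has the macro, otherwise at least `/* caller must hold wiphy_lock() */`) turns the next missing-lock or double-lock regression into a lockdep splat rather than a hang. The blank line left between `ret = cfg80211_reg_can_beacon_relax(...)` and `return ret;` is now orphaned and can go. Only the AP/P2P_GO/ADHOC arm is visible; the function starts and ends outside the hunk, so I cannot see whether the other iftype arms still take the lock themselves.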
@@ -0,0 +1,36 @@
+From f7e60032c6618dfd643c7210d5cba2789e2de2e2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 6 Jun 2023 14:34:48 +0200
+Subject: wifi: cfg80211: fix locking in regulatory disconnect
+
+From: Johannes Berg
+
+commit f7e60032c6618dfd643c7210d5cba2789e2de2e2 upstream.
+
+This should use wiphy_lock() now instead of requiring the
+RTNL, since __cfg80211_leave() via cfg80211_leave() is now
+requiring that lock to be held.
+
+Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver")
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/reg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2423,11 +2423,11 @@ static void reg_leave_invalid_chans(stru
+ struct wireless_dev *wdev;
+ struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+ 
+- ASSERT_RTNL();
+-
++ wiphy_lock(wiphy);
+ list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list)
+ if (!reg_wdev_chan_valid(wiphy, wdev))
+ cfg80211_leave(rdev, wdev);
++ wiphy_unlock(wiphy);
+ }
+ 
+ static void reg_check_chans_work(struct work_struct *work)
diff --git a/queue-5.15/x86-purgatory-remove-pgo-flags.patch b/queue-5.15/x86-purgatory-remove-pgo-flags.patch
new file mode 100644
index 00000000000..450ccc0f5fc
--- /dev/null
+++ b/queue-5.15/x86-purgatory-remove-pgo-flags.patch
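Review bot: Dropping `ASSERT_RTNL()` from reg_leave_invalid_chans() removes the only statement of the fact that this function still runs under RTNL; the `wdev_list` walk and the lock order being taken here (RTNL outer, wiphy mutex inner) both presume the caller, reg_check_chans_work() outside the hunk, still holds RTNL, so keeping the assertion next to the new lock — `ASSERT_RTNL();` followed by `wiphy_lock(wiphy);` — costs nothing and preserves that invariant for the next reader. Separately, in this queue the companion patch that removes the inner wiphy_lock() from reg_wdev_chan_valid() is listed after this one, so the tree between the two commits deadlocks on this path; for a stable series it is worth confirming both land together or are squashed.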
@@ -0,0 +1,59 @@ +From 97b6b9cbba40a21c1d9a344d5c1991f8cfbf136e Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Fri, 19 May 2023 16:47:37 +0200 +Subject: x86/purgatory: remove PGO flags + +From: Ricardo Ribalda + +commit 97b6b9cbba40a21c1d9a344d5c1991f8cfbf136e upstream. + +If profile-guided optimization is enabled, the purgatory ends up with +multiple .text sections. This is not supported by kexec and crashes the +system. + +Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-2-b05c520b7296@chromium.org +Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory") +Signed-off-by: Ricardo Ribalda +Cc: +Cc: Albert Ou +Cc: Baoquan He +Cc: Borislav Petkov (AMD) +Cc: Christophe Leroy +Cc: Dave Hansen +Cc: Dave Young +Cc: Eric W. Biederman +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Michael Ellerman +Cc: Nathan Chancellor +Cc: Nicholas Piggin +Cc: Nick Desaulniers +Cc: Palmer Dabbelt +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Philipp Rudo +Cc: Ross Zwisler +Cc: Simon Horman +Cc: Steven Rostedt (Google) +Cc: Thomas Gleixner +Cc: Tom Rix +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/purgatory/Makefile | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/purgatory/Makefile ++++ b/arch/x86/purgatory/Makefile +@@ -14,6 +14,11 @@ $(obj)/sha256.o: $(srctree)/lib/crypto/s + + CFLAGS_sha256.o := -D__DISABLE_EXPORTS + ++# When profile-guided optimization is enabled, llvm emits two different ++# overlapping text sections, which is not supported by kexec. Remove profile ++# optimization flags. ++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS)) ++ + # When linking purgatory.ro with -r unresolved symbols are not checked, + # also link a purgatory.chk binary without -r to check for unresolved symbols. + PURGATORY_LDFLAGS := -e purgatory_start -nostdlib -z nodefaultlib
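Review bot: The `filter-out` in arch/x86/purgatory/Makefile matches only `-fprofile-sample-use=<path>` and `-fprofile-use=<path>`, so a bare `-fprofile-use` or clang's `-fprofile-instr-use=<path>` would still be passed to the purgatory objects and reproduce the multi-.text breakage the comment describes; `KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use -fprofile-use=% -fprofile-instr-use=%,$(KBUILD_CFLAGS))` closes those spellings. Instrumentation flags (`-fprofile-generate`, `-fprofile-instr-generate`) are also not filtered; if they ever reach this freestanding binary they should at least surface as unresolved profiling-runtime symbols in the purgatory.chk link described just below the hunk, but that is an inference from the comment, not something visible here. The powerpc purgatory Makefile in this queue carries an identical filter, so the two lists should be kept in step.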