From: Sasha Levin Date: Tue, 24 Jan 2023 11:22:01 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v5.10.166~94 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1206807efb448c86e69670e0af165152c9222683;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/affs-initialize-fsdata-in-affs_truncate.patch b/queue-4.14/affs-initialize-fsdata-in-affs_truncate.patch new file mode 100644 index 00000000000..50de8819a34 --- /dev/null +++ b/queue-4.14/affs-initialize-fsdata-in-affs_truncate.patch @@ -0,0 +1,40 @@ +From 3be7a9572dd41f0115fb5fcfd83b53363f98da55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 13:49:30 +0100 +Subject: affs: initialize fsdata in affs_truncate() + +From: Alexander Potapenko + +[ Upstream commit eef034ac6690118c88f357b00e2b3239c9d8575d ] + +When aops->write_begin() does not initialize fsdata, KMSAN may report +an error passing the latter to aops->write_end(). + +Fix this by unconditionally initializing fsdata. + +Fixes: f2b6a16eb8f5 ("fs: affs convert to new aops") +Suggested-by: Eric Biggers +Signed-off-by: Alexander Potapenko +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/affs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/affs/file.c b/fs/affs/file.c +index ba084b0b214b..82bb38370aa9 100644 +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -878,7 +878,7 @@ affs_truncate(struct inode *inode) + if (inode->i_size > AFFS_I(inode)->mmu_private) { + struct address_space *mapping = inode->i_mapping; + struct page *page; +- void *fsdata; ++ void *fsdata = NULL; + loff_t isize = inode->i_size; + int res; + +-- +2.39.0 + diff --git a/queue-4.14/amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch b/queue-4.14/amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch new file mode 100644 index 00000000000..925bd954304 --- /dev/null 
+++ b/queue-4.14/amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch 
@@ -0,0 +1,89 @@ +From 7b8ac0d55eaee9c1751b732410c382991a1c6989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:58:51 +0530 +Subject: amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent + +From: Raju Rangoju + +[ Upstream commit 579923d84b04abb6cd4cd1fd9974096a2dd1832b ] + +There is difference in the TX Flow Control registers (TFCR) between the +revisions of the hardware. The older revisions of hardware used to have +single register per queue. Whereas, the newer revision of hardware (from +ver 30H onwards) have one register per priority. + +Update the driver to use the TFCR based on the reported version of the +hardware. + +Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver") +Co-developed-by: Ajith Nayak +Signed-off-by: Ajith Nayak +Signed-off-by: Raju Rangoju +Acked-by: Shyam Sundar S K +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +index 1e4bb33925e6..39d4df40700f 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +@@ -523,19 +523,28 @@ static void xgbe_disable_vxlan(struct xgbe_prv_data *pdata) + netif_dbg(pdata, drv, pdata->netdev, "VXLAN acceleration disabled\n"); + } + ++static unsigned int xgbe_get_fc_queue_count(struct xgbe_prv_data *pdata) ++{ ++ unsigned int max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES; ++ ++ /* From MAC ver 30H the TFCR is per priority, instead of per queue */ ++ if (XGMAC_GET_BITS(pdata->hw_feat.version, MAC_VR, SNPSVER) >= 0x30) ++ return max_q_count; ++ else ++ return min_t(unsigned int, pdata->tx_q_count, max_q_count); ++} ++ + static int xgbe_disable_tx_flow_control(struct xgbe_prv_data *pdata) + { +- unsigned int max_q_count, q_count; + unsigned int reg, reg_val; +- unsigned int i; ++ unsigned int i, 
q_count; + + /* Clear MTL flow control */ + for (i = 0; i < pdata->rx_q_count; i++) + XGMAC_MTL_IOWRITE_BITS(pdata, i, MTL_Q_RQOMR, EHFC, 0); + + /* Clear MAC flow control */ +- max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES; +- q_count = min_t(unsigned int, pdata->tx_q_count, max_q_count); ++ q_count = xgbe_get_fc_queue_count(pdata); + reg = MAC_Q0TFCR; + for (i = 0; i < q_count; i++) { + reg_val = XGMAC_IOREAD(pdata, reg); +@@ -552,9 +561,8 @@ static int xgbe_enable_tx_flow_control(struct xgbe_prv_data *pdata) + { + struct ieee_pfc *pfc = pdata->pfc; + struct ieee_ets *ets = pdata->ets; +- unsigned int max_q_count, q_count; + unsigned int reg, reg_val; +- unsigned int i; ++ unsigned int i, q_count; + + /* Set MTL flow control */ + for (i = 0; i < pdata->rx_q_count; i++) { +@@ -578,8 +586,7 @@ static int xgbe_enable_tx_flow_control(struct xgbe_prv_data *pdata) + } + + /* Set MAC flow control */ +- max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES; +- q_count = min_t(unsigned int, pdata->tx_q_count, max_q_count); ++ q_count = xgbe_get_fc_queue_count(pdata); + reg = MAC_Q0TFCR; + for (i = 0; i < q_count; i++) { + reg_val = XGMAC_IOREAD(pdata, reg); +-- +2.39.0 + diff --git a/queue-4.14/arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch b/queue-4.14/arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch new file mode 100644 index 00000000000..bb7fa84070b --- /dev/null +++ b/queue-4.14/arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch 
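Review bot: `xgbe_get_fc_queue_count()` encodes the hardware-version threshold as a bare `0x30` and follows a `return` with an `else`, which hides the one fact the helper exists for; a named constant for the "per-priority TFCR from ver 30H" boundary and a flat early return would make the dependency self-documenting, e.g. `if (XGMAC_GET_BITS(pdata->hw_feat.version, MAC_VR, SNPSVER) >= 0x30)` `return max_q_count;` followed directly by `return min_t(unsigned int, pdata->tx_q_count, max_q_count);`. The register loops in both callers continue past the hunk, so whether `XGMAC_MAX_FLOW_CONTROL_QUEUES` matches the per-priority register count on the newer revisions cannot be confirmed from what is visible here.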
@@ -0,0 +1,48 @@ +From 4c4f56dfcf1e5cb20fc347ac66d0cbf31960ab1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 17:22:59 -0300 +Subject: ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' + +From: Fabio Estevam + +[ Upstream commit 9dfbc72256b5de608ad10989bcbafdbbd1ac8d4e ] + +The following build warning is seen when running: + +make dtbs_check DT_SCHEMA_FILES=fsl-imx-uart.yaml + +arch/arm/boot/dts/imx6dl-gw560x.dtb: serial@2020000: rts-gpios: False schema does not allow [[20, 1, 0]] + From schema: Documentation/devicetree/bindings/serial/fsl-imx-uart.yaml + +The imx6qdl-gw560x board does not expose the UART RTS and CTS +as native UART pins, so 'uart-has-rtscts' should not be used. + +Using 'uart-has-rtscts' with 'rts-gpios' is an invalid combination +detected by serial.yaml. + +Fix the problem by removing the incorrect 'uart-has-rtscts' property. + +Fixes: b8a559feffb2 ("ARM: dts: imx: add Gateworks Ventana GW5600 support") +Signed-off-by: Fabio Estevam +Acked-by: Tim Harvey +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qdl-gw560x.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6qdl-gw560x.dtsi b/arch/arm/boot/dts/imx6qdl-gw560x.dtsi +index d894dde6e85d..b2fc09fec2be 100644 +--- a/arch/arm/boot/dts/imx6qdl-gw560x.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-gw560x.dtsi +@@ -462,7 +462,6 @@ &ssi1 { + &uart1 { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_uart1>; +- uart-has-rtscts; + rts-gpios = <&gpio7 1 GPIO_ACTIVE_HIGH>; + status = "okay"; + }; +-- +2.39.0 + diff --git a/queue-4.14/dmaengine-fix-double-increment-of-client_count-in-dm.patch b/queue-4.14/dmaengine-fix-double-increment-of-client_count-in-dm.patch new file mode 100644 index 00000000000..51fa542e3ce --- /dev/null +++ b/queue-4.14/dmaengine-fix-double-increment-of-client_count-in-dm.patch 
@@ -0,0 +1,126 @@ +From 6ab2ade6f5b3d7f195a85bfaf7104a99b761cb56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 11:00:50 +0800 +Subject: dmaengine: Fix double increment of client_count in dma_chan_get() + +From: Koba Ko + +[ Upstream commit f3dc1b3b4750851a94212dba249703dd0e50bb20 ] + +The first time dma_chan_get() is called for a channel the channel +client_count is incorrectly incremented twice for public channels, +first in balance_ref_count(), and again prior to returning. This +results in an incorrect client count which will lead to the +channel resources not being freed when they should be. A simple + test of repeated module load and unload of async_tx on a Dell + Power Edge R7425 also shows this resulting in a kref underflow + warning. + +[ 124.329662] async_tx: api initialized (async) +[ 129.000627] async_tx: api initialized (async) +[ 130.047839] ------------[ cut here ]------------ +[ 130.052472] refcount_t: underflow; use-after-free. +[ 130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28 +refcount_warn_saturate+0xba/0x110 +[ 130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr +intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm +mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si +syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops +k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat +fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul +libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas +i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash +dm_log dm_mod [last unloaded: async_tx] +[ 130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not +tainted 5.14.0-185.el9.x86_64 #1 +[ 130.126091] Hardware name: Dell Inc. 
PowerEdge R7425/02MJ3T, BIOS +1.18.0 01/17/2022 +[ 130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110 +[ 130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d +26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a +bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff +48 c7 +[ 130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286 +[ 130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000 +[ 130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0 +[ 130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff +[ 130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970 +[ 130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 130.198739] FS: 00007f646435c740(0000) GS:ffff9daf9de00000(0000) +knlGS:0000000000000000 +[ 130.206832] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0 +[ 130.219729] Call Trace: +[ 130.222192] +[ 130.224305] dma_chan_put+0x10d/0x110 +[ 130.227988] dmaengine_put+0x7a/0xa0 +[ 130.231575] __do_sys_delete_module.constprop.0+0x178/0x280 +[ 130.237157] ? syscall_trace_enter.constprop.0+0x145/0x1d0 +[ 130.242652] do_syscall_64+0x5c/0x90 +[ 130.246240] ? 
exc_page_fault+0x62/0x150 +[ 130.250178] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 130.255243] RIP: 0033:0x7f6463a3f5ab +[ 130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 +83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 +00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 +01 48 +[ 130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX: +00000000000000b0 +[ 130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab +[ 130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8 +[ 130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000 +[ 130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8 +[ 130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8 +[ 130.320875] +[ 130.323081] ---[ end trace eff7156d56b5cf25 ]--- + +cat /sys/class/dma/dma0chan*/in_use would get the wrong result. +2 +2 +2 + +Fixes: d2f4f99db3e9 ("dmaengine: Rework dma_chan_get") +Signed-off-by: Koba Ko +Reviewed-by: Jie Hai +Test-by: Jie Hai +Reviewed-by: Jerry Snitselaar +Reviewed-by: Dave Jiang +Tested-by: Joel Savitz +Link: https://lore.kernel.org/r/20221201030050.978595-1-koba.ko@canonical.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmaengine.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c +index faaaf10311ec..ef93045d7d7f 100644 +--- a/drivers/dma/dmaengine.c ++++ b/drivers/dma/dmaengine.c +@@ -225,7 +225,8 @@ static int dma_chan_get(struct dma_chan *chan) + /* The channel is already in use, update client count */ + if (chan->client_count) { + __module_get(owner); +- goto out; ++ chan->client_count++; ++ return 0; + } + + if (!try_module_get(owner)) +@@ -238,11 +239,11 @@ static int dma_chan_get(struct dma_chan *chan) + goto err_out; + } + ++ chan->client_count++; ++ + if (!dma_has_cap(DMA_PRIVATE, 
chan->device->cap_mask)) + balance_ref_count(chan); + +-out: +- chan->client_count++; + return 0; + + err_out: +-- +2.39.0 + diff --git a/queue-4.14/edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch b/queue-4.14/edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch new file mode 100644 index 00000000000..577ad9edaf0 --- /dev/null +++ b/queue-4.14/edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch 
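Review bot: The whole fix is the ordering of `chan->client_count++;` ahead of `balance_ref_count(chan);`, yet nothing in the code records why the increment must come first, so a later cleanup could reintroduce the double count. A comment at the moved line would protect it: `/* Count this client before balancing: balance_ref_count() only tops client_count up to dmaengine_ref_count, so incrementing afterwards double-counts */`. The top-up behaviour is taken from the commit message — balance_ref_count()'s body and the head of dma_chan_get() are outside the hunk.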
@@ -0,0 +1,54 @@ +From a744560fc2f6d4a58a29b5636a4a6aded25c4b39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Dec 2022 09:48:24 +0400 +Subject: EDAC/highbank: Fix memory leak in highbank_mc_probe() + +From: Miaoqian Lin + +[ Upstream commit e7a293658c20a7945014570e1921bf7d25d68a36 ] + +When devres_open_group() fails, it returns -ENOMEM without freeing memory +allocated by edac_mc_alloc(). + +Call edac_mc_free() on the error handling path to avoid a memory leak. + + [ bp: Massage commit message. ] + +Fixes: a1b01edb2745 ("edac: add support for Calxeda highbank memory controller") +Signed-off-by: Miaoqian Lin +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Andre Przywara +Link: https://lore.kernel.org/r/20221229054825.1361993-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/edac/highbank_mc_edac.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/edac/highbank_mc_edac.c b/drivers/edac/highbank_mc_edac.c +index 6092e61be605..bcf41601a977 100644 +--- a/drivers/edac/highbank_mc_edac.c ++++ b/drivers/edac/highbank_mc_edac.c +@@ -185,8 +185,10 @@ static int highbank_mc_probe(struct platform_device *pdev) + drvdata = mci->pvt_info; + platform_set_drvdata(pdev, mci); + +- if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL)) +- return -ENOMEM; ++ if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL)) { ++ res = -ENOMEM; ++ goto free; ++ } + + r = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!r) { +@@ -254,6 +256,7 @@ static int highbank_mc_probe(struct platform_device *pdev) + edac_mc_del_mc(&pdev->dev); + err: + devres_release_group(&pdev->dev, NULL); ++free: + edac_mc_free(mci); + return res; + } +-- +2.39.0 + diff --git a/queue-4.14/hid-betop-check-shape-of-output-reports.patch b/queue-4.14/hid-betop-check-shape-of-output-reports.patch new file mode 100644 index 00000000000..dd271ac453f --- /dev/null +++ b/queue-4.14/hid-betop-check-shape-of-output-reports.patch 
@@ -0,0 +1,68 @@ +From c6972643336dacfda195b9b670814c2b7107b244 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 18:12:16 +0000 +Subject: HID: betop: check shape of output reports + +From: Pietro Borrello + +[ Upstream commit 3782c0d6edf658b71354a64d60aa7a296188fc90 ] + +betopff_init() only checks the total sum of the report counts for each +report field to be at least 4, but hid_betopff_play() expects 4 report +fields. +A device advertising an output report with one field and 4 report counts +would pass the check but crash the kernel with a NULL pointer dereference +in hid_betopff_play(). + +Fixes: 52cd7785f3cd ("HID: betop: add drivers/hid/hid-betopff.c") +Signed-off-by: Pietro Borrello +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-betopff.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c +index 9b60efe6ec44..ba386e5aa055 100644 +--- a/drivers/hid/hid-betopff.c ++++ b/drivers/hid/hid-betopff.c +@@ -63,7 +63,6 @@ static int betopff_init(struct hid_device *hid) + struct list_head *report_list = + &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev; +- int field_count = 0; + int error; + int i, j; + +@@ -89,19 +88,21 @@ static int betopff_init(struct hid_device *hid) + * ----------------------------------------- + * Do init them with default value. 
+ */ ++ if (report->maxfield < 4) { ++ hid_err(hid, "not enough fields in the report: %d\n", ++ report->maxfield); ++ return -ENODEV; ++ } + for (i = 0; i < report->maxfield; i++) { ++ if (report->field[i]->report_count < 1) { ++ hid_err(hid, "no values in the field\n"); ++ return -ENODEV; ++ } + for (j = 0; j < report->field[i]->report_count; j++) { + report->field[i]->value[j] = 0x00; +- field_count++; + } + } + +- if (field_count < 4) { +- hid_err(hid, "not enough fields in the report: %d\n", +- field_count); +- return -ENODEV; +- } +- + betopff = kzalloc(sizeof(*betopff), GFP_KERNEL); + if (!betopff) + return -ENOMEM; +-- +2.39.0 + diff --git a/queue-4.14/hid-check-empty-report_list-in-hid_validate_values.patch b/queue-4.14/hid-check-empty-report_list-in-hid_validate_values.patch new file mode 100644 index 00000000000..9b08894f8f1 --- /dev/null +++ b/queue-4.14/hid-check-empty-report_list-in-hid_validate_values.patch 
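Review bot: The new `no values in the field` error omits which field is empty, while the `maxfield` message just above reports the offending count; `hid_err(hid, "no values in field %d\n", i);` would keep the two diagnostics consistent and make a rejected device easier to identify from the log. `report` is selected from `report_list` before this hunk and betopff_init() continues past it, so how the output report is chosen is not visible here.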
@@ -0,0 +1,42 @@ +From c3c78cd38cb5b1ae45a0c8b0f40dd7d12a7249ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jan 2023 11:11:24 +0000 +Subject: HID: check empty report_list in hid_validate_values() + +From: Pietro Borrello + +[ Upstream commit b12fece4c64857e5fab4290bf01b2e0317a88456 ] + +Add a check for empty report_list in hid_validate_values(). +The missing check causes a type confusion when issuing a list_entry() +on an empty report_list. +The problem is caused by the assumption that the device must +have valid report_list. While this will be true for all normal HID +devices, a suitably malicious device can violate the assumption. + +Fixes: 1b15d2e5b807 ("HID: core: fix validation of report id 0") +Signed-off-by: Pietro Borrello +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index a3debe38d2c7..ab78c1e6f37d 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -984,8 +984,8 @@ struct hid_report *hid_validate_values(struct hid_device *hid, + * Validating on id 0 means we should examine the first + * report in the list. + */ +- report = list_entry( +- hid->report_enum[type].report_list.next, ++ report = list_first_entry_or_null( ++ &hid->report_enum[type].report_list, + struct hid_report, list); + } else { + report = hid->report_enum[type].report_id_hash[id]; +-- +2.39.0 + diff --git a/queue-4.14/hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch b/queue-4.14/hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch new file mode 100644 index 00000000000..7bffdf64433 --- /dev/null +++ b/queue-4.14/hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch 
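Review bot: `list_first_entry_or_null()` can now leave `report` NULL, and the hunk ends before `report` is used, so the change is only safe if an `if (!report)` test follows the if/else in hid_validate_values(); upstream has such a check immediately after this block, but the 4.14 version of the function is outside view. Worth confirming the backported tree rejects a NULL `report` before the first `report->` access rather than relying on the `report_id_hash` branch's existing handling.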
@@ -0,0 +1,53 @@ +From 2c43b9ab13a45b52c9336c3f32f52eae91c52f99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 21:48:23 +0800 +Subject: HID: intel_ish-hid: Add check for ishtp_dma_tx_map + +From: Jiasheng Jiang + +[ Upstream commit b3d40c3ec3dc4ad78017de6c3a38979f57aaaab8 ] + +As the kcalloc may return NULL pointer, +it should be better to check the ishtp_dma_tx_map +before use in order to avoid NULL pointer dereference. + +Fixes: 3703f53b99e4 ("HID: intel_ish-hid: ISH Transport layer") +Signed-off-by: Jiasheng Jiang +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp/dma-if.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/hid/intel-ish-hid/ishtp/dma-if.c b/drivers/hid/intel-ish-hid/ishtp/dma-if.c +index 2783f3666114..ff4419c8ed4f 100644 +--- a/drivers/hid/intel-ish-hid/ishtp/dma-if.c ++++ b/drivers/hid/intel-ish-hid/ishtp/dma-if.c +@@ -113,6 +113,11 @@ void *ishtp_cl_get_dma_send_buf(struct ishtp_device *dev, + int required_slots = (size / DMA_SLOT_SIZE) + + 1 * (size % DMA_SLOT_SIZE != 0); + ++ if (!dev->ishtp_dma_tx_map) { ++ dev_err(dev->devc, "Fail to allocate Tx map\n"); ++ return NULL; ++ } ++ + spin_lock_irqsave(&dev->ishtp_dma_tx_lock, flags); + for (i = 0; i <= (dev->ishtp_dma_num_slots - required_slots); i++) { + free = 1; +@@ -159,6 +164,11 @@ void ishtp_cl_release_dma_acked_mem(struct ishtp_device *dev, + return; + } + ++ if (!dev->ishtp_dma_tx_map) { ++ dev_err(dev->devc, "Fail to allocate Tx map\n"); ++ return; ++ } ++ + i = (msg_addr - dev->ishtp_host_dma_tx_buf) / DMA_SLOT_SIZE; + spin_lock_irqsave(&dev->ishtp_dma_tx_lock, flags); + for (j = 0; j < acked_slots; j++) { +-- +2.39.0 + diff --git a/queue-4.14/ib-hfi1-reject-a-zero-length-user-expected-buffer.patch b/queue-4.14/ib-hfi1-reject-a-zero-length-user-expected-buffer.patch new file mode 100644 index 00000000000..e56a447c569 --- /dev/null 
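Review bot: Both new guards log `Fail to allocate Tx map` on every call while the map is missing, but neither function allocates anything — the message describes an earlier `kcalloc` failure (per the commit message) and will repeat for each send or release attempt. A message describing the actual state, e.g. `dev_err(dev->devc, "Tx DMA map not allocated\n");`, optionally via `dev_err_ratelimited()`, would be clearer and avoid flooding the log. Both ishtp_cl_get_dma_send_buf() and ishtp_cl_release_dma_acked_mem() continue outside the hunk.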
+++ b/queue-4.14/ib-hfi1-reject-a-zero-length-user-expected-buffer.patch @@ -0,0 +1,39 @@ +From 6d649e45e6a8ef960950d246aeacbf8b5d7608fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 12:31:11 -0500 +Subject: IB/hfi1: Reject a zero-length user expected buffer + +From: Dean Luick + +[ Upstream commit 0a0a6e80472c98947d73c3d13bcd7d101895f55d ] + +A zero length user buffer makes no sense and the code +does not handle it correctly. Instead, reject a +zero length as invalid. + +Fixes: 97736f36dbeb ("IB/hfi1: Validate page aligned for a given virtual addres") +Signed-off-by: Dean Luick +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/167328547120.1472310.6362802432127399257.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +index c6d085e1c10d..056ffab86a06 100644 +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -323,6 +323,8 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + + if (!PAGE_ALIGNED(tinfo->vaddr)) + return -EINVAL; ++ if (tinfo->length == 0) ++ return -EINVAL; + + tidbuf = kzalloc(sizeof(*tidbuf), GFP_KERNEL); + if (!tidbuf) +-- +2.39.0 + diff --git a/queue-4.14/ib-hfi1-reserve-user-expected-tids.patch b/queue-4.14/ib-hfi1-reserve-user-expected-tids.patch new file mode 100644 index 00000000000..45efba98cdd --- /dev/null +++ b/queue-4.14/ib-hfi1-reserve-user-expected-tids.patch 
@@ -0,0 +1,63 @@ +From 065842730328ae00d711b394813e8276a5cb091f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 12:31:16 -0500 +Subject: IB/hfi1: Reserve user expected TIDs + +From: Dean Luick + +[ Upstream commit ecf91551cdd2925ed6d9a9d99074fa5f67b90596 ] + +To avoid a race, reserve the number of user expected +TIDs before setup. + +Fixes: 7e7a436ecb6e ("staging/hfi1: Add TID entry program function body") +Signed-off-by: Dean Luick +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/167328547636.1472310.7419712824785353905.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +index 056ffab86a06..b17c1fc59f7e 100644 +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -349,16 +349,13 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + /* Find sets of physically contiguous pages */ + tidbuf->n_psets = find_phys_blocks(tidbuf, pinned); + +- /* +- * We don't need to access this under a lock since tid_used is per +- * process and the same process cannot be in hfi1_user_exp_rcv_clear() +- * and hfi1_user_exp_rcv_setup() at the same time. +- */ ++ /* Reserve the number of expected tids to be used. 
*/ + spin_lock(&fd->tid_lock); + if (fd->tid_used + tidbuf->n_psets > fd->tid_limit) + pageset_count = fd->tid_limit - fd->tid_used; + else + pageset_count = tidbuf->n_psets; ++ fd->tid_used += pageset_count; + spin_unlock(&fd->tid_lock); + + if (!pageset_count) +@@ -468,10 +465,11 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + nomem: + hfi1_cdbg(TID, "total mapped: tidpairs:%u pages:%u (%d)", tididx, + mapped_pages, ret); ++ /* adjust reserved tid_used to actual count */ ++ spin_lock(&fd->tid_lock); ++ fd->tid_used -= pageset_count - tididx; ++ spin_unlock(&fd->tid_lock); + if (tididx) { +- spin_lock(&fd->tid_lock); +- fd->tid_used += tididx; +- spin_unlock(&fd->tid_lock); + tinfo->tidcnt = tididx; + tinfo->length = mapped_pages * PAGE_SIZE; + +-- +2.39.0 + diff --git a/queue-4.14/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch b/queue-4.14/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch new file mode 100644 index 00000000000..4739f3616f2 --- /dev/null +++ b/queue-4.14/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch 
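Review bot: After the reservation `fd->tid_used += pageset_count;` the only visible release is at `nomem:`, where `fd->tid_used -= pageset_count - tididx;`; any error exit between the two hunks that returns without reaching `nomem:` would leave `tid_used` permanently over-counted. The code between the `if (!pageset_count)` test and `nomem:` (the tidlist allocation and pinning in hfi1_user_exp_rcv_setup()) is outside view, so each early `return` there should be checked to funnel through `nomem:`. A short comment at the reservation, `/* reservation is trimmed to the actual count at nomem: */`, would tie the two sites together for the next reader.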
@@ -0,0 +1,44 @@ +From 5d5ee277c083dd9b5fe177912aba4e5b6fe6421b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jan 2023 11:54:06 +0100 +Subject: net: mdio: validate parameter addr in mdiobus_get_phy() + +From: Heiner Kallweit + +[ Upstream commit 867dbe784c5010a466f00a7d1467c1c5ea569c75 ] + +The caller may pass any value as addr, what may result in an out-of-bounds +access to array mdio_map. One existing case is stmmac_init_phy() that +may pass -1 as addr. Therefore validate addr before using it. + +Fixes: 7f854420fbfe ("phy: Add API for {un}registering an mdio device to a bus.") +Signed-off-by: Heiner Kallweit +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/cdf664ea-3312-e915-73f8-021678d08887@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mdio_bus.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index 7a813449d0d1..a9a0638a9b7a 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -70,7 +70,12 @@ EXPORT_SYMBOL(mdiobus_unregister_device); + + struct phy_device *mdiobus_get_phy(struct mii_bus *bus, int addr) + { +- struct mdio_device *mdiodev = bus->mdio_map[addr]; ++ struct mdio_device *mdiodev; ++ ++ if (addr < 0 || addr >= ARRAY_SIZE(bus->mdio_map)) ++ return NULL; ++ ++ mdiodev = bus->mdio_map[addr]; + + if (!mdiodev) + return NULL; +-- +2.39.0 + diff --git a/queue-4.14/net-mlx5-eliminate-anonymous-module_init-module_exit.patch b/queue-4.14/net-mlx5-eliminate-anonymous-module_init-module_exit.patch new file mode 100644 index 00000000000..c0cd19d9b0e --- /dev/null +++ b/queue-4.14/net-mlx5-eliminate-anonymous-module_init-module_exit.patch 
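Review bot: `addr >= ARRAY_SIZE(bus->mdio_map)` compares an `int` with a `size_t`; the negative case is covered by the explicit `addr < 0` test so the result is right, but the mixed comparison trips `-Wsign-compare` and makes a reader reason about integer promotion to see that. Writing the bound against the array's declared size, e.g. `if (addr < 0 || addr >= PHY_MAX_ADDR)` if that is how `mdio_map` is dimensioned in this tree, keeps the check self-evidently correct. mdiobus_get_phy() continues past the hunk.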
@@ -0,0 +1,76 @@ +From 2298870b056cf412fe93bb785c18435b0e14729d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 20:12:29 -0700 +Subject: net: mlx5: eliminate anonymous module_init & module_exit + +From: Randy Dunlap + +[ Upstream commit 2c1e1b949024989e20907b84e11a731a50778416 ] + +Eliminate anonymous module_init() and module_exit(), which can lead to +confusion or ambiguity when reading System.map, crashes/oops/bugs, +or an initcall_debug log. + +Give each of these init and exit functions unique driver-specific +names to eliminate the anonymous names. + +Example 1: (System.map) + ffffffff832fc78c t init + ffffffff832fc79e t init + ffffffff832fc8f8 t init + +Example 2: (initcall_debug log) + calling init+0x0/0x12 @ 1 + initcall init+0x0/0x12 returned 0 after 15 usecs + calling init+0x0/0x60 @ 1 + initcall init+0x0/0x60 returned 0 after 2 usecs + calling init+0x0/0x9a @ 1 + initcall init+0x0/0x9a returned 0 after 74 usecs + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: Randy Dunlap +Cc: Eli Cohen +Cc: Saeed Mahameed +Cc: Leon Romanovsky +Cc: linux-rdma@vger.kernel.org +Reviewed-by: Ira Weiny +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 049d9d19c66d..840ce070bddf 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1615,7 +1615,7 @@ static void mlx5_core_verify_params(void) + } + } + +-static int __init init(void) ++static int __init mlx5_init(void) + { + int err; + +@@ -1637,7 +1637,7 @@ static int __init init(void) + return err; + } + +-static void __exit cleanup(void) ++static void __exit mlx5_cleanup(void) + { + #ifdef CONFIG_MLX5_CORE_EN + mlx5e_cleanup(); 
+@@ -1646,5 +1646,5 @@ static void __exit cleanup(void) + mlx5_unregister_debugfs(); + } + +-module_init(init); +-module_exit(cleanup); ++module_init(mlx5_init); ++module_exit(mlx5_cleanup); +-- +2.39.0 + diff --git a/queue-4.14/net-nfc-fix-use-after-free-in-local_cleanup.patch b/queue-4.14/net-nfc-fix-use-after-free-in-local_cleanup.patch new file mode 100644 index 00000000000..0895970c9d0 --- /dev/null +++ b/queue-4.14/net-nfc-fix-use-after-free-in-local_cleanup.patch 
@@ -0,0 +1,112 @@ +From 469572f2377d65a6088916440fa51c893781003e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:19:14 +0900 +Subject: net: nfc: Fix use-after-free in local_cleanup() + +From: Jisoo Jang + +[ Upstream commit 4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6 ] + +Fix a use-after-free that occurs in kfree_skb() called from +local_cleanup(). This could happen when killing nfc daemon (e.g. neard) +after detaching an nfc device. +When detaching an nfc device, local_cleanup() called from +nfc_llcp_unregister_device() frees local->rx_pending and decreases +local->ref by kref_put() in nfc_llcp_local_put(). +In the terminating process, nfc daemon releases all sockets and it leads +to decreasing local->ref. After the last release of local->ref, +local_cleanup() called from local_release() frees local->rx_pending +again, which leads to the bug. + +Setting local->rx_pending to NULL in local_cleanup() could prevent +use-after-free when local_cleanup() is called twice. + +Found by a modified version of syzkaller. 
+ +BUG: KASAN: use-after-free in kfree_skb() + +Call Trace: +dump_stack_lvl (lib/dump_stack.c:106) +print_address_description.constprop.0.cold (mm/kasan/report.c:306) +kasan_check_range (mm/kasan/generic.c:189) +kfree_skb (net/core/skbuff.c:955) +local_cleanup (net/nfc/llcp_core.c:159) +nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172) +nfc_llcp_local_put (net/nfc/llcp_core.c:181) +llcp_sock_destruct (net/nfc/llcp_sock.c:959) +__sk_destruct (net/core/sock.c:2133) +sk_destruct (net/core/sock.c:2181) +__sk_free (net/core/sock.c:2192) +sk_free (net/core/sock.c:2203) +llcp_sock_release (net/nfc/llcp_sock.c:646) +__sock_release (net/socket.c:650) +sock_close (net/socket.c:1365) +__fput (fs/file_table.c:306) +task_work_run (kernel/task_work.c:179) +ptrace_notify (kernel/signal.c:2354) +syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278) +syscall_exit_to_user_mode (kernel/entry/common.c:296) +do_syscall_64 (arch/x86/entry/common.c:86) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106) + +Allocated by task 4719: +kasan_save_stack (mm/kasan/common.c:45) +__kasan_slab_alloc (mm/kasan/common.c:325) +slab_post_alloc_hook (mm/slab.h:766) +kmem_cache_alloc_node (mm/slub.c:3497) +__alloc_skb (net/core/skbuff.c:552) +pn533_recv_response (drivers/nfc/pn533/usb.c:65) +__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671) +usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704) +tasklet_action_common.isra.0 (kernel/softirq.c:797) +__do_softirq (kernel/softirq.c:571) + +Freed by task 1901: +kasan_save_stack (mm/kasan/common.c:45) +kasan_set_track (mm/kasan/common.c:52) +kasan_save_free_info (mm/kasan/genericdd.c:518) +__kasan_slab_free (mm/kasan/common.c:236) +kmem_cache_free (mm/slub.c:3809) +kfree_skbmem (net/core/skbuff.c:874) +kfree_skb (net/core/skbuff.c:931) +local_cleanup (net/nfc/llcp_core.c:159) +nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617) +nfc_unregister_device (net/nfc/core.c:1179) +pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846) 
+pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579) +usb_unbind_interface (drivers/usb/core/driver.c:458) +device_release_driver_internal (drivers/base/dd.c:1279) +bus_remove_device (drivers/base/bus.c:529) +device_del (drivers/base/core.c:3665) +usb_disable_device (drivers/usb/core/message.c:1420) +usb_disconnect (drivers/usb/core.c:2261) +hub_event (drivers/usb/core/hub.c:5833) +process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281) +worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423) +kthread (kernel/kthread.c:319) +ret_from_fork (arch/x86/entry/entry_64.S:301) + +Fixes: 3536da06db0b ("NFC: llcp: Clean local timers and works when removing a device") +Signed-off-by: Jisoo Jang +Link: https://lore.kernel.org/r/20230111131914.3338838-1-jisoo.jang@yonsei.ac.kr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index 7e619ff8a653..150f7ffbf6bc 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -171,6 +171,7 @@ static void local_cleanup(struct nfc_llcp_local *local) + cancel_work_sync(&local->rx_work); + cancel_work_sync(&local->timeout_work); + kfree_skb(local->rx_pending); ++ local->rx_pending = NULL; + del_timer_sync(&local->sdreq_timer); + cancel_work_sync(&local->sdreq_timeout_work); + nfc_llcp_free_sdp_tlv_list(&local->pending_sdreqs); +-- +2.39.0 + diff --git a/queue-4.14/net-usb-sr9700-handle-negative-len.patch b/queue-4.14/net-usb-sr9700-handle-negative-len.patch new file mode 100644 index 00000000000..ea412a20a12 --- /dev/null +++ b/queue-4.14/net-usb-sr9700-handle-negative-len.patch 
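Review bot: `local->rx_pending = NULL;` is only meaningful because local_cleanup() can run twice on the same object (device unregister, then the final put, per the commit message), and nothing at the line records that, so it reads as a redundant store; a comment keeps it from being dropped: `/* local_cleanup() may run twice; clear so the second kfree_skb() is a no-op */`. The remainder of local_cleanup() is outside the hunk — any other pointer it frees unconditionally has the same exposure and should get the same treatment.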
@@ -0,0 +1,41 @@
+From 5bb7f9df7a9f82fc9514c71df1b29440adfae7f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 14 Jan 2023 19:23:26 +0100
+Subject: net: usb: sr9700: Handle negative len
+
+From: Szymon Heidrich
+
+[ Upstream commit ecf7cf8efb59789e2b21d2f9ab926142579092b2 ]
+
+Packet len computed as difference of length word extracted from
+skb data and four may result in a negative value. In such case
+processing of the buffer should be interrupted rather than
+setting sr_skb->len to an unexpectedly large value (due to cast
+from signed to unsigned integer) and passing sr_skb to
+usbnet_skb_return.
+
+Fixes: e9da0b56fe27 ("sr9700: sanity check for packet length")
+Signed-off-by: Szymon Heidrich
+Link: https://lore.kernel.org/r/20230114182326.30479-1-szymon.heidrich@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/sr9700.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
+index a97dd62b9d54..dbdb027abe47 100644
+--- a/drivers/net/usb/sr9700.c
++++ b/drivers/net/usb/sr9700.c
+@@ -410,7 +410,7 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ /* ignore the CRC length */
+ len = (skb->data[1] | (skb->data[2] << 8)) - 4;
+
+- if (len > ETH_FRAME_LEN || len > skb->len)
++ if (len > ETH_FRAME_LEN || len > skb->len || len < 0)
+ return 0;
+
+ /* the last packet of current skb */
+--
+2.39.0
+
diff --git a/queue-4.14/phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch b/queue-4.14/phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch
new file mode 100644
index 00000000000..66ca0812806
--- /dev/null
+++ b/queue-4.14/phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch
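Review bot: The new `len < 0` term is the right guard for a device-supplied length word, but nothing at the check records why it is needed next to `len > skb->len`; if `len` is a signed `int` and `skb->len` is `unsigned int` (both declarations are outside the hunk), the usual arithmetic conversions already turn a negative `len` into a large unsigned value in that comparison, so a later reader may drop the new term as redundant. Keeping the sign test explicit is worth it precisely because it no longer depends on promotion rules; a comment above the condition such as `/* len is a signed difference of a device-supplied 16-bit word and 4; reject negatives explicitly rather than relying on signed/unsigned promotion in the skb->len comparison */` preserves that intent. As a matter of style, `if (len < 0 || len > ETH_FRAME_LEN || len > skb->len)` reads more naturally with the sign check first. The loop in sr9700_rx_fixup() that contains this check continues outside the hunk.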
@@ -0,0 +1,41 @@
+From 26266f05b42c7a821494c37d5fa2f2518be7d650 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Dec 2022 19:58:23 +0800
+Subject: phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in
+ rockchip_usb2phy_power_on()
+
+From: Shang XiaoJing
+
+[ Upstream commit 5daba914da0e48950e9407ea4d75fa57029c9adc ]
+
+The clk_disable_unprepare() should be called in the error handling of
+rockchip_usb2phy_power_on().
+
+Fixes: 0e08d2a727e6 ("phy: rockchip-inno-usb2: add a new driver for Rockchip usb2phy")
+Signed-off-by: Shang XiaoJing
+Link: https://lore.kernel.org/r/20221205115823.16957-1-shangxiaojing@huawei.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+index ee7ce5ee53f9..a088cb027657 100644
+--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+@@ -477,8 +477,10 @@ static int rockchip_usb2phy_power_on(struct phy *phy)
+ return ret;
+
+ ret = property_enable(base, &rport->port_cfg->phy_sus, false);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(rphy->clk480m);
+ return ret;
++ }
+
+ /* waiting for the utmi_clk to become stable */
+ usleep_range(1500, 2000);
+--
+2.39.0
+
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..9e1346a30ae
--- /dev/null
+++ b/queue-4.14/series
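Review bot: The added `clk_disable_unprepare(rphy->clk480m)` undoes an enable that sits before the hunk, but the pairing is not visible at the call site; a short comment, `/* undo clk_prepare_enable() above */`, would spare the next reader the lookup. If the rest of rockchip_usb2phy_power_on() (outside the hunk) ever gains another failure point after `usleep_range(1500, 2000)`, the kernel's goto-label unwind (`goto err_clk;` with one `clk_disable_unprepare()` at the label) scales better than repeating the call in every branch; for the single error return shown here the inline call is fine.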
@@ -0,0 +1,21 @@
+arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch
+hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch
+edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch
+tomoyo-fix-broken-dependency-on-.conf.default.patch
+ib-hfi1-reject-a-zero-length-user-expected-buffer.patch
+ib-hfi1-reserve-user-expected-tids.patch
+affs-initialize-fsdata-in-affs_truncate.patch
+amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch
+phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch
+net-nfc-fix-use-after-free-in-local_cleanup.patch
+wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch
+net-usb-sr9700-handle-negative-len.patch
+net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch
+hid-check-empty-report_list-in-hid_validate_values.patch
+usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch
+usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch
+net-mlx5-eliminate-anonymous-module_init-module_exit.patch
+dmaengine-fix-double-increment-of-client_count-in-dm.patch
+hid-betop-check-shape-of-output-reports.patch
+w1-fix-deadloop-in-__w1_remove_master_device.patch
+w1-fix-warning-after-calling-w1_process.patch
diff --git a/queue-4.14/tomoyo-fix-broken-dependency-on-.conf.default.patch b/queue-4.14/tomoyo-fix-broken-dependency-on-.conf.default.patch
new file mode 100644
index 00000000000..ec5cf3e3bea
--- /dev/null
+++ b/queue-4.14/tomoyo-fix-broken-dependency-on-.conf.default.patch
@@ -0,0 +1,61 @@
+From 7323f68b95cfa8ed53b5ff2bb7171094a3ed05c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 7 Jan 2023 16:47:41 +0900
+Subject: tomoyo: fix broken dependency on *.conf.default
+
+From: Masahiro Yamada
+
+[ Upstream commit eaf2213ba563b2d74a1f2c13a6b258273f689802 ]
+
+If *.conf.default is updated, builtin-policy.h should be rebuilt,
+but this does not work when compiled with O= option.
+
+[Without this commit]
+
+ $ touch security/tomoyo/policy/exception_policy.conf.default
+ $ make O=/tmp security/tomoyo/
+ make[1]: Entering directory '/tmp'
+ GEN Makefile
+ CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh
+ DESCEND objtool
+ make[1]: Leaving directory '/tmp'
+
+[With this commit]
+
+ $ touch security/tomoyo/policy/exception_policy.conf.default
+ $ make O=/tmp security/tomoyo/
+ make[1]: Entering directory '/tmp'
+ GEN Makefile
+ CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh
+ DESCEND objtool
+ POLICY security/tomoyo/builtin-policy.h
+ CC security/tomoyo/common.o
+ AR security/tomoyo/built-in.a
+ make[1]: Leaving directory '/tmp'
+
+$(srctree)/ is essential because $(wildcard ) does not follow VPATH.
+
+Fixes: f02dee2d148b ("tomoyo: Do not generate empty policy files")
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Sasha Levin
+---
+ security/tomoyo/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/tomoyo/Makefile b/security/tomoyo/Makefile
+index b7c6a7ffc058..a1ecf68930c7 100644
+--- a/security/tomoyo/Makefile
++++ b/security/tomoyo/Makefile
+@@ -10,7 +10,7 @@ endef
+ quiet_cmd_policy = POLICY $@
+ cmd_policy = ($(call do_policy,profile); $(call do_policy,exception_policy); $(call do_policy,domain_policy); $(call do_policy,manager); $(call do_policy,stat)) >$@
+
+-$(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(src)/policy/*.conf.default) FORCE
++$(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(srctree)/$(src)/policy/*.conf.default) FORCE
+ $(call if_changed,policy)
+
+ $(obj)/common.o: $(obj)/builtin-policy.h
+--
+2.39.0
+
diff --git a/queue-4.14/usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch b/queue-4.14/usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch
new file mode 100644
index 00000000000..b5a0e2039b3
--- /dev/null
+++ b/queue-4.14/usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch
@@ -0,0 +1,43 @@
+From e153dfc014a71c944fbcdc8197a40ecf853cdcd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Dec 2022 10:59:06 +0530
+Subject: usb: gadget: f_fs: Ensure ep0req is dequeued before free_request
+
+From: Udipto Goswami
+
+[ Upstream commit ce405d561b020e5a46340eb5146805a625dcacee ]
+
+As per the documentation, function usb_ep_free_request guarantees
+the request will not be queued or no longer be re-queued (or
+otherwise used). However, with the current implementation it
+doesn't make sure that the request in ep0 isn't reused.
+
+Fix this by dequeuing the ep0req on functionfs_unbind before
+freeing the request to align with the definition.
+
+Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
+Signed-off-by: Udipto Goswami
+Tested-by: Krishna Kurapati
+Link: https://lore.kernel.org/r/20221215052906.8993-3-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/function/f_fs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index df880fe73088..946cf039eddd 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1800,6 +1800,8 @@ static void functionfs_unbind(struct ffs_data *ffs)
+ ENTER();
+
+ if (!WARN_ON(!ffs->gadget)) {
++ /* dequeue before freeing ep0req */
++ usb_ep_dequeue(ffs->gadget->ep0, ffs->ep0req);
+ mutex_lock(&ffs->mutex);
+ usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
+ ffs->ep0req = NULL;
+--
+2.39.0
+
diff --git a/queue-4.14/usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch b/queue-4.14/usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch
new file mode 100644
index 00000000000..de974e2aad1
--- /dev/null
+++ b/queue-4.14/usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch
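Review bot: The new `usb_ep_dequeue()` runs before `mutex_lock(&ffs->mutex)`, i.e. outside the region that the sibling patch in this series (usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch) uses to serialize functionfs_unbind() against __ffs_ep0_queue_wait(); if ep0req can be queued again between the dequeue and the lock, the `usb_ep_free_request()` below would still free a queued request. Moving the dequeue inside the locked section, `mutex_lock(&ffs->mutex); usb_ep_dequeue(ffs->gadget->ep0, ffs->ep0req);`, closes that window if it exists; whether a queue can happen there depends on callers outside the hunk. The return value of `usb_ep_dequeue()` is discarded, so the comment could say that the not-queued case is expected and deliberately ignored, e.g. `/* dequeue before freeing ep0req; -EINVAL when nothing is queued is fine */`. functionfs_unbind() continues outside the hunk.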
@@ -0,0 +1,61 @@
+From d054b9af60303ed195c8c5e5274264c701c0891f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Dec 2022 10:59:05 +0530
+Subject: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
+
+From: Udipto Goswami
+
+[ Upstream commit 6a19da111057f69214b97c62fb0ac59023970850 ]
+
+While performing fast composition switch, there is a possibility that the
+process of ffs_ep0_write/ffs_ep0_read get into a race condition
+due to ep0req being freed up from functionfs_unbind.
+
+Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait
+by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't
+bounded so it can go ahead and mark the ep0req to NULL, and since there
+is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free.
+
+Fix this by making a serialized execution between the two functions using
+a mutex_lock(ffs->mutex).
+
+Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
+Signed-off-by: Udipto Goswami
+Tested-by: Krishna Kurapati
+Link: https://lore.kernel.org/r/20221215052906.8993-2-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/function/f_fs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 13a38ed806df..df880fe73088 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -274,6 +274,9 @@ static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len)
+ struct usb_request *req = ffs->ep0req;
+ int ret;
+
++ if (!req)
++ return -EINVAL;
++
+ req->zero = len < le16_to_cpu(ffs->ev.setup.wLength);
+
+ spin_unlock_irq(&ffs->ev.waitq.lock);
+@@ -1797,10 +1800,12 @@ static void functionfs_unbind(struct ffs_data *ffs)
+ ENTER();
+
+ if (!WARN_ON(!ffs->gadget)) {
++ mutex_lock(&ffs->mutex);
+ usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
+ ffs->ep0req = NULL;
+ ffs->gadget = NULL;
+ clear_bit(FFS_FL_BOUND, &ffs->flags);
++ mutex_unlock(&ffs->mutex);
+ ffs_data_put(ffs);
+ }
+ }
+--
+2.39.0
+
diff --git a/queue-4.14/w1-fix-deadloop-in-__w1_remove_master_device.patch b/queue-4.14/w1-fix-deadloop-in-__w1_remove_master_device.patch
new file mode 100644
index 00000000000..0b7fcb2efda
--- /dev/null
+++ b/queue-4.14/w1-fix-deadloop-in-__w1_remove_master_device.patch
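Review bot: The new `if (!req) return -EINVAL;` in __ffs_ep0_queue_wait() only closes the race if every caller holds `ffs->mutex` for the whole call, because the function drops `ffs->ev.waitq.lock` a few lines later (`spin_unlock_irq`) while functionfs_unbind() now clears `ep0req` under `ffs->mutex`, not under the waitq lock; the commit message states that contract but the code does not. A `lockdep_assert_held(&ffs->mutex);` beside the NULL check, or at least a comment `/* ep0req is cleared under ffs->mutex by functionfs_unbind(); callers must hold it */`, would make the assumption checkable instead of implicit; whether ffs_ep0_read/write take the mutex is outside the hunk. Both __ffs_ep0_queue_wait() and functionfs_unbind() continue outside their hunks.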
@@ -0,0 +1,83 @@
+From 72a381a21ef29934cd4d2294523297ad0707b49a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Dec 2022 16:04:34 +0800
+Subject: w1: fix deadloop in __w1_remove_master_device()
+
+From: Yang Yingliang
+
+[ Upstream commit 25d5648802f12ae486076ceca5d7ddf1fef792b2 ]
+
+I got a deadloop report while doing device(ds2482) add/remove test:
+
+ [ 162.241881] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1.
+ [ 163.272251] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1.
+ [ 164.296157] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1.
+ ...
+
+__w1_remove_master_device() can't return, because the dev->refcnt is not zero.
+
+w1_add_master_device() |
+ w1_alloc_dev() |
+ atomic_set(&dev->refcnt, 2) |
+ kthread_run() |
+ |__w1_remove_master_device()
+ | kthread_stop()
+ // KTHREAD_SHOULD_STOP is set, |
+ // threadfn(w1_process) won't be |
+ // called. |
+ kthread() |
+ | // refcnt will never be 0, it's deadloop.
+ | while (atomic_read(&dev->refcnt)) {...}
+
+After calling w1_add_master_device(), w1_process() is not really
+invoked, before w1_process() starting, if kthread_stop() is called
+in __w1_remove_master_device(), w1_process() will never be called,
+the refcnt can not be decreased, then it causes deadloop in remove
+function because of non-zero refcnt.
+
+We need to make sure w1_process() is really started, so move the
+set refcnt into w1_process() to fix this problem.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20221205080434.3149205-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/w1/w1.c | 2 ++
+ drivers/w1/w1_int.c | 5 ++---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index 6f9e9505b34c..44315f9fd669 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -1136,6 +1136,8 @@ int w1_process(void *data)
+ /* remainder if it woke up early */
+ unsigned long jremain = 0;
+
++ atomic_inc(&dev->refcnt);
++
+ for (;;) {
+
+ if (!jremain && dev->search_count) {
+diff --git a/drivers/w1/w1_int.c b/drivers/w1/w1_int.c
+index 1c776178f598..eb851eb44300 100644
+--- a/drivers/w1/w1_int.c
++++ b/drivers/w1/w1_int.c
+@@ -60,10 +60,9 @@ static struct w1_master *w1_alloc_dev(u32 id, int slave_count, int slave_ttl,
+ dev->search_count = w1_search_count;
+ dev->enable_pullup = w1_enable_pullup;
+
+- /* 1 for w1_process to decrement
+- * 1 for __w1_remove_master_device to decrement
++ /* For __w1_remove_master_device to decrement
+ */
+- atomic_set(&dev->refcnt, 2);
++ atomic_set(&dev->refcnt, 1);
+
+ INIT_LIST_HEAD(&dev->slist);
+ INIT_LIST_HEAD(&dev->async_list);
+--
+2.39.0
+
diff --git a/queue-4.14/w1-fix-warning-after-calling-w1_process.patch b/queue-4.14/w1-fix-warning-after-calling-w1_process.patch
new file mode 100644
index 00000000000..22c682dedf6
--- /dev/null
+++ b/queue-4.14/w1-fix-warning-after-calling-w1_process.patch
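Review bot: The reference that w1_process() now takes with `atomic_inc(&dev->refcnt)` is only balanced if the matching decrement at the end of the thread function (outside the hunk) runs on every exit path after that line, and the reworded comment in w1_alloc_dev() no longer says that the thread takes its own reference at all. Extending it, `/* 1 for __w1_remove_master_device to decrement; w1_process() takes and drops its own reference once it is actually running */`, documents the pairing at the place the counter is initialised and explains why the initial value dropped from 2 to 1. The increment also sits after the local declarations at the top of w1_process(); if there is any early exit between thread start and that line it must not reach the decrement, which cannot be checked from the hunk. Both w1_process() and w1_alloc_dev() continue outside their hunks.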
@@ -0,0 +1,55 @@
+From b4f786e96022287f253a7468c4085d2c3cad23fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Dec 2022 18:15:58 +0800
+Subject: w1: fix WARNING after calling w1_process()
+
+From: Yang Yingliang
+
+[ Upstream commit 36225a7c72e9e3e1ce4001b6ce72849f5c9a2d3b ]
+
+I got the following WARNING message while removing driver(ds2482):
+
+------------[ cut here ]------------
+do not call blocking ops when !TASK_RUNNING; state=1 set at [<000000002d50bfb6>] w1_process+0x9e/0x1d0 [wire]
+WARNING: CPU: 0 PID: 262 at kernel/sched/core.c:9817 __might_sleep+0x98/0xa0
+CPU: 0 PID: 262 Comm: w1_bus_master1 Tainted: G N 6.1.0-rc3+ #307
+RIP: 0010:__might_sleep+0x98/0xa0
+Call Trace:
+ exit_signals+0x6c/0x550
+ do_exit+0x2b4/0x17e0
+ kthread_exit+0x52/0x60
+ kthread+0x16d/0x1e0
+ ret_from_fork+0x1f/0x30
+
+The state of task is set to TASK_INTERRUPTIBLE in loop in w1_process(),
+set it to TASK_RUNNING when it breaks out of the loop to avoid the
+warning.
+
+Fixes: 3c52e4e62789 ("W1: w1_process, block or sleep")
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20221205101558.3599162-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/w1/w1.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index 44315f9fd669..4d43c373e5c6 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -1165,8 +1165,10 @@ int w1_process(void *data)
+ */
+ mutex_unlock(&dev->list_mutex);
+
+- if (kthread_should_stop())
++ if (kthread_should_stop()) {
++ __set_current_state(TASK_RUNNING);
+ break;
++ }
+
+ /* Only sleep when the search is active. */
+ if (dev->search_count) {
+--
+2.39.0
+
diff --git a/queue-4.14/wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch b/queue-4.14/wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch
new file mode 100644
index 00000000000..2f6bca9a575
--- /dev/null
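Review bot: The `__set_current_state(TASK_RUNNING)` before `break` restores a state that is set earlier in the loop (the TASK_INTERRUPTIBLE assignment is outside the hunk, per the commit message), but nothing at this site says why this exit alone needs it, and the trace in the description shows the reason: kthread exit goes through do_exit()/exit_signals(), which may sleep. A one-line comment, `/* loop left us in TASK_INTERRUPTIBLE; kthread exit may sleep */`, keeps the next reader from removing the call as redundant. If the loop has other break or return paths outside the hunk that can run after the state was set, they need the same reset. w1_process() continues outside the hunk.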
+++ b/queue-4.14/wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch 
@@ -0,0 +1,75 @@
+From cff838791ad71d51b0f456bc46f3462d5946f956 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Jan 2023 18:50:31 +0100
+Subject: wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid
+
+From: Szymon Heidrich
+
+[ Upstream commit b870e73a56c4cccbec33224233eaf295839f228c ]
+
+Since resplen and respoffs are signed integers sufficiently
+large values of unsigned int len and offset members of RNDIS
+response will result in negative values of prior variables.
+This may be utilized to bypass implemented security checks
+to either extract memory contents by manipulating offset or
+overflow the data buffer via memcpy by manipulating both
+offset and len.
+
+Additionally assure that sum of resplen and respoffs does not
+overflow so buffer boundaries are kept.
+
+Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond")
+Signed-off-by: Szymon Heidrich
+Reviewed-by: Alexander Duyck
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/rndis_wlan.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
+index d4947e3a909e..0376a2a74572 100644
+--- a/drivers/net/wireless/rndis_wlan.c
++++ b/drivers/net/wireless/rndis_wlan.c
+@@ -712,8 +712,8 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len)
+ struct rndis_query *get;
+ struct rndis_query_c *get_c;
+ } u;
+- int ret, buflen;
+- int resplen, respoffs, copylen;
++ int ret;
++ size_t buflen, resplen, respoffs, copylen;
+
+ buflen = *len + sizeof(*u.get);
+ if (buflen < CONTROL_BUFFER_SIZE)
+@@ -748,22 +748,15 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len)
+
+ if (respoffs > buflen) {
+ /* Device returned data offset outside buffer, error.
 */
+- netdev_dbg(dev->net, "%s(%s): received invalid "
+- "data offset: %d > %d\n", __func__,
+- oid_to_string(oid), respoffs, buflen);
++ netdev_dbg(dev->net,
++ "%s(%s): received invalid data offset: %zu > %zu\n",
++ __func__, oid_to_string(oid), respoffs, buflen);
+
+ ret = -EINVAL;
+ goto exit_unlock;
+ }
+
+- if ((resplen + respoffs) > buflen) {
+- /* Device would have returned more data if buffer would
+- * have been big enough. Copy just the bits that we got.
+- */
+- copylen = buflen - respoffs;
+- } else {
+- copylen = resplen;
+- }
++ copylen = min(resplen, buflen - respoffs);
+
+ if (copylen > *len)
+ copylen = *len;
+--
+2.39.0
+
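Review bot: With `copylen` now `size_t`, the retained `if (copylen > *len) copylen = *len;` compares against the `int *len` from the function signature; a negative `*len` is promoted to a huge unsigned value, so the clamp never fires and `copylen` stays bounded only by the device-controlled `resplen`, and `buflen = *len + sizeof(*u.get)` earlier in the hunk would wrap the same way. Callers are presumably in-driver and pass non-negative sizes, but the function now relies on that silently; an explicit `if (*len < 0) return -EINVAL;` at function entry (the prologue is outside the hunk) would make the trust boundary visible, and a comment on the `min()` line, `/* respoffs <= buflen was checked above, so the subtraction cannot wrap */`, would record why the unsigned arithmetic is safe. The `%d` to `%zu` change matches the new types. rndis_query_oid() continues outside both hunks.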