From: Sasha Levin
Date: Mon, 22 Aug 2022 13:27:04 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v4.9.326~29^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1b8dfcc55de031c020e35d96ffe4fae71119de20;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.19
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/alsa-core-add-async-signal-helpers.patch b/queue-4.19/alsa-core-add-async-signal-helpers.patch
new file mode 100644
index 00000000000..9017c97c281
--- /dev/null
+++ b/queue-4.19/alsa-core-add-async-signal-helpers.patch
@@ -0,0 +1,158 @@
+From 5129754460a322a99efc4203fee4cab424cf0211 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Jul 2022 14:59:42 +0200
+Subject: ALSA: core: Add async signal helpers
+
+From: Takashi Iwai
+
+[ Upstream commit ef34a0ae7a2654bc9e58675e36898217fb2799d8 ]
+
+Currently the call of kill_fasync() from an interrupt handler might
+lead to potential spin deadlocks, as spotted by syzkaller.
+Unfortunately, it's not so trivial to fix this lock chain as it's
+involved with the tasklist_lock that is touched in allover places.
+
+As a temporary workaround, this patch provides the way to defer the
+async signal notification in a work. The new helper functions,
+snd_fasync_helper() and snd_kill_faync() are replacements for
+fasync_helper() and kill_fasync(), respectively. In addition,
+snd_fasync_free() needs to be called at the destructor of the relevant
+file object.
+
+Link: https://lore.kernel.org/r/20220728125945.29533-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ include/sound/core.h | 8 ++++
+ sound/core/misc.c | 94 ++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 102 insertions(+)
+
+diff --git a/include/sound/core.h b/include/sound/core.h
+index 36a5934cf4b1..b5a8cc4d02cc 100644
+--- a/include/sound/core.h
++++ b/include/sound/core.h
+@@ -444,4 +444,12 @@ snd_pci_quirk_lookup_id(u16 vendor, u16 device,
+ }
+ #endif
+
++/* async signal helpers */
++struct snd_fasync;
++
++int snd_fasync_helper(int fd, struct file *file, int on,
++ struct snd_fasync **fasyncp);
++void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll);
++void snd_fasync_free(struct snd_fasync *fasync);
++
+ #endif /* __SOUND_CORE_H */
+diff --git a/sound/core/misc.c b/sound/core/misc.c
+index 0f818d593c9e..d100feba26b5 100644
+--- a/sound/core/misc.c
++++ b/sound/core/misc.c
+@@ -25,6 +25,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #ifdef CONFIG_SND_DEBUG
+@@ -160,3 +161,96 @@ snd_pci_quirk_lookup(struct pci_dev *pci, const struct snd_pci_quirk *list)
+ }
+ EXPORT_SYMBOL(snd_pci_quirk_lookup);
+ #endif
++
++/*
++ * Deferred async signal helpers
++ *
++ * Below are a few helper functions to wrap the async signal handling
++ * in the deferred work. The main purpose is to avoid the messy deadlock
++ * around tasklist_lock and co at the kill_fasync() invocation.
++ * fasync_helper() and kill_fasync() are replaced with snd_fasync_helper()
++ * and snd_kill_fasync(), respectively. In addition, snd_fasync_free() has
++ * to be called at releasing the relevant file object.
++ */
++struct snd_fasync {
++ struct fasync_struct *fasync;
++ int signal;
++ int poll;
++ int on;
++ struct list_head list;
++};
++
++static DEFINE_SPINLOCK(snd_fasync_lock);
++static LIST_HEAD(snd_fasync_list);
++
++static void snd_fasync_work_fn(struct work_struct *work)
++{
++ struct snd_fasync *fasync;
++
++ spin_lock_irq(&snd_fasync_lock);
++ while (!list_empty(&snd_fasync_list)) {
++ fasync = list_first_entry(&snd_fasync_list, struct snd_fasync, list);
++ list_del_init(&fasync->list);
++ spin_unlock_irq(&snd_fasync_lock);
++ if (fasync->on)
++ kill_fasync(&fasync->fasync, fasync->signal, fasync->poll);
++ spin_lock_irq(&snd_fasync_lock);
++ }
++ spin_unlock_irq(&snd_fasync_lock);
++}
++
++static DECLARE_WORK(snd_fasync_work, snd_fasync_work_fn);
++
++int snd_fasync_helper(int fd, struct file *file, int on,
++ struct snd_fasync **fasyncp)
++{
++ struct snd_fasync *fasync = NULL;
++
++ if (on) {
++ fasync = kzalloc(sizeof(*fasync), GFP_KERNEL);
++ if (!fasync)
++ return -ENOMEM;
++ INIT_LIST_HEAD(&fasync->list);
++ }
++
++ spin_lock_irq(&snd_fasync_lock);
++ if (*fasyncp) {
++ kfree(fasync);
++ fasync = *fasyncp;
++ } else {
++ if (!fasync) {
++ spin_unlock_irq(&snd_fasync_lock);
++ return 0;
++ }
++ *fasyncp = fasync;
++ }
++ fasync->on = on;
++ spin_unlock_irq(&snd_fasync_lock);
++ return fasync_helper(fd, file, on, &fasync->fasync);
++}
++EXPORT_SYMBOL_GPL(snd_fasync_helper);
++
++void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll)
++{
++ unsigned long flags;
++
++ if (!fasync || !fasync->on)
++ return;
++ spin_lock_irqsave(&snd_fasync_lock, flags);
++ fasync->signal = signal;
++ fasync->poll = poll;
++ list_move(&fasync->list, &snd_fasync_list);
++ schedule_work(&snd_fasync_work);
++ spin_unlock_irqrestore(&snd_fasync_lock, flags);
++}
++EXPORT_SYMBOL_GPL(snd_kill_fasync);
++
++void snd_fasync_free(struct snd_fasync *fasync)
++{
++ if (!fasync)
++ return;
++ fasync->on = 0;
++ flush_work(&snd_fasync_work);
++ kfree(fasync);
++}
++EXPORT_SYMBOL_GPL(snd_fasync_free);
+--
+2.35.1
+
diff --git a/queue-4.19/alsa-timer-use-deferred-fasync-helper.patch b/queue-4.19/alsa-timer-use-deferred-fasync-helper.patch
new file mode 100644
index 00000000000..029d1130336
--- /dev/null
+++ b/queue-4.19/alsa-timer-use-deferred-fasync-helper.patch
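Review bot: snd_fasync_free() clears `fasync->on` and calls flush_work() without taking snd_fasync_lock, while snd_kill_fasync() tests `on` before taking the lock and then queues the entry; a snd_kill_fasync() that is already past that test when snd_fasync_free() runs could re-queue the entry after flush_work() returns, and the work would later touch the freed object. That appears to make correct use depend on the caller guaranteeing that no signal delivery can still be racing with the free, and the header comment above `struct snd_fasync` does not state it. I would add to that comment: `Callers must ensure that no snd_kill_fasync() can still be running on the object when snd_fasync_free() is called (e.g. by stopping the interrupt source first); the helpers do not serialize free against kill.` The same `on` flag is also read outside the lock in snd_fasync_work_fn(), which is fine only under that contract.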
@@ -0,0 +1,83 @@
+From df05577e400093a4ce3ea7d7d84359fcc24fb2a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Jul 2022 14:59:43 +0200
+Subject: ALSA: timer: Use deferred fasync helper
+
+From: Takashi Iwai
+
+[ Upstream commit 95cc637c1afd83fb7dd3d7c8a53710488f4caf9c ]
+
+For avoiding the potential deadlock via kill_fasync() call, use the
+new fasync helpers to defer the invocation from PCI API. Note that
+it's merely a workaround.
+
+Reported-by: syzbot+1ee0910eca9c94f71f25@syzkaller.appspotmail.com
+Reported-by: syzbot+49b10793b867871ee26f@syzkaller.appspotmail.com
+Reported-by: syzbot+8285e973a41b5aa68902@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20220728125945.29533-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/core/timer.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 4920ec4f4594..f0e8b98f346e 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -75,7 +75,7 @@ struct snd_timer_user {
+ unsigned int filter;
+ struct timespec tstamp; /* trigger tstamp */
+ wait_queue_head_t qchange_sleep;
+- struct fasync_struct *fasync;
++ struct snd_fasync *fasync;
+ struct mutex ioctl_lock;
+ };
+
+@@ -1306,7 +1306,7 @@ static void snd_timer_user_interrupt(struct snd_timer_instance *timeri,
+ }
+ __wake:
+ spin_unlock(&tu->qlock);
+- kill_fasync(&tu->fasync, SIGIO, POLL_IN);
++ snd_kill_fasync(tu->fasync, SIGIO, POLL_IN);
+ wake_up(&tu->qchange_sleep);
+ }
+
+@@ -1343,7 +1343,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
+ spin_lock_irqsave(&tu->qlock, flags);
+ snd_timer_user_append_to_tqueue(tu, &r1);
+ spin_unlock_irqrestore(&tu->qlock, flags);
+- kill_fasync(&tu->fasync, SIGIO, POLL_IN);
++ snd_kill_fasync(tu->fasync, SIGIO, POLL_IN);
+ wake_up(&tu->qchange_sleep);
+ }
+
+@@ -1410,7 +1410,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
+ spin_unlock(&tu->qlock);
+ if (append == 0)
+ return;
+- kill_fasync(&tu->fasync, SIGIO, POLL_IN);
++ snd_kill_fasync(tu->fasync, SIGIO, POLL_IN);
+ wake_up(&tu->qchange_sleep);
+ }
+
+@@ -1476,6 +1476,7 @@ static int snd_timer_user_release(struct inode *inode, struct file *file)
+ if (tu->timeri)
+ snd_timer_close(tu->timeri);
+ mutex_unlock(&tu->ioctl_lock);
++ snd_fasync_free(tu->fasync);
+ kfree(tu->queue);
+ kfree(tu->tqueue);
+ kfree(tu);
+@@ -2027,7 +2028,7 @@ static int snd_timer_user_fasync(int fd, struct file * file, int on)
+ struct snd_timer_user *tu;
+
+ tu = file->private_data;
+- return fasync_helper(fd, file, on, &tu->fasync);
++ return snd_fasync_helper(fd, file, on, &tu->fasync);
+ }
+
+ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer,
+--
+2.35.1
+
diff --git a/queue-4.19/clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch b/queue-4.19/clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch
new file mode 100644
index 00000000000..ed072a44cb9
--- /dev/null
+++ b/queue-4.19/clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch
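Review bot: the new `snd_fasync_free(tu->fasync);` in snd_timer_user_release() frees the object that the three callbacks changed above hand to snd_kill_fasync(), and it is only safe because `snd_timer_close(tu->timeri)` on the preceding lines presumably detaches those callbacks first; that ordering dependency is invisible at the call site. I would add a one-line comment above it: `/* after snd_timer_close(): no callback may still call snd_kill_fasync() on it */`. snd_timer_user_release() begins outside the hunk.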
@@ -0,0 +1,85 @@
+From f2974cec1c44e841c31004be36b2655fd3f4ba63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 15 May 2022 23:00:47 +0200
+Subject: clk: qcom: ipq8074: dont disable gcc_sleep_clk_src
+
+From: Robert Marko
+
+[ Upstream commit 1bf7305e79aab095196131bdc87a97796e0e3fac ]
+
+Once the usb sleep clocks are disabled, clock framework is trying to
+disable the sleep clock source also.
+
+However, it seems that it cannot be disabled and trying to do so produces:
+[ 245.436390] ------------[ cut here ]------------
+[ 245.441233] gcc_sleep_clk_src status stuck at 'on'
+[ 245.441254] WARNING: CPU: 2 PID: 223 at clk_branch_wait+0x130/0x140
+[ 245.450435] Modules linked in: xhci_plat_hcd xhci_hcd dwc3 dwc3_qcom leds_gpio
+[ 245.456601] CPU: 2 PID: 223 Comm: sh Not tainted 5.18.0-rc4 #215
+[ 245.463889] Hardware name: Xiaomi AX9000 (DT)
+[ 245.470050] pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 245.474307] pc : clk_branch_wait+0x130/0x140
+[ 245.481073] lr : clk_branch_wait+0x130/0x140
+[ 245.485588] sp : ffffffc009f2bad0
+[ 245.489838] x29: ffffffc009f2bad0 x28: ffffff8003e6c800 x27: 0000000000000000
+[ 245.493057] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800226ef20
+[ 245.500175] x23: ffffffc0089ff550 x22: 0000000000000000 x21: ffffffc008476ad0
+[ 245.507294] x20: 0000000000000000 x19: ffffffc00965ac70 x18: fffffffffffc51a7
+[ 245.514413] x17: 68702e3030303837 x16: 3a6d726f6674616c x15: ffffffc089f2b777
+[ 245.521531] x14: ffffffc0095c9d18 x13: 0000000000000129 x12: 0000000000000129
+[ 245.528649] x11: 00000000ffffffea x10: ffffffc009621d18 x9 : 0000000000000001
+[ 245.535767] x8 : 0000000000000001 x7 : 0000000000017fe8 x6 : 0000000000000001
+[ 245.542885] x5 : ffffff803fdca6d8 x4 : 0000000000000000 x3 : 0000000000000027
+[ 245.550002] x2 : 0000000000000027 x1 : 0000000000000023 x0 : 0000000000000026
+[ 245.557122] Call trace:
+[ 245.564229] clk_branch_wait+0x130/0x140
+[ 245.566490] clk_branch2_disable+0x2c/0x40
+[ 245.570656] clk_core_disable+0x60/0xb0
+[ 245.574561] clk_core_disable+0x68/0xb0
+[ 245.578293] clk_disable+0x30/0x50
+[ 245.582113] dwc3_qcom_remove+0x60/0xc0 [dwc3_qcom]
+[ 245.585588] platform_remove+0x28/0x60
+[ 245.590361] device_remove+0x4c/0x80
+[ 245.594179] device_release_driver_internal+0x1dc/0x230
+[ 245.597914] device_driver_detach+0x18/0x30
+[ 245.602861] unbind_store+0xec/0x110
+[ 245.607027] drv_attr_store+0x24/0x40
+[ 245.610847] sysfs_kf_write+0x44/0x60
+[ 245.614405] kernfs_fop_write_iter+0x128/0x1c0
+[ 245.618052] new_sync_write+0xc0/0x130
+[ 245.622391] vfs_write+0x1d4/0x2a0
+[ 245.626123] ksys_write+0x58/0xe0
+[ 245.629508] __arm64_sys_write+0x1c/0x30
+[ 245.632895] invoke_syscall.constprop.0+0x5c/0x110
+[ 245.636890] do_el0_svc+0xa0/0x150
+[ 245.641488] el0_svc+0x18/0x60
+[ 245.644872] el0t_64_sync_handler+0xa4/0x130
+[ 245.647914] el0t_64_sync+0x174/0x178
+[ 245.652340] ---[ end trace 0000000000000000 ]---
+
+So, add CLK_IS_CRITICAL flag to the clock so that the kernel won't try
+to disable the sleep clock.
+
+Signed-off-by: Robert Marko
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220515210048.483898-10-robimarko@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/qcom/gcc-ipq8074.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/qcom/gcc-ipq8074.c b/drivers/clk/qcom/gcc-ipq8074.c
+index c93161d6824a..ee41aec106ac 100644
+--- a/drivers/clk/qcom/gcc-ipq8074.c
++++ b/drivers/clk/qcom/gcc-ipq8074.c
+@@ -675,6 +675,7 @@ static struct clk_branch gcc_sleep_clk_src = {
+ },
+ .num_parents = 1,
+ .ops = &clk_branch2_ops,
++ .flags = CLK_IS_CRITICAL,
+ },
+ },
+ };
+--
+2.35.1
+
diff --git a/queue-4.19/cxl-fix-a-memory-leak-in-an-error-handling-path.patch b/queue-4.19/cxl-fix-a-memory-leak-in-an-error-handling-path.patch
new file mode 100644
index 00000000000..c1be7df88d7
--- /dev/null
+++ b/queue-4.19/cxl-fix-a-memory-leak-in-an-error-handling-path.patch
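Review bot: `.flags = CLK_IS_CRITICAL,` keeps gcc_sleep_clk_src enabled for the lifetime of the system, and nothing in the clock table records that this is a workaround for a status bit that never reads back as cleared; that reasoning lives only in the commit message. I would put it next to the flag: `.flags = CLK_IS_CRITICAL, /* cannot be gated: status stays 'on' */`. The rest of the gcc_sleep_clk_src definition is outside the hunk.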
@@ -0,0 +1,36 @@
+From 5a493431c7713dd331fb75dc1bba21d1903d5caf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Jul 2022 21:14:48 +0200
+Subject: cxl: Fix a memory leak in an error handling path
+
+From: Christophe JAILLET
+
+[ Upstream commit 3a15b45b5454da862376b5d69a4967f5c6fa1368 ]
+
+A bitmap_zalloc() must be balanced by a corresponding bitmap_free() in the
+error handling path of afu_allocate_irqs().
+
+Acked-by: Andrew Donnellan
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/ce5869418f5838187946eb6b11a52715a93ece3d.1657566849.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/cxl/irq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/misc/cxl/irq.c b/drivers/misc/cxl/irq.c
+index ce08a9f22308..0dbe78383f8f 100644
+--- a/drivers/misc/cxl/irq.c
++++ b/drivers/misc/cxl/irq.c
+@@ -353,6 +353,7 @@ int afu_allocate_irqs(struct cxl_context *ctx, u32 count)
+
+ out:
+ cxl_ops->release_irq_ranges(&ctx->irqs, ctx->afu->adapter);
++ bitmap_free(ctx->irq_bitmap);
+ afu_irq_name_free(ctx);
+ return -ENOMEM;
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/dmaengine-sprd-cleanup-in-.remove-after-pm_runtime_g.patch b/queue-4.19/dmaengine-sprd-cleanup-in-.remove-after-pm_runtime_g.patch
new file mode 100644
index 00000000000..844dd35f9c2
--- /dev/null
+++ b/queue-4.19/dmaengine-sprd-cleanup-in-.remove-after-pm_runtime_g.patch
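Review bot: `bitmap_free(ctx->irq_bitmap);` on the `out:` path leaves a dangling pointer in the context; if the context teardown path also releases the bitmap (not visible from this hunk), the result is a double free on the very error path this commit fixes. Adding `ctx->irq_bitmap = NULL;` directly after the free keeps both paths safe, since freeing a NULL bitmap is a no-op. afu_allocate_irqs() begins outside the hunk, so I cannot confirm where the bitmap is otherwise released.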
@@ -0,0 +1,51 @@
+From 5a1955fcee182aed85ea938e5ef4d09b783d55a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Jul 2022 22:40:54 +0200
+Subject: dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync()
+ failed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+[ Upstream commit 1e42f82cbec7b2cc4873751e7791e6611901c5fc ]
+
+It's not allowed to quit remove early without cleaning up completely.
+Otherwise this results in resource leaks that probably yield graver
+problems later. Here for example some tasklets might survive the lifetime
+of the sprd-dma device and access sdev which is freed after .remove()
+returns.
+
+As none of the device freeing requires an active device, just ignore the
+return value of pm_runtime_get_sync().
+
+Signed-off-by: Uwe Kleine-König
+Reviewed-by: Baolin Wang
+Link: https://lore.kernel.org/r/20220721204054.323602-1-u.kleine-koenig@pengutronix.de
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/sprd-dma.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
+index 0fadf6a08494..4ec9a924a338 100644
+--- a/drivers/dma/sprd-dma.c
++++ b/drivers/dma/sprd-dma.c
+@@ -987,11 +987,8 @@ static int sprd_dma_remove(struct platform_device *pdev)
+ {
+ struct sprd_dma_dev *sdev = platform_get_drvdata(pdev);
+ struct sprd_dma_chn *c, *cn;
+- int ret;
+
+- ret = pm_runtime_get_sync(&pdev->dev);
+- if (ret < 0)
+- return ret;
++ pm_runtime_get_sync(&pdev->dev);
+
+ /* explicitly free the irq */
+ if (sdev->irq > 0)
+--
+2.35.1
+
diff --git a/queue-4.19/drivers-md-fix-a-potential-use-after-free-bug.patch b/queue-4.19/drivers-md-fix-a-potential-use-after-free-bug.patch
new file mode 100644
index 00000000000..5234a200d4c
--- /dev/null
+++ b/queue-4.19/drivers-md-fix-a-potential-use-after-free-bug.patch
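Review bot: the bare `pm_runtime_get_sync(&pdev->dev);` now discards an error silently, and nothing at the call site says this is deliberate; the next reader is likely to re-add the early return this commit removes. I would write `/* errors ignored on purpose: teardown below must run even if resume failed */` above the call. It is also worth noting in that comment that pm_runtime_get_sync() raises the usage count even on failure, so whatever put balances it later in sprd_dma_remove() (outside the hunk) stays balanced.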
@@ -0,0 +1,44 @@
+From 0e79d809f8e31b1271985827ee48c796031a0c5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Jul 2022 19:39:19 +0800
+Subject: drivers:md:fix a potential use-after-free bug
+
+From: Wentao_Liang
+
+[ Upstream commit 104212471b1c1817b311771d817fb692af983173 ]
+
+In line 2884, "raid5_release_stripe(sh);" drops the reference to sh and
+may cause sh to be released. However, sh is subsequently used in lines
+2886 "if (sh->batch_head && sh != sh->batch_head)". This may result in an
+use-after-free bug.
+
+It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of
+the function.
+
+Signed-off-by: Wentao_Liang
+Signed-off-by: Song Liu
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/md/raid5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index dad426cc0f90..6f04473f0838 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -2670,10 +2670,10 @@ static void raid5_end_write_request(struct bio *bi)
+ if (!test_and_clear_bit(R5_DOUBLE_LOCKED, &sh->dev[i].flags))
+ clear_bit(R5_LOCKED, &sh->dev[i].flags);
+ set_bit(STRIPE_HANDLE, &sh->state);
+- raid5_release_stripe(sh);
+
+ if (sh->batch_head && sh != sh->batch_head)
+ raid5_release_stripe(sh->batch_head);
++ raid5_release_stripe(sh);
+ }
+
+ static void raid5_error(struct mddev *mddev, struct md_rdev *rdev)
+--
+2.35.1
+
diff --git a/queue-4.19/drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch b/queue-4.19/drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch
new file mode 100644
index 00000000000..29d1b2f3bfe
--- /dev/null
+++ b/queue-4.19/drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch
@@ -0,0 +1,46 @@
+From bef78e74d0fdad6b8386b4cd34894b610262db7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Jul 2022 09:07:22 +0800
+Subject: drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors()
+
+From: Liang He
+
+[ Upstream commit 91b3c8dbe898df158fd2a84675f3a284ff6666f7 ]
+
+In this function, there are two refcount leak bugs:
+(1) when breaking out of for_each_endpoint_of_node(), we need call
+the of_node_put() for the 'ep';
+(2) we should call of_node_put() for the reference returned by
+of_graph_get_remote_port() when it is not used anymore.
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Liang He
+Acked-by: Martin Blumenstingl
+Acked-by: Neil Armstrong
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20220726010722.1319416-1-windhl@126.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/meson/meson_drv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
+index 1887473cdd79..9959522ce802 100644
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -141,8 +141,11 @@ static bool meson_vpu_has_available_connectors(struct device *dev)
+ for_each_endpoint_of_node(dev->of_node, ep) {
+ /* If the endpoint node exists, consider it enabled */
+ remote = of_graph_get_remote_port(ep);
+- if (remote)
++ if (remote) {
++ of_node_put(remote);
++ of_node_put(ep);
+ return true;
++ }
+ }
+
+ return false;
+--
+2.35.1
+
diff --git a/queue-4.19/ext4-avoid-remove-directory-when-directory-is-corrup.patch b/queue-4.19/ext4-avoid-remove-directory-when-directory-is-corrup.patch
new file mode 100644
index 00000000000..efa2d7f1700
--- /dev/null
+++ b/queue-4.19/ext4-avoid-remove-directory-when-directory-is-corrup.patch
@@ -0,0 +1,43 @@
+From 8570a8a5532c7849958c44bf75d060aa6d7af4ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Jun 2022 17:02:23 +0800
+Subject: ext4: avoid remove directory when directory is corrupted
+
+From: Ye Bin
+
+[ Upstream commit b24e77ef1c6d4dbf42749ad4903c97539cc9755a ]
+
+Now if check directoy entry is corrupted, ext4_empty_dir may return true
+then directory will be removed when file system mounted with "errors=continue".
+In order not to make things worse just return false when directory is corrupted.
+
+Signed-off-by: Ye Bin
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20220622090223.682234-1-yebin10@huawei.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/namei.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index ebc8e75e1ef1..a878b9a8d9ea 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2842,11 +2842,8 @@ bool ext4_empty_dir(struct inode *inode)
+ de = (struct ext4_dir_entry_2 *) (bh->b_data +
+ (offset & (sb->s_blocksize - 1)));
+ if (ext4_check_dir_entry(inode, NULL, de, bh,
+- bh->b_data, bh->b_size, offset)) {
+- offset = (offset | (sb->s_blocksize - 1)) + 1;
+- continue;
+- }
+- if (le32_to_cpu(de->inode)) {
++ bh->b_data, bh->b_size, offset) ||
++ le32_to_cpu(de->inode)) {
+ brelse(bh);
+ return false;
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/ext4-avoid-resizing-to-a-partial-cluster-size.patch b/queue-4.19/ext4-avoid-resizing-to-a-partial-cluster-size.patch
new file mode 100644
index 00000000000..cc0e09d2953
--- /dev/null
+++ b/queue-4.19/ext4-avoid-resizing-to-a-partial-cluster-size.patch
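Review bot: with the two conditions merged into `ext4_check_dir_entry(...) || le32_to_cpu(de->inode)`, a corrupted entry now makes ext4_empty_dir() answer "not empty", which callers will surface as a refusal to remove rather than as corruption; that is the intent per the commit message, but in the code it reads like the two cases were folded together by accident, since only ext4_check_dir_entry() reports the corruption. I would add above the `if`: `/* a corrupted entry counts as "not empty": never unlink a directory we cannot parse */`. The enclosing loop and the start of ext4_empty_dir() are outside the hunk.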
@@ -0,0 +1,47 @@
+From 223a245f7864a5aa937efcc20f35d05bef0bc157 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Jul 2022 04:27:48 +0000
+Subject: ext4: avoid resizing to a partial cluster size
+
+From: Kiselev, Oleg
+
+[ Upstream commit 69cb8e9d8cd97cdf5e293b26d70a9dee3e35e6bd ]
+
+This patch avoids an attempt to resize the filesystem to an
+unaligned cluster boundary. An online resize to a size that is not
+integral to cluster size results in the last iteration attempting to
+grow the fs by a negative amount, which trips a BUG_ON and leaves the fs
+with a corrupted in-memory superblock.
+
+Signed-off-by: Oleg Kiselev
+Link: https://lore.kernel.org/r/0E92A0AB-4F16-4F1A-94B7-702CC6504FDE@amazon.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/resize.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 88f9627225fc..dd23c97ae951 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1981,6 +1981,16 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count)
+ }
+ brelse(bh);
+
++ /*
++ * For bigalloc, trim the requested size to the nearest cluster
++ * boundary to avoid creating an unusable filesystem. We do this
++ * silently, instead of returning an error, to avoid breaking
++ * callers that blindly resize the filesystem to the full size of
++ * the underlying block device.
++ */
++ if (ext4_has_feature_bigalloc(sb))
++ n_blocks_count &= ~((1 << EXT4_CLUSTER_BITS(sb)) - 1);
++
+ retry:
+ o_blocks_count = ext4_blocks_count(es);
+
+--
+2.35.1
+
diff --git a/queue-4.19/f2fs-fix-to-avoid-use-f2fs_bug_on-in-f2fs_new_node_p.patch b/queue-4.19/f2fs-fix-to-avoid-use-f2fs_bug_on-in-f2fs_new_node_p.patch
new file mode 100644
index 00000000000..cd051733a7a
--- /dev/null
+++ b/queue-4.19/f2fs-fix-to-avoid-use-f2fs_bug_on-in-f2fs_new_node_p.patch
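Review bot: the mask in `n_blocks_count &= ~((1 << EXT4_CLUSTER_BITS(sb)) - 1);` is computed as an int and only clears the right bits of the 64-bit ext4_fsblk_t because the negative int is sign-extended on promotion; it works, but it leans on that rule and on the shift count staying below 31. Writing it as `n_blocks_count &= ~(((ext4_fsblk_t)1 << EXT4_CLUSTER_BITS(sb)) - 1);` makes the operand width explicit. Whether a request that rounds down to below the current size is then rejected depends on the comparison after `retry:`, which is outside the hunk.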
@@ -0,0 +1,63 @@
+From ee2c1df0df5d0b19af91c39d0de51f382d413b05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Jul 2022 00:03:23 +0800
+Subject: f2fs: fix to avoid use f2fs_bug_on() in f2fs_new_node_page()
+
+From: Chao Yu
+
+[ Upstream commit 141170b759e03958f296033bb7001be62d1d363b ]
+
+As Dipanjan Das reported, syzkaller
+found a f2fs bug as below:
+
+RIP: 0010:f2fs_new_node_page+0x19ac/0x1fc0 fs/f2fs/node.c:1295
+Call Trace:
+ write_all_xattrs fs/f2fs/xattr.c:487 [inline]
+ __f2fs_setxattr+0xe76/0x2e10 fs/f2fs/xattr.c:743
+ f2fs_setxattr+0x233/0xab0 fs/f2fs/xattr.c:790
+ f2fs_xattr_generic_set+0x133/0x170 fs/f2fs/xattr.c:86
+ __vfs_setxattr+0x115/0x180 fs/xattr.c:182
+ __vfs_setxattr_noperm+0x125/0x5f0 fs/xattr.c:216
+ __vfs_setxattr_locked+0x1cf/0x260 fs/xattr.c:277
+ vfs_setxattr+0x13f/0x330 fs/xattr.c:303
+ setxattr+0x146/0x160 fs/xattr.c:611
+ path_setxattr+0x1a7/0x1d0 fs/xattr.c:630
+ __do_sys_lsetxattr fs/xattr.c:653 [inline]
+ __se_sys_lsetxattr fs/xattr.c:649 [inline]
+ __x64_sys_lsetxattr+0xbd/0x150 fs/xattr.c:649
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+NAT entry and nat bitmap can be inconsistent, e.g. one nid is free
+in nat bitmap, and blkaddr in its NAT entry is not NULL_ADDR, it
+may trigger BUG_ON() in f2fs_new_node_page(), fix it.
+
+Reported-by: Dipanjan Das
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/node.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
+index ff3f97ba1a55..2c28f488ac2f 100644
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -1232,7 +1232,11 @@ struct page *f2fs_new_node_page(struct dnode_of_data *dn, unsigned int ofs)
+ dec_valid_node_count(sbi, dn->inode, !ofs);
+ goto fail;
+ }
+- f2fs_bug_on(sbi, new_ni.blk_addr != NULL_ADDR);
++ if (unlikely(new_ni.blk_addr != NULL_ADDR)) {
++ err = -EFSCORRUPTED;
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ goto fail;
++ }
+ #endif
+ new_ni.nid = dn->nid;
+ new_ni.ino = dn->inode->i_ino;
+--
+2.35.1
+
diff --git a/queue-4.19/gadgetfs-ep_io-wait-until-irq-finishes.patch b/queue-4.19/gadgetfs-ep_io-wait-until-irq-finishes.patch
new file mode 100644
index 00000000000..1cd49459c74
--- /dev/null
+++ b/queue-4.19/gadgetfs-ep_io-wait-until-irq-finishes.patch
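Review bot: the new -EFSCORRUPTED branch jumps to `fail` without the `dec_valid_node_count(sbi, dn->inode, !ofs);` that the error branch immediately above it performs before its own `goto fail`; if the valid-node count was already incremented earlier in f2fs_new_node_page() (outside the hunk), this path leaks that count whenever a corrupted image trips the check. If that reading is right, `dec_valid_node_count(sbi, dn->inode, !ofs);` belongs as the first statement of the new block. The block sits inside a conditional compilation region whose `#ifdef` is outside the hunk, so only builds that enable it are affected.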
@@ -0,0 +1,37 @@
+From 7efcd3da6c8f657eb3e5d9e2b1a2b3163ea8f6da Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Jul 2022 09:06:44 +0200
+Subject: gadgetfs: ep_io - wait until IRQ finishes
+
+From: Jozef Martiniak
+
+[ Upstream commit 04cb742d4d8f30dc2e83b46ac317eec09191c68e ]
+
+after usb_ep_queue() if wait_for_completion_interruptible() is
+interrupted we need to wait until IRQ gets finished.
+
+Otherwise complete() from epio_complete() can corrupt stack.
+
+Signed-off-by: Jozef Martiniak
+Link: https://lore.kernel.org/r/20220708070645.6130-1-jomajm@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/legacy/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index 3ebcbd199a79..b0a2b8805f41 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -361,6 +361,7 @@ ep_io (struct ep_data *epdata, void *buf, unsigned len)
+ spin_unlock_irq (&epdata->dev->lock);
+
+ DBG (epdata->dev, "endpoint gone\n");
++ wait_for_completion(&done);
+ epdata->status = -ENODEV;
+ }
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/irqchip-tegra-fix-overflow-implicit-truncation-warni.patch b/queue-4.19/irqchip-tegra-fix-overflow-implicit-truncation-warni.patch
new file mode 100644
index 00000000000..f55380dd3d1
--- /dev/null
+++ b/queue-4.19/irqchip-tegra-fix-overflow-implicit-truncation-warni.patch
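Review bot: the added `wait_for_completion(&done);` is an uninterruptible wait on the "endpoint gone" path, and nothing at the call site says why a request that has just been abandoned still needs to be waited for; the reason given in the commit message (the completion lives on this stack frame and epio_complete() may still signal it) should be stated in the code. I would add above it: `/* done is on our stack: the completion callback may still fire, wait for it before returning */`. ep_io() begins outside the hunk.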
@@ -0,0 +1,76 @@
+From 3a0f0a1897514216bbc624810914abedb604baca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 18 May 2022 22:14:12 +0530
+Subject: irqchip/tegra: Fix overflow implicit truncation warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sai Prakash Ranjan
+
+[ Upstream commit 443685992bda9bb4f8b17fc02c9f6c60e62b1461 ]
+
+Fix -Woverflow warnings for tegra irqchip driver which is a result
+of moving arm64 custom MMIO accessor macros to asm-generic function
+implementations giving a bonus type-checking now and uncovering these
+overflow warnings.
+
+drivers/irqchip/irq-tegra.c: In function ‘tegra_ictlr_suspend’:
+drivers/irqchip/irq-tegra.c:151:18: warning: large integer implicitly truncated to unsigned type [-Woverflow]
+ writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR);
+ ^
+
+Suggested-by: Marc Zyngier
+Signed-off-by: Sai Prakash Ranjan
+Reviewed-by: Arnd Bergmann
+Cc: Marc Zyngier
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-tegra.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/irqchip/irq-tegra.c b/drivers/irqchip/irq-tegra.c
+index 0abc0cd1c32e..1b3048ecb600 100644
+--- a/drivers/irqchip/irq-tegra.c
++++ b/drivers/irqchip/irq-tegra.c
+@@ -157,10 +157,10 @@ static int tegra_ictlr_suspend(void)
+ lic->cop_iep[i] = readl_relaxed(ictlr + ICTLR_COP_IEP_CLASS);
+
+ /* Disable COP interrupts */
+- writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR);
++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_COP_IER_CLR);
+
+ /* Disable CPU interrupts */
+- writel_relaxed(~0ul, ictlr + ICTLR_CPU_IER_CLR);
++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_CPU_IER_CLR);
+
+ /* Enable the wakeup sources of ictlr */
+ writel_relaxed(lic->ictlr_wake_mask[i], ictlr + ICTLR_CPU_IER_SET);
+@@ -181,12 +181,12 @@ static void tegra_ictlr_resume(void)
+
+ writel_relaxed(lic->cpu_iep[i],
+ ictlr + ICTLR_CPU_IEP_CLASS);
+- writel_relaxed(~0ul, ictlr + ICTLR_CPU_IER_CLR);
++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_CPU_IER_CLR);
+ writel_relaxed(lic->cpu_ier[i],
+ ictlr + ICTLR_CPU_IER_SET);
+ writel_relaxed(lic->cop_iep[i],
+ ictlr + ICTLR_COP_IEP_CLASS);
+- writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR);
++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_COP_IER_CLR);
+ writel_relaxed(lic->cop_ier[i],
+ ictlr + ICTLR_COP_IER_SET);
+ }
+@@ -321,7 +321,7 @@ static int __init tegra_ictlr_init(struct device_node *node,
+ lic->base[i] = base;
+
+ /* Disable all interrupts */
+- writel_relaxed(~0UL, base + ICTLR_CPU_IER_CLR);
++ writel_relaxed(GENMASK(31, 0), base + ICTLR_CPU_IER_CLR);
+ /* All interrupts target IRQ */
+ writel_relaxed(0, base + ICTLR_CPU_IEP_CLASS);
+
+--
+2.35.1
+
diff --git a/queue-4.19/lib-list_debug.c-detect-uninitialized-lists.patch b/queue-4.19/lib-list_debug.c-detect-uninitialized-lists.patch
new file mode 100644
index 00000000000..c22f8003f15
--- /dev/null
+++ b/queue-4.19/lib-list_debug.c-detect-uninitialized-lists.patch
@@ -0,0 +1,80 @@
+From 522dc8073fa9b381d794e49d6beb40cb28089eae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 31 May 2022 15:29:51 -0700
+Subject: lib/list_debug.c: Detect uninitialized lists
+
+From: Guenter Roeck
+
+[ Upstream commit 0cc011c576aaa4de505046f7a6c90933d7c749a9 ]
+
+In some circumstances, attempts are made to add entries to or to remove
+entries from an uninitialized list. A prime example is
+amdgpu_bo_vm_destroy(): It is indirectly called from
+ttm_bo_init_reserved() if that function fails, and tries to remove an
+entry from a list. However, that list is only initialized in
+amdgpu_bo_create_vm() after the call to ttm_bo_init_reserved() returned
+success. This results in crashes such as
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 1 PID: 1479 Comm: chrome Not tainted 5.10.110-15768-g29a72e65dae5
+ Hardware name: Google Grunt/Grunt, BIOS Google_Grunt.11031.149.0 07/15/2020
+ RIP: 0010:__list_del_entry_valid+0x26/0x7d
+ ...
+ Call Trace:
+ amdgpu_bo_vm_destroy+0x48/0x8b
+ ttm_bo_init_reserved+0x1d7/0x1e0
+ amdgpu_bo_create+0x212/0x476
+ ? amdgpu_bo_user_destroy+0x23/0x23
+ ? kmem_cache_alloc+0x60/0x271
+ amdgpu_bo_create_vm+0x40/0x7d
+ amdgpu_vm_pt_create+0xe8/0x24b
+ ...
+
+Check if the list's prev and next pointers are NULL to catch such problems.
+
+Link: https://lkml.kernel.org/r/20220531222951.92073-1-linux@roeck-us.net
+Signed-off-by: Guenter Roeck
+Cc: Steven Rostedt
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ lib/list_debug.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/list_debug.c b/lib/list_debug.c
+index 5d5424b51b74..413daa72a3d8 100644
+--- a/lib/list_debug.c
++++ b/lib/list_debug.c
+@@ -20,7 +20,11 @@
+ bool __list_add_valid(struct list_head *new, struct list_head *prev,
+ struct list_head *next)
+ {
+- if (CHECK_DATA_CORRUPTION(next->prev != prev,
++ if (CHECK_DATA_CORRUPTION(prev == NULL,
++ "list_add corruption. prev is NULL.\n") ||
++ CHECK_DATA_CORRUPTION(next == NULL,
++ "list_add corruption. next is NULL.\n") ||
++ CHECK_DATA_CORRUPTION(next->prev != prev,
+ "list_add corruption. next->prev should be prev (%px), but was %px. (next=%px).\n",
+ prev, next->prev, next) ||
+ CHECK_DATA_CORRUPTION(prev->next != next,
+@@ -42,7 +46,11 @@ bool __list_del_entry_valid(struct list_head *entry)
+ prev = entry->prev;
+ next = entry->next;
+
+- if (CHECK_DATA_CORRUPTION(next == LIST_POISON1,
++ if (CHECK_DATA_CORRUPTION(next == NULL,
++ "list_del corruption, %px->next is NULL\n", entry) ||
++ CHECK_DATA_CORRUPTION(prev == NULL,
++ "list_del corruption, %px->prev is NULL\n", entry) ||
++ CHECK_DATA_CORRUPTION(next == LIST_POISON1,
+ "list_del corruption, %px->next is LIST_POISON1 (%px)\n",
+ entry, LIST_POISON1) ||
+ CHECK_DATA_CORRUPTION(prev == LIST_POISON2,
+--
+2.35.1
+
diff --git a/queue-4.19/mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch b/queue-4.19/mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch
new file mode 100644
index 00000000000..86ee00c1578
--- /dev/null
+++ b/queue-4.19/mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch
@@ -0,0 +1,42 @@ +From 57ac0b3ef2bb0ad5f1ba2d709b1de1fcaeb51a06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 20:41:12 +0800 +Subject: mips: cavium-octeon: Fix missing of_node_put() in + octeon2_usb_clocks_start + +From: Liang He + +[ Upstream commit 7a9f743ceead60ed454c46fbc3085ee9a79cbebb ] + +We should call of_node_put() for the reference 'uctl_node' returned by +of_get_parent() which will increase the refcount. Otherwise, there will +be a refcount leak bug. + +Signed-off-by: Liang He +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/cavium-octeon/octeon-platform.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/cavium-octeon/octeon-platform.c b/arch/mips/cavium-octeon/octeon-platform.c +index 4d83f5bc7211..54c8389decda 100644 +--- a/arch/mips/cavium-octeon/octeon-platform.c ++++ b/arch/mips/cavium-octeon/octeon-platform.c +@@ -86,11 +86,12 @@ static void octeon2_usb_clocks_start(struct device *dev) + "refclk-frequency", &clock_rate); + if (i) { + dev_err(dev, "No UCTL \"refclk-frequency\"\n"); ++ of_node_put(uctl_node); + goto exit; + } + i = of_property_read_string(uctl_node, + "refclk-type", &clock_type); +- ++ of_node_put(uctl_node); + if (!i && strcmp("crystal", clock_type) == 0) + is_crystal_clock = true; + } +-- +2.35.1 + diff --git a/queue-4.19/mips-tlbex-explicitly-compare-_page_no_exec-against-.patch b/queue-4.19/mips-tlbex-explicitly-compare-_page_no_exec-against-.patch new file mode 100644 index 00000000000..f0a0ea9bce6 --- /dev/null +++ b/queue-4.19/mips-tlbex-explicitly-compare-_page_no_exec-against-.patch 
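Review bot: The second added `of_node_put(uctl_node);` is placed before `strcmp("crystal", clock_type)`, but `clock_type` was just filled by `of_property_read_string(uctl_node, ...)` and points into that node's property data, so the reference is released while the string is still being read. Moving the put below the `if (!i && strcmp("crystal", clock_type) == 0) is_crystal_clock = true;` statement keeps the node pinned for the duration of the use; the node is unlikely to be freed in practice, but the ordering is what the refcount exists to enforce. The enclosing octeon2_usb_clocks_start() begins outside the hunk, so whether any earlier exit between of_get_parent() and this point also needs a put cannot be checked here.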
@@ -0,0 +1,70 @@ +From 542333d68ae246d128cfe19eac334bc01afd6b19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 10:59:36 -0700 +Subject: MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0 + +From: Nathan Chancellor + +[ Upstream commit 74de14fe05dd6b151d73cb0c73c8ec874cbdcde6 ] + +When CONFIG_XPA is enabled, Clang warns: + + arch/mips/mm/tlbex.c:629:24: error: converting the result of '<<' to a boolean; did you mean '(1 << _PAGE_NO_EXEC_SHIFT) != 0'? [-Werror,-Wint-in-bool-context] + if (cpu_has_rixi && !!_PAGE_NO_EXEC) { + ^ + arch/mips/include/asm/pgtable-bits.h:174:28: note: expanded from macro '_PAGE_NO_EXEC' + # define _PAGE_NO_EXEC (1 << _PAGE_NO_EXEC_SHIFT) + ^ + arch/mips/mm/tlbex.c:2568:24: error: converting the result of '<<' to a boolean; did you mean '(1 << _PAGE_NO_EXEC_SHIFT) != 0'? [-Werror,-Wint-in-bool-context] + if (!cpu_has_rixi || !_PAGE_NO_EXEC) { + ^ + arch/mips/include/asm/pgtable-bits.h:174:28: note: expanded from macro '_PAGE_NO_EXEC' + # define _PAGE_NO_EXEC (1 << _PAGE_NO_EXEC_SHIFT) + ^ + 2 errors generated. + +_PAGE_NO_EXEC can be '0' or '1 << _PAGE_NO_EXEC_SHIFT' depending on the +build and runtime configuration, which is what the negation operators +are trying to convey. To silence the warning, explicitly compare against +0 so the result of the '<<' operator is not implicitly converted to a +boolean. + +According to its documentation, GCC enables -Wint-in-bool-context with +-Wall but this warning is not visible when building the same +configuration with GCC. 
It appears GCC only warns when compiling C++, +not C, although the documentation makes no note of this: +https://godbolt.org/z/x39q3brxf + +Reported-by: Sudip Mukherjee (Codethink) +Signed-off-by: Nathan Chancellor +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/mm/tlbex.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c +index 620abc968624..a97b3e5a1c00 100644 +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -630,7 +630,7 @@ static __maybe_unused void build_convert_pte_to_entrylo(u32 **p, + return; + } + +- if (cpu_has_rixi && !!_PAGE_NO_EXEC) { ++ if (cpu_has_rixi && _PAGE_NO_EXEC != 0) { + if (fill_includes_sw_bits) { + UASM_i_ROTR(p, reg, reg, ilog2(_PAGE_GLOBAL)); + } else { +@@ -2559,7 +2559,7 @@ static void check_pabits(void) + unsigned long entry; + unsigned pabits, fillbits; + +- if (!cpu_has_rixi || !_PAGE_NO_EXEC) { ++ if (!cpu_has_rixi || _PAGE_NO_EXEC == 0) { + /* + * We'll only be making use of the fact that we can rotate bits + * into the fill if the CPU supports RIXI, so don't bother +-- +2.35.1 + diff --git a/queue-4.19/pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch b/queue-4.19/pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch new file mode 100644 index 00000000000..e34ad970c16 --- /dev/null +++ b/queue-4.19/pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch 
@@ -0,0 +1,44 @@ +From 94d319265c24bb9a5e7329d7e83166845164b7f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jun 2022 13:41:47 -0400 +Subject: PCI: Add ACS quirk for Broadcom BCM5750x NICs + +From: Pavan Chebbi + +[ Upstream commit afd306a65cedb9589564bdb23a0c368abc4215fd ] + +The Broadcom BCM5750x NICs may be multi-function devices. They do not +advertise ACS capability. Peer-to-peer transactions are not possible +between the individual functions, so it is safe to treat them as fully +isolated. + +Add an ACS quirk for these devices so the functions can be in independent +IOMMU groups and attached individually to userspace applications using +VFIO. + +Link: https://lore.kernel.org/r/1654796507-28610-1-git-send-email-michael.chan@broadcom.com +Signed-off-by: Pavan Chebbi +Signed-off-by: Michael Chan +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 7cd38c9eaa02..f494e76faaa0 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4799,6 +4799,9 @@ static const struct pci_dev_acs_enabled { + { PCI_VENDOR_ID_AMPERE, 0xE00C, pci_quirk_xgene_acs }, + /* Broadcom multi-function device */ + { PCI_VENDOR_ID_BROADCOM, 0x16D7, pci_quirk_mf_endpoint_acs }, ++ { PCI_VENDOR_ID_BROADCOM, 0x1750, pci_quirk_mf_endpoint_acs }, ++ { PCI_VENDOR_ID_BROADCOM, 0x1751, pci_quirk_mf_endpoint_acs }, ++ { PCI_VENDOR_ID_BROADCOM, 0x1752, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs }, + { 0 } + }; +-- +2.35.1 + diff --git a/queue-4.19/powerpc-64-init-jump-labels-before-parse_early_param.patch b/queue-4.19/powerpc-64-init-jump-labels-before-parse_early_param.patch new file mode 100644 index 00000000000..043260c3f73 --- /dev/null +++ b/queue-4.19/powerpc-64-init-jump-labels-before-parse_early_param.patch 
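Review bot: The three new `pci_quirk_mf_endpoint_acs` entries for 0x1750, 0x1751 and 0x1752 sit under the comment `/* Broadcom multi-function device */` written for 0x16D7 alone, and an ACS quirk is a security assertion: it lets the IOMMU layer put these functions in separate groups although the hardware advertises no ACS. A comment on the new rows naming the family and the basis of the claim, e.g. `/* Broadcom BCM5750x: no ACS capability, vendor states no P2P between functions */`, records why the relaxation is considered safe so a later reviewer can re-check it. The table continues beyond the hunk.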
@@ -0,0 +1,65 @@ +From 0eb4cf3511c91e2ea4d33f7392cd7d15fcb28025 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jul 2022 09:57:47 +0800 +Subject: powerpc/64: Init jump labels before parse_early_param() + +From: Zhouyi Zhou + +[ Upstream commit ca829e05d3d4f728810cc5e4b468d9ebc7745eb3 ] + +On 64-bit, calling jump_label_init() in setup_feature_keys() is too +late because static keys may be used in subroutines of +parse_early_param() which is again subroutine of early_init_devtree(). + +For example booting with "threadirqs": + + static_key_enable_cpuslocked(): static key '0xc000000002953260' used before call to jump_label_init() + WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:166 static_key_enable_cpuslocked+0xfc/0x120 + ... + NIP static_key_enable_cpuslocked+0xfc/0x120 + LR static_key_enable_cpuslocked+0xf8/0x120 + Call Trace: + static_key_enable_cpuslocked+0xf8/0x120 (unreliable) + static_key_enable+0x30/0x50 + setup_forced_irqthreads+0x28/0x40 + do_early_param+0xa0/0x108 + parse_args+0x290/0x4e0 + parse_early_options+0x48/0x5c + parse_early_param+0x58/0x84 + early_init_devtree+0xd4/0x518 + early_setup+0xb4/0x214 + +So call jump_label_init() just before parse_early_param() in +early_init_devtree(). + +Suggested-by: Michael Ellerman +Signed-off-by: Zhouyi Zhou +[mpe: Add call trace to change log and minor wording edits.] 
+Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220726015747.11754-1-zhouzhouyi@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/prom.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c +index f8c49e5d4bd3..c57aeb9f031c 100644 +--- a/arch/powerpc/kernel/prom.c ++++ b/arch/powerpc/kernel/prom.c +@@ -737,6 +737,13 @@ void __init early_init_devtree(void *params) + of_scan_flat_dt(early_init_dt_scan_root, NULL); + of_scan_flat_dt(early_init_dt_scan_memory_ppc, NULL); + ++ /* ++ * As generic code authors expect to be able to use static keys ++ * in early_param() handlers, we initialize the static keys just ++ * before parsing early params (it's fine to call jump_label_init() ++ * more than once). ++ */ ++ jump_label_init(); + parse_early_param(); + + /* make sure we've parsed cmdline for mem= before this */ +-- +2.35.1 + diff --git a/queue-4.19/risc-v-add-fast-call-path-of-crash_kexec.patch b/queue-4.19/risc-v-add-fast-call-path-of-crash_kexec.patch new file mode 100644 index 00000000000..504e9fa74c7 --- /dev/null +++ b/queue-4.19/risc-v-add-fast-call-path-of-crash_kexec.patch 
@@ -0,0 +1,73 @@ +From a2189d4bf391672f21cd27f3ffb8c43b1b274f6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 16:23:08 +0800 +Subject: RISC-V: Add fast call path of crash_kexec() + +From: Xianting Tian + +[ Upstream commit 3f1901110a89b0e2e13adb2ac8d1a7102879ea98 ] + +Currently, almost all archs (x86, arm64, mips...) support fast call +of crash_kexec() when "regs && kexec_should_crash()" is true. But +RISC-V not, it can only enter crash system via panic(). However panic() +doesn't pass the regs of the real accident scene to crash_kexec(), +it caused we can't get accurate backtrace via gdb, + $ riscv64-linux-gnu-gdb vmlinux vmcore + Reading symbols from vmlinux... + [New LWP 95] + #0 console_unlock () at kernel/printk/printk.c:2557 + 2557 if (do_cond_resched) + (gdb) bt + #0 console_unlock () at kernel/printk/printk.c:2557 + #1 0x0000000000000000 in ?? () + +With the patch we can get the accurate backtrace, + $ riscv64-linux-gnu-gdb vmlinux vmcore + Reading symbols from vmlinux... + [New LWP 95] + #0 0xffffffe00063a4e0 in test_thread (data=) at drivers/test_crash.c:81 + 81 *(int *)p = 0xdead; + (gdb) + (gdb) bt + #0 0xffffffe00064d5c0 in test_thread (data=) at drivers/test_crash.c:81 + #1 0x0000000000000000 in ?? 
() + +Test code to produce NULL address dereference in test_crash.c, + void *p = NULL; + *(int *)p = 0xdead; + +Reviewed-by: Guo Ren +Tested-by: Xianting Tian +Signed-off-by: Xianting Tian +Link: https://lore.kernel.org/r/20220606082308.2883458-1-xianting.tian@linux.alibaba.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/traps.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c +index 24a9333dda2c..7c65750508f2 100644 +--- a/arch/riscv/kernel/traps.c ++++ b/arch/riscv/kernel/traps.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -50,6 +51,9 @@ void die(struct pt_regs *regs, const char *str) + + ret = notify_die(DIE_OOPS, str, regs, 0, regs->scause, SIGSEGV); + ++ if (regs && kexec_should_crash(current)) ++ crash_kexec(regs); ++ + bust_spinlocks(0); + add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE); + spin_unlock_irq(&die_lock); +-- +2.35.1 + diff --git a/queue-4.19/riscv-mmap-with-prot_write-but-no-prot_read-is-inval.patch b/queue-4.19/riscv-mmap-with-prot_write-but-no-prot_read-is-inval.patch new file mode 100644 index 00000000000..48f1a4b2aa7 --- /dev/null +++ b/queue-4.19/riscv-mmap-with-prot_write-but-no-prot_read-is-inval.patch 
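Review bot: The `regs &&` half of the added `if (regs && kexec_should_crash(current))` cannot fire, because the context line just above, `ret = notify_die(DIE_OOPS, str, regs, 0, regs->scause, SIGSEGV);`, already dereferences `regs`; either the guard is dead or the notify_die() call is the real NULL hazard, and only die()'s callers (outside the hunk) say which. If NULL is possible the dereference should be guarded too; if not, the guard can be dropped so the condition does not imply a case that never happens. The call is also made with die_lock held and interrupts off (the `spin_unlock_irq(&die_lock)` follows), which is acceptable for a presumably non-returning crash path but deserves a one-line comment such as `/* does not return when a crash kernel is loaded */`.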
@@ -0,0 +1,47 @@ +From 98725d934fde75df0ee3b942913df0ec8126d693 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 15:56:52 +0800 +Subject: riscv: mmap with PROT_WRITE but no PROT_READ is invalid + +From: Celeste Liu + +[ Upstream commit 2139619bcad7ac44cc8f6f749089120594056613 ] + +As mentioned in Table 4.5 in RISC-V spec Volume 2 Section 4.3, write +but not read is "Reserved for future use.". For now, they are not valid. +In the current code, -wx is marked as invalid, but -w- is not marked +as invalid. +This patch refines that judgment. + +Reported-by: xctan +Co-developed-by: dram +Signed-off-by: dram +Co-developed-by: Ruizhe Pan +Signed-off-by: Ruizhe Pan +Signed-off-by: Celeste Liu +Link: https://lore.kernel.org/r/PH7PR14MB559464DBDD310E755F5B21E8CEDC9@PH7PR14MB5594.namprd14.prod.outlook.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/sys_riscv.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/riscv/kernel/sys_riscv.c b/arch/riscv/kernel/sys_riscv.c +index db44da32701f..516aaa19daf2 100644 +--- a/arch/riscv/kernel/sys_riscv.c ++++ b/arch/riscv/kernel/sys_riscv.c +@@ -26,9 +26,8 @@ static long riscv_sys_mmap(unsigned long addr, unsigned long len, + if (unlikely(offset & (~PAGE_MASK >> page_shift_offset))) + return -EINVAL; + +- if ((prot & PROT_WRITE) && (prot & PROT_EXEC)) +- if (unlikely(!(prot & PROT_READ))) +- return -EINVAL; ++ if (unlikely((prot & PROT_WRITE) && !(prot & PROT_READ))) ++ return -EINVAL; + + return ksys_mmap_pgoff(addr, len, prot, flags, fd, + offset >> (PAGE_SHIFT - page_shift_offset)); +-- +2.35.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 4a01df9f358..5c1ff16b83c 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
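Review bot: The new `unlikely((prot & PROT_WRITE) && !(prot & PROT_READ))` turns a previously accepted write-only mapping into `-EINVAL`, which is a user-visible ABI tightening rather than a pure bug fix; for a stable backport it is worth confirming that no userspace on this series relies on write-only mappings, since such programs now fail at mmap() instead of getting whatever the hardware did before. The rejection is silent, so a regression would be hard to attribute; a rate-limited diagnostic, or at least a comment citing the spec table named in the log, e.g. `/* RISC-V priv. spec table 4.5: W without R is reserved */`, would help. riscv_sys_mmap()'s opening lines are outside the hunk.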
@@ -253,3 +253,30 @@ i40e-fix-to-stop-tx_timeout-recovery-if-globr-fails.patch fec-fix-timer-capture-timing-in-fec_ptp_enable_pps.patch igb-add-lock-to-avoid-data-race.patch gcc-plugins-undefine-latent_entropy_plugin-when-plugin-disabled-for-a-file.patch +drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch +pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch +irqchip-tegra-fix-overflow-implicit-truncation-warni.patch +usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch +usb-renesas-fix-refcount-leak-bug.patch +vboxguest-do-not-use-devm-for-irq.patch +clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch +gadgetfs-ep_io-wait-until-irq-finishes.patch +cxl-fix-a-memory-leak-in-an-error-handling-path.patch +dmaengine-sprd-cleanup-in-.remove-after-pm_runtime_g.patch +drivers-md-fix-a-potential-use-after-free-bug.patch +ext4-avoid-remove-directory-when-directory-is-corrup.patch +ext4-avoid-resizing-to-a-partial-cluster-size.patch +lib-list_debug.c-detect-uninitialized-lists.patch +tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch +vfio-clear-the-caps-buf-to-null-after-free.patch +mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch +riscv-mmap-with-prot_write-but-no-prot_read-is-inval.patch +risc-v-add-fast-call-path-of-crash_kexec.patch +watchdog-export-lockup_detector_reconfigure.patch +alsa-core-add-async-signal-helpers.patch +alsa-timer-use-deferred-fasync-helper.patch +f2fs-fix-to-avoid-use-f2fs_bug_on-in-f2fs_new_node_p.patch +smb3-check-xattr-value-length-earlier.patch +powerpc-64-init-jump-labels-before-parse_early_param.patch +video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch +mips-tlbex-explicitly-compare-_page_no_exec-against-.patch diff --git a/queue-4.19/smb3-check-xattr-value-length-earlier.patch b/queue-4.19/smb3-check-xattr-value-length-earlier.patch new file mode 100644 index 00000000000..3968207427e --- /dev/null +++ b/queue-4.19/smb3-check-xattr-value-length-earlier.patch 
@@ -0,0 +1,51 @@ +From 99188900bd19620dadf35a663ed5a61e7210efd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 11:43:44 -0500 +Subject: smb3: check xattr value length earlier + +From: Steve French + +[ Upstream commit 5fa2cffba0b82336a2244d941322eb1627ff787b ] + +Coverity complains about assigning a pointer based on +value length before checking that value length goes +beyond the end of the SMB. Although this is even more +unlikely as value length is a single byte, and the +pointer is not dereferenced until laterm, it is clearer +to check the lengths first. + +Addresses-Coverity: 1467704 ("Speculative execution data leak") +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2ops.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index cc34a28aecbc..f906984eb25b 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -762,9 +762,7 @@ move_smb2_ea_to_cifs(char *dst, size_t dst_size, + size_t name_len, value_len, user_name_len; + + while (src_size > 0) { +- name = &src->ea_data[0]; + name_len = (size_t)src->ea_name_length; +- value = &src->ea_data[src->ea_name_length + 1]; + value_len = (size_t)le16_to_cpu(src->ea_value_length); + + if (name_len == 0) { +@@ -777,6 +775,9 @@ move_smb2_ea_to_cifs(char *dst, size_t dst_size, + goto out; + } + ++ name = &src->ea_data[0]; ++ value = &src->ea_data[src->ea_name_length + 1]; ++ + if (ea_name) { + if (ea_name_len == name_len && + memcmp(ea_name, name, name_len) == 0) { +-- +2.35.1 + diff --git a/queue-4.19/tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch b/queue-4.19/tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch new file mode 100644 index 00000000000..c27389bb921 --- /dev/null +++ b/queue-4.19/tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch 
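Review bot: Deferring the `name`/`value` pointer computation until after the length checks is the right shape, but the check that `name_len + 1 + value_len` fits within `src_size` is not visible in this hunk (presumably it is in the elided lines between `if (name_len == 0)` and `goto out;`), so a reader of the new code cannot see locally that `&src->ea_data[src->ea_name_length + 1]` is in bounds. A comment at the new assignments, e.g. `/* lengths validated against src_size above; derive pointers only now */`, ties the two together. The enclosing move_smb2_ea_to_cifs() begins outside the hunk.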
@@ -0,0 +1,38 @@ +From 1e2dfc0180f46ccb5c99335c189433642aba3ca6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Jun 2022 14:08:50 +0800 +Subject: tty: serial: Fix refcount leak bug in ucc_uart.c + +From: Liang He + +[ Upstream commit d24d7bb2cd947676f9b71fb944d045e09b8b282f ] + +In soc_info(), of_find_node_by_type() will return a node pointer +with refcount incremented. We should use of_node_put() when it is +not used anymore. + +Acked-by: Timur Tabi +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220618060850.4058525-1-windhl@126.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/ucc_uart.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/serial/ucc_uart.c b/drivers/tty/serial/ucc_uart.c +index 2b6376e6e5ad..eb0d3f55235a 100644 +--- a/drivers/tty/serial/ucc_uart.c ++++ b/drivers/tty/serial/ucc_uart.c +@@ -1141,6 +1141,8 @@ static unsigned int soc_info(unsigned int *rev_h, unsigned int *rev_l) + /* No compatible property, so try the name. */ + soc_string = np->name; + ++ of_node_put(np); ++ + /* Extract the SOC number from the "PowerPC," string */ + if ((sscanf(soc_string, "PowerPC,%u", &soc) != 1) || !soc) + return 0; +-- +2.35.1 + diff --git a/queue-4.19/usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch b/queue-4.19/usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch new file mode 100644 index 00000000000..d7eb47a43ef --- /dev/null +++ b/queue-4.19/usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch 
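Review bot: The added `of_node_put(np);` comes before `sscanf(soc_string, "PowerPC,%u", &soc)`, yet `soc_string` was set from `np->name` on the context line above (and, per the comment, from the node's compatible property on the other path), so the string is read after the reference on its owning node has been released. Moving the put after the sscanf, or extracting the number before it, keeps the lifetime honest; for a flattened device tree the node will not actually be freed, but releasing first defeats the purpose of the refcount the patch is adding. soc_info() starts outside the hunk.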
@@ -0,0 +1,37 @@ +From 5ecfca3829b5b3f2013bd191dcf33233a2221c9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jun 2022 11:46:37 +0800 +Subject: usb: host: ohci-ppc-of: Fix refcount leak bug + +From: Liang He + +[ Upstream commit 40a959d7042bb7711e404ad2318b30e9f92c6b9b ] + +In ohci_hcd_ppc_of_probe(), of_find_compatible_node() will return +a node pointer with refcount incremented. We should use of_node_put() +when it is not used anymore. + +Acked-by: Alan Stern +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220617034637.4003115-1-windhl@126.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ohci-ppc-of.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/host/ohci-ppc-of.c b/drivers/usb/host/ohci-ppc-of.c +index 76a9b40b08f1..96c5c7655283 100644 +--- a/drivers/usb/host/ohci-ppc-of.c ++++ b/drivers/usb/host/ohci-ppc-of.c +@@ -169,6 +169,7 @@ static int ohci_hcd_ppc_of_probe(struct platform_device *op) + release_mem_region(res.start, 0x4); + } else + pr_debug("%s: cannot get ehci offset from fdt\n", __FILE__); ++ of_node_put(np); + } + + irq_dispose_mapping(irq); +-- +2.35.1 + diff --git a/queue-4.19/usb-renesas-fix-refcount-leak-bug.patch b/queue-4.19/usb-renesas-fix-refcount-leak-bug.patch new file mode 100644 index 00000000000..a89835cee4b --- /dev/null +++ b/queue-4.19/usb-renesas-fix-refcount-leak-bug.patch 
@@ -0,0 +1,39 @@ +From 5425ca7a7ef2574174d2c23b9939d986b4259cf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Jun 2022 10:32:05 +0800 +Subject: usb: renesas: Fix refcount leak bug + +From: Liang He + +[ Upstream commit 9d6d5303c39b8bc182475b22f45504106a07f086 ] + +In usbhs_rza1_hardware_init(), of_find_node_by_name() will return +a node pointer with refcount incremented. We should use of_node_put() +when it is not used anymore. + +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220618023205.4056548-1-windhl@126.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/renesas_usbhs/rza.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/renesas_usbhs/rza.c b/drivers/usb/renesas_usbhs/rza.c +index 5b287257ec11..04eeaf6a028a 100644 +--- a/drivers/usb/renesas_usbhs/rza.c ++++ b/drivers/usb/renesas_usbhs/rza.c +@@ -23,6 +23,10 @@ static int usbhs_rza1_hardware_init(struct platform_device *pdev) + extal_clk = of_find_node_by_name(NULL, "extal"); + of_property_read_u32(usb_x1_clk, "clock-frequency", &freq_usb); + of_property_read_u32(extal_clk, "clock-frequency", &freq_extal); ++ ++ of_node_put(usb_x1_clk); ++ of_node_put(extal_clk); ++ + if (freq_usb == 0) { + if (freq_extal == 12000000) { + /* Select 12MHz XTAL */ +-- +2.35.1 + diff --git a/queue-4.19/vboxguest-do-not-use-devm-for-irq.patch b/queue-4.19/vboxguest-do-not-use-devm-for-irq.patch new file mode 100644 index 00000000000..ade0987fe71 --- /dev/null +++ b/queue-4.19/vboxguest-do-not-use-devm-for-irq.patch 
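Review bot: The two `of_node_put()` calls are correctly placed after the last use of the nodes, but the surrounding context shows both `of_property_read_u32()` return values being ignored, and `of_find_node_by_name(NULL, "extal")` may return NULL, in which case `freq_extal` keeps whatever it was initialised to (its declaration is outside the hunk). If the variables start uninitialised, the `if (freq_usb == 0)` / `freq_extal == 12000000` branching below runs on indeterminate values; initialising them at declaration or checking the read results closes that. usbhs_rza1_hardware_init() begins outside the hunk.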
@@ -0,0 +1,81 @@ +From 82396fafb8594c5174cde84f2afb4a486f4d28bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jun 2022 14:37:44 +0100 +Subject: vboxguest: Do not use devm for irq + +From: Pascal Terjan + +[ Upstream commit 6169525b76764acb81918aa387ac168fb9a55575 ] + +When relying on devm it doesn't get freed early enough which causes the +following warning when unloading the module: + +[249348.837181] remove_proc_entry: removing non-empty directory 'irq/20', leaking at least 'vboxguest' +[249348.837219] WARNING: CPU: 0 PID: 6708 at fs/proc/generic.c:715 remove_proc_entry+0x119/0x140 + +[249348.837379] Call Trace: +[249348.837385] unregister_irq_proc+0xbd/0xe0 +[249348.837392] free_desc+0x23/0x60 +[249348.837396] irq_free_descs+0x4a/0x70 +[249348.837401] irq_domain_free_irqs+0x160/0x1a0 +[249348.837452] mp_unmap_irq+0x5c/0x60 +[249348.837458] acpi_unregister_gsi_ioapic+0x29/0x40 +[249348.837463] acpi_unregister_gsi+0x17/0x30 +[249348.837467] acpi_pci_irq_disable+0xbf/0xe0 +[249348.837473] pcibios_disable_device+0x20/0x30 +[249348.837478] pci_disable_device+0xef/0x120 +[249348.837482] vbg_pci_remove+0x6c/0x70 [vboxguest] + +Reviewed-by: Hans de Goede +Signed-off-by: Pascal Terjan +Link: https://lore.kernel.org/r/20220612133744.4030602-1-pterjan@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/virt/vboxguest/vboxguest_linux.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c +index 94e055ee7ad6..aa65b20883ef 100644 +--- a/drivers/virt/vboxguest/vboxguest_linux.c ++++ b/drivers/virt/vboxguest/vboxguest_linux.c +@@ -341,8 +341,8 @@ static int vbg_pci_probe(struct pci_dev *pci, const struct pci_device_id *id) + goto err_vbg_core_exit; + } + +- ret = devm_request_irq(dev, pci->irq, vbg_core_isr, IRQF_SHARED, +- DEVICE_NAME, gdev); ++ ret = request_irq(pci->irq, vbg_core_isr, IRQF_SHARED, DEVICE_NAME, ++ 
gdev); + if (ret) { + vbg_err("vboxguest: Error requesting irq: %d\n", ret); + goto err_vbg_core_exit; +@@ -352,7 +352,7 @@ static int vbg_pci_probe(struct pci_dev *pci, const struct pci_device_id *id) + if (ret) { + vbg_err("vboxguest: Error misc_register %s failed: %d\n", + DEVICE_NAME, ret); +- goto err_vbg_core_exit; ++ goto err_free_irq; + } + + ret = misc_register(&gdev->misc_device_user); +@@ -388,6 +388,8 @@ static int vbg_pci_probe(struct pci_dev *pci, const struct pci_device_id *id) + misc_deregister(&gdev->misc_device_user); + err_unregister_misc_device: + misc_deregister(&gdev->misc_device); ++err_free_irq: ++ free_irq(pci->irq, gdev); + err_vbg_core_exit: + vbg_core_exit(gdev); + err_disable_pcidev: +@@ -404,6 +406,7 @@ static void vbg_pci_remove(struct pci_dev *pci) + vbg_gdev = NULL; + mutex_unlock(&vbg_gdev_mutex); + ++ free_irq(pci->irq, gdev); + device_remove_file(gdev->dev, &dev_attr_host_features); + device_remove_file(gdev->dev, &dev_attr_host_version); + misc_deregister(&gdev->misc_device_user); +-- +2.35.1 + diff --git a/queue-4.19/vfio-clear-the-caps-buf-to-null-after-free.patch b/queue-4.19/vfio-clear-the-caps-buf-to-null-after-free.patch new file mode 100644 index 00000000000..118c957ce45 --- /dev/null +++ b/queue-4.19/vfio-clear-the-caps-buf-to-null-after-free.patch 
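Review bot: In vbg_pci_remove() the new `free_irq(pci->irq, gdev);` runs before the two `misc_deregister()` calls, whereas the devm-managed release it replaces happened after remove() returned, so there is now a window in which the character devices are still reachable from userspace but the interrupt is gone. If any ioctl path waits for an event the ISR delivers, it should be confirmed that vbg_core_exit() or the deregistration wakes such waiters; otherwise moving the free_irq() below the misc_deregister() calls restores the previous ordering. The probe error path ordering (`err_free_irq` ahead of `err_vbg_core_exit`) is correct.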
@@ -0,0 +1,38 @@ +From 1daa62bba80ec9c72bdb2f2eeb621d04af97edd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jun 2022 10:29:48 +0800 +Subject: vfio: Clear the caps->buf to NULL after free + +From: Schspa Shi + +[ Upstream commit 6641085e8d7b3f061911517f79a2a15a0a21b97b ] + +On buffer resize failure, vfio_info_cap_add() will free the buffer, +report zero for the size, and return -ENOMEM. As additional +hardening, also clear the buffer pointer to prevent any chance of a +double free. + +Signed-off-by: Schspa Shi +Reviewed-by: Cornelia Huck +Link: https://lore.kernel.org/r/20220629022948.55608-1-schspa@gmail.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c +index 7a386fb30bf1..0d146b45e0b4 100644 +--- a/drivers/vfio/vfio.c ++++ b/drivers/vfio/vfio.c +@@ -1808,6 +1808,7 @@ struct vfio_info_cap_header *vfio_info_cap_add(struct vfio_info_cap *caps, + buf = krealloc(caps->buf, caps->size + size, GFP_KERNEL); + if (!buf) { + kfree(caps->buf); ++ caps->buf = NULL; + caps->size = 0; + return ERR_PTR(-ENOMEM); + } +-- +2.35.1 + diff --git a/queue-4.19/video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch b/queue-4.19/video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch new file mode 100644 index 00000000000..8bd8482df02 --- /dev/null +++ b/queue-4.19/video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch 
@@ -0,0 +1,67 @@ +From 6a04c9620ffc1e8ab23c9e12caf7d237497986fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 17:24:19 +0800 +Subject: video: fbdev: i740fb: Check the argument of i740_calc_vclk() + +From: Zheyu Ma + +[ Upstream commit 40bf722f8064f50200b8c4f8946cd625b441dda9 ] + +Since the user can control the arguments of the ioctl() from the user +space, under special arguments that may result in a divide-by-zero bug. + +If the user provides an improper 'pixclock' value that makes the argumet +of i740_calc_vclk() less than 'I740_RFREQ_FIX', it will cause a +divide-by-zero bug in: + drivers/video/fbdev/i740fb.c:353 p_best = min(15, ilog2(I740_MAX_VCO_FREQ / (freq / I740_RFREQ_FIX))); + +The following log can reveal it: + +divide error: 0000 [#1] PREEMPT SMP KASAN PTI +RIP: 0010:i740_calc_vclk drivers/video/fbdev/i740fb.c:353 [inline] +RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:646 [inline] +RIP: 0010:i740fb_set_par+0x163f/0x3b70 drivers/video/fbdev/i740fb.c:742 +Call Trace: + fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034 + do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 + fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189 + +Fix this by checking the argument of i740_calc_vclk() first. 
+ +Signed-off-by: Zheyu Ma +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/i740fb.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c +index f6d7b04d6dff..bdbafff4529f 100644 +--- a/drivers/video/fbdev/i740fb.c ++++ b/drivers/video/fbdev/i740fb.c +@@ -399,7 +399,7 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var, + u32 xres, right, hslen, left, xtotal; + u32 yres, lower, vslen, upper, ytotal; + u32 vxres, xoffset, vyres, yoffset; +- u32 bpp, base, dacspeed24, mem; ++ u32 bpp, base, dacspeed24, mem, freq; + u8 r7; + int i; + +@@ -642,7 +642,12 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var, + par->atc[VGA_ATC_OVERSCAN] = 0; + + /* Calculate VCLK that most closely matches the requested dot clock */ +- i740_calc_vclk((((u32)1e9) / var->pixclock) * (u32)(1e3), par); ++ freq = (((u32)1e9) / var->pixclock) * (u32)(1e3); ++ if (freq < I740_RFREQ_FIX) { ++ fb_dbg(info, "invalid pixclock\n"); ++ freq = I740_RFREQ_FIX; ++ } ++ i740_calc_vclk(freq, par); + + /* Since we program the clocks ourselves, always use VCLK2. */ + par->misc |= 0x0C; +-- +2.35.1 + diff --git a/queue-4.19/watchdog-export-lockup_detector_reconfigure.patch b/queue-4.19/watchdog-export-lockup_detector_reconfigure.patch new file mode 100644 index 00000000000..3f043213b63 --- /dev/null +++ b/queue-4.19/watchdog-export-lockup_detector_reconfigure.patch 
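Review bot: The new `freq < I740_RFREQ_FIX` guard runs after `freq = (((u32)1e9) / var->pixclock) * (u32)(1e3)`, so a `pixclock` of 0 — reachable through the same ioctl path the log describes — still divides by zero on that line unless it is rejected earlier in i740fb_decode_var(), whose beginning is outside the hunk. A check such as `if (!var->pixclock) return -EINVAL;` ahead of the division closes that case. The clamp also silently substitutes I740_RFREQ_FIX under fb_dbg() rather than rejecting the mode; if the rest of the function rejects invalid modes with -EINVAL, returning that here would be more consistent, though either is defensible.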
@@ -0,0 +1,115 @@ +From 2f02597d9d0c9f848f1680a7ea40ad5387889368 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jul 2022 17:47:27 +0200 +Subject: watchdog: export lockup_detector_reconfigure + +From: Laurent Dufour + +[ Upstream commit 7c56a8733d0a2a4be2438a7512566e5ce552fccf ] + +In some circumstances it may be interesting to reconfigure the watchdog +from inside the kernel. + +On PowerPC, this may helpful before and after a LPAR migration (LPM) is +initiated, because it implies some latencies, watchdog, and especially NMI +watchdog is expected to be triggered during this operation. Reconfiguring +the watchdog with a factor, would prevent it to happen too frequently +during LPM. + +Rename lockup_detector_reconfigure() as __lockup_detector_reconfigure() and +create a new function lockup_detector_reconfigure() calling +__lockup_detector_reconfigure() under the protection of watchdog_mutex. + +Signed-off-by: Laurent Dufour +[mpe: Squash in build fix from Laurent, reported by Sachin] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220713154729.80789-3-ldufour@linux.ibm.com +Signed-off-by: Sasha Levin +--- + include/linux/nmi.h | 2 ++ + kernel/watchdog.c | 21 ++++++++++++++++----- + 2 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/include/linux/nmi.h b/include/linux/nmi.h +index 9003e29cde46..e972d1ae1ee6 100644 +--- a/include/linux/nmi.h ++++ b/include/linux/nmi.h +@@ -122,6 +122,8 @@ int watchdog_nmi_probe(void); + int watchdog_nmi_enable(unsigned int cpu); + void watchdog_nmi_disable(unsigned int cpu); + ++void lockup_detector_reconfigure(void); ++ + /** + * touch_nmi_watchdog - restart NMI watchdog timeout. 
+ * +diff --git a/kernel/watchdog.c b/kernel/watchdog.c +index 6d60701dc636..44096c4f4d60 100644 +--- a/kernel/watchdog.c ++++ b/kernel/watchdog.c +@@ -561,7 +561,7 @@ int lockup_detector_offline_cpu(unsigned int cpu) + return 0; + } + +-static void lockup_detector_reconfigure(void) ++static void __lockup_detector_reconfigure(void) + { + cpus_read_lock(); + watchdog_nmi_stop(); +@@ -581,6 +581,13 @@ static void lockup_detector_reconfigure(void) + __lockup_detector_cleanup(); + } + ++void lockup_detector_reconfigure(void) ++{ ++ mutex_lock(&watchdog_mutex); ++ __lockup_detector_reconfigure(); ++ mutex_unlock(&watchdog_mutex); ++} ++ + /* + * Create the watchdog thread infrastructure and configure the detector(s). + * +@@ -601,13 +608,13 @@ static __init void lockup_detector_setup(void) + return; + + mutex_lock(&watchdog_mutex); +- lockup_detector_reconfigure(); ++ __lockup_detector_reconfigure(); + softlockup_initialized = true; + mutex_unlock(&watchdog_mutex); + } + + #else /* CONFIG_SOFTLOCKUP_DETECTOR */ +-static void lockup_detector_reconfigure(void) ++static void __lockup_detector_reconfigure(void) + { + cpus_read_lock(); + watchdog_nmi_stop(); +@@ -615,9 +622,13 @@ static void lockup_detector_reconfigure(void) + watchdog_nmi_start(); + cpus_read_unlock(); + } ++void lockup_detector_reconfigure(void) ++{ ++ __lockup_detector_reconfigure(); ++} + static inline void lockup_detector_setup(void) + { +- lockup_detector_reconfigure(); ++ __lockup_detector_reconfigure(); + } + #endif /* !CONFIG_SOFTLOCKUP_DETECTOR */ + +@@ -657,7 +668,7 @@ static void proc_watchdog_update(void) + { + /* Remove impossible cpus to keep sysctl output clean. */ + cpumask_and(&watchdog_cpumask, &watchdog_cpumask, cpu_possible_mask); +- lockup_detector_reconfigure(); ++ __lockup_detector_reconfigure(); + } + + /* +-- +2.35.1 +
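Review bot: The new public `lockup_detector_reconfigure()` has no kernel-doc on its declaration in include/linux/nmi.h, and its two definitions differ: the CONFIG_SOFTLOCKUP_DETECTOR variant wraps `__lockup_detector_reconfigure()` in `watchdog_mutex`, while the `#else` variant calls it unlocked. If the mutex is unavailable in that configuration that explains it, but a comment on the unlocked variant such as `/* no watchdog_mutex here: nothing else reconfigures in this build */` (or taking the mutex where it exists) would stop the next reader from treating the asymmetry as an oversight. The declaration's kernel-doc should also say the call may sleep, since the visible body takes a mutex and cpus_read_lock(). The first hunk in kernel/watchdog.c ends inside __lockup_detector_reconfigure(), whose body continues outside it.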