From: Greg Kroah-Hartman Date: Thu, 25 Aug 2022 12:01:59 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.10.140~48 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=250f6cbb355f1129de2f0b64db8b539c62549216;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: revert-selftests-bpf-fix-dubious-pointer-arithmetic-test.patch revert-selftests-bpf-fix-test_align-verifier-log-patterns.patch usb-cdns3-fix-issue-for-clear-halt-endpoint.patch --- diff --git a/queue-5.4/revert-selftests-bpf-fix-dubious-pointer-arithmetic-test.patch b/queue-5.4/revert-selftests-bpf-fix-dubious-pointer-arithmetic-test.patch new file mode 100644 index 00000000000..7c2b33fc2c4 --- /dev/null +++ b/queue-5.4/revert-selftests-bpf-fix-dubious-pointer-arithmetic-test.patch @@ -0,0 +1,45 @@ +From foo@baz Thu Aug 25 01:57:26 PM CEST 2022 +From: Jean-Philippe Brucker +Date: Wed, 24 Aug 2022 15:43:27 +0100 +Subject: Revert "selftests/bpf: Fix "dubious pointer arithmetic" test" +To: stable@vger.kernel.org +Cc: gregkh@linuxfoundation.org, raajeshdasari@gmail.com, ovidiu.panait@windriver.com, Jean-Philippe Brucker +Message-ID: <20220824144327.277365-2-jean-philippe@linaro.org> + +From: Jean-Philippe Brucker + +This reverts commit 6098562ed9df1babcc0ba5b89c4fb47715ba3f72. +It shouldn't be in v5.4 because the commit it fixes is only present in +v5.9 onward. + +Signed-off-by: Jean-Philippe Brucker +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/test_align.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/bpf/test_align.c ++++ b/tools/testing/selftests/bpf/test_align.c +@@ -475,10 +475,10 @@ static struct bpf_align_test tests[] = { + */ + {7, "R5_w=inv(id=0,smin_value=-9223372036854775806,smax_value=9223372036854775806,umin_value=2,umax_value=18446744073709551614,var_off=(0x2; 0xfffffffffffffffc)"}, + /* Checked s>=0 */ +- {9, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"}, ++ {9, "R5=inv(id=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, + /* packet pointer + nonnegative (4n+2) */ +- {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"}, +- {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"}, ++ {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, ++ {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, + /* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine. + * We checked the bounds, but it might have been able + * to overflow if the packet pointer started in the +@@ -486,7 +486,7 @@ static struct bpf_align_test tests[] = { + * So we did not get a 'range' on R6, and the access + * attempt will fail. + */ +- {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"}, ++ {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, + } + }, + { diff --git a/queue-5.4/revert-selftests-bpf-fix-test_align-verifier-log-patterns.patch b/queue-5.4/revert-selftests-bpf-fix-test_align-verifier-log-patterns.patch new file mode 100644 index 00000000000..55d14358303 --- /dev/null +++ b/queue-5.4/revert-selftests-bpf-fix-test_align-verifier-log-patterns.patch @@ -0,0 +1,68 @@ +From foo@baz Thu Aug 25 01:57:26 PM CEST 2022 +From: Jean-Philippe Brucker +Date: Wed, 24 Aug 2022 15:43:28 +0100 +Subject: Revert "selftests/bpf: Fix test_align verifier log patterns" +To: stable@vger.kernel.org +Cc: gregkh@linuxfoundation.org, raajeshdasari@gmail.com, ovidiu.panait@windriver.com, Jean-Philippe Brucker +Message-ID: <20220824144327.277365-3-jean-philippe@linaro.org> + +From: Jean-Philippe Brucker + +This partially reverts commit 6a9b3f0f3bad4ca6421f8c20e1dde9839699db0f. +The upstream commit addresses multiple verifier changes, only one of +which was backported to v5.4. Therefore only keep the relevant changes +and revert the others. + +Signed-off-by: Jean-Philippe Brucker +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/test_align.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/tools/testing/selftests/bpf/test_align.c ++++ b/tools/testing/selftests/bpf/test_align.c +@@ -475,10 +475,10 @@ static struct bpf_align_test tests[] = { + */ + {7, "R5_w=inv(id=0,smin_value=-9223372036854775806,smax_value=9223372036854775806,umin_value=2,umax_value=18446744073709551614,var_off=(0x2; 0xfffffffffffffffc)"}, + /* Checked s>=0 */ +- {9, "R5=inv(id=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, ++ {9, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, + /* packet pointer + nonnegative (4n+2) */ +- {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, +- {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, ++ {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, ++ {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, + /* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine. + * We checked the bounds, but it might have been able + * to overflow if the packet pointer started in the +@@ -486,7 +486,7 @@ static struct bpf_align_test tests[] = { + * So we did not get a 'range' on R6, and the access + * attempt will fail. + */ +- {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, ++ {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, + } + }, + { +@@ -580,18 +580,18 @@ static struct bpf_align_test tests[] = { + /* Adding 14 makes R6 be (4n+2) */ + {11, "R6_w=inv(id=0,umin_value=14,umax_value=74,var_off=(0x2; 0x7c))"}, + /* Subtracting from packet pointer overflows ubounds */ +- {13, "R5_w=pkt(id=1,off=0,r=8,umin_value=18446744073709551542,umax_value=18446744073709551602,var_off=(0xffffffffffffff82; 0x7c)"}, ++ {13, "R5_w=pkt(id=1,off=0,r=8,umin_value=18446744073709551542,umax_value=18446744073709551602,var_off=(0xffffffffffffff82; 0x7c))"}, + /* New unknown value in R7 is (4n), >= 76 */ + {15, "R7_w=inv(id=0,umin_value=76,umax_value=1096,var_off=(0x0; 0x7fc))"}, + /* Adding it to packet pointer gives nice bounds again */ +- {16, "R5_w=pkt(id=2,off=0,r=0,umin_value=2,umax_value=1082,var_off=(0x2; 0xfffffffc)"}, ++ {16, "R5_w=pkt(id=2,off=0,r=0,umin_value=2,umax_value=1082,var_off=(0x2; 0x7fc))"}, + /* At the time the word size load is performed from R5, + * its total fixed offset is NET_IP_ALIGN + reg->off (0) + * which is 2. Then the variable offset is (4n+2), so + * the total offset is 4-byte aligned and meets the + * load's requirements. + */ +- {20, "R5=pkt(id=2,off=0,r=4,umin_value=2,umax_value=1082,var_off=(0x2; 0xfffffffc)"}, ++ {20, "R5=pkt(id=2,off=0,r=4,umin_value=2,umax_value=1082,var_off=(0x2; 0x7fc))"}, + }, + }, + }; diff --git a/queue-5.4/series b/queue-5.4/series index d89cfe96b71..fadc36f686c 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1,3 +1,6 @@ audit-fix-potential-double-free-on-error-path-from-fsnotify_add_inode_mark.patch parisc-fix-exception-handler-for-fldw-and-fstw-instructions.patch kernel-sys_ni-add-compat-entry-for-fadvise64_64.patch +usb-cdns3-fix-issue-for-clear-halt-endpoint.patch +revert-selftests-bpf-fix-dubious-pointer-arithmetic-test.patch +revert-selftests-bpf-fix-test_align-verifier-log-patterns.patch diff --git a/queue-5.4/usb-cdns3-fix-issue-for-clear-halt-endpoint.patch b/queue-5.4/usb-cdns3-fix-issue-for-clear-halt-endpoint.patch new file mode 100644 index 00000000000..3ce779586b6 --- /dev/null +++ b/queue-5.4/usb-cdns3-fix-issue-for-clear-halt-endpoint.patch @@ -0,0 +1,58 @@ +From b3fa25de31fb7e9afebe9599b8ff32eda13d7c94 Mon Sep 17 00:00:00 2001 +From: Pawel Laszczak +Date: Tue, 29 Mar 2022 10:46:05 +0200 +Subject: usb: cdns3: Fix issue for clear halt endpoint + +From: Pawel Laszczak + +commit b3fa25de31fb7e9afebe9599b8ff32eda13d7c94 upstream. + +Path fixes bug which occurs during resetting endpoint in +__cdns3_gadget_ep_clear_halt function. During resetting endpoint +controller will change HW/DMA owned TRB. It set Abort flag in +trb->control and will change trb->length field. If driver want +to use the aborted trb it must update the changed field in +TRB. + +Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") +cc: +Acked-by: Peter Chen +Signed-off-by: Pawel Laszczak +Link: https://lore.kernel.org/r/20220329084605.4022-1-pawell@cadence.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/gadget.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/usb/cdns3/gadget.c ++++ b/drivers/usb/cdns3/gadget.c +@@ -2166,6 +2166,7 @@ int __cdns3_gadget_ep_clear_halt(struct + struct usb_request *request; + struct cdns3_request *priv_req; + struct cdns3_trb *trb = NULL; ++ struct cdns3_trb trb_tmp; + int ret; + int val; + +@@ -2175,8 +2176,10 @@ int __cdns3_gadget_ep_clear_halt(struct + if (request) { + priv_req = to_cdns3_request(request); + trb = priv_req->trb; +- if (trb) ++ if (trb) { ++ trb_tmp = *trb; + trb->control = trb->control ^ TRB_CYCLE; ++ } + } + + writel(EP_CMD_CSTALL | EP_CMD_EPRST, &priv_dev->regs->ep_cmd); +@@ -2191,7 +2194,8 @@ int __cdns3_gadget_ep_clear_halt(struct + + if (request) { + if (trb) +- trb->control = trb->control ^ TRB_CYCLE; ++ *trb = trb_tmp; ++ + cdns3_rearm_transfer(priv_ep, 1); + } +