From: Sasha Levin Date: Tue, 24 Jan 2023 11:22:00 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v5.10.166~95 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=27bb240e83f18af1d060e5652fa311f7b63a3740;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/affs-initialize-fsdata-in-affs_truncate.patch b/queue-4.19/affs-initialize-fsdata-in-affs_truncate.patch new file mode 100644 index 00000000000..33794351dad --- /dev/null +++ b/queue-4.19/affs-initialize-fsdata-in-affs_truncate.patch @@ -0,0 +1,40 @@ +From d91a34c01e692c032695ea67e97df5532fe1da73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 13:49:30 +0100 +Subject: affs: initialize fsdata in affs_truncate() + +From: Alexander Potapenko + +[ Upstream commit eef034ac6690118c88f357b00e2b3239c9d8575d ] + +When aops->write_begin() does not initialize fsdata, KMSAN may report +an error passing the latter to aops->write_end(). + +Fix this by unconditionally initializing fsdata. + +Fixes: f2b6a16eb8f5 ("fs: affs convert to new aops") +Suggested-by: Eric Biggers +Signed-off-by: Alexander Potapenko +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/affs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/affs/file.c b/fs/affs/file.c +index ba084b0b214b..82bb38370aa9 100644 +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -878,7 +878,7 @@ affs_truncate(struct inode *inode) + if (inode->i_size > AFFS_I(inode)->mmu_private) { + struct address_space *mapping = inode->i_mapping; + struct page *page; +- void *fsdata; ++ void *fsdata = NULL; + loff_t isize = inode->i_size; + int res; + +-- +2.39.0 + diff --git a/queue-4.19/amd-xgbe-delay-an-timeout-during-kr-training.patch b/queue-4.19/amd-xgbe-delay-an-timeout-during-kr-training.patch new file mode 100644 index 00000000000..d3ea881845a --- /dev/null +++ b/queue-4.19/amd-xgbe-delay-an-timeout-during-kr-training.patch @@ -0,0 +1,100 @@ +From 958847c416adda3a3cd6e18b650b0b42d3c4ef19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:58:52 +0530 +Subject: amd-xgbe: Delay AN timeout during KR training + +From: Raju Rangoju + +[ Upstream commit 926446ae24c03311a480fb96eb78f0ce7ea6d091 ] + +AN restart triggered during KR training not only aborts the KR training +process but also move the HW to unstable state. Driver has to wait upto +500ms or until the KR training is completed before restarting AN cycle. + +Fixes: 7c12aa08779c ("amd-xgbe: Move the PHY support into amd-xgbe") +Co-developed-by: Sudheesh Mavila +Signed-off-by: Sudheesh Mavila +Signed-off-by: Raju Rangoju +Acked-by: Shyam Sundar S K +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 24 +++++++++++++++++++++++ + drivers/net/ethernet/amd/xgbe/xgbe.h | 2 ++ + 2 files changed, 26 insertions(+) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +index 97167fc9bebe..7840eb4cdb8d 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -496,6 +496,7 @@ static enum xgbe_an xgbe_an73_tx_training(struct xgbe_prv_data *pdata, + reg |= XGBE_KR_TRAINING_ENABLE; + reg |= XGBE_KR_TRAINING_START; + XMDIO_WRITE(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_10GBR_PMD_CTRL, reg); ++ pdata->kr_start_time = jiffies; + + netif_dbg(pdata, link, pdata->netdev, + "KR training initiated\n"); +@@ -632,6 +633,8 @@ static enum xgbe_an xgbe_an73_incompat_link(struct xgbe_prv_data *pdata) + + xgbe_switch_mode(pdata); + ++ pdata->an_result = XGBE_AN_READY; ++ + xgbe_an_restart(pdata); + + return XGBE_AN_INCOMPAT_LINK; +@@ -1275,9 +1278,30 @@ static bool xgbe_phy_aneg_done(struct xgbe_prv_data *pdata) + static void xgbe_check_link_timeout(struct xgbe_prv_data *pdata) + { + unsigned long link_timeout; ++ unsigned long kr_time; ++ int wait; + + link_timeout = pdata->link_check + (XGBE_LINK_TIMEOUT * HZ); + if (time_after(jiffies, link_timeout)) { ++ if ((xgbe_cur_mode(pdata) == XGBE_MODE_KR) && ++ pdata->phy.autoneg == AUTONEG_ENABLE) { ++ /* AN restart should not happen while KR training is in progress. ++ * The while loop ensures no AN restart during KR training, ++ * waits up to 500ms and AN restart is triggered only if KR ++ * training is failed. ++ */ ++ wait = XGBE_KR_TRAINING_WAIT_ITER; ++ while (wait--) { ++ kr_time = pdata->kr_start_time + ++ msecs_to_jiffies(XGBE_AN_MS_TIMEOUT); ++ if (time_after(jiffies, kr_time)) ++ break; ++ /* AN restart is not required, if AN result is COMPLETE */ ++ if (pdata->an_result == XGBE_AN_COMPLETE) ++ return; ++ usleep_range(10000, 11000); ++ } ++ } + netif_dbg(pdata, link, pdata->netdev, "AN link timeout\n"); + xgbe_phy_config_aneg(pdata); + } +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h +index 0c93a552b921..729307a96c50 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h +@@ -290,6 +290,7 @@ + /* Auto-negotiation */ + #define XGBE_AN_MS_TIMEOUT 500 + #define XGBE_LINK_TIMEOUT 5 ++#define XGBE_KR_TRAINING_WAIT_ITER 50 + + #define XGBE_SGMII_AN_LINK_STATUS BIT(1) + #define XGBE_SGMII_AN_LINK_SPEED (BIT(2) | BIT(3)) +@@ -1266,6 +1267,7 @@ struct xgbe_prv_data { + unsigned int parallel_detect; + unsigned int fec_ability; + unsigned long an_start; ++ unsigned long kr_start_time; + enum xgbe_an_mode an_mode; + + /* I2C support */ +-- +2.39.0 + diff --git a/queue-4.19/amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch b/queue-4.19/amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch new file mode 100644 index 00000000000..82c87723776 --- /dev/null +++ b/queue-4.19/amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch @@ -0,0 +1,89 @@ +From 73b161a48518ec39dc32a55f38858d96509e7700 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:58:51 +0530 +Subject: amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent + +From: Raju Rangoju + +[ Upstream commit 579923d84b04abb6cd4cd1fd9974096a2dd1832b ] + +There is difference in the TX Flow Control registers (TFCR) between the +revisions of the hardware. The older revisions of hardware used to have +single register per queue. Whereas, the newer revision of hardware (from +ver 30H onwards) have one register per priority. + +Update the driver to use the TFCR based on the reported version of the +hardware. + +Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver") +Co-developed-by: Ajith Nayak +Signed-off-by: Ajith Nayak +Signed-off-by: Raju Rangoju +Acked-by: Shyam Sundar S K +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +index 4666084eda16..9d6fe5a892d9 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +@@ -524,19 +524,28 @@ static void xgbe_disable_vxlan(struct xgbe_prv_data *pdata) + netif_dbg(pdata, drv, pdata->netdev, "VXLAN acceleration disabled\n"); + } + ++static unsigned int xgbe_get_fc_queue_count(struct xgbe_prv_data *pdata) ++{ ++ unsigned int max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES; ++ ++ /* From MAC ver 30H the TFCR is per priority, instead of per queue */ ++ if (XGMAC_GET_BITS(pdata->hw_feat.version, MAC_VR, SNPSVER) >= 0x30) ++ return max_q_count; ++ else ++ return min_t(unsigned int, pdata->tx_q_count, max_q_count); ++} ++ + static int xgbe_disable_tx_flow_control(struct xgbe_prv_data *pdata) + { +- unsigned int max_q_count, q_count; + unsigned int reg, reg_val; +- unsigned int i; ++ unsigned int i, q_count; + + /* Clear MTL flow control */ + for (i = 0; i < pdata->rx_q_count; i++) + XGMAC_MTL_IOWRITE_BITS(pdata, i, MTL_Q_RQOMR, EHFC, 0); + + /* Clear MAC flow control */ +- max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES; +- q_count = min_t(unsigned int, pdata->tx_q_count, max_q_count); ++ q_count = xgbe_get_fc_queue_count(pdata); + reg = MAC_Q0TFCR; + for (i = 0; i < q_count; i++) { + reg_val = XGMAC_IOREAD(pdata, reg); +@@ -553,9 +562,8 @@ static int xgbe_enable_tx_flow_control(struct xgbe_prv_data *pdata) + { + struct ieee_pfc *pfc = pdata->pfc; + struct ieee_ets *ets = pdata->ets; +- unsigned int max_q_count, q_count; + unsigned int reg, reg_val; +- unsigned int i; ++ unsigned int i, q_count; + + /* Set MTL flow control */ + for (i = 0; i < pdata->rx_q_count; i++) { +@@ -579,8 +587,7 @@ static int xgbe_enable_tx_flow_control(struct xgbe_prv_data *pdata) + } + + /* Set MAC flow control */ +- max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES; +- q_count = min_t(unsigned int, pdata->tx_q_count, max_q_count); ++ q_count = xgbe_get_fc_queue_count(pdata); + reg = MAC_Q0TFCR; + for (i = 0; i < q_count; i++) { + reg_val = XGMAC_IOREAD(pdata, reg); +-- +2.39.0 + diff --git a/queue-4.19/arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch b/queue-4.19/arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch new file mode 100644 index 00000000000..03cfc7732dc --- /dev/null +++ b/queue-4.19/arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch @@ -0,0 +1,48 @@ +From 59a0aac7acd572075d5d81fa3d0ef5e40f864b9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 17:22:59 -0300 +Subject: ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' + +From: Fabio Estevam + +[ Upstream commit 9dfbc72256b5de608ad10989bcbafdbbd1ac8d4e ] + +The following build warning is seen when running: + +make dtbs_check DT_SCHEMA_FILES=fsl-imx-uart.yaml + +arch/arm/boot/dts/imx6dl-gw560x.dtb: serial@2020000: rts-gpios: False schema does not allow [[20, 1, 0]] + From schema: Documentation/devicetree/bindings/serial/fsl-imx-uart.yaml + +The imx6qdl-gw560x board does not expose the UART RTS and CTS +as native UART pins, so 'uart-has-rtscts' should not be used. + +Using 'uart-has-rtscts' with 'rts-gpios' is an invalid combination +detected by serial.yaml. + +Fix the problem by removing the incorrect 'uart-has-rtscts' property. + +Fixes: b8a559feffb2 ("ARM: dts: imx: add Gateworks Ventana GW5600 support") +Signed-off-by: Fabio Estevam +Acked-by: Tim Harvey +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qdl-gw560x.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6qdl-gw560x.dtsi b/arch/arm/boot/dts/imx6qdl-gw560x.dtsi +index b5986efe1090..143d249b821e 100644 +--- a/arch/arm/boot/dts/imx6qdl-gw560x.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-gw560x.dtsi +@@ -463,7 +463,6 @@ &ssi1 { + &uart1 { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_uart1>; +- uart-has-rtscts; + rts-gpios = <&gpio7 1 GPIO_ACTIVE_HIGH>; + status = "okay"; + }; +-- +2.39.0 + diff --git a/queue-4.19/bpf-fix-pointer-leak-due-to-insufficient-speculative.patch b/queue-4.19/bpf-fix-pointer-leak-due-to-insufficient-speculative.patch new file mode 100644 index 00000000000..4462193d112 --- /dev/null +++ b/queue-4.19/bpf-fix-pointer-leak-due-to-insufficient-speculative.patch @@ -0,0 +1,109 @@ +From 28384516c9fa201309db5c2f6c7eb136fc8d21e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 16:05:46 +0100 +Subject: bpf: Fix pointer-leak due to insufficient speculative store bypass + mitigation + +From: Luis Gerhorst + +[ Upstream commit e4f4db47794c9f474b184ee1418f42e6a07412b6 ] + +To mitigate Spectre v4, 2039f26f3aca ("bpf: Fix leakage due to +insufficient speculative store bypass mitigation") inserts lfence +instructions after 1) initializing a stack slot and 2) spilling a +pointer to the stack. + +However, this does not cover cases where a stack slot is first +initialized with a pointer (subject to sanitization) but then +overwritten with a scalar (not subject to sanitization because +the slot was already initialized). In this case, the second write +may be subject to speculative store bypass (SSB) creating a +speculative pointer-as-scalar type confusion. This allows the +program to subsequently leak the numerical pointer value using, +for example, a branch-based cache side channel. + +To fix this, also sanitize scalars if they write a stack slot +that previously contained a pointer. Assuming that pointer-spills +are only generated by LLVM on register-pressure, the performance +impact on most real-world BPF programs should be small. + +The following unprivileged BPF bytecode drafts a minimal exploit +and the mitigation: + + [...] + // r6 = 0 or 1 (skalar, unknown user input) + // r7 = accessible ptr for side channel + // r10 = frame pointer (fp), to be leaked + // + r9 = r10 # fp alias to encourage ssb + *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked + // lfence added here because of pointer spill to stack. + // + // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor + // for no r9-r10 dependency. + // + *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr + // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID, + // store may be subject to SSB + // + // fix: also add an lfence when the slot contained a ptr + // + r8 = *(u64 *)(r9 - 8) + // r8 = architecturally a scalar, speculatively a ptr + // + // leak ptr using branch-based cache side channel: + r8 &= 1 // choose bit to leak + if r8 == 0 goto SLOW // no mispredict + // architecturally dead code if input r6 is 0, + // only executes speculatively iff ptr bit is 1 + r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast) +SLOW: + [...] + +After running this, the program can time the access to *(r7 + 0) to +determine whether the chosen pointer bit was 0 or 1. Repeat this 64 +times to recover the whole address on amd64. + +In summary, sanitization can only be skipped if one scalar is +overwritten with another scalar. Scalar-confusion due to speculative +store bypass can not lead to invalid accesses because the pointer +bounds deducted during verification are enforced using branchless +logic. See 979d63d50c0c ("bpf: prevent out of bounds speculation on +pointer arithmetic") for details. + +Do not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks} +because speculative leaks are likely unexpected if these were enabled. +For example, leaking the address to a protected log file may be acceptable +while disabling the mitigation might unintentionally leak the address +into the cached-state of a map that is accessible to unprivileged +processes. + +Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation") +Signed-off-by: Luis Gerhorst +Signed-off-by: Daniel Borkmann +Acked-by: Henriette Hofmeier +Link: https://lore.kernel.org/bpf/edc95bad-aada-9cfc-ffe2-fa9bb206583c@cs.fau.de +Link: https://lore.kernel.org/bpf/20230109150544.41465-1-gerhorst@cs.fau.de +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 694ee0b1fefe..61f3a31abc1a 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1012,7 +1012,9 @@ static int check_stack_write(struct bpf_verifier_env *env, + bool sanitize = reg && is_spillable_regtype(reg->type); + + for (i = 0; i < size; i++) { +- if (state->stack[spi].slot_type[i] == STACK_INVALID) { ++ u8 type = state->stack[spi].slot_type[i]; ++ ++ if (type != STACK_MISC && type != STACK_ZERO) { + sanitize = true; + break; + } +-- +2.39.0 + diff --git a/queue-4.19/dmaengine-fix-double-increment-of-client_count-in-dm.patch b/queue-4.19/dmaengine-fix-double-increment-of-client_count-in-dm.patch new file mode 100644 index 00000000000..40e8f64ea25 --- /dev/null +++ b/queue-4.19/dmaengine-fix-double-increment-of-client_count-in-dm.patch @@ -0,0 +1,126 @@ +From f53e31935485c866f183bbaeb1820c768cfb94f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 11:00:50 +0800 +Subject: dmaengine: Fix double increment of client_count in dma_chan_get() + +From: Koba Ko + +[ Upstream commit f3dc1b3b4750851a94212dba249703dd0e50bb20 ] + +The first time dma_chan_get() is called for a channel the channel +client_count is incorrectly incremented twice for public channels, +first in balance_ref_count(), and again prior to returning. This +results in an incorrect client count which will lead to the +channel resources not being freed when they should be. A simple + test of repeated module load and unload of async_tx on a Dell + Power Edge R7425 also shows this resulting in a kref underflow + warning. + +[ 124.329662] async_tx: api initialized (async) +[ 129.000627] async_tx: api initialized (async) +[ 130.047839] ------------[ cut here ]------------ +[ 130.052472] refcount_t: underflow; use-after-free. +[ 130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28 +refcount_warn_saturate+0xba/0x110 +[ 130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr +intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm +mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si +syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops +k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat +fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul +libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas +i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash +dm_log dm_mod [last unloaded: async_tx] +[ 130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not +tainted 5.14.0-185.el9.x86_64 #1 +[ 130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS +1.18.0 01/17/2022 +[ 130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110 +[ 130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d +26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a +bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff +48 c7 +[ 130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286 +[ 130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000 +[ 130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0 +[ 130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff +[ 130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970 +[ 130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 130.198739] FS: 00007f646435c740(0000) GS:ffff9daf9de00000(0000) +knlGS:0000000000000000 +[ 130.206832] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0 +[ 130.219729] Call Trace: +[ 130.222192] +[ 130.224305] dma_chan_put+0x10d/0x110 +[ 130.227988] dmaengine_put+0x7a/0xa0 +[ 130.231575] __do_sys_delete_module.constprop.0+0x178/0x280 +[ 130.237157] ? syscall_trace_enter.constprop.0+0x145/0x1d0 +[ 130.242652] do_syscall_64+0x5c/0x90 +[ 130.246240] ? exc_page_fault+0x62/0x150 +[ 130.250178] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 130.255243] RIP: 0033:0x7f6463a3f5ab +[ 130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 +83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 +00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 +01 48 +[ 130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX: +00000000000000b0 +[ 130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab +[ 130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8 +[ 130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000 +[ 130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8 +[ 130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8 +[ 130.320875] +[ 130.323081] ---[ end trace eff7156d56b5cf25 ]--- + +cat /sys/class/dma/dma0chan*/in_use would get the wrong result. +2 +2 +2 + +Fixes: d2f4f99db3e9 ("dmaengine: Rework dma_chan_get") +Signed-off-by: Koba Ko +Reviewed-by: Jie Hai +Test-by: Jie Hai +Reviewed-by: Jerry Snitselaar +Reviewed-by: Dave Jiang +Tested-by: Joel Savitz +Link: https://lore.kernel.org/r/20221201030050.978595-1-koba.ko@canonical.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmaengine.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c +index 8a52a5efee4f..e1cf7c250c33 100644 +--- a/drivers/dma/dmaengine.c ++++ b/drivers/dma/dmaengine.c +@@ -223,7 +223,8 @@ static int dma_chan_get(struct dma_chan *chan) + /* The channel is already in use, update client count */ + if (chan->client_count) { + __module_get(owner); +- goto out; ++ chan->client_count++; ++ return 0; + } + + if (!try_module_get(owner)) +@@ -236,11 +237,11 @@ static int dma_chan_get(struct dma_chan *chan) + goto err_out; + } + ++ chan->client_count++; ++ + if (!dma_has_cap(DMA_PRIVATE, chan->device->cap_mask)) + balance_ref_count(chan); + +-out: +- chan->client_count++; + return 0; + + err_out: +-- +2.39.0 + diff --git a/queue-4.19/dmaengine-xilinx_dma-call-of_node_put-when-breaking-.patch b/queue-4.19/dmaengine-xilinx_dma-call-of_node_put-when-breaking-.patch new file mode 100644 index 00000000000..4b13b8b64ca --- /dev/null +++ b/queue-4.19/dmaengine-xilinx_dma-call-of_node_put-when-breaking-.patch @@ -0,0 +1,42 @@ +From bd44dddc441487dbab3e43cff71e9934d7eaa233 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 10:16:12 +0800 +Subject: dmaengine: xilinx_dma: call of_node_put() when breaking out of + for_each_child_of_node() + +From: Liu Shixin + +[ Upstream commit 596b53ccc36a546ab28e8897315c5b4d1d5a0200 ] + +Since for_each_child_of_node() will increase the refcount of node, we need +to call of_node_put() manually when breaking out of the iteration. + +Fixes: 9cd4360de609 ("dma: Add Xilinx AXI Video Direct Memory Access Engine driver support") +Signed-off-by: Liu Shixin +Acked-by: Peter Korsgaard +Link: https://lore.kernel.org/r/20221122021612.1908866-1-liushixin2@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index c56ce7cd1f6f..5f9945651e95 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -2759,8 +2759,10 @@ static int xilinx_dma_probe(struct platform_device *pdev) + /* Initialize the channels */ + for_each_child_of_node(node, child) { + err = xilinx_dma_child_probe(xdev, child); +- if (err < 0) ++ if (err < 0) { ++ of_node_put(child); + goto error; ++ } + } + + if (xdev->dma_config->dmatype == XDMA_TYPE_VDMA) { +-- +2.39.0 + diff --git a/queue-4.19/dmaengine-xilinx_dma-commonize-dma-copy-size-calcula.patch b/queue-4.19/dmaengine-xilinx_dma-commonize-dma-copy-size-calcula.patch new file mode 100644 index 00000000000..0e33d218a90 --- /dev/null +++ b/queue-4.19/dmaengine-xilinx_dma-commonize-dma-copy-size-calcula.patch @@ -0,0 +1,140 @@ +From 2ec73aab118bba64b359f19441f0ca5cbaa254e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Nov 2018 16:31:45 +0100 +Subject: dmaengine: xilinx_dma: commonize DMA copy size calculation + +From: Andrea Merello + +[ Upstream commit 616f0f81d857e248a72b5af45ab185196556ae2e ] + +This patch removes a bit of duplicated code by introducing a new +function that implements calculations for DMA copy size, and +prepares for changes to the copy size calculation that will +happen in following patches. + +Suggested-by: Vinod Koul +Signed-off-by: Andrea Merello +Reviewed-by: Radhey Shyam Pandey +Signed-off-by: Vinod Koul +Stable-dep-of: 596b53ccc36a ("dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node()") +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 39 ++++++++++++++++++++++++++------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index 0ba70be4ea85..e4ea94b93400 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -428,6 +428,7 @@ struct xilinx_dma_config { + * @rxs_clk: DMA s2mm stream clock + * @nr_channels: Number of channels DMA device supports + * @chan_id: DMA channel identifier ++ * @max_buffer_len: Max buffer length + */ + struct xilinx_dma_device { + void __iomem *regs; +@@ -447,6 +448,7 @@ struct xilinx_dma_device { + struct clk *rxs_clk; + u32 nr_channels; + u32 chan_id; ++ u32 max_buffer_len; + }; + + /* Macros */ +@@ -969,6 +971,25 @@ static int xilinx_dma_alloc_chan_resources(struct dma_chan *dchan) + return 0; + } + ++/** ++ * xilinx_dma_calc_copysize - Calculate the amount of data to copy ++ * @chan: Driver specific DMA channel ++ * @size: Total data that needs to be copied ++ * @done: Amount of data that has been already copied ++ * ++ * Return: Amount of data that has to be copied ++ */ ++static int xilinx_dma_calc_copysize(struct xilinx_dma_chan *chan, ++ int size, int done) ++{ ++ size_t copy; ++ ++ copy = min_t(size_t, size - done, ++ chan->xdev->max_buffer_len); ++ ++ return copy; ++} ++ + /** + * xilinx_dma_tx_status - Get DMA transaction status + * @dchan: DMA channel +@@ -1002,7 +1023,7 @@ static enum dma_status xilinx_dma_tx_status(struct dma_chan *dchan, + list_for_each_entry(segment, &desc->segments, node) { + hw = &segment->hw; + residue += (hw->control - hw->status) & +- XILINX_DMA_MAX_TRANS_LEN; ++ chan->xdev->max_buffer_len; + } + } + spin_unlock_irqrestore(&chan->lock, flags); +@@ -1262,7 +1283,7 @@ static void xilinx_cdma_start_transfer(struct xilinx_dma_chan *chan) + + /* Start the transfer */ + dma_ctrl_write(chan, XILINX_DMA_REG_BTT, +- hw->control & XILINX_DMA_MAX_TRANS_LEN); ++ hw->control & chan->xdev->max_buffer_len); + } + + list_splice_tail_init(&chan->pending_list, &chan->active_list); +@@ -1365,7 +1386,7 @@ static void xilinx_dma_start_transfer(struct xilinx_dma_chan *chan) + + /* Start the transfer */ + dma_ctrl_write(chan, XILINX_DMA_REG_BTT, +- hw->control & XILINX_DMA_MAX_TRANS_LEN); ++ hw->control & chan->xdev->max_buffer_len); + } + + list_splice_tail_init(&chan->pending_list, &chan->active_list); +@@ -1729,7 +1750,7 @@ xilinx_cdma_prep_memcpy(struct dma_chan *dchan, dma_addr_t dma_dst, + struct xilinx_cdma_tx_segment *segment; + struct xilinx_cdma_desc_hw *hw; + +- if (!len || len > XILINX_DMA_MAX_TRANS_LEN) ++ if (!len || len > chan->xdev->max_buffer_len) + return NULL; + + desc = xilinx_dma_alloc_tx_descriptor(chan); +@@ -1819,8 +1840,8 @@ static struct dma_async_tx_descriptor *xilinx_dma_prep_slave_sg( + * Calculate the maximum number of bytes to transfer, + * making sure it is less than the hw limit + */ +- copy = min_t(size_t, sg_dma_len(sg) - sg_used, +- XILINX_DMA_MAX_TRANS_LEN); ++ copy = xilinx_dma_calc_copysize(chan, sg_dma_len(sg), ++ sg_used); + hw = &segment->hw; + + /* Fill in the descriptor */ +@@ -1924,8 +1945,8 @@ static struct dma_async_tx_descriptor *xilinx_dma_prep_dma_cyclic( + * Calculate the maximum number of bytes to transfer, + * making sure it is less than the hw limit + */ +- copy = min_t(size_t, period_len - sg_used, +- XILINX_DMA_MAX_TRANS_LEN); ++ copy = xilinx_dma_calc_copysize(chan, period_len, ++ sg_used); + hw = &segment->hw; + xilinx_axidma_buf(chan, hw, buf_addr, sg_used, + period_len * i); +@@ -2645,6 +2666,8 @@ static int xilinx_dma_probe(struct platform_device *pdev) + + /* Retrieve the DMA engine properties from the device tree */ + xdev->has_sg = of_property_read_bool(node, "xlnx,include-sg"); ++ xdev->max_buffer_len = XILINX_DMA_MAX_TRANS_LEN; ++ + if (xdev->dma_config->dmatype == XDMA_TYPE_AXIDMA) + xdev->mcdma = of_property_read_bool(node, "xlnx,mcdma"); + +-- +2.39.0 + diff --git a/queue-4.19/dmaengine-xilinx_dma-fix-devm_platform_ioremap_resou.patch b/queue-4.19/dmaengine-xilinx_dma-fix-devm_platform_ioremap_resou.patch new file mode 100644 index 00000000000..018dfa8930a --- /dev/null +++ b/queue-4.19/dmaengine-xilinx_dma-fix-devm_platform_ioremap_resou.patch @@ -0,0 +1,68 @@ +From 6c1b3a6a58ef9b271d20c299201235528889b934 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Aug 2022 11:41:23 +0530 +Subject: dmaengine: xilinx_dma: Fix devm_platform_ioremap_resource error + handling + +From: Swati Agarwal + +[ Upstream commit 91df7751eb890e970afc08f50b8f0fa5ea39e03d ] + +Add missing cleanup in devm_platform_ioremap_resource(). +When probe fails remove dma channel resources and disable clocks in +accordance with the order of resources allocated . + +Signed-off-by: Swati Agarwal +Link: https://lore.kernel.org/r/20220817061125.4720-2-swati.agarwal@xilinx.com +Signed-off-by: Vinod Koul +Stable-dep-of: 596b53ccc36a ("dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node()") +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index 6687cee26843..c56ce7cd1f6f 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -2663,9 +2663,10 @@ static int xilinx_dma_probe(struct platform_device *pdev) + /* Request and map I/O memory */ + io = platform_get_resource(pdev, IORESOURCE_MEM, 0); + xdev->regs = devm_ioremap_resource(&pdev->dev, io); +- if (IS_ERR(xdev->regs)) +- return PTR_ERR(xdev->regs); +- ++ if (IS_ERR(xdev->regs)) { ++ err = PTR_ERR(xdev->regs); ++ goto disable_clks; ++ } + /* Retrieve the DMA engine properties from the device tree */ + xdev->has_sg = of_property_read_bool(node, "xlnx,include-sg"); + xdev->max_buffer_len = GENMASK(XILINX_DMA_MAX_TRANS_LEN_MAX - 1, 0); +@@ -2759,7 +2760,7 @@ static int xilinx_dma_probe(struct platform_device *pdev) + for_each_child_of_node(node, child) { + err = xilinx_dma_child_probe(xdev, child); + if (err < 0) +- goto disable_clks; ++ goto error; + } + + if (xdev->dma_config->dmatype == XDMA_TYPE_VDMA) { +@@ -2792,12 +2793,12 @@ static int xilinx_dma_probe(struct platform_device *pdev) + + return 0; + +-disable_clks: +- xdma_disable_allclks(xdev); + error: + for (i = 0; i < xdev->nr_channels; i++) + if (xdev->chan[i]) + xilinx_dma_chan_remove(xdev->chan[i]); ++disable_clks: ++ xdma_disable_allclks(xdev); + + return err; + } +-- +2.39.0 + diff --git a/queue-4.19/dmaengine-xilinx_dma-program-hardware-supported-buff.patch b/queue-4.19/dmaengine-xilinx_dma-program-hardware-supported-buff.patch new file mode 100644 index 00000000000..b02422a6609 --- /dev/null +++ b/queue-4.19/dmaengine-xilinx_dma-program-hardware-supported-buff.patch @@ -0,0 +1,81 @@ +From 54d901bb07ec4a5895b36f24c68d14b59face162 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Nov 2018 16:31:48 +0100 +Subject: dmaengine: xilinx_dma: program hardware supported buffer length + +From: Radhey Shyam Pandey + +[ Upstream commit ae809690b46a71dc56cda5b3b8884c8c41a0df15 ] + +AXI-DMA IP supports configurable (c_sg_length_width) buffer length +register width, hence read buffer length (xlnx,sg-length-width) DT +property and ensure that driver doesn't program buffer length +exceeding the supported limit. For VDMA and CDMA there is no change. + +Cc: Rob Herring +Cc: Mark Rutland +Cc: devicetree@vger.kernel.org +Signed-off-by: Radhey Shyam Pandey +Signed-off-by: Michal Simek +Signed-off-by: Andrea Merello [rebase, reword] +Signed-off-by: Vinod Koul +Stable-dep-of: 596b53ccc36a ("dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node()") +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index e4ea94b93400..6687cee26843 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -164,7 +164,9 @@ + #define XILINX_DMA_REG_BTT 0x28 + + /* AXI DMA Specific Masks/Bit fields */ +-#define XILINX_DMA_MAX_TRANS_LEN GENMASK(22, 0) ++#define XILINX_DMA_MAX_TRANS_LEN_MIN 8 ++#define XILINX_DMA_MAX_TRANS_LEN_MAX 23 ++#define XILINX_DMA_V2_MAX_TRANS_LEN_MAX 26 + #define XILINX_DMA_CR_COALESCE_MAX GENMASK(23, 16) + #define XILINX_DMA_CR_CYCLIC_BD_EN_MASK BIT(4) + #define XILINX_DMA_CR_COALESCE_SHIFT 16 +@@ -2634,7 +2636,7 @@ static int xilinx_dma_probe(struct platform_device *pdev) + struct xilinx_dma_device *xdev; + struct device_node *child, *np = pdev->dev.of_node; + struct resource *io; +- u32 num_frames, addr_width; ++ u32 num_frames, addr_width, len_width; + int i, err; + + /* Allocate and initialize the DMA engine structure */ +@@ -2666,10 +2668,24 @@ static int xilinx_dma_probe(struct platform_device *pdev) + + /* Retrieve the DMA engine properties from the device tree */ + xdev->has_sg = of_property_read_bool(node, "xlnx,include-sg"); +- xdev->max_buffer_len = XILINX_DMA_MAX_TRANS_LEN; ++ xdev->max_buffer_len = GENMASK(XILINX_DMA_MAX_TRANS_LEN_MAX - 1, 0); + +- if (xdev->dma_config->dmatype == XDMA_TYPE_AXIDMA) ++ if (xdev->dma_config->dmatype == XDMA_TYPE_AXIDMA) { + xdev->mcdma = of_property_read_bool(node, "xlnx,mcdma"); ++ if (!of_property_read_u32(node, "xlnx,sg-length-width", ++ &len_width)) { ++ if (len_width < XILINX_DMA_MAX_TRANS_LEN_MIN || ++ len_width > XILINX_DMA_V2_MAX_TRANS_LEN_MAX) { ++ dev_warn(xdev->dev, ++ "invalid xlnx,sg-length-width property value. Using default width\n"); ++ } else { ++ if (len_width > XILINX_DMA_MAX_TRANS_LEN_MAX) ++ dev_warn(xdev->dev, "Please ensure that IP supports buffer length > 23 bits\n"); ++ xdev->max_buffer_len = ++ GENMASK(len_width - 1, 0); ++ } ++ } ++ } + + if (xdev->dma_config->dmatype == XDMA_TYPE_VDMA) { + err = of_property_read_u32(node, "xlnx,num-fstores", +-- +2.39.0 + diff --git a/queue-4.19/edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch b/queue-4.19/edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch new file mode 100644 index 00000000000..3d8ba342090 --- /dev/null +++ b/queue-4.19/edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch @@ -0,0 +1,54 @@ +From 6e6dfbdac96d3782fb1ab2e2a4aa2a86393beec1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Dec 2022 09:48:24 +0400 +Subject: EDAC/highbank: Fix memory leak in highbank_mc_probe() + +From: Miaoqian Lin + +[ Upstream commit e7a293658c20a7945014570e1921bf7d25d68a36 ] + +When devres_open_group() fails, it returns -ENOMEM without freeing memory +allocated by edac_mc_alloc(). + +Call edac_mc_free() on the error handling path to avoid a memory leak. + + [ bp: Massage commit message. ] + +Fixes: a1b01edb2745 ("edac: add support for Calxeda highbank memory controller") +Signed-off-by: Miaoqian Lin +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Andre Przywara +Link: https://lore.kernel.org/r/20221229054825.1361993-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/edac/highbank_mc_edac.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/edac/highbank_mc_edac.c b/drivers/edac/highbank_mc_edac.c +index 6092e61be605..bcf41601a977 100644 +--- a/drivers/edac/highbank_mc_edac.c ++++ b/drivers/edac/highbank_mc_edac.c +@@ -185,8 +185,10 @@ static int highbank_mc_probe(struct platform_device *pdev) + drvdata = mci->pvt_info; + platform_set_drvdata(pdev, mci); + +- if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL)) +- return -ENOMEM; ++ if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL)) { ++ res = -ENOMEM; ++ goto free; ++ } + + r = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!r) { +@@ -254,6 +256,7 @@ static int highbank_mc_probe(struct platform_device *pdev) + edac_mc_del_mc(&pdev->dev); + err: + devres_release_group(&pdev->dev, NULL); ++free: + edac_mc_free(mci); + return res; + } +-- +2.39.0 + diff --git a/queue-4.19/hid-betop-check-shape-of-output-reports.patch b/queue-4.19/hid-betop-check-shape-of-output-reports.patch new file mode 100644 index 00000000000..c066a937513 --- /dev/null +++ b/queue-4.19/hid-betop-check-shape-of-output-reports.patch @@ -0,0 +1,68 @@ +From 5d51ee2a9ee156abec0b53134f3329e3a431a38c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 18:12:16 +0000 +Subject: HID: betop: check shape of output reports + +From: Pietro Borrello + +[ Upstream commit 3782c0d6edf658b71354a64d60aa7a296188fc90 ] + +betopff_init() only checks the total sum of the report counts for each +report field to be at least 4, but hid_betopff_play() expects 4 report +fields. +A device advertising an output report with one field and 4 report counts +would pass the check but crash the kernel with a NULL pointer dereference +in hid_betopff_play(). + +Fixes: 52cd7785f3cd ("HID: betop: add drivers/hid/hid-betopff.c") +Signed-off-by: Pietro Borrello +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-betopff.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c +index 9b60efe6ec44..ba386e5aa055 100644 +--- a/drivers/hid/hid-betopff.c ++++ b/drivers/hid/hid-betopff.c +@@ -63,7 +63,6 @@ static int betopff_init(struct hid_device *hid) + struct list_head *report_list = + &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev; +- int field_count = 0; + int error; + int i, j; + +@@ -89,19 +88,21 @@ static int betopff_init(struct hid_device *hid) + * ----------------------------------------- + * Do init them with default value. + */ ++ if (report->maxfield < 4) { ++ hid_err(hid, "not enough fields in the report: %d\n", ++ report->maxfield); ++ return -ENODEV; ++ } + for (i = 0; i < report->maxfield; i++) { ++ if (report->field[i]->report_count < 1) { ++ hid_err(hid, "no values in the field\n"); ++ return -ENODEV; ++ } + for (j = 0; j < report->field[i]->report_count; j++) { + report->field[i]->value[j] = 0x00; +- field_count++; + } + } + +- if (field_count < 4) { +- hid_err(hid, "not enough fields in the report: %d\n", +- field_count); +- return -ENODEV; +- } +- + betopff = kzalloc(sizeof(*betopff), GFP_KERNEL); + if (!betopff) + return -ENOMEM; +-- +2.39.0 + diff --git a/queue-4.19/hid-check-empty-report_list-in-hid_validate_values.patch b/queue-4.19/hid-check-empty-report_list-in-hid_validate_values.patch new file mode 100644 index 00000000000..b299f4649b2 --- /dev/null +++ b/queue-4.19/hid-check-empty-report_list-in-hid_validate_values.patch @@ -0,0 +1,42 @@ +From 9a49c071b7ffc44e959c01151af26e0e91e181de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jan 2023 11:11:24 +0000 +Subject: HID: check empty report_list in hid_validate_values() + +From: Pietro Borrello + +[ Upstream commit b12fece4c64857e5fab4290bf01b2e0317a88456 ] + +Add a check for empty report_list in hid_validate_values(). +The missing check causes a type confusion when issuing a list_entry() +on an empty report_list. +The problem is caused by the assumption that the device must +have valid report_list. While this will be true for all normal HID +devices, a suitably malicious device can violate the assumption. + +Fixes: 1b15d2e5b807 ("HID: core: fix validation of report id 0") +Signed-off-by: Pietro Borrello +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 62656636d30c..8cc79d0d11fb 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -980,8 +980,8 @@ struct hid_report *hid_validate_values(struct hid_device *hid, + * Validating on id 0 means we should examine the first + * report in the list. + */ +- report = list_entry( +- hid->report_enum[type].report_list.next, ++ report = list_first_entry_or_null( ++ &hid->report_enum[type].report_list, + struct hid_report, list); + } else { + report = hid->report_enum[type].report_id_hash[id]; +-- +2.39.0 + diff --git a/queue-4.19/hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch b/queue-4.19/hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch new file mode 100644 index 00000000000..76dad9f5e44 --- /dev/null +++ b/queue-4.19/hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch @@ -0,0 +1,53 @@ +From ef451e88a2ac2efb256985fce544663b06d3b824 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 21:48:23 +0800 +Subject: HID: intel_ish-hid: Add check for ishtp_dma_tx_map + +From: Jiasheng Jiang + +[ Upstream commit b3d40c3ec3dc4ad78017de6c3a38979f57aaaab8 ] + +As the kcalloc may return NULL pointer, +it should be better to check the ishtp_dma_tx_map +before use in order to avoid NULL pointer dereference. + +Fixes: 3703f53b99e4 ("HID: intel_ish-hid: ISH Transport layer") +Signed-off-by: Jiasheng Jiang +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp/dma-if.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/hid/intel-ish-hid/ishtp/dma-if.c b/drivers/hid/intel-ish-hid/ishtp/dma-if.c +index 2783f3666114..ff4419c8ed4f 100644 +--- a/drivers/hid/intel-ish-hid/ishtp/dma-if.c ++++ b/drivers/hid/intel-ish-hid/ishtp/dma-if.c +@@ -113,6 +113,11 @@ void *ishtp_cl_get_dma_send_buf(struct ishtp_device *dev, + int required_slots = (size / DMA_SLOT_SIZE) + + 1 * (size % DMA_SLOT_SIZE != 0); + ++ if (!dev->ishtp_dma_tx_map) { ++ dev_err(dev->devc, "Fail to allocate Tx map\n"); ++ return NULL; ++ } ++ + spin_lock_irqsave(&dev->ishtp_dma_tx_lock, flags); + for (i = 0; i <= (dev->ishtp_dma_num_slots - required_slots); i++) { + free = 1; +@@ -159,6 +164,11 @@ void ishtp_cl_release_dma_acked_mem(struct ishtp_device *dev, + return; + } + ++ if (!dev->ishtp_dma_tx_map) { ++ dev_err(dev->devc, "Fail to allocate Tx map\n"); ++ return; ++ } ++ + i = (msg_addr - dev->ishtp_host_dma_tx_buf) / DMA_SLOT_SIZE; + spin_lock_irqsave(&dev->ishtp_dma_tx_lock, flags); + for (j = 0; j < acked_slots; j++) { +-- +2.39.0 + diff --git a/queue-4.19/ib-hfi1-fix-expected-receive-setup-error-exit-issues.patch b/queue-4.19/ib-hfi1-fix-expected-receive-setup-error-exit-issues.patch new file mode 100644 index 00000000000..08b033d8bd6 --- /dev/null +++ b/queue-4.19/ib-hfi1-fix-expected-receive-setup-error-exit-issues.patch @@ -0,0 +1,170 @@ +From 6f13e21934fc717299413637d2d1d480e9e700b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 12:31:21 -0500 +Subject: IB/hfi1: Fix expected receive setup error exit issues + +From: Dean Luick + +[ Upstream commit e0c4a422f5246abefbf7c178ef99a1f2dc3c5f62 ] + +Fix three error exit issues in expected receive setup. +Re-arrange error exits to increase readability. + +Issues and fixes: +1. Possible missed page unpin if tidlist copyout fails and + not all pinned pages where made part of a TID. + Fix: Unpin the unused pages. + +2. Return success with unset return values tidcnt and length + when no pages were pinned. + Fix: Return -ENOSPC if no pages were pinned. + +3. Return success with unset return values tidcnt and length when + no rcvarray entries available. + Fix: Return -ENOSPC if no rcvarray entries are available. + +Fixes: 7e7a436ecb6e ("staging/hfi1: Add TID entry program function body") +Fixes: 97736f36dbeb ("IB/hfi1: Validate page aligned for a given virtual addres") +Fixes: f404ca4c7ea8 ("IB/hfi1: Refactor hfi_user_exp_rcv_setup() IOCTL") +Signed-off-by: Dean Luick +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/167328548150.1472310.1492305874804187634.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 83 ++++++++++++++--------- + 1 file changed, 50 insertions(+), 33 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +index 0a118f2963fb..dab823aac95e 100644 +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -337,15 +337,14 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + tidbuf->psets = kcalloc(uctxt->expected_count, sizeof(*tidbuf->psets), + GFP_KERNEL); + if (!tidbuf->psets) { +- kfree(tidbuf); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto fail_release_mem; + } + + pinned = pin_rcv_pages(fd, tidbuf); + if (pinned <= 0) { +- kfree(tidbuf->psets); +- kfree(tidbuf); +- return pinned; ++ ret = (pinned < 0) ? pinned : -ENOSPC; ++ goto fail_unpin; + } + + /* Find sets of physically contiguous pages */ +@@ -360,14 +359,16 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + fd->tid_used += pageset_count; + spin_unlock(&fd->tid_lock); + +- if (!pageset_count) +- goto bail; ++ if (!pageset_count) { ++ ret = -ENOSPC; ++ goto fail_unreserve; ++ } + + ngroups = pageset_count / dd->rcv_entries.group_size; + tidlist = kcalloc(pageset_count, sizeof(*tidlist), GFP_KERNEL); + if (!tidlist) { + ret = -ENOMEM; +- goto nomem; ++ goto fail_unreserve; + } + + tididx = 0; +@@ -463,44 +464,60 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + } + unlock: + mutex_unlock(&uctxt->exp_mutex); +-nomem: + hfi1_cdbg(TID, "total mapped: tidpairs:%u pages:%u (%d)", tididx, + mapped_pages, ret); ++ ++ /* fail if nothing was programmed, set error if none provided */ ++ if (tididx == 0) { ++ if (ret >= 0) ++ ret = -ENOSPC; ++ goto fail_unreserve; ++ } ++ + /* adjust reserved tid_used to actual count */ + spin_lock(&fd->tid_lock); + fd->tid_used -= pageset_count - tididx; + spin_unlock(&fd->tid_lock); +- if (tididx) { +- tinfo->tidcnt = tididx; +- tinfo->length = mapped_pages * PAGE_SIZE; + +- if (copy_to_user(u64_to_user_ptr(tinfo->tidlist), +- tidlist, sizeof(tidlist[0]) * tididx)) { +- /* +- * On failure to copy to the user level, we need to undo +- * everything done so far so we don't leak resources. +- */ +- tinfo->tidlist = (unsigned long)&tidlist; +- hfi1_user_exp_rcv_clear(fd, tinfo); +- tinfo->tidlist = 0; +- ret = -EFAULT; +- goto bail; +- } ++ /* unpin all pages not covered by a TID */ ++ unpin_rcv_pages(fd, tidbuf, NULL, mapped_pages, pinned - mapped_pages, ++ false); ++ ++ tinfo->tidcnt = tididx; ++ tinfo->length = mapped_pages * PAGE_SIZE; ++ ++ if (copy_to_user(u64_to_user_ptr(tinfo->tidlist), ++ tidlist, sizeof(tidlist[0]) * tididx)) { ++ ret = -EFAULT; ++ goto fail_unprogram; + } + +- /* +- * If not everything was mapped (due to insufficient RcvArray entries, +- * for example), unpin all unmapped pages so we can pin them nex time. +- */ +- if (mapped_pages != pinned) +- unpin_rcv_pages(fd, tidbuf, NULL, mapped_pages, +- (pinned - mapped_pages), false); +-bail: ++ kfree(tidbuf->pages); + kfree(tidbuf->psets); ++ kfree(tidbuf); + kfree(tidlist); ++ return 0; ++ ++fail_unprogram: ++ /* unprogram, unmap, and unpin all allocated TIDs */ ++ tinfo->tidlist = (unsigned long)tidlist; ++ hfi1_user_exp_rcv_clear(fd, tinfo); ++ tinfo->tidlist = 0; ++ pinned = 0; /* nothing left to unpin */ ++ pageset_count = 0; /* nothing left reserved */ ++fail_unreserve: ++ spin_lock(&fd->tid_lock); ++ fd->tid_used -= pageset_count; ++ spin_unlock(&fd->tid_lock); ++fail_unpin: ++ if (pinned > 0) ++ unpin_rcv_pages(fd, tidbuf, NULL, 0, pinned, false); ++fail_release_mem: + kfree(tidbuf->pages); ++ kfree(tidbuf->psets); + kfree(tidbuf); +- return ret > 0 ? 0 : ret; ++ kfree(tidlist); ++ return ret; + } + + int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd, +-- +2.39.0 + diff --git a/queue-4.19/ib-hfi1-reject-a-zero-length-user-expected-buffer.patch b/queue-4.19/ib-hfi1-reject-a-zero-length-user-expected-buffer.patch new file mode 100644 index 00000000000..73c056aae02 --- /dev/null +++ b/queue-4.19/ib-hfi1-reject-a-zero-length-user-expected-buffer.patch @@ -0,0 +1,39 @@ +From ec7d2512e2ccbee0219b4f67fbf6ff9b6f6df65d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 12:31:11 -0500 +Subject: IB/hfi1: Reject a zero-length user expected buffer + +From: Dean Luick + +[ Upstream commit 0a0a6e80472c98947d73c3d13bcd7d101895f55d ] + +A zero length user buffer makes no sense and the code +does not handle it correctly. Instead, reject a +zero length as invalid. + +Fixes: 97736f36dbeb ("IB/hfi1: Validate page aligned for a given virtual addres") +Signed-off-by: Dean Luick +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/167328547120.1472310.6362802432127399257.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +index 4e417ed08b09..4e0f7cd14c57 100644 +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -325,6 +325,8 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + + if (!PAGE_ALIGNED(tinfo->vaddr)) + return -EINVAL; ++ if (tinfo->length == 0) ++ return -EINVAL; + + tidbuf = kzalloc(sizeof(*tidbuf), GFP_KERNEL); + if (!tidbuf) +-- +2.39.0 + diff --git a/queue-4.19/ib-hfi1-reserve-user-expected-tids.patch b/queue-4.19/ib-hfi1-reserve-user-expected-tids.patch new file mode 100644 index 00000000000..eecb750e299 --- /dev/null +++ b/queue-4.19/ib-hfi1-reserve-user-expected-tids.patch @@ -0,0 +1,63 @@ +From cfc69fc28fb640b865f6d2ef6b84b7ace03c6898 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 12:31:16 -0500 +Subject: IB/hfi1: Reserve user expected TIDs + +From: Dean Luick + +[ Upstream commit ecf91551cdd2925ed6d9a9d99074fa5f67b90596 ] + +To avoid a race, reserve the number of user expected +TIDs before setup. + +Fixes: 7e7a436ecb6e ("staging/hfi1: Add TID entry program function body") +Signed-off-by: Dean Luick +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/167328547636.1472310.7419712824785353905.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +index 4e0f7cd14c57..0a118f2963fb 100644 +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -351,16 +351,13 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + /* Find sets of physically contiguous pages */ + tidbuf->n_psets = find_phys_blocks(tidbuf, pinned); + +- /* +- * We don't need to access this under a lock since tid_used is per +- * process and the same process cannot be in hfi1_user_exp_rcv_clear() +- * and hfi1_user_exp_rcv_setup() at the same time. +- */ ++ /* Reserve the number of expected tids to be used. */ + spin_lock(&fd->tid_lock); + if (fd->tid_used + tidbuf->n_psets > fd->tid_limit) + pageset_count = fd->tid_limit - fd->tid_used; + else + pageset_count = tidbuf->n_psets; ++ fd->tid_used += pageset_count; + spin_unlock(&fd->tid_lock); + + if (!pageset_count) +@@ -469,10 +466,11 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + nomem: + hfi1_cdbg(TID, "total mapped: tidpairs:%u pages:%u (%d)", tididx, + mapped_pages, ret); ++ /* adjust reserved tid_used to actual count */ ++ spin_lock(&fd->tid_lock); ++ fd->tid_used -= pageset_count - tididx; ++ spin_unlock(&fd->tid_lock); + if (tididx) { +- spin_lock(&fd->tid_lock); +- fd->tid_used += tididx; +- spin_unlock(&fd->tid_lock); + tinfo->tidcnt = tididx; + tinfo->length = mapped_pages * PAGE_SIZE; + +-- +2.39.0 + diff --git a/queue-4.19/memory-atmel-sdramc-fix-missing-clk_disable_unprepar.patch b/queue-4.19/memory-atmel-sdramc-fix-missing-clk_disable_unprepar.patch new file mode 100644 index 00000000000..49677e60693 --- /dev/null +++ b/queue-4.19/memory-atmel-sdramc-fix-missing-clk_disable_unprepar.patch @@ -0,0 +1,52 @@ +From da36ef1273dd9bd9a06c554e84abf12b3157b6b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 15:37:57 +0800 +Subject: memory: atmel-sdramc: Fix missing clk_disable_unprepare in + atmel_ramc_probe() + +From: Gaosheng Cui + +[ Upstream commit 340cb392a038cf70540a4cdf2e98a247c66b6df4 ] + +The clk_disable_unprepare() should be called in the error handling +of caps->has_mpddr_clk, fix it by replacing devm_clk_get and +clk_prepare_enable by devm_clk_get_enabled. + +Fixes: e81b6abebc87 ("memory: add a driver for atmel ram controllers") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221125073757.3535219-1-cuigaosheng1@huawei.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/atmel-sdramc.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/memory/atmel-sdramc.c b/drivers/memory/atmel-sdramc.c +index b418b39af180..ae2c0b3fb552 100644 +--- a/drivers/memory/atmel-sdramc.c ++++ b/drivers/memory/atmel-sdramc.c +@@ -59,19 +59,17 @@ static int atmel_ramc_probe(struct platform_device *pdev) + caps = of_device_get_match_data(&pdev->dev); + + if (caps->has_ddrck) { +- clk = devm_clk_get(&pdev->dev, "ddrck"); ++ clk = devm_clk_get_enabled(&pdev->dev, "ddrck"); + if (IS_ERR(clk)) + return PTR_ERR(clk); +- clk_prepare_enable(clk); + } + + if (caps->has_mpddr_clk) { +- clk = devm_clk_get(&pdev->dev, "mpddr"); ++ clk = devm_clk_get_enabled(&pdev->dev, "mpddr"); + if (IS_ERR(clk)) { + pr_err("AT91 RAMC: couldn't get mpddr clock\n"); + return PTR_ERR(clk); + } +- clk_prepare_enable(clk); + } + + return 0; +-- +2.39.0 + diff --git a/queue-4.19/memory-mvebu-devbus-fix-missing-clk_disable_unprepar.patch b/queue-4.19/memory-mvebu-devbus-fix-missing-clk_disable_unprepar.patch new file mode 100644 index 00000000000..fcde5a4d026 --- /dev/null +++ b/queue-4.19/memory-mvebu-devbus-fix-missing-clk_disable_unprepar.patch @@ -0,0 +1,42 @@ +From 52133d336da1b2a2fea42bd67a06a671d3be8797 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Nov 2022 12:49:11 +0800 +Subject: memory: mvebu-devbus: Fix missing clk_disable_unprepare in + mvebu_devbus_probe() + +From: Gaosheng Cui + +[ Upstream commit cb8fd6f75775165390ededea8799b60d93d9fe3e ] + +The clk_disable_unprepare() should be called in the error handling +of devbus_get_timing_params() and of_platform_populate(), fix it by +replacing devm_clk_get and clk_prepare_enable by devm_clk_get_enabled. + +Fixes: e81b6abebc87 ("memory: add a driver for atmel ram controllers") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221126044911.7226-1-cuigaosheng1@huawei.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/mvebu-devbus.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/memory/mvebu-devbus.c b/drivers/memory/mvebu-devbus.c +index 981860879d02..ddd2e50814b7 100644 +--- a/drivers/memory/mvebu-devbus.c ++++ b/drivers/memory/mvebu-devbus.c +@@ -294,10 +294,9 @@ static int mvebu_devbus_probe(struct platform_device *pdev) + if (IS_ERR(devbus->base)) + return PTR_ERR(devbus->base); + +- clk = devm_clk_get(&pdev->dev, NULL); ++ clk = devm_clk_get_enabled(&pdev->dev, NULL); + if (IS_ERR(clk)) + return PTR_ERR(clk); +- clk_prepare_enable(clk); + + /* + * Obtain clock period in picoseconds, +-- +2.39.0 + diff --git a/queue-4.19/mmc-sdhci-esdhc-imx-clear-esdhc_std_tuning_en-for-ma.patch b/queue-4.19/mmc-sdhci-esdhc-imx-clear-esdhc_std_tuning_en-for-ma.patch new file mode 100644 index 00000000000..4716c8ada35 --- /dev/null +++ b/queue-4.19/mmc-sdhci-esdhc-imx-clear-esdhc_std_tuning_en-for-ma.patch @@ -0,0 +1,47 @@ +From c90a9e41db8d4938aa668da5bddbb4e4469a2d9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Dec 2018 11:57:41 +0000 +Subject: mmc: sdhci-esdhc-imx: clear ESDHC_STD_TUNING_EN for manual tuning + method + +From: BOUGH CHEN + +[ Upstream commit a98c557e2af3e12e38dee6019a5cf210156d629e ] + +The bit ESDHC_STD_TUNING_EN may be configed by bootloader code if it +choose to use standard tuning method. So on linux side, if choose to +use manual tuning method, need to clear the bit ESDHC_STD_TUNING_EN, +remove the impact of bootloader code. + +Signed-off-by: Haibo Chen +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Stable-dep-of: 1e336aa0c025 ("mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting") +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c +index f8a4791e64f8..71ca97c696b1 100644 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -1141,6 +1141,15 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host) + << ESDHC_TUNING_STEP_SHIFT; + } + writel(tmp, host->ioaddr + ESDHC_TUNING_CTRL); ++ } else if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) { ++ /* ++ * ESDHC_STD_TUNING_EN may be configed in bootloader ++ * or ROM code, so clear this bit here to make sure ++ * the manual tuning can work. ++ */ ++ tmp = readl(host->ioaddr + ESDHC_TUNING_CTRL); ++ tmp &= ~ESDHC_STD_TUNING_EN; ++ writel(tmp, host->ioaddr + ESDHC_TUNING_CTRL); + } + } + } +-- +2.39.0 + diff --git a/queue-4.19/mmc-sdhci-esdhc-imx-clear-pending-interrupt-and-halt.patch b/queue-4.19/mmc-sdhci-esdhc-imx-clear-pending-interrupt-and-halt.patch new file mode 100644 index 00000000000..d9f2412b729 --- /dev/null +++ b/queue-4.19/mmc-sdhci-esdhc-imx-clear-pending-interrupt-and-halt.patch @@ -0,0 +1,101 @@ +From 621203bec98eef58da6ebe60418aa2fa71e2dd2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Feb 2020 16:25:54 +0800 +Subject: mmc: sdhci-esdhc-imx: clear pending interrupt and halt cqhci + +From: Haibo Chen + +[ Upstream commit 982cf37da3ee0f1e3e20d97e19f13cba79be51c7 ] + +On i.MX8MM, we are running Dual Linux OS, with 1st Linux using SD Card +as rootfs storage, 2nd Linux using eMMC as rootfs storage. We let the +the 1st linux configure power/clock for the 2nd Linux. + +When the 2nd Linux is booting into rootfs stage, we let the 1st Linux +to destroy the 2nd linux, then restart the 2nd linux, we met SDHCI dump +as following, after we clear the pending interrupt and halt CQCTL, issue +gone. + +[ 1.334594] mmc2: Got command interrupt 0x00000001 even though no command operation was in progress. +[ 1.334595] mmc2: sdhci: ============ SDHCI REGISTER DUMP =========== +[ 1.334599] mmc2: sdhci: Sys addr: 0xa05dcc00 | Version: 0x00000002 +[ 1.345538] mmc2: sdhci: Blk size: 0x00000200 | Blk cnt: 0x00000000 +[ 1.345541] mmc2: sdhci: Argument: 0x00018000 | Trn mode: 0x00000033 +[ 1.345543] mmc2: sdhci: Present: 0x01f88008 | Host ctl: 0x00000031 +[ 1.345547] mmc2: sdhci: Power: 0x00000002 | Blk gap: 0x00000080 +[ 1.357903] mmc2: sdhci: Wake-up: 0x00000008 | Clock: 0x0000003f +[ 1.357905] mmc2: sdhci: Timeout: 0x0000008f | Int stat: 0x00000000 +[ 1.357908] mmc2: sdhci: Int enab: 0x107f100b | Sig enab: 0x107f100b +[ 1.357911] mmc2: sdhci: AC12 err: 0x00000000 | Slot int: 0x00000502 +[ 1.370268] mmc2: sdhci: Caps: 0x07eb0000 | Caps_1: 0x0000b400 +[ 1.370270] mmc2: sdhci: Cmd: 0x00000d1a | Max curr: 0x00ffffff +[ 1.370273] mmc2: sdhci: Resp[0]: 0x00000b00 | Resp[1]: 0xffffffff +[ 1.370276] mmc2: sdhci: Resp[2]: 0x328f5903 | Resp[3]: 0x00d00f00 +[ 1.382132] mmc2: sdhci: Host ctl2: 0x00000000 +[ 1.382135] mmc2: sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0xa2040208 + +[ 2.060932] mmc2: Unexpected interrupt 0x00004000. +[ 2.065538] mmc2: sdhci: ============ SDHCI REGISTER DUMP =========== +[ 2.071720] mmc2: sdhci: Sys addr: 0x00000000 | Version: 0x00000002 +[ 2.077902] mmc2: sdhci: Blk size: 0x00000200 | Blk cnt: 0x00000001 +[ 2.084083] mmc2: sdhci: Argument: 0x00000000 | Trn mode: 0x00000000 +[ 2.090264] mmc2: sdhci: Present: 0x01f88009 | Host ctl: 0x00000011 +[ 2.096446] mmc2: sdhci: Power: 0x00000002 | Blk gap: 0x00000080 +[ 2.102627] mmc2: sdhci: Wake-up: 0x00000008 | Clock: 0x000010ff +[ 2.108809] mmc2: sdhci: Timeout: 0x0000008f | Int stat: 0x00004000 +[ 2.114990] mmc2: sdhci: Int enab: 0x007f1003 | Sig enab: 0x007f1003 +[ 2.121171] mmc2: sdhci: AC12 err: 0x00000000 | Slot int: 0x00000502 +[ 2.127353] mmc2: sdhci: Caps: 0x07eb0000 | Caps_1: 0x0000b400 +[ 2.133534] mmc2: sdhci: Cmd: 0x0000371a | Max curr: 0x00ffffff +[ 2.139715] mmc2: sdhci: Resp[0]: 0x00000900 | Resp[1]: 0xffffffff +[ 2.145896] mmc2: sdhci: Resp[2]: 0x328f5903 | Resp[3]: 0x00d00f00 +[ 2.152077] mmc2: sdhci: Host ctl2: 0x00000000 +[ 2.156342] mmc2: sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x00000000 + +Signed-off-by: Haibo Chen +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/1582100757-20683-6-git-send-email-haibo.chen@nxp.com +Signed-off-by: Ulf Hansson +Stable-dep-of: 1e336aa0c025 ("mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting") +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c +index 71ca97c696b1..dc0a10a5e2c3 100644 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -1092,6 +1092,7 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host) + { + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host); ++ struct cqhci_host *cq_host = host->mmc->cqe_private; + int tmp; + + if (esdhc_is_usdhc(imx_data)) { +@@ -1151,6 +1152,21 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host) + tmp &= ~ESDHC_STD_TUNING_EN; + writel(tmp, host->ioaddr + ESDHC_TUNING_CTRL); + } ++ ++ /* ++ * On i.MX8MM, we are running Dual Linux OS, with 1st Linux using SD Card ++ * as rootfs storage, 2nd Linux using eMMC as rootfs storage. We let the ++ * the 1st linux configure power/clock for the 2nd Linux. ++ * ++ * When the 2nd Linux is booting into rootfs stage, we let the 1st Linux ++ * to destroy the 2nd linux, then restart the 2nd linux, we met SDHCI dump. ++ * After we clear the pending interrupt and halt CQCTL, issue gone. ++ */ ++ if (cq_host) { ++ tmp = cqhci_readl(cq_host, CQHCI_IS); ++ cqhci_writel(cq_host, tmp, CQHCI_IS); ++ cqhci_writel(cq_host, CQHCI_HALT, CQHCI_CTL); ++ } + } + } + +-- +2.39.0 + diff --git a/queue-4.19/mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and.patch b/queue-4.19/mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and.patch new file mode 100644 index 00000000000..8a4b4db236b --- /dev/null +++ b/queue-4.19/mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and.patch @@ -0,0 +1,78 @@ +From 730ae5e3c6d1397618caab6b69d8b7b5df23da23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 19:23:15 +0800 +Subject: mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting + +From: Haibo Chen + +[ Upstream commit 1e336aa0c0250ec84c6f16efac40c9f0138e367d ] + +Current code logic may be impacted by the setting of ROM/Bootloader, +so unmask these bits first, then setting these bits accordingly. + +Fixes: 2b16cf326b70 ("mmc: sdhci-esdhc-imx: move tuning static configuration into hwinit function") +Signed-off-by: Haibo Chen +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20221207112315.1812222-1-haibo.chen@nxp.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c +index 30c75a96fce1..97ec4f870e11 100644 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -85,6 +85,7 @@ + #define ESDHC_TUNING_START_TAP_DEFAULT 0x1 + #define ESDHC_TUNING_START_TAP_MASK 0x7f + #define ESDHC_TUNING_CMD_CRC_CHECK_DISABLE (1 << 7) ++#define ESDHC_TUNING_STEP_DEFAULT 0x1 + #define ESDHC_TUNING_STEP_MASK 0x00070000 + #define ESDHC_TUNING_STEP_SHIFT 16 + +@@ -1094,7 +1095,7 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host) + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host); + struct cqhci_host *cq_host = host->mmc->cqe_private; +- int tmp; ++ u32 tmp; + + if (esdhc_is_usdhc(imx_data)) { + /* +@@ -1130,17 +1131,24 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host) + + if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) { + tmp = readl(host->ioaddr + ESDHC_TUNING_CTRL); +- tmp |= ESDHC_STD_TUNING_EN | +- ESDHC_TUNING_START_TAP_DEFAULT; +- if (imx_data->boarddata.tuning_start_tap) { +- tmp &= ~ESDHC_TUNING_START_TAP_MASK; ++ tmp |= ESDHC_STD_TUNING_EN; ++ ++ /* ++ * ROM code or bootloader may config the start tap ++ * and step, unmask them first. ++ */ ++ tmp &= ~(ESDHC_TUNING_START_TAP_MASK | ESDHC_TUNING_STEP_MASK); ++ if (imx_data->boarddata.tuning_start_tap) + tmp |= imx_data->boarddata.tuning_start_tap; +- } ++ else ++ tmp |= ESDHC_TUNING_START_TAP_DEFAULT; + + if (imx_data->boarddata.tuning_step) { +- tmp &= ~ESDHC_TUNING_STEP_MASK; + tmp |= imx_data->boarddata.tuning_step + << ESDHC_TUNING_STEP_SHIFT; ++ } else { ++ tmp |= ESDHC_TUNING_STEP_DEFAULT ++ << ESDHC_TUNING_STEP_SHIFT; + } + + /* Disable the CMD CRC check for tuning, if not, need to +-- +2.39.0 + diff --git a/queue-4.19/mmc-sdhci-esdhc-imx-disable-the-cmd-crc-check-for-st.patch b/queue-4.19/mmc-sdhci-esdhc-imx-disable-the-cmd-crc-check-for-st.patch new file mode 100644 index 00000000000..ae92224e96b --- /dev/null +++ b/queue-4.19/mmc-sdhci-esdhc-imx-disable-the-cmd-crc-check-for-st.patch @@ -0,0 +1,71 @@ +From 6a381e3ed356ba8d7a920f5638848aad3e63c9be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 May 2020 18:22:02 +0800 +Subject: mmc: sdhci-esdhc-imx: disable the CMD CRC check for standard tuning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Haibo Chen + +[ Upstream commit 16e40e5b1e3c6646fd90d0c3186703d209216f03 ] + +In current code, we add 1ms dealy after each tuning command for standard +tuning method. Adding this 1ms dealy is because USDHC default check the +CMD CRC and DATA line. If detect the CMD CRC, USDHC standard tuning +IC logic do not wait for the tuning data sending out by the card, trigger +the buffer read ready interrupt immediately, and step to next cycle. So +when next time the new tuning command send out by USDHC, card may still +not send out the tuning data of the upper command,then some eMMC cards +may stuck, can't response to any command, block the whole tuning procedure. + +If do not check the CMD CRC for tuning, then do not has this issue. USDHC +will wait for the tuning data of each tuning command and check them. If the +tuning data pass the check, it also means the CMD line also okay for tuning. + +So this patch disable the CMD CRC check for tuning, save some time for the +whole tuning procedure. + +Signed-off-by: Haibo Chen +Link: https://lore.kernel.org/r/1590488522-9292-2-git-send-email-haibo.chen@nxp.com +Signed-off-by: Ulf Hansson +Stable-dep-of: 1e336aa0c025 ("mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting") +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c +index dc0a10a5e2c3..30c75a96fce1 100644 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -84,6 +84,7 @@ + /* NOTE: the minimum valid tuning start tap for mx6sl is 1 */ + #define ESDHC_TUNING_START_TAP_DEFAULT 0x1 + #define ESDHC_TUNING_START_TAP_MASK 0x7f ++#define ESDHC_TUNING_CMD_CRC_CHECK_DISABLE (1 << 7) + #define ESDHC_TUNING_STEP_MASK 0x00070000 + #define ESDHC_TUNING_STEP_SHIFT 16 + +@@ -1141,6 +1142,18 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host) + tmp |= imx_data->boarddata.tuning_step + << ESDHC_TUNING_STEP_SHIFT; + } ++ ++ /* Disable the CMD CRC check for tuning, if not, need to ++ * add some delay after every tuning command, because ++ * hardware standard tuning logic will directly go to next ++ * step once it detect the CMD CRC error, will not wait for ++ * the card side to finally send out the tuning data, trigger ++ * the buffer read ready interrupt immediately. If usdhc send ++ * the next tuning command some eMMC card will stuck, can't ++ * response, block the tuning procedure or the first command ++ * after the whole tuning procedure always can't get any response. ++ */ ++ tmp |= ESDHC_TUNING_CMD_CRC_CHECK_DISABLE; + writel(tmp, host->ioaddr + ESDHC_TUNING_CTRL); + } else if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) { + /* +-- +2.39.0 + diff --git a/queue-4.19/net-macb-fix-ptp-tx-timestamp-failure-due-to-packet-.patch b/queue-4.19/net-macb-fix-ptp-tx-timestamp-failure-due-to-packet-.patch new file mode 100644 index 00000000000..950125a4ea1 --- /dev/null +++ b/queue-4.19/net-macb-fix-ptp-tx-timestamp-failure-due-to-packet-.patch @@ -0,0 +1,77 @@ +From c0619c63a70bfadc71a4c314b9a614f2c52fd8c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jan 2023 15:41:33 -0600 +Subject: net: macb: fix PTP TX timestamp failure due to packet padding + +From: Robert Hancock + +[ Upstream commit 7b90f5a665acd46efbbfa677a3a3a18d01ad6487 ] + +PTP TX timestamp handling was observed to be broken with this driver +when using the raw Layer 2 PTP encapsulation. ptp4l was not receiving +the expected TX timestamp after transmitting a packet, causing it to +enter a failure state. + +The problem appears to be due to the way that the driver pads packets +which are smaller than the Ethernet minimum of 60 bytes. If headroom +space was available in the SKB, this caused the driver to move the data +back to utilize it. However, this appears to cause other data references +in the SKB to become inconsistent. In particular, this caused the +ptp_one_step_sync function to later (in the TX completion path) falsely +detect the packet as a one-step SYNC packet, even when it was not, which +caused the TX timestamp to not be processed when it should be. + +Using the headroom for this purpose seems like an unnecessary complexity +as this is not a hot path in the driver, and in most cases it appears +that there is sufficient tailroom to not require using the headroom +anyway. Remove this usage of headroom to prevent this inconsistency from +occurring and causing other problems. + +Fixes: 653e92a9175e ("net: macb: add support for padding and fcs computation") +Signed-off-by: Robert Hancock +Reviewed-by: Jacob Keller +Tested-by: Claudiu Beznea # on SAMA7G5 +Reviewed-by: Claudiu Beznea +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 50331b202f73..324d81516832 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1738,7 +1738,6 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev) + bool cloned = skb_cloned(*skb) || skb_header_cloned(*skb) || + skb_is_nonlinear(*skb); + int padlen = ETH_ZLEN - (*skb)->len; +- int headroom = skb_headroom(*skb); + int tailroom = skb_tailroom(*skb); + struct sk_buff *nskb; + u32 fcs; +@@ -1752,9 +1751,6 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev) + /* FCS could be appeded to tailroom. */ + if (tailroom >= ETH_FCS_LEN) + goto add_fcs; +- /* FCS could be appeded by moving data to headroom. */ +- else if (!cloned && headroom + tailroom >= ETH_FCS_LEN) +- padlen = 0; + /* No room for FCS, need to reallocate skb. */ + else + padlen = ETH_FCS_LEN; +@@ -1763,10 +1759,7 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev) + padlen += ETH_FCS_LEN; + } + +- if (!cloned && headroom + tailroom >= padlen) { +- (*skb)->data = memmove((*skb)->head, (*skb)->data, (*skb)->len); +- skb_set_tail_pointer(*skb, (*skb)->len); +- } else { ++ if (cloned || tailroom < padlen) { + nskb = skb_copy_expand(*skb, 0, padlen, GFP_ATOMIC); + if (!nskb) + return -ENOMEM; +-- +2.39.0 + diff --git a/queue-4.19/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch b/queue-4.19/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch new file mode 100644 index 00000000000..9e2c1a0aff2 --- /dev/null +++ b/queue-4.19/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch @@ -0,0 +1,44 @@ +From 5184bc3b344de16e1144b4a9bb8c44135550539c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jan 2023 11:54:06 +0100 +Subject: net: mdio: validate parameter addr in mdiobus_get_phy() + +From: Heiner Kallweit + +[ Upstream commit 867dbe784c5010a466f00a7d1467c1c5ea569c75 ] + +The caller may pass any value as addr, what may result in an out-of-bounds +access to array mdio_map. One existing case is stmmac_init_phy() that +may pass -1 as addr. Therefore validate addr before using it. + +Fixes: 7f854420fbfe ("phy: Add API for {un}registering an mdio device to a bus.") +Signed-off-by: Heiner Kallweit +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/cdf664ea-3312-e915-73f8-021678d08887@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mdio_bus.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index 1d1fbd7bd6fc..550806351049 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -103,7 +103,12 @@ EXPORT_SYMBOL(mdiobus_unregister_device); + + struct phy_device *mdiobus_get_phy(struct mii_bus *bus, int addr) + { +- struct mdio_device *mdiodev = bus->mdio_map[addr]; ++ struct mdio_device *mdiodev; ++ ++ if (addr < 0 || addr >= ARRAY_SIZE(bus->mdio_map)) ++ return NULL; ++ ++ mdiodev = bus->mdio_map[addr]; + + if (!mdiodev) + return NULL; +-- +2.39.0 + diff --git a/queue-4.19/net-mlx5-eliminate-anonymous-module_init-module_exit.patch b/queue-4.19/net-mlx5-eliminate-anonymous-module_init-module_exit.patch new file mode 100644 index 00000000000..48c247039a4 --- /dev/null +++ b/queue-4.19/net-mlx5-eliminate-anonymous-module_init-module_exit.patch @@ -0,0 +1,76 @@ +From 929f22603be0b660a1b6e1c941e8431a55536ab9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 20:12:29 -0700 +Subject: net: mlx5: eliminate anonymous module_init & module_exit + +From: Randy Dunlap + +[ Upstream commit 2c1e1b949024989e20907b84e11a731a50778416 ] + +Eliminate anonymous module_init() and module_exit(), which can lead to +confusion or ambiguity when reading System.map, crashes/oops/bugs, +or an initcall_debug log. + +Give each of these init and exit functions unique driver-specific +names to eliminate the anonymous names. + +Example 1: (System.map) + ffffffff832fc78c t init + ffffffff832fc79e t init + ffffffff832fc8f8 t init + +Example 2: (initcall_debug log) + calling init+0x0/0x12 @ 1 + initcall init+0x0/0x12 returned 0 after 15 usecs + calling init+0x0/0x60 @ 1 + initcall init+0x0/0x60 returned 0 after 2 usecs + calling init+0x0/0x9a @ 1 + initcall init+0x0/0x9a returned 0 after 74 usecs + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: Randy Dunlap +Cc: Eli Cohen +Cc: Saeed Mahameed +Cc: Leon Romanovsky +Cc: linux-rdma@vger.kernel.org +Reviewed-by: Ira Weiny +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index a2b25afa2472..e09bd059984e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1683,7 +1683,7 @@ static void mlx5_core_verify_params(void) + } + } + +-static int __init init(void) ++static int __init mlx5_init(void) + { + int err; + +@@ -1708,7 +1708,7 @@ static int __init init(void) + return err; + } + +-static void __exit cleanup(void) ++static void __exit mlx5_cleanup(void) + { + #ifdef CONFIG_MLX5_CORE_EN + mlx5e_cleanup(); +@@ -1717,5 +1717,5 @@ static void __exit cleanup(void) + mlx5_unregister_debugfs(); + } + +-module_init(init); +-module_exit(cleanup); ++module_init(mlx5_init); ++module_exit(mlx5_cleanup); +-- +2.39.0 + diff --git a/queue-4.19/net-nfc-fix-use-after-free-in-local_cleanup.patch b/queue-4.19/net-nfc-fix-use-after-free-in-local_cleanup.patch new file mode 100644 index 00000000000..0322c2ca83b --- /dev/null +++ b/queue-4.19/net-nfc-fix-use-after-free-in-local_cleanup.patch @@ -0,0 +1,112 @@ +From 0180f110796e621b20f86accdd2fbaa2a6462fbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:19:14 +0900 +Subject: net: nfc: Fix use-after-free in local_cleanup() + +From: Jisoo Jang + +[ Upstream commit 4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6 ] + +Fix a use-after-free that occurs in kfree_skb() called from +local_cleanup(). This could happen when killing nfc daemon (e.g. neard) +after detaching an nfc device. +When detaching an nfc device, local_cleanup() called from +nfc_llcp_unregister_device() frees local->rx_pending and decreases +local->ref by kref_put() in nfc_llcp_local_put(). +In the terminating process, nfc daemon releases all sockets and it leads +to decreasing local->ref. After the last release of local->ref, +local_cleanup() called from local_release() frees local->rx_pending +again, which leads to the bug. + +Setting local->rx_pending to NULL in local_cleanup() could prevent +use-after-free when local_cleanup() is called twice. + +Found by a modified version of syzkaller. + +BUG: KASAN: use-after-free in kfree_skb() + +Call Trace: +dump_stack_lvl (lib/dump_stack.c:106) +print_address_description.constprop.0.cold (mm/kasan/report.c:306) +kasan_check_range (mm/kasan/generic.c:189) +kfree_skb (net/core/skbuff.c:955) +local_cleanup (net/nfc/llcp_core.c:159) +nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172) +nfc_llcp_local_put (net/nfc/llcp_core.c:181) +llcp_sock_destruct (net/nfc/llcp_sock.c:959) +__sk_destruct (net/core/sock.c:2133) +sk_destruct (net/core/sock.c:2181) +__sk_free (net/core/sock.c:2192) +sk_free (net/core/sock.c:2203) +llcp_sock_release (net/nfc/llcp_sock.c:646) +__sock_release (net/socket.c:650) +sock_close (net/socket.c:1365) +__fput (fs/file_table.c:306) +task_work_run (kernel/task_work.c:179) +ptrace_notify (kernel/signal.c:2354) +syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278) +syscall_exit_to_user_mode (kernel/entry/common.c:296) +do_syscall_64 (arch/x86/entry/common.c:86) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106) + +Allocated by task 4719: +kasan_save_stack (mm/kasan/common.c:45) +__kasan_slab_alloc (mm/kasan/common.c:325) +slab_post_alloc_hook (mm/slab.h:766) +kmem_cache_alloc_node (mm/slub.c:3497) +__alloc_skb (net/core/skbuff.c:552) +pn533_recv_response (drivers/nfc/pn533/usb.c:65) +__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671) +usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704) +tasklet_action_common.isra.0 (kernel/softirq.c:797) +__do_softirq (kernel/softirq.c:571) + +Freed by task 1901: +kasan_save_stack (mm/kasan/common.c:45) +kasan_set_track (mm/kasan/common.c:52) +kasan_save_free_info (mm/kasan/genericdd.c:518) +__kasan_slab_free (mm/kasan/common.c:236) +kmem_cache_free (mm/slub.c:3809) +kfree_skbmem (net/core/skbuff.c:874) +kfree_skb (net/core/skbuff.c:931) +local_cleanup (net/nfc/llcp_core.c:159) +nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617) +nfc_unregister_device (net/nfc/core.c:1179) +pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846) +pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579) +usb_unbind_interface (drivers/usb/core/driver.c:458) +device_release_driver_internal (drivers/base/dd.c:1279) +bus_remove_device (drivers/base/bus.c:529) +device_del (drivers/base/core.c:3665) +usb_disable_device (drivers/usb/core/message.c:1420) +usb_disconnect (drivers/usb/core.c:2261) +hub_event (drivers/usb/core/hub.c:5833) +process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281) +worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423) +kthread (kernel/kthread.c:319) +ret_from_fork (arch/x86/entry/entry_64.S:301) + +Fixes: 3536da06db0b ("NFC: llcp: Clean local timers and works when removing a device") +Signed-off-by: Jisoo Jang +Link: https://lore.kernel.org/r/20230111131914.3338838-1-jisoo.jang@yonsei.ac.kr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index 4fa015208aab..3290f2275b85 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -171,6 +171,7 @@ static void local_cleanup(struct nfc_llcp_local *local) + cancel_work_sync(&local->rx_work); + cancel_work_sync(&local->timeout_work); + kfree_skb(local->rx_pending); ++ local->rx_pending = NULL; + del_timer_sync(&local->sdreq_timer); + cancel_work_sync(&local->sdreq_timeout_work); + nfc_llcp_free_sdp_tlv_list(&local->pending_sdreqs); +-- +2.39.0 + diff --git a/queue-4.19/net-usb-sr9700-handle-negative-len.patch b/queue-4.19/net-usb-sr9700-handle-negative-len.patch new file mode 100644 index 00000000000..512a8888372 --- /dev/null +++ b/queue-4.19/net-usb-sr9700-handle-negative-len.patch @@ -0,0 +1,41 @@ +From 0578fbb6db93ba80a15a9f6ae9fef50850ff51c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jan 2023 19:23:26 +0100 +Subject: net: usb: sr9700: Handle negative len + +From: Szymon Heidrich + +[ Upstream commit ecf7cf8efb59789e2b21d2f9ab926142579092b2 ] + +Packet len computed as difference of length word extracted from +skb data and four may result in a negative value. In such case +processing of the buffer should be interrupted rather than +setting sr_skb->len to an unexpectedly large value (due to cast +from signed to unsigned integer) and passing sr_skb to +usbnet_skb_return. + +Fixes: e9da0b56fe27 ("sr9700: sanity check for packet length") +Signed-off-by: Szymon Heidrich +Link: https://lore.kernel.org/r/20230114182326.30479-1-szymon.heidrich@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9700.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index 83640628c47d..8bee8286e41a 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -410,7 +410,7 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + /* ignore the CRC length */ + len = (skb->data[1] | (skb->data[2] << 8)) - 4; + +- if (len > ETH_FRAME_LEN || len > skb->len) ++ if (len > ETH_FRAME_LEN || len > skb->len || len < 0) + return 0; + + /* the last packet of current skb */ +-- +2.39.0 + diff --git a/queue-4.19/phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch b/queue-4.19/phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch new file mode 100644 index 00000000000..aac22eea0de --- /dev/null +++ b/queue-4.19/phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch @@ -0,0 +1,41 @@ +From c6a4e67a680a27c82c41e89e150739578d0a5660 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 19:58:23 +0800 +Subject: phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in + rockchip_usb2phy_power_on() + +From: Shang XiaoJing + +[ Upstream commit 5daba914da0e48950e9407ea4d75fa57029c9adc ] + +The clk_disable_unprepare() should be called in the error handling of +rockchip_usb2phy_power_on(). + +Fixes: 0e08d2a727e6 ("phy: rockchip-inno-usb2: add a new driver for Rockchip usb2phy") +Signed-off-by: Shang XiaoJing +Link: https://lore.kernel.org/r/20221205115823.16957-1-shangxiaojing@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +index 5049dac79bd0..77c1c3ffaed7 100644 +--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +@@ -477,8 +477,10 @@ static int rockchip_usb2phy_power_on(struct phy *phy) + return ret; + + ret = property_enable(base, &rport->port_cfg->phy_sus, false); +- if (ret) ++ if (ret) { ++ clk_disable_unprepare(rphy->clk480m); + return ret; ++ } + + /* waiting for the utmi_clk to become stable */ + usleep_range(1500, 2000); +-- +2.39.0 + diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..7b6d4f9d3d9 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,36 @@ +memory-atmel-sdramc-fix-missing-clk_disable_unprepar.patch +memory-mvebu-devbus-fix-missing-clk_disable_unprepar.patch +arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch +hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch +edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch +tomoyo-fix-broken-dependency-on-.conf.default.patch +ib-hfi1-reject-a-zero-length-user-expected-buffer.patch +ib-hfi1-reserve-user-expected-tids.patch +ib-hfi1-fix-expected-receive-setup-error-exit-issues.patch +affs-initialize-fsdata-in-affs_truncate.patch +amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch +amd-xgbe-delay-an-timeout-during-kr-training.patch +bpf-fix-pointer-leak-due-to-insufficient-speculative.patch +phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch +net-nfc-fix-use-after-free-in-local_cleanup.patch +wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch +net-usb-sr9700-handle-negative-len.patch +net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch +hid-check-empty-report_list-in-hid_validate_values.patch +usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch +usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch +net-mlx5-eliminate-anonymous-module_init-module_exit.patch +dmaengine-fix-double-increment-of-client_count-in-dm.patch +net-macb-fix-ptp-tx-timestamp-failure-due-to-packet-.patch +hid-betop-check-shape-of-output-reports.patch +dmaengine-xilinx_dma-commonize-dma-copy-size-calcula.patch +dmaengine-xilinx_dma-program-hardware-supported-buff.patch +dmaengine-xilinx_dma-fix-devm_platform_ioremap_resou.patch +dmaengine-xilinx_dma-call-of_node_put-when-breaking-.patch +tcp-avoid-the-lookup-process-failing-to-get-sk-in-eh.patch +w1-fix-deadloop-in-__w1_remove_master_device.patch +w1-fix-warning-after-calling-w1_process.patch +mmc-sdhci-esdhc-imx-clear-esdhc_std_tuning_en-for-ma.patch +mmc-sdhci-esdhc-imx-clear-pending-interrupt-and-halt.patch +mmc-sdhci-esdhc-imx-disable-the-cmd-crc-check-for-st.patch +mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and.patch diff --git a/queue-4.19/tcp-avoid-the-lookup-process-failing-to-get-sk-in-eh.patch b/queue-4.19/tcp-avoid-the-lookup-process-failing-to-get-sk-in-eh.patch new file mode 100644 index 00000000000..ed31e1b7b28 --- /dev/null +++ b/queue-4.19/tcp-avoid-the-lookup-process-failing-to-get-sk-in-eh.patch @@ -0,0 +1,121 @@ +From 6b5da29c2c7a5e76e9759048f9dab79caff958ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 09:59:41 +0800 +Subject: tcp: avoid the lookup process failing to get sk in ehash table + +From: Jason Xing + +[ Upstream commit 3f4ca5fafc08881d7a57daa20449d171f2887043 ] + +While one cpu is working on looking up the right socket from ehash +table, another cpu is done deleting the request socket and is about +to add (or is adding) the big socket from the table. It means that +we could miss both of them, even though it has little chance. + +Let me draw a call trace map of the server side. + CPU 0 CPU 1 + ----- ----- +tcp_v4_rcv() syn_recv_sock() + inet_ehash_insert() + -> sk_nulls_del_node_init_rcu(osk) +__inet_lookup_established() + -> __sk_nulls_add_node_rcu(sk, list) + +Notice that the CPU 0 is receiving the data after the final ack +during 3-way shakehands and CPU 1 is still handling the final ack. + +Why could this be a real problem? +This case is happening only when the final ack and the first data +receiving by different CPUs. Then the server receiving data with +ACK flag tries to search one proper established socket from ehash +table, but apparently it fails as my map shows above. After that, +the server fetches a listener socket and then sends a RST because +it finds a ACK flag in the skb (data), which obeys RST definition +in RFC 793. + +Besides, Eric pointed out there's one more race condition where it +handles tw socket hashdance. Only by adding to the tail of the list +before deleting the old one can we avoid the race if the reader has +already begun the bucket traversal and it would possibly miss the head. + +Many thanks to Eric for great help from beginning to end. + +Fixes: 5e0724d027f0 ("tcp/dccp: fix hashdance race for passive sessions") +Suggested-by: Eric Dumazet +Signed-off-by: Jason Xing +Reviewed-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/lkml/20230112065336.41034-1-kerneljasonxing@gmail.com/ +Link: https://lore.kernel.org/r/20230118015941.1313-1-kerneljasonxing@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 17 +++++++++++++++-- + net/ipv4/inet_timewait_sock.c | 8 ++++---- + 2 files changed, 19 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 3c58019f0718..d64522af9c3a 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -579,8 +579,20 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + spin_lock(lock); + if (osk) { + WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); +- ret = sk_nulls_del_node_init_rcu(osk); +- } else if (found_dup_sk) { ++ ret = sk_hashed(osk); ++ if (ret) { ++ /* Before deleting the node, we insert a new one to make ++ * sure that the look-up-sk process would not miss either ++ * of them and that at least one node would exist in ehash ++ * table all the time. Otherwise there's a tiny chance ++ * that lookup process could find nothing in ehash table. ++ */ ++ __sk_nulls_add_node_tail_rcu(sk, list); ++ sk_nulls_del_node_init_rcu(osk); ++ } ++ goto unlock; ++ } ++ if (found_dup_sk) { + *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); + if (*found_dup_sk) + ret = false; +@@ -589,6 +601,7 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + if (ret) + __sk_nulls_add_node_rcu(sk, list); + ++unlock: + spin_unlock(lock); + + return ret; +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c +index 88c5069b5d20..fedd19c22b39 100644 +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -80,10 +80,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) + } + EXPORT_SYMBOL_GPL(inet_twsk_put); + +-static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, +- struct hlist_nulls_head *list) ++static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, ++ struct hlist_nulls_head *list) + { +- hlist_nulls_add_head_rcu(&tw->tw_node, list); ++ hlist_nulls_add_tail_rcu(&tw->tw_node, list); + } + + static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, +@@ -119,7 +119,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, + + spin_lock(lock); + +- inet_twsk_add_node_rcu(tw, &ehead->chain); ++ inet_twsk_add_node_tail_rcu(tw, &ehead->chain); + + /* Step 3: Remove SK from hash chain */ + if (__sk_nulls_del_node_init_rcu(sk)) +-- +2.39.0 + diff --git a/queue-4.19/tomoyo-fix-broken-dependency-on-.conf.default.patch b/queue-4.19/tomoyo-fix-broken-dependency-on-.conf.default.patch new file mode 100644 index 00000000000..e9d03508bca --- /dev/null +++ b/queue-4.19/tomoyo-fix-broken-dependency-on-.conf.default.patch @@ -0,0 +1,61 @@ +From 2fa2a39c4226cba4b6e69dc7ce72696f97edba90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Jan 2023 16:47:41 +0900 +Subject: tomoyo: fix broken dependency on *.conf.default + +From: Masahiro Yamada + +[ Upstream commit eaf2213ba563b2d74a1f2c13a6b258273f689802 ] + +If *.conf.default is updated, builtin-policy.h should be rebuilt, +but this does not work when compiled with O= option. + +[Without this commit] + + $ touch security/tomoyo/policy/exception_policy.conf.default + $ make O=/tmp security/tomoyo/ + make[1]: Entering directory '/tmp' + GEN Makefile + CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh + DESCEND objtool + make[1]: Leaving directory '/tmp' + +[With this commit] + + $ touch security/tomoyo/policy/exception_policy.conf.default + $ make O=/tmp security/tomoyo/ + make[1]: Entering directory '/tmp' + GEN Makefile + CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh + DESCEND objtool + POLICY security/tomoyo/builtin-policy.h + CC security/tomoyo/common.o + AR security/tomoyo/built-in.a + make[1]: Leaving directory '/tmp' + +$(srctree)/ is essential because $(wildcard ) does not follow VPATH. + +Fixes: f02dee2d148b ("tomoyo: Do not generate empty policy files") +Signed-off-by: Masahiro Yamada +Signed-off-by: Tetsuo Handa +Signed-off-by: Sasha Levin +--- + security/tomoyo/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/tomoyo/Makefile b/security/tomoyo/Makefile +index cca5a3012fee..221eaadffb09 100644 +--- a/security/tomoyo/Makefile ++++ b/security/tomoyo/Makefile +@@ -10,7 +10,7 @@ endef + quiet_cmd_policy = POLICY $@ + cmd_policy = ($(call do_policy,profile); $(call do_policy,exception_policy); $(call do_policy,domain_policy); $(call do_policy,manager); $(call do_policy,stat)) >$@ + +-$(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(src)/policy/*.conf.default) FORCE ++$(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(srctree)/$(src)/policy/*.conf.default) FORCE + $(call if_changed,policy) + + $(obj)/common.o: $(obj)/builtin-policy.h +-- +2.39.0 + diff --git a/queue-4.19/usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch b/queue-4.19/usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch new file mode 100644 index 00000000000..78e174dc1fb --- /dev/null +++ b/queue-4.19/usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch @@ -0,0 +1,43 @@ +From 2a4c810f7f62670d20cc5cfd05322e61dde2dd87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 10:59:06 +0530 +Subject: usb: gadget: f_fs: Ensure ep0req is dequeued before free_request + +From: Udipto Goswami + +[ Upstream commit ce405d561b020e5a46340eb5146805a625dcacee ] + +As per the documentation, function usb_ep_free_request guarantees +the request will not be queued or no longer be re-queued (or +otherwise used). However, with the current implementation it +doesn't make sure that the request in ep0 isn't reused. + +Fix this by dequeuing the ep0req on functionfs_unbind before +freeing the request to align with the definition. + +Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver") +Signed-off-by: Udipto Goswami +Tested-by: Krishna Kurapati +Link: https://lore.kernel.org/r/20221215052906.8993-3-quic_ugoswami@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index b3489a3449f6..48bdb2a3972b 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1810,6 +1810,8 @@ static void functionfs_unbind(struct ffs_data *ffs) + ENTER(); + + if (!WARN_ON(!ffs->gadget)) { ++ /* dequeue before freeing ep0req */ ++ usb_ep_dequeue(ffs->gadget->ep0, ffs->ep0req); + mutex_lock(&ffs->mutex); + usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req); + ffs->ep0req = NULL; +-- +2.39.0 + diff --git a/queue-4.19/usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch b/queue-4.19/usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch new file mode 100644 index 00000000000..9ffd166ffe4 --- /dev/null +++ b/queue-4.19/usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch @@ -0,0 +1,61 @@ +From 58a9a7ce429e129b9c0685634a2fc7c3aa07c819 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 10:59:05 +0530 +Subject: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait + +From: Udipto Goswami + +[ Upstream commit 6a19da111057f69214b97c62fb0ac59023970850 ] + +While performing fast composition switch, there is a possibility that the +process of ffs_ep0_write/ffs_ep0_read get into a race condition +due to ep0req being freed up from functionfs_unbind. + +Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait +by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't +bounded so it can go ahead and mark the ep0req to NULL, and since there +is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free. + +Fix this by making a serialized execution between the two functions using +a mutex_lock(ffs->mutex). + +Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver") +Signed-off-by: Udipto Goswami +Tested-by: Krishna Kurapati +Link: https://lore.kernel.org/r/20221215052906.8993-2-quic_ugoswami@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 49eb4e3c760f..b3489a3449f6 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -271,6 +271,9 @@ static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len) + struct usb_request *req = ffs->ep0req; + int ret; + ++ if (!req) ++ return -EINVAL; ++ + req->zero = len < le16_to_cpu(ffs->ev.setup.wLength); + + spin_unlock_irq(&ffs->ev.waitq.lock); +@@ -1807,10 +1810,12 @@ static void functionfs_unbind(struct ffs_data *ffs) + ENTER(); + + if (!WARN_ON(!ffs->gadget)) { ++ mutex_lock(&ffs->mutex); + usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req); + ffs->ep0req = NULL; + ffs->gadget = NULL; + clear_bit(FFS_FL_BOUND, &ffs->flags); ++ mutex_unlock(&ffs->mutex); + ffs_data_put(ffs); + } + } +-- +2.39.0 + diff --git a/queue-4.19/w1-fix-deadloop-in-__w1_remove_master_device.patch b/queue-4.19/w1-fix-deadloop-in-__w1_remove_master_device.patch new file mode 100644 index 00000000000..56b3b2df534 --- /dev/null +++ b/queue-4.19/w1-fix-deadloop-in-__w1_remove_master_device.patch @@ -0,0 +1,83 @@ +From a07e6843ed8e5ad1c876ceaeae8a19441fb30ca3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 16:04:34 +0800 +Subject: w1: fix deadloop in __w1_remove_master_device() + +From: Yang Yingliang + +[ Upstream commit 25d5648802f12ae486076ceca5d7ddf1fef792b2 ] + +I got a deadloop report while doing device(ds2482) add/remove test: + + [ 162.241881] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1. + [ 163.272251] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1. + [ 164.296157] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1. + ... + +__w1_remove_master_device() can't return, because the dev->refcnt is not zero. + +w1_add_master_device() | + w1_alloc_dev() | + atomic_set(&dev->refcnt, 2) | + kthread_run() | + |__w1_remove_master_device() + | kthread_stop() + // KTHREAD_SHOULD_STOP is set, | + // threadfn(w1_process) won't be | + // called. | + kthread() | + | // refcnt will never be 0, it's deadloop. + | while (atomic_read(&dev->refcnt)) {...} + +After calling w1_add_master_device(), w1_process() is not really +invoked, before w1_process() starting, if kthread_stop() is called +in __w1_remove_master_device(), w1_process() will never be called, +the refcnt can not be decreased, then it causes deadloop in remove +function because of non-zero refcnt. + +We need to make sure w1_process() is really started, so move the +set refcnt into w1_process() to fix this problem. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221205080434.3149205-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/w1/w1.c | 2 ++ + drivers/w1/w1_int.c | 5 ++--- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c +index 890c038c25f8..c1d0e723fabc 100644 +--- a/drivers/w1/w1.c ++++ b/drivers/w1/w1.c +@@ -1140,6 +1140,8 @@ int w1_process(void *data) + /* remainder if it woke up early */ + unsigned long jremain = 0; + ++ atomic_inc(&dev->refcnt); ++ + for (;;) { + + if (!jremain && dev->search_count) { +diff --git a/drivers/w1/w1_int.c b/drivers/w1/w1_int.c +index 1c776178f598..eb851eb44300 100644 +--- a/drivers/w1/w1_int.c ++++ b/drivers/w1/w1_int.c +@@ -60,10 +60,9 @@ static struct w1_master *w1_alloc_dev(u32 id, int slave_count, int slave_ttl, + dev->search_count = w1_search_count; + dev->enable_pullup = w1_enable_pullup; + +- /* 1 for w1_process to decrement +- * 1 for __w1_remove_master_device to decrement ++ /* For __w1_remove_master_device to decrement + */ +- atomic_set(&dev->refcnt, 2); ++ atomic_set(&dev->refcnt, 1); + + INIT_LIST_HEAD(&dev->slist); + INIT_LIST_HEAD(&dev->async_list); +-- +2.39.0 + diff --git a/queue-4.19/w1-fix-warning-after-calling-w1_process.patch b/queue-4.19/w1-fix-warning-after-calling-w1_process.patch new file mode 100644 index 00000000000..de5d0aebef6 --- /dev/null +++ b/queue-4.19/w1-fix-warning-after-calling-w1_process.patch @@ -0,0 +1,55 @@ +From e46995484a5bbc32942dfebb801d77bb6bb31a5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 18:15:58 +0800 +Subject: w1: fix WARNING after calling w1_process() + +From: Yang Yingliang + +[ Upstream commit 36225a7c72e9e3e1ce4001b6ce72849f5c9a2d3b ] + +I got the following WARNING message while removing driver(ds2482): + +------------[ cut here ]------------ +do not call blocking ops when !TASK_RUNNING; state=1 set at [<000000002d50bfb6>] w1_process+0x9e/0x1d0 [wire] +WARNING: CPU: 0 PID: 262 at kernel/sched/core.c:9817 __might_sleep+0x98/0xa0 +CPU: 0 PID: 262 Comm: w1_bus_master1 Tainted: G N 6.1.0-rc3+ #307 +RIP: 0010:__might_sleep+0x98/0xa0 +Call Trace: + exit_signals+0x6c/0x550 + do_exit+0x2b4/0x17e0 + kthread_exit+0x52/0x60 + kthread+0x16d/0x1e0 + ret_from_fork+0x1f/0x30 + +The state of task is set to TASK_INTERRUPTIBLE in loop in w1_process(), +set it to TASK_RUNNING when it breaks out of the loop to avoid the +warning. + +Fixes: 3c52e4e62789 ("W1: w1_process, block or sleep") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221205101558.3599162-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/w1/w1.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c +index c1d0e723fabc..cb3650efc29c 100644 +--- a/drivers/w1/w1.c ++++ b/drivers/w1/w1.c +@@ -1169,8 +1169,10 @@ int w1_process(void *data) + */ + mutex_unlock(&dev->list_mutex); + +- if (kthread_should_stop()) ++ if (kthread_should_stop()) { ++ __set_current_state(TASK_RUNNING); + break; ++ } + + /* Only sleep when the search is active. */ + if (dev->search_count) { +-- +2.39.0 + diff --git a/queue-4.19/wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch b/queue-4.19/wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch new file mode 100644 index 00000000000..217609e8a75 --- /dev/null +++ b/queue-4.19/wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch @@ -0,0 +1,75 @@ +From af82c2653a2995ab03aa8e51ae99485e733c9642 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 18:50:31 +0100 +Subject: wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid + +From: Szymon Heidrich + +[ Upstream commit b870e73a56c4cccbec33224233eaf295839f228c ] + +Since resplen and respoffs are signed integers sufficiently +large values of unsigned int len and offset members of RNDIS +response will result in negative values of prior variables. +This may be utilized to bypass implemented security checks +to either extract memory contents by manipulating offset or +overflow the data buffer via memcpy by manipulating both +offset and len. + +Additionally assure that sum of resplen and respoffs does not +overflow so buffer boundaries are kept. + +Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond") +Signed-off-by: Szymon Heidrich +Reviewed-by: Alexander Duyck +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rndis_wlan.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c +index 51e4e92d95a0..0bbeb61ec3a3 100644 +--- a/drivers/net/wireless/rndis_wlan.c ++++ b/drivers/net/wireless/rndis_wlan.c +@@ -712,8 +712,8 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len) + struct rndis_query *get; + struct rndis_query_c *get_c; + } u; +- int ret, buflen; +- int resplen, respoffs, copylen; ++ int ret; ++ size_t buflen, resplen, respoffs, copylen; + + buflen = *len + sizeof(*u.get); + if (buflen < CONTROL_BUFFER_SIZE) +@@ -748,22 +748,15 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len) + + if (respoffs > buflen) { + /* Device returned data offset outside buffer, error. */ +- netdev_dbg(dev->net, "%s(%s): received invalid " +- "data offset: %d > %d\n", __func__, +- oid_to_string(oid), respoffs, buflen); ++ netdev_dbg(dev->net, ++ "%s(%s): received invalid data offset: %zu > %zu\n", ++ __func__, oid_to_string(oid), respoffs, buflen); + + ret = -EINVAL; + goto exit_unlock; + } + +- if ((resplen + respoffs) > buflen) { +- /* Device would have returned more data if buffer would +- * have been big enough. Copy just the bits that we got. +- */ +- copylen = buflen - respoffs; +- } else { +- copylen = resplen; +- } ++ copylen = min(resplen, buflen - respoffs); + + if (copylen > *len) + copylen = *len; +-- +2.39.0 +