From: Greg Kroah-Hartman Date: Thu, 18 Jan 2024 10:41:35 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.1.74~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3c94f2323d7116be3cc00b8f4e5a394acd9ac047;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: binder-fix-comment-on-binder_alloc_new_buf-return-value.patch binder-fix-trivial-typo-of-binder_free_buf_locked.patch binder-use-epollerr-from-eventpoll.h.patch coresight-etm4x-fix-width-of-ccitmin-field.patch parport-parport_serial-add-brainboxes-bar-details.patch parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch uio-fix-use-after-free-in-uio_open.patch --- diff --git a/queue-5.10/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch b/queue-5.10/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch new file mode 100644 index 00000000000..bf3d82b5c4b --- /dev/null +++ b/queue-5.10/binder-fix-comment-on-binder_alloc_new_buf-return-value.patch @@ -0,0 +1,35 @@ +From e1090371e02b601cbfcea175c2a6cc7c955fa830 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Fri, 1 Dec 2023 17:21:36 +0000 +Subject: binder: fix comment on binder_alloc_new_buf() return value + +From: Carlos Llamas + +commit e1090371e02b601cbfcea175c2a6cc7c955fa830 upstream. + +Update the comments of binder_alloc_new_buf() to reflect that the return +value of the function is now ERR_PTR(-errno) on failure. + +No functional changes in this patch. + +Cc: stable@vger.kernel.org +Fixes: 57ada2fb2250 ("binder: add log information for binder transaction failures") +Reviewed-by: Alice Ryhl +Signed-off-by: Carlos Llamas +Link: https://lore.kernel.org/r/20231201172212.1813387-8-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -562,7 +562,7 @@ err_alloc_buf_struct_failed: + * is the sum of the three given sizes (each rounded up to + * pointer-sized boundary) + * +- * Return: The allocated buffer or %NULL if error ++ * Return: The allocated buffer or %ERR_PTR(-errno) if error + */ + struct binder_buffer *binder_alloc_new_buf(struct binder_alloc *alloc, + size_t data_size, diff --git a/queue-5.10/binder-fix-trivial-typo-of-binder_free_buf_locked.patch b/queue-5.10/binder-fix-trivial-typo-of-binder_free_buf_locked.patch new file mode 100644 index 00000000000..db27580cb82 --- /dev/null +++ b/queue-5.10/binder-fix-trivial-typo-of-binder_free_buf_locked.patch @@ -0,0 +1,34 @@ +From 122a3c1cb0ff304c2b8934584fcfea4edb2fe5e3 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Fri, 1 Dec 2023 17:21:35 +0000 +Subject: binder: fix trivial typo of binder_free_buf_locked() + +From: Carlos Llamas + +commit 122a3c1cb0ff304c2b8934584fcfea4edb2fe5e3 upstream. + +Fix minor misspelling of the function in the comment section. + +No functional changes in this patch. + +Cc: stable@vger.kernel.org +Fixes: 0f966cba95c7 ("binder: add flag to clear buffer on txn complete") +Reviewed-by: Alice Ryhl +Signed-off-by: Carlos Llamas +Link: https://lore.kernel.org/r/20231201172212.1813387-7-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -711,7 +711,7 @@ void binder_alloc_free_buf(struct binder + /* + * We could eliminate the call to binder_alloc_clear_buf() + * from binder_alloc_deferred_release() by moving this to +- * binder_alloc_free_buf_locked(). However, that could ++ * binder_free_buf_locked(). However, that could + * increase contention for the alloc mutex if clear_on_free + * is used frequently for large buffers. The mutex is not + * needed for correctness here. diff --git a/queue-5.10/binder-use-epollerr-from-eventpoll.h.patch b/queue-5.10/binder-use-epollerr-from-eventpoll.h.patch new file mode 100644 index 00000000000..0a7c1bfeb65 --- /dev/null +++ b/queue-5.10/binder-use-epollerr-from-eventpoll.h.patch @@ -0,0 +1,38 @@ +From 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Fri, 1 Dec 2023 17:21:30 +0000 +Subject: binder: use EPOLLERR from eventpoll.h + +From: Carlos Llamas + +commit 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 upstream. + +Use EPOLLERR instead of POLLERR to make sure it is cast to the correct +__poll_t type. This fixes the following sparse issue: + + drivers/android/binder.c:5030:24: warning: incorrect type in return expression (different base types) + drivers/android/binder.c:5030:24: expected restricted __poll_t + drivers/android/binder.c:5030:24: got int + +Fixes: f88982679f54 ("binder: check for binder_thread allocation failure in binder_poll()") +Cc: stable@vger.kernel.org +Cc: Eric Biggers +Reviewed-by: Alice Ryhl +Signed-off-by: Carlos Llamas +Link: https://lore.kernel.org/r/20231201172212.1813387-2-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -5173,7 +5173,7 @@ static __poll_t binder_poll(struct file + + thread = binder_get_thread(proc); + if (!thread) +- return POLLERR; ++ return EPOLLERR; + + binder_inner_proc_lock(thread->proc); + thread->looper |= BINDER_LOOPER_STATE_POLL; diff --git a/queue-5.10/coresight-etm4x-fix-width-of-ccitmin-field.patch b/queue-5.10/coresight-etm4x-fix-width-of-ccitmin-field.patch new file mode 100644 index 00000000000..3d463ecefbb --- /dev/null +++ b/queue-5.10/coresight-etm4x-fix-width-of-ccitmin-field.patch @@ -0,0 +1,47 @@ +From cc0271a339cc70cae914c3ec20edc2a8058407da Mon Sep 17 00:00:00 2001 +From: James Clark +Date: Wed, 1 Nov 2023 11:52:06 +0000 +Subject: coresight: etm4x: Fix width of CCITMIN field + +From: James Clark + +commit cc0271a339cc70cae914c3ec20edc2a8058407da upstream. + +CCITMIN is a 12 bit field and doesn't fit in a u8, so extend it to u16. +This probably wasn't an issue previously because values higher than 255 +never occurred. + +But since commit 4aff040bcc8d ("coresight: etm: Override TRCIDR3.CCITMIN +on errata affected cpus"), a comparison with 256 was done to enable the +errata, generating the following W=1 build error: + + coresight-etm4x-core.c:1188:24: error: result of comparison of + constant 256 with expression of type 'u8' (aka 'unsigned char') is + always false [-Werror,-Wtautological-constant-out-of-range-compare] + + if (drvdata->ccitmin == 256) + +Cc: stable@vger.kernel.org +Fixes: 2e1cdfe184b5 ("coresight-etm4x: Adding CoreSight ETM4x driver") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202310302043.as36UFED-lkp@intel.com/ +Reviewed-by: Mike Leach +Signed-off-by: James Clark +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20231101115206.70810-1-james.clark@arm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-etm4x.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-etm4x.h ++++ b/drivers/hwtracing/coresight/coresight-etm4x.h +@@ -440,7 +440,7 @@ struct etmv4_drvdata { + u8 ctxid_size; + u8 vmid_size; + u8 ccsize; +- u8 ccitmin; ++ u16 ccitmin; + u8 s_ex_level; + u8 ns_ex_level; + u8 q_support; diff --git a/queue-5.10/parport-parport_serial-add-brainboxes-bar-details.patch b/queue-5.10/parport-parport_serial-add-brainboxes-bar-details.patch new file mode 100644 index 00000000000..147862cef05 --- /dev/null +++ b/queue-5.10/parport-parport_serial-add-brainboxes-bar-details.patch @@ -0,0 +1,44 @@ +From 65fde134b0a4ffe838729f9ee11b459a2f6f2815 Mon Sep 17 00:00:00 2001 +From: Cameron Williams +Date: Thu, 2 Nov 2023 21:07:05 +0000 +Subject: parport: parport_serial: Add Brainboxes BAR details + +From: Cameron Williams + +commit 65fde134b0a4ffe838729f9ee11b459a2f6f2815 upstream. + +Add BAR/enum entries for Brainboxes serial/parallel cards. + +Cc: +Signed-off-by: Cameron Williams +Acked-by: Sudip Mukherjee +Link: https://lore.kernel.org/r/AS4PR02MB79035155C2D5C3333AE6FA52C4A6A@AS4PR02MB7903.eurprd02.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parport/parport_serial.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/parport/parport_serial.c ++++ b/drivers/parport/parport_serial.c +@@ -65,6 +65,10 @@ enum parport_pc_pci_cards { + sunix_5069a, + sunix_5079a, + sunix_5099a, ++ brainboxes_uc257, ++ brainboxes_is300, ++ brainboxes_uc414, ++ brainboxes_px263, + }; + + /* each element directly indexed from enum list, above */ +@@ -158,6 +162,10 @@ static struct parport_pc_pci cards[] = { + /* sunix_5069a */ { 1, { { 1, 2 }, } }, + /* sunix_5079a */ { 1, { { 1, 2 }, } }, + /* sunix_5099a */ { 1, { { 1, 2 }, } }, ++ /* brainboxes_uc257 */ { 1, { { 3, -1 }, } }, ++ /* brainboxes_is300 */ { 1, { { 3, -1 }, } }, ++ /* brainboxes_uc414 */ { 1, { { 3, -1 }, } }, ++ /* brainboxes_px263 */ { 1, { { 3, -1 }, } }, + }; + + static struct pci_device_id parport_serial_pci_tbl[] = { diff --git a/queue-5.10/parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch b/queue-5.10/parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch new file mode 100644 index 00000000000..beb476d3b5f --- /dev/null +++ b/queue-5.10/parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch @@ -0,0 +1,95 @@ +From 6aa1fc5a8085bbc01687aa708dcf2dbe637a5ee3 Mon Sep 17 00:00:00 2001 +From: Cameron Williams +Date: Thu, 2 Nov 2023 21:07:06 +0000 +Subject: parport: parport_serial: Add Brainboxes device IDs and geometry + +From: Cameron Williams + +commit 6aa1fc5a8085bbc01687aa708dcf2dbe637a5ee3 upstream. + +Add device IDs for the Brainboxes UC-203, UC-257, UC-414, UC-475, +IS-300/IS-500 and PX-263/PX-295 and define the relevant "geometry" +for the cards. +This patch requires part 1 of this series. + +Cc: +Signed-off-by: Cameron Williams +Acked-by: Sudip Mukherjee +Link: https://lore.kernel.org/r/AS4PR02MB7903A4094564BE28F1F926A6C4A6A@AS4PR02MB7903.eurprd02.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parport/parport_serial.c | 56 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +--- a/drivers/parport/parport_serial.c ++++ b/drivers/parport/parport_serial.c +@@ -285,6 +285,38 @@ static struct pci_device_id parport_seri + { PCI_VENDOR_ID_SUNIX, PCI_DEVICE_ID_SUNIX_1999, PCI_VENDOR_ID_SUNIX, + 0x0104, 0, 0, sunix_5099a }, + ++ /* Brainboxes UC-203 */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0bc1, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 }, ++ { PCI_VENDOR_ID_INTASHIELD, 0x0bc2, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 }, ++ ++ /* Brainboxes UC-257 */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0861, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 }, ++ { PCI_VENDOR_ID_INTASHIELD, 0x0862, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 }, ++ { PCI_VENDOR_ID_INTASHIELD, 0x0863, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 }, ++ ++ /* Brainboxes UC-414 */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0e61, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc414 }, ++ ++ /* Brainboxes UC-475 */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0981, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 }, ++ { PCI_VENDOR_ID_INTASHIELD, 0x0982, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_uc257 }, ++ ++ /* Brainboxes IS-300/IS-500 */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0da0, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_is300 }, ++ ++ /* Brainboxes PX-263/PX-295 */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x402c, ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0, brainboxes_px263 }, ++ + { 0, } /* terminate list */ + }; + MODULE_DEVICE_TABLE(pci,parport_serial_pci_tbl); +@@ -550,6 +582,30 @@ static struct pciserial_board pci_parpor + .base_baud = 921600, + .uart_offset = 0x8, + }, ++ [brainboxes_uc257] = { ++ .flags = FL_BASE2, ++ .num_ports = 2, ++ .base_baud = 115200, ++ .uart_offset = 8, ++ }, ++ [brainboxes_is300] = { ++ .flags = FL_BASE2, ++ .num_ports = 1, ++ .base_baud = 115200, ++ .uart_offset = 8, ++ }, ++ [brainboxes_uc414] = { ++ .flags = FL_BASE2, ++ .num_ports = 4, ++ .base_baud = 115200, ++ .uart_offset = 8, ++ }, ++ [brainboxes_px263] = { ++ .flags = FL_BASE2, ++ .num_ports = 4, ++ .base_baud = 921600, ++ .uart_offset = 8, ++ }, + }; + + struct parport_serial_private { diff --git a/queue-5.10/pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch b/queue-5.10/pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch new file mode 100644 index 00000000000..8074002901c --- /dev/null +++ b/queue-5.10/pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch @@ -0,0 +1,50 @@ +From e367e3c765f5477b2e79da0f1399aed49e2d1e37 Mon Sep 17 00:00:00 2001 +From: LeoLiuoc +Date: Mon, 11 Dec 2023 17:15:43 +0800 +Subject: PCI: Add ACS quirk for more Zhaoxin Root Ports + +From: LeoLiuoc + +commit e367e3c765f5477b2e79da0f1399aed49e2d1e37 upstream. + +Add more Root Port Device IDs to pci_quirk_zhaoxin_pcie_ports_acs() for +some new Zhaoxin platforms. + +Fixes: 299bd044a6f3 ("PCI: Add ACS quirk for Zhaoxin Root/Downstream Ports") +Link: https://lore.kernel.org/r/20231211091543.735903-1-LeoLiu-oc@zhaoxin.com +Signed-off-by: LeoLiuoc +[bhelgaas: update subject, drop changelog, add Fixes, add stable tag, fix +whitespace, wrap code comment] +Signed-off-by: Bjorn Helgaas +Cc: # 5.7 +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4551,17 +4551,21 @@ static int pci_quirk_xgene_acs(struct pc + * But the implementation could block peer-to-peer transactions between them + * and provide ACS-like functionality. + */ +-static int pci_quirk_zhaoxin_pcie_ports_acs(struct pci_dev *dev, u16 acs_flags) ++static int pci_quirk_zhaoxin_pcie_ports_acs(struct pci_dev *dev, u16 acs_flags) + { + if (!pci_is_pcie(dev) || + ((pci_pcie_type(dev) != PCI_EXP_TYPE_ROOT_PORT) && + (pci_pcie_type(dev) != PCI_EXP_TYPE_DOWNSTREAM))) + return -ENOTTY; + ++ /* ++ * Future Zhaoxin Root Ports and Switch Downstream Ports will ++ * implement ACS capability in accordance with the PCIe Spec. ++ */ + switch (dev->device) { + case 0x0710 ... 0x071e: + case 0x0721: +- case 0x0723 ... 0x0732: ++ case 0x0723 ... 0x0752: + return pci_acs_ctrl_enabled(acs_flags, + PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF); + } diff --git a/queue-5.10/series b/queue-5.10/series index 327cb8d51b0..da1520135bd 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -39,3 +39,11 @@ net-qrtr-ns-return-0-if-server-port-is-not-present.patch arm-sun9i-smp-fix-return-code-check-of-of_property_m.patch drm-crtc-fix-uninitialized-variable-use.patch acpi-resource-add-another-dmi-match-for-the-tongfang-gmxxgxx.patch +binder-use-epollerr-from-eventpoll.h.patch +binder-fix-trivial-typo-of-binder_free_buf_locked.patch +binder-fix-comment-on-binder_alloc_new_buf-return-value.patch +uio-fix-use-after-free-in-uio_open.patch +parport-parport_serial-add-brainboxes-bar-details.patch +parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch +pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch +coresight-etm4x-fix-width-of-ccitmin-field.patch diff --git a/queue-5.10/uio-fix-use-after-free-in-uio_open.patch b/queue-5.10/uio-fix-use-after-free-in-uio_open.patch new file mode 100644 index 00000000000..18d493f7e56 --- /dev/null +++ b/queue-5.10/uio-fix-use-after-free-in-uio_open.patch @@ -0,0 +1,74 @@ +From 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 Mon Sep 17 00:00:00 2001 +From: Guanghui Feng +Date: Thu, 21 Dec 2023 17:57:43 +0800 +Subject: uio: Fix use-after-free in uio_open + +From: Guanghui Feng + +commit 0c9ae0b8605078eafc3bea053cc78791e97ba2e2 upstream. + +core-1 core-2 +------------------------------------------------------- +uio_unregister_device uio_open + idev = idr_find() +device_unregister(&idev->dev) +put_device(&idev->dev) +uio_device_release + get_device(&idev->dev) +kfree(idev) +uio_free_minor(minor) + uio_release + put_device(&idev->dev) + kfree(idev) +------------------------------------------------------- + +In the core-1 uio_unregister_device(), the device_unregister will kfree +idev when the idev->dev kobject ref is 1. But after core-1 +device_unregister, put_device and before doing kfree, the core-2 may +get_device. Then: +1. After core-1 kfree idev, the core-2 will do use-after-free for idev. +2. When core-2 do uio_release and put_device, the idev will be double + freed. + +To address this issue, we can get idev atomic & inc idev reference with +minor_lock. + +Fixes: 57c5f4df0a5a ("uio: fix crash after the device is unregistered") +Cc: stable +Signed-off-by: Guanghui Feng +Reviewed-by: Baolin Wang +Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uio/uio.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -464,13 +464,13 @@ static int uio_open(struct inode *inode, + + mutex_lock(&minor_lock); + idev = idr_find(&uio_idr, iminor(inode)); +- mutex_unlock(&minor_lock); + if (!idev) { + ret = -ENODEV; ++ mutex_unlock(&minor_lock); + goto out; + } +- + get_device(&idev->dev); ++ mutex_unlock(&minor_lock); + + if (!try_module_get(idev->owner)) { + ret = -ENODEV; +@@ -1062,9 +1062,8 @@ void uio_unregister_device(struct uio_in + wake_up_interruptible(&idev->wait); + kill_fasync(&idev->async_queue, SIGIO, POLL_HUP); + +- device_unregister(&idev->dev); +- + uio_free_minor(minor); ++ device_unregister(&idev->dev); + + return; + }