From: Greg Kroah-Hartman Date: Mon, 21 Oct 2024 10:19:39 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.10.228~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=47462e257cafc438a1342f39d2bee68eb922e384;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: clk-fix-pointer-casting-to-prevent-oops-in-devm_clk_release.patch clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch net-mlx5-update-the-list-of-the-pci-supported-devices.patch --- diff --git a/queue-4.19/clk-fix-pointer-casting-to-prevent-oops-in-devm_clk_release.patch b/queue-4.19/clk-fix-pointer-casting-to-prevent-oops-in-devm_clk_release.patch new file mode 100644 index 00000000000..b30af08e6e1 --- /dev/null +++ b/queue-4.19/clk-fix-pointer-casting-to-prevent-oops-in-devm_clk_release.patch @@ -0,0 +1,39 @@ +From 8b3d743fc9e2542822826890b482afabf0e7522a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Mon, 20 Jun 2022 19:18:15 +0200 +Subject: clk: Fix pointer casting to prevent oops in devm_clk_release() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit 8b3d743fc9e2542822826890b482afabf0e7522a upstream. + +The release function is called with a pointer to the memory returned by +devres_alloc(). I was confused about that by the code before the +generalization that used a struct clk **ptr. + +Reported-by: Marek Szyprowski +Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit") +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20220620171815.114212-1-u.kleine-koenig@pengutronix.de +Tested-by: Marek Szyprowski +Tested-by: Linux Kernel Functional Testing +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-devres.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/clk-devres.c ++++ b/drivers/clk/clk-devres.c +@@ -16,7 +16,7 @@ struct devm_clk_state { + + static void devm_clk_release(struct device *dev, void *res) + { +- struct devm_clk_state *state = *(struct devm_clk_state **)res; ++ struct devm_clk_state *state = res; + + if (state->exit) + state->exit(state->clk); diff --git a/queue-4.19/clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch b/queue-4.19/clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch new file mode 100644 index 00000000000..09cdd5b32ce --- /dev/null +++ b/queue-4.19/clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch @@ -0,0 +1,146 @@ +From 66fbfb35da47f391bdadf9fa7ceb88af4faa9022 Mon Sep 17 00:00:00 2001 +From: Andrey Skvortsov +Date: Sat, 5 Aug 2023 11:48:47 +0300 +Subject: clk: Fix slab-out-of-bounds error in devm_clk_release() + +From: Andrey Skvortsov + +commit 66fbfb35da47f391bdadf9fa7ceb88af4faa9022 upstream. + +Problem can be reproduced by unloading snd_soc_simple_card, because in +devm_get_clk_from_child() devres data is allocated as `struct clk`, but +devm_clk_release() expects devres data to be `struct devm_clk_state`. + +KASAN report: + ================================================================== + BUG: KASAN: slab-out-of-bounds in devm_clk_release+0x20/0x54 + Read of size 8 at addr ffffff800ee09688 by task (udev-worker)/287 + + Call trace: + dump_backtrace+0xe8/0x11c + show_stack+0x1c/0x30 + dump_stack_lvl+0x60/0x78 + print_report+0x150/0x450 + kasan_report+0xa8/0xf0 + __asan_load8+0x78/0xa0 + devm_clk_release+0x20/0x54 + release_nodes+0x84/0x120 + devres_release_all+0x144/0x210 + device_unbind_cleanup+0x1c/0xac + really_probe+0x2f0/0x5b0 + __driver_probe_device+0xc0/0x1f0 + driver_probe_device+0x68/0x120 + __driver_attach+0x140/0x294 + bus_for_each_dev+0xec/0x160 + driver_attach+0x38/0x44 + bus_add_driver+0x24c/0x300 + driver_register+0xf0/0x210 + __platform_driver_register+0x48/0x54 + asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card] + do_one_initcall+0xac/0x340 + do_init_module+0xd0/0x300 + load_module+0x2ba4/0x3100 + __do_sys_init_module+0x2c8/0x300 + __arm64_sys_init_module+0x48/0x5c + invoke_syscall+0x64/0x190 + el0_svc_common.constprop.0+0x124/0x154 + do_el0_svc+0x44/0xdc + el0_svc+0x14/0x50 + el0t_64_sync_handler+0xec/0x11c + el0t_64_sync+0x14c/0x150 + + Allocated by task 287: + kasan_save_stack+0x38/0x60 + kasan_set_track+0x28/0x40 + kasan_save_alloc_info+0x20/0x30 + __kasan_kmalloc+0xac/0xb0 + __kmalloc_node_track_caller+0x6c/0x1c4 + __devres_alloc_node+0x44/0xb4 + devm_get_clk_from_child+0x44/0xa0 + asoc_simple_parse_clk+0x1b8/0x1dc [snd_soc_simple_card_utils] + simple_parse_node.isra.0+0x1ec/0x230 [snd_soc_simple_card] + simple_dai_link_of+0x1bc/0x334 [snd_soc_simple_card] + __simple_for_each_link+0x2ec/0x320 [snd_soc_simple_card] + asoc_simple_probe+0x468/0x4dc [snd_soc_simple_card] + platform_probe+0x90/0xf0 + really_probe+0x118/0x5b0 + __driver_probe_device+0xc0/0x1f0 + driver_probe_device+0x68/0x120 + __driver_attach+0x140/0x294 + bus_for_each_dev+0xec/0x160 + driver_attach+0x38/0x44 + bus_add_driver+0x24c/0x300 + driver_register+0xf0/0x210 + __platform_driver_register+0x48/0x54 + asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card] + do_one_initcall+0xac/0x340 + do_init_module+0xd0/0x300 + load_module+0x2ba4/0x3100 + __do_sys_init_module+0x2c8/0x300 + __arm64_sys_init_module+0x48/0x5c + invoke_syscall+0x64/0x190 + el0_svc_common.constprop.0+0x124/0x154 + do_el0_svc+0x44/0xdc + el0_svc+0x14/0x50 + el0t_64_sync_handler+0xec/0x11c + el0t_64_sync+0x14c/0x150 + + The buggy address belongs to the object at ffffff800ee09600 + which belongs to the cache kmalloc-256 of size 256 + The buggy address is located 136 bytes inside of + 256-byte region [ffffff800ee09600, ffffff800ee09700) + + The buggy address belongs to the physical page: + page:000000002d97303b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ee08 + head:000000002d97303b order:1 compound_mapcount:0 compound_pincount:0 + flags: 0x10200(slab|head|zone=0) + raw: 0000000000010200 0000000000000000 dead000000000122 ffffff8002c02480 + raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffffff800ee09580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffffff800ee09600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >ffffff800ee09680: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffffff800ee09700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffffff800ee09780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ================================================================== + +Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit") +Signed-off-by: Andrey Skvortsov +Link: https://lore.kernel.org/r/20230805084847.3110586-1-andrej.skvortzov@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-devres.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/clk/clk-devres.c ++++ b/drivers/clk/clk-devres.c +@@ -163,18 +163,19 @@ EXPORT_SYMBOL(devm_clk_put); + struct clk *devm_get_clk_from_child(struct device *dev, + struct device_node *np, const char *con_id) + { +- struct clk **ptr, *clk; ++ struct devm_clk_state *state; ++ struct clk *clk; + +- ptr = devres_alloc(devm_clk_release, sizeof(*ptr), GFP_KERNEL); +- if (!ptr) ++ state = devres_alloc(devm_clk_release, sizeof(*state), GFP_KERNEL); ++ if (!state) + return ERR_PTR(-ENOMEM); + + clk = of_clk_get_by_name(np, con_id); + if (!IS_ERR(clk)) { +- *ptr = clk; +- devres_add(dev, ptr); ++ state->clk = clk; ++ devres_add(dev, state); + } else { +- devres_free(ptr); ++ devres_free(state); + } + + return clk; diff --git a/queue-4.19/net-mlx5-update-the-list-of-the-pci-supported-devices.patch b/queue-4.19/net-mlx5-update-the-list-of-the-pci-supported-devices.patch new file mode 100644 index 00000000000..83e8b4c6c5f --- /dev/null +++ b/queue-4.19/net-mlx5-update-the-list-of-the-pci-supported-devices.patch @@ -0,0 +1,30 @@ +From b7eca940322f47fd30dafb70da04d193a0154090 Mon Sep 17 00:00:00 2001 +From: Shani Shapp +Date: Tue, 12 Nov 2019 15:10:00 +0200 +Subject: net/mlx5: Update the list of the PCI supported devices + +From: Shani Shapp + +commit b7eca940322f47fd30dafb70da04d193a0154090 upstream. + +Add the upcoming ConnectX-6 LX device ID. + +Fixes: 85327a9c4150 ("net/mlx5: Update the list of the PCI supported devices") +Signed-off-by: Shani Shapp +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1644,6 +1644,7 @@ static const struct pci_device_id mlx5_c + { PCI_VDEVICE(MELLANOX, 0x101c), MLX5_PCI_DEV_IS_VF}, /* ConnectX-6 VF */ + { PCI_VDEVICE(MELLANOX, 0x101d) }, /* ConnectX-6 Dx */ + { PCI_VDEVICE(MELLANOX, 0x101e), MLX5_PCI_DEV_IS_VF}, /* ConnectX Family mlx5Gen Virtual Function */ ++ { PCI_VDEVICE(MELLANOX, 0x101f) }, /* ConnectX-6 LX */ + { PCI_VDEVICE(MELLANOX, 0xa2d2) }, /* BlueField integrated ConnectX-5 network controller */ + { PCI_VDEVICE(MELLANOX, 0xa2d3), MLX5_PCI_DEV_IS_VF}, /* BlueField integrated ConnectX-5 network controller VF */ + { PCI_VDEVICE(MELLANOX, 0xa2d6) }, /* BlueField-2 integrated ConnectX-6 Dx network controller */ diff --git a/queue-4.19/series b/queue-4.19/series index 4b150bf4b20..5ebbbfc2145 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -288,3 +288,6 @@ usb-serial-option-add-telit-fn920c04-mbim-compositions.patch parport-proper-fix-for-array-out-of-bounds-access.patch x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch nilfs2-propagate-directory-read-errors-from-nilfs_find_entry.patch +net-mlx5-update-the-list-of-the-pci-supported-devices.patch +clk-fix-pointer-casting-to-prevent-oops-in-devm_clk_release.patch +clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch