From: Greg Kroah-Hartman Date: Mon, 13 Jun 2022 08:11:26 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.9.318~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=53b1da6023b093493d4fdd148f11558599486be3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: drm-amdgpu-update-vcn-codec-support-for-yellow-carp.patch drm-ast-create-threshold-values-for-ast2600.patch drm-atomic-force-bridge-self-refresh-exit-on-crtc-switch.patch drm-bridge-analogix_dp-support-psr-exit-to-disable-transition.patch input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch ixgbe-fix-bcast-packets-rx-on-vf-after-promisc-removal.patch ixgbe-fix-unexpected-vlan-rx-in-promisc-mode-on-vf.patch nfc-st21nfca-fix-incorrect-sizing-calculations-in-evt_transaction.patch nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch powerpc-32-fix-overread-overwrite-of-thread_struct-via-ptrace.patch powerpc-don-t-select-have_irq_exit_on_irq_stack.patch powerpc-mm-switch-obsolete-dssall-to-.long.patch vduse-fix-null-pointer-dereference-on-sysfs-access.patch --- diff --git a/queue-5.15/drm-amdgpu-update-vcn-codec-support-for-yellow-carp.patch b/queue-5.15/drm-amdgpu-update-vcn-codec-support-for-yellow-carp.patch new file mode 100644 index 00000000000..b0ba28d2418 --- /dev/null +++ b/queue-5.15/drm-amdgpu-update-vcn-codec-support-for-yellow-carp.patch 
@@ -0,0 +1,38 @@ +From 97e50305542f384741a5b45699aba349fe9fca73 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 26 May 2022 16:34:55 -0400 +Subject: drm/amdgpu: update VCN codec support for Yellow Carp + +From: Alex Deucher + +commit 97e50305542f384741a5b45699aba349fe9fca73 upstream. + +Supports AV1. Mesa already has support for this and +doesn't rely on the kernel caps for yellow carp, so +this was already working from an application perspective. + +Fixes: 554398174d98 ("amdgpu/nv.c - Added video codec support for Yellow Carp") +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2002 +Reviewed-by: Leo Liu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/nv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/nv.c b/drivers/gpu/drm/amd/amdgpu/nv.c +index d016e3c3e221..b3fba8dea63c 100644 +--- a/drivers/gpu/drm/amd/amdgpu/nv.c ++++ b/drivers/gpu/drm/amd/amdgpu/nv.c +@@ -170,6 +170,7 @@ static const struct amdgpu_video_codec_info yc_video_codecs_decode_array[] = { + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_AV1, 8192, 4352, 0)}, + }; + + static const struct amdgpu_video_codecs yc_video_codecs_decode = { +-- +2.36.1 + diff --git a/queue-5.15/drm-ast-create-threshold-values-for-ast2600.patch b/queue-5.15/drm-ast-create-threshold-values-for-ast2600.patch new file mode 100644 index 00000000000..53360825e59 --- /dev/null +++ b/queue-5.15/drm-ast-create-threshold-values-for-ast2600.patch 
@@ -0,0 +1,33 @@ +From bcc77411e8a65929655cef7b63a36000724cdc4b Mon Sep 17 00:00:00 2001 +From: KuoHsiang Chou +Date: Mon, 17 Jan 2022 16:36:43 +0800 +Subject: drm/ast: Create threshold values for AST2600 + +From: KuoHsiang Chou + +commit bcc77411e8a65929655cef7b63a36000724cdc4b upstream. + +The threshold value is used for AST2600 only. + +Signed-off-by: KuoHsiang Chou +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20220117083643.41493-1-kuohsiang_chou@aspeedtech.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ast/ast_mode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -474,7 +474,10 @@ static void ast_set_color_reg(struct ast + static void ast_set_crtthd_reg(struct ast_private *ast) + { + /* Set Threshold */ +- if (ast->chip == AST2300 || ast->chip == AST2400 || ++ if (ast->chip == AST2600) { ++ ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa7, 0xe0); ++ ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa6, 0xa0); ++ } else if (ast->chip == AST2300 || ast->chip == AST2400 || + ast->chip == AST2500) { + ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa7, 0x78); + ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa6, 0x60); diff --git a/queue-5.15/drm-atomic-force-bridge-self-refresh-exit-on-crtc-switch.patch b/queue-5.15/drm-atomic-force-bridge-self-refresh-exit-on-crtc-switch.patch new file mode 100644 index 00000000000..19629261fda --- /dev/null +++ b/queue-5.15/drm-atomic-force-bridge-self-refresh-exit-on-crtc-switch.patch 
@@ -0,0 +1,74 @@ +From e54a4424925a27ed94dff046db3ce5caf4b1e748 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 28 Feb 2022 12:25:32 -0800 +Subject: drm/atomic: Force bridge self-refresh-exit on CRTC switch + +From: Brian Norris + +commit e54a4424925a27ed94dff046db3ce5caf4b1e748 upstream. + +It's possible to change which CRTC is in use for a given +connector/encoder/bridge while we're in self-refresh without fully +disabling the connector/encoder/bridge along the way. This can confuse +the bridge encoder/bridge, because +(a) it needs to track the SR state (trying to perform "active" + operations while the panel is still in SR can be Bad(TM)); and +(b) it tracks the SR state via the CRTC state (and after the switch, the + previous SR state is lost). + +Thus, we need to either somehow carry the self-refresh state over to the +new CRTC, or else force an encoder/bridge self-refresh transition during +such a switch. + +I choose the latter, so we disable the encoder (and exit PSR) before +attaching it to the new CRTC (where we can continue to assume a clean +(non-self-refresh) state). + +This fixes PSR issues seen on Rockchip RK3399 systems with +drivers/gpu/drm/bridge/analogix/analogix_dp_core.c. + +Change in v2: + +- Drop "->enable" condition; this could possibly be "->active" to + reflect the intended hardware state, but it also is a little + over-specific. We want to make a transition through "disabled" any + time we're exiting PSR at the same time as a CRTC switch. 
+ (Thanks Liu Ying) + +Cc: Liu Ying +Cc: +Fixes: 1452c25b0e60 ("drm: Add helpers to kick off self refresh mode in drivers") +Signed-off-by: Brian Norris +Reviewed-by: Sean Paul +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20220228122522.v2.2.Ic15a2ef69c540aee8732703103e2cff51fb9c399@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_atomic_helper.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -996,9 +996,19 @@ crtc_needs_disable(struct drm_crtc_state + return drm_atomic_crtc_effectively_active(old_state); + + /* +- * We need to run through the crtc_funcs->disable() function if the CRTC +- * is currently on, if it's transitioning to self refresh mode, or if +- * it's in self refresh mode and needs to be fully disabled. ++ * We need to disable bridge(s) and CRTC if we're transitioning out of ++ * self-refresh and changing CRTCs at the same time, because the ++ * bridge tracks self-refresh status via CRTC state. ++ */ ++ if (old_state->self_refresh_active && ++ old_state->crtc != new_state->crtc) ++ return true; ++ ++ /* ++ * We also need to run through the crtc_funcs->disable() function if ++ * the CRTC is currently on, if it's transitioning to self refresh ++ * mode, or if it's in self refresh mode and needs to be fully ++ * disabled. + */ + return old_state->active || + (old_state->self_refresh_active && !new_state->active) || diff --git a/queue-5.15/drm-bridge-analogix_dp-support-psr-exit-to-disable-transition.patch b/queue-5.15/drm-bridge-analogix_dp-support-psr-exit-to-disable-transition.patch new file mode 100644 index 00000000000..f0ffcff216b --- /dev/null +++ b/queue-5.15/drm-bridge-analogix_dp-support-psr-exit-to-disable-transition.patch 
@@ -0,0 +1,109 @@ +From ca871659ec1606d33b1e76de8d4cf924cf627e34 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 28 Feb 2022 12:25:31 -0800 +Subject: drm/bridge: analogix_dp: Support PSR-exit to disable transition + +From: Brian Norris + +commit ca871659ec1606d33b1e76de8d4cf924cf627e34 upstream. + +Most eDP panel functions only work correctly when the panel is not in +self-refresh. In particular, analogix_dp_bridge_disable() tends to hit +AUX channel errors if the panel is in self-refresh. + +Given the above, it appears that so far, this driver assumes that we are +never in self-refresh when it comes time to fully disable the bridge. +Prior to commit 846c7dfc1193 ("drm/atomic: Try to preserve the crtc +enabled state in drm_atomic_remove_fb, v2."), this tended to be true, +because we would automatically disable the pipe when framebuffers were +removed, and so we'd typically disable the bridge shortly after the last +display activity. + +However, that is not guaranteed: an idle (self-refresh) display pipe may +be disabled, e.g., when switching CRTCs. We need to exit PSR first. + +Stable notes: this is definitely a bugfix, and the bug has likely +existed in some form for quite a while. It may predate the "PSR helpers" +refactor, but the code looked very different before that, and it's +probably not worth rewriting the fix. 
+ +Cc: +Fixes: 6c836d965bad ("drm/rockchip: Use the helpers for PSR") +Signed-off-by: Brian Norris +Reviewed-by: Sean Paul +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20220228122522.v2.1.I161904be17ba14526f78536ccd78b85818449b51@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/analogix/analogix_dp_core.c | 42 +++++++++++++++++++-- + 1 file changed, 38 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c ++++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c +@@ -1269,6 +1269,25 @@ static int analogix_dp_bridge_attach(str + } + + static ++struct drm_crtc *analogix_dp_get_old_crtc(struct analogix_dp_device *dp, ++ struct drm_atomic_state *state) ++{ ++ struct drm_encoder *encoder = dp->encoder; ++ struct drm_connector *connector; ++ struct drm_connector_state *conn_state; ++ ++ connector = drm_atomic_get_old_connector_for_encoder(state, encoder); ++ if (!connector) ++ return NULL; ++ ++ conn_state = drm_atomic_get_old_connector_state(state, connector); ++ if (!conn_state) ++ return NULL; ++ ++ return conn_state->crtc; ++} ++ ++static + struct drm_crtc *analogix_dp_get_new_crtc(struct analogix_dp_device *dp, + struct drm_atomic_state *state) + { +@@ -1448,14 +1467,16 @@ analogix_dp_bridge_atomic_disable(struct + { + struct drm_atomic_state *old_state = old_bridge_state->base.state; + struct analogix_dp_device *dp = bridge->driver_private; +- struct drm_crtc *crtc; ++ struct drm_crtc *old_crtc, *new_crtc; ++ struct drm_crtc_state *old_crtc_state = NULL; + struct drm_crtc_state *new_crtc_state = NULL; ++ int ret; + +- crtc = analogix_dp_get_new_crtc(dp, old_state); +- if (!crtc) ++ new_crtc = analogix_dp_get_new_crtc(dp, old_state); ++ if (!new_crtc) + goto out; + +- new_crtc_state = drm_atomic_get_new_crtc_state(old_state, crtc); ++ new_crtc_state = drm_atomic_get_new_crtc_state(old_state, new_crtc); + if (!new_crtc_state) + goto out; + +@@ -1464,6 +1485,19 @@ 
analogix_dp_bridge_atomic_disable(struct + return; + + out: ++ old_crtc = analogix_dp_get_old_crtc(dp, old_state); ++ if (old_crtc) { ++ old_crtc_state = drm_atomic_get_old_crtc_state(old_state, ++ old_crtc); ++ ++ /* When moving from PSR to fully disabled, exit PSR first. */ ++ if (old_crtc_state && old_crtc_state->self_refresh_active) { ++ ret = analogix_dp_disable_psr(dp); ++ if (ret) ++ DRM_ERROR("Failed to disable psr (%d)\n", ret); ++ } ++ } ++ + analogix_dp_bridge_disable(bridge); + } + diff --git a/queue-5.15/input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch b/queue-5.15/input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch new file mode 100644 index 00000000000..8ab1edb0638 --- /dev/null +++ b/queue-5.15/input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch 
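Review bot: In analogix_dp_bridge_atomic_disable() the new `out:` path logs `DRM_ERROR("Failed to disable psr (%d)\n", ret)` when analogix_dp_disable_psr() fails and then still calls analogix_dp_bridge_disable(bridge), even though the commit message says that disable path tends to hit AUX channel errors while the panel is in self-refresh; nothing in the code says the fall-through is deliberate. If continuing is intended, a comment such as `/* Disable regardless: the bridge must end up off even if the PSR exit failed. */` above the analogix_dp_bridge_disable() call would keep a later reader from adding an early return here. Minor: `old_crtc_state` and `ret` are only used inside the `if (old_crtc)` block and could be declared there. The function's signature line lies just outside the hunk.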
@@ -0,0 +1,55 @@
+From c42e65664390be7c1ef3838cd84956d3a2739d60 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Tue, 7 Jun 2022 12:11:33 -0700
+Subject: Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag
+
+From: Mathias Nyman
+
+commit c42e65664390be7c1ef3838cd84956d3a2739d60 upstream.
+
+The bcm5974 driver does the allocation and dma mapping of the usb urb
+data buffer, but driver does not set the URB_NO_TRANSFER_DMA_MAP flag
+to let usb core know the buffer is already mapped.
+
+usb core tries to map the already mapped buffer, causing a warning:
+"xhci_hcd 0000:00:14.0: rejecting DMA map of vmalloc memory"
+
+Fix this by setting the URB_NO_TRANSFER_DMA_MAP, letting usb core
+know buffer is already mapped by bcm5974 driver
+
+Signed-off-by: Mathias Nyman
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215890
+Link: https://lore.kernel.org/r/20220606113636.588955-1-mathias.nyman@linux.intel.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/mouse/bcm5974.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/mouse/bcm5974.c
++++ b/drivers/input/mouse/bcm5974.c
+@@ -942,17 +942,22 @@ static int bcm5974_probe(struct usb_inte
+ if (!dev->tp_data)
+ goto err_free_bt_buffer;
+
+- if (dev->bt_urb)
++ if (dev->bt_urb) {
+ usb_fill_int_urb(dev->bt_urb, udev,
+ usb_rcvintpipe(udev, cfg->bt_ep),
+ dev->bt_data, dev->cfg.bt_datalen,
+ bcm5974_irq_button, dev, 1);
+
++ dev->bt_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
++ }
++
+ usb_fill_int_urb(dev->tp_urb, udev,
+ usb_rcvintpipe(udev, cfg->tp_ep),
+ dev->tp_data, dev->cfg.tp_datalen,
+ bcm5974_irq_trackpad, dev, 1);
+
++ dev->tp_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
++
+ /* create bcm5974 device */
+ usb_make_path(udev, dev->phys, sizeof(dev->phys));
+ strlcat(dev->phys, "/input0", sizeof(dev->phys));
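Review bot: The two new `transfer_flags |= URB_NO_TRANSFER_DMA_MAP;` lines in bcm5974_probe() carry no comment on why the flag is required, and the reason (per the commit message, this driver allocates and DMA-maps bt_data/tp_data itself, so usbcore must not map them a second time) is not visible from the surrounding code. Suggest `/* bt_data/tp_data are already DMA-mapped by this driver; keep usbcore from mapping them again */` above the first assignment, with the second one referring to it. bcm5974_probe() starts and ends outside the hunk.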
diff --git a/queue-5.15/ixgbe-fix-bcast-packets-rx-on-vf-after-promisc-removal.patch b/queue-5.15/ixgbe-fix-bcast-packets-rx-on-vf-after-promisc-removal.patch
new file mode 100644
index 00000000000..14079d5388f
--- /dev/null
+++ b/queue-5.15/ixgbe-fix-bcast-packets-rx-on-vf-after-promisc-removal.patch
@@ -0,0 +1,43 @@
+From 803e9895ea2b0fe80bc85980ae2d7a7e44037914 Mon Sep 17 00:00:00 2001
+From: Olivier Matz
+Date: Wed, 6 Apr 2022 11:52:51 +0200
+Subject: ixgbe: fix bcast packets Rx on VF after promisc removal
+
+From: Olivier Matz
+
+commit 803e9895ea2b0fe80bc85980ae2d7a7e44037914 upstream.
+
+After a VF requested to remove the promiscuous flag on an interface, the
+broadcast packets are not received anymore. This breaks some protocols
+like ARP.
+
+In ixgbe_update_vf_xcast_mode(), we should keep the IXGBE_VMOLR_BAM
+bit (Broadcast Accept) on promiscuous removal.
+
+This flag is already set by default in ixgbe_set_vmolr() on VF reset.
+
+Fixes: 8443c1a4b192 ("ixgbe, ixgbevf: Add new mbox API xcast mode")
+Cc: stable@vger.kernel.org
+Cc: Nicolas Dichtel
+Signed-off-by: Olivier Matz
+Tested-by: Konrad Jankowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+@@ -1157,9 +1157,9 @@ static int ixgbe_update_vf_xcast_mode(st
+
+ switch (xcast_mode) {
+ case IXGBEVF_XCAST_MODE_NONE:
+- disable = IXGBE_VMOLR_BAM | IXGBE_VMOLR_ROMPE |
++ disable = IXGBE_VMOLR_ROMPE |
+ IXGBE_VMOLR_MPE | IXGBE_VMOLR_UPE | IXGBE_VMOLR_VPE;
+- enable = 0;
++ enable = IXGBE_VMOLR_BAM;
+ break;
+ case IXGBEVF_XCAST_MODE_MULTI:
+ disable = IXGBE_VMOLR_MPE | IXGBE_VMOLR_UPE | IXGBE_VMOLR_VPE;
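Review bot: The IXGBEVF_XCAST_MODE_NONE case now sets `enable = IXGBE_VMOLR_BAM;`, but nothing in the code records why broadcast accept is the one bit deliberately kept when a VF leaves promiscuous mode; the rationale (broadcast-based protocols such as ARP stop working without it) exists only in the changelog. Suggest `/* Keep BAM: the VF must still receive broadcasts (e.g. ARP) after leaving promisc mode. */` above the assignment so the bit is not folded back into `disable` later. The enclosing ixgbe_update_vf_xcast_mode() starts and ends outside the hunk.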
diff --git a/queue-5.15/ixgbe-fix-unexpected-vlan-rx-in-promisc-mode-on-vf.patch b/queue-5.15/ixgbe-fix-unexpected-vlan-rx-in-promisc-mode-on-vf.patch new file mode 100644 index 00000000000..4568f2327ad --- /dev/null +++ b/queue-5.15/ixgbe-fix-unexpected-vlan-rx-in-promisc-mode-on-vf.patch 
@@ -0,0 +1,68 @@ +From 7bb0fb7c63df95d6027dc50d6af3bc3bbbc25483 Mon Sep 17 00:00:00 2001 +From: Olivier Matz +Date: Wed, 6 Apr 2022 11:52:52 +0200 +Subject: ixgbe: fix unexpected VLAN Rx in promisc mode on VF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Olivier Matz + +commit 7bb0fb7c63df95d6027dc50d6af3bc3bbbc25483 upstream. + +When the promiscuous mode is enabled on a VF, the IXGBE_VMOLR_VPE +bit (VLAN Promiscuous Enable) is set. This means that the VF will +receive packets whose VLAN is not the same than the VLAN of the VF. + +For instance, in this situation: + +┌────────┐ ┌────────┐ ┌────────┐ +│ │ │ │ │ │ +│ │ │ │ │ │ +│ VF0├────┤VF1 VF2├────┤VF3 │ +│ │ │ │ │ │ +└────────┘ └────────┘ └────────┘ + VM1 VM2 VM3 + +vf 0: vlan 1000 +vf 1: vlan 1000 +vf 2: vlan 1001 +vf 3: vlan 1001 + +If we tcpdump on VF3, we see all the packets, even those transmitted +on vlan 1000. + +This behavior prevents to bridge VF1 and VF2 in VM2, because it will +create a loop: packets transmitted on VF1 will be received by VF2 and +vice-versa, and bridged again through the software bridge. + +This patch remove the activation of VLAN Promiscuous when a VF enables +the promiscuous mode. However, the IXGBE_VMOLR_UPE bit (Unicast +Promiscuous) is kept, so that a VF receives all packets that has the +same VLAN, whatever the destination MAC address. 
+ +Fixes: 8443c1a4b192 ("ixgbe, ixgbevf: Add new mbox API xcast mode") +Cc: stable@vger.kernel.org +Cc: Nicolas Dichtel +Signed-off-by: Olivier Matz +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +@@ -1181,9 +1181,9 @@ static int ixgbe_update_vf_xcast_mode(st + return -EPERM; + } + +- disable = 0; ++ disable = IXGBE_VMOLR_VPE; + enable = IXGBE_VMOLR_BAM | IXGBE_VMOLR_ROMPE | +- IXGBE_VMOLR_MPE | IXGBE_VMOLR_UPE | IXGBE_VMOLR_VPE; ++ IXGBE_VMOLR_MPE | IXGBE_VMOLR_UPE; + break; + default: + return -EOPNOTSUPP; diff --git a/queue-5.15/nfc-st21nfca-fix-incorrect-sizing-calculations-in-evt_transaction.patch b/queue-5.15/nfc-st21nfca-fix-incorrect-sizing-calculations-in-evt_transaction.patch new file mode 100644 index 00000000000..f2cef56d956 --- /dev/null +++ b/queue-5.15/nfc-st21nfca-fix-incorrect-sizing-calculations-in-evt_transaction.patch 
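Review bot: In the promiscuous case, `disable = IXGBE_VMOLR_VPE;` and the dropped IXGBE_VMOLR_VPE in the `enable` mask reverse the previous behaviour without a comment, and a later reader is likely to "restore" VLAN promiscuous without knowing it lets one VF observe traffic on other VFs' VLANs, the isolation break the commit message describes. Suggest `/* Never set VPE: a promiscuous VF must still only see traffic on its own VLAN. */` directly above the `disable` assignment. ixgbe_update_vf_xcast_mode() starts and ends outside the hunk.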
@@ -0,0 +1,131 @@ +From f2e19b36593caed4c977c2f55aeba7408aeb2132 Mon Sep 17 00:00:00 2001 +From: Martin Faltesek +Date: Mon, 6 Jun 2022 21:57:29 -0500 +Subject: nfc: st21nfca: fix incorrect sizing calculations in EVT_TRANSACTION + +From: Martin Faltesek + +commit f2e19b36593caed4c977c2f55aeba7408aeb2132 upstream. + +The transaction buffer is allocated by using the size of the packet buf, +and subtracting two which seem intended to remove the two tags which are +not present in the target structure. This calculation leads to under +counting memory because of differences between the packet contents and the +target structure. The aid_len field is a u8 in the packet, but a u32 in +the structure, resulting in at least 3 bytes always being under counted. +Further, the aid data is a variable length field in the packet, but fixed +in the structure, so if this field is less than the max, the difference is +added to the under counting. + +The last validation check for transaction->params_len is also incorrect +since it employs the same accounting error. + +To fix, perform validation checks progressively to safely reach the +next field, to determine the size of both buffers and verify both tags. +Once all validation checks pass, allocate the buffer and copy the data. +This eliminates freeing memory on the error path, as those checks are +moved ahead of memory allocation. 
+ +Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support") +Fixes: 4fbcc1a4cb20 ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Faltesek +Reviewed-by: Guenter Roeck +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/st21nfca/se.c | 62 +++++++++++++++++++++++----------------------- + 1 file changed, 31 insertions(+), 31 deletions(-) + +--- a/drivers/nfc/st21nfca/se.c ++++ b/drivers/nfc/st21nfca/se.c +@@ -304,6 +304,8 @@ int st21nfca_connectivity_event_received + int r = 0; + struct device *dev = &hdev->ndev->dev; + struct nfc_evt_transaction *transaction; ++ u32 aid_len; ++ u8 params_len; + + pr_debug("connectivity gate event: %x\n", event); + +@@ -312,50 +314,48 @@ int st21nfca_connectivity_event_received + r = nfc_se_connectivity(hdev->ndev, host); + break; + case ST21NFCA_EVT_TRANSACTION: +- /* +- * According to specification etsi 102 622 ++ /* According to specification etsi 102 622 + * 11.2.2.4 EVT_TRANSACTION Table 52 + * Description Tag Length + * AID 81 5 to 16 + * PARAMETERS 82 0 to 255 ++ * ++ * The key differences are aid storage length is variably sized ++ * in the packet, but fixed in nfc_evt_transaction, and that the aid_len ++ * is u8 in the packet, but u32 in the structure, and the tags in ++ * the packet are not included in nfc_evt_transaction. 
++ * ++ * size in bytes: 1 1 5-16 1 1 0-255 ++ * offset: 0 1 2 aid_len + 2 aid_len + 3 aid_len + 4 ++ * member name: aid_tag(M) aid_len aid params_tag(M) params_len params ++ * example: 0x81 5-16 X 0x82 0-255 X + */ +- if (skb->len < NFC_MIN_AID_LENGTH + 2 || +- skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) ++ if (skb->len < 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) + return -EPROTO; + +- transaction = devm_kzalloc(dev, skb->len - 2, GFP_KERNEL); +- if (!transaction) +- return -ENOMEM; ++ aid_len = skb->data[1]; ++ ++ if (skb->len < aid_len + 4 || aid_len > sizeof(transaction->aid)) ++ return -EPROTO; + +- transaction->aid_len = skb->data[1]; ++ params_len = skb->data[aid_len + 3]; + +- /* Checking if the length of the AID is valid */ +- if (transaction->aid_len > sizeof(transaction->aid)) { +- devm_kfree(dev, transaction); +- return -EINVAL; +- } +- +- memcpy(transaction->aid, &skb->data[2], +- transaction->aid_len); +- +- /* Check next byte is PARAMETERS tag (82) */ +- if (skb->data[transaction->aid_len + 2] != +- NFC_EVT_TRANSACTION_PARAMS_TAG) { +- devm_kfree(dev, transaction); ++ /* Verify PARAMETERS tag is (82), and final check that there is enough ++ * space in the packet to read everything. 
++ */ ++ if ((skb->data[aid_len + 2] != NFC_EVT_TRANSACTION_PARAMS_TAG) || ++ (skb->len < aid_len + 4 + params_len)) + return -EPROTO; +- } + +- transaction->params_len = skb->data[transaction->aid_len + 3]; ++ transaction = devm_kzalloc(dev, sizeof(*transaction) + params_len, GFP_KERNEL); ++ if (!transaction) ++ return -ENOMEM; + +- /* Total size is allocated (skb->len - 2) minus fixed array members */ +- if (transaction->params_len > ((skb->len - 2) - +- sizeof(struct nfc_evt_transaction))) { +- devm_kfree(dev, transaction); +- return -EINVAL; +- } ++ transaction->aid_len = aid_len; ++ transaction->params_len = params_len; + +- memcpy(transaction->params, skb->data + +- transaction->aid_len + 4, transaction->params_len); ++ memcpy(transaction->aid, &skb->data[2], aid_len); ++ memcpy(transaction->params, &skb->data[aid_len + 4], params_len); + + r = nfc_se_transaction(hdev->ndev, host, transaction); + break; diff --git a/queue-5.15/nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch b/queue-5.15/nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch new file mode 100644 index 00000000000..d6442ca358d --- /dev/null +++ b/queue-5.15/nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch 
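Review bot: The rewritten EVT_TRANSACTION parsing in st21nfca_connectivity_event_received() drops the lower bound on the AID: the removed first check rejected `skb->len < NFC_MIN_AID_LENGTH + 2`, while the new `if (skb->len < aid_len + 4 || aid_len > sizeof(transaction->aid))` only caps aid_len from above, so an event carrying a 0 to 4 byte AID is now accepted although the comment table directly above says AID length is 5 to 16. This is not a memory-safety problem, since every `skb->data[]` read and both memcpy()s are covered by the progressive length checks, but it relaxes validation of a payload that arrives from the NFC controller; if the minimum is still meant to hold, `if (aid_len < NFC_MIN_AID_LENGTH || skb->len < aid_len + 4 || aid_len > sizeof(transaction->aid))` restores it. The function starts and ends outside the hunk.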
@@ -0,0 +1,36 @@ +From 77e5fe8f176a525523ae091d6fd0fbb8834c156d Mon Sep 17 00:00:00 2001 +From: Martin Faltesek +Date: Mon, 6 Jun 2022 21:57:27 -0500 +Subject: nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION + +From: Martin Faltesek + +commit 77e5fe8f176a525523ae091d6fd0fbb8834c156d upstream. + +The first validation check for EVT_TRANSACTION has two different checks +tied together with logical AND. One is a check for minimum packet length, +and the other is for a valid aid_tag. If either condition is true (fails), +then an error should be triggered. The fix is to change && to ||. + +Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Faltesek +Reviewed-by: Guenter Roeck +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/st21nfca/se.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nfc/st21nfca/se.c ++++ b/drivers/nfc/st21nfca/se.c +@@ -319,7 +319,7 @@ int st21nfca_connectivity_event_received + * AID 81 5 to 16 + * PARAMETERS 82 0 to 255 + */ +- if (skb->len < NFC_MIN_AID_LENGTH + 2 && ++ if (skb->len < NFC_MIN_AID_LENGTH + 2 || + skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) + return -EPROTO; + diff --git a/queue-5.15/nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch b/queue-5.15/nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch new file mode 100644 index 00000000000..aa58deb4922 --- /dev/null +++ b/queue-5.15/nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch 
@@ -0,0 +1,59 @@ +From 996419e0594abb311fb958553809f24f38e7abbe Mon Sep 17 00:00:00 2001 +From: Martin Faltesek +Date: Mon, 6 Jun 2022 21:57:28 -0500 +Subject: nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling + +From: Martin Faltesek + +commit 996419e0594abb311fb958553809f24f38e7abbe upstream. + +Error paths do not free previously allocated memory. Add devm_kfree() to +those failure paths. + +Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support") +Fixes: 4fbcc1a4cb20 ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Faltesek +Reviewed-by: Guenter Roeck +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/st21nfca/se.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/nfc/st21nfca/se.c ++++ b/drivers/nfc/st21nfca/se.c +@@ -330,22 +330,29 @@ int st21nfca_connectivity_event_received + transaction->aid_len = skb->data[1]; + + /* Checking if the length of the AID is valid */ +- if (transaction->aid_len > sizeof(transaction->aid)) ++ if (transaction->aid_len > sizeof(transaction->aid)) { ++ devm_kfree(dev, transaction); + return -EINVAL; ++ } + + memcpy(transaction->aid, &skb->data[2], + transaction->aid_len); + + /* Check next byte is PARAMETERS tag (82) */ + if (skb->data[transaction->aid_len + 2] != +- NFC_EVT_TRANSACTION_PARAMS_TAG) ++ NFC_EVT_TRANSACTION_PARAMS_TAG) { ++ devm_kfree(dev, transaction); + return -EPROTO; ++ } + + transaction->params_len = skb->data[transaction->aid_len + 3]; + + /* Total size is allocated (skb->len - 2) minus fixed array members */ +- if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction))) ++ if (transaction->params_len > ((skb->len - 2) - ++ sizeof(struct nfc_evt_transaction))) { ++ devm_kfree(dev, transaction); + return -EINVAL; ++ } + + memcpy(transaction->params, skb->data + + transaction->aid_len + 4, 
transaction->params_len); diff --git a/queue-5.15/powerpc-32-fix-overread-overwrite-of-thread_struct-via-ptrace.patch b/queue-5.15/powerpc-32-fix-overread-overwrite-of-thread_struct-via-ptrace.patch new file mode 100644 index 00000000000..644e3b1c636 --- /dev/null +++ b/queue-5.15/powerpc-32-fix-overread-overwrite-of-thread_struct-via-ptrace.patch 
@@ -0,0 +1,119 @@ +From 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 7 Jun 2022 00:34:56 +1000 +Subject: powerpc/32: Fix overread/overwrite of thread_struct via ptrace + +From: Michael Ellerman + +commit 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 upstream. + +The ptrace PEEKUSR/POKEUSR (aka PEEKUSER/POKEUSER) API allows a process +to read/write registers of another process. + +To get/set a register, the API takes an index into an imaginary address +space called the "USER area", where the registers of the process are +laid out in some fashion. + +The kernel then maps that index to a particular register in its own data +structures and gets/sets the value. + +The API only allows a single machine-word to be read/written at a time. +So 4 bytes on 32-bit kernels and 8 bytes on 64-bit kernels. + +The way floating point registers (FPRs) are addressed is somewhat +complicated, because double precision float values are 64-bit even on +32-bit CPUs. That means on 32-bit kernels each FPR occupies two +word-sized locations in the USER area. On 64-bit kernels each FPR +occupies one word-sized location in the USER area. + +Internally the kernel stores the FPRs in an array of u64s, or if VSX is +enabled, an array of pairs of u64s where one half of each pair stores +the FPR. Which half of the pair stores the FPR depends on the kernel's +endianness. + +To handle the different layouts of the FPRs depending on VSX/no-VSX and +big/little endian, the TS_FPR() macro was introduced. + +Unfortunately the TS_FPR() macro does not take into account the fact +that the addressing of each FPR differs between 32-bit and 64-bit +kernels. It just takes the index into the "USER area" passed from +userspace and indexes into the fp_state.fpr array. + +On 32-bit there are 64 indexes that address FPRs, but only 32 entries in +the fp_state.fpr array, meaning the user can read/write 256 bytes past +the end of the array. 
Because the fp_state sits in the middle of the +thread_struct there are various fields than can be overwritten, +including some pointers. As such it may be exploitable. + +It has also been observed to cause systems to hang or otherwise +misbehave when using gdbserver, and is probably the root cause of this +report which could not be easily reproduced: + https://lore.kernel.org/linuxppc-dev/dc38afe9-6b78-f3f5-666b-986939e40fc6@keymile.com/ + +Rather than trying to make the TS_FPR() macro even more complicated to +fix the bug, or add more macros, instead add a special-case for 32-bit +kernels. This is more obvious and hopefully avoids a similar bug +happening again in future. + +Note that because 32-bit kernels never have VSX enabled the code doesn't +need to consider TS_FPRWIDTH/OFFSET at all. Add a BUILD_BUG_ON() to +ensure that 32-bit && VSX is never enabled. + +Fixes: 87fec0514f61 ("powerpc: PTRACE_PEEKUSR/PTRACE_POKEUSER of FPR registers in little endian builds") +Cc: stable@vger.kernel.org # v3.13+ +Reported-by: Ariel Miculas +Tested-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220609133245.573565-1-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/ptrace/ptrace-fpu.c | 20 ++++++++++++++------ + arch/powerpc/kernel/ptrace/ptrace.c | 3 +++ + 2 files changed, 17 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/kernel/ptrace/ptrace-fpu.c ++++ b/arch/powerpc/kernel/ptrace/ptrace-fpu.c +@@ -17,9 +17,13 @@ int ptrace_get_fpr(struct task_struct *c + + #ifdef CONFIG_PPC_FPU_REGS + flush_fp_to_thread(child); +- if (fpidx < (PT_FPSCR - PT_FPR0)) +- memcpy(data, &child->thread.TS_FPR(fpidx), sizeof(long)); +- else ++ if (fpidx < (PT_FPSCR - PT_FPR0)) { ++ if (IS_ENABLED(CONFIG_PPC32)) ++ // On 32-bit the index we are passed refers to 32-bit words ++ *data = ((u32 *)child->thread.fp_state.fpr)[fpidx]; ++ else ++ memcpy(data, &child->thread.TS_FPR(fpidx), sizeof(long)); ++ } else + *data = 
child->thread.fp_state.fpscr; + #else + *data = 0; +@@ -39,9 +43,13 @@ int ptrace_put_fpr(struct task_struct *c + + #ifdef CONFIG_PPC_FPU_REGS + flush_fp_to_thread(child); +- if (fpidx < (PT_FPSCR - PT_FPR0)) +- memcpy(&child->thread.TS_FPR(fpidx), &data, sizeof(long)); +- else ++ if (fpidx < (PT_FPSCR - PT_FPR0)) { ++ if (IS_ENABLED(CONFIG_PPC32)) ++ // On 32-bit the index we are passed refers to 32-bit words ++ ((u32 *)child->thread.fp_state.fpr)[fpidx] = data; ++ else ++ memcpy(&child->thread.TS_FPR(fpidx), &data, sizeof(long)); ++ } else + child->thread.fp_state.fpscr = data; + #endif + +--- a/arch/powerpc/kernel/ptrace/ptrace.c ++++ b/arch/powerpc/kernel/ptrace/ptrace.c +@@ -446,4 +446,7 @@ void __init pt_regs_check(void) + * real registers. + */ + BUILD_BUG_ON(PT_DSCR < sizeof(struct user_pt_regs) / sizeof(unsigned long)); ++ ++ // ptrace_get/put_fpr() rely on PPC32 and VSX being incompatible ++ BUILD_BUG_ON(IS_ENABLED(CONFIG_PPC32) && IS_ENABLED(CONFIG_VSX)); + } diff --git a/queue-5.15/powerpc-don-t-select-have_irq_exit_on_irq_stack.patch b/queue-5.15/powerpc-don-t-select-have_irq_exit_on_irq_stack.patch new file mode 100644 index 00000000000..50c0ec13106 --- /dev/null +++ b/queue-5.15/powerpc-don-t-select-have_irq_exit_on_irq_stack.patch 
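Review bot: The new 32-bit branch in ptrace_get_fpr(), mirrored in ptrace_put_fpr(), indexes `child->thread.fp_state.fpr` as an array of u32 words for every `fpidx < (PT_FPSCR - PT_FPR0)`, but nothing in either hunk ties that bound to the number of u32 words `fpr` actually holds, and the BUILD_BUG_ON added to pt_regs_check() only asserts that PPC32 and VSX are exclusive. If `PT_FPSCR - PT_FPR0` exceeds 2 * 32 on 32-bit (I cannot confirm the uapi values from this hunk), the highest accepted index reads or writes the member that follows `fpr` in thread_fp_state rather than an FPR, so a companion `BUILD_BUG_ON()` comparing `(PT_FPSCR - PT_FPR0) * sizeof(u32)` with the size of the `fpr` array, or a comment stating which slot the top index is meant to alias, would make the assumption explicit and checkable. As a point of style, `if (fpidx < (PT_FPSCR - PT_FPR0)) { ... } else` now pairs a braced arm with an unbraced one in both functions; kernel style braces both arms once either needs braces. Both functions start outside the hunk.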
@@ -0,0 +1,52 @@
+From 1346d00e1bdfd4067f92bc14e8a6131a01de4190 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman
+Date: Wed, 25 May 2022 13:26:39 +1000
+Subject: powerpc: Don't select HAVE_IRQ_EXIT_ON_IRQ_STACK
+
+From: Michael Ellerman
+
+commit 1346d00e1bdfd4067f92bc14e8a6131a01de4190 upstream.
+
+The HAVE_IRQ_EXIT_ON_IRQ_STACK option tells generic code that irq_exit()
+is called while still running on the hard irq stack (hardirq_ctx[] in
+the powerpc code).
+
+Selecting the option means the generic code will *not* switch to the
+softirq stack before running softirqs, because the code is already
+running on the (mostly empty) hard irq stack.
+
+But since commit 1b1b6a6f4cc0 ("powerpc: handle irq_enter/irq_exit in
+interrupt handler wrappers"), irq_exit() is now called on the regular task
+stack, not the hard irq stack.
+
+That's because previously irq_exit() was called in __do_irq() which is
+run on the hard irq stack, but now it is called in
+interrupt_async_exit_prepare() which is called from do_irq() constructed
+by the wrapper macro, which is after the switch back to the task stack.
+
+So drop HAVE_IRQ_EXIT_ON_IRQ_STACK from the Kconfig. This will mean an
+extra stack switch when processing some interrupts, but should
+significantly reduce the likelihood of stack overflow.
+
+It also means the softirq stack will be used for running softirqs from
+other interrupts that don't use the hard irq stack, eg. timer interrupts.
+
+Fixes: 1b1b6a6f4cc0 ("powerpc: handle irq_enter/irq_exit in interrupt handler wrappers")
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220525032639.1947280-1-mpe@ellerman.id.au
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -217,7 +217,6 @@ config PPC
+ select HAVE_HARDLOCKUP_DETECTOR_PERF if PERF_EVENTS && HAVE_PERF_EVENTS_NMI && !HAVE_HARDLOCKUP_DETECTOR_ARCH
+ select HAVE_HW_BREAKPOINT if PERF_EVENTS && (PPC_BOOK3S || PPC_8xx)
+ select HAVE_IOREMAP_PROT
+- select HAVE_IRQ_EXIT_ON_IRQ_STACK
+ select HAVE_IRQ_TIME_ACCOUNTING
+ select HAVE_KERNEL_GZIP
+ select HAVE_KERNEL_LZMA if DEFAULT_UIMAGE
diff --git a/queue-5.15/powerpc-mm-switch-obsolete-dssall-to-.long.patch b/queue-5.15/powerpc-mm-switch-obsolete-dssall-to-.long.patch
new file mode 100644
index 00000000000..45337dedcef
--- /dev/null
+++ b/queue-5.15/powerpc-mm-switch-obsolete-dssall-to-.long.patch
@@ -0,0 +1,152 @@
+From d51f86cfd8e378d4907958db77da3074f6dce3ba Mon Sep 17 00:00:00 2001
+From: Alexey Kardashevskiy
+Date: Tue, 21 Dec 2021 16:59:03 +1100
+Subject: powerpc/mm: Switch obsolete dssall to .long
+
+From: Alexey Kardashevskiy
+
+commit d51f86cfd8e378d4907958db77da3074f6dce3ba upstream.
+
+The dssall ("Data Stream Stop All") instruction is obsolete altogether
+with other Data Cache Instructions since ISA 2.03 (year 2006).
+
+LLVM IAS does not support it but PPC970 seems to be using it.
+This switches dssall to .long as there is no much point in fixing LLVM.
+
+Signed-off-by: Alexey Kardashevskiy
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20211221055904.555763-6-aik@ozlabs.ru
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/include/asm/ppc-opcode.h | 2 ++
+ arch/powerpc/kernel/idle.c | 2 +-
+ arch/powerpc/kernel/idle_6xx.S | 2 +-
+ arch/powerpc/kernel/l2cr_6xx.S | 6 +++---
+ arch/powerpc/kernel/swsusp_32.S | 2 +-
+ arch/powerpc/kernel/swsusp_asm64.S | 2 +-
+ arch/powerpc/mm/mmu_context.c | 2 +-
+ arch/powerpc/platforms/powermac/cache.S | 4 ++--
+ 8 files changed, 12 insertions(+), 10 deletions(-)
+
+--- a/arch/powerpc/include/asm/ppc-opcode.h
++++ b/arch/powerpc/include/asm/ppc-opcode.h
+@@ -249,6 +249,7 @@
+ #define PPC_INST_COPY 0x7c20060c
+ #define PPC_INST_DCBA 0x7c0005ec
+ #define PPC_INST_DCBA_MASK 0xfc0007fe
++#define PPC_INST_DSSALL 0x7e00066c
+ #define PPC_INST_ISEL 0x7c00001e
+ #define PPC_INST_ISEL_MASK 0xfc00003e
+ #define PPC_INST_LSWI 0x7c0004aa
+@@ -576,6 +577,7 @@
+ #define PPC_DCBZL(a, b) stringify_in_c(.long PPC_RAW_DCBZL(a, b))
+ #define PPC_DIVDE(t, a, b) stringify_in_c(.long PPC_RAW_DIVDE(t, a, b))
+ #define PPC_DIVDEU(t, a, b) stringify_in_c(.long PPC_RAW_DIVDEU(t, a, b))
++#define PPC_DSSALL stringify_in_c(.long PPC_INST_DSSALL)
+ #define PPC_LQARX(t, a, b, eh) stringify_in_c(.long PPC_RAW_LQARX(t, a, b, eh))
+ #define PPC_STQCX(t, a, b) stringify_in_c(.long PPC_RAW_STQCX(t, a, b))
+ #define 
PPC_MADDHD(t, a, b, c) stringify_in_c(.long PPC_RAW_MADDHD(t, a, b, c))
+--- a/arch/powerpc/kernel/idle.c
++++ b/arch/powerpc/kernel/idle.c
+@@ -82,7 +82,7 @@ void power4_idle(void)
+ return;
+ 
+ if (cpu_has_feature(CPU_FTR_ALTIVEC))
+- asm volatile("DSSALL ; sync" ::: "memory");
++ asm volatile(PPC_DSSALL " ; sync" ::: "memory");
+ 
+ power4_idle_nap();
+ 
+--- a/arch/powerpc/kernel/idle_6xx.S
++++ b/arch/powerpc/kernel/idle_6xx.S
+@@ -129,7 +129,7 @@ BEGIN_FTR_SECTION
+ END_FTR_SECTION_IFCLR(CPU_FTR_NO_DPM)
+ mtspr SPRN_HID0,r4
+ BEGIN_FTR_SECTION
+- DSSALL
++ PPC_DSSALL
+ sync
+ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
+ lwz r8,TI_LOCAL_FLAGS(r2) /* set napping bit */
+--- a/arch/powerpc/kernel/l2cr_6xx.S
++++ b/arch/powerpc/kernel/l2cr_6xx.S
+@@ -96,7 +96,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_L2CR)
+ 
+ /* Stop DST streams */
+ BEGIN_FTR_SECTION
+- DSSALL
++ PPC_DSSALL
+ sync
+ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
+ 
+@@ -292,7 +292,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_L3CR)
+ isync
+ 
+ /* Stop DST streams */
+- DSSALL
++ PPC_DSSALL
+ sync
+ 
+ /* Get the current enable bit of the L3CR into r4 */
+@@ -401,7 +401,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_L3CR)
+ _GLOBAL(__flush_disable_L1)
+ /* Stop pending alitvec streams and memory accesses */
+ BEGIN_FTR_SECTION
+- DSSALL
++ PPC_DSSALL
+ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
+ sync
+ 
+--- a/arch/powerpc/kernel/swsusp_32.S
++++ b/arch/powerpc/kernel/swsusp_32.S
+@@ -181,7 +181,7 @@ _GLOBAL(swsusp_arch_resume)
+ #ifdef CONFIG_ALTIVEC
+ /* Stop pending alitvec streams and memory accesses */
+ BEGIN_FTR_SECTION
+- DSSALL
++ PPC_DSSALL
+ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
+ #endif
+ sync
+--- a/arch/powerpc/kernel/swsusp_asm64.S
++++ b/arch/powerpc/kernel/swsusp_asm64.S
+@@ -142,7 +142,7 @@ END_FW_FTR_SECTION_IFCLR(FW_FEATURE_LPAR
+ _GLOBAL(swsusp_arch_resume)
+ /* Stop pending alitvec streams and memory accesses */
+ BEGIN_FTR_SECTION
+- DSSALL
++ PPC_DSSALL
+ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
+ sync
+ 
+--- 
a/arch/powerpc/mm/mmu_context.c
++++ b/arch/powerpc/mm/mmu_context.c
+@@ -81,7 +81,7 @@ void switch_mm_irqs_off(struct mm_struct
+ * context
+ */
+ if (cpu_has_feature(CPU_FTR_ALTIVEC))
+- asm volatile ("dssall");
++ asm volatile (PPC_DSSALL);
+ 
+ if (!new_on_cpu)
+ membarrier_arch_switch_mm(prev, next, tsk);
+--- a/arch/powerpc/platforms/powermac/cache.S
++++ b/arch/powerpc/platforms/powermac/cache.S
+@@ -48,7 +48,7 @@ flush_disable_75x:
+ 
+ /* Stop DST streams */
+ BEGIN_FTR_SECTION
+- DSSALL
++ PPC_DSSALL
+ sync
+ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
+ 
+@@ -197,7 +197,7 @@ flush_disable_745x:
+ isync
+ 
+ /* Stop prefetch streams */
+- DSSALL
++ PPC_DSSALL
+ sync
+ 
+ /* Disable L2 prefetching */
diff --git a/queue-5.15/series b/queue-5.15/series
index 6ef9e7ab773..1495d0230db 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -225,3 +225,17 @@ mmc-block-fix-cqe-recovery-reset-success.patch
 net-phy-dp83867-retrigger-sgmii-an-when-link-change.patch
 net-openvswitch-fix-misuse-of-the-cached-connection-on-tuple-changes.patch
 writeback-fix-inode-i_io_list-not-be-protected-by-inode-i_lock-error.patch
+nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch
+nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch
+nfc-st21nfca-fix-incorrect-sizing-calculations-in-evt_transaction.patch
+ixgbe-fix-bcast-packets-rx-on-vf-after-promisc-removal.patch
+ixgbe-fix-unexpected-vlan-rx-in-promisc-mode-on-vf.patch
+input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch
+vduse-fix-null-pointer-dereference-on-sysfs-access.patch
+powerpc-don-t-select-have_irq_exit_on_irq_stack.patch
+drm-bridge-analogix_dp-support-psr-exit-to-disable-transition.patch
+drm-atomic-force-bridge-self-refresh-exit-on-crtc-switch.patch
+drm-amdgpu-update-vcn-codec-support-for-yellow-carp.patch
+powerpc-32-fix-overread-overwrite-of-thread_struct-via-ptrace.patch
+powerpc-mm-switch-obsolete-dssall-to-.long.patch
+drm-ast-create-threshold-values-for-ast2600.patch
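Review bot: The new `#define PPC_INST_DSSALL 0x7e00066c` in ppc-opcode.h is a bare hex literal with nothing tying it to the instruction it replaces, so a reader cannot check it without decoding by hand; a comment such as `/* dssall: primary opcode 31, XO 822, A=1 — obsolete since ISA 2.03, rejected by LLVM IAS */` next to the define would make the encoding verifiable. The two C call sites also end up with different constraints after the rewrite: power4_idle() in idle.c keeps `::: "memory"`, while switch_mm_irqs_off() in mmu_context.c keeps `asm volatile (PPC_DSSALL);` with no clobber at all; that asymmetry predates this patch, but since both lines are being rewritten it is worth either aligning them or adding a one-line comment saying why the mmu_context.c form needs no memory clobber. The enclosing functions in idle.c and mmu_context.c start outside the hunk.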
diff --git a/queue-5.15/vduse-fix-null-pointer-dereference-on-sysfs-access.patch b/queue-5.15/vduse-fix-null-pointer-dereference-on-sysfs-access.patch
new file mode 100644
index 00000000000..68b090b491f
--- /dev/null
+++ b/queue-5.15/vduse-fix-null-pointer-dereference-on-sysfs-access.patch
@@ -0,0 +1,68 @@
+From b27ee76c74dc831d6e092eaebc2dfc9c0beed1c9 Mon Sep 17 00:00:00 2001
+From: Xie Yongji
+Date: Tue, 26 Apr 2022 15:36:56 +0800
+Subject: vduse: Fix NULL pointer dereference on sysfs access
+
+From: Xie Yongji
+
+commit b27ee76c74dc831d6e092eaebc2dfc9c0beed1c9 upstream.
+
+The control device has no drvdata. So we will get a
+NULL pointer dereference when accessing control
+device's msg_timeout attribute via sysfs:
+
+[ 132.841881][ T3644] BUG: kernel NULL pointer dereference, address: 00000000000000f8
+[ 132.850619][ T3644] RIP: 0010:msg_timeout_show (drivers/vdpa/vdpa_user/vduse_dev.c:1271)
+[ 132.869447][ T3644] dev_attr_show (drivers/base/core.c:2094)
+[ 132.870215][ T3644] sysfs_kf_seq_show (fs/sysfs/file.c:59)
+[ 132.871164][ T3644] ? device_remove_bin_file (drivers/base/core.c:2088)
+[ 132.872082][ T3644] kernfs_seq_show (fs/kernfs/file.c:164)
+[ 132.872838][ T3644] seq_read_iter (fs/seq_file.c:230)
+[ 132.873578][ T3644] ? __vmalloc_area_node (mm/vmalloc.c:3041)
+[ 132.874532][ T3644] kernfs_fop_read_iter (fs/kernfs/file.c:238)
+[ 132.875513][ T3644] __kernel_read (fs/read_write.c:440 (discriminator 1))
+[ 132.876319][ T3644] kernel_read (fs/read_write.c:459)
+[ 132.877129][ T3644] kernel_read_file (fs/kernel_read_file.c:94)
+[ 132.877978][ T3644] kernel_read_file_from_fd (include/linux/file.h:45 fs/kernel_read_file.c:186)
+[ 132.879019][ T3644] __do_sys_finit_module (kernel/module.c:4207)
+[ 132.879930][ T3644] __ia32_sys_finit_module (kernel/module.c:4189)
+[ 132.880930][ T3644] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132)
+[ 132.881847][ T3644] entry_INT80_compat (arch/x86/entry/entry_64_compat.S:419)
+
+To fix it, don't create the unneeded attribute for
+control device anymore.
+
+Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
+Reported-by: kernel test robot
+Cc: stable@vger.kernel.org
+Signed-off-by: Xie Yongji
+Message-Id: <20220426073656.229-1-xieyongji@bytedance.com>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vdpa/vdpa_user/vduse_dev.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/vdpa/vdpa_user/vduse_dev.c
++++ b/drivers/vdpa/vdpa_user/vduse_dev.c
+@@ -1336,9 +1336,9 @@ static int vduse_create_dev(struct vduse
+ 
+ dev->minor = ret;
+ dev->msg_timeout = VDUSE_MSG_DEFAULT_TIMEOUT;
+- dev->dev = device_create(vduse_class, NULL,
+- MKDEV(MAJOR(vduse_major), dev->minor),
+- dev, "%s", config->name);
++ dev->dev = device_create_with_groups(vduse_class, NULL,
++ MKDEV(MAJOR(vduse_major), dev->minor),
++ dev, vduse_dev_groups, "%s", config->name);
+ if (IS_ERR(dev->dev)) {
+ ret = PTR_ERR(dev->dev);
+ goto err_dev;
+@@ -1585,7 +1585,6 @@ static int vduse_init(void)
+ return PTR_ERR(vduse_class);
+ 
+ vduse_class->devnode = vduse_devnode;
+- vduse_class->dev_groups = vduse_dev_groups;
+ 
+ ret = alloc_chrdev_region(&vduse_major, 0, VDUSE_DEV_MAX, "vduse");
+ if (ret)
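Review bot: The `device_create_with_groups(...)` call in vduse_create_dev() now carries an invariant that nothing in the code records: `vduse_dev_groups` must be attached per device rather than through `vduse_class->dev_groups` because the control device has no drvdata, and the trace in the description shows msg_timeout_show() dereferencing that NULL. A one-line comment at the call site, e.g. `/* Per-device, not class-wide: the control device has no drvdata and must not expose msg_timeout. */`, would stop a later cleanup from moving the group back onto the class and reintroducing the crash. As a second line of defence, since the show/store callbacks presumably still read drvdata unconditionally, a guard such as `if (!dev) return -ENODEV;` in msg_timeout_show()/msg_timeout_store() would keep them safe regardless of where the group is attached; those callbacks and the `vduse_dev_groups` definition are outside this hunk.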