From: Sasha Levin Date: Wed, 10 Apr 2024 15:57:05 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.19.312~54 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5ff794b02ab22332de13ca7f0d74203dcecc1b44;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/arm64-dts-rockchip-fix-rk3328-hdmi-ports-node.patch b/queue-5.4/arm64-dts-rockchip-fix-rk3328-hdmi-ports-node.patch new file mode 100644 index 00000000000..8cfb0efc5f7 --- /dev/null +++ b/queue-5.4/arm64-dts-rockchip-fix-rk3328-hdmi-ports-node.patch @@ -0,0 +1,49 @@ +From 6ed79a096053abe848f6db84cfc5941d2ee2f1f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 22:17:08 +0100 +Subject: arm64: dts: rockchip: fix rk3328 hdmi ports node + +From: Johan Jonker + +[ Upstream commit 1d00ba4700d1e0f88ae70d028d2e17e39078fa1c ] + +Fix rk3328 hdmi ports node so that it matches the +rockchip,dw-hdmi.yaml binding. + +Signed-off-by: Johan Jonker +Link: https://lore.kernel.org/r/e5dea3b7-bf84-4474-9530-cc2da3c41104@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3328.dtsi | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3328.dtsi b/arch/arm64/boot/dts/rockchip/rk3328.dtsi +index 6ddb6b8c1fad5..ef45d5607ea1f 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3328.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3328.dtsi +@@ -684,11 +684,20 @@ hdmi: hdmi@ff3c0000 { + status = "disabled"; + + ports { +- hdmi_in: port { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ hdmi_in: port@0 { ++ reg = <0>; ++ + hdmi_in_vop: endpoint { + remote-endpoint = <&vop_out_hdmi>; + }; + }; ++ ++ hdmi_out: port@1 { ++ reg = <1>; ++ }; + }; + }; + +-- +2.43.0 + diff --git a/queue-5.4/arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch b/queue-5.4/arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch new file mode 100644 index 00000000000..7310ac01e17 --- /dev/null +++ b/queue-5.4/arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch @@ -0,0 +1,65 @@ +From 9fdf332b53b17b92ed18dded09f5494dad6f049b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 22:17:31 +0100 +Subject: arm64: dts: rockchip: fix rk3399 hdmi ports node + +From: Johan Jonker + +[ Upstream commit f051b6ace7ffcc48d6d1017191f167c0a85799f6 ] + +Fix rk3399 hdmi ports node so that it matches the +rockchip,dw-hdmi.yaml binding. + +Signed-off-by: Johan Jonker +Link: https://lore.kernel.org/r/a6ab6f75-3b80-40b1-bd30-3113e14becdd@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399.dtsi | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi +index 4496f7e1c68f8..e5a25bc7d7997 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi +@@ -1743,6 +1743,7 @@ simple-audio-card,codec { + hdmi: hdmi@ff940000 { + compatible = "rockchip,rk3399-dw-hdmi"; + reg = <0x0 0xff940000 0x0 0x20000>; ++ reg-io-width = <4>; + interrupts = ; + clocks = <&cru PCLK_HDMI_CTRL>, + <&cru SCLK_HDMI_SFR>, +@@ -1751,13 +1752,16 @@ hdmi: hdmi@ff940000 { + <&cru PLL_VPLL>; + clock-names = "iahb", "isfr", "cec", "grf", "vpll"; + power-domains = <&power RK3399_PD_HDCP>; +- reg-io-width = <4>; + rockchip,grf = <&grf>; + #sound-dai-cells = <0>; + status = "disabled"; + + ports { +- hdmi_in: port { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ hdmi_in: port@0 { ++ reg = <0>; + #address-cells = <1>; + #size-cells = <0>; + +@@ -1770,6 +1774,10 @@ hdmi_in_vopl: endpoint@1 { + remote-endpoint = <&vopl_out_hdmi>; + }; + }; ++ ++ hdmi_out: port@1 { ++ reg = <1>; ++ }; + }; + }; + +-- +2.43.0 + diff --git a/queue-5.4/batman-adv-improve-exception-handling-in-batadv_thro.patch b/queue-5.4/batman-adv-improve-exception-handling-in-batadv_thro.patch new file mode 100644 index 00000000000..46101944239 --- /dev/null +++ b/queue-5.4/batman-adv-improve-exception-handling-in-batadv_thro.patch @@ -0,0 +1,71 @@ +From 68e2162172df8f83a3a8a9f723c6352e12bc848f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jan 2024 07:52:21 +0100 +Subject: batman-adv: Improve exception handling in batadv_throw_uevent() + +From: Markus Elfring + +[ Upstream commit 5593e9abf1cf2bf096366d8c7fd933bc69d561ce ] + +The kfree() function was called in up to three cases by +the batadv_throw_uevent() function during error handling +even if the passed variable contained a null pointer. +This issue was detected by using the Coccinelle software. + +* Thus adjust jump targets. + +* Reorder kfree() calls at the end. + +Signed-off-by: Markus Elfring +Acked-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/main.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c +index 6a183c94cdeb4..62425d19bd598 100644 +--- a/net/batman-adv/main.c ++++ b/net/batman-adv/main.c +@@ -733,29 +733,31 @@ int batadv_throw_uevent(struct batadv_priv *bat_priv, enum batadv_uev_type type, + "%s%s", BATADV_UEV_TYPE_VAR, + batadv_uev_type_str[type]); + if (!uevent_env[0]) +- goto out; ++ goto report_error; + + uevent_env[1] = kasprintf(GFP_ATOMIC, + "%s%s", BATADV_UEV_ACTION_VAR, + batadv_uev_action_str[action]); + if (!uevent_env[1]) +- goto out; ++ goto free_first_env; + + /* If the event is DEL, ignore the data field */ + if (action != BATADV_UEV_DEL) { + uevent_env[2] = kasprintf(GFP_ATOMIC, + "%s%s", BATADV_UEV_DATA_VAR, data); + if (!uevent_env[2]) +- goto out; ++ goto free_second_env; + } + + ret = kobject_uevent_env(bat_kobj, KOBJ_CHANGE, uevent_env); +-out: +- kfree(uevent_env[0]); +- kfree(uevent_env[1]); + kfree(uevent_env[2]); ++free_second_env: ++ kfree(uevent_env[1]); ++free_first_env: ++ kfree(uevent_env[0]); + + if (ret) ++report_error: + batadv_dbg(BATADV_DBG_BATMAN, bat_priv, + "Impossible to send uevent for (%s,%s,%s) event (err: %d)\n", + batadv_uev_type_str[type], +-- +2.43.0 + diff --git a/queue-5.4/batman-adv-return-directly-after-a-failed-batadv_dat.patch b/queue-5.4/batman-adv-return-directly-after-a-failed-batadv_dat.patch new file mode 100644 index 00000000000..dceaea70788 --- /dev/null +++ b/queue-5.4/batman-adv-return-directly-after-a-failed-batadv_dat.patch @@ -0,0 +1,55 @@ +From f27fcbf6221bd122452855ed787af2da2e186aa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jan 2024 07:27:45 +0100 +Subject: batman-adv: Return directly after a failed + batadv_dat_select_candidates() in batadv_dat_forward_data() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Elfring + +[ Upstream commit ffc15626c861f811f9778914be004fcf43810a91 ] + +The kfree() function was called in one case by +the batadv_dat_forward_data() function during error handling +even if the passed variable contained a null pointer. +This issue was detected by using the Coccinelle software. + +* Thus return directly after a batadv_dat_select_candidates() call failed + at the beginning. + +* Delete the label “out” which became unnecessary with this refactoring. + +Signed-off-by: Markus Elfring +Acked-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/distributed-arp-table.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c +index dda62dcd59c8a..c5b7e9994a018 100644 +--- a/net/batman-adv/distributed-arp-table.c ++++ b/net/batman-adv/distributed-arp-table.c +@@ -682,7 +682,7 @@ static bool batadv_dat_forward_data(struct batadv_priv *bat_priv, + + cand = batadv_dat_select_candidates(bat_priv, ip, vid); + if (!cand) +- goto out; ++ return ret; + + batadv_dbg(BATADV_DBG_DAT, bat_priv, "DHT_SEND for %pI4\n", &ip); + +@@ -726,7 +726,6 @@ static bool batadv_dat_forward_data(struct batadv_priv *bat_priv, + batadv_orig_node_put(cand[i].orig_node); + } + +-out: + kfree(cand); + return ret; + } +-- +2.43.0 + diff --git a/queue-5.4/block-prevent-division-by-zero-in-blk_rq_stat_sum.patch b/queue-5.4/block-prevent-division-by-zero-in-blk_rq_stat_sum.patch new file mode 100644 index 00000000000..1f073fdad92 --- /dev/null +++ b/queue-5.4/block-prevent-division-by-zero-in-blk_rq_stat_sum.patch @@ -0,0 +1,40 @@ +From d5a2ba7f3c05dba0dacb7bfc62bbfbcc74f608d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 16:45:09 +0300 +Subject: block: prevent division by zero in blk_rq_stat_sum() + +From: Roman Smirnov + +[ Upstream commit 93f52fbeaf4b676b21acfe42a5152620e6770d02 ] + +The expression dst->nr_samples + src->nr_samples may +have zero value on overflow. It is necessary to add +a check to avoid division by zero. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Signed-off-by: Roman Smirnov +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20240305134509.23108-1-r.smirnov@omp.ru +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-stat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-stat.c b/block/blk-stat.c +index 940f15d600f8a..af482d8f9f7a4 100644 +--- a/block/blk-stat.c ++++ b/block/blk-stat.c +@@ -28,7 +28,7 @@ void blk_rq_stat_init(struct blk_rq_stat *stat) + /* src is a per-cpu stat, mean isn't initialized */ + void blk_rq_stat_sum(struct blk_rq_stat *dst, struct blk_rq_stat *src) + { +- if (!src->nr_samples) ++ if (dst->nr_samples + src->nr_samples <= dst->nr_samples) + return; + + dst->min = min(dst->min, src->min); +-- +2.43.0 + diff --git a/queue-5.4/bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch b/queue-5.4/bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch new file mode 100644 index 00000000000..8499e09324a --- /dev/null +++ b/queue-5.4/bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch @@ -0,0 +1,36 @@ +From 88eb04b356c85876f9f7cda760c67733f8765196 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 12:40:34 +0800 +Subject: Bluetooth: btintel: Fix null ptr deref in btintel_read_version + +From: Edward Adam Davis + +[ Upstream commit b79e040910101b020931ba0c9a6b77e81ab7f645 ] + +If hci_cmd_sync_complete() is triggered and skb is NULL, then +hdev->req_skb is NULL, which will cause this issue. + +Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btintel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c +index bb99c8653aabf..5694dd63c1459 100644 +--- a/drivers/bluetooth/btintel.c ++++ b/drivers/bluetooth/btintel.c +@@ -340,7 +340,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver) + struct sk_buff *skb; + + skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT); +- if (IS_ERR(skb)) { ++ if (IS_ERR_OR_NULL(skb)) { + bt_dev_err(hdev, "Reading Intel version information failed (%ld)", + PTR_ERR(skb)); + return PTR_ERR(skb); +-- +2.43.0 + diff --git a/queue-5.4/btrfs-export-handle-invalid-inode-or-root-reference-.patch b/queue-5.4/btrfs-export-handle-invalid-inode-or-root-reference-.patch new file mode 100644 index 00000000000..741c4506d90 --- /dev/null +++ b/queue-5.4/btrfs-export-handle-invalid-inode-or-root-reference-.patch @@ -0,0 +1,48 @@ +From c83981690979dbe7d610b1746cb7e56d8d9ae174 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 21:19:18 +0100 +Subject: btrfs: export: handle invalid inode or root reference in + btrfs_get_parent() + +From: David Sterba + +[ Upstream commit 26b66d1d366a375745755ca7365f67110bbf6bd5 ] + +The get_parent handler looks up a parent of a given dentry, this can be +either a subvolume or a directory. The search is set up with offset -1 +but it's never expected to find such item, as it would break allowed +range of inode number or a root id. This means it's a corruption (ext4 +also returns this error code). + +Reviewed-by: Josef Bacik +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/export.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/export.c b/fs/btrfs/export.c +index 6e4727304b7b4..08d1d456e2f0f 100644 +--- a/fs/btrfs/export.c ++++ b/fs/btrfs/export.c +@@ -182,8 +182,15 @@ struct dentry *btrfs_get_parent(struct dentry *child) + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) + goto fail; ++ if (ret == 0) { ++ /* ++ * Key with offset of -1 found, there would have to exist an ++ * inode with such number or a root with such id. ++ */ ++ ret = -EUCLEAN; ++ goto fail; ++ } + +- BUG_ON(ret == 0); /* Key with offset of -1 found */ + if (path->slots[0] == 0) { + ret = -ENOENT; + goto fail; +-- +2.43.0 + diff --git a/queue-5.4/btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch b/queue-5.4/btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch new file mode 100644 index 00000000000..5ce8e66f7b4 --- /dev/null +++ b/queue-5.4/btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch @@ -0,0 +1,56 @@ +From cea6a0ac777416d4b194b31c01360ddd91d8e1e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jan 2024 23:42:29 +0100 +Subject: btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() + +From: David Sterba + +[ Upstream commit 7411055db5ce64f836aaffd422396af0075fdc99 ] + +The unhandled case in btrfs_relocate_sys_chunks() loop is a corruption, +as it could be caused only by two impossible conditions: + +- at first the search key is set up to look for a chunk tree item, with + offset -1, this is an inexact search and the key->offset will contain + the correct offset upon a successful search, a valid chunk tree item + cannot have an offset -1 + +- after first successful search, the found_key corresponds to a chunk + item, the offset is decremented by 1 before the next loop, it's + impossible to find a chunk item there due to alignment and size + constraints + +Reviewed-by: Josef Bacik +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 5539e672d70a3..d7014b2b28d6a 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -3268,7 +3268,17 @@ static int btrfs_relocate_sys_chunks(struct btrfs_fs_info *fs_info) + mutex_unlock(&fs_info->delete_unused_bgs_mutex); + goto error; + } +- BUG_ON(ret == 0); /* Corruption */ ++ if (ret == 0) { ++ /* ++ * On the first search we would find chunk tree with ++ * offset -1, which is not possible. On subsequent ++ * loops this would find an existing item on an invalid ++ * offset (one less than the previous one, wrong ++ * alignment and size). ++ */ ++ ret = -EUCLEAN; ++ goto error; ++ } + + ret = btrfs_previous_item(chunk_root, path, key.objectid, + key.type); +-- +2.43.0 + diff --git a/queue-5.4/btrfs-send-handle-path-ref-underflow-in-header-itera.patch b/queue-5.4/btrfs-send-handle-path-ref-underflow-in-header-itera.patch new file mode 100644 index 00000000000..2255f18a64e --- /dev/null +++ b/queue-5.4/btrfs-send-handle-path-ref-underflow-in-header-itera.patch @@ -0,0 +1,43 @@ +From 40f6e048140ed9427f4fa71c3afc23bbfa397c26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 22:47:13 +0100 +Subject: btrfs: send: handle path ref underflow in header iterate_inode_ref() + +From: David Sterba + +[ Upstream commit 3c6ee34c6f9cd12802326da26631232a61743501 ] + +Change BUG_ON to proper error handling if building the path buffer +fails. The pointers are not printed so we don't accidentally leak kernel +addresses. + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index 0dfa88ac01393..576c027909f8a 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -973,7 +973,15 @@ static int iterate_inode_ref(struct btrfs_root *root, struct btrfs_path *path, + ret = PTR_ERR(start); + goto out; + } +- BUG_ON(start < p->buf); ++ if (unlikely(start < p->buf)) { ++ btrfs_err(root->fs_info, ++ "send: path ref buffer underflow for key (%llu %u %llu)", ++ found_key->objectid, ++ found_key->type, ++ found_key->offset); ++ ret = -EINVAL; ++ goto out; ++ } + } + p->start = start; + } else { +-- +2.43.0 + diff --git a/queue-5.4/drm-amd-display-fix-nanosec-stat-overflow.patch b/queue-5.4/drm-amd-display-fix-nanosec-stat-overflow.patch new file mode 100644 index 00000000000..074040a0852 --- /dev/null +++ b/queue-5.4/drm-amd-display-fix-nanosec-stat-overflow.patch @@ -0,0 +1,45 @@ +From ba003b8ec5283377539f17b06152e0d553abd2e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2019 11:53:52 -0400 +Subject: drm/amd/display: Fix nanosec stat overflow + +From: Aric Cyr + +[ Upstream commit 14d68acfd04b39f34eea7bea65dda652e6db5bf6 ] + +[Why] +Nanosec stats can overflow on long running systems potentially causing +statistic logging issues. + +[How] +Use 64bit types for nanosec stats to ensure no overflow. + +Reviewed-by: Rodrigo Siqueira +Tested-by: Daniel Wheeler +Signed-off-by: Aric Cyr +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/modules/inc/mod_stats.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h b/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h +index 3812094b52e8f..88b312c3eb43a 100644 +--- a/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h ++++ b/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h +@@ -51,10 +51,10 @@ void mod_stats_update_event(struct mod_stats *mod_stats, + unsigned int length); + + void mod_stats_update_flip(struct mod_stats *mod_stats, +- unsigned long timestamp_in_ns); ++ unsigned long long timestamp_in_ns); + + void mod_stats_update_vupdate(struct mod_stats *mod_stats, +- unsigned long timestamp_in_ns); ++ unsigned long long timestamp_in_ns); + + void mod_stats_update_freesync(struct mod_stats *mod_stats, + unsigned int v_total_min, +-- +2.43.0 + diff --git a/queue-5.4/fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch b/queue-5.4/fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch new file mode 100644 index 00000000000..e49a4a22391 --- /dev/null +++ b/queue-5.4/fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch @@ -0,0 +1,47 @@ +From 70e47424f81e2f4d221e857625cedf7ed96aff43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 14:35:43 +0300 +Subject: fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2 + +From: Aleksandr Burakov + +[ Upstream commit bc87bb342f106a0402186bcb588fcbe945dced4b ] + +There are some actions with value 'tmp' but 'dst_addr' is checked instead. +It is obvious that a copy-paste error was made here and the value +of variable 'tmp' should be checked here. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Aleksandr Burakov +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/via/accel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/via/accel.c b/drivers/video/fbdev/via/accel.c +index 0a1bc7a4d7853..1e04026f08091 100644 +--- a/drivers/video/fbdev/via/accel.c ++++ b/drivers/video/fbdev/via/accel.c +@@ -115,7 +115,7 @@ static int hw_bitblt_1(void __iomem *engine, u8 op, u32 width, u32 height, + + if (op != VIA_BITBLT_FILL) { + tmp = src_mem ? 0 : src_addr; +- if (dst_addr & 0xE0000007) { ++ if (tmp & 0xE0000007) { + printk(KERN_WARNING "hw_bitblt_1: Unsupported source " + "address %X\n", tmp); + return -EINVAL; +@@ -260,7 +260,7 @@ static int hw_bitblt_2(void __iomem *engine, u8 op, u32 width, u32 height, + writel(tmp, engine + 0x18); + + tmp = src_mem ? 0 : src_addr; +- if (dst_addr & 0xE0000007) { ++ if (tmp & 0xE0000007) { + printk(KERN_WARNING "hw_bitblt_2: Unsupported source " + "address %X\n", tmp); + return -EINVAL; +-- +2.43.0 + diff --git a/queue-5.4/fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch b/queue-5.4/fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch new file mode 100644 index 00000000000..eb7ccce042c --- /dev/null +++ b/queue-5.4/fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch @@ -0,0 +1,51 @@ +From d3a7718182a77a220258fad6cb6a59f90c9626c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 11:13:44 +0300 +Subject: fbmon: prevent division by zero in fb_videomode_from_videomode() + +From: Roman Smirnov + +[ Upstream commit c2d953276b8b27459baed1277a4fdd5dd9bd4126 ] + +The expression htotal * vtotal can have a zero value on +overflow. It is necessary to prevent division by zero like in +fb_var_to_videomode(). + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Signed-off-by: Roman Smirnov +Reviewed-by: Sergey Shtylyov +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbmon.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/video/fbdev/core/fbmon.c b/drivers/video/fbdev/core/fbmon.c +index 8e2e19f3bf441..dab5fdeafa97d 100644 +--- a/drivers/video/fbdev/core/fbmon.c ++++ b/drivers/video/fbdev/core/fbmon.c +@@ -1311,7 +1311,7 @@ int fb_get_mode(int flags, u32 val, struct fb_var_screeninfo *var, struct fb_inf + int fb_videomode_from_videomode(const struct videomode *vm, + struct fb_videomode *fbmode) + { +- unsigned int htotal, vtotal; ++ unsigned int htotal, vtotal, total; + + fbmode->xres = vm->hactive; + fbmode->left_margin = vm->hback_porch; +@@ -1344,8 +1344,9 @@ int fb_videomode_from_videomode(const struct videomode *vm, + vtotal = vm->vactive + vm->vfront_porch + vm->vback_porch + + vm->vsync_len; + /* prevent division by zero */ +- if (htotal && vtotal) { +- fbmode->refresh = vm->pixelclock / (htotal * vtotal); ++ total = htotal * vtotal; ++ if (total) { ++ fbmode->refresh = vm->pixelclock / total; + /* a mode must have htotal and vtotal != 0 or it is invalid */ + } else { + fbmode->refresh = 0; +-- +2.43.0 + diff --git a/queue-5.4/input-allocate-keycode-for-display-refresh-rate-togg.patch b/queue-5.4/input-allocate-keycode-for-display-refresh-rate-togg.patch new file mode 100644 index 00000000000..4cac077efa6 --- /dev/null +++ b/queue-5.4/input-allocate-keycode-for-display-refresh-rate-togg.patch @@ -0,0 +1,43 @@ +From 34eebdac02f8884ef2a3b84a1d14d3e34e11a031 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Mar 2024 12:31:41 +0100 +Subject: Input: allocate keycode for Display refresh rate toggle +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gergo Koteles + +[ Upstream commit cfeb98b95fff25c442f78a6f616c627bc48a26b7 ] + +Newer Lenovo Yogas and Legions with 60Hz/90Hz displays send a wmi event +when Fn + R is pressed. This is intended for use to switch between the +two refresh rates. + +Allocate a new KEY_REFRESH_RATE_TOGGLE keycode for it. + +Signed-off-by: Gergo Koteles +Acked-by: Dmitry Torokhov +Link: https://lore.kernel.org/r/15a5d08c84cf4d7b820de34ebbcf8ae2502fb3ca.1710065750.git.soyer@irl.hu +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + include/uapi/linux/input-event-codes.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/uapi/linux/input-event-codes.h b/include/uapi/linux/input-event-codes.h +index 7f0ae1f411e3a..bf6c2f0b26fdc 100644 +--- a/include/uapi/linux/input-event-codes.h ++++ b/include/uapi/linux/input-event-codes.h +@@ -598,6 +598,7 @@ + + #define KEY_ALS_TOGGLE 0x230 /* Ambient light sensor */ + #define KEY_ROTATE_LOCK_TOGGLE 0x231 /* Display rotation lock */ ++#define KEY_REFRESH_RATE_TOGGLE 0x232 /* Display refresh rate toggle */ + + #define KEY_BUTTONCONFIG 0x240 /* AL Button Configuration */ + #define KEY_TASKMANAGER 0x241 /* AL Task/Project Manager */ +-- +2.43.0 + diff --git a/queue-5.4/input-synaptics-rmi4-fail-probing-if-memory-allocati.patch b/queue-5.4/input-synaptics-rmi4-fail-probing-if-memory-allocati.patch new file mode 100644 index 00000000000..67898c0c610 --- /dev/null +++ b/queue-5.4/input-synaptics-rmi4-fail-probing-if-memory-allocati.patch @@ -0,0 +1,42 @@ +From 28ff9f356165069efb146191f58e5a713d2739de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 11:37:59 -0800 +Subject: Input: synaptics-rmi4 - fail probing if memory allocation for "phys" + fails + +From: Kunwu Chan + +[ Upstream commit bc4996184d56cfaf56d3811ac2680c8a0e2af56e ] + +While input core can work with input->phys set to NULL userspace might +depend on it, so better fail probing if allocation fails. The system must +be in a pretty bad shape for it to happen anyway. + +Signed-off-by: Kunwu Chan +Link: https://lore.kernel.org/r/20240117073124.143636-1-chentao@kylinos.cn +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/rmi4/rmi_driver.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c +index 258d5fe3d395c..aa32371f04af6 100644 +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -1196,7 +1196,11 @@ static int rmi_driver_probe(struct device *dev) + } + rmi_driver_set_input_params(rmi_dev, data->input); + data->input->phys = devm_kasprintf(dev, GFP_KERNEL, +- "%s/input0", dev_name(dev)); ++ "%s/input0", dev_name(dev)); ++ if (!data->input->phys) { ++ retval = -ENOMEM; ++ goto err; ++ } + } + + retval = rmi_init_functions(data); +-- +2.43.0 + diff --git a/queue-5.4/ionic-set-adminq-irq-affinity.patch b/queue-5.4/ionic-set-adminq-irq-affinity.patch new file mode 100644 index 00000000000..074fb2b19f7 --- /dev/null +++ b/queue-5.4/ionic-set-adminq-irq-affinity.patch @@ -0,0 +1,43 @@ +From 07358e7fb282bfb7e352c5be43d2fe187265bac7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 09:59:01 -0800 +Subject: ionic: set adminq irq affinity + +From: Shannon Nelson + +[ Upstream commit c699f35d658f3c21b69ed24e64b2ea26381e941d ] + +We claim to have the AdminQ on our irq0 and thus cpu id 0, +but we need to be sure we set the affinity hint to try to +keep it there. + +Signed-off-by: Shannon Nelson +Reviewed-by: Brett Creeley +Reviewed-by: Jacob Keller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index d718c1a6d5fc7..e7d868da6a380 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -1874,9 +1874,12 @@ static int ionic_lif_adminq_init(struct ionic_lif *lif) + + napi_enable(&qcq->napi); + +- if (qcq->flags & IONIC_QCQ_F_INTR) ++ if (qcq->flags & IONIC_QCQ_F_INTR) { ++ irq_set_affinity_hint(qcq->intr.vector, ++ &qcq->intr.affinity_mask); + ionic_intr_mask(idev->intr_ctrl, qcq->intr.index, + IONIC_INTR_MASK_CLEAR); ++ } + + qcq->flags |= IONIC_QCQ_F_INITED; + +-- +2.43.0 + diff --git a/queue-5.4/isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch b/queue-5.4/isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch new file mode 100644 index 00000000000..86d9b050b7e --- /dev/null +++ b/queue-5.4/isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch @@ -0,0 +1,60 @@ +From 8d9a378116f28560229ab14d38251d6805632011 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Feb 2024 19:21:32 -0700 +Subject: isofs: handle CDs with bad root inode but good Joliet root directory + +From: Alex Henrie + +[ Upstream commit 4243bf80c79211a8ca2795401add9c4a3b1d37ca ] + +I have a CD copy of the original Tom Clancy's Ghost Recon game from +2001. The disc mounts without error on Windows, but on Linux mounting +fails with the message "isofs_fill_super: get root inode failed". The +error originates in isofs_read_inode, which returns -EIO because de_len +is 0. The superblock on this disc appears to be intentionally corrupt as +a form of copy protection. + +When the root inode is unusable, instead of giving up immediately, try +to continue with the Joliet file table. This fixes the Ghost Recon CD +and probably other copy-protected CDs too. + +Signed-off-by: Alex Henrie +Signed-off-by: Jan Kara +Message-Id: <20240208022134.451490-1-alexhenrie24@gmail.com> +Signed-off-by: Sasha Levin +--- + fs/isofs/inode.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c +index 74e487d63c62c..95c08f3c4b35e 100644 +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -912,8 +912,22 @@ static int isofs_fill_super(struct super_block *s, void *data, int silent) + * we then decide whether to use the Joliet descriptor. + */ + inode = isofs_iget(s, sbi->s_firstdatazone, 0); +- if (IS_ERR(inode)) +- goto out_no_root; ++ ++ /* ++ * Fix for broken CDs with a corrupt root inode but a correct Joliet ++ * root directory. ++ */ ++ if (IS_ERR(inode)) { ++ if (joliet_level && sbi->s_firstdatazone != first_data_zone) { ++ printk(KERN_NOTICE ++ "ISOFS: root inode is unusable. " ++ "Disabling Rock Ridge and switching to Joliet."); ++ sbi->s_rock = 0; ++ inode = NULL; ++ } else { ++ goto out_no_root; ++ } ++ } + + /* + * Fix for broken CDs with Rock Ridge and empty ISO root directory but +-- +2.43.0 + diff --git a/queue-5.4/ktest-force-buildonly-1-for-make_warnings_file-test-.patch b/queue-5.4/ktest-force-buildonly-1-for-make_warnings_file-test-.patch new file mode 100644 index 00000000000..65e5c19b990 --- /dev/null +++ b/queue-5.4/ktest-force-buildonly-1-for-make_warnings_file-test-.patch @@ -0,0 +1,41 @@ +From 8005d02ba4231195359d8f4933b8df5bcd5064eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 12:28:08 -0300 +Subject: ktest: force $buildonly = 1 for 'make_warnings_file' test type + +From: Ricardo B. Marliere + +[ Upstream commit 07283c1873a4d0eaa0e822536881bfdaea853910 ] + +The test type "make_warnings_file" should have no mandatory configuration +parameters other than the ones required by the "build" test type, because +its purpose is to create a file with build warnings that may or may not be +used by other subsequent tests. Currently, the only way to use it as a +stand-alone test is by setting POWER_CYCLE, CONSOLE, SSH_USER, +BUILD_TARGET, TARGET_IMAGE, REBOOT_TYPE and GRUB_MENU. + +Link: https://lkml.kernel.org/r/20240315-ktest-v2-1-c5c20a75f6a3@marliere.net + +Cc: John Hawley +Signed-off-by: Ricardo B. Marliere +Signed-off-by: Steven Rostedt +Signed-off-by: Sasha Levin +--- + tools/testing/ktest/ktest.pl | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl +index 698b99e25f980..d36612c620981 100755 +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -768,6 +768,7 @@ sub set_value { + if ($lvalue =~ /^(TEST|BISECT|CONFIG_BISECT)_TYPE(\[.*\])?$/ && + $prvalue !~ /^(config_|)bisect$/ && + $prvalue !~ /^build$/ && ++ $prvalue !~ /^make_warnings_file$/ && + $buildonly) { + + # Note if a test is something other than build, then we +-- +2.43.0 + diff --git a/queue-5.4/media-sta2x11-fix-irq-handler-cast.patch b/queue-5.4/media-sta2x11-fix-irq-handler-cast.patch new file mode 100644 index 00000000000..3b7902061b3 --- /dev/null +++ b/queue-5.4/media-sta2x11-fix-irq-handler-cast.patch @@ -0,0 +1,62 @@ +From 877b264dce97a2bc42f5f88dcd86f62f5d778f59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 10:54:47 +0100 +Subject: media: sta2x11: fix irq handler cast + +From: Arnd Bergmann + +[ Upstream commit 3de49ae81c3a0f83a554ecbce4c08e019f30168e ] + +clang-16 warns about casting incompatible function pointers: + +drivers/media/pci/sta2x11/sta2x11_vip.c:1057:6: error: cast from 'irqreturn_t (*)(int, struct sta2x11_vip *)' (aka 'enum irqreturn (*)(int, struct sta2x11_vip *)') to 'irq_handler_t' (aka 'enum irqreturn (*)(int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + +Change the prototype of the irq handler to the regular version with a +local variable to adjust the argument type. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Hans Verkuil +[hverkuil: update argument documentation] +Signed-off-by: Sasha Levin +--- + drivers/media/pci/sta2x11/sta2x11_vip.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/pci/sta2x11/sta2x11_vip.c b/drivers/media/pci/sta2x11/sta2x11_vip.c +index 798574cfad35e..5a77f8ba3a187 100644 +--- a/drivers/media/pci/sta2x11/sta2x11_vip.c ++++ b/drivers/media/pci/sta2x11/sta2x11_vip.c +@@ -760,7 +760,7 @@ static const struct video_device video_dev_template = { + /** + * vip_irq - interrupt routine + * @irq: Number of interrupt ( not used, correct number is assumed ) +- * @vip: local data structure containing all information ++ * @data: local data structure containing all information + * + * check for both frame interrupts set ( top and bottom ). + * check FIFO overflow, but limit number of log messages after open. +@@ -770,8 +770,9 @@ static const struct video_device video_dev_template = { + * + * IRQ_HANDLED, interrupt done. + */ +-static irqreturn_t vip_irq(int irq, struct sta2x11_vip *vip) ++static irqreturn_t vip_irq(int irq, void *data) + { ++ struct sta2x11_vip *vip = data; + unsigned int status; + + status = reg_read(vip, DVP_ITS); +@@ -1053,9 +1054,7 @@ static int sta2x11_vip_init_one(struct pci_dev *pdev, + + spin_lock_init(&vip->slock); + +- ret = request_irq(pdev->irq, +- (irq_handler_t) vip_irq, +- IRQF_SHARED, KBUILD_MODNAME, vip); ++ ret = request_irq(pdev->irq, vip_irq, IRQF_SHARED, KBUILD_MODNAME, vip); + if (ret) { + dev_err(&pdev->dev, "request_irq failed\n"); + ret = -ENODEV; +-- +2.43.0 + diff --git a/queue-5.4/netfilter-nf_tables-discard-table-flag-update-with-p.patch b/queue-5.4/netfilter-nf_tables-discard-table-flag-update-with-p.patch new file mode 100644 index 00000000000..a82fa239f3b --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-discard-table-flag-update-with-p.patch @@ -0,0 +1,63 @@ +From 324d2cef4bf9cc6d6a6d43761142151960d72901 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 23:21:42 +0200 +Subject: netfilter: nf_tables: discard table flag update with pending + basechain deletion + +From: Pablo Neira Ayuso + +commit 1bc83a019bbe268be3526406245ec28c2458a518 upstream. + +Hook unregistration is deferred to the commit phase, same occurs with +hook updates triggered by the table dormant flag. When both commands are +combined, this results in deleting a basechain while leaving its hook +still registered in the core. + +Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 8dd7efb3b8f7b..b4bb93b9aafc7 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -903,6 +903,24 @@ static void nf_tables_table_disable(struct net *net, struct nft_table *table) + #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \ + __NFT_TABLE_F_WAS_AWAKEN) + ++static bool nft_table_pending_update(const struct nft_ctx *ctx) ++{ ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); ++ struct nft_trans *trans; ++ ++ if (ctx->table->flags & __NFT_TABLE_F_UPDATE) ++ return true; ++ ++ list_for_each_entry(trans, &nft_net->commit_list, list) { ++ if (trans->ctx.table == ctx->table && ++ trans->msg_type == NFT_MSG_DELCHAIN && ++ nft_is_base_chain(trans->ctx.chain)) ++ return true; ++ } ++ ++ return false; ++} ++ + static int nf_tables_updtable(struct nft_ctx *ctx) + { + struct nft_trans *trans; +@@ -920,7 +938,7 @@ static int nf_tables_updtable(struct nft_ctx *ctx) + return 0; + + /* No dormant off/on/off/on games in single transaction */ +- if (ctx->table->flags & __NFT_TABLE_F_UPDATE) ++ if (nft_table_pending_update(ctx)) + return -EINVAL; + + trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, +-- +2.43.0 + diff --git a/queue-5.4/netfilter-nf_tables-reject-new-basechain-after-table.patch b/queue-5.4/netfilter-nf_tables-reject-new-basechain-after-table.patch new file mode 100644 index 00000000000..ba421e4529b --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-reject-new-basechain-after-table.patch @@ -0,0 +1,64 @@ +From a1e06b0359c85296e6b0691f236a342d80e66ec3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 23:21:38 +0200 +Subject: netfilter: nf_tables: reject new basechain after table flag update + +From: Pablo Neira Ayuso + +commit 994209ddf4f430946f6247616b2e33d179243769 upstream. + +When dormant flag is toggled, hooks are disabled in the commit phase by +iterating over current chains in table (existing and new). + +The following configuration allows for an inconsistent state: + + add table x + add chain x y { type filter hook input priority 0; } + add table x { flags dormant; } + add chain x w { type filter hook input priority 1; } + +which triggers the following warning when trying to unregister chain w +which is already unregistered. + +[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260 +[...] +[ 127.322519] Call Trace: +[ 127.322521] +[ 127.322524] ? __warn+0x9f/0x1a0 +[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260 +[ 127.322537] ? report_bug+0x1b1/0x1e0 +[ 127.322545] ? handle_bug+0x3c/0x70 +[ 127.322552] ? exc_invalid_op+0x17/0x40 +[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20 +[ 127.322563] ? kasan_save_free_info+0x3b/0x60 +[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260 +[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260 +[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260 +[ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables] +[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables] +[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables] + +Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 7c98536e9eae2..f4821d64c2fd8 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1805,6 +1805,9 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, + struct nft_chain_hook hook; + struct nf_hook_ops *ops; + ++ if (table->flags & __NFT_TABLE_F_UPDATE) ++ return -EINVAL; ++ + err = nft_chain_parse_hook(net, nla, &hook, family, true); + if (err < 0) + return err; +-- +2.43.0 + diff --git a/queue-5.4/netfilter-nf_tables-release-batch-on-table-validatio.patch b/queue-5.4/netfilter-nf_tables-release-batch-on-table-validatio.patch new file mode 100644 index 00000000000..76d981443ae --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-release-batch-on-table-validatio.patch @@ -0,0 +1,84 @@ +From ad37072269f6340c7188924145f4fd92ac3b77cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 23:21:40 +0200 +Subject: netfilter: nf_tables: release batch on table validation from abort + path + +From: Pablo Neira Ayuso + +commit a45e6889575c2067d3c0212b6bc1022891e65b91 upstream. + +Unlike early commit path stage which triggers a call to abort, an +explicit release of the batch is required on abort, otherwise mutex is +released and commit_list remains in place. + +Add WARN_ON_ONCE to ensure commit_list is empty from the abort path +before releasing the mutex. + +After this patch, commit_list is always assumed to be empty before +grabbing the mutex, therefore + + 03c1f1ef1584 ("netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()") + +only needs to release the pending modules for registration. + +Cc: stable@vger.kernel.org +Fixes: c0391b6ab810 ("netfilter: nf_tables: missing validation from the abort path") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index f4821d64c2fd8..b719f3517caf1 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7564,10 +7564,11 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans, *next; + struct nft_trans_elem *te; ++ int err = 0; + + if (action == NFNL_ABORT_VALIDATE && + nf_tables_validate(net) < 0) +- return -EAGAIN; ++ err = -EAGAIN; + + list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, + list) { +@@ -7700,7 +7701,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + else + nf_tables_module_autoload_cleanup(net); + +- return 0; ++ return err; + } + + static int nf_tables_abort(struct net *net, struct sk_buff *skb, +@@ -7714,6 +7715,8 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb, + ret = __nf_tables_abort(net, action); + nft_gc_seq_end(nft_net, gc_seq); + ++ WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); ++ + mutex_unlock(&nft_net->commit_mutex); + + return ret; +@@ -8400,8 +8403,11 @@ static void __net_exit nf_tables_exit_net(struct net *net) + + gc_seq = nft_gc_seq_begin(nft_net); + +- if (!list_empty(&nft_net->commit_list)) +- __nf_tables_abort(net, NFNL_ABORT_NONE); ++ WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); ++ ++ if (!list_empty(&nft_net->module_list)) ++ nf_tables_module_autoload_cleanup(net); ++ + __nft_release_tables(net); + + nft_gc_seq_end(nft_net, gc_seq); +-- +2.43.0 + diff --git a/queue-5.4/netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch b/queue-5.4/netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch new file mode 100644 index 00000000000..81833c5b1f2 --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch @@ -0,0 +1,62 @@ +From a68a782128c196d0cdbb6aab69bfdf85b49da39a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 23:21:41 +0200 +Subject: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort + path + +From: Pablo Neira Ayuso + +commit 0d459e2ffb541841714839e8228b845458ed3b27 upstream. + +The commit mutex should not be released during the critical section +between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC +worker could collect expired objects and get the released commit lock +within the same GC sequence. + +nf_tables_module_autoload() temporarily releases the mutex to load +module dependencies, then it goes back to replay the transaction again. +Move it at the end of the abort phase after nft_gc_seq_end() is called. + +Cc: stable@vger.kernel.org +Fixes: 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path") +Reported-by: Kuan-Ting Chen +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index b719f3517caf1..8dd7efb3b8f7b 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7696,11 +7696,6 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + nf_tables_abort_release(trans); + } + +- if (action == NFNL_ABORT_AUTOLOAD) +- nf_tables_module_autoload(net); +- else +- nf_tables_module_autoload_cleanup(net); +- + return err; + } + +@@ -7717,6 +7712,14 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb, + + WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); + ++ /* module autoload needs to happen after GC sequence update because it ++ * temporarily releases and grabs mutex again. ++ */ ++ if (action == NFNL_ABORT_AUTOLOAD) ++ nf_tables_module_autoload(net); ++ else ++ nf_tables_module_autoload_cleanup(net); ++ + mutex_unlock(&nft_net->commit_mutex); + + return ret; +-- +2.43.0 + diff --git a/queue-5.4/panic-flush-kernel-log-buffer-at-the-end.patch b/queue-5.4/panic-flush-kernel-log-buffer-at-the-end.patch new file mode 100644 index 00000000000..34121aba90e --- /dev/null +++ b/queue-5.4/panic-flush-kernel-log-buffer-at-the-end.patch @@ -0,0 +1,50 @@ +From 65236f947a8e9aa84dae36977afefc06a16a936f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Feb 2024 14:47:02 +0106 +Subject: panic: Flush kernel log buffer at the end + +From: John Ogness + +[ Upstream commit d988d9a9b9d180bfd5c1d353b3b176cb90d6861b ] + +If the kernel crashes in a context where printk() calls always +defer printing (such as in NMI or inside a printk_safe section) +then the final panic messages will be deferred to irq_work. But +if irq_work is not available, the messages will not get printed +unless explicitly flushed. The result is that the final +"end Kernel panic" banner does not get printed. + +Add one final flush after the last printk() call to make sure +the final panic messages make it out as well. + +Signed-off-by: John Ogness +Reviewed-by: Petr Mladek +Link: https://lore.kernel.org/r/20240207134103.1357162-14-john.ogness@linutronix.de +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/panic.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kernel/panic.c b/kernel/panic.c +index cef79466f9417..5559a6e4c4579 100644 +--- a/kernel/panic.c ++++ b/kernel/panic.c +@@ -404,6 +404,14 @@ void panic(const char *fmt, ...) + + /* Do not scroll important messages printed above */ + suppress_printk = 1; ++ ++ /* ++ * The final messages may not have been printed if in a context that ++ * defers printing (such as NMI) and irq_work is not available. ++ * Explicitly flush the kernel log buffer one last time. ++ */ ++ console_flush_on_panic(CONSOLE_FLUSH_PENDING); ++ + local_irq_enable(); + for (i = 0; ; i += PANIC_TIMER_STEP) { + touch_softlockup_watchdog(); +-- +2.43.0 + diff --git a/queue-5.4/revert-acpi-pm-block-asus-b1400ceae-from-suspend-to-.patch b/queue-5.4/revert-acpi-pm-block-asus-b1400ceae-from-suspend-to-.patch new file mode 100644 index 00000000000..b3dfa9e619d --- /dev/null +++ b/queue-5.4/revert-acpi-pm-block-asus-b1400ceae-from-suspend-to-.patch @@ -0,0 +1,58 @@ +From d819f3d6494a6fb36e4a4ab9b1ab246ba001ba1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 08:53:16 +0100 +Subject: Revert "ACPI: PM: Block ASUS B1400CEAE from suspend to idle by + default" + +From: Daniel Drake + +[ Upstream commit cb98555fcd8eee98c30165537c7e394f3a66e809 ] + +This reverts commit d52848620de00cde4a3a5df908e231b8c8868250, which was +originally put in place to work around a s2idle failure on this platform +where the NVMe device was inaccessible upon resume. + +After extended testing, we found that the firmware's implementation of S3 +is buggy and intermittently fails to wake up the system. We need to revert +to s2idle mode. + +The NVMe issue has now been solved more precisely in the commit titled +"PCI: Disable D3cold on Asus B1400 PCI-NVMe bridge" + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215742 +Link: https://lore.kernel.org/r/20240228075316.7404-2-drake@endlessos.org +Signed-off-by: Daniel Drake +Signed-off-by: Bjorn Helgaas +Acked-by: Jian-Hong Pan +Acked-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/sleep.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c +index b9d203569ac1d..5996293f422e3 100644 +--- a/drivers/acpi/sleep.c ++++ b/drivers/acpi/sleep.c +@@ -382,18 +382,6 @@ static const struct dmi_system_id acpisleep_dmi_table[] __initconst = { + DMI_MATCH(DMI_PRODUCT_NAME, "20GGA00L00"), + }, + }, +- /* +- * ASUS B1400CEAE hangs on resume from suspend (see +- * https://bugzilla.kernel.org/show_bug.cgi?id=215742). +- */ +- { +- .callback = init_default_s3, +- .ident = "ASUS B1400CEAE", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +- DMI_MATCH(DMI_PRODUCT_NAME, "ASUS EXPERTBOOK B1400CEAE"), +- }, +- }, + {}, + }; + +-- +2.43.0 + diff --git a/queue-5.4/scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch b/queue-5.4/scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch new file mode 100644 index 00000000000..a538e05e514 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch @@ -0,0 +1,45 @@ +From 3c04f080f425fc1393871c119a9e55dd9567fc04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 10:50:57 -0800 +Subject: scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc() + +From: Justin Tee + +[ Upstream commit 2ae917d4bcab80ab304b774d492e2fcd6c52c06b ] + +The call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an +unsuccessful status. In such cases, the elsiocb is not issued, the +completion is not called, and thus the elsiocb resource is leaked. + +Check return value after calling lpfc_sli4_resume_rpi() and conditionally +release the elsiocb resource. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240131185112.149731-3-justintee8345@gmail.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index e6a94f550a572..1ca3179444d23 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -781,8 +781,10 @@ lpfc_rcv_padisc(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + /* Save the ELS cmd */ + elsiocb->drvrTimeout = cmd; + +- lpfc_sli4_resume_rpi(ndlp, +- lpfc_mbx_cmpl_resume_rpi, elsiocb); ++ if (lpfc_sli4_resume_rpi(ndlp, ++ lpfc_mbx_cmpl_resume_rpi, ++ elsiocb)) ++ kfree(elsiocb); + goto out; + } + } +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 48b08651836..18a87693d1f 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -169,3 +169,36 @@ ata-sata_mv-fix-pci-device-id-table-declaration-comp.patch alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphone.patch x86-mce-make-sure-to-grab-mce_sysfs_mutex-in-set_bank.patch s390-entry-align-system-call-table-on-8-bytes.patch +wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch +batman-adv-return-directly-after-a-failed-batadv_dat.patch +batman-adv-improve-exception-handling-in-batadv_thro.patch +vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch +panic-flush-kernel-log-buffer-at-the-end.patch +arm64-dts-rockchip-fix-rk3328-hdmi-ports-node.patch +arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch +ionic-set-adminq-irq-affinity.patch +tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch +btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch +btrfs-export-handle-invalid-inode-or-root-reference-.patch +btrfs-send-handle-path-ref-underflow-in-header-itera.patch +bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch +input-synaptics-rmi4-fail-probing-if-memory-allocati.patch +sysv-don-t-call-sb_bread-with-pointers_lock-held.patch +scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch +isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch +media-sta2x11-fix-irq-handler-cast.patch +drm-amd-display-fix-nanosec-stat-overflow.patch +sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch +revert-acpi-pm-block-asus-b1400ceae-from-suspend-to-.patch +block-prevent-division-by-zero-in-blk_rq_stat_sum.patch +input-allocate-keycode-for-display-refresh-rate-togg.patch +ktest-force-buildonly-1-for-make_warnings_file-test-.patch +tools-iio-replace-seekdir-in-iio_generic_buffer.patch +usb-typec-tcpci-add-generic-tcpci-fallback-compatibl.patch +usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch +fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch +fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch +netfilter-nf_tables-reject-new-basechain-after-table.patch +netfilter-nf_tables-release-batch-on-table-validatio.patch +netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch +netfilter-nf_tables-discard-table-flag-update-with-p.patch diff --git a/queue-5.4/sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch b/queue-5.4/sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch new file mode 100644 index 00000000000..3bb211f33a6 --- /dev/null +++ b/queue-5.4/sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch @@ -0,0 +1,87 @@ +From 9679c7f6ddbc25a7811c8bf85d37eb9899eabc78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jan 2024 11:38:25 -0800 +Subject: SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to + unsigned int + +From: Dai Ngo + +[ Upstream commit 2c35f43b5a4b9cdfaa6fdd946f5a212615dac8eb ] + +When the NFS client is under extreme load the rpc_wait_queue.qlen counter +can be overflowed. Here is an instant of the backlog queue overflow in a +real world environment shown by drgn helper: + +rpc_task_stats(rpc_clnt): +------------------------- +rpc_clnt: 0xffff92b65d2bae00 +rpc_xprt: 0xffff9275db64f000 + Queue: sending[64887] pending[524] backlog[30441] binding[0] +XMIT task: 0xffff925c6b1d8e98 + WRITE: 750654 + __dta_call_status_580: 65463 + __dta_call_transmit_status_579: 1 + call_reserveresult: 685189 + nfs_client_init_is_complete: 1 + COMMIT: 584 + call_reserveresult: 573 + __dta_call_status_580: 11 + ACCESS: 1 + __dta_call_status_580: 1 + GETATTR: 10 + __dta_call_status_580: 4 + call_reserveresult: 6 +751249 tasks for server 111.222.333.444 +Total tasks: 751249 + +count_rpc_wait_queues(xprt): +---------------------------- +**** rpc_xprt: 0xffff9275db64f000 num_reqs: 65511 +wait_queue: xprt_binding[0] cnt: 0 +wait_queue: xprt_binding[1] cnt: 0 +wait_queue: xprt_binding[2] cnt: 0 +wait_queue: xprt_binding[3] cnt: 0 +rpc_wait_queue[xprt_binding].qlen: 0 maxpriority: 0 +wait_queue: xprt_sending[0] cnt: 0 +wait_queue: xprt_sending[1] cnt: 64887 +wait_queue: xprt_sending[2] cnt: 0 +wait_queue: xprt_sending[3] cnt: 0 +rpc_wait_queue[xprt_sending].qlen: 64887 maxpriority: 3 +wait_queue: xprt_pending[0] cnt: 524 +wait_queue: xprt_pending[1] cnt: 0 +wait_queue: xprt_pending[2] cnt: 0 +wait_queue: xprt_pending[3] cnt: 0 +rpc_wait_queue[xprt_pending].qlen: 524 maxpriority: 0 +wait_queue: xprt_backlog[0] cnt: 0 +wait_queue: xprt_backlog[1] cnt: 685801 +wait_queue: xprt_backlog[2] cnt: 0 +wait_queue: xprt_backlog[3] cnt: 0 +rpc_wait_queue[xprt_backlog].qlen: 30441 maxpriority: 3 [task cnt mismatch] + +There is no effect on operations when this overflow occurs. However +it causes confusion when trying to diagnose the performance problem. + +Signed-off-by: Dai Ngo +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/sched.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/sunrpc/sched.h b/include/linux/sunrpc/sched.h +index 5c37fabdec103..61de83be9cc27 100644 +--- a/include/linux/sunrpc/sched.h ++++ b/include/linux/sunrpc/sched.h +@@ -196,7 +196,7 @@ struct rpc_wait_queue { + unsigned char maxpriority; /* maximum priority (0 if queue is not a priority queue) */ + unsigned char priority; /* current priority */ + unsigned char nr; /* # tasks remaining for cookie */ +- unsigned short qlen; /* total # tasks waiting in queue */ ++ unsigned int qlen; /* total # tasks waiting in queue */ + struct rpc_timer timer_list; + #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) || IS_ENABLED(CONFIG_TRACEPOINTS) + const char * name; +-- +2.43.0 + diff --git a/queue-5.4/sysv-don-t-call-sb_bread-with-pointers_lock-held.patch b/queue-5.4/sysv-don-t-call-sb_bread-with-pointers_lock-held.patch new file mode 100644 index 00000000000..d25a93248d5 --- /dev/null +++ b/queue-5.4/sysv-don-t-call-sb_bread-with-pointers_lock-held.patch @@ -0,0 +1,94 @@ +From 813dc43d8a0f9c603fd9a02688a4c3a06415fff4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Apr 2023 21:04:50 +0900 +Subject: sysv: don't call sb_bread() with pointers_lock held + +From: Tetsuo Handa + +[ Upstream commit f123dc86388cb669c3d6322702dc441abc35c31e ] + +syzbot is reporting sleep in atomic context in SysV filesystem [1], for +sb_bread() is called with rw_spinlock held. + +A "write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock" bug +and a "sb_bread() with write_lock(&pointers_lock)" bug were introduced by +"Replace BKL for chain locking with sysvfs-private rwlock" in Linux 2.5.12. + +Then, "[PATCH] err1-40: sysvfs locking fix" in Linux 2.6.8 fixed the +former bug by moving pointers_lock lock to the callers, but instead +introduced a "sb_bread() with read_lock(&pointers_lock)" bug (which made +this problem easier to hit). + +Al Viro suggested that why not to do like get_branch()/get_block()/ +find_shared() in Minix filesystem does. And doing like that is almost a +revert of "[PATCH] err1-40: sysvfs locking fix" except that get_branch() + from with find_shared() is called without write_lock(&pointers_lock). + +Reported-by: syzbot +Link: https://syzkaller.appspot.com/bug?extid=69b40dc5fd40f32c199f +Suggested-by: Al Viro +Signed-off-by: Tetsuo Handa +Link: https://lore.kernel.org/r/0d195f93-a22a-49a2-0020-103534d6f7f6@I-love.SAKURA.ne.jp +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/sysv/itree.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c +index e3d1673b8ec97..ef9bcfeec21ad 100644 +--- a/fs/sysv/itree.c ++++ b/fs/sysv/itree.c +@@ -82,9 +82,6 @@ static inline sysv_zone_t *block_end(struct buffer_head *bh) + return (sysv_zone_t*)((char*)bh->b_data + bh->b_size); + } + +-/* +- * Requires read_lock(&pointers_lock) or write_lock(&pointers_lock) +- */ + static Indirect *get_branch(struct inode *inode, + int depth, + int offsets[], +@@ -104,15 +101,18 @@ static Indirect *get_branch(struct inode *inode, + bh = sb_bread(sb, block); + if (!bh) + goto failure; ++ read_lock(&pointers_lock); + if (!verify_chain(chain, p)) + goto changed; + add_chain(++p, bh, (sysv_zone_t*)bh->b_data + *++offsets); ++ read_unlock(&pointers_lock); + if (!p->key) + goto no_block; + } + return NULL; + + changed: ++ read_unlock(&pointers_lock); + brelse(bh); + *err = -EAGAIN; + goto no_block; +@@ -218,9 +218,7 @@ static int get_block(struct inode *inode, sector_t iblock, struct buffer_head *b + goto out; + + reread: +- read_lock(&pointers_lock); + partial = get_branch(inode, depth, offsets, chain, &err); +- read_unlock(&pointers_lock); + + /* Simplest case - block found, no allocation needed */ + if (!partial) { +@@ -290,9 +288,9 @@ static Indirect *find_shared(struct inode *inode, + *top = 0; + for (k = depth; k > 1 && !offsets[k-1]; k--) + ; ++ partial = get_branch(inode, k, offsets, chain, &err); + + write_lock(&pointers_lock); +- partial = get_branch(inode, k, offsets, chain, &err); + if (!partial) + partial = chain + k-1; + /* +-- +2.43.0 + diff --git a/queue-5.4/tools-iio-replace-seekdir-in-iio_generic_buffer.patch b/queue-5.4/tools-iio-replace-seekdir-in-iio_generic_buffer.patch new file mode 100644 index 00000000000..ddfe775252e --- /dev/null +++ b/queue-5.4/tools-iio-replace-seekdir-in-iio_generic_buffer.patch @@ -0,0 +1,45 @@ +From 2b0ed4458efad16b85fde01890fe4927740045f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jan 2024 12:32:20 +0200 +Subject: tools: iio: replace seekdir() in iio_generic_buffer + +From: Petre Rodan + +[ Upstream commit 4e6500bfa053dc133021f9c144261b77b0ba7dc8 ] + +Replace seekdir() with rewinddir() in order to fix a localized glibc bug. + +One of the glibc patches that stable Gentoo is using causes an improper +directory stream positioning bug on 32bit arm. That in turn ends up as a +floating point exception in iio_generic_buffer. + +The attached patch provides a fix by using an equivalent function which +should not cause trouble for other distros and is easier to reason about +in general as it obviously always goes back to to the start. + +https://sourceware.org/bugzilla/show_bug.cgi?id=31212 + +Signed-off-by: Petre Rodan +Link: https://lore.kernel.org/r/20240108103224.3986-1-petre.rodan@subdimension.ro +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + tools/iio/iio_utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/iio/iio_utils.c b/tools/iio/iio_utils.c +index 48360994c2a13..b8745873928c5 100644 +--- a/tools/iio/iio_utils.c ++++ b/tools/iio/iio_utils.c +@@ -373,7 +373,7 @@ int build_channel_array(const char *device_dir, + goto error_close_dir; + } + +- seekdir(dp, 0); ++ rewinddir(dp); + while (ent = readdir(dp), ent) { + if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"), + "_en") == 0) { +-- +2.43.0 + diff --git a/queue-5.4/tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch b/queue-5.4/tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch new file mode 100644 index 00000000000..b07f522b0db --- /dev/null +++ b/queue-5.4/tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch @@ -0,0 +1,35 @@ +From cb954ca98523df722bd666c0d5e1f0f48eb7d405 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 16:19:56 -0800 +Subject: tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num() + +From: Samasth Norway Ananda + +[ Upstream commit f85450f134f0b4ca7e042dc3dc89155656a2299d ] + +In function get_pkg_num() if fopen_or_die() succeeds it returns a file +pointer to be used. But fclose() is never called before returning from +the function. + +Signed-off-by: Samasth Norway Ananda +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c +index 3fe1eed900d41..165eb4da8a644 100644 +--- a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c ++++ b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c +@@ -1111,6 +1111,7 @@ unsigned int get_pkg_num(int cpu) + retval = fscanf(fp, "%d\n", &pkg); + if (retval != 1) + errx(1, "%s: failed to parse", pathname); ++ fclose(fp); + return pkg; + } + +-- +2.43.0 + diff --git a/queue-5.4/usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch b/queue-5.4/usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch new file mode 100644 index 00000000000..bb5fa510a50 --- /dev/null +++ b/queue-5.4/usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch @@ -0,0 +1,47 @@ +From 885c31cebcf5b7a29e24f21ca4583170c254310e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 11:13:51 +0000 +Subject: usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined + +From: Colin Ian King + +[ Upstream commit 12f371e2b6cb4b79c788f1f073992e115f4ca918 ] + +Function checkdone is only required if QUIRK2 is defined, so add +appropriate #if / #endif around the function. + +Cleans up clang scan build warning: +drivers/usb/host/sl811-hcd.c:588:18: warning: unused function +'checkdone' [-Wunused-function] + +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20240307111351.1982382-1-colin.i.king@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/sl811-hcd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/host/sl811-hcd.c b/drivers/usb/host/sl811-hcd.c +index 936fddc6d8207..3cf8fce40c9dc 100644 +--- a/drivers/usb/host/sl811-hcd.c ++++ b/drivers/usb/host/sl811-hcd.c +@@ -585,6 +585,7 @@ done(struct sl811 *sl811, struct sl811h_ep *ep, u8 bank) + finish_request(sl811, ep, urb, urbstat); + } + ++#ifdef QUIRK2 + static inline u8 checkdone(struct sl811 *sl811) + { + u8 ctl; +@@ -616,6 +617,7 @@ static inline u8 checkdone(struct sl811 *sl811) + #endif + return irqstat; + } ++#endif + + static irqreturn_t sl811h_irq(struct usb_hcd *hcd) + { +-- +2.43.0 + diff --git a/queue-5.4/usb-typec-tcpci-add-generic-tcpci-fallback-compatibl.patch b/queue-5.4/usb-typec-tcpci-add-generic-tcpci-fallback-compatibl.patch new file mode 100644 index 00000000000..c82575ec525 --- /dev/null +++ b/queue-5.4/usb-typec-tcpci-add-generic-tcpci-fallback-compatibl.patch @@ -0,0 +1,36 @@ +From baa44040eee8e826ef1fe99cb01bffa6061dbaa7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 22:09:01 +0100 +Subject: usb: typec: tcpci: add generic tcpci fallback compatible + +From: Marco Felsch + +[ Upstream commit 8774ea7a553e2aec323170d49365b59af0a2b7e0 ] + +The driver already support the tcpci binding for the i2c_device_id so +add the support for the of_device_id too. + +Signed-off-by: Marco Felsch +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20240222210903.208901-3-m.felsch@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/tcpm/tcpci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/typec/tcpm/tcpci.c b/drivers/usb/typec/tcpm/tcpci.c +index ccb72875c8ee5..c11c2f71521ce 100644 +--- a/drivers/usb/typec/tcpm/tcpci.c ++++ b/drivers/usb/typec/tcpm/tcpci.c +@@ -634,6 +634,7 @@ MODULE_DEVICE_TABLE(i2c, tcpci_id); + #ifdef CONFIG_OF + static const struct of_device_id tcpci_of_match[] = { + { .compatible = "nxp,ptn5110", }, ++ { .compatible = "tcpci", }, + {}, + }; + MODULE_DEVICE_TABLE(of, tcpci_of_match); +-- +2.43.0 + diff --git a/queue-5.4/vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch b/queue-5.4/vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch new file mode 100644 index 00000000000..fa71e3e9954 --- /dev/null +++ b/queue-5.4/vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch @@ -0,0 +1,80 @@ +From a2ee25c674c3c2a84dc188ac72ee986c1e2c6c61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jan 2024 08:40:00 -0800 +Subject: VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() + +From: Harshit Mogalapalli + +[ Upstream commit 19b070fefd0d024af3daa7329cbc0d00de5302ec ] + +Syzkaller hit 'WARNING in dg_dispatch_as_host' bug. + +memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg" +at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24) + +WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237 +dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237 + +Some code commentry, based on my understanding: + +544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size) +/// This is 24 + payload_size + +memcpy(&dg_info->msg, dg, dg_size); + Destination = dg_info->msg ---> this is a 24 byte + structure(struct vmci_datagram) + Source = dg --> this is a 24 byte structure (struct vmci_datagram) + Size = dg_size = 24 + payload_size + +{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32. + + 35 struct delayed_datagram_info { + 36 struct datagram_entry *entry; + 37 struct work_struct work; + 38 bool in_dg_host_queue; + 39 /* msg and msg_payload must be together. */ + 40 struct vmci_datagram msg; + 41 u8 msg_payload[]; + 42 }; + +So those extra bytes of payload are copied into msg_payload[], a run time +warning is seen while fuzzing with Syzkaller. + +One possible way to fix the warning is to split the memcpy() into +two parts -- one -- direct assignment of msg and second taking care of payload. + +Gustavo quoted: +"Under FORTIFY_SOURCE we should not copy data across multiple members +in a structure." + +Reported-by: syzkaller +Suggested-by: Vegard Nossum +Suggested-by: Gustavo A. R. Silva +Signed-off-by: Harshit Mogalapalli +Reviewed-by: Gustavo A. R. Silva +Reviewed-by: Kees Cook +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20240105164001.2129796-2-harshit.m.mogalapalli@oracle.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_datagram.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/vmw_vmci/vmci_datagram.c b/drivers/misc/vmw_vmci/vmci_datagram.c +index f50d22882476f..d1d8224c8800c 100644 +--- a/drivers/misc/vmw_vmci/vmci_datagram.c ++++ b/drivers/misc/vmw_vmci/vmci_datagram.c +@@ -234,7 +234,8 @@ static int dg_dispatch_as_host(u32 context_id, struct vmci_datagram *dg) + + dg_info->in_dg_host_queue = true; + dg_info->entry = dst_entry; +- memcpy(&dg_info->msg, dg, dg_size); ++ dg_info->msg = *dg; ++ memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size); + + INIT_WORK(&dg_info->work, dg_delayed_dispatch); + schedule_work(&dg_info->work); +-- +2.43.0 + diff --git a/queue-5.4/wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch b/queue-5.4/wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch new file mode 100644 index 00000000000..07acccdc5d4 --- /dev/null +++ b/queue-5.4/wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch @@ -0,0 +1,43 @@ +From 1d0892d27c3967f2a773fa4a12c4f8ac85c80e21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Dec 2023 13:29:03 +0200 +Subject: wifi: ath9k: fix LNA selection in ath_ant_try_scan() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Antipov + +[ Upstream commit d6b27eb997ef9a2aa51633b3111bc4a04748e6d3 ] + +In 'ath_ant_try_scan()', (most likely) the 2nd LNA's signal +strength should be used in comparison against RSSI when +selecting first LNA as the main one. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Dmitry Antipov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231211172502.25202-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/antenna.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/antenna.c b/drivers/net/wireless/ath/ath9k/antenna.c +index 988222cea9dfe..acc84e6711b0e 100644 +--- a/drivers/net/wireless/ath/ath9k/antenna.c ++++ b/drivers/net/wireless/ath/ath9k/antenna.c +@@ -643,7 +643,7 @@ static void ath_ant_try_scan(struct ath_ant_comb *antcomb, + conf->main_lna_conf = ATH_ANT_DIV_COMB_LNA1; + conf->alt_lna_conf = ATH_ANT_DIV_COMB_LNA1_PLUS_LNA2; + } else if (antcomb->rssi_sub > +- antcomb->rssi_lna1) { ++ antcomb->rssi_lna2) { + /* set to A-B */ + conf->main_lna_conf = ATH_ANT_DIV_COMB_LNA1; + conf->alt_lna_conf = ATH_ANT_DIV_COMB_LNA1_MINUS_LNA2; +-- +2.43.0 +