From: Greg Kroah-Hartman Date: Fri, 24 Nov 2023 13:16:36 +0000 (+0000) Subject: 5.10-stable patches X-Git-Tag: v4.14.331~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=66ab0ba56fff16941925ed1a912d828b20823548;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: f2fs-avoid-format-overflow-warning.patch i2c-designware-disable-tx_empty-irq-while-waiting-for-block-length-byte.patch i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch lsm-fix-default-return-value-for-inode_getsecctx.patch lsm-fix-default-return-value-for-vm_enough_memory.patch media-lirc-drop-trailing-space-from-scancode-transmit.patch media-sharp-fix-sharp-encoding.patch media-venus-hfi-add-checks-to-handle-capabilities-from-firmware.patch media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch media-venus-hfi_parser-add-check-to-keep-the-number-of-codecs-within-range.patch net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch net-phylink-initialize-carrier-state-at-creation.patch nfsd-fix-file-memleak-on-client_opens_release.patch revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch --- diff --git a/queue-5.10/f2fs-avoid-format-overflow-warning.patch b/queue-5.10/f2fs-avoid-format-overflow-warning.patch new file mode 100644 index 00000000000..20565284e79 --- /dev/null +++ b/queue-5.10/f2fs-avoid-format-overflow-warning.patch 
@@ -0,0 +1,46 @@ +From e0d4e8acb3789c5a8651061fbab62ca24a45c063 Mon Sep 17 00:00:00 2001 +From: Su Hui +Date: Sun, 8 Oct 2023 14:39:30 +0800 +Subject: f2fs: avoid format-overflow warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Su Hui + +commit e0d4e8acb3789c5a8651061fbab62ca24a45c063 upstream. + +With gcc and W=1 option, there's a warning like this: + +fs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’: +fs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between +1 and 7 bytes into a region of size between 5 and 8 +[-Werror=format-overflow=] + 1984 | sprintf(slab_name, "f2fs_page_array_entry-%u:%u", MAJOR(dev), + MINOR(dev)); + | ^~ + +String "f2fs_page_array_entry-%u:%u" can up to 35. The first "%u" can up +to 4 and the second "%u" can up to 7, so total size is "24 + 4 + 7 = 35". +slab_name's size should be 35 rather than 32. + +Cc: stable@vger.kernel.org +Signed-off-by: Su Hui +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/compress.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/f2fs/compress.c ++++ b/fs/f2fs/compress.c +@@ -1574,7 +1574,7 @@ unlock: + int f2fs_init_page_array_cache(struct f2fs_sb_info *sbi) + { + dev_t dev = sbi->sb->s_bdev->bd_dev; +- char slab_name[32]; ++ char slab_name[35]; + + sprintf(slab_name, "f2fs_page_array_entry-%u:%u", MAJOR(dev), MINOR(dev)); + diff --git a/queue-5.10/i2c-designware-disable-tx_empty-irq-while-waiting-for-block-length-byte.patch b/queue-5.10/i2c-designware-disable-tx_empty-irq-while-waiting-for-block-length-byte.patch new file mode 100644 index 00000000000..ab0b54b1114 --- /dev/null +++ b/queue-5.10/i2c-designware-disable-tx_empty-irq-while-waiting-for-block-length-byte.patch 
@@ -0,0 +1,69 @@ +From e8183fa10c25c7b3c20670bf2b430ddcc1ee03c0 Mon Sep 17 00:00:00 2001 +From: Tam Nguyen +Date: Thu, 2 Nov 2023 10:30:08 +0700 +Subject: i2c: designware: Disable TX_EMPTY irq while waiting for block length byte + +From: Tam Nguyen + +commit e8183fa10c25c7b3c20670bf2b430ddcc1ee03c0 upstream. + +During SMBus block data read process, we have seen high interrupt rate +because of TX_EMPTY irq status while waiting for block length byte (the +first data byte after the address phase). The interrupt handler does not +do anything because the internal state is kept as STATUS_WRITE_IN_PROGRESS. +Hence, we should disable TX_EMPTY IRQ until I2C DesignWare receives +first data byte from I2C device, then re-enable it to resume SMBus +transaction. + +It takes 0.789 ms for host to receive data length from slave. +Without the patch, i2c_dw_isr() is called 99 times by TX_EMPTY interrupt. +And it is none after applying the patch. + +Cc: stable@vger.kernel.org +Co-developed-by: Chuong Tran +Signed-off-by: Chuong Tran +Signed-off-by: Tam Nguyen +Acked-by: Jarkko Nikula +Reviewed-by: Serge Semin +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-designware-master.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/i2c/busses/i2c-designware-master.c ++++ b/drivers/i2c/busses/i2c-designware-master.c +@@ -362,10 +362,16 @@ i2c_dw_xfer_msg(struct dw_i2c_dev *dev) + + /* + * Because we don't know the buffer length in the +- * I2C_FUNC_SMBUS_BLOCK_DATA case, we can't stop +- * the transaction here. ++ * I2C_FUNC_SMBUS_BLOCK_DATA case, we can't stop the ++ * transaction here. Also disable the TX_EMPTY IRQ ++ * while waiting for the data length byte to avoid the ++ * bogus interrupts flood. 
+ */ +- if (buf_len > 0 || flags & I2C_M_RECV_LEN) { ++ if (flags & I2C_M_RECV_LEN) { ++ dev->status |= STATUS_WRITE_IN_PROGRESS; ++ intr_mask &= ~DW_IC_INTR_TX_EMPTY; ++ break; ++ } else if (buf_len > 0) { + /* more bytes to be written */ + dev->status |= STATUS_WRITE_IN_PROGRESS; + break; +@@ -401,6 +407,13 @@ i2c_dw_recv_len(struct dw_i2c_dev *dev, + msgs[dev->msg_read_idx].len = len; + msgs[dev->msg_read_idx].flags &= ~I2C_M_RECV_LEN; + ++ /* ++ * Received buffer length, re-enable TX_EMPTY interrupt ++ * to resume the SMBUS transaction. ++ */ ++ regmap_update_bits(dev->map, DW_IC_INTR_MASK, DW_IC_INTR_TX_EMPTY, ++ DW_IC_INTR_TX_EMPTY); ++ + return len; + } + diff --git a/queue-5.10/i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch b/queue-5.10/i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch new file mode 100644 index 00000000000..944dcf0824b --- /dev/null +++ b/queue-5.10/i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch 
@@ -0,0 +1,66 @@ +From f78ca48a8ba9cdec96e8839351e49eec3233b177 Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Sat, 9 Sep 2023 22:25:06 +0200 +Subject: i2c: i801: fix potential race in i801_block_transaction_byte_by_byte + +From: Heiner Kallweit + +commit f78ca48a8ba9cdec96e8839351e49eec3233b177 upstream. + +Currently we set SMBHSTCNT_LAST_BYTE only after the host has started +receiving the last byte. If we get e.g. preempted before setting +SMBHSTCNT_LAST_BYTE, the host may be finished with receiving the byte +before SMBHSTCNT_LAST_BYTE is set. +Therefore change the code to set SMBHSTCNT_LAST_BYTE before writing +SMBHSTSTS_BYTE_DONE for the byte before the last byte. Now the code +is also consistent with what we do in i801_isr_byte_done(). + +Reported-by: Jean Delvare +Closes: https://lore.kernel.org/linux-i2c/20230828152747.09444625@endymion.delvare/ +Cc: stable@vger.kernel.org +Acked-by: Andi Shyti +Signed-off-by: Heiner Kallweit +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-i801.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -735,15 +735,11 @@ static int i801_block_transaction_byte_b + return i801_check_post(priv, status); + } + +- for (i = 1; i <= len; i++) { +- if (i == len && read_write == I2C_SMBUS_READ) +- smbcmd |= SMBHSTCNT_LAST_BYTE; +- outb_p(smbcmd, SMBHSTCNT(priv)); +- +- if (i == 1) +- outb_p(inb(SMBHSTCNT(priv)) | SMBHSTCNT_START, +- SMBHSTCNT(priv)); ++ if (len == 1 && read_write == I2C_SMBUS_READ) ++ smbcmd |= SMBHSTCNT_LAST_BYTE; ++ outb_p(smbcmd | SMBHSTCNT_START, SMBHSTCNT(priv)); + ++ for (i = 1; i <= len; i++) { + status = i801_wait_byte_done(priv); + if (status) + goto exit; +@@ -766,9 +762,12 @@ static int i801_block_transaction_byte_b + data->block[0] = len; + } + +- /* Retrieve/store value in SMBBLKDAT */ +- if (read_write == I2C_SMBUS_READ) ++ if 
(read_write == I2C_SMBUS_READ) { + data->block[i] = inb_p(SMBBLKDAT(priv)); ++ if (i == len - 1) ++ outb_p(smbcmd | SMBHSTCNT_LAST_BYTE, SMBHSTCNT(priv)); ++ } ++ + if (read_write == I2C_SMBUS_WRITE && i+1 <= len) + outb_p(data->block[i+1], SMBBLKDAT(priv)); + diff --git a/queue-5.10/lsm-fix-default-return-value-for-inode_getsecctx.patch b/queue-5.10/lsm-fix-default-return-value-for-inode_getsecctx.patch new file mode 100644 index 00000000000..dd78427e5b3 --- /dev/null +++ b/queue-5.10/lsm-fix-default-return-value-for-inode_getsecctx.patch 
@@ -0,0 +1,39 @@ +From b36995b8609a5a8fe5cf259a1ee768fcaed919f8 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Tue, 31 Oct 2023 13:32:07 +0100 +Subject: lsm: fix default return value for inode_getsecctx + +From: Ondrej Mosnacek + +commit b36995b8609a5a8fe5cf259a1ee768fcaed919f8 upstream. + +-EOPNOTSUPP is the return value that implements a "no-op" hook, not 0. + +Without this fix having only the BPF LSM enabled (with no programs +attached) can cause uninitialized variable reads in +nfsd4_encode_fattr(), because the BPF hook returns 0 without touching +the 'ctxlen' variable and the corresponding 'contextlen' variable in +nfsd4_encode_fattr() remains uninitialized, yet being treated as valid +based on the 0 return value. + +Cc: stable@vger.kernel.org +Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks") +Reported-by: Benjamin Coddington +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/lsm_hook_defs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -255,7 +255,7 @@ LSM_HOOK(void, LSM_RET_VOID, release_sec + LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) + LSM_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen) + LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen) +-LSM_HOOK(int, 0, inode_getsecctx, struct inode *inode, void **ctx, ++LSM_HOOK(int, -EOPNOTSUPP, inode_getsecctx, struct inode *inode, void **ctx, + u32 *ctxlen) + + #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) diff --git a/queue-5.10/lsm-fix-default-return-value-for-vm_enough_memory.patch b/queue-5.10/lsm-fix-default-return-value-for-vm_enough_memory.patch new file mode 100644 index 00000000000..153522e3f2d --- /dev/null +++ b/queue-5.10/lsm-fix-default-return-value-for-vm_enough_memory.patch 
@@ -0,0 +1,31 @@ +From 866d648059d5faf53f1cd960b43fe8365ad93ea7 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Tue, 31 Oct 2023 13:32:06 +0100 +Subject: lsm: fix default return value for vm_enough_memory + +From: Ondrej Mosnacek + +commit 866d648059d5faf53f1cd960b43fe8365ad93ea7 upstream. + +1 is the return value that implements a "no-op" hook, not 0. + +Cc: stable@vger.kernel.org +Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks") +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/lsm_hook_defs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -48,7 +48,7 @@ LSM_HOOK(int, 0, quota_on, struct dentry + LSM_HOOK(int, 0, syslog, int type) + LSM_HOOK(int, 0, settime, const struct timespec64 *ts, + const struct timezone *tz) +-LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages) ++LSM_HOOK(int, 1, vm_enough_memory, struct mm_struct *mm, long pages) + LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm) + LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, struct file *file) + LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm) diff --git a/queue-5.10/media-lirc-drop-trailing-space-from-scancode-transmit.patch b/queue-5.10/media-lirc-drop-trailing-space-from-scancode-transmit.patch new file mode 100644 index 00000000000..6a35b2a18a9 --- /dev/null +++ b/queue-5.10/media-lirc-drop-trailing-space-from-scancode-transmit.patch 
@@ -0,0 +1,37 @@ +From c8a489f820179fb12251e262b50303c29de991ac Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Fri, 6 Oct 2023 22:31:52 +0100 +Subject: media: lirc: drop trailing space from scancode transmit + +From: Sean Young + +commit c8a489f820179fb12251e262b50303c29de991ac upstream. + +When transmitting, infrared drivers expect an odd number of samples; iow +without a trailing space. No problems have been observed so far, so +this is just belt and braces. + +Fixes: 9b6192589be7 ("media: lirc: implement scancode sending") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Young +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/lirc_dev.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/media/rc/lirc_dev.c ++++ b/drivers/media/rc/lirc_dev.c +@@ -286,7 +286,11 @@ static ssize_t lirc_transmit(struct file + if (ret < 0) + goto out_kfree_raw; + +- count = ret; ++ /* drop trailing space */ ++ if (!(ret % 2)) ++ count = ret - 1; ++ else ++ count = ret; + + txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL); + if (!txbuf) { diff --git a/queue-5.10/media-sharp-fix-sharp-encoding.patch b/queue-5.10/media-sharp-fix-sharp-encoding.patch new file mode 100644 index 00000000000..1042297f85c --- /dev/null +++ b/queue-5.10/media-sharp-fix-sharp-encoding.patch 
@@ -0,0 +1,48 @@ +From 4f7efc71891462ab7606da7039f480d7c1584a13 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Fri, 6 Oct 2023 12:54:25 +0100 +Subject: media: sharp: fix sharp encoding + +From: Sean Young + +commit 4f7efc71891462ab7606da7039f480d7c1584a13 upstream. + +The Sharp protocol[1] encoding has incorrect timings for bit space. + +[1] https://www.sbprojects.net/knowledge/ir/sharp.php + +Fixes: d35afc5fe097 ("[media] rc: ir-sharp-decoder: Add encode capability") +Cc: stable@vger.kernel.org +Reported-by: Joe Ferner +Closes: https://sourceforge.net/p/lirc/mailman/message/38604507/ +Signed-off-by: Sean Young +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/ir-sharp-decoder.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/media/rc/ir-sharp-decoder.c ++++ b/drivers/media/rc/ir-sharp-decoder.c +@@ -15,7 +15,9 @@ + #define SHARP_UNIT 40 /* us */ + #define SHARP_BIT_PULSE (8 * SHARP_UNIT) /* 320us */ + #define SHARP_BIT_0_PERIOD (25 * SHARP_UNIT) /* 1ms (680us space) */ +-#define SHARP_BIT_1_PERIOD (50 * SHARP_UNIT) /* 2ms (1680ms space) */ ++#define SHARP_BIT_1_PERIOD (50 * SHARP_UNIT) /* 2ms (1680us space) */ ++#define SHARP_BIT_0_SPACE (17 * SHARP_UNIT) /* 680us space */ ++#define SHARP_BIT_1_SPACE (42 * SHARP_UNIT) /* 1680us space */ + #define SHARP_ECHO_SPACE (1000 * SHARP_UNIT) /* 40 ms */ + #define SHARP_TRAILER_SPACE (125 * SHARP_UNIT) /* 5 ms (even longer) */ + +@@ -168,8 +170,8 @@ static const struct ir_raw_timings_pd ir + .header_pulse = 0, + .header_space = 0, + .bit_pulse = SHARP_BIT_PULSE, +- .bit_space[0] = SHARP_BIT_0_PERIOD, +- .bit_space[1] = SHARP_BIT_1_PERIOD, ++ .bit_space[0] = SHARP_BIT_0_SPACE, ++ .bit_space[1] = SHARP_BIT_1_SPACE, + .trailer_pulse = SHARP_BIT_PULSE, + .trailer_space = SHARP_ECHO_SPACE, + .msb_first = 1, 
diff --git a/queue-5.10/media-venus-hfi-add-checks-to-handle-capabilities-from-firmware.patch b/queue-5.10/media-venus-hfi-add-checks-to-handle-capabilities-from-firmware.patch new file mode 100644 index 00000000000..e459223c640 --- /dev/null +++ b/queue-5.10/media-venus-hfi-add-checks-to-handle-capabilities-from-firmware.patch 
@@ -0,0 +1,69 @@ +From 8d0b89398b7ebc52103e055bf36b60b045f5258f Mon Sep 17 00:00:00 2001 +From: Vikash Garodia +Date: Thu, 10 Aug 2023 07:55:03 +0530 +Subject: media: venus: hfi: add checks to handle capabilities from firmware + +From: Vikash Garodia + +commit 8d0b89398b7ebc52103e055bf36b60b045f5258f upstream. + +The hfi parser, parses the capabilities received from venus firmware and +copies them to core capabilities. Consider below api, for example, +fill_caps - In this api, caps in core structure gets updated with the +number of capabilities received in firmware data payload. If the same api +is called multiple times, there is a possibility of copying beyond the max +allocated size in core caps. +Similar possibilities in fill_raw_fmts and fill_profile_level functions. + +Cc: stable@vger.kernel.org +Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") +Signed-off-by: Vikash Garodia +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_parser.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/media/platform/qcom/venus/hfi_parser.c ++++ b/drivers/media/platform/qcom/venus/hfi_parser.c +@@ -89,6 +89,9 @@ static void fill_profile_level(struct ve + { + const struct hfi_profile_level *pl = data; + ++ if (cap->num_pl + num >= HFI_MAX_PROFILE_COUNT) ++ return; ++ + memcpy(&cap->pl[cap->num_pl], pl, num * sizeof(*pl)); + cap->num_pl += num; + } +@@ -114,6 +117,9 @@ fill_caps(struct venus_caps *cap, const + { + const struct hfi_capability *caps = data; + ++ if (cap->num_caps + num >= MAX_CAP_ENTRIES) ++ return; ++ + memcpy(&cap->caps[cap->num_caps], caps, num * sizeof(*caps)); + cap->num_caps += num; + } +@@ -140,6 +146,9 @@ static void fill_raw_fmts(struct venus_c + { + const struct raw_formats *formats = fmts; + ++ if (cap->num_fmts + num_fmts >= MAX_FMT_ENTRIES) ++ return; ++ + memcpy(&cap->fmts[cap->num_fmts], formats, num_fmts * 
sizeof(*formats)); + cap->num_fmts += num_fmts; + } +@@ -162,6 +171,9 @@ parse_raw_formats(struct venus_core *cor + rawfmts[i].buftype = fmt->buffer_type; + i++; + ++ if (i >= MAX_FMT_ENTRIES) ++ return; ++ + if (pinfo->num_planes > MAX_PLANES) + break; + diff --git a/queue-5.10/media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch b/queue-5.10/media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch new file mode 100644 index 00000000000..5ffd860209f --- /dev/null +++ b/queue-5.10/media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch @@ -0,0 +1,36 @@ +From b18e36dfd6c935da60a971310374f3dfec3c82e1 Mon Sep 17 00:00:00 2001 +From: Vikash Garodia +Date: Thu, 10 Aug 2023 07:55:02 +0530 +Subject: media: venus: hfi: fix the check to handle session buffer requirement + +From: Vikash Garodia + +commit b18e36dfd6c935da60a971310374f3dfec3c82e1 upstream. + +Buffer requirement, for different buffer type, comes from video firmware. +While copying these requirements, there is an OOB possibility when the +payload from firmware is more than expected size. Fix the check to avoid +the OOB possibility. + +Cc: stable@vger.kernel.org +Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") +Reviewed-by: Nathan Hebert +Signed-off-by: Vikash Garodia +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/qcom/venus/hfi_msgs.c ++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c +@@ -351,7 +351,7 @@ session_get_prop_buf_req(struct hfi_msg_ + memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)); + idx++; + +- if (idx > HFI_BUFFER_TYPE_MAX) ++ if (idx >= HFI_BUFFER_TYPE_MAX) + return HFI_ERR_SESSION_INVALID_PARAMETER; + + req_bytes -= sizeof(struct hfi_buffer_requirements); 
diff --git a/queue-5.10/media-venus-hfi_parser-add-check-to-keep-the-number-of-codecs-within-range.patch b/queue-5.10/media-venus-hfi_parser-add-check-to-keep-the-number-of-codecs-within-range.patch new file mode 100644 index 00000000000..3bb0f74f693 --- /dev/null +++ b/queue-5.10/media-venus-hfi_parser-add-check-to-keep-the-number-of-codecs-within-range.patch @@ -0,0 +1,39 @@ +From 0768a9dd809ef52440b5df7dce5a1c1c7e97abbd Mon Sep 17 00:00:00 2001 +From: Vikash Garodia +Date: Thu, 10 Aug 2023 07:55:04 +0530 +Subject: media: venus: hfi_parser: Add check to keep the number of codecs within range + +From: Vikash Garodia + +commit 0768a9dd809ef52440b5df7dce5a1c1c7e97abbd upstream. + +Supported codec bitmask is populated from the payload from venus firmware. +There is a possible case when all the bits in the codec bitmask is set. In +such case, core cap for decoder is filled and MAX_CODEC_NUM is utilized. +Now while filling the caps for encoder, it can lead to access the caps +array beyong 32 index. Hence leading to OOB write. +The fix counts the supported encoder and decoder. If the count is more than +max, then it skips accessing the caps. + +Cc: stable@vger.kernel.org +Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") +Signed-off-by: Vikash Garodia +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_parser.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/platform/qcom/venus/hfi_parser.c ++++ b/drivers/media/platform/qcom/venus/hfi_parser.c +@@ -19,6 +19,9 @@ static void init_codecs(struct venus_cor + struct venus_caps *caps = core->caps, *cap; + unsigned long bit; + ++ if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM) ++ return; ++ + for_each_set_bit(bit, &core->dec_codecs, MAX_CODEC_NUM) { + cap = &caps[core->codecs_count++]; + cap->codec = BIT(bit); 
diff --git a/queue-5.10/net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch b/queue-5.10/net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch new file mode 100644 index 00000000000..7d47d3dedd3 --- /dev/null +++ b/queue-5.10/net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch 
@@ -0,0 +1,171 @@ +From 5a22fbcc10f3f7d94c5d88afbbffa240a3677057 Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Fri, 27 Oct 2023 08:57:38 +0200 +Subject: net: dsa: lan9303: consequently nested-lock physical MDIO + +From: Alexander Sverdlin + +commit 5a22fbcc10f3f7d94c5d88afbbffa240a3677057 upstream. + +When LAN9303 is MDIO-connected two callchains exist into +mdio->bus->write(): + +1. switch ports 1&2 ("physical" PHYs): + +virtual (switch-internal) MDIO bus (lan9303_switch_ops->phy_{read|write})-> + lan9303_mdio_phy_{read|write} -> mdiobus_{read|write}_nested + +2. LAN9303 virtual PHY: + +virtual MDIO bus (lan9303_phy_{read|write}) -> + lan9303_virt_phy_reg_{read|write} -> regmap -> lan9303_mdio_{read|write} + +If the latter functions just take +mutex_lock(&sw_dev->device->bus->mdio_lock) it triggers a LOCKDEP +false-positive splat. It's false-positive because the first +mdio_lock in the second callchain above belongs to virtual MDIO bus, the +second mdio_lock belongs to physical MDIO bus. + +Consequent annotation in lan9303_mdio_{read|write} as nested lock +(similar to lan9303_mdio_phy_{read|write}, it's the same physical MDIO bus) +prevents the following splat: + +WARNING: possible circular locking dependency detected +5.15.71 #1 Not tainted +------------------------------------------------------ +kworker/u4:3/609 is trying to acquire lock: +ffff000011531c68 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}, at: regmap_lock_mutex +but task is already holding lock: +ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read +which lock already depends on the new lock. 
+the existing dependency chain (in reverse order) is: +-> #1 (&bus->mdio_lock){+.+.}-{3:3}: + lock_acquire + __mutex_lock + mutex_lock_nested + lan9303_mdio_read + _regmap_read + regmap_read + lan9303_probe + lan9303_mdio_probe + mdio_probe + really_probe + __driver_probe_device + driver_probe_device + __device_attach_driver + bus_for_each_drv + __device_attach + device_initial_probe + bus_probe_device + deferred_probe_work_func + process_one_work + worker_thread + kthread + ret_from_fork +-> #0 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}: + __lock_acquire + lock_acquire.part.0 + lock_acquire + __mutex_lock + mutex_lock_nested + regmap_lock_mutex + regmap_read + lan9303_phy_read + dsa_slave_phy_read + __mdiobus_read + mdiobus_read + get_phy_device + mdiobus_scan + __mdiobus_register + dsa_register_switch + lan9303_probe + lan9303_mdio_probe + mdio_probe + really_probe + __driver_probe_device + driver_probe_device + __device_attach_driver + bus_for_each_drv + __device_attach + device_initial_probe + bus_probe_device + deferred_probe_work_func + process_one_work + worker_thread + kthread + ret_from_fork +other info that might help us debug this: + Possible unsafe locking scenario: + CPU0 CPU1 + ---- ---- + lock(&bus->mdio_lock); + lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock); + lock(&bus->mdio_lock); + lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock); +*** DEADLOCK *** +5 locks held by kworker/u4:3/609: + #0: ffff000002842938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work + #1: ffff80000bacbd60 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work + #2: ffff000007645178 (&dev->mutex){....}-{3:3}, at: __device_attach + #3: ffff8000096e6e78 (dsa2_mutex){+.+.}-{3:3}, at: dsa_register_switch + #4: ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read +stack backtrace: +CPU: 1 PID: 609 Comm: kworker/u4:3 Not tainted 5.15.71 #1 +Workqueue: events_unbound deferred_probe_work_func +Call trace: + 
dump_backtrace + show_stack + dump_stack_lvl + dump_stack + print_circular_bug + check_noncircular + __lock_acquire + lock_acquire.part.0 + lock_acquire + __mutex_lock + mutex_lock_nested + regmap_lock_mutex + regmap_read + lan9303_phy_read + dsa_slave_phy_read + __mdiobus_read + mdiobus_read + get_phy_device + mdiobus_scan + __mdiobus_register + dsa_register_switch + lan9303_probe + lan9303_mdio_probe +... + +Cc: stable@vger.kernel.org +Fixes: dc7005831523 ("net: dsa: LAN9303: add MDIO managed mode support") +Signed-off-by: Alexander Sverdlin +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20231027065741.534971-1-alexander.sverdlin@siemens.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/lan9303_mdio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/dsa/lan9303_mdio.c ++++ b/drivers/net/dsa/lan9303_mdio.c +@@ -32,7 +32,7 @@ static int lan9303_mdio_write(void *ctx, + struct lan9303_mdio *sw_dev = (struct lan9303_mdio *)ctx; + + reg <<= 2; /* reg num to offset */ +- mutex_lock(&sw_dev->device->bus->mdio_lock); ++ mutex_lock_nested(&sw_dev->device->bus->mdio_lock, MDIO_MUTEX_NESTED); + lan9303_mdio_real_write(sw_dev->device, reg, val & 0xffff); + lan9303_mdio_real_write(sw_dev->device, reg + 2, (val >> 16) & 0xffff); + mutex_unlock(&sw_dev->device->bus->mdio_lock); +@@ -50,7 +50,7 @@ static int lan9303_mdio_read(void *ctx, + struct lan9303_mdio *sw_dev = (struct lan9303_mdio *)ctx; + + reg <<= 2; /* reg num to offset */ +- mutex_lock(&sw_dev->device->bus->mdio_lock); ++ mutex_lock_nested(&sw_dev->device->bus->mdio_lock, MDIO_MUTEX_NESTED); + *val = lan9303_mdio_real_read(sw_dev->device, reg); + *val |= (lan9303_mdio_real_read(sw_dev->device, reg + 2) << 16); + mutex_unlock(&sw_dev->device->bus->mdio_lock); 
diff --git a/queue-5.10/net-phylink-initialize-carrier-state-at-creation.patch b/queue-5.10/net-phylink-initialize-carrier-state-at-creation.patch new file mode 100644 index 00000000000..f748643f839 --- /dev/null +++ b/queue-5.10/net-phylink-initialize-carrier-state-at-creation.patch 
@@ -0,0 +1,47 @@ +From 02d5fdbf4f2b8c406f7a4c98fa52aa181a11d733 Mon Sep 17 00:00:00 2001 +From: Klaus Kudielka +Date: Tue, 7 Nov 2023 18:44:02 +0100 +Subject: net: phylink: initialize carrier state at creation + +From: Klaus Kudielka + +commit 02d5fdbf4f2b8c406f7a4c98fa52aa181a11d733 upstream. + +Background: Turris Omnia (Armada 385); eth2 (mvneta) connected to SFP bus; +SFP module is present, but no fiber connected, so definitely no carrier. + +After booting, eth2 is down, but netdev LED trigger surprisingly reports +link active. Then, after "ip link set eth2 up", the link indicator goes +away - as I would have expected it from the beginning. + +It turns out, that the default carrier state after netdev creation is +"carrier ok". Some ethernet drivers explicitly call netif_carrier_off +during probing, others (like mvneta) don't - which explains the current +behaviour: only when the device is brought up, phylink_start calls +netif_carrier_off. + +Fix this for all drivers using phylink, by calling netif_carrier_off in +phylink_create. + +Fixes: 089381b27abe ("leds: initial support for Turris Omnia LEDs") +Cc: stable@vger.kernel.org +Suggested-by: Andrew Lunn +Signed-off-by: Klaus Kudielka +Reviewed-by: Russell King (Oracle) +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phylink.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -838,6 +838,7 @@ struct phylink *phylink_create(struct ph + pl->config = config; + if (config->type == PHYLINK_NETDEV) { + pl->netdev = to_net_dev(config->dev); ++ netif_carrier_off(pl->netdev); + } else if (config->type == PHYLINK_DEV) { + pl->dev = config->dev; + } else { diff --git a/queue-5.10/nfsd-fix-file-memleak-on-client_opens_release.patch b/queue-5.10/nfsd-fix-file-memleak-on-client_opens_release.patch new file mode 100644 index 00000000000..5415db63e32 --- /dev/null 
+++ b/queue-5.10/nfsd-fix-file-memleak-on-client_opens_release.patch @@ -0,0 +1,34 @@ +From bc1b5acb40201a0746d68a7d7cfc141899937f4f Mon Sep 17 00:00:00 2001 +From: Mahmoud Adam +Date: Fri, 10 Nov 2023 19:21:04 +0100 +Subject: nfsd: fix file memleak on client_opens_release + +From: Mahmoud Adam + +commit bc1b5acb40201a0746d68a7d7cfc141899937f4f upstream. + +seq_release should be called to free the allocated seq_file + +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Mahmoud Adam +Reviewed-by: Jeff Layton +Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens") +Reviewed-by: NeilBrown +Tested-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -2647,7 +2647,7 @@ static int client_opens_release(struct i + + /* XXX: alternatively, we could get/drop in seq start/stop */ + drop_client(clp); +- return 0; ++ return seq_release(inode, file); + } + + static const struct file_operations client_states_fops = { diff --git a/queue-5.10/revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch b/queue-5.10/revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch new file mode 100644 index 00000000000..204dff24b78 --- /dev/null +++ b/queue-5.10/revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch 
@@ -0,0 +1,46 @@ +From 9e2e7efbbbff69d8340abb56d375dd79d1f5770f Mon Sep 17 00:00:00 2001 +From: Johnathan Mantey +Date: Mon, 13 Nov 2023 08:30:29 -0800 +Subject: Revert ncsi: Propagate carrier gain/loss events to the NCSI controller + +From: Johnathan Mantey + +commit 9e2e7efbbbff69d8340abb56d375dd79d1f5770f upstream. + +This reverts commit 3780bb29311eccb7a1c9641032a112eed237f7e3. + +The cited commit introduced unwanted behavior. + +The intent for the commit was to be able to detect carrier loss/gain +for just the NIC connected to the BMC. The unwanted effect is a +carrier loss for auxiliary paths also causes the BMC to lose +carrier. The BMC never regains carrier despite the secondary NIC +regaining a link. + +This change, when merged, needs to be backported to stable kernels. +5.4-stable, 5.10-stable, 5.15-stable, 6.1-stable, 6.5-stable + +Fixes: 3780bb29311e ("ncsi: Propagate carrier gain/loss events to the NCSI controller") +CC: stable@vger.kernel.org +Signed-off-by: Johnathan Mantey +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ncsi/ncsi-aen.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/net/ncsi/ncsi-aen.c ++++ b/net/ncsi/ncsi-aen.c +@@ -89,11 +89,6 @@ static int ncsi_aen_handler_lsc(struct n + if ((had_link == has_link) || chained) + return 0; + +- if (had_link) +- netif_carrier_off(ndp->ndev.dev); +- else +- netif_carrier_on(ndp->ndev.dev); +- + if (!ndp->multi_package && !nc->package->multi_channel) { + if (had_link) { + ndp->flags |= NCSI_DEV_RESHUFFLE; diff --git a/queue-5.10/s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch b/queue-5.10/s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch new file mode 100644 index 00000000000..d354d066492 --- /dev/null +++ b/queue-5.10/s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch 
@@ -0,0 +1,88 @@ +From e14aec23025eeb1f2159ba34dbc1458467c4c347 Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Mon, 23 Oct 2023 09:57:10 +0200 +Subject: s390/ap: fix AP bus crash on early config change callback invocation + +From: Harald Freudenberger + +commit e14aec23025eeb1f2159ba34dbc1458467c4c347 upstream. + +Fix kernel crash in AP bus code caused by very early invocation of the +config change callback function via SCLP. + +After a fresh IML of the machine the crypto cards are still offline and +will get switched online only with activation of any LPAR which has the +card in it's configuration. A crypto card coming online is reported +to the LPAR via SCLP and the AP bus offers a callback function to get +this kind of information. However, it may happen that the callback is +invoked before the AP bus init function is complete. As the callback +triggers a synchronous AP bus scan, the scan may already run but some +internal states are not initialized by the AP bus init function resulting +in a crash like this: + + [ 11.635859] Unable to handle kernel pointer dereference in virtual kernel address space + [ 11.635861] Failing address: 0000000000000000 TEID: 0000000000000887 + [ 11.635862] Fault in home space mode while using kernel ASCE. 
+ [ 11.635864] AS:00000000894c4007 R3:00000001fece8007 S:00000001fece7800 P:000000000000013d + [ 11.635879] Oops: 0004 ilc:1 [#1] SMP + [ 11.635882] Modules linked in: + [ 11.635884] CPU: 5 PID: 42 Comm: kworker/5:0 Not tainted 6.6.0-rc3-00003-g4dbf7cdc6b42 #12 + [ 11.635886] Hardware name: IBM 3931 A01 751 (LPAR) + [ 11.635887] Workqueue: events_long ap_scan_bus + [ 11.635891] Krnl PSW : 0704c00180000000 0000000000000000 (0x0) + [ 11.635895] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 + [ 11.635897] Krnl GPRS: 0000000001000a00 0000000000000000 0000000000000006 0000000089591940 + [ 11.635899] 0000000080000000 0000000000000a00 0000000000000000 0000000000000000 + [ 11.635901] 0000000081870c00 0000000089591000 000000008834e4e2 0000000002625a00 + [ 11.635903] 0000000081734200 0000038000913c18 000000008834c6d6 0000038000913ac8 + [ 11.635906] Krnl Code:>0000000000000000: 0000 illegal + [ 11.635906] 0000000000000002: 0000 illegal + [ 11.635906] 0000000000000004: 0000 illegal + [ 11.635906] 0000000000000006: 0000 illegal + [ 11.635906] 0000000000000008: 0000 illegal + [ 11.635906] 000000000000000a: 0000 illegal + [ 11.635906] 000000000000000c: 0000 illegal + [ 11.635906] 000000000000000e: 0000 illegal + [ 11.635915] Call Trace: + [ 11.635916] [<0000000000000000>] 0x0 + [ 11.635918] [<000000008834e4e2>] ap_queue_init_state+0x82/0xb8 + [ 11.635921] [<000000008834ba1c>] ap_scan_domains+0x6fc/0x740 + [ 11.635923] [<000000008834c092>] ap_scan_adapter+0x632/0x8b0 + [ 11.635925] [<000000008834c3e4>] ap_scan_bus+0xd4/0x288 + [ 11.635927] [<00000000879a33ba>] process_one_work+0x19a/0x410 + [ 11.635930] Discipline DIAG cannot be used without z/VM + [ 11.635930] [<00000000879a3a2c>] worker_thread+0x3fc/0x560 + [ 11.635933] [<00000000879aea60>] kthread+0x120/0x128 + [ 11.635936] [<000000008792afa4>] __ret_from_fork+0x3c/0x58 + [ 11.635938] [<00000000885ebe62>] ret_from_fork+0xa/0x30 + [ 11.635942] Last Breaking-Event-Address: + [ 11.635942] [<000000008834c6d4>] 
ap_wait+0xcc/0x148 + +This patch improves the ap_bus_force_rescan() function which is +invoked by the config change callback by checking if a first +initial AP bus scan has been done. If not, the force rescan request +is simple ignored. Anyhow it does not make sense to trigger AP bus +re-scans even before the very first bus scan is complete. + +Cc: stable@vger.kernel.org +Reviewed-by: Holger Dengler +Signed-off-by: Harald Freudenberger +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/crypto/ap_bus.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/s390/crypto/ap_bus.c ++++ b/drivers/s390/crypto/ap_bus.c +@@ -787,6 +787,10 @@ EXPORT_SYMBOL(ap_driver_unregister); + + void ap_bus_force_rescan(void) + { ++ /* Only trigger AP bus scans after the initial scan is done */ ++ if (atomic64_read(&ap_scan_bus_count) <= 0) ++ return; ++ + /* processing a asynchronous bus rescan */ + del_timer(&ap_config_timer); + queue_work(system_long_wq, &ap_scan_work); diff --git a/queue-5.10/series b/queue-5.10/series index 349fed7ca9b..1554132ef8d 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -167,3 +167,18 @@ pci-dwc-exynos-rework-the-driver-to-support-exynos54.patch pci-exynos-don-t-discard-.remove-callback.patch arm64-dts-qcom-ipq6018-switch-tcsr-mutex-to-mmio.patch arm64-dts-qcom-ipq6018-fix-tcsr_mutex-register-size.patch +revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch +lsm-fix-default-return-value-for-vm_enough_memory.patch +lsm-fix-default-return-value-for-inode_getsecctx.patch +i2c-designware-disable-tx_empty-irq-while-waiting-for-block-length-byte.patch +s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch +net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch +net-phylink-initialize-carrier-state-at-creation.patch +i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch +f2fs-avoid-format-overflow-warning.patch +media-lirc-drop-trailing-space-from-scancode-transmit.patch +media-sharp-fix-sharp-encoding.patch +media-venus-hfi_parser-add-check-to-keep-the-number-of-codecs-within-range.patch +media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch +media-venus-hfi-add-checks-to-handle-capabilities-from-firmware.patch +nfsd-fix-file-memleak-on-client_opens_release.patch
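Review bot: in nfsd-fix-file-memleak-on-client_opens_release.patch, the changed return in client_opens_release() is justified only by a one-line commit message that never names the allocation being leaked or the open path that creates it. The message should say which open handler allocates the seq_file and that one is leaked per open/close of the file. The new "return seq_release(inode, file);" runs after "drop_client(clp);", which is fine as long as clp was read out of the seq_file before this point; the hunk does not show that load, so it is worth confirming. The trailing context shows a second file_operations table, client_states_fops, immediately below; the message should also state whether its release handler and the other seq_file users in fs/nfsd/nfs4state.c were checked for the same omission.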
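Review bot: in revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch, the five removed lines in ncsi_aen_handler_lsc() leave the "(had_link == has_link) || chained" early return followed directly by the "!ndp->multi_package && !nc->package->multi_channel" branch, with nothing in the code recording that the carrier state of ndp->ndev.dev is deliberately not driven from this handler. A short comment at that spot, saying that a link-state change on one channel must not call netif_carrier_off() on the shared net device because auxiliary paths report here as well, would keep the reverted behaviour from being reintroduced. The commit message explains the regression but not how the original goal (detecting carrier loss/gain for just the NIC connected to the BMC) is to be met after the revert; a sentence on that would help backport reviewers.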
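Review bot: in s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch, the new early return in ap_bus_force_rescan() silently drops the rescan request, and the hunk does not show where ap_scan_bus_count is incremented. If the counter only becomes positive when the first scan has finished, a config change reported while that first scan is already walking the adapters is discarded as well, so the commit message or the comment should say what guarantees that such a card is still picked up (for example the periodic scan driven by ap_config_timer, which is visible in the context lines). The test "atomic64_read(&ap_scan_bus_count) <= 0" also suggests the counter can be negative; if it cannot, "== 0" states the intent more clearly. Since the function returns void and the caller gets no indication, a debug-level trace on the ignored path would make early-boot problems of this kind easier to diagnose.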