From: Sasha Levin Date: Tue, 28 Mar 2023 10:07:04 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.15.105~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7b5fbc03c48eb1b35efb13743d8099f2c1497804;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/ca8210-fix-mac_len-negative-array-access.patch b/queue-4.19/ca8210-fix-mac_len-negative-array-access.patch new file mode 100644 index 00000000000..4cd071831cf --- /dev/null +++ b/queue-4.19/ca8210-fix-mac_len-negative-array-access.patch @@ -0,0 +1,37 @@ +From d3358c596a7791cb73009293d12088c384163ca3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 23:25:04 -0500 +Subject: ca8210: fix mac_len negative array access + +From: Alexander Aring + +[ Upstream commit 6c993779ea1d0cccdb3a5d7d45446dd229e610a3 ] + +This patch fixes a buffer overflow access of skb->data if +ieee802154_hdr_peek_addrs() fails. + +Reported-by: lianhui tang +Signed-off-by: Alexander Aring +Link: https://lore.kernel.org/r/20230217042504.3303396-1-aahringo@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/ca8210.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index 917edb3d04b78..2d4471b77fa7c 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -1954,6 +1954,8 @@ static int ca8210_skb_tx( + * packet + */ + mac_len = ieee802154_hdr_peek_addrs(skb, &header); ++ if (mac_len < 0) ++ return mac_len; + + secspec.security_level = header.sec.level; + secspec.key_id_mode = header.sec.key_id_mode; +-- +2.39.2 + diff --git a/queue-4.19/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch b/queue-4.19/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch new file mode 100644 index 00000000000..38cc08a12d6 --- /dev/null +++ b/queue-4.19/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch @@ -0,0 +1,75 @@ +From 26358b8227862fc62c1ef738f21f82d2e53612e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 15:11:07 +1300 +Subject: m68k: Only force 030 bus error if PC not in exception table + +From: Michael Schmitz + +[ Upstream commit e36a82bebbf7da814530d5a179bef9df5934b717 ] + +__get_kernel_nofault() does copy data in supervisor mode when +forcing a task backtrace log through /proc/sysrq_trigger. +This is expected cause a bus error exception on e.g. NULL +pointer dereferencing when logging a kernel task has no +workqueue associated. This bus error ought to be ignored. + +Our 030 bus error handler is ill equipped to deal with this: + +Whenever ssw indicates a kernel mode access on a data fault, +we don't even attempt to handle the fault and instead always +send a SEGV signal (or panic). As a result, the check +for exception handling at the fault PC (buried in +send_sig_fault() which gets called from do_page_fault() +eventually) is never used. + +In contrast, both 040 and 060 access error handlers do not +care whether a fault happened on supervisor mode access, +and will call do_page_fault() on those, ultimately honoring +the exception table. + +Add a check in bus_error030 to call do_page_fault() in case +we do have an entry for the fault PC in our exception table. + +I had attempted a fix for this earlier in 2019 that did rely +on testing pagefault_disabled() (see link below) to achieve +the same thing, but this patch should be more generic. + +Tested on 030 Atari Falcon. + +Reported-by: Eero Tamminen +Link: https://lore.kernel.org/r/alpine.LNX.2.21.1904091023540.25@nippy.intranet +Link: https://lore.kernel.org/r/63130691-1984-c423-c1f2-73bfd8d3dcd3@gmail.com +Signed-off-by: Michael Schmitz +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230301021107.26307-1-schmitzmic@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/kernel/traps.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/m68k/kernel/traps.c b/arch/m68k/kernel/traps.c +index 9b70a7f5e7058..35f706d836c50 100644 +--- a/arch/m68k/kernel/traps.c ++++ b/arch/m68k/kernel/traps.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -550,7 +551,8 @@ static inline void bus_error030 (struct frame *fp) + errorcode |= 2; + + if (mmusr & (MMU_I | MMU_WP)) { +- if (ssw & 4) { ++ /* We might have an exception table for this PC */ ++ if (ssw & 4 && !search_exception_tables(fp->ptregs.pc)) { + pr_err("Data %s fault at %#010lx in %s (pc=%#lx)\n", + ssw & RW ? "read" : "write", + fp->un.fmtb.daddr, +-- +2.39.2 + diff --git a/queue-4.19/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch b/queue-4.19/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch new file mode 100644 index 00000000000..c49952d87b6 --- /dev/null +++ b/queue-4.19/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch @@ -0,0 +1,39 @@ +From 89072214a63b1f2459537480e26e4dc7dd14ec3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 12:59:33 +0100 +Subject: net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 + +From: Enrico Sau + +[ Upstream commit 418383e6ed6b4624a54ec05c535f13d184fbf33b ] + +Add quirk CDC_MBIM_FLAG_AVOID_ALTSETTING_TOGGLE for Telit FE990 +0x1081 composition in order to avoid bind error. + +Signed-off-by: Enrico Sau +Link: https://lore.kernel.org/r/20230306115933.198259-1-enrico.sau@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_mbim.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c +index 41bac861ca99d..72a93dc2df868 100644 +--- a/drivers/net/usb/cdc_mbim.c ++++ b/drivers/net/usb/cdc_mbim.c +@@ -665,6 +665,11 @@ static const struct usb_device_id mbim_devs[] = { + .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle, + }, + ++ /* Telit FE990 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x1bc7, 0x1081, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), ++ .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle, ++ }, ++ + /* default entry */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&cdc_mbim_info_zlp, +-- +2.39.2 + diff --git a/queue-4.19/net-usb-qmi_wwan-add-telit-0x1080-composition.patch b/queue-4.19/net-usb-qmi_wwan-add-telit-0x1080-composition.patch new file mode 100644 index 00000000000..87c50801434 --- /dev/null +++ b/queue-4.19/net-usb-qmi_wwan-add-telit-0x1080-composition.patch @@ -0,0 +1,36 @@ +From 666bd695cdbfef4fccc7c6f91cce053cdb31b2c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 13:05:28 +0100 +Subject: net: usb: qmi_wwan: add Telit 0x1080 composition + +From: Enrico Sau + +[ Upstream commit 382e363d5bed0cec5807b35761d14e55955eee63 ] + +Add the following Telit FE990 composition: + +0x1080: tty, adb, rmnet, tty, tty, tty, tty + +Signed-off-by: Enrico Sau +Link: https://lore.kernel.org/r/20230306120528.198842-1-enrico.sau@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 24ce49b311c4c..5417932242e77 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1322,6 +1322,7 @@ static const struct usb_device_id products[] = { + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1080, 2)}, /* Telit FE990 */ + {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ +-- +2.39.2 + diff --git a/queue-4.19/riscv-bump-command_line_size-value-to-1024.patch b/queue-4.19/riscv-bump-command_line_size-value-to-1024.patch new file mode 100644 index 00000000000..520d5202559 --- /dev/null +++ b/queue-4.19/riscv-bump-command_line_size-value-to-1024.patch @@ -0,0 +1,46 @@ +From f6253e06753d3638a086be2865578b633ea7817a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 15:34:20 -0400 +Subject: riscv: Bump COMMAND_LINE_SIZE value to 1024 + +From: Alexandre Ghiti + +[ Upstream commit 61fc1ee8be26bc192d691932b0a67eabee45d12f ] + +Increase COMMAND_LINE_SIZE as the current default value is too low +for syzbot kernel command line. + +There has been considerable discussion on this patch that has led to a +larger patch set removing COMMAND_LINE_SIZE from the uapi headers on all +ports. That's not quite done yet, but it's gotten far enough we're +confident this is not a uABI change so this is safe. + +Reported-by: Dmitry Vyukov +Signed-off-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20210316193420.904-1-alex@ghiti.fr +[Palmer: it's not uabi] +Link: https://lore.kernel.org/linux-riscv/874b8076-b0d1-4aaa-bcd8-05d523060152@app.fastmail.com/#t +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/include/uapi/asm/setup.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + create mode 100644 arch/riscv/include/uapi/asm/setup.h + +diff --git a/arch/riscv/include/uapi/asm/setup.h b/arch/riscv/include/uapi/asm/setup.h +new file mode 100644 +index 0000000000000..66b13a5228808 +--- /dev/null ++++ b/arch/riscv/include/uapi/asm/setup.h +@@ -0,0 +1,8 @@ ++/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */ ++ ++#ifndef _UAPI_ASM_RISCV_SETUP_H ++#define _UAPI_ASM_RISCV_SETUP_H ++ ++#define COMMAND_LINE_SIZE 1024 ++ ++#endif /* _UAPI_ASM_RISCV_SETUP_H */ +-- +2.39.2 + diff --git a/queue-4.19/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch b/queue-4.19/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch new file mode 100644 index 00000000000..175afc00234 --- /dev/null +++ b/queue-4.19/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch @@ -0,0 +1,55 @@ +From f1724af3b055810b37712d4f7916ee37f878d6ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 15:15:56 +0100 +Subject: scsi: target: iscsi: Fix an error message in iscsi_check_key() + +From: Maurizio Lombardi + +[ Upstream commit 6cc55c969b7ce8d85e09a636693d4126c3676c11 ] + +The first half of the error message is printed by pr_err(), the second half +is printed by pr_debug(). The user will therefore see only the first part +of the message and will miss some useful information. + +Link: https://lore.kernel.org/r/20230214141556.762047-1-mlombard@redhat.com +Signed-off-by: Maurizio Lombardi +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_parameters.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c +index 29a37b242d30a..01f93de93c8c7 100644 +--- a/drivers/target/iscsi/iscsi_target_parameters.c ++++ b/drivers/target/iscsi/iscsi_target_parameters.c +@@ -1270,18 +1270,20 @@ static struct iscsi_param *iscsi_check_key( + return param; + + if (!(param->phase & phase)) { +- pr_err("Key \"%s\" may not be negotiated during ", +- param->name); ++ char *phase_name; ++ + switch (phase) { + case PHASE_SECURITY: +- pr_debug("Security phase.\n"); ++ phase_name = "Security"; + break; + case PHASE_OPERATIONAL: +- pr_debug("Operational phase.\n"); ++ phase_name = "Operational"; + break; + default: +- pr_debug("Unknown phase.\n"); ++ phase_name = "Unknown"; + } ++ pr_err("Key \"%s\" may not be negotiated during %s phase.\n", ++ param->name, phase_name); + return NULL; + } + +-- +2.39.2 + diff --git a/queue-4.19/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch b/queue-4.19/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch new file mode 100644 index 00000000000..482aecc9245 --- /dev/null +++ b/queue-4.19/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch @@ -0,0 +1,36 @@ +From 4b38a043ea7f79451d095f79896a7aa1061d352e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Feb 2023 09:07:40 -0500 +Subject: scsi: ufs: core: Add soft dependency on governor_simpleondemand + +From: Adrien Thierry + +[ Upstream commit 2ebe16155dc8bd4e602cad5b5f65458d2eaa1a75 ] + +The ufshcd driver uses simpleondemand governor for devfreq. Add it to the +list of ufshcd softdeps to allow userspace initramfs tools like dracut to +automatically pull the governor module into the initramfs together with UFS +drivers. + +Link: https://lore.kernel.org/r/20230220140740.14379-1-athierry@redhat.com +Signed-off-by: Adrien Thierry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index abc156cf05f60..b45cd6c98bad7 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -8228,5 +8228,6 @@ EXPORT_SYMBOL_GPL(ufshcd_init); + MODULE_AUTHOR("Santosh Yaragnavi "); + MODULE_AUTHOR("Vinayak Holikatti "); + MODULE_DESCRIPTION("Generic UFS host controller driver Core"); ++MODULE_SOFTDEP("pre: governor_simpleondemand"); + MODULE_LICENSE("GPL"); + MODULE_VERSION(UFSHCD_DRIVER_VERSION); +-- +2.39.2 + diff --git a/queue-4.19/series b/queue-4.19/series index 6ef54332e8d..9ff10ce2524 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -25,3 +25,11 @@ bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch hwmon-it87-fix-voltage-scaling-for-chips-with-10.9mv.patch uas-add-us_fl_no_report_opcodes-for-jmicron-jms583gen-2.patch thunderbolt-use-const-qualifier-for-ring_interrupt_index.patch +riscv-bump-command_line_size-value-to-1024.patch +ca8210-fix-mac_len-negative-array-access.patch +m68k-only-force-030-bus-error-if-pc-not-in-exception.patch +scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch +scsi-ufs-core-add-soft-dependency-on-governor_simple.patch +net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch +net-usb-qmi_wwan-add-telit-0x1080-composition.patch +sh-sanitize-the-flags-on-sigreturn.patch diff --git a/queue-4.19/sh-sanitize-the-flags-on-sigreturn.patch b/queue-4.19/sh-sanitize-the-flags-on-sigreturn.patch new file mode 100644 index 00000000000..9cda755c04a --- /dev/null +++ b/queue-4.19/sh-sanitize-the-flags-on-sigreturn.patch @@ -0,0 +1,58 @@ +From 6ebd73e0ab0dee889bb67c906de0f8b6b8e9f941 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 01:20:30 +0000 +Subject: sh: sanitize the flags on sigreturn + +From: Al Viro + +[ Upstream commit 573b22ccb7ce9ab7f0539a2e11a9d3609a8783f5 ] + +We fetch %SR value from sigframe; it might have been modified by signal +handler, so we can't trust it with any bits that are not modifiable in +user mode. + +Signed-off-by: Al Viro +Cc: Rich Felker +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/sh/include/asm/processor_32.h | 1 + + arch/sh/kernel/signal_32.c | 3 +++ + 2 files changed, 4 insertions(+) + +diff --git a/arch/sh/include/asm/processor_32.h b/arch/sh/include/asm/processor_32.h +index 95100d8a0b7b4..fc94603724b86 100644 +--- a/arch/sh/include/asm/processor_32.h ++++ b/arch/sh/include/asm/processor_32.h +@@ -57,6 +57,7 @@ + #define SR_FD 0x00008000 + #define SR_MD 0x40000000 + ++#define SR_USER_MASK 0x00000303 // M, Q, S, T bits + /* + * DSP structure and data + */ +diff --git a/arch/sh/kernel/signal_32.c b/arch/sh/kernel/signal_32.c +index c46c0020ff55e..ce93ae78c3002 100644 +--- a/arch/sh/kernel/signal_32.c ++++ b/arch/sh/kernel/signal_32.c +@@ -116,6 +116,7 @@ static int + restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *r0_p) + { + unsigned int err = 0; ++ unsigned int sr = regs->sr & ~SR_USER_MASK; + + #define COPY(x) err |= __get_user(regs->x, &sc->sc_##x) + COPY(regs[1]); +@@ -131,6 +132,8 @@ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *r0_p + COPY(sr); COPY(pc); + #undef COPY + ++ regs->sr = (regs->sr & SR_USER_MASK) | sr; ++ + #ifdef CONFIG_SH_FPU + if (boot_cpu_data.flags & CPU_HAS_FPU) { + int owned_fp; +-- +2.39.2 +