From: Sasha Levin
Date: Fri, 10 Mar 2023 10:31:53 +0000 (-0500)
Subject: Fixes for 4.14
X-Git-Tag: v6.1.17~46^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a08eb1a25de73940007a98562ef002da3a7c24c1;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.14
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/9p-xen-fix-connection-sequence.patch b/queue-4.14/9p-xen-fix-connection-sequence.patch
new file mode 100644
index 00000000000..12e9ebb2e30
--- /dev/null
+++ b/queue-4.14/9p-xen-fix-connection-sequence.patch
@@ -0,0 +1,117 @@ +From ea3e0c1190c6473d13c924d2d7ba66dbd7e5d576 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 12:30:36 +0100 +Subject: 9p/xen: fix connection sequence + +From: Juergen Gross + +[ Upstream commit c15fe55d14b3b4ded5af2a3260877460a6ffb8ad ] + +Today the connection sequence of the Xen 9pfs frontend doesn't match +the documented sequence. It can work reliably only for a PV 9pfs device +having been added at boot time already, as the frontend is not waiting +for the backend to have set its state to "XenbusStateInitWait" before +reading the backend properties from Xenstore. + +Fix that by following the documented sequence [1] (the documentation +has a bug, so the reference is for the patch fixing that). + +[1]: https://lore.kernel.org/xen-devel/20230130090937.31623-1-jgross@suse.com/T/#u + +Link: https://lkml.kernel.org/r/20230130113036.7087-3-jgross@suse.com +Fixes: 868eb122739a ("xen/9pfs: introduce Xen 9pfs transport driver") +Signed-off-by: Juergen Gross +Reviewed-by: Simon Horman +Signed-off-by: Dominique Martinet +Signed-off-by: Eric Van Hensbergen +Signed-off-by: Sasha Levin +--- + net/9p/trans_xen.c | 38 +++++++++++++++++++++++--------------- + 1 file changed, 23 insertions(+), 15 deletions(-) + +diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c +index 6bb14f33b1b5d..ebe232fd45f74 100644 +--- a/net/9p/trans_xen.c ++++ b/net/9p/trans_xen.c +@@ -380,12 +380,11 @@ static int xen_9pfs_front_alloc_dataring(struct xenbus_device *dev, + return ret; + } + +-static int xen_9pfs_front_probe(struct xenbus_device *dev, +- const struct xenbus_device_id *id) ++static int xen_9pfs_front_init(struct xenbus_device *dev) + { + int ret, i; + struct xenbus_transaction xbt; +- struct xen_9pfs_front_priv *priv = NULL; ++ struct xen_9pfs_front_priv *priv = dev_get_drvdata(&dev->dev); + char *versions, *v; + unsigned int max_rings, max_ring_order, len = 0; + +@@ -411,11 +410,6 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev, + if 
(max_ring_order < XEN_9PFS_RING_ORDER) + return -EINVAL; + +- priv = kzalloc(sizeof(*priv), GFP_KERNEL); +- if (!priv) +- return -ENOMEM; +- +- priv->dev = dev; + priv->num_rings = XEN_9PFS_NUM_RINGS; + priv->rings = kcalloc(priv->num_rings, sizeof(*priv->rings), + GFP_KERNEL); +@@ -473,23 +467,35 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev, + goto error; + } + +- write_lock(&xen_9pfs_lock); +- list_add_tail(&priv->list, &xen_9pfs_devs); +- write_unlock(&xen_9pfs_lock); +- dev_set_drvdata(&dev->dev, priv); +- xenbus_switch_state(dev, XenbusStateInitialised); +- + return 0; + + error_xenbus: + xenbus_transaction_end(xbt, 1); + xenbus_dev_fatal(dev, ret, "writing xenstore"); + error: +- dev_set_drvdata(&dev->dev, NULL); + xen_9pfs_front_free(priv); + return ret; + } + ++static int xen_9pfs_front_probe(struct xenbus_device *dev, ++ const struct xenbus_device_id *id) ++{ ++ struct xen_9pfs_front_priv *priv = NULL; ++ ++ priv = kzalloc(sizeof(*priv), GFP_KERNEL); ++ if (!priv) ++ return -ENOMEM; ++ ++ priv->dev = dev; ++ dev_set_drvdata(&dev->dev, priv); ++ ++ write_lock(&xen_9pfs_lock); ++ list_add_tail(&priv->list, &xen_9pfs_devs); ++ write_unlock(&xen_9pfs_lock); ++ ++ return 0; ++} ++ + static int xen_9pfs_front_resume(struct xenbus_device *dev) + { + dev_warn(&dev->dev, "suspsend/resume unsupported\n"); +@@ -508,6 +514,8 @@ static void xen_9pfs_front_changed(struct xenbus_device *dev, + break; + + case XenbusStateInitWait: ++ if (!xen_9pfs_front_init(dev)) ++ xenbus_switch_state(dev, XenbusStateInitialised); + break; + + case XenbusStateConnected: +-- +2.39.2 + diff --git a/queue-4.14/9p-xen-fix-version-parsing.patch b/queue-4.14/9p-xen-fix-version-parsing.patch new file mode 100644 index 00000000000..8d80639ef0e --- /dev/null +++ b/queue-4.14/9p-xen-fix-version-parsing.patch 
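Review bot: The error path of xen_9pfs_front_init() still ends in `xen_9pfs_front_free(priv)`, but the `dev_set_drvdata(&dev->dev, NULL);` that used to precede it is removed, and after the new probe priv stays on xen_9pfs_devs and in drvdata. If xen_9pfs_front_free() releases priv itself (its body is outside the hunk), a failed init from the XenbusStateInitWait handler leaves the device's drvdata pointing at freed memory for the later remove path; keeping the drvdata reset and list removal together with the free, or freeing only the rings on init failure, would close that. If the backend ever re-enters InitWait, the `priv->rings = kcalloc(...)` in xen_9pfs_front_init() would also run a second time without releasing the first allocation, so a guard at the top of the function is worth considering. xen_9pfs_front_init() and xen_9pfs_front_changed() both continue outside the hunk.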
@@ -0,0 +1,63 @@ +From b38d04ff9f963f8bef03bb5e5a71cf72b5d66897 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 12:30:35 +0100 +Subject: 9p/xen: fix version parsing + +From: Juergen Gross + +[ Upstream commit f1956f4ec15195ec60976d9b5625326285ab102e ] + +When connecting the Xen 9pfs frontend to the backend, the "versions" +Xenstore entry written by the backend is parsed in a wrong way. + +The "versions" entry is defined to contain the versions supported by +the backend separated by commas (e.g. "1,2"). Today only version "1" +is defined. Unfortunately the frontend doesn't look for "1" being +listed in the entry, but it is expecting the entry to have the value +"1". + +This will result in failure as soon as the backend will support e.g. +versions "1" and "2". + +Fix that by scanning the entry correctly. + +Link: https://lkml.kernel.org/r/20230130113036.7087-2-jgross@suse.com +Fixes: 71ebd71921e4 ("xen/9pfs: connect to the backend") +Signed-off-by: Juergen Gross +Reviewed-by: Simon Horman +Signed-off-by: Dominique Martinet +Signed-off-by: Eric Van Hensbergen +Signed-off-by: Sasha Levin +--- + net/9p/trans_xen.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c +index ac6a69f6c5e25..6bb14f33b1b5d 100644 +--- a/net/9p/trans_xen.c ++++ b/net/9p/trans_xen.c +@@ -386,13 +386,19 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev, + int ret, i; + struct xenbus_transaction xbt; + struct xen_9pfs_front_priv *priv = NULL; +- char *versions; ++ char *versions, *v; + unsigned int max_rings, max_ring_order, len = 0; + + versions = xenbus_read(XBT_NIL, dev->otherend, "versions", &len); + if (IS_ERR(versions)) + return PTR_ERR(versions); +- if (strcmp(versions, "1")) { ++ for (v = versions; *v; v++) { ++ if (simple_strtoul(v, &v, 10) == 1) { ++ v = NULL; ++ break; ++ } ++ } ++ if (v) { + kfree(versions); + return -EINVAL; + } +-- +2.39.2 + 
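Review bot: The scanning loop in xen_9pfs_front_probe() signals "version 1 found" by setting `v = NULL` and breaking, so the later `if (v)` reads as a null check rather than a not-found test; a one-line comment such as `/* v is NULL iff "1" appeared in the comma-separated versions list */` above `if (v) {`, or a separate bool instead of reusing the cursor, would make that explicit. The behaviour itself looks right for the documented "1,2" form: simple_strtoul() stops at the comma and the loop's `v++` steps over it. Since `versions` is the backend's Xenstore entry, requiring "1" to be listed rather than trusting an exact match is the safer direction. xen_9pfs_front_probe() continues outside the hunk.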
diff --git a/queue-4.14/arm-dts-spear320-hmi-correct-stmpe-gpio-compatible.patch b/queue-4.14/arm-dts-spear320-hmi-correct-stmpe-gpio-compatible.patch new file mode 100644 index 00000000000..e50821d83f2 --- /dev/null +++ b/queue-4.14/arm-dts-spear320-hmi-correct-stmpe-gpio-compatible.patch @@ -0,0 +1,37 @@ +From ac2fe12e98a00cebb5429850a3f71962148ea38f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Feb 2023 17:22:37 +0100 +Subject: ARM: dts: spear320-hmi: correct STMPE GPIO compatible + +From: Krzysztof Kozlowski + +[ Upstream commit 33a0c1b850c8c85f400531dab3a0b022cdb164b1 ] + +The compatible is st,stmpe-gpio. + +Fixes: e2eb69183ec4 ("ARM: SPEAr320: DT: Add SPEAr 320 HMI board support") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Viresh Kumar +Link: https://lore.kernel.org/r/20230225162237.40242-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/spear320-hmi.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/spear320-hmi.dts b/arch/arm/boot/dts/spear320-hmi.dts +index 0d0da1f65f0e6..1e54748799a6b 100644 +--- a/arch/arm/boot/dts/spear320-hmi.dts ++++ b/arch/arm/boot/dts/spear320-hmi.dts +@@ -248,7 +248,7 @@ + irq-trigger = <0x1>; + + stmpegpio: stmpe-gpio { +- compatible = "stmpe,gpio"; ++ compatible = "st,stmpe-gpio"; + reg = <0>; + gpio-controller; + #gpio-cells = <2>; +-- +2.39.2 + diff --git a/queue-4.14/firmware-efi-sysfb_efi-add-quirk-for-lenovo-ideapad-.patch b/queue-4.14/firmware-efi-sysfb_efi-add-quirk-for-lenovo-ideapad-.patch new file mode 100644 index 00000000000..d9a23235348 --- /dev/null +++ b/queue-4.14/firmware-efi-sysfb_efi-add-quirk-for-lenovo-ideapad-.patch 
@@ -0,0 +1,43 @@ +From 20a27f7b00301a98c2df47950e705a552397a2ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 11:50:45 +0000 +Subject: firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3 + +From: Darrell Kavanagh + +[ Upstream commit e1d447157f232c650e6f32c9fb89ff3d0207c69a ] + +Another Lenovo convertable which reports a landscape resolution of +1920x1200 with a pitch of (1920 * 4) bytes, while the actual framebuffer +has a resolution of 1200x1920 with a pitch of (1200 * 4) bytes. + +Signed-off-by: Darrell Kavanagh +Reviewed-by: Hans de Goede +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/sysfb_efi.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/x86/kernel/sysfb_efi.c b/arch/x86/kernel/sysfb_efi.c +index 897da526e40e6..dd8d7636c5420 100644 +--- a/arch/x86/kernel/sysfb_efi.c ++++ b/arch/x86/kernel/sysfb_efi.c +@@ -265,6 +265,14 @@ static const struct dmi_system_id efifb_dmi_swap_width_height[] __initconst = { + "Lenovo ideapad D330-10IGM"), + }, + }, ++ { ++ /* Lenovo IdeaPad Duet 3 10IGL5 with 1200x1920 portrait screen */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, ++ "IdeaPad Duet 3 10IGL5"), ++ }, ++ }, + {}, + }; + +-- +2.39.2 + diff --git a/queue-4.14/fs-jfs-fix-shift-exponent-db_agl2size-negative.patch b/queue-4.14/fs-jfs-fix-shift-exponent-db_agl2size-negative.patch new file mode 100644 index 00000000000..de26f785183 --- /dev/null +++ b/queue-4.14/fs-jfs-fix-shift-exponent-db_agl2size-negative.patch 
@@ -0,0 +1,41 @@ +From a042f3c7ffffbde38065115517f676fcb6833970 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 11:01:59 +0800 +Subject: fs/jfs: fix shift exponent db_agl2size negative + +From: Liu Shixin via Jfs-discussion + +[ Upstream commit fad376fce0af58deebc5075b8539dc05bf639af3 ] + +As a shift exponent, db_agl2size can not be less than 0. Add the missing +check to fix the shift-out-of-bounds bug reported by syzkaller: + + UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2227:15 + shift exponent -744642816 is negative + +Reported-by: syzbot+0be96567042453c0c820@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Liu Shixin +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 0ca1ad2610df9..6a0f564e58ddb 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -206,7 +206,8 @@ int dbMount(struct inode *ipbmap) + bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth); + bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart); + bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size); +- if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) { ++ if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG || ++ bmp->db_agl2size < 0) { + err = -EINVAL; + goto err_release_metapage; + } +-- +2.39.2 + diff --git a/queue-4.14/iio-accel-mma9551_core-prevent-uninitialized-variabl.patch b/queue-4.14/iio-accel-mma9551_core-prevent-uninitialized-variabl.patch new file mode 100644 index 00000000000..f045227a378 --- /dev/null +++ b/queue-4.14/iio-accel-mma9551_core-prevent-uninitialized-variabl.patch 
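Review bot: The new `bmp->db_agl2size < 0` test in dbMount() only has effect if db_agl2size is a signed type; the struct definition is outside the hunk, so confirm it is signed (the UBSAN report quoting a negative exponent suggests it is). The neighbouring fields loaded from the same on-disk structure in this hunk, `db_agwidth` and `db_agstart`, still have no visible range check although they come from the same metapage; any of them that later feeds a shift or an index deserves the same kind of bound. A short comment on the check, `/* db_agl2size is used as a shift exponent; reject negative on-disk values */`, would record why the lower bound exists. dbMount() continues outside the hunk.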
@@ -0,0 +1,48 @@ +From c93a64712ad4277d9d99c820bfdd94b92ff388af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 07:21:46 -0800 +Subject: iio: accel: mma9551_core: Prevent uninitialized variable in + mma9551_read_status_word() + +From: Harshit Mogalapalli + +[ Upstream commit e56d2c34ce9dc122b1a618172ec0e05e50adb9e9 ] + +Smatch Warns: drivers/iio/accel/mma9551_core.c:357 + mma9551_read_status_word() error: uninitialized symbol 'v'. + +When (offset >= 1 << 12) is true mma9551_transfer() will return -EINVAL +without 'v' being initialized, so check for the error and return. + +Note: Not a bug as such because the caller checks return value and +doesn't not use this parameter in the problem case. + +Signed-off-by: Harshit Mogalapalli +Link: https://lore.kernel.org/r/20230126152147.3585874-1-harshit.m.mogalapalli@oracle.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/mma9551_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/accel/mma9551_core.c b/drivers/iio/accel/mma9551_core.c +index c34c5ce8123b0..b4bbc83be4310 100644 +--- a/drivers/iio/accel/mma9551_core.c ++++ b/drivers/iio/accel/mma9551_core.c +@@ -362,9 +362,12 @@ int mma9551_read_status_word(struct i2c_client *client, u8 app_id, + + ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_STATUS, + reg, NULL, 0, (u8 *)&v, 2); ++ if (ret < 0) ++ return ret; ++ + *val = be16_to_cpu(v); + +- return ret; ++ return 0; + } + EXPORT_SYMBOL(mma9551_read_status_word); + +-- +2.39.2 + diff --git a/queue-4.14/iio-accel-mma9551_core-prevent-uninitialized-variabl.patch-21890 b/queue-4.14/iio-accel-mma9551_core-prevent-uninitialized-variabl.patch-21890 new file mode 100644 index 00000000000..85ac8386be4 --- /dev/null +++ b/queue-4.14/iio-accel-mma9551_core-prevent-uninitialized-variabl.patch-21890 
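Review bot: The trailing `return 0;` in mma9551_read_status_word() assumes mma9551_transfer() never returns a positive value on success; if it can (its definition is outside the hunk), callers that previously received that value now receive 0. A comment on the new check, `/* mma9551_transfer() returns 0 or a negative errno; v is untouched on failure */`, would pin the contract the fix relies on. The same pattern and the same remark apply to the mma9551_read_config_word() hunk in the next patch file. Both functions start outside their hunks.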
@@ -0,0 +1,49 @@ +From 3a112099c025faf707588a13fab53586eb892fe7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 07:36:09 -0800 +Subject: iio: accel: mma9551_core: Prevent uninitialized variable in + mma9551_read_config_word() + +From: Harshit Mogalapalli + +[ Upstream commit 64a68158738ec8f520347144352f7a09bdb9e169 ] + +Smatch Warns: +drivers/iio/accel/mma9551_core.c:299 + mma9551_read_config_word() error: uninitialized symbol 'v'. + +When (offset >= 1 << 12) is true mma9551_transfer() will return -EINVAL +without 'v' being initialized, so check for the error and return. + +Note: No actual bug as caller checks the return value and does not +use the parameter in the problem case. + +Signed-off-by: Harshit Mogalapalli +Link: https://lore.kernel.org/r/20230126153610.3586243-1-harshit.m.mogalapalli@oracle.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/mma9551_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/accel/mma9551_core.c b/drivers/iio/accel/mma9551_core.c +index b4bbc83be4310..19b4fbc682e63 100644 +--- a/drivers/iio/accel/mma9551_core.c ++++ b/drivers/iio/accel/mma9551_core.c +@@ -304,9 +304,12 @@ int mma9551_read_config_word(struct i2c_client *client, u8 app_id, + + ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_CONFIG, + reg, NULL, 0, (u8 *)&v, 2); ++ if (ret < 0) ++ return ret; ++ + *val = be16_to_cpu(v); + +- return ret; ++ return 0; + } + EXPORT_SYMBOL(mma9551_read_config_word); + +-- +2.39.2 + diff --git a/queue-4.14/media-uvcvideo-handle-cameras-with-invalid-descripto.patch b/queue-4.14/media-uvcvideo-handle-cameras-with-invalid-descripto.patch new file mode 100644 index 00000000000..b3514dbfeac --- /dev/null +++ b/queue-4.14/media-uvcvideo-handle-cameras-with-invalid-descripto.patch 
@@ -0,0 +1,36 @@ +From 3f7f271f49a4b1cc645a1ef114e59532beb077a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 16:04:55 +0200 +Subject: media: uvcvideo: Handle cameras with invalid descriptors + +From: Ricardo Ribalda + +[ Upstream commit 41ddb251c68ac75c101d3a50a68c4629c9055e4c ] + +If the source entity does not contain any pads, do not create a link. + +Reported-by: syzbot +Signed-off-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_entity.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/uvc/uvc_entity.c b/drivers/media/usb/uvc/uvc_entity.c +index f2457953f27c6..0d5aaaa7e2d96 100644 +--- a/drivers/media/usb/uvc/uvc_entity.c ++++ b/drivers/media/usb/uvc/uvc_entity.c +@@ -42,7 +42,7 @@ static int uvc_mc_create_links(struct uvc_video_chain *chain, + continue; + + remote = uvc_entity_by_id(chain->dev, entity->baSourceID[i]); +- if (remote == NULL) ++ if (remote == NULL || remote->num_pads == 0) + return -EINVAL; + + source = (UVC_ENTITY_TYPE(remote) == UVC_TT_STREAMING) +-- +2.39.2 + diff --git a/queue-4.14/net-fix-__dev_kfree_skb_any-vs-drop-monitor.patch b/queue-4.14/net-fix-__dev_kfree_skb_any-vs-drop-monitor.patch new file mode 100644 index 00000000000..ab7869c166b --- /dev/null +++ b/queue-4.14/net-fix-__dev_kfree_skb_any-vs-drop-monitor.patch 
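Review bot: The new `remote->num_pads == 0` condition in uvc_mc_create_links() carries no comment explaining why a pad-less source entity is rejected with `-EINVAL` rather than skipped, even though the visible `continue` earlier in the loop shows the function also knows how to skip an entry; add `/* A source entity without pads (malformed descriptor) cannot be linked. */` above the condition. Treating the entity descriptor as untrusted device input is the right stance, and failing the chain here is consistent with the existing NULL case. uvc_mc_create_links() starts and continues outside the hunk.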
@@ -0,0 +1,49 @@ +From edcfca411dfafbabb365959e3ba3c4493120a925 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Feb 2023 08:38:45 +0000 +Subject: net: fix __dev_kfree_skb_any() vs drop monitor + +From: Eric Dumazet + +[ Upstream commit ac3ad19584b26fae9ac86e4faebe790becc74491 ] + +dev_kfree_skb() is aliased to consume_skb(). + +When a driver is dropping a packet by calling dev_kfree_skb_any() +we should propagate the drop reason instead of pretending +the packet was consumed. + +Note: Now we have enum skb_drop_reason we could remove +enum skb_free_reason (for linux-6.4) + +v2: added an unlikely(), suggested by Yunsheng Lin. + +Fixes: e6247027e517 ("net: introduce dev_consume_skb_any()") +Signed-off-by: Eric Dumazet +Cc: Yunsheng Lin +Reviewed-by: Yunsheng Lin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 4741c239af170..86f762a1cf7ac 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2525,8 +2525,10 @@ void __dev_kfree_skb_any(struct sk_buff *skb, enum skb_free_reason reason) + { + if (in_irq() || irqs_disabled()) + __dev_kfree_skb_irq(skb, reason); ++ else if (unlikely(reason == SKB_REASON_DROPPED)) ++ kfree_skb(skb); + else +- dev_kfree_skb(skb); ++ consume_skb(skb); + } + EXPORT_SYMBOL(__dev_kfree_skb_any); + +-- +2.39.2 + diff --git a/queue-4.14/netfilter-ctnetlink-fix-possible-refcount-leak-in-ct.patch b/queue-4.14/netfilter-ctnetlink-fix-possible-refcount-leak-in-ct.patch new file mode 100644 index 00000000000..367beac7ddc --- /dev/null +++ b/queue-4.14/netfilter-ctnetlink-fix-possible-refcount-leak-in-ct.patch 
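Review bot: The drop/consume distinction in __dev_kfree_skb_any() is only made on the non-IRQ branch; the `__dev_kfree_skb_irq(skb, reason)` call still receives `reason`, and whether it reports SKB_REASON_DROPPED to the drop monitor is outside the hunk, so it is worth confirming both paths now account drops the same way. A comment above the new branch, `/* Report real drops to the drop monitor; anything else is a consume. */`, would also keep a future reader from folding the two calls back into one. The function is complete within the hunk.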
@@ -0,0 +1,47 @@ +From 36040838028daaad29e73ac7e3f88173f6ddff44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 15:17:30 +0800 +Subject: netfilter: ctnetlink: fix possible refcount leak in + ctnetlink_create_conntrack() + +From: Hangyu Hua + +[ Upstream commit ac4893980bbe79ce383daf9a0885666a30fe4c83 ] + +nf_ct_put() needs to be called to put the refcount got by +nf_conntrack_find_get() to avoid refcount leak when +nf_conntrack_hash_check_insert() fails. + +Fixes: 7d367e06688d ("netfilter: ctnetlink: fix soft lockup when netlink adds new entries (v2)") +Signed-off-by: Hangyu Hua +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index b084659bd34bc..733e61fc50433 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -1906,12 +1906,15 @@ ctnetlink_create_conntrack(struct net *net, + + err = nf_conntrack_hash_check_insert(ct); + if (err < 0) +- goto err2; ++ goto err3; + + rcu_read_unlock(); + + return ct; + ++err3: ++ if (ct->master) ++ nf_ct_put(ct->master); + err2: + rcu_read_unlock(); + err1: +-- +2.39.2 + diff --git a/queue-4.14/nfc-fix-memory-leak-of-se_io-context-in-nfc_genl_se_.patch b/queue-4.14/nfc-fix-memory-leak-of-se_io-context-in-nfc_genl_se_.patch new file mode 100644 index 00000000000..41339bd4d84 --- /dev/null +++ b/queue-4.14/nfc-fix-memory-leak-of-se_io-context-in-nfc_genl_se_.patch 
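Review bot: The new err3 label in ctnetlink_create_conntrack() drops the master reference without a comment tying it to the nf_conntrack_find_get() that took it earlier in the function (outside the hunk); `/* drop the reference taken on ct->master by nf_conntrack_find_get() */` above `if (ct->master)` would make the pairing visible. Any other failure between that lookup and nf_conntrack_hash_check_insert() that still jumps to err2 would leak the same reference, which cannot be checked from the hunk alone. Since err3 falls through to err2 and err1, the unlock and the remaining teardown still run in their original order.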
@@ -0,0 +1,85 @@ +From 2f4b9bdacf08ebcc33dd26b70341406917b5b221 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Feb 2023 13:56:14 +0300 +Subject: nfc: fix memory leak of se_io context in nfc_genl_se_io + +From: Fedor Pchelkin + +[ Upstream commit 25ff6f8a5a3b8dc48e8abda6f013e8cc4b14ffea ] + +The callback context for sending/receiving APDUs to/from the selected +secure element is allocated inside nfc_genl_se_io and supposed to be +eventually freed in se_io_cb callback function. However, there are several +error paths where the bwi_timer is not charged to call se_io_cb later, and +the cb_context is leaked. + +The patch proposes to free the cb_context explicitly on those error paths. + +At the moment we can't simply check 'dev->ops->se_io()' return value as it +may be negative in both cases: when the timer was charged and was not. + +Fixes: 5ce3f32b5264 ("NFC: netlink: SE API implementation") +Reported-by: syzbot+df64c0a2e8d68e78a4fa@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/st-nci/se.c | 6 ++++++ + drivers/nfc/st21nfca/se.c | 6 ++++++ + net/nfc/netlink.c | 4 ++++ + 3 files changed, 16 insertions(+) + +diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c +index b1d23b35aac4f..c0fbd88651b12 100644 +--- a/drivers/nfc/st-nci/se.c ++++ b/drivers/nfc/st-nci/se.c +@@ -676,6 +676,12 @@ int st_nci_se_io(struct nci_dev *ndev, u32 se_idx, + ST_NCI_EVT_TRANSMIT_DATA, apdu, + apdu_length); + default: ++ /* Need to free cb_context here as at the moment we can't ++ * clearly indicate to the caller if the callback function ++ * would be called (and free it) or not. In both cases a ++ * negative value may be returned to the caller. 
++ */ ++ kfree(cb_context); + return -ENODEV; + } + } +diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c +index 21ab3e678cf36..7946a2ee7bff5 100644 +--- a/drivers/nfc/st21nfca/se.c ++++ b/drivers/nfc/st21nfca/se.c +@@ -247,6 +247,12 @@ int st21nfca_hci_se_io(struct nfc_hci_dev *hdev, u32 se_idx, + ST21NFCA_EVT_TRANSMIT_DATA, + apdu, apdu_length); + default: ++ /* Need to free cb_context here as at the moment we can't ++ * clearly indicate to the caller if the callback function ++ * would be called (and free it) or not. In both cases a ++ * negative value may be returned to the caller. ++ */ ++ kfree(cb_context); + return -ENODEV; + } + } +diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c +index be06f4e37c436..9898b6a27fefc 100644 +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -1450,7 +1450,11 @@ static int nfc_se_io(struct nfc_dev *dev, u32 se_idx, + rc = dev->ops->se_io(dev, se_idx, apdu, + apdu_length, cb, cb_context); + ++ device_unlock(&dev->dev); ++ return rc; ++ + error: ++ kfree(cb_context); + device_unlock(&dev->dev); + return rc; + } +-- +2.39.2 + diff --git a/queue-4.14/parport_pc-set-up-mode-and-ecr-masks-for-oxford-semi.patch b/queue-4.14/parport_pc-set-up-mode-and-ecr-masks-for-oxford-semi.patch new file mode 100644 index 00000000000..bbb400872c6 --- /dev/null +++ b/queue-4.14/parport_pc-set-up-mode-and-ecr-masks-for-oxford-semi.patch 
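Review bot: After this change nfc_se_io() in net/nfc/netlink.c never frees cb_context once `dev->ops->se_io()` has been called, whatever `rc` is, so ownership of cb_context passes to the driver on every return value; that contract is stated only in the two driver-side comments, not where callers of the ops hook will look. A comment above the `rc = dev->ops->se_io(...)` call, `/* se_io() owns cb_context from here on, even when it returns an error */`, would document the rule any other se_io implementation has to follow. nfc_se_io() starts outside the hunk, so whether every earlier failure path reaches the `error:` label cannot be confirmed here.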
@@ -0,0 +1,140 @@ +From 5be1d59814c8b707e3bcd2ad5f05585912b0c326 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Jan 2023 21:56:55 +0000 +Subject: parport_pc: Set up mode and ECR masks for Oxford Semiconductor + devices + +From: Maciej W. Rozycki + +[ Upstream commit c087df8d1e7dc2e764d11234d84b5af46d500f16 ] + +No Oxford Semiconductor PCI or PCIe parallel port device supports the +Parallel Port FIFO mode. All support the PS/2 Parallel Port mode and +the Enhanced Parallel Port mode via the ECR register. The original 5V +PCI OX16PCI954 device does not support the Extended Capabilities Port +mode, the Test mode or the Configuration mode, but all the other OxSemi +devices do, including in particular the 3.3V PCI OXmPCI954 device and +the universal voltage PCI OXuPCI954 device. All the unsupported modes +are marked reserved in the relevant datasheets. + +Accordingly enable the `base_hi' BAR for the 954 devices to enable PS2 +and EPP mode support via the ECR register, however mask the COMPAT mode +and, until we have a way to determine what chip variant it is that we +poke at, also the ECP mode, and mask the COMPAT mode only for all the +remaining OxSemi devices, fixing errors like: + +parport0: FIFO is stuck +FIFO write timed out + +and a non-functional port when the Parallel Port FIFO mode is selected. + +Complementing the fix apply an ECR mask for all these devices, which are +documented to only permit writing to the mode field of the ECR register +with a bit pattern of 00001 required to be written to bits 4:0 on mode +field writes. No nFault or service interrupts are implemented, which +will therefore never have to be enabled, though bit 2 does report the +FIFO threshold status to be polled for in the ECP mode where supported. 
+ +We have a documented case of writing 1 to bit 2 causing a lock-up with +at least one OX12PCI840 device (from old drivers/parport/ChangeLog): + +2001-10-10 Tim Waugh + + * parport_pc.c: Support for OX12PCI840 PCI card (reported by + mk@daveg.com). Lock-ups diagnosed by Ronnie Arosa (and now we + just don't trust its ECR). + +which commit adbd321a17cc ("parport_pc: add base_hi BAR for oxsemi_840") +must have broken and by applying an ECR mask here we prevent the lock-up +from triggering. This could have been the reason for requiring 00001 to +be written to bits 4:0 of ECR. + +Update the inline comment accordingly; it has come from Linux 2.4.12 +back in 2001 and predates the introduction of OXmPCI954 and OXuPCI954 +devices that do support ECP. + +References: + +[1] "OX16PCI954 Integrated Quad UART and PCI interface", Oxford + Semiconductor Ltd., Data Sheet Revision 1.3, Feb. 1999, Chapter 9 + "Bidirectional Parallel Port", pp. 53-55 + +[2] "OX16PCI952 Data Sheet, Integrated High Performance Dual UARTs, + Parallel Port and 5.0v PCI interface", Oxford Semiconductor Ltd., + DS_B008A_00, Datasheet rev 1.1, June 2001, Chapter 8 "Bi-directional + Parallel Port", pp. 52-56 + +[3] "OXmPCI954 DATA SHEET Integrated High Performance Quad UARTs, 8-bit + Local Bus/Parallel Port. 3.3v PCI/miniPCI interface.", Oxford + Semiconductor Ltd., DS-0019, June 2005, Chapter 10 "Bidirectional + Parallel Port", pp. 86-90 + +[4] "OXmPCI952 Data Sheet, Integrated High Performance Dual UARTs, 8-bit + Local Bus/Parallel Port. 3.3v PCI/miniPCI interface.", Oxford + Semiconductor Ltd., DS-0020, June 2005, Chapter 8 "Bidirectional + Parallel Port", pp. 73-77 + +[5] "OX12PCI840 Integrated Parallel Port and PCI interface", Oxford + Semiconductor Ltd., DS-0021, Jun 2005, Chapter 5 "Bi-directional + Parallel Port", pp. 18-21 + +[6] "OXPCIe952 PCI Express Bridge to Dual Serial & Parallel Port", + Oxford Semiconductor, Inc., DS-0046, Mar 06 08, Chapter "Parallel + Port Function", pp. 
59-62 + +[7] "OXPCIe840 PCI Express Bridge to Parallel Port", Oxford + Semiconductor, Inc., DS-0049, Mar 06 08, Chapter "Parallel Port + Function", pp. 15-18 + +[8] "OXuPCI954 Data Sheet, Integrated High Performance Quad UARTs, 8-bit + Local Bus/Parallel Port, 3.3 V and 5 V (Universal Voltage) PCI + Interface.", Oxford Semiconductor, Inc., DS-0058, 26 Jan 2009, + Chapter 8 "Bidirectional Parallel Port", pp. 62-65 + +[9] "OXuPCI952 Data Sheet, Integrated High Performance Dual UARTs, 8-bit + Local Bus/Parallel Port, 3.3 V and 5.0 V Universal Voltage PCI + Interface.", Oxford Semiconductor, Inc., DS-0059, Sep 2007, Chapter + 8 "Bidirectional Parallel Port", pp. 61-64 + +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Sudip Mukherjee +Link: https://lore.kernel.org/r/20230108215656.6433-6-sudipm.mukherjee@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/parport/parport_pc.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c +index d99ac73a1d89e..40c29e19f8647 100644 +--- a/drivers/parport/parport_pc.c ++++ b/drivers/parport/parport_pc.c +@@ -2691,12 +2691,19 @@ static struct parport_pc_pci { + /* titan_010l */ { 1, { { 3, -1 }, } }, + /* avlab_1p */ { 1, { { 0, 1}, } }, + /* avlab_2p */ { 2, { { 0, 1}, { 2, 3 },} }, +- /* The Oxford Semi cards are unusual: 954 doesn't support ECP, +- * and 840 locks up if you write 1 to bit 2! */ +- /* oxsemi_952 */ { 1, { { 0, 1 }, } }, +- /* oxsemi_954 */ { 1, { { 0, -1 }, } }, +- /* oxsemi_840 */ { 1, { { 0, 1 }, } }, +- /* oxsemi_pcie_pport */ { 1, { { 0, 1 }, } }, ++ /* The Oxford Semi cards are unusual: older variants of 954 don't ++ * support ECP, and 840 locks up if you write 1 to bit 2! None ++ * implement nFault or service interrupts and all require 00001 ++ * bit pattern to be used for bits 4:0 with ECR writes. 
*/ ++ /* oxsemi_952 */ { 1, { { 0, 1 }, }, ++ PARPORT_MODE_COMPAT, ECR_MODE_MASK }, ++ /* oxsemi_954 */ { 1, { { 0, 1 }, }, ++ PARPORT_MODE_ECP | ++ PARPORT_MODE_COMPAT, ECR_MODE_MASK }, ++ /* oxsemi_840 */ { 1, { { 0, 1 }, }, ++ PARPORT_MODE_COMPAT, ECR_MODE_MASK }, ++ /* oxsemi_pcie_pport */ { 1, { { 0, 1 }, }, ++ PARPORT_MODE_COMPAT, ECR_MODE_MASK }, + /* aks_0100 */ { 1, { { 0, -1 }, } }, + /* mobility_pp */ { 1, { { 0, 1 }, } }, + +-- +2.39.2 + diff --git a/queue-4.14/phy-rockchip-typec-fix-unsigned-comparison-with-less.patch b/queue-4.14/phy-rockchip-typec-fix-unsigned-comparison-with-less.patch new file mode 100644 index 00000000000..a9cee7711a0 --- /dev/null +++ b/queue-4.14/phy-rockchip-typec-fix-unsigned-comparison-with-less.patch 
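Review bot: The rewritten oxsemi entries in the parport_pc_pci table initialise two trailing struct members positionally while the neighbouring entries rely on implicit zero initialisation, so a reader cannot tell from the hunk which members PARPORT_MODE_COMPAT and ECR_MODE_MASK land in; designated initialisers naming those members (declared in the struct header above, outside the hunk) would make each entry self-describing and survive future member reordering. The new comment usefully records the nFault/service-interrupt and 00001-pattern constraints; it could also note that the 954 entry keeps ECP masked until the chip variant can be detected, as the commit message explains. The table definition continues outside the hunk.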
@@ -0,0 +1,43 @@ +From 8aa9934af51627b0954104a05c23dd6ae63d4b91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Feb 2023 11:57:09 +0800 +Subject: phy: rockchip-typec: Fix unsigned comparison with less than zero + +From: Jiapeng Chong + +[ Upstream commit f765c59c5a72546a2d74a92ae5d0eb0329d8e247 ] + +The dp and ufp are defined as bool type, the return value type of +function extcon_get_state should be int, so the type of dp and ufp +are modified to int. + +./drivers/phy/rockchip/phy-rockchip-typec.c:827:12-14: WARNING: Unsigned expression compared with zero: dp > 0. + +Reported-by: Abaci Robot +Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3962 +Signed-off-by: Jiapeng Chong +Link: https://lore.kernel.org/r/20230213035709.99027-1-jiapeng.chong@linux.alibaba.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-typec.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-typec.c b/drivers/phy/rockchip/phy-rockchip-typec.c +index a958c9bced019..6e3916424012a 100644 +--- a/drivers/phy/rockchip/phy-rockchip-typec.c ++++ b/drivers/phy/rockchip/phy-rockchip-typec.c +@@ -645,9 +645,8 @@ static int tcphy_get_mode(struct rockchip_typec_phy *tcphy) + struct extcon_dev *edev = tcphy->extcon; + union extcon_property_value property; + unsigned int id; +- bool ufp, dp; + u8 mode; +- int ret; ++ int ret, ufp, dp; + + ufp = extcon_get_state(edev, EXTCON_USB); + dp = extcon_get_state(edev, EXTCON_DISP_DP); +-- +2.39.2 + diff --git a/queue-4.14/pwm-stm32-lp-fix-the-check-on-arr-and-cmp-registers-.patch b/queue-4.14/pwm-stm32-lp-fix-the-check-on-arr-and-cmp-registers-.patch new file mode 100644 index 00000000000..378df13e92d --- /dev/null +++ b/queue-4.14/pwm-stm32-lp-fix-the-check-on-arr-and-cmp-registers-.patch 
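Review bot: Changing `ufp` and `dp` in tcphy_get_mode() from bool to int makes a negative errno from extcon_get_state() a third, distinct value, but the code that consumes them is outside the hunk, so it is not visible whether a negative result is handled or silently treated as "not present". A comment beside the declaration, `/* ufp/dp: extcon state, or a negative errno from extcon_get_state() */`, plus an explicit `if (ufp < 0 || dp < 0)` branch in the consumer, would make that decision deliberate rather than a side effect of the type change. tcphy_get_mode() continues outside the hunk.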
@@ -0,0 +1,44 @@ +From 9494172fdd3e39053aa96c069c0d67845ba6628e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 14:36:52 +0100 +Subject: pwm: stm32-lp: fix the check on arr and cmp registers update +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabrice Gasnier + +[ Upstream commit 3066bc2d58be31275afb51a589668f265e419c37 ] + +The ARR (auto reload register) and CMP (compare) registers are +successively written. The status bits to check the update of these +registers are polled together with regmap_read_poll_timeout(). +The condition to end the loop may become true, even if one of the +register isn't correctly updated. +So ensure both status bits are set before clearing them. + +Fixes: e70a540b4e02 ("pwm: Add STM32 LPTimer PWM driver") +Signed-off-by: Fabrice Gasnier +Acked-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-stm32-lp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-stm32-lp.c b/drivers/pwm/pwm-stm32-lp.c +index 3f2e4ef695d75..ba0aa3b8076b1 100644 +--- a/drivers/pwm/pwm-stm32-lp.c ++++ b/drivers/pwm/pwm-stm32-lp.c +@@ -127,7 +127,7 @@ static int stm32_pwm_lp_apply(struct pwm_chip *chip, struct pwm_device *pwm, + + /* ensure CMP & ARR registers are properly written */ + ret = regmap_read_poll_timeout(priv->regmap, STM32_LPTIM_ISR, val, +- (val & STM32_LPTIM_CMPOK_ARROK), ++ (val & STM32_LPTIM_CMPOK_ARROK) == STM32_LPTIM_CMPOK_ARROK, + 100, 1000); + if (ret) { + dev_err(priv->chip.dev, "ARR/CMP registers write issue\n"); +-- +2.39.2 + diff --git a/queue-4.14/scsi-ipr-work-around-fortify-string-warning.patch b/queue-4.14/scsi-ipr-work-around-fortify-string-warning.patch new file mode 100644 index 00000000000..f60787c5a33 --- /dev/null +++ b/queue-4.14/scsi-ipr-work-around-fortify-string-warning.patch 
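Review bot: The corrected poll condition in stm32_pwm_lp_apply() now requires both status bits, but the comment above it, `/* ensure CMP & ARR registers are properly written */`, does not say that the two OK bits are set independently and must both be observed before they are cleared, which is exactly what the old `(val & STM32_LPTIM_CMPOK_ARROK)` test missed; extending it to `/* ensure CMP & ARR registers are properly written: both OK bits must be set */` keeps the reason with the code. The new condition line appears to exceed the usual 80-column limit, so splitting it across two lines would match the surrounding style. stm32_pwm_lp_apply() starts and continues outside the hunk.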
@@ -0,0 +1,114 @@ +From 04d57f2e28e01a436ed0189174f74133bf1423d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 14:28:08 +0100 +Subject: scsi: ipr: Work around fortify-string warning + +From: Arnd Bergmann + +[ Upstream commit ee4e7dfe4ffc9ca50c6875757bd119abfe22b5c5 ] + +The ipr_log_vpd_compact() function triggers a fortified memcpy() warning +about a potential string overflow with all versions of clang: + +In file included from drivers/scsi/ipr.c:43: +In file included from include/linux/string.h:254: +include/linux/fortify-string.h:520:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] + __write_overflow_field(p_size_field, size); + ^ +include/linux/fortify-string.h:520:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] +2 errors generated. + +I don't see anything actually wrong with the function, but this is the only +instance I can reproduce of the fortification going wrong in the kernel at +the moment, so the easiest solution may be to rewrite the function into +something that does not trigger the warning. + +Instead of having a combined buffer for vendor/device/serial strings, use +three separate local variables and just truncate the whitespace +individually. + +Link: https://lore.kernel.org/r/20230214132831.2118392-1-arnd@kernel.org +Cc: Kees Cook +Fixes: 8cf093e275d0 ("[SCSI] ipr: Improved dual adapter errors") +Signed-off-by: Arnd Bergmann +Reviewed-by: Damien Le Moal +Reviewed-by: Kees Cook +Acked-by: Brian King +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ipr.c | 41 +++++++++++++++++++++-------------------- + 1 file changed, 21 insertions(+), 20 deletions(-) + +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c +index 86e2d3033a2db..030d26f7d50c8 100644 +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -1531,23 +1531,22 @@ static void ipr_process_ccn(struct ipr_cmnd *ipr_cmd) + } + + /** +- * strip_and_pad_whitespace - Strip and pad trailing whitespace. +- * @i: index into buffer +- * @buf: string to modify ++ * strip_whitespace - Strip and pad trailing whitespace. ++ * @i: size of buffer ++ * @buf: string to modify + * +- * This function will strip all trailing whitespace, pad the end +- * of the string with a single space, and NULL terminate the string. ++ * This function will strip all trailing whitespace and ++ * NUL terminate the string. + * +- * Return value: +- * new length of string + **/ +-static int strip_and_pad_whitespace(int i, char *buf) ++static void strip_whitespace(int i, char *buf) + { ++ if (i < 1) ++ return; ++ i--; + while (i && buf[i] == ' ') + i--; +- buf[i+1] = ' '; +- buf[i+2] = '\0'; +- return i + 2; ++ buf[i+1] = '\0'; + } + + /** +@@ -1562,19 +1561,21 @@ static int strip_and_pad_whitespace(int i, char *buf) + static void ipr_log_vpd_compact(char *prefix, struct ipr_hostrcb *hostrcb, + struct ipr_vpd *vpd) + { +- char buffer[IPR_VENDOR_ID_LEN + IPR_PROD_ID_LEN + IPR_SERIAL_NUM_LEN + 3]; +- int i = 0; ++ char vendor_id[IPR_VENDOR_ID_LEN + 1]; ++ char product_id[IPR_PROD_ID_LEN + 1]; ++ char sn[IPR_SERIAL_NUM_LEN + 1]; + +- memcpy(buffer, vpd->vpids.vendor_id, IPR_VENDOR_ID_LEN); +- i = strip_and_pad_whitespace(IPR_VENDOR_ID_LEN - 1, buffer); ++ memcpy(vendor_id, vpd->vpids.vendor_id, IPR_VENDOR_ID_LEN); ++ strip_whitespace(IPR_VENDOR_ID_LEN, vendor_id); + +- memcpy(&buffer[i], vpd->vpids.product_id, IPR_PROD_ID_LEN); +- i = strip_and_pad_whitespace(i + IPR_PROD_ID_LEN - 1, buffer); ++ memcpy(product_id, vpd->vpids.product_id, 
IPR_PROD_ID_LEN); ++ strip_whitespace(IPR_PROD_ID_LEN, product_id); + +- memcpy(&buffer[i], vpd->sn, IPR_SERIAL_NUM_LEN); +- buffer[IPR_SERIAL_NUM_LEN + i] = '\0'; ++ memcpy(sn, vpd->sn, IPR_SERIAL_NUM_LEN); ++ strip_whitespace(IPR_SERIAL_NUM_LEN, sn); + +- ipr_hcam_err(hostrcb, "%s VPID/SN: %s\n", prefix, buffer); ++ ipr_hcam_err(hostrcb, "%s VPID/SN: %s %s %s\n", prefix, ++ vendor_id, product_id, sn); + } + + /** +-- +2.39.2 + diff --git a/queue-4.14/series b/queue-4.14/series index 08c228d1686..a6570c1fee8 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
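Review bot: The rewritten kernel-doc for strip_whitespace() at the top of the hunk still reads `Strip and pad trailing whitespace.` although the padding was removed; it should say `strip_whitespace - Strip trailing whitespace.`, and the `@i` line should state that `buf` must hold `i + 1` bytes, because `buf[i+1] = '\0'` writes index `i` (the size) when nothing is stripped — the callers' `[LEN + 1]` arrays rely on that. Note also that a field consisting only of spaces ends as the one-character string `" "`, since the loop stops at `i == 0` without testing `buf[0]`; that matches the old helper, but is worth a comment because the VPD bytes come from the adapter rather than from trusted kernel data. ipr_log_vpd_compact() ends inside the hunk but strip_whitespace()'s doc block begins before it.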
@@ -147,3 +147,43 @@ pci-avoid-flr-for-amd-fch-ahci-adapters.patch drm-radeon-fix-edp-for-single-display-imac11-2.patch kbuild-port-silent-mode-detection-to-future-gnu-make.patch net-sched-retire-tcindex-classifier.patch +fs-jfs-fix-shift-exponent-db_agl2size-negative.patch +pwm-stm32-lp-fix-the-check-on-arr-and-cmp-registers-.patch +ubi-ensure-that-vid-header-offset-vid-header-size-al.patch +ubifs-rectify-space-budget-for-ubifs_xrename.patch +ubifs-fix-wrong-dirty-space-budget-for-dirty-inode.patch +ubifs-reserve-one-leb-for-each-journal-head-while-do.patch +ubi-fix-use-after-free-when-volume-resizing-failed.patch +ubi-fix-unreferenced-object-reported-by-kmemleak-in-.patch +ubi-fix-possible-null-ptr-deref-in-ubi_free_volume.patch +ubifs-re-statistic-cleaned-znode-count-if-commit-fai.patch +ubifs-dirty_cow_znode-fix-memleak-in-error-handling-.patch +ubifs-ubifs_writepage-mark-page-dirty-after-writing-.patch +ubi-fix-uaf-wear-leveling-entry-in-eraseblk_count_se.patch +ubi-ubi_wl_put_peb-fix-infinite-loop-when-wear-level.patch +x86-um-vdso-add-rcx-and-r11-to-the-syscall-clobber-l.patch +watchdog-at91sam9_wdt-use-devm_request_irq-to-avoid-.patch +watchdog-fix-kmemleak-in-watchdog_cdev_register.patch +watchdog-pcwd_usb-fix-attempting-to-access-uninitial.patch +netfilter-ctnetlink-fix-possible-refcount-leak-in-ct.patch +net-fix-__dev_kfree_skb_any-vs-drop-monitor.patch +9p-xen-fix-version-parsing.patch +9p-xen-fix-connection-sequence.patch +nfc-fix-memory-leak-of-se_io-context-in-nfc_genl_se_.patch +arm-dts-spear320-hmi-correct-stmpe-gpio-compatible.patch +tcp-tcp_check_req-can-be-called-from-process-context.patch +scsi-ipr-work-around-fortify-string-warning.patch +thermal-intel-quark_dts-fix-error-pointer-dereferenc.patch +tracing-add-null-checks-for-buffer-in-ring_buffer_fr.patch +firmware-efi-sysfb_efi-add-quirk-for-lenovo-ideapad-.patch +media-uvcvideo-handle-cameras-with-invalid-descripto.patch +tty-fix-out-of-bounds-access-in-tty_driver_lookup_tt.patch 
+tty-serial-fsl_lpuart-disable-the-cts-when-send-brea.patch +parport_pc-set-up-mode-and-ecr-masks-for-oxford-semi.patch +tools-iio-iio_utils-fix-memory-leak.patch +iio-accel-mma9551_core-prevent-uninitialized-variabl.patch +iio-accel-mma9551_core-prevent-uninitialized-variabl.patch-21890 +usb-host-xhci-mvebu-iterate-over-array-indexes-inste.patch +usb-ene_usb6250-allocate-enough-memory-for-full-obje.patch +usb-uvc-enumerate-valid-values-for-color-matching.patch +phy-rockchip-typec-fix-unsigned-comparison-with-less.patch diff --git a/queue-4.14/tcp-tcp_check_req-can-be-called-from-process-context.patch b/queue-4.14/tcp-tcp_check_req-can-be-called-from-process-context.patch new file mode 100644 index 00000000000..2836b1116fa --- /dev/null +++ b/queue-4.14/tcp-tcp_check_req-can-be-called-from-process-context.patch 
@@ -0,0 +1,68 @@ +From 4293e108df6a0ff9e7f546176082361d033b2a55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 08:33:36 +0000 +Subject: tcp: tcp_check_req() can be called from process context + +From: Eric Dumazet + +[ Upstream commit 580f98cc33a260bb8c6a39ae2921b29586b84fdf ] + +This is a follow up of commit 0a375c822497 ("tcp: tcp_rtx_synack() +can be called from process context"). + +Frederick Lawler reported another "__this_cpu_add() in preemptible" +warning caused by the same reason. + +In my former patch I took care of tcp_rtx_synack() +but forgot that tcp_check_req() also contained some SNMP updates. + +Note that some parts of tcp_check_req() always run in BH context, +I added a comment to clarify this. + +Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners") +Link: https://lore.kernel.org/netdev/8cd33923-a21d-397c-e46b-2a068c287b03@cloudflare.com/T/ +Signed-off-by: Eric Dumazet +Reported-by: Frederick Lawler +Tested-by: Frederick Lawler +Link: https://lore.kernel.org/r/20230227083336.4153089-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_minisocks.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c +index 61584638dba7f..21fe6f6a0e4fe 100644 +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -557,6 +557,9 @@ EXPORT_SYMBOL(tcp_create_openreq_child); + * validation and inside tcp_v4_reqsk_send_ack(). Can we do better? + * + * We don't need to initialize tmp_opt.sack_ok as we don't use the results ++ * ++ * Note: If @fastopen is true, this can be called from process context. ++ * Otherwise, this is from BH context. 
+ */ + + struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, +@@ -709,7 +712,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, + &tcp_rsk(req)->last_oow_ack_time)) + req->rsk_ops->send_ack(sk, skb, req); + if (paws_reject) +- __NET_INC_STATS(sock_net(sk), LINUX_MIB_PAWSESTABREJECTED); ++ NET_INC_STATS(sock_net(sk), LINUX_MIB_PAWSESTABREJECTED); + return NULL; + } + +@@ -728,7 +731,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, + * "fourth, check the SYN bit" + */ + if (flg & (TCP_FLAG_RST|TCP_FLAG_SYN)) { +- __TCP_INC_STATS(sock_net(sk), TCP_MIB_ATTEMPTFAILS); ++ TCP_INC_STATS(sock_net(sk), TCP_MIB_ATTEMPTFAILS); + goto embryonic_reset; + } + +-- +2.39.2 + diff --git a/queue-4.14/thermal-intel-quark_dts-fix-error-pointer-dereferenc.patch b/queue-4.14/thermal-intel-quark_dts-fix-error-pointer-dereferenc.patch new file mode 100644 index 00000000000..ba97935e423 --- /dev/null +++ b/queue-4.14/thermal-intel-quark_dts-fix-error-pointer-dereferenc.patch 
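Review bot: The reason for switching to the BH-disabling NET_INC_STATS()/TCP_INC_STATS() variants lives only in the header comment, far from the two changed sites; a short comment at the first changed line, e.g. `/* may run in process context via fastopen, so not the __ variant */`, keeps the next reader from "optimising" it back. The header comment states that the non-fastopen path runs in BH context; if other SNMP updates in tcp_check_req() still use the `__` forms on that assumption, the comment should say which ones and why they are safe. tcp_check_req() itself starts and ends outside the hunk.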
@@ -0,0 +1,52 @@
+From 8f32d5bc10695531da70d30991e07f858611a420 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Feb 2023 13:06:50 +0300
+Subject: thermal: intel: quark_dts: fix error pointer dereference
+
+From: Dan Carpenter
+
+[ Upstream commit f1b930e740811d416de4d2074da48b6633a672c8 ]
+
+If alloc_soc_dts() fails, then we can just return. Trying to free
+"soc_dts" will lead to an Oops.
+
+Fixes: 8c1876939663 ("thermal: intel Quark SoC X1000 DTS thermal driver")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/thermal/intel_quark_dts_thermal.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/thermal/intel_quark_dts_thermal.c b/drivers/thermal/intel_quark_dts_thermal.c
+index 5d33b350da1c6..ad92d8f0add19 100644
+--- a/drivers/thermal/intel_quark_dts_thermal.c
++++ b/drivers/thermal/intel_quark_dts_thermal.c
+@@ -440,22 +440,14 @@ MODULE_DEVICE_TABLE(x86cpu, qrk_thermal_ids);
+ 
+ static int __init intel_quark_thermal_init(void)
+ {
+- int err = 0;
+-
+ if (!x86_match_cpu(qrk_thermal_ids) || !iosf_mbi_available())
+ return -ENODEV;
+ 
+ soc_dts = alloc_soc_dts();
+- if (IS_ERR(soc_dts)) {
+- err = PTR_ERR(soc_dts);
+- goto err_free;
+- }
++ if (IS_ERR(soc_dts))
++ return PTR_ERR(soc_dts);
+ 
+ return 0;
+-
+-err_free:
+- free_soc_dts(soc_dts);
+- return err;
+ }
+ 
+ static void __exit intel_quark_thermal_exit(void)
+-- 
+2.39.2
+
diff --git a/queue-4.14/tools-iio-iio_utils-fix-memory-leak.patch b/queue-4.14/tools-iio-iio_utils-fix-memory-leak.patch
new file mode 100644
index 00000000000..c38630c1516
--- /dev/null
+++ b/queue-4.14/tools-iio-iio_utils-fix-memory-leak.patch
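Review bot: After the early `return PTR_ERR(soc_dts);` the file-scope `soc_dts` keeps holding the error pointer; any later reader that tests it with a plain NULL check (none is visible in the hunk, so this is inferred) would dereference it. Clearing it before returning removes the latent hazard at the cost of two lines: `int err = PTR_ERR(soc_dts); soc_dts = NULL; return err;`. The removal of the `free_soc_dts()` call on this path is correct, since there is nothing allocated to free when alloc_soc_dts() returned an error pointer. The module-exit counterpart is outside the hunk.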
@@ -0,0 +1,154 @@ +From 42ae4e24a9d307750abed5f37541660118ec8a35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 10:51:47 +0800 +Subject: tools/iio/iio_utils:fix memory leak + +From: Yulong Zhang + +[ Upstream commit f2edf0c819a4823cd6c288801ce737e8d4fcde06 ] + +1. fopen sysfs without fclose. +2. asprintf filename without free. +3. if asprintf return error,do not need to free the buffer. + +Signed-off-by: Yulong Zhang +Link: https://lore.kernel.org/r/20230117025147.69890-1-yulong.zhang@metoak.net +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + tools/iio/iio_utils.c | 23 ++++++----------------- + 1 file changed, 6 insertions(+), 17 deletions(-) + +diff --git a/tools/iio/iio_utils.c b/tools/iio/iio_utils.c +index d60a252577f0b..d174487b2f226 100644 +--- a/tools/iio/iio_utils.c ++++ b/tools/iio/iio_utils.c +@@ -265,6 +265,7 @@ int iioutils_get_param_float(float *output, const char *param_name, + if (fscanf(sysfsfp, "%f", output) != 1) + ret = errno ? 
-errno : -ENODATA; + ++ fclose(sysfsfp); + break; + } + error_free_filename: +@@ -345,9 +346,9 @@ int build_channel_array(const char *device_dir, + } + + sysfsfp = fopen(filename, "r"); ++ free(filename); + if (!sysfsfp) { + ret = -errno; +- free(filename); + goto error_close_dir; + } + +@@ -357,7 +358,6 @@ int build_channel_array(const char *device_dir, + if (fclose(sysfsfp)) + perror("build_channel_array(): Failed to close file"); + +- free(filename); + goto error_close_dir; + } + if (ret == 1) +@@ -365,11 +365,9 @@ int build_channel_array(const char *device_dir, + + if (fclose(sysfsfp)) { + ret = -errno; +- free(filename); + goto error_close_dir; + } + +- free(filename); + } + + *ci_array = malloc(sizeof(**ci_array) * (*counter)); +@@ -395,9 +393,9 @@ int build_channel_array(const char *device_dir, + } + + sysfsfp = fopen(filename, "r"); ++ free(filename); + if (!sysfsfp) { + ret = -errno; +- free(filename); + count--; + goto error_cleanup_array; + } +@@ -405,20 +403,17 @@ int build_channel_array(const char *device_dir, + errno = 0; + if (fscanf(sysfsfp, "%i", ¤t_enabled) != 1) { + ret = errno ? 
-errno : -ENODATA; +- free(filename); + count--; + goto error_cleanup_array; + } + + if (fclose(sysfsfp)) { + ret = -errno; +- free(filename); + count--; + goto error_cleanup_array; + } + + if (!current_enabled) { +- free(filename); + count--; + continue; + } +@@ -429,7 +424,6 @@ int build_channel_array(const char *device_dir, + strlen(ent->d_name) - + strlen("_en")); + if (!current->name) { +- free(filename); + ret = -ENOMEM; + count--; + goto error_cleanup_array; +@@ -439,7 +433,6 @@ int build_channel_array(const char *device_dir, + ret = iioutils_break_up_name(current->name, + ¤t->generic_name); + if (ret) { +- free(filename); + free(current->name); + count--; + goto error_cleanup_array; +@@ -450,17 +443,16 @@ int build_channel_array(const char *device_dir, + scan_el_dir, + current->name); + if (ret < 0) { +- free(filename); + ret = -ENOMEM; + goto error_cleanup_array; + } + + sysfsfp = fopen(filename, "r"); ++ free(filename); + if (!sysfsfp) { + ret = -errno; +- fprintf(stderr, "failed to open %s\n", +- filename); +- free(filename); ++ fprintf(stderr, "failed to open %s/%s_index\n", ++ scan_el_dir, current->name); + goto error_cleanup_array; + } + +@@ -470,17 +462,14 @@ int build_channel_array(const char *device_dir, + if (fclose(sysfsfp)) + perror("build_channel_array(): Failed to close file"); + +- free(filename); + goto error_cleanup_array; + } + + if (fclose(sysfsfp)) { + ret = -errno; +- free(filename); + goto error_cleanup_array; + } + +- free(filename); + /* Find the scale */ + ret = iioutils_get_param_float(¤t->scale, + "scale", +-- +2.39.2 + diff --git a/queue-4.14/tracing-add-null-checks-for-buffer-in-ring_buffer_fr.patch b/queue-4.14/tracing-add-null-checks-for-buffer-in-ring_buffer_fr.patch new file mode 100644 index 00000000000..ace23db0183 --- /dev/null +++ b/queue-4.14/tracing-add-null-checks-for-buffer-in-ring_buffer_fr.patch 
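Review bot: The `fclose(sysfsfp);` added in iioutils_get_param_float() at the first hunk ignores the return value, whereas every other close visible further down this file is written `if (fclose(sysfsfp)) perror(...)` or turned into `ret = -errno`; the new line should follow the same convention, e.g. `if (fclose(sysfsfp)) perror("iioutils_get_param_float(): Failed to close file");`. Freeing `filename` right after fopen() is fine, and the rebuilt `"failed to open %s/%s_index\n"` message correctly avoids the freed buffer, but it assumes that is exactly how `filename` was composed, which is outside the hunk. iioutils_get_param_float() and build_channel_array() both start outside the hunk.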
@@ -0,0 +1,62 @@ +From 34129a7b232f18f5aeb5d52f43091e641aa06421 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jan 2023 20:55:01 +0800 +Subject: tracing: Add NULL checks for buffer in ring_buffer_free_read_page() + +From: Jia-Ju Bai + +[ Upstream commit 3e4272b9954094907f16861199728f14002fcaf6 ] + +In a previous commit 7433632c9ff6, buffer, buffer->buffers and +buffer->buffers[cpu] in ring_buffer_wake_waiters() can be NULL, +and thus the related checks are added. + +However, in the same call stack, these variables are also used in +ring_buffer_free_read_page(): + +tracing_buffers_release() + ring_buffer_wake_waiters(iter->array_buffer->buffer) + cpu_buffer = buffer->buffers[cpu] -> Add checks by previous commit + ring_buffer_free_read_page(iter->array_buffer->buffer) + cpu_buffer = buffer->buffers[cpu] -> No check + +Thus, to avod possible null-pointer derefernces, the related checks +should be added. + +These results are reported by a static tool designed by myself. + +Link: https://lkml.kernel.org/r/20230113125501.760324-1-baijiaju1990@gmail.com + +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 999dae39f12e5..a7808f8b6f56a 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -4554,11 +4554,16 @@ EXPORT_SYMBOL_GPL(ring_buffer_alloc_read_page); + */ + void ring_buffer_free_read_page(struct ring_buffer *buffer, int cpu, void *data) + { +- struct ring_buffer_per_cpu *cpu_buffer = buffer->buffers[cpu]; ++ struct ring_buffer_per_cpu *cpu_buffer; + struct buffer_data_page *bpage = data; + struct page *page = virt_to_page(bpage); + unsigned long flags; + ++ if (!buffer || !buffer->buffers || !buffer->buffers[cpu]) ++ return; ++ ++ cpu_buffer = buffer->buffers[cpu]; ++ + /* If the page is 
still in use someplace else, we can't reuse it */ + if (page_ref_count(page) > 1) + goto out; +-- +2.39.2 + diff --git a/queue-4.14/tty-fix-out-of-bounds-access-in-tty_driver_lookup_tt.patch b/queue-4.14/tty-fix-out-of-bounds-access-in-tty_driver_lookup_tt.patch new file mode 100644 index 00000000000..f99ca8c996b --- /dev/null +++ b/queue-4.14/tty-fix-out-of-bounds-access-in-tty_driver_lookup_tt.patch 
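Review bot: The new early `return` silently drops `data`: ring_buffer_free_read_page() is the routine that releases the read page, so on this path the page behind `bpage` is neither freed nor handed back, which is a leak unless callers already cope with it (not visible here). At minimum the guard deserves a comment stating the trade-off, e.g. `/* buffer already torn down: no cpu_buffer to recycle into; page is deliberately left unreleased */`, or the page should be released directly when no cpu_buffer exists — which is right depends on who else may still reference it. `page = virt_to_page(bpage)` is still evaluated in the declarations before the checks; harmless, but moving it after the guard would read more naturally. ring_buffer_free_read_page() ends outside the hunk.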
@@ -0,0 +1,75 @@ +From 4a25138a16274a50bb9f7d0ed68821dfdd653d7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 12:27:36 +0100 +Subject: tty: fix out-of-bounds access in tty_driver_lookup_tty() + +From: Sven Schnelle + +[ Upstream commit db4df8e9d79e7d37732c1a1b560958e8dadfefa1 ] + +When specifying an invalid console= device like console=tty3270, +tty_driver_lookup_tty() returns the tty struct without checking +whether index is a valid number. + +To reproduce: + +qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \ +-kernel ../linux-build-x86/arch/x86/boot/bzImage \ +-append "console=ttyS0 console=tty3270" + +This crashes with: + +[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef +[ 0.771265] #PF: supervisor read access in kernel mode +[ 0.771773] #PF: error_code(0x0000) - not-present page +[ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI +[ 0.774878] RIP: 0010:tty_open+0x268/0x6f0 +[ 0.784013] chrdev_open+0xbd/0x230 +[ 0.784444] ? cdev_device_add+0x80/0x80 +[ 0.784920] do_dentry_open+0x1e0/0x410 +[ 0.785389] path_openat+0xca9/0x1050 +[ 0.785813] do_filp_open+0xaa/0x150 +[ 0.786240] file_open_name+0x133/0x1b0 +[ 0.786746] filp_open+0x27/0x50 +[ 0.787244] console_on_rootfs+0x14/0x4d +[ 0.787800] kernel_init_freeable+0x1e4/0x20d +[ 0.788383] ? 
rest_init+0xc0/0xc0 +[ 0.788881] kernel_init+0x11/0x120 +[ 0.789356] ret_from_fork+0x22/0x30 + +Signed-off-by: Sven Schnelle +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/20221209112737.3222509-2-svens@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/tty_io.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 463f35273365b..8cbd6fa6351f8 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1154,14 +1154,16 @@ static struct tty_struct *tty_driver_lookup_tty(struct tty_driver *driver, + { + struct tty_struct *tty; + +- if (driver->ops->lookup) ++ if (driver->ops->lookup) { + if (!file) + tty = ERR_PTR(-EIO); + else + tty = driver->ops->lookup(driver, file, idx); +- else ++ } else { ++ if (idx >= driver->num) ++ return ERR_PTR(-EINVAL); + tty = driver->ttys[idx]; +- ++ } + if (!IS_ERR(tty)) + tty_kref_get(tty); + return tty; +-- +2.39.2 + diff --git a/queue-4.14/tty-serial-fsl_lpuart-disable-the-cts-when-send-brea.patch b/queue-4.14/tty-serial-fsl_lpuart-disable-the-cts-when-send-brea.patch new file mode 100644 index 00000000000..0f10f7e77d1 --- /dev/null +++ b/queue-4.14/tty-serial-fsl_lpuart-disable-the-cts-when-send-brea.patch 
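Review bot: `if (idx >= driver->num)` only rejects indices that are too large; if `idx` is a signed `int` (its declaration is outside the hunk), a negative index still passes and `driver->ttys[idx]` reads before the array. The guard should be `if (idx < 0 || idx >= driver->num)` or compare after converting both sides to `unsigned int`. The `ops->lookup` branch is left to the driver's own bounds handling, which is reasonable but worth a one-line comment, e.g. `/* drivers with ->lookup() validate idx themselves */`. tty_driver_lookup_tty()'s signature is outside the hunk.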
@@ -0,0 +1,76 @@ +From 7aace7e6918c177b7397e3d7f59395c8865bf715 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Dec 2022 11:11:35 +0800 +Subject: tty: serial: fsl_lpuart: disable the CTS when send break signal + +From: Sherry Sun + +[ Upstream commit c4c81db5cf8bc53d6160c3abf26d382c841aa434 ] + +LPUART IP has a bug that it treats the CTS as higher priority than the +break signal, which cause the break signal sending through UARTCTRL_SBK +may impacted by the CTS input if the HW flow control is enabled. + +Add this workaround patch to fix the IP bug, we can disable CTS before +asserting SBK to avoid any interference from CTS, and re-enable it when +break off. + +Such as for the bluetooth chip power save feature, host can let the BT +chip get into sleep state by sending a UART break signal, and wake it up +by turning off the UART break. If the BT chip enters the sleep mode +successfully, it will pull up the CTS line, if the BT chip is woken up, +it will pull down the CTS line. If without this workaround patch, the +UART TX pin cannot send the break signal successfully as it affected by +the BT CTS pin. After adding this patch, the BT power save feature can +work well. 
+ +Signed-off-by: Sherry Sun +Link: https://lore.kernel.org/r/20221214031137.28815-2-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/fsl_lpuart.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index cbbdb94592ce7..20dd476e4d1a1 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1199,12 +1199,32 @@ static void lpuart_break_ctl(struct uart_port *port, int break_state) + + static void lpuart32_break_ctl(struct uart_port *port, int break_state) + { +- unsigned long temp; ++ unsigned long temp, modem; ++ struct tty_struct *tty; ++ unsigned int cflag = 0; ++ ++ tty = tty_port_tty_get(&port->state->port); ++ if (tty) { ++ cflag = tty->termios.c_cflag; ++ tty_kref_put(tty); ++ } + + temp = lpuart32_read(port, UARTCTRL) & ~UARTCTRL_SBK; ++ modem = lpuart32_read(port, UARTMODIR); + +- if (break_state != 0) ++ if (break_state != 0) { + temp |= UARTCTRL_SBK; ++ /* ++ * LPUART CTS has higher priority than SBK, need to disable CTS before ++ * asserting SBK to avoid any interference if flow control is enabled. ++ */ ++ if (cflag & CRTSCTS && modem & UARTMODIR_TXCTSE) ++ lpuart32_write(port, modem & ~UARTMODIR_TXCTSE, UARTMODIR); ++ } else { ++ /* Re-enable the CTS when break off. */ ++ if (cflag & CRTSCTS && !(modem & UARTMODIR_TXCTSE)) ++ lpuart32_write(port, modem | UARTMODIR_TXCTSE, UARTMODIR); ++ } + + lpuart32_write(port, temp, UARTCTRL); + } +-- +2.39.2 + diff --git a/queue-4.14/ubi-ensure-that-vid-header-offset-vid-header-size-al.patch b/queue-4.14/ubi-ensure-that-vid-header-offset-vid-header-size-al.patch new file mode 100644 index 00000000000..63a360f5edf --- /dev/null +++ b/queue-4.14/ubi-ensure-that-vid-header-offset-vid-header-size-al.patch 
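Review bot: `cflag & CRTSCTS && modem & UARTMODIR_TXCTSE` (and the mirror condition in the `else` branch) relies on `&` binding tighter than `&&`; that is correct, but both the reader and -Wparentheses are better served by `if ((cflag & CRTSCTS) && (modem & UARTMODIR_TXCTSE))`. The break-off branch re-enables TXCTSE whenever CRTSCTS is set and the bit is clear, so it assumes nothing else legitimately clears TXCTSE while flow control is on; a comment stating that assumption next to `/* Re-enable the CTS when break off. */` would help. Reading `tty->termios.c_cflag` here without the termios lock is presumably fine for a snapshot, but confirm against how the other termios readers in this driver do it. lpuart32_break_ctl() is fully inside the hunk; lpuart_break_ctl() above it is not.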
@@ -0,0 +1,131 @@ +From d45cfaf8cff3649cc6cfa4ed240335fdb5eb507c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 10:14:44 -0500 +Subject: ubi: ensure that VID header offset + VID header size <= alloc, size + +From: George Kennedy + +[ Upstream commit 1b42b1a36fc946f0d7088425b90d491b4257ca3e ] + +Ensure that the VID header offset + VID header size does not exceed +the allocated area to avoid slab OOB. + +BUG: KASAN: slab-out-of-bounds in crc32_body lib/crc32.c:111 [inline] +BUG: KASAN: slab-out-of-bounds in crc32_le_generic lib/crc32.c:179 [inline] +BUG: KASAN: slab-out-of-bounds in crc32_le_base+0x58c/0x626 lib/crc32.c:197 +Read of size 4 at addr ffff88802bb36f00 by task syz-executor136/1555 + +CPU: 2 PID: 1555 Comm: syz-executor136 Tainted: G W +6.0.0-1868 #1 +Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29 +04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x85/0xad lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:317 [inline] + print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433 + kasan_report+0xa7/0x11b mm/kasan/report.c:495 + crc32_body lib/crc32.c:111 [inline] + crc32_le_generic lib/crc32.c:179 [inline] + crc32_le_base+0x58c/0x626 lib/crc32.c:197 + ubi_io_write_vid_hdr+0x1b7/0x472 drivers/mtd/ubi/io.c:1067 + create_vtbl+0x4d5/0x9c4 drivers/mtd/ubi/vtbl.c:317 + create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline] + ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812 + ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601 + ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965 + ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0x0 +RIP: 
0033:0x7f96d5cf753d +Code: +RSP: 002b:00007fffd72206f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96d5cf753d +RDX: 0000000020000080 RSI: 0000000040186f40 RDI: 0000000000000003 +RBP: 0000000000400cd0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400be0 +R13: 00007fffd72207e0 R14: 0000000000000000 R15: 0000000000000000 + + +Allocated by task 1555: + kasan_save_stack+0x20/0x3d mm/kasan/common.c:38 + kasan_set_track mm/kasan/common.c:45 [inline] + set_alloc_info mm/kasan/common.c:437 [inline] + ____kasan_kmalloc mm/kasan/common.c:516 [inline] + __kasan_kmalloc+0x88/0xa3 mm/kasan/common.c:525 + kasan_kmalloc include/linux/kasan.h:234 [inline] + __kmalloc+0x138/0x257 mm/slub.c:4429 + kmalloc include/linux/slab.h:605 [inline] + ubi_alloc_vid_buf drivers/mtd/ubi/ubi.h:1093 [inline] + create_vtbl+0xcc/0x9c4 drivers/mtd/ubi/vtbl.c:295 + create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline] + ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812 + ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601 + ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965 + ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0x0 + +The buggy address belongs to the object at ffff88802bb36e00 + which belongs to the cache kmalloc-256 of size 256 +The buggy address is located 0 bytes to the right of + 256-byte region [ffff88802bb36e00, ffff88802bb36f00) + +The buggy address belongs to the physical page: +page:00000000ea4d1263 refcount:1 mapcount:0 mapping:0000000000000000 +index:0x0 pfn:0x2bb36 +head:00000000ea4d1263 order:1 compound_mapcount:0 compound_pincount:0 
+flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) +raw: 000fffffc0010200 ffffea000066c300 dead000000000003 ffff888100042b40 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88802bb36e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88802bb36e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff88802bb36f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88802bb36f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88802bb37000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Fixes: 801c135ce73d ("UBI: Unsorted Block Images") +Reported-by: syzkaller +Signed-off-by: George Kennedy +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/ubi/build.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c +index 933c4de39dcea..211fa2770a4eb 100644 +--- a/drivers/mtd/ubi/build.c ++++ b/drivers/mtd/ubi/build.c +@@ -647,6 +647,12 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024) + ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size); + ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size); + ++ if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) > ++ ubi->vid_hdr_alsize)) { ++ ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset); ++ return -EINVAL; ++ } ++ + dbg_gen("min_io_size %d", ubi->min_io_size); + dbg_gen("max_write_size %d", ubi->max_write_size); + dbg_gen("hdrs_min_io_size %d", ubi->hdrs_min_io_size); +-- +2.39.2 + diff --git a/queue-4.14/ubi-fix-possible-null-ptr-deref-in-ubi_free_volume.patch b/queue-4.14/ubi-fix-possible-null-ptr-deref-in-ubi_free_volume.patch new file mode 100644 index 00000000000..9a27b7a4265 --- /dev/null 
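Review bot: The new check is skipped entirely when `ubi->vid_hdr_offset` is zero and the hunk does not say why; a comment such as `/* 0 means "use the default offset", which is computed below */` would document the intent (inferred from the `&&` guard, not visible here). The KASAN trace in the message shows the value reaching io_init() through the attach ioctl, so it is user-controlled; if `vid_hdr_offset` is signed, a negative value also passes this test because the sum stays small, so either confirm it is rejected earlier or extend the guard with `ubi->vid_hdr_offset < 0 ||`. io_init() starts and ends outside the hunk.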
+++ b/queue-4.14/ubi-fix-possible-null-ptr-deref-in-ubi_free_volume.patch 
@@ -0,0 +1,89 @@ +From 2cf225ea5778e0367bff740eaf3fea4e0ea55a95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 18:26:24 +0800 +Subject: ubi: Fix possible null-ptr-deref in ubi_free_volume() + +From: Yang Yingliang + +[ Upstream commit c15859bfd326c10230f09cb48a17f8a35f190342 ] + +It willl cause null-ptr-deref in the following case: + +uif_init() + ubi_add_volume() + cdev_add() -> if it fails, call kill_volumes() + device_register() + +kill_volumes() -> if ubi_add_volume() fails call this function + ubi_free_volume() + cdev_del() + device_unregister() -> trying to delete a not added device, + it causes null-ptr-deref + +So in ubi_free_volume(), it delete devices whether they are added +or not, it will causes null-ptr-deref. + +Handle the error case whlie calling ubi_add_volume() to fix this +problem. If add volume fails, set the corresponding vol to null, +so it can not be accessed in kill_volumes() and release the +resource in ubi_add_volume() error path. + +Fixes: 801c135ce73d ("UBI: Unsorted Block Images") +Suggested-by: Zhihao Cheng +Signed-off-by: Yang Yingliang +Reviewed-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/ubi/build.c | 1 + + drivers/mtd/ubi/vmt.c | 12 ++++++------ + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c +index 211fa2770a4eb..c6765210a6fc8 100644 +--- a/drivers/mtd/ubi/build.c ++++ b/drivers/mtd/ubi/build.c +@@ -480,6 +480,7 @@ static int uif_init(struct ubi_device *ubi) + err = ubi_add_volume(ubi, ubi->volumes[i]); + if (err) { + ubi_err(ubi, "cannot add volume %d", i); ++ ubi->volumes[i] = NULL; + goto out_volumes; + } + } +diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c +index 26dcffb624e87..8815673e2e57d 100644 +--- a/drivers/mtd/ubi/vmt.c ++++ b/drivers/mtd/ubi/vmt.c +@@ -588,6 +588,7 @@ int ubi_add_volume(struct ubi_device *ubi, struct ubi_volume *vol) + if (err) { + ubi_err(ubi, 
"cannot add character device for volume %d, error %d", + vol_id, err); ++ vol_release(&vol->dev); + return err; + } + +@@ -598,15 +599,14 @@ int ubi_add_volume(struct ubi_device *ubi, struct ubi_volume *vol) + vol->dev.groups = volume_dev_groups; + dev_set_name(&vol->dev, "%s_%d", ubi->ubi_name, vol->vol_id); + err = device_register(&vol->dev); +- if (err) +- goto out_cdev; ++ if (err) { ++ cdev_del(&vol->cdev); ++ put_device(&vol->dev); ++ return err; ++ } + + self_check_volumes(ubi); + return err; +- +-out_cdev: +- cdev_del(&vol->cdev); +- return err; + } + + /** +-- +2.39.2 + diff --git a/queue-4.14/ubi-fix-uaf-wear-leveling-entry-in-eraseblk_count_se.patch b/queue-4.14/ubi-fix-uaf-wear-leveling-entry-in-eraseblk_count_se.patch new file mode 100644 index 00000000000..6a71196beca --- /dev/null +++ b/queue-4.14/ubi-fix-uaf-wear-leveling-entry-in-eraseblk_count_se.patch 
@@ -0,0 +1,76 @@ +From 5f3b2edbf693c99d5e5759ef680dc3e0a22e23bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Jul 2022 19:28:37 +0800 +Subject: ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() + +From: Zhihao Cheng + +[ Upstream commit a240bc5c43130c6aa50831d7caaa02a1d84e1bce ] + +Wear-leveling entry could be freed in error path, which may be accessed +again in eraseblk_count_seq_show(), for example: + +__erase_worker eraseblk_count_seq_show + wl = ubi->lookuptbl[*block_number] + if (wl) + wl_entry_destroy + ubi->lookuptbl[e->pnum] = NULL + kmem_cache_free(ubi_wl_entry_slab, e) + erase_count = wl->ec // UAF! + +Wear-leveling entry updating/accessing in ubi->lookuptbl should be +protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize +wl entry accessing between wl_entry_destroy() and +eraseblk_count_seq_show(). + +Fetch a reproducer in [Link]. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216305 +Fixes: 7bccd12d27b7e3 ("ubi: Add debugfs file for tracking PEB state") +Fixes: 801c135ce73d5d ("UBI: Unsorted Block Images") +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/ubi/wl.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c +index 545a92eb8f569..e267e0519d94a 100644 +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -878,8 +878,11 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, + + err = do_sync_erase(ubi, e1, vol_id, lnum, 0); + if (err) { +- if (e2) ++ if (e2) { ++ spin_lock(&ubi->wl_lock); + wl_entry_destroy(ubi, e2); ++ spin_unlock(&ubi->wl_lock); ++ } + goto out_ro; + } + +@@ -1103,14 +1106,18 @@ static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk) + /* Re-schedule the LEB for erasure */ + err1 = schedule_erase(ubi, e, vol_id, lnum, 0, false); + if (err1) { ++ spin_lock(&ubi->wl_lock); + wl_entry_destroy(ubi, e); ++ 
spin_unlock(&ubi->wl_lock); + err = err1; + goto out_ro; + } + return err; + } + ++ spin_lock(&ubi->wl_lock); + wl_entry_destroy(ubi, e); ++ spin_unlock(&ubi->wl_lock); + if (err != -EIO) + /* + * If this is not %-EIO, we have no idea what to do. Scheduling +-- +2.39.2 + diff --git a/queue-4.14/ubi-fix-unreferenced-object-reported-by-kmemleak-in-.patch b/queue-4.14/ubi-fix-unreferenced-object-reported-by-kmemleak-in-.patch new file mode 100644 index 00000000000..36d3875dc51 --- /dev/null +++ b/queue-4.14/ubi-fix-unreferenced-object-reported-by-kmemleak-in-.patch 
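Review bot: The new lock/unlock pairs in wear_leveling_worker() and __erase_worker() encode a locking rule for wl_entry_destroy() that the function itself (outside the hunk) does not state, so a future caller can reintroduce the race. I'd put the invariant at the destroy site rather than at each caller: a comment such as `/* Must be called with ubi->wl_lock held: clears ubi->lookuptbl[], which eraseblk_count_seq_show() reads under the same lock */` on wl_entry_destroy(), backed by `lockdep_assert_held(&ubi->wl_lock);` as its first statement. The remaining pair at out_error in wear_leveling_worker() is moved under the lock by a later patch in this series, after which every caller would satisfy that assertion.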
@@ -0,0 +1,59 @@ +From 3644bd58f73294993aa95982d04c187810350e64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Oct 2022 18:21:57 +0800 +Subject: ubi: Fix unreferenced object reported by kmemleak in + ubi_resize_volume() + +From: Li Zetao + +[ Upstream commit 1e591ea072df7211f64542a09482b5f81cb3ad27 ] + +There is a memory leaks problem reported by kmemleak: + +unreferenced object 0xffff888102007a00 (size 128): + comm "ubirsvol", pid 32090, jiffies 4298464136 (age 2361.231s) + hex dump (first 32 bytes): +ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................ +ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................ + backtrace: +[] __kmalloc+0x4d/0x150 +[] ubi_eba_create_table+0x76/0x170 [ubi] +[] ubi_resize_volume+0x1be/0xbc0 [ubi] +[] ubi_cdev_ioctl+0x701/0x1850 [ubi] +[] __x64_sys_ioctl+0x11d/0x170 +[] do_syscall_64+0x35/0x80 +[] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +This is due to a mismatch between create and destroy interfaces, and +in detail that "new_eba_tbl" created by ubi_eba_create_table() but +destroyed by kfree(), while will causing "new_eba_tbl->entries" not +freed. + +Fix it by replacing kfree(new_eba_tbl) with +ubi_eba_destroy_table(new_eba_tbl) + +Fixes: 799dca34ac54 ("UBI: hide EBA internals") +Signed-off-by: Li Zetao +Reviewed-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/ubi/vmt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c +index bbf4b61733708..26dcffb624e87 100644 +--- a/drivers/mtd/ubi/vmt.c ++++ b/drivers/mtd/ubi/vmt.c +@@ -521,7 +521,7 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs) + return err; + + out_free: +- kfree(new_eba_tbl); ++ ubi_eba_destroy_table(new_eba_tbl); + return err; + } + +-- +2.39.2 + 
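Review bot: The switch to `ubi_eba_destroy_table(new_eba_tbl)` at out_free is only correct because out_free is reached before ubi_eba_replace_table() has installed the table; once installed, the table belongs to `vol` and must not be destroyed here (the preceding patch in this series makes the post-install failure path return directly). That invariant is not written down at the label, so I'd add `/* new_eba_tbl was never installed by ubi_eba_replace_table(): destroy it, entries included */` above the call. The body of ubi_resize_volume(), including any earlier `goto out_free`, is outside the hunk, so please confirm that no jump to out_free can occur after the replacement.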
diff --git a/queue-4.14/ubi-fix-use-after-free-when-volume-resizing-failed.patch b/queue-4.14/ubi-fix-use-after-free-when-volume-resizing-failed.patch new file mode 100644 index 00000000000..0c012819b3b --- /dev/null +++ b/queue-4.14/ubi-fix-use-after-free-when-volume-resizing-failed.patch 
@@ -0,0 +1,74 @@ +From 22a771d10bba3bff99e33bbed9134b5926042ca6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Oct 2022 18:21:56 +0800 +Subject: ubi: Fix use-after-free when volume resizing failed + +From: Li Zetao + +[ Upstream commit 9af31d6ec1a4be4caab2550096c6bd2ba8fba472 ] + +There is an use-after-free problem reported by KASAN: + ================================================================== + BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi] + Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735 + + CPU: 2 PID: 4735 Comm: ubirsvol + Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), + BIOS 1.14.0-1.fc33 04/01/2014 + Call Trace: + + dump_stack_lvl+0x34/0x44 + print_report+0x171/0x472 + kasan_report+0xad/0x130 + ubi_eba_copy_table+0x11f/0x1c0 [ubi] + ubi_resize_volume+0x4f9/0xbc0 [ubi] + ubi_cdev_ioctl+0x701/0x1850 [ubi] + __x64_sys_ioctl+0x11d/0x170 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + +When ubi_change_vtbl_record() returns an error in ubi_resize_volume(), +"new_eba_tbl" will be freed on error handing path, but it is holded +by "vol->eba_tbl" in ubi_eba_replace_table(). It means that the liftcycle +of "vol->eba_tbl" and "vol" are different, so when resizing volume in +next time, it causing an use-after-free fault. + +Fix it by not freeing "new_eba_tbl" after it replaced in +ubi_eba_replace_table(), while will be freed in next volume resizing. 
+ +Fixes: 801c135ce73d ("UBI: Unsorted Block Images") +Signed-off-by: Li Zetao +Reviewed-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/ubi/vmt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c +index d32144c0098a9..bbf4b61733708 100644 +--- a/drivers/mtd/ubi/vmt.c ++++ b/drivers/mtd/ubi/vmt.c +@@ -470,7 +470,7 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs) + for (i = 0; i < -pebs; i++) { + err = ubi_eba_unmap_leb(ubi, vol, reserved_pebs + i); + if (err) +- goto out_acc; ++ goto out_free; + } + spin_lock(&ubi->volumes_lock); + ubi->rsvd_pebs += pebs; +@@ -518,6 +518,8 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int reserved_pebs) + ubi->avail_pebs += pebs; + spin_unlock(&ubi->volumes_lock); + } ++ return err; ++ + out_free: + kfree(new_eba_tbl); + return err; +-- +2.39.2 + diff --git a/queue-4.14/ubi-ubi_wl_put_peb-fix-infinite-loop-when-wear-level.patch b/queue-4.14/ubi-ubi_wl_put_peb-fix-infinite-loop-when-wear-level.patch new file mode 100644 index 00000000000..c51076b7c6f --- /dev/null +++ b/queue-4.14/ubi-ubi_wl_put_peb-fix-infinite-loop-when-wear-level.patch 
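Review bot: After the `return err;` added before out_free, a failed ubi_change_vtbl_record() leaves `vol->eba_tbl` pointing at the table sized for `reserved_pebs` while the rollback at out_acc only restores `ubi->rsvd_pebs` and `ubi->avail_pebs`; if `vol->reserved_pebs` is updated only after the vtbl write succeeds (that code is outside the hunk), the in-memory table and the counter describing its length disagree on this path, and for a shrink the table is shorter than the counter claims. The commit message treats the retained table as something the next resize will free, so please confirm that every reader of `vol->eba_tbl` between the failed resize and that next resize is bounded by the new table's own size rather than by `vol->reserved_pebs`. If that is not the case, the rollback should either reinstall a table of the old size or update `vol->reserved_pebs` together with the replacement under `ubi->volumes_lock`. A comment at out_acc naming which of the two the code relies on would make this auditable.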
@@ -0,0 +1,90 @@ +From 26985970161c20dd0085f4c96ad40f3eb5394b66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 14:59:04 +0800 +Subject: ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed + +From: Zhihao Cheng + +[ Upstream commit 4d57a7333e26040f2b583983e1970d9d460e56b0 ] + +Following process will trigger an infinite loop in ubi_wl_put_peb(): + + ubifs_bgt ubi_bgt +ubifs_leb_unmap + ubi_leb_unmap + ubi_eba_unmap_leb + ubi_wl_put_peb wear_leveling_worker + e1 = rb_entry(rb_first(&ubi->used) + e2 = get_peb_for_wl(ubi) + ubi_io_read_vid_hdr // return err (flash fault) + out_error: + ubi->move_from = ubi->move_to = NULL + wl_entry_destroy(ubi, e1) + ubi->lookuptbl[e->pnum] = NULL + retry: + e = ubi->lookuptbl[pnum]; // return NULL + if (e == ubi->move_from) { // NULL == NULL gets true + goto retry; // infinite loop !!! + +$ top + PID USER PR NI VIRT RES SHR S %CPU %MEM COMMAND + 7676 root 20 0 0 0 0 R 100.0 0.0 ubifs_bgt0_0 + +Fix it by: + 1) Letting ubi_wl_put_peb() returns directly if wearl leveling entry has + been removed from 'ubi->lookuptbl'. + 2) Using 'ubi->wl_lock' protecting wl entry deletion to preventing an + use-after-free problem for wl entry in ubi_wl_put_peb(). + +Fetch a reproducer in [Link]. 
+ +Fixes: 43f9b25a9cdd7b1 ("UBI: bugfix: protect from volume removal") +Fixes: ee59ba8b064f692 ("UBI: Fix stale pointers in ubi->lookuptbl") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216111 +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/ubi/wl.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c +index e267e0519d94a..4411ce5d1c8fc 100644 +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -964,11 +964,11 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, + spin_lock(&ubi->wl_lock); + ubi->move_from = ubi->move_to = NULL; + ubi->move_to_put = ubi->wl_scheduled = 0; ++ wl_entry_destroy(ubi, e1); ++ wl_entry_destroy(ubi, e2); + spin_unlock(&ubi->wl_lock); + + ubi_free_vid_buf(vidb); +- wl_entry_destroy(ubi, e1); +- wl_entry_destroy(ubi, e2); + + out_ro: + ubi_ro_mode(ubi); +@@ -1233,6 +1233,18 @@ int ubi_wl_put_peb(struct ubi_device *ubi, int vol_id, int lnum, + retry: + spin_lock(&ubi->wl_lock); + e = ubi->lookuptbl[pnum]; ++ if (!e) { ++ /* ++ * This wl entry has been removed for some errors by other ++ * process (eg. wear leveling worker), corresponding process ++ * (except __erase_worker, which cannot concurrent with ++ * ubi_wl_put_peb) will set ubi ro_mode at the same time, ++ * just ignore this wl entry. ++ */ ++ spin_unlock(&ubi->wl_lock); ++ up_read(&ubi->fm_protect); ++ return 0; ++ } + if (e == ubi->move_from) { + /* + * User is putting the physical eraseblock which was selected to +-- +2.39.2 + diff --git a/queue-4.14/ubifs-dirty_cow_znode-fix-memleak-in-error-handling-.patch b/queue-4.14/ubifs-dirty_cow_znode-fix-memleak-in-error-handling-.patch new file mode 100644 index 00000000000..4319af177d0 --- /dev/null +++ b/queue-4.14/ubifs-dirty_cow_znode-fix-memleak-in-error-handling-.patch 
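Review bot: The new `if (!e)` early return in ubi_wl_put_peb() reports success for a PEB whose wear-leveling entry is already gone; the justification in the comment is sound but its wording (`cannot concurrent with`, `for some errors by other process`) is hard to follow for the next reader. I'd reword it along the lines of `/* The entry was destroyed by another path (e.g. the wear-leveling worker) after an error; that path switches the device to read-only, so there is nothing left to put. __erase_worker cannot run concurrently with ubi_wl_put_peb(). */`. The `up_read(&ubi->fm_protect)` in the new branch pairs with a down_read at the top of the function, which is outside the hunk, so the new exit should be checked against any other state acquired before the retry label.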
@@ -0,0 +1,58 @@ +From eb4fbeae21f34fb06ac6934a1111adfc79f4198c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 17:02:36 +0800 +Subject: ubifs: dirty_cow_znode: Fix memleak in error handling path + +From: Zhihao Cheng + +[ Upstream commit 122deabfe1428bffe95e2bf364ff8a5059bdf089 ] + +Following process will cause a memleak for copied up znode: + +dirty_cow_znode + zn = copy_znode(c, znode); + err = insert_old_idx(c, zbr->lnum, zbr->offs); + if (unlikely(err)) + return ERR_PTR(err); // No one refers to zn. + +Fix it by adding copied znode back to tnc, then it will be freed +by ubifs_destroy_tnc_subtree() while closing tnc. + +Fetch a reproducer in [Link]. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216705 +Fixes: 1e51764a3c2a ("UBIFS: add new flash file system") +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/tnc.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c +index 20b70e178c4fa..6c4af1cfce346 100644 +--- a/fs/ubifs/tnc.c ++++ b/fs/ubifs/tnc.c +@@ -279,11 +279,18 @@ static struct ubifs_znode *dirty_cow_znode(struct ubifs_info *c, + if (zbr->len) { + err = insert_old_idx(c, zbr->lnum, zbr->offs); + if (unlikely(err)) +- return ERR_PTR(err); ++ /* ++ * Obsolete znodes will be freed by tnc_destroy_cnext() ++ * or free_obsolete_znodes(), copied up znodes should ++ * be added back to tnc and freed by ++ * ubifs_destroy_tnc_subtree(). ++ */ ++ goto out; + err = add_idx_dirt(c, zbr->lnum, zbr->len); + } else + err = 0; + ++out: + zbr->znode = zn; + zbr->lnum = 0; + zbr->offs = 0; +-- +2.39.2 + diff --git a/queue-4.14/ubifs-fix-wrong-dirty-space-budget-for-dirty-inode.patch b/queue-4.14/ubifs-fix-wrong-dirty-space-budget-for-dirty-inode.patch new file mode 100644 index 00000000000..34778ea05e9 --- /dev/null +++ b/queue-4.14/ubifs-fix-wrong-dirty-space-budget-for-dirty-inode.patch 
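Review bot: In the dirty_cow_znode() hunk the six-line comment sits between `if (unlikely(err))` and its unbraced `goto out;`, the shape kernel style avoids because a reader or a later edit can lose track of which statement the `if` controls. I'd move the comment above the `if`, or brace the body as `if (unlikely(err)) { goto out; }` with the explanation placed above it. The `out:` label is now reached from the insert_old_idx() failure as well as the add_idx_dirt() and `else` paths, so a short comment there such as `/* Attach zn to zbr even on error so it is freed with the tnc */` would record why attaching happens regardless of err. The function's remainder is outside the hunk, so confirm that the error return after the label still propagates err.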
@@ -0,0 +1,37 @@ +From ecefe882a93d0f48ba0010de95f24ec916090616 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Oct 2022 11:47:30 +0800 +Subject: ubifs: Fix wrong dirty space budget for dirty inode + +From: Zhihao Cheng + +[ Upstream commit b248eaf049d9cdc5eb76b59399e4d3de233f02ac ] + +Each dirty inode should reserve 'c->bi.inode_budget' bytes in space +budget calculation. Currently, space budget for dirty inode reports +more space than what UBIFS actually needs to write. + +Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system") +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/budget.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ubifs/budget.c b/fs/ubifs/budget.c +index 11a11b32a2a90..e6b5d61a4e203 100644 +--- a/fs/ubifs/budget.c ++++ b/fs/ubifs/budget.c +@@ -415,7 +415,7 @@ static int calc_dd_growth(const struct ubifs_info *c, + dd_growth = req->dirtied_page ? c->bi.page_budget : 0; + + if (req->dirtied_ino) +- dd_growth += c->bi.inode_budget << (req->dirtied_ino - 1); ++ dd_growth += c->bi.inode_budget * req->dirtied_ino; + if (req->mod_dent) + dd_growth += c->bi.dent_budget; + dd_growth += req->dirtied_ino_d; +-- +2.39.2 + diff --git a/queue-4.14/ubifs-re-statistic-cleaned-znode-count-if-commit-fai.patch b/queue-4.14/ubifs-re-statistic-cleaned-znode-count-if-commit-fai.patch new file mode 100644 index 00000000000..dd5da402bca --- /dev/null +++ b/queue-4.14/ubifs-re-statistic-cleaned-znode-count-if-commit-fai.patch 
@@ -0,0 +1,86 @@ +From c0284fa3b6644ac5c0ea5e183bceceabbe3fc86b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 17:02:35 +0800 +Subject: ubifs: Re-statistic cleaned znode count if commit failed + +From: Zhihao Cheng + +[ Upstream commit 944e096aa24071d3fe22822f6249d3ae309e39ea ] + +Dirty znodes will be written on flash in committing process with +following states: + + process A | znode state +------------------------------------------------------ +do_commit | DIRTY_ZNODE + ubifs_tnc_start_commit | DIRTY_ZNODE + get_znodes_to_commit | DIRTY_ZNODE | COW_ZNODE + layout_commit | DIRTY_ZNODE | COW_ZNODE + fill_gap | 0 + write master | 0 or OBSOLETE_ZNODE + + process B | znode state +------------------------------------------------------ +do_commit | DIRTY_ZNODE[1] + ubifs_tnc_start_commit | DIRTY_ZNODE + get_znodes_to_commit | DIRTY_ZNODE | COW_ZNODE + ubifs_tnc_end_commit | DIRTY_ZNODE | COW_ZNODE + write_index | 0 + write master | 0 or OBSOLETE_ZNODE[2] or + | DIRTY_ZNODE[3] + +[1] znode is dirtied without concurrent committing process +[2] znode is copied up (re-dirtied by other process) before cleaned + up in committing process +[3] znode is re-dirtied after cleaned up in committing process + +Currently, the clean znode count is updated in free_obsolete_znodes(), +which is called only in normal path. If do_commit failed, clean znode +count won't be updated, which triggers a failure ubifs assertion[4] in +ubifs_tnc_close(): + ubifs_assert_failed [ubifs]: UBIFS assert failed: freed == n + +[4] Commit 380347e9ca7682 ("UBIFS: Add an assertion for clean_zn_cnt"). + +Fix it by re-statisticing cleaned znode count in tnc_destroy_cnext(). + +Fetch a reproducer in [Link]. 
+ +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216704 +Fixes: 1e51764a3c2a ("UBIFS: add new flash file system") +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/tnc.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c +index c7828db206bc0..20b70e178c4fa 100644 +--- a/fs/ubifs/tnc.c ++++ b/fs/ubifs/tnc.c +@@ -3044,6 +3044,21 @@ static void tnc_destroy_cnext(struct ubifs_info *c) + cnext = cnext->cnext; + if (ubifs_zn_obsolete(znode)) + kfree(znode); ++ else if (!ubifs_zn_cow(znode)) { ++ /* ++ * Don't forget to update clean znode count after ++ * committing failed, because ubifs will check this ++ * count while closing tnc. Non-obsolete znode could ++ * be re-dirtied during committing process, so dirty ++ * flag is untrustable. The flag 'COW_ZNODE' is set ++ * for each dirty znode before committing, and it is ++ * cleared as long as the znode become clean, so we ++ * can statistic clean znode count according to this ++ * flag. ++ */ ++ atomic_long_inc(&c->clean_zn_cnt); ++ atomic_long_inc(&ubifs_clean_zn_cnt); ++ } + } while (cnext && cnext != c->cnext); + } + +-- +2.39.2 + diff --git a/queue-4.14/ubifs-rectify-space-budget-for-ubifs_xrename.patch b/queue-4.14/ubifs-rectify-space-budget-for-ubifs_xrename.patch new file mode 100644 index 00000000000..5a8a9032302 --- /dev/null +++ b/queue-4.14/ubifs-rectify-space-budget-for-ubifs_xrename.patch 
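Review bot: The new `else if (!ubifs_zn_cow(znode)) { ... }` branch in tnc_destroy_cnext() is braced while the preceding `if (ubifs_zn_obsolete(znode)) kfree(znode);` is not; kernel style braces both branches when either one needs braces, so the `if` should become `if (ubifs_zn_obsolete(znode)) { kfree(znode); }`. The comment's `we can statistic clean znode count according to this flag` reads awkwardly; `so the clean znode count can be recomputed from this flag` says the same thing. The do/while loop and its cnext traversal start outside the hunk.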
@@ -0,0 +1,51 @@ +From 3d02f84d30aedd1cddacb90b45b8e6749f1e1434 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Oct 2022 11:47:28 +0800 +Subject: ubifs: Rectify space budget for ubifs_xrename() + +From: Zhihao Cheng + +[ Upstream commit 1b2ba09060e41adb356b9ae58ef94a7390928004 ] + +There is no space budget for ubifs_xrename(). It may let +make_reservation() return with -ENOSPC, which could turn +ubifs to read-only mode in do_writepage() process. +Fix it by adding space budget for ubifs_xrename(). + +Fetch a reproducer in [Link]. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216569 +Fixes: 9ec64962afb170 ("ubifs: Implement RENAME_EXCHANGE") +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/dir.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c +index 299611052bbf0..99e3692264aea 100644 +--- a/fs/ubifs/dir.c ++++ b/fs/ubifs/dir.c +@@ -1605,6 +1605,10 @@ static int ubifs_xrename(struct inode *old_dir, struct dentry *old_dentry, + return err; + } + ++ err = ubifs_budget_space(c, &req); ++ if (err) ++ goto out; ++ + lock_4_inodes(old_dir, new_dir, NULL, NULL); + + time = current_time(old_dir); +@@ -1630,6 +1634,7 @@ static int ubifs_xrename(struct inode *old_dir, struct dentry *old_dentry, + unlock_4_inodes(old_dir, new_dir, NULL, NULL); + ubifs_release_budget(c, &req); + ++out: + fscrypt_free_filename(&fst_nm); + fscrypt_free_filename(&snd_nm); + return err; +-- +2.39.2 + diff --git a/queue-4.14/ubifs-reserve-one-leb-for-each-journal-head-while-do.patch b/queue-4.14/ubifs-reserve-one-leb-for-each-journal-head-while-do.patch new file mode 100644 index 00000000000..1fe78d7d53c --- /dev/null +++ b/queue-4.14/ubifs-reserve-one-leb-for-each-journal-head-while-do.patch 
@@ -0,0 +1,65 @@ +From 30227dc0ce30bf65f136fe1277ad081cc2e1dd34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Oct 2022 11:47:32 +0800 +Subject: ubifs: Reserve one leb for each journal head while doing budget + +From: Zhihao Cheng + +[ Upstream commit e874dcde1cbf82c786c0e7f2899811c02630cc52 ] + +UBIFS calculates available space by c->main_bytes - c->lst.total_used +(which means non-index lebs' free and dirty space is accounted into +total available), then index lebs and four lebs (one for gc_lnum, one +for deletions, two for journal heads) are deducted. +In following situation, ubifs may get -ENOSPC from make_reservation(): + LEB 84: DATAHD free 122880 used 1920 dirty 2176 dark 6144 + LEB 110:DELETION free 126976 used 0 dirty 0 dark 6144 (empty) + LEB 201:gc_lnum free 126976 used 0 dirty 0 dark 6144 + LEB 272:GCHD free 77824 used 47672 dirty 1480 dark 6144 + LEB 356:BASEHD free 0 used 39776 dirty 87200 dark 6144 + OTHERS: index lebs, zero-available non-index lebs + +UBIFS calculates the available bytes is 6888 (How to calculate it: +126976 * 5[remain main bytes] - 1920[used] - 47672[used] - 39776[used] - +126976 * 1[deletions] - 126976 * 1[gc_lnum] - 126976 * 2[journal heads] +- 6144 * 5[dark] = 6888) after doing budget, however UBIFS cannot use +BASEHD's dirty space(87200), because UBIFS cannot find next BASEHD to +reclaim current BASEHD. (c->bi.min_idx_lebs equals to c->lst.idx_lebs, +the empty leb won't be found by ubifs_find_free_space(), and dirty index +lebs won't be picked as gced lebs. All non-index lebs has dirty space +less then c->dead_wm, non-index lebs won't be picked as gced lebs +either. So new free lebs won't be produced.). See more details in Link. + +To fix it, reserve one leb for each journal head while doing budget. 
+ +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216562 +Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system") +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/budget.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/fs/ubifs/budget.c b/fs/ubifs/budget.c +index e6b5d61a4e203..a06f7f7870740 100644 +--- a/fs/ubifs/budget.c ++++ b/fs/ubifs/budget.c +@@ -224,11 +224,10 @@ long long ubifs_calc_available(const struct ubifs_info *c, int min_idx_lebs) + subtract_lebs += 1; + + /* +- * The GC journal head LEB is not really accessible. And since +- * different write types go to different heads, we may count only on +- * one head's space. ++ * Since different write types go to different heads, we should ++ * reserve one leb for each head. + */ +- subtract_lebs += c->jhead_cnt - 1; ++ subtract_lebs += c->jhead_cnt; + + /* We also reserve one LEB for deletions, which bypass budgeting */ + subtract_lebs += 1; +-- +2.39.2 + diff --git a/queue-4.14/ubifs-ubifs_writepage-mark-page-dirty-after-writing-.patch b/queue-4.14/ubifs-ubifs_writepage-mark-page-dirty-after-writing-.patch new file mode 100644 index 00000000000..a6bd2cfa6be --- /dev/null +++ b/queue-4.14/ubifs-ubifs_writepage-mark-page-dirty-after-writing-.patch 
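Review bot: The replacement comment in ubifs_calc_available() uses lowercase `leb` where the neighbouring comments (`We also reserve one LEB for deletions`) write `LEB`, and it no longer says why the count changed from `c->jhead_cnt - 1` to `c->jhead_cnt`. I'd write it as `/* Reserve one LEB for each journal head, including the GC head, since different write types go to different heads and no head can reclaim another's LEB. */` so the reasoning the commit message gives survives in the code. The rest of ubifs_calc_available() is outside the hunk.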
@@ -0,0 +1,114 @@ +From a8eb48c10633fb605cfd5b398b6eddd2ed67cd24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 10:59:59 +0800 +Subject: ubifs: ubifs_writepage: Mark page dirty after writing inode failed + +From: Zhihao Cheng + +[ Upstream commit fb8bc4c74ae4526d9489362ab2793a936d072b84 ] + +There are two states for ubifs writing pages: +1. Dirty, Private +2. Not Dirty, Not Private + +There is a third possibility which maybe related to [1] that page is +private but not dirty caused by following process: + + PA +lock(page) +ubifs_write_end + attach_page_private // set Private + __set_page_dirty_nobuffers // set Dirty +unlock(page) + +write_cache_pages + lock(page) + clear_page_dirty_for_io(page) // clear Dirty + ubifs_writepage + write_inode + // fail, goto out, following codes are not executed + // do_writepage + // set_page_writeback // set Writeback + // detach_page_private // clear Private + // end_page_writeback // clear Writeback + out: + unlock(page) // Private, Not Dirty + + PB + ksys_fadvise64_64 + generic_fadvise + invalidate_inode_page + // page is neither Dirty nor Writeback + invalidate_complete_page + // page_has_private is true + try_to_release_page + ubifs_releasepage + ubifs_assert(c, 0) !!! + +Then we may get following assertion failed: + UBIFS error (ubi0:0 pid 1492): ubifs_assert_failed [ubifs]: + UBIFS assert failed: 0, in fs/ubifs/file.c:1499 + UBIFS warning (ubi0:0 pid 1492): ubifs_ro_mode [ubifs]: + switched to read-only mode, error -22 + CPU: 2 PID: 1492 Comm: aa Not tainted 5.16.0-rc2-00012-g7bb767dee0ba-dirty + Call Trace: + dump_stack+0x13/0x1b + ubifs_ro_mode+0x54/0x60 [ubifs] + ubifs_assert_failed+0x4b/0x80 [ubifs] + ubifs_releasepage+0x7e/0x1e0 [ubifs] + try_to_release_page+0x57/0xe0 + invalidate_inode_page+0xfb/0x130 + invalidate_mapping_pagevec+0x12/0x20 + generic_fadvise+0x303/0x3c0 + vfs_fadvise+0x35/0x40 + ksys_fadvise64_64+0x4c/0xb0 + +Jump [2] to find a reproducer. 
+ +[1] https://linux-mtd.infradead.narkive.com/NQoBeT1u/patch-rfc-ubifs-fix-assert-failed-in-ubifs-set-page-dirty +[2] https://bugzilla.kernel.org/show_bug.cgi?id=215357 + +Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system") +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/file.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c +index 46e5a58c4b05a..0e9cfeca5daf7 100644 +--- a/fs/ubifs/file.c ++++ b/fs/ubifs/file.c +@@ -1041,7 +1041,7 @@ static int ubifs_writepage(struct page *page, struct writeback_control *wbc) + if (page->index >= synced_i_size >> PAGE_SHIFT) { + err = inode->i_sb->s_op->write_inode(inode, NULL); + if (err) +- goto out_unlock; ++ goto out_redirty; + /* + * The inode has been written, but the write-buffer has + * not been synchronized, so in case of an unclean +@@ -1069,11 +1069,17 @@ static int ubifs_writepage(struct page *page, struct writeback_control *wbc) + if (i_size > synced_i_size) { + err = inode->i_sb->s_op->write_inode(inode, NULL); + if (err) +- goto out_unlock; ++ goto out_redirty; + } + + return do_writepage(page, len); +- ++out_redirty: ++ /* ++ * redirty_page_for_writepage() won't call ubifs_dirty_inode() because ++ * it passes I_DIRTY_PAGES flag while calling __mark_inode_dirty(), so ++ * there is no need to do space budget for dirty inode. ++ */ ++ redirty_page_for_writepage(wbc, page); + out_unlock: + unlock_page(page); + return err; +-- +2.39.2 + diff --git a/queue-4.14/usb-ene_usb6250-allocate-enough-memory-for-full-obje.patch b/queue-4.14/usb-ene_usb6250-allocate-enough-memory-for-full-obje.patch new file mode 100644 index 00000000000..162e08b49ee --- /dev/null +++ b/queue-4.14/usb-ene_usb6250-allocate-enough-memory-for-full-obje.patch 
@@ -0,0 +1,61 @@ +From 93d6738abc980ef32da073577eb28522207f3e07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Feb 2023 10:35:46 -0800 +Subject: USB: ene_usb6250: Allocate enough memory for full object + +From: Kees Cook + +[ Upstream commit ce33e64c1788912976b61314b56935abd4bc97ef ] + +The allocation of PageBuffer is 512 bytes in size, but the dereferencing +of struct ms_bootblock_idi (also size 512) happens at a calculated offset +within the allocation, which means the object could potentially extend +beyond the end of the allocation. Avoid this case by just allocating +enough space to catch any accesses beyond the end. Seen with GCC 13: + +../drivers/usb/storage/ene_ub6250.c: In function 'ms_lib_process_bootblock': +../drivers/usb/storage/ene_ub6250.c:1050:44: warning: array subscript 'struct ms_bootblock_idi[0]' is partly outside array bounds of 'unsigned char[512]' [-Warray-bounds=] + 1050 | if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF) + | ^~ +../include/uapi/linux/byteorder/little_endian.h:37:51: note: in definition of macro '__le16_to_cpu' + 37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x)) + | ^ +../drivers/usb/storage/ene_ub6250.c:1050:29: note: in expansion of macro 'le16_to_cpu' + 1050 | if (le16_to_cpu(idi->wIDIgeneralConfiguration) != MS_IDI_GENERAL_CONF) + | ^~~~~~~~~~~ +In file included from ../drivers/usb/storage/ene_ub6250.c:5: +In function 'kmalloc', + inlined from 'ms_lib_process_bootblock' at ../drivers/usb/storage/ene_ub6250.c:942:15: +../include/linux/slab.h:580:24: note: at offset [256, 512] into object of size 512 allocated by 'kmalloc_trace' + 580 | return kmalloc_trace( + | ^~~~~~~~~~~~~~ + 581 | kmalloc_caches[kmalloc_type(flags)][index], + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 582 | flags, size); + | ~~~~~~~~~~~~ + +Cc: Alan Stern +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20230204183546.never.849-kees@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: 
Sasha Levin +--- + drivers/usb/storage/ene_ub6250.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/storage/ene_ub6250.c b/drivers/usb/storage/ene_ub6250.c +index 79f77179fd9b5..08b946d27277a 100644 +--- a/drivers/usb/storage/ene_ub6250.c ++++ b/drivers/usb/storage/ene_ub6250.c +@@ -948,7 +948,7 @@ static int ms_lib_process_bootblock(struct us_data *us, u16 PhyBlock, u8 *PageDa + struct ms_lib_type_extdat ExtraData; + struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra; + +- PageBuffer = kmalloc(MS_BYTES_PER_PAGE, GFP_KERNEL); ++ PageBuffer = kzalloc(MS_BYTES_PER_PAGE * 2, GFP_KERNEL); + if (PageBuffer == NULL) + return (u32)-1; + +-- +2.39.2 + diff --git a/queue-4.14/usb-host-xhci-mvebu-iterate-over-array-indexes-inste.patch b/queue-4.14/usb-host-xhci-mvebu-iterate-over-array-indexes-inste.patch new file mode 100644 index 00000000000..94d6c5668c1 --- /dev/null +++ b/queue-4.14/usb-host-xhci-mvebu-iterate-over-array-indexes-inste.patch 
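Review bot: Doubling the allocation to `MS_BYTES_PER_PAGE * 2` bounds the read of `struct ms_bootblock_idi` only if the offset at which it is dereferenced never exceeds MS_BYTES_PER_PAGE; the commit message says the offset is calculated, and if it is derived from data read from the device then an explicit check that `offset + sizeof(struct ms_bootblock_idi) <= MS_BYTES_PER_PAGE * 2` before the cast would make the bound hold independently of the buffer size (the computation is outside the hunk). The `* 2` is also a magic factor; a comment such as `/* twice the page size: ms_bootblock_idi is read at a page-relative offset and may extend past the first page */` would record why. Since kzalloc() zero-fills, an over-read now observes zeros rather than stale heap contents, which is worth stating in the same comment.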
@@ -0,0 +1,46 @@ +From b8f18829c75780110cba6261a51c230812285357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Feb 2023 10:36:52 -0800 +Subject: usb: host: xhci: mvebu: Iterate over array indexes instead of using + pointer math + +From: Kees Cook + +[ Upstream commit 0fbd2cda92cdb00f72080665554a586f88bca821 ] + +Walking the dram->cs array was seen as accesses beyond the first array +item by the compiler. Instead, use the array index directly. This allows +for run-time bounds checking under CONFIG_UBSAN_BOUNDS as well. Seen +with GCC 13 with -fstrict-flex-arrays: + +In function 'xhci_mvebu_mbus_config', + inlined from 'xhci_mvebu_mbus_init_quirk' at ../drivers/usb/host/xhci-mvebu.c:66:2: +../drivers/usb/host/xhci-mvebu.c:37:28: warning: array subscript 0 is outside array bounds of 'const struct mbus_dram_window[0]' [-Warray-bounds=] + 37 | writel(((cs->size - 1) & 0xffff0000) | (cs->mbus_attr << 8) | + | ~~^~~~~~ + +Cc: Mathias Nyman +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20230204183651.never.663-kees@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mvebu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-mvebu.c b/drivers/usb/host/xhci-mvebu.c +index 85908a3ecb8f6..285a5f75fe048 100644 +--- a/drivers/usb/host/xhci-mvebu.c ++++ b/drivers/usb/host/xhci-mvebu.c +@@ -34,7 +34,7 @@ static void xhci_mvebu_mbus_config(void __iomem *base, + + /* Program each DRAM CS in a seperate window */ + for (win = 0; win < dram->num_cs; win++) { +- const struct mbus_dram_window *cs = dram->cs + win; ++ const struct mbus_dram_window *cs = &dram->cs[win]; + + writel(((cs->size - 1) & 0xffff0000) | (cs->mbus_attr << 8) | + (dram->mbus_dram_target_id << 4) | 1, +-- +2.39.2 + 
diff --git a/queue-4.14/usb-uvc-enumerate-valid-values-for-color-matching.patch b/queue-4.14/usb-uvc-enumerate-valid-values-for-color-matching.patch new file mode 100644 index 00000000000..884ce2b1a92 --- /dev/null +++ b/queue-4.14/usb-uvc-enumerate-valid-values-for-color-matching.patch 
@@ -0,0 +1,67 @@
+From 72ec83d1179f4af6c73df0c885b48a5db3e2264e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Feb 2023 11:41:37 +0000
+Subject: usb: uvc: Enumerate valid values for color matching
+
+From: Daniel Scally
+
+[ Upstream commit e16cab9c1596e251761d2bfb5e1467950d616963 ]
+
+The color matching descriptors defined in the UVC Specification
+contain 3 fields with discrete numeric values representing particular
+settings. Enumerate those values so that later code setting them can
+be more readable.
+
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Daniel Scally
+Link: https://lore.kernel.org/r/20230202114142.300858-2-dan.scally@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/usb/video.h | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/include/uapi/linux/usb/video.h b/include/uapi/linux/usb/video.h
+index ff6cc6cb4227c..0c5087c39a9fe 100644
+--- a/include/uapi/linux/usb/video.h
++++ b/include/uapi/linux/usb/video.h
+@@ -179,6 +179,36 @@
+ #define UVC_CONTROL_CAP_AUTOUPDATE (1 << 3)
+ #define UVC_CONTROL_CAP_ASYNCHRONOUS (1 << 4)
+ 
++/* 3.9.2.6 Color Matching Descriptor Values */
++enum uvc_color_primaries_values {
++ UVC_COLOR_PRIMARIES_UNSPECIFIED,
++ UVC_COLOR_PRIMARIES_BT_709_SRGB,
++ UVC_COLOR_PRIMARIES_BT_470_2_M,
++ UVC_COLOR_PRIMARIES_BT_470_2_B_G,
++ UVC_COLOR_PRIMARIES_SMPTE_170M,
++ UVC_COLOR_PRIMARIES_SMPTE_240M,
++};
++
++enum uvc_transfer_characteristics_values {
++ UVC_TRANSFER_CHARACTERISTICS_UNSPECIFIED,
++ UVC_TRANSFER_CHARACTERISTICS_BT_709,
++ UVC_TRANSFER_CHARACTERISTICS_BT_470_2_M,
++ UVC_TRANSFER_CHARACTERISTICS_BT_470_2_B_G,
++ UVC_TRANSFER_CHARACTERISTICS_SMPTE_170M,
++ UVC_TRANSFER_CHARACTERISTICS_SMPTE_240M,
++ UVC_TRANSFER_CHARACTERISTICS_LINEAR,
++ UVC_TRANSFER_CHARACTERISTICS_SRGB,
++};
++
++enum uvc_matrix_coefficients {
++ UVC_MATRIX_COEFFICIENTS_UNSPECIFIED,
++ UVC_MATRIX_COEFFICIENTS_BT_709,
++ UVC_MATRIX_COEFFICIENTS_FCC,
++ UVC_MATRIX_COEFFICIENTS_BT_470_2_B_G,
++ UVC_MATRIX_COEFFICIENTS_SMPTE_170M,
++ UVC_MATRIX_COEFFICIENTS_SMPTE_240M,
++};
++
+ /* ------------------------------------------------------------------------
+ * UVC structures
+ */
+-- 
+2.39.2
+
diff --git a/queue-4.14/watchdog-at91sam9_wdt-use-devm_request_irq-to-avoid-.patch b/queue-4.14/watchdog-at91sam9_wdt-use-devm_request_irq-to-avoid-.patch
new file mode 100644
index 00000000000..53c61c65120
--- /dev/null
+++ b/queue-4.14/watchdog-at91sam9_wdt-use-devm_request_irq-to-avoid-.patch
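Review bot: The third enum tag, `uvc_matrix_coefficients`, drops the `_values` suffix that `uvc_color_primaries_values` and `uvc_transfer_characteristics_values` carry in the same hunk. Because include/uapi/linux/usb/video.h is a user-visible header, the tag becomes public API once this ships, so the inconsistency is worth settling now (`enum uvc_matrix_coefficients_values {`) unless keeping the upstream name is preferred for backport consistency. The enumerators also appear to rely on their implicit 0-based numbering to match the descriptor field values described in the commit message, and nothing in the header says so; a comment such as `/* enumerator order is the descriptor value from UVC 3.9.2.6; do not reorder */` above each enum would make that contract explicit.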
@@ -0,0 +1,46 @@
+From 8c38c3f1d6968f4171eca35b0feeb0cfd56048c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 17:49:50 +0800
+Subject: watchdog: at91sam9_wdt: use devm_request_irq to avoid missing
+ free_irq() in error path
+
+From: ruanjinjie
+
+[ Upstream commit 07bec0e09c1afbab4c5674fd2341f4f52d594f30 ]
+
+free_irq() is missing in case of error in at91_wdt_init(), use
+devm_request_irq to fix that.
+
+Fixes: 5161b31dc39a ("watchdog: at91sam9_wdt: better watchdog support")
+Signed-off-by: ruanjinjie
+Reviewed-by: Guenter Roeck
+Link: https://lore.kernel.org/r/20221116094950.3141943-1-ruanjinjie@huawei.com
+[groeck: Adjust multi-line alignment]
+Signed-off-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Signed-off-by: Sasha Levin
+---
+ drivers/watchdog/at91sam9_wdt.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/watchdog/at91sam9_wdt.c b/drivers/watchdog/at91sam9_wdt.c
+index 7e6acaf3ece49..f3d8ae8df7f65 100644
+--- a/drivers/watchdog/at91sam9_wdt.c
++++ b/drivers/watchdog/at91sam9_wdt.c
+@@ -209,10 +209,9 @@ static int at91_wdt_init(struct platform_device *pdev, struct at91wdt *wdt)
+ "min heartbeat and max heartbeat might be too close for the system to handle it correctly\n");
+ 
+ if ((tmp & AT91_WDT_WDFIEN) && wdt->irq) {
+- err = request_irq(wdt->irq, wdt_interrupt,
+- IRQF_SHARED | IRQF_IRQPOLL |
+- IRQF_NO_SUSPEND,
+- pdev->name, wdt);
++ err = devm_request_irq(dev, wdt->irq, wdt_interrupt,
++ IRQF_SHARED | IRQF_IRQPOLL | IRQF_NO_SUSPEND,
++ pdev->name, wdt);
+ if (err)
+ return err;
+ }
+-- 
+2.39.2
+
diff --git a/queue-4.14/watchdog-fix-kmemleak-in-watchdog_cdev_register.patch b/queue-4.14/watchdog-fix-kmemleak-in-watchdog_cdev_register.patch
new file mode 100644
index 00000000000..f4e8c768816
--- /dev/null
+++ b/queue-4.14/watchdog-fix-kmemleak-in-watchdog_cdev_register.patch
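Review bot: The new `devm_request_irq(dev, ...)` call uses a `dev` variable that is not visible in the hunk; at91_wdt_init's body starts and ends outside the hunk, so presumably a `struct device *dev` is already in scope there, but that should be confirmed against the rest of the function. Switching to devm also moves the IRQ release to devres teardown, which runs after the driver's remove callback, so the shared `wdt_interrupt` handler can still be invoked with `wdt` as dev_id after the watchdog has been unregistered; `wdt` therefore has to outlive the IRQ (for example by being devm-allocated before this request so devres releases it later) and the handler has to tolerate a deregistered watchdog. A one-line comment recording that ordering, `/* devres frees this IRQ after remove(); wdt must stay valid until then */`, would help the next reader.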
@@ -0,0 +1,91 @@
+From 371d1c1759ab5f91d040522f5b4a0e80a99aa440 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 01:27:14 +0000
+Subject: watchdog: Fix kmemleak in watchdog_cdev_register
+
+From: Chen Jun
+
+[ Upstream commit 13721a2ac66b246f5802ba1b75ad8637e53eeecc ]
+
+kmemleak reports memory leaks in watchdog_dev_register, as follows:
+unreferenced object 0xffff888116233000 (size 2048):
+ comm ""modprobe"", pid 28147, jiffies 4353426116 (age 61.741s)
+ hex dump (first 32 bytes):
+ 80 fa b9 05 81 88 ff ff 08 30 23 16 81 88 ff ff .........0#.....
+ 08 30 23 16 81 88 ff ff 00 00 00 00 00 00 00 00 .0#.............
+ backtrace:
+ [<000000007f001ffd>] __kmem_cache_alloc_node+0x157/0x220
+ [<000000006a389304>] kmalloc_trace+0x21/0x110
+ [<000000008d640eea>] watchdog_dev_register+0x4e/0x780 [watchdog]
+ [<0000000053c9f248>] __watchdog_register_device+0x4f0/0x680 [watchdog]
+ [<00000000b2979824>] watchdog_register_device+0xd2/0x110 [watchdog]
+ [<000000001f730178>] 0xffffffffc10880ae
+ [<000000007a1a8bcc>] do_one_initcall+0xcb/0x4d0
+ [<00000000b98be325>] do_init_module+0x1ca/0x5f0
+ [<0000000046d08e7c>] load_module+0x6133/0x70f0
+ ...
+
+unreferenced object 0xffff888105b9fa80 (size 16):
+ comm ""modprobe"", pid 28147, jiffies 4353426116 (age 61.741s)
+ hex dump (first 16 bytes):
+ 77 61 74 63 68 64 6f 67 31 00 b9 05 81 88 ff ff watchdog1.......
+ backtrace:
+ [<000000007f001ffd>] __kmem_cache_alloc_node+0x157/0x220
+ [<00000000486ab89b>] __kmalloc_node_track_caller+0x44/0x1b0
+ [<000000005a39aab0>] kvasprintf+0xb5/0x140
+ [<0000000024806f85>] kvasprintf_const+0x55/0x180
+ [<000000009276cb7f>] kobject_set_name_vargs+0x56/0x150
+ [<00000000a92e820b>] dev_set_name+0xab/0xe0
+ [<00000000cec812c6>] watchdog_dev_register+0x285/0x780 [watchdog]
+ [<0000000053c9f248>] __watchdog_register_device+0x4f0/0x680 [watchdog]
+ [<00000000b2979824>] watchdog_register_device+0xd2/0x110 [watchdog]
+ [<000000001f730178>] 0xffffffffc10880ae
+ [<000000007a1a8bcc>] do_one_initcall+0xcb/0x4d0
+ [<00000000b98be325>] do_init_module+0x1ca/0x5f0
+ [<0000000046d08e7c>] load_module+0x6133/0x70f0
+ ...
+
+The reason is that put_device is not be called if cdev_device_add fails
+and wdd->id != 0.
+
+watchdog_cdev_register
+ wd_data = kzalloc [1]
+ err = dev_set_name [2]
+ ..
+ err = cdev_device_add
+ if (err) {
+ if (wdd->id == 0) { // wdd->id != 0
+ ..
+ }
+ return err; // [1],[2] would be leaked
+
+To fix it, call put_device in all wdd->id cases.
+
+Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev")
+Signed-off-by: Chen Jun
+Reviewed-by: Guenter Roeck
+Link: https://lore.kernel.org/r/20221116012714.102066-1-chenjun102@huawei.com
+Signed-off-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Signed-off-by: Sasha Levin
+---
+ drivers/watchdog/watchdog_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
+index 21c3ffdc8a09d..337ca3690d622 100644
+--- a/drivers/watchdog/watchdog_dev.c
++++ b/drivers/watchdog/watchdog_dev.c
+@@ -965,8 +965,8 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
+ if (wdd->id == 0) {
+ misc_deregister(&watchdog_miscdev);
+ old_wd_data = NULL;
+- put_device(&wd_data->dev);
+ }
++ put_device(&wd_data->dev);
+ return err;
+ }
+ 
+-- 
+2.39.2
+
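Review bot: The relocated `put_device(&wd_data->dev)` is now the single teardown on the cdev_device_add failure path for every wdd->id, and it presumably drops the last reference so that the device release callback frees wd_data and the name allocated by dev_set_name; since that is the entire reason for the change, the line deserves a comment saying so, e.g. `/* drop the last ref: the release callback frees wd_data and its name */`. After this call wd_data must not be touched, which the following `return err;` respects; the rest of watchdog_cdev_register lies outside the hunk, so whether any other code on this path still dereferences wd_data could not be confirmed here.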
diff --git a/queue-4.14/watchdog-pcwd_usb-fix-attempting-to-access-uninitial.patch b/queue-4.14/watchdog-pcwd_usb-fix-attempting-to-access-uninitial.patch
new file mode 100644
index 00000000000..342197a9c98
--- /dev/null
+++ b/queue-4.14/watchdog-pcwd_usb-fix-attempting-to-access-uninitial.patch
@@ -0,0 +1,64 @@
+From e4c274cd8d4244ba58e6ed229993495042620277 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Nov 2022 10:07:06 +0800
+Subject: watchdog: pcwd_usb: Fix attempting to access uninitialized memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Li Hua
+
+[ Upstream commit 7d06c07c67100fd0f8e6b3ab7145ce789f788117 ]
+
+The stack variable msb and lsb may be used uninitialized in function
+usb_pcwd_get_temperature and usb_pcwd_get_timeleft when usb card no response.
+
+The build waring is:
+drivers/watchdog/pcwd_usb.c:336:22: error: ‘lsb’ is used uninitialized in this function [-Werror=uninitialized]
+ *temperature = (lsb * 9 / 5) + 32;
+ ~~~~^~~
+drivers/watchdog/pcwd_usb.c:328:21: note: ‘lsb’ was declared here
+ unsigned char msb, lsb;
+ ^~~
+cc1: all warnings being treated as errors
+scripts/Makefile.build:250: recipe for target 'drivers/watchdog/pcwd_usb.o' failed
+make[3]: *** [drivers/watchdog/pcwd_usb.o] Error 1
+
+Fixes: b7e04f8c61a4 ("mv watchdog tree under drivers")
+Signed-off-by: Li Hua
+Reviewed-by: Guenter Roeck
+Link: https://lore.kernel.org/r/20221116020706.70847-1-hucool.lihua@huawei.com
+Signed-off-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Signed-off-by: Sasha Levin
+---
+ drivers/watchdog/pcwd_usb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/watchdog/pcwd_usb.c b/drivers/watchdog/pcwd_usb.c
+index b9e376c8e2e36..277ecfdf09c09 100644
+--- a/drivers/watchdog/pcwd_usb.c
++++ b/drivers/watchdog/pcwd_usb.c
+@@ -330,7 +330,8 @@ static int usb_pcwd_set_heartbeat(struct usb_pcwd_private *usb_pcwd, int t)
+ static int usb_pcwd_get_temperature(struct usb_pcwd_private *usb_pcwd,
+ int *temperature)
+ {
+- unsigned char msb, lsb;
++ unsigned char msb = 0x00;
++ unsigned char lsb = 0x00;
+ 
+ usb_pcwd_send_command(usb_pcwd, CMD_READ_TEMP, &msb, &lsb);
+ 
+@@ -346,7 +347,8 @@ static int usb_pcwd_get_temperature(struct usb_pcwd_private *usb_pcwd,
+ static int usb_pcwd_get_timeleft(struct usb_pcwd_private *usb_pcwd,
+ int *time_left)
+ {
+- unsigned char msb, lsb;
++ unsigned char msb = 0x00;
++ unsigned char lsb = 0x00;
+ 
+ /* Read the time that's left before rebooting */
+ /* Note: if the board is not yet armed then we will read 0xFFFF */
+-- 
+2.39.2
+
diff --git a/queue-4.14/x86-um-vdso-add-rcx-and-r11-to-the-syscall-clobber-l.patch b/queue-4.14/x86-um-vdso-add-rcx-and-r11-to-the-syscall-clobber-l.patch
new file mode 100644
index 00000000000..be6938d7cc8
--- /dev/null
+++ b/queue-4.14/x86-um-vdso-add-rcx-and-r11-to-the-syscall-clobber-l.patch
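Review bot: Zero-initialising `msb`/`lsb` removes the uninitialised read, but it also makes a card that never answers indistinguishable from a valid reading: with the formula quoted in the commit message, usb_pcwd_get_temperature would report 32 and usb_pcwd_get_timeleft would report 0 as if they were measured values. The result of `usb_pcwd_send_command(usb_pcwd, CMD_READ_TEMP, &msb, &lsb);` is discarded on the visible line; if that function reports whether a response arrived (its definition is not in the hunk), the robust fix is to check it and fail the read, e.g. `if (!usb_pcwd_send_command(usb_pcwd, CMD_READ_TEMP, &msb, &lsb)) return -EIO;`, and the same applies to the read in the second hunk at -346. Both functions continue past the hunk, so the later computations on msb/lsb are not visible here.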
@@ -0,0 +1,59 @@
+From d9ab999a8a12a80c65e884a07f80b15a5a7ae9b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 24 Dec 2022 00:23:38 +0700
+Subject: x86: um: vdso: Add '%rcx' and '%r11' to the syscall clobber list
+
+From: Ammar Faizi
+
+[ Upstream commit 5541992e512de8c9133110809f767bd1b54ee10d ]
+
+The 'syscall' instruction clobbers '%rcx' and '%r11', but they are not
+listed in the inline Assembly that performs the syscall instruction.
+
+No real bug is found. It wasn't buggy by luck because '%rcx' and '%r11'
+are caller-saved registers, and not used in the functions, and the
+functions are never inlined.
+
+Add them to the clobber list for code correctness.
+
+Fixes: f1c2bb8b9964ed31de988910f8b1cfb586d30091 ("um: implement a x86_64 vDSO")
+Signed-off-by: Ammar Faizi
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/x86/um/vdso/um_vdso.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/um/vdso/um_vdso.c b/arch/x86/um/vdso/um_vdso.c
+index 7c441b59d3752..be99ff25c5039 100644
+--- a/arch/x86/um/vdso/um_vdso.c
++++ b/arch/x86/um/vdso/um_vdso.c
+@@ -20,8 +20,10 @@ int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
+ {
+ long ret;
+ 
+- asm("syscall" : "=a" (ret) :
+- "0" (__NR_clock_gettime), "D" (clock), "S" (ts) : "memory");
++ asm("syscall"
++ : "=a" (ret)
++ : "0" (__NR_clock_gettime), "D" (clock), "S" (ts)
++ : "rcx", "r11", "memory");
+ 
+ return ret;
+ }
+@@ -32,8 +34,10 @@ int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
+ {
+ long ret;
+ 
+- asm("syscall" : "=a" (ret) :
+- "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
++ asm("syscall"
++ : "=a" (ret)
++ : "0" (__NR_gettimeofday), "D" (tv), "S" (tz)
++ : "rcx", "r11", "memory");
+ 
+ return ret;
+ }
+-- 
+2.39.2
+