From: Sasha Levin Date: Thu, 14 Nov 2024 12:39:20 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v4.19.324~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a622f9bfa14d415aff295a23a54272edd9bc41f2;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/9p-avoid-creating-multiple-slab-caches-with-the-same.patch b/queue-5.4/9p-avoid-creating-multiple-slab-caches-with-the-same.patch new file mode 100644 index 00000000000..3e646892301 --- /dev/null +++ b/queue-5.4/9p-avoid-creating-multiple-slab-caches-with-the-same.patch @@ -0,0 +1,62 @@ +From 2b9f5b9c0a4eb8abd720e9e48a8dc6bd17b52ad8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 10:47:25 +0100 +Subject: 9p: Avoid creating multiple slab caches with the same name + +From: Pedro Falcato + +[ Upstream commit 79efebae4afc2221fa814c3cae001bede66ab259 ] + +In the spirit of [1], avoid creating multiple slab caches with the same +name. Instead, add the dev_name into the mix. + +[1]: https://lore.kernel.org/all/20240807090746.2146479-1-pedro.falcato@gmail.com/ + +Signed-off-by: Pedro Falcato +Reported-by: syzbot+3c5d43e97993e1fa612b@syzkaller.appspotmail.com +Message-ID: <20240807094725.2193423-1-pedro.falcato@gmail.com> +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/client.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/9p/client.c b/net/9p/client.c +index 2b54f1cef2b0d..0f5db1f414be1 100644 +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -1003,6 +1003,7 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) + int err; + struct p9_client *clnt; + char *client_id; ++ char *cache_name; + + err = 0; + clnt = kmalloc(sizeof(struct p9_client), GFP_KERNEL); +@@ -1055,15 +1056,22 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) + if (err) + goto close_trans; + ++ cache_name = kasprintf(GFP_KERNEL, "9p-fcall-cache-%s", dev_name); ++ if (!cache_name) { ++ err = -ENOMEM; ++ goto close_trans; ++ } ++ + /* P9_HDRSZ + 4 is the smallest packet header we can have that is + * followed by data accessed from userspace by read + */ + clnt->fcall_cache = +- kmem_cache_create_usercopy("9p-fcall-cache", clnt->msize, ++ kmem_cache_create_usercopy(cache_name, clnt->msize, + 0, 0, P9_HDRSZ + 4, + clnt->msize - (P9_HDRSZ + 4), + NULL); + ++ kfree(cache_name); + return clnt; + + close_trans: +-- +2.43.0 + diff --git a/queue-5.4/bpf-use-kvzmalloc-to-allocate-bpf-verifier-environme.patch b/queue-5.4/bpf-use-kvzmalloc-to-allocate-bpf-verifier-environme.patch new file mode 100644 index 00000000000..c2f815d4a26 --- /dev/null +++ b/queue-5.4/bpf-use-kvzmalloc-to-allocate-bpf-verifier-environme.patch @@ -0,0 +1,52 @@ +From c193206f80bfc75f17849bf36d73a15e6461c864 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 17:07:35 -0400 +Subject: bpf: use kvzmalloc to allocate BPF verifier environment + +From: Rik van Riel + +[ Upstream commit 434247637c66e1be2bc71a9987d4c3f0d8672387 ] + +The kzmalloc call in bpf_check can fail when memory is very fragmented, +which in turn can lead to an OOM kill. + +Use kvzmalloc to fall back to vmalloc when memory is too fragmented to +allocate an order 3 sized bpf verifier environment. + +Admittedly this is not a very common case, and only happens on systems +where memory has already been squeezed close to the limit, but this does +not seem like much of a hot path, and it's a simple enough fix. + +Signed-off-by: Rik van Riel +Reviewed-by: Shakeel Butt +Link: https://lore.kernel.org/r/20241008170735.16766766@imladris.surriel.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 0901911b42b56..013b9062c47c3 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -9558,7 +9558,7 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, + /* 'struct bpf_verifier_env' can be global, but since it's not small, + * allocate/free it every time bpf_check() is called + */ +- env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL); ++ env = kvzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL); + if (!env) + return -ENOMEM; + log = &env->log; +@@ -9728,6 +9728,6 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, + mutex_unlock(&bpf_verifier_lock); + vfree(env->insn_aux_data); + err_free_env: +- kfree(env); ++ kvfree(env); + return ret; + } +-- +2.43.0 + diff --git a/queue-5.4/hid-multitouch-add-quirk-for-honor-magicbook-art-14-.patch b/queue-5.4/hid-multitouch-add-quirk-for-honor-magicbook-art-14-.patch new file mode 100644 index 00000000000..b5d3516f5bf --- /dev/null +++ b/queue-5.4/hid-multitouch-add-quirk-for-honor-magicbook-art-14-.patch @@ -0,0 +1,47 @@ +From 1e2704bc7599ace4416d9687a290f28fe364fd29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 12:08:03 +0800 +Subject: HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad + +From: WangYuli + +[ Upstream commit 7a5ab8071114344f62a8b1e64ed3452a77257d76 ] + +The behavior of HONOR MagicBook Art 14 touchpad is not consistent +after reboots, as sometimes it reports itself as a touchpad, and +sometimes as a mouse. + +Similarly to GLO-GXXX it is possible to call MT_QUIRK_FORCE_GET_FEATURE as a +workaround to force set feature in mt_set_input_mode() for such special touchpad +device. + +[jkosina@suse.com: reword changelog a little bit] +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/1040 +Signed-off-by: Wentao Guan +Signed-off-by: WangYuli +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index c3810e7140a55..5994e7d1b82d9 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -2008,6 +2008,11 @@ static const struct hid_device_id mt_devices[] = { + HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, + 0x347d, 0x7853) }, + ++ /* HONOR MagicBook Art 14 touchpad */ ++ { .driver_data = MT_CLS_VTL, ++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, ++ 0x35cc, 0x0104) }, ++ + /* Ilitek dual touch panel */ + { .driver_data = MT_CLS_NSMU, + MT_USB_DEVICE(USB_VENDOR_ID_ILITEK, +-- +2.43.0 + diff --git a/queue-5.4/powerpc-powernv-free-name-on-error-in-opal_event_ini.patch b/queue-5.4/powerpc-powernv-free-name-on-error-in-opal_event_ini.patch new file mode 100644 index 00000000000..1ad6cf94762 --- /dev/null +++ b/queue-5.4/powerpc-powernv-free-name-on-error-in-opal_event_ini.patch @@ -0,0 +1,39 @@ +From 2663091e76c789f45dca16c19761ad0c3c8a12e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Sep 2024 19:35:20 +1000 +Subject: powerpc/powernv: Free name on error in opal_event_init() + +From: Michael Ellerman + +[ Upstream commit cf8989d20d64ad702a6210c11a0347ebf3852aa7 ] + +In opal_event_init() if request_irq() fails name is not freed, leading +to a memory leak. The code only runs at boot time, there's no way for a +user to trigger it, so there's no security impact. + +Fix the leak by freeing name in the error path. + +Reported-by: 2639161967 <2639161967@qq.com> +Closes: https://lore.kernel.org/linuxppc-dev/87wmjp3wig.fsf@mail.lhotse +Signed-off-by: Michael Ellerman +Link: https://patch.msgid.link/20240920093520.67997-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-irqchip.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/powernv/opal-irqchip.c b/arch/powerpc/platforms/powernv/opal-irqchip.c +index dcec0f760c8f8..522bda391179a 100644 +--- a/arch/powerpc/platforms/powernv/opal-irqchip.c ++++ b/arch/powerpc/platforms/powernv/opal-irqchip.c +@@ -285,6 +285,7 @@ int __init opal_event_init(void) + name, NULL); + if (rc) { + pr_warn("Error %d requesting OPAL irq %d\n", rc, (int)r->start); ++ kfree(name); + continue; + } + } +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index f2fa57d963f..312673925ad 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -51,3 +51,8 @@ ftrace-fix-possible-use-after-free-issue-in-ftrace_location.patch hv_sock-initializing-vsk-trans-to-null-to-prevent-a-dangling-pointer.patch vsock-virtio-initialization-of-the-dangling-pointer-occurring-in-vsk-trans.patch alsa-usb-audio-add-endianness-annotations.patch +9p-avoid-creating-multiple-slab-caches-with-the-same.patch +hid-multitouch-add-quirk-for-honor-magicbook-art-14-.patch +bpf-use-kvzmalloc-to-allocate-bpf-verifier-environme.patch +sound-make-config_snd-depend-on-indirect_iomem-inste.patch +powerpc-powernv-free-name-on-error-in-opal_event_ini.patch diff --git a/queue-5.4/sound-make-config_snd-depend-on-indirect_iomem-inste.patch b/queue-5.4/sound-make-config_snd-depend-on-indirect_iomem-inste.patch new file mode 100644 index 00000000000..f1638e3cbca --- /dev/null +++ b/queue-5.4/sound-make-config_snd-depend-on-indirect_iomem-inste.patch @@ -0,0 +1,40 @@ +From 3585bb73709bb407b0373816f1039ab669a10a6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 14:46:01 +0200 +Subject: sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML + +From: Julian Vetter + +[ Upstream commit ad6639f143a0b42d7fb110ad14f5949f7c218890 ] + +When building for the UM arch and neither INDIRECT_IOMEM=y, nor +HAS_IOMEM=y is selected, it will fall back to the implementations from +asm-generic/io.h for IO memcpy. But these fall-back functions just do a +memcpy. So, instead of depending on UML, add dependency on 'HAS_IOMEM || +INDIRECT_IOMEM'. + +Reviewed-by: Yann Sionneau +Signed-off-by: Julian Vetter +Link: https://patch.msgid.link/20241010124601.700528-1-jvetter@kalrayinc.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/Kconfig b/sound/Kconfig +index aaf2022ffc57d..cb4cb0d5b9591 100644 +--- a/sound/Kconfig ++++ b/sound/Kconfig +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0-only + menuconfig SOUND + tristate "Sound card support" +- depends on HAS_IOMEM || UML ++ depends on HAS_IOMEM || INDIRECT_IOMEM + help + If you have a sound card in your computer, i.e. if it can say more + than an occasional beep, say Y. +-- +2.43.0 +