From: Greg Kroah-Hartman Date: Mon, 4 Apr 2022 08:29:24 +0000 (+0200) Subject: 5.17-stable patches X-Git-Tag: v5.17.2~85 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b4b746a23bbdec5014389297f474c4be7fc06099;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: arm64-mm-drop-const-from-conditional-arm64_dma_phys_limit-definition.patch asoc-soc-compress-change-the-check-for-codec_dai.patch ax25-fix-uaf-bug-in-ax25_send_control.patch docs-fix-make-htmldocs-warning-in-sctp.rst.patch drm-connector-fix-typo-in-documentation.patch kvm-x86-svm-fix-avic-spec-based-definitions-again.patch reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch scsi-qla2xxx-add-qla2x00_async_done-for-async-routines.patch staging-mt7621-dts-fix-pinctrl-0-items-to-be-size-1-items-on-ethernet.patch tracing-have-type-enum-modifications-copy-the-strings.patch
---
diff --git a/queue-5.17/arm64-mm-drop-const-from-conditional-arm64_dma_phys_limit-definition.patch b/queue-5.17/arm64-mm-drop-const-from-conditional-arm64_dma_phys_limit-definition.patch
new file mode 100644
index 00000000000..0a3f7c0320b
--- /dev/null
+++ b/queue-5.17/arm64-mm-drop-const-from-conditional-arm64_dma_phys_limit-definition.patch
@@ -0,0 +1,39 @@
+From 770093459b9b333380aa71f2c31c60b14895c1df Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Wed, 9 Mar 2022 12:21:37 +0000
+Subject: arm64: mm: Drop 'const' from conditional arm64_dma_phys_limit definition
+
+From: Will Deacon
+
+commit 770093459b9b333380aa71f2c31c60b14895c1df upstream.
+
+Commit 031495635b46 ("arm64: Do not defer reserve_crashkernel() for
+platforms with no DMA memory zones") introduced different definitions
+for 'arm64_dma_phys_limit' depending on CONFIG_ZONE_DMA{,32} based on
+a late suggestion from Pasha. Sadly, this results in a build error when
+passing W=1:
+
+ | arch/arm64/mm/init.c:90:19: error: conflicting type qualifiers for 'arm64_dma_phys_limit'
+
+Drop the 'const' for now and use '__ro_after_init' consistently.
+
+Link: https://lore.kernel.org/r/202203090241.aj7paWeX-lkp@intel.com
+Link: https://lore.kernel.org/r/CA+CK2bDbbx=8R=UthkMesWOST8eJMtOGJdfMRTFSwVmo0Vn0EA@mail.gmail.com
+Fixes: 031495635b46 ("arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones")
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/mm/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/init.c
++++ b/arch/arm64/mm/init.c
+@@ -87,7 +87,7 @@ EXPORT_SYMBOL(memstart_addr);
+ #if IS_ENABLED(CONFIG_ZONE_DMA) || IS_ENABLED(CONFIG_ZONE_DMA32)
+ phys_addr_t __ro_after_init arm64_dma_phys_limit;
+ #else
+-const phys_addr_t arm64_dma_phys_limit = PHYS_MASK + 1;
++phys_addr_t __ro_after_init arm64_dma_phys_limit = PHYS_MASK + 1;
+ #endif
+
+ #ifdef CONFIG_KEXEC_CORE
diff --git a/queue-5.17/asoc-soc-compress-change-the-check-for-codec_dai.patch b/queue-5.17/asoc-soc-compress-change-the-check-for-codec_dai.patch
new file mode 100644
index 00000000000..a286297eb95
--- /dev/null
+++ b/queue-5.17/asoc-soc-compress-change-the-check-for-codec_dai.patch
@@ -0,0 +1,54 @@
+From ccb4214f7f2a8b75acf493f31128e464ee1a3536 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang
+Date: Thu, 10 Mar 2022 11:00:41 +0800
+Subject: ASoC: soc-compress: Change the check for codec_dai
+
+From: Jiasheng Jiang
+
+commit ccb4214f7f2a8b75acf493f31128e464ee1a3536 upstream.
+
+It should be better to reverse the check on codec_dai
+and returned early in order to be easier to understand.
+
+Fixes: de2c6f98817f ("ASoC: soc-compress: prevent the potentially use of null pointer")
+Reported-by: kernel test robot
+Reported-by: Dan Carpenter
+Signed-off-by: Jiasheng Jiang
+Reviewed-by: Charles Keepax
+Link: https://lore.kernel.org/r/20220310030041.1556323-1-jiasheng@iscas.ac.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/soc-compress.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/sound/soc/soc-compress.c
++++ b/sound/soc/soc-compress.c
+@@ -567,16 +567,19 @@ int snd_soc_new_compress(struct snd_soc_
+ return -EINVAL;
+ }
+
+- /* check client and interface hw capabilities */
+- if (codec_dai) {
+- if (snd_soc_dai_stream_valid(codec_dai, SNDRV_PCM_STREAM_PLAYBACK) &&
+- snd_soc_dai_stream_valid(cpu_dai, SNDRV_PCM_STREAM_PLAYBACK))
+- playback = 1;
+- if (snd_soc_dai_stream_valid(codec_dai, SNDRV_PCM_STREAM_CAPTURE) &&
+- snd_soc_dai_stream_valid(cpu_dai, SNDRV_PCM_STREAM_CAPTURE))
+- capture = 1;
++ if (!codec_dai) {
++ dev_err(rtd->card->dev, "Missing codec\n");
++ return -EINVAL;
+ }
+
++ /* check client and interface hw capabilities */
++ if (snd_soc_dai_stream_valid(codec_dai, SNDRV_PCM_STREAM_PLAYBACK) &&
++ snd_soc_dai_stream_valid(cpu_dai, SNDRV_PCM_STREAM_PLAYBACK))
++ playback = 1;
++ if (snd_soc_dai_stream_valid(codec_dai, SNDRV_PCM_STREAM_CAPTURE) &&
++ snd_soc_dai_stream_valid(cpu_dai, SNDRV_PCM_STREAM_CAPTURE))
++ capture = 1;
++
+ /*
+ * Compress devices are unidirectional so only one of the directions
+ * should be set, check for that (xor)
diff --git a/queue-5.17/ax25-fix-uaf-bug-in-ax25_send_control.patch b/queue-5.17/ax25-fix-uaf-bug-in-ax25_send_control.patch
new file mode 100644
index 00000000000..10c374d7c94
--- /dev/null
+++ b/queue-5.17/ax25-fix-uaf-bug-in-ax25_send_control.patch
@@ -0,0 +1,85 @@ +From 5352a761308397a0e6250fdc629bb3f615b94747 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Mon, 28 Mar 2022 21:00:14 +0800 +Subject: ax25: fix UAF bug in ax25_send_control() + +From: Duoming Zhou + +commit 5352a761308397a0e6250fdc629bb3f615b94747 upstream. + +There are UAF bugs in ax25_send_control(), when we call ax25_release() +to deallocate ax25_dev. The possible race condition is shown below: + + (Thread 1) | (Thread 2) +ax25_dev_device_up() //(1) | + | ax25_kill_by_device() +ax25_bind() //(2) | +ax25_connect() | ... + ax25->state = AX25_STATE_1 | + ... | ax25_dev_device_down() //(3) + + (Thread 3) +ax25_release() | + ax25_dev_put() //(4) FREE | + case AX25_STATE_1: | + ax25_send_control() | + alloc_skb() //USE | + +The refcount of ax25_dev increases in position (1) and (2), and +decreases in position (3) and (4). The ax25_dev will be freed +before dereference sites in ax25_send_control(). + +The following is part of the report: + +[ 102.297448] BUG: KASAN: use-after-free in ax25_send_control+0x33/0x210 +[ 102.297448] Read of size 8 at addr ffff888009e6e408 by task ax25_close/602 +[ 102.297448] Call Trace: +[ 102.303751] ax25_send_control+0x33/0x210 +[ 102.303751] ax25_release+0x356/0x450 +[ 102.305431] __sock_release+0x6d/0x120 +[ 102.305431] sock_close+0xf/0x20 +[ 102.305431] __fput+0x11f/0x420 +[ 102.305431] task_work_run+0x86/0xd0 +[ 102.307130] get_signal+0x1075/0x1220 +[ 102.308253] arch_do_signal_or_restart+0x1df/0xc00 +[ 102.308253] exit_to_user_mode_prepare+0x150/0x1e0 +[ 102.308253] syscall_exit_to_user_mode+0x19/0x50 +[ 102.308253] do_syscall_64+0x48/0x90 +[ 102.308253] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 102.308253] RIP: 0033:0x405ae7 + +This patch defers the free operation of ax25_dev and net_device after +all corresponding dereference sites in ax25_release() to avoid UAF. 
+
+Fixes: 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()")
+Signed-off-by: Duoming Zhou
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ax25/af_ax25.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -991,10 +991,6 @@ static int ax25_release(struct socket *s
+ sock_orphan(sk);
+ ax25 = sk_to_ax25(sk);
+ ax25_dev = ax25->ax25_dev;
+- if (ax25_dev) {
+- dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
+- ax25_dev_put(ax25_dev);
+- }
+
+ if (sk->sk_type == SOCK_SEQPACKET) {
+ switch (ax25->state) {
+@@ -1056,6 +1052,10 @@ static int ax25_release(struct socket *s
+ sk->sk_state_change(sk);
+ ax25_destroy_socket(ax25);
+ }
++ if (ax25_dev) {
++ dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
++ ax25_dev_put(ax25_dev);
++ }
+
+ sock->sk = NULL;
+ release_sock(sk);
diff --git a/queue-5.17/docs-fix-make-htmldocs-warning-in-sctp.rst.patch b/queue-5.17/docs-fix-make-htmldocs-warning-in-sctp.rst.patch
new file mode 100644
index 00000000000..5ac28640cf8
--- /dev/null
+++ b/queue-5.17/docs-fix-make-htmldocs-warning-in-sctp.rst.patch
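Review bot: The relocated `if (ax25_dev)` block at the end of ax25_release() drops both references through the local `ax25_dev` that was read from `ax25->ax25_dev` before the state switch, and nothing in the hunk explains why that copy still names a reference this path owns by then. The race diagram in the commit message shows ax25_kill_by_device()/ax25_dev_device_down() dropping a reference on the same device, so if anything between the read and the deferred put lets that path run (the body of the switch lies outside both inner hunks, so this is not visible here), the same reference could be dropped twice; this should be confirmed. At minimum I would add a comment above the block, e.g. `/* Drop the device references only after the state switch above: ax25_send_control() still dereferences ax25_dev. */`.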
@@ -0,0 +1,52 @@ +From 70868c6b8fd80db585da57a264c50a69af8fd3c3 Mon Sep 17 00:00:00 2001 +From: Wan Jiabing +Date: Mon, 28 Feb 2022 10:56:41 +0800 +Subject: docs: fix 'make htmldocs' warning in SCTP.rst + +From: Wan Jiabing + +commit 70868c6b8fd80db585da57a264c50a69af8fd3c3 upstream. + +Fix following 'make htmldocs' warnings: +./Documentation/security/SCTP.rst:123: WARNING: Title underline too short. +security_sctp_assoc_established() +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +./Documentation/security/SCTP.rst:123: WARNING: Title underline too short. +security_sctp_assoc_established() +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +./Documentation/security/SCTP.rst:273: WARNING: Title underline too short. +security_sctp_assoc_established() +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +./Documentation/security/SCTP.rst:273: WARNING: Title underline too short. +security_sctp_assoc_established() +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fixes: 5e50f5d4ff31 ("security: add sctp_assoc_established hook") +Signed-off-by: Wan Jiabing +Reviewed-by: Xin Long +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/security/SCTP.rst | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/Documentation/security/SCTP.rst ++++ b/Documentation/security/SCTP.rst +@@ -120,7 +120,7 @@ calls **sctp_peeloff**\(3). + + + security_sctp_assoc_established() +-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Called when a COOKIE ACK is received, and the peer secid will be + saved into ``@asoc->peer_secid`` for client:: + +@@ -270,7 +270,7 @@ sockets sid and peer sid to that contain + + + security_sctp_assoc_established() +-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Called when a COOKIE ACK is received where it sets the connection's peer sid + to that in ``@skb``:: + 
diff --git a/queue-5.17/drm-connector-fix-typo-in-documentation.patch b/queue-5.17/drm-connector-fix-typo-in-documentation.patch
new file mode 100644
index 00000000000..65a034d08ca
--- /dev/null
+++ b/queue-5.17/drm-connector-fix-typo-in-documentation.patch
@@ -0,0 +1,42 @@
+From dca384a3bf5af1c781cfa6aec63904bdb5018c36 Mon Sep 17 00:00:00 2001
+From: Maxime Ripard
+Date: Wed, 2 Feb 2022 10:43:40 +0100
+Subject: drm/connector: Fix typo in documentation
+
+From: Maxime Ripard
+
+commit dca384a3bf5af1c781cfa6aec63904bdb5018c36 upstream.
+
+Commit 4adc33f36d80 ("drm/edid: Split deep color modes between RGB and
+YUV444") introduced two new variables in struct drm_display_info and
+their documentation, but the documentation part had a typo resulting in
+a doc build warning.
+
+Fixes: 4adc33f36d80 ("drm/edid: Split deep color modes between RGB and YUV444")
+Reported-by: Stephen Rothwell
+Signed-off-by: Maxime Ripard
+Reviewed-by: Simon Ser
+Link: https://patchwork.freedesktop.org/patch/msgid/20220202094340.875190-1-maxime@cerno.tech
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/drm/drm_connector.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/drm/drm_connector.h
++++ b/include/drm/drm_connector.h
+@@ -592,13 +592,13 @@ struct drm_display_info {
+ bool rgb_quant_range_selectable;
+
+ /**
+- * @edid_hdmi_dc_rgb444_modes: Mask of supported hdmi deep color modes
++ * @edid_hdmi_rgb444_dc_modes: Mask of supported hdmi deep color modes
+ * in RGB 4:4:4. Even more stuff redundant with @bus_formats.
+ */
+ u8 edid_hdmi_rgb444_dc_modes;
+
+ /**
+- * @edid_hdmi_dc_ycbcr444_modes: Mask of supported hdmi deep color
++ * @edid_hdmi_ycbcr444_dc_modes: Mask of supported hdmi deep color
+ * modes in YCbCr 4:4:4. Even more stuff redundant with @bus_formats.
+ */
+ u8 edid_hdmi_ycbcr444_dc_modes;
diff --git a/queue-5.17/kvm-x86-svm-fix-avic-spec-based-definitions-again.patch b/queue-5.17/kvm-x86-svm-fix-avic-spec-based-definitions-again.patch
new file mode 100644
index 00000000000..30ba9d28263
--- /dev/null
+++ b/queue-5.17/kvm-x86-svm-fix-avic-spec-based-definitions-again.patch
@@ -0,0 +1,71 @@
+From 0dacc3df898e219fa774f39e5e10d686364e0a27 Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky
+Date: Tue, 22 Mar 2022 19:24:45 +0200
+Subject: KVM: x86: SVM: fix avic spec based definitions again
+
+From: Maxim Levitsky
+
+commit 0dacc3df898e219fa774f39e5e10d686364e0a27 upstream.
+
+Due to wrong rebase, commit
+4a204f7895878 ("KVM: SVM: Allow AVIC support on system w/ physical APIC ID > 255")
+
+moved avic spec #defines back to avic.c.
+
+Move them back, and while at it extend AVIC_DOORBELL_PHYSICAL_ID_MASK to 12
+bits as well (it will be used in nested avic)
+
+Signed-off-by: Maxim Levitsky
+Message-Id: <20220322172449.235575-5-mlevitsk@redhat.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/svm.h | 8 +++++---
+ arch/x86/kvm/svm/svm.h | 11 -----------
+ 2 files changed, 5 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/include/asm/svm.h
++++ b/arch/x86/include/asm/svm.h
+@@ -222,7 +222,7 @@ struct __attribute__ ((__packed__)) vmcb
+
+
+ /* AVIC */
+-#define AVIC_LOGICAL_ID_ENTRY_GUEST_PHYSICAL_ID_MASK (0xFF)
++#define AVIC_LOGICAL_ID_ENTRY_GUEST_PHYSICAL_ID_MASK (0xFFULL)
+ #define AVIC_LOGICAL_ID_ENTRY_VALID_BIT 31
+ #define AVIC_LOGICAL_ID_ENTRY_VALID_MASK (1 << 31)
+
+@@ -230,9 +230,11 @@ struct __attribute__ ((__packed__)) vmcb
+ #define AVIC_PHYSICAL_ID_ENTRY_BACKING_PAGE_MASK (0xFFFFFFFFFFULL << 12)
+ #define AVIC_PHYSICAL_ID_ENTRY_IS_RUNNING_MASK (1ULL << 62)
+ #define AVIC_PHYSICAL_ID_ENTRY_VALID_MASK (1ULL << 63)
+-#define AVIC_PHYSICAL_ID_TABLE_SIZE_MASK (0xFF)
++#define AVIC_PHYSICAL_ID_TABLE_SIZE_MASK (0xFFULL)
+
+-#define AVIC_DOORBELL_PHYSICAL_ID_MASK (0xFF)
++#define AVIC_DOORBELL_PHYSICAL_ID_MASK GENMASK_ULL(11, 0)
++
++#define VMCB_AVIC_APIC_BAR_MASK 0xFFFFFFFFFF000ULL
+
+ #define AVIC_UNACCEL_ACCESS_WRITE_MASK 1
+ #define AVIC_UNACCEL_ACCESS_OFFSET_MASK 0xFF0
+--- a/arch/x86/kvm/svm/svm.h
++++ b/arch/x86/kvm/svm/svm.h
+@@ -558,17 +558,6 @@ extern struct kvm_x86_nested_ops svm_nes
+
+ /* avic.c */
+
+-#define AVIC_LOGICAL_ID_ENTRY_GUEST_PHYSICAL_ID_MASK (0xFF)
+-#define AVIC_LOGICAL_ID_ENTRY_VALID_BIT 31
+-#define AVIC_LOGICAL_ID_ENTRY_VALID_MASK (1 << 31)
+-
+-#define AVIC_PHYSICAL_ID_ENTRY_HOST_PHYSICAL_ID_MASK GENMASK_ULL(11, 0)
+-#define AVIC_PHYSICAL_ID_ENTRY_BACKING_PAGE_MASK (0xFFFFFFFFFFULL << 12)
+-#define AVIC_PHYSICAL_ID_ENTRY_IS_RUNNING_MASK (1ULL << 62)
+-#define AVIC_PHYSICAL_ID_ENTRY_VALID_MASK (1ULL << 63)
+-
+-#define VMCB_AVIC_APIC_BAR_MASK 0xFFFFFFFFFF000ULL
+-
+ int avic_ga_log_notifier(u32 ga_tag);
+ void avic_vm_destroy(struct kvm *kvm);
+ int avic_vm_init(struct kvm *kvm);
diff --git a/queue-5.17/reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch b/queue-5.17/reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch
new file mode 100644
index 00000000000..76794b48f64
--- /dev/null
+++ b/queue-5.17/reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch
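Review bot: `AVIC_LOGICAL_ID_ENTRY_VALID_MASK` is left as `(1 << 31)` in the first asm/svm.h hunk while the masks around it are widened to `ULL`; shifting a signed int into bit 31 produces a negative value that sign-extends into the upper 32 bits if it is ever combined with a 64-bit operand. Since the definition now sits in a shared header, I would make it unsigned in the same patch: `#define AVIC_LOGICAL_ID_ENTRY_VALID_MASK (1U << 31)`. The users of the macro are outside this diff, so whether any of them applies it to a u64 today is not visible here.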
@@ -0,0 +1,91 @@ +From 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 28 Mar 2022 11:37:05 -0700 +Subject: Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE"" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +commit 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544 upstream. + +Halil Pasic points out [1] that the full revert of that commit (revert +in bddac7c1e02b), and that a partial revert that only reverts the +problematic case, but still keeps some of the cleanups is probably +better.  + +And that partial revert [2] had already been verified by Oleksandr +Natalenko to also fix the issue, I had just missed that in the long +discussion. + +So let's reinstate the cleanups from commit aa6f8dcbab47 ("swiotlb: +rework "fix info leak with DMA_FROM_DEVICE""), and effectively only +revert the part that caused problems. + +Link: https://lore.kernel.org/all/20220328013731.017ae3e3.pasic@linux.ibm.com/ [1] +Link: https://lore.kernel.org/all/20220324055732.GB12078@lst.de/ [2] +Link: https://lore.kernel.org/all/4386660.LvFx2qVVIh@natalenko.name/ [3] +Suggested-by: Halil Pasic +Tested-by: Oleksandr Natalenko +Cc: Christoph Hellwig" +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/core-api/dma-attributes.rst | 8 -------- + include/linux/dma-mapping.h | 8 -------- + kernel/dma/swiotlb.c | 12 ++++++++---- + 3 files changed, 8 insertions(+), 20 deletions(-) + +--- a/Documentation/core-api/dma-attributes.rst ++++ b/Documentation/core-api/dma-attributes.rst +@@ -130,11 +130,3 @@ accesses to DMA buffers in both privileg + subsystem that the buffer is fully accessible at the elevated privilege + level (and ideally inaccessible or at least read-only at the + lesser-privileged levels). 
+-
+-DMA_ATTR_OVERWRITE
+-------------------
+-
+-This is a hint to the DMA-mapping subsystem that the device is expected to
+-overwrite the entire mapped size, thus the caller does not require any of the
+-previous buffer contents to be preserved. This allows bounce-buffering
+-implementations to optimise DMA_FROM_DEVICE transfers.
+--- a/include/linux/dma-mapping.h
++++ b/include/linux/dma-mapping.h
+@@ -62,14 +62,6 @@
+ #define DMA_ATTR_PRIVILEGED (1UL << 9)
+
+ /*
+- * This is a hint to the DMA-mapping subsystem that the device is expected
+- * to overwrite the entire mapped size, thus the caller does not require any
+- * of the previous buffer contents to be preserved. This allows
+- * bounce-buffering implementations to optimise DMA_FROM_DEVICE transfers.
+- */
+-#define DMA_ATTR_OVERWRITE (1UL << 10)
+-
+-/*
+ * A dma_addr_t can hold any valid DMA or bus address for the platform. It can
+ * be given to a device to use as a DMA source or target. It is specific to a
+ * given device and there may be a translation between the CPU physical address
+--- a/kernel/dma/swiotlb.c
++++ b/kernel/dma/swiotlb.c
+@@ -627,10 +627,14 @@ phys_addr_t swiotlb_tbl_map_single(struc
+ for (i = 0; i < nr_slots(alloc_size + offset); i++)
+ mem->slots[index + i].orig_addr = slot_addr(orig_addr, i);
+ tlb_addr = slot_addr(mem->start, index) + offset;
+- if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
+- (!(attrs & DMA_ATTR_OVERWRITE) || dir == DMA_TO_DEVICE ||
+- dir == DMA_BIDIRECTIONAL))
+- swiotlb_bounce(dev, tlb_addr, mapping_size, DMA_TO_DEVICE);
++ /*
++ * When dir == DMA_FROM_DEVICE we could omit the copy from the orig
++ * to the tlb buffer, if we knew for sure the device will
++ * overwirte the entire current content. But we don't. Thus
++ * unconditional bounce may prevent leaking swiotlb content (i.e.
++ * kernel memory) to user-space.
++ */
++ swiotlb_bounce(dev, tlb_addr, mapping_size, DMA_TO_DEVICE);
+ return tlb_addr;
+ }
+
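Review bot: The new comment in swiotlb_tbl_map_single() justifies the unconditional copy only for DMA_FROM_DEVICE, but the removed condition also tested `!(attrs & DMA_ATTR_SKIP_CPU_SYNC)`, so after this hunk mappings made with that attribute are bounced as well and nothing documents it. If that is intentional, I would add one line to the comment, e.g. `* DMA_ATTR_SKIP_CPU_SYNC is deliberately not honoured here for the same reason.`, and fix the typo `overwirte` to `overwrite` while touching it. The function body starts outside the hunk, so whether `attrs` is still used elsewhere in it cannot be seen from here.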
diff --git a/queue-5.17/scsi-qla2xxx-add-qla2x00_async_done-for-async-routines.patch b/queue-5.17/scsi-qla2xxx-add-qla2x00_async_done-for-async-routines.patch
new file mode 100644
index 00000000000..f48a239d67a
--- /dev/null
+++ b/queue-5.17/scsi-qla2xxx-add-qla2x00_async_done-for-async-routines.patch
@@ -0,0 +1,60 @@
+From 49b729f58e7a98a006a8a0c1dcca8a1a4f58d2a8 Mon Sep 17 00:00:00 2001
+From: Saurav Kashyap
+Date: Tue, 8 Feb 2022 01:39:46 -0800
+Subject: scsi: qla2xxx: Add qla2x00_async_done() for async routines
+
+From: Saurav Kashyap
+
+commit 49b729f58e7a98a006a8a0c1dcca8a1a4f58d2a8 upstream.
+
+This done routine will delete the timer and check for its return value and
+decrease the reference count accordingly. This prevents boot hangs reported
+after commit 31e6cdbe0eae ("scsi: qla2xxx: Implement ref count for SRB")
+was merged.
+
+Link: https://lore.kernel.org/r/20220208093946.4471-1-njavali@marvell.com
+Fixes: 31e6cdbe0eae ("scsi: qla2xxx: Implement ref count for SRB")
+Reported-by: Ewan Milne
+Tested-by: Ewan D. Milne
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Saurav Kashyap
+Signed-off-by: Nilesh Javali
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -2560,6 +2560,20 @@ qla24xx_tm_iocb(srb_t *sp, struct tsk_mg
+ }
+ }
+
++static void
++qla2x00_async_done(struct srb *sp, int res)
++{
++ if (del_timer(&sp->u.iocb_cmd.timer)) {
++ /*
++ * Successfully cancelled the timeout handler
++ * ref: TMR
++ */
++ if (kref_put(&sp->cmd_kref, qla2x00_sp_release))
++ return;
++ }
++ sp->async_done(sp, res);
++}
++
+ void
+ qla2x00_sp_release(struct kref *kref)
+ {
+@@ -2573,7 +2587,8 @@ qla2x00_init_async_sp(srb_t *sp, unsigne
+ void (*done)(struct srb *sp, int res))
+ {
+ timer_setup(&sp->u.iocb_cmd.timer, qla2x00_sp_timeout, 0);
+- sp->done = done;
++ sp->done = qla2x00_async_done;
++ sp->async_done = done;
+ sp->free = qla2x00_sp_free;
+ sp->u.iocb_cmd.timeout = qla2x00_async_iocb_timeout;
+ sp->u.iocb_cmd.timer.expires = jiffies + tmo * HZ;
diff --git a/queue-5.17/series b/queue-5.17/series
index 7918940bbc8..1351973f00d 100644
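Review bot: In qla2x00_async_done(), a zero return from `del_timer()` covers both a timer that has already expired and a timeout handler that is executing right now, and in either case `sp->async_done(sp, res)` runs with nothing in the hunk that orders it against qla2x00_sp_timeout(). The function should say what guarantees the handler is not touching `sp` concurrently on that path, or why `del_timer_sync()` is not needed or not usable in this context; the serialisation, if any, is outside the hunk. I would also spell out the early return, e.g. `/* kref_put() returned 1: the srb was released, so async_done must not be called on it */`, because the existing `ref: TMR` remark does not tell a reader that the completion callback is skipped there.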
--- a/queue-5.17/series
+++ b/queue-5.17/series
@@ -1065,3 +1065,13 @@ can-isotp-restore-accidentally-removed-msg_peek-feat.patch
 proc-bootconfig-add-null-pointer-check.patch
 x86-fpu-xstate-fix-the-arch_req_xcomp_perm-implementation.patch
 x86-sev-unroll-string-mmio-with-cc_attr_guest_unroll_string_io.patch
+drm-connector-fix-typo-in-documentation.patch
+scsi-qla2xxx-add-qla2x00_async_done-for-async-routines.patch
+staging-mt7621-dts-fix-pinctrl-0-items-to-be-size-1-items-on-ethernet.patch
+docs-fix-make-htmldocs-warning-in-sctp.rst.patch
+arm64-mm-drop-const-from-conditional-arm64_dma_phys_limit-definition.patch
+asoc-soc-compress-change-the-check-for-codec_dai.patch
+kvm-x86-svm-fix-avic-spec-based-definitions-again.patch
+ax25-fix-uaf-bug-in-ax25_send_control.patch
+reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch
+tracing-have-type-enum-modifications-copy-the-strings.patch
diff --git a/queue-5.17/staging-mt7621-dts-fix-pinctrl-0-items-to-be-size-1-items-on-ethernet.patch b/queue-5.17/staging-mt7621-dts-fix-pinctrl-0-items-to-be-size-1-items-on-ethernet.patch
new file mode 100644
index 00000000000..9bf5cdc28c9
--- /dev/null
+++ b/queue-5.17/staging-mt7621-dts-fix-pinctrl-0-items-to-be-size-1-items-on-ethernet.patch
@@ -0,0 +1,36 @@
+From 25e4f5220efead592c83200241e098e757d37e1f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ar=C4=B1n=C3=A7=20=C3=9CNAL?=
+Date: Tue, 15 Feb 2022 11:17:24 +0300
+Subject: staging: mt7621-dts: fix pinctrl-0 items to be size-1 items on ethernet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL
+
+commit 25e4f5220efead592c83200241e098e757d37e1f upstream.
+
+Fix pinctrl-0 items under the ethernet node to be size-1 items.
+Current notation would be used on specifications with non-zero cells.
+
+Fixes: 0a93c0d75809 ("staging: mt7621-dts: fix pinctrl properties for ethernet")
+Reported-by: Sander Vanheule
+Signed-off-by: Arınç ÜNAL
+Link: https://lore.kernel.org/r/20220215081725.3463-1-arinc.unal@arinc9.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/mt7621-dts/mt7621.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/mt7621-dts/mt7621.dtsi
++++ b/drivers/staging/mt7621-dts/mt7621.dtsi
+@@ -326,7 +326,7 @@
+ mediatek,ethsys = <&sysc>;
+
+ pinctrl-names = "default";
+- pinctrl-0 = <&rgmii1_pins &rgmii2_pins &mdio_pins>;
++ pinctrl-0 = <&mdio_pins>, <&rgmii1_pins>, <&rgmii2_pins>;
+
+ gmac0: mac@0 {
+ compatible = "mediatek,eth-mac";
diff --git a/queue-5.17/tracing-have-type-enum-modifications-copy-the-strings.patch b/queue-5.17/tracing-have-type-enum-modifications-copy-the-strings.patch
new file mode 100644
index 00000000000..96b917e9286
--- /dev/null
+++ b/queue-5.17/tracing-have-type-enum-modifications-copy-the-strings.patch
@@ -0,0 +1,156 @@ +From 795301d3c28996219d555023ac6863401b6076bc Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Google)" +Date: Fri, 18 Mar 2022 15:34:32 -0400 +Subject: tracing: Have type enum modifications copy the strings + +From: Steven Rostedt (Google) + +commit 795301d3c28996219d555023ac6863401b6076bc upstream. + +When an enum is used in the visible parts of a trace event that is +exported to user space, the user space applications like perf and +trace-cmd do not have a way to know what the value of the enum is. To +solve this, at boot up (or module load) the printk formats are modified to +replace the enum with their numeric value in the string output. + +Array fields of the event are defined by [] in the type +portion of the format file so that the user space parsers can correctly +parse the array into the appropriate size chunks. But in some trace +events, an enum is used in defining the size of the array, which once +again breaks the parsing of user space tooling. + +This was solved the same way as the print formats were, but it modified +the type strings of the trace event. This caused crashes in some +architectures because, as supposed to the print string, is a const string +value. This was not detected on x86, as it appears that const strings are +still writable (at least in boot up), but other architectures this is not +the case, and writing to a const string will cause a kernel fault. + +To fix this, use kstrdup() to copy the type before modifying it. If the +trace event is for the core kernel there's no need to free it because the +string will be in use for the life of the machine being on line. For +modules, create a link list to store all the strings being allocated for +modules and when the module is removed, free them. 
+ +Link: https://lore.kernel.org/all/yt9dr1706b4i.fsf@linux.ibm.com/ +Link: https://lkml.kernel.org/r/20220318153432.3984b871@gandalf.local.home + +Tested-by: Marc Zyngier +Tested-by: Sven Schnelle +Reported-by: Sven Schnelle +Fixes: b3bc8547d3be ("tracing: Have TRACE_DEFINE_ENUM affect trace event types as well") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events.c | 62 +++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 61 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -40,6 +40,14 @@ static LIST_HEAD(ftrace_generic_fields); + static LIST_HEAD(ftrace_common_fields); + static bool eventdir_initialized; + ++static LIST_HEAD(module_strings); ++ ++struct module_string { ++ struct list_head next; ++ struct module *module; ++ char *str; ++}; ++ + #define GFP_TRACE (GFP_KERNEL | __GFP_ZERO) + + static struct kmem_cache *field_cachep; +@@ -2637,14 +2645,40 @@ static void update_event_printk(struct t + } + } + ++static void add_str_to_module(struct module *module, char *str) ++{ ++ struct module_string *modstr; ++ ++ modstr = kmalloc(sizeof(*modstr), GFP_KERNEL); ++ ++ /* ++ * If we failed to allocate memory here, then we'll just ++ * let the str memory leak when the module is removed. ++ * If this fails to allocate, there's worse problems than ++ * a leaked string on module removal. 
++ */
++ if (WARN_ON_ONCE(!modstr))
++ return;
++
++ modstr->module = module;
++ modstr->str = str;
++
++ list_add(&modstr->next, &module_strings);
++}
++
+ static void update_event_fields(struct trace_event_call *call,
+ struct trace_eval_map *map)
+ {
+ struct ftrace_event_field *field;
+ struct list_head *head;
+ char *ptr;
++ char *str;
+ int len = strlen(map->eval_string);
+
++ /* Dynamic events should never have field maps */
++ if (WARN_ON_ONCE(call->flags & TRACE_EVENT_FL_DYNAMIC))
++ return;
++
+ head = trace_get_fields(call);
+ list_for_each_entry(field, head, link) {
+ ptr = strchr(field->type, '[');
+@@ -2658,9 +2692,26 @@ static void update_event_fields(struct t
+ if (strncmp(map->eval_string, ptr, len) != 0)
+ continue;
+
++ str = kstrdup(field->type, GFP_KERNEL);
++ if (WARN_ON_ONCE(!str))
++ return;
++ ptr = str + (ptr - field->type);
+ ptr = eval_replace(ptr, map, len);
+ /* enum/sizeof string smaller than value */
+- WARN_ON_ONCE(!ptr);
++ if (WARN_ON_ONCE(!ptr)) {
++ kfree(str);
++ continue;
++ }
++
++ /*
++ * If the event is part of a module, then we need to free the string
++ * when the module is removed. Otherwise, it will stay allocated
++ * until a reboot.
++ */
++ if (call->module)
++ add_str_to_module(call->module, str);
++
++ field->type = str;
+ }
+ }
+
+@@ -2885,6 +2936,7 @@ static void trace_module_add_events(stru
+ static void trace_module_remove_events(struct module *mod)
+ {
+ struct trace_event_call *call, *p;
++ struct module_string *modstr, *m;
+
+ down_write(&trace_event_sem);
+ list_for_each_entry_safe(call, p, &ftrace_events, list) {
+@@ -2893,6 +2945,14 @@ static void trace_module_remove_events(s
+ if (call->module == mod)
+ __trace_remove_event_call(call);
+ }
++ /* Check for any strings allocade for this module */
++ list_for_each_entry_safe(modstr, m, &module_strings, next) {
++ if (modstr->module != mod)
++ continue;
++ list_del(&modstr->next);
++ kfree(modstr->str);
++ kfree(modstr);
++ }
+ up_write(&trace_event_sem);
+
+ /*
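Review bot: add_str_to_module() does `list_add(&modstr->next, &module_strings)` without taking any lock itself, while trace_module_remove_events() walks and deletes from the same list under `down_write(&trace_event_sem)`. The callers of update_event_fields() are outside this diff, so presumably they already hold that semaphore; I would make the requirement explicit with `lockdep_assert_held_write(&trace_event_sem);` at the top of add_str_to_module(). Separately, a failed `kstrdup()` in update_event_fields() returns and skips every remaining field, whereas a failed `eval_replace()` only skips the current one with `continue`; a short comment on the `return` stating that this is intended would settle the question. update_event_fields() spans two inner hunks and part of its loop body is not shown.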