From: Greg Kroah-Hartman Date: Tue, 11 Feb 2025 10:07:00 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v6.6.78~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d10b75fcb47d2bfe025562c4b51b11d03720ada6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: crypto-qce-fix-goto-jump-in-error-path.patch crypto-qce-unregister-previously-registered-algos-in-error-path.patch misc-fastrpc-fix-registered-buffer-page-address.patch mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch nvmem-core-improve-range-check-for-nvmem_cell_write.patch ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch ocfs2-handle-a-symlink-read-error-correctly.patch ptp-ensure-info-enable-callback-is-always-set.patch vfio-platform-check-the-bounds-of-read-write-syscalls.patch
---
diff --git a/queue-5.4/crypto-qce-fix-goto-jump-in-error-path.patch b/queue-5.4/crypto-qce-fix-goto-jump-in-error-path.patch
new file mode 100644
index 0000000000..9945f10df0
--- /dev/null
+++ b/queue-5.4/crypto-qce-fix-goto-jump-in-error-path.patch
@@ -0,0 +1,33 @@
+From 5278275c1758a38199b43530adfc50098f4b41c7 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Tue, 3 Dec 2024 10:19:29 +0100
+Subject: crypto: qce - fix goto jump in error path
+
+From: Bartosz Golaszewski
+
+commit 5278275c1758a38199b43530adfc50098f4b41c7 upstream.
+
+If qce_check_version() fails, we should jump to err_dma as we already
+called qce_dma_request() a couple lines before.
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski
+Reviewed-by: Neil Armstrong
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/qce/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -214,7 +214,7 @@ static int qce_crypto_probe(struct platf
+
+ ret = qce_check_version(qce);
+ if (ret)
+- goto err_clks;
++ goto err_dma;
+
+ spin_lock_init(&qce->lock);
+ tasklet_init(&qce->done_tasklet, qce_tasklet_req_done,
diff --git a/queue-5.4/crypto-qce-unregister-previously-registered-algos-in-error-path.patch b/queue-5.4/crypto-qce-unregister-previously-registered-algos-in-error-path.patch
new file mode 100644
index 0000000000..b40d8a020b
--- /dev/null
+++ b/queue-5.4/crypto-qce-unregister-previously-registered-algos-in-error-path.patch
@@ -0,0 +1,52 @@
+From e80cf84b608725303113d6fe98bb727bf7b7a40d Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Tue, 3 Dec 2024 10:19:30 +0100
+Subject: crypto: qce - unregister previously registered algos in error path
+
+From: Bartosz Golaszewski
+
+commit e80cf84b608725303113d6fe98bb727bf7b7a40d upstream.
+
+If we encounter an error when registering alorithms with the crypto
+framework, we just bail out and don't unregister the ones we
+successfully registered in prior iterations of the loop.
+
+Add code that goes back over the algos and unregisters them before
+returning an error from qce_register_algs().
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski
+Reviewed-by: Neil Armstrong
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/qce/core.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -40,16 +40,19 @@ static void qce_unregister_algs(struct q
+ static int qce_register_algs(struct qce_device *qce)
+ {
+ const struct qce_algo_ops *ops;
+- int i, ret = -ENODEV;
++ int i, j, ret = -ENODEV;
+
+ for (i = 0; i < ARRAY_SIZE(qce_ops); i++) {
+ ops = qce_ops[i];
+ ret = ops->register_algs(qce);
+- if (ret)
+- break;
++ if (ret) {
++ for (j = i - 1; j >= 0; j--)
++ ops->unregister_algs(qce);
++ return ret;
++ }
+ }
+
+- return ret;
++ return 0;
+ }
+
+ static int qce_handle_request(struct crypto_async_request *async_req)
diff --git a/queue-5.4/misc-fastrpc-fix-registered-buffer-page-address.patch b/queue-5.4/misc-fastrpc-fix-registered-buffer-page-address.patch
new file mode 100644
index 0000000000..303d2d2acc
--- /dev/null
+++ b/queue-5.4/misc-fastrpc-fix-registered-buffer-page-address.patch
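Review bot: The unwind loop added to qce_register_algs() never uses `j` to select an entry: `ops` still points at `qce_ops[i]`, the backend whose register_algs() just failed, so that backend's unregister_algs() runs `i` times while the backends registered in earlier iterations stay registered. The error path this patch sets out to fix therefore still leaves algorithms registered when qce_register_algs() returns an error. The inner statement should index the table, `qce_ops[j]->unregister_algs(qce);`. The queue file mirrors the upstream commit, so the correction would normally come as a follow-up patch rather than an edit here.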
@@ -0,0 +1,48 @@
+From 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta
+Date: Fri, 10 Jan 2025 13:42:38 +0000
+Subject: misc: fastrpc: Fix registered buffer page address
+
+From: Ekansh Gupta
+
+commit 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 upstream.
+
+For registered buffers, fastrpc driver sends the buffer information
+to remote subsystem. There is a problem with current implementation
+where the page address is being sent with an offset leading to
+improper buffer address on DSP. This is leads to functional failures
+as DSP expects base address in page information and extracts offset
+information from remote arguments. Mask the offset and pass the base
+page address to DSP.
+
+This issue is observed is a corner case when some buffer which is registered
+with fastrpc framework is passed with some offset by user and then the DSP
+implementation tried to read the data. As DSP expects base address and takes
+care of offsetting with remote arguments, passing an offsetted address will
+result in some unexpected data read in DSP.
+
+All generic usecases usually pass the buffer as it is hence is problem is
+not usually observed. If someone tries to pass offsetted buffer and then
+tries to compare data at HLOS and DSP end, then the ambiguity will be observed.
+
+Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
+Cc: stable@kernel.org
+Signed-off-by: Ekansh Gupta
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20250110134239.123603-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -801,7 +801,7 @@ static int fastrpc_get_args(u32 kernel,
+
+ vma = find_vma(current->mm, ctx->args[i].ptr);
+ if (vma)
+- pages[i].addr += ctx->args[i].ptr -
++ pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
+ vma->vm_start;
+
+ pg_start = (ctx->args[i].ptr & PAGE_MASK) >> PAGE_SHIFT;
diff --git a/queue-5.4/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch b/queue-5.4/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
new file mode 100644
index 0000000000..0dcd22a1b2
--- /dev/null
+++ b/queue-5.4/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
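Review bot: The rewritten subtraction `(ctx->args[i].ptr & PAGE_MASK) - vma->vm_start` is guarded only by `if (vma)`, but find_vma() returns the first VMA that ends above the address, which need not contain it. When the user-supplied `ptr` falls in a gap below that VMA, `vm_start` is larger than the masked pointer and the unsigned difference wraps, so the `pages[i].addr` value passed on to the DSP is wrong by a large amount. Unless the pointer is validated earlier in fastrpc_get_args() (the function starts outside this hunk), the guard should be `if (vma && vma->vm_start <= ctx->args[i].ptr)`.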
@@ -0,0 +1,36 @@
+From 70a71f8151b9879b0950668ce3ad76263261fee0 Mon Sep 17 00:00:00 2001
+From: Ivan Stepchenko
+Date: Thu, 14 Nov 2024 16:29:51 +0300
+Subject: mtd: onenand: Fix uninitialized retlen in do_otp_read()
+
+From: Ivan Stepchenko
+
+commit 70a71f8151b9879b0950668ce3ad76263261fee0 upstream.
+
+The function do_otp_read() does not set the output parameter *retlen,
+which is expected to contain the number of bytes actually read.
+As a result, in onenand_otp_walk(), the tmp_retlen variable remains
+uninitialized after calling do_otp_walk() and used to change
+the values of the buf, len and retlen variables.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 49dc08eeda70 ("[MTD] [OneNAND] fix numerous races")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Stepchenko
+Signed-off-by: Miquel Raynal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/onenand/onenand_base.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/onenand/onenand_base.c
++++ b/drivers/mtd/nand/onenand/onenand_base.c
+@@ -2921,6 +2921,7 @@ static int do_otp_read(struct mtd_info *
+ ret = ONENAND_IS_4KB_PAGE(this) ?
+ onenand_mlc_read_ops_nolock(mtd, from, &ops) :
+ onenand_read_ops_nolock(mtd, from, &ops);
++ *retlen = ops.retlen;
+
+ /* Exit OTP access mode */
+ this->command(mtd, ONENAND_CMD_RESET, 0, 0);
diff --git a/queue-5.4/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch b/queue-5.4/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
new file mode 100644
index 0000000000..cbf2bf3e2d
--- /dev/null
+++ b/queue-5.4/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
@@ -0,0 +1,64 @@
+From 6bb194d036c6e1b329dcdff459338cdd9a54802a Mon Sep 17 00:00:00 2001
+From: Paul Fertser
+Date: Thu, 16 Jan 2025 18:29:00 +0300
+Subject: net/ncsi: wait for the last response to Deselect Package before configuring channel
+
+From: Paul Fertser
+
+commit 6bb194d036c6e1b329dcdff459338cdd9a54802a upstream.
+
+The NCSI state machine as it's currently implemented assumes that
+transition to the next logical state is performed either explicitly by
+calling `schedule_work(&ndp->work)` to re-queue itself or implicitly
+after processing the predefined (ndp->pending_req_num) number of
+replies. Thus to avoid the configuration FSM from advancing prematurely
+and getting out of sync with the process it's essential to not skip
+waiting for a reply.
+
+This patch makes the code wait for reception of the Deselect Package
+response for the last package probed before proceeding to channel
+configuration.
+
+Thanks go to Potin Lai and Cosmo Chou for the initial investigation and
+testing.
+
+Fixes: 8e13f70be05e ("net/ncsi: Probe single packages to avoid conflict")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Fertser
+Link: https://patch.msgid.link/20250116152900.8656-1-fercerpav@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ncsi/ncsi-manage.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/ncsi/ncsi-manage.c
++++ b/net/ncsi/ncsi-manage.c
+@@ -1295,6 +1295,12 @@ static void ncsi_probe_channel(struct nc
+ nd->state = ncsi_dev_state_probe_package;
+ break;
+ case ncsi_dev_state_probe_package:
++ if (ndp->package_probe_id >= 8) {
++ /* Last package probed, finishing */
++ ndp->flags |= NCSI_DEV_PROBED;
++ break;
++ }
++
+ ndp->pending_req_num = 1;
+
+ nca.type = NCSI_PKT_CMD_SP;
+@@ -1373,13 +1379,8 @@ static void ncsi_probe_channel(struct nc
+ if (ret)
+ goto error;
+
+- /* Probe next package */
++ /* Probe next package after receiving response */
+ ndp->package_probe_id++;
+- if (ndp->package_probe_id >= 8) {
+- /* Probe finished */
+- ndp->flags |= NCSI_DEV_PROBED;
+- break;
+- }
+ nd->state = ncsi_dev_state_probe_package;
+ ndp->active_package = NULL;
+ break;
diff --git a/queue-5.4/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch b/queue-5.4/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
new file mode 100644
index 0000000000..2ea4a517d8
--- /dev/null
+++ b/queue-5.4/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
@@ -0,0 +1,36 @@
+From 110b43ef05342d5a11284cc8b21582b698b4ef1c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 17 Jan 2025 12:38:41 +0300
+Subject: NFC: nci: Add bounds checking in nci_hci_create_pipe()
+
+From: Dan Carpenter
+
+commit 110b43ef05342d5a11284cc8b21582b698b4ef1c upstream.
+
+The "pipe" variable is a u8 which comes from the network. If it's more
+than 127, then it results in memory corruption in the caller,
+nci_hci_connect_gate().
+
+Cc: stable@vger.kernel.org
+Fixes: a1b0b9415817 ("NFC: nci: Create pipe on specific gate in nci_hci_connect_gate")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Simon Horman
+Reviewed-by: Krzysztof Kozlowski
+Link: https://patch.msgid.link/bcf5453b-7204-4297-9c20-4d8c7dacf586@stanley.mountain
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/nci/hci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -548,6 +548,8 @@ static u8 nci_hci_create_pipe(struct nci
+
+ pr_debug("pipe created=%d\n", pipe);
+
++ if (pipe >= NCI_HCI_MAX_PIPES)
++ pipe = NCI_HCI_INVALID_PIPE;
+ return pipe;
+ }
+
diff --git a/queue-5.4/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch b/queue-5.4/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
new file mode 100644
index 0000000000..07acc2170a
--- /dev/null
+++ b/queue-5.4/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
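Review bot: The clamp to `NCI_HCI_INVALID_PIPE` protects memory only if the caller tests for that sentinel before using the returned value as an index, and the caller named in the commit message, nci_hci_connect_gate(), is outside this hunk. For a 5.4 backport it is worth confirming that the caller in this tree already rejects `NCI_HCI_INVALID_PIPE`. A short comment above the range test, such as `/* pipe is device-supplied; out-of-range values must not reach the caller */`, would record why the check is there.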
@@ -0,0 +1,58 @@
+From 6438ef381c183444f7f9d1de18f22661cba1e946 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich
+Date: Sat, 25 Jan 2025 07:20:53 +0900
+Subject: nilfs2: fix possible int overflows in nilfs_fiemap()
+
+From: Nikita Zhandarovich
+
+commit 6438ef381c183444f7f9d1de18f22661cba1e946 upstream.
+
+Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result
+by being prepared to go through potentially maxblocks == INT_MAX blocks,
+the value in n may experience an overflow caused by left shift of blkbits.
+
+While it is extremely unlikely to occur, play it safe and cast right hand
+expression to wider type to mitigate the issue.
+
+Found by Linux Verification Center (linuxtesting.org) with static analysis
+tool SVACE.
+
+Link: https://lkml.kernel.org/r/20250124222133.5323-1-konishi.ryusuke@gmail.com
+Fixes: 622daaff0a89 ("nilfs2: fiemap support")
+Signed-off-by: Nikita Zhandarovich
+Signed-off-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/inode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -1271,7 +1271,7 @@ int nilfs_fiemap(struct inode *inode, st
+ if (size) {
+ if (phys && blkphy << blkbits == phys + size) {
+ /* The current extent goes on */
+- size += n << blkbits;
++ size += (u64)n << blkbits;
+ } else {
+ /* Terminate the current extent */
+ ret = fiemap_fill_next_extent(
+@@ -1284,14 +1284,14 @@ int nilfs_fiemap(struct inode *inode, st
+ flags = FIEMAP_EXTENT_MERGED;
+ logical = blkoff << blkbits;
+ phys = blkphy << blkbits;
+- size = n << blkbits;
++ size = (u64)n << blkbits;
+ }
+ } else {
+ /* Start a new extent */
+ flags = FIEMAP_EXTENT_MERGED;
+ logical = blkoff << blkbits;
+ phys = blkphy << blkbits;
+- size = n << blkbits;
++ size = (u64)n << blkbits;
+ }
+ blkoff += n;
+ }
diff --git a/queue-5.4/nvmem-core-improve-range-check-for-nvmem_cell_write.patch b/queue-5.4/nvmem-core-improve-range-check-for-nvmem_cell_write.patch
new file mode 100644
index 0000000000..a1c8e952e3
--- /dev/null
+++ b/queue-5.4/nvmem-core-improve-range-check-for-nvmem_cell_write.patch
@@ -0,0 +1,47 @@
+From 31507fc2ad36e0071751a710449db19c85d82a7f Mon Sep 17 00:00:00 2001
+From: Jennifer Berringer
+Date: Mon, 30 Dec 2024 14:19:01 +0000
+Subject: nvmem: core: improve range check for nvmem_cell_write()
+
+From: Jennifer Berringer
+
+commit 31507fc2ad36e0071751a710449db19c85d82a7f upstream.
+
+When __nvmem_cell_entry_write() is called for an nvmem cell that does
+not need bit shifting, it requires that the len parameter exactly
+matches the nvmem cell size. However, when the nvmem cell has a nonzero
+bit_offset, it was skipping this check.
+
+Accepting values of len larger than the cell size results in
+nvmem_cell_prepare_write_buffer() trying to write past the end of a heap
+buffer that it allocates. Add a check to avoid that problem and instead
+return -EINVAL when len doesn't match the number of bits expected by the
+nvmem cell when bit_offset is nonzero.
+
+This check uses cell->nbits in order to allow providing the smaller size
+to cells that are shifted into another byte by bit_offset. For example,
+a cell with nbits=8 and nonzero bit_offset would have bytes=2 but should
+accept a 1-byte write here, although no current callers depend on this.
+
+Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jennifer Berringer
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20241230141901.263976-7-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -1083,6 +1083,8 @@ int nvmem_cell_write(struct nvmem_cell *
+ return -EINVAL;
+
+ if (cell->bit_offset || cell->nbits) {
++ if (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes)
++ return -EINVAL;
+ buf = nvmem_cell_prepare_write_buffer(cell, buf, len);
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
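Review bot: The added length test depends on `BITS_TO_BYTES()`, and nothing in this hunk shows that the 5.4 tree defines that macro; the backport should be build-checked against this branch, or the rounding spelled out as `DIV_ROUND_UP(cell->nbits, BITS_PER_BYTE)`. Separately, the branch is entered when `cell->bit_offset` is nonzero even if `cell->nbits` is 0, and in that case the first comparison accepts `len == 0`. Whether such a cell can be configured is not visible here, so a comment stating the expected relation between `nbits`, `bit_offset` and `bytes` at this check would help the next reader.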
diff --git a/queue-5.4/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch b/queue-5.4/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
new file mode 100644
index 0000000000..b87dfef405
--- /dev/null
+++ b/queue-5.4/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
@@ -0,0 +1,41 @@
+From f921da2c34692dfec5f72b5ae347b1bea22bb369 Mon Sep 17 00:00:00 2001
+From: Heming Zhao
+Date: Tue, 21 Jan 2025 19:22:03 +0800
+Subject: ocfs2: fix incorrect CPU endianness conversion causing mount failure
+
+From: Heming Zhao
+
+commit f921da2c34692dfec5f72b5ae347b1bea22bb369 upstream.
+
+Commit 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
+introduced a regression bug. The blksz_bits value is already converted to
+CPU endian in the previous code; therefore, the code shouldn't use
+le32_to_cpu() anymore.
+
+Link: https://lkml.kernel.org/r/20250121112204.12834-1-heming.zhao@suse.com
+Fixes: 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
+Signed-off-by: Heming Zhao
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -2350,7 +2350,7 @@ static int ocfs2_verify_volume(struct oc
+ mlog(ML_ERROR, "found superblock with incorrect block "
+ "size bits: found %u, should be 9, 10, 11, or 12\n",
+ blksz_bits);
+- } else if ((1 << le32_to_cpu(blksz_bits)) != blksz) {
++ } else if ((1 << blksz_bits) != blksz) {
+ mlog(ML_ERROR, "found superblock with incorrect block "
+ "size: found %u, should be %u\n", 1 << blksz_bits, blksz);
+ } else if (le16_to_cpu(di->id2.i_super.s_major_rev_level) !=
diff --git a/queue-5.4/ocfs2-handle-a-symlink-read-error-correctly.patch b/queue-5.4/ocfs2-handle-a-symlink-read-error-correctly.patch
new file mode 100644
index 0000000000..fbfc0c53e3
--- /dev/null
+++ b/queue-5.4/ocfs2-handle-a-symlink-read-error-correctly.patch
@@ -0,0 +1,65 @@
+From 2b4c2094da6d84e69b843dd3317902e977bf64bd Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)"
+Date: Thu, 5 Dec 2024 17:16:29 +0000
+Subject: ocfs2: handle a symlink read error correctly
+
+From: Matthew Wilcox (Oracle)
+
+commit 2b4c2094da6d84e69b843dd3317902e977bf64bd upstream.
+
+Patch series "Convert ocfs2 to use folios".
+
+Mark did a conversion of ocfs2 to use folios and sent it to me as a
+giant patch for review ;-)
+
+So I've redone it as individual patches, and credited Mark for the patches
+where his code is substantially the same. It's not a bad way to do it;
+his patch had some bugs and my patches had some bugs. Hopefully all our
+bugs were different from each other. And hopefully Mark likes all the
+changes I made to his code!
+
+
+This patch (of 23):
+
+If we can't read the buffer, be sure to unlock the page before returning.
+
+Link: https://lkml.kernel.org/r/20241205171653.3179945-1-willy@infradead.org
+Link: https://lkml.kernel.org/r/20241205171653.3179945-2-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle)
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc: Mark Tinguely
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/symlink.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/symlink.c
++++ b/fs/ocfs2/symlink.c
+@@ -66,7 +66,7 @@ static int ocfs2_fast_symlink_readpage(s
+
+ if (status < 0) {
+ mlog_errno(status);
+- return status;
++ goto out;
+ }
+
+ fe = (struct ocfs2_dinode *) bh->b_data;
+@@ -77,9 +77,10 @@ static int ocfs2_fast_symlink_readpage(s
+ memcpy(kaddr, link, len + 1);
+ kunmap_atomic(kaddr);
+ SetPageUptodate(page);
++out:
+ unlock_page(page);
+ brelse(bh);
+- return 0;
++ return status;
+ }
+
+ const struct address_space_operations ocfs2_fast_symlink_aops = {
diff --git a/queue-5.4/ptp-ensure-info-enable-callback-is-always-set.patch b/queue-5.4/ptp-ensure-info-enable-callback-is-always-set.patch
new file mode 100644
index 0000000000..b384b12b9b
--- /dev/null
+++ b/queue-5.4/ptp-ensure-info-enable-callback-is-always-set.patch
@@ -0,0 +1,54 @@
+From fd53aa40e65f518453115b6f56183b0c201db26b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Thu, 23 Jan 2025 08:22:40 +0100
+Subject: ptp: Ensure info->enable callback is always set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh
+
+commit fd53aa40e65f518453115b6f56183b0c201db26b upstream.
+
+The ioctl and sysfs handlers unconditionally call the ->enable callback.
+Not all drivers implement that callback, leading to NULL dereferences.
+Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c.
+
+Instead use a dummy callback if no better was specified by the driver.
+
+Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh
+Acked-by: Richard Cochran
+Reviewed-by: Michal Swiatkowski
+Link: https://patch.msgid.link/20250123-ptp-enable-v1-1-b015834d3a47@weissschuh.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ptp/ptp_clock.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -178,6 +178,11 @@ static void ptp_clock_release(struct dev
+ kfree(ptp);
+ }
+
++static int ptp_enable(struct ptp_clock_info *ptp, struct ptp_clock_request *request, int on)
++{
++ return -EOPNOTSUPP;
++}
++
+ static void ptp_aux_kworker(struct kthread_work *work)
+ {
+ struct ptp_clock *ptp = container_of(work, struct ptp_clock,
+@@ -223,6 +228,9 @@ struct ptp_clock *ptp_clock_register(str
+ mutex_init(&ptp->pincfg_mux);
+ init_waitqueue_head(&ptp->tsev_wq);
+
++ if (!ptp->info->enable)
++ ptp->info->enable = ptp_enable;
++
+ if (ptp->info->do_aux_work) {
+ kthread_init_delayed_work(&ptp->aux_work, ptp_aux_kworker);
+ ptp->kworker = kthread_create_worker(0, "ptp%d", ptp->index);
diff --git a/queue-5.4/series b/queue-5.4/series
index acfe76e6bd..9f94d6bf9a 100644
--- a/queue-5.4/series
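Review bot: Installing the fallback with `ptp->info->enable = ptp_enable;` writes into the `ptp_clock_info` structure reached through `ptp->info`, so ptp_clock_register() now modifies data that appears to belong to the registering driver. That side effect deserves a comment at the assignment, for example `/* drivers may leave ->enable unset; install a stub so ioctl/sysfs callers never see NULL */`, and `ptp_enable()` should carry a one-line comment saying it is the default that reports -EOPNOTSUPP. If any driver in this tree shares one info structure between clocks or keeps it in read-only data (not visible here), the write needs a second look. ptp_clock_register() starts and ends outside the hunk.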
+++ b/queue-5.4/series
@@ -140,3 +140,15 @@ soc-qcom-smem_state-fix-missing-of_node_put-in-error-path.patch
 media-ov5640-fix-get_light_freq-on-auto.patch
 media-uvcvideo-fix-event-flags-in-uvc_ctrl_send_events.patch
 media-uvcvideo-remove-redundant-null-assignment.patch
+crypto-qce-fix-goto-jump-in-error-path.patch
+crypto-qce-unregister-previously-registered-algos-in-error-path.patch
+nvmem-core-improve-range-check-for-nvmem_cell_write.patch
+vfio-platform-check-the-bounds-of-read-write-syscalls.patch
+ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
+ocfs2-handle-a-symlink-read-error-correctly.patch
+nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
+nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
+mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
+misc-fastrpc-fix-registered-buffer-page-address.patch
+net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
+ptp-ensure-info-enable-callback-is-always-set.patch
diff --git a/queue-5.4/vfio-platform-check-the-bounds-of-read-write-syscalls.patch b/queue-5.4/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
new file mode 100644
index 0000000000..c72b1b5e90
--- /dev/null
+++ b/queue-5.4/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
@@ -0,0 +1,54 @@
+From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Wed, 22 Jan 2025 10:38:30 -0700
+Subject: vfio/platform: check the bounds of read/write syscalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Williamson
+
+commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.
+
+count and offset are passed from user space and not checked, only
+offset is capped to 40 bits, which can be used to read/write out of
+bounds of the device.
+
+Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
+Cc: stable@vger.kernel.org
+Reported-by: Mostafa Saleh
+Reviewed-by: Eric Auger
+Reviewed-by: Mostafa Saleh
+Tested-by: Mostafa Saleh
+Signed-off-by: Alex Williamson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -410,6 +410,11 @@ static ssize_t vfio_platform_read_mmio(s
+
+ count = min_t(size_t, count, reg->size - off);
+
++ if (off >= reg->size)
++ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
+ if (!reg->ioaddr) {
+ reg->ioaddr =
+ ioremap_nocache(reg->addr, reg->size);
+@@ -489,6 +494,11 @@ static ssize_t vfio_platform_write_mmio(
+
+ if (off >= reg->size)
+ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
++ if (off >= reg->size)
++ return -EINVAL;
+
+ count = min_t(size_t, count, reg->size - off);
+
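Review bot: Both inner hunks add lines that their own context already contains: in vfio_platform_read_mmio() the clamp `count = min_t(size_t, count, reg->size - off);` sits directly above the added check and clamp, and in vfio_platform_write_mmio() the added block is bracketed by an identical `if (off >= reg->size) return -EINVAL;` above and an identical clamp below. That pattern suggests the bounds check is already present in the 5.4 tree and this queue entry applies it a second time. The duplicate looks harmless at runtime, but the entry should be compared against the target tree and dropped if the fix is already there. The lines above the read hunk are not visible, so whether the first clamp there is preceded by the offset check cannot be confirmed from this page.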