From: Greg Kroah-Hartman Date: Sun, 11 Dec 2022 09:57:46 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.9.336~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d491e8df237c04ddf971f9827cd9031994ec3c9b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: bluetooth-btusb-add-debug-message-for-csr-controllers.patch bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch drm-shmem-helper-avoid-vm_open-error-paths.patch drm-shmem-helper-remove-errant-put-in-error-path.patch drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch hid-hid-lg4ff-add-check-for-empty-lbuf.patch hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch hid-usbhid-add-always_poll-quirk-for-some-mice.patch kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch mm-gup-fix-gup_pud_range-for-dax.patch net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch net-mana-fix-race-on-per-cq-variable-napi-work_done.patch revert-arm-dts-imx7-fix-nand-controller-size-cells.patch --- diff --git a/queue-5.15/bluetooth-btusb-add-debug-message-for-csr-controllers.patch b/queue-5.15/bluetooth-btusb-add-debug-message-for-csr-controllers.patch new file mode 100644 index 00000000000..7d9bbb6e997 --- /dev/null +++ b/queue-5.15/bluetooth-btusb-add-debug-message-for-csr-controllers.patch @@ -0,0 +1,42 @@ +From 955aebd445e2b49622f2184b7abb82b05c060549 Mon Sep 17 00:00:00 2001 +From: Ismael Ferreras Morezuelas +Date: Sat, 29 Oct 2022 22:24:53 +0200 +Subject: Bluetooth: btusb: Add debug message for CSR controllers + +From: Ismael Ferreras Morezuelas + +commit 955aebd445e2b49622f2184b7abb82b05c060549 upstream. + +The rationale of showing this is that it's potentially critical +information to diagnose and find more CSR compatibility bugs in the +future and it will save a lot of headaches. + +Given that clones come from a wide array of vendors (some are actually +Barrot, some are something else) and these numbers are what let us find +differences between actual and fake ones, it will be immensely helpful +to scour the Internet looking for this pattern and building an actual +database to find correlations and improve the checks. + +Cc: stable@vger.kernel.org +Cc: Hans de Goede +Signed-off-by: Ismael Ferreras Morezuelas +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -1901,6 +1901,11 @@ static int btusb_setup_csr(struct hci_de + + rp = (struct hci_rp_read_local_version *)skb->data; + ++ bt_dev_info(hdev, "CSR: Setting up dongle with HCI ver=%u rev=%04x; LMP ver=%u subver=%04x; manufacturer=%u", ++ le16_to_cpu(rp->hci_ver), le16_to_cpu(rp->hci_rev), ++ le16_to_cpu(rp->lmp_ver), le16_to_cpu(rp->lmp_subver), ++ le16_to_cpu(rp->manufacturer)); ++ + /* Detect a wide host of Chinese controllers that aren't CSR. + * + * Known fake bcdDevices: 0x0100, 0x0134, 0x1915, 0x2520, 0x7558, 0x8891 diff --git a/queue-5.15/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch b/queue-5.15/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch new file mode 100644 index 00000000000..e15498d2bfd --- /dev/null +++ b/queue-5.15/bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch @@ -0,0 +1,82 @@ +From b5ca338751ad4783ec8d37b5d99c3e37b7813e59 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Tue, 29 Nov 2022 12:54:13 -0800 +Subject: Bluetooth: Fix crash when replugging CSR fake controllers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luiz Augusto von Dentz + +commit b5ca338751ad4783ec8d37b5d99c3e37b7813e59 upstream. + +It seems fake CSR 5.0 clones can cause the suspend notifier to be +registered twice causing the following kernel panic: + +[ 71.986122] Call Trace: +[ 71.986124] +[ 71.986125] blocking_notifier_chain_register+0x33/0x60 +[ 71.986130] hci_register_dev+0x316/0x3d0 [bluetooth 99b5497ea3d09708fa1366c1dc03288bf3cca8da] +[ 71.986154] btusb_probe+0x979/0xd85 [btusb e1e0605a4f4c01984a4b9c8ac58c3666ae287477] +[ 71.986159] ? __pm_runtime_set_status+0x1a9/0x300 +[ 71.986162] ? ktime_get_mono_fast_ns+0x3e/0x90 +[ 71.986167] usb_probe_interface+0xe3/0x2b0 +[ 71.986171] really_probe+0xdb/0x380 +[ 71.986174] ? pm_runtime_barrier+0x54/0x90 +[ 71.986177] __driver_probe_device+0x78/0x170 +[ 71.986180] driver_probe_device+0x1f/0x90 +[ 71.986183] __device_attach_driver+0x89/0x110 +[ 71.986186] ? driver_allows_async_probing+0x70/0x70 +[ 71.986189] bus_for_each_drv+0x8c/0xe0 +[ 71.986192] __device_attach+0xb2/0x1e0 +[ 71.986195] bus_probe_device+0x92/0xb0 +[ 71.986198] device_add+0x422/0x9a0 +[ 71.986201] ? sysfs_merge_group+0xd4/0x110 +[ 71.986205] usb_set_configuration+0x57a/0x820 +[ 71.986208] usb_generic_driver_probe+0x4f/0x70 +[ 71.986211] usb_probe_device+0x3a/0x110 +[ 71.986213] really_probe+0xdb/0x380 +[ 71.986216] ? pm_runtime_barrier+0x54/0x90 +[ 71.986219] __driver_probe_device+0x78/0x170 +[ 71.986221] driver_probe_device+0x1f/0x90 +[ 71.986224] __device_attach_driver+0x89/0x110 +[ 71.986227] ? driver_allows_async_probing+0x70/0x70 +[ 71.986230] bus_for_each_drv+0x8c/0xe0 +[ 71.986232] __device_attach+0xb2/0x1e0 +[ 71.986235] bus_probe_device+0x92/0xb0 +[ 71.986237] device_add+0x422/0x9a0 +[ 71.986239] ? _dev_info+0x7d/0x98 +[ 71.986242] ? blake2s_update+0x4c/0xc0 +[ 71.986246] usb_new_device.cold+0x148/0x36d +[ 71.986250] hub_event+0xa8a/0x1910 +[ 71.986255] process_one_work+0x1c4/0x380 +[ 71.986259] worker_thread+0x51/0x390 +[ 71.986262] ? rescuer_thread+0x3b0/0x3b0 +[ 71.986264] kthread+0xdb/0x110 +[ 71.986266] ? kthread_complete_and_exit+0x20/0x20 +[ 71.986268] ret_from_fork+0x1f/0x30 +[ 71.986273] +[ 71.986274] ---[ end trace 0000000000000000 ]--- +[ 71.986284] btusb: probe of 2-1.6:1.0 failed with error -17 + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216683 +Cc: stable@vger.kernel.org +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Leonardo Eugênio +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -3985,7 +3985,8 @@ int hci_register_dev(struct hci_dev *hde + hci_sock_dev_event(hdev, HCI_DEV_REG); + hci_dev_hold(hdev); + +- if (!test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) { ++ if (!hdev->suspend_notifier.notifier_call && ++ !test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) { + hdev->suspend_notifier.notifier_call = hci_suspend_notifier; + error = register_pm_notifier(&hdev->suspend_notifier); + if (error) diff --git a/queue-5.15/drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch b/queue-5.15/drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch new file mode 100644 index 00000000000..a64d908d829 --- /dev/null +++ b/queue-5.15/drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch @@ -0,0 +1,94 @@ +From bc21fe9a5844c5bc8f7ec319b11d2671a94eb867 Mon Sep 17 00:00:00 2001 +From: Prike Liang +Date: Thu, 1 Dec 2022 11:17:31 +0800 +Subject: drm/amdgpu/sdma_v4_0: turn off SDMA ring buffer in the s2idle suspend + +From: Prike Liang + +commit bc21fe9a5844c5bc8f7ec319b11d2671a94eb867 upstream. + +In the SDMA s0ix save process requires to turn off SDMA ring buffer for +avoiding the SDMA in-flight request, otherwise will suffer from SDMA page +fault which causes by page request from in-flight SDMA ring accessing at +SDMA restore phase. + +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2248 +Cc: stable@vger.kernel.org # 6.0,5.15+ +Fixes: f8f4e2a51834 ("drm/amdgpu: skipping SDMA hw_init and hw_fini for S0ix.") +Signed-off-by: Prike Liang +Reviewed-by: Alex Deucher +Tested-by: Mario Limonciello +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c +@@ -978,13 +978,13 @@ static void sdma_v4_0_ring_emit_fence(st + + + /** +- * sdma_v4_0_gfx_stop - stop the gfx async dma engines ++ * sdma_v4_0_gfx_enable - enable the gfx async dma engines + * + * @adev: amdgpu_device pointer +- * +- * Stop the gfx async dma ring buffers (VEGA10). ++ * @enable: enable SDMA RB/IB ++ * control the gfx async dma ring buffers (VEGA10). + */ +-static void sdma_v4_0_gfx_stop(struct amdgpu_device *adev) ++static void sdma_v4_0_gfx_enable(struct amdgpu_device *adev, bool enable) + { + struct amdgpu_ring *sdma[AMDGPU_MAX_SDMA_INSTANCES]; + u32 rb_cntl, ib_cntl; +@@ -999,10 +999,10 @@ static void sdma_v4_0_gfx_stop(struct am + } + + rb_cntl = RREG32_SDMA(i, mmSDMA0_GFX_RB_CNTL); +- rb_cntl = REG_SET_FIELD(rb_cntl, SDMA0_GFX_RB_CNTL, RB_ENABLE, 0); ++ rb_cntl = REG_SET_FIELD(rb_cntl, SDMA0_GFX_RB_CNTL, RB_ENABLE, enable ? 1 : 0); + WREG32_SDMA(i, mmSDMA0_GFX_RB_CNTL, rb_cntl); + ib_cntl = RREG32_SDMA(i, mmSDMA0_GFX_IB_CNTL); +- ib_cntl = REG_SET_FIELD(ib_cntl, SDMA0_GFX_IB_CNTL, IB_ENABLE, 0); ++ ib_cntl = REG_SET_FIELD(ib_cntl, SDMA0_GFX_IB_CNTL, IB_ENABLE, enable ? 1 : 0); + WREG32_SDMA(i, mmSDMA0_GFX_IB_CNTL, ib_cntl); + } + } +@@ -1129,7 +1129,7 @@ static void sdma_v4_0_enable(struct amdg + int i; + + if (!enable) { +- sdma_v4_0_gfx_stop(adev); ++ sdma_v4_0_gfx_enable(adev, enable); + sdma_v4_0_rlc_stop(adev); + if (adev->sdma.has_page_queue) + sdma_v4_0_page_stop(adev); +@@ -2063,8 +2063,10 @@ static int sdma_v4_0_suspend(void *handl + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + + /* SMU saves SDMA state for us */ +- if (adev->in_s0ix) ++ if (adev->in_s0ix) { ++ sdma_v4_0_gfx_enable(adev, false); + return 0; ++ } + + return sdma_v4_0_hw_fini(adev); + } +@@ -2074,8 +2076,12 @@ static int sdma_v4_0_resume(void *handle + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + + /* SMU restores SDMA state for us */ +- if (adev->in_s0ix) ++ if (adev->in_s0ix) { ++ sdma_v4_0_enable(adev, true); ++ sdma_v4_0_gfx_enable(adev, true); ++ amdgpu_ttm_set_buffer_funcs_status(adev, true); + return 0; ++ } + + return sdma_v4_0_hw_init(adev); + } diff --git a/queue-5.15/drm-shmem-helper-avoid-vm_open-error-paths.patch b/queue-5.15/drm-shmem-helper-avoid-vm_open-error-paths.patch new file mode 100644 index 00000000000..de28c3457c6 --- /dev/null +++ b/queue-5.15/drm-shmem-helper-avoid-vm_open-error-paths.patch @@ -0,0 +1,54 @@ +From 09bf649a74573cb596e211418a4f8008f265c5a9 Mon Sep 17 00:00:00 2001 +From: Rob Clark +Date: Wed, 30 Nov 2022 10:57:48 -0800 +Subject: drm/shmem-helper: Avoid vm_open error paths + +From: Rob Clark + +commit 09bf649a74573cb596e211418a4f8008f265c5a9 upstream. + +vm_open() is not allowed to fail. Fortunately we are guaranteed that +the pages are already pinned, thanks to the initial mmap which is now +being cloned into a forked process, and only need to increment the +refcnt. So just increment it directly. Previously if a signal was +delivered at the wrong time to the forking process, the +mutex_lock_interruptible() could fail resulting in the pages_use_count +not being incremented. + +Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects") +Cc: stable@vger.kernel.org +Signed-off-by: Rob Clark +Reviewed-by: Daniel Vetter +Signed-off-by: Javier Martinez Canillas +Link: https://patchwork.freedesktop.org/patch/msgid/20221130185748.357410-3-robdclark@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_shmem_helper.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_gem_shmem_helper.c ++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c +@@ -541,12 +541,20 @@ static void drm_gem_shmem_vm_open(struct + { + struct drm_gem_object *obj = vma->vm_private_data; + struct drm_gem_shmem_object *shmem = to_drm_gem_shmem_obj(obj); +- int ret; + + WARN_ON(shmem->base.import_attach); + +- ret = drm_gem_shmem_get_pages(shmem); +- WARN_ON_ONCE(ret != 0); ++ mutex_lock(&shmem->pages_lock); ++ ++ /* ++ * We should have already pinned the pages when the buffer was first ++ * mmap'd, vm_open() just grabs an additional reference for the new ++ * mm the vma is getting copied into (ie. on fork()). ++ */ ++ if (!WARN_ON_ONCE(!shmem->pages_use_count)) ++ shmem->pages_use_count++; ++ ++ mutex_unlock(&shmem->pages_lock); + + drm_gem_vm_open(vma); + } diff --git a/queue-5.15/drm-shmem-helper-remove-errant-put-in-error-path.patch b/queue-5.15/drm-shmem-helper-remove-errant-put-in-error-path.patch new file mode 100644 index 00000000000..5b5c180554f --- /dev/null +++ b/queue-5.15/drm-shmem-helper-remove-errant-put-in-error-path.patch @@ -0,0 +1,39 @@ +From 24013314be6ee4ee456114a671e9fa3461323de8 Mon Sep 17 00:00:00 2001 +From: Rob Clark +Date: Wed, 30 Nov 2022 10:57:47 -0800 +Subject: drm/shmem-helper: Remove errant put in error path + +From: Rob Clark + +commit 24013314be6ee4ee456114a671e9fa3461323de8 upstream. + +drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM +object getting prematurely freed leading to a later use-after-free. + +Link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d +Reported-by: syzbot+c8ae65286134dd1b800d@syzkaller.appspotmail.com +Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects") +Cc: stable@vger.kernel.org +Signed-off-by: Rob Clark +Reviewed-by: Daniel Vetter +Signed-off-by: Javier Martinez Canillas +Link: https://patchwork.freedesktop.org/patch/msgid/20221130185748.357410-2-robdclark@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_shmem_helper.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_gem_shmem_helper.c ++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c +@@ -591,10 +591,8 @@ int drm_gem_shmem_mmap(struct drm_gem_sh + } + + ret = drm_gem_shmem_get_pages(shmem); +- if (ret) { +- drm_gem_vm_close(vma); ++ if (ret) + return ret; +- } + + vma->vm_flags |= VM_MIXEDMAP | VM_DONTEXPAND; + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); diff --git a/queue-5.15/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch b/queue-5.15/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch new file mode 100644 index 00000000000..38652d96d36 --- /dev/null +++ b/queue-5.15/drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch @@ -0,0 +1,43 @@ +From 6e90293618ed476d6b11f82ce724efbb9e9a071b Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Thu, 1 Dec 2022 12:53:41 -0500 +Subject: drm/vmwgfx: Don't use screen objects when SEV is active + +From: Zack Rusin + +commit 6e90293618ed476d6b11f82ce724efbb9e9a071b upstream. + +When SEV is enabled gmr's and mob's are explicitly disabled because +the encrypted system memory can not be used by the hypervisor. + +The driver was disabling GMR's but the presentation code, which depends +on GMR's, wasn't honoring it which lead to black screen on hosts +with SEV enabled. + +Make sure screen objects presentation is not used when guest memory +regions have been disabled to fix presentation on SEV enabled hosts. + +Fixes: 3b0d6458c705 ("drm/vmwgfx: Refuse DMA operation when SEV encryption is active") +Cc: # v5.7+ +Signed-off-by: Zack Rusin +Reported-by: Nicholas Hunt +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20221201175341.491884-1-zack@kde.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c +@@ -953,6 +953,10 @@ int vmw_kms_sou_init_display(struct vmw_ + struct drm_device *dev = &dev_priv->drm; + int i, ret; + ++ /* Screen objects won't work if GMR's aren't available */ ++ if (!dev_priv->has_gmr) ++ return -ENOSYS; ++ + if (!(dev_priv->capabilities & SVGA_CAP_SCREEN_OBJECT_2)) { + return -ENOSYS; + } diff --git a/queue-5.15/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch b/queue-5.15/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch new file mode 100644 index 00000000000..9030ccff3f6 --- /dev/null +++ b/queue-5.15/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch @@ -0,0 +1,72 @@ +From ec61b41918587be530398b0d1c9a0d16619397e5 Mon Sep 17 00:00:00 2001 +From: ZhangPeng +Date: Wed, 16 Nov 2022 07:14:28 +0000 +Subject: HID: core: fix shift-out-of-bounds in hid_report_raw_event + +From: ZhangPeng + +commit ec61b41918587be530398b0d1c9a0d16619397e5 upstream. + +Syzbot reported shift-out-of-bounds in hid_report_raw_event. + +microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > +32! (swapper/0) +====================================================================== +UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20 +shift exponent 127 is too large for 32-bit type 'int' +CPU: 0 PID: 0 Comm: swapper/0 Not tainted +6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0 +Hardware name: Google Compute Engine/Google Compute Engine, BIOS +Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:151 [inline] + __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322 + snto32 drivers/hid/hid-core.c:1323 [inline] + hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline] + hid_process_report drivers/hid/hid-core.c:1665 [inline] + hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998 + hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066 + hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284 + __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671 + dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988 + call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474 + expire_timers kernel/time/timer.c:1519 [inline] + __run_timers+0x76a/0x980 kernel/time/timer.c:1790 + run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803 + __do_softirq+0x277/0x75b kernel/softirq.c:571 + __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650 + irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 + sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107 +====================================================================== + +If the size of the integer (unsigned n) is bigger than 32 in snto32(), +shift exponent will be too large for 32-bit type 'int', resulting in a +shift-out-of-bounds bug. +Fix this by adding a check on the size of the integer (unsigned n) in +snto32(). To add support for n greater than 32 bits, set n to 32, if n +is greater than 32. + +Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com +Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") +Signed-off-by: ZhangPeng +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1310,6 +1310,9 @@ static s32 snto32(__u32 value, unsigned + if (!value || !n) + return 0; + ++ if (n > 32) ++ n = 32; ++ + switch (n) { + case 8: return ((__s8)value); + case 16: return ((__s16)value); diff --git a/queue-5.15/hid-hid-lg4ff-add-check-for-empty-lbuf.patch b/queue-5.15/hid-hid-lg4ff-add-check-for-empty-lbuf.patch new file mode 100644 index 00000000000..837eea2a7f0 --- /dev/null +++ b/queue-5.15/hid-hid-lg4ff-add-check-for-empty-lbuf.patch @@ -0,0 +1,37 @@ +From d180b6496143cd360c5d5f58ae4b9a8229c1f344 Mon Sep 17 00:00:00 2001 +From: Anastasia Belova +Date: Fri, 11 Nov 2022 15:55:11 +0300 +Subject: HID: hid-lg4ff: Add check for empty lbuf + +From: Anastasia Belova + +commit d180b6496143cd360c5d5f58ae4b9a8229c1f344 upstream. + +If an empty buf is received, lbuf is also empty. So lbuf is +accessed by index -1. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: f31a2de3fe36 ("HID: hid-lg4ff: Allow switching of Logitech gaming wheels between compatibility modes") +Signed-off-by: Anastasia Belova +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-lg4ff.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/hid/hid-lg4ff.c ++++ b/drivers/hid/hid-lg4ff.c +@@ -872,6 +872,12 @@ static ssize_t lg4ff_alternate_modes_sto + return -ENOMEM; + + i = strlen(lbuf); ++ ++ if (i == 0) { ++ kfree(lbuf); ++ return -EINVAL; ++ } ++ + if (lbuf[i-1] == '\n') { + if (i == 1) { + kfree(lbuf); diff --git a/queue-5.15/hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch b/queue-5.15/hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch new file mode 100644 index 00000000000..a35f0a98726 --- /dev/null +++ b/queue-5.15/hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch @@ -0,0 +1,51 @@ +From 9ad6645a9dce4d0e42daca6ebf32a154401c59d3 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 8 Nov 2022 16:13:50 +0100 +Subject: HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10 + +From: Hans de Goede + +commit 9ad6645a9dce4d0e42daca6ebf32a154401c59d3 upstream. + +The Acer Aspire Switch V 10 (SW5-017)'s keyboard-dock uses the same +ITE controller setup as other Acer Switch 2-in-1's. + +This needs special handling for the wifi on/off toggle hotkey as well as +to properly report touchpad on/off keypresses. + +Add the USB-ids for the SW5-017's keyboard-dock with a quirk setting of +QUIRK_TOUCHPAD_ON_OFF_REPORT to fix both issues. + +Cc: Rudolf Polzer +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-ite.c | 5 +++++ + 2 files changed, 6 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -1184,6 +1184,7 @@ + #define USB_DEVICE_ID_SYNAPTICS_DELL_K15A 0x6e21 + #define USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1002 0x73f4 + #define USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1003 0x73f5 ++#define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_017 0x73f6 + #define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5 0x81a7 + + #define USB_VENDOR_ID_TEXAS_INSTRUMENTS 0x2047 +--- a/drivers/hid/hid-ite.c ++++ b/drivers/hid/hid-ite.c +@@ -121,6 +121,11 @@ static const struct hid_device_id ite_de + USB_VENDOR_ID_SYNAPTICS, + USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1003), + .driver_data = QUIRK_TOUCHPAD_ON_OFF_REPORT }, ++ /* ITE8910 USB kbd ctlr, with Synaptics touchpad connected to it. */ ++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, ++ USB_VENDOR_ID_SYNAPTICS, ++ USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_017), ++ .driver_data = QUIRK_TOUCHPAD_ON_OFF_REPORT }, + { } + }; + MODULE_DEVICE_TABLE(hid, ite_devices); diff --git a/queue-5.15/hid-usbhid-add-always_poll-quirk-for-some-mice.patch b/queue-5.15/hid-usbhid-add-always_poll-quirk-for-some-mice.patch new file mode 100644 index 00000000000..f19aa2d5f0d --- /dev/null +++ b/queue-5.15/hid-usbhid-add-always_poll-quirk-for-some-mice.patch @@ -0,0 +1,78 @@ +From f6d910a89a2391e5ce1f275d205023880a33d3f8 Mon Sep 17 00:00:00 2001 +From: Ankit Patel +Date: Tue, 22 Nov 2022 15:35:20 +0800 +Subject: HID: usbhid: Add ALWAYS_POLL quirk for some mice + +From: Ankit Patel + +commit f6d910a89a2391e5ce1f275d205023880a33d3f8 upstream. + +Some additional USB mouse devices are needing ALWAYS_POLL quirk without +which they disconnect and reconnect every 60s. + +Add below devices to the known quirk list. +CHERRY VID 0x046a, PID 0x000c +MICROSOFT VID 0x045e, PID 0x0783 +PRIMAX VID 0x0461, PID 0x4e2a + +Signed-off-by: Ankit Patel +Signed-off-by: Haotien Hsu +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 3 +++ + 2 files changed, 6 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -261,6 +261,7 @@ + #define USB_DEVICE_ID_CH_AXIS_295 0x001c + + #define USB_VENDOR_ID_CHERRY 0x046a ++#define USB_DEVICE_ID_CHERRY_MOUSE_000C 0x000c + #define USB_DEVICE_ID_CHERRY_CYMOTION 0x0023 + #define USB_DEVICE_ID_CHERRY_CYMOTION_SOLAR 0x0027 + +@@ -892,6 +893,7 @@ + #define USB_DEVICE_ID_MS_XBOX_ONE_S_CONTROLLER 0x02fd + #define USB_DEVICE_ID_MS_PIXART_MOUSE 0x00cb + #define USB_DEVICE_ID_8BITDO_SN30_PRO_PLUS 0x02e0 ++#define USB_DEVICE_ID_MS_MOUSE_0783 0x0783 + + #define USB_VENDOR_ID_MOJO 0x8282 + #define USB_DEVICE_ID_RETRO_ADAPTER 0x3201 +@@ -1338,6 +1340,7 @@ + + #define USB_VENDOR_ID_PRIMAX 0x0461 + #define USB_DEVICE_ID_PRIMAX_MOUSE_4D22 0x4d22 ++#define USB_DEVICE_ID_PRIMAX_MOUSE_4E2A 0x4e2a + #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05 + #define USB_DEVICE_ID_PRIMAX_REZEL 0x4e72 + #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F 0x4d0f +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -54,6 +54,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FLIGHT_SIM_YOKE), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_PEDALS), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_THROTTLE), HID_QUIRK_NOGET }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_CHERRY, USB_DEVICE_ID_CHERRY_MOUSE_000C), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB_RAPIDFIRE), HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K70RGB), HID_QUIRK_NO_INIT_REPORTS }, +@@ -122,6 +123,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C05A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C06A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_MCS, USB_DEVICE_ID_MCS_GAMEPADBLOCK), HID_QUIRK_MULTI_INPUT }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_MOUSE_0783), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_PIXART_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_SURFACE3_COVER), HID_QUIRK_NO_INIT_REPORTS }, +@@ -146,6 +148,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4E2A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL }, diff --git a/queue-5.15/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch b/queue-5.15/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch new file mode 100644 index 00000000000..43932572331 --- /dev/null +++ b/queue-5.15/kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch @@ -0,0 +1,48 @@ +From 0dd4cdccdab3d74bd86b868768a7dca216bcce7e Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Wed, 23 Nov 2022 10:08:33 +0100 +Subject: KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field + +From: Thomas Huth + +commit 0dd4cdccdab3d74bd86b868768a7dca216bcce7e upstream. + +We recently experienced some weird huge time jumps in nested guests when +rebooting them in certain cases. After adding some debug code to the epoch +handling in vsie.c (thanks to David Hildenbrand for the idea!), it was +obvious that the "epdx" field (the multi-epoch extension) did not get set +to 0xff in case the "epoch" field was negative. +Seems like the code misses to copy the value from the epdx field from +the guest to the shadow control block. By doing so, the weird time +jumps are gone in our scenarios. + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2140899 +Fixes: 8fa1696ea781 ("KVM: s390: Multiple Epoch Facility support") +Signed-off-by: Thomas Huth +Reviewed-by: Christian Borntraeger +Acked-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Reviewed-by: Janosch Frank +Cc: stable@vger.kernel.org # 4.19+ +Link: https://lore.kernel.org/r/20221123090833.292938-1-thuth@redhat.com +Message-Id: <20221123090833.292938-1-thuth@redhat.com> +Signed-off-by: Janosch Frank +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kvm/vsie.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/s390/kvm/vsie.c ++++ b/arch/s390/kvm/vsie.c +@@ -538,8 +538,10 @@ static int shadow_scb(struct kvm_vcpu *v + if (test_kvm_cpu_feat(vcpu->kvm, KVM_S390_VM_CPU_FEAT_CEI)) + scb_s->eca |= scb_o->eca & ECA_CEI; + /* Epoch Extension */ +- if (test_kvm_facility(vcpu->kvm, 139)) ++ if (test_kvm_facility(vcpu->kvm, 139)) { + scb_s->ecd |= scb_o->ecd & ECD_MEF; ++ scb_s->epdx = scb_o->epdx; ++ } + + /* etoken */ + if (test_kvm_facility(vcpu->kvm, 156)) diff --git a/queue-5.15/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch b/queue-5.15/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch new file mode 100644 index 00000000000..22f3b1c3246 --- /dev/null +++ b/queue-5.15/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch @@ -0,0 +1,70 @@ +From 5eef2141776da02772c44ec406d6871a790761ee Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Wed, 16 Nov 2022 15:07:22 +0000 +Subject: media: v4l2-dv-timings.c: fix too strict blanking sanity checks + +From: Hans Verkuil + +commit 5eef2141776da02772c44ec406d6871a790761ee upstream. + +Sanity checks were added to verify the v4l2_bt_timings blanking fields +in order to avoid integer overflows when userspace passes weird values. + +But that assumed that userspace would correctly fill in the front porch, +backporch and sync values, but sometimes all you know is the total +blanking, which is then assigned to just one of these fields. + +And that can fail with these checks. + +So instead set a maximum for the total horizontal and vertical +blanking and check that each field remains below that. + +That is still sufficient to avoid integer overflows, but it also +allows for more flexibility in how userspace fills in these fields. + +Signed-off-by: Hans Verkuil +Fixes: 4b6d66a45ed3 ("media: v4l2-dv-timings: add sanity checks for blanking values") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-dv-timings.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-dv-timings.c ++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c +@@ -145,6 +145,8 @@ bool v4l2_valid_dv_timings(const struct + const struct v4l2_bt_timings *bt = &t->bt; + const struct v4l2_bt_timings_cap *cap = &dvcap->bt; + u32 caps = cap->capabilities; ++ const u32 max_vert = 10240; ++ u32 max_hor = 3 * bt->width; + + if (t->type != V4L2_DV_BT_656_1120) + return false; +@@ -166,14 +168,20 @@ bool v4l2_valid_dv_timings(const struct + if (!bt->interlaced && + (bt->il_vbackporch || bt->il_vsync || bt->il_vfrontporch)) + return false; +- if (bt->hfrontporch > 2 * bt->width || +- bt->hsync > 1024 || bt->hbackporch > 1024) ++ /* ++ * Some video receivers cannot properly separate the frontporch, ++ * backporch and sync values, and instead they only have the total ++ * blanking. That can be assigned to any of these three fields. ++ * So just check that none of these are way out of range. ++ */ ++ if (bt->hfrontporch > max_hor || ++ bt->hsync > max_hor || bt->hbackporch > max_hor) + return false; +- if (bt->vfrontporch > 4096 || +- bt->vsync > 128 || bt->vbackporch > 4096) ++ if (bt->vfrontporch > max_vert || ++ bt->vsync > max_vert || bt->vbackporch > max_vert) + return false; +- if (bt->interlaced && (bt->il_vfrontporch > 4096 || +- bt->il_vsync > 128 || bt->il_vbackporch > 4096)) ++ if (bt->interlaced && (bt->il_vfrontporch > max_vert || ++ bt->il_vsync > max_vert || bt->il_vbackporch > max_vert)) + return false; + return fnc == NULL || fnc(t, fnc_handle); + } diff --git a/queue-5.15/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch b/queue-5.15/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch new file mode 100644 index 00000000000..0b6ce8cef44 --- /dev/null +++ b/queue-5.15/memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch @@ -0,0 +1,112 @@ +From 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 7 Dec 2022 16:53:15 -1000 +Subject: memcg: fix possible use-after-free in memcg_write_event_control() + +From: Tejun Heo + +commit 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 upstream. + +memcg_write_event_control() accesses the dentry->d_name of the specified +control fd to route the write call. As a cgroup interface file can't be +renamed, it's safe to access d_name as long as the specified file is a +regular cgroup file. Also, as these cgroup interface files can't be +removed before the directory, it's safe to access the parent too. + +Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a +call to __file_cft() which verified that the specified file is a regular +cgroupfs file before further accesses. The cftype pointer returned from +__file_cft() was no longer necessary and the commit inadvertently dropped +the file type check with it allowing any file to slip through. With the +invarients broken, the d_name and parent accesses can now race against +renames and removals of arbitrary files and cause use-after-free's. + +Fix the bug by resurrecting the file type check in __file_cft(). Now that +cgroupfs is implemented through kernfs, checking the file operations needs +to go through a layer of indirection. Instead, let's check the superblock +and dentry type. + +Link: https://lkml.kernel.org/r/Y5FRm/cfcKPGzWwl@slm.duckdns.org +Fixes: 347c4a874710 ("memcg: remove cgroup_event->cft") +Signed-off-by: Tejun Heo +Reported-by: Jann Horn +Acked-by: Roman Gushchin +Acked-by: Johannes Weiner +Cc: Linus Torvalds +Cc: Michal Hocko +Cc: Muchun Song +Cc: Shakeel Butt +Cc: [3.14+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/cgroup.h | 1 + + kernel/cgroup/cgroup-internal.h | 1 - + mm/memcontrol.c | 15 +++++++++++++-- + 3 files changed, 14 insertions(+), 3 deletions(-) + +--- a/include/linux/cgroup.h ++++ b/include/linux/cgroup.h +@@ -68,6 +68,7 @@ struct css_task_iter { + struct list_head iters_node; /* css_set->task_iters */ + }; + ++extern struct file_system_type cgroup_fs_type; + extern struct cgroup_root cgrp_dfl_root; + extern struct css_set init_css_set; + +--- a/kernel/cgroup/cgroup-internal.h ++++ b/kernel/cgroup/cgroup-internal.h +@@ -169,7 +169,6 @@ extern struct mutex cgroup_mutex; + extern spinlock_t css_set_lock; + extern struct cgroup_subsys *cgroup_subsys[]; + extern struct list_head cgroup_roots; +-extern struct file_system_type cgroup_fs_type; + + /* iterate across the hierarchies */ + #define for_each_root(root) \ +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -4789,6 +4789,7 @@ static ssize_t memcg_write_event_control + unsigned int efd, cfd; + struct fd efile; + struct fd cfile; ++ struct dentry *cdentry; + const char *name; + char *endp; + int ret; +@@ -4840,6 +4841,16 @@ static ssize_t memcg_write_event_control + goto out_put_cfile; + + /* ++ * The control file must be a regular cgroup1 file. As a regular cgroup ++ * file can't be renamed, it's safe to access its name afterwards. ++ */ ++ cdentry = cfile.file->f_path.dentry; ++ if (cdentry->d_sb->s_type != &cgroup_fs_type || !d_is_reg(cdentry)) { ++ ret = -EINVAL; ++ goto out_put_cfile; ++ } ++ ++ /* + * Determine the event callbacks and set them in @event. This used + * to be done via struct cftype but cgroup core no longer knows + * about these events. The following is crude but the whole thing +@@ -4847,7 +4858,7 @@ static ssize_t memcg_write_event_control + * + * DO NOT ADD NEW FILES. + */ +- name = cfile.file->f_path.dentry->d_name.name; ++ name = cdentry->d_name.name; + + if (!strcmp(name, "memory.usage_in_bytes")) { + event->register_event = mem_cgroup_usage_register_event; +@@ -4871,7 +4882,7 @@ static ssize_t memcg_write_event_control + * automatically removed on cgroup destruction but the removal is + * asynchronous, so take an extra ref on @css. + */ +- cfile_css = css_tryget_online_from_dir(cfile.file->f_path.dentry->d_parent, ++ cfile_css = css_tryget_online_from_dir(cdentry->d_parent, + &memory_cgrp_subsys); + ret = -EINVAL; + if (IS_ERR(cfile_css)) diff --git a/queue-5.15/mm-gup-fix-gup_pud_range-for-dax.patch b/queue-5.15/mm-gup-fix-gup_pud_range-for-dax.patch new file mode 100644 index 00000000000..e7ac5b6dea9 --- /dev/null +++ b/queue-5.15/mm-gup-fix-gup_pud_range-for-dax.patch @@ -0,0 +1,87 @@ +From fcd0ccd836ffad73d98a66f6fea7b16f735ea920 Mon Sep 17 00:00:00 2001 +From: John Starks +Date: Tue, 6 Dec 2022 22:00:53 -0800 +Subject: mm/gup: fix gup_pud_range() for dax + +From: John Starks + +commit fcd0ccd836ffad73d98a66f6fea7b16f735ea920 upstream. + +For dax pud, pud_huge() returns true on x86. So the function works as long +as hugetlb is configured. However, dax doesn't depend on hugetlb. +Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed +devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as +well. + +This fixes the below kernel panic: + +general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP + < snip > +Call Trace: + +get_user_pages_fast+0x1f/0x40 +iov_iter_get_pages+0xc6/0x3b0 +? mempool_alloc+0x5d/0x170 +bio_iov_iter_get_pages+0x82/0x4e0 +? bvec_alloc+0x91/0xc0 +? bio_alloc_bioset+0x19a/0x2a0 +blkdev_direct_IO+0x282/0x480 +? __io_complete_rw_common+0xc0/0xc0 +? filemap_range_has_page+0x82/0xc0 +generic_file_direct_write+0x9d/0x1a0 +? inode_update_time+0x24/0x30 +__generic_file_write_iter+0xbd/0x1e0 +blkdev_write_iter+0xb4/0x150 +? io_import_iovec+0x8d/0x340 +io_write+0xf9/0x300 +io_issue_sqe+0x3c3/0x1d30 +? sysvec_reschedule_ipi+0x6c/0x80 +__io_queue_sqe+0x33/0x240 +? fget+0x76/0xa0 +io_submit_sqes+0xe6a/0x18d0 +? __fget_light+0xd1/0x100 +__x64_sys_io_uring_enter+0x199/0x880 +? __context_tracking_enter+0x1f/0x70 +? irqentry_exit_to_user_mode+0x24/0x30 +? irqentry_exit+0x1d/0x30 +? __context_tracking_exit+0xe/0x70 +do_syscall_64+0x3b/0x90 +entry_SYSCALL_64_after_hwframe+0x61/0xcb +RIP: 0033:0x7fc97c11a7be + < snip > + +---[ end trace 48b2e0e67debcaeb ]--- +RIP: 0010:internal_get_user_pages_fast+0x340/0x990 + < snip > +Kernel panic - not syncing: Fatal exception +Kernel Offset: disabled + +Link: https://lkml.kernel.org/r/1670392853-28252-1-git-send-email-ssengar@linux.microsoft.com +Fixes: 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") +Signed-off-by: John Starks +Signed-off-by: Saurabh Sengar +Cc: Jan Kara +Cc: Yu Zhao +Cc: Jason Gunthorpe +Cc: John Hubbard +Cc: David Hildenbrand +Cc: Dan Williams +Cc: Alistair Popple +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/gup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -2721,7 +2721,7 @@ static int gup_pud_range(p4d_t *p4dp, p4 + next = pud_addr_end(addr, end); + if (unlikely(!pud_present(pud))) + return 0; +- if (unlikely(pud_huge(pud))) { ++ if (unlikely(pud_huge(pud) || pud_devmap(pud))) { + if (!gup_huge_pud(pud, pudp, addr, next, flags, + pages, nr)) + return 0; diff --git a/queue-5.15/net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch b/queue-5.15/net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch new file mode 100644 index 00000000000..24079efda34 --- /dev/null +++ b/queue-5.15/net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch @@ -0,0 +1,82 @@ +From f8bac7f9fdb0017b32157957ffffd490f95faa07 Mon Sep 17 00:00:00 2001 +From: "Radu Nicolae Pirea (OSS)" +Date: Wed, 7 Dec 2022 15:23:47 +0200 +Subject: net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() + +From: Radu Nicolae Pirea (OSS) + +commit f8bac7f9fdb0017b32157957ffffd490f95faa07 upstream. + +The SJA1105 family has 45 L2 policing table entries +(SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110 +(SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but +accounting for the difference in port count (5 in SJA1105 vs 10 in +SJA1110) does not fully explain the difference. Rather, the SJA1110 also +has L2 ingress policers for multicast traffic. If a packet is classified +as multicast, it will be processed by the policer index 99 + SRCPORT. + +The sja1105_init_l2_policing() function initializes all L2 policers such +that they don't interfere with normal packet reception by default. To have +a common code between SJA1105 and SJA1110, the index of the multicast +policer for the port is calculated because it's an index that is out of +bounds for SJA1105 but in bounds for SJA1110, and a bounds check is +performed. + +The code fails to do the proper thing when determining what to do with the +multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast" +index will be equal to 45, which is also equal to +table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes +through the check. But at the same time, SJA1105 doesn't have multicast +policers. So the code programs the SHARINDX field of an out-of-bounds +element in the L2 Policing table of the static config. + +The comparison between index 45 and 45 entries should have determined the +code to not access this policer index on SJA1105, since its memory wasn't +even allocated. + +With enough bad luck, the out-of-bounds write could even overwrite other +valid kernel data, but in this case, the issue was detected using KASAN. + +Kernel log: + +sja1105 spi5.0: Probed switch chip: SJA1105Q +================================================================== +BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340 +Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8 +... +Workqueue: events_unbound deferred_probe_work_func +Call trace: +... +sja1105_setup+0x1cbc/0x2340 +dsa_register_switch+0x1284/0x18d0 +sja1105_probe+0x748/0x840 +... +Allocated by task 8: +... +sja1105_setup+0x1bcc/0x2340 +dsa_register_switch+0x1284/0x18d0 +sja1105_probe+0x748/0x840 +... + +Fixes: 38fbe91f2287 ("net: dsa: sja1105: configure the multicast policers, if present") +CC: stable@vger.kernel.org # 5.15+ +Signed-off-by: Radu Nicolae Pirea (OSS) +Reviewed-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20221207132347.38698-1-radu-nicolae.pirea@oss.nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/sja1105/sja1105_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -1025,7 +1025,7 @@ static int sja1105_init_l2_policing(stru + + policing[bcast].sharindx = port; + /* Only SJA1110 has multicast policers */ +- if (mcast <= table->ops->max_entry_count) ++ if (mcast < table->ops->max_entry_count) + policing[mcast].sharindx = port; + } + diff --git a/queue-5.15/net-mana-fix-race-on-per-cq-variable-napi-work_done.patch b/queue-5.15/net-mana-fix-race-on-per-cq-variable-napi-work_done.patch new file mode 100644 index 00000000000..fa65f11c3eb --- /dev/null +++ b/queue-5.15/net-mana-fix-race-on-per-cq-variable-napi-work_done.patch @@ -0,0 +1,103 @@ +From 18010ff776fa42340efc428b3ea6d19b3e7c7b21 Mon Sep 17 00:00:00 2001 +From: Haiyang Zhang +Date: Fri, 2 Dec 2022 11:43:10 -0800 +Subject: net: mana: Fix race on per-CQ variable napi work_done + +From: Haiyang Zhang + +commit 18010ff776fa42340efc428b3ea6d19b3e7c7b21 upstream. + +After calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be +cleared, and another CPU can start napi thread and access per-CQ variable, +cq->work_done. If the other thread (for example, from busy_poll) sets +it to a value >= budget, this thread will continue to run when it should +stop, and cause memory corruption and panic. + +To fix this issue, save the per-CQ work_done variable in a local variable +before napi_complete_done(), so it won't be corrupted by a possible +concurrent thread after napi_complete_done(). + +Also, add a flag bit to advertise to the NIC firmware: the NAPI work_done +variable race is fixed, so the driver is able to reliably support features +like busy_poll. + +Cc: stable@vger.kernel.org +Fixes: e1b5683ff62e ("net: mana: Move NAPI from EQ to CQ") +Signed-off-by: Haiyang Zhang +Link: https://lore.kernel.org/r/1670010190-28595-1-git-send-email-haiyangz@microsoft.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microsoft/mana/gdma.h | 9 ++++++++- + drivers/net/ethernet/microsoft/mana/mana_en.c | 16 +++++++++++----- + 2 files changed, 19 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/microsoft/mana/gdma.h ++++ b/drivers/net/ethernet/microsoft/mana/gdma.h +@@ -488,7 +488,14 @@ enum { + + #define GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT BIT(0) + +-#define GDMA_DRV_CAP_FLAGS1 GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT ++/* Advertise to the NIC firmware: the NAPI work_done variable race is fixed, ++ * so the driver is able to reliably support features like busy_poll. ++ */ ++#define GDMA_DRV_CAP_FLAG_1_NAPI_WKDONE_FIX BIT(2) ++ ++#define GDMA_DRV_CAP_FLAGS1 \ ++ (GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT | \ ++ GDMA_DRV_CAP_FLAG_1_NAPI_WKDONE_FIX) + + #define GDMA_DRV_CAP_FLAGS2 0 + +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -1071,10 +1071,11 @@ static void mana_poll_rx_cq(struct mana_ + } + } + +-static void mana_cq_handler(void *context, struct gdma_queue *gdma_queue) ++static int mana_cq_handler(void *context, struct gdma_queue *gdma_queue) + { + struct mana_cq *cq = context; + u8 arm_bit; ++ int w; + + WARN_ON_ONCE(cq->gdma_cq != gdma_queue); + +@@ -1083,26 +1084,31 @@ static void mana_cq_handler(void *contex + else + mana_poll_tx_cq(cq); + +- if (cq->work_done < cq->budget && +- napi_complete_done(&cq->napi, cq->work_done)) { ++ w = cq->work_done; ++ ++ if (w < cq->budget && ++ napi_complete_done(&cq->napi, w)) { + arm_bit = SET_ARM_BIT; + } else { + arm_bit = 0; + } + + mana_gd_ring_cq(gdma_queue, arm_bit); ++ ++ return w; + } + + static int mana_poll(struct napi_struct *napi, int budget) + { + struct mana_cq *cq = container_of(napi, struct mana_cq, napi); ++ int w; + + cq->work_done = 0; + cq->budget = budget; + +- mana_cq_handler(cq, cq->gdma_cq); ++ w = mana_cq_handler(cq, cq->gdma_cq); + +- return min(cq->work_done, budget); ++ return min(w, budget); + } + + static void mana_schedule_napi(void *context, struct gdma_queue *gdma_queue) diff --git a/queue-5.15/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch b/queue-5.15/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch new file mode 100644 index 00000000000..8eafd8256e8 --- /dev/null +++ b/queue-5.15/revert-arm-dts-imx7-fix-nand-controller-size-cells.patch @@ -0,0 +1,47 @@ +From ef19964da8a668c683f1d38274f6fb756e047945 Mon Sep 17 00:00:00 2001 +From: Francesco Dolcini +Date: Mon, 5 Dec 2022 16:23:27 +0100 +Subject: Revert "ARM: dts: imx7: Fix NAND controller size-cells" + +From: Francesco Dolcini + +commit ef19964da8a668c683f1d38274f6fb756e047945 upstream. + +This reverts commit 753395ea1e45c724150070b5785900b6a44bd5fb. + +It introduced a boot regression on colibri-imx7, and potentially any +other i.MX7 boards with MTD partition list generated into the fdt by +U-Boot. + +While the commit we are reverting here is not obviously wrong, it fixes +only a dt binding checker warning that is non-functional, while it +introduces a boot regression and there is no obvious fix ready. + +Fixes: 753395ea1e45 ("ARM: dts: imx7: Fix NAND controller size-cells") +Signed-off-by: Francesco Dolcini +Reviewed-by: Miquel Raynal +Acked-by: Marek Vasut +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/Y4dgBTGNWpM6SQXI@francesco-nb.int.toradex.com/ +Link: https://lore.kernel.org/all/20221205144917.6514168a@xps-13/ +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx7s.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -1252,10 +1252,10 @@ + clocks = <&clks IMX7D_NAND_USDHC_BUS_RAWNAND_CLK>; + }; + +- gpmi: nand-controller@33002000 { ++ gpmi: nand-controller@33002000{ + compatible = "fsl,imx7d-gpmi-nand"; + #address-cells = <1>; +- #size-cells = <0>; ++ #size-cells = <1>; + reg = <0x33002000 0x2000>, <0x33004000 0x4000>; + reg-names = "gpmi-nand", "bch"; + interrupts = ; diff --git a/queue-5.15/series b/queue-5.15/series index ea6ae3898f7..935fb173c65 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -38,4 +38,21 @@ xen-netback-do-some-code-cleanup.patch xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch media-videobuf2-core-take-mmap_lock-in-vb2_get_unmap.patch soundwire-intel-initialize-clock-stop-timeout.patch +revert-arm-dts-imx7-fix-nand-controller-size-cells.patch +media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch +memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch +mm-gup-fix-gup_pud_range-for-dax.patch +bluetooth-btusb-add-debug-message-for-csr-controllers.patch +bluetooth-fix-crash-when-replugging-csr-fake-controllers.patch +net-mana-fix-race-on-per-cq-variable-napi-work_done.patch +kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch +drm-vmwgfx-don-t-use-screen-objects-when-sev-is-active.patch +drm-amdgpu-sdma_v4_0-turn-off-sdma-ring-buffer-in-the-s2idle-suspend.patch +drm-shmem-helper-remove-errant-put-in-error-path.patch +drm-shmem-helper-avoid-vm_open-error-paths.patch +net-dsa-sja1105-avoid-out-of-bounds-access-in-sja1105_init_l2_policing.patch +hid-usbhid-add-always_poll-quirk-for-some-mice.patch +hid-hid-lg4ff-add-check-for-empty-lbuf.patch +hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch +hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch clk-fix-pointer-casting-to-prevent-oops-in-devm_clk_.patch