From: Sasha Levin Date: Sun, 16 Apr 2023 11:53:27 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.14.313~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e48e5ccdd18010bec21c7dc0fce964eec8f40ac6;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch b/queue-5.4/9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch new file mode 100644 index 00000000000..ff4e305c793 --- /dev/null +++ b/queue-5.4/9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch @@ -0,0 +1,61 @@ +From d37d92c39c0878bb8511ca43094a0607dc4a0b25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 22:43:25 +0800 +Subject: 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race + condition + +From: Zheng Wang + +[ Upstream commit ea4f1009408efb4989a0f139b70fb338e7f687d0 ] + +In xen_9pfs_front_probe, it calls xen_9pfs_front_alloc_dataring +to init priv->rings and bound &ring->work with p9_xen_response. + +When it calls xen_9pfs_front_event_handler to handle IRQ requests, +it will finally call schedule_work to start the work. + +When we call xen_9pfs_front_remove to remove the driver, there +may be a sequence as follows: + +Fix it by finishing the work before cleanup in xen_9pfs_front_free. + +Note that, this bug is found by static analysis, which might be +false positive. + +CPU0 CPU1 + + |p9_xen_response +xen_9pfs_front_remove| + xen_9pfs_front_free| +kfree(priv) | +//free priv | + |p9_tag_lookup + |//use priv->client + +Fixes: 71ebd71921e4 ("xen/9pfs: connect to the backend") +Signed-off-by: Zheng Wang +Reviewed-by: Michal Swiatkowski +Signed-off-by: Eric Van Hensbergen +Signed-off-by: Sasha Levin +--- + net/9p/trans_xen.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c +index 67e9a7085e13b..4a16c5dd1576d 100644 +--- a/net/9p/trans_xen.c ++++ b/net/9p/trans_xen.c +@@ -299,6 +299,10 @@ static void xen_9pfs_front_free(struct xen_9pfs_front_priv *priv) + write_unlock(&xen_9pfs_lock); + + for (i = 0; i < priv->num_rings; i++) { ++ struct xen_9pfs_dataring *ring = &priv->rings[i]; ++ ++ cancel_work_sync(&ring->work); ++ + if (!priv->rings[i].intf) + break; + if (priv->rings[i].irq > 0) +-- +2.39.2 + diff --git a/queue-5.4/asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch b/queue-5.4/asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch new file mode 100644 index 00000000000..4dc43a33a5a --- /dev/null +++ b/queue-5.4/asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch @@ -0,0 +1,158 @@ +From fdfb7762b720759815b2f975720c861b527b4090 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Feb 2023 12:12:54 -0500 +Subject: asymmetric_keys: log on fatal failures in PE/pkcs7 + +From: Robbie Harwood + +[ Upstream commit 3584c1dbfffdabf8e3dc1dd25748bb38dd01cd43 ] + +These particular errors can be encountered while trying to kexec when +secureboot lockdown is in place. Without this change, even with a +signed debug build, one still needs to reboot the machine to add the +appropriate dyndbg parameters (since lockdown blocks debugfs). + +Accordingly, upgrade all pr_debug() before fatal error into pr_warn(). + +Signed-off-by: Robbie Harwood +Signed-off-by: David Howells +cc: Jarkko Sakkinen +cc: Eric Biederman +cc: Herbert Xu +cc: keyrings@vger.kernel.org +cc: linux-crypto@vger.kernel.org +cc: kexec@lists.infradead.org +Link: https://lore.kernel.org/r/20230220171254.592347-3-rharwood@redhat.com/ # v2 +Signed-off-by: Sasha Levin +--- + crypto/asymmetric_keys/pkcs7_verify.c | 10 +++++----- + crypto/asymmetric_keys/verify_pefile.c | 24 ++++++++++++------------ + 2 files changed, 17 insertions(+), 17 deletions(-) + +diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c +index ce49820caa97f..01e54450c846f 100644 +--- a/crypto/asymmetric_keys/pkcs7_verify.c ++++ b/crypto/asymmetric_keys/pkcs7_verify.c +@@ -79,16 +79,16 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, + } + + if (sinfo->msgdigest_len != sig->digest_size) { +- pr_debug("Sig %u: Invalid digest size (%u)\n", +- sinfo->index, sinfo->msgdigest_len); ++ pr_warn("Sig %u: Invalid digest size (%u)\n", ++ sinfo->index, sinfo->msgdigest_len); + ret = -EBADMSG; + goto error; + } + + if (memcmp(sig->digest, sinfo->msgdigest, + sinfo->msgdigest_len) != 0) { +- pr_debug("Sig %u: Message digest doesn't match\n", +- sinfo->index); ++ pr_warn("Sig %u: Message digest doesn't match\n", ++ sinfo->index); + ret = -EKEYREJECTED; + goto error; + } +@@ -488,7 +488,7 @@ int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7, + const void *data, size_t datalen) + { + if (pkcs7->data) { +- pr_debug("Data already supplied\n"); ++ pr_warn("Data already supplied\n"); + return -EINVAL; + } + pkcs7->data = data; +diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c +index c43b077ba37db..0701bb161b63f 100644 +--- a/crypto/asymmetric_keys/verify_pefile.c ++++ b/crypto/asymmetric_keys/verify_pefile.c +@@ -74,7 +74,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, + break; + + default: +- pr_debug("Unknown PEOPT magic = %04hx\n", pe32->magic); ++ pr_warn("Unknown PEOPT magic = %04hx\n", pe32->magic); + return -ELIBBAD; + } + +@@ -95,7 +95,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen, + ctx->certs_size = ddir->certs.size; + + if (!ddir->certs.virtual_address || !ddir->certs.size) { +- pr_debug("Unsigned PE binary\n"); ++ pr_warn("Unsigned PE binary\n"); + return -ENODATA; + } + +@@ -127,7 +127,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf, + unsigned len; + + if (ctx->sig_len < sizeof(wrapper)) { +- pr_debug("Signature wrapper too short\n"); ++ pr_warn("Signature wrapper too short\n"); + return -ELIBBAD; + } + +@@ -142,16 +142,16 @@ static int pefile_strip_sig_wrapper(const void *pebuf, + * rounded up since 0.110. + */ + if (wrapper.length > ctx->sig_len) { +- pr_debug("Signature wrapper bigger than sig len (%x > %x)\n", +- ctx->sig_len, wrapper.length); ++ pr_warn("Signature wrapper bigger than sig len (%x > %x)\n", ++ ctx->sig_len, wrapper.length); + return -ELIBBAD; + } + if (wrapper.revision != WIN_CERT_REVISION_2_0) { +- pr_debug("Signature is not revision 2.0\n"); ++ pr_warn("Signature is not revision 2.0\n"); + return -ENOTSUPP; + } + if (wrapper.cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA) { +- pr_debug("Signature certificate type is not PKCS\n"); ++ pr_warn("Signature certificate type is not PKCS\n"); + return -ENOTSUPP; + } + +@@ -164,7 +164,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf, + ctx->sig_offset += sizeof(wrapper); + ctx->sig_len -= sizeof(wrapper); + if (ctx->sig_len < 4) { +- pr_debug("Signature data missing\n"); ++ pr_warn("Signature data missing\n"); + return -EKEYREJECTED; + } + +@@ -198,7 +198,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf, + return 0; + } + not_pkcs7: +- pr_debug("Signature data not PKCS#7\n"); ++ pr_warn("Signature data not PKCS#7\n"); + return -ELIBBAD; + } + +@@ -341,8 +341,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, + digest_size = crypto_shash_digestsize(tfm); + + if (digest_size != ctx->digest_len) { +- pr_debug("Digest size mismatch (%zx != %x)\n", +- digest_size, ctx->digest_len); ++ pr_warn("Digest size mismatch (%zx != %x)\n", ++ digest_size, ctx->digest_len); + ret = -EBADMSG; + goto error_no_desc; + } +@@ -373,7 +373,7 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, + * PKCS#7 certificate. + */ + if (memcmp(digest, ctx->digest, ctx->digest_len) != 0) { +- pr_debug("Digest mismatch\n"); ++ pr_warn("Digest mismatch\n"); + ret = -EKEYREJECTED; + } else { + pr_debug("The digests match!\n"); +-- +2.39.2 + diff --git a/queue-5.4/drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch b/queue-5.4/drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch new file mode 100644 index 00000000000..a99199fcbb0 --- /dev/null +++ b/queue-5.4/drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch @@ -0,0 +1,55 @@ +From 56d1237ef5a85ce946f06b558f7e88b82e79dc5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 10:52:18 +0100 +Subject: drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F + +From: Hans de Goede + +[ Upstream commit 03aecb1acbcd7a660f97d645ca6c09d9de27ff9d ] + +Like the Windows Lenovo Yoga Book X91F/L the Android Lenovo Yoga Book +X90F/L has a portrait 1200x1920 screen used in landscape mode, +add a quirk for this. + +When the quirk for the X91F/L was initially added it was written to +also apply to the X90F/L but this does not work because the Android +version of the Yoga Book uses completely different DMI strings. +Also adjust the X91F/L quirk to reflect that it only applies to +the X91F/L models. + +Signed-off-by: Hans de Goede +Reviewed-by: Javier Martinez Canillas +Link: https://patchwork.freedesktop.org/patch/msgid/20230301095218.28457-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index 8768073794fbf..6106fa7c43028 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -284,10 +284,17 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "IdeaPad Duet 3 10IGL5"), + }, + .driver_data = (void *)&lcd1200x1920_rightside_up, +- }, { /* Lenovo Yoga Book X90F / X91F / X91L */ ++ }, { /* Lenovo Yoga Book X90F / X90L */ + .matches = { +- /* Non exact match to match all versions */ +- DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X9"), ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Intel Corporation"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "CHERRYVIEW D1 PLATFORM"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"), ++ }, ++ .driver_data = (void *)&lcd1200x1920_rightside_up, ++ }, { /* Lenovo Yoga Book X91F / X91L */ ++ .matches = { ++ /* Non exact match to match F + L versions */ ++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"), + }, + .driver_data = (void *)&lcd1200x1920_rightside_up, + }, { /* OneGX1 Pro */ +-- +2.39.2 + diff --git a/queue-5.4/efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch b/queue-5.4/efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch new file mode 100644 index 00000000000..b1eefe2dd5b --- /dev/null +++ b/queue-5.4/efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch @@ -0,0 +1,43 @@ +From 975fea3328c8203bb4195f80c13ac62b2e3ff1c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 13:31:03 +0100 +Subject: efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L + +From: Hans de Goede + +[ Upstream commit 5ed213dd64681f84a01ceaa82fb336cf7d59ddcf ] + +Another Lenovo convertable which reports a landscape resolution of +1920x1200 with a pitch of (1920 * 4) bytes, while the actual framebuffer +has a resolution of 1200x1920 with a pitch of (1200 * 4) bytes. + +Signed-off-by: Hans de Goede +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/sysfb_efi.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/x86/kernel/sysfb_efi.c b/arch/x86/kernel/sysfb_efi.c +index 9ea65611fba0b..fff04d2859765 100644 +--- a/arch/x86/kernel/sysfb_efi.c ++++ b/arch/x86/kernel/sysfb_efi.c +@@ -272,6 +272,14 @@ static const struct dmi_system_id efifb_dmi_swap_width_height[] __initconst = { + "IdeaPad Duet 3 10IGL5"), + }, + }, ++ { ++ /* Lenovo Yoga Book X91F / X91L */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ /* Non exact match to match F + L versions */ ++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"), ++ }, ++ }, + {}, + }; + +-- +2.39.2 + diff --git a/queue-5.4/i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch b/queue-5.4/i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch new file mode 100644 index 00000000000..0a825df025f --- /dev/null +++ b/queue-5.4/i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch @@ -0,0 +1,36 @@ +From 51256b833a32cc9e7617575fd01563aacc472153 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 16:32:46 +0100 +Subject: i2c: imx-lpi2c: clean rx/tx buffers upon new message + +From: Alexander Stein + +[ Upstream commit 987dd36c0141f6ab9f0fbf14d6b2ec3342dedb2f ] + +When start sending a new message clear the Rx & Tx buffer pointers in +order to avoid using stale pointers. + +Signed-off-by: Alexander Stein +Tested-by: Emanuele Ghidoli +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-imx-lpi2c.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c +index 13c17afe7102e..4fac2591b6618 100644 +--- a/drivers/i2c/busses/i2c-imx-lpi2c.c ++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c +@@ -468,6 +468,8 @@ static int lpi2c_imx_xfer(struct i2c_adapter *adapter, + if (num == 1 && msgs[0].len == 0) + goto stop; + ++ lpi2c_imx->rx_buf = NULL; ++ lpi2c_imx->tx_buf = NULL; + lpi2c_imx->delivered = 0; + lpi2c_imx->msglen = msgs[i].len; + init_completion(&lpi2c_imx->complete); +-- +2.39.2 + diff --git a/queue-5.4/net-macb-fix-a-memory-corruption-in-extended-buffer-.patch b/queue-5.4/net-macb-fix-a-memory-corruption-in-extended-buffer-.patch new file mode 100644 index 00000000000..d7565fa45f4 --- /dev/null +++ b/queue-5.4/net-macb-fix-a-memory-corruption-in-extended-buffer-.patch @@ -0,0 +1,150 @@ +From f1fbc2dd9c08a3f6e19061359edd33c9426550d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Apr 2023 16:21:44 -0700 +Subject: net: macb: fix a memory corruption in extended buffer descriptor mode + +From: Roman Gushchin + +[ Upstream commit e8b74453555872851bdd7ea43a7c0ec39659834f ] + +For quite some time we were chasing a bug which looked like a sudden +permanent failure of networking and mmc on some of our devices. +The bug was very sensitive to any software changes and even more to +any kernel debug options. + +Finally we got a setup where the problem was reproducible with +CONFIG_DMA_API_DEBUG=y and it revealed the issue with the rx dma: + +[ 16.992082] ------------[ cut here ]------------ +[ 16.996779] DMA-API: macb ff0b0000.ethernet: device driver tries to free DMA memory it has not allocated [device address=0x0000000875e3e244] [size=1536 bytes] +[ 17.011049] WARNING: CPU: 0 PID: 85 at kernel/dma/debug.c:1011 check_unmap+0x6a0/0x900 +[ 17.018977] Modules linked in: xxxxx +[ 17.038823] CPU: 0 PID: 85 Comm: irq/55-8000f000 Not tainted 5.4.0 #28 +[ 17.045345] Hardware name: xxxxx +[ 17.049528] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 17.054322] pc : check_unmap+0x6a0/0x900 +[ 17.058243] lr : check_unmap+0x6a0/0x900 +[ 17.062163] sp : ffffffc010003c40 +[ 17.065470] x29: ffffffc010003c40 x28: 000000004000c03c +[ 17.070783] x27: ffffffc010da7048 x26: ffffff8878e38800 +[ 17.076095] x25: ffffff8879d22810 x24: ffffffc010003cc8 +[ 17.081407] x23: 0000000000000000 x22: ffffffc010a08750 +[ 17.086719] x21: ffffff8878e3c7c0 x20: ffffffc010acb000 +[ 17.092032] x19: 0000000875e3e244 x18: 0000000000000010 +[ 17.097343] x17: 0000000000000000 x16: 0000000000000000 +[ 17.102647] x15: ffffff8879e4a988 x14: 0720072007200720 +[ 17.107959] x13: 0720072007200720 x12: 0720072007200720 +[ 17.113261] x11: 0720072007200720 x10: 0720072007200720 +[ 17.118565] x9 : 0720072007200720 x8 : 000000000000022d +[ 17.123869] x7 : 0000000000000015 x6 : 0000000000000098 +[ 17.129173] x5 : 0000000000000000 x4 : 0000000000000000 +[ 17.134475] x3 : 00000000ffffffff x2 : ffffffc010a1d370 +[ 17.139778] x1 : b420c9d75d27bb00 x0 : 0000000000000000 +[ 17.145082] Call trace: +[ 17.147524] check_unmap+0x6a0/0x900 +[ 17.151091] debug_dma_unmap_page+0x88/0x90 +[ 17.155266] gem_rx+0x114/0x2f0 +[ 17.158396] macb_poll+0x58/0x100 +[ 17.161705] net_rx_action+0x118/0x400 +[ 17.165445] __do_softirq+0x138/0x36c +[ 17.169100] irq_exit+0x98/0xc0 +[ 17.172234] __handle_domain_irq+0x64/0xc0 +[ 17.176320] gic_handle_irq+0x5c/0xc0 +[ 17.179974] el1_irq+0xb8/0x140 +[ 17.183109] xiic_process+0x5c/0xe30 +[ 17.186677] irq_thread_fn+0x28/0x90 +[ 17.190244] irq_thread+0x208/0x2a0 +[ 17.193724] kthread+0x130/0x140 +[ 17.196945] ret_from_fork+0x10/0x20 +[ 17.200510] ---[ end trace 7240980785f81d6f ]--- + +[ 237.021490] ------------[ cut here ]------------ +[ 237.026129] DMA-API: exceeded 7 overlapping mappings of cacheline 0x0000000021d79e7b +[ 237.033886] WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:499 add_dma_entry+0x214/0x240 +[ 237.041802] Modules linked in: xxxxx +[ 237.061637] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.4.0 #28 +[ 237.068941] Hardware name: xxxxx +[ 237.073116] pstate: 80000085 (Nzcv daIf -PAN -UAO) +[ 237.077900] pc : add_dma_entry+0x214/0x240 +[ 237.081986] lr : add_dma_entry+0x214/0x240 +[ 237.086072] sp : ffffffc010003c30 +[ 237.089379] x29: ffffffc010003c30 x28: ffffff8878a0be00 +[ 237.094683] x27: 0000000000000180 x26: ffffff8878e387c0 +[ 237.099987] x25: 0000000000000002 x24: 0000000000000000 +[ 237.105290] x23: 000000000000003b x22: ffffffc010a0fa00 +[ 237.110594] x21: 0000000021d79e7b x20: ffffffc010abe600 +[ 237.115897] x19: 00000000ffffffef x18: 0000000000000010 +[ 237.121201] x17: 0000000000000000 x16: 0000000000000000 +[ 237.126504] x15: ffffffc010a0fdc8 x14: 0720072007200720 +[ 237.131807] x13: 0720072007200720 x12: 0720072007200720 +[ 237.137111] x11: 0720072007200720 x10: 0720072007200720 +[ 237.142415] x9 : 0720072007200720 x8 : 0000000000000259 +[ 237.147718] x7 : 0000000000000001 x6 : 0000000000000000 +[ 237.153022] x5 : ffffffc010003a20 x4 : 0000000000000001 +[ 237.158325] x3 : 0000000000000006 x2 : 0000000000000007 +[ 237.163628] x1 : 8ac721b3a7dc1c00 x0 : 0000000000000000 +[ 237.168932] Call trace: +[ 237.171373] add_dma_entry+0x214/0x240 +[ 237.175115] debug_dma_map_page+0xf8/0x120 +[ 237.179203] gem_rx_refill+0x190/0x280 +[ 237.182942] gem_rx+0x224/0x2f0 +[ 237.186075] macb_poll+0x58/0x100 +[ 237.189384] net_rx_action+0x118/0x400 +[ 237.193125] __do_softirq+0x138/0x36c +[ 237.196780] irq_exit+0x98/0xc0 +[ 237.199914] __handle_domain_irq+0x64/0xc0 +[ 237.204000] gic_handle_irq+0x5c/0xc0 +[ 237.207654] el1_irq+0xb8/0x140 +[ 237.210789] arch_cpu_idle+0x40/0x200 +[ 237.214444] default_idle_call+0x18/0x30 +[ 237.218359] do_idle+0x200/0x280 +[ 237.221578] cpu_startup_entry+0x20/0x30 +[ 237.225493] rest_init+0xe4/0xf0 +[ 237.228713] arch_call_rest_init+0xc/0x14 +[ 237.232714] start_kernel+0x47c/0x4a8 +[ 237.236367] ---[ end trace 7240980785f81d70 ]--- + +Lars was fast to find an explanation: according to the datasheet +bit 2 of the rx buffer descriptor entry has a different meaning in the +extended mode: + Address [2] of beginning of buffer, or + in extended buffer descriptor mode (DMA configuration register [28] = 1), + indicates a valid timestamp in the buffer descriptor entry. + +The macb driver didn't mask this bit while getting an address and it +eventually caused a memory corruption and a dma failure. + +The problem is resolved by explicitly clearing the problematic bit +if hw timestamping is used. + +Fixes: 7b4296148066 ("net: macb: Add support for PTP timestamps in DMA descriptors") +Signed-off-by: Roman Gushchin +Co-developed-by: Lars-Peter Clausen +Signed-off-by: Lars-Peter Clausen +Acked-by: Nicolas Ferre +Reviewed-by: Jacob Keller +Link: https://lore.kernel.org/r/20230412232144.770336-1-roman.gushchin@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index d948b582f4c97..12dd18cbdba34 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -719,6 +719,10 @@ static dma_addr_t macb_get_addr(struct macb *bp, struct macb_dma_desc *desc) + } + #endif + addr |= MACB_BF(RX_WADDR, MACB_BFEXT(RX_WADDR, desc->addr)); ++#ifdef CONFIG_MACB_USE_HWSTAMP ++ if (bp->hw_dma_cap & HW_DMA_CAP_PTP) ++ addr &= ~GEM_BIT(DMA_RXVALID); ++#endif + return addr; + } + +-- +2.39.2 + diff --git a/queue-5.4/niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch b/queue-5.4/niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch new file mode 100644 index 00000000000..066844b66f6 --- /dev/null +++ b/queue-5.4/niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch @@ -0,0 +1,42 @@ +From 4220436ba35564b00901488b1ec1b16260745d91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Apr 2023 23:31:18 -0700 +Subject: niu: Fix missing unwind goto in niu_alloc_channels() + +From: Harshit Mogalapalli + +[ Upstream commit 8ce07be703456acb00e83d99f3b8036252c33b02 ] + +Smatch reports: drivers/net/ethernet/sun/niu.c:4525 + niu_alloc_channels() warn: missing unwind goto? + +If niu_rbr_fill() fails, then we are directly returning 'err' without +freeing the channels. + +Fix this by changing direct return to a goto 'out_err'. + +Fixes: a3138df9f20e ("[NIU]: Add Sun Neptune ethernet driver.") +Signed-off-by: Harshit Mogalapalli +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/niu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c +index 70b9a7bfe4ec6..201470d540d87 100644 +--- a/drivers/net/ethernet/sun/niu.c ++++ b/drivers/net/ethernet/sun/niu.c +@@ -4503,7 +4503,7 @@ static int niu_alloc_channels(struct niu *np) + + err = niu_rbr_fill(np, rp, GFP_KERNEL); + if (err) +- return err; ++ goto out_err; + } + + tx_rings = kcalloc(num_tx_rings, sizeof(struct tx_ring_info), +-- +2.39.2 + diff --git a/queue-5.4/power-supply-cros_usbpd-reclassify-default-case-as-d.patch b/queue-5.4/power-supply-cros_usbpd-reclassify-default-case-as-d.patch new file mode 100644 index 00000000000..99b3bce5aa4 --- /dev/null +++ b/queue-5.4/power-supply-cros_usbpd-reclassify-default-case-as-d.patch @@ -0,0 +1,42 @@ +From d30c65c26b7c22478a78780cdf24ddfb71967e88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 13:38:57 -0800 +Subject: power: supply: cros_usbpd: reclassify "default case!" as debug + +From: Grant Grundler + +[ Upstream commit 14c76b2e75bca4d96e2b85a0c12aa43e84fe3f74 ] + +This doesn't need to be printed every second as an error: +... +<3>[17438.628385] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case! +<3>[17439.634176] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case! +<3>[17440.640298] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case! +... + +Reduce priority from ERROR to DEBUG. + +Signed-off-by: Grant Grundler +Reviewed-by: Guenter Roeck +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/cros_usbpd-charger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/cros_usbpd-charger.c b/drivers/power/supply/cros_usbpd-charger.c +index 6cc7c3910e098..0f80fdf88253c 100644 +--- a/drivers/power/supply/cros_usbpd-charger.c ++++ b/drivers/power/supply/cros_usbpd-charger.c +@@ -282,7 +282,7 @@ static int cros_usbpd_charger_get_power_info(struct port_data *port) + port->psy_current_max = 0; + break; + default: +- dev_err(dev, "Port %d: default case!\n", port->port_number); ++ dev_dbg(dev, "Port %d: default case!\n", port->port_number); + port->psy_usb_type = POWER_SUPPLY_USB_TYPE_SDP; + } + +-- +2.39.2 + diff --git a/queue-5.4/qlcnic-check-pci_reset_function-result.patch b/queue-5.4/qlcnic-check-pci_reset_function-result.patch new file mode 100644 index 00000000000..00761cb7e04 --- /dev/null +++ b/queue-5.4/qlcnic-check-pci_reset_function-result.patch @@ -0,0 +1,49 @@ +From 3e0a68229535018f108c0b4d3f0db7aa753a064c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Apr 2023 10:18:49 +0300 +Subject: qlcnic: check pci_reset_function result + +From: Denis Plotnikov + +[ Upstream commit 7573099e10ca69c3be33995c1fcd0d241226816d ] + +Static code analyzer complains to unchecked return value. +The result of pci_reset_function() is unchecked. +Despite, the issue is on the FLR supported code path and in that +case reset can be done with pcie_flr(), the patch uses less invasive +approach by adding the result check of pci_reset_function(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 7e2cf4feba05 ("qlcnic: change driver hardware interface mechanism") +Signed-off-by: Denis Plotnikov +Reviewed-by: Simon Horman +Reviewed-by: Bjorn Helgaas +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c +index af38d3d73291c..4814046cfc78e 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c +@@ -629,7 +629,13 @@ int qlcnic_fw_create_ctx(struct qlcnic_adapter *dev) + int i, err, ring; + + if (dev->flags & QLCNIC_NEED_FLR) { +- pci_reset_function(dev->pdev); ++ err = pci_reset_function(dev->pdev); ++ if (err) { ++ dev_err(&dev->pdev->dev, ++ "Adapter reset failed (%d). Please reboot\n", ++ err); ++ return err; ++ } + dev->flags &= ~QLCNIC_NEED_FLR; + } + +-- +2.39.2 + diff --git a/queue-5.4/rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch b/queue-5.4/rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch new file mode 100644 index 00000000000..8b11c2c0bce --- /dev/null +++ b/queue-5.4/rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch @@ -0,0 +1,38 @@ +From bb7be809a345fa230e93841125cf53e7bc9f1229 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 23:34:24 -0700 +Subject: RDMA/core: Fix GID entry ref leak when create_ah fails + +From: Saravanan Vajravel + +[ Upstream commit aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0 ] + +If AH create request fails, release sgid_attr to avoid GID entry +referrence leak reported while releasing GID table + +Fixes: 1a1f460ff151 ("RDMA: Hold the sgid_attr inside the struct ib_ah/qp") +Link: https://lore.kernel.org/r/20230401063424.342204-1-saravanan.vajravel@broadcom.com +Reviewed-by: Selvin Xavier +Signed-off-by: Saravanan Vajravel +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/verbs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index 93a7ff1bd02c7..f61933dacbfd8 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -521,6 +521,8 @@ static struct ib_ah *_rdma_create_ah(struct ib_pd *pd, + + ret = device->ops.create_ah(ah, ah_attr, flags, udata); + if (ret) { ++ if (ah->sgid_attr) ++ rdma_put_gid_attr(ah->sgid_attr); + kfree(ah); + return ERR_PTR(ret); + } +-- +2.39.2 + diff --git a/queue-5.4/sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch b/queue-5.4/sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch new file mode 100644 index 00000000000..368a92ed33d --- /dev/null +++ b/queue-5.4/sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch @@ -0,0 +1,44 @@ +From 8d91b7032b309fcf9085bce4b6ff2ee5236387dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Apr 2023 15:43:30 -0400 +Subject: sctp: fix a potential overflow in sctp_ifwdtsn_skip + +From: Xin Long + +[ Upstream commit 32832a2caf82663870126c5186cf8f86c8b2a649 ] + +Currently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only +checks the pos against the end of the chunk. However, the data left for +the last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereference +it as struct sctp_ifwdtsn_skip may cause coverflow. + +This patch fixes it by checking the pos against "the end of the chunk - +sizeof(struct sctp_ifwdtsn_skip)" in sctp_ifwdtsn_skip, similar to +sctp_fwdtsn_skip. + +Fixes: 0fc2ea922c8a ("sctp: implement validate_ftsn for sctp_stream_interleave") +Signed-off-by: Xin Long +Link: https://lore.kernel.org/r/2a71bffcd80b4f2c61fac6d344bb2f11c8fd74f7.1681155810.git.lucien.xin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sctp/stream_interleave.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/stream_interleave.c b/net/sctp/stream_interleave.c +index 40c40be23fcb7..c982f99099dec 100644 +--- a/net/sctp/stream_interleave.c ++++ b/net/sctp/stream_interleave.c +@@ -1165,7 +1165,8 @@ static void sctp_generate_iftsn(struct sctp_outq *q, __u32 ctsn) + + #define _sctp_walk_ifwdtsn(pos, chunk, end) \ + for (pos = chunk->subh.ifwdtsn_hdr->skip; \ +- (void *)pos < (void *)chunk->subh.ifwdtsn_hdr->skip + (end); pos++) ++ (void *)pos <= (void *)chunk->subh.ifwdtsn_hdr->skip + (end) - \ ++ sizeof(struct sctp_ifwdtsn_skip); pos++) + + #define sctp_walk_ifwdtsn(pos, ch) \ + _sctp_walk_ifwdtsn((pos), (ch), ntohs((ch)->chunk_hdr->length) - \ +-- +2.39.2 + diff --git a/queue-5.4/series b/queue-5.4/series index a40d9f6eed1..737e3329f2e 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -51,3 +51,16 @@ btrfs-fix-fast-csum-implementation-detection.patch mtdblock-tolerate-corrected-bit-flips.patch mtd-rawnand-meson-fix-bitmask-for-length-in-command-word.patch mtd-rawnand-stm32_fmc2-remove-unsupported-edo-mode.patch +9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch +niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch +qlcnic-check-pci_reset_function-result.patch +sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch +rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch +udp6-fix-potential-access-to-stale-information.patch +net-macb-fix-a-memory-corruption-in-extended-buffer-.patch +power-supply-cros_usbpd-reclassify-default-case-as-d.patch +i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch +efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch +drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch +verify_pefile-relax-wrapper-length-check.patch +asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch diff --git a/queue-5.4/udp6-fix-potential-access-to-stale-information.patch b/queue-5.4/udp6-fix-potential-access-to-stale-information.patch new file mode 100644 index 00000000000..633448c8afe --- /dev/null +++ b/queue-5.4/udp6-fix-potential-access-to-stale-information.patch @@ -0,0 +1,68 @@ +From 75fd8317c57866768812508c3b80ffaeda232142 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Apr 2023 13:03:08 +0000 +Subject: udp6: fix potential access to stale information +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +[ Upstream commit 1c5950fc6fe996235f1d18539b9c6b64b597f50f ] + +lena wang reported an issue caused by udpv6_sendmsg() +mangling msg->msg_name and msg->msg_namelen, which +are later read from ____sys_sendmsg() : + + /* + * If this is sendmmsg() and sending to current destination address was + * successful, remember it. + */ + if (used_address && err >= 0) { + used_address->name_len = msg_sys->msg_namelen; + if (msg_sys->msg_name) + memcpy(&used_address->name, msg_sys->msg_name, + used_address->name_len); + } + +udpv6_sendmsg() wants to pretend the remote address family +is AF_INET in order to call udp_sendmsg(). + +A fix would be to modify the address in-place, instead +of using a local variable, but this could have other side effects. + +Instead, restore initial values before we return from udpv6_sendmsg(). + +Fixes: c71d8ebe7a44 ("net: Fix security_socket_sendmsg() bypass problem.") +Reported-by: lena wang +Signed-off-by: Eric Dumazet +Reviewed-by: Maciej Żenczykowski +Link: https://lore.kernel.org/r/20230412130308.1202254-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/udp.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index fd1ce0405b7ea..3777ab1273f5a 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1283,9 +1283,11 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + msg->msg_name = &sin; + msg->msg_namelen = sizeof(sin); + do_udp_sendmsg: +- if (__ipv6_only_sock(sk)) +- return -ENETUNREACH; +- return udp_sendmsg(sk, msg, len); ++ err = __ipv6_only_sock(sk) ? ++ -ENETUNREACH : udp_sendmsg(sk, msg, len); ++ msg->msg_name = sin6; ++ msg->msg_namelen = addr_len; ++ return err; + } + } + +-- +2.39.2 + diff --git a/queue-5.4/verify_pefile-relax-wrapper-length-check.patch b/queue-5.4/verify_pefile-relax-wrapper-length-check.patch new file mode 100644 index 00000000000..27befd3813e --- /dev/null +++ b/queue-5.4/verify_pefile-relax-wrapper-length-check.patch @@ -0,0 +1,61 @@ +From 635570fcd005b481d2b74851795c343a1c9e8a7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Feb 2023 12:12:53 -0500 +Subject: verify_pefile: relax wrapper length check + +From: Robbie Harwood + +[ Upstream commit 4fc5c74dde69a7eda172514aaeb5a7df3600adb3 ] + +The PE Format Specification (section "The Attribute Certificate Table +(Image Only)") states that `dwLength` is to be rounded up to 8-byte +alignment when used for traversal. Therefore, the field is not required +to be an 8-byte multiple in the first place. + +Accordingly, pesign has not performed this alignment since version +0.110. This causes kexec failure on pesign'd binaries with "PEFILE: +Signature wrapper len wrong". Update the comment and relax the check. + +Signed-off-by: Robbie Harwood +Signed-off-by: David Howells +cc: Jarkko Sakkinen +cc: Eric Biederman +cc: Herbert Xu +cc: keyrings@vger.kernel.org +cc: linux-crypto@vger.kernel.org +cc: kexec@lists.infradead.org +Link: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only +Link: https://github.com/rhboot/pesign +Link: https://lore.kernel.org/r/20230220171254.592347-2-rharwood@redhat.com/ # v2 +Signed-off-by: Sasha Levin +--- + crypto/asymmetric_keys/verify_pefile.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c +index cc9dbcecaacaa..c43b077ba37db 100644 +--- a/crypto/asymmetric_keys/verify_pefile.c ++++ b/crypto/asymmetric_keys/verify_pefile.c +@@ -135,11 +135,15 @@ static int pefile_strip_sig_wrapper(const void *pebuf, + pr_debug("sig wrapper = { %x, %x, %x }\n", + wrapper.length, wrapper.revision, wrapper.cert_type); + +- /* Both pesign and sbsign round up the length of certificate table +- * (in optional header data directories) to 8 byte alignment. ++ /* sbsign rounds up the length of certificate table (in optional ++ * header data directories) to 8 byte alignment. However, the PE ++ * specification states that while entries are 8-byte aligned, this is ++ * not included in their length, and as a result, pesign has not ++ * rounded up since 0.110. + */ +- if (round_up(wrapper.length, 8) != ctx->sig_len) { +- pr_debug("Signature wrapper len wrong\n"); ++ if (wrapper.length > ctx->sig_len) { ++ pr_debug("Signature wrapper bigger than sig len (%x > %x)\n", ++ ctx->sig_len, wrapper.length); + return -ELIBBAD; + } + if (wrapper.revision != WIN_CERT_REVISION_2_0) { +-- +2.39.2 +