From: Sasha Levin Date: Fri, 18 Aug 2023 13:48:27 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v6.4.12~86 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f7d3f9cdd88c469838702ea21a7c43678be1e131;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/series b/queue-4.19/series
index cef3aca40b2..53bca8e16df 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -51,3 +51,6 @@ pci-endpoint-add-support-to-specify-alignment-for-bu.patch
 pci-rockchip-set-address-alignment-for-endpoint-mode.patch
 nfsd4-kill-warnings-on-testing-stateids-with-mismatc.patch
 nfsd-remove-incorrect-check-in-nfsd4_validate_statei.patch
+virtio-mmio-convert-to-devm_platform_ioremap_resourc.patch
+virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch
+virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch
diff --git a/queue-4.19/virtio-mmio-convert-to-devm_platform_ioremap_resourc.patch b/queue-4.19/virtio-mmio-convert-to-devm_platform_ioremap_resourc.patch
new file mode 100644
index 00000000000..c40f08d199d
--- /dev/null
+++ b/queue-4.19/virtio-mmio-convert-to-devm_platform_ioremap_resourc.patch
@@ -0,0 +1,60 @@
+From 5ac4002a34d3bebd75822100825150557d82bae8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 22 Dec 2019 19:08:39 +0000
+Subject: virtio-mmio: convert to devm_platform_ioremap_resource
+
+From: Yangtao Li
+
+[ Upstream commit c64eb62cfce242a57a7276ca8280ae0baab29d05 ]
+
+Use devm_platform_ioremap_resource() to simplify code, which
+contains platform_get_resource, devm_request_mem_region and
+devm_ioremap.
+
+Signed-off-by: Yangtao Li
+Signed-off-by: Michael S. Tsirkin
+Stable-dep-of: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev")
+Signed-off-by: Sasha Levin
+---
+ drivers/virtio/virtio_mmio.c | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c
+index 17cd682acc22b..c20a678436263 100644
+--- a/drivers/virtio/virtio_mmio.c
++++ b/drivers/virtio/virtio_mmio.c
+@@ -548,18 +548,9 @@ static void virtio_mmio_release_dev(struct device *_d)
+ static int virtio_mmio_probe(struct platform_device *pdev)
+ {
+ struct virtio_mmio_device *vm_dev;
+- struct resource *mem;
+ unsigned long magic;
+ int rc;
+
+- mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- if (!mem)
+- return -EINVAL;
+-
+- if (!devm_request_mem_region(&pdev->dev, mem->start,
+- resource_size(mem), pdev->name))
+- return -EBUSY;
+-
+ vm_dev = devm_kzalloc(&pdev->dev, sizeof(*vm_dev), GFP_KERNEL);
+ if (!vm_dev)
+ return -ENOMEM;
+@@ -571,9 +562,9 @@ static int virtio_mmio_probe(struct platform_device *pdev)
+ INIT_LIST_HEAD(&vm_dev->virtqueues);
+ spin_lock_init(&vm_dev->lock);
+
+- vm_dev->base = devm_ioremap(&pdev->dev, mem->start, resource_size(mem));
+- if (vm_dev->base == NULL)
+- return -EFAULT;
++ vm_dev->base = devm_platform_ioremap_resource(pdev, 0);
++ if (IS_ERR(vm_dev->base))
++ return PTR_ERR(vm_dev->base);
+
+ /* Check magic value */
+ magic = readl(vm_dev->base + VIRTIO_MMIO_MAGIC_VALUE);
+--
+2.40.1
+
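Review bot: The new call `vm_dev->base = devm_platform_ioremap_resource(pdev, 0);` in `virtio_mmio_probe` relies on a helper that was introduced upstream after 4.19, and nothing visible in this queue entry provides it. Confirm the 4.19 tree already carries the helper, or queue the patch that adds it ahead of this one, otherwise the backport will not build. The change also alters the errno a failed probe reports: the removed code returned `-EINVAL`, `-EBUSY` or `-EFAULT`, while the new path returns whatever `PTR_ERR(vm_dev->base)` carries. The body of `virtio_mmio_probe` continues outside the inner hunks.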
diff --git a/queue-4.19/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch b/queue-4.19/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch
new file mode 100644
index 00000000000..d0b241ae6fb
--- /dev/null
+++ b/queue-4.19/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch
@@ -0,0 +1,60 @@
+From a0fbedeefbd12ac6a8b6d1877f5f728bd21286b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jun 2023 14:05:26 +0200
+Subject: virtio-mmio: don't break lifecycle of vm_dev
+
+From: Wolfram Sang
+
+[ Upstream commit 55c91fedd03d7b9cf0c5199b2eb12b9b8e95281a ]
+
+vm_dev has a separate lifecycle because it has a 'struct device'
+embedded. Thus, having a release callback for it is correct.
+
+Allocating the vm_dev struct with devres totally breaks this protection,
+though. Instead of waiting for the vm_dev release callback, the memory
+is freed when the platform_device is removed. Resulting in a
+use-after-free when finally the callback is to be called.
+
+To easily see the problem, compile the kernel with
+CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs.
+
+The fix is easy, don't use devres in this case.
+
+Found during my research about object lifetime problems.
+
+Fixes: 7eb781b1bbb7 ("virtio_mmio: add cleanup for virtio_mmio_probe")
+Signed-off-by: Wolfram Sang
+Message-Id: <20230629120526.7184-1-wsa+renesas@sang-engineering.com>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Sasha Levin
+---
+ drivers/virtio/virtio_mmio.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c
+index d654e8953b6cb..07be3a374efbb 100644
+--- a/drivers/virtio/virtio_mmio.c
++++ b/drivers/virtio/virtio_mmio.c
+@@ -537,9 +537,8 @@ static void virtio_mmio_release_dev(struct device *_d)
+ struct virtio_device *vdev =
+ container_of(_d, struct virtio_device, dev);
+ struct virtio_mmio_device *vm_dev = to_virtio_mmio_device(vdev);
+- struct platform_device *pdev = vm_dev->pdev;
+
+- devm_kfree(&pdev->dev, vm_dev);
++ kfree(vm_dev);
+ }
+
+ /* Platform device */
+@@ -550,7 +549,7 @@ static int virtio_mmio_probe(struct platform_device *pdev)
+ unsigned long magic;
+ int rc;
+
+- vm_dev = devm_kzalloc(&pdev->dev, sizeof(*vm_dev), GFP_KERNEL);
++ vm_dev = kzalloc(sizeof(*vm_dev), GFP_KERNEL);
+ if (!vm_dev)
+ return -ENOMEM;
+
+--
+2.40.1
+
diff --git a/queue-4.19/virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch b/queue-4.19/virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch
new file mode 100644
index 00000000000..d435163deaa
--- /dev/null
+++ b/queue-4.19/virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch
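Review bot: In queue-4.19/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch, switching `virtio_mmio_probe` to `vm_dev = kzalloc(sizeof(*vm_dev), GFP_KERNEL);` means any early `return` taken before the embedded device is handed to the driver core now leaks `vm_dev`, since devres no longer frees it and the release callback presumably cannot run for a device that was never registered. One such path is visible in this series, `return PTR_ERR(vm_dev->base);` from the devm_platform_ioremap_resource patch; the rest of the probe body lies outside the hunk and should be checked for others. Each of those returns should free the struct first, for example `rc = PTR_ERR(vm_dev->base); goto free_vm_dev;` with a `free_vm_dev: kfree(vm_dev); return rc;` tail at the end of the function. Once registration has been attempted the release callback must do the freeing, so a direct `kfree()` belongs only on the paths before that point.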
@@ -0,0 +1,38 @@
+From a210e94bf55aa8d8324e0e04b544af7012e6c829 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Feb 2021 13:57:24 +0800
+Subject: virtio-mmio: Use to_virtio_mmio_device() to simply code
+
+From: Tang Bin
+
+[ Upstream commit da98b54d02981de5b07d8044b2a632bf6ba3ac45 ]
+
+The file virtio_mmio.c has defined the function to_virtio_mmio_device,
+so use it instead of container_of() to simply code.
+
+Signed-off-by: Tang Bin
+Link: https://lore.kernel.org/r/20210222055724.220-1-tangbin@cmss.chinamobile.com
+Signed-off-by: Michael S. Tsirkin
+Stable-dep-of: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev")
+Signed-off-by: Sasha Levin
+---
+ drivers/virtio/virtio_mmio.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c
+index c20a678436263..d654e8953b6cb 100644
+--- a/drivers/virtio/virtio_mmio.c
++++ b/drivers/virtio/virtio_mmio.c
+@@ -536,8 +536,7 @@ static void virtio_mmio_release_dev(struct device *_d)
+ {
+ struct virtio_device *vdev =
+ container_of(_d, struct virtio_device, dev);
+- struct virtio_mmio_device *vm_dev =
+- container_of(vdev, struct virtio_mmio_device, vdev);
++ struct virtio_mmio_device *vm_dev = to_virtio_mmio_device(vdev);
+ struct platform_device *pdev = vm_dev->pdev;
+
+ devm_kfree(&pdev->dev, vm_dev);
+--
+2.40.1
+