From: Greg Kroah-Hartman
Date: Wed, 21 Sep 2022 15:35:54 +0000 (+0200)
Subject: drop some 4.9 patches
X-Git-Tag: v5.19.11~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f94f1709cd363428881888aa3474b66dc3b2e872;p=thirdparty%2Fkernel%2Fstable-queue.git
drop some 4.9 patches
They shouldn't have been there, or were there before being in any other stable kernel release, which is odd...
---
diff --git a/queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch b/queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch
deleted file mode 100644
index 4d1555d6149..00000000000
--- a/queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -From b8e2810ec3b386975ca5c2a205f7e0d0e1671e50 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 19 Jun 2022 22:14:54 +0800 -Subject: drivers/net/ethernet/neterion/vxge: Fix a use-after-free bug in - vxge-main.c -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Wentao_Liang - -[ Upstream commit 8fc74d18639a2402ca52b177e990428e26ea881f ] - -The pointer vdev points to a memory region adjacent to a net_device -structure ndev, which is a field of hldev. At line 4740, the invocation -to vxge_device_unregister unregisters device hldev, and it also releases -the memory region pointed by vdev->bar0. At line 4743, the freed memory -region is referenced (i.e., iounmap(vdev->bar0)), resulting in a -use-after-free vulnerability. We can fix the bug by calling iounmap -before vxge_device_unregister. - -4721. static void vxge_remove(struct pci_dev *pdev) -4722. { -4723. struct __vxge_hw_device *hldev; -4724. struct vxgedev *vdev; -… -4731. vdev = netdev_priv(hldev->ndev); -… -4740. vxge_device_unregister(hldev); -4741. /* Do not call pci_disable_sriov here, as it - will break child devices */ -4742. vxge_hw_device_terminate(hldev); -4743. iounmap(vdev->bar0); -… -4749 vxge_debug_init(vdev->level_trace, "%s:%d - Device unregistered", -4750 __func__, __LINE__); -4751 vxge_debug_entryexit(vdev->level_trace, "%s:%d - Exiting...", __func__, -4752 __LINE__); -4753. } - -This is the screenshot when the vulnerability is triggered by using -KASAN. We can see that there is a use-after-free reported by KASAN. 
- -/***************************start**************************/ - -root@kernel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove -[ 178.296316] vxge_remove -[ 182.057081] - ================================================================== -[ 182.057548] BUG: KASAN: use-after-free in vxge_remove+0xe0/0x15c -[ 182.057760] Read of size 8 at addr ffff888006c76598 by task bash/119 -[ 182.057983] -[ 182.058747] CPU: 0 PID: 119 Comm: bash Not tainted 5.18.0 #5 -[ 182.058919] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS -rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 -[ 182.059463] Call Trace: -[ 182.059726] -[ 182.060017] dump_stack_lvl+0x34/0x44 -[ 182.060316] print_report.cold+0xb2/0x6b7 -[ 182.060401] ? kfree+0x89/0x290 -[ 182.060478] ? vxge_remove+0xe0/0x15c -[ 182.060545] kasan_report+0xa9/0x120 -[ 182.060629] ? vxge_remove+0xe0/0x15c -[ 182.060706] vxge_remove+0xe0/0x15c -[ 182.060793] pci_device_remove+0x5d/0xe0 -[ 182.060968] device_release_driver_internal+0xf1/0x180 -[ 182.061063] pci_stop_bus_device+0xae/0xe0 -[ 182.061150] pci_stop_and_remove_bus_device_locked+0x11/0x20 -[ 182.061236] remove_store+0xc6/0xe0 -[ 182.061297] ? subordinate_bus_number_show+0xc0/0xc0 -[ 182.061359] ? __mutex_lock_slowpath+0x10/0x10 -[ 182.061438] ? sysfs_kf_write+0x6d/0xa0 -[ 182.061525] kernfs_fop_write_iter+0x1b0/0x260 -[ 182.061610] ? sysfs_kf_bin_read+0xf0/0xf0 -[ 182.061695] new_sync_write+0x209/0x310 -[ 182.061789] ? new_sync_read+0x310/0x310 -[ 182.061865] ? cgroup_rstat_updated+0x5c/0x170 -[ 182.061937] ? preempt_count_sub+0xf/0xb0 -[ 182.061995] ? pick_next_entity+0x13a/0x220 -[ 182.062063] ? __inode_security_revalidate+0x44/0x80 -[ 182.062155] ? security_file_permission+0x46/0x2a0 -[ 182.062230] vfs_write+0x33f/0x3e0 -[ 182.062303] ksys_write+0xb4/0x150 -[ 182.062369] ? 
__ia32_sys_read+0x40/0x40 -[ 182.062451] do_syscall_64+0x3b/0x90 -[ 182.062531] entry_SYSCALL_64_after_hwframe+0x46/0xb0 -[ 182.062894] RIP: 0033:0x7f3f37d17274 -[ 182.063558] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f -80 00 00 00 00 48 8d 05 89 54 0d 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f -05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 49 89 d4 55 48 89 f5 53 -[ 182.063797] RSP: 002b:00007ffd5ba9e178 EFLAGS: 00000246 -ORIG_RAX: 0000000000000001 -[ 182.064117] RAX: ffffffffffffffda RBX: 0000000000000002 -RCX: 00007f3f37d17274 -[ 182.064219] RDX: 0000000000000002 RSI: 000055bbec327180 -RDI: 0000000000000001 -[ 182.064315] RBP: 000055bbec327180 R08: 000000000000000a -R09: 00007f3f37de7cf0 -[ 182.064414] R10: 000000000000000a R11: 0000000000000246 -R12: 00007f3f37de8760 -[ 182.064513] R13: 0000000000000002 R14: 00007f3f37de3760 -R15: 0000000000000002 -[ 182.064691] -[ 182.064916] -[ 182.065224] The buggy address belongs to the physical page: -[ 182.065804] page:00000000ef31e4f4 refcount:0 mapcount:0 -mapping:0000000000000000 index:0x0 pfn:0x6c76 -[ 182.067419] flags: 0x100000000000000(node=0|zone=1) -[ 182.068997] raw: 0100000000000000 0000000000000000 -ffffea00001b1d88 0000000000000000 -[ 182.069118] raw: 0000000000000000 0000000000000000 -00000000ffffffff 0000000000000000 -[ 182.069294] page dumped because: kasan: bad access detected -[ 182.069331] -[ 182.069360] Memory state around the buggy address: -[ 182.070006] ffff888006c76480: ff ff ff ff ff ff ff ff ff ff ff - ff ff ff ff ff -[ 182.070136] ffff888006c76500: ff ff ff ff ff ff ff ff ff ff ff - ff ff ff ff ff -[ 182.070230] >ffff888006c76580: ff ff ff ff ff ff ff ff ff ff ff - ff ff ff ff ff -[ 182.070305] ^ -[ 182.070456] ffff888006c76600: ff ff ff ff ff ff ff ff ff ff ff - ff ff ff ff ff -[ 182.070505] ffff888006c76680: ff ff ff ff ff ff ff ff ff ff ff - ff ff ff ff ff -[ 182.070606] -================================================================== -[ 182.071374] Disabling lock debugging due 
to kernel taint - -/*****************************end*****************************/ - -After fixing the bug as done in the patch, we can find KASAN do not report - the bug and the device(00:03.0) has been successfully removed. - -/*****************************start***************************/ - -root@kernel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove -root@kernel:~# - -/******************************end****************************/ - -Signed-off-by: Wentao_Liang -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/neterion/vxge/vxge-main.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/neterion/vxge/vxge-main.c b/drivers/net/ethernet/neterion/vxge/vxge-main.c -index c6950e580883..7fa71a66f19c 100644 ---- a/drivers/net/ethernet/neterion/vxge/vxge-main.c -+++ b/drivers/net/ethernet/neterion/vxge/vxge-main.c -@@ -4790,10 +4790,10 @@ static void vxge_remove(struct pci_dev *pdev) - for (i = 0; i < vdev->no_of_vpath; i++) - vxge_free_mac_add_list(&vdev->vpaths[i]); - -+ iounmap(vdev->bar0); - vxge_device_unregister(hldev); - /* Do not call pci_disable_sriov here, as it will break child devices */ - vxge_hw_device_terminate(hldev); -- iounmap(vdev->bar0); - pci_release_region(pdev, 0); - pci_disable_device(pdev); - driver_config->config_dev_cnt--; --- -2.35.1 - diff --git a/queue-4.9/series b/queue-4.9/series index 4192f5e9e33..07b4a3ea52b 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -1,9 +1,6 @@
 parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch
 cifs-don-t-send-down-the-destination-address-to-sendmsg-for-a-sock_stream.patch
-spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch
-spi-cadence-detect-transmit-fifo-depth.patch
 drm-vc4-crtc-use-an-union-to-store-the-page-flip-cal.patch
-drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch
 video-fbdev-skeletonfb-fix-syntax-errors-in-comments.patch
 video-fbdev-intelfb-use-aperture-size-from-pci_resou.patch
 video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch
diff --git a/queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch b/queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch
deleted file mode 100644
index 9213a8448f0..00000000000
--- a/queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch
+++ /dev/null
@@ -1,117 +0,0 @@ -From 2991f161280d1acb79edbfa5e241d18415f16dc8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 27 May 2022 11:11:43 +0200 -Subject: spi: cadence: Detect transmit FIFO depth - -From: Lars-Peter Clausen - -[ Upstream commit 7b40322f7183a92c4303457528ae7cda571c60b9 ] - -The depth of the transmit FIFO for the Cadence SPI controller is currently -hardcoded to 128. But the depth is a synthesis configuration parameter of -the core and can vary between different SoCs. - -If the configured FIFO size is less than 128 the driver will busy loop in -the cdns_spi_fill_tx_fifo() function waiting for FIFO space to become -available. - -Depending on the length and speed of the transfer it can spin for a -significant amount of time. The cdns_spi_fill_tx_fifo() function is called -from the drivers interrupt handler, so it can leave interrupts disabled for -a prolonged amount of time. - -In addition the read FIFO will also overflow and data will be discarded. - -To avoid this detect the actual size of the FIFO and use that rather than -the hardcoded value. - -To detect the FIFO size the FIFO threshold register is used. The register -is sized so that it can hold FIFO size - 1 as its maximum value. Bits that -are not needed to hold the threshold value will always read 0. By writing -0xffff to the register and then reading back the value in the register we -get the FIFO size. 
- -Signed-off-by: Lars-Peter Clausen -Link: https://lore.kernel.org/r/20220527091143.3780378-1-lars@metafoo.de -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - drivers/spi/spi-cadence.c | 27 +++++++++++++++++++++++---- - 1 file changed, 23 insertions(+), 4 deletions(-) - -diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c -index 6d294a1fa5e5..733724e71a30 100644 ---- a/drivers/spi/spi-cadence.c -+++ b/drivers/spi/spi-cadence.c -@@ -96,9 +96,6 @@ - #define CDNS_SPI_ER_ENABLE 0x00000001 /* SPI Enable Bit Mask */ - #define CDNS_SPI_ER_DISABLE 0x0 /* SPI Disable Bit Mask */ - --/* SPI FIFO depth in bytes */ --#define CDNS_SPI_FIFO_DEPTH 128 -- - /* Default number of chip select lines */ - #define CDNS_SPI_DEFAULT_NUM_CS 4 - -@@ -114,6 +111,7 @@ - * @rx_bytes: Number of bytes requested - * @dev_busy: Device busy flag - * @is_decoded_cs: Flag for decoder property set or not -+ * @tx_fifo_depth: Depth of the TX FIFO - */ - struct cdns_spi { - void __iomem *regs; -@@ -127,6 +125,7 @@ struct cdns_spi { - int rx_bytes; - u8 dev_busy; - u32 is_decoded_cs; -+ unsigned int tx_fifo_depth; - }; - - /* Macros for the SPI controller read/write */ -@@ -308,7 +307,7 @@ static void cdns_spi_fill_tx_fifo(struct cdns_spi *xspi) - { - unsigned long trans_cnt = 0; - -- while ((trans_cnt < CDNS_SPI_FIFO_DEPTH) && -+ while ((trans_cnt < xspi->tx_fifo_depth) && - (xspi->tx_bytes > 0)) { - if (xspi->txbuf) - cdns_spi_write(xspi, CDNS_SPI_TXD, *xspi->txbuf++); -@@ -463,6 +462,24 @@ static int cdns_unprepare_transfer_hardware(struct spi_master *master) - return 0; - } - -+/** -+ * cdns_spi_detect_fifo_depth - Detect the FIFO depth of the hardware -+ * @xspi: Pointer to the cdns_spi structure -+ * -+ * The depth of the TX FIFO is a synthesis configuration parameter of the SPI -+ * IP. The FIFO threshold register is sized so that its maximum value can be the -+ * FIFO size - 1. This is used to detect the size of the FIFO. 
-+ */ -+static void cdns_spi_detect_fifo_depth(struct cdns_spi *xspi) -+{ -+ /* The MSBs will get truncated giving us the size of the FIFO */ -+ cdns_spi_write(xspi, CDNS_SPI_THLD, 0xffff); -+ xspi->tx_fifo_depth = cdns_spi_read(xspi, CDNS_SPI_THLD) + 1; -+ -+ /* Reset to default */ -+ cdns_spi_write(xspi, CDNS_SPI_THLD, 0x1); -+} -+ - /** - * cdns_spi_probe - Probe method for the SPI driver - * @pdev: Pointer to the platform_device structure -@@ -536,6 +553,8 @@ static int cdns_spi_probe(struct platform_device *pdev) - if (ret < 0) - xspi->is_decoded_cs = 0; - -+ cdns_spi_detect_fifo_depth(xspi); -+ - /* SPI controller initializations */ - cdns_spi_init_hw(xspi); - --- -2.35.1 - diff --git a/queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch b/queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch deleted file mode 100644 index 7209d828a9b..00000000000 --- a/queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From a2874c7fe4294710fe1f347212f4d8c262cb3a7c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 6 Jun 2022 11:55:25 +0530 -Subject: spi: spi-cadence: Fix SPI CS gets toggling sporadically - -From: Sai Krishna Potthuri - -[ Upstream commit 21b511ddee09a78909035ec47a6a594349fe3296 ] - -As part of unprepare_transfer_hardware, SPI controller will be disabled -which will indirectly deassert the CS line. This will create a problem -in some of the devices where message will be transferred with -cs_change flag set(CS should not be deasserted). -As per SPI controller implementation, if SPI controller is disabled then -all output enables are inactive and all pins are set to input mode which -means CS will go to default state high(deassert). This leads to an issue -when core explicitly ask not to deassert the CS (cs_change = 1). This -patch fix the above issue by checking the Slave select status bits from -configuration register before disabling the SPI. - -Signed-off-by: Sai Krishna Potthuri -Signed-off-by: Amit Kumar Mahapatra -Link: https://lore.kernel.org/r/20220606062525.18447-1-amit.kumar-mahapatra@xilinx.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - drivers/spi/spi-cadence.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c -index e383c6368915..6d294a1fa5e5 100644 ---- a/drivers/spi/spi-cadence.c -+++ b/drivers/spi/spi-cadence.c -@@ -72,6 +72,7 @@ - #define CDNS_SPI_BAUD_DIV_SHIFT 3 /* Baud rate divisor shift in CR */ - #define CDNS_SPI_SS_SHIFT 10 /* Slave Select field shift in CR */ - #define CDNS_SPI_SS0 0x1 /* Slave Select zero */ -+#define CDNS_SPI_NOSS 0x3C /* No Slave select */ - - /* - * SPI Interrupt Registers bit Masks -@@ -444,15 +445,20 @@ static int cdns_prepare_transfer_hardware(struct spi_master *master) - * @master: Pointer to the spi_master structure which provides - * information about the controller. 
- * -- * This function disables the SPI master controller. -+ * This function disables the SPI master controller when no slave selected. - * - * Return: 0 always - */ - static int cdns_unprepare_transfer_hardware(struct spi_master *master) - { - struct cdns_spi *xspi = spi_master_get_devdata(master); -+ u32 ctrl_reg; - -- cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE); -+ /* Disable the SPI if slave is deselected */ -+ ctrl_reg = cdns_spi_read(xspi, CDNS_SPI_CR); -+ ctrl_reg = (ctrl_reg & CDNS_SPI_CR_SSCTRL) >> CDNS_SPI_SS_SHIFT; -+ if (ctrl_reg == CDNS_SPI_NOSS) -+ cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE); - - return 0; - } --- -2.35.1 -