From 0203c2833fbcd5acc548c4901781833c6d134a25 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sat, 14 Jun 2025 09:34:11 -0400
Subject: [PATCH] Fixes for 5.4
Signed-off-by: Sasha Levin
---
 ...rmi-fix-crash-with-unsupported-versi.patch | 262 ++++++++++++++++++
 ...-rmi4-convert-to-use-sysfs_emit-apis.patch | 68 +++++
 queue-5.4/nfsd-fix-ia_size-underflow.patch | 48 ++++
 ...etattr-create-s-handling-of-large-fi.patch | 48 ++++
 ...x-error-checking-in-genpd_dev_pm_att.patch | 43 +++
 queue-5.4/series | 5 +
 6 files changed, 474 insertions(+)
 create mode 100644 queue-5.4/input-synaptics-rmi-fix-crash-with-unsupported-versi.patch
 create mode 100644 queue-5.4/input-synaptics-rmi4-convert-to-use-sysfs_emit-apis.patch
 create mode 100644 queue-5.4/nfsd-fix-ia_size-underflow.patch
 create mode 100644 queue-5.4/nfsd-fix-nfsv3-setattr-create-s-handling-of-large-fi.patch
 create mode 100644 queue-5.4/pmdomain-core-fix-error-checking-in-genpd_dev_pm_att.patch
diff --git a/queue-5.4/input-synaptics-rmi-fix-crash-with-unsupported-versi.patch b/queue-5.4/input-synaptics-rmi-fix-crash-with-unsupported-versi.patch
new file mode 100644
index 0000000000..5eee3b25ad
--- /dev/null
+++ b/queue-5.4/input-synaptics-rmi-fix-crash-with-unsupported-versi.patch
@@ -0,0 +1,262 @@
+From 2e363dac724846174b4c3318c2409f1f040f55f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 May 2025 15:49:59 -0700
+Subject: Input: synaptics-rmi - fix crash with unsupported versions of F34
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Torokhov
+
+[ Upstream commit ca39500f6af9cfe6823dc5aa8fbaed788d6e35b2 ]
+
+Sysfs interface for updating firmware for RMI devices is available even
+when F34 probe fails. The code checks for presence of F34 "container"
+pointer and then tries to use the function data attached to the
+sub-device. F34 assigns the function data early, before it knows if
+probe will succeed, leaving behind a stale pointer.
+
+Fix this by expanding checks to not only test for presence of F34
+"container" but also check if there is driver data assigned to the
+sub-device, and call dev_set_drvdata() only after we are certain that
+probe is successful.
+
+This is not a complete fix, since F34 will be freed during firmware
+update, so there is still a race when fetching and accessing this
+pointer. This race will be addressed in follow-up changes.
+
+Reported-by: Hanno Böck
+Fixes: 29fd0ec2bdbe ("Input: synaptics-rmi4 - add support for F34 device reflash")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/aBlAl6sGulam-Qcx@google.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/rmi4/rmi_f34.c | 135 ++++++++++++++++++++---------------
+ 1 file changed, 76 insertions(+), 59 deletions(-)
+
+diff --git a/drivers/input/rmi4/rmi_f34.c b/drivers/input/rmi4/rmi_f34.c
+index c26808f10827a..c93a8ccd87c73 100644
+--- a/drivers/input/rmi4/rmi_f34.c
++++ b/drivers/input/rmi4/rmi_f34.c
+@@ -4,6 +4,7 @@
+ * Copyright (C) 2016 Zodiac Inflight Innovations
+ */
+
++#include "linux/device.h"
+ #include
+ #include
+ #include
+@@ -298,39 +299,30 @@ static int rmi_f34_update_firmware(struct f34_data *f34,
+ return ret;
+ }
+
+-static int rmi_f34_status(struct rmi_function *fn)
+-{
+- struct f34_data *f34 = dev_get_drvdata(&fn->dev);
+-
+- /*
+- * The status is the percentage complete, or once complete,
+- * zero for success or a negative return code.
+- */
+- return f34->update_status;
+-}
+-
+ static ssize_t rmi_driver_bootloader_id_show(struct device *dev,
+ struct device_attribute *dattr,
+ char *buf)
+ {
+ struct rmi_driver_data *data = dev_get_drvdata(dev);
+- struct rmi_function *fn = data->f34_container;
++ struct rmi_function *fn;
+ struct f34_data *f34;
+
+- if (fn) {
+- f34 = dev_get_drvdata(&fn->dev);
+-
+- if (f34->bl_version == 5)
+- return sysfs_emit(buf, "%c%c\n",
+- f34->bootloader_id[0],
+- f34->bootloader_id[1]);
+- else
+- return sysfs_emit(buf, "V%d.%d\n",
+- f34->bootloader_id[1],
+- f34->bootloader_id[0]);
+- }
++ fn = data->f34_container;
++ if (!fn)
++ return -ENODEV;
+
+- return 0;
++ f34 = dev_get_drvdata(&fn->dev);
++ if (!f34)
++ return -ENODEV;
++
++ if (f34->bl_version == 5)
++ return sysfs_emit(buf, "%c%c\n",
++ f34->bootloader_id[0],
++ f34->bootloader_id[1]);
++ else
++ return sysfs_emit(buf, "V%d.%d\n",
++ f34->bootloader_id[1],
++ f34->bootloader_id[0]);
+ }
+
+ static DEVICE_ATTR(bootloader_id, 0444, rmi_driver_bootloader_id_show, NULL);
+@@ -343,13 +335,16 @@ static ssize_t rmi_driver_configuration_id_show(struct device *dev,
+ struct rmi_function *fn = data->f34_container;
+ struct f34_data *f34;
+
+- if (fn) {
+- f34 = dev_get_drvdata(&fn->dev);
++ fn = data->f34_container;
++ if (!fn)
++ return -ENODEV;
+
+- return sysfs_emit(buf, "%s\n", f34->configuration_id);
+- }
++ f34 = dev_get_drvdata(&fn->dev);
++ if (!f34)
++ return -ENODEV;
+
+- return 0;
++
++ return sysfs_emit(buf, "%s\n", f34->configuration_id);
+ }
+
+ static DEVICE_ATTR(configuration_id, 0444,
+@@ -365,10 +360,14 @@ static int rmi_firmware_update(struct rmi_driver_data *data,
+
+ if (!data->f34_container) {
+ dev_warn(dev, "%s: No F34 present!\n", __func__);
+- return -EINVAL;
++ return -ENODEV;
+ }
+
+ f34 = dev_get_drvdata(&data->f34_container->dev);
++ if (!f34) {
++ dev_warn(dev, "%s: No valid F34 present!\n", __func__);
++ return -ENODEV;
++ }
+
+ if (f34->bl_version == 7) {
+ if (data->pdt_props & HAS_BSR) {
+@@ -494,10 +493,18 @@ static ssize_t rmi_driver_update_fw_status_show(struct device *dev,
+ char *buf)
+ {
+ struct rmi_driver_data *data = dev_get_drvdata(dev);
+- int update_status = 0;
++ struct f34_data *f34;
++ int update_status = -ENODEV;
+
+- if (data->f34_container)
+- update_status = rmi_f34_status(data->f34_container);
++ /*
++ * The status is the percentage complete, or once complete,
++ * zero for success or a negative return code.
++ */
++ if (data->f34_container) {
++ f34 = dev_get_drvdata(&data->f34_container->dev);
++ if (f34)
++ update_status = f34->update_status;
++ }
+
+ return sysfs_emit(buf, "%d\n", update_status);
+ }
+@@ -517,33 +524,21 @@ static const struct attribute_group rmi_firmware_attr_group = {
+ .attrs = rmi_firmware_attrs,
+ };
+
+-static int rmi_f34_probe(struct rmi_function *fn)
++static int rmi_f34v5_probe(struct f34_data *f34)
+ {
+- struct f34_data *f34;
+- unsigned char f34_queries[9];
++ struct rmi_function *fn = f34->fn;
++ u8 f34_queries[9];
+ bool has_config_id;
+- u8 version = fn->fd.function_version;
+- int ret;
+-
+- f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL);
+- if (!f34)
+- return -ENOMEM;
+-
+- f34->fn = fn;
+- dev_set_drvdata(&fn->dev, f34);
+-
+- /* v5 code only supported version 0, try V7 probe */
+- if (version > 0)
+- return rmi_f34v7_probe(f34);
++ int error;
+
+ f34->bl_version = 5;
+
+- ret = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr,
+- f34_queries, sizeof(f34_queries));
+- if (ret) {
++ error = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr,
++ f34_queries, sizeof(f34_queries));
++ if (error) {
+ dev_err(&fn->dev, "%s: Failed to query properties\n",
+ __func__);
+- return ret;
++ return error;
+ }
+
+ snprintf(f34->bootloader_id, sizeof(f34->bootloader_id),
+@@ -569,11 +564,11 @@ static int rmi_f34_probe(struct rmi_function *fn)
+ f34->v5.config_blocks);
+
+ if (has_config_id) {
+- ret = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr,
+- f34_queries, sizeof(f34_queries));
+- if (ret) {
++ error = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr,
++ f34_queries, sizeof(f34_queries));
++ if (error) {
+ dev_err(&fn->dev, "Failed to read F34 config ID\n");
+- return ret;
++ return error;
+ }
+
+ snprintf(f34->configuration_id, sizeof(f34->configuration_id),
+@@ -582,12 +577,34 @@ static int rmi_f34_probe(struct rmi_function *fn)
+ f34_queries[2], f34_queries[3]);
+
+ rmi_dbg(RMI_DEBUG_FN, &fn->dev, "Configuration ID: %s\n",
+- f34->configuration_id);
++ f34->configuration_id);
+ }
+
+ return 0;
+ }
+
++static int rmi_f34_probe(struct rmi_function *fn)
++{
++ struct f34_data *f34;
++ u8 version = fn->fd.function_version;
++ int error;
++
++ f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL);
++ if (!f34)
++ return -ENOMEM;
++
++ f34->fn = fn;
++
++ /* v5 code only supported version 0 */
++ error = version == 0 ? rmi_f34v5_probe(f34) : rmi_f34v7_probe(f34);
++ if (error)
++ return error;
++
++ dev_set_drvdata(&fn->dev, f34);
++
++ return 0;
++}
++
+ int rmi_f34_create_sysfs(struct rmi_device *rmi_dev)
+ {
+ return sysfs_create_group(&rmi_dev->dev.kobj, &rmi_firmware_attr_group);
+--
+2.39.5
+
diff --git a/queue-5.4/input-synaptics-rmi4-convert-to-use-sysfs_emit-apis.patch b/queue-5.4/input-synaptics-rmi4-convert-to-use-sysfs_emit-apis.patch
new file mode 100644
index 0000000000..24be088f01
--- /dev/null
+++ b/queue-5.4/input-synaptics-rmi4-convert-to-use-sysfs_emit-apis.patch
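Review bot: In `rmi_driver_configuration_id_show` the declaration still reads `struct rmi_function *fn = data->f34_container;` and the added line `fn = data->f34_container;` assigns the same value a second time, whereas `rmi_driver_bootloader_id_show` had its declaration reduced to `struct rmi_function *fn;`; dropping the initializer, and the doubled blank line before the final `return sysfs_emit(...)`, would keep the two show handlers parallel. The new include is written `#include "linux/device.h"` where kernel headers are normally pulled in as `#include <linux/device.h>`. The status comment moved into `rmi_driver_update_fw_status_show` could also state that the attribute now reports `-ENODEV` when F34 or its driver data is absent, since the default changed from 0 and a reader of the attribute previously saw that case as success. The functions touched here begin and end outside the nested hunks, so how these pointer reads are serialized against a firmware update cannot be judged from this page.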
@@ -0,0 +1,68 @@
+From 14ba226b0fcce2932564692fe8a14ed53a42e6ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Sep 2022 08:56:06 -0700
+Subject: Input: synaptics-rmi4 - convert to use sysfs_emit() APIs
+
+From: zhang songyi
+
+[ Upstream commit 9dedc915937c33302df7fcab01c45e7936d6195a ]
+
+Follow the advice of the Documentation/filesystems/sysfs.rst and show()
+should only use sysfs_emit() or sysfs_emit_at() when formatting the value
+to be returned to user space.
+
+Reported-by: Zeal Robot
+Signed-off-by: zhang songyi
+Link: https://lore.kernel.org/r/20220927070936.258300-1-zhang.songyi@zte.com.cn
+Signed-off-by: Dmitry Torokhov
+Stable-dep-of: ca39500f6af9 ("Input: synaptics-rmi - fix crash with unsupported versions of F34")
+Signed-off-by: Sasha Levin
+---
+ drivers/input/rmi4/rmi_f34.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/input/rmi4/rmi_f34.c b/drivers/input/rmi4/rmi_f34.c
+index e5dca9868f87f..c26808f10827a 100644
+--- a/drivers/input/rmi4/rmi_f34.c
++++ b/drivers/input/rmi4/rmi_f34.c
+@@ -321,13 +321,13 @@ static ssize_t rmi_driver_bootloader_id_show(struct device *dev,
+ f34 = dev_get_drvdata(&fn->dev);
+
+ if (f34->bl_version == 5)
+- return scnprintf(buf, PAGE_SIZE, "%c%c\n",
+- f34->bootloader_id[0],
+- f34->bootloader_id[1]);
++ return sysfs_emit(buf, "%c%c\n",
++ f34->bootloader_id[0],
++ f34->bootloader_id[1]);
+ else
+- return scnprintf(buf, PAGE_SIZE, "V%d.%d\n",
+- f34->bootloader_id[1],
+- f34->bootloader_id[0]);
++ return sysfs_emit(buf, "V%d.%d\n",
++ f34->bootloader_id[1],
++ f34->bootloader_id[0]);
+ }
+
+ return 0;
+@@ -346,7 +346,7 @@ static ssize_t rmi_driver_configuration_id_show(struct device *dev,
+ if (fn) {
+ f34 = dev_get_drvdata(&fn->dev);
+
+- return scnprintf(buf, PAGE_SIZE, "%s\n", f34->configuration_id);
++ return sysfs_emit(buf, "%s\n", f34->configuration_id);
+ }
+
+ return 0;
+@@ -499,7 +499,7 @@ static ssize_t rmi_driver_update_fw_status_show(struct device *dev,
+ if (data->f34_container)
+ update_status = rmi_f34_status(data->f34_container);
+
+- return scnprintf(buf, PAGE_SIZE, "%d\n", update_status);
++ return sysfs_emit(buf, "%d\n", update_status);
+ }
+
+ static DEVICE_ATTR(update_fw_status, 0444,
+--
+2.39.5
+
diff --git a/queue-5.4/nfsd-fix-ia_size-underflow.patch b/queue-5.4/nfsd-fix-ia_size-underflow.patch
new file mode 100644
index 0000000000..947b86eca6
--- /dev/null
+++ b/queue-5.4/nfsd-fix-ia_size-underflow.patch
@@ -0,0 +1,48 @@
+From ab39defc89221644125fbcadf37c375d5b379263 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Jun 2025 16:53:21 -0700
+Subject: NFSD: Fix ia_size underflow
+
+From: Chuck Lever
+
+[ Upstream commit e6faac3f58c7c4176b66f63def17a34232a17b0e ]
+
+iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and
+NFSv4 both define file size as an unsigned 64-bit type. Thus there
+is a range of valid file size values an NFS client can send that is
+already larger than Linux can handle.
+
+Currently decode_fattr4() dumps a full u64 value into ia_size. If
+that value happens to be larger than S64_MAX, then ia_size
+underflows. I'm about to fix up the NFSv3 behavior as well, so let's
+catch the underflow in the common code path: nfsd_setattr().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever
+(cherry picked from commit e6faac3f58c7c4176b66f63def17a34232a17b0e)
+[Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 2f221d6f7b88
+attr: handle idmapped mounts]
+Signed-off-by: Larry Bassel
+Signed-off-by: Sasha Levin
+---
+ fs/nfsd/vfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index 6aa968bee0ce1..bee4fdf6e239a 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -448,6 +448,10 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
+ .ia_size = iap->ia_size,
+ };
+
++ host_err = -EFBIG;
++ if (iap->ia_size < 0)
++ goto out_unlock;
++
+ host_err = notify_change(dentry, &size_attr, NULL);
+ if (host_err)
+ goto out_unlock;
+--
+2.39.5
+
diff --git a/queue-5.4/nfsd-fix-nfsv3-setattr-create-s-handling-of-large-fi.patch b/queue-5.4/nfsd-fix-nfsv3-setattr-create-s-handling-of-large-fi.patch
new file mode 100644
index 0000000000..38c3779ff6
--- /dev/null
+++ b/queue-5.4/nfsd-fix-nfsv3-setattr-create-s-handling-of-large-fi.patch
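Review bot: The added `if (iap->ia_size < 0)` test in `nfsd_setattr` carries no comment saying why a size can be negative at this point, so someone reading vfs.c without the commit message has to rediscover that the value is a client-supplied u64 stored in a signed `loff_t`. A line such as `/* a client size above S64_MAX arrives here as a negative loff_t */` above the check would record that. The hunk shows only the middle of the function, so what `out_unlock` releases on this new early exit is taken on trust from the existing `goto out_unlock` just below it.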
@@ -0,0 +1,48 @@
+From 98213e3630a0b2800c084be9bf7c7c07fffa7280 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Jun 2025 16:55:04 -0700
+Subject: NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes
+
+From: Chuck Lever
+
+[ Upstream commit a648fdeb7c0e17177a2280344d015dba3fbe3314 ]
+
+iattr::ia_size is a loff_t, so these NFSv3 procedures must be
+careful to deal with incoming client size values that are larger
+than s64_max without corrupting the value.
+
+Silently capping the value results in storing a different value
+than the client passed in which is unexpected behavior, so remove
+the min_t() check in decode_sattr3().
+
+Note that RFC 1813 permits only the WRITE procedure to return
+NFS3ERR_FBIG. We believe that NFSv3 reference implementations
+also return NFS3ERR_FBIG when ia_size is too large.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever
+(cherry picked from commit a648fdeb7c0e17177a2280344d015dba3fbe3314)
+[Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 9cde9360d18d
+NFSD: Update the SETATTR3args decoder to use struct xdr_stream]
+Signed-off-by: Larry Bassel
+Signed-off-by: Sasha Levin
+---
+ fs/nfsd/nfs3xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
+index 03e8c45a52f3c..25b6b4db0af24 100644
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -122,7 +122,7 @@ decode_sattr3(__be32 *p, struct iattr *iap, struct user_namespace *userns)
+
+ iap->ia_valid |= ATTR_SIZE;
+ p = xdr_decode_hyper(p, &newsize);
+- iap->ia_size = min_t(u64, newsize, NFS_OFFSET_MAX);
++ iap->ia_size = newsize;
+ }
+ if ((tmp = ntohl(*p++)) == 1) { /* set to server time */
+ iap->ia_valid |= ATTR_ATIME;
+--
+2.39.5
+
diff --git a/queue-5.4/pmdomain-core-fix-error-checking-in-genpd_dev_pm_att.patch b/queue-5.4/pmdomain-core-fix-error-checking-in-genpd_dev_pm_att.patch
new file mode 100644
index 0000000000..3fd1abae81
--- /dev/null
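Review bot: With the `min_t()` clamp removed, `iap->ia_size = newsize;` in `decode_sattr3` stores a client-controlled u64 into a signed `loff_t`, so every consumer of the decoded attributes can now be handed a negative size. The change depends on the `-EFBIG` check in `nfsd_setattr()`, which is queued as a separate patch; it is worth confirming in the 5.4.y tree that no NFSv3 path reads `iap->ia_size` before, or without, reaching that check, particularly as the backport note records a resolved conflict. A comment on the assignment, for example `/* may exceed S64_MAX; rejected with -EFBIG in nfsd_setattr() */`, would document the dependency where the value enters. `decode_sattr3` begins and ends outside the hunk.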
+++ b/queue-5.4/pmdomain-core-fix-error-checking-in-genpd_dev_pm_att.patch
@@ -0,0 +1,43 @@
+From d1f580308371e239f69325b0e22bb083c1731f93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 May 2025 09:29:23 +0300
+Subject: pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()
+
+From: Dan Carpenter
+
+[ Upstream commit 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe ]
+
+The error checking for of_count_phandle_with_args() does not handle
+negative error codes correctly. The problem is that "index" is a u32 so
+in the condition "if (index >= num_domains)" negative error codes stored
+in "num_domains" are type promoted to very high positive values and
+"index" is always going to be valid.
+
+Test for negative error codes first and then test if "index" is valid.
+
+Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain")
+Signed-off-by: Dan Carpenter
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/aBxPQ8AI8N5v-7rL@stanley.mountain
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/base/power/domain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
+index eed4c865a4bf8..2ccd0c8003e24 100644
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -2509,7 +2509,7 @@ struct device *genpd_dev_pm_attach_by_id(struct device *dev,
+ /* Verify that the index is within a valid range. */
+ num_domains = of_count_phandle_with_args(dev->of_node, "power-domains",
+ "#power-domain-cells");
+- if (index >= num_domains)
++ if (num_domains < 0 || index >= num_domains)
+ return NULL;
+
+ /* Allocate and register device on the genpd bus. */
+--
+2.39.5
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 195b787345..c01e5cc285 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
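Review bot: The corrected condition `if (num_domains < 0 || index >= num_domains)` in `genpd_dev_pm_attach_by_id` returns NULL both for an out-of-range index and for a failed `of_count_phandle_with_args()` call, so a negative errno reaches the caller looking the same as "no such domain". Whether callers would be better served by `ERR_PTR(num_domains)` cannot be decided from this hunk, but the choice deserves a comment. Extending the existing one to something like `/* Verify that the index is within a valid range; a negative count is an errno and must be tested before the unsigned comparison. */` would also stop the ordering from being simplified away later. The function starts and ends outside the hunk.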
@@ -69,3 +69,8 @@ bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch
 ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch
 pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch
 do_change_type-refuse-to-operate-on-unmounted-not-ou.patch
+pmdomain-core-fix-error-checking-in-genpd_dev_pm_att.patch
+input-synaptics-rmi4-convert-to-use-sysfs_emit-apis.patch
+input-synaptics-rmi-fix-crash-with-unsupported-versi.patch
+nfsd-fix-ia_size-underflow.patch
+nfsd-fix-nfsv3-setattr-create-s-handling-of-large-fi.patch
--
2.47.2