From 0b6eb7f648526d3461c248d552edce907fa240db Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 20 Aug 2023 21:34:10 +0200 Subject: [PATCH] 6.1-stable patches added patches: btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch btrfs-fix-incorrect-splitting-in-btrfs_drop_extent_map_range.patch fbdev-mmp-fix-value-check-in-mmphw_probe.patch i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch i2c-designware-correct-length-byte-validation-logic.patch i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch i2c-hisi-only-handle-the-interrupt-of-the-driver-s-transfer.patch i2c-tegra-fix-i2c-tegra-dma-config-option-processing.patch powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch tty-n_gsm-fix-the-uaf-caused-by-race-condition-in-gsm_cleanup_mux.patch tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.patch vdpa-add-features-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch vdpa-add-queue-index-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch vdpa-enable-strict-validation-for-netlinks-ops.patch --- ...on-condition-in-btrfs_cancel_balance.patch | 64 ++++++++++++ ...tting-in-btrfs_drop_extent_map_range.patch | 98 +++++++++++++++++++ ...v-mmp-fix-value-check-in-mmphw_probe.patch | 34 +++++++ ...fix-bcm_iproc_i2c_isr-deadlock-issue.patch | 61 ++++++++++++ ...correct-length-byte-validation-logic.patch | 48 +++++++++ ...bus-block-data-response-length-value.patch | 57 +++++++++++ ...e-interrupt-of-the-driver-s-transfer.patch | 41 ++++++++ ...c-tegra-dma-config-option-processing.patch | 43 ++++++++ ...er-copy-to-flash-block-cache-objects.patch | 68 +++++++++++++ queue-6.1/series | 15 +++ ...by-race-condition-in-gsm_cleanup_mux.patch | 59 +++++++++++ ...-by-writing-1-for-lpuart32-platforms.patch | 37 +++++++ ...pa_nl_policy-for-nlattr-length-check.patch | 40 ++++++++ ...pa_nl_policy-for-nlattr-length-check.patch | 40 ++++++++ ...pa_nl_policy-for-nlattr-length-check.patch | 40 ++++++++ 
...e-strict-validation-for-netlinks-ops.patch | 63 ++++++++++++ 16 files changed, 808 insertions(+) create mode 100644 queue-6.1/btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch create mode 100644 queue-6.1/btrfs-fix-incorrect-splitting-in-btrfs_drop_extent_map_range.patch create mode 100644 queue-6.1/fbdev-mmp-fix-value-check-in-mmphw_probe.patch create mode 100644 queue-6.1/i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch create mode 100644 queue-6.1/i2c-designware-correct-length-byte-validation-logic.patch create mode 100644 queue-6.1/i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch create mode 100644 queue-6.1/i2c-hisi-only-handle-the-interrupt-of-the-driver-s-transfer.patch create mode 100644 queue-6.1/i2c-tegra-fix-i2c-tegra-dma-config-option-processing.patch create mode 100644 queue-6.1/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch create mode 100644 queue-6.1/tty-n_gsm-fix-the-uaf-caused-by-race-condition-in-gsm_cleanup_mux.patch create mode 100644 queue-6.1/tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.patch create mode 100644 queue-6.1/vdpa-add-features-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch create mode 100644 queue-6.1/vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch create mode 100644 queue-6.1/vdpa-add-queue-index-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch create mode 100644 queue-6.1/vdpa-enable-strict-validation-for-netlinks-ops.patch diff --git a/queue-6.1/btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch b/queue-6.1/btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch new file mode 100644 index 00000000000..ebe394dda9c --- /dev/null +++ b/queue-6.1/btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch 
@@ -0,0 +1,64 @@ +From 29eefa6d0d07e185f7bfe9576f91e6dba98189c2 Mon Sep 17 00:00:00 2001 +From: xiaoshoukui +Date: Tue, 15 Aug 2023 02:55:59 -0400 +Subject: btrfs: fix BUG_ON condition in btrfs_cancel_balance + +From: xiaoshoukui + +commit 29eefa6d0d07e185f7bfe9576f91e6dba98189c2 upstream. + +Pausing and canceling balance can race to interrupt balance lead to BUG_ON +panic in btrfs_cancel_balance. The BUG_ON condition in btrfs_cancel_balance +does not take this race scenario into account. + +However, the race condition has no other side effects. We can fix that. + +Reproducing it with panic trace like this: + + kernel BUG at fs/btrfs/volumes.c:4618! + RIP: 0010:btrfs_cancel_balance+0x5cf/0x6a0 + Call Trace: + + ? do_nanosleep+0x60/0x120 + ? hrtimer_nanosleep+0xb7/0x1a0 + ? sched_core_clone_cookie+0x70/0x70 + btrfs_ioctl_balance_ctl+0x55/0x70 + btrfs_ioctl+0xa46/0xd20 + __x64_sys_ioctl+0x7d/0xa0 + do_syscall_64+0x38/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + + Race scenario as follows: + > mutex_unlock(&fs_info->balance_mutex); + > -------------------- + > .......issue pause and cancel req in another thread + > -------------------- + > ret = __btrfs_balance(fs_info); + > + > mutex_lock(&fs_info->balance_mutex); + > if (ret == -ECANCELED && atomic_read(&fs_info->balance_pause_req)) { + > btrfs_info(fs_info, "balance: paused"); + > btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED); + > } + +CC: stable@vger.kernel.org # 4.19+ +Signed-off-by: xiaoshoukui +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4652,8 +4652,7 @@ int btrfs_cancel_balance(struct btrfs_fs + } + } + +- BUG_ON(fs_info->balance_ctl || +- test_bit(BTRFS_FS_BALANCE_RUNNING, &fs_info->flags)); ++ ASSERT(!test_bit(BTRFS_FS_BALANCE_RUNNING, &fs_info->flags)); + atomic_dec(&fs_info->balance_cancel_req); + 
mutex_unlock(&fs_info->balance_mutex); + return 0; diff --git a/queue-6.1/btrfs-fix-incorrect-splitting-in-btrfs_drop_extent_map_range.patch b/queue-6.1/btrfs-fix-incorrect-splitting-in-btrfs_drop_extent_map_range.patch new file mode 100644 index 00000000000..36e795a691b --- /dev/null +++ b/queue-6.1/btrfs-fix-incorrect-splitting-in-btrfs_drop_extent_map_range.patch 
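Review bot: The replacement `ASSERT(!test_bit(BTRFS_FS_BALANCE_RUNNING, &fs_info->flags));` silently drops the `fs_info->balance_ctl` half of the old condition, and neither the hunk nor the message says why a non-NULL balance_ctl is now acceptable at this point. From the race diagram in the message it appears a concurrent pause request can win, leaving the balance paused (so balance_ctl stays allocated) while this cancel request is already unwinding; a one-line comment above the ASSERT would spare the next reader that reconstruction, e.g. `/* balance_ctl may still be set: a racing pause can win over this cancel and leave the balance paused rather than cancelled. */`. Note also that btrfs ASSERT() is a no-op unless CONFIG_BTRFS_ASSERT is enabled, so on production builds the function returns 0 in that case even though the balance was paused, not cancelled; if callers rely on 0 meaning "cancelled", that deserves a sentence too. btrfs_cancel_balance() starts before this hunk, so the code preceding the assertion is not visible here.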
@@ -0,0 +1,98 @@ +From c962098ca4af146f2625ed64399926a098752c9c Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 17 Aug 2023 16:57:30 -0400 +Subject: btrfs: fix incorrect splitting in btrfs_drop_extent_map_range + +From: Josef Bacik + +commit c962098ca4af146f2625ed64399926a098752c9c upstream. + +In production we were seeing a variety of WARN_ON()'s in the extent_map +code, specifically in btrfs_drop_extent_map_range() when we have to call +add_extent_mapping() for our second split. + +Consider the following extent map layout + + PINNED + [0 16K) [32K, 48K) + +and then we call btrfs_drop_extent_map_range for [0, 36K), with +skip_pinned == true. The initial loop will have + + start = 0 + end = 36K + len = 36K + +we will find the [0, 16k) extent, but since we are pinned we will skip +it, which has this code + + start = em_end; + if (end != (u64)-1) + len = start + len - em_end; + +em_end here is 16K, so now the values are + + start = 16K + len = 16K + 36K - 16K = 36K + +len should instead be 20K. This is a problem when we find the next +extent at [32K, 48K), we need to split this extent to leave [36K, 48k), +however the code for the split looks like this + + split->start = start + len; + split->len = em_end - (start + len); + +In this case we have + + em_end = 48K + split->start = 16K + 36K // this should be 16K + 20K + split->len = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K + +and now we have an invalid extent_map in the tree that potentially +overlaps other entries in the extent map. Even in the non-overlapping +case we will have split->start set improperly, which will cause problems +with any block related calculations. + +We don't actually need len in this loop, we can simply use end as our +end point, and only adjust start up when we find a pinned extent we need +to skip. + +Adjust the logic to do this, which keeps us from inserting an invalid +extent map. 
+ +We only skip_pinned in the relocation case, so this is relatively rare, +except in the case where you are running relocation a lot, which can +happen with auto relocation on. + +Fixes: 55ef68990029 ("Btrfs: Fix btrfs_drop_extent_cache for skip pinned case") +CC: stable@vger.kernel.org # 4.14+ +Reviewed-by: Filipe Manana +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent_map.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/extent_map.c ++++ b/fs/btrfs/extent_map.c +@@ -784,8 +784,6 @@ void btrfs_drop_extent_map_range(struct + + if (skip_pinned && test_bit(EXTENT_FLAG_PINNED, &em->flags)) { + start = em_end; +- if (end != (u64)-1) +- len = start + len - em_end; + goto next; + } + +@@ -853,8 +851,8 @@ void btrfs_drop_extent_map_range(struct + if (!split) + goto remove_em; + } +- split->start = start + len; +- split->len = em_end - (start + len); ++ split->start = end; ++ split->len = em_end - end; + split->block_start = em->block_start; + split->flags = flags; + split->compress_type = em->compress_type; diff --git a/queue-6.1/fbdev-mmp-fix-value-check-in-mmphw_probe.patch b/queue-6.1/fbdev-mmp-fix-value-check-in-mmphw_probe.patch new file mode 100644 index 00000000000..6430f04b01f --- /dev/null +++ b/queue-6.1/fbdev-mmp-fix-value-check-in-mmphw_probe.patch 
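Review bot: After this hunk `len` is no longer shrunk when a pinned extent is skipped, yet it is still declared and, judging by the diffstat (only these four lines touched) and the message's "we don't actually need len in this loop", still feeds whatever lookup runs before the loop body, so after `start = em_end;` the lookup window [start, start + len) now extends past `end`. Whether that is harmless depends on the loop bounding on `end` in the part of btrfs_drop_extent_map_range() outside the hunk; if it does, a short comment at `start = em_end;` would make that explicit, e.g. `/* Skip past the pinned extent; the loop is bounded by end, so len need not shrink. */`. The rewritten split, `split->start = end; split->len = em_end - end;`, assumes `end` is exclusive at this point, which matches the [0, 36K) example in the message but is established by code outside the hunk. The enclosing function starts and ends outside this hunk.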
@@ -0,0 +1,34 @@ +From 0872b2c0abc0e84ac82472959c8e14e35277549c Mon Sep 17 00:00:00 2001 +From: Yuanjun Gong +Date: Fri, 28 Jul 2023 01:03:18 +0800 +Subject: fbdev: mmp: fix value check in mmphw_probe() + +From: Yuanjun Gong + +commit 0872b2c0abc0e84ac82472959c8e14e35277549c upstream. + +in mmphw_probe(), check the return value of clk_prepare_enable() +and return the error code if clk_prepare_enable() returns an +unexpected value. + +Fixes: d63028c38905 ("video: mmp display controller support") +Signed-off-by: Yuanjun Gong +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/mmp/hw/mmp_ctrl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/video/fbdev/mmp/hw/mmp_ctrl.c ++++ b/drivers/video/fbdev/mmp/hw/mmp_ctrl.c +@@ -519,7 +519,9 @@ static int mmphw_probe(struct platform_d + "unable to get clk %s\n", mi->clk_name); + goto failed; + } +- clk_prepare_enable(ctrl->clk); ++ ret = clk_prepare_enable(ctrl->clk); ++ if (ret) ++ goto failed; + + /* init global regs */ + ctrl_set_default(ctrl); diff --git a/queue-6.1/i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch b/queue-6.1/i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch new file mode 100644 index 00000000000..5ef58d99e30 --- /dev/null +++ b/queue-6.1/i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch 
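Review bot: The new failure path `ret = clk_prepare_enable(ctrl->clk); if (ret) goto failed;` bails out silently, whereas the adjacent clk-get failure (the `"unable to get clk %s\n", mi->clk_name` diagnostic whose call begins above the hunk) logs the reason; a probe that fails with no message is hard to diagnose on a board. Consider mirroring that diagnostic before the goto with the same dev_err-style call, e.g. `"unable to enable clk %s\n", mi->clk_name`. Nothing needs undoing for the clock itself since it was never enabled, but the `failed:` label and whatever it releases lie outside the hunk, so the rest of the unwind cannot be checked here. mmphw_probe() starts and ends outside the hunk.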
@@ -0,0 +1,61 @@ +From 4caf4cb1eaed469742ef719f2cc024b1ec3fa9e6 Mon Sep 17 00:00:00 2001 +From: Chengfeng Ye +Date: Fri, 7 Jul 2023 08:49:41 +0000 +Subject: i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue + +From: Chengfeng Ye + +commit 4caf4cb1eaed469742ef719f2cc024b1ec3fa9e6 upstream. + +iproc_i2c_rd_reg() and iproc_i2c_wr_reg() are called from both +interrupt context (e.g. bcm_iproc_i2c_isr) and process context +(e.g. bcm_iproc_i2c_suspend). Therefore, interrupts should be +disabled to avoid potential deadlock. To prevent this scenario, +use spin_lock_irqsave(). + +Fixes: 9a1038728037 ("i2c: iproc: add NIC I2C support") +Signed-off-by: Chengfeng Ye +Acked-by: Ray Jui +Reviewed-by: Andi Shyti +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-bcm-iproc.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/i2c/busses/i2c-bcm-iproc.c ++++ b/drivers/i2c/busses/i2c-bcm-iproc.c +@@ -233,13 +233,14 @@ static inline u32 iproc_i2c_rd_reg(struc + u32 offset) + { + u32 val; ++ unsigned long flags; + + if (iproc_i2c->idm_base) { +- spin_lock(&iproc_i2c->idm_lock); ++ spin_lock_irqsave(&iproc_i2c->idm_lock, flags); + writel(iproc_i2c->ape_addr_mask, + iproc_i2c->idm_base + IDM_CTRL_DIRECT_OFFSET); + val = readl(iproc_i2c->base + offset); +- spin_unlock(&iproc_i2c->idm_lock); ++ spin_unlock_irqrestore(&iproc_i2c->idm_lock, flags); + } else { + val = readl(iproc_i2c->base + offset); + } +@@ -250,12 +251,14 @@ static inline u32 iproc_i2c_rd_reg(struc + static inline void iproc_i2c_wr_reg(struct bcm_iproc_i2c_dev *iproc_i2c, + u32 offset, u32 val) + { ++ unsigned long flags; ++ + if (iproc_i2c->idm_base) { +- spin_lock(&iproc_i2c->idm_lock); ++ spin_lock_irqsave(&iproc_i2c->idm_lock, flags); + writel(iproc_i2c->ape_addr_mask, + iproc_i2c->idm_base + IDM_CTRL_DIRECT_OFFSET); + writel(val, iproc_i2c->base + offset); +- spin_unlock(&iproc_i2c->idm_lock); ++ spin_unlock_irqrestore(&iproc_i2c->idm_lock, 
flags); + } else { + writel(val, iproc_i2c->base + offset); + } diff --git a/queue-6.1/i2c-designware-correct-length-byte-validation-logic.patch b/queue-6.1/i2c-designware-correct-length-byte-validation-logic.patch new file mode 100644 index 00000000000..915dea3f48d --- /dev/null +++ b/queue-6.1/i2c-designware-correct-length-byte-validation-logic.patch 
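Review bot: The switch to `spin_lock_irqsave()` in iproc_i2c_rd_reg()/iproc_i2c_wr_reg() fixes the ISR-versus-process deadlock, but nothing in the code records the constraint, so a future caller that takes idm_lock with plain spin_lock() would reintroduce it; a comment at the lock's declaration or above these helpers is warranted, e.g. `/* idm_lock is taken from bcm_iproc_i2c_isr() as well as from process context (suspend/resume), so it must always be held with IRQs disabled. */`. The `else` branches still perform the bare readl()/writel() without the lock; that is unchanged by this patch and is fine only as long as variants without idm_base need no window selection around a single MMIO access, which is presumably the case but is not stated anywhere.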
@@ -0,0 +1,48 @@ +From 49d4db3953cb9004ff94efc0c176e026c820af5a Mon Sep 17 00:00:00 2001 +From: Quan Nguyen +Date: Wed, 26 Jul 2023 15:00:00 +0700 +Subject: i2c: designware: Correct length byte validation logic + +From: Quan Nguyen + +commit 49d4db3953cb9004ff94efc0c176e026c820af5a upstream. + +Commit 0daede80f870 ("i2c: designware: Convert driver to using regmap API") +changes the logic to validate the whole 32-bit return value of +DW_IC_DATA_CMD register instead of 8-bit LSB without reason. + +Later, commit f53f15ba5a85 ("i2c: designware: Get right data length"), +introduced partial fix but not enough because the "tmp > 0" still test +tmp as 32-bit value and is wrong in case the IC_DATA_CMD[11] is set. + +Revert the logic to just before commit 0daede80f870 +("i2c: designware: Convert driver to using regmap API"). + +Fixes: f53f15ba5a85 ("i2c: designware: Get right data length") +Fixes: 0daede80f870 ("i2c: designware: Convert driver to using regmap API") +Cc: stable@vger.kernel.org +Signed-off-by: Tam Nguyen +Signed-off-by: Quan Nguyen +Acked-by: Jarkko Nikula +Link: https://lore.kernel.org/r/20230726080001.337353-2-tamnguyenchi@os.amperecomputing.com +Reviewed-by: Andi Shyti +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-designware-master.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-designware-master.c ++++ b/drivers/i2c/busses/i2c-designware-master.c +@@ -525,9 +525,10 @@ i2c_dw_read(struct dw_i2c_dev *dev) + u32 flags = msgs[dev->msg_read_idx].flags; + + regmap_read(dev->map, DW_IC_DATA_CMD, &tmp); ++ tmp &= DW_IC_DATA_CMD_DAT; + /* Ensure length byte is a valid value */ + if (flags & I2C_M_RECV_LEN && +- (tmp & DW_IC_DATA_CMD_DAT) <= I2C_SMBUS_BLOCK_MAX && tmp > 0) { ++ tmp <= I2C_SMBUS_BLOCK_MAX && tmp > 0) { + len = i2c_dw_recv_len(dev, tmp); + } + *buf++ = tmp; 
diff --git a/queue-6.1/i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch b/queue-6.1/i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch new file mode 100644 index 00000000000..8063c244f93 --- /dev/null +++ b/queue-6.1/i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch 
@@ -0,0 +1,57 @@ +From 69f035c480d76f12bf061148ccfd578e1099e5fc Mon Sep 17 00:00:00 2001 +From: Tam Nguyen +Date: Wed, 26 Jul 2023 15:00:01 +0700 +Subject: i2c: designware: Handle invalid SMBus block data response length value + +From: Tam Nguyen + +commit 69f035c480d76f12bf061148ccfd578e1099e5fc upstream. + +In the I2C_FUNC_SMBUS_BLOCK_DATA case, the invalid length byte value +(outside of 1-32) of the SMBus block data response from the Slave device +is not correctly handled by the I2C Designware driver. + +In case IC_EMPTYFIFO_HOLD_MASTER_EN==1, which cannot be detected +from the registers, the Master can be disabled only if the STOP bit +is set. Without STOP bit set, the Master remains active, holding the bus +until receiving a block data response length. This hangs the bus and +is unrecoverable. + +Avoid this by issuing another dump read to reach the stop condition when +an invalid length byte is received. + +Cc: stable@vger.kernel.org +Signed-off-by: Tam Nguyen +Acked-by: Jarkko Nikula +Link: https://lore.kernel.org/r/20230726080001.337353-3-tamnguyenchi@os.amperecomputing.com +Reviewed-by: Andi Shyti +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-designware-master.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-designware-master.c ++++ b/drivers/i2c/busses/i2c-designware-master.c +@@ -527,8 +527,19 @@ i2c_dw_read(struct dw_i2c_dev *dev) + regmap_read(dev->map, DW_IC_DATA_CMD, &tmp); + tmp &= DW_IC_DATA_CMD_DAT; + /* Ensure length byte is a valid value */ +- if (flags & I2C_M_RECV_LEN && +- tmp <= I2C_SMBUS_BLOCK_MAX && tmp > 0) { ++ if (flags & I2C_M_RECV_LEN) { ++ /* ++ * if IC_EMPTYFIFO_HOLD_MASTER_EN is set, which cannot be ++ * detected from the registers, the controller can be ++ * disabled if the STOP bit is set. But it is only set ++ * after receiving block data response length in ++ * I2C_FUNC_SMBUS_BLOCK_DATA case. 
That needs to read ++ * another byte with STOP bit set when the block data ++ * response length is invalid to complete the transaction. ++ */ ++ if (!tmp || tmp > I2C_SMBUS_BLOCK_MAX) ++ tmp = 1; ++ + len = i2c_dw_recv_len(dev, tmp); + } + *buf++ = tmp; diff --git a/queue-6.1/i2c-hisi-only-handle-the-interrupt-of-the-driver-s-transfer.patch b/queue-6.1/i2c-hisi-only-handle-the-interrupt-of-the-driver-s-transfer.patch new file mode 100644 index 00000000000..8452d7991c8 --- /dev/null +++ b/queue-6.1/i2c-hisi-only-handle-the-interrupt-of-the-driver-s-transfer.patch 
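Review bot: When the length byte is invalid, the clamped `tmp = 1;` is also what lands in the caller's buffer through the unchanged `*buf++ = tmp;`, so a misbehaving or malicious slave that returns 0 or >32 now produces a "successful" 1-byte block whose payload is the dummy byte read to reach STOP, instead of the raw value that would let the caller (or the i2c core's block-length check, if it still inspects `buf[0]` after the transfer) notice the protocol violation. Consider keeping the wire value for the buffer and using the clamped value only to drive the controller: `u32 rx_len = tmp;` before the check and `*buf++ = rx_len;` in place of `*buf++ = tmp;`, or alternatively flag the transfer as failed so the caller sees an error rather than fabricated data. The new comment's last sentence would also read better as "so another byte must be read with the STOP bit set to complete the transaction". i2c_dw_read() starts and ends outside this hunk, so whether it has an error channel back to the caller is not visible here.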
@@ -0,0 +1,41 @@ +From fff67c1b17ee093947bdcbac6f64d072e644159a Mon Sep 17 00:00:00 2001 +From: Yicong Yang +Date: Tue, 1 Aug 2023 20:46:25 +0800 +Subject: i2c: hisi: Only handle the interrupt of the driver's transfer + +From: Yicong Yang + +commit fff67c1b17ee093947bdcbac6f64d072e644159a upstream. + +The controller may be shared with other port, for example the firmware. +Handle the interrupt from other sources will cause crash since some +data are not initialized. So only handle the interrupt of the driver's +transfer and discard others. + +Fixes: d62fbdb99a85 ("i2c: add support for HiSilicon I2C controller") +Signed-off-by: Yicong Yang +Reviewed-by: Andi Shyti +Link: https://lore.kernel.org/r/20230801124625.63587-1-yangyicong@huawei.com +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-hisi.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/i2c/busses/i2c-hisi.c ++++ b/drivers/i2c/busses/i2c-hisi.c +@@ -328,6 +328,14 @@ static irqreturn_t hisi_i2c_irq(int irq, + struct hisi_i2c_controller *ctlr = context; + u32 int_stat; + ++ /* ++ * Don't handle the interrupt if cltr->completion is NULL. We may ++ * reach here because the interrupt is spurious or the transfer is ++ * started by another port (e.g. firmware) rather than us. ++ */ ++ if (!ctlr->completion) ++ return IRQ_NONE; ++ + int_stat = readl(ctlr->iobase + HISI_I2C_INT_MSTAT); + hisi_i2c_clear_int(ctlr, int_stat); + if (!(int_stat & HISI_I2C_INT_ALL)) diff --git a/queue-6.1/i2c-tegra-fix-i2c-tegra-dma-config-option-processing.patch b/queue-6.1/i2c-tegra-fix-i2c-tegra-dma-config-option-processing.patch new file mode 100644 index 00000000000..b942b325bdb --- /dev/null +++ b/queue-6.1/i2c-tegra-fix-i2c-tegra-dma-config-option-processing.patch 
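Review bot: `if (!ctlr->completion) return IRQ_NONE;` is a plain, unlocked read of a field the transfer path sets and clears, so it closes the window only if completion is published before the controller is kicked off and cleared only after the interrupt is disabled or the transfer is known to be done; otherwise the handler can pass the check and still race with the clear. At minimum the read should be `READ_ONCE(ctlr->completion)` with a comment stating that ordering assumption, e.g. `/* completion is set before the transfer starts and cleared only after it has finished, so a non-NULL value here means the interrupt is ours. */`. Returning IRQ_NONE also leaves HISI_I2C_INT_MSTAT unread and uncleared for interrupts the driver disowns; if a level-triggered source that really belongs to this controller is not acknowledged by the other port, the line stays asserted and the kernel's spurious-interrupt throttle will eventually disable it. The comment also misspells `cltr->completion` (should be `ctlr`).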
@@ -0,0 +1,43 @@ +From 27ec43c77b5db780a56fc3a6d6de6bf2f74614f7 Mon Sep 17 00:00:00 2001 +From: Parker Newman +Date: Tue, 8 Aug 2023 16:01:06 +0200 +Subject: i2c: tegra: Fix i2c-tegra DMA config option processing + +From: Parker Newman + +commit 27ec43c77b5db780a56fc3a6d6de6bf2f74614f7 upstream. + +Tegra processors prior to Tegra186 used APB DMA for I2C requiring +CONFIG_TEGRA20_APB_DMA=y while Tegra186 and later use GPC DMA requiring +CONFIG_TEGRA186_GPC_DMA=y. + +The check for if the processor uses APB DMA is inverted and so the wrong +DMA config options are checked. + +This means if CONFIG_TEGRA20_APB_DMA=y but CONFIG_TEGRA186_GPC_DMA=n +with a Tegra186 or later processor the driver will incorrectly think DMA is +enabled and attempt to request DMA channels that will never be availible, +leaving the driver in a perpetual EPROBE_DEFER state. + +Fixes: 48cb6356fae1 ("i2c: tegra: Add GPCDMA support") +Signed-off-by: Parker Newman +Acked-by: Andi Shyti +Acked-by: Akhil R +Link: https://lore.kernel.org/r/fcfcf9b3-c8c4-9b34-2ff8-cd60a3d490bd@connecttech.com +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-tegra.c ++++ b/drivers/i2c/busses/i2c-tegra.c +@@ -449,7 +449,7 @@ static int tegra_i2c_init_dma(struct teg + if (i2c_dev->is_vi) + return 0; + +- if (!i2c_dev->hw->has_apb_dma) { ++ if (i2c_dev->hw->has_apb_dma) { + if (!IS_ENABLED(CONFIG_TEGRA20_APB_DMA)) { + dev_dbg(i2c_dev->dev, "APB DMA support not enabled\n"); + return 0; diff --git a/queue-6.1/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch b/queue-6.1/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch new file mode 100644 index 00000000000..5f779fcaa0d --- /dev/null +++ b/queue-6.1/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch 
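Review bot: The corrected `if (i2c_dev->hw->has_apb_dma)` is right, but the inverted form got through review once already, which suggests the mapping between has_apb_dma, the SoC generation and the two Kconfig symbols deserves a comment at this line, e.g. `/* Tegra20..Tegra210 use APB DMA (CONFIG_TEGRA20_APB_DMA); Tegra186 and later use GPC DMA (CONFIG_TEGRA186_GPC_DMA). */`. The GPC DMA branch is presumably the `else` that follows and lies outside the hunk, as does the rest of tegra_i2c_init_dma().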
@@ -0,0 +1,68 @@ +From 4f3175979e62de3b929bfa54a0db4b87d36257a7 Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Thu, 10 Aug 2023 22:37:55 -0500 +Subject: powerpc/rtas_flash: allow user copy to flash block cache objects + +From: Nathan Lynch + +commit 4f3175979e62de3b929bfa54a0db4b87d36257a7 upstream. + +With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the +/proc/powerpc/rtas/firmware_update interface to prepare a system +firmware update yields a BUG(): + + kernel BUG at mm/usercopy.c:102! + Oops: Exception in kernel mode, sig: 5 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + Modules linked in: + CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2 + Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries + NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000 + REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+) + MSR: 8000000000029033 CR: 24002242 XER: 0000000c + CFAR: c0000000001fbd34 IRQMASK: 0 + [ ... GPRs omitted ... ] + NIP usercopy_abort+0xa0/0xb0 + LR usercopy_abort+0x9c/0xb0 + Call Trace: + usercopy_abort+0x9c/0xb0 (unreliable) + __check_heap_object+0x1b4/0x1d0 + __check_object_size+0x2d0/0x380 + rtas_flash_write+0xe4/0x250 + proc_reg_write+0xfc/0x160 + vfs_write+0xfc/0x4e0 + ksys_write+0x90/0x160 + system_call_exception+0x178/0x320 + system_call_common+0x160/0x2c4 + +The blocks of the firmware image are copied directly from user memory +to objects allocated from flash_block_cache, so flash_block_cache must +be created using kmem_cache_create_usercopy() to mark it safe for user +access. 
+ +Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") +Signed-off-by: Nathan Lynch +Reviewed-by: Kees Cook +[mpe: Trim and indent oops] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230810-rtas-flash-vs-hardened-usercopy-v2-1-dcf63793a938@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/rtas_flash.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kernel/rtas_flash.c ++++ b/arch/powerpc/kernel/rtas_flash.c +@@ -710,9 +710,9 @@ static int __init rtas_flash_init(void) + if (!rtas_validate_flash_data.buf) + return -ENOMEM; + +- flash_block_cache = kmem_cache_create("rtas_flash_cache", +- RTAS_BLK_SIZE, RTAS_BLK_SIZE, 0, +- NULL); ++ flash_block_cache = kmem_cache_create_usercopy("rtas_flash_cache", ++ RTAS_BLK_SIZE, RTAS_BLK_SIZE, ++ 0, 0, RTAS_BLK_SIZE, NULL); + if (!flash_block_cache) { + printk(KERN_ERR "%s: failed to create block cache\n", + __func__); diff --git a/queue-6.1/series b/queue-6.1/series index a2c9aa34de0..bc77506a964 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
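Review bot: The new `kmem_cache_create_usercopy(..., 0, RTAS_BLK_SIZE, NULL)` whitelists every byte of every block for user copies in both directions, which is the right scope given that rtas_flash_write() (per the backtrace in the message) copies image data straight into a block, but the reason lives only in the commit message; a comment at the call would keep the whitelist from being "tidied" back to kmem_cache_create() later, e.g. `/* Whole blocks are filled directly from user memory by rtas_flash_write(), so the entire object must be usercopy-whitelisted. */`. The `rtas_validate_flash_data.buf` allocation visible just above is a separate buffer; whether it is also a copy_from_user() target and how it is allocated is not visible in this hunk. rtas_flash_init() starts and ends outside the hunk.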
@@ -86,3 +86,18 @@ vduse-use-proper-spinlock-for-irq-injection.patch
 vdpa-mlx5-fix-mr-initialized-semantics.patch
 vdpa-mlx5-delete-control-vq-iotlb-in-destroy_mr-only.patch
 cifs-fix-potential-oops-in-cifs_oplock_break.patch
+i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch
+i2c-hisi-only-handle-the-interrupt-of-the-driver-s-transfer.patch
+i2c-tegra-fix-i2c-tegra-dma-config-option-processing.patch
+fbdev-mmp-fix-value-check-in-mmphw_probe.patch
+powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch
+vdpa-add-features-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch
+vdpa-add-queue-index-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch
+vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch
+vdpa-enable-strict-validation-for-netlinks-ops.patch
+tty-n_gsm-fix-the-uaf-caused-by-race-condition-in-gsm_cleanup_mux.patch
+tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.patch
+btrfs-fix-incorrect-splitting-in-btrfs_drop_extent_map_range.patch
+btrfs-fix-bug_on-condition-in-btrfs_cancel_balance.patch
+i2c-designware-correct-length-byte-validation-logic.patch
+i2c-designware-handle-invalid-smbus-block-data-response-length-value.patch
diff --git a/queue-6.1/tty-n_gsm-fix-the-uaf-caused-by-race-condition-in-gsm_cleanup_mux.patch b/queue-6.1/tty-n_gsm-fix-the-uaf-caused-by-race-condition-in-gsm_cleanup_mux.patch
new file mode 100644
index 00000000000..427029a6f5b
--- /dev/null
+++ b/queue-6.1/tty-n_gsm-fix-the-uaf-caused-by-race-condition-in-gsm_cleanup_mux.patch
@@ -0,0 +1,59 @@ +From 3c4f8333b582487a2d1e02171f1465531cde53e3 Mon Sep 17 00:00:00 2001 +From: Yi Yang +Date: Fri, 11 Aug 2023 11:11:21 +0800 +Subject: tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux + +From: Yi Yang + +commit 3c4f8333b582487a2d1e02171f1465531cde53e3 upstream. + +In commit 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux"), the UAF +problem is not completely fixed. There is a race condition in +gsm_cleanup_mux(), which caused this UAF. + +The UAF problem is triggered by the following race: +task[5046] task[5054] +----------------------- ----------------------- +gsm_cleanup_mux(); +dlci = gsm->dlci[0]; +mutex_lock(&gsm->mutex); + gsm_cleanup_mux(); + dlci = gsm->dlci[0]; //Didn't take the lock +gsm_dlci_release(gsm->dlci[i]); +gsm->dlci[i] = NULL; +mutex_unlock(&gsm->mutex); + mutex_lock(&gsm->mutex); + dlci->dead = true; //UAF + +Fix it by assigning values after mutex_lock(). + +Link: https://syzkaller.appspot.com/text?tag=CrashReport&x=176188b5a80000 +Cc: stable +Fixes: 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux") +Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command") +Signed-off-by: Yi Yang +Co-developed-by: Qiumiao Zhang +Signed-off-by: Qiumiao Zhang +Link: https://lore.kernel.org/r/20230811031121.153237-1-yiyang13@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -2481,12 +2481,13 @@ static void gsm_error(struct gsm_mux *gs + static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc) + { + int i; +- struct gsm_dlci *dlci = gsm->dlci[0]; ++ struct gsm_dlci *dlci; + struct gsm_msg *txq, *ntxq; + + gsm->dead = true; + mutex_lock(&gsm->mutex); + ++ dlci = gsm->dlci[0]; + if (dlci) { + if (disc && dlci->state != DLCI_CLOSED) { + gsm_dlci_begin_close(dlci); 
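Review bot: Reading `gsm->dlci[0]` only after `mutex_lock(&gsm->mutex)` fixes this load, but the invariant it relies on — that dlci[] entries are released and NULLed only under gsm->mutex — is stated only in the commit message; a comment at the new assignment would pin it, e.g. `/* dlci[] may be torn down by a concurrent gsm_cleanup_mux(); it is only stable while gsm->mutex is held. */`. The fix covers this one read; whether `dlci` is still dereferenced after the matching mutex_unlock() further down gsm_cleanup_mux() (outside the hunk) cannot be checked here, and that is exactly where the previous partial fix fell short. Two concurrent gsm_cleanup_mux() calls still both proceed past `gsm->dead = true;`; checking `dead` under the mutex and making the second caller a no-op would remove the race class entirely, though that is a larger change than this stable fix.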
diff --git a/queue-6.1/tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.patch b/queue-6.1/tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.patch new file mode 100644 index 00000000000..22cafd1c142 --- /dev/null +++ b/queue-6.1/tty-serial-fsl_lpuart-clear-the-error-flags-by-writing-1-for-lpuart32-platforms.patch @@ -0,0 +1,37 @@ +From 282069845af388b08d622ad192b831dcd0549c62 Mon Sep 17 00:00:00 2001 +From: Sherry Sun +Date: Tue, 1 Aug 2023 10:23:04 +0800 +Subject: tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms + +From: Sherry Sun + +commit 282069845af388b08d622ad192b831dcd0549c62 upstream. + +Do not read the data register to clear the error flags for lpuart32 +platforms, the additional read may cause the receive FIFO underflow +since the DMA has already read the data register. +Actually all lpuart32 platforms support write 1 to clear those error +bits, let's use this method to better clear the error flags. + +Fixes: 42b68768e51b ("serial: fsl_lpuart: DMA support for 32-bit variant") +Cc: stable +Signed-off-by: Sherry Sun +Link: https://lore.kernel.org/r/20230801022304.24251-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/fsl_lpuart.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1125,8 +1125,8 @@ static void lpuart_copy_rx_to_tty(struct + unsigned long sr = lpuart32_read(&sport->port, UARTSTAT); + + if (sr & (UARTSTAT_PE | UARTSTAT_FE)) { +- /* Read DR to clear the error flags */ +- lpuart32_read(&sport->port, UARTDATA); ++ /* Clear the error flags */ ++ lpuart32_write(&sport->port, sr, UARTSTAT); + + if (sr & UARTSTAT_PE) + sport->port.icount.parity++; 
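Review bot: `lpuart32_write(&sport->port, sr, UARTSTAT);` writes the whole status word back, which on a write-1-to-clear register clears every pending W1C flag present in `sr`, not only PE/FE — an overrun or idle indication consumed elsewhere in the RX path would be acked here without the code saying so. If UARTSTAT also carries R/W configuration bits, as the i.MX/Kinetis LPUART STAT register does, writing the read-back value is the correct way to preserve them, so the intent is best captured in the comment rather than by masking, e.g. `/* UARTSTAT is W1C: write back the value just read to clear PE/FE (this also acks any other pending W1C flag) instead of reading DR, which underflows the RX FIFO when DMA has already drained it. */`. If some other W1C flag in `sr` is consumed by a different handler, this write instead needs masking to PE/FE while keeping the non-W1C bits intact. lpuart_copy_rx_to_tty() starts and ends outside the hunk.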
diff --git a/queue-6.1/vdpa-add-features-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch b/queue-6.1/vdpa-add-features-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch
new file mode 100644
index 00000000000..dc5f211ac15
--- /dev/null
+++ b/queue-6.1/vdpa-add-features-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch
@@ -0,0 +1,40 @@
+From 79c8651587504ba263d2fd67fd4406240fb21f69 Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Thu, 27 Jul 2023 20:57:48 +0300
+Subject: vdpa: Add features attr to vdpa_nl_policy for nlattr length check
+
+From: Lin Ma
+
+commit 79c8651587504ba263d2fd67fd4406240fb21f69 upstream.
+
+The vdpa_nl_policy structure is used to validate the nlattr when parsing
+the incoming nlmsg. It will ensure the attribute being described produces
+a valid nlattr pointer in info->attrs before entering into each handler
+in vdpa_nl_ops.
+
+That is to say, the missing part in vdpa_nl_policy may lead to illegal
+nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
+
+This patch adds the missing nla_policy for vdpa features attr to avoid
+such bugs.
+
+Fixes: 90fea5a800c3 ("vdpa: device feature provisioning")
+Signed-off-by: Lin Ma
+Cc: stable@vger.kernel.org
+Message-Id: <20230727175757.73988-3-dtatulea@nvidia.com>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vdpa/vdpa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/vdpa/vdpa.c
++++ b/drivers/vdpa/vdpa.c
+@@ -1174,6 +1174,7 @@ static const struct nla_policy vdpa_nl_p
+ [VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR,
+ /* virtio spec 1.1 section 5.1.4.1 for valid MTU range */
+ [VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68),
++ [VDPA_ATTR_DEV_FEATURES] = { .type = NLA_U64 },
+ };
+
+ static const struct genl_ops vdpa_nl_ops[] = {
diff --git a/queue-6.1/vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch b/queue-6.1/vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch
new file mode 100644
index 00000000000..ab8dc759dc4
--- /dev/null
+++ b/queue-6.1/vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch
@@ -0,0 +1,40 @@
+From 5d6ba607d6cb5c58a4ddf33381e18c83dbb4098f Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Thu, 27 Jul 2023 20:57:52 +0300
+Subject: vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check
+
+From: Lin Ma
+
+commit 5d6ba607d6cb5c58a4ddf33381e18c83dbb4098f upstream.
+
+The vdpa_nl_policy structure is used to validate the nlattr when parsing
+the incoming nlmsg. It will ensure the attribute being described produces
+a valid nlattr pointer in info->attrs before entering into each handler
+in vdpa_nl_ops.
+
+That is to say, the missing part in vdpa_nl_policy may lead to illegal
+nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
+
+This patch adds the missing nla_policy for vdpa max vqp attr to avoid
+such bugs.
+
+Fixes: ad69dd0bf26b ("vdpa: Introduce query of device config layout")
+Signed-off-by: Lin Ma
+Cc: stable@vger.kernel.org
+Message-Id: <20230727175757.73988-7-dtatulea@nvidia.com>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vdpa/vdpa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/vdpa/vdpa.c
++++ b/drivers/vdpa/vdpa.c
+@@ -1172,6 +1172,7 @@ static const struct nla_policy vdpa_nl_p
+ [VDPA_ATTR_MGMTDEV_DEV_NAME] = { .type = NLA_STRING },
+ [VDPA_ATTR_DEV_NAME] = { .type = NLA_STRING },
+ [VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR,
++ [VDPA_ATTR_DEV_NET_CFG_MAX_VQP] = { .type = NLA_U16 },
+ /* virtio spec 1.1 section 5.1.4.1 for valid MTU range */
+ [VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68),
+ [VDPA_ATTR_DEV_QUEUE_INDEX] = { .type = NLA_U32 },
diff --git a/queue-6.1/vdpa-add-queue-index-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch b/queue-6.1/vdpa-add-queue-index-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch
new file mode 100644
index 00000000000..696f04757a5
--- /dev/null
+++ b/queue-6.1/vdpa-add-queue-index-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch
@@ -0,0 +1,40 @@
+From b3003e1b54e057f5f3124e437b80c3bef26ed3fe Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Thu, 27 Jul 2023 20:57:50 +0300
+Subject: vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check
+
+From: Lin Ma
+
+commit b3003e1b54e057f5f3124e437b80c3bef26ed3fe upstream.
+
+The vdpa_nl_policy structure is used to validate the nlattr when parsing
+the incoming nlmsg. It will ensure the attribute being described produces
+a valid nlattr pointer in info->attrs before entering into each handler
+in vdpa_nl_ops.
+
+That is to say, the missing part in vdpa_nl_policy may lead to illegal
+nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
+
+This patch adds the missing nla_policy for vdpa queue index attr to avoid
+such bugs.
+
+Fixes: 13b00b135665 ("vdpa: Add support for querying vendor statistics")
+Signed-off-by: Lin Ma
+Cc: stable@vger.kernelorg
+Message-Id: <20230727175757.73988-5-dtatulea@nvidia.com>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vdpa/vdpa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/vdpa/vdpa.c
++++ b/drivers/vdpa/vdpa.c
+@@ -1174,6 +1174,7 @@ static const struct nla_policy vdpa_nl_p
+ [VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR,
+ /* virtio spec 1.1 section 5.1.4.1 for valid MTU range */
+ [VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68),
++ [VDPA_ATTR_DEV_QUEUE_INDEX] = { .type = NLA_U32 },
+ [VDPA_ATTR_DEV_FEATURES] = { .type = NLA_U64 },
+ };
+
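Review bot: The embedded patch carries `Cc: stable@vger.kernelorg` (missing the dot before "org") in its trailers, inherited from the upstream commit; it is harmless for this queue since the patch is being applied anyway, but tooling that parses trailers to confirm stable tagging will not match it, so it should not be relied on as the stable marker for this commit. The policy entry itself, `[VDPA_ATTR_DEV_QUEUE_INDEX] = { .type = NLA_U32 },`, gives the parser a 4-byte minimum for the attribute, which is what keeps the handler's nla_get_u32() in bounds; any upper bound on the index against the device's queue count remains a handler concern outside this hunk.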
diff --git a/queue-6.1/vdpa-enable-strict-validation-for-netlinks-ops.patch b/queue-6.1/vdpa-enable-strict-validation-for-netlinks-ops.patch new file mode 100644 index 00000000000..52a8f2a767a --- /dev/null +++ b/queue-6.1/vdpa-enable-strict-validation-for-netlinks-ops.patch 
@@ -0,0 +1,63 @@
+From f46c1e1620c6bbc9aad5693082efd1b80822e97c Mon Sep 17 00:00:00 2001
+From: Dragos Tatulea
+Date: Thu, 27 Jul 2023 20:57:54 +0300
+Subject: vdpa: Enable strict validation for netlinks ops
+
+From: Dragos Tatulea
+
+commit f46c1e1620c6bbc9aad5693082efd1b80822e97c upstream.
+
+The previous patches added the missing nla policies that were required for
+validation to work.
+
+Now strict validation on netlink ops can be enabled. This patch does it.
+
+Signed-off-by: Dragos Tatulea
+Cc: stable@vger.kernel.org
+Message-Id: <20230727175757.73988-9-dtatulea@nvidia.com>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vdpa/vdpa.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/vdpa/vdpa.c
++++ b/drivers/vdpa/vdpa.c
+@@ -1182,37 +1182,31 @@ static const struct nla_policy vdpa_nl_p
+ static const struct genl_ops vdpa_nl_ops[] = {
+ {
+ .cmd = VDPA_CMD_MGMTDEV_GET,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+ .doit = vdpa_nl_cmd_mgmtdev_get_doit,
+ .dumpit = vdpa_nl_cmd_mgmtdev_get_dumpit,
+ },
+ {
+ .cmd = VDPA_CMD_DEV_NEW,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+ .doit = vdpa_nl_cmd_dev_add_set_doit,
+ .flags = GENL_ADMIN_PERM,
+ },
+ {
+ .cmd = VDPA_CMD_DEV_DEL,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+ .doit = vdpa_nl_cmd_dev_del_set_doit,
+ .flags = GENL_ADMIN_PERM,
+ },
+ {
+ .cmd = VDPA_CMD_DEV_GET,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+ .doit = vdpa_nl_cmd_dev_get_doit,
+ .dumpit = vdpa_nl_cmd_dev_get_dumpit,
+ },
+ {
+ .cmd = VDPA_CMD_DEV_CONFIG_GET,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+ .doit = vdpa_nl_cmd_dev_config_get_doit,
+ .dumpit = vdpa_nl_cmd_dev_config_get_dumpit,
+ },
+ {
+ .cmd = VDPA_CMD_DEV_VSTATS_GET,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+ .doit = vdpa_nl_cmd_dev_stats_get_doit,
+ .flags = GENL_ADMIN_PERM,
+ },
-- 
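Review bot: Dropping `GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP` from all six ops is a user-visible change: requests that were tolerated before (attributes with no policy entry, wrong-length fixed-size attributes, trailing bytes, or dump requests whose payload was never validated) will presumably now be rejected with -EINVAL, and the commit description does not say so. In a stable backport this is only safe if every attribute the vdpa handlers read has an entry in vdpa_nl_policy, which means the three `vdpa: Add ... attr to vdpa_nl_policy` patches in this batch must precede this one in queue-6.1/series; the series file is not in view here, so that ordering should be confirmed before merging. A sentence in the description such as `Depends on the preceding vdpa_nl_policy patches; with strict validation, messages carrying attributes not covered by the policy are now rejected with -EINVAL.` would make both the dependency and the behaviour change explicit.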
2.47.3