From 2cd3fecfef07ccbb3ba6fd51f42b777027ff45e5 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 9 Sep 2024 18:26:23 +0200 Subject: [PATCH] 5.15-stable patches added patches: binder-fix-uaf-caused-by-offsets-overwrite.patch clocksource-drivers-imx-tpm-fix-next-event-not-taking-effect-sometime.patch clocksource-drivers-imx-tpm-fix-return-etime-when-delta-exceeds-int_max.patch clocksource-drivers-timer-of-remove-percpu-irq-related-code.patch drivers-hv-vmbus-fix-rescind-handling-in-uio_hv_generic.patch iio-adc-ad7124-fix-chip-id-mismatch.patch iio-adc-ad7124-fix-config-comparison.patch iio-adc-ad7606-remove-frstdata-check-for-serial-mode.patch iio-buffer-dmaengine-fix-releasing-dma-channel-on-error.patch iio-fix-scale-application-in-iio_convert_raw_to_processed_unlocked.patch nvmem-fix-return-type-of-devm_nvmem_device_get-in-kerneldoc.patch perf-aux-fix-aux-buffer-serialization.patch staging-iio-frequency-ad9834-validate-frequency-parameter-value.patch uio_hv_generic-fix-kernel-null-pointer-dereference-in-hv_uio_rescind.patch uprobes-use-kzalloc-to-allocate-xol-area.patch usb-dwc3-core-update-lc-timer-as-per-usb-spec-v3.2.patch vmci-fix-use-after-free-when-removing-resource-in-vmci_resource_remove.patch --- ...-fix-uaf-caused-by-offsets-overwrite.patch | 73 ++++++++ ...ext-event-not-taking-effect-sometime.patch | 46 +++++ ...urn-etime-when-delta-exceeds-int_max.patch | 70 +++++++ ...er-of-remove-percpu-irq-related-code.patch | 113 ++++++++++++ ...x-rescind-handling-in-uio_hv_generic.patch | 57 ++++++ .../iio-adc-ad7124-fix-chip-id-mismatch.patch | 41 +++++ ...iio-adc-ad7124-fix-config-comparison.patch | 78 ++++++++ ...emove-frstdata-check-for-serial-mode.patch | 173 ++++++++++++++++++ ...e-fix-releasing-dma-channel-on-error.patch | 42 +++++ ...io_convert_raw_to_processed_unlocked.patch | 48 +++++ ...f-devm_nvmem_device_get-in-kerneldoc.patch | 40 ++++ ...erf-aux-fix-aux-buffer-serialization.patch | 113 ++++++++++++ queue-5.15/series | 17 ++ ...4-validate-frequency-parameter-value.patch | 42 +++++ 
...ointer-dereference-in-hv_uio_rescind.patch | 41 +++++ ...bes-use-kzalloc-to-allocate-xol-area.patch | 41 +++++ ...update-lc-timer-as-per-usb-spec-v3.2.patch | 69 +++++++ ...ing-resource-in-vmci_resource_remove.patch | 75 ++++++++ 18 files changed, 1179 insertions(+) create mode 100644 queue-5.15/binder-fix-uaf-caused-by-offsets-overwrite.patch create mode 100644 queue-5.15/clocksource-drivers-imx-tpm-fix-next-event-not-taking-effect-sometime.patch create mode 100644 queue-5.15/clocksource-drivers-imx-tpm-fix-return-etime-when-delta-exceeds-int_max.patch create mode 100644 queue-5.15/clocksource-drivers-timer-of-remove-percpu-irq-related-code.patch create mode 100644 queue-5.15/drivers-hv-vmbus-fix-rescind-handling-in-uio_hv_generic.patch create mode 100644 queue-5.15/iio-adc-ad7124-fix-chip-id-mismatch.patch create mode 100644 queue-5.15/iio-adc-ad7124-fix-config-comparison.patch create mode 100644 queue-5.15/iio-adc-ad7606-remove-frstdata-check-for-serial-mode.patch create mode 100644 queue-5.15/iio-buffer-dmaengine-fix-releasing-dma-channel-on-error.patch create mode 100644 queue-5.15/iio-fix-scale-application-in-iio_convert_raw_to_processed_unlocked.patch create mode 100644 queue-5.15/nvmem-fix-return-type-of-devm_nvmem_device_get-in-kerneldoc.patch create mode 100644 queue-5.15/perf-aux-fix-aux-buffer-serialization.patch create mode 100644 queue-5.15/staging-iio-frequency-ad9834-validate-frequency-parameter-value.patch create mode 100644 queue-5.15/uio_hv_generic-fix-kernel-null-pointer-dereference-in-hv_uio_rescind.patch create mode 100644 queue-5.15/uprobes-use-kzalloc-to-allocate-xol-area.patch create mode 100644 queue-5.15/usb-dwc3-core-update-lc-timer-as-per-usb-spec-v3.2.patch create mode 100644 queue-5.15/vmci-fix-use-after-free-when-removing-resource-in-vmci_resource_remove.patch 
diff --git a/queue-5.15/binder-fix-uaf-caused-by-offsets-overwrite.patch b/queue-5.15/binder-fix-uaf-caused-by-offsets-overwrite.patch
new file mode 100644
index 00000000000..050c631892f
--- /dev/null
+++ b/queue-5.15/binder-fix-uaf-caused-by-offsets-overwrite.patch
@@ -0,0 +1,73 @@ +From 4df153652cc46545722879415937582028c18af5 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Thu, 22 Aug 2024 18:23:52 +0000 +Subject: binder: fix UAF caused by offsets overwrite + +From: Carlos Llamas + +commit 4df153652cc46545722879415937582028c18af5 upstream. + +Binder objects are processed and copied individually into the target +buffer during transactions. Any raw data in-between these objects is +copied as well. However, this raw data copy lacks an out-of-bounds +check. If the raw data exceeds the data section size then the copy +overwrites the offsets section. This eventually triggers an error that +attempts to unwind the processed objects. However, at this point the +offsets used to index these objects are now corrupted. + +Unwinding with corrupted offsets can result in decrements of arbitrary +nodes and lead to their premature release. Other users of such nodes are +left with a dangling pointer triggering a use-after-free. This issue is +made evident by the following KASAN report (trimmed): + + ================================================================== + BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c + Write of size 4 at addr ffff47fc91598f04 by task binder-util/743 + + CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1 + Hardware name: linux,dummy-virt (DT) + Call trace: + _raw_spin_lock+0xe4/0x19c + binder_free_buf+0x128/0x434 + binder_thread_write+0x8a4/0x3260 + binder_ioctl+0x18f0/0x258c + [...] + + Allocated by task 743: + __kmalloc_cache_noprof+0x110/0x270 + binder_new_node+0x50/0x700 + binder_transaction+0x413c/0x6da8 + binder_thread_write+0x978/0x3260 + binder_ioctl+0x18f0/0x258c + [...] + + Freed by task 745: + kfree+0xbc/0x208 + binder_thread_read+0x1c5c/0x37d4 + binder_ioctl+0x16d8/0x258c + [...] + ================================================================== + +To avoid this issue, let's check that the raw data copy is within the +boundaries of the data section. 
+ +Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn") +Cc: Todd Kjos +Cc: stable@vger.kernel.org +Signed-off-by: Carlos Llamas +Link: https://lore.kernel.org/r/20240822182353.2129600-1-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -3173,6 +3173,7 @@ static void binder_transaction(struct bi + */ + copy_size = object_offset - user_offset; + if (copy_size && (user_offset > object_offset || ++ object_offset > tr->data_size || + binder_alloc_copy_user_to_buffer( + &target_proc->alloc, + t->buffer, user_offset, diff --git a/queue-5.15/clocksource-drivers-imx-tpm-fix-next-event-not-taking-effect-sometime.patch b/queue-5.15/clocksource-drivers-imx-tpm-fix-next-event-not-taking-effect-sometime.patch new file mode 100644 index 00000000000..f1415d86ad4 --- /dev/null +++ b/queue-5.15/clocksource-drivers-imx-tpm-fix-next-event-not-taking-effect-sometime.patch 
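Review bot: The new `object_offset > tr->data_size` disjunct is the only bound that keeps the raw-data copy inside the data section, but the four-way condition gives no hint of that and the next reader will not have the commit message in front of them. A comment above the `if`, `/* raw data between objects must end inside the data section; past it the copy clobbers the offsets array that follows the data */`, would keep the reasoning next to the check. Stating that `object_offset == tr->data_size` is deliberately allowed (the copy covers `[user_offset, object_offset)`, so the end offset is an inclusive bound) would also pre-empt an off-by-one question. binder_transaction starts and ends outside the hunk.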
@@ -0,0 +1,46 @@ +From 3d5c2f8e75a55cfb11a85086c71996af0354a1fb Mon Sep 17 00:00:00 2001 +From: Jacky Bai +Date: Thu, 25 Jul 2024 15:33:55 -0400 +Subject: clocksource/drivers/imx-tpm: Fix next event not taking effect sometime + +From: Jacky Bai + +commit 3d5c2f8e75a55cfb11a85086c71996af0354a1fb upstream. + +The value written into the TPM CnV can only be updated into the hardware +when the counter increases. Additional writes to the CnV write buffer are +ignored until the register has been updated. Therefore, we need to check +if the CnV has been updated before continuing. This may require waiting for +1 counter cycle in the worst case. + +Cc: stable@vger.kernel.org +Fixes: 059ab7b82eec ("clocksource/drivers/imx-tpm: Add imx tpm timer support") +Signed-off-by: Jacky Bai +Reviewed-by: Peng Fan +Reviewed-by: Ye Li +Reviewed-by: Jason Liu +Signed-off-by: Frank Li +Link: https://lore.kernel.org/r/20240725193355.1436005-2-Frank.Li@nxp.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clocksource/timer-imx-tpm.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/clocksource/timer-imx-tpm.c ++++ b/drivers/clocksource/timer-imx-tpm.c +@@ -91,6 +91,14 @@ static int tpm_set_next_event(unsigned l + now = tpm_read_counter(); + + /* ++ * Need to wait CNT increase at least 1 cycle to make sure ++ * the C0V has been updated into HW. ++ */ ++ if ((next & 0xffffffff) != readl(timer_base + TPM_C0V)) ++ while (now == tpm_read_counter()) ++ ; ++ ++ /* + * NOTE: We observed in a very small probability, the bus fabric + * contention between GPU and A7 may results a few cycles delay + * of writing CNT registers which may cause the min_delta event got diff --git a/queue-5.15/clocksource-drivers-imx-tpm-fix-return-etime-when-delta-exceeds-int_max.patch b/queue-5.15/clocksource-drivers-imx-tpm-fix-return-etime-when-delta-exceeds-int_max.patch new file mode 100644 index 00000000000..c4377200160 --- /dev/null 
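Review bot: The added `while (now == tpm_read_counter()) ;` spins with no upper bound, so if the TPM counter is not advancing when set_next_event runs (clock gated, or the timer stopped by the state machine) the CPU never leaves the loop, and nothing in the hunk establishes that the counter is guaranteed to be running here. Either bound the wait or record the guarantee in the new comment, e.g. `/* the counter is free-running whenever next_event is called, so this wait is at most one counter cycle */` — hedged, since the state handling is not visible. Note also that `now` is not refreshed after the loop, so the -ETIME check that follows (outside the hunk) still sees the pre-wait value; presumably intentional, but worth a word in the comment. tpm_set_next_event starts and ends outside the hunk.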
+++ b/queue-5.15/clocksource-drivers-imx-tpm-fix-return-etime-when-delta-exceeds-int_max.patch 
@@ -0,0 +1,70 @@ +From 5b8843fcd49827813da80c0f590a17ae4ce93c5d Mon Sep 17 00:00:00 2001 +From: Jacky Bai +Date: Thu, 25 Jul 2024 15:33:54 -0400 +Subject: clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX + +From: Jacky Bai + +commit 5b8843fcd49827813da80c0f590a17ae4ce93c5d upstream. + +In tpm_set_next_event(delta), return -ETIME by wrong cast to int when delta +is larger than INT_MAX. + +For example: + +tpm_set_next_event(delta = 0xffff_fffe) +{ + ... + next = tpm_read_counter(); // assume next is 0x10 + next += delta; // next will 0xffff_fffe + 0x10 = 0x1_0000_000e + now = tpm_read_counter(); // now is 0x10 + ... + + return (int)(next - now) <= 0 ? -ETIME : 0; + ^^^^^^^^^^ + 0x1_0000_000e - 0x10 = 0xffff_fffe, which is -2 when + cast to int. So return -ETIME. +} + +To fix this, introduce a 'prev' variable and check if 'now - prev' is +larger than delta. + +Cc: stable@vger.kernel.org +Fixes: 059ab7b82eec ("clocksource/drivers/imx-tpm: Add imx tpm timer support") +Signed-off-by: Jacky Bai +Reviewed-by: Peng Fan +Reviewed-by: Ye Li +Reviewed-by: Jason Liu +Signed-off-by: Frank Li +Link: https://lore.kernel.org/r/20240725193355.1436005-1-Frank.Li@nxp.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clocksource/timer-imx-tpm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/clocksource/timer-imx-tpm.c ++++ b/drivers/clocksource/timer-imx-tpm.c +@@ -83,10 +83,10 @@ static u64 notrace tpm_read_sched_clock( + static int tpm_set_next_event(unsigned long delta, + struct clock_event_device *evt) + { +- unsigned long next, now; ++ unsigned long next, prev, now; + +- next = tpm_read_counter(); +- next += delta; ++ prev = tpm_read_counter(); ++ next = prev + delta; + writel(next, timer_base + TPM_C0V); + now = tpm_read_counter(); + +@@ -96,7 +96,7 @@ static int tpm_set_next_event(unsigned l + * of writing CNT registers which may cause the min_delta event got + * missed, so we need add a 
ETIME check here in case it happened. + */ +- return (int)(next - now) <= 0 ? -ETIME : 0; ++ return (now - prev) >= delta ? -ETIME : 0; + } + + static int tpm_set_state_oneshot(struct clock_event_device *evt) diff --git a/queue-5.15/clocksource-drivers-timer-of-remove-percpu-irq-related-code.patch b/queue-5.15/clocksource-drivers-timer-of-remove-percpu-irq-related-code.patch new file mode 100644 index 00000000000..9951ea542ad --- /dev/null +++ b/queue-5.15/clocksource-drivers-timer-of-remove-percpu-irq-related-code.patch 
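Review bot: `return (now - prev) >= delta ? -ETIME : 0;` is wrap-safe only if the subtraction happens at the counter's width; `prev` and `now` are `unsigned long`, so on a 64-bit build a 32-bit counter wrapping between the two reads yields a huge difference and a spurious -ETIME, whereas the replaced `(int)(next - now)` cast happened to tolerate that. If tpm_read_counter() returns the raw 32-bit register value (not visible here), truncating the difference, `(u32)(now - prev) >= delta`, or declaring the three locals as `u32` would cover it; if the driver only ever builds for 32-bit targets the point is moot but deserves a comment. The comment lines between the two inner hunks are not shown.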
@@ -0,0 +1,113 @@ +From 471ef0b5a8aaca4296108e756b970acfc499ede4 Mon Sep 17 00:00:00 2001 +From: Daniel Lezcano +Date: Mon, 19 Aug 2024 12:03:35 +0200 +Subject: clocksource/drivers/timer-of: Remove percpu irq related code +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Lezcano + +commit 471ef0b5a8aaca4296108e756b970acfc499ede4 upstream. + +GCC's named address space checks errors out with: + +drivers/clocksource/timer-of.c: In function ‘timer_of_irq_exit’: +drivers/clocksource/timer-of.c:29:46: error: passing argument 2 of +‘free_percpu_irq’ from pointer to non-enclosed address space + 29 | free_percpu_irq(of_irq->irq, clkevt); + | ^~~~~~ +In file included from drivers/clocksource/timer-of.c:8: +./include/linux/interrupt.h:201:43: note: expected ‘__seg_gs void *’ +but argument is of type ‘struct clock_event_device *’ + 201 | extern void free_percpu_irq(unsigned int, void __percpu *); + | ^~~~~~~~~~~~~~~ +drivers/clocksource/timer-of.c: In function ‘timer_of_irq_init’: +drivers/clocksource/timer-of.c:74:51: error: passing argument 4 of +‘request_percpu_irq’ from pointer to non-enclosed address space + 74 | np->full_name, clkevt) : + | ^~~~~~ +./include/linux/interrupt.h:190:56: note: expected ‘__seg_gs void *’ +but argument is of type ‘struct clock_event_device *’ + 190 | const char *devname, void __percpu *percpu_dev_id) + +Sparse warns about: + +timer-of.c:29:46: warning: incorrect type in argument 2 (different address spaces) +timer-of.c:29:46: expected void [noderef] __percpu * +timer-of.c:29:46: got struct clock_event_device *clkevt +timer-of.c:74:51: warning: incorrect type in argument 4 (different address spaces) +timer-of.c:74:51: expected void [noderef] __percpu *percpu_dev_id +timer-of.c:74:51: got struct clock_event_device *clkevt + +It appears the code is incorrect as reported by Uros Bizjak: + +"The referred code is questionable as it tries to reuse +the clkevent pointer once as percpu pointer 
and once as generic +pointer, which should be avoided." + +This change removes the percpu related code as no drivers is using it. + +[Daniel: Fixed the description] + +Fixes: dc11bae785295 ("clocksource/drivers: Add timer-of common init routine") +Reported-by: Uros Bizjak +Tested-by: Uros Bizjak +Link: https://lore.kernel.org/r/20240819100335.2394751-1-daniel.lezcano@linaro.org +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clocksource/timer-of.c | 17 ++++------------- + drivers/clocksource/timer-of.h | 1 - + 2 files changed, 4 insertions(+), 14 deletions(-) + +--- a/drivers/clocksource/timer-of.c ++++ b/drivers/clocksource/timer-of.c +@@ -25,10 +25,7 @@ static __init void timer_of_irq_exit(str + + struct clock_event_device *clkevt = &to->clkevt; + +- if (of_irq->percpu) +- free_percpu_irq(of_irq->irq, clkevt); +- else +- free_irq(of_irq->irq, clkevt); ++ free_irq(of_irq->irq, clkevt); + } + + /** +@@ -42,9 +39,6 @@ static __init void timer_of_irq_exit(str + * - Get interrupt number by name + * - Get interrupt number by index + * +- * When the interrupt is per CPU, 'request_percpu_irq()' is called, +- * otherwise 'request_irq()' is used. +- * + * Returns 0 on success, < 0 otherwise + */ + static __init int timer_of_irq_init(struct device_node *np, +@@ -69,12 +63,9 @@ static __init int timer_of_irq_init(stru + return -EINVAL; + } + +- ret = of_irq->percpu ? +- request_percpu_irq(of_irq->irq, of_irq->handler, +- np->full_name, clkevt) : +- request_irq(of_irq->irq, of_irq->handler, +- of_irq->flags ? of_irq->flags : IRQF_TIMER, +- np->full_name, clkevt); ++ ret = request_irq(of_irq->irq, of_irq->handler, ++ of_irq->flags ? 
of_irq->flags : IRQF_TIMER, ++ np->full_name, clkevt); + if (ret) { + pr_err("Failed to request irq %d for %pOF\n", of_irq->irq, np); + return ret; +--- a/drivers/clocksource/timer-of.h ++++ b/drivers/clocksource/timer-of.h +@@ -11,7 +11,6 @@ + struct of_timer_irq { + int irq; + int index; +- int percpu; + const char *name; + unsigned long flags; + irq_handler_t handler; diff --git a/queue-5.15/drivers-hv-vmbus-fix-rescind-handling-in-uio_hv_generic.patch b/queue-5.15/drivers-hv-vmbus-fix-rescind-handling-in-uio_hv_generic.patch new file mode 100644 index 00000000000..28d48fd401b --- /dev/null +++ b/queue-5.15/drivers-hv-vmbus-fix-rescind-handling-in-uio_hv_generic.patch 
@@ -0,0 +1,57 @@ +From 6fd28941447bf2c8ca0f26fda612a1cabc41663f Mon Sep 17 00:00:00 2001 +From: Naman Jain +Date: Thu, 29 Aug 2024 12:43:12 +0530 +Subject: Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic + +From: Naman Jain + +commit 6fd28941447bf2c8ca0f26fda612a1cabc41663f upstream. + +Rescind offer handling relies on rescind callbacks for some of the +resources cleanup, if they are registered. It does not unregister +vmbus device for the primary channel closure, when callback is +registered. Without it, next onoffer does not come, rescind flag +remains set and device goes to unusable state. + +Add logic to unregister vmbus for the primary channel in rescind callback +to ensure channel removal and relid release, and to ensure that next +onoffer can be received and handled properly. + +Cc: stable@vger.kernel.org +Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support") +Signed-off-by: Naman Jain +Reviewed-by: Saurabh Sengar +Link: https://lore.kernel.org/r/20240829071312.1595-3-namjain@linux.microsoft.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hv/vmbus_drv.c | 1 + + drivers/uio/uio_hv_generic.c | 8 ++++++++ + 2 files changed, 9 insertions(+) + +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -2008,6 +2008,7 @@ static umode_t vmbus_chan_attr_is_visibl + + return attr->mode; + } ++EXPORT_SYMBOL_GPL(vmbus_device_unregister); + + static struct attribute_group vmbus_chan_group = { + .attrs = vmbus_chan_attrs, +--- a/drivers/uio/uio_hv_generic.c ++++ b/drivers/uio/uio_hv_generic.c +@@ -119,6 +119,14 @@ static void hv_uio_rescind(struct vmbus_ + + /* Wake up reader */ + uio_event_notify(&pdata->info); ++ ++ /* ++ * With rescind callback registered, rescind path will not unregister the device ++ * from vmbus when the primary channel is rescinded. ++ * Without it, rescind handling is incomplete and next onoffer msg does not come. ++ * Unregister the device from vmbus here. 
++ */ ++ vmbus_device_unregister(channel->device_obj); + } + + /* Sysfs API to allow mmap of the ring buffers diff --git a/queue-5.15/iio-adc-ad7124-fix-chip-id-mismatch.patch b/queue-5.15/iio-adc-ad7124-fix-chip-id-mismatch.patch new file mode 100644 index 00000000000..1d252bc9311 --- /dev/null +++ b/queue-5.15/iio-adc-ad7124-fix-chip-id-mismatch.patch @@ -0,0 +1,41 @@ +From 96f9ab0d5933c1c00142dd052f259fce0bc3ced2 Mon Sep 17 00:00:00 2001 +From: Dumitru Ceclan +Date: Wed, 31 Jul 2024 15:37:22 +0300 +Subject: iio: adc: ad7124: fix chip ID mismatch + +From: Dumitru Ceclan + +commit 96f9ab0d5933c1c00142dd052f259fce0bc3ced2 upstream. + +The ad7124_soft_reset() function has the assumption that the chip will +assert the "power-on reset" bit in the STATUS register after a software +reset without any delay. The POR bit =0 is used to check if the chip +initialization is done. + +A chip ID mismatch probe error appears intermittently when the probe +continues too soon and the ID register does not contain the expected +value. + +Fix by adding a 200us delay after the software reset command is issued. + +Fixes: b3af341bbd96 ("iio: adc: Add ad7124 support") +Signed-off-by: Dumitru Ceclan +Reviewed-by: Nuno Sa +Link: https://patch.msgid.link/20240731-ad7124-fix-v1-1-46a76aa4b9be@analog.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7124.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/ad7124.c ++++ b/drivers/iio/adc/ad7124.c +@@ -690,6 +690,7 @@ static int ad7124_soft_reset(struct ad71 + if (ret < 0) + return ret; + ++ fsleep(200); + timeout = 100; + do { + ret = ad_sd_read_reg(&st->sd, AD7124_STATUS, 1, &readval); diff --git a/queue-5.15/iio-adc-ad7124-fix-config-comparison.patch b/queue-5.15/iio-adc-ad7124-fix-config-comparison.patch new file mode 100644 index 00000000000..417a8591555 --- /dev/null +++ b/queue-5.15/iio-adc-ad7124-fix-config-comparison.patch 
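Review bot: `EXPORT_SYMBOL_GPL(vmbus_device_unregister);` lands after the closing brace of vmbus_chan_attr_is_visible (the `return attr->mode; }` context), not directly after the definition of vmbus_device_unregister, which is where kernel convention places an export; it links either way, but a reader looking at the function will not find its export next to it, and the hunk header suggests the backport picked a different anchor than the function itself. Moving the line to follow the body of `vmbus_device_unregister()` is a one-line change. In the uio_hv_generic.c hunk, `vmbus_device_unregister(channel->device_obj);` is the last statement of hv_uio_rescind, which matters because unregistering presumably runs the driver's remove path and tears down `pdata`; a note such as `/* must stay last: this may free pdata via the remove path */` would keep future additions from landing after it. hv_uio_rescind starts outside the hunk.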
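Review bot: `fsleep(200);` is a bare magic delay with nothing in the code saying what it waits for; the reason lives only in the commit message. A comment on the line, `/* let the chip assert POR in STATUS after the reset command, otherwise the ID read can run ahead of reset completion */`, would document it, and naming where the 200us figure comes from (datasheet value or empirical) would help whoever has to tune it later. ad7124_soft_reset starts and ends outside the hunk.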
@@ -0,0 +1,78 @@ +From 2f6b92d0f69f04d9e2ea0db1228ab7f82f3173af Mon Sep 17 00:00:00 2001 +From: Dumitru Ceclan +Date: Wed, 31 Jul 2024 15:37:23 +0300 +Subject: iio: adc: ad7124: fix config comparison + +From: Dumitru Ceclan + +commit 2f6b92d0f69f04d9e2ea0db1228ab7f82f3173af upstream. + +The ad7124_find_similar_live_cfg() computes the compare size by +substracting the address of the cfg struct from the address of the live +field. Because the live field is the first field in the struct, the +result is 0. + +Also, the memcmp() call is made from the start of the cfg struct, which +includes the live and cfg_slot fields, which are not relevant for the +comparison. + +Fix by grouping the relevant fields with struct_group() and use the +size of the group to compute the compare size; make the memcmp() call +from the address of the group. + +Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels") +Signed-off-by: Dumitru Ceclan +Reviewed-by: Nuno Sa +Link: https://patch.msgid.link/20240731-ad7124-fix-v1-2-46a76aa4b9be@analog.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7124.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +--- a/drivers/iio/adc/ad7124.c ++++ b/drivers/iio/adc/ad7124.c +@@ -144,15 +144,18 @@ struct ad7124_chip_info { + struct ad7124_channel_config { + bool live; + unsigned int cfg_slot; +- enum ad7124_ref_sel refsel; +- bool bipolar; +- bool buf_positive; +- bool buf_negative; +- unsigned int vref_mv; +- unsigned int pga_bits; +- unsigned int odr; +- unsigned int odr_sel_bits; +- unsigned int filter_type; ++ /* Following fields are used to compare equality. 
*/ ++ struct_group(config_props, ++ enum ad7124_ref_sel refsel; ++ bool bipolar; ++ bool buf_positive; ++ bool buf_negative; ++ unsigned int vref_mv; ++ unsigned int pga_bits; ++ unsigned int odr; ++ unsigned int odr_sel_bits; ++ unsigned int filter_type; ++ ); + }; + + struct ad7124_channel { +@@ -331,11 +334,12 @@ static struct ad7124_channel_config *ad7 + ptrdiff_t cmp_size; + int i; + +- cmp_size = (u8 *)&cfg->live - (u8 *)cfg; ++ cmp_size = sizeof_field(struct ad7124_channel_config, config_props); + for (i = 0; i < st->num_channels; i++) { + cfg_aux = &st->channels[i].cfg; + +- if (cfg_aux->live && !memcmp(cfg, cfg_aux, cmp_size)) ++ if (cfg_aux->live && ++ !memcmp(&cfg->config_props, &cfg_aux->config_props, cmp_size)) + return cfg_aux; + } + diff --git a/queue-5.15/iio-adc-ad7606-remove-frstdata-check-for-serial-mode.patch b/queue-5.15/iio-adc-ad7606-remove-frstdata-check-for-serial-mode.patch new file mode 100644 index 00000000000..d952137d3ad --- /dev/null +++ b/queue-5.15/iio-adc-ad7606-remove-frstdata-check-for-serial-mode.patch 
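Review bot: `memcmp(&cfg->config_props, &cfg_aux->config_props, cmp_size)` compares every byte of the group, padding included — with an `enum` followed by three `bool`s and then `unsigned int vref_mv`, there is very likely one padding byte before `vref_mv` that memcmp reads but no assignment ever writes. Two configurations that are field-for-field identical can then fail to match unless both structs were zero-filled before being populated, which silently defeats the slot sharing this function exists for; whether `st->channels[]` and the incoming `cfg` are always zeroed is not visible here, so this is a question rather than a confirmed defect. A field-by-field comparison, or a `memset(&cfg->config_props, 0, sizeof(cfg->config_props))` where the config is built (outside this hunk), removes the dependence on padding contents. Separately, `cmp_size` stays `ptrdiff_t` while it now holds a `sizeof_field()` result; `size_t` would match. ad7124_find_similar_live_cfg starts and ends outside the hunk.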
@@ -0,0 +1,173 @@ +From 90826e08468ba7fb35d8b39645b22d9e80004afe Mon Sep 17 00:00:00 2001 +From: Guillaume Stols +Date: Tue, 2 Jul 2024 12:52:51 +0000 +Subject: iio: adc: ad7606: remove frstdata check for serial mode + +From: Guillaume Stols + +commit 90826e08468ba7fb35d8b39645b22d9e80004afe upstream. + +The current implementation attempts to recover from an eventual glitch +in the clock by checking frstdata state after reading the first +channel's sample: If frstdata is low, it will reset the chip and +return -EIO. + +This will only work in parallel mode, where frstdata pin is set low +after the 2nd sample read starts. + +For the serial mode, according to the datasheet, "The FRSTDATA output +returns to a logic low following the 16th SCLK falling edge.", thus +after the Xth pulse, X being the number of bits in a sample, the check +will always be true, and the driver will not work at all in serial +mode if frstdata(optional) is defined in the devicetree as it will +reset the chip, and return -EIO every time read_sample is called. + +Hence, this check must be removed for serial mode. 
+ +Fixes: b9618c0cacd7 ("staging: IIO: ADC: New driver for AD7606/AD7606-6/AD7606-4") +Signed-off-by: Guillaume Stols +Reviewed-by: Nuno Sa +Link: https://patch.msgid.link/20240702-cleanup-ad7606-v3-1-18d5ea18770e@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7606.c | 28 +------------------------ + drivers/iio/adc/ad7606.h | 2 + + drivers/iio/adc/ad7606_par.c | 48 ++++++++++++++++++++++++++++++++++++++++--- + 3 files changed, 49 insertions(+), 29 deletions(-) + +--- a/drivers/iio/adc/ad7606.c ++++ b/drivers/iio/adc/ad7606.c +@@ -48,7 +48,7 @@ static const unsigned int ad7616_oversam + 1, 2, 4, 8, 16, 32, 64, 128, + }; + +-static int ad7606_reset(struct ad7606_state *st) ++int ad7606_reset(struct ad7606_state *st) + { + if (st->gpio_reset) { + gpiod_set_value(st->gpio_reset, 1); +@@ -59,6 +59,7 @@ static int ad7606_reset(struct ad7606_st + + return -ENODEV; + } ++EXPORT_SYMBOL_NS_GPL(ad7606_reset, IIO_AD7606); + + static int ad7606_reg_access(struct iio_dev *indio_dev, + unsigned int reg, +@@ -87,31 +88,6 @@ static int ad7606_read_samples(struct ad + { + unsigned int num = st->chip_info->num_channels - 1; + u16 *data = st->data; +- int ret; +- +- /* +- * The frstdata signal is set to high while and after reading the sample +- * of the first channel and low for all other channels. This can be used +- * to check that the incoming data is correctly aligned. During normal +- * operation the data should never become unaligned, but some glitch or +- * electrostatic discharge might cause an extra read or clock cycle. +- * Monitoring the frstdata signal allows to recover from such failure +- * situations. 
+- */ +- +- if (st->gpio_frstdata) { +- ret = st->bops->read_block(st->dev, 1, data); +- if (ret) +- return ret; +- +- if (!gpiod_get_value(st->gpio_frstdata)) { +- ad7606_reset(st); +- return -EIO; +- } +- +- data++; +- num--; +- } + + return st->bops->read_block(st->dev, num, data); + } +--- a/drivers/iio/adc/ad7606.h ++++ b/drivers/iio/adc/ad7606.h +@@ -153,6 +153,8 @@ int ad7606_probe(struct device *dev, int + const char *name, unsigned int id, + const struct ad7606_bus_ops *bops); + ++int ad7606_reset(struct ad7606_state *st); ++ + enum ad7606_supported_device_ids { + ID_AD7605_4, + ID_AD7606_8, +--- a/drivers/iio/adc/ad7606_par.c ++++ b/drivers/iio/adc/ad7606_par.c +@@ -6,6 +6,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -20,8 +21,29 @@ static int ad7606_par16_read_block(struc + struct iio_dev *indio_dev = dev_get_drvdata(dev); + struct ad7606_state *st = iio_priv(indio_dev); + +- insw((unsigned long)st->base_address, buf, count); + ++ /* ++ * On the parallel interface, the frstdata signal is set to high while ++ * and after reading the sample of the first channel and low for all ++ * other channels. This can be used to check that the incoming data is ++ * correctly aligned. During normal operation the data should never ++ * become unaligned, but some glitch or electrostatic discharge might ++ * cause an extra read or clock cycle. Monitoring the frstdata signal ++ * allows to recover from such failure situations. 
++ */ ++ int num = count; ++ u16 *_buf = buf; ++ ++ if (st->gpio_frstdata) { ++ insw((unsigned long)st->base_address, _buf, 1); ++ if (!gpiod_get_value(st->gpio_frstdata)) { ++ ad7606_reset(st); ++ return -EIO; ++ } ++ _buf++; ++ num--; ++ } ++ insw((unsigned long)st->base_address, _buf, num); + return 0; + } + +@@ -34,8 +56,28 @@ static int ad7606_par8_read_block(struct + { + struct iio_dev *indio_dev = dev_get_drvdata(dev); + struct ad7606_state *st = iio_priv(indio_dev); +- +- insb((unsigned long)st->base_address, buf, count * 2); ++ /* ++ * On the parallel interface, the frstdata signal is set to high while ++ * and after reading the sample of the first channel and low for all ++ * other channels. This can be used to check that the incoming data is ++ * correctly aligned. During normal operation the data should never ++ * become unaligned, but some glitch or electrostatic discharge might ++ * cause an extra read or clock cycle. Monitoring the frstdata signal ++ * allows to recover from such failure situations. ++ */ ++ int num = count; ++ u16 *_buf = buf; ++ ++ if (st->gpio_frstdata) { ++ insb((unsigned long)st->base_address, _buf, 2); ++ if (!gpiod_get_value(st->gpio_frstdata)) { ++ ad7606_reset(st); ++ return -EIO; ++ } ++ _buf++; ++ num--; ++ } ++ insb((unsigned long)st->base_address, _buf, num * 2); + + return 0; + } diff --git a/queue-5.15/iio-buffer-dmaengine-fix-releasing-dma-channel-on-error.patch b/queue-5.15/iio-buffer-dmaengine-fix-releasing-dma-channel-on-error.patch new file mode 100644 index 00000000000..d1d63f796c8 --- /dev/null +++ b/queue-5.15/iio-buffer-dmaengine-fix-releasing-dma-channel-on-error.patch 
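Review bot: The frstdata check and its nine-line comment are now duplicated verbatim in ad7606_par16_read_block and ad7606_par8_read_block, differing only in the `insw`/`insb` call and the byte count, so a small static helper would keep the alignment logic and its explanation in one place. The locals named `_buf` use a leading underscore, which kernel style avoids for ordinary identifiers; `dst` reads better. The return value of `ad7606_reset(st)` is discarded in both branches, mirroring the removed code, but a `/* best effort; -EIO is returned regardless */` comment would make that deliberate. The signature lines of both functions are outside the inner hunks.
```c
/* Read the first sample and check that frstdata is still asserted; if it
 * is not, the stream is misaligned: reset the chip and fail the read.
 * On success *buf and *num are advanced past the first sample. */
static int ad7606_par_check_frstdata(struct ad7606_state *st, u16 **buf,
				     int *num, bool eight_bit)
{
	if (!st->gpio_frstdata)
		return 0;

	if (eight_bit)
		insb((unsigned long)st->base_address, *buf, 2);
	else
		insw((unsigned long)st->base_address, *buf, 1);

	if (!gpiod_get_value(st->gpio_frstdata)) {
		ad7606_reset(st);	/* best effort; -EIO is returned regardless */
		return -EIO;
	}
	(*buf)++;
	(*num)--;
	return 0;
}
/* … unchanged: ad7606_par16_read_block / ad7606_par8_read_block call the helper, then insw/insb the remaining num samples … */
```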
@@ -0,0 +1,42 @@ +From 84c65d8008764a8fb4e627ff02de01ec4245f2c4 Mon Sep 17 00:00:00 2001 +From: David Lechner +Date: Tue, 23 Jul 2024 11:32:21 -0500 +Subject: iio: buffer-dmaengine: fix releasing dma channel on error + +From: David Lechner + +commit 84c65d8008764a8fb4e627ff02de01ec4245f2c4 upstream. + +If dma_get_slave_caps() fails, we need to release the dma channel before +returning an error to avoid leaking the channel. + +Fixes: 2d6ca60f3284 ("iio: Add a DMAengine framework based buffer") +Signed-off-by: David Lechner +Link: https://patch.msgid.link/20240723-iio-fix-dmaengine-free-on-error-v1-1-2c7cbc9b92ff@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/buffer/industrialio-buffer-dmaengine.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/buffer/industrialio-buffer-dmaengine.c ++++ b/drivers/iio/buffer/industrialio-buffer-dmaengine.c +@@ -180,7 +180,7 @@ static struct iio_buffer *iio_dmaengine_ + + ret = dma_get_slave_caps(chan, &caps); + if (ret < 0) +- goto err_free; ++ goto err_release; + + /* Needs to be aligned to the maximum of the minimums */ + if (caps.src_addr_widths) +@@ -206,6 +206,8 @@ static struct iio_buffer *iio_dmaengine_ + + return &dmaengine_buffer->queue.buffer; + ++err_release: ++ dma_release_channel(chan); + err_free: + kfree(dmaengine_buffer); + return ERR_PTR(ret); diff --git a/queue-5.15/iio-fix-scale-application-in-iio_convert_raw_to_processed_unlocked.patch b/queue-5.15/iio-fix-scale-application-in-iio_convert_raw_to_processed_unlocked.patch new file mode 100644 index 00000000000..d36e061d08f --- /dev/null +++ b/queue-5.15/iio-fix-scale-application-in-iio_convert_raw_to_processed_unlocked.patch 
@@ -0,0 +1,48 @@ +From 8a3dcc970dc57b358c8db2702447bf0af4e0d83a Mon Sep 17 00:00:00 2001 +From: Matteo Martelli +Date: Tue, 30 Jul 2024 10:11:53 +0200 +Subject: iio: fix scale application in iio_convert_raw_to_processed_unlocked + +From: Matteo Martelli + +commit 8a3dcc970dc57b358c8db2702447bf0af4e0d83a upstream. + +When the scale_type is IIO_VAL_INT_PLUS_MICRO or IIO_VAL_INT_PLUS_NANO +the scale passed as argument is only applied to the fractional part of +the value. Fix it by also multiplying the integer part by the scale +provided. + +Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value") +Signed-off-by: Matteo Martelli +Link: https://patch.msgid.link/20240730-iio-fix-scale-v1-1-6246638c8daa@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -629,17 +629,17 @@ static int iio_convert_raw_to_processed_ + break; + case IIO_VAL_INT_PLUS_MICRO: + if (scale_val2 < 0) +- *processed = -raw64 * scale_val; ++ *processed = -raw64 * scale_val * scale; + else +- *processed = raw64 * scale_val; ++ *processed = raw64 * scale_val * scale; + *processed += div_s64(raw64 * (s64)scale_val2 * scale, + 1000000LL); + break; + case IIO_VAL_INT_PLUS_NANO: + if (scale_val2 < 0) +- *processed = -raw64 * scale_val; ++ *processed = -raw64 * scale_val * scale; + else +- *processed = raw64 * scale_val; ++ *processed = raw64 * scale_val * scale; + *processed += div_s64(raw64 * (s64)scale_val2 * scale, + 1000000000LL); + break; diff --git a/queue-5.15/nvmem-fix-return-type-of-devm_nvmem_device_get-in-kerneldoc.patch b/queue-5.15/nvmem-fix-return-type-of-devm_nvmem_device_get-in-kerneldoc.patch new file mode 100644 index 00000000000..d327b5ad494 --- /dev/null +++ b/queue-5.15/nvmem-fix-return-type-of-devm_nvmem_device_get-in-kerneldoc.patch 
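Review bot: The four changed assignments leave the IIO_VAL_INT_PLUS_MICRO and IIO_VAL_INT_PLUS_NANO cases textually identical except for the divisor passed to div_s64(), so the same expression had to be fixed twice here and will have to be again next time; folding the two cases into one body with the divisor chosen by the case label (or a tiny static helper) would remove that. `raw64 * scale_val * scale` is an s64 product of three caller-supplied inputs with no range check; presumably the raw and scale ranges keep it well inside 64 bits, but that is an assumption the code does not state, and a one-line comment would. iio_convert_raw_to_processed_unlocked starts and ends outside the hunk.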
@@ -0,0 +1,40 @@
+From c69f37f6559a8948d70badd2b179db7714dedd62 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Mon, 2 Sep 2024 15:25:09 +0100
+Subject: nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc
+
+From: Geert Uytterhoeven
+
+commit c69f37f6559a8948d70badd2b179db7714dedd62 upstream.
+
+devm_nvmem_device_get() returns an nvmem device, not an nvmem cell.
+
+Fixes: e2a5402ec7c6d044 ("nvmem: Add nvmem_device based consumer apis.")
+Cc: stable
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20240902142510.71096-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -1112,13 +1112,13 @@ void nvmem_device_put(struct nvmem_devic
+ EXPORT_SYMBOL_GPL(nvmem_device_put);
+
+ /**
+- * devm_nvmem_device_get() - Get nvmem cell of device form a given id
++ * devm_nvmem_device_get() - Get nvmem device of device form a given id
+ *
+ * @dev: Device that requests the nvmem device.
+ * @id: name id for the requested nvmem device.
+ *
+- * Return: ERR_PTR() on error or a valid pointer to a struct nvmem_cell
+- * on success. The nvmem_cell will be freed by the automatically once the
++ * Return: ERR_PTR() on error or a valid pointer to a struct nvmem_device
++ * on success. The nvmem_device will be freed by the automatically once the
+ * device is freed.
+ */
+ struct nvmem_device *devm_nvmem_device_get(struct device *dev, const char *id)
diff --git a/queue-5.15/perf-aux-fix-aux-buffer-serialization.patch b/queue-5.15/perf-aux-fix-aux-buffer-serialization.patch
new file mode 100644
index 00000000000..94a4e24b778
--- /dev/null
+++ b/queue-5.15/perf-aux-fix-aux-buffer-serialization.patch
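Review bot: The rewritten kerneldoc lines still carry two wording slips that could be fixed while they are being touched: `form a given id` should read `from a given id`, and `will be freed by the automatically once the` should read `will be freed automatically once the`. Both sit on the new `+` lines of the hunk, so they are within the scope of this change rather than a separate cleanup.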
@@ -0,0 +1,113 @@
+From 2ab9d830262c132ab5db2f571003d80850d56b2a Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Mon, 2 Sep 2024 10:14:24 +0200
+Subject: perf/aux: Fix AUX buffer serialization
+
+From: Peter Zijlstra
+
+commit 2ab9d830262c132ab5db2f571003d80850d56b2a upstream.
+
+Ole reported that event->mmap_mutex is strictly insufficient to
+serialize the AUX buffer, add a per RB mutex to fully serialize it.
+
+Note that in the lock order comment the perf_event::mmap_mutex order
+was already wrong, that is, it nesting under mmap_lock is not new with
+this patch.
+
+Fixes: 45bfb2e50471 ("perf: Add AUX area to ring buffer for raw data streams")
+Reported-by: Ole
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/events/core.c | 18 ++++++++++++------
+ kernel/events/internal.h | 1 +
+ kernel/events/ring_buffer.c | 2 ++
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -1368,8 +1368,9 @@ static void put_ctx(struct perf_event_co
+ * perf_event_context::mutex
+ * perf_event::child_mutex;
+ * perf_event_context::lock
+- * perf_event::mmap_mutex
+ * mmap_lock
++ * perf_event::mmap_mutex
++ * perf_buffer::aux_mutex
+ * perf_addr_filters_head::lock
+ *
+ * cpu_hotplug_lock
+@@ -6275,12 +6276,11 @@ static void perf_mmap_close(struct vm_ar
+ event->pmu->event_unmapped(event, vma->vm_mm);
+
+ /*
+- * rb->aux_mmap_count will always drop before rb->mmap_count and
+- * event->mmap_count, so it is ok to use event->mmap_mutex to
+- * serialize with perf_mmap here.
++ * The AUX buffer is strictly a sub-buffer, serialize using aux_mutex
++ * to avoid complications.
+ */
+ if (rb_has_aux(rb) && vma->vm_pgoff == rb->aux_pgoff &&
+- atomic_dec_and_mutex_lock(&rb->aux_mmap_count, &event->mmap_mutex)) {
++ atomic_dec_and_mutex_lock(&rb->aux_mmap_count, &rb->aux_mutex)) {
+ /*
+ * Stop all AUX events that are writing to this buffer,
+ * so that we can free its AUX pages and corresponding PMU
+@@ -6297,7 +6297,7 @@ static void perf_mmap_close(struct vm_ar
+ rb_free_aux(rb);
+ WARN_ON_ONCE(refcount_read(&rb->aux_refcount));
+
+- mutex_unlock(&event->mmap_mutex);
++ mutex_unlock(&rb->aux_mutex);
+ }
+
+ if (atomic_dec_and_test(&rb->mmap_count))
+@@ -6385,6 +6385,7 @@ static int perf_mmap(struct file *file,
+ struct perf_event *event = file->private_data;
+ unsigned long user_locked, user_lock_limit;
+ struct user_struct *user = current_user();
++ struct mutex *aux_mutex = NULL;
+ struct perf_buffer *rb = NULL;
+ unsigned long locked, lock_limit;
+ unsigned long vma_size;
+@@ -6433,6 +6434,9 @@ static int perf_mmap(struct file *file,
+ if (!rb)
+ goto aux_unlock;
+
++ aux_mutex = &rb->aux_mutex;
++ mutex_lock(aux_mutex);
++
+ aux_offset = READ_ONCE(rb->user_page->aux_offset);
+ aux_size = READ_ONCE(rb->user_page->aux_size);
+
+@@ -6583,6 +6587,8 @@ unlock:
+ atomic_dec(&rb->mmap_count);
+ }
+ aux_unlock:
++ if (aux_mutex)
++ mutex_unlock(aux_mutex);
+ mutex_unlock(&event->mmap_mutex);
+
+ /*
+--- a/kernel/events/internal.h
++++ b/kernel/events/internal.h
+@@ -40,6 +40,7 @@ struct perf_buffer {
+ struct user_struct *mmap_user;
+
+ /* AUX area */
++ struct mutex aux_mutex;
+ long aux_head;
+ unsigned int aux_nest;
+ long aux_wakeup; /* last aux_watermark boundary crossed by aux_head */
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -332,6 +332,8 @@ ring_buffer_init(struct perf_buffer *rb,
+ */
+ if (!rb->nr_pages)
+ rb->paused = 1;
++
++ mutex_init(&rb->aux_mutex);
+ }
+
+ void perf_aux_output_flag(struct perf_output_handle *handle, u64 flags)
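Review bot: The new `struct mutex aux_mutex;` member in internal.h carries no comment, although the patch gives it a precise role: perf_mmap() takes it while already holding `event->mmap_mutex`, perf_mmap_close() takes it through `atomic_dec_and_mutex_lock(&rb->aux_mmap_count, &rb->aux_mutex)`, and the lock-order comment in the first core.c hunk now ranks it below `perf_event::mmap_mutex`. I would annotate the field, e.g. `struct mutex aux_mutex; /* serializes AUX mmap/unmap and aux_mmap_count; nests under perf_event::mmap_mutex */`, and sharpen the perf_mmap_close() comment, where `to avoid complications` does not say what is being protected from what. In perf_mmap() the lock is taken only after `if (!rb) goto aux_unlock;` and released under `if (aux_mutex)` at `aux_unlock:`, which is consistent, but the stretches between the hunks are not visible, so it is worth confirming that no exit added between `mutex_lock(aux_mutex)` and `aux_unlock:` returns without passing the label. perf_mmap() and perf_mmap_close() both extend outside these hunks.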
diff --git a/queue-5.15/series b/queue-5.15/series
index 75dec7eee90..772cce2cb78 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -173,3 +173,20 @@ mips-cevt-r4k-don-t-call-get_c0_compare_int-if-timer.patch
 ata-pata_macio-use-warn-instead-of-bug.patch
 nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch
 cifs-check-the-lease-context-if-we-actually-got-a-lease.patch
+staging-iio-frequency-ad9834-validate-frequency-parameter-value.patch
+iio-buffer-dmaengine-fix-releasing-dma-channel-on-error.patch
+iio-fix-scale-application-in-iio_convert_raw_to_processed_unlocked.patch
+iio-adc-ad7124-fix-config-comparison.patch
+iio-adc-ad7606-remove-frstdata-check-for-serial-mode.patch
+iio-adc-ad7124-fix-chip-id-mismatch.patch
+usb-dwc3-core-update-lc-timer-as-per-usb-spec-v3.2.patch
+binder-fix-uaf-caused-by-offsets-overwrite.patch
+nvmem-fix-return-type-of-devm_nvmem_device_get-in-kerneldoc.patch
+uio_hv_generic-fix-kernel-null-pointer-dereference-in-hv_uio_rescind.patch
+drivers-hv-vmbus-fix-rescind-handling-in-uio_hv_generic.patch
+vmci-fix-use-after-free-when-removing-resource-in-vmci_resource_remove.patch
+clocksource-drivers-imx-tpm-fix-return-etime-when-delta-exceeds-int_max.patch
+clocksource-drivers-imx-tpm-fix-next-event-not-taking-effect-sometime.patch
+clocksource-drivers-timer-of-remove-percpu-irq-related-code.patch
+uprobes-use-kzalloc-to-allocate-xol-area.patch
+perf-aux-fix-aux-buffer-serialization.patch
diff --git a/queue-5.15/staging-iio-frequency-ad9834-validate-frequency-parameter-value.patch b/queue-5.15/staging-iio-frequency-ad9834-validate-frequency-parameter-value.patch
new file mode 100644
index 00000000000..76714ca0356
--- /dev/null
+++ b/queue-5.15/staging-iio-frequency-ad9834-validate-frequency-parameter-value.patch
@@ -0,0 +1,42 @@
+From b48aa991758999d4e8f9296c5bbe388f293ef465 Mon Sep 17 00:00:00 2001
+From: Aleksandr Mishin
+Date: Wed, 3 Jul 2024 18:45:06 +0300
+Subject: staging: iio: frequency: ad9834: Validate frequency parameter value
+
+From: Aleksandr Mishin
+
+commit b48aa991758999d4e8f9296c5bbe388f293ef465 upstream.
+
+In ad9834_write_frequency() clk_get_rate() can return 0. In such case
+ad9834_calc_freqreg() call will lead to division by zero. Checking
+'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0.
+ad9834_write_frequency() is called from ad9834_write(), where fout is
+taken from text buffer, which can contain any value.
+
+Modify parameters checking.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 12b9d5bf76bf ("Staging: IIO: DDS: AD9833 / AD9834 driver")
+Suggested-by: Dan Carpenter
+Signed-off-by: Aleksandr Mishin
+Reviewed-by: Dan Carpenter
+Link: https://patch.msgid.link/20240703154506.25584-1-amishin@t-argos.ru
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/iio/frequency/ad9834.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/iio/frequency/ad9834.c
++++ b/drivers/staging/iio/frequency/ad9834.c
+@@ -114,7 +114,7 @@ static int ad9834_write_frequency(struct
+
+ clk_freq = clk_get_rate(st->mclk);
+
+- if (fout > (clk_freq / 2))
++ if (!clk_freq || fout > (clk_freq / 2))
+ return -EINVAL;
+
+ regval = ad9834_calc_freqreg(clk_freq, fout);
diff --git a/queue-5.15/uio_hv_generic-fix-kernel-null-pointer-dereference-in-hv_uio_rescind.patch b/queue-5.15/uio_hv_generic-fix-kernel-null-pointer-dereference-in-hv_uio_rescind.patch
new file mode 100644
index 00000000000..ec889256c43
--- /dev/null
+++ b/queue-5.15/uio_hv_generic-fix-kernel-null-pointer-dereference-in-hv_uio_rescind.patch
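Review bot: The new guard folds two different failures into a single `-EINVAL`: `!clk_freq` means clk_get_rate() reported no rate for the MCLK (a clock-tree or platform problem), whereas `fout > (clk_freq / 2)` is a bad value from the user-written buffer, and reporting the first as a parameter error hides a misconfigured clock from whoever is debugging it; a distinct error or a one-time `dev_err_once()` on the clock path would separate them, though that is a judgement call. The reason for the zero check lives in ad9834_calc_freqreg() (the divide the commit message describes) rather than in this function, so a comment would keep it from being "simplified" away later: `/* a zero MCLK rate would divide by zero in ad9834_calc_freqreg() */`. ad9834_write_frequency() continues past the hunk.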
@@ -0,0 +1,41 @@
+From fb1adbd7e50f3d2de56d0a2bb0700e2e819a329e Mon Sep 17 00:00:00 2001
+From: Saurabh Sengar
+Date: Thu, 29 Aug 2024 12:43:11 +0530
+Subject: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
+
+From: Saurabh Sengar
+
+commit fb1adbd7e50f3d2de56d0a2bb0700e2e819a329e upstream.
+
+For primary VM Bus channels, primary_channel pointer is always NULL. This
+pointer is valid only for the secondary channels. Also, rescind callback
+is meant for primary channels only.
+
+Fix NULL pointer dereference by retrieving the device_obj from the parent
+for the primary channel.
+
+Cc: stable@vger.kernel.org
+Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support")
+Signed-off-by: Saurabh Sengar
+Signed-off-by: Naman Jain
+Link: https://lore.kernel.org/r/20240829071312.1595-2-namjain@linux.microsoft.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/uio/uio_hv_generic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -104,10 +104,11 @@ static void hv_uio_channel_cb(void *cont
+
+ /*
+ * Callback from vmbus_event when channel is rescinded.
++ * It is meant for rescind of primary channels only.
+ */
+ static void hv_uio_rescind(struct vmbus_channel *channel)
+ {
+- struct hv_device *hv_dev = channel->primary_channel->device_obj;
++ struct hv_device *hv_dev = channel->device_obj;
+ struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
+
+ /*
diff --git a/queue-5.15/uprobes-use-kzalloc-to-allocate-xol-area.patch b/queue-5.15/uprobes-use-kzalloc-to-allocate-xol-area.patch
new file mode 100644
index 00000000000..a654e302e1b
--- /dev/null
+++ b/queue-5.15/uprobes-use-kzalloc-to-allocate-xol-area.patch
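Review bot: The comment added above hv_uio_rescind() says the callback is meant for primary channels only, but nothing in the hunk enforces that: if a sub-channel ever reaches it, `channel->device_obj` is presumably NULL there (the commit message only establishes that `primary_channel` is NULL for primaries, not what `device_obj` holds on secondaries) and `hv_get_drvdata(hv_dev)` on the next line would dereference it, reproducing this crash from the other direction. A cheap guard keeps that a warning instead: declare `struct hv_uio_private_data *pdata;` uninitialised, then `if (WARN_ON_ONCE(!hv_dev)) return;` followed by `pdata = hv_get_drvdata(hv_dev);`. The companion drivers-hv-vmbus patch queued in this series may already guarantee on the registration side that only primary channels get this callback; if so the guard is belt-and-braces, but it documents the assumption in code. hv_uio_rescind()'s body continues outside the hunk.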
@@ -0,0 +1,41 @@
+From e240b0fde52f33670d1336697c22d90a4fe33c84 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle
+Date: Tue, 3 Sep 2024 12:23:12 +0200
+Subject: uprobes: Use kzalloc to allocate xol area
+
+From: Sven Schnelle
+
+commit e240b0fde52f33670d1336697c22d90a4fe33c84 upstream.
+
+To prevent unitialized members, use kzalloc to allocate
+the xol area.
+
+Fixes: b059a453b1cf1 ("x86/vdso: Add mremap hook to vm_special_mapping")
+Signed-off-by: Sven Schnelle
+Signed-off-by: Peter Zijlstra (Intel)
+Acked-by: Oleg Nesterov
+Link: https://lore.kernel.org/r/20240903102313.3402529-1-svens@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/events/uprobes.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -1484,7 +1484,7 @@ static struct xol_area *__create_xol_are
+ uprobe_opcode_t insn = UPROBE_SWBP_INSN;
+ struct xol_area *area;
+
+- area = kmalloc(sizeof(*area), GFP_KERNEL);
++ area = kzalloc(sizeof(*area), GFP_KERNEL);
+ if (unlikely(!area))
+ goto out;
+
+@@ -1494,7 +1494,6 @@ static struct xol_area *__create_xol_are
+ goto free_area;
+
+ area->xol_mapping.name = "[uprobes]";
+- area->xol_mapping.fault = NULL;
+ area->xol_mapping.pages = area->pages;
+ area->pages[0] = alloc_page(GFP_HIGHUSER);
+ if (!area->pages[0])
diff --git a/queue-5.15/usb-dwc3-core-update-lc-timer-as-per-usb-spec-v3.2.patch b/queue-5.15/usb-dwc3-core-update-lc-timer-as-per-usb-spec-v3.2.patch
new file mode 100644
index 00000000000..30bef534b3f
--- /dev/null
+++ b/queue-5.15/usb-dwc3-core-update-lc-timer-as-per-usb-spec-v3.2.patch
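Review bot: The switch to kzalloc() now silently carries the initialisation of every `xol_mapping` hook that is not assigned in the lines below (the explicit `.fault = NULL` is dropped for exactly that reason), but nothing at the allocation site records it, so a later "kmalloc is enough here" cleanup would quietly reintroduce the uninitialised member the Fixes: tag points at. I would add `/* zeroed on purpose: xol_mapping hooks not set below must read as NULL */` on the kzalloc() line. __create_xol_area() continues outside both hunks.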
@@ -0,0 +1,69 @@
+From 9149c9b0c7e046273141e41eebd8a517416144ac Mon Sep 17 00:00:00 2001
+From: Faisal Hassan
+Date: Thu, 29 Aug 2024 15:15:02 +0530
+Subject: usb: dwc3: core: update LC timer as per USB Spec V3.2
+
+From: Faisal Hassan
+
+commit 9149c9b0c7e046273141e41eebd8a517416144ac upstream.
+
+This fix addresses STAR 9001285599, which only affects DWC_usb3 version
+3.20a. The timer value for PM_LC_TIMER in DWC_usb3 3.20a for the Link
+ECN changes is incorrect. If the PM TIMER ECN is enabled via GUCTL2[19],
+the link compliance test (TD7.21) may fail. If the ECN is not enabled
+(GUCTL2[19] = 0), the controller will use the old timer value (5us),
+which is still acceptable for the link compliance test. Therefore, clear
+GUCTL2[19] to pass the USB link compliance test: TD 7.21.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Faisal Hassan
+Acked-by: Thinh Nguyen
+Link: https://lore.kernel.org/r/20240829094502.26502-1-quic_faisalh@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/core.c | 15 +++++++++++++++
+ drivers/usb/dwc3/core.h | 2 ++
+ 2 files changed, 17 insertions(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1058,6 +1058,21 @@ static int dwc3_core_init(struct dwc3 *d
+ }
+
+ /*
++ * STAR 9001285599: This issue affects DWC_usb3 version 3.20a
++ * only. If the PM TIMER ECM is enabled through GUCTL2[19], the
++ * link compliance test (TD7.21) may fail. If the ECN is not
++ * enabled (GUCTL2[19] = 0), the controller will use the old timer
++ * value (5us), which is still acceptable for the link compliance
++ * test. Therefore, do not enable PM TIMER ECM in 3.20a by
++ * setting GUCTL2[19] by default; instead, use GUCTL2[19] = 0.
++ */
++ if (DWC3_VER_IS(DWC3, 320A)) {
++ reg = dwc3_readl(dwc->regs, DWC3_GUCTL2);
++ reg &= ~DWC3_GUCTL2_LC_TIMER;
++ dwc3_writel(dwc->regs, DWC3_GUCTL2, reg);
++ }
++
++ /*
+ * When configured in HOST mode, after issuing U3/L2 exit controller
+ * fails to send proper CRC checksum in CRC5 feild. Because of this
+ * behaviour Transaction Error is generated, resulting in reset and
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -387,6 +387,7 @@
+
+ /* Global User Control Register 2 */
+ #define DWC3_GUCTL2_RST_ACTBITLATER BIT(14)
++#define DWC3_GUCTL2_LC_TIMER BIT(19)
+
+ /* Global User Control Register 3 */
+ #define DWC3_GUCTL3_SPLITDISABLE BIT(14)
+@@ -1197,6 +1198,7 @@ struct dwc3 {
+ #define DWC3_REVISION_290A 0x5533290a
+ #define DWC3_REVISION_300A 0x5533300a
+ #define DWC3_REVISION_310A 0x5533310a
++#define DWC3_REVISION_320A 0x5533320a
+ #define DWC3_REVISION_330A 0x5533330a
+
+ #define DWC31_REVISION_ANY 0x0
diff --git a/queue-5.15/vmci-fix-use-after-free-when-removing-resource-in-vmci_resource_remove.patch b/queue-5.15/vmci-fix-use-after-free-when-removing-resource-in-vmci_resource_remove.patch
new file mode 100644
index 00000000000..6d0755c75ff
--- /dev/null
+++ b/queue-5.15/vmci-fix-use-after-free-when-removing-resource-in-vmci_resource_remove.patch
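Review bot: The new block comment in dwc3_core_init() calls the feature `PM TIMER ECM` on two lines and `ECN` on a third, while the commit message uses `ECN` throughout; the two spellings read as two different things, so `ECM` should become `ECN` in both places. The bit definition `#define DWC3_GUCTL2_LC_TIMER BIT(19)` in core.h would also benefit from a short tie-back to that text, e.g. `/* PM TIMER ECN; cleared on 3.20a, see STAR 9001285599 */`, since `LC_TIMER` alone does not identify the erratum a reader will be looking for. The read-modify-write is applied unconditionally on 3.20a regardless of the bit's prior state, which matches the message's intent of forcing `GUCTL2[19]` to 0. dwc3_core_init() continues on both sides of the core.c hunk.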
@@ -0,0 +1,75 @@
+From 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7 Mon Sep 17 00:00:00 2001
+From: David Fernandez Gonzalez
+Date: Wed, 28 Aug 2024 15:43:37 +0000
+Subject: VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
+
+From: David Fernandez Gonzalez
+
+commit 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7 upstream.
+
+When removing a resource from vmci_resource_table in
+vmci_resource_remove(), the search is performed using the resource
+handle by comparing context and resource fields.
+
+It is possible though to create two resources with different types
+but same handle (same context and resource fields).
+
+When trying to remove one of the resources, vmci_resource_remove()
+may not remove the intended one, but the object will still be freed
+as in the case of the datagram type in vmci_datagram_destroy_handle().
+vmci_resource_table will still hold a pointer to this freed resource
+leading to a use-after-free vulnerability.
+
+BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
+BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
+Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
+ print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
+ __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
+ kasan_report+0x38/0x51 mm/kasan/report.c:442
+ vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
+ vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
+ vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
+ ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
+ kref_put include/linux/kref.h:65 [inline]
+ vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
+ vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
+ vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
+ __fput+0x261/0xa34 fs/file_table.c:282
+ task_work_run+0xf0/0x194 kernel/task_work.c:164
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
+ exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
+ syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
+ do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x6e/0x0
+
+This change ensures the type is also checked when removing
+the resource from vmci_resource_table in vmci_resource_remove().
+
+Fixes: bc63dedb7d46 ("VMCI: resource object implementation.")
+Cc: stable@vger.kernel.org
+Reported-by: George Kennedy
+Signed-off-by: David Fernandez Gonzalez
+Link: https://lore.kernel.org/r/20240828154338.754746-1-david.fernandez.gonzalez@oracle.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/vmw_vmci/vmci_resource.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_resource.c
++++ b/drivers/misc/vmw_vmci/vmci_resource.c
+@@ -144,7 +144,8 @@ void vmci_resource_remove(struct vmci_re
+ spin_lock(&vmci_resource_table.lock);
+
+ hlist_for_each_entry(r, &vmci_resource_table.entries[idx], node) {
+- if (vmci_handle_is_equal(r->handle, resource->handle)) {
++ if (vmci_handle_is_equal(r->handle, resource->handle) &&
++ resource->type == r->type) {
+ hlist_del_init_rcu(&r->node);
+ break;
+ }
-- 
2.47.3
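Review bot: Matching on `resource->type == r->type` makes removal unambiguous, but the commit message identifies the root cause as the table accepting two resources with the same handle and different types; the insertion and lookup paths are outside this hunk, so whether a lookup keyed on the handle alone can still return the wrong object, or whether insertion should reject a duplicate handle outright, is worth checking while the issue is fresh. The reason for the extra comparison is not obvious from the loop itself, so I would add `/* handles are not unique across types; match the type as well */` above the `if`. Comparing the cheap integer `type` before calling `vmci_handle_is_equal()` would be the more usual ordering, though that is cosmetic. vmci_resource_remove() starts before and ends after the hunk.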