From 562e42992b09ea6cb5a4bc1c133ff7b80668300b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 10 Jul 2022 16:41:11 +0200
Subject: [PATCH] 5.15-stable patches
added patches:
 btrfs-fix-error-pointer-dereference-in-btrfs_ioctl_rm_dev_v2.patch
 btrfs-fix-use-of-uninitialized-variable-at-rm-device-ioctl.patch
 tty-n_gsm-fix-encoding-of-command-response-bit.patch
 virtio-blk-modify-the-value-type-of-num-in-virtio_queue_rq.patch
---
 ...dereference-in-btrfs_ioctl_rm_dev_v2.patch | 38 +++++++
 ...tialized-variable-at-rm-device-ioctl.patch | 38 +++++++
 ...drm-amdgpu-fix-rejecting-tahiti-gpus.patch | 12 +-
 queue-5.15/series | 4 +
 ...fix-encoding-of-command-response-bit.patch | 104 ++++++++++++++++++
 ...value-type-of-num-in-virtio_queue_rq.patch | 37 +++++++
 6 files changed, 225 insertions(+), 8 deletions(-)
 create mode 100644 queue-5.15/btrfs-fix-error-pointer-dereference-in-btrfs_ioctl_rm_dev_v2.patch
 create mode 100644 queue-5.15/btrfs-fix-use-of-uninitialized-variable-at-rm-device-ioctl.patch
 create mode 100644 queue-5.15/tty-n_gsm-fix-encoding-of-command-response-bit.patch
 create mode 100644 queue-5.15/virtio-blk-modify-the-value-type-of-num-in-virtio_queue_rq.patch
diff --git a/queue-5.15/btrfs-fix-error-pointer-dereference-in-btrfs_ioctl_rm_dev_v2.patch b/queue-5.15/btrfs-fix-error-pointer-dereference-in-btrfs_ioctl_rm_dev_v2.patch
new file mode 100644
index 00000000000..a96dd10cad3
--- /dev/null
+++ b/queue-5.15/btrfs-fix-error-pointer-dereference-in-btrfs_ioctl_rm_dev_v2.patch
@@ -0,0 +1,38 @@
+From d815b3f2f273537cb8afaf5ab11a46851f6c03e5 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 16 Nov 2021 14:50:25 +0300
+Subject: btrfs: fix error pointer dereference in btrfs_ioctl_rm_dev_v2()
+
+From: Dan Carpenter
+
+commit d815b3f2f273537cb8afaf5ab11a46851f6c03e5 upstream.
+
+If memdup_user() fails the error handing will crash when it tries
+to kfree() an error pointer. Just return directly because there is
+no cleanup required.
+
+Fixes: 1a15eb724aae ("btrfs: use btrfs_get_dev_args_from_path in dev removal ioctls")
+Reviewed-by: Josef Bacik
+Signed-off-by: Dan Carpenter
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/ioctl.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3231,10 +3231,8 @@ static long btrfs_ioctl_rm_dev_v2(struct
+ return -EPERM;
+
+ vol_args = memdup_user(arg, sizeof(*vol_args));
+- if (IS_ERR(vol_args)) {
+- ret = PTR_ERR(vol_args);
+- goto out;
+- }
++ if (IS_ERR(vol_args))
++ return PTR_ERR(vol_args);
+
+ if (vol_args->flags & ~BTRFS_DEVICE_REMOVE_ARGS_MASK) {
+ ret = -EOPNOTSUPP;
diff --git a/queue-5.15/btrfs-fix-use-of-uninitialized-variable-at-rm-device-ioctl.patch b/queue-5.15/btrfs-fix-use-of-uninitialized-variable-at-rm-device-ioctl.patch
new file mode 100644
index 00000000000..37c95beed0d
--- /dev/null
+++ b/queue-5.15/btrfs-fix-use-of-uninitialized-variable-at-rm-device-ioctl.patch
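Review bot: The new early `return PTR_ERR(vol_args);` in btrfs_ioctl_rm_dev_v2() carries no comment explaining why it must not go through the function's cleanup, unlike the `ret = -EOPNOTSUPP` path right below it, which presumably still does. The commit message gives the reason (the cleanup kfree()s `vol_args`, which is an error pointer at this point), but a later refactor that folds the return back into `goto out` would reintroduce the crash. I would add a one-line comment above the return, e.g. `/* vol_args is an ERR_PTR here and must not reach kfree() */`. The `out` label and the rest of the function lie outside the hunk, so what the cleanup does is taken from the commit message rather than from visible code.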
@@ -0,0 +1,38 @@
+From 37b4599547e324589e011c20f74b021d6d25cb7f Mon Sep 17 00:00:00 2001
+From: Tom Rix
+Date: Fri, 21 Jan 2022 05:45:22 -0800
+Subject: btrfs: fix use of uninitialized variable at rm device ioctl
+
+From: Tom Rix
+
+commit 37b4599547e324589e011c20f74b021d6d25cb7f upstream.
+
+Clang static analysis reports this problem
+ioctl.c:3333:8: warning: 3rd function call argument is an
+ uninitialized value
+ ret = exclop_start_or_cancel_reloc(fs_info,
+
+cancel is only set in one branch of an if-check and is always used. So
+initialize to false.
+
+Fixes: 1a15eb724aae ("btrfs: use btrfs_get_dev_args_from_path in dev removal ioctls")
+Reviewed-by: Filipe Manana
+Reviewed-by: Anand Jain
+Signed-off-by: Tom Rix
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3291,7 +3291,7 @@ static long btrfs_ioctl_rm_dev(struct fi
+ struct block_device *bdev = NULL;
+ fmode_t mode;
+ int ret;
+- bool cancel;
++ bool cancel = false;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
diff --git a/queue-5.15/drm-amdgpu-fix-rejecting-tahiti-gpus.patch b/queue-5.15/drm-amdgpu-fix-rejecting-tahiti-gpus.patch
index 4d8b840a19e..ad57a9d8501 100644
--- a/queue-5.15/drm-amdgpu-fix-rejecting-tahiti-gpus.patch
+++ b/queue-5.15/drm-amdgpu-fix-rejecting-tahiti-gpus.patch
@@ -6,6 +6,7 @@ Subject: drm/amdgpu: Fix rejecting Tahiti GPUs From: Lukas Fink [ Upstream commit 3993a799fc971bc9b918bd969aa55864447b5dde ] +[ Upstream commit 5f0754ab2751d1935818459e8e71a8fe26f6403c ] eb4fd29afd4a ("drm/amdgpu: bind to any 0x1002 PCI diplay class device") added generic bindings to amdgpu so that that it binds to all display class devices
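Review bot: After this hunk the refreshed patch header carries two upstream references: the existing `[ Upstream commit 3993a799fc971bc9b918bd969aa55864447b5dde ]` stays as context and `[ Upstream commit 5f0754ab2751d1935818459e8e71a8fe26f6403c ]` is added below it. Tooling that maps a stable backport to its mainline origin (fix tracking, vulnerability triage) may read only one of them, so it is worth confirming that both ids name the same change and saying so in the header, or keeping a single reference. Nothing in this diff shows how the two ids relate.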
@@ -21,20 +22,18 @@ was forgotten to be changed. Therefore, it still rejects Tahiti GPUs. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1860 Fixes: eb4fd29afd4a ("drm/amdgpu: bind to any 0x1002 PCI diplay class device") - Cc: stable@vger.kernel.org Signed-off-by: Lukas Fink Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman --- - drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c -index c294081022bd..cb0b5972e7fd 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c -@@ -2009,7 +2009,7 @@ static int amdgpu_pci_probe(struct pci_dev *pdev, +@@ -2009,7 +2009,7 @@ static int amdgpu_pci_probe(struct pci_d return -ENODEV; }
@@ -43,6 +42,3 @@ index c294081022bd..cb0b5972e7fd 100644 DRM_INFO("Unsupported asic. Remove me when IP discovery init is in place.\n"); return -ENODEV; } --- -2.35.1 -
diff --git a/queue-5.15/series b/queue-5.15/series
index 59a5bf1e5d4..045f0c62dc7 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -174,3 +174,7 @@ can-kvaser_usb-kvaser_usb_leaf-fix-can-clock-frequency-regression.patch
 can-kvaser_usb-kvaser_usb_leaf-fix-bittiming-limits.patch
 xfs-remove-incorrect-assert-in-xfs_rename.patch
 revert-serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch
+btrfs-fix-error-pointer-dereference-in-btrfs_ioctl_rm_dev_v2.patch
+virtio-blk-modify-the-value-type-of-num-in-virtio_queue_rq.patch
+btrfs-fix-use-of-uninitialized-variable-at-rm-device-ioctl.patch
+tty-n_gsm-fix-encoding-of-command-response-bit.patch
diff --git a/queue-5.15/tty-n_gsm-fix-encoding-of-command-response-bit.patch b/queue-5.15/tty-n_gsm-fix-encoding-of-command-response-bit.patch
new file mode 100644
index 00000000000..9daf4915315
--- /dev/null
+++ b/queue-5.15/tty-n_gsm-fix-encoding-of-command-response-bit.patch 
@@ -0,0 +1,104 @@
+From 57435c42400ec147a527b2313188b649e81e449e Mon Sep 17 00:00:00 2001
+From: "daniel.starke@siemens.com"
+Date: Thu, 17 Feb 2022 23:31:18 -0800
+Subject: tty: n_gsm: fix encoding of command/response bit
+
+From: daniel.starke@siemens.com
+
+commit 57435c42400ec147a527b2313188b649e81e449e upstream.
+
+n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010.
+See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516
+The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to
+the newer 27.010 here. Chapter 5.2.1.2 describes the encoding of the
+C/R (command/response) bit. Table 1 shows that the actual encoding of the
+C/R bit is inverted if the associated frame is sent by the responder.
+
+The referenced commit fixed here further broke the internal meaning of this
+bit in the outgoing path by always setting the C/R bit regardless of the
+frame type.
+
+This patch fixes both by setting the C/R bit always consistently for
+command (1) and response (0) frames and inverting it later for the
+responder where necessary. The meaning of this bit in the debug output
+is being preserved and shows the bit as if it was encoded by the initiator.
+This reflects only the frame type rather than the encoded combination of
+communication side and frame type.
+
+Fixes: cc0f42122a7e ("tty: n_gsm: Modify CR,PF bit when config requester")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke
+Link: https://lore.kernel.org/r/20220218073123.2121-2-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/n_gsm.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -471,7 +471,7 @@ static void gsm_hex_dump_bytes(const cha
+ * gsm_print_packet - display a frame for debug
+ * @hdr: header to print before decode
+ * @addr: address EA from the frame
+- * @cr: C/R bit from the frame
++ * @cr: C/R bit seen as initiator
+ * @control: control including PF bit
+ * @data: following data bytes
+ * @dlen: length of data
+@@ -571,7 +571,7 @@ static int gsm_stuff_frame(const u8 *inp
+ * gsm_send - send a control frame
+ * @gsm: our GSM mux
+ * @addr: address for control frame
+- * @cr: command/response bit
++ * @cr: command/response bit seen as initiator
+ * @control: control byte including PF bit
+ *
+ * Format up and transmit a control frame. These do not go via the
+@@ -586,11 +586,15 @@ static void gsm_send(struct gsm_mux *gsm
+ int len;
+ u8 cbuf[10];
+ u8 ibuf[3];
++ int ocr;
++
++ /* toggle C/R coding if not initiator */
++ ocr = cr ^ (gsm->initiator ? 0 : 1);
+
+ switch (gsm->encoding) {
+ case 0:
+ cbuf[0] = GSM0_SOF;
+- cbuf[1] = (addr << 2) | (cr << 1) | EA;
++ cbuf[1] = (addr << 2) | (ocr << 1) | EA;
+ cbuf[2] = control;
+ cbuf[3] = EA; /* Length of data = 0 */
+ cbuf[4] = 0xFF - gsm_fcs_add_block(INIT_FCS, cbuf + 1, 3);
+@@ -600,7 +604,7 @@ static void gsm_send(struct gsm_mux *gsm
+ case 1:
+ case 2:
+ /* Control frame + packing (but not frame stuffing) in mode 1 */
+- ibuf[0] = (addr << 2) | (cr << 1) | EA;
++ ibuf[0] = (addr << 2) | (ocr << 1) | EA;
+ ibuf[1] = control;
+ ibuf[2] = 0xFF - gsm_fcs_add_block(INIT_FCS, ibuf, 2);
+ /* Stuffing may double the size worst case */
+@@ -630,7 +634,7 @@ static void gsm_send(struct gsm_mux *gsm
+
+ static inline void gsm_response(struct gsm_mux *gsm, int addr, int control)
+ {
+- gsm_send(gsm, addr, 1, control);
++ gsm_send(gsm, addr, 0, control);
+ }
+
+ /**
+@@ -1875,10 +1879,10 @@ static void gsm_queue(struct gsm_mux *gs
+ goto invalid;
+
+ cr = gsm->address & 1; /* C/R bit */
++ cr ^= gsm->initiator ? 0 : 1; /* Flip so 1 always means command */
+
+ gsm_print_packet("<--", address, cr, gsm->control, gsm->buf, gsm->len);
+
+- cr ^= 1 - gsm->initiator; /* Flip so 1 always means command */
+ dlci = gsm->dlci[address];
+
+ switch (gsm->control) {
diff --git a/queue-5.15/virtio-blk-modify-the-value-type-of-num-in-virtio_queue_rq.patch b/queue-5.15/virtio-blk-modify-the-value-type-of-num-in-virtio_queue_rq.patch
new file mode 100644
index 00000000000..9d6e19c15ca
--- /dev/null
+++ b/queue-5.15/virtio-blk-modify-the-value-type-of-num-in-virtio_queue_rq.patch
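Review bot: In gsm_send() the new `ocr = cr ^ (gsm->initiator ? 0 : 1);` normalises `gsm->initiator` but not `cr`, so a caller passing anything other than 0 or 1 would have `(ocr << 1)` set bits in the address field of `cbuf[1]` and `ibuf[0]`. The only caller visible here, gsm_response(), passes 0; any other callers are outside the hunks. Writing it as `ocr = !!cr ^ !gsm->initiator;` keeps the result to a single bit whatever the argument is. The same inversion is repeated in gsm_queue() as `cr ^= gsm->initiator ? 0 : 1;`, and a small static helper shared by both paths would keep the send and receive sides from drifting apart. Both function bodies continue outside the hunks.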
@@ -0,0 +1,37 @@
+From 0466a39bd0b6c462338f10d18076703d14a552de Mon Sep 17 00:00:00 2001
+From: Ye Guojin
+Date: Wed, 17 Nov 2021 06:39:55 +0000
+Subject: virtio-blk: modify the value type of num in virtio_queue_rq()
+
+From: Ye Guojin
+
+commit 0466a39bd0b6c462338f10d18076703d14a552de upstream.
+
+This was found by coccicheck:
+./drivers/block/virtio_blk.c, 334, 14-17, WARNING Unsigned expression
+compared with zero num < 0
+
+Reported-by: Zeal Robot
+Signed-off-by: Ye Guojin
+Link: https://lore.kernel.org/r/20211117063955.160777-1-ye.guojin@zte.com.cn
+Signed-off-by: Michael S. Tsirkin
+Fixes: 02746e26c39e ("virtio-blk: avoid preallocating big SGL for data")
+Reviewed-by: Stefano Garzarella
+Reviewed-by: Max Gurtovoy
+Reviewed-by: Stefan Hajnoczi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/virtio_blk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -308,7 +308,7 @@ static blk_status_t virtio_queue_rq(stru
+ struct request *req = bd->rq;
+ struct virtblk_req *vbr = blk_mq_rq_to_pdu(req);
+ unsigned long flags;
+- unsigned int num;
++ int num;
+ int qid = hctx->queue_num;
+ int err;
+ bool notify = false;
--
2.47.3
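Review bot: The changed declaration `int num;` in virtio_queue_rq() gives no hint that its signedness matters, and the `num < 0` test the commit message refers to lies outside this hunk. With the previous `unsigned int` that test could never be true, so a failure value would presumably have been carried forward as a count instead of taking the error path. A short comment on the declaration, e.g. `int num; /* signed: checked with num < 0 */`, would keep a later type cleanup from undoing the fix. It is also worth checking, in the part of the function not shown, that every later use of `num` is reached only after that check.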