From 6abee50397e6bb1aa8138ee64dbfd66ed17239c6 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 17 Jun 2024 20:05:42 +0200 Subject: [PATCH] 6.1-stable patches added patches: drivers-core-synchronize-really_probe-and-dev_uevent.patch iio-adc-ad9467-fix-scan-type-sign.patch iio-dac-ad5592r-fix-temperature-channel-scaling-value.patch iio-imu-inv_icm42600-delete-unneeded-update-watermark-call.patch misc-microchip-pci1xxxx-fix-double-free-in-the-error-handling-of-gp_aux_bus_probe.patch x86-boot-don-t-add-the-efi-stub-to-targets-again.patch --- ...chronize-really_probe-and-dev_uevent.patch | 104 ++++++++++++++++++ .../iio-adc-ad9467-fix-scan-type-sign.patch | 41 +++++++ ...ix-temperature-channel-scaling-value.patch | 66 +++++++++++ ...elete-unneeded-update-watermark-call.patch | 49 +++++++++ ...e-error-handling-of-gp_aux_bus_probe.patch | 51 +++++++++ queue-6.1/series | 6 + ...-t-add-the-efi-stub-to-targets-again.patch | 47 ++++++++ 7 files changed, 364 insertions(+) create mode 100644 queue-6.1/drivers-core-synchronize-really_probe-and-dev_uevent.patch create mode 100644 queue-6.1/iio-adc-ad9467-fix-scan-type-sign.patch create mode 100644 queue-6.1/iio-dac-ad5592r-fix-temperature-channel-scaling-value.patch create mode 100644 queue-6.1/iio-imu-inv_icm42600-delete-unneeded-update-watermark-call.patch create mode 100644 queue-6.1/misc-microchip-pci1xxxx-fix-double-free-in-the-error-handling-of-gp_aux_bus_probe.patch create mode 100644 queue-6.1/x86-boot-don-t-add-the-efi-stub-to-targets-again.patch diff --git a/queue-6.1/drivers-core-synchronize-really_probe-and-dev_uevent.patch b/queue-6.1/drivers-core-synchronize-really_probe-and-dev_uevent.patch new file mode 100644 index 00000000000..a44c270a281 --- /dev/null +++ b/queue-6.1/drivers-core-synchronize-really_probe-and-dev_uevent.patch @@ -0,0 +1,104 @@ +From c0a40097f0bc81deafc15f9195d1fb54595cd6d0 Mon Sep 17 00:00:00 2001 +From: Dirk Behme +Date: Mon, 13 May 2024 07:06:34 +0200 +Subject: drivers: core: synchronize really_probe() and dev_uevent() + +From: Dirk Behme + +commit c0a40097f0bc81deafc15f9195d1fb54595cd6d0 upstream. + +Synchronize the dev->driver usage in really_probe() and dev_uevent(). +These can run in different threads, what can result in the following +race condition for dev->driver uninitialization: + +Thread #1: +========== + +really_probe() { +... +probe_failed: +... +device_unbind_cleanup(dev) { + ... + dev->driver = NULL; // <= Failed probe sets dev->driver to NULL + ... + } +... +} + +Thread #2: +========== + +dev_uevent() { +... +if (dev->driver) + // If dev->driver is NULLed from really_probe() from here on, + // after above check, the system crashes + add_uevent_var(env, "DRIVER=%s", dev->driver->name); +... +} + +really_probe() holds the lock, already. So nothing needs to be done +there. dev_uevent() is called with lock held, often, too. But not +always. What implies that we can't add any locking in dev_uevent() +itself. So fix this race by adding the lock to the non-protected +path. This is the path where above race is observed: + + dev_uevent+0x235/0x380 + uevent_show+0x10c/0x1f0 <= Add lock here + dev_attr_show+0x3a/0xa0 + sysfs_kf_seq_show+0x17c/0x250 + kernfs_seq_show+0x7c/0x90 + seq_read_iter+0x2d7/0x940 + kernfs_fop_read_iter+0xc6/0x310 + vfs_read+0x5bc/0x6b0 + ksys_read+0xeb/0x1b0 + __x64_sys_read+0x42/0x50 + x64_sys_call+0x27ad/0x2d30 + do_syscall_64+0xcd/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Similar cases are reported by syzkaller in + +https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a + +But these are regarding the *initialization* of dev->driver + +dev->driver = drv; + +As this switches dev->driver to non-NULL these reports can be considered +to be false-positives (which should be "fixed" by this commit, as well, +though). + +The same issue was reported and tried to be fixed back in 2015 in + +https://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/ + +already. + +Fixes: 239378f16aa1 ("Driver core: add uevent vars for devices of a class") +Cc: stable +Cc: syzbot+ffa8143439596313a85a@syzkaller.appspotmail.com +Cc: Ashish Sangwan +Cc: Namjae Jeon +Signed-off-by: Dirk Behme +Link: https://lore.kernel.org/r/20240513050634.3964461-1-dirk.behme@de.bosch.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -2657,8 +2657,11 @@ static ssize_t uevent_show(struct device + if (!env) + return -ENOMEM; + ++ /* Synchronize with really_probe() */ ++ device_lock(dev); + /* let the kset specific function add its keys */ + retval = kset->uevent_ops->uevent(&dev->kobj, env); ++ device_unlock(dev); + if (retval) + goto out; + diff --git a/queue-6.1/iio-adc-ad9467-fix-scan-type-sign.patch b/queue-6.1/iio-adc-ad9467-fix-scan-type-sign.patch new file mode 100644 index 00000000000..fe188366cd3 --- /dev/null +++ b/queue-6.1/iio-adc-ad9467-fix-scan-type-sign.patch @@ -0,0 +1,41 @@ +From 8a01ef749b0a632f0e1f4ead0f08b3310d99fcb1 Mon Sep 17 00:00:00 2001 +From: David Lechner +Date: Fri, 3 May 2024 14:45:05 -0500 +Subject: iio: adc: ad9467: fix scan type sign + +From: David Lechner + +commit 8a01ef749b0a632f0e1f4ead0f08b3310d99fcb1 upstream. + +According to the IIO documentation, the sign in the scan type should be +lower case. The ad9467 driver was incorrectly using upper case. + +Fix by changing to lower case. + +Fixes: 4606d0f4b05f ("iio: adc: ad9467: add support for AD9434 high-speed ADC") +Fixes: ad6797120238 ("iio: adc: ad9467: add support AD9467 ADC") +Signed-off-by: David Lechner +Link: https://lore.kernel.org/r/20240503-ad9467-fix-scan-type-sign-v1-1-c7a1a066ebb9@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad9467.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/adc/ad9467.c ++++ b/drivers/iio/adc/ad9467.c +@@ -223,11 +223,11 @@ static void __ad9467_get_scale(struct ad + } + + static const struct iio_chan_spec ad9434_channels[] = { +- AD9467_CHAN(0, 0, 12, 'S'), ++ AD9467_CHAN(0, 0, 12, 's'), + }; + + static const struct iio_chan_spec ad9467_channels[] = { +- AD9467_CHAN(0, 0, 16, 'S'), ++ AD9467_CHAN(0, 0, 16, 's'), + }; + + static const struct ad9467_chip_info ad9467_chip_tbl[] = { diff --git a/queue-6.1/iio-dac-ad5592r-fix-temperature-channel-scaling-value.patch b/queue-6.1/iio-dac-ad5592r-fix-temperature-channel-scaling-value.patch new file mode 100644 index 00000000000..9db48e1437a --- /dev/null +++ b/queue-6.1/iio-dac-ad5592r-fix-temperature-channel-scaling-value.patch @@ -0,0 +1,66 @@ +From 279428df888319bf68f2686934897301a250bb84 Mon Sep 17 00:00:00 2001 +From: Marc Ferland +Date: Wed, 1 May 2024 11:05:54 -0400 +Subject: iio: dac: ad5592r: fix temperature channel scaling value + +From: Marc Ferland + +commit 279428df888319bf68f2686934897301a250bb84 upstream. + +The scale value for the temperature channel is (assuming Vref=2.5 and +the datasheet): + + 376.7897513 + +When calculating both val and val2 for the temperature scale we +use (3767897513/25) and multiply it by Vref (here I assume 2500mV) to +obtain: + + 2500 * (3767897513/25) ==> 376789751300 + +Finally we divide with remainder by 10^9 to get: + + val = 376 + val2 = 789751300 + +However, we return IIO_VAL_INT_PLUS_MICRO (should have been NANO) as +the scale type. So when converting the raw temperature value to the +'processed' temperature value we will get (assuming raw=810, +offset=-753): + + processed = (raw + offset) * scale_val + = (810 + -753) * 376 + = 21432 + + processed += div((raw + offset) * scale_val2, 10^6) + += div((810 + -753) * 789751300, 10^6) + += 45015 + ==> 66447 + ==> 66.4 Celcius + +instead of the expected 21.5 Celsius. + +Fix this issue by changing IIO_VAL_INT_PLUS_MICRO to +IIO_VAL_INT_PLUS_NANO. + +Fixes: 56ca9db862bf ("iio: dac: Add support for the AD5592R/AD5593R ADCs/DACs") +Signed-off-by: Marc Ferland +Link: https://lore.kernel.org/r/20240501150554.1871390-1-marc.ferland@sonatest.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad5592r-base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/dac/ad5592r-base.c ++++ b/drivers/iio/dac/ad5592r-base.c +@@ -410,7 +410,7 @@ static int ad5592r_read_raw(struct iio_d + s64 tmp = *val * (3767897513LL / 25LL); + *val = div_s64_rem(tmp, 1000000000LL, val2); + +- return IIO_VAL_INT_PLUS_MICRO; ++ return IIO_VAL_INT_PLUS_NANO; + } + + mutex_lock(&st->lock); diff --git a/queue-6.1/iio-imu-inv_icm42600-delete-unneeded-update-watermark-call.patch b/queue-6.1/iio-imu-inv_icm42600-delete-unneeded-update-watermark-call.patch new file mode 100644 index 00000000000..94c3faf7a07 --- /dev/null +++ b/queue-6.1/iio-imu-inv_icm42600-delete-unneeded-update-watermark-call.patch @@ -0,0 +1,49 @@ +From 245f3b149e6cc3ac6ee612cdb7042263bfc9e73c Mon Sep 17 00:00:00 2001 +From: Jean-Baptiste Maneyrol +Date: Mon, 27 May 2024 21:00:08 +0000 +Subject: iio: imu: inv_icm42600: delete unneeded update watermark call + +From: Jean-Baptiste Maneyrol + +commit 245f3b149e6cc3ac6ee612cdb7042263bfc9e73c upstream. + +Update watermark will be done inside the hwfifo_set_watermark callback +just after the update_scan_mode. It is useless to do it here. + +Fixes: 7f85e42a6c54 ("iio: imu: inv_icm42600: add buffer support in iio devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jean-Baptiste Maneyrol +Link: https://lore.kernel.org/r/20240527210008.612932-1-inv.git-commit@tdk.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 4 ---- + drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 4 ---- + 2 files changed, 8 deletions(-) + +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c +@@ -128,10 +128,6 @@ static int inv_icm42600_accel_update_sca + /* update data FIFO write */ + inv_icm42600_timestamp_apply_odr(ts, 0, 0, 0); + ret = inv_icm42600_buffer_set_fifo_en(st, fifo_en | st->fifo.en); +- if (ret) +- goto out_unlock; +- +- ret = inv_icm42600_buffer_update_watermark(st); + + out_unlock: + mutex_unlock(&st->lock); +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c +@@ -128,10 +128,6 @@ static int inv_icm42600_gyro_update_scan + /* update data FIFO write */ + inv_icm42600_timestamp_apply_odr(ts, 0, 0, 0); + ret = inv_icm42600_buffer_set_fifo_en(st, fifo_en | st->fifo.en); +- if (ret) +- goto out_unlock; +- +- ret = inv_icm42600_buffer_update_watermark(st); + + out_unlock: + mutex_unlock(&st->lock); diff --git a/queue-6.1/misc-microchip-pci1xxxx-fix-double-free-in-the-error-handling-of-gp_aux_bus_probe.patch b/queue-6.1/misc-microchip-pci1xxxx-fix-double-free-in-the-error-handling-of-gp_aux_bus_probe.patch new file mode 100644 index 00000000000..51ec9daf9e5 --- /dev/null +++ b/queue-6.1/misc-microchip-pci1xxxx-fix-double-free-in-the-error-handling-of-gp_aux_bus_probe.patch @@ -0,0 +1,51 @@ +From 086c6cbcc563c81d55257f9b27e14faf1d0963d3 Mon Sep 17 00:00:00 2001 +From: Yongzhi Liu +Date: Thu, 23 May 2024 20:14:33 +0800 +Subject: misc: microchip: pci1xxxx: fix double free in the error handling of gp_aux_bus_probe() + +From: Yongzhi Liu + +commit 086c6cbcc563c81d55257f9b27e14faf1d0963d3 upstream. + +When auxiliary_device_add() returns error and then calls +auxiliary_device_uninit(), callback function +gp_auxiliary_device_release() calls ida_free() and +kfree(aux_device_wrapper) to free memory. We should't +call them again in the error handling path. + +Fix this by skipping the redundant cleanup functions. + +Fixes: 393fc2f5948f ("misc: microchip: pci1xxxx: load auxiliary bus driver for the PIO function in the multi-function endpoint of pci1xxxx device.") +Signed-off-by: Yongzhi Liu +Link: https://lore.kernel.org/r/20240523121434.21855-3-hyperlyzcs@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c ++++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c +@@ -111,6 +111,7 @@ static int gp_aux_bus_probe(struct pci_d + + err_aux_dev_add_1: + auxiliary_device_uninit(&aux_bus->aux_device_wrapper[1]->aux_dev); ++ goto err_aux_dev_add_0; + + err_aux_dev_init_1: + ida_free(&gp_client_ida, aux_bus->aux_device_wrapper[1]->aux_dev.id); +@@ -120,6 +121,7 @@ err_ida_alloc_1: + + err_aux_dev_add_0: + auxiliary_device_uninit(&aux_bus->aux_device_wrapper[0]->aux_dev); ++ goto err_ret; + + err_aux_dev_init_0: + ida_free(&gp_client_ida, aux_bus->aux_device_wrapper[0]->aux_dev.id); +@@ -127,6 +129,7 @@ err_aux_dev_init_0: + err_ida_alloc_0: + kfree(aux_bus->aux_device_wrapper[0]); + ++err_ret: + return retval; + } + diff --git a/queue-6.1/series b/queue-6.1/series index 0c7618ec3a4..34d520263aa 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -160,3 +160,9 @@ net-bridge-mst-fix-suspicious-rcu-usage-in-br_mst_se.patch ionic-fix-use-after-netif_napi_del.patch af_unix-read-with-msg_peek-loops-if-the-first-unread.patch bnxt_en-adjust-logging-of-firmware-messages-in-case-.patch +misc-microchip-pci1xxxx-fix-double-free-in-the-error-handling-of-gp_aux_bus_probe.patch +x86-boot-don-t-add-the-efi-stub-to-targets-again.patch +iio-adc-ad9467-fix-scan-type-sign.patch +iio-dac-ad5592r-fix-temperature-channel-scaling-value.patch +iio-imu-inv_icm42600-delete-unneeded-update-watermark-call.patch +drivers-core-synchronize-really_probe-and-dev_uevent.patch diff --git a/queue-6.1/x86-boot-don-t-add-the-efi-stub-to-targets-again.patch b/queue-6.1/x86-boot-don-t-add-the-efi-stub-to-targets-again.patch new file mode 100644 index 00000000000..252fa3904c0 --- /dev/null +++ b/queue-6.1/x86-boot-don-t-add-the-efi-stub-to-targets-again.patch @@ -0,0 +1,47 @@ +From b2747f108b8034271fd5289bd8f3a7003e0775a3 Mon Sep 17 00:00:00 2001 +From: Benjamin Segall +Date: Wed, 12 Jun 2024 12:44:44 -0700 +Subject: x86/boot: Don't add the EFI stub to targets, again + +From: Benjamin Segall + +commit b2747f108b8034271fd5289bd8f3a7003e0775a3 upstream. + +This is a re-commit of + + da05b143a308 ("x86/boot: Don't add the EFI stub to targets") + +after the tagged patch incorrectly reverted it. + +vmlinux-objs-y is added to targets, with an assumption that they are all +relative to $(obj); adding a $(objtree)/drivers/... path causes the +build to incorrectly create a useless +arch/x86/boot/compressed/drivers/... directory tree. + +Fix this just by using a different make variable for the EFI stub. + +Fixes: cb8bda8ad443 ("x86/boot/compressed: Rename efi_thunk_64.S to efi-mixed.S") +Signed-off-by: Ben Segall +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Ard Biesheuvel +Cc: stable@vger.kernel.org # v6.1+ +Link: https://lore.kernel.org/r/xm267ceukksz.fsf@bsegall.svl.corp.google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/compressed/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/boot/compressed/Makefile ++++ b/arch/x86/boot/compressed/Makefile +@@ -115,9 +115,9 @@ vmlinux-objs-$(CONFIG_INTEL_TDX_GUEST) + + + vmlinux-objs-$(CONFIG_EFI) += $(obj)/efi.o + vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_mixed.o +-vmlinux-objs-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a ++vmlinux-libs-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a + +-$(obj)/vmlinux: $(vmlinux-objs-y) FORCE ++$(obj)/vmlinux: $(vmlinux-objs-y) $(vmlinux-libs-y) FORCE + $(call if_changed,ld) + + OBJCOPYFLAGS_vmlinux.bin := -R .comment -S -- 2.47.3