From b19be099f59375a240166d8918ab37f6b4fe6b27 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 19 May 2021 16:26:29 +0200 Subject: [PATCH] 5.12-stable patches added patches: airo-work-around-stack-usage-warning.patch drm-i915-display-fix-compiler-warning-about-array-overrun.patch x86-msr-fix-wr-rdmsr_safe_regs_on_cpu-prototypes.patch --- ...airo-work-around-stack-usage-warning.patch | 164 ++++++++++++++++++ ...compiler-warning-about-array-overrun.patch | 72 ++++++++ ...wr-rdmsr_safe_regs_on_cpu-prototypes.patch | 51 ++++++ 3 files changed, 287 insertions(+) create mode 100644 queue-5.12/airo-work-around-stack-usage-warning.patch create mode 100644 queue-5.12/drm-i915-display-fix-compiler-warning-about-array-overrun.patch create mode 100644 queue-5.12/x86-msr-fix-wr-rdmsr_safe_regs_on_cpu-prototypes.patch diff --git a/queue-5.12/airo-work-around-stack-usage-warning.patch b/queue-5.12/airo-work-around-stack-usage-warning.patch new file mode 100644 index 00000000000..edf7559841a --- /dev/null +++ b/queue-5.12/airo-work-around-stack-usage-warning.patch @@ -0,0 +1,164 @@ +From 7909a590eba6d021f104958857cbc4f0089daceb Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 23 Mar 2021 14:16:28 +0100 +Subject: airo: work around stack usage warning + +From: Arnd Bergmann + +commit 7909a590eba6d021f104958857cbc4f0089daceb upstream. + +gcc-11 with KASAN on 32-bit arm produces a warning about a function +that needs a lot of stack space: + +drivers/net/wireless/cisco/airo.c: In function 'setup_card.constprop': +drivers/net/wireless/cisco/airo.c:3960:1: error: the frame size of 1512 bytes is larger than 1400 bytes [-Werror=frame-larger-than=] + +Most of this is from a single large structure that could be dynamically +allocated or moved into the per-device structure. However, as the callers +all seem to have a fairly well bounded call chain, the easiest change +is to pull out the part of the function that needs the large variables +into a separate function and mark that as noinline_for_stack. This does +not reduce the total stack usage, but it gets rid of the warning and +requires minimal changes otherwise. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210323131634.2669455-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/cisco/airo.c | 117 +++++++++++++++++++++----------------- + 1 file changed, 65 insertions(+), 52 deletions(-) + +--- a/drivers/net/wireless/cisco/airo.c ++++ b/drivers/net/wireless/cisco/airo.c +@@ -3817,6 +3817,68 @@ static inline void set_auth_type(struct + local->last_auth = auth_type; + } + ++static int noinline_for_stack airo_readconfig(struct airo_info *ai, u8 *mac, int lock) ++{ ++ int i, status; ++ /* large variables, so don't inline this function, ++ * maybe change to kmalloc ++ */ ++ tdsRssiRid rssi_rid; ++ CapabilityRid cap_rid; ++ ++ kfree(ai->SSID); ++ ai->SSID = NULL; ++ // general configuration (read/modify/write) ++ status = readConfigRid(ai, lock); ++ if (status != SUCCESS) return ERROR; ++ ++ status = readCapabilityRid(ai, &cap_rid, lock); ++ if (status != SUCCESS) return ERROR; ++ ++ status = PC4500_readrid(ai, RID_RSSI, &rssi_rid, sizeof(rssi_rid), lock); ++ if (status == SUCCESS) { ++ if (ai->rssi || (ai->rssi = kmalloc(512, GFP_KERNEL)) != NULL) ++ memcpy(ai->rssi, (u8*)&rssi_rid + 2, 512); /* Skip RID length member */ ++ } ++ else { ++ kfree(ai->rssi); ++ ai->rssi = NULL; ++ if (cap_rid.softCap & cpu_to_le16(8)) ++ ai->config.rmode |= RXMODE_NORMALIZED_RSSI; ++ else ++ airo_print_warn(ai->dev->name, "unknown received signal " ++ "level scale"); ++ } ++ ai->config.opmode = adhoc ? MODE_STA_IBSS : MODE_STA_ESS; ++ set_auth_type(ai, AUTH_OPEN); ++ ai->config.modulation = MOD_CCK; ++ ++ if (le16_to_cpu(cap_rid.len) >= sizeof(cap_rid) && ++ (cap_rid.extSoftCap & cpu_to_le16(1)) && ++ micsetup(ai) == SUCCESS) { ++ ai->config.opmode |= MODE_MIC; ++ set_bit(FLAG_MIC_CAPABLE, &ai->flags); ++ } ++ ++ /* Save off the MAC */ ++ for (i = 0; i < ETH_ALEN; i++) { ++ mac[i] = ai->config.macAddr[i]; ++ } ++ ++ /* Check to see if there are any insmod configured ++ rates to add */ ++ if (rates[0]) { ++ memset(ai->config.rates, 0, sizeof(ai->config.rates)); ++ for (i = 0; i < 8 && rates[i]; i++) { ++ ai->config.rates[i] = rates[i]; ++ } ++ } ++ set_bit (FLAG_COMMIT, &ai->flags); ++ ++ return SUCCESS; ++} ++ ++ + static u16 setup_card(struct airo_info *ai, u8 *mac, int lock) + { + Cmd cmd; +@@ -3863,58 +3925,9 @@ static u16 setup_card(struct airo_info * + if (lock) + up(&ai->sem); + if (ai->config.len == 0) { +- int i; +- tdsRssiRid rssi_rid; +- CapabilityRid cap_rid; +- +- kfree(ai->SSID); +- ai->SSID = NULL; +- // general configuration (read/modify/write) +- status = readConfigRid(ai, lock); +- if (status != SUCCESS) return ERROR; +- +- status = readCapabilityRid(ai, &cap_rid, lock); +- if (status != SUCCESS) return ERROR; +- +- status = PC4500_readrid(ai, RID_RSSI,&rssi_rid, sizeof(rssi_rid), lock); +- if (status == SUCCESS) { +- if (ai->rssi || (ai->rssi = kmalloc(512, GFP_KERNEL)) != NULL) +- memcpy(ai->rssi, (u8*)&rssi_rid + 2, 512); /* Skip RID length member */ +- } +- else { +- kfree(ai->rssi); +- ai->rssi = NULL; +- if (cap_rid.softCap & cpu_to_le16(8)) +- ai->config.rmode |= RXMODE_NORMALIZED_RSSI; +- else +- airo_print_warn(ai->dev->name, "unknown received signal " +- "level scale"); +- } +- ai->config.opmode = adhoc ? MODE_STA_IBSS : MODE_STA_ESS; +- set_auth_type(ai, AUTH_OPEN); +- ai->config.modulation = MOD_CCK; +- +- if (le16_to_cpu(cap_rid.len) >= sizeof(cap_rid) && +- (cap_rid.extSoftCap & cpu_to_le16(1)) && +- micsetup(ai) == SUCCESS) { +- ai->config.opmode |= MODE_MIC; +- set_bit(FLAG_MIC_CAPABLE, &ai->flags); +- } +- +- /* Save off the MAC */ +- for (i = 0; i < ETH_ALEN; i++) { +- mac[i] = ai->config.macAddr[i]; +- } +- +- /* Check to see if there are any insmod configured +- rates to add */ +- if (rates[0]) { +- memset(ai->config.rates, 0, sizeof(ai->config.rates)); +- for (i = 0; i < 8 && rates[i]; i++) { +- ai->config.rates[i] = rates[i]; +- } +- } +- set_bit (FLAG_COMMIT, &ai->flags); ++ status = airo_readconfig(ai, mac, lock); ++ if (status != SUCCESS) ++ return ERROR; + } + + /* Setup the SSIDs if present */ diff --git a/queue-5.12/drm-i915-display-fix-compiler-warning-about-array-overrun.patch b/queue-5.12/drm-i915-display-fix-compiler-warning-about-array-overrun.patch new file mode 100644 index 00000000000..632f394f2d5 --- /dev/null +++ b/queue-5.12/drm-i915-display-fix-compiler-warning-about-array-overrun.patch @@ -0,0 +1,72 @@ +From fec4d42724a1bf3dcba52307e55375fdb967b852 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Sat, 8 May 2021 11:30:22 -0700 +Subject: drm/i915/display: fix compiler warning about array overrun +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +commit fec4d42724a1bf3dcba52307e55375fdb967b852 upstream. + +intel_dp_check_mst_status() uses a 14-byte array to read the DPRX Event +Status Indicator data, but then passes that buffer at offset 10 off as +an argument to drm_dp_channel_eq_ok(). + +End result: there are only 4 bytes remaining of the buffer, yet +drm_dp_channel_eq_ok() wants a 6-byte buffer. gcc-11 correctly warns +about this case: + + drivers/gpu/drm/i915/display/intel_dp.c: In function ‘intel_dp_check_mst_status’: + drivers/gpu/drm/i915/display/intel_dp.c:3491:22: warning: ‘drm_dp_channel_eq_ok’ reading 6 bytes from a region of size 4 [-Wstringop-overread] + 3491 | !drm_dp_channel_eq_ok(&esi[10], intel_dp->lane_count)) { + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/gpu/drm/i915/display/intel_dp.c:3491:22: note: referencing argument 1 of type ‘const u8 *’ {aka ‘const unsigned char *’} + In file included from drivers/gpu/drm/i915/display/intel_dp.c:38: + include/drm/drm_dp_helper.h:1466:6: note: in a call to function ‘drm_dp_channel_eq_ok’ + 1466 | bool drm_dp_channel_eq_ok(const u8 link_status[DP_LINK_STATUS_SIZE], + | ^~~~~~~~~~~~~~~~~~~~ + 6:14 elapsed + +This commit just extends the original array by 2 zero-initialized bytes, +avoiding the warning. + +There may be some underlying bug in here that caused this confusion, but +this is at least no worse than the existing situation that could use +random data off the stack. + +Cc: Jani Nikula +Cc: Ville Syrjälä +Cc: Joonas Lahtinen +Cc: Rodrigo Vivi +Cc: Daniel Vetter +Cc: Dave Airlie +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_dp.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/display/intel_dp.c ++++ b/drivers/gpu/drm/i915/display/intel_dp.c +@@ -4488,7 +4488,18 @@ intel_dp_check_mst_status(struct intel_d + drm_WARN_ON_ONCE(&i915->drm, intel_dp->active_mst_links < 0); + + for (;;) { +- u8 esi[DP_DPRX_ESI_LEN] = {}; ++ /* ++ * The +2 is because DP_DPRX_ESI_LEN is 14, but we then ++ * pass in "esi+10" to drm_dp_channel_eq_ok(), which ++ * takes a 6-byte array. So we actually need 16 bytes ++ * here. ++ * ++ * Somebody who knows what the limits actually are ++ * should check this, but for now this is at least ++ * harmless and avoids a valid compiler warning about ++ * using more of the array than we have allocated. ++ */ ++ u8 esi[DP_DPRX_ESI_LEN+2] = {}; + bool handled; + int retry; + diff --git a/queue-5.12/x86-msr-fix-wr-rdmsr_safe_regs_on_cpu-prototypes.patch b/queue-5.12/x86-msr-fix-wr-rdmsr_safe_regs_on_cpu-prototypes.patch new file mode 100644 index 00000000000..8cca31a7b54 --- /dev/null +++ b/queue-5.12/x86-msr-fix-wr-rdmsr_safe_regs_on_cpu-prototypes.patch @@ -0,0 +1,51 @@ +From 396a66aa1172ef2b78c21651f59b40b87b2e5e1e Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 22 Mar 2021 17:45:36 +0100 +Subject: x86/msr: Fix wr/rdmsr_safe_regs_on_cpu() prototypes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +commit 396a66aa1172ef2b78c21651f59b40b87b2e5e1e upstream. + +gcc-11 warns about mismatched prototypes here: + + arch/x86/lib/msr-smp.c:255:51: error: argument 2 of type ‘u32 *’ {aka ‘unsigned int *’} declared as a pointer [-Werror=array-parameter=] + 255 | int rdmsr_safe_regs_on_cpu(unsigned int cpu, u32 *regs) + | ~~~~~^~~~ + arch/x86/include/asm/msr.h:347:50: note: previously declared as an array ‘u32[8]’ {aka ‘unsigned int[8]’} + +GCC is right here - fix up the types. + +[ mingo: Twiddled the changelog. ] + +Signed-off-by: Arnd Bergmann +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20210322164541.912261-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/lib/msr-smp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/lib/msr-smp.c ++++ b/arch/x86/lib/msr-smp.c +@@ -252,7 +252,7 @@ static void __wrmsr_safe_regs_on_cpu(voi + rv->err = wrmsr_safe_regs(rv->regs); + } + +-int rdmsr_safe_regs_on_cpu(unsigned int cpu, u32 *regs) ++int rdmsr_safe_regs_on_cpu(unsigned int cpu, u32 regs[8]) + { + int err; + struct msr_regs_info rv; +@@ -265,7 +265,7 @@ int rdmsr_safe_regs_on_cpu(unsigned int + } + EXPORT_SYMBOL(rdmsr_safe_regs_on_cpu); + +-int wrmsr_safe_regs_on_cpu(unsigned int cpu, u32 *regs) ++int wrmsr_safe_regs_on_cpu(unsigned int cpu, u32 regs[8]) + { + int err; + struct msr_regs_info rv; -- 2.47.3