From c21eecc4e326831248c3ca23cd912810d6d1ee0e Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 8 Feb 2025 11:15:28 -0500 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...es-have-ghes-honor-the-panic-setting.patch | 72 ++++++ ...g_on-in-btrfs_reloc_cow_block-to-pro.patch | 51 +++++ ...ter-free-when-attempting-to-join-an-.patch | 212 ++++++++++++++++++ ...-eld_mutex-to-protect-access-to-conn.patch | 39 ++++ ...d-wacom-add-pci-wacom-device-support.patch | 46 ++++ queue-5.4/kvm-e500-always-restore-irqs.patch | 47 ++++ ...k-struct-page-dirty-in-kvmppc_e500_s.patch | 75 +++++++ ...k-struct-page-pfn-accessed-before-dr.patch | 46 ++++ ...-__kvm_faultin_pfn-to-handle-page-fa.patch | 66 ++++++ ...another-gemini-lake-isa-bridge-pci-d.patch | 42 ++++ ...-quirk_max_rate-for-non-uhs-sdio-car.patch | 37 +++ ...l8150-enable-basic-endpoint-checking.patch | 121 ++++++++++ .../net-usb-rtl8150-use-new-tasklet-api.patch | 48 ++++ ...d-integer-overflow-when-defining-log.patch | 41 ++++ ...-t-try-to-catch-up-excess-steal-time.patch | 76 +++++++ queue-5.4/series | 22 ++ ...let-introduce-new-initialization-api.patch | 158 +++++++++++++ ...emit-warning-in-tomoyo_write_control.patch | 46 ++++ .../tun-fix-group-permission-check.patch | 72 ++++++ ...eout-argument-in-address_device-usb-.patch | 206 +++++++++++++++++ ...l-pointer-dereference-on-certain-com.patch | 56 +++++ ...d-gain-range-check-to-wlc_phy_iqcal_.patch | 42 ++++ ...ict-init-function-to-amd-based-syste.patch | 40 ++++ 23 files changed, 1661 insertions(+) create mode 100644 queue-5.4/apei-ghes-have-ghes-honor-the-panic-setting.patch create mode 100644 queue-5.4/btrfs-convert-bug_on-in-btrfs_reloc_cow_block-to-pro.patch create mode 100644 queue-5.4/btrfs-fix-use-after-free-when-attempting-to-join-an-.patch create mode 100644 queue-5.4/drm-sti-hdmi-use-eld_mutex-to-protect-access-to-conn.patch create mode 100644 queue-5.4/hid-wacom-add-pci-wacom-device-support.patch create mode 100644 queue-5.4/kvm-e500-always-restore-irqs.patch create mode 100644 queue-5.4/kvm-ppc-e500-mark-struct-page-dirty-in-kvmppc_e500_s.patch create mode 100644 queue-5.4/kvm-ppc-e500-mark-struct-page-pfn-accessed-before-dr.patch create mode 100644 queue-5.4/kvm-ppc-e500-use-__kvm_faultin_pfn-to-handle-page-fa.patch create mode 100644 queue-5.4/mfd-lpc_ich-add-another-gemini-lake-isa-bridge-pci-d.patch create mode 100644 queue-5.4/mmc-core-respect-quirk_max_rate-for-non-uhs-sdio-car.patch create mode 100644 queue-5.4/net-usb-rtl8150-enable-basic-endpoint-checking.patch create mode 100644 queue-5.4/net-usb-rtl8150-use-new-tasklet-api.patch create mode 100644 queue-5.4/printk-fix-signed-integer-overflow-when-defining-log.patch create mode 100644 queue-5.4/sched-don-t-try-to-catch-up-excess-steal-time.patch create mode 100644 queue-5.4/tasklet-introduce-new-initialization-api.patch create mode 100644 queue-5.4/tomoyo-don-t-emit-warning-in-tomoyo_write_control.patch create mode 100644 queue-5.4/tun-fix-group-permission-check.patch create mode 100644 queue-5.4/usb-xhci-add-timeout-argument-in-address_device-usb-.patch create mode 100644 queue-5.4/usb-xhci-fix-null-pointer-dereference-on-certain-com.patch create mode 100644 queue-5.4/wifi-brcmsmac-add-gain-range-check-to-wlc_phy_iqcal_.patch create mode 100644 queue-5.4/x86-amd_nb-restrict-init-function-to-amd-based-syste.patch diff --git a/queue-5.4/apei-ghes-have-ghes-honor-the-panic-setting.patch b/queue-5.4/apei-ghes-have-ghes-honor-the-panic-setting.patch new file mode 100644 index 0000000000..8bfbbb53bf --- /dev/null +++ b/queue-5.4/apei-ghes-have-ghes-honor-the-panic-setting.patch @@ -0,0 +1,72 @@ +From 47c12ba971589be05947e827cb59dc00514d177e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 13:52:24 +0100 +Subject: APEI: GHES: Have GHES honor the panic= setting + +From: Borislav Petkov + +[ Upstream commit 5c0e00a391dd0099fe95991bb2f962848d851916 ] + +The GHES driver overrides the panic= setting by force-rebooting the +system after a fatal hw error has been reported. The intent being that +such an error would be reported earlier. + +However, this is not optimal when a hard-to-debug issue requires long +time to reproduce and when that happens, the box will get rebooted after +30 seconds and thus destroy the whole hw context of when the error +happened. + +So rip out the default GHES panic timeout and honor the global one. + +In the panic disabled (panic=0) case, the error will still be logged to +dmesg for later inspection and if panic after a hw error is really +required, then that can be controlled the usual way - use panic= on the +cmdline or set it in the kernel .config's CONFIG_PANIC_TIMEOUT. + +Reported-by: Feng Tang +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Feng Tang +Reviewed-by: Ira Weiny +Link: https://patch.msgid.link/20250113125224.GFZ4UMiNtWIJvgpveU@fat_crate.local +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index e0d82fab1f448..50bed5a708125 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -128,8 +128,6 @@ static unsigned long ghes_estatus_pool_size_request; + static struct ghes_estatus_cache *ghes_estatus_caches[GHES_ESTATUS_CACHES_SIZE]; + static atomic_t ghes_estatus_cache_alloced; + +-static int ghes_panic_timeout __read_mostly = 30; +- + static void __iomem *ghes_map(u64 pfn, enum fixed_addresses fixmap_idx) + { + phys_addr_t paddr; +@@ -707,14 +705,16 @@ static void __ghes_panic(struct ghes *ghes, + struct acpi_hest_generic_status *estatus, + u64 buf_paddr, enum fixed_addresses fixmap_idx) + { ++ const char *msg = GHES_PFX "Fatal hardware error"; ++ + __ghes_print_estatus(KERN_EMERG, ghes->generic, estatus); + + ghes_clear_estatus(ghes, estatus, buf_paddr, fixmap_idx); + +- /* reboot to log the error! */ + if (!panic_timeout) +- panic_timeout = ghes_panic_timeout; +- panic("Fatal hardware error!"); ++ pr_emerg("%s but panic disabled\n", msg); ++ ++ panic(msg); + } + + static int ghes_proc(struct ghes *ghes) +-- +2.39.5 + diff --git a/queue-5.4/btrfs-convert-bug_on-in-btrfs_reloc_cow_block-to-pro.patch b/queue-5.4/btrfs-convert-bug_on-in-btrfs_reloc_cow_block-to-pro.patch new file mode 100644 index 0000000000..a982a9bd6e --- /dev/null +++ b/queue-5.4/btrfs-convert-bug_on-in-btrfs_reloc_cow_block-to-pro.patch @@ -0,0 +1,51 @@ +From fa178eed11f3532e28d6f3d4e522efe5ee495d50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2024 11:43:03 -0400 +Subject: btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error + handling + +From: Josef Bacik + +[ Upstream commit 6a4730b325aaa48f7a5d5ba97aff0a955e2d9cec ] + +This BUG_ON is meant to catch backref cache problems, but these can +arise from either bugs in the backref cache or corruption in the extent +tree. Fix it to be a proper error. + +Reviewed-by: Boris Burkov +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/relocation.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 89ad7e12c08bb..062154c6a65f6 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -4789,8 +4789,18 @@ int btrfs_reloc_cow_block(struct btrfs_trans_handle *trans, + WARN_ON(!first_cow && level == 0); + + node = rc->backref_cache.path[level]; +- BUG_ON(node->bytenr != buf->start && +- node->new_bytenr != buf->start); ++ ++ /* ++ * If node->bytenr != buf->start and node->new_bytenr != ++ * buf->start then we've got the wrong backref node for what we ++ * expected to see here and the cache is incorrect. ++ */ ++ if (unlikely(node->bytenr != buf->start && node->new_bytenr != buf->start)) { ++ btrfs_err(fs_info, ++"bytenr %llu was found but our backref cache was expecting %llu or %llu", ++ buf->start, node->bytenr, node->new_bytenr); ++ return -EUCLEAN; ++ } + + drop_node_buffer(node); + extent_buffer_get(cow); +-- +2.39.5 + diff --git a/queue-5.4/btrfs-fix-use-after-free-when-attempting-to-join-an-.patch b/queue-5.4/btrfs-fix-use-after-free-when-attempting-to-join-an-.patch new file mode 100644 index 0000000000..d7add91897 --- /dev/null +++ b/queue-5.4/btrfs-fix-use-after-free-when-attempting-to-join-an-.patch @@ -0,0 +1,212 @@ +From 0e07912de65c5a4683fc07a7d9145b802fc85a58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2025 17:26:10 +0000 +Subject: btrfs: fix use-after-free when attempting to join an aborted + transaction + +From: Filipe Manana + +[ Upstream commit e2f0943cf37305dbdeaf9846e3c941451bcdef63 ] + +When we are trying to join the current transaction and if it's aborted, +we read its 'aborted' field after unlocking fs_info->trans_lock and +without holding any extra reference count on it. This means that a +concurrent task that is aborting the transaction may free the transaction +before we read its 'aborted' field, leading to a use-after-free. + +Fix this by reading the 'aborted' field while holding fs_info->trans_lock +since any freeing task must first acquire that lock and set +fs_info->running_transaction to NULL before freeing the transaction. + +This was reported by syzbot and Dmitry with the following stack traces +from KASAN: + + ================================================================== + BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 + Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128 + + CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 + Workqueue: events_unbound btrfs_async_reclaim_data_space + Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x169/0x550 mm/kasan/report.c:489 + kasan_report+0x143/0x180 mm/kasan/report.c:602 + join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 + start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 + flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803 + btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321 + process_one_work kernel/workqueue.c:3236 [inline] + process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 + worker_thread+0x870/0xd30 kernel/workqueue.c:3398 + kthread+0x2f0/0x390 kernel/kthread.c:389 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + + Allocated by task 5315: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 + kmalloc_noprof include/linux/slab.h:901 [inline] + join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308 + start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 + btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572 + lookup_open fs/namei.c:3649 [inline] + open_last_lookups fs/namei.c:3748 [inline] + path_openat+0x1c03/0x3590 fs/namei.c:3984 + do_filp_open+0x27f/0x4e0 fs/namei.c:4014 + do_sys_openat2+0x13e/0x1d0 fs/open.c:1402 + do_sys_open fs/open.c:1417 [inline] + __do_sys_creat fs/open.c:1495 [inline] + __se_sys_creat fs/open.c:1489 [inline] + __x64_sys_creat+0x123/0x170 fs/open.c:1489 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + Freed by task 5336: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 + poison_slab_object mm/kasan/common.c:247 [inline] + __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2353 [inline] + slab_free mm/slub.c:4613 [inline] + kfree+0x196/0x430 mm/slub.c:4761 + cleanup_transaction fs/btrfs/transaction.c:2063 [inline] + btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598 + insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757 + btrfs_balance+0x992/0x10c0 fs/btrfs/volumes.c:4633 + btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3670 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:906 [inline] + __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + The buggy address belongs to the object at ffff888011839000 + which belongs to the cache kmalloc-2k of size 2048 + The buggy address is located 36 bytes inside of + freed 2048-byte region [ffff888011839000, ffff888011839800) + + The buggy address belongs to the physical page: + page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11838 + head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 + flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) + page_type: f5(slab) + raw: 00fff00000000040 ffff88801ac42000 ffffea0000493400 dead000000000002 + raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000 + head: 00fff00000000040 ffff88801ac42000 ffffea0000493400 dead000000000002 + head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000 + head: 00fff00000000003 ffffea0000460e01 ffffffffffffffff 0000000000000000 + head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + page_owner tracks the page as allocated + page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 57, tgid 57 (kworker/0:2), ts 67248182943, free_ts 67229742023 + set_page_owner include/linux/page_owner.h:32 [inline] + post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1558 + prep_new_page mm/page_alloc.c:1566 [inline] + get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3476 + __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4753 + alloc_pages_mpol_noprof+0x3e1/0x780 mm/mempolicy.c:2269 + alloc_slab_page+0x6a/0x110 mm/slub.c:2423 + allocate_slab+0x5a/0x2b0 mm/slub.c:2589 + new_slab mm/slub.c:2642 [inline] + ___slab_alloc+0xc27/0x14a0 mm/slub.c:3830 + __slab_alloc+0x58/0xa0 mm/slub.c:3920 + __slab_alloc_node mm/slub.c:3995 [inline] + slab_alloc_node mm/slub.c:4156 [inline] + __do_kmalloc_node mm/slub.c:4297 [inline] + __kmalloc_node_track_caller_noprof+0x2e9/0x4c0 mm/slub.c:4317 + kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609 + __alloc_skb+0x1f3/0x440 net/core/skbuff.c:678 + alloc_skb include/linux/skbuff.h:1323 [inline] + alloc_skb_with_frags+0xc3/0x820 net/core/skbuff.c:6612 + sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2884 + sock_alloc_send_skb include/net/sock.h:1803 [inline] + mld_newpack+0x1c3/0xaf0 net/ipv6/mcast.c:1747 + add_grhead net/ipv6/mcast.c:1850 [inline] + add_grec+0x1492/0x19a0 net/ipv6/mcast.c:1988 + mld_send_cr net/ipv6/mcast.c:2114 [inline] + mld_ifc_work+0x691/0xd90 net/ipv6/mcast.c:2651 + page last free pid 5300 tgid 5300 stack trace: + reset_page_owner include/linux/page_owner.h:25 [inline] + free_pages_prepare mm/page_alloc.c:1127 [inline] + free_unref_page+0xd3f/0x1010 mm/page_alloc.c:2659 + __slab_free+0x2c2/0x380 mm/slub.c:4524 + qlink_free mm/kasan/quarantine.c:163 [inline] + qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179 + kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286 + __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329 + kasan_slab_alloc include/linux/kasan.h:250 [inline] + slab_post_alloc_hook mm/slub.c:4119 [inline] + slab_alloc_node mm/slub.c:4168 [inline] + __do_kmalloc_node mm/slub.c:4297 [inline] + __kmalloc_noprof+0x236/0x4c0 mm/slub.c:4310 + kmalloc_noprof include/linux/slab.h:905 [inline] + kzalloc_noprof include/linux/slab.h:1037 [inline] + fib_create_info+0xc14/0x25b0 net/ipv4/fib_semantics.c:1435 + fib_table_insert+0x1f6/0x1f20 net/ipv4/fib_trie.c:1231 + fib_magic+0x3d8/0x620 net/ipv4/fib_frontend.c:1112 + fib_add_ifaddr+0x40c/0x5e0 net/ipv4/fib_frontend.c:1156 + fib_netdev_event+0x375/0x490 net/ipv4/fib_frontend.c:1494 + notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85 + __dev_notify_flags+0x207/0x400 + dev_change_flags+0xf0/0x1a0 net/core/dev.c:9045 + do_setlink+0xc90/0x4210 net/core/rtnetlink.c:3109 + rtnl_changelink net/core/rtnetlink.c:3723 [inline] + __rtnl_newlink net/core/rtnetlink.c:3875 [inline] + rtnl_newlink+0x1bb6/0x2210 net/core/rtnetlink.c:4012 + + Memory state around the buggy address: + ffff888011838f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff888011838f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + >ffff888011839000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888011839080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888011839100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ================================================================== + +Reported-by: syzbot+45212e9d87a98c3f5b42@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/678e7da5.050a0220.303755.007c.GAE@google.com/ +Reported-by: Dmitry Vyukov +Link: https://lore.kernel.org/linux-btrfs/CACT4Y+ZFBdo7pT8L2AzM=vegZwjp-wNkVJZQf0Ta3vZqtExaSw@mail.gmail.com/ +Fixes: 871383be592b ("btrfs: add missing unlocks to transaction abort paths") +Reviewed-by: Johannes Thumshirn +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/transaction.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index 1d25bf0c55ccf..094b024bbf0cf 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -174,8 +174,10 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info, + cur_trans = fs_info->running_transaction; + if (cur_trans) { + if (TRANS_ABORTED(cur_trans)) { ++ const int abort_error = cur_trans->aborted; ++ + spin_unlock(&fs_info->trans_lock); +- return cur_trans->aborted; ++ return abort_error; + } + if (btrfs_blocked_trans_types[cur_trans->state] & type) { + spin_unlock(&fs_info->trans_lock); +-- +2.39.5 + diff --git a/queue-5.4/drm-sti-hdmi-use-eld_mutex-to-protect-access-to-conn.patch b/queue-5.4/drm-sti-hdmi-use-eld_mutex-to-protect-access-to-conn.patch new file mode 100644 index 0000000000..4cf57dda90 --- /dev/null +++ b/queue-5.4/drm-sti-hdmi-use-eld_mutex-to-protect-access-to-conn.patch @@ -0,0 +1,39 @@ +From 6bb0c61f3781ae68a2a7fe0a71bea37a01608f38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 11:43:12 +0200 +Subject: drm/sti: hdmi: use eld_mutex to protect access to connector->eld + +From: Dmitry Baryshkov + +[ Upstream commit e99c0b517bcd53cf61f998a3c4291333401cb391 ] + +Reading access to connector->eld can happen at the same time the +drm_edid_to_eld() updates the data. Take the newly added eld_mutex in +order to protect connector->eld from concurrent access. + +Reviewed-by: Maxime Ripard +Acked-by: Raphael Gallais-Pou +Link: https://patchwork.freedesktop.org/patch/msgid/20241206-drm-connector-eld-mutex-v2-9-c9bce1ee8bea@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sti/sti_hdmi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c +index c5547fedebe30..ce7cc84499f45 100644 +--- a/drivers/gpu/drm/sti/sti_hdmi.c ++++ b/drivers/gpu/drm/sti/sti_hdmi.c +@@ -1214,7 +1214,9 @@ static int hdmi_audio_get_eld(struct device *dev, void *data, uint8_t *buf, size + struct drm_connector *connector = hdmi->drm_connector; + + DRM_DEBUG_DRIVER("\n"); ++ mutex_lock(&connector->eld_mutex); + memcpy(buf, connector->eld, min(sizeof(connector->eld), len)); ++ mutex_unlock(&connector->eld_mutex); + + return 0; + } +-- +2.39.5 + diff --git a/queue-5.4/hid-wacom-add-pci-wacom-device-support.patch b/queue-5.4/hid-wacom-add-pci-wacom-device-support.patch new file mode 100644 index 0000000000..36abff486d --- /dev/null +++ b/queue-5.4/hid-wacom-add-pci-wacom-device-support.patch @@ -0,0 +1,46 @@ +From cb2c577648b9156a253f34053db594036a5172db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Dec 2024 09:35:27 +0800 +Subject: HID: Wacom: Add PCI Wacom device support + +From: Even Xu + +[ Upstream commit c4c123504a65583e3689b3de04a61dc5272e453a ] + +Add PCI device ID of wacom device into driver support list. + +Signed-off-by: Even Xu +Tested-by: Tatsunosuke Tobita +Reviewed-by: Ping Cheng +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/wacom_wac.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c +index 0ec75848ca805..7851cbec79dc2 100644 +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -4851,6 +4851,10 @@ static const struct wacom_features wacom_features_0x94 = + HID_DEVICE(BUS_I2C, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\ + .driver_data = (kernel_ulong_t)&wacom_features_##prod + ++#define PCI_DEVICE_WACOM(prod) \ ++ HID_DEVICE(BUS_PCI, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\ ++ .driver_data = (kernel_ulong_t)&wacom_features_##prod ++ + #define USB_DEVICE_LENOVO(prod) \ + HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, prod), \ + .driver_data = (kernel_ulong_t)&wacom_features_##prod +@@ -5020,6 +5024,7 @@ const struct hid_device_id wacom_ids[] = { + + { USB_DEVICE_WACOM(HID_ANY_ID) }, + { I2C_DEVICE_WACOM(HID_ANY_ID) }, ++ { PCI_DEVICE_WACOM(HID_ANY_ID) }, + { BT_DEVICE_WACOM(HID_ANY_ID) }, + { } + }; +-- +2.39.5 + diff --git a/queue-5.4/kvm-e500-always-restore-irqs.patch b/queue-5.4/kvm-e500-always-restore-irqs.patch new file mode 100644 index 0000000000..ad27d2d70f --- /dev/null +++ b/queue-5.4/kvm-e500-always-restore-irqs.patch @@ -0,0 +1,47 @@ +From 2cb3930e9823f06d7b4a09c7fa4ad8ca577dda41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jan 2025 10:34:44 +0100 +Subject: KVM: e500: always restore irqs + +From: Paolo Bonzini + +[ Upstream commit 87ecfdbc699cc95fac73291b52650283ddcf929d ] + +If find_linux_pte fails, IRQs will not be restored. This is unlikely +to happen in practice since it would have been reported as hanging +hosts, but it should of course be fixed anyway. + +Cc: stable@vger.kernel.org +Reported-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/e500_mmu_host.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c +index 75a9e6132db66..21648d2589a3a 100644 +--- a/arch/powerpc/kvm/e500_mmu_host.c ++++ b/arch/powerpc/kvm/e500_mmu_host.c +@@ -479,7 +479,6 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + if (pte_present(pte)) { + wimg = (pte_val(pte) >> PTE_WIMGE_SHIFT) & + MAS2_WIMGE_MASK; +- local_irq_restore(flags); + } else { + local_irq_restore(flags); + pr_err_ratelimited("%s: pte not present: gfn %lx,pfn %lx\n", +@@ -488,8 +487,9 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + goto out; + } + } +- writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg); ++ local_irq_restore(flags); + ++ writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg); + kvmppc_e500_setup_stlbe(&vcpu_e500->vcpu, gtlbe, tsize, + ref, gvaddr, stlbe); + +-- +2.39.5 + diff --git a/queue-5.4/kvm-ppc-e500-mark-struct-page-dirty-in-kvmppc_e500_s.patch b/queue-5.4/kvm-ppc-e500-mark-struct-page-dirty-in-kvmppc_e500_s.patch new file mode 100644 index 0000000000..b5f59246e0 --- /dev/null +++ b/queue-5.4/kvm-ppc-e500-mark-struct-page-dirty-in-kvmppc_e500_s.patch @@ -0,0 +1,75 @@ +From 60e35439605af017370d267d54e82a8e5685e90a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 11:23:54 -0700 +Subject: KVM: PPC: e500: Mark "struct page" dirty in kvmppc_e500_shadow_map() + +From: Sean Christopherson + +[ Upstream commit c9be85dabb376299504e0d391d15662c0edf8273 ] + +Mark the underlying page as dirty in kvmppc_e500_ref_setup()'s sole +caller, kvmppc_e500_shadow_map(), which will allow converting e500 to +__kvm_faultin_pfn() + kvm_release_faultin_page() without having to do +a weird dance between ref_setup() and shadow_map(). + +Opportunistically drop the redundant kvm_set_pfn_accessed(), as +shadow_map() puts the page via kvm_release_pfn_clean(). + +Signed-off-by: Sean Christopherson +Tested-by: Dmitry Osipenko +Signed-off-by: Paolo Bonzini +Message-ID: <20241010182427.1434605-53-seanjc@google.com> +Stable-dep-of: 87ecfdbc699c ("KVM: e500: always restore irqs") +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/e500_mmu_host.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c +index 7154bd424d243..b40d31cd44f7f 100644 +--- a/arch/powerpc/kvm/e500_mmu_host.c ++++ b/arch/powerpc/kvm/e500_mmu_host.c +@@ -242,7 +242,7 @@ static inline int tlbe_is_writable(struct kvm_book3e_206_tlb_entry *tlbe) + return tlbe->mas7_3 & (MAS3_SW|MAS3_UW); + } + +-static inline void kvmppc_e500_ref_setup(struct tlbe_ref *ref, ++static inline bool kvmppc_e500_ref_setup(struct tlbe_ref *ref, + struct kvm_book3e_206_tlb_entry *gtlbe, + kvm_pfn_t pfn, unsigned int wimg) + { +@@ -252,11 +252,7 @@ static inline void kvmppc_e500_ref_setup(struct tlbe_ref *ref, + /* Use guest supplied MAS2_G and MAS2_E */ + ref->flags |= (gtlbe->mas2 & MAS2_ATTRIB_MASK) | wimg; + +- /* Mark the page accessed */ +- kvm_set_pfn_accessed(pfn); +- +- if (tlbe_is_writable(gtlbe)) +- kvm_set_pfn_dirty(pfn); ++ return tlbe_is_writable(gtlbe); + } + + static inline void kvmppc_e500_ref_release(struct tlbe_ref *ref) +@@ -337,6 +333,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + unsigned int wimg = 0; + pgd_t *pgdir; + unsigned long flags; ++ bool writable = false; + + /* used to check for invalidations in progress */ + mmu_seq = kvm->mmu_notifier_seq; +@@ -490,7 +487,9 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + goto out; + } + } +- kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg); ++ writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg); ++ if (writable) ++ kvm_set_pfn_dirty(pfn); + + kvmppc_e500_setup_stlbe(&vcpu_e500->vcpu, gtlbe, tsize, + ref, gvaddr, stlbe); +-- +2.39.5 + diff --git a/queue-5.4/kvm-ppc-e500-mark-struct-page-pfn-accessed-before-dr.patch b/queue-5.4/kvm-ppc-e500-mark-struct-page-pfn-accessed-before-dr.patch new file mode 100644 index 0000000000..13b6454daf --- /dev/null +++ b/queue-5.4/kvm-ppc-e500-mark-struct-page-pfn-accessed-before-dr.patch @@ -0,0 +1,46 @@ +From 2816dd4eaca5820f3b1b03238cfb205b0778c159 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 11:23:55 -0700 +Subject: KVM: PPC: e500: Mark "struct page" pfn accessed before dropping + mmu_lock + +From: Sean Christopherson + +[ Upstream commit 84cf78dcd9d65c45ab73998d4ad50f433d53fb93 ] + +Mark pages accessed before dropping mmu_lock when faulting in guest memory +so that shadow_map() can convert to kvm_release_faultin_page() without +tripping its lockdep assertion on mmu_lock being held. Marking pages +accessed outside of mmu_lock is ok (not great, but safe), but marking +pages _dirty_ outside of mmu_lock can make filesystems unhappy. + +Signed-off-by: Sean Christopherson +Tested-by: Dmitry Osipenko +Signed-off-by: Paolo Bonzini +Message-ID: <20241010182427.1434605-54-seanjc@google.com> +Stable-dep-of: 87ecfdbc699c ("KVM: e500: always restore irqs") +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/e500_mmu_host.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c +index b40d31cd44f7f..80f0b30abc74c 100644 +--- a/arch/powerpc/kvm/e500_mmu_host.c ++++ b/arch/powerpc/kvm/e500_mmu_host.c +@@ -498,11 +498,9 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + kvmppc_mmu_flush_icache(pfn); + + out: +- spin_unlock(&kvm->mmu_lock); +- + /* Drop refcount on page, so that mmu notifiers can clear it */ + kvm_release_pfn_clean(pfn); +- ++ spin_unlock(&kvm->mmu_lock); + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.4/kvm-ppc-e500-use-__kvm_faultin_pfn-to-handle-page-fa.patch b/queue-5.4/kvm-ppc-e500-use-__kvm_faultin_pfn-to-handle-page-fa.patch new file mode 100644 index 0000000000..c37ebd5d88 --- /dev/null +++ b/queue-5.4/kvm-ppc-e500-use-__kvm_faultin_pfn-to-handle-page-fa.patch @@ -0,0 +1,66 @@ +From 5ad6ec904ff0ce46f300f73476e9c49aa78cac99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 11:23:56 -0700 +Subject: KVM: PPC: e500: Use __kvm_faultin_pfn() to handle page faults + +From: Sean Christopherson + +[ Upstream commit 419cfb983ca93e75e905794521afefcfa07988bb ] + +Convert PPC e500 to use __kvm_faultin_pfn()+kvm_release_faultin_page(), +and continue the inexorable march towards the demise of +kvm_pfn_to_refcounted_page(). + +Signed-off-by: Sean Christopherson +Tested-by: Dmitry Osipenko +Signed-off-by: Paolo Bonzini +Message-ID: <20241010182427.1434605-55-seanjc@google.com> +Stable-dep-of: 87ecfdbc699c ("KVM: e500: always restore irqs") +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/e500_mmu_host.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c +index 80f0b30abc74c..75a9e6132db66 100644 +--- a/arch/powerpc/kvm/e500_mmu_host.c ++++ b/arch/powerpc/kvm/e500_mmu_host.c +@@ -322,6 +322,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + { + struct kvm_memory_slot *slot; + unsigned long pfn = 0; /* silence GCC warning */ ++ struct page *page = NULL; + unsigned long hva; + int pfnmap = 0; + int tsize = BOOK3E_PAGESZ_4K; +@@ -443,7 +444,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + + if (likely(!pfnmap)) { + tsize_pages = 1UL << (tsize + 10 - PAGE_SHIFT); +- pfn = gfn_to_pfn_memslot(slot, gfn); ++ pfn = __kvm_faultin_pfn(slot, gfn, FOLL_WRITE, NULL, &page); + if (is_error_noslot_pfn(pfn)) { + if (printk_ratelimit()) + pr_err("%s: real page not found for gfn %lx\n", +@@ -488,8 +489,6 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + } + } + writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg); +- if (writable) +- kvm_set_pfn_dirty(pfn); + + kvmppc_e500_setup_stlbe(&vcpu_e500->vcpu, gtlbe, tsize, + ref, gvaddr, stlbe); +@@ -498,8 +497,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500, + kvmppc_mmu_flush_icache(pfn); + + out: +- /* Drop refcount on page, so that mmu notifiers can clear it */ +- kvm_release_pfn_clean(pfn); ++ kvm_release_faultin_page(kvm, page, !!ret, writable); + spin_unlock(&kvm->mmu_lock); + return ret; + } +-- +2.39.5 + diff --git a/queue-5.4/mfd-lpc_ich-add-another-gemini-lake-isa-bridge-pci-d.patch b/queue-5.4/mfd-lpc_ich-add-another-gemini-lake-isa-bridge-pci-d.patch new file mode 100644 index 0000000000..7355abe8fe --- /dev/null +++ b/queue-5.4/mfd-lpc_ich-add-another-gemini-lake-isa-bridge-pci-d.patch @@ -0,0 +1,42 @@ +From 9ae96063226f4b9bd0fc4e065618a7b673a9c261 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2024 20:38:08 +0100 +Subject: mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id + +From: Hans de Goede + +[ Upstream commit 1e89d21f8189d286f80b900e1b7cf57cb1f3037e ] + +On N4100 / N4120 Gemini Lake SoCs the ISA bridge PCI device-id is 31e8 +rather the 3197 found on e.g. the N4000 / N4020. + +While at fix the existing GLK PCI-id table entry breaking the table +being sorted by device-id. + +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20241114193808.110132-1-hdegoede@redhat.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/lpc_ich.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/lpc_ich.c b/drivers/mfd/lpc_ich.c +index 3bbb29a7e7a57..d5a3c1923c0af 100644 +--- a/drivers/mfd/lpc_ich.c ++++ b/drivers/mfd/lpc_ich.c +@@ -685,8 +685,9 @@ static const struct pci_device_id lpc_ich_ids[] = { + { PCI_VDEVICE(INTEL, 0x2917), LPC_ICH9ME}, + { PCI_VDEVICE(INTEL, 0x2918), LPC_ICH9}, + { PCI_VDEVICE(INTEL, 0x2919), LPC_ICH9M}, +- { PCI_VDEVICE(INTEL, 0x3197), LPC_GLK}, + { PCI_VDEVICE(INTEL, 0x2b9c), LPC_COUGARMOUNTAIN}, ++ { PCI_VDEVICE(INTEL, 0x3197), LPC_GLK}, ++ { PCI_VDEVICE(INTEL, 0x31e8), LPC_GLK}, + { PCI_VDEVICE(INTEL, 0x3a14), LPC_ICH10DO}, + { PCI_VDEVICE(INTEL, 0x3a16), LPC_ICH10R}, + { PCI_VDEVICE(INTEL, 0x3a18), LPC_ICH10}, +-- +2.39.5 + diff --git a/queue-5.4/mmc-core-respect-quirk_max_rate-for-non-uhs-sdio-car.patch b/queue-5.4/mmc-core-respect-quirk_max_rate-for-non-uhs-sdio-car.patch new file mode 100644 index 0000000000..1abbd0375f --- /dev/null +++ b/queue-5.4/mmc-core-respect-quirk_max_rate-for-non-uhs-sdio-car.patch @@ -0,0 +1,37 @@ +From 3edb26c01e8f8599cf5d922664665fd7ae5f7a96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 17:37:22 +0800 +Subject: mmc: core: Respect quirk_max_rate for non-UHS SDIO card + +From: Shawn Lin + +[ Upstream commit a2a44f8da29352f76c99c6904ee652911b8dc7dd ] + +The card-quirk was added to limit the clock-rate for a card with UHS-mode +support, although let's respect the quirk for non-UHS mode too, to make the +behaviour consistent. + +Signed-off-by: Shawn Lin +Message-ID: <1732268242-72799-1-git-send-email-shawn.lin@rock-chips.com> +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/sdio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mmc/core/sdio.c b/drivers/mmc/core/sdio.c +index e614fd82a32a4..2362a70460f1c 100644 +--- a/drivers/mmc/core/sdio.c ++++ b/drivers/mmc/core/sdio.c +@@ -379,6 +379,8 @@ static unsigned mmc_sdio_get_max_clock(struct mmc_card *card) + if (card->type == MMC_TYPE_SD_COMBO) + max_dtr = min(max_dtr, mmc_sd_get_max_clock(card)); + ++ max_dtr = min_not_zero(max_dtr, card->quirk_max_rate); ++ + return max_dtr; + } + +-- +2.39.5 + diff --git a/queue-5.4/net-usb-rtl8150-enable-basic-endpoint-checking.patch b/queue-5.4/net-usb-rtl8150-enable-basic-endpoint-checking.patch new file mode 100644 index 0000000000..2af7ae5287 --- /dev/null +++ b/queue-5.4/net-usb-rtl8150-enable-basic-endpoint-checking.patch @@ -0,0 +1,121 @@ +From b32ecbce5a2721e8bf6f826ef2e3f846eec65407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2025 01:30:20 -0800 +Subject: net: usb: rtl8150: enable basic endpoint checking + +From: Nikita Zhandarovich + +[ Upstream commit 90b7f2961798793275b4844348619b622f983907 ] + +Syzkaller reports [1] encountering a common issue of utilizing a wrong +usb endpoint type during URB submitting stage. This, in turn, triggers +a warning shown below. + +For now, enable simple endpoint checking (specifically, bulk and +interrupt eps, testing control one is not essential) to mitigate +the issue with a view to do other related cosmetic changes later, +if they are necessary. + +[1] Syzkaller report: +usb 1-1: BOGUS urb xfer, pipe 3 != type 1 +WARNING: CPU: 1 PID: 2586 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 driv> +Modules linked in: +CPU: 1 UID: 0 PID: 2586 Comm: dhcpcd Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb11617> +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 +Code: 84 3c 02 00 00 e8 05 e4 fc fc 4c 89 ef e8 fd 25 d7 fe 45 89 e0 89 e9 4c 89 f2 48 8> +RSP: 0018:ffffc9000441f740 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffff888112487a00 RCX: ffffffff811a99a9 +RDX: ffff88810df6ba80 RSI: ffffffff811a99b6 RDI: 0000000000000001 +RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001 +R13: ffff8881023bf0a8 R14: ffff888112452a20 R15: ffff888112487a7c +FS: 00007fc04eea5740(0000) GS:ffff8881f6300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f0a1de9f870 CR3: 000000010dbd0000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + rtl8150_open+0x300/0xe30 drivers/net/usb/rtl8150.c:733 + __dev_open+0x2d4/0x4e0 net/core/dev.c:1474 + __dev_change_flags+0x561/0x720 net/core/dev.c:8838 + dev_change_flags+0x8f/0x160 net/core/dev.c:8910 + devinet_ioctl+0x127a/0x1f10 net/ipv4/devinet.c:1177 + inet_ioctl+0x3aa/0x3f0 net/ipv4/af_inet.c:1003 + sock_do_ioctl+0x116/0x280 net/socket.c:1222 + sock_ioctl+0x22e/0x6c0 net/socket.c:1341 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl fs/ioctl.c:893 [inline] + __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fc04ef73d49 +... + +This change has not been tested on real hardware. + +Reported-and-tested-by: syzbot+d7e968426f644b567e31@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=d7e968426f644b567e31 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Nikita Zhandarovich +Link: https://patch.msgid.link/20250124093020.234642-1-n.zhandarovich@fintech.ru +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/rtl8150.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c +index cbadb53bac441..3829b7eb3fc90 100644 +--- a/drivers/net/usb/rtl8150.c ++++ b/drivers/net/usb/rtl8150.c +@@ -71,6 +71,14 @@ + #define MSR_SPEED (1<<3) + #define MSR_LINK (1<<2) + ++/* USB endpoints */ ++enum rtl8150_usb_ep { ++ RTL8150_USB_EP_CONTROL = 0, ++ RTL8150_USB_EP_BULK_IN = 1, ++ RTL8150_USB_EP_BULK_OUT = 2, ++ RTL8150_USB_EP_INT_IN = 3, ++}; ++ + /* Interrupt pipe data */ + #define INT_TSR 0x00 + #define INT_RSR 0x01 +@@ -886,6 +894,13 @@ static int rtl8150_probe(struct usb_interface *intf, + struct usb_device *udev = interface_to_usbdev(intf); + rtl8150_t *dev; + struct net_device *netdev; ++ static const u8 bulk_ep_addr[] = { ++ RTL8150_USB_EP_BULK_IN | USB_DIR_IN, ++ RTL8150_USB_EP_BULK_OUT | USB_DIR_OUT, ++ 0}; ++ static const u8 int_ep_addr[] = { ++ RTL8150_USB_EP_INT_IN | USB_DIR_IN, ++ 0}; + + netdev = alloc_etherdev(sizeof(rtl8150_t)); + if (!netdev) +@@ -899,6 +914,13 @@ static int rtl8150_probe(struct usb_interface *intf, + return -ENOMEM; + } + ++ /* Verify that all required endpoints are present */ ++ if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || ++ !usb_check_int_endpoints(intf, int_ep_addr)) { ++ dev_err(&intf->dev, "couldn't find required endpoints\n"); ++ goto out; ++ } ++ + tasklet_setup(&dev->tl, rx_fixup); + spin_lock_init(&dev->rx_pool_lock); + +-- +2.39.5 + diff --git a/queue-5.4/net-usb-rtl8150-use-new-tasklet-api.patch b/queue-5.4/net-usb-rtl8150-use-new-tasklet-api.patch new file mode 100644 index 0000000000..2432ae4985 --- /dev/null +++ b/queue-5.4/net-usb-rtl8150-use-new-tasklet-api.patch @@ -0,0 +1,48 @@ +From 6bde21625c3bac111f41cd4b6613b04ecc531d36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jan 2021 00:47:30 +0100 +Subject: net: usb: rtl8150: use new tasklet API + +From: Emil Renner Berthing + +[ Upstream commit 1999ad32d4ff00581007543adffc465694b2e77b ] + +This converts the driver to use the new tasklet API introduced in +commit 12cc923f1ccc ("tasklet: Introduce new initialization API") + +Signed-off-by: Emil Renner Berthing +Signed-off-by: Jakub Kicinski +Stable-dep-of: 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking") +Signed-off-by: Sasha Levin +--- + drivers/net/usb/rtl8150.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c +index 387091cb91340..cbadb53bac441 100644 +--- a/drivers/net/usb/rtl8150.c ++++ b/drivers/net/usb/rtl8150.c +@@ -597,9 +597,9 @@ static void free_skb_pool(rtl8150_t *dev) + dev_kfree_skb(dev->rx_skb_pool[i]); + } + +-static void rx_fixup(unsigned long data) ++static void rx_fixup(struct tasklet_struct *t) + { +- struct rtl8150 *dev = (struct rtl8150 *)data; ++ struct rtl8150 *dev = from_tasklet(dev, t, tl); + struct sk_buff *skb; + int status; + +@@ -899,7 +899,7 @@ static int rtl8150_probe(struct usb_interface *intf, + return -ENOMEM; + } + +- tasklet_init(&dev->tl, rx_fixup, (unsigned long)dev); ++ tasklet_setup(&dev->tl, rx_fixup); + spin_lock_init(&dev->rx_pool_lock); + + dev->udev = udev; +-- +2.39.5 + diff --git a/queue-5.4/printk-fix-signed-integer-overflow-when-defining-log.patch b/queue-5.4/printk-fix-signed-integer-overflow-when-defining-log.patch new file mode 100644 index 0000000000..25712648de --- /dev/null +++ b/queue-5.4/printk-fix-signed-integer-overflow-when-defining-log.patch @@ -0,0 +1,41 @@ +From c8bf2154acac3b61294a7d069575b67fbeaecfcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Sep 2024 19:36:08 +0800 +Subject: printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX + +From: Kuan-Wei Chiu + +[ Upstream commit 3d6f83df8ff2d5de84b50377e4f0d45e25311c7a ] + +Shifting 1 << 31 on a 32-bit int causes signed integer overflow, which +leads to undefined behavior. To prevent this, cast 1 to u32 before +performing the shift, ensuring well-defined behavior. + +This change explicitly avoids any potential overflow by ensuring that +the shift occurs on an unsigned 32-bit integer. + +Signed-off-by: Kuan-Wei Chiu +Acked-by: Petr Mladek +Link: https://lore.kernel.org/r/20240928113608.1438087-1-visitorckw@gmail.com +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index ae1a97dd0c3cb..f6e1e154d9c18 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -457,7 +457,7 @@ static u32 clear_idx; + /* record buffer */ + #define LOG_ALIGN __alignof__(struct printk_log) + #define __LOG_BUF_LEN (1 << CONFIG_LOG_BUF_SHIFT) +-#define LOG_BUF_LEN_MAX (u32)(1 << 31) ++#define LOG_BUF_LEN_MAX ((u32)1 << 31) + static char __log_buf[__LOG_BUF_LEN] __aligned(LOG_ALIGN); + static char *log_buf = __log_buf; + static u32 log_buf_len = __LOG_BUF_LEN; +-- +2.39.5 + diff --git a/queue-5.4/sched-don-t-try-to-catch-up-excess-steal-time.patch b/queue-5.4/sched-don-t-try-to-catch-up-excess-steal-time.patch new file mode 100644 index 0000000000..945bf63a05 --- /dev/null +++ b/queue-5.4/sched-don-t-try-to-catch-up-excess-steal-time.patch @@ -0,0 +1,76 @@ +From 445efa5ebd9786d40b909189e4ec3391efedffe3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2024 13:37:45 +0900 +Subject: sched: Don't try to catch up excess steal time. + +From: Suleiman Souhlal + +[ Upstream commit 108ad0999085df2366dd9ef437573955cb3f5586 ] + +When steal time exceeds the measured delta when updating clock_task, we +currently try to catch up the excess in future updates. +However, this results in inaccurate run times for the future things using +clock_task, in some situations, as they end up getting additional steal +time that did not actually happen. +This is because there is a window between reading the elapsed time in +update_rq_clock() and sampling the steal time in update_rq_clock_task(). +If the VCPU gets preempted between those two points, any additional +steal time is accounted to the outgoing task even though the calculated +delta did not actually contain any of that "stolen" time. +When this race happens, we can end up with steal time that exceeds the +calculated delta, and the previous code would try to catch up that excess +steal time in future clock updates, which is given to the next, +incoming task, even though it did not actually have any time stolen. + +This behavior is particularly bad when steal time can be very long, +which we've seen when trying to extend steal time to contain the duration +that the host was suspended [0]. When this happens, clock_task stays +frozen, during which the running task stays running for the whole +duration, since its run time doesn't increase. +However the race can happen even under normal operation. + +Ideally we would read the elapsed cpu time and the steal time atomically, +to prevent this race from happening in the first place, but doing so +is non-trivial. + +Since the time between those two points isn't otherwise accounted anywhere, +neither to the outgoing task nor the incoming task (because the "end of +outgoing task" and "start of incoming task" timestamps are the same), +I would argue that the right thing to do is to simply drop any excess steal +time, in order to prevent these issues. + +[0] https://lore.kernel.org/kvm/20240820043543.837914-1-suleiman@google.com/ + +Signed-off-by: Suleiman Souhlal +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20241118043745.1857272-1-suleiman@google.com +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 51ac62637e4ed..39ce8a3d8c573 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -176,13 +176,15 @@ static void update_rq_clock_task(struct rq *rq, s64 delta) + #endif + #ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING + if (static_key_false((¶virt_steal_rq_enabled))) { +- steal = paravirt_steal_clock(cpu_of(rq)); ++ u64 prev_steal; ++ ++ steal = prev_steal = paravirt_steal_clock(cpu_of(rq)); + steal -= rq->prev_steal_time_rq; + + if (unlikely(steal > delta)) + steal = delta; + +- rq->prev_steal_time_rq += steal; ++ rq->prev_steal_time_rq = prev_steal; + delta -= steal; + } + #endif +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index 9b76c24d0f..ae64bf4692 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -77,3 +77,25 @@ hid-core-fix-assumption-that-resolution-multipliers-must-be-in-logical-collectio media-uvcvideo-fix-double-free-in-error-path.patch usb-gadget-f_tcm-don-t-free-command-immediately.patch btrfs-output-the-reason-for-open_ctree-failure.patch +btrfs-fix-use-after-free-when-attempting-to-join-an-.patch +btrfs-convert-bug_on-in-btrfs_reloc_cow_block-to-pro.patch +sched-don-t-try-to-catch-up-excess-steal-time.patch +x86-amd_nb-restrict-init-function-to-amd-based-syste.patch +printk-fix-signed-integer-overflow-when-defining-log.patch +drm-sti-hdmi-use-eld_mutex-to-protect-access-to-conn.patch +tun-fix-group-permission-check.patch +mmc-core-respect-quirk_max_rate-for-non-uhs-sdio-car.patch +wifi-brcmsmac-add-gain-range-check-to-wlc_phy_iqcal_.patch +tomoyo-don-t-emit-warning-in-tomoyo_write_control.patch +mfd-lpc_ich-add-another-gemini-lake-isa-bridge-pci-d.patch +hid-wacom-add-pci-wacom-device-support.patch +apei-ghes-have-ghes-honor-the-panic-setting.patch +kvm-ppc-e500-mark-struct-page-dirty-in-kvmppc_e500_s.patch +kvm-ppc-e500-mark-struct-page-pfn-accessed-before-dr.patch +kvm-ppc-e500-use-__kvm_faultin_pfn-to-handle-page-fa.patch +kvm-e500-always-restore-irqs.patch +tasklet-introduce-new-initialization-api.patch +net-usb-rtl8150-use-new-tasklet-api.patch +net-usb-rtl8150-enable-basic-endpoint-checking.patch +usb-xhci-add-timeout-argument-in-address_device-usb-.patch +usb-xhci-fix-null-pointer-dereference-on-certain-com.patch diff --git a/queue-5.4/tasklet-introduce-new-initialization-api.patch b/queue-5.4/tasklet-introduce-new-initialization-api.patch new file mode 100644 index 0000000000..f1eae67eaa --- /dev/null +++ b/queue-5.4/tasklet-introduce-new-initialization-api.patch @@ -0,0 +1,158 @@ +From be070df934703d1cb5c7e2a7ea7cb1a49f11834a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Sep 2019 18:30:13 +0200 +Subject: tasklet: Introduce new initialization API + +From: Romain Perier + +[ Upstream commit 12cc923f1ccc1df467e046b02a72c2b3b321b6a2 ] + +Nowadays, modern kernel subsystems that use callbacks pass the data +structure associated with a given callback as argument to the callback. +The tasklet subsystem remains one which passes an arbitrary unsigned +long to the callback function. This has several problems: + +- This keeps an extra field for storing the argument in each tasklet + data structure, it bloats the tasklet_struct structure with a redundant + .data field + +- No type checking can be performed on this argument. Instead of + using container_of() like other callback subsystems, it forces callbacks + to do explicit type cast of the unsigned long argument into the required + object type. + +- Buffer overflows can overwrite the .func and the .data field, so + an attacker can easily overwrite the function and its first argument + to whatever it wants. + +Add a new tasklet initialization API, via DECLARE_TASKLET() and +tasklet_setup(), which will replace the existing ones. + +This work is greatly inspired by the timer_struct conversion series, +see commit e99e88a9d2b0 ("treewide: setup_timer() -> timer_setup()") + +To avoid problems with both -Wcast-function-type (which is enabled in +the kernel via -Wextra is several subsystems), and with mismatched +function prototypes when build with Control Flow Integrity enabled, +this adds the "use_callback" member to let the tasklet caller choose +which union member to call through. Once all old API uses are removed, +this and the .data member will be removed as well. (On 64-bit this does +not grow the struct size as the new member fills the hole after atomic_t, +which is also "int" sized.) + +Signed-off-by: Romain Perier +Co-developed-by: Allen Pais +Signed-off-by: Allen Pais +Reviewed-by: Greg Kroah-Hartman +Acked-by: Thomas Gleixner +Co-developed-by: Kees Cook +Signed-off-by: Kees Cook +Stable-dep-of: 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking") +Signed-off-by: Sasha Levin +--- + include/linux/interrupt.h | 28 +++++++++++++++++++++++++++- + kernel/softirq.c | 18 +++++++++++++++++- + 2 files changed, 44 insertions(+), 2 deletions(-) + +diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h +index 01517747214a4..b70a35b97210d 100644 +--- a/include/linux/interrupt.h ++++ b/include/linux/interrupt.h +@@ -575,6 +575,9 @@ static inline struct task_struct *this_cpu_ksoftirqd(void) + + /* Tasklets --- multithreaded analogue of BHs. + ++ This API is deprecated. Please consider using threaded IRQs instead: ++ https://lore.kernel.org/lkml/20200716081538.2sivhkj4hcyrusem@linutronix.de ++ + Main feature differing them of generic softirqs: tasklet + is running only on one CPU simultaneously. + +@@ -598,10 +601,31 @@ struct tasklet_struct + struct tasklet_struct *next; + unsigned long state; + atomic_t count; +- void (*func)(unsigned long); ++ bool use_callback; ++ union { ++ void (*func)(unsigned long data); ++ void (*callback)(struct tasklet_struct *t); ++ }; + unsigned long data; + }; + ++#define DECLARE_TASKLET(name, _callback) \ ++struct tasklet_struct name = { \ ++ .count = ATOMIC_INIT(0), \ ++ .callback = _callback, \ ++ .use_callback = true, \ ++} ++ ++#define DECLARE_TASKLET_DISABLED(name, _callback) \ ++struct tasklet_struct name = { \ ++ .count = ATOMIC_INIT(1), \ ++ .callback = _callback, \ ++ .use_callback = true, \ ++} ++ ++#define from_tasklet(var, callback_tasklet, tasklet_fieldname) \ ++ container_of(callback_tasklet, typeof(*var), tasklet_fieldname) ++ + #define DECLARE_TASKLET_OLD(name, _func) \ + struct tasklet_struct name = { \ + .count = ATOMIC_INIT(0), \ +@@ -681,6 +705,8 @@ extern void tasklet_kill(struct tasklet_struct *t); + extern void tasklet_kill_immediate(struct tasklet_struct *t, unsigned int cpu); + extern void tasklet_init(struct tasklet_struct *t, + void (*func)(unsigned long), unsigned long data); ++extern void tasklet_setup(struct tasklet_struct *t, ++ void (*callback)(struct tasklet_struct *)); + + /* + * Autoprobing for irqs: +diff --git a/kernel/softirq.c b/kernel/softirq.c +index 0427a86743a46..c5518b39cb4e5 100644 +--- a/kernel/softirq.c ++++ b/kernel/softirq.c +@@ -520,7 +520,10 @@ static void tasklet_action_common(struct softirq_action *a, + if (!test_and_clear_bit(TASKLET_STATE_SCHED, + &t->state)) + BUG(); +- t->func(t->data); ++ if (t->use_callback) ++ t->callback(t); ++ else ++ t->func(t->data); + tasklet_unlock(t); + continue; + } +@@ -546,6 +549,18 @@ static __latent_entropy void tasklet_hi_action(struct softirq_action *a) + tasklet_action_common(a, this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ); + } + ++void tasklet_setup(struct tasklet_struct *t, ++ void (*callback)(struct tasklet_struct *)) ++{ ++ t->next = NULL; ++ t->state = 0; ++ atomic_set(&t->count, 0); ++ t->callback = callback; ++ t->use_callback = true; ++ t->data = 0; ++} ++EXPORT_SYMBOL(tasklet_setup); ++ + void tasklet_init(struct tasklet_struct *t, + void (*func)(unsigned long), unsigned long data) + { +@@ -553,6 +568,7 @@ void tasklet_init(struct tasklet_struct *t, + t->state = 0; + atomic_set(&t->count, 0); + t->func = func; ++ t->use_callback = false; + t->data = data; + } + EXPORT_SYMBOL(tasklet_init); +-- +2.39.5 + diff --git a/queue-5.4/tomoyo-don-t-emit-warning-in-tomoyo_write_control.patch b/queue-5.4/tomoyo-don-t-emit-warning-in-tomoyo_write_control.patch new file mode 100644 index 0000000000..1ac3847045 --- /dev/null +++ b/queue-5.4/tomoyo-don-t-emit-warning-in-tomoyo_write_control.patch @@ -0,0 +1,46 @@ +From f0f0d215ac36624f3cb58d35b5490bcd1f7a1aaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2024 19:38:40 +0900 +Subject: tomoyo: don't emit warning in tomoyo_write_control() + +From: Tetsuo Handa + +[ Upstream commit 3df7546fc03b8f004eee0b9e3256369f7d096685 ] + +syzbot is reporting too large allocation warning at tomoyo_write_control(), +for one can write a very very long line without new line character. To fix +this warning, I use __GFP_NOWARN rather than checking for KMALLOC_MAX_SIZE, +for practically a valid line should be always shorter than 32KB where the +"too small to fail" memory-allocation rule applies. + +One might try to write a valid line that is longer than 32KB, but such +request will likely fail with -ENOMEM. Therefore, I feel that separately +returning -EINVAL when a line is longer than KMALLOC_MAX_SIZE is redundant. +There is no need to distinguish over-32KB and over-KMALLOC_MAX_SIZE. + +Reported-by: syzbot+7536f77535e5210a5c76@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7536f77535e5210a5c76 +Reported-by: Leo Stone +Closes: https://lkml.kernel.org/r/20241216021459.178759-2-leocstone@gmail.com +Signed-off-by: Tetsuo Handa +Signed-off-by: Sasha Levin +--- + security/tomoyo/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c +index 1b467381986f7..360cf2960f349 100644 +--- a/security/tomoyo/common.c ++++ b/security/tomoyo/common.c +@@ -2674,7 +2674,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, + + if (head->w.avail >= head->writebuf_size - 1) { + const int len = head->writebuf_size * 2; +- char *cp = kzalloc(len, GFP_NOFS); ++ char *cp = kzalloc(len, GFP_NOFS | __GFP_NOWARN); + + if (!cp) { + error = -ENOMEM; +-- +2.39.5 + diff --git a/queue-5.4/tun-fix-group-permission-check.patch b/queue-5.4/tun-fix-group-permission-check.patch new file mode 100644 index 0000000000..115a5f8a05 --- /dev/null +++ b/queue-5.4/tun-fix-group-permission-check.patch @@ -0,0 +1,72 @@ +From 7d3f4dfe985c50e1fc87f76bd1fd760c51b35d7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 10:36:14 +0300 +Subject: tun: fix group permission check + +From: Stas Sergeev + +[ Upstream commit 3ca459eaba1bf96a8c7878de84fa8872259a01e3 ] + +Currently tun checks the group permission even if the user have matched. +Besides going against the usual permission semantic, this has a +very interesting implication: if the tun group is not among the +supplementary groups of the tun user, then effectively no one can +access the tun device. CAP_SYS_ADMIN still can, but its the same as +not setting the tun ownership. + +This patch relaxes the group checking so that either the user match +or the group match is enough. This avoids the situation when no one +can access the device even though the ownership is properly set. + +Also I simplified the logic by removing the redundant inversions: +tun_not_capable() --> !tun_capable() + +Signed-off-by: Stas Sergeev +Reviewed-by: Willem de Bruijn +Acked-by: Jason Wang +Link: https://patch.msgid.link/20241205073614.294773-1-stsp2@yandex.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 0adce9bf7a1e5..87cc7d778c3cf 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -636,14 +636,18 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb, + return ret; + } + +-static inline bool tun_not_capable(struct tun_struct *tun) ++static inline bool tun_capable(struct tun_struct *tun) + { + const struct cred *cred = current_cred(); + struct net *net = dev_net(tun->dev); + +- return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) || +- (gid_valid(tun->group) && !in_egroup_p(tun->group))) && +- !ns_capable(net->user_ns, CAP_NET_ADMIN); ++ if (ns_capable(net->user_ns, CAP_NET_ADMIN)) ++ return 1; ++ if (uid_valid(tun->owner) && uid_eq(cred->euid, tun->owner)) ++ return 1; ++ if (gid_valid(tun->group) && in_egroup_p(tun->group)) ++ return 1; ++ return 0; + } + + static void tun_set_real_num_queues(struct tun_struct *tun) +@@ -2838,7 +2842,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) + !!(tun->flags & IFF_MULTI_QUEUE)) + return -EINVAL; + +- if (tun_not_capable(tun)) ++ if (!tun_capable(tun)) + return -EPERM; + err = security_tun_dev_open(tun->security); + if (err < 0) +-- +2.39.5 + diff --git a/queue-5.4/usb-xhci-add-timeout-argument-in-address_device-usb-.patch b/queue-5.4/usb-xhci-add-timeout-argument-in-address_device-usb-.patch new file mode 100644 index 0000000000..d870661021 --- /dev/null +++ b/queue-5.4/usb-xhci-add-timeout-argument-in-address_device-usb-.patch @@ -0,0 +1,206 @@ +From 8b85b95d2bee332e72269d6a181af5787a671083 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Oct 2023 17:20:28 +0200 +Subject: usb: xhci: Add timeout argument in address_device USB HCD callback + +From: Hardik Gajjar + +[ Upstream commit a769154c7cac037914ba375ae88aae55b2c853e0 ] + +- The HCD address_device callback now accepts a user-defined timeout value + in milliseconds, providing better control over command execution times. +- The default timeout value for the address_device command has been set + to 5000 ms, aligning with the USB 3.2 specification. However, this + timeout can be adjusted as needed. +- The xhci_setup_device function has been updated to accept the timeout + value, allowing it to specify the maximum wait time for the command + operation to complete. +- The hub driver has also been updated to accommodate the newly added + timeout parameter during the SET_ADDRESS request. + +Signed-off-by: Hardik Gajjar +Reviewed-by: Mathias Nyman +Link: https://lore.kernel.org/r/20231027152029.104363-1-hgajjar@de.adit-jv.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 1e0a19912adb ("usb: xhci: Fix NULL pointer dereference on certain command aborts") +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hub.c | 2 +- + drivers/usb/host/xhci-mem.c | 2 ++ + drivers/usb/host/xhci-ring.c | 11 ++++++----- + drivers/usb/host/xhci.c | 23 ++++++++++++++++------- + drivers/usb/host/xhci.h | 9 +++++++-- + include/linux/usb/hcd.h | 5 +++-- + 6 files changed, 35 insertions(+), 17 deletions(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 686a75c375912..8b21fc44cb344 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -4551,7 +4551,7 @@ static int hub_set_address(struct usb_device *udev, int devnum) + if (udev->state != USB_STATE_DEFAULT) + return -EINVAL; + if (hcd->driver->address_device) +- retval = hcd->driver->address_device(hcd, udev); ++ retval = hcd->driver->address_device(hcd, udev, USB_CTRL_SET_TIMEOUT); + else + retval = usb_control_msg(udev, usb_sndaddr0pipe(), + USB_REQ_SET_ADDRESS, 0, devnum, 0, +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index b3ee977fab997..610190bf62da4 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1766,6 +1766,8 @@ struct xhci_command *xhci_alloc_command(struct xhci_hcd *xhci, + } + + command->status = 0; ++ /* set default timeout to 5000 ms */ ++ command->timeout_ms = XHCI_CMD_DEFAULT_TIMEOUT; + INIT_LIST_HEAD(&command->cmd_list); + return command; + } +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 086c567ca7d02..a37b55b2e31f4 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -285,9 +285,10 @@ void xhci_ring_cmd_db(struct xhci_hcd *xhci) + readl(&xhci->dba->doorbell[0]); + } + +-static bool xhci_mod_cmd_timer(struct xhci_hcd *xhci, unsigned long delay) ++static bool xhci_mod_cmd_timer(struct xhci_hcd *xhci) + { +- return mod_delayed_work(system_wq, &xhci->cmd_timer, delay); ++ return mod_delayed_work(system_wq, &xhci->cmd_timer, ++ msecs_to_jiffies(xhci->current_cmd->timeout_ms)); + } + + static struct xhci_command *xhci_next_queued_cmd(struct xhci_hcd *xhci) +@@ -331,7 +332,7 @@ static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci, + if ((xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue) && + !(xhci->xhc_state & XHCI_STATE_DYING)) { + xhci->current_cmd = cur_cmd; +- xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT); ++ xhci_mod_cmd_timer(xhci); + xhci_ring_cmd_db(xhci); + } + } +@@ -1561,7 +1562,7 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, + if (!list_is_singular(&xhci->cmd_list)) { + xhci->current_cmd = list_first_entry(&cmd->cmd_list, + struct xhci_command, cmd_list); +- xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT); ++ xhci_mod_cmd_timer(xhci); + } else if (xhci->current_cmd == cmd) { + xhci->current_cmd = NULL; + } +@@ -4096,7 +4097,7 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd, + /* if there are no other commands queued we start the timeout timer */ + if (list_empty(&xhci->cmd_list)) { + xhci->current_cmd = cmd; +- xhci_mod_cmd_timer(xhci, XHCI_CMD_DEFAULT_TIMEOUT); ++ xhci_mod_cmd_timer(xhci); + } + + list_add_tail(&cmd->cmd_list, &xhci->cmd_list); +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index dfc406be08563..3383d7f0c88fb 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4105,12 +4105,18 @@ int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev) + return 0; + } + +-/* +- * Issue an Address Device command and optionally send a corresponding +- * SetAddress request to the device. ++/** ++ * xhci_setup_device - issues an Address Device command to assign a unique ++ * USB bus address. ++ * @hcd: USB host controller data structure. ++ * @udev: USB dev structure representing the connected device. ++ * @setup: Enum specifying setup mode: address only or with context. ++ * @timeout_ms: Max wait time (ms) for the command operation to complete. ++ * ++ * Return: 0 if successful; otherwise, negative error code. + */ + static int xhci_setup_device(struct usb_hcd *hcd, struct usb_device *udev, +- enum xhci_setup_dev setup) ++ enum xhci_setup_dev setup, unsigned int timeout_ms) + { + const char *act = setup == SETUP_CONTEXT_ONLY ? "context" : "address"; + unsigned long flags; +@@ -4167,6 +4173,7 @@ static int xhci_setup_device(struct usb_hcd *hcd, struct usb_device *udev, + } + + command->in_ctx = virt_dev->in_ctx; ++ command->timeout_ms = timeout_ms; + + slot_ctx = xhci_get_slot_ctx(xhci, virt_dev->in_ctx); + ctrl_ctx = xhci_get_input_control_ctx(virt_dev->in_ctx); +@@ -4295,14 +4302,16 @@ static int xhci_setup_device(struct usb_hcd *hcd, struct usb_device *udev, + return ret; + } + +-static int xhci_address_device(struct usb_hcd *hcd, struct usb_device *udev) ++static int xhci_address_device(struct usb_hcd *hcd, struct usb_device *udev, ++ unsigned int timeout_ms) + { +- return xhci_setup_device(hcd, udev, SETUP_CONTEXT_ADDRESS); ++ return xhci_setup_device(hcd, udev, SETUP_CONTEXT_ADDRESS, timeout_ms); + } + + static int xhci_enable_device(struct usb_hcd *hcd, struct usb_device *udev) + { +- return xhci_setup_device(hcd, udev, SETUP_CONTEXT_ONLY); ++ return xhci_setup_device(hcd, udev, SETUP_CONTEXT_ONLY, ++ XHCI_CMD_DEFAULT_TIMEOUT); + } + + /* +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index 421bc7ad413e6..d27b08d43e398 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -815,6 +815,8 @@ struct xhci_command { + struct completion *completion; + union xhci_trb *command_trb; + struct list_head cmd_list; ++ /* xHCI command response timeout in milliseconds */ ++ unsigned int timeout_ms; + }; + + /* drop context bitmasks */ +@@ -1550,8 +1552,11 @@ struct xhci_td { + bool urb_length_set; + }; + +-/* xHCI command default timeout value */ +-#define XHCI_CMD_DEFAULT_TIMEOUT (5 * HZ) ++/* ++ * xHCI command default timeout value in milliseconds. ++ * USB 3.2 spec, section 9.2.6.1 ++ */ ++#define XHCI_CMD_DEFAULT_TIMEOUT 5000 + + /* command descriptor */ + struct xhci_cd { +diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h +index a57e023755aa9..0c00709ead14d 100644 +--- a/include/linux/usb/hcd.h ++++ b/include/linux/usb/hcd.h +@@ -385,8 +385,9 @@ struct hc_driver { + * or bandwidth constraints. + */ + void (*reset_bandwidth)(struct usb_hcd *, struct usb_device *); +- /* Returns the hardware-chosen device address */ +- int (*address_device)(struct usb_hcd *, struct usb_device *udev); ++ /* Set the hardware-chosen device address */ ++ int (*address_device)(struct usb_hcd *, struct usb_device *udev, ++ unsigned int timeout_ms); + /* prepares the hardware to send commands to the device */ + int (*enable_device)(struct usb_hcd *, struct usb_device *udev); + /* Notifies the HCD after a hub descriptor is fetched. +-- +2.39.5 + diff --git a/queue-5.4/usb-xhci-fix-null-pointer-dereference-on-certain-com.patch b/queue-5.4/usb-xhci-fix-null-pointer-dereference-on-certain-com.patch new file mode 100644 index 0000000000..f45a3a1506 --- /dev/null +++ b/queue-5.4/usb-xhci-fix-null-pointer-dereference-on-certain-com.patch @@ -0,0 +1,56 @@ +From 81a1029210bb011f591aa4f43570750d0de51a02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Dec 2024 14:01:40 +0200 +Subject: usb: xhci: Fix NULL pointer dereference on certain command aborts + +From: Michal Pecio + +[ Upstream commit 1e0a19912adb68a4b2b74fd77001c96cd83eb073 ] + +If a command is queued to the final usable TRB of a ring segment, the +enqueue pointer is advanced to the subsequent link TRB and no further. +If the command is later aborted, when the abort completion is handled +the dequeue pointer is advanced to the first TRB of the next segment. + +If no further commands are queued, xhci_handle_stopped_cmd_ring() sees +the ring pointers unequal and assumes that there is a pending command, +so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL. + +Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell +ring likely is unnecessary too, but it's harmless. Leave it alone. + +This is probably Bug 219532, but no confirmation has been received. + +The issue has been independently reproduced and confirmed fixed using +a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. +Everything continued working normally after several prevented crashes. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219532 +Fixes: c311e391a7ef ("xhci: rework command timeout and cancellation,") +CC: stable@vger.kernel.org +Signed-off-by: Michal Pecio +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241227120142.1035206-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index a37b55b2e31f4..08b016864fc08 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -332,7 +332,8 @@ static void xhci_handle_stopped_cmd_ring(struct xhci_hcd *xhci, + if ((xhci->cmd_ring->dequeue != xhci->cmd_ring->enqueue) && + !(xhci->xhc_state & XHCI_STATE_DYING)) { + xhci->current_cmd = cur_cmd; +- xhci_mod_cmd_timer(xhci); ++ if (cur_cmd) ++ xhci_mod_cmd_timer(xhci); + xhci_ring_cmd_db(xhci); + } + } +-- +2.39.5 + diff --git a/queue-5.4/wifi-brcmsmac-add-gain-range-check-to-wlc_phy_iqcal_.patch b/queue-5.4/wifi-brcmsmac-add-gain-range-check-to-wlc_phy_iqcal_.patch new file mode 100644 index 0000000000..96a71edfde --- /dev/null +++ b/queue-5.4/wifi-brcmsmac-add-gain-range-check-to-wlc_phy_iqcal_.patch @@ -0,0 +1,42 @@ +From 7b3cffb88bff491103ff48c3d48504f0da6a7fa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 10:04:41 +0300 +Subject: wifi: brcmsmac: add gain range check to + wlc_phy_iqcal_gainparams_nphy() + +From: Dmitry Antipov + +[ Upstream commit 3f4a0948c3524ae50f166dbc6572a3296b014e62 ] + +In 'wlc_phy_iqcal_gainparams_nphy()', add gain range check to WARN() +instead of possible out-of-bounds 'tbl_iqcal_gainparams_nphy' access. +Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Dmitry Antipov +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20241210070441.836362-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c +index a3f094568cfb2..90ae800cbccd0 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c +@@ -23445,6 +23445,9 @@ wlc_phy_iqcal_gainparams_nphy(struct brcms_phy *pi, u16 core_no, + } + } + ++ if (WARN_ON(k == NPHY_IQCAL_NUMGAINS)) ++ return; ++ + params->txgm = tbl_iqcal_gainparams_nphy[band_idx][k][1]; + params->pga = tbl_iqcal_gainparams_nphy[band_idx][k][2]; + params->pad = tbl_iqcal_gainparams_nphy[band_idx][k][3]; +-- +2.39.5 + diff --git a/queue-5.4/x86-amd_nb-restrict-init-function-to-amd-based-syste.patch b/queue-5.4/x86-amd_nb-restrict-init-function-to-amd-based-syste.patch new file mode 100644 index 0000000000..741b66f1a9 --- /dev/null +++ b/queue-5.4/x86-amd_nb-restrict-init-function-to-amd-based-syste.patch @@ -0,0 +1,40 @@ +From e770e5ac6a075936668cdc6a669de21f388fe54d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 16:11:55 +0000 +Subject: x86/amd_nb: Restrict init function to AMD-based systems + +From: Yazen Ghannam + +[ Upstream commit bee9e840609cc67d0a7d82f22a2130fb7a0a766d ] + +The code implicitly operates on AMD-based systems by matching on PCI +IDs. However, the use of these IDs is going away. + +Add an explicit CPU vendor check instead of relying on PCI IDs. + +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20241206161210.163701-3-yazen.ghannam@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/amd_nb.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c +index e3b5de7b95988..ead78f981345c 100644 +--- a/arch/x86/kernel/amd_nb.c ++++ b/arch/x86/kernel/amd_nb.c +@@ -538,6 +538,10 @@ static __init void fix_erratum_688(void) + + static __init int init_amd_nbs(void) + { ++ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD && ++ boot_cpu_data.x86_vendor != X86_VENDOR_HYGON) ++ return 0; ++ + amd_cache_northbridges(); + amd_cache_gart(); + +-- +2.39.5 + -- 2.47.2