From c74322d72ad0d1cbbae1d953654314a5aba45dea Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 5 Jul 2024 15:20:45 -0400 Subject: [PATCH] Fixes for 5.4 
Signed-off-by: Sasha Levin --- ...skip-finding-free-audio-for-unknown-.patch | 44 ++++ ...alize-timestamp-for-some-legacy-socs.patch | 46 ++++ ...shared-irq-handling-on-driver-remove.patch | 88 ++++++++ ...re-dmi-stop-decoding-on-broken-entry.patch | 46 ++++ ...otate-apanel_addr-as-__ro_after_init.patch | 35 ++++ ...plement-a-limit-on-umad-receive-list.patch | 125 +++++++++++ ...efer-struct_size-over-open-coded-ari.patch | 73 +++++++ ...ts-remove-bug_on-in-its_vpe_irq_doma.patch | 41 ++++ ...ial-illegal-address-access-in-jffs2_.patch | 94 +++++++++ ...2-fe-fix-as10x_register_addr-packing.patch | 44 ++++ ...ntends-tda10048-fix-integer-overflow.patch | 53 +++++ ...nds-tda18271c2dd-remove-casting-duri.patch | 49 +++++ ...b0700_devices-add-missing-release_fi.patch | 68 ++++++ ...-don-t-translate-i2c-read-into-write.patch | 197 ++++++++++++++++++ ...refcount_t-instead-of-atomic_t-for-n.patch | 109 ++++++++++ ...88e6xxx-correct-check-for-empty-list.patch | 50 +++++ ...ug_on-in-nilfs_finish_roll_forward-t.patch | 45 ++++ ...angefs-fix-out-of-bounds-fsid-access.patch | 43 ++++ ...io_base-to-poison_pointer_delta-not-.patch | 49 +++++ ...check-cpu-id-in-commands-c-dp-and-dx.patch | 61 ++++++ ...-in-__load_psw_mask-as-__unitialized.patch | 47 +++++ ...-pkey-wipe-sensitive-data-on-failure.patch | 47 +++++ ...ake-qedf_execute_tmf-non-preemptible.patch | 54 +++++ ...ruct_size-over-open-coded-arithmetic.patch | 74 +++++++ queue-5.4/series | 24 +++ 25 files changed, 1606 insertions(+) create mode 100644 queue-5.4/drm-amd-display-skip-finding-free-audio-for-unknown-.patch create mode 100644 queue-5.4/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch create mode 100644 queue-5.4/drm-lima-fix-shared-irq-handling-on-driver-remove.patch create mode 100644 queue-5.4/firmware-dmi-stop-decoding-on-broken-entry.patch create mode 100644 queue-5.4/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch create mode 100644 queue-5.4/ib-core-implement-a-limit-on-umad-receive-list.patch 
create mode 100644 queue-5.4/input-ff-core-prefer-struct_size-over-open-coded-ari.patch create mode 100644 queue-5.4/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch create mode 100644 queue-5.4/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch create mode 100644 queue-5.4/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch create mode 100644 queue-5.4/media-dvb-frontends-tda10048-fix-integer-overflow.patch create mode 100644 queue-5.4/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch create mode 100644 queue-5.4/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch create mode 100644 queue-5.4/media-dw2102-don-t-translate-i2c-read-into-write.patch create mode 100644 queue-5.4/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch create mode 100644 queue-5.4/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch create mode 100644 queue-5.4/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch create mode 100644 queue-5.4/orangefs-fix-out-of-bounds-fsid-access.patch create mode 100644 queue-5.4/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch create mode 100644 queue-5.4/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch create mode 100644 queue-5.4/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch create mode 100644 queue-5.4/s390-pkey-wipe-sensitive-data-on-failure.patch create mode 100644 queue-5.4/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch create mode 100644 queue-5.4/sctp-prefer-struct_size-over-open-coded-arithmetic.patch create mode 100644 queue-5.4/series diff --git a/queue-5.4/drm-amd-display-skip-finding-free-audio-for-unknown-.patch b/queue-5.4/drm-amd-display-skip-finding-free-audio-for-unknown-.patch new file mode 100644 index 00000000000..d28bb3fb919 --- /dev/null +++ b/queue-5.4/drm-amd-display-skip-finding-free-audio-for-unknown-.patch 
@@ -0,0 +1,44 @@
+From c4e9e5e6884a37381ebfffec3795b5dd8a28655e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Apr 2024 13:52:27 -0600
+Subject: drm/amd/display: Skip finding free audio for unknown engine_id
+
+From: Alex Hung
+
+[ Upstream commit 1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3 ]
+
+[WHY]
+ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it
+also means it is uninitialized and does not need free audio.
+
+[HOW]
+Skip and return NULL.
+
+This fixes 2 OVERRUN issues reported by Coverity.
+
+Reviewed-by: Rodrigo Siqueira
+Acked-by: Wayne Lin
+Signed-off-by: Alex Hung
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+index cdcd5051dd666..2f56684780eb5 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+@@ -1646,6 +1646,9 @@ static struct audio *find_first_free_audio(
+ {
+ int i, available_audio_count;
+ 
++ if (id == ENGINE_ID_UNKNOWN)
++ return NULL;
++
+ available_audio_count = pool->audio_count;
+ 
+ for (i = 0; i < available_audio_count; i++) {
+-- 
+2.43.0
+ 
diff --git a/queue-5.4/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch b/queue-5.4/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch
new file mode 100644
index 00000000000..934e36f8dd8
--- /dev/null
+++ b/queue-5.4/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch
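Review bot: The new early return in find_first_free_audio carries its reason only in the commit message; in the code, `ENGINE_ID_UNKNOWN` reads as an ordinary enumerator rather than a negative sentinel that must never reach an array index. A comment above the check, `/* ENGINE_ID_UNKNOWN is -1: not a valid index, and an uninitialized engine needs no audio */`, keeps that invariant next to the code. Since the rest of the function (outside the hunk) presumably indexes with `id`, it is also worth considering whether `if (id < 0)` is the more robust form, so that any future negative enumerator is rejected as well. The body of find_first_free_audio continues past the hunk.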
@@ -0,0 +1,46 @@ +From 8c84a0c4147ddd9ca11f7760185c589af1657f9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 10:07:51 +0800 +Subject: drm/amdgpu: Initialize timestamp for some legacy SOCs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ma Jun + +[ Upstream commit 2e55bcf3d742a4946d862b86e39e75a95cc6f1c0 ] + +Initialize the interrupt timestamp for some legacy SOCs +to fix the coverity issue "Uninitialized scalar variable" + +Signed-off-by: Ma Jun +Suggested-by: Christian König +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c +index 76429932035e1..a803e6a4e3473 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c +@@ -384,6 +384,14 @@ void amdgpu_irq_dispatch(struct amdgpu_device *adev, + int r; + + entry.iv_entry = (const uint32_t *)&ih->ring[ring_index]; ++ ++ /* ++ * timestamp is not supported on some legacy SOCs (cik, cz, iceland, ++ * si and tonga), so initialize timestamp and timestamp_src to 0 ++ */ ++ entry.timestamp = 0; ++ entry.timestamp_src = 0; ++ + amdgpu_ih_decode_iv(adev, &entry); + + trace_amdgpu_iv(ih - &adev->irq.ih, &entry); +-- +2.43.0 + diff --git a/queue-5.4/drm-lima-fix-shared-irq-handling-on-driver-remove.patch b/queue-5.4/drm-lima-fix-shared-irq-handling-on-driver-remove.patch new file mode 100644 index 00000000000..120e74adeb3 --- /dev/null +++ b/queue-5.4/drm-lima-fix-shared-irq-handling-on-driver-remove.patch 
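Review bot: Zeroing `entry.timestamp` and `entry.timestamp_src` by name in amdgpu_irq_dispatch fixes the two fields Coverity flagged, but leaves `entry` only partially initialized on the legacy IH paths if any other field is likewise skipped by `amdgpu_ih_decode_iv`; the declaration of `entry` is outside the hunk, so this is inferred. Zero-initializing the aggregate at its declaration (`= {0}`), or a `memset` before `entry.iv_entry` is assigned, covers every field at no more cost than the two stores and does not need revisiting when the structure grows. If the field-wise form is kept, the added comment already names why these two in particular, which is good; it could additionally note that the decoder is expected to fill the rest.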
@@ -0,0 +1,88 @@ +From 4506592b1966308989b380ed0094490ea2559498 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 00:43:28 +0200 +Subject: drm/lima: fix shared irq handling on driver remove + +From: Erico Nunes + +[ Upstream commit a6683c690bbfd1f371510cb051e8fa49507f3f5e ] + +lima uses a shared interrupt, so the interrupt handlers must be prepared +to be called at any time. At driver removal time, the clocks are +disabled early and the interrupts stay registered until the very end of +the remove process due to the devm usage. +This is potentially a bug as the interrupts access device registers +which assumes clocks are enabled. A crash can be triggered by removing +the driver in a kernel with CONFIG_DEBUG_SHIRQ enabled. +This patch frees the interrupts at each lima device finishing callback +so that the handlers are already unregistered by the time we fully +disable clocks. + +Signed-off-by: Erico Nunes +Signed-off-by: Qiang Yu +Link: https://patchwork.freedesktop.org/patch/msgid/20240401224329.1228468-2-nunes.erico@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/lima/lima_gp.c | 2 ++ + drivers/gpu/drm/lima/lima_mmu.c | 5 +++++ + drivers/gpu/drm/lima/lima_pp.c | 4 ++++ + 3 files changed, 11 insertions(+) + +diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c +index ccf49faedebf8..3fca560087c97 100644 +--- a/drivers/gpu/drm/lima/lima_gp.c ++++ b/drivers/gpu/drm/lima/lima_gp.c +@@ -244,7 +244,9 @@ int lima_gp_init(struct lima_ip *ip) + + void lima_gp_fini(struct lima_ip *ip) + { ++ struct lima_device *dev = ip->dev; + ++ devm_free_irq(dev->dev, ip->irq, ip); + } + + int lima_gp_pipe_init(struct lima_device *dev) +diff --git a/drivers/gpu/drm/lima/lima_mmu.c b/drivers/gpu/drm/lima/lima_mmu.c +index 8e1651d6a61fa..04e6090cce595 100644 +--- a/drivers/gpu/drm/lima/lima_mmu.c ++++ b/drivers/gpu/drm/lima/lima_mmu.c +@@ -97,7 +97,12 @@ int lima_mmu_init(struct lima_ip *ip) + + void lima_mmu_fini(struct lima_ip *ip) + { 
++ struct lima_device *dev = ip->dev; ++ ++ if (ip->id == lima_ip_ppmmu_bcast) ++ return; + ++ devm_free_irq(dev->dev, ip->irq, ip); + } + + void lima_mmu_switch_vm(struct lima_ip *ip, struct lima_vm *vm) +diff --git a/drivers/gpu/drm/lima/lima_pp.c b/drivers/gpu/drm/lima/lima_pp.c +index 8fef224b93c85..1dacca8bffe1a 100644 +--- a/drivers/gpu/drm/lima/lima_pp.c ++++ b/drivers/gpu/drm/lima/lima_pp.c +@@ -251,7 +251,9 @@ int lima_pp_init(struct lima_ip *ip) + + void lima_pp_fini(struct lima_ip *ip) + { ++ struct lima_device *dev = ip->dev; + ++ devm_free_irq(dev->dev, ip->irq, ip); + } + + int lima_pp_bcast_init(struct lima_ip *ip) +@@ -272,7 +274,9 @@ int lima_pp_bcast_init(struct lima_ip *ip) + + void lima_pp_bcast_fini(struct lima_ip *ip) + { ++ struct lima_device *dev = ip->dev; + ++ devm_free_irq(dev->dev, ip->irq, ip); + } + + static int lima_pp_task_validate(struct lima_sched_pipe *pipe, +-- +2.43.0 + diff --git a/queue-5.4/firmware-dmi-stop-decoding-on-broken-entry.patch b/queue-5.4/firmware-dmi-stop-decoding-on-broken-entry.patch new file mode 100644 index 00000000000..9955d5a4cc3 --- /dev/null +++ b/queue-5.4/firmware-dmi-stop-decoding-on-broken-entry.patch 
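Review bot: In lima_mmu_fini the early return for `lima_ip_ppmmu_bcast` is the only one of the four fini callbacks that skips the free, and the hunk gives no hint why; presumably lima_mmu_init never requests an irq for the broadcast MMU (that function is outside the hunk), in which case devm_free_irq on it would trip the unregistered-resource warning. A comment at the return, `/* the bcast MMU has no irq of its own, see lima_mmu_init */`, would make the asymmetry with lima_gp_fini, lima_pp_fini and lima_pp_bcast_fini self-explanatory. The same point applies to all four hunks of this patch: each `devm_free_irq` assumes the matching init succeeded, which holds only if device teardown never calls the fini callback of an ip whose init failed — worth confirming against the 5.4 tree rather than upstream. In lima_mmu_fini the `dev` local is initialized before the bail-out; harmless, but `devm_free_irq(ip->dev->dev, ip->irq, ip);` avoids a local that is unused on one path.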
@@ -0,0 +1,46 @@ +From 43bf9459da5712dbe01abfb246d7f7f9b030cc74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 18:29:32 +0200 +Subject: firmware: dmi: Stop decoding on broken entry + +From: Jean Delvare + +[ Upstream commit 0ef11f604503b1862a21597436283f158114d77e ] + +If a DMI table entry is shorter than 4 bytes, it is invalid. Due to +how DMI table parsing works, it is impossible to safely recover from +such an error, so we have to stop decoding the table. + +Signed-off-by: Jean Delvare +Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-debian-v2/T/ +Reviewed-by: Michael Kelley +Signed-off-by: Sasha Levin +--- + drivers/firmware/dmi_scan.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c +index 1e21fc3e9851a..537c104652f71 100644 +--- a/drivers/firmware/dmi_scan.c ++++ b/drivers/firmware/dmi_scan.c +@@ -96,6 +96,17 @@ static void dmi_decode_table(u8 *buf, + (data - buf + sizeof(struct dmi_header)) <= dmi_len) { + const struct dmi_header *dm = (const struct dmi_header *)data; + ++ /* ++ * If a short entry is found (less than 4 bytes), not only it ++ * is invalid, but we cannot reliably locate the next entry. ++ */ ++ if (dm->length < sizeof(struct dmi_header)) { ++ pr_warn(FW_BUG ++ "Corrupted DMI table, offset %zd (only %d entries processed)\n", ++ data - buf, i); ++ break; ++ } ++ + /* + * We want to know the total length (formatted area and + * strings) before decoding to make sure we won't run off the +-- +2.43.0 + diff --git a/queue-5.4/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch b/queue-5.4/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch new file mode 100644 index 00000000000..e845beccd0a --- /dev/null +++ b/queue-5.4/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch 
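Review bot: In the new pr_warn in dmi_decode_table, `data - buf` is a pointer difference (ptrdiff_t) but is printed with `%zd`, the size_t-family specifier; `%td` is the exact match and the kernel's vsprintf accepts it. On Linux targets the two types have the same width, so this is a point of style rather than a bug, and `%d` for `i` is correct assuming `i` is an int (its declaration is outside the hunk). The comment above the check could also state the consequence for callers — that entries after the break are never decoded — e.g. appending `Remaining entries are dropped; callers see a partial table.`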
@@ -0,0 +1,35 @@
+From bd6bfdcaafbd15a3e5a3a7abcb4e92826d27e958 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 Apr 2024 12:21:58 +0200
+Subject: i2c: i801: Annotate apanel_addr as __ro_after_init
+
+From: Heiner Kallweit
+
+[ Upstream commit 355b1513b1e97b6cef84b786c6480325dfd3753d ]
+
+Annotate this variable as __ro_after_init to protect it from being
+overwritten later.
+
+Signed-off-by: Heiner Kallweit
+Signed-off-by: Andi Shyti
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-i801.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
+index 18489940a947b..2c077ffcee607 100644
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -1057,7 +1057,7 @@ static const struct pci_device_id i801_ids[] = {
+ MODULE_DEVICE_TABLE(pci, i801_ids);
+ 
+ #if defined CONFIG_X86 && defined CONFIG_DMI
+-static unsigned char apanel_addr;
++static unsigned char apanel_addr __ro_after_init;
+ 
+ /* Scan the system ROM for the signature "FJKEYINF" */
+ static __init const void __iomem *bios_signature(const void __iomem *bios)
+-- 
+2.43.0
+ 
diff --git a/queue-5.4/ib-core-implement-a-limit-on-umad-receive-list.patch b/queue-5.4/ib-core-implement-a-limit-on-umad-receive-list.patch
new file mode 100644
index 00000000000..09f6e87b924
--- /dev/null
+++ b/queue-5.4/ib-core-implement-a-limit-on-umad-receive-list.patch
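Review bot: `__ro_after_init` on apanel_addr is only safe if every store to it happens before the kernel marks rodata read-only; the hunk shows just the `__init` bios_signature scanner, and the writer is outside the hunk. For a stable backport the check that matters is that the 5.4 file has no later writer (a probe-time or runtime store would now fault instead of assign), since the annotation was validated against the upstream tree, not this one. A comment would help the next reader: `/* written only by the __init apanel scan; read-only afterwards */`.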
@@ -0,0 +1,125 @@ +From efeaffb067801f9d675bc0c71698701678bd8981 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 15:01:44 +0300 +Subject: IB/core: Implement a limit on UMAD receive List + +From: Michael Guralnik + +[ Upstream commit ca0b44e20a6f3032224599f02e7c8fb49525c894 ] + +The existing behavior of ib_umad, which maintains received MAD +packets in an unbounded list, poses a risk of uncontrolled growth. +As user-space applications extract packets from this list, the rate +of extraction may not match the rate of incoming packets, leading +to potential list overflow. + +To address this, we introduce a limit to the size of the list. After +considering typical scenarios, such as OpenSM processing, which can +handle approximately 100k packets per second, and the 1-second retry +timeout for most packets, we set the list size limit to 200k. Packets +received beyond this limit are dropped, assuming they are likely timed +out by the time they are handled by user-space. + +Notably, packets queued on the receive list due to reasons like +timed-out sends are preserved even when the list is full. 
+ +Signed-off-by: Michael Guralnik +Reviewed-by: Mark Zhang +Link: https://lore.kernel.org/r/7197cb58a7d9e78399008f25036205ceab07fbd5.1713268818.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/user_mad.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c +index 390123f87658b..51ce5b7be0718 100644 +--- a/drivers/infiniband/core/user_mad.c ++++ b/drivers/infiniband/core/user_mad.c +@@ -63,6 +63,8 @@ MODULE_AUTHOR("Roland Dreier"); + MODULE_DESCRIPTION("InfiniBand userspace MAD packet access"); + MODULE_LICENSE("Dual BSD/GPL"); + ++#define MAX_UMAD_RECV_LIST_SIZE 200000 ++ + enum { + IB_UMAD_MAX_PORTS = RDMA_MAX_PORTS, + IB_UMAD_MAX_AGENTS = 32, +@@ -113,6 +115,7 @@ struct ib_umad_file { + struct mutex mutex; + struct ib_umad_port *port; + struct list_head recv_list; ++ atomic_t recv_list_size; + struct list_head send_list; + struct list_head port_list; + spinlock_t send_lock; +@@ -180,24 +183,28 @@ static struct ib_mad_agent *__get_agent(struct ib_umad_file *file, int id) + return file->agents_dead ? 
NULL : file->agent[id]; + } + +-static int queue_packet(struct ib_umad_file *file, +- struct ib_mad_agent *agent, +- struct ib_umad_packet *packet) ++static int queue_packet(struct ib_umad_file *file, struct ib_mad_agent *agent, ++ struct ib_umad_packet *packet, bool is_recv_mad) + { + int ret = 1; + + mutex_lock(&file->mutex); + ++ if (is_recv_mad && ++ atomic_read(&file->recv_list_size) > MAX_UMAD_RECV_LIST_SIZE) ++ goto unlock; ++ + for (packet->mad.hdr.id = 0; + packet->mad.hdr.id < IB_UMAD_MAX_AGENTS; + packet->mad.hdr.id++) + if (agent == __get_agent(file, packet->mad.hdr.id)) { + list_add_tail(&packet->list, &file->recv_list); ++ atomic_inc(&file->recv_list_size); + wake_up_interruptible(&file->recv_wait); + ret = 0; + break; + } +- ++unlock: + mutex_unlock(&file->mutex); + + return ret; +@@ -224,7 +231,7 @@ static void send_handler(struct ib_mad_agent *agent, + if (send_wc->status == IB_WC_RESP_TIMEOUT_ERR) { + packet->length = IB_MGMT_MAD_HDR; + packet->mad.hdr.status = ETIMEDOUT; +- if (!queue_packet(file, agent, packet)) ++ if (!queue_packet(file, agent, packet, false)) + return; + } + kfree(packet); +@@ -284,7 +291,7 @@ static void recv_handler(struct ib_mad_agent *agent, + rdma_destroy_ah_attr(&ah_attr); + } + +- if (queue_packet(file, agent, packet)) ++ if (queue_packet(file, agent, packet, true)) + goto err2; + return; + +@@ -409,6 +416,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, + + packet = list_entry(file->recv_list.next, struct ib_umad_packet, list); + list_del(&packet->list); ++ atomic_dec(&file->recv_list_size); + + mutex_unlock(&file->mutex); + +@@ -421,6 +429,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, + /* Requeue packet */ + mutex_lock(&file->mutex); + list_add(&packet->list, &file->recv_list); ++ atomic_inc(&file->recv_list_size); + mutex_unlock(&file->mutex); + } else { + if (packet->recv_wc) +-- +2.43.0 + 
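Review bot: The new cap in queue_packet uses `>`, so a file's recv_list can hold MAX_UMAD_RECV_LIST_SIZE + 1 entries before receive MADs are dropped; `>=` makes the documented 200k limit exact, and a comment on the constant, `/* ~2 s of traffic at the ~100k MAD/s an OpenSM instance handles */`, carries the sizing rationale from the commit message into the code. The hunk never initializes `recv_list_size`; that is fine only if `struct ib_umad_file` is zero-allocated where it is created (outside the hunk), which is worth confirming rather than assuming. Every read and write of the counter shown here happens under `file->mutex`, so `atomic_t` buys nothing over a plain `unsigned int` unless a reader exists outside the lock; if the atomic is deliberate, a one-line comment saying so would stop the next reviewer from asking. Dropped receive MADs leave no trace — a rate-limited debug message or a counter on the `goto unlock` path would make the new failure mode diagnosable from user space.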
diff --git a/queue-5.4/input-ff-core-prefer-struct_size-over-open-coded-ari.patch b/queue-5.4/input-ff-core-prefer-struct_size-over-open-coded-ari.patch new file mode 100644 index 00000000000..77d9af3dfe6 --- /dev/null +++ b/queue-5.4/input-ff-core-prefer-struct_size-over-open-coded-ari.patch 
@@ -0,0 +1,73 @@ +From 06606544cc96b4f35c5fedfa3d16df463e02ef03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Apr 2024 17:05:56 +0200 +Subject: Input: ff-core - prefer struct_size over open coded arithmetic + +From: Erick Archer + +[ Upstream commit a08b8f8557ad88ffdff8905e5da972afe52e3307 ] + +This is an effort to get rid of all multiplications from allocation +functions in order to prevent integer overflows [1][2]. + +As the "ff" variable is a pointer to "struct ff_device" and this +structure ends in a flexible array: + +struct ff_device { + [...] + struct file *effect_owners[] __counted_by(max_effects); +}; + +the preferred way in the kernel is to use the struct_size() helper to +do the arithmetic instead of the calculation "size + count * size" in +the kzalloc() function. + +The struct_size() helper returns SIZE_MAX on overflow. So, refactor +the comparison to take advantage of this. + +This way, the code is more readable and safer. + +This code was detected with the help of Coccinelle, and audited and +modified manually. 
+ +Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] +Link: https://github.com/KSPP/linux/issues/160 [2] +Signed-off-by: Erick Archer +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/AS8PR02MB72371E646714BAE2E51A6A378B152@AS8PR02MB7237.eurprd02.prod.outlook.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/ff-core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/input/ff-core.c b/drivers/input/ff-core.c +index 1cf5deda06e19..a765e185c7a12 100644 +--- a/drivers/input/ff-core.c ++++ b/drivers/input/ff-core.c +@@ -12,8 +12,10 @@ + /* #define DEBUG */ + + #include ++#include + #include + #include ++#include + #include + #include + +@@ -318,9 +320,8 @@ int input_ff_create(struct input_dev *dev, unsigned int max_effects) + return -EINVAL; + } + +- ff_dev_size = sizeof(struct ff_device) + +- max_effects * sizeof(struct file *); +- if (ff_dev_size < max_effects) /* overflow */ ++ ff_dev_size = struct_size(ff, effect_owners, max_effects); ++ if (ff_dev_size == SIZE_MAX) /* overflow */ + return -EINVAL; + + ff = kzalloc(ff_dev_size, GFP_KERNEL); +-- +2.43.0 + diff --git a/queue-5.4/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch b/queue-5.4/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch new file mode 100644 index 00000000000..45fc405d878 --- /dev/null +++ b/queue-5.4/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch 
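Review bot: `struct_size(ff, effect_owners, max_effects)` in input_ff_create is evaluated while `ff` is still unassigned (the kzalloc that sets it follows two lines later); that is fine because the macro only takes `sizeof` of the pointee's member, but a reader will pause on it, so a short comment such as `/* struct_size() only uses the type of ff, which is allocated below */` is worth adding. The `== SIZE_MAX` test also assumes `ff_dev_size` is declared as size_t (its declaration is outside the hunk); with any narrower type the comparison could never be true and the overflow check would silently disappear, so the 5.4 declaration should be confirmed. This rendering of the hunk has lost the header names on the two added `#include` lines, so it cannot be verified here that the headers providing struct_size and SIZE_MAX are the ones being added.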
@@ -0,0 +1,41 @@
+From b7e790929b930f798a0573afbc3c0b28e1c0c17d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Apr 2024 14:10:53 +0800
+Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
+
+From: Guanrui Huang
+
+[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ]
+
+This BUG_ON() is useless, because the same effect will be obtained
+by letting the code run its course and vm being dereferenced,
+triggering an exception.
+
+So just remove this check.
+
+Signed-off-by: Guanrui Huang
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Zenghui Yu
+Acked-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index d16776c6dee7b..ae3378ef469b0 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -3085,8 +3085,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
+ struct page *vprop_page;
+ int base, nr_ids, i, err = 0;
+ 
+- BUG_ON(!vm);
+-
+ bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids);
+ if (!bitmap)
+ return -ENOMEM;
+-- 
+2.43.0
+ 
diff --git a/queue-5.4/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch b/queue-5.4/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch
new file mode 100644
index 00000000000..41b0c683eee
--- /dev/null
+++ b/queue-5.4/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch
@@ -0,0 +1,94 @@ +From 15c8fec9876c5fc97eebb65914a63ac68e0fd1c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 15:00:46 +0800 +Subject: jffs2: Fix potential illegal address access in jffs2_free_inode + +From: Wang Yong + +[ Upstream commit af9a8730ddb6a4b2edd779ccc0aceb994d616830 ] + +During the stress testing of the jffs2 file system,the following +abnormal printouts were found: +[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948 +[ 2430.649622] Mem abort info: +[ 2430.649829] ESR = 0x96000004 +[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits +[ 2430.650564] SET = 0, FnV = 0 +[ 2430.650795] EA = 0, S1PTW = 0 +[ 2430.651032] FSC = 0x04: level 0 translation fault +[ 2430.651446] Data abort info: +[ 2430.651683] ISV = 0, ISS = 0x00000004 +[ 2430.652001] CM = 0, WnR = 0 +[ 2430.652558] [0069696969696948] address between user and kernel address ranges +[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33 +[ 2430.655008] Hardware name: linux,dummy-virt (DT) +[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 2430.656142] pc : kfree+0x78/0x348 +[ 2430.656630] lr : jffs2_free_inode+0x24/0x48 +[ 2430.657051] sp : ffff800009eebd10 +[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000 +[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000 +[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14 +[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000 +[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000 +[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19 +[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14 +[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302 +[ 
2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342 +[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000 +[ 2430.664217] Call trace: +[ 2430.664528] kfree+0x78/0x348 +[ 2430.664855] jffs2_free_inode+0x24/0x48 +[ 2430.665233] i_callback+0x24/0x50 +[ 2430.665528] rcu_do_batch+0x1ac/0x448 +[ 2430.665892] rcu_core+0x28c/0x3c8 +[ 2430.666151] rcu_core_si+0x18/0x28 +[ 2430.666473] __do_softirq+0x138/0x3cc +[ 2430.666781] irq_exit+0xf0/0x110 +[ 2430.667065] handle_domain_irq+0x6c/0x98 +[ 2430.667447] gic_handle_irq+0xac/0xe8 +[ 2430.667739] call_on_irq_stack+0x28/0x54 +The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of +the jffs_inode_info structure. It was found that all variables in the jffs_inode_info +structure were 5a5a5a5a, except for the first member sem. It is suspected that these +variables are not initialized because they were set to 5a5a5a5a during memory testing, +which is meant to detect uninitialized memory.The sem variable is initialized in the +function jffs2_i_init_once, while other members are initialized in +the function jffs2_init_inode_info. + +The function jffs2_init_inode_info is called after iget_locked, +but in the iget_locked function, the destroy_inode process is triggered, +which releases the inode and consequently, the target member of the inode +is not initialized.In concurrent high pressure scenarios, iget_locked +may enter the destroy_inode branch as described in the code. + +Since the destroy_inode functionality of jffs2 only releases the target, +the fix method is to set target to NULL in jffs2_i_init_once. 
+ +Signed-off-by: Wang Yong +Reviewed-by: Lu Zhongjun +Reviewed-by: Yang Tao +Cc: Xu Xin +Cc: Yang Yang +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/jffs2/super.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c +index 6839a61e8ff1e..3602e368cee07 100644 +--- a/fs/jffs2/super.c ++++ b/fs/jffs2/super.c +@@ -58,6 +58,7 @@ static void jffs2_i_init_once(void *foo) + struct jffs2_inode_info *f = foo; + + mutex_init(&f->sem); ++ f->target = NULL; + inode_init_once(&f->vfs_inode); + } + +-- +2.43.0 + diff --git a/queue-5.4/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch b/queue-5.4/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch new file mode 100644 index 00000000000..ad90754d045 --- /dev/null +++ b/queue-5.4/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch 
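Review bot: `jffs2_i_init_once` is a slab constructor, run once when an object is first built rather than on every allocation, so the added `f->target = NULL` guarantees a NULL `target` only for the object's first use; an object recycled from the cache carries whatever the previous inode left in it. The fix therefore depends on every free path clearing `target` after its kfree — jffs2_free_inode and jffs2_do_clear_inode are outside the hunk, so this is inferred — and if jffs2_free_inode frees `f->target` without nulling it, a recycled object that hits the same iget_locked/destroy_inode race would reach kfree with a stale pointer (a double free instead of the poison value in the report). Worth confirming in the 5.4 tree, or adding `f->target = NULL;` after that kfree as part of the backport. A comment on the new line, `/* iget_locked may destroy the inode before jffs2_init_inode_info runs */`, would record why this initialization belongs in the constructor.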
@@ -0,0 +1,44 @@ +From 82e64d7fd1c0bce60572fb5c03e6ac923f587fac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 12:24:37 +0000 +Subject: media: dvb: as102-fe: Fix as10x_register_addr packing + +From: Ricardo Ribalda + +[ Upstream commit 309422d280748c74f57f471559980268ac27732a ] + +This structure is embedded in multiple other structures that are packed, +which conflicts with it being aligned. + +drivers/media/usb/as102/as10x_cmd.h:379:30: warning: field reg_addr within 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' is less aligned than 'struct as10x_register_addr' and is usually due to 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' being packed, which can lead to unaligned accesses [-Wunaligned-access] + +Mark it as being packed. + +Marking the inner struct as 'packed' does not change the layout, since the +whole struct is already packed, it just silences the clang warning. See +also this llvm discussion: + +https://github.com/llvm/llvm-project/issues/55520 + +Signed-off-by: Ricardo Ribalda +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/as102_fe_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/as102_fe_types.h b/drivers/media/dvb-frontends/as102_fe_types.h +index 297f9520ebf9d..8a4e392c88965 100644 +--- a/drivers/media/dvb-frontends/as102_fe_types.h ++++ b/drivers/media/dvb-frontends/as102_fe_types.h +@@ -174,6 +174,6 @@ struct as10x_register_addr { + uint32_t addr; + /* register mode access */ + uint8_t mode; +-}; ++} __packed; + + #endif +-- +2.43.0 + diff --git a/queue-5.4/media-dvb-frontends-tda10048-fix-integer-overflow.patch b/queue-5.4/media-dvb-frontends-tda10048-fix-integer-overflow.patch new file mode 100644 index 00000000000..9a841859176 --- /dev/null +++ b/queue-5.4/media-dvb-frontends-tda10048-fix-integer-overflow.patch 
@@ -0,0 +1,53 @@ +From 1bc14f35dd2ddd636f2fb458f20787595c641df3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 16:05:04 +0100 +Subject: media: dvb-frontends: tda10048: Fix integer overflow + +From: Ricardo Ribalda + +[ Upstream commit 1aa1329a67cc214c3b7bd2a14d1301a795760b07 ] + +state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer +when multiplied by pll_mfactor. + +Create a new 64 bit variable to hold the calculations. + +Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-25-3c4865f5a4b0@chromium.org +Reported-by: Dan Carpenter +Signed-off-by: Ricardo Ribalda +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/tda10048.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/dvb-frontends/tda10048.c b/drivers/media/dvb-frontends/tda10048.c +index f1d5e77d5dcce..db829754f1359 100644 +--- a/drivers/media/dvb-frontends/tda10048.c ++++ b/drivers/media/dvb-frontends/tda10048.c +@@ -410,6 +410,7 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) + struct tda10048_config *config = &state->config; + int i; + u32 if_freq_khz; ++ u64 sample_freq; + + dprintk(1, "%s(bw = %d)\n", __func__, bw); + +@@ -451,9 +452,11 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) + dprintk(1, "- pll_pfactor = %d\n", state->pll_pfactor); + + /* Calculate the sample frequency */ +- state->sample_freq = state->xtal_hz * (state->pll_mfactor + 45); +- state->sample_freq /= (state->pll_nfactor + 1); +- state->sample_freq /= (state->pll_pfactor + 4); ++ sample_freq = state->xtal_hz; ++ sample_freq *= state->pll_mfactor + 45; ++ do_div(sample_freq, state->pll_nfactor + 1); ++ do_div(sample_freq, state->pll_pfactor + 4); ++ state->sample_freq = sample_freq; + dprintk(1, "- sample_freq = %d\n", state->sample_freq); + + /* Update the I/F */ +-- +2.43.0 + 
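Review bot: The final `state->sample_freq = sample_freq;` in tda10048_set_if narrows the 64-bit intermediate back to the field's width (the field's declaration is outside the hunk; the existing `%d` dprintk suggests it is still 32-bit), so if the quotient can ever exceed 32 bits the overflow moves from the multiplication to a silent truncation. If the hardware parameters guarantee the result fits, a comment at the assignment, `/* quotient fits in 32 bits for all supported xtal/pll settings */`, documents the assumption; otherwise a `WARN_ON_ONCE(sample_freq > U32_MAX)` before the store would catch it. `do_div` is a 64-by-32 division, so `state->pll_nfactor + 1` and `state->pll_pfactor + 4` must remain 32-bit divisors, which they presumably are given the replaced code used them directly. The body of tda10048_set_if continues beyond the hunk.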
diff --git a/queue-5.4/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch b/queue-5.4/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch new file mode 100644 index 00000000000..e6aa8616bce --- /dev/null +++ b/queue-5.4/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch 
@@ -0,0 +1,49 @@
+From fbd84c4367cdbcc71ba90643fbca369089dcebac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Apr 2024 16:04:47 +0100
+Subject: media: dvb-frontends: tda18271c2dd: Remove casting during div
+
+From: Ricardo Ribalda
+
+[ Upstream commit e9a844632630e18ed0671a7e3467431bd719952e ]
+
+do_div() divides 64 bits by 32. We were adding a casting to the divider
+to 64 bits, for a number that fits perfectly in 32 bits. Remove it.
+
+Found by cocci:
+drivers/media/dvb-frontends/tda18271c2dd.c:355:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead.
+drivers/media/dvb-frontends/tda18271c2dd.c:331:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead.
+
+Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-8-3c4865f5a4b0@chromium.org
+Signed-off-by: Ricardo Ribalda
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/dvb-frontends/tda18271c2dd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/tda18271c2dd.c b/drivers/media/dvb-frontends/tda18271c2dd.c
+index 43312bba1aec5..1381681c8fc19 100644
+--- a/drivers/media/dvb-frontends/tda18271c2dd.c
++++ b/drivers/media/dvb-frontends/tda18271c2dd.c
+@@ -331,7 +331,7 @@ static int CalcMainPLL(struct tda_state *state, u32 freq)
+
+ OscFreq = (u64) freq * (u64) Div;
+ OscFreq *= (u64) 16384;
+- do_div(OscFreq, (u64)16000000);
++ do_div(OscFreq, 16000000);
+ MainDiv = OscFreq;
+
+ state->m_Regs[MPD] = PostDiv & 0x77;
+@@ -355,7 +355,7 @@ static int CalcCalPLL(struct tda_state *state, u32 freq)
+ OscFreq = (u64)freq * (u64)Div;
+ /* CalDiv = u32( OscFreq * 16384 / 16000000 ); */
+ OscFreq *= (u64)16384;
+- do_div(OscFreq, (u64)16000000);
++ do_div(OscFreq, 16000000);
+ CalDiv = OscFreq;
+
+ state->m_Regs[CPD] = PostDiv;
+-- 
+2.43.0
+
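Review bot: The new `do_div(OscFreq, 16000000);` lines leave the divisor as a bare literal repeated in CalcMainPLL() and CalcCalPLL(), alongside the equally bare `16384` multiplier; now that the casts are gone, a single named constant for each (e.g. `#define TDA18271_OSC_DIVISOR 16000000`, name illustrative) would make the shared formula obvious and keep the two call sites from drifting apart. The comment already present in CalcCalPLL() spells out the expression, so the constant names can follow it. Both function bodies start and end outside the hunk.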
diff --git a/queue-5.4/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch b/queue-5.4/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch
new file mode 100644
index 00000000000..0904959b6cc
--- /dev/null
+++ b/queue-5.4/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch
@@ -0,0 +1,68 @@ +From dc3883a25267544dc9789f3b2ac9be580cd8789d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 21:17:56 +0000 +Subject: media: dvb-usb: dib0700_devices: Add missing release_firmware() + +From: Ricardo Ribalda + +[ Upstream commit 4b267c23ee064bd24c6933df0588ad1b6e111145 ] + +Add missing release_firmware on the error paths. + +drivers/media/usb/dvb-usb/dib0700_devices.c:2415 stk9090m_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2415. +drivers/media/usb/dvb-usb/dib0700_devices.c:2497 nim9090md_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2489,2497. + +Signed-off-by: Ricardo Ribalda +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dib0700_devices.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c +index ab7a100ec84fe..8eecbcdbbad8d 100644 +--- a/drivers/media/usb/dvb-usb/dib0700_devices.c ++++ b/drivers/media/usb/dvb-usb/dib0700_devices.c +@@ -2424,7 +2424,12 @@ static int stk9090m_frontend_attach(struct dvb_usb_adapter *adap) + + adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &stk9090m_config); + +- return adap->fe_adap[0].fe == NULL ? 
-ENODEV : 0; ++ if (!adap->fe_adap[0].fe) { ++ release_firmware(state->frontend_firmware); ++ return -ENODEV; ++ } ++ ++ return 0; + } + + static int dib9090_tuner_attach(struct dvb_usb_adapter *adap) +@@ -2497,8 +2502,10 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap) + dib9000_i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, 0x80); + adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &nim9090md_config[0]); + +- if (adap->fe_adap[0].fe == NULL) ++ if (!adap->fe_adap[0].fe) { ++ release_firmware(state->frontend_firmware); + return -ENODEV; ++ } + + i2c = dib9000_get_i2c_master(adap->fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_3_4, 0); + dib9000_i2c_enumeration(i2c, 1, 0x12, 0x82); +@@ -2506,7 +2513,12 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap) + fe_slave = dvb_attach(dib9000_attach, i2c, 0x82, &nim9090md_config[1]); + dib9000_set_slave_frontend(adap->fe_adap[0].fe, fe_slave); + +- return fe_slave == NULL ? -ENODEV : 0; ++ if (!fe_slave) { ++ release_firmware(state->frontend_firmware); ++ return -ENODEV; ++ } ++ ++ return 0; + } + + static int nim9090md_tuner_attach(struct dvb_usb_adapter *adap) +-- +2.43.0 + diff --git a/queue-5.4/media-dw2102-don-t-translate-i2c-read-into-write.patch b/queue-5.4/media-dw2102-don-t-translate-i2c-read-into-write.patch new file mode 100644 index 00000000000..aeab0990a6d --- /dev/null +++ b/queue-5.4/media-dw2102-don-t-translate-i2c-read-into-write.patch 
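Review bot: In nim9090md_frontend_attach(), the new `if (!fe_slave)` path releases the firmware but leaves the master frontend that was just attached into `adap->fe_adap[0].fe` in place; unless the dvb-usb core detaches it when frontend_attach fails (not visible here), the master is leaked on that -ENODEV return, which the commit does not address. All three new error paths also leave `state->frontend_firmware` pointing at released memory; if anything consults it later (teardown, a retry), adding `state->frontend_firmware = NULL;` after each `release_firmware()` turns a second release into a no-op. `state` is declared outside the hunks, and both function bodies begin outside them.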
@@ -0,0 +1,197 @@ +From 711ee813101d9d5ca1cff0df534dbcee8726065d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Jan 2022 11:22:36 +0000 +Subject: media: dw2102: Don't translate i2c read into write + +From: Michael Bunk + +[ Upstream commit 0e148a522b8453115038193e19ec7bea71403e4a ] + +The code ignored the I2C_M_RD flag on I2C messages. Instead it assumed +an i2c transaction with a single message must be a write operation and a +transaction with two messages would be a read operation. + +Though this works for the driver code, it leads to problems once the i2c +device is exposed to code not knowing this convention. For example, +I did "insmod i2c-dev" and issued read requests from userspace, which +were translated into write requests and destroyed the EEPROM of my +device. + +So, just check and respect the I2C_M_READ flag, which indicates a read +when set on a message. If it is absent, it is a write message. + +Incidentally, changing from the case statement to a while loop allows +the code to lift the limitation to two i2c messages per transaction. + +There are 4 more *_i2c_transfer functions affected by the same behaviour +and limitation that should be fixed in the same way. 
+ +Link: https://lore.kernel.org/linux-media/20220116112238.74171-2-micha@freedict.org +Signed-off-by: Michael Bunk +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dw2102.c | 120 ++++++++++++++++++----------- + 1 file changed, 73 insertions(+), 47 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c +index 924a6478007a8..ff5b007e2d99d 100644 +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -716,6 +716,7 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + { + struct dvb_usb_device *d = i2c_get_adapdata(adap); + struct dw2102_state *state; ++ int j; + + if (!d) + return -ENODEV; +@@ -729,11 +730,11 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + return -EAGAIN; + } + +- switch (num) { +- case 1: +- switch (msg[0].addr) { ++ j = 0; ++ while (j < num) { ++ switch (msg[j].addr) { + case SU3000_STREAM_CTRL: +- state->data[0] = msg[0].buf[0] + 0x36; ++ state->data[0] = msg[j].buf[0] + 0x36; + state->data[1] = 3; + state->data[2] = 0; + if (dvb_usb_generic_rw(d, state->data, 3, +@@ -745,61 +746,86 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + if (dvb_usb_generic_rw(d, state->data, 1, + state->data, 2, 0) < 0) + err("i2c transfer failed."); +- msg[0].buf[1] = state->data[0]; +- msg[0].buf[0] = state->data[1]; ++ msg[j].buf[1] = state->data[0]; ++ msg[j].buf[0] = state->data[1]; + break; + default: +- if (3 + msg[0].len > sizeof(state->data)) { +- warn("i2c wr: len=%d is too big!\n", +- msg[0].len); ++ /* if the current write msg is followed by a another ++ * read msg to/from the same address ++ */ ++ if ((j+1 < num) && (msg[j+1].flags & I2C_M_RD) && ++ (msg[j].addr == msg[j+1].addr)) { ++ /* join both i2c msgs to one usb read command */ ++ if (4 + msg[j].len > sizeof(state->data)) { ++ warn("i2c combined wr/rd: write len=%d is too 
big!\n", ++ msg[j].len); ++ num = -EOPNOTSUPP; ++ break; ++ } ++ if (1 + msg[j+1].len > sizeof(state->data)) { ++ warn("i2c combined wr/rd: read len=%d is too big!\n", ++ msg[j+1].len); ++ num = -EOPNOTSUPP; ++ break; ++ } ++ ++ state->data[0] = 0x09; ++ state->data[1] = msg[j].len; ++ state->data[2] = msg[j+1].len; ++ state->data[3] = msg[j].addr; ++ memcpy(&state->data[4], msg[j].buf, msg[j].len); ++ ++ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 4, ++ state->data, msg[j+1].len + 1, 0) < 0) ++ err("i2c transfer failed."); ++ ++ memcpy(msg[j+1].buf, &state->data[1], msg[j+1].len); ++ j++; ++ break; ++ } ++ ++ if (msg[j].flags & I2C_M_RD) { ++ /* single read */ ++ if (1 + msg[j].len > sizeof(state->data)) { ++ warn("i2c rd: len=%d is too big!\n", msg[j].len); ++ num = -EOPNOTSUPP; ++ break; ++ } ++ ++ state->data[0] = 0x09; ++ state->data[1] = 0; ++ state->data[2] = msg[j].len; ++ state->data[3] = msg[j].addr; ++ memcpy(&state->data[4], msg[j].buf, msg[j].len); ++ ++ if (dvb_usb_generic_rw(d, state->data, 4, ++ state->data, msg[j].len + 1, 0) < 0) ++ err("i2c transfer failed."); ++ ++ memcpy(msg[j].buf, &state->data[1], msg[j].len); ++ break; ++ } ++ ++ /* single write */ ++ if (3 + msg[j].len > sizeof(state->data)) { ++ warn("i2c wr: len=%d is too big!\n", msg[j].len); + num = -EOPNOTSUPP; + break; + } + +- /* always i2c write*/ + state->data[0] = 0x08; +- state->data[1] = msg[0].addr; +- state->data[2] = msg[0].len; ++ state->data[1] = msg[j].addr; ++ state->data[2] = msg[j].len; + +- memcpy(&state->data[3], msg[0].buf, msg[0].len); ++ memcpy(&state->data[3], msg[j].buf, msg[j].len); + +- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 3, ++ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 3, + state->data, 1, 0) < 0) + err("i2c transfer failed."); ++ } // switch ++ j++; + +- } +- break; +- case 2: +- /* always i2c read */ +- if (4 + msg[0].len > sizeof(state->data)) { +- warn("i2c rd: len=%d is too big!\n", +- msg[0].len); +- num = -EOPNOTSUPP; +- 
break; +- } +- if (1 + msg[1].len > sizeof(state->data)) { +- warn("i2c rd: len=%d is too big!\n", +- msg[1].len); +- num = -EOPNOTSUPP; +- break; +- } +- +- state->data[0] = 0x09; +- state->data[1] = msg[0].len; +- state->data[2] = msg[1].len; +- state->data[3] = msg[0].addr; +- memcpy(&state->data[4], msg[0].buf, msg[0].len); +- +- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 4, +- state->data, msg[1].len + 1, 0) < 0) +- err("i2c transfer failed."); +- +- memcpy(msg[1].buf, &state->data[1], msg[1].len); +- break; +- default: +- warn("more than 2 i2c messages at a time is not handled yet."); +- break; +- } ++ } // while + mutex_unlock(&d->data_mutex); + mutex_unlock(&d->i2c_mutex); + return num; +-- +2.43.0 + diff --git a/queue-5.4/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch b/queue-5.4/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch new file mode 100644 index 00000000000..14918fb84d1 --- /dev/null +++ b/queue-5.4/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch 
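Review bot: In the new single-read branch of su3000_i2c_transfer(), `memcpy(&state->data[4], msg[j].buf, msg[j].len);` writes `msg[j].len` bytes starting at offset 4, but the guard just above it only ensures `1 + msg[j].len <= sizeof(state->data)`, so a read request of sizeof(state->data)-3 to sizeof(state->data)-1 bytes overruns `state->data` by up to three bytes — and, as the description notes, message lengths can reach this path from userspace through i2c-dev. The copy is also useless: only four command bytes are sent (`dvb_usb_generic_rw(d, state->data, 4, ...)`) and a read message's buffer carries no input, so that memcpy line should simply be deleted; the combined write/read branch is bounded correctly (`4 + msg[j].len` and `1 + msg[j+1].len`). A style point: the `} // switch` and `} // while` trailers use `//` comments, which the kernel coding style asks to avoid in favour of `/* */`. The function's closing brace lies outside the last inner hunk.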
@@ -0,0 +1,109 @@ +From 468d88b607867c35b6f644222220afe0ff9dd061 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 16:04:50 +0100 +Subject: media: s2255: Use refcount_t instead of atomic_t for num_channels + +From: Ricardo Ribalda + +[ Upstream commit 6cff72f6bcee89228a662435b7c47e21a391c8d0 ] + +Use an API that resembles more the actual use of num_channels. + +Found by cocci: +drivers/media/usb/s2255/s2255drv.c:2362:5-24: WARNING: atomic_dec_and_test variation before object free at line 2363. +drivers/media/usb/s2255/s2255drv.c:1557:5-24: WARNING: atomic_dec_and_test variation before object free at line 1558. + +Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-11-3c4865f5a4b0@chromium.org +Signed-off-by: Ricardo Ribalda +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/s2255/s2255drv.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c +index 7ed526306816a..845869240abee 100644 +--- a/drivers/media/usb/s2255/s2255drv.c ++++ b/drivers/media/usb/s2255/s2255drv.c +@@ -247,7 +247,7 @@ struct s2255_vc { + struct s2255_dev { + struct s2255_vc vc[MAX_CHANNELS]; + struct v4l2_device v4l2_dev; +- atomic_t num_channels; ++ refcount_t num_channels; + int frames; + struct mutex lock; /* channels[].vdev.lock */ + struct mutex cmdlock; /* protects cmdbuf */ +@@ -1552,11 +1552,11 @@ static void s2255_video_device_release(struct video_device *vdev) + container_of(vdev, struct s2255_vc, vdev); + + dprintk(dev, 4, "%s, chnls: %d\n", __func__, +- atomic_read(&dev->num_channels)); ++ refcount_read(&dev->num_channels)); + + v4l2_ctrl_handler_free(&vc->hdl); + +- if (atomic_dec_and_test(&dev->num_channels)) ++ if (refcount_dec_and_test(&dev->num_channels)) + s2255_destroy(dev); + return; + } +@@ -1661,7 +1661,7 @@ static int s2255_probe_v4l(struct s2255_dev *dev) + "failed to register video 
device!\n"); + break; + } +- atomic_inc(&dev->num_channels); ++ refcount_inc(&dev->num_channels); + v4l2_info(&dev->v4l2_dev, "V4L2 device registered as %s\n", + video_device_node_name(&vc->vdev)); + +@@ -1669,11 +1669,11 @@ static int s2255_probe_v4l(struct s2255_dev *dev) + pr_info("Sensoray 2255 V4L driver Revision: %s\n", + S2255_VERSION); + /* if no channels registered, return error and probe will fail*/ +- if (atomic_read(&dev->num_channels) == 0) { ++ if (refcount_read(&dev->num_channels) == 0) { + v4l2_device_unregister(&dev->v4l2_dev); + return ret; + } +- if (atomic_read(&dev->num_channels) != MAX_CHANNELS) ++ if (refcount_read(&dev->num_channels) != MAX_CHANNELS) + pr_warn("s2255: Not all channels available.\n"); + return 0; + } +@@ -2222,7 +2222,7 @@ static int s2255_probe(struct usb_interface *interface, + goto errorFWDATA1; + } + +- atomic_set(&dev->num_channels, 0); ++ refcount_set(&dev->num_channels, 0); + dev->pid = id->idProduct; + dev->fw_data = kzalloc(sizeof(struct s2255_fw), GFP_KERNEL); + if (!dev->fw_data) +@@ -2342,12 +2342,12 @@ static void s2255_disconnect(struct usb_interface *interface) + { + struct s2255_dev *dev = to_s2255_dev(usb_get_intfdata(interface)); + int i; +- int channels = atomic_read(&dev->num_channels); ++ int channels = refcount_read(&dev->num_channels); + mutex_lock(&dev->lock); + v4l2_device_disconnect(&dev->v4l2_dev); + mutex_unlock(&dev->lock); + /*see comments in the uvc_driver.c usb disconnect function */ +- atomic_inc(&dev->num_channels); ++ refcount_inc(&dev->num_channels); + /* unregister each video device. 
*/ + for (i = 0; i < channels; i++) + video_unregister_device(&dev->vc[i].vdev); +@@ -2360,7 +2360,7 @@ static void s2255_disconnect(struct usb_interface *interface) + dev->vc[i].vidstatus_ready = 1; + wake_up(&dev->vc[i].wait_vidstatus); + } +- if (atomic_dec_and_test(&dev->num_channels)) ++ if (refcount_dec_and_test(&dev->num_channels)) + s2255_destroy(dev); + dev_info(&interface->dev, "%s\n", __func__); + } +-- +2.43.0 + diff --git a/queue-5.4/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch b/queue-5.4/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch new file mode 100644 index 00000000000..915ad81cee1 --- /dev/null +++ b/queue-5.4/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch 
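Review bot: `refcount_set(&dev->num_channels, 0)` in s2255_probe() followed by `refcount_inc(&dev->num_channels)` in s2255_probe_v4l() increments a zero refcount, which the refcount API treats as a use-after-free: with CONFIG_REFCOUNT_FULL in 5.4 the checked `refcount_inc` warns and refuses the increment, and current kernels warn and saturate the counter, so either the `refcount_read(...) == 0` check after registration fires or `refcount_dec_and_test()` can never reach zero and s2255_destroy() is never called. The `refcount_inc()` in s2255_disconnect() has the same problem once all channels have been released. num_channels is a plain channel count that legitimately starts at zero, so atomic_t matched its use; if refcount_t is kept, the count needs to start at 1 and that extra reference must be dropped once registration is complete. This looks like one to hold back from the queue until the behaviour is confirmed on 5.4.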
@@ -0,0 +1,50 @@
+From 8118f8a79ea3a6f8087895f815a1ad663096b97d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Apr 2024 18:46:45 +0100
+Subject: net: dsa: mv88e6xxx: Correct check for empty list
+
+From: Simon Horman
+
+[ Upstream commit 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b ]
+
+Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO
+busses") mv88e6xxx_default_mdio_bus() has checked that the
+return value of list_first_entry() is non-NULL.
+
+This appears to be intended to guard against the list chip->mdios being
+empty. However, it is not the correct check as the implementation of
+list_first_entry is not designed to return NULL for empty lists.
+
+Instead, use list_first_entry_or_null() which does return NULL if the
+list is empty.
+
+Flagged by Smatch.
+Compile tested only.
+
+Reviewed-by: Andrew Lunn
+Signed-off-by: Simon Horman
+Link: https://lore.kernel.org/r/20240430-mv88e6xx-list_empty-v3-1-c35c69d88d2e@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index 81e6227cc8758..cf3d574374376 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -115,8 +115,8 @@ struct mii_bus *mv88e6xxx_default_mdio_bus(struct mv88e6xxx_chip *chip)
+ {
+ struct mv88e6xxx_mdio_bus *mdio_bus;
+
+- mdio_bus = list_first_entry(&chip->mdios, struct mv88e6xxx_mdio_bus,
+- list);
++ mdio_bus = list_first_entry_or_null(&chip->mdios,
++ struct mv88e6xxx_mdio_bus, list);
+ if (!mdio_bus)
+ return NULL;
+
+-- 
+2.43.0
+
diff --git a/queue-5.4/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch b/queue-5.4/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch
new file mode 100644
index 00000000000..8d66e9e194d
--- /dev/null
+++ b/queue-5.4/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch
@@ -0,0 +1,45 @@
+From 6a09b0d1d18392649302e01f915cb4a3f6e78cc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 May 2024 07:14:29 +0900
+Subject: nilfs2: convert BUG_ON() in nilfs_finish_roll_forward() to WARN_ON()
+
+From: Ryusuke Konishi
+
+[ Upstream commit 0a73eac1ed10097d1799c10dff2172605fd40c75 ]
+
+The BUG_ON check performed on the return value of __getblk() in
+nilfs_finish_roll_forward() assumes that a buffer that has been
+successfully read once is retrieved with the same parameters and does not
+fail (__getblk() does not return an error due to memory allocation
+failure). Also, nilfs_finish_roll_forward() is called at most once during
+mount.
+
+Taking these into consideration, rewrite the check to use WARN_ON() to
+avoid using BUG_ON().
+
+Link: https://lkml.kernel.org/r/20240508221429.7559-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ fs/nilfs2/recovery.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/recovery.c b/fs/nilfs2/recovery.c
+index 0923231e9e605..8c78e18ed2d36 100644
+--- a/fs/nilfs2/recovery.c
++++ b/fs/nilfs2/recovery.c
+@@ -698,7 +698,9 @@ static void nilfs_finish_roll_forward(struct the_nilfs *nilfs,
+ return;
+
+ bh = __getblk(nilfs->ns_bdev, ri->ri_lsegs_start, nilfs->ns_blocksize);
+- BUG_ON(!bh);
++ if (WARN_ON(!bh))
++ return; /* should never happen */
++
+ memset(bh->b_data, 0, bh->b_size);
+ set_buffer_dirty(bh);
+ err = sync_dirty_buffer(bh);
+-- 
+2.43.0
+
diff --git a/queue-5.4/orangefs-fix-out-of-bounds-fsid-access.patch b/queue-5.4/orangefs-fix-out-of-bounds-fsid-access.patch
new file mode 100644
index 00000000000..244da7b70ce
--- /dev/null
+++ b/queue-5.4/orangefs-fix-out-of-bounds-fsid-access.patch
@@ -0,0 +1,43 @@
+From e757bd55aa70e89aae6e75ca00ec0498efc21ab5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 May 2024 16:20:36 -0400
+Subject: orangefs: fix out-of-bounds fsid access
+
+From: Mike Marshall
+
+[ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ]
+
+Arnd Bergmann sent a patch to fsdevel, he says:
+
+"orangefs_statfs() copies two consecutive fields of the superblock into
+the statfs structure, which triggers a warning from the string fortification
+helpers"
+
+Jan Kara suggested an alternate way to do the patch to make it more readable.
+
+I ran both ideas through xfstests and both seem fine. This patch
+is based on Jan Kara's suggestion.
+
+Signed-off-by: Mike Marshall
+Signed-off-by: Sasha Levin
+---
+ fs/orangefs/super.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c
+index 2f2e430461b21..b48aef43b51d5 100644
+--- a/fs/orangefs/super.c
++++ b/fs/orangefs/super.c
+@@ -200,7 +200,8 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf)
+ (long)new_op->downcall.resp.statfs.files_avail);
+
+ buf->f_type = sb->s_magic;
+- memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid));
++ buf->f_fsid.val[0] = ORANGEFS_SB(sb)->fs_id;
++ buf->f_fsid.val[1] = ORANGEFS_SB(sb)->id;
+ buf->f_bsize = new_op->downcall.resp.statfs.block_size;
+ buf->f_namelen = ORANGEFS_NAME_MAX;
+
+-- 
+2.43.0
+
diff --git a/queue-5.4/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch b/queue-5.4/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch
new file mode 100644
index 00000000000..0dabce7e8bb
--- /dev/null
+++ b/queue-5.4/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch
@@ -0,0 +1,49 @@
+From 81cee44cfb6d299215696780fe6b2aec251091b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 May 2024 17:56:19 +1000
+Subject: powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for
+ CONFIG_PCI=n
+
+From: Michael Ellerman
+
+[ Upstream commit be140f1732b523947425aaafbe2e37b41b622d96 ]
+
+There is code that builds with calls to IO accessors even when
+CONFIG_PCI=n, but the actual calls are guarded by runtime checks.
+
+If not those calls would be faulting, because the page at virtual
+address zero is (usually) not mapped into the kernel. As Arnd pointed
+out, it is possible a large port value could cause the address to be
+above mmap_min_addr which would then access userspace, which would be
+a bug.
+
+To avoid any such issues, set _IO_BASE to POISON_POINTER_DELTA. That
+is a value chosen to point into unmapped space between the kernel and
+userspace, so any access will always fault.
+
+Note that on 32-bit POISON_POINTER_DELTA is 0, so the patch only has an
+effect on 64-bit.
+
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20240503075619.394467-2-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/include/asm/io.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h
+index e86516ff8f4b3..f5c9504f6071d 100644
+--- a/arch/powerpc/include/asm/io.h
++++ b/arch/powerpc/include/asm/io.h
+@@ -46,7 +46,7 @@ extern struct pci_dev *isa_bridge_pcidev;
+ * define properly based on the platform
+ */
+ #ifndef CONFIG_PCI
+-#define _IO_BASE 0
++#define _IO_BASE POISON_POINTER_DELTA
+ #define _ISA_MEM_BASE 0
+ #define PCI_DRAM_OFFSET 0
+ #elif defined(CONFIG_PPC32)
+-- 
+2.43.0
+
diff --git a/queue-5.4/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch b/queue-5.4/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch
new file mode 100644
index 00000000000..a0d3f51b19b
--- /dev/null
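Review bot: `#define _IO_BASE POISON_POINTER_DELTA` makes asm/io.h depend on a macro that lives in linux/poison.h, and the hunk adds no include; unless io.h or every user of _IO_BASE already pulls that header in (not visible here), a CONFIG_PCI=n 64-bit build of 5.4 hits an undeclared identifier at the first use. Worth a build of such a configuration before queuing, or adding `#include <linux/poison.h>` next to the define so the header stays self-contained.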
+++ b/queue-5.4/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch 
@@ -0,0 +1,61 @@
+From 44e389082f5ce6e511881e63dd99410ae78b5e33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Mar 2021 19:11:10 +0100
+Subject: powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kurz
+
+[ Upstream commit 8873aab8646194a4446117bb617cc71bddda2dee ]
+
+All these commands end up peeking into the PACA using the user
+originated cpu id as an index. Check the cpu id is valid in order
+to prevent xmon to crash. Instead of printing an error, this follows
+the same behavior as the "lp s #" command : ignore the buggy cpu id
+parameter and fall back to the #-less version of the command.
+
+Signed-off-by: Greg Kurz
+Reviewed-by: Cédric Le Goater
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/161531347060.252863.10490063933688958044.stgit@bahia.lan
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/xmon/xmon.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
+index 6d130c89fbd85..5991fd06b6525 100644
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -1214,7 +1214,7 @@ static int cpu_cmd(void)
+ unsigned long cpu, first_cpu, last_cpu;
+ int timeout;
+
+- if (!scanhex(&cpu)) {
++ if (!scanhex(&cpu) || cpu >= num_possible_cpus()) {
+ /* print cpus waiting or in xmon */
+ printf("cpus stopped:");
+ last_cpu = first_cpu = NR_CPUS;
+@@ -2571,7 +2571,7 @@ static void dump_pacas(void)
+
+ termch = c; /* Put c back, it wasn't 'a' */
+
+- if (scanhex(&num))
++ if (scanhex(&num) && num < num_possible_cpus())
+ dump_one_paca(num);
+ else
+ dump_one_paca(xmon_owner);
+@@ -2668,7 +2668,7 @@ static void dump_xives(void)
+
+ termch = c; /* Put c back, it wasn't 'a' */
+
+- if (scanhex(&num))
++ if (scanhex(&num) && num < num_possible_cpus())
+ dump_one_xive(num);
+ else
+ dump_one_xive(xmon_owner);
+-- 
+2.43.0
+
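Review bot: `cpu >= num_possible_cpus()` in cpu_cmd(), and the matching `num < num_possible_cpus()` checks in dump_pacas() and dump_xives(), compare the user-supplied id against the number of possible CPUs rather than against the possible set; if that set is ever sparse, an id below the count can still name a CPU that was never allocated a PACA, which is exactly what the description wants to prevent. On powerpc the possible ids are normally contiguous, so this is a robustness point rather than a known failure, but testing membership states the intent directly: `if (!scanhex(&cpu) || cpu >= nr_cpu_ids || !cpu_possible(cpu)) {` and likewise `if (scanhex(&num) && num < nr_cpu_ids && cpu_possible(num))`. The explicit `nr_cpu_ids` bound stays because cpumask_test_cpu() does not range-check its argument in every configuration. All three function bodies start and end outside the hunks.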
diff --git a/queue-5.4/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch b/queue-5.4/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch
new file mode 100644
index 00000000000..7ef9d244ccb
--- /dev/null
+++ b/queue-5.4/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch
@@ -0,0 +1,47 @@
+From d9c609c0561b7675d3b6da5f009581af42686053 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Apr 2024 16:30:01 +0200
+Subject: s390: Mark psw in __load_psw_mask() as __unitialized
+
+From: Sven Schnelle
+
+[ Upstream commit 7278a8fb8d032dfdc03d9b5d17e0bc451cdc1492 ]
+
+Without __unitialized, the following code is generated when
+INIT_STACK_ALL_ZERO is enabled:
+
+86: d7 0f f0 a0 f0 a0 xc 160(16,%r15), 160(%r15)
+8c: e3 40 f0 a0 00 24 stg %r4, 160(%r15)
+92: c0 10 00 00 00 08 larl %r1, 0xa2
+98: e3 10 f0 a8 00 24 stg %r1, 168(%r15)
+9e: b2 b2 f0 a0 lpswe 160(%r15)
+
+The xc is not adding any security because psw is fully initialized
+with the following instructions. Add __unitialized to the psw
+definitiation to avoid the superfluous clearing of psw.
+
+Reviewed-by: Heiko Carstens
+Signed-off-by: Sven Schnelle
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Sasha Levin
+---
+ arch/s390/include/asm/processor.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h
+index 48d6ccdef5f77..00bb2d287f740 100644
+--- a/arch/s390/include/asm/processor.h
++++ b/arch/s390/include/asm/processor.h
+@@ -256,8 +256,8 @@ static inline void __load_psw(psw_t psw)
+ */
+ static __always_inline void __load_psw_mask(unsigned long mask)
+ {
++ psw_t psw __uninitialized;
+ unsigned long addr;
+- psw_t psw;
+
+ psw.mask = mask;
+
+-- 
+2.43.0
+
diff --git a/queue-5.4/s390-pkey-wipe-sensitive-data-on-failure.patch b/queue-5.4/s390-pkey-wipe-sensitive-data-on-failure.patch
new file mode 100644
index 00000000000..8777ba6fb58
--- /dev/null
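Review bot: `psw_t psw __uninitialized;` depends on the `__uninitialized` attribute macro from the compiler headers, and nothing in this series adds it; whether 5.4 already defines it (and defines it as a no-op for compilers without the attribute) is not visible here, and if it does not, the s390 build fails at __load_psw_mask(). Worth confirming the macro exists in 5.4 before queuing. The subject's `__unitialized` spelling is the upstream subject and can stay, but note the identifier in the code is `__uninitialized`. __load_psw_mask()'s body continues outside the hunk.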
+++ b/queue-5.4/s390-pkey-wipe-sensitive-data-on-failure.patch
@@ -0,0 +1,47 @@
+From 16b025f7401a7c80e9f413de4558c91ba7a6382b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 May 2024 17:03:18 +0200
+Subject: s390/pkey: Wipe sensitive data on failure
+
+From: Holger Dengler
+
+[ Upstream commit 1d8c270de5eb74245d72325d285894a577a945d9 ]
+
+Wipe sensitive data from stack also if the copy_to_user() fails.
+
+Suggested-by: Heiko Carstens
+Reviewed-by: Harald Freudenberger
+Reviewed-by: Ingo Franzki
+Acked-by: Heiko Carstens
+Signed-off-by: Holger Dengler
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/crypto/pkey_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
+index 0658aa5030c6f..ca090fdec5f2d 100644
+--- a/drivers/s390/crypto/pkey_api.c
++++ b/drivers/s390/crypto/pkey_api.c
+@@ -784,7 +784,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ if (rc)
+ break;
+ if (copy_to_user(ucs, &kcs, sizeof(kcs)))
+- return -EFAULT;
++ rc = -EFAULT;
+ memzero_explicit(&kcs, sizeof(kcs));
+ break;
+ }
+@@ -816,7 +816,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ if (rc)
+ break;
+ if (copy_to_user(ucp, &kcp, sizeof(kcp)))
+- return -EFAULT;
++ rc = -EFAULT;
+ memzero_explicit(&kcp, sizeof(kcp));
+ break;
+ }
+-- 
+2.43.0
+
diff --git a/queue-5.4/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch b/queue-5.4/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch
new file mode 100644
index 00000000000..1e4f840c93a
--- /dev/null
+++ b/queue-5.4/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch
@@ -0,0 +1,54 @@
+From 446c7fbe8e28c7f0565a85ff12ad47e51b41e531 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Apr 2024 11:01:55 -0400
+Subject: scsi: qedf: Make qedf_execute_tmf() non-preemptible
+
+From: John Meneghini
+
+[ Upstream commit 0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec ]
+
+Stop calling smp_processor_id() from preemptible code in
+qedf_execute_tmf90. This results in BUG_ON() when running an RT kernel.
+
+[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646
+[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]
+
+Tested-by: Guangwu Zhang
+Cc: Saurav Kashyap
+Cc: Nilesh Javali
+Signed-off-by: John Meneghini
+Link: https://lore.kernel.org/r/20240403150155.412954-1-jmeneghi@redhat.com
+Acked-by: Saurav Kashyap
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qedf/qedf_io.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c
+index d02d1ef0d0116..dc1ba29c16762 100644
+--- a/drivers/scsi/qedf/qedf_io.c
++++ b/drivers/scsi/qedf/qedf_io.c
+@@ -2330,9 +2330,6 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, struct scsi_cmnd *sc_cmd,
+ io_req->fcport = fcport;
+ io_req->cmd_type = QEDF_TASK_MGMT_CMD;
+
+- /* Record which cpu this request is associated with */
+- io_req->cpu = smp_processor_id();
+-
+ /* Set TM flags */
+ io_req->io_req_flags = QEDF_READ;
+ io_req->data_xfer_len = 0;
+@@ -2354,6 +2351,9 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, struct scsi_cmnd *sc_cmd,
+
+ spin_lock_irqsave(&fcport->rport_lock, flags);
+
++ /* Record which cpu this request is associated with */
++ io_req->cpu = smp_processor_id();
++
+ sqe_idx = qedf_get_sqe_idx(fcport);
+ sqe = &fcport->sq[sqe_idx];
+ memset(sqe, 0, sizeof(struct fcoe_wqe));
+-- 
+2.43.0
+
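Review bot: The relocated `io_req->cpu = smp_processor_id();` is only legal because the `spin_lock_irqsave(&fcport->rport_lock, flags)` two lines above it disables preemption (migration, on PREEMPT_RT) for the critical section, but the carried-over comment still says only what is recorded, not why the line must stay inside the locked region, so a later cleanup could move it back out. Suggest extending it: `/* Record which cpu this request is associated with; must be read under rport_lock, where preemption/migration is disabled */`. qedf_execute_tmf()'s body starts and ends outside the hunks.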
diff --git a/queue-5.4/sctp-prefer-struct_size-over-open-coded-arithmetic.patch b/queue-5.4/sctp-prefer-struct_size-over-open-coded-arithmetic.patch
new file mode 100644
index 00000000000..5750eff9eaf
--- /dev/null
+++ b/queue-5.4/sctp-prefer-struct_size-over-open-coded-arithmetic.patch
@@ -0,0 +1,74 @@
+From 7ee4aafc4ffe8e035959661abf682a68d16afb75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 27 Apr 2024 19:23:36 +0200
+Subject: sctp: prefer struct_size over open coded arithmetic
+
+From: Erick Archer
+
+[ Upstream commit e5c5f3596de224422561d48eba6ece5210d967b3 ]
+
+This is an effort to get rid of all multiplications from allocation
+functions in order to prevent integer overflows [1][2].
+
+As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
+structure ends in a flexible array:
+
+struct sctp_assoc_ids {
+ [...]
+ sctp_assoc_t gaids_assoc_id[];
+};
+
+the preferred way in the kernel is to use the struct_size() helper to
+do the arithmetic instead of the calculation "size + size * count" in
+the kmalloc() function.
+
+Also, refactor the code adding the "ids_size" variable to avoid sizing
+twice.
+
+This way, the code is more readable and safer.
+
+This code was detected with the help of Coccinelle, and audited and
+modified manually.
+
+Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
+Link: https://github.com/KSPP/linux/issues/160 [2]
+Signed-off-by: Erick Archer
+Acked-by: Xin Long
+Reviewed-by: Kees Cook
+Link: https://lore.kernel.org/r/PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/sctp/socket.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index cbcbc92748ba9..c188a0acfa594 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -7158,6 +7158,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
+ struct sctp_sock *sp = sctp_sk(sk);
+ struct sctp_association *asoc;
+ struct sctp_assoc_ids *ids;
++ size_t ids_size;
+ u32 num = 0;
+
+ if (sctp_style(sk, TCP))
+@@ -7170,11 +7171,11 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
+ num++;
+ }
+
+- if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num)
++ ids_size = struct_size(ids, gaids_assoc_id, num);
++ if (len < ids_size)
+ return -EINVAL;
+
+- len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num;
+-
+ len = ids_size;
+ ids = kmalloc(len, GFP_USER | __GFP_NOWARN);
+ if (unlikely(!ids))
+ return -ENOMEM;
+-- 
+2.43.0
+
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..553878f5f02
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1,24 @@
+drm-lima-fix-shared-irq-handling-on-driver-remove.patch
+media-dvb-as102-fe-fix-as10x_register_addr-packing.patch
+media-dvb-usb-dib0700_devices-add-missing-release_fi.patch
+ib-core-implement-a-limit-on-umad-receive-list.patch
+scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch
+irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch
+drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch
+drm-amd-display-skip-finding-free-audio-for-unknown-.patch
+media-dw2102-don-t-translate-i2c-read-into-write.patch
+sctp-prefer-struct_size-over-open-coded-arithmetic.patch
+firmware-dmi-stop-decoding-on-broken-entry.patch
+input-ff-core-prefer-struct_size-over-open-coded-ari.patch
+net-dsa-mv88e6xxx-correct-check-for-empty-list.patch
+media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch
+media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch
+media-dvb-frontends-tda10048-fix-integer-overflow.patch
+i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch
+powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch
+orangefs-fix-out-of-bounds-fsid-access.patch
+powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch
+nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch
+jffs2-fix-potential-illegal-address-access-in-jffs2_.patch
+s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch
+s390-pkey-wipe-sensitive-data-on-failure.patch
-- 
2.47.3
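Review bot: The new check `if (len < ids_size)` compares the `int` parameter `len` against a `size_t`, so a negative `len` is promoted to a large unsigned value and passes the check; it is then overwritten by `len = ids_size;` so the effect is benign, but an explicit `(size_t)len` or a short comment would make that reasoning visible instead of implicit (the removed line had the same mixed comparison). The saturating behaviour of `struct_size()` is the overflow defence this patch adds and deserves a comment on the new line, e.g. `/* struct_size() saturates to SIZE_MAX on overflow, so an oversized num fails the length check */`. `len = ids_size;` narrows `size_t` to `int` exactly as the removed line did. sctp_getsockopt_assoc_ids() starts and ends outside the hunk.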