From cb834c38d4110c908dbac8e83a8fecf6fbea76ef Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 24 Sep 2022 11:10:36 +0200
Subject: [PATCH] 5.10-stable patches
added patches:
can-flexcan-flexcan_mailbox_read-fix-return-value-for-drop-true.patch
gpio-mockup-fix-null-pointer-dereference-when-removing-debugfs.patch
gpiolib-cdev-set-lineevent_state-irq-after-irq-register-successfully.patch
mm-slub-fix-to-return-errno-if-kmalloc-fails.patch
riscv-fix-a-nasty-sigreturn-bug.patch
wifi-mt76-fix-reading-current-per-tid-starting-sequence-number-for-aggregation.patch
---
 ..._read-fix-return-value-for-drop-true.patch | 84 +++++++++++++++++++
 ...er-dereference-when-removing-debugfs.patch | 36 ++++++++
 ...-irq-after-irq-register-successfully.patch | 65 ++++++++++++++
 ...fix-to-return-errno-if-kmalloc-fails.patch | 70 ++++++++++++++++
 .../riscv-fix-a-nasty-sigreturn-bug.patch | 40 +++++++++
 queue-5.10/series | 6 ++
 ...ting-sequence-number-for-aggregation.patch | 33 ++++++++
 7 files changed, 334 insertions(+)
 create mode 100644 queue-5.10/can-flexcan-flexcan_mailbox_read-fix-return-value-for-drop-true.patch
 create mode 100644 queue-5.10/gpio-mockup-fix-null-pointer-dereference-when-removing-debugfs.patch
 create mode 100644 queue-5.10/gpiolib-cdev-set-lineevent_state-irq-after-irq-register-successfully.patch
 create mode 100644 queue-5.10/mm-slub-fix-to-return-errno-if-kmalloc-fails.patch
 create mode 100644 queue-5.10/riscv-fix-a-nasty-sigreturn-bug.patch
 create mode 100644 queue-5.10/wifi-mt76-fix-reading-current-per-tid-starting-sequence-number-for-aggregation.patch
diff --git a/queue-5.10/can-flexcan-flexcan_mailbox_read-fix-return-value-for-drop-true.patch b/queue-5.10/can-flexcan-flexcan_mailbox_read-fix-return-value-for-drop-true.patch
new file mode 100644
index 00000000000..4509f11839d
--- /dev/null
+++ b/queue-5.10/can-flexcan-flexcan_mailbox_read-fix-return-value-for-drop-true.patch
@@ -0,0 +1,84 @@
+From a09721dd47c8468b3f2fdd73f40422699ffe26dd Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Thu, 11 Aug 2022 10:25:44 +0200
+Subject: can: flexcan: flexcan_mailbox_read() fix return value for drop = true
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marc Kleine-Budde
+
+commit a09721dd47c8468b3f2fdd73f40422699ffe26dd upstream.
+
+The following happened on an i.MX25 using flexcan with many packets on
+the bus:
+
+The rx-offload queue reached a length more than skb_queue_len_max. In
+can_rx_offload_offload_one() the drop variable was set to true which
+made the call to .mailbox_read() (here: flexcan_mailbox_read()) to
+_always_ return ERR_PTR(-ENOBUFS) and drop the rx'ed CAN frame. So
+can_rx_offload_offload_one() returned ERR_PTR(-ENOBUFS), too.
+
+can_rx_offload_irq_offload_fifo() looks as follows:
+
+| while (1) {
+| skb = can_rx_offload_offload_one(offload, 0);
+| if (IS_ERR(skb))
+| continue;
+| if (!skb)
+| break;
+| ...
+| }
+
+The flexcan driver wrongly always returns ERR_PTR(-ENOBUFS) if drop is
+requested, even if there is no CAN frame pending. As the i.MX25 is a
+single core CPU, while the rx-offload processing is active, there is
+no thread to process packets from the offload queue. So the queue
+doesn't get any shorter and this results is a tight loop.
+
+Instead of always returning ERR_PTR(-ENOBUFS) if drop is requested,
+return NULL if no CAN frame is pending.
+
+Changes since v1: https://lore.kernel.org/all/20220810144536.389237-1-u.kleine-koenig@pengutronix.de
+- don't break in can_rx_offload_irq_offload_fifo() in case of an error,
+ return NULL in flexcan_mailbox_read() in case of no pending CAN frame
+ instead
+
+Fixes: 4e9c9484b085 ("can: rx-offload: Prepare for CAN FD support")
+Link: https://lore.kernel.org/all/20220811094254.1864367-1-mkl@pengutronix.de
+Cc: stable@vger.kernel.org # v5.5
+Suggested-by: Uwe Kleine-König
+Reviewed-by: Uwe Kleine-König
+Tested-by: Thorsten Scherer
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/flexcan.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -954,11 +954,6 @@ static struct sk_buff *flexcan_mailbox_r
+ u32 reg_ctrl, reg_id, reg_iflag1;
+ int i;
+
+- if (unlikely(drop)) {
+- skb = ERR_PTR(-ENOBUFS);
+- goto mark_as_read;
+- }
+-
+ mb = flexcan_get_mb(priv, n);
+
+ if (priv->devtype_data->quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
+@@ -987,6 +982,11 @@ static struct sk_buff *flexcan_mailbox_r
+ reg_ctrl = priv->read(&mb->can_ctrl);
+ }
+
++ if (unlikely(drop)) {
++ skb = ERR_PTR(-ENOBUFS);
++ goto mark_as_read;
++ }
++
+ if (reg_ctrl & FLEXCAN_MB_CNT_EDL)
+ skb = alloc_canfd_skb(offload->dev, &cfd);
+ else
diff --git a/queue-5.10/gpio-mockup-fix-null-pointer-dereference-when-removing-debugfs.patch b/queue-5.10/gpio-mockup-fix-null-pointer-dereference-when-removing-debugfs.patch
new file mode 100644
index 00000000000..fed054897dd
--- /dev/null
+++ b/queue-5.10/gpio-mockup-fix-null-pointer-dereference-when-removing-debugfs.patch
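Review bot: The relocated `if (unlikely(drop))` block in the second hunk carries no comment saying why it must sit after the mailbox control word has been read instead of at the top of flexcan_mailbox_read(), which is the whole point of the fix and the first thing a later "hoist the early exit" cleanup would undo. I would put above it `/* Only drop a frame that is actually pending; the empty-mailbox checks above return NULL so can_rx_offload_irq_offload_fifo() can terminate */`. The code that returns NULL for an empty mailbox presumably lies between the two hunks, and flexcan_mailbox_read() starts and ends outside them, so that part is inferred from the description rather than visible here.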
@@ -0,0 +1,36 @@
+From b7df41a6f79dfb18ba2203f8c5f0e9c0b9b57f68 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Tue, 20 Sep 2022 09:18:41 +0200
+Subject: gpio: mockup: fix NULL pointer dereference when removing debugfs
+
+From: Bartosz Golaszewski
+
+commit b7df41a6f79dfb18ba2203f8c5f0e9c0b9b57f68 upstream.
+
+We now remove the device's debugfs entries when unbinding the driver.
+This now causes a NULL-pointer dereference on module exit because the
+platform devices are unregistered *after* the global debugfs directory
+has been recursively removed. Fix it by unregistering the devices first.
+
+Fixes: 303e6da99429 ("gpio: mockup: remove gpio debugfs when remove device")
+Cc: Wei Yongjun
+Cc: stable@vger.kernel.org
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpio-mockup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-mockup.c
++++ b/drivers/gpio/gpio-mockup.c
+@@ -604,9 +604,9 @@ static int __init gpio_mockup_init(void)
+
+ static void __exit gpio_mockup_exit(void)
+ {
++ gpio_mockup_unregister_pdevs();
+ debugfs_remove_recursive(gpio_mockup_dbg_dir);
+ platform_driver_unregister(&gpio_mockup_driver);
+- gpio_mockup_unregister_pdevs();
+ }
+
+ module_init(gpio_mockup_init);
diff --git a/queue-5.10/gpiolib-cdev-set-lineevent_state-irq-after-irq-register-successfully.patch b/queue-5.10/gpiolib-cdev-set-lineevent_state-irq-after-irq-register-successfully.patch
new file mode 100644
index 00000000000..7c21de50734
--- /dev/null
+++ b/queue-5.10/gpiolib-cdev-set-lineevent_state-irq-after-irq-register-successfully.patch
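Review bot: The moved `gpio_mockup_unregister_pdevs()` call in gpio_mockup_exit() has no comment, so nothing stops a later tidy-up from putting it back after `platform_driver_unregister()` and reintroducing the dereference. A one-liner such as `/* Unregister the devices first: their removal drops per-device debugfs entries that live under gpio_mockup_dbg_dir */` would pin the ordering. The remaining order, `debugfs_remove_recursive()` before `platform_driver_unregister()`, is fine as far as this hunk shows, though strict reverse-of-init order would read more clearly if init creates the directory before registering the driver; gpio_mockup_init() is outside the hunk, so I cannot confirm that.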
@@ -0,0 +1,65 @@
+From 69bef19d6b9700e96285f4b4e28691cda3dcd0d1 Mon Sep 17 00:00:00 2001
+From: Meng Li
+Date: Wed, 21 Sep 2022 11:20:20 +0800
+Subject: gpiolib: cdev: Set lineevent_state::irq after IRQ register successfully
+
+From: Meng Li
+
+commit 69bef19d6b9700e96285f4b4e28691cda3dcd0d1 upstream.
+
+When running gpio test on nxp-ls1028 platform with below command
+gpiomon --num-events=3 --rising-edge gpiochip1 25
+There will be a warning trace as below:
+Call trace:
+free_irq+0x204/0x360
+lineevent_free+0x64/0x70
+gpio_ioctl+0x598/0x6a0
+__arm64_sys_ioctl+0xb4/0x100
+invoke_syscall+0x5c/0x130
+......
+el0t_64_sync+0x1a0/0x1a4
+The reason of this issue is that calling request_threaded_irq()
+function failed, and then lineevent_free() is invoked to release
+the resource. Since the lineevent_state::irq was already set, so
+the subsequent invocation of free_irq() would trigger the above
+warning call trace. To fix this issue, set the lineevent_state::irq
+after the IRQ register successfully.
+
+Fixes: 468242724143 ("gpiolib: cdev: refactor lineevent cleanup into lineevent_free")
+Cc: stable@vger.kernel.org
+Signed-off-by: Meng Li
+Reviewed-by: Kent Gibson
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpiolib-cdev.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -1769,7 +1769,6 @@ static int lineevent_create(struct gpio_
+ ret = -ENODEV;
+ goto out_free_le;
+ }
+- le->irq = irq;
+
+ if (eflags & GPIOEVENT_REQUEST_RISING_EDGE)
+ irqflags |= test_bit(FLAG_ACTIVE_LOW, &desc->flags) ?
+@@ -1783,7 +1782,7 @@ static int lineevent_create(struct gpio_
+ init_waitqueue_head(&le->wait);
+
+ /* Request a thread to read the events */
+- ret = request_threaded_irq(le->irq,
++ ret = request_threaded_irq(irq,
+ lineevent_irq_handler,
+ lineevent_irq_thread,
+ irqflags,
+@@ -1792,6 +1791,8 @@ static int lineevent_create(struct gpio_
+ if (ret)
+ goto out_free_le;
+
++ le->irq = irq;
++
+ fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
+ if (fd < 0) {
+ ret = fd;
diff --git a/queue-5.10/mm-slub-fix-to-return-errno-if-kmalloc-fails.patch b/queue-5.10/mm-slub-fix-to-return-errno-if-kmalloc-fails.patch
new file mode 100644
index 00000000000..d6214b50363
--- /dev/null
+++ b/queue-5.10/mm-slub-fix-to-return-errno-if-kmalloc-fails.patch
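Review bot: The deferred `le->irq = irq;` at the end of the third hunk is unexplained in the code and looks misplaced to a reader who does not know the history, so a refactor that moves it back beside the irq lookup would silently bring the free_irq() warning back. I would comment it: `/* Record the IRQ only once request_threaded_irq() has succeeded: lineevent_free() frees whatever le->irq holds */`. The `out_free_le` label and lineevent_free() are outside the hunks, so that the error path frees based on le->irq being set is taken from the commit message rather than from visible code. lineevent_create() starts and ends outside the hunks.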
@@ -0,0 +1,70 @@
+From 7e9c323c52b379d261a72dc7bd38120a761a93cd Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Wed, 31 Aug 2022 22:54:54 +0800
+Subject: mm/slub: fix to return errno if kmalloc() fails
+
+From: Chao Yu
+
+commit 7e9c323c52b379d261a72dc7bd38120a761a93cd upstream.
+
+In create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to
+out-of-memory, if it fails, return errno correctly rather than
+triggering panic via BUG_ON();
+
+kernel BUG at mm/slub.c:5893!
+Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+
+Call trace:
+ sysfs_slab_add+0x258/0x260 mm/slub.c:5973
+ __kmem_cache_create+0x60/0x118 mm/slub.c:4899
+ create_cache mm/slab_common.c:229 [inline]
+ kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335
+ kmem_cache_create+0x1c/0x28 mm/slab_common.c:390
+ f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]
+ f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808
+ f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149
+ mount_bdev+0x1b8/0x210 fs/super.c:1400
+ f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512
+ legacy_get_tree+0x30/0x74 fs/fs_context.c:610
+ vfs_get_tree+0x40/0x140 fs/super.c:1530
+ do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
+ path_mount+0x358/0x914 fs/namespace.c:3370
+ do_mount fs/namespace.c:3383 [inline]
+ __do_sys_mount fs/namespace.c:3591 [inline]
+ __se_sys_mount fs/namespace.c:3568 [inline]
+ __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568
+
+Cc:
+Fixes: 81819f0fc8285 ("SLUB core")
+Reported-by: syzbot+81684812ea68216e08c5@syzkaller.appspotmail.com
+Reviewed-by: Muchun Song
+Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
+Signed-off-by: Chao Yu
+Acked-by: David Rientjes
+Signed-off-by: Vlastimil Babka
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/slub.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -5559,7 +5559,8 @@ static char *create_unique_id(struct kme
+ char *name = kmalloc(ID_STR_LENGTH, GFP_KERNEL);
+ char *p = name;
+
+- BUG_ON(!name);
++ if (!name)
++ return ERR_PTR(-ENOMEM);
+
+ *p++ = ':';
+ /*
+@@ -5617,6 +5618,8 @@ static int sysfs_slab_add(struct kmem_ca
+ * for the symlinks.
+ */
+ name = create_unique_id(s);
++ if (IS_ERR(name))
++ return PTR_ERR(name);
+ }
+
+ s->kobj.kset = kset;
diff --git a/queue-5.10/riscv-fix-a-nasty-sigreturn-bug.patch b/queue-5.10/riscv-fix-a-nasty-sigreturn-bug.patch
new file mode 100644
index 00000000000..a8bdf72826f
--- /dev/null
+++ b/queue-5.10/riscv-fix-a-nasty-sigreturn-bug.patch
@@ -0,0 +1,40 @@
+From 762df359aa5849e010ef04c3ed79d57588ce17d9 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Fri, 24 Sep 2021 01:55:27 +0000
+Subject: riscv: fix a nasty sigreturn bug...
+
+From: Al Viro
+
+commit 762df359aa5849e010ef04c3ed79d57588ce17d9 upstream.
+
+riscv has an equivalent of arm bug fixed by 653d48b22166 ("arm: fix
+really nasty sigreturn bug"); if signal gets caught by an interrupt that
+hits when we have the right value in a0 (-513), *and* another signal
+gets delivered upon sigreturn() (e.g. included into the blocked mask for
+the first signal and posted while the handler had been running), the
+syscall restart logics will see regs->cause equal to EXC_SYSCALL (we are
+in a syscall, after all) and a0 already restored to its original value
+(-513, which happens to be -ERESTARTNOINTR) and assume that we need to
+apply the usual syscall restart logics.
+
+Signed-off-by: Al Viro
+Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/YxJEiSq%2FCGaL6Gm9@ZenIV/
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/kernel/signal.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/riscv/kernel/signal.c
++++ b/arch/riscv/kernel/signal.c
+@@ -121,6 +121,8 @@ SYSCALL_DEFINE0(rt_sigreturn)
+ if (restore_altstack(&frame->uc.uc_stack))
+ goto badframe;
+
++ regs->cause = -1UL;
++
+ return regs->a0;
+
+ badframe:
diff --git a/queue-5.10/series b/queue-5.10/series
index e509cc65534..88de9739263 100644
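Review bot: create_unique_id() now returns ERR_PTR(-ENOMEM) where it previously could only return a valid pointer, but nothing at the function says so, and a `char *` return invites the habitual `if (!name)` check that would then dereference an error pointer. A comment on the function, e.g. `/* Returns the allocated id string or ERR_PTR(-ENOMEM); check with IS_ERR(), not against NULL. */`, would make the new contract explicit; its signature is only visible in the hunk header, so the comment would go just above it, outside the hunk. The early `return PTR_ERR(name);` added in sysfs_slab_add() is correct provided nothing acquired earlier in that function needs releasing at that point; the function's beginning is outside the hunk, so I could not confirm that here.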
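Review bot: `regs->cause = -1UL;` in rt_sigreturn() is a bare magic store with no comment, and the reason for it lives only in the commit message. I would write above it `/* Make sure the syscall-restart logic does not take the restored a0 (possibly -ERESTARTNOINTR) for a syscall return if another signal is delivered on the way back to userspace */`. The `return regs->a0;` and `badframe:` lines that follow are context; the rest of the function is outside the hunk.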
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -53,3 +53,9 @@ iommu-vt-d-check-correct-capability-for-sagaw-determination.patch
 media-flexcop-usb-fix-endpoint-type-check.patch
 efi-x86-wipe-setup_data-on-pure-efi-boot.patch
 efi-libstub-check-shim-mode-using-moksbstatert.patch
+wifi-mt76-fix-reading-current-per-tid-starting-sequence-number-for-aggregation.patch
+gpio-mockup-fix-null-pointer-dereference-when-removing-debugfs.patch
+gpiolib-cdev-set-lineevent_state-irq-after-irq-register-successfully.patch
+riscv-fix-a-nasty-sigreturn-bug.patch
+can-flexcan-flexcan_mailbox_read-fix-return-value-for-drop-true.patch
+mm-slub-fix-to-return-errno-if-kmalloc-fails.patch
diff --git a/queue-5.10/wifi-mt76-fix-reading-current-per-tid-starting-sequence-number-for-aggregation.patch b/queue-5.10/wifi-mt76-fix-reading-current-per-tid-starting-sequence-number-for-aggregation.patch
new file mode 100644
index 00000000000..ba047ca4518
--- /dev/null
+++ b/queue-5.10/wifi-mt76-fix-reading-current-per-tid-starting-sequence-number-for-aggregation.patch
@@ -0,0 +1,33 @@
+From c3a510e2b53785df31d882a773c4c0780b4c825f Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Fri, 26 Aug 2022 20:23:29 +0200
+Subject: wifi: mt76: fix reading current per-tid starting sequence number for aggregation
+
+From: Felix Fietkau
+
+commit c3a510e2b53785df31d882a773c4c0780b4c825f upstream.
+
+The code was accidentally shifting register values down by tid % 32 instead of
+(tid * field_size) % 32.
+
+Cc: stable@vger.kernel.org
+Fixes: a28bef561a5c ("mt76: mt7615: re-enable offloading of sequence number assignment")
+Signed-off-by: Felix Fietkau
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220826182329.18155-1-nbd@nbd.name
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+@@ -950,7 +950,7 @@ u32 mt7615_mac_get_sta_tid_sn(struct mt7
+ offset %= 32;
+
+ val = mt76_rr(dev, addr);
+- val >>= (tid % 32);
++ val >>= offset;
+
+ if (offset > 20) {
+ addr += 4;
--
2.47.3