--- /dev/null
+From 91e8b74fe6381e083f8aa55217bb0562785ab398 Mon Sep 17 00:00:00 2001
+From: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
+Date: Wed, 19 Oct 2022 16:27:27 +0200
+Subject: arm64: dts: rockchip: lower rk3399-puma-haikou SD controller clock frequency
+
+From: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
+
+commit 91e8b74fe6381e083f8aa55217bb0562785ab398 upstream.
+
+CRC errors (code -84 EILSEQ) have been observed for some SanDisk
+Ultra A1 cards when running at 50MHz.
+
+Waveform analysis suggest that the level shifters that are used on the
+RK3399-Q7 module for voltage translation between 3.0 and 3.3V don't
+handle clock rates at or above 48MHz properly. Back off to 40MHz for
+some safety margin.
+
+Cc: stable@vger.kernel.org
+Fixes: 60fd9f72ce8a ("arm64: dts: rockchip: add Haikou baseboard with RK3399-Q7 SoM")
+Signed-off-by: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+Link: https://lore.kernel.org/r/20221019-upstream-puma-sd-40mhz-v1-0-754a76421518@theobroma-systems.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
+@@ -203,7 +203,7 @@
+ cap-sd-highspeed;
+ cd-gpios = <&gpio0 RK_PA7 GPIO_ACTIVE_LOW>;
+ disable-wp;
+- max-frequency = <150000000>;
++ max-frequency = <40000000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&sdmmc_clk &sdmmc_cmd &sdmmc_cd &sdmmc_bus4>;
+ vmmc-supply = <&vcc3v3_baseboard>;
--- /dev/null
+From f6b1a1cf1c3ee430d3f5e47847047ce789a690aa Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Thu, 22 Sep 2022 20:04:34 +0800
+Subject: ext4: fix use-after-free in ext4_ext_shift_extents
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Baokun Li <libaokun1@huawei.com>
+
+commit f6b1a1cf1c3ee430d3f5e47847047ce789a690aa upstream.
+
+If the starting position of our insert range happens to be in the hole
+between the two ext4_extent_idx, because the lblk of the ext4_extent in
+the previous ext4_extent_idx is always less than the start, which leads
+to the "extent" variable access across the boundary, the following UAF is
+triggered:
+==================================================================
+BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790
+Read of size 4 at addr ffff88819807a008 by task fallocate/8010
+CPU: 3 PID: 8010 Comm: fallocate Tainted: G E 5.10.0+ #492
+Call Trace:
+ dump_stack+0x7d/0xa3
+ print_address_description.constprop.0+0x1e/0x220
+ kasan_report.cold+0x67/0x7f
+ ext4_ext_shift_extents+0x257/0x790
+ ext4_insert_range+0x5b6/0x700
+ ext4_fallocate+0x39e/0x3d0
+ vfs_fallocate+0x26f/0x470
+ ksys_fallocate+0x3a/0x70
+ __x64_sys_fallocate+0x4f/0x60
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+==================================================================
+
+For right shifts, we can divide them into the following situations:
+
+1. When the first ee_block of ext4_extent_idx is greater than or equal to
+ start, make right shifts directly from the first ee_block.
+ 1) If it is greater than start, we need to continue searching in the
+ previous ext4_extent_idx.
+ 2) If it is equal to start, we can exit the loop (iterator=NULL).
+
+2. When the first ee_block of ext4_extent_idx is less than start, then
+ traverse from the last extent to find the first extent whose ee_block
+ is less than start.
+ 1) If extent is still the last extent after traversal, it means that
+ the last ee_block of ext4_extent_idx is less than start, that is,
+ start is located in the hole between idx and (idx+1), so we can
+ exit the loop directly (break) without right shifts.
+ 2) Otherwise, make right shifts at the corresponding position of the
+ found extent, and then exit the loop (iterator=NULL).
+
+Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate")
+Cc: stable@vger.kernel.org # v4.2+
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Link: https://lore.kernel.org/r/20220922120434.1294789-1-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/extents.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -5182,6 +5182,7 @@ ext4_ext_shift_extents(struct inode *ino
+ * and it is decreased till we reach start.
+ */
+ again:
++ ret = 0;
+ if (SHIFT == SHIFT_LEFT)
+ iterator = &start;
+ else
+@@ -5225,14 +5226,21 @@ again:
+ ext4_ext_get_actual_len(extent);
+ } else {
+ extent = EXT_FIRST_EXTENT(path[depth].p_hdr);
+- if (le32_to_cpu(extent->ee_block) > 0)
++ if (le32_to_cpu(extent->ee_block) > start)
+ *iterator = le32_to_cpu(extent->ee_block) - 1;
+- else
+- /* Beginning is reached, end of the loop */
++ else if (le32_to_cpu(extent->ee_block) == start)
+ iterator = NULL;
+- /* Update path extent in case we need to stop */
+- while (le32_to_cpu(extent->ee_block) < start)
++ else {
++ extent = EXT_LAST_EXTENT(path[depth].p_hdr);
++ while (le32_to_cpu(extent->ee_block) >= start)
++ extent--;
++
++ if (extent == EXT_LAST_EXTENT(path[depth].p_hdr))
++ break;
++
+ extent++;
++ iterator = NULL;
++ }
+ path[depth].p_ext = extent;
+ }
+ ret = ext4_ext_shift_path_extents(path, shift, inode,
--- /dev/null
+From 50c697215a8cc22f0e58c88f06f2716c05a26e85 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Wed, 16 Nov 2022 18:26:34 +0000
+Subject: kbuild: fix -Wimplicit-function-declaration in license_is_gpl_compatible
+
+From: Sam James <sam@gentoo.org>
+
+commit 50c697215a8cc22f0e58c88f06f2716c05a26e85 upstream.
+
+Add missing <linux/string.h> include for strcmp.
+
+Clang 16 makes -Wimplicit-function-declaration an error by default.
+Unfortunately, out of tree modules may use this in configure scripts,
+which means failure might cause silent miscompilation or misconfiguration.
+
+For more information, see LWN.net [0] or LLVM's Discourse [1], gentoo-dev@ [2],
+or the (new) c-std-porting mailing list [3].
+
+[0] https://lwn.net/Articles/913505/
+[1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213
+[2] https://archives.gentoo.org/gentoo-dev/message/dd9f2d3082b8b6f8dfbccb0639e6e240
+[3] hosted at lists.linux.dev.
+
+[akpm@linux-foundation.org: remember "linux/"]
+Link: https://lkml.kernel.org/r/20221116182634.2823136-1-sam@gentoo.org
+Signed-off-by: Sam James <sam@gentoo.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/license.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/license.h
++++ b/include/linux/license.h
+@@ -2,6 +2,8 @@
+ #ifndef __LICENSE_H
+ #define __LICENSE_H
+
++#include <linux/string.h>
++
+ static inline int license_is_gpl_compatible(const char *license)
+ {
+ return (strcmp(license, "GPL") == 0
net-enetc-cache-accesses-to-priv-si-hw.patch
net-enetc-preserve-tx-ring-priority-across-reconfigu.patch
lib-vdso-use-grep-e-instead-of-egrep.patch
+usb-dwc3-exynos-fix-remove-function.patch
+ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch
+arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch
+kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch
init-kconfig-fix-cc_has_asm_goto_tied_output-test-wi.patch
nios2-add-force-for-vmlinuz.gz.patch
kvm-x86-emulator-update-the-emulation-mode-after-rsm.patch
--- /dev/null
+From e0481e5b3cc12ea7ccf4552d41518c89d3509004 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Thu, 10 Nov 2022 16:41:31 +0100
+Subject: usb: dwc3: exynos: Fix remove() function
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit e0481e5b3cc12ea7ccf4552d41518c89d3509004 upstream.
+
+The core DWC3 device node was not properly removed by the custom
+dwc3_exynos_remove_child() function. Replace it with generic
+of_platform_depopulate() which does that job right.
+
+Fixes: adcf20dcd262 ("usb: dwc3: exynos: Use of_platform API to create dwc3 core pdev")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
+Link: https://lore.kernel.org/r/20221110154131.2577-1-m.szyprowski@samsung.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-exynos.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+--- a/drivers/usb/dwc3/dwc3-exynos.c
++++ b/drivers/usb/dwc3/dwc3-exynos.c
+@@ -37,15 +37,6 @@ struct dwc3_exynos {
+ struct regulator *vdd10;
+ };
+
+-static int dwc3_exynos_remove_child(struct device *dev, void *unused)
+-{
+- struct platform_device *pdev = to_platform_device(dev);
+-
+- platform_device_unregister(pdev);
+-
+- return 0;
+-}
+-
+ static int dwc3_exynos_probe(struct platform_device *pdev)
+ {
+ struct dwc3_exynos *exynos;
+@@ -142,7 +133,7 @@ static int dwc3_exynos_remove(struct pla
+ struct dwc3_exynos *exynos = platform_get_drvdata(pdev);
+ int i;
+
+- device_for_each_child(&pdev->dev, NULL, dwc3_exynos_remove_child);
++ of_platform_depopulate(&pdev->dev);
+
+ for (i = exynos->num_clks - 1; i >= 0; i--)
+ clk_disable_unprepare(exynos->clks[i]);
projects / thirdparty / kernel / stable-queue.git / commitdiff
