From: Sasha Levin Date: Sun, 21 Jan 2024 00:19:18 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v4.19.306~128 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=419f55edb6c34a0d9c0407cc8ae8b7efd2f1c59d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/acpi-lpit-avoid-u32-multiplication-overflow.patch b/queue-5.4/acpi-lpit-avoid-u32-multiplication-overflow.patch new file mode 100644 index 00000000000..b43f8b946be --- /dev/null +++ b/queue-5.4/acpi-lpit-avoid-u32-multiplication-overflow.patch @@ -0,0 +1,40 @@ +From 8b80945fa10ba58e1bd8a671e7639eda63796610 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Nov 2023 21:08:59 +0300 +Subject: ACPI: LPIT: Avoid u32 multiplication overflow + +From: Nikita Kiryushin + +[ Upstream commit 56d2eeda87995245300836ee4dbd13b002311782 ] + +In lpit_update_residency() there is a possibility of overflow +in multiplication, if tsc_khz is large enough (> UINT_MAX/1000). + +Change multiplication to mul_u32_u32(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: eeb2d80d502a ("ACPI / LPIT: Add Low Power Idle Table (LPIT) support") +Signed-off-by: Nikita Kiryushin +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_lpit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpi_lpit.c b/drivers/acpi/acpi_lpit.c +index 433376e819bb..c79266b8029a 100644 +--- a/drivers/acpi/acpi_lpit.c ++++ b/drivers/acpi/acpi_lpit.c +@@ -98,7 +98,7 @@ static void lpit_update_residency(struct lpit_residency_info *info, + struct acpi_lpit_native *lpit_native) + { + info->frequency = lpit_native->counter_frequency ? +- lpit_native->counter_frequency : tsc_khz * 1000; ++ lpit_native->counter_frequency : mul_u32_u32(tsc_khz, 1000U); + if (!info->frequency) + info->frequency = 1; + +-- +2.43.0 + diff --git a/queue-5.4/acpi-video-check-for-error-while-searching-for-backl.patch b/queue-5.4/acpi-video-check-for-error-while-searching-for-backl.patch new file mode 100644 index 00000000000..091fe9b526f --- /dev/null +++ b/queue-5.4/acpi-video-check-for-error-while-searching-for-backl.patch @@ -0,0 +1,54 @@ +From 306645937af0caa74c2ca196c375dc088ed617bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Nov 2023 16:49:25 +0300 +Subject: ACPI: video: check for error while searching for backlight device + parent + +From: Nikita Kiryushin + +[ Upstream commit ccd45faf4973746c4f30ea41eec864e5cf191099 ] + +If acpi_get_parent() called in acpi_video_dev_register_backlight() +fails, for example, because acpi_ut_acquire_mutex() fails inside +acpi_get_parent), this can lead to incorrect (uninitialized) +acpi_parent handle being passed to acpi_get_pci_dev() for detecting +the parent pci device. + +Check acpi_get_parent() result and set parent device only in case of success. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 9661e92c10a9 ("acpi: tie ACPI backlight devices to PCI devices if possible") +Signed-off-by: Nikita Kiryushin +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_video.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c +index bf18efd49a25..9648ec76de2b 100644 +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -1784,12 +1784,12 @@ static void acpi_video_dev_register_backlight(struct acpi_video_device *device) + return; + count++; + +- acpi_get_parent(device->dev->handle, &acpi_parent); +- +- pdev = acpi_get_pci_dev(acpi_parent); +- if (pdev) { +- parent = &pdev->dev; +- pci_dev_put(pdev); ++ if (ACPI_SUCCESS(acpi_get_parent(device->dev->handle, &acpi_parent))) { ++ pdev = acpi_get_pci_dev(acpi_parent); ++ if (pdev) { ++ parent = &pdev->dev; ++ pci_dev_put(pdev); ++ } + } + + memset(&props, 0, sizeof(struct backlight_properties)); +-- +2.43.0 + diff --git a/queue-5.4/arm-davinci-always-select-config_cpu_arm926t.patch b/queue-5.4/arm-davinci-always-select-config_cpu_arm926t.patch new file mode 100644 index 00000000000..44d97703dfd --- /dev/null +++ b/queue-5.4/arm-davinci-always-select-config_cpu_arm926t.patch @@ -0,0 +1,39 @@ +From 4f8b58640feae1b86e13d28c2e401216e6a003b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jan 2024 12:00:36 +0100 +Subject: ARM: davinci: always select CONFIG_CPU_ARM926T + +From: Arnd Bergmann + +[ Upstream commit 40974ee421b4d1fc74ac733d86899ce1b83d8f65 ] + +The select was lost by accident during the multiplatform conversion. +Any davinci-only + +arm-linux-gnueabi-ld: arch/arm/mach-davinci/sleep.o: in function `CACHE_FLUSH': +(.text+0x168): undefined reference to `arm926_flush_kern_cache_all' + +Fixes: f962396ce292 ("ARM: davinci: support multiplatform build for ARM v5") +Acked-by: Bartosz Golaszewski +Link: https://lore.kernel.org/r/20240108110055.1531153-1-arnd@kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-davinci/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-davinci/Kconfig b/arch/arm/mach-davinci/Kconfig +index 4d3b7d0418c4..68e3788f026c 100644 +--- a/arch/arm/mach-davinci/Kconfig ++++ b/arch/arm/mach-davinci/Kconfig +@@ -3,6 +3,7 @@ + menuconfig ARCH_DAVINCI + bool "TI DaVinci" + depends on ARCH_MULTI_V5 ++ select CPU_ARM926T + select DAVINCI_TIMER + select ZONE_DMA + select PM_GENERIC_DOMAINS if PM +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-qcom-apq8064-correct-xoadc-register-address.patch b/queue-5.4/arm-dts-qcom-apq8064-correct-xoadc-register-address.patch new file mode 100644 index 00000000000..102fa257ae6 --- /dev/null +++ b/queue-5.4/arm-dts-qcom-apq8064-correct-xoadc-register-address.patch @@ -0,0 +1,40 @@ +From f11823fb674f86b694abbf0023c4fb8af893bbc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 14:02:35 +0300 +Subject: ARM: dts: qcom: apq8064: correct XOADC register address + +From: Dmitry Baryshkov + +[ Upstream commit 554557542e709e190eff8a598f0cde02647d533a ] + +The XOADC is present at the address 0x197 rather than just 197. It +doesn't change a lot (since the driver hardcodes all register +addresses), but the DT should present correct address anyway. + +Fixes: c4b70883ee33 ("ARM: dts: add XOADC and IIO HWMON to APQ8064") +Reviewed-by: Konrad Dybcio +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20230928110309.1212221-3-dmitry.baryshkov@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-apq8064.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi +index 8c8a576ab9c0..cd200910ccdf 100644 +--- a/arch/arm/boot/dts/qcom-apq8064.dtsi ++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi +@@ -759,7 +759,7 @@ pwrkey@1c { + + xoadc: xoadc@197 { + compatible = "qcom,pm8921-adc"; +- reg = <197>; ++ reg = <0x197>; + interrupts-extended = <&pmicintc 78 IRQ_TYPE_EDGE_RISING>; + #address-cells = <2>; + #size-cells = <0>; +-- +2.43.0 + diff --git a/queue-5.4/arm64-dts-qcom-sdm845-db845c-correct-led-panic-indic.patch b/queue-5.4/arm64-dts-qcom-sdm845-db845c-correct-led-panic-indic.patch new file mode 100644 index 00000000000..2d693dd5887 --- /dev/null +++ b/queue-5.4/arm64-dts-qcom-sdm845-db845c-correct-led-panic-indic.patch @@ -0,0 +1,41 @@ +From d10e45442dbd6fd85a29abfc0b93f6ec530f802c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Nov 2023 10:56:16 +0100 +Subject: arm64: dts: qcom: sdm845-db845c: correct LED panic indicator + +From: Krzysztof Kozlowski + +[ Upstream commit 0c90c75e663246203a2b7f6dd9e08a110f4c3c43 ] + +There is no "panic-indicator" default trigger but a property with that +name: + + sdm845-db845c.dtb: leds: led-0: Unevaluated properties are not allowed ('linux,default-trigger' was unexpected) + +Fixes: 3f72e2d3e682 ("arm64: dts: qcom: Add Dragonboard 845c") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20231111095617.16496-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845-db845c.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts +index bf4fde88011c..e99a58b76d86 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts ++++ b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts +@@ -53,8 +53,8 @@ leds { + user4 { + label = "green:user4"; + gpios = <&pm8998_gpio 13 GPIO_ACTIVE_HIGH>; +- linux,default-trigger = "panic-indicator"; + default-state = "off"; ++ panic-indicator; + }; + + wlan { +-- +2.43.0 + diff --git a/queue-5.4/asoc-cs35l33-fix-gpio-name-and-drop-legacy-include.patch b/queue-5.4/asoc-cs35l33-fix-gpio-name-and-drop-legacy-include.patch new file mode 100644 index 00000000000..df14c4fa787 --- /dev/null +++ b/queue-5.4/asoc-cs35l33-fix-gpio-name-and-drop-legacy-include.patch @@ -0,0 +1,64 @@ +From 1bbf3501f71f2e0aa1e72e0cd3c9c9aba9a590dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 14:20:31 +0100 +Subject: ASoC: cs35l33: Fix GPIO name and drop legacy include + +From: Linus Walleij + +[ Upstream commit 50678d339d670a92658e5538ebee30447c88ccb3 ] + +This driver includes the legacy GPIO APIs and + but does not use any symbols from any of +them. + +Drop the includes. + +Further the driver is requesting "reset-gpios" rather than +just "reset" from the GPIO framework. This is wrong because +the gpiolib core will add "-gpios" before processing the +request from e.g. device tree. Drop the suffix. + +The last problem means that the optional RESET GPIO has +never been properly retrieved and used even if it existed, +but nobody noticed. + +Fixes: 3333cb7187b9 ("ASoC: cs35l33: Initial commit of the cs35l33 CODEC driver.") +Acked-by: Charles Keepax +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20231201-descriptors-sound-cirrus-v2-2-ee9f9d4655eb@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs35l33.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/cs35l33.c b/sound/soc/codecs/cs35l33.c +index 8894369e329a..87b299d24bd8 100644 +--- a/sound/soc/codecs/cs35l33.c ++++ b/sound/soc/codecs/cs35l33.c +@@ -22,13 +22,11 @@ + #include + #include + #include +-#include + #include + #include + #include + #include + #include +-#include + #include + #include + #include +@@ -1168,7 +1166,7 @@ static int cs35l33_i2c_probe(struct i2c_client *i2c_client, + + /* We could issue !RST or skip it based on AMP topology */ + cs35l33->reset_gpio = devm_gpiod_get_optional(&i2c_client->dev, +- "reset-gpios", GPIOD_OUT_HIGH); ++ "reset", GPIOD_OUT_HIGH); + if (IS_ERR(cs35l33->reset_gpio)) { + dev_err(&i2c_client->dev, "%s ERROR: Can't get reset GPIO\n", + __func__); +-- +2.43.0 + diff --git a/queue-5.4/asoc-cs35l34-fix-gpio-name-and-drop-legacy-include.patch b/queue-5.4/asoc-cs35l34-fix-gpio-name-and-drop-legacy-include.patch new file mode 100644 index 00000000000..9699dd6c652 --- /dev/null +++ b/queue-5.4/asoc-cs35l34-fix-gpio-name-and-drop-legacy-include.patch @@ -0,0 +1,65 @@ +From d42ba4ea18e9b3bf5fba5db5d59c67ef52b6fa51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 14:20:32 +0100 +Subject: ASoC: cs35l34: Fix GPIO name and drop legacy include + +From: Linus Walleij + +[ Upstream commit a6122b0b4211d132934ef99e7b737910e6d54d2f ] + +This driver includes the legacy GPIO APIs and + but does not use any symbols from any of +them. + +Drop the includes. + +Further the driver is requesting "reset-gpios" rather than +just "reset" from the GPIO framework. This is wrong because +the gpiolib core will add "-gpios" before processing the +request from e.g. device tree. Drop the suffix. + +The last problem means that the optional RESET GPIO has +never been properly retrieved and used even if it existed, +but nobody noticed. + +Fixes: c1124c09e103 ("ASoC: cs35l34: Initial commit of the cs35l34 CODEC driver.") +Acked-by: Charles Keepax +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20231201-descriptors-sound-cirrus-v2-3-ee9f9d4655eb@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs35l34.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/cs35l34.c b/sound/soc/codecs/cs35l34.c +index b792c006e530..d9f975b52b21 100644 +--- a/sound/soc/codecs/cs35l34.c ++++ b/sound/soc/codecs/cs35l34.c +@@ -20,14 +20,12 @@ + #include + #include + #include +-#include + #include + #include + #include + #include + #include + #include +-#include + #include + #include + #include +@@ -1058,7 +1056,7 @@ static int cs35l34_i2c_probe(struct i2c_client *i2c_client, + dev_err(&i2c_client->dev, "Failed to request IRQ: %d\n", ret); + + cs35l34->reset_gpio = devm_gpiod_get_optional(&i2c_client->dev, +- "reset-gpios", GPIOD_OUT_LOW); ++ "reset", GPIOD_OUT_LOW); + if (IS_ERR(cs35l34->reset_gpio)) + return PTR_ERR(cs35l34->reset_gpio); + +-- +2.43.0 + diff --git a/queue-5.4/blocklayoutdriver-fix-reference-leak-of-pnfs_device_.patch b/queue-5.4/blocklayoutdriver-fix-reference-leak-of-pnfs_device_.patch new file mode 100644 index 00000000000..73012a53654 --- /dev/null +++ b/queue-5.4/blocklayoutdriver-fix-reference-leak-of-pnfs_device_.patch @@ -0,0 +1,37 @@ +From 5dafaaa54f985f2b2deefb17632d79f14ee206cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 10:05:01 -0500 +Subject: blocklayoutdriver: Fix reference leak of pnfs_device_node + +From: Benjamin Coddington + +[ Upstream commit 1530827b90025cdf80c9b0d07a166d045a0a7b81 ] + +The error path for blocklayout's device lookup is missing a reference drop +for the case where a lookup finds the device, but the device is marked with +NFS_DEVICEID_UNAVAILABLE. + +Fixes: b3dce6a2f060 ("pnfs/blocklayout: handle transient devices") +Signed-off-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/blocklayout.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c +index 690221747b47..9f10b90debec 100644 +--- a/fs/nfs/blocklayout/blocklayout.c ++++ b/fs/nfs/blocklayout/blocklayout.c +@@ -604,6 +604,8 @@ bl_find_get_deviceid(struct nfs_server *server, + nfs4_delete_deviceid(node->ld, node->nfs_client, id); + goto retry; + } ++ ++ nfs4_put_deviceid_node(node); + return ERR_PTR(-ENODEV); + } + +-- +2.43.0 + diff --git a/queue-5.4/bluetooth-btmtkuart-fix-recv_buf-return-value.patch b/queue-5.4/bluetooth-btmtkuart-fix-recv_buf-return-value.patch new file mode 100644 index 00000000000..6df5ff4ed8d --- /dev/null +++ b/queue-5.4/bluetooth-btmtkuart-fix-recv_buf-return-value.patch @@ -0,0 +1,68 @@ +From b5c2685e4b9aed17b62d865554d4d749bd99e96c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 17:40:19 +0100 +Subject: Bluetooth: btmtkuart: fix recv_buf() return value + +From: Francesco Dolcini + +[ Upstream commit 64057f051f20c2a2184b9db7f8037d928d68a4f4 ] + +Serdev recv_buf() callback is supposed to return the amount of bytes +consumed, therefore an int in between 0 and count. + +Do not return negative number in case of issue, just print an error and +return count. This fixes a WARN in ttyport_receive_buf(). + +Link: https://lore.kernel.org/all/087be419-ec6b-47ad-851a-5e1e3ea5cfcc@kernel.org/ +Fixes: 7237c4c9ec92 ("Bluetooth: mediatek: Add protocol support for MediaTek serial devices") +Signed-off-by: Francesco Dolcini +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmtkuart.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/bluetooth/btmtkuart.c b/drivers/bluetooth/btmtkuart.c +index 2beb2321825e..e7e3c8e0ed0e 100644 +--- a/drivers/bluetooth/btmtkuart.c ++++ b/drivers/bluetooth/btmtkuart.c +@@ -471,7 +471,7 @@ mtk_stp_split(struct btmtkuart_dev *bdev, const unsigned char *data, int count, + return data; + } + +-static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count) ++static void btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count) + { + struct btmtkuart_dev *bdev = hci_get_drvdata(hdev); + const unsigned char *p_left = data, *p_h4; +@@ -510,25 +510,20 @@ static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count) + bt_dev_err(bdev->hdev, + "Frame reassembly failed (%d)", err); + bdev->rx_skb = NULL; +- return err; ++ return; + } + + sz_left -= sz_h4; + p_left += sz_h4; + } +- +- return 0; + } + + static int btmtkuart_receive_buf(struct serdev_device *serdev, const u8 *data, + size_t count) + { + struct btmtkuart_dev *bdev = serdev_device_get_drvdata(serdev); +- int err; + +- err = btmtkuart_recv(bdev->hdev, data, count); +- if (err < 0) +- return err; ++ btmtkuart_recv(bdev->hdev, data, count); + + bdev->hdev->stat.byte_rx += count; + +-- +2.43.0 + diff --git a/queue-5.4/bluetooth-fix-bogus-check-for-re-auth-no-supported-w.patch b/queue-5.4/bluetooth-fix-bogus-check-for-re-auth-no-supported-w.patch new file mode 100644 index 00000000000..e6b9041fa82 --- /dev/null +++ b/queue-5.4/bluetooth-fix-bogus-check-for-re-auth-no-supported-w.patch @@ -0,0 +1,88 @@ +From 48b067203b36a2854299dd0577d2c1c2123df371 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 14:58:03 +0100 +Subject: Bluetooth: Fix bogus check for re-auth no supported with non-ssp + +From: Luiz Augusto von Dentz + +[ Upstream commit d03376c185926098cb4d668d6458801eb785c0a5 ] + +This reverts 19f8def031bfa50c579149b200bfeeb919727b27 +"Bluetooth: Fix auth_complete_evt for legacy units" which seems to be +working around a bug on a broken controller rather then any limitation +imposed by the Bluetooth spec, in fact if there ws not possible to +re-auth the command shall fail not succeed. + +Fixes: 19f8def031bf ("Bluetooth: Fix auth_complete_evt for legacy units") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 1 - + net/bluetooth/hci_conn.c | 8 +++----- + net/bluetooth/hci_event.c | 11 ++--------- + 3 files changed, 5 insertions(+), 15 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index b54f17677ac0..26983d26af19 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -673,7 +673,6 @@ void hci_inquiry_cache_flush(struct hci_dev *hdev); + /* ----- HCI Connections ----- */ + enum { + HCI_CONN_AUTH_PEND, +- HCI_CONN_REAUTH_PEND, + HCI_CONN_ENCRYPT_PEND, + HCI_CONN_RSWITCH_PEND, + HCI_CONN_MODE_CHANGE_PEND, +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index e129b7fb6540..d55973cb5b54 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -1341,12 +1341,10 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) + hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, + sizeof(cp), &cp); + +- /* If we're already encrypted set the REAUTH_PEND flag, +- * otherwise set the ENCRYPT_PEND. ++ /* Set the ENCRYPT_PEND to trigger encryption after ++ * authentication. + */ +- if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) +- set_bit(HCI_CONN_REAUTH_PEND, &conn->flags); +- else ++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) + set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); + } + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 74695df78122..f5b46ea9d4c4 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2806,14 +2806,8 @@ static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) + + if (!ev->status) { + clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); +- +- if (!hci_conn_ssp_enabled(conn) && +- test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { +- bt_dev_info(hdev, "re-auth of legacy device is not possible."); +- } else { +- set_bit(HCI_CONN_AUTH, &conn->flags); +- conn->sec_level = conn->pending_sec_level; +- } ++ set_bit(HCI_CONN_AUTH, &conn->flags); ++ conn->sec_level = conn->pending_sec_level; + } else { + if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) + set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); +@@ -2822,7 +2816,6 @@ static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) + } + + clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); +- clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); + + if (conn->state == BT_CONFIG) { + if (!ev->status && hci_conn_ssp_enabled(conn)) { +-- +2.43.0 + diff --git a/queue-5.4/bpf-lpm-fix-check-prefixlen-before-walking-trie.patch b/queue-5.4/bpf-lpm-fix-check-prefixlen-before-walking-trie.patch new file mode 100644 index 00000000000..ca4c0df2f91 --- /dev/null +++ b/queue-5.4/bpf-lpm-fix-check-prefixlen-before-walking-trie.patch @@ -0,0 +1,43 @@ +From a3a2d3f387a28764a3e205891a6313632b359ec3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Nov 2023 09:58:01 +0100 +Subject: bpf, lpm: Fix check prefixlen before walking trie + +From: Florian Lehner + +[ Upstream commit 9b75dbeb36fcd9fc7ed51d370310d0518a387769 ] + +When looking up an element in LPM trie, the condition 'matchlen == +trie->max_prefixlen' will never return true, if key->prefixlen is larger +than trie->max_prefixlen. Consequently all elements in the LPM trie will +be visited and no element is returned in the end. + +To resolve this, check key->prefixlen first before walking the LPM trie. + +Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation") +Signed-off-by: Florian Lehner +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20231105085801.3742-1-dev@der-flo.net +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/lpm_trie.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index 56e6c75d354d..d78c1afe1273 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -230,6 +230,9 @@ static void *trie_lookup_elem(struct bpf_map *map, void *_key) + struct lpm_trie_node *node, *found = NULL; + struct bpf_lpm_trie_key *key = _key; + ++ if (key->prefixlen > trie->max_prefixlen) ++ return NULL; ++ + /* Start walking the trie from the root node ... */ + + for (node = rcu_dereference(trie->root); node;) { +-- +2.43.0 + diff --git a/queue-5.4/calipso-fix-memory-leak-in-netlbl_calipso_add_pass.patch b/queue-5.4/calipso-fix-memory-leak-in-netlbl_calipso_add_pass.patch new file mode 100644 index 00000000000..6218045e80c --- /dev/null +++ b/queue-5.4/calipso-fix-memory-leak-in-netlbl_calipso_add_pass.patch @@ -0,0 +1,138 @@ +From b84fa06704696f588d30d10984a920823390da60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 09:25:54 +0000 +Subject: calipso: fix memory leak in netlbl_calipso_add_pass() + +From: Gavrilov Ilia + +[ Upstream commit ec4e9d630a64df500641892f4e259e8149594a99 ] + +If IPv6 support is disabled at boot (ipv6.disable=1), +the calipso_init() -> netlbl_calipso_ops_register() function isn't called, +and the netlbl_calipso_ops_get() function always returns NULL. +In this case, the netlbl_calipso_add_pass() function allocates memory +for the doi_def variable but doesn't free it with the calipso_doi_free(). + +BUG: memory leak +unreferenced object 0xffff888011d68180 (size 64): + comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s) + hex dump (first 32 bytes): + 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<...>] kmalloc include/linux/slab.h:552 [inline] + [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline] + [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111 + [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 + [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 + [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515 + [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 + [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] + [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339 + [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934 + [<...>] sock_sendmsg_nosec net/socket.c:651 [inline] + [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671 + [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342 + [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396 + [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429 + [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with Syzkaller + +Fixes: cb72d38211ea ("netlabel: Initial support for the CALIPSO netlink protocol.") +Signed-off-by: Gavrilov Ilia +[PM: merged via the LSM tree at Jakub Kicinski request] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_calipso.c | 49 +++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 23 deletions(-) + +diff --git a/net/netlabel/netlabel_calipso.c b/net/netlabel/netlabel_calipso.c +index 33502b1f07c0..1bb2a7404dc4 100644 +--- a/net/netlabel/netlabel_calipso.c ++++ b/net/netlabel/netlabel_calipso.c +@@ -54,6 +54,28 @@ static const struct nla_policy calipso_genl_policy[NLBL_CALIPSO_A_MAX + 1] = { + [NLBL_CALIPSO_A_MTYPE] = { .type = NLA_U32 }, + }; + ++static const struct netlbl_calipso_ops *calipso_ops; ++ ++/** ++ * netlbl_calipso_ops_register - Register the CALIPSO operations ++ * @ops: ops to register ++ * ++ * Description: ++ * Register the CALIPSO packet engine operations. ++ * ++ */ ++const struct netlbl_calipso_ops * ++netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops) ++{ ++ return xchg(&calipso_ops, ops); ++} ++EXPORT_SYMBOL(netlbl_calipso_ops_register); ++ ++static const struct netlbl_calipso_ops *netlbl_calipso_ops_get(void) ++{ ++ return READ_ONCE(calipso_ops); ++} ++ + /* NetLabel Command Handlers + */ + /** +@@ -96,15 +118,18 @@ static int netlbl_calipso_add_pass(struct genl_info *info, + * + */ + static int netlbl_calipso_add(struct sk_buff *skb, struct genl_info *info) +- + { + int ret_val = -EINVAL; + struct netlbl_audit audit_info; ++ const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get(); + + if (!info->attrs[NLBL_CALIPSO_A_DOI] || + !info->attrs[NLBL_CALIPSO_A_MTYPE]) + return -EINVAL; + ++ if (!ops) ++ return -EOPNOTSUPP; ++ + netlbl_netlink_auditinfo(&audit_info); + switch (nla_get_u32(info->attrs[NLBL_CALIPSO_A_MTYPE])) { + case CALIPSO_MAP_PASS: +@@ -362,28 +387,6 @@ int __init netlbl_calipso_genl_init(void) + return genl_register_family(&netlbl_calipso_gnl_family); + } + +-static const struct netlbl_calipso_ops *calipso_ops; +- +-/** +- * netlbl_calipso_ops_register - Register the CALIPSO operations +- * @ops: ops to register +- * +- * Description: +- * Register the CALIPSO packet engine operations. +- * +- */ +-const struct netlbl_calipso_ops * +-netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops) +-{ +- return xchg(&calipso_ops, ops); +-} +-EXPORT_SYMBOL(netlbl_calipso_ops_register); +- +-static const struct netlbl_calipso_ops *netlbl_calipso_ops_get(void) +-{ +- return READ_ONCE(calipso_ops); +-} +- + /** + * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine + * @doi_def: the DOI structure +-- +2.43.0 + diff --git a/queue-5.4/clk-si5341-fix-an-error-code-problem-in-si5341_outpu.patch b/queue-5.4/clk-si5341-fix-an-error-code-problem-in-si5341_outpu.patch new file mode 100644 index 00000000000..28b532cf8a5 --- /dev/null +++ b/queue-5.4/clk-si5341-fix-an-error-code-problem-in-si5341_outpu.patch @@ -0,0 +1,41 @@ +From 5e5c5b9e731d364f4cebbc393875d5a4fa3f460b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Nov 2023 11:16:36 +0800 +Subject: clk: si5341: fix an error code problem in si5341_output_clk_set_rate + +From: Su Hui + +[ Upstream commit 5607068ae5ab02c3ac9cabc6859d36e98004c341 ] + +regmap_bulk_write() return zero or negative error code, return the value +of regmap_bulk_write() rather than '0'. + +Fixes: 3044a860fd09 ("clk: Add Si5341/Si5340 driver") +Acked-by: Mike Looijmans +Signed-off-by: Su Hui +Link: https://lore.kernel.org/r/20231101031633.996124-1-suhui@nfschina.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-si5341.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/clk/clk-si5341.c b/drivers/clk/clk-si5341.c +index 07ef9995b3cb..31504e52a67c 100644 +--- a/drivers/clk/clk-si5341.c ++++ b/drivers/clk/clk-si5341.c +@@ -732,10 +732,8 @@ static int si5341_output_clk_set_rate(struct clk_hw *hw, unsigned long rate, + r[0] = r_div ? (r_div & 0xff) : 1; + r[1] = (r_div >> 8) & 0xff; + r[2] = (r_div >> 16) & 0xff; +- err = regmap_bulk_write(output->data->regmap, ++ return regmap_bulk_write(output->data->regmap, + SI5341_OUT_R_REG(output), r, 3); +- +- return 0; + } + + static int si5341_output_reparent(struct clk_si5341_output *output, u8 index) +-- +2.43.0 + diff --git a/queue-5.4/crypto-af_alg-disallow-multiple-in-flight-aio-reques.patch b/queue-5.4/crypto-af_alg-disallow-multiple-in-flight-aio-reques.patch new file mode 100644 index 00000000000..34c80a81e5b --- /dev/null +++ b/queue-5.4/crypto-af_alg-disallow-multiple-in-flight-aio-reques.patch @@ -0,0 +1,85 @@ +From 8b764ec6cc75e6ad177b384178467e5a0abe7a93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 16:25:49 +0800 +Subject: crypto: af_alg - Disallow multiple in-flight AIO requests + +From: Herbert Xu + +[ Upstream commit 67b164a871af1d736f131fd6fe78a610909f06f3 ] + +Having multiple in-flight AIO requests results in unpredictable +output because they all share the same IV. Fix this by only allowing +one request at a time. + +Fixes: 83094e5e9e49 ("crypto: af_alg - add async support to algif_aead") +Fixes: a596999b7ddf ("crypto: algif - change algif_skcipher to be asynchronous") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/af_alg.c | 14 +++++++++++++- + include/crypto/if_alg.h | 3 +++ + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index 4a2e91baabde..bc96a4b21bec 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -1029,9 +1029,13 @@ EXPORT_SYMBOL_GPL(af_alg_sendpage); + void af_alg_free_resources(struct af_alg_async_req *areq) + { + struct sock *sk = areq->sk; ++ struct af_alg_ctx *ctx; + + af_alg_free_areq_sgls(areq); + sock_kfree_s(sk, areq, areq->areqlen); ++ ++ ctx = alg_sk(sk)->private; ++ ctx->inflight = false; + } + EXPORT_SYMBOL_GPL(af_alg_free_resources); + +@@ -1095,11 +1099,19 @@ EXPORT_SYMBOL_GPL(af_alg_poll); + struct af_alg_async_req *af_alg_alloc_areq(struct sock *sk, + unsigned int areqlen) + { +- struct af_alg_async_req *areq = sock_kmalloc(sk, areqlen, GFP_KERNEL); ++ struct af_alg_ctx *ctx = alg_sk(sk)->private; ++ struct af_alg_async_req *areq; ++ ++ /* Only one AIO request can be in flight. */ ++ if (ctx->inflight) ++ return ERR_PTR(-EBUSY); + ++ areq = sock_kmalloc(sk, areqlen, GFP_KERNEL); + if (unlikely(!areq)) + return ERR_PTR(-ENOMEM); + ++ ctx->inflight = true; ++ + areq->areqlen = areqlen; + areq->sk = sk; + areq->last_rsgl = NULL; +diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h +index c1a8d4a41bb1..f4ff7ae0128a 100644 +--- a/include/crypto/if_alg.h ++++ b/include/crypto/if_alg.h +@@ -137,6 +137,7 @@ struct af_alg_async_req { + * recvmsg is invoked. + * @init: True if metadata has been sent. + * @len: Length of memory allocated for this data structure. ++ * @inflight: Non-zero when AIO requests are in flight. + */ + struct af_alg_ctx { + struct list_head tsgl_list; +@@ -155,6 +156,8 @@ struct af_alg_ctx { + bool init; + + unsigned int len; ++ ++ unsigned int inflight; + }; + + int af_alg_register_type(const struct af_alg_type *type); +-- +2.43.0 + diff --git a/queue-5.4/crypto-ccp-fix-memleak-in-ccp_init_dm_workarea.patch b/queue-5.4/crypto-ccp-fix-memleak-in-ccp_init_dm_workarea.patch new file mode 100644 index 00000000000..a70f4319eeb --- /dev/null +++ b/queue-5.4/crypto-ccp-fix-memleak-in-ccp_init_dm_workarea.patch @@ -0,0 +1,45 @@ +From 06d76043228cde938e9c20e148e91a1794576394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 11:47:10 +0800 +Subject: crypto: ccp - fix memleak in ccp_init_dm_workarea + +From: Dinghao Liu + +[ Upstream commit a1c95dd5bc1d6a5d7a75a376c2107421b7d6240d ] + +When dma_map_single() fails, wa->address is supposed to be freed +by the callers of ccp_init_dm_workarea() through ccp_dm_free(). +However, many of the call spots don't expect to have to call +ccp_dm_free() on failure of ccp_init_dm_workarea(), which may +lead to a memleak. Let's free wa->address in ccp_init_dm_workarea() +when dma_map_single() fails. + +Fixes: 63b945091a07 ("crypto: ccp - CCP device driver and interface support") +Signed-off-by: Dinghao Liu +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/ccp-ops.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c +index e826c4b6b3af..4865eb047866 100644 +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -178,8 +178,11 @@ static int ccp_init_dm_workarea(struct ccp_dm_workarea *wa, + + wa->dma.address = dma_map_single(wa->dev, wa->address, len, + dir); +- if (dma_mapping_error(wa->dev, wa->dma.address)) ++ if (dma_mapping_error(wa->dev, wa->dma.address)) { ++ kfree(wa->address); ++ wa->address = NULL; + return -ENOMEM; ++ } + + wa->dma.length = len; + } +-- +2.43.0 + diff --git a/queue-5.4/crypto-sahara-do-not-resize-req-src-when-doing-hash-.patch b/queue-5.4/crypto-sahara-do-not-resize-req-src-when-doing-hash-.patch new file mode 100644 index 00000000000..cdfc0bb357a --- /dev/null +++ b/queue-5.4/crypto-sahara-do-not-resize-req-src-when-doing-hash-.patch @@ -0,0 +1,99 @@ +From b330512f819a64dca9feb9791381f0ae2468a86d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 10:21:36 +0200 +Subject: crypto: sahara - do not resize req->src when doing hash operations + +From: Ovidiu Panait + +[ Upstream commit a3c6f4f4d249cecaf2f34471aadbfb4f4ef57298 ] + +When testing sahara sha256 speed performance with tcrypt (mode=404) on +imx53-qsrb board, multiple "Invalid numbers of src SG." errors are +reported. This was traced to sahara_walk_and_recalc() resizing req->src +and causing the subsequent dma_map_sg() call to fail. + +Now that the previous commit fixed sahara_sha_hw_links_create() to take +into account the actual request size, rather than relying on sg->length +values, the resize operation is no longer necessary. + +Therefore, remove sahara_walk_and_recalc() and simplify associated logic. + +Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 38 ++------------------------------------ + 1 file changed, 2 insertions(+), 36 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index 0f4bb8574a4a..19186617eafc 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -902,24 +902,6 @@ static int sahara_sha_hw_context_descriptor_create(struct sahara_dev *dev, + return 0; + } + +-static int sahara_walk_and_recalc(struct scatterlist *sg, unsigned int nbytes) +-{ +- if (!sg || !sg->length) +- return nbytes; +- +- while (nbytes && sg) { +- if (nbytes <= sg->length) { +- sg->length = nbytes; +- sg_mark_end(sg); +- break; +- } +- nbytes -= sg->length; +- sg = sg_next(sg); +- } +- +- return nbytes; +-} +- + static int sahara_sha_prepare_request(struct ahash_request *req) + { + struct crypto_ahash *tfm = crypto_ahash_reqtfm(req); +@@ -956,36 +938,20 @@ static int sahara_sha_prepare_request(struct ahash_request *req) + hash_later, 0); + } + +- /* nbytes should now be multiple of blocksize */ +- req->nbytes = req->nbytes - hash_later; +- +- sahara_walk_and_recalc(req->src, req->nbytes); +- ++ rctx->total = len - hash_later; + /* have data from previous operation and current */ + if (rctx->buf_cnt && req->nbytes) { + sg_init_table(rctx->in_sg_chain, 2); + sg_set_buf(rctx->in_sg_chain, rctx->rembuf, rctx->buf_cnt); +- + sg_chain(rctx->in_sg_chain, 2, req->src); +- +- rctx->total = req->nbytes + rctx->buf_cnt; + rctx->in_sg = rctx->in_sg_chain; +- +- req->src = rctx->in_sg_chain; + /* only data from previous operation */ + } else if (rctx->buf_cnt) { +- if (req->src) +- rctx->in_sg = req->src; +- else +- rctx->in_sg = rctx->in_sg_chain; +- /* buf was copied into rembuf above */ ++ rctx->in_sg = rctx->in_sg_chain; + sg_init_one(rctx->in_sg, rctx->rembuf, rctx->buf_cnt); +- rctx->total = rctx->buf_cnt; + /* no data from previous operation */ + } else { + rctx->in_sg = req->src; +- rctx->total = req->nbytes; +- req->src = rctx->in_sg; + } + + /* on next call, we only have the remaining data in the buffer */ +-- +2.43.0 + diff --git a/queue-5.4/crypto-sahara-fix-ahash-reqsize.patch b/queue-5.4/crypto-sahara-fix-ahash-reqsize.patch new file mode 100644 index 00000000000..c658952fad8 --- /dev/null +++ b/queue-5.4/crypto-sahara-fix-ahash-reqsize.patch @@ -0,0 +1,37 @@ +From d68dfcde8d50b60c496c0b390db137220407cf32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 10:21:32 +0200 +Subject: crypto: sahara - fix ahash reqsize + +From: Ovidiu Panait + +[ Upstream commit efcb50f41740ac55e6ccc4986c1a7740e21c62b4 ] + +Set the reqsize for sha algorithms to sizeof(struct sahara_sha_reqctx), the +extra space is not needed. + +Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index e505c01b7a05..1284991cd40d 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -1178,8 +1178,7 @@ static int sahara_sha_import(struct ahash_request *req, const void *in) + static int sahara_sha_cra_init(struct crypto_tfm *tfm) + { + crypto_ahash_set_reqsize(__crypto_ahash_cast(tfm), +- sizeof(struct sahara_sha_reqctx) + +- SHA_BUFFER_LEN + SHA256_BLOCK_SIZE); ++ sizeof(struct sahara_sha_reqctx)); + + return 0; + } +-- +2.43.0 + diff --git a/queue-5.4/crypto-sahara-fix-ahash-selftest-failure.patch b/queue-5.4/crypto-sahara-fix-ahash-selftest-failure.patch new file mode 100644 index 00000000000..958f90e7442 --- /dev/null +++ b/queue-5.4/crypto-sahara-fix-ahash-selftest-failure.patch @@ -0,0 +1,41 @@ +From 288106c9941df478bbbda1a079ea5c1ccbb29c2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 19:06:21 +0200 +Subject: crypto: sahara - fix ahash selftest failure + +From: Ovidiu Panait + +[ Upstream commit afffcf3db98b9495114b79d5381f8cc3f69476fb ] + +update() calls should not modify the result buffer, so add an additional +check for "rctx->last" to make sure that only the final hash value is +copied into the buffer. + +Fixes the following selftest failure: +alg: ahash: sahara-sha256 update() used result buffer on test vector 3, +cfg="init+update+final aligned buffer" + +Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index e44dd34f8559..b48f92c8cd0f 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -1031,7 +1031,7 @@ static int sahara_sha_process(struct ahash_request *req) + + memcpy(rctx->context, dev->context_base, rctx->context_size); + +- if (req->result) ++ if (req->result && rctx->last) + memcpy(req->result, rctx->context, rctx->digest_size); + + return 0; +-- +2.43.0 + diff --git a/queue-5.4/crypto-sahara-fix-error-handling-in-sahara_hw_descri.patch b/queue-5.4/crypto-sahara-fix-error-handling-in-sahara_hw_descri.patch new file mode 100644 index 00000000000..5f660b5ccfd --- /dev/null +++ b/queue-5.4/crypto-sahara-fix-error-handling-in-sahara_hw_descri.patch @@ -0,0 +1,54 @@ +From 3ed4571401322dbdbf415198de015afe7ee8c6ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 19:06:23 +0200 +Subject: crypto: sahara - fix error handling in sahara_hw_descriptor_create() + +From: Ovidiu Panait + +[ Upstream commit ee6e6f0a7f5b39d50a5ef5fcc006f4f693db18a7 ] + +Do not call dma_unmap_sg() for scatterlists that were not mapped +successfully. + +Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index c62f9ce6adc0..e505c01b7a05 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -481,13 +481,14 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev) + DMA_TO_DEVICE); + if (ret != dev->nb_in_sg) { + dev_err(dev->device, "couldn't map in sg\n"); +- goto unmap_in; ++ return -EINVAL; + } ++ + ret = dma_map_sg(dev->device, dev->out_sg, dev->nb_out_sg, + DMA_FROM_DEVICE); + if (ret != dev->nb_out_sg) { + dev_err(dev->device, "couldn't map out sg\n"); +- goto unmap_out; ++ goto unmap_in; + } + + /* Create input links */ +@@ -535,9 +536,6 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev) + + return 0; + +-unmap_out: +- dma_unmap_sg(dev->device, dev->out_sg, dev->nb_out_sg, +- DMA_FROM_DEVICE); + unmap_in: + dma_unmap_sg(dev->device, dev->in_sg, dev->nb_in_sg, + DMA_TO_DEVICE); +-- +2.43.0 + diff --git a/queue-5.4/crypto-sahara-fix-processing-hash-requests-with-req-.patch b/queue-5.4/crypto-sahara-fix-processing-hash-requests-with-req-.patch new file mode 100644 index 00000000000..d6688ca9788 --- /dev/null +++ b/queue-5.4/crypto-sahara-fix-processing-hash-requests-with-req-.patch @@ -0,0 +1,56 @@ +From 55619a5e734cc82a5c78100413cfd94b38c46a51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 10:21:35 +0200 +Subject: crypto: sahara - fix processing hash requests with req->nbytes < + sg->length + +From: Ovidiu Panait + +[ Upstream commit 7bafa74d1ba35dcc173e1ce915e983d65905f77e ] + +It's not always the case that the entire sg entry needs to be processed. +Currently, when nbytes is less than sg->length, "Descriptor length" errors +are encountered. + +To fix this, take the actual request size into account when populating the +hw links. + +Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index dbccf9264406..0f4bb8574a4a 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -792,6 +792,7 @@ static int sahara_sha_hw_links_create(struct sahara_dev *dev, + int start) + { + struct scatterlist *sg; ++ unsigned int len; + unsigned int i; + int ret; + +@@ -813,12 +814,14 @@ static int sahara_sha_hw_links_create(struct sahara_dev *dev, + if (!ret) + return -EFAULT; + ++ len = rctx->total; + for (i = start; i < dev->nb_in_sg + start; i++) { +- dev->hw_link[i]->len = sg->length; ++ dev->hw_link[i]->len = min(len, sg->length); + dev->hw_link[i]->p = sg->dma_address; + if (i == (dev->nb_in_sg + start - 1)) { + dev->hw_link[i]->next = 0; + } else { ++ len -= min(len, sg->length); + dev->hw_link[i]->next = dev->hw_phys_link[i + 1]; + sg = sg_next(sg); + } +-- +2.43.0 + diff --git a/queue-5.4/crypto-sahara-fix-processing-requests-with-cryptlen-.patch b/queue-5.4/crypto-sahara-fix-processing-requests-with-cryptlen-.patch new file mode 100644 index 00000000000..04ea6c10c76 --- /dev/null +++ b/queue-5.4/crypto-sahara-fix-processing-requests-with-cryptlen-.patch @@ -0,0 +1,72 @@ +From 7cedc0c5c95b4888af3ddf1f991c3f01708eaf8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 19:06:22 +0200 +Subject: crypto: sahara - fix processing requests with cryptlen < sg->length + +From: Ovidiu Panait + +[ Upstream commit 5b8668ce3452827d27f8c34ff6ba080a8f983ed0 ] + +It's not always the case that the entire sg entry needs to be processed. +Currently, when cryptlen is less than sg->legth, "Descriptor length" errors +are encountered. + +The error was noticed when testing xts(sahara-ecb-aes) with arbitrary sized +input data. To fix this, take the actual request size into account when +populating the hw links. + +Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index b48f92c8cd0f..c62f9ce6adc0 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -442,6 +442,7 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev) + int ret; + int i, j; + int idx = 0; ++ u32 len; + + memcpy(dev->key_base, ctx->key, ctx->keylen); + +@@ -492,12 +493,14 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev) + /* Create input links */ + dev->hw_desc[idx]->p1 = dev->hw_phys_link[0]; + sg = dev->in_sg; ++ len = dev->total; + for (i = 0; i < dev->nb_in_sg; i++) { +- dev->hw_link[i]->len = sg->length; ++ dev->hw_link[i]->len = min(len, sg->length); + dev->hw_link[i]->p = sg->dma_address; + if (i == (dev->nb_in_sg - 1)) { + dev->hw_link[i]->next = 0; + } else { ++ len -= min(len, sg->length); + dev->hw_link[i]->next = dev->hw_phys_link[i + 1]; + sg = sg_next(sg); + } +@@ -506,12 +509,14 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev) + /* Create output links */ + dev->hw_desc[idx]->p2 = dev->hw_phys_link[i]; + sg = dev->out_sg; ++ len = dev->total; + for (j = i; j < dev->nb_out_sg + i; j++) { +- dev->hw_link[j]->len = sg->length; ++ dev->hw_link[j]->len = min(len, sg->length); + dev->hw_link[j]->p = sg->dma_address; + if (j == (dev->nb_out_sg + i - 1)) { + dev->hw_link[j]->next = 0; + } else { ++ len -= min(len, sg->length); + dev->hw_link[j]->next = dev->hw_phys_link[j + 1]; + sg = sg_next(sg); + } +-- +2.43.0 + diff --git a/queue-5.4/crypto-sahara-fix-wait_for_completion_timeout-error-.patch b/queue-5.4/crypto-sahara-fix-wait_for_completion_timeout-error-.patch new file mode 100644 index 00000000000..7a76300134b --- /dev/null +++ b/queue-5.4/crypto-sahara-fix-wait_for_completion_timeout-error-.patch @@ -0,0 +1,70 @@ +From 6d3668a4ee54314a524f4d5c2c46a021e54f1991 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 10:21:33 +0200 +Subject: crypto: sahara - fix wait_for_completion_timeout() error handling + +From: Ovidiu Panait + +[ Upstream commit 2dba8e1d1a7957dcbe7888846268538847b471d1 ] + +The sg lists are not unmapped in case of timeout errors. Fix this. + +Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") +Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index 1284991cd40d..7d24e802d382 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -580,16 +580,17 @@ static int sahara_aes_process(struct ablkcipher_request *req) + + timeout = wait_for_completion_timeout(&dev->dma_completion, + msecs_to_jiffies(SAHARA_TIMEOUT_MS)); +- if (!timeout) { +- dev_err(dev->device, "AES timeout\n"); +- return -ETIMEDOUT; +- } + + dma_unmap_sg(dev->device, dev->out_sg, dev->nb_out_sg, + DMA_FROM_DEVICE); + dma_unmap_sg(dev->device, dev->in_sg, dev->nb_in_sg, + DMA_TO_DEVICE); + ++ if (!timeout) { ++ dev_err(dev->device, "AES timeout\n"); ++ return -ETIMEDOUT; ++ } ++ + return 0; + } + +@@ -1023,15 +1024,16 @@ static int sahara_sha_process(struct ahash_request *req) + + timeout = wait_for_completion_timeout(&dev->dma_completion, + msecs_to_jiffies(SAHARA_TIMEOUT_MS)); +- if (!timeout) { +- dev_err(dev->device, "SHA timeout\n"); +- return -ETIMEDOUT; +- } + + if (rctx->sg_in_idx) + dma_unmap_sg(dev->device, dev->in_sg, dev->nb_in_sg, + DMA_TO_DEVICE); + ++ if (!timeout) { ++ dev_err(dev->device, "SHA timeout\n"); ++ return -ETIMEDOUT; ++ } ++ + memcpy(rctx->context, dev->context_base, rctx->context_size); + + if (req->result && rctx->last) +-- +2.43.0 + diff --git a/queue-5.4/crypto-sahara-improve-error-handling-in-sahara_sha_p.patch b/queue-5.4/crypto-sahara-improve-error-handling-in-sahara_sha_p.patch new file mode 100644 index 00000000000..0c75f1c28d8 --- /dev/null +++ b/queue-5.4/crypto-sahara-improve-error-handling-in-sahara_sha_p.patch @@ -0,0 +1,51 @@ +From 2ee4c9ac9f1776ef0ca639a58a576ae189faf269 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 10:21:34 +0200 +Subject: crypto: sahara - improve error handling in sahara_sha_process() + +From: Ovidiu Panait + +[ Upstream commit 5deff027fca49a1eb3b20359333cf2ae562a2343 ] + +sahara_sha_hw_data_descriptor_create() returns negative error codes on +failure, so make sure the errors are correctly handled / propagated. + +Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index 7d24e802d382..dbccf9264406 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -1003,7 +1003,10 @@ static int sahara_sha_process(struct ahash_request *req) + return ret; + + if (rctx->first) { +- sahara_sha_hw_data_descriptor_create(dev, rctx, req, 0); ++ ret = sahara_sha_hw_data_descriptor_create(dev, rctx, req, 0); ++ if (ret) ++ return ret; ++ + dev->hw_desc[0]->next = 0; + rctx->first = 0; + } else { +@@ -1011,7 +1014,10 @@ static int sahara_sha_process(struct ahash_request *req) + + sahara_sha_hw_context_descriptor_create(dev, rctx, req, 0); + dev->hw_desc[0]->next = dev->hw_phys_desc[1]; +- sahara_sha_hw_data_descriptor_create(dev, rctx, req, 1); ++ ret = sahara_sha_hw_data_descriptor_create(dev, rctx, req, 1); ++ if (ret) ++ return ret; ++ + dev->hw_desc[1]->next = 0; + } + +-- +2.43.0 + diff --git a/queue-5.4/crypto-sahara-remove-flags_new_key-logic.patch b/queue-5.4/crypto-sahara-remove-flags_new_key-logic.patch new file mode 100644 index 00000000000..ddee7dc4472 --- /dev/null +++ b/queue-5.4/crypto-sahara-remove-flags_new_key-logic.patch @@ -0,0 +1,105 @@ +From 54b300e300e552a0694072f31eac21c65c4ed1b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 19:06:19 +0200 +Subject: crypto: sahara - remove FLAGS_NEW_KEY logic + +From: Ovidiu Panait + +[ Upstream commit 8fd183435728b139248a77978ea3732039341779 ] + +Remove the FLAGS_NEW_KEY logic as it has the following issues: +- the wrong key may end up being used when there are multiple data streams: + t1 t2 + setkey() + encrypt() + setkey() + encrypt() + + encrypt() <--- key from t2 is used +- switching between encryption and decryption with the same key is not + possible, as the hdr flags are only updated when a new setkey() is + performed + +With this change, the key is always sent along with the cryptdata when +performing encryption/decryption operations. + +Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 34 +++++++++++++--------------------- + 1 file changed, 13 insertions(+), 21 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index 8ac8ec6decd5..e44dd34f8559 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -43,7 +43,6 @@ + #define FLAGS_MODE_MASK 0x000f + #define FLAGS_ENCRYPT BIT(0) + #define FLAGS_CBC BIT(1) +-#define FLAGS_NEW_KEY BIT(3) + + #define SAHARA_HDR_BASE 0x00800000 + #define SAHARA_HDR_SKHA_ALG_AES 0 +@@ -141,8 +140,6 @@ struct sahara_hw_link { + }; + + struct sahara_ctx { +- unsigned long flags; +- + /* AES-specific context */ + int keylen; + u8 key[AES_KEYSIZE_128]; +@@ -446,26 +443,22 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev) + int i, j; + int idx = 0; + +- /* Copy new key if necessary */ +- if (ctx->flags & FLAGS_NEW_KEY) { +- memcpy(dev->key_base, ctx->key, ctx->keylen); +- ctx->flags &= ~FLAGS_NEW_KEY; ++ memcpy(dev->key_base, ctx->key, ctx->keylen); + +- if (dev->flags & FLAGS_CBC) { +- dev->hw_desc[idx]->len1 = AES_BLOCK_SIZE; +- dev->hw_desc[idx]->p1 = dev->iv_phys_base; +- } else { +- dev->hw_desc[idx]->len1 = 0; +- dev->hw_desc[idx]->p1 = 0; +- } +- dev->hw_desc[idx]->len2 = ctx->keylen; +- dev->hw_desc[idx]->p2 = dev->key_phys_base; +- dev->hw_desc[idx]->next = dev->hw_phys_desc[1]; ++ if (dev->flags & FLAGS_CBC) { ++ dev->hw_desc[idx]->len1 = AES_BLOCK_SIZE; ++ dev->hw_desc[idx]->p1 = dev->iv_phys_base; ++ } else { ++ dev->hw_desc[idx]->len1 = 0; ++ dev->hw_desc[idx]->p1 = 0; ++ } ++ dev->hw_desc[idx]->len2 = ctx->keylen; ++ dev->hw_desc[idx]->p2 = dev->key_phys_base; ++ dev->hw_desc[idx]->next = dev->hw_phys_desc[1]; ++ dev->hw_desc[idx]->hdr = sahara_aes_key_hdr(dev); + +- dev->hw_desc[idx]->hdr = sahara_aes_key_hdr(dev); ++ idx++; + +- idx++; +- } + + dev->nb_in_sg = sg_nents_for_len(dev->in_sg, dev->total); + if (dev->nb_in_sg < 0) { +@@ -608,7 +601,6 @@ static int sahara_aes_setkey(struct crypto_ablkcipher *tfm, const u8 *key, + /* SAHARA only supports 128bit keys */ + if (keylen == AES_KEYSIZE_128) { + memcpy(ctx->key, key, keylen); +- ctx->flags |= FLAGS_NEW_KEY; + return 0; + } + +-- +2.43.0 + diff --git a/queue-5.4/crypto-scomp-fix-req-dst-buffer-overflow.patch b/queue-5.4/crypto-scomp-fix-req-dst-buffer-overflow.patch new file mode 100644 index 00000000000..f3a40262b93 --- /dev/null +++ b/queue-5.4/crypto-scomp-fix-req-dst-buffer-overflow.patch @@ -0,0 +1,57 @@ +From 1771569a824584bca01cd5015fa9b2b8199e088b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Dec 2023 09:35:23 +0000 +Subject: crypto: scomp - fix req->dst buffer overflow + +From: Chengming Zhou + +[ Upstream commit 744e1885922a9943458954cfea917b31064b4131 ] + +The req->dst buffer size should be checked before copying from the +scomp_scratch->dst to avoid req->dst buffer overflow problem. + +Fixes: 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface") +Reported-by: syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/0000000000000b05cd060d6b5511@google.com/ +Signed-off-by: Chengming Zhou +Reviewed-by: Barry Song +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/scompress.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/crypto/scompress.c b/crypto/scompress.c +index 4d50750d01c6..ec849790f728 100644 +--- a/crypto/scompress.c ++++ b/crypto/scompress.c +@@ -124,6 +124,7 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) + struct crypto_scomp *scomp = *tfm_ctx; + void **ctx = acomp_request_ctx(req); + struct scomp_scratch *scratch; ++ unsigned int dlen; + int ret; + + if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE) +@@ -135,6 +136,8 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) + if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE) + req->dlen = SCOMP_SCRATCH_SIZE; + ++ dlen = req->dlen; ++ + scratch = raw_cpu_ptr(&scomp_scratch); + spin_lock(&scratch->lock); + +@@ -152,6 +155,9 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) + ret = -ENOMEM; + goto out; + } ++ } else if (req->dlen > dlen) { ++ ret = -ENOSPC; ++ goto out; + } + scatterwalk_map_and_copy(scratch->dst, req->dst, 0, req->dlen, + 1); +-- +2.43.0 + diff --git a/queue-5.4/crypto-virtio-don-t-use-default-m.patch b/queue-5.4/crypto-virtio-don-t-use-default-m.patch new file mode 100644 index 00000000000..5b13a6b7a2a --- /dev/null +++ b/queue-5.4/crypto-virtio-don-t-use-default-m.patch @@ -0,0 +1,38 @@ +From 8d6858ae1cb430a76b125101c1d26622c9a9fe73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Aug 2020 12:20:53 -0700 +Subject: crypto: virtio - don't use 'default m' + +From: Ram Muthiah + +[ Upstream commit b1a5c9a620f2b1792e51ae3961b16943e4f874f2 ] + +Drivers shouldn't be enabled by default unless there is a very good +reason to do so. There doesn't seem to be any such reason for the +virtio crypto driver, so change it to the default of 'n'. + +Signed-off-by: Ram Muthiah +[EB: adjusted commit message] +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Stable-dep-of: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet") +Signed-off-by: Sasha Levin +--- + drivers/crypto/virtio/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/crypto/virtio/Kconfig b/drivers/crypto/virtio/Kconfig +index 01b625e4e5ad..6d3deb025b2a 100644 +--- a/drivers/crypto/virtio/Kconfig ++++ b/drivers/crypto/virtio/Kconfig +@@ -5,7 +5,6 @@ config CRYPTO_DEV_VIRTIO + select CRYPTO_AEAD + select CRYPTO_BLKCIPHER + select CRYPTO_ENGINE +- default m + help + This driver provides support for virtio crypto device. If you + choose 'M' here, this module will be called virtio_crypto. +-- +2.43.0 + diff --git a/queue-5.4/crypto-virtio-handle-dataq-logic-with-tasklet.patch b/queue-5.4/crypto-virtio-handle-dataq-logic-with-tasklet.patch new file mode 100644 index 00000000000..ab03ea43f9e --- /dev/null +++ b/queue-5.4/crypto-virtio-handle-dataq-logic-with-tasklet.patch @@ -0,0 +1,99 @@ +From 3cd65dfc43586d5e0c318608bd5bf998ef9eca0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 11:49:45 +0000 +Subject: crypto: virtio - Handle dataq logic with tasklet + +From: Gonglei (Arei) + +[ Upstream commit fed93fb62e05c38152b0fc1dc9609639e63eed76 ] + +Doing ipsec produces a spinlock recursion warning. +This is due to crypto_finalize_request() being called in the upper half. +Move virtual data queue processing of virtio-crypto driver to tasklet. + +Fixes: dbaf0624ffa57 ("crypto: add virtio-crypto driver") +Reported-by: Halil Pasic +Signed-off-by: wangyangxin +Signed-off-by: Gonglei +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/virtio/virtio_crypto_common.h | 2 ++ + drivers/crypto/virtio/virtio_crypto_core.c | 23 +++++++++++--------- + 2 files changed, 15 insertions(+), 10 deletions(-) + +diff --git a/drivers/crypto/virtio/virtio_crypto_common.h b/drivers/crypto/virtio/virtio_crypto_common.h +index 1c6e00da5a29..947a6e01d93f 100644 +--- a/drivers/crypto/virtio/virtio_crypto_common.h ++++ b/drivers/crypto/virtio/virtio_crypto_common.h +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -27,6 +28,7 @@ struct data_queue { + char name[32]; + + struct crypto_engine *engine; ++ struct tasklet_struct done_task; + }; + + struct virtio_crypto { +diff --git a/drivers/crypto/virtio/virtio_crypto_core.c b/drivers/crypto/virtio/virtio_crypto_core.c +index c8a962c62663..7c64862f1194 100644 +--- a/drivers/crypto/virtio/virtio_crypto_core.c ++++ b/drivers/crypto/virtio/virtio_crypto_core.c +@@ -22,27 +22,28 @@ virtcrypto_clear_request(struct virtio_crypto_request *vc_req) + } + } + +-static void virtcrypto_dataq_callback(struct virtqueue *vq) ++static void virtcrypto_done_task(unsigned long data) + { +- struct virtio_crypto *vcrypto = vq->vdev->priv; ++ struct data_queue *data_vq = (struct data_queue *)data; ++ struct virtqueue *vq = data_vq->vq; + struct virtio_crypto_request *vc_req; +- unsigned long flags; + unsigned int len; +- unsigned int qid = vq->index; + +- spin_lock_irqsave(&vcrypto->data_vq[qid].lock, flags); + do { + virtqueue_disable_cb(vq); + while ((vc_req = virtqueue_get_buf(vq, &len)) != NULL) { +- spin_unlock_irqrestore( +- &vcrypto->data_vq[qid].lock, flags); + if (vc_req->alg_cb) + vc_req->alg_cb(vc_req, len); +- spin_lock_irqsave( +- &vcrypto->data_vq[qid].lock, flags); + } + } while (!virtqueue_enable_cb(vq)); +- spin_unlock_irqrestore(&vcrypto->data_vq[qid].lock, flags); ++} ++ ++static void virtcrypto_dataq_callback(struct virtqueue *vq) ++{ ++ struct virtio_crypto *vcrypto = vq->vdev->priv; ++ struct data_queue *dq = &vcrypto->data_vq[vq->index]; ++ ++ tasklet_schedule(&dq->done_task); + } + + static int virtcrypto_find_vqs(struct virtio_crypto *vi) +@@ -99,6 +100,8 @@ static int virtcrypto_find_vqs(struct virtio_crypto *vi) + ret = -ENOMEM; + goto err_engine; + } ++ tasklet_init(&vi->data_vq[i].done_task, virtcrypto_done_task, ++ (unsigned long)&vi->data_vq[i]); + } + + kfree(names); +-- +2.43.0 + diff --git a/queue-5.4/crypto-virtio-wait-for-tasklet-to-complete-on-device.patch b/queue-5.4/crypto-virtio-wait-for-tasklet-to-complete-on-device.patch new file mode 100644 index 00000000000..39c1a99b640 --- /dev/null +++ b/queue-5.4/crypto-virtio-wait-for-tasklet-to-complete-on-device.patch @@ -0,0 +1,42 @@ +From 4fca80617d3be71a8dcd2ba752e58660f559f99f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 19:42:15 +0800 +Subject: crypto: virtio - Wait for tasklet to complete on device remove + +From: wangyangxin + +[ Upstream commit 67cc511e8d436456cc98033e6d4ba83ebfc8e672 ] + +The scheduled tasklet needs to be executed on device remove. + +Fixes: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet") +Signed-off-by: wangyangxin +Signed-off-by: Gonglei +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/virtio/virtio_crypto_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/virtio/virtio_crypto_core.c b/drivers/crypto/virtio/virtio_crypto_core.c +index 7c64862f1194..469da86c4084 100644 +--- a/drivers/crypto/virtio/virtio_crypto_core.c ++++ b/drivers/crypto/virtio/virtio_crypto_core.c +@@ -434,11 +434,14 @@ static void virtcrypto_free_unused_reqs(struct virtio_crypto *vcrypto) + static void virtcrypto_remove(struct virtio_device *vdev) + { + struct virtio_crypto *vcrypto = vdev->priv; ++ int i; + + dev_info(&vdev->dev, "Start virtcrypto_remove.\n"); + + if (virtcrypto_dev_started(vcrypto)) + virtcrypto_dev_stop(vcrypto); ++ for (i = 0; i < vcrypto->max_data_queues; i++) ++ tasklet_kill(&vcrypto->data_vq[i].done_task); + vdev->config->reset(vdev); + virtcrypto_free_unused_reqs(vcrypto); + virtcrypto_clear_crypto_engines(vcrypto); +-- +2.43.0 + diff --git a/queue-5.4/dma-mapping-clear-dev-dma_mem-to-null-after-freeing-.patch b/queue-5.4/dma-mapping-clear-dev-dma_mem-to-null-after-freeing-.patch new file mode 100644 index 00000000000..d036ba9df07 --- /dev/null +++ b/queue-5.4/dma-mapping-clear-dev-dma_mem-to-null-after-freeing-.patch @@ -0,0 +1,44 @@ +From d51d0c8a2dbc63be114a2e5b7c7ae53b63d916f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 16:25:26 +0800 +Subject: dma-mapping: clear dev->dma_mem to NULL after freeing it + +From: Joakim Zhang + +[ Upstream commit b07bc2347672cc8c7293c64499f1488278c5ca3d ] + +Reproduced with below sequence: +dma_declare_coherent_memory()->dma_release_coherent_memory() +->dma_declare_coherent_memory()->"return -EBUSY" error + +It will return -EBUSY from the dma_assign_coherent_memory() +in dma_declare_coherent_memory(), the reason is that dev->dma_mem +pointer has not been set to NULL after it's freed. + +Fixes: cf65a0f6f6ff ("dma-mapping: move all DMA mapping code to kernel/dma") +Signed-off-by: Joakim Zhang +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/coherent.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/dma/coherent.c b/kernel/dma/coherent.c +index 2a0c4985f38e..d164b3dbcd93 100644 +--- a/kernel/dma/coherent.c ++++ b/kernel/dma/coherent.c +@@ -323,8 +323,10 @@ static int rmem_dma_device_init(struct reserved_mem *rmem, struct device *dev) + static void rmem_dma_device_release(struct reserved_mem *rmem, + struct device *dev) + { +- if (dev) ++ if (dev) { + dev->dma_mem = NULL; ++ dev->dma_mem = NULL; ++ } + } + + static const struct reserved_mem_ops rmem_dma_ops = { +-- +2.43.0 + diff --git a/queue-5.4/drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch b/queue-5.4/drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch new file mode 100644 index 00000000000..42af6da0141 --- /dev/null +++ b/queue-5.4/drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch @@ -0,0 +1,48 @@ +From 312e5e74c5a6130079d8976150a7d582db4f98ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 00:24:58 +0800 +Subject: drivers/amd/pm: fix a use-after-free in kv_parse_power_table + +From: Zhipeng Lu + +[ Upstream commit 28dd788382c43b330480f57cd34cde0840896743 ] + +When ps allocated by kzalloc equals to NULL, kv_parse_power_table +frees adev->pm.dpm.ps that allocated before. However, after the control +flow goes through the following call chains: + +kv_parse_power_table + |-> kv_dpm_init + |-> kv_dpm_sw_init + |-> kv_dpm_fini + +The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its +first free in kv_parse_power_table and causes a use-after-free bug. + +Fixes: a2e73f56fa62 ("drm/amdgpu: Add support for CIK parts") +Signed-off-by: Zhipeng Lu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c +index c8a5a5698edd..6eb6f05c1136 100644 +--- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c ++++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c +@@ -2733,10 +2733,8 @@ static int kv_parse_power_table(struct amdgpu_device *adev) + non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) + &non_clock_info_array->nonClockInfo[non_clock_array_index]; + ps = kzalloc(sizeof(struct kv_ps), GFP_KERNEL); +- if (ps == NULL) { +- kfree(adev->pm.dpm.ps); ++ if (ps == NULL) + return -ENOMEM; +- } + adev->pm.dpm.ps[i].ps_priv = ps; + k = 0; + idx = (u8 *)&power_state->v2.clockInfoIndex[0]; +-- +2.43.0 + diff --git a/queue-5.4/drivers-clk-zynqmp-calculate-closest-mux-rate.patch b/queue-5.4/drivers-clk-zynqmp-calculate-closest-mux-rate.patch new file mode 100644 index 00000000000..3d5efd5d8bd --- /dev/null +++ b/queue-5.4/drivers-clk-zynqmp-calculate-closest-mux-rate.patch @@ -0,0 +1,61 @@ +From 958379cf0b336eb3973d16e168d6152fb798ceb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 03:29:15 -0800 +Subject: drivers: clk: zynqmp: calculate closest mux rate + +From: Jay Buddhabhatti + +[ Upstream commit b782921ddd7f84f524723090377903f399fdbbcb ] + +Currently zynqmp clock driver is not calculating closest mux rate and +because of that Linux is not setting proper frequency for CPU and +not able to set given frequency for dynamic frequency scaling. + +E.g., In current logic initial acpu clock parent and frequency as below +apll1 0 0 0 2199999978 0 0 50000 Y + acpu0_mux 0 0 0 2199999978 0 0 50000 Y + acpu0_idiv1 0 0 0 2199999978 0 0 50000 Y + acpu0 0 0 0 2199999978 0 0 50000 Y + +After changing acpu frequency to 549999994 Hz using CPU freq scaling its +selecting incorrect parent which is not closest frequency. +rpll_to_xpd 0 0 0 1599999984 0 0 50000 Y + acpu0_mux 0 0 0 1599999984 0 0 50000 Y + acpu0_div1 0 0 0 533333328 0 0 50000 Y + acpu0 0 0 0 533333328 0 0 50000 Y + +Parent should remain same since 549999994 = 2199999978 / 4. + +So use __clk_mux_determine_rate_closest() generic function to calculate +closest rate for mux clock. After this change its selecting correct +parent and correct clock rate. +apll1 0 0 0 2199999978 0 0 50000 Y + acpu0_mux 0 0 0 2199999978 0 0 50000 Y + acpu0_div1 0 0 0 549999995 0 0 50000 Y + acpu0 0 0 0 549999995 0 0 50000 Y + +Fixes: 3fde0e16d016 ("drivers: clk: Add ZynqMP clock driver") +Signed-off-by: Jay Buddhabhatti +Link: https://lore.kernel.org/r/20231129112916.23125-2-jay.buddhabhatti@amd.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/zynqmp/clk-mux-zynqmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/zynqmp/clk-mux-zynqmp.c b/drivers/clk/zynqmp/clk-mux-zynqmp.c +index 0af8f74c5fa5..880ea34c0038 100644 +--- a/drivers/clk/zynqmp/clk-mux-zynqmp.c ++++ b/drivers/clk/zynqmp/clk-mux-zynqmp.c +@@ -85,7 +85,7 @@ static int zynqmp_clk_mux_set_parent(struct clk_hw *hw, u8 index) + static const struct clk_ops zynqmp_clk_mux_ops = { + .get_parent = zynqmp_clk_mux_get_parent, + .set_parent = zynqmp_clk_mux_set_parent, +- .determine_rate = __clk_mux_determine_rate, ++ .determine_rate = __clk_mux_determine_rate_closest, + }; + + static const struct clk_ops zynqmp_clk_mux_ro_ops = { +-- +2.43.0 + diff --git a/queue-5.4/drm-amd-pm-fix-a-double-free-in-si_dpm_init.patch b/queue-5.4/drm-amd-pm-fix-a-double-free-in-si_dpm_init.patch new file mode 100644 index 00000000000..2e8375bb95c --- /dev/null +++ b/queue-5.4/drm-amd-pm-fix-a-double-free-in-si_dpm_init.patch @@ -0,0 +1,45 @@ +From c3e2eb5c4ac3d40c123aac0386d741f99560112c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 23:24:11 +0800 +Subject: drm/amd/pm: fix a double-free in si_dpm_init + +From: Zhipeng Lu + +[ Upstream commit ac16667237a82e2597e329eb9bc520d1cf9dff30 ] + +When the allocation of +adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails, +amdgpu_free_extended_power_table is called to free some fields of adev. +However, when the control flow returns to si_dpm_sw_init, it goes to +label dpm_failed and calls si_dpm_fini, which calls +amdgpu_free_extended_power_table again and free those fields again. Thus +a double-free is triggered. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Signed-off-by: Zhipeng Lu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/si_dpm.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/si_dpm.c b/drivers/gpu/drm/amd/amdgpu/si_dpm.c +index 9931d5c17cfb..6d7fd45b3129 100644 +--- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c ++++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c +@@ -7349,10 +7349,9 @@ static int si_dpm_init(struct amdgpu_device *adev) + kcalloc(4, + sizeof(struct amdgpu_clock_voltage_dependency_entry), + GFP_KERNEL); +- if (!adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries) { +- amdgpu_free_extended_power_table(adev); ++ if (!adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries) + return -ENOMEM; +- } ++ + adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.count = 4; + adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries[0].clk = 0; + adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries[0].v = 0; +-- +2.43.0 + diff --git a/queue-5.4/drm-amdgpu-debugfs-fix-error-code-when-smc-register-.patch b/queue-5.4/drm-amdgpu-debugfs-fix-error-code-when-smc-register-.patch new file mode 100644 index 00000000000..34f84b86e73 --- /dev/null +++ b/queue-5.4/drm-amdgpu-debugfs-fix-error-code-when-smc-register-.patch @@ -0,0 +1,48 @@ +From 4a5a398771ad7bc8c50ec06c9ec53bbb449f1a6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 17:26:29 -0500 +Subject: drm/amdgpu/debugfs: fix error code when smc register accessors are + NULL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit afe58346d5d3887b3e49ff623d2f2e471f232a8d ] + +Should be -EOPNOTSUPP. + +Fixes: 5104fdf50d32 ("drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL") +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +index d81034023144..48b8b5600402 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +@@ -393,7 +393,7 @@ static ssize_t amdgpu_debugfs_regs_smc_read(struct file *f, char __user *buf, + int r; + + if (!adev->smc_rreg) +- return -EPERM; ++ return -EOPNOTSUPP; + + if (size & 0x3 || *pos & 0x3) + return -EINVAL; +@@ -435,7 +435,7 @@ static ssize_t amdgpu_debugfs_regs_smc_write(struct file *f, const char __user * + int r; + + if (!adev->smc_wreg) +- return -EPERM; ++ return -EOPNOTSUPP; + + if (size & 0x3 || *pos & 0x3) + return -EINVAL; +-- +2.43.0 + diff --git a/queue-5.4/drm-bridge-fix-typo-in-post_disable-description.patch b/queue-5.4/drm-bridge-fix-typo-in-post_disable-description.patch new file mode 100644 index 00000000000..2ef95c4a15a --- /dev/null +++ b/queue-5.4/drm-bridge-fix-typo-in-post_disable-description.patch @@ -0,0 +1,36 @@ +From 85fc90288bccc13e92aaec6ef001f7eff5e2d449 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Nov 2023 10:42:30 +0100 +Subject: drm/bridge: Fix typo in post_disable() description + +From: Dario Binacchi + +[ Upstream commit 288b039db225676e0c520c981a1b5a2562d893a3 ] + +s/singals/signals/ + +Fixes: 199e4e967af4 ("drm: Extract drm_bridge.h") +Signed-off-by: Dario Binacchi +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20231124094253.658064-1-dario.binacchi@amarulasolutions.com +Signed-off-by: Sasha Levin +--- + include/drm/drm_bridge.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h +index 9f7192366cfb..64172de5029d 100644 +--- a/include/drm/drm_bridge.h ++++ b/include/drm/drm_bridge.h +@@ -162,7 +162,7 @@ struct drm_bridge_funcs { + * or &drm_encoder_helper_funcs.dpms hook. + * + * The bridge must assume that the display pipe (i.e. clocks and timing +- * singals) feeding it is no longer running when this callback is ++ * signals) feeding it is no longer running when this callback is + * called. + * + * The post_disable callback is optional. +-- +2.43.0 + diff --git a/queue-5.4/drm-bridge-tc358767-fix-return-value-on-error-case.patch b/queue-5.4/drm-bridge-tc358767-fix-return-value-on-error-case.patch new file mode 100644 index 00000000000..681f37bca09 --- /dev/null +++ b/queue-5.4/drm-bridge-tc358767-fix-return-value-on-error-case.patch @@ -0,0 +1,39 @@ +From 2f5c2c68162c0ef01c3d43e47cdfe8a5d52841c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 15:14:06 +0200 +Subject: drm/bridge: tc358767: Fix return value on error case + +From: Tomi Valkeinen + +[ Upstream commit 32bd29b619638256c5b75fb021d6d9f12fc4a984 ] + +If the hpd_pin is invalid, the driver returns 'ret'. But 'ret' contains +0, instead of an error value. + +Return -EINVAL instead. + +Fixes: f25ee5017e4f ("drm/bridge: tc358767: add IRQ and HPD support") +Acked-by: Maxime Ripard +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20231103-uninit-fixes-v2-4-c22b2444f5f5@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358767.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c +index 0454675a44cb..a58943115241 100644 +--- a/drivers/gpu/drm/bridge/tc358767.c ++++ b/drivers/gpu/drm/bridge/tc358767.c +@@ -1574,7 +1574,7 @@ static int tc_probe(struct i2c_client *client, const struct i2c_device_id *id) + } else { + if (tc->hpd_pin < 0 || tc->hpd_pin > 1) { + dev_err(dev, "failed to parse HPD number\n"); +- return ret; ++ return -EINVAL; + } + } + +-- +2.43.0 + diff --git a/queue-5.4/drm-drv-propagate-errors-from-drm_modeset_register_a.patch b/queue-5.4/drm-drv-propagate-errors-from-drm_modeset_register_a.patch new file mode 100644 index 00000000000..d2643bbabf6 --- /dev/null +++ b/queue-5.4/drm-drv-propagate-errors-from-drm_modeset_register_a.patch @@ -0,0 +1,54 @@ +From a6d24efb6ea75d762a8ef90b516999eff3654209 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Dec 2023 01:55:52 +0300 +Subject: drm/drv: propagate errors from drm_modeset_register_all() + +From: Dmitry Baryshkov + +[ Upstream commit 5f8dec200923a76dc57187965fd59c1136f5d085 ] + +In case the drm_modeset_register_all() function fails, its error code +will be ignored. Instead make the drm_dev_register() bail out in case of +such an error. + +Fixes: 79190ea2658a ("drm: Add callbacks for late registering") +Reviewed-by: Neil Armstrong +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20231202225552.1283638-1-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_drv.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c +index 769feefeeeef..c9529a808b8e 100644 +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -984,8 +984,11 @@ int drm_dev_register(struct drm_device *dev, unsigned long flags) + goto err_minors; + } + +- if (drm_core_check_feature(dev, DRIVER_MODESET)) +- drm_modeset_register_all(dev); ++ if (drm_core_check_feature(dev, DRIVER_MODESET)) { ++ ret = drm_modeset_register_all(dev); ++ if (ret) ++ goto err_unload; ++ } + + ret = 0; + +@@ -997,6 +1000,9 @@ int drm_dev_register(struct drm_device *dev, unsigned long flags) + + goto out_unlock; + ++err_unload: ++ if (dev->driver->unload) ++ dev->driver->unload(dev); + err_minors: + remove_compat_control_link(dev); + drm_minor_unregister(dev, DRM_MINOR_PRIMARY); +-- +2.43.0 + diff --git a/queue-5.4/drm-msm-dsi-use-pm_runtime_resume_and_get-to-prevent.patch b/queue-5.4/drm-msm-dsi-use-pm_runtime_resume_and_get-to-prevent.patch new file mode 100644 index 00000000000..c732370fe1d --- /dev/null +++ b/queue-5.4/drm-msm-dsi-use-pm_runtime_resume_and_get-to-prevent.patch @@ -0,0 +1,43 @@ +From 5a3291037b3c334a32c5751f41b99f6aa33b0f0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 13:43:20 +0200 +Subject: drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks + +From: Konrad Dybcio + +[ Upstream commit 3d07a411b4faaf2b498760ccf12888f8de529de0 ] + +This helper has been introduced to avoid programmer errors (missing +_put calls leading to dangling refcnt) when using pm_runtime_get, use it. + +While at it, start checking the return value. + +Signed-off-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Fixes: 5c8290284402 ("drm/msm/dsi: Split PHY drivers to separate files") +Patchwork: https://patchwork.freedesktop.org/patch/543350/ +Link: https://lore.kernel.org/r/20230620-topic-dsiphy_rpm-v2-1-a11a751f34f0@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c +index 08a95c3a9444..1582386fe162 100644 +--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c ++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c +@@ -464,7 +464,9 @@ static int dsi_phy_enable_resource(struct msm_dsi_phy *phy) + struct device *dev = &phy->pdev->dev; + int ret; + +- pm_runtime_get_sync(dev); ++ ret = pm_runtime_resume_and_get(dev); ++ if (ret) ++ return ret; + + ret = clk_prepare_enable(phy->ahb_clk); + if (ret) { +-- +2.43.0 + diff --git a/queue-5.4/drm-msm-mdp4-flush-vblank-event-on-disable.patch b/queue-5.4/drm-msm-mdp4-flush-vblank-event-on-disable.patch new file mode 100644 index 00000000000..9c78a067959 --- /dev/null +++ b/queue-5.4/drm-msm-mdp4-flush-vblank-event-on-disable.patch @@ -0,0 +1,53 @@ +From f69462c58e6e36d2292f341bf5fa9dd5d4cdd9b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 00:54:01 +0300 +Subject: drm/msm/mdp4: flush vblank event on disable + +From: Dmitry Baryshkov + +[ Upstream commit c6721b3c6423d8a348ae885a0f4c85e14f9bf85c ] + +Flush queued events when disabling the crtc. This avoids timeouts when +we come back and wait for dependencies (like the previous frame's +flip_done). + +Fixes: c8afe684c95c ("drm/msm: basic KMS driver for snapdragon") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/569127/ +Link: https://lore.kernel.org/r/20231127215401.4064128-1-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c b/drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c +index f34dca5d4532..38274227f2d5 100644 +--- a/drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c ++++ b/drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c +@@ -268,6 +268,7 @@ static void mdp4_crtc_atomic_disable(struct drm_crtc *crtc, + { + struct mdp4_crtc *mdp4_crtc = to_mdp4_crtc(crtc); + struct mdp4_kms *mdp4_kms = get_kms(crtc); ++ unsigned long flags; + + DBG("%s", mdp4_crtc->name); + +@@ -280,6 +281,14 @@ static void mdp4_crtc_atomic_disable(struct drm_crtc *crtc, + mdp_irq_unregister(&mdp4_kms->base, &mdp4_crtc->err); + mdp4_disable(mdp4_kms); + ++ if (crtc->state->event && !crtc->state->active) { ++ WARN_ON(mdp4_crtc->event); ++ spin_lock_irqsave(&mdp4_kms->dev->event_lock, flags); ++ drm_crtc_send_vblank_event(crtc, crtc->state->event); ++ crtc->state->event = NULL; ++ spin_unlock_irqrestore(&mdp4_kms->dev->event_lock, flags); ++ } ++ + mdp4_crtc->enabled = false; + } + +-- +2.43.0 + diff --git a/queue-5.4/drm-radeon-check-return-value-of-radeon_ring_lock.patch b/queue-5.4/drm-radeon-check-return-value-of-radeon_ring_lock.patch new file mode 100644 index 00000000000..3ad2721dbeb --- /dev/null +++ b/queue-5.4/drm-radeon-check-return-value-of-radeon_ring_lock.patch @@ -0,0 +1,42 @@ +From a1783ab5ba78771091e5d0cb5d9017fde4aec88b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 11:04:16 -0700 +Subject: drm/radeon: check return value of radeon_ring_lock() + +From: Nikita Zhandarovich + +[ Upstream commit 71225e1c930942cb1e042fc08c5cc0c4ef30e95e ] + +In the unlikely event of radeon_ring_lock() failing, its errno return +value should be processed. This patch checks said return value and +prints a debug message in case of an error. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 48c0c902e2e6 ("drm/radeon/kms: add support for CP setup on SI") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/si.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c +index 74cbed9377f0..ae74e8b01ee0 100644 +--- a/drivers/gpu/drm/radeon/si.c ++++ b/drivers/gpu/drm/radeon/si.c +@@ -3616,6 +3616,10 @@ static int si_cp_start(struct radeon_device *rdev) + for (i = RADEON_RING_TYPE_GFX_INDEX; i <= CAYMAN_RING_TYPE_CP2_INDEX; ++i) { + ring = &rdev->ring[i]; + r = radeon_ring_lock(rdev, ring, 2); ++ if (r) { ++ DRM_ERROR("radeon: cp failed to lock ring (%d).\n", r); ++ return r; ++ } + + /* clear the compute context state */ + radeon_ring_write(ring, PACKET3_COMPUTE(PACKET3_CLEAR_STATE, 0)); +-- +2.43.0 + diff --git a/queue-5.4/drm-radeon-check-the-alloc_workqueue-return-value-in.patch b/queue-5.4/drm-radeon-check-the-alloc_workqueue-return-value-in.patch new file mode 100644 index 00000000000..ff3af4c0145 --- /dev/null +++ b/queue-5.4/drm-radeon-check-the-alloc_workqueue-return-value-in.patch @@ -0,0 +1,46 @@ +From 6c8cff1749e6722b2a707f2b3ec53186e605e0bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 15:50:16 +0800 +Subject: drm/radeon: check the alloc_workqueue return value in + radeon_crtc_init() + +From: Yang Yingliang + +[ Upstream commit 7a2464fac80d42f6f8819fed97a553e9c2f43310 ] + +check the alloc_workqueue return value in radeon_crtc_init() +to avoid null-ptr-deref. + +Fixes: fa7f517cb26e ("drm/radeon: rework page flip handling v4") +Signed-off-by: Yang Yingliang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_display.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index 27b168936b2a..c7f50d9f7e37 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -682,11 +682,16 @@ static void radeon_crtc_init(struct drm_device *dev, int index) + if (radeon_crtc == NULL) + return; + ++ radeon_crtc->flip_queue = alloc_workqueue("radeon-crtc", WQ_HIGHPRI, 0); ++ if (!radeon_crtc->flip_queue) { ++ kfree(radeon_crtc); ++ return; ++ } ++ + drm_crtc_init(dev, &radeon_crtc->base, &radeon_crtc_funcs); + + drm_mode_crtc_set_gamma_size(&radeon_crtc->base, 256); + radeon_crtc->crtc_id = index; +- radeon_crtc->flip_queue = alloc_workqueue("radeon-crtc", WQ_HIGHPRI, 0); + rdev->mode_info.crtcs[index] = radeon_crtc; + + if (rdev->family >= CHIP_BONAIRE) { +-- +2.43.0 + diff --git a/queue-5.4/drm-radeon-dpm-fix-a-memleak-in-sumo_parse_power_tab.patch b/queue-5.4/drm-radeon-dpm-fix-a-memleak-in-sumo_parse_power_tab.patch new file mode 100644 index 00000000000..6c7b8d6cc26 --- /dev/null +++ b/queue-5.4/drm-radeon-dpm-fix-a-memleak-in-sumo_parse_power_tab.patch @@ -0,0 +1,41 @@ +From 137cd8d355436a43e64b49d2f43cbb3d2b594a36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 16:57:56 +0800 +Subject: drm/radeon/dpm: fix a memleak in sumo_parse_power_table + +From: Zhipeng Lu + +[ Upstream commit 0737df9ed0997f5b8addd6e2b9699a8c6edba2e4 ] + +The rdev->pm.dpm.ps allocated by kcalloc should be freed in every +following error-handling path. However, in the error-handling of +rdev->pm.power_state[i].clock_info the rdev->pm.dpm.ps is not freed, +resulting in a memleak in this function. + +Fixes: 80ea2c129c76 ("drm/radeon/kms: add dpm support for sumo asics (v2)") +Signed-off-by: Zhipeng Lu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/sumo_dpm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/sumo_dpm.c b/drivers/gpu/drm/radeon/sumo_dpm.c +index b95d5d390caf..45d04996adf5 100644 +--- a/drivers/gpu/drm/radeon/sumo_dpm.c ++++ b/drivers/gpu/drm/radeon/sumo_dpm.c +@@ -1493,8 +1493,10 @@ static int sumo_parse_power_table(struct radeon_device *rdev) + non_clock_array_index = power_state->v2.nonClockInfoIndex; + non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) + &non_clock_info_array->nonClockInfo[non_clock_array_index]; +- if (!rdev->pm.power_state[i].clock_info) ++ if (!rdev->pm.power_state[i].clock_info) { ++ kfree(rdev->pm.dpm.ps); + return -EINVAL; ++ } + ps = kzalloc(sizeof(struct sumo_ps), GFP_KERNEL); + if (ps == NULL) { + kfree(rdev->pm.dpm.ps); +-- +2.43.0 + diff --git a/queue-5.4/drm-radeon-r100-fix-integer-overflow-issues-in-r100_.patch b/queue-5.4/drm-radeon-r100-fix-integer-overflow-issues-in-r100_.patch new file mode 100644 index 00000000000..12cd19373d3 --- /dev/null +++ b/queue-5.4/drm-radeon-r100-fix-integer-overflow-issues-in-r100_.patch @@ -0,0 +1,52 @@ +From 214499ef842dbf9a165a6bd6f04ba24496e21d3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 07:22:12 -0800 +Subject: drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check() + +From: Nikita Zhandarovich + +[ Upstream commit b5c5baa458faa5430c445acd9a17481274d77ccf ] + +It may be possible, albeit unlikely, to encounter integer overflow +during the multiplication of several unsigned int variables, the +result being assigned to a variable 'size' of wider type. + +Prevent this potential behaviour by converting one of the multiples +to unsigned long. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 0242f74d29df ("drm/radeon: clean up CS functions in r100.c") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/r100.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c +index 110fb38004b1..9d2e6112f70a 100644 +--- a/drivers/gpu/drm/radeon/r100.c ++++ b/drivers/gpu/drm/radeon/r100.c +@@ -2313,7 +2313,7 @@ int r100_cs_track_check(struct radeon_device *rdev, struct r100_cs_track *track) + switch (prim_walk) { + case 1: + for (i = 0; i < track->num_arrays; i++) { +- size = track->arrays[i].esize * track->max_indx * 4; ++ size = track->arrays[i].esize * track->max_indx * 4UL; + if (track->arrays[i].robj == NULL) { + DRM_ERROR("(PW %u) Vertex array %u no buffer " + "bound\n", prim_walk, i); +@@ -2332,7 +2332,7 @@ int r100_cs_track_check(struct radeon_device *rdev, struct r100_cs_track *track) + break; + case 2: + for (i = 0; i < track->num_arrays; i++) { +- size = track->arrays[i].esize * (nverts - 1) * 4; ++ size = track->arrays[i].esize * (nverts - 1) * 4UL; + if (track->arrays[i].robj == NULL) { + DRM_ERROR("(PW %u) Vertex array %u no buffer " + "bound\n", prim_walk, i); +-- +2.43.0 + diff --git a/queue-5.4/drm-radeon-r600_cs-fix-possible-int-overflows-in-r60.patch b/queue-5.4/drm-radeon-r600_cs-fix-possible-int-overflows-in-r60.patch new file mode 100644 index 00000000000..eed16068d66 --- /dev/null +++ b/queue-5.4/drm-radeon-r600_cs-fix-possible-int-overflows-in-r60.patch @@ -0,0 +1,51 @@ +From 54c535480814a3460fd4774dc5070b1907492ccb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 07:22:30 -0800 +Subject: drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg() + +From: Nikita Zhandarovich + +[ Upstream commit 39c960bbf9d9ea862398759e75736cfb68c3446f ] + +While improbable, there may be a chance of hitting integer +overflow when the result of radeon_get_ib_value() gets shifted +left. + +Avoid it by casting one of the operands to larger data type (u64). + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 1729dd33d20b ("drm/radeon/kms: r600 CS parser fixes") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/r600_cs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c +index d6c28a5d77ab..19c9e86b2aaf 100644 +--- a/drivers/gpu/drm/radeon/r600_cs.c ++++ b/drivers/gpu/drm/radeon/r600_cs.c +@@ -1278,7 +1278,7 @@ static int r600_cs_check_reg(struct radeon_cs_parser *p, u32 reg, u32 idx) + return -EINVAL; + } + tmp = (reg - CB_COLOR0_BASE) / 4; +- track->cb_color_bo_offset[tmp] = radeon_get_ib_value(p, idx) << 8; ++ track->cb_color_bo_offset[tmp] = (u64)radeon_get_ib_value(p, idx) << 8; + ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff); + track->cb_color_base_last[tmp] = ib[idx]; + track->cb_color_bo[tmp] = reloc->robj; +@@ -1305,7 +1305,7 @@ static int r600_cs_check_reg(struct radeon_cs_parser *p, u32 reg, u32 idx) + "0x%04X\n", reg); + return -EINVAL; + } +- track->htile_offset = radeon_get_ib_value(p, idx) << 8; ++ track->htile_offset = (u64)radeon_get_ib_value(p, idx) << 8; + ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff); + track->htile_bo = reloc->robj; + track->db_dirty = true; +-- +2.43.0 + diff --git a/queue-5.4/drm-radeon-trinity_dpm-fix-a-memleak-in-trinity_pars.patch b/queue-5.4/drm-radeon-trinity_dpm-fix-a-memleak-in-trinity_pars.patch new file mode 100644 index 00000000000..6760d7456c8 --- /dev/null +++ b/queue-5.4/drm-radeon-trinity_dpm-fix-a-memleak-in-trinity_pars.patch @@ -0,0 +1,41 @@ +From cbcd98fb529a5144c78dc9f95644f26ae8626052 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 18:21:54 +0800 +Subject: drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table + +From: Zhipeng Lu + +[ Upstream commit 28c28d7f77c06ac2c0b8f9c82bc04eba22912b3b ] + +The rdev->pm.dpm.ps allocated by kcalloc should be freed in every +following error-handling path. However, in the error-handling of +rdev->pm.power_state[i].clock_info the rdev->pm.dpm.ps is not freed, +resulting in a memleak in this function. + +Fixes: d70229f70447 ("drm/radeon/kms: add dpm support for trinity asics") +Signed-off-by: Zhipeng Lu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/trinity_dpm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/trinity_dpm.c b/drivers/gpu/drm/radeon/trinity_dpm.c +index 65302f9d025e..fbb93d0feb71 100644 +--- a/drivers/gpu/drm/radeon/trinity_dpm.c ++++ b/drivers/gpu/drm/radeon/trinity_dpm.c +@@ -1771,8 +1771,10 @@ static int trinity_parse_power_table(struct radeon_device *rdev) + non_clock_array_index = power_state->v2.nonClockInfoIndex; + non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) + &non_clock_info_array->nonClockInfo[non_clock_array_index]; +- if (!rdev->pm.power_state[i].clock_info) ++ if (!rdev->pm.power_state[i].clock_info) { ++ kfree(rdev->pm.dpm.ps); + return -EINVAL; ++ } + ps = kzalloc(sizeof(struct sumo_ps), GFP_KERNEL); + if (ps == NULL) { + kfree(rdev->pm.dpm.ps); +-- +2.43.0 + diff --git a/queue-5.4/edac-thunderx-fix-possible-out-of-bounds-string-acce.patch b/queue-5.4/edac-thunderx-fix-possible-out-of-bounds-string-acce.patch new file mode 100644 index 00000000000..500e20da696 --- /dev/null +++ b/queue-5.4/edac-thunderx-fix-possible-out-of-bounds-string-acce.patch @@ -0,0 +1,91 @@ +From b5b8594bd9703bd1e9581a543347ee7382ec421c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 23:19:53 +0100 +Subject: EDAC/thunderx: Fix possible out-of-bounds string access + +From: Arnd Bergmann + +[ Upstream commit 475c58e1a471e9b873e3e39958c64a2d278275c8 ] + +Enabling -Wstringop-overflow globally exposes a warning for a common bug +in the usage of strncat(): + + drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr': + drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=] + 1136 | strncat(msg, other, OCX_MESSAGE_SIZE); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ... + 1145 | strncat(msg, other, OCX_MESSAGE_SIZE); + ... + 1150 | strncat(msg, other, OCX_MESSAGE_SIZE); + + ... + +Apparently the author of this driver expected strncat() to behave the +way that strlcat() does, which uses the size of the destination buffer +as its third argument rather than the length of the source buffer. The +result is that there is no check on the size of the allocated buffer. + +Change it to strlcat(). + + [ bp: Trim compiler output, fixup commit message. ] + +Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver") +Signed-off-by: Arnd Bergmann +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/20231122222007.3199885-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/edac/thunderx_edac.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c +index 34be60fe6892..0fffb393415b 100644 +--- a/drivers/edac/thunderx_edac.c ++++ b/drivers/edac/thunderx_edac.c +@@ -1133,7 +1133,7 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id) + decode_register(other, OCX_OTHER_SIZE, + ocx_com_errors, ctx->reg_com_int); + +- strncat(msg, other, OCX_MESSAGE_SIZE); ++ strlcat(msg, other, OCX_MESSAGE_SIZE); + + for (lane = 0; lane < OCX_RX_LANES; lane++) + if (ctx->reg_com_int & BIT(lane)) { +@@ -1142,12 +1142,12 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id) + lane, ctx->reg_lane_int[lane], + lane, ctx->reg_lane_stat11[lane]); + +- strncat(msg, other, OCX_MESSAGE_SIZE); ++ strlcat(msg, other, OCX_MESSAGE_SIZE); + + decode_register(other, OCX_OTHER_SIZE, + ocx_lane_errors, + ctx->reg_lane_int[lane]); +- strncat(msg, other, OCX_MESSAGE_SIZE); ++ strlcat(msg, other, OCX_MESSAGE_SIZE); + } + + if (ctx->reg_com_int & OCX_COM_INT_CE) +@@ -1217,7 +1217,7 @@ static irqreturn_t thunderx_ocx_lnk_threaded_isr(int irq, void *irq_id) + decode_register(other, OCX_OTHER_SIZE, + ocx_com_link_errors, ctx->reg_com_link_int); + +- strncat(msg, other, OCX_MESSAGE_SIZE); ++ strlcat(msg, other, OCX_MESSAGE_SIZE); + + if (ctx->reg_com_link_int & OCX_COM_LINK_INT_UE) + edac_device_handle_ue(ocx->edac_dev, 0, 0, msg); +@@ -1896,7 +1896,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id) + + decode_register(other, L2C_OTHER_SIZE, l2_errors, ctx->reg_int); + +- strncat(msg, other, L2C_MESSAGE_SIZE); ++ strlcat(msg, other, L2C_MESSAGE_SIZE); + + if (ctx->reg_int & mask_ue) + edac_device_handle_ue(l2c->edac_dev, 0, 0, msg); +-- +2.43.0 + diff --git a/queue-5.4/f2fs-fix-to-avoid-dirent-corruption.patch b/queue-5.4/f2fs-fix-to-avoid-dirent-corruption.patch new file mode 100644 index 00000000000..527ec29fa15 --- /dev/null +++ b/queue-5.4/f2fs-fix-to-avoid-dirent-corruption.patch @@ -0,0 +1,60 @@ +From bd9068f2311d6d131bce9959f786d9ac55789151 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 17:25:16 +0800 +Subject: f2fs: fix to avoid dirent corruption + +From: Chao Yu + +[ Upstream commit 53edb549565f55ccd0bdf43be3d66ce4c2d48b28 ] + +As Al reported in link[1]: + +f2fs_rename() +... + if (old_dir != new_dir && !whiteout) + f2fs_set_link(old_inode, old_dir_entry, + old_dir_page, new_dir); + else + f2fs_put_page(old_dir_page, 0); + +You want correct inumber in the ".." link. And cross-directory +rename does move the source to new parent, even if you'd been asked +to leave a whiteout in the old place. + +[1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/ + +With below testcase, it may cause dirent corruption, due to it missed +to call f2fs_set_link() to update ".." link to new directory. +- mkdir -p dir/foo +- renameat2 -w dir/foo bar + +[ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[0x4] for '..', parent parent ino is [0x3] +[FSCK] other corrupted bugs [Fail] + +Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT") +Cc: Jan Kara +Reported-by: Al Viro +Signed-off-by: Chao Yu +Reviewed-by: Jan Kara +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index ed95c27e9302..99a91c746b39 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -1009,7 +1009,7 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry, + } + + if (old_dir_entry) { +- if (old_dir != new_dir && !whiteout) ++ if (old_dir != new_dir) + f2fs_set_link(old_inode, old_dir_entry, + old_dir_page, new_dir); + else +-- +2.43.0 + diff --git a/queue-5.4/firmware-ti_sci-fix-an-off-by-one-in-ti_sci_debugfs_.patch b/queue-5.4/firmware-ti_sci-fix-an-off-by-one-in-ti_sci_debugfs_.patch new file mode 100644 index 00000000000..8bcf54a115b --- /dev/null +++ b/queue-5.4/firmware-ti_sci-fix-an-off-by-one-in-ti_sci_debugfs_.patch @@ -0,0 +1,55 @@ +From 1656c9296b6c5c7d35c6e2bc4da5ff67bca989a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 11:12:26 +0100 +Subject: firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create() + +From: Christophe JAILLET + +[ Upstream commit 964946b88887089f447a9b6a28c39ee97dc76360 ] + +The ending NULL is not taken into account by strncat(), so switch to +snprintf() to correctly build 'debug_name'. + +Using snprintf() also makes the code more readable. + +Fixes: aa276781a64a ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol") +Signed-off-by: Christophe JAILLET +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/7158db0a4d7b19855ddd542ec61b666973aad8dc.1698660720.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Nishanth Menon +Signed-off-by: Sasha Levin +--- + drivers/firmware/ti_sci.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c +index 54340869e682..00259a5f3b3b 100644 +--- a/drivers/firmware/ti_sci.c ++++ b/drivers/firmware/ti_sci.c +@@ -179,7 +179,7 @@ static int ti_sci_debugfs_create(struct platform_device *pdev, + { + struct device *dev = &pdev->dev; + struct resource *res; +- char debug_name[50] = "ti_sci_debug@"; ++ char debug_name[50]; + + /* Debug region is optional */ + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, +@@ -196,10 +196,10 @@ static int ti_sci_debugfs_create(struct platform_device *pdev, + /* Setup NULL termination */ + info->debug_buffer[info->debug_region_size] = 0; + +- info->d = debugfs_create_file(strncat(debug_name, dev_name(dev), +- sizeof(debug_name) - +- sizeof("ti_sci_debug@")), +- 0444, NULL, info, &ti_sci_debug_fops); ++ snprintf(debug_name, sizeof(debug_name), "ti_sci_debug@%s", ++ dev_name(dev)); ++ info->d = debugfs_create_file(debug_name, 0444, NULL, info, ++ &ti_sci_debug_fops); + if (IS_ERR(info->d)) + return PTR_ERR(info->d); + +-- +2.43.0 + diff --git a/queue-5.4/gfs2-fix-kernel-null-pointer-dereference-in-gfs2_rgr.patch b/queue-5.4/gfs2-fix-kernel-null-pointer-dereference-in-gfs2_rgr.patch new file mode 100644 index 00000000000..24bb1f9bce2 --- /dev/null +++ b/queue-5.4/gfs2-fix-kernel-null-pointer-dereference-in-gfs2_rgr.patch @@ -0,0 +1,40 @@ +From b9210023e473856e518b834add0587c561bc73d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Nov 2023 21:21:29 +0500 +Subject: gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump + +From: Osama Muhammad + +[ Upstream commit 8877243beafa7c6bfc42022cbfdf9e39b25bd4fa ] + +Syzkaller has reported a NULL pointer dereference when accessing +rgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating +rgd->rd_gl fails in read_rindex_entry(). Add a NULL pointer check in +gfs2_rgrp_dump() to prevent that. + +Reported-and-tested-by: syzbot+da0fc229cc1ff4bb2e6d@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=da0fc229cc1ff4bb2e6d +Fixes: 72244b6bc752 ("gfs2: improve debug information when lvb mismatches are found") +Signed-off-by: Osama Muhammad +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/rgrp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c +index 8153a3eac540..f0a135a48cc3 100644 +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -2275,7 +2275,7 @@ void gfs2_rgrp_dump(struct seq_file *seq, struct gfs2_glock *gl, + (unsigned long long)rgd->rd_addr, rgd->rd_flags, + rgd->rd_free, rgd->rd_free_clone, rgd->rd_dinodes, + rgd->rd_reserved, rgd->rd_extfail_pt); +- if (rgd->rd_sbd->sd_args.ar_rgrplvb) { ++ if (rgd->rd_sbd->sd_args.ar_rgrplvb && rgd->rd_rgl) { + struct gfs2_rgrp_lvb *rgl = rgd->rd_rgl; + + gfs2_print_dbg(seq, "%s L: f:%02x b:%u i:%u\n", fs_id_buf, +-- +2.43.0 + diff --git a/queue-5.4/gpu-drm-radeon-fix-two-memleaks-in-radeon_vm_init.patch b/queue-5.4/gpu-drm-radeon-fix-two-memleaks-in-radeon_vm_init.patch new file mode 100644 index 00000000000..afe33332274 --- /dev/null +++ b/queue-5.4/gpu-drm-radeon-fix-two-memleaks-in-radeon_vm_init.patch @@ -0,0 +1,48 @@ +From dfe4b143a8366cea2a21f32550bbf7798199ef00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 00:58:42 +0800 +Subject: gpu/drm/radeon: fix two memleaks in radeon_vm_init + +From: Zhipeng Lu + +[ Upstream commit c2709b2d6a537ca0fa0f1da36fdaf07e48ef447d ] + +When radeon_bo_create and radeon_vm_clear_bo fail, the vm->page_tables +allocated before need to be freed. However, neither radeon_vm_init +itself nor its caller have done such deallocation. + +Fixes: 6d2f2944e95e ("drm/radeon: use normal BOs for the page tables v4") +Signed-off-by: Zhipeng Lu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_vm.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_vm.c b/drivers/gpu/drm/radeon/radeon_vm.c +index e0ad547786e8..ef20c1f9b895 100644 +--- a/drivers/gpu/drm/radeon/radeon_vm.c ++++ b/drivers/gpu/drm/radeon/radeon_vm.c +@@ -1206,13 +1206,17 @@ int radeon_vm_init(struct radeon_device *rdev, struct radeon_vm *vm) + r = radeon_bo_create(rdev, pd_size, align, true, + RADEON_GEM_DOMAIN_VRAM, 0, NULL, + NULL, &vm->page_directory); +- if (r) ++ if (r) { ++ kfree(vm->page_tables); ++ vm->page_tables = NULL; + return r; +- ++ } + r = radeon_vm_clear_bo(rdev, vm->page_directory); + if (r) { + radeon_bo_unref(&vm->page_directory); + vm->page_directory = NULL; ++ kfree(vm->page_tables); ++ vm->page_tables = NULL; + return r; + } + +-- +2.43.0 + diff --git a/queue-5.4/ip6_tunnel-fix-nexthdr_fragment-handling-in-ip6_tnl_.patch b/queue-5.4/ip6_tunnel-fix-nexthdr_fragment-handling-in-ip6_tnl_.patch new file mode 100644 index 00000000000..3c1597dccf1 --- /dev/null +++ b/queue-5.4/ip6_tunnel-fix-nexthdr_fragment-handling-in-ip6_tnl_.patch @@ -0,0 +1,173 @@ +From 97a5eb75b66c3ccf8d69fb43bb7f2114f18d58d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jan 2024 17:03:13 +0000 +Subject: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in + ip6_tnl_parse_tlv_enc_lim() + +From: Eric Dumazet + +[ Upstream commit d375b98e0248980681e5e56b712026174d617198 ] + +syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken. + +Reading frag_off can only be done if we pulled enough bytes +to skb->head. Currently we might access garbage. + +[1] +BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 +ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 +ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] +ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 +__netdev_start_xmit include/linux/netdevice.h:4940 [inline] +netdev_start_xmit include/linux/netdevice.h:4954 [inline] +xmit_one net/core/dev.c:3548 [inline] +dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 +__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 +dev_queue_xmit include/linux/netdevice.h:3134 [inline] +neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 +neigh_output include/net/neighbour.h:542 [inline] +ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 +ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 +NF_HOOK_COND include/linux/netfilter.h:303 [inline] +ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 +dst_output include/net/dst.h:451 [inline] +ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 +ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] +ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 +rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 +rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 +inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg net/socket.c:745 [inline] +____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 +___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 +__sys_sendmsg net/socket.c:2667 [inline] +__do_sys_sendmsg net/socket.c:2676 [inline] +__se_sys_sendmsg net/socket.c:2674 [inline] +__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was created at: +slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 +slab_alloc_node mm/slub.c:3478 [inline] +__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 +__do_kmalloc_node mm/slab_common.c:1006 [inline] +__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027 +kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582 +pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098 +__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655 +pskb_may_pull_reason include/linux/skbuff.h:2673 [inline] +pskb_may_pull include/linux/skbuff.h:2681 [inline] +ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408 +ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] +ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 +__netdev_start_xmit include/linux/netdevice.h:4940 [inline] +netdev_start_xmit include/linux/netdevice.h:4954 [inline] +xmit_one net/core/dev.c:3548 [inline] +dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 +__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 +dev_queue_xmit include/linux/netdevice.h:3134 [inline] +neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 +neigh_output include/net/neighbour.h:542 [inline] +ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 +ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 +NF_HOOK_COND include/linux/netfilter.h:303 [inline] +ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 +dst_output include/net/dst.h:451 [inline] +ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 +ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] +ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 +rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 +rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 +inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg net/socket.c:745 [inline] +____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 +___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 +__sys_sendmsg net/socket.c:2667 [inline] +__do_sys_sendmsg net/socket.c:2676 [inline] +__se_sys_sendmsg net/socket.c:2674 [inline] +__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +CPU: 0 PID: 7345 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00024-gac865f00af29 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 + +Fixes: fbfa743a9d2a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_tunnel.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index b97611894882..5319093d9aa6 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -399,7 +399,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) + const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)raw; + unsigned int nhoff = raw - skb->data; + unsigned int off = nhoff + sizeof(*ipv6h); +- u8 next, nexthdr = ipv6h->nexthdr; ++ u8 nexthdr = ipv6h->nexthdr; + + while (ipv6_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) { + struct ipv6_opt_hdr *hdr; +@@ -410,25 +410,25 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) + + hdr = (struct ipv6_opt_hdr *)(skb->data + off); + if (nexthdr == NEXTHDR_FRAGMENT) { +- struct frag_hdr *frag_hdr = (struct frag_hdr *) hdr; +- if (frag_hdr->frag_off) +- break; + optlen = 8; + } else if (nexthdr == NEXTHDR_AUTH) { + optlen = ipv6_authlen(hdr); + } else { + optlen = ipv6_optlen(hdr); + } +- /* cache hdr->nexthdr, since pskb_may_pull() might +- * invalidate hdr +- */ +- next = hdr->nexthdr; +- if (nexthdr == NEXTHDR_DEST) { +- u16 i = 2; + +- /* Remember : hdr is no longer valid at this point. */ +- if (!pskb_may_pull(skb, off + optlen)) ++ if (!pskb_may_pull(skb, off + optlen)) ++ break; ++ ++ hdr = (struct ipv6_opt_hdr *)(skb->data + off); ++ if (nexthdr == NEXTHDR_FRAGMENT) { ++ struct frag_hdr *frag_hdr = (struct frag_hdr *)hdr; ++ ++ if (frag_hdr->frag_off) + break; ++ } ++ if (nexthdr == NEXTHDR_DEST) { ++ u16 i = 2; + + while (1) { + struct ipv6_tlv_tnl_enc_lim *tel; +@@ -449,7 +449,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) + i++; + } + } +- nexthdr = next; ++ nexthdr = hdr->nexthdr; + off += optlen; + } + return 0; +-- +2.43.0 + diff --git a/queue-5.4/media-cx231xx-fix-a-memleak-in-cx231xx_init_isoc.patch b/queue-5.4/media-cx231xx-fix-a-memleak-in-cx231xx_init_isoc.patch new file mode 100644 index 00000000000..66ae656da35 --- /dev/null +++ b/queue-5.4/media-cx231xx-fix-a-memleak-in-cx231xx_init_isoc.patch @@ -0,0 +1,51 @@ +From 46cad255c653e868f774330da5ddd96e34fc5ecf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 21:22:55 +0800 +Subject: media: cx231xx: fix a memleak in cx231xx_init_isoc + +From: Zhipeng Lu + +[ Upstream commit 5d3c8990e2bbf929cb211563dadd70708f42e4e6 ] + +The dma_q->p_left_data alloced by kzalloc should be freed in all the +following error handling paths. However, it hasn't been freed in the +allocation error paths of dev->video_mode.isoc_ctl.urb and +dev->video_mode.isoc_ctl.transfer_buffer. + +On the other hand, the dma_q->p_left_data did be freed in the +error-handling paths after that of dev->video_mode.isoc_ctl.urb and +dev->video_mode.isoc_ctl.transfer_buffer, by calling +cx231xx_uninit_isoc(dev). So the same free operation should be done in +error-handling paths of those two allocation. + +Fixes: 64fbf4445526 ("[media] cx231xx: Added support for Carraera, Shelby, RDx_253S and VIDEO_GRABBER") +Signed-off-by: Zhipeng Lu +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/cx231xx/cx231xx-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/usb/cx231xx/cx231xx-core.c b/drivers/media/usb/cx231xx/cx231xx-core.c +index 982cb56e97e9..0f11f50c0ae4 100644 +--- a/drivers/media/usb/cx231xx/cx231xx-core.c ++++ b/drivers/media/usb/cx231xx/cx231xx-core.c +@@ -1028,6 +1028,7 @@ int cx231xx_init_isoc(struct cx231xx *dev, int max_packets, + if (!dev->video_mode.isoc_ctl.urb) { + dev_err(dev->dev, + "cannot alloc memory for usb buffers\n"); ++ kfree(dma_q->p_left_data); + return -ENOMEM; + } + +@@ -1037,6 +1038,7 @@ int cx231xx_init_isoc(struct cx231xx *dev, int max_packets, + dev_err(dev->dev, + "cannot allocate memory for usbtransfer\n"); + kfree(dev->video_mode.isoc_ctl.urb); ++ kfree(dma_q->p_left_data); + return -ENOMEM; + } + +-- +2.43.0 + diff --git a/queue-5.4/media-dvbdev-drop-refcount-on-error-path-in-dvb_devi.patch b/queue-5.4/media-dvbdev-drop-refcount-on-error-path-in-dvb_devi.patch new file mode 100644 index 00000000000..ecaad3c8790 --- /dev/null +++ b/queue-5.4/media-dvbdev-drop-refcount-on-error-path-in-dvb_devi.patch @@ -0,0 +1,35 @@ +From 32b539a4f75aabfaa54d457672f5243d290dedf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Oct 2023 12:53:33 +0300 +Subject: media: dvbdev: drop refcount on error path in dvb_device_open() + +From: Dan Carpenter + +[ Upstream commit a2dd235df435a05d389240be748909ada91201d2 ] + +If call to file->f_op->open() fails, then call dvb_device_put(dvbdev). + +Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF") +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index 31b299ced3c1..e7cd7b13fc28 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -114,6 +114,8 @@ static int dvb_device_open(struct inode *inode, struct file *file) + err = file->f_op->open(inode, file); + up_read(&minor_rwsem); + mutex_unlock(&dvbdev_mutex); ++ if (err) ++ dvb_device_put(dvbdev); + return err; + } + fail: +-- +2.43.0 + diff --git a/queue-5.4/media-pvrusb2-fix-use-after-free-on-context-disconne.patch b/queue-5.4/media-pvrusb2-fix-use-after-free-on-context-disconne.patch new file mode 100644 index 00000000000..29e84e3783f --- /dev/null +++ b/queue-5.4/media-pvrusb2-fix-use-after-free-on-context-disconne.patch @@ -0,0 +1,46 @@ +From d7ef6adafe7135851c38a82ffa478ef518427083 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Oct 2023 01:09:12 +0200 +Subject: media: pvrusb2: fix use after free on context disconnection + +From: Ricardo B. Marliere + +[ Upstream commit ded85b0c0edd8f45fec88783d7555a5b982449c1 ] + +Upon module load, a kthread is created targeting the +pvr2_context_thread_func function, which may call pvr2_context_destroy +and thus call kfree() on the context object. However, that might happen +before the usb hub_event handler is able to notify the driver. This +patch adds a sanity check before the invalid read reported by syzbot, +within the context disconnection call stack. + +Reported-and-tested-by: syzbot+621409285c4156a009b3@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000a02a4205fff8eb92@google.com/ + +Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload") +Signed-off-by: Ricardo B. Marliere +Acked-by: Mike Isely +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/pvrusb2/pvrusb2-context.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c +index 14170a5d72b3..1764674de98b 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-context.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c +@@ -268,7 +268,8 @@ void pvr2_context_disconnect(struct pvr2_context *mp) + { + pvr2_hdw_disconnect(mp->hdw); + mp->disconnect_flag = !0; +- pvr2_context_notify(mp); ++ if (!pvr2_context_shutok()) ++ pvr2_context_notify(mp); + } + + +-- +2.43.0 + diff --git a/queue-5.4/mmc-sdhci_omap-fix-ti-soc-dependencies.patch b/queue-5.4/mmc-sdhci_omap-fix-ti-soc-dependencies.patch new file mode 100644 index 00000000000..679db312f18 --- /dev/null +++ b/queue-5.4/mmc-sdhci_omap-fix-ti-soc-dependencies.patch @@ -0,0 +1,47 @@ +From fb68a08d4c5c35b067af36fd53f8380e386ac940 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Dec 2023 13:59:47 +0000 +Subject: mmc: sdhci_omap: Fix TI SoC dependencies + +From: Peter Robinson + +[ Upstream commit 09f164d393a6671e5ff8342ba6b3cb7fe3f20208 ] + +The sdhci_omap is specific to older TI SoCs, update the +dependencies for those SoCs and compile testing. While we're +at it update the text to reflect the wider range of +supported TI SoCS the driver now supports. + +Fixes: 7d326930d352 ("mmc: sdhci-omap: Add OMAP SDHCI driver") +Signed-off-by: Peter Robinson +Link: https://lore.kernel.org/r/20231220135950.433588-2-pbrobinson@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/Kconfig | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/Kconfig b/drivers/mmc/host/Kconfig +index a93ea23e35da..f0684c6ed8d7 100644 +--- a/drivers/mmc/host/Kconfig ++++ b/drivers/mmc/host/Kconfig +@@ -996,13 +996,14 @@ config MMC_SDHCI_XENON + + config MMC_SDHCI_OMAP + tristate "TI SDHCI Controller Support" ++ depends on ARCH_OMAP2PLUS || ARCH_KEYSTONE || COMPILE_TEST + depends on MMC_SDHCI_PLTFM && OF + select THERMAL + imply TI_SOC_THERMAL + help + This selects the Secure Digital Host Controller Interface (SDHCI) +- support present in TI's DRA7 SOCs. The controller supports +- SD/MMC/SDIO devices. ++ support present in TI's Keystone/OMAP2+/DRA7 SOCs. The controller ++ supports SD/MMC/SDIO devices. + + If you have a controller with this interface, say Y or M here. + +-- +2.43.0 + diff --git a/queue-5.4/mtd-fix-gluebi-null-pointer-dereference-caused-by-ft.patch b/queue-5.4/mtd-fix-gluebi-null-pointer-dereference-caused-by-ft.patch new file mode 100644 index 00000000000..717fffc4a85 --- /dev/null +++ b/queue-5.4/mtd-fix-gluebi-null-pointer-dereference-caused-by-ft.patch @@ -0,0 +1,85 @@ +From 50708c027de3384a0985985857270df03e543290 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Dec 2023 10:46:19 +0800 +Subject: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: ZhaoLong Wang + +[ Upstream commit a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6 ] + +If both ftl.ko and gluebi.ko are loaded, the notifier of ftl +triggers NULL pointer dereference when trying to access +‘gluebi->desc’ in gluebi_read(). + +ubi_gluebi_init + ubi_register_volume_notifier + ubi_enumerate_volumes + ubi_notify_all + gluebi_notify nb->notifier_call() + gluebi_create + mtd_device_register + mtd_device_parse_register + add_mtd_device + blktrans_notify_add not->add() + ftl_add_mtd tr->add_mtd() + scan_header + mtd_read + mtd_read_oob + mtd_read_oob_std + gluebi_read mtd->read() + gluebi->desc - NULL + +Detailed reproduction information available at the Link [1], + +In the normal case, obtain gluebi->desc in the gluebi_get_device(), +and access gluebi->desc in the gluebi_read(). However, +gluebi_get_device() is not executed in advance in the +ftl_add_mtd() process, which leads to NULL pointer dereference. + +The solution for the gluebi module is to run jffs2 on the UBI +volume without considering working with ftl or mtdblock [2]. +Therefore, this problem can be avoided by preventing gluebi from +creating the mtdblock device after creating mtd partition of the +type MTD_UBIVOLUME. + +Fixes: 2ba3d76a1e29 ("UBI: make gluebi a separate module") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217992 [1] +Link: https://lore.kernel.org/lkml/441107100.23734.1697904580252.JavaMail.zimbra@nod.at/ [2] +Signed-off-by: ZhaoLong Wang +Reviewed-by: Zhihao Cheng +Acked-by: Richard Weinberger +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20231220024619.2138625-1-wangzhaolong1@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtd_blkdevs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/mtd_blkdevs.c b/drivers/mtd/mtd_blkdevs.c +index 0c05f77f9b21..dd0d0bf5f57f 100644 +--- a/drivers/mtd/mtd_blkdevs.c ++++ b/drivers/mtd/mtd_blkdevs.c +@@ -533,7 +533,7 @@ static void blktrans_notify_add(struct mtd_info *mtd) + { + struct mtd_blktrans_ops *tr; + +- if (mtd->type == MTD_ABSENT) ++ if (mtd->type == MTD_ABSENT || mtd->type == MTD_UBIVOLUME) + return; + + list_for_each_entry(tr, &blktrans_majors, list) +@@ -576,7 +576,7 @@ int register_mtd_blktrans(struct mtd_blktrans_ops *tr) + list_add(&tr->list, &blktrans_majors); + + mtd_for_each_device(mtd) +- if (mtd->type != MTD_ABSENT) ++ if (mtd->type != MTD_ABSENT && mtd->type != MTD_UBIVOLUME) + tr->add_mtd(tr, mtd); + + mutex_unlock(&mtd_table_mutex); +-- +2.43.0 + diff --git a/queue-5.4/mtd-rawnand-increment-ifc_timeout_msecs-for-nand-con.patch b/queue-5.4/mtd-rawnand-increment-ifc_timeout_msecs-for-nand-con.patch new file mode 100644 index 00000000000..0718cab7137 --- /dev/null +++ b/queue-5.4/mtd-rawnand-increment-ifc_timeout_msecs-for-nand-con.patch @@ -0,0 +1,49 @@ +From c26db89c0a524b40e816865c93555f40d24bb0f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Nov 2023 18:31:51 +1000 +Subject: mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller + response + +From: Ronald Monthero + +[ Upstream commit 923fb6238cb3ac529aa2bf13b3b1e53762186a8b ] + +Under heavy load it is likely that the controller is done +with its own task but the thread unlocking the wait is not +scheduled in time. Increasing IFC_TIMEOUT_MSECS allows the +controller to respond within allowable timeslice of 1 sec. + +fsl,ifc-nand 7e800000.nand: Controller is not responding + +[<804b2047>] (nand_get_device) from [<804b5335>] (nand_write_oob+0x1b/0x4a) +[<804b5335>] (nand_write_oob) from [<804a3585>] (mtd_write+0x41/0x5c) +[<804a3585>] (mtd_write) from [<804c1d47>] (ubi_io_write+0x17f/0x22c) +[<804c1d47>] (ubi_io_write) from [<804c047b>] (ubi_eba_write_leb+0x5b/0x1d0) + +Fixes: 82771882d960 ("NAND Machine support for Integrated Flash Controller") +Reviewed-by: Miquel Raynal +Reviewed-by: Andy Shevchenko +Signed-off-by: Ronald Monthero +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20231118083156.776887-1-debug.penguin32@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/fsl_ifc_nand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/fsl_ifc_nand.c b/drivers/mtd/nand/raw/fsl_ifc_nand.c +index 2af09edf405b..5c52cf1b7bd4 100644 +--- a/drivers/mtd/nand/raw/fsl_ifc_nand.c ++++ b/drivers/mtd/nand/raw/fsl_ifc_nand.c +@@ -21,7 +21,7 @@ + + #define ERR_BYTE 0xFF /* Value returned for read + bytes when read failed */ +-#define IFC_TIMEOUT_MSECS 500 /* Maximum number of mSecs to wait ++#define IFC_TIMEOUT_MSECS 1000 /* Maximum timeout to wait + for IFC NAND Machine */ + + struct fsl_ifc_ctrl; +-- +2.43.0 + diff --git a/queue-5.4/ncsi-internal.h-fix-a-spello.patch b/queue-5.4/ncsi-internal.h-fix-a-spello.patch new file mode 100644 index 00000000000..09cec8f35ae --- /dev/null +++ b/queue-5.4/ncsi-internal.h-fix-a-spello.patch @@ -0,0 +1,35 @@ +From 6bdde915ad890cc6e4203df85c2178da7ab028d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Mar 2021 04:42:47 +0530 +Subject: ncsi: internal.h: Fix a spello + +From: Bhaskar Chowdhury + +[ Upstream commit 195a8ec4033b4124f6864892e71dcef24ba74a5a ] + +s/Firware/Firmware/ + +Signed-off-by: Bhaskar Chowdhury +Signed-off-by: David S. Miller +Stable-dep-of: 3084b58bfd0b ("net/ncsi: Fix netlink major/minor version numbers") +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index ad3fd7f1da75..9b2bfb87c289 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -83,7 +83,7 @@ enum { + struct ncsi_channel_version { + u32 version; /* Supported BCD encoded NCSI version */ + u32 alpha2; /* Supported BCD encoded NCSI version */ +- u8 fw_name[12]; /* Firware name string */ ++ u8 fw_name[12]; /* Firmware name string */ + u32 fw_version; /* Firmware version */ + u16 pci_ids[4]; /* PCI identification */ + u32 mf_id; /* Manufacture ID */ +-- +2.43.0 + diff --git a/queue-5.4/net-ncsi-fix-netlink-major-minor-version-numbers.patch b/queue-5.4/net-ncsi-fix-netlink-major-minor-version-numbers.patch new file mode 100644 index 00000000000..6fa61078fa4 --- /dev/null +++ b/queue-5.4/net-ncsi-fix-netlink-major-minor-version-numbers.patch @@ -0,0 +1,202 @@ +From c9b5d94f7b010529024f499603d404e13292f1fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Nov 2023 10:07:34 -0600 +Subject: net/ncsi: Fix netlink major/minor version numbers + +From: Peter Delevoryas + +[ Upstream commit 3084b58bfd0b9e4b5e034f31f31b42977db35f12 ] + +The netlink interface for major and minor version numbers doesn't actually +return the major and minor version numbers. + +It reports a u32 that contains the (major, minor, update, alpha1) +components as the major version number, and then alpha2 as the minor +version number. + +For whatever reason, the u32 byte order was reversed (ntohl): maybe it was +assumed that the encoded value was a single big-endian u32, and alpha2 was +the minor version. + +The correct way to get the supported NC-SI version from the network +controller is to parse the Get Version ID response as described in 8.4.44 +of the NC-SI spec[1]. + + Get Version ID Response Packet Format + + Bits + +--------+--------+--------+--------+ + Bytes | 31..24 | 23..16 | 15..8 | 7..0 | + +-------+--------+--------+--------+--------+ + | 0..15 | NC-SI Header | + +-------+--------+--------+--------+--------+ + | 16..19| Response code | Reason code | + +-------+--------+--------+--------+--------+ + |20..23 | Major | Minor | Update | Alpha1 | + +-------+--------+--------+--------+--------+ + |24..27 | reserved | Alpha2 | + +-------+--------+--------+--------+--------+ + | .... other stuff .... | + +The major, minor, and update fields are all binary-coded decimal (BCD) +encoded [2]. The spec provides examples below the Get Version ID response +format in section 8.4.44.1, but for practical purposes, this is an example +from a live network card: + + root@bmc:~# ncsi-util 0x15 + NC-SI Command Response: + cmd: GET_VERSION_ID(0x15) + Response: COMMAND_COMPLETED(0x0000) Reason: NO_ERROR(0x0000) + Payload length = 40 + + 20: 0xf1 0xf1 0xf0 0x00 <<<<<<<<< (major, minor, update, alpha1) + 24: 0x00 0x00 0x00 0x00 <<<<<<<<< (_, _, _, alpha2) + + 28: 0x6d 0x6c 0x78 0x30 + 32: 0x2e 0x31 0x00 0x00 + 36: 0x00 0x00 0x00 0x00 + 40: 0x16 0x1d 0x07 0xd2 + 44: 0x10 0x1d 0x15 0xb3 + 48: 0x00 0x17 0x15 0xb3 + 52: 0x00 0x00 0x81 0x19 + +This should be parsed as "1.1.0". + +"f" in the upper-nibble means to ignore it, contributing zero. + +If both nibbles are "f", I think the whole field is supposed to be ignored. +Major and minor are "required", meaning they're not supposed to be "ff", +but the update field is "optional" so I think it can be ff. I think the +simplest thing to do is just set the major and minor to zero instead of +juggling some conditional logic or something. + +bcd2bin() from "include/linux/bcd.h" seems to assume both nibbles are 0-9, +so I've provided a custom BCD decoding function. + +Alpha1 and alpha2 are ISO/IEC 8859-1 encoded, which just means ASCII +characters as far as I can tell, although the full encoding table for +non-alphabetic characters is slightly different (I think). + +I imagine the alpha fields are just supposed to be alphabetic characters, +but I haven't seen any network cards actually report a non-zero value for +either. + +If people wrote software against this netlink behavior, and were parsing +the major and minor versions themselves from the u32, then this would +definitely break their code. + +[1] https://www.dmtf.org/sites/default/files/standards/documents/DSP0222_1.0.0.pdf +[2] https://en.wikipedia.org/wiki/Binary-coded_decimal +[2] https://en.wikipedia.org/wiki/ISO/IEC_8859-1 + +Signed-off-by: Peter Delevoryas +Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 7 +++++-- + net/ncsi/ncsi-netlink.c | 4 ++-- + net/ncsi/ncsi-pkt.h | 7 +++++-- + net/ncsi/ncsi-rsp.c | 26 ++++++++++++++++++++++++-- + 4 files changed, 36 insertions(+), 8 deletions(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index 9b2bfb87c289..1dde6dc841b8 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -81,8 +81,11 @@ enum { + + + struct ncsi_channel_version { +- u32 version; /* Supported BCD encoded NCSI version */ +- u32 alpha2; /* Supported BCD encoded NCSI version */ ++ u8 major; /* NCSI version major */ ++ u8 minor; /* NCSI version minor */ ++ u8 update; /* NCSI version update */ ++ char alpha1; /* NCSI version alpha1 */ ++ char alpha2; /* NCSI version alpha2 */ + u8 fw_name[12]; /* Firmware name string */ + u32 fw_version; /* Firmware version */ + u16 pci_ids[4]; /* PCI identification */ +diff --git a/net/ncsi/ncsi-netlink.c b/net/ncsi/ncsi-netlink.c +index 27700887c321..feb0b422d193 100644 +--- a/net/ncsi/ncsi-netlink.c ++++ b/net/ncsi/ncsi-netlink.c +@@ -71,8 +71,8 @@ static int ncsi_write_channel_info(struct sk_buff *skb, + if (nc == nc->package->preferred_channel) + nla_put_flag(skb, NCSI_CHANNEL_ATTR_FORCED); + +- nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MAJOR, nc->version.version); +- nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MINOR, nc->version.alpha2); ++ nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MAJOR, nc->version.major); ++ nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MINOR, nc->version.minor); + nla_put_string(skb, NCSI_CHANNEL_ATTR_VERSION_STR, nc->version.fw_name); + + vid_nest = nla_nest_start_noflag(skb, NCSI_CHANNEL_ATTR_VLAN_LIST); +diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h +index 80938b338fee..3fbea7e74fb1 100644 +--- a/net/ncsi/ncsi-pkt.h ++++ b/net/ncsi/ncsi-pkt.h +@@ -191,9 +191,12 @@ struct ncsi_rsp_gls_pkt { + /* Get Version ID */ + struct ncsi_rsp_gvi_pkt { + struct ncsi_rsp_pkt_hdr rsp; /* Response header */ +- __be32 ncsi_version; /* NCSI version */ ++ unsigned char major; /* NCSI version major */ ++ unsigned char minor; /* NCSI version minor */ ++ unsigned char update; /* NCSI version update */ ++ unsigned char alpha1; /* NCSI version alpha1 */ + unsigned char reserved[3]; /* Reserved */ +- unsigned char alpha2; /* NCSI version */ ++ unsigned char alpha2; /* NCSI version alpha2 */ + unsigned char fw_name[12]; /* f/w name string */ + __be32 fw_version; /* f/w version */ + __be16 pci_ids[4]; /* PCI IDs */ +diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c +index e1c6bb4ab98f..876622e9a5b2 100644 +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -19,6 +19,19 @@ + #include "ncsi-pkt.h" + #include "ncsi-netlink.h" + ++/* Nibbles within [0xA, 0xF] add zero "0" to the returned value. ++ * Optional fields (encoded as 0xFF) will default to zero. ++ */ ++static u8 decode_bcd_u8(u8 x) ++{ ++ int lo = x & 0xF; ++ int hi = x >> 4; ++ ++ lo = lo < 0xA ? lo : 0; ++ hi = hi < 0xA ? hi : 0; ++ return lo + hi * 10; ++} ++ + static int ncsi_validate_rsp_pkt(struct ncsi_request *nr, + unsigned short payload) + { +@@ -755,9 +768,18 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr) + if (!nc) + return -ENODEV; + +- /* Update to channel's version info */ ++ /* Update channel's version info ++ * ++ * Major, minor, and update fields are supposed to be ++ * unsigned integers encoded as packed BCD. ++ * ++ * Alpha1 and alpha2 are ISO/IEC 8859-1 characters. ++ */ + ncv = &nc->version; +- ncv->version = ntohl(rsp->ncsi_version); ++ ncv->major = decode_bcd_u8(rsp->major); ++ ncv->minor = decode_bcd_u8(rsp->minor); ++ ncv->update = decode_bcd_u8(rsp->update); ++ ncv->alpha1 = rsp->alpha1; + ncv->alpha2 = rsp->alpha2; + memcpy(ncv->fw_name, rsp->fw_name, 12); + ncv->fw_version = ntohl(rsp->fw_version); +-- +2.43.0 + diff --git a/queue-5.4/net-netlabel-fix-kerneldoc-warnings.patch b/queue-5.4/net-netlabel-fix-kerneldoc-warnings.patch new file mode 100644 index 00000000000..7c70ac4b125 --- /dev/null +++ b/queue-5.4/net-netlabel-fix-kerneldoc-warnings.patch @@ -0,0 +1,36 @@ +From 90969d5ef611778030f5e3c062a847cac932f725 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 01:53:50 +0100 +Subject: net: netlabel: Fix kerneldoc warnings + +From: Andrew Lunn + +[ Upstream commit 294ea29113104487a905d0f81c00dfd64121b3d9 ] + +net/netlabel/netlabel_calipso.c:376: warning: Function parameter or member 'ops' not described in 'netlbl_calipso_ops_register' + +Signed-off-by: Andrew Lunn +Acked-by: Paul Moore +Link: https://lore.kernel.org/r/20201028005350.930299-1-andrew@lunn.ch +Signed-off-by: Jakub Kicinski +Stable-dep-of: ec4e9d630a64 ("calipso: fix memory leak in netlbl_calipso_add_pass()") +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_calipso.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netlabel/netlabel_calipso.c b/net/netlabel/netlabel_calipso.c +index 249da67d50a2..7068b4be4091 100644 +--- a/net/netlabel/netlabel_calipso.c ++++ b/net/netlabel/netlabel_calipso.c +@@ -366,6 +366,7 @@ static const struct netlbl_calipso_ops *calipso_ops; + + /** + * netlbl_calipso_ops_register - Register the CALIPSO operations ++ * @ops: ops to register + * + * Description: + * Register the CALIPSO packet engine operations. +-- +2.43.0 + diff --git a/queue-5.4/netfilter-nf_tables-mark-newset-as-dead-on-transacti.patch b/queue-5.4/netfilter-nf_tables-mark-newset-as-dead-on-transacti.patch new file mode 100644 index 00000000000..fb23f177108 --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-mark-newset-as-dead-on-transacti.patch @@ -0,0 +1,50 @@ +From daee0431f31b927edbc1f2b36106e6c358e9e9a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 11:00:37 +0100 +Subject: netfilter: nf_tables: mark newset as dead on transaction abort + +From: Florian Westphal + +[ Upstream commit 08e4c8c5919fd405a4d709b4ba43d836894a26eb ] + +If a transaction is aborted, we should mark the to-be-released NEWSET dead, +just like commit path does for DEL and DESTROYSET commands. + +In both cases all remaining elements will be released via +set->ops->destroy(). + +The existing abort code does NOT post the actual release to the work queue. +Also the entire __nf_tables_abort() function is wrapped in gc_seq +begin/end pair. + +Therefore, async gc worker will never try to release the pending set +elements, as gc sequence is always stale. + +It might be possible to speed up transaction aborts via work queue too, +this would result in a race and a possible use-after-free. + +So fix this before it becomes an issue. + +Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 915df77161e1..9bd8ed0b62f1 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7604,6 +7604,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + nft_trans_destroy(trans); + break; + } ++ nft_trans_set(trans)->dead = 1; + list_del_rcu(&nft_trans_set(trans)->list); + break; + case NFT_MSG_DELSET: +-- +2.43.0 + diff --git a/queue-5.4/netlabel-remove-unused-parameter-in-netlbl_netlink_a.patch b/queue-5.4/netlabel-remove-unused-parameter-in-netlbl_netlink_a.patch new file mode 100644 index 00000000000..12c50355c10 --- /dev/null +++ b/queue-5.4/netlabel-remove-unused-parameter-in-netlbl_netlink_a.patch @@ -0,0 +1,178 @@ +From ad9d5134d91c1adc797a06d5956f24b24f73396b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 15:34:38 +0800 +Subject: netlabel: remove unused parameter in netlbl_netlink_auditinfo() + +From: Zheng Yejian + +[ Upstream commit f7e0318a314f9271b0f0cdd4bfdc691976976d8c ] + +loginuid/sessionid/secid have been read from 'current' instead of struct +netlink_skb_parms, the parameter 'skb' seems no longer needed. + +Fixes: c53fa1ed92cd ("netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms") +Signed-off-by: Zheng Yejian +Signed-off-by: David S. Miller +Stable-dep-of: ec4e9d630a64 ("calipso: fix memory leak in netlbl_calipso_add_pass()") +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_calipso.c | 4 ++-- + net/netlabel/netlabel_cipso_v4.c | 4 ++-- + net/netlabel/netlabel_mgmt.c | 8 ++++---- + net/netlabel/netlabel_unlabeled.c | 10 +++++----- + net/netlabel/netlabel_user.h | 4 +--- + 5 files changed, 14 insertions(+), 16 deletions(-) + +diff --git a/net/netlabel/netlabel_calipso.c b/net/netlabel/netlabel_calipso.c +index 7068b4be4091..33502b1f07c0 100644 +--- a/net/netlabel/netlabel_calipso.c ++++ b/net/netlabel/netlabel_calipso.c +@@ -105,7 +105,7 @@ static int netlbl_calipso_add(struct sk_buff *skb, struct genl_info *info) + !info->attrs[NLBL_CALIPSO_A_MTYPE]) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + switch (nla_get_u32(info->attrs[NLBL_CALIPSO_A_MTYPE])) { + case CALIPSO_MAP_PASS: + ret_val = netlbl_calipso_add_pass(info, &audit_info); +@@ -287,7 +287,7 @@ static int netlbl_calipso_remove(struct sk_buff *skb, struct genl_info *info) + if (!info->attrs[NLBL_CALIPSO_A_DOI]) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + cb_arg.doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]); + cb_arg.audit_info = &audit_info; + ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain, +diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c +index 1778e4e8ce24..4197a9bcaa96 100644 +--- a/net/netlabel/netlabel_cipso_v4.c ++++ b/net/netlabel/netlabel_cipso_v4.c +@@ -410,7 +410,7 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info) + !info->attrs[NLBL_CIPSOV4_A_MTYPE]) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + switch (nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE])) { + case CIPSO_V4_MAP_TRANS: + ret_val = netlbl_cipsov4_add_std(info, &audit_info); +@@ -709,7 +709,7 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) + if (!info->attrs[NLBL_CIPSOV4_A_DOI]) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + cb_arg.doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); + cb_arg.audit_info = &audit_info; + ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain, +diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c +index a92ed37d0922..e2801210467f 100644 +--- a/net/netlabel/netlabel_mgmt.c ++++ b/net/netlabel/netlabel_mgmt.c +@@ -435,7 +435,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info) + (info->attrs[NLBL_MGMT_A_IPV6MASK] != NULL))) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + return netlbl_mgmt_add_common(info, &audit_info); + } +@@ -458,7 +458,7 @@ static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info) + if (!info->attrs[NLBL_MGMT_A_DOMAIN]) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]); + return netlbl_domhsh_remove(domain, AF_UNSPEC, &audit_info); +@@ -558,7 +558,7 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info) + (info->attrs[NLBL_MGMT_A_IPV6MASK] != NULL))) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + return netlbl_mgmt_add_common(info, &audit_info); + } +@@ -577,7 +577,7 @@ static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info) + { + struct netlbl_audit audit_info; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + return netlbl_domhsh_remove_default(AF_UNSPEC, &audit_info); + } +diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c +index 7b62cdea6163..f4d9a5c796f8 100644 +--- a/net/netlabel/netlabel_unlabeled.c ++++ b/net/netlabel/netlabel_unlabeled.c +@@ -813,7 +813,7 @@ static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) + if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { + value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); + if (value == 1 || value == 0) { +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + netlbl_unlabel_acceptflg_set(value, &audit_info); + return 0; + } +@@ -896,7 +896,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, + !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); + if (ret_val != 0) +@@ -946,7 +946,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, + !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); + if (ret_val != 0) +@@ -993,7 +993,7 @@ static int netlbl_unlabel_staticremove(struct sk_buff *skb, + !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); + if (ret_val != 0) +@@ -1033,7 +1033,7 @@ static int netlbl_unlabel_staticremovedef(struct sk_buff *skb, + !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); + if (ret_val != 0) +diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h +index 3c67afce64f1..32d8f92c9a20 100644 +--- a/net/netlabel/netlabel_user.h ++++ b/net/netlabel/netlabel_user.h +@@ -28,11 +28,9 @@ + + /** + * netlbl_netlink_auditinfo - Fetch the audit information from a NETLINK msg +- * @skb: the packet + * @audit_info: NetLabel audit information + */ +-static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, +- struct netlbl_audit *audit_info) ++static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) + { + security_task_getsecid(current, &audit_info->secid); + audit_info->loginuid = audit_get_loginuid(current); +-- +2.43.0 + diff --git a/queue-5.4/nfsv4.1-pnfs-ensure-we-handle-the-error-nfs4err_retu.patch b/queue-5.4/nfsv4.1-pnfs-ensure-we-handle-the-error-nfs4err_retu.patch new file mode 100644 index 00000000000..e945a120234 --- /dev/null +++ b/queue-5.4/nfsv4.1-pnfs-ensure-we-handle-the-error-nfs4err_retu.patch @@ -0,0 +1,53 @@ +From 572cafa39fd4cb8501995dec6b47dbb88e78863e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Nov 2023 13:55:29 -0500 +Subject: NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT + +From: Trond Myklebust + +[ Upstream commit 037e56a22ff37f9a9c2330b66cff55d3d1ff9b90 ] + +Once the client has processed the CB_LAYOUTRECALL, but has not yet +successfully returned the layout, the server is supposed to switch to +returning NFS4ERR_RETURNCONFLICT. This patch ensures that we handle +that return value correctly. + +Fixes: 183d9e7b112a ("pnfs: rework LAYOUTGET retry handling") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index b7529656b430..31503bade335 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -168,6 +168,7 @@ static int nfs4_map_errors(int err) + case -NFS4ERR_RESOURCE: + case -NFS4ERR_LAYOUTTRYLATER: + case -NFS4ERR_RECALLCONFLICT: ++ case -NFS4ERR_RETURNCONFLICT: + return -EREMOTEIO; + case -NFS4ERR_WRONGSEC: + case -NFS4ERR_WRONG_CRED: +@@ -552,6 +553,7 @@ static int nfs4_do_handle_exception(struct nfs_server *server, + case -NFS4ERR_GRACE: + case -NFS4ERR_LAYOUTTRYLATER: + case -NFS4ERR_RECALLCONFLICT: ++ case -NFS4ERR_RETURNCONFLICT: + exception->delay = 1; + return 0; + +@@ -9159,6 +9161,7 @@ nfs4_layoutget_handle_exception(struct rpc_task *task, + status = -EBUSY; + break; + case -NFS4ERR_RECALLCONFLICT: ++ case -NFS4ERR_RETURNCONFLICT: + status = -ERECALLCONFLICT; + break; + case -NFS4ERR_DELEG_REVOKED: +-- +2.43.0 + diff --git a/queue-5.4/of-fix-double-free-in-of_parse_phandle_with_args_map.patch b/queue-5.4/of-fix-double-free-in-of_parse_phandle_with_args_map.patch new file mode 100644 index 00000000000..8bf23613061 --- /dev/null +++ b/queue-5.4/of-fix-double-free-in-of_parse_phandle_with_args_map.patch @@ -0,0 +1,231 @@ +From 1a3965ca155c1fb16e38311f6294bafd15fe1256 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Dec 2023 11:54:11 +0100 +Subject: of: Fix double free in of_parse_phandle_with_args_map + +From: Christian A. Ehrhardt + +[ Upstream commit 4dde83569832f9377362e50f7748463340c5db6b ] + +In of_parse_phandle_with_args_map() the inner loop that +iterates through the map entries calls of_node_put(new) +to free the reference acquired by the previous iteration +of the inner loop. This assumes that the value of "new" is +NULL on the first iteration of the inner loop. + +Make sure that this is true in all iterations of the outer +loop by setting "new" to NULL after its value is assigned to "cur". + +Extend the unittest to detect the double free and add an additional +test case that actually triggers this path. + +Fixes: bd6f2fd5a1 ("of: Support parsing phandle argument lists through a nexus node") +Cc: Stephen Boyd +Signed-off-by: "Christian A. Ehrhardt" +Link: https://lore.kernel.org/r/20231229105411.1603434-1-lk@c--e.de +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/base.c | 1 + + drivers/of/unittest-data/tests-phandle.dtsi | 10 ++- + drivers/of/unittest.c | 74 ++++++++++++--------- + 3 files changed, 53 insertions(+), 32 deletions(-) + +diff --git a/drivers/of/base.c b/drivers/of/base.c +index c8af9a65f98b..6fa209b3557b 100644 +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -1744,6 +1744,7 @@ int of_parse_phandle_with_args_map(const struct device_node *np, + out_args->np = new; + of_node_put(cur); + cur = new; ++ new = NULL; + } + put: + of_node_put(cur); +diff --git a/drivers/of/unittest-data/tests-phandle.dtsi b/drivers/of/unittest-data/tests-phandle.dtsi +index 6b33be4c4416..aa0d7027ffa6 100644 +--- a/drivers/of/unittest-data/tests-phandle.dtsi ++++ b/drivers/of/unittest-data/tests-phandle.dtsi +@@ -38,6 +38,13 @@ provider4: provider4 { + phandle-map-pass-thru = <0x0 0xf0>; + }; + ++ provider5: provider5 { ++ #phandle-cells = <2>; ++ phandle-map = <2 7 &provider4 2 3>; ++ phandle-map-mask = <0xff 0xf>; ++ phandle-map-pass-thru = <0x0 0xf0>; ++ }; ++ + consumer-a { + phandle-list = <&provider1 1>, + <&provider2 2 0>, +@@ -64,7 +71,8 @@ consumer-b { + <&provider4 4 0x100>, + <&provider4 0 0x61>, + <&provider0>, +- <&provider4 19 0x20>; ++ <&provider4 19 0x20>, ++ <&provider5 2 7>; + phandle-list-bad-phandle = <12345678 0 0>; + phandle-list-bad-args = <&provider2 1 0>, + <&provider4 0>; +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 42acbb3668b2..b1924062c939 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -430,6 +430,9 @@ static void __init of_unittest_parse_phandle_with_args(void) + + unittest(passed, "index %i - data error on node %pOF rc=%i\n", + i, args.np, rc); ++ ++ if (rc == 0) ++ of_node_put(args.np); + } + + /* Check for missing list property */ +@@ -471,8 +474,9 @@ static void __init of_unittest_parse_phandle_with_args(void) + + static void __init of_unittest_parse_phandle_with_args_map(void) + { +- struct device_node *np, *p0, *p1, *p2, *p3; ++ struct device_node *np, *p[6] = {}; + struct of_phandle_args args; ++ unsigned int prefs[6]; + int i, rc; + + np = of_find_node_by_path("/testcase-data/phandle-tests/consumer-b"); +@@ -481,34 +485,24 @@ static void __init of_unittest_parse_phandle_with_args_map(void) + return; + } + +- p0 = of_find_node_by_path("/testcase-data/phandle-tests/provider0"); +- if (!p0) { +- pr_err("missing testcase data\n"); +- return; +- } +- +- p1 = of_find_node_by_path("/testcase-data/phandle-tests/provider1"); +- if (!p1) { +- pr_err("missing testcase data\n"); +- return; +- } +- +- p2 = of_find_node_by_path("/testcase-data/phandle-tests/provider2"); +- if (!p2) { +- pr_err("missing testcase data\n"); +- return; +- } +- +- p3 = of_find_node_by_path("/testcase-data/phandle-tests/provider3"); +- if (!p3) { +- pr_err("missing testcase data\n"); +- return; ++ p[0] = of_find_node_by_path("/testcase-data/phandle-tests/provider0"); ++ p[1] = of_find_node_by_path("/testcase-data/phandle-tests/provider1"); ++ p[2] = of_find_node_by_path("/testcase-data/phandle-tests/provider2"); ++ p[3] = of_find_node_by_path("/testcase-data/phandle-tests/provider3"); ++ p[4] = of_find_node_by_path("/testcase-data/phandle-tests/provider4"); ++ p[5] = of_find_node_by_path("/testcase-data/phandle-tests/provider5"); ++ for (i = 0; i < ARRAY_SIZE(p); ++i) { ++ if (!p[i]) { ++ pr_err("missing testcase data\n"); ++ return; ++ } ++ prefs[i] = kref_read(&p[i]->kobj.kref); + } + + rc = of_count_phandle_with_args(np, "phandle-list", "#phandle-cells"); +- unittest(rc == 7, "of_count_phandle_with_args() returned %i, expected 7\n", rc); ++ unittest(rc == 8, "of_count_phandle_with_args() returned %i, expected 7\n", rc); + +- for (i = 0; i < 8; i++) { ++ for (i = 0; i < 9; i++) { + bool passed = true; + + memset(&args, 0, sizeof(args)); +@@ -519,13 +513,13 @@ static void __init of_unittest_parse_phandle_with_args_map(void) + switch (i) { + case 0: + passed &= !rc; +- passed &= (args.np == p1); ++ passed &= (args.np == p[1]); + passed &= (args.args_count == 1); + passed &= (args.args[0] == 1); + break; + case 1: + passed &= !rc; +- passed &= (args.np == p3); ++ passed &= (args.np == p[3]); + passed &= (args.args_count == 3); + passed &= (args.args[0] == 2); + passed &= (args.args[1] == 5); +@@ -536,28 +530,36 @@ static void __init of_unittest_parse_phandle_with_args_map(void) + break; + case 3: + passed &= !rc; +- passed &= (args.np == p0); ++ passed &= (args.np == p[0]); + passed &= (args.args_count == 0); + break; + case 4: + passed &= !rc; +- passed &= (args.np == p1); ++ passed &= (args.np == p[1]); + passed &= (args.args_count == 1); + passed &= (args.args[0] == 3); + break; + case 5: + passed &= !rc; +- passed &= (args.np == p0); ++ passed &= (args.np == p[0]); + passed &= (args.args_count == 0); + break; + case 6: + passed &= !rc; +- passed &= (args.np == p2); ++ passed &= (args.np == p[2]); + passed &= (args.args_count == 2); + passed &= (args.args[0] == 15); + passed &= (args.args[1] == 0x20); + break; + case 7: ++ passed &= !rc; ++ passed &= (args.np == p[3]); ++ passed &= (args.args_count == 3); ++ passed &= (args.args[0] == 2); ++ passed &= (args.args[1] == 5); ++ passed &= (args.args[2] == 3); ++ break; ++ case 8: + passed &= (rc == -ENOENT); + break; + default: +@@ -566,6 +568,9 @@ static void __init of_unittest_parse_phandle_with_args_map(void) + + unittest(passed, "index %i - data error on node %s rc=%i\n", + i, args.np->full_name, rc); ++ ++ if (rc == 0) ++ of_node_put(args.np); + } + + /* Check for missing list property */ +@@ -591,6 +596,13 @@ static void __init of_unittest_parse_phandle_with_args_map(void) + rc = of_parse_phandle_with_args_map(np, "phandle-list-bad-args", + "phandle", 1, &args); + unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc); ++ ++ for (i = 0; i < ARRAY_SIZE(p); ++i) { ++ unittest(prefs[i] == kref_read(&p[i]->kobj.kref), ++ "provider%d: expected:%d got:%d\n", ++ i, prefs[i], kref_read(&p[i]->kobj.kref)); ++ of_node_put(p[i]); ++ } + } + + static void __init of_unittest_property_string(void) +-- +2.43.0 + diff --git a/queue-5.4/of-unittest-fix-of_count_phandle_with_args-expected-.patch b/queue-5.4/of-unittest-fix-of_count_phandle_with_args-expected-.patch new file mode 100644 index 00000000000..0df4821590b --- /dev/null +++ b/queue-5.4/of-unittest-fix-of_count_phandle_with_args-expected-.patch @@ -0,0 +1,38 @@ +From 20294f9945147157e882ef73c64793886891c704 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jan 2024 09:50:25 +0100 +Subject: of: unittest: Fix of_count_phandle_with_args() expected value message + +From: Geert Uytterhoeven + +[ Upstream commit 716089b417cf98d01f0dc1b39f9c47e1d7b4c965 ] + +The expected result value for the call to of_count_phandle_with_args() +was updated from 7 to 8, but the accompanying error message was +forgotten. + +Fixes: 4dde83569832f937 ("of: Fix double free in of_parse_phandle_with_args_map") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20240111085025.2073894-1-geert+renesas@glider.be +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index b1924062c939..1ed470b03cd7 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -500,7 +500,7 @@ static void __init of_unittest_parse_phandle_with_args_map(void) + } + + rc = of_count_phandle_with_args(np, "phandle-list", "#phandle-cells"); +- unittest(rc == 8, "of_count_phandle_with_args() returned %i, expected 7\n", rc); ++ unittest(rc == 8, "of_count_phandle_with_args() returned %i, expected 8\n", rc); + + for (i = 0; i < 9; i++) { + bool passed = true; +-- +2.43.0 + diff --git a/queue-5.4/powerpc-44x-select-i2c-for-currituck.patch b/queue-5.4/powerpc-44x-select-i2c-for-currituck.patch new file mode 100644 index 00000000000..f3593c0448d --- /dev/null +++ b/queue-5.4/powerpc-44x-select-i2c-for-currituck.patch @@ -0,0 +1,43 @@ +From a506d914e5bbfd33284c647d6789cd469d297f61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 21:51:59 -0800 +Subject: powerpc/44x: select I2C for CURRITUCK + +From: Randy Dunlap + +[ Upstream commit 4a74197b65e69c46fe6e53f7df2f4d6ce9ffe012 ] + +Fix build errors when CURRITUCK=y and I2C is not builtin (=m or is +not set). Fixes these build errors: + +powerpc-linux-ld: arch/powerpc/platforms/44x/ppc476.o: in function `avr_halt_system': +ppc476.c:(.text+0x58): undefined reference to `i2c_smbus_write_byte_data' +powerpc-linux-ld: arch/powerpc/platforms/44x/ppc476.o: in function `ppc47x_device_probe': +ppc476.c:(.init.text+0x18): undefined reference to `i2c_register_driver' + +Fixes: 2a2c74b2efcb ("IBM Akebono: Add the Akebono platform") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Closes: lore.kernel.org/r/202312010820.cmdwF5X9-lkp@intel.com +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231201055159.8371-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/44x/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/44x/Kconfig b/arch/powerpc/platforms/44x/Kconfig +index 25ebe634a661..e9d3c6b241a8 100644 +--- a/arch/powerpc/platforms/44x/Kconfig ++++ b/arch/powerpc/platforms/44x/Kconfig +@@ -178,6 +178,7 @@ config ISS4xx + config CURRITUCK + bool "IBM Currituck (476fpe) Support" + depends on PPC_47x ++ select I2C + select SWIOTLB + select 476FPE + select FORCE_PCI +-- +2.43.0 + diff --git a/queue-5.4/powerpc-add-crtsavres.o-to-always-y-instead-of-extra.patch b/queue-5.4/powerpc-add-crtsavres.o-to-always-y-instead-of-extra.patch new file mode 100644 index 00000000000..2d31457f0f5 --- /dev/null +++ b/queue-5.4/powerpc-add-crtsavres.o-to-always-y-instead-of-extra.patch @@ -0,0 +1,50 @@ +From a1b9825e26aa5770b78b5ebfdfd52346664f5e9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 08:23:32 +0900 +Subject: powerpc: add crtsavres.o to always-y instead of extra-y + +From: Masahiro Yamada + +[ Upstream commit 1b1e38002648819c04773647d5242990e2824264 ] + +crtsavres.o is linked to modules. However, as explained in commit +d0e628cd817f ("kbuild: doc: clarify the difference between extra-y +and always-y"), 'make modules' does not build extra-y. + +For example, the following command fails: + + $ make ARCH=powerpc LLVM=1 KBUILD_MODPOST_WARN=1 mrproper ps3_defconfig modules + [snip] + LD [M] arch/powerpc/platforms/cell/spufs/spufs.ko + ld.lld: error: cannot open arch/powerpc/lib/crtsavres.o: No such file or directory + make[3]: *** [scripts/Makefile.modfinal:56: arch/powerpc/platforms/cell/spufs/spufs.ko] Error 1 + make[2]: *** [Makefile:1844: modules] Error 2 + make[1]: *** [/home/masahiro/workspace/linux-kbuild/Makefile:350: __build_one_by_one] Error 2 + make: *** [Makefile:234: __sub-make] Error 2 + +Signed-off-by: Masahiro Yamada +Fixes: baa25b571a16 ("powerpc/64: Do not link crtsavres.o in vmlinux") +Reviewed-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231120232332.4100288-1-masahiroy@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/lib/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/lib/Makefile b/arch/powerpc/lib/Makefile +index 8656b8d2ce55..7c603839fe28 100644 +--- a/arch/powerpc/lib/Makefile ++++ b/arch/powerpc/lib/Makefile +@@ -35,7 +35,7 @@ obj-$(CONFIG_FUNCTION_ERROR_INJECTION) += error-inject.o + # so it is only needed for modules, and only for older linkers which + # do not support --save-restore-funcs + ifeq ($(call ld-ifversion, -lt, 225000000, y),y) +-extra-$(CONFIG_PPC64) += crtsavres.o ++always-$(CONFIG_PPC64) += crtsavres.o + endif + + obj-$(CONFIG_PPC_BOOK3S_64) += copyuser_power7.o copypage_power7.o \ +-- +2.43.0 + diff --git a/queue-5.4/powerpc-imc-pmu-add-a-null-pointer-check-in-update_e.patch b/queue-5.4/powerpc-imc-pmu-add-a-null-pointer-check-in-update_e.patch new file mode 100644 index 00000000000..30abcd61a73 --- /dev/null +++ b/queue-5.4/powerpc-imc-pmu-add-a-null-pointer-check-in-update_e.patch @@ -0,0 +1,55 @@ +From 3af44eabfcb65b52ab9373373432c59612dd7c0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Nov 2023 17:37:19 +0800 +Subject: powerpc/imc-pmu: Add a null pointer check in update_events_in_group() + +From: Kunwu Chan + +[ Upstream commit 0a233867a39078ebb0f575e2948593bbff5826b3 ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. + +Fixes: 885dcd709ba9 ("powerpc/perf: Add nest IMC PMU support") +Signed-off-by: Kunwu Chan +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231126093719.1440305-1-chentao@kylinos.cn +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/imc-pmu.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/powerpc/perf/imc-pmu.c b/arch/powerpc/perf/imc-pmu.c +index 872313021eaa..565dc073ceca 100644 +--- a/arch/powerpc/perf/imc-pmu.c ++++ b/arch/powerpc/perf/imc-pmu.c +@@ -292,6 +292,8 @@ static int update_events_in_group(struct device_node *node, struct imc_pmu *pmu) + attr_group->attrs = attrs; + do { + ev_val_str = kasprintf(GFP_KERNEL, "event=0x%x", pmu->events[i].value); ++ if (!ev_val_str) ++ continue; + dev_str = device_str_attr_create(pmu->events[i].name, ev_val_str); + if (!dev_str) + continue; +@@ -299,6 +301,8 @@ static int update_events_in_group(struct device_node *node, struct imc_pmu *pmu) + attrs[j++] = dev_str; + if (pmu->events[i].scale) { + ev_scale_str = kasprintf(GFP_KERNEL, "%s.scale", pmu->events[i].name); ++ if (!ev_scale_str) ++ continue; + dev_str = device_str_attr_create(ev_scale_str, pmu->events[i].scale); + if (!dev_str) + continue; +@@ -308,6 +312,8 @@ static int update_events_in_group(struct device_node *node, struct imc_pmu *pmu) + + if (pmu->events[i].unit) { + ev_unit_str = kasprintf(GFP_KERNEL, "%s.unit", pmu->events[i].name); ++ if (!ev_unit_str) ++ continue; + dev_str = device_str_attr_create(ev_unit_str, pmu->events[i].unit); + if (!dev_str) + continue; +-- +2.43.0 + diff --git a/queue-5.4/powerpc-powernv-add-a-null-pointer-check-in-opal_eve.patch b/queue-5.4/powerpc-powernv-add-a-null-pointer-check-in-opal_eve.patch new file mode 100644 index 00000000000..ad144ee96eb --- /dev/null +++ b/queue-5.4/powerpc-powernv-add-a-null-pointer-check-in-opal_eve.patch @@ -0,0 +1,37 @@ +From 3c88e7c90f34a2c45737cc4df1f0697d0f12b27e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 11:07:55 +0800 +Subject: powerpc/powernv: Add a null pointer check in opal_event_init() + +From: Kunwu Chan + +[ Upstream commit 8649829a1dd25199bbf557b2621cedb4bf9b3050 ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. + +Fixes: 2717a33d6074 ("powerpc/opal-irqchip: Use interrupt names if present") +Signed-off-by: Kunwu Chan +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231127030755.1546750-1-chentao@kylinos.cn +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-irqchip.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/platforms/powernv/opal-irqchip.c b/arch/powerpc/platforms/powernv/opal-irqchip.c +index c164419e254d..dcec0f760c8f 100644 +--- a/arch/powerpc/platforms/powernv/opal-irqchip.c ++++ b/arch/powerpc/platforms/powernv/opal-irqchip.c +@@ -278,6 +278,8 @@ int __init opal_event_init(void) + else + name = kasprintf(GFP_KERNEL, "opal"); + ++ if (!name) ++ continue; + /* Install interrupt handler */ + rc = request_irq(r->start, opal_interrupt, r->flags & IRQD_TRIGGER_MASK, + name, NULL); +-- +2.43.0 + diff --git a/queue-5.4/powerpc-powernv-add-a-null-pointer-check-in-opal_pow.patch b/queue-5.4/powerpc-powernv-add-a-null-pointer-check-in-opal_pow.patch new file mode 100644 index 00000000000..616550ef55c --- /dev/null +++ b/queue-5.4/powerpc-powernv-add-a-null-pointer-check-in-opal_pow.patch @@ -0,0 +1,41 @@ +From f9c37475564d454955581b5fc0366d68615b05bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Nov 2023 17:57:39 +0800 +Subject: powerpc/powernv: Add a null pointer check in opal_powercap_init() + +From: Kunwu Chan + +[ Upstream commit e123015c0ba859cf48aa7f89c5016cc6e98e018d ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. + +Fixes: b9ef7b4b867f ("powerpc: Convert to using %pOFn instead of device_node.name") +Signed-off-by: Kunwu Chan +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231126095739.1501990-1-chentao@kylinos.cn +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-powercap.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/powerpc/platforms/powernv/opal-powercap.c b/arch/powerpc/platforms/powernv/opal-powercap.c +index dc599e787f78..0de530b5fead 100644 +--- a/arch/powerpc/platforms/powernv/opal-powercap.c ++++ b/arch/powerpc/platforms/powernv/opal-powercap.c +@@ -196,6 +196,12 @@ void __init opal_powercap_init(void) + + j = 0; + pcaps[i].pg.name = kasprintf(GFP_KERNEL, "%pOFn", node); ++ if (!pcaps[i].pg.name) { ++ kfree(pcaps[i].pattrs); ++ kfree(pcaps[i].pg.attrs); ++ goto out_pcaps_pattrs; ++ } ++ + if (has_min) { + powercap_add_attr(min, "powercap-min", + &pcaps[i].pattrs[j]); +-- +2.43.0 + diff --git a/queue-5.4/powerpc-powernv-add-a-null-pointer-check-to-scom_deb.patch b/queue-5.4/powerpc-powernv-add-a-null-pointer-check-to-scom_deb.patch new file mode 100644 index 00000000000..33bb03b8166 --- /dev/null +++ b/queue-5.4/powerpc-powernv-add-a-null-pointer-check-to-scom_deb.patch @@ -0,0 +1,41 @@ +From 291c1121f94925adfec3c4f250b4b3c57857d01f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 16:59:37 +0800 +Subject: powerpc/powernv: Add a null pointer check to scom_debug_init_one() + +From: Kunwu Chan + +[ Upstream commit 9a260f2dd827bbc82cc60eb4f4d8c22707d80742 ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. +Add a null pointer check, and release 'ent' to avoid memory leaks. + +Fixes: bfd2f0d49aef ("powerpc/powernv: Get rid of old scom_controller abstraction") +Signed-off-by: Kunwu Chan +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231208085937.107210-1-chentao@kylinos.cn +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-xscom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/powerpc/platforms/powernv/opal-xscom.c b/arch/powerpc/platforms/powernv/opal-xscom.c +index fd510d961b8c..d5814c5046ba 100644 +--- a/arch/powerpc/platforms/powernv/opal-xscom.c ++++ b/arch/powerpc/platforms/powernv/opal-xscom.c +@@ -165,6 +165,11 @@ static int scom_debug_init_one(struct dentry *root, struct device_node *dn, + ent->chip = chip; + snprintf(ent->name, 16, "%08x", chip); + ent->path.data = (void *)kasprintf(GFP_KERNEL, "%pOF", dn); ++ if (!ent->path.data) { ++ kfree(ent); ++ return -ENOMEM; ++ } ++ + ent->path.size = strlen((char *)ent->path.data); + + dir = debugfs_create_dir(ent->name, root); +-- +2.43.0 + diff --git a/queue-5.4/powerpc-pseries-memhotplug-quieten-some-dlpar-operat.patch b/queue-5.4/powerpc-pseries-memhotplug-quieten-some-dlpar-operat.patch new file mode 100644 index 00000000000..09b070aa9e0 --- /dev/null +++ b/queue-5.4/powerpc-pseries-memhotplug-quieten-some-dlpar-operat.patch @@ -0,0 +1,95 @@ +From 1a9f6aba6703acd13c932ee58944004135cfe986 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Dec 2020 15:59:54 +0100 +Subject: powerpc/pseries/memhotplug: Quieten some DLPAR operations + +From: Laurent Dufour + +[ Upstream commit 20e9de85edae3a5866f29b6cce87c9ec66d62a1b ] + +When attempting to remove by index a set of LMBs a lot of messages are +displayed on the console, even when everything goes fine: + + pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 8000002d + Offlined Pages 4096 + pseries-hotplug-mem: Memory at 2d0000000 was hot-removed + +The 2 messages prefixed by "pseries-hotplug-mem" are not really +helpful for the end user, they should be debug outputs. + +In case of error, because some of the LMB's pages couldn't be +offlined, the following is displayed on the console: + + pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 8000003e + pseries-hotplug-mem: Failed to hot-remove memory at 3e0000000 + dlpar: Could not handle DLPAR request "memory remove index 0x8000003e" + +Again, the 2 messages prefixed by "pseries-hotplug-mem" are useless, +and the generic DLPAR prefixed message should be enough. + +These 2 first changes are mainly triggered by the changes introduced +in drmgr: + https://groups.google.com/g/powerpc-utils-devel/c/Y6ef4NB3EzM/m/9cu5JHRxAQAJ + +Also, when adding a bunch of LMBs, a message is displayed in the console per LMB +like these ones: + pseries-hotplug-mem: Memory at 7e0000000 (drc index 8000007e) was hot-added + pseries-hotplug-mem: Memory at 7f0000000 (drc index 8000007f) was hot-added + pseries-hotplug-mem: Memory at 800000000 (drc index 80000080) was hot-added + pseries-hotplug-mem: Memory at 810000000 (drc index 80000081) was hot-added + +When adding 1TB of memory and LMB size is 256MB, this leads to 4096 +messages to be displayed on the console. These messages are not really +helpful for the end user, so moving them to the DEBUG level. + +Signed-off-by: Laurent Dufour +[mpe: Tweak change log wording] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201211145954.90143-1-ldufour@linux.ibm.com +Stable-dep-of: bd68ffce69f6 ("powerpc/pseries/memhp: Fix access beyond end of drmem array") +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/hotplug-memory.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c +index f364909d0c08..03fb4669a1f0 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -496,7 +496,7 @@ static int dlpar_memory_remove_by_index(u32 drc_index) + int lmb_found; + int rc; + +- pr_info("Attempting to hot-remove LMB, drc index %x\n", drc_index); ++ pr_debug("Attempting to hot-remove LMB, drc index %x\n", drc_index); + + lmb_found = 0; + for_each_drmem_lmb(lmb) { +@@ -514,10 +514,10 @@ static int dlpar_memory_remove_by_index(u32 drc_index) + rc = -EINVAL; + + if (rc) +- pr_info("Failed to hot-remove memory at %llx\n", +- lmb->base_addr); ++ pr_debug("Failed to hot-remove memory at %llx\n", ++ lmb->base_addr); + else +- pr_info("Memory at %llx was hot-removed\n", lmb->base_addr); ++ pr_debug("Memory at %llx was hot-removed\n", lmb->base_addr); + + return rc; + } +@@ -770,8 +770,8 @@ static int dlpar_memory_add_by_count(u32 lmbs_to_add) + if (!drmem_lmb_reserved(lmb)) + continue; + +- pr_info("Memory at %llx (drc index %x) was hot-added\n", +- lmb->base_addr, lmb->drc_index); ++ pr_debug("Memory at %llx (drc index %x) was hot-added\n", ++ lmb->base_addr, lmb->drc_index); + drmem_remove_lmb_reservation(lmb); + } + rc = 0; +-- +2.43.0 + diff --git a/queue-5.4/powerpc-pseries-memhp-fix-access-beyond-end-of-drmem.patch b/queue-5.4/powerpc-pseries-memhp-fix-access-beyond-end-of-drmem.patch new file mode 100644 index 00000000000..72896c5387a --- /dev/null +++ b/queue-5.4/powerpc-pseries-memhp-fix-access-beyond-end-of-drmem.patch @@ -0,0 +1,101 @@ +From 4710ebdaa6fefa30601b14ed942298108d1182aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Nov 2023 11:01:53 -0600 +Subject: powerpc/pseries/memhp: Fix access beyond end of drmem array + +From: Nathan Lynch + +[ Upstream commit bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5 ] + +dlpar_memory_remove_by_index() may access beyond the bounds of the +drmem lmb array when the LMB lookup fails to match an entry with the +given DRC index. When the search fails, the cursor is left pointing to +&drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the +last valid entry in the array. The debug message at the end of the +function then dereferences this pointer: + + pr_debug("Failed to hot-remove memory at %llx\n", + lmb->base_addr); + +This was found by inspection and confirmed with KASAN: + + pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234 + ================================================================== + BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658 + Read of size 8 at addr c000000364e97fd0 by task bash/949 + + dump_stack_lvl+0xa4/0xfc (unreliable) + print_report+0x214/0x63c + kasan_report+0x140/0x2e0 + __asan_load8+0xa8/0xe0 + dlpar_memory+0x298/0x1658 + handle_dlpar_errorlog+0x130/0x1d0 + dlpar_store+0x18c/0x3e0 + kobj_attr_store+0x68/0xa0 + sysfs_kf_write+0xc4/0x110 + kernfs_fop_write_iter+0x26c/0x390 + vfs_write+0x2d4/0x4e0 + ksys_write+0xac/0x1a0 + system_call_exception+0x268/0x530 + system_call_vectored_common+0x15c/0x2ec + + Allocated by task 1: + kasan_save_stack+0x48/0x80 + kasan_set_track+0x34/0x50 + kasan_save_alloc_info+0x34/0x50 + __kasan_kmalloc+0xd0/0x120 + __kmalloc+0x8c/0x320 + kmalloc_array.constprop.0+0x48/0x5c + drmem_init+0x2a0/0x41c + do_one_initcall+0xe0/0x5c0 + kernel_init_freeable+0x4ec/0x5a0 + kernel_init+0x30/0x1e0 + ret_from_kernel_user_thread+0x14/0x1c + + The buggy address belongs to the object at c000000364e80000 + which belongs to the cache kmalloc-128k of size 131072 + The buggy address is located 0 bytes to the right of + allocated 98256-byte region [c000000364e80000, c000000364e97fd0) + + ================================================================== + pseries-hotplug-mem: Failed to hot-remove memory at 0 + +Log failed lookups with a separate message and dereference the +cursor only when it points to a valid entry. + +Signed-off-by: Nathan Lynch +Fixes: 51925fb3c5c9 ("powerpc/pseries: Implement memory hotplug remove in the kernel") +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231114-pseries-memhp-fixes-v1-1-fb8f2bb7c557@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/hotplug-memory.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c +index 03fb4669a1f0..23dc59e40edc 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -510,14 +510,15 @@ static int dlpar_memory_remove_by_index(u32 drc_index) + } + } + +- if (!lmb_found) ++ if (!lmb_found) { ++ pr_debug("Failed to look up LMB for drc index %x\n", drc_index); + rc = -EINVAL; +- +- if (rc) ++ } else if (rc) { + pr_debug("Failed to hot-remove memory at %llx\n", + lmb->base_addr); +- else ++ } else { + pr_debug("Memory at %llx was hot-removed\n", lmb->base_addr); ++ } + + return rc; + } +-- +2.43.0 + diff --git a/queue-5.4/pstore-ram_core-fix-possible-overflow-in-persistent_.patch b/queue-5.4/pstore-ram_core-fix-possible-overflow-in-persistent_.patch new file mode 100644 index 00000000000..a794823faf1 --- /dev/null +++ b/queue-5.4/pstore-ram_core-fix-possible-overflow-in-persistent_.patch @@ -0,0 +1,46 @@ +From 589516b209d457f08724292d40df9e3c1f3551da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Nov 2023 23:29:36 +0300 +Subject: pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() + +From: Sergey Shtylyov + +[ Upstream commit 86222a8fc16ec517de8da2604d904c9df3a08e5d ] + +In persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return +64-bit value since persistent_ram_zone::buffer_size has type size_t which +is derived from the 64-bit *unsigned long*, while the ecc_blocks variable +this value gets assigned to has (always 32-bit) *int* type. Even if that +value fits into *int* type, an overflow is still possible when calculating +the size_t typed ecc_total variable further below since there's no cast to +any 64-bit type before multiplication. Declaring the ecc_blocks variable +as *size_t* should fix this mess... + +Found by Linux Verification Center (linuxtesting.org) with the SVACE static +analysis tool. + +Fixes: 9cc05ad97c57 ("staging: android: persistent_ram: refactor ecc support") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20231105202936.25694-1-s.shtylyov@omp.ru +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/pstore/ram_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c +index 079f1a15cab0..679b250a3912 100644 +--- a/fs/pstore/ram_core.c ++++ b/fs/pstore/ram_core.c +@@ -190,7 +190,7 @@ static int persistent_ram_init_ecc(struct persistent_ram_zone *prz, + { + int numerr; + struct persistent_ram_buffer *buffer = prz->buffer; +- int ecc_blocks; ++ size_t ecc_blocks; + size_t ecc_total; + + if (!ecc_info || !ecc_info->ecc_size) +-- +2.43.0 + diff --git a/queue-5.4/rdma-usnic-silence-uninitialized-symbol-smatch-warni.patch b/queue-5.4/rdma-usnic-silence-uninitialized-symbol-smatch-warni.patch new file mode 100644 index 00000000000..f498affb6ff --- /dev/null +++ b/queue-5.4/rdma-usnic-silence-uninitialized-symbol-smatch-warni.patch @@ -0,0 +1,82 @@ +From 9c0525f217d3d75f3bee5a35545a794d4a18dffe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Nov 2023 11:28:02 +0200 +Subject: RDMA/usnic: Silence uninitialized symbol smatch warnings + +From: Leon Romanovsky + +[ Upstream commit b9a85e5eec126d6ae6c362f94b447c223e8fe6e4 ] + +The patch 1da177e4c3f4: "Linux-2.6.12-rc2" from Apr 16, 2005 +(linux-next), leads to the following Smatch static checker warning: + + drivers/infiniband/hw/mthca/mthca_cmd.c:644 mthca_SYS_EN() + error: uninitialized symbol 'out'. + +drivers/infiniband/hw/mthca/mthca_cmd.c + 636 int mthca_SYS_EN(struct mthca_dev *dev) + 637 { + 638 u64 out; + 639 int ret; + 640 + 641 ret = mthca_cmd_imm(dev, 0, &out, 0, 0, CMD_SYS_EN, CMD_TIME_CLASS_D); + +We pass out here and it gets used without being initialized. + + err = mthca_cmd_post(dev, in_param, + out_param ? *out_param : 0, + ^^^^^^^^^^ + in_modifier, op_modifier, + op, context->token, 1); + +It's the same in mthca_cmd_wait() and mthca_cmd_poll(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/all/533bc3df-8078-4397-b93d-d1f6cec9b636@moroto.mountain +Link: https://lore.kernel.org/r/c559cb7113158c02d75401ac162652072ef1b5f0.1699867650.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mthca/mthca_cmd.c | 4 ++-- + drivers/infiniband/hw/mthca/mthca_main.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c +index bdf5ed38de22..0307c45aa6d3 100644 +--- a/drivers/infiniband/hw/mthca/mthca_cmd.c ++++ b/drivers/infiniband/hw/mthca/mthca_cmd.c +@@ -635,7 +635,7 @@ void mthca_free_mailbox(struct mthca_dev *dev, struct mthca_mailbox *mailbox) + + int mthca_SYS_EN(struct mthca_dev *dev) + { +- u64 out; ++ u64 out = 0; + int ret; + + ret = mthca_cmd_imm(dev, 0, &out, 0, 0, CMD_SYS_EN, CMD_TIME_CLASS_D); +@@ -1955,7 +1955,7 @@ int mthca_WRITE_MGM(struct mthca_dev *dev, int index, + int mthca_MGID_HASH(struct mthca_dev *dev, struct mthca_mailbox *mailbox, + u16 *hash) + { +- u64 imm; ++ u64 imm = 0; + int err; + + err = mthca_cmd_imm(dev, mailbox->dma, &imm, 0, 0, CMD_MGID_HASH, +diff --git a/drivers/infiniband/hw/mthca/mthca_main.c b/drivers/infiniband/hw/mthca/mthca_main.c +index fe9654a7af71..3acd1372c814 100644 +--- a/drivers/infiniband/hw/mthca/mthca_main.c ++++ b/drivers/infiniband/hw/mthca/mthca_main.c +@@ -382,7 +382,7 @@ static int mthca_init_icm(struct mthca_dev *mdev, + struct mthca_init_hca_param *init_hca, + u64 icm_size) + { +- u64 aux_pages; ++ u64 aux_pages = 0; + int err; + + err = mthca_SET_ICM_SIZE(mdev, icm_size, &aux_pages); +-- +2.43.0 + diff --git a/queue-5.4/rtlwifi-rtl8192de-make-arrays-static-const-makes-obj.patch b/queue-5.4/rtlwifi-rtl8192de-make-arrays-static-const-makes-obj.patch new file mode 100644 index 00000000000..68c33c209e8 --- /dev/null +++ b/queue-5.4/rtlwifi-rtl8192de-make-arrays-static-const-makes-obj.patch @@ -0,0 +1,119 @@ +From 847a5d41949c043ce0c099be1de7bad8e5d5a738 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Aug 2021 15:49:48 +0100 +Subject: rtlwifi: rtl8192de: make arrays static const, makes object smaller + +From: Colin Ian King + +[ Upstream commit b05897ca8c821a16ac03850c4704fe460b3f21a0 ] + +Don't populate arrays the stack but instead make them static const. Replace +array channel_info with channel_all since it contains the same data as +channel_all. Makes object code smaller by 961 bytes. + +Before: + text data bss dec hex filename + 128147 44250 1024 173421 2a56d ../realtek/rtlwifi/rtl8192de/phy.o + +After + text data bss dec hex filename + 127122 44314 1024 172460 2a1ac ../realtek/rtlwifi/rtl8192de/phy.o + +(gcc version 10.2.0) + +Signed-off-by: Colin Ian King +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210803144949.79433-2-colin.king@canonical.com +Stable-dep-of: b8b2baad2e65 ("wifi: rtlwifi: rtl8192de: using calculate_bit_shift()") +Signed-off-by: Sasha Levin +--- + .../wireless/realtek/rtlwifi/rtl8192de/phy.c | 48 ++++++++----------- + 1 file changed, 20 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +index db4f8fde0f17..7ba2aeaf071f 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +@@ -160,6 +160,15 @@ static u32 targetchnl_2g[TARGET_CHNL_NUM_2G] = { + 25711, 25658, 25606, 25554, 25502, 25451, 25328 + }; + ++static const u8 channel_all[59] = { ++ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, ++ 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, ++ 60, 62, 64, 100, 102, 104, 106, 108, 110, 112, ++ 114, 116, 118, 120, 122, 124, 126, 128, 130, ++ 132, 134, 136, 138, 140, 149, 151, 153, 155, ++ 157, 159, 161, 163, 165 ++}; ++ + static u32 _rtl92d_phy_calculate_bit_shift(u32 bitmask) + { + u32 i = ffs(bitmask); +@@ -1356,14 +1365,6 @@ static void _rtl92d_phy_switch_rf_setting(struct ieee80211_hw *hw, u8 channel) + + u8 rtl92d_get_rightchnlplace_for_iqk(u8 chnl) + { +- u8 channel_all[59] = { +- 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, +- 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, +- 60, 62, 64, 100, 102, 104, 106, 108, 110, 112, +- 114, 116, 118, 120, 122, 124, 126, 128, 130, +- 132, 134, 136, 138, 140, 149, 151, 153, 155, +- 157, 159, 161, 163, 165 +- }; + u8 place = chnl; + + if (chnl > 14) { +@@ -3218,37 +3219,28 @@ void rtl92d_phy_config_macphymode_info(struct ieee80211_hw *hw) + u8 rtl92d_get_chnlgroup_fromarray(u8 chnl) + { + u8 group; +- u8 channel_info[59] = { +- 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, +- 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, +- 58, 60, 62, 64, 100, 102, 104, 106, 108, +- 110, 112, 114, 116, 118, 120, 122, 124, +- 126, 128, 130, 132, 134, 136, 138, 140, +- 149, 151, 153, 155, 157, 159, 161, 163, +- 165 +- }; + +- if (channel_info[chnl] <= 3) ++ if (channel_all[chnl] <= 3) + group = 0; +- else if (channel_info[chnl] <= 9) ++ else if (channel_all[chnl] <= 9) + group = 1; +- else if (channel_info[chnl] <= 14) ++ else if (channel_all[chnl] <= 14) + group = 2; +- else if (channel_info[chnl] <= 44) ++ else if (channel_all[chnl] <= 44) + group = 3; +- else if (channel_info[chnl] <= 54) ++ else if (channel_all[chnl] <= 54) + group = 4; +- else if (channel_info[chnl] <= 64) ++ else if (channel_all[chnl] <= 64) + group = 5; +- else if (channel_info[chnl] <= 112) ++ else if (channel_all[chnl] <= 112) + group = 6; +- else if (channel_info[chnl] <= 126) ++ else if (channel_all[chnl] <= 126) + group = 7; +- else if (channel_info[chnl] <= 140) ++ else if (channel_all[chnl] <= 140) + group = 8; +- else if (channel_info[chnl] <= 153) ++ else if (channel_all[chnl] <= 153) + group = 9; +- else if (channel_info[chnl] <= 159) ++ else if (channel_all[chnl] <= 159) + group = 10; + else + group = 11; +-- +2.43.0 + diff --git a/queue-5.4/rtlwifi-use-ffs-in-foo-_phy_calculate_bit_shift.patch b/queue-5.4/rtlwifi-use-ffs-in-foo-_phy_calculate_bit_shift.patch new file mode 100644 index 00000000000..60d45fd08c8 --- /dev/null +++ b/queue-5.4/rtlwifi-use-ffs-in-foo-_phy_calculate_bit_shift.patch @@ -0,0 +1,203 @@ +From a5dba4741aebf44a1371d4559b5c13535a440c38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 23:37:47 -0700 +Subject: rtlwifi: Use ffs in _phy_calculate_bit_shift + +From: Joe Perches + +[ Upstream commit 6c1d61913570d4255548ac598cfbef6f1e3c3eee ] + +Remove the loop and use the generic ffs instead. + +Signed-off-by: Joe Perches +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/e2ab424d24b74901bc0c39f0c60f75e871adf2ba.camel@perches.com +Stable-dep-of: bc8263083af6 ("wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior") +Signed-off-by: Sasha Levin +--- + .../wireless/realtek/rtlwifi/rtl8188ee/phy.c | 18 ++++++------------ + .../realtek/rtlwifi/rtl8192c/phy_common.c | 8 ++------ + .../wireless/realtek/rtlwifi/rtl8192de/phy.c | 9 ++------- + .../wireless/realtek/rtlwifi/rtl8192ee/phy.c | 8 ++------ + .../wireless/realtek/rtlwifi/rtl8192se/phy.c | 9 ++------- + .../realtek/rtlwifi/rtl8723com/phy_common.c | 8 ++------ + .../wireless/realtek/rtlwifi/rtl8821ae/phy.c | 18 ++++++------------ + 7 files changed, 22 insertions(+), 56 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c +index 96d8f25b120f..52b0fccc31f8 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c +@@ -16,7 +16,12 @@ static u32 _rtl88e_phy_rf_serial_read(struct ieee80211_hw *hw, + static void _rtl88e_phy_rf_serial_write(struct ieee80211_hw *hw, + enum radio_path rfpath, u32 offset, + u32 data); +-static u32 _rtl88e_phy_calculate_bit_shift(u32 bitmask); ++static u32 _rtl88e_phy_calculate_bit_shift(u32 bitmask) ++{ ++ u32 i = ffs(bitmask); ++ ++ return i ? i - 1 : 32; ++} + static bool _rtl88e_phy_bb8188e_config_parafile(struct ieee80211_hw *hw); + static bool _rtl88e_phy_config_mac_with_headerfile(struct ieee80211_hw *hw); + static bool phy_config_bb_with_headerfile(struct ieee80211_hw *hw, +@@ -210,17 +215,6 @@ static void _rtl88e_phy_rf_serial_write(struct ieee80211_hw *hw, + rfpath, pphyreg->rf3wire_offset, data_and_addr); + } + +-static u32 _rtl88e_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i; +- +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } +- return i; +-} +- + bool rtl88e_phy_mac_config(struct ieee80211_hw *hw) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c +index 0efd19aa4fe5..1145cb0ca4af 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c +@@ -145,13 +145,9 @@ EXPORT_SYMBOL(_rtl92c_phy_rf_serial_write); + + u32 _rtl92c_phy_calculate_bit_shift(u32 bitmask) + { +- u32 i; ++ u32 i = ffs(bitmask); + +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } +- return i; ++ return i ? i - 1 : 32; + } + EXPORT_SYMBOL(_rtl92c_phy_calculate_bit_shift); + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +index 667578087af2..db4f8fde0f17 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +@@ -162,14 +162,9 @@ static u32 targetchnl_2g[TARGET_CHNL_NUM_2G] = { + + static u32 _rtl92d_phy_calculate_bit_shift(u32 bitmask) + { +- u32 i; +- +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } ++ u32 i = ffs(bitmask); + +- return i; ++ return i ? i - 1 : 32; + } + + u32 rtl92d_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c +index 222abc41669c..420f4984bfb9 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c +@@ -206,13 +206,9 @@ static void _rtl92ee_phy_rf_serial_write(struct ieee80211_hw *hw, + + static u32 _rtl92ee_phy_calculate_bit_shift(u32 bitmask) + { +- u32 i; ++ u32 i = ffs(bitmask); + +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } +- return i; ++ return i ? i - 1 : 32; + } + + bool rtl92ee_phy_mac_config(struct ieee80211_hw *hw) +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c +index d5c0eb462315..9696fa3a08d9 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c +@@ -16,14 +16,9 @@ + + static u32 _rtl92s_phy_calculate_bit_shift(u32 bitmask) + { +- u32 i; +- +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } ++ u32 i = ffs(bitmask); + +- return i; ++ return i ? i - 1 : 32; + } + + u32 rtl92s_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723com/phy_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723com/phy_common.c +index aae14c68bf69..964292e82636 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723com/phy_common.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723com/phy_common.c +@@ -53,13 +53,9 @@ EXPORT_SYMBOL_GPL(rtl8723_phy_set_bb_reg); + + u32 rtl8723_phy_calculate_bit_shift(u32 bitmask) + { +- u32 i; ++ u32 i = ffs(bitmask); + +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } +- return i; ++ return i ? i - 1 : 32; + } + EXPORT_SYMBOL_GPL(rtl8723_phy_calculate_bit_shift); + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +index 8647db044366..11f31d006280 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +@@ -27,7 +27,12 @@ static u32 _rtl8821ae_phy_rf_serial_read(struct ieee80211_hw *hw, + static void _rtl8821ae_phy_rf_serial_write(struct ieee80211_hw *hw, + enum radio_path rfpath, u32 offset, + u32 data); +-static u32 _rtl8821ae_phy_calculate_bit_shift(u32 bitmask); ++static u32 _rtl8821ae_phy_calculate_bit_shift(u32 bitmask) ++{ ++ u32 i = ffs(bitmask); ++ ++ return i ? i - 1 : 32; ++} + static bool _rtl8821ae_phy_bb8821a_config_parafile(struct ieee80211_hw *hw); + /*static bool _rtl8812ae_phy_config_mac_with_headerfile(struct ieee80211_hw *hw);*/ + static bool _rtl8821ae_phy_config_mac_with_headerfile(struct ieee80211_hw *hw); +@@ -274,17 +279,6 @@ static void _rtl8821ae_phy_rf_serial_write(struct ieee80211_hw *hw, + rfpath, pphyreg->rf3wire_offset, data_and_addr); + } + +-static u32 _rtl8821ae_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i; +- +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } +- return i; +-} +- + bool rtl8821ae_phy_mac_config(struct ieee80211_hw *hw) + { + bool rtstatus = 0; +-- +2.43.0 + diff --git a/queue-5.4/scsi-fnic-return-error-if-vmalloc-failed.patch b/queue-5.4/scsi-fnic-return-error-if-vmalloc-failed.patch new file mode 100644 index 00000000000..4db720609d9 --- /dev/null +++ b/queue-5.4/scsi-fnic-return-error-if-vmalloc-failed.patch @@ -0,0 +1,44 @@ +From 3672c0b333ab014c9e8e3dba83b8c2e488d6b835 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 14:10:08 +0300 +Subject: scsi: fnic: Return error if vmalloc() failed + +From: Artem Chernyshev + +[ Upstream commit f5f27a332a14f43463aa0075efa3a0c662c0f4a8 ] + +In fnic_init_module() exists redundant check for return value from +fnic_debugfs_init(), because at moment it only can return zero. It make +sense to process theoretical vmalloc() failure. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 9730ddfb123d ("scsi: fnic: remove redundant assignment of variable rc") +Signed-off-by: Artem Chernyshev +Link: https://lore.kernel.org/r/20231128111008.2280507-1-artem.chernyshev@red-soft.ru +Reviewed-by: Karan Tilak Kumar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/fnic/fnic_debugfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/fnic/fnic_debugfs.c b/drivers/scsi/fnic/fnic_debugfs.c +index 13f7d88d6e57..3f2e164b5068 100644 +--- a/drivers/scsi/fnic/fnic_debugfs.c ++++ b/drivers/scsi/fnic/fnic_debugfs.c +@@ -67,9 +67,10 @@ int fnic_debugfs_init(void) + fc_trc_flag->fnic_trace = 2; + fc_trc_flag->fc_trace = 3; + fc_trc_flag->fc_clear = 4; ++ return 0; + } + +- return 0; ++ return -ENOMEM; + } + + /* +-- +2.43.0 + diff --git a/queue-5.4/scsi-hisi_sas-replace-with-standard-error-code-retur.patch b/queue-5.4/scsi-hisi_sas-replace-with-standard-error-code-retur.patch new file mode 100644 index 00000000000..e91a57092d0 --- /dev/null +++ b/queue-5.4/scsi-hisi_sas-replace-with-standard-error-code-retur.patch @@ -0,0 +1,61 @@ +From 40bf7f93dfcfdf264d0f73d2df5ad9b30fa95394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 11:45:13 +0800 +Subject: scsi: hisi_sas: Replace with standard error code return value + +From: Yihang Li + +[ Upstream commit d34ee535705eb43885bc0f561c63046f697355ad ] + +In function hisi_sas_controller_prereset(), -ENOSYS (Function not +implemented) should be returned if the driver does not support .soft_reset. +Returns -EPERM (Operation not permitted) if HISI_SAS_RESETTING_BIT is +already be set. + +In function _suspend_v3_hw(), returns -EPERM (Operation not permitted) if +HISI_SAS_RESETTING_BIT is already be set. + +Fixes: 4522204ab218 ("scsi: hisi_sas: tidy host controller reset function a bit") +Signed-off-by: Yihang Li +Signed-off-by: Xiang Chen +Link: https://lore.kernel.org/r/1702525516-51258-3-git-send-email-chenxiang66@hisilicon.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 4 ++-- + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index 7135bbe5abb8..9de27c7f6b01 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -1577,10 +1577,10 @@ static int hisi_sas_controller_reset(struct hisi_hba *hisi_hba) + queue_work(hisi_hba->wq, &hisi_hba->debugfs_work); + + if (!hisi_hba->hw->soft_reset) +- return -1; ++ return -ENOENT; + + if (test_and_set_bit(HISI_SAS_RESET_BIT, &hisi_hba->flags)) +- return -1; ++ return -EPERM; + + dev_info(dev, "controller resetting...\n"); + hisi_sas_controller_reset_prepare(hisi_hba); +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index a86aae52d94f..c84d18b23e7b 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -3365,7 +3365,7 @@ static int hisi_sas_v3_suspend(struct pci_dev *pdev, pm_message_t state) + } + + if (test_and_set_bit(HISI_SAS_RESET_BIT, &hisi_hba->flags)) +- return -1; ++ return -EPERM; + + scsi_block_requests(shost); + set_bit(HISI_SAS_REJECT_CMD_BIT, &hisi_hba->flags); +-- +2.43.0 + diff --git a/queue-5.4/selftests-net-fix-grep-checking-for-fib_nexthop_mult.patch b/queue-5.4/selftests-net-fix-grep-checking-for-fib_nexthop_mult.patch new file mode 100644 index 00000000000..13190722d24 --- /dev/null +++ b/queue-5.4/selftests-net-fix-grep-checking-for-fib_nexthop_mult.patch @@ -0,0 +1,68 @@ +From 947c6b2146da889050c8449166bc3403676d6574 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 14:08:49 +0800 +Subject: selftests/net: fix grep checking for fib_nexthop_multiprefix + +From: Hangbin Liu + +[ Upstream commit a33e9da3470499e9ff476138f271fb52d6bfe767 ] + +When running fib_nexthop_multiprefix test I saw all IPv6 test failed. +e.g. + + ]# ./fib_nexthop_multiprefix.sh + TEST: IPv4: host 0 to host 1, mtu 1300 [ OK ] + TEST: IPv6: host 0 to host 1, mtu 1300 [FAIL] + + With -v it shows + + COMMAND: ip netns exec h0 /usr/sbin/ping6 -s 1350 -c5 -w5 2001:db8:101::1 + PING 2001:db8:101::1(2001:db8:101::1) 1350 data bytes + From 2001:db8:100::64 icmp_seq=1 Packet too big: mtu=1300 + + --- 2001:db8:101::1 ping statistics --- + 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms + + Route get + 2001:db8:101::1 via 2001:db8:100::64 dev eth0 src 2001:db8:100::1 metric 1024 expires 599sec mtu 1300 pref medium + Searching for: + 2001:db8:101::1 from :: via 2001:db8:100::64 dev eth0 src 2001:db8:100::1 .* mtu 1300 + +The reason is when CONFIG_IPV6_SUBTREES is not enabled, rt6_fill_node() will +not put RTA_SRC info. After fix: + +]# ./fib_nexthop_multiprefix.sh +TEST: IPv4: host 0 to host 1, mtu 1300 [ OK ] +TEST: IPv6: host 0 to host 1, mtu 1300 [ OK ] + +Fixes: 735ab2f65dce ("selftests: Add test with multiple prefixes using single nexthop") +Signed-off-by: Hangbin Liu +Link: https://lore.kernel.org/r/20231213060856.4030084-7-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib_nexthop_multiprefix.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/fib_nexthop_multiprefix.sh b/tools/testing/selftests/net/fib_nexthop_multiprefix.sh +index 51df5e305855..b52d59547fc5 100755 +--- a/tools/testing/selftests/net/fib_nexthop_multiprefix.sh ++++ b/tools/testing/selftests/net/fib_nexthop_multiprefix.sh +@@ -209,12 +209,12 @@ validate_v6_exception() + echo "Route get" + ip -netns h0 -6 ro get ${dst} + echo "Searching for:" +- echo " ${dst} from :: via ${r1} dev eth0 src ${h0} .* mtu ${mtu}" ++ echo " ${dst}.* via ${r1} dev eth0 src ${h0} .* mtu ${mtu}" + echo + fi + + ip -netns h0 -6 ro get ${dst} | \ +- grep -q "${dst} from :: via ${r1} dev eth0 src ${h0} .* mtu ${mtu}" ++ grep -q "${dst}.* via ${r1} dev eth0 src ${h0} .* mtu ${mtu}" + rc=$? + + log_test $rc 0 "IPv6: host 0 to host ${i}, mtu ${mtu}" +-- +2.43.0 + diff --git a/queue-5.4/selftests-powerpc-fix-error-handling-in-fpu-vmx-pree.patch b/queue-5.4/selftests-powerpc-fix-error-handling-in-fpu-vmx-pree.patch new file mode 100644 index 00000000000..8c95ebfa9ac --- /dev/null +++ b/queue-5.4/selftests-powerpc-fix-error-handling-in-fpu-vmx-pree.patch @@ -0,0 +1,88 @@ +From 389001088dbb9554c57c0889ebf527db9b121c5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 00:27:44 +1100 +Subject: selftests/powerpc: Fix error handling in FPU/VMX preemption tests + +From: Michael Ellerman + +[ Upstream commit 9dbd5927408c4a0707de73ae9dd9306b184e8fee ] + +The FPU & VMX preemption tests do not check for errors returned by the +low-level asm routines, preempt_fpu() / preempt_vsx() respectively. +That means any register corruption detected by the asm routines does not +result in a test failure. + +Fix it by returning the return value of the asm routines from the +pthread child routines. + +Fixes: e5ab8be68e44 ("selftests/powerpc: Test preservation of FPU and VMX regs across preemption") +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231128132748.1990179-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/math/fpu_preempt.c | 9 +++++---- + tools/testing/selftests/powerpc/math/vmx_preempt.c | 10 ++++++---- + 2 files changed, 11 insertions(+), 8 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/math/fpu_preempt.c b/tools/testing/selftests/powerpc/math/fpu_preempt.c +index 5235bdc8c0b1..3e5b5663d244 100644 +--- a/tools/testing/selftests/powerpc/math/fpu_preempt.c ++++ b/tools/testing/selftests/powerpc/math/fpu_preempt.c +@@ -37,19 +37,20 @@ __thread double darray[] = {0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.0, + int threads_starting; + int running; + +-extern void preempt_fpu(double *darray, int *threads_starting, int *running); ++extern int preempt_fpu(double *darray, int *threads_starting, int *running); + + void *preempt_fpu_c(void *p) + { ++ long rc; + int i; ++ + srand(pthread_self()); + for (i = 0; i < 21; i++) + darray[i] = rand(); + +- /* Test failed if it ever returns */ +- preempt_fpu(darray, &threads_starting, &running); ++ rc = preempt_fpu(darray, &threads_starting, &running); + +- return p; ++ return (void *)rc; + } + + int test_preempt_fpu(void) +diff --git a/tools/testing/selftests/powerpc/math/vmx_preempt.c b/tools/testing/selftests/powerpc/math/vmx_preempt.c +index 2e059f154e77..397f9da8f1c3 100644 +--- a/tools/testing/selftests/powerpc/math/vmx_preempt.c ++++ b/tools/testing/selftests/powerpc/math/vmx_preempt.c +@@ -37,19 +37,21 @@ __thread vector int varray[] = {{1, 2, 3, 4}, {5, 6, 7, 8}, {9, 10,11,12}, + int threads_starting; + int running; + +-extern void preempt_vmx(vector int *varray, int *threads_starting, int *running); ++extern int preempt_vmx(vector int *varray, int *threads_starting, int *running); + + void *preempt_vmx_c(void *p) + { + int i, j; ++ long rc; ++ + srand(pthread_self()); + for (i = 0; i < 12; i++) + for (j = 0; j < 4; j++) + varray[i][j] = rand(); + +- /* Test fails if it ever returns */ +- preempt_vmx(varray, &threads_starting, &running); +- return p; ++ rc = preempt_vmx(varray, &threads_starting, &running); ++ ++ return (void *)rc; + } + + int test_preempt_vmx(void) +-- +2.43.0 + diff --git a/queue-5.4/selinux-fix-error-priority-for-bind-with-af_unspec-o.patch b/queue-5.4/selinux-fix-error-priority-for-bind-with-af_unspec-o.patch new file mode 100644 index 00000000000..f0f2f603f3f --- /dev/null +++ b/queue-5.4/selinux-fix-error-priority-for-bind-with-af_unspec-o.patch @@ -0,0 +1,55 @@ +From 59361fc9c13b0fec2cf03cd388cc78d4b2810ca8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jan 2024 17:34:15 +0100 +Subject: selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 + socket +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +[ Upstream commit bbf5a1d0e5d0fb3bdf90205aa872636122692a50 ] + +The IPv6 network stack first checks the sockaddr length (-EINVAL error) +before checking the family (-EAFNOSUPPORT error). + +This was discovered thanks to commit a549d055a22e ("selftests/landlock: +Add network tests"). + +Cc: Eric Paris +Cc: Konstantin Meskhidze +Cc: Paul Moore +Cc: Stephen Smalley +Reported-by: Muhammad Usama Anjum +Closes: https://lore.kernel.org/r/0584f91c-537c-4188-9e4f-04f192565667@collabora.com +Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()") +Signed-off-by: Mickaël Salaün +Tested-by: Muhammad Usama Anjum +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/hooks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index d9f15c84aab7..c1bf319b459a 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -4625,6 +4625,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in + return -EINVAL; + addr4 = (struct sockaddr_in *)address; + if (family_sa == AF_UNSPEC) { ++ if (family == PF_INET6) { ++ /* Length check from inet6_bind_sk() */ ++ if (addrlen < SIN6_LEN_RFC2133) ++ return -EINVAL; ++ /* Family check from __inet6_bind() */ ++ goto err_af; ++ } + /* see __inet_bind(), we only want to allow + * AF_UNSPEC if the address is INADDR_ANY + */ +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 59a7c67e695..f39cad96fe8 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -37,3 +37,102 @@ uio-fix-use-after-free-in-uio_open.patch parport-parport_serial-add-brainboxes-bar-details.patch parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch coresight-etm4x-fix-width-of-ccitmin-field.patch +x86-lib-fix-overflow-when-counting-digits.patch +edac-thunderx-fix-possible-out-of-bounds-string-acce.patch +powerpc-add-crtsavres.o-to-always-y-instead-of-extra.patch +powerpc-44x-select-i2c-for-currituck.patch +powerpc-pseries-memhotplug-quieten-some-dlpar-operat.patch +powerpc-pseries-memhp-fix-access-beyond-end-of-drmem.patch +selftests-powerpc-fix-error-handling-in-fpu-vmx-pree.patch +powerpc-powernv-add-a-null-pointer-check-to-scom_deb.patch +powerpc-powernv-add-a-null-pointer-check-in-opal_eve.patch +powerpc-powernv-add-a-null-pointer-check-in-opal_pow.patch +powerpc-imc-pmu-add-a-null-pointer-check-in-update_e.patch +mtd-rawnand-increment-ifc_timeout_msecs-for-nand-con.patch +acpi-video-check-for-error-while-searching-for-backl.patch +acpi-lpit-avoid-u32-multiplication-overflow.patch +net-netlabel-fix-kerneldoc-warnings.patch +netlabel-remove-unused-parameter-in-netlbl_netlink_a.patch +calipso-fix-memory-leak-in-netlbl_calipso_add_pass.patch +spi-sh-msiof-enforce-fixed-dtdl-for-r-car-h3.patch +mtd-fix-gluebi-null-pointer-dereference-caused-by-ft.patch +selinux-fix-error-priority-for-bind-with-af_unspec-o.patch +crypto-virtio-handle-dataq-logic-with-tasklet.patch +crypto-virtio-don-t-use-default-m.patch +virtio_crypto-introduce-virtio_crypto_nospc.patch +crypto-ccp-fix-memleak-in-ccp_init_dm_workarea.patch +crypto-af_alg-disallow-multiple-in-flight-aio-reques.patch +crypto-sahara-remove-flags_new_key-logic.patch +crypto-sahara-fix-ahash-selftest-failure.patch +crypto-sahara-fix-processing-requests-with-cryptlen-.patch +crypto-sahara-fix-error-handling-in-sahara_hw_descri.patch +pstore-ram_core-fix-possible-overflow-in-persistent_.patch +gfs2-fix-kernel-null-pointer-dereference-in-gfs2_rgr.patch +crypto-virtio-wait-for-tasklet-to-complete-on-device.patch +crypto-sahara-fix-ahash-reqsize.patch +crypto-sahara-fix-wait_for_completion_timeout-error-.patch +crypto-sahara-improve-error-handling-in-sahara_sha_p.patch +crypto-sahara-fix-processing-hash-requests-with-req-.patch +crypto-sahara-do-not-resize-req-src-when-doing-hash-.patch +crypto-scomp-fix-req-dst-buffer-overflow.patch +blocklayoutdriver-fix-reference-leak-of-pnfs_device_.patch +nfsv4.1-pnfs-ensure-we-handle-the-error-nfs4err_retu.patch +wifi-rtw88-fix-rx-filter-in-fif_allmulti-flag.patch +bpf-lpm-fix-check-prefixlen-before-walking-trie.patch +wifi-libertas-stop-selecting-wext.patch +arm-dts-qcom-apq8064-correct-xoadc-register-address.patch +ncsi-internal.h-fix-a-spello.patch +net-ncsi-fix-netlink-major-minor-version-numbers.patch +firmware-ti_sci-fix-an-off-by-one-in-ti_sci_debugfs_.patch +rtlwifi-use-ffs-in-foo-_phy_calculate_bit_shift.patch +wifi-rtlwifi-rtl8821ae-phy-fix-an-undefined-bitwise-.patch +scsi-fnic-return-error-if-vmalloc-failed.patch +arm64-dts-qcom-sdm845-db845c-correct-led-panic-indic.patch +scsi-hisi_sas-replace-with-standard-error-code-retur.patch +selftests-net-fix-grep-checking-for-fib_nexthop_mult.patch +virtio-vsock-fix-logic-which-reduces-credit-update-m.patch +dma-mapping-clear-dev-dma_mem-to-null-after-freeing-.patch +wifi-rtlwifi-add-calculate_bit_shift.patch +wifi-rtlwifi-rtl8188ee-phy-using-calculate_bit_shift.patch +wifi-rtlwifi-rtl8192c-using-calculate_bit_shift.patch +wifi-rtlwifi-rtl8192cu-using-calculate_bit_shift.patch +wifi-rtlwifi-rtl8192ce-using-calculate_bit_shift.patch +rtlwifi-rtl8192de-make-arrays-static-const-makes-obj.patch +wifi-rtlwifi-rtl8192de-using-calculate_bit_shift.patch +wifi-rtlwifi-rtl8192ee-using-calculate_bit_shift.patch +wifi-rtlwifi-rtl8192se-using-calculate_bit_shift.patch +netfilter-nf_tables-mark-newset-as-dead-on-transacti.patch +bluetooth-fix-bogus-check-for-re-auth-no-supported-w.patch +bluetooth-btmtkuart-fix-recv_buf-return-value.patch +ip6_tunnel-fix-nexthdr_fragment-handling-in-ip6_tnl_.patch +arm-davinci-always-select-config_cpu_arm926t.patch +rdma-usnic-silence-uninitialized-symbol-smatch-warni.patch +media-pvrusb2-fix-use-after-free-on-context-disconne.patch +drm-bridge-fix-typo-in-post_disable-description.patch +f2fs-fix-to-avoid-dirent-corruption.patch +drm-radeon-r600_cs-fix-possible-int-overflows-in-r60.patch +drm-radeon-r100-fix-integer-overflow-issues-in-r100_.patch +drm-radeon-check-return-value-of-radeon_ring_lock.patch +asoc-cs35l33-fix-gpio-name-and-drop-legacy-include.patch +asoc-cs35l34-fix-gpio-name-and-drop-legacy-include.patch +drm-msm-mdp4-flush-vblank-event-on-disable.patch +drm-msm-dsi-use-pm_runtime_resume_and_get-to-prevent.patch +drm-drv-propagate-errors-from-drm_modeset_register_a.patch +drm-radeon-check-the-alloc_workqueue-return-value-in.patch +drm-radeon-dpm-fix-a-memleak-in-sumo_parse_power_tab.patch +drm-radeon-trinity_dpm-fix-a-memleak-in-trinity_pars.patch +drm-bridge-tc358767-fix-return-value-on-error-case.patch +media-cx231xx-fix-a-memleak-in-cx231xx_init_isoc.patch +media-dvbdev-drop-refcount-on-error-path-in-dvb_devi.patch +drm-amdgpu-debugfs-fix-error-code-when-smc-register-.patch +drm-amd-pm-fix-a-double-free-in-si_dpm_init.patch +drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch +gpu-drm-radeon-fix-two-memleaks-in-radeon_vm_init.patch +drivers-clk-zynqmp-calculate-closest-mux-rate.patch +watchdog-set-cdev-owner-before-adding.patch +watchdog-hpwdt-only-claim-unknown-nmi-if-from-ilo.patch +watchdog-bcm2835_wdt-fix-wdioc_settimeout-handling.patch +clk-si5341-fix-an-error-code-problem-in-si5341_outpu.patch +mmc-sdhci_omap-fix-ti-soc-dependencies.patch +of-fix-double-free-in-of_parse_phandle_with_args_map.patch +of-unittest-fix-of_count_phandle_with_args-expected-.patch diff --git a/queue-5.4/spi-sh-msiof-enforce-fixed-dtdl-for-r-car-h3.patch b/queue-5.4/spi-sh-msiof-enforce-fixed-dtdl-for-r-car-h3.patch new file mode 100644 index 00000000000..929b7d3ee7f --- /dev/null +++ b/queue-5.4/spi-sh-msiof-enforce-fixed-dtdl-for-r-car-h3.patch @@ -0,0 +1,80 @@ +From 0ae98113dde6fb5d35370388c243364f437b7d87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 09:12:38 +0100 +Subject: spi: sh-msiof: Enforce fixed DTDL for R-Car H3 + +From: Wolfram Sang + +[ Upstream commit e5c7bcb499840551cfbe85c6df177ebc50432bf0 ] + +Documentation says only DTDL of 200 is allowed for this SoC. + +Fixes: 4286db8456f4 ("spi: sh-msiof: Add R-Car Gen 2 and 3 fallback bindings") +Signed-off-by: Wolfram Sang +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Yoshihiro Shimoda +Link: https://msgid.link/r/20231212081239.14254-1-wsa+renesas@sang-engineering.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sh-msiof.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c +index 8f134735291f..edb26b085706 100644 +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -32,12 +32,15 @@ + + #include + ++#define SH_MSIOF_FLAG_FIXED_DTDL_200 BIT(0) ++ + struct sh_msiof_chipdata { + u32 bits_per_word_mask; + u16 tx_fifo_size; + u16 rx_fifo_size; + u16 ctlr_flags; + u16 min_div_pow; ++ u32 flags; + }; + + struct sh_msiof_spi_priv { +@@ -1072,6 +1075,16 @@ static const struct sh_msiof_chipdata rcar_gen3_data = { + .min_div_pow = 1, + }; + ++static const struct sh_msiof_chipdata rcar_r8a7795_data = { ++ .bits_per_word_mask = SPI_BPW_MASK(8) | SPI_BPW_MASK(16) | ++ SPI_BPW_MASK(24) | SPI_BPW_MASK(32), ++ .tx_fifo_size = 64, ++ .rx_fifo_size = 64, ++ .ctlr_flags = SPI_CONTROLLER_MUST_TX, ++ .min_div_pow = 1, ++ .flags = SH_MSIOF_FLAG_FIXED_DTDL_200, ++}; ++ + static const struct of_device_id sh_msiof_match[] = { + { .compatible = "renesas,sh-mobile-msiof", .data = &sh_data }, + { .compatible = "renesas,msiof-r8a7743", .data = &rcar_gen2_data }, +@@ -1082,6 +1095,7 @@ static const struct of_device_id sh_msiof_match[] = { + { .compatible = "renesas,msiof-r8a7793", .data = &rcar_gen2_data }, + { .compatible = "renesas,msiof-r8a7794", .data = &rcar_gen2_data }, + { .compatible = "renesas,rcar-gen2-msiof", .data = &rcar_gen2_data }, ++ { .compatible = "renesas,msiof-r8a7795", .data = &rcar_r8a7795_data }, + { .compatible = "renesas,msiof-r8a7796", .data = &rcar_gen3_data }, + { .compatible = "renesas,rcar-gen3-msiof", .data = &rcar_gen3_data }, + { .compatible = "renesas,sh-msiof", .data = &sh_data }, /* Deprecated */ +@@ -1317,6 +1331,9 @@ static int sh_msiof_spi_probe(struct platform_device *pdev) + return -ENXIO; + } + ++ if (chipdata->flags & SH_MSIOF_FLAG_FIXED_DTDL_200) ++ info->dtdl = 200; ++ + if (info->mode == MSIOF_SPI_SLAVE) + ctlr = spi_alloc_slave(&pdev->dev, + sizeof(struct sh_msiof_spi_priv)); +-- +2.43.0 + diff --git a/queue-5.4/virtio-vsock-fix-logic-which-reduces-credit-update-m.patch b/queue-5.4/virtio-vsock-fix-logic-which-reduces-credit-update-m.patch new file mode 100644 index 00000000000..a5b9f7c3072 --- /dev/null +++ b/queue-5.4/virtio-vsock-fix-logic-which-reduces-credit-update-m.patch @@ -0,0 +1,69 @@ +From d57b3c5fd48aaf6cc8cc2528f4e4fca6973aa20d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 15:52:28 +0300 +Subject: virtio/vsock: fix logic which reduces credit update messages + +From: Arseniy Krasnov + +[ Upstream commit 93b80887668226180ea5f5349cc728ca6dc700ab ] + +Add one more condition for sending credit update during dequeue from +stream socket: when number of bytes in the rx queue is smaller than +SO_RCVLOWAT value of the socket. This is actual for non-default value +of SO_RCVLOWAT (e.g. not 1) - idea is to "kick" peer to continue data +transmission, because we need at least SO_RCVLOWAT bytes in our rx +queue to wake up user for reading data (in corner case it is also +possible to stuck both tx and rx sides, this is why 'Fixes' is used). + +Fixes: b89d882dc9fc ("vsock/virtio: reduce credit update messages") +Signed-off-by: Arseniy Krasnov +Reviewed-by: Stefano Garzarella +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index e0bb83f5746c..434c5608a75d 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -276,6 +276,8 @@ virtio_transport_stream_do_dequeue(struct vsock_sock *vsk, + struct virtio_vsock_pkt *pkt; + size_t bytes, total = 0; + u32 free_space; ++ u32 fwd_cnt_delta; ++ bool low_rx_bytes; + int err = -EFAULT; + + spin_lock_bh(&vvs->rx_lock); +@@ -307,7 +309,10 @@ virtio_transport_stream_do_dequeue(struct vsock_sock *vsk, + } + } + +- free_space = vvs->buf_alloc - (vvs->fwd_cnt - vvs->last_fwd_cnt); ++ fwd_cnt_delta = vvs->fwd_cnt - vvs->last_fwd_cnt; ++ free_space = vvs->buf_alloc - fwd_cnt_delta; ++ low_rx_bytes = (vvs->rx_bytes < ++ sock_rcvlowat(sk_vsock(vsk), 0, INT_MAX)); + + spin_unlock_bh(&vvs->rx_lock); + +@@ -317,9 +322,11 @@ virtio_transport_stream_do_dequeue(struct vsock_sock *vsk, + * too high causes extra messages. Too low causes transmitter + * stalls. As stalls are in theory more expensive than extra + * messages, we set the limit to a high value. TODO: experiment +- * with different values. ++ * with different values. Also send credit update message when ++ * number of bytes in rx queue is not enough to wake up reader. + */ +- if (free_space < VIRTIO_VSOCK_MAX_PKT_BUF_SIZE) { ++ if (fwd_cnt_delta && ++ (free_space < VIRTIO_VSOCK_MAX_PKT_BUF_SIZE || low_rx_bytes)) { + virtio_transport_send_credit_update(vsk, + VIRTIO_VSOCK_TYPE_STREAM, + NULL); +-- +2.43.0 + diff --git a/queue-5.4/virtio_crypto-introduce-virtio_crypto_nospc.patch b/queue-5.4/virtio_crypto-introduce-virtio_crypto_nospc.patch new file mode 100644 index 00000000000..80bc862df8e --- /dev/null +++ b/queue-5.4/virtio_crypto-introduce-virtio_crypto_nospc.patch @@ -0,0 +1,36 @@ +From be6aa7faebf89d68249a8e80091f343ccfb3acfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Mar 2022 11:39:14 +0800 +Subject: virtio_crypto: Introduce VIRTIO_CRYPTO_NOSPC + +From: zhenwei pi + +[ Upstream commit 13d640a3e9a3ac7ec694843d3d3b785e85fb8cb8 ] + +Base on the lastest virtio crypto spec, define VIRTIO_CRYPTO_NOSPC. + +Reviewed-by: Gonglei +Signed-off-by: zhenwei pi +Link: https://lore.kernel.org/r/20220302033917.1295334-2-pizhenwei@bytedance.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet") +Signed-off-by: Sasha Levin +--- + include/uapi/linux/virtio_crypto.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/uapi/linux/virtio_crypto.h b/include/uapi/linux/virtio_crypto.h +index 50cdc8aebfcf..05330284eb59 100644 +--- a/include/uapi/linux/virtio_crypto.h ++++ b/include/uapi/linux/virtio_crypto.h +@@ -408,6 +408,7 @@ struct virtio_crypto_op_data_req { + #define VIRTIO_CRYPTO_BADMSG 2 + #define VIRTIO_CRYPTO_NOTSUPP 3 + #define VIRTIO_CRYPTO_INVSESS 4 /* Invalid session id */ ++#define VIRTIO_CRYPTO_NOSPC 5 /* no free session ID */ + + /* The accelerator hardware is ready */ + #define VIRTIO_CRYPTO_S_HW_READY (1 << 0) +-- +2.43.0 + diff --git a/queue-5.4/watchdog-bcm2835_wdt-fix-wdioc_settimeout-handling.patch b/queue-5.4/watchdog-bcm2835_wdt-fix-wdioc_settimeout-handling.patch new file mode 100644 index 00000000000..b85407afd22 --- /dev/null +++ b/queue-5.4/watchdog-bcm2835_wdt-fix-wdioc_settimeout-handling.patch @@ -0,0 +1,57 @@ +From 964588858d5d488aadb6065c18f1224edaaa4317 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Nov 2023 18:32:51 +0100 +Subject: watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling + +From: Stefan Wahren + +[ Upstream commit f33f5b1fd1be5f5106d16f831309648cb0f1c31d ] + +Users report about the unexpected behavior for setting timeouts above +15 sec on Raspberry Pi. According to watchdog-api.rst the ioctl +WDIOC_SETTIMEOUT shouldn't fail because of hardware limitations. +But looking at the code shows that max_timeout based on the +register value PM_WDOG_TIME_SET, which is the maximum. + +Since 664a39236e71 ("watchdog: Introduce hardware maximum heartbeat +in watchdog core") the watchdog core is able to handle this problem. + +This fix has been tested with watchdog-test from selftests. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217374 +Fixes: 664a39236e71 ("watchdog: Introduce hardware maximum heartbeat in watchdog core") +Signed-off-by: Stefan Wahren +Reviewed-by: Florian Fainelli +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20231112173251.4827-1-wahrenst@gmx.net +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/bcm2835_wdt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/watchdog/bcm2835_wdt.c b/drivers/watchdog/bcm2835_wdt.c +index dec6ca019bea..3a8dec05b591 100644 +--- a/drivers/watchdog/bcm2835_wdt.c ++++ b/drivers/watchdog/bcm2835_wdt.c +@@ -42,6 +42,7 @@ + + #define SECS_TO_WDOG_TICKS(x) ((x) << 16) + #define WDOG_TICKS_TO_SECS(x) ((x) >> 16) ++#define WDOG_TICKS_TO_MSECS(x) ((x) * 1000 >> 16) + + struct bcm2835_wdt { + void __iomem *base; +@@ -140,7 +141,7 @@ static struct watchdog_device bcm2835_wdt_wdd = { + .info = &bcm2835_wdt_info, + .ops = &bcm2835_wdt_ops, + .min_timeout = 1, +- .max_timeout = WDOG_TICKS_TO_SECS(PM_WDOG_TIME_SET), ++ .max_hw_heartbeat_ms = WDOG_TICKS_TO_MSECS(PM_WDOG_TIME_SET), + .timeout = WDOG_TICKS_TO_SECS(PM_WDOG_TIME_SET), + }; + +-- +2.43.0 + diff --git a/queue-5.4/watchdog-hpwdt-only-claim-unknown-nmi-if-from-ilo.patch b/queue-5.4/watchdog-hpwdt-only-claim-unknown-nmi-if-from-ilo.patch new file mode 100644 index 00000000000..b2401e42b84 --- /dev/null +++ b/queue-5.4/watchdog-hpwdt-only-claim-unknown-nmi-if-from-ilo.patch @@ -0,0 +1,51 @@ +From 735bf3465e0c4678bcac5e42c38446aac652b4c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 14:53:38 -0700 +Subject: watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO + +From: Jerry Hoemann + +[ Upstream commit dced0b3e51dd2af3730efe14dd86b5e3173f0a65 ] + +Avoid unnecessary crashes by claiming only NMIs that are due to +ERROR signalling or generated by the hpwdt hardware device. + +The code does this, but only for iLO5. + +The intent was to preserve legacy, Gen9 and earlier, semantics of +using hpwdt for error containtment as hardware/firmware would signal +fatal IO errors as an NMI with the expectation of hpwdt crashing +the system. Howerver, these IO errors should be received by hpwdt +as an NMI_IO_CHECK. So the test is overly permissive and should +not be limited to only ilo5. + +We need to enable this protection for future iLOs not matching the +current PCI IDs. + +Fixes: 62290a5c194b ("watchdog: hpwdt: Claim NMIs generated by iLO5") +Signed-off-by: Jerry Hoemann +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20231213215340.495734-2-jerry.hoemann@hpe.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/hpwdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/hpwdt.c b/drivers/watchdog/hpwdt.c +index 7d34bcf1c45b..53573c3ddd1a 100644 +--- a/drivers/watchdog/hpwdt.c ++++ b/drivers/watchdog/hpwdt.c +@@ -174,7 +174,7 @@ static int hpwdt_pretimeout(unsigned int ulReason, struct pt_regs *regs) + "3. OA Forward Progress Log\n" + "4. iLO Event Log"; + +- if (ilo5 && ulReason == NMI_UNKNOWN && !mynmi) ++ if (ulReason == NMI_UNKNOWN && !mynmi) + return NMI_DONE; + + if (ilo5 && !pretimeout && !mynmi) +-- +2.43.0 + diff --git a/queue-5.4/watchdog-set-cdev-owner-before-adding.patch b/queue-5.4/watchdog-set-cdev-owner-before-adding.patch new file mode 100644 index 00000000000..b93b7c1da90 --- /dev/null +++ b/queue-5.4/watchdog-set-cdev-owner-before-adding.patch @@ -0,0 +1,61 @@ +From bede0c6edda8e85c6c5840b82ba9fd1e87fca483 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 11:05:22 -0800 +Subject: watchdog: set cdev owner before adding + +From: Curtis Klein + +[ Upstream commit 38d75297745f04206db9c29bdd75557f0344c7cc ] + +When the new watchdog character device is registered, it becomes +available for opening. This creates a race where userspace may open the +device before the character device's owner is set. This results in an +imbalance in module_get calls as the cdev_get in cdev_open will not +increment the reference count on the watchdog driver module. + +This causes problems when the watchdog character device is released as +the module loader's reference will also be released. This makes it +impossible to open the watchdog device later on as it now appears that +the module is being unloaded. The open will fail with -ENXIO from +chrdev_open. + +The legacy watchdog device will fail with -EBUSY from the try_module_get +in watchdog_open because it's module owner is the watchdog core module +so it can still be opened but it will fail to get a refcount on the +underlying watchdog device driver. + +Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev") +Signed-off-by: Curtis Klein +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20231205190522.55153-1-curtis.klein@hpe.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/watchdog_dev.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c +index c670d13ab3d9..6fb860542c86 100644 +--- a/drivers/watchdog/watchdog_dev.c ++++ b/drivers/watchdog/watchdog_dev.c +@@ -1007,6 +1007,7 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) + + /* Fill in the data structures */ + cdev_init(&wd_data->cdev, &watchdog_fops); ++ wd_data->cdev.owner = wdd->ops->owner; + + /* Add the device */ + err = cdev_device_add(&wd_data->cdev, &wd_data->dev); +@@ -1021,8 +1022,6 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) + return err; + } + +- wd_data->cdev.owner = wdd->ops->owner; +- + /* Record time of most recent heartbeat as 'just before now'. */ + wd_data->last_hw_keepalive = ktime_sub(ktime_get(), 1); + watchdog_set_open_deadline(wd_data); +-- +2.43.0 + diff --git a/queue-5.4/wifi-libertas-stop-selecting-wext.patch b/queue-5.4/wifi-libertas-stop-selecting-wext.patch new file mode 100644 index 00000000000..ba95e93658b --- /dev/null +++ b/queue-5.4/wifi-libertas-stop-selecting-wext.patch @@ -0,0 +1,37 @@ +From a373b707d7e4c5f5337fdee357fdb2f9b969ad5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Nov 2023 16:34:03 +0100 +Subject: wifi: libertas: stop selecting wext + +From: Arnd Bergmann + +[ Upstream commit 8170b04c2c92eee52ea50b96db4c54662197e512 ] + +Libertas no longer references the iw_handler infrastructure or wext_spy, +so neither of the 'select' statements are used any more. + +Fixes: e86dc1ca4676 ("Libertas: cfg80211 support") +Signed-off-by: Arnd Bergmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231108153409.1065286-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/Kconfig | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/wireless/marvell/libertas/Kconfig b/drivers/net/wireless/marvell/libertas/Kconfig +index b9fe598130c3..38347a2e8320 100644 +--- a/drivers/net/wireless/marvell/libertas/Kconfig ++++ b/drivers/net/wireless/marvell/libertas/Kconfig +@@ -2,8 +2,6 @@ + config LIBERTAS + tristate "Marvell 8xxx Libertas WLAN driver support" + depends on CFG80211 +- select WIRELESS_EXT +- select WEXT_SPY + select LIB80211 + select FW_LOADER + ---help--- +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtlwifi-add-calculate_bit_shift.patch b/queue-5.4/wifi-rtlwifi-add-calculate_bit_shift.patch new file mode 100644 index 00000000000..6b52ebbf491 --- /dev/null +++ b/queue-5.4/wifi-rtlwifi-add-calculate_bit_shift.patch @@ -0,0 +1,43 @@ +From 65e1e6ff4aad612ce98e29717274d59ed123550a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:29 +0800 +Subject: wifi: rtlwifi: add calculate_bit_shift() + +From: Su Hui + +[ Upstream commit 52221dfddbbfb5b4e029bb2efe9bb7da33ec1e46 ] + +There are many same functions like _rtl88e_phy_calculate_bit_shift(), +_rtl92c_phy_calculate_bit_shift() and so on. And these functions can +cause undefined bitwise shift behavior. Add calculate_bit_shift() to +replace them and fix undefined behavior in subsequent patches. + +Signed-off-by: Su Hui +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-2-suhui@nfschina.com +Stable-dep-of: 969bc926f04b ("wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/wifi.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h +index 3bdda1c98339..abec9ceabe28 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h ++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h +@@ -3230,4 +3230,11 @@ static inline struct ieee80211_sta *rtl_find_sta(struct ieee80211_hw *hw, + return ieee80211_find_sta(mac->vif, mac_addr); + } + ++static inline u32 calculate_bit_shift(u32 bitmask) ++{ ++ if (WARN_ON_ONCE(!bitmask)) ++ return 0; ++ ++ return __ffs(bitmask); ++} + #endif +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtlwifi-rtl8188ee-phy-using-calculate_bit_shift.patch b/queue-5.4/wifi-rtlwifi-rtl8188ee-phy-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..3fa699f3f16 --- /dev/null +++ b/queue-5.4/wifi-rtlwifi-rtl8188ee-phy-using-calculate_bit_shift.patch @@ -0,0 +1,77 @@ +From d45b548b4662671fa9bf8f70f12e5ca8e430a7b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:31 +0800 +Subject: wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit 969bc926f04b438676768aeffffffb050e480b62 ] + +Using calculate_bit_shift() to replace _rtl88e_phy_calculate_bit_shift(). +And fix the undefined bitwise shift behavior problem. + +Fixes: f0eb856e0b6c ("rtlwifi: rtl8188ee: Add new driver") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-4-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtlwifi/rtl8188ee/phy.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c +index 52b0fccc31f8..4b8bdf3885db 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c +@@ -16,12 +16,6 @@ static u32 _rtl88e_phy_rf_serial_read(struct ieee80211_hw *hw, + static void _rtl88e_phy_rf_serial_write(struct ieee80211_hw *hw, + enum radio_path rfpath, u32 offset, + u32 data); +-static u32 _rtl88e_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i = ffs(bitmask); +- +- return i ? i - 1 : 32; +-} + static bool _rtl88e_phy_bb8188e_config_parafile(struct ieee80211_hw *hw); + static bool _rtl88e_phy_config_mac_with_headerfile(struct ieee80211_hw *hw); + static bool phy_config_bb_with_headerfile(struct ieee80211_hw *hw, +@@ -51,7 +45,7 @@ u32 rtl88e_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, + "regaddr(%#x), bitmask(%#x)\n", regaddr, bitmask); + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl88e_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + returnvalue = (originalvalue & bitmask) >> bitshift; + + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, +@@ -74,7 +68,7 @@ void rtl88e_phy_set_bb_reg(struct ieee80211_hw *hw, + + if (bitmask != MASKDWORD) { + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl88e_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((originalvalue & (~bitmask)) | (data << bitshift)); + } + +@@ -100,7 +94,7 @@ u32 rtl88e_phy_query_rf_reg(struct ieee80211_hw *hw, + + + original_value = _rtl88e_phy_rf_serial_read(hw, rfpath, regaddr); +- bitshift = _rtl88e_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + + spin_unlock_irqrestore(&rtlpriv->locks.rf_lock, flags); +@@ -129,7 +123,7 @@ void rtl88e_phy_set_rf_reg(struct ieee80211_hw *hw, + original_value = _rtl88e_phy_rf_serial_read(hw, + rfpath, + regaddr); +- bitshift = _rtl88e_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtlwifi-rtl8192c-using-calculate_bit_shift.patch b/queue-5.4/wifi-rtlwifi-rtl8192c-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..02b52578699 --- /dev/null +++ b/queue-5.4/wifi-rtlwifi-rtl8192c-using-calculate_bit_shift.patch @@ -0,0 +1,74 @@ +From 4e0d5975816cd246edac9079b12d38d88094cf40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:32 +0800 +Subject: wifi: rtlwifi: rtl8192c: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit 1dedc3a6699d827d345019e921b8d8f37f694333 ] + +Using calculate_bit_shift() to replace _rtl92c_phy_calculate_bit_shift(). +And fix the undefined bitwise shift behavior problem. + +Fixes: 4295cd254af3 ("rtlwifi: Move common parts of rtl8192ce/phy.c") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-5-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + .../wireless/realtek/rtlwifi/rtl8192c/phy_common.c | 12 ++---------- + .../wireless/realtek/rtlwifi/rtl8192c/phy_common.h | 1 - + 2 files changed, 2 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c +index 1145cb0ca4af..62ed75d6e2d3 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c +@@ -17,7 +17,7 @@ u32 rtl92c_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, "regaddr(%#x), bitmask(%#x)\n", + regaddr, bitmask); + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + returnvalue = (originalvalue & bitmask) >> bitshift; + + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, +@@ -40,7 +40,7 @@ void rtl92c_phy_set_bb_reg(struct ieee80211_hw *hw, + + if (bitmask != MASKDWORD) { + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((originalvalue & (~bitmask)) | (data << bitshift)); + } + +@@ -143,14 +143,6 @@ void _rtl92c_phy_rf_serial_write(struct ieee80211_hw *hw, + } + EXPORT_SYMBOL(_rtl92c_phy_rf_serial_write); + +-u32 _rtl92c_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i = ffs(bitmask); +- +- return i ? i - 1 : 32; +-} +-EXPORT_SYMBOL(_rtl92c_phy_calculate_bit_shift); +- + static void _rtl92c_phy_bb_config_1t(struct ieee80211_hw *hw) + { + rtl_set_bbreg(hw, RFPGA0_TXINFO, 0x3, 0x2); +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.h b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.h +index 75afa6253ad0..e64d377dfe9e 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.h ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.h +@@ -196,7 +196,6 @@ bool rtl92c_phy_set_rf_power_state(struct ieee80211_hw *hw, + void rtl92ce_phy_set_rf_on(struct ieee80211_hw *hw); + void rtl92c_phy_set_io(struct ieee80211_hw *hw); + void rtl92c_bb_block_on(struct ieee80211_hw *hw); +-u32 _rtl92c_phy_calculate_bit_shift(u32 bitmask); + long _rtl92c_phy_txpwr_idx_to_dbm(struct ieee80211_hw *hw, + enum wireless_mode wirelessmode, + u8 txpwridx); +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtlwifi-rtl8192ce-using-calculate_bit_shift.patch b/queue-5.4/wifi-rtlwifi-rtl8192ce-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..1234e1a15ab --- /dev/null +++ b/queue-5.4/wifi-rtlwifi-rtl8192ce-using-calculate_bit_shift.patch @@ -0,0 +1,68 @@ +From c3317a72438a57c057fa3ec181fbc54e31484610 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:34 +0800 +Subject: wifi: rtlwifi: rtl8192ce: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit 3d03e8231031bcc65a48cd88ef9c71b6524ce70b ] + +Using calculate_bit_shift() to replace _rtl92c_phy_calculate_bit_shift(). +And fix the undefined bitwise shift behavior problem. + +Fixes: 0c8173385e54 ("rtl8192ce: Add new driver") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-7-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c | 6 +++--- + drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h | 1 - + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c +index f6574f31fa3b..e17d97550dbd 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c +@@ -39,7 +39,7 @@ u32 rtl92c_phy_query_rf_reg(struct ieee80211_hw *hw, + rfpath, regaddr); + } + +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + + spin_unlock(&rtlpriv->locks.rf_lock); +@@ -110,7 +110,7 @@ void rtl92ce_phy_set_rf_reg(struct ieee80211_hw *hw, + original_value = _rtl92c_phy_rf_serial_read(hw, + rfpath, + regaddr); +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +@@ -122,7 +122,7 @@ void rtl92ce_phy_set_rf_reg(struct ieee80211_hw *hw, + original_value = _rtl92c_phy_fw_rf_serial_read(hw, + rfpath, + regaddr); +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h +index 7582a162bd11..c7a0d4c776f0 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h +@@ -94,7 +94,6 @@ u32 _rtl92c_phy_rf_serial_read(struct ieee80211_hw *hw, enum radio_path rfpath, + u32 offset); + u32 _rtl92c_phy_fw_rf_serial_read(struct ieee80211_hw *hw, + enum radio_path rfpath, u32 offset); +-u32 _rtl92c_phy_calculate_bit_shift(u32 bitmask); + void _rtl92c_phy_rf_serial_write(struct ieee80211_hw *hw, + enum radio_path rfpath, u32 offset, u32 data); + void _rtl92c_phy_fw_rf_serial_write(struct ieee80211_hw *hw, +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtlwifi-rtl8192cu-using-calculate_bit_shift.patch b/queue-5.4/wifi-rtlwifi-rtl8192cu-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..ca76653dc90 --- /dev/null +++ b/queue-5.4/wifi-rtlwifi-rtl8192cu-using-calculate_bit_shift.patch @@ -0,0 +1,55 @@ +From 1821fb8e68836c54b0c7d281505acc8a0bfb8416 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:33 +0800 +Subject: wifi: rtlwifi: rtl8192cu: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit f4088c8fcbabadad9dd17d17ae9ba24e9e3221ec ] + +Using calculate_bit_shift() to replace _rtl92c_phy_calculate_bit_shift(). +And fix an undefined bitwise shift behavior problem. + +Fixes: f0a39ae738d6 ("rtlwifi: rtl8192cu: Add routine phy") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-6-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c +index 9cd028cb2239..4043a2c59cd4 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c +@@ -32,7 +32,7 @@ u32 rtl92cu_phy_query_rf_reg(struct ieee80211_hw *hw, + original_value = _rtl92c_phy_fw_rf_serial_read(hw, + rfpath, regaddr); + } +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, + "regaddr(%#x), rfpath(%#x), bitmask(%#x), original_value(%#x)\n", +@@ -56,7 +56,7 @@ void rtl92cu_phy_set_rf_reg(struct ieee80211_hw *hw, + original_value = _rtl92c_phy_rf_serial_read(hw, + rfpath, + regaddr); +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +@@ -67,7 +67,7 @@ void rtl92cu_phy_set_rf_reg(struct ieee80211_hw *hw, + original_value = _rtl92c_phy_fw_rf_serial_read(hw, + rfpath, + regaddr); +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtlwifi-rtl8192de-using-calculate_bit_shift.patch b/queue-5.4/wifi-rtlwifi-rtl8192de-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..699e14e2d07 --- /dev/null +++ b/queue-5.4/wifi-rtlwifi-rtl8192de-using-calculate_bit_shift.patch @@ -0,0 +1,78 @@ +From 04a4f4181333a3dce6b8978a3cf1defc8c02bc76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:35 +0800 +Subject: wifi: rtlwifi: rtl8192de: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit b8b2baad2e652042cf8b6339939ac2f4e6f53de4 ] + +Using calculate_bit_shift() to replace _rtl92d_phy_calculate_bit_shift(). +And fix the undefined bitwise shift behavior problem. + +Fixes: 7274a8c22980 ("rtlwifi: rtl8192de: Merge phy routines") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-8-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +index 7ba2aeaf071f..fb9355b2f6be 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +@@ -169,13 +169,6 @@ static const u8 channel_all[59] = { + 157, 159, 161, 163, 165 + }; + +-static u32 _rtl92d_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i = ffs(bitmask); +- +- return i ? i - 1 : 32; +-} +- + u32 rtl92d_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); +@@ -198,7 +191,7 @@ u32 rtl92d_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + } else { + originalvalue = rtl_read_dword(rtlpriv, regaddr); + } +- bitshift = _rtl92d_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + returnvalue = (originalvalue & bitmask) >> bitshift; + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, + "BBR MASK=0x%x Addr[0x%x]=0x%x\n", +@@ -230,7 +223,7 @@ void rtl92d_phy_set_bb_reg(struct ieee80211_hw *hw, + dbi_direct); + else + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92d_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((originalvalue & (~bitmask)) | (data << bitshift)); + } + if (rtlhal->during_mac1init_radioa || rtlhal->during_mac0init_radiob) +@@ -318,7 +311,7 @@ u32 rtl92d_phy_query_rf_reg(struct ieee80211_hw *hw, + regaddr, rfpath, bitmask); + spin_lock_irqsave(&rtlpriv->locks.rf_lock, flags); + original_value = _rtl92d_phy_rf_serial_read(hw, rfpath, regaddr); +- bitshift = _rtl92d_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + spin_unlock_irqrestore(&rtlpriv->locks.rf_lock, flags); + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, +@@ -345,7 +338,7 @@ void rtl92d_phy_set_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath, + if (bitmask != RFREG_OFFSET_MASK) { + original_value = _rtl92d_phy_rf_serial_read(hw, + rfpath, regaddr); +- bitshift = _rtl92d_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((original_value & (~bitmask)) | + (data << bitshift)); + } +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtlwifi-rtl8192ee-using-calculate_bit_shift.patch b/queue-5.4/wifi-rtlwifi-rtl8192ee-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..93c07aec4dc --- /dev/null +++ b/queue-5.4/wifi-rtlwifi-rtl8192ee-using-calculate_bit_shift.patch @@ -0,0 +1,86 @@ +From f30c136a643da0ebe961435e0894756c84bddcf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:36 +0800 +Subject: wifi: rtlwifi: rtl8192ee: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit 63526897fc0d086069bcab67c3a112caaec751cb ] + +Using calculate_bit_shift() to replace _rtl92ee_phy_calculate_bit_shift(). +And fix the undefined bitwise shift behavior problem. + +Fixes: b1a3bfc97cd9 ("rtlwifi: rtl8192ee: Move driver from staging to the regular tree") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-9-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtlwifi/rtl8192ee/phy.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c +index 420f4984bfb9..6fd422fc822d 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c +@@ -16,7 +16,6 @@ static u32 _rtl92ee_phy_rf_serial_read(struct ieee80211_hw *hw, + static void _rtl92ee_phy_rf_serial_write(struct ieee80211_hw *hw, + enum radio_path rfpath, u32 offset, + u32 data); +-static u32 _rtl92ee_phy_calculate_bit_shift(u32 bitmask); + static bool _rtl92ee_phy_bb8192ee_config_parafile(struct ieee80211_hw *hw); + static bool _rtl92ee_phy_config_mac_with_headerfile(struct ieee80211_hw *hw); + static bool phy_config_bb_with_hdr_file(struct ieee80211_hw *hw, +@@ -46,7 +45,7 @@ u32 rtl92ee_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, + "regaddr(%#x), bitmask(%#x)\n", regaddr, bitmask); + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92ee_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + returnvalue = (originalvalue & bitmask) >> bitshift; + + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, +@@ -68,7 +67,7 @@ void rtl92ee_phy_set_bb_reg(struct ieee80211_hw *hw, u32 regaddr, + + if (bitmask != MASKDWORD) { + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92ee_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((originalvalue & (~bitmask)) | (data << bitshift)); + } + +@@ -93,7 +92,7 @@ u32 rtl92ee_phy_query_rf_reg(struct ieee80211_hw *hw, + spin_lock_irqsave(&rtlpriv->locks.rf_lock, flags); + + original_value = _rtl92ee_phy_rf_serial_read(hw , rfpath, regaddr); +- bitshift = _rtl92ee_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + + spin_unlock_irqrestore(&rtlpriv->locks.rf_lock, flags); +@@ -121,7 +120,7 @@ void rtl92ee_phy_set_rf_reg(struct ieee80211_hw *hw, + + if (bitmask != RFREG_OFFSET_MASK) { + original_value = _rtl92ee_phy_rf_serial_read(hw, rfpath, addr); +- bitshift = _rtl92ee_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = (original_value & (~bitmask)) | (data << bitshift); + } + +@@ -204,13 +203,6 @@ static void _rtl92ee_phy_rf_serial_write(struct ieee80211_hw *hw, + pphyreg->rf3wire_offset, data_and_addr); + } + +-static u32 _rtl92ee_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i = ffs(bitmask); +- +- return i ? i - 1 : 32; +-} +- + bool rtl92ee_phy_mac_config(struct ieee80211_hw *hw) + { + return _rtl92ee_phy_config_mac_with_headerfile(hw); +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtlwifi-rtl8192se-using-calculate_bit_shift.patch b/queue-5.4/wifi-rtlwifi-rtl8192se-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..62cb2c1ea32 --- /dev/null +++ b/queue-5.4/wifi-rtlwifi-rtl8192se-using-calculate_bit_shift.patch @@ -0,0 +1,78 @@ +From 369638ad33e0400148670ed3cf4b2eef8b084581 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:37 +0800 +Subject: wifi: rtlwifi: rtl8192se: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit ac32b9317063b101a8ff3d3e885f76f87a280419 ] + +Using calculate_bit_shift() to replace _rtl92s_phy_calculate_bit_shift(). +And fix the undefined bitwise shift behavior problem. + +Fixes: d15853163bea ("rtlwifi: rtl8192se: Merge phy routines") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-10-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtlwifi/rtl8192se/phy.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c +index 9696fa3a08d9..f377531bc2bd 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c +@@ -14,13 +14,6 @@ + #include "hw.h" + #include "table.h" + +-static u32 _rtl92s_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i = ffs(bitmask); +- +- return i ? i - 1 : 32; +-} +- + u32 rtl92s_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); +@@ -30,7 +23,7 @@ u32 rtl92s_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + regaddr, bitmask); + + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92s_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + returnvalue = (originalvalue & bitmask) >> bitshift; + + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, "BBR MASK=0x%x Addr[0x%x]=0x%x\n", +@@ -52,7 +45,7 @@ void rtl92s_phy_set_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask, + + if (bitmask != MASKDWORD) { + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92s_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((originalvalue & (~bitmask)) | (data << bitshift)); + } + +@@ -160,7 +153,7 @@ u32 rtl92s_phy_query_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath, + + original_value = _rtl92s_phy_rf_serial_read(hw, rfpath, regaddr); + +- bitshift = _rtl92s_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + + spin_unlock(&rtlpriv->locks.rf_lock); +@@ -191,7 +184,7 @@ void rtl92s_phy_set_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath, + if (bitmask != RFREG_OFFSET_MASK) { + original_value = _rtl92s_phy_rf_serial_read(hw, rfpath, + regaddr); +- bitshift = _rtl92s_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((original_value & (~bitmask)) | (data << bitshift)); + } + +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtlwifi-rtl8821ae-phy-fix-an-undefined-bitwise-.patch b/queue-5.4/wifi-rtlwifi-rtl8821ae-phy-fix-an-undefined-bitwise-.patch new file mode 100644 index 00000000000..45e0a7ba19a --- /dev/null +++ b/queue-5.4/wifi-rtlwifi-rtl8821ae-phy-fix-an-undefined-bitwise-.patch @@ -0,0 +1,59 @@ +From 1c5e35f53305040f307b75b6a4866b8366f2f745 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 09:35:13 +0800 +Subject: wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift + behavior + +From: Su Hui + +[ Upstream commit bc8263083af60e7e57c6120edbc1f75d6c909a35 ] + +Clang static checker warns: + +drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c:184:49: + The result of the left shift is undefined due to shifting by '32', + which is greater or equal to the width of type 'u32'. + [core.UndefinedBinaryOperatorResult] + +If the value of the right operand is negative or is greater than or +equal to the width of the promoted left operand, the behavior is +undefined.[1][2] + +For example, when using different gcc's compilation optimization options +(-O0 or -O2), the result of '(u32)data << 32' is different. One is 0, the +other is old value of data. Let _rtl8821ae_phy_calculate_bit_shift()'s +return value less than 32 to fix this problem. Warn if bitmask is zero. + +[1] https://stackoverflow.com/questions/11270492/what-does-the-c-standard-say-about-bitshifting-more-bits-than-the-width-of-type +[2] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf + +Fixes: 21e4b0726dc6 ("rtlwifi: rtl8821ae: Move driver from staging to regular tree") +Signed-off-by: Su Hui +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231127013511.26694-2-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +index 11f31d006280..6a5d9d1b2947 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +@@ -29,9 +29,10 @@ static void _rtl8821ae_phy_rf_serial_write(struct ieee80211_hw *hw, + u32 data); + static u32 _rtl8821ae_phy_calculate_bit_shift(u32 bitmask) + { +- u32 i = ffs(bitmask); ++ if (WARN_ON_ONCE(!bitmask)) ++ return 0; + +- return i ? i - 1 : 32; ++ return __ffs(bitmask); + } + static bool _rtl8821ae_phy_bb8821a_config_parafile(struct ieee80211_hw *hw); + /*static bool _rtl8812ae_phy_config_mac_with_headerfile(struct ieee80211_hw *hw);*/ +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtw88-fix-rx-filter-in-fif_allmulti-flag.patch b/queue-5.4/wifi-rtw88-fix-rx-filter-in-fif_allmulti-flag.patch new file mode 100644 index 00000000000..f0a1b657418 --- /dev/null +++ b/queue-5.4/wifi-rtw88-fix-rx-filter-in-fif_allmulti-flag.patch @@ -0,0 +1,42 @@ +From fbf0577b50ace21fa6e8094042b367aa7117595b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 10:08:51 +0800 +Subject: wifi: rtw88: fix RX filter in FIF_ALLMULTI flag + +From: Chih-Kang Chang + +[ Upstream commit 53ee0b3b99edc6a47096bffef15695f5a895386f ] + +The broadcast packets will be filtered in the FIF_ALLMULTI flag in +the original code, which causes beacon packets to be filtered out +and disconnection. Therefore, we fix it. + +Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver") +Signed-off-by: Chih-Kang Chang +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231103020851.102238-1-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/mac80211.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/mac80211.c b/drivers/net/wireless/realtek/rtw88/mac80211.c +index e5e3605bb693..efcfeccee15f 100644 +--- a/drivers/net/wireless/realtek/rtw88/mac80211.c ++++ b/drivers/net/wireless/realtek/rtw88/mac80211.c +@@ -206,9 +206,9 @@ static void rtw_ops_configure_filter(struct ieee80211_hw *hw, + + if (changed_flags & FIF_ALLMULTI) { + if (*new_flags & FIF_ALLMULTI) +- rtwdev->hal.rcr |= BIT_AM | BIT_AB; ++ rtwdev->hal.rcr |= BIT_AM; + else +- rtwdev->hal.rcr &= ~(BIT_AM | BIT_AB); ++ rtwdev->hal.rcr &= ~(BIT_AM); + } + if (changed_flags & FIF_FCSFAIL) { + if (*new_flags & FIF_FCSFAIL) +-- +2.43.0 + diff --git a/queue-5.4/x86-lib-fix-overflow-when-counting-digits.patch b/queue-5.4/x86-lib-fix-overflow-when-counting-digits.patch new file mode 100644 index 00000000000..e5479037b3c --- /dev/null +++ b/queue-5.4/x86-lib-fix-overflow-when-counting-digits.patch @@ -0,0 +1,66 @@ +From 18c6c92e8b595d0a60234efdcd8a0d6ea6b16bc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Nov 2023 17:49:01 +0000 +Subject: x86/lib: Fix overflow when counting digits + +From: Colin Ian King + +[ Upstream commit a24d61c609813963aacc9f6ec8343f4fcaac7243 ] + +tl;dr: The num_digits() function has a theoretical overflow issue. +But it doesn't affect any actual in-tree users. Fix it by using +a larger type for one of the local variables. + +Long version: + +There is an overflow in variable m in function num_digits when val +is >= 1410065408 which leads to the digit calculation loop to +iterate more times than required. This results in either more +digits being counted or in some cases (for example where val is +1932683193) the value of m eventually overflows to zero and the +while loop spins forever). + +Currently the function num_digits is currently only being used for +small values of val in the SMP boot stage for digit counting on the +number of cpus and NUMA nodes, so the overflow is never encountered. +However it is useful to fix the overflow issue in case the function +is used for other purposes in the future. (The issue was discovered +while investigating the digit counting performance in various +kernel helper functions rather than any real-world use-case). + +The simplest fix is to make m a long long, the overhead in +multiplication speed for a long long is very minor for small values +of val less than 10000 on modern processors. The alternative +fix is to replace the multiplication with a constant division +by 10 loop (this compiles down to an multiplication and shift) +without needing to make m a long long, but this is slightly slower +than the fix in this commit when measured on a range of x86 +processors). + +[ dhansen: subject and changelog tweaks ] + +Fixes: 646e29a1789a ("x86: Improve the printout of the SMP bootup CPU table") +Signed-off-by: Colin Ian King +Signed-off-by: Dave Hansen +Link: https://lore.kernel.org/all/20231102174901.2590325-1-colin.i.king%40gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/lib/misc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/lib/misc.c b/arch/x86/lib/misc.c +index a018ec4fba53..c97be9a1430a 100644 +--- a/arch/x86/lib/misc.c ++++ b/arch/x86/lib/misc.c +@@ -6,7 +6,7 @@ + */ + int num_digits(int val) + { +- int m = 10; ++ long long m = 10; + int d = 1; + + if (val < 0) { +-- +2.43.0 +