From: Sasha Levin Date: Sun, 21 Jan 2024 00:19:19 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v4.19.306~127 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c95728c3dc408c018d93c6b28b106658ae71399e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/acpi-lpit-avoid-u32-multiplication-overflow.patch b/queue-4.19/acpi-lpit-avoid-u32-multiplication-overflow.patch new file mode 100644 index 00000000000..6ad37db5a90 --- /dev/null +++ b/queue-4.19/acpi-lpit-avoid-u32-multiplication-overflow.patch @@ -0,0 +1,40 @@ +From 26a9e673a9661ac7b68288f202a75e65bac8ccb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Nov 2023 21:08:59 +0300 +Subject: ACPI: LPIT: Avoid u32 multiplication overflow + +From: Nikita Kiryushin + +[ Upstream commit 56d2eeda87995245300836ee4dbd13b002311782 ] + +In lpit_update_residency() there is a possibility of overflow +in multiplication, if tsc_khz is large enough (> UINT_MAX/1000). + +Change multiplication to mul_u32_u32(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: eeb2d80d502a ("ACPI / LPIT: Add Low Power Idle Table (LPIT) support") +Signed-off-by: Nikita Kiryushin +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_lpit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpi_lpit.c b/drivers/acpi/acpi_lpit.c +index e43cb71b6972..c39c56904c52 100644 +--- a/drivers/acpi/acpi_lpit.c ++++ b/drivers/acpi/acpi_lpit.c +@@ -106,7 +106,7 @@ static void lpit_update_residency(struct lpit_residency_info *info, + struct acpi_lpit_native *lpit_native) + { + info->frequency = lpit_native->counter_frequency ? +- lpit_native->counter_frequency : tsc_khz * 1000; ++ lpit_native->counter_frequency : mul_u32_u32(tsc_khz, 1000U); + if (!info->frequency) + info->frequency = 1; + +-- +2.43.0 + diff --git a/queue-4.19/acpi-video-check-for-error-while-searching-for-backl.patch b/queue-4.19/acpi-video-check-for-error-while-searching-for-backl.patch new file mode 100644 index 00000000000..afc5bf79fdb --- /dev/null +++ b/queue-4.19/acpi-video-check-for-error-while-searching-for-backl.patch @@ -0,0 +1,54 @@ +From eff6574446daac10ac928969a76a6ca82db98ed4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Nov 2023 16:49:25 +0300 +Subject: ACPI: video: check for error while searching for backlight device + parent + +From: Nikita Kiryushin + +[ Upstream commit ccd45faf4973746c4f30ea41eec864e5cf191099 ] + +If acpi_get_parent() called in acpi_video_dev_register_backlight() +fails, for example, because acpi_ut_acquire_mutex() fails inside +acpi_get_parent), this can lead to incorrect (uninitialized) +acpi_parent handle being passed to acpi_get_pci_dev() for detecting +the parent pci device. + +Check acpi_get_parent() result and set parent device only in case of success. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 9661e92c10a9 ("acpi: tie ACPI backlight devices to PCI devices if possible") +Signed-off-by: Nikita Kiryushin +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_video.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c +index eb7fca6f9444..c22297cce288 100644 +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -1797,12 +1797,12 @@ static void acpi_video_dev_register_backlight(struct acpi_video_device *device) + return; + count++; + +- acpi_get_parent(device->dev->handle, &acpi_parent); +- +- pdev = acpi_get_pci_dev(acpi_parent); +- if (pdev) { +- parent = &pdev->dev; +- pci_dev_put(pdev); ++ if (ACPI_SUCCESS(acpi_get_parent(device->dev->handle, &acpi_parent))) { ++ pdev = acpi_get_pci_dev(acpi_parent); ++ if (pdev) { ++ parent = &pdev->dev; ++ pci_dev_put(pdev); ++ } + } + + memset(&props, 0, sizeof(struct backlight_properties)); +-- +2.43.0 + diff --git a/queue-4.19/arm-dts-qcom-apq8064-correct-xoadc-register-address.patch b/queue-4.19/arm-dts-qcom-apq8064-correct-xoadc-register-address.patch new file mode 100644 index 00000000000..50cfaa743b3 --- /dev/null +++ b/queue-4.19/arm-dts-qcom-apq8064-correct-xoadc-register-address.patch @@ -0,0 +1,40 @@ +From bd0d071aef91df325afed213e28337c3c6b116a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 14:02:35 +0300 +Subject: ARM: dts: qcom: apq8064: correct XOADC register address + +From: Dmitry Baryshkov + +[ Upstream commit 554557542e709e190eff8a598f0cde02647d533a ] + +The XOADC is present at the address 0x197 rather than just 197. It +doesn't change a lot (since the driver hardcodes all register +addresses), but the DT should present correct address anyway. + +Fixes: c4b70883ee33 ("ARM: dts: add XOADC and IIO HWMON to APQ8064") +Reviewed-by: Konrad Dybcio +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20230928110309.1212221-3-dmitry.baryshkov@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-apq8064.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi +index 3b9d70eadeb9..38c4a0c80063 100644 +--- a/arch/arm/boot/dts/qcom-apq8064.dtsi ++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi +@@ -794,7 +794,7 @@ pwrkey@1c { + + xoadc: xoadc@197 { + compatible = "qcom,pm8921-adc"; +- reg = <197>; ++ reg = <0x197>; + interrupts-extended = <&pmicintc 78 IRQ_TYPE_EDGE_RISING>; + #address-cells = <2>; + #size-cells = <0>; +-- +2.43.0 + diff --git a/queue-4.19/asoc-cs35l33-fix-gpio-name-and-drop-legacy-include.patch b/queue-4.19/asoc-cs35l33-fix-gpio-name-and-drop-legacy-include.patch new file mode 100644 index 00000000000..3de425a3baf --- /dev/null +++ b/queue-4.19/asoc-cs35l33-fix-gpio-name-and-drop-legacy-include.patch @@ -0,0 +1,64 @@ +From 0f2d28f9d9a263c948cc452d48b619acb2c60a02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 14:20:31 +0100 +Subject: ASoC: cs35l33: Fix GPIO name and drop legacy include + +From: Linus Walleij + +[ Upstream commit 50678d339d670a92658e5538ebee30447c88ccb3 ] + +This driver includes the legacy GPIO APIs and + but does not use any symbols from any of +them. + +Drop the includes. + +Further the driver is requesting "reset-gpios" rather than +just "reset" from the GPIO framework. This is wrong because +the gpiolib core will add "-gpios" before processing the +request from e.g. device tree. Drop the suffix. + +The last problem means that the optional RESET GPIO has +never been properly retrieved and used even if it existed, +but nobody noticed. + +Fixes: 3333cb7187b9 ("ASoC: cs35l33: Initial commit of the cs35l33 CODEC driver.") +Acked-by: Charles Keepax +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20231201-descriptors-sound-cirrus-v2-2-ee9f9d4655eb@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs35l33.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/cs35l33.c b/sound/soc/codecs/cs35l33.c +index 73fa784646e5..8436df40bbda 100644 +--- a/sound/soc/codecs/cs35l33.c ++++ b/sound/soc/codecs/cs35l33.c +@@ -26,13 +26,11 @@ + #include + #include + #include +-#include + #include + #include + #include + #include + #include +-#include + #include + #include + #include +@@ -1171,7 +1169,7 @@ static int cs35l33_i2c_probe(struct i2c_client *i2c_client, + + /* We could issue !RST or skip it based on AMP topology */ + cs35l33->reset_gpio = devm_gpiod_get_optional(&i2c_client->dev, +- "reset-gpios", GPIOD_OUT_HIGH); ++ "reset", GPIOD_OUT_HIGH); + if (IS_ERR(cs35l33->reset_gpio)) { + dev_err(&i2c_client->dev, "%s ERROR: Can't get reset GPIO\n", + __func__); +-- +2.43.0 + diff --git a/queue-4.19/asoc-cs35l34-fix-gpio-name-and-drop-legacy-include.patch b/queue-4.19/asoc-cs35l34-fix-gpio-name-and-drop-legacy-include.patch new file mode 100644 index 00000000000..49c9f0baaba --- /dev/null +++ b/queue-4.19/asoc-cs35l34-fix-gpio-name-and-drop-legacy-include.patch @@ -0,0 +1,65 @@ +From 4c3866e5e97e2c7e13227c8ee4f19759c6d60adf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 14:20:32 +0100 +Subject: ASoC: cs35l34: Fix GPIO name and drop legacy include + +From: Linus Walleij + +[ Upstream commit a6122b0b4211d132934ef99e7b737910e6d54d2f ] + +This driver includes the legacy GPIO APIs and + but does not use any symbols from any of +them. + +Drop the includes. + +Further the driver is requesting "reset-gpios" rather than +just "reset" from the GPIO framework. This is wrong because +the gpiolib core will add "-gpios" before processing the +request from e.g. device tree. Drop the suffix. + +The last problem means that the optional RESET GPIO has +never been properly retrieved and used even if it existed, +but nobody noticed. + +Fixes: c1124c09e103 ("ASoC: cs35l34: Initial commit of the cs35l34 CODEC driver.") +Acked-by: Charles Keepax +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20231201-descriptors-sound-cirrus-v2-3-ee9f9d4655eb@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs35l34.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/cs35l34.c b/sound/soc/codecs/cs35l34.c +index 5063c05afa27..72c7c8426f3f 100644 +--- a/sound/soc/codecs/cs35l34.c ++++ b/sound/soc/codecs/cs35l34.c +@@ -24,14 +24,12 @@ + #include + #include + #include +-#include + #include + #include + #include + #include + #include + #include +-#include + #include + #include + #include +@@ -1062,7 +1060,7 @@ static int cs35l34_i2c_probe(struct i2c_client *i2c_client, + dev_err(&i2c_client->dev, "Failed to request IRQ: %d\n", ret); + + cs35l34->reset_gpio = devm_gpiod_get_optional(&i2c_client->dev, +- "reset-gpios", GPIOD_OUT_LOW); ++ "reset", GPIOD_OUT_LOW); + if (IS_ERR(cs35l34->reset_gpio)) + return PTR_ERR(cs35l34->reset_gpio); + +-- +2.43.0 + diff --git a/queue-4.19/blocklayoutdriver-fix-reference-leak-of-pnfs_device_.patch b/queue-4.19/blocklayoutdriver-fix-reference-leak-of-pnfs_device_.patch new file mode 100644 index 00000000000..03de1bb3a9d --- /dev/null +++ b/queue-4.19/blocklayoutdriver-fix-reference-leak-of-pnfs_device_.patch @@ -0,0 +1,37 @@ +From 3e3f36687f331a2989bfeeca510e01fdb0378725 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 10:05:01 -0500 +Subject: blocklayoutdriver: Fix reference leak of pnfs_device_node + +From: Benjamin Coddington + +[ Upstream commit 1530827b90025cdf80c9b0d07a166d045a0a7b81 ] + +The error path for blocklayout's device lookup is missing a reference drop +for the case where a lookup finds the device, but the device is marked with +NFS_DEVICEID_UNAVAILABLE. + +Fixes: b3dce6a2f060 ("pnfs/blocklayout: handle transient devices") +Signed-off-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/blocklayout.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c +index 06cb0c1d9aee..a2bca78b80ab 100644 +--- a/fs/nfs/blocklayout/blocklayout.c ++++ b/fs/nfs/blocklayout/blocklayout.c +@@ -604,6 +604,8 @@ bl_find_get_deviceid(struct nfs_server *server, + nfs4_delete_deviceid(node->ld, node->nfs_client, id); + goto retry; + } ++ ++ nfs4_put_deviceid_node(node); + return ERR_PTR(-ENODEV); + } + +-- +2.43.0 + diff --git a/queue-4.19/bluetooth-btmtkuart-fix-recv_buf-return-value.patch b/queue-4.19/bluetooth-btmtkuart-fix-recv_buf-return-value.patch new file mode 100644 index 00000000000..b918dc45215 --- /dev/null +++ b/queue-4.19/bluetooth-btmtkuart-fix-recv_buf-return-value.patch @@ -0,0 +1,68 @@ +From 4694478806b34e2d968faab5068b1392e6443605 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 17:40:19 +0100 +Subject: Bluetooth: btmtkuart: fix recv_buf() return value + +From: Francesco Dolcini + +[ Upstream commit 64057f051f20c2a2184b9db7f8037d928d68a4f4 ] + +Serdev recv_buf() callback is supposed to return the amount of bytes +consumed, therefore an int in between 0 and count. + +Do not return negative number in case of issue, just print an error and +return count. This fixes a WARN in ttyport_receive_buf(). + +Link: https://lore.kernel.org/all/087be419-ec6b-47ad-851a-5e1e3ea5cfcc@kernel.org/ +Fixes: 7237c4c9ec92 ("Bluetooth: mediatek: Add protocol support for MediaTek serial devices") +Signed-off-by: Francesco Dolcini +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmtkuart.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/bluetooth/btmtkuart.c b/drivers/bluetooth/btmtkuart.c +index 19eecf198321..cda13194b131 100644 +--- a/drivers/bluetooth/btmtkuart.c ++++ b/drivers/bluetooth/btmtkuart.c +@@ -317,7 +317,7 @@ mtk_stp_split(struct btmtkuart_dev *bdev, const unsigned char *data, int count, + return data; + } + +-static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count) ++static void btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count) + { + struct btmtkuart_dev *bdev = hci_get_drvdata(hdev); + const unsigned char *p_left = data, *p_h4; +@@ -356,25 +356,20 @@ static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count) + bt_dev_err(bdev->hdev, + "Frame reassembly failed (%d)", err); + bdev->rx_skb = NULL; +- return err; ++ return; + } + + sz_left -= sz_h4; + p_left += sz_h4; + } +- +- return 0; + } + + static int btmtkuart_receive_buf(struct serdev_device *serdev, const u8 *data, + size_t count) + { + struct btmtkuart_dev *bdev = serdev_device_get_drvdata(serdev); +- int err; + +- err = btmtkuart_recv(bdev->hdev, data, count); +- if (err < 0) +- return err; ++ btmtkuart_recv(bdev->hdev, data, count); + + bdev->hdev->stat.byte_rx += count; + +-- +2.43.0 + diff --git a/queue-4.19/bluetooth-fix-bogus-check-for-re-auth-no-supported-w.patch b/queue-4.19/bluetooth-fix-bogus-check-for-re-auth-no-supported-w.patch new file mode 100644 index 00000000000..9dbabf3f344 --- /dev/null +++ b/queue-4.19/bluetooth-fix-bogus-check-for-re-auth-no-supported-w.patch @@ -0,0 +1,88 @@ +From ebc650f5d7c2a2e2ac75c32ed0d2e065ca38d03a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 14:58:03 +0100 +Subject: Bluetooth: Fix bogus check for re-auth no supported with non-ssp + +From: Luiz Augusto von Dentz + +[ Upstream commit d03376c185926098cb4d668d6458801eb785c0a5 ] + +This reverts 19f8def031bfa50c579149b200bfeeb919727b27 +"Bluetooth: Fix auth_complete_evt for legacy units" which seems to be +working around a bug on a broken controller rather then any limitation +imposed by the Bluetooth spec, in fact if there ws not possible to +re-auth the command shall fail not succeed. + +Fixes: 19f8def031bf ("Bluetooth: Fix auth_complete_evt for legacy units") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 1 - + net/bluetooth/hci_conn.c | 8 +++----- + net/bluetooth/hci_event.c | 11 ++--------- + 3 files changed, 5 insertions(+), 15 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index d3503f8c054e..878e7e92d8ef 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -659,7 +659,6 @@ void hci_inquiry_cache_flush(struct hci_dev *hdev); + /* ----- HCI Connections ----- */ + enum { + HCI_CONN_AUTH_PEND, +- HCI_CONN_REAUTH_PEND, + HCI_CONN_ENCRYPT_PEND, + HCI_CONN_RSWITCH_PEND, + HCI_CONN_MODE_CHANGE_PEND, +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 0e837feaa527..b8730c5f1cac 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -1338,12 +1338,10 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type) + hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED, + sizeof(cp), &cp); + +- /* If we're already encrypted set the REAUTH_PEND flag, +- * otherwise set the ENCRYPT_PEND. ++ /* Set the ENCRYPT_PEND to trigger encryption after ++ * authentication. + */ +- if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) +- set_bit(HCI_CONN_REAUTH_PEND, &conn->flags); +- else ++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) + set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); + } + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 7ce6932d9ca6..9d01874e6b93 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2722,14 +2722,8 @@ static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) + + if (!ev->status) { + clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); +- +- if (!hci_conn_ssp_enabled(conn) && +- test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { +- bt_dev_info(hdev, "re-auth of legacy device is not possible."); +- } else { +- set_bit(HCI_CONN_AUTH, &conn->flags); +- conn->sec_level = conn->pending_sec_level; +- } ++ set_bit(HCI_CONN_AUTH, &conn->flags); ++ conn->sec_level = conn->pending_sec_level; + } else { + if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) + set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); +@@ -2738,7 +2732,6 @@ static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) + } + + clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); +- clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); + + if (conn->state == BT_CONFIG) { + if (!ev->status && hci_conn_ssp_enabled(conn)) { +-- +2.43.0 + diff --git a/queue-4.19/bpf-lpm-fix-check-prefixlen-before-walking-trie.patch b/queue-4.19/bpf-lpm-fix-check-prefixlen-before-walking-trie.patch new file mode 100644 index 00000000000..6381dcb16e8 --- /dev/null +++ b/queue-4.19/bpf-lpm-fix-check-prefixlen-before-walking-trie.patch @@ -0,0 +1,43 @@ +From 6a740518d24afc198ca65d22632deea277ca60a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Nov 2023 09:58:01 +0100 +Subject: bpf, lpm: Fix check prefixlen before walking trie + +From: Florian Lehner + +[ Upstream commit 9b75dbeb36fcd9fc7ed51d370310d0518a387769 ] + +When looking up an element in LPM trie, the condition 'matchlen == +trie->max_prefixlen' will never return true, if key->prefixlen is larger +than trie->max_prefixlen. Consequently all elements in the LPM trie will +be visited and no element is returned in the end. + +To resolve this, check key->prefixlen first before walking the LPM trie. + +Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation") +Signed-off-by: Florian Lehner +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20231105085801.3742-1-dev@der-flo.net +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/lpm_trie.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index 1a8b208f6c55..fcd3a15add41 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -194,6 +194,9 @@ static void *trie_lookup_elem(struct bpf_map *map, void *_key) + struct lpm_trie_node *node, *found = NULL; + struct bpf_lpm_trie_key *key = _key; + ++ if (key->prefixlen > trie->max_prefixlen) ++ return NULL; ++ + /* Start walking the trie from the root node ... */ + + for (node = rcu_dereference(trie->root); node;) { +-- +2.43.0 + diff --git a/queue-4.19/calipso-fix-memory-leak-in-netlbl_calipso_add_pass.patch b/queue-4.19/calipso-fix-memory-leak-in-netlbl_calipso_add_pass.patch new file mode 100644 index 00000000000..001a158c8a4 --- /dev/null +++ b/queue-4.19/calipso-fix-memory-leak-in-netlbl_calipso_add_pass.patch @@ -0,0 +1,138 @@ +From 8c34cfaa46d8efb9bcd648ab4371c1165e513f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 09:25:54 +0000 +Subject: calipso: fix memory leak in netlbl_calipso_add_pass() + +From: Gavrilov Ilia + +[ Upstream commit ec4e9d630a64df500641892f4e259e8149594a99 ] + +If IPv6 support is disabled at boot (ipv6.disable=1), +the calipso_init() -> netlbl_calipso_ops_register() function isn't called, +and the netlbl_calipso_ops_get() function always returns NULL. +In this case, the netlbl_calipso_add_pass() function allocates memory +for the doi_def variable but doesn't free it with the calipso_doi_free(). + +BUG: memory leak +unreferenced object 0xffff888011d68180 (size 64): + comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s) + hex dump (first 32 bytes): + 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<...>] kmalloc include/linux/slab.h:552 [inline] + [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline] + [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111 + [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 + [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 + [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515 + [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 + [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] + [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339 + [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934 + [<...>] sock_sendmsg_nosec net/socket.c:651 [inline] + [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671 + [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342 + [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396 + [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429 + [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with Syzkaller + +Fixes: cb72d38211ea ("netlabel: Initial support for the CALIPSO netlink protocol.") +Signed-off-by: Gavrilov Ilia +[PM: merged via the LSM tree at Jakub Kicinski request] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_calipso.c | 49 +++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 23 deletions(-) + +diff --git a/net/netlabel/netlabel_calipso.c b/net/netlabel/netlabel_calipso.c +index 5363e07dbf65..a0b7269cf190 100644 +--- a/net/netlabel/netlabel_calipso.c ++++ b/net/netlabel/netlabel_calipso.c +@@ -68,6 +68,28 @@ static const struct nla_policy calipso_genl_policy[NLBL_CALIPSO_A_MAX + 1] = { + [NLBL_CALIPSO_A_MTYPE] = { .type = NLA_U32 }, + }; + ++static const struct netlbl_calipso_ops *calipso_ops; ++ ++/** ++ * netlbl_calipso_ops_register - Register the CALIPSO operations ++ * @ops: ops to register ++ * ++ * Description: ++ * Register the CALIPSO packet engine operations. ++ * ++ */ ++const struct netlbl_calipso_ops * ++netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops) ++{ ++ return xchg(&calipso_ops, ops); ++} ++EXPORT_SYMBOL(netlbl_calipso_ops_register); ++ ++static const struct netlbl_calipso_ops *netlbl_calipso_ops_get(void) ++{ ++ return READ_ONCE(calipso_ops); ++} ++ + /* NetLabel Command Handlers + */ + /** +@@ -110,15 +132,18 @@ static int netlbl_calipso_add_pass(struct genl_info *info, + * + */ + static int netlbl_calipso_add(struct sk_buff *skb, struct genl_info *info) +- + { + int ret_val = -EINVAL; + struct netlbl_audit audit_info; ++ const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get(); + + if (!info->attrs[NLBL_CALIPSO_A_DOI] || + !info->attrs[NLBL_CALIPSO_A_MTYPE]) + return -EINVAL; + ++ if (!ops) ++ return -EOPNOTSUPP; ++ + netlbl_netlink_auditinfo(&audit_info); + switch (nla_get_u32(info->attrs[NLBL_CALIPSO_A_MTYPE])) { + case CALIPSO_MAP_PASS: +@@ -375,28 +400,6 @@ int __init netlbl_calipso_genl_init(void) + return genl_register_family(&netlbl_calipso_gnl_family); + } + +-static const struct netlbl_calipso_ops *calipso_ops; +- +-/** +- * netlbl_calipso_ops_register - Register the CALIPSO operations +- * @ops: ops to register +- * +- * Description: +- * Register the CALIPSO packet engine operations. +- * +- */ +-const struct netlbl_calipso_ops * +-netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops) +-{ +- return xchg(&calipso_ops, ops); +-} +-EXPORT_SYMBOL(netlbl_calipso_ops_register); +- +-static const struct netlbl_calipso_ops *netlbl_calipso_ops_get(void) +-{ +- return READ_ONCE(calipso_ops); +-} +- + /** + * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine + * @doi_def: the DOI structure +-- +2.43.0 + diff --git a/queue-4.19/crypto-af_alg-disallow-multiple-in-flight-aio-reques.patch b/queue-4.19/crypto-af_alg-disallow-multiple-in-flight-aio-reques.patch new file mode 100644 index 00000000000..e64b04f0ee0 --- /dev/null +++ b/queue-4.19/crypto-af_alg-disallow-multiple-in-flight-aio-reques.patch @@ -0,0 +1,85 @@ +From b0141b7d80f658bc7ddaba3d49db270f797cbf59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 16:25:49 +0800 +Subject: crypto: af_alg - Disallow multiple in-flight AIO requests + +From: Herbert Xu + +[ Upstream commit 67b164a871af1d736f131fd6fe78a610909f06f3 ] + +Having multiple in-flight AIO requests results in unpredictable +output because they all share the same IV. Fix this by only allowing +one request at a time. + +Fixes: 83094e5e9e49 ("crypto: af_alg - add async support to algif_aead") +Fixes: a596999b7ddf ("crypto: algif - change algif_skcipher to be asynchronous") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/af_alg.c | 14 +++++++++++++- + include/crypto/if_alg.h | 3 +++ + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index d0276a4ed987..914496b184a9 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -1032,9 +1032,13 @@ EXPORT_SYMBOL_GPL(af_alg_sendpage); + void af_alg_free_resources(struct af_alg_async_req *areq) + { + struct sock *sk = areq->sk; ++ struct af_alg_ctx *ctx; + + af_alg_free_areq_sgls(areq); + sock_kfree_s(sk, areq, areq->areqlen); ++ ++ ctx = alg_sk(sk)->private; ++ ctx->inflight = false; + } + EXPORT_SYMBOL_GPL(af_alg_free_resources); + +@@ -1098,11 +1102,19 @@ EXPORT_SYMBOL_GPL(af_alg_poll); + struct af_alg_async_req *af_alg_alloc_areq(struct sock *sk, + unsigned int areqlen) + { +- struct af_alg_async_req *areq = sock_kmalloc(sk, areqlen, GFP_KERNEL); ++ struct af_alg_ctx *ctx = alg_sk(sk)->private; ++ struct af_alg_async_req *areq; ++ ++ /* Only one AIO request can be in flight. */ ++ if (ctx->inflight) ++ return ERR_PTR(-EBUSY); + ++ areq = sock_kmalloc(sk, areqlen, GFP_KERNEL); + if (unlikely(!areq)) + return ERR_PTR(-ENOMEM); + ++ ctx->inflight = true; ++ + areq->areqlen = areqlen; + areq->sk = sk; + areq->last_rsgl = NULL; +diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h +index 11f107df78dc..2c1748dc6640 100644 +--- a/include/crypto/if_alg.h ++++ b/include/crypto/if_alg.h +@@ -141,6 +141,7 @@ struct af_alg_async_req { + * @enc: Cryptographic operation to be performed when + * recvmsg is invoked. + * @len: Length of memory allocated for this data structure. ++ * @inflight: Non-zero when AIO requests are in flight. + */ + struct af_alg_ctx { + struct list_head tsgl_list; +@@ -158,6 +159,8 @@ struct af_alg_ctx { + bool enc; + + unsigned int len; ++ ++ unsigned int inflight; + }; + + int af_alg_register_type(const struct af_alg_type *type); +-- +2.43.0 + diff --git a/queue-4.19/crypto-ccp-fix-memleak-in-ccp_init_dm_workarea.patch b/queue-4.19/crypto-ccp-fix-memleak-in-ccp_init_dm_workarea.patch new file mode 100644 index 00000000000..35a5cc91666 --- /dev/null +++ b/queue-4.19/crypto-ccp-fix-memleak-in-ccp_init_dm_workarea.patch @@ -0,0 +1,45 @@ +From ee7371c9b5dc042879ae6ee80de9fa87454b49e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 11:47:10 +0800 +Subject: crypto: ccp - fix memleak in ccp_init_dm_workarea + +From: Dinghao Liu + +[ Upstream commit a1c95dd5bc1d6a5d7a75a376c2107421b7d6240d ] + +When dma_map_single() fails, wa->address is supposed to be freed +by the callers of ccp_init_dm_workarea() through ccp_dm_free(). +However, many of the call spots don't expect to have to call +ccp_dm_free() on failure of ccp_init_dm_workarea(), which may +lead to a memleak. Let's free wa->address in ccp_init_dm_workarea() +when dma_map_single() fails. + +Fixes: 63b945091a07 ("crypto: ccp - CCP device driver and interface support") +Signed-off-by: Dinghao Liu +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/ccp-ops.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c +index 453d27d2a4ff..56c571370486 100644 +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -183,8 +183,11 @@ static int ccp_init_dm_workarea(struct ccp_dm_workarea *wa, + + wa->dma.address = dma_map_single(wa->dev, wa->address, len, + dir); +- if (dma_mapping_error(wa->dev, wa->dma.address)) ++ if (dma_mapping_error(wa->dev, wa->dma.address)) { ++ kfree(wa->address); ++ wa->address = NULL; + return -ENOMEM; ++ } + + wa->dma.length = len; + } +-- +2.43.0 + diff --git a/queue-4.19/crypto-sahara-do-not-resize-req-src-when-doing-hash-.patch b/queue-4.19/crypto-sahara-do-not-resize-req-src-when-doing-hash-.patch new file mode 100644 index 00000000000..9b7c2278fc0 --- /dev/null +++ b/queue-4.19/crypto-sahara-do-not-resize-req-src-when-doing-hash-.patch @@ -0,0 +1,99 @@ +From b7e300beae53cb07e50deb7f0b03b735c84fbeb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 10:21:36 +0200 +Subject: crypto: sahara - do not resize req->src when doing hash operations + +From: Ovidiu Panait + +[ Upstream commit a3c6f4f4d249cecaf2f34471aadbfb4f4ef57298 ] + +When testing sahara sha256 speed performance with tcrypt (mode=404) on +imx53-qsrb board, multiple "Invalid numbers of src SG." errors are +reported. This was traced to sahara_walk_and_recalc() resizing req->src +and causing the subsequent dma_map_sg() call to fail. + +Now that the previous commit fixed sahara_sha_hw_links_create() to take +into account the actual request size, rather than relying on sg->length +values, the resize operation is no longer necessary. + +Therefore, remove sahara_walk_and_recalc() and simplify associated logic. + +Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 38 ++------------------------------------ + 1 file changed, 2 insertions(+), 36 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index 79e0ad0f7d26..6979c30bbd11 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -906,24 +906,6 @@ static int sahara_sha_hw_context_descriptor_create(struct sahara_dev *dev, + return 0; + } + +-static int sahara_walk_and_recalc(struct scatterlist *sg, unsigned int nbytes) +-{ +- if (!sg || !sg->length) +- return nbytes; +- +- while (nbytes && sg) { +- if (nbytes <= sg->length) { +- sg->length = nbytes; +- sg_mark_end(sg); +- break; +- } +- nbytes -= sg->length; +- sg = sg_next(sg); +- } +- +- return nbytes; +-} +- + static int sahara_sha_prepare_request(struct ahash_request *req) + { + struct crypto_ahash *tfm = crypto_ahash_reqtfm(req); +@@ -960,36 +942,20 @@ static int sahara_sha_prepare_request(struct ahash_request *req) + hash_later, 0); + } + +- /* nbytes should now be multiple of blocksize */ +- req->nbytes = req->nbytes - hash_later; +- +- sahara_walk_and_recalc(req->src, req->nbytes); +- ++ rctx->total = len - hash_later; + /* have data from previous operation and current */ + if (rctx->buf_cnt && req->nbytes) { + sg_init_table(rctx->in_sg_chain, 2); + sg_set_buf(rctx->in_sg_chain, rctx->rembuf, rctx->buf_cnt); +- + sg_chain(rctx->in_sg_chain, 2, req->src); +- +- rctx->total = req->nbytes + rctx->buf_cnt; + rctx->in_sg = rctx->in_sg_chain; +- +- req->src = rctx->in_sg_chain; + /* only data from previous operation */ + } else if (rctx->buf_cnt) { +- if (req->src) +- rctx->in_sg = req->src; +- else +- rctx->in_sg = rctx->in_sg_chain; +- /* buf was copied into rembuf above */ ++ rctx->in_sg = rctx->in_sg_chain; + sg_init_one(rctx->in_sg, rctx->rembuf, rctx->buf_cnt); +- rctx->total = rctx->buf_cnt; + /* no data from previous operation */ + } else { + rctx->in_sg = req->src; +- rctx->total = req->nbytes; +- req->src = rctx->in_sg; + } + + /* on next call, we only have the remaining data in the buffer */ +-- +2.43.0 + diff --git a/queue-4.19/crypto-sahara-fix-ahash-reqsize.patch b/queue-4.19/crypto-sahara-fix-ahash-reqsize.patch new file mode 100644 index 00000000000..1c26f6f938d --- /dev/null +++ b/queue-4.19/crypto-sahara-fix-ahash-reqsize.patch @@ -0,0 +1,37 @@ +From 263e97ef710c249d43487a57bc5f7b0f0e312cb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 10:21:32 +0200 +Subject: crypto: sahara - fix ahash reqsize + +From: Ovidiu Panait + +[ Upstream commit efcb50f41740ac55e6ccc4986c1a7740e21c62b4 ] + +Set the reqsize for sha algorithms to sizeof(struct sahara_sha_reqctx), the +extra space is not needed. + +Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index 011789df3590..a9359b0ed045 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -1182,8 +1182,7 @@ static int sahara_sha_import(struct ahash_request *req, const void *in) + static int sahara_sha_cra_init(struct crypto_tfm *tfm) + { + crypto_ahash_set_reqsize(__crypto_ahash_cast(tfm), +- sizeof(struct sahara_sha_reqctx) + +- SHA_BUFFER_LEN + SHA256_BLOCK_SIZE); ++ sizeof(struct sahara_sha_reqctx)); + + return 0; + } +-- +2.43.0 + diff --git a/queue-4.19/crypto-sahara-fix-ahash-selftest-failure.patch b/queue-4.19/crypto-sahara-fix-ahash-selftest-failure.patch new file mode 100644 index 00000000000..3f3b331fcd1 --- /dev/null +++ b/queue-4.19/crypto-sahara-fix-ahash-selftest-failure.patch @@ -0,0 +1,41 @@ +From be9a2727de892739a7c0706125874a301d25e62f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 19:06:21 +0200 +Subject: crypto: sahara - fix ahash selftest failure + +From: Ovidiu Panait + +[ Upstream commit afffcf3db98b9495114b79d5381f8cc3f69476fb ] + +update() calls should not modify the result buffer, so add an additional +check for "rctx->last" to make sure that only the final hash value is +copied into the buffer. + +Fixes the following selftest failure: +alg: ahash: sahara-sha256 update() used result buffer on test vector 3, +cfg="init+update+final aligned buffer" + +Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index 5bd2c34a9ceb..5232e6a849cc 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -1035,7 +1035,7 @@ static int sahara_sha_process(struct ahash_request *req) + + memcpy(rctx->context, dev->context_base, rctx->context_size); + +- if (req->result) ++ if (req->result && rctx->last) + memcpy(req->result, rctx->context, rctx->digest_size); + + return 0; +-- +2.43.0 + diff --git a/queue-4.19/crypto-sahara-fix-error-handling-in-sahara_hw_descri.patch b/queue-4.19/crypto-sahara-fix-error-handling-in-sahara_hw_descri.patch new file mode 100644 index 00000000000..b2e5b25430b --- /dev/null +++ b/queue-4.19/crypto-sahara-fix-error-handling-in-sahara_hw_descri.patch @@ -0,0 +1,54 @@ +From 325b15d6a3af8d57313eadbb730fe95bc55c68b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 19:06:23 +0200 +Subject: crypto: sahara - fix error handling in sahara_hw_descriptor_create() + +From: Ovidiu Panait + +[ Upstream commit ee6e6f0a7f5b39d50a5ef5fcc006f4f693db18a7 ] + +Do not call dma_unmap_sg() for scatterlists that were not mapped +successfully. + +Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index ef0912b4d28c..011789df3590 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -484,13 +484,14 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev) + DMA_TO_DEVICE); + if (ret != dev->nb_in_sg) { + dev_err(dev->device, "couldn't map in sg\n"); +- goto unmap_in; ++ return -EINVAL; + } ++ + ret = dma_map_sg(dev->device, dev->out_sg, dev->nb_out_sg, + DMA_FROM_DEVICE); + if (ret != dev->nb_out_sg) { + dev_err(dev->device, "couldn't map out sg\n"); +- goto unmap_out; ++ goto unmap_in; + } + + /* Create input links */ +@@ -538,9 +539,6 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev) + + return 0; + +-unmap_out: +- dma_unmap_sg(dev->device, dev->out_sg, dev->nb_out_sg, +- DMA_FROM_DEVICE); + unmap_in: + dma_unmap_sg(dev->device, dev->in_sg, dev->nb_in_sg, + DMA_TO_DEVICE); +-- +2.43.0 + diff --git a/queue-4.19/crypto-sahara-fix-processing-hash-requests-with-req-.patch b/queue-4.19/crypto-sahara-fix-processing-hash-requests-with-req-.patch new file mode 100644 index 00000000000..88769d83b71 --- /dev/null +++ b/queue-4.19/crypto-sahara-fix-processing-hash-requests-with-req-.patch @@ -0,0 +1,56 @@ +From 53a573b0a2dd6a9b865ab47a4cc6d4ae48443c9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 10:21:35 +0200 +Subject: crypto: sahara - fix processing hash requests with req->nbytes < + sg->length + +From: Ovidiu Panait + +[ Upstream commit 7bafa74d1ba35dcc173e1ce915e983d65905f77e ] + +It's not always the case that the entire sg entry needs to be processed. +Currently, when nbytes is less than sg->length, "Descriptor length" errors +are encountered. + +To fix this, take the actual request size into account when populating the +hw links. + +Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index c69016faff6f..79e0ad0f7d26 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -796,6 +796,7 @@ static int sahara_sha_hw_links_create(struct sahara_dev *dev, + int start) + { + struct scatterlist *sg; ++ unsigned int len; + unsigned int i; + int ret; + +@@ -817,12 +818,14 @@ static int sahara_sha_hw_links_create(struct sahara_dev *dev, + if (!ret) + return -EFAULT; + ++ len = rctx->total; + for (i = start; i < dev->nb_in_sg + start; i++) { +- dev->hw_link[i]->len = sg->length; ++ dev->hw_link[i]->len = min(len, sg->length); + dev->hw_link[i]->p = sg->dma_address; + if (i == (dev->nb_in_sg + start - 1)) { + dev->hw_link[i]->next = 0; + } else { ++ len -= min(len, sg->length); + dev->hw_link[i]->next = dev->hw_phys_link[i + 1]; + sg = sg_next(sg); + } +-- +2.43.0 + diff --git a/queue-4.19/crypto-sahara-fix-processing-requests-with-cryptlen-.patch b/queue-4.19/crypto-sahara-fix-processing-requests-with-cryptlen-.patch new file mode 100644 index 00000000000..c12efe42e62 --- /dev/null +++ b/queue-4.19/crypto-sahara-fix-processing-requests-with-cryptlen-.patch @@ -0,0 +1,72 @@ +From eb6dc6b49f38d030829a9ed52aacacb1dba9f890 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 19:06:22 +0200 +Subject: crypto: sahara - fix processing requests with cryptlen < sg->length + +From: Ovidiu Panait + +[ Upstream commit 5b8668ce3452827d27f8c34ff6ba080a8f983ed0 ] + +It's not always the case that the entire sg entry needs to be processed. +Currently, when cryptlen is less than sg->legth, "Descriptor length" errors +are encountered. + +The error was noticed when testing xts(sahara-ecb-aes) with arbitrary sized +input data. To fix this, take the actual request size into account when +populating the hw links. + +Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index 5232e6a849cc..ef0912b4d28c 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -445,6 +445,7 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev) + int ret; + int i, j; + int idx = 0; ++ u32 len; + + memcpy(dev->key_base, ctx->key, ctx->keylen); + +@@ -495,12 +496,14 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev) + /* Create input links */ + dev->hw_desc[idx]->p1 = dev->hw_phys_link[0]; + sg = dev->in_sg; ++ len = dev->total; + for (i = 0; i < dev->nb_in_sg; i++) { +- dev->hw_link[i]->len = sg->length; ++ dev->hw_link[i]->len = min(len, sg->length); + dev->hw_link[i]->p = sg->dma_address; + if (i == (dev->nb_in_sg - 1)) { + dev->hw_link[i]->next = 0; + } else { ++ len -= min(len, sg->length); + dev->hw_link[i]->next = dev->hw_phys_link[i + 1]; + sg = sg_next(sg); + } +@@ -509,12 +512,14 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev) + /* Create output links */ + dev->hw_desc[idx]->p2 = dev->hw_phys_link[i]; + sg = dev->out_sg; ++ len = dev->total; + for (j = i; j < dev->nb_out_sg + i; j++) { +- dev->hw_link[j]->len = sg->length; ++ dev->hw_link[j]->len = min(len, sg->length); + dev->hw_link[j]->p = sg->dma_address; + if (j == (dev->nb_out_sg + i - 1)) { + dev->hw_link[j]->next = 0; + } else { ++ len -= min(len, sg->length); + dev->hw_link[j]->next = dev->hw_phys_link[j + 1]; + sg = sg_next(sg); + } +-- +2.43.0 + diff --git a/queue-4.19/crypto-sahara-fix-wait_for_completion_timeout-error-.patch b/queue-4.19/crypto-sahara-fix-wait_for_completion_timeout-error-.patch new file mode 100644 index 00000000000..b52073e4c8f --- /dev/null +++ b/queue-4.19/crypto-sahara-fix-wait_for_completion_timeout-error-.patch @@ -0,0 +1,70 @@ +From 0459a5bf73fba4b7faad93f29bc74c1179a82184 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 10:21:33 +0200 +Subject: crypto: sahara - fix wait_for_completion_timeout() error handling + +From: Ovidiu Panait + +[ Upstream commit 2dba8e1d1a7957dcbe7888846268538847b471d1 ] + +The sg lists are not unmapped in case of timeout errors. Fix this. + +Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") +Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index a9359b0ed045..96cb77abbabb 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -583,16 +583,17 @@ static int sahara_aes_process(struct ablkcipher_request *req) + + timeout = wait_for_completion_timeout(&dev->dma_completion, + msecs_to_jiffies(SAHARA_TIMEOUT_MS)); +- if (!timeout) { +- dev_err(dev->device, "AES timeout\n"); +- return -ETIMEDOUT; +- } + + dma_unmap_sg(dev->device, dev->out_sg, dev->nb_out_sg, + DMA_FROM_DEVICE); + dma_unmap_sg(dev->device, dev->in_sg, dev->nb_in_sg, + DMA_TO_DEVICE); + ++ if (!timeout) { ++ dev_err(dev->device, "AES timeout\n"); ++ return -ETIMEDOUT; ++ } ++ + return 0; + } + +@@ -1027,15 +1028,16 @@ static int sahara_sha_process(struct ahash_request *req) + + timeout = wait_for_completion_timeout(&dev->dma_completion, + msecs_to_jiffies(SAHARA_TIMEOUT_MS)); +- if (!timeout) { +- dev_err(dev->device, "SHA timeout\n"); +- return -ETIMEDOUT; +- } + + if (rctx->sg_in_idx) + dma_unmap_sg(dev->device, dev->in_sg, dev->nb_in_sg, + DMA_TO_DEVICE); + ++ if (!timeout) { ++ dev_err(dev->device, "SHA timeout\n"); ++ return -ETIMEDOUT; ++ } ++ + memcpy(rctx->context, dev->context_base, rctx->context_size); + + if (req->result && rctx->last) +-- +2.43.0 + diff --git a/queue-4.19/crypto-sahara-improve-error-handling-in-sahara_sha_p.patch b/queue-4.19/crypto-sahara-improve-error-handling-in-sahara_sha_p.patch new file mode 100644 index 00000000000..2bd35e62794 --- /dev/null +++ b/queue-4.19/crypto-sahara-improve-error-handling-in-sahara_sha_p.patch @@ -0,0 +1,51 @@ +From abcfafd6222cfb5fc01f75f39ef95c945ffa38dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 10:21:34 +0200 +Subject: crypto: sahara - improve error handling in sahara_sha_process() + +From: Ovidiu Panait + +[ Upstream commit 5deff027fca49a1eb3b20359333cf2ae562a2343 ] + +sahara_sha_hw_data_descriptor_create() returns negative error codes on +failure, so make sure the errors are correctly handled / propagated. + +Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index 96cb77abbabb..c69016faff6f 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -1007,7 +1007,10 @@ static int sahara_sha_process(struct ahash_request *req) + return ret; + + if (rctx->first) { +- sahara_sha_hw_data_descriptor_create(dev, rctx, req, 0); ++ ret = sahara_sha_hw_data_descriptor_create(dev, rctx, req, 0); ++ if (ret) ++ return ret; ++ + dev->hw_desc[0]->next = 0; + rctx->first = 0; + } else { +@@ -1015,7 +1018,10 @@ static int sahara_sha_process(struct ahash_request *req) + + sahara_sha_hw_context_descriptor_create(dev, rctx, req, 0); + dev->hw_desc[0]->next = dev->hw_phys_desc[1]; +- sahara_sha_hw_data_descriptor_create(dev, rctx, req, 1); ++ ret = sahara_sha_hw_data_descriptor_create(dev, rctx, req, 1); ++ if (ret) ++ return ret; ++ + dev->hw_desc[1]->next = 0; + } + +-- +2.43.0 + diff --git a/queue-4.19/crypto-sahara-remove-flags_new_key-logic.patch b/queue-4.19/crypto-sahara-remove-flags_new_key-logic.patch new file mode 100644 index 00000000000..9c27d439508 --- /dev/null +++ b/queue-4.19/crypto-sahara-remove-flags_new_key-logic.patch @@ -0,0 +1,105 @@ +From f96db74843a272286b625229e78c511a1b2aef97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 19:06:19 +0200 +Subject: crypto: sahara - remove FLAGS_NEW_KEY logic + +From: Ovidiu Panait + +[ Upstream commit 8fd183435728b139248a77978ea3732039341779 ] + +Remove the FLAGS_NEW_KEY logic as it has the following issues: +- the wrong key may end up being used when there are multiple data streams: + t1 t2 + setkey() + encrypt() + setkey() + encrypt() + + encrypt() <--- key from t2 is used +- switching between encryption and decryption with the same key is not + possible, as the hdr flags are only updated when a new setkey() is + performed + +With this change, the key is always sent along with the cryptdata when +performing encryption/decryption operations. + +Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 34 +++++++++++++--------------------- + 1 file changed, 13 insertions(+), 21 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index e7540a5b8197..5bd2c34a9ceb 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -46,7 +46,6 @@ + #define FLAGS_MODE_MASK 0x000f + #define FLAGS_ENCRYPT BIT(0) + #define FLAGS_CBC BIT(1) +-#define FLAGS_NEW_KEY BIT(3) + + #define SAHARA_HDR_BASE 0x00800000 + #define SAHARA_HDR_SKHA_ALG_AES 0 +@@ -144,8 +143,6 @@ struct sahara_hw_link { + }; + + struct sahara_ctx { +- unsigned long flags; +- + /* AES-specific context */ + int keylen; + u8 key[AES_KEYSIZE_128]; +@@ -449,26 +446,22 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev) + int i, j; + int idx = 0; + +- /* Copy new key if necessary */ +- if (ctx->flags & FLAGS_NEW_KEY) { +- memcpy(dev->key_base, ctx->key, ctx->keylen); +- ctx->flags &= ~FLAGS_NEW_KEY; ++ memcpy(dev->key_base, ctx->key, ctx->keylen); + +- if (dev->flags & FLAGS_CBC) { +- dev->hw_desc[idx]->len1 = AES_BLOCK_SIZE; +- dev->hw_desc[idx]->p1 = dev->iv_phys_base; +- } else { +- dev->hw_desc[idx]->len1 = 0; +- dev->hw_desc[idx]->p1 = 0; +- } +- dev->hw_desc[idx]->len2 = ctx->keylen; +- dev->hw_desc[idx]->p2 = dev->key_phys_base; +- dev->hw_desc[idx]->next = dev->hw_phys_desc[1]; ++ if (dev->flags & FLAGS_CBC) { ++ dev->hw_desc[idx]->len1 = AES_BLOCK_SIZE; ++ dev->hw_desc[idx]->p1 = dev->iv_phys_base; ++ } else { ++ dev->hw_desc[idx]->len1 = 0; ++ dev->hw_desc[idx]->p1 = 0; ++ } ++ dev->hw_desc[idx]->len2 = ctx->keylen; ++ dev->hw_desc[idx]->p2 = dev->key_phys_base; ++ dev->hw_desc[idx]->next = dev->hw_phys_desc[1]; ++ dev->hw_desc[idx]->hdr = sahara_aes_key_hdr(dev); + +- dev->hw_desc[idx]->hdr = sahara_aes_key_hdr(dev); ++ idx++; + +- idx++; +- } + + dev->nb_in_sg = sg_nents_for_len(dev->in_sg, dev->total); + if (dev->nb_in_sg < 0) { +@@ -611,7 +604,6 @@ static int sahara_aes_setkey(struct crypto_ablkcipher *tfm, const u8 *key, + /* SAHARA only supports 128bit keys */ + if (keylen == AES_KEYSIZE_128) { + memcpy(ctx->key, key, keylen); +- ctx->flags |= FLAGS_NEW_KEY; + return 0; + } + +-- +2.43.0 + diff --git a/queue-4.19/crypto-scomp-fix-req-dst-buffer-overflow.patch b/queue-4.19/crypto-scomp-fix-req-dst-buffer-overflow.patch new file mode 100644 index 00000000000..0a222760766 --- /dev/null +++ b/queue-4.19/crypto-scomp-fix-req-dst-buffer-overflow.patch @@ -0,0 +1,57 @@ +From a41c374fb968deb6bc25aee64c4ce139f4a67366 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Dec 2023 09:35:23 +0000 +Subject: crypto: scomp - fix req->dst buffer overflow + +From: Chengming Zhou + +[ Upstream commit 744e1885922a9943458954cfea917b31064b4131 ] + +The req->dst buffer size should be checked before copying from the +scomp_scratch->dst to avoid req->dst buffer overflow problem. + +Fixes: 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface") +Reported-by: syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/0000000000000b05cd060d6b5511@google.com/ +Signed-off-by: Chengming Zhou +Reviewed-by: Barry Song +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/scompress.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/crypto/scompress.c b/crypto/scompress.c +index 3702f1648ea8..34174f55a6d6 100644 +--- a/crypto/scompress.c ++++ b/crypto/scompress.c +@@ -132,6 +132,7 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) + struct crypto_scomp *scomp = *tfm_ctx; + void **ctx = acomp_request_ctx(req); + struct scomp_scratch *scratch; ++ unsigned int dlen; + int ret; + + if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE) +@@ -143,6 +144,8 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) + if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE) + req->dlen = SCOMP_SCRATCH_SIZE; + ++ dlen = req->dlen; ++ + scratch = raw_cpu_ptr(&scomp_scratch); + spin_lock(&scratch->lock); + +@@ -160,6 +163,9 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) + ret = -ENOMEM; + goto out; + } ++ } else if (req->dlen > dlen) { ++ ret = -ENOSPC; ++ goto out; + } + scatterwalk_map_and_copy(scratch->dst, req->dst, 0, req->dlen, + 1); +-- +2.43.0 + diff --git a/queue-4.19/crypto-scompress-return-proper-error-code-for-alloca.patch b/queue-4.19/crypto-scompress-return-proper-error-code-for-alloca.patch new file mode 100644 index 00000000000..b1ad1b8bce3 --- /dev/null +++ b/queue-4.19/crypto-scompress-return-proper-error-code-for-alloca.patch @@ -0,0 +1,43 @@ +From c559624a3f436b1ab6a3939fb74ec68a14c33610 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2019 14:09:55 +0100 +Subject: crypto: scompress - return proper error code for allocation failure + +From: Sebastian Andrzej Siewior + +[ Upstream commit 6a4d1b18ef00a7b182740b7b4d8a0fcd317368f8 ] + +If scomp_acomp_comp_decomp() fails to allocate memory for the +destination then we never copy back the data we compressed. +It is probably best to return an error code instead 0 in case of +failure. +I haven't found any user that is using acomp_request_set_params() +without the `dst' buffer so there is probably no harm. + +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Herbert Xu +Stable-dep-of: 744e1885922a ("crypto: scomp - fix req->dst buffer overflow") +Signed-off-by: Sasha Levin +--- + crypto/scompress.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/crypto/scompress.c b/crypto/scompress.c +index 968bbcf65c94..15641c96ff99 100644 +--- a/crypto/scompress.c ++++ b/crypto/scompress.c +@@ -174,8 +174,10 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) + if (!ret) { + if (!req->dst) { + req->dst = sgl_alloc(req->dlen, GFP_ATOMIC, NULL); +- if (!req->dst) ++ if (!req->dst) { ++ ret = -ENOMEM; + goto out; ++ } + } + scatterwalk_map_and_copy(scratch_dst, req->dst, 0, req->dlen, + 1); +-- +2.43.0 + diff --git a/queue-4.19/crypto-scompress-use-per-cpu-struct-instead-multiple.patch b/queue-4.19/crypto-scompress-use-per-cpu-struct-instead-multiple.patch new file mode 100644 index 00000000000..832c3fd6d4b --- /dev/null +++ b/queue-4.19/crypto-scompress-use-per-cpu-struct-instead-multiple.patch @@ -0,0 +1,239 @@ +From af67175aec67b7af42238066c2738e7e52340603 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2019 14:09:56 +0100 +Subject: crypto: scompress - Use per-CPU struct instead multiple variables + +From: Sebastian Andrzej Siewior + +[ Upstream commit 71052dcf4be70be4077817297dcde7b155e745f2 ] + +Two per-CPU variables are allocated as pointer to per-CPU memory which +then are used as scratch buffers. +We could be smart about this and use instead a per-CPU struct which +contains the pointers already and then we need to allocate just the +scratch buffers. +Add a lock to the struct. By doing so we can avoid the get_cpu() +statement and gain lockdep coverage (if enabled) to ensure that the lock +is always acquired in the right context. On non-preemptible kernels the +lock vanishes. +It is okay to use raw_cpu_ptr() in order to get a pointer to the struct +since it is protected by the spinlock. + +The diffstat of this is negative and according to size scompress.o: + text data bss dec hex filename + 1847 160 24 2031 7ef dbg_before.o + 1754 232 4 1990 7c6 dbg_after.o + 1799 64 24 1887 75f no_dbg-before.o + 1703 88 4 1795 703 no_dbg-after.o + +The overall size increase difference is also negative. The increase in +the data section is only four bytes without lockdep. + +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Herbert Xu +Stable-dep-of: 744e1885922a ("crypto: scomp - fix req->dst buffer overflow") +Signed-off-by: Sasha Levin +--- + crypto/scompress.c | 125 ++++++++++++++++++++------------------------- + 1 file changed, 54 insertions(+), 71 deletions(-) + +diff --git a/crypto/scompress.c b/crypto/scompress.c +index 15641c96ff99..3702f1648ea8 100644 +--- a/crypto/scompress.c ++++ b/crypto/scompress.c +@@ -29,9 +29,17 @@ + #include + #include "internal.h" + ++struct scomp_scratch { ++ spinlock_t lock; ++ void *src; ++ void *dst; ++}; ++ ++static DEFINE_PER_CPU(struct scomp_scratch, scomp_scratch) = { ++ .lock = __SPIN_LOCK_UNLOCKED(scomp_scratch.lock), ++}; ++ + static const struct crypto_type crypto_scomp_type; +-static void * __percpu *scomp_src_scratches; +-static void * __percpu *scomp_dst_scratches; + static int scomp_scratch_users; + static DEFINE_MUTEX(scomp_lock); + +@@ -65,76 +73,53 @@ static void crypto_scomp_show(struct seq_file *m, struct crypto_alg *alg) + seq_puts(m, "type : scomp\n"); + } + +-static void crypto_scomp_free_scratches(void * __percpu *scratches) ++static void crypto_scomp_free_scratches(void) + { ++ struct scomp_scratch *scratch; + int i; + +- if (!scratches) +- return; +- +- for_each_possible_cpu(i) +- vfree(*per_cpu_ptr(scratches, i)); ++ for_each_possible_cpu(i) { ++ scratch = raw_cpu_ptr(&scomp_scratch); + +- free_percpu(scratches); ++ vfree(scratch->src); ++ vfree(scratch->dst); ++ scratch->src = NULL; ++ scratch->dst = NULL; ++ } + } + +-static void * __percpu *crypto_scomp_alloc_scratches(void) ++static int crypto_scomp_alloc_scratches(void) + { +- void * __percpu *scratches; ++ struct scomp_scratch *scratch; + int i; + +- scratches = alloc_percpu(void *); +- if (!scratches) +- return NULL; +- + for_each_possible_cpu(i) { +- void *scratch; +- +- scratch = vmalloc_node(SCOMP_SCRATCH_SIZE, cpu_to_node(i)); +- if (!scratch) +- goto error; +- *per_cpu_ptr(scratches, i) = scratch; +- } +- +- return scratches; +- +-error: +- crypto_scomp_free_scratches(scratches); +- return NULL; +-} ++ void *mem; + +-static void crypto_scomp_free_all_scratches(void) +-{ +- if (!--scomp_scratch_users) { +- crypto_scomp_free_scratches(scomp_src_scratches); +- crypto_scomp_free_scratches(scomp_dst_scratches); +- scomp_src_scratches = NULL; +- scomp_dst_scratches = NULL; +- } +-} ++ scratch = raw_cpu_ptr(&scomp_scratch); + +-static int crypto_scomp_alloc_all_scratches(void) +-{ +- if (!scomp_scratch_users++) { +- scomp_src_scratches = crypto_scomp_alloc_scratches(); +- if (!scomp_src_scratches) +- return -ENOMEM; +- scomp_dst_scratches = crypto_scomp_alloc_scratches(); +- if (!scomp_dst_scratches) { +- crypto_scomp_free_scratches(scomp_src_scratches); +- scomp_src_scratches = NULL; +- return -ENOMEM; +- } ++ mem = vmalloc_node(SCOMP_SCRATCH_SIZE, cpu_to_node(i)); ++ if (!mem) ++ goto error; ++ scratch->src = mem; ++ mem = vmalloc_node(SCOMP_SCRATCH_SIZE, cpu_to_node(i)); ++ if (!mem) ++ goto error; ++ scratch->dst = mem; + } + return 0; ++error: ++ crypto_scomp_free_scratches(); ++ return -ENOMEM; + } + + static int crypto_scomp_init_tfm(struct crypto_tfm *tfm) + { +- int ret; ++ int ret = 0; + + mutex_lock(&scomp_lock); +- ret = crypto_scomp_alloc_all_scratches(); ++ if (!scomp_scratch_users++) ++ ret = crypto_scomp_alloc_scratches(); + mutex_unlock(&scomp_lock); + + return ret; +@@ -146,31 +131,28 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) + void **tfm_ctx = acomp_tfm_ctx(tfm); + struct crypto_scomp *scomp = *tfm_ctx; + void **ctx = acomp_request_ctx(req); +- const int cpu = get_cpu(); +- u8 *scratch_src = *per_cpu_ptr(scomp_src_scratches, cpu); +- u8 *scratch_dst = *per_cpu_ptr(scomp_dst_scratches, cpu); ++ struct scomp_scratch *scratch; + int ret; + +- if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE) { +- ret = -EINVAL; +- goto out; +- } ++ if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE) ++ return -EINVAL; + +- if (req->dst && !req->dlen) { +- ret = -EINVAL; +- goto out; +- } ++ if (req->dst && !req->dlen) ++ return -EINVAL; + + if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE) + req->dlen = SCOMP_SCRATCH_SIZE; + +- scatterwalk_map_and_copy(scratch_src, req->src, 0, req->slen, 0); ++ scratch = raw_cpu_ptr(&scomp_scratch); ++ spin_lock(&scratch->lock); ++ ++ scatterwalk_map_and_copy(scratch->src, req->src, 0, req->slen, 0); + if (dir) +- ret = crypto_scomp_compress(scomp, scratch_src, req->slen, +- scratch_dst, &req->dlen, *ctx); ++ ret = crypto_scomp_compress(scomp, scratch->src, req->slen, ++ scratch->dst, &req->dlen, *ctx); + else +- ret = crypto_scomp_decompress(scomp, scratch_src, req->slen, +- scratch_dst, &req->dlen, *ctx); ++ ret = crypto_scomp_decompress(scomp, scratch->src, req->slen, ++ scratch->dst, &req->dlen, *ctx); + if (!ret) { + if (!req->dst) { + req->dst = sgl_alloc(req->dlen, GFP_ATOMIC, NULL); +@@ -179,11 +161,11 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) + goto out; + } + } +- scatterwalk_map_and_copy(scratch_dst, req->dst, 0, req->dlen, ++ scatterwalk_map_and_copy(scratch->dst, req->dst, 0, req->dlen, + 1); + } + out: +- put_cpu(); ++ spin_unlock(&scratch->lock); + return ret; + } + +@@ -204,7 +186,8 @@ static void crypto_exit_scomp_ops_async(struct crypto_tfm *tfm) + crypto_free_scomp(*ctx); + + mutex_lock(&scomp_lock); +- crypto_scomp_free_all_scratches(); ++ if (!--scomp_scratch_users) ++ crypto_scomp_free_scratches(); + mutex_unlock(&scomp_lock); + } + +-- +2.43.0 + diff --git a/queue-4.19/crypto-virtio-handle-dataq-logic-with-tasklet.patch b/queue-4.19/crypto-virtio-handle-dataq-logic-with-tasklet.patch new file mode 100644 index 00000000000..91211b04c00 --- /dev/null +++ b/queue-4.19/crypto-virtio-handle-dataq-logic-with-tasklet.patch @@ -0,0 +1,99 @@ +From b9371a31c095fa9fc9bb151ec6b6dd713950d278 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 11:49:45 +0000 +Subject: crypto: virtio - Handle dataq logic with tasklet + +From: Gonglei (Arei) + +[ Upstream commit fed93fb62e05c38152b0fc1dc9609639e63eed76 ] + +Doing ipsec produces a spinlock recursion warning. +This is due to crypto_finalize_request() being called in the upper half. +Move virtual data queue processing of virtio-crypto driver to tasklet. + +Fixes: dbaf0624ffa57 ("crypto: add virtio-crypto driver") +Reported-by: Halil Pasic +Signed-off-by: wangyangxin +Signed-off-by: Gonglei +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/virtio/virtio_crypto_common.h | 2 ++ + drivers/crypto/virtio/virtio_crypto_core.c | 23 +++++++++++--------- + 2 files changed, 15 insertions(+), 10 deletions(-) + +diff --git a/drivers/crypto/virtio/virtio_crypto_common.h b/drivers/crypto/virtio/virtio_crypto_common.h +index 63ef7f7924ea..5b94c60ca461 100644 +--- a/drivers/crypto/virtio/virtio_crypto_common.h ++++ b/drivers/crypto/virtio/virtio_crypto_common.h +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -39,6 +40,7 @@ struct data_queue { + char name[32]; + + struct crypto_engine *engine; ++ struct tasklet_struct done_task; + }; + + struct virtio_crypto { +diff --git a/drivers/crypto/virtio/virtio_crypto_core.c b/drivers/crypto/virtio/virtio_crypto_core.c +index 3c9e120287af..c21770345f5f 100644 +--- a/drivers/crypto/virtio/virtio_crypto_core.c ++++ b/drivers/crypto/virtio/virtio_crypto_core.c +@@ -34,27 +34,28 @@ virtcrypto_clear_request(struct virtio_crypto_request *vc_req) + } + } + +-static void virtcrypto_dataq_callback(struct virtqueue *vq) ++static void virtcrypto_done_task(unsigned long data) + { +- struct virtio_crypto *vcrypto = vq->vdev->priv; ++ struct data_queue *data_vq = (struct data_queue *)data; ++ struct virtqueue *vq = data_vq->vq; + struct virtio_crypto_request *vc_req; +- unsigned long flags; + unsigned int len; +- unsigned int qid = vq->index; + +- spin_lock_irqsave(&vcrypto->data_vq[qid].lock, flags); + do { + virtqueue_disable_cb(vq); + while ((vc_req = virtqueue_get_buf(vq, &len)) != NULL) { +- spin_unlock_irqrestore( +- &vcrypto->data_vq[qid].lock, flags); + if (vc_req->alg_cb) + vc_req->alg_cb(vc_req, len); +- spin_lock_irqsave( +- &vcrypto->data_vq[qid].lock, flags); + } + } while (!virtqueue_enable_cb(vq)); +- spin_unlock_irqrestore(&vcrypto->data_vq[qid].lock, flags); ++} ++ ++static void virtcrypto_dataq_callback(struct virtqueue *vq) ++{ ++ struct virtio_crypto *vcrypto = vq->vdev->priv; ++ struct data_queue *dq = &vcrypto->data_vq[vq->index]; ++ ++ tasklet_schedule(&dq->done_task); + } + + static int virtcrypto_find_vqs(struct virtio_crypto *vi) +@@ -111,6 +112,8 @@ static int virtcrypto_find_vqs(struct virtio_crypto *vi) + ret = -ENOMEM; + goto err_engine; + } ++ tasklet_init(&vi->data_vq[i].done_task, virtcrypto_done_task, ++ (unsigned long)&vi->data_vq[i]); + } + + kfree(names); +-- +2.43.0 + diff --git a/queue-4.19/crypto-virtio-wait-for-tasklet-to-complete-on-device.patch b/queue-4.19/crypto-virtio-wait-for-tasklet-to-complete-on-device.patch new file mode 100644 index 00000000000..2701aa5a0da --- /dev/null +++ b/queue-4.19/crypto-virtio-wait-for-tasklet-to-complete-on-device.patch @@ -0,0 +1,42 @@ +From 465eec2d137040506ca2f3312fbd44abb4937645 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 19:42:15 +0800 +Subject: crypto: virtio - Wait for tasklet to complete on device remove + +From: wangyangxin + +[ Upstream commit 67cc511e8d436456cc98033e6d4ba83ebfc8e672 ] + +The scheduled tasklet needs to be executed on device remove. + +Fixes: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet") +Signed-off-by: wangyangxin +Signed-off-by: Gonglei +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/virtio/virtio_crypto_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/virtio/virtio_crypto_core.c b/drivers/crypto/virtio/virtio_crypto_core.c +index c21770345f5f..2515a141c67b 100644 +--- a/drivers/crypto/virtio/virtio_crypto_core.c ++++ b/drivers/crypto/virtio/virtio_crypto_core.c +@@ -446,11 +446,14 @@ static void virtcrypto_free_unused_reqs(struct virtio_crypto *vcrypto) + static void virtcrypto_remove(struct virtio_device *vdev) + { + struct virtio_crypto *vcrypto = vdev->priv; ++ int i; + + dev_info(&vdev->dev, "Start virtcrypto_remove.\n"); + + if (virtcrypto_dev_started(vcrypto)) + virtcrypto_dev_stop(vcrypto); ++ for (i = 0; i < vcrypto->max_data_queues; i++) ++ tasklet_kill(&vcrypto->data_vq[i].done_task); + vdev->config->reset(vdev); + virtcrypto_free_unused_reqs(vcrypto); + virtcrypto_clear_crypto_engines(vcrypto); +-- +2.43.0 + diff --git a/queue-4.19/dma-mapping-clear-dev-dma_mem-to-null-after-freeing-.patch b/queue-4.19/dma-mapping-clear-dev-dma_mem-to-null-after-freeing-.patch new file mode 100644 index 00000000000..2a930f0c68d --- /dev/null +++ b/queue-4.19/dma-mapping-clear-dev-dma_mem-to-null-after-freeing-.patch @@ -0,0 +1,44 @@ +From 06f5be69b93f9bd33ca27c10a7f7253b94dc8d49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 16:25:26 +0800 +Subject: dma-mapping: clear dev->dma_mem to NULL after freeing it + +From: Joakim Zhang + +[ Upstream commit b07bc2347672cc8c7293c64499f1488278c5ca3d ] + +Reproduced with below sequence: +dma_declare_coherent_memory()->dma_release_coherent_memory() +->dma_declare_coherent_memory()->"return -EBUSY" error + +It will return -EBUSY from the dma_assign_coherent_memory() +in dma_declare_coherent_memory(), the reason is that dev->dma_mem +pointer has not been set to NULL after it's freed. + +Fixes: cf65a0f6f6ff ("dma-mapping: move all DMA mapping code to kernel/dma") +Signed-off-by: Joakim Zhang +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/coherent.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/dma/coherent.c b/kernel/dma/coherent.c +index 597d40893862..4c7ffd094a57 100644 +--- a/kernel/dma/coherent.c ++++ b/kernel/dma/coherent.c +@@ -369,8 +369,10 @@ static int rmem_dma_device_init(struct reserved_mem *rmem, struct device *dev) + static void rmem_dma_device_release(struct reserved_mem *rmem, + struct device *dev) + { +- if (dev) ++ if (dev) { + dev->dma_mem = NULL; ++ dev->dma_mem = NULL; ++ } + } + + static const struct reserved_mem_ops rmem_dma_ops = { +-- +2.43.0 + diff --git a/queue-4.19/drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch b/queue-4.19/drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch new file mode 100644 index 00000000000..a6332047c74 --- /dev/null +++ b/queue-4.19/drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch @@ -0,0 +1,48 @@ +From 1f6b41ff19792d5a0eeb026f937f87b0ff802488 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 00:24:58 +0800 +Subject: drivers/amd/pm: fix a use-after-free in kv_parse_power_table + +From: Zhipeng Lu + +[ Upstream commit 28dd788382c43b330480f57cd34cde0840896743 ] + +When ps allocated by kzalloc equals to NULL, kv_parse_power_table +frees adev->pm.dpm.ps that allocated before. However, after the control +flow goes through the following call chains: + +kv_parse_power_table + |-> kv_dpm_init + |-> kv_dpm_sw_init + |-> kv_dpm_fini + +The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its +first free in kv_parse_power_table and causes a use-after-free bug. + +Fixes: a2e73f56fa62 ("drm/amdgpu: Add support for CIK parts") +Signed-off-by: Zhipeng Lu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c +index 91504eccc60c..91a1628cd48f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c ++++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c +@@ -2734,10 +2734,8 @@ static int kv_parse_power_table(struct amdgpu_device *adev) + non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) + &non_clock_info_array->nonClockInfo[non_clock_array_index]; + ps = kzalloc(sizeof(struct kv_ps), GFP_KERNEL); +- if (ps == NULL) { +- kfree(adev->pm.dpm.ps); ++ if (ps == NULL) + return -ENOMEM; +- } + adev->pm.dpm.ps[i].ps_priv = ps; + k = 0; + idx = (u8 *)&power_state->v2.clockInfoIndex[0]; +-- +2.43.0 + diff --git a/queue-4.19/drm-amd-pm-fix-a-double-free-in-si_dpm_init.patch b/queue-4.19/drm-amd-pm-fix-a-double-free-in-si_dpm_init.patch new file mode 100644 index 00000000000..b9b0a98df18 --- /dev/null +++ b/queue-4.19/drm-amd-pm-fix-a-double-free-in-si_dpm_init.patch @@ -0,0 +1,45 @@ +From 5efd8b05de9b2ccb266d1f0eb1d3d6a98a9b1543 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 23:24:11 +0800 +Subject: drm/amd/pm: fix a double-free in si_dpm_init + +From: Zhipeng Lu + +[ Upstream commit ac16667237a82e2597e329eb9bc520d1cf9dff30 ] + +When the allocation of +adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails, +amdgpu_free_extended_power_table is called to free some fields of adev. +However, when the control flow returns to si_dpm_sw_init, it goes to +label dpm_failed and calls si_dpm_fini, which calls +amdgpu_free_extended_power_table again and free those fields again. Thus +a double-free is triggered. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Signed-off-by: Zhipeng Lu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/si_dpm.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/si_dpm.c b/drivers/gpu/drm/amd/amdgpu/si_dpm.c +index 9f811051ceb0..40a2637045c5 100644 +--- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c ++++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c +@@ -7346,10 +7346,9 @@ static int si_dpm_init(struct amdgpu_device *adev) + kcalloc(4, + sizeof(struct amdgpu_clock_voltage_dependency_entry), + GFP_KERNEL); +- if (!adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries) { +- amdgpu_free_extended_power_table(adev); ++ if (!adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries) + return -ENOMEM; +- } ++ + adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.count = 4; + adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries[0].clk = 0; + adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries[0].v = 0; +-- +2.43.0 + diff --git a/queue-4.19/drm-amdgpu-debugfs-fix-error-code-when-smc-register-.patch b/queue-4.19/drm-amdgpu-debugfs-fix-error-code-when-smc-register-.patch new file mode 100644 index 00000000000..1bc0a1a6b54 --- /dev/null +++ b/queue-4.19/drm-amdgpu-debugfs-fix-error-code-when-smc-register-.patch @@ -0,0 +1,48 @@ +From 7d6dbc7478d4c8d33f4017e94a22da1f971c9285 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 17:26:29 -0500 +Subject: drm/amdgpu/debugfs: fix error code when smc register accessors are + NULL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit afe58346d5d3887b3e49ff623d2f2e471f232a8d ] + +Should be -EOPNOTSUPP. + +Fixes: 5104fdf50d32 ("drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL") +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +index 41a9cc9e0f9d..98bd8a23e5b0 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +@@ -392,7 +392,7 @@ static ssize_t amdgpu_debugfs_regs_smc_read(struct file *f, char __user *buf, + int r; + + if (!adev->smc_rreg) +- return -EPERM; ++ return -EOPNOTSUPP; + + if (size & 0x3 || *pos & 0x3) + return -EINVAL; +@@ -434,7 +434,7 @@ static ssize_t amdgpu_debugfs_regs_smc_write(struct file *f, const char __user * + int r; + + if (!adev->smc_wreg) +- return -EPERM; ++ return -EOPNOTSUPP; + + if (size & 0x3 || *pos & 0x3) + return -EINVAL; +-- +2.43.0 + diff --git a/queue-4.19/drm-bridge-fix-typo-in-post_disable-description.patch b/queue-4.19/drm-bridge-fix-typo-in-post_disable-description.patch new file mode 100644 index 00000000000..2fa3a2175a9 --- /dev/null +++ b/queue-4.19/drm-bridge-fix-typo-in-post_disable-description.patch @@ -0,0 +1,36 @@ +From 0b9659817fd9508e2f1c0e218115c6a294244739 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Nov 2023 10:42:30 +0100 +Subject: drm/bridge: Fix typo in post_disable() description + +From: Dario Binacchi + +[ Upstream commit 288b039db225676e0c520c981a1b5a2562d893a3 ] + +s/singals/signals/ + +Fixes: 199e4e967af4 ("drm: Extract drm_bridge.h") +Signed-off-by: Dario Binacchi +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20231124094253.658064-1-dario.binacchi@amarulasolutions.com +Signed-off-by: Sasha Levin +--- + include/drm/drm_bridge.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h +index bd850747ce54..6849e88cd75b 100644 +--- a/include/drm/drm_bridge.h ++++ b/include/drm/drm_bridge.h +@@ -162,7 +162,7 @@ struct drm_bridge_funcs { + * or &drm_encoder_helper_funcs.dpms hook. + * + * The bridge must assume that the display pipe (i.e. clocks and timing +- * singals) feeding it is no longer running when this callback is ++ * signals) feeding it is no longer running when this callback is + * called. + * + * The post_disable callback is optional. +-- +2.43.0 + diff --git a/queue-4.19/drm-drv-propagate-errors-from-drm_modeset_register_a.patch b/queue-4.19/drm-drv-propagate-errors-from-drm_modeset_register_a.patch new file mode 100644 index 00000000000..332bd6dec1b --- /dev/null +++ b/queue-4.19/drm-drv-propagate-errors-from-drm_modeset_register_a.patch @@ -0,0 +1,54 @@ +From e9d314b7a3918822588ff3d0c095fa4fb17d1c95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Dec 2023 01:55:52 +0300 +Subject: drm/drv: propagate errors from drm_modeset_register_all() + +From: Dmitry Baryshkov + +[ Upstream commit 5f8dec200923a76dc57187965fd59c1136f5d085 ] + +In case the drm_modeset_register_all() function fails, its error code +will be ignored. Instead make the drm_dev_register() bail out in case of +such an error. + +Fixes: 79190ea2658a ("drm: Add callbacks for late registering") +Reviewed-by: Neil Armstrong +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20231202225552.1283638-1-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_drv.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c +index d8ae4ca129c7..e0c54de615fd 100644 +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -818,8 +818,11 @@ int drm_dev_register(struct drm_device *dev, unsigned long flags) + goto err_minors; + } + +- if (drm_core_check_feature(dev, DRIVER_MODESET)) +- drm_modeset_register_all(dev); ++ if (drm_core_check_feature(dev, DRIVER_MODESET)) { ++ ret = drm_modeset_register_all(dev); ++ if (ret) ++ goto err_unload; ++ } + + ret = 0; + +@@ -831,6 +834,9 @@ int drm_dev_register(struct drm_device *dev, unsigned long flags) + + goto out_unlock; + ++err_unload: ++ if (dev->driver->unload) ++ dev->driver->unload(dev); + err_minors: + remove_compat_control_link(dev); + drm_minor_unregister(dev, DRM_MINOR_PRIMARY); +-- +2.43.0 + diff --git a/queue-4.19/drm-msm-mdp4-flush-vblank-event-on-disable.patch b/queue-4.19/drm-msm-mdp4-flush-vblank-event-on-disable.patch new file mode 100644 index 00000000000..d00a464d788 --- /dev/null +++ b/queue-4.19/drm-msm-mdp4-flush-vblank-event-on-disable.patch @@ -0,0 +1,53 @@ +From e06b7c5bc6bd85ea638c3f99651dd574d67b796c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 00:54:01 +0300 +Subject: drm/msm/mdp4: flush vblank event on disable + +From: Dmitry Baryshkov + +[ Upstream commit c6721b3c6423d8a348ae885a0f4c85e14f9bf85c ] + +Flush queued events when disabling the crtc. This avoids timeouts when +we come back and wait for dependencies (like the previous frame's +flip_done). + +Fixes: c8afe684c95c ("drm/msm: basic KMS driver for snapdragon") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/569127/ +Link: https://lore.kernel.org/r/20231127215401.4064128-1-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c b/drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c +index 457c29dba4a1..6d3074db8975 100644 +--- a/drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c ++++ b/drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c +@@ -284,6 +284,7 @@ static void mdp4_crtc_atomic_disable(struct drm_crtc *crtc, + { + struct mdp4_crtc *mdp4_crtc = to_mdp4_crtc(crtc); + struct mdp4_kms *mdp4_kms = get_kms(crtc); ++ unsigned long flags; + + DBG("%s", mdp4_crtc->name); + +@@ -296,6 +297,14 @@ static void mdp4_crtc_atomic_disable(struct drm_crtc *crtc, + mdp_irq_unregister(&mdp4_kms->base, &mdp4_crtc->err); + mdp4_disable(mdp4_kms); + ++ if (crtc->state->event && !crtc->state->active) { ++ WARN_ON(mdp4_crtc->event); ++ spin_lock_irqsave(&mdp4_kms->dev->event_lock, flags); ++ drm_crtc_send_vblank_event(crtc, crtc->state->event); ++ crtc->state->event = NULL; ++ spin_unlock_irqrestore(&mdp4_kms->dev->event_lock, flags); ++ } ++ + mdp4_crtc->enabled = false; + } + +-- +2.43.0 + diff --git a/queue-4.19/drm-radeon-check-return-value-of-radeon_ring_lock.patch b/queue-4.19/drm-radeon-check-return-value-of-radeon_ring_lock.patch new file mode 100644 index 00000000000..9e07e2d1816 --- /dev/null +++ b/queue-4.19/drm-radeon-check-return-value-of-radeon_ring_lock.patch @@ -0,0 +1,42 @@ +From 0cc34982ba7b0d3b3176de05bd2dfbcd1b11e453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 11:04:16 -0700 +Subject: drm/radeon: check return value of radeon_ring_lock() + +From: Nikita Zhandarovich + +[ Upstream commit 71225e1c930942cb1e042fc08c5cc0c4ef30e95e ] + +In the unlikely event of radeon_ring_lock() failing, its errno return +value should be processed. This patch checks said return value and +prints a debug message in case of an error. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 48c0c902e2e6 ("drm/radeon/kms: add support for CP setup on SI") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/si.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c +index 644ddd8d65ad..167dbcef0c38 100644 +--- a/drivers/gpu/drm/radeon/si.c ++++ b/drivers/gpu/drm/radeon/si.c +@@ -3612,6 +3612,10 @@ static int si_cp_start(struct radeon_device *rdev) + for (i = RADEON_RING_TYPE_GFX_INDEX; i <= CAYMAN_RING_TYPE_CP2_INDEX; ++i) { + ring = &rdev->ring[i]; + r = radeon_ring_lock(rdev, ring, 2); ++ if (r) { ++ DRM_ERROR("radeon: cp failed to lock ring (%d).\n", r); ++ return r; ++ } + + /* clear the compute context state */ + radeon_ring_write(ring, PACKET3_COMPUTE(PACKET3_CLEAR_STATE, 0)); +-- +2.43.0 + diff --git a/queue-4.19/drm-radeon-check-the-alloc_workqueue-return-value-in.patch b/queue-4.19/drm-radeon-check-the-alloc_workqueue-return-value-in.patch new file mode 100644 index 00000000000..ab0a00a343b --- /dev/null +++ b/queue-4.19/drm-radeon-check-the-alloc_workqueue-return-value-in.patch @@ -0,0 +1,46 @@ +From 11e04d18f816458b65a945b9d25d3896a9119b93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 15:50:16 +0800 +Subject: drm/radeon: check the alloc_workqueue return value in + radeon_crtc_init() + +From: Yang Yingliang + +[ Upstream commit 7a2464fac80d42f6f8819fed97a553e9c2f43310 ] + +check the alloc_workqueue return value in radeon_crtc_init() +to avoid null-ptr-deref. + +Fixes: fa7f517cb26e ("drm/radeon: rework page flip handling v4") +Signed-off-by: Yang Yingliang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_display.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index 5985efc5a1f3..b7308ed7e266 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -676,11 +676,16 @@ static void radeon_crtc_init(struct drm_device *dev, int index) + if (radeon_crtc == NULL) + return; + ++ radeon_crtc->flip_queue = alloc_workqueue("radeon-crtc", WQ_HIGHPRI, 0); ++ if (!radeon_crtc->flip_queue) { ++ kfree(radeon_crtc); ++ return; ++ } ++ + drm_crtc_init(dev, &radeon_crtc->base, &radeon_crtc_funcs); + + drm_mode_crtc_set_gamma_size(&radeon_crtc->base, 256); + radeon_crtc->crtc_id = index; +- radeon_crtc->flip_queue = alloc_workqueue("radeon-crtc", WQ_HIGHPRI, 0); + rdev->mode_info.crtcs[index] = radeon_crtc; + + if (rdev->family >= CHIP_BONAIRE) { +-- +2.43.0 + diff --git a/queue-4.19/drm-radeon-dpm-fix-a-memleak-in-sumo_parse_power_tab.patch b/queue-4.19/drm-radeon-dpm-fix-a-memleak-in-sumo_parse_power_tab.patch new file mode 100644 index 00000000000..98b88e57801 --- /dev/null +++ b/queue-4.19/drm-radeon-dpm-fix-a-memleak-in-sumo_parse_power_tab.patch @@ -0,0 +1,41 @@ +From 97d1295610598688cfa45b700f8a86e4adf2ac0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 16:57:56 +0800 +Subject: drm/radeon/dpm: fix a memleak in sumo_parse_power_table + +From: Zhipeng Lu + +[ Upstream commit 0737df9ed0997f5b8addd6e2b9699a8c6edba2e4 ] + +The rdev->pm.dpm.ps allocated by kcalloc should be freed in every +following error-handling path. However, in the error-handling of +rdev->pm.power_state[i].clock_info the rdev->pm.dpm.ps is not freed, +resulting in a memleak in this function. + +Fixes: 80ea2c129c76 ("drm/radeon/kms: add dpm support for sumo asics (v2)") +Signed-off-by: Zhipeng Lu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/sumo_dpm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/sumo_dpm.c b/drivers/gpu/drm/radeon/sumo_dpm.c +index 1e4975f3374c..b9dc3805d7fb 100644 +--- a/drivers/gpu/drm/radeon/sumo_dpm.c ++++ b/drivers/gpu/drm/radeon/sumo_dpm.c +@@ -1494,8 +1494,10 @@ static int sumo_parse_power_table(struct radeon_device *rdev) + non_clock_array_index = power_state->v2.nonClockInfoIndex; + non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) + &non_clock_info_array->nonClockInfo[non_clock_array_index]; +- if (!rdev->pm.power_state[i].clock_info) ++ if (!rdev->pm.power_state[i].clock_info) { ++ kfree(rdev->pm.dpm.ps); + return -EINVAL; ++ } + ps = kzalloc(sizeof(struct sumo_ps), GFP_KERNEL); + if (ps == NULL) { + kfree(rdev->pm.dpm.ps); +-- +2.43.0 + diff --git a/queue-4.19/drm-radeon-r100-fix-integer-overflow-issues-in-r100_.patch b/queue-4.19/drm-radeon-r100-fix-integer-overflow-issues-in-r100_.patch new file mode 100644 index 00000000000..79a75ce8d68 --- /dev/null +++ b/queue-4.19/drm-radeon-r100-fix-integer-overflow-issues-in-r100_.patch @@ -0,0 +1,52 @@ +From a41153d75c2d6d9cc708216d022233cdb7eea039 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 07:22:12 -0800 +Subject: drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check() + +From: Nikita Zhandarovich + +[ Upstream commit b5c5baa458faa5430c445acd9a17481274d77ccf ] + +It may be possible, albeit unlikely, to encounter integer overflow +during the multiplication of several unsigned int variables, the +result being assigned to a variable 'size' of wider type. + +Prevent this potential behaviour by converting one of the multiples +to unsigned long. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 0242f74d29df ("drm/radeon: clean up CS functions in r100.c") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/r100.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c +index b24401f21e93..15241b80e9d2 100644 +--- a/drivers/gpu/drm/radeon/r100.c ++++ b/drivers/gpu/drm/radeon/r100.c +@@ -2307,7 +2307,7 @@ int r100_cs_track_check(struct radeon_device *rdev, struct r100_cs_track *track) + switch (prim_walk) { + case 1: + for (i = 0; i < track->num_arrays; i++) { +- size = track->arrays[i].esize * track->max_indx * 4; ++ size = track->arrays[i].esize * track->max_indx * 4UL; + if (track->arrays[i].robj == NULL) { + DRM_ERROR("(PW %u) Vertex array %u no buffer " + "bound\n", prim_walk, i); +@@ -2326,7 +2326,7 @@ int r100_cs_track_check(struct radeon_device *rdev, struct r100_cs_track *track) + break; + case 2: + for (i = 0; i < track->num_arrays; i++) { +- size = track->arrays[i].esize * (nverts - 1) * 4; ++ size = track->arrays[i].esize * (nverts - 1) * 4UL; + if (track->arrays[i].robj == NULL) { + DRM_ERROR("(PW %u) Vertex array %u no buffer " + "bound\n", prim_walk, i); +-- +2.43.0 + diff --git a/queue-4.19/drm-radeon-r600_cs-fix-possible-int-overflows-in-r60.patch b/queue-4.19/drm-radeon-r600_cs-fix-possible-int-overflows-in-r60.patch new file mode 100644 index 00000000000..f914c8e3877 --- /dev/null +++ b/queue-4.19/drm-radeon-r600_cs-fix-possible-int-overflows-in-r60.patch @@ -0,0 +1,51 @@ +From c75bc8290e1503364fe2eeff5217bc7fcda0eda2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 07:22:30 -0800 +Subject: drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg() + +From: Nikita Zhandarovich + +[ Upstream commit 39c960bbf9d9ea862398759e75736cfb68c3446f ] + +While improbable, there may be a chance of hitting integer +overflow when the result of radeon_get_ib_value() gets shifted +left. + +Avoid it by casting one of the operands to larger data type (u64). + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 1729dd33d20b ("drm/radeon/kms: r600 CS parser fixes") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/r600_cs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c +index c96b31950ca7..b6bdfb3f4a7f 100644 +--- a/drivers/gpu/drm/radeon/r600_cs.c ++++ b/drivers/gpu/drm/radeon/r600_cs.c +@@ -1278,7 +1278,7 @@ static int r600_cs_check_reg(struct radeon_cs_parser *p, u32 reg, u32 idx) + return -EINVAL; + } + tmp = (reg - CB_COLOR0_BASE) / 4; +- track->cb_color_bo_offset[tmp] = radeon_get_ib_value(p, idx) << 8; ++ track->cb_color_bo_offset[tmp] = (u64)radeon_get_ib_value(p, idx) << 8; + ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff); + track->cb_color_base_last[tmp] = ib[idx]; + track->cb_color_bo[tmp] = reloc->robj; +@@ -1305,7 +1305,7 @@ static int r600_cs_check_reg(struct radeon_cs_parser *p, u32 reg, u32 idx) + "0x%04X\n", reg); + return -EINVAL; + } +- track->htile_offset = radeon_get_ib_value(p, idx) << 8; ++ track->htile_offset = (u64)radeon_get_ib_value(p, idx) << 8; + ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff); + track->htile_bo = reloc->robj; + track->db_dirty = true; +-- +2.43.0 + diff --git a/queue-4.19/drm-radeon-trinity_dpm-fix-a-memleak-in-trinity_pars.patch b/queue-4.19/drm-radeon-trinity_dpm-fix-a-memleak-in-trinity_pars.patch new file mode 100644 index 00000000000..234b444f2e2 --- /dev/null +++ b/queue-4.19/drm-radeon-trinity_dpm-fix-a-memleak-in-trinity_pars.patch @@ -0,0 +1,41 @@ +From 8d6a34500b01db150dfe686e8ea1949e6149be91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 18:21:54 +0800 +Subject: drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table + +From: Zhipeng Lu + +[ Upstream commit 28c28d7f77c06ac2c0b8f9c82bc04eba22912b3b ] + +The rdev->pm.dpm.ps allocated by kcalloc should be freed in every +following error-handling path. However, in the error-handling of +rdev->pm.power_state[i].clock_info the rdev->pm.dpm.ps is not freed, +resulting in a memleak in this function. + +Fixes: d70229f70447 ("drm/radeon/kms: add dpm support for trinity asics") +Signed-off-by: Zhipeng Lu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/trinity_dpm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/trinity_dpm.c b/drivers/gpu/drm/radeon/trinity_dpm.c +index 5d317f763eea..e9e44df4a22a 100644 +--- a/drivers/gpu/drm/radeon/trinity_dpm.c ++++ b/drivers/gpu/drm/radeon/trinity_dpm.c +@@ -1769,8 +1769,10 @@ static int trinity_parse_power_table(struct radeon_device *rdev) + non_clock_array_index = power_state->v2.nonClockInfoIndex; + non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) + &non_clock_info_array->nonClockInfo[non_clock_array_index]; +- if (!rdev->pm.power_state[i].clock_info) ++ if (!rdev->pm.power_state[i].clock_info) { ++ kfree(rdev->pm.dpm.ps); + return -EINVAL; ++ } + ps = kzalloc(sizeof(struct sumo_ps), GFP_KERNEL); + if (ps == NULL) { + kfree(rdev->pm.dpm.ps); +-- +2.43.0 + diff --git a/queue-4.19/edac-thunderx-fix-possible-out-of-bounds-string-acce.patch b/queue-4.19/edac-thunderx-fix-possible-out-of-bounds-string-acce.patch new file mode 100644 index 00000000000..6b25f6eec58 --- /dev/null +++ b/queue-4.19/edac-thunderx-fix-possible-out-of-bounds-string-acce.patch @@ -0,0 +1,91 @@ +From 556e70ef687754a1e4334095062d902ef2a6c989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 23:19:53 +0100 +Subject: EDAC/thunderx: Fix possible out-of-bounds string access + +From: Arnd Bergmann + +[ Upstream commit 475c58e1a471e9b873e3e39958c64a2d278275c8 ] + +Enabling -Wstringop-overflow globally exposes a warning for a common bug +in the usage of strncat(): + + drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr': + drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=] + 1136 | strncat(msg, other, OCX_MESSAGE_SIZE); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ... + 1145 | strncat(msg, other, OCX_MESSAGE_SIZE); + ... + 1150 | strncat(msg, other, OCX_MESSAGE_SIZE); + + ... + +Apparently the author of this driver expected strncat() to behave the +way that strlcat() does, which uses the size of the destination buffer +as its third argument rather than the length of the source buffer. The +result is that there is no check on the size of the allocated buffer. + +Change it to strlcat(). + + [ bp: Trim compiler output, fixup commit message. ] + +Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver") +Signed-off-by: Arnd Bergmann +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/20231122222007.3199885-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/edac/thunderx_edac.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c +index 34be60fe6892..0fffb393415b 100644 +--- a/drivers/edac/thunderx_edac.c ++++ b/drivers/edac/thunderx_edac.c +@@ -1133,7 +1133,7 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id) + decode_register(other, OCX_OTHER_SIZE, + ocx_com_errors, ctx->reg_com_int); + +- strncat(msg, other, OCX_MESSAGE_SIZE); ++ strlcat(msg, other, OCX_MESSAGE_SIZE); + + for (lane = 0; lane < OCX_RX_LANES; lane++) + if (ctx->reg_com_int & BIT(lane)) { +@@ -1142,12 +1142,12 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id) + lane, ctx->reg_lane_int[lane], + lane, ctx->reg_lane_stat11[lane]); + +- strncat(msg, other, OCX_MESSAGE_SIZE); ++ strlcat(msg, other, OCX_MESSAGE_SIZE); + + decode_register(other, OCX_OTHER_SIZE, + ocx_lane_errors, + ctx->reg_lane_int[lane]); +- strncat(msg, other, OCX_MESSAGE_SIZE); ++ strlcat(msg, other, OCX_MESSAGE_SIZE); + } + + if (ctx->reg_com_int & OCX_COM_INT_CE) +@@ -1217,7 +1217,7 @@ static irqreturn_t thunderx_ocx_lnk_threaded_isr(int irq, void *irq_id) + decode_register(other, OCX_OTHER_SIZE, + ocx_com_link_errors, ctx->reg_com_link_int); + +- strncat(msg, other, OCX_MESSAGE_SIZE); ++ strlcat(msg, other, OCX_MESSAGE_SIZE); + + if (ctx->reg_com_link_int & OCX_COM_LINK_INT_UE) + edac_device_handle_ue(ocx->edac_dev, 0, 0, msg); +@@ -1896,7 +1896,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id) + + decode_register(other, L2C_OTHER_SIZE, l2_errors, ctx->reg_int); + +- strncat(msg, other, L2C_MESSAGE_SIZE); ++ strlcat(msg, other, L2C_MESSAGE_SIZE); + + if (ctx->reg_int & mask_ue) + edac_device_handle_ue(l2c->edac_dev, 0, 0, msg); +-- +2.43.0 + diff --git a/queue-4.19/f2fs-fix-to-avoid-dirent-corruption.patch b/queue-4.19/f2fs-fix-to-avoid-dirent-corruption.patch new file mode 100644 index 00000000000..df5ba269db7 --- /dev/null +++ b/queue-4.19/f2fs-fix-to-avoid-dirent-corruption.patch @@ -0,0 +1,60 @@ +From 2420a96a405e4119fa2239d9d5db75bb91d6b9e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 17:25:16 +0800 +Subject: f2fs: fix to avoid dirent corruption + +From: Chao Yu + +[ Upstream commit 53edb549565f55ccd0bdf43be3d66ce4c2d48b28 ] + +As Al reported in link[1]: + +f2fs_rename() +... + if (old_dir != new_dir && !whiteout) + f2fs_set_link(old_inode, old_dir_entry, + old_dir_page, new_dir); + else + f2fs_put_page(old_dir_page, 0); + +You want correct inumber in the ".." link. And cross-directory +rename does move the source to new parent, even if you'd been asked +to leave a whiteout in the old place. + +[1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/ + +With below testcase, it may cause dirent corruption, due to it missed +to call f2fs_set_link() to update ".." link to new directory. +- mkdir -p dir/foo +- renameat2 -w dir/foo bar + +[ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[0x4] for '..', parent parent ino is [0x3] +[FSCK] other corrupted bugs [Fail] + +Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT") +Cc: Jan Kara +Reported-by: Al Viro +Signed-off-by: Chao Yu +Reviewed-by: Jan Kara +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index 9e4c38481830..2eb7b0e2b34a 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -979,7 +979,7 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry, + } + + if (old_dir_entry) { +- if (old_dir != new_dir && !whiteout) ++ if (old_dir != new_dir) + f2fs_set_link(old_inode, old_dir_entry, + old_dir_page, new_dir); + else +-- +2.43.0 + diff --git a/queue-4.19/firmware-ti_sci-fix-an-off-by-one-in-ti_sci_debugfs_.patch b/queue-4.19/firmware-ti_sci-fix-an-off-by-one-in-ti_sci_debugfs_.patch new file mode 100644 index 00000000000..f86edfd0213 --- /dev/null +++ b/queue-4.19/firmware-ti_sci-fix-an-off-by-one-in-ti_sci_debugfs_.patch @@ -0,0 +1,55 @@ +From 7972f4a7c9a404ef860970517ca7f77711750805 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 11:12:26 +0100 +Subject: firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create() + +From: Christophe JAILLET + +[ Upstream commit 964946b88887089f447a9b6a28c39ee97dc76360 ] + +The ending NULL is not taken into account by strncat(), so switch to +snprintf() to correctly build 'debug_name'. + +Using snprintf() also makes the code more readable. + +Fixes: aa276781a64a ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol") +Signed-off-by: Christophe JAILLET +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/7158db0a4d7b19855ddd542ec61b666973aad8dc.1698660720.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Nishanth Menon +Signed-off-by: Sasha Levin +--- + drivers/firmware/ti_sci.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c +index 46acc6440b9a..639e0481f952 100644 +--- a/drivers/firmware/ti_sci.c ++++ b/drivers/firmware/ti_sci.c +@@ -176,7 +176,7 @@ static int ti_sci_debugfs_create(struct platform_device *pdev, + { + struct device *dev = &pdev->dev; + struct resource *res; +- char debug_name[50] = "ti_sci_debug@"; ++ char debug_name[50]; + + /* Debug region is optional */ + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, +@@ -193,10 +193,10 @@ static int ti_sci_debugfs_create(struct platform_device *pdev, + /* Setup NULL termination */ + info->debug_buffer[info->debug_region_size] = 0; + +- info->d = debugfs_create_file(strncat(debug_name, dev_name(dev), +- sizeof(debug_name) - +- sizeof("ti_sci_debug@")), +- 0444, NULL, info, &ti_sci_debug_fops); ++ snprintf(debug_name, sizeof(debug_name), "ti_sci_debug@%s", ++ dev_name(dev)); ++ info->d = debugfs_create_file(debug_name, 0444, NULL, info, ++ &ti_sci_debug_fops); + if (IS_ERR(info->d)) + return PTR_ERR(info->d); + +-- +2.43.0 + diff --git a/queue-4.19/gpu-drm-radeon-fix-two-memleaks-in-radeon_vm_init.patch b/queue-4.19/gpu-drm-radeon-fix-two-memleaks-in-radeon_vm_init.patch new file mode 100644 index 00000000000..9f5d1729997 --- /dev/null +++ b/queue-4.19/gpu-drm-radeon-fix-two-memleaks-in-radeon_vm_init.patch @@ -0,0 +1,48 @@ +From d788da2a53731bc56fb475cf31b5ac5f09c66df1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 00:58:42 +0800 +Subject: gpu/drm/radeon: fix two memleaks in radeon_vm_init + +From: Zhipeng Lu + +[ Upstream commit c2709b2d6a537ca0fa0f1da36fdaf07e48ef447d ] + +When radeon_bo_create and radeon_vm_clear_bo fail, the vm->page_tables +allocated before need to be freed. However, neither radeon_vm_init +itself nor its caller have done such deallocation. + +Fixes: 6d2f2944e95e ("drm/radeon: use normal BOs for the page tables v4") +Signed-off-by: Zhipeng Lu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_vm.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_vm.c b/drivers/gpu/drm/radeon/radeon_vm.c +index 7f1a9c787bd1..cecbd5282a47 100644 +--- a/drivers/gpu/drm/radeon/radeon_vm.c ++++ b/drivers/gpu/drm/radeon/radeon_vm.c +@@ -1206,13 +1206,17 @@ int radeon_vm_init(struct radeon_device *rdev, struct radeon_vm *vm) + r = radeon_bo_create(rdev, pd_size, align, true, + RADEON_GEM_DOMAIN_VRAM, 0, NULL, + NULL, &vm->page_directory); +- if (r) ++ if (r) { ++ kfree(vm->page_tables); ++ vm->page_tables = NULL; + return r; +- ++ } + r = radeon_vm_clear_bo(rdev, vm->page_directory); + if (r) { + radeon_bo_unref(&vm->page_directory); + vm->page_directory = NULL; ++ kfree(vm->page_tables); ++ vm->page_tables = NULL; + return r; + } + +-- +2.43.0 + diff --git a/queue-4.19/ip6_tunnel-fix-nexthdr_fragment-handling-in-ip6_tnl_.patch b/queue-4.19/ip6_tunnel-fix-nexthdr_fragment-handling-in-ip6_tnl_.patch new file mode 100644 index 00000000000..e74fd706def --- /dev/null +++ b/queue-4.19/ip6_tunnel-fix-nexthdr_fragment-handling-in-ip6_tnl_.patch @@ -0,0 +1,173 @@ +From e1c083ad61c78a79e7d4332e83f24dbc4a3bc387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jan 2024 17:03:13 +0000 +Subject: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in + ip6_tnl_parse_tlv_enc_lim() + +From: Eric Dumazet + +[ Upstream commit d375b98e0248980681e5e56b712026174d617198 ] + +syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken. + +Reading frag_off can only be done if we pulled enough bytes +to skb->head. Currently we might access garbage. + +[1] +BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 +ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 +ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] +ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 +__netdev_start_xmit include/linux/netdevice.h:4940 [inline] +netdev_start_xmit include/linux/netdevice.h:4954 [inline] +xmit_one net/core/dev.c:3548 [inline] +dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 +__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 +dev_queue_xmit include/linux/netdevice.h:3134 [inline] +neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 +neigh_output include/net/neighbour.h:542 [inline] +ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 +ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 +NF_HOOK_COND include/linux/netfilter.h:303 [inline] +ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 +dst_output include/net/dst.h:451 [inline] +ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 +ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] +ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 +rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 +rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 +inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg net/socket.c:745 [inline] +____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 +___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 +__sys_sendmsg net/socket.c:2667 [inline] +__do_sys_sendmsg net/socket.c:2676 [inline] +__se_sys_sendmsg net/socket.c:2674 [inline] +__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was created at: +slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 +slab_alloc_node mm/slub.c:3478 [inline] +__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 +__do_kmalloc_node mm/slab_common.c:1006 [inline] +__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027 +kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582 +pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098 +__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655 +pskb_may_pull_reason include/linux/skbuff.h:2673 [inline] +pskb_may_pull include/linux/skbuff.h:2681 [inline] +ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408 +ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] +ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 +__netdev_start_xmit include/linux/netdevice.h:4940 [inline] +netdev_start_xmit include/linux/netdevice.h:4954 [inline] +xmit_one net/core/dev.c:3548 [inline] +dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 +__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 +dev_queue_xmit include/linux/netdevice.h:3134 [inline] +neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 +neigh_output include/net/neighbour.h:542 [inline] +ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 +ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 +NF_HOOK_COND include/linux/netfilter.h:303 [inline] +ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 +dst_output include/net/dst.h:451 [inline] +ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 +ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] +ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 +rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 +rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 +inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 +sock_sendmsg_nosec net/socket.c:730 [inline] +__sock_sendmsg net/socket.c:745 [inline] +____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 +___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 +__sys_sendmsg net/socket.c:2667 [inline] +__do_sys_sendmsg net/socket.c:2676 [inline] +__se_sys_sendmsg net/socket.c:2674 [inline] +__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x63/0x6b + +CPU: 0 PID: 7345 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00024-gac865f00af29 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 + +Fixes: fbfa743a9d2a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_tunnel.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index 48a658b541d7..56309c851928 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -404,7 +404,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) + const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)raw; + unsigned int nhoff = raw - skb->data; + unsigned int off = nhoff + sizeof(*ipv6h); +- u8 next, nexthdr = ipv6h->nexthdr; ++ u8 nexthdr = ipv6h->nexthdr; + + while (ipv6_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) { + struct ipv6_opt_hdr *hdr; +@@ -415,25 +415,25 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) + + hdr = (struct ipv6_opt_hdr *)(skb->data + off); + if (nexthdr == NEXTHDR_FRAGMENT) { +- struct frag_hdr *frag_hdr = (struct frag_hdr *) hdr; +- if (frag_hdr->frag_off) +- break; + optlen = 8; + } else if (nexthdr == NEXTHDR_AUTH) { + optlen = (hdr->hdrlen + 2) << 2; + } else { + optlen = ipv6_optlen(hdr); + } +- /* cache hdr->nexthdr, since pskb_may_pull() might +- * invalidate hdr +- */ +- next = hdr->nexthdr; +- if (nexthdr == NEXTHDR_DEST) { +- u16 i = 2; + +- /* Remember : hdr is no longer valid at this point. */ +- if (!pskb_may_pull(skb, off + optlen)) ++ if (!pskb_may_pull(skb, off + optlen)) ++ break; ++ ++ hdr = (struct ipv6_opt_hdr *)(skb->data + off); ++ if (nexthdr == NEXTHDR_FRAGMENT) { ++ struct frag_hdr *frag_hdr = (struct frag_hdr *)hdr; ++ ++ if (frag_hdr->frag_off) + break; ++ } ++ if (nexthdr == NEXTHDR_DEST) { ++ u16 i = 2; + + while (1) { + struct ipv6_tlv_tnl_enc_lim *tel; +@@ -454,7 +454,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw) + i++; + } + } +- nexthdr = next; ++ nexthdr = hdr->nexthdr; + off += optlen; + } + return 0; +-- +2.43.0 + diff --git a/queue-4.19/media-cx231xx-fix-a-memleak-in-cx231xx_init_isoc.patch b/queue-4.19/media-cx231xx-fix-a-memleak-in-cx231xx_init_isoc.patch new file mode 100644 index 00000000000..7d521d28a2b --- /dev/null +++ b/queue-4.19/media-cx231xx-fix-a-memleak-in-cx231xx_init_isoc.patch @@ -0,0 +1,51 @@ +From eb40f6d7a28ccdb668cfc22d47b648b16114d361 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Dec 2023 21:22:55 +0800 +Subject: media: cx231xx: fix a memleak in cx231xx_init_isoc + +From: Zhipeng Lu + +[ Upstream commit 5d3c8990e2bbf929cb211563dadd70708f42e4e6 ] + +The dma_q->p_left_data alloced by kzalloc should be freed in all the +following error handling paths. However, it hasn't been freed in the +allocation error paths of dev->video_mode.isoc_ctl.urb and +dev->video_mode.isoc_ctl.transfer_buffer. + +On the other hand, the dma_q->p_left_data did be freed in the +error-handling paths after that of dev->video_mode.isoc_ctl.urb and +dev->video_mode.isoc_ctl.transfer_buffer, by calling +cx231xx_uninit_isoc(dev). So the same free operation should be done in +error-handling paths of those two allocation. + +Fixes: 64fbf4445526 ("[media] cx231xx: Added support for Carraera, Shelby, RDx_253S and VIDEO_GRABBER") +Signed-off-by: Zhipeng Lu +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/cx231xx/cx231xx-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/usb/cx231xx/cx231xx-core.c b/drivers/media/usb/cx231xx/cx231xx-core.c +index 493c2dca6244..cd60473a981c 100644 +--- a/drivers/media/usb/cx231xx/cx231xx-core.c ++++ b/drivers/media/usb/cx231xx/cx231xx-core.c +@@ -1040,6 +1040,7 @@ int cx231xx_init_isoc(struct cx231xx *dev, int max_packets, + if (!dev->video_mode.isoc_ctl.urb) { + dev_err(dev->dev, + "cannot alloc memory for usb buffers\n"); ++ kfree(dma_q->p_left_data); + return -ENOMEM; + } + +@@ -1049,6 +1050,7 @@ int cx231xx_init_isoc(struct cx231xx *dev, int max_packets, + dev_err(dev->dev, + "cannot allocate memory for usbtransfer\n"); + kfree(dev->video_mode.isoc_ctl.urb); ++ kfree(dma_q->p_left_data); + return -ENOMEM; + } + +-- +2.43.0 + diff --git a/queue-4.19/media-dvbdev-drop-refcount-on-error-path-in-dvb_devi.patch b/queue-4.19/media-dvbdev-drop-refcount-on-error-path-in-dvb_devi.patch new file mode 100644 index 00000000000..abddaf36f46 --- /dev/null +++ b/queue-4.19/media-dvbdev-drop-refcount-on-error-path-in-dvb_devi.patch @@ -0,0 +1,35 @@ +From 2dc939880cb1cb00b784b1565f17feb4172a41b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Oct 2023 12:53:33 +0300 +Subject: media: dvbdev: drop refcount on error path in dvb_device_open() + +From: Dan Carpenter + +[ Upstream commit a2dd235df435a05d389240be748909ada91201d2 ] + +If call to file->f_op->open() fails, then call dvb_device_put(dvbdev). + +Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF") +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index e103999711fc..b8335ede6626 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -113,6 +113,8 @@ static int dvb_device_open(struct inode *inode, struct file *file) + err = file->f_op->open(inode, file); + up_read(&minor_rwsem); + mutex_unlock(&dvbdev_mutex); ++ if (err) ++ dvb_device_put(dvbdev); + return err; + } + fail: +-- +2.43.0 + diff --git a/queue-4.19/media-pvrusb2-fix-use-after-free-on-context-disconne.patch b/queue-4.19/media-pvrusb2-fix-use-after-free-on-context-disconne.patch new file mode 100644 index 00000000000..924139266cd --- /dev/null +++ b/queue-4.19/media-pvrusb2-fix-use-after-free-on-context-disconne.patch @@ -0,0 +1,46 @@ +From 0b9927ecc9e23e1ae23c038bf17bb0221b68ebd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Oct 2023 01:09:12 +0200 +Subject: media: pvrusb2: fix use after free on context disconnection + +From: Ricardo B. Marliere + +[ Upstream commit ded85b0c0edd8f45fec88783d7555a5b982449c1 ] + +Upon module load, a kthread is created targeting the +pvr2_context_thread_func function, which may call pvr2_context_destroy +and thus call kfree() on the context object. However, that might happen +before the usb hub_event handler is able to notify the driver. This +patch adds a sanity check before the invalid read reported by syzbot, +within the context disconnection call stack. + +Reported-and-tested-by: syzbot+621409285c4156a009b3@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000a02a4205fff8eb92@google.com/ + +Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload") +Signed-off-by: Ricardo B. Marliere +Acked-by: Mike Isely +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/pvrusb2/pvrusb2-context.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c +index d9e8481e9e28..9236463ba269 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-context.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c +@@ -277,7 +277,8 @@ void pvr2_context_disconnect(struct pvr2_context *mp) + { + pvr2_hdw_disconnect(mp->hdw); + mp->disconnect_flag = !0; +- pvr2_context_notify(mp); ++ if (!pvr2_context_shutok()) ++ pvr2_context_notify(mp); + } + + +-- +2.43.0 + diff --git a/queue-4.19/mmc-sdhci_omap-fix-ti-soc-dependencies.patch b/queue-4.19/mmc-sdhci_omap-fix-ti-soc-dependencies.patch new file mode 100644 index 00000000000..6884958a05d --- /dev/null +++ b/queue-4.19/mmc-sdhci_omap-fix-ti-soc-dependencies.patch @@ -0,0 +1,47 @@ +From 0e3048c4614c703ebcda23bcd3ab34f33b42049c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Dec 2023 13:59:47 +0000 +Subject: mmc: sdhci_omap: Fix TI SoC dependencies + +From: Peter Robinson + +[ Upstream commit 09f164d393a6671e5ff8342ba6b3cb7fe3f20208 ] + +The sdhci_omap is specific to older TI SoCs, update the +dependencies for those SoCs and compile testing. While we're +at it update the text to reflect the wider range of +supported TI SoCS the driver now supports. + +Fixes: 7d326930d352 ("mmc: sdhci-omap: Add OMAP SDHCI driver") +Signed-off-by: Peter Robinson +Link: https://lore.kernel.org/r/20231220135950.433588-2-pbrobinson@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/Kconfig | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/Kconfig b/drivers/mmc/host/Kconfig +index d50c9079c036..e9b5d7517d29 100644 +--- a/drivers/mmc/host/Kconfig ++++ b/drivers/mmc/host/Kconfig +@@ -935,13 +935,14 @@ config MMC_SDHCI_XENON + + config MMC_SDHCI_OMAP + tristate "TI SDHCI Controller Support" ++ depends on ARCH_OMAP2PLUS || ARCH_KEYSTONE || COMPILE_TEST + depends on MMC_SDHCI_PLTFM && OF + select THERMAL + imply TI_SOC_THERMAL + help + This selects the Secure Digital Host Controller Interface (SDHCI) +- support present in TI's DRA7 SOCs. The controller supports +- SD/MMC/SDIO devices. ++ support present in TI's Keystone/OMAP2+/DRA7 SOCs. The controller ++ supports SD/MMC/SDIO devices. + + If you have a controller with this interface, say Y or M here. + +-- +2.43.0 + diff --git a/queue-4.19/mtd-fix-gluebi-null-pointer-dereference-caused-by-ft.patch b/queue-4.19/mtd-fix-gluebi-null-pointer-dereference-caused-by-ft.patch new file mode 100644 index 00000000000..614c89e9856 --- /dev/null +++ b/queue-4.19/mtd-fix-gluebi-null-pointer-dereference-caused-by-ft.patch @@ -0,0 +1,85 @@ +From e9707e81849dc29e574a406a1ea07330ecef256f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Dec 2023 10:46:19 +0800 +Subject: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: ZhaoLong Wang + +[ Upstream commit a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6 ] + +If both ftl.ko and gluebi.ko are loaded, the notifier of ftl +triggers NULL pointer dereference when trying to access +‘gluebi->desc’ in gluebi_read(). + +ubi_gluebi_init + ubi_register_volume_notifier + ubi_enumerate_volumes + ubi_notify_all + gluebi_notify nb->notifier_call() + gluebi_create + mtd_device_register + mtd_device_parse_register + add_mtd_device + blktrans_notify_add not->add() + ftl_add_mtd tr->add_mtd() + scan_header + mtd_read + mtd_read_oob + mtd_read_oob_std + gluebi_read mtd->read() + gluebi->desc - NULL + +Detailed reproduction information available at the Link [1], + +In the normal case, obtain gluebi->desc in the gluebi_get_device(), +and access gluebi->desc in the gluebi_read(). However, +gluebi_get_device() is not executed in advance in the +ftl_add_mtd() process, which leads to NULL pointer dereference. + +The solution for the gluebi module is to run jffs2 on the UBI +volume without considering working with ftl or mtdblock [2]. +Therefore, this problem can be avoided by preventing gluebi from +creating the mtdblock device after creating mtd partition of the +type MTD_UBIVOLUME. + +Fixes: 2ba3d76a1e29 ("UBI: make gluebi a separate module") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217992 [1] +Link: https://lore.kernel.org/lkml/441107100.23734.1697904580252.JavaMail.zimbra@nod.at/ [2] +Signed-off-by: ZhaoLong Wang +Reviewed-by: Zhihao Cheng +Acked-by: Richard Weinberger +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20231220024619.2138625-1-wangzhaolong1@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtd_blkdevs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/mtd_blkdevs.c b/drivers/mtd/mtd_blkdevs.c +index 6a41dfa3c36b..a9aa1b518d81 100644 +--- a/drivers/mtd/mtd_blkdevs.c ++++ b/drivers/mtd/mtd_blkdevs.c +@@ -521,7 +521,7 @@ static void blktrans_notify_add(struct mtd_info *mtd) + { + struct mtd_blktrans_ops *tr; + +- if (mtd->type == MTD_ABSENT) ++ if (mtd->type == MTD_ABSENT || mtd->type == MTD_UBIVOLUME) + return; + + list_for_each_entry(tr, &blktrans_majors, list) +@@ -564,7 +564,7 @@ int register_mtd_blktrans(struct mtd_blktrans_ops *tr) + list_add(&tr->list, &blktrans_majors); + + mtd_for_each_device(mtd) +- if (mtd->type != MTD_ABSENT) ++ if (mtd->type != MTD_ABSENT && mtd->type != MTD_UBIVOLUME) + tr->add_mtd(tr, mtd); + + mutex_unlock(&mtd_table_mutex); +-- +2.43.0 + diff --git a/queue-4.19/mtd-rawnand-increment-ifc_timeout_msecs-for-nand-con.patch b/queue-4.19/mtd-rawnand-increment-ifc_timeout_msecs-for-nand-con.patch new file mode 100644 index 00000000000..3c61a2ea59a --- /dev/null +++ b/queue-4.19/mtd-rawnand-increment-ifc_timeout_msecs-for-nand-con.patch @@ -0,0 +1,49 @@ +From d797cf1f35459eaaecc12462d84368f408c30e9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Nov 2023 18:31:51 +1000 +Subject: mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller + response + +From: Ronald Monthero + +[ Upstream commit 923fb6238cb3ac529aa2bf13b3b1e53762186a8b ] + +Under heavy load it is likely that the controller is done +with its own task but the thread unlocking the wait is not +scheduled in time. Increasing IFC_TIMEOUT_MSECS allows the +controller to respond within allowable timeslice of 1 sec. + +fsl,ifc-nand 7e800000.nand: Controller is not responding + +[<804b2047>] (nand_get_device) from [<804b5335>] (nand_write_oob+0x1b/0x4a) +[<804b5335>] (nand_write_oob) from [<804a3585>] (mtd_write+0x41/0x5c) +[<804a3585>] (mtd_write) from [<804c1d47>] (ubi_io_write+0x17f/0x22c) +[<804c1d47>] (ubi_io_write) from [<804c047b>] (ubi_eba_write_leb+0x5b/0x1d0) + +Fixes: 82771882d960 ("NAND Machine support for Integrated Flash Controller") +Reviewed-by: Miquel Raynal +Reviewed-by: Andy Shevchenko +Signed-off-by: Ronald Monthero +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20231118083156.776887-1-debug.penguin32@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/fsl_ifc_nand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/fsl_ifc_nand.c b/drivers/mtd/nand/raw/fsl_ifc_nand.c +index 70bf8e1552a5..bdb97460257c 100644 +--- a/drivers/mtd/nand/raw/fsl_ifc_nand.c ++++ b/drivers/mtd/nand/raw/fsl_ifc_nand.c +@@ -34,7 +34,7 @@ + + #define ERR_BYTE 0xFF /* Value returned for read + bytes when read failed */ +-#define IFC_TIMEOUT_MSECS 500 /* Maximum number of mSecs to wait ++#define IFC_TIMEOUT_MSECS 1000 /* Maximum timeout to wait + for IFC NAND Machine */ + + struct fsl_ifc_ctrl; +-- +2.43.0 + diff --git a/queue-4.19/ncsi-internal.h-fix-a-spello.patch b/queue-4.19/ncsi-internal.h-fix-a-spello.patch new file mode 100644 index 00000000000..79eb52d41d7 --- /dev/null +++ b/queue-4.19/ncsi-internal.h-fix-a-spello.patch @@ -0,0 +1,35 @@ +From 87708658677cf8f3d7a37023b620d4fe8173c520 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Mar 2021 04:42:47 +0530 +Subject: ncsi: internal.h: Fix a spello + +From: Bhaskar Chowdhury + +[ Upstream commit 195a8ec4033b4124f6864892e71dcef24ba74a5a ] + +s/Firware/Firmware/ + +Signed-off-by: Bhaskar Chowdhury +Signed-off-by: David S. Miller +Stable-dep-of: 3084b58bfd0b ("net/ncsi: Fix netlink major/minor version numbers") +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index 8055e3965cef..176d19df85b3 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -71,7 +71,7 @@ enum { + struct ncsi_channel_version { + u32 version; /* Supported BCD encoded NCSI version */ + u32 alpha2; /* Supported BCD encoded NCSI version */ +- u8 fw_name[12]; /* Firware name string */ ++ u8 fw_name[12]; /* Firmware name string */ + u32 fw_version; /* Firmware version */ + u16 pci_ids[4]; /* PCI identification */ + u32 mf_id; /* Manufacture ID */ +-- +2.43.0 + diff --git a/queue-4.19/net-ncsi-fix-netlink-major-minor-version-numbers.patch b/queue-4.19/net-ncsi-fix-netlink-major-minor-version-numbers.patch new file mode 100644 index 00000000000..7558de77a92 --- /dev/null +++ b/queue-4.19/net-ncsi-fix-netlink-major-minor-version-numbers.patch @@ -0,0 +1,202 @@ +From 86b1ed84006d475a40e5da06b6a74c53852a7fed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Nov 2023 10:07:34 -0600 +Subject: net/ncsi: Fix netlink major/minor version numbers + +From: Peter Delevoryas + +[ Upstream commit 3084b58bfd0b9e4b5e034f31f31b42977db35f12 ] + +The netlink interface for major and minor version numbers doesn't actually +return the major and minor version numbers. + +It reports a u32 that contains the (major, minor, update, alpha1) +components as the major version number, and then alpha2 as the minor +version number. + +For whatever reason, the u32 byte order was reversed (ntohl): maybe it was +assumed that the encoded value was a single big-endian u32, and alpha2 was +the minor version. + +The correct way to get the supported NC-SI version from the network +controller is to parse the Get Version ID response as described in 8.4.44 +of the NC-SI spec[1]. + + Get Version ID Response Packet Format + + Bits + +--------+--------+--------+--------+ + Bytes | 31..24 | 23..16 | 15..8 | 7..0 | + +-------+--------+--------+--------+--------+ + | 0..15 | NC-SI Header | + +-------+--------+--------+--------+--------+ + | 16..19| Response code | Reason code | + +-------+--------+--------+--------+--------+ + |20..23 | Major | Minor | Update | Alpha1 | + +-------+--------+--------+--------+--------+ + |24..27 | reserved | Alpha2 | + +-------+--------+--------+--------+--------+ + | .... other stuff .... | + +The major, minor, and update fields are all binary-coded decimal (BCD) +encoded [2]. The spec provides examples below the Get Version ID response +format in section 8.4.44.1, but for practical purposes, this is an example +from a live network card: + + root@bmc:~# ncsi-util 0x15 + NC-SI Command Response: + cmd: GET_VERSION_ID(0x15) + Response: COMMAND_COMPLETED(0x0000) Reason: NO_ERROR(0x0000) + Payload length = 40 + + 20: 0xf1 0xf1 0xf0 0x00 <<<<<<<<< (major, minor, update, alpha1) + 24: 0x00 0x00 0x00 0x00 <<<<<<<<< (_, _, _, alpha2) + + 28: 0x6d 0x6c 0x78 0x30 + 32: 0x2e 0x31 0x00 0x00 + 36: 0x00 0x00 0x00 0x00 + 40: 0x16 0x1d 0x07 0xd2 + 44: 0x10 0x1d 0x15 0xb3 + 48: 0x00 0x17 0x15 0xb3 + 52: 0x00 0x00 0x81 0x19 + +This should be parsed as "1.1.0". + +"f" in the upper-nibble means to ignore it, contributing zero. + +If both nibbles are "f", I think the whole field is supposed to be ignored. +Major and minor are "required", meaning they're not supposed to be "ff", +but the update field is "optional" so I think it can be ff. I think the +simplest thing to do is just set the major and minor to zero instead of +juggling some conditional logic or something. + +bcd2bin() from "include/linux/bcd.h" seems to assume both nibbles are 0-9, +so I've provided a custom BCD decoding function. + +Alpha1 and alpha2 are ISO/IEC 8859-1 encoded, which just means ASCII +characters as far as I can tell, although the full encoding table for +non-alphabetic characters is slightly different (I think). + +I imagine the alpha fields are just supposed to be alphabetic characters, +but I haven't seen any network cards actually report a non-zero value for +either. + +If people wrote software against this netlink behavior, and were parsing +the major and minor versions themselves from the u32, then this would +definitely break their code. + +[1] https://www.dmtf.org/sites/default/files/standards/documents/DSP0222_1.0.0.pdf +[2] https://en.wikipedia.org/wiki/Binary-coded_decimal +[2] https://en.wikipedia.org/wiki/ISO/IEC_8859-1 + +Signed-off-by: Peter Delevoryas +Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 7 +++++-- + net/ncsi/ncsi-netlink.c | 4 ++-- + net/ncsi/ncsi-pkt.h | 7 +++++-- + net/ncsi/ncsi-rsp.c | 26 ++++++++++++++++++++++++-- + 4 files changed, 36 insertions(+), 8 deletions(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index 176d19df85b3..2477caf9c967 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -69,8 +69,11 @@ enum { + }; + + struct ncsi_channel_version { +- u32 version; /* Supported BCD encoded NCSI version */ +- u32 alpha2; /* Supported BCD encoded NCSI version */ ++ u8 major; /* NCSI version major */ ++ u8 minor; /* NCSI version minor */ ++ u8 update; /* NCSI version update */ ++ char alpha1; /* NCSI version alpha1 */ ++ char alpha2; /* NCSI version alpha2 */ + u8 fw_name[12]; /* Firmware name string */ + u32 fw_version; /* Firmware version */ + u16 pci_ids[4]; /* PCI identification */ +diff --git a/net/ncsi/ncsi-netlink.c b/net/ncsi/ncsi-netlink.c +index a2f4280e2889..d0169bf0fcce 100644 +--- a/net/ncsi/ncsi-netlink.c ++++ b/net/ncsi/ncsi-netlink.c +@@ -71,8 +71,8 @@ static int ncsi_write_channel_info(struct sk_buff *skb, + if (ndp->force_channel == nc) + nla_put_flag(skb, NCSI_CHANNEL_ATTR_FORCED); + +- nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MAJOR, nc->version.version); +- nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MINOR, nc->version.alpha2); ++ nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MAJOR, nc->version.major); ++ nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MINOR, nc->version.minor); + nla_put_string(skb, NCSI_CHANNEL_ATTR_VERSION_STR, nc->version.fw_name); + + vid_nest = nla_nest_start(skb, NCSI_CHANNEL_ATTR_VLAN_LIST); +diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h +index 91b4b66438df..0bf62b4883d4 100644 +--- a/net/ncsi/ncsi-pkt.h ++++ b/net/ncsi/ncsi-pkt.h +@@ -164,9 +164,12 @@ struct ncsi_rsp_gls_pkt { + /* Get Version ID */ + struct ncsi_rsp_gvi_pkt { + struct ncsi_rsp_pkt_hdr rsp; /* Response header */ +- __be32 ncsi_version; /* NCSI version */ ++ unsigned char major; /* NCSI version major */ ++ unsigned char minor; /* NCSI version minor */ ++ unsigned char update; /* NCSI version update */ ++ unsigned char alpha1; /* NCSI version alpha1 */ + unsigned char reserved[3]; /* Reserved */ +- unsigned char alpha2; /* NCSI version */ ++ unsigned char alpha2; /* NCSI version alpha2 */ + unsigned char fw_name[12]; /* f/w name string */ + __be32 fw_version; /* f/w version */ + __be16 pci_ids[4]; /* PCI IDs */ +diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c +index a43c9a44f870..05dea43bbc66 100644 +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -20,6 +20,19 @@ + #include "internal.h" + #include "ncsi-pkt.h" + ++/* Nibbles within [0xA, 0xF] add zero "0" to the returned value. ++ * Optional fields (encoded as 0xFF) will default to zero. ++ */ ++static u8 decode_bcd_u8(u8 x) ++{ ++ int lo = x & 0xF; ++ int hi = x >> 4; ++ ++ lo = lo < 0xA ? lo : 0; ++ hi = hi < 0xA ? hi : 0; ++ return lo + hi * 10; ++} ++ + static int ncsi_validate_rsp_pkt(struct ncsi_request *nr, + unsigned short payload) + { +@@ -611,9 +624,18 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr) + if (!nc) + return -ENODEV; + +- /* Update to channel's version info */ ++ /* Update channel's version info ++ * ++ * Major, minor, and update fields are supposed to be ++ * unsigned integers encoded as packed BCD. ++ * ++ * Alpha1 and alpha2 are ISO/IEC 8859-1 characters. ++ */ + ncv = &nc->version; +- ncv->version = ntohl(rsp->ncsi_version); ++ ncv->major = decode_bcd_u8(rsp->major); ++ ncv->minor = decode_bcd_u8(rsp->minor); ++ ncv->update = decode_bcd_u8(rsp->update); ++ ncv->alpha1 = rsp->alpha1; + ncv->alpha2 = rsp->alpha2; + memcpy(ncv->fw_name, rsp->fw_name, 12); + ncv->fw_version = ntohl(rsp->fw_version); +-- +2.43.0 + diff --git a/queue-4.19/net-netlabel-fix-kerneldoc-warnings.patch b/queue-4.19/net-netlabel-fix-kerneldoc-warnings.patch new file mode 100644 index 00000000000..653bc181b1c --- /dev/null +++ b/queue-4.19/net-netlabel-fix-kerneldoc-warnings.patch @@ -0,0 +1,36 @@ +From 820b690d06714964fc0ac511486dc8d572028940 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 01:53:50 +0100 +Subject: net: netlabel: Fix kerneldoc warnings + +From: Andrew Lunn + +[ Upstream commit 294ea29113104487a905d0f81c00dfd64121b3d9 ] + +net/netlabel/netlabel_calipso.c:376: warning: Function parameter or member 'ops' not described in 'netlbl_calipso_ops_register' + +Signed-off-by: Andrew Lunn +Acked-by: Paul Moore +Link: https://lore.kernel.org/r/20201028005350.930299-1-andrew@lunn.ch +Signed-off-by: Jakub Kicinski +Stable-dep-of: ec4e9d630a64 ("calipso: fix memory leak in netlbl_calipso_add_pass()") +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_calipso.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netlabel/netlabel_calipso.c b/net/netlabel/netlabel_calipso.c +index 4d748975117d..5ae9b0f18a7e 100644 +--- a/net/netlabel/netlabel_calipso.c ++++ b/net/netlabel/netlabel_calipso.c +@@ -379,6 +379,7 @@ static const struct netlbl_calipso_ops *calipso_ops; + + /** + * netlbl_calipso_ops_register - Register the CALIPSO operations ++ * @ops: ops to register + * + * Description: + * Register the CALIPSO packet engine operations. +-- +2.43.0 + diff --git a/queue-4.19/netlabel-remove-unused-parameter-in-netlbl_netlink_a.patch b/queue-4.19/netlabel-remove-unused-parameter-in-netlbl_netlink_a.patch new file mode 100644 index 00000000000..2f71f908a80 --- /dev/null +++ b/queue-4.19/netlabel-remove-unused-parameter-in-netlbl_netlink_a.patch @@ -0,0 +1,178 @@ +From 9c21d2c749c479c0e8268bbbf85c9af78d714a3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 15:34:38 +0800 +Subject: netlabel: remove unused parameter in netlbl_netlink_auditinfo() + +From: Zheng Yejian + +[ Upstream commit f7e0318a314f9271b0f0cdd4bfdc691976976d8c ] + +loginuid/sessionid/secid have been read from 'current' instead of struct +netlink_skb_parms, the parameter 'skb' seems no longer needed. + +Fixes: c53fa1ed92cd ("netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms") +Signed-off-by: Zheng Yejian +Signed-off-by: David S. Miller +Stable-dep-of: ec4e9d630a64 ("calipso: fix memory leak in netlbl_calipso_add_pass()") +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_calipso.c | 4 ++-- + net/netlabel/netlabel_cipso_v4.c | 4 ++-- + net/netlabel/netlabel_mgmt.c | 8 ++++---- + net/netlabel/netlabel_unlabeled.c | 10 +++++----- + net/netlabel/netlabel_user.h | 4 +--- + 5 files changed, 14 insertions(+), 16 deletions(-) + +diff --git a/net/netlabel/netlabel_calipso.c b/net/netlabel/netlabel_calipso.c +index 5ae9b0f18a7e..5363e07dbf65 100644 +--- a/net/netlabel/netlabel_calipso.c ++++ b/net/netlabel/netlabel_calipso.c +@@ -119,7 +119,7 @@ static int netlbl_calipso_add(struct sk_buff *skb, struct genl_info *info) + !info->attrs[NLBL_CALIPSO_A_MTYPE]) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + switch (nla_get_u32(info->attrs[NLBL_CALIPSO_A_MTYPE])) { + case CALIPSO_MAP_PASS: + ret_val = netlbl_calipso_add_pass(info, &audit_info); +@@ -301,7 +301,7 @@ static int netlbl_calipso_remove(struct sk_buff *skb, struct genl_info *info) + if (!info->attrs[NLBL_CALIPSO_A_DOI]) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + cb_arg.doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]); + cb_arg.audit_info = &audit_info; + ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain, +diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c +index e252f62bb8c2..a0a145db3fc7 100644 +--- a/net/netlabel/netlabel_cipso_v4.c ++++ b/net/netlabel/netlabel_cipso_v4.c +@@ -420,7 +420,7 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info) + !info->attrs[NLBL_CIPSOV4_A_MTYPE]) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + switch (nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE])) { + case CIPSO_V4_MAP_TRANS: + ret_val = netlbl_cipsov4_add_std(info, &audit_info); +@@ -715,7 +715,7 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) + if (!info->attrs[NLBL_CIPSOV4_A_DOI]) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + cb_arg.doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); + cb_arg.audit_info = &audit_info; + ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain, +diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c +index 71ba69cb50c9..43c51242dcd2 100644 +--- a/net/netlabel/netlabel_mgmt.c ++++ b/net/netlabel/netlabel_mgmt.c +@@ -447,7 +447,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info) + (info->attrs[NLBL_MGMT_A_IPV6MASK] != NULL))) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + return netlbl_mgmt_add_common(info, &audit_info); + } +@@ -470,7 +470,7 @@ static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info) + if (!info->attrs[NLBL_MGMT_A_DOMAIN]) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]); + return netlbl_domhsh_remove(domain, AF_UNSPEC, &audit_info); +@@ -570,7 +570,7 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info) + (info->attrs[NLBL_MGMT_A_IPV6MASK] != NULL))) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + return netlbl_mgmt_add_common(info, &audit_info); + } +@@ -589,7 +589,7 @@ static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info) + { + struct netlbl_audit audit_info; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + return netlbl_domhsh_remove_default(AF_UNSPEC, &audit_info); + } +diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c +index 0067f472367b..ff52ff2278ed 100644 +--- a/net/netlabel/netlabel_unlabeled.c ++++ b/net/netlabel/netlabel_unlabeled.c +@@ -827,7 +827,7 @@ static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) + if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { + value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); + if (value == 1 || value == 0) { +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + netlbl_unlabel_acceptflg_set(value, &audit_info); + return 0; + } +@@ -910,7 +910,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb, + !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); + if (ret_val != 0) +@@ -960,7 +960,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb, + !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); + if (ret_val != 0) +@@ -1007,7 +1007,7 @@ static int netlbl_unlabel_staticremove(struct sk_buff *skb, + !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); + if (ret_val != 0) +@@ -1047,7 +1047,7 @@ static int netlbl_unlabel_staticremovedef(struct sk_buff *skb, + !info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) + return -EINVAL; + +- netlbl_netlink_auditinfo(skb, &audit_info); ++ netlbl_netlink_auditinfo(&audit_info); + + ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); + if (ret_val != 0) +diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h +index 4a397cde1a48..2c608677b43b 100644 +--- a/net/netlabel/netlabel_user.h ++++ b/net/netlabel/netlabel_user.h +@@ -42,11 +42,9 @@ + + /** + * netlbl_netlink_auditinfo - Fetch the audit information from a NETLINK msg +- * @skb: the packet + * @audit_info: NetLabel audit information + */ +-static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, +- struct netlbl_audit *audit_info) ++static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) + { + security_task_getsecid(current, &audit_info->secid); + audit_info->loginuid = audit_get_loginuid(current); +-- +2.43.0 + diff --git a/queue-4.19/nfsv4.1-pnfs-ensure-we-handle-the-error-nfs4err_retu.patch b/queue-4.19/nfsv4.1-pnfs-ensure-we-handle-the-error-nfs4err_retu.patch new file mode 100644 index 00000000000..0a112d5c24e --- /dev/null +++ b/queue-4.19/nfsv4.1-pnfs-ensure-we-handle-the-error-nfs4err_retu.patch @@ -0,0 +1,53 @@ +From 8e84a325cb4bd996f792c87fd465e29d0913f689 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Nov 2023 13:55:29 -0500 +Subject: NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT + +From: Trond Myklebust + +[ Upstream commit 037e56a22ff37f9a9c2330b66cff55d3d1ff9b90 ] + +Once the client has processed the CB_LAYOUTRECALL, but has not yet +successfully returned the layout, the server is supposed to switch to +returning NFS4ERR_RETURNCONFLICT. This patch ensures that we handle +that return value correctly. + +Fixes: 183d9e7b112a ("pnfs: rework LAYOUTGET retry handling") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index c44efead1a32..c9db9a0fc733 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -163,6 +163,7 @@ static int nfs4_map_errors(int err) + case -NFS4ERR_RESOURCE: + case -NFS4ERR_LAYOUTTRYLATER: + case -NFS4ERR_RECALLCONFLICT: ++ case -NFS4ERR_RETURNCONFLICT: + return -EREMOTEIO; + case -NFS4ERR_WRONGSEC: + case -NFS4ERR_WRONG_CRED: +@@ -509,6 +510,7 @@ static int nfs4_do_handle_exception(struct nfs_server *server, + case -NFS4ERR_GRACE: + case -NFS4ERR_LAYOUTTRYLATER: + case -NFS4ERR_RECALLCONFLICT: ++ case -NFS4ERR_RETURNCONFLICT: + exception->delay = 1; + return 0; + +@@ -8876,6 +8878,7 @@ nfs4_layoutget_handle_exception(struct rpc_task *task, + status = -EBUSY; + break; + case -NFS4ERR_RECALLCONFLICT: ++ case -NFS4ERR_RETURNCONFLICT: + status = -ERECALLCONFLICT; + break; + case -NFS4ERR_DELEG_REVOKED: +-- +2.43.0 + diff --git a/queue-4.19/of-fix-double-free-in-of_parse_phandle_with_args_map.patch b/queue-4.19/of-fix-double-free-in-of_parse_phandle_with_args_map.patch new file mode 100644 index 00000000000..1625b34115f --- /dev/null +++ b/queue-4.19/of-fix-double-free-in-of_parse_phandle_with_args_map.patch @@ -0,0 +1,231 @@ +From fbbdc48945af6a68e1fc70ab099f1fd25c7ed111 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Dec 2023 11:54:11 +0100 +Subject: of: Fix double free in of_parse_phandle_with_args_map + +From: Christian A. Ehrhardt + +[ Upstream commit 4dde83569832f9377362e50f7748463340c5db6b ] + +In of_parse_phandle_with_args_map() the inner loop that +iterates through the map entries calls of_node_put(new) +to free the reference acquired by the previous iteration +of the inner loop. This assumes that the value of "new" is +NULL on the first iteration of the inner loop. + +Make sure that this is true in all iterations of the outer +loop by setting "new" to NULL after its value is assigned to "cur". + +Extend the unittest to detect the double free and add an additional +test case that actually triggers this path. + +Fixes: bd6f2fd5a1 ("of: Support parsing phandle argument lists through a nexus node") +Cc: Stephen Boyd +Signed-off-by: "Christian A. Ehrhardt" +Link: https://lore.kernel.org/r/20231229105411.1603434-1-lk@c--e.de +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/base.c | 1 + + drivers/of/unittest-data/tests-phandle.dtsi | 10 ++- + drivers/of/unittest.c | 74 ++++++++++++--------- + 3 files changed, 53 insertions(+), 32 deletions(-) + +diff --git a/drivers/of/base.c b/drivers/of/base.c +index f0dbb7ad88cf..3925da5690d3 100644 +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -1634,6 +1634,7 @@ int of_parse_phandle_with_args_map(const struct device_node *np, + out_args->np = new; + of_node_put(cur); + cur = new; ++ new = NULL; + } + put: + of_node_put(cur); +diff --git a/drivers/of/unittest-data/tests-phandle.dtsi b/drivers/of/unittest-data/tests-phandle.dtsi +index 6b33be4c4416..aa0d7027ffa6 100644 +--- a/drivers/of/unittest-data/tests-phandle.dtsi ++++ b/drivers/of/unittest-data/tests-phandle.dtsi +@@ -38,6 +38,13 @@ provider4: provider4 { + phandle-map-pass-thru = <0x0 0xf0>; + }; + ++ provider5: provider5 { ++ #phandle-cells = <2>; ++ phandle-map = <2 7 &provider4 2 3>; ++ phandle-map-mask = <0xff 0xf>; ++ phandle-map-pass-thru = <0x0 0xf0>; ++ }; ++ + consumer-a { + phandle-list = <&provider1 1>, + <&provider2 2 0>, +@@ -64,7 +71,8 @@ consumer-b { + <&provider4 4 0x100>, + <&provider4 0 0x61>, + <&provider0>, +- <&provider4 19 0x20>; ++ <&provider4 19 0x20>, ++ <&provider5 2 7>; + phandle-list-bad-phandle = <12345678 0 0>; + phandle-list-bad-args = <&provider2 1 0>, + <&provider4 0>; +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 2515ce393005..52f2943be5b5 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -426,6 +426,9 @@ static void __init of_unittest_parse_phandle_with_args(void) + + unittest(passed, "index %i - data error on node %pOF rc=%i\n", + i, args.np, rc); ++ ++ if (rc == 0) ++ of_node_put(args.np); + } + + /* Check for missing list property */ +@@ -467,8 +470,9 @@ static void __init of_unittest_parse_phandle_with_args(void) + + static void __init of_unittest_parse_phandle_with_args_map(void) + { +- struct device_node *np, *p0, *p1, *p2, *p3; ++ struct device_node *np, *p[6] = {}; + struct of_phandle_args args; ++ unsigned int prefs[6]; + int i, rc; + + np = of_find_node_by_path("/testcase-data/phandle-tests/consumer-b"); +@@ -477,34 +481,24 @@ static void __init of_unittest_parse_phandle_with_args_map(void) + return; + } + +- p0 = of_find_node_by_path("/testcase-data/phandle-tests/provider0"); +- if (!p0) { +- pr_err("missing testcase data\n"); +- return; +- } +- +- p1 = of_find_node_by_path("/testcase-data/phandle-tests/provider1"); +- if (!p1) { +- pr_err("missing testcase data\n"); +- return; +- } +- +- p2 = of_find_node_by_path("/testcase-data/phandle-tests/provider2"); +- if (!p2) { +- pr_err("missing testcase data\n"); +- return; +- } +- +- p3 = of_find_node_by_path("/testcase-data/phandle-tests/provider3"); +- if (!p3) { +- pr_err("missing testcase data\n"); +- return; ++ p[0] = of_find_node_by_path("/testcase-data/phandle-tests/provider0"); ++ p[1] = of_find_node_by_path("/testcase-data/phandle-tests/provider1"); ++ p[2] = of_find_node_by_path("/testcase-data/phandle-tests/provider2"); ++ p[3] = of_find_node_by_path("/testcase-data/phandle-tests/provider3"); ++ p[4] = of_find_node_by_path("/testcase-data/phandle-tests/provider4"); ++ p[5] = of_find_node_by_path("/testcase-data/phandle-tests/provider5"); ++ for (i = 0; i < ARRAY_SIZE(p); ++i) { ++ if (!p[i]) { ++ pr_err("missing testcase data\n"); ++ return; ++ } ++ prefs[i] = kref_read(&p[i]->kobj.kref); + } + + rc = of_count_phandle_with_args(np, "phandle-list", "#phandle-cells"); +- unittest(rc == 7, "of_count_phandle_with_args() returned %i, expected 7\n", rc); ++ unittest(rc == 8, "of_count_phandle_with_args() returned %i, expected 7\n", rc); + +- for (i = 0; i < 8; i++) { ++ for (i = 0; i < 9; i++) { + bool passed = true; + + memset(&args, 0, sizeof(args)); +@@ -515,13 +509,13 @@ static void __init of_unittest_parse_phandle_with_args_map(void) + switch (i) { + case 0: + passed &= !rc; +- passed &= (args.np == p1); ++ passed &= (args.np == p[1]); + passed &= (args.args_count == 1); + passed &= (args.args[0] == 1); + break; + case 1: + passed &= !rc; +- passed &= (args.np == p3); ++ passed &= (args.np == p[3]); + passed &= (args.args_count == 3); + passed &= (args.args[0] == 2); + passed &= (args.args[1] == 5); +@@ -532,28 +526,36 @@ static void __init of_unittest_parse_phandle_with_args_map(void) + break; + case 3: + passed &= !rc; +- passed &= (args.np == p0); ++ passed &= (args.np == p[0]); + passed &= (args.args_count == 0); + break; + case 4: + passed &= !rc; +- passed &= (args.np == p1); ++ passed &= (args.np == p[1]); + passed &= (args.args_count == 1); + passed &= (args.args[0] == 3); + break; + case 5: + passed &= !rc; +- passed &= (args.np == p0); ++ passed &= (args.np == p[0]); + passed &= (args.args_count == 0); + break; + case 6: + passed &= !rc; +- passed &= (args.np == p2); ++ passed &= (args.np == p[2]); + passed &= (args.args_count == 2); + passed &= (args.args[0] == 15); + passed &= (args.args[1] == 0x20); + break; + case 7: ++ passed &= !rc; ++ passed &= (args.np == p[3]); ++ passed &= (args.args_count == 3); ++ passed &= (args.args[0] == 2); ++ passed &= (args.args[1] == 5); ++ passed &= (args.args[2] == 3); ++ break; ++ case 8: + passed &= (rc == -ENOENT); + break; + default: +@@ -562,6 +564,9 @@ static void __init of_unittest_parse_phandle_with_args_map(void) + + unittest(passed, "index %i - data error on node %s rc=%i\n", + i, args.np->full_name, rc); ++ ++ if (rc == 0) ++ of_node_put(args.np); + } + + /* Check for missing list property */ +@@ -587,6 +592,13 @@ static void __init of_unittest_parse_phandle_with_args_map(void) + rc = of_parse_phandle_with_args_map(np, "phandle-list-bad-args", + "phandle", 1, &args); + unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc); ++ ++ for (i = 0; i < ARRAY_SIZE(p); ++i) { ++ unittest(prefs[i] == kref_read(&p[i]->kobj.kref), ++ "provider%d: expected:%d got:%d\n", ++ i, prefs[i], kref_read(&p[i]->kobj.kref)); ++ of_node_put(p[i]); ++ } + } + + static void __init of_unittest_property_string(void) +-- +2.43.0 + diff --git a/queue-4.19/of-unittest-fix-of_count_phandle_with_args-expected-.patch b/queue-4.19/of-unittest-fix-of_count_phandle_with_args-expected-.patch new file mode 100644 index 00000000000..73470b47894 --- /dev/null +++ b/queue-4.19/of-unittest-fix-of_count_phandle_with_args-expected-.patch @@ -0,0 +1,38 @@ +From 46b045b80ca3811fc7f82c2d4f8e4c8aee425faf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jan 2024 09:50:25 +0100 +Subject: of: unittest: Fix of_count_phandle_with_args() expected value message + +From: Geert Uytterhoeven + +[ Upstream commit 716089b417cf98d01f0dc1b39f9c47e1d7b4c965 ] + +The expected result value for the call to of_count_phandle_with_args() +was updated from 7 to 8, but the accompanying error message was +forgotten. + +Fixes: 4dde83569832f937 ("of: Fix double free in of_parse_phandle_with_args_map") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20240111085025.2073894-1-geert+renesas@glider.be +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 52f2943be5b5..8abd541b811d 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -496,7 +496,7 @@ static void __init of_unittest_parse_phandle_with_args_map(void) + } + + rc = of_count_phandle_with_args(np, "phandle-list", "#phandle-cells"); +- unittest(rc == 8, "of_count_phandle_with_args() returned %i, expected 7\n", rc); ++ unittest(rc == 8, "of_count_phandle_with_args() returned %i, expected 8\n", rc); + + for (i = 0; i < 9; i++) { + bool passed = true; +-- +2.43.0 + diff --git a/queue-4.19/powerpc-44x-select-i2c-for-currituck.patch b/queue-4.19/powerpc-44x-select-i2c-for-currituck.patch new file mode 100644 index 00000000000..e11d7732949 --- /dev/null +++ b/queue-4.19/powerpc-44x-select-i2c-for-currituck.patch @@ -0,0 +1,43 @@ +From ed81f54a95f628a834c7db6bd790dec5b14f5eb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 21:51:59 -0800 +Subject: powerpc/44x: select I2C for CURRITUCK + +From: Randy Dunlap + +[ Upstream commit 4a74197b65e69c46fe6e53f7df2f4d6ce9ffe012 ] + +Fix build errors when CURRITUCK=y and I2C is not builtin (=m or is +not set). Fixes these build errors: + +powerpc-linux-ld: arch/powerpc/platforms/44x/ppc476.o: in function `avr_halt_system': +ppc476.c:(.text+0x58): undefined reference to `i2c_smbus_write_byte_data' +powerpc-linux-ld: arch/powerpc/platforms/44x/ppc476.o: in function `ppc47x_device_probe': +ppc476.c:(.init.text+0x18): undefined reference to `i2c_register_driver' + +Fixes: 2a2c74b2efcb ("IBM Akebono: Add the Akebono platform") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Closes: lore.kernel.org/r/202312010820.cmdwF5X9-lkp@intel.com +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231201055159.8371-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/44x/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/44x/Kconfig b/arch/powerpc/platforms/44x/Kconfig +index f024efd5a4c2..559577065af2 100644 +--- a/arch/powerpc/platforms/44x/Kconfig ++++ b/arch/powerpc/platforms/44x/Kconfig +@@ -177,6 +177,7 @@ config ISS4xx + config CURRITUCK + bool "IBM Currituck (476fpe) Support" + depends on PPC_47x ++ select I2C + select SWIOTLB + select 476FPE + select PPC4xx_PCI_EXPRESS +-- +2.43.0 + diff --git a/queue-4.19/powerpc-add-crtsavres.o-to-always-y-instead-of-extra.patch b/queue-4.19/powerpc-add-crtsavres.o-to-always-y-instead-of-extra.patch new file mode 100644 index 00000000000..302f86c28eb --- /dev/null +++ b/queue-4.19/powerpc-add-crtsavres.o-to-always-y-instead-of-extra.patch @@ -0,0 +1,50 @@ +From 1723d1a66f76d473ca78309274bd42762ad39293 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 08:23:32 +0900 +Subject: powerpc: add crtsavres.o to always-y instead of extra-y + +From: Masahiro Yamada + +[ Upstream commit 1b1e38002648819c04773647d5242990e2824264 ] + +crtsavres.o is linked to modules. However, as explained in commit +d0e628cd817f ("kbuild: doc: clarify the difference between extra-y +and always-y"), 'make modules' does not build extra-y. + +For example, the following command fails: + + $ make ARCH=powerpc LLVM=1 KBUILD_MODPOST_WARN=1 mrproper ps3_defconfig modules + [snip] + LD [M] arch/powerpc/platforms/cell/spufs/spufs.ko + ld.lld: error: cannot open arch/powerpc/lib/crtsavres.o: No such file or directory + make[3]: *** [scripts/Makefile.modfinal:56: arch/powerpc/platforms/cell/spufs/spufs.ko] Error 1 + make[2]: *** [Makefile:1844: modules] Error 2 + make[1]: *** [/home/masahiro/workspace/linux-kbuild/Makefile:350: __build_one_by_one] Error 2 + make: *** [Makefile:234: __sub-make] Error 2 + +Signed-off-by: Masahiro Yamada +Fixes: baa25b571a16 ("powerpc/64: Do not link crtsavres.o in vmlinux") +Reviewed-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231120232332.4100288-1-masahiroy@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/lib/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/lib/Makefile b/arch/powerpc/lib/Makefile +index 36f913084429..6f1e57182876 100644 +--- a/arch/powerpc/lib/Makefile ++++ b/arch/powerpc/lib/Makefile +@@ -22,7 +22,7 @@ obj-$(CONFIG_PPC32) += div64.o copy_32.o crtsavres.o strlen_32.o + # so it is only needed for modules, and only for older linkers which + # do not support --save-restore-funcs + ifeq ($(call ld-ifversion, -lt, 225000000, y),y) +-extra-$(CONFIG_PPC64) += crtsavres.o ++always-$(CONFIG_PPC64) += crtsavres.o + endif + + obj-$(CONFIG_PPC_BOOK3S_64) += copyuser_power7.o copypage_power7.o \ +-- +2.43.0 + diff --git a/queue-4.19/powerpc-imc-pmu-add-a-null-pointer-check-in-update_e.patch b/queue-4.19/powerpc-imc-pmu-add-a-null-pointer-check-in-update_e.patch new file mode 100644 index 00000000000..7fe1c134f94 --- /dev/null +++ b/queue-4.19/powerpc-imc-pmu-add-a-null-pointer-check-in-update_e.patch @@ -0,0 +1,55 @@ +From ecf40b206cc4be0fecb4b94b5cf87463e091cf76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Nov 2023 17:37:19 +0800 +Subject: powerpc/imc-pmu: Add a null pointer check in update_events_in_group() + +From: Kunwu Chan + +[ Upstream commit 0a233867a39078ebb0f575e2948593bbff5826b3 ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. + +Fixes: 885dcd709ba9 ("powerpc/perf: Add nest IMC PMU support") +Signed-off-by: Kunwu Chan +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231126093719.1440305-1-chentao@kylinos.cn +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/imc-pmu.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/powerpc/perf/imc-pmu.c b/arch/powerpc/perf/imc-pmu.c +index 555322677074..65ee4fe863b2 100644 +--- a/arch/powerpc/perf/imc-pmu.c ++++ b/arch/powerpc/perf/imc-pmu.c +@@ -261,6 +261,8 @@ static int update_events_in_group(struct device_node *node, struct imc_pmu *pmu) + attr_group->attrs = attrs; + do { + ev_val_str = kasprintf(GFP_KERNEL, "event=0x%x", pmu->events[i].value); ++ if (!ev_val_str) ++ continue; + dev_str = device_str_attr_create(pmu->events[i].name, ev_val_str); + if (!dev_str) + continue; +@@ -268,6 +270,8 @@ static int update_events_in_group(struct device_node *node, struct imc_pmu *pmu) + attrs[j++] = dev_str; + if (pmu->events[i].scale) { + ev_scale_str = kasprintf(GFP_KERNEL, "%s.scale", pmu->events[i].name); ++ if (!ev_scale_str) ++ continue; + dev_str = device_str_attr_create(ev_scale_str, pmu->events[i].scale); + if (!dev_str) + continue; +@@ -277,6 +281,8 @@ static int update_events_in_group(struct device_node *node, struct imc_pmu *pmu) + + if (pmu->events[i].unit) { + ev_unit_str = kasprintf(GFP_KERNEL, "%s.unit", pmu->events[i].name); ++ if (!ev_unit_str) ++ continue; + dev_str = device_str_attr_create(ev_unit_str, pmu->events[i].unit); + if (!dev_str) + continue; +-- +2.43.0 + diff --git a/queue-4.19/powerpc-powernv-add-a-null-pointer-check-in-opal_eve.patch b/queue-4.19/powerpc-powernv-add-a-null-pointer-check-in-opal_eve.patch new file mode 100644 index 00000000000..e155c6dc0d9 --- /dev/null +++ b/queue-4.19/powerpc-powernv-add-a-null-pointer-check-in-opal_eve.patch @@ -0,0 +1,37 @@ +From 160dd27ccb11445c290901e042aa7207a0ee6810 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 11:07:55 +0800 +Subject: powerpc/powernv: Add a null pointer check in opal_event_init() + +From: Kunwu Chan + +[ Upstream commit 8649829a1dd25199bbf557b2621cedb4bf9b3050 ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. + +Fixes: 2717a33d6074 ("powerpc/opal-irqchip: Use interrupt names if present") +Signed-off-by: Kunwu Chan +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231127030755.1546750-1-chentao@kylinos.cn +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-irqchip.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/platforms/powernv/opal-irqchip.c b/arch/powerpc/platforms/powernv/opal-irqchip.c +index bc97770a67db..e71f2111c8c0 100644 +--- a/arch/powerpc/platforms/powernv/opal-irqchip.c ++++ b/arch/powerpc/platforms/powernv/opal-irqchip.c +@@ -282,6 +282,8 @@ int __init opal_event_init(void) + else + name = kasprintf(GFP_KERNEL, "opal"); + ++ if (!name) ++ continue; + /* Install interrupt handler */ + rc = request_irq(r->start, opal_interrupt, r->flags & IRQD_TRIGGER_MASK, + name, NULL); +-- +2.43.0 + diff --git a/queue-4.19/powerpc-pseries-memhotplug-quieten-some-dlpar-operat.patch b/queue-4.19/powerpc-pseries-memhotplug-quieten-some-dlpar-operat.patch new file mode 100644 index 00000000000..a69b374e4d0 --- /dev/null +++ b/queue-4.19/powerpc-pseries-memhotplug-quieten-some-dlpar-operat.patch @@ -0,0 +1,95 @@ +From dcc278627b2cba030ed8abbf446601ae332c5418 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Dec 2020 15:59:54 +0100 +Subject: powerpc/pseries/memhotplug: Quieten some DLPAR operations + +From: Laurent Dufour + +[ Upstream commit 20e9de85edae3a5866f29b6cce87c9ec66d62a1b ] + +When attempting to remove by index a set of LMBs a lot of messages are +displayed on the console, even when everything goes fine: + + pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 8000002d + Offlined Pages 4096 + pseries-hotplug-mem: Memory at 2d0000000 was hot-removed + +The 2 messages prefixed by "pseries-hotplug-mem" are not really +helpful for the end user, they should be debug outputs. + +In case of error, because some of the LMB's pages couldn't be +offlined, the following is displayed on the console: + + pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 8000003e + pseries-hotplug-mem: Failed to hot-remove memory at 3e0000000 + dlpar: Could not handle DLPAR request "memory remove index 0x8000003e" + +Again, the 2 messages prefixed by "pseries-hotplug-mem" are useless, +and the generic DLPAR prefixed message should be enough. + +These 2 first changes are mainly triggered by the changes introduced +in drmgr: + https://groups.google.com/g/powerpc-utils-devel/c/Y6ef4NB3EzM/m/9cu5JHRxAQAJ + +Also, when adding a bunch of LMBs, a message is displayed in the console per LMB +like these ones: + pseries-hotplug-mem: Memory at 7e0000000 (drc index 8000007e) was hot-added + pseries-hotplug-mem: Memory at 7f0000000 (drc index 8000007f) was hot-added + pseries-hotplug-mem: Memory at 800000000 (drc index 80000080) was hot-added + pseries-hotplug-mem: Memory at 810000000 (drc index 80000081) was hot-added + +When adding 1TB of memory and LMB size is 256MB, this leads to 4096 +messages to be displayed on the console. These messages are not really +helpful for the end user, so moving them to the DEBUG level. + +Signed-off-by: Laurent Dufour +[mpe: Tweak change log wording] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201211145954.90143-1-ldufour@linux.ibm.com +Stable-dep-of: bd68ffce69f6 ("powerpc/pseries/memhp: Fix access beyond end of drmem array") +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/hotplug-memory.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c +index afabe6918619..93675a0b853b 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -487,7 +487,7 @@ static int dlpar_memory_remove_by_index(u32 drc_index) + int lmb_found; + int rc; + +- pr_info("Attempting to hot-remove LMB, drc index %x\n", drc_index); ++ pr_debug("Attempting to hot-remove LMB, drc index %x\n", drc_index); + + lmb_found = 0; + for_each_drmem_lmb(lmb) { +@@ -505,10 +505,10 @@ static int dlpar_memory_remove_by_index(u32 drc_index) + rc = -EINVAL; + + if (rc) +- pr_info("Failed to hot-remove memory at %llx\n", +- lmb->base_addr); ++ pr_debug("Failed to hot-remove memory at %llx\n", ++ lmb->base_addr); + else +- pr_info("Memory at %llx was hot-removed\n", lmb->base_addr); ++ pr_debug("Memory at %llx was hot-removed\n", lmb->base_addr); + + return rc; + } +@@ -761,8 +761,8 @@ static int dlpar_memory_add_by_count(u32 lmbs_to_add) + if (!drmem_lmb_reserved(lmb)) + continue; + +- pr_info("Memory at %llx (drc index %x) was hot-added\n", +- lmb->base_addr, lmb->drc_index); ++ pr_debug("Memory at %llx (drc index %x) was hot-added\n", ++ lmb->base_addr, lmb->drc_index); + drmem_remove_lmb_reservation(lmb); + } + rc = 0; +-- +2.43.0 + diff --git a/queue-4.19/powerpc-pseries-memhp-fix-access-beyond-end-of-drmem.patch b/queue-4.19/powerpc-pseries-memhp-fix-access-beyond-end-of-drmem.patch new file mode 100644 index 00000000000..3dbb15ed62e --- /dev/null +++ b/queue-4.19/powerpc-pseries-memhp-fix-access-beyond-end-of-drmem.patch @@ -0,0 +1,101 @@ +From a0464a0d9ec06ce88524fb11bfb1fb2f6e1e5a91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Nov 2023 11:01:53 -0600 +Subject: powerpc/pseries/memhp: Fix access beyond end of drmem array + +From: Nathan Lynch + +[ Upstream commit bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5 ] + +dlpar_memory_remove_by_index() may access beyond the bounds of the +drmem lmb array when the LMB lookup fails to match an entry with the +given DRC index. When the search fails, the cursor is left pointing to +&drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the +last valid entry in the array. The debug message at the end of the +function then dereferences this pointer: + + pr_debug("Failed to hot-remove memory at %llx\n", + lmb->base_addr); + +This was found by inspection and confirmed with KASAN: + + pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234 + ================================================================== + BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658 + Read of size 8 at addr c000000364e97fd0 by task bash/949 + + dump_stack_lvl+0xa4/0xfc (unreliable) + print_report+0x214/0x63c + kasan_report+0x140/0x2e0 + __asan_load8+0xa8/0xe0 + dlpar_memory+0x298/0x1658 + handle_dlpar_errorlog+0x130/0x1d0 + dlpar_store+0x18c/0x3e0 + kobj_attr_store+0x68/0xa0 + sysfs_kf_write+0xc4/0x110 + kernfs_fop_write_iter+0x26c/0x390 + vfs_write+0x2d4/0x4e0 + ksys_write+0xac/0x1a0 + system_call_exception+0x268/0x530 + system_call_vectored_common+0x15c/0x2ec + + Allocated by task 1: + kasan_save_stack+0x48/0x80 + kasan_set_track+0x34/0x50 + kasan_save_alloc_info+0x34/0x50 + __kasan_kmalloc+0xd0/0x120 + __kmalloc+0x8c/0x320 + kmalloc_array.constprop.0+0x48/0x5c + drmem_init+0x2a0/0x41c + do_one_initcall+0xe0/0x5c0 + kernel_init_freeable+0x4ec/0x5a0 + kernel_init+0x30/0x1e0 + ret_from_kernel_user_thread+0x14/0x1c + + The buggy address belongs to the object at c000000364e80000 + which belongs to the cache kmalloc-128k of size 131072 + The buggy address is located 0 bytes to the right of + allocated 98256-byte region [c000000364e80000, c000000364e97fd0) + + ================================================================== + pseries-hotplug-mem: Failed to hot-remove memory at 0 + +Log failed lookups with a separate message and dereference the +cursor only when it points to a valid entry. + +Signed-off-by: Nathan Lynch +Fixes: 51925fb3c5c9 ("powerpc/pseries: Implement memory hotplug remove in the kernel") +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231114-pseries-memhp-fixes-v1-1-fb8f2bb7c557@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/hotplug-memory.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c +index 93675a0b853b..2a26decef8b0 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -501,14 +501,15 @@ static int dlpar_memory_remove_by_index(u32 drc_index) + } + } + +- if (!lmb_found) ++ if (!lmb_found) { ++ pr_debug("Failed to look up LMB for drc index %x\n", drc_index); + rc = -EINVAL; +- +- if (rc) ++ } else if (rc) { + pr_debug("Failed to hot-remove memory at %llx\n", + lmb->base_addr); +- else ++ } else { + pr_debug("Memory at %llx was hot-removed\n", lmb->base_addr); ++ } + + return rc; + } +-- +2.43.0 + diff --git a/queue-4.19/powerpc-remove-redundant-default-n-from-kconfig-s.patch b/queue-4.19/powerpc-remove-redundant-default-n-from-kconfig-s.patch new file mode 100644 index 00000000000..73052eb9f74 --- /dev/null +++ b/queue-4.19/powerpc-remove-redundant-default-n-from-kconfig-s.patch @@ -0,0 +1,808 @@ +From efc2b6aba1a6d57cf31d30cca85197bf6faaa943 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Oct 2018 17:39:46 +0200 +Subject: powerpc: remove redundant 'default n' from Kconfig-s + +From: Bartlomiej Zolnierkiewicz + +[ Upstream commit 719736e1cc12b2fc28eba2122893a449eee66d08 ] + +'default n' is the default value for any bool or tristate Kconfig +setting so there is no need to write it explicitly. + +Also since commit f467c5640c29 ("kconfig: only write '# CONFIG_FOO +is not set' for visible symbols") the Kconfig behavior is the same +regardless of 'default n' being present or not: + + ... + One side effect of (and the main motivation for) this change is making + the following two definitions behave exactly the same: + + config FOO + bool + + config FOO + bool + default n + + With this change, neither of these will generate a + '# CONFIG_FOO is not set' line (assuming FOO isn't selected/implied). + That might make it clearer to people that a bare 'default n' is + redundant. + ... + +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Michael Ellerman +Stable-dep-of: 4a74197b65e6 ("powerpc/44x: select I2C for CURRITUCK") +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig | 14 -------------- + arch/powerpc/Kconfig.debug | 6 ------ + arch/powerpc/platforms/40x/Kconfig | 9 --------- + arch/powerpc/platforms/44x/Kconfig | 22 ---------------------- + arch/powerpc/platforms/82xx/Kconfig | 1 - + arch/powerpc/platforms/Kconfig | 21 --------------------- + arch/powerpc/platforms/Kconfig.cputype | 4 ---- + arch/powerpc/platforms/cell/Kconfig | 3 --- + arch/powerpc/platforms/maple/Kconfig | 1 - + arch/powerpc/platforms/pasemi/Kconfig | 1 - + arch/powerpc/platforms/powernv/Kconfig | 1 - + arch/powerpc/platforms/ps3/Kconfig | 2 -- + arch/powerpc/platforms/pseries/Kconfig | 2 -- + arch/powerpc/sysdev/Kconfig | 5 ----- + arch/powerpc/sysdev/xive/Kconfig | 3 --- + 15 files changed, 95 deletions(-) + +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index 3be56d857d57..f6279728a416 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -288,12 +288,10 @@ config ARCH_MAY_HAVE_PC_FDC + + config PPC_UDBG_16550 + bool +- default n + + config GENERIC_TBSYNC + bool + default y if PPC32 && SMP +- default n + + config AUDIT_ARCH + bool +@@ -312,13 +310,11 @@ config EPAPR_BOOT + bool + help + Used to allow a board to specify it wants an ePAPR compliant wrapper. +- default n + + config DEFAULT_UIMAGE + bool + help + Used to allow a board to specify it wants a uImage built by default +- default n + + config ARCH_HIBERNATION_POSSIBLE + bool +@@ -332,11 +328,9 @@ config ARCH_SUSPEND_POSSIBLE + + config PPC_DCR_NATIVE + bool +- default n + + config PPC_DCR_MMIO + bool +- default n + + config PPC_DCR + bool +@@ -347,7 +341,6 @@ config PPC_OF_PLATFORM_PCI + bool + depends on PCI + depends on PPC64 # not supported on 32 bits yet +- default n + + config ARCH_SUPPORTS_DEBUG_PAGEALLOC + depends on PPC32 || PPC_BOOK3S_64 +@@ -450,14 +443,12 @@ config PPC_TRANSACTIONAL_MEM + depends on SMP + select ALTIVEC + select VSX +- default n + ---help--- + Support user-mode Transactional Memory on POWERPC. + + config LD_HEAD_STUB_CATCH + bool "Reserve 256 bytes to cope with linker stubs in HEAD text" if EXPERT + depends on PPC64 +- default n + help + Very large kernels can cause linker branch stubs to be generated by + code in head_64.S, which moves the head text sections out of their +@@ -560,7 +551,6 @@ config RELOCATABLE + config RELOCATABLE_TEST + bool "Test relocatable kernel" + depends on (PPC64 && RELOCATABLE) +- default n + help + This runs the relocatable kernel at the address it was initially + loaded at, which tends to be non-zero and therefore test the +@@ -772,7 +762,6 @@ config PPC_SUBPAGE_PROT + + config PPC_COPRO_BASE + bool +- default n + + config SCHED_SMT + bool "SMT (Hyperthreading) scheduler support" +@@ -895,7 +884,6 @@ config PPC_INDIRECT_PCI + bool + depends on PCI + default y if 40x || 44x +- default n + + config EISA + bool +@@ -992,7 +980,6 @@ source "drivers/pcmcia/Kconfig" + + config HAS_RAPIDIO + bool +- default n + + config RAPIDIO + tristate "RapidIO support" +@@ -1028,7 +1015,6 @@ endmenu + + config NONSTATIC_KERNEL + bool +- default n + + menu "Advanced setup" + depends on PPC32 +diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug +index 1f54bb93b5cc..356a9e6da385 100644 +--- a/arch/powerpc/Kconfig.debug ++++ b/arch/powerpc/Kconfig.debug +@@ -2,7 +2,6 @@ + + config PPC_DISABLE_WERROR + bool "Don't build arch/powerpc code with -Werror" +- default n + help + This option tells the compiler NOT to build the code under + arch/powerpc with the -Werror flag (which means warnings +@@ -56,7 +55,6 @@ config PPC_EMULATED_STATS + config CODE_PATCHING_SELFTEST + bool "Run self-tests of the code-patching code" + depends on DEBUG_KERNEL +- default n + + config JUMP_LABEL_FEATURE_CHECKS + bool "Enable use of jump label for cpu/mmu_has_feature()" +@@ -70,7 +68,6 @@ config JUMP_LABEL_FEATURE_CHECKS + config JUMP_LABEL_FEATURE_CHECK_DEBUG + bool "Do extra check on feature fixup calls" + depends on DEBUG_KERNEL && JUMP_LABEL_FEATURE_CHECKS +- default n + help + This tries to catch incorrect usage of cpu_has_feature() and + mmu_has_feature() in the code. +@@ -80,16 +77,13 @@ config JUMP_LABEL_FEATURE_CHECK_DEBUG + config FTR_FIXUP_SELFTEST + bool "Run self-tests of the feature-fixup code" + depends on DEBUG_KERNEL +- default n + + config MSI_BITMAP_SELFTEST + bool "Run self-tests of the MSI bitmap code" + depends on DEBUG_KERNEL +- default n + + config PPC_IRQ_SOFT_MASK_DEBUG + bool "Include extra checks for powerpc irq soft masking" +- default n + + config XMON + bool "Include xmon kernel debugger" +diff --git a/arch/powerpc/platforms/40x/Kconfig b/arch/powerpc/platforms/40x/Kconfig +index 60254a321a91..2a9d66254ffc 100644 +--- a/arch/powerpc/platforms/40x/Kconfig ++++ b/arch/powerpc/platforms/40x/Kconfig +@@ -2,7 +2,6 @@ + config ACADIA + bool "Acadia" + depends on 40x +- default n + select PPC40x_SIMPLE + select 405EZ + help +@@ -11,7 +10,6 @@ config ACADIA + config EP405 + bool "EP405/EP405PC" + depends on 40x +- default n + select 405GP + select PCI + help +@@ -20,7 +18,6 @@ config EP405 + config HOTFOOT + bool "Hotfoot" + depends on 40x +- default n + select PPC40x_SIMPLE + select PCI + help +@@ -29,7 +26,6 @@ config HOTFOOT + config KILAUEA + bool "Kilauea" + depends on 40x +- default n + select 405EX + select PPC40x_SIMPLE + select PPC4xx_PCI_EXPRESS +@@ -41,7 +37,6 @@ config KILAUEA + config MAKALU + bool "Makalu" + depends on 40x +- default n + select 405EX + select PCI + select PPC4xx_PCI_EXPRESS +@@ -62,7 +57,6 @@ config WALNUT + config XILINX_VIRTEX_GENERIC_BOARD + bool "Generic Xilinx Virtex board" + depends on 40x +- default n + select XILINX_VIRTEX_II_PRO + select XILINX_VIRTEX_4_FX + select XILINX_INTC +@@ -80,7 +74,6 @@ config XILINX_VIRTEX_GENERIC_BOARD + config OBS600 + bool "OpenBlockS 600" + depends on 40x +- default n + select 405EX + select PPC40x_SIMPLE + help +@@ -90,7 +83,6 @@ config OBS600 + config PPC40x_SIMPLE + bool "Simple PowerPC 40x board support" + depends on 40x +- default n + help + This option enables the simple PowerPC 40x platform support. + +@@ -156,7 +148,6 @@ config IBM405_ERR51 + config APM8018X + bool "APM8018X" + depends on 40x +- default n + select PPC40x_SIMPLE + help + This option enables support for the AppliedMicro APM8018X evaluation +diff --git a/arch/powerpc/platforms/44x/Kconfig b/arch/powerpc/platforms/44x/Kconfig +index a6011422b861..f024efd5a4c2 100644 +--- a/arch/powerpc/platforms/44x/Kconfig ++++ b/arch/powerpc/platforms/44x/Kconfig +@@ -2,7 +2,6 @@ + config PPC_47x + bool "Support for 47x variant" + depends on 44x +- default n + select MPIC + help + This option enables support for the 47x family of processors and is +@@ -11,7 +10,6 @@ config PPC_47x + config BAMBOO + bool "Bamboo" + depends on 44x +- default n + select PPC44x_SIMPLE + select 440EP + select PCI +@@ -21,7 +19,6 @@ config BAMBOO + config BLUESTONE + bool "Bluestone" + depends on 44x +- default n + select PPC44x_SIMPLE + select APM821xx + select PCI_MSI +@@ -44,7 +41,6 @@ config EBONY + config SAM440EP + bool "Sam440ep" + depends on 44x +- default n + select 440EP + select PCI + help +@@ -53,7 +49,6 @@ config SAM440EP + config SEQUOIA + bool "Sequoia" + depends on 44x +- default n + select PPC44x_SIMPLE + select 440EPX + help +@@ -62,7 +57,6 @@ config SEQUOIA + config TAISHAN + bool "Taishan" + depends on 44x +- default n + select PPC44x_SIMPLE + select 440GX + select PCI +@@ -73,7 +67,6 @@ config TAISHAN + config KATMAI + bool "Katmai" + depends on 44x +- default n + select PPC44x_SIMPLE + select 440SPe + select PCI +@@ -86,7 +79,6 @@ config KATMAI + config RAINIER + bool "Rainier" + depends on 44x +- default n + select PPC44x_SIMPLE + select 440GRX + select PCI +@@ -96,7 +88,6 @@ config RAINIER + config WARP + bool "PIKA Warp" + depends on 44x +- default n + select 440EP + help + This option enables support for the PIKA Warp(tm) Appliance. The Warp +@@ -109,7 +100,6 @@ config WARP + config ARCHES + bool "Arches" + depends on 44x +- default n + select PPC44x_SIMPLE + select 460EX # Odd since it uses 460GT but the effects are the same + select PCI +@@ -120,7 +110,6 @@ config ARCHES + config CANYONLANDS + bool "Canyonlands" + depends on 44x +- default n + select 460EX + select PCI + select PPC4xx_PCI_EXPRESS +@@ -134,7 +123,6 @@ config CANYONLANDS + config GLACIER + bool "Glacier" + depends on 44x +- default n + select PPC44x_SIMPLE + select 460EX # Odd since it uses 460GT but the effects are the same + select PCI +@@ -147,7 +135,6 @@ config GLACIER + config REDWOOD + bool "Redwood" + depends on 44x +- default n + select PPC44x_SIMPLE + select 460SX + select PCI +@@ -160,7 +147,6 @@ config REDWOOD + config EIGER + bool "Eiger" + depends on 44x +- default n + select PPC44x_SIMPLE + select 460SX + select PCI +@@ -172,7 +158,6 @@ config EIGER + config YOSEMITE + bool "Yosemite" + depends on 44x +- default n + select PPC44x_SIMPLE + select 440EP + select PCI +@@ -182,7 +167,6 @@ config YOSEMITE + config ISS4xx + bool "ISS 4xx Simulator" + depends on (44x || 40x) +- default n + select 405GP if 40x + select 440GP if 44x && !PPC_47x + select PPC_FPU +@@ -193,7 +177,6 @@ config ISS4xx + config CURRITUCK + bool "IBM Currituck (476fpe) Support" + depends on PPC_47x +- default n + select SWIOTLB + select 476FPE + select PPC4xx_PCI_EXPRESS +@@ -203,7 +186,6 @@ config CURRITUCK + config FSP2 + bool "IBM FSP2 (476fpe) Support" + depends on PPC_47x +- default n + select 476FPE + select IBM_EMAC_EMAC4 if IBM_EMAC + select IBM_EMAC_RGMII if IBM_EMAC +@@ -215,7 +197,6 @@ config FSP2 + config AKEBONO + bool "IBM Akebono (476gtr) Support" + depends on PPC_47x +- default n + select SWIOTLB + select 476FPE + select PPC4xx_PCI_EXPRESS +@@ -241,7 +222,6 @@ config AKEBONO + config ICON + bool "Icon" + depends on 44x +- default n + select PPC44x_SIMPLE + select 440SPe + select PCI +@@ -252,7 +232,6 @@ config ICON + config XILINX_VIRTEX440_GENERIC_BOARD + bool "Generic Xilinx Virtex 5 FXT board support" + depends on 44x +- default n + select XILINX_VIRTEX_5_FXT + select XILINX_INTC + help +@@ -280,7 +259,6 @@ config XILINX_ML510 + config PPC44x_SIMPLE + bool "Simple PowerPC 44x board support" + depends on 44x +- default n + help + This option enables the simple PowerPC 44x platform support. + +diff --git a/arch/powerpc/platforms/82xx/Kconfig b/arch/powerpc/platforms/82xx/Kconfig +index 6e04099361b9..1947a88bc69f 100644 +--- a/arch/powerpc/platforms/82xx/Kconfig ++++ b/arch/powerpc/platforms/82xx/Kconfig +@@ -51,7 +51,6 @@ endif + + config PQ2ADS + bool +- default n + + config 8260 + bool +diff --git a/arch/powerpc/platforms/Kconfig b/arch/powerpc/platforms/Kconfig +index 9914544e6677..1002d4752646 100644 +--- a/arch/powerpc/platforms/Kconfig ++++ b/arch/powerpc/platforms/Kconfig +@@ -23,7 +23,6 @@ source "arch/powerpc/platforms/amigaone/Kconfig" + + config KVM_GUEST + bool "KVM Guest support" +- default n + select EPAPR_PARAVIRT + ---help--- + This option enables various optimizations for running under the KVM +@@ -34,7 +33,6 @@ config KVM_GUEST + + config EPAPR_PARAVIRT + bool "ePAPR para-virtualization support" +- default n + help + Enables ePAPR para-virtualization support for guests. + +@@ -74,7 +72,6 @@ config PPC_DT_CPU_FTRS + config UDBG_RTAS_CONSOLE + bool "RTAS based debug console" + depends on PPC_RTAS +- default n + + config PPC_SMP_MUXED_IPI + bool +@@ -86,16 +83,13 @@ config PPC_SMP_MUXED_IPI + + config IPIC + bool +- default n + + config MPIC + bool +- default n + + config MPIC_TIMER + bool "MPIC Global Timer" + depends on MPIC && FSL_SOC +- default n + help + The MPIC global timer is a hardware timer inside the + Freescale PIC complying with OpenPIC standard. When the +@@ -107,7 +101,6 @@ config MPIC_TIMER + config FSL_MPIC_TIMER_WAKEUP + tristate "Freescale MPIC global timer wakeup driver" + depends on FSL_SOC && MPIC_TIMER && PM +- default n + help + The driver provides a way to wake up the system by MPIC + timer. +@@ -115,43 +108,35 @@ config FSL_MPIC_TIMER_WAKEUP + + config PPC_EPAPR_HV_PIC + bool +- default n + select EPAPR_PARAVIRT + + config MPIC_WEIRD + bool +- default n + + config MPIC_MSGR + bool "MPIC message register support" + depends on MPIC +- default n + help + Enables support for the MPIC message registers. These + registers are used for inter-processor communication. + + config PPC_I8259 + bool +- default n + + config U3_DART + bool + depends on PPC64 +- default n + + config PPC_RTAS + bool +- default n + + config RTAS_ERROR_LOGGING + bool + depends on PPC_RTAS +- default n + + config PPC_RTAS_DAEMON + bool + depends on PPC_RTAS +- default n + + config RTAS_PROC + bool "Proc interface to RTAS" +@@ -164,11 +149,9 @@ config RTAS_FLASH + + config MMIO_NVRAM + bool +- default n + + config MPIC_U3_HT_IRQS + bool +- default n + + config MPIC_BROKEN_REGREAD + bool +@@ -187,15 +170,12 @@ config EEH + + config PPC_MPC106 + bool +- default n + + config PPC_970_NAP + bool +- default n + + config PPC_P7_NAP + bool +- default n + + config PPC_INDIRECT_PIO + bool +@@ -289,7 +269,6 @@ config CPM2 + + config FSL_ULI1575 + bool +- default n + select GENERIC_ISA_DMA + help + Supports for the ULI1575 PCIe south bridge that exists on some +diff --git a/arch/powerpc/platforms/Kconfig.cputype b/arch/powerpc/platforms/Kconfig.cputype +index 67ad128a9a3d..287054778b07 100644 +--- a/arch/powerpc/platforms/Kconfig.cputype ++++ b/arch/powerpc/platforms/Kconfig.cputype +@@ -1,7 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + config PPC64 + bool "64-bit kernel" +- default n + select ZLIB_DEFLATE + help + This option selects whether a 32-bit or a 64-bit kernel +@@ -368,7 +367,6 @@ config PPC_MM_SLICES + bool + default y if PPC_BOOK3S_64 + default y if PPC_8xx && HUGETLB_PAGE +- default n + + config PPC_HAVE_PMU_SUPPORT + bool +@@ -382,7 +380,6 @@ config PPC_PERF_CTRS + config FORCE_SMP + # Allow platforms to force SMP=y by selecting this + bool +- default n + select SMP + + config SMP +@@ -423,7 +420,6 @@ config CHECK_CACHE_COHERENCY + + config PPC_DOORBELL + bool +- default n + + endmenu + +diff --git a/arch/powerpc/platforms/cell/Kconfig b/arch/powerpc/platforms/cell/Kconfig +index 741a8fa8a3e6..3ad42075f1f4 100644 +--- a/arch/powerpc/platforms/cell/Kconfig ++++ b/arch/powerpc/platforms/cell/Kconfig +@@ -1,7 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + config PPC_CELL + bool +- default n + + config PPC_CELL_COMMON + bool +@@ -22,7 +21,6 @@ config PPC_CELL_NATIVE + select IBM_EMAC_RGMII if IBM_EMAC + select IBM_EMAC_ZMII if IBM_EMAC #test only + select IBM_EMAC_TAH if IBM_EMAC #test only +- default n + + config PPC_IBM_CELL_BLADE + bool "IBM Cell Blade" +@@ -55,7 +53,6 @@ config SPU_FS + + config SPU_BASE + bool +- default n + select PPC_COPRO_BASE + + config CBE_RAS +diff --git a/arch/powerpc/platforms/maple/Kconfig b/arch/powerpc/platforms/maple/Kconfig +index 376d0be36b66..2601fac50354 100644 +--- a/arch/powerpc/platforms/maple/Kconfig ++++ b/arch/powerpc/platforms/maple/Kconfig +@@ -13,7 +13,6 @@ config PPC_MAPLE + select PPC_RTAS + select MMIO_NVRAM + select ATA_NONSTANDARD if ATA +- default n + help + This option enables support for the Maple 970FX Evaluation Board. + For more information, refer to +diff --git a/arch/powerpc/platforms/pasemi/Kconfig b/arch/powerpc/platforms/pasemi/Kconfig +index d458a791d35b..98e3bc22bebc 100644 +--- a/arch/powerpc/platforms/pasemi/Kconfig ++++ b/arch/powerpc/platforms/pasemi/Kconfig +@@ -2,7 +2,6 @@ + config PPC_PASEMI + depends on PPC64 && PPC_BOOK3S && CPU_BIG_ENDIAN + bool "PA Semi SoC-based platforms" +- default n + select MPIC + select PCI + select PPC_UDBG_16550 +diff --git a/arch/powerpc/platforms/powernv/Kconfig b/arch/powerpc/platforms/powernv/Kconfig +index f8dc98d3dc01..05ee7b65d40f 100644 +--- a/arch/powerpc/platforms/powernv/Kconfig ++++ b/arch/powerpc/platforms/powernv/Kconfig +@@ -35,7 +35,6 @@ config OPAL_PRD + config PPC_MEMTRACE + bool "Enable removal of RAM from kernel mappings for tracing" + depends on PPC_POWERNV && MEMORY_HOTREMOVE +- default n + help + Enabling this option allows for the removal of memory (RAM) + from the kernel mappings to be used for hardware tracing. +diff --git a/arch/powerpc/platforms/ps3/Kconfig b/arch/powerpc/platforms/ps3/Kconfig +index 6f7525555b19..24864b8aaf5d 100644 +--- a/arch/powerpc/platforms/ps3/Kconfig ++++ b/arch/powerpc/platforms/ps3/Kconfig +@@ -49,7 +49,6 @@ config PS3_HTAB_SIZE + config PS3_DYNAMIC_DMA + depends on PPC_PS3 + bool "PS3 Platform dynamic DMA page table management" +- default n + help + This option will enable kernel support to take advantage of the + per device dynamic DMA page table management provided by the Cell +@@ -89,7 +88,6 @@ config PS3_SYS_MANAGER + config PS3_REPOSITORY_WRITE + bool "PS3 Repository write support" if PS3_ADVANCED + depends on PPC_PS3 +- default n + help + Enables support for writing to the PS3 System Repository. + +diff --git a/arch/powerpc/platforms/pseries/Kconfig b/arch/powerpc/platforms/pseries/Kconfig +index 0c698fd6d491..39032d9b316c 100644 +--- a/arch/powerpc/platforms/pseries/Kconfig ++++ b/arch/powerpc/platforms/pseries/Kconfig +@@ -28,7 +28,6 @@ config PPC_PSERIES + config PPC_SPLPAR + depends on PPC_PSERIES + bool "Support for shared-processor logical partitions" +- default n + help + Enabling this option will make the kernel run more efficiently + on logically-partitioned pSeries systems which use shared +@@ -99,7 +98,6 @@ config PPC_SMLPAR + bool "Support for shared-memory logical partitions" + depends on PPC_PSERIES + select LPARCFG +- default n + help + Select this option to enable shared memory partition support. + With this option a system running in an LPAR can be given more +diff --git a/arch/powerpc/sysdev/Kconfig b/arch/powerpc/sysdev/Kconfig +index bcef2ac56479..e0dbec780fe9 100644 +--- a/arch/powerpc/sysdev/Kconfig ++++ b/arch/powerpc/sysdev/Kconfig +@@ -6,19 +6,16 @@ + config PPC4xx_PCI_EXPRESS + bool + depends on PCI && 4xx +- default n + + config PPC4xx_HSTA_MSI + bool + depends on PCI_MSI + depends on PCI && 4xx +- default n + + config PPC4xx_MSI + bool + depends on PCI_MSI + depends on PCI && 4xx +- default n + + config PPC_MSI_BITMAP + bool +@@ -37,11 +34,9 @@ config PPC_SCOM + config SCOM_DEBUGFS + bool "Expose SCOM controllers via debugfs" + depends on PPC_SCOM && DEBUG_FS +- default n + + config GE_FPGA + bool +- default n + + config FSL_CORENET_RCPM + bool +diff --git a/arch/powerpc/sysdev/xive/Kconfig b/arch/powerpc/sysdev/xive/Kconfig +index 70ee976e1de0..785c292d104b 100644 +--- a/arch/powerpc/sysdev/xive/Kconfig ++++ b/arch/powerpc/sysdev/xive/Kconfig +@@ -1,17 +1,14 @@ + # SPDX-License-Identifier: GPL-2.0 + config PPC_XIVE + bool +- default n + select PPC_SMP_MUXED_IPI + select HARDIRQS_SW_RESEND + + config PPC_XIVE_NATIVE + bool +- default n + select PPC_XIVE + depends on PPC_POWERNV + + config PPC_XIVE_SPAPR + bool +- default n + select PPC_XIVE +-- +2.43.0 + diff --git a/queue-4.19/pstore-ram_core-fix-possible-overflow-in-persistent_.patch b/queue-4.19/pstore-ram_core-fix-possible-overflow-in-persistent_.patch new file mode 100644 index 00000000000..e3cacb86e18 --- /dev/null +++ b/queue-4.19/pstore-ram_core-fix-possible-overflow-in-persistent_.patch @@ -0,0 +1,46 @@ +From 5e6e2529fee009d4457ba985af9be66c13d59e4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Nov 2023 23:29:36 +0300 +Subject: pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() + +From: Sergey Shtylyov + +[ Upstream commit 86222a8fc16ec517de8da2604d904c9df3a08e5d ] + +In persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return +64-bit value since persistent_ram_zone::buffer_size has type size_t which +is derived from the 64-bit *unsigned long*, while the ecc_blocks variable +this value gets assigned to has (always 32-bit) *int* type. Even if that +value fits into *int* type, an overflow is still possible when calculating +the size_t typed ecc_total variable further below since there's no cast to +any 64-bit type before multiplication. Declaring the ecc_blocks variable +as *size_t* should fix this mess... + +Found by Linux Verification Center (linuxtesting.org) with the SVACE static +analysis tool. + +Fixes: 9cc05ad97c57 ("staging: android: persistent_ram: refactor ecc support") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20231105202936.25694-1-s.shtylyov@omp.ru +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/pstore/ram_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c +index efb765b8466f..a6e5022469ab 100644 +--- a/fs/pstore/ram_core.c ++++ b/fs/pstore/ram_core.c +@@ -189,7 +189,7 @@ static int persistent_ram_init_ecc(struct persistent_ram_zone *prz, + { + int numerr; + struct persistent_ram_buffer *buffer = prz->buffer; +- int ecc_blocks; ++ size_t ecc_blocks; + size_t ecc_total; + + if (!ecc_info || !ecc_info->ecc_size) +-- +2.43.0 + diff --git a/queue-4.19/rdma-usnic-silence-uninitialized-symbol-smatch-warni.patch b/queue-4.19/rdma-usnic-silence-uninitialized-symbol-smatch-warni.patch new file mode 100644 index 00000000000..caf9266fee1 --- /dev/null +++ b/queue-4.19/rdma-usnic-silence-uninitialized-symbol-smatch-warni.patch @@ -0,0 +1,82 @@ +From 9dc8f01b32dfaef333a53d81fe6b45e7a9ebfd10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Nov 2023 11:28:02 +0200 +Subject: RDMA/usnic: Silence uninitialized symbol smatch warnings + +From: Leon Romanovsky + +[ Upstream commit b9a85e5eec126d6ae6c362f94b447c223e8fe6e4 ] + +The patch 1da177e4c3f4: "Linux-2.6.12-rc2" from Apr 16, 2005 +(linux-next), leads to the following Smatch static checker warning: + + drivers/infiniband/hw/mthca/mthca_cmd.c:644 mthca_SYS_EN() + error: uninitialized symbol 'out'. + +drivers/infiniband/hw/mthca/mthca_cmd.c + 636 int mthca_SYS_EN(struct mthca_dev *dev) + 637 { + 638 u64 out; + 639 int ret; + 640 + 641 ret = mthca_cmd_imm(dev, 0, &out, 0, 0, CMD_SYS_EN, CMD_TIME_CLASS_D); + +We pass out here and it gets used without being initialized. + + err = mthca_cmd_post(dev, in_param, + out_param ? *out_param : 0, + ^^^^^^^^^^ + in_modifier, op_modifier, + op, context->token, 1); + +It's the same in mthca_cmd_wait() and mthca_cmd_poll(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/all/533bc3df-8078-4397-b93d-d1f6cec9b636@moroto.mountain +Link: https://lore.kernel.org/r/c559cb7113158c02d75401ac162652072ef1b5f0.1699867650.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mthca/mthca_cmd.c | 4 ++-- + drivers/infiniband/hw/mthca/mthca_main.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c +index 83aa47eb81a9..71b8a4143a2a 100644 +--- a/drivers/infiniband/hw/mthca/mthca_cmd.c ++++ b/drivers/infiniband/hw/mthca/mthca_cmd.c +@@ -641,7 +641,7 @@ void mthca_free_mailbox(struct mthca_dev *dev, struct mthca_mailbox *mailbox) + + int mthca_SYS_EN(struct mthca_dev *dev) + { +- u64 out; ++ u64 out = 0; + int ret; + + ret = mthca_cmd_imm(dev, 0, &out, 0, 0, CMD_SYS_EN, CMD_TIME_CLASS_D); +@@ -1961,7 +1961,7 @@ int mthca_WRITE_MGM(struct mthca_dev *dev, int index, + int mthca_MGID_HASH(struct mthca_dev *dev, struct mthca_mailbox *mailbox, + u16 *hash) + { +- u64 imm; ++ u64 imm = 0; + int err; + + err = mthca_cmd_imm(dev, mailbox->dma, &imm, 0, 0, CMD_MGID_HASH, +diff --git a/drivers/infiniband/hw/mthca/mthca_main.c b/drivers/infiniband/hw/mthca/mthca_main.c +index af7f2083d4d1..82a04a07b384 100644 +--- a/drivers/infiniband/hw/mthca/mthca_main.c ++++ b/drivers/infiniband/hw/mthca/mthca_main.c +@@ -382,7 +382,7 @@ static int mthca_init_icm(struct mthca_dev *mdev, + struct mthca_init_hca_param *init_hca, + u64 icm_size) + { +- u64 aux_pages; ++ u64 aux_pages = 0; + int err; + + err = mthca_SET_ICM_SIZE(mdev, icm_size, &aux_pages); +-- +2.43.0 + diff --git a/queue-4.19/rtlwifi-rtl8192de-make-arrays-static-const-makes-obj.patch b/queue-4.19/rtlwifi-rtl8192de-make-arrays-static-const-makes-obj.patch new file mode 100644 index 00000000000..5688cdec949 --- /dev/null +++ b/queue-4.19/rtlwifi-rtl8192de-make-arrays-static-const-makes-obj.patch @@ -0,0 +1,119 @@ +From d19ad53b68771d10aca5bcd46cf61f278b14cbc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Aug 2021 15:49:48 +0100 +Subject: rtlwifi: rtl8192de: make arrays static const, makes object smaller + +From: Colin Ian King + +[ Upstream commit b05897ca8c821a16ac03850c4704fe460b3f21a0 ] + +Don't populate arrays the stack but instead make them static const. Replace +array channel_info with channel_all since it contains the same data as +channel_all. Makes object code smaller by 961 bytes. + +Before: + text data bss dec hex filename + 128147 44250 1024 173421 2a56d ../realtek/rtlwifi/rtl8192de/phy.o + +After + text data bss dec hex filename + 127122 44314 1024 172460 2a1ac ../realtek/rtlwifi/rtl8192de/phy.o + +(gcc version 10.2.0) + +Signed-off-by: Colin Ian King +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210803144949.79433-2-colin.king@canonical.com +Stable-dep-of: b8b2baad2e65 ("wifi: rtlwifi: rtl8192de: using calculate_bit_shift()") +Signed-off-by: Sasha Levin +--- + .../wireless/realtek/rtlwifi/rtl8192de/phy.c | 48 ++++++++----------- + 1 file changed, 20 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +index 5ff48b47f6ff..89b473caa5f8 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +@@ -182,6 +182,15 @@ static u32 targetchnl_2g[TARGET_CHNL_NUM_2G] = { + 25711, 25658, 25606, 25554, 25502, 25451, 25328 + }; + ++static const u8 channel_all[59] = { ++ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, ++ 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, ++ 60, 62, 64, 100, 102, 104, 106, 108, 110, 112, ++ 114, 116, 118, 120, 122, 124, 126, 128, 130, ++ 132, 134, 136, 138, 140, 149, 151, 153, 155, ++ 157, 159, 161, 163, 165 ++}; ++ + static u32 _rtl92d_phy_calculate_bit_shift(u32 bitmask) + { + u32 i = ffs(bitmask); +@@ -1378,14 +1387,6 @@ static void _rtl92d_phy_switch_rf_setting(struct ieee80211_hw *hw, u8 channel) + + u8 rtl92d_get_rightchnlplace_for_iqk(u8 chnl) + { +- u8 channel_all[59] = { +- 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, +- 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, +- 60, 62, 64, 100, 102, 104, 106, 108, 110, 112, +- 114, 116, 118, 120, 122, 124, 126, 128, 130, +- 132, 134, 136, 138, 140, 149, 151, 153, 155, +- 157, 159, 161, 163, 165 +- }; + u8 place = chnl; + + if (chnl > 14) { +@@ -3240,37 +3241,28 @@ void rtl92d_phy_config_macphymode_info(struct ieee80211_hw *hw) + u8 rtl92d_get_chnlgroup_fromarray(u8 chnl) + { + u8 group; +- u8 channel_info[59] = { +- 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, +- 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, +- 58, 60, 62, 64, 100, 102, 104, 106, 108, +- 110, 112, 114, 116, 118, 120, 122, 124, +- 126, 128, 130, 132, 134, 136, 138, 140, +- 149, 151, 153, 155, 157, 159, 161, 163, +- 165 +- }; + +- if (channel_info[chnl] <= 3) ++ if (channel_all[chnl] <= 3) + group = 0; +- else if (channel_info[chnl] <= 9) ++ else if (channel_all[chnl] <= 9) + group = 1; +- else if (channel_info[chnl] <= 14) ++ else if (channel_all[chnl] <= 14) + group = 2; +- else if (channel_info[chnl] <= 44) ++ else if (channel_all[chnl] <= 44) + group = 3; +- else if (channel_info[chnl] <= 54) ++ else if (channel_all[chnl] <= 54) + group = 4; +- else if (channel_info[chnl] <= 64) ++ else if (channel_all[chnl] <= 64) + group = 5; +- else if (channel_info[chnl] <= 112) ++ else if (channel_all[chnl] <= 112) + group = 6; +- else if (channel_info[chnl] <= 126) ++ else if (channel_all[chnl] <= 126) + group = 7; +- else if (channel_info[chnl] <= 140) ++ else if (channel_all[chnl] <= 140) + group = 8; +- else if (channel_info[chnl] <= 153) ++ else if (channel_all[chnl] <= 153) + group = 9; +- else if (channel_info[chnl] <= 159) ++ else if (channel_all[chnl] <= 159) + group = 10; + else + group = 11; +-- +2.43.0 + diff --git a/queue-4.19/rtlwifi-use-ffs-in-foo-_phy_calculate_bit_shift.patch b/queue-4.19/rtlwifi-use-ffs-in-foo-_phy_calculate_bit_shift.patch new file mode 100644 index 00000000000..d9c17bd4d2a --- /dev/null +++ b/queue-4.19/rtlwifi-use-ffs-in-foo-_phy_calculate_bit_shift.patch @@ -0,0 +1,203 @@ +From 63580dacb60822a18558335bbe9b0f64aef24eb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 23:37:47 -0700 +Subject: rtlwifi: Use ffs in _phy_calculate_bit_shift + +From: Joe Perches + +[ Upstream commit 6c1d61913570d4255548ac598cfbef6f1e3c3eee ] + +Remove the loop and use the generic ffs instead. + +Signed-off-by: Joe Perches +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/e2ab424d24b74901bc0c39f0c60f75e871adf2ba.camel@perches.com +Stable-dep-of: bc8263083af6 ("wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior") +Signed-off-by: Sasha Levin +--- + .../wireless/realtek/rtlwifi/rtl8188ee/phy.c | 18 ++++++------------ + .../realtek/rtlwifi/rtl8192c/phy_common.c | 8 ++------ + .../wireless/realtek/rtlwifi/rtl8192de/phy.c | 9 ++------- + .../wireless/realtek/rtlwifi/rtl8192ee/phy.c | 8 ++------ + .../wireless/realtek/rtlwifi/rtl8192se/phy.c | 9 ++------- + .../realtek/rtlwifi/rtl8723com/phy_common.c | 8 ++------ + .../wireless/realtek/rtlwifi/rtl8821ae/phy.c | 18 ++++++------------ + 7 files changed, 22 insertions(+), 56 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c +index 14a256062614..5bbb46f37e71 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c +@@ -38,7 +38,12 @@ static u32 _rtl88e_phy_rf_serial_read(struct ieee80211_hw *hw, + static void _rtl88e_phy_rf_serial_write(struct ieee80211_hw *hw, + enum radio_path rfpath, u32 offset, + u32 data); +-static u32 _rtl88e_phy_calculate_bit_shift(u32 bitmask); ++static u32 _rtl88e_phy_calculate_bit_shift(u32 bitmask) ++{ ++ u32 i = ffs(bitmask); ++ ++ return i ? i - 1 : 32; ++} + static bool _rtl88e_phy_bb8188e_config_parafile(struct ieee80211_hw *hw); + static bool _rtl88e_phy_config_mac_with_headerfile(struct ieee80211_hw *hw); + static bool phy_config_bb_with_headerfile(struct ieee80211_hw *hw, +@@ -232,17 +237,6 @@ static void _rtl88e_phy_rf_serial_write(struct ieee80211_hw *hw, + rfpath, pphyreg->rf3wire_offset, data_and_addr); + } + +-static u32 _rtl88e_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i; +- +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } +- return i; +-} +- + bool rtl88e_phy_mac_config(struct ieee80211_hw *hw) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c +index 7c6e5d91439d..7ebd4d60482e 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c +@@ -167,13 +167,9 @@ EXPORT_SYMBOL(_rtl92c_phy_rf_serial_write); + + u32 _rtl92c_phy_calculate_bit_shift(u32 bitmask) + { +- u32 i; ++ u32 i = ffs(bitmask); + +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } +- return i; ++ return i ? i - 1 : 32; + } + EXPORT_SYMBOL(_rtl92c_phy_calculate_bit_shift); + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +index 53734250479c..5ff48b47f6ff 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +@@ -184,14 +184,9 @@ static u32 targetchnl_2g[TARGET_CHNL_NUM_2G] = { + + static u32 _rtl92d_phy_calculate_bit_shift(u32 bitmask) + { +- u32 i; +- +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } ++ u32 i = ffs(bitmask); + +- return i; ++ return i ? i - 1 : 32; + } + + u32 rtl92d_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c +index 8b072ee8e0d5..7aeff442bd06 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c +@@ -228,13 +228,9 @@ static void _rtl92ee_phy_rf_serial_write(struct ieee80211_hw *hw, + + static u32 _rtl92ee_phy_calculate_bit_shift(u32 bitmask) + { +- u32 i; ++ u32 i = ffs(bitmask); + +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } +- return i; ++ return i ? i - 1 : 32; + } + + bool rtl92ee_phy_mac_config(struct ieee80211_hw *hw) +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c +index 86cb853f7169..dfc96126a356 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c +@@ -38,14 +38,9 @@ + + static u32 _rtl92s_phy_calculate_bit_shift(u32 bitmask) + { +- u32 i; +- +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } ++ u32 i = ffs(bitmask); + +- return i; ++ return i ? i - 1 : 32; + } + + u32 rtl92s_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723com/phy_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723com/phy_common.c +index 43d24e1ee5e6..af9cd74e09d4 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723com/phy_common.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723com/phy_common.c +@@ -75,13 +75,9 @@ EXPORT_SYMBOL_GPL(rtl8723_phy_set_bb_reg); + + u32 rtl8723_phy_calculate_bit_shift(u32 bitmask) + { +- u32 i; ++ u32 i = ffs(bitmask); + +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } +- return i; ++ return i ? i - 1 : 32; + } + EXPORT_SYMBOL_GPL(rtl8723_phy_calculate_bit_shift); + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +index 502ac10cf251..9ec62fff6f1a 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +@@ -49,7 +49,12 @@ static u32 _rtl8821ae_phy_rf_serial_read(struct ieee80211_hw *hw, + static void _rtl8821ae_phy_rf_serial_write(struct ieee80211_hw *hw, + enum radio_path rfpath, u32 offset, + u32 data); +-static u32 _rtl8821ae_phy_calculate_bit_shift(u32 bitmask); ++static u32 _rtl8821ae_phy_calculate_bit_shift(u32 bitmask) ++{ ++ u32 i = ffs(bitmask); ++ ++ return i ? i - 1 : 32; ++} + static bool _rtl8821ae_phy_bb8821a_config_parafile(struct ieee80211_hw *hw); + /*static bool _rtl8812ae_phy_config_mac_with_headerfile(struct ieee80211_hw *hw);*/ + static bool _rtl8821ae_phy_config_mac_with_headerfile(struct ieee80211_hw *hw); +@@ -296,17 +301,6 @@ static void _rtl8821ae_phy_rf_serial_write(struct ieee80211_hw *hw, + rfpath, pphyreg->rf3wire_offset, data_and_addr); + } + +-static u32 _rtl8821ae_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i; +- +- for (i = 0; i <= 31; i++) { +- if (((bitmask >> i) & 0x1) == 1) +- break; +- } +- return i; +-} +- + bool rtl8821ae_phy_mac_config(struct ieee80211_hw *hw) + { + bool rtstatus = 0; +-- +2.43.0 + diff --git a/queue-4.19/scsi-hisi_sas-replace-with-standard-error-code-retur.patch b/queue-4.19/scsi-hisi_sas-replace-with-standard-error-code-retur.patch new file mode 100644 index 00000000000..75fbbbd9fd8 --- /dev/null +++ b/queue-4.19/scsi-hisi_sas-replace-with-standard-error-code-retur.patch @@ -0,0 +1,61 @@ +From 202706383eb6753cc4a69a2f22b69d5d5dcb36ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 11:45:13 +0800 +Subject: scsi: hisi_sas: Replace with standard error code return value + +From: Yihang Li + +[ Upstream commit d34ee535705eb43885bc0f561c63046f697355ad ] + +In function hisi_sas_controller_prereset(), -ENOSYS (Function not +implemented) should be returned if the driver does not support .soft_reset. +Returns -EPERM (Operation not permitted) if HISI_SAS_RESETTING_BIT is +already be set. + +In function _suspend_v3_hw(), returns -EPERM (Operation not permitted) if +HISI_SAS_RESETTING_BIT is already be set. + +Fixes: 4522204ab218 ("scsi: hisi_sas: tidy host controller reset function a bit") +Signed-off-by: Yihang Li +Signed-off-by: Xiang Chen +Link: https://lore.kernel.org/r/1702525516-51258-3-git-send-email-chenxiang66@hisilicon.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 4 ++-- + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index de4f41bce8e9..076abeb11ed4 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -1381,10 +1381,10 @@ static int hisi_sas_controller_reset(struct hisi_hba *hisi_hba) + int rc; + + if (!hisi_hba->hw->soft_reset) +- return -1; ++ return -ENOENT; + + if (test_and_set_bit(HISI_SAS_RESET_BIT, &hisi_hba->flags)) +- return -1; ++ return -EPERM; + + dev_info(dev, "controller resetting...\n"); + hisi_sas_controller_reset_prepare(hisi_hba); +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index 16b7ea556118..c5ffaa32bdd9 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -2546,7 +2546,7 @@ static int hisi_sas_v3_suspend(struct pci_dev *pdev, pm_message_t state) + } + + if (test_and_set_bit(HISI_SAS_RESET_BIT, &hisi_hba->flags)) +- return -1; ++ return -EPERM; + + scsi_block_requests(shost); + set_bit(HISI_SAS_REJECT_CMD_BIT, &hisi_hba->flags); +-- +2.43.0 + diff --git a/queue-4.19/selftests-powerpc-fix-error-handling-in-fpu-vmx-pree.patch b/queue-4.19/selftests-powerpc-fix-error-handling-in-fpu-vmx-pree.patch new file mode 100644 index 00000000000..1665e45fb58 --- /dev/null +++ b/queue-4.19/selftests-powerpc-fix-error-handling-in-fpu-vmx-pree.patch @@ -0,0 +1,88 @@ +From 15254ad81d60a3b2b6c24c65af6c8db020c272fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 00:27:44 +1100 +Subject: selftests/powerpc: Fix error handling in FPU/VMX preemption tests + +From: Michael Ellerman + +[ Upstream commit 9dbd5927408c4a0707de73ae9dd9306b184e8fee ] + +The FPU & VMX preemption tests do not check for errors returned by the +low-level asm routines, preempt_fpu() / preempt_vsx() respectively. +That means any register corruption detected by the asm routines does not +result in a test failure. + +Fix it by returning the return value of the asm routines from the +pthread child routines. + +Fixes: e5ab8be68e44 ("selftests/powerpc: Test preservation of FPU and VMX regs across preemption") +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231128132748.1990179-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/math/fpu_preempt.c | 9 +++++---- + tools/testing/selftests/powerpc/math/vmx_preempt.c | 10 ++++++---- + 2 files changed, 11 insertions(+), 8 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/math/fpu_preempt.c b/tools/testing/selftests/powerpc/math/fpu_preempt.c +index 0f85b79d883d..c91f3b36e884 100644 +--- a/tools/testing/selftests/powerpc/math/fpu_preempt.c ++++ b/tools/testing/selftests/powerpc/math/fpu_preempt.c +@@ -41,19 +41,20 @@ __thread double darray[] = {0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.0, + int threads_starting; + int running; + +-extern void preempt_fpu(double *darray, int *threads_starting, int *running); ++extern int preempt_fpu(double *darray, int *threads_starting, int *running); + + void *preempt_fpu_c(void *p) + { ++ long rc; + int i; ++ + srand(pthread_self()); + for (i = 0; i < 21; i++) + darray[i] = rand(); + +- /* Test failed if it ever returns */ +- preempt_fpu(darray, &threads_starting, &running); ++ rc = preempt_fpu(darray, &threads_starting, &running); + +- return p; ++ return (void *)rc; + } + + int test_preempt_fpu(void) +diff --git a/tools/testing/selftests/powerpc/math/vmx_preempt.c b/tools/testing/selftests/powerpc/math/vmx_preempt.c +index 9ef376c55b13..7ba95ceaaa50 100644 +--- a/tools/testing/selftests/powerpc/math/vmx_preempt.c ++++ b/tools/testing/selftests/powerpc/math/vmx_preempt.c +@@ -41,19 +41,21 @@ __thread vector int varray[] = {{1, 2, 3, 4}, {5, 6, 7, 8}, {9, 10,11,12}, + int threads_starting; + int running; + +-extern void preempt_vmx(vector int *varray, int *threads_starting, int *running); ++extern int preempt_vmx(vector int *varray, int *threads_starting, int *running); + + void *preempt_vmx_c(void *p) + { + int i, j; ++ long rc; ++ + srand(pthread_self()); + for (i = 0; i < 12; i++) + for (j = 0; j < 4; j++) + varray[i][j] = rand(); + +- /* Test fails if it ever returns */ +- preempt_vmx(varray, &threads_starting, &running); +- return p; ++ rc = preempt_vmx(varray, &threads_starting, &running); ++ ++ return (void *)rc; + } + + int test_preempt_vmx(void) +-- +2.43.0 + diff --git a/queue-4.19/selinux-fix-error-priority-for-bind-with-af_unspec-o.patch b/queue-4.19/selinux-fix-error-priority-for-bind-with-af_unspec-o.patch new file mode 100644 index 00000000000..98f07a924c2 --- /dev/null +++ b/queue-4.19/selinux-fix-error-priority-for-bind-with-af_unspec-o.patch @@ -0,0 +1,55 @@ +From 996836ec2c46babe621a0f6c1f0d3f9a808f5dc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jan 2024 17:34:15 +0100 +Subject: selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 + socket +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +[ Upstream commit bbf5a1d0e5d0fb3bdf90205aa872636122692a50 ] + +The IPv6 network stack first checks the sockaddr length (-EINVAL error) +before checking the family (-EAFNOSUPPORT error). + +This was discovered thanks to commit a549d055a22e ("selftests/landlock: +Add network tests"). + +Cc: Eric Paris +Cc: Konstantin Meskhidze +Cc: Paul Moore +Cc: Stephen Smalley +Reported-by: Muhammad Usama Anjum +Closes: https://lore.kernel.org/r/0584f91c-537c-4188-9e4f-04f192565667@collabora.com +Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()") +Signed-off-by: Mickaël Salaün +Tested-by: Muhammad Usama Anjum +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/hooks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 41e24df986eb..749dbf9f2cfc 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -4700,6 +4700,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in + return -EINVAL; + addr4 = (struct sockaddr_in *)address; + if (family_sa == AF_UNSPEC) { ++ if (family == PF_INET6) { ++ /* Length check from inet6_bind_sk() */ ++ if (addrlen < SIN6_LEN_RFC2133) ++ return -EINVAL; ++ /* Family check from __inet6_bind() */ ++ goto err_af; ++ } + /* see __inet_bind(), we only want to allow + * AF_UNSPEC if the address is INADDR_ANY + */ +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index c7a725dce85..fba6603d0ef 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -24,3 +24,88 @@ binder-use-epollerr-from-eventpoll.h.patch binder-fix-comment-on-binder_alloc_new_buf-return-value.patch uio-fix-use-after-free-in-uio_open.patch coresight-etm4x-fix-width-of-ccitmin-field.patch +x86-lib-fix-overflow-when-counting-digits.patch +edac-thunderx-fix-possible-out-of-bounds-string-acce.patch +powerpc-add-crtsavres.o-to-always-y-instead-of-extra.patch +powerpc-remove-redundant-default-n-from-kconfig-s.patch +powerpc-44x-select-i2c-for-currituck.patch +powerpc-pseries-memhotplug-quieten-some-dlpar-operat.patch +powerpc-pseries-memhp-fix-access-beyond-end-of-drmem.patch +selftests-powerpc-fix-error-handling-in-fpu-vmx-pree.patch +powerpc-powernv-add-a-null-pointer-check-in-opal_eve.patch +powerpc-imc-pmu-add-a-null-pointer-check-in-update_e.patch +mtd-rawnand-increment-ifc_timeout_msecs-for-nand-con.patch +acpi-video-check-for-error-while-searching-for-backl.patch +acpi-lpit-avoid-u32-multiplication-overflow.patch +net-netlabel-fix-kerneldoc-warnings.patch +netlabel-remove-unused-parameter-in-netlbl_netlink_a.patch +calipso-fix-memory-leak-in-netlbl_calipso_add_pass.patch +mtd-fix-gluebi-null-pointer-dereference-caused-by-ft.patch +selinux-fix-error-priority-for-bind-with-af_unspec-o.patch +crypto-virtio-handle-dataq-logic-with-tasklet.patch +crypto-ccp-fix-memleak-in-ccp_init_dm_workarea.patch +crypto-af_alg-disallow-multiple-in-flight-aio-reques.patch +crypto-sahara-remove-flags_new_key-logic.patch +crypto-sahara-fix-ahash-selftest-failure.patch +crypto-sahara-fix-processing-requests-with-cryptlen-.patch +crypto-sahara-fix-error-handling-in-sahara_hw_descri.patch +pstore-ram_core-fix-possible-overflow-in-persistent_.patch +crypto-virtio-wait-for-tasklet-to-complete-on-device.patch +crypto-sahara-fix-ahash-reqsize.patch +crypto-sahara-fix-wait_for_completion_timeout-error-.patch +crypto-sahara-improve-error-handling-in-sahara_sha_p.patch +crypto-sahara-fix-processing-hash-requests-with-req-.patch +crypto-sahara-do-not-resize-req-src-when-doing-hash-.patch +crypto-scompress-return-proper-error-code-for-alloca.patch +crypto-scompress-use-per-cpu-struct-instead-multiple.patch +crypto-scomp-fix-req-dst-buffer-overflow.patch +blocklayoutdriver-fix-reference-leak-of-pnfs_device_.patch +nfsv4.1-pnfs-ensure-we-handle-the-error-nfs4err_retu.patch +bpf-lpm-fix-check-prefixlen-before-walking-trie.patch +wifi-libertas-stop-selecting-wext.patch +arm-dts-qcom-apq8064-correct-xoadc-register-address.patch +ncsi-internal.h-fix-a-spello.patch +net-ncsi-fix-netlink-major-minor-version-numbers.patch +firmware-ti_sci-fix-an-off-by-one-in-ti_sci_debugfs_.patch +rtlwifi-use-ffs-in-foo-_phy_calculate_bit_shift.patch +wifi-rtlwifi-rtl8821ae-phy-fix-an-undefined-bitwise-.patch +scsi-hisi_sas-replace-with-standard-error-code-retur.patch +dma-mapping-clear-dev-dma_mem-to-null-after-freeing-.patch +wifi-rtlwifi-add-calculate_bit_shift.patch +wifi-rtlwifi-rtl8188ee-phy-using-calculate_bit_shift.patch +wifi-rtlwifi-rtl8192c-using-calculate_bit_shift.patch +wifi-rtlwifi-rtl8192cu-using-calculate_bit_shift.patch +wifi-rtlwifi-rtl8192ce-using-calculate_bit_shift.patch +rtlwifi-rtl8192de-make-arrays-static-const-makes-obj.patch +wifi-rtlwifi-rtl8192de-using-calculate_bit_shift.patch +wifi-rtlwifi-rtl8192ee-using-calculate_bit_shift.patch +wifi-rtlwifi-rtl8192se-using-calculate_bit_shift.patch +bluetooth-fix-bogus-check-for-re-auth-no-supported-w.patch +bluetooth-btmtkuart-fix-recv_buf-return-value.patch +ip6_tunnel-fix-nexthdr_fragment-handling-in-ip6_tnl_.patch +rdma-usnic-silence-uninitialized-symbol-smatch-warni.patch +media-pvrusb2-fix-use-after-free-on-context-disconne.patch +drm-bridge-fix-typo-in-post_disable-description.patch +f2fs-fix-to-avoid-dirent-corruption.patch +drm-radeon-r600_cs-fix-possible-int-overflows-in-r60.patch +drm-radeon-r100-fix-integer-overflow-issues-in-r100_.patch +drm-radeon-check-return-value-of-radeon_ring_lock.patch +asoc-cs35l33-fix-gpio-name-and-drop-legacy-include.patch +asoc-cs35l34-fix-gpio-name-and-drop-legacy-include.patch +drm-msm-mdp4-flush-vblank-event-on-disable.patch +drm-drv-propagate-errors-from-drm_modeset_register_a.patch +drm-radeon-check-the-alloc_workqueue-return-value-in.patch +drm-radeon-dpm-fix-a-memleak-in-sumo_parse_power_tab.patch +drm-radeon-trinity_dpm-fix-a-memleak-in-trinity_pars.patch +media-cx231xx-fix-a-memleak-in-cx231xx_init_isoc.patch +media-dvbdev-drop-refcount-on-error-path-in-dvb_devi.patch +drm-amdgpu-debugfs-fix-error-code-when-smc-register-.patch +drm-amd-pm-fix-a-double-free-in-si_dpm_init.patch +drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch +gpu-drm-radeon-fix-two-memleaks-in-radeon_vm_init.patch +watchdog-set-cdev-owner-before-adding.patch +watchdog-hpwdt-only-claim-unknown-nmi-if-from-ilo.patch +watchdog-bcm2835_wdt-fix-wdioc_settimeout-handling.patch +mmc-sdhci_omap-fix-ti-soc-dependencies.patch +of-fix-double-free-in-of_parse_phandle_with_args_map.patch +of-unittest-fix-of_count_phandle_with_args-expected-.patch diff --git a/queue-4.19/watchdog-bcm2835_wdt-fix-wdioc_settimeout-handling.patch b/queue-4.19/watchdog-bcm2835_wdt-fix-wdioc_settimeout-handling.patch new file mode 100644 index 00000000000..b27020eb81b --- /dev/null +++ b/queue-4.19/watchdog-bcm2835_wdt-fix-wdioc_settimeout-handling.patch @@ -0,0 +1,57 @@ +From 60bdacfb3747b8d4d6fe516e0bf1a38ac5f28aa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Nov 2023 18:32:51 +0100 +Subject: watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling + +From: Stefan Wahren + +[ Upstream commit f33f5b1fd1be5f5106d16f831309648cb0f1c31d ] + +Users report about the unexpected behavior for setting timeouts above +15 sec on Raspberry Pi. According to watchdog-api.rst the ioctl +WDIOC_SETTIMEOUT shouldn't fail because of hardware limitations. +But looking at the code shows that max_timeout based on the +register value PM_WDOG_TIME_SET, which is the maximum. + +Since 664a39236e71 ("watchdog: Introduce hardware maximum heartbeat +in watchdog core") the watchdog core is able to handle this problem. + +This fix has been tested with watchdog-test from selftests. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217374 +Fixes: 664a39236e71 ("watchdog: Introduce hardware maximum heartbeat in watchdog core") +Signed-off-by: Stefan Wahren +Reviewed-by: Florian Fainelli +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20231112173251.4827-1-wahrenst@gmx.net +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/bcm2835_wdt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/watchdog/bcm2835_wdt.c b/drivers/watchdog/bcm2835_wdt.c +index e6c27b71b136..35389562177b 100644 +--- a/drivers/watchdog/bcm2835_wdt.c ++++ b/drivers/watchdog/bcm2835_wdt.c +@@ -41,6 +41,7 @@ + + #define SECS_TO_WDOG_TICKS(x) ((x) << 16) + #define WDOG_TICKS_TO_SECS(x) ((x) >> 16) ++#define WDOG_TICKS_TO_MSECS(x) ((x) * 1000 >> 16) + + struct bcm2835_wdt { + void __iomem *base; +@@ -137,7 +138,7 @@ static struct watchdog_device bcm2835_wdt_wdd = { + .info = &bcm2835_wdt_info, + .ops = &bcm2835_wdt_ops, + .min_timeout = 1, +- .max_timeout = WDOG_TICKS_TO_SECS(PM_WDOG_TIME_SET), ++ .max_hw_heartbeat_ms = WDOG_TICKS_TO_MSECS(PM_WDOG_TIME_SET), + .timeout = WDOG_TICKS_TO_SECS(PM_WDOG_TIME_SET), + }; + +-- +2.43.0 + diff --git a/queue-4.19/watchdog-hpwdt-only-claim-unknown-nmi-if-from-ilo.patch b/queue-4.19/watchdog-hpwdt-only-claim-unknown-nmi-if-from-ilo.patch new file mode 100644 index 00000000000..43fb02721f8 --- /dev/null +++ b/queue-4.19/watchdog-hpwdt-only-claim-unknown-nmi-if-from-ilo.patch @@ -0,0 +1,51 @@ +From 993a4cfe8a4f1843f29aad370b38fe5ddee2d6a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 14:53:38 -0700 +Subject: watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO + +From: Jerry Hoemann + +[ Upstream commit dced0b3e51dd2af3730efe14dd86b5e3173f0a65 ] + +Avoid unnecessary crashes by claiming only NMIs that are due to +ERROR signalling or generated by the hpwdt hardware device. + +The code does this, but only for iLO5. + +The intent was to preserve legacy, Gen9 and earlier, semantics of +using hpwdt for error containtment as hardware/firmware would signal +fatal IO errors as an NMI with the expectation of hpwdt crashing +the system. Howerver, these IO errors should be received by hpwdt +as an NMI_IO_CHECK. So the test is overly permissive and should +not be limited to only ilo5. + +We need to enable this protection for future iLOs not matching the +current PCI IDs. + +Fixes: 62290a5c194b ("watchdog: hpwdt: Claim NMIs generated by iLO5") +Signed-off-by: Jerry Hoemann +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20231213215340.495734-2-jerry.hoemann@hpe.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/hpwdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/hpwdt.c b/drivers/watchdog/hpwdt.c +index 9dc62a461451..c8e747005728 100644 +--- a/drivers/watchdog/hpwdt.c ++++ b/drivers/watchdog/hpwdt.c +@@ -159,7 +159,7 @@ static int hpwdt_pretimeout(unsigned int ulReason, struct pt_regs *regs) + "3. OA Forward Progress Log\n" + "4. iLO Event Log"; + +- if (ilo5 && ulReason == NMI_UNKNOWN && !mynmi) ++ if (ulReason == NMI_UNKNOWN && !mynmi) + return NMI_DONE; + + if (ilo5 && !pretimeout) +-- +2.43.0 + diff --git a/queue-4.19/watchdog-set-cdev-owner-before-adding.patch b/queue-4.19/watchdog-set-cdev-owner-before-adding.patch new file mode 100644 index 00000000000..72b3c60fc0d --- /dev/null +++ b/queue-4.19/watchdog-set-cdev-owner-before-adding.patch @@ -0,0 +1,61 @@ +From 42efbf53dca3da639292319459e90732193af19c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 11:05:22 -0800 +Subject: watchdog: set cdev owner before adding + +From: Curtis Klein + +[ Upstream commit 38d75297745f04206db9c29bdd75557f0344c7cc ] + +When the new watchdog character device is registered, it becomes +available for opening. This creates a race where userspace may open the +device before the character device's owner is set. This results in an +imbalance in module_get calls as the cdev_get in cdev_open will not +increment the reference count on the watchdog driver module. + +This causes problems when the watchdog character device is released as +the module loader's reference will also be released. This makes it +impossible to open the watchdog device later on as it now appears that +the module is being unloaded. The open will fail with -ENXIO from +chrdev_open. + +The legacy watchdog device will fail with -EBUSY from the try_module_get +in watchdog_open because it's module owner is the watchdog core module +so it can still be opened but it will fail to get a refcount on the +underlying watchdog device driver. + +Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev") +Signed-off-by: Curtis Klein +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20231205190522.55153-1-curtis.klein@hpe.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/watchdog_dev.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c +index 808896c9e1c2..686c9f0f3d63 100644 +--- a/drivers/watchdog/watchdog_dev.c ++++ b/drivers/watchdog/watchdog_dev.c +@@ -980,6 +980,7 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) + + /* Fill in the data structures */ + cdev_init(&wd_data->cdev, &watchdog_fops); ++ wd_data->cdev.owner = wdd->ops->owner; + + /* Add the device */ + err = cdev_device_add(&wd_data->cdev, &wd_data->dev); +@@ -994,8 +995,6 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) + return err; + } + +- wd_data->cdev.owner = wdd->ops->owner; +- + /* Record time of most recent heartbeat as 'just before now'. */ + wd_data->last_hw_keepalive = ktime_sub(ktime_get(), 1); + +-- +2.43.0 + diff --git a/queue-4.19/wifi-libertas-stop-selecting-wext.patch b/queue-4.19/wifi-libertas-stop-selecting-wext.patch new file mode 100644 index 00000000000..fa73d3c2829 --- /dev/null +++ b/queue-4.19/wifi-libertas-stop-selecting-wext.patch @@ -0,0 +1,37 @@ +From c3ed874c59b0590a66ef45a429aa0bcf72ffccfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Nov 2023 16:34:03 +0100 +Subject: wifi: libertas: stop selecting wext + +From: Arnd Bergmann + +[ Upstream commit 8170b04c2c92eee52ea50b96db4c54662197e512 ] + +Libertas no longer references the iw_handler infrastructure or wext_spy, +so neither of the 'select' statements are used any more. + +Fixes: e86dc1ca4676 ("Libertas: cfg80211 support") +Signed-off-by: Arnd Bergmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231108153409.1065286-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/Kconfig | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/wireless/marvell/libertas/Kconfig b/drivers/net/wireless/marvell/libertas/Kconfig +index e6268ceacbf1..28985cdac541 100644 +--- a/drivers/net/wireless/marvell/libertas/Kconfig ++++ b/drivers/net/wireless/marvell/libertas/Kconfig +@@ -1,8 +1,6 @@ + config LIBERTAS + tristate "Marvell 8xxx Libertas WLAN driver support" + depends on CFG80211 +- select WIRELESS_EXT +- select WEXT_SPY + select LIB80211 + select FW_LOADER + ---help--- +-- +2.43.0 + diff --git a/queue-4.19/wifi-rtlwifi-add-calculate_bit_shift.patch b/queue-4.19/wifi-rtlwifi-add-calculate_bit_shift.patch new file mode 100644 index 00000000000..65f8c4b65ff --- /dev/null +++ b/queue-4.19/wifi-rtlwifi-add-calculate_bit_shift.patch @@ -0,0 +1,43 @@ +From 2c702f903f49b4ffbe6ae08912c36f16bd020dea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:29 +0800 +Subject: wifi: rtlwifi: add calculate_bit_shift() + +From: Su Hui + +[ Upstream commit 52221dfddbbfb5b4e029bb2efe9bb7da33ec1e46 ] + +There are many same functions like _rtl88e_phy_calculate_bit_shift(), +_rtl92c_phy_calculate_bit_shift() and so on. And these functions can +cause undefined bitwise shift behavior. Add calculate_bit_shift() to +replace them and fix undefined behavior in subsequent patches. + +Signed-off-by: Su Hui +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-2-suhui@nfschina.com +Stable-dep-of: 969bc926f04b ("wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/wifi.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h +index 0f3b98c5227f..0287cbb9a719 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h ++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h +@@ -3251,4 +3251,11 @@ static inline struct ieee80211_sta *rtl_find_sta(struct ieee80211_hw *hw, + return ieee80211_find_sta(mac->vif, mac_addr); + } + ++static inline u32 calculate_bit_shift(u32 bitmask) ++{ ++ if (WARN_ON_ONCE(!bitmask)) ++ return 0; ++ ++ return __ffs(bitmask); ++} + #endif +-- +2.43.0 + diff --git a/queue-4.19/wifi-rtlwifi-rtl8188ee-phy-using-calculate_bit_shift.patch b/queue-4.19/wifi-rtlwifi-rtl8188ee-phy-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..a46e4121e10 --- /dev/null +++ b/queue-4.19/wifi-rtlwifi-rtl8188ee-phy-using-calculate_bit_shift.patch @@ -0,0 +1,77 @@ +From d086ec7e5114e980be541dfa865fee475ce742cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:31 +0800 +Subject: wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit 969bc926f04b438676768aeffffffb050e480b62 ] + +Using calculate_bit_shift() to replace _rtl88e_phy_calculate_bit_shift(). +And fix the undefined bitwise shift behavior problem. + +Fixes: f0eb856e0b6c ("rtlwifi: rtl8188ee: Add new driver") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-4-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtlwifi/rtl8188ee/phy.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c +index 5bbb46f37e71..44cabfa1ca27 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c +@@ -38,12 +38,6 @@ static u32 _rtl88e_phy_rf_serial_read(struct ieee80211_hw *hw, + static void _rtl88e_phy_rf_serial_write(struct ieee80211_hw *hw, + enum radio_path rfpath, u32 offset, + u32 data); +-static u32 _rtl88e_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i = ffs(bitmask); +- +- return i ? i - 1 : 32; +-} + static bool _rtl88e_phy_bb8188e_config_parafile(struct ieee80211_hw *hw); + static bool _rtl88e_phy_config_mac_with_headerfile(struct ieee80211_hw *hw); + static bool phy_config_bb_with_headerfile(struct ieee80211_hw *hw, +@@ -73,7 +67,7 @@ u32 rtl88e_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, + "regaddr(%#x), bitmask(%#x)\n", regaddr, bitmask); + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl88e_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + returnvalue = (originalvalue & bitmask) >> bitshift; + + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, +@@ -96,7 +90,7 @@ void rtl88e_phy_set_bb_reg(struct ieee80211_hw *hw, + + if (bitmask != MASKDWORD) { + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl88e_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((originalvalue & (~bitmask)) | (data << bitshift)); + } + +@@ -122,7 +116,7 @@ u32 rtl88e_phy_query_rf_reg(struct ieee80211_hw *hw, + + + original_value = _rtl88e_phy_rf_serial_read(hw, rfpath, regaddr); +- bitshift = _rtl88e_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + + spin_unlock_irqrestore(&rtlpriv->locks.rf_lock, flags); +@@ -151,7 +145,7 @@ void rtl88e_phy_set_rf_reg(struct ieee80211_hw *hw, + original_value = _rtl88e_phy_rf_serial_read(hw, + rfpath, + regaddr); +- bitshift = _rtl88e_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +-- +2.43.0 + diff --git a/queue-4.19/wifi-rtlwifi-rtl8192c-using-calculate_bit_shift.patch b/queue-4.19/wifi-rtlwifi-rtl8192c-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..e2bbefc9411 --- /dev/null +++ b/queue-4.19/wifi-rtlwifi-rtl8192c-using-calculate_bit_shift.patch @@ -0,0 +1,74 @@ +From abfc5918be9fe64241f2f588d2d2e2ee1998afb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:32 +0800 +Subject: wifi: rtlwifi: rtl8192c: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit 1dedc3a6699d827d345019e921b8d8f37f694333 ] + +Using calculate_bit_shift() to replace _rtl92c_phy_calculate_bit_shift(). +And fix the undefined bitwise shift behavior problem. + +Fixes: 4295cd254af3 ("rtlwifi: Move common parts of rtl8192ce/phy.c") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-5-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + .../wireless/realtek/rtlwifi/rtl8192c/phy_common.c | 12 ++---------- + .../wireless/realtek/rtlwifi/rtl8192c/phy_common.h | 1 - + 2 files changed, 2 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c +index 7ebd4d60482e..bc2b3849828d 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c +@@ -39,7 +39,7 @@ u32 rtl92c_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, "regaddr(%#x), bitmask(%#x)\n", + regaddr, bitmask); + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + returnvalue = (originalvalue & bitmask) >> bitshift; + + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, +@@ -62,7 +62,7 @@ void rtl92c_phy_set_bb_reg(struct ieee80211_hw *hw, + + if (bitmask != MASKDWORD) { + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((originalvalue & (~bitmask)) | (data << bitshift)); + } + +@@ -165,14 +165,6 @@ void _rtl92c_phy_rf_serial_write(struct ieee80211_hw *hw, + } + EXPORT_SYMBOL(_rtl92c_phy_rf_serial_write); + +-u32 _rtl92c_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i = ffs(bitmask); +- +- return i ? i - 1 : 32; +-} +-EXPORT_SYMBOL(_rtl92c_phy_calculate_bit_shift); +- + static void _rtl92c_phy_bb_config_1t(struct ieee80211_hw *hw) + { + rtl_set_bbreg(hw, RFPGA0_TXINFO, 0x3, 0x2); +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.h b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.h +index d11261e05a2e..76f574047c62 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.h ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.h +@@ -218,7 +218,6 @@ bool rtl92c_phy_set_rf_power_state(struct ieee80211_hw *hw, + void rtl92ce_phy_set_rf_on(struct ieee80211_hw *hw); + void rtl92c_phy_set_io(struct ieee80211_hw *hw); + void rtl92c_bb_block_on(struct ieee80211_hw *hw); +-u32 _rtl92c_phy_calculate_bit_shift(u32 bitmask); + long _rtl92c_phy_txpwr_idx_to_dbm(struct ieee80211_hw *hw, + enum wireless_mode wirelessmode, + u8 txpwridx); +-- +2.43.0 + diff --git a/queue-4.19/wifi-rtlwifi-rtl8192ce-using-calculate_bit_shift.patch b/queue-4.19/wifi-rtlwifi-rtl8192ce-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..0488314824b --- /dev/null +++ b/queue-4.19/wifi-rtlwifi-rtl8192ce-using-calculate_bit_shift.patch @@ -0,0 +1,68 @@ +From 630d8cc4639adeb4c2c8416157949eb464195156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:34 +0800 +Subject: wifi: rtlwifi: rtl8192ce: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit 3d03e8231031bcc65a48cd88ef9c71b6524ce70b ] + +Using calculate_bit_shift() to replace _rtl92c_phy_calculate_bit_shift(). +And fix the undefined bitwise shift behavior problem. + +Fixes: 0c8173385e54 ("rtl8192ce: Add new driver") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-7-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c | 6 +++--- + drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h | 1 - + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c +index 7c6d7fc1ef9a..9f478d8af804 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c +@@ -61,7 +61,7 @@ u32 rtl92c_phy_query_rf_reg(struct ieee80211_hw *hw, + rfpath, regaddr); + } + +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + + spin_unlock(&rtlpriv->locks.rf_lock); +@@ -132,7 +132,7 @@ void rtl92ce_phy_set_rf_reg(struct ieee80211_hw *hw, + original_value = _rtl92c_phy_rf_serial_read(hw, + rfpath, + regaddr); +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +@@ -144,7 +144,7 @@ void rtl92ce_phy_set_rf_reg(struct ieee80211_hw *hw, + original_value = _rtl92c_phy_fw_rf_serial_read(hw, + rfpath, + regaddr); +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h +index 93f3bc0197b4..e084a91e26d9 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h +@@ -116,7 +116,6 @@ u32 _rtl92c_phy_rf_serial_read(struct ieee80211_hw *hw, enum radio_path rfpath, + u32 offset); + u32 _rtl92c_phy_fw_rf_serial_read(struct ieee80211_hw *hw, + enum radio_path rfpath, u32 offset); +-u32 _rtl92c_phy_calculate_bit_shift(u32 bitmask); + void _rtl92c_phy_rf_serial_write(struct ieee80211_hw *hw, + enum radio_path rfpath, u32 offset, u32 data); + void _rtl92c_phy_fw_rf_serial_write(struct ieee80211_hw *hw, +-- +2.43.0 + diff --git a/queue-4.19/wifi-rtlwifi-rtl8192cu-using-calculate_bit_shift.patch b/queue-4.19/wifi-rtlwifi-rtl8192cu-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..65150d6f4f9 --- /dev/null +++ b/queue-4.19/wifi-rtlwifi-rtl8192cu-using-calculate_bit_shift.patch @@ -0,0 +1,55 @@ +From f7173ecac3b6b57f30e2d08f355d05603d0f83c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:33 +0800 +Subject: wifi: rtlwifi: rtl8192cu: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit f4088c8fcbabadad9dd17d17ae9ba24e9e3221ec ] + +Using calculate_bit_shift() to replace _rtl92c_phy_calculate_bit_shift(). +And fix an undefined bitwise shift behavior problem. + +Fixes: f0a39ae738d6 ("rtlwifi: rtl8192cu: Add routine phy") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-6-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c +index f068dd5317a7..5a5476a2dc2f 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c +@@ -54,7 +54,7 @@ u32 rtl92cu_phy_query_rf_reg(struct ieee80211_hw *hw, + original_value = _rtl92c_phy_fw_rf_serial_read(hw, + rfpath, regaddr); + } +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, + "regaddr(%#x), rfpath(%#x), bitmask(%#x), original_value(%#x)\n", +@@ -78,7 +78,7 @@ void rtl92cu_phy_set_rf_reg(struct ieee80211_hw *hw, + original_value = _rtl92c_phy_rf_serial_read(hw, + rfpath, + regaddr); +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +@@ -89,7 +89,7 @@ void rtl92cu_phy_set_rf_reg(struct ieee80211_hw *hw, + original_value = _rtl92c_phy_fw_rf_serial_read(hw, + rfpath, + regaddr); +- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +-- +2.43.0 + diff --git a/queue-4.19/wifi-rtlwifi-rtl8192de-using-calculate_bit_shift.patch b/queue-4.19/wifi-rtlwifi-rtl8192de-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..828ea9f9fa8 --- /dev/null +++ b/queue-4.19/wifi-rtlwifi-rtl8192de-using-calculate_bit_shift.patch @@ -0,0 +1,78 @@ +From 7205d080b70675cc1c7594227c51fa70e3249f44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:35 +0800 +Subject: wifi: rtlwifi: rtl8192de: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit b8b2baad2e652042cf8b6339939ac2f4e6f53de4 ] + +Using calculate_bit_shift() to replace _rtl92d_phy_calculate_bit_shift(). +And fix the undefined bitwise shift behavior problem. + +Fixes: 7274a8c22980 ("rtlwifi: rtl8192de: Merge phy routines") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-8-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +index 89b473caa5f8..2ee779614269 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +@@ -191,13 +191,6 @@ static const u8 channel_all[59] = { + 157, 159, 161, 163, 165 + }; + +-static u32 _rtl92d_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i = ffs(bitmask); +- +- return i ? i - 1 : 32; +-} +- + u32 rtl92d_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); +@@ -220,7 +213,7 @@ u32 rtl92d_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + } else { + originalvalue = rtl_read_dword(rtlpriv, regaddr); + } +- bitshift = _rtl92d_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + returnvalue = (originalvalue & bitmask) >> bitshift; + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, + "BBR MASK=0x%x Addr[0x%x]=0x%x\n", +@@ -252,7 +245,7 @@ void rtl92d_phy_set_bb_reg(struct ieee80211_hw *hw, + dbi_direct); + else + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92d_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((originalvalue & (~bitmask)) | (data << bitshift)); + } + if (rtlhal->during_mac1init_radioa || rtlhal->during_mac0init_radiob) +@@ -340,7 +333,7 @@ u32 rtl92d_phy_query_rf_reg(struct ieee80211_hw *hw, + regaddr, rfpath, bitmask); + spin_lock_irqsave(&rtlpriv->locks.rf_lock, flags); + original_value = _rtl92d_phy_rf_serial_read(hw, rfpath, regaddr); +- bitshift = _rtl92d_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + spin_unlock_irqrestore(&rtlpriv->locks.rf_lock, flags); + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, +@@ -367,7 +360,7 @@ void rtl92d_phy_set_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath, + if (bitmask != RFREG_OFFSET_MASK) { + original_value = _rtl92d_phy_rf_serial_read(hw, + rfpath, regaddr); +- bitshift = _rtl92d_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((original_value & (~bitmask)) | + (data << bitshift)); + } +-- +2.43.0 + diff --git a/queue-4.19/wifi-rtlwifi-rtl8192ee-using-calculate_bit_shift.patch b/queue-4.19/wifi-rtlwifi-rtl8192ee-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..78d2b8f0ab7 --- /dev/null +++ b/queue-4.19/wifi-rtlwifi-rtl8192ee-using-calculate_bit_shift.patch @@ -0,0 +1,86 @@ +From c890c13851269f734ebb84858570b378f5a5fba7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:36 +0800 +Subject: wifi: rtlwifi: rtl8192ee: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit 63526897fc0d086069bcab67c3a112caaec751cb ] + +Using calculate_bit_shift() to replace _rtl92ee_phy_calculate_bit_shift(). +And fix the undefined bitwise shift behavior problem. + +Fixes: b1a3bfc97cd9 ("rtlwifi: rtl8192ee: Move driver from staging to the regular tree") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-9-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtlwifi/rtl8192ee/phy.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c +index 7aeff442bd06..9a3e88d6a570 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c +@@ -38,7 +38,6 @@ static u32 _rtl92ee_phy_rf_serial_read(struct ieee80211_hw *hw, + static void _rtl92ee_phy_rf_serial_write(struct ieee80211_hw *hw, + enum radio_path rfpath, u32 offset, + u32 data); +-static u32 _rtl92ee_phy_calculate_bit_shift(u32 bitmask); + static bool _rtl92ee_phy_bb8192ee_config_parafile(struct ieee80211_hw *hw); + static bool _rtl92ee_phy_config_mac_with_headerfile(struct ieee80211_hw *hw); + static bool phy_config_bb_with_hdr_file(struct ieee80211_hw *hw, +@@ -68,7 +67,7 @@ u32 rtl92ee_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, + "regaddr(%#x), bitmask(%#x)\n", regaddr, bitmask); + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92ee_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + returnvalue = (originalvalue & bitmask) >> bitshift; + + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, +@@ -90,7 +89,7 @@ void rtl92ee_phy_set_bb_reg(struct ieee80211_hw *hw, u32 regaddr, + + if (bitmask != MASKDWORD) { + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92ee_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((originalvalue & (~bitmask)) | (data << bitshift)); + } + +@@ -115,7 +114,7 @@ u32 rtl92ee_phy_query_rf_reg(struct ieee80211_hw *hw, + spin_lock_irqsave(&rtlpriv->locks.rf_lock, flags); + + original_value = _rtl92ee_phy_rf_serial_read(hw , rfpath, regaddr); +- bitshift = _rtl92ee_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + + spin_unlock_irqrestore(&rtlpriv->locks.rf_lock, flags); +@@ -143,7 +142,7 @@ void rtl92ee_phy_set_rf_reg(struct ieee80211_hw *hw, + + if (bitmask != RFREG_OFFSET_MASK) { + original_value = _rtl92ee_phy_rf_serial_read(hw, rfpath, addr); +- bitshift = _rtl92ee_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = (original_value & (~bitmask)) | (data << bitshift); + } + +@@ -226,13 +225,6 @@ static void _rtl92ee_phy_rf_serial_write(struct ieee80211_hw *hw, + pphyreg->rf3wire_offset, data_and_addr); + } + +-static u32 _rtl92ee_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i = ffs(bitmask); +- +- return i ? i - 1 : 32; +-} +- + bool rtl92ee_phy_mac_config(struct ieee80211_hw *hw) + { + return _rtl92ee_phy_config_mac_with_headerfile(hw); +-- +2.43.0 + diff --git a/queue-4.19/wifi-rtlwifi-rtl8192se-using-calculate_bit_shift.patch b/queue-4.19/wifi-rtlwifi-rtl8192se-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..e94e6b037c6 --- /dev/null +++ b/queue-4.19/wifi-rtlwifi-rtl8192se-using-calculate_bit_shift.patch @@ -0,0 +1,78 @@ +From 43a872477291d0f8ca578d0de10de155895b354a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:37 +0800 +Subject: wifi: rtlwifi: rtl8192se: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit ac32b9317063b101a8ff3d3e885f76f87a280419 ] + +Using calculate_bit_shift() to replace _rtl92s_phy_calculate_bit_shift(). +And fix the undefined bitwise shift behavior problem. + +Fixes: d15853163bea ("rtlwifi: rtl8192se: Merge phy routines") +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-10-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtlwifi/rtl8192se/phy.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c +index dfc96126a356..0430a3b823d6 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c +@@ -36,13 +36,6 @@ + #include "hw.h" + #include "table.h" + +-static u32 _rtl92s_phy_calculate_bit_shift(u32 bitmask) +-{ +- u32 i = ffs(bitmask); +- +- return i ? i - 1 : 32; +-} +- + u32 rtl92s_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); +@@ -52,7 +45,7 @@ u32 rtl92s_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask) + regaddr, bitmask); + + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92s_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + returnvalue = (originalvalue & bitmask) >> bitshift; + + RT_TRACE(rtlpriv, COMP_RF, DBG_TRACE, "BBR MASK=0x%x Addr[0x%x]=0x%x\n", +@@ -74,7 +67,7 @@ void rtl92s_phy_set_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask, + + if (bitmask != MASKDWORD) { + originalvalue = rtl_read_dword(rtlpriv, regaddr); +- bitshift = _rtl92s_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((originalvalue & (~bitmask)) | (data << bitshift)); + } + +@@ -182,7 +175,7 @@ u32 rtl92s_phy_query_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath, + + original_value = _rtl92s_phy_rf_serial_read(hw, rfpath, regaddr); + +- bitshift = _rtl92s_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + + spin_unlock(&rtlpriv->locks.rf_lock); +@@ -213,7 +206,7 @@ void rtl92s_phy_set_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath, + if (bitmask != RFREG_OFFSET_MASK) { + original_value = _rtl92s_phy_rf_serial_read(hw, rfpath, + regaddr); +- bitshift = _rtl92s_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((original_value & (~bitmask)) | (data << bitshift)); + } + +-- +2.43.0 + diff --git a/queue-4.19/wifi-rtlwifi-rtl8821ae-phy-fix-an-undefined-bitwise-.patch b/queue-4.19/wifi-rtlwifi-rtl8821ae-phy-fix-an-undefined-bitwise-.patch new file mode 100644 index 00000000000..2c22047d930 --- /dev/null +++ b/queue-4.19/wifi-rtlwifi-rtl8821ae-phy-fix-an-undefined-bitwise-.patch @@ -0,0 +1,59 @@ +From d9c3d7f01cd1629360a8d6a96abd5939671b29dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 09:35:13 +0800 +Subject: wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift + behavior + +From: Su Hui + +[ Upstream commit bc8263083af60e7e57c6120edbc1f75d6c909a35 ] + +Clang static checker warns: + +drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c:184:49: + The result of the left shift is undefined due to shifting by '32', + which is greater or equal to the width of type 'u32'. + [core.UndefinedBinaryOperatorResult] + +If the value of the right operand is negative or is greater than or +equal to the width of the promoted left operand, the behavior is +undefined.[1][2] + +For example, when using different gcc's compilation optimization options +(-O0 or -O2), the result of '(u32)data << 32' is different. One is 0, the +other is old value of data. Let _rtl8821ae_phy_calculate_bit_shift()'s +return value less than 32 to fix this problem. Warn if bitmask is zero. + +[1] https://stackoverflow.com/questions/11270492/what-does-the-c-standard-say-about-bitshifting-more-bits-than-the-width-of-type +[2] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf + +Fixes: 21e4b0726dc6 ("rtlwifi: rtl8821ae: Move driver from staging to regular tree") +Signed-off-by: Su Hui +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231127013511.26694-2-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +index 9ec62fff6f1a..a972afde40a7 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +@@ -51,9 +51,10 @@ static void _rtl8821ae_phy_rf_serial_write(struct ieee80211_hw *hw, + u32 data); + static u32 _rtl8821ae_phy_calculate_bit_shift(u32 bitmask) + { +- u32 i = ffs(bitmask); ++ if (WARN_ON_ONCE(!bitmask)) ++ return 0; + +- return i ? i - 1 : 32; ++ return __ffs(bitmask); + } + static bool _rtl8821ae_phy_bb8821a_config_parafile(struct ieee80211_hw *hw); + /*static bool _rtl8812ae_phy_config_mac_with_headerfile(struct ieee80211_hw *hw);*/ +-- +2.43.0 + diff --git a/queue-4.19/x86-lib-fix-overflow-when-counting-digits.patch b/queue-4.19/x86-lib-fix-overflow-when-counting-digits.patch new file mode 100644 index 00000000000..11392b90c46 --- /dev/null +++ b/queue-4.19/x86-lib-fix-overflow-when-counting-digits.patch @@ -0,0 +1,66 @@ +From 71cee4d14a1f37b8804b7808917a4aa492755049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Nov 2023 17:49:01 +0000 +Subject: x86/lib: Fix overflow when counting digits + +From: Colin Ian King + +[ Upstream commit a24d61c609813963aacc9f6ec8343f4fcaac7243 ] + +tl;dr: The num_digits() function has a theoretical overflow issue. +But it doesn't affect any actual in-tree users. Fix it by using +a larger type for one of the local variables. + +Long version: + +There is an overflow in variable m in function num_digits when val +is >= 1410065408 which leads to the digit calculation loop to +iterate more times than required. This results in either more +digits being counted or in some cases (for example where val is +1932683193) the value of m eventually overflows to zero and the +while loop spins forever). + +Currently the function num_digits is currently only being used for +small values of val in the SMP boot stage for digit counting on the +number of cpus and NUMA nodes, so the overflow is never encountered. +However it is useful to fix the overflow issue in case the function +is used for other purposes in the future. (The issue was discovered +while investigating the digit counting performance in various +kernel helper functions rather than any real-world use-case). + +The simplest fix is to make m a long long, the overhead in +multiplication speed for a long long is very minor for small values +of val less than 10000 on modern processors. The alternative +fix is to replace the multiplication with a constant division +by 10 loop (this compiles down to an multiplication and shift) +without needing to make m a long long, but this is slightly slower +than the fix in this commit when measured on a range of x86 +processors). + +[ dhansen: subject and changelog tweaks ] + +Fixes: 646e29a1789a ("x86: Improve the printout of the SMP bootup CPU table") +Signed-off-by: Colin Ian King +Signed-off-by: Dave Hansen +Link: https://lore.kernel.org/all/20231102174901.2590325-1-colin.i.king%40gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/lib/misc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/lib/misc.c b/arch/x86/lib/misc.c +index a018ec4fba53..c97be9a1430a 100644 +--- a/arch/x86/lib/misc.c ++++ b/arch/x86/lib/misc.c +@@ -6,7 +6,7 @@ + */ + int num_digits(int val) + { +- int m = 10; ++ long long m = 10; + int d = 1; + + if (val < 0) { +-- +2.43.0 +