From: Greg Kroah-Hartman Date: Tue, 29 Nov 2022 17:01:08 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.10.157~66 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3b207ec063949fafc7f4c758958faab10d02f77;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch usb-dwc3-exynos-fix-remove-function.patch --- diff --git a/queue-5.15/arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch b/queue-5.15/arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch new file mode 100644 index 00000000000..683d566b75e --- /dev/null +++ b/queue-5.15/arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch 
@@ -0,0 +1,39 @@ +From 91e8b74fe6381e083f8aa55217bb0562785ab398 Mon Sep 17 00:00:00 2001 +From: Jakob Unterwurzacher +Date: Wed, 19 Oct 2022 16:27:27 +0200 +Subject: arm64: dts: rockchip: lower rk3399-puma-haikou SD controller clock frequency + +From: Jakob Unterwurzacher + +commit 91e8b74fe6381e083f8aa55217bb0562785ab398 upstream. + +CRC errors (code -84 EILSEQ) have been observed for some SanDisk +Ultra A1 cards when running at 50MHz. + +Waveform analysis suggest that the level shifters that are used on the +RK3399-Q7 module for voltage translation between 3.0 and 3.3V don't +handle clock rates at or above 48MHz properly. Back off to 40MHz for +some safety margin. + +Cc: stable@vger.kernel.org +Fixes: 60fd9f72ce8a ("arm64: dts: rockchip: add Haikou baseboard with RK3399-Q7 SoM") +Signed-off-by: Jakob Unterwurzacher +Signed-off-by: Quentin Schulz +Link: https://lore.kernel.org/r/20221019-upstream-puma-sd-40mhz-v1-0-754a76421518@theobroma-systems.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts +@@ -207,7 +207,7 @@ + cap-sd-highspeed; + cd-gpios = <&gpio0 RK_PA7 GPIO_ACTIVE_LOW>; + disable-wp; +- max-frequency = <150000000>; ++ max-frequency = <40000000>; + pinctrl-names = "default"; + pinctrl-0 = <&sdmmc_clk &sdmmc_cmd &sdmmc_cd &sdmmc_bus4>; + vmmc-supply = <&vcc3v3_baseboard>; diff --git a/queue-5.15/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch b/queue-5.15/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch new file mode 100644 index 00000000000..eda43af50d2 --- /dev/null +++ b/queue-5.15/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch 
@@ -0,0 +1,101 @@ +From f6b1a1cf1c3ee430d3f5e47847047ce789a690aa Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Thu, 22 Sep 2022 20:04:34 +0800 +Subject: ext4: fix use-after-free in ext4_ext_shift_extents +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Baokun Li + +commit f6b1a1cf1c3ee430d3f5e47847047ce789a690aa upstream. + +If the starting position of our insert range happens to be in the hole +between the two ext4_extent_idx, because the lblk of the ext4_extent in +the previous ext4_extent_idx is always less than the start, which leads +to the "extent" variable access across the boundary, the following UAF is +triggered: +================================================================== +BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790 +Read of size 4 at addr ffff88819807a008 by task fallocate/8010 +CPU: 3 PID: 8010 Comm: fallocate Tainted: G E 5.10.0+ #492 +Call Trace: + dump_stack+0x7d/0xa3 + print_address_description.constprop.0+0x1e/0x220 + kasan_report.cold+0x67/0x7f + ext4_ext_shift_extents+0x257/0x790 + ext4_insert_range+0x5b6/0x700 + ext4_fallocate+0x39e/0x3d0 + vfs_fallocate+0x26f/0x470 + ksys_fallocate+0x3a/0x70 + __x64_sys_fallocate+0x4f/0x60 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +================================================================== + +For right shifts, we can divide them into the following situations: + +1. When the first ee_block of ext4_extent_idx is greater than or equal to + start, make right shifts directly from the first ee_block. + 1) If it is greater than start, we need to continue searching in the + previous ext4_extent_idx. + 2) If it is equal to start, we can exit the loop (iterator=NULL). + +2. When the first ee_block of ext4_extent_idx is less than start, then + traverse from the last extent to find the first extent whose ee_block + is less than start. 
+ 1) If extent is still the last extent after traversal, it means that + the last ee_block of ext4_extent_idx is less than start, that is, + start is located in the hole between idx and (idx+1), so we can + exit the loop directly (break) without right shifts. + 2) Otherwise, make right shifts at the corresponding position of the + found extent, and then exit the loop (iterator=NULL). + +Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate") +Cc: stable@vger.kernel.org # v4.2+ +Signed-off-by: Zhihao Cheng +Signed-off-by: Baokun Li +Link: https://lore.kernel.org/r/20220922120434.1294789-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/extents.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5190,6 +5190,7 @@ ext4_ext_shift_extents(struct inode *ino + * and it is decreased till we reach start. + */ + again: ++ ret = 0; + if (SHIFT == SHIFT_LEFT) + iterator = &start; + else +@@ -5233,14 +5234,21 @@ again: + ext4_ext_get_actual_len(extent); + } else { + extent = EXT_FIRST_EXTENT(path[depth].p_hdr); +- if (le32_to_cpu(extent->ee_block) > 0) ++ if (le32_to_cpu(extent->ee_block) > start) + *iterator = le32_to_cpu(extent->ee_block) - 1; +- else +- /* Beginning is reached, end of the loop */ ++ else if (le32_to_cpu(extent->ee_block) == start) + iterator = NULL; +- /* Update path extent in case we need to stop */ +- while (le32_to_cpu(extent->ee_block) < start) ++ else { ++ extent = EXT_LAST_EXTENT(path[depth].p_hdr); ++ while (le32_to_cpu(extent->ee_block) >= start) ++ extent--; ++ ++ if (extent == EXT_LAST_EXTENT(path[depth].p_hdr)) ++ break; ++ + extent++; ++ iterator = NULL; ++ } + path[depth].p_ext = extent; + } + ret = ext4_ext_shift_path_extents(path, shift, inode, 
diff --git a/queue-5.15/kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch b/queue-5.15/kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch new file mode 100644 index 00000000000..7f88290c213 --- /dev/null +++ b/queue-5.15/kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch @@ -0,0 +1,44 @@ +From 50c697215a8cc22f0e58c88f06f2716c05a26e85 Mon Sep 17 00:00:00 2001 +From: Sam James +Date: Wed, 16 Nov 2022 18:26:34 +0000 +Subject: kbuild: fix -Wimplicit-function-declaration in license_is_gpl_compatible + +From: Sam James + +commit 50c697215a8cc22f0e58c88f06f2716c05a26e85 upstream. + +Add missing include for strcmp. + +Clang 16 makes -Wimplicit-function-declaration an error by default. +Unfortunately, out of tree modules may use this in configure scripts, +which means failure might cause silent miscompilation or misconfiguration. + +For more information, see LWN.net [0] or LLVM's Discourse [1], gentoo-dev@ [2], +or the (new) c-std-porting mailing list [3]. + +[0] https://lwn.net/Articles/913505/ +[1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213 +[2] https://archives.gentoo.org/gentoo-dev/message/dd9f2d3082b8b6f8dfbccb0639e6e240 +[3] hosted at lists.linux.dev. + +[akpm@linux-foundation.org: remember "linux/"] +Link: https://lkml.kernel.org/r/20221116182634.2823136-1-sam@gentoo.org +Signed-off-by: Sam James +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/license.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/license.h ++++ b/include/linux/license.h +@@ -2,6 +2,8 @@ + #ifndef __LICENSE_H + #define __LICENSE_H + ++#include ++ + static inline int license_is_gpl_compatible(const char *license) + { + return (strcmp(license, "GPL") == 0 diff --git a/queue-5.15/series b/queue-5.15/series index 96b20ff556a..8d0c7e304ca 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -138,3 +138,9 @@ mmc-sdhci-brcmstb-re-organize-flags.patch mmc-sdhci-brcmstb-enable-clock-gating-to-save-power.patch mmc-sdhci-brcmstb-fix-sdhci_reset_all-for-cqhci.patch kvm-arm64-pkvm-fixup-boot-mode-to-reflect-that-the-kernel-resumes-from-el1.patch +usb-dwc3-exynos-fix-remove-function.patch +usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch +usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch +ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch +arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch +kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch diff --git a/queue-5.15/usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch b/queue-5.15/usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch new file mode 100644 index 00000000000..2163aa24396 --- /dev/null +++ b/queue-5.15/usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch 
@@ -0,0 +1,66 @@ +From b25264f22b498dff3fa5c70c9bea840e83fff0d1 Mon Sep 17 00:00:00 2001 +From: Pawel Laszczak +Date: Thu, 10 Nov 2022 01:30:05 -0500 +Subject: usb: cdnsp: Fix issue with Clear Feature Halt Endpoint + +From: Pawel Laszczak + +commit b25264f22b498dff3fa5c70c9bea840e83fff0d1 upstream. + +During handling Clear Halt Endpoint Feature request, driver invokes +Reset Endpoint command. Because this command has some issue with +transition endpoint from Running to Idle state the driver must +stop the endpoint by using Stop Endpoint command. + +cc: +Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") +Reviewed-by: Peter Chen +Signed-off-by: Pawel Laszczak +Link: https://lore.kernel.org/r/20221110063005.370656-1-pawell@cadence.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdnsp-gadget.c | 12 ++++-------- + drivers/usb/cdns3/cdnsp-ring.c | 3 ++- + 2 files changed, 6 insertions(+), 9 deletions(-) + +--- a/drivers/usb/cdns3/cdnsp-gadget.c ++++ b/drivers/usb/cdns3/cdnsp-gadget.c +@@ -600,11 +600,11 @@ int cdnsp_halt_endpoint(struct cdnsp_dev + + trace_cdnsp_ep_halt(value ? "Set" : "Clear"); + +- if (value) { +- ret = cdnsp_cmd_stop_ep(pdev, pep); +- if (ret) +- return ret; ++ ret = cdnsp_cmd_stop_ep(pdev, pep); ++ if (ret) ++ return ret; + ++ if (value) { + if (GET_EP_CTX_STATE(pep->out_ctx) == EP_STATE_STOPPED) { + cdnsp_queue_halt_endpoint(pdev, pep->idx); + cdnsp_ring_cmd_db(pdev); +@@ -613,10 +613,6 @@ int cdnsp_halt_endpoint(struct cdnsp_dev + + pep->ep_state |= EP_HALTED; + } else { +- /* +- * In device mode driver can call reset endpoint command +- * from any endpoint state. 
+- */ + cdnsp_queue_reset_ep(pdev, pep->idx); + cdnsp_ring_cmd_db(pdev); + ret = cdnsp_wait_for_cmd_compl(pdev); +--- a/drivers/usb/cdns3/cdnsp-ring.c ++++ b/drivers/usb/cdns3/cdnsp-ring.c +@@ -2076,7 +2076,8 @@ int cdnsp_cmd_stop_ep(struct cdnsp_devic + u32 ep_state = GET_EP_CTX_STATE(pep->out_ctx); + int ret = 0; + +- if (ep_state == EP_STATE_STOPPED || ep_state == EP_STATE_DISABLED) { ++ if (ep_state == EP_STATE_STOPPED || ep_state == EP_STATE_DISABLED || ++ ep_state == EP_STATE_HALTED) { + trace_cdnsp_ep_stopped_or_disabled(pep->out_ctx); + goto ep_stopped; + } diff --git a/queue-5.15/usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch b/queue-5.15/usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch new file mode 100644 index 00000000000..83820c65766 --- /dev/null +++ b/queue-5.15/usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch 
@@ -0,0 +1,70 @@ +From 7a21b27aafa3edead79ed97e6f22236be6b9f447 Mon Sep 17 00:00:00 2001 +From: Pawel Laszczak +Date: Tue, 15 Nov 2022 04:22:18 -0500 +Subject: usb: cdnsp: fix issue with ZLP - added TD_SIZE = 1 + +From: Pawel Laszczak + +commit 7a21b27aafa3edead79ed97e6f22236be6b9f447 upstream. + +Patch modifies the TD_SIZE in TRB before ZLP TRB. +The TD_SIZE in TRB before ZLP TRB must be set to 1 to force +processing ZLP TRB by controller. + +cc: +Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") +Signed-off-by: Pawel Laszczak +Reviewed-by: Peter Chen +Link: https://lore.kernel.org/r/20221115092218.421267-1-pawell@cadence.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdnsp-ring.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/usb/cdns3/cdnsp-ring.c ++++ b/drivers/usb/cdns3/cdnsp-ring.c +@@ -1763,10 +1763,15 @@ static u32 cdnsp_td_remainder(struct cdn + int trb_buff_len, + unsigned int td_total_len, + struct cdnsp_request *preq, +- bool more_trbs_coming) ++ bool more_trbs_coming, ++ bool zlp) + { + u32 maxp, total_packet_count; + ++ /* Before ZLP driver needs set TD_SIZE = 1. */ ++ if (zlp) ++ return 1; ++ + /* One TRB with a zero-length data packet. */ + if (!more_trbs_coming || (transferred == 0 && trb_buff_len == 0) || + trb_buff_len == td_total_len) +@@ -1960,7 +1965,8 @@ int cdnsp_queue_bulk_tx(struct cdnsp_dev + /* Set the TRB length, TD size, and interrupter fields. 
*/ + remainder = cdnsp_td_remainder(pdev, enqd_len, trb_buff_len, + full_len, preq, +- more_trbs_coming); ++ more_trbs_coming, ++ zero_len_trb); + + length_field = TRB_LEN(trb_buff_len) | TRB_TD_SIZE(remainder) | + TRB_INTR_TARGET(0); +@@ -2025,7 +2031,7 @@ int cdnsp_queue_ctrl_tx(struct cdnsp_dev + + if (preq->request.length > 0) { + remainder = cdnsp_td_remainder(pdev, 0, preq->request.length, +- preq->request.length, preq, 1); ++ preq->request.length, preq, 1, 0); + + length_field = TRB_LEN(preq->request.length) | + TRB_TD_SIZE(remainder) | TRB_INTR_TARGET(0); +@@ -2226,7 +2232,7 @@ static int cdnsp_queue_isoc_tx(struct cd + /* Set the TRB length, TD size, & interrupter fields. */ + remainder = cdnsp_td_remainder(pdev, running_total, + trb_buff_len, td_len, preq, +- more_trbs_coming); ++ more_trbs_coming, 0); + + length_field = TRB_LEN(trb_buff_len) | TRB_INTR_TARGET(0); + diff --git a/queue-5.15/usb-dwc3-exynos-fix-remove-function.patch b/queue-5.15/usb-dwc3-exynos-fix-remove-function.patch new file mode 100644 index 00000000000..5f2c8b0caaa --- /dev/null +++ b/queue-5.15/usb-dwc3-exynos-fix-remove-function.patch 
@@ -0,0 +1,51 @@ +From e0481e5b3cc12ea7ccf4552d41518c89d3509004 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 10 Nov 2022 16:41:31 +0100 +Subject: usb: dwc3: exynos: Fix remove() function + +From: Marek Szyprowski + +commit e0481e5b3cc12ea7ccf4552d41518c89d3509004 upstream. + +The core DWC3 device node was not properly removed by the custom +dwc3_exynos_remove_child() function. Replace it with generic +of_platform_depopulate() which does that job right. + +Fixes: adcf20dcd262 ("usb: dwc3: exynos: Use of_platform API to create dwc3 core pdev") +Signed-off-by: Marek Szyprowski +Acked-by: Thinh Nguyen +Cc: stable@vger.kernel.org +Reviewed-by: Sam Protsenko +Link: https://lore.kernel.org/r/20221110154131.2577-1-m.szyprowski@samsung.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-exynos.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +--- a/drivers/usb/dwc3/dwc3-exynos.c ++++ b/drivers/usb/dwc3/dwc3-exynos.c +@@ -37,15 +37,6 @@ struct dwc3_exynos { + struct regulator *vdd10; + }; + +-static int dwc3_exynos_remove_child(struct device *dev, void *unused) +-{ +- struct platform_device *pdev = to_platform_device(dev); +- +- platform_device_unregister(pdev); +- +- return 0; +-} +- + static int dwc3_exynos_probe(struct platform_device *pdev) + { + struct dwc3_exynos *exynos; +@@ -142,7 +133,7 @@ static int dwc3_exynos_remove(struct pla + struct dwc3_exynos *exynos = platform_get_drvdata(pdev); + int i; + +- device_for_each_child(&pdev->dev, NULL, dwc3_exynos_remove_child); ++ of_platform_depopulate(&pdev->dev); + + for (i = exynos->num_clks - 1; i >= 0; i--) + clk_disable_unprepare(exynos->clks[i]);
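Review bot: in the rk3399-puma-haikou.dts hunk (@@ -207,7 +207,7 @@), the new max-frequency = <40000000> has no comment beside it, so the reason for the unusual 40 MHz cap exists only in the commit message. A one-line comment above the property, saying that the RK3399-Q7 level shifters do not handle clock rates at or above 48 MHz, would keep a later cleanup from raising the value again.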
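Review bot: in fs/ext4/extents.c, the ret = 0; added directly after the again: label (@@ -5190,6 +5190,7 @@) is not explained in a comment or in the commit message. If it is there so that the new break exit in the right-shift branch returns success rather than a value left over from an earlier pass, a short comment saying so would make the dependency between the two hunks clear.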
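Review bot: in the new else branch of ext4_ext_shift_extents (@@ -5233,14 +5234,21 @@), the backward walk "while (le32_to_cpu(extent->ee_block) >= start) extent--;" has no explicit lower bound. It stays inside the leaf only because this branch is entered when the first extent's ee_block is below start. Since the bug being fixed was the old forward walk running past the boundary, state that invariant in a comment or add an extent > EXT_FIRST_EXTENT(path[depth].p_hdr) condition to the loop. The old "Update path extent in case we need to stop" comment is also dropped without a replacement; a condensed form of the cases listed in the commit message would be worth keeping in the code.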
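Review bot: in cdnsp_halt_endpoint (drivers/usb/cdns3/cdnsp-gadget.c, @@ -600,11 +600,11 @@ and @@ -613,10 +613,6 @@), the comment saying that Reset Endpoint can be called from any endpoint state is deleted, but nothing in the code records why the endpoint is now stopped on the Clear path as well. A comment above the now unconditional cdnsp_cmd_stop_ep() call, repeating the commit message's reason (Reset Endpoint has an issue moving the endpoint from Running to Idle), would keep the call from being moved back under if (value).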
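Review bot: in cdnsp_cmd_stop_ep (drivers/usb/cdns3/cdnsp-ring.c, @@ -2076,7 +2076,8 @@), the early exit now also covers EP_STATE_HALTED, yet it still logs through trace_cdnsp_ep_stopped_or_disabled(), so a halted endpoint appears in traces under a name that says stopped or disabled. Note this in a comment at the trace call, or rename the trace event in a follow-up.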
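Review bot: in cdnsp_td_remainder (@@ -1763,10 +1763,15 @@), the new parameter is named zlp, while the commit message says it is the TRB before the ZLP TRB that must carry TD_SIZE = 1. The comment "Before ZLP driver needs set TD_SIZE = 1." does not settle which TRB the flag describes or why the value is needed. Reword it to say that TD_SIZE is set to 1 on the TRB preceding the ZLP TRB so that the controller processes the ZLP, and consider a parameter name that reflects that.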
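Review bot: in the cdnsp_queue_ctrl_tx and cdnsp_queue_isoc_tx hunks (@@ -2025,7 +2031,7 @@ and @@ -2226,7 +2232,7 @@), the new bool zlp argument is passed as the literal 0. Use false so the call reads as a flag rather than a length or index, especially in cdnsp_queue_ctrl_tx where it follows another bare integer: "preq->request.length, preq, 1, 0".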