From: Sasha Levin Date: Sun, 9 Jul 2023 04:58:26 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.4.3~22^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f998c8088669313b6f63afe6d41444b0475b8d91;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch b/queue-5.4/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch new file mode 100644 index 00000000000..f2141457089 --- /dev/null +++ b/queue-5.4/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch @@ -0,0 +1,42 @@ +From 0d9ac228cf66a8fa67c7465ccb21bebc17592794 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 10:17:32 +0800 +Subject: ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer + +From: Su Hui + +[ Upstream commit 79597c8bf64ca99eab385115743131d260339da5 ] + +smatch error: +sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error: +we previously assumed 'rac97' could be null (see line 2072) + +remove redundant assignment, return error if rac97 is NULL. + +Fixes: da3cec35dd3c ("ALSA: Kill snd_assert() in sound/pci/*") +Signed-off-by: Su Hui +Link: https://lore.kernel.org/r/20230615021732.1972194-1-suhui@nfschina.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/ac97/ac97_codec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c +index 83bb086bf9757..b920c739d6863 100644 +--- a/sound/pci/ac97/ac97_codec.c ++++ b/sound/pci/ac97/ac97_codec.c +@@ -2006,8 +2006,8 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template, + .dev_disconnect = snd_ac97_dev_disconnect, + }; + +- if (rac97) +- *rac97 = NULL; ++ if (!rac97) ++ return -EINVAL; + if (snd_BUG_ON(!bus || !template)) + return -EINVAL; + if (snd_BUG_ON(template->num >= 4)) +-- +2.39.2 + diff --git a/queue-5.4/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch b/queue-5.4/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch new file mode 100644 index 00000000000..a02e737750e --- /dev/null +++ b/queue-5.4/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch @@ -0,0 +1,62 @@ +From 5609fcb852bae84c9a25bfb1cfe1f4b99face629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 00:50:50 +0900 +Subject: ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ + guard + +From: Masahiro Yamada + +[ Upstream commit 92e2921eeafdfca9acd9b83f07d2b7ca099bac24 ] + +ASM_NL is useful not only in *.S files but also in .c files for using +inline assembler in C code. + +On ARC, however, ASM_NL is evaluated inconsistently. It is expanded to +a backquote (`) in *.S files, but a semicolon (;) in *.c files because +arch/arc/include/asm/linkage.h defines it inside #ifdef __ASSEMBLY__, +so the definition for C code falls back to the default value defined in +include/linux/linkage.h. + +If ASM_NL is used in inline assembler in .c files, it will result in +wrong assembly code because a semicolon is not an instruction separator, +but the start of a comment for ARC. + +Move ASM_NL (also __ALIGN and __ALIGN_STR) out of the #ifdef. + +Fixes: 9df62f054406 ("arch: use ASM_NL instead of ';' for assembler new line character in the macro") +Fixes: 8d92e992a785 ("ARC: define __ALIGN_STR and __ALIGN symbols for ARC") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/linkage.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h +index fe19f1d412e71..284fd513d7c67 100644 +--- a/arch/arc/include/asm/linkage.h ++++ b/arch/arc/include/asm/linkage.h +@@ -8,6 +8,10 @@ + + #include + ++#define ASM_NL ` /* use '`' to mark new line in macro */ ++#define __ALIGN .align 4 ++#define __ALIGN_STR __stringify(__ALIGN) ++ + #ifdef __ASSEMBLY__ + + .macro ST2 e, o, off +@@ -28,10 +32,6 @@ + #endif + .endm + +-#define ASM_NL ` /* use '`' to mark new line in macro */ +-#define __ALIGN .align 4 +-#define __ALIGN_STR __stringify(__ALIGN) +- + /* annotation for data we want in DCCM - if enabled in .config */ + .macro ARCFP_DATA nm + #ifdef CONFIG_ARC_HAS_DCCM +-- +2.39.2 + diff --git a/queue-5.4/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch b/queue-5.4/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch new file mode 100644 index 00000000000..f573ced2493 --- /dev/null +++ b/queue-5.4/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch @@ -0,0 +1,103 @@ +From 6402def2cf5aa40cd02fab84a340ccf05ca5bf4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 19:28:42 +0100 +Subject: ARM: 9303/1: kprobes: avoid missing-declaration warnings + +From: Arnd Bergmann + +[ Upstream commit 1b9c3ddcec6a55e15d3e38e7405e2d078db02020 ] + +checker_stack_use_t32strd() and kprobe_handler() can be made static since +they are not used from other files, while coverage_start_registers() +and __kprobes_test_case() are used from assembler code, and just need +a declaration to avoid a warning with the global definition. + +arch/arm/probes/kprobes/checkers-common.c:43:18: error: no previous prototype for 'checker_stack_use_t32strd' +arch/arm/probes/kprobes/core.c:236:16: error: no previous prototype for 'kprobe_handler' +arch/arm/probes/kprobes/test-core.c:723:10: error: no previous prototype for 'coverage_start_registers' +arch/arm/probes/kprobes/test-core.c:918:14: error: no previous prototype for '__kprobes_test_case_start' +arch/arm/probes/kprobes/test-core.c:952:14: error: no previous prototype for '__kprobes_test_case_end_16' +arch/arm/probes/kprobes/test-core.c:967:14: error: no previous prototype for '__kprobes_test_case_end_32' + +Fixes: 6624cf651f1a ("ARM: kprobes: collects stack consumption for store instructions") +Fixes: 454f3e132d05 ("ARM/kprobes: Remove jprobe arm implementation") +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Kees Cook +Signed-off-by: Arnd Bergmann +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/probes/kprobes/checkers-common.c | 2 +- + arch/arm/probes/kprobes/core.c | 2 +- + arch/arm/probes/kprobes/opt-arm.c | 2 -- + arch/arm/probes/kprobes/test-core.c | 2 +- + arch/arm/probes/kprobes/test-core.h | 4 ++++ + 5 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/probes/kprobes/checkers-common.c b/arch/arm/probes/kprobes/checkers-common.c +index 4d720990cf2a3..eba7ac4725c02 100644 +--- a/arch/arm/probes/kprobes/checkers-common.c ++++ b/arch/arm/probes/kprobes/checkers-common.c +@@ -40,7 +40,7 @@ enum probes_insn checker_stack_use_imm_0xx(probes_opcode_t insn, + * Different from other insn uses imm8, the real addressing offset of + * STRD in T32 encoding should be imm8 * 4. See ARMARM description. + */ +-enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn, ++static enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn, + struct arch_probes_insn *asi, + const struct decode_header *h) + { +diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c +index 0a783bd4641c5..44b5f7dbcc00f 100644 +--- a/arch/arm/probes/kprobes/core.c ++++ b/arch/arm/probes/kprobes/core.c +@@ -231,7 +231,7 @@ singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb) + * kprobe, and that level is reserved for user kprobe handlers, so we can't + * risk encountering a new kprobe in an interrupt handler. + */ +-void __kprobes kprobe_handler(struct pt_regs *regs) ++static void __kprobes kprobe_handler(struct pt_regs *regs) + { + struct kprobe *p, *cur; + struct kprobe_ctlblk *kcb; +diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c +index c78180172120f..e20304f1d8bc9 100644 +--- a/arch/arm/probes/kprobes/opt-arm.c ++++ b/arch/arm/probes/kprobes/opt-arm.c +@@ -145,8 +145,6 @@ __arch_remove_optimized_kprobe(struct optimized_kprobe *op, int dirty) + } + } + +-extern void kprobe_handler(struct pt_regs *regs); +- + static void + optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs) + { +diff --git a/arch/arm/probes/kprobes/test-core.c b/arch/arm/probes/kprobes/test-core.c +index c562832b86272..171c7076b89f4 100644 +--- a/arch/arm/probes/kprobes/test-core.c ++++ b/arch/arm/probes/kprobes/test-core.c +@@ -720,7 +720,7 @@ static const char coverage_register_lookup[16] = { + [REG_TYPE_NOSPPCX] = COVERAGE_ANY_REG | COVERAGE_SP, + }; + +-unsigned coverage_start_registers(const struct decode_header *h) ++static unsigned coverage_start_registers(const struct decode_header *h) + { + unsigned regs = 0; + int i; +diff --git a/arch/arm/probes/kprobes/test-core.h b/arch/arm/probes/kprobes/test-core.h +index 19a5b2add41e1..805116c2ec27c 100644 +--- a/arch/arm/probes/kprobes/test-core.h ++++ b/arch/arm/probes/kprobes/test-core.h +@@ -453,3 +453,7 @@ void kprobe_thumb32_test_cases(void); + #else + void kprobe_arm_test_cases(void); + #endif ++ ++void __kprobes_test_case_start(void); ++void __kprobes_test_case_end_16(void); ++void __kprobes_test_case_end_32(void); +-- +2.39.2 + diff --git a/queue-5.4/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch b/queue-5.4/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch new file mode 100644 index 00000000000..ee152c11de5 --- /dev/null +++ b/queue-5.4/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch @@ -0,0 +1,42 @@ +From 0096c1e92ba0a406b0fd058c1a62d0e83b2acc16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 May 2023 14:28:30 +0200 +Subject: ARM: dts: BCM5301X: Drop "clock-names" from the SPI node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit d3c8e2c5757153bbfad70019ec1decbca86f3def ] + +There is no such property in the SPI controller binding documentation. +Also Linux driver doesn't look for it. + +This fixes: +arch/arm/boot/dts/bcm4708-asus-rt-ac56u.dtb: spi@18029200: Unevaluated properties are not allowed ('clock-names' was unexpected) + From schema: Documentation/devicetree/bindings/spi/brcm,spi-bcm-qspi.yaml + +Signed-off-by: Rafał Miłecki +Link: https://lore.kernel.org/r/20230503122830.3200-1-zajec5@gmail.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm5301x.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi +index 05d67f9769118..bf8154aa203a7 100644 +--- a/arch/arm/boot/dts/bcm5301x.dtsi ++++ b/arch/arm/boot/dts/bcm5301x.dtsi +@@ -511,7 +511,6 @@ spi@18029200 { + "spi_lr_session_done", + "spi_lr_overread"; + clocks = <&iprocmed>; +- clock-names = "iprocmed"; + num-cs = <2>; + #address-cells = <1>; + #size-cells = <0>; +-- +2.39.2 + diff --git a/queue-5.4/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch b/queue-5.4/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch new file mode 100644 index 00000000000..88e6a164920 --- /dev/null +++ b/queue-5.4/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch @@ -0,0 +1,41 @@ +From 30dbdf68579470da0220645c27b82c006145814b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 13:32:25 +0300 +Subject: ARM: dts: gta04: Move model property out of pinctrl node + +From: Tony Lindgren + +[ Upstream commit 4ffec92e70ac5097b9f67ec154065305b16a3b46 ] + +The model property should be at the top level, let's move it out +of the pinctrl node. + +Fixes: d2eaf949d2c3 ("ARM: dts: omap3-gta04a5one: define GTA04A5 variant with OneNAND") +Cc: Andreas Kemnade +Cc: H. Nikolaus Schaller +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap3-gta04a5one.dts | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/omap3-gta04a5one.dts b/arch/arm/boot/dts/omap3-gta04a5one.dts +index 9db9fe67cd63b..95df45cc70c09 100644 +--- a/arch/arm/boot/dts/omap3-gta04a5one.dts ++++ b/arch/arm/boot/dts/omap3-gta04a5one.dts +@@ -5,9 +5,11 @@ + + #include "omap3-gta04a5.dts" + +-&omap3_pmx_core { ++/ { + model = "Goldelico GTA04A5/Letux 2804 with OneNAND"; ++}; + ++&omap3_pmx_core { + gpmc_pins: pinmux_gpmc_pins { + pinctrl-single,pins = < + +-- +2.39.2 + diff --git a/queue-5.4/arm-ep93xx-fix-missing-prototype-warnings.patch b/queue-5.4/arm-ep93xx-fix-missing-prototype-warnings.patch new file mode 100644 index 00000000000..43de680fdc9 --- /dev/null +++ b/queue-5.4/arm-ep93xx-fix-missing-prototype-warnings.patch @@ -0,0 +1,48 @@ +From 685ad03a8c0da4a70dcb9d235a40f508a5ad0af2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 17:30:58 +0200 +Subject: ARM: ep93xx: fix missing-prototype warnings + +From: Arnd Bergmann + +[ Upstream commit 419013740ea1e4343d8ade535d999f59fa28e460 ] + +ep93xx_clocksource_read() is only called from the file it is declared in, +while ep93xx_timer_init() is declared in a header that is not included here. + +arch/arm/mach-ep93xx/timer-ep93xx.c:120:13: error: no previous prototype for 'ep93xx_timer_init' +arch/arm/mach-ep93xx/timer-ep93xx.c:63:5: error: no previous prototype for 'ep93xx_clocksource_read' + +Fixes: 000bc17817bf ("ARM: ep93xx: switch to GENERIC_CLOCKEVENTS") +Acked-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20230516153109.514251-3-arnd@kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-ep93xx/timer-ep93xx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-ep93xx/timer-ep93xx.c b/arch/arm/mach-ep93xx/timer-ep93xx.c +index de998830f534f..b07956883e165 100644 +--- a/arch/arm/mach-ep93xx/timer-ep93xx.c ++++ b/arch/arm/mach-ep93xx/timer-ep93xx.c +@@ -9,6 +9,7 @@ + #include + #include + #include "soc.h" ++#include "platform.h" + + /************************************************************************* + * Timer handling for EP93xx +@@ -60,7 +61,7 @@ static u64 notrace ep93xx_read_sched_clock(void) + return ret; + } + +-u64 ep93xx_clocksource_read(struct clocksource *c) ++static u64 ep93xx_clocksource_read(struct clocksource *c) + { + u64 ret; + +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch b/queue-5.4/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch new file mode 100644 index 00000000000..1856c045c24 --- /dev/null +++ b/queue-5.4/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch @@ -0,0 +1,39 @@ +From d93bb436a0e37af1a78696984562d6cfb1fcd591 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Apr 2023 23:18:40 +0200 +Subject: arm64: dts: qcom: msm8916: correct camss unit address + +From: Krzysztof Kozlowski + +[ Upstream commit 48798d992ce276cf0d57bf75318daf8eabd02aa4 ] + +Match unit-address to reg entry to fix dtbs W=1 warnings: + + Warning (simple_bus_reg): /soc@0/camss@1b00000: simple-bus unit address format error, expected "1b0ac00" + +Fixes: 58f479f90a7c ("arm64: dts: qcom: msm8916: Add CAMSS support") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230419211856.79332-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index 301c1c467c0b7..bf40500adef73 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -1451,7 +1451,7 @@ video-encoder { + }; + }; + +- camss: camss@1b00000 { ++ camss: camss@1b0ac00 { + compatible = "qcom,msm8916-camss"; + reg = <0x1b0ac00 0x200>, + <0x1b00030 0x4>, +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch b/queue-5.4/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch new file mode 100644 index 00000000000..cf69bb90633 --- /dev/null +++ b/queue-5.4/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch @@ -0,0 +1,46 @@ +From dabb2fd0846a090677f98cc9ec06cf81fe0e6f29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 10:48:22 +0200 +Subject: arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1 + +From: Wolfram Sang + +[ Upstream commit 1a2c4e5635177939a088d22fa35c6a7032725663 ] + +The schematics are misleading, the flow control is for HSCIF1. We need +SCIF1 for GNSS/GPS which does not use flow control. + +Fixes: c6c816e22bc8 ("arm64: dts: ulcb-kf: enable SCIF1") +Signed-off-by: Wolfram Sang +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230525084823.4195-2-wsa+renesas@sang-engineering.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/ulcb-kf.dtsi | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi +index 202177706cdeb..df00acb35263d 100644 +--- a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi ++++ b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi +@@ -269,7 +269,7 @@ hscif0_pins: hscif0 { + }; + + scif1_pins: scif1 { +- groups = "scif1_data_b", "scif1_ctrl"; ++ groups = "scif1_data_b"; + function = "scif1"; + }; + +@@ -329,7 +329,6 @@ rsnd_for_pcm3168a_capture: endpoint { + &scif1 { + pinctrl-0 = <&scif1_pins>; + pinctrl-names = "default"; +- uart-has-rtscts; + + status = "okay"; + }; +-- +2.39.2 + diff --git a/queue-5.4/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch b/queue-5.4/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch new file mode 100644 index 00000000000..e08774e1abb --- /dev/null +++ b/queue-5.4/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch @@ -0,0 +1,91 @@ +From 8dee408ced8c40a6774e8d3b300f6704cdb1f0b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 21:11:39 +0300 +Subject: ASoC: es8316: Do not set rate constraints for unsupported MCLKs + +From: Cristian Ciocaltea + +[ Upstream commit 60413129ee2b38a80347489270af7f6e1c1de4d0 ] + +When using the codec through the generic audio graph card, there are at +least two calls of es8316_set_dai_sysclk(), with the effect of limiting +the allowed sample rates according to the MCLK/LRCK ratios supported by +the codec: + +1. During audio card setup, to set the initial MCLK - see + asoc_simple_init_dai(). + +2. Before opening a stream, to update MCLK, according to the stream + sample rate and the multiplication factor - see + asoc_simple_hw_params(). + +In some cases the initial MCLK might be set to a frequency that doesn't +match any of the supported ratios, e.g. 12287999 instead of 12288000, +which is only 1 Hz below the supported clock, as that is what the +hardware reports. This creates an empty list of rate constraints, which +is further passed to snd_pcm_hw_constraint_list() via +es8316_pcm_startup(), and causes the following error on the very first +access of the sound card: + + $ speaker-test -D hw:Analog,0 -F S16_LE -c 2 -t wav + Broken configuration for playback: no configurations available: Invalid argument + Setting of hwparams failed: Invalid argument + +Note that all subsequent retries succeed thanks to the updated MCLK set +at point 2 above, which uses a computed frequency value instead of a +reading from the hardware registers. Normally this would have mitigated +the issue, but es8316_pcm_startup() executes before the 2nd call to +es8316_set_dai_sysclk(), hence it cannot make use of the updated +constraints. + +Since es8316_pcm_hw_params() performs anyway a final validation of MCLK +against the stream sample rate and the supported MCLK/LRCK ratios, fix +the issue by ensuring that sysclk_constraints list is only set when at +least one supported sample rate is autodetected by the codec. + +Fixes: b8b88b70875a ("ASoC: add es8316 codec driver") +Signed-off-by: Cristian Ciocaltea +Link: https://lore.kernel.org/r/20230530181140.483936-3-cristian.ciocaltea@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/es8316.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c +index 9be667e76e552..131f41cccbe65 100644 +--- a/sound/soc/codecs/es8316.c ++++ b/sound/soc/codecs/es8316.c +@@ -369,13 +369,11 @@ static int es8316_set_dai_sysclk(struct snd_soc_dai *codec_dai, + int count = 0; + + es8316->sysclk = freq; ++ es8316->sysclk_constraints.list = NULL; ++ es8316->sysclk_constraints.count = 0; + +- if (freq == 0) { +- es8316->sysclk_constraints.list = NULL; +- es8316->sysclk_constraints.count = 0; +- ++ if (freq == 0) + return 0; +- } + + ret = clk_set_rate(es8316->mclk, freq); + if (ret) +@@ -391,8 +389,10 @@ static int es8316_set_dai_sysclk(struct snd_soc_dai *codec_dai, + es8316->allowed_rates[count++] = freq / ratio; + } + +- es8316->sysclk_constraints.list = es8316->allowed_rates; +- es8316->sysclk_constraints.count = count; ++ if (count) { ++ es8316->sysclk_constraints.list = es8316->allowed_rates; ++ es8316->sysclk_constraints.count = count; ++ } + + return 0; + } +-- +2.39.2 + diff --git a/queue-5.4/asoc-es8316-increment-max-value-for-alc-capture-targ.patch b/queue-5.4/asoc-es8316-increment-max-value-for-alc-capture-targ.patch new file mode 100644 index 00000000000..8f4e3873764 --- /dev/null +++ b/queue-5.4/asoc-es8316-increment-max-value-for-alc-capture-targ.patch @@ -0,0 +1,91 @@ +From 191a40bb157ade3123cc5c5334ec2eadd0a0dd3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 21:11:38 +0300 +Subject: ASoC: es8316: Increment max value for ALC Capture Target Volume + control + +From: Cristian Ciocaltea + +[ Upstream commit 6f073429037cd79d7311cd8236311c53f5ea8f01 ] + +The following error occurs when trying to restore a previously saved +ALSA mixer state (tested on a Rock 5B board): + + $ alsactl --no-ucm -f /tmp/asound.state store hw:Analog + $ alsactl --no-ucm -I -f /tmp/asound.state restore hw:Analog + alsactl: set_control:1475: Cannot write control '2:0:0:ALC Capture Target Volume:0' : Invalid argument + +According to ES8316 datasheet, the register at address 0x2B, which is +related to the above mixer control, contains by default the value 0xB0. +Considering the corresponding ALC target bits (ALCLVL) are 7:4, the +control is initialized with 11, which is one step above the maximum +value allowed by the driver: + + ALCLVL | dB gain + -------+-------- + 0000 | -16.5 + 0001 | -15.0 + 0010 | -13.5 + .... | ..... + 0111 | -6.0 + 1000 | -4.5 + 1001 | -3.0 + 1010 | -1.5 + .... | ..... + 1111 | -1.5 + +The tests performed using the VU meter feature (--vumeter=TYPE) of +arecord/aplay confirm the specs are correct and there is no measured +gain if the 1011-1111 range would have been mapped to 0 dB: + + dB gain | VU meter % + --------+----------- + -6.0 | 30-31 + -4.5 | 35-36 + -3.0 | 42-43 + -1.5 | 50-51 + 0.0 | 50-51 + +Increment the max value allowed for ALC Capture Target Volume control, +so that it matches the hardware default. Additionally, update the +related TLV to prevent an artificial extension of the dB gain range. + +Fixes: b8b88b70875a ("ASoC: add es8316 codec driver") +Signed-off-by: Cristian Ciocaltea +Link: https://lore.kernel.org/r/20230530181140.483936-2-cristian.ciocaltea@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/es8316.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c +index efeffa0bf2d78..9be667e76e552 100644 +--- a/sound/soc/codecs/es8316.c ++++ b/sound/soc/codecs/es8316.c +@@ -52,7 +52,12 @@ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(dac_vol_tlv, -9600, 50, 1); + static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(adc_vol_tlv, -9600, 50, 1); + static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_max_gain_tlv, -650, 150, 0); + static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_min_gain_tlv, -1200, 150, 0); +-static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_target_tlv, -1650, 150, 0); ++ ++static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(alc_target_tlv, ++ 0, 10, TLV_DB_SCALE_ITEM(-1650, 150, 0), ++ 11, 11, TLV_DB_SCALE_ITEM(-150, 0, 0), ++); ++ + static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(hpmixer_gain_tlv, + 0, 4, TLV_DB_SCALE_ITEM(-1200, 150, 0), + 8, 11, TLV_DB_SCALE_ITEM(-450, 150, 0), +@@ -115,7 +120,7 @@ static const struct snd_kcontrol_new es8316_snd_controls[] = { + alc_max_gain_tlv), + SOC_SINGLE_TLV("ALC Capture Min Volume", ES8316_ADC_ALC2, 0, 28, 0, + alc_min_gain_tlv), +- SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 10, 0, ++ SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 11, 0, + alc_target_tlv), + SOC_SINGLE("ALC Capture Hold Time", ES8316_ADC_ALC3, 0, 10, 0), + SOC_SINGLE("ALC Capture Decay Time", ES8316_ADC_ALC4, 4, 10, 0), +-- +2.39.2 + diff --git a/queue-5.4/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch b/queue-5.4/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch new file mode 100644 index 00000000000..156b845b48f --- /dev/null +++ b/queue-5.4/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch @@ -0,0 +1,66 @@ +From c011bb31a4a41e3076ca6e2cd957d4a273572962 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 15:15:09 +0300 +Subject: ASoC: imx-audmix: check return value of devm_kasprintf() + +From: Claudiu Beznea + +[ Upstream commit 2f76e1d6ca524a888d29aafe29f2ad2003857971 ] + +devm_kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: b86ef5367761 ("ASoC: fsl: Add Audio Mixer machine driver") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230614121509.443926-1-claudiu.beznea@microchip.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-audmix.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/sound/soc/fsl/imx-audmix.c b/sound/soc/fsl/imx-audmix.c +index 71590ca6394b9..08c044a72250a 100644 +--- a/sound/soc/fsl/imx-audmix.c ++++ b/sound/soc/fsl/imx-audmix.c +@@ -230,6 +230,8 @@ static int imx_audmix_probe(struct platform_device *pdev) + + dai_name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "%s%s", + fe_name_pref, args.np->full_name + 1); ++ if (!dai_name) ++ return -ENOMEM; + + dev_info(pdev->dev.parent, "DAI FE name:%s\n", dai_name); + +@@ -238,6 +240,8 @@ static int imx_audmix_probe(struct platform_device *pdev) + capture_dai_name = + devm_kasprintf(&pdev->dev, GFP_KERNEL, "%s %s", + dai_name, "CPU-Capture"); ++ if (!capture_dai_name) ++ return -ENOMEM; + } + + priv->dai[i].cpus = &dlc[0]; +@@ -268,6 +272,8 @@ static int imx_audmix_probe(struct platform_device *pdev) + "AUDMIX-Playback-%d", i); + be_cp = devm_kasprintf(&pdev->dev, GFP_KERNEL, + "AUDMIX-Capture-%d", i); ++ if (!be_name || !be_pb || !be_cp) ++ return -ENOMEM; + + priv->dai[num_dai + i].cpus = &dlc[3]; + priv->dai[num_dai + i].codecs = &dlc[4]; +@@ -295,6 +301,9 @@ static int imx_audmix_probe(struct platform_device *pdev) + priv->dapm_routes[i].source = + devm_kasprintf(&pdev->dev, GFP_KERNEL, "%s %s", + dai_name, "CPU-Playback"); ++ if (!priv->dapm_routes[i].source) ++ return -ENOMEM; ++ + priv->dapm_routes[i].sink = be_pb; + priv->dapm_routes[num_dai + i].source = be_pb; + priv->dapm_routes[num_dai + i].sink = be_cp; +-- +2.39.2 + diff --git a/queue-5.4/clk-cdce925-check-return-value-of-kasprintf.patch b/queue-5.4/clk-cdce925-check-return-value-of-kasprintf.patch new file mode 100644 index 00000000000..606d4c27c2a --- /dev/null +++ b/queue-5.4/clk-cdce925-check-return-value-of-kasprintf.patch @@ -0,0 +1,63 @@ +From 06e8c588011192b1a3a5de6047c5a34f5bb296de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 12:39:07 +0300 +Subject: clk: cdce925: check return value of kasprintf() + +From: Claudiu Beznea + +[ Upstream commit bb7d09ddbf361d51eae46f38e7c8a2b85914ea2a ] + +kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: 19fbbbbcd3a3 ("Add TI CDCE925 I2C controlled clock synthesizer driver") +Depends-on: e665f029a283 ("clk: Convert to using %pOFn instead of device_node.name") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230530093913.1656095-3-claudiu.beznea@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-cdce925.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/clk/clk-cdce925.c b/drivers/clk/clk-cdce925.c +index 308b353815e17..470d91d7314db 100644 +--- a/drivers/clk/clk-cdce925.c ++++ b/drivers/clk/clk-cdce925.c +@@ -705,6 +705,10 @@ static int cdce925_probe(struct i2c_client *client, + for (i = 0; i < data->chip_info->num_plls; ++i) { + pll_clk_name[i] = kasprintf(GFP_KERNEL, "%pOFn.pll%d", + client->dev.of_node, i); ++ if (!pll_clk_name[i]) { ++ err = -ENOMEM; ++ goto error; ++ } + init.name = pll_clk_name[i]; + data->pll[i].chip = data; + data->pll[i].hw.init = &init; +@@ -746,6 +750,10 @@ static int cdce925_probe(struct i2c_client *client, + init.num_parents = 1; + init.parent_names = &parent_name; /* Mux Y1 to input */ + init.name = kasprintf(GFP_KERNEL, "%pOFn.Y1", client->dev.of_node); ++ if (!init.name) { ++ err = -ENOMEM; ++ goto error; ++ } + data->clk[0].chip = data; + data->clk[0].hw.init = &init; + data->clk[0].index = 0; +@@ -764,6 +772,10 @@ static int cdce925_probe(struct i2c_client *client, + for (i = 1; i < data->chip_info->num_outputs; ++i) { + init.name = kasprintf(GFP_KERNEL, "%pOFn.Y%d", + client->dev.of_node, i+1); ++ if (!init.name) { ++ err = -ENOMEM; ++ goto error; ++ } + data->clk[i].chip = data; + data->clk[i].hw.init = &init; + data->clk[i].index = i; +-- +2.39.2 + diff --git a/queue-5.4/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch b/queue-5.4/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch new file mode 100644 index 00000000000..daf2dafb743 --- /dev/null +++ b/queue-5.4/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch @@ -0,0 +1,40 @@ +From 2656d1bd9c07cc481e64665d3ce063f6bf282881 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 12:39:11 +0300 +Subject: clk: keystone: sci-clk: check return value of kasprintf() + +From: Claudiu Beznea + +[ Upstream commit b73ed981da6d25c921aaefa7ca3df85bbd85b7fc ] + +kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: b745c0794e2f ("clk: keystone: Add sci-clk driver support") +Depends-on: 96488c09b0f4 ("clk: keystone: sci-clk: cut down the clock name length") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230530093913.1656095-7-claudiu.beznea@microchip.com +Reviewed-by: Tony Lindgren +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/keystone/sci-clk.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/keystone/sci-clk.c b/drivers/clk/keystone/sci-clk.c +index 64ea895f1a7df..8e28e3489ded3 100644 +--- a/drivers/clk/keystone/sci-clk.c ++++ b/drivers/clk/keystone/sci-clk.c +@@ -287,6 +287,8 @@ static int _sci_clk_build(struct sci_clk_provider *provider, + + name = kasprintf(GFP_KERNEL, "clk:%d:%d", sci_clk->dev_id, + sci_clk->clk_id); ++ if (!name) ++ return -ENOMEM; + + init.name = name; + +-- +2.39.2 + diff --git a/queue-5.4/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch b/queue-5.4/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch new file mode 100644 index 00000000000..64ed04acfa0 --- /dev/null +++ b/queue-5.4/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch @@ -0,0 +1,45 @@ +From 5ff744f390b62ba363cc4ac655dab5a6724c3e54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 09:41:24 +0000 +Subject: clk: tegra: tegra124-emc: Fix potential memory leak + +From: Yuan Can + +[ Upstream commit 53a06e5924c0d43c11379a08c5a78529c3e61595 ] + +The tegra and tegra needs to be freed in the error handling path, otherwise +it will be leaked. + +Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver") +Signed-off-by: Yuan Can +Link: https://lore.kernel.org/r/20221209094124.71043-1-yuancan@huawei.com +Acked-by: Thierry Reding +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-emc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/tegra/clk-emc.c b/drivers/clk/tegra/clk-emc.c +index 0c1b83bedb73d..eb2411a4cd783 100644 +--- a/drivers/clk/tegra/clk-emc.c ++++ b/drivers/clk/tegra/clk-emc.c +@@ -459,6 +459,7 @@ static int load_timings_from_dt(struct tegra_clk_emc *tegra, + err = load_one_timing_from_dt(tegra, timing, child); + if (err) { + of_node_put(child); ++ kfree(tegra->timings); + return err; + } + +@@ -510,6 +511,7 @@ struct clk *tegra_clk_register_emc(void __iomem *base, struct device_node *np, + err = load_timings_from_dt(tegra, node, node_ram_code); + if (err) { + of_node_put(node); ++ kfree(tegra); + return ERR_PTR(err); + } + } +-- +2.39.2 + diff --git a/queue-5.4/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch b/queue-5.4/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch new file mode 100644 index 00000000000..4d95ad0ec47 --- /dev/null +++ b/queue-5.4/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch @@ -0,0 +1,81 @@ +From ff8dc93e7429fcd507170d44d712a4c5804cedb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 06:56:11 +0000 +Subject: clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe + +From: Feng Mingxi + +[ Upstream commit 8b5bf64c89c7100c921bd807ba39b2eb003061ab ] + +Smatch reports: +drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe() +warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516. + +timer_baseaddr may have the problem of not being released after use, +I replaced it with the devm_of_iomap() function and added the clk_put() +function to cleanup the "clk_ce" and "clk_cs". + +Fixes: e932900a3279 ("arm: zynq: Use standard timer binding") +Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error") +Signed-off-by: Feng Mingxi +Reviewed-by: Dongliang Mu +Acked-by: Michal Simek +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20230425065611.702917-1-m202271825@hust.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-cadence-ttc.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c +index df5895e934636..bd49385178d0f 100644 +--- a/drivers/clocksource/timer-cadence-ttc.c ++++ b/drivers/clocksource/timer-cadence-ttc.c +@@ -486,10 +486,10 @@ static int __init ttc_timer_probe(struct platform_device *pdev) + * and use it. Note that the event timer uses the interrupt and it's the + * 2nd TTC hence the irq_of_parse_and_map(,1) + */ +- timer_baseaddr = of_iomap(timer, 0); +- if (!timer_baseaddr) { ++ timer_baseaddr = devm_of_iomap(&pdev->dev, timer, 0, NULL); ++ if (IS_ERR(timer_baseaddr)) { + pr_err("ERROR: invalid timer base address\n"); +- return -ENXIO; ++ return PTR_ERR(timer_baseaddr); + } + + irq = irq_of_parse_and_map(timer, 1); +@@ -513,20 +513,27 @@ static int __init ttc_timer_probe(struct platform_device *pdev) + clk_ce = of_clk_get(timer, clksel); + if (IS_ERR(clk_ce)) { + pr_err("ERROR: timer input clock not found\n"); +- return PTR_ERR(clk_ce); ++ ret = PTR_ERR(clk_ce); ++ goto put_clk_cs; + } + + ret = ttc_setup_clocksource(clk_cs, timer_baseaddr, timer_width); + if (ret) +- return ret; ++ goto put_clk_ce; + + ret = ttc_setup_clockevent(clk_ce, timer_baseaddr + 4, irq); + if (ret) +- return ret; ++ goto put_clk_ce; + + pr_info("%pOFn #0 at %p, irq=%d\n", timer, timer_baseaddr, irq); + + return 0; ++ ++put_clk_ce: ++ clk_put(clk_ce); ++put_clk_cs: ++ clk_put(clk_cs); ++ return ret; + } + + static const struct of_device_id ttc_timer_of_match[] = { +-- +2.39.2 + diff --git a/queue-5.4/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch b/queue-5.4/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch new file mode 100644 index 00000000000..458cb8a918c --- /dev/null +++ b/queue-5.4/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch @@ -0,0 +1,86 @@ +From 9aafc8310ef35dfe631b0ae48e9a39bdf27caf13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 02:36:28 -0800 +Subject: clocksource/drivers/cadence-ttc: Use ttc driver as platform driver + +From: Rajan Vaja + +[ Upstream commit f5ac896b6a23eb46681cdbef440c1d991b04e519 ] + +Currently TTC driver is TIMER_OF_DECLARE type driver. Because of +that, TTC driver may be initialized before other clock drivers. If +TTC driver is dependent on that clock driver then initialization of +TTC driver will failed. + +So use TTC driver as platform driver instead of using +TIMER_OF_DECLARE. + +Signed-off-by: Rajan Vaja +Tested-by: Michal Simek +Acked-by: Michal Simek +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/1573122988-18399-1-git-send-email-rajan.vaja@xilinx.com +Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe") +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-cadence-ttc.c | 26 +++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c +index 160bc6597de5b..df5895e934636 100644 +--- a/drivers/clocksource/timer-cadence-ttc.c ++++ b/drivers/clocksource/timer-cadence-ttc.c +@@ -15,6 +15,8 @@ + #include + #include + #include ++#include ++#include + + /* + * This driver configures the 2 16/32-bit count-up timers as follows: +@@ -464,13 +466,7 @@ static int __init ttc_setup_clockevent(struct clk *clk, + return err; + } + +-/** +- * ttc_timer_init - Initialize the timer +- * +- * Initializes the timer hardware and register the clock source and clock event +- * timers with Linux kernal timer framework +- */ +-static int __init ttc_timer_init(struct device_node *timer) ++static int __init ttc_timer_probe(struct platform_device *pdev) + { + unsigned int irq; + void __iomem *timer_baseaddr; +@@ -478,6 +474,7 @@ static int __init ttc_timer_init(struct device_node *timer) + static int initialized; + int clksel, ret; + u32 timer_width = 16; ++ struct device_node *timer = pdev->dev.of_node; + + if (initialized) + return 0; +@@ -532,4 +529,17 @@ static int __init ttc_timer_init(struct device_node *timer) + return 0; + } + +-TIMER_OF_DECLARE(ttc, "cdns,ttc", ttc_timer_init); ++static const struct of_device_id ttc_timer_of_match[] = { ++ {.compatible = "cdns,ttc"}, ++ {}, ++}; ++ ++MODULE_DEVICE_TABLE(of, ttc_timer_of_match); ++ ++static struct platform_driver ttc_timer_driver = { ++ .driver = { ++ .name = "cdns_ttc_timer", ++ .of_match_table = ttc_timer_of_match, ++ }, ++}; ++builtin_platform_driver_probe(ttc_timer_driver, ttc_timer_probe); +-- +2.39.2 + diff --git a/queue-5.4/crypto-marvell-cesa-fix-type-mismatch-warning.patch b/queue-5.4/crypto-marvell-cesa-fix-type-mismatch-warning.patch new file mode 100644 index 00000000000..7ed4ccae55c --- /dev/null +++ b/queue-5.4/crypto-marvell-cesa-fix-type-mismatch-warning.patch @@ -0,0 +1,49 @@ +From 95077e34f3fe5cbe27a65bd338f45589cd7ef28c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 10:33:04 +0200 +Subject: crypto: marvell/cesa - Fix type mismatch warning + +From: Arnd Bergmann + +[ Upstream commit efbc7764c4446566edb76ca05e903b5905673d2e ] + +Commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") uncovered +a type mismatch in cesa 3des support that leads to a memcpy beyond the +end of a structure: + +In function 'fortify_memcpy_chk', + inlined from 'mv_cesa_des3_ede_setkey' at drivers/crypto/marvell/cesa/cipher.c:307:2: +include/linux/fortify-string.h:583:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] + 583 | __write_overflow_field(p_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This is probably harmless as the actual data that is copied has the correct +type, but clearly worth fixing nonetheless. + +Fixes: 4ada48397823 ("crypto: marvell/cesa - add Triple-DES support") +Cc: Kees Cook +Cc: Gustavo A. R. Silva" +Signed-off-by: Arnd Bergmann +Reviewed-by: Kees Cook +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/cipher.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/marvell/cipher.c b/drivers/crypto/marvell/cipher.c +index 708dc63b2f099..c7d433d1cd99d 100644 +--- a/drivers/crypto/marvell/cipher.c ++++ b/drivers/crypto/marvell/cipher.c +@@ -287,7 +287,7 @@ static int mv_cesa_des_setkey(struct crypto_skcipher *cipher, const u8 *key, + static int mv_cesa_des3_ede_setkey(struct crypto_skcipher *cipher, + const u8 *key, unsigned int len) + { +- struct mv_cesa_des_ctx *ctx = crypto_skcipher_ctx(cipher); ++ struct mv_cesa_des3_ctx *ctx = crypto_skcipher_ctx(cipher); + int err; + + err = verify_skcipher_des3_key(cipher, key); +-- +2.39.2 + diff --git a/queue-5.4/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch b/queue-5.4/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch new file mode 100644 index 00000000000..66b1b565aaf --- /dev/null +++ b/queue-5.4/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch @@ -0,0 +1,88 @@ +From ab77abb378b334c4643ed68491cbad54967434c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 15:33:34 -0700 +Subject: crypto: nx - fix build warnings when DEBUG_FS is not enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit b04b076fb56560b39d695ac3744db457e12278fd ] + +Fix build warnings when DEBUG_FS is not enabled by using an empty +do-while loop instead of a value: + +In file included from ../drivers/crypto/nx/nx.c:27: +../drivers/crypto/nx/nx.c: In function 'nx_register_algs': +../drivers/crypto/nx/nx.h:173:33: warning: statement with no effect [-Wunused-value] + 173 | #define NX_DEBUGFS_INIT(drv) (0) +../drivers/crypto/nx/nx.c:573:9: note: in expansion of macro 'NX_DEBUGFS_INIT' + 573 | NX_DEBUGFS_INIT(&nx_driver); +../drivers/crypto/nx/nx.c: In function 'nx_remove': +../drivers/crypto/nx/nx.h:174:33: warning: statement with no effect [-Wunused-value] + 174 | #define NX_DEBUGFS_FINI(drv) (0) +../drivers/crypto/nx/nx.c:793:17: note: in expansion of macro 'NX_DEBUGFS_FINI' + 793 | NX_DEBUGFS_FINI(&nx_driver); + +Also, there is no need to build nx_debugfs.o when DEBUG_FS is not +enabled, so change the Makefile to accommodate that. + +Fixes: ae0222b7289d ("powerpc/crypto: nx driver code supporting nx encryption") +Fixes: aef7b31c8833 ("powerpc/crypto: Build files for the nx device driver") +Signed-off-by: Randy Dunlap +Cc: Breno Leitão +Cc: Nayna Jain +Cc: Paulo Flabiano Smorigo +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: linux-crypto@vger.kernel.org +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Christophe Leroy +Cc: linuxppc-dev@lists.ozlabs.org +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/nx/Makefile | 2 +- + drivers/crypto/nx/nx.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/nx/Makefile b/drivers/crypto/nx/Makefile +index 015155da59c29..76139865d7fa1 100644 +--- a/drivers/crypto/nx/Makefile ++++ b/drivers/crypto/nx/Makefile +@@ -1,7 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + obj-$(CONFIG_CRYPTO_DEV_NX_ENCRYPT) += nx-crypto.o + nx-crypto-objs := nx.o \ +- nx_debugfs.o \ + nx-aes-cbc.o \ + nx-aes-ecb.o \ + nx-aes-gcm.o \ +@@ -11,6 +10,7 @@ nx-crypto-objs := nx.o \ + nx-sha256.o \ + nx-sha512.o + ++nx-crypto-$(CONFIG_DEBUG_FS) += nx_debugfs.o + obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_PSERIES) += nx-compress-pseries.o nx-compress.o + obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_POWERNV) += nx-compress-powernv.o nx-compress.o + nx-compress-objs := nx-842.o +diff --git a/drivers/crypto/nx/nx.h b/drivers/crypto/nx/nx.h +index 7ecca168f8c48..5c77aba450cf8 100644 +--- a/drivers/crypto/nx/nx.h ++++ b/drivers/crypto/nx/nx.h +@@ -169,8 +169,8 @@ struct nx_sg *nx_walk_and_build(struct nx_sg *, unsigned int, + void nx_debugfs_init(struct nx_crypto_driver *); + void nx_debugfs_fini(struct nx_crypto_driver *); + #else +-#define NX_DEBUGFS_INIT(drv) (0) +-#define NX_DEBUGFS_FINI(drv) (0) ++#define NX_DEBUGFS_INIT(drv) do {} while (0) ++#define NX_DEBUGFS_FINI(drv) do {} while (0) + #endif + + #define NX_PAGE_NUM(x) ((u64)(x) & 0xfffffffffffff000ULL) +-- +2.39.2 + diff --git a/queue-5.4/crypto-skcipher-remove-crypto_has_ablkcipher.patch b/queue-5.4/crypto-skcipher-remove-crypto_has_ablkcipher.patch new file mode 100644 index 00000000000..c6238a04842 --- /dev/null +++ b/queue-5.4/crypto-skcipher-remove-crypto_has_ablkcipher.patch @@ -0,0 +1,88 @@ +From 977d524b86005c307a4d0ed46d890c93102e12b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 12:41:10 -0700 +Subject: crypto: skcipher - remove crypto_has_ablkcipher() + +From: Eric Biggers + +[ Upstream commit cec0cb8a28f9060367099beeafd0dbdb76fdfae2 ] + +crypto_has_ablkcipher() has no users, and it does the same thing as +crypto_has_skcipher() anyway. So remove it. This also removes the last +user of crypto_skcipher_type() and crypto_skcipher_mask(), so remove +those too. + +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Stable-dep-of: efbc7764c444 ("crypto: marvell/cesa - Fix type mismatch warning") +Signed-off-by: Sasha Levin +--- + Documentation/crypto/api-skcipher.rst | 2 +- + include/linux/crypto.h | 31 --------------------------- + 2 files changed, 1 insertion(+), 32 deletions(-) + +diff --git a/Documentation/crypto/api-skcipher.rst b/Documentation/crypto/api-skcipher.rst +index 20ba08dddf2ec..55e0851f6fed9 100644 +--- a/Documentation/crypto/api-skcipher.rst ++++ b/Documentation/crypto/api-skcipher.rst +@@ -41,7 +41,7 @@ Asynchronous Block Cipher API - Deprecated + :doc: Asynchronous Block Cipher API + + .. kernel-doc:: include/linux/crypto.h +- :functions: crypto_free_ablkcipher crypto_has_ablkcipher crypto_ablkcipher_ivsize crypto_ablkcipher_blocksize crypto_ablkcipher_setkey crypto_ablkcipher_reqtfm crypto_ablkcipher_encrypt crypto_ablkcipher_decrypt ++ :functions: crypto_free_ablkcipher crypto_ablkcipher_ivsize crypto_ablkcipher_blocksize crypto_ablkcipher_setkey crypto_ablkcipher_reqtfm crypto_ablkcipher_encrypt crypto_ablkcipher_decrypt + + Asynchronous Cipher Request Handle - Deprecated + ----------------------------------------------- +diff --git a/include/linux/crypto.h b/include/linux/crypto.h +index 0c720a2982ae4..019ddf7596534 100644 +--- a/include/linux/crypto.h ++++ b/include/linux/crypto.h +@@ -903,20 +903,6 @@ static inline struct crypto_ablkcipher *__crypto_ablkcipher_cast( + return (struct crypto_ablkcipher *)tfm; + } + +-static inline u32 crypto_skcipher_type(u32 type) +-{ +- type &= ~CRYPTO_ALG_TYPE_MASK; +- type |= CRYPTO_ALG_TYPE_BLKCIPHER; +- return type; +-} +- +-static inline u32 crypto_skcipher_mask(u32 mask) +-{ +- mask &= ~CRYPTO_ALG_TYPE_MASK; +- mask |= CRYPTO_ALG_TYPE_BLKCIPHER_MASK; +- return mask; +-} +- + /** + * DOC: Asynchronous Block Cipher API + * +@@ -962,23 +948,6 @@ static inline void crypto_free_ablkcipher(struct crypto_ablkcipher *tfm) + crypto_free_tfm(crypto_ablkcipher_tfm(tfm)); + } + +-/** +- * crypto_has_ablkcipher() - Search for the availability of an ablkcipher. +- * @alg_name: is the cra_name / name or cra_driver_name / driver name of the +- * ablkcipher +- * @type: specifies the type of the cipher +- * @mask: specifies the mask for the cipher +- * +- * Return: true when the ablkcipher is known to the kernel crypto API; false +- * otherwise +- */ +-static inline int crypto_has_ablkcipher(const char *alg_name, u32 type, +- u32 mask) +-{ +- return crypto_has_alg(alg_name, crypto_skcipher_type(type), +- crypto_skcipher_mask(mask)); +-} +- + static inline struct ablkcipher_tfm *crypto_ablkcipher_crt( + struct crypto_ablkcipher *tfm) + { +-- +2.39.2 + diff --git a/queue-5.4/crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch b/queue-5.4/crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch new file mode 100644 index 00000000000..d0090e0c195 --- /dev/null +++ b/queue-5.4/crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch @@ -0,0 +1,84 @@ +From 250ed9f7489ea73ea7422f38c4e4f648af200125 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 12:41:09 -0700 +Subject: crypto: skcipher - unify the crypto_has_skcipher*() functions + +From: Eric Biggers + +[ Upstream commit d3ca75a8b3d77f2788e6c119ea7c3e3a1ab1e1ca ] + +crypto_has_skcipher() and crypto_has_skcipher2() do the same thing: they +check for the availability of an algorithm of type skcipher, blkcipher, +or ablkcipher, which also meets any non-type constraints the caller +specified. And they have exactly the same prototype. + +Therefore, eliminate the redundancy by removing crypto_has_skcipher() +and renaming crypto_has_skcipher2() to crypto_has_skcipher(). + +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Stable-dep-of: efbc7764c444 ("crypto: marvell/cesa - Fix type mismatch warning") +Signed-off-by: Sasha Levin +--- + crypto/skcipher.c | 4 ++-- + include/crypto/skcipher.h | 19 +------------------ + 2 files changed, 3 insertions(+), 20 deletions(-) + +diff --git a/crypto/skcipher.c b/crypto/skcipher.c +index 22753c1c72022..233678d078169 100644 +--- a/crypto/skcipher.c ++++ b/crypto/skcipher.c +@@ -1017,12 +1017,12 @@ struct crypto_sync_skcipher *crypto_alloc_sync_skcipher( + } + EXPORT_SYMBOL_GPL(crypto_alloc_sync_skcipher); + +-int crypto_has_skcipher2(const char *alg_name, u32 type, u32 mask) ++int crypto_has_skcipher(const char *alg_name, u32 type, u32 mask) + { + return crypto_type_has_alg(alg_name, &crypto_skcipher_type2, + type, mask); + } +-EXPORT_SYMBOL_GPL(crypto_has_skcipher2); ++EXPORT_SYMBOL_GPL(crypto_has_skcipher); + + static int skcipher_prepare_alg(struct skcipher_alg *alg) + { +diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h +index 0bce6005d325d..6514e32e7c2fd 100644 +--- a/include/crypto/skcipher.h ++++ b/include/crypto/skcipher.h +@@ -220,30 +220,13 @@ static inline void crypto_free_sync_skcipher(struct crypto_sync_skcipher *tfm) + * crypto_has_skcipher() - Search for the availability of an skcipher. + * @alg_name: is the cra_name / name or cra_driver_name / driver name of the + * skcipher +- * @type: specifies the type of the cipher +- * @mask: specifies the mask for the cipher +- * +- * Return: true when the skcipher is known to the kernel crypto API; false +- * otherwise +- */ +-static inline int crypto_has_skcipher(const char *alg_name, u32 type, +- u32 mask) +-{ +- return crypto_has_alg(alg_name, crypto_skcipher_type(type), +- crypto_skcipher_mask(mask)); +-} +- +-/** +- * crypto_has_skcipher2() - Search for the availability of an skcipher. +- * @alg_name: is the cra_name / name or cra_driver_name / driver name of the +- * skcipher + * @type: specifies the type of the skcipher + * @mask: specifies the mask for the skcipher + * + * Return: true when the skcipher is known to the kernel crypto API; false + * otherwise + */ +-int crypto_has_skcipher2(const char *alg_name, u32 type, u32 mask); ++int crypto_has_skcipher(const char *alg_name, u32 type, u32 mask); + + static inline const char *crypto_skcipher_driver_name( + struct crypto_skcipher *tfm) +-- +2.39.2 + diff --git a/queue-5.4/drm-amdkfd-fix-potential-deallocation-of-previously-.patch b/queue-5.4/drm-amdkfd-fix-potential-deallocation-of-previously-.patch new file mode 100644 index 00000000000..b3b7a1f0677 --- /dev/null +++ b/queue-5.4/drm-amdkfd-fix-potential-deallocation-of-previously-.patch @@ -0,0 +1,58 @@ +From 328bbe520714edfe435345c4087849764a6099ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 04:23:14 -0700 +Subject: drm/amdkfd: Fix potential deallocation of previously deallocated + memory. + +From: Daniil Dulov + +[ Upstream commit cabbdea1f1861098991768d7bbf5a49ed1608213 ] + +Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate(). +The function then returns non-zero value, which causes the second deallocation. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd") +Signed-off-by: Daniil Dulov +Signed-off-by: Felix Kuehling +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c +index d3380c5bdbdea..d978fcac26651 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c +@@ -101,18 +101,19 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd, + &(mqd_mem_obj->gtt_mem), + &(mqd_mem_obj->gpu_addr), + (void *)&(mqd_mem_obj->cpu_ptr), true); ++ ++ if (retval) { ++ kfree(mqd_mem_obj); ++ return NULL; ++ } + } else { + retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd), + &mqd_mem_obj); +- } +- +- if (retval) { +- kfree(mqd_mem_obj); +- return NULL; ++ if (retval) ++ return NULL; + } + + return mqd_mem_obj; +- + } + + static void init_mqd(struct mqd_manager *mm, void **mqd, +-- +2.39.2 + diff --git a/queue-5.4/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch b/queue-5.4/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch new file mode 100644 index 00000000000..9e7f7876aec --- /dev/null +++ b/queue-5.4/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch @@ -0,0 +1,51 @@ +From d841c53b30d3cc981ac76595875a83e2edf58a71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 10:50:39 +0200 +Subject: drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H + +From: Dario Binacchi + +[ Upstream commit f24b49550814fdee4a98b9552e35e243ccafd4a8 ] + +The previous setting was related to the overall dimension and not to the +active display area. +In the "PHYSICAL SPECIFICATIONS" section, the datasheet shows the +following parameters: + + ---------------------------------------------------------- +| Item | Specifications | unit | + ---------------------------------------------------------- +| Display area | 98.7 (W) x 57.5 (H) | mm | + ---------------------------------------------------------- +| Overall dimension | 105.5(W) x 67.2(H) x 4.96(D) | mm | + ---------------------------------------------------------- + +Fixes: 966fea78adf2 ("drm/panel: simple: Add support for Ampire AM-480272H3TMQW-T01H") +Signed-off-by: Dario Binacchi +Reviewed-by: Neil Armstrong +[narmstrong: fixed Fixes commit id length] +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230516085039.3797303-1-dario.binacchi@amarulasolutions.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 312a3c4e23318..ec0085e664365 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -531,8 +531,8 @@ static const struct panel_desc ampire_am_480272h3tmqw_t01h = { + .num_modes = 1, + .bpc = 8, + .size = { +- .width = 105, +- .height = 67, ++ .width = 99, ++ .height = 58, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X24, + }; +-- +2.39.2 + diff --git a/queue-5.4/drm-radeon-fix-possible-division-by-zero-errors.patch b/queue-5.4/drm-radeon-fix-possible-division-by-zero-errors.patch new file mode 100644 index 00000000000..563e385024a --- /dev/null +++ b/queue-5.4/drm-radeon-fix-possible-division-by-zero-errors.patch @@ -0,0 +1,94 @@ +From 7b737e2a192e5411fcf868db4dc700d9e0c467c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 08:33:27 -0700 +Subject: drm/radeon: fix possible division-by-zero errors + +From: Nikita Zhandarovich + +[ Upstream commit 1becc57cd1a905e2aa0e1eca60d2a37744525c4a ] + +Function rv740_get_decoded_reference_divider() may return 0 due to +unpredictable reference divider value calculated in +radeon_atom_get_clock_dividers(). This will lead to +division-by-zero error once that value is used as a divider +in calculating 'clk_s'. +While unlikely, this issue should nonetheless be prevented so add a +sanity check for such cases by testing 'decoded_ref' value against 0. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +v2: minor coding style fixes (Alex) +In practice this should actually happen as the vbios should be +properly populated. + +Fixes: 66229b200598 ("drm/radeon/kms: add dpm support for rv7xx (v4)") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/cypress_dpm.c | 8 ++++++-- + drivers/gpu/drm/radeon/ni_dpm.c | 8 ++++++-- + drivers/gpu/drm/radeon/rv740_dpm.c | 8 ++++++-- + 3 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c +index 32ed60f1048bd..b31d65a6752f1 100644 +--- a/drivers/gpu/drm/radeon/cypress_dpm.c ++++ b/drivers/gpu/drm/radeon/cypress_dpm.c +@@ -559,8 +559,12 @@ static int cypress_populate_mclk_value(struct radeon_device *rdev, + ASIC_INTERNAL_MEMORY_SS, vco_freq)) { + u32 reference_clock = rdev->clock.mpll.reference_freq; + u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); +- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); +- u32 clk_v = ss.percentage * ++ u32 clk_s, clk_v; ++ ++ if (!decoded_ref) ++ return -EINVAL; ++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); ++ clk_v = ss.percentage * + (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625); + + mpll_ss1 &= ~CLKV_MASK; +diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c +index 288ec3039bc2c..cad7a73a551f7 100644 +--- a/drivers/gpu/drm/radeon/ni_dpm.c ++++ b/drivers/gpu/drm/radeon/ni_dpm.c +@@ -2241,8 +2241,12 @@ static int ni_populate_mclk_value(struct radeon_device *rdev, + ASIC_INTERNAL_MEMORY_SS, vco_freq)) { + u32 reference_clock = rdev->clock.mpll.reference_freq; + u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); +- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); +- u32 clk_v = ss.percentage * ++ u32 clk_s, clk_v; ++ ++ if (!decoded_ref) ++ return -EINVAL; ++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); ++ clk_v = ss.percentage * + (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625); + + mpll_ss1 &= ~CLKV_MASK; +diff --git a/drivers/gpu/drm/radeon/rv740_dpm.c b/drivers/gpu/drm/radeon/rv740_dpm.c +index 327d65a76e1f4..79b2de65e905e 100644 +--- a/drivers/gpu/drm/radeon/rv740_dpm.c ++++ b/drivers/gpu/drm/radeon/rv740_dpm.c +@@ -250,8 +250,12 @@ int rv740_populate_mclk_value(struct radeon_device *rdev, + ASIC_INTERNAL_MEMORY_SS, vco_freq)) { + u32 reference_clock = rdev->clock.mpll.reference_freq; + u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); +- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); +- u32 clk_v = 0x40000 * ss.percentage * ++ u32 clk_s, clk_v; ++ ++ if (!decoded_ref) ++ return -EINVAL; ++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); ++ clk_v = 0x40000 * ss.percentage * + (dividers.whole_fb_div + (dividers.frac_fb_div / 8)) / (clk_s * 10000); + + mpll_ss1 &= ~CLKV_MASK; +-- +2.39.2 + diff --git a/queue-5.4/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch b/queue-5.4/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch new file mode 100644 index 00000000000..03ee8842f4a --- /dev/null +++ b/queue-5.4/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch @@ -0,0 +1,116 @@ +From fe30f5a271889263f88508cc30282bf7e8b0d004 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Apr 2023 19:23:46 +0800 +Subject: drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks` + +From: XuDong Liu + +[ Upstream commit 123ee07ba5b7123e0ce0e0f9d64938026c16a2ce ] + +Smatch reports: +drivers/gpu/drm/sun4i/sun4i_tcon.c:805 sun4i_tcon_init_clocks() warn: +'tcon->clk' from clk_prepare_enable() not released on lines: 792,801. + +In the function sun4i_tcon_init_clocks(), tcon->clk and tcon->sclk0 are +not disabled in the error handling, which affects the release of +these variable. Although sun4i_tcon_bind(), which calls +sun4i_tcon_init_clocks(), use sun4i_tcon_free_clocks to disable the +variables mentioned, but the error handling branch of +sun4i_tcon_init_clocks() ignores the required disable process. + +To fix this issue, use the devm_clk_get_enabled to automatically +balance enable and disabled calls. As original implementation use +sun4i_tcon_free_clocks() to disable clk explicitly, we delete the +related calls and error handling that are no longer needed. + +Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support") +Fixes: b14e945bda8a ("drm/sun4i: tcon: Prepare and enable TCON channel 0 clock at init") +Fixes: 8e9240472522 ("drm/sun4i: support TCONs without channel 1") +Fixes: 34d698f6e349 ("drm/sun4i: Add has_channel_0 TCON quirk") +Signed-off-by: XuDong Liu +Reviewed-by: Dongliang Mu +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20230430112347.4689-1-m202071377@hust.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun4i_tcon.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c +index eb3b2350687fb..193c7f979bcaa 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c ++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c +@@ -753,21 +753,19 @@ static irqreturn_t sun4i_tcon_handler(int irq, void *private) + static int sun4i_tcon_init_clocks(struct device *dev, + struct sun4i_tcon *tcon) + { +- tcon->clk = devm_clk_get(dev, "ahb"); ++ tcon->clk = devm_clk_get_enabled(dev, "ahb"); + if (IS_ERR(tcon->clk)) { + dev_err(dev, "Couldn't get the TCON bus clock\n"); + return PTR_ERR(tcon->clk); + } +- clk_prepare_enable(tcon->clk); + + if (tcon->quirks->has_channel_0) { +- tcon->sclk0 = devm_clk_get(dev, "tcon-ch0"); ++ tcon->sclk0 = devm_clk_get_enabled(dev, "tcon-ch0"); + if (IS_ERR(tcon->sclk0)) { + dev_err(dev, "Couldn't get the TCON channel 0 clock\n"); + return PTR_ERR(tcon->sclk0); + } + } +- clk_prepare_enable(tcon->sclk0); + + if (tcon->quirks->has_channel_1) { + tcon->sclk1 = devm_clk_get(dev, "tcon-ch1"); +@@ -780,12 +778,6 @@ static int sun4i_tcon_init_clocks(struct device *dev, + return 0; + } + +-static void sun4i_tcon_free_clocks(struct sun4i_tcon *tcon) +-{ +- clk_disable_unprepare(tcon->sclk0); +- clk_disable_unprepare(tcon->clk); +-} +- + static int sun4i_tcon_init_irq(struct device *dev, + struct sun4i_tcon *tcon) + { +@@ -1202,14 +1194,14 @@ static int sun4i_tcon_bind(struct device *dev, struct device *master, + ret = sun4i_tcon_init_regmap(dev, tcon); + if (ret) { + dev_err(dev, "Couldn't init our TCON regmap\n"); +- goto err_free_clocks; ++ goto err_assert_reset; + } + + if (tcon->quirks->has_channel_0) { + ret = sun4i_dclk_create(dev, tcon); + if (ret) { + dev_err(dev, "Couldn't create our TCON dot clock\n"); +- goto err_free_clocks; ++ goto err_assert_reset; + } + } + +@@ -1272,8 +1264,6 @@ static int sun4i_tcon_bind(struct device *dev, struct device *master, + err_free_dotclock: + if (tcon->quirks->has_channel_0) + sun4i_dclk_free(tcon); +-err_free_clocks: +- sun4i_tcon_free_clocks(tcon); + err_assert_reset: + reset_control_assert(tcon->lcd_rst); + return ret; +@@ -1287,7 +1277,6 @@ static void sun4i_tcon_unbind(struct device *dev, struct device *master, + list_del(&tcon->list); + if (tcon->quirks->has_channel_0) + sun4i_dclk_free(tcon); +- sun4i_tcon_free_clocks(tcon); + } + + static const struct component_ops sun4i_tcon_ops = { +-- +2.39.2 + diff --git a/queue-5.4/evm-complete-description-of-evm_inode_setattr.patch b/queue-5.4/evm-complete-description-of-evm_inode_setattr.patch new file mode 100644 index 00000000000..e2afc6c517a --- /dev/null +++ b/queue-5.4/evm-complete-description-of-evm_inode_setattr.patch @@ -0,0 +1,39 @@ +From abf63e3dc62b3c5f67f4f72f67f0569585ca960b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 11:40:36 +0100 +Subject: evm: Complete description of evm_inode_setattr() + +From: Roberto Sassu + +[ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ] + +Add the description for missing parameters of evm_inode_setattr() to +avoid the warning arising with W=n compile option. + +Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+ +Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+ +Signed-off-by: Roberto Sassu +Reviewed-by: Stefan Berger +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/evm/evm_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c +index b82291d10e730..cc7e4e4439b0f 100644 +--- a/security/integrity/evm/evm_main.c ++++ b/security/integrity/evm/evm_main.c +@@ -471,7 +471,9 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) + + /** + * evm_inode_setattr - prevent updating an invalid EVM extended attribute ++ * @idmap: idmap of the mount + * @dentry: pointer to the affected dentry ++ * @attr: iattr structure containing the new file attributes + * + * Permit update of file attributes when files have a valid EVM signature, + * except in the case of them having an immutable portable signature. +-- +2.39.2 + diff --git a/queue-5.4/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch b/queue-5.4/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch new file mode 100644 index 00000000000..c6493f6312c --- /dev/null +++ b/queue-5.4/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch @@ -0,0 +1,44 @@ +From 30fc0db36e128b7b4fb0c7bfb64a59bafe212a8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jun 2023 17:42:28 +0200 +Subject: fbdev: omapfb: lcd_mipid: Fix an error handling path in + mipid_spi_probe() + +From: Christophe JAILLET + +[ Upstream commit 79a3908d1ea6c35157a6d907b1a9d8ec06015e7a ] + +If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak. + +Fixes: 66d2f99d0bb5 ("omapfb: add support for MIPI-DCS compatible LCDs") +Signed-off-by: Christophe JAILLET +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/omap/lcd_mipid.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/omap/lcd_mipid.c b/drivers/video/fbdev/omap/lcd_mipid.c +index a75ae0c9b14c7..d1cd8785d011d 100644 +--- a/drivers/video/fbdev/omap/lcd_mipid.c ++++ b/drivers/video/fbdev/omap/lcd_mipid.c +@@ -563,11 +563,15 @@ static int mipid_spi_probe(struct spi_device *spi) + + r = mipid_detect(md); + if (r < 0) +- return r; ++ goto free_md; + + omapfb_register_panel(&md->panel); + + return 0; ++ ++free_md: ++ kfree(md); ++ return r; + } + + static int mipid_spi_remove(struct spi_device *spi) +-- +2.39.2 + diff --git a/queue-5.4/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch b/queue-5.4/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch new file mode 100644 index 00000000000..c50569c50ac --- /dev/null +++ b/queue-5.4/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch @@ -0,0 +1,190 @@ +From ce75be9ebfebfabcc631106036991740eb2b4f83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jun 2023 14:32:31 -0700 +Subject: gtp: Fix use-after-free in __gtp_encap_destroy(). + +From: Kuniyuki Iwashima + +[ Upstream commit ce3aee7114c575fab32a5e9e939d4bbb3dcca79f ] + +syzkaller reported use-after-free in __gtp_encap_destroy(). [0] + +It shows the same process freed sk and touched it illegally. + +Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() +and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, +but release_sock() is called after sock_put() releases the last refcnt. + +[0]: +BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] +BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] +BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] +BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] +BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 +Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 + +CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:351 [inline] + print_report+0xcc/0x620 mm/kasan/report.c:462 + kasan_report+0xb2/0xe0 mm/kasan/report.c:572 + check_region_inline mm/kasan/generic.c:181 [inline] + kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 + instrument_atomic_read_write include/linux/instrumented.h:96 [inline] + atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] + queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] + do_raw_spin_lock include/linux/spinlock.h:186 [inline] + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] + _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:355 [inline] + release_sock+0x1f/0x1a0 net/core/sock.c:3526 + gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] + gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 + gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 + unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 + rtnl_delete_link net/core/rtnetlink.c:3216 [inline] + rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 + rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 + netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b7/0x200 net/socket.c:747 + ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 + ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 + __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7f1168b1fe5d +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 +RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d +RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 +RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 + + +Allocated by task 1483: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328 + kasan_slab_alloc include/linux/kasan.h:186 [inline] + slab_post_alloc_hook mm/slab.h:711 [inline] + slab_alloc_node mm/slub.c:3451 [inline] + slab_alloc mm/slub.c:3459 [inline] + __kmem_cache_alloc_lru mm/slub.c:3466 [inline] + kmem_cache_alloc+0x16d/0x340 mm/slub.c:3475 + sk_prot_alloc+0x5f/0x280 net/core/sock.c:2073 + sk_alloc+0x34/0x6c0 net/core/sock.c:2132 + inet6_create net/ipv6/af_inet6.c:192 [inline] + inet6_create+0x2c7/0xf20 net/ipv6/af_inet6.c:119 + __sock_create+0x2a1/0x530 net/socket.c:1535 + sock_create net/socket.c:1586 [inline] + __sys_socket_create net/socket.c:1623 [inline] + __sys_socket_create net/socket.c:1608 [inline] + __sys_socket+0x137/0x250 net/socket.c:1651 + __do_sys_socket net/socket.c:1664 [inline] + __se_sys_socket net/socket.c:1662 [inline] + __x64_sys_socket+0x72/0xb0 net/socket.c:1662 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Freed by task 2401: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free mm/kasan/common.c:200 [inline] + __kasan_slab_free+0x10c/0x1b0 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:162 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook mm/slub.c:1807 [inline] + slab_free mm/slub.c:3786 [inline] + kmem_cache_free+0xb4/0x490 mm/slub.c:3808 + sk_prot_free net/core/sock.c:2113 [inline] + __sk_destruct+0x500/0x720 net/core/sock.c:2207 + sk_destruct+0xc1/0xe0 net/core/sock.c:2222 + __sk_free+0xed/0x3d0 net/core/sock.c:2233 + sk_free+0x7c/0xa0 net/core/sock.c:2244 + sock_put include/net/sock.h:1981 [inline] + __gtp_encap_destroy+0x165/0x1b0 drivers/net/gtp.c:634 + gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] + gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 + gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 + unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 + rtnl_delete_link net/core/rtnetlink.c:3216 [inline] + rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 + rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 + netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b7/0x200 net/socket.c:747 + ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 + ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 + __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +The buggy address belongs to the object at ffff88800dbef300 + which belongs to the cache UDPv6 of size 1344 +The buggy address is located 152 bytes inside of + freed 1344-byte region [ffff88800dbef300, ffff88800dbef840) + +The buggy address belongs to the physical page: +page:00000000d31bfed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800dbeed40 pfn:0xdbe8 +head:00000000d31bfed5 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +memcg:ffff888008ee0801 +flags: 0x100000000010200(slab|head|node=0|zone=1) +page_type: 0xffffffff() +raw: 0100000000010200 ffff88800c7a3000 dead000000000122 0000000000000000 +raw: ffff88800dbeed40 0000000080160015 00000001ffffffff ffff888008ee0801 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800dbef280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88800dbef300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88800dbef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88800dbef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88800dbef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Pablo Neira Ayuso +Link: https://lore.kernel.org/r/20230622213231.24651-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index d0653babab923..0409afe9a53d6 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -297,7 +297,9 @@ static void __gtp_encap_destroy(struct sock *sk) + gtp->sk1u = NULL; + udp_sk(sk)->encap_type = 0; + rcu_assign_sk_user_data(sk, NULL); ++ release_sock(sk); + sock_put(sk); ++ return; + } + release_sock(sk); + } +-- +2.39.2 + diff --git a/queue-5.4/hwrng-st-fix-w-1-unused-variable-warning.patch b/queue-5.4/hwrng-st-fix-w-1-unused-variable-warning.patch new file mode 100644 index 00000000000..7b104bbd6b4 --- /dev/null +++ b/queue-5.4/hwrng-st-fix-w-1-unused-variable-warning.patch @@ -0,0 +1,43 @@ +From dde4ce22ee66b30e82dc447eb0223bd7ea5448a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 18:04:02 +1000 +Subject: hwrng: st - Fix W=1 unused variable warning + +From: Herbert Xu + +[ Upstream commit ad23756271d5744a0a0ba556f8aaa70e358d5aa6 ] + +This patch fixes an unused variable warning when this driver is +built-in with CONFIG_OF=n. + +Signed-off-by: Herbert Xu +Stable-dep-of: 501e197a02d4 ("hwrng: st - keep clock enabled while hwrng is registered") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/st-rng.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/st-rng.c b/drivers/char/hw_random/st-rng.c +index 863448360a7da..50975e761ca58 100644 +--- a/drivers/char/hw_random/st-rng.c ++++ b/drivers/char/hw_random/st-rng.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -123,7 +124,7 @@ static int st_rng_remove(struct platform_device *pdev) + return 0; + } + +-static const struct of_device_id st_rng_match[] = { ++static const struct of_device_id st_rng_match[] __maybe_unused = { + { .compatible = "st,rng" }, + {}, + }; +-- +2.39.2 + diff --git a/queue-5.4/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch b/queue-5.4/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch new file mode 100644 index 00000000000..0b4a2e9f864 --- /dev/null +++ b/queue-5.4/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch @@ -0,0 +1,96 @@ +From 715ccdf18c8c88329a35fdd3c69c07b7e74ada91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 09:58:13 +0100 +Subject: hwrng: st - keep clock enabled while hwrng is registered + +From: Martin Kaiser + +[ Upstream commit 501e197a02d4aef157f53ba3a0b9049c3e52fedc ] + +The st-rng driver uses devres to register itself with the hwrng core, +the driver will be unregistered from hwrng when its device goes out of +scope. This happens after the driver's remove function is called. + +However, st-rng's clock is disabled in the remove function. There's a +short timeframe where st-rng is still registered with the hwrng core +although its clock is disabled. I suppose the clock must be active to +access the hardware and serve requests from the hwrng core. + +Switch to devm_clk_get_enabled and let devres disable the clock and +unregister the hwrng. This avoids the race condition. + +Fixes: 3e75241be808 ("hwrng: drivers - Use device-managed registration API") +Signed-off-by: Martin Kaiser +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/st-rng.c | 21 +-------------------- + 1 file changed, 1 insertion(+), 20 deletions(-) + +diff --git a/drivers/char/hw_random/st-rng.c b/drivers/char/hw_random/st-rng.c +index 50975e761ca58..f708a99619ecb 100644 +--- a/drivers/char/hw_random/st-rng.c ++++ b/drivers/char/hw_random/st-rng.c +@@ -42,7 +42,6 @@ + + struct st_rng_data { + void __iomem *base; +- struct clk *clk; + struct hwrng ops; + }; + +@@ -87,26 +86,18 @@ static int st_rng_probe(struct platform_device *pdev) + if (IS_ERR(base)) + return PTR_ERR(base); + +- clk = devm_clk_get(&pdev->dev, NULL); ++ clk = devm_clk_get_enabled(&pdev->dev, NULL); + if (IS_ERR(clk)) + return PTR_ERR(clk); + +- ret = clk_prepare_enable(clk); +- if (ret) +- return ret; +- + ddata->ops.priv = (unsigned long)ddata; + ddata->ops.read = st_rng_read; + ddata->ops.name = pdev->name; + ddata->base = base; +- ddata->clk = clk; +- +- dev_set_drvdata(&pdev->dev, ddata); + + ret = devm_hwrng_register(&pdev->dev, &ddata->ops); + if (ret) { + dev_err(&pdev->dev, "Failed to register HW RNG\n"); +- clk_disable_unprepare(clk); + return ret; + } + +@@ -115,15 +106,6 @@ static int st_rng_probe(struct platform_device *pdev) + return 0; + } + +-static int st_rng_remove(struct platform_device *pdev) +-{ +- struct st_rng_data *ddata = dev_get_drvdata(&pdev->dev); +- +- clk_disable_unprepare(ddata->clk); +- +- return 0; +-} +- + static const struct of_device_id st_rng_match[] __maybe_unused = { + { .compatible = "st,rng" }, + {}, +@@ -136,7 +118,6 @@ static struct platform_driver st_rng_driver = { + .of_match_table = of_match_ptr(st_rng_match), + }, + .probe = st_rng_probe, +- .remove = st_rng_remove + }; + + module_platform_driver(st_rng_driver); +-- +2.39.2 + diff --git a/queue-5.4/hwrng-virtio-add-an-internal-buffer.patch b/queue-5.4/hwrng-virtio-add-an-internal-buffer.patch new file mode 100644 index 00000000000..769f16dc836 --- /dev/null +++ b/queue-5.4/hwrng-virtio-add-an-internal-buffer.patch @@ -0,0 +1,127 @@ +From 6a5b285b4e99eacbafc877c8cb9e45f6babcc378 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:08 +0200 +Subject: hwrng: virtio - add an internal buffer + +From: Laurent Vivier + +[ Upstream commit bf3175bc50a3754dc427e2f5046e17a9fafc8be7 ] + +hwrng core uses two buffers that can be mixed in the +virtio-rng queue. + +If the buffer is provided with wait=0 it is enqueued in the +virtio-rng queue but unused by the caller. +On the next call, core provides another buffer but the +first one is filled instead and the new one queued. +And the caller reads the data from the new one that is not +updated, and the data in the first one are lost. + +To avoid this mix, virtio-rng needs to use its own unique +internal buffer at a cost of a data copy to the caller buffer. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-2-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 43 ++++++++++++++++++++++------- + 1 file changed, 33 insertions(+), 10 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 718d8c0876506..23149e94d621f 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -17,13 +17,20 @@ static DEFINE_IDA(rng_index_ida); + struct virtrng_info { + struct hwrng hwrng; + struct virtqueue *vq; +- struct completion have_data; + char name[25]; +- unsigned int data_avail; + int index; + bool busy; + bool hwrng_register_done; + bool hwrng_removed; ++ /* data transfer */ ++ struct completion have_data; ++ unsigned int data_avail; ++ /* minimal size returned by rng_buffer_size() */ ++#if SMP_CACHE_BYTES < 32 ++ u8 data[32]; ++#else ++ u8 data[SMP_CACHE_BYTES]; ++#endif + }; + + static void random_recv_done(struct virtqueue *vq) +@@ -38,14 +45,14 @@ static void random_recv_done(struct virtqueue *vq) + } + + /* The host will fill any buffer we give it with sweet, sweet randomness. */ +-static void register_buffer(struct virtrng_info *vi, u8 *buf, size_t size) ++static void register_buffer(struct virtrng_info *vi) + { + struct scatterlist sg; + +- sg_init_one(&sg, buf, size); ++ sg_init_one(&sg, vi->data, sizeof(vi->data)); + + /* There should always be room for one buffer. */ +- virtqueue_add_inbuf(vi->vq, &sg, 1, buf, GFP_KERNEL); ++ virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL); + + virtqueue_kick(vi->vq); + } +@@ -54,6 +61,8 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + { + int ret; + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; ++ unsigned int chunk; ++ size_t read; + + if (vi->hwrng_removed) + return -ENODEV; +@@ -61,19 +70,33 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + if (!vi->busy) { + vi->busy = true; + reinit_completion(&vi->have_data); +- register_buffer(vi, buf, size); ++ register_buffer(vi); + } + + if (!wait) + return 0; + +- ret = wait_for_completion_killable(&vi->have_data); +- if (ret < 0) +- return ret; ++ read = 0; ++ while (size != 0) { ++ ret = wait_for_completion_killable(&vi->have_data); ++ if (ret < 0) ++ return ret; ++ ++ chunk = min_t(unsigned int, size, vi->data_avail); ++ memcpy(buf + read, vi->data, chunk); ++ read += chunk; ++ size -= chunk; ++ vi->data_avail = 0; ++ ++ if (size != 0) { ++ reinit_completion(&vi->have_data); ++ register_buffer(vi); ++ } ++ } + + vi->busy = false; + +- return vi->data_avail; ++ return read; + } + + static void virtio_cleanup(struct hwrng *rng) +-- +2.39.2 + diff --git a/queue-5.4/hwrng-virtio-always-add-a-pending-request.patch b/queue-5.4/hwrng-virtio-always-add-a-pending-request.patch new file mode 100644 index 00000000000..1d85375023e --- /dev/null +++ b/queue-5.4/hwrng-virtio-always-add-a-pending-request.patch @@ -0,0 +1,111 @@ +From 2cb8a0e665647074371a4a03a06c9dc5753ccdca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:11 +0200 +Subject: hwrng: virtio - always add a pending request + +From: Laurent Vivier + +[ Upstream commit 9a4b612d675b03f7fc9fa1957ca399c8223f3954 ] + +If we ensure we have already some data available by enqueuing +again the buffer once data are exhausted, we can return what we +have without waiting for the device answer. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-5-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 207a5f3b335c0..f98e3ee5f8b03 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -19,7 +19,6 @@ struct virtrng_info { + struct virtqueue *vq; + char name[25]; + int index; +- bool busy; + bool hwrng_register_done; + bool hwrng_removed; + /* data transfer */ +@@ -43,16 +42,18 @@ static void random_recv_done(struct virtqueue *vq) + return; + + vi->data_idx = 0; +- vi->busy = false; + + complete(&vi->have_data); + } + +-/* The host will fill any buffer we give it with sweet, sweet randomness. */ +-static void register_buffer(struct virtrng_info *vi) ++static void request_entropy(struct virtrng_info *vi) + { + struct scatterlist sg; + ++ reinit_completion(&vi->have_data); ++ vi->data_avail = 0; ++ vi->data_idx = 0; ++ + sg_init_one(&sg, vi->data, sizeof(vi->data)); + + /* There should always be room for one buffer. */ +@@ -68,6 +69,8 @@ static unsigned int copy_data(struct virtrng_info *vi, void *buf, + memcpy(buf, vi->data + vi->data_idx, size); + vi->data_idx += size; + vi->data_avail -= size; ++ if (vi->data_avail == 0) ++ request_entropy(vi); + return size; + } + +@@ -97,13 +100,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + * so either size is 0 or data_avail is 0 + */ + while (size != 0) { +- /* data_avail is 0 */ +- if (!vi->busy) { +- /* no pending request, ask for more */ +- vi->busy = true; +- reinit_completion(&vi->have_data); +- register_buffer(vi); +- } ++ /* data_avail is 0 but a request is pending */ + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; +@@ -125,8 +122,7 @@ static void virtio_cleanup(struct hwrng *rng) + { + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; + +- if (vi->busy) +- complete(&vi->have_data); ++ complete(&vi->have_data); + } + + static int probe_common(struct virtio_device *vdev) +@@ -162,6 +158,9 @@ static int probe_common(struct virtio_device *vdev) + goto err_find; + } + ++ /* we always have a pending entropy request */ ++ request_entropy(vi); ++ + return 0; + + err_find: +@@ -180,7 +179,6 @@ static void remove_common(struct virtio_device *vdev) + vi->data_idx = 0; + complete(&vi->have_data); + vdev->config->reset(vdev); +- vi->busy = false; + if (vi->hwrng_register_done) + hwrng_unregister(&vi->hwrng); + vdev->config->del_vqs(vdev); +-- +2.39.2 + diff --git a/queue-5.4/hwrng-virtio-don-t-wait-on-cleanup.patch b/queue-5.4/hwrng-virtio-don-t-wait-on-cleanup.patch new file mode 100644 index 00000000000..6f32d78ed8c --- /dev/null +++ b/queue-5.4/hwrng-virtio-don-t-wait-on-cleanup.patch @@ -0,0 +1,58 @@ +From a406077dac0b95e2a23e07bd5b7c2612d68b3bb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:09 +0200 +Subject: hwrng: virtio - don't wait on cleanup + +From: Laurent Vivier + +[ Upstream commit 2bb31abdbe55742c89f4dc0cc26fcbc8467364f6 ] + +When virtio-rng device was dropped by the hwrng core we were forced +to wait the buffer to come back from the device to not have +remaining ongoing operation that could spoil the buffer. + +But now, as the buffer is internal to the virtio-rng we can release +the waiting loop immediately, the buffer will be retrieve and use +when the virtio-rng driver will be selected again. + +This avoids to hang on an rng_current write command if the virtio-rng +device is blocked by a lack of entropy. This allows to select +another entropy source if the current one is empty. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-3-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 23149e94d621f..c8f5a3392e48c 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -81,6 +81,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; ++ /* if vi->data_avail is 0, we have been interrupted ++ * by a cleanup, but buffer stays in the queue ++ */ ++ if (vi->data_avail == 0) ++ return read; + + chunk = min_t(unsigned int, size, vi->data_avail); + memcpy(buf + read, vi->data, chunk); +@@ -104,7 +109,7 @@ static void virtio_cleanup(struct hwrng *rng) + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; + + if (vi->busy) +- wait_for_completion(&vi->have_data); ++ complete(&vi->have_data); + } + + static int probe_common(struct virtio_device *vdev) +-- +2.39.2 + diff --git a/queue-5.4/hwrng-virtio-don-t-waste-entropy.patch b/queue-5.4/hwrng-virtio-don-t-waste-entropy.patch new file mode 100644 index 00000000000..8217a5d7f66 --- /dev/null +++ b/queue-5.4/hwrng-virtio-don-t-waste-entropy.patch @@ -0,0 +1,130 @@ +From b24fa80fc841193dfa55417d1aad4e5737135b38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:10 +0200 +Subject: hwrng: virtio - don't waste entropy + +From: Laurent Vivier + +[ Upstream commit 5c8e933050044d6dd2a000f9a5756ae73cbe7c44 ] + +if we don't use all the entropy available in the buffer, keep it +and use it later. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-4-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 52 +++++++++++++++++++---------- + 1 file changed, 35 insertions(+), 17 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index c8f5a3392e48c..207a5f3b335c0 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -25,6 +25,7 @@ struct virtrng_info { + /* data transfer */ + struct completion have_data; + unsigned int data_avail; ++ unsigned int data_idx; + /* minimal size returned by rng_buffer_size() */ + #if SMP_CACHE_BYTES < 32 + u8 data[32]; +@@ -41,6 +42,9 @@ static void random_recv_done(struct virtqueue *vq) + if (!virtqueue_get_buf(vi->vq, &vi->data_avail)) + return; + ++ vi->data_idx = 0; ++ vi->busy = false; ++ + complete(&vi->have_data); + } + +@@ -57,6 +61,16 @@ static void register_buffer(struct virtrng_info *vi) + virtqueue_kick(vi->vq); + } + ++static unsigned int copy_data(struct virtrng_info *vi, void *buf, ++ unsigned int size) ++{ ++ size = min_t(unsigned int, size, vi->data_avail); ++ memcpy(buf, vi->data + vi->data_idx, size); ++ vi->data_idx += size; ++ vi->data_avail -= size; ++ return size; ++} ++ + static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + { + int ret; +@@ -67,17 +81,29 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + if (vi->hwrng_removed) + return -ENODEV; + +- if (!vi->busy) { +- vi->busy = true; +- reinit_completion(&vi->have_data); +- register_buffer(vi); ++ read = 0; ++ ++ /* copy available data */ ++ if (vi->data_avail) { ++ chunk = copy_data(vi, buf, size); ++ size -= chunk; ++ read += chunk; + } + + if (!wait) +- return 0; ++ return read; + +- read = 0; ++ /* We have already copied available entropy, ++ * so either size is 0 or data_avail is 0 ++ */ + while (size != 0) { ++ /* data_avail is 0 */ ++ if (!vi->busy) { ++ /* no pending request, ask for more */ ++ vi->busy = true; ++ reinit_completion(&vi->have_data); ++ register_buffer(vi); ++ } + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; +@@ -87,20 +113,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + if (vi->data_avail == 0) + return read; + +- chunk = min_t(unsigned int, size, vi->data_avail); +- memcpy(buf + read, vi->data, chunk); +- read += chunk; ++ chunk = copy_data(vi, buf + read, size); + size -= chunk; +- vi->data_avail = 0; +- +- if (size != 0) { +- reinit_completion(&vi->have_data); +- register_buffer(vi); +- } ++ read += chunk; + } + +- vi->busy = false; +- + return read; + } + +@@ -160,6 +177,7 @@ static void remove_common(struct virtio_device *vdev) + + vi->hwrng_removed = true; + vi->data_avail = 0; ++ vi->data_idx = 0; + complete(&vi->have_data); + vdev->config->reset(vdev); + vi->busy = false; +-- +2.39.2 + diff --git a/queue-5.4/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch b/queue-5.4/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch new file mode 100644 index 00000000000..a6ec53cd9a5 --- /dev/null +++ b/queue-5.4/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch @@ -0,0 +1,86 @@ +From 8a4a549b7f39f7e6fa22594774a47da073037e9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 11:59:32 +0800 +Subject: hwrng: virtio - Fix race on data_avail and actual data + +From: Herbert Xu + +[ Upstream commit ac52578d6e8d300dd50f790f29a24169b1edd26c ] + +The virtio rng device kicks off a new entropy request whenever the +data available reaches zero. When a new request occurs at the end +of a read operation, that is, when the result of that request is +only needed by the next reader, then there is a race between the +writing of the new data and the next reader. + +This is because there is no synchronisation whatsoever between the +writer and the reader. + +Fix this by writing data_avail with smp_store_release and reading +it with smp_load_acquire when we first enter read. The subsequent +reads are safe because they're either protected by the first load +acquire, or by the completion mechanism. + +Also remove the redundant zeroing of data_idx in random_recv_done +(data_idx must already be zero at this point) and data_avail in +request_entropy (ditto). + +Reported-by: syzbot+726dc8c62c3536431ceb@syzkaller.appspotmail.com +Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.") +Signed-off-by: Herbert Xu +Acked-by: Michael S. Tsirkin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index f98e3ee5f8b03..145d7b1055c07 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -4,6 +4,7 @@ + * Copyright (C) 2007, 2008 Rusty Russell IBM Corporation + */ + ++#include + #include + #include + #include +@@ -36,13 +37,13 @@ struct virtrng_info { + static void random_recv_done(struct virtqueue *vq) + { + struct virtrng_info *vi = vq->vdev->priv; ++ unsigned int len; + + /* We can get spurious callbacks, e.g. shared IRQs + virtio_pci. */ +- if (!virtqueue_get_buf(vi->vq, &vi->data_avail)) ++ if (!virtqueue_get_buf(vi->vq, &len)) + return; + +- vi->data_idx = 0; +- ++ smp_store_release(&vi->data_avail, len); + complete(&vi->have_data); + } + +@@ -51,7 +52,6 @@ static void request_entropy(struct virtrng_info *vi) + struct scatterlist sg; + + reinit_completion(&vi->have_data); +- vi->data_avail = 0; + vi->data_idx = 0; + + sg_init_one(&sg, vi->data, sizeof(vi->data)); +@@ -87,7 +87,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + read = 0; + + /* copy available data */ +- if (vi->data_avail) { ++ if (smp_load_acquire(&vi->data_avail)) { + chunk = copy_data(vi, buf, size); + size -= chunk; + read += chunk; +-- +2.39.2 + diff --git a/queue-5.4/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch b/queue-5.4/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch new file mode 100644 index 00000000000..0bd99028c2c --- /dev/null +++ b/queue-5.4/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch @@ -0,0 +1,110 @@ +From 2dee9c4c3ff7ec007303988264b1cf40a7a30180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 11:56:28 -0500 +Subject: IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors + +From: Patrick Kelsey + +[ Upstream commit fd8958efe8779d3db19c9124fce593ce681ac709 ] + +Fix three sources of error involving struct sdma_txreq.num_descs. + +When _extend_sdma_tx_descs() extends the descriptor array, it uses the +value of tx->num_descs to determine how many existing entries from the +tx's original, internal descriptor array to copy to the newly allocated +one. As this value was incremented before the call, the copy loop will +access one entry past the internal descriptor array, copying its contents +into the corresponding slot in the new array. + +If the call to _extend_sdma_tx_descs() fails, _pad_smda_tx_descs() then +invokes __sdma_tx_clean() which uses the value of tx->num_desc to drive a +loop that unmaps all descriptor entries in use. As this value was +incremented before the call, the unmap loop will invoke sdma_unmap_desc() +on a descriptor entry whose contents consist of whatever random data was +copied into it during (1), leading to cascading further calls into the +kernel and driver using arbitrary data. + +_sdma_close_tx() was using tx->num_descs instead of tx->num_descs - 1. + +Fix all of the above by: +- Only increment .num_descs after .descp is extended. +- Use .num_descs - 1 instead of .num_descs for last .descp entry. + +Fixes: f4d26d81ad7f ("staging/rdma/hfi1: Add coalescing support for SDMA TX descriptors") +Link: https://lore.kernel.org/r/167656658879.2223096.10026561343022570690.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Brendan Cunningham +Signed-off-by: Patrick Kelsey +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/sdma.c | 4 ++-- + drivers/infiniband/hw/hfi1/sdma.h | 15 +++++++-------- + 2 files changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c +index 2a684fc6056e1..057c9ffcd02e1 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.c ++++ b/drivers/infiniband/hw/hfi1/sdma.c +@@ -3203,8 +3203,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + { + int rval = 0; + +- tx->num_desc++; +- if ((unlikely(tx->num_desc == tx->desc_limit))) { ++ if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) { + rval = _extend_sdma_tx_descs(dd, tx); + if (rval) { + __sdma_txclean(dd, tx); +@@ -3217,6 +3216,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + SDMA_MAP_NONE, + dd->sdma_pad_phys, + sizeof(u32) - (tx->packet_len & (sizeof(u32) - 1))); ++ tx->num_desc++; + _sdma_close_tx(dd, tx); + return rval; + } +diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h +index 1e2e40f79cb20..6ac00755848db 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.h ++++ b/drivers/infiniband/hw/hfi1/sdma.h +@@ -672,14 +672,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx) + static inline void _sdma_close_tx(struct hfi1_devdata *dd, + struct sdma_txreq *tx) + { +- tx->descp[tx->num_desc].qw[0] |= +- SDMA_DESC0_LAST_DESC_FLAG; +- tx->descp[tx->num_desc].qw[1] |= +- dd->default_desc1; ++ u16 last_desc = tx->num_desc - 1; ++ ++ tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG; ++ tx->descp[last_desc].qw[1] |= dd->default_desc1; + if (tx->flags & SDMA_TXREQ_F_URGENT) +- tx->descp[tx->num_desc].qw[1] |= +- (SDMA_DESC1_HEAD_TO_HOST_FLAG | +- SDMA_DESC1_INT_REQ_FLAG); ++ tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG | ++ SDMA_DESC1_INT_REQ_FLAG); + } + + static inline int _sdma_txadd_daddr( +@@ -696,6 +695,7 @@ static inline int _sdma_txadd_daddr( + type, + addr, len); + WARN_ON(len > tx->tlen); ++ tx->num_desc++; + tx->tlen -= len; + /* special cases for last */ + if (!tx->tlen) { +@@ -707,7 +707,6 @@ static inline int _sdma_txadd_daddr( + _sdma_close_tx(dd, tx); + } + } +- tx->num_desc++; + return rval; + } + +-- +2.39.2 + diff --git a/queue-5.4/ima-fix-build-warnings.patch b/queue-5.4/ima-fix-build-warnings.patch new file mode 100644 index 00000000000..ef4b0a03fc5 --- /dev/null +++ b/queue-5.4/ima-fix-build-warnings.patch @@ -0,0 +1,61 @@ +From a51450c0b2a17fd29dcb2b4169473a99934099d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 09:41:13 +0200 +Subject: ima: Fix build warnings + +From: Roberto Sassu + +[ Upstream commit 95526d13038c2bbddd567a4d8e39fac42484e182 ] + +Fix build warnings (function parameters description) for +ima_collect_modsig(), ima_match_policy() and ima_parse_add_rule(). + +Fixes: 15588227e086 ("ima: Collect modsig") # v5.4+ +Fixes: 2fe5d6def167 ("ima: integrity appraisal extension") # v5.14+ +Fixes: 4af4662fa4a9 ("integrity: IMA policy") # v3.2+ +Signed-off-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_modsig.c | 3 +++ + security/integrity/ima/ima_policy.c | 3 ++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c +index d106885cc4955..5fb971efc6e10 100644 +--- a/security/integrity/ima/ima_modsig.c ++++ b/security/integrity/ima/ima_modsig.c +@@ -109,6 +109,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, + + /** + * ima_collect_modsig - Calculate the file hash without the appended signature. ++ * @modsig: parsed module signature ++ * @buf: data to verify the signature on ++ * @size: data size + * + * Since the modsig is part of the file contents, the hash used in its signature + * isn't the same one ordinarily calculated by IMA. Therefore PKCS7 code +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 6df0436462ab7..e749403f07a8b 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -500,6 +500,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) + * @secid: LSM secid of the task to be validated + * @func: IMA hook identifier + * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) ++ * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE) + * @pcr: set the pcr to extend + * @template_desc: the template that should be used for this rule + * +@@ -1266,7 +1267,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) + + /** + * ima_parse_add_rule - add a rule to ima_policy_rules +- * @rule - ima measurement policy rule ++ * @rule: ima measurement policy rule + * + * Avoid locking by allowing just one writer at a time in ima_write_policy() + * Returns the length of the rule parsed, an error code on failure +-- +2.39.2 + diff --git a/queue-5.4/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch b/queue-5.4/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch new file mode 100644 index 00000000000..f6f3ffbb3e1 --- /dev/null +++ b/queue-5.4/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch @@ -0,0 +1,39 @@ +From 9c456640af3511035ce8c2a97570abdec1de36c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 17:27:55 -0700 +Subject: Input: adxl34x - do not hardcode interrupt trigger type + +From: Marek Vasut + +[ Upstream commit e96220bce5176ed2309f77f061dcc0430b82b25e ] + +Instead of hardcoding IRQ trigger type to IRQF_TRIGGER_HIGH, let's +respect the settings specified in the firmware description. + +Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers") +Signed-off-by: Marek Vasut +Acked-by: Michael Hennerich +Link: https://lore.kernel.org/r/20230509203555.549158-1-marex@denx.de +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/adxl34x.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c +index 4cc4e8ff42b33..ad035c342cd3b 100644 +--- a/drivers/input/misc/adxl34x.c ++++ b/drivers/input/misc/adxl34x.c +@@ -811,8 +811,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq, + AC_WRITE(ac, POWER_CTL, 0); + + err = request_threaded_irq(ac->irq, NULL, adxl34x_irq, +- IRQF_TRIGGER_HIGH | IRQF_ONESHOT, +- dev_name(dev), ac); ++ IRQF_ONESHOT, dev_name(dev), ac); + if (err) { + dev_err(dev, "irq %d busy?\n", ac->irq); + goto err_free_mem; +-- +2.39.2 + diff --git a/queue-5.4/input-drv260x-sleep-between-polling-go-bit.patch b/queue-5.4/input-drv260x-sleep-between-polling-go-bit.patch new file mode 100644 index 00000000000..38cfb6c5476 --- /dev/null +++ b/queue-5.4/input-drv260x-sleep-between-polling-go-bit.patch @@ -0,0 +1,39 @@ +From deaccebed61ccc21f57924efe05fd9eae857cfbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 May 2023 17:01:45 -0700 +Subject: Input: drv260x - sleep between polling GO bit + +From: Luca Weiss + +[ Upstream commit efef661dfa6bf8cbafe4cd6a97433fcef0118967 ] + +When doing the initial startup there's no need to poll without any +delay and spam the I2C bus. + +Let's sleep 15ms between each attempt, which is the same time as used +in the vendor driver. + +Fixes: 7132fe4f5687 ("Input: drv260x - add TI drv260x haptics driver") +Signed-off-by: Luca Weiss +Link: https://lore.kernel.org/r/20230430-drv260x-improvements-v1-2-1fb28b4cc698@z3ntu.xyz +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/drv260x.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c +index 79d7fa710a714..54002d1a446b7 100644 +--- a/drivers/input/misc/drv260x.c ++++ b/drivers/input/misc/drv260x.c +@@ -435,6 +435,7 @@ static int drv260x_init(struct drv260x_data *haptics) + } + + do { ++ usleep_range(15000, 15500); + error = regmap_read(haptics->regmap, DRV260X_GO, &cal_buf); + if (error) { + dev_err(&haptics->client->dev, +-- +2.39.2 + diff --git a/queue-5.4/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch b/queue-5.4/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch new file mode 100644 index 00000000000..8130c2df469 --- /dev/null +++ b/queue-5.4/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch @@ -0,0 +1,66 @@ +From 35f34daabd4d15e75c1c2170d9f2c1a226290375 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 17:33:47 +0800 +Subject: ipvlan: Fix return value of ipvlan_queue_xmit() + +From: Cambda Zhu + +[ Upstream commit 8a9922e7be6d042fa00f894c376473b17a162b66 ] + +ipvlan_queue_xmit() should return NET_XMIT_XXX, but +ipvlan_xmit_mode_l2/l3() returns rx_handler_result_t or NET_RX_XXX +in some cases. ipvlan_rcv_frame() will only return RX_HANDLER_CONSUMED +in ipvlan_xmit_mode_l2/l3() because 'local' is true. It's equal to +NET_XMIT_SUCCESS. But dev_forward_skb() can return NET_RX_SUCCESS or +NET_RX_DROP, and returning NET_RX_DROP(NET_XMIT_DROP) will increase +both ipvlan and ipvlan->phy_dev drops counter. + +The skb to forward can be treated as xmitted successfully. This patch +makes ipvlan_queue_xmit() return NET_XMIT_SUCCESS for forward skb. + +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: Cambda Zhu +Link: https://lore.kernel.org/r/20230626093347.7492-1-cambda@linux.alibaba.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index 0a5b5ff597c6f..ab09d110760ec 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -586,7 +586,8 @@ static int ipvlan_xmit_mode_l3(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + return NET_XMIT_DROP; + } +- return ipvlan_rcv_frame(addr, &skb, true); ++ ipvlan_rcv_frame(addr, &skb, true); ++ return NET_XMIT_SUCCESS; + } + } + out: +@@ -612,7 +613,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + return NET_XMIT_DROP; + } +- return ipvlan_rcv_frame(addr, &skb, true); ++ ipvlan_rcv_frame(addr, &skb, true); ++ return NET_XMIT_SUCCESS; + } + } + skb = skb_share_check(skb, GFP_ATOMIC); +@@ -624,7 +626,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) + * the skb for the main-dev. At the RX side we just return + * RX_PASS for it to be processed further on the stack. + */ +- return dev_forward_skb(ipvlan->phy_dev, skb); ++ dev_forward_skb(ipvlan->phy_dev, skb); ++ return NET_XMIT_SUCCESS; + + } else if (is_multicast_ether_addr(eth->h_dest)) { + skb_reset_mac_header(skb); +-- +2.39.2 + diff --git a/queue-5.4/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch b/queue-5.4/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch new file mode 100644 index 00000000000..a27520cabe5 --- /dev/null +++ b/queue-5.4/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch @@ -0,0 +1,53 @@ +From f17b7dd8b298df39048fbf98b7ebd6f7c8b807af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 18:33:42 +0200 +Subject: irqchip/jcore-aic: Fix missing allocation of IRQ descriptors + +From: John Paul Adrian Glaubitz + +[ Upstream commit 4848229494a323eeaab62eee5574ef9f7de80374 ] + +The initialization function for the J-Core AIC aic_irq_of_init() is +currently missing the call to irq_alloc_descs() which allocates and +initializes all the IRQ descriptors. Add missing function call and +return the error code from irq_alloc_descs() in case the allocation +fails. + +Fixes: 981b58f66cfc ("irqchip/jcore-aic: Add J-Core AIC driver") +Signed-off-by: John Paul Adrian Glaubitz +Tested-by: Rob Landley +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230510163343.43090-1-glaubitz@physik.fu-berlin.de +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-jcore-aic.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c +index 5f47d8ee4ae39..b9dcc8e78c750 100644 +--- a/drivers/irqchip/irq-jcore-aic.c ++++ b/drivers/irqchip/irq-jcore-aic.c +@@ -68,6 +68,7 @@ static int __init aic_irq_of_init(struct device_node *node, + unsigned min_irq = JCORE_AIC2_MIN_HWIRQ; + unsigned dom_sz = JCORE_AIC_MAX_HWIRQ+1; + struct irq_domain *domain; ++ int ret; + + pr_info("Initializing J-Core AIC\n"); + +@@ -100,6 +101,12 @@ static int __init aic_irq_of_init(struct device_node *node, + jcore_aic.irq_unmask = noop; + jcore_aic.name = "AIC"; + ++ ret = irq_alloc_descs(-1, min_irq, dom_sz - min_irq, ++ of_node_to_nid(node)); ++ ++ if (ret < 0) ++ return ret; ++ + domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq, + &jcore_aic_irqdomain_ops, + &jcore_aic); +-- +2.39.2 + diff --git a/queue-5.4/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch b/queue-5.4/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch new file mode 100644 index 00000000000..254ab8be632 --- /dev/null +++ b/queue-5.4/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch @@ -0,0 +1,41 @@ +From 567410ef2e3646e5cde58e251d16d4bd165cb6e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 10:35:51 +0100 +Subject: irqchip/jcore-aic: Kill use of irq_create_strict_mappings() + +From: Marc Zyngier + +[ Upstream commit 5f8b938bd790cff6542c7fe3c1495c71f89fef1b ] + +irq_create_strict_mappings() is a poor way to allow the use of +a linear IRQ domain as a legacy one. Let's be upfront about it. + +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210406093557.1073423-4-maz@kernel.org +Stable-dep-of: 4848229494a3 ("irqchip/jcore-aic: Fix missing allocation of IRQ descriptors") +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-jcore-aic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c +index 033bccb41455c..5f47d8ee4ae39 100644 +--- a/drivers/irqchip/irq-jcore-aic.c ++++ b/drivers/irqchip/irq-jcore-aic.c +@@ -100,11 +100,11 @@ static int __init aic_irq_of_init(struct device_node *node, + jcore_aic.irq_unmask = noop; + jcore_aic.name = "AIC"; + +- domain = irq_domain_add_linear(node, dom_sz, &jcore_aic_irqdomain_ops, ++ domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq, ++ &jcore_aic_irqdomain_ops, + &jcore_aic); + if (!domain) + return -ENOMEM; +- irq_create_strict_mappings(domain, min_irq, min_irq, dom_sz - min_irq); + + return 0; + } +-- +2.39.2 + diff --git a/queue-5.4/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch b/queue-5.4/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch new file mode 100644 index 00000000000..7621ed250c6 --- /dev/null +++ b/queue-5.4/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch @@ -0,0 +1,93 @@ +From 5fb5cd1001376c72e6b15b36e2ec0a24646d9c74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 20:34:34 +0800 +Subject: kexec: fix a memory leak in crash_shrink_memory() + +From: Zhen Lei + +[ Upstream commit 1cba6c4309f03de570202c46f03df3f73a0d4c82 ] + +Patch series "kexec: enable kexec_crash_size to support two crash kernel +regions". + +When crashkernel=X fails to reserve region under 4G, it will fall back to +reserve region above 4G and a region of the default size will also be +reserved under 4G. Unfortunately, /sys/kernel/kexec_crash_size only +supports one crash kernel region now, the user cannot sense the low memory +reserved by reading /sys/kernel/kexec_crash_size. Also, low memory cannot +be freed by writing this file. + +For example: +resource_size(crashk_res) = 512M +resource_size(crashk_low_res) = 256M + +The result of 'cat /sys/kernel/kexec_crash_size' is 512M, but it should be +768M. When we execute 'echo 0 > /sys/kernel/kexec_crash_size', the size +of crashk_res becomes 0 and resource_size(crashk_low_res) is still 256 MB, +which is incorrect. + +Since crashk_res manages the memory with high address and crashk_low_res +manages the memory with low address, crashk_low_res is shrunken only when +all crashk_res is shrunken. And because when there is only one crash +kernel region, crashk_res is always used. Therefore, if all crashk_res is +shrunken and crashk_low_res still exists, swap them. + +This patch (of 6): + +If the value of parameter 'new_size' is in the semi-open and semi-closed +interval (crashk_res.end - KEXEC_CRASH_MEM_ALIGN + 1, crashk_res.end], the +calculation result of ram_res is: + + ram_res->start = crashk_res.end + 1 + ram_res->end = crashk_res.end + +The operation of insert_resource() fails, and ram_res is not added to +iomem_resource. As a result, the memory of the control block ram_res is +leaked. + +In fact, on all architectures, the start address and size of crashk_res +are already aligned by KEXEC_CRASH_MEM_ALIGN. Therefore, we do not need +to round up crashk_res.start again. Instead, we should round up +'new_size' in advance. + +Link: https://lkml.kernel.org/r/20230527123439.772-1-thunder.leizhen@huawei.com +Link: https://lkml.kernel.org/r/20230527123439.772-2-thunder.leizhen@huawei.com +Fixes: 6480e5a09237 ("kdump: add missing RAM resource in crash_shrink_memory()") +Fixes: 06a7f711246b ("kexec: premit reduction of the reserved memory size") +Signed-off-by: Zhen Lei +Acked-by: Baoquan He +Cc: Cong Wang +Cc: Eric W. Biederman +Cc: Michael Holzheu +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/kexec_core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c +index d65b0fc8fb48b..3694d90c3722f 100644 +--- a/kernel/kexec_core.c ++++ b/kernel/kexec_core.c +@@ -1019,6 +1019,7 @@ int crash_shrink_memory(unsigned long new_size) + start = crashk_res.start; + end = crashk_res.end; + old_size = (end == 0) ? 0 : end - start + 1; ++ new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN); + if (new_size >= old_size) { + ret = (new_size == old_size) ? 0 : -EINVAL; + goto unlock; +@@ -1030,9 +1031,7 @@ int crash_shrink_memory(unsigned long new_size) + goto unlock; + } + +- start = roundup(start, KEXEC_CRASH_MEM_ALIGN); +- end = roundup(start + new_size, KEXEC_CRASH_MEM_ALIGN); +- ++ end = start + new_size; + crash_free_reserved_phys_range(end, crashk_res.end); + + if ((start == end) && (crashk_res.parent != NULL)) +-- +2.39.2 + diff --git a/queue-5.4/lib-ts_bm-reset-initial-match-offset-for-every-block.patch b/queue-5.4/lib-ts_bm-reset-initial-match-offset-for-every-block.patch new file mode 100644 index 00000000000..704c8be9887 --- /dev/null +++ b/queue-5.4/lib-ts_bm-reset-initial-match-offset-for-every-block.patch @@ -0,0 +1,59 @@ +From e840b0560f2efee094b37016ba0a076546bc07d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 20:06:57 +0100 +Subject: lib/ts_bm: reset initial match offset for every block of text + +From: Jeremy Sowden + +[ Upstream commit 6f67fbf8192da80c4db01a1800c7fceaca9cf1f9 ] + +The `shift` variable which indicates the offset in the string at which +to start matching the pattern is initialized to `bm->patlen - 1`, but it +is not reset when a new block is retrieved. This means the implemen- +tation may start looking at later and later positions in each successive +block and miss occurrences of the pattern at the beginning. E.g., +consider a HTTP packet held in a non-linear skb, where the HTTP request +line occurs in the second block: + + [... 52 bytes of packet headers ...] + GET /bmtest HTTP/1.1\r\nHost: www.example.com\r\n\r\n + +and the pattern is "GET /bmtest". + +Once the first block comprising the packet headers has been examined, +`shift` will be pointing to somewhere near the end of the block, and so +when the second block is examined the request line at the beginning will +be missed. + +Reinitialize the variable for each new block. + +Fixes: 8082e4ed0a61 ("[LIB]: Boyer-Moore extension for textsearch infrastructure strike #2") +Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390 +Signed-off-by: Jeremy Sowden +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + lib/ts_bm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/ts_bm.c b/lib/ts_bm.c +index b352903c50e38..0a22ae48af61f 100644 +--- a/lib/ts_bm.c ++++ b/lib/ts_bm.c +@@ -60,10 +60,12 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state) + struct ts_bm *bm = ts_config_priv(conf); + unsigned int i, text_len, consumed = state->offset; + const u8 *text; +- int shift = bm->patlen - 1, bs; ++ int bs; + const u8 icase = conf->flags & TS_IGNORECASE; + + for (;;) { ++ int shift = bm->patlen - 1; ++ + text_len = conf->get_next_block(consumed, &text, conf, state); + + if (unlikely(text_len == 0)) +-- +2.39.2 + diff --git a/queue-5.4/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch b/queue-5.4/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch new file mode 100644 index 00000000000..1c6ae0b220d --- /dev/null +++ b/queue-5.4/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch @@ -0,0 +1,65 @@ +From 424deacdd4401864eadf2e2e8b7afd6a5ebb7f9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 21:48:05 +0800 +Subject: md/raid10: check slab-out-of-bounds in md_bitmap_get_counter + +From: Li Nan + +[ Upstream commit 301867b1c16805aebbc306aafa6ecdc68b73c7e5 ] + +If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage() +will return -EINVAL because 'page >= bitmap->pages', but the return value +was not checked immediately in md_bitmap_get_counter() in order to set +*blocks value and slab-out-of-bounds occurs. + +Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and +return directly if true. + +Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index 0545cdccf6369..bea8265ce9b8e 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -54,14 +54,7 @@ __acquires(bitmap->lock) + { + unsigned char *mappage; + +- if (page >= bitmap->pages) { +- /* This can happen if bitmap_start_sync goes beyond +- * End-of-device while looking for a whole page. +- * It is harmless. +- */ +- return -EINVAL; +- } +- ++ WARN_ON_ONCE(page >= bitmap->pages); + if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to alloc */ + return 0; + +@@ -1369,6 +1362,14 @@ __acquires(bitmap->lock) + sector_t csize; + int err; + ++ if (page >= bitmap->pages) { ++ /* ++ * This can happen if bitmap_start_sync goes beyond ++ * End-of-device while looking for a whole page or ++ * user set a huge number to sysfs bitmap_set_bits. ++ */ ++ return NULL; ++ } + err = md_bitmap_checkpage(bitmap, page, create, 0); + + if (bitmap->bp[page].hijacked || +-- +2.39.2 + diff --git a/queue-5.4/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch b/queue-5.4/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch new file mode 100644 index 00000000000..8e2253166d4 --- /dev/null +++ b/queue-5.4/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch @@ -0,0 +1,79 @@ +From dbee0683a39045c5b85c5ce372f10260fec448aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 17:18:39 +0800 +Subject: md/raid10: fix io loss while replacement replace rdev + +From: Li Nan + +[ Upstream commit 2ae6aaf76912bae53c74b191569d2ab484f24bf3 ] + +When removing a disk with replacement, the replacement will be used to +replace rdev. During this process, there is a brief window in which both +rdev and replacement are read as NULL in raid10_write_request(). This +will result in io not being submitted but it should be. + + //remove //write + raid10_remove_disk raid10_write_request + mirror->rdev = NULL + read rdev -> NULL + mirror->rdev = mirror->replacement + mirror->replacement = NULL + read replacement -> NULL + +Fix it by reading replacement first and rdev later, meanwhile, use smp_mb() +to prevent memory reordering. + +Fixes: 475b0321a4df ("md/raid10: writes should get directed to replacement as well as original.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230602091839.743798-3-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 7f762df43a2fc..db4de8e07cd97 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -751,8 +751,16 @@ static struct md_rdev *read_balance(struct r10conf *conf, + disk = r10_bio->devs[slot].devnum; + rdev = rcu_dereference(conf->mirrors[disk].replacement); + if (rdev == NULL || test_bit(Faulty, &rdev->flags) || +- r10_bio->devs[slot].addr + sectors > rdev->recovery_offset) ++ r10_bio->devs[slot].addr + sectors > ++ rdev->recovery_offset) { ++ /* ++ * Read replacement first to prevent reading both rdev ++ * and replacement as NULL during replacement replace ++ * rdev. ++ */ ++ smp_mb(); + rdev = rcu_dereference(conf->mirrors[disk].rdev); ++ } + if (rdev == NULL || + test_bit(Faulty, &rdev->flags)) + continue; +@@ -1363,9 +1371,15 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio, + + for (i = 0; i < conf->copies; i++) { + int d = r10_bio->devs[i].devnum; +- struct md_rdev *rdev = rcu_dereference(conf->mirrors[d].rdev); +- struct md_rdev *rrdev = rcu_dereference( +- conf->mirrors[d].replacement); ++ struct md_rdev *rdev, *rrdev; ++ ++ rrdev = rcu_dereference(conf->mirrors[d].replacement); ++ /* ++ * Read replacement first to prevent reading both rdev and ++ * replacement as NULL during replacement replace rdev. ++ */ ++ smp_mb(); ++ rdev = rcu_dereference(conf->mirrors[d].rdev); + if (rdev == rrdev) + rrdev = NULL; + if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) { +-- +2.39.2 + diff --git a/queue-5.4/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch b/queue-5.4/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch new file mode 100644 index 00000000000..31029cc4bbc --- /dev/null +++ b/queue-5.4/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch @@ -0,0 +1,81 @@ +From fe46b1dc2a17a2bf0917ebda81c867957f1909ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 15:22:15 +0800 +Subject: md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request + +From: Li Nan + +[ Upstream commit 34817a2441747b48e444cb0e05d84e14bc9443da ] + +There are two check of 'mreplace' in raid10_sync_request(). In the first +check, 'need_replace' will be set and 'mreplace' will be used later if +no-Faulty 'mreplace' exists, In the second check, 'mreplace' will be +set to NULL if it is Faulty, but 'need_replace' will not be changed +accordingly. null-ptr-deref occurs if Faulty is set between two check. + +Fix it by merging two checks into one. And replace 'need_replace' with +'mreplace' because their values are always the same. + +Fixes: ee37d7314a32 ("md/raid10: Fix raid10 replace hang when new added disk faulty") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230527072218.2365857-2-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index aee429ab114a5..7f762df43a2fc 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -3054,7 +3054,6 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, + int must_sync; + int any_working; + int need_recover = 0; +- int need_replace = 0; + struct raid10_info *mirror = &conf->mirrors[i]; + struct md_rdev *mrdev, *mreplace; + +@@ -3066,11 +3065,10 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, + !test_bit(Faulty, &mrdev->flags) && + !test_bit(In_sync, &mrdev->flags)) + need_recover = 1; +- if (mreplace != NULL && +- !test_bit(Faulty, &mreplace->flags)) +- need_replace = 1; ++ if (mreplace && test_bit(Faulty, &mreplace->flags)) ++ mreplace = NULL; + +- if (!need_recover && !need_replace) { ++ if (!need_recover && !mreplace) { + rcu_read_unlock(); + continue; + } +@@ -3086,8 +3084,6 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, + rcu_read_unlock(); + continue; + } +- if (mreplace && test_bit(Faulty, &mreplace->flags)) +- mreplace = NULL; + /* Unless we are doing a full sync, or a replacement + * we only need to recover the block if it is set in + * the bitmap +@@ -3210,11 +3206,11 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, + bio = r10_bio->devs[1].repl_bio; + if (bio) + bio->bi_end_io = NULL; +- /* Note: if need_replace, then bio ++ /* Note: if replace is not NULL, then bio + * cannot be NULL as r10buf_pool_alloc will + * have allocated it. + */ +- if (!need_replace) ++ if (!mreplace) + break; + bio->bi_next = biolist; + biolist = bio; +-- +2.39.2 + diff --git a/queue-5.4/md-raid10-fix-overflow-of-md-safe_mode_delay.patch b/queue-5.4/md-raid10-fix-overflow-of-md-safe_mode_delay.patch new file mode 100644 index 00000000000..dc65a9d1a5b --- /dev/null +++ b/queue-5.4/md-raid10-fix-overflow-of-md-safe_mode_delay.patch @@ -0,0 +1,51 @@ +From 047ef324b352b0a73fa40f3a132be57b8dc224b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 15:25:33 +0800 +Subject: md/raid10: fix overflow of md/safe_mode_delay + +From: Li Nan + +[ Upstream commit 6beb489b2eed25978523f379a605073f99240c50 ] + +There is no input check when echo md/safe_mode_delay in safe_delay_store(). +And msec might also overflow when HZ < 1000 in safe_delay_show(), Fix it by +checking overflow in safe_delay_store() and use unsigned long conversion in +safe_delay_show(). + +Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers") +Signed-off-by: Li Nan +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230522072535.1523740-2-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 64558991ce0a0..bae264aae3cd0 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -3766,8 +3766,9 @@ int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale) + static ssize_t + safe_delay_show(struct mddev *mddev, char *page) + { +- int msec = (mddev->safemode_delay*1000)/HZ; +- return sprintf(page, "%d.%03d\n", msec/1000, msec%1000); ++ unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ; ++ ++ return sprintf(page, "%u.%03u\n", msec/1000, msec%1000); + } + static ssize_t + safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len) +@@ -3779,7 +3780,7 @@ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len) + return -EINVAL; + } + +- if (strict_strtoul_scaled(cbuf, &msec, 3) < 0) ++ if (strict_strtoul_scaled(cbuf, &msec, 3) < 0 || msec > UINT_MAX / HZ) + return -EINVAL; + if (msec == 0) + mddev->safemode_delay = 0; +-- +2.39.2 + diff --git a/queue-5.4/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch b/queue-5.4/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch new file mode 100644 index 00000000000..2dc628be34b --- /dev/null +++ b/queue-5.4/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch @@ -0,0 +1,38 @@ +From 7c790c7196a12230bfbc93020dc28688b8f7016c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 15:25:34 +0800 +Subject: md/raid10: fix wrong setting of max_corr_read_errors + +From: Li Nan + +[ Upstream commit f8b20a405428803bd9881881d8242c9d72c6b2b2 ] + +There is no input check when echo md/max_read_errors and overflow might +occur. Add check of input number. + +Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230522072535.1523740-3-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index bae264aae3cd0..0765712513e7d 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -4441,6 +4441,8 @@ max_corrected_read_errors_store(struct mddev *mddev, const char *buf, size_t len + rv = kstrtouint(buf, 10, &n); + if (rv < 0) + return rv; ++ if (n > INT_MAX) ++ return -EINVAL; + atomic_set(&mddev->max_corr_read_errors, n); + return len; + } +-- +2.39.2 + diff --git a/queue-5.4/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch b/queue-5.4/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch new file mode 100644 index 00000000000..7891944c498 --- /dev/null +++ b/queue-5.4/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch @@ -0,0 +1,50 @@ +From 9b02b49d7db025e04ef464355fa2fc21bf311e8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 May 2023 13:29:31 +0200 +Subject: memory: brcmstb_dpfe: fix testing array offset after use + +From: Krzysztof Kozlowski + +[ Upstream commit 1d9e93fad549bc38f593147479ee063f2872c170 ] + +Code should first check for valid value of array offset, then use it as +the index. Fixes smatch warning: + + drivers/memory/brcmstb_dpfe.c:443 __send_command() error: testing array offset 'cmd' after use. + +Fixes: 2f330caff577 ("memory: brcmstb: Add driver for DPFE") +Acked-by: Markus Mayer +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20230513112931.176066-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/brcmstb_dpfe.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c +index 6827ed4847507..127a9bffdbca8 100644 +--- a/drivers/memory/brcmstb_dpfe.c ++++ b/drivers/memory/brcmstb_dpfe.c +@@ -398,15 +398,17 @@ static void __finalize_command(struct private_data *priv) + static int __send_command(struct private_data *priv, unsigned int cmd, + u32 result[]) + { +- const u32 *msg = priv->dpfe_api->command[cmd]; + void __iomem *regs = priv->regs; + unsigned int i, chksum, chksum_idx; ++ const u32 *msg; + int ret = 0; + u32 resp; + + if (cmd >= DPFE_CMD_MAX) + return -1; + ++ msg = priv->dpfe_api->command[cmd]; ++ + mutex_lock(&priv->lock); + + /* Wait for DCPU to become ready */ +-- +2.39.2 + diff --git a/queue-5.4/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch b/queue-5.4/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch new file mode 100644 index 00000000000..7505393416b --- /dev/null +++ b/queue-5.4/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch @@ -0,0 +1,49 @@ +From a39791fb240f8a0cc95a7b38c8d051d9c66a539c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 22:27:04 +0200 +Subject: memstick r592: make memstick_debug_get_tpc_name() static + +From: Arnd Bergmann + +[ Upstream commit 434587df9f7fd68575f99a889cc5f2efc2eaee5e ] + +There are no other files referencing this function, apparently +it was left global to avoid an 'unused function' warning when +the only caller is left out. With a 'W=1' build, it causes +a 'missing prototype' warning though: + +drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes] + +Annotate the function as 'static __maybe_unused' to avoid both +problems. + +Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/host/r592.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c +index dd06c18495eb6..0e37c6a5ee36c 100644 +--- a/drivers/memstick/host/r592.c ++++ b/drivers/memstick/host/r592.c +@@ -44,12 +44,10 @@ static const char *tpc_names[] = { + * memstick_debug_get_tpc_name - debug helper that returns string for + * a TPC number + */ +-const char *memstick_debug_get_tpc_name(int tpc) ++static __maybe_unused const char *memstick_debug_get_tpc_name(int tpc) + { + return tpc_names[tpc-1]; + } +-EXPORT_SYMBOL(memstick_debug_get_tpc_name); +- + + /* Read a register*/ + static inline u32 r592_read_reg(struct r592_device *dev, int address) +-- +2.39.2 + diff --git a/queue-5.4/modpost-fix-off-by-one-in-is_executable_section.patch b/queue-5.4/modpost-fix-off-by-one-in-is_executable_section.patch new file mode 100644 index 00000000000..e7be2880cc0 --- /dev/null +++ b/queue-5.4/modpost-fix-off-by-one-in-is_executable_section.patch @@ -0,0 +1,36 @@ +From b87d4d45db6fc1d96fd0ef1971e19eeee6f18792 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 11:23:40 +0300 +Subject: modpost: fix off by one in is_executable_section() + +From: Dan Carpenter + +[ Upstream commit 3a3f1e573a105328a2cca45a7cfbebabbf5e3192 ] + +The > comparison should be >= to prevent an out of bounds array +access. + +Fixes: 52dc0595d540 ("modpost: handle relocations mismatch in __ex_table.") +Signed-off-by: Dan Carpenter +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index 75d76b8f50302..53e276bb24acd 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1633,7 +1633,7 @@ static void default_mismatch_handler(const char *modname, struct elf_info *elf, + + static int is_executable_section(struct elf_info* elf, unsigned int section_index) + { +- if (section_index > elf->num_sections) ++ if (section_index >= elf->num_sections) + fatal("section_index is outside elf->num_sections!\n"); + + return ((elf->sechdrs[section_index].sh_flags & SHF_EXECINSTR) == SHF_EXECINSTR); +-- +2.39.2 + diff --git a/queue-5.4/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch b/queue-5.4/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch new file mode 100644 index 00000000000..e9ce3efead0 --- /dev/null +++ b/queue-5.4/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch @@ -0,0 +1,106 @@ +From 18d9db07cfefd6401ee7753b30d76c0ee86a82bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 21:09:56 +0900 +Subject: modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24} + +From: Masahiro Yamada + +[ Upstream commit 56a24b8ce6a7f9c4a21b2276a8644f6f3d8fc14d ] + +addend_arm_rel() processes R_ARM_PC24, R_ARM_CALL, R_ARM_JUMP24 in a +wrong way. + +Here, test code. + +[test code for R_ARM_JUMP24] + + .section .init.text,"ax" + bar: + bx lr + + .section .text,"ax" + .globl foo + foo: + b bar + +[test code for R_ARM_CALL] + + .section .init.text,"ax" + bar: + bx lr + + .section .text,"ax" + .globl foo + foo: + push {lr} + bl bar + pop {pc} + +If you compile it with ARM multi_v7_defconfig, modpost will show the +symbol name, (unknown). + + WARNING: modpost: vmlinux.o: section mismatch in reference: foo (section: .text) -> (unknown) (section: .init.text) + +(You need to use GNU linker instead of LLD to reproduce it.) + +Fix the code to make modpost show the correct symbol name. + +I imported (with adjustment) sign_extend32() from include/linux/bitops.h. + +The '+8' is the compensation for pc-relative instruction. It is +documented in "ELF for the Arm Architecture" [1]. + + "If the relocation is pc-relative then compensation for the PC bias + (the PC value is 8 bytes ahead of the executing instruction in Arm + state and 4 bytes in Thumb state) must be encoded in the relocation + by the object producer." + +[1]: https://github.com/ARM-software/abi-aa/blob/main/aaelf32/aaelf32.rst + +Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") +Fixes: 6e2e340b59d2 ("ARM: 7324/1: modpost: Fix section warnings for ARM for many compilers") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index ad955c45d7a53..75d76b8f50302 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1812,12 +1812,20 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + #define R_ARM_THM_JUMP19 51 + #endif + ++static int32_t sign_extend32(int32_t value, int index) ++{ ++ uint8_t shift = 31 - index; ++ ++ return (int32_t)(value << shift) >> shift; ++} ++ + static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + { + unsigned int r_typ = ELF_R_TYPE(r->r_info); + Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); + void *loc = reloc_location(elf, sechdr, r); + uint32_t inst; ++ int32_t offset; + + switch (r_typ) { + case R_ARM_ABS32: +@@ -1827,6 +1835,10 @@ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + case R_ARM_PC24: + case R_ARM_CALL: + case R_ARM_JUMP24: ++ inst = TO_NATIVE(*(uint32_t *)loc); ++ offset = sign_extend32((inst & 0x00ffffff) << 2, 25); ++ r->r_addend = offset + sym->st_value + 8; ++ break; + case R_ARM_THM_CALL: + case R_ARM_THM_JUMP24: + case R_ARM_THM_JUMP19: +-- +2.39.2 + diff --git a/queue-5.4/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch b/queue-5.4/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch new file mode 100644 index 00000000000..7df4ab44079 --- /dev/null +++ b/queue-5.4/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch @@ -0,0 +1,133 @@ +From 20def63b530d07096c52c0a287ada543f35a00b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 21:09:55 +0900 +Subject: modpost: fix section mismatch message for R_ARM_ABS32 + +From: Masahiro Yamada + +[ Upstream commit b7c63520f6703a25eebb4f8138fed764fcae1c6f ] + +addend_arm_rel() processes R_ARM_ABS32 in a wrong way. + +Here, test code. + + [test code 1] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + +If you compile it with ARM versatile_defconfig, modpost will show the +symbol name, (unknown). + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> (unknown) (section: .init.data) + +(You need to use GNU linker instead of LLD to reproduce it.) + +If you compile it for other architectures, modpost will show the correct +symbol name. + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) + +For R_ARM_ABS32, addend_arm_rel() sets r->r_addend to a wrong value. + +I just mimicked the code in arch/arm/kernel/module.c. + +However, there is more difficulty for ARM. + +Here, test code. + + [test code 2] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + + int __initdata bar; + int get_bar(void) { return bar; } + +With this commit applied, modpost will show the following messages +for ARM versatile_defconfig: + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) + WARNING: modpost: vmlinux.o: section mismatch in reference: get_bar (section: .text) -> foo (section: .init.data) + +The reference from 'get_bar' to 'foo' seems wrong. + +I have no solution for this because it is true in assembly level. + +In the following output, relocation at 0x1c is no longer associated +with 'bar'. The two relocation entries point to the same symbol, and +the offset to 'bar' is encoded in the instruction 'r0, [r3, #4]'. + + Disassembly of section .text: + + 00000000 : + 0: e59f3004 ldr r3, [pc, #4] @ c + 4: e5930000 ldr r0, [r3] + 8: e12fff1e bx lr + c: 00000000 .word 0x00000000 + + 00000010 : + 10: e59f3004 ldr r3, [pc, #4] @ 1c + 14: e5930004 ldr r0, [r3, #4] + 18: e12fff1e bx lr + 1c: 00000000 .word 0x00000000 + + Relocation section '.rel.text' at offset 0x244 contains 2 entries: + Offset Info Type Sym.Value Sym. Name + 0000000c 00000c02 R_ARM_ABS32 00000000 .init.data + 0000001c 00000c02 R_ARM_ABS32 00000000 .init.data + +When find_elf_symbol() gets into a situation where relsym->st_name is +zero, there is no guarantee to get the symbol name as written in C. + +I am keeping the current logic because it is useful in many architectures, +but the symbol name is not always correct depending on the optimization. +I left some comments in find_tosym(). + +Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index e5aeaf72dcdb8..ad955c45d7a53 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1325,6 +1325,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, + if (relsym->st_name != 0) + return relsym; + ++ /* ++ * Strive to find a better symbol name, but the resulting name may not ++ * match the symbol referenced in the original code. ++ */ + relsym_secindex = get_secindex(elf, relsym); + for (sym = elf->symtab_start; sym < elf->symtab_stop; sym++) { + if (get_secindex(elf, sym) != relsym_secindex) +@@ -1811,12 +1815,14 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + { + unsigned int r_typ = ELF_R_TYPE(r->r_info); ++ Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); ++ void *loc = reloc_location(elf, sechdr, r); ++ uint32_t inst; + + switch (r_typ) { + case R_ARM_ABS32: +- /* From ARM ABI: (S + A) | T */ +- r->r_addend = (int)(long) +- (elf->symtab_start + ELF_R_SYM(r->r_info)); ++ inst = TO_NATIVE(*(uint32_t *)loc); ++ r->r_addend = inst + sym->st_value; + break; + case R_ARM_PC24: + case R_ARM_CALL: +-- +2.39.2 + diff --git a/queue-5.4/net-create-netdev-dev_addr-assignment-helpers.patch b/queue-5.4/net-create-netdev-dev_addr-assignment-helpers.patch new file mode 100644 index 00000000000..78a6d4dca46 --- /dev/null +++ b/queue-5.4/net-create-netdev-dev_addr-assignment-helpers.patch @@ -0,0 +1,82 @@ +From 2d67803006cfe8da5b9f45fd45488caadc9bd986 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 11:10:37 -0700 +Subject: net: create netdev->dev_addr assignment helpers + +From: Jakub Kicinski + +[ Upstream commit 48eab831ae8b9f7002a533fa4235eed63ea1f1a3 ] + +Recent work on converting address list to a tree made it obvious +we need an abstraction around writing netdev->dev_addr. Without +such abstraction updating the main device address is invisible +to the core. + +Introduce a number of helpers which for now just wrap memcpy() +but in the future can make necessary changes to the address +tree. + +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + include/linux/etherdevice.h | 12 ++++++++++++ + include/linux/netdevice.h | 18 ++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h +index 0f1e95240c0c0..66b89189a1e2e 100644 +--- a/include/linux/etherdevice.h ++++ b/include/linux/etherdevice.h +@@ -288,6 +288,18 @@ static inline void ether_addr_copy(u8 *dst, const u8 *src) + #endif + } + ++/** ++ * eth_hw_addr_set - Assign Ethernet address to a net_device ++ * @dev: pointer to net_device structure ++ * @addr: address to assign ++ * ++ * Assign given address to the net_device, addr_assign_type is not changed. ++ */ ++static inline void eth_hw_addr_set(struct net_device *dev, const u8 *addr) ++{ ++ ether_addr_copy(dev->dev_addr, addr); ++} ++ + /** + * eth_hw_addr_inherit - Copy dev_addr from another net_device + * @dst: pointer to net_device to copy dev_addr to +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 8dea4b53d664d..bf623f0e04d64 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -4189,6 +4189,24 @@ void __hw_addr_unsync_dev(struct netdev_hw_addr_list *list, + void __hw_addr_init(struct netdev_hw_addr_list *list); + + /* Functions used for device addresses handling */ ++static inline void ++__dev_addr_set(struct net_device *dev, const u8 *addr, size_t len) ++{ ++ memcpy(dev->dev_addr, addr, len); ++} ++ ++static inline void dev_addr_set(struct net_device *dev, const u8 *addr) ++{ ++ __dev_addr_set(dev, addr, dev->addr_len); ++} ++ ++static inline void ++dev_addr_mod(struct net_device *dev, unsigned int offset, ++ const u8 *addr, size_t len) ++{ ++ memcpy(&dev->dev_addr[offset], addr, len); ++} ++ + int dev_addr_add(struct net_device *dev, const unsigned char *addr, + unsigned char addr_type); + int dev_addr_del(struct net_device *dev, const unsigned char *addr, +-- +2.39.2 + diff --git a/queue-5.4/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch b/queue-5.4/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch new file mode 100644 index 00000000000..d4467950bf0 --- /dev/null +++ b/queue-5.4/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch @@ -0,0 +1,558 @@ +From 7ad4204145d770a3081ea1de73e27d2644c1e4ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jun 2023 17:10:07 +0800 +Subject: net: nfc: Fix use-after-free caused by nfc_llcp_find_local + +From: Lin Ma + +[ Upstream commit 6709d4b7bc2e079241fdef15d1160581c5261c10 ] + +This commit fixes several use-after-free that caused by function +nfc_llcp_find_local(). For example, one UAF can happen when below buggy +time window occurs. + +// nfc_genl_llc_get_params | // nfc_unregister_device + | +dev = nfc_get_device(idx); | device_lock(...) +if (!dev) | dev->shutting_down = true; + return -ENODEV; | device_unlock(...); + | +device_lock(...); | // nfc_llcp_unregister_device + | nfc_llcp_find_local() +nfc_llcp_find_local(...); | + | local_cleanup() +if (!local) { | + rc = -ENODEV; | // nfc_llcp_local_put + goto exit; | kref_put(.., local_release) +} | + | // local_release + | list_del(&local->list) + // nfc_genl_send_params | kfree() + local->dev->idx !!!UAF!!! | + | + +and the crash trace for the one of the discussed UAF like: + +BUG: KASAN: slab-use-after-free in nfc_genl_llc_get_params+0x72f/0x780 net/nfc/netlink.c:1045 +Read of size 8 at addr ffff888105b0e410 by task 20114 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:319 [inline] + print_report+0xcc/0x620 mm/kasan/report.c:430 + kasan_report+0xb2/0xe0 mm/kasan/report.c:536 + nfc_genl_send_params net/nfc/netlink.c:999 [inline] + nfc_genl_llc_get_params+0x72f/0x780 net/nfc/netlink.c:1045 + genl_family_rcv_msg_doit.isra.0+0x1ee/0x2e0 net/netlink/genetlink.c:968 + genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline] + genl_rcv_msg+0x503/0x7d0 net/netlink/genetlink.c:1065 + netlink_rcv_skb+0x161/0x430 net/netlink/af_netlink.c:2548 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x644/0x900 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x934/0xe70 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b6/0x200 net/socket.c:747 + ____sys_sendmsg+0x6e9/0x890 net/socket.c:2501 + ___sys_sendmsg+0x110/0x1b0 net/socket.c:2555 + __sys_sendmsg+0xf7/0x1d0 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7f34640a2389 +RSP: 002b:00007f3463415168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f34641c1f80 RCX: 00007f34640a2389 +RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000006 +RBP: 00007f34640ed493 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffe38449ecf R14: 00007f3463415300 R15: 0000000000022000 + + +Allocated by task 20116: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:374 [inline] + __kasan_kmalloc+0x7f/0x90 mm/kasan/common.c:383 + kmalloc include/linux/slab.h:580 [inline] + kzalloc include/linux/slab.h:720 [inline] + nfc_llcp_register_device+0x49/0xa40 net/nfc/llcp_core.c:1567 + nfc_register_device+0x61/0x260 net/nfc/core.c:1124 + nci_register_device+0x776/0xb20 net/nfc/nci/core.c:1257 + virtual_ncidev_open+0x147/0x230 drivers/nfc/virtual_ncidev.c:148 + misc_open+0x379/0x4a0 drivers/char/misc.c:165 + chrdev_open+0x26c/0x780 fs/char_dev.c:414 + do_dentry_open+0x6c4/0x12a0 fs/open.c:920 + do_open fs/namei.c:3560 [inline] + path_openat+0x24fe/0x37e0 fs/namei.c:3715 + do_filp_open+0x1ba/0x410 fs/namei.c:3742 + do_sys_openat2+0x171/0x4c0 fs/open.c:1356 + do_sys_open fs/open.c:1372 [inline] + __do_sys_openat fs/open.c:1388 [inline] + __se_sys_openat fs/open.c:1383 [inline] + __x64_sys_openat+0x143/0x200 fs/open.c:1383 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Freed by task 20115: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free mm/kasan/common.c:200 [inline] + __kasan_slab_free+0x10a/0x190 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:162 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook mm/slub.c:1807 [inline] + slab_free mm/slub.c:3787 [inline] + __kmem_cache_free+0x7a/0x190 mm/slub.c:3800 + local_release net/nfc/llcp_core.c:174 [inline] + kref_put include/linux/kref.h:65 [inline] + nfc_llcp_local_put net/nfc/llcp_core.c:182 [inline] + nfc_llcp_local_put net/nfc/llcp_core.c:177 [inline] + nfc_llcp_unregister_device+0x206/0x290 net/nfc/llcp_core.c:1620 + nfc_unregister_device+0x160/0x1d0 net/nfc/core.c:1179 + virtual_ncidev_close+0x52/0xa0 drivers/nfc/virtual_ncidev.c:163 + __fput+0x252/0xa20 fs/file_table.c:321 + task_work_run+0x174/0x270 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x108/0x110 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x21/0x50 kernel/entry/common.c:297 + do_syscall_64+0x4c/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Last potentially related work creation: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + __kasan_record_aux_stack+0x95/0xb0 mm/kasan/generic.c:491 + kvfree_call_rcu+0x29/0xa80 kernel/rcu/tree.c:3328 + drop_sysctl_table+0x3be/0x4e0 fs/proc/proc_sysctl.c:1735 + unregister_sysctl_table.part.0+0x9c/0x190 fs/proc/proc_sysctl.c:1773 + unregister_sysctl_table+0x24/0x30 fs/proc/proc_sysctl.c:1753 + neigh_sysctl_unregister+0x5f/0x80 net/core/neighbour.c:3895 + addrconf_notify+0x140/0x17b0 net/ipv6/addrconf.c:3684 + notifier_call_chain+0xbe/0x210 kernel/notifier.c:87 + call_netdevice_notifiers_info+0xb5/0x150 net/core/dev.c:1937 + call_netdevice_notifiers_extack net/core/dev.c:1975 [inline] + call_netdevice_notifiers net/core/dev.c:1989 [inline] + dev_change_name+0x3c3/0x870 net/core/dev.c:1211 + dev_ifsioc+0x800/0xf70 net/core/dev_ioctl.c:376 + dev_ioctl+0x3d9/0xf80 net/core/dev_ioctl.c:542 + sock_do_ioctl+0x160/0x260 net/socket.c:1213 + sock_ioctl+0x3f9/0x670 net/socket.c:1316 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x19e/0x210 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +The buggy address belongs to the object at ffff888105b0e400 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 16 bytes inside of + freed 1024-byte region [ffff888105b0e400, ffff888105b0e800) + +The buggy address belongs to the physical page: +head:ffffea000416c200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0x200000000010200(slab|head|node=0|zone=2) +raw: 0200000000010200 ffff8881000430c0 ffffea00044c7010 ffffea0004510e10 +raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888105b0e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff888105b0e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff888105b0e400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888105b0e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888105b0e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +In summary, this patch solves those use-after-free by + +1. Re-implement the nfc_llcp_find_local(). The current version does not +grab the reference when getting the local from the linked list. For +example, the llcp_sock_bind() gets the reference like below: + +// llcp_sock_bind() + + local = nfc_llcp_find_local(dev); // A + ..... \ + | raceable + ..... / + llcp_sock->local = nfc_llcp_local_get(local); // B + +There is an apparent race window that one can drop the reference +and free the local object fetched in (A) before (B) gets the reference. + +2. Some callers of the nfc_llcp_find_local() do not grab the reference +at all. For example, the nfc_genl_llc_{{get/set}_params/sdreq} functions. +We add the nfc_llcp_local_put() for them. Moreover, we add the necessary +error handling function to put the reference. + +3. Add the nfc_llcp_remove_local() helper. The local object is removed +from the linked list in local_release() when all reference is gone. This +patch removes it when nfc_llcp_unregister_device() is called. + +Therefore, every caller of nfc_llcp_find_local() will get a reference +even when the nfc_llcp_unregister_device() is called. This promises no +use-after-free for the local object is ever possible. + +Fixes: 52feb444a903 ("NFC: Extend netlink interface for LTO, RW, and MIUX parameters support") +Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket") +Signed-off-by: Lin Ma +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/llcp.h | 1 - + net/nfc/llcp_commands.c | 12 +++++++--- + net/nfc/llcp_core.c | 49 +++++++++++++++++++++++++++++++++++------ + net/nfc/llcp_sock.c | 18 ++++++++------- + net/nfc/netlink.c | 20 ++++++++++++----- + net/nfc/nfc.h | 1 + + 6 files changed, 77 insertions(+), 24 deletions(-) + +diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h +index d49d4bf2e37c8..a81893bc06ce8 100644 +--- a/net/nfc/llcp.h ++++ b/net/nfc/llcp.h +@@ -202,7 +202,6 @@ void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *s); + void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *s); + void nfc_llcp_socket_remote_param_init(struct nfc_llcp_sock *sock); + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); +-struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local); + int nfc_llcp_local_put(struct nfc_llcp_local *local); + u8 nfc_llcp_get_sdp_ssap(struct nfc_llcp_local *local, + struct nfc_llcp_sock *sock); +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index bb9f40563ff63..5b8754ae7d3af 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -361,6 +361,7 @@ int nfc_llcp_send_symm(struct nfc_dev *dev) + struct sk_buff *skb; + struct nfc_llcp_local *local; + u16 size = 0; ++ int err; + + pr_debug("Sending SYMM\n"); + +@@ -372,8 +373,10 @@ int nfc_llcp_send_symm(struct nfc_dev *dev) + size += dev->tx_headroom + dev->tx_tailroom + NFC_HEADER_SIZE; + + skb = alloc_skb(size, GFP_KERNEL); +- if (skb == NULL) +- return -ENOMEM; ++ if (skb == NULL) { ++ err = -ENOMEM; ++ goto out; ++ } + + skb_reserve(skb, dev->tx_headroom + NFC_HEADER_SIZE); + +@@ -383,8 +386,11 @@ int nfc_llcp_send_symm(struct nfc_dev *dev) + + nfc_llcp_send_to_raw_sock(local, skb, NFC_DIRECTION_TX); + +- return nfc_data_exchange(dev, local->target_idx, skb, ++ err = nfc_data_exchange(dev, local->target_idx, skb, + nfc_llcp_recv, local); ++out: ++ nfc_llcp_local_put(local); ++ return err; + } + + int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index fd43e75abd948..ddfd159f64e13 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -17,6 +17,8 @@ + static u8 llcp_magic[3] = {0x46, 0x66, 0x6d}; + + static LIST_HEAD(llcp_devices); ++/* Protects llcp_devices list */ ++static DEFINE_SPINLOCK(llcp_devices_lock); + + static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb); + +@@ -143,7 +145,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device, + write_unlock(&local->raw_sockets.lock); + } + +-struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local) ++static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local) + { + kref_get(&local->ref); + +@@ -171,7 +173,6 @@ static void local_release(struct kref *ref) + + local = container_of(ref, struct nfc_llcp_local, ref); + +- list_del(&local->list); + local_cleanup(local); + kfree(local); + } +@@ -284,12 +285,33 @@ static void nfc_llcp_sdreq_timer(struct timer_list *t) + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev) + { + struct nfc_llcp_local *local; ++ struct nfc_llcp_local *res = NULL; + ++ spin_lock(&llcp_devices_lock); + list_for_each_entry(local, &llcp_devices, list) +- if (local->dev == dev) ++ if (local->dev == dev) { ++ res = nfc_llcp_local_get(local); ++ break; ++ } ++ spin_unlock(&llcp_devices_lock); ++ ++ return res; ++} ++ ++static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev) ++{ ++ struct nfc_llcp_local *local, *tmp; ++ ++ spin_lock(&llcp_devices_lock); ++ list_for_each_entry_safe(local, tmp, &llcp_devices, list) ++ if (local->dev == dev) { ++ list_del(&local->list); ++ spin_unlock(&llcp_devices_lock); + return local; ++ } ++ spin_unlock(&llcp_devices_lock); + +- pr_debug("No device found\n"); ++ pr_warn("Shutting down device not found\n"); + + return NULL; + } +@@ -610,12 +632,15 @@ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len) + + *general_bytes_len = local->gb_len; + ++ nfc_llcp_local_put(local); ++ + return local->gb; + } + + int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + struct nfc_llcp_local *local; ++ int err; + + if (gb_len < 3 || gb_len > NFC_MAX_GT_LEN) + return -EINVAL; +@@ -632,12 +657,16 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + + if (memcmp(local->remote_gb, llcp_magic, 3)) { + pr_err("MAC does not support LLCP\n"); +- return -EINVAL; ++ err = -EINVAL; ++ goto out; + } + +- return nfc_llcp_parse_gb_tlv(local, ++ err = nfc_llcp_parse_gb_tlv(local, + &local->remote_gb[3], + local->remote_gb_len - 3); ++out: ++ nfc_llcp_local_put(local); ++ return err; + } + + static u8 nfc_llcp_dsap(const struct sk_buff *pdu) +@@ -1527,6 +1556,8 @@ int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb) + + __nfc_llcp_recv(local, skb); + ++ nfc_llcp_local_put(local); ++ + return 0; + } + +@@ -1543,6 +1574,8 @@ void nfc_llcp_mac_is_down(struct nfc_dev *dev) + + /* Close and purge all existing sockets */ + nfc_llcp_socket_release(local, true, 0); ++ ++ nfc_llcp_local_put(local); + } + + void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, +@@ -1568,6 +1601,8 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, + mod_timer(&local->link_timer, + jiffies + msecs_to_jiffies(local->remote_lto)); + } ++ ++ nfc_llcp_local_put(local); + } + + int nfc_llcp_register_device(struct nfc_dev *ndev) +@@ -1618,7 +1653,7 @@ int nfc_llcp_register_device(struct nfc_dev *ndev) + + void nfc_llcp_unregister_device(struct nfc_dev *dev) + { +- struct nfc_llcp_local *local = nfc_llcp_find_local(dev); ++ struct nfc_llcp_local *local = nfc_llcp_remove_local(dev); + + if (local == NULL) { + pr_debug("No such device\n"); +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index 1c1748b86fae7..aea337d817025 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -99,7 +99,7 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) + } + + llcp_sock->dev = dev; +- llcp_sock->local = nfc_llcp_local_get(local); ++ llcp_sock->local = local; + llcp_sock->nfc_protocol = llcp_addr.nfc_protocol; + llcp_sock->service_name_len = min_t(unsigned int, + llcp_addr.service_name_len, +@@ -181,7 +181,7 @@ static int llcp_raw_sock_bind(struct socket *sock, struct sockaddr *addr, + } + + llcp_sock->dev = dev; +- llcp_sock->local = nfc_llcp_local_get(local); ++ llcp_sock->local = local; + llcp_sock->nfc_protocol = llcp_addr.nfc_protocol; + + nfc_llcp_sock_link(&local->raw_sockets, sk); +@@ -698,22 +698,22 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + if (dev->dep_link_up == false) { + ret = -ENOLINK; + device_unlock(&dev->dev); +- goto put_dev; ++ goto sock_llcp_put_local; + } + device_unlock(&dev->dev); + + if (local->rf_mode == NFC_RF_INITIATOR && + addr->target_idx != local->target_idx) { + ret = -ENOLINK; +- goto put_dev; ++ goto sock_llcp_put_local; + } + + llcp_sock->dev = dev; +- llcp_sock->local = nfc_llcp_local_get(local); ++ llcp_sock->local = local; + llcp_sock->ssap = nfc_llcp_get_local_ssap(local); + if (llcp_sock->ssap == LLCP_SAP_MAX) { + ret = -ENOMEM; +- goto sock_llcp_put_local; ++ goto sock_llcp_nullify; + } + + llcp_sock->reserved_ssap = llcp_sock->ssap; +@@ -759,11 +759,13 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + sock_llcp_release: + nfc_llcp_put_ssap(local, llcp_sock->ssap); + +-sock_llcp_put_local: +- nfc_llcp_local_put(llcp_sock->local); ++sock_llcp_nullify: + llcp_sock->local = NULL; + llcp_sock->dev = NULL; + ++sock_llcp_put_local: ++ nfc_llcp_local_put(local); ++ + put_dev: + nfc_put_device(dev); + +diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c +index 66ab97131fd24..5b55466fe315a 100644 +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -1047,11 +1047,14 @@ static int nfc_genl_llc_get_params(struct sk_buff *skb, struct genl_info *info) + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + if (!msg) { + rc = -ENOMEM; +- goto exit; ++ goto put_local; + } + + rc = nfc_genl_send_params(msg, local, info->snd_portid, info->snd_seq); + ++put_local: ++ nfc_llcp_local_put(local); ++ + exit: + device_unlock(&dev->dev); + +@@ -1113,7 +1116,7 @@ static int nfc_genl_llc_set_params(struct sk_buff *skb, struct genl_info *info) + if (info->attrs[NFC_ATTR_LLC_PARAM_LTO]) { + if (dev->dep_link_up) { + rc = -EINPROGRESS; +- goto exit; ++ goto put_local; + } + + local->lto = nla_get_u8(info->attrs[NFC_ATTR_LLC_PARAM_LTO]); +@@ -1125,6 +1128,9 @@ static int nfc_genl_llc_set_params(struct sk_buff *skb, struct genl_info *info) + if (info->attrs[NFC_ATTR_LLC_PARAM_MIUX]) + local->miux = cpu_to_be16(miux); + ++put_local: ++ nfc_llcp_local_put(local); ++ + exit: + device_unlock(&dev->dev); + +@@ -1180,7 +1186,7 @@ static int nfc_genl_llc_sdreq(struct sk_buff *skb, struct genl_info *info) + + if (rc != 0) { + rc = -EINVAL; +- goto exit; ++ goto put_local; + } + + if (!sdp_attrs[NFC_SDP_ATTR_URI]) +@@ -1199,7 +1205,7 @@ static int nfc_genl_llc_sdreq(struct sk_buff *skb, struct genl_info *info) + sdreq = nfc_llcp_build_sdreq_tlv(tid, uri, uri_len); + if (sdreq == NULL) { + rc = -ENOMEM; +- goto exit; ++ goto put_local; + } + + tlvs_len += sdreq->tlv_len; +@@ -1209,10 +1215,14 @@ static int nfc_genl_llc_sdreq(struct sk_buff *skb, struct genl_info *info) + + if (hlist_empty(&sdreq_list)) { + rc = -EINVAL; +- goto exit; ++ goto put_local; + } + + rc = nfc_llcp_send_snl_sdreq(local, &sdreq_list, tlvs_len); ++ ++put_local: ++ nfc_llcp_local_put(local); ++ + exit: + device_unlock(&dev->dev); + +diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h +index de2ec66d7e83a..0b1e6466f4fbf 100644 +--- a/net/nfc/nfc.h ++++ b/net/nfc/nfc.h +@@ -52,6 +52,7 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len); + u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len); + int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb); + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); ++int nfc_llcp_local_put(struct nfc_llcp_local *local); + int __init nfc_llcp_init(void); + void nfc_llcp_exit(void); + void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp); +-- +2.39.2 + diff --git a/queue-5.4/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch b/queue-5.4/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch new file mode 100644 index 00000000000..4ce560ffbbd --- /dev/null +++ b/queue-5.4/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch @@ -0,0 +1,149 @@ +From d5a7c6ca8c18a86b6c52b8ab4093950930df3d5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 17:56:53 +0200 +Subject: netfilter: conntrack: dccp: copy entire header to stack buffer, not + just basic one + +From: Florian Westphal + +[ Upstream commit ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30 ] + +Eric Dumazet says: + nf_conntrack_dccp_packet() has an unique: + + dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); + + And nothing more is 'pulled' from the packet, depending on the content. + dh->dccph_doff, and/or dh->dccph_x ...) + So dccp_ack_seq() is happily reading stuff past the _dh buffer. + +BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0 +Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371 +[..] + +Fix this by increasing the stack buffer to also include room for +the extra sequence numbers and all the known dccp packet type headers, +then pull again after the initial validation of the basic header. + +While at it, mark packets invalid that lack 48bit sequence bit but +where RFC says the type MUST use them. + +Compile tested only. + +v2: first skb_header_pointer() now needs to adjust the size to + only pull the generic header. (Eric) + +Heads-up: I intend to remove dccp conntrack support later this year. + +Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support") +Reported-by: Eric Dumazet +Signed-off-by: Florian Westphal +Reviewed-by: Eric Dumazet +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_dccp.c | 52 +++++++++++++++++++++++-- + 1 file changed, 49 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c +index b3f4a334f9d78..67b8dedef2935 100644 +--- a/net/netfilter/nf_conntrack_proto_dccp.c ++++ b/net/netfilter/nf_conntrack_proto_dccp.c +@@ -430,9 +430,19 @@ static bool dccp_error(const struct dccp_hdr *dh, + struct sk_buff *skb, unsigned int dataoff, + const struct nf_hook_state *state) + { ++ static const unsigned long require_seq48 = 1 << DCCP_PKT_REQUEST | ++ 1 << DCCP_PKT_RESPONSE | ++ 1 << DCCP_PKT_CLOSEREQ | ++ 1 << DCCP_PKT_CLOSE | ++ 1 << DCCP_PKT_RESET | ++ 1 << DCCP_PKT_SYNC | ++ 1 << DCCP_PKT_SYNCACK; + unsigned int dccp_len = skb->len - dataoff; + unsigned int cscov; + const char *msg; ++ u8 type; ++ ++ BUILD_BUG_ON(DCCP_PKT_INVALID >= BITS_PER_LONG); + + if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) || + dh->dccph_doff * 4 > dccp_len) { +@@ -457,10 +467,17 @@ static bool dccp_error(const struct dccp_hdr *dh, + goto out_invalid; + } + +- if (dh->dccph_type >= DCCP_PKT_INVALID) { ++ type = dh->dccph_type; ++ if (type >= DCCP_PKT_INVALID) { + msg = "nf_ct_dccp: reserved packet type "; + goto out_invalid; + } ++ ++ if (test_bit(type, &require_seq48) && !dh->dccph_x) { ++ msg = "nf_ct_dccp: type lacks 48bit sequence numbers"; ++ goto out_invalid; ++ } ++ + return false; + out_invalid: + nf_l4proto_log_invalid(skb, state->net, state->pf, +@@ -468,24 +485,53 @@ static bool dccp_error(const struct dccp_hdr *dh, + return true; + } + ++struct nf_conntrack_dccp_buf { ++ struct dccp_hdr dh; /* generic header part */ ++ struct dccp_hdr_ext ext; /* optional depending dh->dccph_x */ ++ union { /* depends on header type */ ++ struct dccp_hdr_ack_bits ack; ++ struct dccp_hdr_request req; ++ struct dccp_hdr_response response; ++ struct dccp_hdr_reset rst; ++ } u; ++}; ++ ++static struct dccp_hdr * ++dccp_header_pointer(const struct sk_buff *skb, int offset, const struct dccp_hdr *dh, ++ struct nf_conntrack_dccp_buf *buf) ++{ ++ unsigned int hdrlen = __dccp_hdr_len(dh); ++ ++ if (hdrlen > sizeof(*buf)) ++ return NULL; ++ ++ return skb_header_pointer(skb, offset, hdrlen, buf); ++} ++ + int nf_conntrack_dccp_packet(struct nf_conn *ct, struct sk_buff *skb, + unsigned int dataoff, + enum ip_conntrack_info ctinfo, + const struct nf_hook_state *state) + { + enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); +- struct dccp_hdr _dh, *dh; ++ struct nf_conntrack_dccp_buf _dh; + u_int8_t type, old_state, new_state; + enum ct_dccp_roles role; + unsigned int *timeouts; ++ struct dccp_hdr *dh; + +- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); ++ dh = skb_header_pointer(skb, dataoff, sizeof(*dh), &_dh.dh); + if (!dh) + return NF_DROP; + + if (dccp_error(dh, skb, dataoff, state)) + return -NF_ACCEPT; + ++ /* pull again, including possible 48 bit sequences and subtype header */ ++ dh = dccp_header_pointer(skb, dataoff, dh, &_dh); ++ if (!dh) ++ return NF_DROP; ++ + type = dh->dccph_type; + if (!nf_ct_is_confirmed(ct) && !dccp_new(ct, skb, dh)) + return -NF_ACCEPT; +-- +2.39.2 + diff --git a/queue-5.4/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch b/queue-5.4/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch new file mode 100644 index 00000000000..7555dff7838 --- /dev/null +++ b/queue-5.4/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch @@ -0,0 +1,53 @@ +From b74a41236526cab841834be8c60c4dcace27e7ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jun 2023 11:23:46 +0000 +Subject: netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() + return value. + +From: Ilia.Gavrilov + +[ Upstream commit f188d30087480eab421cd8ca552fb15f55d57f4d ] + +ct_sip_parse_numerical_param() returns only 0 or 1 now. +But process_register_request() and process_register_response() imply +checking for a negative value if parsing of a numerical header parameter +failed. +The invocation in nf_nat_sip() looks correct: + if (ct_sip_parse_numerical_param(...) > 0 && + ...) { ... } + +Make the return value of the function ct_sip_parse_numerical_param() +a tristate to fix all the cases +a) return 1 if value is found; *val is set +b) return 0 if value is not found; *val is unchanged +c) return -1 on error; *val is undefined + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: 0f32a40fc91a ("[NETFILTER]: nf_conntrack_sip: create signalling expectations") +Signed-off-by: Ilia.Gavrilov +Reviewed-by: Simon Horman +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_sip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c +index 78fd9122b70c7..751df19fe0f8a 100644 +--- a/net/netfilter/nf_conntrack_sip.c ++++ b/net/netfilter/nf_conntrack_sip.c +@@ -611,7 +611,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr, + start += strlen(name); + *val = simple_strtoul(start, &end, 0); + if (start == end) +- return 0; ++ return -1; + if (matchoff && matchlen) { + *matchoff = start - dptr; + *matchlen = end - start; +-- +2.39.2 + diff --git a/queue-5.4/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch b/queue-5.4/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch new file mode 100644 index 00000000000..2c4fc922355 --- /dev/null +++ b/queue-5.4/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch @@ -0,0 +1,152 @@ +From 778da9b0089a01d054cff210e6250f4fdb1821da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 09:43:13 -0700 +Subject: netlink: Add __sock_i_ino() for __netlink_diag_dump(). + +From: Kuniyuki Iwashima + +[ Upstream commit 25a9c8a4431c364f97f75558cb346d2ad3f53fbb ] + +syzbot reported a warning in __local_bh_enable_ip(). [0] + +Commit 8d61f926d420 ("netlink: fix potential deadlock in +netlink_set_err()") converted read_lock(&nl_table_lock) to +read_lock_irqsave() in __netlink_diag_dump() to prevent a deadlock. + +However, __netlink_diag_dump() calls sock_i_ino() that uses +read_lock_bh() and read_unlock_bh(). If CONFIG_TRACE_IRQFLAGS=y, +read_unlock_bh() finally enables IRQ even though it should stay +disabled until the following read_unlock_irqrestore(). + +Using read_lock() in sock_i_ino() would trigger a lockdep splat +in another place that was fixed in commit f064af1e500a ("net: fix +a lockdep splat"), so let's add __sock_i_ino() that would be safe +to use under BH disabled. + +[0]: +WARNING: CPU: 0 PID: 5012 at kernel/softirq.c:376 __local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 +Modules linked in: +CPU: 0 PID: 5012 Comm: syz-executor487 Not tainted 6.4.0-rc7-syzkaller-00202-g6f68fc395f49 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 +RIP: 0010:__local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 +Code: 45 bf 01 00 00 00 e8 91 5b 0a 00 e8 3c 15 3d 00 fb 65 8b 05 ec e9 b5 7e 85 c0 74 58 5b 5d c3 65 8b 05 b2 b6 b4 7e 85 c0 75 a2 <0f> 0b eb 9e e8 89 15 3d 00 eb 9f 48 89 ef e8 6f 49 18 00 eb a8 0f +RSP: 0018:ffffc90003a1f3d0 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1cf5996 +RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff8805c6f3 +RBP: ffffffff8805c6f3 R08: 0000000000000001 R09: ffff8880152b03a3 +R10: ffffed1002a56074 R11: 0000000000000005 R12: 00000000000073e4 +R13: dffffc0000000000 R14: 0000000000000002 R15: 0000000000000000 +FS: 0000555556726300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000045ad50 CR3: 000000007c646000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + sock_i_ino+0x83/0xa0 net/core/sock.c:2559 + __netlink_diag_dump+0x45c/0x790 net/netlink/diag.c:171 + netlink_diag_dump+0xd6/0x230 net/netlink/diag.c:207 + netlink_dump+0x570/0xc50 net/netlink/af_netlink.c:2269 + __netlink_dump_start+0x64b/0x910 net/netlink/af_netlink.c:2374 + netlink_dump_start include/linux/netlink.h:329 [inline] + netlink_diag_handler_dump+0x1ae/0x250 net/netlink/diag.c:238 + __sock_diag_cmd net/core/sock_diag.c:238 [inline] + sock_diag_rcv_msg+0x31e/0x440 net/core/sock_diag.c:269 + netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2547 + sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0xde/0x190 net/socket.c:747 + ____sys_sendmsg+0x71c/0x900 net/socket.c:2503 + ___sys_sendmsg+0x110/0x1b0 net/socket.c:2557 + __sys_sendmsg+0xf7/0x1c0 net/socket.c:2586 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f5303aaabb9 +Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffc7506e548 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5303aaabb9 +RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 +RBP: 00007f5303a6ed60 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5303a6edf0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +Fixes: 8d61f926d420 ("netlink: fix potential deadlock in netlink_set_err()") +Reported-by: syzbot+5da61cf6a9bc1902d422@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=5da61cf6a9bc1902d422 +Suggested-by: Eric Dumazet +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230626164313.52528-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 1 + + net/core/sock.c | 17 ++++++++++++++--- + net/netlink/diag.c | 2 +- + 3 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 87e57f81ee82b..ee8630d6abc16 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1863,6 +1863,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent) + } + + kuid_t sock_i_uid(struct sock *sk); ++unsigned long __sock_i_ino(struct sock *sk); + unsigned long sock_i_ino(struct sock *sk); + + static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk) +diff --git a/net/core/sock.c b/net/core/sock.c +index 5e1dccbd61a60..d55eea5538bce 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2085,13 +2085,24 @@ kuid_t sock_i_uid(struct sock *sk) + } + EXPORT_SYMBOL(sock_i_uid); + +-unsigned long sock_i_ino(struct sock *sk) ++unsigned long __sock_i_ino(struct sock *sk) + { + unsigned long ino; + +- read_lock_bh(&sk->sk_callback_lock); ++ read_lock(&sk->sk_callback_lock); + ino = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_ino : 0; +- read_unlock_bh(&sk->sk_callback_lock); ++ read_unlock(&sk->sk_callback_lock); ++ return ino; ++} ++EXPORT_SYMBOL(__sock_i_ino); ++ ++unsigned long sock_i_ino(struct sock *sk) ++{ ++ unsigned long ino; ++ ++ local_bh_disable(); ++ ino = __sock_i_ino(sk); ++ local_bh_enable(); + return ino; + } + EXPORT_SYMBOL(sock_i_ino); +diff --git a/net/netlink/diag.c b/net/netlink/diag.c +index 4143b2ea4195a..e4f21b1067bcc 100644 +--- a/net/netlink/diag.c ++++ b/net/netlink/diag.c +@@ -168,7 +168,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, + NLM_F_MULTI, +- sock_i_ino(sk)) < 0) { ++ __sock_i_ino(sk)) < 0) { + ret = 1; + break; + } +-- +2.39.2 + diff --git a/queue-5.4/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch b/queue-5.4/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch new file mode 100644 index 00000000000..3f63bf4330f --- /dev/null +++ b/queue-5.4/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch @@ -0,0 +1,157 @@ +From 5f258f295e9638b079527a816407f29a70aaf082 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 17:47:20 +0000 +Subject: netlink: do not hard code device address lenth in fdb dumps + +From: Eric Dumazet + +[ Upstream commit aa5406950726e336c5c9585b09799a734b6e77bf ] + +syzbot reports that some netdev devices do not have a six bytes +address [1] + +Replace ETH_ALEN by dev->addr_len. + +[1] (Case of a device where dev->addr_len = 4) + +BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] +BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169 +instrument_copy_to_user include/linux/instrumented.h:114 [inline] +copyout+0xb8/0x100 lib/iov_iter.c:169 +_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536 +copy_to_iter include/linux/uio.h:206 [inline] +simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513 +__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419 +skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527 +skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] +netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970 +sock_recvmsg_nosec net/socket.c:1019 [inline] +sock_recvmsg net/socket.c:1040 [inline] +____sys_recvmsg+0x283/0x7f0 net/socket.c:2722 +___sys_recvmsg+0x223/0x840 net/socket.c:2764 +do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 +__sys_recvmmsg net/socket.c:2937 [inline] +__do_sys_recvmmsg net/socket.c:2960 [inline] +__se_sys_recvmmsg net/socket.c:2953 [inline] +__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was stored to memory at: +__nla_put lib/nlattr.c:1009 [inline] +nla_put+0x1c6/0x230 lib/nlattr.c:1067 +nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071 +nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline] +ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456 +rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629 +netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268 +netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995 +sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019 +____sys_recvmsg+0x664/0x7f0 net/socket.c:2720 +___sys_recvmsg+0x223/0x840 net/socket.c:2764 +do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 +__sys_recvmmsg net/socket.c:2937 [inline] +__do_sys_recvmmsg net/socket.c:2960 [inline] +__se_sys_recvmmsg net/socket.c:2953 [inline] +__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: +slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716 +slab_alloc_node mm/slub.c:3451 [inline] +__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490 +kmalloc_trace+0x51/0x200 mm/slab_common.c:1057 +kmalloc include/linux/slab.h:559 [inline] +__hw_addr_create net/core/dev_addr_lists.c:60 [inline] +__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118 +__dev_mc_add net/core/dev_addr_lists.c:867 [inline] +dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885 +igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680 +ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754 +ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708 +addrconf_type_change net/ipv6/addrconf.c:3731 [inline] +addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699 +notifier_call_chain kernel/notifier.c:93 [inline] +raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461 +call_netdevice_notifiers_info net/core/dev.c:1935 [inline] +call_netdevice_notifiers_extack net/core/dev.c:1973 [inline] +call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987 +bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906 +do_set_master net/core/rtnetlink.c:2626 [inline] +rtnl_newlink_create net/core/rtnetlink.c:3460 [inline] +__rtnl_newlink net/core/rtnetlink.c:3660 [inline] +rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673 +rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395 +netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546 +rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413 +netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] +netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365 +netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0x999/0xd50 net/socket.c:2503 +___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557 +__sys_sendmsg net/socket.c:2586 [inline] +__do_sys_sendmsg net/socket.c:2595 [inline] +__se_sys_sendmsg net/socket.c:2593 [inline] +__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Bytes 2856-2857 of 3500 are uninitialized +Memory access of size 3500 starts at ffff888018d99104 +Data copied to user address 0000000020000480 + +Fixes: d83b06036048 ("net: add fdb generic dump routine") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20230621174720.1845040-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 0b0107797e490..1db92a44548f0 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3586,7 +3586,7 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb, + ndm->ndm_ifindex = dev->ifindex; + ndm->ndm_state = ndm_state; + +- if (nla_put(skb, NDA_LLADDR, ETH_ALEN, addr)) ++ if (nla_put(skb, NDA_LLADDR, dev->addr_len, addr)) + goto nla_put_failure; + if (vid) + if (nla_put(skb, NDA_VLAN, sizeof(u16), &vid)) +@@ -3600,10 +3600,10 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb, + return -EMSGSIZE; + } + +-static inline size_t rtnl_fdb_nlmsg_size(void) ++static inline size_t rtnl_fdb_nlmsg_size(const struct net_device *dev) + { + return NLMSG_ALIGN(sizeof(struct ndmsg)) + +- nla_total_size(ETH_ALEN) + /* NDA_LLADDR */ ++ nla_total_size(dev->addr_len) + /* NDA_LLADDR */ + nla_total_size(sizeof(u16)) + /* NDA_VLAN */ + 0; + } +@@ -3615,7 +3615,7 @@ static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type, + struct sk_buff *skb; + int err = -ENOBUFS; + +- skb = nlmsg_new(rtnl_fdb_nlmsg_size(), GFP_ATOMIC); ++ skb = nlmsg_new(rtnl_fdb_nlmsg_size(dev), GFP_ATOMIC); + if (!skb) + goto errout; + +-- +2.39.2 + diff --git a/queue-5.4/netlink-fix-potential-deadlock-in-netlink_set_err.patch b/queue-5.4/netlink-fix-potential-deadlock-in-netlink_set_err.patch new file mode 100644 index 00000000000..dcb8e7d95e1 --- /dev/null +++ b/queue-5.4/netlink-fix-potential-deadlock-in-netlink_set_err.patch @@ -0,0 +1,117 @@ +From 948b5b0cabac04cbb909065b88e8498feb9c99ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 15:43:37 +0000 +Subject: netlink: fix potential deadlock in netlink_set_err() + +From: Eric Dumazet + +[ Upstream commit 8d61f926d42045961e6b65191c09e3678d86a9cf ] + +syzbot reported a possible deadlock in netlink_set_err() [1] + +A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQs +for netlink_lock_table()") in netlink_lock_table() + +This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump() +which were not covered by cited commit. + +[1] + +WARNING: possible irq lock inversion dependency detected +6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted + +syz-executor.2/23011 just changed the state of lock: +ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612 +but this lock was taken by another, SOFTIRQ-safe lock in the past: + (&local->queue_stop_reason_lock){..-.}-{2:2} + +and interrupts could create inverse lock ordering between them. + +other info that might help us debug this: + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(nl_table_lock); + local_irq_disable(); + lock(&local->queue_stop_reason_lock); + lock(nl_table_lock); + + lock(&local->queue_stop_reason_lock); + + *** DEADLOCK *** + +Fixes: 1d482e666b8e ("netlink: disable IRQs for netlink_lock_table()") +Reported-by: syzbot+a7d200a347f912723e5c@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=a7d200a347f912723e5c +Link: https://lore.kernel.org/netdev/000000000000e38d1605fea5747e@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Johannes Berg +Link: https://lore.kernel.org/r/20230621154337.1668594-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 5 +++-- + net/netlink/diag.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index bf7e300e8c25d..29eabd45b832a 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1601,6 +1601,7 @@ static int do_one_set_err(struct sock *sk, struct netlink_set_err_data *p) + int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code) + { + struct netlink_set_err_data info; ++ unsigned long flags; + struct sock *sk; + int ret = 0; + +@@ -1610,12 +1611,12 @@ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code) + /* sk->sk_err wants a positive error value */ + info.code = -code; + +- read_lock(&nl_table_lock); ++ read_lock_irqsave(&nl_table_lock, flags); + + sk_for_each_bound(sk, &nl_table[ssk->sk_protocol].mc_list) + ret += do_one_set_err(sk, &info); + +- read_unlock(&nl_table_lock); ++ read_unlock_irqrestore(&nl_table_lock, flags); + return ret; + } + EXPORT_SYMBOL(netlink_set_err); +diff --git a/net/netlink/diag.c b/net/netlink/diag.c +index c6255eac305c7..4143b2ea4195a 100644 +--- a/net/netlink/diag.c ++++ b/net/netlink/diag.c +@@ -94,6 +94,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + struct net *net = sock_net(skb->sk); + struct netlink_diag_req *req; + struct netlink_sock *nlsk; ++ unsigned long flags; + struct sock *sk; + int num = 2; + int ret = 0; +@@ -152,7 +153,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + num++; + + mc_list: +- read_lock(&nl_table_lock); ++ read_lock_irqsave(&nl_table_lock, flags); + sk_for_each_bound(sk, &tbl->mc_list) { + if (sk_hashed(sk)) + continue; +@@ -173,7 +174,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + } + num++; + } +- read_unlock(&nl_table_lock); ++ read_unlock_irqrestore(&nl_table_lock, flags); + + done: + cb->args[0] = num; +-- +2.39.2 + diff --git a/queue-5.4/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch b/queue-5.4/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch new file mode 100644 index 00000000000..9ac1d733574 --- /dev/null +++ b/queue-5.4/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch @@ -0,0 +1,465 @@ +From d7791cb815175aa568c4ce42a8772e693d9331a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jul 2021 16:41:59 +0200 +Subject: nfc: constify several pointers to u8, char and sk_buff + +From: Krzysztof Kozlowski + +[ Upstream commit 3df40eb3a2ea58bf404a38f15a7a2768e4762cb0 ] + +Several functions receive pointers to u8, char or sk_buff but do not +modify the contents so make them const. This allows doing the same for +local variables and in total makes the code a little bit safer. + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Stable-dep-of: 0d9b41daa590 ("nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()") +Signed-off-by: Sasha Levin +--- + include/net/nfc/nfc.h | 4 ++-- + net/nfc/core.c | 4 ++-- + net/nfc/hci/llc_shdlc.c | 10 ++++----- + net/nfc/llcp.h | 8 +++---- + net/nfc/llcp_commands.c | 46 ++++++++++++++++++++++------------------- + net/nfc/llcp_core.c | 44 +++++++++++++++++++++------------------ + net/nfc/nfc.h | 2 +- + 7 files changed, 63 insertions(+), 55 deletions(-) + +diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h +index 5d277d68fd8d9..c55e72474eb2b 100644 +--- a/include/net/nfc/nfc.h ++++ b/include/net/nfc/nfc.h +@@ -266,7 +266,7 @@ struct sk_buff *nfc_alloc_send_skb(struct nfc_dev *dev, struct sock *sk, + struct sk_buff *nfc_alloc_recv_skb(unsigned int size, gfp_t gfp); + + int nfc_set_remote_general_bytes(struct nfc_dev *dev, +- u8 *gt, u8 gt_len); ++ const u8 *gt, u8 gt_len); + u8 *nfc_get_local_general_bytes(struct nfc_dev *dev, size_t *gb_len); + + int nfc_fw_download_done(struct nfc_dev *dev, const char *firmware_name, +@@ -280,7 +280,7 @@ int nfc_dep_link_is_up(struct nfc_dev *dev, u32 target_idx, + u8 comm_mode, u8 rf_mode); + + int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode, +- u8 *gb, size_t gb_len); ++ const u8 *gb, size_t gb_len); + int nfc_tm_deactivated(struct nfc_dev *dev); + int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb); + +diff --git a/net/nfc/core.c b/net/nfc/core.c +index 2d4729d1f0eb9..fef112fb49930 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -634,7 +634,7 @@ int nfc_disable_se(struct nfc_dev *dev, u32 se_idx) + return rc; + } + +-int nfc_set_remote_general_bytes(struct nfc_dev *dev, u8 *gb, u8 gb_len) ++int nfc_set_remote_general_bytes(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + pr_debug("dev_name=%s gb_len=%d\n", dev_name(&dev->dev), gb_len); + +@@ -663,7 +663,7 @@ int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb) + EXPORT_SYMBOL(nfc_tm_data_received); + + int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode, +- u8 *gb, size_t gb_len) ++ const u8 *gb, size_t gb_len) + { + int rc; + +diff --git a/net/nfc/hci/llc_shdlc.c b/net/nfc/hci/llc_shdlc.c +index 0eb4ddc056e78..02909e3e91ef1 100644 +--- a/net/nfc/hci/llc_shdlc.c ++++ b/net/nfc/hci/llc_shdlc.c +@@ -123,7 +123,7 @@ static bool llc_shdlc_x_lteq_y_lt_z(int x, int y, int z) + return ((y >= x) || (y < z)) ? true : false; + } + +-static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc, ++static struct sk_buff *llc_shdlc_alloc_skb(const struct llc_shdlc *shdlc, + int payload_len) + { + struct sk_buff *skb; +@@ -137,7 +137,7 @@ static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc, + } + + /* immediately sends an S frame. */ +-static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc, ++static int llc_shdlc_send_s_frame(const struct llc_shdlc *shdlc, + enum sframe_type sframe_type, int nr) + { + int r; +@@ -159,7 +159,7 @@ static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc, + } + + /* immediately sends an U frame. skb may contain optional payload */ +-static int llc_shdlc_send_u_frame(struct llc_shdlc *shdlc, ++static int llc_shdlc_send_u_frame(const struct llc_shdlc *shdlc, + struct sk_buff *skb, + enum uframe_modifier uframe_modifier) + { +@@ -361,7 +361,7 @@ static void llc_shdlc_connect_complete(struct llc_shdlc *shdlc, int r) + wake_up(shdlc->connect_wq); + } + +-static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc) ++static int llc_shdlc_connect_initiate(const struct llc_shdlc *shdlc) + { + struct sk_buff *skb; + +@@ -377,7 +377,7 @@ static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc) + return llc_shdlc_send_u_frame(shdlc, skb, U_FRAME_RSET); + } + +-static int llc_shdlc_connect_send_ua(struct llc_shdlc *shdlc) ++static int llc_shdlc_connect_send_ua(const struct llc_shdlc *shdlc) + { + struct sk_buff *skb; + +diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h +index 97853c9cefc70..d49d4bf2e37c8 100644 +--- a/net/nfc/llcp.h ++++ b/net/nfc/llcp.h +@@ -221,15 +221,15 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *sk, struct socket *newsock); + + /* TLV API */ + int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, +- u8 *tlv_array, u16 tlv_array_len); ++ const u8 *tlv_array, u16 tlv_array_len); + int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, +- u8 *tlv_array, u16 tlv_array_len); ++ const u8 *tlv_array, u16 tlv_array_len); + + /* Commands API */ + void nfc_llcp_recv(void *data, struct sk_buff *skb, int err); +-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length); ++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length); + struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap); +-struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, ++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri, + size_t uri_len); + void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp); + void nfc_llcp_free_sdp_tlv_list(struct hlist_head *sdp_head); +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index 475061c79c442..3c4172a5aeb5e 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -15,7 +15,7 @@ + #include "nfc.h" + #include "llcp.h" + +-static u8 llcp_tlv_length[LLCP_TLV_MAX] = { ++static const u8 llcp_tlv_length[LLCP_TLV_MAX] = { + 0, + 1, /* VERSION */ + 2, /* MIUX */ +@@ -29,7 +29,7 @@ static u8 llcp_tlv_length[LLCP_TLV_MAX] = { + + }; + +-static u8 llcp_tlv8(u8 *tlv, u8 type) ++static u8 llcp_tlv8(const u8 *tlv, u8 type) + { + if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]]) + return 0; +@@ -37,7 +37,7 @@ static u8 llcp_tlv8(u8 *tlv, u8 type) + return tlv[2]; + } + +-static u16 llcp_tlv16(u8 *tlv, u8 type) ++static u16 llcp_tlv16(const u8 *tlv, u8 type) + { + if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]]) + return 0; +@@ -46,37 +46,37 @@ static u16 llcp_tlv16(u8 *tlv, u8 type) + } + + +-static u8 llcp_tlv_version(u8 *tlv) ++static u8 llcp_tlv_version(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_VERSION); + } + +-static u16 llcp_tlv_miux(u8 *tlv) ++static u16 llcp_tlv_miux(const u8 *tlv) + { + return llcp_tlv16(tlv, LLCP_TLV_MIUX) & 0x7ff; + } + +-static u16 llcp_tlv_wks(u8 *tlv) ++static u16 llcp_tlv_wks(const u8 *tlv) + { + return llcp_tlv16(tlv, LLCP_TLV_WKS); + } + +-static u16 llcp_tlv_lto(u8 *tlv) ++static u16 llcp_tlv_lto(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_LTO); + } + +-static u8 llcp_tlv_opt(u8 *tlv) ++static u8 llcp_tlv_opt(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_OPT); + } + +-static u8 llcp_tlv_rw(u8 *tlv) ++static u8 llcp_tlv_rw(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_RW) & 0xf; + } + +-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length) ++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length) + { + u8 *tlv, length; + +@@ -130,7 +130,7 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap) + return sdres; + } + +-struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, ++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri, + size_t uri_len) + { + struct nfc_llcp_sdp_tlv *sdreq; +@@ -190,9 +190,10 @@ void nfc_llcp_free_sdp_tlv_list(struct hlist_head *head) + } + + int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, +- u8 *tlv_array, u16 tlv_array_len) ++ const u8 *tlv_array, u16 tlv_array_len) + { +- u8 *tlv = tlv_array, type, length, offset = 0; ++ const u8 *tlv = tlv_array; ++ u8 type, length, offset = 0; + + pr_debug("TLV array length %d\n", tlv_array_len); + +@@ -239,9 +240,10 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, + } + + int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, +- u8 *tlv_array, u16 tlv_array_len) ++ const u8 *tlv_array, u16 tlv_array_len) + { +- u8 *tlv = tlv_array, type, length, offset = 0; ++ const u8 *tlv = tlv_array; ++ u8 type, length, offset = 0; + + pr_debug("TLV array length %d\n", tlv_array_len); + +@@ -295,7 +297,7 @@ static struct sk_buff *llcp_add_header(struct sk_buff *pdu, + return pdu; + } + +-static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, u8 *tlv, ++static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, const u8 *tlv, + u8 tlv_length) + { + /* XXX Add an skb length check */ +@@ -389,9 +391,10 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) + { + struct nfc_llcp_local *local; + struct sk_buff *skb; +- u8 *service_name_tlv = NULL, service_name_tlv_length; +- u8 *miux_tlv = NULL, miux_tlv_length; +- u8 *rw_tlv = NULL, rw_tlv_length, rw; ++ const u8 *service_name_tlv = NULL; ++ const u8 *miux_tlv = NULL; ++ const u8 *rw_tlv = NULL; ++ u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +@@ -465,8 +468,9 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock) + { + struct nfc_llcp_local *local; + struct sk_buff *skb; +- u8 *miux_tlv = NULL, miux_tlv_length; +- u8 *rw_tlv = NULL, rw_tlv_length, rw; ++ const u8 *miux_tlv = NULL; ++ const u8 *rw_tlv = NULL; ++ u8 miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index edadebb3efd2a..fd43e75abd948 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -302,7 +302,7 @@ static char *wks[] = { + "urn:nfc:sn:snep", + }; + +-static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len) ++static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len) + { + int sap, num_wks; + +@@ -326,7 +326,7 @@ static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len) + + static + struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local, +- u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len) + { + struct sock *sk; + struct nfc_llcp_sock *llcp_sock, *tmp_sock; +@@ -523,7 +523,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local) + { + u8 *gb_cur, version, version_length; + u8 lto_length, wks_length, miux_length; +- u8 *version_tlv = NULL, *lto_tlv = NULL, ++ const u8 *version_tlv = NULL, *lto_tlv = NULL, + *wks_tlv = NULL, *miux_tlv = NULL; + __be16 wks = cpu_to_be16(local->local_wks); + u8 gb_len = 0; +@@ -613,7 +613,7 @@ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len) + return local->gb; + } + +-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len) ++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + struct nfc_llcp_local *local; + +@@ -640,27 +640,27 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len) + local->remote_gb_len - 3); + } + +-static u8 nfc_llcp_dsap(struct sk_buff *pdu) ++static u8 nfc_llcp_dsap(const struct sk_buff *pdu) + { + return (pdu->data[0] & 0xfc) >> 2; + } + +-static u8 nfc_llcp_ptype(struct sk_buff *pdu) ++static u8 nfc_llcp_ptype(const struct sk_buff *pdu) + { + return ((pdu->data[0] & 0x03) << 2) | ((pdu->data[1] & 0xc0) >> 6); + } + +-static u8 nfc_llcp_ssap(struct sk_buff *pdu) ++static u8 nfc_llcp_ssap(const struct sk_buff *pdu) + { + return pdu->data[1] & 0x3f; + } + +-static u8 nfc_llcp_ns(struct sk_buff *pdu) ++static u8 nfc_llcp_ns(const struct sk_buff *pdu) + { + return pdu->data[2] >> 4; + } + +-static u8 nfc_llcp_nr(struct sk_buff *pdu) ++static u8 nfc_llcp_nr(const struct sk_buff *pdu) + { + return pdu->data[2] & 0xf; + } +@@ -802,7 +802,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local + } + + static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, +- u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len) + { + struct nfc_llcp_sock *llcp_sock; + +@@ -816,9 +816,10 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, + return llcp_sock; + } + +-static u8 *nfc_llcp_connect_sn(struct sk_buff *skb, size_t *sn_len) ++static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len) + { +- u8 *tlv = &skb->data[2], type, length; ++ u8 type, length; ++ const u8 *tlv = &skb->data[2]; + size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0; + + while (offset < tlv_array_len) { +@@ -876,7 +877,7 @@ static void nfc_llcp_recv_ui(struct nfc_llcp_local *local, + } + + static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct sock *new_sk, *parent; + struct nfc_llcp_sock *sock, *new_sock; +@@ -894,7 +895,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, + goto fail; + } + } else { +- u8 *sn; ++ const u8 *sn; + size_t sn_len; + + sn = nfc_llcp_connect_sn(skb, &sn_len); +@@ -1113,7 +1114,7 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local, + } + + static void nfc_llcp_recv_disc(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1156,7 +1157,8 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local, + nfc_llcp_sock_put(llcp_sock); + } + +-static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb) ++static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1189,7 +1191,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb) + nfc_llcp_sock_put(llcp_sock); + } + +-static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb) ++static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1227,12 +1230,13 @@ static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb) + } + + static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; +- u8 dsap, ssap, *tlv, type, length, tid, sap; ++ u8 dsap, ssap, type, length, tid, sap; ++ const u8 *tlv; + u16 tlv_len, offset; +- char *service_name; ++ const char *service_name; + size_t service_name_len; + struct nfc_llcp_sdp_tlv *sdp; + HLIST_HEAD(llc_sdres_list); +diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h +index 889fefd64e56b..de2ec66d7e83a 100644 +--- a/net/nfc/nfc.h ++++ b/net/nfc/nfc.h +@@ -48,7 +48,7 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, + u8 comm_mode, u8 rf_mode); + int nfc_llcp_register_device(struct nfc_dev *dev); + void nfc_llcp_unregister_device(struct nfc_dev *dev); +-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len); ++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len); + u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len); + int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb); + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); +-- +2.39.2 + diff --git a/queue-5.4/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch b/queue-5.4/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch new file mode 100644 index 00000000000..07e924fee5e --- /dev/null +++ b/queue-5.4/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch @@ -0,0 +1,41 @@ +From c435c43b07ef6b17b7b90f150282902f2a503788 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 May 2023 13:52:04 +0200 +Subject: nfc: llcp: fix possible use of uninitialized variable in + nfc_llcp_send_connect() + +From: Krzysztof Kozlowski + +[ Upstream commit 0d9b41daa5907756a31772d8af8ac5ff25cf17c1 ] + +If sock->service_name is NULL, the local variable +service_name_tlv_length will not be assigned by nfc_llcp_build_tlv(), +later leading to using value frmo the stack. Smatch warning: + + net/nfc/llcp_commands.c:442 nfc_llcp_send_connect() error: uninitialized symbol 'service_name_tlv_length'. + +Fixes: de9e5aeb4f40 ("NFC: llcp: Fix usage of llcp_add_tlv()") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_commands.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index 3c4172a5aeb5e..bb9f40563ff63 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -394,7 +394,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) + const u8 *service_name_tlv = NULL; + const u8 *miux_tlv = NULL; + const u8 *rw_tlv = NULL; +- u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw; ++ u8 service_name_tlv_length = 0; ++ u8 miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +-- +2.39.2 + diff --git a/queue-5.4/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch b/queue-5.4/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch new file mode 100644 index 00000000000..cd0d7f1b5ce --- /dev/null +++ b/queue-5.4/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch @@ -0,0 +1,51 @@ +From 03432eeff906bb9019659266c1377b092d9035c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Mar 2022 20:25:19 +0100 +Subject: nfc: llcp: simplify llcp_sock_connect() error paths + +From: Krzysztof Kozlowski + +[ Upstream commit ec10fd154d934cc4195da3cbd017a12817b41d51 ] + +The llcp_sock_connect() error paths were using a mixed way of central +exit (goto) and cleanup + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Stable-dep-of: 6709d4b7bc2e ("net: nfc: Fix use-after-free caused by nfc_llcp_find_local") +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index bd2174699af97..1c1748b86fae7 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -712,10 +712,8 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + llcp_sock->local = nfc_llcp_local_get(local); + llcp_sock->ssap = nfc_llcp_get_local_ssap(local); + if (llcp_sock->ssap == LLCP_SAP_MAX) { +- nfc_llcp_local_put(llcp_sock->local); +- llcp_sock->local = NULL; + ret = -ENOMEM; +- goto put_dev; ++ goto sock_llcp_put_local; + } + + llcp_sock->reserved_ssap = llcp_sock->ssap; +@@ -760,8 +758,11 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + + sock_llcp_release: + nfc_llcp_put_ssap(local, llcp_sock->ssap); ++ ++sock_llcp_put_local: + nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ++ llcp_sock->dev = NULL; + + put_dev: + nfc_put_device(dev); +-- +2.39.2 + diff --git a/queue-5.4/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch b/queue-5.4/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch new file mode 100644 index 00000000000..9311b1044d8 --- /dev/null +++ b/queue-5.4/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch @@ -0,0 +1,41 @@ +From c75abb197fd47273f1a9756a46daaf04dc03bb9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jun 2023 17:32:25 -0400 +Subject: NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION + +From: Olga Kornievskaia + +[ Upstream commit c907e72f58ed979a24a9fdcadfbc447c51d5e509 ] + +When the client received NFS4ERR_BADSESSION, it schedules recovery +and start the state manager thread which in turn freezes the +session table and does not allow for any new requests to use the +no-longer valid session. However, it is possible that before +the state manager thread runs, a new operation would use the +released slot that received BADSESSION and was therefore not +updated its sequence number. Such re-use of the slot can lead +the application errors. + +Fixes: 5c441544f045 ("NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index c54dd49c993c5..231da9fadf098 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -915,6 +915,7 @@ static int nfs41_sequence_process(struct rpc_task *task, + out_noaction: + return ret; + session_recover: ++ set_bit(NFS4_SLOT_TBL_DRAINING, &session->fc_slot_table.slot_tbl_state); + nfs4_schedule_session_recovery(session, status); + dprintk("%s ERROR: %d Reset session\n", __func__, status); + nfs41_sequence_free_slot(res); +-- +2.39.2 + diff --git a/queue-5.4/pci-add-pci_clear_master-stub-for-non-config_pci.patch b/queue-5.4/pci-add-pci_clear_master-stub-for-non-config_pci.patch new file mode 100644 index 00000000000..66f54ef8cac --- /dev/null +++ b/queue-5.4/pci-add-pci_clear_master-stub-for-non-config_pci.patch @@ -0,0 +1,39 @@ +From db25f854d571d3fcae22d49953b6f83a15aafd41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 18:27:44 +0800 +Subject: PCI: Add pci_clear_master() stub for non-CONFIG_PCI + +From: Sui Jingfeng + +[ Upstream commit 2aa5ac633259843f656eb6ecff4cf01e8e810c5e ] + +Add a pci_clear_master() stub when CONFIG_PCI is not set so drivers that +support both PCI and platform devices don't need #ifdefs or extra Kconfig +symbols for the PCI parts. + +[bhelgaas: commit log] +Fixes: 6a479079c072 ("PCI: Add pci_clear_master() as opposite of pci_set_master()") +Link: https://lore.kernel.org/r/20230531102744.2354313-1-suijingfeng@loongson.cn +Signed-off-by: Sui Jingfeng +Signed-off-by: Bjorn Helgaas +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + include/linux/pci.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/pci.h b/include/linux/pci.h +index fc343d123127b..1cd5caa567cf5 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -1687,6 +1687,7 @@ static inline struct pci_dev *pci_get_class(unsigned int class, + #define pci_dev_put(dev) do { } while (0) + + static inline void pci_set_master(struct pci_dev *dev) { } ++static inline void pci_clear_master(struct pci_dev *dev) { } + static inline int pci_enable_device(struct pci_dev *dev) { return -EIO; } + static inline void pci_disable_device(struct pci_dev *dev) { } + static inline int pci_assign_resource(struct pci_dev *dev, int i) +-- +2.39.2 + diff --git a/queue-5.4/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch b/queue-5.4/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch new file mode 100644 index 00000000000..9806e4f59e4 --- /dev/null +++ b/queue-5.4/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch @@ -0,0 +1,94 @@ +From 32b72de1b29eb74c3946b4b5b4d5775d6514b4dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 May 2023 11:40:57 +0800 +Subject: PCI/ASPM: Disable ASPM on MFD function removal to avoid + use-after-free + +From: Ding Hui + +[ Upstream commit 456d8aa37d0f56fc9e985e812496e861dcd6f2f2 ] + +Struct pcie_link_state->downstream is a pointer to the pci_dev of function +0. Previously we retained that pointer when removing function 0, and +subsequent ASPM policy changes dereferenced it, resulting in a +use-after-free warning from KASAN, e.g.: + + # echo 1 > /sys/bus/pci/devices/0000:03:00.0/remove + # echo powersave > /sys/module/pcie_aspm/parameters/policy + + BUG: KASAN: slab-use-after-free in pcie_config_aspm_link+0x42d/0x500 + Call Trace: + kasan_report+0xae/0xe0 + pcie_config_aspm_link+0x42d/0x500 + pcie_aspm_set_policy+0x8e/0x1a0 + param_attr_store+0x162/0x2c0 + module_attr_store+0x3e/0x80 + +PCIe spec r6.0, sec 7.5.3.7, recommends that software program the same ASPM +Control value in all functions of multi-function devices. + +Disable ASPM and free the pcie_link_state when any child function is +removed so we can discard the dangling pcie_link_state->downstream pointer +and maintain the same ASPM Control configuration for all functions. + +[bhelgaas: commit log and comment] +Debugged-by: Zongquan Qin +Suggested-by: Bjorn Helgaas +Fixes: b5a0a9b59c81 ("PCI/ASPM: Read and set up L1 substate capabilities") +Link: https://lore.kernel.org/r/20230507034057.20970-1-dinghui@sangfor.com.cn +Signed-off-by: Ding Hui +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aspm.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index 7624c71011c6e..d8d27b11b48c4 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -991,21 +991,24 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) + + down_read(&pci_bus_sem); + mutex_lock(&aspm_lock); +- /* +- * All PCIe functions are in one slot, remove one function will remove +- * the whole slot, so just wait until we are the last function left. +- */ +- if (!list_empty(&parent->subordinate->devices)) +- goto out; + + link = parent->link_state; + root = link->root; + parent_link = link->parent; + +- /* All functions are removed, so just disable ASPM for the link */ ++ /* ++ * link->downstream is a pointer to the pci_dev of function 0. If ++ * we remove that function, the pci_dev is about to be deallocated, ++ * so we can't use link->downstream again. Free the link state to ++ * avoid this. ++ * ++ * If we're removing a non-0 function, it's possible we could ++ * retain the link state, but PCIe r6.0, sec 7.5.3.7, recommends ++ * programming the same ASPM Control value for all functions of ++ * multi-function devices, so disable ASPM for all of them. ++ */ + pcie_config_aspm_link(link, 0); + list_del(&link->sibling); +- /* Clock PM is for endpoint device */ + free_link_state(link); + + /* Recheck latencies and configure upstream links */ +@@ -1013,7 +1016,7 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) + pcie_update_aspm_capable(root); + pcie_config_aspm_path(parent_link); + } +-out: ++ + mutex_unlock(&aspm_lock); + up_read(&pci_bus_sem); + } +-- +2.39.2 + diff --git a/queue-5.4/pci-ftpci100-release-the-clock-resources.patch b/queue-5.4/pci-ftpci100-release-the-clock-resources.patch new file mode 100644 index 00000000000..d415b4a0ff5 --- /dev/null +++ b/queue-5.4/pci-ftpci100-release-the-clock-resources.patch @@ -0,0 +1,75 @@ +From d9c83ad50e70e515f58d592e5a298a460e44da62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 12:36:41 +0800 +Subject: PCI: ftpci100: Release the clock resources + +From: Junyan Ye + +[ Upstream commit c60738de85f40b0b9f5cb23c21f9246e5a47908c ] + +Smatch reported: +1. drivers/pci/controller/pci-ftpci100.c:526 faraday_pci_probe() warn: +'clk' from clk_prepare_enable() not released on lines: 442,451,462,478,512,517. +2. drivers/pci/controller/pci-ftpci100.c:526 faraday_pci_probe() warn: +'p->bus_clk' from clk_prepare_enable() not released on lines: 451,462,478,512,517. + +The clock resource is obtained by devm_clk_get(), and then +clk_prepare_enable() makes the clock resource ready for use. After that, +clk_disable_unprepare() should be called to release the clock resource +when it is no longer needed. However, while doing some error handling +in faraday_pci_probe(), clk_disable_unprepare() is not called to release +clk and p->bus_clk before returning. These return lines are exactly 442, +451, 462, 478, 512, 517. + +Fix this warning by replacing devm_clk_get() with devm_clk_get_enabled(), +which is equivalent to devm_clk_get() + clk_prepare_enable(). And with +devm_clk_get_enabled(), the clock will automatically be disabled, +unprepared and freed when the device is unbound from the bus. + +Link: https://lore.kernel.org/r/20230508043641.23807-1-yejunyan@hust.edu.cn +Fixes: b3c433efb8a3 ("PCI: faraday: Fix wrong pointer passed to PTR_ERR()") +Fixes: 2eeb02b28579 ("PCI: faraday: Add clock handling") +Fixes: 783a862563f7 ("PCI: faraday: Use pci_parse_request_of_pci_ranges()") +Fixes: d3c68e0a7e34 ("PCI: faraday: Add Faraday Technology FTPCI100 PCI Host Bridge driver") +Fixes: f1e8bd21e39e ("PCI: faraday: Convert IRQ masking to raw PCI config accessors") +Signed-off-by: Junyan Ye +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Dongliang Mu +Reviewed-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-ftpci100.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/drivers/pci/controller/pci-ftpci100.c b/drivers/pci/controller/pci-ftpci100.c +index bf5ece5d9291f..88983fd0c1bdd 100644 +--- a/drivers/pci/controller/pci-ftpci100.c ++++ b/drivers/pci/controller/pci-ftpci100.c +@@ -458,22 +458,12 @@ static int faraday_pci_probe(struct platform_device *pdev) + p->dev = dev; + + /* Retrieve and enable optional clocks */ +- clk = devm_clk_get(dev, "PCLK"); ++ clk = devm_clk_get_enabled(dev, "PCLK"); + if (IS_ERR(clk)) + return PTR_ERR(clk); +- ret = clk_prepare_enable(clk); +- if (ret) { +- dev_err(dev, "could not prepare PCLK\n"); +- return ret; +- } +- p->bus_clk = devm_clk_get(dev, "PCICLK"); ++ p->bus_clk = devm_clk_get_enabled(dev, "PCICLK"); + if (IS_ERR(p->bus_clk)) + return PTR_ERR(p->bus_clk); +- ret = clk_prepare_enable(p->bus_clk); +- if (ret) { +- dev_err(dev, "could not prepare PCICLK\n"); +- return ret; +- } + + regs = platform_get_resource(pdev, IORESOURCE_MEM, 0); + p->base = devm_ioremap_resource(dev, regs); +-- +2.39.2 + diff --git a/queue-5.4/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch b/queue-5.4/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch new file mode 100644 index 00000000000..939d1ce18e5 --- /dev/null +++ b/queue-5.4/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch @@ -0,0 +1,74 @@ +From 5b574f7d148a6cd0058b8187e37a6e1b390861e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 10:15:18 +0800 +Subject: PCI: pciehp: Cancel bringup sequence if card is not present + +From: Rongguang Wei + +[ Upstream commit e8afd0d9fccc27c8ad263db5cf5952cfcf72d6fe ] + +If a PCIe hotplug slot has an Attention Button, the normal hot-add flow is: + + - Slot is empty and slot power is off + - User inserts card in slot and presses Attention Button + - OS blinks Power Indicator for 5 seconds + - After 5 seconds, OS turns on Power Indicator, turns on slot power, and + enumerates the device + +Previously, if a user pressed the Attention Button on an *empty* slot, +pciehp logged the following messages and blinked the Power Indicator +until a second button press: + + [0.000] pciehp: Button press: will power on in 5 sec + [0.001] # Power Indicator starts blinking + [5.001] # 5 second timeout; slot is empty, so we should cancel the + request to power on and turn off Power Indicator + + [7.000] # Power Indicator still blinking + [8.000] # possible card insertion + [9.000] pciehp: Button press: canceling request to power on + +The first button press incorrectly left the slot in BLINKINGON_STATE, so +the second was interpreted as a "cancel power on" event regardless of +whether a card was present. + +If the slot is empty, turn off the Power Indicator and return from +BLINKINGON_STATE to OFF_STATE after 5 seconds, effectively canceling the +request to power on. Putting the slot in OFF_STATE also means the second +button press will correctly request a slot power on if the slot is +occupied. + +[bhelgaas: commit log] +Link: https://lore.kernel.org/r/20230512021518.336460-1-clementwei90@163.com +Fixes: d331710ea78f ("PCI: pciehp: Become resilient to missed events") +Suggested-by: Lukas Wunner +Signed-off-by: Rongguang Wei +Signed-off-by: Bjorn Helgaas +Reviewed-by: Lukas Wunner +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pciehp_ctrl.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c +index 6503d15effbbd..45d0f63707158 100644 +--- a/drivers/pci/hotplug/pciehp_ctrl.c ++++ b/drivers/pci/hotplug/pciehp_ctrl.c +@@ -258,6 +258,14 @@ void pciehp_handle_presence_or_link_change(struct controller *ctrl, u32 events) + present = pciehp_card_present(ctrl); + link_active = pciehp_check_link_active(ctrl); + if (present <= 0 && link_active <= 0) { ++ if (ctrl->state == BLINKINGON_STATE) { ++ ctrl->state = OFF_STATE; ++ cancel_delayed_work(&ctrl->button_work); ++ pciehp_set_indicators(ctrl, PCI_EXP_SLTCTL_PWR_IND_OFF, ++ INDICATOR_NOOP); ++ ctrl_info(ctrl, "Slot(%s): Card not present\n", ++ slot_name(ctrl)); ++ } + mutex_unlock(&ctrl->state_lock); + return; + } +-- +2.39.2 + diff --git a/queue-5.4/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch b/queue-5.4/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch new file mode 100644 index 00000000000..40436364670 --- /dev/null +++ b/queue-5.4/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch @@ -0,0 +1,45 @@ +From a1737631184f4487cf332e1462297552a0c010ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 16:41:01 -0700 +Subject: perf dwarf-aux: Fix off-by-one in die_get_varname() + +From: Namhyung Kim + +[ Upstream commit 3abfcfd847717d232e36963f31a361747c388fe7 ] + +The die_get_varname() returns "(unknown_type)" string if it failed to +find a type for the variable. But it had a space before the opening +parenthesis and it made the closing parenthesis cut off due to the +off-by-one in the string length (14). + +Signed-off-by: Namhyung Kim +Fixes: 88fd633cdfa19060 ("perf probe: No need to use formatting strbuf method") +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Masami Hiramatsu +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20230612234102.3909116-1-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dwarf-aux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c +index f1e2f566ce6fc..1d51aa88f4cb6 100644 +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -1007,7 +1007,7 @@ int die_get_varname(Dwarf_Die *vr_die, struct strbuf *buf) + ret = die_get_typename(vr_die, buf); + if (ret < 0) { + pr_debug("Failed to get type, make it unknown.\n"); +- ret = strbuf_add(buf, " (unknown_type)", 14); ++ ret = strbuf_add(buf, "(unknown_type)", 14); + } + + return ret < 0 ? ret : strbuf_addf(buf, "\t%s", dwarf_diename(vr_die)); +-- +2.39.2 + diff --git a/queue-5.4/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch b/queue-5.4/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch new file mode 100644 index 00000000000..548919ce5aa --- /dev/null +++ b/queue-5.4/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch @@ -0,0 +1,41 @@ +From 152d13a34e904600505943e1e6716353de95a91f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 13:53:33 +0300 +Subject: pinctrl: at91-pio4: check return value of devm_kasprintf() + +From: Claudiu Beznea + +[ Upstream commit f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 ] + +devm_kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller") +Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks") +Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int") +Signed-off-by: Claudiu Beznea +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230615105333.585304-4-claudiu.beznea@microchip.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-at91-pio4.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c +index 064b7c3c942a9..9c225256e3f4e 100644 +--- a/drivers/pinctrl/pinctrl-at91-pio4.c ++++ b/drivers/pinctrl/pinctrl-at91-pio4.c +@@ -1013,6 +1013,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev) + /* Pin naming convention: P(bank_name)(bank_pin_number). */ + pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d", + bank + 'A', line); ++ if (!pin_desc[i].name) ++ return -ENOMEM; + + group->name = group_names[i] = pin_desc[i].name; + group->pin = pin_desc[i].number; +-- +2.39.2 + diff --git a/queue-5.4/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch b/queue-5.4/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch new file mode 100644 index 00000000000..69326a5c889 --- /dev/null +++ b/queue-5.4/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch @@ -0,0 +1,57 @@ +From d9266e338efc1bc6091314de4a485fbb7464cc50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 17:37:34 +0300 +Subject: pinctrl: cherryview: Return correct value if pin in push-pull mode + +From: Andy Shevchenko + +[ Upstream commit 5835196a17be5cfdcad0b617f90cf4abe16951a4 ] + +Currently the getter returns ENOTSUPP on pin configured in +the push-pull mode. Fix this by adding the missed switch case. + +Fixes: ccdf81d08dbe ("pinctrl: cherryview: add option to set open-drain pin config") +Fixes: 6e08d6bbebeb ("pinctrl: Add Intel Cherryview/Braswell pin controller support") +Acked-by: Mika Westerberg +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c +index 8f06445a8e39c..2b48901f1b2af 100644 +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -1021,11 +1021,6 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned int pin, + + break; + +- case PIN_CONFIG_DRIVE_OPEN_DRAIN: +- if (!(ctrl1 & CHV_PADCTRL1_ODEN)) +- return -EINVAL; +- break; +- + case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: { + u32 cfg; + +@@ -1035,6 +1030,16 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned int pin, + return -EINVAL; + + break; ++ ++ case PIN_CONFIG_DRIVE_PUSH_PULL: ++ if (ctrl1 & CHV_PADCTRL1_ODEN) ++ return -EINVAL; ++ break; ++ ++ case PIN_CONFIG_DRIVE_OPEN_DRAIN: ++ if (!(ctrl1 & CHV_PADCTRL1_ODEN)) ++ return -EINVAL; ++ break; + } + + default: +-- +2.39.2 + diff --git a/queue-5.4/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch b/queue-5.4/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch new file mode 100644 index 00000000000..e37e7ff7de1 --- /dev/null +++ b/queue-5.4/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch @@ -0,0 +1,48 @@ +From dbaf9f92815b85a8f4615e155ec975e17a19d3db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 06:07:43 -0700 +Subject: PM: domains: fix integer overflow issues in genpd_parse_state() + +From: Nikita Zhandarovich + +[ Upstream commit e5d1c8722083f0332dcd3c85fa1273d85fb6bed8 ] + +Currently, while calculating residency and latency values, right +operands may overflow if resulting values are big enough. + +To prevent this, albeit unlikely case, play it safe and convert +right operands to left ones' type s64. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 30f604283e05 ("PM / Domains: Allow domain power states to be read from DT") +Signed-off-by: Nikita Zhandarovich +Acked-by: Ulf Hansson +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/domain.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c +index edb791354421b..5be76197bc361 100644 +--- a/drivers/base/power/domain.c ++++ b/drivers/base/power/domain.c +@@ -2596,10 +2596,10 @@ static int genpd_parse_state(struct genpd_power_state *genpd_state, + + err = of_property_read_u32(state_node, "min-residency-us", &residency); + if (!err) +- genpd_state->residency_ns = 1000 * residency; ++ genpd_state->residency_ns = 1000LL * residency; + +- genpd_state->power_on_latency_ns = 1000 * exit_latency; +- genpd_state->power_off_latency_ns = 1000 * entry_latency; ++ genpd_state->power_on_latency_ns = 1000LL * exit_latency; ++ genpd_state->power_off_latency_ns = 1000LL * entry_latency; + genpd_state->fwnode = &state_node->fwnode; + + return 0; +-- +2.39.2 + diff --git a/queue-5.4/powercap-rapl-fix-config_iosf_mbi-dependency.patch b/queue-5.4/powercap-rapl-fix-config_iosf_mbi-dependency.patch new file mode 100644 index 00000000000..81912f09243 --- /dev/null +++ b/queue-5.4/powercap-rapl-fix-config_iosf_mbi-dependency.patch @@ -0,0 +1,73 @@ +From 41525058e2272364af898c8cf1c11dc7ca4a4d98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 22:00:00 +0800 +Subject: powercap: RAPL: Fix CONFIG_IOSF_MBI dependency + +From: Zhang Rui + +[ Upstream commit 4658fe81b3f8afe8adf37734ec5fe595d90415c6 ] + +After commit 3382388d7148 ("intel_rapl: abstract RAPL common code"), +accessing to IOSF_MBI interface is done in the RAPL common code. + +Thus it is the CONFIG_INTEL_RAPL_CORE that has dependency of +CONFIG_IOSF_MBI, while CONFIG_INTEL_RAPL_MSR does not. + +This problem was not exposed previously because all the previous RAPL +common code users, aka, the RAPL MSR and MMIO I/F drivers, have +CONFIG_IOSF_MBI selected. + +Fix the CONFIG_IOSF_MBI dependency in RAPL code. This also fixes a build +time failure when the RAPL TPMI I/F driver is introduced without +selecting CONFIG_IOSF_MBI. + +x86_64-linux-ld: vmlinux.o: in function `set_floor_freq_atom': +intel_rapl_common.c:(.text+0x2dac9b8): undefined reference to `iosf_mbi_write' +x86_64-linux-ld: intel_rapl_common.c:(.text+0x2daca66): undefined reference to `iosf_mbi_read' + +Reference to iosf_mbi.h is also removed from the RAPL MSR I/F driver. + +Fixes: 3382388d7148 ("intel_rapl: abstract RAPL common code") +Reported-by: Arnd Bergmann +Link: https://lore.kernel.org/all/20230601213246.3271412-1-arnd@kernel.org +Signed-off-by: Zhang Rui +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/powercap/Kconfig | 4 +++- + drivers/powercap/intel_rapl_msr.c | 1 - + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/powercap/Kconfig b/drivers/powercap/Kconfig +index dc1c1381d7fa9..61fd5dfaf7a0f 100644 +--- a/drivers/powercap/Kconfig ++++ b/drivers/powercap/Kconfig +@@ -18,10 +18,12 @@ if POWERCAP + # Client driver configurations go here. + config INTEL_RAPL_CORE + tristate ++ depends on PCI ++ select IOSF_MBI + + config INTEL_RAPL + tristate "Intel RAPL Support via MSR Interface" +- depends on X86 && IOSF_MBI ++ depends on X86 && PCI + select INTEL_RAPL_CORE + ---help--- + This enables support for the Intel Running Average Power Limit (RAPL) +diff --git a/drivers/powercap/intel_rapl_msr.c b/drivers/powercap/intel_rapl_msr.c +index d5487965bdfe9..6091e462626a4 100644 +--- a/drivers/powercap/intel_rapl_msr.c ++++ b/drivers/powercap/intel_rapl_msr.c +@@ -22,7 +22,6 @@ + #include + #include + +-#include + #include + #include + +-- +2.39.2 + diff --git a/queue-5.4/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch b/queue-5.4/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch new file mode 100644 index 00000000000..a0222fa0be8 --- /dev/null +++ b/queue-5.4/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch @@ -0,0 +1,40 @@ +From 90ee0d92192c1f49b6949c2bb419a14f084acc69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 16:38:15 +0530 +Subject: powerpc/mm/dax: Fix the condition when checking if altmap vmemap can + cross-boundary + +From: Aneesh Kumar K.V + +[ Upstream commit c8eebc4a99f15280654f23e914e746c40a516e50 ] + +Without this fix, the last subsection vmemmap can end up in memory even if +the namespace is created with -M mem and has sufficient space in the altmap +area. + +Fixes: cf387d9644d8 ("libnvdimm/altmap: Track namespace boundaries in altmap") +Signed-off-by: Aneesh Kumar K.V +Tested-by: Sachin Sant > +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230616110826.344417-6-aneesh.kumar@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/init_64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/mm/init_64.c b/arch/powerpc/mm/init_64.c +index 210f1c28b8e41..e4fb5ab41e2d3 100644 +--- a/arch/powerpc/mm/init_64.c ++++ b/arch/powerpc/mm/init_64.c +@@ -178,7 +178,7 @@ static bool altmap_cross_boundary(struct vmem_altmap *altmap, unsigned long star + unsigned long nr_pfn = page_size / sizeof(struct page); + unsigned long start_pfn = page_to_pfn((struct page *)start); + +- if ((start_pfn + nr_pfn) > altmap->end_pfn) ++ if ((start_pfn + nr_pfn - 1) > altmap->end_pfn) + return true; + + if (start_pfn < altmap->base_pfn) +-- +2.39.2 + diff --git a/queue-5.4/pstore-ram-add-check-for-kstrdup.patch b/queue-5.4/pstore-ram-add-check-for-kstrdup.patch new file mode 100644 index 00000000000..82b2da7c06d --- /dev/null +++ b/queue-5.4/pstore-ram-add-check-for-kstrdup.patch @@ -0,0 +1,37 @@ +From d8abc2ef0d780ff00ba6d1003735e7a8c95dc465 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 17:37:33 +0800 +Subject: pstore/ram: Add check for kstrdup + +From: Jiasheng Jiang + +[ Upstream commit d97038d5ec2062733c1e016caf9baaf68cf64ea1 ] + +Add check for the return value of kstrdup() and return the error +if it fails in order to avoid NULL pointer dereference. + +Fixes: e163fdb3f7f8 ("pstore/ram: Regularize prz label allocation lifetime") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20230614093733.36048-1-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + fs/pstore/ram_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c +index 286340f312dcb..73aed51447b9a 100644 +--- a/fs/pstore/ram_core.c ++++ b/fs/pstore/ram_core.c +@@ -579,6 +579,8 @@ struct persistent_ram_zone *persistent_ram_new(phys_addr_t start, size_t size, + raw_spin_lock_init(&prz->buffer_lock); + prz->flags = flags; + prz->label = kstrdup(label, GFP_KERNEL); ++ if (!prz->label) ++ goto err; + + ret = persistent_ram_buffer_map(start, size, prz, memtype); + if (ret) +-- +2.39.2 + diff --git a/queue-5.4/radeon-avoid-double-free-in-ci_dpm_init.patch b/queue-5.4/radeon-avoid-double-free-in-ci_dpm_init.patch new file mode 100644 index 00000000000..b1e2cce03a3 --- /dev/null +++ b/queue-5.4/radeon-avoid-double-free-in-ci_dpm_init.patch @@ -0,0 +1,110 @@ +From e2c127f46914a54e4105b6f582029ebd80336dac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 08:12:28 -0700 +Subject: radeon: avoid double free in ci_dpm_init() + +From: Nikita Zhandarovich + +[ Upstream commit 20c3dffdccbd494e0dd631d1660aeecbff6775f2 ] + +Several calls to ci_dpm_fini() will attempt to free resources that +either have been freed before or haven't been allocated yet. This +may lead to undefined or dangerous behaviour. + +For instance, if r600_parse_extended_power_table() fails, it might +call r600_free_extended_power_table() as will ci_dpm_fini() later +during error handling. + +Fix this by only freeing pointers to objects previously allocated. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") +Co-developed-by: Natalia Petrova +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/ci_dpm.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c +index 1e62e7bbf1b1d..5403f4c902b64 100644 +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -5556,6 +5556,7 @@ static int ci_parse_power_table(struct radeon_device *rdev) + u8 frev, crev; + u8 *power_state_offset; + struct ci_ps *ps; ++ int ret; + + if (!atom_parse_data_header(mode_info->atom_context, index, NULL, + &frev, &crev, &data_offset)) +@@ -5585,11 +5586,15 @@ static int ci_parse_power_table(struct radeon_device *rdev) + non_clock_array_index = power_state->v2.nonClockInfoIndex; + non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) + &non_clock_info_array->nonClockInfo[non_clock_array_index]; +- if (!rdev->pm.power_state[i].clock_info) +- return -EINVAL; ++ if (!rdev->pm.power_state[i].clock_info) { ++ ret = -EINVAL; ++ goto err_free_ps; ++ } + ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL); +- if (ps == NULL) +- return -ENOMEM; ++ if (ps == NULL) { ++ ret = -ENOMEM; ++ goto err_free_ps; ++ } + rdev->pm.dpm.ps[i].ps_priv = ps; + ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i], + non_clock_info, +@@ -5629,6 +5634,12 @@ static int ci_parse_power_table(struct radeon_device *rdev) + } + + return 0; ++ ++err_free_ps: ++ for (i = 0; i < rdev->pm.dpm.num_ps; i++) ++ kfree(rdev->pm.dpm.ps[i].ps_priv); ++ kfree(rdev->pm.dpm.ps); ++ return ret; + } + + static int ci_get_vbios_boot_values(struct radeon_device *rdev, +@@ -5717,25 +5728,26 @@ int ci_dpm_init(struct radeon_device *rdev) + + ret = ci_get_vbios_boot_values(rdev, &pi->vbios_boot_state); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = r600_get_platform_caps(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = r600_parse_extended_power_table(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = ci_parse_power_table(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); ++ r600_free_extended_power_table(rdev); + return ret; + } + +-- +2.39.2 + diff --git a/queue-5.4/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch b/queue-5.4/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch new file mode 100644 index 00000000000..4ff6711918e --- /dev/null +++ b/queue-5.4/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch @@ -0,0 +1,44 @@ +From 88597efc4f3c7716484af6ddfcd97f57e714380e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 23:48:15 -0700 +Subject: RDMA/bnxt_re: Fix to remove an unnecessary log + +From: Kalesh AP + +[ Upstream commit 43774bc156614346fe5dacabc8e8c229167f2536 ] + +During destroy_qp, driver sets the qp handle in the existing CQEs +belonging to the QP being destroyed to NULL. As a result, a poll_cq after +destroy_qp can report unnecessary messages. Remove this noise from system +logs. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://lore.kernel.org/r/1684478897-12247-6-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index 5fc5ab7813c0f..18b579c8a8c55 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -2606,11 +2606,8 @@ static int bnxt_qplib_cq_process_terminal(struct bnxt_qplib_cq *cq, + + qp = (struct bnxt_qplib_qp *)((unsigned long) + le64_to_cpu(hwcqe->qp_handle)); +- if (!qp) { +- dev_err(&cq->hwq.pdev->dev, +- "FP: CQ Process terminal qp is NULL\n"); ++ if (!qp) + return -EINVAL; +- } + + /* Must block new posting of SQ and RQ */ + qp->state = CMDQ_MODIFY_QP_NEW_STATE_ERR; +-- +2.39.2 + diff --git a/queue-5.4/regulator-core-fix-more-error-checking-for-debugfs_c.patch b/queue-5.4/regulator-core-fix-more-error-checking-for-debugfs_c.patch new file mode 100644 index 00000000000..f23c54aa57b --- /dev/null +++ b/queue-5.4/regulator-core-fix-more-error-checking-for-debugfs_c.patch @@ -0,0 +1,40 @@ +From 388374e93efa26da04d6ee279b68a8efcc466553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 13:13:58 +0200 +Subject: regulator: core: Fix more error checking for debugfs_create_dir() + +From: Geert Uytterhoeven + +[ Upstream commit 2715bb11cfff964aa33946847f9527cfbd4874f5 ] + +In case of failure, debugfs_create_dir() does not return NULL, but an +error pointer. Most incorrect error checks were fixed, but the one in +create_regulator() was forgotten. + +Fix the remaining error check. + +Fixes: 2bf1c45be3b8f3a3 ("regulator: Fix error checking for debugfs_create_dir") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/ee980a108b5854dd8ce3630f8f673e784e057d17.1685013051.git.geert+renesas@glider.be +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index cc9aa95d69691..0ac9c763942f9 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1710,7 +1710,7 @@ static struct regulator *create_regulator(struct regulator_dev *rdev, + + if (err != -EEXIST) + regulator->debugfs = debugfs_create_dir(supply_name, rdev->debugfs); +- if (!regulator->debugfs) { ++ if (IS_ERR(regulator->debugfs)) { + rdev_dbg(rdev, "Failed to create debugfs directory\n"); + } else { + debugfs_create_u32("uA_load", 0444, regulator->debugfs, +-- +2.39.2 + diff --git a/queue-5.4/regulator-core-streamline-debugfs-operations.patch b/queue-5.4/regulator-core-streamline-debugfs-operations.patch new file mode 100644 index 00000000000..c08ea129cab --- /dev/null +++ b/queue-5.4/regulator-core-streamline-debugfs-operations.patch @@ -0,0 +1,100 @@ +From 286608c89dc3e5d2200a1ef9e3bcaef22e6d3237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 13:13:59 +0200 +Subject: regulator: core: Streamline debugfs operations + +From: Geert Uytterhoeven + +[ Upstream commit 08880713ceec023dd94d634f1e8902728c385939 ] + +If CONFIG_DEBUG_FS is not set: + + regulator: Failed to create debugfs directory + ... + regulator-dummy: Failed to create debugfs directory + +As per the comments for debugfs_create_dir(), errors returned by this +function should be expected, and ignored: + + * If debugfs is not enabled in the kernel, the value -%ENODEV will be + * returned. + * + * NOTE: it's expected that most callers should _ignore_ the errors returned + * by this function. Other debugfs functions handle the fact that the "dentry" + * passed to them could be an error and they don't crash in that case. + * Drivers should generally work fine even if debugfs fails to init anyway. + +Adhere to the debugfs spirit, and streamline all operations by: + 1. Demoting the importance of the printed error messages to debug + level, like is already done in create_regulator(), + 2. Further ignoring any returned errors, as by design, all debugfs + functions are no-ops when passed an error pointer. + +Fixes: 2bf1c45be3b8f3a3 ("regulator: Fix error checking for debugfs_create_dir") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/2f8bb6e113359ddfab7b59e4d4274bd4c06d6d0a.1685013051.git.geert+renesas@glider.be +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 0ac9c763942f9..fe4b666edd037 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1710,19 +1710,17 @@ static struct regulator *create_regulator(struct regulator_dev *rdev, + + if (err != -EEXIST) + regulator->debugfs = debugfs_create_dir(supply_name, rdev->debugfs); +- if (IS_ERR(regulator->debugfs)) { ++ if (IS_ERR(regulator->debugfs)) + rdev_dbg(rdev, "Failed to create debugfs directory\n"); +- } else { +- debugfs_create_u32("uA_load", 0444, regulator->debugfs, +- ®ulator->uA_load); +- debugfs_create_u32("min_uV", 0444, regulator->debugfs, +- ®ulator->voltage[PM_SUSPEND_ON].min_uV); +- debugfs_create_u32("max_uV", 0444, regulator->debugfs, +- ®ulator->voltage[PM_SUSPEND_ON].max_uV); +- debugfs_create_file("constraint_flags", 0444, +- regulator->debugfs, regulator, +- &constraint_flags_fops); +- } ++ ++ debugfs_create_u32("uA_load", 0444, regulator->debugfs, ++ ®ulator->uA_load); ++ debugfs_create_u32("min_uV", 0444, regulator->debugfs, ++ ®ulator->voltage[PM_SUSPEND_ON].min_uV); ++ debugfs_create_u32("max_uV", 0444, regulator->debugfs, ++ ®ulator->voltage[PM_SUSPEND_ON].max_uV); ++ debugfs_create_file("constraint_flags", 0444, regulator->debugfs, ++ regulator, &constraint_flags_fops); + + /* + * Check now if the regulator is an always on regulator - if +@@ -4906,10 +4904,8 @@ static void rdev_init_debugfs(struct regulator_dev *rdev) + } + + rdev->debugfs = debugfs_create_dir(rname, debugfs_root); +- if (IS_ERR(rdev->debugfs)) { +- rdev_warn(rdev, "Failed to create debugfs directory\n"); +- return; +- } ++ if (IS_ERR(rdev->debugfs)) ++ rdev_dbg(rdev, "Failed to create debugfs directory\n"); + + debugfs_create_u32("use_count", 0444, rdev->debugfs, + &rdev->use_count); +@@ -5797,7 +5793,7 @@ static int __init regulator_init(void) + + debugfs_root = debugfs_create_dir("regulator", NULL); + if (IS_ERR(debugfs_root)) +- pr_warn("regulator: Failed to create debugfs directory\n"); ++ pr_debug("regulator: Failed to create debugfs directory\n"); + + #ifdef CONFIG_DEBUG_FS + debugfs_create_file("supply_map", 0444, debugfs_root, NULL, +-- +2.39.2 + diff --git a/queue-5.4/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch b/queue-5.4/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch new file mode 100644 index 00000000000..9fd9c1baacd --- /dev/null +++ b/queue-5.4/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch @@ -0,0 +1,167 @@ +From fefb2d8ee61360931f99c7d7d29e3846834e27a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Jun 2023 13:51:08 +0300 +Subject: rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO + +From: Edwin Peer + +[ Upstream commit fa0e21fa44438a0e856d42224bfa24641d37b979 ] + +This filter already exists for excluding IPv6 SNMP stats. Extend its +definition to also exclude IFLA_VF_INFO stats in RTM_GETLINK. + +This patch constitutes a partial fix for a netlink attribute nesting +overflow bug in IFLA_VFINFO_LIST. By excluding the stats when the +requester doesn't need them, the truncation of the VF list is avoided. + +While it was technically only the stats added in commit c5a9f6f0ab40 +("net/core: Add drop counters to VF statistics") breaking the camel's +back, the appreciable size of the stats data should never have been +included without due consideration for the maximum number of VFs +supported by PCI. + +Fixes: 3b766cd83232 ("net/core: Add reading VF statistics through the PF netdevice") +Fixes: c5a9f6f0ab40 ("net/core: Add drop counters to VF statistics") +Signed-off-by: Edwin Peer +Cc: Edwin Peer +Signed-off-by: Gal Pressman +Link: https://lore.kernel.org/r/20230611105108.122586-1-gal@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 96 +++++++++++++++++++++++--------------------- + 1 file changed, 51 insertions(+), 45 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index da1ef00fc9cc2..0b0107797e490 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -922,24 +922,27 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev, + nla_total_size(sizeof(struct ifla_vf_rate)) + + nla_total_size(sizeof(struct ifla_vf_link_state)) + + nla_total_size(sizeof(struct ifla_vf_rss_query_en)) + +- nla_total_size(0) + /* nest IFLA_VF_STATS */ +- /* IFLA_VF_STATS_RX_PACKETS */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_TX_PACKETS */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_RX_BYTES */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_TX_BYTES */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_BROADCAST */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_MULTICAST */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_RX_DROPPED */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_TX_DROPPED */ +- nla_total_size_64bit(sizeof(__u64)) + + nla_total_size(sizeof(struct ifla_vf_trust))); ++ if (~ext_filter_mask & RTEXT_FILTER_SKIP_STATS) { ++ size += num_vfs * ++ (nla_total_size(0) + /* nest IFLA_VF_STATS */ ++ /* IFLA_VF_STATS_RX_PACKETS */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_TX_PACKETS */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_RX_BYTES */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_TX_BYTES */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_BROADCAST */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_MULTICAST */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_RX_DROPPED */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_TX_DROPPED */ ++ nla_total_size_64bit(sizeof(__u64))); ++ } + return size; + } else + return 0; +@@ -1189,7 +1192,8 @@ static noinline_for_stack int rtnl_fill_stats(struct sk_buff *skb, + static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb, + struct net_device *dev, + int vfs_num, +- struct nlattr *vfinfo) ++ struct nlattr *vfinfo, ++ u32 ext_filter_mask) + { + struct ifla_vf_rss_query_en vf_rss_query_en; + struct nlattr *vf, *vfstats, *vfvlanlist; +@@ -1279,33 +1283,35 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb, + goto nla_put_vf_failure; + } + nla_nest_end(skb, vfvlanlist); +- memset(&vf_stats, 0, sizeof(vf_stats)); +- if (dev->netdev_ops->ndo_get_vf_stats) +- dev->netdev_ops->ndo_get_vf_stats(dev, vfs_num, +- &vf_stats); +- vfstats = nla_nest_start_noflag(skb, IFLA_VF_STATS); +- if (!vfstats) +- goto nla_put_vf_failure; +- if (nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_PACKETS, +- vf_stats.rx_packets, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_PACKETS, +- vf_stats.tx_packets, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_BYTES, +- vf_stats.rx_bytes, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_BYTES, +- vf_stats.tx_bytes, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_BROADCAST, +- vf_stats.broadcast, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_MULTICAST, +- vf_stats.multicast, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_DROPPED, +- vf_stats.rx_dropped, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_DROPPED, +- vf_stats.tx_dropped, IFLA_VF_STATS_PAD)) { +- nla_nest_cancel(skb, vfstats); +- goto nla_put_vf_failure; ++ if (~ext_filter_mask & RTEXT_FILTER_SKIP_STATS) { ++ memset(&vf_stats, 0, sizeof(vf_stats)); ++ if (dev->netdev_ops->ndo_get_vf_stats) ++ dev->netdev_ops->ndo_get_vf_stats(dev, vfs_num, ++ &vf_stats); ++ vfstats = nla_nest_start_noflag(skb, IFLA_VF_STATS); ++ if (!vfstats) ++ goto nla_put_vf_failure; ++ if (nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_PACKETS, ++ vf_stats.rx_packets, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_PACKETS, ++ vf_stats.tx_packets, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_BYTES, ++ vf_stats.rx_bytes, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_BYTES, ++ vf_stats.tx_bytes, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_BROADCAST, ++ vf_stats.broadcast, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_MULTICAST, ++ vf_stats.multicast, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_DROPPED, ++ vf_stats.rx_dropped, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_DROPPED, ++ vf_stats.tx_dropped, IFLA_VF_STATS_PAD)) { ++ nla_nest_cancel(skb, vfstats); ++ goto nla_put_vf_failure; ++ } ++ nla_nest_end(skb, vfstats); + } +- nla_nest_end(skb, vfstats); + nla_nest_end(skb, vf); + return 0; + +@@ -1338,7 +1344,7 @@ static noinline_for_stack int rtnl_fill_vf(struct sk_buff *skb, + return -EMSGSIZE; + + for (i = 0; i < num_vfs; i++) { +- if (rtnl_fill_vfinfo(skb, dev, i, vfinfo)) ++ if (rtnl_fill_vfinfo(skb, dev, i, vfinfo, ext_filter_mask)) + return -EMSGSIZE; + } + +-- +2.39.2 + diff --git a/queue-5.4/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch b/queue-5.4/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch new file mode 100644 index 00000000000..837ca484375 --- /dev/null +++ b/queue-5.4/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch @@ -0,0 +1,36 @@ +From 0ee82b960f4dc01a0d320e8313ba5f9117652bcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 May 2023 16:50:58 +0800 +Subject: samples/bpf: Fix buffer overflow in tcp_basertt + +From: Pengcheng Yang + +[ Upstream commit f4dea9689c5fea3d07170c2cb0703e216f1a0922 ] + +Using sizeof(nv) or strlen(nv)+1 is correct. + +Fixes: c890063e4404 ("bpf: sample BPF_SOCKET_OPS_BASE_RTT program") +Signed-off-by: Pengcheng Yang +Link: https://lore.kernel.org/r/1683276658-2860-1-git-send-email-yangpc@wangsu.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + samples/bpf/tcp_basertt_kern.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/samples/bpf/tcp_basertt_kern.c b/samples/bpf/tcp_basertt_kern.c +index 9dba48c2b9207..66dd58f78d528 100644 +--- a/samples/bpf/tcp_basertt_kern.c ++++ b/samples/bpf/tcp_basertt_kern.c +@@ -47,7 +47,7 @@ int bpf_basertt(struct bpf_sock_ops *skops) + case BPF_SOCK_OPS_BASE_RTT: + n = bpf_getsockopt(skops, SOL_TCP, TCP_CONGESTION, + cong, sizeof(cong)); +- if (!n && !__builtin_memcmp(cong, nv, sizeof(nv)+1)) { ++ if (!n && !__builtin_memcmp(cong, nv, sizeof(nv))) { + /* Set base_rtt to 80us */ + rv = 80; + } else if (n) { +-- +2.39.2 + diff --git a/queue-5.4/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch b/queue-5.4/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch new file mode 100644 index 00000000000..8d072a64d48 --- /dev/null +++ b/queue-5.4/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch @@ -0,0 +1,47 @@ +From faf7e47be6d7209421b9e209b652521f3d411e10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 May 2023 22:12:55 +0800 +Subject: scsi: 3w-xxxx: Add error handling for initialization failure in + tw_probe() + +From: Yuchen Yang + +[ Upstream commit 2e2fe5ac695a00ab03cab4db1f4d6be07168ed9d ] + +Smatch complains that: + +tw_probe() warn: missing error code 'retval' + +This patch adds error checking to tw_probe() to handle initialization +failure. If tw_reset_sequence() function returns a non-zero value, the +function will return -EINVAL to indicate initialization failure. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yuchen Yang +Link: https://lore.kernel.org/r/20230505141259.7730-1-u202114568@hust.edu.cn +Reviewed-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/3w-xxxx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c +index 2b1e0d5030201..75290aabd543b 100644 +--- a/drivers/scsi/3w-xxxx.c ++++ b/drivers/scsi/3w-xxxx.c +@@ -2310,8 +2310,10 @@ static int tw_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id) + TW_DISABLE_INTERRUPTS(tw_dev); + + /* Initialize the card */ +- if (tw_reset_sequence(tw_dev)) ++ if (tw_reset_sequence(tw_dev)) { ++ retval = -EINVAL; + goto out_release_mem_region; ++ } + + /* Set host specific parameters */ + host->max_id = TW_MAX_UNITS; +-- +2.39.2 + diff --git a/queue-5.4/scsi-qedf-fix-null-dereference-in-error-handling.patch b/queue-5.4/scsi-qedf-fix-null-dereference-in-error-handling.patch new file mode 100644 index 00000000000..94338e5f183 --- /dev/null +++ b/queue-5.4/scsi-qedf-fix-null-dereference-in-error-handling.patch @@ -0,0 +1,47 @@ +From 80fe24ae9795741038f5de36d24f410e3915dfe2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 May 2023 22:00:21 +0800 +Subject: scsi: qedf: Fix NULL dereference in error handling + +From: Jinhong Zhu + +[ Upstream commit f025312b089474a54e4859f3453771314d9e3d4f ] + +Smatch reported: + +drivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues() +warn: missing unwind goto? + +At this point in the function, nothing has been allocated so we can return +directly. In particular the "qedf->global_queues" have not been allocated +so calling qedf_free_global_queues() will lead to a NULL dereference when +we check if (!gl[i]) and "gl" is NULL. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Signed-off-by: Jinhong Zhu +Link: https://lore.kernel.org/r/20230502140022.2852-1-jinhongzhu@hust.edu.cn +Reviewed-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c +index f864ef059d29e..858058f228191 100644 +--- a/drivers/scsi/qedf/qedf_main.c ++++ b/drivers/scsi/qedf/qedf_main.c +@@ -2914,9 +2914,8 @@ static int qedf_alloc_global_queues(struct qedf_ctx *qedf) + * addresses of our queues + */ + if (!qedf->p_cpuq) { +- status = -EINVAL; + QEDF_ERR(&qedf->dbg_ctx, "p_cpuq is NULL.\n"); +- goto mem_alloc_failure; ++ return -EINVAL; + } + + qedf->global_queues = kzalloc((sizeof(struct global_queue *) +-- +2.39.2 + diff --git a/queue-5.4/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch b/queue-5.4/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch new file mode 100644 index 00000000000..11284168de6 --- /dev/null +++ b/queue-5.4/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch @@ -0,0 +1,40 @@ +From 99215f1936d6398e88b17ca7218713097f26f412 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jun 2023 23:03:34 +0200 +Subject: selftests: rtnetlink: remove netdevsim device after ipsec offload + test + +From: Sabrina Dubroca + +[ Upstream commit 5f789f103671fec3733ebe756e56adf15c90c21d ] + +On systems where netdevsim is built-in or loaded before the test +starts, kci_test_ipsec_offload doesn't remove the netdevsim device it +created during the test. + +Fixes: e05b2d141fef ("netdevsim: move netdev creation/destruction to dev probe") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Simon Horman +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/e1cb94f4f82f4eca4a444feec4488a1323396357.1687466906.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/rtnetlink.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh +index 911c549f186fb..3b929e031f59c 100755 +--- a/tools/testing/selftests/net/rtnetlink.sh ++++ b/tools/testing/selftests/net/rtnetlink.sh +@@ -833,6 +833,7 @@ EOF + fi + + # clean up any leftovers ++ echo 0 > /sys/bus/netdevsim/del_device + $probed && rmmod netdevsim + + if [ $ret -ne 0 ]; then +-- +2.39.2 + diff --git a/queue-5.4/series b/queue-5.4/series index ba5ca553250..8f9387e07e5 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -6,3 +6,114 @@ fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch scripts-tags.sh-resolve-gtags-empty-index-generation.patch drm-amdgpu-validate-vm-ioctl-flags.patch +x86-resctrl-use-is_closid_match-in-more-places.patch +x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch +md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch +md-raid10-fix-overflow-of-md-safe_mode_delay.patch +md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch +md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch +md-raid10-fix-io-loss-while-replacement-replace-rdev.patch +irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch +irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch +tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch +clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch +clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch +pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch +powercap-rapl-fix-config_iosf_mbi-dependency.patch +arm-9303-1-kprobes-avoid-missing-declaration-warning.patch +evm-complete-description-of-evm_inode_setattr.patch +pstore-ram-add-check-for-kstrdup.patch +ima-fix-build-warnings.patch +wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch +wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch +samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch +spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch +wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch +nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch +nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch +regulator-core-fix-more-error-checking-for-debugfs_c.patch +regulator-core-streamline-debugfs-operations.patch +wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch +wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch +wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch +wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch +wl3501_cs-remove-unnecessary-null-check.patch +wl3501_cs-fix-misspelling-and-provide-missing-docume.patch +net-create-netdev-dev_addr-assignment-helpers.patch +wl3501_cs-use-eth_hw_addr_set.patch +wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch +wifi-ray_cs-utilize-strnlen-in-parse_addr.patch +wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch +wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch +wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch +wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch +watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch +watchdog-perf-more-properly-prevent-false-positives-.patch +kexec-fix-a-memory-leak-in-crash_shrink_memory.patch +memstick-r592-make-memstick_debug_get_tpc_name-stati.patch +wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch +rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch +wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch +wifi-cfg80211-rewrite-merging-of-inherited-elements.patch +wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch +netlink-fix-potential-deadlock-in-netlink_set_err.patch +netlink-do-not-hard-code-device-address-lenth-in-fdb.patch +selftests-rtnetlink-remove-netdevsim-device-after-ip.patch +gtp-fix-use-after-free-in-__gtp_encap_destroy.patch +nfc-llcp-simplify-llcp_sock_connect-error-paths.patch +net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch +lib-ts_bm-reset-initial-match-offset-for-every-block.patch +netfilter-conntrack-dccp-copy-entire-header-to-stack.patch +netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch +ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch +netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch +radeon-avoid-double-free-in-ci_dpm_init.patch +input-drv260x-sleep-between-polling-go-bit.patch +arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch +input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch +drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch +rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch +arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch +arm64-dts-qcom-msm8916-correct-camss-unit-address.patch +drm-panel-simple-fix-active-size-for-ampire-am-48027.patch +arm-ep93xx-fix-missing-prototype-warnings.patch +memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch +asoc-es8316-increment-max-value-for-alc-capture-targ.patch +asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch +soc-fsl-qe-fix-usb.c-build-errors.patch +ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch +arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch +fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch +drm-amdkfd-fix-potential-deallocation-of-previously-.patch +drm-radeon-fix-possible-division-by-zero-errors.patch +clk-tegra-tegra124-emc-fix-potential-memory-leak.patch +alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch +clk-cdce925-check-return-value-of-kasprintf.patch +clk-keystone-sci-clk-check-return-value-of-kasprintf.patch +asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch +scsi-qedf-fix-null-dereference-in-error-handling.patch +pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch +scsi-3w-xxxx-add-error-handling-for-initialization-f.patch +pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch +pci-ftpci100-release-the-clock-resources.patch +pci-add-pci_clear_master-stub-for-non-config_pci.patch +pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch +perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch +pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch +powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch +hwrng-virtio-add-an-internal-buffer.patch +hwrng-virtio-don-t-wait-on-cleanup.patch +hwrng-virtio-don-t-waste-entropy.patch +hwrng-virtio-always-add-a-pending-request.patch +hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch +crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch +modpost-fix-section-mismatch-message-for-r_arm_abs32.patch +modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch +crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch +crypto-skcipher-remove-crypto_has_ablkcipher.patch +crypto-marvell-cesa-fix-type-mismatch-warning.patch +modpost-fix-off-by-one-in-is_executable_section.patch +arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch +nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch +hwrng-st-fix-w-1-unused-variable-warning.patch +hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch diff --git a/queue-5.4/soc-fsl-qe-fix-usb.c-build-errors.patch b/queue-5.4/soc-fsl-qe-fix-usb.c-build-errors.patch new file mode 100644 index 00000000000..21c39fd1550 --- /dev/null +++ b/queue-5.4/soc-fsl-qe-fix-usb.c-build-errors.patch @@ -0,0 +1,60 @@ +From c3b66daa3de5c5e4f9b2e88b0dc50d38221b515e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 May 2023 15:52:16 -0700 +Subject: soc/fsl/qe: fix usb.c build errors + +From: Randy Dunlap + +[ Upstream commit 7b1a78babd0d2cd27aa07255dee0c2d7ac0f31e3 ] + +Fix build errors in soc/fsl/qe/usb.c when QUICC_ENGINE is not set. +This happens when PPC_EP88XC is set, which selects CPM1 & CPM. +When CPM is set, USB_FSL_QE can be set without QUICC_ENGINE +being set. When USB_FSL_QE is set, QE_USB deafults to y, which +causes build errors when QUICC_ENGINE is not set. Making +QE_USB depend on QUICC_ENGINE prevents QE_USB from defaulting to y. + +Fixes these build errors: + +drivers/soc/fsl/qe/usb.o: in function `qe_usb_clock_set': +usb.c:(.text+0x1e): undefined reference to `qe_immr' +powerpc-linux-ld: usb.c:(.text+0x2a): undefined reference to `qe_immr' +powerpc-linux-ld: usb.c:(.text+0xbc): undefined reference to `qe_setbrg' +powerpc-linux-ld: usb.c:(.text+0xca): undefined reference to `cmxgcr_lock' +powerpc-linux-ld: usb.c:(.text+0xce): undefined reference to `cmxgcr_lock' + +Fixes: 5e41486c408e ("powerpc/QE: add support for QE USB clocks routing") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Link: https://lore.kernel.org/all/202301101500.pillNv6R-lkp@intel.com/ +Suggested-by: Michael Ellerman +Cc: Christophe Leroy +Cc: Leo Li +Cc: Masahiro Yamada +Cc: Nicolas Schier +Cc: Qiang Zhao +Cc: linuxppc-dev +Cc: linux-arm-kernel@lists.infradead.org +Cc: Kumar Gala +Acked-by: Nicolas Schier +Signed-off-by: Li Yang +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qe/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soc/fsl/qe/Kconfig b/drivers/soc/fsl/qe/Kconfig +index cfa4b2939992c..3ed0838607647 100644 +--- a/drivers/soc/fsl/qe/Kconfig ++++ b/drivers/soc/fsl/qe/Kconfig +@@ -38,6 +38,7 @@ config QE_TDM + + config QE_USB + bool ++ depends on QUICC_ENGINE + default y if USB_FSL_QE + help + QE USB Controller support +-- +2.39.2 + diff --git a/queue-5.4/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch b/queue-5.4/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch new file mode 100644 index 00000000000..c3b0fe67416 --- /dev/null +++ b/queue-5.4/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch @@ -0,0 +1,44 @@ +From f34cc0a8e911f3ac14b6bd726de7eb97e1254bda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 14:12:08 +0530 +Subject: spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG + +From: Vijaya Krishna Nivarthi + +[ Upstream commit 5fd7c99ecf45c8ee8a9b1268f0ffc91cc6271da2 ] + +The CS_TOGGLE bit when set is supposed to instruct FW to +toggle CS line between words. The driver with intent of +disabling this behaviour has been unsetting BIT(0). This has +not caused any trouble so far because the original BIT(1) +is untouched and BIT(0) likely wasn't being used. + +Correct this to prevent a potential future bug. + +Signed-off-by: Vijaya Krishna Nivarthi +--- + drivers/spi/spi-geni-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-geni-qcom.c b/drivers/spi/spi-geni-qcom.c +index 01b53d816497c..ae1cbc3215366 100644 +--- a/drivers/spi/spi-geni-qcom.c ++++ b/drivers/spi/spi-geni-qcom.c +@@ -32,7 +32,7 @@ + #define CS_DEMUX_OUTPUT_SEL GENMASK(3, 0) + + #define SE_SPI_TRANS_CFG 0x25c +-#define CS_TOGGLE BIT(0) ++#define CS_TOGGLE BIT(1) + + #define SE_SPI_WORD_LEN 0x268 + #define WORD_LEN_MSK GENMASK(9, 0) +-- +2.39.2 + diff --git a/queue-5.4/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch b/queue-5.4/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch new file mode 100644 index 00000000000..3faf7fc92b1 --- /dev/null +++ b/queue-5.4/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch @@ -0,0 +1,47 @@ +From dcbe7117f0e1afd5766b9340d5a6b27fc655acf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 16:38:54 +0200 +Subject: tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode(). + +From: Sebastian Andrzej Siewior + +[ Upstream commit 2951580ba6adb082bb6b7154a5ecb24e7c1f7569 ] + +The trace output for the HRTIMER_MODE_.*_HARD modes is seen as a number +since these modes are not decoded. The author was not aware of the fancy +decoding function which makes the life easier. + +Extend decode_hrtimer_mode() with the additional HRTIMER_MODE_.*_HARD +modes. + +Fixes: ae6683d815895 ("hrtimer: Introduce HARD expiry mode") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Reviewed-by: Mukesh Ojha +Acked-by: Steven Rostedt (Google) +Link: https://lore.kernel.org/r/20230418143854.8vHWQKLM@linutronix.de +Signed-off-by: Sasha Levin +--- + include/trace/events/timer.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h +index 295517f109d71..1b5371f0317af 100644 +--- a/include/trace/events/timer.h ++++ b/include/trace/events/timer.h +@@ -156,7 +156,11 @@ DEFINE_EVENT(timer_class, timer_cancel, + { HRTIMER_MODE_ABS_SOFT, "ABS|SOFT" }, \ + { HRTIMER_MODE_REL_SOFT, "REL|SOFT" }, \ + { HRTIMER_MODE_ABS_PINNED_SOFT, "ABS|PINNED|SOFT" }, \ +- { HRTIMER_MODE_REL_PINNED_SOFT, "REL|PINNED|SOFT" }) ++ { HRTIMER_MODE_REL_PINNED_SOFT, "REL|PINNED|SOFT" }, \ ++ { HRTIMER_MODE_ABS_HARD, "ABS|HARD" }, \ ++ { HRTIMER_MODE_REL_HARD, "REL|HARD" }, \ ++ { HRTIMER_MODE_ABS_PINNED_HARD, "ABS|PINNED|HARD" }, \ ++ { HRTIMER_MODE_REL_PINNED_HARD, "REL|PINNED|HARD" }) + + /** + * hrtimer_init - called when the hrtimer is initialized +-- +2.39.2 + diff --git a/queue-5.4/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch b/queue-5.4/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch new file mode 100644 index 00000000000..824280a8cbd --- /dev/null +++ b/queue-5.4/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch @@ -0,0 +1,89 @@ +From 4f82659bdc1c56f32ea954b80471985ae827e31a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 10:18:25 -0700 +Subject: watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on + correct config + +From: Douglas Anderson + +[ Upstream commit 5e008df11c55228a86a1bae692cc2002503572c9 ] + +Patch series "watchdog/hardlockup: Add the buddy hardlockup detector", v5. + +This patch series adds the "buddy" hardlockup detector. In brief, the +buddy hardlockup detector can detect hardlockups without arch-level +support by having CPUs checkup on a "buddy" CPU periodically. + +Given the new design of this patch series, testing all combinations is +fairly difficult. I've attempted to make sure that all combinations of +CONFIG_ options are good, but it wouldn't surprise me if I missed +something. I apologize in advance and I'll do my best to fix any +problems that are found. + +This patch (of 18): + +The real watchdog_update_hrtimer_threshold() is defined in +kernel/watchdog_hld.c. That file is included if +CONFIG_HARDLOCKUP_DETECTOR_PERF and the function is defined in that file +if CONFIG_HARDLOCKUP_CHECK_TIMESTAMP. + +The dummy version of the function in "nmi.h" didn't get that quite right. +While this doesn't appear to be a huge deal, it's nice to make it +consistent. + +It doesn't break builds because CHECK_TIMESTAMP is only defined by x86 so +others don't get a double definition, and x86 uses perf lockup detector, +so it gets the out of line version. + +Link: https://lkml.kernel.org/r/20230519101840.v5.18.Ia44852044cdcb074f387e80df6b45e892965d4a1@changeid +Link: https://lkml.kernel.org/r/20230519101840.v5.1.I8cbb2f4fa740528fcfade4f5439b6cdcdd059251@changeid +Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") +Signed-off-by: Douglas Anderson +Reviewed-by: Nicholas Piggin +Reviewed-by: Petr Mladek +Cc: Andi Kleen +Cc: Catalin Marinas +Cc: Chen-Yu Tsai +Cc: Christophe Leroy +Cc: Daniel Thompson +Cc: "David S. Miller" +Cc: Guenter Roeck +Cc: Ian Rogers +Cc: Lecopzer Chen +Cc: Marc Zyngier +Cc: Mark Rutland +Cc: Masayoshi Mizuma +Cc: Matthias Kaehlcke +Cc: Michael Ellerman +Cc: Pingfan Liu +Cc: Randy Dunlap +Cc: "Ravi V. Shankar" +Cc: Ricardo Neri +Cc: Stephane Eranian +Cc: Stephen Boyd +Cc: Sumit Garg +Cc: Tzung-Bi Shih +Cc: Will Deacon +Cc: Colin Cross +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/nmi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/nmi.h b/include/linux/nmi.h +index e972d1ae1ee63..6cb593d9ed08a 100644 +--- a/include/linux/nmi.h ++++ b/include/linux/nmi.h +@@ -197,7 +197,7 @@ u64 hw_nmi_get_sample_period(int watchdog_thresh); + #endif + + #if defined(CONFIG_HARDLOCKUP_CHECK_TIMESTAMP) && \ +- defined(CONFIG_HARDLOCKUP_DETECTOR) ++ defined(CONFIG_HARDLOCKUP_DETECTOR_PERF) + void watchdog_update_hrtimer_threshold(u64 period); + #else + static inline void watchdog_update_hrtimer_threshold(u64 period) { } +-- +2.39.2 + diff --git a/queue-5.4/watchdog-perf-more-properly-prevent-false-positives-.patch b/queue-5.4/watchdog-perf-more-properly-prevent-false-positives-.patch new file mode 100644 index 00000000000..e77bbab4a3e --- /dev/null +++ b/queue-5.4/watchdog-perf-more-properly-prevent-false-positives-.patch @@ -0,0 +1,84 @@ +From e2905033dff78f08fe660d4115a13ee9bacfe8b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 10:18:26 -0700 +Subject: watchdog/perf: more properly prevent false positives with turbo modes + +From: Douglas Anderson + +[ Upstream commit 4379e59fe5665cfda737e45b8bf2f05321ef049c ] + +Currently, in the watchdog_overflow_callback() we first check to see if +the watchdog had been touched and _then_ we handle the workaround for +turbo mode. This order should be reversed. + +Specifically, "touching" the hardlockup detector's watchdog should avoid +lockups being detected for one period that should be roughly the same +regardless of whether we're running turbo or not. That means that we +should do the extra accounting for turbo _before_ we look at (and clear) +the global indicating that we've been touched. + +NOTE: this fix is made based on code inspection. I am not aware of any +reports where the old code would have generated false positives. That +being said, this order seems more correct and also makes it easier down +the line to share code with the "buddy" hardlockup detector. + +Link: https://lkml.kernel.org/r/20230519101840.v5.2.I843b0d1de3e096ba111a179f3adb16d576bef5c7@changeid +Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") +Signed-off-by: Douglas Anderson +Cc: Andi Kleen +Cc: Catalin Marinas +Cc: Chen-Yu Tsai +Cc: Christophe Leroy +Cc: Colin Cross +Cc: Daniel Thompson +Cc: "David S. Miller" +Cc: Guenter Roeck +Cc: Ian Rogers +Cc: Lecopzer Chen +Cc: Marc Zyngier +Cc: Mark Rutland +Cc: Masayoshi Mizuma +Cc: Matthias Kaehlcke +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Petr Mladek +Cc: Pingfan Liu +Cc: Randy Dunlap +Cc: "Ravi V. Shankar" +Cc: Ricardo Neri +Cc: Stephane Eranian +Cc: Stephen Boyd +Cc: Sumit Garg +Cc: Tzung-Bi Shih +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/watchdog_hld.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/watchdog_hld.c b/kernel/watchdog_hld.c +index 247bf0b1582ca..1e8a49dc956e2 100644 +--- a/kernel/watchdog_hld.c ++++ b/kernel/watchdog_hld.c +@@ -114,14 +114,14 @@ static void watchdog_overflow_callback(struct perf_event *event, + /* Ensure the watchdog never gets throttled */ + event->hw.interrupts = 0; + ++ if (!watchdog_check_timestamp()) ++ return; ++ + if (__this_cpu_read(watchdog_nmi_touch) == true) { + __this_cpu_write(watchdog_nmi_touch, false); + return; + } + +- if (!watchdog_check_timestamp()) +- return; +- + /* check for a hardlockup + * This is done by making sure our timer interrupt + * is incrementing. The timer interrupt should have +-- +2.39.2 + diff --git a/queue-5.4/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch b/queue-5.4/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch new file mode 100644 index 00000000000..7238641bb26 --- /dev/null +++ b/queue-5.4/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch @@ -0,0 +1,58 @@ +From c85c822808eddcd72b92e6eaf3b44ce43fd81baf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 17:35:01 +0300 +Subject: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit f24292e827088bba8de7158501ac25a59b064953 ] + +For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid +uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should +validate pkt_len before accessing the SKB. + +For example, the obtained SKB may have been badly constructed with +pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr +but after being processed in ath9k_htc_rx_msg() and passed to +ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI +command header which should be located inside its data payload. + +Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit +memory can be referenced. + +Tested on Qualcomm Atheros Communications AR9271 802.11n . + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Reported-and-tested-by: syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230424183348.111355-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index deb22b8c2065f..ef861b19fd477 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -218,6 +218,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb, + if (unlikely(wmi->stopped)) + goto free_skb; + ++ /* Validate the obtained SKB. */ ++ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr))) ++ goto free_skb; ++ + hdr = (struct wmi_cmd_hdr *) skb->data; + cmd_id = be16_to_cpu(hdr->command_id); + +-- +2.39.2 + diff --git a/queue-5.4/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch b/queue-5.4/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch new file mode 100644 index 00000000000..de2d5c3ff59 --- /dev/null +++ b/queue-5.4/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch @@ -0,0 +1,51 @@ +From 7a4ec3cd48756c3a4c45c84747bce2b2d8d347b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 16:46:55 +0300 +Subject: wifi: ath9k: convert msecs to jiffies where needed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Antipov + +[ Upstream commit 2aa083acea9f61be3280184384551178f510ff51 ] + +Since 'ieee80211_queue_delayed_work()' expects timeout in +jiffies and not milliseconds, 'msecs_to_jiffies()' should +be used in 'ath_restart_work()' and '__ath9k_flush()'. + +Fixes: d63ffc45c5d3 ("ath9k: rename tx_complete_work to hw_check_work") +Signed-off-by: Dmitry Antipov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230613134655.248728-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c +index 4e606a4b19f2d..5968fcec11737 100644 +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -200,7 +200,7 @@ void ath_cancel_work(struct ath_softc *sc) + void ath_restart_work(struct ath_softc *sc) + { + ieee80211_queue_delayed_work(sc->hw, &sc->hw_check_work, +- ATH_HW_CHECK_POLL_INT); ++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT)); + + if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah)) + ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work, +@@ -2228,7 +2228,7 @@ void __ath9k_flush(struct ieee80211_hw *hw, u32 queues, bool drop, + } + + ieee80211_queue_delayed_work(hw, &sc->hw_check_work, +- ATH_HW_CHECK_POLL_INT); ++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT)); + } + + static bool ath9k_tx_frames_pending(struct ieee80211_hw *hw) +-- +2.39.2 + diff --git a/queue-5.4/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch b/queue-5.4/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch new file mode 100644 index 00000000000..d327d565ef2 --- /dev/null +++ b/queue-5.4/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch @@ -0,0 +1,54 @@ +From 5160d3edafaccfd69a7f737c6a937a832bbf2a36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 18:03:17 +0300 +Subject: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 061b0cb9327b80d7a0f63a33e7c3e2a91a71f142 ] + +A bad USB device is able to construct a service connection response +message with target endpoint being ENDPOINT0 which is reserved for +HTC_CTRL_RSVD_SVC and should not be modified to be used for any other +services. + +Reject such service connection responses. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230516150427.79469-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index fe62ff668f757..99667aba289df 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -114,7 +114,13 @@ static void htc_process_conn_rsp(struct htc_target *target, + + if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) { + epid = svc_rspmsg->endpoint_id; +- if (epid < 0 || epid >= ENDPOINT_MAX) ++ ++ /* Check that the received epid for the endpoint to attach ++ * a new service is valid. ENDPOINT0 can't be used here as it ++ * is already reserved for HTC_CTRL_RSVD_SVC service and thus ++ * should not be modified. ++ */ ++ if (epid <= ENDPOINT0 || epid >= ENDPOINT_MAX) + return; + + service_id = be16_to_cpu(svc_rspmsg->service_id); +-- +2.39.2 + diff --git a/queue-5.4/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch b/queue-5.4/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch new file mode 100644 index 00000000000..0756ed454f5 --- /dev/null +++ b/queue-5.4/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch @@ -0,0 +1,95 @@ +From ac13d161aec4344df878948dd0a7edd2ebd65d67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 17:35:00 +0300 +Subject: wifi: ath9k: fix AR9003 mac hardware hang check register offset + calculation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Seiderer + +[ Upstream commit 3e56c80931c7615250fe4bf83f93b57881969266 ] + +Fix ath9k_hw_verify_hang()/ar9003_hw_detect_mac_hang() register offset +calculation (do not overflow the shift for the second register/queues +above five, use the register layout described in the comments above +ath9k_hw_verify_hang() instead). + +Fixes: 222e04830ff0 ("ath9k: Fix MAC HW hang check for AR9003") + +Reported-by: Gregg Wonderly +Link: https://lore.kernel.org/linux-wireless/E3A9C354-0CB7-420C-ADEF-F0177FB722F4@seqtechllc.com/ +Signed-off-by: Peter Seiderer +Acked-by: Toke Høiland-Jørgensen +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230422212423.26065-1-ps.report@gmx.net +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/ar9003_hw.c | 27 ++++++++++++++-------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/ar9003_hw.c b/drivers/net/wireless/ath/ath9k/ar9003_hw.c +index 2fe12b0de5b4f..dea8a998fb622 100644 +--- a/drivers/net/wireless/ath/ath9k/ar9003_hw.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_hw.c +@@ -1099,17 +1099,22 @@ static bool ath9k_hw_verify_hang(struct ath_hw *ah, unsigned int queue) + { + u32 dma_dbg_chain, dma_dbg_complete; + u8 dcu_chain_state, dcu_complete_state; ++ unsigned int dbg_reg, reg_offset; + int i; + +- for (i = 0; i < NUM_STATUS_READS; i++) { +- if (queue < 6) +- dma_dbg_chain = REG_READ(ah, AR_DMADBG_4); +- else +- dma_dbg_chain = REG_READ(ah, AR_DMADBG_5); ++ if (queue < 6) { ++ dbg_reg = AR_DMADBG_4; ++ reg_offset = queue * 5; ++ } else { ++ dbg_reg = AR_DMADBG_5; ++ reg_offset = (queue - 6) * 5; ++ } + ++ for (i = 0; i < NUM_STATUS_READS; i++) { ++ dma_dbg_chain = REG_READ(ah, dbg_reg); + dma_dbg_complete = REG_READ(ah, AR_DMADBG_6); + +- dcu_chain_state = (dma_dbg_chain >> (5 * queue)) & 0x1f; ++ dcu_chain_state = (dma_dbg_chain >> reg_offset) & 0x1f; + dcu_complete_state = dma_dbg_complete & 0x3; + + if ((dcu_chain_state != 0x6) || (dcu_complete_state != 0x1)) +@@ -1128,6 +1133,7 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah) + u8 dcu_chain_state, dcu_complete_state; + bool dcu_wait_frdone = false; + unsigned long chk_dcu = 0; ++ unsigned int reg_offset; + unsigned int i = 0; + + dma_dbg_4 = REG_READ(ah, AR_DMADBG_4); +@@ -1139,12 +1145,15 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah) + goto exit; + + for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) { +- if (i < 6) ++ if (i < 6) { + chk_dbg = dma_dbg_4; +- else ++ reg_offset = i * 5; ++ } else { + chk_dbg = dma_dbg_5; ++ reg_offset = (i - 6) * 5; ++ } + +- dcu_chain_state = (chk_dbg >> (5 * i)) & 0x1f; ++ dcu_chain_state = (chk_dbg >> reg_offset) & 0x1f; + if (dcu_chain_state == 0x6) { + dcu_wait_frdone = true; + chk_dcu |= BIT(i); +-- +2.39.2 + diff --git a/queue-5.4/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch b/queue-5.4/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch new file mode 100644 index 00000000000..6f8e781b335 --- /dev/null +++ b/queue-5.4/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch @@ -0,0 +1,111 @@ +From 5d57e9c45741a6ae31def7e692e434e493f9bdff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jun 2023 11:37:44 +0200 +Subject: wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Remi Pommarel + +[ Upstream commit 75086cc6dee046e3fbb3dba148b376d8802f83bc ] + +On EDMA capable hardware, ath9k_txq_list_has_key() can enter infinite +loop if it is called while all txq_fifos have packets that use different +key that the one we are looking for. Fix it by exiting the loop if all +txq_fifos have been checked already. + +Because this loop is called under spin_lock_bh() (see ath_txq_lock) it +causes the following rcu stall: + +rcu: INFO: rcu_sched self-detected stall on CPU +ath10k_pci 0000:01:00.0: failed to read temperature -11 +rcu: 1-....: (5254 ticks this GP) idle=189/1/0x4000000000000002 softirq=8442983/8442984 fqs=2579 + (t=5257 jiffies g=17983297 q=334) +Task dump for CPU 1: +task:hostapd state:R running task stack: 0 pid: 297 ppid: 289 flags:0x0000000a +Call trace: + dump_backtrace+0x0/0x170 + show_stack+0x1c/0x24 + sched_show_task+0x140/0x170 + dump_cpu_task+0x48/0x54 + rcu_dump_cpu_stacks+0xf0/0x134 + rcu_sched_clock_irq+0x8d8/0x9fc + update_process_times+0xa0/0xec + tick_sched_timer+0x5c/0xd0 + __hrtimer_run_queues+0x154/0x320 + hrtimer_interrupt+0x120/0x2f0 + arch_timer_handler_virt+0x38/0x44 + handle_percpu_devid_irq+0x9c/0x1e0 + handle_domain_irq+0x64/0x90 + gic_handle_irq+0x78/0xb0 + call_on_irq_stack+0x28/0x38 + do_interrupt_handler+0x54/0x5c + el1_interrupt+0x2c/0x4c + el1h_64_irq_handler+0x14/0x1c + el1h_64_irq+0x74/0x78 + ath9k_txq_has_key+0x1bc/0x250 [ath9k] + ath9k_set_key+0x1cc/0x3dc [ath9k] + drv_set_key+0x78/0x170 + ieee80211_key_replace+0x564/0x6cc + ieee80211_key_link+0x174/0x220 + ieee80211_add_key+0x11c/0x300 + nl80211_new_key+0x12c/0x330 + genl_family_rcv_msg_doit+0xbc/0x11c + genl_rcv_msg+0xd8/0x1c4 + netlink_rcv_skb+0x40/0x100 + genl_rcv+0x3c/0x50 + netlink_unicast+0x1ec/0x2c0 + netlink_sendmsg+0x198/0x3c0 + ____sys_sendmsg+0x210/0x250 + ___sys_sendmsg+0x78/0xc4 + __sys_sendmsg+0x4c/0x90 + __arm64_sys_sendmsg+0x28/0x30 + invoke_syscall.constprop.0+0x60/0x100 + do_el0_svc+0x48/0xd0 + el0_svc+0x14/0x50 + el0t_64_sync_handler+0xa8/0xb0 + el0t_64_sync+0x158/0x15c + +This rcu stall is hard to reproduce as is, but changing ATH_TXFIFO_DEPTH +from 8 to 2 makes it reasonably easy to reproduce. + +Fixes: ca2848022c12 ("ath9k: Postpone key cache entry deletion for TXQ frames reference it") +Signed-off-by: Remi Pommarel +Tested-by: Nicolas Escande +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230609093744.1985-1-repk@triplefau.lt +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c +index eb5751a45f266..4e606a4b19f2d 100644 +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -847,7 +847,7 @@ static bool ath9k_txq_list_has_key(struct list_head *txq_list, u32 keyix) + static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix) + { + struct ath_hw *ah = sc->sc_ah; +- int i; ++ int i, j; + struct ath_txq *txq; + bool key_in_use = false; + +@@ -865,8 +865,9 @@ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix) + if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) { + int idx = txq->txq_tailidx; + +- while (!key_in_use && +- !list_empty(&txq->txq_fifo[idx])) { ++ for (j = 0; !key_in_use && ++ !list_empty(&txq->txq_fifo[idx]) && ++ j < ATH_TXFIFO_DEPTH; j++) { + key_in_use = ath9k_txq_list_has_key( + &txq->txq_fifo[idx], keyix); + INCR(idx, ATH_TXFIFO_DEPTH); +-- +2.39.2 + diff --git a/queue-5.4/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch b/queue-5.4/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch new file mode 100644 index 00000000000..1a4799b317f --- /dev/null +++ b/queue-5.4/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch @@ -0,0 +1,59 @@ +From 41583092311a31bbcc90465936756f233013064d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:53:14 +0200 +Subject: wifi: atmel: Fix an error handling path in atmel_probe() + +From: Christophe JAILLET + +[ Upstream commit 6b92e4351a29af52c285fe235e6e4d1a75de04b2 ] + +Should atmel_config() fail, some resources need to be released as already +done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +atmel_probe(), not atmel_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1e65f174607a83348034197fa7d603bab10ba4a9.1684569156.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/atmel/atmel_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/atmel/atmel_cs.c b/drivers/net/wireless/atmel/atmel_cs.c +index 7afc9c5329fb1..f5fa1a95b0c15 100644 +--- a/drivers/net/wireless/atmel/atmel_cs.c ++++ b/drivers/net/wireless/atmel/atmel_cs.c +@@ -73,6 +73,7 @@ struct local_info { + static int atmel_probe(struct pcmcia_device *p_dev) + { + struct local_info *local; ++ int ret; + + dev_dbg(&p_dev->dev, "atmel_attach()\n"); + +@@ -83,8 +84,16 @@ static int atmel_probe(struct pcmcia_device *p_dev) + + p_dev->priv = local; + +- return atmel_config(p_dev); +-} /* atmel_attach */ ++ ret = atmel_config(p_dev); ++ if (ret) ++ goto err_free_priv; ++ ++ return 0; ++ ++err_free_priv: ++ kfree(p_dev->priv); ++ return ret; ++} + + static void atmel_detach(struct pcmcia_device *link) + { +-- +2.39.2 + diff --git a/queue-5.4/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch b/queue-5.4/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch new file mode 100644 index 00000000000..8f6856119a4 --- /dev/null +++ b/queue-5.4/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch @@ -0,0 +1,290 @@ +From a425af437544a834e787a98d16a6d4c9f473d0d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 09:54:03 +0300 +Subject: wifi: cfg80211: rewrite merging of inherited elements + +From: Benjamin Berg + +[ Upstream commit dfd9aa3e7a456d57b18021d66472ab7ff8373ab7 ] + +The cfg80211_gen_new_ie function merges the IEs using inheritance rules. +Rewrite this function to fix issues around inheritance rules. In +particular, vendor elements do not require any special handling, as they +are either all inherited or overridden by the subprofile. +Also, add fragmentation handling as this may be needed in some cases. + +This also changes the function to not require making a copy. The new +version could be optimized a bit by explicitly tracking which IEs have +been handled already rather than looking that up again every time. + +Note that a small behavioural change is the removal of the SSID special +handling. This should be fine for the MBSSID element, as the SSID must +be included in the subelement. + +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Signed-off-by: Benjamin Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230616094949.bc6152e146db.I2b5f3bc45085e1901e5b5192a674436adaf94748@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 213 ++++++++++++++++++++++++++------------------ + 1 file changed, 124 insertions(+), 89 deletions(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index c4c124cb5332b..e35c54ba2fd56 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -223,117 +223,152 @@ bool cfg80211_is_element_inherited(const struct element *elem, + } + EXPORT_SYMBOL(cfg80211_is_element_inherited); + +-static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, +- const u8 *subelement, size_t subie_len, +- u8 *new_ie, gfp_t gfp) ++static size_t cfg80211_copy_elem_with_frags(const struct element *elem, ++ const u8 *ie, size_t ie_len, ++ u8 **pos, u8 *buf, size_t buf_len) + { +- u8 *pos, *tmp; +- const u8 *tmp_old, *tmp_new; +- const struct element *non_inherit_elem; +- u8 *sub_copy; ++ if (WARN_ON((u8 *)elem < ie || elem->data > ie + ie_len || ++ elem->data + elem->datalen > ie + ie_len)) ++ return 0; + +- /* copy subelement as we need to change its content to +- * mark an ie after it is processed. +- */ +- sub_copy = kmemdup(subelement, subie_len, gfp); +- if (!sub_copy) ++ if (elem->datalen + 2 > buf + buf_len - *pos) + return 0; + +- pos = &new_ie[0]; ++ memcpy(*pos, elem, elem->datalen + 2); ++ *pos += elem->datalen + 2; + +- /* set new ssid */ +- tmp_new = cfg80211_find_ie(WLAN_EID_SSID, sub_copy, subie_len); +- if (tmp_new) { +- memcpy(pos, tmp_new, tmp_new[1] + 2); +- pos += (tmp_new[1] + 2); ++ /* Finish if it is not fragmented */ ++ if (elem->datalen != 255) ++ return *pos - buf; ++ ++ ie_len = ie + ie_len - elem->data - elem->datalen; ++ ie = (const u8 *)elem->data + elem->datalen; ++ ++ for_each_element(elem, ie, ie_len) { ++ if (elem->id != WLAN_EID_FRAGMENT) ++ break; ++ ++ if (elem->datalen + 2 > buf + buf_len - *pos) ++ return 0; ++ ++ memcpy(*pos, elem, elem->datalen + 2); ++ *pos += elem->datalen + 2; ++ ++ if (elem->datalen != 255) ++ break; + } + +- /* get non inheritance list if exists */ +- non_inherit_elem = +- cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, +- sub_copy, subie_len); ++ return *pos - buf; ++} + +- /* go through IEs in ie (skip SSID) and subelement, +- * merge them into new_ie ++static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, ++ const u8 *subie, size_t subie_len, ++ u8 *new_ie, size_t new_ie_len) ++{ ++ const struct element *non_inherit_elem, *parent, *sub; ++ u8 *pos = new_ie; ++ u8 id, ext_id; ++ unsigned int match_len; ++ ++ non_inherit_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, ++ subie, subie_len); ++ ++ /* We copy the elements one by one from the parent to the generated ++ * elements. ++ * If they are not inherited (included in subie or in the non ++ * inheritance element), then we copy all occurrences the first time ++ * we see this element type. + */ +- tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); +- tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie; +- +- while (tmp_old + 2 - ie <= ielen && +- tmp_old + tmp_old[1] + 2 - ie <= ielen) { +- if (tmp_old[0] == 0) { +- tmp_old++; ++ for_each_element(parent, ie, ielen) { ++ if (parent->id == WLAN_EID_FRAGMENT) + continue; ++ ++ if (parent->id == WLAN_EID_EXTENSION) { ++ if (parent->datalen < 1) ++ continue; ++ ++ id = WLAN_EID_EXTENSION; ++ ext_id = parent->data[0]; ++ match_len = 1; ++ } else { ++ id = parent->id; ++ match_len = 0; + } + +- if (tmp_old[0] == WLAN_EID_EXTENSION) +- tmp = (u8 *)cfg80211_find_ext_ie(tmp_old[2], sub_copy, +- subie_len); +- else +- tmp = (u8 *)cfg80211_find_ie(tmp_old[0], sub_copy, +- subie_len); ++ /* Find first occurrence in subie */ ++ sub = cfg80211_find_elem_match(id, subie, subie_len, ++ &ext_id, match_len, 0); + +- if (!tmp) { +- const struct element *old_elem = (void *)tmp_old; ++ /* Copy from parent if not in subie and inherited */ ++ if (!sub && ++ cfg80211_is_element_inherited(parent, non_inherit_elem)) { ++ if (!cfg80211_copy_elem_with_frags(parent, ++ ie, ielen, ++ &pos, new_ie, ++ new_ie_len)) ++ return 0; + +- /* ie in old ie but not in subelement */ +- if (cfg80211_is_element_inherited(old_elem, +- non_inherit_elem)) { +- memcpy(pos, tmp_old, tmp_old[1] + 2); +- pos += tmp_old[1] + 2; +- } +- } else { +- /* ie in transmitting ie also in subelement, +- * copy from subelement and flag the ie in subelement +- * as copied (by setting eid field to WLAN_EID_SSID, +- * which is skipped anyway). +- * For vendor ie, compare OUI + type + subType to +- * determine if they are the same ie. +- */ +- if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) { +- if (tmp_old[1] >= 5 && tmp[1] >= 5 && +- !memcmp(tmp_old + 2, tmp + 2, 5)) { +- /* same vendor ie, copy from +- * subelement +- */ +- memcpy(pos, tmp, tmp[1] + 2); +- pos += tmp[1] + 2; +- tmp[0] = WLAN_EID_SSID; +- } else { +- memcpy(pos, tmp_old, tmp_old[1] + 2); +- pos += tmp_old[1] + 2; +- } +- } else { +- /* copy ie from subelement into new ie */ +- memcpy(pos, tmp, tmp[1] + 2); +- pos += tmp[1] + 2; +- tmp[0] = WLAN_EID_SSID; +- } ++ continue; + } + +- if (tmp_old + tmp_old[1] + 2 - ie == ielen) +- break; ++ /* Already copied if an earlier element had the same type */ ++ if (cfg80211_find_elem_match(id, ie, (u8 *)parent - ie, ++ &ext_id, match_len, 0)) ++ continue; + +- tmp_old += tmp_old[1] + 2; ++ /* Not inheriting, copy all similar elements from subie */ ++ while (sub) { ++ if (!cfg80211_copy_elem_with_frags(sub, ++ subie, subie_len, ++ &pos, new_ie, ++ new_ie_len)) ++ return 0; ++ ++ sub = cfg80211_find_elem_match(id, ++ sub->data + sub->datalen, ++ subie_len + subie - ++ (sub->data + ++ sub->datalen), ++ &ext_id, match_len, 0); ++ } + } + +- /* go through subelement again to check if there is any ie not +- * copied to new ie, skip ssid, capability, bssid-index ie ++ /* The above misses elements that are included in subie but not in the ++ * parent, so do a pass over subie and append those. ++ * Skip the non-tx BSSID caps and non-inheritance element. + */ +- tmp_new = sub_copy; +- while (tmp_new + 2 - sub_copy <= subie_len && +- tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { +- if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || +- tmp_new[0] == WLAN_EID_SSID)) { +- memcpy(pos, tmp_new, tmp_new[1] + 2); +- pos += tmp_new[1] + 2; ++ for_each_element(sub, subie, subie_len) { ++ if (sub->id == WLAN_EID_NON_TX_BSSID_CAP) ++ continue; ++ ++ if (sub->id == WLAN_EID_FRAGMENT) ++ continue; ++ ++ if (sub->id == WLAN_EID_EXTENSION) { ++ if (sub->datalen < 1) ++ continue; ++ ++ id = WLAN_EID_EXTENSION; ++ ext_id = sub->data[0]; ++ match_len = 1; ++ ++ if (ext_id == WLAN_EID_EXT_NON_INHERITANCE) ++ continue; ++ } else { ++ id = sub->id; ++ match_len = 0; + } +- if (tmp_new + tmp_new[1] + 2 - sub_copy == subie_len) +- break; +- tmp_new += tmp_new[1] + 2; ++ ++ /* Processed if one was included in the parent */ ++ if (cfg80211_find_elem_match(id, ie, ielen, ++ &ext_id, match_len, 0)) ++ continue; ++ ++ if (!cfg80211_copy_elem_with_frags(sub, subie, subie_len, ++ &pos, new_ie, new_ie_len)) ++ return 0; + } + +- kfree(sub_copy); + return pos - new_ie; + } + +@@ -1659,7 +1694,7 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy, + new_ie_len = cfg80211_gen_new_ie(ie, ielen, + profile, + profile_len, new_ie, +- gfp); ++ IEEE80211_MAX_DATA_LEN); + if (!new_ie_len) + continue; + +-- +2.39.2 + diff --git a/queue-5.4/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch b/queue-5.4/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch new file mode 100644 index 00000000000..45855f05071 --- /dev/null +++ b/queue-5.4/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch @@ -0,0 +1,47 @@ +From ad0c4ac8adf759d2f50c28ae3a1e881c1d5d6a35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 12:41:22 +0300 +Subject: wifi: iwlwifi: pull from TXQs with softirqs disabled + +From: Johannes Berg + +[ Upstream commit 96fb6f47db24a712d650b0a9b9074873f273fb0e ] + +In mac80211, it's required that we pull from TXQs by calling +ieee80211_tx_dequeue() only with softirqs disabled. However, +in iwl_mvm_queue_state_change() we're often called with them +enabled, e.g. from flush if anything was flushed, triggering +a mac80211 warning. + +Fix that by disabling the softirqs across the TX call. + +Fixes: cfbc6c4c5b91 ("iwlwifi: mvm: support mac80211 TXQs model") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230614123446.0feef7fa81db.I4dd62542d955b40dd8f0af34fa4accb9d0d17c7e@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +index 5973eecbc0378..18c5975d7c037 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +@@ -1167,8 +1167,11 @@ static void iwl_mvm_queue_state_change(struct iwl_op_mode *op_mode, + mvmtxq = iwl_mvm_txq_from_mac80211(txq); + mvmtxq->stopped = !start; + +- if (start && mvmsta->sta_state != IEEE80211_STA_NOTEXIST) ++ if (start && mvmsta->sta_state != IEEE80211_STA_NOTEXIST) { ++ local_bh_disable(); + iwl_mvm_mac_itxq_xmit(mvm->hw, txq); ++ local_bh_enable(); ++ } + } + + out: +-- +2.39.2 + diff --git a/queue-5.4/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch b/queue-5.4/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch new file mode 100644 index 00000000000..3b73b3017ce --- /dev/null +++ b/queue-5.4/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch @@ -0,0 +1,48 @@ +From 1085d36afdf3f8cf7e74b83e56c317c600b0b3ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 May 2023 15:53:15 +0200 +Subject: wifi: mwifiex: Fix the size of a memory allocation in + mwifiex_ret_802_11_scan() + +From: Christophe JAILLET + +[ Upstream commit d9aef04fcfa81ee4fb2804a21a3712b7bbd936af ] + +The type of "mwifiex_adapter->nd_info" is "struct cfg80211_wowlan_nd_info", +not "struct cfg80211_wowlan_nd_match". + +Use struct_size() to ease the computation of the needed size. + +The current code over-allocates some memory, so is safe. +But it wastes 32 bytes. + +Fixes: 7d7f07d8c5d3 ("mwifiex: add wowlan net-detect support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7a6074fb056d2181e058a3cc6048d8155c20aec7.1683371982.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/scan.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index 629af26675cf1..1ab04adc53dcd 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -2202,9 +2202,9 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv, + + if (nd_config) { + adapter->nd_info = +- kzalloc(sizeof(struct cfg80211_wowlan_nd_match) + +- sizeof(struct cfg80211_wowlan_nd_match *) * +- scan_rsp->number_of_sets, GFP_ATOMIC); ++ kzalloc(struct_size(adapter->nd_info, matches, ++ scan_rsp->number_of_sets), ++ GFP_ATOMIC); + + if (adapter->nd_info) + adapter->nd_info->n_matches = scan_rsp->number_of_sets; +-- +2.39.2 + diff --git a/queue-5.4/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch b/queue-5.4/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch new file mode 100644 index 00000000000..e3d05a9c99f --- /dev/null +++ b/queue-5.4/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch @@ -0,0 +1,58 @@ +From a82b964dc29e02673beba88eb3f3fac5fe8b3372 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:38:22 +0200 +Subject: wifi: orinoco: Fix an error handling path in orinoco_cs_probe() + +From: Christophe JAILLET + +[ Upstream commit 67a81d911c01225f426cc6bee2373df044c1a9b7 ] + +Should orinoco_cs_config() fail, some resources need to be released as +already done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +orinoco_cs_probe(), not orinoco_cs_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/e24735ce4d82901d5f7ea08419eea53bfdde3d65.1684568286.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/orinoco_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c +index a956f965a1e5e..03bfd2482656c 100644 +--- a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c ++++ b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c +@@ -96,6 +96,7 @@ orinoco_cs_probe(struct pcmcia_device *link) + { + struct orinoco_private *priv; + struct orinoco_pccard *card; ++ int ret; + + priv = alloc_orinocodev(sizeof(*card), &link->dev, + orinoco_cs_hard_reset, NULL); +@@ -107,8 +108,16 @@ orinoco_cs_probe(struct pcmcia_device *link) + card->p_dev = link; + link->priv = priv; + +- return orinoco_cs_config(link); +-} /* orinoco_cs_attach */ ++ ret = orinoco_cs_config(link); ++ if (ret) ++ goto err_free_orinocodev; ++ ++ return 0; ++ ++err_free_orinocodev: ++ free_orinocodev(priv); ++ return ret; ++} + + static void orinoco_cs_detach(struct pcmcia_device *link) + { +-- +2.39.2 + diff --git a/queue-5.4/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch b/queue-5.4/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch new file mode 100644 index 00000000000..89c54373fa3 --- /dev/null +++ b/queue-5.4/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch @@ -0,0 +1,59 @@ +From a6a54d691126bd157751bdc6406d43f6dc884f66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:29:46 +0200 +Subject: wifi: orinoco: Fix an error handling path in spectrum_cs_probe() + +From: Christophe JAILLET + +[ Upstream commit 925244325159824385209e3e0e3f91fa6bf0646c ] + +Should spectrum_cs_config() fail, some resources need to be released as +already done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +spectrum_cs_probe(), not spectrum_cs_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/c0bc0c21c58ca477fc5521607615bafbf2aef8eb.1684567733.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/spectrum_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c +index b60048c95e0a8..011c86e55923e 100644 +--- a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c ++++ b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c +@@ -157,6 +157,7 @@ spectrum_cs_probe(struct pcmcia_device *link) + { + struct orinoco_private *priv; + struct orinoco_pccard *card; ++ int ret; + + priv = alloc_orinocodev(sizeof(*card), &link->dev, + spectrum_cs_hard_reset, +@@ -169,8 +170,16 @@ spectrum_cs_probe(struct pcmcia_device *link) + card->p_dev = link; + link->priv = priv; + +- return spectrum_cs_config(link); +-} /* spectrum_cs_attach */ ++ ret = spectrum_cs_config(link); ++ if (ret) ++ goto err_free_orinocodev; ++ ++ return 0; ++ ++err_free_orinocodev: ++ free_orinocodev(priv); ++ return ret; ++} + + static void spectrum_cs_detach(struct pcmcia_device *link) + { +-- +2.39.2 + diff --git a/queue-5.4/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch b/queue-5.4/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch new file mode 100644 index 00000000000..9d5d25b4ffd --- /dev/null +++ b/queue-5.4/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch @@ -0,0 +1,53 @@ +From e5f704120e9c7703b284cdd5aba6b59e33ee59e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 19:44:14 +0300 +Subject: wifi: ray_cs: Drop useless status variable in parse_addr() + +From: Andy Shevchenko + +[ Upstream commit 4dfc63c002a555a2c3c34d89009532ad803be876 ] + +The status variable assigned only once and used also only once. +Replace it's usage by actual value. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220603164414.48436-2-andriy.shevchenko@linux.intel.com +Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index 29dd303a7beae..be2d599536cd5 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -1643,7 +1643,6 @@ static int parse_addr(char *in_str, UCHAR *out) + { + int i, k; + int len; +- int status; + + if (in_str == NULL) + return 0; +@@ -1652,7 +1651,6 @@ static int parse_addr(char *in_str, UCHAR *out) + return 0; + memset(out, 0, ADDRLEN); + +- status = 1; + i = 5; + + while (len > 0) { +@@ -1670,7 +1668,7 @@ static int parse_addr(char *in_str, UCHAR *out) + if (!i--) + break; + } +- return status; ++ return 1; + } + + /*===========================================================================*/ +-- +2.39.2 + diff --git a/queue-5.4/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch b/queue-5.4/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch new file mode 100644 index 00000000000..0429aaa9f04 --- /dev/null +++ b/queue-5.4/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch @@ -0,0 +1,69 @@ +From 65be62ae0f66659dce4b99ad44de5557f5859187 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 10:13:22 +0200 +Subject: wifi: ray_cs: Fix an error handling path in ray_probe() + +From: Christophe JAILLET + +[ Upstream commit 4f8d66a9fb2edcd05c1e563456a55a08910bfb37 ] + +Should ray_config() fail, some resources need to be released as already +done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +ray_probe(), not ray_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/8c544d18084f8b37dd108e844f7e79e85ff708ff.1684570373.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index be2d599536cd5..d9c1ac5cb5626 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -270,13 +270,14 @@ static int ray_probe(struct pcmcia_device *p_dev) + { + ray_dev_t *local; + struct net_device *dev; ++ int ret; + + dev_dbg(&p_dev->dev, "ray_attach()\n"); + + /* Allocate space for private device-specific data */ + dev = alloc_etherdev(sizeof(ray_dev_t)); + if (!dev) +- goto fail_alloc_dev; ++ return -ENOMEM; + + local = netdev_priv(dev); + local->finder = p_dev; +@@ -313,11 +314,16 @@ static int ray_probe(struct pcmcia_device *p_dev) + timer_setup(&local->timer, NULL, 0); + + this_device = p_dev; +- return ray_config(p_dev); ++ ret = ray_config(p_dev); ++ if (ret) ++ goto err_free_dev; ++ ++ return 0; + +-fail_alloc_dev: +- return -ENOMEM; +-} /* ray_attach */ ++err_free_dev: ++ free_netdev(dev); ++ return ret; ++} + + static void ray_detach(struct pcmcia_device *link) + { +-- +2.39.2 + diff --git a/queue-5.4/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch b/queue-5.4/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch new file mode 100644 index 00000000000..caf89aa20d5 --- /dev/null +++ b/queue-5.4/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch @@ -0,0 +1,67 @@ +From c404c684d64e7ee50c7ab10cc256f416600336ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 19:44:13 +0300 +Subject: wifi: ray_cs: Utilize strnlen() in parse_addr() + +From: Andy Shevchenko + +[ Upstream commit 9e8e9187673cb24324f9165dd47b2b28f60b0b10 ] + +Instead of doing simple operations and using an additional variable on stack, +utilize strnlen() and reuse len variable. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220603164414.48436-1-andriy.shevchenko@linux.intel.com +Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index 3836d6ac53049..29dd303a7beae 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -1641,31 +1641,29 @@ static void authenticate_timeout(struct timer_list *t) + /*===========================================================================*/ + static int parse_addr(char *in_str, UCHAR *out) + { ++ int i, k; + int len; +- int i, j, k; + int status; + + if (in_str == NULL) + return 0; +- if ((len = strlen(in_str)) < 2) ++ len = strnlen(in_str, ADDRLEN * 2 + 1) - 1; ++ if (len < 1) + return 0; + memset(out, 0, ADDRLEN); + + status = 1; +- j = len - 1; +- if (j > 12) +- j = 12; + i = 5; + +- while (j > 0) { +- if ((k = hex_to_bin(in_str[j--])) != -1) ++ while (len > 0) { ++ if ((k = hex_to_bin(in_str[len--])) != -1) + out[i] = k; + else + return 0; + +- if (j == 0) ++ if (len == 0) + break; +- if ((k = hex_to_bin(in_str[j--])) != -1) ++ if ((k = hex_to_bin(in_str[len--])) != -1) + out[i] += k << 4; + else + return 0; +-- +2.39.2 + diff --git a/queue-5.4/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch b/queue-5.4/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch new file mode 100644 index 00000000000..0f5992cfe7a --- /dev/null +++ b/queue-5.4/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch @@ -0,0 +1,41 @@ +From 7f54909fa4d4f617280082714baa5f5e1d8eb7f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 May 2023 00:28:59 +0200 +Subject: wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown + +From: Marek Vasut + +[ Upstream commit e74f562328b03fbe9cf438f958464dff3a644dfc ] + +It makes no sense to set MMC_PM_KEEP_POWER in shutdown. The flag +indicates to the MMC subsystem to keep the slot powered on during +suspend, but in shutdown the slot should actually be powered off. +Drop this call. + +Fixes: 063848c3e155 ("rsi: sdio: Add WOWLAN support for S5 shutdown state") +Signed-off-by: Marek Vasut +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230527222859.273768-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_sdio.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c +index 4fe837090cdae..22b0567ad8261 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c ++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c +@@ -1479,9 +1479,6 @@ static void rsi_shutdown(struct device *dev) + if (sdev->write_fail) + rsi_dbg(INFO_ZONE, "###### Device is not ready #######\n"); + +- if (rsi_set_sdio_pm_caps(adapter)) +- rsi_dbg(INFO_ZONE, "Setting power management caps failed\n"); +- + rsi_dbg(INFO_ZONE, "***** RSI module shut down *****\n"); + } + +-- +2.39.2 + diff --git a/queue-5.4/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch b/queue-5.4/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch new file mode 100644 index 00000000000..5b5193437cb --- /dev/null +++ b/queue-5.4/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch @@ -0,0 +1,66 @@ +From 27ed8f9cf820b41bbf02b9d9948fd443406b59b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 10:05:08 +0200 +Subject: wifi: wl3501_cs: Fix an error handling path in wl3501_probe() + +From: Christophe JAILLET + +[ Upstream commit 391af06a02e7642039ac5f6c4b2c034ab0992b5d ] + +Should wl3501_config() fail, some resources need to be released as already +done in the remove function. + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7cc9c9316489b7d69b36aeb0edd3123538500b41.1684569865.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index ae660f25a0e5a..e6505624f0c28 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1862,6 +1862,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + { + struct net_device *dev; + struct wl3501_card *this; ++ int ret; + + /* The io structure describes IO port mapping */ + p_dev->resource[0]->end = 16; +@@ -1873,8 +1874,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + + dev = alloc_etherdev(sizeof(struct wl3501_card)); + if (!dev) +- goto out_link; +- ++ return -ENOMEM; + + dev->netdev_ops = &wl3501_netdev_ops; + dev->watchdog_timeo = 5 * HZ; +@@ -1887,9 +1887,15 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + netif_stop_queue(dev); + p_dev->priv = dev; + +- return wl3501_config(p_dev); +-out_link: +- return -ENOMEM; ++ ret = wl3501_config(p_dev); ++ if (ret) ++ goto out_free_etherdev; ++ ++ return 0; ++ ++out_free_etherdev: ++ free_netdev(dev); ++ return ret; + } + + static int wl3501_config(struct pcmcia_device *link) +-- +2.39.2 + diff --git a/queue-5.4/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch b/queue-5.4/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch new file mode 100644 index 00000000000..37d30d2a967 --- /dev/null +++ b/queue-5.4/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch @@ -0,0 +1,143 @@ +From 4df70183be4ba1ea9facec6034f736cafe92768c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 10:33:51 +0100 +Subject: wl3501_cs: Fix a bunch of formatting issues related to function docs + +From: Lee Jones + +[ Upstream commit 2307d0bc9d8b60299f255d1771ce0d997162a957 ] + +Fixes the following W=1 kernel build warning(s): + + In file included from drivers/net/wireless/wl3501_cs.c:57: + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'channel' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:162: warning: Function parameter or member 'reg_domain' not described in 'iw_default_channel' + drivers/net/wireless/wl3501_cs.c:248: warning: Function parameter or member 'this' not described in 'wl3501_set_to_wla' + drivers/net/wireless/wl3501_cs.c:270: warning: Function parameter or member 'this' not described in 'wl3501_get_from_wla' + drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'this' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:729: warning: Function parameter or member 'this' not described in 'wl3501_block_interrupt' + drivers/net/wireless/wl3501_cs.c:746: warning: Function parameter or member 'this' not described in 'wl3501_unblock_interrupt' + drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'irq' not described in 'wl3501_interrupt' + drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'dev_id' not described in 'wl3501_interrupt' + drivers/net/wireless/wl3501_cs.c:1257: warning: Function parameter or member 'dev' not described in 'wl3501_reset' + drivers/net/wireless/wl3501_cs.c:1420: warning: Function parameter or member 'link' not described in 'wl3501_detach' + +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: Fox Chen +Cc: de Melo +Cc: Gustavo Niemeyer +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200826093401.1458456-21-lee.jones@linaro.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 8638c7c72bc30..b66c7d4798977 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -134,8 +134,8 @@ static const struct { + + /** + * iw_valid_channel - validate channel in regulatory domain +- * @reg_comain - regulatory domain +- * @channel - channel to validate ++ * @reg_comain: regulatory domain ++ * @channel: channel to validate + * + * Returns 0 if invalid in the specified regulatory domain, non-zero if valid. + */ +@@ -154,7 +154,7 @@ static int iw_valid_channel(int reg_domain, int channel) + + /** + * iw_default_channel - get default channel for a regulatory domain +- * @reg_comain - regulatory domain ++ * @reg_domain: regulatory domain + * + * Returns the default channel for a regulatory domain + */ +@@ -237,6 +237,7 @@ static int wl3501_get_flash_mac_addr(struct wl3501_card *this) + + /** + * wl3501_set_to_wla - Move 'size' bytes from PC to card ++ * @this: Card + * @dest: Card addressing space + * @src: PC addressing space + * @size: Bytes to move +@@ -259,6 +260,7 @@ static void wl3501_set_to_wla(struct wl3501_card *this, u16 dest, void *src, + + /** + * wl3501_get_from_wla - Move 'size' bytes from card to PC ++ * @this: Card + * @src: Card addressing space + * @dest: PC addressing space + * @size: Bytes to move +@@ -455,7 +457,7 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend) + + /** + * wl3501_send_pkt - Send a packet. +- * @this - card ++ * @this: Card + * + * Send a packet. + * +@@ -723,7 +725,7 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr) + + /** + * wl3501_block_interrupt - Mask interrupt from SUTRO +- * @this - card ++ * @this: Card + * + * Mask interrupt from SUTRO. (i.e. SUTRO cannot interrupt the HOST) + * Return: 1 if interrupt is originally enabled +@@ -740,7 +742,7 @@ static int wl3501_block_interrupt(struct wl3501_card *this) + + /** + * wl3501_unblock_interrupt - Enable interrupt from SUTRO +- * @this - card ++ * @this: Card + * + * Enable interrupt from SUTRO. (i.e. SUTRO can interrupt the HOST) + * Return: 1 if interrupt is originally enabled +@@ -1114,8 +1116,8 @@ static inline void wl3501_ack_interrupt(struct wl3501_card *this) + + /** + * wl3501_interrupt - Hardware interrupt from card. +- * @irq - Interrupt number +- * @dev_id - net_device ++ * @irq: Interrupt number ++ * @dev_id: net_device + * + * We must acknowledge the interrupt as soon as possible, and block the + * interrupt from the same card immediately to prevent re-entry. +@@ -1251,7 +1253,7 @@ static int wl3501_close(struct net_device *dev) + + /** + * wl3501_reset - Reset the SUTRO. +- * @dev - network device ++ * @dev: network device + * + * It is almost the same as wl3501_open(). In fact, we may just wl3501_close() + * and wl3501_open() again, but I wouldn't like to free_irq() when the driver +@@ -1414,7 +1416,7 @@ static struct iw_statistics *wl3501_get_wireless_stats(struct net_device *dev) + + /** + * wl3501_detach - deletes a driver "instance" +- * @link - FILL_IN ++ * @link: FILL_IN + * + * This deletes a driver "instance". The device is de-registered with Card + * Services. If it has been released, all local data structures are freed. +-- +2.39.2 + diff --git a/queue-5.4/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch b/queue-5.4/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch new file mode 100644 index 00000000000..f1a12d70e04 --- /dev/null +++ b/queue-5.4/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch @@ -0,0 +1,64 @@ +From d06d8d3ae789dbce1284e8b6b777fc79b1b5c8c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 11:23:53 +0000 +Subject: wl3501_cs: Fix misspelling and provide missing documentation + +From: Lee Jones + +[ Upstream commit 8b8a6f8c3b50193d161c598a6784e721128d6dc3 ] + +Fixes the following W=1 kernel build warning(s): + + In file included from drivers/net/wireless/wl3501_cs.c:57: + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:143: warning: Excess function parameter 'reg_comain' description in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt' + +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: Fox Chen +Cc: de Melo +Cc: Gustavo Niemeyer +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20201102112410.1049272-25-lee.jones@linaro.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index cf67ea13dd8dc..115bb408d4f20 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -134,7 +134,7 @@ static const struct { + + /** + * iw_valid_channel - validate channel in regulatory domain +- * @reg_comain: regulatory domain ++ * @reg_domain: regulatory domain + * @channel: channel to validate + * + * Returns 0 if invalid in the specified regulatory domain, non-zero if valid. +@@ -458,11 +458,9 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend) + /** + * wl3501_send_pkt - Send a packet. + * @this: Card +- * +- * Send a packet. +- * +- * data = Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr, ++ * @data: Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr, + * data[6] - data[11] is Src MAC Addr) ++ * @len: Packet length + * Ref: IEEE 802.11 + */ + static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len) +-- +2.39.2 + diff --git a/queue-5.4/wl3501_cs-remove-unnecessary-null-check.patch b/queue-5.4/wl3501_cs-remove-unnecessary-null-check.patch new file mode 100644 index 00000000000..40652f5a538 --- /dev/null +++ b/queue-5.4/wl3501_cs-remove-unnecessary-null-check.patch @@ -0,0 +1,41 @@ +From b36352bf9fdd7de7a64645153974a7cbd0efbd00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Sep 2020 18:45:58 +0100 +Subject: wl3501_cs: Remove unnecessary NULL check + +From: Alex Dewar + +[ Upstream commit 1d2a85382282e7c77cbde5650335c3ffc6073fa1 ] + +In wl3501_detach(), link->priv is checked for a NULL value before being +passed to free_netdev(). However, it cannot be NULL at this point as it +has already been passed to other functions, so just remove the check. + +Addresses-Coverity: CID 710499: Null pointer dereferences (REVERSE_INULL) +Signed-off-by: Alex Dewar +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200926174558.9436-1-alex.dewar90@gmail.com +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index b66c7d4798977..cf67ea13dd8dc 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1437,9 +1437,7 @@ static void wl3501_detach(struct pcmcia_device *link) + wl3501_release(link); + + unregister_netdev(dev); +- +- if (link->priv) +- free_netdev(link->priv); ++ free_netdev(dev); + } + + static int wl3501_get_name(struct net_device *dev, struct iw_request_info *info, +-- +2.39.2 + diff --git a/queue-5.4/wl3501_cs-use-eth_hw_addr_set.patch b/queue-5.4/wl3501_cs-use-eth_hw_addr_set.patch new file mode 100644 index 00000000000..84dace2bc0e --- /dev/null +++ b/queue-5.4/wl3501_cs-use-eth_hw_addr_set.patch @@ -0,0 +1,40 @@ +From 3e39d5992157add9db25d94eac1b2b90e2a50a00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 16:50:20 -0700 +Subject: wl3501_cs: use eth_hw_addr_set() + +From: Jakub Kicinski + +[ Upstream commit 18774612246d036c04ce9fee7f67192f96f48725 ] + +Commit 406f42fa0d3c ("net-next: When a bond have a massive amount +of VLANs...") introduced a rbtree for faster Ethernet address look +up. To maintain netdev->dev_addr in this tree we need to make all +the writes to it got through appropriate helpers. + +Signed-off-by: Jakub Kicinski +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211018235021.1279697-15-kuba@kernel.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 115bb408d4f20..ae660f25a0e5a 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1945,8 +1945,7 @@ static int wl3501_config(struct pcmcia_device *link) + goto failed; + } + +- for (i = 0; i < 6; i++) +- dev->dev_addr[i] = ((char *)&this->mac_addr)[i]; ++ eth_hw_addr_set(dev, this->mac_addr); + + /* print probe information */ + printk(KERN_INFO "%s: wl3501 @ 0x%3.3x, IRQ %d, " +-- +2.39.2 + diff --git a/queue-5.4/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch b/queue-5.4/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch new file mode 100644 index 00000000000..da32d8dccd5 --- /dev/null +++ b/queue-5.4/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch @@ -0,0 +1,55 @@ +From 2998ac05b3d91d2d6eefb6428647f8668e5b752e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 14:04:48 +0800 +Subject: x86/resctrl: Only show tasks' pid in current pid namespace + +From: Shawn Wang + +[ Upstream commit 2997d94b5dd0e8b10076f5e0b6f18410c73e28bd ] + +When writing a task id to the "tasks" file in an rdtgroup, +rdtgroup_tasks_write() treats the pid as a number in the current pid +namespace. But when reading the "tasks" file, rdtgroup_tasks_show() shows +the list of global pids from the init namespace, which is confusing and +incorrect. + +To be more robust, let the "tasks" file only show pids in the current pid +namespace. + +Fixes: e02737d5b826 ("x86/intel_rdt: Add tasks files") +Signed-off-by: Shawn Wang +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Reinette Chatre +Acked-by: Fenghua Yu +Tested-by: Reinette Chatre +Link: https://lore.kernel.org/all/20230116071246.97717-1-shawnwang@linux.alibaba.com/ +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +index 9de55fd77937c..91016bb18d4f9 100644 +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -715,11 +715,15 @@ static ssize_t rdtgroup_tasks_write(struct kernfs_open_file *of, + static void show_rdt_tasks(struct rdtgroup *r, struct seq_file *s) + { + struct task_struct *p, *t; ++ pid_t pid; + + rcu_read_lock(); + for_each_process_thread(p, t) { +- if (is_closid_match(t, r) || is_rmid_match(t, r)) +- seq_printf(s, "%d\n", t->pid); ++ if (is_closid_match(t, r) || is_rmid_match(t, r)) { ++ pid = task_pid_vnr(t); ++ if (pid) ++ seq_printf(s, "%d\n", pid); ++ } + } + rcu_read_unlock(); + } +-- +2.39.2 + diff --git a/queue-5.4/x86-resctrl-use-is_closid_match-in-more-places.patch b/queue-5.4/x86-resctrl-use-is_closid_match-in-more-places.patch new file mode 100644 index 00000000000..f506418469b --- /dev/null +++ b/queue-5.4/x86-resctrl-use-is_closid_match-in-more-places.patch @@ -0,0 +1,93 @@ +From 5d6ccb5d9f775e13243d8b7284ea6b7abb0a0e2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 16:39:25 +0000 +Subject: x86/resctrl: Use is_closid_match() in more places + +From: James Morse + +[ Upstream commit e6b2fac36fcc0b73cbef063d700a9841850e37a0 ] + +rdtgroup_tasks_assigned() and show_rdt_tasks() loop over threads testing +for a CTRL/MON group match by closid/rmid with the provided rdtgrp. +Further down the file are helpers to do this, move these further up and +make use of them here. + +These helpers additionally check for alloc/mon capable. This is harmless +as rdtgroup_mkdir() tests these capable flags before allowing the config +directories to be created. + +Signed-off-by: James Morse +Signed-off-by: Borislav Petkov +Reviewed-by: Reinette Chatre +Link: https://lkml.kernel.org/r/20200708163929.2783-7-james.morse@arm.com +Stable-dep-of: 2997d94b5dd0 ("x86/resctrl: Only show tasks' pid in current pid namespace") +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 30 ++++++++++++-------------- + 1 file changed, 14 insertions(+), 16 deletions(-) + +diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +index 0e4f14dae1c05..9de55fd77937c 100644 +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -593,6 +593,18 @@ static int __rdtgroup_move_task(struct task_struct *tsk, + return 0; + } + ++static bool is_closid_match(struct task_struct *t, struct rdtgroup *r) ++{ ++ return (rdt_alloc_capable && ++ (r->type == RDTCTRL_GROUP) && (t->closid == r->closid)); ++} ++ ++static bool is_rmid_match(struct task_struct *t, struct rdtgroup *r) ++{ ++ return (rdt_mon_capable && ++ (r->type == RDTMON_GROUP) && (t->rmid == r->mon.rmid)); ++} ++ + /** + * rdtgroup_tasks_assigned - Test if tasks have been assigned to resource group + * @r: Resource group +@@ -608,8 +620,7 @@ int rdtgroup_tasks_assigned(struct rdtgroup *r) + + rcu_read_lock(); + for_each_process_thread(p, t) { +- if ((r->type == RDTCTRL_GROUP && t->closid == r->closid) || +- (r->type == RDTMON_GROUP && t->rmid == r->mon.rmid)) { ++ if (is_closid_match(t, r) || is_rmid_match(t, r)) { + ret = 1; + break; + } +@@ -707,8 +718,7 @@ static void show_rdt_tasks(struct rdtgroup *r, struct seq_file *s) + + rcu_read_lock(); + for_each_process_thread(p, t) { +- if ((r->type == RDTCTRL_GROUP && t->closid == r->closid) || +- (r->type == RDTMON_GROUP && t->rmid == r->mon.rmid)) ++ if (is_closid_match(t, r) || is_rmid_match(t, r)) + seq_printf(s, "%d\n", t->pid); + } + rcu_read_unlock(); +@@ -2148,18 +2158,6 @@ static int reset_all_ctrls(struct rdt_resource *r) + return 0; + } + +-static bool is_closid_match(struct task_struct *t, struct rdtgroup *r) +-{ +- return (rdt_alloc_capable && +- (r->type == RDTCTRL_GROUP) && (t->closid == r->closid)); +-} +- +-static bool is_rmid_match(struct task_struct *t, struct rdtgroup *r) +-{ +- return (rdt_mon_capable && +- (r->type == RDTMON_GROUP) && (t->rmid == r->mon.rmid)); +-} +- + /* + * Move tasks from one to the other group. If @from is NULL, then all tasks + * in the systems are moved unconditionally (used for teardown). +-- +2.39.2 +