From 479d7d0f886de20cb0b43a33e155960ca28f7227 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 3 Dec 2022 04:21:46 -0500 Subject: [PATCH] Fixes for 4.14 Signed-off-by: Sasha Levin --- ...-sleep-from-invalid-context-bug-in-b.patch | 65 ++++++++++ ..._isa_probe-add-missing-free_cc770dev.patch | 59 +++++++++ ...sja1000_isa_probe-add-missing-free_s.patch | 59 +++++++++ .../dsa-lan9303-correct-stat-name.patch | 43 +++++++ ...heck-for-null-before-removing-sysfs-.patch | 64 +++++++++ ...ix-pci-device-refcount-leak-in-nv1a_.patch | 45 +++++++ ..._temp-fix-missing-pci_disable_device.patch | 37 ++++++ ...-possible-uaf-when-ibmpex_register_b.patch | 44 +++++++ ...403-fix-oob-read-in-afe4403_read_raw.patch | 72 +++++++++++ ...04-fix-oob-read-in-afe4404_-read-wri.patch | 102 +++++++++++++++ ...521-add-missing-kconfig-dependencies.patch | 47 +++++++ ...icit-function-declaration-in-license.patch | 50 ++++++++ ...ential-socket-leak-in-p9_socket_open.patch | 45 +++++++ ...esas-ravb-fix-promiscuous-mode-after.patch | 41 ++++++ ...net-hsr-fix-potential-use-after-free.patch | 49 +++++++ ...nitialized-variable-bug-in-outlen_wr.patch | 39 ++++++ ...ix-error-handling-in-ntb_netdev_init.patch | 48 +++++++ ...ix-null-ptr-deref-while-probe-failed.patch | 73 +++++++++++ ...ement-node-refcount-in-of_fwnode_get.patch | 47 +++++++ ...t-tp_status_csum_valid-on-checksum_c.patch | 49 +++++++ ...flags-to-indicate-the-pmu-filled-sam.patch | 121 ++++++++++++++++++ ...-in-atomic-context-bugs-caused-by-ms.patch | 70 ++++++++++ queue-4.14/series | 22 ++++ 23 files changed, 1291 insertions(+) create mode 100644 queue-4.14/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch create mode 100644 queue-4.14/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch create mode 100644 queue-4.14/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch create mode 100644 queue-4.14/dsa-lan9303-correct-stat-name.patch create mode 100644 queue-4.14/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch create mode 100644 queue-4.14/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch create mode 100644 queue-4.14/hwmon-i5500_temp-fix-missing-pci_disable_device.patch create mode 100644 queue-4.14/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch create mode 100644 queue-4.14/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch create mode 100644 queue-4.14/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch create mode 100644 queue-4.14/iio-light-rpr0521-add-missing-kconfig-dependencies.patch create mode 100644 queue-4.14/kbuild-fix-wimplicit-function-declaration-in-license.patch create mode 100644 queue-4.14/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch create mode 100644 queue-4.14/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch create mode 100644 queue-4.14/net-hsr-fix-potential-use-after-free.patch create mode 100644 queue-4.14/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch create mode 100644 queue-4.14/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch create mode 100644 queue-4.14/net-phy-fix-null-ptr-deref-while-probe-failed.patch create mode 100644 queue-4.14/of-property-decrement-node-refcount-in-of_fwnode_get.patch create mode 100644 queue-4.14/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch create mode 100644 queue-4.14/perf-add-sample_flags-to-indicate-the-pmu-filled-sam.patch create mode 100644 queue-4.14/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch diff --git a/queue-4.14/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch b/queue-4.14/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch new file mode 100644 index 00000000000..6070766d6d0 --- /dev/null +++ b/queue-4.14/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch @@ -0,0 +1,65 @@ +From 25efb09df2881b5aef9ed0d48073ea7670c8eb78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 22:23:54 +0800 +Subject: btrfs: qgroup: fix sleep from invalid context bug in + btrfs_qgroup_inherit() + +From: ChenXiaoSong + +[ Upstream commit f7e942b5bb35d8e3af54053d19a6bf04143a3955 ] + +Syzkaller reported BUG as follows: + + BUG: sleeping function called from invalid context at + include/linux/sched/mm.h:274 + Call Trace: + + dump_stack_lvl+0xcd/0x134 + __might_resched.cold+0x222/0x26b + kmem_cache_alloc+0x2e7/0x3c0 + update_qgroup_limit_item+0xe1/0x390 + btrfs_qgroup_inherit+0x147b/0x1ee0 + create_subvol+0x4eb/0x1710 + btrfs_mksubvol+0xfe5/0x13f0 + __btrfs_ioctl_snap_create+0x2b0/0x430 + btrfs_ioctl_snap_create_v2+0x25a/0x520 + btrfs_ioctl+0x2a1c/0x5ce0 + __x64_sys_ioctl+0x193/0x200 + do_syscall_64+0x35/0x80 + +Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in +btrfs_run_qgroups() later outside of the spinlock context. + +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Qu Wenruo +Signed-off-by: ChenXiaoSong +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index 47c28983fd01..4ad588ed5813 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2239,14 +2239,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, + dstgroup->rsv_rfer = inherit->lim.rsv_rfer; + dstgroup->rsv_excl = inherit->lim.rsv_excl; + +- ret = update_qgroup_limit_item(trans, quota_root, dstgroup); +- if (ret) { +- fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT; +- btrfs_info(fs_info, +- "unable to update quota limit for %llu", +- dstgroup->qgroupid); +- goto unlock; +- } ++ qgroup_dirty(fs_info, dstgroup); + } + + if (srcid) { +-- +2.35.1 + diff --git a/queue-4.14/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch b/queue-4.14/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch new file mode 100644 index 00000000000..7652d792beb --- /dev/null +++ b/queue-4.14/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch @@ -0,0 +1,59 @@ +From c1b7a44b355362bb943fb4a27039f853cbdb6795 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 20:09:16 +0800 +Subject: can: cc770: cc770_isa_probe(): add missing free_cc770dev() + +From: Zhang Changzhong + +[ Upstream commit 62ec89e74099a3d6995988ed9f2f996b368417ec ] + +Add the missing free_cc770dev() before return from cc770_isa_probe() +in the register_cc770dev() error handling case. + +In addition, remove blanks before goto labels. + +Fixes: 7e02e5433e00 ("can: cc770: legacy CC770 ISA bus driver") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/all/1668168557-6024-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/cc770/cc770_isa.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/cc770/cc770_isa.c b/drivers/net/can/cc770/cc770_isa.c +index 3a30fd3b4498..b86181740935 100644 +--- a/drivers/net/can/cc770/cc770_isa.c ++++ b/drivers/net/can/cc770/cc770_isa.c +@@ -272,22 +272,24 @@ static int cc770_isa_probe(struct platform_device *pdev) + if (err) { + dev_err(&pdev->dev, + "couldn't register device (err=%d)\n", err); +- goto exit_unmap; ++ goto exit_free; + } + + dev_info(&pdev->dev, "device registered (reg_base=0x%p, irq=%d)\n", + priv->reg_base, dev->irq); + return 0; + +- exit_unmap: ++exit_free: ++ free_cc770dev(dev); ++exit_unmap: + if (mem[idx]) + iounmap(base); +- exit_release: ++exit_release: + if (mem[idx]) + release_mem_region(mem[idx], iosize); + else + release_region(port[idx], iosize); +- exit: ++exit: + return err; + } + +-- +2.35.1 + diff --git a/queue-4.14/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch b/queue-4.14/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch new file mode 100644 index 00000000000..a5c76995102 --- /dev/null +++ b/queue-4.14/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch @@ -0,0 +1,59 @@ +From ac2daa3c050af541809b358c19378bba0067dc82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 20:08:41 +0800 +Subject: can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev() + +From: Zhang Changzhong + +[ Upstream commit 92dfd9310a71d28cefe6a2d5174d43fab240e631 ] + +Add the missing free_sja1000dev() before return from +sja1000_isa_probe() in the register_sja1000dev() error handling case. + +In addition, remove blanks before goto labels. + +Fixes: 2a6ba39ad6a2 ("can: sja1000: legacy SJA1000 ISA bus driver") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/all/1668168521-5540-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/sja1000/sja1000_isa.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/sja1000/sja1000_isa.c b/drivers/net/can/sja1000/sja1000_isa.c +index a89c1e92554d..afccd9fde332 100644 +--- a/drivers/net/can/sja1000/sja1000_isa.c ++++ b/drivers/net/can/sja1000/sja1000_isa.c +@@ -213,22 +213,24 @@ static int sja1000_isa_probe(struct platform_device *pdev) + if (err) { + dev_err(&pdev->dev, "registering %s failed (err=%d)\n", + DRV_NAME, err); +- goto exit_unmap; ++ goto exit_free; + } + + dev_info(&pdev->dev, "%s device registered (reg_base=0x%p, irq=%d)\n", + DRV_NAME, priv->reg_base, dev->irq); + return 0; + +- exit_unmap: ++exit_free: ++ free_sja1000dev(dev); ++exit_unmap: + if (mem[idx]) + iounmap(base); +- exit_release: ++exit_release: + if (mem[idx]) + release_mem_region(mem[idx], iosize); + else + release_region(port[idx], iosize); +- exit: ++exit: + return err; + } + +-- +2.35.1 + diff --git a/queue-4.14/dsa-lan9303-correct-stat-name.patch b/queue-4.14/dsa-lan9303-correct-stat-name.patch new file mode 100644 index 00000000000..9a4b85d3b36 --- /dev/null +++ b/queue-4.14/dsa-lan9303-correct-stat-name.patch @@ -0,0 +1,43 @@ +From dd6499552a0d9ba8f8250d8aebb9f9ada2bca933 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 13:35:59 -0600 +Subject: dsa: lan9303: Correct stat name + +From: Jerry Ray + +[ Upstream commit 39f59bca275d2d819a8788c0f962e9e89843efc9 ] + +This patch changes the reported ethtool statistics for the lan9303 +family of parts covered by this driver. + +The TxUnderRun statistic label is renamed to RxShort to accurately +reflect what stat the device is reporting. I did not reorder the +statistics as that might cause problems with existing user code that +are expecting the stats at a certain offset. + +Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") +Signed-off-by: Jerry Ray +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20221128193559.6572-1-jerry.ray@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/lan9303-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c +index 1e5a69b9d90a..10d1c08ffeea 100644 +--- a/drivers/net/dsa/lan9303-core.c ++++ b/drivers/net/dsa/lan9303-core.c +@@ -681,7 +681,7 @@ static const struct lan9303_mib_desc lan9303_mib[] = { + { .offset = LAN9303_MAC_TX_BRDCST_CNT_0, .name = "TxBroad", }, + { .offset = LAN9303_MAC_TX_PAUSE_CNT_0, .name = "TxPause", }, + { .offset = LAN9303_MAC_TX_MULCST_CNT_0, .name = "TxMulti", }, +- { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "TxUnderRun", }, ++ { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "RxShort", }, + { .offset = LAN9303_MAC_TX_64_CNT_0, .name = "Tx64Byte", }, + { .offset = LAN9303_MAC_TX_127_CNT_0, .name = "Tx128Byte", }, + { .offset = LAN9303_MAC_TX_255_CNT_0, .name = "Tx256Byte", }, +-- +2.35.1 + diff --git a/queue-4.14/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch b/queue-4.14/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch new file mode 100644 index 00000000000..4cd08afe730 --- /dev/null +++ b/queue-4.14/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch @@ -0,0 +1,64 @@ +From c9824ffd364d1ade62f9d62e863685bedd2924a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:23:13 -0500 +Subject: hwmon: (coretemp) Check for null before removing sysfs attrs + +From: Phil Auld + +[ Upstream commit a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a ] + +If coretemp_add_core() gets an error then pdata->core_data[indx] +is already NULL and has been kfreed. Don't pass that to +sysfs_remove_group() as that will crash in sysfs_remove_group(). + +[Shortened for readability] +[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label' + +[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188 +[91855.165103] #PF: supervisor read access in kernel mode +[91855.194506] #PF: error_code(0x0000) - not-present page +[91855.224445] PGD 0 P4D 0 +[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI +... +[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80 +... +[91855.796571] Call Trace: +[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp] +[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp] +[91855.871107] cpuhp_invoke_callback+0x105/0x4b0 +[91855.893432] cpuhp_thread_fun+0x8e/0x150 +... + +Fix this by checking for NULL first. + +Signed-off-by: Phil Auld +Cc: linux-hwmon@vger.kernel.org +Cc: Fenghua Yu +Cc: Jean Delvare +Cc: Guenter Roeck +Link: https://lore.kernel.org/r/20221117162313.3164803-1-pauld@redhat.com +Fixes: 199e0de7f5df3 ("hwmon: (coretemp) Merge pkgtemp with coretemp") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index a42744c7665b..ee35bbc1714a 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -531,6 +531,10 @@ static void coretemp_remove_core(struct platform_data *pdata, int indx) + { + struct temp_data *tdata = pdata->core_data[indx]; + ++ /* if we errored on add then this is already gone */ ++ if (!tdata) ++ return; ++ + /* Remove the sysfs attributes */ + sysfs_remove_group(&pdata->hwmon_dev->kobj, &tdata->attr_group); + +-- +2.35.1 + diff --git a/queue-4.14/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch b/queue-4.14/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch new file mode 100644 index 00000000000..ad3fa1dcddb --- /dev/null +++ b/queue-4.14/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch @@ -0,0 +1,45 @@ +From db5da98bc2c3fd739cd0b7b1bcd36da5052a8f7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 17:33:03 +0800 +Subject: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() + +From: Yang Yingliang + +[ Upstream commit 7dec14537c5906b8bf40fd6fd6d9c3850f8df11d ] + +As comment of pci_get_domain_bus_and_slot() says, it returns +a pci device with refcount increment, when finish using it, +the caller must decrement the reference count by calling +pci_dev_put(). So call it after using to avoid refcount leak. + +Fixes: 14513ee696a0 ("hwmon: (coretemp) Use PCI host bridge ID to identify CPU if necessary") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221118093303.214163-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index ee35bbc1714a..770bf76a5348 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -255,10 +255,13 @@ static int adjust_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev) + */ + if (host_bridge && host_bridge->vendor == PCI_VENDOR_ID_INTEL) { + for (i = 0; i < ARRAY_SIZE(tjmax_pci_table); i++) { +- if (host_bridge->device == tjmax_pci_table[i].device) ++ if (host_bridge->device == tjmax_pci_table[i].device) { ++ pci_dev_put(host_bridge); + return tjmax_pci_table[i].tjmax; ++ } + } + } ++ pci_dev_put(host_bridge); + + for (i = 0; i < ARRAY_SIZE(tjmax_table); i++) { + if (strstr(c->x86_model_id, tjmax_table[i].id)) +-- +2.35.1 + diff --git a/queue-4.14/hwmon-i5500_temp-fix-missing-pci_disable_device.patch b/queue-4.14/hwmon-i5500_temp-fix-missing-pci_disable_device.patch new file mode 100644 index 00000000000..aa846282c5a --- /dev/null +++ b/queue-4.14/hwmon-i5500_temp-fix-missing-pci_disable_device.patch @@ -0,0 +1,37 @@ +From d2700828fa7fb3e3759522f23274c719166b3f05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 20:56:06 +0800 +Subject: hwmon: (i5500_temp) fix missing pci_disable_device() + +From: Yang Yingliang + +[ Upstream commit 3b7f98f237528c496ea0b689bace0e35eec3e060 ] + +pci_disable_device() need be called while module exiting, switch to use +pcim_enable(), pci_disable_device() will be called in pcim_release(). + +Fixes: ada072816be1 ("hwmon: (i5500_temp) New driver for the Intel 5500/5520/X58 chipsets") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221112125606.3751430-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/i5500_temp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/i5500_temp.c b/drivers/hwmon/i5500_temp.c +index 400e0675a90b..03fa12c78109 100644 +--- a/drivers/hwmon/i5500_temp.c ++++ b/drivers/hwmon/i5500_temp.c +@@ -117,7 +117,7 @@ static int i5500_temp_probe(struct pci_dev *pdev, + u32 tstimer; + s8 tsfsc; + +- err = pci_enable_device(pdev); ++ err = pcim_enable_device(pdev); + if (err) { + dev_err(&pdev->dev, "Failed to enable device\n"); + return err; +-- +2.35.1 + diff --git a/queue-4.14/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch b/queue-4.14/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch new file mode 100644 index 00000000000..46edaf8cdd3 --- /dev/null +++ b/queue-4.14/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch @@ -0,0 +1,44 @@ +From 6bb787e47a64041a7d559385329b4b8c69c55072 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:44:23 +0800 +Subject: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails + +From: Gaosheng Cui + +[ Upstream commit e2a87785aab0dac190ac89be6a9ba955e2c634f2 ] + +Smatch report warning as follows: + +drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: + '&data->list' not removed from list + +If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will +be freed, but data->list will not be removed from driver_data.bmc_data, +then list traversal may cause UAF. + +Fix by removeing it from driver_data.bmc_data before free(). + +Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221117034423.2935739-1-cuigaosheng1@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ibmpex.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c +index 21b9c72f16bd..26a898781371 100644 +--- a/drivers/hwmon/ibmpex.c ++++ b/drivers/hwmon/ibmpex.c +@@ -517,6 +517,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev) + return; + + out_register: ++ list_del(&data->list); + hwmon_device_unregister(data->hwmon_dev); + out_user: + ipmi_destroy_user(data->user); +-- +2.35.1 + diff --git a/queue-4.14/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch b/queue-4.14/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch new file mode 100644 index 00000000000..e4c651ffa71 --- /dev/null +++ b/queue-4.14/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch @@ -0,0 +1,72 @@ +From d43aef11044f8c3234aadf4f27a21663cf05358a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 15:19:46 +0000 +Subject: iio: health: afe4403: Fix oob read in afe4403_read_raw + +From: Wei Yongjun + +[ Upstream commit 58143c1ed5882c138a3cd2251a336fc8755f23d9 ] + +KASAN report out-of-bounds read as follows: + +BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 +Read of size 4 at addr ffffffffc02ac638 by task cat/279 + +Call Trace: + afe4403_read_raw + iio_read_channel_info + dev_attr_show + +The buggy address belongs to the variable: + afe4403_channel_leds+0x18/0xffffffffffffe9e0 + +This issue can be reproduced by singe command: + + $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw + +The array size of afe4403_channel_leds is less than channels, so access +with chan->address cause OOB read in afe4403_read_raw. Fix it by moving +access before use it. + +Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields") +Signed-off-by: Wei Yongjun +Acked-by: Andrew Davis +Link: https://lore.kernel.org/r/20221107151946.89260-1-weiyongjun@huaweicloud.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/health/afe4403.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/health/afe4403.c b/drivers/iio/health/afe4403.c +index 2f07c4d1398c..4756e9645f7d 100644 +--- a/drivers/iio/health/afe4403.c ++++ b/drivers/iio/health/afe4403.c +@@ -253,14 +253,14 @@ static int afe4403_read_raw(struct iio_dev *indio_dev, + int *val, int *val2, long mask) + { + struct afe4403_data *afe = iio_priv(indio_dev); +- unsigned int reg = afe4403_channel_values[chan->address]; +- unsigned int field = afe4403_channel_leds[chan->address]; ++ unsigned int reg, field; + int ret; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ reg = afe4403_channel_values[chan->address]; + ret = afe4403_read(afe, reg, val); + if (ret) + return ret; +@@ -270,6 +270,7 @@ static int afe4403_read_raw(struct iio_dev *indio_dev, + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ field = afe4403_channel_leds[chan->address]; + ret = regmap_field_read(afe->fields[field], val); + if (ret) + return ret; +-- +2.35.1 + diff --git a/queue-4.14/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch b/queue-4.14/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch new file mode 100644 index 00000000000..c96df602f3f --- /dev/null +++ b/queue-4.14/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch @@ -0,0 +1,102 @@ +From deaa23e703ce55413c6a039e86298be746f984b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 15:20:10 +0000 +Subject: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw + +From: Wei Yongjun + +[ Upstream commit fc92d9e3de0b2d30a3ccc08048a5fad533e4672b ] + +KASAN report out-of-bounds read as follows: + +BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380 +Read of size 4 at addr ffffffffc00e4658 by task cat/278 + +Call Trace: + afe4404_read_raw + iio_read_channel_info + dev_attr_show + +The buggy address belongs to the variable: + afe4404_channel_leds+0x18/0xffffffffffffe9c0 + +This issue can be reproduce by singe command: + + $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw + +The array size of afe4404_channel_leds and afe4404_channel_offdacs +are less than channels, so access with chan->address cause OOB read +in afe4404_[read|write]_raw. Fix it by moving access before use them. + +Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields") +Signed-off-by: Wei Yongjun +Acked-by: Andrew Davis +Link: https://lore.kernel.org/r/20221107152010.95937-1-weiyongjun@huaweicloud.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/health/afe4404.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/iio/health/afe4404.c b/drivers/iio/health/afe4404.c +index 5e256b11ac87..29a906411bd8 100644 +--- a/drivers/iio/health/afe4404.c ++++ b/drivers/iio/health/afe4404.c +@@ -258,20 +258,20 @@ static int afe4404_read_raw(struct iio_dev *indio_dev, + int *val, int *val2, long mask) + { + struct afe4404_data *afe = iio_priv(indio_dev); +- unsigned int value_reg = afe4404_channel_values[chan->address]; +- unsigned int led_field = afe4404_channel_leds[chan->address]; +- unsigned int offdac_field = afe4404_channel_offdacs[chan->address]; ++ unsigned int value_reg, led_field, offdac_field; + int ret; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ value_reg = afe4404_channel_values[chan->address]; + ret = regmap_read(afe->regmap, value_reg, val); + if (ret) + return ret; + return IIO_VAL_INT; + case IIO_CHAN_INFO_OFFSET: ++ offdac_field = afe4404_channel_offdacs[chan->address]; + ret = regmap_field_read(afe->fields[offdac_field], val); + if (ret) + return ret; +@@ -281,6 +281,7 @@ static int afe4404_read_raw(struct iio_dev *indio_dev, + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ led_field = afe4404_channel_leds[chan->address]; + ret = regmap_field_read(afe->fields[led_field], val); + if (ret) + return ret; +@@ -303,19 +304,20 @@ static int afe4404_write_raw(struct iio_dev *indio_dev, + int val, int val2, long mask) + { + struct afe4404_data *afe = iio_priv(indio_dev); +- unsigned int led_field = afe4404_channel_leds[chan->address]; +- unsigned int offdac_field = afe4404_channel_offdacs[chan->address]; ++ unsigned int led_field, offdac_field; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_OFFSET: ++ offdac_field = afe4404_channel_offdacs[chan->address]; + return regmap_field_write(afe->fields[offdac_field], val); + } + break; + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ led_field = afe4404_channel_leds[chan->address]; + return regmap_field_write(afe->fields[led_field], val); + } + break; +-- +2.35.1 + diff --git a/queue-4.14/iio-light-rpr0521-add-missing-kconfig-dependencies.patch b/queue-4.14/iio-light-rpr0521-add-missing-kconfig-dependencies.patch new file mode 100644 index 00000000000..f87879f2b93 --- /dev/null +++ b/queue-4.14/iio-light-rpr0521-add-missing-kconfig-dependencies.patch @@ -0,0 +1,47 @@ +From db01cd4766fb43d56aa9534793cd783219342955 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 16:47:29 -0500 +Subject: iio: light: rpr0521: add missing Kconfig dependencies + +From: Paul Gazzillo + +[ Upstream commit 6ac12303572ef9ace5603c2c07f5f1b00a33f580 ] + +Fix an implicit declaration of function error for rpr0521 under some configs + +When CONFIG_RPR0521 is enabled without CONFIG_IIO_TRIGGERED_BUFFER, +the build results in "implicit declaration of function" errors, e.g., + drivers/iio/light/rpr0521.c:434:3: error: implicit declaration of function + 'iio_trigger_poll_chained' [-Werror=implicit-function-declaration] + 434 | iio_trigger_poll_chained(data->drdy_trigger0); + | ^~~~~~~~~~~~~~~~~~~~~~~~ + +This fix adds select dependencies to RPR0521's configuration declaration. + +Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer") +Signed-off-by: Paul Gazzillo +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216678 +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221110214729.ls5ixav5kxpeftk7@device +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/light/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/iio/light/Kconfig b/drivers/iio/light/Kconfig +index 2356ed9285df..67eda9643df5 100644 +--- a/drivers/iio/light/Kconfig ++++ b/drivers/iio/light/Kconfig +@@ -237,6 +237,8 @@ config RPR0521 + tristate "ROHM RPR0521 ALS and proximity sensor driver" + depends on I2C + select REGMAP_I2C ++ select IIO_BUFFER ++ select IIO_TRIGGERED_BUFFER + help + Say Y here if you want to build support for ROHM's RPR0521 + ambient light and proximity sensor device. +-- +2.35.1 + diff --git a/queue-4.14/kbuild-fix-wimplicit-function-declaration-in-license.patch b/queue-4.14/kbuild-fix-wimplicit-function-declaration-in-license.patch new file mode 100644 index 00000000000..7a688e43651 --- /dev/null +++ b/queue-4.14/kbuild-fix-wimplicit-function-declaration-in-license.patch @@ -0,0 +1,50 @@ +From e1e5b8c87580c24ac975ff42b75f53c92d83f7c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 18:26:34 +0000 +Subject: kbuild: fix -Wimplicit-function-declaration in + license_is_gpl_compatible + +From: Sam James + +[ Upstream commit 50c697215a8cc22f0e58c88f06f2716c05a26e85 ] + +Add missing include for strcmp. + +Clang 16 makes -Wimplicit-function-declaration an error by default. +Unfortunately, out of tree modules may use this in configure scripts, +which means failure might cause silent miscompilation or misconfiguration. + +For more information, see LWN.net [0] or LLVM's Discourse [1], gentoo-dev@ [2], +or the (new) c-std-porting mailing list [3]. + +[0] https://lwn.net/Articles/913505/ +[1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213 +[2] https://archives.gentoo.org/gentoo-dev/message/dd9f2d3082b8b6f8dfbccb0639e6e240 +[3] hosted at lists.linux.dev. + +[akpm@linux-foundation.org: remember "linux/"] +Link: https://lkml.kernel.org/r/20221116182634.2823136-1-sam@gentoo.org +Signed-off-by: Sam James +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/license.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/license.h b/include/linux/license.h +index decdbf43cb5c..87a21d5d6758 100644 +--- a/include/linux/license.h ++++ b/include/linux/license.h +@@ -1,6 +1,8 @@ + #ifndef __LICENSE_H + #define __LICENSE_H + ++#include ++ + static inline int license_is_gpl_compatible(const char *license) + { + return (strcmp(license, "GPL") == 0 +-- +2.35.1 + diff --git a/queue-4.14/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch b/queue-4.14/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch new file mode 100644 index 00000000000..0c5a2bac02e --- /dev/null +++ b/queue-4.14/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch @@ -0,0 +1,45 @@ +From 4349772cbd5f70155ad23e226497b9c1d39d20e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 16:10:05 +0800 +Subject: net/9p: Fix a potential socket leak in p9_socket_open + +From: Wang Hai + +[ Upstream commit dcc14cfd7debe11b825cb077e75d91d2575b4cb8 ] + +Both p9_fd_create_tcp() and p9_fd_create_unix() will call +p9_socket_open(). If the creation of p9_trans_fd fails, +p9_fd_create_tcp() and p9_fd_create_unix() will return an +error directly instead of releasing the cscoket, which will +result in a socket leak. + +This patch adds sock_release() to fix the leak issue. + +Fixes: 6b18662e239a ("9p connect fixes") +Signed-off-by: Wang Hai +ACKed-by: Al Viro +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index da7fcf9d14a9..cdf60ffca240 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -865,8 +865,10 @@ static int p9_socket_open(struct p9_client *client, struct socket *csocket) + struct file *file; + + p = kzalloc(sizeof(struct p9_trans_fd), GFP_KERNEL); +- if (!p) ++ if (!p) { ++ sock_release(csocket); + return -ENOMEM; ++ } + + csocket->sk->sk_allocation = GFP_NOIO; + file = sock_alloc_file(csocket, 0, NULL); +-- +2.35.1 + diff --git a/queue-4.14/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch b/queue-4.14/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch new file mode 100644 index 00000000000..e80154b2274 --- /dev/null +++ b/queue-4.14/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch @@ -0,0 +1,41 @@ +From 2d75a8b340225b2fa3d894083261b1334d7efcb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 15:56:04 +0900 +Subject: net: ethernet: renesas: ravb: Fix promiscuous mode after system + resumed + +From: Yoshihiro Shimoda + +[ Upstream commit d66233a312ec9013af3e37e4030b479a20811ec3 ] + +After system resumed on some environment board, the promiscuous mode +is disabled because the SoC turned off. So, call ravb_set_rx_mode() in +the ravb_resume() to fix the issue. + +Reported-by: Tho Vu +Fixes: 0184165b2f42 ("ravb: add sleep PM suspend/resume support") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Pavan Chebbi +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20221128065604.1864391-1-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 58496fb84b05..5513475e2a82 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -2335,6 +2335,7 @@ static int __maybe_unused ravb_resume(struct device *dev) + ret = ravb_open(ndev); + if (ret < 0) + return ret; ++ ravb_set_rx_mode(ndev); + netif_device_attach(ndev); + } + +-- +2.35.1 + diff --git a/queue-4.14/net-hsr-fix-potential-use-after-free.patch b/queue-4.14/net-hsr-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..1ebd632be63 --- /dev/null +++ b/queue-4.14/net-hsr-fix-potential-use-after-free.patch @@ -0,0 +1,49 @@ +From 840c568a123a2f2614ad6721da5a0cddc6a8c323 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 15:57:24 +0800 +Subject: net: hsr: Fix potential use-after-free + +From: YueHaibing + +[ Upstream commit 7e177d32442b7ed08a9fa61b61724abc548cb248 ] + +The skb is delivered to netif_rx() which may free it, after calling this, +dereferencing skb may trigger use-after-free. + +Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20221125075724.27912-1-yuehaibing@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_forward.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c +index 04b5450c5a55..adfb49760678 100644 +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -207,17 +207,18 @@ static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev, + struct hsr_node *node_src) + { + bool was_multicast_frame; +- int res; ++ int res, recv_len; + + was_multicast_frame = (skb->pkt_type == PACKET_MULTICAST); + hsr_addr_subst_source(node_src, skb); + skb_pull(skb, ETH_HLEN); ++ recv_len = skb->len; + res = netif_rx(skb); + if (res == NET_RX_DROP) { + dev->stats.rx_dropped++; + } else { + dev->stats.rx_packets++; +- dev->stats.rx_bytes += skb->len; ++ dev->stats.rx_bytes += recv_len; + if (was_multicast_frame) + dev->stats.multicast++; + } +-- +2.35.1 + diff --git a/queue-4.14/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch b/queue-4.14/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch new file mode 100644 index 00000000000..347cabe53f1 --- /dev/null +++ b/queue-4.14/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch @@ -0,0 +1,39 @@ +From 3c33c526c04b05f73004d8ce33f76ba604fb8827 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 19:22:04 +0800 +Subject: net/mlx5: Fix uninitialized variable bug in outlen_write() + +From: YueHaibing + +[ Upstream commit 3f5769a074c13d8f08455e40586600419e02a880 ] + +If sscanf() return 0, outlen is uninitialized and used in kzalloc(), +this is unexpected. We should return -EINVAL if the string is invalid. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: YueHaibing +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 6ae9a1987371..ad8be0a81546 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1309,8 +1309,8 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf, + return -EFAULT; + + err = sscanf(outlen_str, "%d", &outlen); +- if (err < 0) +- return err; ++ if (err != 1) ++ return -EINVAL; + + ptr = kzalloc(outlen, GFP_KERNEL); + if (!ptr) +-- +2.35.1 + diff --git a/queue-4.14/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch b/queue-4.14/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch new file mode 100644 index 00000000000..45e9911ec5a --- /dev/null +++ b/queue-4.14/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch @@ -0,0 +1,48 @@ +From 754526358204acee98144f5886f390d60ee1abfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 07:09:17 +0000 +Subject: net: net_netdev: Fix error handling in ntb_netdev_init_module() + +From: Yuan Can + +[ Upstream commit b8f79dccd38edf7db4911c353d9cd792ab13a327 ] + +The ntb_netdev_init_module() returns the ntb_transport_register_client() +directly without checking its return value, if +ntb_transport_register_client() failed, the NTB client device is not +unregistered. + +Fix by unregister NTB client device when ntb_transport_register_client() +failed. + +Fixes: 548c237c0a99 ("net: Add support for NTB virtual ethernet device") +Signed-off-by: Yuan Can +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ntb_netdev.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c +index 97bf49ad81a6..5f941e20f199 100644 +--- a/drivers/net/ntb_netdev.c ++++ b/drivers/net/ntb_netdev.c +@@ -506,7 +506,14 @@ static int __init ntb_netdev_init_module(void) + rc = ntb_transport_register_client_dev(KBUILD_MODNAME); + if (rc) + return rc; +- return ntb_transport_register_client(&ntb_netdev_client); ++ ++ rc = ntb_transport_register_client(&ntb_netdev_client); ++ if (rc) { ++ ntb_transport_unregister_client_dev(KBUILD_MODNAME); ++ return rc; ++ } ++ ++ return 0; + } + module_init(ntb_netdev_init_module); + +-- +2.35.1 + diff --git a/queue-4.14/net-phy-fix-null-ptr-deref-while-probe-failed.patch b/queue-4.14/net-phy-fix-null-ptr-deref-while-probe-failed.patch new file mode 100644 index 00000000000..0e08bb8c32e --- /dev/null +++ b/queue-4.14/net-phy-fix-null-ptr-deref-while-probe-failed.patch @@ -0,0 +1,73 @@ +From a29346a131011157685b7ec9dff00a1ac63b66b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 21:28:08 +0800 +Subject: net: phy: fix null-ptr-deref while probe() failed + +From: Yang Yingliang + +[ Upstream commit 369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6 ] + +I got a null-ptr-deref report as following when doing fault injection test: + +BUG: kernel NULL pointer dereference, address: 0000000000000058 +Oops: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+ +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +RIP: 0010:klist_put+0x2d/0xd0 +Call Trace: + + klist_remove+0xf1/0x1c0 + device_release_driver_internal+0x23e/0x2d0 + bus_remove_device+0x1bd/0x240 + device_del+0x357/0x770 + phy_device_remove+0x11/0x30 + mdiobus_unregister+0xa5/0x140 + release_nodes+0x6a/0xa0 + devres_release_all+0xf8/0x150 + device_unbind_cleanup+0x19/0xd0 + +//probe path: +phy_device_register() + device_add() + +phy_connect + phy_attach_direct() //set device driver + probe() //it's failed, driver is not bound + device_bind_driver() // probe failed, it's not called + +//remove path: +phy_device_remove() + device_del() + device_release_driver_internal() + __device_release_driver() //dev->drv is not NULL + klist_remove() <- knode_driver is not added yet, cause null-ptr-deref + +In phy_attach_direct(), after setting the 'dev->driver', probe() fails, +device_bind_driver() is not called, so the knode_driver->n_klist is not +set, then it causes null-ptr-deref in __device_release_driver() while +deleting device. Fix this by setting dev->driver to NULL in the error +path in phy_attach_direct(). + +Fixes: e13934563db0 ("[PATCH] PHY Layer fixup") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index b51bca051c47..5d557a005f85 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1050,6 +1050,7 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev, + + error_module_put: + module_put(d->driver->owner); ++ d->driver = NULL; + error_put_device: + put_device(d); + if (ndev_owner != bus->owner) +-- +2.35.1 + diff --git a/queue-4.14/of-property-decrement-node-refcount-in-of_fwnode_get.patch b/queue-4.14/of-property-decrement-node-refcount-in-of_fwnode_get.patch new file mode 100644 index 00000000000..25bd120666d --- /dev/null +++ b/queue-4.14/of-property-decrement-node-refcount-in-of_fwnode_get.patch @@ -0,0 +1,47 @@ +From 86b0bd6a434c4c99727b267919816665f189588f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 10:32:09 +0800 +Subject: of: property: decrement node refcount in + of_fwnode_get_reference_args() + +From: Yang Yingliang + +[ Upstream commit 60d865bd5a9b15a3961eb1c08bd4155682a3c81e ] + +In of_fwnode_get_reference_args(), the refcount of of_args.np has +been incremented in the case of successful return from +of_parse_phandle_with_args() or of_parse_phandle_with_fixed_args(). + +Decrement the refcount if of_args is not returned to the caller of +of_fwnode_get_reference_args(). + +Fixes: 3e3119d3088f ("device property: Introduce fwnode_property_get_reference_args") +Signed-off-by: Yang Yingliang +Reviewed-by: Sakari Ailus +Reviewed-by: Frank Rowand +Link: https://lore.kernel.org/r/20221121023209.3909759-1-yangyingliang@huawei.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/property.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/of/property.c b/drivers/of/property.c +index fd9b734fff33..c017b11b00cb 100644 +--- a/drivers/of/property.c ++++ b/drivers/of/property.c +@@ -922,8 +922,10 @@ of_fwnode_get_reference_args(const struct fwnode_handle *fwnode, + nargs, index, &of_args); + if (ret < 0) + return ret; +- if (!args) ++ if (!args) { ++ of_node_put(of_args.np); + return 0; ++ } + + args->nargs = of_args.args_count; + args->fwnode = of_fwnode_handle(of_args.np); +-- +2.35.1 + diff --git a/queue-4.14/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch b/queue-4.14/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch new file mode 100644 index 00000000000..bf77ec47cd3 --- /dev/null +++ b/queue-4.14/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch @@ -0,0 +1,49 @@ +From 47baf24e851e2af8e318f80a9853c24c5980187c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 11:18:12 -0500 +Subject: packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE + +From: Willem de Bruijn + +[ Upstream commit b85f628aa158a653c006e9c1405a117baef8c868 ] + +CHECKSUM_COMPLETE signals that skb->csum stores the sum over the +entire packet. It does not imply that an embedded l4 checksum +field has been validated. + +Fixes: 682f048bd494 ("af_packet: pass checksum validation status to the user") +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20221128161812.640098-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 61093ce76b61..1be5fb6af017 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2248,8 +2248,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + if (skb->ip_summed == CHECKSUM_PARTIAL) + status |= TP_STATUS_CSUMNOTREADY; + else if (skb->pkt_type != PACKET_OUTGOING && +- (skb->ip_summed == CHECKSUM_COMPLETE || +- skb_csum_unnecessary(skb))) ++ skb_csum_unnecessary(skb)) + status |= TP_STATUS_CSUM_VALID; + + if (snaplen > res) +@@ -3488,8 +3487,7 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + if (skb->ip_summed == CHECKSUM_PARTIAL) + aux.tp_status |= TP_STATUS_CSUMNOTREADY; + else if (skb->pkt_type != PACKET_OUTGOING && +- (skb->ip_summed == CHECKSUM_COMPLETE || +- skb_csum_unnecessary(skb))) ++ skb_csum_unnecessary(skb)) + aux.tp_status |= TP_STATUS_CSUM_VALID; + + aux.tp_len = origlen; +-- +2.35.1 + diff --git a/queue-4.14/perf-add-sample_flags-to-indicate-the-pmu-filled-sam.patch b/queue-4.14/perf-add-sample_flags-to-indicate-the-pmu-filled-sam.patch new file mode 100644 index 00000000000..c8ac77995d8 --- /dev/null +++ b/queue-4.14/perf-add-sample_flags-to-indicate-the-pmu-filled-sam.patch @@ -0,0 +1,121 @@ +From 6b1ee31694c1ae2e6ce12e4439bc20b6748e95aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 06:09:54 -0700 +Subject: perf: Add sample_flags to indicate the PMU-filled sample data + +From: Kan Liang + +[ Upstream commit 3aac580d5cc3001ca1627725b3b61edb529f341d ] + +On some platforms, some data e.g., timestamps, can be retrieved from +the PMU driver. Usually, the data from the PMU driver is more accurate. +The current perf kernel should output the PMU-filled sample data if +it's available. + +To check the availability of the PMU-filled sample data, the current +perf kernel initializes the related fields in the +perf_sample_data_init(). When outputting a sample, the perf checks +whether the field is updated by the PMU driver. If yes, the updated +value will be output. If not, the perf uses an SW way to calculate the +value or just outputs the initialized value if an SW way is unavailable +either. + +With more and more data being provided by the PMU driver, more fields +has to be initialized in the perf_sample_data_init(). That will +increase the number of cache lines touched in perf_sample_data_init() +and be harmful to the performance. + +Add new "sample_flags" to indicate the PMU-filled sample data. The PMU +driver should set the corresponding PERF_SAMPLE_ flag when the field is +updated. The initialization of the corresponding field is not required +anymore. The following patches will make use of it and remove the +corresponding fields from the perf_sample_data_init(), which will +further minimize the number of cache lines touched. + +Only clear the sample flags that have already been done by the PMU +driver in the perf_prepare_sample() for the PERF_RECORD_SAMPLE. For the +other PERF_RECORD_ event type, the sample data is not available. + +Suggested-by: Peter Zijlstra (Intel) +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20220901130959.1285717-2-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + include/linux/perf_event.h | 2 ++ + kernel/events/core.c | 17 +++++++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h +index 41a3307a971c..5efd8109ad0a 100644 +--- a/include/linux/perf_event.h ++++ b/include/linux/perf_event.h +@@ -899,6 +899,7 @@ struct perf_sample_data { + * Fields set by perf_sample_data_init(), group so as to + * minimize the cachelines touched. + */ ++ u64 sample_flags; + u64 addr; + struct perf_raw_record *raw; + struct perf_branch_stack *br_stack; +@@ -950,6 +951,7 @@ static inline void perf_sample_data_init(struct perf_sample_data *data, + u64 addr, u64 period) + { + /* remaining struct members initialized in perf_prepare_sample() */ ++ data->sample_flags = 0; + data->addr = addr; + data->raw = NULL; + data->br_stack = NULL; +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 2ad8acff03db..7ad142a5327e 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5767,11 +5767,10 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, + + static void __perf_event_header__init_id(struct perf_event_header *header, + struct perf_sample_data *data, +- struct perf_event *event) ++ struct perf_event *event, ++ u64 sample_type) + { +- u64 sample_type = event->attr.sample_type; +- +- data->type = sample_type; ++ data->type = event->attr.sample_type; + header->size += event->id_header_size; + + if (sample_type & PERF_SAMPLE_TID) { +@@ -5800,7 +5799,7 @@ void perf_event_header__init_id(struct perf_event_header *header, + struct perf_event *event) + { + if (event->attr.sample_id_all) +- __perf_event_header__init_id(header, data, event); ++ __perf_event_header__init_id(header, data, event, event->attr.sample_type); + } + + static void __perf_event__output_id_sample(struct perf_output_handle *handle, +@@ -6148,6 +6147,7 @@ void perf_prepare_sample(struct perf_event_header *header, + struct pt_regs *regs) + { + u64 sample_type = event->attr.sample_type; ++ u64 filtered_sample_type; + + header->type = PERF_RECORD_SAMPLE; + header->size = sizeof(*header) + event->header_size; +@@ -6155,7 +6155,12 @@ void perf_prepare_sample(struct perf_event_header *header, + header->misc = 0; + header->misc |= perf_misc_flags(regs); + +- __perf_event_header__init_id(header, data, event); ++ /* ++ * Clear the sample flags that have already been done by the ++ * PMU driver. ++ */ ++ filtered_sample_type = sample_type & ~data->sample_flags; ++ __perf_event_header__init_id(header, data, event, filtered_sample_type); + + if (sample_type & PERF_SAMPLE_IP) + data->ip = perf_instruction_pointer(regs); +-- +2.35.1 + diff --git a/queue-4.14/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch b/queue-4.14/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch new file mode 100644 index 00000000000..f4a82387fa8 --- /dev/null +++ b/queue-4.14/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch @@ -0,0 +1,70 @@ +From 45af11294302a5be090b755c0fe138e66af916f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 18:06:42 +0800 +Subject: qlcnic: fix sleep-in-atomic-context bugs caused by msleep + +From: Duoming Zhou + +[ Upstream commit 8dbd6e4ce1b9c527921643d9e34f188a10d4e893 ] + +The watchdog timer is used to monitor whether the process +of transmitting data is timeout. If we use qlcnic driver, +the dev_watchdog() that is the timer handler of watchdog +timer will call qlcnic_tx_timeout() to process the timeout. +But the qlcnic_tx_timeout() calls msleep(), as a result, +the sleep-in-atomic-context bugs will happen. The processes +are shown below: + + (atomic context) +dev_watchdog + qlcnic_tx_timeout + qlcnic_83xx_idc_request_reset + qlcnic_83xx_lock_driver + msleep + +--------------------------- + + (atomic context) +dev_watchdog + qlcnic_tx_timeout + qlcnic_83xx_idc_request_reset + qlcnic_83xx_lock_driver + qlcnic_83xx_recover_driver_lock + msleep + +Fix by changing msleep() to mdelay(), the mdelay() is +busy-waiting and the bugs could be mitigated. + +Fixes: 629263acaea3 ("qlcnic: 83xx CNA inter driver communication mechanism") +Signed-off-by: Duoming Zhou +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +index 3c0862f9b381..079480b2786d 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +@@ -2992,7 +2992,7 @@ static void qlcnic_83xx_recover_driver_lock(struct qlcnic_adapter *adapter) + QLCWRX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK, val); + dev_info(&adapter->pdev->dev, + "%s: lock recovery initiated\n", __func__); +- msleep(QLC_83XX_DRV_LOCK_RECOVERY_DELAY); ++ mdelay(QLC_83XX_DRV_LOCK_RECOVERY_DELAY); + val = QLCRDX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK); + id = ((val >> 2) & 0xF); + if (id == adapter->portnum) { +@@ -3028,7 +3028,7 @@ int qlcnic_83xx_lock_driver(struct qlcnic_adapter *adapter) + if (status) + break; + +- msleep(QLC_83XX_DRV_LOCK_WAIT_DELAY); ++ mdelay(QLC_83XX_DRV_LOCK_WAIT_DELAY); + i++; + + if (i == 1) +-- +2.35.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 06a440a1241..98ff95e24d9 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -36,3 +36,25 @@ platform-x86-hp-wmi-ignore-smart-experience-app-even.patch tcp-configurable-source-port-perturb-table-size.patch net-usb-qmi_wwan-add-telit-0x103a-composition.patch drm-amdgpu-always-register-an-mmu-notifier-for-userptr.patch +iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch +iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch +iio-light-rpr0521-add-missing-kconfig-dependencies.patch +hwmon-i5500_temp-fix-missing-pci_disable_device.patch +hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch +of-property-decrement-node-refcount-in-of_fwnode_get.patch +net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch +can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch +can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch +qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch +net-phy-fix-null-ptr-deref-while-probe-failed.patch +net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch +net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch +dsa-lan9303-correct-stat-name.patch +net-hsr-fix-potential-use-after-free.patch +packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch +net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch +hwmon-coretemp-check-for-null-before-removing-sysfs-.patch +hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch +kbuild-fix-wimplicit-function-declaration-in-license.patch +perf-add-sample_flags-to-indicate-the-pmu-filled-sam.patch +btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch -- 2.47.3