5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 20 Oct 2023 18:04:10 +0000 (20:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 20 Oct 2023 18:04:10 +0000 (20:04 +0200)
added patches:
asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch
asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch
asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch
asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch
drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch
nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch

queue-5.15/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch [new file with mode: 0644]
queue-5.15/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch [new file with mode: 0644]
queue-5.15/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch [new file with mode: 0644]
queue-5.15/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch [new file with mode: 0644]
queue-5.15/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch [new file with mode: 0644]
queue-5.15/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch b/queue-5.15/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch
new file mode 100644 (file)
index 0000000..efdfdc9
--- /dev/null
@@ -0,0 +1,36 @@
+From bfbc79de60c53e5fed505390440b87ef59ee268c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Tue, 3 Oct 2023 17:55:52 +0200
+Subject: ASoC: codecs: wcd938x: drop bogus bind error handling
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit bfbc79de60c53e5fed505390440b87ef59ee268c upstream.
+
+Drop the bogus error handling for a soundwire device backcast during
+bind() that cannot fail.
+
+Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
+Cc: stable@vger.kernel.org      # 5.14
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20231003155558.27079-2-johan+linaro@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wcd938x.c |    4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/sound/soc/codecs/wcd938x.c
++++ b/sound/soc/codecs/wcd938x.c
+@@ -4424,10 +4424,6 @@ static int wcd938x_bind(struct device *d
+       wcd938x->sdw_priv[AIF1_CAP] = dev_get_drvdata(wcd938x->txdev);
+       wcd938x->sdw_priv[AIF1_CAP]->wcd938x = wcd938x;
+       wcd938x->tx_sdw_dev = dev_to_sdw_dev(wcd938x->txdev);
+-      if (!wcd938x->tx_sdw_dev) {
+-              dev_err(dev, "could not get txslave with matching of dev\n");
+-              return -EINVAL;
+-      }
+       /* As TX is main CSR reg interface, which should not be suspended first.
+        * expicilty add the dependency link */
diff --git a/queue-5.15/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch b/queue-5.15/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch
new file mode 100644 (file)
index 0000000..643c0d5
--- /dev/null
@@ -0,0 +1,37 @@
+From fa2f8a991ba4aa733ac1c3b1be0c86148aa4c52c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Tue, 3 Oct 2023 17:55:53 +0200
+Subject: ASoC: codecs: wcd938x: fix unbind tear down order
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit fa2f8a991ba4aa733ac1c3b1be0c86148aa4c52c upstream.
+
+Make sure to deregister the component before tearing down the resources
+it depends on during unbind().
+
+Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
+Cc: stable@vger.kernel.org      # 5.14
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20231003155558.27079-3-johan+linaro@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wcd938x.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wcd938x.c
++++ b/sound/soc/codecs/wcd938x.c
+@@ -4480,10 +4480,10 @@ static void wcd938x_unbind(struct device
+ {
+       struct wcd938x_priv *wcd938x = dev_get_drvdata(dev);
++      snd_soc_unregister_component(dev);
+       device_link_remove(dev, wcd938x->txdev);
+       device_link_remove(dev, wcd938x->rxdev);
+       device_link_remove(wcd938x->rxdev, wcd938x->txdev);
+-      snd_soc_unregister_component(dev);
+       component_unbind_all(dev, wcd938x);
+ }
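Review bot: Moving `snd_soc_unregister_component(dev)` to the top of wcd938x_unbind() creates an ordering requirement that nothing in the function records, so a later cleanup could move it back below the `device_link_remove()` calls and reintroduce the tear-down-order bug. A short comment above the call would pin it, for example `/* Unregister the component first; it depends on the links and sub-devices torn down below. */`. The matching bind() path is outside this hunk, so it is not visible here whether unbind releases everything bind acquired (for example any references held on `rxdev`/`txdev`); that is worth checking against the full function.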
diff --git a/queue-5.15/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch b/queue-5.15/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch
new file mode 100644 (file)
index 0000000..3e50a89
--- /dev/null
@@ -0,0 +1,56 @@
+From c5c0383082eace13da2ffceeea154db2780165e7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Tue, 3 Oct 2023 17:55:58 +0200
+Subject: ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit c5c0383082eace13da2ffceeea154db2780165e7 upstream.
+
+Make sure to balance the runtime PM operations, including the disable
+count, on probe errors and on driver unbind.
+
+Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
+Cc: stable@vger.kernel.org      # 5.14
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20231003155558.27079-8-johan+linaro@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wcd938x-sdw.c |   17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wcd938x-sdw.c
++++ b/sound/soc/codecs/wcd938x-sdw.c
+@@ -266,7 +266,18 @@ static int wcd9380_probe(struct sdw_slav
+       pm_runtime_set_active(dev);
+       pm_runtime_enable(dev);
+-      return component_add(dev, &wcd938x_sdw_component_ops);
++      ret = component_add(dev, &wcd938x_sdw_component_ops);
++      if (ret)
++              goto err_disable_rpm;
++
++      return 0;
++
++err_disable_rpm:
++      pm_runtime_disable(dev);
++      pm_runtime_set_suspended(dev);
++      pm_runtime_dont_use_autosuspend(dev);
++
++      return ret;
+ }
+ static int wcd9380_remove(struct sdw_slave *pdev)
+@@ -275,6 +286,10 @@ static int wcd9380_remove(struct sdw_sla
+       component_del(dev, &wcd938x_sdw_component_ops);
++      pm_runtime_disable(dev);
++      pm_runtime_set_suspended(dev);
++      pm_runtime_dont_use_autosuspend(dev);
++
+       return 0;
+ }
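Review bot: In wcd9380_remove() runtime PM is disabled only after `component_del()` has returned, so a runtime PM callback can presumably still run while or just after the aggregate device is unbound; the callbacks are not in this hunk, so confirm they do not touch state that unbind tears down. The second hunk edits wcd9380_remove(), which, going by the other patch on this page, 5.15 only has once asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch is applied; the series file here lists that patch first, and the dependency matters if either patch is dropped or reordered. The three-call teardown is repeated verbatim under `err_disable_rpm` and in remove, so a one-line comment such as `/* undo the runtime PM setup done in probe */` at both sites would make the pairing explicit. wcd9380_probe() starts outside the hunk.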
diff --git a/queue-5.15/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch b/queue-5.15/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch
new file mode 100644 (file)
index 0000000..dd45a99
--- /dev/null
@@ -0,0 +1,49 @@
+From f0dfdcbe706462495d47982eecd13a61aabd644d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Tue, 3 Oct 2023 17:55:57 +0200
+Subject: ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit f0dfdcbe706462495d47982eecd13a61aabd644d upstream.
+
+Make sure to deregister the component when the driver is being unbound
+and before the underlying device-managed resources are freed.
+
+Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
+Cc: stable@vger.kernel.org      # 5.14
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20231003155558.27079-7-johan+linaro@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wcd938x-sdw.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/sound/soc/codecs/wcd938x-sdw.c
++++ b/sound/soc/codecs/wcd938x-sdw.c
+@@ -269,6 +269,15 @@ static int wcd9380_probe(struct sdw_slav
+       return component_add(dev, &wcd938x_sdw_component_ops);
+ }
++static int wcd9380_remove(struct sdw_slave *pdev)
++{
++      struct device *dev = &pdev->dev;
++
++      component_del(dev, &wcd938x_sdw_component_ops);
++
++      return 0;
++}
++
+ static const struct sdw_device_id wcd9380_slave_id[] = {
+       SDW_SLAVE_ENTRY(0x0217, 0x10d, 0),
+       {},
+@@ -307,6 +316,7 @@ static const struct dev_pm_ops wcd938x_s
+ static struct sdw_driver wcd9380_codec_driver = {
+       .probe  = wcd9380_probe,
++      .remove = wcd9380_remove,
+       .ops = &wcd9380_slave_ops,
+       .id_table = wcd9380_slave_id,
+       .driver = {
diff --git a/queue-5.15/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch b/queue-5.15/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch
new file mode 100644 (file)
index 0000000..34d6c44
--- /dev/null
@@ -0,0 +1,52 @@
+From e339c6d628fe66c9b64bf31040a55770952aec57 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Thu, 12 Oct 2023 16:28:01 +0300
+Subject: drm/i915: Retry gtt fault when out of fence registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit e339c6d628fe66c9b64bf31040a55770952aec57 upstream.
+
+If we can't find a free fence register to handle a fault in the GMADR
+range just return VM_FAULT_NOPAGE without populating the PTE so that
+userspace will retry the access and trigger another fault. Eventually
+we should find a free fence and the fault will get properly handled.
+
+A further improvement idea might be to reserve a fence (or one per CPU?)
+for the express purpose of handling faults without having to retry. But
+that would require some additional work.
+
+Looks like this may have gotten broken originally by
+commit 39965b376601 ("drm/i915: don't trash the gtt when running out of fences")
+as that changed the errno to -EDEADLK which wasn't handle by the gtt
+fault code either. But later in commit 2feeb52859fc ("drm/i915/gt: Fix
+-EDEADLK handling regression") I changed it again to -ENOBUFS as -EDEADLK
+was now getting used for the ww mutex dance. So this fix only makes
+sense after that last commit.
+
+Cc: stable@vger.kernel.org
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/9479
+Fixes: 2feeb52859fc ("drm/i915/gt: Fix -EDEADLK handling regression")
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231012132801.16292-1-ville.syrjala@linux.intel.com
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+(cherry picked from commit 7f403caabe811b88ab0de3811ff3f4782c415761)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_mman.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+@@ -231,6 +231,7 @@ static vm_fault_t i915_error_to_vmf_faul
+       case 0:
+       case -EAGAIN:
+       case -ENOSPC: /* transient failure to evict? */
++      case -ENOBUFS: /* temporarily out of fences? */
+       case -ERESTARTSYS:
+       case -EINTR:
+       case -EBUSY:
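Review bot: The added `case -ENOBUFS:` sends the access back to userspace for a retry, but nothing visible bounds or paces those retries, so a thread faulting while every fence register stays busy would presumably spin through repeated faults until one is released. The commit message itself only says a free fence should be found "eventually". The trailing comment could state that reliance, e.g. `/* out of fences: return NOPAGE and let the access refault until one frees up */`. The message also notes that the fix only makes sense on top of 2feeb52859fc, so it is worth confirming that commit is present in the 5.15 tree. The switch and the rest of i915_error_to_vmf_fault() lie outside the hunk.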
diff --git a/queue-5.15/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch b/queue-5.15/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
new file mode 100644 (file)
index 0000000..1d0a877
--- /dev/null
@@ -0,0 +1,61 @@
+From d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 2 Oct 2023 13:54:28 +0300
+Subject: nvmet-tcp: Fix a possible UAF in queue intialization setup
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd upstream.
+
+From Alon:
+"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
+a malicious user can cause a UAF and a double free, which may lead to
+RCE (may also lead to an LPE in case the attacker already has local
+privileges)."
+
+Hence, when a queue initialization fails after the ahash requests are
+allocated, it is guaranteed that the queue removal async work will be
+called, hence leave the deallocation to the queue removal.
+
+Also, be extra careful not to continue processing the socket, so set
+queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
+
+Cc: stable@vger.kernel.org
+Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
+Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/tcp.c |    7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -348,6 +348,7 @@ static void nvmet_tcp_fatal_error(struct
+ static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status)
+ {
++      queue->rcv_state = NVMET_TCP_RECV_ERR;
+       if (status == -EPIPE || status == -ECONNRESET)
+               kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+       else
+@@ -894,15 +895,11 @@ static int nvmet_tcp_handle_icreq(struct
+       iov.iov_len = sizeof(*icresp);
+       ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len);
+       if (ret < 0)
+-              goto free_crypto;
++              return ret; /* queue removal will cleanup */
+       queue->state = NVMET_TCP_Q_LIVE;
+       nvmet_prepare_receive_pdu(queue);
+       return 0;
+-free_crypto:
+-      if (queue->hdr_digest || queue->data_digest)
+-              nvmet_tcp_free_crypto(queue);
+-      return ret;
+ }
+ static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
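Review bot: The early `return ret; /* queue removal will cleanup */` in nvmet_tcp_handle_icreq() relies on an invariant that lives outside this hunk: every caller must route a negative return into the queue-release work, and that work must be the only place that frees the digest ahash requests. The comment should say so, since a local free added here later would bring back the double free described in the commit message; something like `/* do not free crypto here: the queue release work owns it and always runs after a failed icreq */`. Separately, only `ret < 0` is treated as failure, so a short `kernel_sendmsg()` of the ICResp would still mark the queue `NVMET_TCP_Q_LIVE`; whether a partial send is possible depends on the msg flags, which are not shown. Both functions start outside the hunk.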
index bf5569cf324bf243b4f1c256d501558165a7e3e1..a856bcc434946f403e4cd0f053ff57b260be5d57 100644 (file)
@@ -23,3 +23,9 @@ fs-ntfs3-fix-possible-null-pointer-dereference-in-hdr_find_e.patch
 fs-ntfs3-fix-panic-about-slab-out-of-bounds-caused-by-ntfs_list_ea.patch
 fs-ntfs3-fix-deadlock-in-mark_as_free_ex.patch
 netfilter-nft_payload-fix-wrong-mac-header-matching.patch
+nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
+drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch
+asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch
+asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch
+asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch
+asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch