Fixes for 6.1
authorSasha Levin <sashal@kernel.org>
Fri, 29 Sep 2023 13:45:19 +0000 (09:45 -0400)
committerSasha Levin <sashal@kernel.org>
Fri, 29 Sep 2023 13:45:19 +0000 (09:45 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-6.1/btrfs-reset-destination-buffer-when-read_extent_buff.patch [new file with mode: 0644]
queue-6.1/mips-alchemy-only-build-mmc-support-helpers-if-au1xm.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/spi-spi-gxp-bug-correct-spi-write-return-value.patch [new file with mode: 0644]
queue-6.1/vfio-mdev-fix-a-null-ptr-deref-bug-for-mdev_unregist.patch [new file with mode: 0644]

diff --git a/queue-6.1/btrfs-reset-destination-buffer-when-read_extent_buff.patch b/queue-6.1/btrfs-reset-destination-buffer-when-read_extent_buff.patch
new file mode 100644 (file)
index 0000000..53d6a7a
--- /dev/null
@@ -0,0 +1,63 @@
+From 422f46a4b636d2a2964b4919e8b1b8bc5be1e319 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 11:44:42 +0930
+Subject: btrfs: reset destination buffer when read_extent_buffer() gets
+ invalid range
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 74ee79142c0a344d4eae2eb7012ebc4e82254109 ]
+
+Commit f98b6215d7d1 ("btrfs: extent_io: do extra check for extent buffer
+read write functions") changed how we handle invalid extent buffer range
+for read_extent_buffer().
+
+Previously if the range is invalid we just set the destination to zero,
+but after the patch we do nothing and error out.
+
+This can lead to smatch static checker errors like:
+
+  fs/btrfs/print-tree.c:186 print_uuid_item() error: uninitialized symbol 'subvol_id'.
+  fs/btrfs/tests/extent-io-tests.c:338 check_eb_bitmap() error: uninitialized symbol 'has'.
+  fs/btrfs/tests/extent-io-tests.c:353 check_eb_bitmap() error: uninitialized symbol 'has'.
+  fs/btrfs/uuid-tree.c:203 btrfs_uuid_tree_remove() error: uninitialized symbol 'read_subid'.
+  fs/btrfs/uuid-tree.c:353 btrfs_uuid_tree_iterate() error: uninitialized symbol 'subid_le'.
+  fs/btrfs/uuid-tree.c:72 btrfs_uuid_tree_lookup() error: uninitialized symbol 'data'.
+  fs/btrfs/volumes.c:7415 btrfs_dev_stats_value() error: uninitialized symbol 'val'.
+
+Fix those warnings by reverting back to the old memset() behavior.
+By this we keep the static checker happy and would still make a lot of
+noise when such invalid ranges are passed in.
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: f98b6215d7d1 ("btrfs: extent_io: do extra check for extent buffer read write functions")
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent_io.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
+index 0ad69041954ff..afcc96a1f4276 100644
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -5184,8 +5184,14 @@ void read_extent_buffer(const struct extent_buffer *eb, void *dstv,
+       char *dst = (char *)dstv;
+       unsigned long i = get_eb_page_index(start);
+-      if (check_eb_range(eb, start, len))
++      if (check_eb_range(eb, start, len)) {
++              /*
++               * Invalid range hit, reset the memory, so callers won't get
++               * some random garbage for their uninitialzed memory.
++               */
++              memset(dstv, 0, len);
+               return;
++      }
+       offset = get_eb_offset_in_page(eb, start);
+-- 
+2.40.1
+
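Review bot: read_extent_buffer() returns void, so after the added `memset(dstv, 0, len)` a caller cannot tell a rejected range from a region that really contains zeros, and will use the zeroed value as if it had been read. Zeroing is still the safer default, because it keeps stale stack or heap contents from being consumed, but the new comment should state the precondition: `/* Invalid range: zero dst so callers never act on uninitialized memory; dstv must hold at least len bytes. */`. That precondition matters on this path because the start/len pair has just failed check_eb_range(), so the memset is bounded only by the caller's buffer. The added comment also misspells "uninitialized". The function body starts and ends outside this hunk.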
diff --git a/queue-6.1/mips-alchemy-only-build-mmc-support-helpers-if-au1xm.patch b/queue-6.1/mips-alchemy-only-build-mmc-support-helpers-if-au1xm.patch
new file mode 100644 (file)
index 0000000..7bad939
--- /dev/null
@@ -0,0 +1,134 @@
+From 33e93238b9ea4b42d1c5c176f7448a009f5ff240 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 09:06:56 +0200
+Subject: MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit ef8f8f04a0b25e8f294b24350e8463a8d6a9ba0b ]
+
+While commit d4a5c59a955b ("mmc: au1xmmc: force non-modular build and
+remove symbol_get usage") to be built in, it can still build a kernel
+without MMC support and thuse no mmc_detect_change symbol at all.
+
+Add ifdefs to build the mmc support code in the alchemy arch code
+conditional on mmc support.
+
+Fixes: d4a5c59a955b ("mmc: au1xmmc: force non-modular build and remove symbol_get usage")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/alchemy/devboards/db1000.c | 4 ++++
+ arch/mips/alchemy/devboards/db1200.c | 6 ++++++
+ arch/mips/alchemy/devboards/db1300.c | 4 ++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/arch/mips/alchemy/devboards/db1000.c b/arch/mips/alchemy/devboards/db1000.c
+index 50de86eb8784c..3183df60ad337 100644
+--- a/arch/mips/alchemy/devboards/db1000.c
++++ b/arch/mips/alchemy/devboards/db1000.c
+@@ -164,6 +164,7 @@ static struct platform_device db1x00_audio_dev = {
+ /******************************************************************************/
++#ifdef CONFIG_MMC_AU1X
+ static irqreturn_t db1100_mmc_cd(int irq, void *ptr)
+ {
+       mmc_detect_change(ptr, msecs_to_jiffies(500));
+@@ -369,6 +370,7 @@ static struct platform_device db1100_mmc1_dev = {
+       .num_resources  = ARRAY_SIZE(au1100_mmc1_res),
+       .resource       = au1100_mmc1_res,
+ };
++#endif /* CONFIG_MMC_AU1X */
+ /******************************************************************************/
+@@ -432,8 +434,10 @@ static struct platform_device *db1x00_devs[] = {
+ static struct platform_device *db1100_devs[] = {
+       &au1100_lcd_device,
++#ifdef CONFIG_MMC_AU1X
+       &db1100_mmc0_dev,
+       &db1100_mmc1_dev,
++#endif
+ };
+ int __init db1000_dev_setup(void)
+diff --git a/arch/mips/alchemy/devboards/db1200.c b/arch/mips/alchemy/devboards/db1200.c
+index 76080c71a2a7b..f521874ebb07b 100644
+--- a/arch/mips/alchemy/devboards/db1200.c
++++ b/arch/mips/alchemy/devboards/db1200.c
+@@ -326,6 +326,7 @@ static struct platform_device db1200_ide_dev = {
+ /**********************************************************************/
++#ifdef CONFIG_MMC_AU1X
+ /* SD carddetects:  they're supposed to be edge-triggered, but ack
+  * doesn't seem to work (CPLD Rev 2).  Instead, the screaming one
+  * is disabled and its counterpart enabled.  The 200ms timeout is
+@@ -584,6 +585,7 @@ static struct platform_device pb1200_mmc1_dev = {
+       .num_resources  = ARRAY_SIZE(au1200_mmc1_res),
+       .resource       = au1200_mmc1_res,
+ };
++#endif /* CONFIG_MMC_AU1X */
+ /**********************************************************************/
+@@ -751,7 +753,9 @@ static struct platform_device db1200_audiodma_dev = {
+ static struct platform_device *db1200_devs[] __initdata = {
+       NULL,           /* PSC0, selected by S6.8 */
+       &db1200_ide_dev,
++#ifdef CONFIG_MMC_AU1X
+       &db1200_mmc0_dev,
++#endif
+       &au1200_lcd_dev,
+       &db1200_eth_dev,
+       &db1200_nand_dev,
+@@ -762,7 +766,9 @@ static struct platform_device *db1200_devs[] __initdata = {
+ };
+ static struct platform_device *pb1200_devs[] __initdata = {
++#ifdef CONFIG_MMC_AU1X
+       &pb1200_mmc1_dev,
++#endif
+ };
+ /* Some peripheral base addresses differ on the PB1200 */
+diff --git a/arch/mips/alchemy/devboards/db1300.c b/arch/mips/alchemy/devboards/db1300.c
+index ff61901329c62..d377e043b49f8 100644
+--- a/arch/mips/alchemy/devboards/db1300.c
++++ b/arch/mips/alchemy/devboards/db1300.c
+@@ -450,6 +450,7 @@ static struct platform_device db1300_ide_dev = {
+ /**********************************************************************/
++#ifdef CONFIG_MMC_AU1X
+ static irqreturn_t db1300_mmc_cd(int irq, void *ptr)
+ {
+       disable_irq_nosync(irq);
+@@ -632,6 +633,7 @@ static struct platform_device db1300_sd0_dev = {
+       .resource       = au1300_sd0_res,
+       .num_resources  = ARRAY_SIZE(au1300_sd0_res),
+ };
++#endif /* CONFIG_MMC_AU1X */
+ /**********************************************************************/
+@@ -767,8 +769,10 @@ static struct platform_device *db1300_dev[] __initdata = {
+       &db1300_5waysw_dev,
+       &db1300_nand_dev,
+       &db1300_ide_dev,
++#ifdef CONFIG_MMC_AU1X
+       &db1300_sd0_dev,
+       &db1300_sd1_dev,
++#endif
+       &db1300_lcd_dev,
+       &db1300_ac97_dev,
+       &db1300_i2s_dev,
+-- 
+2.40.1
+
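Review bot: With CONFIG_MMC_AU1X unset, the initializer of `pb1200_devs[]` in the db1200.c hunk becomes empty, so the array has zero length. That is accepted only as a GNU C extension, and whatever registers these devices (outside the hunks shown) has to cope with a count of zero. A comment such as `/* may be empty when CONFIG_MMC_AU1X is off */` above the array would mark this as intentional. Separately, `#ifdef CONFIG_MMC_AU1X` is true only for a built-in driver, so this backport presumably depends on d4a5c59a955b already being in the 6.1 tree. If the option can still be `m` there, the MMC platform devices would be dropped silently.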
index 4be35b08fa672a7fe39771640ba3d617eec575fb..59bfef6e8e4378e7400ab34e6c7a9633a2d88320 100644 (file)
@@ -104,3 +104,7 @@ scsi-qla2xxx-select-qpair-depending-on-which-cpu-pos.patch
 scsi-qla2xxx-use-raw_smp_processor_id-instead-of-smp.patch
 drm-amdkfd-flush-tlb-after-unmapping-for-gfx-v9.4.3.patch
 drm-amdkfd-insert-missing-tlb-flush-on-gfx10-and-lat.patch
+btrfs-reset-destination-buffer-when-read_extent_buff.patch
+vfio-mdev-fix-a-null-ptr-deref-bug-for-mdev_unregist.patch
+mips-alchemy-only-build-mmc-support-helpers-if-au1xm.patch
+spi-spi-gxp-bug-correct-spi-write-return-value.patch
diff --git a/queue-6.1/spi-spi-gxp-bug-correct-spi-write-return-value.patch b/queue-6.1/spi-spi-gxp-bug-correct-spi-write-return-value.patch
new file mode 100644 (file)
index 0000000..6d82604
--- /dev/null
@@ -0,0 +1,38 @@
+From 9df3c952575323aac48207d6854fdca75954b5f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Sep 2023 21:53:39 +0000
+Subject: spi: spi-gxp: BUG: Correct spi write return value
+
+From: Charles Kearney <charles.kearney@hpe.com>
+
+[ Upstream commit 1a8196a93e493c0a50b800cb09cef60b124eee15 ]
+
+Bug fix to correct return value of gxp_spi_write function to zero.
+Completion of succesful operation should return zero.
+
+Fixes: 730bc8ba5e9e spi: spi-gxp: Add support for HPE GXP SoCs
+
+Signed-off-by: Charles Kearney <charles.kearney@hpe.com>
+Link: https://lore.kernel.org/r/20230920215339.4125856-2-charles.kearney@hpe.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-gxp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-gxp.c b/drivers/spi/spi-gxp.c
+index c900c2f39b578..21b07e2518513 100644
+--- a/drivers/spi/spi-gxp.c
++++ b/drivers/spi/spi-gxp.c
+@@ -195,7 +195,7 @@ static ssize_t gxp_spi_write(struct gxp_spi_chip *chip, const struct spi_mem_op
+               return ret;
+       }
+-      return write_len;
++      return 0;
+ }
+ static int do_gxp_exec_mem_op(struct spi_mem *mem, const struct spi_mem_op *op)
+-- 
+2.40.1
+
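Review bot: gxp_spi_write() is still declared `static ssize_t`, although after this change the visible return paths yield only `ret` on failure and 0 on success, so the return type no longer describes a byte count. Either change the type to `int`, matching do_gxp_exec_mem_op() below it, or document the contract above the function: `/* Returns 0 on success or the error code from the failed transfer; the number of bytes written is not reported. */`. If `write_len` has no other use it may now be a dead local, but most of the function is outside this hunk.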
diff --git a/queue-6.1/vfio-mdev-fix-a-null-ptr-deref-bug-for-mdev_unregist.patch b/queue-6.1/vfio-mdev-fix-a-null-ptr-deref-bug-for-mdev_unregist.patch
new file mode 100644 (file)
index 0000000..f21587b
--- /dev/null
@@ -0,0 +1,116 @@
+From a75d2d72470722367f419fe71ba739a3d8369cd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 19:55:51 +0800
+Subject: vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit c777b11d34e0f47dbbc4b018ef65ad030f2b283a ]
+
+Inject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in
+kobject_add_internal() in kobject_init_and_add() in mdev_type_add()
+in parent_create_sysfs_files(), it will return 0 and probe successfully.
+And when rmmod mdpy.ko, the mdpy_dev_exit() will call
+mdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized
+parent->types[i] in parent_remove_sysfs_files(), and it will cause
+below null-ptr-deref.
+
+If mdev_type_add() fails, return the error code and kset_unregister()
+to fix the issue.
+
+ general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+ CPU: 2 PID: 10215 Comm: rmmod Tainted: G        W        N 6.6.0-rc2+ #20
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+ RIP: 0010:__kobject_del+0x62/0x1c0
+ Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
+ RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
+ RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
+ RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
+ RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
+ R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
+ R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
+ FS:  00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
+ DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
+ DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
+ PKRU: 55555554
+ Call Trace:
+  <TASK>
+  ? die_addr+0x3d/0xa0
+  ? exc_general_protection+0x144/0x220
+  ? asm_exc_general_protection+0x22/0x30
+  ? __kobject_del+0x62/0x1c0
+  kobject_del+0x32/0x50
+  parent_remove_sysfs_files+0xd6/0x170 [mdev]
+  mdev_unregister_parent+0xfb/0x190 [mdev]
+  ? mdev_register_parent+0x270/0x270 [mdev]
+  ? find_module_all+0x9d/0xe0
+  mdpy_dev_exit+0x17/0x63 [mdpy]
+  __do_sys_delete_module.constprop.0+0x2fa/0x4b0
+  ? module_flags+0x300/0x300
+  ? __fput+0x4e7/0xa00
+  do_syscall_64+0x35/0x80
+  entry_SYSCALL_64_after_hwframe+0x46/0xb0
+ RIP: 0033:0x7fbc813221b7
+ Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
+ RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+ RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7
+ RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58
+ RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000
+ R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870
+ R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0
+  </TASK>
+ Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]
+ Dumping ftrace buffer:
+    (ftrace buffer empty)
+ ---[ end trace 0000000000000000 ]---
+ RIP: 0010:__kobject_del+0x62/0x1c0
+ Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
+ RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
+ RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
+ RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
+ RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
+ R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
+ R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
+ FS:  00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
+ DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
+ DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
+ PKRU: 55555554
+ Kernel panic - not syncing: Fatal exception
+ Dumping ftrace buffer:
+    (ftrace buffer empty)
+ Kernel Offset: disabled
+ Rebooting in 1 seconds..
+
+Fixes: da44c340c4fe ("vfio/mdev: simplify mdev_type handling")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Eric Farman <farman@linux.ibm.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/20230918115551.1423193-1-ruanjinjie@huawei.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/mdev/mdev_sysfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/mdev/mdev_sysfs.c b/drivers/vfio/mdev/mdev_sysfs.c
+index abe3359dd477f..16b007c6bbb56 100644
+--- a/drivers/vfio/mdev/mdev_sysfs.c
++++ b/drivers/vfio/mdev/mdev_sysfs.c
+@@ -233,7 +233,8 @@ int parent_create_sysfs_files(struct mdev_parent *parent)
+ out_err:
+       while (--i >= 0)
+               mdev_type_remove(parent->types[i]);
+-      return 0;
++      kset_unregister(parent->mdev_types_kset);
++      return ret;
+ }
+ static ssize_t remove_store(struct device *dev, struct device_attribute *attr,
+-- 
+2.40.1
+
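Review bot: After the added `kset_unregister(parent->mdev_types_kset);` the pointer stored in parent->mdev_types_kset is left dangling, so any later path that reaches parent_remove_sysfs_files() for this parent would touch the kset again. The caller is outside the hunk, so this may be unreachable now that the error is propagated, but clearing the field makes the error path safe on its own: add `parent->mdev_types_kset = NULL;` right after the unregister. It is also worth confirming that `ret` always holds the mdev_type_add() failure when `out_err` is reached, since that assignment is above the hunk.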