Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Mon, 19 Sep 2022 12:26:45 +0000 (08:26 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 19 Sep 2022 12:26:45 +0000 (08:26 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.19/efi-libstub-disable-shadow-call-stack.patch [new file with mode: 0644]
queue-4.19/efi-libstub-disable-struct-randomization.patch [new file with mode: 0644]
queue-4.19/mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch [new file with mode: 0644]
queue-4.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch [new file with mode: 0644]
queue-4.19/nvmet-fix-a-use-after-free.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/efi-libstub-disable-shadow-call-stack.patch b/queue-4.19/efi-libstub-disable-shadow-call-stack.patch
new file mode 100644 (file)
index 0000000..7ee291a
--- /dev/null
@@ -0,0 +1,39 @@
+From 617bdc131a75a444da24b369185c61fd864cba4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Apr 2020 09:00:18 -0700
+Subject: efi/libstub: Disable Shadow Call Stack
+
+From: Sami Tolvanen <samitolvanen@google.com>
+
+[ Upstream commit cc49c71d2abe99c1c2c9bedf0693ad2d3ee4a067 ]
+
+Shadow stacks are not available in the EFI stub, filter out SCS flags.
+
+Suggested-by: James Morse <james.morse@arm.com>
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Stable-dep-of: 1a3887924a7e ("efi: libstub: Disable struct randomization")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
+index d3777d754984..e0cff3b942ac 100644
+--- a/drivers/firmware/efi/libstub/Makefile
++++ b/drivers/firmware/efi/libstub/Makefile
+@@ -31,6 +31,9 @@ KBUILD_CFLAGS                        := $(cflags-y) -DDISABLE_BRANCH_PROFILING \
+                                  $(call cc-option,-fno-addrsig) \
+                                  -D__DISABLE_EXPORTS
++# remove SCS flags from all objects in this directory
++KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS))
++
+ GCOV_PROFILE                  := n
+ KASAN_SANITIZE                        := n
+ UBSAN_SANITIZE                        := n
+-- 
+2.35.1
+
diff --git a/queue-4.19/efi-libstub-disable-struct-randomization.patch b/queue-4.19/efi-libstub-disable-struct-randomization.patch
new file mode 100644 (file)
index 0000000..1b618a2
--- /dev/null
@@ -0,0 +1,56 @@
+From 647b9e3ae48fd6671991e42990051a828b138273 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 19:20:33 +0200
+Subject: efi: libstub: Disable struct randomization
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit 1a3887924a7e6edd331be76da7bf4c1e8eab4b1e ]
+
+The EFI stub is a wrapper around the core kernel that makes it look like
+a EFI compatible PE/COFF application to the EFI firmware. EFI
+applications run on top of the EFI runtime, which is heavily based on
+so-called protocols, which are struct types consisting [mostly] of
+function pointer members that are instantiated and recorded in a
+protocol database.
+
+These structs look like the ideal randomization candidates to the
+randstruct plugin (as they only carry function pointers), but of course,
+these protocols are contracts between the firmware that exposes them,
+and the EFI applications (including our stubbed kernel) that invoke
+them. This means that struct randomization for EFI protocols is not a
+great idea, and given that the stub shares very little data with the
+core kernel that is represented as a randomizable struct, we're better
+off just disabling it completely here.
+
+Cc: <stable@vger.kernel.org> # v4.14+
+Reported-by: Daniel Marth <daniel.marth@inso.tuwien.ac.at>
+Tested-by: Daniel Marth <daniel.marth@inso.tuwien.ac.at>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/Makefile | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
+index e0cff3b942ac..7fad5d90898b 100644
+--- a/drivers/firmware/efi/libstub/Makefile
++++ b/drivers/firmware/efi/libstub/Makefile
+@@ -31,6 +31,13 @@ KBUILD_CFLAGS                       := $(cflags-y) -DDISABLE_BRANCH_PROFILING \
+                                  $(call cc-option,-fno-addrsig) \
+                                  -D__DISABLE_EXPORTS
++#
++# struct randomization only makes sense for Linux internal types, which the EFI
++# stub code never touches, so let's turn off struct randomization for the stub
++# altogether
++#
++KBUILD_CFLAGS := $(filter-out $(RANDSTRUCT_CFLAGS), $(KBUILD_CFLAGS))
++
+ # remove SCS flags from all objects in this directory
+ KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS))
+-- 
+2.35.1
+
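Review bot: The new `KBUILD_CFLAGS := $(filter-out $(RANDSTRUCT_CFLAGS), $(KBUILD_CFLAGS))` line only does something if this 4.19 tree defines RANDSTRUCT_CFLAGS under that name; the upstream commit was written against a newer kbuild, and if the randstruct plugin flags are spelled differently here the filter-out expands to a no-op and the EFI stub keeps being built with struct randomization, i.e. the bug the patch exists to fix is silently not fixed. Before queuing, confirm the variable name in this tree's gcc-plugin makefile and, if it differs, filter out the name the tree actually uses. The same question applies to CC_FLAGS_SCS in the preceding shadow-call-stack patch, but there a no-op is harmless because that patch is only taken as a context dependency (Stable-dep-of). A backport that cannot name the right variable would be worth a note in the patch header so the next reviewer does not assume the hardening change is active.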
diff --git a/queue-4.19/mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch b/queue-4.19/mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch
new file mode 100644 (file)
index 0000000..5eed70d
--- /dev/null
@@ -0,0 +1,104 @@
+From 5eb23f2971df4366d2eb73db722e7c3358816f76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Aug 2019 12:17:28 +0200
+Subject: mvpp2: no need to check return value of debugfs_create functions
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit e6882aa623f6fe0d80fa82ebf3ee78c353bffbe1 ]
+
+When calling debugfs functions, there is no need to ever check the
+return value.  The function can work or not, but the code logic should
+never do something different based on this.
+
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Nathan Huckleberry <nhuck@google.com>
+Cc: netdev@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: fe2c9c61f668 ("net: mvpp2: debugfs: fix memory leak when using debugfs_lookup()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/marvell/mvpp2/mvpp2_debugfs.c    | 19 +------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
+index f9744a61e5dd..87d9cbe10cec 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
+@@ -484,8 +484,6 @@ static int mvpp2_dbgfs_flow_port_init(struct dentry *parent,
+       struct dentry *port_dir;
+       port_dir = debugfs_create_dir(port->dev->name, parent);
+-      if (IS_ERR(port_dir))
+-              return PTR_ERR(port_dir);
+       /* This will be freed by 'hash_opts' release op */
+       port_entry = kmalloc(sizeof(*port_entry), GFP_KERNEL);
+@@ -515,8 +513,6 @@ static int mvpp2_dbgfs_flow_entry_init(struct dentry *parent,
+       sprintf(flow_entry_name, "%02d", flow);
+       flow_entry_dir = debugfs_create_dir(flow_entry_name, parent);
+-      if (!flow_entry_dir)
+-              return -ENOMEM;
+       /* This will be freed by 'type' release op */
+       entry = kmalloc(sizeof(*entry), GFP_KERNEL);
+@@ -554,8 +550,6 @@ static int mvpp2_dbgfs_flow_init(struct dentry *parent, struct mvpp2 *priv)
+       int i, ret;
+       flow_dir = debugfs_create_dir("flows", parent);
+-      if (!flow_dir)
+-              return -ENOMEM;
+       for (i = 0; i < MVPP2_N_FLOWS; i++) {
+               ret = mvpp2_dbgfs_flow_entry_init(flow_dir, priv, i);
+@@ -579,8 +573,6 @@ static int mvpp2_dbgfs_prs_entry_init(struct dentry *parent,
+       sprintf(prs_entry_name, "%03d", tid);
+       prs_entry_dir = debugfs_create_dir(prs_entry_name, parent);
+-      if (!prs_entry_dir)
+-              return -ENOMEM;
+       /* The 'valid' entry's ops will free that */
+       entry = kmalloc(sizeof(*entry), GFP_KERNEL);
+@@ -618,8 +610,6 @@ static int mvpp2_dbgfs_prs_init(struct dentry *parent, struct mvpp2 *priv)
+       int i, ret;
+       prs_dir = debugfs_create_dir("parser", parent);
+-      if (!prs_dir)
+-              return -ENOMEM;
+       for (i = 0; i < MVPP2_PRS_TCAM_SRAM_SIZE; i++) {
+               ret = mvpp2_dbgfs_prs_entry_init(prs_dir, priv, i);
+@@ -636,8 +626,6 @@ static int mvpp2_dbgfs_port_init(struct dentry *parent,
+       struct dentry *port_dir;
+       port_dir = debugfs_create_dir(port->dev->name, parent);
+-      if (IS_ERR(port_dir))
+-              return PTR_ERR(port_dir);
+       debugfs_create_file("parser_entries", 0444, port_dir, port,
+                           &mvpp2_dbgfs_port_parser_fops);
+@@ -671,15 +659,10 @@ void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name)
+       int ret, i;
+       mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL);
+-      if (!mvpp2_root) {
++      if (!mvpp2_root)
+               mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL);
+-              if (IS_ERR(mvpp2_root))
+-                      return;
+-      }
+       mvpp2_dir = debugfs_create_dir(name, mvpp2_root);
+-      if (IS_ERR(mvpp2_dir))
+-              return;
+       priv->dbgfs_dir = mvpp2_dir;
+-- 
+2.35.1
+
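Review bot: Removing every guard after debugfs_create_dir() hands whatever that call returns on failure straight to the following debugfs_create_file() / debugfs_create_dir() calls as their parent, and the original code checking both `!flow_dir` and `IS_ERR(port_dir)` suggests this tree's debugfs can return NULL on failure; if it does, a NULL parent means "debugfs root", so the per-port and per-flow entries would be created at the top level instead of being skipped. This is fine upstream, where debugfs_create_dir() returns an ERR_PTR and the child creators reject an ERR_PTR parent, but that is an inferred property of this tree that should be verified before taking the dependency as-is. If the 4.19 debugfs does return NULL, the minimal backport is to keep the `if (!dir) return -ENOMEM;` checks and drop only the `IS_ERR()` ones, so the following leak fix still applies. Every function touched here (mvpp2_dbgfs_flow_port_init through mvpp2_dbgfs_init) continues outside its hunk.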
diff --git a/queue-4.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch b/queue-4.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch
new file mode 100644 (file)
index 0000000..6c2dd8f
--- /dev/null
@@ -0,0 +1,51 @@
+From 3feb4d894fc97629b74ff051ec35f09cf7ed11eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 15:41:11 +0200
+Subject: net: mvpp2: debugfs: fix memory leak when using debugfs_lookup()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit fe2c9c61f668cde28dac2b188028c5299cedcc1e ]
+
+When calling debugfs_lookup() the result must have dput() called on it,
+otherwise the memory will leak over time.  Fix this up to be much
+simpler logic and only create the root debugfs directory once when the
+driver is first accessed.  That resolves the memory leak and makes
+things more obvious as to what the intent is.
+
+Cc: Marcin Wojtas <mw@semihalf.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: netdev@vger.kernel.org
+Cc: stable <stable@kernel.org>
+Fixes: 21da57a23125 ("net: mvpp2: add a debugfs interface for the Header Parser")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
+index 87d9cbe10cec..a43bfb86f315 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
+@@ -655,10 +655,10 @@ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv)
+ void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name)
+ {
+-      struct dentry *mvpp2_dir, *mvpp2_root;
++      static struct dentry *mvpp2_root;
++      struct dentry *mvpp2_dir;
+       int ret, i;
+-      mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL);
+       if (!mvpp2_root)
+               mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL);
+-- 
+2.35.1
+
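Review bot: The root dentry now lives in the function-static `mvpp2_root` and nothing in this patch ever removes it; mvpp2_dbgfs_cleanup(), whose signature is the hunk's context line, appears to remove only priv->dbgfs_dir, so the MVPP2_DRIVER_NAME directory outlives module unload. On a later reload the static is NULL again and `debugfs_create_dir(MVPP2_DRIVER_NAME, NULL)` fails because the name already exists, so the per-device `mvpp2_dir` is presumably created under either the debugfs root or an error pointer, depending on what this tree's debugfs returns on failure. Moving `mvpp2_root` to file scope and adding a module-exit hook that calls `debugfs_remove(mvpp2_root)` would close both the leftover directory and the reload case; a comment on the static, `/* created once on first probe; removed only at module exit */`, would document the intended lifetime. mvpp2_dbgfs_init() continues past the end of the hunk.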
diff --git a/queue-4.19/nvmet-fix-a-use-after-free.patch b/queue-4.19/nvmet-fix-a-use-after-free.patch
new file mode 100644 (file)
index 0000000..62c5c9f
--- /dev/null
@@ -0,0 +1,67 @@
+From a2beeda56ca0138c260720efafcd71c535534795 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Aug 2022 14:03:17 -0700
+Subject: nvmet: fix a use-after-free
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 6a02a61e81c231cc5c680c5dbf8665275147ac52 ]
+
+Fix the following use-after-free complaint triggered by blktests nvme/004:
+
+BUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350
+Read of size 4 at addr 0000607bd1835943 by task kworker/13:1/460
+Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]
+Call Trace:
+ show_stack+0x52/0x58
+ dump_stack_lvl+0x49/0x5e
+ print_report.cold+0x36/0x1e2
+ kasan_report+0xb9/0xf0
+ __asan_load4+0x6b/0x80
+ blk_mq_complete_request_remote+0xac/0x350
+ nvme_loop_queue_response+0x1df/0x275 [nvme_loop]
+ __nvmet_req_complete+0x132/0x4f0 [nvmet]
+ nvmet_req_complete+0x15/0x40 [nvmet]
+ nvmet_execute_io_connect+0x18a/0x1f0 [nvmet]
+ nvme_loop_execute_work+0x20/0x30 [nvme_loop]
+ process_one_work+0x56e/0xa70
+ worker_thread+0x2d1/0x640
+ kthread+0x183/0x1c0
+ ret_from_fork+0x1f/0x30
+
+Cc: stable@vger.kernel.org
+Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index 1a35d73c39c3..80b5aae1bdc9 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -504,6 +504,7 @@ static void __nvmet_req_complete(struct nvmet_req *req, u16 status)
+ {
+       u32 old_sqhd, new_sqhd;
+       u16 sqhd;
++      struct nvmet_ns *ns = req->ns;
+       if (status)
+               nvmet_set_status(req, status);
+@@ -520,9 +521,9 @@ static void __nvmet_req_complete(struct nvmet_req *req, u16 status)
+       req->rsp->sq_id = cpu_to_le16(req->sq->qid);
+       req->rsp->command_id = req->cmd->common.command_id;
+-      if (req->ns)
+-              nvmet_put_namespace(req->ns);
+       req->ops->queue_response(req);
++      if (ns)
++              nvmet_put_namespace(ns);
+ }
+ void nvmet_req_complete(struct nvmet_req *req, u16 status)
+-- 
+2.35.1
+
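Review bot: The reorder is correct but undocumented: the reason `ns` is captured from `req->ns` at the top and released only after `req->ops->queue_response(req)` is that queue_response() may complete and free the request, so `req` must not be dereferenced after it. A one-line comment before the put, `/* queue_response() may free req; use the ns pointer captured above */`, records that constraint for the next person tempted to move the put back beside the other `req->rsp` writes, and a matching note at the `struct nvmet_ns *ns = req->ns;` declaration would tie the two together. The middle of __nvmet_req_complete() between the two hunks is not visible here.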
index bd074682a20de5126dee81fa8f751c71f952113f..539eea317d4129eef72ae96c22b74b61db6c1280 100644 (file)
@@ -13,3 +13,8 @@ of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch
 gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch
 drm-meson-correct-osd1-global-alpha-value.patch
 parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch
+efi-libstub-disable-shadow-call-stack.patch
+efi-libstub-disable-struct-randomization.patch
+nvmet-fix-a-use-after-free.patch
+mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch
+net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch