Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Mon, 1 Jan 2024 18:11:07 +0000 (13:11 -0500)
committerSasha Levin <sashal@kernel.org>
Mon, 1 Jan 2024 18:11:07 +0000 (13:11 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.4/bus-ti-sysc-flush-posted-write-only-after-srst_udela.patch [new file with mode: 0644]
queue-5.4/bus-ti-sysc-use-fsleep-instead-of-usleep_range-in-sy.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/smb-client-fix-oob-in-smbcalcsize.patch [new file with mode: 0644]
queue-5.4/usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch [new file with mode: 0644]

diff --git a/queue-5.4/bus-ti-sysc-flush-posted-write-only-after-srst_udela.patch b/queue-5.4/bus-ti-sysc-flush-posted-write-only-after-srst_udela.patch
new file mode 100644 (file)
index 0000000..9e26c90
--- /dev/null
@@ -0,0 +1,64 @@
+From 9c89b352c8be3ef15f6564fa22c8091ff6564708 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Nov 2023 10:50:56 +0200
+Subject: bus: ti-sysc: Flush posted write only after srst_udelay
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit f71f6ff8c1f682a1cae4e8d7bdeed9d7f76b8f75 ]
+
+Commit 34539b442b3b ("bus: ti-sysc: Flush posted write on enable before
+reset") caused a regression reproducable on omap4 duovero where the ISS
+target module can produce interconnect errors on boot. Turns out the
+registers are not accessible until after a delay for devices needing
+a ti,sysc-delay-us value.
+
+Let's fix this by flushing the posted write only after the reset delay.
+We do flushing also for ti,sysc-delay-us using devices as that should
+trigger an interconnect error if the delay is not properly configured.
+
+Let's also add some comments while at it.
+
+Fixes: 34539b442b3b ("bus: ti-sysc: Flush posted write on enable before reset")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/ti-sysc.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
+index 8d82752c54d40..8ad389ebd77a9 100644
+--- a/drivers/bus/ti-sysc.c
++++ b/drivers/bus/ti-sysc.c
+@@ -1837,13 +1837,23 @@ static int sysc_reset(struct sysc *ddata)
+               sysc_val = sysc_read_sysconfig(ddata);
+               sysc_val |= sysc_mask;
+               sysc_write(ddata, sysc_offset, sysc_val);
+-              /* Flush posted write */
++
++              /*
++               * Some devices need a delay before reading registers
++               * after reset. Presumably a srst_udelay is not needed
++               * for devices that use a rstctrl register reset.
++               */
++              if (ddata->cfg.srst_udelay)
++                      fsleep(ddata->cfg.srst_udelay);
++
++              /*
++               * Flush posted write. For devices needing srst_udelay
++               * this should trigger an interconnect error if the
++               * srst_udelay value is needed but not configured.
++               */
+               sysc_val = sysc_read_sysconfig(ddata);
+       }
+-      if (ddata->cfg.srst_udelay)
+-              fsleep(ddata->cfg.srst_udelay);
+-
+       if (ddata->post_reset_quirk)
+               ddata->post_reset_quirk(ddata);
+-- 
+2.43.0
+
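Review bot: The delay `if (ddata->cfg.srst_udelay) fsleep(ddata->cfg.srst_udelay);` now runs only inside the block that wrote the sysconfig register, whereas the removed lines ran it unconditionally after the closing brace, so devices that take the other path through sysc_reset() lose the delay entirely. The added comment itself says "Presumably" for the rstctrl-reset case, which makes this a behaviour change rather than only a reorder of the posted-write flush, and the backport should confirm that no 5.4 device on that path declares ti,sysc-delay-us instead of assuming it. sysc_reset() starts and ends outside the hunk, so the condition guarding the block is not visible here.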
diff --git a/queue-5.4/bus-ti-sysc-use-fsleep-instead-of-usleep_range-in-sy.patch b/queue-5.4/bus-ti-sysc-use-fsleep-instead-of-usleep_range-in-sy.patch
new file mode 100644 (file)
index 0000000..c909dc9
--- /dev/null
@@ -0,0 +1,50 @@
+From 0c277cf05ad4849a9e162f58788607f0787f24d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Aug 2023 16:24:18 +0200
+Subject: bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset()
+
+From: Julien Panis <jpanis@baylibre.com>
+
+[ Upstream commit d929b2b7464f95ec01e47f560b1e687482ba8929 ]
+
+The am335x-evm started producing boot errors because of subtle timing
+changes:
+
+Unhandled fault: external abort on non-linefetch (0x1008) at 0xf03c1010
+...
+sysc_reset from sysc_probe+0xf60/0x1514
+sysc_probe from platform_probe+0x5c/0xbc
+...
+
+The fix consists in using the appropriate sleep function in sysc reset.
+For flexible sleeping, fsleep is recommended. Here, sysc delay parameter
+can take any value in [0 - 255] us range. As a result, fsleep() should
+be used, calling udelay() for a sysc delay lower than 10 us.
+
+Signed-off-by: Julien Panis <jpanis@baylibre.com>
+Fixes: e709ed70d122 ("bus: ti-sysc: Fix missing reset delay handling")
+Message-ID: <20230821-fix-ti-sysc-reset-v1-1-5a0a5d8fae55@baylibre.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Stable-dep-of: f71f6ff8c1f6 ("bus: ti-sysc: Flush posted write only after srst_udelay")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/ti-sysc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
+index 70339f73181ea..8d82752c54d40 100644
+--- a/drivers/bus/ti-sysc.c
++++ b/drivers/bus/ti-sysc.c
+@@ -1842,8 +1842,7 @@ static int sysc_reset(struct sysc *ddata)
+       }
+       if (ddata->cfg.srst_udelay)
+-              usleep_range(ddata->cfg.srst_udelay,
+-                           ddata->cfg.srst_udelay * 2);
++              fsleep(ddata->cfg.srst_udelay);
+       if (ddata->post_reset_quirk)
+               ddata->post_reset_quirk(ddata);
+-- 
+2.43.0
+
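Review bot: `fsleep(ddata->cfg.srst_udelay);` replaces usleep_range(), but nothing in this series adds an fsleep() helper to the 5.4 tree; if it is not already present there, drivers/bus/ti-sysc.c will not build and the backport needs the helper too (the description states the intended semantics: udelay() below 10 us, usleep_range() otherwise). This is worth a build check before the queue lands, since the following flush-posted-write patch is marked as depending on this one. sysc_reset() starts and ends outside the hunk.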
index 9b4db0b70c27706eb4b61915c6e4fd7b5d5c0f17..5a091c30cb34082b985d51dd01cab71b77e1db7f 100644 (file)
@@ -39,3 +39,7 @@ bluetooth-hci_event-fix-not-checking-if-hci_op_inquiry-has-been-sent.patch
 net-9p-avoid-freeing-uninit-memory-in-p9pdu_vreadf.patch
 net-rfkill-gpio-set-gpio-direction.patch
 x86-alternatives-sync-core-before-enabling-interrupts.patch
+usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch
+smb-client-fix-oob-in-smbcalcsize.patch
+bus-ti-sysc-use-fsleep-instead-of-usleep_range-in-sy.patch
+bus-ti-sysc-flush-posted-write-only-after-srst_udela.patch
diff --git a/queue-5.4/smb-client-fix-oob-in-smbcalcsize.patch b/queue-5.4/smb-client-fix-oob-in-smbcalcsize.patch
new file mode 100644 (file)
index 0000000..8e84811
--- /dev/null
@@ -0,0 +1,84 @@
+From 7938b789adf6c873e108db84afe0e85f1bb5466f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Dec 2023 19:59:14 -0300
+Subject: smb: client: fix OOB in smbCalcSize()
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+[ Upstream commit b35858b3786ddbb56e1c35138ba25d6adf8d0bef ]
+
+Validate @smb->WordCount to avoid reading off the end of @smb and thus
+causing the following KASAN splat:
+
+  BUG: KASAN: slab-out-of-bounds in smbCalcSize+0x32/0x40 [cifs]
+  Read of size 2 at addr ffff88801c024ec5 by task cifsd/1328
+
+  CPU: 1 PID: 1328 Comm: cifsd Not tainted 6.7.0-rc5 #9
+  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+  rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x4a/0x80
+   print_report+0xcf/0x650
+   ? srso_alias_return_thunk+0x5/0xfbef5
+   ? srso_alias_return_thunk+0x5/0xfbef5
+   ? __phys_addr+0x46/0x90
+   kasan_report+0xd8/0x110
+   ? smbCalcSize+0x32/0x40 [cifs]
+   ? smbCalcSize+0x32/0x40 [cifs]
+   kasan_check_range+0x105/0x1b0
+   smbCalcSize+0x32/0x40 [cifs]
+   checkSMB+0x162/0x370 [cifs]
+   ? __pfx_checkSMB+0x10/0x10 [cifs]
+   cifs_handle_standard+0xbc/0x2f0 [cifs]
+   ? srso_alias_return_thunk+0x5/0xfbef5
+   cifs_demultiplex_thread+0xed1/0x1360 [cifs]
+   ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
+   ? srso_alias_return_thunk+0x5/0xfbef5
+   ? lockdep_hardirqs_on_prepare+0x136/0x210
+   ? __pfx_lock_release+0x10/0x10
+   ? srso_alias_return_thunk+0x5/0xfbef5
+   ? mark_held_locks+0x1a/0x90
+   ? lockdep_hardirqs_on_prepare+0x136/0x210
+   ? srso_alias_return_thunk+0x5/0xfbef5
+   ? srso_alias_return_thunk+0x5/0xfbef5
+   ? __kthread_parkme+0xce/0xf0
+   ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
+   kthread+0x18d/0x1d0
+   ? kthread+0xdb/0x1d0
+   ? __pfx_kthread+0x10/0x10
+   ret_from_fork+0x34/0x60
+   ? __pfx_kthread+0x10/0x10
+   ret_from_fork_asm+0x1b/0x30
+   </TASK>
+
+This fixes CVE-2023-6606.
+
+Reported-by: j51569436@gmail.com
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218218
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/misc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
+index f41891379de91..db1fcdedf289a 100644
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -349,6 +349,10 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server)
+                       cifs_dbg(VFS, "Length less than smb header size\n");
+               }
+               return -EIO;
++      } else if (total_read < sizeof(*smb) + 2 * smb->WordCount) {
++              cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n",
++                       __func__, smb->WordCount);
++              return -EIO;
+       }
+       /* otherwise, there is enough to get to the BCC */
+-- 
+2.43.0
+
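Review bot: The new bound `total_read < sizeof(*smb) + 2 * smb->WordCount` guarantees the parameter words fit in the received frame but not the 2-byte BCC that follows them; when total_read is exactly sizeof(*smb) + 2 * WordCount, or one more, the 16-bit BCC read lands wholly or partly past the received bytes. Whether that is still inside the receive buffer depends on the buffer being allocated larger than total_read, which this hunk does not show; if that is not guaranteed, `total_read < sizeof(*smb) + 2 * smb->WordCount + 2` would match the comment "otherwise, there is enough to get to the BCC" more tightly, and since WordCount is server-controlled the tighter bound costs nothing. checkSMB() starts and ends outside the hunk.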
diff --git a/queue-5.4/usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch b/queue-5.4/usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch
new file mode 100644 (file)
index 0000000..27c11e7
--- /dev/null
@@ -0,0 +1,63 @@
+From 853a1252e9cede0032281d3b77d4886769e7a3ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 16:22:43 +0300
+Subject: usb: fotg210-hcd: delete an incorrect bounds test
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 7fbcd195e2b8cc952e4aeaeb50867b798040314c ]
+
+Here "temp" is the number of characters that we have written and "size"
+is the size of the buffer.  The intent was clearly to say that if we have
+written to the end of the buffer then stop.
+
+However, for that to work the comparison should have been done on the
+original "size" value instead of the "size -= temp" value.  Not only
+will that not trigger when we want to, but there is a small chance that
+it will trigger incorrectly before we want it to and we break from the
+loop slightly earlier than intended.
+
+This code was recently changed from using snprintf() to scnprintf().  With
+snprintf() we likely would have continued looping and passed a negative
+size parameter to snprintf().  This would have triggered an annoying
+WARN().  Now that we have converted to scnprintf() "size" will never
+drop below 1 and there is no real need for this test.  We could change
+the condition to "if (temp <= 1) goto done;" but just deleting the test
+is cleanest.
+
+Fixes: 7d50195f6c50 ("usb: host: Faraday fotg210-hcd driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/ZXmwIwHe35wGfgzu@suswa
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/fotg210-hcd.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
+index f457e083a6f89..c0f727e793072 100644
+--- a/drivers/usb/host/fotg210-hcd.c
++++ b/drivers/usb/host/fotg210-hcd.c
+@@ -428,8 +428,6 @@ static void qh_lines(struct fotg210_hcd *fotg210, struct fotg210_qh *qh,
+                       temp = size;
+               size -= temp;
+               next += temp;
+-              if (temp == size)
+-                      goto done;
+       }
+       temp = snprintf(next, size, "\n");
+@@ -439,7 +437,6 @@ static void qh_lines(struct fotg210_hcd *fotg210, struct fotg210_qh *qh,
+       size -= temp;
+       next += temp;
+-done:
+       *sizep = size;
+       *nextp = next;
+ }
+-- 
+2.43.0
+
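Review bot: The rationale in the description rests on scnprintf(), but the context line `temp = snprintf(next, size, "\n");` shows this 5.4 copy of qh_lines() still uses snprintf(). The deletion still looks safe here because the clamp whose body `temp = size;` is visible at the top of the first hunk keeps size from dropping below zero (or wrapping, if it is unsigned), so a later snprintf() receives at worst a size of 0; the backport note should state that reasoning rather than the scnprintf() one, since a reader checking the 5.4 tree will not find the conversion. The second hunk's removal of the `done:` label is only valid if no other jump targets it, which the hunks do not show; qh_lines() starts and ends outside both hunks.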