From: Sasha Levin Date: Wed, 21 Aug 2024 13:31:17 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.1.107~99 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1bc00a2bfd9a9d1e470b0af4954c02fa3a817fda;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/bluetooth-bnep-fix-out-of-bound-access.patch b/queue-5.4/bluetooth-bnep-fix-out-of-bound-access.patch new file mode 100644 index 00000000000..9e5153c7b7f --- /dev/null +++ b/queue-5.4/bluetooth-bnep-fix-out-of-bound-access.patch @@ -0,0 +1,38 @@ +From 8ca7e1cd2acb326fa188685d9cbdb31b04ae6a26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 12:11:08 -0500 +Subject: Bluetooth: bnep: Fix out-of-bound access + +From: Luiz Augusto von Dentz + +[ Upstream commit 0f0639b4d6f649338ce29c62da3ec0787fa08cd1 ] + +This fixes attempting to access past ethhdr.h_source, although it seems +intentional to copy also the contents of h_proto this triggers +out-of-bound access problems with the likes of static analyzer, so this +instead just copy ETH_ALEN and then proceed to use put_unaligned to copy +h_proto separetely. + +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/bnep/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c +index 43c284158f63e..089160361dded 100644 +--- a/net/bluetooth/bnep/core.c ++++ b/net/bluetooth/bnep/core.c +@@ -385,7 +385,8 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb) + + case BNEP_COMPRESSED_DST_ONLY: + __skb_put_data(nskb, skb_mac_header(skb), ETH_ALEN); +- __skb_put_data(nskb, s->eh.h_source, ETH_ALEN + 2); ++ __skb_put_data(nskb, s->eh.h_source, ETH_ALEN); ++ put_unaligned(s->eh.h_proto, (__be16 *)__skb_put(nskb, 2)); + break; + + case BNEP_GENERAL: +-- +2.43.0 + diff --git a/queue-5.4/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch b/queue-5.4/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch new file mode 100644 index 00000000000..8c5a7b0a9c0 --- /dev/null +++ b/queue-5.4/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch @@ -0,0 +1,36 @@ +From 8ebb2e3af5824cf98948771f4d4c949cc06ec5ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Jan 2024 02:26:32 +0100 +Subject: btrfs: change BUG_ON to assertion when checking for delayed_node root + +From: David Sterba + +[ Upstream commit be73f4448b607e6b7ce41cd8ef2214fdf6e7986f ] + +The pointer to root is initialized in btrfs_init_delayed_node(), no need +to check for it again. Change the BUG_ON to assertion. + +Reviewed-by: Josef Bacik +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/delayed-inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c +index 95afe5ef7500c..e3a43bf63f06c 100644 +--- a/fs/btrfs/delayed-inode.c ++++ b/fs/btrfs/delayed-inode.c +@@ -988,7 +988,7 @@ static void btrfs_release_delayed_inode(struct btrfs_delayed_node *delayed_node) + + if (delayed_node && + test_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags)) { +- BUG_ON(!delayed_node->root); ++ ASSERT(delayed_node->root); + clear_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags); + delayed_node->count--; + +-- +2.43.0 + diff --git a/queue-5.4/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch b/queue-5.4/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch new file mode 100644 index 00000000000..5cdf1cc6e46 --- /dev/null +++ b/queue-5.4/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch @@ -0,0 +1,40 @@ +From 9337e23ec2fee4dd8c845244501fad2aa32cb1bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 23:20:53 +0100 +Subject: btrfs: delete pointless BUG_ON check on quota root in + btrfs_qgroup_account_extent() + +From: David Sterba + +[ Upstream commit f40a3ea94881f668084f68f6b9931486b1606db0 ] + +The BUG_ON is deep in the qgroup code where we can expect that it +exists. A NULL pointer would cause a crash. + +It was added long ago in 550d7a2ed5db35 ("btrfs: qgroup: Add new qgroup +calculation function btrfs_qgroup_account_extents()."). It maybe made +sense back then as the quota enable/disable state machine was not that +robust as it is nowadays, so we can just delete it. + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index d6184b6206ff2..7d0b7e58d66af 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2603,8 +2603,6 @@ int btrfs_qgroup_account_extent(struct btrfs_trans_handle *trans, u64 bytenr, + if (nr_old_roots == 0 && nr_new_roots == 0) + goto out_free; + +- BUG_ON(!fs_info->quota_root); +- + trace_btrfs_qgroup_account_extent(fs_info, trans->transid, bytenr, + num_bytes, nr_old_roots, nr_new_roots); + +-- +2.43.0 + diff --git a/queue-5.4/btrfs-handle-invalid-root-reference-found-in-may_des.patch b/queue-5.4/btrfs-handle-invalid-root-reference-found-in-may_des.patch new file mode 100644 index 00000000000..a94353640f7 --- /dev/null +++ b/queue-5.4/btrfs-handle-invalid-root-reference-found-in-may_des.patch @@ -0,0 +1,42 @@ +From 6901235e32bc4282eeb22ebdcfab84d0e23dda9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jan 2024 22:58:01 +0100 +Subject: btrfs: handle invalid root reference found in may_destroy_subvol() + +From: David Sterba + +[ Upstream commit 6fbc6f4ac1f4907da4fc674251527e7dc79ffbf6 ] + +The may_destroy_subvol() looks up a root by a key, allowing to do an +inexact search when key->offset is -1. It's never expected to find such +item, as it would break the allowed range of a root id. + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 2c86be3fc25cd..d2a988bf9c895 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4520,7 +4520,14 @@ static noinline int may_destroy_subvol(struct btrfs_root *root) + ret = btrfs_search_slot(NULL, fs_info->tree_root, &key, path, 0, 0); + if (ret < 0) + goto out; +- BUG_ON(ret == 0); ++ if (ret == 0) { ++ /* ++ * Key with offset -1 found, there would have to exist a root ++ * with such id, but this is out of valid range. ++ */ ++ ret = -EUCLEAN; ++ goto out; ++ } + + ret = 0; + if (path->slots[0] > 0) { +-- +2.43.0 + diff --git a/queue-5.4/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch b/queue-5.4/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch new file mode 100644 index 00000000000..45f5c72510b --- /dev/null +++ b/queue-5.4/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch @@ -0,0 +1,40 @@ +From 016f007211eea470364dd8593ffd0917453e8fc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 22:47:13 +0100 +Subject: btrfs: send: handle unexpected data in header buffer in begin_cmd() + +From: David Sterba + +[ Upstream commit e80e3f732cf53c64b0d811e1581470d67f6c3228 ] + +Change BUG_ON to a proper error handling in the unlikely case of seeing +data when the command is started. This is supposed to be reset when the +command is finished (send_cmd, send_encoded_extent). + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index 576c027909f8a..e1063ef3dece5 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -692,7 +692,12 @@ static int begin_cmd(struct send_ctx *sctx, int cmd) + if (WARN_ON(!sctx->send_buf)) + return -EINVAL; + +- BUG_ON(sctx->send_size); ++ if (unlikely(sctx->send_size != 0)) { ++ btrfs_err(sctx->send_root->fs_info, ++ "send: command header buffer not empty cmd %d offset %llu", ++ cmd, sctx->send_off); ++ return -EINVAL; ++ } + + sctx->send_size += sizeof(*hdr); + hdr = (struct btrfs_cmd_header *)sctx->send_buf; +-- +2.43.0 + diff --git a/queue-5.4/drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch b/queue-5.4/drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch new file mode 100644 index 00000000000..599812a141c --- /dev/null +++ b/queue-5.4/drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch @@ -0,0 +1,55 @@ +From 5cc85520424fb0a7ddd08c3ada4beab9c4bef559 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jan 2024 03:59:43 +0100 +Subject: drm/lima: set gp bus_stop bit before hard reset + +From: Erico Nunes + +[ Upstream commit 27aa58ec85f973d98d336df7b7941149308db80f ] + +This is required for reliable hard resets. Otherwise, doing a hard reset +while a task is still running (such as a task which is being stopped by +the drm_sched timeout handler) may result in random mmu write timeouts +or lockups which cause the entire gpu to hang. + +Signed-off-by: Erico Nunes +Signed-off-by: Qiang Yu +Link: https://patchwork.freedesktop.org/patch/msgid/20240124025947.2110659-5-nunes.erico@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/lima/lima_gp.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c +index 3fca560087c97..4bf216cb33030 100644 +--- a/drivers/gpu/drm/lima/lima_gp.c ++++ b/drivers/gpu/drm/lima/lima_gp.c +@@ -138,6 +138,11 @@ static void lima_gp_task_run(struct lima_sched_pipe *pipe, + gp_write(LIMA_GP_CMD, cmd); + } + ++static int lima_gp_bus_stop_poll(struct lima_ip *ip) ++{ ++ return !!(gp_read(LIMA_GP_STATUS) & LIMA_GP_STATUS_BUS_STOPPED); ++} ++ + static int lima_gp_hard_reset_poll(struct lima_ip *ip) + { + gp_write(LIMA_GP_PERF_CNT_0_LIMIT, 0xC01A0000); +@@ -151,6 +156,13 @@ static int lima_gp_hard_reset(struct lima_ip *ip) + + gp_write(LIMA_GP_PERF_CNT_0_LIMIT, 0xC0FFE000); + gp_write(LIMA_GP_INT_MASK, 0); ++ ++ gp_write(LIMA_GP_CMD, LIMA_GP_CMD_STOP_BUS); ++ ret = lima_poll_timeout(ip, lima_gp_bus_stop_poll, 10, 100); ++ if (ret) { ++ dev_err(dev->dev, "%s bus stop timeout\n", lima_ip_name(ip)); ++ return ret; ++ } + gp_write(LIMA_GP_CMD, LIMA_GP_CMD_RESET); + ret = lima_poll_timeout(ip, lima_gp_hard_reset_poll, 10, 100); + if (ret) { +-- +2.43.0 + diff --git a/queue-5.4/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch b/queue-5.4/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch new file mode 100644 index 00000000000..353754f667b --- /dev/null +++ b/queue-5.4/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch @@ -0,0 +1,38 @@ +From 6d444d0d10862bc45713291b6fdb1b4301c3c6ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jan 2024 22:20:34 +0800 +Subject: ext4: do not trim the group with corrupted block bitmap + +From: Baokun Li + +[ Upstream commit 172202152a125955367393956acf5f4ffd092e0d ] + +Otherwise operating on an incorrupted block bitmap can lead to all sorts +of unknown problems. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240104142040.2835097-3-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 9bc590564ea1f..b268dc0e1df44 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5227,6 +5227,9 @@ static int ext4_try_to_trim_range(struct super_block *sb, + bool set_trimmed = false; + void *bitmap; + ++ if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) ++ return 0; ++ + last = ext4_last_grp_cluster(sb, e4b->bd_group); + bitmap = e4b->bd_bitmap; + if (start == 0 && max >= last) +-- +2.43.0 + diff --git a/queue-5.4/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch b/queue-5.4/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch new file mode 100644 index 00000000000..560cb6bbdda --- /dev/null +++ b/queue-5.4/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch @@ -0,0 +1,42 @@ +From 3ac5e6a2c67427d55bd6b02aa3dda281851f2f34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 19:33:24 +0800 +Subject: ext4: set the type of max_zeroout to unsigned int to avoid overflow + +From: Baokun Li + +[ Upstream commit 261341a932d9244cbcd372a3659428c8723e5a49 ] + +The max_zeroout is of type int and the s_extent_max_zeroout_kb is of +type uint, and the s_extent_max_zeroout_kb can be freely modified via +the sysfs interface. When the block size is 1024, max_zeroout may +overflow, so declare it as unsigned int to avoid overflow. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240319113325.3110393-9-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/extents.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 90b12c7c0f20a..fed3dfed2c249 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -3591,9 +3591,10 @@ static int ext4_ext_convert_to_initialized(handle_t *handle, + struct ext4_extent *ex, *abut_ex; + ext4_lblk_t ee_block, eof_block; + unsigned int ee_len, depth, map_len = map->m_len; +- int allocated = 0, max_zeroout = 0; + int err = 0; + int split_flag = EXT4_EXT_DATA_VALID2; ++ int allocated = 0; ++ unsigned int max_zeroout = 0; + + ext_debug("ext4_ext_convert_to_initialized: inode %lu, logical" + "block %llu, max_blocks %u\n", inode->i_ino, +-- +2.43.0 + diff --git a/queue-5.4/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch b/queue-5.4/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch new file mode 100644 index 00000000000..46edf4b96a2 --- /dev/null +++ b/queue-5.4/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch @@ -0,0 +1,50 @@ +From 0bb70e209ab70aa47ae26c385612cb453b835ba1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 19:59:54 +0800 +Subject: f2fs: fix to do sanity check in update_sit_entry + +From: Zhiguo Niu + +[ Upstream commit 36959d18c3cf09b3c12157c6950e18652067de77 ] + +If GET_SEGNO return NULL_SEGNO for some unecpected case, +update_sit_entry will access invalid memory address, +cause system crash. It is better to do sanity check about +GET_SEGNO just like update_segment_mtime & locate_dirty_segment. + +Also remove some redundant judgment code. + +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index e43b57755a7fe..da37e2b8a0ec7 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -2131,6 +2131,8 @@ static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del) + #endif + + segno = GET_SEGNO(sbi, blkaddr); ++ if (segno == NULL_SEGNO) ++ return; + + se = get_seg_entry(sbi, segno); + new_vblocks = se->valid_blocks + del; +@@ -3113,8 +3115,7 @@ void f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page, + * since SSR needs latest valid block information. + */ + update_sit_entry(sbi, *new_blkaddr, 1); +- if (GET_SEGNO(sbi, old_blkaddr) != NULL_SEGNO) +- update_sit_entry(sbi, old_blkaddr, -1); ++ update_sit_entry(sbi, old_blkaddr, -1); + + if (!__has_curseg_space(sbi, type)) + sit_i->s_ops->allocate_segment(sbi, type, false); +-- +2.43.0 + diff --git a/queue-5.4/fbdev-offb-replace-of_node_put-with-__free-device_no.patch b/queue-5.4/fbdev-offb-replace-of_node_put-with-__free-device_no.patch new file mode 100644 index 00000000000..c62cf31ebbe --- /dev/null +++ b/queue-5.4/fbdev-offb-replace-of_node_put-with-__free-device_no.patch @@ -0,0 +1,45 @@ +From da3edf472393103b800f9fb7a9ab5cd1f4e2a955 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 21:20:21 -0400 +Subject: fbdev: offb: replace of_node_put with __free(device_node) + +From: Abdulrasaq Lawani + +[ Upstream commit ce4a7ae84a58b9f33aae8d6c769b3c94f3d5ce76 ] + +Replaced instance of of_node_put with __free(device_node) +to simplify code and protect against any memory leaks +due to future changes in the control flow. + +Suggested-by: Julia Lawall +Signed-off-by: Abdulrasaq Lawani +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/offb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/offb.c b/drivers/video/fbdev/offb.c +index fbc6eafb63c77..fcff3601b05cc 100644 +--- a/drivers/video/fbdev/offb.c ++++ b/drivers/video/fbdev/offb.c +@@ -354,7 +354,7 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp + par->cmap_type = cmap_gxt2000; + } else if (of_node_name_prefix(dp, "vga,Display-")) { + /* Look for AVIVO initialized by SLOF */ +- struct device_node *pciparent = of_get_parent(dp); ++ struct device_node *pciparent __free(device_node) = of_get_parent(dp); + const u32 *vid, *did; + vid = of_get_property(pciparent, "vendor-id", NULL); + did = of_get_property(pciparent, "device-id", NULL); +@@ -366,7 +366,6 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp + if (par->cmap_adr) + par->cmap_type = cmap_avivo; + } +- of_node_put(pciparent); + } else if (dp && of_device_is_compatible(dp, "qemu,std-vga")) { + #ifdef __BIG_ENDIAN + const __be32 io_of_addr[3] = { 0x01000000, 0x0, 0x0 }; +-- +2.43.0 + diff --git a/queue-5.4/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch b/queue-5.4/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch new file mode 100644 index 00000000000..7112adf0dd1 --- /dev/null +++ b/queue-5.4/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch @@ -0,0 +1,43 @@ +From e10c2b2cd84485322b58cad587413e1488a0b405 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 07:06:37 -0800 +Subject: fs: binfmt_elf_efpic: don't use missing interpreter's properties + +From: Max Filippov + +[ Upstream commit 15fd1dc3dadb4268207fa6797e753541aca09a2a ] + +Static FDPIC executable may get an executable stack even when it has +non-executable GNU_STACK segment. This happens when STACK segment has rw +permissions, but does not specify stack size. In that case FDPIC loader +uses permissions of the interpreter's stack, and for static executables +with no interpreter it results in choosing the arch-default permissions +for the stack. + +Fix that by using the interpreter's properties only when the interpreter +is actually used. + +Signed-off-by: Max Filippov +Link: https://lore.kernel.org/r/20240118150637.660461-1-jcmvbkbc@gmail.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf_fdpic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c +index 28aef31a6e6f2..aeeba59fa7342 100644 +--- a/fs/binfmt_elf_fdpic.c ++++ b/fs/binfmt_elf_fdpic.c +@@ -320,7 +320,7 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm) + else + executable_stack = EXSTACK_DEFAULT; + +- if (stack_size == 0) { ++ if (stack_size == 0 && interp_params.flags & ELF_FDPIC_FLAG_PRESENT) { + stack_size = interp_params.stack_size; + if (interp_params.flags & ELF_FDPIC_FLAG_EXEC_STACK) + executable_stack = EXSTACK_ENABLE_X; +-- +2.43.0 + diff --git a/queue-5.4/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch b/queue-5.4/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch new file mode 100644 index 00000000000..24371c4890e --- /dev/null +++ b/queue-5.4/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch @@ -0,0 +1,44 @@ +From 511dc15d619e3a9d3e62003f7f2e192afe91e81e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2024 21:31:36 +0800 +Subject: hrtimer: Prevent queuing of hrtimer without a function callback + +From: Phil Chang + +[ Upstream commit 5a830bbce3af16833fe0092dec47b6dd30279825 ] + +The hrtimer function callback must not be NULL. It has to be specified by +the call side but it is not validated by the hrtimer code. When a hrtimer +is queued without a function callback, the kernel crashes with a null +pointer dereference when trying to execute the callback in __run_hrtimer(). + +Introduce a validation before queuing the hrtimer in +hrtimer_start_range_ns(). + +[anna-maria: Rephrase commit message] + +Signed-off-by: Phil Chang +Signed-off-by: Anna-Maria Behnsen +Signed-off-by: Thomas Gleixner +Reviewed-by: Anna-Maria Behnsen +Signed-off-by: Sasha Levin +--- + kernel/time/hrtimer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 1b301dd1692b8..2e4f136bdf6ab 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1183,6 +1183,8 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, + struct hrtimer_clock_base *base; + unsigned long flags; + ++ if (WARN_ON_ONCE(!timer->function)) ++ return; + /* + * Check whether the HRTIMER_MODE_SOFT bit and hrtimer.is_soft + * match on CONFIG_PREEMPT_RT = n. With PREEMPT_RT check the hard +-- +2.43.0 + diff --git a/queue-5.4/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch b/queue-5.4/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch new file mode 100644 index 00000000000..9957f177dfb --- /dev/null +++ b/queue-5.4/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch @@ -0,0 +1,41 @@ +From 5ca1ee6e93d19596cc9075e4d37f46a0af9a641e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 14:10:53 +0800 +Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc + +From: Guanrui Huang + +[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ] + +This BUG_ON() is useless, because the same effect will be obtained +by letting the code run its course and vm being dereferenced, +triggering an exception. + +So just remove this check. + +Signed-off-by: Guanrui Huang +Signed-off-by: Thomas Gleixner +Reviewed-by: Zenghui Yu +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index d16776c6dee7b..ae3378ef469b0 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -3085,8 +3085,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq + struct page *vprop_page; + int base, nr_ids, i, err = 0; + +- BUG_ON(!vm); +- + bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids); + if (!bitmap) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-5.4/md-clean-up-invalid-bug_on-in-md_ioctl.patch b/queue-5.4/md-clean-up-invalid-bug_on-in-md_ioctl.patch new file mode 100644 index 00000000000..34bc394bd53 --- /dev/null +++ b/queue-5.4/md-clean-up-invalid-bug_on-in-md_ioctl.patch @@ -0,0 +1,42 @@ +From b25b3bb5ae3d8d2375d622e80b22a07df652d5c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 11:14:38 +0800 +Subject: md: clean up invalid BUG_ON in md_ioctl + +From: Li Nan + +[ Upstream commit 9dd8702e7cd28ebf076ff838933f29cf671165ec ] + +'disk->private_data' is set to mddev in md_alloc() and never set to NULL, +and users need to open mddev before submitting ioctl. So mddev must not +have been freed during ioctl, and there is no need to check mddev here. +Clean up it. + +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20240226031444.3606764-4-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 61c3e8df1b55b..e5f3010debb85 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7396,11 +7396,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + + mddev = bdev->bd_disk->private_data; + +- if (!mddev) { +- BUG(); +- goto out; +- } +- + /* Some actions do not requires the mutex */ + switch (cmd) { + case GET_ARRAY_INFO: +-- +2.43.0 + diff --git a/queue-5.4/media-pci-cx23885-check-cx23885_vdev_init-return.patch b/queue-5.4/media-pci-cx23885-check-cx23885_vdev_init-return.patch new file mode 100644 index 00000000000..3b8160be1fe --- /dev/null +++ b/queue-5.4/media-pci-cx23885-check-cx23885_vdev_init-return.patch @@ -0,0 +1,50 @@ +From dbbb93f1e84ae769faed5370ef502113fba54e92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 08:58:49 +0200 +Subject: media: pci: cx23885: check cx23885_vdev_init() return + +From: Hans Verkuil + +[ Upstream commit 15126b916e39b0cb67026b0af3c014bfeb1f76b3 ] + +cx23885_vdev_init() can return a NULL pointer, but that pointer +is used in the next line without a check. + +Add a NULL pointer check and go to the error unwind if it is NULL. + +Signed-off-by: Hans Verkuil +Reported-by: Sicong Huang +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx23885/cx23885-video.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c +index 90224a9947022..e4e295067a7ee 100644 +--- a/drivers/media/pci/cx23885/cx23885-video.c ++++ b/drivers/media/pci/cx23885/cx23885-video.c +@@ -1299,6 +1299,10 @@ int cx23885_video_register(struct cx23885_dev *dev) + /* register Video device */ + dev->video_dev = cx23885_vdev_init(dev, dev->pci, + &cx23885_video_template, "video"); ++ if (!dev->video_dev) { ++ err = -ENOMEM; ++ goto fail_unreg; ++ } + dev->video_dev->queue = &dev->vb2_vidq; + dev->video_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING | + V4L2_CAP_AUDIO | V4L2_CAP_VIDEO_CAPTURE; +@@ -1317,6 +1321,10 @@ int cx23885_video_register(struct cx23885_dev *dev) + /* register VBI device */ + dev->vbi_dev = cx23885_vdev_init(dev, dev->pci, + &cx23885_vbi_template, "vbi"); ++ if (!dev->vbi_dev) { ++ err = -ENOMEM; ++ goto fail_unreg; ++ } + dev->vbi_dev->queue = &dev->vb2_vbiq; + dev->vbi_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING | + V4L2_CAP_AUDIO | V4L2_CAP_VBI_CAPTURE; +-- +2.43.0 + diff --git a/queue-5.4/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch b/queue-5.4/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch new file mode 100644 index 00000000000..27b3de5b1fb --- /dev/null +++ b/queue-5.4/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch @@ -0,0 +1,51 @@ +From c90114e73df4072e96311d7bd10076579a275791 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 08:16:54 -0800 +Subject: net/sun3_82586: Avoid reading past buffer in debug output + +From: Kees Cook + +[ Upstream commit 4bea747f3fbec33c16d369b2f51e55981d7c78d0 ] + +Since NUM_XMIT_BUFFS is always 1, building m68k with sun3_defconfig and +-Warraybounds, this build warning is visible[1]: + +drivers/net/ethernet/i825xx/sun3_82586.c: In function 'sun3_82586_timeout': +drivers/net/ethernet/i825xx/sun3_82586.c:990:122: warning: array subscript 1 is above array bounds of 'volatile struct transmit_cmd_struct *[1]' [-Warray-bounds=] + 990 | printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status)); + | ~~~~~~~~~~~~^~~ +... +drivers/net/ethernet/i825xx/sun3_82586.c:156:46: note: while referencing 'xmit_cmds' + 156 | volatile struct transmit_cmd_struct *xmit_cmds[NUM_XMIT_BUFFS]; + +Avoid accessing index 1 since it doesn't exist. + +Link: https://github.com/KSPP/linux/issues/325 [1] +Cc: Sam Creasey +Signed-off-by: Kees Cook +Reviewed-by: Simon Horman +Tested-by: Simon Horman # build-tested +Reviewed-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/20240206161651.work.876-kees@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/i825xx/sun3_82586.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/i825xx/sun3_82586.c b/drivers/net/ethernet/i825xx/sun3_82586.c +index 1a86184d44c0a..e0c9fee4e1e65 100644 +--- a/drivers/net/ethernet/i825xx/sun3_82586.c ++++ b/drivers/net/ethernet/i825xx/sun3_82586.c +@@ -990,7 +990,7 @@ static void sun3_82586_timeout(struct net_device *dev) + { + #ifdef DEBUG + printk("%s: xmitter timed out, try to restart! stat: %02x\n",dev->name,p->scb->cus); +- printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status)); ++ printk("%s: command-stats: %04x\n", dev->name, swab16(p->xmit_cmds[0]->cmd_status)); + printk("%s: check, whether you set the right interrupt number!\n",dev->name); + #endif + sun3_82586_close(dev); +-- +2.43.0 + diff --git a/queue-5.4/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch b/queue-5.4/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch new file mode 100644 index 00000000000..d4d60195ec7 --- /dev/null +++ b/queue-5.4/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch @@ -0,0 +1,49 @@ +From d2cc55ebf365e0ca473a530dfc5cc9e154cb1315 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 11:24:53 +1100 +Subject: NFS: avoid infinite loop in pnfs_update_layout. + +From: NeilBrown + +[ Upstream commit 2fdbc20036acda9e5694db74a032d3c605323005 ] + +If pnfsd_update_layout() is called on a file for which recovery has +failed it will enter a tight infinite loop. + +NFS_LAYOUT_INVALID_STID will be set, nfs4_select_rw_stateid() will +return -EIO, and nfs4_schedule_stateid_recovery() will do nothing, so +nfs4_client_recover_expired_lease() will not wait. So the code will +loop indefinitely. + +Break the loop by testing the validity of the open stateid at the top of +the loop. + +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index 3b19fa74b0620..3f7d905d7528d 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1953,6 +1953,14 @@ pnfs_update_layout(struct inode *ino, + } + + lookup_again: ++ if (!nfs4_valid_open_stateid(ctx->state)) { ++ trace_pnfs_update_layout(ino, pos, count, ++ iomode, lo, lseg, ++ PNFS_UPDATE_LAYOUT_INVALID_OPEN); ++ lseg = ERR_PTR(-EIO); ++ goto out; ++ } ++ + lseg = ERR_PTR(nfs4_client_recover_expired_lease(clp)); + if (IS_ERR(lseg)) + goto out; +-- +2.43.0 + diff --git a/queue-5.4/nvme-clear-caller-pointer-on-identify-failure.patch b/queue-5.4/nvme-clear-caller-pointer-on-identify-failure.patch new file mode 100644 index 00000000000..4d12b18a477 --- /dev/null +++ b/queue-5.4/nvme-clear-caller-pointer-on-identify-failure.patch @@ -0,0 +1,46 @@ +From d6b801dd4fdee49c4a43e77e6d7fd48a9f0f3cba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 06:20:30 -0800 +Subject: nvme: clear caller pointer on identify failure + +From: Keith Busch + +[ Upstream commit 7e80eb792bd7377a20f204943ac31c77d859be89 ] + +The memory allocated for the identification is freed on failure. Set +it to NULL so the caller doesn't have a pointer to that freed address. + +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 9144ed14b0741..0676637e1eab6 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1080,8 +1080,10 @@ static int nvme_identify_ctrl(struct nvme_ctrl *dev, struct nvme_id_ctrl **id) + + error = nvme_submit_sync_cmd(dev->admin_q, &c, *id, + sizeof(struct nvme_id_ctrl)); +- if (error) ++ if (error) { + kfree(*id); ++ *id = NULL; ++ } + return error; + } + +@@ -1193,6 +1195,7 @@ static int nvme_identify_ns(struct nvme_ctrl *ctrl, + if (error) { + dev_warn(ctrl->device, "Identify namespace failed (%d)\n", error); + kfree(*id); ++ *id = NULL; + } + + return error; +-- +2.43.0 + diff --git a/queue-5.4/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch b/queue-5.4/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch new file mode 100644 index 00000000000..fffa268e3b3 --- /dev/null +++ b/queue-5.4/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch @@ -0,0 +1,85 @@ +From 1cc2c07a3c3b446a964ebd2424dc435071e4fed2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 10:53:06 +0300 +Subject: nvmet-rdma: fix possible bad dereference when freeing rsps + +From: Sagi Grimberg + +[ Upstream commit 73964c1d07c054376f1b32a62548571795159148 ] + +It is possible that the host connected and saw a cm established +event and started sending nvme capsules on the qp, however the +ctrl did not yet see an established event. This is why the +rsp_wait_list exists (for async handling of these cmds, we move +them to a pending list). + +Furthermore, it is possible that the ctrl cm times out, resulting +in a connect-error cm event. in this case we hit a bad deref [1] +because in nvmet_rdma_free_rsps we assume that all the responses +are in the free list. + +We are freeing the cmds array anyways, so don't even bother to +remove the rsp from the free_list. It is also guaranteed that we +are not racing anything when we are releasing the queue so no +other context accessing this array should be running. + +[1]: +-- +Workqueue: nvmet-free-wq nvmet_rdma_free_queue_work [nvmet_rdma] +[...] +pc : nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma] +lr : nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma] + Call trace: + nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma] + nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma] + process_one_work+0x1ec/0x4a0 + worker_thread+0x48/0x490 + kthread+0x158/0x160 + ret_from_fork+0x10/0x18 +-- + +Signed-off-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/rdma.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c +index 50e2007092bc0..ae41b6001c7e2 100644 +--- a/drivers/nvme/target/rdma.c ++++ b/drivers/nvme/target/rdma.c +@@ -428,12 +428,8 @@ nvmet_rdma_alloc_rsps(struct nvmet_rdma_queue *queue) + return 0; + + out_free: +- while (--i >= 0) { +- struct nvmet_rdma_rsp *rsp = &queue->rsps[i]; +- +- list_del(&rsp->free_list); +- nvmet_rdma_free_rsp(ndev, rsp); +- } ++ while (--i >= 0) ++ nvmet_rdma_free_rsp(ndev, &queue->rsps[i]); + kfree(queue->rsps); + out: + return ret; +@@ -444,12 +440,8 @@ static void nvmet_rdma_free_rsps(struct nvmet_rdma_queue *queue) + struct nvmet_rdma_device *ndev = queue->dev; + int i, nr_rsps = queue->recv_queue_size * 2; + +- for (i = 0; i < nr_rsps; i++) { +- struct nvmet_rdma_rsp *rsp = &queue->rsps[i]; +- +- list_del(&rsp->free_list); +- nvmet_rdma_free_rsp(ndev, rsp); +- } ++ for (i = 0; i < nr_rsps; i++) ++ nvmet_rdma_free_rsp(ndev, &queue->rsps[i]); + kfree(queue->rsps); + } + +-- +2.43.0 + diff --git a/queue-5.4/nvmet-tcp-do-not-continue-for-invalid-icreq.patch b/queue-5.4/nvmet-tcp-do-not-continue-for-invalid-icreq.patch new file mode 100644 index 00000000000..32aadaa3974 --- /dev/null +++ b/queue-5.4/nvmet-tcp-do-not-continue-for-invalid-icreq.patch @@ -0,0 +1,37 @@ +From 5bcda32312ccee3396b5703b6dc0429e91a65a5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 08:11:05 +0100 +Subject: nvmet-tcp: do not continue for invalid icreq + +From: Hannes Reinecke + +[ Upstream commit 0889d13b9e1cbef49e802ae09f3b516911ad82a1 ] + +When the length check for an icreq sqe fails we should not +continue processing but rather return immediately as all +other contents of that sqe cannot be relied on. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index d40bd57537ba1..fa6e7fbf356e7 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -792,6 +792,7 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue) + pr_err("bad nvme-tcp pdu length (%d)\n", + le32_to_cpu(icreq->hdr.plen)); + nvmet_tcp_fatal_error(queue); ++ return -EPROTO; + } + + if (icreq->pfv != NVME_TCP_PFV_1_0) { +-- +2.43.0 + diff --git a/queue-5.4/nvmet-trace-avoid-dereferencing-pointer-too-early.patch b/queue-5.4/nvmet-trace-avoid-dereferencing-pointer-too-early.patch new file mode 100644 index 00000000000..300808fdf75 --- /dev/null +++ b/queue-5.4/nvmet-trace-avoid-dereferencing-pointer-too-early.patch @@ -0,0 +1,141 @@ +From 8d880632f2000b80810f218507a7af0eba5dfbae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 16:30:51 +0100 +Subject: nvmet-trace: avoid dereferencing pointer too early + +From: Daniel Wagner + +[ Upstream commit 0e716cec6fb11a14c220ee17c404b67962e902f7 ] + +The first command issued from the host to the target is the fabrics +connect command. At this point, neither the target queue nor the +controller have been allocated. But we already try to trace this command +in nvmet_req_init. + +Reported by KASAN. + +Reviewed-by: Hannes Reinecke +Signed-off-by: Daniel Wagner +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/trace.c | 6 +++--- + drivers/nvme/target/trace.h | 28 +++++++++++++++++----------- + 2 files changed, 20 insertions(+), 14 deletions(-) + +diff --git a/drivers/nvme/target/trace.c b/drivers/nvme/target/trace.c +index 1373a3c67962a..a3564e12927b6 100644 +--- a/drivers/nvme/target/trace.c ++++ b/drivers/nvme/target/trace.c +@@ -195,7 +195,7 @@ const char *nvmet_trace_disk_name(struct trace_seq *p, char *name) + return ret; + } + +-const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl) ++const char *nvmet_trace_ctrl_id(struct trace_seq *p, u16 ctrl_id) + { + const char *ret = trace_seq_buffer_ptr(p); + +@@ -208,8 +208,8 @@ const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl) + * If we can know the extra data of the connect command in this stage, + * we can update this print statement later. + */ +- if (ctrl) +- trace_seq_printf(p, "%d", ctrl->cntlid); ++ if (ctrl_id) ++ trace_seq_printf(p, "%d", ctrl_id); + else + trace_seq_printf(p, "_"); + trace_seq_putc(p, 0); +diff --git a/drivers/nvme/target/trace.h b/drivers/nvme/target/trace.h +index 3f61b6657175e..5b00a338d52ca 100644 +--- a/drivers/nvme/target/trace.h ++++ b/drivers/nvme/target/trace.h +@@ -32,18 +32,24 @@ const char *nvmet_trace_parse_fabrics_cmd(struct trace_seq *p, u8 fctype, + nvmet_trace_parse_nvm_cmd(p, opcode, cdw10) : \ + nvmet_trace_parse_admin_cmd(p, opcode, cdw10))) + +-const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl); +-#define __print_ctrl_name(ctrl) \ +- nvmet_trace_ctrl_name(p, ctrl) ++const char *nvmet_trace_ctrl_id(struct trace_seq *p, u16 ctrl_id); ++#define __print_ctrl_id(ctrl_id) \ ++ nvmet_trace_ctrl_id(p, ctrl_id) + + const char *nvmet_trace_disk_name(struct trace_seq *p, char *name); + #define __print_disk_name(name) \ + nvmet_trace_disk_name(p, name) + + #ifndef TRACE_HEADER_MULTI_READ +-static inline struct nvmet_ctrl *nvmet_req_to_ctrl(struct nvmet_req *req) ++static inline u16 nvmet_req_to_ctrl_id(struct nvmet_req *req) + { +- return req->sq->ctrl; ++ /* ++ * The queue and controller pointers are not valid until an association ++ * has been established. ++ */ ++ if (!req->sq || !req->sq->ctrl) ++ return 0; ++ return req->sq->ctrl->cntlid; + } + + static inline void __assign_req_name(char *name, struct nvmet_req *req) +@@ -60,7 +66,7 @@ TRACE_EVENT(nvmet_req_init, + TP_ARGS(req, cmd), + TP_STRUCT__entry( + __field(struct nvme_command *, cmd) +- __field(struct nvmet_ctrl *, ctrl) ++ __field(u16, ctrl_id) + __array(char, disk, DISK_NAME_LEN) + __field(int, qid) + __field(u16, cid) +@@ -73,7 +79,7 @@ TRACE_EVENT(nvmet_req_init, + ), + TP_fast_assign( + __entry->cmd = cmd; +- __entry->ctrl = nvmet_req_to_ctrl(req); ++ __entry->ctrl_id = nvmet_req_to_ctrl_id(req); + __assign_req_name(__entry->disk, req); + __entry->qid = req->sq->qid; + __entry->cid = cmd->common.command_id; +@@ -87,7 +93,7 @@ TRACE_EVENT(nvmet_req_init, + ), + TP_printk("nvmet%s: %sqid=%d, cmdid=%u, nsid=%u, flags=%#x, " + "meta=%#llx, cmd=(%s, %s)", +- __print_ctrl_name(__entry->ctrl), ++ __print_ctrl_id(__entry->ctrl_id), + __print_disk_name(__entry->disk), + __entry->qid, __entry->cid, __entry->nsid, + __entry->flags, __entry->metadata, +@@ -101,7 +107,7 @@ TRACE_EVENT(nvmet_req_complete, + TP_PROTO(struct nvmet_req *req), + TP_ARGS(req), + TP_STRUCT__entry( +- __field(struct nvmet_ctrl *, ctrl) ++ __field(u16, ctrl_id) + __array(char, disk, DISK_NAME_LEN) + __field(int, qid) + __field(int, cid) +@@ -109,7 +115,7 @@ TRACE_EVENT(nvmet_req_complete, + __field(u16, status) + ), + TP_fast_assign( +- __entry->ctrl = nvmet_req_to_ctrl(req); ++ __entry->ctrl_id = nvmet_req_to_ctrl_id(req); + __entry->qid = req->cq->qid; + __entry->cid = req->cqe->command_id; + __entry->result = le64_to_cpu(req->cqe->result.u64); +@@ -117,7 +123,7 @@ TRACE_EVENT(nvmet_req_complete, + __assign_req_name(__entry->disk, req); + ), + TP_printk("nvmet%s: %sqid=%d, cmdid=%u, res=%#llx, status=%#x", +- __print_ctrl_name(__entry->ctrl), ++ __print_ctrl_id(__entry->ctrl_id), + __print_disk_name(__entry->disk), + __entry->qid, __entry->cid, __entry->result, __entry->status) + +-- +2.43.0 + diff --git a/queue-5.4/openrisc-call-setup_memory-earlier-in-the-init-seque.patch b/queue-5.4/openrisc-call-setup_memory-earlier-in-the-init-seque.patch new file mode 100644 index 00000000000..262649d1c13 --- /dev/null +++ b/queue-5.4/openrisc-call-setup_memory-earlier-in-the-init-seque.patch @@ -0,0 +1,54 @@ +From 01824c19d9904a72a807cb76b9cb64272a019a0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Feb 2024 16:29:30 -0800 +Subject: openrisc: Call setup_memory() earlier in the init sequence + +From: Oreoluwa Babatunde + +[ Upstream commit 7b432bf376c9c198a7ff48f1ed14a14c0ffbe1fe ] + +The unflatten_and_copy_device_tree() function contains a call to +memblock_alloc(). This means that memblock is allocating memory before +any of the reserved memory regions are set aside in the setup_memory() +function which calls early_init_fdt_scan_reserved_mem(). Therefore, +there is a possibility for memblock to allocate from any of the +reserved memory regions. + +Hence, move the call to setup_memory() to be earlier in the init +sequence so that the reserved memory regions are set aside before any +allocations are done using memblock. + +Signed-off-by: Oreoluwa Babatunde +Signed-off-by: Stafford Horne +Signed-off-by: Sasha Levin +--- + arch/openrisc/kernel/setup.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/openrisc/kernel/setup.c b/arch/openrisc/kernel/setup.c +index ae104eb4becc7..bd0ba3157d515 100644 +--- a/arch/openrisc/kernel/setup.c ++++ b/arch/openrisc/kernel/setup.c +@@ -280,6 +280,9 @@ void calibrate_delay(void) + + void __init setup_arch(char **cmdline_p) + { ++ /* setup memblock allocator */ ++ setup_memory(); ++ + unflatten_and_copy_device_tree(); + + setup_cpuinfo(); +@@ -304,9 +307,6 @@ void __init setup_arch(char **cmdline_p) + initrd_below_start_ok = 1; + #endif + +- /* setup memblock allocator */ +- setup_memory(); +- + /* paging_init() sets up the MMU and marks all pages as reserved */ + paging_init(); + +-- +2.43.0 + diff --git a/queue-5.4/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch b/queue-5.4/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch new file mode 100644 index 00000000000..90a5e0d20be --- /dev/null +++ b/queue-5.4/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch @@ -0,0 +1,60 @@ +From 11c92a40903910f237644097a6d1cc46e5a019e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 23:16:00 +0100 +Subject: parisc: Use irq_enter_rcu() to fix warning at + kernel/context_tracking.c:367 + +From: Helge Deller + +[ Upstream commit 73cb4a2d8d7e0259f94046116727084f21e4599f ] + +Use irq*_rcu() functions to fix this kernel warning: + + WARNING: CPU: 0 PID: 0 at kernel/context_tracking.c:367 ct_irq_enter+0xa0/0xd0 + Modules linked in: + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc3-64bit+ #1037 + Hardware name: 9000/785/C3700 + + IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000412cd758 00000000412cd75c + IIR: 03ffe01f ISR: 0000000000000000 IOR: 0000000043c20c20 + CPU: 0 CR30: 0000000041caa000 CR31: 0000000000000000 + ORIG_R28: 0000000000000005 + IAOQ[0]: ct_irq_enter+0xa0/0xd0 + IAOQ[1]: ct_irq_enter+0xa4/0xd0 + RP(r2): irq_enter+0x34/0x68 + Backtrace: + [<000000004034a3ec>] irq_enter+0x34/0x68 + [<000000004030dc48>] do_cpu_irq_mask+0xc0/0x450 + [<0000000040303070>] intr_return+0x0/0xc + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/irq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c +index b4aa5af943ba5..c4c06bcd04835 100644 +--- a/arch/parisc/kernel/irq.c ++++ b/arch/parisc/kernel/irq.c +@@ -520,7 +520,7 @@ void do_cpu_irq_mask(struct pt_regs *regs) + + old_regs = set_irq_regs(regs); + local_irq_disable(); +- irq_enter(); ++ irq_enter_rcu(); + + eirr_val = mfctl(23) & cpu_eiem & per_cpu(local_ack_eiem, cpu); + if (!eirr_val) +@@ -555,7 +555,7 @@ void do_cpu_irq_mask(struct pt_regs *regs) + #endif /* CONFIG_IRQSTACKS */ + + out: +- irq_exit(); ++ irq_exit_rcu(); + set_irq_regs(old_regs); + return; + +-- +2.43.0 + diff --git a/queue-5.4/powerpc-boot-handle-allocation-failure-in-simple_rea.patch b/queue-5.4/powerpc-boot-handle-allocation-failure-in-simple_rea.patch new file mode 100644 index 00000000000..c2772128565 --- /dev/null +++ b/queue-5.4/powerpc-boot-handle-allocation-failure-in-simple_rea.patch @@ -0,0 +1,39 @@ +From 71ce334380aec84d5b2186531df70337e9ef5857 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Dec 2022 10:18:16 +0800 +Subject: powerpc/boot: Handle allocation failure in simple_realloc() + +From: Li zeming + +[ Upstream commit 69b0194ccec033c208b071e019032c1919c2822d ] + +simple_malloc() will return NULL when there is not enough memory left. +Check pointer 'new' before using it to copy the old data. + +Signed-off-by: Li zeming +[mpe: Reword subject, use change log from Christophe] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20221219021816.3012-1-zeming@nfschina.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/simple_alloc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c +index 65ec135d01579..188c4f996512a 100644 +--- a/arch/powerpc/boot/simple_alloc.c ++++ b/arch/powerpc/boot/simple_alloc.c +@@ -114,7 +114,9 @@ static void *simple_realloc(void *ptr, unsigned long size) + return ptr; + + new = simple_malloc(size); +- memcpy(new, ptr, p->size); ++ if (new) ++ memcpy(new, ptr, p->size); ++ + simple_free(ptr); + return new; + } +-- +2.43.0 + diff --git a/queue-5.4/powerpc-boot-only-free-if-realloc-succeeds.patch b/queue-5.4/powerpc-boot-only-free-if-realloc-succeeds.patch new file mode 100644 index 00000000000..03f257f1ab4 --- /dev/null +++ b/queue-5.4/powerpc-boot-only-free-if-realloc-succeeds.patch @@ -0,0 +1,43 @@ +From e9098cc97d6c1b8861602a428a8728c6b019be3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Feb 2024 22:51:49 +1100 +Subject: powerpc/boot: Only free if realloc() succeeds + +From: Michael Ellerman + +[ Upstream commit f2d5bccaca3e8c09c9b9c8485375f7bdbb2631d2 ] + +simple_realloc() frees the original buffer (ptr) even if the +reallocation failed. + +Fix it to behave like standard realloc() and only free the original +buffer if the reallocation succeeded. + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240229115149.749264-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/simple_alloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c +index 188c4f996512a..bc99f75b8582d 100644 +--- a/arch/powerpc/boot/simple_alloc.c ++++ b/arch/powerpc/boot/simple_alloc.c +@@ -114,10 +114,11 @@ static void *simple_realloc(void *ptr, unsigned long size) + return ptr; + + new = simple_malloc(size); +- if (new) ++ if (new) { + memcpy(new, ptr, p->size); ++ simple_free(ptr); ++ } + +- simple_free(ptr); + return new; + } + +-- +2.43.0 + diff --git a/queue-5.4/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch b/queue-5.4/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch new file mode 100644 index 00000000000..0c8df660355 --- /dev/null +++ b/queue-5.4/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch @@ -0,0 +1,38 @@ +From a0a35f789dbb7438187c07fe7d9fad18dd10ebc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 11:06:51 +0800 +Subject: powerpc/xics: Check return value of kasprintf in + icp_native_map_one_cpu + +From: Kunwu Chan + +[ Upstream commit 45b1ba7e5d1f6881050d558baf9bc74a2ae13930 ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. Ensure the allocation was successful +by checking the pointer validity. + +Signed-off-by: Kunwu Chan +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231122030651.3818-1-chentao@kylinos.cn +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xics/icp-native.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/sysdev/xics/icp-native.c b/arch/powerpc/sysdev/xics/icp-native.c +index 7d13d2ef5a905..66de291b27d08 100644 +--- a/arch/powerpc/sysdev/xics/icp-native.c ++++ b/arch/powerpc/sysdev/xics/icp-native.c +@@ -235,6 +235,8 @@ static int __init icp_native_map_one_cpu(int hw_id, unsigned long addr, + rname = kasprintf(GFP_KERNEL, "CPU %d [0x%x] Interrupt Presentation", + cpu, hw_id); + ++ if (!rname) ++ return -ENOMEM; + if (!request_mem_region(addr, size, rname)) { + pr_warn("icp_native: Could not reserve ICP MMIO for CPU %d, interrupt server #0x%x\n", + cpu, hw_id); +-- +2.43.0 + diff --git a/queue-5.4/quota-remove-bug_on-from-dqget.patch b/queue-5.4/quota-remove-bug_on-from-dqget.patch new file mode 100644 index 00000000000..a58cadae079 --- /dev/null +++ b/queue-5.4/quota-remove-bug_on-from-dqget.patch @@ -0,0 +1,40 @@ +From 448b8073ccc7f612b73723048ec226be5f70fe06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 13:34:08 +0200 +Subject: quota: Remove BUG_ON from dqget() + +From: Jan Kara + +[ Upstream commit 249f374eb9b6b969c64212dd860cc1439674c4a8 ] + +dqget() checks whether dquot->dq_sb is set when returning it using +BUG_ON. Firstly this doesn't work as an invalidation check for quite +some time (we release dquot with dq_sb set these days), secondly using +BUG_ON is quite harsh. Use WARN_ON_ONCE and check whether dquot is still +hashed instead. + +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index a7ddb874912d4..14c0dd5b65a43 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -986,9 +986,8 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid) + * smp_mb__before_atomic() in dquot_acquire(). + */ + smp_rmb(); +-#ifdef CONFIG_QUOTA_DEBUG +- BUG_ON(!dquot->dq_sb); /* Has somebody invalidated entry under us? */ +-#endif ++ /* Has somebody invalidated entry under us? */ ++ WARN_ON_ONCE(hlist_unhashed(&dquot->dq_hash)); + out: + if (empty) + do_destroy_dquot(empty); +-- +2.43.0 + diff --git a/queue-5.4/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch b/queue-5.4/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch new file mode 100644 index 00000000000..9b728e45dc8 --- /dev/null +++ b/queue-5.4/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch @@ -0,0 +1,38 @@ +From 7a6f2cb5f26fd4c2c31c590d3b0148b7e92d36d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 13:13:26 +0100 +Subject: s390/iucv: fix receive buffer virtual vs physical address confusion + +From: Alexander Gordeev + +[ Upstream commit 4e8477aeb46dfe74e829c06ea588dd00ba20c8cc ] + +Fix IUCV_IPBUFLST-type buffers virtual vs physical address confusion. +This does not fix a bug since virtual and physical address spaces are +currently the same. + +Signed-off-by: Alexander Gordeev +Reviewed-by: Alexandra Winter +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + net/iucv/iucv.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c +index f0364649186b9..dc85973479284 100644 +--- a/net/iucv/iucv.c ++++ b/net/iucv/iucv.c +@@ -1136,8 +1136,7 @@ static int iucv_message_receive_iprmdata(struct iucv_path *path, + size = (size < 8) ? size : 8; + for (array = buffer; size > 0; array++) { + copy = min_t(size_t, size, array->length); +- memcpy((u8 *)(addr_t) array->address, +- rmmsg, copy); ++ memcpy(phys_to_virt(array->address), rmmsg, copy); + rmmsg += copy; + size -= copy; + } +-- +2.43.0 + diff --git a/queue-5.4/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch b/queue-5.4/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch new file mode 100644 index 00000000000..8e309cb2148 --- /dev/null +++ b/queue-5.4/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch @@ -0,0 +1,41 @@ +From 64f8e58e588bc64a6efd214b48c1dd671e9d01be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 10:50:56 -0800 +Subject: scsi: lpfc: Initialize status local variable in + lpfc_sli4_repost_sgl_list() + +From: Justin Tee + +[ Upstream commit 3d0f9342ae200aa1ddc4d6e7a573c6f8f068d994 ] + +A static code analyzer tool indicates that the local variable called status +in the lpfc_sli4_repost_sgl_list() routine could be used to print garbage +uninitialized values in the routine's log message. + +Fix by initializing to zero. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240131185112.149731-2-justintee8345@gmail.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index e489c68cfb631..04b9a94f2f5e5 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -6902,7 +6902,7 @@ lpfc_sli4_repost_sgl_list(struct lpfc_hba *phba, + struct lpfc_sglq *sglq_entry = NULL; + struct lpfc_sglq *sglq_entry_next = NULL; + struct lpfc_sglq *sglq_entry_first = NULL; +- int status, total_cnt; ++ int status = 0, total_cnt; + int post_cnt = 0, num_posted = 0, block_cnt = 0; + int last_xritag = NO_XRI; + LIST_HEAD(prep_sgl_list); +-- +2.43.0 + diff --git a/queue-5.4/serial-pch-don-t-disable-interrupts-while-acquiring-.patch b/queue-5.4/serial-pch-don-t-disable-interrupts-while-acquiring-.patch new file mode 100644 index 00000000000..37e540dee50 --- /dev/null +++ b/queue-5.4/serial-pch-don-t-disable-interrupts-while-acquiring-.patch @@ -0,0 +1,52 @@ +From 31e0926dc36cbc9c0c3928681e1d15c93fdc262b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 22:45:28 +0100 +Subject: serial: pch: Don't disable interrupts while acquiring lock in ISR. + +From: Sebastian Andrzej Siewior + +[ Upstream commit f8ff23ebce8c305383c8070e1ea3b08a69eb1e8d ] + +The interrupt service routine is always invoked with disabled +interrupts. + +Remove the _irqsave() from the locking functions in the interrupts +service routine/ pch_uart_interrupt(). + +Signed-off-by: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/20240301215246.891055-16-bigeasy@linutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/pch_uart.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c +index 317067184bfa4..048851d663ca5 100644 +--- a/drivers/tty/serial/pch_uart.c ++++ b/drivers/tty/serial/pch_uart.c +@@ -1077,11 +1077,10 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id) + u8 lsr; + int ret = 0; + unsigned char iid; +- unsigned long flags; + int next = 1; + u8 msr; + +- spin_lock_irqsave(&priv->lock, flags); ++ spin_lock(&priv->lock); + handled = 0; + while (next) { + iid = pch_uart_hal_get_iid(priv); +@@ -1141,7 +1140,7 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id) + handled |= (unsigned int)ret; + } + +- spin_unlock_irqrestore(&priv->lock, flags); ++ spin_unlock(&priv->lock); + return IRQ_RETVAL(handled); + } + +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 8af68a666c5..2495bfb72c7 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -40,3 +40,37 @@ scsi-spi-fix-sshdr-use.patch gfs2-setattr_chown-add-missing-initialization.patch wifi-iwlwifi-abort-scan-when-rfkill-on-but-device-en.patch ib-hfi1-fix-potential-deadlock-on-irq_src_lock-and-d.patch +powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch +nvmet-trace-avoid-dereferencing-pointer-too-early.patch +ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch +quota-remove-bug_on-from-dqget.patch +media-pci-cx23885-check-cx23885_vdev_init-return.patch +fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch +scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch +net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch +drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch +virtiofs-forbid-newlines-in-tags.patch +md-clean-up-invalid-bug_on-in-md_ioctl.patch +x86-increase-brk-randomness-entropy-for-64-bit-syste.patch +parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch +serial-pch-don-t-disable-interrupts-while-acquiring-.patch +powerpc-boot-handle-allocation-failure-in-simple_rea.patch +powerpc-boot-only-free-if-realloc-succeeds.patch +btrfs-change-bug_on-to-assertion-when-checking-for-d.patch +btrfs-handle-invalid-root-reference-found-in-may_des.patch +btrfs-send-handle-unexpected-data-in-header-buffer-i.patch +btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch +f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch +usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch +nvme-clear-caller-pointer-on-identify-failure.patch +bluetooth-bnep-fix-out-of-bound-access.patch +nvmet-tcp-do-not-continue-for-invalid-icreq.patch +nfs-avoid-infinite-loop-in-pnfs_update_layout.patch +openrisc-call-setup_memory-earlier-in-the-init-seque.patch +s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch +usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch +fbdev-offb-replace-of_node_put-with-__free-device_no.patch +irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch +ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch +nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch +hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch diff --git a/queue-5.4/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch b/queue-5.4/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch new file mode 100644 index 00000000000..94b452573d0 --- /dev/null +++ b/queue-5.4/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch @@ -0,0 +1,71 @@ +From 04189db474048168da841a0820f4dbefb63d0c61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Apr 2024 10:18:55 +0530 +Subject: usb: dwc3: core: Skip setting event buffers for host only controllers + +From: Krishna Kurapati + +[ Upstream commit 89d7f962994604a3e3d480832788d06179abefc5 ] + +On some SoC's like SA8295P where the tertiary controller is host-only +capable, GEVTADDRHI/LO, GEVTSIZ, GEVTCOUNT registers are not accessible. +Trying to access them leads to a crash. + +For DRD/Peripheral supported controllers, event buffer setup is done +again in gadget_pullup. Skip setup or cleanup of event buffers if +controller is host-only capable. + +Suggested-by: Johan Hovold +Signed-off-by: Krishna Kurapati +Acked-by: Thinh Nguyen +Reviewed-by: Johan Hovold +Reviewed-by: Bjorn Andersson +Tested-by: Johan Hovold +Link: https://lore.kernel.org/r/20240420044901.884098-4-quic_kriskura@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 12e72e804278e..cbe475134b3c6 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -391,6 +391,13 @@ static void dwc3_free_event_buffers(struct dwc3 *dwc) + static int dwc3_alloc_event_buffers(struct dwc3 *dwc, unsigned length) + { + struct dwc3_event_buffer *evt; ++ unsigned int hw_mode; ++ ++ hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0); ++ if (hw_mode == DWC3_GHWPARAMS0_MODE_HOST) { ++ dwc->ev_buf = NULL; ++ return 0; ++ } + + evt = dwc3_alloc_one_event_buffer(dwc, length); + if (IS_ERR(evt)) { +@@ -412,6 +419,9 @@ int dwc3_event_buffers_setup(struct dwc3 *dwc) + { + struct dwc3_event_buffer *evt; + ++ if (!dwc->ev_buf) ++ return 0; ++ + evt = dwc->ev_buf; + evt->lpos = 0; + dwc3_writel(dwc->regs, DWC3_GEVNTADRLO(0), +@@ -429,6 +439,9 @@ void dwc3_event_buffers_cleanup(struct dwc3 *dwc) + { + struct dwc3_event_buffer *evt; + ++ if (!dwc->ev_buf) ++ return; ++ + evt = dwc->ev_buf; + + evt->lpos = 0; +-- +2.43.0 + diff --git a/queue-5.4/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch b/queue-5.4/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch new file mode 100644 index 00000000000..557343d3f3e --- /dev/null +++ b/queue-5.4/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch @@ -0,0 +1,40 @@ +From 6bc5815ea9bbc8b101748ef1039623304d3a6438 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 18:33:16 +0100 +Subject: usb: gadget: fsl: Increase size of name buffer for endpoints +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 87850f6cc20911e35eafcbc1d56b0d649ae9162d ] + +This fixes a W=1 warning about sprintf writing up to 16 bytes into a +buffer of size 14. There is no practical relevance because there are not +more than 32 endpoints. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/6754df25c56aae04f8110594fad2cd2452b1862a.1708709120.git.u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fsl_udc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c +index 9a05863b28768..6a4e206b1e2df 100644 +--- a/drivers/usb/gadget/udc/fsl_udc_core.c ++++ b/drivers/usb/gadget/udc/fsl_udc_core.c +@@ -2503,7 +2503,7 @@ static int fsl_udc_probe(struct platform_device *pdev) + /* setup the udc->eps[] for non-control endpoints and link + * to gadget.ep_list */ + for (i = 1; i < (int)(udc_controller->max_ep / 2); i++) { +- char name[14]; ++ char name[16]; + + sprintf(name, "ep%dout", i); + struct_ep_setup(udc_controller, i * 2, name, 1); +-- +2.43.0 + diff --git a/queue-5.4/virtiofs-forbid-newlines-in-tags.patch b/queue-5.4/virtiofs-forbid-newlines-in-tags.patch new file mode 100644 index 00000000000..b0ccf89c438 --- /dev/null +++ b/queue-5.4/virtiofs-forbid-newlines-in-tags.patch @@ -0,0 +1,44 @@ +From ce93a1a34b21d334a546a52950bccdb4b0414262 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Feb 2024 19:11:47 -0500 +Subject: virtiofs: forbid newlines in tags + +From: Stefan Hajnoczi + +[ Upstream commit 40488cc16f7ea0d193a4e248f0d809c25cc377db ] + +Newlines in virtiofs tags are awkward for users and potential vectors +for string injection attacks. + +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Vivek Goyal +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/fuse/virtio_fs.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c +index fadf6fb90fe22..48f144d083813 100644 +--- a/fs/fuse/virtio_fs.c ++++ b/fs/fuse/virtio_fs.c +@@ -237,6 +237,16 @@ static int virtio_fs_read_tag(struct virtio_device *vdev, struct virtio_fs *fs) + return -ENOMEM; + memcpy(fs->tag, tag_buf, len); + fs->tag[len] = '\0'; ++ ++ /* While the VIRTIO specification allows any character, newlines are ++ * awkward on mount(8) command-lines and cause problems in the sysfs ++ * "tag" attr and uevent TAG= properties. Forbid them. ++ */ ++ if (strchr(fs->tag, '\n')) { ++ dev_dbg(&vdev->dev, "refusing virtiofs tag with newline character\n"); ++ return -EINVAL; ++ } ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-5.4/x86-increase-brk-randomness-entropy-for-64-bit-syste.patch b/queue-5.4/x86-increase-brk-randomness-entropy-for-64-bit-syste.patch new file mode 100644 index 00000000000..159a47a1a62 --- /dev/null +++ b/queue-5.4/x86-increase-brk-randomness-entropy-for-64-bit-syste.patch @@ -0,0 +1,47 @@ +From 887edd139a09098ecf50947f0eceb3b5465674ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 22:25:43 -0800 +Subject: x86: Increase brk randomness entropy for 64-bit systems + +From: Kees Cook + +[ Upstream commit 44c76825d6eefee9eb7ce06c38e1a6632ac7eb7d ] + +In commit c1d171a00294 ("x86: randomize brk"), arch_randomize_brk() was +defined to use a 32MB range (13 bits of entropy), but was never increased +when moving to 64-bit. The default arch_randomize_brk() uses 32MB for +32-bit tasks, and 1GB (18 bits of entropy) for 64-bit tasks. + +Update x86_64 to match the entropy used by arm64 and other 64-bit +architectures. + +Reported-by: y0un9n132@gmail.com +Signed-off-by: Kees Cook +Signed-off-by: Thomas Gleixner +Acked-by: Jiri Kosina +Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/ +Link: https://lore.kernel.org/r/20240217062545.1631668-1-keescook@chromium.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/process.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index b8de27bb6e09c..c402b079b74e8 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -793,7 +793,10 @@ unsigned long arch_align_stack(unsigned long sp) + + unsigned long arch_randomize_brk(struct mm_struct *mm) + { +- return randomize_page(mm->brk, 0x02000000); ++ if (mmap_is_ia32()) ++ return randomize_page(mm->brk, SZ_32M); ++ ++ return randomize_page(mm->brk, SZ_1G); + } + + /* +-- +2.43.0 +