From: Sasha Levin Date: Wed, 21 Aug 2024 13:31:16 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v6.1.107~101 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=524503f15d13f57ceb3ab7b957b74febd4cf6708;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/afs-fix-__afs_break_callback-afs_drop_open_mmap-race.patch b/queue-5.15/afs-fix-__afs_break_callback-afs_drop_open_mmap-race.patch new file mode 100644 index 00000000000..cf567679220 --- /dev/null +++ b/queue-5.15/afs-fix-__afs_break_callback-afs_drop_open_mmap-race.patch @@ -0,0 +1,57 @@ +From 0164c21a453f20a4f1b241b85977373627c35038 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Sep 2023 20:24:34 -0400 +Subject: afs: fix __afs_break_callback() / afs_drop_open_mmap() race + +From: Al Viro + +[ Upstream commit 275655d3207b9e65d1561bf21c06a622d9ec1d43 ] + +In __afs_break_callback() we might check ->cb_nr_mmap and if it's non-zero +do queue_work(&vnode->cb_work). In afs_drop_open_mmap() we decrement +->cb_nr_mmap and do flush_work(&vnode->cb_work) if it reaches zero. + +The trouble is, there's nothing to prevent __afs_break_callback() from +seeing ->cb_nr_mmap before the decrement and do queue_work() after both +the decrement and flush_work(). If that happens, we might be in trouble - +vnode might get freed before the queued work runs. + +__afs_break_callback() is always done under ->cb_lock, so let's make +sure that ->cb_nr_mmap can change from non-zero to zero while holding +->cb_lock (the spinlock component of it - it's a seqlock and we don't +need to mess with the counter). + +Acked-by: Christian Brauner +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/afs/file.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/file.c b/fs/afs/file.c +index b165377179c3c..6774e1fcf7c5c 100644 +--- a/fs/afs/file.c ++++ b/fs/afs/file.c +@@ -512,13 +512,17 @@ static void afs_add_open_mmap(struct afs_vnode *vnode) + + static void afs_drop_open_mmap(struct afs_vnode *vnode) + { +- if (!atomic_dec_and_test(&vnode->cb_nr_mmap)) ++ if (atomic_add_unless(&vnode->cb_nr_mmap, -1, 1)) + return; + + down_write(&vnode->volume->cell->fs_open_mmaps_lock); + +- if (atomic_read(&vnode->cb_nr_mmap) == 0) ++ read_seqlock_excl(&vnode->cb_lock); ++ // the only place where ->cb_nr_mmap may hit 0 ++ // see __afs_break_callback() for the other side... ++ if (atomic_dec_and_test(&vnode->cb_nr_mmap)) + list_del_init(&vnode->cb_mmap_link); ++ read_sequnlock_excl(&vnode->cb_lock); + + up_write(&vnode->volume->cell->fs_open_mmaps_lock); + flush_work(&vnode->cb_work); +-- +2.43.0 + diff --git a/queue-5.15/bluetooth-bnep-fix-out-of-bound-access.patch b/queue-5.15/bluetooth-bnep-fix-out-of-bound-access.patch new file mode 100644 index 00000000000..0ff207c6955 --- /dev/null +++ b/queue-5.15/bluetooth-bnep-fix-out-of-bound-access.patch @@ -0,0 +1,38 @@ +From 65601c313afadfe32caee789c1bc76029ef9fa0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 12:11:08 -0500 +Subject: Bluetooth: bnep: Fix out-of-bound access + +From: Luiz Augusto von Dentz + +[ Upstream commit 0f0639b4d6f649338ce29c62da3ec0787fa08cd1 ] + +This fixes attempting to access past ethhdr.h_source, although it seems +intentional to copy also the contents of h_proto this triggers +out-of-bound access problems with the likes of static analyzer, so this +instead just copy ETH_ALEN and then proceed to use put_unaligned to copy +h_proto separetely. + +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/bnep/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c +index a796d72c7dbaa..8bb6c8ad11313 100644 +--- a/net/bluetooth/bnep/core.c ++++ b/net/bluetooth/bnep/core.c +@@ -385,7 +385,8 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb) + + case BNEP_COMPRESSED_DST_ONLY: + __skb_put_data(nskb, skb_mac_header(skb), ETH_ALEN); +- __skb_put_data(nskb, s->eh.h_source, ETH_ALEN + 2); ++ __skb_put_data(nskb, s->eh.h_source, ETH_ALEN); ++ put_unaligned(s->eh.h_proto, (__be16 *)__skb_put(nskb, 2)); + break; + + case BNEP_GENERAL: +-- +2.43.0 + diff --git a/queue-5.15/btrfs-change-bug_on-to-assertion-in-tree_move_down.patch b/queue-5.15/btrfs-change-bug_on-to-assertion-in-tree_move_down.patch new file mode 100644 index 00000000000..17566c33b18 --- /dev/null +++ b/queue-5.15/btrfs-change-bug_on-to-assertion-in-tree_move_down.patch @@ -0,0 +1,35 @@ +From 19b7f68b3d5bd999ef91d57b449a9416d46b42a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 23:06:46 +0100 +Subject: btrfs: change BUG_ON to assertion in tree_move_down() + +From: David Sterba + +[ Upstream commit 56f335e043ae73c32dbb70ba95488845dc0f1e6e ] + +There's only one caller of tree_move_down() that does not pass level 0 +so the assertion is better suited here. + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index 27a33dfa93212..577980b33aeb7 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -6882,8 +6882,8 @@ static int tree_move_down(struct btrfs_path *path, int *level, u64 reada_min_gen + u64 reada_done = 0; + + lockdep_assert_held_read(&parent->fs_info->commit_root_sem); ++ ASSERT(*level != 0); + +- BUG_ON(*level == 0); + eb = btrfs_read_node_slot(parent, slot); + if (IS_ERR(eb)) + return PTR_ERR(eb); +-- +2.43.0 + diff --git a/queue-5.15/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch b/queue-5.15/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch new file mode 100644 index 00000000000..5094d06201f --- /dev/null +++ b/queue-5.15/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch @@ -0,0 +1,36 @@ +From f686cc5b0c4c67295013055419fec8f744b3e6cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Jan 2024 02:26:32 +0100 +Subject: btrfs: change BUG_ON to assertion when checking for delayed_node root + +From: David Sterba + +[ Upstream commit be73f4448b607e6b7ce41cd8ef2214fdf6e7986f ] + +The pointer to root is initialized in btrfs_init_delayed_node(), no need +to check for it again. Change the BUG_ON to assertion. + +Reviewed-by: Josef Bacik +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/delayed-inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c +index 8d8b455992362..fa4a5053ca89a 100644 +--- a/fs/btrfs/delayed-inode.c ++++ b/fs/btrfs/delayed-inode.c +@@ -901,7 +901,7 @@ static void btrfs_release_delayed_inode(struct btrfs_delayed_node *delayed_node) + + if (delayed_node && + test_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags)) { +- BUG_ON(!delayed_node->root); ++ ASSERT(delayed_node->root); + clear_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags); + delayed_node->count--; + +-- +2.43.0 + diff --git a/queue-5.15/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch b/queue-5.15/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch new file mode 100644 index 00000000000..4dada435db5 --- /dev/null +++ b/queue-5.15/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch @@ -0,0 +1,40 @@ +From 7dde506ebc4a98e3ddc894d4d0314efd06a9c325 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 23:20:53 +0100 +Subject: btrfs: delete pointless BUG_ON check on quota root in + btrfs_qgroup_account_extent() + +From: David Sterba + +[ Upstream commit f40a3ea94881f668084f68f6b9931486b1606db0 ] + +The BUG_ON is deep in the qgroup code where we can expect that it +exists. A NULL pointer would cause a crash. + +It was added long ago in 550d7a2ed5db35 ("btrfs: qgroup: Add new qgroup +calculation function btrfs_qgroup_account_extents()."). It maybe made +sense back then as the quota enable/disable state machine was not that +robust as it is nowadays, so we can just delete it. + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index 1f5ab51e18dc4..a4908fd31ccc3 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2648,8 +2648,6 @@ int btrfs_qgroup_account_extent(struct btrfs_trans_handle *trans, u64 bytenr, + if (nr_old_roots == 0 && nr_new_roots == 0) + goto out_free; + +- BUG_ON(!fs_info->quota_root); +- + trace_btrfs_qgroup_account_extent(fs_info, trans->transid, bytenr, + num_bytes, nr_old_roots, nr_new_roots); + +-- +2.43.0 + diff --git a/queue-5.15/btrfs-handle-invalid-root-reference-found-in-may_des.patch b/queue-5.15/btrfs-handle-invalid-root-reference-found-in-may_des.patch new file mode 100644 index 00000000000..c5e23c57107 --- /dev/null +++ b/queue-5.15/btrfs-handle-invalid-root-reference-found-in-may_des.patch @@ -0,0 +1,42 @@ +From c855bb06f6ed2d3a0b5fe0a0d3e4afd610b961a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jan 2024 22:58:01 +0100 +Subject: btrfs: handle invalid root reference found in may_destroy_subvol() + +From: David Sterba + +[ Upstream commit 6fbc6f4ac1f4907da4fc674251527e7dc79ffbf6 ] + +The may_destroy_subvol() looks up a root by a key, allowing to do an +inexact search when key->offset is -1. It's never expected to find such +item, as it would break the allowed range of a root id. + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 07c6ab4ba0d43..66b56ddf3f4cc 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4411,7 +4411,14 @@ static noinline int may_destroy_subvol(struct btrfs_root *root) + ret = btrfs_search_slot(NULL, fs_info->tree_root, &key, path, 0, 0); + if (ret < 0) + goto out; +- BUG_ON(ret == 0); ++ if (ret == 0) { ++ /* ++ * Key with offset -1 found, there would have to exist a root ++ * with such id, but this is out of valid range. ++ */ ++ ret = -EUCLEAN; ++ goto out; ++ } + + ret = 0; + if (path->slots[0] > 0) { +-- +2.43.0 + diff --git a/queue-5.15/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch b/queue-5.15/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch new file mode 100644 index 00000000000..e6f7ff14d65 --- /dev/null +++ b/queue-5.15/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch @@ -0,0 +1,40 @@ +From a905d39693962c54cbb714c1b8f92ad38410700b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 22:47:13 +0100 +Subject: btrfs: send: handle unexpected data in header buffer in begin_cmd() + +From: David Sterba + +[ Upstream commit e80e3f732cf53c64b0d811e1581470d67f6c3228 ] + +Change BUG_ON to a proper error handling in the unlikely case of seeing +data when the command is started. This is supposed to be reset when the +command is finished (send_cmd, send_encoded_extent). + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index c2842e892e4ed..27a33dfa93212 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -695,7 +695,12 @@ static int begin_cmd(struct send_ctx *sctx, int cmd) + if (WARN_ON(!sctx->send_buf)) + return -EINVAL; + +- BUG_ON(sctx->send_size); ++ if (unlikely(sctx->send_size != 0)) { ++ btrfs_err(sctx->send_root->fs_info, ++ "send: command header buffer not empty cmd %d offset %llu", ++ cmd, sctx->send_off); ++ return -EINVAL; ++ } + + sctx->send_size += sizeof(*hdr); + hdr = (struct btrfs_cmd_header *)sctx->send_buf; +-- +2.43.0 + diff --git a/queue-5.15/clocksource-drivers-arm_global_timer-guard-against-d.patch b/queue-5.15/clocksource-drivers-arm_global_timer-guard-against-d.patch new file mode 100644 index 00000000000..9e607372512 --- /dev/null +++ b/queue-5.15/clocksource-drivers-arm_global_timer-guard-against-d.patch @@ -0,0 +1,56 @@ +From 08bd45e344cc26eb5db0a34b3f05f3173ddd0dc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Feb 2024 16:13:35 +0100 +Subject: clocksource/drivers/arm_global_timer: Guard against division by zero + +From: Martin Blumenstingl + +[ Upstream commit e651f2fae33634175fae956d896277cf916f5d09 ] + +The result of the division of new_rate by gt_target_rate can be zero (if +new_rate is smaller than gt_target_rate). Using that result as divisor +without checking can result in a division by zero error. Guard against +this by checking for a zero value earlier. +While here, also change the psv variable to an unsigned long to make +sure we don't overflow the datatype as all other types involved are also +unsiged long. + +Signed-off-by: Martin Blumenstingl +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20240225151336.2728533-3-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + drivers/clocksource/arm_global_timer.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/clocksource/arm_global_timer.c b/drivers/clocksource/arm_global_timer.c +index e1c773bb55359..22a58d35a41fa 100644 +--- a/drivers/clocksource/arm_global_timer.c ++++ b/drivers/clocksource/arm_global_timer.c +@@ -290,18 +290,17 @@ static int gt_clk_rate_change_cb(struct notifier_block *nb, + switch (event) { + case PRE_RATE_CHANGE: + { +- int psv; ++ unsigned long psv; + +- psv = DIV_ROUND_CLOSEST(ndata->new_rate, +- gt_target_rate); +- +- if (abs(gt_target_rate - (ndata->new_rate / psv)) > MAX_F_ERR) ++ psv = DIV_ROUND_CLOSEST(ndata->new_rate, gt_target_rate); ++ if (!psv || ++ abs(gt_target_rate - (ndata->new_rate / psv)) > MAX_F_ERR) + return NOTIFY_BAD; + + psv--; + + /* prescaler within legal range? */ +- if (psv < 0 || psv > GT_CONTROL_PRESCALER_MAX) ++ if (psv > GT_CONTROL_PRESCALER_MAX) + return NOTIFY_BAD; + + /* +-- +2.43.0 + diff --git a/queue-5.15/clocksource-make-watchdog-and-suspend-timing-multipl.patch b/queue-5.15/clocksource-make-watchdog-and-suspend-timing-multipl.patch new file mode 100644 index 00000000000..27fe2338aae --- /dev/null +++ b/queue-5.15/clocksource-make-watchdog-and-suspend-timing-multipl.patch @@ -0,0 +1,143 @@ +From b6d7b374eb0672fc46c548cce29cbf26f5506fc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 08:40:23 +0200 +Subject: clocksource: Make watchdog and suspend-timing multiplication overflow + safe + +From: Adrian Hunter + +[ Upstream commit d0304569fb019d1bcfbbbce1ce6df6b96f04079b ] + +Kernel timekeeping is designed to keep the change in cycles (since the last +timer interrupt) below max_cycles, which prevents multiplication overflow +when converting cycles to nanoseconds. However, if timer interrupts stop, +the clocksource_cyc2ns() calculation will eventually overflow. + +Add protection against that. Simplify by folding together +clocksource_delta() and clocksource_cyc2ns() into cycles_to_nsec_safe(). +Check against max_cycles, falling back to a slower higher precision +calculation. + +Suggested-by: Thomas Gleixner +Signed-off-by: Adrian Hunter +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20240325064023.2997-20-adrian.hunter@intel.com +Signed-off-by: Sasha Levin +--- + kernel/time/clocksource.c | 42 +++++++++++++++++++-------------------- + 1 file changed, 20 insertions(+), 22 deletions(-) + +diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c +index 3ccb383741d08..5aa8eec89e781 100644 +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -20,6 +20,16 @@ + #include "tick-internal.h" + #include "timekeeping_internal.h" + ++static noinline u64 cycles_to_nsec_safe(struct clocksource *cs, u64 start, u64 end) ++{ ++ u64 delta = clocksource_delta(end, start, cs->mask); ++ ++ if (likely(delta < cs->max_cycles)) ++ return clocksource_cyc2ns(delta, cs->mult, cs->shift); ++ ++ return mul_u64_u32_shr(delta, cs->mult, cs->shift); ++} ++ + /** + * clocks_calc_mult_shift - calculate mult/shift factors for scaled math of clocks + * @mult: pointer to mult variable +@@ -213,8 +223,8 @@ enum wd_read_status { + static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow) + { + unsigned int nretries, max_retries; +- u64 wd_end, wd_end2, wd_delta; + int64_t wd_delay, wd_seq_delay; ++ u64 wd_end, wd_end2; + + max_retries = clocksource_get_max_watchdog_retry(); + for (nretries = 0; nretries <= max_retries; nretries++) { +@@ -225,9 +235,7 @@ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow, + wd_end2 = watchdog->read(watchdog); + local_irq_enable(); + +- wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask); +- wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult, +- watchdog->shift); ++ wd_delay = cycles_to_nsec_safe(watchdog, *wdnow, wd_end); + if (wd_delay <= WATCHDOG_MAX_SKEW) { + if (nretries > 1 && nretries >= max_retries) { + pr_warn("timekeeping watchdog on CPU%d: %s retried %d times before success\n", +@@ -245,8 +253,7 @@ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow, + * report system busy, reinit the watchdog and skip the current + * watchdog test. + */ +- wd_delta = clocksource_delta(wd_end2, wd_end, watchdog->mask); +- wd_seq_delay = clocksource_cyc2ns(wd_delta, watchdog->mult, watchdog->shift); ++ wd_seq_delay = cycles_to_nsec_safe(watchdog, wd_end, wd_end2); + if (wd_seq_delay > WATCHDOG_MAX_SKEW/2) + goto skip_test; + } +@@ -357,8 +364,7 @@ void clocksource_verify_percpu(struct clocksource *cs) + delta = (csnow_end - csnow_mid) & cs->mask; + if (delta < 0) + cpumask_set_cpu(cpu, &cpus_ahead); +- delta = clocksource_delta(csnow_end, csnow_begin, cs->mask); +- cs_nsec = clocksource_cyc2ns(delta, cs->mult, cs->shift); ++ cs_nsec = cycles_to_nsec_safe(cs, csnow_begin, csnow_end); + if (cs_nsec > cs_nsec_max) + cs_nsec_max = cs_nsec; + if (cs_nsec < cs_nsec_min) +@@ -389,8 +395,8 @@ static inline void clocksource_reset_watchdog(void) + + static void clocksource_watchdog(struct timer_list *unused) + { +- u64 csnow, wdnow, cslast, wdlast, delta; + int64_t wd_nsec, cs_nsec, interval; ++ u64 csnow, wdnow, cslast, wdlast; + int next_cpu, reset_pending; + struct clocksource *cs; + enum wd_read_status read_ret; +@@ -447,12 +453,8 @@ static void clocksource_watchdog(struct timer_list *unused) + continue; + } + +- delta = clocksource_delta(wdnow, cs->wd_last, watchdog->mask); +- wd_nsec = clocksource_cyc2ns(delta, watchdog->mult, +- watchdog->shift); +- +- delta = clocksource_delta(csnow, cs->cs_last, cs->mask); +- cs_nsec = clocksource_cyc2ns(delta, cs->mult, cs->shift); ++ wd_nsec = cycles_to_nsec_safe(watchdog, cs->wd_last, wdnow); ++ cs_nsec = cycles_to_nsec_safe(cs, cs->cs_last, csnow); + wdlast = cs->wd_last; /* save these in case we print them */ + cslast = cs->cs_last; + cs->cs_last = csnow; +@@ -815,7 +817,7 @@ void clocksource_start_suspend_timing(struct clocksource *cs, u64 start_cycles) + */ + u64 clocksource_stop_suspend_timing(struct clocksource *cs, u64 cycle_now) + { +- u64 now, delta, nsec = 0; ++ u64 now, nsec = 0; + + if (!suspend_clocksource) + return 0; +@@ -830,12 +832,8 @@ u64 clocksource_stop_suspend_timing(struct clocksource *cs, u64 cycle_now) + else + now = suspend_clocksource->read(suspend_clocksource); + +- if (now > suspend_start) { +- delta = clocksource_delta(now, suspend_start, +- suspend_clocksource->mask); +- nsec = mul_u64_u32_shr(delta, suspend_clocksource->mult, +- suspend_clocksource->shift); +- } ++ if (now > suspend_start) ++ nsec = cycles_to_nsec_safe(suspend_clocksource, suspend_start, now); + + /* + * Disable the suspend timer to save power if current clocksource is +-- +2.43.0 + diff --git a/queue-5.15/drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch b/queue-5.15/drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch new file mode 100644 index 00000000000..3da8d6363ab --- /dev/null +++ b/queue-5.15/drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch @@ -0,0 +1,55 @@ +From 9d0b8e6ad234be076006fb8024e0cf63c80f1c4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jan 2024 03:59:43 +0100 +Subject: drm/lima: set gp bus_stop bit before hard reset + +From: Erico Nunes + +[ Upstream commit 27aa58ec85f973d98d336df7b7941149308db80f ] + +This is required for reliable hard resets. Otherwise, doing a hard reset +while a task is still running (such as a task which is being stopped by +the drm_sched timeout handler) may result in random mmu write timeouts +or lockups which cause the entire gpu to hang. + +Signed-off-by: Erico Nunes +Signed-off-by: Qiang Yu +Link: https://patchwork.freedesktop.org/patch/msgid/20240124025947.2110659-5-nunes.erico@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/lima/lima_gp.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c +index ca3842f719842..82071835ec9ed 100644 +--- a/drivers/gpu/drm/lima/lima_gp.c ++++ b/drivers/gpu/drm/lima/lima_gp.c +@@ -166,6 +166,11 @@ static void lima_gp_task_run(struct lima_sched_pipe *pipe, + gp_write(LIMA_GP_CMD, cmd); + } + ++static int lima_gp_bus_stop_poll(struct lima_ip *ip) ++{ ++ return !!(gp_read(LIMA_GP_STATUS) & LIMA_GP_STATUS_BUS_STOPPED); ++} ++ + static int lima_gp_hard_reset_poll(struct lima_ip *ip) + { + gp_write(LIMA_GP_PERF_CNT_0_LIMIT, 0xC01A0000); +@@ -179,6 +184,13 @@ static int lima_gp_hard_reset(struct lima_ip *ip) + + gp_write(LIMA_GP_PERF_CNT_0_LIMIT, 0xC0FFE000); + gp_write(LIMA_GP_INT_MASK, 0); ++ ++ gp_write(LIMA_GP_CMD, LIMA_GP_CMD_STOP_BUS); ++ ret = lima_poll_timeout(ip, lima_gp_bus_stop_poll, 10, 100); ++ if (ret) { ++ dev_err(dev->dev, "%s bus stop timeout\n", lima_ip_name(ip)); ++ return ret; ++ } + gp_write(LIMA_GP_CMD, LIMA_GP_CMD_RESET); + ret = lima_poll_timeout(ip, lima_gp_hard_reset_poll, 10, 100); + if (ret) { +-- +2.43.0 + diff --git a/queue-5.15/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch b/queue-5.15/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch new file mode 100644 index 00000000000..e75663c12d4 --- /dev/null +++ b/queue-5.15/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch @@ -0,0 +1,38 @@ +From 7283c987396e3defb44b3dfd9562b75aaf88a688 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jan 2024 22:20:34 +0800 +Subject: ext4: do not trim the group with corrupted block bitmap + +From: Baokun Li + +[ Upstream commit 172202152a125955367393956acf5f4ffd092e0d ] + +Otherwise operating on an incorrupted block bitmap can lead to all sorts +of unknown problems. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240104142040.2835097-3-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 630a5e5a380e2..a48c9cc5aa6e8 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -6496,6 +6496,9 @@ __releases(ext4_group_lock_ptr(sb, e4b->bd_group)) + bool set_trimmed = false; + void *bitmap; + ++ if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) ++ return 0; ++ + last = ext4_last_grp_cluster(sb, e4b->bd_group); + bitmap = e4b->bd_bitmap; + if (start == 0 && max >= last) +-- +2.43.0 + diff --git a/queue-5.15/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch b/queue-5.15/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch new file mode 100644 index 00000000000..292284bc557 --- /dev/null +++ b/queue-5.15/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch @@ -0,0 +1,42 @@ +From 6ad1b4f25f9f761710a8bf6704fdeb7c531f7f22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 19:33:24 +0800 +Subject: ext4: set the type of max_zeroout to unsigned int to avoid overflow + +From: Baokun Li + +[ Upstream commit 261341a932d9244cbcd372a3659428c8723e5a49 ] + +The max_zeroout is of type int and the s_extent_max_zeroout_kb is of +type uint, and the s_extent_max_zeroout_kb can be freely modified via +the sysfs interface. When the block size is 1024, max_zeroout may +overflow, so declare it as unsigned int to avoid overflow. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240319113325.3110393-9-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/extents.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 6c41bf322315c..a3869e9c71b91 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -3404,9 +3404,10 @@ static int ext4_ext_convert_to_initialized(handle_t *handle, + struct ext4_extent *ex, *abut_ex; + ext4_lblk_t ee_block, eof_block; + unsigned int ee_len, depth, map_len = map->m_len; +- int allocated = 0, max_zeroout = 0; + int err = 0; + int split_flag = EXT4_EXT_DATA_VALID2; ++ int allocated = 0; ++ unsigned int max_zeroout = 0; + + ext_debug(inode, "logical block %llu, max_blocks %u\n", + (unsigned long long)map->m_lblk, map_len); +-- +2.43.0 + diff --git a/queue-5.15/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch b/queue-5.15/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch new file mode 100644 index 00000000000..28e787a321e --- /dev/null +++ b/queue-5.15/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch @@ -0,0 +1,50 @@ +From e16102d6a0537f98760eb60df3c51b05ad7a64b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 19:59:54 +0800 +Subject: f2fs: fix to do sanity check in update_sit_entry + +From: Zhiguo Niu + +[ Upstream commit 36959d18c3cf09b3c12157c6950e18652067de77 ] + +If GET_SEGNO return NULL_SEGNO for some unecpected case, +update_sit_entry will access invalid memory address, +cause system crash. It is better to do sanity check about +GET_SEGNO just like update_segment_mtime & locate_dirty_segment. + +Also remove some redundant judgment code. + +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 1c69dc91c3292..dc33b4e5c07b8 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -2269,6 +2269,8 @@ static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del) + #endif + + segno = GET_SEGNO(sbi, blkaddr); ++ if (segno == NULL_SEGNO) ++ return; + + se = get_seg_entry(sbi, segno); + new_vblocks = se->valid_blocks + del; +@@ -3443,8 +3445,7 @@ void f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page, + * since SSR needs latest valid block information. + */ + update_sit_entry(sbi, *new_blkaddr, 1); +- if (GET_SEGNO(sbi, old_blkaddr) != NULL_SEGNO) +- update_sit_entry(sbi, old_blkaddr, -1); ++ update_sit_entry(sbi, old_blkaddr, -1); + + if (!__has_curseg_space(sbi, curseg)) { + if (from_gc) +-- +2.43.0 + diff --git a/queue-5.15/fbdev-offb-replace-of_node_put-with-__free-device_no.patch b/queue-5.15/fbdev-offb-replace-of_node_put-with-__free-device_no.patch new file mode 100644 index 00000000000..a58591d7537 --- /dev/null +++ b/queue-5.15/fbdev-offb-replace-of_node_put-with-__free-device_no.patch @@ -0,0 +1,45 @@ +From 9b7cb86683b052d647bcc6b28f576dfb53438f24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 21:20:21 -0400 +Subject: fbdev: offb: replace of_node_put with __free(device_node) + +From: Abdulrasaq Lawani + +[ Upstream commit ce4a7ae84a58b9f33aae8d6c769b3c94f3d5ce76 ] + +Replaced instance of of_node_put with __free(device_node) +to simplify code and protect against any memory leaks +due to future changes in the control flow. + +Suggested-by: Julia Lawall +Signed-off-by: Abdulrasaq Lawani +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/offb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/offb.c b/drivers/video/fbdev/offb.c +index 4501e848a36f2..766adaf2618c5 100644 +--- a/drivers/video/fbdev/offb.c ++++ b/drivers/video/fbdev/offb.c +@@ -354,7 +354,7 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp + par->cmap_type = cmap_gxt2000; + } else if (of_node_name_prefix(dp, "vga,Display-")) { + /* Look for AVIVO initialized by SLOF */ +- struct device_node *pciparent = of_get_parent(dp); ++ struct device_node *pciparent __free(device_node) = of_get_parent(dp); + const u32 *vid, *did; + vid = of_get_property(pciparent, "vendor-id", NULL); + did = of_get_property(pciparent, "device-id", NULL); +@@ -366,7 +366,6 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp + if (par->cmap_adr) + par->cmap_type = cmap_avivo; + } +- of_node_put(pciparent); + } else if (dp && of_device_is_compatible(dp, "qemu,std-vga")) { + #ifdef __BIG_ENDIAN + const __be32 io_of_addr[3] = { 0x01000000, 0x0, 0x0 }; +-- +2.43.0 + diff --git a/queue-5.15/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch b/queue-5.15/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch new file mode 100644 index 00000000000..07c5c664875 --- /dev/null +++ b/queue-5.15/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch @@ -0,0 +1,43 @@ +From a2eb8e0d6c3c20983a24feaf3ce46bcc1b73e5c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 07:06:37 -0800 +Subject: fs: binfmt_elf_efpic: don't use missing interpreter's properties + +From: Max Filippov + +[ Upstream commit 15fd1dc3dadb4268207fa6797e753541aca09a2a ] + +Static FDPIC executable may get an executable stack even when it has +non-executable GNU_STACK segment. This happens when STACK segment has rw +permissions, but does not specify stack size. In that case FDPIC loader +uses permissions of the interpreter's stack, and for static executables +with no interpreter it results in choosing the arch-default permissions +for the stack. + +Fix that by using the interpreter's properties only when the interpreter +is actually used. + +Signed-off-by: Max Filippov +Link: https://lore.kernel.org/r/20240118150637.660461-1-jcmvbkbc@gmail.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf_fdpic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c +index f51f6e4d1a322..a7084a720b28c 100644 +--- a/fs/binfmt_elf_fdpic.c ++++ b/fs/binfmt_elf_fdpic.c +@@ -320,7 +320,7 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm) + else + executable_stack = EXSTACK_DEFAULT; + +- if (stack_size == 0) { ++ if (stack_size == 0 && interp_params.flags & ELF_FDPIC_FLAG_PRESENT) { + stack_size = interp_params.stack_size; + if (interp_params.flags & ELF_FDPIC_FLAG_EXEC_STACK) + executable_stack = EXSTACK_ENABLE_X; +-- +2.43.0 + diff --git a/queue-5.15/fuse-fix-uaf-in-rcu-pathwalks.patch b/queue-5.15/fuse-fix-uaf-in-rcu-pathwalks.patch new file mode 100644 index 00000000000..9759a997dab --- /dev/null +++ b/queue-5.15/fuse-fix-uaf-in-rcu-pathwalks.patch @@ -0,0 +1,105 @@ +From 2375baca0732a42987589a7397cbf6c795d5bcb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 00:19:39 -0400 +Subject: fuse: fix UAF in rcu pathwalks + +From: Al Viro + +[ Upstream commit 053fc4f755ad43cf35210677bcba798ccdc48d0c ] + +->permission(), ->get_link() and ->inode_get_acl() might dereference +->s_fs_info (and, in case of ->permission(), ->s_fs_info->fc->user_ns +as well) when called from rcu pathwalk. + +Freeing ->s_fs_info->fc is rcu-delayed; we need to make freeing ->s_fs_info +and dropping ->user_ns rcu-delayed too. + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/fuse/cuse.c | 3 +-- + fs/fuse/fuse_i.h | 1 + + fs/fuse/inode.c | 15 +++++++++++---- + 3 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c +index c7d882a9fe339..295344a462e1d 100644 +--- a/fs/fuse/cuse.c ++++ b/fs/fuse/cuse.c +@@ -474,8 +474,7 @@ static int cuse_send_init(struct cuse_conn *cc) + + static void cuse_fc_release(struct fuse_conn *fc) + { +- struct cuse_conn *cc = fc_to_cc(fc); +- kfree_rcu(cc, fc.rcu); ++ kfree(fc_to_cc(fc)); + } + + /** +diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h +index 55b7ca26fb8ab..ac655c7a15db2 100644 +--- a/fs/fuse/fuse_i.h ++++ b/fs/fuse/fuse_i.h +@@ -848,6 +848,7 @@ struct fuse_mount { + + /* Entry on fc->mounts */ + struct list_head fc_entry; ++ struct rcu_head rcu; + }; + + static inline struct fuse_mount *get_fuse_mount_super(struct super_block *sb) +diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c +index 396866f9d72c3..40a4c7680bd7e 100644 +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -883,6 +883,14 @@ void fuse_conn_init(struct fuse_conn *fc, struct fuse_mount *fm, + } + EXPORT_SYMBOL_GPL(fuse_conn_init); + ++static void delayed_release(struct rcu_head *p) ++{ ++ struct fuse_conn *fc = container_of(p, struct fuse_conn, rcu); ++ ++ put_user_ns(fc->user_ns); ++ fc->release(fc); ++} ++ + void fuse_conn_put(struct fuse_conn *fc) + { + if (refcount_dec_and_test(&fc->count)) { +@@ -894,13 +902,12 @@ void fuse_conn_put(struct fuse_conn *fc) + if (fiq->ops->release) + fiq->ops->release(fiq); + put_pid_ns(fc->pid_ns); +- put_user_ns(fc->user_ns); + bucket = rcu_dereference_protected(fc->curr_bucket, 1); + if (bucket) { + WARN_ON(atomic_read(&bucket->count) != 1); + kfree(bucket); + } +- fc->release(fc); ++ call_rcu(&fc->rcu, delayed_release); + } + } + EXPORT_SYMBOL_GPL(fuse_conn_put); +@@ -1297,7 +1304,7 @@ EXPORT_SYMBOL_GPL(fuse_send_init); + void fuse_free_conn(struct fuse_conn *fc) + { + WARN_ON(!list_empty(&fc->devices)); +- kfree_rcu(fc, rcu); ++ kfree(fc); + } + EXPORT_SYMBOL_GPL(fuse_free_conn); + +@@ -1836,7 +1843,7 @@ static void fuse_sb_destroy(struct super_block *sb) + void fuse_mount_destroy(struct fuse_mount *fm) + { + fuse_conn_put(fm->fc); +- kfree(fm); ++ kfree_rcu(fm, rcu); + } + EXPORT_SYMBOL(fuse_mount_destroy); + +-- +2.43.0 + diff --git a/queue-5.15/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch b/queue-5.15/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch new file mode 100644 index 00000000000..06b59c3bffb --- /dev/null +++ b/queue-5.15/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch @@ -0,0 +1,44 @@ +From a8ebb99e00eeb2bbd27259b7143641b79cfae73b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2024 21:31:36 +0800 +Subject: hrtimer: Prevent queuing of hrtimer without a function callback + +From: Phil Chang + +[ Upstream commit 5a830bbce3af16833fe0092dec47b6dd30279825 ] + +The hrtimer function callback must not be NULL. It has to be specified by +the call side but it is not validated by the hrtimer code. When a hrtimer +is queued without a function callback, the kernel crashes with a null +pointer dereference when trying to execute the callback in __run_hrtimer(). + +Introduce a validation before queuing the hrtimer in +hrtimer_start_range_ns(). + +[anna-maria: Rephrase commit message] + +Signed-off-by: Phil Chang +Signed-off-by: Anna-Maria Behnsen +Signed-off-by: Thomas Gleixner +Reviewed-by: Anna-Maria Behnsen +Signed-off-by: Sasha Levin +--- + kernel/time/hrtimer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 5502c687bd401..bdd9041d595e9 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1284,6 +1284,8 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, + struct hrtimer_clock_base *base; + unsigned long flags; + ++ if (WARN_ON_ONCE(!timer->function)) ++ return; + /* + * Check whether the HRTIMER_MODE_SOFT bit and hrtimer.is_soft + * match on CONFIG_PREEMPT_RT = n. With PREEMPT_RT check the hard +-- +2.43.0 + diff --git a/queue-5.15/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch b/queue-5.15/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch new file mode 100644 index 00000000000..c06c0ab70f7 --- /dev/null +++ b/queue-5.15/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch @@ -0,0 +1,41 @@ +From e31ed48d4e237dfd969f1f8159d1f8d561df68fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 14:10:53 +0800 +Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc + +From: Guanrui Huang + +[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ] + +This BUG_ON() is useless, because the same effect will be obtained +by letting the code run its course and vm being dereferenced, +triggering an exception. + +So just remove this check. + +Signed-off-by: Guanrui Huang +Signed-off-by: Thomas Gleixner +Reviewed-by: Zenghui Yu +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index fa89e590c1333..3fa6c71843261 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -4491,8 +4491,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq + struct page *vprop_page; + int base, nr_ids, i, err = 0; + +- BUG_ON(!vm); +- + bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids); + if (!bitmap) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-5.15/md-clean-up-invalid-bug_on-in-md_ioctl.patch b/queue-5.15/md-clean-up-invalid-bug_on-in-md_ioctl.patch new file mode 100644 index 00000000000..83cb6ab8794 --- /dev/null +++ b/queue-5.15/md-clean-up-invalid-bug_on-in-md_ioctl.patch @@ -0,0 +1,42 @@ +From 8bc331ae1515e92512d3d2aab9fb214cb985d01e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 11:14:38 +0800 +Subject: md: clean up invalid BUG_ON in md_ioctl + +From: Li Nan + +[ Upstream commit 9dd8702e7cd28ebf076ff838933f29cf671165ec ] + +'disk->private_data' is set to mddev in md_alloc() and never set to NULL, +and users need to open mddev before submitting ioctl. So mddev must not +have been freed during ioctl, and there is no need to check mddev here. +Clean up it. + +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20240226031444.3606764-4-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 5b6c366587d54..332458ad96637 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7589,11 +7589,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + + mddev = bdev->bd_disk->private_data; + +- if (!mddev) { +- BUG(); +- goto out; +- } +- + /* Some actions do not requires the mutex */ + switch (cmd) { + case GET_ARRAY_INFO: +-- +2.43.0 + diff --git a/queue-5.15/media-drivers-media-dvb-core-copy-user-arrays-safely.patch b/queue-5.15/media-drivers-media-dvb-core-copy-user-arrays-safely.patch new file mode 100644 index 00000000000..4b64a433712 --- /dev/null +++ b/queue-5.15/media-drivers-media-dvb-core-copy-user-arrays-safely.patch @@ -0,0 +1,70 @@ +From a24970d9a3a62c231a2168e36e1b7acaac6a8d2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Nov 2023 20:16:34 +0100 +Subject: media: drivers/media/dvb-core: copy user arrays safely + +From: Philipp Stanner + +[ Upstream commit 102fb77c2deb0df3683ef8ff7a6f4cf91dc456e2 ] + +At several positions in dvb_frontend.c, memdup_user() is utilized to +copy userspace arrays. This is done without overflow checks. + +Use the new wrapper memdup_array_user() to copy the arrays more safely. + +Link: https://lore.kernel.org/linux-media/20231102191633.52592-2-pstanner@redhat.com +Suggested-by: Dave Airlie +Signed-off-by: Philipp Stanner +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_frontend.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c +index fea62bce97468..d76ac3ec93c2f 100644 +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -2160,7 +2160,8 @@ static int dvb_frontend_handle_compat_ioctl(struct file *file, unsigned int cmd, + if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS)) + return -EINVAL; + +- tvp = memdup_user(compat_ptr(tvps->props), tvps->num * sizeof(*tvp)); ++ tvp = memdup_array_user(compat_ptr(tvps->props), ++ tvps->num, sizeof(*tvp)); + if (IS_ERR(tvp)) + return PTR_ERR(tvp); + +@@ -2191,7 +2192,8 @@ static int dvb_frontend_handle_compat_ioctl(struct file *file, unsigned int cmd, + if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS)) + return -EINVAL; + +- tvp = memdup_user(compat_ptr(tvps->props), tvps->num * sizeof(*tvp)); ++ tvp = memdup_array_user(compat_ptr(tvps->props), ++ tvps->num, sizeof(*tvp)); + if (IS_ERR(tvp)) + return PTR_ERR(tvp); + +@@ -2368,7 +2370,8 @@ static int dvb_get_property(struct dvb_frontend *fe, struct file *file, + if (!tvps->num || tvps->num > DTV_IOCTL_MAX_MSGS) + return -EINVAL; + +- tvp = memdup_user((void __user *)tvps->props, tvps->num * sizeof(*tvp)); ++ tvp = memdup_array_user((void __user *)tvps->props, ++ tvps->num, sizeof(*tvp)); + if (IS_ERR(tvp)) + return PTR_ERR(tvp); + +@@ -2446,7 +2449,8 @@ static int dvb_frontend_handle_ioctl(struct file *file, + if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS)) + return -EINVAL; + +- tvp = memdup_user((void __user *)tvps->props, tvps->num * sizeof(*tvp)); ++ tvp = memdup_array_user((void __user *)tvps->props, ++ tvps->num, sizeof(*tvp)); + if (IS_ERR(tvp)) + return PTR_ERR(tvp); + +-- +2.43.0 + diff --git a/queue-5.15/media-pci-cx23885-check-cx23885_vdev_init-return.patch b/queue-5.15/media-pci-cx23885-check-cx23885_vdev_init-return.patch new file mode 100644 index 00000000000..379498f4123 --- /dev/null +++ b/queue-5.15/media-pci-cx23885-check-cx23885_vdev_init-return.patch @@ -0,0 +1,50 @@ +From ae155d287f5c3241eb6c371ad2f3a4d8a96c23ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 08:58:49 +0200 +Subject: media: pci: cx23885: check cx23885_vdev_init() return + +From: Hans Verkuil + +[ Upstream commit 15126b916e39b0cb67026b0af3c014bfeb1f76b3 ] + +cx23885_vdev_init() can return a NULL pointer, but that pointer +is used in the next line without a check. + +Add a NULL pointer check and go to the error unwind if it is NULL. + +Signed-off-by: Hans Verkuil +Reported-by: Sicong Huang +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx23885/cx23885-video.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c +index 6851e01da1c5b..7a696aea52f10 100644 +--- a/drivers/media/pci/cx23885/cx23885-video.c ++++ b/drivers/media/pci/cx23885/cx23885-video.c +@@ -1354,6 +1354,10 @@ int cx23885_video_register(struct cx23885_dev *dev) + /* register Video device */ + dev->video_dev = cx23885_vdev_init(dev, dev->pci, + &cx23885_video_template, "video"); ++ if (!dev->video_dev) { ++ err = -ENOMEM; ++ goto fail_unreg; ++ } + dev->video_dev->queue = &dev->vb2_vidq; + dev->video_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING | + V4L2_CAP_AUDIO | V4L2_CAP_VIDEO_CAPTURE; +@@ -1382,6 +1386,10 @@ int cx23885_video_register(struct cx23885_dev *dev) + /* register VBI device */ + dev->vbi_dev = cx23885_vdev_init(dev, dev->pci, + &cx23885_vbi_template, "vbi"); ++ if (!dev->vbi_dev) { ++ err = -ENOMEM; ++ goto fail_unreg; ++ } + dev->vbi_dev->queue = &dev->vb2_vbiq; + dev->vbi_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING | + V4L2_CAP_AUDIO | V4L2_CAP_VBI_CAPTURE; +-- +2.43.0 + diff --git a/queue-5.15/memory-stm32-fmc2-ebi-check-regmap_read-return-value.patch b/queue-5.15/memory-stm32-fmc2-ebi-check-regmap_read-return-value.patch new file mode 100644 index 00000000000..452b4c95e7b --- /dev/null +++ b/queue-5.15/memory-stm32-fmc2-ebi-check-regmap_read-return-value.patch @@ -0,0 +1,283 @@ +From 12c1899fb107563c7fe09f05d1f6fbd6a7624b3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 11:14:25 +0100 +Subject: memory: stm32-fmc2-ebi: check regmap_read return value + +From: Christophe Kerello + +[ Upstream commit 722463f73bcf65a8c818752a38c14ee672c77da1 ] + +Check regmap_read return value to avoid to use uninitialized local +variables. + +Signed-off-by: Christophe Kerello +Link: https://lore.kernel.org/r/20240226101428.37791-3-christophe.kerello@foss.st.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/stm32-fmc2-ebi.c | 122 +++++++++++++++++++++++--------- + 1 file changed, 88 insertions(+), 34 deletions(-) + +diff --git a/drivers/memory/stm32-fmc2-ebi.c b/drivers/memory/stm32-fmc2-ebi.c +index ffec26a99313b..5c387d32c078f 100644 +--- a/drivers/memory/stm32-fmc2-ebi.c ++++ b/drivers/memory/stm32-fmc2-ebi.c +@@ -179,8 +179,11 @@ static int stm32_fmc2_ebi_check_mux(struct stm32_fmc2_ebi *ebi, + int cs) + { + u32 bcr; ++ int ret; + +- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ if (ret) ++ return ret; + + if (bcr & FMC2_BCR_MTYP) + return 0; +@@ -193,8 +196,11 @@ static int stm32_fmc2_ebi_check_waitcfg(struct stm32_fmc2_ebi *ebi, + int cs) + { + u32 bcr, val = FIELD_PREP(FMC2_BCR_MTYP, FMC2_BCR_MTYP_NOR); ++ int ret; + +- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ if (ret) ++ return ret; + + if ((bcr & FMC2_BCR_MTYP) == val && bcr & FMC2_BCR_BURSTEN) + return 0; +@@ -207,8 +213,11 @@ static int stm32_fmc2_ebi_check_sync_trans(struct stm32_fmc2_ebi *ebi, + int cs) + { + u32 bcr; ++ int ret; + +- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ if (ret) ++ return ret; + + if (bcr & FMC2_BCR_BURSTEN) + return 0; +@@ -221,8 +230,11 @@ static int stm32_fmc2_ebi_check_async_trans(struct stm32_fmc2_ebi *ebi, + int cs) + { + u32 bcr; ++ int ret; + +- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ if (ret) ++ return ret; + + if (!(bcr & FMC2_BCR_BURSTEN) || !(bcr & FMC2_BCR_CBURSTRW)) + return 0; +@@ -235,8 +247,11 @@ static int stm32_fmc2_ebi_check_cpsize(struct stm32_fmc2_ebi *ebi, + int cs) + { + u32 bcr, val = FIELD_PREP(FMC2_BCR_MTYP, FMC2_BCR_MTYP_PSRAM); ++ int ret; + +- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ if (ret) ++ return ret; + + if ((bcr & FMC2_BCR_MTYP) == val && bcr & FMC2_BCR_BURSTEN) + return 0; +@@ -249,12 +264,18 @@ static int stm32_fmc2_ebi_check_address_hold(struct stm32_fmc2_ebi *ebi, + int cs) + { + u32 bcr, bxtr, val = FIELD_PREP(FMC2_BXTR_ACCMOD, FMC2_BXTR_EXTMOD_D); ++ int ret; ++ ++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ if (ret) ++ return ret; + +- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); + if (prop->reg_type == FMC2_REG_BWTR) +- regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr); ++ ret = regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr); + else +- regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr); ++ ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr); ++ if (ret) ++ return ret; + + if ((!(bcr & FMC2_BCR_BURSTEN) || !(bcr & FMC2_BCR_CBURSTRW)) && + ((bxtr & FMC2_BXTR_ACCMOD) == val || bcr & FMC2_BCR_MUXEN)) +@@ -268,12 +289,19 @@ static int stm32_fmc2_ebi_check_clk_period(struct stm32_fmc2_ebi *ebi, + int cs) + { + u32 bcr, bcr1; ++ int ret; + +- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); +- if (cs) +- regmap_read(ebi->regmap, FMC2_BCR1, &bcr1); +- else ++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ if (ret) ++ return ret; ++ ++ if (cs) { ++ ret = regmap_read(ebi->regmap, FMC2_BCR1, &bcr1); ++ if (ret) ++ return ret; ++ } else { + bcr1 = bcr; ++ } + + if (bcr & FMC2_BCR_BURSTEN && (!cs || !(bcr1 & FMC2_BCR1_CCLKEN))) + return 0; +@@ -305,12 +333,18 @@ static u32 stm32_fmc2_ebi_ns_to_clk_period(struct stm32_fmc2_ebi *ebi, + { + u32 nb_clk_cycles = stm32_fmc2_ebi_ns_to_clock_cycles(ebi, cs, setup); + u32 bcr, btr, clk_period; ++ int ret; ++ ++ ret = regmap_read(ebi->regmap, FMC2_BCR1, &bcr); ++ if (ret) ++ return ret; + +- regmap_read(ebi->regmap, FMC2_BCR1, &bcr); + if (bcr & FMC2_BCR1_CCLKEN || !cs) +- regmap_read(ebi->regmap, FMC2_BTR1, &btr); ++ ret = regmap_read(ebi->regmap, FMC2_BTR1, &btr); + else +- regmap_read(ebi->regmap, FMC2_BTR(cs), &btr); ++ ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &btr); ++ if (ret) ++ return ret; + + clk_period = FIELD_GET(FMC2_BTR_CLKDIV, btr) + 1; + +@@ -569,11 +603,16 @@ static int stm32_fmc2_ebi_set_address_setup(struct stm32_fmc2_ebi *ebi, + if (ret) + return ret; + +- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ if (ret) ++ return ret; ++ + if (prop->reg_type == FMC2_REG_BWTR) +- regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr); ++ ret = regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr); + else +- regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr); ++ ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr); ++ if (ret) ++ return ret; + + if ((bxtr & FMC2_BXTR_ACCMOD) == val || bcr & FMC2_BCR_MUXEN) + val = clamp_val(setup, 1, FMC2_BXTR_ADDSET_MAX); +@@ -691,11 +730,14 @@ static int stm32_fmc2_ebi_set_max_low_pulse(struct stm32_fmc2_ebi *ebi, + int cs, u32 setup) + { + u32 old_val, new_val, pcscntr; ++ int ret; + + if (setup < 1) + return 0; + +- regmap_read(ebi->regmap, FMC2_PCSCNTR, &pcscntr); ++ ret = regmap_read(ebi->regmap, FMC2_PCSCNTR, &pcscntr); ++ if (ret) ++ return ret; + + /* Enable counter for the bank */ + regmap_update_bits(ebi->regmap, FMC2_PCSCNTR, +@@ -942,17 +984,20 @@ static void stm32_fmc2_ebi_disable_bank(struct stm32_fmc2_ebi *ebi, int cs) + regmap_update_bits(ebi->regmap, FMC2_BCR(cs), FMC2_BCR_MBKEN, 0); + } + +-static void stm32_fmc2_ebi_save_setup(struct stm32_fmc2_ebi *ebi) ++static int stm32_fmc2_ebi_save_setup(struct stm32_fmc2_ebi *ebi) + { + unsigned int cs; ++ int ret; + + for (cs = 0; cs < FMC2_MAX_EBI_CE; cs++) { +- regmap_read(ebi->regmap, FMC2_BCR(cs), &ebi->bcr[cs]); +- regmap_read(ebi->regmap, FMC2_BTR(cs), &ebi->btr[cs]); +- regmap_read(ebi->regmap, FMC2_BWTR(cs), &ebi->bwtr[cs]); ++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &ebi->bcr[cs]); ++ ret |= regmap_read(ebi->regmap, FMC2_BTR(cs), &ebi->btr[cs]); ++ ret |= regmap_read(ebi->regmap, FMC2_BWTR(cs), &ebi->bwtr[cs]); ++ if (ret) ++ return ret; + } + +- regmap_read(ebi->regmap, FMC2_PCSCNTR, &ebi->pcscntr); ++ return regmap_read(ebi->regmap, FMC2_PCSCNTR, &ebi->pcscntr); + } + + static void stm32_fmc2_ebi_set_setup(struct stm32_fmc2_ebi *ebi) +@@ -981,22 +1026,29 @@ static void stm32_fmc2_ebi_disable_banks(struct stm32_fmc2_ebi *ebi) + } + + /* NWAIT signal can not be connected to EBI controller and NAND controller */ +-static bool stm32_fmc2_ebi_nwait_used_by_ctrls(struct stm32_fmc2_ebi *ebi) ++static int stm32_fmc2_ebi_nwait_used_by_ctrls(struct stm32_fmc2_ebi *ebi) + { ++ struct device *dev = ebi->dev; + unsigned int cs; + u32 bcr; ++ int ret; + + for (cs = 0; cs < FMC2_MAX_EBI_CE; cs++) { + if (!(ebi->bank_assigned & BIT(cs))) + continue; + +- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr); ++ if (ret) ++ return ret; ++ + if ((bcr & FMC2_BCR_WAITEN || bcr & FMC2_BCR_ASYNCWAIT) && +- ebi->bank_assigned & BIT(FMC2_NAND)) +- return true; ++ ebi->bank_assigned & BIT(FMC2_NAND)) { ++ dev_err(dev, "NWAIT signal connected to EBI and NAND controllers\n"); ++ return -EINVAL; ++ } + } + +- return false; ++ return 0; + } + + static void stm32_fmc2_ebi_enable(struct stm32_fmc2_ebi *ebi) +@@ -1083,10 +1135,9 @@ static int stm32_fmc2_ebi_parse_dt(struct stm32_fmc2_ebi *ebi) + return -ENODEV; + } + +- if (stm32_fmc2_ebi_nwait_used_by_ctrls(ebi)) { +- dev_err(dev, "NWAIT signal connected to EBI and NAND controllers\n"); +- return -EINVAL; +- } ++ ret = stm32_fmc2_ebi_nwait_used_by_ctrls(ebi); ++ if (ret) ++ return ret; + + stm32_fmc2_ebi_enable(ebi); + +@@ -1131,7 +1182,10 @@ static int stm32_fmc2_ebi_probe(struct platform_device *pdev) + if (ret) + goto err_release; + +- stm32_fmc2_ebi_save_setup(ebi); ++ ret = stm32_fmc2_ebi_save_setup(ebi); ++ if (ret) ++ goto err_release; ++ + platform_set_drvdata(pdev, ebi); + + return 0; +-- +2.43.0 + diff --git a/queue-5.15/memory-tegra-skip-sid-programming-if-sid-registers-a.patch b/queue-5.15/memory-tegra-skip-sid-programming-if-sid-registers-a.patch new file mode 100644 index 00000000000..5cd952720da --- /dev/null +++ b/queue-5.15/memory-tegra-skip-sid-programming-if-sid-registers-a.patch @@ -0,0 +1,39 @@ +From 3778704dee812b82f27e21671ecb0043410ebccc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Nov 2023 16:57:13 +0530 +Subject: memory: tegra: Skip SID programming if SID registers aren't set + +From: Ashish Mhetre + +[ Upstream commit 0d6c918011ce4764ed277de4726a468b7ffe5fed ] + +There are few MC clients where SID security and override register +offsets are not specified like "sw_cluster0" in tegra234. Don't program +SID override for such clients because it leads to access to invalid +addresses. + +Signed-off-by: Ashish Mhetre +Link: https://lore.kernel.org/r/20231107112713.21399-2-amhetre@nvidia.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/tegra/tegra186.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/memory/tegra/tegra186.c b/drivers/memory/tegra/tegra186.c +index 4bed0e54fd456..2ff586c6b1021 100644 +--- a/drivers/memory/tegra/tegra186.c ++++ b/drivers/memory/tegra/tegra186.c +@@ -43,6 +43,9 @@ static void tegra186_mc_client_sid_override(struct tegra_mc *mc, + { + u32 value, old; + ++ if (client->regs.sid.security == 0 && client->regs.sid.override == 0) ++ return; ++ + value = readl(mc->regs + client->regs.sid.security); + if ((value & MC_SID_STREAMID_SECURITY_OVERRIDE) == 0) { + /* +-- +2.43.0 + diff --git a/queue-5.15/net-hns3-add-checking-for-vf-id-of-mailbox.patch b/queue-5.15/net-hns3-add-checking-for-vf-id-of-mailbox.patch new file mode 100644 index 00000000000..53faabc45eb --- /dev/null +++ b/queue-5.15/net-hns3-add-checking-for-vf-id-of-mailbox.patch @@ -0,0 +1,43 @@ +From 51ec63516fc61675fb915be8db67c633e425d5b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 09:01:15 +0800 +Subject: net: hns3: add checking for vf id of mailbox + +From: Jian Shen + +[ Upstream commit 4e2969a0d6a7549bc0bc1ebc990588b622c4443d ] + +Add checking for vf id of mailbox, in order to avoid array +out-of-bounds risk. + +Signed-off-by: Jian Shen +Signed-off-by: Jijie Shao +Reviewed-by: Sunil Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c +index 77c432ab7856c..e2fe41d3972fb 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c +@@ -1066,10 +1066,11 @@ void hclge_mbx_handler(struct hclge_dev *hdev) + req = (struct hclge_mbx_vf_to_pf_cmd *)desc->data; + + flag = le16_to_cpu(crq->desc[crq->next_to_use].flag); +- if (unlikely(!hnae3_get_bit(flag, HCLGE_CMDQ_RX_OUTVLD_B))) { ++ if (unlikely(!hnae3_get_bit(flag, HCLGE_CMDQ_RX_OUTVLD_B) || ++ req->mbx_src_vfid > hdev->num_req_vfs)) { + dev_warn(&hdev->pdev->dev, +- "dropped invalid mailbox message, code = %u\n", +- req->msg.code); ++ "dropped invalid mailbox message, code = %u, vfid = %u\n", ++ req->msg.code, req->mbx_src_vfid); + + /* dropping/not processing this invalid message */ + crq->desc[crq->next_to_use].flag = 0; +-- +2.43.0 + diff --git a/queue-5.15/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch b/queue-5.15/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch new file mode 100644 index 00000000000..42ebf9f86b6 --- /dev/null +++ b/queue-5.15/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch @@ -0,0 +1,51 @@ +From b932eb35c34e268aed1b23a79abf1917738dc6f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 08:16:54 -0800 +Subject: net/sun3_82586: Avoid reading past buffer in debug output + +From: Kees Cook + +[ Upstream commit 4bea747f3fbec33c16d369b2f51e55981d7c78d0 ] + +Since NUM_XMIT_BUFFS is always 1, building m68k with sun3_defconfig and +-Warraybounds, this build warning is visible[1]: + +drivers/net/ethernet/i825xx/sun3_82586.c: In function 'sun3_82586_timeout': +drivers/net/ethernet/i825xx/sun3_82586.c:990:122: warning: array subscript 1 is above array bounds of 'volatile struct transmit_cmd_struct *[1]' [-Warray-bounds=] + 990 | printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status)); + | ~~~~~~~~~~~~^~~ +... +drivers/net/ethernet/i825xx/sun3_82586.c:156:46: note: while referencing 'xmit_cmds' + 156 | volatile struct transmit_cmd_struct *xmit_cmds[NUM_XMIT_BUFFS]; + +Avoid accessing index 1 since it doesn't exist. + +Link: https://github.com/KSPP/linux/issues/325 [1] +Cc: Sam Creasey +Signed-off-by: Kees Cook +Reviewed-by: Simon Horman +Tested-by: Simon Horman # build-tested +Reviewed-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/20240206161651.work.876-kees@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/i825xx/sun3_82586.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/i825xx/sun3_82586.c b/drivers/net/ethernet/i825xx/sun3_82586.c +index 18d32302c3c7a..6c89aa7eaa222 100644 +--- a/drivers/net/ethernet/i825xx/sun3_82586.c ++++ b/drivers/net/ethernet/i825xx/sun3_82586.c +@@ -987,7 +987,7 @@ static void sun3_82586_timeout(struct net_device *dev, unsigned int txqueue) + { + #ifdef DEBUG + printk("%s: xmitter timed out, try to restart! stat: %02x\n",dev->name,p->scb->cus); +- printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status)); ++ printk("%s: command-stats: %04x\n", dev->name, swab16(p->xmit_cmds[0]->cmd_status)); + printk("%s: check, whether you set the right interrupt number!\n",dev->name); + #endif + sun3_82586_close(dev); +-- +2.43.0 + diff --git a/queue-5.15/netlink-hold-nlk-cb_mutex-longer-in-__netlink_dump_s.patch b/queue-5.15/netlink-hold-nlk-cb_mutex-longer-in-__netlink_dump_s.patch new file mode 100644 index 00000000000..d8c18ea9e45 --- /dev/null +++ b/queue-5.15/netlink-hold-nlk-cb_mutex-longer-in-__netlink_dump_s.patch @@ -0,0 +1,80 @@ +From 6dbc30cea51606e37a9305912ee82fc676c4035f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 10:50:13 +0000 +Subject: netlink: hold nlk->cb_mutex longer in __netlink_dump_start() + +From: Eric Dumazet + +[ Upstream commit b5590270068c4324dac4a2b5a4a156e02e21339f ] + +__netlink_dump_start() releases nlk->cb_mutex right before +calling netlink_dump() which grabs it again. + +This seems dangerous, even if KASAN did not bother yet. + +Add a @lock_taken parameter to netlink_dump() to let it +grab the mutex if called from netlink_recvmsg() only. + +Signed-off-by: Eric Dumazet +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 18a38db2b27eb..258d885548ae4 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -128,7 +128,7 @@ static const char *const nlk_cb_mutex_key_strings[MAX_LINKS + 1] = { + "nlk_cb_mutex-MAX_LINKS" + }; + +-static int netlink_dump(struct sock *sk); ++static int netlink_dump(struct sock *sk, bool lock_taken); + + /* nl_table locking explained: + * Lookup and traversal are protected with an RCU read-side lock. Insertion +@@ -2000,7 +2000,7 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + + if (READ_ONCE(nlk->cb_running) && + atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) { +- ret = netlink_dump(sk); ++ ret = netlink_dump(sk, false); + if (ret) { + WRITE_ONCE(sk->sk_err, -ret); + sk_error_report(sk); +@@ -2210,7 +2210,7 @@ static int netlink_dump_done(struct netlink_sock *nlk, struct sk_buff *skb, + return 0; + } + +-static int netlink_dump(struct sock *sk) ++static int netlink_dump(struct sock *sk, bool lock_taken) + { + struct netlink_sock *nlk = nlk_sk(sk); + struct netlink_ext_ack extack = {}; +@@ -2222,7 +2222,8 @@ static int netlink_dump(struct sock *sk) + int alloc_min_size; + int alloc_size; + +- mutex_lock(nlk->cb_mutex); ++ if (!lock_taken) ++ mutex_lock(nlk->cb_mutex); + if (!nlk->cb_running) { + err = -EINVAL; + goto errout_skb; +@@ -2378,9 +2379,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + WRITE_ONCE(nlk->cb_running, true); + nlk->dump_done_errno = INT_MAX; + +- mutex_unlock(nlk->cb_mutex); +- +- ret = netlink_dump(sk); ++ ret = netlink_dump(sk, true); + + sock_put(sk); + +-- +2.43.0 + diff --git a/queue-5.15/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch b/queue-5.15/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch new file mode 100644 index 00000000000..c1e2fc668d9 --- /dev/null +++ b/queue-5.15/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch @@ -0,0 +1,49 @@ +From 2deb29b4983d72e06cfcce1ef75f0bb164b9310e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 11:24:53 +1100 +Subject: NFS: avoid infinite loop in pnfs_update_layout. + +From: NeilBrown + +[ Upstream commit 2fdbc20036acda9e5694db74a032d3c605323005 ] + +If pnfsd_update_layout() is called on a file for which recovery has +failed it will enter a tight infinite loop. + +NFS_LAYOUT_INVALID_STID will be set, nfs4_select_rw_stateid() will +return -EIO, and nfs4_schedule_stateid_recovery() will do nothing, so +nfs4_client_recover_expired_lease() will not wait. So the code will +loop indefinitely. + +Break the loop by testing the validity of the open stateid at the top of +the loop. + +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index 9f6776c7062ec..e13f1c762951a 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1994,6 +1994,14 @@ pnfs_update_layout(struct inode *ino, + } + + lookup_again: ++ if (!nfs4_valid_open_stateid(ctx->state)) { ++ trace_pnfs_update_layout(ino, pos, count, ++ iomode, lo, lseg, ++ PNFS_UPDATE_LAYOUT_INVALID_OPEN); ++ lseg = ERR_PTR(-EIO); ++ goto out; ++ } ++ + lseg = ERR_PTR(nfs4_client_recover_expired_lease(clp)); + if (IS_ERR(lseg)) + goto out; +-- +2.43.0 + diff --git a/queue-5.15/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch b/queue-5.15/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch new file mode 100644 index 00000000000..14300f46be5 --- /dev/null +++ b/queue-5.15/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch @@ -0,0 +1,85 @@ +From e123ecbb571b1c27e3968029ab22e435486b80ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 10:53:06 +0300 +Subject: nvmet-rdma: fix possible bad dereference when freeing rsps + +From: Sagi Grimberg + +[ Upstream commit 73964c1d07c054376f1b32a62548571795159148 ] + +It is possible that the host connected and saw a cm established +event and started sending nvme capsules on the qp, however the +ctrl did not yet see an established event. This is why the +rsp_wait_list exists (for async handling of these cmds, we move +them to a pending list). + +Furthermore, it is possible that the ctrl cm times out, resulting +in a connect-error cm event. in this case we hit a bad deref [1] +because in nvmet_rdma_free_rsps we assume that all the responses +are in the free list. + +We are freeing the cmds array anyways, so don't even bother to +remove the rsp from the free_list. It is also guaranteed that we +are not racing anything when we are releasing the queue so no +other context accessing this array should be running. + +[1]: +-- +Workqueue: nvmet-free-wq nvmet_rdma_free_queue_work [nvmet_rdma] +[...] +pc : nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma] +lr : nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma] + Call trace: + nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma] + nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma] + process_one_work+0x1ec/0x4a0 + worker_thread+0x48/0x490 + kthread+0x158/0x160 + ret_from_fork+0x10/0x18 +-- + +Signed-off-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/rdma.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c +index 18e082091c821..9561ba3d43138 100644 +--- a/drivers/nvme/target/rdma.c ++++ b/drivers/nvme/target/rdma.c +@@ -472,12 +472,8 @@ nvmet_rdma_alloc_rsps(struct nvmet_rdma_queue *queue) + return 0; + + out_free: +- while (--i >= 0) { +- struct nvmet_rdma_rsp *rsp = &queue->rsps[i]; +- +- list_del(&rsp->free_list); +- nvmet_rdma_free_rsp(ndev, rsp); +- } ++ while (--i >= 0) ++ nvmet_rdma_free_rsp(ndev, &queue->rsps[i]); + kfree(queue->rsps); + out: + return ret; +@@ -488,12 +484,8 @@ static void nvmet_rdma_free_rsps(struct nvmet_rdma_queue *queue) + struct nvmet_rdma_device *ndev = queue->dev; + int i, nr_rsps = queue->recv_queue_size * 2; + +- for (i = 0; i < nr_rsps; i++) { +- struct nvmet_rdma_rsp *rsp = &queue->rsps[i]; +- +- list_del(&rsp->free_list); +- nvmet_rdma_free_rsp(ndev, rsp); +- } ++ for (i = 0; i < nr_rsps; i++) ++ nvmet_rdma_free_rsp(ndev, &queue->rsps[i]); + kfree(queue->rsps); + } + +-- +2.43.0 + diff --git a/queue-5.15/nvmet-tcp-do-not-continue-for-invalid-icreq.patch b/queue-5.15/nvmet-tcp-do-not-continue-for-invalid-icreq.patch new file mode 100644 index 00000000000..91c4eecd17e --- /dev/null +++ b/queue-5.15/nvmet-tcp-do-not-continue-for-invalid-icreq.patch @@ -0,0 +1,37 @@ +From d00bbf4f0832d1e873edf94cb17987e6218dc6b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 08:11:05 +0100 +Subject: nvmet-tcp: do not continue for invalid icreq + +From: Hannes Reinecke + +[ Upstream commit 0889d13b9e1cbef49e802ae09f3b516911ad82a1 ] + +When the length check for an icreq sqe fails we should not +continue processing but rather return immediately as all +other contents of that sqe cannot be relied on. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 8468a41322f25..df044a79a7348 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -858,6 +858,7 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue) + pr_err("bad nvme-tcp pdu length (%d)\n", + le32_to_cpu(icreq->hdr.plen)); + nvmet_tcp_fatal_error(queue); ++ return -EPROTO; + } + + if (icreq->pfv != NVME_TCP_PFV_1_0) { +-- +2.43.0 + diff --git a/queue-5.15/nvmet-trace-avoid-dereferencing-pointer-too-early.patch b/queue-5.15/nvmet-trace-avoid-dereferencing-pointer-too-early.patch new file mode 100644 index 00000000000..c74335094d7 --- /dev/null +++ b/queue-5.15/nvmet-trace-avoid-dereferencing-pointer-too-early.patch @@ -0,0 +1,141 @@ +From 51a27ae75016a0b8d592f0327157b53af971252b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 16:30:51 +0100 +Subject: nvmet-trace: avoid dereferencing pointer too early + +From: Daniel Wagner + +[ Upstream commit 0e716cec6fb11a14c220ee17c404b67962e902f7 ] + +The first command issued from the host to the target is the fabrics +connect command. At this point, neither the target queue nor the +controller have been allocated. But we already try to trace this command +in nvmet_req_init. + +Reported by KASAN. + +Reviewed-by: Hannes Reinecke +Signed-off-by: Daniel Wagner +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/trace.c | 6 +++--- + drivers/nvme/target/trace.h | 28 +++++++++++++++++----------- + 2 files changed, 20 insertions(+), 14 deletions(-) + +diff --git a/drivers/nvme/target/trace.c b/drivers/nvme/target/trace.c +index bff454d46255b..6ee1f3db81d04 100644 +--- a/drivers/nvme/target/trace.c ++++ b/drivers/nvme/target/trace.c +@@ -211,7 +211,7 @@ const char *nvmet_trace_disk_name(struct trace_seq *p, char *name) + return ret; + } + +-const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl) ++const char *nvmet_trace_ctrl_id(struct trace_seq *p, u16 ctrl_id) + { + const char *ret = trace_seq_buffer_ptr(p); + +@@ -224,8 +224,8 @@ const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl) + * If we can know the extra data of the connect command in this stage, + * we can update this print statement later. + */ +- if (ctrl) +- trace_seq_printf(p, "%d", ctrl->cntlid); ++ if (ctrl_id) ++ trace_seq_printf(p, "%d", ctrl_id); + else + trace_seq_printf(p, "_"); + trace_seq_putc(p, 0); +diff --git a/drivers/nvme/target/trace.h b/drivers/nvme/target/trace.h +index 155334ddc13f3..89020018a0e35 100644 +--- a/drivers/nvme/target/trace.h ++++ b/drivers/nvme/target/trace.h +@@ -32,18 +32,24 @@ const char *nvmet_trace_parse_fabrics_cmd(struct trace_seq *p, u8 fctype, + nvmet_trace_parse_nvm_cmd(p, opcode, cdw10) : \ + nvmet_trace_parse_admin_cmd(p, opcode, cdw10))) + +-const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl); +-#define __print_ctrl_name(ctrl) \ +- nvmet_trace_ctrl_name(p, ctrl) ++const char *nvmet_trace_ctrl_id(struct trace_seq *p, u16 ctrl_id); ++#define __print_ctrl_id(ctrl_id) \ ++ nvmet_trace_ctrl_id(p, ctrl_id) + + const char *nvmet_trace_disk_name(struct trace_seq *p, char *name); + #define __print_disk_name(name) \ + nvmet_trace_disk_name(p, name) + + #ifndef TRACE_HEADER_MULTI_READ +-static inline struct nvmet_ctrl *nvmet_req_to_ctrl(struct nvmet_req *req) ++static inline u16 nvmet_req_to_ctrl_id(struct nvmet_req *req) + { +- return req->sq->ctrl; ++ /* ++ * The queue and controller pointers are not valid until an association ++ * has been established. ++ */ ++ if (!req->sq || !req->sq->ctrl) ++ return 0; ++ return req->sq->ctrl->cntlid; + } + + static inline void __assign_req_name(char *name, struct nvmet_req *req) +@@ -62,7 +68,7 @@ TRACE_EVENT(nvmet_req_init, + TP_ARGS(req, cmd), + TP_STRUCT__entry( + __field(struct nvme_command *, cmd) +- __field(struct nvmet_ctrl *, ctrl) ++ __field(u16, ctrl_id) + __array(char, disk, DISK_NAME_LEN) + __field(int, qid) + __field(u16, cid) +@@ -75,7 +81,7 @@ TRACE_EVENT(nvmet_req_init, + ), + TP_fast_assign( + __entry->cmd = cmd; +- __entry->ctrl = nvmet_req_to_ctrl(req); ++ __entry->ctrl_id = nvmet_req_to_ctrl_id(req); + __assign_req_name(__entry->disk, req); + __entry->qid = req->sq->qid; + __entry->cid = cmd->common.command_id; +@@ -89,7 +95,7 @@ TRACE_EVENT(nvmet_req_init, + ), + TP_printk("nvmet%s: %sqid=%d, cmdid=%u, nsid=%u, flags=%#x, " + "meta=%#llx, cmd=(%s, %s)", +- __print_ctrl_name(__entry->ctrl), ++ __print_ctrl_id(__entry->ctrl_id), + __print_disk_name(__entry->disk), + __entry->qid, __entry->cid, __entry->nsid, + __entry->flags, __entry->metadata, +@@ -103,7 +109,7 @@ TRACE_EVENT(nvmet_req_complete, + TP_PROTO(struct nvmet_req *req), + TP_ARGS(req), + TP_STRUCT__entry( +- __field(struct nvmet_ctrl *, ctrl) ++ __field(u16, ctrl_id) + __array(char, disk, DISK_NAME_LEN) + __field(int, qid) + __field(int, cid) +@@ -111,7 +117,7 @@ TRACE_EVENT(nvmet_req_complete, + __field(u16, status) + ), + TP_fast_assign( +- __entry->ctrl = nvmet_req_to_ctrl(req); ++ __entry->ctrl_id = nvmet_req_to_ctrl_id(req); + __entry->qid = req->cq->qid; + __entry->cid = req->cqe->command_id; + __entry->result = le64_to_cpu(req->cqe->result.u64); +@@ -119,7 +125,7 @@ TRACE_EVENT(nvmet_req_complete, + __assign_req_name(__entry->disk, req); + ), + TP_printk("nvmet%s: %sqid=%d, cmdid=%u, res=%#llx, status=%#x", +- __print_ctrl_name(__entry->ctrl), ++ __print_ctrl_id(__entry->ctrl_id), + __print_disk_name(__entry->disk), + __entry->qid, __entry->cid, __entry->result, __entry->status) + +-- +2.43.0 + diff --git a/queue-5.15/openrisc-call-setup_memory-earlier-in-the-init-seque.patch b/queue-5.15/openrisc-call-setup_memory-earlier-in-the-init-seque.patch new file mode 100644 index 00000000000..abe92e16ace --- /dev/null +++ b/queue-5.15/openrisc-call-setup_memory-earlier-in-the-init-seque.patch @@ -0,0 +1,54 @@ +From beae755abcc89c2b2d13c36f9f81c909f1e86912 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Feb 2024 16:29:30 -0800 +Subject: openrisc: Call setup_memory() earlier in the init sequence + +From: Oreoluwa Babatunde + +[ Upstream commit 7b432bf376c9c198a7ff48f1ed14a14c0ffbe1fe ] + +The unflatten_and_copy_device_tree() function contains a call to +memblock_alloc(). This means that memblock is allocating memory before +any of the reserved memory regions are set aside in the setup_memory() +function which calls early_init_fdt_scan_reserved_mem(). Therefore, +there is a possibility for memblock to allocate from any of the +reserved memory regions. + +Hence, move the call to setup_memory() to be earlier in the init +sequence so that the reserved memory regions are set aside before any +allocations are done using memblock. + +Signed-off-by: Oreoluwa Babatunde +Signed-off-by: Stafford Horne +Signed-off-by: Sasha Levin +--- + arch/openrisc/kernel/setup.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/openrisc/kernel/setup.c b/arch/openrisc/kernel/setup.c +index 0cd04d936a7a1..f2fe45d3094df 100644 +--- a/arch/openrisc/kernel/setup.c ++++ b/arch/openrisc/kernel/setup.c +@@ -270,6 +270,9 @@ void calibrate_delay(void) + + void __init setup_arch(char **cmdline_p) + { ++ /* setup memblock allocator */ ++ setup_memory(); ++ + unflatten_and_copy_device_tree(); + + setup_cpuinfo(); +@@ -293,9 +296,6 @@ void __init setup_arch(char **cmdline_p) + } + #endif + +- /* setup memblock allocator */ +- setup_memory(); +- + /* paging_init() sets up the MMU and marks all pages as reserved */ + paging_init(); + +-- +2.43.0 + diff --git a/queue-5.15/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch b/queue-5.15/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch new file mode 100644 index 00000000000..e89a9f22474 --- /dev/null +++ b/queue-5.15/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch @@ -0,0 +1,60 @@ +From 82a259a6ea51e54ae2732b6c7196018e2a9da64d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 23:16:00 +0100 +Subject: parisc: Use irq_enter_rcu() to fix warning at + kernel/context_tracking.c:367 + +From: Helge Deller + +[ Upstream commit 73cb4a2d8d7e0259f94046116727084f21e4599f ] + +Use irq*_rcu() functions to fix this kernel warning: + + WARNING: CPU: 0 PID: 0 at kernel/context_tracking.c:367 ct_irq_enter+0xa0/0xd0 + Modules linked in: + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc3-64bit+ #1037 + Hardware name: 9000/785/C3700 + + IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000412cd758 00000000412cd75c + IIR: 03ffe01f ISR: 0000000000000000 IOR: 0000000043c20c20 + CPU: 0 CR30: 0000000041caa000 CR31: 0000000000000000 + ORIG_R28: 0000000000000005 + IAOQ[0]: ct_irq_enter+0xa0/0xd0 + IAOQ[1]: ct_irq_enter+0xa4/0xd0 + RP(r2): irq_enter+0x34/0x68 + Backtrace: + [<000000004034a3ec>] irq_enter+0x34/0x68 + [<000000004030dc48>] do_cpu_irq_mask+0xc0/0x450 + [<0000000040303070>] intr_return+0x0/0xc + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/irq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c +index 5d9044e65a1a6..04127377b7be8 100644 +--- a/arch/parisc/kernel/irq.c ++++ b/arch/parisc/kernel/irq.c +@@ -518,7 +518,7 @@ void do_cpu_irq_mask(struct pt_regs *regs) + + old_regs = set_irq_regs(regs); + local_irq_disable(); +- irq_enter(); ++ irq_enter_rcu(); + + eirr_val = mfctl(23) & cpu_eiem & per_cpu(local_ack_eiem, cpu); + if (!eirr_val) +@@ -553,7 +553,7 @@ void do_cpu_irq_mask(struct pt_regs *regs) + #endif /* CONFIG_IRQSTACKS */ + + out: +- irq_exit(); ++ irq_exit_rcu(); + set_irq_regs(old_regs); + return; + +-- +2.43.0 + diff --git a/queue-5.15/platform-x86-lg-laptop-fix-s-null-argument-warning.patch b/queue-5.15/platform-x86-lg-laptop-fix-s-null-argument-warning.patch new file mode 100644 index 00000000000..fbfb048a3a6 --- /dev/null +++ b/queue-5.15/platform-x86-lg-laptop-fix-s-null-argument-warning.patch @@ -0,0 +1,44 @@ +From ad82f18195a414427bb50425b3f86ec098333fb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 16:34:27 +0200 +Subject: platform/x86: lg-laptop: fix %s null argument warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gergo Koteles + +[ Upstream commit e71c8481692582c70cdfd0996c20cdcc71e425d3 ] + +W=1 warns about null argument to kprintf: +warning: ‘%s’ directive argument is null [-Wformat-overflow=] +pr_info("product: %s year: %d\n", product, year); + +Use "unknown" instead of NULL. + +Signed-off-by: Gergo Koteles +Reviewed-by: Kuppuswamy Sathyanarayanan +Link: https://lore.kernel.org/r/33d40e976f08f82b9227d0ecae38c787fcc0c0b2.1712154684.git.soyer@irl.hu +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/lg-laptop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/lg-laptop.c b/drivers/platform/x86/lg-laptop.c +index 5f9fbea8fc3c2..b374b0c7c62f6 100644 +--- a/drivers/platform/x86/lg-laptop.c ++++ b/drivers/platform/x86/lg-laptop.c +@@ -665,7 +665,7 @@ static int acpi_add(struct acpi_device *device) + default: + year = 2019; + } +- pr_info("product: %s year: %d\n", product, year); ++ pr_info("product: %s year: %d\n", product ?: "unknown", year); + + if (year >= 2019) + battery_limit_use_wmbb = 1; +-- +2.43.0 + diff --git a/queue-5.15/powerpc-boot-handle-allocation-failure-in-simple_rea.patch b/queue-5.15/powerpc-boot-handle-allocation-failure-in-simple_rea.patch new file mode 100644 index 00000000000..5882465524f --- /dev/null +++ b/queue-5.15/powerpc-boot-handle-allocation-failure-in-simple_rea.patch @@ -0,0 +1,39 @@ +From c0f241e9d10c01764c513f82dca023fe1f634238 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Dec 2022 10:18:16 +0800 +Subject: powerpc/boot: Handle allocation failure in simple_realloc() + +From: Li zeming + +[ Upstream commit 69b0194ccec033c208b071e019032c1919c2822d ] + +simple_malloc() will return NULL when there is not enough memory left. +Check pointer 'new' before using it to copy the old data. + +Signed-off-by: Li zeming +[mpe: Reword subject, use change log from Christophe] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20221219021816.3012-1-zeming@nfschina.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/simple_alloc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c +index 65ec135d01579..188c4f996512a 100644 +--- a/arch/powerpc/boot/simple_alloc.c ++++ b/arch/powerpc/boot/simple_alloc.c +@@ -114,7 +114,9 @@ static void *simple_realloc(void *ptr, unsigned long size) + return ptr; + + new = simple_malloc(size); +- memcpy(new, ptr, p->size); ++ if (new) ++ memcpy(new, ptr, p->size); ++ + simple_free(ptr); + return new; + } +-- +2.43.0 + diff --git a/queue-5.15/powerpc-boot-only-free-if-realloc-succeeds.patch b/queue-5.15/powerpc-boot-only-free-if-realloc-succeeds.patch new file mode 100644 index 00000000000..a4e2b1480bd --- /dev/null +++ b/queue-5.15/powerpc-boot-only-free-if-realloc-succeeds.patch @@ -0,0 +1,43 @@ +From c9a96a40744485089dc00251f384ca979cdcfd05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Feb 2024 22:51:49 +1100 +Subject: powerpc/boot: Only free if realloc() succeeds + +From: Michael Ellerman + +[ Upstream commit f2d5bccaca3e8c09c9b9c8485375f7bdbb2631d2 ] + +simple_realloc() frees the original buffer (ptr) even if the +reallocation failed. + +Fix it to behave like standard realloc() and only free the original +buffer if the reallocation succeeded. + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240229115149.749264-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/simple_alloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c +index 188c4f996512a..bc99f75b8582d 100644 +--- a/arch/powerpc/boot/simple_alloc.c ++++ b/arch/powerpc/boot/simple_alloc.c +@@ -114,10 +114,11 @@ static void *simple_realloc(void *ptr, unsigned long size) + return ptr; + + new = simple_malloc(size); +- if (new) ++ if (new) { + memcpy(new, ptr, p->size); ++ simple_free(ptr); ++ } + +- simple_free(ptr); + return new; + } + +-- +2.43.0 + diff --git a/queue-5.15/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch b/queue-5.15/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch new file mode 100644 index 00000000000..ae5b7840bca --- /dev/null +++ b/queue-5.15/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch @@ -0,0 +1,38 @@ +From 819f020b291e9b822d9852747d4dbbe3ab11d37e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 11:06:51 +0800 +Subject: powerpc/xics: Check return value of kasprintf in + icp_native_map_one_cpu + +From: Kunwu Chan + +[ Upstream commit 45b1ba7e5d1f6881050d558baf9bc74a2ae13930 ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. Ensure the allocation was successful +by checking the pointer validity. + +Signed-off-by: Kunwu Chan +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231122030651.3818-1-chentao@kylinos.cn +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xics/icp-native.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/sysdev/xics/icp-native.c b/arch/powerpc/sysdev/xics/icp-native.c +index 7d13d2ef5a905..66de291b27d08 100644 +--- a/arch/powerpc/sysdev/xics/icp-native.c ++++ b/arch/powerpc/sysdev/xics/icp-native.c +@@ -235,6 +235,8 @@ static int __init icp_native_map_one_cpu(int hw_id, unsigned long addr, + rname = kasprintf(GFP_KERNEL, "CPU %d [0x%x] Interrupt Presentation", + cpu, hw_id); + ++ if (!rname) ++ return -ENOMEM; + if (!request_mem_region(addr, size, rname)) { + pr_warn("icp_native: Could not reserve ICP MMIO for CPU %d, interrupt server #0x%x\n", + cpu, hw_id); +-- +2.43.0 + diff --git a/queue-5.15/quota-remove-bug_on-from-dqget.patch b/queue-5.15/quota-remove-bug_on-from-dqget.patch new file mode 100644 index 00000000000..444b40755aa --- /dev/null +++ b/queue-5.15/quota-remove-bug_on-from-dqget.patch @@ -0,0 +1,40 @@ +From 89e7b676a536476331d05402512cd32dd64f2a52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 13:34:08 +0200 +Subject: quota: Remove BUG_ON from dqget() + +From: Jan Kara + +[ Upstream commit 249f374eb9b6b969c64212dd860cc1439674c4a8 ] + +dqget() checks whether dquot->dq_sb is set when returning it using +BUG_ON. Firstly this doesn't work as an invalidation check for quite +some time (we release dquot with dq_sb set these days), secondly using +BUG_ON is quite harsh. Use WARN_ON_ONCE and check whether dquot is still +hashed instead. + +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index edb414d3fd164..3b62fbcefa8c3 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -995,9 +995,8 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid) + * smp_mb__before_atomic() in dquot_acquire(). + */ + smp_rmb(); +-#ifdef CONFIG_QUOTA_DEBUG +- BUG_ON(!dquot->dq_sb); /* Has somebody invalidated entry under us? */ +-#endif ++ /* Has somebody invalidated entry under us? */ ++ WARN_ON_ONCE(hlist_unhashed(&dquot->dq_hash)); + out: + if (empty) + do_destroy_dquot(empty); +-- +2.43.0 + diff --git a/queue-5.15/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch b/queue-5.15/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch new file mode 100644 index 00000000000..4f771680975 --- /dev/null +++ b/queue-5.15/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch @@ -0,0 +1,38 @@ +From d366a04d19ac722bfea3f0e309004c3eed27322e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 13:13:26 +0100 +Subject: s390/iucv: fix receive buffer virtual vs physical address confusion + +From: Alexander Gordeev + +[ Upstream commit 4e8477aeb46dfe74e829c06ea588dd00ba20c8cc ] + +Fix IUCV_IPBUFLST-type buffers virtual vs physical address confusion. +This does not fix a bug since virtual and physical address spaces are +currently the same. + +Signed-off-by: Alexander Gordeev +Reviewed-by: Alexandra Winter +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + net/iucv/iucv.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c +index 30fc78236050a..1a88ed72a7a97 100644 +--- a/net/iucv/iucv.c ++++ b/net/iucv/iucv.c +@@ -1090,8 +1090,7 @@ static int iucv_message_receive_iprmdata(struct iucv_path *path, + size = (size < 8) ? size : 8; + for (array = buffer; size > 0; array++) { + copy = min_t(size_t, size, array->length); +- memcpy((u8 *)(addr_t) array->address, +- rmmsg, copy); ++ memcpy(phys_to_virt(array->address), rmmsg, copy); + rmmsg += copy; + size -= copy; + } +-- +2.43.0 + diff --git a/queue-5.15/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch b/queue-5.15/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch new file mode 100644 index 00000000000..2218bd72f37 --- /dev/null +++ b/queue-5.15/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch @@ -0,0 +1,41 @@ +From f084306f8cb93ef17293c48246fca19ad4d0bab1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 10:50:56 -0800 +Subject: scsi: lpfc: Initialize status local variable in + lpfc_sli4_repost_sgl_list() + +From: Justin Tee + +[ Upstream commit 3d0f9342ae200aa1ddc4d6e7a573c6f8f068d994 ] + +A static code analyzer tool indicates that the local variable called status +in the lpfc_sli4_repost_sgl_list() routine could be used to print garbage +uninitialized values in the routine's log message. + +Fix by initializing to zero. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240131185112.149731-2-justintee8345@gmail.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 30bc72324f068..68b015bb6d157 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -7490,7 +7490,7 @@ lpfc_sli4_repost_sgl_list(struct lpfc_hba *phba, + struct lpfc_sglq *sglq_entry = NULL; + struct lpfc_sglq *sglq_entry_next = NULL; + struct lpfc_sglq *sglq_entry_first = NULL; +- int status, total_cnt; ++ int status = 0, total_cnt; + int post_cnt = 0, num_posted = 0, block_cnt = 0; + int last_xritag = NO_XRI; + LIST_HEAD(prep_sgl_list); +-- +2.43.0 + diff --git a/queue-5.15/serial-pch-don-t-disable-interrupts-while-acquiring-.patch b/queue-5.15/serial-pch-don-t-disable-interrupts-while-acquiring-.patch new file mode 100644 index 00000000000..df618d8490b --- /dev/null +++ b/queue-5.15/serial-pch-don-t-disable-interrupts-while-acquiring-.patch @@ -0,0 +1,52 @@ +From 333c74d574bb988fa14d20dc98e5a5abe38d83e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 22:45:28 +0100 +Subject: serial: pch: Don't disable interrupts while acquiring lock in ISR. + +From: Sebastian Andrzej Siewior + +[ Upstream commit f8ff23ebce8c305383c8070e1ea3b08a69eb1e8d ] + +The interrupt service routine is always invoked with disabled +interrupts. + +Remove the _irqsave() from the locking functions in the interrupts +service routine/ pch_uart_interrupt(). + +Signed-off-by: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/20240301215246.891055-16-bigeasy@linutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/pch_uart.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c +index e783a4225bf04..932e978b5497e 100644 +--- a/drivers/tty/serial/pch_uart.c ++++ b/drivers/tty/serial/pch_uart.c +@@ -1066,11 +1066,10 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id) + u8 lsr; + int ret = 0; + unsigned char iid; +- unsigned long flags; + int next = 1; + u8 msr; + +- spin_lock_irqsave(&priv->lock, flags); ++ spin_lock(&priv->lock); + handled = 0; + while (next) { + iid = pch_uart_hal_get_iid(priv); +@@ -1130,7 +1129,7 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id) + handled |= (unsigned int)ret; + } + +- spin_unlock_irqrestore(&priv->lock, flags); ++ spin_unlock(&priv->lock); + return IRQ_RETVAL(handled); + } + +-- +2.43.0 + diff --git a/queue-5.15/series b/queue-5.15/series index dec40904646..a70d5435c92 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -62,3 +62,47 @@ wifi-iwlwifi-fw-fix-debugfs-command-sending.patch ib-hfi1-fix-potential-deadlock-on-irq_src_lock-and-d.patch hwmon-ltc2992-avoid-division-by-zero.patch arm64-fix-kasan-random-tag-seed-initialization.patch +memory-tegra-skip-sid-programming-if-sid-registers-a.patch +powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch +nvmet-trace-avoid-dereferencing-pointer-too-early.patch +ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch +afs-fix-__afs_break_callback-afs_drop_open_mmap-race.patch +fuse-fix-uaf-in-rcu-pathwalks.patch +quota-remove-bug_on-from-dqget.patch +media-pci-cx23885-check-cx23885_vdev_init-return.patch +fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch +scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch +media-drivers-media-dvb-core-copy-user-arrays-safely.patch +net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch +drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch +virtiofs-forbid-newlines-in-tags.patch +clocksource-drivers-arm_global_timer-guard-against-d.patch +netlink-hold-nlk-cb_mutex-longer-in-__netlink_dump_s.patch +md-clean-up-invalid-bug_on-in-md_ioctl.patch +x86-increase-brk-randomness-entropy-for-64-bit-syste.patch +memory-stm32-fmc2-ebi-check-regmap_read-return-value.patch +parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch +serial-pch-don-t-disable-interrupts-while-acquiring-.patch +powerpc-boot-handle-allocation-failure-in-simple_rea.patch +powerpc-boot-only-free-if-realloc-succeeds.patch +btrfs-change-bug_on-to-assertion-when-checking-for-d.patch +btrfs-handle-invalid-root-reference-found-in-may_des.patch +btrfs-send-handle-unexpected-data-in-header-buffer-i.patch +btrfs-change-bug_on-to-assertion-in-tree_move_down.patch +btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch +f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch +usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch +bluetooth-bnep-fix-out-of-bound-access.patch +net-hns3-add-checking-for-vf-id-of-mailbox.patch +nvmet-tcp-do-not-continue-for-invalid-icreq.patch +nfs-avoid-infinite-loop-in-pnfs_update_layout.patch +openrisc-call-setup_memory-earlier-in-the-init-seque.patch +s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch +clocksource-make-watchdog-and-suspend-timing-multipl.patch +platform-x86-lg-laptop-fix-s-null-argument-warning.patch +usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch +fbdev-offb-replace-of_node_put-with-__free-device_no.patch +irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch +ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch +nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch +hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch diff --git a/queue-5.15/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch b/queue-5.15/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch new file mode 100644 index 00000000000..73f3fd1ac93 --- /dev/null +++ b/queue-5.15/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch @@ -0,0 +1,71 @@ +From da5733ff91ab2f534e420bd0a6868a14719ca5b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Apr 2024 10:18:55 +0530 +Subject: usb: dwc3: core: Skip setting event buffers for host only controllers + +From: Krishna Kurapati + +[ Upstream commit 89d7f962994604a3e3d480832788d06179abefc5 ] + +On some SoC's like SA8295P where the tertiary controller is host-only +capable, GEVTADDRHI/LO, GEVTSIZ, GEVTCOUNT registers are not accessible. +Trying to access them leads to a crash. + +For DRD/Peripheral supported controllers, event buffer setup is done +again in gadget_pullup. Skip setup or cleanup of event buffers if +controller is host-only capable. + +Suggested-by: Johan Hovold +Signed-off-by: Krishna Kurapati +Acked-by: Thinh Nguyen +Reviewed-by: Johan Hovold +Reviewed-by: Bjorn Andersson +Tested-by: Johan Hovold +Link: https://lore.kernel.org/r/20240420044901.884098-4-quic_kriskura@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 1dc417da1a0fe..26eaeb7a0301b 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -430,6 +430,13 @@ static void dwc3_free_event_buffers(struct dwc3 *dwc) + static int dwc3_alloc_event_buffers(struct dwc3 *dwc, unsigned length) + { + struct dwc3_event_buffer *evt; ++ unsigned int hw_mode; ++ ++ hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0); ++ if (hw_mode == DWC3_GHWPARAMS0_MODE_HOST) { ++ dwc->ev_buf = NULL; ++ return 0; ++ } + + evt = dwc3_alloc_one_event_buffer(dwc, length); + if (IS_ERR(evt)) { +@@ -451,6 +458,9 @@ int dwc3_event_buffers_setup(struct dwc3 *dwc) + { + struct dwc3_event_buffer *evt; + ++ if (!dwc->ev_buf) ++ return 0; ++ + evt = dwc->ev_buf; + evt->lpos = 0; + dwc3_writel(dwc->regs, DWC3_GEVNTADRLO(0), +@@ -468,6 +478,9 @@ void dwc3_event_buffers_cleanup(struct dwc3 *dwc) + { + struct dwc3_event_buffer *evt; + ++ if (!dwc->ev_buf) ++ return; ++ + evt = dwc->ev_buf; + + evt->lpos = 0; +-- +2.43.0 + diff --git a/queue-5.15/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch b/queue-5.15/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch new file mode 100644 index 00000000000..118f987ba0b --- /dev/null +++ b/queue-5.15/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch @@ -0,0 +1,40 @@ +From 22b9a1c86b63a81c95483940476a9d7d7124258e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 18:33:16 +0100 +Subject: usb: gadget: fsl: Increase size of name buffer for endpoints +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 87850f6cc20911e35eafcbc1d56b0d649ae9162d ] + +This fixes a W=1 warning about sprintf writing up to 16 bytes into a +buffer of size 14. There is no practical relevance because there are not +more than 32 endpoints. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/6754df25c56aae04f8110594fad2cd2452b1862a.1708709120.git.u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fsl_udc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c +index 29fcb9b461d71..abe7c9a6ce234 100644 +--- a/drivers/usb/gadget/udc/fsl_udc_core.c ++++ b/drivers/usb/gadget/udc/fsl_udc_core.c +@@ -2485,7 +2485,7 @@ static int fsl_udc_probe(struct platform_device *pdev) + /* setup the udc->eps[] for non-control endpoints and link + * to gadget.ep_list */ + for (i = 1; i < (int)(udc_controller->max_ep / 2); i++) { +- char name[14]; ++ char name[16]; + + sprintf(name, "ep%dout", i); + struct_ep_setup(udc_controller, i * 2, name, 1); +-- +2.43.0 + diff --git a/queue-5.15/virtiofs-forbid-newlines-in-tags.patch b/queue-5.15/virtiofs-forbid-newlines-in-tags.patch new file mode 100644 index 00000000000..2f311c4e227 --- /dev/null +++ b/queue-5.15/virtiofs-forbid-newlines-in-tags.patch @@ -0,0 +1,44 @@ +From d49d76a586b7dc3d97822c2163f0debddc042a56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Feb 2024 19:11:47 -0500 +Subject: virtiofs: forbid newlines in tags + +From: Stefan Hajnoczi + +[ Upstream commit 40488cc16f7ea0d193a4e248f0d809c25cc377db ] + +Newlines in virtiofs tags are awkward for users and potential vectors +for string injection attacks. + +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Vivek Goyal +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/fuse/virtio_fs.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c +index 94fc874f5de7f..a4deacc6f78c7 100644 +--- a/fs/fuse/virtio_fs.c ++++ b/fs/fuse/virtio_fs.c +@@ -310,6 +310,16 @@ static int virtio_fs_read_tag(struct virtio_device *vdev, struct virtio_fs *fs) + return -ENOMEM; + memcpy(fs->tag, tag_buf, len); + fs->tag[len] = '\0'; ++ ++ /* While the VIRTIO specification allows any character, newlines are ++ * awkward on mount(8) command-lines and cause problems in the sysfs ++ * "tag" attr and uevent TAG= properties. Forbid them. ++ */ ++ if (strchr(fs->tag, '\n')) { ++ dev_dbg(&vdev->dev, "refusing virtiofs tag with newline character\n"); ++ return -EINVAL; ++ } ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-5.15/x86-increase-brk-randomness-entropy-for-64-bit-syste.patch b/queue-5.15/x86-increase-brk-randomness-entropy-for-64-bit-syste.patch new file mode 100644 index 00000000000..c33e79cd349 --- /dev/null +++ b/queue-5.15/x86-increase-brk-randomness-entropy-for-64-bit-syste.patch @@ -0,0 +1,47 @@ +From 31c46a2b61935e613954aadd9e1b4373e5841f90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 22:25:43 -0800 +Subject: x86: Increase brk randomness entropy for 64-bit systems + +From: Kees Cook + +[ Upstream commit 44c76825d6eefee9eb7ce06c38e1a6632ac7eb7d ] + +In commit c1d171a00294 ("x86: randomize brk"), arch_randomize_brk() was +defined to use a 32MB range (13 bits of entropy), but was never increased +when moving to 64-bit. The default arch_randomize_brk() uses 32MB for +32-bit tasks, and 1GB (18 bits of entropy) for 64-bit tasks. + +Update x86_64 to match the entropy used by arm64 and other 64-bit +architectures. + +Reported-by: y0un9n132@gmail.com +Signed-off-by: Kees Cook +Signed-off-by: Thomas Gleixner +Acked-by: Jiri Kosina +Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/ +Link: https://lore.kernel.org/r/20240217062545.1631668-1-keescook@chromium.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/process.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index e6b28c689e9a9..720d99520316a 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -937,7 +937,10 @@ unsigned long arch_align_stack(unsigned long sp) + + unsigned long arch_randomize_brk(struct mm_struct *mm) + { +- return randomize_page(mm->brk, 0x02000000); ++ if (mmap_is_ia32()) ++ return randomize_page(mm->brk, SZ_32M); ++ ++ return randomize_page(mm->brk, SZ_1G); + } + + /* +-- +2.43.0 +