From: Sasha Levin Date: Sat, 3 Dec 2022 09:21:44 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v4.9.335~83 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7dc4108d73e1c3bff8203d3e05b25785c27e8b93;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/afs-fix-fileserver-probe-rtt-handling.patch b/queue-5.4/afs-fix-fileserver-probe-rtt-handling.patch new file mode 100644 index 00000000000..28fa8e8ba11 --- /dev/null +++ b/queue-5.4/afs-fix-fileserver-probe-rtt-handling.patch @@ -0,0 +1,50 @@ +From c7ee09d8aabcb51962f39c8345a78d9b9bf127dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 22:02:56 +0000 +Subject: afs: Fix fileserver probe RTT handling + +From: David Howells + +[ Upstream commit ca57f02295f188d6c65ec02202402979880fa6d8 ] + +The fileserver probing code attempts to work out the best fileserver to +use for a volume by retrieving the RTT calculated by AF_RXRPC for the +probe call sent to each server and comparing them. Sometimes, however, +no RTT estimate is available and rxrpc_kernel_get_srtt() returns false, +leading good fileservers to be given an RTT of UINT_MAX and thus causing +the rotation algorithm to ignore them. + +Fix afs_select_fileserver() to ignore rxrpc_kernel_get_srtt()'s return +value and just take the estimated RTT it provides - which will be capped +at 1 second. + +Fixes: 1d4adfaf6574 ("rxrpc: Make rxrpc_kernel_get_srtt() indicate validity") +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Tested-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/166965503999.3392585.13954054113218099395.stgit@warthog.procyon.org.uk/ +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/fs_probe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/fs_probe.c b/fs/afs/fs_probe.c +index 51ee3dd79700..e9282e025912 100644 +--- a/fs/afs/fs_probe.c ++++ b/fs/afs/fs_probe.c +@@ -92,8 +92,8 @@ void afs_fileserver_probe_result(struct afs_call *call) + } + } + +- if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) && +- rtt_us < server->probe.rtt) { ++ rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us); ++ if (rtt_us < server->probe.rtt) { + server->probe.rtt = rtt_us; + alist->preferred = index; + have_result = true; +-- +2.35.1 + diff --git a/queue-5.4/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch b/queue-5.4/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch new file mode 100644 index 00000000000..049e587383a --- /dev/null +++ b/queue-5.4/btrfs-free-btrfs_path-before-copying-inodes-to-users.patch @@ -0,0 +1,68 @@ +From 141837121b5bd60c02f9e99ce58af98eefc68647 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 11:36:28 +0530 +Subject: btrfs: free btrfs_path before copying inodes to userspace + +From: Anand Jain + +[ Upstream commit 418ffb9e3cf6c4e2574d3a732b724916684bd133 ] + +btrfs_ioctl_logical_to_ino() frees the search path after the userspace +copy from the temp buffer @inodes. Which potentially can lead to a lock +splat. + +Fix this by freeing the path before we copy @inodes to userspace. + +CC: stable@vger.kernel.org # 4.19+ +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ioctl.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index fb0c13b2bc6a..8553bd4361dd 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -4590,21 +4590,20 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info, + size = min_t(u32, loi->size, SZ_16M); + } + +- path = btrfs_alloc_path(); +- if (!path) { +- ret = -ENOMEM; +- goto out; +- } +- + inodes = init_data_container(size); + if (IS_ERR(inodes)) { + ret = PTR_ERR(inodes); +- inodes = NULL; +- goto out; ++ goto out_loi; + } + ++ path = btrfs_alloc_path(); ++ if (!path) { ++ ret = -ENOMEM; ++ goto out; ++ } + ret = iterate_inodes_from_logical(loi->logical, fs_info, path, + build_ino_list, inodes, ignore_offset); ++ btrfs_free_path(path); + if (ret == -EINVAL) + ret = -ENOENT; + if (ret < 0) +@@ -4616,7 +4615,6 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info, + ret = -EFAULT; + + out: +- btrfs_free_path(path); + kvfree(inodes); + out_loi: + kfree(loi); +-- +2.35.1 + diff --git a/queue-5.4/btrfs-move-quota_enabled-check-to-rescan_should_stop.patch b/queue-5.4/btrfs-move-quota_enabled-check-to-rescan_should_stop.patch new file mode 100644 index 00000000000..9f90470130c --- /dev/null +++ b/queue-5.4/btrfs-move-quota_enabled-check-to-rescan_should_stop.patch @@ -0,0 +1,66 @@ +From 0641de5f0691b119888c992bc9c99ab2785b5a67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jan 2022 17:16:18 +0200 +Subject: btrfs: move QUOTA_ENABLED check to rescan_should_stop from + btrfs_qgroup_rescan_worker + +From: Nikolay Borisov + +[ Upstream commit db5df254120004471e1c957957ab2f1e612dcbd6 ] + +Instead of having 2 places that short circuit the qgroup leaf scan have +everything in the qgroup_rescan_leaf function. In addition to that, also +ensure that the inconsistent qgroup flag is set when rescan_should_stop +returns true. This both retains the old behavior when -EINTR was set in +the body of the loop and at the same time also extends this behavior +when scanning is interrupted due to remount or unmount operations. + +Signed-off-by: Nikolay Borisov +Signed-off-by: David Sterba +Stable-dep-of: f7e942b5bb35 ("btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()") +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index 84a102347490..8658bac7c6e4 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -3203,7 +3203,8 @@ static int qgroup_rescan_leaf(struct btrfs_trans_handle *trans, + static bool rescan_should_stop(struct btrfs_fs_info *fs_info) + { + return btrfs_fs_closing(fs_info) || +- test_bit(BTRFS_FS_STATE_REMOUNTING, &fs_info->fs_state); ++ test_bit(BTRFS_FS_STATE_REMOUNTING, &fs_info->fs_state) || ++ !test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags); + } + + static void btrfs_qgroup_rescan_worker(struct btrfs_work *work) +@@ -3233,11 +3234,9 @@ static void btrfs_qgroup_rescan_worker(struct btrfs_work *work) + err = PTR_ERR(trans); + break; + } +- if (!test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags)) { +- err = -EINTR; +- } else { +- err = qgroup_rescan_leaf(trans, path); +- } ++ ++ err = qgroup_rescan_leaf(trans, path); ++ + if (err > 0) + btrfs_commit_transaction(trans); + else +@@ -3251,7 +3250,7 @@ static void btrfs_qgroup_rescan_worker(struct btrfs_work *work) + if (err > 0 && + fs_info->qgroup_flags & BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT) { + fs_info->qgroup_flags &= ~BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT; +- } else if (err < 0) { ++ } else if (err < 0 || stopped) { + fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT; + } + mutex_unlock(&fs_info->qgroup_rescan_lock); +-- +2.35.1 + diff --git a/queue-5.4/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch b/queue-5.4/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch new file mode 100644 index 00000000000..489b495d7c0 --- /dev/null +++ b/queue-5.4/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch @@ -0,0 +1,65 @@ +From d47b7013b51ff33e867e990d5a1d121ab557cf09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 22:23:54 +0800 +Subject: btrfs: qgroup: fix sleep from invalid context bug in + btrfs_qgroup_inherit() + +From: ChenXiaoSong + +[ Upstream commit f7e942b5bb35d8e3af54053d19a6bf04143a3955 ] + +Syzkaller reported BUG as follows: + + BUG: sleeping function called from invalid context at + include/linux/sched/mm.h:274 + Call Trace: + + dump_stack_lvl+0xcd/0x134 + __might_resched.cold+0x222/0x26b + kmem_cache_alloc+0x2e7/0x3c0 + update_qgroup_limit_item+0xe1/0x390 + btrfs_qgroup_inherit+0x147b/0x1ee0 + create_subvol+0x4eb/0x1710 + btrfs_mksubvol+0xfe5/0x13f0 + __btrfs_ioctl_snap_create+0x2b0/0x430 + btrfs_ioctl_snap_create_v2+0x25a/0x520 + btrfs_ioctl+0x2a1c/0x5ce0 + __x64_sys_ioctl+0x193/0x200 + do_syscall_64+0x35/0x80 + +Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in +btrfs_run_qgroups() later outside of the spinlock context. + +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Qu Wenruo +Signed-off-by: ChenXiaoSong +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index 8658bac7c6e4..5c8507e74bc1 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2824,14 +2824,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, + dstgroup->rsv_rfer = inherit->lim.rsv_rfer; + dstgroup->rsv_excl = inherit->lim.rsv_excl; + +- ret = update_qgroup_limit_item(trans, dstgroup); +- if (ret) { +- fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT; +- btrfs_info(fs_info, +- "unable to update quota limit for %llu", +- dstgroup->qgroupid); +- goto unlock; +- } ++ qgroup_dirty(fs_info, dstgroup); + } + + if (srcid) { +-- +2.35.1 + diff --git a/queue-5.4/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch b/queue-5.4/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch new file mode 100644 index 00000000000..e54b247c677 --- /dev/null +++ b/queue-5.4/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch @@ -0,0 +1,59 @@ +From 747d8d8744ee7e8ecefd68578e114540056268b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 20:09:16 +0800 +Subject: can: cc770: cc770_isa_probe(): add missing free_cc770dev() + +From: Zhang Changzhong + +[ Upstream commit 62ec89e74099a3d6995988ed9f2f996b368417ec ] + +Add the missing free_cc770dev() before return from cc770_isa_probe() +in the register_cc770dev() error handling case. + +In addition, remove blanks before goto labels. + +Fixes: 7e02e5433e00 ("can: cc770: legacy CC770 ISA bus driver") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/all/1668168557-6024-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/cc770/cc770_isa.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/cc770/cc770_isa.c b/drivers/net/can/cc770/cc770_isa.c +index b9047d8110d5..910e8c309a67 100644 +--- a/drivers/net/can/cc770/cc770_isa.c ++++ b/drivers/net/can/cc770/cc770_isa.c +@@ -264,22 +264,24 @@ static int cc770_isa_probe(struct platform_device *pdev) + if (err) { + dev_err(&pdev->dev, + "couldn't register device (err=%d)\n", err); +- goto exit_unmap; ++ goto exit_free; + } + + dev_info(&pdev->dev, "device registered (reg_base=0x%p, irq=%d)\n", + priv->reg_base, dev->irq); + return 0; + +- exit_unmap: ++exit_free: ++ free_cc770dev(dev); ++exit_unmap: + if (mem[idx]) + iounmap(base); +- exit_release: ++exit_release: + if (mem[idx]) + release_mem_region(mem[idx], iosize); + else + release_region(port[idx], iosize); +- exit: ++exit: + return err; + } + +-- +2.35.1 + diff --git a/queue-5.4/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch b/queue-5.4/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch new file mode 100644 index 00000000000..7175bb06422 --- /dev/null +++ b/queue-5.4/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch @@ -0,0 +1,59 @@ +From 48af590eb726f9a88d899b4c43559ed5b7686e48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 20:08:41 +0800 +Subject: can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev() + +From: Zhang Changzhong + +[ Upstream commit 92dfd9310a71d28cefe6a2d5174d43fab240e631 ] + +Add the missing free_sja1000dev() before return from +sja1000_isa_probe() in the register_sja1000dev() error handling case. + +In addition, remove blanks before goto labels. + +Fixes: 2a6ba39ad6a2 ("can: sja1000: legacy SJA1000 ISA bus driver") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/all/1668168521-5540-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/sja1000/sja1000_isa.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/sja1000/sja1000_isa.c b/drivers/net/can/sja1000/sja1000_isa.c +index 1c4d32d1a542..fe8441be716b 100644 +--- a/drivers/net/can/sja1000/sja1000_isa.c ++++ b/drivers/net/can/sja1000/sja1000_isa.c +@@ -202,22 +202,24 @@ static int sja1000_isa_probe(struct platform_device *pdev) + if (err) { + dev_err(&pdev->dev, "registering %s failed (err=%d)\n", + DRV_NAME, err); +- goto exit_unmap; ++ goto exit_free; + } + + dev_info(&pdev->dev, "%s device registered (reg_base=0x%p, irq=%d)\n", + DRV_NAME, priv->reg_base, dev->irq); + return 0; + +- exit_unmap: ++exit_free: ++ free_sja1000dev(dev); ++exit_unmap: + if (mem[idx]) + iounmap(base); +- exit_release: ++exit_release: + if (mem[idx]) + release_mem_region(mem[idx], iosize); + else + release_region(port[idx], iosize); +- exit: ++exit: + return err; + } + +-- +2.35.1 + diff --git a/queue-5.4/drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch b/queue-5.4/drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch new file mode 100644 index 00000000000..81c1d65950a --- /dev/null +++ b/queue-5.4/drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch @@ -0,0 +1,42 @@ +From 1b17fa10080ee74c319298555625f10e89787874 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 12:34:14 -0500 +Subject: drm/amdgpu: Partially revert "drm/amdgpu: update drm_display_info + correctly when the edid is read" + +From: Alex Deucher + +[ Upstream commit 602ad43c3cd8f15cbb25ce9bb494129edb2024ed ] + +This partially reverts 20543be93ca45968f344261c1a997177e51bd7e1. + +Calling drm_connector_update_edid_property() in +amdgpu_connector_free_edid() causes a noticeable pause in +the system every 10 seconds on polled outputs so revert this +part of the change. + +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2257 +Cc: Claudio Suarez +Acked-by: Luben Tuikov +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index 448ad5ade19a..fac43a9f553c 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -329,7 +329,6 @@ static void amdgpu_connector_free_edid(struct drm_connector *connector) + + kfree(amdgpu_connector->edid); + amdgpu_connector->edid = NULL; +- drm_connector_update_edid_property(connector, NULL); + } + + static int amdgpu_connector_ddc_get_modes(struct drm_connector *connector) +-- +2.35.1 + diff --git a/queue-5.4/drm-amdgpu-update-drm_display_info-correctly-when-th.patch b/queue-5.4/drm-amdgpu-update-drm_display_info-correctly-when-th.patch new file mode 100644 index 00000000000..419d5b1ee82 --- /dev/null +++ b/queue-5.4/drm-amdgpu-update-drm_display_info-correctly-when-th.patch @@ -0,0 +1,71 @@ +From b3f9de3591e1fa6aa63b539875e149e3acf2aebd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Oct 2021 13:34:58 +0200 +Subject: drm/amdgpu: update drm_display_info correctly when the edid is read + +From: Claudio Suarez + +[ Upstream commit 20543be93ca45968f344261c1a997177e51bd7e1 ] + +drm_display_info is updated by drm_get_edid() or +drm_connector_update_edid_property(). In the amdgpu driver it is almost +always updated when the edid is read in amdgpu_connector_get_edid(), +but not always. Change amdgpu_connector_get_edid() and +amdgpu_connector_free_edid() to keep drm_display_info updated. + +Reviewed-by: Harry Wentland +Signed-off-by: Claudio Suarez +Signed-off-by: Alex Deucher +Stable-dep-of: 602ad43c3cd8 ("drm/amdgpu: Partially revert "drm/amdgpu: update drm_display_info correctly when the edid is read"") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 5 ++++- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index cf80da354ba1..448ad5ade19a 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -316,8 +316,10 @@ static void amdgpu_connector_get_edid(struct drm_connector *connector) + if (!amdgpu_connector->edid) { + /* some laptops provide a hardcoded edid in rom for LCDs */ + if (((connector->connector_type == DRM_MODE_CONNECTOR_LVDS) || +- (connector->connector_type == DRM_MODE_CONNECTOR_eDP))) ++ (connector->connector_type == DRM_MODE_CONNECTOR_eDP))) { + amdgpu_connector->edid = amdgpu_connector_get_hardcoded_edid(adev); ++ drm_connector_update_edid_property(connector, amdgpu_connector->edid); ++ } + } + } + +@@ -327,6 +329,7 @@ static void amdgpu_connector_free_edid(struct drm_connector *connector) + + kfree(amdgpu_connector->edid); + amdgpu_connector->edid = NULL; ++ drm_connector_update_edid_property(connector, NULL); + } + + static int amdgpu_connector_ddc_get_modes(struct drm_connector *connector) +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index de33864af70b..fe9c135fee0e 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -1436,13 +1436,12 @@ amdgpu_dm_update_connector_after_detect(struct amdgpu_dm_connector *aconnector) + aconnector->edid = + (struct edid *)sink->dc_edid.raw_edid; + +- drm_connector_update_edid_property(connector, +- aconnector->edid); + if (aconnector->dc_link->aux_mode) + drm_dp_cec_set_edid(&aconnector->dm_dp_aux.aux, + aconnector->edid); + } + ++ drm_connector_update_edid_property(connector, aconnector->edid); + amdgpu_dm_update_freesync_caps(connector, aconnector->edid); + + } else { +-- +2.35.1 + diff --git a/queue-5.4/dsa-lan9303-correct-stat-name.patch b/queue-5.4/dsa-lan9303-correct-stat-name.patch new file mode 100644 index 00000000000..336d53b93aa --- /dev/null +++ b/queue-5.4/dsa-lan9303-correct-stat-name.patch @@ -0,0 +1,43 @@ +From b10e71ac03b848caa2c3227d61c7f5a9d89d0c3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 13:35:59 -0600 +Subject: dsa: lan9303: Correct stat name + +From: Jerry Ray + +[ Upstream commit 39f59bca275d2d819a8788c0f962e9e89843efc9 ] + +This patch changes the reported ethtool statistics for the lan9303 +family of parts covered by this driver. + +The TxUnderRun statistic label is renamed to RxShort to accurately +reflect what stat the device is reporting. I did not reorder the +statistics as that might cause problems with existing user code that +are expecting the stats at a certain offset. + +Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") +Signed-off-by: Jerry Ray +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20221128193559.6572-1-jerry.ray@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/lan9303-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c +index 4b9d5b0ce416..e981b0184077 100644 +--- a/drivers/net/dsa/lan9303-core.c ++++ b/drivers/net/dsa/lan9303-core.c +@@ -957,7 +957,7 @@ static const struct lan9303_mib_desc lan9303_mib[] = { + { .offset = LAN9303_MAC_TX_BRDCST_CNT_0, .name = "TxBroad", }, + { .offset = LAN9303_MAC_TX_PAUSE_CNT_0, .name = "TxPause", }, + { .offset = LAN9303_MAC_TX_MULCST_CNT_0, .name = "TxMulti", }, +- { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "TxUnderRun", }, ++ { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "RxShort", }, + { .offset = LAN9303_MAC_TX_64_CNT_0, .name = "Tx64Byte", }, + { .offset = LAN9303_MAC_TX_127_CNT_0, .name = "Tx128Byte", }, + { .offset = LAN9303_MAC_TX_255_CNT_0, .name = "Tx256Byte", }, +-- +2.35.1 + diff --git a/queue-5.4/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch b/queue-5.4/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch new file mode 100644 index 00000000000..e7a7cf43a2e --- /dev/null +++ b/queue-5.4/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch @@ -0,0 +1,45 @@ +From e45cb60f642a9c846bceb24d533126d0a69c854f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 01:24:07 +0800 +Subject: e100: Fix possible use after free in e100_xmit_prepare + +From: Wang Hai + +[ Upstream commit 45605c75c52c7ae7bfe902214343aabcfe5ba0ff ] + +In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so +e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will +resend the skb. But the skb is already freed, which will cause UAF bug +when the upper layer resends the skb. + +Remove the harmful free. + +Fixes: 5e5d49422dfb ("e100: Release skb when DMA mapping is failed in e100_xmit_prepare") +Signed-off-by: Wang Hai +Reviewed-by: Alexander Duyck +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index 9f4ea2735791..db1b908497cf 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -1745,11 +1745,8 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb, + dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len, + DMA_TO_DEVICE); + /* If we can't map the skb, have the upper layer try later */ +- if (dma_mapping_error(&nic->pdev->dev, dma_addr)) { +- dev_kfree_skb_any(skb); +- skb = NULL; ++ if (dma_mapping_error(&nic->pdev->dev, dma_addr)) + return -ENOMEM; +- } + + /* + * Use the last 4 bytes of the SKB payload packet as the CRC, used for +-- +2.35.1 + diff --git a/queue-5.4/e100-switch-from-pci_-to-dma_-api.patch b/queue-5.4/e100-switch-from-pci_-to-dma_-api.patch new file mode 100644 index 00000000000..f6720f5b877 --- /dev/null +++ b/queue-5.4/e100-switch-from-pci_-to-dma_-api.patch @@ -0,0 +1,356 @@ +From 9aa85d0b70c60684aa2b0ffd15afab9ff764661c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jan 2021 22:07:36 +0100 +Subject: e100: switch from 'pci_' to 'dma_' API + +From: Christophe JAILLET + +[ Upstream commit 4140ff1ba06d3fc16afd518736940ab742886317 ] + +The wrappers in include/linux/pci-dma-compat.h should go away. + +The patch has been generated with the coccinelle script below and has been +hand modified to replace GFP_ with a correct flag. +It has been compile tested. + +When memory is allocated in 'e100_alloc()', GFP_KERNEL can be used because +it is only called from the probe function and no lock is acquired. + +@@ +@@ +- PCI_DMA_BIDIRECTIONAL ++ DMA_BIDIRECTIONAL + +@@ +@@ +- PCI_DMA_TODEVICE ++ DMA_TO_DEVICE + +@@ +@@ +- PCI_DMA_FROMDEVICE ++ DMA_FROM_DEVICE + +@@ +@@ +- PCI_DMA_NONE ++ DMA_NONE + +@@ +expression e1, e2, e3; +@@ +- pci_alloc_consistent(e1, e2, e3) ++ dma_alloc_coherent(&e1->dev, e2, e3, GFP_) + +@@ +expression e1, e2, e3; +@@ +- pci_zalloc_consistent(e1, e2, e3) ++ dma_alloc_coherent(&e1->dev, e2, e3, GFP_) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_free_consistent(e1, e2, e3, e4) ++ dma_free_coherent(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_map_single(e1, e2, e3, e4) ++ dma_map_single(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_single(e1, e2, e3, e4) ++ dma_unmap_single(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4, e5; +@@ +- pci_map_page(e1, e2, e3, e4, e5) ++ dma_map_page(&e1->dev, e2, e3, e4, e5) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_page(e1, e2, e3, e4) ++ dma_unmap_page(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_map_sg(e1, e2, e3, e4) ++ dma_map_sg(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_sg(e1, e2, e3, e4) ++ dma_unmap_sg(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_single_for_cpu(e1, e2, e3, e4) ++ dma_sync_single_for_cpu(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_single_for_device(e1, e2, e3, e4) ++ dma_sync_single_for_device(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_sg_for_cpu(e1, e2, e3, e4) ++ dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_sg_for_device(e1, e2, e3, e4) ++ dma_sync_sg_for_device(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2; +@@ +- pci_dma_mapping_error(e1, e2) ++ dma_mapping_error(&e1->dev, e2) + +@@ +expression e1, e2; +@@ +- pci_set_dma_mask(e1, e2) ++ dma_set_mask(&e1->dev, e2) + +@@ +expression e1, e2; +@@ +- pci_set_consistent_dma_mask(e1, e2) ++ dma_set_coherent_mask(&e1->dev, e2) + +Signed-off-by: Christophe JAILLET +Tested-by: Aaron Brown +Link: https://lore.kernel.org/r/20210128210736.749724-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Jakub Kicinski +Stable-dep-of: 45605c75c52c ("e100: Fix possible use after free in e100_xmit_prepare") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 92 ++++++++++++++++--------------- + 1 file changed, 49 insertions(+), 43 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index 70962967d714..9f4ea2735791 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -1742,10 +1742,10 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb, + dma_addr_t dma_addr; + cb->command = nic->tx_command; + +- dma_addr = pci_map_single(nic->pdev, +- skb->data, skb->len, PCI_DMA_TODEVICE); ++ dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len, ++ DMA_TO_DEVICE); + /* If we can't map the skb, have the upper layer try later */ +- if (pci_dma_mapping_error(nic->pdev, dma_addr)) { ++ if (dma_mapping_error(&nic->pdev->dev, dma_addr)) { + dev_kfree_skb_any(skb); + skb = NULL; + return -ENOMEM; +@@ -1831,10 +1831,10 @@ static int e100_tx_clean(struct nic *nic) + dev->stats.tx_packets++; + dev->stats.tx_bytes += cb->skb->len; + +- pci_unmap_single(nic->pdev, +- le32_to_cpu(cb->u.tcb.tbd.buf_addr), +- le16_to_cpu(cb->u.tcb.tbd.size), +- PCI_DMA_TODEVICE); ++ dma_unmap_single(&nic->pdev->dev, ++ le32_to_cpu(cb->u.tcb.tbd.buf_addr), ++ le16_to_cpu(cb->u.tcb.tbd.size), ++ DMA_TO_DEVICE); + dev_kfree_skb_any(cb->skb); + cb->skb = NULL; + tx_cleaned = 1; +@@ -1858,10 +1858,10 @@ static void e100_clean_cbs(struct nic *nic) + while (nic->cbs_avail != nic->params.cbs.count) { + struct cb *cb = nic->cb_to_clean; + if (cb->skb) { +- pci_unmap_single(nic->pdev, +- le32_to_cpu(cb->u.tcb.tbd.buf_addr), +- le16_to_cpu(cb->u.tcb.tbd.size), +- PCI_DMA_TODEVICE); ++ dma_unmap_single(&nic->pdev->dev, ++ le32_to_cpu(cb->u.tcb.tbd.buf_addr), ++ le16_to_cpu(cb->u.tcb.tbd.size), ++ DMA_TO_DEVICE); + dev_kfree_skb(cb->skb); + } + nic->cb_to_clean = nic->cb_to_clean->next; +@@ -1928,10 +1928,10 @@ static int e100_rx_alloc_skb(struct nic *nic, struct rx *rx) + + /* Init, and map the RFD. */ + skb_copy_to_linear_data(rx->skb, &nic->blank_rfd, sizeof(struct rfd)); +- rx->dma_addr = pci_map_single(nic->pdev, rx->skb->data, +- RFD_BUF_LEN, PCI_DMA_BIDIRECTIONAL); ++ rx->dma_addr = dma_map_single(&nic->pdev->dev, rx->skb->data, ++ RFD_BUF_LEN, DMA_BIDIRECTIONAL); + +- if (pci_dma_mapping_error(nic->pdev, rx->dma_addr)) { ++ if (dma_mapping_error(&nic->pdev->dev, rx->dma_addr)) { + dev_kfree_skb_any(rx->skb); + rx->skb = NULL; + rx->dma_addr = 0; +@@ -1944,8 +1944,10 @@ static int e100_rx_alloc_skb(struct nic *nic, struct rx *rx) + if (rx->prev->skb) { + struct rfd *prev_rfd = (struct rfd *)rx->prev->skb->data; + put_unaligned_le32(rx->dma_addr, &prev_rfd->link); +- pci_dma_sync_single_for_device(nic->pdev, rx->prev->dma_addr, +- sizeof(struct rfd), PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_device(&nic->pdev->dev, ++ rx->prev->dma_addr, ++ sizeof(struct rfd), ++ DMA_BIDIRECTIONAL); + } + + return 0; +@@ -1964,8 +1966,8 @@ static int e100_rx_indicate(struct nic *nic, struct rx *rx, + return -EAGAIN; + + /* Need to sync before taking a peek at cb_complete bit */ +- pci_dma_sync_single_for_cpu(nic->pdev, rx->dma_addr, +- sizeof(struct rfd), PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_cpu(&nic->pdev->dev, rx->dma_addr, ++ sizeof(struct rfd), DMA_BIDIRECTIONAL); + rfd_status = le16_to_cpu(rfd->status); + + netif_printk(nic, rx_status, KERN_DEBUG, nic->netdev, +@@ -1984,9 +1986,9 @@ static int e100_rx_indicate(struct nic *nic, struct rx *rx, + + if (ioread8(&nic->csr->scb.status) & rus_no_res) + nic->ru_running = RU_SUSPENDED; +- pci_dma_sync_single_for_device(nic->pdev, rx->dma_addr, +- sizeof(struct rfd), +- PCI_DMA_FROMDEVICE); ++ dma_sync_single_for_device(&nic->pdev->dev, rx->dma_addr, ++ sizeof(struct rfd), ++ DMA_FROM_DEVICE); + return -ENODATA; + } + +@@ -1998,8 +2000,8 @@ static int e100_rx_indicate(struct nic *nic, struct rx *rx, + actual_size = RFD_BUF_LEN - sizeof(struct rfd); + + /* Get data */ +- pci_unmap_single(nic->pdev, rx->dma_addr, +- RFD_BUF_LEN, PCI_DMA_BIDIRECTIONAL); ++ dma_unmap_single(&nic->pdev->dev, rx->dma_addr, RFD_BUF_LEN, ++ DMA_BIDIRECTIONAL); + + /* If this buffer has the el bit, but we think the receiver + * is still running, check to see if it really stopped while +@@ -2100,22 +2102,25 @@ static void e100_rx_clean(struct nic *nic, unsigned int *work_done, + (struct rfd *)new_before_last_rx->skb->data; + new_before_last_rfd->size = 0; + new_before_last_rfd->command |= cpu_to_le16(cb_el); +- pci_dma_sync_single_for_device(nic->pdev, +- new_before_last_rx->dma_addr, sizeof(struct rfd), +- PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_device(&nic->pdev->dev, ++ new_before_last_rx->dma_addr, ++ sizeof(struct rfd), ++ DMA_BIDIRECTIONAL); + + /* Now that we have a new stopping point, we can clear the old + * stopping point. We must sync twice to get the proper + * ordering on the hardware side of things. */ + old_before_last_rfd->command &= ~cpu_to_le16(cb_el); +- pci_dma_sync_single_for_device(nic->pdev, +- old_before_last_rx->dma_addr, sizeof(struct rfd), +- PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_device(&nic->pdev->dev, ++ old_before_last_rx->dma_addr, ++ sizeof(struct rfd), ++ DMA_BIDIRECTIONAL); + old_before_last_rfd->size = cpu_to_le16(VLAN_ETH_FRAME_LEN + + ETH_FCS_LEN); +- pci_dma_sync_single_for_device(nic->pdev, +- old_before_last_rx->dma_addr, sizeof(struct rfd), +- PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_device(&nic->pdev->dev, ++ old_before_last_rx->dma_addr, ++ sizeof(struct rfd), ++ DMA_BIDIRECTIONAL); + } + + if (restart_required) { +@@ -2137,8 +2142,9 @@ static void e100_rx_clean_list(struct nic *nic) + if (nic->rxs) { + for (rx = nic->rxs, i = 0; i < count; rx++, i++) { + if (rx->skb) { +- pci_unmap_single(nic->pdev, rx->dma_addr, +- RFD_BUF_LEN, PCI_DMA_BIDIRECTIONAL); ++ dma_unmap_single(&nic->pdev->dev, ++ rx->dma_addr, RFD_BUF_LEN, ++ DMA_BIDIRECTIONAL); + dev_kfree_skb(rx->skb); + } + } +@@ -2180,8 +2186,8 @@ static int e100_rx_alloc_list(struct nic *nic) + before_last = (struct rfd *)rx->skb->data; + before_last->command |= cpu_to_le16(cb_el); + before_last->size = 0; +- pci_dma_sync_single_for_device(nic->pdev, rx->dma_addr, +- sizeof(struct rfd), PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_device(&nic->pdev->dev, rx->dma_addr, ++ sizeof(struct rfd), DMA_BIDIRECTIONAL); + + nic->rx_to_use = nic->rx_to_clean = nic->rxs; + nic->ru_running = RU_SUSPENDED; +@@ -2380,8 +2386,8 @@ static int e100_loopback_test(struct nic *nic, enum loopback loopback_mode) + + msleep(10); + +- pci_dma_sync_single_for_cpu(nic->pdev, nic->rx_to_clean->dma_addr, +- RFD_BUF_LEN, PCI_DMA_BIDIRECTIONAL); ++ dma_sync_single_for_cpu(&nic->pdev->dev, nic->rx_to_clean->dma_addr, ++ RFD_BUF_LEN, DMA_BIDIRECTIONAL); + + if (memcmp(nic->rx_to_clean->skb->data + sizeof(struct rfd), + skb->data, ETH_DATA_LEN)) +@@ -2763,16 +2769,16 @@ static int e100_do_ioctl(struct net_device *netdev, struct ifreq *ifr, int cmd) + + static int e100_alloc(struct nic *nic) + { +- nic->mem = pci_alloc_consistent(nic->pdev, sizeof(struct mem), +- &nic->dma_addr); ++ nic->mem = dma_alloc_coherent(&nic->pdev->dev, sizeof(struct mem), ++ &nic->dma_addr, GFP_KERNEL); + return nic->mem ? 0 : -ENOMEM; + } + + static void e100_free(struct nic *nic) + { + if (nic->mem) { +- pci_free_consistent(nic->pdev, sizeof(struct mem), +- nic->mem, nic->dma_addr); ++ dma_free_coherent(&nic->pdev->dev, sizeof(struct mem), ++ nic->mem, nic->dma_addr); + nic->mem = NULL; + } + } +@@ -2865,7 +2871,7 @@ static int e100_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + goto err_out_disable_pdev; + } + +- if ((err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)))) { ++ if ((err = dma_set_mask(&pdev->dev, DMA_BIT_MASK(32)))) { + netif_err(nic, probe, nic->netdev, "No usable DMA configuration, aborting\n"); + goto err_out_free_res; + } +-- +2.35.1 + diff --git a/queue-5.4/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch b/queue-5.4/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch new file mode 100644 index 00000000000..424888f132c --- /dev/null +++ b/queue-5.4/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch @@ -0,0 +1,64 @@ +From 8c974f7fe1187020b913b83eae37054d27bca2a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:23:13 -0500 +Subject: hwmon: (coretemp) Check for null before removing sysfs attrs + +From: Phil Auld + +[ Upstream commit a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a ] + +If coretemp_add_core() gets an error then pdata->core_data[indx] +is already NULL and has been kfreed. Don't pass that to +sysfs_remove_group() as that will crash in sysfs_remove_group(). + +[Shortened for readability] +[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label' + +[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188 +[91855.165103] #PF: supervisor read access in kernel mode +[91855.194506] #PF: error_code(0x0000) - not-present page +[91855.224445] PGD 0 P4D 0 +[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI +... +[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80 +... +[91855.796571] Call Trace: +[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp] +[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp] +[91855.871107] cpuhp_invoke_callback+0x105/0x4b0 +[91855.893432] cpuhp_thread_fun+0x8e/0x150 +... + +Fix this by checking for NULL first. + +Signed-off-by: Phil Auld +Cc: linux-hwmon@vger.kernel.org +Cc: Fenghua Yu +Cc: Jean Delvare +Cc: Guenter Roeck +Link: https://lore.kernel.org/r/20221117162313.3164803-1-pauld@redhat.com +Fixes: 199e0de7f5df3 ("hwmon: (coretemp) Merge pkgtemp with coretemp") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index d2530f581186..65e06e18b8f0 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -533,6 +533,10 @@ static void coretemp_remove_core(struct platform_data *pdata, int indx) + { + struct temp_data *tdata = pdata->core_data[indx]; + ++ /* if we errored on add then this is already gone */ ++ if (!tdata) ++ return; ++ + /* Remove the sysfs attributes */ + sysfs_remove_group(&pdata->hwmon_dev->kobj, &tdata->attr_group); + +-- +2.35.1 + diff --git a/queue-5.4/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch b/queue-5.4/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch new file mode 100644 index 00000000000..c63d2826986 --- /dev/null +++ b/queue-5.4/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch @@ -0,0 +1,45 @@ +From a3a09c6de94740f19378056eedc001d7b8e69c73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 17:33:03 +0800 +Subject: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() + +From: Yang Yingliang + +[ Upstream commit 7dec14537c5906b8bf40fd6fd6d9c3850f8df11d ] + +As comment of pci_get_domain_bus_and_slot() says, it returns +a pci device with refcount increment, when finish using it, +the caller must decrement the reference count by calling +pci_dev_put(). So call it after using to avoid refcount leak. + +Fixes: 14513ee696a0 ("hwmon: (coretemp) Use PCI host bridge ID to identify CPU if necessary") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221118093303.214163-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 65e06e18b8f0..7a64ff6a8779 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -242,10 +242,13 @@ static int adjust_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev) + */ + if (host_bridge && host_bridge->vendor == PCI_VENDOR_ID_INTEL) { + for (i = 0; i < ARRAY_SIZE(tjmax_pci_table); i++) { +- if (host_bridge->device == tjmax_pci_table[i].device) ++ if (host_bridge->device == tjmax_pci_table[i].device) { ++ pci_dev_put(host_bridge); + return tjmax_pci_table[i].tjmax; ++ } + } + } ++ pci_dev_put(host_bridge); + + for (i = 0; i < ARRAY_SIZE(tjmax_table); i++) { + if (strstr(c->x86_model_id, tjmax_table[i].id)) +-- +2.35.1 + diff --git a/queue-5.4/hwmon-i5500_temp-fix-missing-pci_disable_device.patch b/queue-5.4/hwmon-i5500_temp-fix-missing-pci_disable_device.patch new file mode 100644 index 00000000000..02c47fa9464 --- /dev/null +++ b/queue-5.4/hwmon-i5500_temp-fix-missing-pci_disable_device.patch @@ -0,0 +1,37 @@ +From fc3f21710f6129729ca756587894c8321ee68cdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 20:56:06 +0800 +Subject: hwmon: (i5500_temp) fix missing pci_disable_device() + +From: Yang Yingliang + +[ Upstream commit 3b7f98f237528c496ea0b689bace0e35eec3e060 ] + +pci_disable_device() need be called while module exiting, switch to use +pcim_enable(), pci_disable_device() will be called in pcim_release(). + +Fixes: ada072816be1 ("hwmon: (i5500_temp) New driver for the Intel 5500/5520/X58 chipsets") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221112125606.3751430-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/i5500_temp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/i5500_temp.c b/drivers/hwmon/i5500_temp.c +index 360f5aee1394..d4be03f43fb4 100644 +--- a/drivers/hwmon/i5500_temp.c ++++ b/drivers/hwmon/i5500_temp.c +@@ -108,7 +108,7 @@ static int i5500_temp_probe(struct pci_dev *pdev, + u32 tstimer; + s8 tsfsc; + +- err = pci_enable_device(pdev); ++ err = pcim_enable_device(pdev); + if (err) { + dev_err(&pdev->dev, "Failed to enable device\n"); + return err; +-- +2.35.1 + diff --git a/queue-5.4/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch b/queue-5.4/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch new file mode 100644 index 00000000000..c2d0d513bc9 --- /dev/null +++ b/queue-5.4/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch @@ -0,0 +1,44 @@ +From 497d490461965eba6276f56f3570dd4e53cddf58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:44:23 +0800 +Subject: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails + +From: Gaosheng Cui + +[ Upstream commit e2a87785aab0dac190ac89be6a9ba955e2c634f2 ] + +Smatch report warning as follows: + +drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: + '&data->list' not removed from list + +If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will +be freed, but data->list will not be removed from driver_data.bmc_data, +then list traversal may cause UAF. + +Fix by removeing it from driver_data.bmc_data before free(). + +Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221117034423.2935739-1-cuigaosheng1@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ibmpex.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c +index b2ab83c9fd9a..fe90f0536d76 100644 +--- a/drivers/hwmon/ibmpex.c ++++ b/drivers/hwmon/ibmpex.c +@@ -502,6 +502,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev) + return; + + out_register: ++ list_del(&data->list); + hwmon_device_unregister(data->hwmon_dev); + out_user: + ipmi_destroy_user(data->user); +-- +2.35.1 + diff --git a/queue-5.4/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch b/queue-5.4/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch new file mode 100644 index 00000000000..3669b716da9 --- /dev/null +++ b/queue-5.4/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch @@ -0,0 +1,72 @@ +From 2d2aaaedbbdcc57f4960d6a151dfa837b00b9101 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 15:19:46 +0000 +Subject: iio: health: afe4403: Fix oob read in afe4403_read_raw + +From: Wei Yongjun + +[ Upstream commit 58143c1ed5882c138a3cd2251a336fc8755f23d9 ] + +KASAN report out-of-bounds read as follows: + +BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 +Read of size 4 at addr ffffffffc02ac638 by task cat/279 + +Call Trace: + afe4403_read_raw + iio_read_channel_info + dev_attr_show + +The buggy address belongs to the variable: + afe4403_channel_leds+0x18/0xffffffffffffe9e0 + +This issue can be reproduced by singe command: + + $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw + +The array size of afe4403_channel_leds is less than channels, so access +with chan->address cause OOB read in afe4403_read_raw. Fix it by moving +access before use it. + +Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields") +Signed-off-by: Wei Yongjun +Acked-by: Andrew Davis +Link: https://lore.kernel.org/r/20221107151946.89260-1-weiyongjun@huaweicloud.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/health/afe4403.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/health/afe4403.c b/drivers/iio/health/afe4403.c +index 29104656a537..3fdaf3104cce 100644 +--- a/drivers/iio/health/afe4403.c ++++ b/drivers/iio/health/afe4403.c +@@ -245,14 +245,14 @@ static int afe4403_read_raw(struct iio_dev *indio_dev, + int *val, int *val2, long mask) + { + struct afe4403_data *afe = iio_priv(indio_dev); +- unsigned int reg = afe4403_channel_values[chan->address]; +- unsigned int field = afe4403_channel_leds[chan->address]; ++ unsigned int reg, field; + int ret; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ reg = afe4403_channel_values[chan->address]; + ret = afe4403_read(afe, reg, val); + if (ret) + return ret; +@@ -262,6 +262,7 @@ static int afe4403_read_raw(struct iio_dev *indio_dev, + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ field = afe4403_channel_leds[chan->address]; + ret = regmap_field_read(afe->fields[field], val); + if (ret) + return ret; +-- +2.35.1 + diff --git a/queue-5.4/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch b/queue-5.4/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch new file mode 100644 index 00000000000..f262c8239b2 --- /dev/null +++ b/queue-5.4/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch @@ -0,0 +1,102 @@ +From 04fa1f84a0125754a45fa13b9e409346f61ca0dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 15:20:10 +0000 +Subject: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw + +From: Wei Yongjun + +[ Upstream commit fc92d9e3de0b2d30a3ccc08048a5fad533e4672b ] + +KASAN report out-of-bounds read as follows: + +BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380 +Read of size 4 at addr ffffffffc00e4658 by task cat/278 + +Call Trace: + afe4404_read_raw + iio_read_channel_info + dev_attr_show + +The buggy address belongs to the variable: + afe4404_channel_leds+0x18/0xffffffffffffe9c0 + +This issue can be reproduce by singe command: + + $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw + +The array size of afe4404_channel_leds and afe4404_channel_offdacs +are less than channels, so access with chan->address cause OOB read +in afe4404_[read|write]_raw. Fix it by moving access before use them. + +Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields") +Signed-off-by: Wei Yongjun +Acked-by: Andrew Davis +Link: https://lore.kernel.org/r/20221107152010.95937-1-weiyongjun@huaweicloud.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/health/afe4404.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/iio/health/afe4404.c b/drivers/iio/health/afe4404.c +index cebb1fd4d0b1..7780e9b312b3 100644 +--- a/drivers/iio/health/afe4404.c ++++ b/drivers/iio/health/afe4404.c +@@ -250,20 +250,20 @@ static int afe4404_read_raw(struct iio_dev *indio_dev, + int *val, int *val2, long mask) + { + struct afe4404_data *afe = iio_priv(indio_dev); +- unsigned int value_reg = afe4404_channel_values[chan->address]; +- unsigned int led_field = afe4404_channel_leds[chan->address]; +- unsigned int offdac_field = afe4404_channel_offdacs[chan->address]; ++ unsigned int value_reg, led_field, offdac_field; + int ret; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ value_reg = afe4404_channel_values[chan->address]; + ret = regmap_read(afe->regmap, value_reg, val); + if (ret) + return ret; + return IIO_VAL_INT; + case IIO_CHAN_INFO_OFFSET: ++ offdac_field = afe4404_channel_offdacs[chan->address]; + ret = regmap_field_read(afe->fields[offdac_field], val); + if (ret) + return ret; +@@ -273,6 +273,7 @@ static int afe4404_read_raw(struct iio_dev *indio_dev, + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ led_field = afe4404_channel_leds[chan->address]; + ret = regmap_field_read(afe->fields[led_field], val); + if (ret) + return ret; +@@ -295,19 +296,20 @@ static int afe4404_write_raw(struct iio_dev *indio_dev, + int val, int val2, long mask) + { + struct afe4404_data *afe = iio_priv(indio_dev); +- unsigned int led_field = afe4404_channel_leds[chan->address]; +- unsigned int offdac_field = afe4404_channel_offdacs[chan->address]; ++ unsigned int led_field, offdac_field; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_OFFSET: ++ offdac_field = afe4404_channel_offdacs[chan->address]; + return regmap_field_write(afe->fields[offdac_field], val); + } + break; + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ led_field = afe4404_channel_leds[chan->address]; + return regmap_field_write(afe->fields[led_field], val); + } + break; +-- +2.35.1 + diff --git a/queue-5.4/iio-light-rpr0521-add-missing-kconfig-dependencies.patch b/queue-5.4/iio-light-rpr0521-add-missing-kconfig-dependencies.patch new file mode 100644 index 00000000000..15a4c131c4d --- /dev/null +++ b/queue-5.4/iio-light-rpr0521-add-missing-kconfig-dependencies.patch @@ -0,0 +1,47 @@ +From 0dc044f6a0c0c29ed70a9242eeb50b8a3b5df2b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 16:47:29 -0500 +Subject: iio: light: rpr0521: add missing Kconfig dependencies + +From: Paul Gazzillo + +[ Upstream commit 6ac12303572ef9ace5603c2c07f5f1b00a33f580 ] + +Fix an implicit declaration of function error for rpr0521 under some configs + +When CONFIG_RPR0521 is enabled without CONFIG_IIO_TRIGGERED_BUFFER, +the build results in "implicit declaration of function" errors, e.g., + drivers/iio/light/rpr0521.c:434:3: error: implicit declaration of function + 'iio_trigger_poll_chained' [-Werror=implicit-function-declaration] + 434 | iio_trigger_poll_chained(data->drdy_trigger0); + | ^~~~~~~~~~~~~~~~~~~~~~~~ + +This fix adds select dependencies to RPR0521's configuration declaration. + +Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer") +Signed-off-by: Paul Gazzillo +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216678 +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221110214729.ls5ixav5kxpeftk7@device +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/light/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/iio/light/Kconfig b/drivers/iio/light/Kconfig +index 42b64b85d06c..83885f6c93cd 100644 +--- a/drivers/iio/light/Kconfig ++++ b/drivers/iio/light/Kconfig +@@ -239,6 +239,8 @@ config RPR0521 + tristate "ROHM RPR0521 ALS and proximity sensor driver" + depends on I2C + select REGMAP_I2C ++ select IIO_BUFFER ++ select IIO_TRIGGERED_BUFFER + help + Say Y here if you want to build support for ROHM's RPR0521 + ambient light and proximity sensor device. +-- +2.35.1 + diff --git a/queue-5.4/kbuild-fix-wimplicit-function-declaration-in-license.patch b/queue-5.4/kbuild-fix-wimplicit-function-declaration-in-license.patch new file mode 100644 index 00000000000..c2acb88fc1d --- /dev/null +++ b/queue-5.4/kbuild-fix-wimplicit-function-declaration-in-license.patch @@ -0,0 +1,50 @@ +From 89259f1ab2bd5639d429980eb7d7d726dab5dc6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 18:26:34 +0000 +Subject: kbuild: fix -Wimplicit-function-declaration in + license_is_gpl_compatible + +From: Sam James + +[ Upstream commit 50c697215a8cc22f0e58c88f06f2716c05a26e85 ] + +Add missing include for strcmp. + +Clang 16 makes -Wimplicit-function-declaration an error by default. +Unfortunately, out of tree modules may use this in configure scripts, +which means failure might cause silent miscompilation or misconfiguration. + +For more information, see LWN.net [0] or LLVM's Discourse [1], gentoo-dev@ [2], +or the (new) c-std-porting mailing list [3]. + +[0] https://lwn.net/Articles/913505/ +[1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213 +[2] https://archives.gentoo.org/gentoo-dev/message/dd9f2d3082b8b6f8dfbccb0639e6e240 +[3] hosted at lists.linux.dev. + +[akpm@linux-foundation.org: remember "linux/"] +Link: https://lkml.kernel.org/r/20221116182634.2823136-1-sam@gentoo.org +Signed-off-by: Sam James +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/license.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/license.h b/include/linux/license.h +index decdbf43cb5c..87a21d5d6758 100644 +--- a/include/linux/license.h ++++ b/include/linux/license.h +@@ -1,6 +1,8 @@ + #ifndef __LICENSE_H + #define __LICENSE_H + ++#include ++ + static inline int license_is_gpl_compatible(const char *license) + { + return (strcmp(license, "GPL") == 0 +-- +2.35.1 + diff --git a/queue-5.4/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch b/queue-5.4/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch new file mode 100644 index 00000000000..4dfdebec9d5 --- /dev/null +++ b/queue-5.4/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch @@ -0,0 +1,45 @@ +From 08f252954b3c1df4b7f8ca16793d861a8c524d6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 16:10:05 +0800 +Subject: net/9p: Fix a potential socket leak in p9_socket_open + +From: Wang Hai + +[ Upstream commit dcc14cfd7debe11b825cb077e75d91d2575b4cb8 ] + +Both p9_fd_create_tcp() and p9_fd_create_unix() will call +p9_socket_open(). If the creation of p9_trans_fd fails, +p9_fd_create_tcp() and p9_fd_create_unix() will return an +error directly instead of releasing the cscoket, which will +result in a socket leak. + +This patch adds sock_release() to fix the leak issue. + +Fixes: 6b18662e239a ("9p connect fixes") +Signed-off-by: Wang Hai +ACKed-by: Al Viro +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index 5d6284adbac0..23c1d78ab1e4 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -852,8 +852,10 @@ static int p9_socket_open(struct p9_client *client, struct socket *csocket) + struct file *file; + + p = kzalloc(sizeof(struct p9_trans_fd), GFP_KERNEL); +- if (!p) ++ if (!p) { ++ sock_release(csocket); + return -ENOMEM; ++ } + + csocket->sk->sk_allocation = GFP_NOIO; + file = sock_alloc_file(csocket, 0, NULL); +-- +2.35.1 + diff --git a/queue-5.4/net-ethernet-nixge-fix-null-dereference.patch b/queue-5.4/net-ethernet-nixge-fix-null-dereference.patch new file mode 100644 index 00000000000..3efd129a255 --- /dev/null +++ b/queue-5.4/net-ethernet-nixge-fix-null-dereference.patch @@ -0,0 +1,75 @@ +From e4a3cd6858af5089bf23f3949894e8d70aaedf2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 11:43:03 +0300 +Subject: net: ethernet: nixge: fix NULL dereference + +From: Yuri Karpov + +[ Upstream commit 9256db4e45e8b497b0e993cc3ed4ad08eb2389b6 ] + +In function nixge_hw_dma_bd_release() dereference of NULL pointer +priv->rx_bd_v is possible for the case of its allocation failure in +nixge_hw_dma_bd_init(). + +Move for() loop with priv->rx_bd_v dereference under the check for +its validity. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev") +Signed-off-by: Yuri Karpov +Reviewed-by: Maciej Fijalkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ni/nixge.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c +index ffd44edfffbf..acb25b8c9458 100644 +--- a/drivers/net/ethernet/ni/nixge.c ++++ b/drivers/net/ethernet/ni/nixge.c +@@ -249,25 +249,26 @@ static void nixge_hw_dma_bd_release(struct net_device *ndev) + struct sk_buff *skb; + int i; + +- for (i = 0; i < RX_BD_NUM; i++) { +- phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], +- phys); +- +- dma_unmap_single(ndev->dev.parent, phys_addr, +- NIXGE_MAX_JUMBO_FRAME_SIZE, +- DMA_FROM_DEVICE); +- +- skb = (struct sk_buff *)(uintptr_t) +- nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], +- sw_id_offset); +- dev_kfree_skb(skb); +- } ++ if (priv->rx_bd_v) { ++ for (i = 0; i < RX_BD_NUM; i++) { ++ phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], ++ phys); ++ ++ dma_unmap_single(ndev->dev.parent, phys_addr, ++ NIXGE_MAX_JUMBO_FRAME_SIZE, ++ DMA_FROM_DEVICE); ++ ++ skb = (struct sk_buff *)(uintptr_t) ++ nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], ++ sw_id_offset); ++ dev_kfree_skb(skb); ++ } + +- if (priv->rx_bd_v) + dma_free_coherent(ndev->dev.parent, + sizeof(*priv->rx_bd_v) * RX_BD_NUM, + priv->rx_bd_v, + priv->rx_bd_p); ++ } + + if (priv->tx_skb) + devm_kfree(ndev->dev.parent, priv->tx_skb); +-- +2.35.1 + diff --git a/queue-5.4/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch b/queue-5.4/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch new file mode 100644 index 00000000000..acf595e3981 --- /dev/null +++ b/queue-5.4/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch @@ -0,0 +1,41 @@ +From 2dd71d16f8ff14833ade7cae6f03e23276215a80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 15:56:04 +0900 +Subject: net: ethernet: renesas: ravb: Fix promiscuous mode after system + resumed + +From: Yoshihiro Shimoda + +[ Upstream commit d66233a312ec9013af3e37e4030b479a20811ec3 ] + +After system resumed on some environment board, the promiscuous mode +is disabled because the SoC turned off. So, call ravb_set_rx_mode() in +the ravb_resume() to fix the issue. + +Reported-by: Tho Vu +Fixes: 0184165b2f42 ("ravb: add sleep PM suspend/resume support") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Pavan Chebbi +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20221128065604.1864391-1-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 9208a72fe17e..95fd1f2d5439 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -2327,6 +2327,7 @@ static int __maybe_unused ravb_resume(struct device *dev) + ret = ravb_open(ndev); + if (ret < 0) + return ret; ++ ravb_set_rx_mode(ndev); + netif_device_attach(ndev); + } + +-- +2.35.1 + diff --git a/queue-5.4/net-hsr-fix-potential-use-after-free.patch b/queue-5.4/net-hsr-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..34596d7be56 --- /dev/null +++ b/queue-5.4/net-hsr-fix-potential-use-after-free.patch @@ -0,0 +1,49 @@ +From ebf534eafa5fbf8c66808f2ec347abf98c32c008 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 15:57:24 +0800 +Subject: net: hsr: Fix potential use-after-free + +From: YueHaibing + +[ Upstream commit 7e177d32442b7ed08a9fa61b61724abc548cb248 ] + +The skb is delivered to netif_rx() which may free it, after calling this, +dereferencing skb may trigger use-after-free. + +Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20221125075724.27912-1-yuehaibing@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_forward.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c +index bf3ecf792688..7073724fdfa6 100644 +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -198,17 +198,18 @@ static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev, + struct hsr_node *node_src) + { + bool was_multicast_frame; +- int res; ++ int res, recv_len; + + was_multicast_frame = (skb->pkt_type == PACKET_MULTICAST); + hsr_addr_subst_source(node_src, skb); + skb_pull(skb, ETH_HLEN); ++ recv_len = skb->len; + res = netif_rx(skb); + if (res == NET_RX_DROP) { + dev->stats.rx_dropped++; + } else { + dev->stats.rx_packets++; +- dev->stats.rx_bytes += skb->len; ++ dev->stats.rx_bytes += recv_len; + if (was_multicast_frame) + dev->stats.multicast++; + } +-- +2.35.1 + diff --git a/queue-5.4/net-mlx5-dr-fix-uninitialized-var-warning.patch b/queue-5.4/net-mlx5-dr-fix-uninitialized-var-warning.patch new file mode 100644 index 00000000000..83162c8d850 --- /dev/null +++ b/queue-5.4/net-mlx5-dr-fix-uninitialized-var-warning.patch @@ -0,0 +1,51 @@ +From eb6e5ab117e2c1ccc142239dcc004ea09f5efac7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 21:47:07 +0800 +Subject: net/mlx5: DR, Fix uninitialized var warning + +From: YueHaibing + +[ Upstream commit 52f7cf70eb8fac6111786c59ae9dfc5cf2bee710 ] + +Smatch warns this: + +drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c:81 + mlx5dr_table_set_miss_action() error: uninitialized symbol 'ret'. + +Initializing ret with -EOPNOTSUPP and fix missing action case. + +Fixes: 7838e1725394 ("net/mlx5: DR, Expose steering table functionality") +Signed-off-by: YueHaibing +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +index e178d8d3dbc9..077b4bec1b13 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +@@ -9,7 +9,7 @@ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl, + struct mlx5dr_matcher *last_matcher = NULL; + struct mlx5dr_htbl_connect_info info; + struct mlx5dr_ste_htbl *last_htbl; +- int ret; ++ int ret = -EOPNOTSUPP; + + if (action && action->action_type != DR_ACTION_TYP_FT) + return -EOPNOTSUPP; +@@ -68,6 +68,9 @@ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl, + } + } + ++ if (ret) ++ goto out; ++ + /* Release old action */ + if (tbl->miss_action) + refcount_dec(&tbl->miss_action->refcount); +-- +2.35.1 + diff --git a/queue-5.4/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch b/queue-5.4/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch new file mode 100644 index 00000000000..fb6e59867ec --- /dev/null +++ b/queue-5.4/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch @@ -0,0 +1,39 @@ +From 4f2d91d693feb83fe65cc62ddf8dc9c914548c32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 19:22:04 +0800 +Subject: net/mlx5: Fix uninitialized variable bug in outlen_write() + +From: YueHaibing + +[ Upstream commit 3f5769a074c13d8f08455e40586600419e02a880 ] + +If sscanf() return 0, outlen is uninitialized and used in kzalloc(), +this is unexpected. We should return -EINVAL if the string is invalid. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: YueHaibing +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index e00a8eb7716f..93a6597366f5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1417,8 +1417,8 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf, + return -EFAULT; + + err = sscanf(outlen_str, "%d", &outlen); +- if (err < 0) +- return err; ++ if (err != 1) ++ return -EINVAL; + + ptr = kzalloc(outlen, GFP_KERNEL); + if (!ptr) +-- +2.35.1 + diff --git a/queue-5.4/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch b/queue-5.4/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch new file mode 100644 index 00000000000..9e2dfe42a6a --- /dev/null +++ b/queue-5.4/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch @@ -0,0 +1,40 @@ +From 776ebf9f8ccf0457bcd9f5b64c33ec6cce6adb01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 20:04:29 +0200 +Subject: net/mlx5e: Fix use-after-free when reverting termination table + +From: Roi Dayan + +[ Upstream commit 52c795af04441d76f565c4634f893e5b553df2ae ] + +When having multiple dests with termination tables and second one +or afterwards fails the driver reverts usage of term tables but +doesn't reset the assignment in attr->dests[num_vport_dests].termtbl +which case a use-after-free when releasing the rule. +Fix by resetting the assignment of termtbl to null. + +Fixes: 10caabdaad5a ("net/mlx5e: Use termination table for VLAN push actions") +Signed-off-by: Roi Dayan +Reviewed-by: Maor Dickman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c +index 366bda1bb1c3..c9115c0407ee 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c +@@ -267,6 +267,8 @@ mlx5_eswitch_add_termtbl_rule(struct mlx5_eswitch *esw, + for (curr_dest = 0; curr_dest < num_vport_dests; curr_dest++) { + struct mlx5_termtbl_handle *tt = attr->dests[curr_dest].termtbl; + ++ attr->dests[curr_dest].termtbl = NULL; ++ + /* search for the destination associated with the + * current term table + */ +-- +2.35.1 + diff --git a/queue-5.4/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch b/queue-5.4/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch new file mode 100644 index 00000000000..b7e684094e5 --- /dev/null +++ b/queue-5.4/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch @@ -0,0 +1,48 @@ +From 813f3eae0186baa4e07ba0d23b4d366ef4364758 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 07:09:17 +0000 +Subject: net: net_netdev: Fix error handling in ntb_netdev_init_module() + +From: Yuan Can + +[ Upstream commit b8f79dccd38edf7db4911c353d9cd792ab13a327 ] + +The ntb_netdev_init_module() returns the ntb_transport_register_client() +directly without checking its return value, if +ntb_transport_register_client() failed, the NTB client device is not +unregistered. + +Fix by unregister NTB client device when ntb_transport_register_client() +failed. + +Fixes: 548c237c0a99 ("net: Add support for NTB virtual ethernet device") +Signed-off-by: Yuan Can +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ntb_netdev.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c +index a5bab614ff84..1b7d588ff3c5 100644 +--- a/drivers/net/ntb_netdev.c ++++ b/drivers/net/ntb_netdev.c +@@ -484,7 +484,14 @@ static int __init ntb_netdev_init_module(void) + rc = ntb_transport_register_client_dev(KBUILD_MODNAME); + if (rc) + return rc; +- return ntb_transport_register_client(&ntb_netdev_client); ++ ++ rc = ntb_transport_register_client(&ntb_netdev_client); ++ if (rc) { ++ ntb_transport_unregister_client_dev(KBUILD_MODNAME); ++ return rc; ++ } ++ ++ return 0; + } + module_init(ntb_netdev_init_module); + +-- +2.35.1 + diff --git a/queue-5.4/net-phy-fix-null-ptr-deref-while-probe-failed.patch b/queue-5.4/net-phy-fix-null-ptr-deref-while-probe-failed.patch new file mode 100644 index 00000000000..81dc73a5f9b --- /dev/null +++ b/queue-5.4/net-phy-fix-null-ptr-deref-while-probe-failed.patch @@ -0,0 +1,73 @@ +From c7f72218734023d235df69ba698c3ebe5e0c4f84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 21:28:08 +0800 +Subject: net: phy: fix null-ptr-deref while probe() failed + +From: Yang Yingliang + +[ Upstream commit 369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6 ] + +I got a null-ptr-deref report as following when doing fault injection test: + +BUG: kernel NULL pointer dereference, address: 0000000000000058 +Oops: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+ +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +RIP: 0010:klist_put+0x2d/0xd0 +Call Trace: + + klist_remove+0xf1/0x1c0 + device_release_driver_internal+0x23e/0x2d0 + bus_remove_device+0x1bd/0x240 + device_del+0x357/0x770 + phy_device_remove+0x11/0x30 + mdiobus_unregister+0xa5/0x140 + release_nodes+0x6a/0xa0 + devres_release_all+0xf8/0x150 + device_unbind_cleanup+0x19/0xd0 + +//probe path: +phy_device_register() + device_add() + +phy_connect + phy_attach_direct() //set device driver + probe() //it's failed, driver is not bound + device_bind_driver() // probe failed, it's not called + +//remove path: +phy_device_remove() + device_del() + device_release_driver_internal() + __device_release_driver() //dev->drv is not NULL + klist_remove() <- knode_driver is not added yet, cause null-ptr-deref + +In phy_attach_direct(), after setting the 'dev->driver', probe() fails, +device_bind_driver() is not called, so the knode_driver->n_klist is not +set, then it causes null-ptr-deref in __device_release_driver() while +deleting device. Fix this by setting dev->driver to NULL in the error +path in phy_attach_direct(). + +Fixes: e13934563db0 ("[PATCH] PHY Layer fixup") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 78b918dcd547..388799985720 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1312,6 +1312,7 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev, + + error_module_put: + module_put(d->driver->owner); ++ d->driver = NULL; + error_put_device: + put_device(d); + if (ndev_owner != bus->owner) +-- +2.35.1 + diff --git a/queue-5.4/net-tun-fix-use-after-free-in-tun_detach.patch b/queue-5.4/net-tun-fix-use-after-free-in-tun_detach.patch new file mode 100644 index 00000000000..72dd0a9778f --- /dev/null +++ b/queue-5.4/net-tun-fix-use-after-free-in-tun_detach.patch @@ -0,0 +1,90 @@ +From 59631b151604a798d638fe61988150c1be21b517 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 02:51:34 +0900 +Subject: net: tun: Fix use-after-free in tun_detach() + +From: Shigeru Yoshida + +[ Upstream commit 5daadc86f27ea4d691e2131c04310d0418c6cd12 ] + +syzbot reported use-after-free in tun_detach() [1]. This causes call +trace like below: + +================================================================== +BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 +Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673 + +CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:284 [inline] + print_report+0x15e/0x461 mm/kasan/report.c:395 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 + notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 + call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942 + call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] + call_netdevice_notifiers net/core/dev.c:1997 [inline] + netdev_wait_allrefs_any net/core/dev.c:10237 [inline] + netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351 + tun_detach drivers/net/tun.c:704 [inline] + tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xb3d/0x2a30 kernel/exit.c:820 + do_group_exit+0xd4/0x2a0 kernel/exit.c:950 + get_signal+0x21b1/0x2440 kernel/signal.c:2858 + arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The cause of the issue is that sock_put() from __tun_detach() drops +last reference count for struct net, and then notifier_call_chain() +from netdev_state_change() accesses that struct net. + +This patch fixes the issue by calling sock_put() from tun_detach() +after all necessary accesses for the struct net has done. + +Fixes: 83c1f36f9880 ("tun: send netlink notification when the device is modified") +Reported-by: syzbot+106f9b687cd64ee70cd1@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=96eb7f1ce75ef933697f24eeab928c4a716edefe [1] +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/r/20221124175134.1589053-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index f01db73dab05..957e6051c535 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -742,7 +742,6 @@ static void __tun_detach(struct tun_file *tfile, bool clean) + if (tun) + xdp_rxq_info_unreg(&tfile->xdp_rxq); + ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free); +- sock_put(&tfile->sk); + } + } + +@@ -758,6 +757,9 @@ static void tun_detach(struct tun_file *tfile, bool clean) + if (dev) + netdev_state_change(dev); + rtnl_unlock(); ++ ++ if (clean) ++ sock_put(&tfile->sk); + } + + static void tun_detach_all(struct net_device *dev) +-- +2.35.1 + diff --git a/queue-5.4/of-property-decrement-node-refcount-in-of_fwnode_get.patch b/queue-5.4/of-property-decrement-node-refcount-in-of_fwnode_get.patch new file mode 100644 index 00000000000..6bf045dc0c8 --- /dev/null +++ b/queue-5.4/of-property-decrement-node-refcount-in-of_fwnode_get.patch @@ -0,0 +1,47 @@ +From 1a1fc5ce454bf54a52f04f51be445dac03e181f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 10:32:09 +0800 +Subject: of: property: decrement node refcount in + of_fwnode_get_reference_args() + +From: Yang Yingliang + +[ Upstream commit 60d865bd5a9b15a3961eb1c08bd4155682a3c81e ] + +In of_fwnode_get_reference_args(), the refcount of of_args.np has +been incremented in the case of successful return from +of_parse_phandle_with_args() or of_parse_phandle_with_fixed_args(). + +Decrement the refcount if of_args is not returned to the caller of +of_fwnode_get_reference_args(). + +Fixes: 3e3119d3088f ("device property: Introduce fwnode_property_get_reference_args") +Signed-off-by: Yang Yingliang +Reviewed-by: Sakari Ailus +Reviewed-by: Frank Rowand +Link: https://lore.kernel.org/r/20221121023209.3909759-1-yangyingliang@huawei.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/property.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/of/property.c b/drivers/of/property.c +index d7fa75e31f22..f6010ec0f67b 100644 +--- a/drivers/of/property.c ++++ b/drivers/of/property.c +@@ -918,8 +918,10 @@ of_fwnode_get_reference_args(const struct fwnode_handle *fwnode, + nargs, index, &of_args); + if (ret < 0) + return ret; +- if (!args) ++ if (!args) { ++ of_node_put(of_args.np); + return 0; ++ } + + args->nargs = of_args.args_count; + args->fwnode = of_fwnode_handle(of_args.np); +-- +2.35.1 + diff --git a/queue-5.4/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch b/queue-5.4/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch new file mode 100644 index 00000000000..4a6d0060ba3 --- /dev/null +++ b/queue-5.4/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch @@ -0,0 +1,49 @@ +From ac8b78ebf2535acc5ec47e0a5812dc286c5c94f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 11:18:12 -0500 +Subject: packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE + +From: Willem de Bruijn + +[ Upstream commit b85f628aa158a653c006e9c1405a117baef8c868 ] + +CHECKSUM_COMPLETE signals that skb->csum stores the sum over the +entire packet. It does not imply that an embedded l4 checksum +field has been validated. + +Fixes: 682f048bd494 ("af_packet: pass checksum validation status to the user") +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20221128161812.640098-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 8f5ef2841199..d76edafb4dff 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2222,8 +2222,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + if (skb->ip_summed == CHECKSUM_PARTIAL) + status |= TP_STATUS_CSUMNOTREADY; + else if (skb->pkt_type != PACKET_OUTGOING && +- (skb->ip_summed == CHECKSUM_COMPLETE || +- skb_csum_unnecessary(skb))) ++ skb_csum_unnecessary(skb)) + status |= TP_STATUS_CSUM_VALID; + + if (snaplen > res) +@@ -3451,8 +3450,7 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + if (skb->ip_summed == CHECKSUM_PARTIAL) + aux.tp_status |= TP_STATUS_CSUMNOTREADY; + else if (skb->pkt_type != PACKET_OUTGOING && +- (skb->ip_summed == CHECKSUM_COMPLETE || +- skb_csum_unnecessary(skb))) ++ skb_csum_unnecessary(skb)) + aux.tp_status |= TP_STATUS_CSUM_VALID; + + aux.tp_len = origlen; +-- +2.35.1 + diff --git a/queue-5.4/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch b/queue-5.4/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch new file mode 100644 index 00000000000..3bbbc74be01 --- /dev/null +++ b/queue-5.4/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch @@ -0,0 +1,70 @@ +From 48775fd27e5b3b1ae1383a46443ec7ac822fc98e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 18:06:42 +0800 +Subject: qlcnic: fix sleep-in-atomic-context bugs caused by msleep + +From: Duoming Zhou + +[ Upstream commit 8dbd6e4ce1b9c527921643d9e34f188a10d4e893 ] + +The watchdog timer is used to monitor whether the process +of transmitting data is timeout. If we use qlcnic driver, +the dev_watchdog() that is the timer handler of watchdog +timer will call qlcnic_tx_timeout() to process the timeout. +But the qlcnic_tx_timeout() calls msleep(), as a result, +the sleep-in-atomic-context bugs will happen. The processes +are shown below: + + (atomic context) +dev_watchdog + qlcnic_tx_timeout + qlcnic_83xx_idc_request_reset + qlcnic_83xx_lock_driver + msleep + +--------------------------- + + (atomic context) +dev_watchdog + qlcnic_tx_timeout + qlcnic_83xx_idc_request_reset + qlcnic_83xx_lock_driver + qlcnic_83xx_recover_driver_lock + msleep + +Fix by changing msleep() to mdelay(), the mdelay() is +busy-waiting and the bugs could be mitigated. + +Fixes: 629263acaea3 ("qlcnic: 83xx CNA inter driver communication mechanism") +Signed-off-by: Duoming Zhou +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +index df43d364e6a4..e6538f38b056 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +@@ -2993,7 +2993,7 @@ static void qlcnic_83xx_recover_driver_lock(struct qlcnic_adapter *adapter) + QLCWRX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK, val); + dev_info(&adapter->pdev->dev, + "%s: lock recovery initiated\n", __func__); +- msleep(QLC_83XX_DRV_LOCK_RECOVERY_DELAY); ++ mdelay(QLC_83XX_DRV_LOCK_RECOVERY_DELAY); + val = QLCRDX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK); + id = ((val >> 2) & 0xF); + if (id == adapter->portnum) { +@@ -3029,7 +3029,7 @@ int qlcnic_83xx_lock_driver(struct qlcnic_adapter *adapter) + if (status) + break; + +- msleep(QLC_83XX_DRV_LOCK_WAIT_DELAY); ++ mdelay(QLC_83XX_DRV_LOCK_WAIT_DELAY); + i++; + + if (i == 1) +-- +2.35.1 + diff --git a/queue-5.4/scripts-faddr2line-fix-regression-in-name-resolution.patch b/queue-5.4/scripts-faddr2line-fix-regression-in-name-resolution.patch new file mode 100644 index 00000000000..ca1e69a6274 --- /dev/null +++ b/queue-5.4/scripts-faddr2line-fix-regression-in-name-resolution.patch @@ -0,0 +1,79 @@ +From f7479c324bb1714b05e9ca2db0356304f78d6f8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 13:22:11 +0530 +Subject: scripts/faddr2line: Fix regression in name resolution on ppc64le + +From: Srikar Dronamraju + +[ Upstream commit 2d77de1581bb5b470486edaf17a7d70151131afd ] + +Commit 1d1a0e7c5100 ("scripts/faddr2line: Fix overlapping text section +failures") can cause faddr2line to fail on ppc64le on some +distributions, while it works fine on other distributions. The failure +can be attributed to differences in the readelf output. + + $ ./scripts/faddr2line vmlinux find_busiest_group+0x00 + no match for find_busiest_group+0x00 + +On ppc64le, readelf adds the localentry tag before the symbol name on +some distributions, and adds the localentry tag after the symbol name on +other distributions. This problem has been discussed previously: + + https://lore.kernel.org/bpf/20191211160133.GB4580@calabresa/ + +This problem can be overcome by filtering out the localentry tags in the +readelf output. Similar fixes are already present in the kernel by way +of the following commits: + + 1fd6cee127e2 ("libbpf: Fix VERSIONED_SYM_COUNT number parsing") + aa915931ac3e ("libbpf: Fix readelf output parsing for Fedora") + +[jpoimboe: rework commit log] + +Fixes: 1d1a0e7c5100 ("scripts/faddr2line: Fix overlapping text section failures") +Signed-off-by: Srikar Dronamraju +Acked-by: Naveen N. Rao +Reviewed-by: Thadeu Lima de Souza Cascardo +Link: https://lore.kernel.org/r/20220927075211.897152-1-srikar@linux.vnet.ibm.com +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra +Signed-off-by: Sasha Levin +--- + scripts/faddr2line | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/scripts/faddr2line b/scripts/faddr2line +index 57099687e5e1..9e730b805e87 100755 +--- a/scripts/faddr2line ++++ b/scripts/faddr2line +@@ -73,7 +73,8 @@ command -v ${ADDR2LINE} >/dev/null 2>&1 || die "${ADDR2LINE} isn't installed" + find_dir_prefix() { + local objfile=$1 + +- local start_kernel_addr=$(${READELF} --symbols --wide $objfile | ${AWK} '$8 == "start_kernel" {printf "0x%s", $2}') ++ local start_kernel_addr=$(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ++ ${AWK} '$8 == "start_kernel" {printf "0x%s", $2}') + [[ -z $start_kernel_addr ]] && return + + local file_line=$(${ADDR2LINE} -e $objfile $start_kernel_addr) +@@ -177,7 +178,7 @@ __faddr2line() { + found=2 + break + fi +- done < <(${READELF} --symbols --wide $objfile | ${AWK} -v sec=$sym_sec '$7 == sec' | sort --key=2) ++ done < <(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ${AWK} -v sec=$sym_sec '$7 == sec' | sort --key=2) + + if [[ $found = 0 ]]; then + warn "can't find symbol: sym_name: $sym_name sym_sec: $sym_sec sym_addr: $sym_addr sym_elf_size: $sym_elf_size" +@@ -258,7 +259,7 @@ __faddr2line() { + + DONE=1 + +- done < <(${READELF} --symbols --wide $objfile | ${AWK} -v fn=$sym_name '$4 == "FUNC" && $8 == fn') ++ done < <(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ${AWK} -v fn=$sym_name '$4 == "FUNC" && $8 == fn') + } + + [[ $# -lt 2 ]] && usage +-- +2.35.1 + diff --git a/queue-5.4/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch b/queue-5.4/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch new file mode 100644 index 00000000000..acea06a08f0 --- /dev/null +++ b/queue-5.4/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch @@ -0,0 +1,202 @@ +From 63060af9366b6f7fc808d1a91d22d027f92b0062 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Nov 2022 11:17:20 +0800 +Subject: sctp: fix memory leak in sctp_stream_outq_migrate() + +From: Zhengchao Shao + +[ Upstream commit 9ed7bfc79542119ac0a9e1ce8a2a5285e43433e9 ] + +When sctp_stream_outq_migrate() is called to release stream out resources, +the memory pointed to by prio_head in stream out is not released. + +The memory leak information is as follows: + unreferenced object 0xffff88801fe79f80 (size 64): + comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s) + hex dump (first 32 bytes): + 80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff ................ + 90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff ................ + backtrace: + [] kmalloc_trace+0x26/0x60 + [] sctp_sched_prio_set+0x4cc/0x770 + [] sctp_stream_init_ext+0xd2/0x1b0 + [] sctp_sendmsg_to_asoc+0x1614/0x1a30 + [] sctp_sendmsg+0xda1/0x1ef0 + [] inet_sendmsg+0x9d/0xe0 + [] sock_sendmsg+0xd3/0x120 + [] __sys_sendto+0x23a/0x340 + [] __x64_sys_sendto+0xe1/0x1b0 + [] do_syscall_64+0x39/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Link: https://syzkaller.appspot.com/bug?exrid=29c402e56c4760763cc0 +Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler") +Reported-by: syzbot+29c402e56c4760763cc0@syzkaller.appspotmail.com +Signed-off-by: Zhengchao Shao +Reviewed-by: Xin Long +Link: https://lore.kernel.org/r/20221126031720.378562-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sctp/stream_sched.h | 2 ++ + net/sctp/stream.c | 25 ++++++++++++++++++------- + net/sctp/stream_sched.c | 5 +++++ + net/sctp/stream_sched_prio.c | 19 +++++++++++++++++++ + net/sctp/stream_sched_rr.c | 5 +++++ + 5 files changed, 49 insertions(+), 7 deletions(-) + +diff --git a/include/net/sctp/stream_sched.h b/include/net/sctp/stream_sched.h +index 01a70b27e026..65058faea4db 100644 +--- a/include/net/sctp/stream_sched.h ++++ b/include/net/sctp/stream_sched.h +@@ -26,6 +26,8 @@ struct sctp_sched_ops { + int (*init)(struct sctp_stream *stream); + /* Init a stream */ + int (*init_sid)(struct sctp_stream *stream, __u16 sid, gfp_t gfp); ++ /* free a stream */ ++ void (*free_sid)(struct sctp_stream *stream, __u16 sid); + /* Frees the entire thing */ + void (*free)(struct sctp_stream *stream); + +diff --git a/net/sctp/stream.c b/net/sctp/stream.c +index 56762745d6e4..ca8fdc9abca5 100644 +--- a/net/sctp/stream.c ++++ b/net/sctp/stream.c +@@ -52,6 +52,19 @@ static void sctp_stream_shrink_out(struct sctp_stream *stream, __u16 outcnt) + } + } + ++static void sctp_stream_free_ext(struct sctp_stream *stream, __u16 sid) ++{ ++ struct sctp_sched_ops *sched; ++ ++ if (!SCTP_SO(stream, sid)->ext) ++ return; ++ ++ sched = sctp_sched_ops_from_stream(stream); ++ sched->free_sid(stream, sid); ++ kfree(SCTP_SO(stream, sid)->ext); ++ SCTP_SO(stream, sid)->ext = NULL; ++} ++ + /* Migrates chunks from stream queues to new stream queues if needed, + * but not across associations. Also, removes those chunks to streams + * higher than the new max. +@@ -70,16 +83,14 @@ static void sctp_stream_outq_migrate(struct sctp_stream *stream, + * sctp_stream_update will swap ->out pointers. + */ + for (i = 0; i < outcnt; i++) { +- kfree(SCTP_SO(new, i)->ext); ++ sctp_stream_free_ext(new, i); + SCTP_SO(new, i)->ext = SCTP_SO(stream, i)->ext; + SCTP_SO(stream, i)->ext = NULL; + } + } + +- for (i = outcnt; i < stream->outcnt; i++) { +- kfree(SCTP_SO(stream, i)->ext); +- SCTP_SO(stream, i)->ext = NULL; +- } ++ for (i = outcnt; i < stream->outcnt; i++) ++ sctp_stream_free_ext(stream, i); + } + + static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt, +@@ -174,9 +185,9 @@ void sctp_stream_free(struct sctp_stream *stream) + struct sctp_sched_ops *sched = sctp_sched_ops_from_stream(stream); + int i; + +- sched->free(stream); ++ sched->unsched_all(stream); + for (i = 0; i < stream->outcnt; i++) +- kfree(SCTP_SO(stream, i)->ext); ++ sctp_stream_free_ext(stream, i); + genradix_free(&stream->out); + genradix_free(&stream->in); + } +diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c +index a2e1d34f52c5..33c2630c2496 100644 +--- a/net/sctp/stream_sched.c ++++ b/net/sctp/stream_sched.c +@@ -46,6 +46,10 @@ static int sctp_sched_fcfs_init_sid(struct sctp_stream *stream, __u16 sid, + return 0; + } + ++static void sctp_sched_fcfs_free_sid(struct sctp_stream *stream, __u16 sid) ++{ ++} ++ + static void sctp_sched_fcfs_free(struct sctp_stream *stream) + { + } +@@ -96,6 +100,7 @@ static struct sctp_sched_ops sctp_sched_fcfs = { + .get = sctp_sched_fcfs_get, + .init = sctp_sched_fcfs_init, + .init_sid = sctp_sched_fcfs_init_sid, ++ .free_sid = sctp_sched_fcfs_free_sid, + .free = sctp_sched_fcfs_free, + .enqueue = sctp_sched_fcfs_enqueue, + .dequeue = sctp_sched_fcfs_dequeue, +diff --git a/net/sctp/stream_sched_prio.c b/net/sctp/stream_sched_prio.c +index 80b5a2c4cbc7..4fc9f2923ed1 100644 +--- a/net/sctp/stream_sched_prio.c ++++ b/net/sctp/stream_sched_prio.c +@@ -204,6 +204,24 @@ static int sctp_sched_prio_init_sid(struct sctp_stream *stream, __u16 sid, + return sctp_sched_prio_set(stream, sid, 0, gfp); + } + ++static void sctp_sched_prio_free_sid(struct sctp_stream *stream, __u16 sid) ++{ ++ struct sctp_stream_priorities *prio = SCTP_SO(stream, sid)->ext->prio_head; ++ int i; ++ ++ if (!prio) ++ return; ++ ++ SCTP_SO(stream, sid)->ext->prio_head = NULL; ++ for (i = 0; i < stream->outcnt; i++) { ++ if (SCTP_SO(stream, i)->ext && ++ SCTP_SO(stream, i)->ext->prio_head == prio) ++ return; ++ } ++ ++ kfree(prio); ++} ++ + static void sctp_sched_prio_free(struct sctp_stream *stream) + { + struct sctp_stream_priorities *prio, *n; +@@ -323,6 +341,7 @@ static struct sctp_sched_ops sctp_sched_prio = { + .get = sctp_sched_prio_get, + .init = sctp_sched_prio_init, + .init_sid = sctp_sched_prio_init_sid, ++ .free_sid = sctp_sched_prio_free_sid, + .free = sctp_sched_prio_free, + .enqueue = sctp_sched_prio_enqueue, + .dequeue = sctp_sched_prio_dequeue, +diff --git a/net/sctp/stream_sched_rr.c b/net/sctp/stream_sched_rr.c +index ff425aed62c7..cc444fe0d67c 100644 +--- a/net/sctp/stream_sched_rr.c ++++ b/net/sctp/stream_sched_rr.c +@@ -90,6 +90,10 @@ static int sctp_sched_rr_init_sid(struct sctp_stream *stream, __u16 sid, + return 0; + } + ++static void sctp_sched_rr_free_sid(struct sctp_stream *stream, __u16 sid) ++{ ++} ++ + static void sctp_sched_rr_free(struct sctp_stream *stream) + { + sctp_sched_rr_unsched_all(stream); +@@ -177,6 +181,7 @@ static struct sctp_sched_ops sctp_sched_rr = { + .get = sctp_sched_rr_get, + .init = sctp_sched_rr_init, + .init_sid = sctp_sched_rr_init_sid, ++ .free_sid = sctp_sched_rr_free_sid, + .free = sctp_sched_rr_free, + .enqueue = sctp_sched_rr_enqueue, + .dequeue = sctp_sched_rr_dequeue, +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 69a28c07bce..fa8caeff495 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -85,3 +85,39 @@ drm-amd-dc-dce120-fix-audio-register-mapping-stop-triggering-kasan.patch drm-amdgpu-always-register-an-mmu-notifier-for-userptr.patch drm-i915-fix-tlb-invalidation-for-gen12-video-and-compute-engines.patch fuse-lock-inode-unconditionally-in-fuse_fallocate.patch +btrfs-free-btrfs_path-before-copying-inodes-to-users.patch +spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch +btrfs-move-quota_enabled-check-to-rescan_should_stop.patch +kbuild-fix-wimplicit-function-declaration-in-license.patch +drm-amdgpu-update-drm_display_info-correctly-when-th.patch +drm-amdgpu-partially-revert-drm-amdgpu-update-drm_di.patch +btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch +iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch +iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch +iio-light-rpr0521-add-missing-kconfig-dependencies.patch +scripts-faddr2line-fix-regression-in-name-resolution.patch +hwmon-i5500_temp-fix-missing-pci_disable_device.patch +hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch +of-property-decrement-node-refcount-in-of_fwnode_get.patch +e100-switch-from-pci_-to-dma_-api.patch +e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch +net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch +net-mlx5e-fix-use-after-free-when-reverting-terminat.patch +can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch +can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch +qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch +wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch +net-phy-fix-null-ptr-deref-while-probe-failed.patch +net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch +net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch +net-ethernet-nixge-fix-null-dereference.patch +dsa-lan9303-correct-stat-name.patch +net-hsr-fix-potential-use-after-free.patch +afs-fix-fileserver-probe-rtt-handling.patch +net-tun-fix-use-after-free-in-tun_detach.patch +packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch +sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch +net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch +hwmon-coretemp-check-for-null-before-removing-sysfs-.patch +hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch +net-mlx5-dr-fix-uninitialized-var-warning.patch diff --git a/queue-5.4/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch b/queue-5.4/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch new file mode 100644 index 00000000000..108540f12cc --- /dev/null +++ b/queue-5.4/spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch @@ -0,0 +1,65 @@ +From 2e252d34908acefcfbca844d3c58dd434e58c77b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 19:10:00 +0100 +Subject: spi: spi-imx: Fix spi_bus_clk if requested clock is higher than input + clock + +From: Frieder Schrempf + +[ Upstream commit db2d2dc9a0b58c6faefb6b002fdbed4f0362d1a4 ] + +In case the requested bus clock is higher than the input clock, the correct +dividers (pre = 0, post = 0) are returned from mx51_ecspi_clkdiv(), but +*fres is left uninitialized and therefore contains an arbitrary value. + +This causes trouble for the recently introduced PIO polling feature as the +value in spi_imx->spi_bus_clk is used there to calculate for which +transfers to enable PIO polling. + +Fix this by setting *fres even if no clock dividers are in use. + +This issue was observed on Kontron BL i.MX8MM with an SPI peripheral clock set +to 50 MHz by default and a requested SPI bus clock of 80 MHz for the SPI NOR +flash. + +With the fix applied the debug message from mx51_ecspi_clkdiv() now prints the +following: + +spi_imx 30820000.spi: mx51_ecspi_clkdiv: fin: 50000000, fspi: 50000000, +post: 0, pre: 0 + +Fixes: 6fd8b8503a0d ("spi: spi-imx: Fix out-of-order CS/SCLK operation at low speeds") +Fixes: 07e759387788 ("spi: spi-imx: add PIO polling support") +Cc: Marc Kleine-Budde +Cc: David Jander +Cc: Fabio Estevam +Cc: Mark Brown +Cc: Marek Vasut +Cc: stable@vger.kernel.org +Signed-off-by: Frieder Schrempf +Tested-by: Fabio Estevam +Acked-by: Marek Vasut +Link: https://lore.kernel.org/r/20221115181002.2068270-1-frieder@fris.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 474d5a7fa95e..9d593675257e 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -431,8 +431,7 @@ static unsigned int mx51_ecspi_clkdiv(struct spi_imx_data *spi_imx, + unsigned int pre, post; + unsigned int fin = spi_imx->spi_clk; + +- if (unlikely(fspi > fin)) +- return 0; ++ fspi = min(fspi, fin); + + post = fls(fin) - fls(fspi); + if (fin > fspi << post) +-- +2.35.1 + diff --git a/queue-5.4/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch b/queue-5.4/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch new file mode 100644 index 00000000000..e1e91bd92c8 --- /dev/null +++ b/queue-5.4/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch @@ -0,0 +1,41 @@ +From 91673515c07a8fcf56101812448c47afe0d516e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 12:36:57 +0100 +Subject: wifi: cfg80211: fix buffer overflow in elem comparison +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johannes Berg + +[ Upstream commit 9f16b5c82a025cd4c864737409234ddc44fb166a ] + +For vendor elements, the code here assumes that 5 octets +are present without checking. Since the element itself is +already checked to fit, we only need to check the length. + +Reported-and-tested-by: Sönke Huster +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 630c64520516..c4c124cb5332 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -291,7 +291,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, + * determine if they are the same ie. + */ + if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) { +- if (!memcmp(tmp_old + 2, tmp + 2, 5)) { ++ if (tmp_old[1] >= 5 && tmp[1] >= 5 && ++ !memcmp(tmp_old + 2, tmp + 2, 5)) { + /* same vendor ie, copy from + * subelement + */ +-- +2.35.1 +