From: Greg Kroah-Hartman Date: Sun, 3 Dec 2023 12:59:39 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.14.332~53 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7e236c9695a248355b298e17bfa243aa8554e80c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: dm-verity-align-struct-dm_verity_fec_io-properly.patch firewire-core-fix-possible-memory-leak-in-create_units.patch pinctrl-avoid-reload-of-p-state-in-list-iteration.patch --- diff --git a/queue-4.14/dm-verity-align-struct-dm_verity_fec_io-properly.patch b/queue-4.14/dm-verity-align-struct-dm_verity_fec_io-properly.patch new file mode 100644 index 00000000000..b988839c5e2 --- /dev/null +++ b/queue-4.14/dm-verity-align-struct-dm_verity_fec_io-properly.patch @@ -0,0 +1,52 @@ +From 38bc1ab135db87577695816b190e7d6d8ec75879 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 28 Nov 2023 14:50:23 +0100 +Subject: dm-verity: align struct dm_verity_fec_io properly + +From: Mikulas Patocka + +commit 38bc1ab135db87577695816b190e7d6d8ec75879 upstream. + +dm_verity_fec_io is placed after the end of two hash digests. If the hash +digest has unaligned length, struct dm_verity_fec_io could be unaligned. + +This commit fixes the placement of struct dm_verity_fec_io, so that it's +aligned. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Fixes: a739ff3f543a ("dm verity: add support for forward error correction") +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-fec.c | 3 ++- + drivers/md/dm-verity.h | 6 ------ + 2 files changed, 2 insertions(+), 7 deletions(-) + +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -28,7 +28,8 @@ bool verity_fec_is_enabled(struct dm_ver + */ + static inline struct dm_verity_fec_io *fec_io(struct dm_verity_io *io) + { +- return (struct dm_verity_fec_io *) verity_io_digest_end(io->v, io); ++ return (struct dm_verity_fec_io *) ++ ((char *)io + io->v->ti->per_io_data_size - sizeof(struct dm_verity_fec_io)); + } + + /* +--- a/drivers/md/dm-verity.h ++++ b/drivers/md/dm-verity.h +@@ -113,12 +113,6 @@ static inline u8 *verity_io_want_digest( + return (u8 *)(io + 1) + v->ahash_reqsize + v->digest_size; + } + +-static inline u8 *verity_io_digest_end(struct dm_verity *v, +- struct dm_verity_io *io) +-{ +- return verity_io_want_digest(v, io) + v->digest_size; +-} +- + extern int verity_for_bv_block(struct dm_verity *v, struct dm_verity_io *io, + struct bvec_iter *iter, + int (*process)(struct dm_verity *v, diff --git a/queue-4.14/firewire-core-fix-possible-memory-leak-in-create_units.patch b/queue-4.14/firewire-core-fix-possible-memory-leak-in-create_units.patch new file mode 100644 index 00000000000..2ccbd83230e --- /dev/null +++ b/queue-4.14/firewire-core-fix-possible-memory-leak-in-create_units.patch @@ -0,0 +1,60 @@ +From 891e0eab32a57fca4d36c5162628eb0bcb1f0edf Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Wed, 29 Nov 2023 17:34:08 +0800 +Subject: firewire: core: fix possible memory leak in create_units() + +From: Yang Yingliang + +commit 891e0eab32a57fca4d36c5162628eb0bcb1f0edf upstream. + +If device_register() fails, the refcount of device is not 0, the name +allocated in dev_set_name() is leaked. To fix this by calling put_device(), +so that it will be freed in callback function kobject_cleanup(). + +unreferenced object 0xffff9d99035c7a90 (size 8): + comm "systemd-udevd", pid 168, jiffies 4294672386 (age 152.089s) + hex dump (first 8 bytes): + 66 77 30 2e 30 00 ff ff fw0.0... + backtrace: + [<00000000e1d62bac>] __kmem_cache_alloc_node+0x1e9/0x360 + [<00000000bbeaff31>] __kmalloc_node_track_caller+0x44/0x1a0 + [<00000000491f2fb4>] kvasprintf+0x67/0xd0 + [<000000005b960ddc>] kobject_set_name_vargs+0x1e/0x90 + [<00000000427ac591>] dev_set_name+0x4e/0x70 + [<000000003b4e447d>] create_units+0xc5/0x110 + +fw_unit_release() will be called in the error path, move fw_device_get() +before calling device_register() to keep balanced with fw_device_put() in +fw_unit_release(). + +Cc: stable@vger.kernel.org +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Fixes: a1f64819fe9f ("firewire: struct device - replace bus_id with dev_name(), dev_set_name()") +Signed-off-by: Yang Yingliang +Signed-off-by: Takashi Sakamoto +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firewire/core-device.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/drivers/firewire/core-device.c ++++ b/drivers/firewire/core-device.c +@@ -732,14 +732,11 @@ static void create_units(struct fw_devic + fw_unit_attributes, + &unit->attribute_group); + +- if (device_register(&unit->device) < 0) +- goto skip_unit; +- + fw_device_get(device); +- continue; +- +- skip_unit: +- kfree(unit); ++ if (device_register(&unit->device) < 0) { ++ put_device(&unit->device); ++ continue; ++ } + } + } + diff --git a/queue-4.14/pinctrl-avoid-reload-of-p-state-in-list-iteration.patch b/queue-4.14/pinctrl-avoid-reload-of-p-state-in-list-iteration.patch new file mode 100644 index 00000000000..76508d52dbb --- /dev/null +++ b/queue-4.14/pinctrl-avoid-reload-of-p-state-in-list-iteration.patch @@ -0,0 +1,54 @@ +From 4198a9b571065978632276264e01d71d68000ac5 Mon Sep 17 00:00:00 2001 +From: Maria Yu +Date: Wed, 15 Nov 2023 18:28:24 +0800 +Subject: pinctrl: avoid reload of p state in list iteration + +From: Maria Yu + +commit 4198a9b571065978632276264e01d71d68000ac5 upstream. + +When in the list_for_each_entry iteration, reload of p->state->settings +with a local setting from old_state will turn the list iteration into an +infinite loop. + +The typical symptom when the issue happens, will be a printk message like: + + "not freeing pin xx (xxx) as part of deactivating group xxx - it is +already used for some other setting". + +This is a compiler-dependent problem, one instance occurred using Clang +version 10.0 on the arm64 architecture with linux version 4.19. + +Fixes: 6e5e959dde0d ("pinctrl: API changes to support multiple states per device") +Signed-off-by: Maria Yu +Cc: +Link: https://lore.kernel.org/r/20231115102824.23727-1-quic_aiquny@quicinc.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/pinctrl/core.c ++++ b/drivers/pinctrl/core.c +@@ -1196,17 +1196,17 @@ EXPORT_SYMBOL_GPL(pinctrl_lookup_state); + static int pinctrl_commit_state(struct pinctrl *p, struct pinctrl_state *state) + { + struct pinctrl_setting *setting, *setting2; +- struct pinctrl_state *old_state = p->state; ++ struct pinctrl_state *old_state = READ_ONCE(p->state); + int ret; + +- if (p->state) { ++ if (old_state) { + /* + * For each pinmux setting in the old state, forget SW's record + * of mux owner for that pingroup. Any pingroups which are + * still owned by the new state will be re-acquired by the call + * to pinmux_enable_setting() in the loop below. + */ +- list_for_each_entry(setting, &p->state->settings, node) { ++ list_for_each_entry(setting, &old_state->settings, node) { + if (setting->type != PIN_MAP_TYPE_MUX_GROUP) + continue; + pinmux_disable_setting(setting); diff --git a/queue-4.14/series b/queue-4.14/series index 3c5c2317c1f..963c5b758cc 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -17,3 +17,6 @@ usb-serial-option-add-fibocom-l7xx-modules.patch usb-serial-option-fix-fm101r-gl-defines.patch usb-serial-option-don-t-claim-interface-4-for-zte-mf290.patch usb-dwc3-set-the-dma-max_seg_size.patch +pinctrl-avoid-reload-of-p-state-in-list-iteration.patch +firewire-core-fix-possible-memory-leak-in-create_units.patch +dm-verity-align-struct-dm_verity_fec_io-properly.patch