From: Greg Kroah-Hartman Date: Wed, 28 Dec 2022 09:18:42 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.15.86~40 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=94adfb8409179bf852b4811dc34c05f9de77aba1;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: 9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch iio-adc128s052-add-proper-.data-members-in-adc128_of_match-table.patch regulator-core-fix-deadlock-on-regulator-enable.patch reiserfs-add-missing-calls-to-reiserfs_security_free.patch --- diff --git a/queue-5.4/9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch b/queue-5.4/9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch new file mode 100644 index 00000000000..44e40f53508 --- /dev/null +++ b/queue-5.4/9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch @@ -0,0 +1,96 @@ +From 26273ade77f54716e30dfd40ac6e85ceb54ac0f9 Mon Sep 17 00:00:00 2001 +From: Schspa Shi +Date: Thu, 1 Dec 2022 11:33:10 +0800 +Subject: 9p: set req refcount to zero to avoid uninitialized usage + +From: Schspa Shi + +commit 26273ade77f54716e30dfd40ac6e85ceb54ac0f9 upstream. + +When a new request is allocated, the refcount will be zero if it is +reused, but if the request is newly allocated from slab, it is not fully +initialized before being added to idr. + +If the p9_read_work got a response before the refcount initiated. It will +use a uninitialized req, which will result in a bad request data struct. + +Here is the logs from syzbot. + +Corrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00 +0x00 0x00 . . . . . . . . ] (in kfence-#110): + p9_fcall_fini net/9p/client.c:248 [inline] + p9_req_put net/9p/client.c:396 [inline] + p9_req_put+0x208/0x250 net/9p/client.c:390 + p9_client_walk+0x247/0x540 net/9p/client.c:1165 + clone_fid fs/9p/fid.h:21 [inline] + v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118 + v9fs_xattr_set fs/9p/xattr.c:100 [inline] + v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159 + __vfs_setxattr+0x119/0x180 fs/xattr.c:182 + __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216 + __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277 + vfs_setxattr+0x143/0x340 fs/xattr.c:309 + setxattr+0x146/0x160 fs/xattr.c:617 + path_setxattr+0x197/0x1c0 fs/xattr.c:636 + __do_sys_setxattr fs/xattr.c:652 [inline] + __se_sys_setxattr fs/xattr.c:648 [inline] + __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648 + do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] + __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 + do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 + entry_SYSENTER_compat_after_hwframe+0x70/0x82 + +Below is a similar scenario, the scenario in the syzbot log looks more +complicated than this one, but this patch can fix it. + + T21124 p9_read_work +======================== second trans ================================= +p9_client_walk + p9_client_rpc + p9_client_prepare_req + p9_tag_alloc + req = kmem_cache_alloc(p9_req_cache, GFP_NOFS); + tag = idr_alloc + << preempted >> + req->tc.tag = tag; + /* req->[refcount/tag] == uninitialized */ + m->rreq = p9_tag_lookup(m->client, m->rc.tag); + /* increments uninitalized refcount */ + + refcount_set(&req->refcount, 2); + /* cb drops one ref */ + p9_client_cb(req) + /* reader thread drops its ref: + request is incorrectly freed */ + p9_req_put(req) + /* use after free and ref underflow */ + p9_req_put(req) + +To fix it, we can initialize the refcount to zero before add to idr. + +Link: https://lkml.kernel.org/r/20221201033310.18589-1-schspa@gmail.com +Cc: stable@vger.kernel.org # 6.0+ due to 6cda12864cb0 ("9p: Drop kref usage") +Fixes: 728356dedeff ("9p: Add refcount to p9_req_t") +Reported-by: syzbot+8f1060e2aaf8ca55220b@syzkaller.appspotmail.com +Signed-off-by: Schspa Shi +Reviewed-by: Christian Schoenebeck +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman +--- + net/9p/client.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -283,6 +283,11 @@ p9_tag_alloc(struct p9_client *c, int8_t + p9pdu_reset(&req->rc); + req->t_err = 0; + req->status = REQ_STATUS_ALLOC; ++ /* refcount needs to be set to 0 before inserting into the idr ++ * so p9_tag_lookup does not accept a request that is not fully ++ * initialized. refcount_set to 2 below will mark request ready. ++ */ ++ refcount_set(&req->refcount, 0); + init_waitqueue_head(&req->wq); + INIT_LIST_HEAD(&req->req_list); + diff --git a/queue-5.4/hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch b/queue-5.4/hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch new file mode 100644 index 00000000000..921a9e1b30e --- /dev/null +++ b/queue-5.4/hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch @@ -0,0 +1,89 @@ +From 1db1f392591aff13fd643f0ec7c1d5e27391d700 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Thu, 1 Dec 2022 15:11:41 -0800 +Subject: HID: wacom: Ensure bootloader PID is usable in hidraw mode + +From: Jason Gerecke + +commit 1db1f392591aff13fd643f0ec7c1d5e27391d700 upstream. + +Some Wacom devices have a special "bootloader" mode that is used for +firmware flashing. When operating in this mode, the device cannot be +used for input, and the HID descriptor is not able to be processed by +the driver. The driver generates an "Unknown device_type" warning and +then returns an error code from wacom_probe(). This is a problem because +userspace still needs to be able to interact with the device via hidraw +to perform the firmware flash. + +This commit adds a non-generic device definition for 056a:0094 which +is used when devices are in "bootloader" mode. It marks the devices +with a special BOOTLOADER type that is recognized by wacom_probe() and +wacom_raw_event(). When we see this type we ensure a hidraw device is +created and otherwise keep our hands off so that userspace is in full +control. + +Signed-off-by: Jason Gerecke +Tested-by: Tatsunosuke Tobita +Cc: +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_sys.c | 8 ++++++++ + drivers/hid/wacom_wac.c | 4 ++++ + drivers/hid/wacom_wac.h | 1 + + 3 files changed, 13 insertions(+) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -160,6 +160,9 @@ static int wacom_raw_event(struct hid_de + { + struct wacom *wacom = hid_get_drvdata(hdev); + ++ if (wacom->wacom_wac.features.type == BOOTLOADER) ++ return 0; ++ + if (size > WACOM_PKGLEN_MAX) + return 1; + +@@ -2786,6 +2789,11 @@ static int wacom_probe(struct hid_device + return error; + } + ++ if (features->type == BOOTLOADER) { ++ hid_warn(hdev, "Using device in hidraw-only mode"); ++ return hid_hw_start(hdev, HID_CONNECT_HIDRAW); ++ } ++ + error = wacom_parse_and_register(wacom, false); + if (error) + return error; +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -4782,6 +4782,9 @@ static const struct wacom_features wacom + static const struct wacom_features wacom_features_HID_ANY_ID = + { "Wacom HID", .type = HID_GENERIC, .oVid = HID_ANY_ID, .oPid = HID_ANY_ID }; + ++static const struct wacom_features wacom_features_0x94 = ++ { "Wacom Bootloader", .type = BOOTLOADER }; ++ + #define USB_DEVICE_WACOM(prod) \ + HID_DEVICE(BUS_USB, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\ + .driver_data = (kernel_ulong_t)&wacom_features_##prod +@@ -4855,6 +4858,7 @@ const struct hid_device_id wacom_ids[] = + { USB_DEVICE_WACOM(0x84) }, + { USB_DEVICE_WACOM(0x90) }, + { USB_DEVICE_WACOM(0x93) }, ++ { USB_DEVICE_WACOM(0x94) }, + { USB_DEVICE_WACOM(0x97) }, + { USB_DEVICE_WACOM(0x9A) }, + { USB_DEVICE_WACOM(0x9F) }, +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -242,6 +242,7 @@ enum { + MTTPC, + MTTPC_B, + HID_GENERIC, ++ BOOTLOADER, + MAX_TYPE + }; + diff --git a/queue-5.4/iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch b/queue-5.4/iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch new file mode 100644 index 00000000000..c280f81c777 --- /dev/null +++ b/queue-5.4/iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch @@ -0,0 +1,54 @@ +From 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Tue, 20 Sep 2022 13:28:07 +0200 +Subject: iio: adc: ad_sigma_delta: do not use internal iio_dev lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 upstream. + +Drop 'mlock' usage by making use of iio_device_claim_direct_mode(). +This change actually makes sure we cannot do a single conversion while +buffering is enable. Note there was a potential race in the previous +code since we were only acquiring the lock after checking if the bus is +enabled. + +Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices") +Signed-off-by: Nuno Sá +Reviewed-by: Miquel Raynal +Cc: #No rush as race is very old. +Link: https://lore.kernel.org/r/20220920112821.975359-2-nuno.sa@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad_sigma_delta.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -283,10 +283,10 @@ int ad_sigma_delta_single_conversion(str + unsigned int data_reg; + int ret = 0; + +- if (iio_buffer_enabled(indio_dev)) +- return -EBUSY; ++ ret = iio_device_claim_direct_mode(indio_dev); ++ if (ret) ++ return ret; + +- mutex_lock(&indio_dev->mlock); + ad_sigma_delta_set_channel(sigma_delta, chan->address); + + spi_bus_lock(sigma_delta->spi->master); +@@ -325,7 +325,7 @@ out: + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + sigma_delta->bus_locked = false; + spi_bus_unlock(sigma_delta->spi->master); +- mutex_unlock(&indio_dev->mlock); ++ iio_device_release_direct_mode(indio_dev); + + if (ret) + return ret; diff --git a/queue-5.4/iio-adc128s052-add-proper-.data-members-in-adc128_of_match-table.patch b/queue-5.4/iio-adc128s052-add-proper-.data-members-in-adc128_of_match-table.patch new file mode 100644 index 00000000000..71af4510a2b --- /dev/null +++ b/queue-5.4/iio-adc128s052-add-proper-.data-members-in-adc128_of_match-table.patch @@ -0,0 +1,53 @@ +From e2af60f5900c6ade53477b494ffb54690eee11f5 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Tue, 15 Nov 2022 14:23:23 +0100 +Subject: iio: adc128s052: add proper .data members in adc128_of_match table + +From: Rasmus Villemoes + +commit e2af60f5900c6ade53477b494ffb54690eee11f5 upstream. + +Prior to commit bd5d54e4d49d ("iio: adc128s052: add ACPI _HID +AANT1280"), the driver unconditionally used spi_get_device_id() to get +the index into the adc128_config array. + +However, with that commit, OF-based boards now incorrectly treat all +supported sensors as if they are an adc128s052, because all the .data +members of the adc128_of_match table are implicitly 0. Our board, +which has an adc122s021, thus exposes 8 channels whereas it really +only has two. + +Fixes: bd5d54e4d49d ("iio: adc128s052: add ACPI _HID AANT1280") +Signed-off-by: Rasmus Villemoes +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221115132324.1078169-1-linux@rasmusvillemoes.dk +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ti-adc128s052.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/iio/adc/ti-adc128s052.c ++++ b/drivers/iio/adc/ti-adc128s052.c +@@ -194,13 +194,13 @@ static int adc128_remove(struct spi_devi + } + + static const struct of_device_id adc128_of_match[] = { +- { .compatible = "ti,adc128s052", }, +- { .compatible = "ti,adc122s021", }, +- { .compatible = "ti,adc122s051", }, +- { .compatible = "ti,adc122s101", }, +- { .compatible = "ti,adc124s021", }, +- { .compatible = "ti,adc124s051", }, +- { .compatible = "ti,adc124s101", }, ++ { .compatible = "ti,adc128s052", .data = (void*)0L, }, ++ { .compatible = "ti,adc122s021", .data = (void*)1L, }, ++ { .compatible = "ti,adc122s051", .data = (void*)1L, }, ++ { .compatible = "ti,adc122s101", .data = (void*)1L, }, ++ { .compatible = "ti,adc124s021", .data = (void*)2L, }, ++ { .compatible = "ti,adc124s051", .data = (void*)2L, }, ++ { .compatible = "ti,adc124s101", .data = (void*)2L, }, + { /* sentinel */ }, + }; + MODULE_DEVICE_TABLE(of, adc128_of_match); diff --git a/queue-5.4/regulator-core-fix-deadlock-on-regulator-enable.patch b/queue-5.4/regulator-core-fix-deadlock-on-regulator-enable.patch new file mode 100644 index 00000000000..1880d14d530 --- /dev/null +++ b/queue-5.4/regulator-core-fix-deadlock-on-regulator-enable.patch @@ -0,0 +1,65 @@ +From cb3543cff90a4448ed560ac86c98033ad5fecda9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 15 Dec 2022 11:46:46 +0100 +Subject: regulator: core: fix deadlock on regulator enable + +From: Johan Hovold + +commit cb3543cff90a4448ed560ac86c98033ad5fecda9 upstream. + +When updating the operating mode as part of regulator enable, the caller +has already locked the regulator tree and drms_uA_update() must not try +to do the same in order not to trigger a deadlock. + +The lock inversion is reported by lockdep as: + + ====================================================== + WARNING: possible circular locking dependency detected + 6.1.0-next-20221215 #142 Not tainted + ------------------------------------------------------ + udevd/154 is trying to acquire lock: + ffffc11f123d7e50 (regulator_list_mutex){+.+.}-{3:3}, at: regulator_lock_dependent+0x54/0x280 + + but task is already holding lock: + ffff80000e4c36e8 (regulator_ww_class_acquire){+.+.}-{0:0}, at: regulator_enable+0x34/0x80 + + which lock already depends on the new lock. + + ... + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(regulator_ww_class_acquire); + lock(regulator_list_mutex); + lock(regulator_ww_class_acquire); + lock(regulator_list_mutex); + + *** DEADLOCK *** + +just before probe of a Qualcomm UFS controller (occasionally) deadlocks +when enabling one of its regulators. + +Fixes: 9243a195be7a ("regulator: core: Change voltage setting path") +Fixes: f8702f9e4aa7 ("regulator: core: Use ww_mutex for regulators locking") +Cc: stable@vger.kernel.org # 5.0 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20221215104646.19818-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -956,7 +956,7 @@ static int drms_uA_update(struct regulat + /* get input voltage */ + input_uV = 0; + if (rdev->supply) +- input_uV = regulator_get_voltage(rdev->supply); ++ input_uV = regulator_get_voltage_rdev(rdev->supply->rdev); + if (input_uV <= 0) + input_uV = rdev->constraints->input_uV; + if (input_uV <= 0) { diff --git a/queue-5.4/reiserfs-add-missing-calls-to-reiserfs_security_free.patch b/queue-5.4/reiserfs-add-missing-calls-to-reiserfs_security_free.patch new file mode 100644 index 00000000000..aa48b3d4baa --- /dev/null +++ b/queue-5.4/reiserfs-add-missing-calls-to-reiserfs_security_free.patch @@ -0,0 +1,89 @@ +From 572302af1258459e124437b8f3369357447afac7 Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Thu, 10 Nov 2022 10:46:35 +0100 +Subject: reiserfs: Add missing calls to reiserfs_security_free() + +From: Roberto Sassu + +commit 572302af1258459e124437b8f3369357447afac7 upstream. + +Commit 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes +during inode creation") defined reiserfs_security_free() to free the name +and value of a security xattr allocated by the active LSM through +security_old_inode_init_security(). However, this function is not called +in the reiserfs code. + +Thus, add a call to reiserfs_security_free() whenever +reiserfs_security_init() is called, and initialize value to NULL, to avoid +to call kfree() on an uninitialized pointer. + +Finally, remove the kfree() for the xattr name, as it is not allocated +anymore. + +Fixes: 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes during inode creation") +Cc: stable@vger.kernel.org +Cc: Jeff Mahoney +Cc: Tetsuo Handa +Reported-by: Mimi Zohar +Reported-by: Tetsuo Handa +Signed-off-by: Roberto Sassu +Reviewed-by: Mimi Zohar +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + fs/reiserfs/namei.c | 4 ++++ + fs/reiserfs/xattr_security.c | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/reiserfs/namei.c ++++ b/fs/reiserfs/namei.c +@@ -695,6 +695,7 @@ static int reiserfs_create(struct inode + + out_failed: + reiserfs_write_unlock(dir->i_sb); ++ reiserfs_security_free(&security); + return retval; + } + +@@ -778,6 +779,7 @@ static int reiserfs_mknod(struct inode * + + out_failed: + reiserfs_write_unlock(dir->i_sb); ++ reiserfs_security_free(&security); + return retval; + } + +@@ -876,6 +878,7 @@ static int reiserfs_mkdir(struct inode * + retval = journal_end(&th); + out_failed: + reiserfs_write_unlock(dir->i_sb); ++ reiserfs_security_free(&security); + return retval; + } + +@@ -1191,6 +1194,7 @@ static int reiserfs_symlink(struct inode + retval = journal_end(&th); + out_failed: + reiserfs_write_unlock(parent_dir->i_sb); ++ reiserfs_security_free(&security); + return retval; + } + +--- a/fs/reiserfs/xattr_security.c ++++ b/fs/reiserfs/xattr_security.c +@@ -49,6 +49,7 @@ int reiserfs_security_init(struct inode + int error; + + sec->name = NULL; ++ sec->value = NULL; + + /* Don't add selinux attributes on xattrs - they'll never get used */ + if (IS_PRIVATE(dir)) +@@ -94,7 +95,6 @@ int reiserfs_security_write(struct reise + + void reiserfs_security_free(struct reiserfs_security_handle *sec) + { +- kfree(sec->name); + kfree(sec->value); + sec->name = NULL; + sec->value = NULL; diff --git a/queue-5.4/series b/queue-5.4/series index ed2d1fcdba9..4363b84d448 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -445,3 +445,9 @@ pstore-make-sure-config_pstore_pmsg-selects-config_r.patch alsa-hda-realtek-add-quirk-for-lenovo-tianyi510pro-14iob.patch alsa-hda-hdmi-add-hp-device-0x8711-to-force-connect-list.patch usb-dwc3-core-defer-probe-on-ulpi_read_id-timeout.patch +hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch +9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch +reiserfs-add-missing-calls-to-reiserfs_security_free.patch +iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch +iio-adc128s052-add-proper-.data-members-in-adc128_of_match-table.patch +regulator-core-fix-deadlock-on-regulator-enable.patch