From: Sasha Levin Date: Fri, 8 Sep 2023 21:36:59 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v6.1.53~107 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=baa904ce323cb0dcf637afa7b1a9203dd59c8da2;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/alsa-ac97-fix-possible-error-value-of-rac97.patch b/queue-4.14/alsa-ac97-fix-possible-error-value-of-rac97.patch new file mode 100644 index 00000000000..92addd4b016 --- /dev/null +++ b/queue-4.14/alsa-ac97-fix-possible-error-value-of-rac97.patch @@ -0,0 +1,52 @@ +From f4a89d58b624d2c42cebe57dfb5a74ccf8205169 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 10:52:13 +0800 +Subject: ALSA: ac97: Fix possible error value of *rac97 + +From: Su Hui + +[ Upstream commit 67de40c9df94037769967ba28c7d951afb45b7fb ] + +Before committing 79597c8bf64c, *rac97 always be NULL if there is +an error. When error happens, make sure *rac97 is NULL is safer. + +For examble, in snd_vortex_mixer(): + err = snd_ac97_mixer(pbus, &ac97, &vortex->codec); + vortex->isquad = ((vortex->codec == NULL) ? + 0 : (vortex->codec->ext_id&0x80)); +If error happened but vortex->codec isn't NULL, this may cause some +problems. + +Move the judgement order to be clearer and better. + +Fixes: 79597c8bf64c ("ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer") +Suggested-by: Christophe JAILLET +Acked-by: Christophe JAILLET +Signed-off-by: Su Hui +Link: https://lore.kernel.org/r/20230823025212.1000961-1-suhui@nfschina.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/ac97/ac97_codec.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c +index e37eab3ddc734..5095048d5cea6 100644 +--- a/sound/pci/ac97/ac97_codec.c ++++ b/sound/pci/ac97/ac97_codec.c +@@ -2026,10 +2026,9 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template, + .dev_disconnect = snd_ac97_dev_disconnect, + }; + +- if (!rac97) +- return -EINVAL; +- if (snd_BUG_ON(!bus || !template)) ++ if (snd_BUG_ON(!bus || !template || !rac97)) + return -EINVAL; ++ *rac97 = NULL; + if (snd_BUG_ON(template->num >= 4)) + return -EINVAL; + if (bus->codec[template->num]) +-- +2.40.1 + diff --git a/queue-4.14/amba-bus-fix-refcount-leak.patch b/queue-4.14/amba-bus-fix-refcount-leak.patch new file mode 100644 index 00000000000..e6a2fb7904c --- /dev/null +++ b/queue-4.14/amba-bus-fix-refcount-leak.patch @@ -0,0 +1,39 @@ +From 70ba4b203f6d1403d10200a42aeb9474d9d6b5f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Aug 2023 10:39:27 +0800 +Subject: amba: bus: fix refcount leak + +From: Peng Fan + +[ Upstream commit e312cbdc11305568554a9e18a2ea5c2492c183f3 ] + +commit 5de1540b7bc4 ("drivers/amba: create devices from device tree") +increases the refcount of of_node, but not releases it in +amba_device_release, so there is refcount leak. By using of_node_put +to avoid refcount leak. + +Fixes: 5de1540b7bc4 ("drivers/amba: create devices from device tree") +Signed-off-by: Peng Fan +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230821023928.3324283-1-peng.fan@oss.nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/amba/bus.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c +index 8ea401fc89968..e07d6a4d3f03a 100644 +--- a/drivers/amba/bus.c ++++ b/drivers/amba/bus.c +@@ -344,6 +344,7 @@ static void amba_device_release(struct device *dev) + { + struct amba_device *d = to_amba_device(dev); + ++ of_node_put(d->dev.of_node); + if (d->res.parent) + release_resource(&d->res); + kfree(d); +-- +2.40.1 + diff --git a/queue-4.14/arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch b/queue-4.14/arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch new file mode 100644 index 00000000000..e678cdb4d5a --- /dev/null +++ b/queue-4.14/arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch @@ -0,0 +1,47 @@ +From 558be7e1a28698f0284ccc1ebbc93afb1248f81e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 13:40:03 +0200 +Subject: ARM: dts: BCM53573: Add cells sizes to PCIe node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit 3392ef368d9b04622fe758b1079b512664b6110a ] + +This fixes: +arch/arm/boot/dts/broadcom/bcm47189-luxul-xap-1440.dtb: pcie@2000: '#address-cells' is a required property + From schema: /lib/python3.10/site-packages/dtschema/schemas/pci/pci-bus.yaml +arch/arm/boot/dts/broadcom/bcm47189-luxul-xap-1440.dtb: pcie@2000: '#size-cells' is a required property + From schema: /lib/python3.10/site-packages/dtschema/schemas/pci/pci-bus.yaml + +Two properties that need to be added later are "device_type" and +"ranges". Adding "device_type" on its own causes a new warning and the +value of "ranges" needs to be determined yet. + +Signed-off-by: Rafał Miłecki +Link: https://lore.kernel.org/r/20230707114004.2740-3-zajec5@gmail.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm53573.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/boot/dts/bcm53573.dtsi b/arch/arm/boot/dts/bcm53573.dtsi +index c698a565b8ae9..99cc83b911c1a 100644 +--- a/arch/arm/boot/dts/bcm53573.dtsi ++++ b/arch/arm/boot/dts/bcm53573.dtsi +@@ -119,6 +119,9 @@ uart0: serial@0300 { + + pcie0: pcie@2000 { + reg = <0x00002000 0x1000>; ++ ++ #address-cells = <3>; ++ #size-cells = <2>; + }; + + usb2: usb2@4000 { +-- +2.40.1 + diff --git a/queue-4.14/arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch b/queue-4.14/arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch new file mode 100644 index 00000000000..b72b3678563 --- /dev/null +++ b/queue-4.14/arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch @@ -0,0 +1,54 @@ +From 71f59fe710054f186fa145ba6134a95400585601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 13:40:04 +0200 +Subject: ARM: dts: BCM53573: Use updated "spi-gpio" binding properties +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit 2c0fd6b3d0778ceab40205315ccef74568490f17 ] + +Switch away from deprecated properties. + +This fixes: +arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: gpio-sck: False schema does not allow [[3, 21, 0]] + From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml +arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: gpio-miso: False schema does not allow [[3, 22, 0]] + From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml +arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: gpio-mosi: False schema does not allow [[3, 23, 0]] + From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml +arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: 'sck-gpios' is a required property + From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml +arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: Unevaluated properties are not allowed ('gpio-miso', 'gpio-mosi', 'gpio-sck' were unexpected) + From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml + +Signed-off-by: Rafał Miłecki +Link: https://lore.kernel.org/r/20230707114004.2740-4-zajec5@gmail.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm947189acdbmr.dts | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/bcm947189acdbmr.dts b/arch/arm/boot/dts/bcm947189acdbmr.dts +index ef263412fea51..02c916bedd281 100644 +--- a/arch/arm/boot/dts/bcm947189acdbmr.dts ++++ b/arch/arm/boot/dts/bcm947189acdbmr.dts +@@ -61,9 +61,9 @@ wps { + spi { + compatible = "spi-gpio"; + num-chipselects = <1>; +- gpio-sck = <&chipcommon 21 0>; +- gpio-miso = <&chipcommon 22 0>; +- gpio-mosi = <&chipcommon 23 0>; ++ sck-gpios = <&chipcommon 21 0>; ++ miso-gpios = <&chipcommon 22 0>; ++ mosi-gpios = <&chipcommon 23 0>; + cs-gpios = <&chipcommon 24 0>; + #address-cells = <1>; + #size-cells = <0>; +-- +2.40.1 + diff --git a/queue-4.14/arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch b/queue-4.14/arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch new file mode 100644 index 00000000000..d977e5dffcb --- /dev/null +++ b/queue-4.14/arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch @@ -0,0 +1,37 @@ +From e5d800f56ccd80b4ea1098378363d89cc34e5491 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 17:29:25 +0200 +Subject: ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses + (split) + +From: Krzysztof Kozlowski + +[ Upstream commit cf0cb2af6a18f28b84f9f1416bff50ca60d6e98a ] + +The davicom,dm9000 Ethernet Controller accepts two reg addresses. + +Fixes: a43736deb47d ("ARM: dts: Add dts file for S3C6410-based Mini6410 board") +Reviewed-by: Alim Akhtar +Link: https://lore.kernel.org/r/20230713152926.82884-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s3c6410-mini6410.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/s3c6410-mini6410.dts b/arch/arm/boot/dts/s3c6410-mini6410.dts +index de04d8764b0f9..98de4ea8b8bca 100644 +--- a/arch/arm/boot/dts/s3c6410-mini6410.dts ++++ b/arch/arm/boot/dts/s3c6410-mini6410.dts +@@ -61,7 +61,7 @@ srom-cs1@18000000 { + + ethernet@18000000 { + compatible = "davicom,dm9000"; +- reg = <0x18000000 0x2 0x18000004 0x2>; ++ reg = <0x18000000 0x2>, <0x18000004 0x2>; + interrupt-parent = <&gpn>; + interrupts = <7 IRQ_TYPE_LEVEL_HIGH>; + davicom,no-eeprom; +-- +2.40.1 + diff --git a/queue-4.14/arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch b/queue-4.14/arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch new file mode 100644 index 00000000000..e758bc44f21 --- /dev/null +++ b/queue-4.14/arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch @@ -0,0 +1,37 @@ +From bf3cbb53ac466bd1f9a2e556c8436897dfdbae86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 17:29:26 +0200 +Subject: ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses + (split) + +From: Krzysztof Kozlowski + +[ Upstream commit 982655cb0e7f18934d7532c32366e574ad61dbd7 ] + +The davicom,dm9000 Ethernet Controller accepts two reg addresses. + +Fixes: b672b27d232e ("ARM: dts: Add Device tree for s5pc110/s5pv210 boards") +Reviewed-by: Alim Akhtar +Link: https://lore.kernel.org/r/20230713152926.82884-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210-smdkv210.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/s5pv210-smdkv210.dts b/arch/arm/boot/dts/s5pv210-smdkv210.dts +index 75398318ed57c..4e17023684c91 100644 +--- a/arch/arm/boot/dts/s5pv210-smdkv210.dts ++++ b/arch/arm/boot/dts/s5pv210-smdkv210.dts +@@ -36,7 +36,7 @@ memory@20000000 { + + ethernet@18000000 { + compatible = "davicom,dm9000"; +- reg = <0xA8000000 0x2 0xA8000002 0x2>; ++ reg = <0xa8000000 0x2>, <0xa8000002 0x2>; + interrupt-parent = <&gph1>; + interrupts = <1 4>; + local-mac-address = [00 00 de ad be ef]; +-- +2.40.1 + diff --git a/queue-4.14/audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch b/queue-4.14/audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch new file mode 100644 index 00000000000..e75ff87a495 --- /dev/null +++ b/queue-4.14/audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch @@ -0,0 +1,80 @@ +From df818d20fcbac892d653910e5e93d309fb427ff4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 20:14:35 +0800 +Subject: audit: fix possible soft lockup in __audit_inode_child() + +From: Gaosheng Cui + +[ Upstream commit b59bc6e37237e37eadf50cd5de369e913f524463 ] + +Tracefs or debugfs maybe cause hundreds to thousands of PATH records, +too many PATH records maybe cause soft lockup. + +For example: + 1. CONFIG_KASAN=y && CONFIG_PREEMPTION=n + 2. auditctl -a exit,always -S open -k key + 3. sysctl -w kernel.watchdog_thresh=5 + 4. mkdir /sys/kernel/debug/tracing/instances/test + +There may be a soft lockup as follows: + watchdog: BUG: soft lockup - CPU#45 stuck for 7s! [mkdir:15498] + Kernel panic - not syncing: softlockup: hung tasks + Call trace: + dump_backtrace+0x0/0x30c + show_stack+0x20/0x30 + dump_stack+0x11c/0x174 + panic+0x27c/0x494 + watchdog_timer_fn+0x2bc/0x390 + __run_hrtimer+0x148/0x4fc + __hrtimer_run_queues+0x154/0x210 + hrtimer_interrupt+0x2c4/0x760 + arch_timer_handler_phys+0x48/0x60 + handle_percpu_devid_irq+0xe0/0x340 + __handle_domain_irq+0xbc/0x130 + gic_handle_irq+0x78/0x460 + el1_irq+0xb8/0x140 + __audit_inode_child+0x240/0x7bc + tracefs_create_file+0x1b8/0x2a0 + trace_create_file+0x18/0x50 + event_create_dir+0x204/0x30c + __trace_add_new_event+0xac/0x100 + event_trace_add_tracer+0xa0/0x130 + trace_array_create_dir+0x60/0x140 + trace_array_create+0x1e0/0x370 + instance_mkdir+0x90/0xd0 + tracefs_syscall_mkdir+0x68/0xa0 + vfs_mkdir+0x21c/0x34c + do_mkdirat+0x1b4/0x1d4 + __arm64_sys_mkdirat+0x4c/0x60 + el0_svc_common.constprop.0+0xa8/0x240 + do_el0_svc+0x8c/0xc0 + el0_svc+0x20/0x30 + el0_sync_handler+0xb0/0xb4 + el0_sync+0x160/0x180 + +Therefore, we add cond_resched() to __audit_inode_child() to fix it. + +Fixes: 5195d8e217a7 ("audit: dynamically allocate audit_names when not enough space is in the names array") +Signed-off-by: Gaosheng Cui +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/auditsc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index ffa8d64f6fef4..fb474e36c971b 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -1899,6 +1899,8 @@ void __audit_inode_child(struct inode *parent, + } + } + ++ cond_resched(); ++ + /* is there a matching child entry? */ + list_for_each_entry(n, &context->names_list, list) { + /* can only match entries that have a name */ +-- +2.40.1 + diff --git a/queue-4.14/bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch b/queue-4.14/bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch new file mode 100644 index 00000000000..5fafe759faa --- /dev/null +++ b/queue-4.14/bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch @@ -0,0 +1,41 @@ +From 63fe8888249358460a200dd49cae8687c8b3fcf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jul 2023 21:30:00 +0800 +Subject: Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe() + +From: Yuanjun Gong + +[ Upstream commit e8b5aed31355072faac8092ead4938ddec3111fd ] + +in nokia_bluetooth_serdev_probe(), check the return value of +clk_prepare_enable() and return the error code if +clk_prepare_enable() returns an unexpected value. + +Fixes: 7bb318680e86 ("Bluetooth: add nokia driver") +Signed-off-by: Yuanjun Gong +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_nokia.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_nokia.c b/drivers/bluetooth/hci_nokia.c +index 3539fd03f47ee..474866448f181 100644 +--- a/drivers/bluetooth/hci_nokia.c ++++ b/drivers/bluetooth/hci_nokia.c +@@ -746,7 +746,11 @@ static int nokia_bluetooth_serdev_probe(struct serdev_device *serdev) + return err; + } + +- clk_prepare_enable(sysclk); ++ err = clk_prepare_enable(sysclk); ++ if (err) { ++ dev_err(dev, "could not enable sysclk: %d", err); ++ return err; ++ } + btdev->sysclk_speed = clk_get_rate(sysclk); + clk_disable_unprepare(sysclk); + +-- +2.40.1 + diff --git a/queue-4.14/can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch b/queue-4.14/can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch new file mode 100644 index 00000000000..46dae3f7e77 --- /dev/null +++ b/queue-4.14/can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch @@ -0,0 +1,50 @@ +From 9e8a534de46f7f74bd3cb79b42b76de6da65043b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jul 2023 11:23:37 +0200 +Subject: can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors + also in case of OOM + +From: Marc Kleine-Budde + +[ Upstream commit 6c8bc15f02b85bc8f47074110d8fd8caf7a1e42d ] + +In case of an RX overflow error from the CAN controller and an OOM +where no skb can be allocated, the error counters are not incremented. + +Fix this by first incrementing the error counters and then allocate +the skb. + +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Link: https://lore.kernel.org/all/20230718-gs_usb-cleanups-v1-7-c3b9154ec605@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/gs_usb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c +index a43f25de85749..893fa5580c773 100644 +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -389,6 +389,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + } + + if (hf->flags & GS_CAN_FLAG_OVERFLOW) { ++ stats->rx_over_errors++; ++ stats->rx_errors++; ++ + skb = alloc_can_err_skb(netdev, &cf); + if (!skb) + goto resubmit_urb; +@@ -396,8 +399,6 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + cf->can_id |= CAN_ERR_CRTL; + cf->can_dlc = CAN_ERR_DLC; + cf->data[1] = CAN_ERR_CRTL_RX_OVERFLOW; +- stats->rx_over_errors++; +- stats->rx_errors++; + netif_rx(skb); + } + +-- +2.40.1 + diff --git a/queue-4.14/cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch b/queue-4.14/cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch new file mode 100644 index 00000000000..4549a35ea93 --- /dev/null +++ b/queue-4.14/cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch @@ -0,0 +1,37 @@ +From 35e31fd84c1f14abde81f1319fb65a04ee8e296b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 11:25:28 +0000 +Subject: cgroup:namespace: Remove unused cgroup_namespaces_init() + +From: Lu Jialin + +[ Upstream commit 82b90b6c5b38e457c7081d50dff11ecbafc1e61a ] + +cgroup_namspace_init() just return 0. Therefore, there is no need to +call it during start_kernel. Just remove it. + +Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces") +Signed-off-by: Lu Jialin +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/namespace.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/kernel/cgroup/namespace.c b/kernel/cgroup/namespace.c +index b05f1dd58a622..313e66b8c6622 100644 +--- a/kernel/cgroup/namespace.c ++++ b/kernel/cgroup/namespace.c +@@ -148,9 +148,3 @@ const struct proc_ns_operations cgroupns_operations = { + .install = cgroupns_install, + .owner = cgroupns_owner, + }; +- +-static __init int cgroup_namespaces_init(void) +-{ +- return 0; +-} +-subsys_initcall(cgroup_namespaces_init); +-- +2.40.1 + diff --git a/queue-4.14/clk-sunxi-ng-modify-mismatched-function-name.patch b/queue-4.14/clk-sunxi-ng-modify-mismatched-function-name.patch new file mode 100644 index 00000000000..d6e6b842821 --- /dev/null +++ b/queue-4.14/clk-sunxi-ng-modify-mismatched-function-name.patch @@ -0,0 +1,39 @@ +From 7229a17cca6a62b8d2b08103ee755d047c28c5cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jul 2023 15:31:07 +0000 +Subject: clk: sunxi-ng: Modify mismatched function name + +From: Zhang Jianhua + +[ Upstream commit 075d9ca5b4e17f84fd1c744a405e69ec743be7f0 ] + +No functional modification involved. + +drivers/clk/sunxi-ng/ccu_mmc_timing.c:54: warning: expecting prototype for sunxi_ccu_set_mmc_timing_mode(). Prototype was for sunxi_ccu_get_mmc_timing_mode() instead + +Fixes: f6f64ed868d3 ("clk: sunxi-ng: Add interface to query or configure MMC timing modes.") +Signed-off-by: Zhang Jianhua +Reviewed-by: Randy Dunlap +Link: https://lore.kernel.org/r/20230722153107.2078179-1-chris.zjh@huawei.com +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu_mmc_timing.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/sunxi-ng/ccu_mmc_timing.c b/drivers/clk/sunxi-ng/ccu_mmc_timing.c +index f9869f7353c01..9356dc1571561 100644 +--- a/drivers/clk/sunxi-ng/ccu_mmc_timing.c ++++ b/drivers/clk/sunxi-ng/ccu_mmc_timing.c +@@ -50,7 +50,7 @@ int sunxi_ccu_set_mmc_timing_mode(struct clk *clk, bool new_mode) + EXPORT_SYMBOL_GPL(sunxi_ccu_set_mmc_timing_mode); + + /** +- * sunxi_ccu_set_mmc_timing_mode: Get the current MMC clock timing mode ++ * sunxi_ccu_get_mmc_timing_mode: Get the current MMC clock timing mode + * @clk: clock to query + * + * Returns 0 if the clock is in old timing mode, > 0 if it is in +-- +2.40.1 + diff --git a/queue-4.14/cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch b/queue-4.14/cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch new file mode 100644 index 00000000000..acd5b0140c3 --- /dev/null +++ b/queue-4.14/cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch @@ -0,0 +1,39 @@ +From 91dcb9769375e7a6d6085b57b341d26ff60de039 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Aug 2023 09:51:13 +0000 +Subject: cpufreq: powernow-k8: Use related_cpus instead of cpus in + driver.exit() + +From: Liao Chang + +[ Upstream commit 03997da042dac73c69e60d91942c727c76828b65 ] + +Since the 'cpus' field of policy structure will become empty in the +cpufreq core API, it is better to use 'related_cpus' in the exit() +callback of driver. + +Fixes: c3274763bfc3 ("cpufreq: powernow-k8: Initialize per-cpu data-structures properly") +Signed-off-by: Liao Chang +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/powernow-k8.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/powernow-k8.c b/drivers/cpufreq/powernow-k8.c +index 32bb00a6fe099..3b9aa473ae8ff 100644 +--- a/drivers/cpufreq/powernow-k8.c ++++ b/drivers/cpufreq/powernow-k8.c +@@ -1120,7 +1120,8 @@ static int powernowk8_cpu_exit(struct cpufreq_policy *pol) + + kfree(data->powernow_table); + kfree(data); +- for_each_cpu(cpu, pol->cpus) ++ /* pol->cpus will be empty here, use related_cpus instead. */ ++ for_each_cpu(cpu, pol->related_cpus) + per_cpu(powernow_data, cpu) = NULL; + + return 0; +-- +2.40.1 + diff --git a/queue-4.14/crypto-caam-fix-unchecked-return-value-error.patch b/queue-4.14/crypto-caam-fix-unchecked-return-value-error.patch new file mode 100644 index 00000000000..825a4b5935e --- /dev/null +++ b/queue-4.14/crypto-caam-fix-unchecked-return-value-error.patch @@ -0,0 +1,44 @@ +From 7a8012cefecbe8bc7fac42201b1605cff4e3fe03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 12:55:25 +0200 +Subject: crypto: caam - fix unchecked return value error + +From: Gaurav Jain + +[ Upstream commit e30685204711a6be40dec2622606950ccd37dafe ] + +error: +Unchecked return value (CHECKED_RETURN) +check_return: Calling sg_miter_next without checking return value + +fix: +added check if(!sg_miter_next) + +Fixes: 8a2a0dd35f2e ("crypto: caam - strip input zeros from RSA input buffer") +Signed-off-by: Gaurav Jain +Signed-off-by: Meenakshi Aggarwal +Reviewed-by: Gaurav Jain +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/caam/caampkc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/caam/caampkc.c b/drivers/crypto/caam/caampkc.c +index 6f3f81bb880b5..01f9053db287b 100644 +--- a/drivers/crypto/caam/caampkc.c ++++ b/drivers/crypto/caam/caampkc.c +@@ -194,7 +194,9 @@ static int caam_rsa_count_leading_zeros(struct scatterlist *sgl, + if (len && *buff) + break; + +- sg_miter_next(&miter); ++ if (!sg_miter_next(&miter)) ++ break; ++ + buff = miter.addr; + len = miter.length; + +-- +2.40.1 + diff --git a/queue-4.14/dma-buf-sync_file-fix-docs-syntax.patch b/queue-4.14/dma-buf-sync_file-fix-docs-syntax.patch new file mode 100644 index 00000000000..525184a4e39 --- /dev/null +++ b/queue-4.14/dma-buf-sync_file-fix-docs-syntax.patch @@ -0,0 +1,39 @@ +From d377659d62756484575fdd9e56e9d3a251516b0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 07:49:41 -0700 +Subject: dma-buf/sync_file: Fix docs syntax + +From: Rob Clark + +[ Upstream commit 05d56d8079d510a2994039470f65bea85f0075ee ] + +Fixes the warning: + + include/uapi/linux/sync_file.h:77: warning: Function parameter or member 'num_fences' not described in 'sync_file_info' + +Fixes: 2d75c88fefb2 ("staging/android: refactor SYNC IOCTLs") +Signed-off-by: Rob Clark +Reviewed-by: Randy Dunlap +Link: https://lore.kernel.org/r/20230724145000.125880-1-robdclark@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + include/uapi/linux/sync_file.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/sync_file.h b/include/uapi/linux/sync_file.h +index ee2dcfb3d6602..d7f7c04a6e0c1 100644 +--- a/include/uapi/linux/sync_file.h ++++ b/include/uapi/linux/sync_file.h +@@ -52,7 +52,7 @@ struct sync_fence_info { + * @name: name of fence + * @status: status of fence. 1: signaled 0:active <0:error + * @flags: sync_file_info flags +- * @num_fences number of fences in the sync_file ++ * @num_fences: number of fences in the sync_file + * @pad: padding for 64-bit alignment, should always be zero + * @sync_fence_info: pointer to array of structs sync_fence_info with all + * fences in the sync_file +-- +2.40.1 + diff --git a/queue-4.14/dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch b/queue-4.14/dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch new file mode 100644 index 00000000000..82fb2259c3a --- /dev/null +++ b/queue-4.14/dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch @@ -0,0 +1,40 @@ +From 1b2d970f221013cbc97666c3ad178dea57708617 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 14:41:08 +0000 +Subject: dmaengine: ste_dma40: Add missing IRQ check in d40_probe + +From: ruanjinjie + +[ Upstream commit c05ce6907b3d6e148b70f0bb5eafd61dcef1ddc1 ] + +Check for the return value of platform_get_irq(): if no interrupt +is specified, it wouldn't make sense to call request_irq(). + +Fixes: 8d318a50b3d7 ("DMAENGINE: Support for ST-Ericssons DMA40 block v3") +Signed-off-by: Ruan Jinjie +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20230724144108.2582917-1-ruanjinjie@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ste_dma40.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/dma/ste_dma40.c b/drivers/dma/ste_dma40.c +index ee15d4fefbad2..498d9886ed9bc 100644 +--- a/drivers/dma/ste_dma40.c ++++ b/drivers/dma/ste_dma40.c +@@ -3577,6 +3577,10 @@ static int __init d40_probe(struct platform_device *pdev) + spin_lock_init(&base->lcla_pool.lock); + + base->irq = platform_get_irq(pdev, 0); ++ if (base->irq < 0) { ++ ret = base->irq; ++ goto destroy_cache; ++ } + + ret = request_irq(base->irq, d40_handle_interrupt, 0, D40_NAME, base); + if (ret) { +-- +2.40.1 + diff --git a/queue-4.14/drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch b/queue-4.14/drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch new file mode 100644 index 00000000000..46c5d04a694 --- /dev/null +++ b/queue-4.14/drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch @@ -0,0 +1,38 @@ +From 9659c851b33890005a3f27e2bfeb738da3ca563c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 18:22:46 +0800 +Subject: drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init() + +From: Minjie Du + +[ Upstream commit a995c50db887ef97f3160775aef7d772635a6f6e ] + +The function clk_register_pll() may return NULL or an ERR_PTR. Don't +treat an ERR_PTR as valid. + +Signed-off-by: Minjie Du +Link: https://lore.kernel.org/r/20230712102246.10348-1-duminjie@vivo.com +Fixes: b9e0d40c0d83 ("clk: keystone: add Keystone PLL clock driver") +[sboyd@kernel.org: Reword commit text] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/keystone/pll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/keystone/pll.c b/drivers/clk/keystone/pll.c +index e7e840fb74eaf..526694c2a6c97 100644 +--- a/drivers/clk/keystone/pll.c ++++ b/drivers/clk/keystone/pll.c +@@ -213,7 +213,7 @@ static void __init _of_pll_clk_init(struct device_node *node, bool pllctrl) + } + + clk = clk_register_pll(NULL, node->name, parent_name, pll_data); +- if (clk) { ++ if (!IS_ERR_OR_NULL(clk)) { + of_clk_add_provider(node, of_clk_src_simple_get, clk); + return; + } +-- +2.40.1 + diff --git a/queue-4.14/drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch b/queue-4.14/drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch new file mode 100644 index 00000000000..c99c6d17594 --- /dev/null +++ b/queue-4.14/drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch @@ -0,0 +1,80 @@ +From 44c053c1a3743931e305375fee73a98e7be61a80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 18:24:08 +0800 +Subject: drivers: usb: smsusb: fix error handling code in smsusb_init_device + +From: Dongliang Mu + +[ Upstream commit b9c7141f384097fa4fa67d2f72e5731d628aef7c ] + +The previous commit 4b208f8b561f ("[media] siano: register media controller +earlier")moves siano_media_device_register before smscore_register_device, +and adds corresponding error handling code if smscore_register_device +fails. However, it misses the following error handling code of +smsusb_init_device. + +Fix this by moving error handling code at the end of smsusb_init_device +and adding a goto statement in the following error handling parts. + +Fixes: 4b208f8b561f ("[media] siano: register media controller earlier") +Signed-off-by: Dongliang Mu +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/siano/smsusb.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c +index 92a6192f9ab2b..1d67b4c1a020c 100644 +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -467,12 +467,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + rc = smscore_register_device(¶ms, &dev->coredev, mdev); + if (rc < 0) { + pr_err("smscore_register_device(...) failed, rc %d\n", rc); +- smsusb_term_device(intf); +-#ifdef CONFIG_MEDIA_CONTROLLER_DVB +- media_device_unregister(mdev); +-#endif +- kfree(mdev); +- return rc; ++ goto err_unregister_device; + } + + smscore_set_board_id(dev->coredev, board_id); +@@ -489,8 +484,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + rc = smsusb_start_streaming(dev); + if (rc < 0) { + pr_err("smsusb_start_streaming(...) failed\n"); +- smsusb_term_device(intf); +- return rc; ++ goto err_unregister_device; + } + + dev->state = SMSUSB_ACTIVE; +@@ -498,13 +492,20 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + rc = smscore_start_device(dev->coredev); + if (rc < 0) { + pr_err("smscore_start_device(...) failed\n"); +- smsusb_term_device(intf); +- return rc; ++ goto err_unregister_device; + } + + pr_debug("device 0x%p created\n", dev); + + return rc; ++ ++err_unregister_device: ++ smsusb_term_device(intf); ++#ifdef CONFIG_MEDIA_CONTROLLER_DVB ++ media_device_unregister(mdev); ++#endif ++ kfree(mdev); ++ return rc; + } + + static int smsusb_probe(struct usb_interface *intf, +-- +2.40.1 + diff --git a/queue-4.14/drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch b/queue-4.14/drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch new file mode 100644 index 00000000000..0fe0a024295 --- /dev/null +++ b/queue-4.14/drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch @@ -0,0 +1,49 @@ +From a0826c64f4d1da0ab7fb2e96c8677a41356120e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 09:01:43 +0300 +Subject: drm: adv7511: Fix low refresh rate register for ADV7533/5 + +From: Bogdan Togorean + +[ Upstream commit d281eeaa4de2636ff0c8e6ae387bb07b50e5fcbb ] + +For ADV7533 and ADV7535 low refresh rate is selected using +bits [3:2] of 0x4a main register. +So depending on ADV model write 0xfb or 0x4a register. + +Fixes: 2437e7cd88e8 ("drm/bridge: adv7533: Initial support for ADV7533") +Reviewed-by: Robert Foss +Reviewed-by: Nuno Sa +Signed-off-by: Bogdan Togorean +Signed-off-by: Alexandru Ardelean +Reviewed-by: Frieder Schrempf +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230719060143.63649-1-alex@shruggie.ro +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +index f5195d9841f86..687c68e0a59d0 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +@@ -744,8 +744,13 @@ static void adv7511_mode_set(struct adv7511 *adv7511, + else + low_refresh_rate = ADV7511_LOW_REFRESH_RATE_NONE; + +- regmap_update_bits(adv7511->regmap, 0xfb, +- 0x6, low_refresh_rate << 1); ++ if (adv7511->type == ADV7511) ++ regmap_update_bits(adv7511->regmap, 0xfb, ++ 0x6, low_refresh_rate << 1); ++ else ++ regmap_update_bits(adv7511->regmap, 0x4a, ++ 0xc, low_refresh_rate << 2); ++ + regmap_update_bits(adv7511->regmap, 0x17, + 0x60, (vsync_polarity << 6) | (hsync_polarity << 5)); + +-- +2.40.1 + diff --git a/queue-4.14/fs-fix-error-checking-for-d_hash_and_lookup.patch b/queue-4.14/fs-fix-error-checking-for-d_hash_and_lookup.patch new file mode 100644 index 00000000000..80e6d508e2b --- /dev/null +++ b/queue-4.14/fs-fix-error-checking-for-d_hash_and_lookup.patch @@ -0,0 +1,38 @@ +From ba70978d49199bf6b10d912a32a6fecb24811ce2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 20:05:42 +0800 +Subject: fs: Fix error checking for d_hash_and_lookup() + +From: Wang Ming + +[ Upstream commit 0d5a4f8f775ff990142cdc810a84eae078589d27 ] + +The d_hash_and_lookup() function returns error pointers or NULL. +Most incorrect error checks were fixed, but the one in int path_pts() +was forgotten. + +Fixes: eedf265aa003 ("devpts: Make each mount of devpts an independent filesystem.") +Signed-off-by: Wang Ming +Message-Id: <20230713120555.7025-1-machel@vivo.com> +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/namei.c b/fs/namei.c +index a8c36363e6b1e..b6de8f0a16077 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -2615,7 +2615,7 @@ int path_pts(struct path *path) + this.name = "pts"; + this.len = 3; + child = d_hash_and_lookup(parent, &this); +- if (!child) ++ if (IS_ERR_OR_NULL(child)) + return -ENOENT; + + path->dentry = child; +-- +2.40.1 + diff --git a/queue-4.14/fs-lockd-avoid-possible-wrong-null-parameter.patch b/queue-4.14/fs-lockd-avoid-possible-wrong-null-parameter.patch new file mode 100644 index 00000000000..0023b80166e --- /dev/null +++ b/queue-4.14/fs-lockd-avoid-possible-wrong-null-parameter.patch @@ -0,0 +1,43 @@ +From 15235d9039e8e7d886ace8dc9d7bf9ff34b941f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 09:26:57 +0800 +Subject: fs: lockd: avoid possible wrong NULL parameter + +From: Su Hui + +[ Upstream commit de8d38cf44bac43e83bad28357ba84784c412752 ] + +clang's static analysis warning: fs/lockd/mon.c: line 293, column 2: +Null pointer passed as 2nd argument to memory copy function. + +Assuming 'hostname' is NULL and calling 'nsm_create_handle()', this will +pass NULL as 2nd argument to memory copy function 'memcpy()'. So return +NULL if 'hostname' is invalid. + +Fixes: 77a3ef33e2de ("NSM: More clean up of nsm_get_handle()") +Signed-off-by: Su Hui +Reviewed-by: Nick Desaulniers +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/lockd/mon.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/lockd/mon.c b/fs/lockd/mon.c +index 9fbbd11f9ecbb..4a2da67fc255c 100644 +--- a/fs/lockd/mon.c ++++ b/fs/lockd/mon.c +@@ -274,6 +274,9 @@ static struct nsm_handle *nsm_create_handle(const struct sockaddr *sap, + { + struct nsm_handle *new; + ++ if (!hostname) ++ return NULL; ++ + new = kzalloc(sizeof(*new) + hostname_len + 1, GFP_KERNEL); + if (unlikely(new == NULL)) + return NULL; +-- +2.40.1 + diff --git a/queue-4.14/fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch b/queue-4.14/fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch new file mode 100644 index 00000000000..12d2d03d743 --- /dev/null +++ b/queue-4.14/fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch @@ -0,0 +1,50 @@ +From 9c471945c8c0e5d78019d111a7a131b8b7b3f9f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 17:54:17 +0300 +Subject: fs: ocfs2: namei: check return value of ocfs2_add_entry() + +From: Artem Chernyshev + +[ Upstream commit 6b72e5f9e79360fce4f2be7fe81159fbdf4256a5 ] + +Process result of ocfs2_add_entry() in case we have an error +value. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Link: https://lkml.kernel.org/r/20230803145417.177649-1-artem.chernyshev@red-soft.ru +Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") +Signed-off-by: Artem Chernyshev +Reviewed-by: Joseph Qi +Cc: Artem Chernyshev +Cc: Joel Becker +Cc: Kurt Hackel +Cc: Mark Fasheh +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/namei.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c +index 6ec15ffeb5629..f36a338bf7278 100644 +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -1537,6 +1537,10 @@ static int ocfs2_rename(struct inode *old_dir, + status = ocfs2_add_entry(handle, new_dentry, old_inode, + OCFS2_I(old_inode)->ip_blkno, + new_dir_bh, &target_insert); ++ if (status < 0) { ++ mlog_errno(status); ++ goto bail; ++ } + } + + old_inode->i_ctime = current_time(old_inode); +-- +2.40.1 + diff --git a/queue-4.14/hid-multitouch-correct-devm-device-reference-for-hid.patch b/queue-4.14/hid-multitouch-correct-devm-device-reference-for-hid.patch new file mode 100644 index 00000000000..7f44cfbc199 --- /dev/null +++ b/queue-4.14/hid-multitouch-correct-devm-device-reference-for-hid.patch @@ -0,0 +1,67 @@ +From f42c7510e347b6ca1e812ff5b582d1927f193af6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 06:14:33 +0000 +Subject: HID: multitouch: Correct devm device reference for hidinput input_dev + name + +From: Rahul Rameshbabu + +[ Upstream commit 4794394635293a3e74591351fff469cea7ad15a2 ] + +Reference the HID device rather than the input device for the devm +allocation of the input_dev name. Referencing the input_dev would lead to a +use-after-free when the input_dev was unregistered and subsequently fires a +uevent that depends on the name. At the point of firing the uevent, the +name would be freed by devres management. + +Use devm_kasprintf to simplify the logic for allocating memory and +formatting the input_dev name string. + +Reported-by: Maxime Ripard +Closes: https://lore.kernel.org/linux-input/ZOZIZCND+L0P1wJc@penguin/T/#m443f3dce92520f74b6cf6ffa8653f9c92643d4ae +Fixes: c08d46aa805b ("HID: multitouch: devm conversion") +Suggested-by: Maxime Ripard +Suggested-by: Dmitry Torokhov +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Maxime Ripard +Link: https://lore.kernel.org/r/20230824061308.222021-3-sergeantsagara@protonmail.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 0fa3bd2b035e7..55b1023af31fa 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -1136,7 +1136,6 @@ static void mt_post_parse(struct mt_device *td) + static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi) + { + struct mt_device *td = hid_get_drvdata(hdev); +- char *name; + const char *suffix = NULL; + struct hid_field *field = hi->report->field[0]; + int ret; +@@ -1196,15 +1195,9 @@ static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi) + } + } + +- if (suffix) { +- name = devm_kzalloc(&hi->input->dev, +- strlen(hdev->name) + strlen(suffix) + 2, +- GFP_KERNEL); +- if (name) { +- sprintf(name, "%s %s", hdev->name, suffix); +- hi->input->name = name; +- } +- } ++ if (suffix) ++ hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL, ++ "%s %s", hdev->name, suffix); + + return 0; + } +-- +2.40.1 + diff --git a/queue-4.14/jfs-validate-max-amount-of-blocks-before-allocation.patch b/queue-4.14/jfs-validate-max-amount-of-blocks-before-allocation.patch new file mode 100644 index 00000000000..befb95de6e7 --- /dev/null +++ b/queue-4.14/jfs-validate-max-amount-of-blocks-before-allocation.patch @@ -0,0 +1,42 @@ +From 218626d5d0c3ddc068d68482c8ff7f91499024db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Aug 2023 20:32:16 +0300 +Subject: jfs: validate max amount of blocks before allocation. + +From: Alexei Filippov + +[ Upstream commit 0225e10972fa809728b8d4c1bd2772b3ec3fdb57 ] + +The lack of checking bmp->db_max_freebud in extBalloc() can lead to +shift out of bounds, so this patch prevents undefined behavior, because +bmp->db_max_freebud == -1 only if there is no free space. + +Signed-off-by: Aleksei Filippov +Signed-off-by: Dave Kleikamp +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+5f088f29593e6b4c8db8@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?id=01abadbd6ae6a08b1f1987aa61554c6b3ac19ff2 +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_extent.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/jfs/jfs_extent.c b/fs/jfs/jfs_extent.c +index 2ae7d59ab10a5..c971e8a6525de 100644 +--- a/fs/jfs/jfs_extent.c ++++ b/fs/jfs/jfs_extent.c +@@ -521,6 +521,11 @@ extBalloc(struct inode *ip, s64 hint, s64 * nblocks, s64 * blkno) + * blocks in the map. in that case, we'll start off with the + * maximum free. + */ ++ ++ /* give up if no space left */ ++ if (bmp->db_maxfreebud == -1) ++ return -ENOSPC; ++ + max = (s64) 1 << bmp->db_maxfreebud; + if (*nblocks >= max && *nblocks > nbperpage) + nb = nblks = (max > nbperpage) ? max : nbperpage; +-- +2.40.1 + diff --git a/queue-4.14/lwt-check-lwtunnel_xmit_continue-strictly.patch b/queue-4.14/lwt-check-lwtunnel_xmit_continue-strictly.patch new file mode 100644 index 00000000000..596c76b2f9f --- /dev/null +++ b/queue-4.14/lwt-check-lwtunnel_xmit_continue-strictly.patch @@ -0,0 +1,78 @@ +From 24762cc3bc7dd05eb082042ffbb7f4c76a0e325e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 19:58:14 -0700 +Subject: lwt: Check LWTUNNEL_XMIT_CONTINUE strictly + +From: Yan Zhai + +[ Upstream commit a171fbec88a2c730b108c7147ac5e7b2f5a02b47 ] + +LWTUNNEL_XMIT_CONTINUE is implicitly assumed in ip(6)_finish_output2, +such that any positive return value from a xmit hook could cause +unexpected continue behavior, despite that related skb may have been +freed. This could be error-prone for future xmit hook ops. One of the +possible errors is to return statuses of dst_output directly. + +To make the code safer, redefine LWTUNNEL_XMIT_CONTINUE value to +distinguish from dst_output statuses and check the continue +condition explicitly. + +Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure") +Suggested-by: Dan Carpenter +Signed-off-by: Yan Zhai +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/96b939b85eda00e8df4f7c080f770970a4c5f698.1692326837.git.yan@cloudflare.com +Signed-off-by: Sasha Levin +--- + include/net/lwtunnel.h | 5 ++++- + net/ipv4/ip_output.c | 2 +- + net/ipv6/ip6_output.c | 2 +- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h +index d747ef975cd80..0ab4647ccc24d 100644 +--- a/include/net/lwtunnel.h ++++ b/include/net/lwtunnel.h +@@ -16,9 +16,12 @@ + #define LWTUNNEL_STATE_INPUT_REDIRECT BIT(1) + #define LWTUNNEL_STATE_XMIT_REDIRECT BIT(2) + ++/* LWTUNNEL_XMIT_CONTINUE should be distinguishable from dst_output return ++ * values (NET_XMIT_xxx and NETDEV_TX_xxx in linux/netdevice.h) for safety. ++ */ + enum { + LWTUNNEL_XMIT_DONE, +- LWTUNNEL_XMIT_CONTINUE, ++ LWTUNNEL_XMIT_CONTINUE = 0x100, + }; + + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index c5c9dc0f41cbc..c242c412dabc0 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -221,7 +221,7 @@ static int ip_finish_output2(struct net *net, struct sock *sk, struct sk_buff *s + if (lwtunnel_xmit_redirect(dst->lwtstate)) { + int res = lwtunnel_xmit(skb); + +- if (res < 0 || res == LWTUNNEL_XMIT_DONE) ++ if (res != LWTUNNEL_XMIT_CONTINUE) + return res; + } + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 36647d3211074..c9322e6a1c0cb 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -106,7 +106,7 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff * + if (lwtunnel_xmit_redirect(dst->lwtstate)) { + int res = lwtunnel_xmit(skb); + +- if (res < 0 || res == LWTUNNEL_XMIT_DONE) ++ if (res != LWTUNNEL_XMIT_CONTINUE) + return res; + } + +-- +2.40.1 + diff --git a/queue-4.14/md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch b/queue-4.14/md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch new file mode 100644 index 00000000000..0636384d0c1 --- /dev/null +++ b/queue-4.14/md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch @@ -0,0 +1,55 @@ +From 3295e1b663214ada8d84fed6ff028ec8e723ca99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 21:53:55 +0800 +Subject: md/raid1: free the r1bio before waiting for blocked rdev + +From: Xueshi Hu + +[ Upstream commit 992db13a4aee766c8bfbf046ad15c2db5fa7cab8 ] + +Raid1 reshape will change mempool and r1conf::raid_disks which are +needed to free r1bio. allow_barrier() make a concurrent raid1_reshape() +possible. So, free the in-flight r1bio before waiting blocked rdev. + +Fixes: 6bfe0b499082 ("md: support blocking writes to an array on device failure") +Reviewed-by: Yu Kuai +Signed-off-by: Xueshi Hu +Link: https://lore.kernel.org/r/20230814135356.1113639-3-xueshi.hu@smartx.com +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 28f78199de3ba..09350e7eab8de 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1329,6 +1329,7 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio, + } + wait_barrier(conf, bio->bi_iter.bi_sector); + ++ retry_write: + r1_bio = alloc_r1bio(mddev, bio); + r1_bio->sectors = max_write_sectors; + +@@ -1350,7 +1351,6 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio, + */ + + disks = conf->raid_disks * 2; +- retry_write: + blocked_rdev = NULL; + rcu_read_lock(); + max_sectors = r1_bio->sectors; +@@ -1421,7 +1421,7 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio, + for (j = 0; j < i; j++) + if (r1_bio->bios[j]) + rdev_dec_pending(conf->mirrors[j].rdev, mddev); +- r1_bio->state = 0; ++ free_r1bio(r1_bio); + allow_barrier(conf, bio->bi_iter.bi_sector); + raid1_log(mddev, "wait rdev %d blocked", blocked_rdev->raid_disk); + md_wait_for_blocked_rdev(blocked_rdev, mddev); +-- +2.40.1 + diff --git a/queue-4.14/media-cx24120-add-retval-check-for-cx24120_message_s.patch b/queue-4.14/media-cx24120-add-retval-check-for-cx24120_message_s.patch new file mode 100644 index 00000000000..84c85f334ea --- /dev/null +++ b/queue-4.14/media-cx24120-add-retval-check-for-cx24120_message_s.patch @@ -0,0 +1,40 @@ +From 5ad144a287ed15683f9e8366f596a7be09f7c7d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 01:55:01 -0700 +Subject: media: cx24120: Add retval check for cx24120_message_send() + +From: Daniil Dulov + +[ Upstream commit 96002c0ac824e1773d3f706b1f92e2a9f2988047 ] + +If cx24120_message_send() returns error, we should keep local struct +unchanged. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5afc9a25be8d ("[media] Add support for TechniSat Skystar S2") +Signed-off-by: Daniil Dulov +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/cx24120.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/cx24120.c b/drivers/media/dvb-frontends/cx24120.c +index 7f11dcc94d854..869fb1a9ddf38 100644 +--- a/drivers/media/dvb-frontends/cx24120.c ++++ b/drivers/media/dvb-frontends/cx24120.c +@@ -980,7 +980,9 @@ static void cx24120_set_clock_ratios(struct dvb_frontend *fe) + cmd.arg[8] = (clock_ratios_table[idx].rate >> 8) & 0xff; + cmd.arg[9] = (clock_ratios_table[idx].rate >> 0) & 0xff; + +- cx24120_message_send(state, &cmd); ++ ret = cx24120_message_send(state, &cmd); ++ if (ret != 0) ++ return; + + /* Calculate ber window rates for stat work */ + cx24120_calculate_ber_window(state, clock_ratios_table[idx].rate); +-- +2.40.1 + diff --git a/queue-4.14/media-dib7000p-fix-potential-division-by-zero.patch b/queue-4.14/media-dib7000p-fix-potential-division-by-zero.patch new file mode 100644 index 00000000000..9b302bc5826 --- /dev/null +++ b/queue-4.14/media-dib7000p-fix-potential-division-by-zero.patch @@ -0,0 +1,39 @@ +From ac30ad95bd999206b10aab306abee1a3099c0104 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 06:38:32 -0700 +Subject: media: dib7000p: Fix potential division by zero + +From: Daniil Dulov + +[ Upstream commit a1db7b2c5533fc67e2681eb5efc921a67bc7d5b8 ] + +Variable loopdiv can be assigned 0, then it is used as a denominator, +without checking it for 0. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 713d54a8bd81 ("[media] DiB7090: add support for the dib7090 based") +Signed-off-by: Daniil Dulov +Signed-off-by: Hans Verkuil +[hverkuil: (bw != NULL) -> bw] +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib7000p.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c +index 0fbaabe43682c..d5c1859eba3c5 100644 +--- a/drivers/media/dvb-frontends/dib7000p.c ++++ b/drivers/media/dvb-frontends/dib7000p.c +@@ -500,7 +500,7 @@ static int dib7000p_update_pll(struct dvb_frontend *fe, struct dibx000_bandwidth + prediv = reg_1856 & 0x3f; + loopdiv = (reg_1856 >> 6) & 0x3f; + +- if ((bw != NULL) && (bw->pll_prediv != prediv || bw->pll_ratio != loopdiv)) { ++ if (loopdiv && bw && (bw->pll_prediv != prediv || bw->pll_ratio != loopdiv)) { + dprintk("Updating pll (prediv: old = %d new = %d ; loopdiv : old = %d new = %d)\n", prediv, bw->pll_prediv, loopdiv, bw->pll_ratio); + reg_1856 &= 0xf000; + reg_1857 = dib7000p_read_word(state, 1857); +-- +2.40.1 + diff --git a/queue-4.14/media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch b/queue-4.14/media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch new file mode 100644 index 00000000000..7eb0e909007 --- /dev/null +++ b/queue-4.14/media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch @@ -0,0 +1,50 @@ +From 9d7c9431148dd085721ea11f836e21f0b0770959 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 07:58:36 +0200 +Subject: media: dvb-usb: m920x: Fix a potential memory leak in + m920x_i2c_xfer() + +From: Christophe JAILLET + +[ Upstream commit ea9ef6c2e001c5dc94bee35ebd1c8a98621cf7b8 ] + +'read' is freed when it is known to be NULL, but not when a read error +occurs. + +Revert the logic to avoid a small leak, should a m920x_read() call fail. + +Fixes: a2ab06d7c4d6 ("media: m920x: don't use stack on USB reads") +Signed-off-by: Christophe JAILLET +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/m920x.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/m920x.c b/drivers/media/usb/dvb-usb/m920x.c +index 8a43e2415686a..2a421bd9912bc 100644 +--- a/drivers/media/usb/dvb-usb/m920x.c ++++ b/drivers/media/usb/dvb-usb/m920x.c +@@ -283,7 +283,6 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu + char *read = kmalloc(1, GFP_KERNEL); + if (!read) { + ret = -ENOMEM; +- kfree(read); + goto unlock; + } + +@@ -294,8 +293,10 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu + + if ((ret = m920x_read(d->udev, M9206_I2C, 0x0, + 0x20 | stop, +- read, 1)) != 0) ++ read, 1)) != 0) { ++ kfree(read); + goto unlock; ++ } + msg[i].buf[j] = read[0]; + } + +-- +2.40.1 + diff --git a/queue-4.14/media-go7007-remove-redundant-if-statement.patch b/queue-4.14/media-go7007-remove-redundant-if-statement.patch new file mode 100644 index 00000000000..f3eb8cc8155 --- /dev/null +++ b/queue-4.14/media-go7007-remove-redundant-if-statement.patch @@ -0,0 +1,43 @@ +From 4e86b1e4c58c72de65fe40bd3e2ea89ecac48e4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 19:40:07 +0200 +Subject: media: go7007: Remove redundant if statement + +From: Colin Ian King + +[ Upstream commit f33cb49081da0ec5af0888f8ecbd566bd326eed1 ] + +The if statement that compares msgs[i].len != 3 is always false because +it is in a code block where msg[i].len is equal to 3. The check is +redundant and can be removed. + +As detected by cppcheck static analysis: +drivers/media/usb/go7007/go7007-i2c.c:168:20: warning: Opposite inner +'if' condition leads to a dead code block. [oppositeInnerCondition] + +Link: https://lore.kernel.org/linux-media/20230727174007.635572-1-colin.i.king@gmail.com + +Fixes: 866b8695d67e ("Staging: add the go7007 video driver") +Signed-off-by: Colin Ian King +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/go7007/go7007-i2c.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/media/usb/go7007/go7007-i2c.c b/drivers/media/usb/go7007/go7007-i2c.c +index c084bf794b567..64f25d4e52b20 100644 +--- a/drivers/media/usb/go7007/go7007-i2c.c ++++ b/drivers/media/usb/go7007/go7007-i2c.c +@@ -173,8 +173,6 @@ static int go7007_i2c_master_xfer(struct i2c_adapter *adapter, + } else if (msgs[i].len == 3) { + if (msgs[i].flags & I2C_M_RD) + return -EIO; +- if (msgs[i].len != 3) +- return -EIO; + if (go7007_i2c_xfer(go, msgs[i].addr, 0, + (msgs[i].buf[0] << 8) | msgs[i].buf[1], + 0x01, &msgs[i].buf[2]) < 0) +-- +2.40.1 + diff --git a/queue-4.14/media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch b/queue-4.14/media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch new file mode 100644 index 00000000000..bf9f5bc0f4f --- /dev/null +++ b/queue-4.14/media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch @@ -0,0 +1,43 @@ +From 181aad1af2c53a474657e941e8443377bbca28f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 17:14:41 +0800 +Subject: media: mediatek: vcodec: Return NULL if no vdec_fb is found + +From: Irui Wang + +[ Upstream commit dfa2d6e07432270330ae191f50a0e70636a4cd2b ] + +"fb_use_list" is used to store used or referenced frame buffers for +vp9 stateful decoder. "NULL" should be returned when getting target +frame buffer failed from "fb_use_list", not a random unexpected one. + +Fixes: f77e89854b3e ("[media] vcodec: mediatek: Add Mediatek VP9 Video Decoder Driver") +Signed-off-by: Irui Wang +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c +index bc8349bc2e80c..2c0d89a46410a 100644 +--- a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c ++++ b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c +@@ -230,10 +230,11 @@ static struct vdec_fb *vp9_rm_from_fb_use_list(struct vdec_vp9_inst + if (fb->base_y.va == addr) { + list_move_tail(&node->list, + &inst->available_fb_node_list); +- break; ++ return fb; + } + } +- return fb; ++ ++ return NULL; + } + + static void vp9_add_to_fb_free_list(struct vdec_vp9_inst *inst, +-- +2.40.1 + diff --git a/queue-4.14/net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch b/queue-4.14/net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch new file mode 100644 index 00000000000..be2a14cd5e7 --- /dev/null +++ b/queue-4.14/net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch @@ -0,0 +1,38 @@ +From e45d30f32ce1fe75f2989747bafcd2dba6268e62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 14:43:36 +0800 +Subject: net: arcnet: Do not call kfree_skb() under local_irq_disable() + +From: Jinjie Ruan + +[ Upstream commit 786c96e92fb9e854cb8b0cb7399bb2fb28e15c4b ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with hardware interrupts being disabled. +So replace kfree_skb() with dev_kfree_skb_irq() under +local_irq_disable(). Compile tested only. + +Fixes: 05fcd31cc472 ("arcnet: add err_skb package for package status feedback") +Signed-off-by: Jinjie Ruan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/arcnet/arcnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/arcnet/arcnet.c b/drivers/net/arcnet/arcnet.c +index 998bc7bc7d1f0..0f02d2b3438f2 100644 +--- a/drivers/net/arcnet/arcnet.c ++++ b/drivers/net/arcnet/arcnet.c +@@ -433,7 +433,7 @@ static void arcnet_reply_tasklet(unsigned long data) + + ret = sock_queue_err_skb(sk, ackskb); + if (ret) +- kfree_skb(ackskb); ++ dev_kfree_skb_irq(ackskb); + + local_irq_enable(); + }; +-- +2.40.1 + diff --git a/queue-4.14/net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch b/queue-4.14/net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch new file mode 100644 index 00000000000..62fc5c2b224 --- /dev/null +++ b/queue-4.14/net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch @@ -0,0 +1,83 @@ +From 5898b54fdb41d254552b1e9f013d72e7e154d718 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 10:55:29 +0800 +Subject: net: tcp: fix unexcepted socket die when snd_wnd is 0 + +From: Menglong Dong + +[ Upstream commit e89688e3e97868451a5d05b38a9d2633d6785cd4 ] + +In tcp_retransmit_timer(), a window shrunk connection will be regarded +as timeout if 'tcp_jiffies32 - tp->rcv_tstamp > TCP_RTO_MAX'. This is not +right all the time. + +The retransmits will become zero-window probes in tcp_retransmit_timer() +if the 'snd_wnd==0'. Therefore, the icsk->icsk_rto will come up to +TCP_RTO_MAX sooner or later. + +However, the timer can be delayed and be triggered after 122877ms, not +TCP_RTO_MAX, as I tested. + +Therefore, 'tcp_jiffies32 - tp->rcv_tstamp > TCP_RTO_MAX' is always true +once the RTO come up to TCP_RTO_MAX, and the socket will die. + +Fix this by replacing the 'tcp_jiffies32' with '(u32)icsk->icsk_timeout', +which is exact the timestamp of the timeout. + +However, "tp->rcv_tstamp" can restart from idle, then tp->rcv_tstamp +could already be a long time (minutes or hours) in the past even on the +first RTO. So we double check the timeout with the duration of the +retransmission. + +Meanwhile, making "2 * TCP_RTO_MAX" as the timeout to avoid the socket +dying too soon. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/netdev/CADxym3YyMiO+zMD4zj03YPM3FBi-1LHi6gSD2XT8pyAMM096pg@mail.gmail.com/ +Signed-off-by: Menglong Dong +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_timer.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c +index d708094952056..3d51a7edb3117 100644 +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -396,6 +396,22 @@ static void tcp_fastopen_synack_timer(struct sock *sk) + TCP_TIMEOUT_INIT << req->num_timeout, TCP_RTO_MAX); + } + ++static bool tcp_rtx_probe0_timed_out(const struct sock *sk, ++ const struct sk_buff *skb) ++{ ++ const struct tcp_sock *tp = tcp_sk(sk); ++ const int timeout = TCP_RTO_MAX * 2; ++ u32 rcv_delta, rtx_delta; ++ ++ rcv_delta = inet_csk(sk)->icsk_timeout - tp->rcv_tstamp; ++ if (rcv_delta <= timeout) ++ return false; ++ ++ rtx_delta = (u32)msecs_to_jiffies(tcp_time_stamp(tp) - ++ (tp->retrans_stamp ?: tcp_skb_timestamp(skb))); ++ ++ return rtx_delta > timeout; ++} + + /** + * tcp_retransmit_timer() - The TCP retransmit timeout handler +@@ -458,7 +474,7 @@ void tcp_retransmit_timer(struct sock *sk) + tp->snd_una, tp->snd_nxt); + } + #endif +- if (tcp_jiffies32 - tp->rcv_tstamp > TCP_RTO_MAX) { ++ if (tcp_rtx_probe0_timed_out(sk, skb)) { + tcp_write_err(sk); + goto out; + } +-- +2.40.1 + diff --git a/queue-4.14/netrom-deny-concurrent-connect.patch b/queue-4.14/netrom-deny-concurrent-connect.patch new file mode 100644 index 00000000000..1a4e1b60aca --- /dev/null +++ b/queue-4.14/netrom-deny-concurrent-connect.patch @@ -0,0 +1,139 @@ +From fc9768393321c856f609da4b5814990e61bf5cc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 09:50:59 -0700 +Subject: netrom: Deny concurrent connect(). + +From: Kuniyuki Iwashima + +[ Upstream commit c2f8fd7949603efb03908e05abbf7726748c8de3 ] + +syzkaller reported null-ptr-deref [0] related to AF_NETROM. +This is another self-accept issue from the strace log. [1] + +syz-executor creates an AF_NETROM socket and calls connect(), which +is blocked at that time. Then, sk->sk_state is TCP_SYN_SENT and +sock->state is SS_CONNECTING. + + [pid 5059] socket(AF_NETROM, SOCK_SEQPACKET, 0) = 4 + [pid 5059] connect(4, {sa_family=AF_NETROM, sa_data="..." + +Another thread calls connect() concurrently, which finally fails +with -EINVAL. However, the problem here is the socket state is +reset even while the first connect() is blocked. + + [pid 5060] connect(4, NULL, 0 + [pid 5060] <... connect resumed>) = -1 EINVAL (Invalid argument) + +As sk->state is TCP_CLOSE and sock->state is SS_UNCONNECTED, the +following listen() succeeds. Then, the first connect() looks up +itself as a listener and puts skb into the queue with skb->sk itself. +As a result, the next accept() gets another FD of itself as 3, and +the first connect() finishes. + + [pid 5060] listen(4, 0 + [pid 5060] <... listen resumed>) = 0 + [pid 5060] accept(4, NULL, NULL + [pid 5060] <... accept resumed>) = 3 + [pid 5059] <... connect resumed>) = 0 + +Then, accept4() is called but blocked, which causes the general protection +fault later. + + [pid 5059] accept4(4, NULL, 0x20000400, SOCK_NONBLOCK + +After that, another self-accept occurs by accept() and writev(). + + [pid 5060] accept(4, NULL, NULL + [pid 5061] writev(3, [{iov_base=...}] + [pid 5061] <... writev resumed>) = 99 + [pid 5060] <... accept resumed>) = 6 + +Finally, the leader thread close()s all FDs. Since the three FDs +reference the same socket, nr_release() does the cleanup for it +three times, and the remaining accept4() causes the following fault. + + [pid 5058] close(3) = 0 + [pid 5058] close(4) = 0 + [pid 5058] close(5) = -1 EBADF (Bad file descriptor) + [pid 5058] close(6) = 0 + [pid 5058] <... exit_group resumed>) = ? + [ 83.456055][ T5059] general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN + +To avoid the issue, we need to return an error for connect() if +another connect() is in progress, as done in __inet_stream_connect(). + +[0]: +general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] +CPU: 0 PID: 5059 Comm: syz-executor.0 Not tainted 6.5.0-rc5-syzkaller-00194-gace0ab3a4b54 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 +RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5012 +Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 11 6e 23 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 69 48 90 0f 84 96 0d 00 +RSP: 0018:ffffc90003d6f9e0 EFLAGS: 00010006 +RAX: ffff8880244c8000 RBX: 1ffff920007adf6c RCX: 0000000000000003 +RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000018 +RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000001 +R10: 0000000000000018 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007f51d519a6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f51d5158d58 CR3: 000000002943f000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + lock_acquire kernel/locking/lockdep.c:5761 [inline] + lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162 + prepare_to_wait+0x47/0x380 kernel/sched/wait.c:269 + nr_accept+0x20d/0x650 net/netrom/af_netrom.c:798 + do_accept+0x3a6/0x570 net/socket.c:1872 + __sys_accept4_file net/socket.c:1913 [inline] + __sys_accept4+0x99/0x120 net/socket.c:1943 + __do_sys_accept4 net/socket.c:1954 [inline] + __se_sys_accept4 net/socket.c:1951 [inline] + __x64_sys_accept4+0x96/0x100 net/socket.c:1951 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f51d447cae9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f51d519a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000120 +RAX: ffffffffffffffda RBX: 00007f51d459bf80 RCX: 00007f51d447cae9 +RDX: 0000000020000400 RSI: 0000000000000000 RDI: 0000000000000004 +RBP: 00007f51d44c847a R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000800 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007f51d459bf80 R15: 00007ffc25c34e48 + + +Link: https://syzkaller.appspot.com/text?tag=CrashLog&x=152cdb63a80000 [1] +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+666c97e4686410e79649@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=666c97e4686410e79649 +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netrom/af_netrom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index b5a99b5172076..4480d0d8394b1 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -663,6 +663,11 @@ static int nr_connect(struct socket *sock, struct sockaddr *uaddr, + goto out_release; + } + ++ if (sock->state == SS_CONNECTING) { ++ err = -EALREADY; ++ goto out_release; ++ } ++ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; + +-- +2.40.1 + diff --git a/queue-4.14/nfs-blocklayout-use-the-passed-in-gfp-flags.patch b/queue-4.14/nfs-blocklayout-use-the-passed-in-gfp-flags.patch new file mode 100644 index 00000000000..6ff0f7f2add --- /dev/null +++ b/queue-4.14/nfs-blocklayout-use-the-passed-in-gfp-flags.patch @@ -0,0 +1,47 @@ +From 73e529423c70c85953c055ba65f291bbb86246cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 11:08:46 +0300 +Subject: nfs/blocklayout: Use the passed in gfp flags + +From: Dan Carpenter + +[ Upstream commit 08b45fcb2d4675f6182fe0edc0d8b1fe604051fa ] + +This allocation should use the passed in GFP_ flags instead of +GFP_KERNEL. One places where this matters is in filelayout_pg_init_write() +which uses GFP_NOFS as the allocation flags. + +Fixes: 5c83746a0cf2 ("pnfs/blocklayout: in-kernel GETDEVICEINFO XDR parsing") +Signed-off-by: Dan Carpenter +Reviewed-by: Christoph Hellwig +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/dev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c +index 70c4165d2d742..a16c852412628 100644 +--- a/fs/nfs/blocklayout/dev.c ++++ b/fs/nfs/blocklayout/dev.c +@@ -422,7 +422,7 @@ bl_parse_concat(struct nfs_server *server, struct pnfs_block_dev *d, + int ret, i; + + d->children = kcalloc(v->concat.volumes_count, +- sizeof(struct pnfs_block_dev), GFP_KERNEL); ++ sizeof(struct pnfs_block_dev), gfp_mask); + if (!d->children) + return -ENOMEM; + +@@ -451,7 +451,7 @@ bl_parse_stripe(struct nfs_server *server, struct pnfs_block_dev *d, + int ret, i; + + d->children = kcalloc(v->stripe.volumes_count, +- sizeof(struct pnfs_block_dev), GFP_KERNEL); ++ sizeof(struct pnfs_block_dev), gfp_mask); + if (!d->children) + return -ENOMEM; + +-- +2.40.1 + diff --git a/queue-4.14/nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch b/queue-4.14/nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch new file mode 100644 index 00000000000..33049a32aea --- /dev/null +++ b/queue-4.14/nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch @@ -0,0 +1,139 @@ +From 897f07acb1873255c6a5c491c7d7a13611c97982 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 10:20:52 -0400 +Subject: NFSD: da_addr_body field missing in some GETDEVICEINFO replies + +From: Chuck Lever + +[ Upstream commit 6372e2ee629894433fe6107d7048536a3280a284 ] + +The XDR specification in RFC 8881 looks like this: + +struct device_addr4 { + layouttype4 da_layout_type; + opaque da_addr_body<>; +}; + +struct GETDEVICEINFO4resok { + device_addr4 gdir_device_addr; + bitmap4 gdir_notification; +}; + +union GETDEVICEINFO4res switch (nfsstat4 gdir_status) { +case NFS4_OK: + GETDEVICEINFO4resok gdir_resok4; +case NFS4ERR_TOOSMALL: + count4 gdir_mincount; +default: + void; +}; + +Looking at nfsd4_encode_getdeviceinfo() .... + +When the client provides a zero gd_maxcount, then the Linux NFS +server implementation encodes the da_layout_type field and then +skips the da_addr_body field completely, proceeding directly to +encode gdir_notification field. + +There does not appear to be an option in the specification to skip +encoding da_addr_body. Moreover, Section 18.40.3 says: + +> If the client wants to just update or turn off notifications, it +> MAY send a GETDEVICEINFO operation with gdia_maxcount set to zero. +> In that event, if the device ID is valid, the reply's da_addr_body +> field of the gdir_device_addr field will be of zero length. + +Since the layout drivers are responsible for encoding the +da_addr_body field, put this fix inside the ->encode_getdeviceinfo +methods. + +Fixes: 9cf514ccfacb ("nfsd: implement pNFS operations") +Reviewed-by: Christoph Hellwig +Cc: Tom Haynes +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/blocklayoutxdr.c | 9 +++++++++ + fs/nfsd/flexfilelayoutxdr.c | 9 +++++++++ + fs/nfsd/nfs4xdr.c | 25 +++++++++++-------------- + 3 files changed, 29 insertions(+), 14 deletions(-) + +diff --git a/fs/nfsd/blocklayoutxdr.c b/fs/nfsd/blocklayoutxdr.c +index 442543304930b..2455dc8be18a8 100644 +--- a/fs/nfsd/blocklayoutxdr.c ++++ b/fs/nfsd/blocklayoutxdr.c +@@ -82,6 +82,15 @@ nfsd4_block_encode_getdeviceinfo(struct xdr_stream *xdr, + int len = sizeof(__be32), ret, i; + __be32 *p; + ++ /* ++ * See paragraph 5 of RFC 8881 S18.40.3. ++ */ ++ if (!gdp->gd_maxcount) { ++ if (xdr_stream_encode_u32(xdr, 0) != XDR_UNIT) ++ return nfserr_resource; ++ return nfs_ok; ++ } ++ + p = xdr_reserve_space(xdr, len + sizeof(__be32)); + if (!p) + return nfserr_resource; +diff --git a/fs/nfsd/flexfilelayoutxdr.c b/fs/nfsd/flexfilelayoutxdr.c +index e81d2a5cf381e..bb205328e043d 100644 +--- a/fs/nfsd/flexfilelayoutxdr.c ++++ b/fs/nfsd/flexfilelayoutxdr.c +@@ -85,6 +85,15 @@ nfsd4_ff_encode_getdeviceinfo(struct xdr_stream *xdr, + int addr_len; + __be32 *p; + ++ /* ++ * See paragraph 5 of RFC 8881 S18.40.3. ++ */ ++ if (!gdp->gd_maxcount) { ++ if (xdr_stream_encode_u32(xdr, 0) != XDR_UNIT) ++ return nfserr_resource; ++ return nfs_ok; ++ } ++ + /* len + padding for two strings */ + addr_len = 16 + da->netaddr.netid_len + da->netaddr.addr_len; + ver_len = 20; +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index d34ed6575e8fb..997d3134beb32 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -4091,20 +4091,17 @@ nfsd4_encode_getdeviceinfo(struct nfsd4_compoundres *resp, __be32 nfserr, + + *p++ = cpu_to_be32(gdev->gd_layout_type); + +- /* If maxcount is 0 then just update notifications */ +- if (gdev->gd_maxcount != 0) { +- ops = nfsd4_layout_ops[gdev->gd_layout_type]; +- nfserr = ops->encode_getdeviceinfo(xdr, gdev); +- if (nfserr) { +- /* +- * We don't bother to burden the layout drivers with +- * enforcing gd_maxcount, just tell the client to +- * come back with a bigger buffer if it's not enough. +- */ +- if (xdr->buf->len + 4 > gdev->gd_maxcount) +- goto toosmall; +- return nfserr; +- } ++ ops = nfsd4_layout_ops[gdev->gd_layout_type]; ++ nfserr = ops->encode_getdeviceinfo(xdr, gdev); ++ if (nfserr) { ++ /* ++ * We don't bother to burden the layout drivers with ++ * enforcing gd_maxcount, just tell the client to ++ * come back with a bigger buffer if it's not enough. ++ */ ++ if (xdr->buf->len + 4 > gdev->gd_maxcount) ++ goto toosmall; ++ return nfserr; + } + + if (gdev->gd_notify_types) { +-- +2.40.1 + diff --git a/queue-4.14/of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch b/queue-4.14/of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch new file mode 100644 index 00000000000..fe780400375 --- /dev/null +++ b/queue-4.14/of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch @@ -0,0 +1,74 @@ +From a104ef6ca9828fbc32f5205a8cb7173cd894ea9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 16:02:46 +0800 +Subject: of: unittest: fix null pointer dereferencing in + of_unittest_find_node_by_name() + +From: Ruan Jinjie + +[ Upstream commit d6ce4f0ea19c32f10867ed93d8386924326ab474 ] + +when kmalloc() fail to allocate memory in kasprintf(), name +or full_name will be NULL, strcmp() will cause +null pointer dereference. + +Fixes: 0d638a07d3a1 ("of: Convert to using %pOF instead of full_name") +Signed-off-by: Ruan Jinjie +Link: https://lore.kernel.org/r/20230727080246.519539-1-ruanjinjie@huawei.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 55c98f119df22..89d1011d5b327 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -51,7 +51,7 @@ static void __init of_unittest_find_node_by_name(void) + + np = of_find_node_by_path("/testcase-data"); + name = kasprintf(GFP_KERNEL, "%pOF", np); +- unittest(np && !strcmp("/testcase-data", name), ++ unittest(np && name && !strcmp("/testcase-data", name), + "find /testcase-data failed\n"); + of_node_put(np); + kfree(name); +@@ -62,14 +62,14 @@ static void __init of_unittest_find_node_by_name(void) + + np = of_find_node_by_path("/testcase-data/phandle-tests/consumer-a"); + name = kasprintf(GFP_KERNEL, "%pOF", np); +- unittest(np && !strcmp("/testcase-data/phandle-tests/consumer-a", name), ++ unittest(np && name && !strcmp("/testcase-data/phandle-tests/consumer-a", name), + "find /testcase-data/phandle-tests/consumer-a failed\n"); + of_node_put(np); + kfree(name); + + np = of_find_node_by_path("testcase-alias"); + name = kasprintf(GFP_KERNEL, "%pOF", np); +- unittest(np && !strcmp("/testcase-data", name), ++ unittest(np && name && !strcmp("/testcase-data", name), + "find testcase-alias failed\n"); + of_node_put(np); + kfree(name); +@@ -80,7 +80,7 @@ static void __init of_unittest_find_node_by_name(void) + + np = of_find_node_by_path("testcase-alias/phandle-tests/consumer-a"); + name = kasprintf(GFP_KERNEL, "%pOF", np); +- unittest(np && !strcmp("/testcase-data/phandle-tests/consumer-a", name), ++ unittest(np && name && !strcmp("/testcase-data/phandle-tests/consumer-a", name), + "find testcase-alias/phandle-tests/consumer-a failed\n"); + of_node_put(np); + kfree(name); +@@ -966,6 +966,8 @@ static void attach_node_and_children(struct device_node *np) + const char *full_name; + + full_name = kasprintf(GFP_KERNEL, "%pOF", np); ++ if (!full_name) ++ return; + + if (!strcmp(full_name, "/__local_fixups__") || + !strcmp(full_name, "/__fixups__")) { +-- +2.40.1 + diff --git a/queue-4.14/pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch b/queue-4.14/pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch new file mode 100644 index 00000000000..40990fcdc2f --- /dev/null +++ b/queue-4.14/pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch @@ -0,0 +1,38 @@ +From 36556c0e29ca22bdd0be06ef183d1256ef30ef14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Apr 2023 20:34:11 +0800 +Subject: PCI: Mark NVIDIA T4 GPUs to avoid bus reset + +From: Wu Zongyong + +[ Upstream commit d5af729dc2071273f14cbb94abbc60608142fd83 ] + +NVIDIA T4 GPUs do not work with SBR. This problem is found when the T4 card +is direct attached to a Root Port only. Avoid bus reset by marking T4 GPUs +PCI_DEV_FLAGS_NO_BUS_RESET. + +Fixes: 4c207e7121fa ("PCI: Mark some NVIDIA GPUs to avoid bus reset") +Link: https://lore.kernel.org/r/2dcebea53a6eb9bd212ec6d8974af2e5e0333ef6.1681129861.git.wuzongyong@linux.alibaba.com +Signed-off-by: Wu Zongyong +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 7ca82b8c5c37e..b61e6587e9d72 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3396,7 +3396,7 @@ static void quirk_no_bus_reset(struct pci_dev *dev) + */ + static void quirk_nvidia_no_bus_reset(struct pci_dev *dev) + { +- if ((dev->device & 0xffc0) == 0x2340) ++ if ((dev->device & 0xffc0) == 0x2340 || dev->device == 0x1eb8) + quirk_no_bus_reset(dev); + } + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID, +-- +2.40.1 + diff --git a/queue-4.14/pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch b/queue-4.14/pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch new file mode 100644 index 00000000000..131602427fe --- /dev/null +++ b/queue-4.14/pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch @@ -0,0 +1,54 @@ +From 3f699cc898744e2ef8e38beab820ef494dc6b849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:04:55 +0300 +Subject: PCI: pciehp: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 5f75f96c61039151c193775d776fde42477eace1 ] + +As hotplug is not the only driver touching LNKCTL, use the RMW capability +accessor which handles concurrent changes correctly. + +Suggested-by: Lukas Wunner +Fixes: 7f822999e12a ("PCI: pciehp: Add Disable/enable link functions") +Link: https://lore.kernel.org/r/20230717120503.15276-4-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Acked-by: "Rafael J. Wysocki" +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pciehp_hpc.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c +index c2dd297d4007b..2ec015d1f6710 100644 +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -338,17 +338,11 @@ int pciehp_check_link_status(struct controller *ctrl) + static int __pciehp_link_set(struct controller *ctrl, bool enable) + { + struct pci_dev *pdev = ctrl_dev(ctrl); +- u16 lnk_ctrl; + +- pcie_capability_read_word(pdev, PCI_EXP_LNKCTL, &lnk_ctrl); ++ pcie_capability_clear_and_set_word(pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_LD, ++ enable ? 0 : PCI_EXP_LNKCTL_LD); + +- if (enable) +- lnk_ctrl &= ~PCI_EXP_LNKCTL_LD; +- else +- lnk_ctrl |= PCI_EXP_LNKCTL_LD; +- +- pcie_capability_write_word(pdev, PCI_EXP_LNKCTL, lnk_ctrl); +- ctrl_dbg(ctrl, "%s: lnk_ctrl = %x\n", __func__, lnk_ctrl); + return 0; + } + +-- +2.40.1 + diff --git a/queue-4.14/powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch b/queue-4.14/powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch new file mode 100644 index 00000000000..5b2d64eeb97 --- /dev/null +++ b/queue-4.14/powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch @@ -0,0 +1,96 @@ +From 36e6f956283e512a37e17b94a65727ea1e14342b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 14:53:22 +1100 +Subject: powerpc/iommu: Fix notifiers being shared by PCI and VIO buses + +From: Russell Currey + +[ Upstream commit c37b6908f7b2bd24dcaaf14a180e28c9132b9c58 ] + +fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both +PCI and VIO buses. struct notifier_block is a linked list node, so this +causes any notifiers later registered to either bus type to also be +registered to the other since they share the same node. + +This causes issues in (at least) the vgaarb code, which registers a +notifier for PCI buses. pci_notify() ends up being called on a vio +device, converted with to_pci_dev() even though it's not a PCI device, +and finally makes a bad access in vga_arbiter_add_pci_device() as +discovered with KASAN: + + BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00 + Read of size 4 at addr c000000264c26fdc by task swapper/0/1 + + Call Trace: + dump_stack_lvl+0x1bc/0x2b8 (unreliable) + print_report+0x3f4/0xc60 + kasan_report+0x244/0x698 + __asan_load4+0xe8/0x250 + vga_arbiter_add_pci_device+0x60/0xe00 + pci_notify+0x88/0x444 + notifier_call_chain+0x104/0x320 + blocking_notifier_call_chain+0xa0/0x140 + device_add+0xac8/0x1d30 + device_register+0x58/0x80 + vio_register_device_node+0x9ac/0xce0 + vio_bus_scan_register_devices+0xc4/0x13c + __machine_initcall_pseries_vio_device_init+0x94/0xf0 + do_one_initcall+0x12c/0xaa8 + kernel_init_freeable+0xa48/0xba8 + kernel_init+0x64/0x400 + ret_from_kernel_thread+0x5c/0x64 + +Fix this by creating separate notifier_block structs for each bus type. + +Fixes: d6b9a81b2a45 ("powerpc: IOMMU fault injection") +Reported-by: Nageswara R Sastry +Signed-off-by: Russell Currey +Tested-by: Nageswara R Sastry +Reviewed-by: Andrew Donnellan +[mpe: Add #ifdef to fix CONFIG_IBMVIO=n build] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230322035322.328709-1-ruscur@russell.cc +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/iommu.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c +index 87af91937c8a9..410fb08a2c31b 100644 +--- a/arch/powerpc/kernel/iommu.c ++++ b/arch/powerpc/kernel/iommu.c +@@ -145,17 +145,28 @@ static int fail_iommu_bus_notify(struct notifier_block *nb, + return 0; + } + +-static struct notifier_block fail_iommu_bus_notifier = { ++/* ++ * PCI and VIO buses need separate notifier_block structs, since they're linked ++ * list nodes. Sharing a notifier_block would mean that any notifiers later ++ * registered for PCI buses would also get called by VIO buses and vice versa. ++ */ ++static struct notifier_block fail_iommu_pci_bus_notifier = { + .notifier_call = fail_iommu_bus_notify + }; + ++#ifdef CONFIG_IBMVIO ++static struct notifier_block fail_iommu_vio_bus_notifier = { ++ .notifier_call = fail_iommu_bus_notify ++}; ++#endif ++ + static int __init fail_iommu_setup(void) + { + #ifdef CONFIG_PCI +- bus_register_notifier(&pci_bus_type, &fail_iommu_bus_notifier); ++ bus_register_notifier(&pci_bus_type, &fail_iommu_pci_bus_notifier); + #endif + #ifdef CONFIG_IBMVIO +- bus_register_notifier(&vio_bus_type, &fail_iommu_bus_notifier); ++ bus_register_notifier(&vio_bus_type, &fail_iommu_vio_bus_notifier); + #endif + + return 0; +-- +2.40.1 + diff --git a/queue-4.14/regmap-rbtree-use-alloc_flags-for-memory-allocations.patch b/queue-4.14/regmap-rbtree-use-alloc_flags-for-memory-allocations.patch new file mode 100644 index 00000000000..90301f7cbce --- /dev/null +++ b/queue-4.14/regmap-rbtree-use-alloc_flags-for-memory-allocations.patch @@ -0,0 +1,98 @@ +From bce66c4cfccc68068bdebd4a2f4adfb02278e19e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 17:55:33 +0300 +Subject: regmap: rbtree: Use alloc_flags for memory allocations + +From: Dan Carpenter + +[ Upstream commit 0c8b0bf42c8cef56f7cd9cd876fbb7ece9217064 ] + +The kunit tests discovered a sleeping in atomic bug. The allocations +in the regcache-rbtree code should use the map->alloc_flags instead of +GFP_KERNEL. + +[ 5.005510] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:306 +[ 5.005960] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 117, name: kunit_try_catch +[ 5.006219] preempt_count: 1, expected: 0 +[ 5.006414] 1 lock held by kunit_try_catch/117: +[ 5.006590] #0: 833b9010 (regmap_kunit:86:(config)->lock){....}-{2:2}, at: regmap_lock_spinlock+0x14/0x1c +[ 5.007493] irq event stamp: 162 +[ 5.007627] hardirqs last enabled at (161): [<80786738>] crng_make_state+0x1a0/0x294 +[ 5.007871] hardirqs last disabled at (162): [<80c531ec>] _raw_spin_lock_irqsave+0x7c/0x80 +[ 5.008119] softirqs last enabled at (0): [<801110ac>] copy_process+0x810/0x2138 +[ 5.008356] softirqs last disabled at (0): [<00000000>] 0x0 +[ 5.008688] CPU: 0 PID: 117 Comm: kunit_try_catch Tainted: G N 6.4.4-rc3-g0e8d2fdfb188 #1 +[ 5.009011] Hardware name: Generic DT based system +[ 5.009277] unwind_backtrace from show_stack+0x18/0x1c +[ 5.009497] show_stack from dump_stack_lvl+0x38/0x5c +[ 5.009676] dump_stack_lvl from __might_resched+0x188/0x2d0 +[ 5.009860] __might_resched from __kmem_cache_alloc_node+0x1dc/0x25c +[ 5.010061] __kmem_cache_alloc_node from kmalloc_trace+0x30/0xc8 +[ 5.010254] kmalloc_trace from regcache_rbtree_write+0x26c/0x468 +[ 5.010446] regcache_rbtree_write from _regmap_write+0x88/0x140 +[ 5.010634] _regmap_write from regmap_write+0x44/0x68 +[ 5.010803] regmap_write from basic_read_write+0x8c/0x270 +[ 5.010980] basic_read_write from kunit_try_run_case+0x48/0xa0 + +Fixes: 28644c809f44 ("regmap: Add the rbtree cache support") +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/all/ee59d128-413c-48ad-a3aa-d9d350c80042@roeck-us.net/ +Signed-off-by: Dan Carpenter +Tested-by: Guenter Roeck +Link: https://lore.kernel.org/r/58f12a07-5f4b-4a8f-ab84-0a42d1908cb9@moroto.mountain +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regcache-rbtree.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/base/regmap/regcache-rbtree.c b/drivers/base/regmap/regcache-rbtree.c +index e9b7ce8c272c6..7353c55270874 100644 +--- a/drivers/base/regmap/regcache-rbtree.c ++++ b/drivers/base/regmap/regcache-rbtree.c +@@ -291,7 +291,7 @@ static int regcache_rbtree_insert_to_block(struct regmap *map, + + blk = krealloc(rbnode->block, + blklen * map->cache_word_size, +- GFP_KERNEL); ++ map->alloc_flags); + if (!blk) + return -ENOMEM; + +@@ -300,7 +300,7 @@ static int regcache_rbtree_insert_to_block(struct regmap *map, + if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) { + present = krealloc(rbnode->cache_present, + BITS_TO_LONGS(blklen) * sizeof(*present), +- GFP_KERNEL); ++ map->alloc_flags); + if (!present) + return -ENOMEM; + +@@ -334,7 +334,7 @@ regcache_rbtree_node_alloc(struct regmap *map, unsigned int reg) + const struct regmap_range *range; + int i; + +- rbnode = kzalloc(sizeof(*rbnode), GFP_KERNEL); ++ rbnode = kzalloc(sizeof(*rbnode), map->alloc_flags); + if (!rbnode) + return NULL; + +@@ -360,13 +360,13 @@ regcache_rbtree_node_alloc(struct regmap *map, unsigned int reg) + } + + rbnode->block = kmalloc_array(rbnode->blklen, map->cache_word_size, +- GFP_KERNEL); ++ map->alloc_flags); + if (!rbnode->block) + goto err_free; + + rbnode->cache_present = kcalloc(BITS_TO_LONGS(rbnode->blklen), + sizeof(*rbnode->cache_present), +- GFP_KERNEL); ++ map->alloc_flags); + if (!rbnode->cache_present) + goto err_free_block; + +-- +2.40.1 + diff --git a/queue-4.14/reiserfs-check-the-return-value-from-__getblk.patch b/queue-4.14/reiserfs-check-the-return-value-from-__getblk.patch new file mode 100644 index 00000000000..50fc2ad16a5 --- /dev/null +++ b/queue-4.14/reiserfs-check-the-return-value-from-__getblk.patch @@ -0,0 +1,49 @@ +From 15e52b44a1fb04e59f7f6445107a3f7da218bbdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jun 2023 12:16:06 +0100 +Subject: reiserfs: Check the return value from __getblk() + +From: Matthew Wilcox + +[ Upstream commit ba38980add7ffc9e674ada5b4ded4e7d14e76581 ] + +__getblk() can return a NULL pointer if we run out of memory or if we +try to access beyond the end of the device; check it and handle it +appropriately. + +Signed-off-by: Matthew Wilcox (Oracle) +Link: https://lore.kernel.org/lkml/CAFcO6XOacq3hscbXevPQP7sXRoYFz34ZdKPYjmd6k5sZuhGFDw@mail.gmail.com/ +Tested-by: butt3rflyh4ck +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") # probably introduced in 2002 +Acked-by: Edward Shishkin +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/reiserfs/journal.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c +index 1a6e6343fed36..53d2e397c123e 100644 +--- a/fs/reiserfs/journal.c ++++ b/fs/reiserfs/journal.c +@@ -2333,7 +2333,7 @@ static struct buffer_head *reiserfs_breada(struct block_device *dev, + int i, j; + + bh = __getblk(dev, block, bufsize); +- if (buffer_uptodate(bh)) ++ if (!bh || buffer_uptodate(bh)) + return (bh); + + if (block + BUFNR > max_block) { +@@ -2343,6 +2343,8 @@ static struct buffer_head *reiserfs_breada(struct block_device *dev, + j = 1; + for (i = 1; i < blocks; i++) { + bh = __getblk(dev, block + i, bufsize); ++ if (!bh) ++ break; + if (buffer_uptodate(bh)) { + brelse(bh); + break; +-- +2.40.1 + diff --git a/queue-4.14/revert-ib-isert-fix-incorrect-release-of-isert-conne.patch b/queue-4.14/revert-ib-isert-fix-incorrect-release-of-isert-conne.patch new file mode 100644 index 00000000000..841503bdc9b --- /dev/null +++ b/queue-4.14/revert-ib-isert-fix-incorrect-release-of-isert-conne.patch @@ -0,0 +1,124 @@ +From ca3a08503885da29810d2dd96736e6083f3672d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Aug 2023 10:57:14 +0300 +Subject: Revert "IB/isert: Fix incorrect release of isert connection" + +From: Leon Romanovsky + +[ Upstream commit dfe261107c080709459c32695847eec96238852b ] + +Commit: 699826f4e30a ("IB/isert: Fix incorrect release of isert connection") is +causing problems on OPA when DEVICE_REMOVAL is happening. + + ------------[ cut here ]------------ + WARNING: CPU: 52 PID: 2117247 at drivers/infiniband/core/cq.c:359 +ib_cq_pool_cleanup+0xac/0xb0 [ib_core] + Modules linked in: nfsd nfs_acl target_core_user uio tcm_fc libfc +scsi_transport_fc tcm_loop target_core_pscsi target_core_iblock target_core_file +rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs +rfkill rpcrdma rdma_ucm ib_srpt sunrpc ib_isert iscsi_target_mod target_core_mod +opa_vnic ib_iser libiscsi ib_umad scsi_transport_iscsi rdma_cm ib_ipoib iw_cm +ib_cm hfi1(-) rdmavt ib_uverbs intel_rapl_msr intel_rapl_common sb_edac ib_core +x86_pkg_temp_thermal intel_powerclamp coretemp i2c_i801 mxm_wmi rapl iTCO_wdt +ipmi_si iTCO_vendor_support mei_me ipmi_devintf mei intel_cstate ioatdma +intel_uncore i2c_smbus joydev pcspkr lpc_ich ipmi_msghandler acpi_power_meter +acpi_pad xfs libcrc32c sr_mod sd_mod cdrom t10_pi sg crct10dif_pclmul +crc32_pclmul crc32c_intel drm_kms_helper drm_shmem_helper ahci libahci +ghash_clmulni_intel igb drm libata dca i2c_algo_bit wmi fuse + CPU: 52 PID: 2117247 Comm: modprobe Not tainted 6.5.0-rc1+ #1 + Hardware name: Intel Corporation S2600CWR/S2600CW, BIOS +SE5C610.86B.01.01.0014.121820151719 12/18/2015 + RIP: 0010:ib_cq_pool_cleanup+0xac/0xb0 [ib_core] + Code: ff 48 8b 43 40 48 8d 7b 40 48 83 e8 40 4c 39 e7 75 b3 49 83 +c4 10 4d 39 fc 75 94 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc <0f> 0b eb a1 +90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f + RSP: 0018:ffffc10bea13fc80 EFLAGS: 00010206 + RAX: 000000000000010c RBX: ffff9bf5c7e66c00 RCX: 000000008020001d + RDX: 000000008020001e RSI: fffff175221f9900 RDI: ffff9bf5c7e67640 + RBP: ffff9bf5c7e67600 R08: ffff9bf5c7e64400 R09: 000000008020001d + R10: 0000000040000000 R11: 0000000000000000 R12: ffff9bee4b1e8a18 + R13: dead000000000122 R14: dead000000000100 R15: ffff9bee4b1e8a38 + FS: 00007ff1e6d38740(0000) GS:ffff9bfd9fb00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00005652044ecc68 CR3: 0000000889b5c005 CR4: 00000000001706e0 + Call Trace: + + ? __warn+0x80/0x130 + ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] + ? report_bug+0x195/0x1a0 + ? handle_bug+0x3c/0x70 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] + disable_device+0x9d/0x160 [ib_core] + __ib_unregister_device+0x42/0xb0 [ib_core] + ib_unregister_device+0x22/0x30 [ib_core] + rvt_unregister_device+0x20/0x90 [rdmavt] + hfi1_unregister_ib_device+0x16/0xf0 [hfi1] + remove_one+0x55/0x1a0 [hfi1] + pci_device_remove+0x36/0xa0 + device_release_driver_internal+0x193/0x200 + driver_detach+0x44/0x90 + bus_remove_driver+0x69/0xf0 + pci_unregister_driver+0x2a/0xb0 + hfi1_mod_cleanup+0xc/0x3c [hfi1] + __do_sys_delete_module.constprop.0+0x17a/0x2f0 + ? exit_to_user_mode_prepare+0xc4/0xd0 + ? syscall_trace_enter.constprop.0+0x126/0x1a0 + do_syscall_64+0x5c/0x90 + ? syscall_exit_to_user_mode+0x12/0x30 + ? do_syscall_64+0x69/0x90 + ? syscall_exit_work+0x103/0x130 + ? syscall_exit_to_user_mode+0x12/0x30 + ? do_syscall_64+0x69/0x90 + ? exc_page_fault+0x65/0x150 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + RIP: 0033:0x7ff1e643f5ab + Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 +66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 +ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48 + RSP: 002b:00007ffec9103cc8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 + RAX: ffffffffffffffda RBX: 00005615267fdc50 RCX: 00007ff1e643f5ab + RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615267fdcb8 + RBP: 00005615267fdc50 R08: 0000000000000000 R09: 0000000000000000 + R10: 00007ff1e659eac0 R11: 0000000000000206 R12: 00005615267fdcb8 + R13: 0000000000000000 R14: 00005615267fdcb8 R15: 00007ffec9105ff8 + + ---[ end trace 0000000000000000 ]--- + +And... + + restrack: ------------[ cut here ]------------ + infiniband hfi1_0: BUG: RESTRACK detected leak of resources + restrack: Kernel PD object allocated by ib_isert is not freed + restrack: Kernel CQ object allocated by ib_core is not freed + restrack: Kernel QP object allocated by rdma_cm is not freed + restrack: ------------[ cut here ]------------ + +Fixes: 699826f4e30a ("IB/isert: Fix incorrect release of isert connection") +Reported-by: Dennis Dalessandro +Closes: https://lore.kernel.org/all/921cd1d9-2879-f455-1f50-0053fe6a6655@cornelisnetworks.com +Link: https://lore.kernel.org/r/a27982d3235005c58f6d321f3fad5eb6e1beaf9e.1692604607.git.leonro@nvidia.com +Tested-by: Dennis Dalessandro +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/isert/ib_isert.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c +index 598e2bb005c8c..0d9b53c6e2654 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2652,6 +2652,8 @@ static void isert_wait_conn(struct iscsi_conn *conn) + isert_put_unsol_pending_cmds(conn); + isert_wait4cmds(conn); + isert_wait4logout(isert_conn); ++ ++ queue_work(isert_release_wq, &isert_conn->release_work); + } + + static void isert_free_conn(struct iscsi_conn *conn) +-- +2.40.1 + diff --git a/queue-4.14/rpmsg-glink-add-check-for-kstrdup.patch b/queue-4.14/rpmsg-glink-add-check-for-kstrdup.patch new file mode 100644 index 00000000000..1b86e47ae10 --- /dev/null +++ b/queue-4.14/rpmsg-glink-add-check-for-kstrdup.patch @@ -0,0 +1,39 @@ +From e6d621818ce2a6a7da5e81becb538ffa6386faeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 11:06:31 +0800 +Subject: rpmsg: glink: Add check for kstrdup + +From: Jiasheng Jiang + +[ Upstream commit b5c9ee8296a3760760c7b5d2e305f91412adc795 ] + +Add check for the return value of kstrdup() and return the error +if it fails in order to avoid NULL pointer dereference. + +Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20230619030631.12361-1-jiasheng@iscas.ac.cn +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_glink_native.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c +index 0fb185e0620aa..c1dfad2986859 100644 +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -225,6 +225,10 @@ static struct glink_channel *qcom_glink_alloc_channel(struct qcom_glink *glink, + + channel->glink = glink; + channel->name = kstrdup(name, GFP_KERNEL); ++ if (!channel->name) { ++ kfree(channel); ++ return ERR_PTR(-ENOMEM); ++ } + + init_completion(&channel->open_req); + init_completion(&channel->open_ack); +-- +2.40.1 + diff --git a/queue-4.14/scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch b/queue-4.14/scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch new file mode 100644 index 00000000000..43f6fcf1860 --- /dev/null +++ b/queue-4.14/scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch @@ -0,0 +1,46 @@ +From a1e8d05d339d6d68c3118c1d7de26d19bd67a116 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 15:59:38 +0800 +Subject: scsi: be2iscsi: Add length check when parsing nlattrs + +From: Lin Ma + +[ Upstream commit ee0268f230f66cb472df3424f380ea668da2749a ] + +beiscsi_iface_set_param() parses nlattr with nla_for_each_attr and assumes +every attributes can be viewed as struct iscsi_iface_param_info. + +This is not true because there is no any nla_policy to validate the +attributes passed from the upper function iscsi_set_iface_params(). + +Add the nla_len check before accessing the nlattr data and return EINVAL if +the length check fails. + +Fixes: 0e43895ec1f4 ("[SCSI] be2iscsi: adding functionality to change network settings using iscsiadm") +Signed-off-by: Lin Ma +Link: https://lore.kernel.org/r/20230723075938.3713864-1-linma@zju.edu.cn +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/be2iscsi/be_iscsi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/be2iscsi/be_iscsi.c b/drivers/scsi/be2iscsi/be_iscsi.c +index 43a80ce5ce6a9..0e95bccac32e3 100644 +--- a/drivers/scsi/be2iscsi/be_iscsi.c ++++ b/drivers/scsi/be2iscsi/be_iscsi.c +@@ -442,6 +442,10 @@ int beiscsi_iface_set_param(struct Scsi_Host *shost, + } + + nla_for_each_attr(attrib, data, dt_len, rm_len) { ++ /* ignore nla_type as it is never used */ ++ if (nla_len(attrib) < sizeof(*iface_param)) ++ return -EINVAL; ++ + iface_param = nla_data(attrib); + + if (iface_param->param_type != ISCSI_NET_PARAM) +-- +2.40.1 + diff --git a/queue-4.14/scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch b/queue-4.14/scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch new file mode 100644 index 00000000000..28f4619bedb --- /dev/null +++ b/queue-4.14/scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch @@ -0,0 +1,61 @@ +From 7e1ff342147c94017c20a80805f8d0e197ab5361 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 10:03:25 -0400 +Subject: scsi: core: Use 32-bit hostnum in scsi_host_lookup() + +From: Tony Battersby + +[ Upstream commit 62ec2092095b678ff89ce4ba51c2938cd1e8e630 ] + +Change scsi_host_lookup() hostnum argument type from unsigned short to +unsigned int to match the type used everywhere else. + +Fixes: 6d49f63b415c ("[SCSI] Make host_no an unsigned int") +Signed-off-by: Tony Battersby +Link: https://lore.kernel.org/r/a02497e7-c12b-ef15-47fc-3f0a0b00ffce@cybernetics.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hosts.c | 4 ++-- + include/scsi/scsi_host.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c +index 27609b2ae544a..493700ae19b45 100644 +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -555,7 +555,7 @@ EXPORT_SYMBOL(scsi_unregister); + static int __scsi_host_match(struct device *dev, const void *data) + { + struct Scsi_Host *p; +- const unsigned short *hostnum = data; ++ const unsigned int *hostnum = data; + + p = class_to_shost(dev); + return p->host_no == *hostnum; +@@ -572,7 +572,7 @@ static int __scsi_host_match(struct device *dev, const void *data) + * that scsi_host_get() took. The put_device() below dropped + * the reference from class_find_device(). + **/ +-struct Scsi_Host *scsi_host_lookup(unsigned short hostnum) ++struct Scsi_Host *scsi_host_lookup(unsigned int hostnum) + { + struct device *cdev; + struct Scsi_Host *shost = NULL; +diff --git a/include/scsi/scsi_host.h b/include/scsi/scsi_host.h +index 9c1e4bad6581d..1294b6ce9884f 100644 +--- a/include/scsi/scsi_host.h ++++ b/include/scsi/scsi_host.h +@@ -786,7 +786,7 @@ extern void scsi_rescan_device(struct device *); + extern void scsi_remove_host(struct Scsi_Host *); + extern struct Scsi_Host *scsi_host_get(struct Scsi_Host *); + extern void scsi_host_put(struct Scsi_Host *t); +-extern struct Scsi_Host *scsi_host_lookup(unsigned short); ++extern struct Scsi_Host *scsi_host_lookup(unsigned int hostnum); + extern const char *scsi_host_state_name(enum scsi_host_state); + extern void scsi_cmd_get_serial(struct Scsi_Host *, struct scsi_cmnd *); + +-- +2.40.1 + diff --git a/queue-4.14/scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch b/queue-4.14/scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch new file mode 100644 index 00000000000..99db493f86f --- /dev/null +++ b/queue-4.14/scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch @@ -0,0 +1,156 @@ +From 422ec4858073eaa4966c7765d66d4c1d2a701daf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 07:47:08 +0000 +Subject: scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock + +From: Chengfeng Ye + +[ Upstream commit 1a1975551943f681772720f639ff42fbaa746212 ] + +There is a long call chain that &fip->ctlr_lock is acquired by isr +fnic_isr_msix_wq_copy() under hard IRQ context. Thus other process context +code acquiring the lock should disable IRQ, otherwise deadlock could happen +if the IRQ preempts the execution while the lock is held in process context +on the same CPU. + +[ISR] +fnic_isr_msix_wq_copy() + -> fnic_wq_copy_cmpl_handler() + -> fnic_fcpio_cmpl_handler() + -> fnic_fcpio_flogi_reg_cmpl_handler() + -> fnic_flush_tx() + -> fnic_send_frame() + -> fcoe_ctlr_els_send() + -> spin_lock_bh(&fip->ctlr_lock) + +[Process Context] +1. fcoe_ctlr_timer_work() + -> fcoe_ctlr_flogi_send() + -> spin_lock_bh(&fip->ctlr_lock) + +2. fcoe_ctlr_recv_work() + -> fcoe_ctlr_recv_handler() + -> fcoe_ctlr_recv_els() + -> fcoe_ctlr_announce() + -> spin_lock_bh(&fip->ctlr_lock) + +3. fcoe_ctlr_recv_work() + -> fcoe_ctlr_recv_handler() + -> fcoe_ctlr_recv_els() + -> fcoe_ctlr_flogi_retry() + -> spin_lock_bh(&fip->ctlr_lock) + +4. -> fcoe_xmit() + -> fcoe_ctlr_els_send() + -> spin_lock_bh(&fip->ctlr_lock) + +spin_lock_bh() is not enough since fnic_isr_msix_wq_copy() is a +hardirq. + +These flaws were found by an experimental static analysis tool I am +developing for irq-related deadlock. + +The patch fix the potential deadlocks by spin_lock_irqsave() to disable +hard irq. + +Fixes: 794d98e77f59 ("[SCSI] libfcoe: retry rejected FLOGI to another FCF if possible") +Signed-off-by: Chengfeng Ye +Link: https://lore.kernel.org/r/20230817074708.7509-1-dg573847474@gmail.com +Reviewed-by: Davidlohr Bueso +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/fcoe/fcoe_ctlr.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c +index 1c8fa41aa3ab7..57826f7bb9f2a 100644 +--- a/drivers/scsi/fcoe/fcoe_ctlr.c ++++ b/drivers/scsi/fcoe/fcoe_ctlr.c +@@ -330,16 +330,17 @@ static void fcoe_ctlr_announce(struct fcoe_ctlr *fip) + { + struct fcoe_fcf *sel; + struct fcoe_fcf *fcf; ++ unsigned long flags; + + mutex_lock(&fip->ctlr_mutex); +- spin_lock_bh(&fip->ctlr_lock); ++ spin_lock_irqsave(&fip->ctlr_lock, flags); + + kfree_skb(fip->flogi_req); + fip->flogi_req = NULL; + list_for_each_entry(fcf, &fip->fcfs, list) + fcf->flogi_sent = 0; + +- spin_unlock_bh(&fip->ctlr_lock); ++ spin_unlock_irqrestore(&fip->ctlr_lock, flags); + sel = fip->sel_fcf; + + if (sel && ether_addr_equal(sel->fcf_mac, fip->dest_addr)) +@@ -709,6 +710,7 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr *fip, struct fc_lport *lport, + { + struct fc_frame *fp; + struct fc_frame_header *fh; ++ unsigned long flags; + u16 old_xid; + u8 op; + u8 mac[ETH_ALEN]; +@@ -742,11 +744,11 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr *fip, struct fc_lport *lport, + op = FIP_DT_FLOGI; + if (fip->mode == FIP_MODE_VN2VN) + break; +- spin_lock_bh(&fip->ctlr_lock); ++ spin_lock_irqsave(&fip->ctlr_lock, flags); + kfree_skb(fip->flogi_req); + fip->flogi_req = skb; + fip->flogi_req_send = 1; +- spin_unlock_bh(&fip->ctlr_lock); ++ spin_unlock_irqrestore(&fip->ctlr_lock, flags); + schedule_work(&fip->timer_work); + return -EINPROGRESS; + case ELS_FDISC: +@@ -1723,10 +1725,11 @@ static int fcoe_ctlr_flogi_send_locked(struct fcoe_ctlr *fip) + static int fcoe_ctlr_flogi_retry(struct fcoe_ctlr *fip) + { + struct fcoe_fcf *fcf; ++ unsigned long flags; + int error; + + mutex_lock(&fip->ctlr_mutex); +- spin_lock_bh(&fip->ctlr_lock); ++ spin_lock_irqsave(&fip->ctlr_lock, flags); + LIBFCOE_FIP_DBG(fip, "re-sending FLOGI - reselect\n"); + fcf = fcoe_ctlr_select(fip); + if (!fcf || fcf->flogi_sent) { +@@ -1737,7 +1740,7 @@ static int fcoe_ctlr_flogi_retry(struct fcoe_ctlr *fip) + fcoe_ctlr_solicit(fip, NULL); + error = fcoe_ctlr_flogi_send_locked(fip); + } +- spin_unlock_bh(&fip->ctlr_lock); ++ spin_unlock_irqrestore(&fip->ctlr_lock, flags); + mutex_unlock(&fip->ctlr_mutex); + return error; + } +@@ -1754,8 +1757,9 @@ static int fcoe_ctlr_flogi_retry(struct fcoe_ctlr *fip) + static void fcoe_ctlr_flogi_send(struct fcoe_ctlr *fip) + { + struct fcoe_fcf *fcf; ++ unsigned long flags; + +- spin_lock_bh(&fip->ctlr_lock); ++ spin_lock_irqsave(&fip->ctlr_lock, flags); + fcf = fip->sel_fcf; + if (!fcf || !fip->flogi_req_send) + goto unlock; +@@ -1782,7 +1786,7 @@ static void fcoe_ctlr_flogi_send(struct fcoe_ctlr *fip) + } else /* XXX */ + LIBFCOE_FIP_DBG(fip, "No FCF selected - defer send\n"); + unlock: +- spin_unlock_bh(&fip->ctlr_lock); ++ spin_unlock_irqrestore(&fip->ctlr_lock, flags); + } + + /** +-- +2.40.1 + diff --git a/queue-4.14/scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch b/queue-4.14/scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch new file mode 100644 index 00000000000..dcab150f496 --- /dev/null +++ b/queue-4.14/scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch @@ -0,0 +1,79 @@ +From 32dcdab0fcf6c3594ccaef01786f584f09befb64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 15:58:20 +0800 +Subject: scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param() + +From: Lin Ma + +[ Upstream commit ce51c817008450ef4188471db31639d42d37a5e1 ] + +The functions iscsi_if_set_param() and iscsi_if_set_host_param() convert an +nlattr payload to type char* and then call C string handling functions like +sscanf and kstrdup: + + char *data = (char*)ev + sizeof(*ev); + ... + sscanf(data, "%d", &value); + +However, since the nlattr is provided by the user-space program and the +nlmsg skb is allocated with GFP_KERNEL instead of GFP_ZERO flag (see +netlink_alloc_large_skb() in netlink_sendmsg()), dirty data on the heap can +lead to an OOB access for those string handling functions. + +By investigating how the bug is introduced, we find it is really +interesting as the old version parsing code starting from commit +fd7255f51a13 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") treated +the nlattr as integer bytes instead of string and had length check in +iscsi_copy_param(): + + if (ev->u.set_param.len != sizeof(uint32_t)) + BUG(); + +But, since the commit a54a52caad4b ("[SCSI] iscsi: fixup set/get param +functions"), the code treated the nlattr as C string while forgetting to +add any strlen checks(), opening the possibility of an OOB access. + +Fix the potential OOB by adding the strlen() check before accessing the +buf. If the data passes this check, all low-level set_param handlers can +safely treat this buf as legal C string. + +Fixes: fd7255f51a13 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") +Fixes: 1d9bf13a9cf9 ("[SCSI] iscsi class: add iscsi host set param event") +Signed-off-by: Lin Ma +Link: https://lore.kernel.org/r/20230723075820.3713119-1-linma@zju.edu.cn +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 26c6f1b288013..d90fdfbb69de6 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2765,6 +2765,10 @@ iscsi_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev) + if (!conn || !session) + return -EINVAL; + ++ /* data will be regarded as NULL-ended string, do length check */ ++ if (strlen(data) > ev->u.set_param.len) ++ return -EINVAL; ++ + switch (ev->u.set_param.param) { + case ISCSI_PARAM_SESS_RECOVERY_TMO: + sscanf(data, "%d", &value); +@@ -2917,6 +2921,10 @@ iscsi_set_host_param(struct iscsi_transport *transport, + return -ENODEV; + } + ++ /* see similar check in iscsi_if_set_param() */ ++ if (strlen(data) > ev->u.set_host_param.len) ++ return -EINVAL; ++ + err = transport->set_host_param(shost, ev->u.set_host_param.param, + data, ev->u.set_host_param.len); + scsi_host_put(shost); +-- +2.40.1 + diff --git a/queue-4.14/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch b/queue-4.14/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch new file mode 100644 index 00000000000..29b7f2114f8 --- /dev/null +++ b/queue-4.14/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch @@ -0,0 +1,112 @@ +From d3cc44d8db74c077a78597b2c6abc91b2ed7184b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 10:40:34 +0200 +Subject: scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() + directly + +From: Oleksandr Natalenko + +[ Upstream commit 25dbc20deab5165f847b4eb42f376f725a986ee8 ] + +The qedf_dbg_fp_int_cmd_read() function invokes sprintf() directly on a +__user pointer, which may crash the kernel. + +Avoid doing that by vmalloc()'ating a buffer for scnprintf() and then +calling simple_read_from_buffer() which does a proper copy_to_user() call. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/ +Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/ +Cc: Saurav Kashyap +Cc: Rob Evers +Cc: Johannes Thumshirn +Cc: David Laight +Cc: Jozef Bacik +Cc: Laurence Oberman +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: GR-QLogic-Storage-Upstream@marvell.com +Cc: linux-scsi@vger.kernel.org +Reviewed-by: Laurence Oberman +Reviewed-by: Johannes Thumshirn +Tested-by: Laurence Oberman +Acked-by: Saurav Kashyap +Signed-off-by: Oleksandr Natalenko +Link: https://lore.kernel.org/r/20230731084034.37021-4-oleksandr@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_dbg.h | 2 ++ + drivers/scsi/qedf/qedf_debugfs.c | 21 +++++++++++++++------ + 2 files changed, 17 insertions(+), 6 deletions(-) + +diff --git a/drivers/scsi/qedf/qedf_dbg.h b/drivers/scsi/qedf/qedf_dbg.h +index 50083cae84c37..9fa5da44971a4 100644 +--- a/drivers/scsi/qedf/qedf_dbg.h ++++ b/drivers/scsi/qedf/qedf_dbg.h +@@ -63,6 +63,8 @@ extern uint qedf_debug; + #define QEDF_LOG_NOTICE 0x40000000 /* Notice logs */ + #define QEDF_LOG_WARN 0x80000000 /* Warning logs */ + ++#define QEDF_DEBUGFS_LOG_LEN (2 * PAGE_SIZE) ++ + /* Debug context structure */ + struct qedf_dbg_ctx { + unsigned int host_no; +diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c +index 273dd258a0022..41fa846f0bdb7 100644 +--- a/drivers/scsi/qedf/qedf_debugfs.c ++++ b/drivers/scsi/qedf/qedf_debugfs.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + + #include "qedf.h" + #include "qedf_dbg.h" +@@ -117,7 +118,9 @@ static ssize_t + qedf_dbg_fp_int_cmd_read(struct file *filp, char __user *buffer, size_t count, + loff_t *ppos) + { ++ ssize_t ret; + size_t cnt = 0; ++ char *cbuf; + int id; + struct qedf_fastpath *fp = NULL; + struct qedf_dbg_ctx *qedf_dbg = +@@ -127,19 +130,25 @@ qedf_dbg_fp_int_cmd_read(struct file *filp, char __user *buffer, size_t count, + + QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n"); + +- cnt = sprintf(buffer, "\nFastpath I/O completions\n\n"); ++ cbuf = vmalloc(QEDF_DEBUGFS_LOG_LEN); ++ if (!cbuf) ++ return 0; ++ ++ cnt += scnprintf(cbuf + cnt, QEDF_DEBUGFS_LOG_LEN - cnt, "\nFastpath I/O completions\n\n"); + + for (id = 0; id < qedf->num_queues; id++) { + fp = &(qedf->fp_array[id]); + if (fp->sb_id == QEDF_SB_ID_NULL) + continue; +- cnt += sprintf((buffer + cnt), "#%d: %lu\n", id, +- fp->completions); ++ cnt += scnprintf(cbuf + cnt, QEDF_DEBUGFS_LOG_LEN - cnt, ++ "#%d: %lu\n", id, fp->completions); + } + +- cnt = min_t(int, count, cnt - *ppos); +- *ppos += cnt; +- return cnt; ++ ret = simple_read_from_buffer(buffer, count, ppos, cbuf, cnt); ++ ++ vfree(cbuf); ++ ++ return ret; + } + + static ssize_t +-- +2.40.1 + diff --git a/queue-4.14/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch b/queue-4.14/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch new file mode 100644 index 00000000000..66fd412eb07 --- /dev/null +++ b/queue-4.14/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch @@ -0,0 +1,70 @@ +From e47048fd5a21622f516d28178046c98e0e606041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 10:40:32 +0200 +Subject: scsi: qedf: Do not touch __user pointer in + qedf_dbg_stop_io_on_error_cmd_read() directly + +From: Oleksandr Natalenko + +[ Upstream commit 7d3d20dee4f648ec44e9717d5f647d594d184433 ] + +The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf() +directly on a __user pointer, which may crash the kernel. + +Avoid doing that by using a small on-stack buffer for scnprintf() and then +calling simple_read_from_buffer() which does a proper copy_to_user() call. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/ +Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/ +Cc: Saurav Kashyap +Cc: Rob Evers +Cc: Johannes Thumshirn +Cc: David Laight +Cc: Jozef Bacik +Cc: Laurence Oberman +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: GR-QLogic-Storage-Upstream@marvell.com +Cc: linux-scsi@vger.kernel.org +Reviewed-by: Laurence Oberman +Reviewed-by: Johannes Thumshirn +Tested-by: Laurence Oberman +Acked-by: Saurav Kashyap +Signed-off-by: Oleksandr Natalenko +Link: https://lore.kernel.org/r/20230731084034.37021-2-oleksandr@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_debugfs.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c +index 2b1ef3075e93f..273dd258a0022 100644 +--- a/drivers/scsi/qedf/qedf_debugfs.c ++++ b/drivers/scsi/qedf/qedf_debugfs.c +@@ -204,18 +204,17 @@ qedf_dbg_stop_io_on_error_cmd_read(struct file *filp, char __user *buffer, + size_t count, loff_t *ppos) + { + int cnt; ++ char cbuf[7]; + struct qedf_dbg_ctx *qedf_dbg = + (struct qedf_dbg_ctx *)filp->private_data; + struct qedf_ctx *qedf = container_of(qedf_dbg, + struct qedf_ctx, dbg_ctx); + + QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n"); +- cnt = sprintf(buffer, "%s\n", ++ cnt = scnprintf(cbuf, sizeof(cbuf), "%s\n", + qedf->stop_io_on_error ? "true" : "false"); + +- cnt = min_t(int, count, cnt - *ppos); +- *ppos += cnt; +- return cnt; ++ return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt); + } + + static ssize_t +-- +2.40.1 + diff --git a/queue-4.14/scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch b/queue-4.14/scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch new file mode 100644 index 00000000000..23c05506080 --- /dev/null +++ b/queue-4.14/scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch @@ -0,0 +1,80 @@ +From 3587d58ac3ad9eb503752cb06c89e4b3dbc89588 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 16:00:53 +0800 +Subject: scsi: qla4xxx: Add length check when parsing nlattrs + +From: Lin Ma + +[ Upstream commit 47cd3770e31df942e2bb925a9a855c79ed0662eb ] + +There are three places that qla4xxx parses nlattrs: + + - qla4xxx_set_chap_entry() + + - qla4xxx_iface_set_param() + + - qla4xxx_sysfs_ddb_set_param() + +and each of them directly converts the nlattr to specific pointer of +structure without length checking. This could be dangerous as those +attributes are not validated and a malformed nlattr (e.g., length 0) could +result in an OOB read that leaks heap dirty data. + +Add the nla_len check before accessing the nlattr data and return EINVAL if +the length check fails. + +Fixes: 26ffd7b45fe9 ("[SCSI] qla4xxx: Add support to set CHAP entries") +Fixes: 1e9e2be3ee03 ("[SCSI] qla4xxx: Add flash node mgmt support") +Fixes: 00c31889f751 ("[SCSI] qla4xxx: fix data alignment and use nl helpers") +Signed-off-by: Lin Ma +Link: https://lore.kernel.org/r/20230723080053.3714534-1-linma@zju.edu.cn +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index 62022a66e9ee2..d6e9717cb0fb5 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -942,6 +942,11 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len) + memset(&chap_rec, 0, sizeof(chap_rec)); + + nla_for_each_attr(attr, data, len, rem) { ++ if (nla_len(attr) < sizeof(*param_info)) { ++ rc = -EINVAL; ++ goto exit_set_chap; ++ } ++ + param_info = nla_data(attr); + + switch (param_info->param) { +@@ -2727,6 +2732,11 @@ qla4xxx_iface_set_param(struct Scsi_Host *shost, void *data, uint32_t len) + } + + nla_for_each_attr(attr, data, len, rem) { ++ if (nla_len(attr) < sizeof(*iface_param)) { ++ rval = -EINVAL; ++ goto exit_init_fw_cb; ++ } ++ + iface_param = nla_data(attr); + + if (iface_param->param_type == ISCSI_NET_PARAM) { +@@ -8102,6 +8112,11 @@ qla4xxx_sysfs_ddb_set_param(struct iscsi_bus_flash_session *fnode_sess, + + memset((void *)&chap_tbl, 0, sizeof(chap_tbl)); + nla_for_each_attr(attr, data, len, rem) { ++ if (nla_len(attr) < sizeof(*fnode_param)) { ++ rc = -EINVAL; ++ goto exit_set_param; ++ } ++ + fnode_param = nla_data(attr); + + switch (fnode_param->param) { +-- +2.40.1 + diff --git a/queue-4.14/serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch b/queue-4.14/serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch new file mode 100644 index 00000000000..2d076f883d1 --- /dev/null +++ b/queue-4.14/serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch @@ -0,0 +1,41 @@ +From 61df5301529633051110291290397afbfa1d3702 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 18:54:06 +0800 +Subject: serial: tegra: handle clk prepare error in tegra_uart_hw_init() + +From: Yi Yang + +[ Upstream commit 5abd01145d0cc6cd1b7c2fe6ee0b9ea0fa13671e ] + +In tegra_uart_hw_init(), the return value of clk_prepare_enable() should +be checked since it might fail. + +Fixes: e9ea096dd225 ("serial: tegra: add serial driver") +Signed-off-by: Yi Yang +Link: https://lore.kernel.org/r/20230817105406.228674-1-yiyang13@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial-tegra.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/serial-tegra.c b/drivers/tty/serial/serial-tegra.c +index a13d6d4674bcc..05e522be94669 100644 +--- a/drivers/tty/serial/serial-tegra.c ++++ b/drivers/tty/serial/serial-tegra.c +@@ -827,7 +827,11 @@ static int tegra_uart_hw_init(struct tegra_uart_port *tup) + tup->ier_shadow = 0; + tup->current_baud = 0; + +- clk_prepare_enable(tup->uart_clk); ++ ret = clk_prepare_enable(tup->uart_clk); ++ if (ret) { ++ dev_err(tup->uport.dev, "could not enable clk\n"); ++ return ret; ++ } + + /* Reset the UART controller to clear all previous status.*/ + reset_control_assert(tup->rst); +-- +2.40.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 3fd6cce0f45..43f478234a6 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -32,3 +32,66 @@ powerpc-32s-fix-assembler-warning-about-r0.patch udf-check-consistency-of-space-bitmap-descriptor.patch udf-handle-error-when-adding-extent-to-a-file.patch revert-net-macsec-preserve-ingress-frame-ordering.patch +reiserfs-check-the-return-value-from-__getblk.patch +fs-fix-error-checking-for-d_hash_and_lookup.patch +cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch +regmap-rbtree-use-alloc_flags-for-memory-allocations.patch +spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch +can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch +wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch +bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch +net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch +crypto-caam-fix-unchecked-return-value-error.patch +lwt-check-lwtunnel_xmit_continue-strictly.patch +fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch +wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch +wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch +wifi-ath9k-protect-wmi-command-response-buffer-repla.patch +wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch +wifi-ath9k-use-is_err-with-debugfs_create_dir.patch +net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch +netrom-deny-concurrent-connect.patch +arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch +arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch +arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch +arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch +drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch +of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch +smackfs-prevent-underflow-in-smk_set_cipso.patch +audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch +md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch +alsa-ac97-fix-possible-error-value-of-rac97.patch +drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch +clk-sunxi-ng-modify-mismatched-function-name.patch +pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch +pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch +wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch +nfs-blocklayout-use-the-passed-in-gfp-flags.patch +powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch +jfs-validate-max-amount-of-blocks-before-allocation.patch +fs-lockd-avoid-possible-wrong-null-parameter.patch +nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch +drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch +media-dib7000p-fix-potential-division-by-zero.patch +media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch +media-cx24120-add-retval-check-for-cx24120_message_s.patch +media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch +usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch +scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch +scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch +scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch +x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch +scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch +scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch +dma-buf-sync_file-fix-docs-syntax.patch +media-go7007-remove-redundant-if-statement.patch +usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch +cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch +scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch +scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch +serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch +amba-bus-fix-refcount-leak.patch +revert-ib-isert-fix-incorrect-release-of-isert-conne.patch +hid-multitouch-correct-devm-device-reference-for-hid.patch +rpmsg-glink-add-check-for-kstrdup.patch +dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch diff --git a/queue-4.14/smackfs-prevent-underflow-in-smk_set_cipso.patch b/queue-4.14/smackfs-prevent-underflow-in-smk_set_cipso.patch new file mode 100644 index 00000000000..c0b71860b00 --- /dev/null +++ b/queue-4.14/smackfs-prevent-underflow-in-smk_set_cipso.patch @@ -0,0 +1,37 @@ +From bb9b7e888491e7fd69a5b16d03e5f0fb0fd67a4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 08:52:39 +0300 +Subject: smackfs: Prevent underflow in smk_set_cipso() + +From: Dan Carpenter + +[ Upstream commit 3ad49d37cf5759c3b8b68d02e3563f633d9c1aee ] + +There is a upper bound to "catlen" but no lower bound to prevent +negatives. I don't see that this necessarily causes a problem but we +may as well be safe. + +Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") +Signed-off-by: Dan Carpenter +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index a9c516362170a..61e734baa332a 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -923,7 +923,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + } + + ret = sscanf(rule, "%d", &catlen); +- if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM) ++ if (ret != 1 || catlen < 0 || catlen > SMACK_CIPSO_MAXCATNUM) + goto out; + + if (format == SMK_FIXED24_FMT && +-- +2.40.1 + diff --git a/queue-4.14/spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch b/queue-4.14/spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch new file mode 100644 index 00000000000..46daf618691 --- /dev/null +++ b/queue-4.14/spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch @@ -0,0 +1,44 @@ +From 31d41bfec1514fb607d38f7e2665fd5d40e17584 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jul 2023 23:49:09 +0800 +Subject: spi: tegra20-sflash: fix to check return value of platform_get_irq() + in tegra_sflash_probe() + +From: Zhang Shurong + +[ Upstream commit 29a449e765ff70a5bd533be94babb6d36985d096 ] + +The platform_get_irq might be failed and return a negative result. So +there should have an error handling code. + +Fixed this by adding an error handling code. + +Fixes: 8528547bcc33 ("spi: tegra: add spi driver for sflash controller") +Signed-off-by: Zhang Shurong +Link: https://lore.kernel.org/r/tencent_71FC162D589E4788C2152AAC84CD8D5C6D06@qq.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra20-sflash.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-tegra20-sflash.c b/drivers/spi/spi-tegra20-sflash.c +index 749288310c36c..2989795272a16 100644 +--- a/drivers/spi/spi-tegra20-sflash.c ++++ b/drivers/spi/spi-tegra20-sflash.c +@@ -469,7 +469,11 @@ static int tegra_sflash_probe(struct platform_device *pdev) + goto exit_free_master; + } + +- tsd->irq = platform_get_irq(pdev, 0); ++ ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ goto exit_free_master; ++ tsd->irq = ret; ++ + ret = request_irq(tsd->irq, tegra_sflash_isr, 0, + dev_name(&pdev->dev), tsd); + if (ret < 0) { +-- +2.40.1 + diff --git a/queue-4.14/usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch b/queue-4.14/usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch new file mode 100644 index 00000000000..1549753c63e --- /dev/null +++ b/queue-4.14/usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch @@ -0,0 +1,37 @@ +From e69e0b6c9a14a36297ab401e6f682710f7d28350 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 13:47:04 -0400 +Subject: USB: gadget: f_mass_storage: Fix unused variable warning + +From: Alan Stern + +[ Upstream commit 55c3e571d2a0aabef4f1354604443f1c415d2e85 ] + +Fix a "variable set but not used" warning in f_mass_storage.c. rc is +used if verbose debugging is enabled but not otherwise. + +Signed-off-by: Alan Stern +Fixes: d5e2b67aae79 ("USB: g_mass_storage: template f_mass_storage.c file created") +Link: https://lore.kernel.org/r/cfed16c7-aa46-494b-ba84-b0e0dc99be3a@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_mass_storage.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c +index 41b5baa1f43b7..6aee3cf50c747 100644 +--- a/drivers/usb/gadget/function/f_mass_storage.c ++++ b/drivers/usb/gadget/function/f_mass_storage.c +@@ -952,7 +952,7 @@ static void invalidate_sub(struct fsg_lun *curlun) + { + struct file *filp = curlun->filp; + struct inode *inode = file_inode(filp); +- unsigned long rc; ++ unsigned long __maybe_unused rc; + + rc = invalidate_mapping_pages(inode->i_mapping, 0, -1); + VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc); +-- +2.40.1 + diff --git a/queue-4.14/usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch b/queue-4.14/usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch new file mode 100644 index 00000000000..019fed49b47 --- /dev/null +++ b/queue-4.14/usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch @@ -0,0 +1,50 @@ +From 6d8345e0d1f7c786a2763ecf071181bb0883b6dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jun 2023 19:03:52 +0800 +Subject: usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host() + +From: Xu Yang + +[ Upstream commit 5eda42aebb7668b4dcff025cd3ccb0d3d7c53da6 ] + +The function mxs_phy_is_otg_host() will return true if OTG_ID_VALUE is +0 at USBPHY_CTRL register. However, OTG_ID_VALUE will not reflect the real +state if the ID pin is float, such as Host-only or Type-C cases. The value +of OTG_ID_VALUE is always 1 which means device mode. +This patch will fix the issue by judging the current mode based on +last_event. The controller will update last_event in time. + +Fixes: 7b09e67639d6 ("usb: phy: mxs: refine mxs_phy_disconnect_line") +Signed-off-by: Xu Yang +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20230627110353.1879477-2-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/phy/phy-mxs-usb.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/drivers/usb/phy/phy-mxs-usb.c b/drivers/usb/phy/phy-mxs-usb.c +index 0e2f1a36d315d..6e462a8d83093 100644 +--- a/drivers/usb/phy/phy-mxs-usb.c ++++ b/drivers/usb/phy/phy-mxs-usb.c +@@ -303,14 +303,8 @@ static void __mxs_phy_disconnect_line(struct mxs_phy *mxs_phy, bool disconnect) + + static bool mxs_phy_is_otg_host(struct mxs_phy *mxs_phy) + { +- void __iomem *base = mxs_phy->phy.io_priv; +- u32 phyctrl = readl(base + HW_USBPHY_CTRL); +- +- if (IS_ENABLED(CONFIG_USB_OTG) && +- !(phyctrl & BM_USBPHY_CTRL_OTG_ID_VALUE)) +- return true; +- +- return false; ++ return IS_ENABLED(CONFIG_USB_OTG) && ++ mxs_phy->phy.last_event == USB_EVENT_ID; + } + + static void mxs_phy_disconnect_line(struct mxs_phy *mxs_phy, bool on) +-- +2.40.1 + diff --git a/queue-4.14/wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch b/queue-4.14/wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch new file mode 100644 index 00000000000..2b273f011fe --- /dev/null +++ b/queue-4.14/wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch @@ -0,0 +1,61 @@ +From 3d08a70770b2c18d9e5b014d5f84142f7936530f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:05:02 +0300 +Subject: wifi: ath10k: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit f139492a09f15254fa261245cdbd65555cdf39e3 ] + +Don't assume that only the driver would be accessing LNKCTL. ASPM policy +changes can trigger write to LNKCTL outside of driver's control. + +Use RMW capability accessors which does proper locking to avoid losing +concurrent updates to the register value. On restore, clear the ASPMC field +properly. + +Suggested-by: Lukas Wunner +Fixes: 76d870ed09ab ("ath10k: enable ASPM") +Link: https://lore.kernel.org/r/20230717120503.15276-11-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Reviewed-by: Simon Horman +Acked-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/pci.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c +index 07457eb9d4551..27200544162c7 100644 +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -1661,8 +1661,9 @@ static int ath10k_pci_hif_start(struct ath10k *ar) + ath10k_pci_irq_enable(ar); + ath10k_pci_rx_post(ar); + +- pcie_capability_write_word(ar_pci->pdev, PCI_EXP_LNKCTL, +- ar_pci->link_ctl); ++ pcie_capability_clear_and_set_word(ar_pci->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_ASPMC, ++ ar_pci->link_ctl & PCI_EXP_LNKCTL_ASPMC); + + return 0; + } +@@ -2516,8 +2517,8 @@ static int ath10k_pci_hif_power_up(struct ath10k *ar) + + pcie_capability_read_word(ar_pci->pdev, PCI_EXP_LNKCTL, + &ar_pci->link_ctl); +- pcie_capability_write_word(ar_pci->pdev, PCI_EXP_LNKCTL, +- ar_pci->link_ctl & ~PCI_EXP_LNKCTL_ASPMC); ++ pcie_capability_clear_word(ar_pci->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_ASPMC); + + /* + * Bring the target up cleanly. +-- +2.40.1 + diff --git a/queue-4.14/wifi-ath9k-protect-wmi-command-response-buffer-repla.patch b/queue-4.14/wifi-ath9k-protect-wmi-command-response-buffer-repla.patch new file mode 100644 index 00000000000..94372caeffb --- /dev/null +++ b/queue-4.14/wifi-ath9k-protect-wmi-command-response-buffer-repla.patch @@ -0,0 +1,78 @@ +From e98d3f2bfcc09c1555a9d13b513c9a987f08c304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 22:26:07 +0300 +Subject: wifi: ath9k: protect WMI command response buffer replacement with a + lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 454994cfa9e4c18b6df9f78b60db8eadc20a6c25 ] + +If ath9k_wmi_cmd() has exited with a timeout, it is possible that during +next ath9k_wmi_cmd() call the wmi_rsp callback for previous wmi command +writes to new wmi->cmd_rsp_buf and makes a completion. This results in an +invalid ath9k_wmi_cmd() return value. + +Move the replacement of WMI command response buffer and length under +wmi_lock. Note that last_seq_id value is updated there, too. + +Thus, the buffer cannot be written to by a belated wmi_rsp callback +because that path is properly rejected by the last_seq_id check. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Signed-off-by: Fedor Pchelkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230425192607.18015-2-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index 7b4e922181190..e0ecd2e867477 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -279,7 +279,8 @@ int ath9k_wmi_connect(struct htc_target *htc, struct wmi *wmi, + + static int ath9k_wmi_cmd_issue(struct wmi *wmi, + struct sk_buff *skb, +- enum wmi_cmd_id cmd, u16 len) ++ enum wmi_cmd_id cmd, u16 len, ++ u8 *rsp_buf, u32 rsp_len) + { + struct wmi_cmd_hdr *hdr; + unsigned long flags; +@@ -289,6 +290,11 @@ static int ath9k_wmi_cmd_issue(struct wmi *wmi, + hdr->seq_no = cpu_to_be16(++wmi->tx_seq_id); + + spin_lock_irqsave(&wmi->wmi_lock, flags); ++ ++ /* record the rsp buffer and length */ ++ wmi->cmd_rsp_buf = rsp_buf; ++ wmi->cmd_rsp_len = rsp_len; ++ + wmi->last_seq_id = wmi->tx_seq_id; + spin_unlock_irqrestore(&wmi->wmi_lock, flags); + +@@ -329,11 +335,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + goto out; + } + +- /* record the rsp buffer and length */ +- wmi->cmd_rsp_buf = rsp_buf; +- wmi->cmd_rsp_len = rsp_len; +- +- ret = ath9k_wmi_cmd_issue(wmi, skb, cmd_id, cmd_len); ++ ret = ath9k_wmi_cmd_issue(wmi, skb, cmd_id, cmd_len, rsp_buf, rsp_len); + if (ret) + goto out; + +-- +2.40.1 + diff --git a/queue-4.14/wifi-ath9k-use-is_err-with-debugfs_create_dir.patch b/queue-4.14/wifi-ath9k-use-is_err-with-debugfs_create_dir.patch new file mode 100644 index 00000000000..7c4a130de24 --- /dev/null +++ b/queue-4.14/wifi-ath9k-use-is_err-with-debugfs_create_dir.patch @@ -0,0 +1,44 @@ +From 0b598fe25a3a8afc623a4c52208ad4dd33b0af89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 11:03:44 +0800 +Subject: wifi: ath9k: use IS_ERR() with debugfs_create_dir() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wang Ming + +[ Upstream commit 1e4134610d93271535ecf900a676e1f094e9944c ] + +The debugfs_create_dir() function returns error pointers, +it never returns NULL. Most incorrect error checks were fixed, +but the one in ath9k_htc_init_debug() was forgotten. + +Fix the remaining error check. + +Fixes: e5facc75fa91 ("ath9k_htc: Cleanup HTC debugfs") +Signed-off-by: Wang Ming +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230713030358.12379-1-machel@vivo.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c +index dc79afd7e151b..b711b2e1ce93e 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c +@@ -491,7 +491,7 @@ int ath9k_htc_init_debug(struct ath_hw *ah) + + priv->debug.debugfs_phy = debugfs_create_dir(KBUILD_MODNAME, + priv->hw->wiphy->debugfsdir); +- if (!priv->debug.debugfs_phy) ++ if (IS_ERR(priv->debug.debugfs_phy)) + return -ENOMEM; + + ath9k_cmn_spectral_init_debug(&priv->spec_priv, priv->debug.debugfs_phy); +-- +2.40.1 + diff --git a/queue-4.14/wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch b/queue-4.14/wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch new file mode 100644 index 00000000000..6fb978957ea --- /dev/null +++ b/queue-4.14/wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch @@ -0,0 +1,50 @@ +From 55cab595609b5d2f538cdf31dc49563842df211a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 12:49:57 +0300 +Subject: wifi: mwifiex: avoid possible NULL skb pointer dereference + +From: Dmitry Antipov + +[ Upstream commit 35a7a1ce7c7d61664ee54f5239a1f120ab95a87e ] + +In 'mwifiex_handle_uap_rx_forward()', always check the value +returned by 'skb_copy()' to avoid potential NULL pointer +dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop +original skb in case of copying failure. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 838e4f449297 ("mwifiex: improve uAP RX handling") +Acked-by: Brian Norris +Signed-off-by: Dmitry Antipov +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230814095041.16416-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +index 90c07722c25f8..a887d7a9b7c03 100644 +--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c ++++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +@@ -266,7 +266,15 @@ int mwifiex_handle_uap_rx_forward(struct mwifiex_private *priv, + + if (is_multicast_ether_addr(ra)) { + skb_uap = skb_copy(skb, GFP_ATOMIC); +- mwifiex_uap_queue_bridged_pkt(priv, skb_uap); ++ if (likely(skb_uap)) { ++ mwifiex_uap_queue_bridged_pkt(priv, skb_uap); ++ } else { ++ mwifiex_dbg(adapter, ERROR, ++ "failed to copy skb for uAP\n"); ++ priv->stats.rx_dropped++; ++ dev_kfree_skb_any(skb); ++ return -1; ++ } + } else { + if (mwifiex_get_sta_entry(priv, ra)) { + /* Requeue Intra-BSS packet */ +-- +2.40.1 + diff --git a/queue-4.14/wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch b/queue-4.14/wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch new file mode 100644 index 00000000000..93a7f92d08b --- /dev/null +++ b/queue-4.14/wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch @@ -0,0 +1,52 @@ +From 925e614949c94a123261ae3d0f50a4d07184aacc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 19:07:15 +0300 +Subject: wifi: mwifiex: fix memory leak in mwifiex_histogram_read() + +From: Dmitry Antipov + +[ Upstream commit 9c8fd72a5c2a031cbc680a2990107ecd958ffcdb ] + +Always free the zeroed page on return from 'mwifiex_histogram_read()'. + +Fixes: cbf6e05527a7 ("mwifiex: add rx histogram statistics support") + +Acked-by: Brian Norris +Signed-off-by: Dmitry Antipov +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230802160726.85545-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/debugfs.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c +index 49ca84ef1a992..b843be87112c0 100644 +--- a/drivers/net/wireless/marvell/mwifiex/debugfs.c ++++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c +@@ -288,8 +288,11 @@ mwifiex_histogram_read(struct file *file, char __user *ubuf, + if (!p) + return -ENOMEM; + +- if (!priv || !priv->hist_data) +- return -EFAULT; ++ if (!priv || !priv->hist_data) { ++ ret = -EFAULT; ++ goto free_and_exit; ++ } ++ + phist_data = priv->hist_data; + + p += sprintf(p, "\n" +@@ -344,6 +347,8 @@ mwifiex_histogram_read(struct file *file, char __user *ubuf, + ret = simple_read_from_buffer(ubuf, count, ppos, (char *)page, + (unsigned long)p - page); + ++free_and_exit: ++ free_page(page); + return ret; + } + +-- +2.40.1 + diff --git a/queue-4.14/wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch b/queue-4.14/wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch new file mode 100644 index 00000000000..bf7bdd1b38d --- /dev/null +++ b/queue-4.14/wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch @@ -0,0 +1,51 @@ +From 21db838c7bd27bd72760cbcfcd462c2a076189fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 08:39:11 +0000 +Subject: wifi: mwifiex: Fix missed return in oob checks failed path + +From: Polaris Pi + +[ Upstream commit 2785851c627f2db05f9271f7f63661b5dbd95c4c ] + +Add missed return in mwifiex_uap_queue_bridged_pkt() and +mwifiex_process_rx_packet(). + +Fixes: 119585281617 ("wifi: mwifiex: Fix OOB and integer underflow when rx packets") +Signed-off-by: Polaris Pi +Reported-by: Dmitry Antipov +Acked-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230810083911.3725248-1-pinkperfect2021@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/sta_rx.c | 1 + + drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_rx.c b/drivers/net/wireless/marvell/mwifiex/sta_rx.c +index a3d716a215ef2..f3c6daeba1b85 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_rx.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_rx.c +@@ -104,6 +104,7 @@ int mwifiex_process_rx_packet(struct mwifiex_private *priv, + skb->len, rx_pkt_off); + priv->stats.rx_dropped++; + dev_kfree_skb_any(skb); ++ return -1; + } + + if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, +diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +index 09243e6d8ba9a..90c07722c25f8 100644 +--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c ++++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +@@ -123,6 +123,7 @@ static void mwifiex_uap_queue_bridged_pkt(struct mwifiex_private *priv, + skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset)); + priv->stats.rx_dropped++; + dev_kfree_skb_any(skb); ++ return; + } + + if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, +-- +2.40.1 + diff --git a/queue-4.14/wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch b/queue-4.14/wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch new file mode 100644 index 00000000000..9d43b6e2ece --- /dev/null +++ b/queue-4.14/wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch @@ -0,0 +1,127 @@ +From 4478c1e573ce230f2ca00cab1eda5b12b406fd11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 07:07:41 +0000 +Subject: wifi: mwifiex: Fix OOB and integer underflow when rx packets + +From: Polaris Pi + +[ Upstream commit 11958528161731c58e105b501ed60b83a91ea941 ] + +Make sure mwifiex_process_mgmt_packet, +mwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet, +mwifiex_uap_queue_bridged_pkt and mwifiex_process_rx_packet +not out-of-bounds access the skb->data buffer. + +Fixes: 2dbaf751b1de ("mwifiex: report received management frames to cfg80211") +Signed-off-by: Polaris Pi +Reviewed-by: Matthew Wang +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230723070741.1544662-1-pinkperfect2021@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/sta_rx.c | 11 ++++++++++- + .../net/wireless/marvell/mwifiex/uap_txrx.c | 19 +++++++++++++++++++ + drivers/net/wireless/marvell/mwifiex/util.c | 10 +++++++--- + 3 files changed, 36 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_rx.c b/drivers/net/wireless/marvell/mwifiex/sta_rx.c +index 00fcbda09349e..a3d716a215ef2 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_rx.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_rx.c +@@ -98,6 +98,14 @@ int mwifiex_process_rx_packet(struct mwifiex_private *priv, + rx_pkt_len = le16_to_cpu(local_rx_pd->rx_pkt_length); + rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_off; + ++ if (sizeof(*rx_pkt_hdr) + rx_pkt_off > skb->len) { ++ mwifiex_dbg(priv->adapter, ERROR, ++ "wrong rx packet offset: len=%d, rx_pkt_off=%d\n", ++ skb->len, rx_pkt_off); ++ priv->stats.rx_dropped++; ++ dev_kfree_skb_any(skb); ++ } ++ + if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, + sizeof(bridge_tunnel_header))) || + (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header, +@@ -203,7 +211,8 @@ int mwifiex_process_sta_rx_packet(struct mwifiex_private *priv, + + rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_offset; + +- if ((rx_pkt_offset + rx_pkt_length) > (u16) skb->len) { ++ if ((rx_pkt_offset + rx_pkt_length) > skb->len || ++ sizeof(rx_pkt_hdr->eth803_hdr) + rx_pkt_offset > skb->len) { + mwifiex_dbg(adapter, ERROR, + "wrong rx packet: len=%d, rx_pkt_offset=%d, rx_pkt_length=%d\n", + skb->len, rx_pkt_offset, rx_pkt_length); +diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +index 1e6a62c69ac52..09243e6d8ba9a 100644 +--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c ++++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +@@ -116,6 +116,15 @@ static void mwifiex_uap_queue_bridged_pkt(struct mwifiex_private *priv, + return; + } + ++ if (sizeof(*rx_pkt_hdr) + ++ le16_to_cpu(uap_rx_pd->rx_pkt_offset) > skb->len) { ++ mwifiex_dbg(adapter, ERROR, ++ "wrong rx packet offset: len=%d,rx_pkt_offset=%d\n", ++ skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset)); ++ priv->stats.rx_dropped++; ++ dev_kfree_skb_any(skb); ++ } ++ + if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, + sizeof(bridge_tunnel_header))) || + (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header, +@@ -385,6 +394,16 @@ int mwifiex_process_uap_rx_packet(struct mwifiex_private *priv, + rx_pkt_type = le16_to_cpu(uap_rx_pd->rx_pkt_type); + rx_pkt_hdr = (void *)uap_rx_pd + le16_to_cpu(uap_rx_pd->rx_pkt_offset); + ++ if (le16_to_cpu(uap_rx_pd->rx_pkt_offset) + ++ sizeof(rx_pkt_hdr->eth803_hdr) > skb->len) { ++ mwifiex_dbg(adapter, ERROR, ++ "wrong rx packet for struct ethhdr: len=%d, offset=%d\n", ++ skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset)); ++ priv->stats.rx_dropped++; ++ dev_kfree_skb_any(skb); ++ return 0; ++ } ++ + ether_addr_copy(ta, rx_pkt_hdr->eth803_hdr.h_source); + + if ((le16_to_cpu(uap_rx_pd->rx_pkt_offset) + +diff --git a/drivers/net/wireless/marvell/mwifiex/util.c b/drivers/net/wireless/marvell/mwifiex/util.c +index 51ccf10f44132..4fccdf01b8a05 100644 +--- a/drivers/net/wireless/marvell/mwifiex/util.c ++++ b/drivers/net/wireless/marvell/mwifiex/util.c +@@ -403,11 +403,15 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv, + } + + rx_pd = (struct rxpd *)skb->data; ++ pkt_len = le16_to_cpu(rx_pd->rx_pkt_length); ++ if (pkt_len < sizeof(struct ieee80211_hdr) + sizeof(pkt_len)) { ++ mwifiex_dbg(priv->adapter, ERROR, "invalid rx_pkt_length"); ++ return -1; ++ } + + skb_pull(skb, le16_to_cpu(rx_pd->rx_pkt_offset)); + skb_pull(skb, sizeof(pkt_len)); +- +- pkt_len = le16_to_cpu(rx_pd->rx_pkt_length); ++ pkt_len -= sizeof(pkt_len); + + ieee_hdr = (void *)skb->data; + if (ieee80211_is_mgmt(ieee_hdr->frame_control)) { +@@ -420,7 +424,7 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv, + skb->data + sizeof(struct ieee80211_hdr), + pkt_len - sizeof(struct ieee80211_hdr)); + +- pkt_len -= ETH_ALEN + sizeof(pkt_len); ++ pkt_len -= ETH_ALEN; + rx_pd->rx_pkt_length = cpu_to_le16(pkt_len); + + cfg80211_rx_mgmt(&priv->wdev, priv->roc_cfg.chan.center_freq, +-- +2.40.1 + diff --git a/queue-4.14/x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch b/queue-4.14/x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch new file mode 100644 index 00000000000..6724019efb3 --- /dev/null +++ b/queue-4.14/x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch @@ -0,0 +1,46 @@ +From 61ae5a8d5d905a16841e5a6244e51662ce7499ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 18:11:20 -0700 +Subject: x86/APM: drop the duplicate APM_MINOR_DEV macro + +From: Randy Dunlap + +[ Upstream commit 4ba2909638a29630a346d6c4907a3105409bee7d ] + +This source file already includes , which contains +the same macro. It doesn't need to be defined here again. + +Fixes: 874bcd00f520 ("apm-emulation: move APM_MINOR_DEV to include/linux/miscdevice.h") +Signed-off-by: Randy Dunlap +Cc: Jiri Kosina +Cc: x86@kernel.org +Cc: Sohil Mehta +Cc: Corentin Labbe +Reviewed-by: Sohil Mehta +Link: https://lore.kernel.org/r/20230728011120.759-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/apm_32.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c +index 63d3e6a6b5efc..558ac8bb8c7f5 100644 +--- a/arch/x86/kernel/apm_32.c ++++ b/arch/x86/kernel/apm_32.c +@@ -246,12 +246,6 @@ + extern int (*console_blank_hook)(int); + #endif + +-/* +- * The apm_bios device is one of the misc char devices. +- * This is its minor number. +- */ +-#define APM_MINOR_DEV 134 +- + /* + * Various options can be changed at boot time as follows: + * (We allow underscores for compatibility with the modules code) +-- +2.40.1 +