From: Sasha Levin
Date: Fri, 29 Sep 2023 13:45:19 +0000 (-0400)
Subject: Fixes for 6.1
X-Git-Tag: v6.5.6~79
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bf7f1554f2524d40e50127560aafa0ab88d3dd41;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 6.1

Signed-off-by: Sasha Levin
---

diff --git a/queue-6.1/btrfs-reset-destination-buffer-when-read_extent_buff.patch b/queue-6.1/btrfs-reset-destination-buffer-when-read_extent_buff.patch
new file mode 100644
index 00000000000..53d6a7afdce
--- /dev/null
+++ b/queue-6.1/btrfs-reset-destination-buffer-when-read_extent_buff.patch
@@ -0,0 +1,63 @@
+From 422f46a4b636d2a2964b4919e8b1b8bc5be1e319 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Sep 2023 11:44:42 +0930
+Subject: btrfs: reset destination buffer when read_extent_buffer() gets
+ invalid range
+
+From: Qu Wenruo
+
+[ Upstream commit 74ee79142c0a344d4eae2eb7012ebc4e82254109 ]
+
+Commit f98b6215d7d1 ("btrfs: extent_io: do extra check for extent buffer
+read write functions") changed how we handle invalid extent buffer range
+for read_extent_buffer().
+
+Previously if the range is invalid we just set the destination to zero,
+but after the patch we do nothing and error out.
+
+This can lead to smatch static checker errors like:
+
+ fs/btrfs/print-tree.c:186 print_uuid_item() error: uninitialized symbol 'subvol_id'.
+ fs/btrfs/tests/extent-io-tests.c:338 check_eb_bitmap() error: uninitialized symbol 'has'.
+ fs/btrfs/tests/extent-io-tests.c:353 check_eb_bitmap() error: uninitialized symbol 'has'.
+ fs/btrfs/uuid-tree.c:203 btrfs_uuid_tree_remove() error: uninitialized symbol 'read_subid'.
+ fs/btrfs/uuid-tree.c:353 btrfs_uuid_tree_iterate() error: uninitialized symbol 'subid_le'.
+ fs/btrfs/uuid-tree.c:72 btrfs_uuid_tree_lookup() error: uninitialized symbol 'data'.
+ fs/btrfs/volumes.c:7415 btrfs_dev_stats_value() error: uninitialized symbol 'val'.
+
+Fix those warnings by reverting back to the old memset() behavior.
+By this we keep the static checker happy and would still make a lot of
+noise when such invalid ranges are passed in.
+
+Reported-by: Dan Carpenter
+Fixes: f98b6215d7d1 ("btrfs: extent_io: do extra check for extent buffer read write functions")
+Signed-off-by: Qu Wenruo
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/extent_io.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
+index 0ad69041954ff..afcc96a1f4276 100644
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -5184,8 +5184,14 @@ void read_extent_buffer(const struct extent_buffer *eb, void *dstv,
+ char *dst = (char *)dstv;
+ unsigned long i = get_eb_page_index(start);
+
+- if (check_eb_range(eb, start, len))
++ if (check_eb_range(eb, start, len)) {
++ /*
++ * Invalid range hit, reset the memory, so callers won't get
++ * some random garbage for their uninitialzed memory.
++ */
++ memset(dstv, 0, len);
+ return;
++ }
+
+ offset = get_eb_offset_in_page(eb, start);
+
+--
+2.40.1
+
diff --git a/queue-6.1/mips-alchemy-only-build-mmc-support-helpers-if-au1xm.patch b/queue-6.1/mips-alchemy-only-build-mmc-support-helpers-if-au1xm.patch
new file mode 100644
index 00000000000..7bad939597f
--- /dev/null
+++ b/queue-6.1/mips-alchemy-only-build-mmc-support-helpers-if-au1xm.patch
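Review bot: The added `memset(dstv, 0, len);` in read_extent_buffer() (fs/btrfs/extent_io.c) runs only on the path where check_eb_range() has just rejected `start`/`len`, so the `len` it uses is a value that failed validation against the extent buffer. Zeroing is safe only if every caller's destination really is `len` bytes long, which this hunk does not show; I would state that contract in the new comment, e.g. `* Callers must pass a dstv of at least len bytes; len is not bounded by eb->len here.` Because the function returns void, callers cannot tell a zeroed result from valid all-zero data, so the noise from check_eb_range() mentioned in the commit message is presumably the only signal. The comment's "uninitialzed" should read "uninitialized". The function body continues outside the hunk.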
@@ -0,0 +1,134 @@
+From 33e93238b9ea4b42d1c5c176f7448a009f5ff240 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Sep 2023 09:06:56 +0200
+Subject: MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled
+
+From: Christoph Hellwig
+
+[ Upstream commit ef8f8f04a0b25e8f294b24350e8463a8d6a9ba0b ]
+
+While commit d4a5c59a955b ("mmc: au1xmmc: force non-modular build and
+remove symbol_get usage") to be built in, it can still build a kernel
+without MMC support and thuse no mmc_detect_change symbol at all.
+
+Add ifdefs to build the mmc support code in the alchemy arch code
+conditional on mmc support.
+
+Fixes: d4a5c59a955b ("mmc: au1xmmc: force non-modular build and remove symbol_get usage")
+Reported-by: kernel test robot
+Signed-off-by: Christoph Hellwig
+Acked-by: Randy Dunlap
+Tested-by: Randy Dunlap # build-tested
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/alchemy/devboards/db1000.c | 4 ++++
+ arch/mips/alchemy/devboards/db1200.c | 6 ++++++
+ arch/mips/alchemy/devboards/db1300.c | 4 ++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/arch/mips/alchemy/devboards/db1000.c b/arch/mips/alchemy/devboards/db1000.c
+index 50de86eb8784c..3183df60ad337 100644
+--- a/arch/mips/alchemy/devboards/db1000.c
++++ b/arch/mips/alchemy/devboards/db1000.c
+@@ -164,6 +164,7 @@ static struct platform_device db1x00_audio_dev = {
+
+ /******************************************************************************/
+
++#ifdef CONFIG_MMC_AU1X
+ static irqreturn_t db1100_mmc_cd(int irq, void *ptr)
+ {
+ mmc_detect_change(ptr, msecs_to_jiffies(500));
+@@ -369,6 +370,7 @@ static struct platform_device db1100_mmc1_dev = {
+ .num_resources = ARRAY_SIZE(au1100_mmc1_res),
+ .resource = au1100_mmc1_res,
+ };
++#endif /* CONFIG_MMC_AU1X */
+
+ /******************************************************************************/
+
+@@ -432,8 +434,10 @@ static struct platform_device *db1x00_devs[] = {
+
+ static struct platform_device *db1100_devs[] = {
+ &au1100_lcd_device,
++#ifdef CONFIG_MMC_AU1X
+ &db1100_mmc0_dev,
+ &db1100_mmc1_dev,
++#endif
+ };
+
+ int __init db1000_dev_setup(void)
+diff --git a/arch/mips/alchemy/devboards/db1200.c b/arch/mips/alchemy/devboards/db1200.c
+index 76080c71a2a7b..f521874ebb07b 100644
+--- a/arch/mips/alchemy/devboards/db1200.c
++++ b/arch/mips/alchemy/devboards/db1200.c
+@@ -326,6 +326,7 @@ static struct platform_device db1200_ide_dev = {
+
+ /**********************************************************************/
+
++#ifdef CONFIG_MMC_AU1X
+ /* SD carddetects: they're supposed to be edge-triggered, but ack
+ * doesn't seem to work (CPLD Rev 2). Instead, the screaming one
+ * is disabled and its counterpart enabled. The 200ms timeout is
+@@ -584,6 +585,7 @@ static struct platform_device pb1200_mmc1_dev = {
+ .num_resources = ARRAY_SIZE(au1200_mmc1_res),
+ .resource = au1200_mmc1_res,
+ };
++#endif /* CONFIG_MMC_AU1X */
+
+ /**********************************************************************/
+
+@@ -751,7 +753,9 @@ static struct platform_device db1200_audiodma_dev = {
+ static struct platform_device *db1200_devs[] __initdata = {
+ NULL, /* PSC0, selected by S6.8 */
+ &db1200_ide_dev,
++#ifdef CONFIG_MMC_AU1X
+ &db1200_mmc0_dev,
++#endif
+ &au1200_lcd_dev,
+ &db1200_eth_dev,
+ &db1200_nand_dev,
+@@ -762,7 +766,9 @@ static struct platform_device *db1200_devs[] __initdata = {
+ };
+
+ static struct platform_device *pb1200_devs[] __initdata = {
++#ifdef CONFIG_MMC_AU1X
+ &pb1200_mmc1_dev,
++#endif
+ };
+
+ /* Some peripheral base addresses differ on the PB1200 */
+diff --git a/arch/mips/alchemy/devboards/db1300.c b/arch/mips/alchemy/devboards/db1300.c
+index ff61901329c62..d377e043b49f8 100644
+--- a/arch/mips/alchemy/devboards/db1300.c
++++ b/arch/mips/alchemy/devboards/db1300.c
+@@ -450,6 +450,7 @@ static struct platform_device db1300_ide_dev = {
+
+ /**********************************************************************/
+
++#ifdef CONFIG_MMC_AU1X
+ static irqreturn_t db1300_mmc_cd(int irq, void *ptr)
+ {
+ disable_irq_nosync(irq);
+@@ -632,6 +633,7 @@ static struct platform_device db1300_sd0_dev = {
+ .resource = au1300_sd0_res,
+ .num_resources = ARRAY_SIZE(au1300_sd0_res),
+ };
++#endif /* CONFIG_MMC_AU1X */
+
+ /**********************************************************************/
+
+@@ -767,8 +769,10 @@ static struct platform_device *db1300_dev[] __initdata = {
+ &db1300_5waysw_dev,
+ &db1300_nand_dev,
+ &db1300_ide_dev,
++#ifdef CONFIG_MMC_AU1X
+ &db1300_sd0_dev,
+ &db1300_sd1_dev,
++#endif
+ &db1300_lcd_dev,
+ &db1300_ac97_dev,
+ &db1300_i2s_dev,
+--
+2.40.1
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 4be35b08fa6..59bfef6e8e4 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -104,3 +104,7 @@ scsi-qla2xxx-select-qpair-depending-on-which-cpu-pos.patch
 scsi-qla2xxx-use-raw_smp_processor_id-instead-of-smp.patch
 drm-amdkfd-flush-tlb-after-unmapping-for-gfx-v9.4.3.patch
 drm-amdkfd-insert-missing-tlb-flush-on-gfx10-and-lat.patch
+btrfs-reset-destination-buffer-when-read_extent_buff.patch
+vfio-mdev-fix-a-null-ptr-deref-bug-for-mdev_unregist.patch
+mips-alchemy-only-build-mmc-support-helpers-if-au1xm.patch
+spi-spi-gxp-bug-correct-spi-write-return-value.patch
diff --git a/queue-6.1/spi-spi-gxp-bug-correct-spi-write-return-value.patch b/queue-6.1/spi-spi-gxp-bug-correct-spi-write-return-value.patch
new file mode 100644
index 00000000000..6d8260447be
--- /dev/null
+++ b/queue-6.1/spi-spi-gxp-bug-correct-spi-write-return-value.patch
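Review bot: With CONFIG_MMC_AU1X unset, `pb1200_devs[]` in arch/mips/alchemy/devboards/db1200.c is left with an empty initializer, i.e. a zero-length array, which relies on a GNU C extension and on whatever consumes the array (not shown in the hunk) tolerating a count of zero. A one-line comment at that array would make the case deliberate, e.g. `/* may be empty when CONFIG_MMC_AU1X is off */`. The `#endif` lines inside the device arrays also drop the `/* CONFIG_MMC_AU1X */` tag that the block-level `#endif`s carry; adding it keeps the guards consistent and greppable. The guards use plain `#ifdef`, which assumes the option is bool as the commit message describes; if the prerequisite d4a5c59a955b is not in this tree, a modular setting would silently drop the devices, so that dependency is worth confirming for the backport.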
@@ -0,0 +1,38 @@
+From 9df3c952575323aac48207d6854fdca75954b5f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Sep 2023 21:53:39 +0000
+Subject: spi: spi-gxp: BUG: Correct spi write return value
+
+From: Charles Kearney
+
+[ Upstream commit 1a8196a93e493c0a50b800cb09cef60b124eee15 ]
+
+Bug fix to correct return value of gxp_spi_write function to zero.
+Completion of succesful operation should return zero.
+
+Fixes: 730bc8ba5e9e spi: spi-gxp: Add support for HPE GXP SoCs
+
+Signed-off-by: Charles Kearney
+Link: https://lore.kernel.org/r/20230920215339.4125856-2-charles.kearney@hpe.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-gxp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-gxp.c b/drivers/spi/spi-gxp.c
+index c900c2f39b578..21b07e2518513 100644
+--- a/drivers/spi/spi-gxp.c
++++ b/drivers/spi/spi-gxp.c
+@@ -195,7 +195,7 @@ static ssize_t gxp_spi_write(struct gxp_spi_chip *chip, const struct spi_mem_op
+ return ret;
+ }
+
+- return write_len;
++ return 0;
+ }
+
+ static int do_gxp_exec_mem_op(struct spi_mem *mem, const struct spi_mem_op *op)
+--
+2.40.1
+
diff --git a/queue-6.1/vfio-mdev-fix-a-null-ptr-deref-bug-for-mdev_unregist.patch b/queue-6.1/vfio-mdev-fix-a-null-ptr-deref-bug-for-mdev_unregist.patch
new file mode 100644
index 00000000000..f21587baefe
--- /dev/null
+++ b/queue-6.1/vfio-mdev-fix-a-null-ptr-deref-bug-for-mdev_unregist.patch
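Review bot: gxp_spi_write() in drivers/spi/spi-gxp.c keeps its `ssize_t` return type although, after this change, the visible paths return only `ret` or 0, so the signature still suggests a byte count to the next reader. I would either change the type to `int` or document the contract above the function, e.g. `/* Returns 0 on success or a negative errno; never a length. */`. Whether `ret` is always negative on failure and how do_gxp_exec_mem_op() interprets the value is outside this hunk and should be confirmed. The function starts outside the hunk.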
@@ -0,0 +1,116 @@
+From a75d2d72470722367f419fe71ba739a3d8369cd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Sep 2023 19:55:51 +0800
+Subject: vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()
+
+From: Jinjie Ruan
+
+[ Upstream commit c777b11d34e0f47dbbc4b018ef65ad030f2b283a ]
+
+Inject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in
+kobject_add_internal() in kobject_init_and_add() in mdev_type_add()
+in parent_create_sysfs_files(), it will return 0 and probe successfully.
+And when rmmod mdpy.ko, the mdpy_dev_exit() will call
+mdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized
+parent->types[i] in parent_remove_sysfs_files(), and it will cause
+below null-ptr-deref.
+
+If mdev_type_add() fails, return the error code and kset_unregister()
+to fix the issue.
+
+ general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+ CPU: 2 PID: 10215 Comm: rmmod Tainted: G W N 6.6.0-rc2+ #20
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+ RIP: 0010:__kobject_del+0x62/0x1c0
+ Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
+ RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
+ RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
+ RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
+ RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
+ R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
+ R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
+ FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
+ DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
+ DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
+ PKRU: 55555554
+ Call Trace:
+
+ ? die_addr+0x3d/0xa0
+ ? exc_general_protection+0x144/0x220
+ ? asm_exc_general_protection+0x22/0x30
+ ? __kobject_del+0x62/0x1c0
+ kobject_del+0x32/0x50
+ parent_remove_sysfs_files+0xd6/0x170 [mdev]
+ mdev_unregister_parent+0xfb/0x190 [mdev]
+ ? mdev_register_parent+0x270/0x270 [mdev]
+ ? find_module_all+0x9d/0xe0
+ mdpy_dev_exit+0x17/0x63 [mdpy]
+ __do_sys_delete_module.constprop.0+0x2fa/0x4b0
+ ? module_flags+0x300/0x300
+ ? __fput+0x4e7/0xa00
+ do_syscall_64+0x35/0x80
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+ RIP: 0033:0x7fbc813221b7
+ Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
+ RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+ RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7
+ RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58
+ RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000
+ R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870
+ R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0
+
+ Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]
+ Dumping ftrace buffer:
+ (ftrace buffer empty)
+ ---[ end trace 0000000000000000 ]---
+ RIP: 0010:__kobject_del+0x62/0x1c0
+ Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
+ RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
+ RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
+ RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
+ RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
+ R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
+ R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
+ FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
+ DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
+ DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
+ PKRU: 55555554
+ Kernel panic - not syncing: Fatal exception
+ Dumping ftrace buffer:
+ (ftrace buffer empty)
+ Kernel Offset: disabled
+ Rebooting in 1 seconds..
+
+Fixes: da44c340c4fe ("vfio/mdev: simplify mdev_type handling")
+Signed-off-by: Jinjie Ruan
+Reviewed-by: Eric Farman
+Reviewed-by: Jason Gunthorpe
+Link: https://lore.kernel.org/r/20230918115551.1423193-1-ruanjinjie@huawei.com
+Signed-off-by: Alex Williamson
+Signed-off-by: Sasha Levin
+---
+ drivers/vfio/mdev/mdev_sysfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/mdev/mdev_sysfs.c b/drivers/vfio/mdev/mdev_sysfs.c
+index abe3359dd477f..16b007c6bbb56 100644
+--- a/drivers/vfio/mdev/mdev_sysfs.c
++++ b/drivers/vfio/mdev/mdev_sysfs.c
+@@ -233,7 +233,8 @@ int parent_create_sysfs_files(struct mdev_parent *parent)
+ out_err:
+ while (--i >= 0)
+ mdev_type_remove(parent->types[i]);
+- return 0;
++ kset_unregister(parent->mdev_types_kset);
++ return ret;
+ }
+
+ static ssize_t remove_store(struct device *dev, struct device_attribute *attr,
+--
+2.40.1
+
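Review bot: After `kset_unregister(parent->mdev_types_kset);` on the out_err path of parent_create_sysfs_files() (drivers/vfio/mdev/mdev_sysfs.c), the pointer is left in place, so any later teardown that reaches the same kset again would operate on an object that has already been released. The callers are not visible here; if any of them can still run parent_remove_sysfs_files() after a failed create, clearing the field with `parent->mdev_types_kset = NULL;` right after the unregister would close that off. It is also worth confirming that `ret` is assigned on every jump to `out_err`, since the label's callers and the loop that sets it start outside the hunk.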