From: Greg Kroah-Hartman
Date: Fri, 27 Dec 2024 16:08:19 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v6.1.123~49
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cca3f59cd4caa62a5b55793a7d8a81bdc7549054;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
dmaengine-at_xdmac-avoid-null_prt_deref-in-at_xdmac_prep_dma_memset.patch
dmaengine-mv_xor-fix-child-node-refcount-handling-in-early-exit.patch
mtd-rawnand-fix-double-free-in-atmel_pmecc_create_user.patch
phy-core-fix-an-of-node-refcount-leakage-in-_of_phy_get.patch
phy-core-fix-an-of-node-refcount-leakage-in-of_phy_provider_lookup.patch
phy-core-fix-that-api-devm_phy_destroy-fails-to-destroy-the-phy.patch
phy-core-fix-that-api-devm_phy_put-fails-to-release-the-phy.patch
---
diff --git a/queue-5.4/dmaengine-at_xdmac-avoid-null_prt_deref-in-at_xdmac_prep_dma_memset.patch b/queue-5.4/dmaengine-at_xdmac-avoid-null_prt_deref-in-at_xdmac_prep_dma_memset.patch
new file mode 100644
index 00000000000..63f927e5d76
--- /dev/null
+++ b/queue-5.4/dmaengine-at_xdmac-avoid-null_prt_deref-in-at_xdmac_prep_dma_memset.patch
@@ -0,0 +1,34 @@
+From c43ec96e8d34399bd9dab2f2dc316b904892133f Mon Sep 17 00:00:00 2001
+From: Chen Ridong
+Date: Tue, 29 Oct 2024 08:28:45 +0000
+Subject: dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset
+
+From: Chen Ridong
+
+commit c43ec96e8d34399bd9dab2f2dc316b904892133f upstream.
+
+The at_xdmac_memset_create_desc may return NULL, which will lead to a
+null pointer dereference. For example, the len input is error, or the
+atchan->free_descs_list is empty and memory is exhausted. Therefore, add
+check to avoid this.
+
+Fixes: b206d9a23ac7 ("dmaengine: xdmac: Add memset support")
+Signed-off-by: Chen Ridong
+Link: https://lore.kernel.org/r/20241029082845.1185380-1-chenridong@huaweicloud.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/at_xdmac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -1214,6 +1214,8 @@ at_xdmac_prep_dma_memset(struct dma_chan
+ return NULL;
+
+ desc = at_xdmac_memset_create_desc(chan, atchan, dest, len, value);
++ if (!desc)
++ return NULL;
+ list_add_tail(&desc->desc_node, &desc->descs_list);
+
+ desc->tx_dma_desc.cookie = -EBUSY;
diff --git a/queue-5.4/dmaengine-mv_xor-fix-child-node-refcount-handling-in-early-exit.patch b/queue-5.4/dmaengine-mv_xor-fix-child-node-refcount-handling-in-early-exit.patch
new file mode 100644
index 00000000000..72770cf5b56
--- /dev/null
+++ b/queue-5.4/dmaengine-mv_xor-fix-child-node-refcount-handling-in-early-exit.patch
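Review bot: The added `if (!desc) return NULL;` in at_xdmac_prep_dma_memset carries no comment saying when at_xdmac_memset_create_desc() yields NULL, so the guard reads as arbitrary at the call site. The commit description names the cases (a bad len, or an empty free_descs_list with memory exhausted); a one-line comment above the check would keep that with the code: `/* NULL on invalid len or when no descriptor could be obtained */`. The function body starts and ends outside the hunk, so whether other callers of at_xdmac_memset_create_desc() check the result cannot be confirmed from here and is worth a look.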
@@ -0,0 +1,44 @@
+From 362f1bf98a3ecb5a2a4fcbdaa9718c8403beceb2 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Fri, 11 Oct 2024 22:57:59 +0200
+Subject: dmaengine: mv_xor: fix child node refcount handling in early exit
+
+From: Javier Carrasco
+
+commit 362f1bf98a3ecb5a2a4fcbdaa9718c8403beceb2 upstream.
+
+The for_each_child_of_node() loop requires explicit calls to
+of_node_put() to decrement the child's refcount upon early exits (break,
+goto, return).
+
+Add the missing calls in the two early exits before the goto
+instructions.
+
+Cc: stable@vger.kernel.org
+Fixes: f7d12ef53ddf ("dma: mv_xor: add Device Tree binding")
+Signed-off-by: Javier Carrasco
+Link: https://lore.kernel.org/r/20241011-dma_mv_xor_of_node_put-v1-1-3c2de819f463@gmail.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/mv_xor.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/dma/mv_xor.c
++++ b/drivers/dma/mv_xor.c
+@@ -1394,6 +1394,7 @@ static int mv_xor_probe(struct platform_
+ irq = irq_of_parse_and_map(np, 0);
+ if (!irq) {
+ ret = -ENODEV;
++ of_node_put(np);
+ goto err_channel_add;
+ }
+
+@@ -1402,6 +1403,7 @@ static int mv_xor_probe(struct platform_
+ if (IS_ERR(chan)) {
+ ret = PTR_ERR(chan);
+ irq_dispose_mapping(irq);
++ of_node_put(np);
+ goto err_channel_add;
+ }
+
diff --git a/queue-5.4/mtd-rawnand-fix-double-free-in-atmel_pmecc_create_user.patch b/queue-5.4/mtd-rawnand-fix-double-free-in-atmel_pmecc_create_user.patch
new file mode 100644
index 00000000000..1027c415aa4
--- /dev/null
+++ b/queue-5.4/mtd-rawnand-fix-double-free-in-atmel_pmecc_create_user.patch
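Review bot: Both early exits in mv_xor_probe's child-node loop now repeat `of_node_put(np);` by hand before `goto err_channel_add;`, which leaves the same leak open to any exit added to the loop later. A dedicated label that drops the reference and then falls through to err_channel_add would keep the release in one place, for example `err_put_node:` followed by `of_node_put(np);`. If the duplication is kept, a comment at the loop head such as `/* each early exit must of_node_put(np) */` records the rule. The loop head and the err_channel_add label are outside both hunks, so the placement has to be checked against the full function.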
@@ -0,0 +1,35 @@
+From d8e4771f99c0400a1873235704b28bb803c83d17 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 23 Oct 2024 11:40:56 +0300
+Subject: mtd: rawnand: fix double free in atmel_pmecc_create_user()
+
+From: Dan Carpenter
+
+commit d8e4771f99c0400a1873235704b28bb803c83d17 upstream.
+
+The "user" pointer was converted from being allocated with kzalloc() to
+being allocated by devm_kzalloc(). Calling kfree(user) will lead to a
+double free.
+
+Fixes: 6d734f1bfc33 ("mtd: rawnand: atmel: Fix possible memory leak")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Miquel Raynal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/raw/atmel/pmecc.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/raw/atmel/pmecc.c
++++ b/drivers/mtd/nand/raw/atmel/pmecc.c
+@@ -380,10 +380,8 @@ atmel_pmecc_create_user(struct atmel_pme
+ user->delta = user->dmu + req->ecc.strength + 1;
+
+ gf_tables = atmel_pmecc_get_gf_tables(req);
+- if (IS_ERR(gf_tables)) {
+- kfree(user);
++ if (IS_ERR(gf_tables))
+ return ERR_CAST(gf_tables);
+- }
+
+ user->gf_tables = gf_tables;
+
diff --git a/queue-5.4/phy-core-fix-an-of-node-refcount-leakage-in-_of_phy_get.patch b/queue-5.4/phy-core-fix-an-of-node-refcount-leakage-in-_of_phy_get.patch
new file mode 100644
index 00000000000..7c864ae9f92
--- /dev/null
+++ b/queue-5.4/phy-core-fix-an-of-node-refcount-leakage-in-_of_phy_get.patch
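Review bot: On the `IS_ERR(gf_tables)` path in atmel_pmecc_create_user the devm-allocated `user` now stays allocated until the owning device is released, and nothing at the site says why it must not be freed with kfree(). A comment such as `/* user is devm-managed: never kfree() it */` above the check would stop the double free from being reintroduced. If failures of this call can repeat during the device's lifetime, releasing it early with devm_kfree() on the same device that was passed to devm_kzalloc() would avoid the buildup. That allocation is outside the hunk, so the device argument has to be taken from there.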
@@ -0,0 +1,50 @@
+From 5ebdc6be16c2000e37fcb8b4072d442d268ad492 Mon Sep 17 00:00:00 2001
+From: Zijun Hu
+Date: Fri, 13 Dec 2024 20:36:44 +0800
+Subject: phy: core: Fix an OF node refcount leakage in _of_phy_get()
+
+From: Zijun Hu
+
+commit 5ebdc6be16c2000e37fcb8b4072d442d268ad492 upstream.
+
+_of_phy_get() will directly return when suffers of_device_is_compatible()
+error, but it forgets to decrease refcount of OF node @args.np before error
+return, the refcount was increased by previous of_parse_phandle_with_args()
+so causes the OF node's refcount leakage.
+
+Fix by decreasing the refcount via of_node_put() before the error return.
+
+Fixes: b7563e2796f8 ("phy: work around 'phys' references to usb-nop-xceiv devices")
+Cc: stable@vger.kernel.org
+Reviewed-by: Johan Hovold
+Signed-off-by: Zijun Hu
+Link: https://lore.kernel.org/r/20241213-phy_core_fix-v6-4-40ae28f5015a@quicinc.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/phy/phy-core.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/phy/phy-core.c
++++ b/drivers/phy/phy-core.c
+@@ -507,8 +507,10 @@ static struct phy *_of_phy_get(struct de
+ return ERR_PTR(-ENODEV);
+
+ /* This phy type handled by the usb-phy subsystem for now */
+- if (of_device_is_compatible(args.np, "usb-nop-xceiv"))
+- return ERR_PTR(-ENODEV);
++ if (of_device_is_compatible(args.np, "usb-nop-xceiv")) {
++ phy = ERR_PTR(-ENODEV);
++ goto out_put_node;
++ }
+
+ mutex_lock(&phy_provider_mutex);
+ phy_provider = of_phy_provider_lookup(args.np);
+@@ -530,6 +532,7 @@ out_put_module:
+
+ out_unlock:
+ mutex_unlock(&phy_provider_mutex);
++out_put_node:
+ of_node_put(args.np);
+
+ return phy;
diff --git a/queue-5.4/phy-core-fix-an-of-node-refcount-leakage-in-of_phy_provider_lookup.patch b/queue-5.4/phy-core-fix-an-of-node-refcount-leakage-in-of_phy_provider_lookup.patch
new file mode 100644
index 00000000000..da8bdcb1ed2
--- /dev/null
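Review bot: The new `out_put_node:` label in _of_phy_get sits after `mutex_unlock(&phy_provider_mutex);` on purpose, because the usb-nop-xceiv exit jumps to it before `mutex_lock()` is taken, but nothing in the code says so. A short comment on the label, e.g. `/* reached without phy_provider_mutex held; drops the ref from of_parse_phandle_with_args() */`, would keep a later edit from moving the label above the unlock. The function starts outside the hunk, so the of_parse_phandle_with_args() call is taken from the commit description rather than from visible lines.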
+++ b/queue-5.4/phy-core-fix-an-of-node-refcount-leakage-in-of_phy_provider_lookup.patch
@@ -0,0 +1,52 @@
+From a2d633cb1421e679b56f1a9fe1f42f089706f1ed Mon Sep 17 00:00:00 2001
+From: Zijun Hu
+Date: Fri, 13 Dec 2024 20:36:45 +0800
+Subject: phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup()
+
+From: Zijun Hu
+
+commit a2d633cb1421e679b56f1a9fe1f42f089706f1ed upstream.
+
+For macro for_each_child_of_node(parent, child), refcount of @child has
+been increased before entering its loop body, so normally needs to call
+of_node_put(@child) before returning from the loop body to avoid refcount
+leakage.
+
+of_phy_provider_lookup() has such usage but does not call of_node_put()
+before returning, so cause leakage of the OF node refcount.
+
+Fix by simply calling of_node_put() before returning from the loop body.
+
+The APIs affected by this issue are shown below since they indirectly
+invoke problematic of_phy_provider_lookup().
+phy_get()
+of_phy_get()
+devm_phy_get()
+devm_of_phy_get()
+devm_of_phy_get_by_index()
+
+Fixes: 2a4c37016ca9 ("phy: core: Fix of_phy_provider_lookup to return PHY provider for sub node")
+Cc: stable@vger.kernel.org
+Reviewed-by: Johan Hovold
+Signed-off-by: Zijun Hu
+Link: https://lore.kernel.org/r/20241213-phy_core_fix-v6-5-40ae28f5015a@quicinc.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/phy/phy-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/phy/phy-core.c
++++ b/drivers/phy/phy-core.c
+@@ -138,8 +138,10 @@ static struct phy_provider *of_phy_provi
+ return phy_provider;
+
+ for_each_child_of_node(phy_provider->children, child)
+- if (child == node)
++ if (child == node) {
++ of_node_put(child);
+ return phy_provider;
++ }
+ }
+
+ return ERR_PTR(-EPROBE_DEFER);
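Review bot: The `for_each_child_of_node(phy_provider->children, child)` loop in of_phy_provider_lookup is still brace-less although its body is now a multi-line braced `if`. Kernel style asks for braces once a loop body is more than one simple statement, and without them the `of_node_put(child);` is easy to misread as sitting outside the loop. Suggest `for_each_child_of_node(phy_provider->children, child) {` with a matching `}` after the `if` block. A brief comment next to the put, such as `/* the iterator holds a reference on child */`, would also record why the early return needs it.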
diff --git a/queue-5.4/phy-core-fix-that-api-devm_phy_destroy-fails-to-destroy-the-phy.patch b/queue-5.4/phy-core-fix-that-api-devm_phy_destroy-fails-to-destroy-the-phy.patch
new file mode 100644
index 00000000000..bdbd9696367
--- /dev/null
+++ b/queue-5.4/phy-core-fix-that-api-devm_phy_destroy-fails-to-destroy-the-phy.patch
@@ -0,0 +1,38 @@
+From 4dc48c88fcf82b89fdebd83a906aaa64f40fb8a9 Mon Sep 17 00:00:00 2001
+From: Zijun Hu
+Date: Fri, 13 Dec 2024 20:36:43 +0800
+Subject: phy: core: Fix that API devm_phy_destroy() fails to destroy the phy
+
+From: Zijun Hu
+
+commit 4dc48c88fcf82b89fdebd83a906aaa64f40fb8a9 upstream.
+
+For devm_phy_destroy(), its comment says it needs to invoke phy_destroy()
+to destroy the phy, but it will not actually invoke the function since
+devres_destroy() does not call devm_phy_consume(), and the missing
+phy_destroy() call will cause that the phy fails to be destroyed.
+
+Fortunately, the faulty API has not been used by current kernel tree.
+Fix by using devres_release() instead of devres_destroy() within the API.
+
+Fixes: ff764963479a ("drivers: phy: add generic PHY framework")
+Reviewed-by: Johan Hovold
+Signed-off-by: Zijun Hu
+Link: https://lore.kernel.org/r/20241213-phy_core_fix-v6-3-40ae28f5015a@quicinc.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/phy/phy-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/phy/phy-core.c
++++ b/drivers/phy/phy-core.c
+@@ -958,7 +958,7 @@ void devm_phy_destroy(struct device *dev
+ {
+ int r;
+
+- r = devres_destroy(dev, devm_phy_consume, devm_phy_match, phy);
++ r = devres_release(dev, devm_phy_consume, devm_phy_match, phy);
+ dev_WARN_ONCE(dev, r, "couldn't find PHY resource\n");
+ }
+ EXPORT_SYMBOL_GPL(devm_phy_destroy);
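Review bot: Switching devm_phy_destroy() to `devres_release()` means devm_phy_consume now runs, so a caller that also tears the phy down by hand after this call would destroy it twice. The description says the API has no users in the current tree, which was written for upstream; for the 5.4 queue that should be confirmed against the 5.4 sources. The same question applies to the devm_phy_put() patch further down, where a caller that follows devm_phy_put() with its own phy_put() would now drop the reference twice. A comment above the call, e.g. `/* devres_release() runs devm_phy_consume(), unlike devres_destroy() */`, would document the difference for the next reader.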
diff --git a/queue-5.4/phy-core-fix-that-api-devm_phy_put-fails-to-release-the-phy.patch b/queue-5.4/phy-core-fix-that-api-devm_phy_put-fails-to-release-the-phy.patch
new file mode 100644
index 00000000000..b00f6cf8174
--- /dev/null
+++ b/queue-5.4/phy-core-fix-that-api-devm_phy_put-fails-to-release-the-phy.patch
@@ -0,0 +1,66 @@
+From fe4bfa9b6d7bd752bfe4700c937f235aa8ce997b Mon Sep 17 00:00:00 2001
+From: Zijun Hu
+Date: Fri, 13 Dec 2024 20:36:41 +0800
+Subject: phy: core: Fix that API devm_phy_put() fails to release the phy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zijun Hu
+
+commit fe4bfa9b6d7bd752bfe4700c937f235aa8ce997b upstream.
+
+For devm_phy_put(), its comment says it needs to invoke phy_put() to
+release the phy, but it will not actually invoke the function since
+devres_destroy() does not call devm_phy_release(), and the missing
+phy_put() call will cause:
+
+- The phy fails to be released.
+- devm_phy_put() can not fully undo what API devm_phy_get() does.
+- Leak refcount of both the module and device for below typical usage:
+
+ devm_phy_get(); // or its variant
+ ...
+ err = do_something();
+ if (err)
+ goto err_out;
+ ...
+ err_out:
+ devm_phy_put(); // leak refcount here
+
+ The file(s) affected by this issue are shown below since they have such
+ typical usage.
+ drivers/pci/controller/cadence/pcie-cadence.c
+ drivers/net/ethernet/ti/am65-cpsw-nuss.c
+
+Fix by using devres_release() instead of devres_destroy() within the API.
+
+Fixes: ff764963479a ("drivers: phy: add generic PHY framework")
+Cc: stable@vger.kernel.org
+Cc: Lorenzo Pieralisi
+Cc: Krzysztof Wilczyński
+Cc: Bjorn Helgaas
+Cc: David S. Miller
+Cc: Eric Dumazet
+Cc: Jakub Kicinski
+Cc: Paolo Abeni
+Reviewed-by: Johan Hovold
+Signed-off-by: Zijun Hu
+Link: https://lore.kernel.org/r/20241213-phy_core_fix-v6-1-40ae28f5015a@quicinc.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/phy/phy-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/phy/phy-core.c
++++ b/drivers/phy/phy-core.c
+@@ -606,7 +606,7 @@ void devm_phy_put(struct device *dev, st
+ if (!phy)
+ return;
+
+- r = devres_destroy(dev, devm_phy_release, devm_phy_match, phy);
++ r = devres_release(dev, devm_phy_release, devm_phy_match, phy);
+ dev_WARN_ONCE(dev, r, "couldn't find PHY resource\n");
+ }
+ EXPORT_SYMBOL_GPL(devm_phy_put);
diff --git a/queue-5.4/series b/queue-5.4/series
index 55d5358abbf..920defb2e4e 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -34,3 +34,10 @@ media-dvb-frontends-dib3000mb-fix-uninit-value-in-di.patch
 bpf-check-negative-offsets-in-__bpf_skb_min_len.patch
 nfsd-restore-callback-functionality-for-nfsv4.0.patch
 mtd-diskonchip-cast-an-operand-to-prevent-potential-overflow.patch
+phy-core-fix-an-of-node-refcount-leakage-in-_of_phy_get.patch
+phy-core-fix-an-of-node-refcount-leakage-in-of_phy_provider_lookup.patch
+phy-core-fix-that-api-devm_phy_put-fails-to-release-the-phy.patch
+phy-core-fix-that-api-devm_phy_destroy-fails-to-destroy-the-phy.patch
+dmaengine-mv_xor-fix-child-node-refcount-handling-in-early-exit.patch
+dmaengine-at_xdmac-avoid-null_prt_deref-in-at_xdmac_prep_dma_memset.patch
+mtd-rawnand-fix-double-free-in-atmel_pmecc_create_user.patch