From: Greg Kroah-Hartman Date: Wed, 28 Dec 2022 09:19:02 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.15.86~38 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ccd37505296873b2e90e4c6633f63e59a3b0395c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: 9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch floppy-fix-memory-leak-in-do_floppy_init.patch hid-mcp2221-don-t-connect-hidraw.patch hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch iio-adc128s052-add-proper-.data-members-in-adc128_of_match-table.patch iio-fix-memory-leak-in-iio_device_register_eventset.patch loop-fix-the-max_loop-commandline-argument-treatment-when-it-is-set-to-0.patch regulator-core-fix-deadlock-on-regulator-enable.patch reiserfs-add-missing-calls-to-reiserfs_security_free.patch security-restrict-config_zero_call_used_regs-to-gcc-or-clang-15.0.6.patch --- diff --git a/queue-5.15/9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch b/queue-5.15/9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch new file mode 100644 index 00000000000..cdc526544d0 --- /dev/null +++ b/queue-5.15/9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch @@ -0,0 +1,96 @@ +From 26273ade77f54716e30dfd40ac6e85ceb54ac0f9 Mon Sep 17 00:00:00 2001 +From: Schspa Shi +Date: Thu, 1 Dec 2022 11:33:10 +0800 +Subject: 9p: set req refcount to zero to avoid uninitialized usage + +From: Schspa Shi + +commit 26273ade77f54716e30dfd40ac6e85ceb54ac0f9 upstream. + +When a new request is allocated, the refcount will be zero if it is +reused, but if the request is newly allocated from slab, it is not fully +initialized before being added to idr. + +If the p9_read_work got a response before the refcount initiated. It will +use a uninitialized req, which will result in a bad request data struct. + +Here is the logs from syzbot. + +Corrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00 +0x00 0x00 . . . . . . . . ] (in kfence-#110): + p9_fcall_fini net/9p/client.c:248 [inline] + p9_req_put net/9p/client.c:396 [inline] + p9_req_put+0x208/0x250 net/9p/client.c:390 + p9_client_walk+0x247/0x540 net/9p/client.c:1165 + clone_fid fs/9p/fid.h:21 [inline] + v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118 + v9fs_xattr_set fs/9p/xattr.c:100 [inline] + v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159 + __vfs_setxattr+0x119/0x180 fs/xattr.c:182 + __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216 + __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277 + vfs_setxattr+0x143/0x340 fs/xattr.c:309 + setxattr+0x146/0x160 fs/xattr.c:617 + path_setxattr+0x197/0x1c0 fs/xattr.c:636 + __do_sys_setxattr fs/xattr.c:652 [inline] + __se_sys_setxattr fs/xattr.c:648 [inline] + __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648 + do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] + __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 + do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 + entry_SYSENTER_compat_after_hwframe+0x70/0x82 + +Below is a similar scenario, the scenario in the syzbot log looks more +complicated than this one, but this patch can fix it. + + T21124 p9_read_work +======================== second trans ================================= +p9_client_walk + p9_client_rpc + p9_client_prepare_req + p9_tag_alloc + req = kmem_cache_alloc(p9_req_cache, GFP_NOFS); + tag = idr_alloc + << preempted >> + req->tc.tag = tag; + /* req->[refcount/tag] == uninitialized */ + m->rreq = p9_tag_lookup(m->client, m->rc.tag); + /* increments uninitalized refcount */ + + refcount_set(&req->refcount, 2); + /* cb drops one ref */ + p9_client_cb(req) + /* reader thread drops its ref: + request is incorrectly freed */ + p9_req_put(req) + /* use after free and ref underflow */ + p9_req_put(req) + +To fix it, we can initialize the refcount to zero before add to idr. + +Link: https://lkml.kernel.org/r/20221201033310.18589-1-schspa@gmail.com +Cc: stable@vger.kernel.org # 6.0+ due to 6cda12864cb0 ("9p: Drop kref usage") +Fixes: 728356dedeff ("9p: Add refcount to p9_req_t") +Reported-by: syzbot+8f1060e2aaf8ca55220b@syzkaller.appspotmail.com +Signed-off-by: Schspa Shi +Reviewed-by: Christian Schoenebeck +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman +--- + net/9p/client.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -281,6 +281,11 @@ p9_tag_alloc(struct p9_client *c, int8_t + p9pdu_reset(&req->rc); + req->t_err = 0; + req->status = REQ_STATUS_ALLOC; ++ /* refcount needs to be set to 0 before inserting into the idr ++ * so p9_tag_lookup does not accept a request that is not fully ++ * initialized. refcount_set to 2 below will mark request ready. ++ */ ++ refcount_set(&req->refcount, 0); + init_waitqueue_head(&req->wq); + INIT_LIST_HEAD(&req->req_list); + diff --git a/queue-5.15/floppy-fix-memory-leak-in-do_floppy_init.patch b/queue-5.15/floppy-fix-memory-leak-in-do_floppy_init.patch new file mode 100644 index 00000000000..b0277fb338b --- /dev/null +++ b/queue-5.15/floppy-fix-memory-leak-in-do_floppy_init.patch @@ -0,0 +1,90 @@ +From f8ace2e304c5dd8a7328db9cd2b8a4b1b98d83ec Mon Sep 17 00:00:00 2001 +From: Yuan Can +Date: Mon, 31 Oct 2022 12:04:43 +0000 +Subject: floppy: Fix memory leak in do_floppy_init() + +From: Yuan Can + +commit f8ace2e304c5dd8a7328db9cd2b8a4b1b98d83ec upstream. + +A memory leak was reported when floppy_alloc_disk() failed in +do_floppy_init(). + +unreferenced object 0xffff888115ed25a0 (size 8): + comm "modprobe", pid 727, jiffies 4295051278 (age 25.529s) + hex dump (first 8 bytes): + 00 ac 67 5b 81 88 ff ff ..g[.... + backtrace: + [<000000007f457abb>] __kmalloc_node+0x4c/0xc0 + [<00000000a87bfa9e>] blk_mq_realloc_tag_set_tags.part.0+0x6f/0x180 + [<000000006f02e8b1>] blk_mq_alloc_tag_set+0x573/0x1130 + [<0000000066007fd7>] 0xffffffffc06b8b08 + [<0000000081f5ac40>] do_one_initcall+0xd0/0x4f0 + [<00000000e26d04ee>] do_init_module+0x1a4/0x680 + [<000000001bb22407>] load_module+0x6249/0x7110 + [<00000000ad31ac4d>] __do_sys_finit_module+0x140/0x200 + [<000000007bddca46>] do_syscall_64+0x35/0x80 + [<00000000b5afec39>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 +unreferenced object 0xffff88810fc30540 (size 32): + comm "modprobe", pid 727, jiffies 4295051278 (age 25.529s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<000000007f457abb>] __kmalloc_node+0x4c/0xc0 + [<000000006b91eab4>] blk_mq_alloc_tag_set+0x393/0x1130 + [<0000000066007fd7>] 0xffffffffc06b8b08 + [<0000000081f5ac40>] do_one_initcall+0xd0/0x4f0 + [<00000000e26d04ee>] do_init_module+0x1a4/0x680 + [<000000001bb22407>] load_module+0x6249/0x7110 + [<00000000ad31ac4d>] __do_sys_finit_module+0x140/0x200 + [<000000007bddca46>] do_syscall_64+0x35/0x80 + [<00000000b5afec39>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +If the floppy_alloc_disk() failed, disks of current drive will not be set, +thus the lastest allocated set->tag cannot be freed in the error handling +path. A simple call graph shown as below: + + floppy_module_init() + floppy_init() + do_floppy_init() + for (drive = 0; drive < N_DRIVE; drive++) + blk_mq_alloc_tag_set() + blk_mq_alloc_tag_set_tags() + blk_mq_realloc_tag_set_tags() # set->tag allocated + floppy_alloc_disk() + blk_mq_alloc_disk() # error occurred, disks failed to allocated + + ->out_put_disk: + for (drive = 0; drive < N_DRIVE; drive++) + if (!disks[drive][0]) # the last disks is not set and loop break + break; + blk_mq_free_tag_set() # the latest allocated set->tag leaked + +Fix this problem by free the set->tag of current drive before jump to +error handling path. + +Cc: stable@vger.kernel.org +Fixes: 302cfee15029 ("floppy: use a separate gendisk for each media format") +Signed-off-by: Yuan Can +[efremov: added stable list, changed title] +Signed-off-by: Denis Efremov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/floppy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -4587,8 +4587,10 @@ static int __init do_floppy_init(void) + goto out_put_disk; + + err = floppy_alloc_disk(drive, 0); +- if (err) ++ if (err) { ++ blk_mq_free_tag_set(&tag_sets[drive]); + goto out_put_disk; ++ } + + timer_setup(&motor_off_timer[drive], motor_off_callback, 0); + } diff --git a/queue-5.15/hid-mcp2221-don-t-connect-hidraw.patch b/queue-5.15/hid-mcp2221-don-t-connect-hidraw.patch new file mode 100644 index 00000000000..53460367dd7 --- /dev/null +++ b/queue-5.15/hid-mcp2221-don-t-connect-hidraw.patch @@ -0,0 +1,62 @@ +From 67c90d14018775556d5420382ace86521421f9ff Mon Sep 17 00:00:00 2001 +From: Enrik Berkhan +Date: Thu, 3 Nov 2022 23:27:12 +0100 +Subject: HID: mcp2221: don't connect hidraw +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Enrik Berkhan + +commit 67c90d14018775556d5420382ace86521421f9ff upstream. + +The MCP2221 driver should not connect to the hidraw userspace interface, +as it needs exclusive access to the chip. + +If you want to use /dev/hidrawX with the MCP2221, you need to avoid +binding this driver to the device and use the hid generic driver instead +(e.g. using udev rules). + +Cc: stable@vger.kernel.org +Reported-by: Sven Zühlsdorf +Signed-off-by: Enrik Berkhan +Signed-off-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/20221103222714.21566-2-Enrik.Berkhan@inka.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-mcp2221.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/hid/hid-mcp2221.c ++++ b/drivers/hid/hid-mcp2221.c +@@ -840,12 +840,19 @@ static int mcp2221_probe(struct hid_devi + return ret; + } + +- ret = hid_hw_start(hdev, HID_CONNECT_HIDRAW); ++ /* ++ * This driver uses the .raw_event callback and therefore does not need any ++ * HID_CONNECT_xxx flags. ++ */ ++ ret = hid_hw_start(hdev, 0); + if (ret) { + hid_err(hdev, "can't start hardware\n"); + return ret; + } + ++ hid_info(hdev, "USB HID v%x.%02x Device [%s] on %s\n", hdev->version >> 8, ++ hdev->version & 0xff, hdev->name, hdev->phys); ++ + ret = hid_hw_open(hdev); + if (ret) { + hid_err(hdev, "can't open device\n"); +@@ -870,8 +877,7 @@ static int mcp2221_probe(struct hid_devi + mcp->adapter.retries = 1; + mcp->adapter.dev.parent = &hdev->dev; + snprintf(mcp->adapter.name, sizeof(mcp->adapter.name), +- "MCP2221 usb-i2c bridge on hidraw%d", +- ((struct hidraw *)hdev->hidraw)->minor); ++ "MCP2221 usb-i2c bridge"); + + ret = i2c_add_adapter(&mcp->adapter); + if (ret) { diff --git a/queue-5.15/hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch b/queue-5.15/hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch new file mode 100644 index 00000000000..1361e22a4fd --- /dev/null +++ b/queue-5.15/hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch @@ -0,0 +1,89 @@ +From 1db1f392591aff13fd643f0ec7c1d5e27391d700 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Thu, 1 Dec 2022 15:11:41 -0800 +Subject: HID: wacom: Ensure bootloader PID is usable in hidraw mode + +From: Jason Gerecke + +commit 1db1f392591aff13fd643f0ec7c1d5e27391d700 upstream. + +Some Wacom devices have a special "bootloader" mode that is used for +firmware flashing. When operating in this mode, the device cannot be +used for input, and the HID descriptor is not able to be processed by +the driver. The driver generates an "Unknown device_type" warning and +then returns an error code from wacom_probe(). This is a problem because +userspace still needs to be able to interact with the device via hidraw +to perform the firmware flash. + +This commit adds a non-generic device definition for 056a:0094 which +is used when devices are in "bootloader" mode. It marks the devices +with a special BOOTLOADER type that is recognized by wacom_probe() and +wacom_raw_event(). When we see this type we ensure a hidraw device is +created and otherwise keep our hands off so that userspace is in full +control. + +Signed-off-by: Jason Gerecke +Tested-by: Tatsunosuke Tobita +Cc: +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_sys.c | 8 ++++++++ + drivers/hid/wacom_wac.c | 4 ++++ + drivers/hid/wacom_wac.h | 1 + + 3 files changed, 13 insertions(+) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -160,6 +160,9 @@ static int wacom_raw_event(struct hid_de + { + struct wacom *wacom = hid_get_drvdata(hdev); + ++ if (wacom->wacom_wac.features.type == BOOTLOADER) ++ return 0; ++ + if (size > WACOM_PKGLEN_MAX) + return 1; + +@@ -2792,6 +2795,11 @@ static int wacom_probe(struct hid_device + return error; + } + ++ if (features->type == BOOTLOADER) { ++ hid_warn(hdev, "Using device in hidraw-only mode"); ++ return hid_hw_start(hdev, HID_CONNECT_HIDRAW); ++ } ++ + error = wacom_parse_and_register(wacom, false); + if (error) + return error; +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -4813,6 +4813,9 @@ static const struct wacom_features wacom + static const struct wacom_features wacom_features_HID_ANY_ID = + { "Wacom HID", .type = HID_GENERIC, .oVid = HID_ANY_ID, .oPid = HID_ANY_ID }; + ++static const struct wacom_features wacom_features_0x94 = ++ { "Wacom Bootloader", .type = BOOTLOADER }; ++ + #define USB_DEVICE_WACOM(prod) \ + HID_DEVICE(BUS_USB, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\ + .driver_data = (kernel_ulong_t)&wacom_features_##prod +@@ -4886,6 +4889,7 @@ const struct hid_device_id wacom_ids[] = + { USB_DEVICE_WACOM(0x84) }, + { USB_DEVICE_WACOM(0x90) }, + { USB_DEVICE_WACOM(0x93) }, ++ { USB_DEVICE_WACOM(0x94) }, + { USB_DEVICE_WACOM(0x97) }, + { USB_DEVICE_WACOM(0x9A) }, + { USB_DEVICE_WACOM(0x9F) }, +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -242,6 +242,7 @@ enum { + MTTPC, + MTTPC_B, + HID_GENERIC, ++ BOOTLOADER, + MAX_TYPE + }; + diff --git a/queue-5.15/iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch b/queue-5.15/iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch new file mode 100644 index 00000000000..77ee74c5c7f --- /dev/null +++ b/queue-5.15/iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch @@ -0,0 +1,54 @@ +From 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Tue, 20 Sep 2022 13:28:07 +0200 +Subject: iio: adc: ad_sigma_delta: do not use internal iio_dev lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 upstream. + +Drop 'mlock' usage by making use of iio_device_claim_direct_mode(). +This change actually makes sure we cannot do a single conversion while +buffering is enable. Note there was a potential race in the previous +code since we were only acquiring the lock after checking if the bus is +enabled. + +Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices") +Signed-off-by: Nuno Sá +Reviewed-by: Miquel Raynal +Cc: #No rush as race is very old. +Link: https://lore.kernel.org/r/20220920112821.975359-2-nuno.sa@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad_sigma_delta.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -280,10 +280,10 @@ int ad_sigma_delta_single_conversion(str + unsigned int data_reg; + int ret = 0; + +- if (iio_buffer_enabled(indio_dev)) +- return -EBUSY; ++ ret = iio_device_claim_direct_mode(indio_dev); ++ if (ret) ++ return ret; + +- mutex_lock(&indio_dev->mlock); + ad_sigma_delta_set_channel(sigma_delta, chan->address); + + spi_bus_lock(sigma_delta->spi->master); +@@ -322,7 +322,7 @@ out: + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + sigma_delta->bus_locked = false; + spi_bus_unlock(sigma_delta->spi->master); +- mutex_unlock(&indio_dev->mlock); ++ iio_device_release_direct_mode(indio_dev); + + if (ret) + return ret; diff --git a/queue-5.15/iio-adc128s052-add-proper-.data-members-in-adc128_of_match-table.patch b/queue-5.15/iio-adc128s052-add-proper-.data-members-in-adc128_of_match-table.patch new file mode 100644 index 00000000000..a81a679a35d --- /dev/null +++ b/queue-5.15/iio-adc128s052-add-proper-.data-members-in-adc128_of_match-table.patch @@ -0,0 +1,53 @@ +From e2af60f5900c6ade53477b494ffb54690eee11f5 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Tue, 15 Nov 2022 14:23:23 +0100 +Subject: iio: adc128s052: add proper .data members in adc128_of_match table + +From: Rasmus Villemoes + +commit e2af60f5900c6ade53477b494ffb54690eee11f5 upstream. + +Prior to commit bd5d54e4d49d ("iio: adc128s052: add ACPI _HID +AANT1280"), the driver unconditionally used spi_get_device_id() to get +the index into the adc128_config array. + +However, with that commit, OF-based boards now incorrectly treat all +supported sensors as if they are an adc128s052, because all the .data +members of the adc128_of_match table are implicitly 0. Our board, +which has an adc122s021, thus exposes 8 channels whereas it really +only has two. + +Fixes: bd5d54e4d49d ("iio: adc128s052: add ACPI _HID AANT1280") +Signed-off-by: Rasmus Villemoes +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221115132324.1078169-1-linux@rasmusvillemoes.dk +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ti-adc128s052.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/iio/adc/ti-adc128s052.c ++++ b/drivers/iio/adc/ti-adc128s052.c +@@ -193,13 +193,13 @@ static int adc128_remove(struct spi_devi + } + + static const struct of_device_id adc128_of_match[] = { +- { .compatible = "ti,adc128s052", }, +- { .compatible = "ti,adc122s021", }, +- { .compatible = "ti,adc122s051", }, +- { .compatible = "ti,adc122s101", }, +- { .compatible = "ti,adc124s021", }, +- { .compatible = "ti,adc124s051", }, +- { .compatible = "ti,adc124s101", }, ++ { .compatible = "ti,adc128s052", .data = (void*)0L, }, ++ { .compatible = "ti,adc122s021", .data = (void*)1L, }, ++ { .compatible = "ti,adc122s051", .data = (void*)1L, }, ++ { .compatible = "ti,adc122s101", .data = (void*)1L, }, ++ { .compatible = "ti,adc124s021", .data = (void*)2L, }, ++ { .compatible = "ti,adc124s051", .data = (void*)2L, }, ++ { .compatible = "ti,adc124s101", .data = (void*)2L, }, + { /* sentinel */ }, + }; + MODULE_DEVICE_TABLE(of, adc128_of_match); diff --git a/queue-5.15/iio-fix-memory-leak-in-iio_device_register_eventset.patch b/queue-5.15/iio-fix-memory-leak-in-iio_device_register_eventset.patch new file mode 100644 index 00000000000..6b666882d2c --- /dev/null +++ b/queue-5.15/iio-fix-memory-leak-in-iio_device_register_eventset.patch @@ -0,0 +1,52 @@ +From 86fdd15e10e404e70ecb2a3bff24d70356d42b36 Mon Sep 17 00:00:00 2001 +From: Zeng Heng +Date: Tue, 15 Nov 2022 10:37:12 +0800 +Subject: iio: fix memory leak in iio_device_register_eventset() + +From: Zeng Heng + +commit 86fdd15e10e404e70ecb2a3bff24d70356d42b36 upstream. + +When iio_device_register_sysfs_group() returns failed, +iio_device_register_eventset() needs to free attrs array. + +Otherwise, kmemleak would scan & report memory leak as below: + +unreferenced object 0xffff88810a1cc3c0 (size 32): + comm "100-i2c-vcnl302", pid 728, jiffies 4295052307 (age 156.027s) + backtrace: + __kmalloc+0x46/0x1b0 + iio_device_register_eventset at drivers/iio/industrialio-event.c:541 + __iio_device_register at drivers/iio/industrialio-core.c:1959 + __devm_iio_device_register at drivers/iio/industrialio-core.c:2040 + +Fixes: 32f171724e5c ("iio: core: rework iio device group creation") +Signed-off-by: Zeng Heng +Link: https://lore.kernel.org/r/20221115023712.3726854-1-zengheng4@huawei.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-event.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/industrialio-event.c ++++ b/drivers/iio/industrialio-event.c +@@ -549,7 +549,7 @@ int iio_device_register_eventset(struct + + ret = iio_device_register_sysfs_group(indio_dev, &ev_int->group); + if (ret) +- goto error_free_setup_event_lines; ++ goto error_free_group_attrs; + + ev_int->ioctl_handler.ioctl = iio_event_ioctl; + iio_device_ioctl_handler_register(&iio_dev_opaque->indio_dev, +@@ -557,6 +557,8 @@ int iio_device_register_eventset(struct + + return 0; + ++error_free_group_attrs: ++ kfree(ev_int->group.attrs); + error_free_setup_event_lines: + iio_free_chan_devattr_list(&ev_int->dev_attr_list); + kfree(ev_int); diff --git a/queue-5.15/loop-fix-the-max_loop-commandline-argument-treatment-when-it-is-set-to-0.patch b/queue-5.15/loop-fix-the-max_loop-commandline-argument-treatment-when-it-is-set-to-0.patch new file mode 100644 index 00000000000..1374b8ba0d8 --- /dev/null +++ b/queue-5.15/loop-fix-the-max_loop-commandline-argument-treatment-when-it-is-set-to-0.patch @@ -0,0 +1,98 @@ +From 85c50197716c60fe57f411339c579462e563ac57 Mon Sep 17 00:00:00 2001 +From: "Isaac J. Manjarres" +Date: Thu, 8 Dec 2022 13:29:01 -0800 +Subject: loop: Fix the max_loop commandline argument treatment when it is set to 0 + +From: Isaac J. Manjarres + +commit 85c50197716c60fe57f411339c579462e563ac57 upstream. + +Currently, the max_loop commandline argument can be used to specify how +many loop block devices are created at init time. If it is not +specified on the commandline, CONFIG_BLK_DEV_LOOP_MIN_COUNT loop block +devices will be created. + +The max_loop commandline argument can be used to override the value of +CONFIG_BLK_DEV_LOOP_MIN_COUNT. However, when max_loop is set to 0 +through the commandline, the current logic treats it as if it had not +been set, and creates CONFIG_BLK_DEV_LOOP_MIN_COUNT devices anyway. + +Fix this by starting max_loop off as set to CONFIG_BLK_DEV_LOOP_MIN_COUNT. +This preserves the intended behavior of creating +CONFIG_BLK_DEV_LOOP_MIN_COUNT loop block devices if the max_loop +commandline parameter is not specified, and allowing max_loop to +be respected for all values, including 0. + +This allows environments that can create all of their required loop +block devices on demand to not have to unnecessarily preallocate loop +block devices. + +Fixes: 732850827450 ("remove artificial software max_loop limit") +Cc: stable@vger.kernel.org +Cc: Ken Chen +Signed-off-by: Isaac J. Manjarres +Link: https://lore.kernel.org/r/20221208212902.765781-1-isaacmanjarres@google.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/loop.c | 28 ++++++++++++---------------- + 1 file changed, 12 insertions(+), 16 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -2091,7 +2091,16 @@ static const struct block_device_operati + /* + * And now the modules code and kernel interface. + */ +-static int max_loop; ++ ++/* ++ * If max_loop is specified, create that many devices upfront. ++ * This also becomes a hard limit. If max_loop is not specified, ++ * create CONFIG_BLK_DEV_LOOP_MIN_COUNT loop devices at module ++ * init time. Loop devices can be requested on-demand with the ++ * /dev/loop-control interface, or be instantiated by accessing ++ * a 'dead' device node. ++ */ ++static int max_loop = CONFIG_BLK_DEV_LOOP_MIN_COUNT; + module_param(max_loop, int, 0444); + MODULE_PARM_DESC(max_loop, "Maximum number of loop devices"); + module_param(max_part, int, 0444); +@@ -2536,7 +2545,7 @@ MODULE_ALIAS("devname:loop-control"); + + static int __init loop_init(void) + { +- int i, nr; ++ int i; + int err; + + part_shift = 0; +@@ -2564,19 +2573,6 @@ static int __init loop_init(void) + goto err_out; + } + +- /* +- * If max_loop is specified, create that many devices upfront. +- * This also becomes a hard limit. If max_loop is not specified, +- * create CONFIG_BLK_DEV_LOOP_MIN_COUNT loop devices at module +- * init time. Loop devices can be requested on-demand with the +- * /dev/loop-control interface, or be instantiated by accessing +- * a 'dead' device node. +- */ +- if (max_loop) +- nr = max_loop; +- else +- nr = CONFIG_BLK_DEV_LOOP_MIN_COUNT; +- + err = misc_register(&loop_misc); + if (err < 0) + goto err_out; +@@ -2588,7 +2584,7 @@ static int __init loop_init(void) + } + + /* pre-create number of devices given by config or max_loop */ +- for (i = 0; i < nr; i++) ++ for (i = 0; i < max_loop; i++) + loop_add(i); + + printk(KERN_INFO "loop: module loaded\n"); diff --git a/queue-5.15/regulator-core-fix-deadlock-on-regulator-enable.patch b/queue-5.15/regulator-core-fix-deadlock-on-regulator-enable.patch new file mode 100644 index 00000000000..33dba7f3922 --- /dev/null +++ b/queue-5.15/regulator-core-fix-deadlock-on-regulator-enable.patch @@ -0,0 +1,65 @@ +From cb3543cff90a4448ed560ac86c98033ad5fecda9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 15 Dec 2022 11:46:46 +0100 +Subject: regulator: core: fix deadlock on regulator enable + +From: Johan Hovold + +commit cb3543cff90a4448ed560ac86c98033ad5fecda9 upstream. + +When updating the operating mode as part of regulator enable, the caller +has already locked the regulator tree and drms_uA_update() must not try +to do the same in order not to trigger a deadlock. + +The lock inversion is reported by lockdep as: + + ====================================================== + WARNING: possible circular locking dependency detected + 6.1.0-next-20221215 #142 Not tainted + ------------------------------------------------------ + udevd/154 is trying to acquire lock: + ffffc11f123d7e50 (regulator_list_mutex){+.+.}-{3:3}, at: regulator_lock_dependent+0x54/0x280 + + but task is already holding lock: + ffff80000e4c36e8 (regulator_ww_class_acquire){+.+.}-{0:0}, at: regulator_enable+0x34/0x80 + + which lock already depends on the new lock. + + ... + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(regulator_ww_class_acquire); + lock(regulator_list_mutex); + lock(regulator_ww_class_acquire); + lock(regulator_list_mutex); + + *** DEADLOCK *** + +just before probe of a Qualcomm UFS controller (occasionally) deadlocks +when enabling one of its regulators. + +Fixes: 9243a195be7a ("regulator: core: Change voltage setting path") +Fixes: f8702f9e4aa7 ("regulator: core: Use ww_mutex for regulators locking") +Cc: stable@vger.kernel.org # 5.0 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20221215104646.19818-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -962,7 +962,7 @@ static int drms_uA_update(struct regulat + /* get input voltage */ + input_uV = 0; + if (rdev->supply) +- input_uV = regulator_get_voltage(rdev->supply); ++ input_uV = regulator_get_voltage_rdev(rdev->supply->rdev); + if (input_uV <= 0) + input_uV = rdev->constraints->input_uV; + if (input_uV <= 0) { diff --git a/queue-5.15/reiserfs-add-missing-calls-to-reiserfs_security_free.patch b/queue-5.15/reiserfs-add-missing-calls-to-reiserfs_security_free.patch new file mode 100644 index 00000000000..b5ded46b31c --- /dev/null +++ b/queue-5.15/reiserfs-add-missing-calls-to-reiserfs_security_free.patch @@ -0,0 +1,89 @@ +From 572302af1258459e124437b8f3369357447afac7 Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Thu, 10 Nov 2022 10:46:35 +0100 +Subject: reiserfs: Add missing calls to reiserfs_security_free() + +From: Roberto Sassu + +commit 572302af1258459e124437b8f3369357447afac7 upstream. + +Commit 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes +during inode creation") defined reiserfs_security_free() to free the name +and value of a security xattr allocated by the active LSM through +security_old_inode_init_security(). However, this function is not called +in the reiserfs code. + +Thus, add a call to reiserfs_security_free() whenever +reiserfs_security_init() is called, and initialize value to NULL, to avoid +to call kfree() on an uninitialized pointer. + +Finally, remove the kfree() for the xattr name, as it is not allocated +anymore. + +Fixes: 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes during inode creation") +Cc: stable@vger.kernel.org +Cc: Jeff Mahoney +Cc: Tetsuo Handa +Reported-by: Mimi Zohar +Reported-by: Tetsuo Handa +Signed-off-by: Roberto Sassu +Reviewed-by: Mimi Zohar +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + fs/reiserfs/namei.c | 4 ++++ + fs/reiserfs/xattr_security.c | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/reiserfs/namei.c ++++ b/fs/reiserfs/namei.c +@@ -696,6 +696,7 @@ static int reiserfs_create(struct user_n + + out_failed: + reiserfs_write_unlock(dir->i_sb); ++ reiserfs_security_free(&security); + return retval; + } + +@@ -779,6 +780,7 @@ static int reiserfs_mknod(struct user_na + + out_failed: + reiserfs_write_unlock(dir->i_sb); ++ reiserfs_security_free(&security); + return retval; + } + +@@ -878,6 +880,7 @@ static int reiserfs_mkdir(struct user_na + retval = journal_end(&th); + out_failed: + reiserfs_write_unlock(dir->i_sb); ++ reiserfs_security_free(&security); + return retval; + } + +@@ -1194,6 +1197,7 @@ static int reiserfs_symlink(struct user_ + retval = journal_end(&th); + out_failed: + reiserfs_write_unlock(parent_dir->i_sb); ++ reiserfs_security_free(&security); + return retval; + } + +--- a/fs/reiserfs/xattr_security.c ++++ b/fs/reiserfs/xattr_security.c +@@ -50,6 +50,7 @@ int reiserfs_security_init(struct inode + int error; + + sec->name = NULL; ++ sec->value = NULL; + + /* Don't add selinux attributes on xattrs - they'll never get used */ + if (IS_PRIVATE(dir)) +@@ -95,7 +96,6 @@ int reiserfs_security_write(struct reise + + void reiserfs_security_free(struct reiserfs_security_handle *sec) + { +- kfree(sec->name); + kfree(sec->value); + sec->name = NULL; + sec->value = NULL; diff --git a/queue-5.15/security-restrict-config_zero_call_used_regs-to-gcc-or-clang-15.0.6.patch b/queue-5.15/security-restrict-config_zero_call_used_regs-to-gcc-or-clang-15.0.6.patch new file mode 100644 index 00000000000..e24508277d3 --- /dev/null +++ b/queue-5.15/security-restrict-config_zero_call_used_regs-to-gcc-or-clang-15.0.6.patch @@ -0,0 +1,37 @@ +From d6a9fb87e9d18f3394a9845546bbe868efdccfd2 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 14 Dec 2022 16:26:03 -0700 +Subject: security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6 + +From: Nathan Chancellor + +commit d6a9fb87e9d18f3394a9845546bbe868efdccfd2 upstream. + +A bad bug in clang's implementation of -fzero-call-used-regs can result +in NULL pointer dereferences (see the links above the check for more +information). Restrict CONFIG_CC_HAS_ZERO_CALL_USED_REGS to either a +supported GCC version or a clang newer than 15.0.6, which will catch +both a theoretical 15.0.7 and the upcoming 16.0.0, which will both have +the bug fixed. + +Cc: stable@vger.kernel.org # v5.15+ +Signed-off-by: Nathan Chancellor +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221214232602.4118147-1-nathan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + security/Kconfig.hardening | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/security/Kconfig.hardening ++++ b/security/Kconfig.hardening +@@ -240,6 +240,9 @@ config INIT_ON_FREE_DEFAULT_ON + + config CC_HAS_ZERO_CALL_USED_REGS + def_bool $(cc-option,-fzero-call-used-regs=used-gpr) ++ # https://github.com/ClangBuiltLinux/linux/issues/1766 ++ # https://github.com/llvm/llvm-project/issues/59242 ++ depends on !CC_IS_CLANG || CLANG_VERSION > 150006 + + config ZERO_CALL_USED_REGS + bool "Enable register zeroing on function exit" diff --git a/queue-5.15/series b/queue-5.15/series index b5565240dcd..1934f3e4904 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -709,3 +709,14 @@ arm64-dts-qcom-sm8250-fix-usb-dp-phy-registers.patch usb-dwc3-fix-race-between-dwc3_set_mode-and-__dwc3_set_mode.patch usb-dwc3-core-defer-probe-on-ulpi_read_id-timeout.patch xhci-prevent-infinite-loop-in-transaction-errors-recovery-for-streams.patch +hid-wacom-ensure-bootloader-pid-is-usable-in-hidraw-mode.patch +hid-mcp2221-don-t-connect-hidraw.patch +loop-fix-the-max_loop-commandline-argument-treatment-when-it-is-set-to-0.patch +9p-set-req-refcount-to-zero-to-avoid-uninitialized-usage.patch +security-restrict-config_zero_call_used_regs-to-gcc-or-clang-15.0.6.patch +reiserfs-add-missing-calls-to-reiserfs_security_free.patch +iio-fix-memory-leak-in-iio_device_register_eventset.patch +iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch +iio-adc128s052-add-proper-.data-members-in-adc128_of_match-table.patch +regulator-core-fix-deadlock-on-regulator-enable.patch +floppy-fix-memory-leak-in-do_floppy_init.patch