From: Sasha Levin Date: Wed, 21 Aug 2024 13:31:18 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v6.1.107~98 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ea7f659e2ec236ef4f9e5ee917d7045c9247a5d4;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/bluetooth-bnep-fix-out-of-bound-access.patch b/queue-4.19/bluetooth-bnep-fix-out-of-bound-access.patch new file mode 100644 index 00000000000..2f84fd84478 --- /dev/null +++ b/queue-4.19/bluetooth-bnep-fix-out-of-bound-access.patch @@ -0,0 +1,38 @@ +From a124b7146e2ecb44661c977933a8c4637f73844c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 12:11:08 -0500 +Subject: Bluetooth: bnep: Fix out-of-bound access + +From: Luiz Augusto von Dentz + +[ Upstream commit 0f0639b4d6f649338ce29c62da3ec0787fa08cd1 ] + +This fixes attempting to access past ethhdr.h_source, although it seems +intentional to copy also the contents of h_proto this triggers +out-of-bound access problems with the likes of static analyzer, so this +instead just copy ETH_ALEN and then proceed to use put_unaligned to copy +h_proto separetely. + +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/bnep/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c +index 7b3965861013c..a16d584a6c0d0 100644 +--- a/net/bluetooth/bnep/core.c ++++ b/net/bluetooth/bnep/core.c +@@ -385,7 +385,8 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb) + + case BNEP_COMPRESSED_DST_ONLY: + __skb_put_data(nskb, skb_mac_header(skb), ETH_ALEN); +- __skb_put_data(nskb, s->eh.h_source, ETH_ALEN + 2); ++ __skb_put_data(nskb, s->eh.h_source, ETH_ALEN); ++ put_unaligned(s->eh.h_proto, (__be16 *)__skb_put(nskb, 2)); + break; + + case BNEP_GENERAL: +-- +2.43.0 + diff --git a/queue-4.19/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch b/queue-4.19/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch new file mode 100644 index 00000000000..ed691ef06f0 --- /dev/null +++ b/queue-4.19/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch @@ -0,0 +1,36 @@ +From 36326b7990c65a44778d151c19e9ab8e2da5c6ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Jan 2024 02:26:32 +0100 +Subject: btrfs: change BUG_ON to assertion when checking for delayed_node root + +From: David Sterba + +[ Upstream commit be73f4448b607e6b7ce41cd8ef2214fdf6e7986f ] + +The pointer to root is initialized in btrfs_init_delayed_node(), no need +to check for it again. Change the BUG_ON to assertion. + +Reviewed-by: Josef Bacik +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/delayed-inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c +index fec62782fc86c..fa8f359d89994 100644 +--- a/fs/btrfs/delayed-inode.c ++++ b/fs/btrfs/delayed-inode.c +@@ -984,7 +984,7 @@ static void btrfs_release_delayed_inode(struct btrfs_delayed_node *delayed_node) + + if (delayed_node && + test_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags)) { +- BUG_ON(!delayed_node->root); ++ ASSERT(delayed_node->root); + clear_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags); + delayed_node->count--; + +-- +2.43.0 + diff --git a/queue-4.19/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch b/queue-4.19/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch new file mode 100644 index 00000000000..548ad2e6572 --- /dev/null +++ b/queue-4.19/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch @@ -0,0 +1,40 @@ +From bf02b9e07be6c5fb4e5eb08dc2b4e0538e5bfe8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 23:20:53 +0100 +Subject: btrfs: delete pointless BUG_ON check on quota root in + btrfs_qgroup_account_extent() + +From: David Sterba + +[ Upstream commit f40a3ea94881f668084f68f6b9931486b1606db0 ] + +The BUG_ON is deep in the qgroup code where we can expect that it +exists. A NULL pointer would cause a crash. + +It was added long ago in 550d7a2ed5db35 ("btrfs: qgroup: Add new qgroup +calculation function btrfs_qgroup_account_extents()."). It maybe made +sense back then as the quota enable/disable state machine was not that +robust as it is nowadays, so we can just delete it. + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index ef95525fa6cdf..770e6f652a1e5 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2095,8 +2095,6 @@ int btrfs_qgroup_account_extent(struct btrfs_trans_handle *trans, u64 bytenr, + if (nr_old_roots == 0 && nr_new_roots == 0) + goto out_free; + +- BUG_ON(!fs_info->quota_root); +- + trace_btrfs_qgroup_account_extent(fs_info, trans->transid, bytenr, + num_bytes, nr_old_roots, nr_new_roots); + +-- +2.43.0 + diff --git a/queue-4.19/btrfs-handle-invalid-root-reference-found-in-may_des.patch b/queue-4.19/btrfs-handle-invalid-root-reference-found-in-may_des.patch new file mode 100644 index 00000000000..1c377bc7e53 --- /dev/null +++ b/queue-4.19/btrfs-handle-invalid-root-reference-found-in-may_des.patch @@ -0,0 +1,42 @@ +From 92fc3855e3d0b44364e5b32c9ec0f0edb8b16010 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jan 2024 22:58:01 +0100 +Subject: btrfs: handle invalid root reference found in may_destroy_subvol() + +From: David Sterba + +[ Upstream commit 6fbc6f4ac1f4907da4fc674251527e7dc79ffbf6 ] + +The may_destroy_subvol() looks up a root by a key, allowing to do an +inexact search when key->offset is -1. It's never expected to find such +item, as it would break the allowed range of a root id. + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 7f675862ffb0e..15ebebed40056 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4296,7 +4296,14 @@ static noinline int may_destroy_subvol(struct btrfs_root *root) + ret = btrfs_search_slot(NULL, fs_info->tree_root, &key, path, 0, 0); + if (ret < 0) + goto out; +- BUG_ON(ret == 0); ++ if (ret == 0) { ++ /* ++ * Key with offset -1 found, there would have to exist a root ++ * with such id, but this is out of valid range. ++ */ ++ ret = -EUCLEAN; ++ goto out; ++ } + + ret = 0; + if (path->slots[0] > 0) { +-- +2.43.0 + diff --git a/queue-4.19/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch b/queue-4.19/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch new file mode 100644 index 00000000000..c1299164e50 --- /dev/null +++ b/queue-4.19/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch @@ -0,0 +1,40 @@ +From 26a613e0b6c729eeaac39d77510846d030fb75ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 22:47:13 +0100 +Subject: btrfs: send: handle unexpected data in header buffer in begin_cmd() + +From: David Sterba + +[ Upstream commit e80e3f732cf53c64b0d811e1581470d67f6c3228 ] + +Change BUG_ON to a proper error handling in the unlikely case of seeing +data when the command is started. This is supposed to be reset when the +command is finished (send_cmd, send_encoded_extent). + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index e3b6ca9176afe..2840abf2037b1 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -677,7 +677,12 @@ static int begin_cmd(struct send_ctx *sctx, int cmd) + if (WARN_ON(!sctx->send_buf)) + return -EINVAL; + +- BUG_ON(sctx->send_size); ++ if (unlikely(sctx->send_size != 0)) { ++ btrfs_err(sctx->send_root->fs_info, ++ "send: command header buffer not empty cmd %d offset %llu", ++ cmd, sctx->send_off); ++ return -EINVAL; ++ } + + sctx->send_size += sizeof(*hdr); + hdr = (struct btrfs_cmd_header *)sctx->send_buf; +-- +2.43.0 + diff --git a/queue-4.19/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch b/queue-4.19/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch new file mode 100644 index 00000000000..5603d475fd4 --- /dev/null +++ b/queue-4.19/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch @@ -0,0 +1,38 @@ +From c4aed850fea42bc2e942505c0d3fdaa1362e1578 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jan 2024 22:20:34 +0800 +Subject: ext4: do not trim the group with corrupted block bitmap + +From: Baokun Li + +[ Upstream commit 172202152a125955367393956acf5f4ffd092e0d ] + +Otherwise operating on an incorrupted block bitmap can lead to all sorts +of unknown problems. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240104142040.2835097-3-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 5dcc3cad5c7d3..75dbe40ed8f72 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5219,6 +5219,9 @@ static int ext4_try_to_trim_range(struct super_block *sb, + bool set_trimmed = false; + void *bitmap; + ++ if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) ++ return 0; ++ + last = ext4_last_grp_cluster(sb, e4b->bd_group); + bitmap = e4b->bd_bitmap; + if (start == 0 && max >= last) +-- +2.43.0 + diff --git a/queue-4.19/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch b/queue-4.19/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch new file mode 100644 index 00000000000..bac140fedce --- /dev/null +++ b/queue-4.19/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch @@ -0,0 +1,42 @@ +From 89c3d6bfda66c716a70324d205b847dc99fd426d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 19:33:24 +0800 +Subject: ext4: set the type of max_zeroout to unsigned int to avoid overflow + +From: Baokun Li + +[ Upstream commit 261341a932d9244cbcd372a3659428c8723e5a49 ] + +The max_zeroout is of type int and the s_extent_max_zeroout_kb is of +type uint, and the s_extent_max_zeroout_kb can be freely modified via +the sysfs interface. When the block size is 1024, max_zeroout may +overflow, so declare it as unsigned int to avoid overflow. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240319113325.3110393-9-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/extents.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index d931252b7d0d1..d162cc0590533 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -3445,9 +3445,10 @@ static int ext4_ext_convert_to_initialized(handle_t *handle, + struct ext4_extent *ex, *abut_ex; + ext4_lblk_t ee_block, eof_block; + unsigned int ee_len, depth, map_len = map->m_len; +- int allocated = 0, max_zeroout = 0; + int err = 0; + int split_flag = EXT4_EXT_DATA_VALID2; ++ int allocated = 0; ++ unsigned int max_zeroout = 0; + + ext_debug("ext4_ext_convert_to_initialized: inode %lu, logical" + "block %llu, max_blocks %u\n", inode->i_ino, +-- +2.43.0 + diff --git a/queue-4.19/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch b/queue-4.19/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch new file mode 100644 index 00000000000..ad7fdc406c1 --- /dev/null +++ b/queue-4.19/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch @@ -0,0 +1,50 @@ +From f8770d25c5af27da52519e5ebb55241ef5059289 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 19:59:54 +0800 +Subject: f2fs: fix to do sanity check in update_sit_entry + +From: Zhiguo Niu + +[ Upstream commit 36959d18c3cf09b3c12157c6950e18652067de77 ] + +If GET_SEGNO return NULL_SEGNO for some unecpected case, +update_sit_entry will access invalid memory address, +cause system crash. It is better to do sanity check about +GET_SEGNO just like update_segment_mtime & locate_dirty_segment. + +Also remove some redundant judgment code. + +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 34090edc8ce25..6750cda692cc3 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -2018,6 +2018,8 @@ static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del) + #endif + + segno = GET_SEGNO(sbi, blkaddr); ++ if (segno == NULL_SEGNO) ++ return; + + se = get_seg_entry(sbi, segno); + new_vblocks = se->valid_blocks + del; +@@ -2935,8 +2937,7 @@ void f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page, + * since SSR needs latest valid block information. + */ + update_sit_entry(sbi, *new_blkaddr, 1); +- if (GET_SEGNO(sbi, old_blkaddr) != NULL_SEGNO) +- update_sit_entry(sbi, old_blkaddr, -1); ++ update_sit_entry(sbi, old_blkaddr, -1); + + if (!__has_curseg_space(sbi, type)) + sit_i->s_ops->allocate_segment(sbi, type, false); +-- +2.43.0 + diff --git a/queue-4.19/fbdev-offb-replace-of_node_put-with-__free-device_no.patch b/queue-4.19/fbdev-offb-replace-of_node_put-with-__free-device_no.patch new file mode 100644 index 00000000000..ef8520a31a8 --- /dev/null +++ b/queue-4.19/fbdev-offb-replace-of_node_put-with-__free-device_no.patch @@ -0,0 +1,45 @@ +From bd7378b4c91f74c593c678515d52900f2e9a3fc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Apr 2024 21:20:21 -0400 +Subject: fbdev: offb: replace of_node_put with __free(device_node) + +From: Abdulrasaq Lawani + +[ Upstream commit ce4a7ae84a58b9f33aae8d6c769b3c94f3d5ce76 ] + +Replaced instance of of_node_put with __free(device_node) +to simplify code and protect against any memory leaks +due to future changes in the control flow. + +Suggested-by: Julia Lawall +Signed-off-by: Abdulrasaq Lawani +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/offb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/offb.c b/drivers/video/fbdev/offb.c +index 77c0a2f45b3b9..b52c6080abe44 100644 +--- a/drivers/video/fbdev/offb.c ++++ b/drivers/video/fbdev/offb.c +@@ -352,7 +352,7 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp + par->cmap_type = cmap_gxt2000; + } else if (dp && !strncmp(name, "vga,Display-", 12)) { + /* Look for AVIVO initialized by SLOF */ +- struct device_node *pciparent = of_get_parent(dp); ++ struct device_node *pciparent __free(device_node) = of_get_parent(dp); + const u32 *vid, *did; + vid = of_get_property(pciparent, "vendor-id", NULL); + did = of_get_property(pciparent, "device-id", NULL); +@@ -364,7 +364,6 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp + if (par->cmap_adr) + par->cmap_type = cmap_avivo; + } +- of_node_put(pciparent); + } else if (dp && of_device_is_compatible(dp, "qemu,std-vga")) { + #ifdef __BIG_ENDIAN + const __be32 io_of_addr[3] = { 0x01000000, 0x0, 0x0 }; +-- +2.43.0 + diff --git a/queue-4.19/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch b/queue-4.19/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch new file mode 100644 index 00000000000..bcc6b9aea89 --- /dev/null +++ b/queue-4.19/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch @@ -0,0 +1,43 @@ +From 8fc2881465cd39fff94ba6c9df53844e31807fcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 07:06:37 -0800 +Subject: fs: binfmt_elf_efpic: don't use missing interpreter's properties + +From: Max Filippov + +[ Upstream commit 15fd1dc3dadb4268207fa6797e753541aca09a2a ] + +Static FDPIC executable may get an executable stack even when it has +non-executable GNU_STACK segment. This happens when STACK segment has rw +permissions, but does not specify stack size. In that case FDPIC loader +uses permissions of the interpreter's stack, and for static executables +with no interpreter it results in choosing the arch-default permissions +for the stack. + +Fix that by using the interpreter's properties only when the interpreter +is actually used. + +Signed-off-by: Max Filippov +Link: https://lore.kernel.org/r/20240118150637.660461-1-jcmvbkbc@gmail.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf_fdpic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c +index a7c2efcd0a4a3..0dbbb3a21e6c3 100644 +--- a/fs/binfmt_elf_fdpic.c ++++ b/fs/binfmt_elf_fdpic.c +@@ -324,7 +324,7 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm) + else + executable_stack = EXSTACK_DEFAULT; + +- if (stack_size == 0) { ++ if (stack_size == 0 && interp_params.flags & ELF_FDPIC_FLAG_PRESENT) { + stack_size = interp_params.stack_size; + if (interp_params.flags & ELF_FDPIC_FLAG_EXEC_STACK) + executable_stack = EXSTACK_ENABLE_X; +-- +2.43.0 + diff --git a/queue-4.19/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch b/queue-4.19/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch new file mode 100644 index 00000000000..386c099d732 --- /dev/null +++ b/queue-4.19/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch @@ -0,0 +1,44 @@ +From 3b235d37b2d97bbcc87699a30b4a73d96559c110 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2024 21:31:36 +0800 +Subject: hrtimer: Prevent queuing of hrtimer without a function callback + +From: Phil Chang + +[ Upstream commit 5a830bbce3af16833fe0092dec47b6dd30279825 ] + +The hrtimer function callback must not be NULL. It has to be specified by +the call side but it is not validated by the hrtimer code. When a hrtimer +is queued without a function callback, the kernel crashes with a null +pointer dereference when trying to execute the callback in __run_hrtimer(). + +Introduce a validation before queuing the hrtimer in +hrtimer_start_range_ns(). + +[anna-maria: Rephrase commit message] + +Signed-off-by: Phil Chang +Signed-off-by: Anna-Maria Behnsen +Signed-off-by: Thomas Gleixner +Reviewed-by: Anna-Maria Behnsen +Signed-off-by: Sasha Levin +--- + kernel/time/hrtimer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 0eb5b6cc6d939..b600dc1290d7e 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1172,6 +1172,8 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, + struct hrtimer_clock_base *base; + unsigned long flags; + ++ if (WARN_ON_ONCE(!timer->function)) ++ return; + /* + * Check whether the HRTIMER_MODE_SOFT bit and hrtimer.is_soft + * match. +-- +2.43.0 + diff --git a/queue-4.19/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch b/queue-4.19/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch new file mode 100644 index 00000000000..925afb3a888 --- /dev/null +++ b/queue-4.19/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch @@ -0,0 +1,41 @@ +From edea4e8398c458d82d779606910b1a3461863375 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 14:10:53 +0800 +Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc + +From: Guanrui Huang + +[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ] + +This BUG_ON() is useless, because the same effect will be obtained +by letting the code run its course and vm being dereferenced, +triggering an exception. + +So just remove this check. + +Signed-off-by: Guanrui Huang +Signed-off-by: Thomas Gleixner +Reviewed-by: Zenghui Yu +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index 6b58194c1e346..2e0478e8be747 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -2958,8 +2958,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq + struct page *vprop_page; + int base, nr_ids, i, err = 0; + +- BUG_ON(!vm); +- + bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids); + if (!bitmap) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-4.19/md-clean-up-invalid-bug_on-in-md_ioctl.patch b/queue-4.19/md-clean-up-invalid-bug_on-in-md_ioctl.patch new file mode 100644 index 00000000000..2fb8ddb5fe0 --- /dev/null +++ b/queue-4.19/md-clean-up-invalid-bug_on-in-md_ioctl.patch @@ -0,0 +1,42 @@ +From 5a4e39eef7516ae55ed0dfdbc171d379ccc7aefd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 11:14:38 +0800 +Subject: md: clean up invalid BUG_ON in md_ioctl + +From: Li Nan + +[ Upstream commit 9dd8702e7cd28ebf076ff838933f29cf671165ec ] + +'disk->private_data' is set to mddev in md_alloc() and never set to NULL, +and users need to open mddev before submitting ioctl. So mddev must not +have been freed during ioctl, and there is no need to check mddev here. +Clean up it. + +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20240226031444.3606764-4-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 68eb3220be1c9..6f463eec60b48 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7245,11 +7245,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, + + mddev = bdev->bd_disk->private_data; + +- if (!mddev) { +- BUG(); +- goto out; +- } +- + /* Some actions do not requires the mutex */ + switch (cmd) { + case GET_ARRAY_INFO: +-- +2.43.0 + diff --git a/queue-4.19/media-pci-cx23885-check-cx23885_vdev_init-return.patch b/queue-4.19/media-pci-cx23885-check-cx23885_vdev_init-return.patch new file mode 100644 index 00000000000..aa48f47e791 --- /dev/null +++ b/queue-4.19/media-pci-cx23885-check-cx23885_vdev_init-return.patch @@ -0,0 +1,50 @@ +From 33b9c9655cff418833f0fc6ba4018f9b1bf16878 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 08:58:49 +0200 +Subject: media: pci: cx23885: check cx23885_vdev_init() return + +From: Hans Verkuil + +[ Upstream commit 15126b916e39b0cb67026b0af3c014bfeb1f76b3 ] + +cx23885_vdev_init() can return a NULL pointer, but that pointer +is used in the next line without a check. + +Add a NULL pointer check and go to the error unwind if it is NULL. + +Signed-off-by: Hans Verkuil +Reported-by: Sicong Huang +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx23885/cx23885-video.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c +index 16564899f1141..435a3c1c7e650 100644 +--- a/drivers/media/pci/cx23885/cx23885-video.c ++++ b/drivers/media/pci/cx23885/cx23885-video.c +@@ -1297,6 +1297,10 @@ int cx23885_video_register(struct cx23885_dev *dev) + /* register Video device */ + dev->video_dev = cx23885_vdev_init(dev, dev->pci, + &cx23885_video_template, "video"); ++ if (!dev->video_dev) { ++ err = -ENOMEM; ++ goto fail_unreg; ++ } + dev->video_dev->queue = &dev->vb2_vidq; + err = video_register_device(dev->video_dev, VFL_TYPE_GRABBER, + video_nr[dev->nr]); +@@ -1311,6 +1315,10 @@ int cx23885_video_register(struct cx23885_dev *dev) + /* register VBI device */ + dev->vbi_dev = cx23885_vdev_init(dev, dev->pci, + &cx23885_vbi_template, "vbi"); ++ if (!dev->vbi_dev) { ++ err = -ENOMEM; ++ goto fail_unreg; ++ } + dev->vbi_dev->queue = &dev->vb2_vbiq; + err = video_register_device(dev->vbi_dev, VFL_TYPE_VBI, + vbi_nr[dev->nr]); +-- +2.43.0 + diff --git a/queue-4.19/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch b/queue-4.19/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch new file mode 100644 index 00000000000..5e645e3bd6b --- /dev/null +++ b/queue-4.19/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch @@ -0,0 +1,51 @@ +From a3ec9a4c0754a8d58fc0c6cb5c8b305309842ba4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 08:16:54 -0800 +Subject: net/sun3_82586: Avoid reading past buffer in debug output + +From: Kees Cook + +[ Upstream commit 4bea747f3fbec33c16d369b2f51e55981d7c78d0 ] + +Since NUM_XMIT_BUFFS is always 1, building m68k with sun3_defconfig and +-Warraybounds, this build warning is visible[1]: + +drivers/net/ethernet/i825xx/sun3_82586.c: In function 'sun3_82586_timeout': +drivers/net/ethernet/i825xx/sun3_82586.c:990:122: warning: array subscript 1 is above array bounds of 'volatile struct transmit_cmd_struct *[1]' [-Warray-bounds=] + 990 | printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status)); + | ~~~~~~~~~~~~^~~ +... +drivers/net/ethernet/i825xx/sun3_82586.c:156:46: note: while referencing 'xmit_cmds' + 156 | volatile struct transmit_cmd_struct *xmit_cmds[NUM_XMIT_BUFFS]; + +Avoid accessing index 1 since it doesn't exist. + +Link: https://github.com/KSPP/linux/issues/325 [1] +Cc: Sam Creasey +Signed-off-by: Kees Cook +Reviewed-by: Simon Horman +Tested-by: Simon Horman # build-tested +Reviewed-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/20240206161651.work.876-kees@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/i825xx/sun3_82586.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/i825xx/sun3_82586.c b/drivers/net/ethernet/i825xx/sun3_82586.c +index 1a86184d44c0a..e0c9fee4e1e65 100644 +--- a/drivers/net/ethernet/i825xx/sun3_82586.c ++++ b/drivers/net/ethernet/i825xx/sun3_82586.c +@@ -990,7 +990,7 @@ static void sun3_82586_timeout(struct net_device *dev) + { + #ifdef DEBUG + printk("%s: xmitter timed out, try to restart! stat: %02x\n",dev->name,p->scb->cus); +- printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status)); ++ printk("%s: command-stats: %04x\n", dev->name, swab16(p->xmit_cmds[0]->cmd_status)); + printk("%s: check, whether you set the right interrupt number!\n",dev->name); + #endif + sun3_82586_close(dev); +-- +2.43.0 + diff --git a/queue-4.19/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch b/queue-4.19/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch new file mode 100644 index 00000000000..970b6e6ce51 --- /dev/null +++ b/queue-4.19/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch @@ -0,0 +1,49 @@ +From d56dce3ad484823bd5118e1968d577c182d0ebb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 11:24:53 +1100 +Subject: NFS: avoid infinite loop in pnfs_update_layout. + +From: NeilBrown + +[ Upstream commit 2fdbc20036acda9e5694db74a032d3c605323005 ] + +If pnfsd_update_layout() is called on a file for which recovery has +failed it will enter a tight infinite loop. + +NFS_LAYOUT_INVALID_STID will be set, nfs4_select_rw_stateid() will +return -EIO, and nfs4_schedule_stateid_recovery() will do nothing, so +nfs4_client_recover_expired_lease() will not wait. So the code will +loop indefinitely. + +Break the loop by testing the validity of the open stateid at the top of +the loop. + +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index cfb1fe5dfb1e1..7a0d9a1e6d134 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1889,6 +1889,14 @@ pnfs_update_layout(struct inode *ino, + } + + lookup_again: ++ if (!nfs4_valid_open_stateid(ctx->state)) { ++ trace_pnfs_update_layout(ino, pos, count, ++ iomode, lo, lseg, ++ PNFS_UPDATE_LAYOUT_INVALID_OPEN); ++ lseg = ERR_PTR(-EIO); ++ goto out; ++ } ++ + lseg = ERR_PTR(nfs4_client_recover_expired_lease(clp)); + if (IS_ERR(lseg)) + goto out; +-- +2.43.0 + diff --git a/queue-4.19/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch b/queue-4.19/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch new file mode 100644 index 00000000000..b212d800ab9 --- /dev/null +++ b/queue-4.19/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch @@ -0,0 +1,85 @@ +From 2d0955213bba30349e3a580ae5a3b4b462c234e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 10:53:06 +0300 +Subject: nvmet-rdma: fix possible bad dereference when freeing rsps + +From: Sagi Grimberg + +[ Upstream commit 73964c1d07c054376f1b32a62548571795159148 ] + +It is possible that the host connected and saw a cm established +event and started sending nvme capsules on the qp, however the +ctrl did not yet see an established event. This is why the +rsp_wait_list exists (for async handling of these cmds, we move +them to a pending list). + +Furthermore, it is possible that the ctrl cm times out, resulting +in a connect-error cm event. in this case we hit a bad deref [1] +because in nvmet_rdma_free_rsps we assume that all the responses +are in the free list. + +We are freeing the cmds array anyways, so don't even bother to +remove the rsp from the free_list. It is also guaranteed that we +are not racing anything when we are releasing the queue so no +other context accessing this array should be running. + +[1]: +-- +Workqueue: nvmet-free-wq nvmet_rdma_free_queue_work [nvmet_rdma] +[...] +pc : nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma] +lr : nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma] + Call trace: + nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma] + nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma] + process_one_work+0x1ec/0x4a0 + worker_thread+0x48/0x490 + kthread+0x158/0x160 + ret_from_fork+0x10/0x18 +-- + +Signed-off-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/rdma.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c +index cfd26437aeaea..7889a55156f4d 100644 +--- a/drivers/nvme/target/rdma.c ++++ b/drivers/nvme/target/rdma.c +@@ -435,12 +435,8 @@ nvmet_rdma_alloc_rsps(struct nvmet_rdma_queue *queue) + return 0; + + out_free: +- while (--i >= 0) { +- struct nvmet_rdma_rsp *rsp = &queue->rsps[i]; +- +- list_del(&rsp->free_list); +- nvmet_rdma_free_rsp(ndev, rsp); +- } ++ while (--i >= 0) ++ nvmet_rdma_free_rsp(ndev, &queue->rsps[i]); + kfree(queue->rsps); + out: + return ret; +@@ -451,12 +447,8 @@ static void nvmet_rdma_free_rsps(struct nvmet_rdma_queue *queue) + struct nvmet_rdma_device *ndev = queue->dev; + int i, nr_rsps = queue->recv_queue_size * 2; + +- for (i = 0; i < nr_rsps; i++) { +- struct nvmet_rdma_rsp *rsp = &queue->rsps[i]; +- +- list_del(&rsp->free_list); +- nvmet_rdma_free_rsp(ndev, rsp); +- } ++ for (i = 0; i < nr_rsps; i++) ++ nvmet_rdma_free_rsp(ndev, &queue->rsps[i]); + kfree(queue->rsps); + } + +-- +2.43.0 + diff --git a/queue-4.19/openrisc-call-setup_memory-earlier-in-the-init-seque.patch b/queue-4.19/openrisc-call-setup_memory-earlier-in-the-init-seque.patch new file mode 100644 index 00000000000..9eb017e85b2 --- /dev/null +++ b/queue-4.19/openrisc-call-setup_memory-earlier-in-the-init-seque.patch @@ -0,0 +1,54 @@ +From 1e11022bc396695657474bb079bb254cf575e95b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Feb 2024 16:29:30 -0800 +Subject: openrisc: Call setup_memory() earlier in the init sequence + +From: Oreoluwa Babatunde + +[ Upstream commit 7b432bf376c9c198a7ff48f1ed14a14c0ffbe1fe ] + +The unflatten_and_copy_device_tree() function contains a call to +memblock_alloc(). This means that memblock is allocating memory before +any of the reserved memory regions are set aside in the setup_memory() +function which calls early_init_fdt_scan_reserved_mem(). Therefore, +there is a possibility for memblock to allocate from any of the +reserved memory regions. + +Hence, move the call to setup_memory() to be earlier in the init +sequence so that the reserved memory regions are set aside before any +allocations are done using memblock. + +Signed-off-by: Oreoluwa Babatunde +Signed-off-by: Stafford Horne +Signed-off-by: Sasha Levin +--- + arch/openrisc/kernel/setup.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/openrisc/kernel/setup.c b/arch/openrisc/kernel/setup.c +index f3a7375ac3cd9..f306816c98cb2 100644 +--- a/arch/openrisc/kernel/setup.c ++++ b/arch/openrisc/kernel/setup.c +@@ -287,6 +287,9 @@ void calibrate_delay(void) + + void __init setup_arch(char **cmdline_p) + { ++ /* setup memblock allocator */ ++ setup_memory(); ++ + unflatten_and_copy_device_tree(); + + setup_cpuinfo(); +@@ -311,9 +314,6 @@ void __init setup_arch(char **cmdline_p) + initrd_below_start_ok = 1; + #endif + +- /* setup memblock allocator */ +- setup_memory(); +- + /* paging_init() sets up the MMU and marks all pages as reserved */ + paging_init(); + +-- +2.43.0 + diff --git a/queue-4.19/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch b/queue-4.19/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch new file mode 100644 index 00000000000..cae455cd37c --- /dev/null +++ b/queue-4.19/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch @@ -0,0 +1,60 @@ +From 917da4e505b60ebde7022c3a68c654527c366aa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 23:16:00 +0100 +Subject: parisc: Use irq_enter_rcu() to fix warning at + kernel/context_tracking.c:367 + +From: Helge Deller + +[ Upstream commit 73cb4a2d8d7e0259f94046116727084f21e4599f ] + +Use irq*_rcu() functions to fix this kernel warning: + + WARNING: CPU: 0 PID: 0 at kernel/context_tracking.c:367 ct_irq_enter+0xa0/0xd0 + Modules linked in: + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc3-64bit+ #1037 + Hardware name: 9000/785/C3700 + + IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000412cd758 00000000412cd75c + IIR: 03ffe01f ISR: 0000000000000000 IOR: 0000000043c20c20 + CPU: 0 CR30: 0000000041caa000 CR31: 0000000000000000 + ORIG_R28: 0000000000000005 + IAOQ[0]: ct_irq_enter+0xa0/0xd0 + IAOQ[1]: ct_irq_enter+0xa4/0xd0 + RP(r2): irq_enter+0x34/0x68 + Backtrace: + [<000000004034a3ec>] irq_enter+0x34/0x68 + [<000000004030dc48>] do_cpu_irq_mask+0xc0/0x450 + [<0000000040303070>] intr_return+0x0/0xc + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/irq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c +index 11c1505775f87..6b20a0a11913b 100644 +--- a/arch/parisc/kernel/irq.c ++++ b/arch/parisc/kernel/irq.c +@@ -524,7 +524,7 @@ void do_cpu_irq_mask(struct pt_regs *regs) + + old_regs = set_irq_regs(regs); + local_irq_disable(); +- irq_enter(); ++ irq_enter_rcu(); + + eirr_val = mfctl(23) & cpu_eiem & per_cpu(local_ack_eiem, cpu); + if (!eirr_val) +@@ -559,7 +559,7 @@ void do_cpu_irq_mask(struct pt_regs *regs) + #endif /* CONFIG_IRQSTACKS */ + + out: +- irq_exit(); ++ irq_exit_rcu(); + set_irq_regs(old_regs); + return; + +-- +2.43.0 + diff --git a/queue-4.19/powerpc-boot-handle-allocation-failure-in-simple_rea.patch b/queue-4.19/powerpc-boot-handle-allocation-failure-in-simple_rea.patch new file mode 100644 index 00000000000..6e0e222f4ae --- /dev/null +++ b/queue-4.19/powerpc-boot-handle-allocation-failure-in-simple_rea.patch @@ -0,0 +1,39 @@ +From 4a47a84716de36b3a42e2b0005c95bff471fb499 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Dec 2022 10:18:16 +0800 +Subject: powerpc/boot: Handle allocation failure in simple_realloc() + +From: Li zeming + +[ Upstream commit 69b0194ccec033c208b071e019032c1919c2822d ] + +simple_malloc() will return NULL when there is not enough memory left. +Check pointer 'new' before using it to copy the old data. + +Signed-off-by: Li zeming +[mpe: Reword subject, use change log from Christophe] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20221219021816.3012-1-zeming@nfschina.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/simple_alloc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c +index 65ec135d01579..188c4f996512a 100644 +--- a/arch/powerpc/boot/simple_alloc.c ++++ b/arch/powerpc/boot/simple_alloc.c +@@ -114,7 +114,9 @@ static void *simple_realloc(void *ptr, unsigned long size) + return ptr; + + new = simple_malloc(size); +- memcpy(new, ptr, p->size); ++ if (new) ++ memcpy(new, ptr, p->size); ++ + simple_free(ptr); + return new; + } +-- +2.43.0 + diff --git a/queue-4.19/powerpc-boot-only-free-if-realloc-succeeds.patch b/queue-4.19/powerpc-boot-only-free-if-realloc-succeeds.patch new file mode 100644 index 00000000000..27cc3796608 --- /dev/null +++ b/queue-4.19/powerpc-boot-only-free-if-realloc-succeeds.patch @@ -0,0 +1,43 @@ +From f7e392f464dc1026793bc9358b9e1d7017d2bdeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Feb 2024 22:51:49 +1100 +Subject: powerpc/boot: Only free if realloc() succeeds + +From: Michael Ellerman + +[ Upstream commit f2d5bccaca3e8c09c9b9c8485375f7bdbb2631d2 ] + +simple_realloc() frees the original buffer (ptr) even if the +reallocation failed. + +Fix it to behave like standard realloc() and only free the original +buffer if the reallocation succeeded. + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240229115149.749264-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/simple_alloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c +index 188c4f996512a..bc99f75b8582d 100644 +--- a/arch/powerpc/boot/simple_alloc.c ++++ b/arch/powerpc/boot/simple_alloc.c +@@ -114,10 +114,11 @@ static void *simple_realloc(void *ptr, unsigned long size) + return ptr; + + new = simple_malloc(size); +- if (new) ++ if (new) { + memcpy(new, ptr, p->size); ++ simple_free(ptr); ++ } + +- simple_free(ptr); + return new; + } + +-- +2.43.0 + diff --git a/queue-4.19/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch b/queue-4.19/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch new file mode 100644 index 00000000000..14b074c64bd --- /dev/null +++ b/queue-4.19/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch @@ -0,0 +1,38 @@ +From e4437cfaf219608d9a4824ed4c2c83fbfcfaad5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 11:06:51 +0800 +Subject: powerpc/xics: Check return value of kasprintf in + icp_native_map_one_cpu + +From: Kunwu Chan + +[ Upstream commit 45b1ba7e5d1f6881050d558baf9bc74a2ae13930 ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. Ensure the allocation was successful +by checking the pointer validity. + +Signed-off-by: Kunwu Chan +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231122030651.3818-1-chentao@kylinos.cn +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xics/icp-native.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/sysdev/xics/icp-native.c b/arch/powerpc/sysdev/xics/icp-native.c +index 340de58a15bd6..71278d554715d 100644 +--- a/arch/powerpc/sysdev/xics/icp-native.c ++++ b/arch/powerpc/sysdev/xics/icp-native.c +@@ -240,6 +240,8 @@ static int __init icp_native_map_one_cpu(int hw_id, unsigned long addr, + rname = kasprintf(GFP_KERNEL, "CPU %d [0x%x] Interrupt Presentation", + cpu, hw_id); + ++ if (!rname) ++ return -ENOMEM; + if (!request_mem_region(addr, size, rname)) { + pr_warn("icp_native: Could not reserve ICP MMIO for CPU %d, interrupt server #0x%x\n", + cpu, hw_id); +-- +2.43.0 + diff --git a/queue-4.19/quota-remove-bug_on-from-dqget.patch b/queue-4.19/quota-remove-bug_on-from-dqget.patch new file mode 100644 index 00000000000..ce2508cb89c --- /dev/null +++ b/queue-4.19/quota-remove-bug_on-from-dqget.patch @@ -0,0 +1,40 @@ +From bd5b304beb9a2a127aec0840c9fc1dd730241a33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 13:34:08 +0200 +Subject: quota: Remove BUG_ON from dqget() + +From: Jan Kara + +[ Upstream commit 249f374eb9b6b969c64212dd860cc1439674c4a8 ] + +dqget() checks whether dquot->dq_sb is set when returning it using +BUG_ON. Firstly this doesn't work as an invalidation check for quite +some time (we release dquot with dq_sb set these days), secondly using +BUG_ON is quite harsh. Use WARN_ON_ONCE and check whether dquot is still +hashed instead. + +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 6bdb44fb07a7f..a470bb4e00f18 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -985,9 +985,8 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid) + * smp_mb__before_atomic() in dquot_acquire(). + */ + smp_rmb(); +-#ifdef CONFIG_QUOTA_DEBUG +- BUG_ON(!dquot->dq_sb); /* Has somebody invalidated entry under us? */ +-#endif ++ /* Has somebody invalidated entry under us? */ ++ WARN_ON_ONCE(hlist_unhashed(&dquot->dq_hash)); + out: + if (empty) + do_destroy_dquot(empty); +-- +2.43.0 + diff --git a/queue-4.19/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch b/queue-4.19/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch new file mode 100644 index 00000000000..17416b8900a --- /dev/null +++ b/queue-4.19/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch @@ -0,0 +1,38 @@ +From e9a13be48897f9e4e4a2f2b129259d3413b03b9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 13:13:26 +0100 +Subject: s390/iucv: fix receive buffer virtual vs physical address confusion + +From: Alexander Gordeev + +[ Upstream commit 4e8477aeb46dfe74e829c06ea588dd00ba20c8cc ] + +Fix IUCV_IPBUFLST-type buffers virtual vs physical address confusion. +This does not fix a bug since virtual and physical address spaces are +currently the same. + +Signed-off-by: Alexander Gordeev +Reviewed-by: Alexandra Winter +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + net/iucv/iucv.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c +index 2f82a6f0992e4..b1ecf008fa507 100644 +--- a/net/iucv/iucv.c ++++ b/net/iucv/iucv.c +@@ -1149,8 +1149,7 @@ static int iucv_message_receive_iprmdata(struct iucv_path *path, + size = (size < 8) ? size : 8; + for (array = buffer; size > 0; array++) { + copy = min_t(size_t, size, array->length); +- memcpy((u8 *)(addr_t) array->address, +- rmmsg, copy); ++ memcpy(phys_to_virt(array->address), rmmsg, copy); + rmmsg += copy; + size -= copy; + } +-- +2.43.0 + diff --git a/queue-4.19/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch b/queue-4.19/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch new file mode 100644 index 00000000000..93fdf316b2e --- /dev/null +++ b/queue-4.19/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch @@ -0,0 +1,41 @@ +From 92307cd1d652d7d1129d92016ef75805804f2080 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 10:50:56 -0800 +Subject: scsi: lpfc: Initialize status local variable in + lpfc_sli4_repost_sgl_list() + +From: Justin Tee + +[ Upstream commit 3d0f9342ae200aa1ddc4d6e7a573c6f8f068d994 ] + +A static code analyzer tool indicates that the local variable called status +in the lpfc_sli4_repost_sgl_list() routine could be used to print garbage +uninitialized values in the routine's log message. + +Fix by initializing to zero. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240131185112.149731-2-justintee8345@gmail.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index e72fc88aeb40e..9da9d5ee0b8ef 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -6597,7 +6597,7 @@ lpfc_sli4_repost_sgl_list(struct lpfc_hba *phba, + struct lpfc_sglq *sglq_entry = NULL; + struct lpfc_sglq *sglq_entry_next = NULL; + struct lpfc_sglq *sglq_entry_first = NULL; +- int status, total_cnt; ++ int status = 0, total_cnt; + int post_cnt = 0, num_posted = 0, block_cnt = 0; + int last_xritag = NO_XRI; + LIST_HEAD(prep_sgl_list); +-- +2.43.0 + diff --git a/queue-4.19/serial-pch-don-t-disable-interrupts-while-acquiring-.patch b/queue-4.19/serial-pch-don-t-disable-interrupts-while-acquiring-.patch new file mode 100644 index 00000000000..9eab811f3e2 --- /dev/null +++ b/queue-4.19/serial-pch-don-t-disable-interrupts-while-acquiring-.patch @@ -0,0 +1,52 @@ +From 5256e661321670d7aff0456bc2028f8309b6098f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 22:45:28 +0100 +Subject: serial: pch: Don't disable interrupts while acquiring lock in ISR. + +From: Sebastian Andrzej Siewior + +[ Upstream commit f8ff23ebce8c305383c8070e1ea3b08a69eb1e8d ] + +The interrupt service routine is always invoked with disabled +interrupts. + +Remove the _irqsave() from the locking functions in the interrupts +service routine/ pch_uart_interrupt(). + +Signed-off-by: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/20240301215246.891055-16-bigeasy@linutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/pch_uart.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c +index 4b035d61b280a..99375814be8b9 100644 +--- a/drivers/tty/serial/pch_uart.c ++++ b/drivers/tty/serial/pch_uart.c +@@ -1093,11 +1093,10 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id) + u8 lsr; + int ret = 0; + unsigned char iid; +- unsigned long flags; + int next = 1; + u8 msr; + +- spin_lock_irqsave(&priv->lock, flags); ++ spin_lock(&priv->lock); + handled = 0; + while (next) { + iid = pch_uart_hal_get_iid(priv); +@@ -1157,7 +1156,7 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id) + handled |= (unsigned int)ret; + } + +- spin_unlock_irqrestore(&priv->lock, flags); ++ spin_unlock(&priv->lock); + return IRQ_RETVAL(handled); + } + +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 320d6dd18ac..2d1938215d7 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -22,3 +22,31 @@ binfmt_misc-cleanup-on-filesystem-umount.patch scsi-spi-fix-sshdr-use.patch gfs2-setattr_chown-add-missing-initialization.patch wifi-iwlwifi-abort-scan-when-rfkill-on-but-device-en.patch +powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch +ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch +quota-remove-bug_on-from-dqget.patch +media-pci-cx23885-check-cx23885_vdev_init-return.patch +fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch +scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch +net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch +md-clean-up-invalid-bug_on-in-md_ioctl.patch +parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch +serial-pch-don-t-disable-interrupts-while-acquiring-.patch +powerpc-boot-handle-allocation-failure-in-simple_rea.patch +powerpc-boot-only-free-if-realloc-succeeds.patch +btrfs-change-bug_on-to-assertion-when-checking-for-d.patch +btrfs-handle-invalid-root-reference-found-in-may_des.patch +btrfs-send-handle-unexpected-data-in-header-buffer-i.patch +btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch +f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch +usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch +bluetooth-bnep-fix-out-of-bound-access.patch +nfs-avoid-infinite-loop-in-pnfs_update_layout.patch +openrisc-call-setup_memory-earlier-in-the-init-seque.patch +s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch +usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch +fbdev-offb-replace-of_node_put-with-__free-device_no.patch +irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch +ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch +nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch +hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch diff --git a/queue-4.19/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch b/queue-4.19/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch new file mode 100644 index 00000000000..48adf1a5ca7 --- /dev/null +++ b/queue-4.19/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch @@ -0,0 +1,71 @@ +From dc8271f07aa961dd74fa00f6b3924cb19e37366c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Apr 2024 10:18:55 +0530 +Subject: usb: dwc3: core: Skip setting event buffers for host only controllers + +From: Krishna Kurapati + +[ Upstream commit 89d7f962994604a3e3d480832788d06179abefc5 ] + +On some SoC's like SA8295P where the tertiary controller is host-only +capable, GEVTADDRHI/LO, GEVTSIZ, GEVTCOUNT registers are not accessible. +Trying to access them leads to a crash. + +For DRD/Peripheral supported controllers, event buffer setup is done +again in gadget_pullup. Skip setup or cleanup of event buffers if +controller is host-only capable. + +Suggested-by: Johan Hovold +Signed-off-by: Krishna Kurapati +Acked-by: Thinh Nguyen +Reviewed-by: Johan Hovold +Reviewed-by: Bjorn Andersson +Tested-by: Johan Hovold +Link: https://lore.kernel.org/r/20240420044901.884098-4-quic_kriskura@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index fd82904e14657..b14e06ee831bc 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -372,6 +372,13 @@ static void dwc3_free_event_buffers(struct dwc3 *dwc) + static int dwc3_alloc_event_buffers(struct dwc3 *dwc, unsigned length) + { + struct dwc3_event_buffer *evt; ++ unsigned int hw_mode; ++ ++ hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0); ++ if (hw_mode == DWC3_GHWPARAMS0_MODE_HOST) { ++ dwc->ev_buf = NULL; ++ return 0; ++ } + + evt = dwc3_alloc_one_event_buffer(dwc, length); + if (IS_ERR(evt)) { +@@ -393,6 +400,9 @@ int dwc3_event_buffers_setup(struct dwc3 *dwc) + { + struct dwc3_event_buffer *evt; + ++ if (!dwc->ev_buf) ++ return 0; ++ + evt = dwc->ev_buf; + evt->lpos = 0; + dwc3_writel(dwc->regs, DWC3_GEVNTADRLO(0), +@@ -410,6 +420,9 @@ void dwc3_event_buffers_cleanup(struct dwc3 *dwc) + { + struct dwc3_event_buffer *evt; + ++ if (!dwc->ev_buf) ++ return; ++ + evt = dwc->ev_buf; + + evt->lpos = 0; +-- +2.43.0 + diff --git a/queue-4.19/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch b/queue-4.19/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch new file mode 100644 index 00000000000..abf2bc9a339 --- /dev/null +++ b/queue-4.19/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch @@ -0,0 +1,40 @@ +From 55a787fc7c9d7dd0332debd7bd60f34a60cf2aee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 18:33:16 +0100 +Subject: usb: gadget: fsl: Increase size of name buffer for endpoints +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 87850f6cc20911e35eafcbc1d56b0d649ae9162d ] + +This fixes a W=1 warning about sprintf writing up to 16 bytes into a +buffer of size 14. There is no practical relevance because there are not +more than 32 endpoints. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/6754df25c56aae04f8110594fad2cd2452b1862a.1708709120.git.u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fsl_udc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c +index 367697144cda2..b86f86902f55e 100644 +--- a/drivers/usb/gadget/udc/fsl_udc_core.c ++++ b/drivers/usb/gadget/udc/fsl_udc_core.c +@@ -2501,7 +2501,7 @@ static int fsl_udc_probe(struct platform_device *pdev) + /* setup the udc->eps[] for non-control endpoints and link + * to gadget.ep_list */ + for (i = 1; i < (int)(udc_controller->max_ep / 2); i++) { +- char name[14]; ++ char name[16]; + + sprintf(name, "ep%dout", i); + struct_ep_setup(udc_controller, i * 2, name, 1); +-- +2.43.0 +