From: Sasha Levin
Date: Fri, 25 Nov 2022 18:03:06 +0000 (-0500)
Subject: Fixes for 4.14
X-Git-Tag: v5.15.80~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fab8b8895336b0b9f31068e4bbd873da95eb4e98;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.14

Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch b/queue-4.14/audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch
new file mode 100644
index 00000000000..43cf737cd4e
--- /dev/null
+++ b/queue-4.14/audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch
@@ -0,0 +1,52 @@
+From 6e02849f25c84433c76db9b5b20f8dac055477e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Oct 2022 10:10:21 +0800
+Subject: audit: fix undefined behavior in bit shift for AUDIT_BIT
+
+From: Gaosheng Cui
+
+[ Upstream commit 986d93f55bdeab1cac858d1e47b41fac10b2d7f6 ]
+
+Shifting signed 32-bit value by 31 bits is undefined, so changing
+significant bit to unsigned. The UBSAN warning calltrace like below:
+
+UBSAN: shift-out-of-bounds in kernel/auditfilter.c:179:23
+left shift of 1 by 31 places cannot be represented in type 'int'
+Call Trace:
+
+ dump_stack_lvl+0x7d/0xa5
+ dump_stack+0x15/0x1b
+ ubsan_epilogue+0xe/0x4e
+ __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
+ audit_register_class+0x9d/0x137
+ audit_classes_init+0x4d/0xb8
+ do_one_initcall+0x76/0x430
+ kernel_init_freeable+0x3b3/0x422
+ kernel_init+0x24/0x1e0
+ ret_from_fork+0x1f/0x30
+
+
+Signed-off-by: Gaosheng Cui
+[PM: remove bad 'Fixes' tag as issue predates git, added in v2.6.6-rc1]
+Signed-off-by: Paul Moore
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/audit.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
+index 7668582db6ba..68847af5e16d 100644
+--- a/include/uapi/linux/audit.h
++++ b/include/uapi/linux/audit.h
+@@ -172,7 +172,7 @@
+ #define AUDIT_MAX_KEY_LEN 256
+ #define AUDIT_BITMASK_SIZE 64
+ #define AUDIT_WORD(nr) ((__u32)((nr)/32))
+-#define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32))
++#define AUDIT_BIT(nr) (1U << ((nr) - AUDIT_WORD(nr)*32))
+
+ #define AUDIT_SYSCALL_CLASSES 16
+ #define AUDIT_CLASS_DIR_WRITE 0
+--
+2.35.1
+
diff --git a/queue-4.14/mips-pic32-treat-port-as-signed-integer.patch b/queue-4.14/mips-pic32-treat-port-as-signed-integer.patch
new file mode 100644
index 00000000000..ee95099b23a
--- /dev/null
+++ b/queue-4.14/mips-pic32-treat-port-as-signed-integer.patch
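Review bot: The shift count in `AUDIT_BIT(nr)` is still only well defined for a non-negative `nr`; with a negative argument `(nr) - AUDIT_WORD(nr)*32` is converted to a large unsigned value and the shift is undefined again. This is a UAPI macro and its callers are not visible in the hunk, so I would document the contract next to it, for example `/* nr must be in [0, AUDIT_BITMASK_SIZE * 32) */`. The result type also changes from int to unsigned int, so `AUDIT_BIT(31)` no longer sign-extends when widened to a 64-bit type; that looks intended, but any user that stored the old value in a wider type should be checked.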
@@ -0,0 +1,105 @@
+From 5162c85735f190662cc7b4313805a7becf435e0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Oct 2022 15:23:44 +0200
+Subject: MIPS: pic32: treat port as signed integer
+
+From: Jason A. Donenfeld
+
+[ Upstream commit 648060902aa302331b5d6e4f26d8ee0761d239ab ]
+
+get_port_from_cmdline() returns an int, yet is assigned to a char, which
+is wrong in its own right, but also, with char becoming unsigned, this
+poses problems, because -1 is used as an error value. Further
+complicating things, fw_init_early_console() is only ever called with a
+-1 argument. Fix this up by removing the unused argument from
+fw_init_early_console() and treating port as a proper signed integer.
+
+Cc: Thomas Bogendoerfer
+Signed-off-by: Jason A. Donenfeld
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/fw/fw.h | 2 +-
+ arch/mips/pic32/pic32mzda/early_console.c | 13 ++++++-------
+ arch/mips/pic32/pic32mzda/init.c | 2 +-
+ 3 files changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/arch/mips/include/asm/fw/fw.h b/arch/mips/include/asm/fw/fw.h
+index d0ef8b4892bb..d0494ce4b337 100644
+--- a/arch/mips/include/asm/fw/fw.h
++++ b/arch/mips/include/asm/fw/fw.h
+@@ -26,6 +26,6 @@ extern char *fw_getcmdline(void);
+ extern void fw_meminit(void);
+ extern char *fw_getenv(char *name);
+ extern unsigned long fw_getenvl(char *name);
+-extern void fw_init_early_console(char port);
++extern void fw_init_early_console(void);
+
+ #endif /* __ASM_FW_H_ */
+diff --git a/arch/mips/pic32/pic32mzda/early_console.c b/arch/mips/pic32/pic32mzda/early_console.c
+index d7b783463fac..4933c5337059 100644
+--- a/arch/mips/pic32/pic32mzda/early_console.c
++++ b/arch/mips/pic32/pic32mzda/early_console.c
+@@ -34,7 +34,7 @@
+ #define U_BRG(x) (UART_BASE(x) + 0x40)
+
+ static void __iomem *uart_base;
+-static char console_port = -1;
++static int console_port = -1;
+
+ static int __init configure_uart_pins(int port)
+ {
+@@ -54,7 +54,7 @@
static int __init configure_uart_pins(int port)
+ return 0;
+ }
+
+-static void __init configure_uart(char port, int baud)
++static void __init configure_uart(int port, int baud)
+ {
+ u32 pbclk;
+
+@@ -67,7 +67,7 @@ static void __init configure_uart(char port, int baud)
+ uart_base + PIC32_SET(U_STA(port)));
+ }
+
+-static void __init setup_early_console(char port, int baud)
++static void __init setup_early_console(int port, int baud)
+ {
+ if (configure_uart_pins(port))
+ return;
+@@ -137,16 +137,15 @@ static int __init get_baud_from_cmdline(char *arch_cmdline)
+ return baud;
+ }
+
+-void __init fw_init_early_console(char port)
++void __init fw_init_early_console(void)
+ {
+ char *arch_cmdline = pic32_getcmdline();
+- int baud = -1;
++ int baud, port;
+
+ uart_base = ioremap_nocache(PIC32_BASE_UART, 0xc00);
+
+ baud = get_baud_from_cmdline(arch_cmdline);
+- if (port == -1)
+- port = get_port_from_cmdline(arch_cmdline);
++ port = get_port_from_cmdline(arch_cmdline);
+
+ if (port == -1)
+ port = EARLY_CONSOLE_PORT;
+diff --git a/arch/mips/pic32/pic32mzda/init.c b/arch/mips/pic32/pic32mzda/init.c
+index 406c6c5cec29..cf2625551b45 100644
+--- a/arch/mips/pic32/pic32mzda/init.c
++++ b/arch/mips/pic32/pic32mzda/init.c
+@@ -68,7 +68,7 @@ void __init plat_mem_setup(void)
+ strlcpy(arcs_cmdline, boot_command_line, COMMAND_LINE_SIZE);
+
+ #ifdef CONFIG_EARLY_PRINTK
+- fw_init_early_console(-1);
++ fw_init_early_console();
+ #endif
+ pic32_config_init();
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index e69de29bb2d..e52eb4921a9 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -0,0 +1,5 @@
+wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch
+audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch
+wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch
+spi-stm32-fix-stm32_spi_prepare_mbr-that-halves-spi-.patch
+mips-pic32-treat-port-as-signed-integer.patch
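Review bot: The `-1` sentinel that caused this bug is still undocumented at `static int console_port = -1;` and at the `if (port == -1)` test in `fw_init_early_console()`, so nothing tells the next reader that these variables must stay signed. I would add a comment above the declaration such as `/* -1 = no port selected; keep signed, get_port_from_cmdline() returns int */`. The value taken from the command line is passed on without a range check in the visible lines. `setup_early_console()` does return early when `configure_uart_pins(port)` fails, but that function's body and the rest of `fw_init_early_console()` lie outside the hunks, so it should be confirmed that every out-of-range port is rejected there before it reaches the `U_STA(port)`/`U_BRG(port)` register offsets.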
diff --git a/queue-4.14/spi-stm32-fix-stm32_spi_prepare_mbr-that-halves-spi-.patch b/queue-4.14/spi-stm32-fix-stm32_spi_prepare_mbr-that-halves-spi-.patch
new file mode 100644
index 00000000000..3db50b02721
--- /dev/null
+++ b/queue-4.14/spi-stm32-fix-stm32_spi_prepare_mbr-that-halves-spi-.patch
@@ -0,0 +1,51 @@
+From b9484b02e7157d1ce0038b6762b7d0c100e38629 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Nov 2022 09:00:42 +0100
+Subject: spi: stm32: fix stm32_spi_prepare_mbr() that halves spi clk for every
+ run
+
+From: Sean Nyekjaer
+
+[ Upstream commit 62aa1a344b0904549f6de7af958e8a1136fd5228 ]
+
+When this driver is used with a driver that uses preallocated spi_transfer
+structs. The speed_hz is halved by every run. This results in:
+
+spi_stm32 44004000.spi: SPI transfer setup failed
+ads7846 spi0.0: SPI transfer failed: -22
+
+Example when running with DIV_ROUND_UP():
+- First run; speed_hz = 1000000, spi->clk_rate 125000000
+ div 125 -> mbrdiv = 7, cur_speed = 976562
+- Second run; speed_hz = 976562
+ div 128,00007 (roundup to 129) -> mbrdiv = 8, cur_speed = 488281
+- Third run; speed_hz = 488281
+ div 256,000131072067109 (roundup to 257) and then -EINVAL is returned.
+
+Use DIV_ROUND_CLOSEST to allow to round down and allow us to keep the
+set speed.
+
+Signed-off-by: Sean Nyekjaer
+Link: https://lore.kernel.org/r/20221103080043.3033414-1-sean@geanix.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-stm32.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c
+index c8e546439fff..87502f39bc4f 100644
+--- a/drivers/spi/spi-stm32.c
++++ b/drivers/spi/spi-stm32.c
+@@ -255,7 +255,7 @@ static int stm32_spi_prepare_mbr(struct stm32_spi *spi, u32 speed_hz)
+ u32 div, mbrdiv;
+
+ /* Ensure spi->clk_rate is even */
+- div = DIV_ROUND_UP(spi->clk_rate & ~0x1, speed_hz);
++ div = DIV_ROUND_CLOSEST(spi->clk_rate & ~0x1, speed_hz);
+
+ /*
+ * SPI framework set xfer->speed_hz to master->max_speed_hz if
+--
+2.35.1
+
diff --git a/queue-4.14/wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch b/queue-4.14/wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch
new file mode 100644
index 00000000000..7fa2bdf3ec6
--- /dev/null
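Review bot: `DIV_ROUND_CLOSEST(spi->clk_rate & ~0x1, speed_hz)` can round the divider down, so the resulting bus clock may come out slightly above the requested `speed_hz`, which `DIV_ROUND_UP` never allowed. How `div` is turned into `mbrdiv` is outside this hunk, so whether that overshoot reaches the hardware should be confirmed against the rest of `stm32_spi_prepare_mbr()`. I would state the intent in the comment above the line, e.g. `/* round to closest so a speed this function produced maps back to the same divider */`. The division also assumes `speed_hz` is non-zero; the comment that follows suggests the SPI framework bounds it, but that comment is cut off by the hunk.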
+++ b/queue-4.14/wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch
@@ -0,0 +1,42 @@
+From 3d48be7a77916c4553cf72a38cb77568b11a8cce Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Oct 2022 16:01:33 +0200
+Subject: wifi: mac80211: Fix ack frame idr leak when mesh has no route
+
+From: Nicolas Cavallari
+
+[ Upstream commit 39e7b5de9853bd92ddbfa4b14165babacd7da0ba ]
+
+When trying to transmit an data frame with tx_status to a destination
+that have no route in the mesh, then it is dropped without recrediting
+the ack_status_frames idr.
+
+Once it is exhausted, wpa_supplicant starts failing to do SAE with
+NL80211_CMD_FRAME and logs "nl80211: Frame command failed".
+
+Use ieee80211_free_txskb() instead of kfree_skb() to fix it.
+
+Signed-off-by: Nicolas Cavallari
+Link: https://lore.kernel.org/r/20221027140133.1504-1-nicolas.cavallari@green-communications.fr
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mesh_pathtbl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 54d44836dd28..e4c62b0a3fdb 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -793,7 +793,7 @@ int mesh_path_send_to_gates(struct mesh_path *mpath)
+ void mesh_path_discard_frame(struct ieee80211_sub_if_data *sdata,
+ struct sk_buff *skb)
+ {
+- kfree_skb(skb);
++ ieee80211_free_txskb(&sdata->local->hw, skb);
+ sdata->u.mesh.mshstats.dropped_frames_no_route++;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.14/wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch b/queue-4.14/wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch
new file mode 100644
index 00000000000..cdaa3057caf
--- /dev/null
+++ b/queue-4.14/wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch
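Review bot: Nothing in `mesh_path_discard_frame()` records why the frame must be released with `ieee80211_free_txskb()` rather than `kfree_skb()`, and the two calls look interchangeable to anyone tidying this file later. A one-line comment above the call would keep the fix from being undone by accident: `/* not kfree_skb(): the skb may hold an ack_status_frames idr entry that has to be released */`. That rationale comes from the commit message; the helper's body is not part of this patch.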
@@ -0,0 +1,57 @@
+From 0abe9b1461ac82df536e0b53cce50a560f1bbb0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Oct 2022 16:54:39 +0200
+Subject: wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support
+
+From: Jonas Jelonek
+
+[ Upstream commit 69188df5f6e4cecc6b76b958979ba363cd5240e8 ]
+
+Fixes a warning that occurs when rc table support is enabled
+(IEEE80211_HW_SUPPORTS_RC_TABLE) in mac80211_hwsim and the PS mode
+is changed via the exported debugfs attribute.
+
+When the PS mode is changed, a packet is broadcasted via
+hwsim_send_nullfunc by creating and transmitting a plain skb with only
+header initialized. The ieee80211 rate array in the control buffer is
+zero-initialized. When ratetbl support is enabled, ieee80211_get_tx_rates
+is called for the skb with sta parameter set to NULL and thus no
+ratetbl can be used. The final rate array then looks like
+[-1,0; 0,0; 0,0; 0,0] which causes the warning in ieee80211_get_tx_rate.
+
+The issue is fixed by setting the count of the first rate with idx '0'
+to 1 and hence ieee80211_get_tx_rates won't overwrite it with idx '-1'.
+
+Signed-off-by: Jonas Jelonek
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mac80211_hwsim.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 55cca2ffa392..d3905e70b1e9 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -670,6 +670,7 @@ static void hwsim_send_nullfunc(struct mac80211_hwsim_data *data, u8 *mac,
+ struct hwsim_vif_priv *vp = (void *)vif->drv_priv;
+ struct sk_buff *skb;
+ struct ieee80211_hdr *hdr;
++ struct ieee80211_tx_info *cb;
+
+ if (!vp->assoc)
+ return;
+@@ -690,6 +691,10 @@ static void hwsim_send_nullfunc(struct mac80211_hwsim_data *data, u8 *mac,
+ memcpy(hdr->addr2, mac, ETH_ALEN);
+ memcpy(hdr->addr3, vp->bssid, ETH_ALEN);
+
++ cb = IEEE80211_SKB_CB(skb);
++ cb->control.rates[0].count = 1;
++ cb->control.rates[1].idx = -1;
++
+ rcu_read_lock();
+ mac80211_hwsim_tx_frame(data->hw, skb,
+ rcu_dereference(vif->chanctx_conf)->def.chan);
+--
+2.35.1
+
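Review bot: The added assignments in `hwsim_send_nullfunc()` set `rates[0].count = 1` and `rates[1].idx = -1` with no explanation, and they depend on the rest of the control buffer being zero, which the commit message states but the hunks do not show (the skb allocation lies between the two hunks). I would add a comment such as `/* one try at rate idx 0; idx -1 ends the rate list so rate control leaves rates[0] alone */`. If the cb is not guaranteed to be cleared on this path, `rates[0].idx` should also be set to 0 explicitly; that needs confirming against the allocation code.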