From 3957f55e471f9cbf90fff75a8a7961bc00b5c312 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 29 Jun 2024 22:22:22 -0400 Subject: [PATCH] Fixes for 5.15 
Signed-off-by: Sasha Levin --- ...-improve-patch-ioctl-data-validation.patch | 81 ++++++++++++++ ...check-for-struct-bpf_fib_lookup-size.patch | 39 +++++++ ...from-set_memory_ro-into-account-with.patch | 88 +++++++++++++++ ...-ecdh-explicitly-zeroize-private_key.patch | 46 ++++++++ ...-ili9881c-fix-warning-with-gpio-cont.patch | 54 +++++++++ ...-add-missing-display-timing-flags-fo.patch | 40 +++++++ ...n_display-decrease-the-size-of-alloc.patch | 79 +++++++++++++ ...validate-the-obtained-number-of-irqs.patch | 47 ++++++++ ...allow-reconfiguration-without-direct.patch | 88 +++++++++++++++ queue-5.15/media-dvbdev-initialize-sbuf.patch | 42 +++++++ ...edboot-added-conversion-of-operands-.patch | 40 +++++++ ...explicit-cpumask-var-allocation-on-s.patch | 72 ++++++++++++ ...xplicit-cpumask-var-allocation-on-st.patch | 85 ++++++++++++++ ...-comment-for-nvme-rdma-provider-type.patch | 38 +++++++ ...fix-potential-invalid-address-access.patch | 104 ++++++++++++++++++ queue-5.15/series | 19 ++++ ...pc-send-null-dummy-message-instead-o.patch | 71 ++++++++++++ ...y-fail-if-control-queue-feature-requ.patch | 66 +++++++++++ ...lock-features-only-with-block-device.patch | 64 +++++++++++ ...pu-fix-amd-x86_bug_fxsave_leak-fixup.patch | 61 ++++++++++ 20 files changed, 1224 insertions(+) create mode 100644 queue-5.15/alsa-emux-improve-patch-ioctl-data-validation.patch create mode 100644 queue-5.15/bpf-add-a-check-for-struct-bpf_fib_lookup-size.patch create mode 100644 queue-5.15/bpf-take-return-from-set_memory_ro-into-account-with.patch create mode 100644 queue-5.15/crypto-ecdh-explicitly-zeroize-private_key.patch create mode 100644 queue-5.15/drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch create mode 100644 queue-5.15/drm-panel-simple-add-missing-display-timing-flags-fo.patch create mode 100644 queue-5.15/drm-radeon-radeon_display-decrease-the-size-of-alloc.patch create mode 100644 queue-5.15/gpio-davinci-validate-the-obtained-number-of-irqs.patch create mode 100644 
queue-5.15/gpiolib-cdev-disallow-reconfiguration-without-direct.patch create mode 100644 queue-5.15/media-dvbdev-initialize-sbuf.patch create mode 100644 queue-5.15/mtd-partitions-redboot-added-conversion-of-operands-.patch create mode 100644 queue-5.15/net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch create mode 100644 queue-5.15/net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch create mode 100644 queue-5.15/nvme-fixup-comment-for-nvme-rdma-provider-type.patch create mode 100644 queue-5.15/rdma-restrack-fix-potential-invalid-address-access.patch create mode 100644 queue-5.15/soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch create mode 100644 queue-5.15/vduse-temporarily-fail-if-control-queue-feature-requ.patch create mode 100644 queue-5.15/vduse-validate-block-features-only-with-block-device.patch create mode 100644 queue-5.15/x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch diff --git a/queue-5.15/alsa-emux-improve-patch-ioctl-data-validation.patch b/queue-5.15/alsa-emux-improve-patch-ioctl-data-validation.patch new file mode 100644 index 00000000000..75724938420 --- /dev/null +++ b/queue-5.15/alsa-emux-improve-patch-ioctl-data-validation.patch 
@@ -0,0 +1,81 @@ +From 6e6132890c408932f48ffc8b43b8ff3e16fc4f37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Apr 2024 08:48:20 +0200 +Subject: ALSA: emux: improve patch ioctl data validation + +From: Oswald Buddenhagen + +[ Upstream commit 89b32ccb12ae67e630c6453d778ec30a592a212f ] + +In load_data(), make the validation of and skipping over the main info +block match that in load_guspatch(). + +In load_guspatch(), add checking that the specified patch length matches +the actually supplied data, like load_data() already did. + +Signed-off-by: Oswald Buddenhagen +Message-ID: <20240406064830.1029573-8-oswald.buddenhagen@gmx.de> +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/synth/emux/soundfont.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/sound/synth/emux/soundfont.c b/sound/synth/emux/soundfont.c +index 16f00097cb95a..eed47e4830248 100644 +--- a/sound/synth/emux/soundfont.c ++++ b/sound/synth/emux/soundfont.c +@@ -701,7 +701,6 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count) + struct snd_soundfont *sf; + struct soundfont_sample_info sample_info; + struct snd_sf_sample *sp; +- long off; + + /* patch must be opened */ + sf = sflist->currsf; +@@ -711,12 +710,16 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count) + if (is_special_type(sf->type)) + return -EINVAL; + ++ if (count < (long)sizeof(sample_info)) { ++ return -EINVAL; ++ } + if (copy_from_user(&sample_info, data, sizeof(sample_info))) + return -EFAULT; ++ data += sizeof(sample_info); ++ count -= sizeof(sample_info); + +- off = sizeof(sample_info); +- +- if (sample_info.size != (count-off)/2) ++ // SoundFont uses S16LE samples. 
++ if (sample_info.size * 2 != count) + return -EINVAL; + + /* Check for dup */ +@@ -744,7 +747,7 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count) + int rc; + rc = sflist->callback.sample_new + (sflist->callback.private_data, sp, sflist->memhdr, +- data + off, count - off); ++ data, count); + if (rc < 0) { + sf_sample_delete(sflist, sf, sp); + return rc; +@@ -957,10 +960,12 @@ load_guspatch(struct snd_sf_list *sflist, const char __user *data, + } + if (copy_from_user(&patch, data, sizeof(patch))) + return -EFAULT; +- + count -= sizeof(patch); + data += sizeof(patch); + ++ if ((patch.len << (patch.mode & WAVE_16_BITS ? 1 : 0)) != count) ++ return -EINVAL; ++ + sf = newsf(sflist, SNDRV_SFNT_PAT_TYPE_GUS|SNDRV_SFNT_PAT_SHARED, NULL); + if (sf == NULL) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-5.15/bpf-add-a-check-for-struct-bpf_fib_lookup-size.patch b/queue-5.15/bpf-add-a-check-for-struct-bpf_fib_lookup-size.patch new file mode 100644 index 00000000000..4720d7dbb33 --- /dev/null +++ b/queue-5.15/bpf-add-a-check-for-struct-bpf_fib_lookup-size.patch 
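Review bot: In load_data() the new length test `if (sample_info.size * 2 != count)` multiplies a field just copied from userspace before comparing it with `count`, so if `size` is a 32-bit signed int (its declaration is outside the hunk) a negative or very large value can wrap and still match. Rejecting out-of-range values first and doing the arithmetic in `long` would close that, e.g. `if (sample_info.size < 0 || (long)sample_info.size * 2 != count)`. The same concern applies to the load_guspatch() hunk, where `(patch.len << (patch.mode & WAVE_16_BITS ? 1 : 0)) != count` shifts an unvalidated user-supplied length. Both function bodies continue outside the hunks. Minor style: the braces around the single `return -EINVAL;` and the `//` comment differ from the `/* */` style of the surrounding context lines.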
@@ -0,0 +1,39 @@
+From 46c641eba91283511396513a0376a76897b2dc83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Mar 2024 10:17:42 +0000
+Subject: bpf: Add a check for struct bpf_fib_lookup size
+
+From: Anton Protopopov
+
+[ Upstream commit 59b418c7063d30e0a3e1f592d47df096db83185c ]
+
+The struct bpf_fib_lookup should not grow outside of its 64 bytes.
+Add a static assert to validate this.
+
+Suggested-by: David Ahern
+Signed-off-by: Anton Protopopov
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/20240326101742.17421-4-aspsk@isovalent.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ net/core/filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 47eb1bd47aa6e..a873c8fd51b67 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -79,6 +79,9 @@
+ #include
+ #include
+
++/* Keep the struct bpf_fib_lookup small so that it fits into a cacheline */
++static_assert(sizeof(struct bpf_fib_lookup) == 64, "struct bpf_fib_lookup size check");
++
+ static const struct bpf_func_proto *
+ bpf_sk_base_func_proto(enum bpf_func_id func_id);
+
+--
+2.43.0
+
diff --git a/queue-5.15/bpf-take-return-from-set_memory_ro-into-account-with.patch b/queue-5.15/bpf-take-return-from-set_memory_ro-into-account-with.patch
new file mode 100644
index 00000000000..7dcb37480c2
--- /dev/null
+++ b/queue-5.15/bpf-take-return-from-set_memory_ro-into-account-with.patch
@@ -0,0 +1,88 @@ +From d0e0956f1504bddc846091ada744beab37e71e22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 06:38:07 +0100 +Subject: bpf: Take return from set_memory_ro() into account with + bpf_prog_lock_ro() + +From: Christophe Leroy + +[ Upstream commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 ] + +set_memory_ro() can fail, leaving memory unprotected. + +Check its return and take it into account as an error. + +Link: https://github.com/KSPP/linux/issues/7 +Signed-off-by: Christophe Leroy +Cc: linux-hardening@vger.kernel.org +Reviewed-by: Kees Cook +Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu> +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/filter.h | 5 +++-- + kernel/bpf/core.c | 4 +++- + kernel/bpf/verifier.c | 8 ++++++-- + 3 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index af0103bebb7bf..9cb3558683393 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -875,14 +875,15 @@ bpf_ctx_narrow_access_offset(u32 off, u32 size, u32 size_default) + + #define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0])) + +-static inline void bpf_prog_lock_ro(struct bpf_prog *fp) ++static inline int __must_check bpf_prog_lock_ro(struct bpf_prog *fp) + { + #ifndef CONFIG_BPF_JIT_ALWAYS_ON + if (!fp->jited) { + set_vm_flush_reset_perms(fp); +- set_memory_ro((unsigned long)fp, fp->pages); ++ return set_memory_ro((unsigned long)fp, fp->pages); + } + #endif ++ return 0; + } + + static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr) +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 36c2896ee45f4..f36f7b71dc07b 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -1940,7 +1940,9 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err) + } + + finalize: +- bpf_prog_lock_ro(fp); ++ *err = bpf_prog_lock_ro(fp); ++ if (*err) ++ 
return fp; + + /* The tail call compatibility check can only be done at + * this late stage as we need to determine, if we deal +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 07ca1157f97cf..b9f63c4b8598c 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -12812,10 +12812,14 @@ static int jit_subprogs(struct bpf_verifier_env *env) + * bpf_prog_load will add the kallsyms for the main program. + */ + for (i = 1; i < env->subprog_cnt; i++) { +- bpf_prog_lock_ro(func[i]); +- bpf_prog_kallsyms_add(func[i]); ++ err = bpf_prog_lock_ro(func[i]); ++ if (err) ++ goto out_free; + } + ++ for (i = 1; i < env->subprog_cnt; i++) ++ bpf_prog_kallsyms_add(func[i]); ++ + /* Last step: make now unused interpreter insns from main + * prog consistent for later dump requests, so they can + * later look the same as if they were interpreted only. +-- +2.43.0 + diff --git a/queue-5.15/crypto-ecdh-explicitly-zeroize-private_key.patch b/queue-5.15/crypto-ecdh-explicitly-zeroize-private_key.patch new file mode 100644 index 00000000000..a87228818f5 --- /dev/null +++ b/queue-5.15/crypto-ecdh-explicitly-zeroize-private_key.patch 
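Review bot: In the kernel/bpf/verifier.c part of the set_memory_ro() patch, the new `goto out_free` in jit_subprogs() can be taken after earlier subprograms have already been made read-only, and the out_free label is outside the hunk, so it is worth confirming that this error path correctly releases programs whose pages are already RO. In bpf_prog_select_runtime() the early `return fp;` hands back a program that failed to lock and skips the tail-call compatibility check below it, which is only safe if every caller tests `*err` before using `fp`; a comment such as `/* fp is not read-only here; callers must check *err */` would make that contract explicit. The context line in include/linux/filter.h also shows `bpf_jit_binary_lock_ro()` still returning `void`; if its body (not visible) calls a set_memory_*() helper, that return value presumably remains unchecked.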
@@ -0,0 +1,46 @@
+From 681352423530110ddf51e788523a08a4310d84b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Mar 2024 11:24:30 -0500
+Subject: crypto: ecdh - explicitly zeroize private_key
+
+From: Joachim Vandersmissen
+
+[ Upstream commit 73e5984e540a76a2ee1868b91590c922da8c24c9 ]
+
+private_key is overwritten with the key parameter passed in by the
+caller (if present), or alternatively a newly generated private key.
+However, it is possible that the caller provides a key (or the newly
+generated key) which is shorter than the previous key. In that
+scenario, some key material from the previous key would not be
+overwritten. The easiest solution is to explicitly zeroize the entire
+private_key array first.
+
+Note that this patch slightly changes the behavior of this function:
+previously, if the ecc_gen_privkey failed, the old private_key would
+remain. Now, the private_key is always zeroized. This behavior is
+consistent with the case where params.key is set and ecc_is_key_valid
+fails.
+
+Signed-off-by: Joachim Vandersmissen
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ crypto/ecdh.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/ecdh.c b/crypto/ecdh.c
+index c6f61c2211dc7..865e76e5a51c4 100644
+--- a/crypto/ecdh.c
++++ b/crypto/ecdh.c
+@@ -33,6 +33,8 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
+ params.key_size > sizeof(u64) * ctx->ndigits)
+ return -EINVAL;
+
++ memset(ctx->private_key, 0, sizeof(ctx->private_key));
++
+ if (!params.key || !params.key_size)
+ return ecc_gen_privkey(ctx->curve_id, ctx->ndigits,
+ ctx->private_key);
+--
+2.43.0
+
diff --git a/queue-5.15/drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch b/queue-5.15/drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch
new file mode 100644
index 00000000000..b85edcedcd3
--- /dev/null
+++ b/queue-5.15/drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch
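Review bot: The added `memset(ctx->private_key, 0, sizeof(ctx->private_key));` in ecdh_set_secret() clears key material with a plain memset; since this is a secret, `memzero_explicit(ctx->private_key, sizeof(ctx->private_key));` states the intent and cannot be elided by the compiler. The store is unlikely to be dropped here because `ctx` outlives the call, so this is a hardening and consistency point rather than a demonstrated leak. As the commit message notes, a failing ecc_gen_privkey() now leaves an all-zero key in the context; a one-line comment above the memset saying so would help, and callers (outside the hunk) should treat the error as leaving no usable key. The body of ecdh_set_secret() starts and ends outside the hunk.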
@@ -0,0 +1,54 @@
+From 1321321c2f01212b1a93b92acc3284b8d804991b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 17 Mar 2024 17:48:39 +0200
+Subject: drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that
+ sleep
+
+From: Laurent Pinchart
+
+[ Upstream commit ee7860cd8b5763017f8dc785c2851fecb7a0c565 ]
+
+The ilitek-ili9881c controls the reset GPIO using the non-sleeping
+gpiod_set_value() function. This complains loudly when the GPIO
+controller needs to sleep. As the caller can sleep, use
+gpiod_set_value_cansleep() to fix the issue.
+
+Signed-off-by: Laurent Pinchart
+Reviewed-by: Neil Armstrong
+Link: https://lore.kernel.org/r/20240317154839.21260-1-laurent.pinchart@ideasonboard.com
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20240317154839.21260-1-laurent.pinchart@ideasonboard.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panel/panel-ilitek-ili9881c.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c
+index 534dd7414d428..917cb322bab1a 100644
+--- a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c
++++ b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c
+@@ -506,10 +506,10 @@ static int ili9881c_prepare(struct drm_panel *panel)
+ msleep(5);
+
+ /* And reset it */
+- gpiod_set_value(ctx->reset, 1);
++ gpiod_set_value_cansleep(ctx->reset, 1);
+ msleep(20);
+
+- gpiod_set_value(ctx->reset, 0);
++ gpiod_set_value_cansleep(ctx->reset, 0);
+ msleep(20);
+
+ for (i = 0; i < ctx->desc->init_length; i++) {
+@@ -564,7 +564,7 @@ static int ili9881c_unprepare(struct drm_panel *panel)
+
+ mipi_dsi_dcs_enter_sleep_mode(ctx->dsi);
+ regulator_disable(ctx->power);
+- gpiod_set_value(ctx->reset, 1);
++ gpiod_set_value_cansleep(ctx->reset, 1);
+
+ return 0;
+ }
+--
+2.43.0
+
diff --git a/queue-5.15/drm-panel-simple-add-missing-display-timing-flags-fo.patch b/queue-5.15/drm-panel-simple-add-missing-display-timing-flags-fo.patch new file mode 100644 index 00000000000..38e9a8c4f12 --- /dev/null +++ b/queue-5.15/drm-panel-simple-add-missing-display-timing-flags-fo.patch @@ -0,0 +1,40 @@ +From de965304d9ebc2cf494bf92f12312f909f254bc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 09:56:12 +0800 +Subject: drm/panel: simple: Add missing display timing flags for KOE + TX26D202VM0BWA + +From: Liu Ying + +[ Upstream commit 37ce99b77762256ec9fda58d58fd613230151456 ] + +KOE TX26D202VM0BWA panel spec indicates the DE signal is active high in +timing chart, so add DISPLAY_FLAGS_DE_HIGH flag in display timing flags. +This aligns display_timing with panel_desc. + +Fixes: 8a07052440c2 ("drm/panel: simple: Add support for KOE TX26D202VM0BWA panel") +Signed-off-by: Liu Ying +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20240624015612.341983-1-victor.liu@nxp.com +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20240624015612.341983-1-victor.liu@nxp.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 0dc4d891fedc2..26c99ffe787cd 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2873,6 +2873,7 @@ static const struct display_timing koe_tx26d202vm0bwa_timing = { + .vfront_porch = { 3, 5, 10 }, + .vback_porch = { 2, 5, 10 }, + .vsync_len = { 5, 5, 5 }, ++ .flags = DISPLAY_FLAGS_DE_HIGH, + }; + + static const struct panel_desc koe_tx26d202vm0bwa = { +-- +2.43.0 + diff --git a/queue-5.15/drm-radeon-radeon_display-decrease-the-size-of-alloc.patch b/queue-5.15/drm-radeon-radeon_display-decrease-the-size-of-alloc.patch new file mode 100644 index 00000000000..12c7c62d254 --- /dev/null 
+++ b/queue-5.15/drm-radeon-radeon_display-decrease-the-size-of-alloc.patch 
@@ -0,0 +1,79 @@ +From d9fd74778cf4214362ce90c8fdceb12bc2e3d262 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Mar 2024 17:34:47 +0100 +Subject: drm/radeon/radeon_display: Decrease the size of allocated memory +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Erick Archer + +[ Upstream commit ae6a233092747e9652eb793d92f79d0820e01c6a ] + +This is an effort to get rid of all multiplications from allocation +functions in order to prevent integer overflows [1] [2]. + +In this case, the memory allocated to store RADEONFB_CONN_LIMIT pointers +to "drm_connector" structures can be avoided. This is because this +memory area is never accessed. + +Also, in the kzalloc function, it is preferred to use sizeof(*pointer) +instead of sizeof(type) due to the type of the variable can change and +one needs not change the former (unlike the latter). + +At the same time take advantage to remove the "#if 0" block, the code +where the removed memory area was accessed, and the RADEONFB_CONN_LIMIT +constant due to now is never used. 
+ +Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] +Link: https://github.com/KSPP/linux/issues/160 [2] +Acked-by: Christian König +Signed-off-by: Erick Archer +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon.h | 1 - + drivers/gpu/drm/radeon/radeon_display.c | 8 +------- + 2 files changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon.h b/drivers/gpu/drm/radeon/radeon.h +index 895776c421d4d..71037061a317b 100644 +--- a/drivers/gpu/drm/radeon/radeon.h ++++ b/drivers/gpu/drm/radeon/radeon.h +@@ -132,7 +132,6 @@ extern int radeon_cik_support; + /* RADEON_IB_POOL_SIZE must be a power of 2 */ + #define RADEON_IB_POOL_SIZE 16 + #define RADEON_DEBUGFS_MAX_COMPONENTS 32 +-#define RADEONFB_CONN_LIMIT 4 + #define RADEON_BIOS_NUM_SCRATCH 8 + + /* internal ring indices */ +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index 6337fad441df3..05c88e41663ee 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -677,7 +677,7 @@ static void radeon_crtc_init(struct drm_device *dev, int index) + struct radeon_device *rdev = dev->dev_private; + struct radeon_crtc *radeon_crtc; + +- radeon_crtc = kzalloc(sizeof(struct radeon_crtc) + (RADEONFB_CONN_LIMIT * sizeof(struct drm_connector *)), GFP_KERNEL); ++ radeon_crtc = kzalloc(sizeof(*radeon_crtc), GFP_KERNEL); + if (radeon_crtc == NULL) + return; + +@@ -703,12 +703,6 @@ static void radeon_crtc_init(struct drm_device *dev, int index) + dev->mode_config.cursor_width = radeon_crtc->max_cursor_width; + dev->mode_config.cursor_height = radeon_crtc->max_cursor_height; + +-#if 0 +- radeon_crtc->mode_set.crtc = &radeon_crtc->base; +- radeon_crtc->mode_set.connectors = (struct drm_connector **)(radeon_crtc + 1); +- radeon_crtc->mode_set.num_connectors = 0; +-#endif +- + if (rdev->is_atom_bios && 
(ASIC_IS_AVIVO(rdev) || radeon_r4xx_atom)) + radeon_atombios_init_crtc(dev, radeon_crtc); + else +-- +2.43.0 + diff --git a/queue-5.15/gpio-davinci-validate-the-obtained-number-of-irqs.patch b/queue-5.15/gpio-davinci-validate-the-obtained-number-of-irqs.patch new file mode 100644 index 00000000000..e591c6e419a --- /dev/null +++ b/queue-5.15/gpio-davinci-validate-the-obtained-number-of-irqs.patch @@ -0,0 +1,47 @@ +From 8e062244a4e93d6914bee9251d735fe9f4cd78cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jun 2024 17:43:44 +0300 +Subject: gpio: davinci: Validate the obtained number of IRQs + +From: Aleksandr Mishin + +[ Upstream commit 7aa9b96e9a73e4ec1771492d0527bd5fc5ef9164 ] + +Value of pdata->gpio_unbanked is taken from Device Tree. In case of broken +DT due to any error this value can be any. Without this value validation +there can be out of chips->irqs array boundaries access in +davinci_gpio_probe(). + +Validate the obtained nirq value so that it won't exceed the maximum +number of IRQs per bank. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: eb3744a2dd01 ("gpio: davinci: Do not assume continuous IRQ numbering") +Signed-off-by: Aleksandr Mishin +Link: https://lore.kernel.org/r/20240618144344.16943-1-amishin@t-argos.ru +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-davinci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpio/gpio-davinci.c b/drivers/gpio/gpio-davinci.c +index 0214244e9f01f..d691e2ed88a08 100644 +--- a/drivers/gpio/gpio-davinci.c ++++ b/drivers/gpio/gpio-davinci.c +@@ -227,6 +227,11 @@ static int davinci_gpio_probe(struct platform_device *pdev) + else + nirq = DIV_ROUND_UP(ngpio, 16); + ++ if (nirq > MAX_INT_PER_BANK) { ++ dev_err(dev, "Too many IRQs!\n"); ++ return -EINVAL; ++ } ++ + chips = devm_kzalloc(dev, sizeof(*chips), GFP_KERNEL); + if (!chips) + return -ENOMEM; +-- +2.43.0 + 
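Review bot: In the gpio-davinci patch, the new `nirq > MAX_INT_PER_BANK` guard in davinci_gpio_probe() logs only "Too many IRQs!", which does not tell whoever debugs a broken Device Tree what value was read or what the limit is. Printing both, e.g. `dev_err(dev, "Too many IRQs: %u (max %d)\n", nirq, MAX_INT_PER_BANK);` with the format specifiers matched to the declarations (which are outside the hunk), makes the rejection actionable. The check bounds `nirq` only from above, so if `nirq` is declared as a signed type a negative value taken from the DT would still pass it; worth confirming against the declaration.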
diff --git a/queue-5.15/gpiolib-cdev-disallow-reconfiguration-without-direct.patch b/queue-5.15/gpiolib-cdev-disallow-reconfiguration-without-direct.patch new file mode 100644 index 00000000000..092efa71bd5 --- /dev/null +++ b/queue-5.15/gpiolib-cdev-disallow-reconfiguration-without-direct.patch 
@@ -0,0 +1,88 @@ +From e1e9fe825166345c134b058421954a45cb784371 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jun 2024 13:29:22 +0800 +Subject: gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) + +From: Kent Gibson + +[ Upstream commit 9919cce62f68e6ab68dc2a975b5dc670f8ca7d40 ] + +linehandle_set_config() behaves badly when direction is not set. +The configuration validation is borrowed from linehandle_create(), where, +to verify the intent of the user, the direction must be set to in order +to effect a change to the electrical configuration of a line. But, when +applied to reconfiguration, that validation does not allow for the unset +direction case, making it possible to clear flags set previously without +specifying the line direction. + +Adding to the inconsistency, those changes are not immediately applied by +linehandle_set_config(), but will take effect when the line value is next +get or set. + +For example, by requesting a configuration with no flags set, an output +line with GPIOHANDLE_REQUEST_ACTIVE_LOW and GPIOHANDLE_REQUEST_OPEN_DRAIN +requested could have those flags cleared, inverting the sense of the line +and changing the line drive to push-pull on the next line value set. + +Ensure the intent of the user by disallowing configurations which do not +have direction set, returning an error to userspace to indicate that the +configuration is invalid. + +And, for clarity, use lflags, a local copy of gcnf.flags, throughout when +dealing with the requested flags, rather than a mixture of both. 
+ +Fixes: e588bb1eae31 ("gpio: add new SET_CONFIG ioctl() to gpio chardev") +Signed-off-by: Kent Gibson +Link: https://lore.kernel.org/r/20240626052925.174272-2-warthog618@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-cdev.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c +index 1db991cb2efce..c2f9d95d1086f 100644 +--- a/drivers/gpio/gpiolib-cdev.c ++++ b/drivers/gpio/gpiolib-cdev.c +@@ -127,6 +127,10 @@ struct linehandle_state { + GPIOHANDLE_REQUEST_OPEN_DRAIN | \ + GPIOHANDLE_REQUEST_OPEN_SOURCE) + ++#define GPIOHANDLE_REQUEST_DIRECTION_FLAGS \ ++ (GPIOHANDLE_REQUEST_INPUT | \ ++ GPIOHANDLE_REQUEST_OUTPUT) ++ + static int linehandle_validate_flags(u32 flags) + { + /* Return an error if an unknown flag is set */ +@@ -207,21 +211,21 @@ static long linehandle_set_config(struct linehandle_state *lh, + if (ret) + return ret; + ++ /* Lines must be reconfigured explicitly as input or output. */ ++ if (!(lflags & GPIOHANDLE_REQUEST_DIRECTION_FLAGS)) ++ return -EINVAL; ++ + for (i = 0; i < lh->num_descs; i++) { + desc = lh->descs[i]; +- linehandle_flags_to_desc_flags(gcnf.flags, &desc->flags); ++ linehandle_flags_to_desc_flags(lflags, &desc->flags); + +- /* +- * Lines have to be requested explicitly for input +- * or output, else the line will be treated "as is". +- */ + if (lflags & GPIOHANDLE_REQUEST_OUTPUT) { + int val = !!gcnf.default_values[i]; + + ret = gpiod_direction_output(desc, val); + if (ret) + return ret; +- } else if (lflags & GPIOHANDLE_REQUEST_INPUT) { ++ } else { + ret = gpiod_direction_input(desc); + if (ret) + return ret; +-- +2.43.0 + diff --git a/queue-5.15/media-dvbdev-initialize-sbuf.patch b/queue-5.15/media-dvbdev-initialize-sbuf.patch new file mode 100644 index 00000000000..909016e11c7 --- /dev/null +++ b/queue-5.15/media-dvbdev-initialize-sbuf.patch 
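Review bot: In linehandle_set_config() the loop's `else` branch now calls gpiod_direction_input() for every request that is not OUTPUT, which is correct only because of the new direction check placed before the loop; with the old comment removed, that dependency is undocumented. A short comment on the branch, e.g. `/* direction check above guarantees INPUT here */`, would keep a later edit from reintroducing the "as is" case. Note also that linehandle_flags_to_desc_flags() updates `desc->flags` before gpiod_direction_output() or gpiod_direction_input() is attempted and the loop returns on the first failure, so an error part-way through appears to leave earlier lines reconfigured while userspace is told the request failed. The start of the function is outside the hunk.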
@@ -0,0 +1,42 @@
+From 81d02ff657161badf70fb6bde74b0b3b60b67783 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Mar 2024 14:50:25 +0000
+Subject: media: dvbdev: Initialize sbuf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo Ribalda
+
+[ Upstream commit 17d1316de0d7dc1bdc5d6e3ad4efd30a9bf1a381 ]
+
+Because the size passed to copy_from_user() cannot be known beforehand,
+it needs to be checked during runtime with check_object_size. That makes
+gcc believe that the content of sbuf can be used before init.
+
+Fix:
+./include/linux/thread_info.h:215:17: warning: ‘sbuf’ may be used uninitialized [-Wmaybe-uninitialized]
+
+Signed-off-by: Ricardo Ribalda
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
+index 23a0c209744dc..661588fc64f6a 100644
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -974,7 +974,7 @@ int dvb_usercopy(struct file *file,
+ int (*func)(struct file *file,
+ unsigned int cmd, void *arg))
+ {
+- char sbuf[128];
++ char sbuf[128] = {};
+ void *mbuf = NULL;
+ void *parg = NULL;
+ int err = -EINVAL;
+--
+2.43.0
+
diff --git a/queue-5.15/mtd-partitions-redboot-added-conversion-of-operands-.patch b/queue-5.15/mtd-partitions-redboot-added-conversion-of-operands-.patch
new file mode 100644
index 00000000000..62710f628ad
--- /dev/null
+++ b/queue-5.15/mtd-partitions-redboot-added-conversion-of-operands-.patch
@@ -0,0 +1,40 @@
+From 70afb26d3b19d5e610684ba836d424d215debdfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Mar 2024 12:37:58 +0300
+Subject: mtd: partitions: redboot: Added conversion of operands to a larger
+ type
+
+From: Denis Arefev
+
+[ Upstream commit 1162bc2f8f5de7da23d18aa4b7fbd4e93c369c50 ]
+
+The value of an arithmetic expression directory * master->erasesize is
+subject to overflow due to a failure to cast operands to a larger data
+type before perfroming arithmetic
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Denis Arefev
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20240315093758.20790-1-arefev@swemel.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/parsers/redboot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/parsers/redboot.c b/drivers/mtd/parsers/redboot.c
+index a16b42a885816..3b55b676ca6b9 100644
+--- a/drivers/mtd/parsers/redboot.c
++++ b/drivers/mtd/parsers/redboot.c
+@@ -102,7 +102,7 @@ static int parse_redboot_partitions(struct mtd_info *master,
+ offset -= master->erasesize;
+ }
+ } else {
+- offset = directory * master->erasesize;
++ offset = (unsigned long) directory * master->erasesize;
+ while (mtd_block_isbad(master, offset)) {
+ offset += master->erasesize;
+ if (offset == master->size)
+--
+2.43.0
+
diff --git a/queue-5.15/net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch b/queue-5.15/net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch
new file mode 100644
index 00000000000..cfd17b7c4ac
--- /dev/null
+++ b/queue-5.15/net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch
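Review bot: The cast in `offset = (unsigned long) directory * master->erasesize;` widens the multiplication only where `unsigned long` is 64 bits; on 32-bit builds the product is still computed in 32 bits and can wrap, so the overflow named in the commit message is not removed there. The loop that follows stops only on `offset == master->size`, so a wrapped or oversized starting offset is not rejected before mtd_block_isbad() is called with it. A range test ahead of the loop, `if ((u64)directory * master->erasesize >= master->size)` followed by the function's usual error return, would bound the value on every architecture. The declarations of `offset` and `directory` and the error path of parse_redboot_partitions() are outside the hunk, so the exact types should be confirmed.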
@@ -0,0 +1,72 @@ +From a50655bed092908c5e16327d7b0f69e3f10df8b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Mar 2024 13:34:41 +0800 +Subject: net/dpaa2: Avoid explicit cpumask var allocation on stack + +From: Dawei Li + +[ Upstream commit d33fe1714a44ff540629b149d8fab4ac6967585c ] + +For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask +variable on stack is not recommended since it can cause potential stack +overflow. + +Instead, kernel code should always use *cpumask_var API(s) to allocate +cpumask var in config-neutral way, leaving allocation strategy to +CONFIG_CPUMASK_OFFSTACK. + +Use *cpumask_var API(s) to address it. + +Signed-off-by: Dawei Li +Link: https://lore.kernel.org/r/20240331053441.1276826-3-dawei.li@shingroup.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +index 78040a09313ef..fa1b1b7dd8a06 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -2468,11 +2468,14 @@ static int dpaa2_eth_xdp_xmit(struct net_device *net_dev, int n, + static int update_xps(struct dpaa2_eth_priv *priv) + { + struct net_device *net_dev = priv->net_dev; +- struct cpumask xps_mask; +- struct dpaa2_eth_fq *fq; + int i, num_queues, netdev_queues; ++ struct dpaa2_eth_fq *fq; ++ cpumask_var_t xps_mask; + int err = 0; + ++ if (!alloc_cpumask_var(&xps_mask, GFP_KERNEL)) ++ return -ENOMEM; ++ + num_queues = dpaa2_eth_queue_count(priv); + netdev_queues = (net_dev->num_tc ? 
: 1) * num_queues; + +@@ -2482,16 +2485,17 @@ static int update_xps(struct dpaa2_eth_priv *priv) + for (i = 0; i < netdev_queues; i++) { + fq = &priv->fq[i % num_queues]; + +- cpumask_clear(&xps_mask); +- cpumask_set_cpu(fq->target_cpu, &xps_mask); ++ cpumask_clear(xps_mask); ++ cpumask_set_cpu(fq->target_cpu, xps_mask); + +- err = netif_set_xps_queue(net_dev, &xps_mask, i); ++ err = netif_set_xps_queue(net_dev, xps_mask, i); + if (err) { + netdev_warn_once(net_dev, "Error setting XPS queue\n"); + break; + } + } + ++ free_cpumask_var(xps_mask); + return err; + } + +-- +2.43.0 + diff --git a/queue-5.15/net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch b/queue-5.15/net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch new file mode 100644 index 00000000000..ec7f7f64ba4 --- /dev/null +++ b/queue-5.15/net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch 
@@ -0,0 +1,85 @@ +From adcb4538d65bd3e78aef54a2796b40bb2d9e68d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Mar 2024 13:34:40 +0800 +Subject: net/iucv: Avoid explicit cpumask var allocation on stack + +From: Dawei Li + +[ Upstream commit be4e1304419c99a164b4c0e101c7c2a756b635b9 ] + +For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask +variable on stack is not recommended since it can cause potential stack +overflow. + +Instead, kernel code should always use *cpumask_var API(s) to allocate +cpumask var in config-neutral way, leaving allocation strategy to +CONFIG_CPUMASK_OFFSTACK. + +Use *cpumask_var API(s) to address it. + +Signed-off-by: Dawei Li +Reviewed-by: Alexandra Winter +Link: https://lore.kernel.org/r/20240331053441.1276826-2-dawei.li@shingroup.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/iucv/iucv.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c +index 68edefed79f16..30fc78236050a 100644 +--- a/net/iucv/iucv.c ++++ b/net/iucv/iucv.c +@@ -519,7 +519,7 @@ static void iucv_setmask_mp(void) + */ + static void iucv_setmask_up(void) + { +- cpumask_t cpumask; ++ static cpumask_t cpumask; + int cpu; + + /* Disable all cpu but the first in cpu_irq_cpumask. */ +@@ -627,23 +627,33 @@ static int iucv_cpu_online(unsigned int cpu) + + static int iucv_cpu_down_prep(unsigned int cpu) + { +- cpumask_t cpumask; ++ cpumask_var_t cpumask; ++ int ret = 0; + + if (!iucv_path_table) + return 0; + +- cpumask_copy(&cpumask, &iucv_buffer_cpumask); +- cpumask_clear_cpu(cpu, &cpumask); +- if (cpumask_empty(&cpumask)) ++ if (!alloc_cpumask_var(&cpumask, GFP_KERNEL)) ++ return -ENOMEM; ++ ++ cpumask_copy(cpumask, &iucv_buffer_cpumask); ++ cpumask_clear_cpu(cpu, cpumask); ++ if (cpumask_empty(cpumask)) { + /* Can't offline last IUCV enabled cpu. 
*/ +- return -EINVAL; ++ ret = -EINVAL; ++ goto __free_cpumask; ++ } + + iucv_retrieve_cpu(NULL); + if (!cpumask_empty(&iucv_irq_cpumask)) +- return 0; ++ goto __free_cpumask; ++ + smp_call_function_single(cpumask_first(&iucv_buffer_cpumask), + iucv_allow_cpu, NULL, 1); +- return 0; ++ ++__free_cpumask: ++ free_cpumask_var(cpumask); ++ return ret; + } + + /** +-- +2.43.0 + diff --git a/queue-5.15/nvme-fixup-comment-for-nvme-rdma-provider-type.patch b/queue-5.15/nvme-fixup-comment-for-nvme-rdma-provider-type.patch new file mode 100644 index 00000000000..00cfc75ebae --- /dev/null +++ b/queue-5.15/nvme-fixup-comment-for-nvme-rdma-provider-type.patch @@ -0,0 +1,38 @@ +From ac736eeb579cc13d6e3a9025de5c99f9ca9e596f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 09:27:27 +0200 +Subject: nvme: fixup comment for nvme RDMA Provider Type + +From: Hannes Reinecke + +[ Upstream commit f80a55fa90fa76d01e3fffaa5d0413e522ab9a00 ] + +PRTYPE is the provider type, not the QP service type. + +Fixes: eb793e2c9286 ("nvme.h: add NVMe over Fabrics definitions") +Signed-off-by: Hannes Reinecke +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + include/linux/nvme.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/nvme.h b/include/linux/nvme.h +index 461ee0ee59fe4..537cc5b7e0500 100644 +--- a/include/linux/nvme.h ++++ b/include/linux/nvme.h +@@ -71,8 +71,8 @@ enum { + NVMF_RDMA_QPTYPE_DATAGRAM = 2, /* Reliable Datagram */ + }; + +-/* RDMA QP Service Type codes for Discovery Log Page entry TSAS +- * RDMA_QPTYPE field ++/* RDMA Provider Type codes for Discovery Log Page entry TSAS ++ * RDMA_PRTYPE field + */ + enum { + NVMF_RDMA_PRTYPE_NOT_SPECIFIED = 1, /* No Provider Specified */ +-- +2.43.0 + 
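Review bot: In iucv_setmask_up() the mask becomes `static cpumask_t cpumask;`, which turns a per-call scratch variable into state shared by every caller, and nothing in the hunk says what keeps two calls from running at once. A comment on the declaration should name the serialization it relies on, for example `/* static to keep it off the stack; callers are serialized by <lock held by callers> */`, with the placeholder filled in from the call sites, which are outside this hunk. Separately, iucv_cpu_down_prep() can now return -ENOMEM, so a CPU offline request may fail under memory pressure where it previously could not; that deserves a line in the function comment. The label `__free_cpumask` uses a double-underscore prefix, which C reserves for the implementation; `out_free` would be the conventional name.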
diff --git a/queue-5.15/rdma-restrack-fix-potential-invalid-address-access.patch b/queue-5.15/rdma-restrack-fix-potential-invalid-address-access.patch
new file mode 100644
index 00000000000..c5d8c012458
--- /dev/null
+++ b/queue-5.15/rdma-restrack-fix-potential-invalid-address-access.patch
@@ -0,0 +1,104 @@ +From 7700b1f8fdae8fc1e37e020b2e4d1c5e33351875 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 17:23:20 +0800 +Subject: RDMA/restrack: Fix potential invalid address access + +From: Wenchao Hao + +[ Upstream commit ca537a34775c103f7b14d7bbd976403f1d1525d8 ] + +struct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME +in ib_create_cq(), while if the module exited but forgot del this +rdma_restrack_entry, it would cause a invalid address access in +rdma_restrack_clean() when print the owner of this rdma_restrack_entry. + +These code is used to help find one forgotten PD release in one of the +ULPs. But it is not needed anymore, so delete them. + +Signed-off-by: Wenchao Hao +Link: https://lore.kernel.org/r/20240318092320.1215235-1-haowenchao2@huawei.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/restrack.c | 51 +----------------------------- + 1 file changed, 1 insertion(+), 50 deletions(-) + +diff --git a/drivers/infiniband/core/restrack.c b/drivers/infiniband/core/restrack.c +index 01a499a8b88db..438ed35881752 100644 +--- a/drivers/infiniband/core/restrack.c ++++ b/drivers/infiniband/core/restrack.c +@@ -37,22 +37,6 @@ int rdma_restrack_init(struct ib_device *dev) + return 0; + } + +-static const char *type2str(enum rdma_restrack_type type) +-{ +- static const char * const names[RDMA_RESTRACK_MAX] = { +- [RDMA_RESTRACK_PD] = "PD", +- [RDMA_RESTRACK_CQ] = "CQ", +- [RDMA_RESTRACK_QP] = "QP", +- [RDMA_RESTRACK_CM_ID] = "CM_ID", +- [RDMA_RESTRACK_MR] = "MR", +- [RDMA_RESTRACK_CTX] = "CTX", +- [RDMA_RESTRACK_COUNTER] = "COUNTER", +- [RDMA_RESTRACK_SRQ] = "SRQ", +- }; +- +- return names[type]; +-}; +- + /** + * rdma_restrack_clean() - clean resource tracking + * @dev: IB device +@@ -60,47 +44,14 @@ static const char *type2str(enum rdma_restrack_type type) + void rdma_restrack_clean(struct ib_device *dev) + { + struct rdma_restrack_root *rt = dev->res; +- struct rdma_restrack_entry 
*e; +- char buf[TASK_COMM_LEN]; +- bool found = false; +- const char *owner; + int i; + + for (i = 0 ; i < RDMA_RESTRACK_MAX; i++) { + struct xarray *xa = &dev->res[i].xa; + +- if (!xa_empty(xa)) { +- unsigned long index; +- +- if (!found) { +- pr_err("restrack: %s", CUT_HERE); +- dev_err(&dev->dev, "BUG: RESTRACK detected leak of resources\n"); +- } +- xa_for_each(xa, index, e) { +- if (rdma_is_kernel_res(e)) { +- owner = e->kern_name; +- } else { +- /* +- * There is no need to call get_task_struct here, +- * because we can be here only if there are more +- * get_task_struct() call than put_task_struct(). +- */ +- get_task_comm(buf, e->task); +- owner = buf; +- } +- +- pr_err("restrack: %s %s object allocated by %s is not freed\n", +- rdma_is_kernel_res(e) ? "Kernel" : +- "User", +- type2str(e->type), owner); +- } +- found = true; +- } ++ WARN_ON(!xa_empty(xa)); + xa_destroy(xa); + } +- if (found) +- pr_err("restrack: %s", CUT_HERE); +- + kfree(rt); + } + +-- +2.43.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 13119c3193d..aad6ca26c19 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
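Review bot: The replacement `WARN_ON(!xa_empty(xa));` in rdma_restrack_clean() sits inside the per-type loop, so it reports a leak without saying which resource type leaked and can emit one full backtrace per non-empty type. Keeping the type index in the message restores most of the diagnostic value without touching `e->kern_name`, the pointer the commit message identifies as unsafe: `WARN(!xa_empty(xa), "restrack: resources of type %d were not freed\n", i);`. On systems that enable panic-on-warn, a leaked entry at device removal now stops the machine where the old code only logged, which operators of such systems should be aware of.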
@@ -313,3 +313,22 @@ parisc-use-correct-compat-recv-recvfrom-syscalls.patch tcp-fix-tcp_rcv_fastopen_synack-to-enter-tcp_ca_loss.patch netfilter-nf_tables-fully-validate-nft_data_value-on.patch tracing-net_sched-null-pointer-dereference-in-perf_t.patch +bpf-take-return-from-set_memory_ro-into-account-with.patch +drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch +vduse-validate-block-features-only-with-block-device.patch +vduse-temporarily-fail-if-control-queue-feature-requ.patch +x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch +mtd-partitions-redboot-added-conversion-of-operands-.patch +bpf-add-a-check-for-struct-bpf_fib_lookup-size.patch +rdma-restrack-fix-potential-invalid-address-access.patch +net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch +net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch +crypto-ecdh-explicitly-zeroize-private_key.patch +alsa-emux-improve-patch-ioctl-data-validation.patch +media-dvbdev-initialize-sbuf.patch +soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch +drm-radeon-radeon_display-decrease-the-size-of-alloc.patch +nvme-fixup-comment-for-nvme-rdma-provider-type.patch +drm-panel-simple-add-missing-display-timing-flags-fo.patch +gpio-davinci-validate-the-obtained-number-of-irqs.patch +gpiolib-cdev-disallow-reconfiguration-without-direct.patch diff --git a/queue-5.15/soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch b/queue-5.15/soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch new file mode 100644 index 00000000000..00180aae507 --- /dev/null +++ b/queue-5.15/soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch 
@@ -0,0 +1,71 @@ +From bee6ea06af2a0d6438e938e3574f9976f6dee417 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 11:55:07 -0500 +Subject: soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer + message + +From: Andrew Davis + +[ Upstream commit ddbf3204f600a4d1f153498f618369fca352ae00 ] + +mbox_send_message() sends a u32 bit message, not a pointer to a message. +We only convert to a pointer type as a generic type. If we want to send +a dummy message of 0, then simply send 0 (NULL). + +Signed-off-by: Andrew Davis +Link: https://lore.kernel.org/r/20240325165507.30323-1-afd@ti.com +Signed-off-by: Nishanth Menon +Signed-off-by: Sasha Levin +--- + drivers/soc/ti/wkup_m3_ipc.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/soc/ti/wkup_m3_ipc.c b/drivers/soc/ti/wkup_m3_ipc.c +index 8b3ff44fd9010..967c40059a431 100644 +--- a/drivers/soc/ti/wkup_m3_ipc.c ++++ b/drivers/soc/ti/wkup_m3_ipc.c +@@ -14,7 +14,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -151,7 +150,6 @@ static irqreturn_t wkup_m3_txev_handler(int irq, void *ipc_data) + static int wkup_m3_ping(struct wkup_m3_ipc *m3_ipc) + { + struct device *dev = m3_ipc->dev; +- mbox_msg_t dummy_msg = 0; + int ret; + + if (!m3_ipc->mbox) { +@@ -167,7 +165,7 @@ static int wkup_m3_ping(struct wkup_m3_ipc *m3_ipc) + * the RX callback to avoid multiple interrupts being received + * by the CM3. 
+ */ +- ret = mbox_send_message(m3_ipc->mbox, &dummy_msg); ++ ret = mbox_send_message(m3_ipc->mbox, NULL); + if (ret < 0) { + dev_err(dev, "%s: mbox_send_message() failed: %d\n", + __func__, ret); +@@ -189,7 +187,6 @@ static int wkup_m3_ping(struct wkup_m3_ipc *m3_ipc) + static int wkup_m3_ping_noirq(struct wkup_m3_ipc *m3_ipc) + { + struct device *dev = m3_ipc->dev; +- mbox_msg_t dummy_msg = 0; + int ret; + + if (!m3_ipc->mbox) { +@@ -198,7 +195,7 @@ static int wkup_m3_ping_noirq(struct wkup_m3_ipc *m3_ipc) + return -EIO; + } + +- ret = mbox_send_message(m3_ipc->mbox, &dummy_msg); ++ ret = mbox_send_message(m3_ipc->mbox, NULL); + if (ret < 0) { + dev_err(dev, "%s: mbox_send_message() failed: %d\n", + __func__, ret); +-- +2.43.0 + diff --git a/queue-5.15/vduse-temporarily-fail-if-control-queue-feature-requ.patch b/queue-5.15/vduse-temporarily-fail-if-control-queue-feature-requ.patch new file mode 100644 index 00000000000..78dc0ad8b8e --- /dev/null +++ b/queue-5.15/vduse-temporarily-fail-if-control-queue-feature-requ.patch 
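Review bot: Both `mbox_send_message(m3_ipc->mbox, NULL)` calls, in wkup_m3_ping() and wkup_m3_ping_noirq(), depend on the reader knowing that the second argument carries the 32-bit payload itself rather than pointing at a buffer, and neither call site says so. A short comment at each call would keep someone from changing it back to a pointer, e.g. `/* mssg carries the u32 value itself, so NULL sends 0 */`. It is also worth confirming for the 5.15 tree that the mailbox core's transmit-done handling does not treat a NULL message differently in a way this client relies on; that code is not part of the hunk. Both function bodies continue outside the hunk.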
@@ -0,0 +1,66 @@ +From fc8aa1795cdf5974ce4f206d3d08f3bcd668b32e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jan 2024 12:10:24 +0100 +Subject: vduse: Temporarily fail if control queue feature requested +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxime Coquelin + +[ Upstream commit 56e71885b0349241c07631a7b979b61e81afab6a ] + +Virtio-net driver control queue implementation is not safe +when used with VDUSE. If the VDUSE application does not +reply to control queue messages, it currently ends up +hanging the kernel thread sending this command. + +Some work is on-going to make the control queue +implementation robust with VDUSE. Until it is completed, +let's fail features check if control-queue feature is +requested. + +Signed-off-by: Maxime Coquelin +Message-Id: <20240109111025.1320976-3-maxime.coquelin@redhat.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Eugenio Pérez +Reviewed-by: Xie Yongji +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/vdpa/vdpa_user/vduse_dev.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c +index 898ef597338a2..4684d4756b427 100644 +--- a/drivers/vdpa/vdpa_user/vduse_dev.c ++++ b/drivers/vdpa/vdpa_user/vduse_dev.c +@@ -8,6 +8,7 @@ + * + */ + ++#include "linux/virtio_net.h" + #include + #include + #include +@@ -26,6 +27,7 @@ + #include + #include + #include ++#include + #include + + #include "iova_domain.h" +@@ -1236,6 +1238,9 @@ static bool features_is_valid(struct vduse_dev_config *config) + if ((config->device_id == VIRTIO_ID_BLOCK) && + (config->features & BIT_ULL(VIRTIO_BLK_F_CONFIG_WCE))) + return false; ++ else if ((config->device_id == VIRTIO_ID_NET) && ++ (config->features & BIT_ULL(VIRTIO_NET_F_CTRL_VQ))) ++ return false; + + return true; + } +-- +2.43.0 + 
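Review bot: The new `VIRTIO_NET_F_CTRL_VQ` rejection in features_is_valid() falls under the existing comment about read-only configuration space, which does not describe it. The reason appears only in the commit message: a VDUSE application that never answers control-queue messages hangs the kernel thread that sent them. That belongs next to the check, e.g. `/* No control queue yet: an unresponsive VDUSE daemon would hang the virtio-net control path */`, so the restriction is not lifted by accident. The `else` after a branch that returns is redundant. Also, `#include "linux/virtio_net.h"` uses the quoted form while the file's other includes appear to use angle brackets; `#include <linux/virtio_net.h>` would match them.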
diff --git a/queue-5.15/vduse-validate-block-features-only-with-block-device.patch b/queue-5.15/vduse-validate-block-features-only-with-block-device.patch
new file mode 100644
index 00000000000..2ce48a3622f
--- /dev/null
+++ b/queue-5.15/vduse-validate-block-features-only-with-block-device.patch
@@ -0,0 +1,64 @@ +From c42ac86ee26bc637f0e8106469573cbcc908634b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jan 2024 12:10:23 +0100 +Subject: vduse: validate block features only with block devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxime Coquelin + +[ Upstream commit a115b5716fc9a64652aa9cb332070087178ffafa ] + +This patch is preliminary work to enable network device +type support to VDUSE. + +As VIRTIO_BLK_F_CONFIG_WCE shares the same value as +VIRTIO_NET_F_HOST_TSO4, we need to restrict its check +to Virtio-blk device type. + +Acked-by: Jason Wang +Reviewed-by: Xie Yongji +Reviewed-by: Eugenio Pérez +Signed-off-by: Maxime Coquelin +Message-Id: <20240109111025.1320976-2-maxime.coquelin@redhat.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vdpa/vdpa_user/vduse_dev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c +index 564864f039d20..898ef597338a2 100644 +--- a/drivers/vdpa/vdpa_user/vduse_dev.c ++++ b/drivers/vdpa/vdpa_user/vduse_dev.c +@@ -1227,13 +1227,14 @@ static bool device_is_allowed(u32 device_id) + return false; + } + +-static bool features_is_valid(u64 features) ++static bool features_is_valid(struct vduse_dev_config *config) + { +- if (!(features & (1ULL << VIRTIO_F_ACCESS_PLATFORM))) ++ if (!(config->features & BIT_ULL(VIRTIO_F_ACCESS_PLATFORM))) + return false; + + /* Now we only support read-only configuration space */ +- if (features & (1ULL << VIRTIO_BLK_F_CONFIG_WCE)) ++ if ((config->device_id == VIRTIO_ID_BLOCK) && ++ (config->features & BIT_ULL(VIRTIO_BLK_F_CONFIG_WCE))) + return false; + + return true; +@@ -1260,7 +1261,7 @@ static bool vduse_validate_config(struct vduse_dev_config *config) + if (!device_is_allowed(config->device_id)) + return false; + +- if (!features_is_valid(config->features)) ++ if 
(!features_is_valid(config)) + return false; + + return true; +-- +2.43.0 + diff --git a/queue-5.15/x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch b/queue-5.15/x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch new file mode 100644 index 00000000000..64f22f703bb --- /dev/null +++ b/queue-5.15/x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch 
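Review bot: features_is_valid() only reads through its new parameter, so it can take `const struct vduse_dev_config *config`, which documents that validation never modifies the user-supplied configuration. The comment `/* Now we only support read-only configuration space */` now sits above a check that applies to block devices only. Adding the reason from the commit message, that the `VIRTIO_BLK_F_CONFIG_WCE` bit value has a different meaning for other device types, would explain the `device_id` test to the next reader.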
@@ -0,0 +1,61 @@ +From 19598933a5ddc7d6c3605bcc13fabb2d9f74d841 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 09:18:23 +0100 +Subject: x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup + +From: Uros Bizjak + +[ Upstream commit 5d31174f3c8c465d9dbe88f6b9d1fe5716f44981 ] + +The assembly snippet in restore_fpregs_from_fpstate() that implements +X86_BUG_FXSAVE_LEAK fixup loads the value from a random variable, +preferably the one that is already in the L1 cache. + +However, the access to fpinit_state via *fpstate pointer is not +implemented correctly. The "m" asm constraint requires dereferenced +pointer variable, otherwise the compiler just reloads the value +via temporary stack slot. The current asm code reflects this: + + mov %rdi,(%rsp) + ... + fildl (%rsp) + +With dereferenced pointer variable, the code does what the +comment above the asm snippet says: + + fildl (%rdi) + +Also, remove the pointless %P operand modifier. The modifier is +ineffective on non-symbolic references - it was used to prevent +%rip-relative addresses in .altinstr sections, but FILDL in the +.text section can use %rip-relative addresses without problems. + +Signed-off-by: Uros Bizjak +Signed-off-by: Ingo Molnar +Cc: Andy Lutomirski +Cc: H. 
Peter Anvin +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20240315081849.5187-1-ubizjak@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/fpu/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c +index 3ad1bf5de7373..157008d99f951 100644 +--- a/arch/x86/kernel/fpu/core.c ++++ b/arch/x86/kernel/fpu/core.c +@@ -121,8 +121,8 @@ void __restore_fpregs_from_fpstate(union fpregs_state *fpstate, u64 mask) + asm volatile( + "fnclex\n\t" + "emms\n\t" +- "fildl %P[addr]" /* set F?P to defined value */ +- : : [addr] "m" (fpstate)); ++ "fildl %[addr]" /* set F?P to defined value */ ++ : : [addr] "m" (*fpstate)); + } + + if (use_xsave()) { +-- +2.43.0 + -- 2.47.3
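Review bot: The difference between `"m" (fpstate)` and `"m" (*fpstate)` is the whole fix, yet nothing at the asm statement in __restore_fpregs_from_fpstate() explains why the dereference matters. A comment above the operand list would keep it from being reverted, e.g. `/* "m" must name the pointed-to object; passing the pointer makes the compiler spill it to a stack slot */`. `fildl` loads 32 bits while the operand is declared as the whole `union fpregs_state`, which is harmless here but worth stating in the same comment. The function body continues outside the hunk.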