From 69fcf0fc47908609c4569e6eadd71a35ef928dfd Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 9 Jul 2023 00:58:28 -0400
Subject: [PATCH] Fixes for 4.14
Signed-off-by: Sasha Levin
---
...ssible-null-dereference-in-snd_ac97_.patch | 42 ++++
...es-avoid-missing-declaration-warning.patch | 103 ++++++++++
...x-drop-clock-names-from-the-spi-node.patch | 42 ++++
...p93xx-fix-missing-prototype-warnings.patch | 48 +++++
...ement-max-value-for-alc-capture-targ.patch | 91 +++++++++
...ild-warnings-when-debug_fs-is-not-en.patch | 88 ++++++++
...-fix-active-size-for-ampire-am-48027.patch | 51 +++++
...fix-possible-division-by-zero-errors.patch | 94 +++++++++
...ete-description-of-evm_inode_setattr.patch | 39 ++++
..._mipid-fix-an-error-handling-path-in.patch | 44 ++++
...se-after-free-in-__gtp_encap_destroy.patch | 190 ++++++++++++++++++
...-not-hardcode-interrupt-trigger-type.patch | 39 ++++
...drv260x-sleep-between-polling-go-bit.patch | 39 ++++
...a-memory-leak-in-crash_shrink_memory.patch | 93 +++++++++
...initial-match-offset-for-every-block.patch | 59 ++++++
...-loss-while-replacement-replace-rdev.patch | 79 ++++++++
...0-fix-overflow-of-md-safe_mode_delay.patch | 51 +++++
...rong-setting-of-max_corr_read_errors.patch | 38 ++++
...ke-memstick_debug_get_tpc_name-stati.patch | 49 +++++
...-off-by-one-in-is_executable_section.patch | 36 ++++
...ion-mismatch-message-for-r_arm_-pc24.patch | 106 ++++++++++
...ion-mismatch-message-for-r_arm_abs32.patch | 133 ++++++++++++
...ntrack_sip-fix-the-ct_sip_parse_nume.patch | 53 +++++
...__sock_i_ino-for-__netlink_diag_dump.patch | 152 ++++++++++++++
...ard-code-device-address-lenth-in-fdb.patch | 157 +++++++++++++++
...otential-deadlock-in-netlink_set_err.patch | 117 +++++++++++
...clear_master-stub-for-non-config_pci.patch | 39 ++++
...ux-fix-off-by-one-in-die_get_varname.patch | 45 +++++
...4-check-return-value-of-devm_kasprin.patch | 41 ++++
...ew-return-correct-value-if-pin-in-pu.patch | 57 ++++++
...nteger-overflow-issues-in-genpd_pars.patch | 48 +++++
...eon-avoid-double-free-in-ci_dpm_init.patch | 110 ++++++++++
...-error-handling-for-initialization-f.patch | 47 +++++
queue-4.14/series | 46 +++++
.../soc-fsl-qe-fix-usb.c-build-errors.patch | 60 ++++++
...fine-dummy-watchdog_update_hrtimer_t.patch | 89 ++++++++
...re-properly-prevent-false-positives-.patch | 84 ++++++++
...-referencing-uninit-memory-in-ath9k_.patch | 58 ++++++
...onvert-msecs-to-jiffies-where-needed.patch | 51 +++++
...-allow-to-overwrite-endpoint0-attrib.patch | 54 +++++
...r9003-mac-hardware-hang-check-regist.patch | 95 +++++++++
...ossible-stall-on-ath9k_txq_list_has_.patch | 111 ++++++++++
...n-error-handling-path-in-atmel_probe.patch | 59 ++++++
...-an-error-handling-path-in-orinoco_c.patch | 58 ++++++
...-an-error-handling-path-in-spectrum_.patch | 59 ++++++
...-an-error-handling-path-in-ray_probe.patch | 69 +++++++
...ix-an-error-handling-path-in-wl3501_.patch | 66 ++++++
47 files changed, 3379 insertions(+)
create mode 100644 queue-4.14/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch
create mode 100644 queue-4.14/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch
create mode 100644 queue-4.14/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch
create mode 100644 queue-4.14/arm-ep93xx-fix-missing-prototype-warnings.patch
create mode 100644 queue-4.14/asoc-es8316-increment-max-value-for-alc-capture-targ.patch
create mode 100644 queue-4.14/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
create mode 100644 queue-4.14/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
create mode 100644 queue-4.14/drm-radeon-fix-possible-division-by-zero-errors.patch
create mode 100644 queue-4.14/evm-complete-description-of-evm_inode_setattr.patch
create mode 100644 queue-4.14/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch
create mode 100644 queue-4.14/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch
create mode 100644 queue-4.14/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch
create mode 100644 queue-4.14/input-drv260x-sleep-between-polling-go-bit.patch
create mode 100644 queue-4.14/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch
create mode 100644 queue-4.14/lib-ts_bm-reset-initial-match-offset-for-every-block.patch
create mode 100644 queue-4.14/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch
create mode 100644 queue-4.14/md-raid10-fix-overflow-of-md-safe_mode_delay.patch
create mode 100644 queue-4.14/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch
create mode 100644 queue-4.14/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
create mode 100644 queue-4.14/modpost-fix-off-by-one-in-is_executable_section.patch
create mode 100644 queue-4.14/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
create mode 100644 queue-4.14/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch
create mode 100644 queue-4.14/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch
create mode 100644 queue-4.14/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
create mode 100644 queue-4.14/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch
create mode 100644 queue-4.14/netlink-fix-potential-deadlock-in-netlink_set_err.patch
create mode 100644 queue-4.14/pci-add-pci_clear_master-stub-for-non-config_pci.patch
create mode 100644 queue-4.14/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch
create mode 100644 queue-4.14/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch
create mode 100644 queue-4.14/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch
create mode 100644 queue-4.14/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch
create mode 100644 queue-4.14/radeon-avoid-double-free-in-ci_dpm_init.patch
create mode 100644 queue-4.14/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
create mode 100644 queue-4.14/soc-fsl-qe-fix-usb.c-build-errors.patch
create mode 100644 queue-4.14/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
create mode 100644 queue-4.14/watchdog-perf-more-properly-prevent-false-positives-.patch
create mode 100644 queue-4.14/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
create mode 100644 queue-4.14/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch
create mode 100644 queue-4.14/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
create mode 100644 queue-4.14/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
create mode 100644 queue-4.14/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch
create mode 100644 queue-4.14/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch
create mode 100644 queue-4.14/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch
create mode 100644 queue-4.14/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
create mode 100644 queue-4.14/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch
create mode 100644 queue-4.14/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch
diff --git a/queue-4.14/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch b/queue-4.14/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch
new file mode 100644
index 00000000000..f5f5a443d16
--- /dev/null
+++ b/queue-4.14/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch
@@ -0,0 +1,42 @@
+From b89ef5b09a642832a2792562461e622a8690533f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jun 2023 10:17:32 +0800
+Subject: ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
+
+From: Su Hui
+
+[ Upstream commit 79597c8bf64ca99eab385115743131d260339da5 ]
+
+smatch error:
+sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:
+we previously assumed 'rac97' could be null (see line 2072)
+
+remove redundant assignment, return error if rac97 is NULL.
+
+Fixes: da3cec35dd3c ("ALSA: Kill snd_assert() in sound/pci/*")
+Signed-off-by: Su Hui
+Link: https://lore.kernel.org/r/20230615021732.1972194-1-suhui@nfschina.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/ac97/ac97_codec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
+index d5dfc7349e70f..e37eab3ddc734 100644
+--- a/sound/pci/ac97/ac97_codec.c
++++ b/sound/pci/ac97/ac97_codec.c
+@@ -2026,8 +2026,8 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template,
+ .dev_disconnect = snd_ac97_dev_disconnect,
+ };
+
+- if (rac97)
+- *rac97 = NULL;
++ if (!rac97)
++ return -EINVAL;
+ if (snd_BUG_ON(!bus || !template))
+ return -EINVAL;
+ if (snd_BUG_ON(template->num >= 4))
+--
+2.39.2
+
diff --git a/queue-4.14/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch b/queue-4.14/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch
new file mode 100644
index 00000000000..bd46ef1da42
--- /dev/null
+++ b/queue-4.14/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch
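Review bot: With the `*rac97 = NULL;` initialisation removed from the top of snd_ac97_mixer(), the later error returns visible in this hunk (`snd_BUG_ON(!bus || !template)`, `template->num >= 4`) leave the caller's pointer untouched, so a caller that inspects `*rac97` after a failure may read a stale or uninitialised value. Keeping the reset after the new guard preserves the old contract: `if (!rac97) return -EINVAL;` followed by `*rac97 = NULL;`. The guard also turns a NULL `rac97`, which the old `if (rac97)` test tolerated, into -EINVAL, so any caller in the 4.14 tree that passes NULL should be checked. The rest of the function lies outside the hunk.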
@@ -0,0 +1,103 @@
+From 04966809110d87d032419aafec1eeae5df3ec796 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Jun 2023 19:28:42 +0100
+Subject: ARM: 9303/1: kprobes: avoid missing-declaration warnings
+
+From: Arnd Bergmann
+
+[ Upstream commit 1b9c3ddcec6a55e15d3e38e7405e2d078db02020 ]
+
+checker_stack_use_t32strd() and kprobe_handler() can be made static since
+they are not used from other files, while coverage_start_registers()
+and __kprobes_test_case() are used from assembler code, and just need
+a declaration to avoid a warning with the global definition.
+
+arch/arm/probes/kprobes/checkers-common.c:43:18: error: no previous prototype for 'checker_stack_use_t32strd'
+arch/arm/probes/kprobes/core.c:236:16: error: no previous prototype for 'kprobe_handler'
+arch/arm/probes/kprobes/test-core.c:723:10: error: no previous prototype for 'coverage_start_registers'
+arch/arm/probes/kprobes/test-core.c:918:14: error: no previous prototype for '__kprobes_test_case_start'
+arch/arm/probes/kprobes/test-core.c:952:14: error: no previous prototype for '__kprobes_test_case_end_16'
+arch/arm/probes/kprobes/test-core.c:967:14: error: no previous prototype for '__kprobes_test_case_end_32'
+
+Fixes: 6624cf651f1a ("ARM: kprobes: collects stack consumption for store instructions")
+Fixes: 454f3e132d05 ("ARM/kprobes: Remove jprobe arm implementation")
+Acked-by: Masami Hiramatsu (Google)
+Reviewed-by: Kees Cook
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Sasha Levin
+---
+ arch/arm/probes/kprobes/checkers-common.c | 2 +-
+ arch/arm/probes/kprobes/core.c | 2 +-
+ arch/arm/probes/kprobes/opt-arm.c | 2 --
+ arch/arm/probes/kprobes/test-core.c | 2 +-
+ arch/arm/probes/kprobes/test-core.h | 4 ++++
+ 5 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/probes/kprobes/checkers-common.c b/arch/arm/probes/kprobes/checkers-common.c
+index 971119c294741..aa10e5e46ebb2 100644
+--- a/arch/arm/probes/kprobes/checkers-common.c
++++ b/arch/arm/probes/kprobes/checkers-common.c
+@@ -48,7 +48,7 @@ enum probes_insn checker_stack_use_imm_0xx(probes_opcode_t insn,
+ * Different from other insn uses imm8, the real addressing offset of
+ * STRD in T32 encoding should be imm8 * 4. See ARMARM description.
+ */
+-enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn,
++static enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn,
+ struct arch_probes_insn *asi,
+ const struct decode_header *h)
+ {
+diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c
+index 3cd2066c2ca3c..01989c4bdf051 100644
+--- a/arch/arm/probes/kprobes/core.c
++++ b/arch/arm/probes/kprobes/core.c
+@@ -244,7 +244,7 @@ singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb)
+ * kprobe, and that level is reserved for user kprobe handlers, so we can't
+ * risk encountering a new kprobe in an interrupt handler.
+ */
+-void __kprobes kprobe_handler(struct pt_regs *regs)
++static void __kprobes kprobe_handler(struct pt_regs *regs)
+ {
+ struct kprobe *p, *cur;
+ struct kprobe_ctlblk *kcb;
+diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
+index cf08cb7267670..1516c340a0766 100644
+--- a/arch/arm/probes/kprobes/opt-arm.c
++++ b/arch/arm/probes/kprobes/opt-arm.c
+@@ -158,8 +158,6 @@ __arch_remove_optimized_kprobe(struct optimized_kprobe *op, int dirty)
+ }
+ }
+
+-extern void kprobe_handler(struct pt_regs *regs);
+-
+ static void
+ optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs)
+ {
+diff --git a/arch/arm/probes/kprobes/test-core.c b/arch/arm/probes/kprobes/test-core.c
+index a10d7187ad2c5..941b7452d879d 100644
+--- a/arch/arm/probes/kprobes/test-core.c
++++ b/arch/arm/probes/kprobes/test-core.c
+@@ -780,7 +780,7 @@ static const char coverage_register_lookup[16] = {
+ [REG_TYPE_NOSPPCX] = COVERAGE_ANY_REG | COVERAGE_SP,
+ };
+
+-unsigned coverage_start_registers(const struct decode_header *h)
++static unsigned coverage_start_registers(const struct decode_header *h)
+ {
+ unsigned regs = 0;
+ int i;
+diff --git a/arch/arm/probes/kprobes/test-core.h b/arch/arm/probes/kprobes/test-core.h
+index 94285203e9f74..459ebda077139 100644
+--- a/arch/arm/probes/kprobes/test-core.h
++++ b/arch/arm/probes/kprobes/test-core.h
+@@ -456,3 +456,7 @@ void kprobe_thumb32_test_cases(void);
+ #else
+ void kprobe_arm_test_cases(void);
+ #endif
++
++void __kprobes_test_case_start(void);
++void __kprobes_test_case_end_16(void);
++void __kprobes_test_case_end_32(void);
+--
+2.39.2
+
diff --git a/queue-4.14/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch b/queue-4.14/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch
new file mode 100644
index 00000000000..13f3293af25
--- /dev/null
+++ b/queue-4.14/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch
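Review bot: The description and the code disagree about `coverage_start_registers()`: the message says it is used from assembler code and only needs a declaration, yet the test-core.c hunk makes it `static`, and test-core.h gains prototypes only for the three `__kprobes_test_case_*` symbols. If an assembler or cross-file reference to it does exist in the 4.14 tree, the `static` would break the build, so that is worth confirming before the backport is queued. The same check applies to `kprobe_handler()`: its second Fixes: tag names a jprobe removal that may not be part of 4.14, so other users of the symbol may still be present there.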
@@ -0,0 +1,42 @@
+From 59200e68dfcfdfb4a2ad6b8167eeb9b77c82e9d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 May 2023 14:28:30 +0200
+Subject: ARM: dts: BCM5301X: Drop "clock-names" from the SPI node
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki
+
+[ Upstream commit d3c8e2c5757153bbfad70019ec1decbca86f3def ]
+
+There is no such property in the SPI controller binding documentation.
+Also Linux driver doesn't look for it.
+
+This fixes:
+arch/arm/boot/dts/bcm4708-asus-rt-ac56u.dtb: spi@18029200: Unevaluated properties are not allowed ('clock-names' was unexpected)
+ From schema: Documentation/devicetree/bindings/spi/brcm,spi-bcm-qspi.yaml
+
+Signed-off-by: Rafał Miłecki
+Link: https://lore.kernel.org/r/20230503122830.3200-1-zajec5@gmail.com
+Signed-off-by: Florian Fainelli
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/bcm5301x.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi
+index c3b6ba4db8e3d..b48d8336b798e 100644
+--- a/arch/arm/boot/dts/bcm5301x.dtsi
++++ b/arch/arm/boot/dts/bcm5301x.dtsi
+@@ -449,7 +449,6 @@ spi@18029200 {
+ "spi_lr_session_done",
+ "spi_lr_overread";
+ clocks = <&iprocmed>;
+- clock-names = "iprocmed";
+ num-cs = <2>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+--
+2.39.2
+
diff --git a/queue-4.14/arm-ep93xx-fix-missing-prototype-warnings.patch b/queue-4.14/arm-ep93xx-fix-missing-prototype-warnings.patch
new file mode 100644
index 00000000000..d47c9c6a95a
--- /dev/null
+++ b/queue-4.14/arm-ep93xx-fix-missing-prototype-warnings.patch
@@ -0,0 +1,48 @@
+From 921bc0f23cfccbf4c8f5c3258a19e5ccf2c59f83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 17:30:58 +0200
+Subject: ARM: ep93xx: fix missing-prototype warnings
+
+From: Arnd Bergmann
+
+[ Upstream commit 419013740ea1e4343d8ade535d999f59fa28e460 ]
+
+ep93xx_clocksource_read() is only called from the file it is declared in,
+while ep93xx_timer_init() is declared in a header that is not included here.
+
+arch/arm/mach-ep93xx/timer-ep93xx.c:120:13: error: no previous prototype for 'ep93xx_timer_init'
+arch/arm/mach-ep93xx/timer-ep93xx.c:63:5: error: no previous prototype for 'ep93xx_clocksource_read'
+
+Fixes: 000bc17817bf ("ARM: ep93xx: switch to GENERIC_CLOCKEVENTS")
+Acked-by: Alexander Sverdlin
+Link: https://lore.kernel.org/r/20230516153109.514251-3-arnd@kernel.org
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-ep93xx/timer-ep93xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-ep93xx/timer-ep93xx.c b/arch/arm/mach-ep93xx/timer-ep93xx.c
+index de998830f534f..b07956883e165 100644
+--- a/arch/arm/mach-ep93xx/timer-ep93xx.c
++++ b/arch/arm/mach-ep93xx/timer-ep93xx.c
+@@ -9,6 +9,7 @@
+ #include
+ #include
+ #include "soc.h"
++#include "platform.h"
+
+ /*************************************************************************
+ * Timer handling for EP93xx
+@@ -60,7 +61,7 @@ static u64 notrace ep93xx_read_sched_clock(void)
+ return ret;
+ }
+
+-u64 ep93xx_clocksource_read(struct clocksource *c)
++static u64 ep93xx_clocksource_read(struct clocksource *c)
+ {
+ u64 ret;
+
+--
+2.39.2
+
diff --git a/queue-4.14/asoc-es8316-increment-max-value-for-alc-capture-targ.patch b/queue-4.14/asoc-es8316-increment-max-value-for-alc-capture-targ.patch
new file mode 100644
index 00000000000..21f839edf6b
--- /dev/null
+++ b/queue-4.14/asoc-es8316-increment-max-value-for-alc-capture-targ.patch
@@ -0,0 +1,91 @@
+From fccbe8e3a2d8d9351271ae6205222ad2cb191a86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 May 2023 21:11:38 +0300
+Subject: ASoC: es8316: Increment max value for ALC Capture Target Volume
+ control
+
+From: Cristian Ciocaltea
+
+[ Upstream commit 6f073429037cd79d7311cd8236311c53f5ea8f01 ]
+
+The following error occurs when trying to restore a previously saved
+ALSA mixer state (tested on a Rock 5B board):
+
+ $ alsactl --no-ucm -f /tmp/asound.state store hw:Analog
+ $ alsactl --no-ucm -I -f /tmp/asound.state restore hw:Analog
+ alsactl: set_control:1475: Cannot write control '2:0:0:ALC Capture Target Volume:0' : Invalid argument
+
+According to ES8316 datasheet, the register at address 0x2B, which is
+related to the above mixer control, contains by default the value 0xB0.
+Considering the corresponding ALC target bits (ALCLVL) are 7:4, the
+control is initialized with 11, which is one step above the maximum
+value allowed by the driver:
+
+ ALCLVL | dB gain
+ -------+--------
+ 0000 | -16.5
+ 0001 | -15.0
+ 0010 | -13.5
+ .... | .....
+ 0111 | -6.0
+ 1000 | -4.5
+ 1001 | -3.0
+ 1010 | -1.5
+ .... | .....
+ 1111 | -1.5
+
+The tests performed using the VU meter feature (--vumeter=TYPE) of
+arecord/aplay confirm the specs are correct and there is no measured
+gain if the 1011-1111 range would have been mapped to 0 dB:
+
+ dB gain | VU meter %
+ --------+-----------
+ -6.0 | 30-31
+ -4.5 | 35-36
+ -3.0 | 42-43
+ -1.5 | 50-51
+ 0.0 | 50-51
+
+Increment the max value allowed for ALC Capture Target Volume control,
+so that it matches the hardware default. Additionally, update the
+related TLV to prevent an artificial extension of the dB gain range.
+
+Fixes: b8b88b70875a ("ASoC: add es8316 codec driver")
+Signed-off-by: Cristian Ciocaltea
+Link: https://lore.kernel.org/r/20230530181140.483936-2-cristian.ciocaltea@collabora.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/es8316.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c
+index 0410f2e5183c3..fad918c44ec97 100644
+--- a/sound/soc/codecs/es8316.c
++++ b/sound/soc/codecs/es8316.c
+@@ -45,7 +45,12 @@ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(dac_vol_tlv, -9600, 50, 1);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(adc_vol_tlv, -9600, 50, 1);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_max_gain_tlv, -650, 150, 0);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_min_gain_tlv, -1200, 150, 0);
+-static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_target_tlv, -1650, 150, 0);
++
++static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(alc_target_tlv,
++ 0, 10, TLV_DB_SCALE_ITEM(-1650, 150, 0),
++ 11, 11, TLV_DB_SCALE_ITEM(-150, 0, 0),
++);
++
+ static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(hpmixer_gain_tlv,
+ 0, 4, TLV_DB_SCALE_ITEM(-1200, 150, 0),
+ 8, 11, TLV_DB_SCALE_ITEM(-450, 150, 0),
+@@ -107,7 +112,7 @@ static const struct snd_kcontrol_new es8316_snd_controls[] = {
+ alc_max_gain_tlv),
+ SOC_SINGLE_TLV("ALC Capture Min Volume", ES8316_ADC_ALC2, 0, 28, 0,
+ alc_min_gain_tlv),
+- SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 10, 0,
++ SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 11, 0,
+ alc_target_tlv),
+ SOC_SINGLE("ALC Capture Hold Time", ES8316_ADC_ALC3, 0, 10, 0),
+ SOC_SINGLE("ALC Capture Decay Time", ES8316_ADC_ALC4, 4, 10, 0),
+--
+2.39.2
+
diff --git a/queue-4.14/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch b/queue-4.14/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
new file mode 100644
index 00000000000..0d34459240d
--- /dev/null
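Review bot: The new `alc_target_tlv` range table has no comment explaining why index 11 repeats the -1.5 dB already reached at index 10, so a later reader could take `11, 11, TLV_DB_SCALE_ITEM(-150, 0, 0)` for a typo. A one-line comment above the declaration, e.g. `/* ALCLVL 1011 (the 0xB0 register default) gives the same -1.5 dB as 1010 */`, would keep the datasheet fact from the commit message next to the code. The message's table lists ALCLVL values up to 1111 while the control maximum is now 11, so whether a register value of 12-15 can still be read back out of range is worth confirming.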
+++ b/queue-4.14/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch 
@@ -0,0 +1,88 @@
+From 72d036cf88b1942e9956b74ea46257ac4bebb6cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 May 2023 15:33:34 -0700
+Subject: crypto: nx - fix build warnings when DEBUG_FS is not enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap
+
+[ Upstream commit b04b076fb56560b39d695ac3744db457e12278fd ]
+
+Fix build warnings when DEBUG_FS is not enabled by using an empty
+do-while loop instead of a value:
+
+In file included from ../drivers/crypto/nx/nx.c:27:
+../drivers/crypto/nx/nx.c: In function 'nx_register_algs':
+../drivers/crypto/nx/nx.h:173:33: warning: statement with no effect [-Wunused-value]
+ 173 | #define NX_DEBUGFS_INIT(drv) (0)
+../drivers/crypto/nx/nx.c:573:9: note: in expansion of macro 'NX_DEBUGFS_INIT'
+ 573 | NX_DEBUGFS_INIT(&nx_driver);
+../drivers/crypto/nx/nx.c: In function 'nx_remove':
+../drivers/crypto/nx/nx.h:174:33: warning: statement with no effect [-Wunused-value]
+ 174 | #define NX_DEBUGFS_FINI(drv) (0)
+../drivers/crypto/nx/nx.c:793:17: note: in expansion of macro 'NX_DEBUGFS_FINI'
+ 793 | NX_DEBUGFS_FINI(&nx_driver);
+
+Also, there is no need to build nx_debugfs.o when DEBUG_FS is not
+enabled, so change the Makefile to accommodate that.
+
+Fixes: ae0222b7289d ("powerpc/crypto: nx driver code supporting nx encryption")
+Fixes: aef7b31c8833 ("powerpc/crypto: Build files for the nx device driver")
+Signed-off-by: Randy Dunlap
+Cc: Breno Leitão
+Cc: Nayna Jain
+Cc: Paulo Flabiano Smorigo
+Cc: Herbert Xu
+Cc: "David S. Miller"
+Cc: linux-crypto@vger.kernel.org
+Cc: Michael Ellerman
+Cc: Nicholas Piggin
+Cc: Christophe Leroy
+Cc: linuxppc-dev@lists.ozlabs.org
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/nx/Makefile | 2 +-
+ drivers/crypto/nx/nx.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/nx/Makefile b/drivers/crypto/nx/Makefile
+index 015155da59c29..76139865d7fa1 100644
+--- a/drivers/crypto/nx/Makefile
++++ b/drivers/crypto/nx/Makefile
+@@ -1,7 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ obj-$(CONFIG_CRYPTO_DEV_NX_ENCRYPT) += nx-crypto.o
+ nx-crypto-objs := nx.o \
+- nx_debugfs.o \
+ nx-aes-cbc.o \
+ nx-aes-ecb.o \
+ nx-aes-gcm.o \
+@@ -11,6 +10,7 @@ nx-crypto-objs := nx.o \
+ nx-sha256.o \
+ nx-sha512.o
+
++nx-crypto-$(CONFIG_DEBUG_FS) += nx_debugfs.o
+ obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_PSERIES) += nx-compress-pseries.o nx-compress.o
+ obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_POWERNV) += nx-compress-powernv.o nx-compress.o
+ nx-compress-objs := nx-842.o
+diff --git a/drivers/crypto/nx/nx.h b/drivers/crypto/nx/nx.h
+index c3e54af18645c..ebad937a9545c 100644
+--- a/drivers/crypto/nx/nx.h
++++ b/drivers/crypto/nx/nx.h
+@@ -180,8 +180,8 @@ struct nx_sg *nx_walk_and_build(struct nx_sg *, unsigned int,
+ int nx_debugfs_init(struct nx_crypto_driver *);
+ void nx_debugfs_fini(struct nx_crypto_driver *);
+ #else
+-#define NX_DEBUGFS_INIT(drv) (0)
+-#define NX_DEBUGFS_FINI(drv) (0)
++#define NX_DEBUGFS_INIT(drv) do {} while (0)
++#define NX_DEBUGFS_FINI(drv) do {} while (0)
+ #endif
+
+ #define NX_PAGE_NUM(x) ((u64)(x) & 0xfffffffffffff000ULL)
+--
+2.39.2
+
diff --git a/queue-4.14/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch b/queue-4.14/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
new file mode 100644
index 00000000000..272b3c4703f
--- /dev/null
+++ b/queue-4.14/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
@@ -0,0 +1,51 @@
+From bcb67259ce1344cd061230405da5aba87b462e3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 10:50:39 +0200
+Subject: drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
+
+From: Dario Binacchi
+
+[ Upstream commit f24b49550814fdee4a98b9552e35e243ccafd4a8 ]
+
+The previous setting was related to the overall dimension and not to the
+active display area.
+In the "PHYSICAL SPECIFICATIONS" section, the datasheet shows the
+following parameters:
+
+ ----------------------------------------------------------
+| Item | Specifications | unit |
+ ----------------------------------------------------------
+| Display area | 98.7 (W) x 57.5 (H) | mm |
+ ----------------------------------------------------------
+| Overall dimension | 105.5(W) x 67.2(H) x 4.96(D) | mm |
+ ----------------------------------------------------------
+
+Fixes: 966fea78adf2 ("drm/panel: simple: Add support for Ampire AM-480272H3TMQW-T01H")
+Signed-off-by: Dario Binacchi
+Reviewed-by: Neil Armstrong
+[narmstrong: fixed Fixes commit id length]
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20230516085039.3797303-1-dario.binacchi@amarulasolutions.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panel/panel-simple.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index 6df312ba1826b..8bee025c0622f 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -407,8 +407,8 @@ static const struct panel_desc ampire_am_480272h3tmqw_t01h = {
+ .num_modes = 1,
+ .bpc = 8,
+ .size = {
+- .width = 105,
+- .height = 67,
++ .width = 99,
++ .height = 58,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X24,
+ };
+--
+2.39.2
+
diff --git a/queue-4.14/drm-radeon-fix-possible-division-by-zero-errors.patch b/queue-4.14/drm-radeon-fix-possible-division-by-zero-errors.patch
new file mode 100644
index 00000000000..d93d477eea8
--- /dev/null
+++ b/queue-4.14/drm-radeon-fix-possible-division-by-zero-errors.patch
@@ -0,0 +1,94 @@
+From e42659e8b9ad9591c59c292d438a9bfc84ce7a0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 May 2023 08:33:27 -0700
+Subject: drm/radeon: fix possible division-by-zero errors
+
+From: Nikita Zhandarovich
+
+[ Upstream commit 1becc57cd1a905e2aa0e1eca60d2a37744525c4a ]
+
+Function rv740_get_decoded_reference_divider() may return 0 due to
+unpredictable reference divider value calculated in
+radeon_atom_get_clock_dividers(). This will lead to
+division-by-zero error once that value is used as a divider
+in calculating 'clk_s'.
+While unlikely, this issue should nonetheless be prevented so add a
+sanity check for such cases by testing 'decoded_ref' value against 0.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+v2: minor coding style fixes (Alex)
+In practice this should actually happen as the vbios should be
+properly populated.
+
+Fixes: 66229b200598 ("drm/radeon/kms: add dpm support for rv7xx (v4)")
+Signed-off-by: Nikita Zhandarovich
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/radeon/cypress_dpm.c | 8 ++++++--
+ drivers/gpu/drm/radeon/ni_dpm.c | 8 ++++++--
+ drivers/gpu/drm/radeon/rv740_dpm.c | 8 ++++++--
+ 3 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c
+index 3eb7899a4035b..2c637e04dfebc 100644
+--- a/drivers/gpu/drm/radeon/cypress_dpm.c
++++ b/drivers/gpu/drm/radeon/cypress_dpm.c
+@@ -558,8 +558,12 @@ static int cypress_populate_mclk_value(struct radeon_device *rdev,
+ ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
+ u32 reference_clock = rdev->clock.mpll.reference_freq;
+ u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
+- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
+- u32 clk_v = ss.percentage *
++ u32 clk_s, clk_v;
++
++ if (!decoded_ref)
++ return -EINVAL;
++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
++ clk_v = ss.percentage *
+ (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625);
+
+ mpll_ss1 &= ~CLKV_MASK;
+diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c
+index fa88c18099464..701c99a551388 100644
+--- a/drivers/gpu/drm/radeon/ni_dpm.c
++++ b/drivers/gpu/drm/radeon/ni_dpm.c
+@@ -2239,8 +2239,12 @@ static int ni_populate_mclk_value(struct radeon_device *rdev,
+ ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
+ u32 reference_clock = rdev->clock.mpll.reference_freq;
+ u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
+- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
+- u32 clk_v = ss.percentage *
++ u32 clk_s, clk_v;
++
++ if (!decoded_ref)
++ return -EINVAL;
++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
++ clk_v = ss.percentage *
+ (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625);
+
+ mpll_ss1 &= ~CLKV_MASK;
+diff --git a/drivers/gpu/drm/radeon/rv740_dpm.c b/drivers/gpu/drm/radeon/rv740_dpm.c
+index afd597ec50858..50290e93c79dc 100644
+--- a/drivers/gpu/drm/radeon/rv740_dpm.c
++++ b/drivers/gpu/drm/radeon/rv740_dpm.c
+@@ -251,8 +251,12 @@ int rv740_populate_mclk_value(struct radeon_device *rdev,
+ ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
+ u32 reference_clock = rdev->clock.mpll.reference_freq;
+ u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
+- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
+- u32 clk_v = 0x40000 * ss.percentage *
++ u32 clk_s, clk_v;
++
++ if (!decoded_ref)
++ return -EINVAL;
++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
++ clk_v = 0x40000 * ss.percentage *
+ (dividers.whole_fb_div + (dividers.frac_fb_div / 8)) / (clk_s * 10000);
+
+ mpll_ss1 &= ~CLKV_MASK;
+--
+2.39.2
+
diff --git a/queue-4.14/evm-complete-description-of-evm_inode_setattr.patch b/queue-4.14/evm-complete-description-of-evm_inode_setattr.patch
new file mode 100644
index 00000000000..d127f3d3cc4
--- /dev/null
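Review bot: The new `if (!decoded_ref)` guard covers only one factor of the divisor: `clk_s = reference_clock * 5 / (decoded_ref * ss.rate)` still divides by zero when `ss.rate` is 0, and the `clk_v` expression that follows divides by `clk_s * 625` (`clk_s * 10000` in rv740_dpm.c), which is zero whenever the first quotient truncates to 0. The same pattern is present in all three file hunks (cypress_dpm.c, ni_dpm.c, rv740_dpm.c). Extending the check to `if (!decoded_ref || !ss.rate) return -EINVAL;` and adding `if (!clk_s) return -EINVAL;` before `clk_v` is computed would close both paths; whether the VBIOS tables can actually yield such values is not visible here. The enclosing functions start and end outside the hunks.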
+++ b/queue-4.14/evm-complete-description-of-evm_inode_setattr.patch
@@ -0,0 +1,39 @@
+From dc1f0b308572962cdfc4f9dfed3800c8a64c1b8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Mar 2023 11:40:36 +0100
+Subject: evm: Complete description of evm_inode_setattr()
+
+From: Roberto Sassu
+
+[ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ]
+
+Add the description for missing parameters of evm_inode_setattr() to
+avoid the warning arising with W=n compile option.
+
+Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+
+Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+
+Signed-off-by: Roberto Sassu
+Reviewed-by: Stefan Berger
+Signed-off-by: Mimi Zohar
+Signed-off-by: Sasha Levin
+---
+ security/integrity/evm/evm_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
+index 6e761b07cb3f0..9b75166619236 100644
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -427,7 +427,9 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
+
+ /**
+ * evm_inode_setattr - prevent updating an invalid EVM extended attribute
++ * @idmap: idmap of the mount
+ * @dentry: pointer to the affected dentry
++ * @attr: iattr structure containing the new file attributes
+ *
+ * Permit update of file attributes when files have a valid EVM signature,
+ * except in the case of them having an immutable portable signature.
+--
+2.39.2
+
diff --git a/queue-4.14/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch b/queue-4.14/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch
new file mode 100644
index 00000000000..1e13e21bea7
--- /dev/null
+++ b/queue-4.14/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch
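Review bot: The added ` * @idmap: idmap of the mount` line probably documents a parameter that does not exist in this tree, because the patch's own second Fixes: tag marks the mnt_idmap conversion as `# v6.3+` and this is the 4.14 queue. If evm_inode_setattr() here takes only `dentry` and `attr` (its signature lies outside the hunk), kernel-doc would report an excess parameter, trading one W=n warning for another. For this backport, keep ` * @attr: iattr structure containing the new file attributes` and drop the `@idmap` line.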
@@ -0,0 +1,44 @@ +From 9b0e44c7e91e78627600eaea1653ffcd58762808 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jun 2023 17:42:28 +0200 +Subject: fbdev: omapfb: lcd_mipid: Fix an error handling path in + mipid_spi_probe() + +From: Christophe JAILLET + +[ Upstream commit 79a3908d1ea6c35157a6d907b1a9d8ec06015e7a ] + +If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak. + +Fixes: 66d2f99d0bb5 ("omapfb: add support for MIPI-DCS compatible LCDs") +Signed-off-by: Christophe JAILLET +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/omap/lcd_mipid.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/omap/lcd_mipid.c b/drivers/video/fbdev/omap/lcd_mipid.c +index e3a85432f9266..5730355ee5986 100644 +--- a/drivers/video/fbdev/omap/lcd_mipid.c ++++ b/drivers/video/fbdev/omap/lcd_mipid.c +@@ -576,11 +576,15 @@ static int mipid_spi_probe(struct spi_device *spi) + + r = mipid_detect(md); + if (r < 0) +- return r; ++ goto free_md; + + omapfb_register_panel(&md->panel); + + return 0; ++ ++free_md: ++ kfree(md); ++ return r; + } + + static int mipid_spi_remove(struct spi_device *spi) +-- +2.39.2 + diff --git a/queue-4.14/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch b/queue-4.14/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch new file mode 100644 index 00000000000..8b98c12f033 --- /dev/null +++ b/queue-4.14/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch 
@@ -0,0 +1,190 @@ +From 90872d4db4ed3760deecf49994898ae9e5cdd1ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jun 2023 14:32:31 -0700 +Subject: gtp: Fix use-after-free in __gtp_encap_destroy(). + +From: Kuniyuki Iwashima + +[ Upstream commit ce3aee7114c575fab32a5e9e939d4bbb3dcca79f ] + +syzkaller reported use-after-free in __gtp_encap_destroy(). [0] + +It shows the same process freed sk and touched it illegally. + +Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() +and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, +but release_sock() is called after sock_put() releases the last refcnt. + +[0]: +BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] +BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] +BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] +BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] +BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 +Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 + +CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:351 [inline] + print_report+0xcc/0x620 mm/kasan/report.c:462 + kasan_report+0xb2/0xe0 mm/kasan/report.c:572 + check_region_inline mm/kasan/generic.c:181 [inline] + kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 + instrument_atomic_read_write include/linux/instrumented.h:96 [inline] + 
atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] + queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] + do_raw_spin_lock include/linux/spinlock.h:186 [inline] + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] + _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:355 [inline] + release_sock+0x1f/0x1a0 net/core/sock.c:3526 + gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] + gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 + gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 + unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 + rtnl_delete_link net/core/rtnetlink.c:3216 [inline] + rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 + rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 + netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b7/0x200 net/socket.c:747 + ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 + ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 + __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7f1168b1fe5d +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 +RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d +RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 +RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 
0000000000000000 +R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 + + +Allocated by task 1483: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328 + kasan_slab_alloc include/linux/kasan.h:186 [inline] + slab_post_alloc_hook mm/slab.h:711 [inline] + slab_alloc_node mm/slub.c:3451 [inline] + slab_alloc mm/slub.c:3459 [inline] + __kmem_cache_alloc_lru mm/slub.c:3466 [inline] + kmem_cache_alloc+0x16d/0x340 mm/slub.c:3475 + sk_prot_alloc+0x5f/0x280 net/core/sock.c:2073 + sk_alloc+0x34/0x6c0 net/core/sock.c:2132 + inet6_create net/ipv6/af_inet6.c:192 [inline] + inet6_create+0x2c7/0xf20 net/ipv6/af_inet6.c:119 + __sock_create+0x2a1/0x530 net/socket.c:1535 + sock_create net/socket.c:1586 [inline] + __sys_socket_create net/socket.c:1623 [inline] + __sys_socket_create net/socket.c:1608 [inline] + __sys_socket+0x137/0x250 net/socket.c:1651 + __do_sys_socket net/socket.c:1664 [inline] + __se_sys_socket net/socket.c:1662 [inline] + __x64_sys_socket+0x72/0xb0 net/socket.c:1662 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Freed by task 2401: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free mm/kasan/common.c:200 [inline] + __kasan_slab_free+0x10c/0x1b0 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:162 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook mm/slub.c:1807 [inline] + slab_free mm/slub.c:3786 [inline] + kmem_cache_free+0xb4/0x490 mm/slub.c:3808 + sk_prot_free net/core/sock.c:2113 [inline] + __sk_destruct+0x500/0x720 net/core/sock.c:2207 + sk_destruct+0xc1/0xe0 net/core/sock.c:2222 + __sk_free+0xed/0x3d0 net/core/sock.c:2233 + 
sk_free+0x7c/0xa0 net/core/sock.c:2244 + sock_put include/net/sock.h:1981 [inline] + __gtp_encap_destroy+0x165/0x1b0 drivers/net/gtp.c:634 + gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] + gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 + gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 + unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 + rtnl_delete_link net/core/rtnetlink.c:3216 [inline] + rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 + rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 + netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b7/0x200 net/socket.c:747 + ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 + ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 + __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +The buggy address belongs to the object at ffff88800dbef300 + which belongs to the cache UDPv6 of size 1344 +The buggy address is located 152 bytes inside of + freed 1344-byte region [ffff88800dbef300, ffff88800dbef840) + +The buggy address belongs to the physical page: +page:00000000d31bfed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800dbeed40 pfn:0xdbe8 +head:00000000d31bfed5 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +memcg:ffff888008ee0801 +flags: 0x100000000010200(slab|head|node=0|zone=1) +page_type: 0xffffffff() +raw: 0100000000010200 ffff88800c7a3000 dead000000000122 0000000000000000 +raw: ffff88800dbeed40 0000000080160015 00000001ffffffff ffff888008ee0801 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800dbef280: fc fc fc fc fc fc fc fc fc 
fc fc fc fc fc fc fc + ffff88800dbef300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88800dbef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88800dbef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88800dbef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Pablo Neira Ayuso +Link: https://lore.kernel.org/r/20230622213231.24651-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 666f5e5740afc..d7bf8212ff04a 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -301,7 +301,9 @@ static void __gtp_encap_destroy(struct sock *sk) + gtp->sk1u = NULL; + udp_sk(sk)->encap_type = 0; + rcu_assign_sk_user_data(sk, NULL); ++ release_sock(sk); + sock_put(sk); ++ return; + } + release_sock(sk); + } +-- +2.39.2 + diff --git a/queue-4.14/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch b/queue-4.14/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch new file mode 100644 index 00000000000..3ced3c4e033 --- /dev/null +++ b/queue-4.14/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch 
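Review bot: The new `release_sock(sk);` ahead of `sock_put(sk);` in __gtp_encap_destroy() is the whole fix, but nothing in the code records why that order matters. The added `return;` also leaves two unlock paths, which a later cleanup could fold back into the freed-then-unlocked order the KASAN report shows. I would put a comment directly above the new call, for example `/* unlock before sock_put(): dropping the last reference may free sk */`. The start of the function, including the matching lock_sock() named in the commit message, is outside the hunk.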
@@ -0,0 +1,39 @@ +From 5ea373ea053b20d1edf8c85d046cd5550f88eb30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 17:27:55 -0700 +Subject: Input: adxl34x - do not hardcode interrupt trigger type + +From: Marek Vasut + +[ Upstream commit e96220bce5176ed2309f77f061dcc0430b82b25e ] + +Instead of hardcoding IRQ trigger type to IRQF_TRIGGER_HIGH, let's +respect the settings specified in the firmware description. + +Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers") +Signed-off-by: Marek Vasut +Acked-by: Michael Hennerich +Link: https://lore.kernel.org/r/20230509203555.549158-1-marex@denx.de +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/adxl34x.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c +index 2e189646d8fe2..d56ab4b25edf4 100644 +--- a/drivers/input/misc/adxl34x.c ++++ b/drivers/input/misc/adxl34x.c +@@ -811,8 +811,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq, + AC_WRITE(ac, POWER_CTL, 0); + + err = request_threaded_irq(ac->irq, NULL, adxl34x_irq, +- IRQF_TRIGGER_HIGH | IRQF_ONESHOT, +- dev_name(dev), ac); ++ IRQF_ONESHOT, dev_name(dev), ac); + if (err) { + dev_err(dev, "irq %d busy?\n", ac->irq); + goto err_free_mem; +-- +2.39.2 + diff --git a/queue-4.14/input-drv260x-sleep-between-polling-go-bit.patch b/queue-4.14/input-drv260x-sleep-between-polling-go-bit.patch new file mode 100644 index 00000000000..2c089ef1b90 --- /dev/null +++ b/queue-4.14/input-drv260x-sleep-between-polling-go-bit.patch 
@@ -0,0 +1,39 @@ +From 9701a5f646ee3ea5c89c5b4fc820ed480cc38a0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 May 2023 17:01:45 -0700 +Subject: Input: drv260x - sleep between polling GO bit + +From: Luca Weiss + +[ Upstream commit efef661dfa6bf8cbafe4cd6a97433fcef0118967 ] + +When doing the initial startup there's no need to poll without any +delay and spam the I2C bus. + +Let's sleep 15ms between each attempt, which is the same time as used +in the vendor driver. + +Fixes: 7132fe4f5687 ("Input: drv260x - add TI drv260x haptics driver") +Signed-off-by: Luca Weiss +Link: https://lore.kernel.org/r/20230430-drv260x-improvements-v1-2-1fb28b4cc698@z3ntu.xyz +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/drv260x.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c +index 17eb84ab4c0b7..fe3fbde989be2 100644 +--- a/drivers/input/misc/drv260x.c ++++ b/drivers/input/misc/drv260x.c +@@ -443,6 +443,7 @@ static int drv260x_init(struct drv260x_data *haptics) + } + + do { ++ usleep_range(15000, 15500); + error = regmap_read(haptics->regmap, DRV260X_GO, &cal_buf); + if (error) { + dev_err(&haptics->client->dev, +-- +2.39.2 + diff --git a/queue-4.14/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch b/queue-4.14/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch new file mode 100644 index 00000000000..e13b4cb5eef --- /dev/null +++ b/queue-4.14/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch 
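Review bot: The `do {` loop in drv260x_init() now sleeps on every pass through the added `usleep_range(15000, 15500);`, but the hunk shows no limit on the number of passes. The loop's exit condition is outside the hunk; if it only tests the GO bit, a device that never clears the bit would keep initialisation sleeping indefinitely. I would cap the poll with a counter and fail with `-ETIMEDOUT` once it is exhausted, e.g. `if (++tries > GO_POLL_MAX_TRIES) return -ETIMEDOUT;`, where `GO_POLL_MAX_TRIES` is a placeholder name for a limit chosen from the datasheet.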
@@ -0,0 +1,93 @@ +From b5159c9e9d1f86a7fc3b30077b60e3112478939e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 20:34:34 +0800 +Subject: kexec: fix a memory leak in crash_shrink_memory() + +From: Zhen Lei + +[ Upstream commit 1cba6c4309f03de570202c46f03df3f73a0d4c82 ] + +Patch series "kexec: enable kexec_crash_size to support two crash kernel +regions". + +When crashkernel=X fails to reserve region under 4G, it will fall back to +reserve region above 4G and a region of the default size will also be +reserved under 4G. Unfortunately, /sys/kernel/kexec_crash_size only +supports one crash kernel region now, the user cannot sense the low memory +reserved by reading /sys/kernel/kexec_crash_size. Also, low memory cannot +be freed by writing this file. + +For example: +resource_size(crashk_res) = 512M +resource_size(crashk_low_res) = 256M + +The result of 'cat /sys/kernel/kexec_crash_size' is 512M, but it should be +768M. When we execute 'echo 0 > /sys/kernel/kexec_crash_size', the size +of crashk_res becomes 0 and resource_size(crashk_low_res) is still 256 MB, +which is incorrect. + +Since crashk_res manages the memory with high address and crashk_low_res +manages the memory with low address, crashk_low_res is shrunken only when +all crashk_res is shrunken. And because when there is only one crash +kernel region, crashk_res is always used. Therefore, if all crashk_res is +shrunken and crashk_low_res still exists, swap them. + +This patch (of 6): + +If the value of parameter 'new_size' is in the semi-open and semi-closed +interval (crashk_res.end - KEXEC_CRASH_MEM_ALIGN + 1, crashk_res.end], the +calculation result of ram_res is: + + ram_res->start = crashk_res.end + 1 + ram_res->end = crashk_res.end + +The operation of insert_resource() fails, and ram_res is not added to +iomem_resource. As a result, the memory of the control block ram_res is +leaked. 
+ +In fact, on all architectures, the start address and size of crashk_res +are already aligned by KEXEC_CRASH_MEM_ALIGN. Therefore, we do not need +to round up crashk_res.start again. Instead, we should round up +'new_size' in advance. + +Link: https://lkml.kernel.org/r/20230527123439.772-1-thunder.leizhen@huawei.com +Link: https://lkml.kernel.org/r/20230527123439.772-2-thunder.leizhen@huawei.com +Fixes: 6480e5a09237 ("kdump: add missing RAM resource in crash_shrink_memory()") +Fixes: 06a7f711246b ("kexec: premit reduction of the reserved memory size") +Signed-off-by: Zhen Lei +Acked-by: Baoquan He +Cc: Cong Wang +Cc: Eric W. Biederman +Cc: Michael Holzheu +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/kexec_core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c +index 27cf24e285e0c..3d87dcbb9cbd6 100644 +--- a/kernel/kexec_core.c ++++ b/kernel/kexec_core.c +@@ -1016,6 +1016,7 @@ int crash_shrink_memory(unsigned long new_size) + start = crashk_res.start; + end = crashk_res.end; + old_size = (end == 0) ? 0 : end - start + 1; ++ new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN); + if (new_size >= old_size) { + ret = (new_size == old_size) ? 0 : -EINVAL; + goto unlock; +@@ -1027,9 +1028,7 @@ int crash_shrink_memory(unsigned long new_size) + goto unlock; + } + +- start = roundup(start, KEXEC_CRASH_MEM_ALIGN); +- end = roundup(start + new_size, KEXEC_CRASH_MEM_ALIGN); +- ++ end = start + new_size; + crash_free_reserved_phys_range(end, crashk_res.end); + + if ((start == end) && (crashk_res.parent != NULL)) +-- +2.39.2 + diff --git a/queue-4.14/lib-ts_bm-reset-initial-match-offset-for-every-block.patch b/queue-4.14/lib-ts_bm-reset-initial-match-offset-for-every-block.patch new file mode 100644 index 00000000000..a278f033974 --- /dev/null +++ b/queue-4.14/lib-ts_bm-reset-initial-match-offset-for-every-block.patch 
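Review bot: `new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN);` in crash_shrink_memory() runs before any range check on `new_size`. Assuming roundup() is the usual add-then-divide macro, a value within one alignment unit of ULONG_MAX wraps to 0, fails the `new_size >= old_size` test, and is then handled as a request to release the whole reservation instead of returning -EINVAL. The value appears to come from a write to /sys/kernel/kexec_crash_size, so it is privileged input, but it should be rejected rather than wrapped. A check just above the roundup() line closes this: `if (new_size > old_size) { ret = -EINVAL; goto unlock; }`. The function starts and ends outside both kexec_core.c hunks.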
@@ -0,0 +1,59 @@ +From c9dce737312c5a1ed1b71235471dedb5e2f18ee1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 20:06:57 +0100 +Subject: lib/ts_bm: reset initial match offset for every block of text + +From: Jeremy Sowden + +[ Upstream commit 6f67fbf8192da80c4db01a1800c7fceaca9cf1f9 ] + +The `shift` variable which indicates the offset in the string at which +to start matching the pattern is initialized to `bm->patlen - 1`, but it +is not reset when a new block is retrieved. This means the implemen- +tation may start looking at later and later positions in each successive +block and miss occurrences of the pattern at the beginning. E.g., +consider a HTTP packet held in a non-linear skb, where the HTTP request +line occurs in the second block: + + [... 52 bytes of packet headers ...] + GET /bmtest HTTP/1.1\r\nHost: www.example.com\r\n\r\n + +and the pattern is "GET /bmtest". + +Once the first block comprising the packet headers has been examined, +`shift` will be pointing to somewhere near the end of the block, and so +when the second block is examined the request line at the beginning will +be missed. + +Reinitialize the variable for each new block. 
+ +Fixes: 8082e4ed0a61 ("[LIB]: Boyer-Moore extension for textsearch infrastructure strike #2") +Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390 +Signed-off-by: Jeremy Sowden +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + lib/ts_bm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/ts_bm.c b/lib/ts_bm.c +index 9e66ee4020e90..5de382e79a45a 100644 +--- a/lib/ts_bm.c ++++ b/lib/ts_bm.c +@@ -64,10 +64,12 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state) + struct ts_bm *bm = ts_config_priv(conf); + unsigned int i, text_len, consumed = state->offset; + const u8 *text; +- int shift = bm->patlen - 1, bs; ++ int bs; + const u8 icase = conf->flags & TS_IGNORECASE; + + for (;;) { ++ int shift = bm->patlen - 1; ++ + text_len = conf->get_next_block(consumed, &text, conf, state); + + if (unlikely(text_len == 0)) +-- +2.39.2 + diff --git a/queue-4.14/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch b/queue-4.14/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch new file mode 100644 index 00000000000..2dd362bca91 --- /dev/null +++ b/queue-4.14/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch 
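Review bot: Moving `int shift = bm->patlen - 1;` inside the `for (;;)` loop of bm_find() fixes matches at the start of a block, but the new code has no comment on what per-block matching still cannot find. As far as the hunk shows, each block is searched on its own, so a pattern that straddles two blocks of a non-linear skb would still go unreported. Callers that use this search to filter traffic should not treat "no match" as proof that the pattern is absent. I would document that at the declaration, e.g. `/* restart at patlen - 1 for each block; a match split across two blocks is not detected */`. The rest of the loop body is outside the hunk.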
@@ -0,0 +1,79 @@ +From fd3f8ebaefa1a130bfcb191177eb4582ded1719a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 17:18:39 +0800 +Subject: md/raid10: fix io loss while replacement replace rdev + +From: Li Nan + +[ Upstream commit 2ae6aaf76912bae53c74b191569d2ab484f24bf3 ] + +When removing a disk with replacement, the replacement will be used to +replace rdev. During this process, there is a brief window in which both +rdev and replacement are read as NULL in raid10_write_request(). This +will result in io not being submitted but it should be. + + //remove //write + raid10_remove_disk raid10_write_request + mirror->rdev = NULL + read rdev -> NULL + mirror->rdev = mirror->replacement + mirror->replacement = NULL + read replacement -> NULL + +Fix it by reading replacement first and rdev later, meanwhile, use smp_mb() +to prevent memory reordering. + +Fixes: 475b0321a4df ("md/raid10: writes should get directed to replacement as well as original.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230602091839.743798-3-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 95c3a21cd7335..25c8f3e3d2edb 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -775,8 +775,16 @@ static struct md_rdev *read_balance(struct r10conf *conf, + disk = r10_bio->devs[slot].devnum; + rdev = rcu_dereference(conf->mirrors[disk].replacement); + if (rdev == NULL || test_bit(Faulty, &rdev->flags) || +- r10_bio->devs[slot].addr + sectors > rdev->recovery_offset) ++ r10_bio->devs[slot].addr + sectors > ++ rdev->recovery_offset) { ++ /* ++ * Read replacement first to prevent reading both rdev ++ * and replacement as NULL during replacement replace ++ * rdev. 
++ */ ++ smp_mb(); + rdev = rcu_dereference(conf->mirrors[disk].rdev); ++ } + if (rdev == NULL || + test_bit(Faulty, &rdev->flags)) + continue; +@@ -1366,9 +1374,15 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio, + + for (i = 0; i < conf->copies; i++) { + int d = r10_bio->devs[i].devnum; +- struct md_rdev *rdev = rcu_dereference(conf->mirrors[d].rdev); +- struct md_rdev *rrdev = rcu_dereference( +- conf->mirrors[d].replacement); ++ struct md_rdev *rdev, *rrdev; ++ ++ rrdev = rcu_dereference(conf->mirrors[d].replacement); ++ /* ++ * Read replacement first to prevent reading both rdev and ++ * replacement as NULL during replacement replace rdev. ++ */ ++ smp_mb(); ++ rdev = rcu_dereference(conf->mirrors[d].rdev); + if (rdev == rrdev) + rrdev = NULL; + if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) { +-- +2.39.2 + diff --git a/queue-4.14/md-raid10-fix-overflow-of-md-safe_mode_delay.patch b/queue-4.14/md-raid10-fix-overflow-of-md-safe_mode_delay.patch new file mode 100644 index 00000000000..91e3002dd55 --- /dev/null +++ b/queue-4.14/md-raid10-fix-overflow-of-md-safe_mode_delay.patch 
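Review bot: Both new `smp_mb()` calls, in read_balance() and in raid10_write_request(), are commented with the read order only; neither comment names the writer-side barrier they pair with. A read-side barrier orders nothing unless raid10_remove_disk(), which this patch does not touch, also orders the `mirror->rdev = mirror->replacement` store before `mirror->replacement = NULL`. I would extend each comment with the pairing, e.g. `/* pairs with the barrier between the rdev and replacement stores in raid10_remove_disk() */`, after confirming that the barrier exists in the 4.14 tree. Both functions start and end outside their hunks.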
@@ -0,0 +1,51 @@ +From ada7592041afa34d47f688adc356223828cb5d62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 15:25:33 +0800 +Subject: md/raid10: fix overflow of md/safe_mode_delay + +From: Li Nan + +[ Upstream commit 6beb489b2eed25978523f379a605073f99240c50 ] + +There is no input check when echo md/safe_mode_delay in safe_delay_store(). +And msec might also overflow when HZ < 1000 in safe_delay_show(), Fix it by +checking overflow in safe_delay_store() and use unsigned long conversion in +safe_delay_show(). + +Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers") +Signed-off-by: Li Nan +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230522072535.1523740-2-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 69d1501d9160e..f2f3b42e44287 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -3647,8 +3647,9 @@ int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale) + static ssize_t + safe_delay_show(struct mddev *mddev, char *page) + { +- int msec = (mddev->safemode_delay*1000)/HZ; +- return sprintf(page, "%d.%03d\n", msec/1000, msec%1000); ++ unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ; ++ ++ return sprintf(page, "%u.%03u\n", msec/1000, msec%1000); + } + static ssize_t + safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len) +@@ -3660,7 +3661,7 @@ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len) + return -EINVAL; + } + +- if (strict_strtoul_scaled(cbuf, &msec, 3) < 0) ++ if (strict_strtoul_scaled(cbuf, &msec, 3) < 0 || msec > UINT_MAX / HZ) + return -EINVAL; + if (msec == 0) + mddev->safemode_delay = 0; +-- +2.39.2 + 
diff --git a/queue-4.14/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch b/queue-4.14/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch new file mode 100644 index 00000000000..3e62b317738 --- /dev/null +++ b/queue-4.14/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch @@ -0,0 +1,38 @@ +From 9ada9289bf5ba824602e49156355e7cf4267f7d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 15:25:34 +0800 +Subject: md/raid10: fix wrong setting of max_corr_read_errors + +From: Li Nan + +[ Upstream commit f8b20a405428803bd9881881d8242c9d72c6b2b2 ] + +There is no input check when echo md/max_read_errors and overflow might +occur. Add check of input number. + +Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230522072535.1523740-3-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index f2f3b42e44287..12392a4fb9c0d 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -4313,6 +4313,8 @@ max_corrected_read_errors_store(struct mddev *mddev, const char *buf, size_t len + rv = kstrtouint(buf, 10, &n); + if (rv < 0) + return rv; ++ if (n > INT_MAX) ++ return -EINVAL; + atomic_set(&mddev->max_corr_read_errors, n); + return len; + } +-- +2.39.2 + diff --git a/queue-4.14/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch b/queue-4.14/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch new file mode 100644 index 00000000000..42a72186b83 --- /dev/null +++ b/queue-4.14/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch 
@@ -0,0 +1,49 @@ +From c9705ee3e2527a4790f7b4a2685af0c79f2f3c4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 22:27:04 +0200 +Subject: memstick r592: make memstick_debug_get_tpc_name() static + +From: Arnd Bergmann + +[ Upstream commit 434587df9f7fd68575f99a889cc5f2efc2eaee5e ] + +There are no other files referencing this function, apparently +it was left global to avoid an 'unused function' warning when +the only caller is left out. With a 'W=1' build, it causes +a 'missing prototype' warning though: + +drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes] + +Annotate the function as 'static __maybe_unused' to avoid both +problems. + +Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/host/r592.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c +index d52c89b2a1d58..a2dbf3331689f 100644 +--- a/drivers/memstick/host/r592.c ++++ b/drivers/memstick/host/r592.c +@@ -47,12 +47,10 @@ static const char *tpc_names[] = { + * memstick_debug_get_tpc_name - debug helper that returns string for + * a TPC number + */ +-const char *memstick_debug_get_tpc_name(int tpc) ++static __maybe_unused const char *memstick_debug_get_tpc_name(int tpc) + { + return tpc_names[tpc-1]; + } +-EXPORT_SYMBOL(memstick_debug_get_tpc_name); +- + + /* Read a register*/ + static inline u32 r592_read_reg(struct r592_device *dev, int address) +-- +2.39.2 + diff --git a/queue-4.14/modpost-fix-off-by-one-in-is_executable_section.patch b/queue-4.14/modpost-fix-off-by-one-in-is_executable_section.patch new file mode 100644 index 00000000000..9c38026ee33 --- /dev/null 
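Review bot: `return tpc_names[tpc-1];` in memstick_debug_get_tpc_name() indexes the table with no range check, and making the function static does not change that. A `tpc` of 0, a negative value, or one past the last entry reads outside `tpc_names`. The hunk does not show how callers obtain `tpc`, so this may not be reachable today, but a debug helper should not rely on that. I would add a guard ahead of the lookup: `if (tpc < 1 || tpc > ARRAY_SIZE(tpc_names)) return "unknown";`.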
+++ b/queue-4.14/modpost-fix-off-by-one-in-is_executable_section.patch @@ -0,0 +1,36 @@ +From 66f24a80c4b814ecd862e31ed464c5d2378abf3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 11:23:40 +0300 +Subject: modpost: fix off by one in is_executable_section() + +From: Dan Carpenter + +[ Upstream commit 3a3f1e573a105328a2cca45a7cfbebabbf5e3192 ] + +The > comparison should be >= to prevent an out of bounds array +access. + +Fixes: 52dc0595d540 ("modpost: handle relocations mismatch in __ex_table.") +Signed-off-by: Dan Carpenter +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index 88f4586c35762..9e177b5531127 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1582,7 +1582,7 @@ static void default_mismatch_handler(const char *modname, struct elf_info *elf, + + static int is_executable_section(struct elf_info* elf, unsigned int section_index) + { +- if (section_index > elf->num_sections) ++ if (section_index >= elf->num_sections) + fatal("section_index is outside elf->num_sections!\n"); + + return ((elf->sechdrs[section_index].sh_flags & SHF_EXECINSTR) == SHF_EXECINSTR); +-- +2.39.2 + diff --git a/queue-4.14/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch b/queue-4.14/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch new file mode 100644 index 00000000000..f025428382d --- /dev/null +++ b/queue-4.14/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch 
@@ -0,0 +1,106 @@ +From d3d74491ff83fd3032a2d7f5dddcf106f8bae3ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 21:09:56 +0900 +Subject: modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24} + +From: Masahiro Yamada + +[ Upstream commit 56a24b8ce6a7f9c4a21b2276a8644f6f3d8fc14d ] + +addend_arm_rel() processes R_ARM_PC24, R_ARM_CALL, R_ARM_JUMP24 in a +wrong way. + +Here, test code. + +[test code for R_ARM_JUMP24] + + .section .init.text,"ax" + bar: + bx lr + + .section .text,"ax" + .globl foo + foo: + b bar + +[test code for R_ARM_CALL] + + .section .init.text,"ax" + bar: + bx lr + + .section .text,"ax" + .globl foo + foo: + push {lr} + bl bar + pop {pc} + +If you compile it with ARM multi_v7_defconfig, modpost will show the +symbol name, (unknown). + + WARNING: modpost: vmlinux.o: section mismatch in reference: foo (section: .text) -> (unknown) (section: .init.text) + +(You need to use GNU linker instead of LLD to reproduce it.) + +Fix the code to make modpost show the correct symbol name. + +I imported (with adjustment) sign_extend32() from include/linux/bitops.h. + +The '+8' is the compensation for pc-relative instruction. It is +documented in "ELF for the Arm Architecture" [1]. + + "If the relocation is pc-relative then compensation for the PC bias + (the PC value is 8 bytes ahead of the executing instruction in Arm + state and 4 bytes in Thumb state) must be encoded in the relocation + by the object producer." 
+ +[1]: https://github.com/ARM-software/abi-aa/blob/main/aaelf32/aaelf32.rst + +Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") +Fixes: 6e2e340b59d2 ("ARM: 7324/1: modpost: Fix section warnings for ARM for many compilers") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index f8bb964961b83..88f4586c35762 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1763,12 +1763,20 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + #define R_ARM_THM_JUMP19 51 + #endif + ++static int32_t sign_extend32(int32_t value, int index) ++{ ++ uint8_t shift = 31 - index; ++ ++ return (int32_t)(value << shift) >> shift; ++} ++ + static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + { + unsigned int r_typ = ELF_R_TYPE(r->r_info); + Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); + void *loc = reloc_location(elf, sechdr, r); + uint32_t inst; ++ int32_t offset; + + switch (r_typ) { + case R_ARM_ABS32: +@@ -1778,6 +1786,10 @@ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + case R_ARM_PC24: + case R_ARM_CALL: + case R_ARM_JUMP24: ++ inst = TO_NATIVE(*(uint32_t *)loc); ++ offset = sign_extend32((inst & 0x00ffffff) << 2, 25); ++ r->r_addend = offset + sym->st_value + 8; ++ break; + case R_ARM_THM_CALL: + case R_ARM_THM_JUMP24: + case R_ARM_THM_JUMP19: +-- +2.39.2 + diff --git a/queue-4.14/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch b/queue-4.14/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch new file mode 100644 index 00000000000..2aea58f267f --- /dev/null +++ b/queue-4.14/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch 
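Review bot: The new `sign_extend32()` takes `int32_t value` and evaluates `value << shift` on the signed type, which ISO C leaves undefined when a set bit reaches the sign bit. With `index` 25 that happens for every negative branch offset, which is exactly the case the helper exists for. modpost is built as a host tool, so it may not get the overflow-related flags used for kernel code; common compilers produce the intended result, but the helper need not depend on that. Doing the left shift on an unsigned value gives the same result with defined behaviour: `return (int32_t)((uint32_t)value << shift) >> shift;`. The call in addend_arm_rel() already passes a uint32_t expression, so the parameter could be declared `uint32_t` too.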
@@ -0,0 +1,133 @@ +From 3c05290d5dfef05bf888e1bf1cacffb7320786e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 21:09:55 +0900 +Subject: modpost: fix section mismatch message for R_ARM_ABS32 + +From: Masahiro Yamada + +[ Upstream commit b7c63520f6703a25eebb4f8138fed764fcae1c6f ] + +addend_arm_rel() processes R_ARM_ABS32 in a wrong way. + +Here, test code. + + [test code 1] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + +If you compile it with ARM versatile_defconfig, modpost will show the +symbol name, (unknown). + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> (unknown) (section: .init.data) + +(You need to use GNU linker instead of LLD to reproduce it.) + +If you compile it for other architectures, modpost will show the correct +symbol name. + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) + +For R_ARM_ABS32, addend_arm_rel() sets r->r_addend to a wrong value. + +I just mimicked the code in arch/arm/kernel/module.c. + +However, there is more difficulty for ARM. + +Here, test code. + + [test code 2] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + + int __initdata bar; + int get_bar(void) { return bar; } + +With this commit applied, modpost will show the following messages +for ARM versatile_defconfig: + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) + WARNING: modpost: vmlinux.o: section mismatch in reference: get_bar (section: .text) -> foo (section: .init.data) + +The reference from 'get_bar' to 'foo' seems wrong. + +I have no solution for this because it is true in assembly level. + +In the following output, relocation at 0x1c is no longer associated +with 'bar'. The two relocation entries point to the same symbol, and +the offset to 'bar' is encoded in the instruction 'r0, [r3, #4]'. 
+ + Disassembly of section .text: + + 00000000 : + 0: e59f3004 ldr r3, [pc, #4] @ c + 4: e5930000 ldr r0, [r3] + 8: e12fff1e bx lr + c: 00000000 .word 0x00000000 + + 00000010 : + 10: e59f3004 ldr r3, [pc, #4] @ 1c + 14: e5930004 ldr r0, [r3, #4] + 18: e12fff1e bx lr + 1c: 00000000 .word 0x00000000 + + Relocation section '.rel.text' at offset 0x244 contains 2 entries: + Offset Info Type Sym.Value Sym. Name + 0000000c 00000c02 R_ARM_ABS32 00000000 .init.data + 0000001c 00000c02 R_ARM_ABS32 00000000 .init.data + +When find_elf_symbol() gets into a situation where relsym->st_name is +zero, there is no guarantee to get the symbol name as written in C. + +I am keeping the current logic because it is useful in many architectures, +but the symbol name is not always correct depending on the optimization. +I left some comments in find_tosym(). + +Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index ed2b7a16554e8..f8bb964961b83 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1271,6 +1271,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, + if (relsym->st_name != 0) + return relsym; + ++ /* ++ * Strive to find a better symbol name, but the resulting name may not ++ * match the symbol referenced in the original code. 
++ */ + relsym_secindex = get_secindex(elf, relsym); + for (sym = elf->symtab_start; sym < elf->symtab_stop; sym++) { + if (get_secindex(elf, sym) != relsym_secindex) +@@ -1762,12 +1766,14 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + { + unsigned int r_typ = ELF_R_TYPE(r->r_info); ++ Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); ++ void *loc = reloc_location(elf, sechdr, r); ++ uint32_t inst; + + switch (r_typ) { + case R_ARM_ABS32: +- /* From ARM ABI: (S + A) | T */ +- r->r_addend = (int)(long) +- (elf->symtab_start + ELF_R_SYM(r->r_info)); ++ inst = TO_NATIVE(*(uint32_t *)loc); ++ r->r_addend = inst + sym->st_value; + break; + case R_ARM_PC24: + case R_ARM_CALL: +-- +2.39.2 + diff --git a/queue-4.14/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch b/queue-4.14/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch new file mode 100644 index 00000000000..a03559f6531 --- /dev/null +++ b/queue-4.14/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch 
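Review bot: The new `R_ARM_ABS32` branch dereferences `sym->st_value` and `*(uint32_t *)loc`, whereas the removed code only cast the symbol pointer. Nothing visible in the hunk checks that `ELF_R_SYM(r->r_info)` stays below `elf->symtab_stop` or that `loc` lies inside the section data. On a truncated or malformed object this would presumably read outside the mapped file. A guard such as `if (sym >= elf->symtab_stop)` ahead of the switch, returning whatever failure value the function already uses, would turn that into a clean error. `addend_arm_rel()` and `reloc_location()` are only partly visible here, so an existing check elsewhere cannot be ruled out.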
@@ -0,0 +1,53 @@
+From 7df69f31d9aff4c9d7cc7a32c9ddab1de1843fb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jun 2023 11:23:46 +0000
+Subject: netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param()
+ return value.
+
+From: Ilia.Gavrilov
+
+[ Upstream commit f188d30087480eab421cd8ca552fb15f55d57f4d ]
+
+ct_sip_parse_numerical_param() returns only 0 or 1 now.
+But process_register_request() and process_register_response() imply
+checking for a negative value if parsing of a numerical header parameter
+failed.
+The invocation in nf_nat_sip() looks correct:
+ if (ct_sip_parse_numerical_param(...) > 0 &&
+ ...) { ... }
+
+Make the return value of the function ct_sip_parse_numerical_param()
+a tristate to fix all the cases
+a) return 1 if value is found; *val is set
+b) return 0 if value is not found; *val is unchanged
+c) return -1 on error; *val is undefined
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: 0f32a40fc91a ("[NETFILTER]: nf_conntrack_sip: create signalling expectations")
+Signed-off-by: Ilia.Gavrilov
+Reviewed-by: Simon Horman
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_sip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index 3b4c9407d6f26..13c58e2c25c2a 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -605,7 +605,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
+ start += strlen(name);
+ *val = simple_strtoul(start, &end, 0);
+ if (start == end)
+- return 0;
++ return -1;
+ if (matchoff && matchlen) {
+ *matchoff = start - dptr;
+ *matchlen = end - start;
+--
+2.39.2
+
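Review bot: The three-way return contract introduced by `return -1;` is stated only in the commit message, and on that path `*val` has already been overwritten by the `simple_strtoul()` line just above it. Since the text being parsed comes from SIP packet data, callers need to know they must not use `*val` after a negative return. I would put the contract on the function itself: `/* Returns 1 if the parameter is found (*val set), 0 if it is absent (*val unchanged), -1 on parse error (*val undefined). */`. The function starts and ends outside the hunk, so its callers cannot be checked from here.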
diff --git a/queue-4.14/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch b/queue-4.14/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
new file mode 100644
index 00000000000..5a98a6345ee
--- /dev/null
+++ b/queue-4.14/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
@@ -0,0 +1,152 @@ +From 91ef19223efa1fdae1754a3c594eefed2006b04b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 09:43:13 -0700 +Subject: netlink: Add __sock_i_ino() for __netlink_diag_dump(). + +From: Kuniyuki Iwashima + +[ Upstream commit 25a9c8a4431c364f97f75558cb346d2ad3f53fbb ] + +syzbot reported a warning in __local_bh_enable_ip(). [0] + +Commit 8d61f926d420 ("netlink: fix potential deadlock in +netlink_set_err()") converted read_lock(&nl_table_lock) to +read_lock_irqsave() in __netlink_diag_dump() to prevent a deadlock. + +However, __netlink_diag_dump() calls sock_i_ino() that uses +read_lock_bh() and read_unlock_bh(). If CONFIG_TRACE_IRQFLAGS=y, +read_unlock_bh() finally enables IRQ even though it should stay +disabled until the following read_unlock_irqrestore(). + +Using read_lock() in sock_i_ino() would trigger a lockdep splat +in another place that was fixed in commit f064af1e500a ("net: fix +a lockdep splat"), so let's add __sock_i_ino() that would be safe +to use under BH disabled. 
+ +[0]: +WARNING: CPU: 0 PID: 5012 at kernel/softirq.c:376 __local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 +Modules linked in: +CPU: 0 PID: 5012 Comm: syz-executor487 Not tainted 6.4.0-rc7-syzkaller-00202-g6f68fc395f49 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 +RIP: 0010:__local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 +Code: 45 bf 01 00 00 00 e8 91 5b 0a 00 e8 3c 15 3d 00 fb 65 8b 05 ec e9 b5 7e 85 c0 74 58 5b 5d c3 65 8b 05 b2 b6 b4 7e 85 c0 75 a2 <0f> 0b eb 9e e8 89 15 3d 00 eb 9f 48 89 ef e8 6f 49 18 00 eb a8 0f +RSP: 0018:ffffc90003a1f3d0 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1cf5996 +RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff8805c6f3 +RBP: ffffffff8805c6f3 R08: 0000000000000001 R09: ffff8880152b03a3 +R10: ffffed1002a56074 R11: 0000000000000005 R12: 00000000000073e4 +R13: dffffc0000000000 R14: 0000000000000002 R15: 0000000000000000 +FS: 0000555556726300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000045ad50 CR3: 000000007c646000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + sock_i_ino+0x83/0xa0 net/core/sock.c:2559 + __netlink_diag_dump+0x45c/0x790 net/netlink/diag.c:171 + netlink_diag_dump+0xd6/0x230 net/netlink/diag.c:207 + netlink_dump+0x570/0xc50 net/netlink/af_netlink.c:2269 + __netlink_dump_start+0x64b/0x910 net/netlink/af_netlink.c:2374 + netlink_dump_start include/linux/netlink.h:329 [inline] + netlink_diag_handler_dump+0x1ae/0x250 net/netlink/diag.c:238 + __sock_diag_cmd net/core/sock_diag.c:238 [inline] + sock_diag_rcv_msg+0x31e/0x440 net/core/sock_diag.c:269 + netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2547 + sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + 
netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0xde/0x190 net/socket.c:747 + ____sys_sendmsg+0x71c/0x900 net/socket.c:2503 + ___sys_sendmsg+0x110/0x1b0 net/socket.c:2557 + __sys_sendmsg+0xf7/0x1c0 net/socket.c:2586 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f5303aaabb9 +Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffc7506e548 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5303aaabb9 +RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 +RBP: 00007f5303a6ed60 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5303a6edf0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +Fixes: 8d61f926d420 ("netlink: fix potential deadlock in netlink_set_err()") +Reported-by: syzbot+5da61cf6a9bc1902d422@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=5da61cf6a9bc1902d422 +Suggested-by: Eric Dumazet +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230626164313.52528-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 1 + + net/core/sock.c | 17 ++++++++++++++--- + net/netlink/diag.c | 2 +- + 3 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index eccec5df94b9c..def9dc1ddda11 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1738,6 +1738,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent) + } + + kuid_t 
sock_i_uid(struct sock *sk); ++unsigned long __sock_i_ino(struct sock *sk); + unsigned long sock_i_ino(struct sock *sk); + + static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk) +diff --git a/net/core/sock.c b/net/core/sock.c +index b05296d79f621..5991b09c75f4d 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1932,13 +1932,24 @@ kuid_t sock_i_uid(struct sock *sk) + } + EXPORT_SYMBOL(sock_i_uid); + +-unsigned long sock_i_ino(struct sock *sk) ++unsigned long __sock_i_ino(struct sock *sk) + { + unsigned long ino; + +- read_lock_bh(&sk->sk_callback_lock); ++ read_lock(&sk->sk_callback_lock); + ino = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_ino : 0; +- read_unlock_bh(&sk->sk_callback_lock); ++ read_unlock(&sk->sk_callback_lock); ++ return ino; ++} ++EXPORT_SYMBOL(__sock_i_ino); ++ ++unsigned long sock_i_ino(struct sock *sk) ++{ ++ unsigned long ino; ++ ++ local_bh_disable(); ++ ino = __sock_i_ino(sk); ++ local_bh_enable(); + return ino; + } + EXPORT_SYMBOL(sock_i_ino); +diff --git a/net/netlink/diag.c b/net/netlink/diag.c +index 8c96757d9dc2b..8cbe6de1f0753 100644 +--- a/net/netlink/diag.c ++++ b/net/netlink/diag.c +@@ -171,7 +171,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, + NLM_F_MULTI, +- sock_i_ino(sk)) < 0) { ++ __sock_i_ino(sk)) < 0) { + ret = 1; + break; + } +-- +2.39.2 + diff --git a/queue-4.14/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch b/queue-4.14/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch new file mode 100644 index 00000000000..454f2a222b2 --- /dev/null +++ b/queue-4.14/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch 
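Review bot: `__sock_i_ino()` is exported with no comment stating its locking precondition. It takes `sk_callback_lock` with plain `read_lock()`, and the commit message says it is meant for callers that already run with bottom halves disabled, but a reader of net/core/sock.c sees two near-identical exported helpers with nothing to tell them apart. I would add above the new function `/* Caller must have BH disabled; use sock_i_ino() from any other context. */`, and the same one-line hint next to the prototype in include/net/sock.h.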
@@ -0,0 +1,157 @@ +From 4e37680d72b802a57dff693bf164769f21f205e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 17:47:20 +0000 +Subject: netlink: do not hard code device address lenth in fdb dumps + +From: Eric Dumazet + +[ Upstream commit aa5406950726e336c5c9585b09799a734b6e77bf ] + +syzbot reports that some netdev devices do not have a six bytes +address [1] + +Replace ETH_ALEN by dev->addr_len. + +[1] (Case of a device where dev->addr_len = 4) + +BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] +BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169 +instrument_copy_to_user include/linux/instrumented.h:114 [inline] +copyout+0xb8/0x100 lib/iov_iter.c:169 +_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536 +copy_to_iter include/linux/uio.h:206 [inline] +simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513 +__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419 +skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527 +skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] +netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970 +sock_recvmsg_nosec net/socket.c:1019 [inline] +sock_recvmsg net/socket.c:1040 [inline] +____sys_recvmsg+0x283/0x7f0 net/socket.c:2722 +___sys_recvmsg+0x223/0x840 net/socket.c:2764 +do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 +__sys_recvmmsg net/socket.c:2937 [inline] +__do_sys_recvmmsg net/socket.c:2960 [inline] +__se_sys_recvmmsg net/socket.c:2953 [inline] +__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was stored to memory at: +__nla_put lib/nlattr.c:1009 [inline] +nla_put+0x1c6/0x230 lib/nlattr.c:1067 +nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071 +nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline] +ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456 
+rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629 +netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268 +netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995 +sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019 +____sys_recvmsg+0x664/0x7f0 net/socket.c:2720 +___sys_recvmsg+0x223/0x840 net/socket.c:2764 +do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 +__sys_recvmmsg net/socket.c:2937 [inline] +__do_sys_recvmmsg net/socket.c:2960 [inline] +__se_sys_recvmmsg net/socket.c:2953 [inline] +__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: +slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716 +slab_alloc_node mm/slub.c:3451 [inline] +__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490 +kmalloc_trace+0x51/0x200 mm/slab_common.c:1057 +kmalloc include/linux/slab.h:559 [inline] +__hw_addr_create net/core/dev_addr_lists.c:60 [inline] +__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118 +__dev_mc_add net/core/dev_addr_lists.c:867 [inline] +dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885 +igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680 +ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754 +ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708 +addrconf_type_change net/ipv6/addrconf.c:3731 [inline] +addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699 +notifier_call_chain kernel/notifier.c:93 [inline] +raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461 +call_netdevice_notifiers_info net/core/dev.c:1935 [inline] +call_netdevice_notifiers_extack net/core/dev.c:1973 [inline] +call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987 +bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906 +do_set_master net/core/rtnetlink.c:2626 [inline] +rtnl_newlink_create net/core/rtnetlink.c:3460 [inline] +__rtnl_newlink net/core/rtnetlink.c:3660 [inline] +rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673 
+rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395 +netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546 +rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413 +netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] +netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365 +netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0x999/0xd50 net/socket.c:2503 +___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557 +__sys_sendmsg net/socket.c:2586 [inline] +__do_sys_sendmsg net/socket.c:2595 [inline] +__se_sys_sendmsg net/socket.c:2593 [inline] +__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Bytes 2856-2857 of 3500 are uninitialized +Memory access of size 3500 starts at ffff888018d99104 +Data copied to user address 0000000020000480 + +Fixes: d83b06036048 ("net: add fdb generic dump routine") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20230621174720.1845040-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 738514e5c8ba2..a76f3024687f0 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -2976,7 +2976,7 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb, + ndm->ndm_ifindex = dev->ifindex; + ndm->ndm_state = ndm_state; + +- if (nla_put(skb, NDA_LLADDR, ETH_ALEN, addr)) ++ if (nla_put(skb, NDA_LLADDR, dev->addr_len, addr)) + goto nla_put_failure; + if (vid) + if (nla_put(skb, NDA_VLAN, sizeof(u16), &vid)) +@@ -2990,10 +2990,10 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb, + return -EMSGSIZE; + } + +-static inline size_t 
rtnl_fdb_nlmsg_size(void) ++static inline size_t rtnl_fdb_nlmsg_size(const struct net_device *dev) + { + return NLMSG_ALIGN(sizeof(struct ndmsg)) + +- nla_total_size(ETH_ALEN) + /* NDA_LLADDR */ ++ nla_total_size(dev->addr_len) + /* NDA_LLADDR */ + nla_total_size(sizeof(u16)) + /* NDA_VLAN */ + 0; + } +@@ -3005,7 +3005,7 @@ static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type, + struct sk_buff *skb; + int err = -ENOBUFS; + +- skb = nlmsg_new(rtnl_fdb_nlmsg_size(), GFP_ATOMIC); ++ skb = nlmsg_new(rtnl_fdb_nlmsg_size(dev), GFP_ATOMIC); + if (!skb) + goto errout; + +-- +2.39.2 + diff --git a/queue-4.14/netlink-fix-potential-deadlock-in-netlink_set_err.patch b/queue-4.14/netlink-fix-potential-deadlock-in-netlink_set_err.patch new file mode 100644 index 00000000000..5d533d0f275 --- /dev/null +++ b/queue-4.14/netlink-fix-potential-deadlock-in-netlink_set_err.patch 
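Review bot: `nla_put(skb, NDA_LLADDR, dev->addr_len, addr)` now copies `dev->addr_len` bytes from `addr`, but nothing in the hunk shows that every caller's buffer is that long. If a caller of `rtnl_fdb_notify()` or `nlmsg_populate_fdb_fill()` (both only partly visible here) still validates or sizes the address against `ETH_ALEN`, a device with a longer `addr_len` would trade the fixed info-leak for an over-read of the source buffer. The callers are worth auditing, and the requirement should be recorded on both functions, for example `/* addr must point to at least dev->addr_len bytes */`.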
@@ -0,0 +1,117 @@ +From d9a3772e94ce4153e151d4d258f248192b7fa53e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 15:43:37 +0000 +Subject: netlink: fix potential deadlock in netlink_set_err() + +From: Eric Dumazet + +[ Upstream commit 8d61f926d42045961e6b65191c09e3678d86a9cf ] + +syzbot reported a possible deadlock in netlink_set_err() [1] + +A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQs +for netlink_lock_table()") in netlink_lock_table() + +This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump() +which were not covered by cited commit. + +[1] + +WARNING: possible irq lock inversion dependency detected +6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted + +syz-executor.2/23011 just changed the state of lock: +ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612 +but this lock was taken by another, SOFTIRQ-safe lock in the past: + (&local->queue_stop_reason_lock){..-.}-{2:2} + +and interrupts could create inverse lock ordering between them. 
+ +other info that might help us debug this: + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(nl_table_lock); + local_irq_disable(); + lock(&local->queue_stop_reason_lock); + lock(nl_table_lock); + + lock(&local->queue_stop_reason_lock); + + *** DEADLOCK *** + +Fixes: 1d482e666b8e ("netlink: disable IRQs for netlink_lock_table()") +Reported-by: syzbot+a7d200a347f912723e5c@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=a7d200a347f912723e5c +Link: https://lore.kernel.org/netdev/000000000000e38d1605fea5747e@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Johannes Berg +Link: https://lore.kernel.org/r/20230621154337.1668594-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 5 +++-- + net/netlink/diag.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 4b40edb51b9e5..6aa9849715775 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1574,6 +1574,7 @@ static int do_one_set_err(struct sock *sk, struct netlink_set_err_data *p) + int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code) + { + struct netlink_set_err_data info; ++ unsigned long flags; + struct sock *sk; + int ret = 0; + +@@ -1583,12 +1584,12 @@ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code) + /* sk->sk_err wants a positive error value */ + info.code = -code; + +- read_lock(&nl_table_lock); ++ read_lock_irqsave(&nl_table_lock, flags); + + sk_for_each_bound(sk, &nl_table[ssk->sk_protocol].mc_list) + ret += do_one_set_err(sk, &info); + +- read_unlock(&nl_table_lock); ++ read_unlock_irqrestore(&nl_table_lock, flags); + return ret; + } + EXPORT_SYMBOL(netlink_set_err); +diff --git a/net/netlink/diag.c b/net/netlink/diag.c +index 8faa20b4d4573..8c96757d9dc2b 100644 +--- a/net/netlink/diag.c ++++ b/net/netlink/diag.c +@@ -93,6 +93,7 @@ static int 
__netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + struct net *net = sock_net(skb->sk); + struct netlink_diag_req *req; + struct netlink_sock *nlsk; ++ unsigned long flags; + struct sock *sk; + int num = 2; + int ret = 0; +@@ -155,7 +156,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + num++; + + mc_list: +- read_lock(&nl_table_lock); ++ read_lock_irqsave(&nl_table_lock, flags); + sk_for_each_bound(sk, &tbl->mc_list) { + if (sk_hashed(sk)) + continue; +@@ -176,7 +177,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + } + num++; + } +- read_unlock(&nl_table_lock); ++ read_unlock_irqrestore(&nl_table_lock, flags); + + done: + cb->args[0] = num; +-- +2.39.2 + diff --git a/queue-4.14/pci-add-pci_clear_master-stub-for-non-config_pci.patch b/queue-4.14/pci-add-pci_clear_master-stub-for-non-config_pci.patch new file mode 100644 index 00000000000..605b3297a7e --- /dev/null +++ b/queue-4.14/pci-add-pci_clear_master-stub-for-non-config_pci.patch 
@@ -0,0 +1,39 @@
+From 8b55dacac43c133c882c6e999a26146bca5ae3ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 May 2023 18:27:44 +0800
+Subject: PCI: Add pci_clear_master() stub for non-CONFIG_PCI
+
+From: Sui Jingfeng
+
+[ Upstream commit 2aa5ac633259843f656eb6ecff4cf01e8e810c5e ]
+
+Add a pci_clear_master() stub when CONFIG_PCI is not set so drivers that
+support both PCI and platform devices don't need #ifdefs or extra Kconfig
+symbols for the PCI parts.
+
+[bhelgaas: commit log]
+Fixes: 6a479079c072 ("PCI: Add pci_clear_master() as opposite of pci_set_master()")
+Link: https://lore.kernel.org/r/20230531102744.2354313-1-suijingfeng@loongson.cn
+Signed-off-by: Sui Jingfeng
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+---
+ include/linux/pci.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index 521030233c8d3..7f93c39199471 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1630,6 +1630,7 @@ static inline struct pci_dev *pci_get_class(unsigned int class,
+ #define pci_dev_put(dev) do { } while (0)
+
+ static inline void pci_set_master(struct pci_dev *dev) { }
++static inline void pci_clear_master(struct pci_dev *dev) { }
+ static inline int pci_enable_device(struct pci_dev *dev) { return -EIO; }
+ static inline void pci_disable_device(struct pci_dev *dev) { }
+ static inline int pci_assign_resource(struct pci_dev *dev, int i)
+--
+2.39.2
+
diff --git a/queue-4.14/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch b/queue-4.14/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch
new file mode 100644
index 00000000000..b631838561f
--- /dev/null
+++ b/queue-4.14/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch
@@ -0,0 +1,45 @@
+From 4310bb3ccd05e30c189479a0bc6cd051630e2910 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jun 2023 16:41:01 -0700
+Subject: perf dwarf-aux: Fix off-by-one in die_get_varname()
+
+From: Namhyung Kim
+
+[ Upstream commit 3abfcfd847717d232e36963f31a361747c388fe7 ]
+
+The die_get_varname() returns "(unknown_type)" string if it failed to
+find a type for the variable. But it had a space before the opening
+parenthesis and it made the closing parenthesis cut off due to the
+off-by-one in the string length (14).
+
+Signed-off-by: Namhyung Kim
+Fixes: 88fd633cdfa19060 ("perf probe: No need to use formatting strbuf method")
+Cc: Adrian Hunter
+Cc: Ian Rogers
+Cc: Ingo Molnar
+Cc: Jiri Olsa
+Cc: Masami Hiramatsu
+Cc: Peter Zijlstra
+Link: https://lore.kernel.org/r/20230612234102.3909116-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/dwarf-aux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 7514aa9c68c99..f95c3d43b5cbb 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -1033,7 +1033,7 @@ int die_get_varname(Dwarf_Die *vr_die, struct strbuf *buf)
+ ret = die_get_typename(vr_die, buf);
+ if (ret < 0) {
+ pr_debug("Failed to get type, make it unknown.\n");
+- ret = strbuf_add(buf, " (unknown_type)", 14);
++ ret = strbuf_add(buf, "(unknown_type)", 14);
+ }
+
+ return ret < 0 ? ret : strbuf_addf(buf, "\t%s", dwarf_diename(vr_die));
+--
+2.39.2
+
diff --git a/queue-4.14/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch b/queue-4.14/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch
new file mode 100644
index 00000000000..d4d1fce52f6
--- /dev/null
+++ b/queue-4.14/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch
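Review bot: The corrected call still passes a hand-counted length, `strbuf_add(buf, "(unknown_type)", 14)`, which is the same pattern that let the literal and its length drift apart and truncate the string. Deriving the length from the literal keeps the two in step: `ret = strbuf_add(buf, "(unknown_type)", sizeof("(unknown_type)") - 1);`. `die_get_varname()` starts before the quoted context, so only this call site is covered here.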
@@ -0,0 +1,41 @@
+From 2f9beae7ff24a9d539600b850ae49101b50cc828 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jun 2023 13:53:33 +0300
+Subject: pinctrl: at91-pio4: check return value of devm_kasprintf()
+
+From: Claudiu Beznea
+
+[ Upstream commit f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 ]
+
+devm_kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller")
+Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks")
+Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int")
+Signed-off-by: Claudiu Beznea
+Reviewed-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20230615105333.585304-4-claudiu.beznea@microchip.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/pinctrl-at91-pio4.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c
+index 32e863a352a30..8f18a35b66b61 100644
+--- a/drivers/pinctrl/pinctrl-at91-pio4.c
++++ b/drivers/pinctrl/pinctrl-at91-pio4.c
+@@ -983,6 +983,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev)
+ /* Pin naming convention: P(bank_name)(bank_pin_number). */
+ pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d",
+ bank + 'A', line);
++ if (!pin_desc[i].name)
++ return -ENOMEM;
+
+ group->name = group_names[i] = pin_desc[i].name;
+ group->pin = pin_desc[i].number;
+--
+2.39.2
+
diff --git a/queue-4.14/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch b/queue-4.14/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch
new file mode 100644
index 00000000000..e53fa0b0bf2
--- /dev/null
+++ b/queue-4.14/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch
@@ -0,0 +1,57 @@
+From bef209446e876dd5b29a9adc7c1a49c47716f5be Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Jun 2023 17:37:34 +0300
+Subject: pinctrl: cherryview: Return correct value if pin in push-pull mode
+
+From: Andy Shevchenko
+
+[ Upstream commit 5835196a17be5cfdcad0b617f90cf4abe16951a4 ]
+
+Currently the getter returns ENOTSUPP on pin configured in
+the push-pull mode. Fix this by adding the missed switch case.
+
+Fixes: ccdf81d08dbe ("pinctrl: cherryview: add option to set open-drain pin config")
+Fixes: 6e08d6bbebeb ("pinctrl: Add Intel Cherryview/Braswell pin controller support")
+Acked-by: Mika Westerberg
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/intel/pinctrl-cherryview.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c
+index d39718b4242d9..fa4a9ccef1f49 100644
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -1040,11 +1040,6 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin,
+
+ break;
+
+- case PIN_CONFIG_DRIVE_OPEN_DRAIN:
+- if (!(ctrl1 & CHV_PADCTRL1_ODEN))
+- return -EINVAL;
+- break;
+-
+ case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: {
+ u32 cfg;
+
+@@ -1054,6 +1049,16 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin,
+ return -EINVAL;
+
+ break;
++
++ case PIN_CONFIG_DRIVE_PUSH_PULL:
++ if (ctrl1 & CHV_PADCTRL1_ODEN)
++ return -EINVAL;
++ break;
++
++ case PIN_CONFIG_DRIVE_OPEN_DRAIN:
++ if (!(ctrl1 & CHV_PADCTRL1_ODEN))
++ return -EINVAL;
++ break;
+ }
+
+ default:
+--
+2.39.2
+
diff --git a/queue-4.14/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch b/queue-4.14/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch
new file mode 100644
index 00000000000..ad0102aa900
--- /dev/null
+++ b/queue-4.14/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch
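Review bot: As the second inner hunk reads, the added `case PIN_CONFIG_DRIVE_PUSH_PULL:` and `case PIN_CONFIG_DRIVE_OPEN_DRAIN:` land between the `break;` and the closing `}` of the braced `case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: {` block, so two case labels end up inside the scope of `u32 cfg`. That is legal C and behaves the same today, but it is easy to misread, and a later initialised declaration in that block would be jumped over by both labels. Placing the two cases after the `}` and before `default:` keeps them at the same level as the rest of the switch. Indentation is lost on this page and `chv_config_get()` extends beyond the hunk, so the placement should be confirmed against the 4.14 tree.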
@@ -0,0 +1,48 @@
+From 5b2b316999b5480b362804367ce4ab11af3cfc52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Apr 2023 06:07:43 -0700
+Subject: PM: domains: fix integer overflow issues in genpd_parse_state()
+
+From: Nikita Zhandarovich
+
+[ Upstream commit e5d1c8722083f0332dcd3c85fa1273d85fb6bed8 ]
+
+Currently, while calculating residency and latency values, right
+operands may overflow if resulting values are big enough.
+
+To prevent this, albeit unlikely case, play it safe and convert
+right operands to left ones' type s64.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 30f604283e05 ("PM / Domains: Allow domain power states to be read from DT")
+Signed-off-by: Nikita Zhandarovich
+Acked-by: Ulf Hansson
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/base/power/domain.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
+index a64b093a88cf4..0f38df5856e12 100644
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -2206,10 +2206,10 @@ static int genpd_parse_state(struct genpd_power_state *genpd_state,
+
+ err = of_property_read_u32(state_node, "min-residency-us", &residency);
+ if (!err)
+- genpd_state->residency_ns = 1000 * residency;
++ genpd_state->residency_ns = 1000LL * residency;
+
+- genpd_state->power_on_latency_ns = 1000 * exit_latency;
+- genpd_state->power_off_latency_ns = 1000 * entry_latency;
++ genpd_state->power_on_latency_ns = 1000LL * exit_latency;
++ genpd_state->power_off_latency_ns = 1000LL * entry_latency;
+ genpd_state->fwnode = &state_node->fwnode;
+
+ return 0;
+--
+2.39.2
+
diff --git a/queue-4.14/radeon-avoid-double-free-in-ci_dpm_init.patch b/queue-4.14/radeon-avoid-double-free-in-ci_dpm_init.patch
new file mode 100644
index 00000000000..3f994dfebdf
--- /dev/null
+++ b/queue-4.14/radeon-avoid-double-free-in-ci_dpm_init.patch
@@ -0,0 +1,110 @@
+From 2efc342e5532fba6f91ff4660b8021986c89f516 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Apr 2023 08:12:28 -0700
+Subject: radeon: avoid double free in ci_dpm_init()
+
+From: Nikita Zhandarovich
+
+[ Upstream commit 20c3dffdccbd494e0dd631d1660aeecbff6775f2 ]
+
+Several calls to ci_dpm_fini() will attempt to free resources that
+either have been freed before or haven't been allocated yet. This
+may lead to undefined or dangerous behaviour.
+
+For instance, if r600_parse_extended_power_table() fails, it might
+call r600_free_extended_power_table() as will ci_dpm_fini() later
+during error handling.
+
+Fix this by only freeing pointers to objects previously allocated.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)")
+Co-developed-by: Natalia Petrova
+Signed-off-by: Nikita Zhandarovich
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/radeon/ci_dpm.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c
+index 81bc2b89222f2..0403924a2ca6b 100644
+--- a/drivers/gpu/drm/radeon/ci_dpm.c
++++ b/drivers/gpu/drm/radeon/ci_dpm.c
+@@ -5530,6 +5530,7 @@ static int ci_parse_power_table(struct radeon_device *rdev)
+ u8 frev, crev;
+ u8 *power_state_offset;
+ struct ci_ps *ps;
++ int ret;
+
+ if (!atom_parse_data_header(mode_info->atom_context, index, NULL,
+ &frev, &crev, &data_offset))
+@@ -5558,11 +5559,15 @@ static int ci_parse_power_table(struct radeon_device *rdev)
+ non_clock_array_index = power_state->v2.nonClockInfoIndex;
+ non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *)
+ &non_clock_info_array->nonClockInfo[non_clock_array_index];
+- if (!rdev->pm.power_state[i].clock_info)
+- return -EINVAL;
++ if (!rdev->pm.power_state[i].clock_info) {
++ ret = -EINVAL;
++ goto err_free_ps;
++ }
+ ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL);
+- if (ps == NULL)
+- return -ENOMEM;
++ if (ps == NULL) {
++ ret = -ENOMEM;
++ goto err_free_ps;
++ }
+ rdev->pm.dpm.ps[i].ps_priv = ps;
+ ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i],
+ non_clock_info,
+@@ -5602,6 +5607,12 @@ static int ci_parse_power_table(struct radeon_device *rdev)
+ }
+
+ return 0;
++
++err_free_ps:
++ for (i = 0; i < rdev->pm.dpm.num_ps; i++)
++ kfree(rdev->pm.dpm.ps[i].ps_priv);
++ kfree(rdev->pm.dpm.ps);
++ return ret;
+ }
+
+ static int ci_get_vbios_boot_values(struct radeon_device *rdev,
+@@ -5679,25 +5690,26 @@ int ci_dpm_init(struct radeon_device *rdev)
+
+ ret = ci_get_vbios_boot_values(rdev, &pi->vbios_boot_state);
+ if (ret) {
+- ci_dpm_fini(rdev);
++ kfree(rdev->pm.dpm.priv);
+ return ret;
+ }
+
+ ret = r600_get_platform_caps(rdev);
+ if (ret) {
+- ci_dpm_fini(rdev);
++ kfree(rdev->pm.dpm.priv);
+ return ret;
+ }
+
+ ret = r600_parse_extended_power_table(rdev);
+ if (ret) {
+- ci_dpm_fini(rdev);
++ kfree(rdev->pm.dpm.priv);
+ return ret;
+ }
+
+ ret = ci_parse_power_table(rdev);
+ if (ret) {
+- ci_dpm_fini(rdev);
++ kfree(rdev->pm.dpm.priv);
++ r600_free_extended_power_table(rdev);
+ return ret;
+ }
+
+--
+2.39.2
+
diff --git a/queue-4.14/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch b/queue-4.14/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
new file mode 100644
index 00000000000..f561fc28251
--- /dev/null
+++ b/queue-4.14/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
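Review bot: The new `err_free_ps` path in ci_parse_power_table() frees `ps_priv` only for indexes below `rdev->pm.dpm.num_ps`, and the hunks do not show where `num_ps` is assigned; if it is set only after the parse loop has finished, this loop frees none of the entries allocated before a later `kzalloc()` failure and they leak. Bounding the cleanup by the index reached is safer, for example `while (i--) kfree(rdev->pm.dpm.ps[i].ps_priv);`, assuming `i` is still the parse-loop index at the jump. Both this path and the `kfree(rdev->pm.dpm.priv)` calls added to ci_dpm_init() also leave the freed pointers stored in `rdev`; assigning NULL after each free (`rdev->pm.dpm.ps = NULL;`, `rdev->pm.dpm.priv = NULL;`) would keep any later teardown from freeing them a second time. Whether such a teardown runs after a failed init is outside the lines shown.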
@@ -0,0 +1,47 @@
+From 67c0c02ab98363f9025ff4dd2a492fea280ee3c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 May 2023 22:12:55 +0800
+Subject: scsi: 3w-xxxx: Add error handling for initialization failure in
+ tw_probe()
+
+From: Yuchen Yang
+
+[ Upstream commit 2e2fe5ac695a00ab03cab4db1f4d6be07168ed9d ]
+
+Smatch complains that:
+
+tw_probe() warn: missing error code 'retval'
+
+This patch adds error checking to tw_probe() to handle initialization
+failure. If tw_reset_sequence() function returns a non-zero value, the
+function will return -EINVAL to indicate initialization failure.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yuchen Yang
+Link: https://lore.kernel.org/r/20230505141259.7730-1-u202114568@hust.edu.cn
+Reviewed-by: Dan Carpenter
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/3w-xxxx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
+index 961ea6f7def87..7f21d724461ed 100644
+--- a/drivers/scsi/3w-xxxx.c
++++ b/drivers/scsi/3w-xxxx.c
+@@ -2303,8 +2303,10 @@ static int tw_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id)
+ TW_DISABLE_INTERRUPTS(tw_dev);
+
+ /* Initialize the card */
+- if (tw_reset_sequence(tw_dev))
++ if (tw_reset_sequence(tw_dev)) {
++ retval = -EINVAL;
+ goto out_release_mem_region;
++ }
+
+ /* Set host specific parameters */
+ host->max_id = TW_MAX_UNITS;
+--
+2.39.2
+
diff --git a/queue-4.14/series b/queue-4.14/series
index f4f482eee33..b1147658efc 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -5,3 +5,49 @@ fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch
 scripts-tags.sh-resolve-gtags-empty-index-generation.patch
 drm-amdgpu-validate-vm-ioctl-flags.patch
 treewide-remove-uninitialized_var-usage.patch
+md-raid10-fix-overflow-of-md-safe_mode_delay.patch
+md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch
+md-raid10-fix-io-loss-while-replacement-replace-rdev.patch
+pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch
+arm-9303-1-kprobes-avoid-missing-declaration-warning.patch
+evm-complete-description-of-evm_inode_setattr.patch
+wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
+wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
+wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
+wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch
+wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch
+wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch
+wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch
+wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
+watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
+watchdog-perf-more-properly-prevent-false-positives-.patch
+kexec-fix-a-memory-leak-in-crash_shrink_memory.patch
+memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
+wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch
+wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch
+netlink-fix-potential-deadlock-in-netlink_set_err.patch
+netlink-do-not-hard-code-device-address-lenth-in-fdb.patch
+gtp-fix-use-after-free-in-__gtp_encap_destroy.patch
+lib-ts_bm-reset-initial-match-offset-for-every-block.patch
+netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch
+netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
+radeon-avoid-double-free-in-ci_dpm_init.patch
+input-drv260x-sleep-between-polling-go-bit.patch
+arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch
+input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch
+drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
+arm-ep93xx-fix-missing-prototype-warnings.patch
+asoc-es8316-increment-max-value-for-alc-capture-targ.patch
+soc-fsl-qe-fix-usb.c-build-errors.patch
+fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch
+drm-radeon-fix-possible-division-by-zero-errors.patch
+alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch
+scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
+pci-add-pci_clear_master-stub-for-non-config_pci.patch
+pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch
+perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch
+pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch
+crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
+modpost-fix-section-mismatch-message-for-r_arm_abs32.patch
+modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
+modpost-fix-off-by-one-in-is_executable_section.patch
diff --git a/queue-4.14/soc-fsl-qe-fix-usb.c-build-errors.patch b/queue-4.14/soc-fsl-qe-fix-usb.c-build-errors.patch
new file mode 100644
index 00000000000..6411431244f
--- /dev/null
+++ b/queue-4.14/soc-fsl-qe-fix-usb.c-build-errors.patch
@@ -0,0 +1,60 @@
+From aea0c3c5f12d3f4980759f79452e0de6ae64a7a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 21 May 2023 15:52:16 -0700
+Subject: soc/fsl/qe: fix usb.c build errors
+
+From: Randy Dunlap
+
+[ Upstream commit 7b1a78babd0d2cd27aa07255dee0c2d7ac0f31e3 ]
+
+Fix build errors in soc/fsl/qe/usb.c when QUICC_ENGINE is not set.
+This happens when PPC_EP88XC is set, which selects CPM1 & CPM.
+When CPM is set, USB_FSL_QE can be set without QUICC_ENGINE
+being set. When USB_FSL_QE is set, QE_USB deafults to y, which
+causes build errors when QUICC_ENGINE is not set. Making
+QE_USB depend on QUICC_ENGINE prevents QE_USB from defaulting to y.
+
+Fixes these build errors:
+
+drivers/soc/fsl/qe/usb.o: in function `qe_usb_clock_set':
+usb.c:(.text+0x1e): undefined reference to `qe_immr'
+powerpc-linux-ld: usb.c:(.text+0x2a): undefined reference to `qe_immr'
+powerpc-linux-ld: usb.c:(.text+0xbc): undefined reference to `qe_setbrg'
+powerpc-linux-ld: usb.c:(.text+0xca): undefined reference to `cmxgcr_lock'
+powerpc-linux-ld: usb.c:(.text+0xce): undefined reference to `cmxgcr_lock'
+
+Fixes: 5e41486c408e ("powerpc/QE: add support for QE USB clocks routing")
+Signed-off-by: Randy Dunlap
+Reported-by: kernel test robot
+Link: https://lore.kernel.org/all/202301101500.pillNv6R-lkp@intel.com/
+Suggested-by: Michael Ellerman
+Cc: Christophe Leroy
+Cc: Leo Li
+Cc: Masahiro Yamada
+Cc: Nicolas Schier
+Cc: Qiang Zhao
+Cc: linuxppc-dev
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: Kumar Gala
+Acked-by: Nicolas Schier
+Signed-off-by: Li Yang
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/fsl/qe/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/fsl/qe/Kconfig b/drivers/soc/fsl/qe/Kconfig
+index 73a2e08b47ef9..e2ccddd348b5b 100644
+--- a/drivers/soc/fsl/qe/Kconfig
++++ b/drivers/soc/fsl/qe/Kconfig
+@@ -37,6 +37,7 @@ config QE_TDM
+
+ config QE_USB
+ bool
++ depends on QUICC_ENGINE
+ default y if USB_FSL_QE
+ help
+ QE USB Controller support
+--
+2.39.2
+
diff --git a/queue-4.14/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch b/queue-4.14/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
new file mode 100644
index 00000000000..ae0b3eb64e8
--- /dev/null
+++ b/queue-4.14/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
@@ -0,0 +1,89 @@
+From 6a0d612522a8a9f884efb89892478ceb5dc45f26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 May 2023 10:18:25 -0700
+Subject: watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on
+ correct config
+
+From: Douglas Anderson
+
+[ Upstream commit 5e008df11c55228a86a1bae692cc2002503572c9 ]
+
+Patch series "watchdog/hardlockup: Add the buddy hardlockup detector", v5.
+
+This patch series adds the "buddy" hardlockup detector. In brief, the
+buddy hardlockup detector can detect hardlockups without arch-level
+support by having CPUs checkup on a "buddy" CPU periodically.
+
+Given the new design of this patch series, testing all combinations is
+fairly difficult. I've attempted to make sure that all combinations of
+CONFIG_ options are good, but it wouldn't surprise me if I missed
+something. I apologize in advance and I'll do my best to fix any
+problems that are found.
+
+This patch (of 18):
+
+The real watchdog_update_hrtimer_threshold() is defined in
+kernel/watchdog_hld.c. That file is included if
+CONFIG_HARDLOCKUP_DETECTOR_PERF and the function is defined in that file
+if CONFIG_HARDLOCKUP_CHECK_TIMESTAMP.
+
+The dummy version of the function in "nmi.h" didn't get that quite right.
+While this doesn't appear to be a huge deal, it's nice to make it
+consistent.
+
+It doesn't break builds because CHECK_TIMESTAMP is only defined by x86 so
+others don't get a double definition, and x86 uses perf lockup detector,
+so it gets the out of line version.
+
+Link: https://lkml.kernel.org/r/20230519101840.v5.18.Ia44852044cdcb074f387e80df6b45e892965d4a1@changeid
+Link: https://lkml.kernel.org/r/20230519101840.v5.1.I8cbb2f4fa740528fcfade4f5439b6cdcdd059251@changeid
+Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes")
+Signed-off-by: Douglas Anderson
+Reviewed-by: Nicholas Piggin
+Reviewed-by: Petr Mladek
+Cc: Andi Kleen
+Cc: Catalin Marinas
+Cc: Chen-Yu Tsai
+Cc: Christophe Leroy
+Cc: Daniel Thompson
+Cc: "David S. Miller"
+Cc: Guenter Roeck
+Cc: Ian Rogers
+Cc: Lecopzer Chen
+Cc: Marc Zyngier
+Cc: Mark Rutland
+Cc: Masayoshi Mizuma
+Cc: Matthias Kaehlcke
+Cc: Michael Ellerman
+Cc: Pingfan Liu
+Cc: Randy Dunlap
+Cc: "Ravi V. Shankar"
+Cc: Ricardo Neri
+Cc: Stephane Eranian
+Cc: Stephen Boyd
+Cc: Sumit Garg
+Cc: Tzung-Bi Shih
+Cc: Will Deacon
+Cc: Colin Cross
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/linux/nmi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/nmi.h b/include/linux/nmi.h
+index 50d1439953385..5ef76f8cf0800 100644
+--- a/include/linux/nmi.h
++++ b/include/linux/nmi.h
+@@ -189,7 +189,7 @@ u64 hw_nmi_get_sample_period(int watchdog_thresh);
+ #endif
+
+ #if defined(CONFIG_HARDLOCKUP_CHECK_TIMESTAMP) && \
+- defined(CONFIG_HARDLOCKUP_DETECTOR)
++ defined(CONFIG_HARDLOCKUP_DETECTOR_PERF)
+ void watchdog_update_hrtimer_threshold(u64 period);
+ #else
+ static inline void watchdog_update_hrtimer_threshold(u64 period) { }
+--
+2.39.2
+
diff --git a/queue-4.14/watchdog-perf-more-properly-prevent-false-positives-.patch b/queue-4.14/watchdog-perf-more-properly-prevent-false-positives-.patch
new file mode 100644
index 00000000000..8e79f0cb115
--- /dev/null
+++ b/queue-4.14/watchdog-perf-more-properly-prevent-false-positives-.patch
@@ -0,0 +1,84 @@
+From ca7cff94f034e42e8cb915b96e92361ec3d91e61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 May 2023 10:18:26 -0700
+Subject: watchdog/perf: more properly prevent false positives with turbo modes
+
+From: Douglas Anderson
+
+[ Upstream commit 4379e59fe5665cfda737e45b8bf2f05321ef049c ]
+
+Currently, in the watchdog_overflow_callback() we first check to see if
+the watchdog had been touched and _then_ we handle the workaround for
+turbo mode. This order should be reversed.
+
+Specifically, "touching" the hardlockup detector's watchdog should avoid
+lockups being detected for one period that should be roughly the same
+regardless of whether we're running turbo or not. That means that we
+should do the extra accounting for turbo _before_ we look at (and clear)
+the global indicating that we've been touched.
+
+NOTE: this fix is made based on code inspection. I am not aware of any
+reports where the old code would have generated false positives. That
+being said, this order seems more correct and also makes it easier down
+the line to share code with the "buddy" hardlockup detector.
+
+Link: https://lkml.kernel.org/r/20230519101840.v5.2.I843b0d1de3e096ba111a179f3adb16d576bef5c7@changeid
+Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes")
+Signed-off-by: Douglas Anderson
+Cc: Andi Kleen
+Cc: Catalin Marinas
+Cc: Chen-Yu Tsai
+Cc: Christophe Leroy
+Cc: Colin Cross
+Cc: Daniel Thompson
+Cc: "David S. Miller"
+Cc: Guenter Roeck
+Cc: Ian Rogers
+Cc: Lecopzer Chen
+Cc: Marc Zyngier
+Cc: Mark Rutland
+Cc: Masayoshi Mizuma
+Cc: Matthias Kaehlcke
+Cc: Michael Ellerman
+Cc: Nicholas Piggin
+Cc: Petr Mladek
+Cc: Pingfan Liu
+Cc: Randy Dunlap
+Cc: "Ravi V.
Shankar"
+Cc: Ricardo Neri
+Cc: Stephane Eranian
+Cc: Stephen Boyd
+Cc: Sumit Garg
+Cc: Tzung-Bi Shih
+Cc: Will Deacon
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ kernel/watchdog_hld.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/watchdog_hld.c b/kernel/watchdog_hld.c
+index 4ece6028007ab..4c2cd69013a68 100644
+--- a/kernel/watchdog_hld.c
++++ b/kernel/watchdog_hld.c
+@@ -114,14 +114,14 @@ static void watchdog_overflow_callback(struct perf_event *event,
+ /* Ensure the watchdog never gets throttled */
+ event->hw.interrupts = 0;
+
++ if (!watchdog_check_timestamp())
++ return;
++
+ if (__this_cpu_read(watchdog_nmi_touch) == true) {
+ __this_cpu_write(watchdog_nmi_touch, false);
+ return;
+ }
+
+- if (!watchdog_check_timestamp())
+- return;
+-
+ /* check for a hardlockup
+ * This is done by making sure our timer interrupt
+ * is incrementing. The timer interrupt should have
+--
+2.39.2
+
diff --git a/queue-4.14/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch b/queue-4.14/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
new file mode 100644
index 00000000000..cdf08f7289d
--- /dev/null
+++ b/queue-4.14/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
@@ -0,0 +1,58 @@
+From 15722199b0db35c53140a4c3da8b48db7d979b96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Apr 2023 17:35:01 +0300
+Subject: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin
+
+[ Upstream commit f24292e827088bba8de7158501ac25a59b064953 ]
+
+For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid
+uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should
+validate pkt_len before accessing the SKB.
+
+For example, the obtained SKB may have been badly constructed with
+pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr
+but after being processed in ath9k_htc_rx_msg() and passed to
+ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI
+command header which should be located inside its data payload.
+
+Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit
+memory can be referenced.
+
+Tested on Qualcomm Atheros Communications AR9271 802.11n .
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Reported-and-tested-by: syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230424183348.111355-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/wmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
+index 9a17f7a07b1e8..7b4e922181190 100644
+--- a/drivers/net/wireless/ath/ath9k/wmi.c
++++ b/drivers/net/wireless/ath/ath9k/wmi.c
+@@ -217,6 +217,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
+ if (unlikely(wmi->stopped))
+ goto free_skb;
+
++ /* Validate the obtained SKB.
*/
++ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr)))
++ goto free_skb;
++
+ hdr = (struct wmi_cmd_hdr *) skb->data;
+ cmd_id = be16_to_cpu(hdr->command_id);
+
+--
+2.39.2
+
diff --git a/queue-4.14/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch b/queue-4.14/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch
new file mode 100644
index 00000000000..4438aa76d8e
--- /dev/null
+++ b/queue-4.14/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch
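Review bot: The added comment `/* Validate the obtained SKB. */` does not say what is validated; the guard below it only proves that `skb->len` covers a `struct wmi_cmd_hdr` before the cast on the following line. I would word it as `/* Drop frames shorter than struct wmi_cmd_hdr; the length is set by the device. */` so a later reader does not take it as covering the payload as well. Anything read past the header further down ath9k_wmi_ctrl_rx(), which continues outside the hunk, still needs its own bound against `skb->len`.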
@@ -0,0 +1,51 @@
+From 6365f37e0e9cc15c4394dd4ef3b1b3cca3e159f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Jun 2023 16:46:55 +0300
+Subject: wifi: ath9k: convert msecs to jiffies where needed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Antipov
+
+[ Upstream commit 2aa083acea9f61be3280184384551178f510ff51 ]
+
+Since 'ieee80211_queue_delayed_work()' expects timeout in
+jiffies and not milliseconds, 'msecs_to_jiffies()' should
+be used in 'ath_restart_work()' and '__ath9k_flush()'.
+
+Fixes: d63ffc45c5d3 ("ath9k: rename tx_complete_work to hw_check_work")
+Signed-off-by: Dmitry Antipov
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230613134655.248728-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index 1afaa437619d3..f659bf7937272 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -199,7 +199,7 @@ void ath_cancel_work(struct ath_softc *sc)
+ void ath_restart_work(struct ath_softc *sc)
+ {
+ ieee80211_queue_delayed_work(sc->hw, &sc->hw_check_work,
+- ATH_HW_CHECK_POLL_INT);
++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT));
+
+ if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah))
+ ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work,
+@@ -2225,7 +2225,7 @@ void __ath9k_flush(struct ieee80211_hw *hw, u32 queues, bool drop,
+ }
+
+ ieee80211_queue_delayed_work(hw, &sc->hw_check_work,
+- ATH_HW_CHECK_POLL_INT);
++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT));
+ }
+
+ static bool ath9k_tx_frames_pending(struct ieee80211_hw *hw)
+--
+2.39.2
+
diff --git a/queue-4.14/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch b/queue-4.14/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
new file mode 100644
index 00000000000..25ce91b5c43
--- /dev/null
+++ b/queue-4.14/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
@@ -0,0 +1,54 @@
+From 13167a069308a2e8ca54ddf784f4b52a26f73e7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 May 2023 18:03:17 +0300
+Subject: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin
+
+[ Upstream commit 061b0cb9327b80d7a0f63a33e7c3e2a91a71f142 ]
+
+A bad USB device is able to construct a service connection response
+message with target endpoint being ENDPOINT0 which is reserved for
+HTC_CTRL_RSVD_SVC and should not be modified to be used for any other
+services.
+
+Reject such service connection responses.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230516150427.79469-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index 6331c98088e03..d5e5f9cf4ca86 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -114,7 +114,13 @@ static void htc_process_conn_rsp(struct htc_target *target,
+
+ if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) {
+ epid = svc_rspmsg->endpoint_id;
+- if (epid < 0 || epid >= ENDPOINT_MAX)
++
++ /* Check that the received epid for the endpoint to attach
++ * a new service is valid. ENDPOINT0 can't be used here as it
++ * is already reserved for HTC_CTRL_RSVD_SVC service and thus
++ * should not be modified.
++ */
++ if (epid <= ENDPOINT0 || epid >= ENDPOINT_MAX)
+ return;
+
+ service_id = be16_to_cpu(svc_rspmsg->service_id);
+--
+2.39.2
+
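Review bot: A response carrying a rejected `epid` is dropped by the bare `return;` after the new check, so nothing records that the device asked to attach a service to the reserved ENDPOINT0 or to an out-of-range endpoint. A rate-limited warning before the return, for example `dev_warn_ratelimited(target->dev, "invalid endpoint id %d in connect response\n", epid);`, would make a misbehaving device visible in the log; that `target` carries a `dev` pointer is assumed here, it is not shown in the hunk. htc_process_conn_rsp() continues outside the hunk, so whether the waiting caller learns of the rejection cannot be judged from these lines.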
diff --git a/queue-4.14/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch b/queue-4.14/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
new file mode 100644
index 00000000000..c8533306d3d
--- /dev/null
+++ b/queue-4.14/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
@@ -0,0 +1,95 @@
+From 8bca5ca5ad9d8e98dab161144a6667672a10d9fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Apr 2023 17:35:00 +0300
+Subject: wifi: ath9k: fix AR9003 mac hardware hang check register offset
+ calculation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Seiderer
+
+[ Upstream commit 3e56c80931c7615250fe4bf83f93b57881969266 ]
+
+Fix ath9k_hw_verify_hang()/ar9003_hw_detect_mac_hang() register offset
+calculation (do not overflow the shift for the second register/queues
+above five, use the register layout described in the comments above
+ath9k_hw_verify_hang() instead).
+
+Fixes: 222e04830ff0 ("ath9k: Fix MAC HW hang check for AR9003")
+
+Reported-by: Gregg Wonderly
+Link: https://lore.kernel.org/linux-wireless/E3A9C354-0CB7-420C-ADEF-F0177FB722F4@seqtechllc.com/
+Signed-off-by: Peter Seiderer
+Acked-by: Toke Høiland-Jørgensen
+Reviewed-by: Simon Horman
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230422212423.26065-1-ps.report@gmx.net
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/ar9003_hw.c | 27 ++++++++++++++--------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/ar9003_hw.c b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
+index 2fe12b0de5b4f..dea8a998fb622 100644
+--- a/drivers/net/wireless/ath/ath9k/ar9003_hw.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
+@@ -1099,17 +1099,22 @@ static bool ath9k_hw_verify_hang(struct ath_hw *ah, unsigned int queue)
+ {
+ u32 dma_dbg_chain, dma_dbg_complete;
+ u8 dcu_chain_state, dcu_complete_state;
++ unsigned int dbg_reg, reg_offset;
+ int i;
+
+- for (i = 0; i < NUM_STATUS_READS; i++) {
+- if (queue < 6)
+- dma_dbg_chain = REG_READ(ah, AR_DMADBG_4);
+- else
+- dma_dbg_chain = REG_READ(ah, AR_DMADBG_5);
++ if (queue < 6) {
++ dbg_reg = AR_DMADBG_4;
++ reg_offset = queue * 5;
++ } else {
++ dbg_reg = AR_DMADBG_5;
++ reg_offset = (queue - 6) * 5;
++ }
+
++ for (i = 0; i < NUM_STATUS_READS; i++) {
++ dma_dbg_chain = REG_READ(ah, dbg_reg);
+ dma_dbg_complete = REG_READ(ah, AR_DMADBG_6);
+
+- dcu_chain_state = (dma_dbg_chain >> (5 * queue)) & 0x1f;
++ dcu_chain_state = (dma_dbg_chain >> reg_offset) & 0x1f;
+ dcu_complete_state = dma_dbg_complete & 0x3;
+
+ if ((dcu_chain_state != 0x6) || (dcu_complete_state != 0x1))
+@@ -1128,6 +1133,7 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah)
+ u8 dcu_chain_state, dcu_complete_state;
+ bool dcu_wait_frdone = false;
+ unsigned long chk_dcu = 0;
++ unsigned int reg_offset;
+ unsigned int i = 0;
+
+ dma_dbg_4 = REG_READ(ah, AR_DMADBG_4);
+@@ -1139,12 +1145,15 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah)
+ goto exit;
+
+ for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) {
+- if (i < 6)
++ if (i < 6) {
+ chk_dbg = dma_dbg_4;
+- else
++ reg_offset = i * 5;
++ } else {
+ chk_dbg = dma_dbg_5;
++ reg_offset = (i - 6) * 5;
++ }
+
+- dcu_chain_state = (chk_dbg >> (5 * i)) & 0x1f;
++ dcu_chain_state = (chk_dbg >> reg_offset) & 0x1f;
+ if (dcu_chain_state == 0x6) {
+ dcu_wait_frdone = true;
+ chk_dcu |= BIT(i);
+--
+2.39.2
+
diff --git a/queue-4.14/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch b/queue-4.14/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch
new file mode 100644
index 00000000000..4e0f0994be0
--- /dev/null
+++ b/queue-4.14/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch
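Review bot: The queue-to-register mapping is now written out twice with bare numbers, once before the read loop in ath9k_hw_verify_hang() (`queue < 6`, `queue * 5`, `(queue - 6) * 5`) and once inside the loop of ar9003_hw_detect_mac_hang() with `i`. The bug being fixed was the same wrong shift in both places, so one small static helper returning the shift for a queue, e.g. `return (queue < 6 ? queue : queue - 6) * 5;` under a name of the maintainers' choosing, together with named constants for the field width and the number of queues per register, would keep the two sites from drifting apart again. Both functions start and end outside the hunks shown.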
@@ -0,0 +1,111 @@
+From ffae2c93ba2dd4b7bab48da5c472f7c98af6f51f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Jun 2023 11:37:44 +0200
+Subject: wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Remi Pommarel
+
+[ Upstream commit 75086cc6dee046e3fbb3dba148b376d8802f83bc ]
+
+On EDMA capable hardware, ath9k_txq_list_has_key() can enter infinite
+loop if it is called while all txq_fifos have packets that use different
+key that the one we are looking for. Fix it by exiting the loop if all
+txq_fifos have been checked already.
+
+Because this loop is called under spin_lock_bh() (see ath_txq_lock) it
+causes the following rcu stall:
+
+rcu: INFO: rcu_sched self-detected stall on CPU
+ath10k_pci 0000:01:00.0: failed to read temperature -11
+rcu: 1-....: (5254 ticks this GP) idle=189/1/0x4000000000000002 softirq=8442983/8442984 fqs=2579
+ (t=5257 jiffies g=17983297 q=334)
+Task dump for CPU 1:
+task:hostapd state:R running task stack: 0 pid: 297 ppid: 289 flags:0x0000000a
+Call trace:
+ dump_backtrace+0x0/0x170
+ show_stack+0x1c/0x24
+ sched_show_task+0x140/0x170
+ dump_cpu_task+0x48/0x54
+ rcu_dump_cpu_stacks+0xf0/0x134
+ rcu_sched_clock_irq+0x8d8/0x9fc
+ update_process_times+0xa0/0xec
+ tick_sched_timer+0x5c/0xd0
+ __hrtimer_run_queues+0x154/0x320
+ hrtimer_interrupt+0x120/0x2f0
+ arch_timer_handler_virt+0x38/0x44
+ handle_percpu_devid_irq+0x9c/0x1e0
+ handle_domain_irq+0x64/0x90
+ gic_handle_irq+0x78/0xb0
+ call_on_irq_stack+0x28/0x38
+ do_interrupt_handler+0x54/0x5c
+ el1_interrupt+0x2c/0x4c
+ el1h_64_irq_handler+0x14/0x1c
+ el1h_64_irq+0x74/0x78
+ ath9k_txq_has_key+0x1bc/0x250 [ath9k]
+ ath9k_set_key+0x1cc/0x3dc [ath9k]
+ drv_set_key+0x78/0x170
+ ieee80211_key_replace+0x564/0x6cc
+ ieee80211_key_link+0x174/0x220
+ ieee80211_add_key+0x11c/0x300
+ nl80211_new_key+0x12c/0x330
+ genl_family_rcv_msg_doit+0xbc/0x11c
+ genl_rcv_msg+0xd8/0x1c4
+
netlink_rcv_skb+0x40/0x100
+ genl_rcv+0x3c/0x50
+ netlink_unicast+0x1ec/0x2c0
+ netlink_sendmsg+0x198/0x3c0
+ ____sys_sendmsg+0x210/0x250
+ ___sys_sendmsg+0x78/0xc4
+ __sys_sendmsg+0x4c/0x90
+ __arm64_sys_sendmsg+0x28/0x30
+ invoke_syscall.constprop.0+0x60/0x100
+ do_el0_svc+0x48/0xd0
+ el0_svc+0x14/0x50
+ el0t_64_sync_handler+0xa8/0xb0
+ el0t_64_sync+0x158/0x15c
+
+This rcu stall is hard to reproduce as is, but changing ATH_TXFIFO_DEPTH
+from 8 to 2 makes it reasonably easy to reproduce.
+
+Fixes: ca2848022c12 ("ath9k: Postpone key cache entry deletion for TXQ frames reference it")
+Signed-off-by: Remi Pommarel
+Tested-by: Nicolas Escande
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230609093744.1985-1-repk@triplefau.lt
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index 507d8c5149686..1afaa437619d3 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -846,7 +846,7 @@ static bool ath9k_txq_list_has_key(struct list_head *txq_list, u32 keyix)
+ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix)
+ {
+ struct ath_hw *ah = sc->sc_ah;
+- int i;
++ int i, j;
+ struct ath_txq *txq;
+ bool key_in_use = false;
+
+@@ -864,8 +864,9 @@ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix)
+ if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
+ int idx = txq->txq_tailidx;
+
+- while (!key_in_use &&
+- !list_empty(&txq->txq_fifo[idx])) {
++ for (j = 0; !key_in_use &&
++ !list_empty(&txq->txq_fifo[idx]) &&
++ j < ATH_TXFIFO_DEPTH; j++) {
+ key_in_use = ath9k_txq_list_has_key(
+ &txq->txq_fifo[idx], keyix);
+ INCR(idx, ATH_TXFIFO_DEPTH);
+--
+2.39.2
+
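Review bot: The new loop header in ath9k_txq_has_key() carries no explanation of why `j < ATH_TXFIFO_DEPTH` is there, and a bound with no stated reason is easy to drop in a later cleanup. A comment above the `for`, such as `/* idx wraps at ATH_TXFIFO_DEPTH; stop after one full pass so FIFOs that are all non-empty with other keys cannot spin here under the txq lock */`, would record what the commit message explains. Testing the bound first in the condition would also put the termination argument ahead of the list checks. The function continues outside the hunk.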
diff --git a/queue-4.14/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch b/queue-4.14/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch
new file mode 100644
index 00000000000..2702ec5983c
--- /dev/null
+++ b/queue-4.14/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch
@@ -0,0 +1,59 @@
+From 2817bcf5bac10dba64f6cde263968b6d6620dc37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 20 May 2023 09:53:14 +0200
+Subject: wifi: atmel: Fix an error handling path in atmel_probe()
+
+From: Christophe JAILLET
+
+[ Upstream commit 6b92e4351a29af52c285fe235e6e4d1a75de04b2 ]
+
+Should atmel_config() fail, some resources need to be released as already
+done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+atmel_probe(), not atmel_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Simon Horman
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1e65f174607a83348034197fa7d603bab10ba4a9.1684569156.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/atmel/atmel_cs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/atmel/atmel_cs.c b/drivers/net/wireless/atmel/atmel_cs.c
+index 7afc9c5329fb1..f5fa1a95b0c15 100644
+--- a/drivers/net/wireless/atmel/atmel_cs.c
++++ b/drivers/net/wireless/atmel/atmel_cs.c
+@@ -73,6 +73,7 @@ struct local_info {
+ static int atmel_probe(struct pcmcia_device *p_dev)
+ {
+ struct local_info *local;
++ int ret;
+
+ dev_dbg(&p_dev->dev, "atmel_attach()\n");
+
+@@ -83,8 +84,16 @@ static int atmel_probe(struct pcmcia_device *p_dev)
+
+ p_dev->priv = local;
+
+- return atmel_config(p_dev);
+-} /* atmel_attach */
++ ret = atmel_config(p_dev);
++ if (ret)
++ goto err_free_priv;
++
++ return 0;
++
++err_free_priv:
++ kfree(p_dev->priv);
++ return ret;
++}
+
+ static void atmel_detach(struct pcmcia_device *link)
+ {
+--
+2.39.2
+
diff --git a/queue-4.14/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch b/queue-4.14/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch
new file mode 100644
index 00000000000..5ad59f56169
--- /dev/null
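Review bot: The new `err_free_priv` path in atmel_probe() frees the buffer with `kfree(p_dev->priv)` but leaves `p_dev->priv` holding the freed address, so any later reader of that field on this device would touch freed memory. Nothing in the hunk shows such a reader after a failed probe, so this is hardening rather than a confirmed bug; I would free through the local and clear the field, `kfree(local);` followed by `p_dev->priv = NULL;`. The same pattern appears in the orinoco_cs and spectrum_cs patches (`link->priv` after `free_orinocodev(priv)`) and in the wl3501_cs patch (`p_dev->priv` after `free_netdev(dev)`). The allocation in atmel_probe() lies between the two hunks and is not visible here.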
+++ b/queue-4.14/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch
@@ -0,0 +1,58 @@
+From a937c86c33f74aa1377afc348b77d4ea28e31654 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 20 May 2023 09:38:22 +0200
+Subject: wifi: orinoco: Fix an error handling path in orinoco_cs_probe()
+
+From: Christophe JAILLET
+
+[ Upstream commit 67a81d911c01225f426cc6bee2373df044c1a9b7 ]
+
+Should orinoco_cs_config() fail, some resources need to be released as
+already done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+orinoco_cs_probe(), not orinoco_cs_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/e24735ce4d82901d5f7ea08419eea53bfdde3d65.1684568286.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intersil/orinoco/orinoco_cs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c
+index a956f965a1e5e..03bfd2482656c 100644
+--- a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c
++++ b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c
+@@ -96,6 +96,7 @@ orinoco_cs_probe(struct pcmcia_device *link)
+ {
+ struct orinoco_private *priv;
+ struct orinoco_pccard *card;
++ int ret;
+
+ priv = alloc_orinocodev(sizeof(*card), &link->dev,
+ orinoco_cs_hard_reset, NULL);
+@@ -107,8 +108,16 @@ orinoco_cs_probe(struct pcmcia_device *link)
+ card->p_dev = link;
+ link->priv = priv;
+
+- return orinoco_cs_config(link);
+-} /* orinoco_cs_attach */
++ ret = orinoco_cs_config(link);
++ if (ret)
++ goto err_free_orinocodev;
++
++ return 0;
++
++err_free_orinocodev:
++ free_orinocodev(priv);
++ return ret;
++}
+
+ static void orinoco_cs_detach(struct pcmcia_device *link)
+ {
+--
+2.39.2
+
diff --git a/queue-4.14/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch b/queue-4.14/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
new file mode 100644
index 00000000000..acb192147e6
--- /dev/null
+++ b/queue-4.14/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
@@ -0,0 +1,59 @@
+From 325689203eadd7186d6b6a63acd3e9b6d359608c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 20 May 2023 09:29:46 +0200
+Subject: wifi: orinoco: Fix an error handling path in spectrum_cs_probe()
+
+From: Christophe JAILLET
+
+[ Upstream commit 925244325159824385209e3e0e3f91fa6bf0646c ]
+
+Should spectrum_cs_config() fail, some resources need to be released as
+already done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+spectrum_cs_probe(), not spectrum_cs_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Simon Horman
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/c0bc0c21c58ca477fc5521607615bafbf2aef8eb.1684567733.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intersil/orinoco/spectrum_cs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
+index b60048c95e0a8..011c86e55923e 100644
+--- a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
++++ b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
+@@ -157,6 +157,7 @@ spectrum_cs_probe(struct pcmcia_device *link)
+ {
+ struct orinoco_private *priv;
+ struct orinoco_pccard *card;
++ int ret;
+
+ priv = alloc_orinocodev(sizeof(*card), &link->dev,
+ spectrum_cs_hard_reset,
+@@ -169,8 +170,16 @@ spectrum_cs_probe(struct pcmcia_device *link)
+ card->p_dev = link;
+ link->priv = priv;
+
+- return spectrum_cs_config(link);
+-} /* spectrum_cs_attach */
++ ret = spectrum_cs_config(link);
++ if (ret)
++ goto err_free_orinocodev;
++
++ return 0;
++
++err_free_orinocodev:
++ free_orinocodev(priv);
++ return ret;
++}
+
+ static void spectrum_cs_detach(struct pcmcia_device *link)
+ {
+--
+2.39.2
+
diff --git a/queue-4.14/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch b/queue-4.14/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch
new file mode 100644
index 00000000000..211bc76a259
--- /dev/null
+++ b/queue-4.14/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch
@@ -0,0 +1,69 @@
+From f1dbcacde6ea3007f38cbe5088a408f1279ba1d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 20 May 2023 10:13:22 +0200
+Subject: wifi: ray_cs: Fix an error handling path in ray_probe()
+
+From: Christophe JAILLET
+
+[ Upstream commit 4f8d66a9fb2edcd05c1e563456a55a08910bfb37 ]
+
+Should ray_config() fail, some resources need to be released as already
+done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+ray_probe(), not ray_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Simon Horman
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/8c544d18084f8b37dd108e844f7e79e85ff708ff.1684570373.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ray_cs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
+index 1ee1505632600..16d2385bd426e 100644
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -283,13 +283,14 @@ static int ray_probe(struct pcmcia_device *p_dev)
+ {
+ ray_dev_t *local;
+ struct net_device *dev;
++ int ret;
+
+ dev_dbg(&p_dev->dev, "ray_attach()\n");
+
+ /* Allocate space for private device-specific data */
+ dev = alloc_etherdev(sizeof(ray_dev_t));
+ if (!dev)
+- goto fail_alloc_dev;
++ return -ENOMEM;
+
+ local = netdev_priv(dev);
+ local->finder = p_dev;
+@@ -326,11 +327,16 @@ static int ray_probe(struct pcmcia_device *p_dev)
+ init_timer(&local->timer);
+
+ this_device = p_dev;
+- return ray_config(p_dev);
++ ret = ray_config(p_dev);
++ if (ret)
++ goto err_free_dev;
++
++ return 0;
+
+-fail_alloc_dev:
+- return -ENOMEM;
+-} /* ray_attach */
++err_free_dev:
++ free_netdev(dev);
++ return ret;
++}
+
+ static void ray_detach(struct pcmcia_device *link)
+ {
+--
+2.39.2
+
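Review bot: The `err_free_dev` path in ray_probe() calls `free_netdev(dev)` without undoing `this_device = p_dev;`, which the context line just above the `ray_config()` call sets before the failure can happen. `this_device` is not declared in the hunk, but if it is the file-scope pointer its name suggests, code that follows it to the device's private data after a failed probe would reach the freed net_device. Resetting it in the error path, `this_device = NULL;` before `free_netdev(dev);`, keeps the failure path symmetrical with the assignment. The part of ray_probe() between the two hunks is not shown, so whether `p_dev->priv` also needs clearing cannot be confirmed from here.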
diff --git a/queue-4.14/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch b/queue-4.14/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch
new file mode 100644
index 00000000000..a223cc84139
--- /dev/null
+++ b/queue-4.14/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch
@@ -0,0 +1,66 @@
+From 8dab0dbe39e8d71a496215662856df1d9694b6a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 20 May 2023 10:05:08 +0200
+Subject: wifi: wl3501_cs: Fix an error handling path in wl3501_probe()
+
+From: Christophe JAILLET
+
+[ Upstream commit 391af06a02e7642039ac5f6c4b2c034ab0992b5d ]
+
+Should wl3501_config() fail, some resources need to be released as already
+done in the remove function.
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Simon Horman
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/7cc9c9316489b7d69b36aeb0edd3123538500b41.1684569865.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/wl3501_cs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index cfde9b94b4b60..2eacd099a812f 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -1865,6 +1865,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev)
+ {
+ struct net_device *dev;
+ struct wl3501_card *this;
++ int ret;
+
+ /* The io structure describes IO port mapping */
+ p_dev->resource[0]->end = 16;
+@@ -1876,8 +1877,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev)
+
+ dev = alloc_etherdev(sizeof(struct wl3501_card));
+ if (!dev)
+- goto out_link;
+-
++ return -ENOMEM;
+
+ dev->netdev_ops = &wl3501_netdev_ops;
+ dev->watchdog_timeo = 5 * HZ;
+@@ -1890,9 +1890,15 @@ static int wl3501_probe(struct pcmcia_device *p_dev)
+ netif_stop_queue(dev);
+ p_dev->priv = dev;
+
+- return wl3501_config(p_dev);
+-out_link:
+- return -ENOMEM;
++ ret = wl3501_config(p_dev);
++ if (ret)
++ goto out_free_etherdev;
++
++ return 0;
++
++out_free_etherdev:
++ free_netdev(dev);
++ return ret;
+ }
+
+ static int wl3501_config(struct pcmcia_device *link)
+--
+2.39.2
+
-- 2.47.3