From 71bcadf59a0856206b594e76fecf1735569348d0 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 21 Jun 2024 11:39:29 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...s-empty-buckets-in-batadv_purge_orig.patch | 110 ++++++++++++++++++ ...ps-octeon-add-pcie-link-status-check.patch | 55 +++++++++ ...old-for-hp-pavilion-17-pc-1972-pcie-.patch | 71 +++++++++++ ...-clang-null-pointer-arithmetic-warni.patch | 85 ++++++++++++++ ...enforce-hcall-result-buffer-validity.patch | 82 +++++++++++++ ...cu_torture_one_read-pipe_count-overf.patch | 39 +++++++ ...rash-while-reading-debugfs-attribute.patch | 95 +++++++++++++++ queue-4.19/series | 9 ++ ...ent-overflow-in-udf_disk_stamp_to_ti.patch | 54 +++++++++ ...check-for-incompatible-versions-of-t.patch | 75 ++++++++++++ 10 files changed, 675 insertions(+) create mode 100644 queue-4.19/batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch create mode 100644 queue-4.19/mips-octeon-add-pcie-link-status-check.patch create mode 100644 queue-4.19/pci-pm-avoid-d3cold-for-hp-pavilion-17-pc-1972-pcie-.patch create mode 100644 queue-4.19/powerpc-io-avoid-clang-null-pointer-arithmetic-warni.patch create mode 100644 queue-4.19/powerpc-pseries-enforce-hcall-result-buffer-validity.patch create mode 100644 queue-4.19/rcutorture-fix-rcu_torture_one_read-pipe_count-overf.patch create mode 100644 queue-4.19/scsi-qedi-fix-crash-while-reading-debugfs-attribute.patch create mode 100644 queue-4.19/udf-udftime-prevent-overflow-in-udf_disk_stamp_to_ti.patch create mode 100644 queue-4.19/usb-misc-uss720-check-for-incompatible-versions-of-t.patch diff --git a/queue-4.19/batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch b/queue-4.19/batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch new file mode 100644 index 00000000000..d8ddb9c6cb4 --- /dev/null +++ b/queue-4.19/batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch @@ -0,0 +1,110 @@ +From 2c5f571f696e9f20878100bb42fac189f2fc55d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Mar 2024 15:54:38 +0000 +Subject: batman-adv: bypass empty buckets in batadv_purge_orig_ref() + +From: Eric Dumazet + +[ Upstream commit 40dc8ab605894acae1473e434944924a22cfaaa0 ] + +Many syzbot reports are pointing to soft lockups in +batadv_purge_orig_ref() [1] + +Root cause is unknown, but we can avoid spending too much +time there and perhaps get more interesting reports. + +[1] + +watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621] +Modules linked in: +irq event stamp: 6182794 + hardirqs last enabled at (6182793): [] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 + hardirqs last disabled at (6182794): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] + hardirqs last disabled at (6182794): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 + softirqs last enabled at (6182792): [] spin_unlock_bh include/linux/spinlock.h:396 [inline] + softirqs last enabled at (6182792): [] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 + softirqs last disabled at (6182790): [] spin_lock_bh include/linux/spinlock.h:356 [inline] + softirqs last disabled at (6182790): [] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271 +CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 +Workqueue: bat_events batadv_purge_orig +pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline] + pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388 + lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 +sp : ffff800099007970 +x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000 +x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001 +x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4 +x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0 +x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001 +x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003 +x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000 +x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000 +x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 +x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000 +Call trace: + __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline] + arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline] + __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386 + __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] + _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210 + spin_unlock_bh include/linux/spinlock.h:396 [inline] + batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 + batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300 + process_one_work+0x694/0x1204 kernel/workqueue.c:2633 + process_scheduled_works kernel/workqueue.c:2706 [inline] + worker_thread+0x938/0xef4 kernel/workqueue.c:2787 + kthread+0x288/0x310 kernel/kthread.c:388 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 +Sending NMI from CPU 0 to CPUs 1: +NMI backtrace for cpu 1 +CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 +pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51 + lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103 +sp : ffff800093a17d30 +x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4 +x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002 +x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000 +x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396 +x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001 +x14: 1fffe00036805f10 x13: 0000000000000000 x12: 0000000000000003 +x11: 0000000000000001 x10: 0000000000000003 x9 : 0000000000000000 +x8 : 00000000000ce8d1 x7 : ffff8000804609e4 x6 : 0000000000000000 +x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008ad6aac0 +x2 : 0000000000000000 x1 : ffff80008aedea60 x0 : ffff800125436000 +Call trace: + __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline] + arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:49 + cpuidle_idle_call kernel/sched/idle.c:170 [inline] + do_idle+0x1f0/0x4e8 kernel/sched/idle.c:312 + cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:410 + secondary_start_kernel+0x198/0x1c0 arch/arm64/kernel/smp.c:272 + __secondary_switched+0xb8/0xbc arch/arm64/kernel/head.S:404 + +Signed-off-by: Eric Dumazet +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/originator.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c +index 1d295da3e342b..c1ad1ae21eeac 100644 +--- a/net/batman-adv/originator.c ++++ b/net/batman-adv/originator.c +@@ -1358,6 +1358,8 @@ void batadv_purge_orig_ref(struct batadv_priv *bat_priv) + /* for all origins... */ + for (i = 0; i < hash->size; i++) { + head = &hash->table[i]; ++ if (hlist_empty(head)) ++ continue; + list_lock = &hash->list_locks[i]; + + spin_lock_bh(list_lock); +-- +2.43.0 + diff --git a/queue-4.19/mips-octeon-add-pcie-link-status-check.patch b/queue-4.19/mips-octeon-add-pcie-link-status-check.patch new file mode 100644 index 00000000000..3cd6ad7fa82 --- /dev/null +++ b/queue-4.19/mips-octeon-add-pcie-link-status-check.patch @@ -0,0 +1,55 @@ +From fb497fb1a1c3652d85be62ea11eddb47d469f3da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 23:22:00 +0800 +Subject: MIPS: Octeon: Add PCIe link status check + +From: Songyang Li + +[ Upstream commit 29b83a64df3b42c88c0338696feb6fdcd7f1f3b7 ] + +The standard PCIe configuration read-write interface is used to +access the configuration space of the peripheral PCIe devices +of the mips processor after the PCIe link surprise down, it can +generate kernel panic caused by "Data bus error". So it is +necessary to add PCIe link status check for system protection. +When the PCIe link is down or in training, assigning a value +of 0 to the configuration address can prevent read-write behavior +to the configuration space of peripheral PCIe devices, thereby +preventing kernel panic. + +Signed-off-by: Songyang Li +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/pci/pcie-octeon.c | 6 ++++++ + 1 file changed, 6 insertions(+) + mode change 100644 => 100755 arch/mips/pci/pcie-octeon.c + +diff --git a/arch/mips/pci/pcie-octeon.c b/arch/mips/pci/pcie-octeon.c +old mode 100644 +new mode 100755 +index d919a0d813a17..38de2a9c3cf1a +--- a/arch/mips/pci/pcie-octeon.c ++++ b/arch/mips/pci/pcie-octeon.c +@@ -230,12 +230,18 @@ static inline uint64_t __cvmx_pcie_build_config_addr(int pcie_port, int bus, + { + union cvmx_pcie_address pcie_addr; + union cvmx_pciercx_cfg006 pciercx_cfg006; ++ union cvmx_pciercx_cfg032 pciercx_cfg032; + + pciercx_cfg006.u32 = + cvmx_pcie_cfgx_read(pcie_port, CVMX_PCIERCX_CFG006(pcie_port)); + if ((bus <= pciercx_cfg006.s.pbnum) && (dev != 0)) + return 0; + ++ pciercx_cfg032.u32 = ++ cvmx_pcie_cfgx_read(pcie_port, CVMX_PCIERCX_CFG032(pcie_port)); ++ if ((pciercx_cfg032.s.dlla == 0) || (pciercx_cfg032.s.lt == 1)) ++ return 0; ++ + pcie_addr.u64 = 0; + pcie_addr.config.upper = 2; + pcie_addr.config.io = 1; +-- +2.43.0 + diff --git a/queue-4.19/pci-pm-avoid-d3cold-for-hp-pavilion-17-pc-1972-pcie-.patch b/queue-4.19/pci-pm-avoid-d3cold-for-hp-pavilion-17-pc-1972-pcie-.patch new file mode 100644 index 00000000000..8269f20e878 --- /dev/null +++ b/queue-4.19/pci-pm-avoid-d3cold-for-hp-pavilion-17-pc-1972-pcie-.patch @@ -0,0 +1,71 @@ +From 1758829f7ddd3d6c982e66dc316ee8ea9004f48d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 10:37:09 -0600 +Subject: PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports + +From: Mario Limonciello + +[ Upstream commit 256df20c590bf0e4d63ac69330cf23faddac3e08 ] + +Hewlett-Packard HP Pavilion 17 Notebook PC/1972 is an Intel Ivy Bridge +system with a muxless AMD Radeon dGPU. Attempting to use the dGPU fails +with the following sequence: + + ACPI Error: Aborting method \AMD3._ON due to previous error (AE_AML_LOOP_TIMEOUT) (20230628/psparse-529) + radeon 0000:01:00.0: not ready 1023ms after resume; waiting + radeon 0000:01:00.0: not ready 2047ms after resume; waiting + radeon 0000:01:00.0: not ready 4095ms after resume; waiting + radeon 0000:01:00.0: not ready 8191ms after resume; waiting + radeon 0000:01:00.0: not ready 16383ms after resume; waiting + radeon 0000:01:00.0: not ready 32767ms after resume; waiting + radeon 0000:01:00.0: not ready 65535ms after resume; giving up + radeon 0000:01:00.0: Unable to change power state from D3cold to D0, device inaccessible + +The issue is that the Root Port the dGPU is connected to can't handle the +transition from D3cold to D0 so the dGPU can't properly exit runtime PM. + +The existing logic in pci_bridge_d3_possible() checks for systems that are +newer than 2015 to decide that D3 is safe. This would nominally work for +an Ivy Bridge system (which was discontinued in 2015), but this system +appears to have continued to receive BIOS updates until 2017 and so this +existing logic doesn't appropriately capture it. + +Add the system to bridge_d3_blacklist to prevent D3cold from being used. + +Link: https://lore.kernel.org/r/20240307163709.323-1-mario.limonciello@amd.com +Reported-by: Eric Heintzmann +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3229 +Signed-off-by: Mario Limonciello +Signed-off-by: Bjorn Helgaas +Tested-by: Eric Heintzmann +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 2ac400adaee11..4f229cb5d2a9f 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -2530,6 +2530,18 @@ static const struct dmi_system_id bridge_d3_blacklist[] = { + DMI_MATCH(DMI_BOARD_VERSION, "Continental Z2"), + }, + }, ++ { ++ /* ++ * Changing power state of root port dGPU is connected fails ++ * https://gitlab.freedesktop.org/drm/amd/-/issues/3229 ++ */ ++ .ident = "Hewlett-Packard HP Pavilion 17 Notebook PC/1972", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"), ++ DMI_MATCH(DMI_BOARD_NAME, "1972"), ++ DMI_MATCH(DMI_BOARD_VERSION, "95.33"), ++ }, ++ }, + #endif + { } + }; +-- +2.43.0 + diff --git a/queue-4.19/powerpc-io-avoid-clang-null-pointer-arithmetic-warni.patch b/queue-4.19/powerpc-io-avoid-clang-null-pointer-arithmetic-warni.patch new file mode 100644 index 00000000000..b2e7c7310b6 --- /dev/null +++ b/queue-4.19/powerpc-io-avoid-clang-null-pointer-arithmetic-warni.patch @@ -0,0 +1,85 @@ +From 0f741122c81e391795cc78c7f34b51f0d315432b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 May 2024 17:56:18 +1000 +Subject: powerpc/io: Avoid clang null pointer arithmetic warnings + +From: Michael Ellerman + +[ Upstream commit 03c0f2c2b2220fc9cf8785cd7b61d3e71e24a366 ] + +With -Wextra clang warns about pointer arithmetic using a null pointer. +When building with CONFIG_PCI=n, that triggers a warning in the IO +accessors, eg: + + In file included from linux/arch/powerpc/include/asm/io.h:672: + linux/arch/powerpc/include/asm/io-defs.h:23:1: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] + 23 | DEF_PCI_AC_RET(inb, u8, (unsigned long port), (port), pio, port) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ... + linux/arch/powerpc/include/asm/io.h:591:53: note: expanded from macro '__do_inb' + 591 | #define __do_inb(port) readb((PCI_IO_ADDR)_IO_BASE + port); + | ~~~~~~~~~~~~~~~~~~~~~ ^ + +That is because when CONFIG_PCI=n, _IO_BASE is defined as 0. + +Although _IO_BASE is defined as plain 0, the cast (PCI_IO_ADDR) converts +it to void * before the addition with port happens. + +Instead the addition can be done first, and then the cast. The resulting +value will be the same, but avoids the warning, and also avoids void +pointer arithmetic which is apparently non-standard. + +Reported-by: Naresh Kamboju +Closes: https://lore.kernel.org/all/CA+G9fYtEh8zmq8k8wE-8RZwW-Qr927RLTn+KqGnq1F=ptaaNsA@mail.gmail.com +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240503075619.394467-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/io.h | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h +index 4681d4c50567e..5ff8ab12f56c7 100644 +--- a/arch/powerpc/include/asm/io.h ++++ b/arch/powerpc/include/asm/io.h +@@ -569,12 +569,12 @@ __do_out_asm(_rec_outl, "stwbrx") + #define __do_inw(port) _rec_inw(port) + #define __do_inl(port) _rec_inl(port) + #else /* CONFIG_PPC32 */ +-#define __do_outb(val, port) writeb(val,(PCI_IO_ADDR)_IO_BASE+port); +-#define __do_outw(val, port) writew(val,(PCI_IO_ADDR)_IO_BASE+port); +-#define __do_outl(val, port) writel(val,(PCI_IO_ADDR)_IO_BASE+port); +-#define __do_inb(port) readb((PCI_IO_ADDR)_IO_BASE + port); +-#define __do_inw(port) readw((PCI_IO_ADDR)_IO_BASE + port); +-#define __do_inl(port) readl((PCI_IO_ADDR)_IO_BASE + port); ++#define __do_outb(val, port) writeb(val,(PCI_IO_ADDR)(_IO_BASE+port)); ++#define __do_outw(val, port) writew(val,(PCI_IO_ADDR)(_IO_BASE+port)); ++#define __do_outl(val, port) writel(val,(PCI_IO_ADDR)(_IO_BASE+port)); ++#define __do_inb(port) readb((PCI_IO_ADDR)(_IO_BASE + port)); ++#define __do_inw(port) readw((PCI_IO_ADDR)(_IO_BASE + port)); ++#define __do_inl(port) readl((PCI_IO_ADDR)(_IO_BASE + port)); + #endif /* !CONFIG_PPC32 */ + + #ifdef CONFIG_EEH +@@ -590,12 +590,12 @@ __do_out_asm(_rec_outl, "stwbrx") + #define __do_writesw(a, b, n) _outsw(PCI_FIX_ADDR(a),(b),(n)) + #define __do_writesl(a, b, n) _outsl(PCI_FIX_ADDR(a),(b),(n)) + +-#define __do_insb(p, b, n) readsb((PCI_IO_ADDR)_IO_BASE+(p), (b), (n)) +-#define __do_insw(p, b, n) readsw((PCI_IO_ADDR)_IO_BASE+(p), (b), (n)) +-#define __do_insl(p, b, n) readsl((PCI_IO_ADDR)_IO_BASE+(p), (b), (n)) +-#define __do_outsb(p, b, n) writesb((PCI_IO_ADDR)_IO_BASE+(p),(b),(n)) +-#define __do_outsw(p, b, n) writesw((PCI_IO_ADDR)_IO_BASE+(p),(b),(n)) +-#define __do_outsl(p, b, n) writesl((PCI_IO_ADDR)_IO_BASE+(p),(b),(n)) ++#define __do_insb(p, b, n) readsb((PCI_IO_ADDR)(_IO_BASE+(p)), (b), (n)) ++#define __do_insw(p, b, n) readsw((PCI_IO_ADDR)(_IO_BASE+(p)), (b), (n)) ++#define __do_insl(p, b, n) readsl((PCI_IO_ADDR)(_IO_BASE+(p)), (b), (n)) ++#define __do_outsb(p, b, n) writesb((PCI_IO_ADDR)(_IO_BASE+(p)),(b),(n)) ++#define __do_outsw(p, b, n) writesw((PCI_IO_ADDR)(_IO_BASE+(p)),(b),(n)) ++#define __do_outsl(p, b, n) writesl((PCI_IO_ADDR)(_IO_BASE+(p)),(b),(n)) + + #define __do_memset_io(addr, c, n) \ + _memset_io(PCI_FIX_ADDR(addr), c, n) +-- +2.43.0 + diff --git a/queue-4.19/powerpc-pseries-enforce-hcall-result-buffer-validity.patch b/queue-4.19/powerpc-pseries-enforce-hcall-result-buffer-validity.patch new file mode 100644 index 00000000000..0067197ca70 --- /dev/null +++ b/queue-4.19/powerpc-pseries-enforce-hcall-result-buffer-validity.patch @@ -0,0 +1,82 @@ +From ad2aa563c9b1beca7490b5d28a2aefa8c017e00d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 09:08:31 -0500 +Subject: powerpc/pseries: Enforce hcall result buffer validity and size + +From: Nathan Lynch + +[ Upstream commit ff2e185cf73df480ec69675936c4ee75a445c3e4 ] + +plpar_hcall(), plpar_hcall9(), and related functions expect callers to +provide valid result buffers of certain minimum size. Currently this +is communicated only through comments in the code and the compiler has +no idea. + +For example, if I write a bug like this: + + long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE + plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...); + +This compiles with no diagnostics emitted, but likely results in stack +corruption at runtime when plpar_hcall9() stores results past the end +of the array. (To be clear this is a contrived example and I have not +found a real instance yet.) + +To make this class of error less likely, we can use explicitly-sized +array parameters instead of pointers in the declarations for the hcall +APIs. When compiled with -Warray-bounds[1], the code above now +provokes a diagnostic like this: + +error: array argument is too small; +is of size 32, callee requires at least 72 [-Werror,-Warray-bounds] + 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, + | ^ ~~~~~~ + +[1] Enabled for LLVM builds but not GCC for now. See commit + 0da6e5fd6c37 ("gcc: disable '-Warray-bounds' for gcc-13 too") and + related changes. + +Signed-off-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240408-pseries-hvcall-retbuf-v1-1-ebc73d7253cf@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/hvcall.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h +index 2bbf6c01a13d7..1fb2c4a3eb54b 100644 +--- a/arch/powerpc/include/asm/hvcall.h ++++ b/arch/powerpc/include/asm/hvcall.h +@@ -383,7 +383,7 @@ long plpar_hcall_norets(unsigned long opcode, ...); + * Used for all but the craziest of phyp interfaces (see plpar_hcall9) + */ + #define PLPAR_HCALL_BUFSIZE 4 +-long plpar_hcall(unsigned long opcode, unsigned long *retbuf, ...); ++long plpar_hcall(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL_BUFSIZE], ...); + + /** + * plpar_hcall_raw: - Make a hypervisor call without calculating hcall stats +@@ -397,7 +397,7 @@ long plpar_hcall(unsigned long opcode, unsigned long *retbuf, ...); + * plpar_hcall, but plpar_hcall_raw works in real mode and does not + * calculate hypervisor call statistics. + */ +-long plpar_hcall_raw(unsigned long opcode, unsigned long *retbuf, ...); ++long plpar_hcall_raw(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL_BUFSIZE], ...); + + /** + * plpar_hcall9: - Make a pseries hypervisor call with up to 9 return arguments +@@ -408,8 +408,8 @@ long plpar_hcall_raw(unsigned long opcode, unsigned long *retbuf, ...); + * PLPAR_HCALL9_BUFSIZE to size the return argument buffer. + */ + #define PLPAR_HCALL9_BUFSIZE 9 +-long plpar_hcall9(unsigned long opcode, unsigned long *retbuf, ...); +-long plpar_hcall9_raw(unsigned long opcode, unsigned long *retbuf, ...); ++long plpar_hcall9(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL9_BUFSIZE], ...); ++long plpar_hcall9_raw(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL9_BUFSIZE], ...); + + struct hvcall_mpp_data { + unsigned long entitled_mem; +-- +2.43.0 + diff --git a/queue-4.19/rcutorture-fix-rcu_torture_one_read-pipe_count-overf.patch b/queue-4.19/rcutorture-fix-rcu_torture_one_read-pipe_count-overf.patch new file mode 100644 index 00000000000..059c79d0cd9 --- /dev/null +++ b/queue-4.19/rcutorture-fix-rcu_torture_one_read-pipe_count-overf.patch @@ -0,0 +1,39 @@ +From 6fc847b530e2b49b645958fe51c56a5a6e87e364 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 19:21:47 -0800 +Subject: rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment + +From: Paul E. McKenney + +[ Upstream commit 8b9b443fa860276822b25057cb3ff3b28734dec0 ] + +The "pipe_count > RCU_TORTURE_PIPE_LEN" check has a comment saying "Should +not happen, but...". This is only true when testing an RCU whose grace +periods are always long enough. This commit therefore fixes this comment. + +Reported-by: Linus Torvalds +Closes: https://lore.kernel.org/lkml/CAHk-=wi7rJ-eGq+xaxVfzFEgbL9tdf6Kc8Z89rCpfcQOKm74Tw@mail.gmail.com/ +Signed-off-by: Paul E. McKenney +Signed-off-by: Uladzislau Rezki (Sony) +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcutorture.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c +index 0b7af7e2bcbb1..8986ef3a95888 100644 +--- a/kernel/rcu/rcutorture.c ++++ b/kernel/rcu/rcutorture.c +@@ -1334,7 +1334,8 @@ static bool rcu_torture_one_read(struct torture_random_state *trsp) + preempt_disable(); + pipe_count = p->rtort_pipe_count; + if (pipe_count > RCU_TORTURE_PIPE_LEN) { +- /* Should not happen, but... */ ++ // Should not happen in a correct RCU implementation, ++ // happens quite often for torture_type=busted. + pipe_count = RCU_TORTURE_PIPE_LEN; + } + completed = cur_ops->get_gp_seq(); +-- +2.43.0 + diff --git a/queue-4.19/scsi-qedi-fix-crash-while-reading-debugfs-attribute.patch b/queue-4.19/scsi-qedi-fix-crash-while-reading-debugfs-attribute.patch new file mode 100644 index 00000000000..a533596773e --- /dev/null +++ b/queue-4.19/scsi-qedi-fix-crash-while-reading-debugfs-attribute.patch @@ -0,0 +1,95 @@ +From 14d84863e926c48a2a24072a18e625e30d6b54f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 12:51:55 +0530 +Subject: scsi: qedi: Fix crash while reading debugfs attribute + +From: Manish Rangankar + +[ Upstream commit 28027ec8e32ecbadcd67623edb290dad61e735b5 ] + +The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly +on a __user pointer, which results into the crash. + +To fix this issue, use a small local stack buffer for sprintf() and then +call simple_read_from_buffer(), which in turns make the copy_to_user() +call. + +BUG: unable to handle page fault for address: 00007f4801111000 +PGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0 +Oops: 0002 [#1] PREEMPT SMP PTI +Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023 +RIP: 0010:memcpy_orig+0xcd/0x130 +RSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202 +RAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f +RDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000 +RBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572 +R10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff +R13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af +FS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + ? __die_body+0x1a/0x60 + ? page_fault_oops+0x183/0x510 + ? exc_page_fault+0x69/0x150 + ? asm_exc_page_fault+0x22/0x30 + ? memcpy_orig+0xcd/0x130 + vsnprintf+0x102/0x4c0 + sprintf+0x51/0x80 + qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324] + full_proxy_read+0x50/0x80 + vfs_read+0xa5/0x2e0 + ? folio_add_new_anon_rmap+0x44/0xa0 + ? set_pte_at+0x15/0x30 + ? do_pte_missing+0x426/0x7f0 + ksys_read+0xa5/0xe0 + do_syscall_64+0x58/0x80 + ? __count_memcg_events+0x46/0x90 + ? count_memcg_event_mm+0x3d/0x60 + ? handle_mm_fault+0x196/0x2f0 + ? do_user_addr_fault+0x267/0x890 + ? exc_page_fault+0x69/0x150 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7f4800f20b4d + +Tested-by: Martin Hoyer +Reviewed-by: John Meneghini +Signed-off-by: Manish Rangankar +Link: https://lore.kernel.org/r/20240415072155.30840-1-mrangankar@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_debugfs.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/qedi/qedi_debugfs.c b/drivers/scsi/qedi/qedi_debugfs.c +index fd914ca4149a8..6bb5f2b31b881 100644 +--- a/drivers/scsi/qedi/qedi_debugfs.c ++++ b/drivers/scsi/qedi/qedi_debugfs.c +@@ -136,15 +136,11 @@ static ssize_t + qedi_dbg_do_not_recover_cmd_read(struct file *filp, char __user *buffer, + size_t count, loff_t *ppos) + { +- size_t cnt = 0; +- +- if (*ppos) +- return 0; ++ char buf[64]; ++ int len; + +- cnt = sprintf(buffer, "do_not_recover=%d\n", qedi_do_not_recover); +- cnt = min_t(int, count, cnt - *ppos); +- *ppos += cnt; +- return cnt; ++ len = sprintf(buf, "do_not_recover=%d\n", qedi_do_not_recover); ++ return simple_read_from_buffer(buffer, count, ppos, buf, len); + } + + static int +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 8c0f61b53fd..9baefe272ef 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -63,3 +63,12 @@ nilfs2-fix-potential-kernel-bug-due-to-lack-of-writeback-flag-waiting.patch hv_utils-drain-the-timesync-packets-on-onchannelcallback.patch hugetlb_encode.h-fix-undefined-behaviour-34-26.patch usb-storage-alauda-check-whether-the-media-is-initia.patch +rcutorture-fix-rcu_torture_one_read-pipe_count-overf.patch +batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch +scsi-qedi-fix-crash-while-reading-debugfs-attribute.patch +powerpc-pseries-enforce-hcall-result-buffer-validity.patch +powerpc-io-avoid-clang-null-pointer-arithmetic-warni.patch +usb-misc-uss720-check-for-incompatible-versions-of-t.patch +udf-udftime-prevent-overflow-in-udf_disk_stamp_to_ti.patch +pci-pm-avoid-d3cold-for-hp-pavilion-17-pc-1972-pcie-.patch +mips-octeon-add-pcie-link-status-check.patch diff --git a/queue-4.19/udf-udftime-prevent-overflow-in-udf_disk_stamp_to_ti.patch b/queue-4.19/udf-udftime-prevent-overflow-in-udf_disk_stamp_to_ti.patch new file mode 100644 index 00000000000..bb61bbb8b79 --- /dev/null +++ b/queue-4.19/udf-udftime-prevent-overflow-in-udf_disk_stamp_to_ti.patch @@ -0,0 +1,54 @@ +From 9e35c19767bc7259a047984b49076917ef9c6393 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 16:27:55 +0300 +Subject: udf: udftime: prevent overflow in udf_disk_stamp_to_time() + +From: Roman Smirnov + +[ Upstream commit 3b84adf460381169c085e4bc09e7b57e9e16db0a ] + +An overflow can occur in a situation where src.centiseconds +takes the value of 255. This situation is unlikely, but there +is no validation check anywere in the code. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Suggested-by: Jan Kara +Signed-off-by: Roman Smirnov +Reviewed-by: Sergey Shtylyov +Signed-off-by: Jan Kara +Message-Id: <20240327132755.13945-1-r.smirnov@omp.ru> +Signed-off-by: Sasha Levin +--- + fs/udf/udftime.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/udf/udftime.c b/fs/udf/udftime.c +index fce4ad976c8c2..26169b1f482c3 100644 +--- a/fs/udf/udftime.c ++++ b/fs/udf/udftime.c +@@ -60,13 +60,18 @@ udf_disk_stamp_to_time(struct timespec64 *dest, struct timestamp src) + dest->tv_sec = mktime64(year, src.month, src.day, src.hour, src.minute, + src.second); + dest->tv_sec -= offset * 60; +- dest->tv_nsec = 1000 * (src.centiseconds * 10000 + +- src.hundredsOfMicroseconds * 100 + src.microseconds); ++ + /* + * Sanitize nanosecond field since reportedly some filesystems are + * recorded with bogus sub-second values. + */ +- dest->tv_nsec %= NSEC_PER_SEC; ++ if (src.centiseconds < 100 && src.hundredsOfMicroseconds < 100 && ++ src.microseconds < 100) { ++ dest->tv_nsec = 1000 * (src.centiseconds * 10000 + ++ src.hundredsOfMicroseconds * 100 + src.microseconds); ++ } else { ++ dest->tv_nsec = 0; ++ } + } + + void +-- +2.43.0 + diff --git a/queue-4.19/usb-misc-uss720-check-for-incompatible-versions-of-t.patch b/queue-4.19/usb-misc-uss720-check-for-incompatible-versions-of-t.patch new file mode 100644 index 00000000000..be1f2172999 --- /dev/null +++ b/queue-4.19/usb-misc-uss720-check-for-incompatible-versions-of-t.patch @@ -0,0 +1,75 @@ +From e3cbc6b6089f5bf7dff8b76c010198dce94cb02a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 09:07:11 -0600 +Subject: usb: misc: uss720: check for incompatible versions of the Belkin + F5U002 + +From: Alex Henrie + +[ Upstream commit 3295f1b866bfbcabd625511968e8a5c541f9ab32 ] + +The incompatible device in my possession has a sticker that says +"F5U002 Rev 2" and "P80453-B", and lsusb identifies it as +"050d:0002 Belkin Components IEEE-1284 Controller". There is a bug +report from 2007 from Michael Trausch who was seeing the exact same +errors that I saw in 2024 trying to use this cable. + +Link: https://lore.kernel.org/all/46DE5830.9060401@trausch.us/ +Signed-off-by: Alex Henrie +Link: https://lore.kernel.org/r/20240326150723.99939-5-alexhenrie24@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/uss720.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c +index 0be8efcda15d5..d972c09629397 100644 +--- a/drivers/usb/misc/uss720.c ++++ b/drivers/usb/misc/uss720.c +@@ -677,7 +677,7 @@ static int uss720_probe(struct usb_interface *intf, + struct parport_uss720_private *priv; + struct parport *pp; + unsigned char reg; +- int i; ++ int ret; + + dev_dbg(&intf->dev, "probe: vendor id 0x%x, device id 0x%x\n", + le16_to_cpu(usbdev->descriptor.idVendor), +@@ -688,8 +688,8 @@ static int uss720_probe(struct usb_interface *intf, + usb_put_dev(usbdev); + return -ENODEV; + } +- i = usb_set_interface(usbdev, intf->altsetting->desc.bInterfaceNumber, 2); +- dev_dbg(&intf->dev, "set interface result %d\n", i); ++ ret = usb_set_interface(usbdev, intf->altsetting->desc.bInterfaceNumber, 2); ++ dev_dbg(&intf->dev, "set interface result %d\n", ret); + + interface = intf->cur_altsetting; + +@@ -725,12 +725,18 @@ static int uss720_probe(struct usb_interface *intf, + set_1284_register(pp, 7, 0x00, GFP_KERNEL); + set_1284_register(pp, 6, 0x30, GFP_KERNEL); /* PS/2 mode */ + set_1284_register(pp, 2, 0x0c, GFP_KERNEL); +- /* debugging */ +- get_1284_register(pp, 0, ®, GFP_KERNEL); ++ ++ /* The Belkin F5U002 Rev 2 P80453-B USB parallel port adapter shares the ++ * device ID 050d:0002 with some other device that works with this ++ * driver, but it itself does not. Detect and handle the bad cable ++ * here. */ ++ ret = get_1284_register(pp, 0, ®, GFP_KERNEL); + dev_dbg(&intf->dev, "reg: %7ph\n", priv->reg); ++ if (ret < 0) ++ return ret; + +- i = usb_find_last_int_in_endpoint(interface, &epd); +- if (!i) { ++ ret = usb_find_last_int_in_endpoint(interface, &epd); ++ if (!ret) { + dev_dbg(&intf->dev, "epaddr %d interval %d\n", + epd->bEndpointAddress, epd->bInterval); + } +-- +2.43.0 + -- 2.47.3