From 743a1876a223ae5734b82113e1e74c98400f96ae Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 10 Sep 2023 11:38:05 +0100 Subject: [PATCH] 6.1-stable patches added patches: cpufreq-brcmstb-avs-cpufreq-fix-warray-bounds-bug.patch crypto-stm32-fix-loop-iterating-through-scatterlist-for-dma.patch of-property-fw_devlink-add-a-devlink-for-panel-followers.patch s390-dasd-fix-string-length-handling.patch s390-dcssblk-fix-kernel-crash-with-list_add-corruption.patch s390-ipl-add-missing-secure-has_secure-file-to-ipl-type-unknown.patch --- ...tb-avs-cpufreq-fix-warray-bounds-bug.patch | 64 +++++++++ ...terating-through-scatterlist-for-dma.patch | 37 ++++++ ...nk-add-a-devlink-for-panel-followers.patch | 44 +++++++ ...s390-dasd-fix-string-length-handling.patch | 122 ++++++++++++++++++ ...ernel-crash-with-list_add-corruption.patch | 70 ++++++++++ ...-has_secure-file-to-ipl-type-unknown.patch | 37 ++++++ queue-6.1/series | 6 + 7 files changed, 380 insertions(+) create mode 100644 queue-6.1/cpufreq-brcmstb-avs-cpufreq-fix-warray-bounds-bug.patch create mode 100644 queue-6.1/crypto-stm32-fix-loop-iterating-through-scatterlist-for-dma.patch create mode 100644 queue-6.1/of-property-fw_devlink-add-a-devlink-for-panel-followers.patch create mode 100644 queue-6.1/s390-dasd-fix-string-length-handling.patch create mode 100644 queue-6.1/s390-dcssblk-fix-kernel-crash-with-list_add-corruption.patch create mode 100644 queue-6.1/s390-ipl-add-missing-secure-has_secure-file-to-ipl-type-unknown.patch diff --git a/queue-6.1/cpufreq-brcmstb-avs-cpufreq-fix-warray-bounds-bug.patch b/queue-6.1/cpufreq-brcmstb-avs-cpufreq-fix-warray-bounds-bug.patch new file mode 100644 index 00000000000..ee1c18782d7 --- /dev/null +++ b/queue-6.1/cpufreq-brcmstb-avs-cpufreq-fix-warray-bounds-bug.patch @@ -0,0 +1,64 @@ +From e520d0b6be950ce3738cf4b9bd3b392be818f1dc Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 31 Jul 2023 21:15:48 -0600 +Subject: cpufreq: brcmstb-avs-cpufreq: Fix -Warray-bounds bug + +From: Gustavo A. R. Silva + +commit e520d0b6be950ce3738cf4b9bd3b392be818f1dc upstream. + +Allocate extra space for terminating element at: + +drivers/cpufreq/brcmstb-avs-cpufreq.c: +449 table[i].frequency = CPUFREQ_TABLE_END; + +and add code comment to make this clear. + +This fixes the following -Warray-bounds warning seen after building +ARM with multi_v7_defconfig (GCC 13): +In function 'brcm_avs_get_freq_table', + inlined from 'brcm_avs_cpufreq_init' at drivers/cpufreq/brcmstb-avs-cpufreq.c:623:15: +drivers/cpufreq/brcmstb-avs-cpufreq.c:449:28: warning: array subscript 5 is outside array bounds of 'void[60]' [-Warray-bounds=] + 449 | table[i].frequency = CPUFREQ_TABLE_END; +In file included from include/linux/node.h:18, + from include/linux/cpu.h:17, + from include/linux/cpufreq.h:12, + from drivers/cpufreq/brcmstb-avs-cpufreq.c:44: +In function 'devm_kmalloc_array', + inlined from 'devm_kcalloc' at include/linux/device.h:328:9, + inlined from 'brcm_avs_get_freq_table' at drivers/cpufreq/brcmstb-avs-cpufreq.c:437:10, + inlined from 'brcm_avs_cpufreq_init' at drivers/cpufreq/brcmstb-avs-cpufreq.c:623:15: +include/linux/device.h:323:16: note: at offset 60 into object of size 60 allocated by 'devm_kmalloc' + 323 | return devm_kmalloc(dev, bytes, flags); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This helps with the ongoing efforts to tighten the FORTIFY_SOURCE +routines on memcpy() and help us make progress towards globally +enabling -Warray-bounds. + +Link: https://github.com/KSPP/linux/issues/324 +Fixes: de322e085995 ("cpufreq: brcmstb-avs-cpufreq: AVS CPUfreq driver for Broadcom STB SoCs") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Florian Fainelli +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/brcmstb-avs-cpufreq.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/cpufreq/brcmstb-avs-cpufreq.c ++++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c +@@ -434,7 +434,11 @@ brcm_avs_get_freq_table(struct device *d + if (ret) + return ERR_PTR(ret); + +- table = devm_kcalloc(dev, AVS_PSTATE_MAX + 1, sizeof(*table), ++ /* ++ * We allocate space for the 5 different P-STATES AVS, ++ * plus extra space for a terminating element. ++ */ ++ table = devm_kcalloc(dev, AVS_PSTATE_MAX + 1 + 1, sizeof(*table), + GFP_KERNEL); + if (!table) + return ERR_PTR(-ENOMEM); diff --git a/queue-6.1/crypto-stm32-fix-loop-iterating-through-scatterlist-for-dma.patch b/queue-6.1/crypto-stm32-fix-loop-iterating-through-scatterlist-for-dma.patch new file mode 100644 index 00000000000..b6a1800ab12 --- /dev/null +++ b/queue-6.1/crypto-stm32-fix-loop-iterating-through-scatterlist-for-dma.patch @@ -0,0 +1,37 @@ +From d9c83f71eeceed2cb54bb78be84f2d4055fd9a1f Mon Sep 17 00:00:00 2001 +From: Thomas Bourgoin +Date: Thu, 13 Jul 2023 17:15:15 +0200 +Subject: crypto: stm32 - fix loop iterating through scatterlist for DMA + +From: Thomas Bourgoin + +commit d9c83f71eeceed2cb54bb78be84f2d4055fd9a1f upstream. + +We were reading the length of the scatterlist sg after copying value of +tsg inside. +So we are using the size of the previous scatterlist and for the first +one we are using an unitialised value. +Fix this by copying tsg in sg[0] before reading the size. + +Fixes : 8a1012d3f2ab ("crypto: stm32 - Support for STM32 HASH module") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Bourgoin +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/stm32/stm32-hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/stm32/stm32-hash.c ++++ b/drivers/crypto/stm32/stm32-hash.c +@@ -565,9 +565,9 @@ static int stm32_hash_dma_send(struct st + } + + for_each_sg(rctx->sg, tsg, rctx->nents, i) { ++ sg[0] = *tsg; + len = sg->length; + +- sg[0] = *tsg; + if (sg_is_last(sg)) { + if (hdev->dma_mode == 1) { + len = (ALIGN(sg->length, 16) - 16); diff --git a/queue-6.1/of-property-fw_devlink-add-a-devlink-for-panel-followers.patch b/queue-6.1/of-property-fw_devlink-add-a-devlink-for-panel-followers.patch new file mode 100644 index 00000000000..5fd45a8b66a --- /dev/null +++ b/queue-6.1/of-property-fw_devlink-add-a-devlink-for-panel-followers.patch @@ -0,0 +1,44 @@ +From fbf0ea2da3c7cd0b33ed7ae53a67ab1c24838cba Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Thu, 27 Jul 2023 10:16:31 -0700 +Subject: of: property: fw_devlink: Add a devlink for panel followers + +From: Douglas Anderson + +commit fbf0ea2da3c7cd0b33ed7ae53a67ab1c24838cba upstream. + +Inform fw_devlink of the fact that a panel follower (like a +touchscreen) is effectively a consumer of the panel from the purposes +of fw_devlink. + +NOTE: this patch isn't required for correctness but instead optimizes +probe order / helps avoid deferrals. + +Acked-by: Rob Herring +Reviewed-by: Maxime Ripard +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20230727101636.v4.4.Ibf8e1342b5b7906279db2365aca45e6253857bb3@changeid +Cc: Adam Ford +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/property.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/of/property.c ++++ b/drivers/of/property.c +@@ -1266,6 +1266,7 @@ DEFINE_SIMPLE_PROP(pwms, "pwms", "#pwm-c + DEFINE_SIMPLE_PROP(resets, "resets", "#reset-cells") + DEFINE_SIMPLE_PROP(leds, "leds", NULL) + DEFINE_SIMPLE_PROP(backlight, "backlight", NULL) ++DEFINE_SIMPLE_PROP(panel, "panel", NULL) + DEFINE_SUFFIX_PROP(regulators, "-supply", NULL) + DEFINE_SUFFIX_PROP(gpio, "-gpio", "#gpio-cells") + +@@ -1354,6 +1355,7 @@ static const struct supplier_bindings of + { .parse_prop = parse_resets, }, + { .parse_prop = parse_leds, }, + { .parse_prop = parse_backlight, }, ++ { .parse_prop = parse_panel, }, + { .parse_prop = parse_gpio_compat, }, + { .parse_prop = parse_interrupts, }, + { .parse_prop = parse_regulators, }, diff --git a/queue-6.1/s390-dasd-fix-string-length-handling.patch b/queue-6.1/s390-dasd-fix-string-length-handling.patch new file mode 100644 index 00000000000..11bb57911aa --- /dev/null +++ b/queue-6.1/s390-dasd-fix-string-length-handling.patch @@ -0,0 +1,122 @@ +From f7cf22424665043787a96a66a048ff6b2cfd473c Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Mon, 28 Aug 2023 17:31:42 +0200 +Subject: s390/dasd: fix string length handling + +From: Heiko Carstens + +commit f7cf22424665043787a96a66a048ff6b2cfd473c upstream. + +Building dasd_eckd.o with latest clang reveals this bug: + + CC drivers/s390/block/dasd_eckd.o + drivers/s390/block/dasd_eckd.c:1082:3: warning: 'snprintf' will always be truncated; + specified size is 1, but format string expands to at least 11 [-Wfortify-source] + 1082 | snprintf(print_uid, sizeof(*print_uid), + | ^ + drivers/s390/block/dasd_eckd.c:1087:3: warning: 'snprintf' will always be truncated; + specified size is 1, but format string expands to at least 10 [-Wfortify-source] + 1087 | snprintf(print_uid, sizeof(*print_uid), + | ^ + +Fix this by moving and using the existing UID_STRLEN for the arrays +that are being written to. Also rename UID_STRLEN to DASD_UID_STRLEN +to clarify its scope. + +Fixes: 23596961b437 ("s390/dasd: split up dasd_eckd_read_conf") +Reviewed-by: Peter Oberparleiter +Signed-off-by: Heiko Carstens +Tested-by: Nick Desaulniers # build +Reported-by: Nathan Chancellor +Closes: https://github.com/ClangBuiltLinux/linux/issues/1923 +Reviewed-by: Nick Desaulniers +Link: https://lore.kernel.org/r/20230828153142.2843753-2-hca@linux.ibm.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd_devmap.c | 6 +----- + drivers/s390/block/dasd_eckd.c | 10 +++++----- + drivers/s390/block/dasd_int.h | 4 ++++ + 3 files changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/s390/block/dasd_devmap.c ++++ b/drivers/s390/block/dasd_devmap.c +@@ -1377,16 +1377,12 @@ static ssize_t dasd_vendor_show(struct d + + static DEVICE_ATTR(vendor, 0444, dasd_vendor_show, NULL); + +-#define UID_STRLEN ( /* vendor */ 3 + 1 + /* serial */ 14 + 1 +\ +- /* SSID */ 4 + 1 + /* unit addr */ 2 + 1 +\ +- /* vduit */ 32 + 1) +- + static ssize_t + dasd_uid_show(struct device *dev, struct device_attribute *attr, char *buf) + { ++ char uid_string[DASD_UID_STRLEN]; + struct dasd_device *device; + struct dasd_uid uid; +- char uid_string[UID_STRLEN]; + char ua_string[3]; + + device = dasd_device_from_cdev(to_ccwdev(dev)); +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -1079,12 +1079,12 @@ static void dasd_eckd_get_uid_string(str + + create_uid(conf, &uid); + if (strlen(uid.vduit) > 0) +- snprintf(print_uid, sizeof(*print_uid), ++ snprintf(print_uid, DASD_UID_STRLEN, + "%s.%s.%04x.%02x.%s", + uid.vendor, uid.serial, uid.ssid, + uid.real_unit_addr, uid.vduit); + else +- snprintf(print_uid, sizeof(*print_uid), ++ snprintf(print_uid, DASD_UID_STRLEN, + "%s.%s.%04x.%02x", + uid.vendor, uid.serial, uid.ssid, + uid.real_unit_addr); +@@ -1093,8 +1093,8 @@ static void dasd_eckd_get_uid_string(str + static int dasd_eckd_check_cabling(struct dasd_device *device, + void *conf_data, __u8 lpm) + { ++ char print_path_uid[DASD_UID_STRLEN], print_device_uid[DASD_UID_STRLEN]; + struct dasd_eckd_private *private = device->private; +- char print_path_uid[60], print_device_uid[60]; + struct dasd_conf path_conf; + + path_conf.data = conf_data; +@@ -1293,9 +1293,9 @@ static void dasd_eckd_path_available_act + __u8 path_rcd_buf[DASD_ECKD_RCD_DATA_SIZE]; + __u8 lpm, opm, npm, ppm, epm, hpfpm, cablepm; + struct dasd_conf_data *conf_data; ++ char print_uid[DASD_UID_STRLEN]; + struct dasd_conf path_conf; + unsigned long flags; +- char print_uid[60]; + int rc, pos; + + opm = 0; +@@ -5856,8 +5856,8 @@ static void dasd_eckd_dump_sense(struct + static int dasd_eckd_reload_device(struct dasd_device *device) + { + struct dasd_eckd_private *private = device->private; ++ char print_uid[DASD_UID_STRLEN]; + int rc, old_base; +- char print_uid[60]; + struct dasd_uid uid; + unsigned long flags; + +--- a/drivers/s390/block/dasd_int.h ++++ b/drivers/s390/block/dasd_int.h +@@ -259,6 +259,10 @@ struct dasd_uid { + char vduit[33]; + }; + ++#define DASD_UID_STRLEN ( /* vendor */ 3 + 1 + /* serial */ 14 + 1 + \ ++ /* SSID */ 4 + 1 + /* unit addr */ 2 + 1 + \ ++ /* vduit */ 32 + 1) ++ + /* + * PPRC Status data + */ diff --git a/queue-6.1/s390-dcssblk-fix-kernel-crash-with-list_add-corruption.patch b/queue-6.1/s390-dcssblk-fix-kernel-crash-with-list_add-corruption.patch new file mode 100644 index 00000000000..c90970bcae7 --- /dev/null +++ b/queue-6.1/s390-dcssblk-fix-kernel-crash-with-list_add-corruption.patch @@ -0,0 +1,70 @@ +From c8f40a0bccefd613748d080147469a4652d6e74c Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer +Date: Thu, 10 Aug 2023 10:22:36 +0200 +Subject: s390/dcssblk: fix kernel crash with list_add corruption + +From: Gerald Schaefer + +commit c8f40a0bccefd613748d080147469a4652d6e74c upstream. + +Commit fb08a1908cb1 ("dax: simplify the dax_device <-> gendisk +association") introduced new logic for gendisk association, requiring +drivers to explicitly call dax_add_host() and dax_remove_host(). + +For dcssblk driver, some dax_remove_host() calls were missing, e.g. in +device remove path. The commit also broke error handling for out_dax case +in device add path, resulting in an extra put_device() w/o the previous +get_device() in that case. + +This lead to stale xarray entries after device add / remove cycles. In the +case when a previously used struct gendisk pointer (xarray index) would be +used again, because blk_alloc_disk() happened to return such a pointer, the +xa_insert() in dax_add_host() would fail and go to out_dax, doing the extra +put_device() in the error path. In combination with an already flawed error +handling in dcssblk (device_register() cleanup), which needs to be +addressed in a separate patch, this resulted in a missing device_del() / +klist_del(), and eventually in the kernel crash with list_add corruption on +a subsequent device_add() / klist_add(). + +Fix this by adding the missing dax_remove_host() calls, and also move the +put_device() in the error path to restore the previous logic. + +Fixes: fb08a1908cb1 ("dax: simplify the dax_device <-> gendisk association") +Cc: # 5.17+ +Acked-by: Heiko Carstens +Signed-off-by: Gerald Schaefer +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dcssblk.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/s390/block/dcssblk.c ++++ b/drivers/s390/block/dcssblk.c +@@ -411,6 +411,7 @@ removeseg: + } + list_del(&dev_info->lh); + ++ dax_remove_host(dev_info->gd); + kill_dax(dev_info->dax_dev); + put_dax(dev_info->dax_dev); + del_gendisk(dev_info->gd); +@@ -706,9 +707,9 @@ dcssblk_add_store(struct device *dev, st + goto out; + + out_dax_host: ++ put_device(&dev_info->dev); + dax_remove_host(dev_info->gd); + out_dax: +- put_device(&dev_info->dev); + kill_dax(dev_info->dax_dev); + put_dax(dev_info->dax_dev); + put_dev: +@@ -788,6 +789,7 @@ dcssblk_remove_store(struct device *dev, + } + + list_del(&dev_info->lh); ++ dax_remove_host(dev_info->gd); + kill_dax(dev_info->dax_dev); + put_dax(dev_info->dax_dev); + del_gendisk(dev_info->gd); diff --git a/queue-6.1/s390-ipl-add-missing-secure-has_secure-file-to-ipl-type-unknown.patch b/queue-6.1/s390-ipl-add-missing-secure-has_secure-file-to-ipl-type-unknown.patch new file mode 100644 index 00000000000..4dcf1ccda8d --- /dev/null +++ b/queue-6.1/s390-ipl-add-missing-secure-has_secure-file-to-ipl-type-unknown.patch @@ -0,0 +1,37 @@ +From ea5717cb13468323a7c3dd394748301802991f39 Mon Sep 17 00:00:00 2001 +From: Sven Schnelle +Date: Tue, 15 Aug 2023 09:26:06 +0200 +Subject: s390/ipl: add missing secure/has_secure file to ipl type 'unknown' + +From: Sven Schnelle + +commit ea5717cb13468323a7c3dd394748301802991f39 upstream. + +OS installers are relying on /sys/firmware/ipl/has_secure to be +present on machines supporting secure boot. This file is present +for all IPL types, but not the unknown type, which prevents a secure +installation when an LPAR is booted in HMC via FTP(s), because +this is an unknown IPL type in linux. While at it, also add the secure +file. + +Fixes: c9896acc7851 ("s390/ipl: Provide has_secure sysfs attribute") +Cc: stable@vger.kernel.org +Signed-off-by: Sven Schnelle +Reviewed-by: Heiko Carstens +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/ipl.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/s390/kernel/ipl.c ++++ b/arch/s390/kernel/ipl.c +@@ -503,6 +503,8 @@ static struct attribute_group ipl_ccw_at + + static struct attribute *ipl_unknown_attrs[] = { + &sys_ipl_type_attr.attr, ++ &sys_ipl_secure_attr.attr, ++ &sys_ipl_has_secure_attr.attr, + NULL, + }; + diff --git a/queue-6.1/series b/queue-6.1/series index d18340e7cd6..aec7528443c 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -572,3 +572,9 @@ platform-chrome-chromeos_acpi-print-hex-string-for-acpi_type_buffer.patch mmc-renesas_sdhi-register-irqs-before-registering-controller.patch pstore-ram-check-start-of-empty-przs-during-init.patch arm64-sdei-abort-running-sdei-handlers-during-crash.patch +s390-dcssblk-fix-kernel-crash-with-list_add-corruption.patch +s390-ipl-add-missing-secure-has_secure-file-to-ipl-type-unknown.patch +s390-dasd-fix-string-length-handling.patch +crypto-stm32-fix-loop-iterating-through-scatterlist-for-dma.patch +cpufreq-brcmstb-avs-cpufreq-fix-warray-bounds-bug.patch +of-property-fw_devlink-add-a-devlink-for-panel-followers.patch -- 2.47.3