From a731e06176fabfdfdf983beed7004aa4d6521217 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 19 May 2023 21:27:32 -0400 Subject: [PATCH] Fixes for 4.14 Signed-off-by: Sasha Levin --- ...-when-removing-custom-query-handlers.patch | 40 ++++++ ...eck-null-return-of-acpi_allocate_zer.patch | 40 ++++++ ...efined-behavior-applying-zero-offset.patch | 68 +++++++++ ...fix-bad-unlock-balance-in-l2cap_disc.patch | 37 +++++ ...-fix-gcc-7-constant-overflow-warning.patch | 75 ++++++++++ ...id-potential-32-bit-integer-overflow.patch | 37 +++++ ...eck-block-size-validity-during-mount.patch | 54 ++++++++ ...tent-lstart-adjustment-logic-in-ext4.patch | 129 ++++++++++++++++++ ...art-correctly-in-ext4_mb_normalize_r.patch | 72 ++++++++++ ...e-warn_on-from-hfsplus_cat_-read-wri.patch | 108 +++++++++++++++ ...2-fix-inode-height-consistency-check.patch | 49 +++++++ ...pp-don-t-use-the-usb-serial-for-usb-.patch | 101 ++++++++++++++ ...pp-reconcile-usb-and-unifying-serial.patch | 55 ++++++++ ...c-set-battery-quirk-only-when-we-see.patch | 104 ++++++++++++++ ...-constants-for-gip-interface-numbers.patch | 47 +++++++ ...id-use-after-free-on-rmap-obj-array-.patch | 67 +++++++++ ...te-memory-region-to-avoid-memory-ove.patch | 78 +++++++++++ ...x-uaf-bug-in-r592_remove-due-to-race.patch | 53 +++++++ ...d-dln2-fix-memory-leak-in-dln2_probe.patch | 38 ++++++ ...t-catch-invalid-index-in-xps-mapping.patch | 43 ++++++ ...x-return-type-of-pasemi_mac_start_tx.patch | 54 ++++++++ ...check-queue-mode-setting-from-config.patch | 87 ++++++++++++ ...-use-_poll_timeout-functions-for-wai.patch | 113 +++++++++++++++ ...-memory-leaks-in-the-uwrite-function.patch | 48 +++++++ ...urn-error-in-cache-sync-operations-f.patch | 49 +++++++ .../sched-fix-kcsan-noinstr-violation.patch | 40 ++++++ ...lan-fix-use-after-free-bug-in-mptlan.patch | 55 ++++++++ ...it-port-pm-on-port-specific-driver-u.patch | 56 ++++++++ queue-4.14/series | 32 +++++ ...imx-fix-mx51_ecspi_-macros-when-cs-3.patch | 80 +++++++++++ ...-replace-macro-rtl_pci_device-with-p.patch | 57 ++++++++ ...g80211-pass-the-pmk-in-binary-instea.patch | 57 ++++++++ ...-fix-memcpy-detected-field-spanning-.patch | 72 ++++++++++ 33 files changed, 2095 insertions(+) create mode 100644 queue-4.14/acpi-ec-fix-oops-when-removing-custom-query-handlers.patch create mode 100644 queue-4.14/acpica-acpica-check-null-return-of-acpi_allocate_zer.patch create mode 100644 queue-4.14/acpica-avoid-undefined-behavior-applying-zero-offset.patch create mode 100644 queue-4.14/bluetooth-l2cap-fix-bad-unlock-balance-in-l2cap_disc.patch create mode 100644 queue-4.14/clk-tegra20-fix-gcc-7-constant-overflow-warning.patch create mode 100644 queue-4.14/drm-tegra-avoid-potential-32-bit-integer-overflow.patch create mode 100644 queue-4.14/ext2-check-block-size-validity-during-mount.patch create mode 100644 queue-4.14/ext4-fix-best-extent-lstart-adjustment-logic-in-ext4.patch create mode 100644 queue-4.14/ext4-set-goal-start-correctly-in-ext4_mb_normalize_r.patch create mode 100644 queue-4.14/fs-hfsplus-remove-warn_on-from-hfsplus_cat_-read-wri.patch create mode 100644 queue-4.14/gfs2-fix-inode-height-consistency-check.patch create mode 100644 queue-4.14/hid-logitech-hidpp-don-t-use-the-usb-serial-for-usb-.patch create mode 100644 queue-4.14/hid-logitech-hidpp-reconcile-usb-and-unifying-serial.patch create mode 100644 queue-4.14/hid-wacom-generic-set-battery-quirk-only-when-we-see.patch create mode 100644 queue-4.14/input-xpad-add-constants-for-gip-interface-numbers.patch create mode 100644 queue-4.14/lib-cpu_rmap-avoid-use-after-free-on-rmap-obj-array-.patch create mode 100644 queue-4.14/mcb-pci-reallocate-memory-region-to-avoid-memory-ove.patch create mode 100644 queue-4.14/memstick-r592-fix-uaf-bug-in-r592_remove-due-to-race.patch create mode 100644 queue-4.14/mfd-dln2-fix-memory-leak-in-dln2_probe.patch create mode 100644 queue-4.14/net-catch-invalid-index-in-xps-mapping.patch create mode 100644 queue-4.14/net-pasemi-fix-return-type-of-pasemi_mac_start_tx.patch create mode 100644 queue-4.14/null_blk-always-check-queue-mode-setting-from-config.patch create mode 100644 queue-4.14/phy-st-miphy28lp-use-_poll_timeout-functions-for-wai.patch create mode 100644 queue-4.14/recordmcount-fix-memory-leaks-in-the-uwrite-function.patch create mode 100644 queue-4.14/regmap-cache-return-error-in-cache-sync-operations-f.patch create mode 100644 queue-4.14/sched-fix-kcsan-noinstr-violation.patch create mode 100644 queue-4.14/scsi-message-mptlan-fix-use-after-free-bug-in-mptlan.patch create mode 100644 queue-4.14/serial-8250-reinit-port-pm-on-port-specific-driver-u.patch create mode 100644 queue-4.14/spi-spi-imx-fix-mx51_ecspi_-macros-when-cs-3.patch create mode 100644 queue-4.14/staging-rtl8192e-replace-macro-rtl_pci_device-with-p.patch create mode 100644 queue-4.14/wifi-brcmfmac-cfg80211-pass-the-pmk-in-binary-instea.patch create mode 100644 queue-4.14/wifi-iwlwifi-dvm-fix-memcpy-detected-field-spanning-.patch diff --git a/queue-4.14/acpi-ec-fix-oops-when-removing-custom-query-handlers.patch b/queue-4.14/acpi-ec-fix-oops-when-removing-custom-query-handlers.patch new file mode 100644 index 00000000000..f9a516d6d6f --- /dev/null +++ b/queue-4.14/acpi-ec-fix-oops-when-removing-custom-query-handlers.patch @@ -0,0 +1,40 @@ +From a03a3fc486646fe620eccbb6c90224859ff1b0c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 21:26:27 +0100 +Subject: ACPI: EC: Fix oops when removing custom query handlers + +From: Armin Wolf + +[ Upstream commit e5b492c6bb900fcf9722e05f4a10924410e170c1 ] + +When removing custom query handlers, the handler might still +be used inside the EC query workqueue, causing a kernel oops +if the module holding the callback function was already unloaded. + +Fix this by flushing the EC query workqueue when removing +custom query handlers. + +Tested on a Acer Travelmate 4002WLMi + +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index f8fc30be68711..1dedab328c464 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1135,6 +1135,7 @@ static void acpi_ec_remove_query_handlers(struct acpi_ec *ec, + void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit) + { + acpi_ec_remove_query_handlers(ec, false, query_bit); ++ flush_workqueue(ec_query_wq); + } + EXPORT_SYMBOL_GPL(acpi_ec_remove_query_handler); + +-- +2.39.2 + diff --git a/queue-4.14/acpica-acpica-check-null-return-of-acpi_allocate_zer.patch b/queue-4.14/acpica-acpica-check-null-return-of-acpi_allocate_zer.patch new file mode 100644 index 00000000000..e295443152e --- /dev/null +++ b/queue-4.14/acpica-acpica-check-null-return-of-acpi_allocate_zer.patch @@ -0,0 +1,40 @@ +From 3ed2e05c4c6b41983740a18742a3fd2c8e8d8945 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Apr 2023 15:57:57 +0200 +Subject: ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in + acpi_db_display_objects + +From: void0red <30990023+void0red@users.noreply.github.com> + +[ Upstream commit ae5a0eccc85fc960834dd66e3befc2728284b86c ] + +ACPICA commit 0d5f467d6a0ba852ea3aad68663cbcbd43300fd4 + +ACPI_ALLOCATE_ZEROED may fails, object_info might be null and will cause +null pointer dereference later. + +Link: https://github.com/acpica/acpica/commit/0d5f467d +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dbnames.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c +index 8c207c7725179..658fd7cfbd6cd 100644 +--- a/drivers/acpi/acpica/dbnames.c ++++ b/drivers/acpi/acpica/dbnames.c +@@ -600,6 +600,9 @@ acpi_status acpi_db_display_objects(char *obj_type_arg, char *display_count_arg) + object_info = + ACPI_ALLOCATE_ZEROED(sizeof(struct acpi_object_info)); + ++ if (!object_info) ++ return (AE_NO_MEMORY); ++ + /* Walk the namespace from the root */ + + (void)acpi_walk_namespace(ACPI_TYPE_ANY, ACPI_ROOT_OBJECT, +-- +2.39.2 + diff --git a/queue-4.14/acpica-avoid-undefined-behavior-applying-zero-offset.patch b/queue-4.14/acpica-avoid-undefined-behavior-applying-zero-offset.patch new file mode 100644 index 00000000000..9d4671275f1 --- /dev/null +++ b/queue-4.14/acpica-avoid-undefined-behavior-applying-zero-offset.patch @@ -0,0 +1,68 @@ +From 0569c2aee517d14e8a9e091c61064bc30f071bca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Apr 2023 15:42:43 +0200 +Subject: ACPICA: Avoid undefined behavior: applying zero offset to null + pointer + +From: Tamir Duberstein + +[ Upstream commit 05bb0167c80b8f93c6a4e0451b7da9b96db990c2 ] + +ACPICA commit 770653e3ba67c30a629ca7d12e352d83c2541b1e + +Before this change we see the following UBSAN stack trace in Fuchsia: + + #0 0x000021e4213b3302 in acpi_ds_init_aml_walk(struct acpi_walk_state*, union acpi_parse_object*, struct acpi_namespace_node*, u8*, u32, struct acpi_evaluate_info*, u8) ../../third_party/acpica/source/components/dispatcher/dswstate.c:682 +0x233302 + #1.2 0x000020d0f660777f in ubsan_get_stack_trace() compiler-rt/lib/ubsan/ubsan_diag.cpp:41 +0x3d77f + #1.1 0x000020d0f660777f in maybe_print_stack_trace() compiler-rt/lib/ubsan/ubsan_diag.cpp:51 +0x3d77f + #1 0x000020d0f660777f in ~scoped_report() compiler-rt/lib/ubsan/ubsan_diag.cpp:387 +0x3d77f + #2 0x000020d0f660b96d in handlepointer_overflow_impl() compiler-rt/lib/ubsan/ubsan_handlers.cpp:809 +0x4196d + #3 0x000020d0f660b50d in compiler-rt/lib/ubsan/ubsan_handlers.cpp:815 +0x4150d + #4 0x000021e4213b3302 in acpi_ds_init_aml_walk(struct acpi_walk_state*, union acpi_parse_object*, struct acpi_namespace_node*, u8*, u32, struct acpi_evaluate_info*, u8) ../../third_party/acpica/source/components/dispatcher/dswstate.c:682 +0x233302 + #5 0x000021e4213e2369 in acpi_ds_call_control_method(struct acpi_thread_state*, struct acpi_walk_state*, union acpi_parse_object*) ../../third_party/acpica/source/components/dispatcher/dsmethod.c:605 +0x262369 + #6 0x000021e421437fac in acpi_ps_parse_aml(struct acpi_walk_state*) ../../third_party/acpica/source/components/parser/psparse.c:550 +0x2b7fac + #7 0x000021e4214464d2 in acpi_ps_execute_method(struct acpi_evaluate_info*) ../../third_party/acpica/source/components/parser/psxface.c:244 +0x2c64d2 + #8 0x000021e4213aa052 in acpi_ns_evaluate(struct acpi_evaluate_info*) ../../third_party/acpica/source/components/namespace/nseval.c:250 +0x22a052 + #9 0x000021e421413dd8 in acpi_ns_init_one_device(acpi_handle, u32, void*, void**) ../../third_party/acpica/source/components/namespace/nsinit.c:735 +0x293dd8 + #10 0x000021e421429e98 in acpi_ns_walk_namespace(acpi_object_type, acpi_handle, u32, u32, acpi_walk_callback, acpi_walk_callback, void*, void**) ../../third_party/acpica/source/components/namespace/nswalk.c:298 +0x2a9e98 + #11 0x000021e4214131ac in acpi_ns_initialize_devices(u32) ../../third_party/acpica/source/components/namespace/nsinit.c:268 +0x2931ac + #12 0x000021e42147c40d in acpi_initialize_objects(u32) ../../third_party/acpica/source/components/utilities/utxfinit.c:304 +0x2fc40d + #13 0x000021e42126d603 in acpi::acpi_impl::initialize_acpi(acpi::acpi_impl*) ../../src/devices/board/lib/acpi/acpi-impl.cc:224 +0xed603 + +Add a simple check that avoids incrementing a pointer by zero, but +otherwise behaves as before. Note that our findings are against ACPICA +20221020, but the same code exists on master. + +Link: https://github.com/acpica/acpica/commit/770653e3 +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dswstate.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/acpica/dswstate.c b/drivers/acpi/acpica/dswstate.c +index da111a1f5bfbc..6eaf2a01034ea 100644 +--- a/drivers/acpi/acpica/dswstate.c ++++ b/drivers/acpi/acpica/dswstate.c +@@ -610,9 +610,14 @@ acpi_ds_init_aml_walk(struct acpi_walk_state *walk_state, + ACPI_FUNCTION_TRACE(ds_init_aml_walk); + + walk_state->parser_state.aml = +- walk_state->parser_state.aml_start = aml_start; +- walk_state->parser_state.aml_end = +- walk_state->parser_state.pkg_end = aml_start + aml_length; ++ walk_state->parser_state.aml_start = ++ walk_state->parser_state.aml_end = ++ walk_state->parser_state.pkg_end = aml_start; ++ /* Avoid undefined behavior: applying zero offset to null pointer */ ++ if (aml_length != 0) { ++ walk_state->parser_state.aml_end += aml_length; ++ walk_state->parser_state.pkg_end += aml_length; ++ } + + /* The next_op of the next_walk will be the beginning of the method */ + +-- +2.39.2 + diff --git a/queue-4.14/bluetooth-l2cap-fix-bad-unlock-balance-in-l2cap_disc.patch b/queue-4.14/bluetooth-l2cap-fix-bad-unlock-balance-in-l2cap_disc.patch new file mode 100644 index 00000000000..40e22a03d00 --- /dev/null +++ b/queue-4.14/bluetooth-l2cap-fix-bad-unlock-balance-in-l2cap_disc.patch @@ -0,0 +1,37 @@ +From 0f2289b7049b2aaa0f321d4b42bcc0498753a64e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 10:27:54 +0800 +Subject: Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp + +From: Min Li + +[ Upstream commit 25e97f7b1866e6b8503be349eeea44bb52d661ce ] + +conn->chan_lock isn't acquired before l2cap_get_chan_by_scid, +if l2cap_get_chan_by_scid returns NULL, then 'bad unlock balance' +is triggered. + +Reported-by: syzbot+9519d6b5b79cf7787cf3@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/000000000000894f5f05f95e9f4d@google.com/ +Signed-off-by: Min Li +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 6f47cb69775d6..b0bb4cf52a7ee 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4392,7 +4392,6 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, + + chan = l2cap_get_chan_by_scid(conn, scid); + if (!chan) { +- mutex_unlock(&conn->chan_lock); + return 0; + } + +-- +2.39.2 + diff --git a/queue-4.14/clk-tegra20-fix-gcc-7-constant-overflow-warning.patch b/queue-4.14/clk-tegra20-fix-gcc-7-constant-overflow-warning.patch new file mode 100644 index 00000000000..71d1634c94b --- /dev/null +++ b/queue-4.14/clk-tegra20-fix-gcc-7-constant-overflow-warning.patch @@ -0,0 +1,75 @@ +From b71ff687739659178388a47a579974aafcb98650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 09:59:10 +0100 +Subject: clk: tegra20: fix gcc-7 constant overflow warning + +From: Arnd Bergmann + +[ Upstream commit b4a2adbf3586efa12fe78b9dec047423e01f3010 ] + +Older gcc versions get confused by comparing a u32 value to a negative +constant in a switch()/case block: + +drivers/clk/tegra/clk-tegra20.c: In function 'tegra20_clk_measure_input_freq': +drivers/clk/tegra/clk-tegra20.c:581:2: error: case label does not reduce to an integer constant + case OSC_CTRL_OSC_FREQ_12MHZ: + ^~~~ +drivers/clk/tegra/clk-tegra20.c:593:2: error: case label does not reduce to an integer constant + case OSC_CTRL_OSC_FREQ_26MHZ: + +Make the constants unsigned instead. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230227085914.2560984-1-arnd@kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-tegra20.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c +index 4c9038e738886..a660adaa4920f 100644 +--- a/drivers/clk/tegra/clk-tegra20.c ++++ b/drivers/clk/tegra/clk-tegra20.c +@@ -27,24 +27,24 @@ + #include "clk-id.h" + + #define OSC_CTRL 0x50 +-#define OSC_CTRL_OSC_FREQ_MASK (3<<30) +-#define OSC_CTRL_OSC_FREQ_13MHZ (0<<30) +-#define OSC_CTRL_OSC_FREQ_19_2MHZ (1<<30) +-#define OSC_CTRL_OSC_FREQ_12MHZ (2<<30) +-#define OSC_CTRL_OSC_FREQ_26MHZ (3<<30) +-#define OSC_CTRL_MASK (0x3f2 | OSC_CTRL_OSC_FREQ_MASK) +- +-#define OSC_CTRL_PLL_REF_DIV_MASK (3<<28) +-#define OSC_CTRL_PLL_REF_DIV_1 (0<<28) +-#define OSC_CTRL_PLL_REF_DIV_2 (1<<28) +-#define OSC_CTRL_PLL_REF_DIV_4 (2<<28) ++#define OSC_CTRL_OSC_FREQ_MASK (3u<<30) ++#define OSC_CTRL_OSC_FREQ_13MHZ (0u<<30) ++#define OSC_CTRL_OSC_FREQ_19_2MHZ (1u<<30) ++#define OSC_CTRL_OSC_FREQ_12MHZ (2u<<30) ++#define OSC_CTRL_OSC_FREQ_26MHZ (3u<<30) ++#define OSC_CTRL_MASK (0x3f2u | OSC_CTRL_OSC_FREQ_MASK) ++ ++#define OSC_CTRL_PLL_REF_DIV_MASK (3u<<28) ++#define OSC_CTRL_PLL_REF_DIV_1 (0u<<28) ++#define OSC_CTRL_PLL_REF_DIV_2 (1u<<28) ++#define OSC_CTRL_PLL_REF_DIV_4 (2u<<28) + + #define OSC_FREQ_DET 0x58 +-#define OSC_FREQ_DET_TRIG (1<<31) ++#define OSC_FREQ_DET_TRIG (1u<<31) + + #define OSC_FREQ_DET_STATUS 0x5c +-#define OSC_FREQ_DET_BUSY (1<<31) +-#define OSC_FREQ_DET_CNT_MASK 0xFFFF ++#define OSC_FREQ_DET_BUSYu (1<<31) ++#define OSC_FREQ_DET_CNT_MASK 0xFFFFu + + #define TEGRA20_CLK_PERIPH_BANKS 3 + +-- +2.39.2 + diff --git a/queue-4.14/drm-tegra-avoid-potential-32-bit-integer-overflow.patch b/queue-4.14/drm-tegra-avoid-potential-32-bit-integer-overflow.patch new file mode 100644 index 00000000000..a1339d9eda9 --- /dev/null +++ b/queue-4.14/drm-tegra-avoid-potential-32-bit-integer-overflow.patch @@ -0,0 +1,37 @@ +From c6e8d60ba10c80149493e6ace298aad1417532b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Apr 2023 04:25:59 +0800 +Subject: drm/tegra: Avoid potential 32-bit integer overflow + +From: Nur Hussein + +[ Upstream commit 2429b3c529da29d4277d519bd66d034842dcd70c ] + +In tegra_sor_compute_config(), the 32-bit value mode->clock is +multiplied by 1000, and assigned to the u64 variable pclk. We can avoid +a potential 32-bit integer overflow by casting mode->clock to u64 before +we do the arithmetic and assignment. + +Signed-off-by: Nur Hussein +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/sor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/sor.c b/drivers/gpu/drm/tegra/sor.c +index 352ae52be3418..76451c8bfb46b 100644 +--- a/drivers/gpu/drm/tegra/sor.c ++++ b/drivers/gpu/drm/tegra/sor.c +@@ -709,7 +709,7 @@ static int tegra_sor_compute_config(struct tegra_sor *sor, + struct drm_dp_link *link) + { + const u64 f = 100000, link_rate = link->rate * 1000; +- const u64 pclk = mode->clock * 1000; ++ const u64 pclk = (u64)mode->clock * 1000; + u64 input, output, watermark, num; + struct tegra_sor_params params; + u32 num_syms_per_line; +-- +2.39.2 + diff --git a/queue-4.14/ext2-check-block-size-validity-during-mount.patch b/queue-4.14/ext2-check-block-size-validity-during-mount.patch new file mode 100644 index 00000000000..647dffa3e7d --- /dev/null +++ b/queue-4.14/ext2-check-block-size-validity-during-mount.patch @@ -0,0 +1,54 @@ +From c92a520e45bbf670943aa15a565a0c3443223976 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 11:59:39 +0100 +Subject: ext2: Check block size validity during mount + +From: Jan Kara + +[ Upstream commit 62aeb94433fcec80241754b70d0d1836d5926b0a ] + +Check that log of block size stored in the superblock has sensible +value. Otherwise the shift computing the block size can overflow leading +to undefined behavior. + +Reported-by: syzbot+4fec412f59eba8c01b77@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/ext2.h | 1 + + fs/ext2/super.c | 7 +++++++ + 2 files changed, 8 insertions(+) + +diff --git a/fs/ext2/ext2.h b/fs/ext2/ext2.h +index 032295e1d3865..b500fed96a692 100644 +--- a/fs/ext2/ext2.h ++++ b/fs/ext2/ext2.h +@@ -177,6 +177,7 @@ static inline struct ext2_sb_info *EXT2_SB(struct super_block *sb) + #define EXT2_MIN_BLOCK_SIZE 1024 + #define EXT2_MAX_BLOCK_SIZE 4096 + #define EXT2_MIN_BLOCK_LOG_SIZE 10 ++#define EXT2_MAX_BLOCK_LOG_SIZE 16 + #define EXT2_BLOCK_SIZE(s) ((s)->s_blocksize) + #define EXT2_ADDR_PER_BLOCK(s) (EXT2_BLOCK_SIZE(s) / sizeof (__u32)) + #define EXT2_BLOCK_SIZE_BITS(s) ((s)->s_blocksize_bits) +diff --git a/fs/ext2/super.c b/fs/ext2/super.c +index 5f7079b65426c..7ca9fb0bfc324 100644 +--- a/fs/ext2/super.c ++++ b/fs/ext2/super.c +@@ -965,6 +965,13 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) + goto failed_mount; + } + ++ if (le32_to_cpu(es->s_log_block_size) > ++ (EXT2_MAX_BLOCK_LOG_SIZE - BLOCK_SIZE_BITS)) { ++ ext2_msg(sb, KERN_ERR, ++ "Invalid log block size: %u", ++ le32_to_cpu(es->s_log_block_size)); ++ goto failed_mount; ++ } + blocksize = BLOCK_SIZE << le32_to_cpu(sbi->s_es->s_log_block_size); + + if (sbi->s_mount_opt & EXT2_MOUNT_DAX) { +-- +2.39.2 + diff --git a/queue-4.14/ext4-fix-best-extent-lstart-adjustment-logic-in-ext4.patch b/queue-4.14/ext4-fix-best-extent-lstart-adjustment-logic-in-ext4.patch new file mode 100644 index 00000000000..55957c961de --- /dev/null +++ b/queue-4.14/ext4-fix-best-extent-lstart-adjustment-logic-in-ext4.patch @@ -0,0 +1,129 @@ +From f5404ac7b0dcb4e02edccbf8b18c0c91a9f49c10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Mar 2023 13:43:39 +0530 +Subject: ext4: Fix best extent lstart adjustment logic in + ext4_mb_new_inode_pa() + +From: Ojaswin Mujoo + +[ Upstream commit 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9 ] + +When the length of best extent found is less than the length of goal extent +we need to make sure that the best extent atleast covers the start of the +original request. This is done by adjusting the ac_b_ex.fe_logical (logical +start) of the extent. + +While doing so, the current logic sometimes results in the best extent's +logical range overflowing the goal extent. Since this best extent is later +added to the inode preallocation list, we have a possibility of introducing +overlapping preallocations. This is discussed in detail here [1]. + +As per Jan's suggestion, to fix this, replace the existing logic with the +below logic for adjusting best extent as it keeps fragmentation in check +while ensuring logical range of best extent doesn't overflow out of goal +extent: + +1. Check if best extent can be kept at end of goal range and still cover + original start. +2. Else, check if best extent can be kept at start of goal range and still + cover original start. +3. Else, keep the best extent at start of original request. + +Also, add a few extra BUG_ONs that might help catch errors faster. + +[1] https://lore.kernel.org/r/Y+OGkVvzPN0RMv0O@li-bb2b2a4c-3307-11b2-a85c-8fa5c3a69313.ibm.com + +Suggested-by: Jan Kara +Signed-off-by: Ojaswin Mujoo +Reviewed-by: Ritesh Harjani (IBM) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/f96aca6d415b36d1f90db86c1a8cd7e2e9d7ab0e.1679731817.git.ojaswin@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 49 ++++++++++++++++++++++++++++++----------------- + 1 file changed, 31 insertions(+), 18 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 36ace5eef84ec..ce21da3f437f0 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -3403,6 +3403,7 @@ static void ext4_mb_use_inode_pa(struct ext4_allocation_context *ac, + BUG_ON(start < pa->pa_pstart); + BUG_ON(end > pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len)); + BUG_ON(pa->pa_free < len); ++ BUG_ON(ac->ac_b_ex.fe_len <= 0); + pa->pa_free -= len; + + mb_debug(1, "use %llu/%u from inode pa %p\n", start, len, pa); +@@ -3707,10 +3708,8 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac) + return -ENOMEM; + + if (ac->ac_b_ex.fe_len < ac->ac_g_ex.fe_len) { +- int winl; +- int wins; +- int win; +- int offs; ++ int new_bex_start; ++ int new_bex_end; + + /* we can't allocate as much as normalizer wants. + * so, found space must get proper lstart +@@ -3718,26 +3717,40 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac) + BUG_ON(ac->ac_g_ex.fe_logical > ac->ac_o_ex.fe_logical); + BUG_ON(ac->ac_g_ex.fe_len < ac->ac_o_ex.fe_len); + +- /* we're limited by original request in that +- * logical block must be covered any way +- * winl is window we can move our chunk within */ +- winl = ac->ac_o_ex.fe_logical - ac->ac_g_ex.fe_logical; ++ /* ++ * Use the below logic for adjusting best extent as it keeps ++ * fragmentation in check while ensuring logical range of best ++ * extent doesn't overflow out of goal extent: ++ * ++ * 1. Check if best ex can be kept at end of goal and still ++ * cover original start ++ * 2. Else, check if best ex can be kept at start of goal and ++ * still cover original start ++ * 3. Else, keep the best ex at start of original request. ++ */ ++ new_bex_end = ac->ac_g_ex.fe_logical + ++ EXT4_C2B(sbi, ac->ac_g_ex.fe_len); ++ new_bex_start = new_bex_end - EXT4_C2B(sbi, ac->ac_b_ex.fe_len); ++ if (ac->ac_o_ex.fe_logical >= new_bex_start) ++ goto adjust_bex; + +- /* also, we should cover whole original request */ +- wins = EXT4_C2B(sbi, ac->ac_b_ex.fe_len - ac->ac_o_ex.fe_len); ++ new_bex_start = ac->ac_g_ex.fe_logical; ++ new_bex_end = ++ new_bex_start + EXT4_C2B(sbi, ac->ac_b_ex.fe_len); ++ if (ac->ac_o_ex.fe_logical < new_bex_end) ++ goto adjust_bex; + +- /* the smallest one defines real window */ +- win = min(winl, wins); ++ new_bex_start = ac->ac_o_ex.fe_logical; ++ new_bex_end = ++ new_bex_start + EXT4_C2B(sbi, ac->ac_b_ex.fe_len); + +- offs = ac->ac_o_ex.fe_logical % +- EXT4_C2B(sbi, ac->ac_b_ex.fe_len); +- if (offs && offs < win) +- win = offs; ++adjust_bex: ++ ac->ac_b_ex.fe_logical = new_bex_start; + +- ac->ac_b_ex.fe_logical = ac->ac_o_ex.fe_logical - +- EXT4_NUM_B2C(sbi, win); + BUG_ON(ac->ac_o_ex.fe_logical < ac->ac_b_ex.fe_logical); + BUG_ON(ac->ac_o_ex.fe_len > ac->ac_b_ex.fe_len); ++ BUG_ON(new_bex_end > (ac->ac_g_ex.fe_logical + ++ EXT4_C2B(sbi, ac->ac_g_ex.fe_len))); + } + + /* preallocation can change ac_b_ex, thus we store actually +-- +2.39.2 + diff --git a/queue-4.14/ext4-set-goal-start-correctly-in-ext4_mb_normalize_r.patch b/queue-4.14/ext4-set-goal-start-correctly-in-ext4_mb_normalize_r.patch new file mode 100644 index 00000000000..ea95ffc4cb4 --- /dev/null +++ b/queue-4.14/ext4-set-goal-start-correctly-in-ext4_mb_normalize_r.patch @@ -0,0 +1,72 @@ +From 9403a50f5da9b7114947ef13d9acfe9c64f72230 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Mar 2023 01:21:01 +0800 +Subject: ext4: set goal start correctly in ext4_mb_normalize_request + +From: Kemeng Shi + +[ Upstream commit b07ffe6927c75d99af534d685282ea188d9f71a6 ] + +We need to set ac_g_ex to notify the goal start used in +ext4_mb_find_by_goal. Set ac_g_ex instead of ac_f_ex in +ext4_mb_normalize_request. +Besides we should assure goal start is in range [first_data_block, +blocks_count) as ext4_mb_initialize_context does. + +[ Added a check to make sure size is less than ar->pright; otherwise + we could end up passing an underflowed value of ar->pright - size to + ext4_get_group_no_and_offset(), which will trigger a BUG_ON later on. + - TYT ] + +Signed-off-by: Kemeng Shi +Reviewed-by: Ritesh Harjani (IBM) +Link: https://lore.kernel.org/r/20230303172120.3800725-2-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index d9f2fde2e3e92..36ace5eef84ec 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -3116,6 +3116,7 @@ ext4_mb_normalize_request(struct ext4_allocation_context *ac, + struct ext4_allocation_request *ar) + { + struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb); ++ struct ext4_super_block *es = sbi->s_es; + int bsbits, max; + ext4_lblk_t end; + loff_t size, start_off; +@@ -3296,18 +3297,21 @@ ext4_mb_normalize_request(struct ext4_allocation_context *ac, + ac->ac_g_ex.fe_len = EXT4_NUM_B2C(sbi, size); + + /* define goal start in order to merge */ +- if (ar->pright && (ar->lright == (start + size))) { ++ if (ar->pright && (ar->lright == (start + size)) && ++ ar->pright >= size && ++ ar->pright - size >= le32_to_cpu(es->s_first_data_block)) { + /* merge to the right */ + ext4_get_group_no_and_offset(ac->ac_sb, ar->pright - size, +- &ac->ac_f_ex.fe_group, +- &ac->ac_f_ex.fe_start); ++ &ac->ac_g_ex.fe_group, ++ &ac->ac_g_ex.fe_start); + ac->ac_flags |= EXT4_MB_HINT_TRY_GOAL; + } +- if (ar->pleft && (ar->lleft + 1 == start)) { ++ if (ar->pleft && (ar->lleft + 1 == start) && ++ ar->pleft + 1 < ext4_blocks_count(es)) { + /* merge to the left */ + ext4_get_group_no_and_offset(ac->ac_sb, ar->pleft + 1, +- &ac->ac_f_ex.fe_group, +- &ac->ac_f_ex.fe_start); ++ &ac->ac_g_ex.fe_group, ++ &ac->ac_g_ex.fe_start); + ac->ac_flags |= EXT4_MB_HINT_TRY_GOAL; + } + +-- +2.39.2 + diff --git a/queue-4.14/fs-hfsplus-remove-warn_on-from-hfsplus_cat_-read-wri.patch b/queue-4.14/fs-hfsplus-remove-warn_on-from-hfsplus_cat_-read-wri.patch new file mode 100644 index 00000000000..a822f58a9b2 --- /dev/null +++ b/queue-4.14/fs-hfsplus-remove-warn_on-from-hfsplus_cat_-read-wri.patch @@ -0,0 +1,108 @@ +From d662e739a8a19c910a859cf2a4eaa6998b0f34ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Apr 2023 19:57:33 +0900 +Subject: fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() + +From: Tetsuo Handa + +[ Upstream commit 81b21c0f0138ff5a499eafc3eb0578ad2a99622c ] + +syzbot is hitting WARN_ON() in hfsplus_cat_{read,write}_inode(), for +crafted filesystem image can contain bogus length. There conditions are +not kernel bugs that can justify kernel to panic. + +Reported-by: syzbot +Link: https://syzkaller.appspot.com/bug?extid=e2787430e752a92b8750 +Reported-by: syzbot +Link: https://syzkaller.appspot.com/bug?extid=4913dca2ea6e4d43f3f1 +Signed-off-by: Tetsuo Handa +Reviewed-by: Viacheslav Dubeyko +Message-Id: <15308173-5252-d6a3-ae3b-e96d46cb6f41@I-love.SAKURA.ne.jp> +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/hfsplus/inode.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c +index ccb2a94c2032a..4924a489c8ac0 100644 +--- a/fs/hfsplus/inode.c ++++ b/fs/hfsplus/inode.c +@@ -488,7 +488,11 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd) + if (type == HFSPLUS_FOLDER) { + struct hfsplus_cat_folder *folder = &entry.folder; + +- WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_folder)); ++ if (fd->entrylength < sizeof(struct hfsplus_cat_folder)) { ++ pr_err("bad catalog folder entry\n"); ++ res = -EIO; ++ goto out; ++ } + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset, + sizeof(struct hfsplus_cat_folder)); + hfsplus_get_perms(inode, &folder->permissions, 1); +@@ -508,7 +512,11 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd) + } else if (type == HFSPLUS_FILE) { + struct hfsplus_cat_file *file = &entry.file; + +- WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_file)); ++ if (fd->entrylength < sizeof(struct hfsplus_cat_file)) { ++ pr_err("bad catalog file entry\n"); ++ res = -EIO; ++ goto out; ++ } + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset, + sizeof(struct hfsplus_cat_file)); + +@@ -539,6 +547,7 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd) + pr_err("bad catalog entry used to create inode\n"); + res = -EIO; + } ++out: + return res; + } + +@@ -547,6 +556,7 @@ int hfsplus_cat_write_inode(struct inode *inode) + struct inode *main_inode = inode; + struct hfs_find_data fd; + hfsplus_cat_entry entry; ++ int res = 0; + + if (HFSPLUS_IS_RSRC(inode)) + main_inode = HFSPLUS_I(inode)->rsrc_inode; +@@ -565,7 +575,11 @@ int hfsplus_cat_write_inode(struct inode *inode) + if (S_ISDIR(main_inode->i_mode)) { + struct hfsplus_cat_folder *folder = &entry.folder; + +- WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_folder)); ++ if (fd.entrylength < sizeof(struct hfsplus_cat_folder)) { ++ pr_err("bad catalog folder entry\n"); ++ res = -EIO; ++ goto out; ++ } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, + sizeof(struct hfsplus_cat_folder)); + /* simple node checks? */ +@@ -590,7 +604,11 @@ int hfsplus_cat_write_inode(struct inode *inode) + } else { + struct hfsplus_cat_file *file = &entry.file; + +- WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_file)); ++ if (fd.entrylength < sizeof(struct hfsplus_cat_file)) { ++ pr_err("bad catalog file entry\n"); ++ res = -EIO; ++ goto out; ++ } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, + sizeof(struct hfsplus_cat_file)); + hfsplus_inode_write_fork(inode, &file->data_fork); +@@ -611,5 +629,5 @@ int hfsplus_cat_write_inode(struct inode *inode) + set_bit(HFSPLUS_I_CAT_DIRTY, &HFSPLUS_I(inode)->flags); + out: + hfs_find_exit(&fd); +- return 0; ++ return res; + } +-- +2.39.2 + diff --git a/queue-4.14/gfs2-fix-inode-height-consistency-check.patch b/queue-4.14/gfs2-fix-inode-height-consistency-check.patch new file mode 100644 index 00000000000..b41ed7ba496 --- /dev/null +++ b/queue-4.14/gfs2-fix-inode-height-consistency-check.patch @@ -0,0 +1,49 @@ +From 5bfe544dafd5fc754e7a74ab71a5b33fddf2ed35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 00:43:16 +0200 +Subject: gfs2: Fix inode height consistency check + +From: Andreas Gruenbacher + +[ Upstream commit cfcdb5bad34f600aed7613c3c1a5e618111f77b7 ] + +The maximum allowed height of an inode's metadata tree depends on the +filesystem block size; it is lower for bigger-block filesystems. When +reading in an inode, make sure that the height doesn't exceed the +maximum allowed height. + +Arrays like sd_heightsize are sized to be big enough for any filesystem +block size; they will often be slightly bigger than what's needed for a +specific filesystem. + +Reported-by: syzbot+45d4691b1ed3c48eba05@syzkaller.appspotmail.com +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c +index f1844af4005b6..4838e26c06f74 100644 +--- a/fs/gfs2/glops.c ++++ b/fs/gfs2/glops.c +@@ -333,6 +333,7 @@ static int inode_go_demote_ok(const struct gfs2_glock *gl) + + static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf) + { ++ struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode); + const struct gfs2_dinode *str = buf; + struct timespec atime; + u16 height, depth; +@@ -372,7 +373,7 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf) + /* i_diskflags and i_eattr must be set before gfs2_set_inode_flags() */ + gfs2_set_inode_flags(&ip->i_inode); + height = be16_to_cpu(str->di_height); +- if (unlikely(height > GFS2_MAX_META_HEIGHT)) ++ if (unlikely(height > sdp->sd_max_height)) + goto corrupt; + ip->i_height = (u8)height; + +-- +2.39.2 + diff --git a/queue-4.14/hid-logitech-hidpp-don-t-use-the-usb-serial-for-usb-.patch b/queue-4.14/hid-logitech-hidpp-don-t-use-the-usb-serial-for-usb-.patch new file mode 100644 index 00000000000..5f8d47b2873 --- /dev/null +++ b/queue-4.14/hid-logitech-hidpp-don-t-use-the-usb-serial-for-usb-.patch @@ -0,0 +1,101 @@ +From dffb592c548b5df8fa3986e737a9b343c358e292 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 14:01:16 +0100 +Subject: HID: logitech-hidpp: Don't use the USB serial for USB devices + +From: Bastien Nocera + +[ Upstream commit 7ad1fe0da0fa91bf920b79ab05ae97bfabecc4f4 ] + +For devices that support the 0x0003 feature (Device Information) version 4, +set the serial based on the output of that feature, rather than relying +on the usbhid code setting the USB serial. + +This should allow the serial when connected through USB to (nearly) +match the one when connected through a unifying receiver. + +For example, on the serials on a G903 wired/wireless mouse: +- Unifying: 4067-e8-ce-cd-45 +- USB before patch: 017C385C3837 +- USB after patch: c086-e8-ce-cd-45 + +Signed-off-by: Bastien Nocera +Link: https://lore.kernel.org/r/20230302130117.3975-1-hadess@hadess.net +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 51 ++++++++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index 6ad776b4711b7..e2db4731eb825 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -777,6 +777,55 @@ static bool hidpp_is_connected(struct hidpp_device *hidpp) + return ret == 0; + } + ++/* -------------------------------------------------------------------------- */ ++/* 0x0003: Device Information */ ++/* -------------------------------------------------------------------------- */ ++ ++#define HIDPP_PAGE_DEVICE_INFORMATION 0x0003 ++ ++#define CMD_GET_DEVICE_INFO 0x00 ++ ++static int hidpp_get_serial(struct hidpp_device *hidpp, u32 *serial) ++{ ++ struct hidpp_report response; ++ u8 feature_type; ++ u8 feature_index; ++ int ret; ++ ++ ret = hidpp_root_get_feature(hidpp, HIDPP_PAGE_DEVICE_INFORMATION, ++ &feature_index, ++ &feature_type); ++ if (ret) ++ return ret; ++ ++ ret = hidpp_send_fap_command_sync(hidpp, feature_index, ++ CMD_GET_DEVICE_INFO, ++ NULL, 0, &response); ++ if (ret) ++ return ret; ++ ++ /* See hidpp_unifying_get_serial() */ ++ *serial = *((u32 *)&response.rap.params[1]); ++ return 0; ++} ++ ++static int hidpp_serial_init(struct hidpp_device *hidpp) ++{ ++ struct hid_device *hdev = hidpp->hid_dev; ++ u32 serial; ++ int ret; ++ ++ ret = hidpp_get_serial(hidpp, &serial); ++ if (ret) ++ return ret; ++ ++ snprintf(hdev->uniq, sizeof(hdev->uniq), "%04x-%4phD", ++ hdev->product, &serial); ++ dbg_hid("HID++ DeviceInformation: Got serial: %s\n", hdev->uniq); ++ ++ return 0; ++} ++ + /* -------------------------------------------------------------------------- */ + /* 0x0005: GetDeviceNameType */ + /* -------------------------------------------------------------------------- */ +@@ -3039,6 +3088,8 @@ static int hidpp_probe(struct hid_device *hdev, const struct hid_device_id *id) + + if (hidpp->quirks & HIDPP_QUIRK_UNIFYING) + hidpp_unifying_init(hidpp); ++ else if (hid_is_usb(hidpp->hid_dev)) ++ hidpp_serial_init(hidpp); + + connected = hidpp_is_connected(hidpp); + atomic_set(&hidpp->connected, connected); +-- +2.39.2 + diff --git a/queue-4.14/hid-logitech-hidpp-reconcile-usb-and-unifying-serial.patch b/queue-4.14/hid-logitech-hidpp-reconcile-usb-and-unifying-serial.patch new file mode 100644 index 00000000000..f5cc77caf28 --- /dev/null +++ b/queue-4.14/hid-logitech-hidpp-reconcile-usb-and-unifying-serial.patch @@ -0,0 +1,55 @@ +From 4bea80b695809eea0c2f159a3b78b0de79f4b707 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 14:01:17 +0100 +Subject: HID: logitech-hidpp: Reconcile USB and Unifying serials + +From: Bastien Nocera + +[ Upstream commit 5b3691d15e04b6d5a32c915577b8dbc5cfb56382 ] + +Now that USB HID++ devices can gather a serial number that matches the +one that would be gathered when connected through a Unifying receiver, +remove the last difference by dropping the product ID as devices +usually have different product IDs when connected through USB or +Unifying. + +For example, on the serials on a G903 wired/wireless mouse: +- Unifying before patch: 4067-e8-ce-cd-45 +- USB before patch: c086-e8-ce-cd-45 +- Unifying and USB after patch: e8-ce-cd-45 + +Signed-off-by: Bastien Nocera +Link: https://lore.kernel.org/r/20230302130117.3975-2-hadess@hadess.net +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index e2db4731eb825..1588508b3e7b7 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -675,8 +675,7 @@ static int hidpp_unifying_init(struct hidpp_device *hidpp) + if (ret) + return ret; + +- snprintf(hdev->uniq, sizeof(hdev->uniq), "%04x-%4phD", +- hdev->product, &serial); ++ snprintf(hdev->uniq, sizeof(hdev->uniq), "%4phD", &serial); + dbg_hid("HID++ Unifying: Got serial: %s\n", hdev->uniq); + + name = hidpp_unifying_get_name(hidpp); +@@ -819,8 +818,7 @@ static int hidpp_serial_init(struct hidpp_device *hidpp) + if (ret) + return ret; + +- snprintf(hdev->uniq, sizeof(hdev->uniq), "%04x-%4phD", +- hdev->product, &serial); ++ snprintf(hdev->uniq, sizeof(hdev->uniq), "%4phD", &serial); + dbg_hid("HID++ DeviceInformation: Got serial: %s\n", hdev->uniq); + + return 0; +-- +2.39.2 + diff --git a/queue-4.14/hid-wacom-generic-set-battery-quirk-only-when-we-see.patch b/queue-4.14/hid-wacom-generic-set-battery-quirk-only-when-we-see.patch new file mode 100644 index 00000000000..20707de7f76 --- /dev/null +++ b/queue-4.14/hid-wacom-generic-set-battery-quirk-only-when-we-see.patch @@ -0,0 +1,104 @@ +From 0ff6ba3e49d473317b5dc577abedff15769acecf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 11:17:43 -0700 +Subject: HID: wacom: generic: Set battery quirk only when we see battery data + +From: Jason Gerecke + +[ Upstream commit bea407a427baa019758f29f4d31b26f008bb8cc6 ] + +Some devices will include battery status usages in the HID descriptor +but we won't see that battery data for one reason or another. For example, +AES sensors won't send battery data unless an AES pen is in proximity. +If a user does not have an AES pen but instead only interacts with the +AES touchscreen with their fingers then there is no need for us to create +a battery object. Similarly, if a family of peripherals shares the same +HID descriptor between wired-only and wireless-capable SKUs, users of the +former may never see a battery event and will not want a power_supply +object created. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217062 +Link: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/2354 +Signed-off-by: Jason Gerecke +Tested-by: Mario Limonciello +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/wacom_wac.c | 33 +++++++++++---------------------- + 1 file changed, 11 insertions(+), 22 deletions(-) + +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c +index 921d5184196d2..1b0161c2cd7a6 100644 +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1782,18 +1782,7 @@ static void wacom_map_usage(struct input_dev *input, struct hid_usage *usage, + static void wacom_wac_battery_usage_mapping(struct hid_device *hdev, + struct hid_field *field, struct hid_usage *usage) + { +- struct wacom *wacom = hid_get_drvdata(hdev); +- struct wacom_wac *wacom_wac = &wacom->wacom_wac; +- struct wacom_features *features = &wacom_wac->features; +- unsigned equivalent_usage = wacom_equivalent_usage(usage->hid); +- +- switch (equivalent_usage) { +- case HID_DG_BATTERYSTRENGTH: +- case WACOM_HID_WD_BATTERY_LEVEL: +- case WACOM_HID_WD_BATTERY_CHARGING: +- features->quirks |= WACOM_QUIRK_BATTERY; +- break; +- } ++ return; + } + + static void wacom_wac_battery_event(struct hid_device *hdev, struct hid_field *field, +@@ -1814,18 +1803,21 @@ static void wacom_wac_battery_event(struct hid_device *hdev, struct hid_field *f + wacom_wac->hid_data.bat_connected = 1; + wacom_wac->hid_data.bat_status = WACOM_POWER_SUPPLY_STATUS_AUTO; + } ++ wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY; + break; + case WACOM_HID_WD_BATTERY_LEVEL: + value = value * 100 / (field->logical_maximum - field->logical_minimum); + wacom_wac->hid_data.battery_capacity = value; + wacom_wac->hid_data.bat_connected = 1; + wacom_wac->hid_data.bat_status = WACOM_POWER_SUPPLY_STATUS_AUTO; ++ wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY; + break; + case WACOM_HID_WD_BATTERY_CHARGING: + wacom_wac->hid_data.bat_charging = value; + wacom_wac->hid_data.ps_connected = value; + wacom_wac->hid_data.bat_connected = 1; + wacom_wac->hid_data.bat_status = WACOM_POWER_SUPPLY_STATUS_AUTO; ++ wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY; + break; + } + } +@@ -1841,18 +1833,15 @@ static void wacom_wac_battery_report(struct hid_device *hdev, + { + struct wacom *wacom = hid_get_drvdata(hdev); + struct wacom_wac *wacom_wac = &wacom->wacom_wac; +- struct wacom_features *features = &wacom_wac->features; + +- if (features->quirks & WACOM_QUIRK_BATTERY) { +- int status = wacom_wac->hid_data.bat_status; +- int capacity = wacom_wac->hid_data.battery_capacity; +- bool charging = wacom_wac->hid_data.bat_charging; +- bool connected = wacom_wac->hid_data.bat_connected; +- bool powered = wacom_wac->hid_data.ps_connected; ++ int status = wacom_wac->hid_data.bat_status; ++ int capacity = wacom_wac->hid_data.battery_capacity; ++ bool charging = wacom_wac->hid_data.bat_charging; ++ bool connected = wacom_wac->hid_data.bat_connected; ++ bool powered = wacom_wac->hid_data.ps_connected; + +- wacom_notify_battery(wacom_wac, status, capacity, charging, +- connected, powered); +- } ++ wacom_notify_battery(wacom_wac, status, capacity, charging, ++ connected, powered); + } + + static void wacom_wac_pad_usage_mapping(struct hid_device *hdev, +-- +2.39.2 + diff --git a/queue-4.14/input-xpad-add-constants-for-gip-interface-numbers.patch b/queue-4.14/input-xpad-add-constants-for-gip-interface-numbers.patch new file mode 100644 index 00000000000..8a0a90a492f --- /dev/null +++ b/queue-4.14/input-xpad-add-constants-for-gip-interface-numbers.patch @@ -0,0 +1,47 @@ +From e178d2099eea1f25fcd5673d372e9d82506261bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 23:57:42 -0700 +Subject: Input: xpad - add constants for GIP interface numbers + +From: Vicki Pfau + +[ Upstream commit f9b2e603c6216824e34dc9a67205d98ccc9a41ca ] + +Wired GIP devices present multiple interfaces with the same USB identification +other than the interface number. This adds constants for differentiating two of +them and uses them where appropriate + +Signed-off-by: Vicki Pfau +Link: https://lore.kernel.org/r/20230411031650.960322-2-vi@endrift.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/joystick/xpad.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c +index 1a12f95227301..f1c2bc108fd76 100644 +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -506,6 +506,9 @@ struct xboxone_init_packet { + } + + ++#define GIP_WIRED_INTF_DATA 0 ++#define GIP_WIRED_INTF_AUDIO 1 ++ + /* + * This packet is required for all Xbox One pads with 2015 + * or later firmware installed (or present from the factory). +@@ -1830,7 +1833,7 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id + } + + if (xpad->xtype == XTYPE_XBOXONE && +- intf->cur_altsetting->desc.bInterfaceNumber != 0) { ++ intf->cur_altsetting->desc.bInterfaceNumber != GIP_WIRED_INTF_DATA) { + /* + * The Xbox One controller lists three interfaces all with the + * same interface class, subclass and protocol. Differentiate by +-- +2.39.2 + diff --git a/queue-4.14/lib-cpu_rmap-avoid-use-after-free-on-rmap-obj-array-.patch b/queue-4.14/lib-cpu_rmap-avoid-use-after-free-on-rmap-obj-array-.patch new file mode 100644 index 00000000000..efe3cb79371 --- /dev/null +++ b/queue-4.14/lib-cpu_rmap-avoid-use-after-free-on-rmap-obj-array-.patch @@ -0,0 +1,67 @@ +From 232935d274c4b46158a70eb82674954918c8b8e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Feb 2023 07:51:02 +0200 +Subject: lib: cpu_rmap: Avoid use after free on rmap->obj array entries + +From: Eli Cohen + +[ Upstream commit 4e0473f1060aa49621d40a113afde24818101d37 ] + +When calling irq_set_affinity_notifier() with NULL at the notify +argument, it will cause freeing of the glue pointer in the +corresponding array entry but will leave the pointer in the array. A +subsequent call to free_irq_cpu_rmap() will try to free this entry again +leading to possible use after free. + +Fix that by setting NULL to the array entry and checking that we have +non-zero at the array entry when iterating over the array in +free_irq_cpu_rmap(). + +The current code does not suffer from this since there are no cases +where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the +notify arg) is called, followed by a call to free_irq_cpu_rmap() so we +don't hit and issue. Subsequent patches in this series excersize this +flow, hence the required fix. + +Cc: Thomas Gleixner +Signed-off-by: Eli Cohen +Signed-off-by: Saeed Mahameed +Reviewed-by: Jacob Keller +Signed-off-by: Sasha Levin +--- + lib/cpu_rmap.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/cpu_rmap.c b/lib/cpu_rmap.c +index f610b2a10b3ed..f52389054a24f 100644 +--- a/lib/cpu_rmap.c ++++ b/lib/cpu_rmap.c +@@ -235,7 +235,8 @@ void free_irq_cpu_rmap(struct cpu_rmap *rmap) + + for (index = 0; index < rmap->used; index++) { + glue = rmap->obj[index]; +- irq_set_affinity_notifier(glue->notify.irq, NULL); ++ if (glue) ++ irq_set_affinity_notifier(glue->notify.irq, NULL); + } + + cpu_rmap_put(rmap); +@@ -271,6 +272,7 @@ static void irq_cpu_rmap_release(struct kref *ref) + container_of(ref, struct irq_glue, notify.kref); + + cpu_rmap_put(glue->rmap); ++ glue->rmap->obj[glue->index] = NULL; + kfree(glue); + } + +@@ -300,6 +302,7 @@ int irq_cpu_rmap_add(struct cpu_rmap *rmap, int irq) + rc = irq_set_affinity_notifier(irq, &glue->notify); + if (rc) { + cpu_rmap_put(glue->rmap); ++ rmap->obj[glue->index] = NULL; + kfree(glue); + } + return rc; +-- +2.39.2 + diff --git a/queue-4.14/mcb-pci-reallocate-memory-region-to-avoid-memory-ove.patch b/queue-4.14/mcb-pci-reallocate-memory-region-to-avoid-memory-ove.patch new file mode 100644 index 00000000000..f3ba955b2b8 --- /dev/null +++ b/queue-4.14/mcb-pci-reallocate-memory-region-to-avoid-memory-ove.patch @@ -0,0 +1,78 @@ +From 0830caf8f257f864918ed26e9c55aafd01ad0417 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Apr 2023 10:33:28 +0200 +Subject: mcb-pci: Reallocate memory region to avoid memory overlapping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rodríguez Barbarin, José Javier + +[ Upstream commit 9be24faadd085c284890c3afcec7a0184642315a ] + +mcb-pci requests a fixed-size memory region to parse the chameleon +table, however, if the chameleon table is smaller that the allocated +region, it could overlap with the IP Cores' memory regions. + +After parsing the chameleon table, drop/reallocate the memory region +with the actual chameleon table size. + +Co-developed-by: Jorge Sanjuan Garcia +Signed-off-by: Jorge Sanjuan Garcia +Signed-off-by: Javier Rodriguez +Signed-off-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/20230411083329.4506-3-jth@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/mcb/mcb-pci.c | 27 +++++++++++++++++++++++++-- + 1 file changed, 25 insertions(+), 2 deletions(-) + +diff --git a/drivers/mcb/mcb-pci.c b/drivers/mcb/mcb-pci.c +index af4d2f26f1c62..b0ec3bbf1b76d 100644 +--- a/drivers/mcb/mcb-pci.c ++++ b/drivers/mcb/mcb-pci.c +@@ -34,7 +34,7 @@ static int mcb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + { + struct resource *res; + struct priv *priv; +- int ret; ++ int ret, table_size; + unsigned long flags; + + priv = devm_kzalloc(&pdev->dev, sizeof(struct priv), GFP_KERNEL); +@@ -93,7 +93,30 @@ static int mcb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + if (ret < 0) + goto out_mcb_bus; + +- dev_dbg(&pdev->dev, "Found %d cells\n", ret); ++ table_size = ret; ++ ++ if (table_size < CHAM_HEADER_SIZE) { ++ /* Release the previous resources */ ++ devm_iounmap(&pdev->dev, priv->base); ++ devm_release_mem_region(&pdev->dev, priv->mapbase, CHAM_HEADER_SIZE); ++ ++ /* Then, allocate it again with the actual chameleon table size */ ++ res = devm_request_mem_region(&pdev->dev, priv->mapbase, ++ table_size, ++ KBUILD_MODNAME); ++ if (!res) { ++ dev_err(&pdev->dev, "Failed to request PCI memory\n"); ++ ret = -EBUSY; ++ goto out_mcb_bus; ++ } ++ ++ priv->base = devm_ioremap(&pdev->dev, priv->mapbase, table_size); ++ if (!priv->base) { ++ dev_err(&pdev->dev, "Cannot ioremap\n"); ++ ret = -ENOMEM; ++ goto out_mcb_bus; ++ } ++ } + + mcb_bus_add_devices(priv->bus); + +-- +2.39.2 + diff --git a/queue-4.14/memstick-r592-fix-uaf-bug-in-r592_remove-due-to-race.patch b/queue-4.14/memstick-r592-fix-uaf-bug-in-r592_remove-due-to-race.patch new file mode 100644 index 00000000000..f3d3e1678d9 --- /dev/null +++ b/queue-4.14/memstick-r592-fix-uaf-bug-in-r592_remove-due-to-race.patch @@ -0,0 +1,53 @@ +From d24427cf66d2a1c5387e351cf22c7a9ee0fbd555 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 00:43:38 +0800 +Subject: memstick: r592: Fix UAF bug in r592_remove due to race condition + +From: Zheng Wang + +[ Upstream commit 63264422785021704c39b38f65a78ab9e4a186d7 ] + +In r592_probe, dev->detect_timer was bound with r592_detect_timer. +In r592_irq function, the timer function will be invoked by mod_timer. + +If we remove the module which will call hantro_release to make cleanup, +there may be a unfinished work. The possible sequence is as follows, +which will cause a typical UAF bug. + +Fix it by canceling the work before cleanup in r592_remove. + +CPU0 CPU1 + + |r592_detect_timer +r592_remove | + memstick_free_host| + put_device; | + kfree(host); | + | + | queue_work + | &host->media_checker //use + +Signed-off-by: Zheng Wang +Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/host/r592.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c +index 256634ec58b63..d52c89b2a1d58 100644 +--- a/drivers/memstick/host/r592.c ++++ b/drivers/memstick/host/r592.c +@@ -832,7 +832,7 @@ static void r592_remove(struct pci_dev *pdev) + /* Stop the processing thread. + That ensures that we won't take any more requests */ + kthread_stop(dev->io_thread); +- ++ del_timer_sync(&dev->detect_timer); + r592_enable_device(dev, false); + + while (!error && dev->req) { +-- +2.39.2 + diff --git a/queue-4.14/mfd-dln2-fix-memory-leak-in-dln2_probe.patch b/queue-4.14/mfd-dln2-fix-memory-leak-in-dln2_probe.patch new file mode 100644 index 00000000000..bf36648db8a --- /dev/null +++ b/queue-4.14/mfd-dln2-fix-memory-leak-in-dln2_probe.patch @@ -0,0 +1,38 @@ +From 07bb2ad4894d33cdd2191670aff3318de10e5e1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 10:43:53 +0800 +Subject: mfd: dln2: Fix memory leak in dln2_probe() + +From: Qiang Ning + +[ Upstream commit 96da8f148396329ba769246cb8ceaa35f1ddfc48 ] + +When dln2_setup_rx_urbs() in dln2_probe() fails, error out_free forgets +to call usb_put_dev() to decrease the refcount of dln2->usb_dev. + +Fix this by adding usb_put_dev() in the error handling code of +dln2_probe(). + +Signed-off-by: Qiang Ning +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20230330024353.4503-1-qning0106@126.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/dln2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c +index 97a69cd6f1278..a0ad99ca495fd 100644 +--- a/drivers/mfd/dln2.c ++++ b/drivers/mfd/dln2.c +@@ -804,6 +804,7 @@ static int dln2_probe(struct usb_interface *interface, + dln2_stop_rx_urbs(dln2); + + out_free: ++ usb_put_dev(dln2->usb_dev); + dln2_free(dln2); + + return ret; +-- +2.39.2 + diff --git a/queue-4.14/net-catch-invalid-index-in-xps-mapping.patch b/queue-4.14/net-catch-invalid-index-in-xps-mapping.patch new file mode 100644 index 00000000000..47bca22f091 --- /dev/null +++ b/queue-4.14/net-catch-invalid-index-in-xps-mapping.patch @@ -0,0 +1,43 @@ +From ead0566f85a1f768c0db28d22602f963f4d8a8fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Mar 2023 10:07:24 -0500 +Subject: net: Catch invalid index in XPS mapping + +From: Nick Child + +[ Upstream commit 5dd0dfd55baec0742ba8f5625a0dd064aca7db16 ] + +When setting the XPS value of a TX queue, warn the user once if the +index of the queue is greater than the number of allocated TX queues. + +Previously, this scenario went uncaught. In the best case, it resulted +in unnecessary allocations. In the worst case, it resulted in +out-of-bounds memory references through calls to `netdev_get_tx_queue( +dev, index)`. Therefore, it is important to inform the user but not +worth returning an error and risk downing the netdevice. + +Signed-off-by: Nick Child +Reviewed-by: Piotr Raczynski +Link: https://lore.kernel.org/r/20230321150725.127229-1-nnac123@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 86f762a1cf7ac..a4d68da682322 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2165,6 +2165,8 @@ int netif_set_xps_queue(struct net_device *dev, const struct cpumask *mask, + struct xps_map *map, *new_map; + bool active = false; + ++ WARN_ON_ONCE(index >= dev->num_tx_queues); ++ + if (dev->num_tc) { + num_tc = dev->num_tc; + tc = netdev_txq_to_tc(dev, index); +-- +2.39.2 + diff --git a/queue-4.14/net-pasemi-fix-return-type-of-pasemi_mac_start_tx.patch b/queue-4.14/net-pasemi-fix-return-type-of-pasemi_mac_start_tx.patch new file mode 100644 index 00000000000..f9d8de969f0 --- /dev/null +++ b/queue-4.14/net-pasemi-fix-return-type-of-pasemi_mac_start_tx.patch @@ -0,0 +1,54 @@ +From 6116943f0a5a6f885bf88fefef2c5248e05ee5e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Mar 2023 16:41:08 -0700 +Subject: net: pasemi: Fix return type of pasemi_mac_start_tx() + +From: Nathan Chancellor + +[ Upstream commit c8384d4a51e7cb0e6587f3143f29099f202c5de1 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +warning in clang aims to catch these at compile time, which reveals: + + drivers/net/ethernet/pasemi/pasemi_mac.c:1665:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = pasemi_mac_start_tx, + ^~~~~~~~~~~~~~~~~~~ + 1 error generated. + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of +pasemi_mac_start_tx() to match the prototype's to resolve the warning. +While PowerPC does not currently implement support for kCFI, it could in +the future, which means this warning becomes a fatal CFI failure at run +time. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Signed-off-by: Nathan Chancellor +Reviewed-by: Horatiu Vultur +Link: https://lore.kernel.org/r/20230319-pasemi-incompatible-pointer-types-strict-v1-1-1b9459d8aef0@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pasemi/pasemi_mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/pasemi/pasemi_mac.c b/drivers/net/ethernet/pasemi/pasemi_mac.c +index 6ccdce21ca9b5..c891ee70099a7 100644 +--- a/drivers/net/ethernet/pasemi/pasemi_mac.c ++++ b/drivers/net/ethernet/pasemi/pasemi_mac.c +@@ -1436,7 +1436,7 @@ static void pasemi_mac_queue_csdesc(const struct sk_buff *skb, + write_dma_reg(PAS_DMA_TXCHAN_INCR(txring->chan.chno), 2); + } + +-static int pasemi_mac_start_tx(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t pasemi_mac_start_tx(struct sk_buff *skb, struct net_device *dev) + { + struct pasemi_mac * const mac = netdev_priv(dev); + struct pasemi_mac_txring * const txring = tx_ring(mac); +-- +2.39.2 + diff --git a/queue-4.14/null_blk-always-check-queue-mode-setting-from-config.patch b/queue-4.14/null_blk-always-check-queue-mode-setting-from-config.patch new file mode 100644 index 00000000000..162702c2835 --- /dev/null +++ b/queue-4.14/null_blk-always-check-queue-mode-setting-from-config.patch @@ -0,0 +1,87 @@ +From 9b8ce896c1decd4a19f6e4fe713fde54d74a9045 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Apr 2023 15:03:39 -0700 +Subject: null_blk: Always check queue mode setting from configfs + +From: Chaitanya Kulkarni + +[ Upstream commit 63f8793ee60513a09f110ea460a6ff2c33811cdb ] + +Make sure to check device queue mode in the null_validate_conf() and +return error for NULL_Q_RQ as we don't allow legacy I/O path, without +this patch we get OOPs when queue mode is set to 1 from configfs, +following are repro steps :- + +modprobe null_blk nr_devices=0 +mkdir config/nullb/nullb0 +echo 1 > config/nullb/nullb0/memory_backed +echo 4096 > config/nullb/nullb0/blocksize +echo 20480 > config/nullb/nullb0/size +echo 1 > config/nullb/nullb0/queue_mode +echo 1 > config/nullb/nullb0/power + +Entering kdb (current=0xffff88810acdd080, pid 2372) on processor 42 Oops: (null) +due to oops @ 0xffffffffc041c329 +CPU: 42 PID: 2372 Comm: sh Tainted: G O N 6.3.0-rc5lblk+ #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +RIP: 0010:null_add_dev.part.0+0xd9/0x720 [null_blk] +Code: 01 00 00 85 d2 0f 85 a1 03 00 00 48 83 bb 08 01 00 00 00 0f 85 f7 03 00 00 80 bb 62 01 00 00 00 48 8b 75 20 0f 85 6d 02 00 00 <48> 89 6e 60 48 8b 75 20 bf 06 00 00 00 e8 f5 37 2c c1 48 8b 75 20 +RSP: 0018:ffffc900052cbde0 EFLAGS: 00010246 +RAX: 0000000000000001 RBX: ffff88811084d800 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888100042e00 +RBP: ffff8881053d8200 R08: ffffc900052cbd68 R09: ffff888105db2000 +R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000002 +R13: ffff888104765200 R14: ffff88810eec1748 R15: ffff88810eec1740 +FS: 00007fd445fd1740(0000) GS:ffff8897dfc80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000060 CR3: 0000000166a00000 CR4: 0000000000350ee0 +DR0: ffffffff8437a488 DR1: ffffffff8437a489 DR2: ffffffff8437a48a +DR3: ffffffff8437a48b DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Call Trace: + + nullb_device_power_store+0xd1/0x120 [null_blk] + configfs_write_iter+0xb4/0x120 + vfs_write+0x2ba/0x3c0 + ksys_write+0x5f/0xe0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7fd4460c57a7 +Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 +RSP: 002b:00007ffd3792a4a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fd4460c57a7 +RDX: 0000000000000002 RSI: 000055b43c02e4c0 RDI: 0000000000000001 +RBP: 000055b43c02e4c0 R08: 000000000000000a R09: 00007fd44615b4e0 +R10: 00007fd44615b3e0 R11: 0000000000000246 R12: 0000000000000002 +R13: 00007fd446198520 R14: 0000000000000002 R15: 00007fd446198700 + + +Signed-off-by: Chaitanya Kulkarni +Reviewed-by: Damien Le Moal +Reviewed-by: Ming Lei +Reviewed-by: Nitesh Shetty +Link: https://lore.kernel.org/r/20230416220339.43845-1-kch@nvidia.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/null_blk.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/block/null_blk.c b/drivers/block/null_blk.c +index b499e72b2847e..38660b5cfb73c 100644 +--- a/drivers/block/null_blk.c ++++ b/drivers/block/null_blk.c +@@ -1780,6 +1780,11 @@ static int null_init_tag_set(struct nullb *nullb, struct blk_mq_tag_set *set) + + static void null_validate_conf(struct nullb_device *dev) + { ++ if (dev->queue_mode == NULL_Q_RQ) { ++ pr_err("legacy IO path is no longer available\n"); ++ return -EINVAL; ++ } ++ + dev->blocksize = round_down(dev->blocksize, 512); + dev->blocksize = clamp_t(unsigned int, dev->blocksize, 512, 4096); + if (dev->use_lightnvm && dev->blocksize != 4096) +-- +2.39.2 + diff --git a/queue-4.14/phy-st-miphy28lp-use-_poll_timeout-functions-for-wai.patch b/queue-4.14/phy-st-miphy28lp-use-_poll_timeout-functions-for-wai.patch new file mode 100644 index 00000000000..3201d0bf191 --- /dev/null +++ b/queue-4.14/phy-st-miphy28lp-use-_poll_timeout-functions-for-wai.patch @@ -0,0 +1,113 @@ +From 31ca13fe48a7e2035c36058321d53e5b6beace13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 23:43:08 +0100 +Subject: phy: st: miphy28lp: use _poll_timeout functions for waits + +From: Alain Volmat + +[ Upstream commit e3be4dd2c8d8aabfd2c3127d0e2e5754d3ae82d6 ] + +This commit introduces _poll_timeout functions usage instead of +wait loops waiting for a status bit. + +Signed-off-by: Alain Volmat +Reviewed-by: Patrice Chotard +Link: https://lore.kernel.org/r/20230210224309.98452-1-avolmat@me.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/st/phy-miphy28lp.c | 42 ++++++++-------------------------- + 1 file changed, 10 insertions(+), 32 deletions(-) + +diff --git a/drivers/phy/st/phy-miphy28lp.c b/drivers/phy/st/phy-miphy28lp.c +index 213e2e15339c4..fe23432e5b1a6 100644 +--- a/drivers/phy/st/phy-miphy28lp.c ++++ b/drivers/phy/st/phy-miphy28lp.c +@@ -13,6 +13,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -488,19 +489,11 @@ static inline void miphy28lp_pcie_config_gen(struct miphy28lp_phy *miphy_phy) + + static inline int miphy28lp_wait_compensation(struct miphy28lp_phy *miphy_phy) + { +- unsigned long finish = jiffies + 5 * HZ; + u8 val; + + /* Waiting for Compensation to complete */ +- do { +- val = readb_relaxed(miphy_phy->base + MIPHY_COMP_FSM_6); +- +- if (time_after_eq(jiffies, finish)) +- return -EBUSY; +- cpu_relax(); +- } while (!(val & COMP_DONE)); +- +- return 0; ++ return readb_relaxed_poll_timeout(miphy_phy->base + MIPHY_COMP_FSM_6, ++ val, val & COMP_DONE, 1, 5 * USEC_PER_SEC); + } + + +@@ -809,7 +802,6 @@ static inline void miphy28lp_configure_usb3(struct miphy28lp_phy *miphy_phy) + + static inline int miphy_is_ready(struct miphy28lp_phy *miphy_phy) + { +- unsigned long finish = jiffies + 5 * HZ; + u8 mask = HFC_PLL | HFC_RDY; + u8 val; + +@@ -820,21 +812,14 @@ static inline int miphy_is_ready(struct miphy28lp_phy *miphy_phy) + if (miphy_phy->type == PHY_TYPE_SATA) + mask |= PHY_RDY; + +- do { +- val = readb_relaxed(miphy_phy->base + MIPHY_STATUS_1); +- if ((val & mask) != mask) +- cpu_relax(); +- else +- return 0; +- } while (!time_after_eq(jiffies, finish)); +- +- return -EBUSY; ++ return readb_relaxed_poll_timeout(miphy_phy->base + MIPHY_STATUS_1, ++ val, (val & mask) == mask, 1, ++ 5 * USEC_PER_SEC); + } + + static int miphy_osc_is_ready(struct miphy28lp_phy *miphy_phy) + { + struct miphy28lp_dev *miphy_dev = miphy_phy->phydev; +- unsigned long finish = jiffies + 5 * HZ; + u32 val; + + if (!miphy_phy->osc_rdy) +@@ -843,17 +828,10 @@ static int miphy_osc_is_ready(struct miphy28lp_phy *miphy_phy) + if (!miphy_phy->syscfg_reg[SYSCFG_STATUS]) + return -EINVAL; + +- do { +- regmap_read(miphy_dev->regmap, +- miphy_phy->syscfg_reg[SYSCFG_STATUS], &val); +- +- if ((val & MIPHY_OSC_RDY) != MIPHY_OSC_RDY) +- cpu_relax(); +- else +- return 0; +- } while (!time_after_eq(jiffies, finish)); +- +- return -EBUSY; ++ return regmap_read_poll_timeout(miphy_dev->regmap, ++ miphy_phy->syscfg_reg[SYSCFG_STATUS], ++ val, val & MIPHY_OSC_RDY, 1, ++ 5 * USEC_PER_SEC); + } + + static int miphy28lp_get_resource_byname(struct device_node *child, +-- +2.39.2 + diff --git a/queue-4.14/recordmcount-fix-memory-leaks-in-the-uwrite-function.patch b/queue-4.14/recordmcount-fix-memory-leaks-in-the-uwrite-function.patch new file mode 100644 index 00000000000..7c096117a08 --- /dev/null +++ b/queue-4.14/recordmcount-fix-memory-leaks-in-the-uwrite-function.patch @@ -0,0 +1,48 @@ +From 589ac15eff129de414f61ada725d791e0b5fb4c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 09:05:27 +0800 +Subject: recordmcount: Fix memory leaks in the uwrite function + +From: Hao Zeng + +[ Upstream commit fa359d068574d29e7d2f0fdd0ebe4c6a12b5cfb9 ] + +Common realloc mistake: 'file_append' nulled but not freed upon failure + +Link: https://lkml.kernel.org/r/20230426010527.703093-1-zenghao@kylinos.cn + +Signed-off-by: Hao Zeng +Suggested-by: Steven Rostedt +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + scripts/recordmcount.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c +index 9012e33ae22f8..731600de03893 100644 +--- a/scripts/recordmcount.c ++++ b/scripts/recordmcount.c +@@ -146,6 +146,7 @@ uwrite(int const fd, void const *const buf, size_t const count) + { + size_t cnt = count; + off_t idx = 0; ++ void *p = NULL; + + file_updated = 1; + +@@ -153,7 +154,10 @@ uwrite(int const fd, void const *const buf, size_t const count) + off_t aoffset = (file_ptr + count) - file_end; + + if (aoffset > file_append_size) { +- file_append = realloc(file_append, aoffset); ++ p = realloc(file_append, aoffset); ++ if (!p) ++ free(file_append); ++ file_append = p; + file_append_size = aoffset; + } + if (!file_append) { +-- +2.39.2 + diff --git a/queue-4.14/regmap-cache-return-error-in-cache-sync-operations-f.patch b/queue-4.14/regmap-cache-return-error-in-cache-sync-operations-f.patch new file mode 100644 index 00000000000..230620e83c0 --- /dev/null +++ b/queue-4.14/regmap-cache-return-error-in-cache-sync-operations-f.patch @@ -0,0 +1,49 @@ +From 6c543665c42a6c39783ae20216e89693b7b02eda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 08:18:11 +0100 +Subject: regmap: cache: Return error in cache sync operations for + REGCACHE_NONE + +From: Alexander Stein + +[ Upstream commit fd883d79e4dcd2417c2b80756f22a2ff03b0f6e0 ] + +There is no sense in doing a cache sync on REGCACHE_NONE regmaps. +Instead of panicking the kernel due to missing cache_ops, return an error +to client driver. + +Signed-off-by: Alexander Stein +Link: https://lore.kernel.org/r/20230313071812.13577-1-alexander.stein@ew.tq-group.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regcache.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c +index 773560348337f..b78e4b6e2c9da 100644 +--- a/drivers/base/regmap/regcache.c ++++ b/drivers/base/regmap/regcache.c +@@ -347,6 +347,9 @@ int regcache_sync(struct regmap *map) + const char *name; + bool bypass; + ++ if (WARN_ON(map->cache_type == REGCACHE_NONE)) ++ return -EINVAL; ++ + BUG_ON(!map->cache_ops); + + map->lock(map->lock_arg); +@@ -416,6 +419,9 @@ int regcache_sync_region(struct regmap *map, unsigned int min, + const char *name; + bool bypass; + ++ if (WARN_ON(map->cache_type == REGCACHE_NONE)) ++ return -EINVAL; ++ + BUG_ON(!map->cache_ops); + + map->lock(map->lock_arg); +-- +2.39.2 + diff --git a/queue-4.14/sched-fix-kcsan-noinstr-violation.patch b/queue-4.14/sched-fix-kcsan-noinstr-violation.patch new file mode 100644 index 00000000000..cb5b211ef1f --- /dev/null +++ b/queue-4.14/sched-fix-kcsan-noinstr-violation.patch @@ -0,0 +1,40 @@ +From 314834e9e7c79f51ab30d1f76dbd1a36e4f3f1b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Apr 2023 10:24:07 -0700 +Subject: sched: Fix KCSAN noinstr violation + +From: Josh Poimboeuf + +[ Upstream commit e0b081d17a9f4e5c0cbb0e5fbeb1abe3de0f7e4e ] + +With KCSAN enabled, end_of_stack() can get out-of-lined. Force it +inline. + +Fixes the following warnings: + + vmlinux.o: warning: objtool: check_stackleak_irqoff+0x2b: call to end_of_stack() leaves .noinstr.text section + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/cc1b4d73d3a428a00d206242a68fdf99a934ca7b.1681320026.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/sched/task_stack.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h +index 3461beb89b040..62d1cd4db27af 100644 +--- a/include/linux/sched/task_stack.h ++++ b/include/linux/sched/task_stack.h +@@ -23,7 +23,7 @@ static inline void *task_stack_page(const struct task_struct *task) + + #define setup_thread_stack(new,old) do { } while(0) + +-static inline unsigned long *end_of_stack(const struct task_struct *task) ++static __always_inline unsigned long *end_of_stack(const struct task_struct *task) + { + #ifdef CONFIG_STACK_GROWSUP + return (unsigned long *)((unsigned long)task->stack + THREAD_SIZE) - 1; +-- +2.39.2 + diff --git a/queue-4.14/scsi-message-mptlan-fix-use-after-free-bug-in-mptlan.patch b/queue-4.14/scsi-message-mptlan-fix-use-after-free-bug-in-mptlan.patch new file mode 100644 index 00000000000..1eec2def7d5 --- /dev/null +++ b/queue-4.14/scsi-message-mptlan-fix-use-after-free-bug-in-mptlan.patch @@ -0,0 +1,55 @@ +From c7de1d5e588aaeb89c95c6455bf30cc83211cdc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Mar 2023 16:16:35 +0800 +Subject: scsi: message: mptlan: Fix use after free bug in mptlan_remove() due + to race condition + +From: Zheng Wang + +[ Upstream commit f486893288f3e9b171b836f43853a6426515d800 ] + +mptlan_probe() calls mpt_register_lan_device() which initializes the +&priv->post_buckets_task workqueue. A call to +mpt_lan_wake_post_buckets_task() will subsequently start the work. + +During driver unload in mptlan_remove() the following race may occur: + +CPU0 CPU1 + + |mpt_lan_post_receive_buckets_work() +mptlan_remove() | + free_netdev() | + kfree(dev); | + | + | dev->mtu + | //use + +Fix this by finishing the work prior to cleaning up in mptlan_remove(). + +[mkp: we really should remove mptlan instead of attempting to fix it] + +Signed-off-by: Zheng Wang +Link: https://lore.kernel.org/r/20230318081635.796479-1-zyytlz.wz@163.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/message/fusion/mptlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/message/fusion/mptlan.c b/drivers/message/fusion/mptlan.c +index 55dd71bbdc2aa..74d0ae00b0827 100644 +--- a/drivers/message/fusion/mptlan.c ++++ b/drivers/message/fusion/mptlan.c +@@ -1429,7 +1429,9 @@ mptlan_remove(struct pci_dev *pdev) + { + MPT_ADAPTER *ioc = pci_get_drvdata(pdev); + struct net_device *dev = ioc->netdev; ++ struct mpt_lan_priv *priv = netdev_priv(dev); + ++ cancel_delayed_work_sync(&priv->post_buckets_task); + if(dev != NULL) { + unregister_netdev(dev); + free_netdev(dev); +-- +2.39.2 + diff --git a/queue-4.14/serial-8250-reinit-port-pm-on-port-specific-driver-u.patch b/queue-4.14/serial-8250-reinit-port-pm-on-port-specific-driver-u.patch new file mode 100644 index 00000000000..cf2eb25e002 --- /dev/null +++ b/queue-4.14/serial-8250-reinit-port-pm-on-port-specific-driver-u.patch @@ -0,0 +1,56 @@ +From 547c033d91c54d9135da74e288627b7ec3457f0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 13:14:06 +0300 +Subject: serial: 8250: Reinit port->pm on port specific driver unbind + +From: Tony Lindgren + +[ Upstream commit 04e82793f068d2f0ffe62fcea03d007a8cdc16a7 ] + +When we unbind a serial port hardware specific 8250 driver, the generic +serial8250 driver takes over the port. After that we see an oops about 10 +seconds later. This can produce the following at least on some TI SoCs: + +Unhandled fault: imprecise external abort (0x1406) +Internal error: : 1406 [#1] SMP ARM + +Turns out that we may still have the serial port hardware specific driver +port->pm in use, and serial8250_pm() tries to call it after the port +specific driver is gone: + +serial8250_pm [8250_base] from uart_change_pm+0x54/0x8c [serial_base] +uart_change_pm [serial_base] from uart_hangup+0x154/0x198 [serial_base] +uart_hangup [serial_base] from __tty_hangup.part.0+0x328/0x37c +__tty_hangup.part.0 from disassociate_ctty+0x154/0x20c +disassociate_ctty from do_exit+0x744/0xaac +do_exit from do_group_exit+0x40/0x8c +do_group_exit from __wake_up_parent+0x0/0x1c + +Let's fix the issue by calling serial8250_set_defaults() in +serial8250_unregister_port(). This will set the port back to using +the serial8250 default functions, and sets the port->pm to point to +serial8250_pm. + +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20230418101407.12403-1-tony@atomide.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c +index 8d46bd612888f..3cc3fab510912 100644 +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -1128,6 +1128,7 @@ void serial8250_unregister_port(int line) + uart->port.type = PORT_UNKNOWN; + uart->port.dev = &serial8250_isa_devs->dev; + uart->capabilities = 0; ++ serial8250_init_port(uart); + serial8250_apply_quirks(uart); + uart_add_one_port(&serial8250_reg, &uart->port); + } else { +-- +2.39.2 + diff --git a/queue-4.14/series b/queue-4.14/series index c8118da048c..4eaa7dd076a 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -3,3 +3,35 @@ netlink-annotate-accesses-to-nlk-cb_running.patch net-annotate-sk-sk_err-write-from-do_recvmmsg.patch ipvlan-fix-out-of-bounds-caused-by-unclear-skb-cb.patch af_unix-fix-a-data-race-of-sk-sk_receive_queue-qlen.patch +fs-hfsplus-remove-warn_on-from-hfsplus_cat_-read-wri.patch +regmap-cache-return-error-in-cache-sync-operations-f.patch +memstick-r592-fix-uaf-bug-in-r592_remove-due-to-race.patch +acpi-ec-fix-oops-when-removing-custom-query-handlers.patch +drm-tegra-avoid-potential-32-bit-integer-overflow.patch +acpica-avoid-undefined-behavior-applying-zero-offset.patch +acpica-acpica-check-null-return-of-acpi_allocate_zer.patch +wifi-brcmfmac-cfg80211-pass-the-pmk-in-binary-instea.patch +ext2-check-block-size-validity-during-mount.patch +net-pasemi-fix-return-type-of-pasemi_mac_start_tx.patch +net-catch-invalid-index-in-xps-mapping.patch +lib-cpu_rmap-avoid-use-after-free-on-rmap-obj-array-.patch +scsi-message-mptlan-fix-use-after-free-bug-in-mptlan.patch +gfs2-fix-inode-height-consistency-check.patch +ext4-set-goal-start-correctly-in-ext4_mb_normalize_r.patch +ext4-fix-best-extent-lstart-adjustment-logic-in-ext4.patch +null_blk-always-check-queue-mode-setting-from-config.patch +wifi-iwlwifi-dvm-fix-memcpy-detected-field-spanning-.patch +bluetooth-l2cap-fix-bad-unlock-balance-in-l2cap_disc.patch +staging-rtl8192e-replace-macro-rtl_pci_device-with-p.patch +hid-logitech-hidpp-don-t-use-the-usb-serial-for-usb-.patch +hid-logitech-hidpp-reconcile-usb-and-unifying-serial.patch +spi-spi-imx-fix-mx51_ecspi_-macros-when-cs-3.patch +hid-wacom-generic-set-battery-quirk-only-when-we-see.patch +serial-8250-reinit-port-pm-on-port-specific-driver-u.patch +mcb-pci-reallocate-memory-region-to-avoid-memory-ove.patch +sched-fix-kcsan-noinstr-violation.patch +recordmcount-fix-memory-leaks-in-the-uwrite-function.patch +clk-tegra20-fix-gcc-7-constant-overflow-warning.patch +input-xpad-add-constants-for-gip-interface-numbers.patch +phy-st-miphy28lp-use-_poll_timeout-functions-for-wai.patch +mfd-dln2-fix-memory-leak-in-dln2_probe.patch diff --git a/queue-4.14/spi-spi-imx-fix-mx51_ecspi_-macros-when-cs-3.patch b/queue-4.14/spi-spi-imx-fix-mx51_ecspi_-macros-when-cs-3.patch new file mode 100644 index 00000000000..60bbdc21005 --- /dev/null +++ b/queue-4.14/spi-spi-imx-fix-mx51_ecspi_-macros-when-cs-3.patch @@ -0,0 +1,80 @@ +From 267c091a942d27f201169024bc62608ab4251480 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Mar 2023 18:21:32 -0400 +Subject: spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kevin Groeneveld + +[ Upstream commit 87c614175bbf28d3fd076dc2d166bac759e41427 ] + +When using gpio based chip select the cs value can go outside the range +0 – 3. The various MX51_ECSPI_* macros did not take this into consideration +resulting in possible corruption of the configuration. + +For example for any cs value over 3 the SCLKPHA bits would not be set and +other values in the register possibly corrupted. + +One way to fix this is to just mask the cs bits to 2 bits. This still +allows all 4 native chip selects to work as well as gpio chip selects +(which can use any of the 4 chip select configurations). + +Signed-off-by: Kevin Groeneveld +Link: https://lore.kernel.org/r/20230318222132.3373-1-kgroeneveld@lenbrook.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index df18d07d544d5..e306de7009295 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -241,6 +241,18 @@ static bool spi_imx_can_dma(struct spi_master *master, struct spi_device *spi, + return true; + } + ++/* ++ * Note the number of natively supported chip selects for MX51 is 4. Some ++ * devices may have less actual SS pins but the register map supports 4. When ++ * using gpio chip selects the cs values passed into the macros below can go ++ * outside the range 0 - 3. We therefore need to limit the cs value to avoid ++ * corrupting bits outside the allocated locations. ++ * ++ * The simplest way to do this is to just mask the cs bits to 2 bits. This ++ * still allows all 4 native chip selects to work as well as gpio chip selects ++ * (which can use any of the 4 chip select configurations). ++ */ ++ + #define MX51_ECSPI_CTRL 0x08 + #define MX51_ECSPI_CTRL_ENABLE (1 << 0) + #define MX51_ECSPI_CTRL_XCH (1 << 2) +@@ -249,16 +261,16 @@ static bool spi_imx_can_dma(struct spi_master *master, struct spi_device *spi, + #define MX51_ECSPI_CTRL_DRCTL(drctl) ((drctl) << 16) + #define MX51_ECSPI_CTRL_POSTDIV_OFFSET 8 + #define MX51_ECSPI_CTRL_PREDIV_OFFSET 12 +-#define MX51_ECSPI_CTRL_CS(cs) ((cs) << 18) ++#define MX51_ECSPI_CTRL_CS(cs) ((cs & 3) << 18) + #define MX51_ECSPI_CTRL_BL_OFFSET 20 + #define MX51_ECSPI_CTRL_BL_MASK (0xfff << 20) + + #define MX51_ECSPI_CONFIG 0x0c +-#define MX51_ECSPI_CONFIG_SCLKPHA(cs) (1 << ((cs) + 0)) +-#define MX51_ECSPI_CONFIG_SCLKPOL(cs) (1 << ((cs) + 4)) +-#define MX51_ECSPI_CONFIG_SBBCTRL(cs) (1 << ((cs) + 8)) +-#define MX51_ECSPI_CONFIG_SSBPOL(cs) (1 << ((cs) + 12)) +-#define MX51_ECSPI_CONFIG_SCLKCTL(cs) (1 << ((cs) + 20)) ++#define MX51_ECSPI_CONFIG_SCLKPHA(cs) (1 << ((cs & 3) + 0)) ++#define MX51_ECSPI_CONFIG_SCLKPOL(cs) (1 << ((cs & 3) + 4)) ++#define MX51_ECSPI_CONFIG_SBBCTRL(cs) (1 << ((cs & 3) + 8)) ++#define MX51_ECSPI_CONFIG_SSBPOL(cs) (1 << ((cs & 3) + 12)) ++#define MX51_ECSPI_CONFIG_SCLKCTL(cs) (1 << ((cs & 3) + 20)) + + #define MX51_ECSPI_INT 0x10 + #define MX51_ECSPI_INT_TEEN (1 << 0) +-- +2.39.2 + diff --git a/queue-4.14/staging-rtl8192e-replace-macro-rtl_pci_device-with-p.patch b/queue-4.14/staging-rtl8192e-replace-macro-rtl_pci_device-with-p.patch new file mode 100644 index 00000000000..ac1d52468ca --- /dev/null +++ b/queue-4.14/staging-rtl8192e-replace-macro-rtl_pci_device-with-p.patch @@ -0,0 +1,57 @@ +From 7ecdf83af98b9270058a3e93cceec1227a8888df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Feb 2023 07:47:21 +0100 +Subject: staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE + +From: Philipp Hortmann + +[ Upstream commit fda2093860df4812d69052a8cf4997e53853a340 ] + +Replace macro RTL_PCI_DEVICE with PCI_DEVICE to get rid of rtl819xp_ops +which is empty. + +Signed-off-by: Philipp Hortmann +Link: https://lore.kernel.org/r/8b45ee783fa91196b7c9d6fc840a189496afd2f4.1677133271.git.philipp.g.hortmann@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 6 +++--- + drivers/staging/rtl8192e/rtl8192e/rtl_core.h | 5 ----- + 2 files changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c +index 8420bdae1a5cc..8bccaf9ea7009 100644 +--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c ++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c +@@ -61,9 +61,9 @@ static const struct rtl819x_ops rtl819xp_ops = { + }; + + static struct pci_device_id rtl8192_pci_id_tbl[] = { +- {RTL_PCI_DEVICE(0x10ec, 0x8192, rtl819xp_ops)}, +- {RTL_PCI_DEVICE(0x07aa, 0x0044, rtl819xp_ops)}, +- {RTL_PCI_DEVICE(0x07aa, 0x0047, rtl819xp_ops)}, ++ {PCI_DEVICE(0x10ec, 0x8192)}, ++ {PCI_DEVICE(0x07aa, 0x0044)}, ++ {PCI_DEVICE(0x07aa, 0x0047)}, + {} + }; + +diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.h b/drivers/staging/rtl8192e/rtl8192e/rtl_core.h +index 9d3089cb6a5af..ff9b544edf875 100644 +--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.h ++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.h +@@ -67,11 +67,6 @@ + #define IS_HARDWARE_TYPE_8192SE(_priv) \ + (((struct r8192_priv *)rtllib_priv(dev))->card_8192 == NIC_8192SE) + +-#define RTL_PCI_DEVICE(vend, dev, cfg) \ +- .vendor = (vend), .device = (dev), \ +- .subvendor = PCI_ANY_ID, .subdevice = PCI_ANY_ID, \ +- .driver_data = (kernel_ulong_t)&(cfg) +- + #define TOTAL_CAM_ENTRY 32 + #define CAM_CONTENT_COUNT 8 + +-- +2.39.2 + diff --git a/queue-4.14/wifi-brcmfmac-cfg80211-pass-the-pmk-in-binary-instea.patch b/queue-4.14/wifi-brcmfmac-cfg80211-pass-the-pmk-in-binary-instea.patch new file mode 100644 index 00000000000..43152777afa --- /dev/null +++ b/queue-4.14/wifi-brcmfmac-cfg80211-pass-the-pmk-in-binary-instea.patch @@ -0,0 +1,57 @@ +From 85d14b1ccae83a7dc1dc84f1b20aa1ca811e980c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 18:24:19 +0900 +Subject: wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex + +From: Hector Martin + +[ Upstream commit 89b89e52153fda2733562776c7c9d9d3ebf8dd6d ] + +Apparently the hex passphrase mechanism does not work on newer +chips/firmware (e.g. BCM4387). It seems there was a simple way of +passing it in binary all along, so use that and avoid the hexification. + +OpenBSD has been doing it like this from the beginning, so this should +work on all chips. + +Also clear the structure before setting the PMK. This was leaking +uninitialized stack contents to the device. + +Reviewed-by: Linus Walleij +Reviewed-by: Arend van Spriel +Signed-off-by: Hector Martin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230214092423.15175-6-marcan@marcan.st +Signed-off-by: Sasha Levin +--- + .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index df0e48e4cf5b3..4abb948f607fa 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -1349,13 +1349,14 @@ static u16 brcmf_map_fw_linkdown_reason(const struct brcmf_event_msg *e) + static int brcmf_set_pmk(struct brcmf_if *ifp, const u8 *pmk_data, u16 pmk_len) + { + struct brcmf_wsec_pmk_le pmk; +- int i, err; ++ int err; ++ ++ memset(&pmk, 0, sizeof(pmk)); + +- /* convert to firmware key format */ +- pmk.key_len = cpu_to_le16(pmk_len << 1); +- pmk.flags = cpu_to_le16(BRCMF_WSEC_PASSPHRASE); +- for (i = 0; i < pmk_len; i++) +- snprintf(&pmk.key[2 * i], 3, "%02x", pmk_data[i]); ++ /* pass pmk directly */ ++ pmk.key_len = cpu_to_le16(pmk_len); ++ pmk.flags = cpu_to_le16(0); ++ memcpy(pmk.key, pmk_data, pmk_len); + + /* store psk in firmware */ + err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_WSEC_PMK, +-- +2.39.2 + diff --git a/queue-4.14/wifi-iwlwifi-dvm-fix-memcpy-detected-field-spanning-.patch b/queue-4.14/wifi-iwlwifi-dvm-fix-memcpy-detected-field-spanning-.patch new file mode 100644 index 00000000000..5e1687ae4cd --- /dev/null +++ b/queue-4.14/wifi-iwlwifi-dvm-fix-memcpy-detected-field-spanning-.patch @@ -0,0 +1,72 @@ +From acf8a99da472503d4d309334de9839aba3f4bd25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 15:25:46 +0200 +Subject: wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write + backtrace + +From: Hans de Goede + +[ Upstream commit ef16799640865f937719f0771c93be5dca18adc6 ] + +A received TKIP key may be up to 32 bytes because it may contain +MIC rx/tx keys too. These are not used by iwl and copying these +over overflows the iwl_keyinfo.key field. + +Add a check to not copy more data to iwl_keyinfo.key then will fit. + +This fixes backtraces like this one: + + memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16) + WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm] + + Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017 + RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm] + + Call Trace: + + iwl_set_dynamic_key+0x1f0/0x220 [iwldvm] + iwlagn_mac_set_key+0x1e4/0x280 [iwldvm] + drv_set_key+0xa4/0x1b0 [mac80211] + ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211] + ieee80211_key_replace+0x22d/0x8e0 [mac80211] + + +Link: https://www.alionet.org/index.php?topic=1469.0 +Link: https://lore.kernel.org/linux-wireless/20230218191056.never.374-kees@kernel.org/ +Link: https://lore.kernel.org/linux-wireless/68760035-7f75-1b23-e355-bfb758a87d83@redhat.com/ +Cc: Kees Cook +Suggested-by: Johannes Berg +Signed-off-by: Hans de Goede +Reviewed-by: Kees Cook +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/dvm/sta.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/sta.c b/drivers/net/wireless/intel/iwlwifi/dvm/sta.c +index de6ec9b7ace45..f30bac02d32ce 100644 +--- a/drivers/net/wireless/intel/iwlwifi/dvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/sta.c +@@ -1101,6 +1101,7 @@ static int iwlagn_send_sta_key(struct iwl_priv *priv, + { + __le16 key_flags; + struct iwl_addsta_cmd sta_cmd; ++ size_t to_copy; + int i; + + spin_lock_bh(&priv->sta_lock); +@@ -1120,7 +1121,9 @@ static int iwlagn_send_sta_key(struct iwl_priv *priv, + sta_cmd.key.tkip_rx_tsc_byte2 = tkip_iv32; + for (i = 0; i < 5; i++) + sta_cmd.key.tkip_rx_ttak[i] = cpu_to_le16(tkip_p1k[i]); +- memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen); ++ /* keyconf may contain MIC rx/tx keys which iwl does not use */ ++ to_copy = min_t(size_t, sizeof(sta_cmd.key.key), keyconf->keylen); ++ memcpy(sta_cmd.key.key, keyconf->key, to_copy); + break; + case WLAN_CIPHER_SUITE_WEP104: + key_flags |= STA_KEY_FLG_KEY_SIZE_MSK; +-- +2.39.2 + -- 2.47.3