From b4576243503d5773a858252873cf2f38bbba5a4c Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 19 May 2023 21:27:27 -0400 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- ...-when-removing-custom-query-handlers.patch | 40 ++ ...eck-null-return-of-acpi_allocate_zer.patch | 40 ++ ...efined-behavior-applying-zero-offset.patch | 68 ++++ ...qcom-msm8996-add-missing-dwc3-quirks.patch | 39 ++ ...-btintel-add-le-states-quirk-support.patch | 41 ++ ...m-fall-back-to-getting-bdaddr-from-e.patch | 113 ++++++ ...fix-bad-unlock-balance-in-l2cap_disc.patch | 37 ++ ...overflow-in-bnxt_get_nvram_directory.patch | 42 ++ ...count_-sub-add-into-btf-id-deny-list.patch | 73 ++++ ...tate-data-races-in-bpf_local_storage.patch | 83 ++++ ...-fix-gcc-7-constant-overflow-warning.patch | 75 ++++ ...use-dc_log_dc-in-the-trasform-pixel-.patch | 109 ++++++ ...n-out-of-bounds-error-in-bios-parser.patch | 49 +++ ...d-displayid_get_header-and-check-bou.patch | 62 +++ ...ean-up-handling-of-dp-aux-interrupts.patch | 210 ++++++++++ ...id-potential-32-bit-integer-overflow.patch | 37 ++ ...eck-block-size-validity-during-mount.patch | 54 +++ ...tent-lstart-adjustment-logic-in-ext4.patch | 129 +++++++ ...art-correctly-in-ext4_mb_normalize_r.patch | 72 ++++ ...o-check-readonly-condition-correctly.patch | 80 ++++ ...-all-dirty-pages-during-umount-if-cp.patch | 93 +++++ ...i-fix-sleep-from-invalid-context-bug.patch | 236 +++++++++++ ...e-warn_on-from-hfsplus_cat_-read-wri.patch | 110 ++++++ ...s3-add-length-check-in-indx_get_root.patch | 133 +++++++ ...fs3-enhance-the-attribute-size-check.patch | 135 +++++++ ...ossible-null-pointer-dereference-in-.patch | 49 +++ ...x-null-dereference-in-ni_write_inode.patch | 43 +++ ...l-pointer-dereference-in-ni_write_in.patch | 109 ++++++ ...date-mft-flags-before-replaying-logs.patch | 141 +++++++ ...2-fix-inode-height-consistency-check.patch | 49 +++ ...pp-don-t-use-the-usb-serial-for-usb-.patch | 101 +++++ ...pp-reconcile-usb-and-unifying-serial.patch | 55 +++ ...c-set-battery-quirk-only-when-we-see.patch | 104 +++++ ...-constants-for-gip-interface-numbers.patch | 47 +++ ...mmu-qcom-limit-the-smr-groups-to-128.patch | 67 ++++ ...3-acknowledge-pri-event-queue-overfl.patch | 90 +++++ ...ease-dma-buffer-to-avoid-memory-leak.patch | 71 ++++ ...h-of-source-for-ip_vs_sync_conn_opti.patch | 90 +++++ ...id-use-after-free-on-rmap-obj-array-.patch | 67 ++++ ...te-memory-region-to-avoid-memory-ove.patch | 78 ++++ ...x-a-null-ptr-deref-bug-in-buffer_pre.patch | 110 ++++++ ...ix-null-ptr-deref-bug-in-buf-prepare.patch | 91 +++++ ...ignated-initializers-over-memset-for.patch | 365 ++++++++++++++++++ ...x-uaf-bug-in-r592_remove-due-to-race.patch | 53 +++ ...d-dln2-fix-memory-leak-in-dln2_probe.patch | 38 ++ ...x-incomplete-validation-of-ioctl-arg.patch | 82 ++++ ...t-catch-invalid-index-in-xps-mapping.patch | 43 +++ ...x-return-type-of-pasemi_mac_start_tx.patch | 54 +++ ...check-queue-mode-setting-from-config.patch | 87 +++++ ...egular-spinlock-with-spin_trylock-on.patch | 136 +++++++ ...-use-_poll_timeout-functions-for-wai.patch | 113 ++++++ ...print_task_exp_stall-exp_tasks-acces.patch | 68 ++++ ...-fix-multiple-warray-bounds-warnings.patch | 187 +++++++++ ...-memory-leaks-in-the-uwrite-function.patch | 48 +++ ...utdown-from-wait_event-to-wait_event.patch | 42 ++ ...urn-error-in-cache-sync-operations-f.patch | 49 +++ ..._rproc-add-mutex-protection-for-work.patch | 58 +++ ...-fix-fout-leak-in-hbm-s-run_bpf_prog.patch | 35 ++ .../sched-fix-kcsan-noinstr-violation.patch | 40 ++ ...t-lpfc_debugfs_lockstat_write-buffer.patch | 56 +++ ...lan-fix-use-after-free-bug-in-mptlan.patch | 55 +++ ...iscsit-free-cmds-before-session-free.patch | 64 +++ ...pci-add-support-for-intel-lunar-lake.patch | 34 ++ ...it-port-pm-on-port-specific-driver-u.patch | 56 +++ queue-5.15/series | 74 ++++ ...racefully-handle-too-many-ports-in-d.patch | 50 +++ ...imx-fix-mx51_ecspi_-macros-when-cs-3.patch | 80 ++++ ...-replace-macro-rtl_pci_device-with-p.patch | 57 +++ ...ix-multiple-times-discover-svids-err.patch | 59 +++ ...-memcpy-run-time-false-positive-warn.patch | 73 ++++ ...skb-corruption-in-reo-destination-ri.patch | 80 ++++ ...g80211-pass-the-pmk-in-binary-instea.patch | 57 +++ ...-fix-memcpy-detected-field-spanning-.patch | 72 ++++ ...e-fix-integer-overflow-in-iwl_write_.patch | 56 +++ ...e-fix-possible-null-pointer-derefere.patch | 56 +++ 75 files changed, 5999 insertions(+) create mode 100644 queue-5.15/acpi-ec-fix-oops-when-removing-custom-query-handlers.patch create mode 100644 queue-5.15/acpica-acpica-check-null-return-of-acpi_allocate_zer.patch create mode 100644 queue-5.15/acpica-avoid-undefined-behavior-applying-zero-offset.patch create mode 100644 queue-5.15/arm64-dts-qcom-msm8996-add-missing-dwc3-quirks.patch create mode 100644 queue-5.15/bluetooth-btintel-add-le-states-quirk-support.patch create mode 100644 queue-5.15/bluetooth-hci_bcm-fall-back-to-getting-bdaddr-from-e.patch create mode 100644 queue-5.15/bluetooth-l2cap-fix-bad-unlock-balance-in-l2cap_disc.patch create mode 100644 queue-5.15/bnxt-avoid-overflow-in-bnxt_get_nvram_directory.patch create mode 100644 queue-5.15/bpf-add-preempt_count_-sub-add-into-btf-id-deny-list.patch create mode 100644 queue-5.15/bpf-annotate-data-races-in-bpf_local_storage.patch create mode 100644 queue-5.15/clk-tegra20-fix-gcc-7-constant-overflow-warning.patch create mode 100644 queue-5.15/drm-amd-display-use-dc_log_dc-in-the-trasform-pixel-.patch create mode 100644 queue-5.15/drm-amd-fix-an-out-of-bounds-error-in-bios-parser.patch create mode 100644 queue-5.15/drm-displayid-add-displayid_get_header-and-check-bou.patch create mode 100644 queue-5.15/drm-msm-dp-clean-up-handling-of-dp-aux-interrupts.patch create mode 100644 queue-5.15/drm-tegra-avoid-potential-32-bit-integer-overflow.patch create mode 100644 queue-5.15/ext2-check-block-size-validity-during-mount.patch create mode 100644 queue-5.15/ext4-fix-best-extent-lstart-adjustment-logic-in-ext4.patch create mode 100644 queue-5.15/ext4-set-goal-start-correctly-in-ext4_mb_normalize_r.patch create mode 100644 queue-5.15/f2fs-fix-to-check-readonly-condition-correctly.patch create mode 100644 queue-5.15/f2fs-fix-to-drop-all-dirty-pages-during-umount-if-cp.patch create mode 100644 queue-5.15/firmware-arm_sdei-fix-sleep-from-invalid-context-bug.patch create mode 100644 queue-5.15/fs-hfsplus-remove-warn_on-from-hfsplus_cat_-read-wri.patch create mode 100644 queue-5.15/fs-ntfs3-add-length-check-in-indx_get_root.patch create mode 100644 queue-5.15/fs-ntfs3-enhance-the-attribute-size-check.patch create mode 100644 queue-5.15/fs-ntfs3-fix-a-possible-null-pointer-dereference-in-.patch create mode 100644 queue-5.15/fs-ntfs3-fix-null-dereference-in-ni_write_inode.patch create mode 100644 queue-5.15/fs-ntfs3-fix-null-pointer-dereference-in-ni_write_in.patch create mode 100644 queue-5.15/fs-ntfs3-validate-mft-flags-before-replaying-logs.patch create mode 100644 queue-5.15/gfs2-fix-inode-height-consistency-check.patch create mode 100644 queue-5.15/hid-logitech-hidpp-don-t-use-the-usb-serial-for-usb-.patch create mode 100644 queue-5.15/hid-logitech-hidpp-reconcile-usb-and-unifying-serial.patch create mode 100644 queue-5.15/hid-wacom-generic-set-battery-quirk-only-when-we-see.patch create mode 100644 queue-5.15/input-xpad-add-constants-for-gip-interface-numbers.patch create mode 100644 queue-5.15/iommu-arm-smmu-qcom-limit-the-smr-groups-to-128.patch create mode 100644 queue-5.15/iommu-arm-smmu-v3-acknowledge-pri-event-queue-overfl.patch create mode 100644 queue-5.15/iommu-sprd-release-dma-buffer-to-avoid-memory-leak.patch create mode 100644 queue-5.15/ipvs-update-width-of-source-for-ip_vs_sync_conn_opti.patch create mode 100644 queue-5.15/lib-cpu_rmap-avoid-use-after-free-on-rmap-obj-array-.patch create mode 100644 queue-5.15/mcb-pci-reallocate-memory-region-to-avoid-memory-ove.patch create mode 100644 queue-5.15/media-cx23885-fix-a-null-ptr-deref-bug-in-buffer_pre.patch create mode 100644 queue-5.15/media-pci-tw68-fix-null-ptr-deref-bug-in-buf-prepare.patch create mode 100644 queue-5.15/media-prefer-designated-initializers-over-memset-for.patch create mode 100644 queue-5.15/memstick-r592-fix-uaf-bug-in-r592_remove-due-to-race.patch create mode 100644 queue-5.15/mfd-dln2-fix-memory-leak-in-dln2_probe.patch create mode 100644 queue-5.15/nbd-fix-incomplete-validation-of-ioctl-arg.patch create mode 100644 queue-5.15/net-catch-invalid-index-in-xps-mapping.patch create mode 100644 queue-5.15/net-pasemi-fix-return-type-of-pasemi_mac_start_tx.patch create mode 100644 queue-5.15/null_blk-always-check-queue-mode-setting-from-config.patch create mode 100644 queue-5.15/parisc-replace-regular-spinlock-with-spin_trylock-on.patch create mode 100644 queue-5.15/phy-st-miphy28lp-use-_poll_timeout-functions-for-wai.patch create mode 100644 queue-5.15/rcu-protect-rcu_print_task_exp_stall-exp_tasks-acces.patch create mode 100644 queue-5.15/rdma-core-fix-multiple-warray-bounds-warnings.patch create mode 100644 queue-5.15/recordmcount-fix-memory-leaks-in-the-uwrite-function.patch create mode 100644 queue-5.15/refscale-move-shutdown-from-wait_event-to-wait_event.patch create mode 100644 queue-5.15/regmap-cache-return-error-in-cache-sync-operations-f.patch create mode 100644 queue-5.15/remoteproc-stm32_rproc-add-mutex-protection-for-work.patch create mode 100644 queue-5.15/samples-bpf-fix-fout-leak-in-hbm-s-run_bpf_prog.patch create mode 100644 queue-5.15/sched-fix-kcsan-noinstr-violation.patch create mode 100644 queue-5.15/scsi-lpfc-prevent-lpfc_debugfs_lockstat_write-buffer.patch create mode 100644 queue-5.15/scsi-message-mptlan-fix-use-after-free-bug-in-mptlan.patch create mode 100644 queue-5.15/scsi-target-iscsit-free-cmds-before-session-free.patch create mode 100644 queue-5.15/scsi-ufs-ufs-pci-add-support-for-intel-lunar-lake.patch create mode 100644 queue-5.15/serial-8250-reinit-port-pm-on-port-specific-driver-u.patch create mode 100644 queue-5.15/soundwire-qcom-gracefully-handle-too-many-ports-in-d.patch create mode 100644 queue-5.15/spi-spi-imx-fix-mx51_ecspi_-macros-when-cs-3.patch create mode 100644 queue-5.15/staging-rtl8192e-replace-macro-rtl_pci_device-with-p.patch create mode 100644 queue-5.15/usb-typec-tcpm-fix-multiple-times-discover-svids-err.patch create mode 100644 queue-5.15/wifi-ath-silence-memcpy-run-time-false-positive-warn.patch create mode 100644 queue-5.15/wifi-ath11k-fix-skb-corruption-in-reo-destination-ri.patch create mode 100644 queue-5.15/wifi-brcmfmac-cfg80211-pass-the-pmk-in-binary-instea.patch create mode 100644 queue-5.15/wifi-iwlwifi-dvm-fix-memcpy-detected-field-spanning-.patch create mode 100644 queue-5.15/wifi-iwlwifi-pcie-fix-integer-overflow-in-iwl_write_.patch create mode 100644 queue-5.15/wifi-iwlwifi-pcie-fix-possible-null-pointer-derefere.patch diff --git a/queue-5.15/acpi-ec-fix-oops-when-removing-custom-query-handlers.patch b/queue-5.15/acpi-ec-fix-oops-when-removing-custom-query-handlers.patch new file mode 100644 index 00000000000..55007dbf238 --- /dev/null +++ b/queue-5.15/acpi-ec-fix-oops-when-removing-custom-query-handlers.patch @@ -0,0 +1,40 @@ +From 12587742692423a4ecfa1eddd210728be7bc10a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 21:26:27 +0100 +Subject: ACPI: EC: Fix oops when removing custom query handlers + +From: Armin Wolf + +[ Upstream commit e5b492c6bb900fcf9722e05f4a10924410e170c1 ] + +When removing custom query handlers, the handler might still +be used inside the EC query workqueue, causing a kernel oops +if the module holding the callback function was already unloaded. + +Fix this by flushing the EC query workqueue when removing +custom query handlers. + +Tested on a Acer Travelmate 4002WLMi + +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 4e583a8cb5626..472418a0e0cab 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1101,6 +1101,7 @@ static void acpi_ec_remove_query_handlers(struct acpi_ec *ec, + void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit) + { + acpi_ec_remove_query_handlers(ec, false, query_bit); ++ flush_workqueue(ec_query_wq); + } + EXPORT_SYMBOL_GPL(acpi_ec_remove_query_handler); + +-- +2.39.2 + diff --git a/queue-5.15/acpica-acpica-check-null-return-of-acpi_allocate_zer.patch b/queue-5.15/acpica-acpica-check-null-return-of-acpi_allocate_zer.patch new file mode 100644 index 00000000000..cd95c143af1 --- /dev/null +++ b/queue-5.15/acpica-acpica-check-null-return-of-acpi_allocate_zer.patch @@ -0,0 +1,40 @@ +From f181cd0ff3f5eec58169aa52d124113917fdaabd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Apr 2023 15:57:57 +0200 +Subject: ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in + acpi_db_display_objects + +From: void0red <30990023+void0red@users.noreply.github.com> + +[ Upstream commit ae5a0eccc85fc960834dd66e3befc2728284b86c ] + +ACPICA commit 0d5f467d6a0ba852ea3aad68663cbcbd43300fd4 + +ACPI_ALLOCATE_ZEROED may fails, object_info might be null and will cause +null pointer dereference later. + +Link: https://github.com/acpica/acpica/commit/0d5f467d +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dbnames.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c +index 3615e1a6efd8a..b91155ea9c343 100644 +--- a/drivers/acpi/acpica/dbnames.c ++++ b/drivers/acpi/acpica/dbnames.c +@@ -652,6 +652,9 @@ acpi_status acpi_db_display_objects(char *obj_type_arg, char *display_count_arg) + object_info = + ACPI_ALLOCATE_ZEROED(sizeof(struct acpi_object_info)); + ++ if (!object_info) ++ return (AE_NO_MEMORY); ++ + /* Walk the namespace from the root */ + + (void)acpi_walk_namespace(ACPI_TYPE_ANY, ACPI_ROOT_OBJECT, +-- +2.39.2 + diff --git a/queue-5.15/acpica-avoid-undefined-behavior-applying-zero-offset.patch b/queue-5.15/acpica-avoid-undefined-behavior-applying-zero-offset.patch new file mode 100644 index 00000000000..edc7a8f9f19 --- /dev/null +++ b/queue-5.15/acpica-avoid-undefined-behavior-applying-zero-offset.patch @@ -0,0 +1,68 @@ +From 55fbabfd5c5cb7d8b502b9687cefabcf58bc34f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Apr 2023 15:42:43 +0200 +Subject: ACPICA: Avoid undefined behavior: applying zero offset to null + pointer + +From: Tamir Duberstein + +[ Upstream commit 05bb0167c80b8f93c6a4e0451b7da9b96db990c2 ] + +ACPICA commit 770653e3ba67c30a629ca7d12e352d83c2541b1e + +Before this change we see the following UBSAN stack trace in Fuchsia: + + #0 0x000021e4213b3302 in acpi_ds_init_aml_walk(struct acpi_walk_state*, union acpi_parse_object*, struct acpi_namespace_node*, u8*, u32, struct acpi_evaluate_info*, u8) ../../third_party/acpica/source/components/dispatcher/dswstate.c:682 +0x233302 + #1.2 0x000020d0f660777f in ubsan_get_stack_trace() compiler-rt/lib/ubsan/ubsan_diag.cpp:41 +0x3d77f + #1.1 0x000020d0f660777f in maybe_print_stack_trace() compiler-rt/lib/ubsan/ubsan_diag.cpp:51 +0x3d77f + #1 0x000020d0f660777f in ~scoped_report() compiler-rt/lib/ubsan/ubsan_diag.cpp:387 +0x3d77f + #2 0x000020d0f660b96d in handlepointer_overflow_impl() compiler-rt/lib/ubsan/ubsan_handlers.cpp:809 +0x4196d + #3 0x000020d0f660b50d in compiler-rt/lib/ubsan/ubsan_handlers.cpp:815 +0x4150d + #4 0x000021e4213b3302 in acpi_ds_init_aml_walk(struct acpi_walk_state*, union acpi_parse_object*, struct acpi_namespace_node*, u8*, u32, struct acpi_evaluate_info*, u8) ../../third_party/acpica/source/components/dispatcher/dswstate.c:682 +0x233302 + #5 0x000021e4213e2369 in acpi_ds_call_control_method(struct acpi_thread_state*, struct acpi_walk_state*, union acpi_parse_object*) ../../third_party/acpica/source/components/dispatcher/dsmethod.c:605 +0x262369 + #6 0x000021e421437fac in acpi_ps_parse_aml(struct acpi_walk_state*) ../../third_party/acpica/source/components/parser/psparse.c:550 +0x2b7fac + #7 0x000021e4214464d2 in acpi_ps_execute_method(struct acpi_evaluate_info*) ../../third_party/acpica/source/components/parser/psxface.c:244 +0x2c64d2 + #8 0x000021e4213aa052 in acpi_ns_evaluate(struct acpi_evaluate_info*) ../../third_party/acpica/source/components/namespace/nseval.c:250 +0x22a052 + #9 0x000021e421413dd8 in acpi_ns_init_one_device(acpi_handle, u32, void*, void**) ../../third_party/acpica/source/components/namespace/nsinit.c:735 +0x293dd8 + #10 0x000021e421429e98 in acpi_ns_walk_namespace(acpi_object_type, acpi_handle, u32, u32, acpi_walk_callback, acpi_walk_callback, void*, void**) ../../third_party/acpica/source/components/namespace/nswalk.c:298 +0x2a9e98 + #11 0x000021e4214131ac in acpi_ns_initialize_devices(u32) ../../third_party/acpica/source/components/namespace/nsinit.c:268 +0x2931ac + #12 0x000021e42147c40d in acpi_initialize_objects(u32) ../../third_party/acpica/source/components/utilities/utxfinit.c:304 +0x2fc40d + #13 0x000021e42126d603 in acpi::acpi_impl::initialize_acpi(acpi::acpi_impl*) ../../src/devices/board/lib/acpi/acpi-impl.cc:224 +0xed603 + +Add a simple check that avoids incrementing a pointer by zero, but +otherwise behaves as before. Note that our findings are against ACPICA +20221020, but the same code exists on master. + +Link: https://github.com/acpica/acpica/commit/770653e3 +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dswstate.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/acpica/dswstate.c b/drivers/acpi/acpica/dswstate.c +index fbe2ba05c82a6..1c862940cc5b2 100644 +--- a/drivers/acpi/acpica/dswstate.c ++++ b/drivers/acpi/acpica/dswstate.c +@@ -576,9 +576,14 @@ acpi_ds_init_aml_walk(struct acpi_walk_state *walk_state, + ACPI_FUNCTION_TRACE(ds_init_aml_walk); + + walk_state->parser_state.aml = +- walk_state->parser_state.aml_start = aml_start; +- walk_state->parser_state.aml_end = +- walk_state->parser_state.pkg_end = aml_start + aml_length; ++ walk_state->parser_state.aml_start = ++ walk_state->parser_state.aml_end = ++ walk_state->parser_state.pkg_end = aml_start; ++ /* Avoid undefined behavior: applying zero offset to null pointer */ ++ if (aml_length != 0) { ++ walk_state->parser_state.aml_end += aml_length; ++ walk_state->parser_state.pkg_end += aml_length; ++ } + + /* The next_op of the next_walk will be the beginning of the method */ + +-- +2.39.2 + diff --git a/queue-5.15/arm64-dts-qcom-msm8996-add-missing-dwc3-quirks.patch b/queue-5.15/arm64-dts-qcom-msm8996-add-missing-dwc3-quirks.patch new file mode 100644 index 00000000000..81736298bbb --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-msm8996-add-missing-dwc3-quirks.patch @@ -0,0 +1,39 @@ +From 6785afaf5334cef93813e166684fd61dbe5ee0be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 02:18:49 +0100 +Subject: arm64: dts: qcom: msm8996: Add missing DWC3 quirks + +From: Konrad Dybcio + +[ Upstream commit d0af0537e28f6eace02deed63b585396de939213 ] + +Add missing dwc3 quirks from msm-3.18. Unfortunately, none of them +make `dwc3-qcom 6af8800.usb: HS-PHY not in L2` go away. + +Signed-off-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230302011849.1873056-1-konrad.dybcio@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8996.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi +index b22d3c8db3b39..cd66bb16c7392 100644 +--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi +@@ -2595,8 +2595,11 @@ + interrupts = <0 131 IRQ_TYPE_LEVEL_HIGH>; + phys = <&hsusb_phy1>, <&ssusb_phy_0>; + phy-names = "usb2-phy", "usb3-phy"; ++ snps,hird-threshold = /bits/ 8 <0>; + snps,dis_u2_susphy_quirk; + snps,dis_enblslpm_quirk; ++ snps,is-utmi-l1-suspend; ++ tx-fifo-resize; + }; + }; + +-- +2.39.2 + diff --git a/queue-5.15/bluetooth-btintel-add-le-states-quirk-support.patch b/queue-5.15/bluetooth-btintel-add-le-states-quirk-support.patch new file mode 100644 index 00000000000..11190804b4b --- /dev/null +++ b/queue-5.15/bluetooth-btintel-add-le-states-quirk-support.patch @@ -0,0 +1,41 @@ +From 9497a1d40ba6d69f46c0d5ec700b640f238b19ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Mar 2023 10:03:10 +0530 +Subject: Bluetooth: btintel: Add LE States quirk support + +From: Chethan T N + +[ Upstream commit 77f542b10c535c9a93bf8afdd2665524935807c2 ] + +Basically all Intel controllers support both Central/Peripheral +LE states. + +This patch enables the LE States quirk by default on all +Solar and Magnertor Intel controllers. + +Signed-off-by: Chethan T N +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btintel.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c +index d707aa63e9441..2a4cc5d8c2d40 100644 +--- a/drivers/bluetooth/btintel.c ++++ b/drivers/bluetooth/btintel.c +@@ -2381,9 +2381,8 @@ static int btintel_setup_combined(struct hci_dev *hdev) + */ + set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); + +- /* Valid LE States quirk for GfP */ +- if (INTEL_HW_VARIANT(ver_tlv.cnvi_bt) == 0x18) +- set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); ++ /* Apply LE States quirk from solar onwards */ ++ set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); + + /* Setup MSFT Extension support */ + btintel_set_msft_opcode(hdev, +-- +2.39.2 + diff --git a/queue-5.15/bluetooth-hci_bcm-fall-back-to-getting-bdaddr-from-e.patch b/queue-5.15/bluetooth-hci_bcm-fall-back-to-getting-bdaddr-from-e.patch new file mode 100644 index 00000000000..6e5f251a958 --- /dev/null +++ b/queue-5.15/bluetooth-hci_bcm-fall-back-to-getting-bdaddr-from-e.patch @@ -0,0 +1,113 @@ +From f75b24c16c7ac58867a227ee9570c949fd7d4f46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 23:11:21 +0200 +Subject: Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set + +From: Hans de Goede + +[ Upstream commit 0d218c3642b9ccf71f44987cd03c19320f3bd918 ] + +On some devices the BCM Bluetooth adapter does not have a valid bdaddr set. + +btbcm.c currently sets HCI_QUIRK_INVALID_BDADDR to indicate when this is +the case. But this requires users to manual setup a btaddr, by doing e.g.: + +btmgmt -i hci0 public-addr 'B0:F1:EC:82:1D:B3' + +Which means that Bluetooth will not work out of the box on such devices. +To avoid this (where possible) hci_bcm sets: HCI_QUIRK_USE_BDADDR_PROPERTY +which tries to get the bdaddr from devicetree. + +But this only works on devicetree platforms. On UEFI based platforms +there is a special Broadcom UEFI variable which when present contains +the devices bdaddr, just like how there is another UEFI variable which +contains wifi nvram contents including the wifi MAC address. + +Add support for getting the bdaddr from this Broadcom UEFI variable, +so that Bluetooth will work OOTB for users on devices where this +UEFI variable is present. + +This fixes Bluetooth not working on for example Asus T100HA 2-in-1s. + +Signed-off-by: Hans de Goede +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btbcm.c | 47 ++++++++++++++++++++++++++++++++++++--- + 1 file changed, 44 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c +index a18f289d73466..f228cdbccaee3 100644 +--- a/drivers/bluetooth/btbcm.c ++++ b/drivers/bluetooth/btbcm.c +@@ -6,6 +6,7 @@ + * Copyright (C) 2015 Intel Corporation + */ + ++#include + #include + #include + #include +@@ -33,6 +34,43 @@ + /* For kmalloc-ing the fw-name array instead of putting it on the stack */ + typedef char bcm_fw_name[BCM_FW_NAME_LEN]; + ++#ifdef CONFIG_EFI ++static int btbcm_set_bdaddr_from_efi(struct hci_dev *hdev) ++{ ++ efi_guid_t guid = EFI_GUID(0x74b00bd9, 0x805a, 0x4d61, 0xb5, 0x1f, ++ 0x43, 0x26, 0x81, 0x23, 0xd1, 0x13); ++ bdaddr_t efi_bdaddr, bdaddr; ++ efi_status_t status; ++ unsigned long len; ++ int ret; ++ ++ if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) ++ return -EOPNOTSUPP; ++ ++ len = sizeof(efi_bdaddr); ++ status = efi.get_variable(L"BDADDR", &guid, NULL, &len, &efi_bdaddr); ++ if (status != EFI_SUCCESS) ++ return -ENXIO; ++ ++ if (len != sizeof(efi_bdaddr)) ++ return -EIO; ++ ++ baswap(&bdaddr, &efi_bdaddr); ++ ++ ret = btbcm_set_bdaddr(hdev, &bdaddr); ++ if (ret) ++ return ret; ++ ++ bt_dev_info(hdev, "BCM: Using EFI device address (%pMR)", &bdaddr); ++ return 0; ++} ++#else ++static int btbcm_set_bdaddr_from_efi(struct hci_dev *hdev) ++{ ++ return -EOPNOTSUPP; ++} ++#endif ++ + int btbcm_check_bdaddr(struct hci_dev *hdev) + { + struct hci_rp_read_bd_addr *bda; +@@ -86,9 +124,12 @@ int btbcm_check_bdaddr(struct hci_dev *hdev) + !bacmp(&bda->bdaddr, BDADDR_BCM4345C5) || + !bacmp(&bda->bdaddr, BDADDR_BCM43430A0) || + !bacmp(&bda->bdaddr, BDADDR_BCM43341B)) { +- bt_dev_info(hdev, "BCM: Using default device address (%pMR)", +- &bda->bdaddr); +- set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); ++ /* Try falling back to BDADDR EFI variable */ ++ if (btbcm_set_bdaddr_from_efi(hdev) != 0) { ++ bt_dev_info(hdev, "BCM: Using default device address (%pMR)", ++ &bda->bdaddr); ++ set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); ++ } + } + + kfree_skb(skb); +-- +2.39.2 + diff --git a/queue-5.15/bluetooth-l2cap-fix-bad-unlock-balance-in-l2cap_disc.patch b/queue-5.15/bluetooth-l2cap-fix-bad-unlock-balance-in-l2cap_disc.patch new file mode 100644 index 00000000000..3c3d277fa59 --- /dev/null +++ b/queue-5.15/bluetooth-l2cap-fix-bad-unlock-balance-in-l2cap_disc.patch @@ -0,0 +1,37 @@ +From b205fce04f03df148712a71c3246fdaa2da6dccd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 10:27:54 +0800 +Subject: Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp + +From: Min Li + +[ Upstream commit 25e97f7b1866e6b8503be349eeea44bb52d661ce ] + +conn->chan_lock isn't acquired before l2cap_get_chan_by_scid, +if l2cap_get_chan_by_scid returns NULL, then 'bad unlock balance' +is triggered. + +Reported-by: syzbot+9519d6b5b79cf7787cf3@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/000000000000894f5f05f95e9f4d@google.com/ +Signed-off-by: Min Li +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 446343348329f..f01b77b037878 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4694,7 +4694,6 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, + + chan = l2cap_get_chan_by_scid(conn, scid); + if (!chan) { +- mutex_unlock(&conn->chan_lock); + return 0; + } + +-- +2.39.2 + diff --git a/queue-5.15/bnxt-avoid-overflow-in-bnxt_get_nvram_directory.patch b/queue-5.15/bnxt-avoid-overflow-in-bnxt_get_nvram_directory.patch new file mode 100644 index 00000000000..3e5c13efb8f --- /dev/null +++ b/queue-5.15/bnxt-avoid-overflow-in-bnxt_get_nvram_directory.patch @@ -0,0 +1,42 @@ +From 370217cf5fae2d2a2672cc8f0b77916922f784e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Mar 2023 20:43:47 +0300 +Subject: bnxt: avoid overflow in bnxt_get_nvram_directory() + +From: Maxim Korotkov + +[ Upstream commit 7c6dddc239abe660598c49ec95ea0ed6399a4b2a ] + +The value of an arithmetic expression is subject +of possible overflow due to a failure to cast operands to a larger data +type before performing arithmetic. Used macro for multiplication instead +operator for avoiding overflow. + +Found by Security Code and Linux Verification +Center (linuxtesting.org) with SVACE. + +Signed-off-by: Maxim Korotkov +Reviewed-by: Pavan Chebbi +Link: https://lore.kernel.org/r/20230309174347.3515-1-korotkov.maxim.s@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index bc9812a0a91c3..3c9ba116d5aff 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -2709,7 +2709,7 @@ static int bnxt_get_nvram_directory(struct net_device *dev, u32 len, u8 *data) + if (rc) + return rc; + +- buflen = dir_entries * entry_length; ++ buflen = mul_u32_u32(dir_entries, entry_length); + buf = hwrm_req_dma_slice(bp, req, buflen, &dma_handle); + if (!buf) { + hwrm_req_drop(bp, req); +-- +2.39.2 + diff --git a/queue-5.15/bpf-add-preempt_count_-sub-add-into-btf-id-deny-list.patch b/queue-5.15/bpf-add-preempt_count_-sub-add-into-btf-id-deny-list.patch new file mode 100644 index 00000000000..701057ff347 --- /dev/null +++ b/queue-5.15/bpf-add-preempt_count_-sub-add-into-btf-id-deny-list.patch @@ -0,0 +1,73 @@ +From dd1e232b1f071a1526e23a281dbe99891f06d79e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 02:52:48 +0000 +Subject: bpf: Add preempt_count_{sub,add} into btf id deny list + +From: Yafang + +[ Upstream commit c11bd046485d7bf1ca200db0e7d0bdc4bafdd395 ] + +The recursion check in __bpf_prog_enter* and __bpf_prog_exit* +leave preempt_count_{sub,add} unprotected. When attaching trampoline to +them we get panic as follows, + +[ 867.843050] BUG: TASK stack guard page was hit at 0000000009d325cf (stack is 0000000046a46a15..00000000537e7b28) +[ 867.843064] stack guard page: 0000 [#1] PREEMPT SMP NOPTI +[ 867.843067] CPU: 8 PID: 11009 Comm: trace Kdump: loaded Not tainted 6.2.0+ #4 +[ 867.843100] Call Trace: +[ 867.843101] +[ 867.843104] asm_exc_int3+0x3a/0x40 +[ 867.843108] RIP: 0010:preempt_count_sub+0x1/0xa0 +[ 867.843135] __bpf_prog_enter_recur+0x17/0x90 +[ 867.843148] bpf_trampoline_6442468108_0+0x2e/0x1000 +[ 867.843154] ? preempt_count_sub+0x1/0xa0 +[ 867.843157] preempt_count_sub+0x5/0xa0 +[ 867.843159] ? migrate_enable+0xac/0xf0 +[ 867.843164] __bpf_prog_exit_recur+0x2d/0x40 +[ 867.843168] bpf_trampoline_6442468108_0+0x55/0x1000 +... +[ 867.843788] preempt_count_sub+0x5/0xa0 +[ 867.843793] ? migrate_enable+0xac/0xf0 +[ 867.843829] __bpf_prog_exit_recur+0x2d/0x40 +[ 867.843837] BUG: IRQ stack guard page was hit at 0000000099bd8228 (stack is 00000000b23e2bc4..000000006d95af35) +[ 867.843841] BUG: IRQ stack guard page was hit at 000000005ae07924 (stack is 00000000ffd69623..0000000014eb594c) +[ 867.843843] BUG: IRQ stack guard page was hit at 00000000028320f0 (stack is 00000000034b6438..0000000078d1bcec) +[ 867.843842] bpf_trampoline_6442468108_0+0x55/0x1000 +... + +That is because in __bpf_prog_exit_recur, the preempt_count_{sub,add} are +called after prog->active is decreased. + +Fixing this by adding these two functions into btf ids deny list. + +Suggested-by: Steven Rostedt +Signed-off-by: Yafang +Cc: Masami Hiramatsu +Cc: Steven Rostedt +Cc: Jiri Olsa +Acked-by: Hao Luo +Link: https://lore.kernel.org/r/20230413025248.79764-1-laoar.shao@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 261c2ed3adb17..d0db1c7e2645d 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -13645,6 +13645,10 @@ BTF_ID(func, migrate_enable) + #if !defined CONFIG_PREEMPT_RCU && !defined CONFIG_TINY_RCU + BTF_ID(func, rcu_read_unlock_strict) + #endif ++#if defined(CONFIG_DEBUG_PREEMPT) || defined(CONFIG_TRACE_PREEMPT_TOGGLE) ++BTF_ID(func, preempt_count_add) ++BTF_ID(func, preempt_count_sub) ++#endif + BTF_SET_END(btf_id_deny) + + static int check_attach_btf_id(struct bpf_verifier_env *env) +-- +2.39.2 + diff --git a/queue-5.15/bpf-annotate-data-races-in-bpf_local_storage.patch b/queue-5.15/bpf-annotate-data-races-in-bpf_local_storage.patch new file mode 100644 index 00000000000..39f712f8da5 --- /dev/null +++ b/queue-5.15/bpf-annotate-data-races-in-bpf_local_storage.patch @@ -0,0 +1,83 @@ +From 50bbc46f7b94108deccacfb9b60d2437903f78da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Feb 2023 21:06:42 +0100 +Subject: bpf: Annotate data races in bpf_local_storage + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit 0a09a2f933c73dc76ab0b72da6855f44342a8903 ] + +There are a few cases where hlist_node is checked to be unhashed without +holding the lock protecting its modification. In this case, one must use +hlist_unhashed_lockless to avoid load tearing and KCSAN reports. Fix +this by using lockless variant in places not protected by the lock. + +Since this is not prompted by any actual KCSAN reports but only from +code review, I have not included a fixes tag. + +Cc: Martin KaFai Lau +Cc: KP Singh +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20230221200646.2500777-4-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_local_storage.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/bpf_local_storage.c b/kernel/bpf/bpf_local_storage.c +index 6c2d39a3d5581..5ef8eaf4985ed 100644 +--- a/kernel/bpf/bpf_local_storage.c ++++ b/kernel/bpf/bpf_local_storage.c +@@ -48,11 +48,21 @@ owner_storage(struct bpf_local_storage_map *smap, void *owner) + return map->ops->map_owner_storage_ptr(owner); + } + ++static bool selem_linked_to_storage_lockless(const struct bpf_local_storage_elem *selem) ++{ ++ return !hlist_unhashed_lockless(&selem->snode); ++} ++ + static bool selem_linked_to_storage(const struct bpf_local_storage_elem *selem) + { + return !hlist_unhashed(&selem->snode); + } + ++static bool selem_linked_to_map_lockless(const struct bpf_local_storage_elem *selem) ++{ ++ return !hlist_unhashed_lockless(&selem->map_node); ++} ++ + static bool selem_linked_to_map(const struct bpf_local_storage_elem *selem) + { + return !hlist_unhashed(&selem->map_node); +@@ -142,7 +152,7 @@ static void __bpf_selem_unlink_storage(struct bpf_local_storage_elem *selem) + bool free_local_storage = false; + unsigned long flags; + +- if (unlikely(!selem_linked_to_storage(selem))) ++ if (unlikely(!selem_linked_to_storage_lockless(selem))) + /* selem has already been unlinked from sk */ + return; + +@@ -170,7 +180,7 @@ void bpf_selem_unlink_map(struct bpf_local_storage_elem *selem) + struct bpf_local_storage_map_bucket *b; + unsigned long flags; + +- if (unlikely(!selem_linked_to_map(selem))) ++ if (unlikely(!selem_linked_to_map_lockless(selem))) + /* selem has already be unlinked from smap */ + return; + +@@ -373,7 +383,7 @@ bpf_local_storage_update(void *owner, struct bpf_local_storage_map *smap, + err = check_flags(old_sdata, map_flags); + if (err) + return ERR_PTR(err); +- if (old_sdata && selem_linked_to_storage(SELEM(old_sdata))) { ++ if (old_sdata && selem_linked_to_storage_lockless(SELEM(old_sdata))) { + copy_map_value_locked(&smap->map, old_sdata->data, + value, false); + return old_sdata; +-- +2.39.2 + diff --git a/queue-5.15/clk-tegra20-fix-gcc-7-constant-overflow-warning.patch b/queue-5.15/clk-tegra20-fix-gcc-7-constant-overflow-warning.patch new file mode 100644 index 00000000000..0ffab2cf343 --- /dev/null +++ b/queue-5.15/clk-tegra20-fix-gcc-7-constant-overflow-warning.patch @@ -0,0 +1,75 @@ +From a14ef69fdb59591c333fa6723edb3500908f8afa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 09:59:10 +0100 +Subject: clk: tegra20: fix gcc-7 constant overflow warning + +From: Arnd Bergmann + +[ Upstream commit b4a2adbf3586efa12fe78b9dec047423e01f3010 ] + +Older gcc versions get confused by comparing a u32 value to a negative +constant in a switch()/case block: + +drivers/clk/tegra/clk-tegra20.c: In function 'tegra20_clk_measure_input_freq': +drivers/clk/tegra/clk-tegra20.c:581:2: error: case label does not reduce to an integer constant + case OSC_CTRL_OSC_FREQ_12MHZ: + ^~~~ +drivers/clk/tegra/clk-tegra20.c:593:2: error: case label does not reduce to an integer constant + case OSC_CTRL_OSC_FREQ_26MHZ: + +Make the constants unsigned instead. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230227085914.2560984-1-arnd@kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-tegra20.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c +index d246a39a6b4f0..cc57ababc882d 100644 +--- a/drivers/clk/tegra/clk-tegra20.c ++++ b/drivers/clk/tegra/clk-tegra20.c +@@ -18,24 +18,24 @@ + #define MISC_CLK_ENB 0x48 + + #define OSC_CTRL 0x50 +-#define OSC_CTRL_OSC_FREQ_MASK (3<<30) +-#define OSC_CTRL_OSC_FREQ_13MHZ (0<<30) +-#define OSC_CTRL_OSC_FREQ_19_2MHZ (1<<30) +-#define OSC_CTRL_OSC_FREQ_12MHZ (2<<30) +-#define OSC_CTRL_OSC_FREQ_26MHZ (3<<30) +-#define OSC_CTRL_MASK (0x3f2 | OSC_CTRL_OSC_FREQ_MASK) +- +-#define OSC_CTRL_PLL_REF_DIV_MASK (3<<28) +-#define OSC_CTRL_PLL_REF_DIV_1 (0<<28) +-#define OSC_CTRL_PLL_REF_DIV_2 (1<<28) +-#define OSC_CTRL_PLL_REF_DIV_4 (2<<28) ++#define OSC_CTRL_OSC_FREQ_MASK (3u<<30) ++#define OSC_CTRL_OSC_FREQ_13MHZ (0u<<30) ++#define OSC_CTRL_OSC_FREQ_19_2MHZ (1u<<30) ++#define OSC_CTRL_OSC_FREQ_12MHZ (2u<<30) ++#define OSC_CTRL_OSC_FREQ_26MHZ (3u<<30) ++#define OSC_CTRL_MASK (0x3f2u | OSC_CTRL_OSC_FREQ_MASK) ++ ++#define OSC_CTRL_PLL_REF_DIV_MASK (3u<<28) ++#define OSC_CTRL_PLL_REF_DIV_1 (0u<<28) ++#define OSC_CTRL_PLL_REF_DIV_2 (1u<<28) ++#define OSC_CTRL_PLL_REF_DIV_4 (2u<<28) + + #define OSC_FREQ_DET 0x58 +-#define OSC_FREQ_DET_TRIG (1<<31) ++#define OSC_FREQ_DET_TRIG (1u<<31) + + #define OSC_FREQ_DET_STATUS 0x5c +-#define OSC_FREQ_DET_BUSY (1<<31) +-#define OSC_FREQ_DET_CNT_MASK 0xFFFF ++#define OSC_FREQ_DET_BUSYu (1<<31) ++#define OSC_FREQ_DET_CNT_MASK 0xFFFFu + + #define TEGRA20_CLK_PERIPH_BANKS 3 + +-- +2.39.2 + diff --git a/queue-5.15/drm-amd-display-use-dc_log_dc-in-the-trasform-pixel-.patch b/queue-5.15/drm-amd-display-use-dc_log_dc-in-the-trasform-pixel-.patch new file mode 100644 index 00000000000..def0a3673eb --- /dev/null +++ b/queue-5.15/drm-amd-display-use-dc_log_dc-in-the-trasform-pixel-.patch @@ -0,0 +1,109 @@ +From bcf4ac1f9bced01087e94312f8402bbdeeacf236 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 10:20:09 -0400 +Subject: drm/amd/display: Use DC_LOG_DC in the trasform pixel function + +From: Rodrigo Siqueira + +[ Upstream commit 7222f5841ff49709ca666b05ff336776e0664a20 ] + +[Why & How] +DC now uses a new commit sequence which is more robust since it +addresses cases where we need to reorganize pipes based on planes and +other parameters. As a result, this new commit sequence reset the DC +state by cleaning plane states and re-creating them accordingly with the +need. For this reason, the dce_transform_set_pixel_storage_depth can be +invoked after a plane state is destroyed and before its re-creation. In +this situation and on DCE devices, DC will hit a condition that will +trigger a dmesg log that looks like this: + +Console: switching to colour frame buffer device 240x67 +------------[ cut here ]------------ +[..] +Hardware name: System manufacturer System Product Name/PRIME X370-PRO, BIOS 5603 07/28/2020 +RIP: 0010:dce_transform_set_pixel_storage_depth+0x3f8/0x480 [amdgpu] +[..] +RSP: 0018:ffffc9000202b850 EFLAGS: 00010293 +RAX: ffffffffa081d100 RBX: ffff888110790000 RCX: 000000000000000c +RDX: ffff888100bedbf8 RSI: 0000000000001a50 RDI: ffff88810463c900 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000007 +R10: 0000000000000001 R11: 0000000000000f00 R12: ffff88810f500010 +R13: ffff888100bedbf8 R14: ffff88810f515688 R15: 0000000000000000 +FS: 00007ff0159249c0(0000) GS:ffff88840e940000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ff01528e550 CR3: 0000000002a10000 CR4: 00000000003506e0 +Call Trace: + + ? dm_write_reg_func+0x21/0x80 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8] + dc_stream_set_dither_option+0xfb/0x130 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8] + amdgpu_dm_crtc_configure_crc_source+0x10b/0x190 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8] + amdgpu_dm_atomic_commit_tail+0x20a8/0x2a90 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8] + ? free_unref_page_commit+0x98/0x170 + ? free_unref_page+0xcc/0x150 + commit_tail+0x94/0x120 + drm_atomic_helper_commit+0x10f/0x140 + drm_atomic_commit+0x94/0xc0 + ? drm_plane_get_damage_clips.cold+0x1c/0x1c + drm_client_modeset_commit_atomic+0x203/0x250 + drm_client_modeset_commit_locked+0x56/0x150 + drm_client_modeset_commit+0x21/0x40 + drm_fb_helper_lastclose+0x42/0x70 + amdgpu_driver_lastclose_kms+0xa/0x10 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8] + drm_release+0xda/0x110 + __fput+0x89/0x240 + task_work_run+0x5c/0x90 + do_exit+0x333/0xae0 + do_group_exit+0x2d/0x90 + __x64_sys_exit_group+0x14/0x20 + do_syscall_64+0x5b/0x80 + ? exit_to_user_mode_prepare+0x1e/0x140 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7ff016ceaca1 +Code: Unable to access opcode bytes at RIP 0x7ff016ceac77. +RSP: 002b:00007ffe7a2357e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 00007ff016e15a00 RCX: 00007ff016ceaca1 +RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 +RBP: 0000000000000000 R08: ffffffffffffff78 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff016e15a00 +R13: 0000000000000000 R14: 00007ff016e1aee8 R15: 00007ff016e1af00 + + +Since this issue only happens in a transition state on DC, this commit +replace BREAK_TO_DEBUGGER with DC_LOG_DC. + +Reviewed-by: Harry Wentland +Acked-by: Qingqing Zhuo +Signed-off-by: Rodrigo Siqueira +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dce/dce_transform.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c +index d9fd4ec60588f..670d5ab9d9984 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c +@@ -1009,7 +1009,7 @@ static void dce_transform_set_pixel_storage_depth( + color_depth = COLOR_DEPTH_101010; + pixel_depth = 0; + expan_mode = 1; +- BREAK_TO_DEBUGGER(); ++ DC_LOG_DC("The pixel depth %d is not valid, set COLOR_DEPTH_101010 instead.", depth); + break; + } + +@@ -1023,8 +1023,7 @@ static void dce_transform_set_pixel_storage_depth( + if (!(xfm_dce->lb_pixel_depth_supported & depth)) { + /*we should use unsupported capabilities + * unless it is required by w/a*/ +- DC_LOG_WARNING("%s: Capability not supported", +- __func__); ++ DC_LOG_DC("%s: Capability not supported", __func__); + } + } + +-- +2.39.2 + diff --git a/queue-5.15/drm-amd-fix-an-out-of-bounds-error-in-bios-parser.patch b/queue-5.15/drm-amd-fix-an-out-of-bounds-error-in-bios-parser.patch new file mode 100644 index 00000000000..9f2bc8583ef --- /dev/null +++ b/queue-5.15/drm-amd-fix-an-out-of-bounds-error-in-bios-parser.patch @@ -0,0 +1,49 @@ +From b00563dae3bdcb096a2d772f522dfacb3db1e878 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Mar 2023 14:07:06 -0500 +Subject: drm/amd: Fix an out of bounds error in BIOS parser + +From: Mario Limonciello + +[ Upstream commit d116db180decec1b21bba31d2ff495ac4d8e1b83 ] + +The array is hardcoded to 8 in atomfirmware.h, but firmware provides +a bigger one sometimes. Deferencing the larger array causes an out +of bounds error. + +commit 4fc1ba4aa589 ("drm/amd/display: fix array index out of bound error +in bios parser") fixed some of this, but there are two other cases +not covered by it. Fix those as well. + +Reported-by: erhard_f@mailbox.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=214853 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2473 +Signed-off-by: Mario Limonciello +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c +index 1d86fd5610c03..228f098e5d88f 100644 +--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c ++++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c +@@ -406,11 +406,8 @@ static enum bp_result get_gpio_i2c_info( + info->i2c_slave_address = record->i2c_slave_addr; + + /* TODO: check how to get register offset for en, Y, etc. */ +- info->gpio_info.clk_a_register_index = +- le16_to_cpu( +- header->gpio_pin[table_index].data_a_reg_index); +- info->gpio_info.clk_a_shift = +- header->gpio_pin[table_index].gpio_bitshift; ++ info->gpio_info.clk_a_register_index = le16_to_cpu(pin->data_a_reg_index); ++ info->gpio_info.clk_a_shift = pin->gpio_bitshift; + + return BP_RESULT_OK; + } +-- +2.39.2 + diff --git a/queue-5.15/drm-displayid-add-displayid_get_header-and-check-bou.patch b/queue-5.15/drm-displayid-add-displayid_get_header-and-check-bou.patch new file mode 100644 index 00000000000..17296c4154b --- /dev/null +++ b/queue-5.15/drm-displayid-add-displayid_get_header-and-check-bou.patch @@ -0,0 +1,62 @@ +From f59dd771314e3d885d6c06bcab7983636ed24b6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 22:44:58 +0200 +Subject: drm/displayid: add displayid_get_header() and check bounds better + +From: Jani Nikula + +[ Upstream commit 5bacecc3c56131c31f18b23d366f2184328fd9cf ] + +Add a helper to get a pointer to struct displayid_header. To be +pedantic, add buffer overflow checks to not touch the base if that +itself would overflow. + +Cc: Iaroslav Boliukin +Cc: Dmitry Osipenko +Signed-off-by: Jani Nikula +Tested-by: Dmitry Osipenko +Reviewed-by: Dmitry Osipenko +Signed-off-by: Dmitry Osipenko +Link: https://patchwork.freedesktop.org/patch/msgid/4a03b3a5132642d3cdb6d4c2641422955a917292.1676580180.git.jani.nikula@intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_displayid.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_displayid.c b/drivers/gpu/drm/drm_displayid.c +index 32da557b960fd..82b7f0bb44097 100644 +--- a/drivers/gpu/drm/drm_displayid.c ++++ b/drivers/gpu/drm/drm_displayid.c +@@ -7,13 +7,28 @@ + #include + #include + ++static const struct displayid_header * ++displayid_get_header(const u8 *displayid, int length, int index) ++{ ++ const struct displayid_header *base; ++ ++ if (sizeof(*base) > length - index) ++ return ERR_PTR(-EINVAL); ++ ++ base = (const struct displayid_header *)&displayid[index]; ++ ++ return base; ++} ++ + static int validate_displayid(const u8 *displayid, int length, int idx) + { + int i, dispid_length; + u8 csum = 0; + const struct displayid_header *base; + +- base = (const struct displayid_header *)&displayid[idx]; ++ base = displayid_get_header(displayid, length, idx); ++ if (IS_ERR(base)) ++ return PTR_ERR(base); + + DRM_DEBUG_KMS("base revision 0x%x, length %d, %d %d\n", + base->rev, base->bytes, base->prod_id, base->ext_count); +-- +2.39.2 + diff --git a/queue-5.15/drm-msm-dp-clean-up-handling-of-dp-aux-interrupts.patch b/queue-5.15/drm-msm-dp-clean-up-handling-of-dp-aux-interrupts.patch new file mode 100644 index 00000000000..abd2c0bc505 --- /dev/null +++ b/queue-5.15/drm-msm-dp-clean-up-handling-of-dp-aux-interrupts.patch @@ -0,0 +1,210 @@ +From 69d7141ba95e92189ccfeb604c4ee95f33dbbfa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 17:09:12 -0800 +Subject: drm/msm/dp: Clean up handling of DP AUX interrupts + +From: Douglas Anderson + +[ Upstream commit b20566cdef05cd40d95f10869d2a7646f48b1bbe ] + +The DP AUX interrupt handling was a bit of a mess. +* There were two functions (one for "native" transfers and one for + "i2c" transfers) that were quite similar. It was hard to say how + many of the differences between the two functions were on purpose + and how many of them were just an accident of how they were coded. +* Each function sometimes used "else if" to test for error bits and + sometimes didn't and again it was hard to say if this was on purpose + or just an accident. +* The two functions wouldn't notice whether "unknown" bits were + set. For instance, there seems to be a bit "DP_INTR_PLL_UNLOCKED" + and if it was set there would be no indication. +* The two functions wouldn't notice if more than one error was set. + +Let's fix this by being more consistent / explicit about what we're +doing. + +By design this could cause different handling for AUX transfers, +though I'm not actually aware of any bug fixed as a result of +this patch (this patch was created because we simply noticed how odd +the old code was by code inspection). Specific notes here: +1. In the old native transfer case if we got "done + wrong address" + we'd ignore the "wrong address" (because of the "else if"). Now we + won't. +2. In the old native transfer case if we got "done + timeout" we'd + ignore the "timeout" (because of the "else if"). Now we won't. +3. In the old native transfer case we'd see "nack_defer" and translate + it to the error number for "nack". This differed from the i2c + transfer case where "nack_defer" was given the error number for + "nack_defer". This 100% can't matter because the only user of this + error number treats "nack defer" the same as "nack", so it's clear + that the difference between the "native" and "i2c" was pointless + here. +4. In the old i2c transfer case if we got "done" plus any error + besides "nack" or "defer" then we'd ignore the error. Now we don't. +5. If there is more than one error signaled by the hardware it's + possible that we'll report a different one than we used to. I don't + know if this matters. If someone is aware of a case this matters we + should document it and change the code to make it explicit. +6. One quirk we keep (I don't know if this is important) is that in + the i2c transfer case if we see "done + defer" we report that as a + "nack". That seemed too intentional in the old code to just drop. + +After this change we will add extra logging, including: +* A warning if we see more than one error bit set. +* A warning if we see an unexpected interrupt. +* A warning if we get an AUX transfer interrupt when shouldn't. + +It actually turns out that as a result of this change then at boot we +sometimes see an error: + [drm:dp_aux_isr] *ERROR* Unexpected DP AUX IRQ 0x01000000 when not busy +That means that, during init, we are seeing DP_INTR_PLL_UNLOCKED. For +now I'm going to say that leaving this error reported in the logs is +OK-ish and hopefully it will encourage someone to track down what's +going on at init time. + +One last note here is that this change renames one of the interrupt +bits. The bit named "i2c done" clearly was used for native transfers +being done too, so I renamed it to indicate this. + +Signed-off-by: Douglas Anderson +Tested-by: Kuogee Hsieh +Reviewed-by: Kuogee Hsieh +Patchwork: https://patchwork.freedesktop.org/patch/520658/ +Link: https://lore.kernel.org/r/20230126170745.v2.1.I90ffed3ddd21e818ae534f820cb4d6d8638859ab@changeid +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_aux.c | 80 ++++++++++++----------------- + drivers/gpu/drm/msm/dp/dp_catalog.c | 2 +- + drivers/gpu/drm/msm/dp/dp_catalog.h | 2 +- + 3 files changed, 36 insertions(+), 48 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_aux.c b/drivers/gpu/drm/msm/dp/dp_aux.c +index 7b8d4ba868eb7..4742aca2af482 100644 +--- a/drivers/gpu/drm/msm/dp/dp_aux.c ++++ b/drivers/gpu/drm/msm/dp/dp_aux.c +@@ -161,47 +161,6 @@ static ssize_t dp_aux_cmd_fifo_rx(struct dp_aux_private *aux, + return i; + } + +-static void dp_aux_native_handler(struct dp_aux_private *aux, u32 isr) +-{ +- if (isr & DP_INTR_AUX_I2C_DONE) +- aux->aux_error_num = DP_AUX_ERR_NONE; +- else if (isr & DP_INTR_WRONG_ADDR) +- aux->aux_error_num = DP_AUX_ERR_ADDR; +- else if (isr & DP_INTR_TIMEOUT) +- aux->aux_error_num = DP_AUX_ERR_TOUT; +- if (isr & DP_INTR_NACK_DEFER) +- aux->aux_error_num = DP_AUX_ERR_NACK; +- if (isr & DP_INTR_AUX_ERROR) { +- aux->aux_error_num = DP_AUX_ERR_PHY; +- dp_catalog_aux_clear_hw_interrupts(aux->catalog); +- } +-} +- +-static void dp_aux_i2c_handler(struct dp_aux_private *aux, u32 isr) +-{ +- if (isr & DP_INTR_AUX_I2C_DONE) { +- if (isr & (DP_INTR_I2C_NACK | DP_INTR_I2C_DEFER)) +- aux->aux_error_num = DP_AUX_ERR_NACK; +- else +- aux->aux_error_num = DP_AUX_ERR_NONE; +- } else { +- if (isr & DP_INTR_WRONG_ADDR) +- aux->aux_error_num = DP_AUX_ERR_ADDR; +- else if (isr & DP_INTR_TIMEOUT) +- aux->aux_error_num = DP_AUX_ERR_TOUT; +- if (isr & DP_INTR_NACK_DEFER) +- aux->aux_error_num = DP_AUX_ERR_NACK_DEFER; +- if (isr & DP_INTR_I2C_NACK) +- aux->aux_error_num = DP_AUX_ERR_NACK; +- if (isr & DP_INTR_I2C_DEFER) +- aux->aux_error_num = DP_AUX_ERR_DEFER; +- if (isr & DP_INTR_AUX_ERROR) { +- aux->aux_error_num = DP_AUX_ERR_PHY; +- dp_catalog_aux_clear_hw_interrupts(aux->catalog); +- } +- } +-} +- + static void dp_aux_update_offset_and_segment(struct dp_aux_private *aux, + struct drm_dp_aux_msg *input_msg) + { +@@ -410,13 +369,42 @@ void dp_aux_isr(struct drm_dp_aux *dp_aux) + if (!isr) + return; + +- if (!aux->cmd_busy) ++ if (!aux->cmd_busy) { ++ DRM_ERROR("Unexpected DP AUX IRQ %#010x when not busy\n", isr); + return; ++ } + +- if (aux->native) +- dp_aux_native_handler(aux, isr); +- else +- dp_aux_i2c_handler(aux, isr); ++ /* ++ * The logic below assumes only one error bit is set (other than "done" ++ * which can apparently be set at the same time as some of the other ++ * bits). Warn if more than one get set so we know we need to improve ++ * the logic. ++ */ ++ if (hweight32(isr & ~DP_INTR_AUX_XFER_DONE) > 1) ++ DRM_WARN("Some DP AUX interrupts unhandled: %#010x\n", isr); ++ ++ if (isr & DP_INTR_AUX_ERROR) { ++ aux->aux_error_num = DP_AUX_ERR_PHY; ++ dp_catalog_aux_clear_hw_interrupts(aux->catalog); ++ } else if (isr & DP_INTR_NACK_DEFER) { ++ aux->aux_error_num = DP_AUX_ERR_NACK_DEFER; ++ } else if (isr & DP_INTR_WRONG_ADDR) { ++ aux->aux_error_num = DP_AUX_ERR_ADDR; ++ } else if (isr & DP_INTR_TIMEOUT) { ++ aux->aux_error_num = DP_AUX_ERR_TOUT; ++ } else if (!aux->native && (isr & DP_INTR_I2C_NACK)) { ++ aux->aux_error_num = DP_AUX_ERR_NACK; ++ } else if (!aux->native && (isr & DP_INTR_I2C_DEFER)) { ++ if (isr & DP_INTR_AUX_XFER_DONE) ++ aux->aux_error_num = DP_AUX_ERR_NACK; ++ else ++ aux->aux_error_num = DP_AUX_ERR_DEFER; ++ } else if (isr & DP_INTR_AUX_XFER_DONE) { ++ aux->aux_error_num = DP_AUX_ERR_NONE; ++ } else { ++ DRM_WARN("Unexpected interrupt: %#010x\n", isr); ++ return; ++ } + + complete(&aux->comp); + } +diff --git a/drivers/gpu/drm/msm/dp/dp_catalog.c b/drivers/gpu/drm/msm/dp/dp_catalog.c +index 9ef24ced6586d..8df5dfd6ad17f 100644 +--- a/drivers/gpu/drm/msm/dp/dp_catalog.c ++++ b/drivers/gpu/drm/msm/dp/dp_catalog.c +@@ -34,7 +34,7 @@ + #define MSM_DP_CONTROLLER_P0_SIZE 0x0400 + + #define DP_INTERRUPT_STATUS1 \ +- (DP_INTR_AUX_I2C_DONE| \ ++ (DP_INTR_AUX_XFER_DONE| \ + DP_INTR_WRONG_ADDR | DP_INTR_TIMEOUT | \ + DP_INTR_NACK_DEFER | DP_INTR_WRONG_DATA_CNT | \ + DP_INTR_I2C_NACK | DP_INTR_I2C_DEFER | \ +diff --git a/drivers/gpu/drm/msm/dp/dp_catalog.h b/drivers/gpu/drm/msm/dp/dp_catalog.h +index 6965afa81aad2..32d3e14c98f7f 100644 +--- a/drivers/gpu/drm/msm/dp/dp_catalog.h ++++ b/drivers/gpu/drm/msm/dp/dp_catalog.h +@@ -13,7 +13,7 @@ + + /* interrupts */ + #define DP_INTR_HPD BIT(0) +-#define DP_INTR_AUX_I2C_DONE BIT(3) ++#define DP_INTR_AUX_XFER_DONE BIT(3) + #define DP_INTR_WRONG_ADDR BIT(6) + #define DP_INTR_TIMEOUT BIT(9) + #define DP_INTR_NACK_DEFER BIT(12) +-- +2.39.2 + diff --git a/queue-5.15/drm-tegra-avoid-potential-32-bit-integer-overflow.patch b/queue-5.15/drm-tegra-avoid-potential-32-bit-integer-overflow.patch new file mode 100644 index 00000000000..a38a7839349 --- /dev/null +++ b/queue-5.15/drm-tegra-avoid-potential-32-bit-integer-overflow.patch @@ -0,0 +1,37 @@ +From 9afc13306524a41bf9c18e5c4d716be75baafa6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Apr 2023 04:25:59 +0800 +Subject: drm/tegra: Avoid potential 32-bit integer overflow + +From: Nur Hussein + +[ Upstream commit 2429b3c529da29d4277d519bd66d034842dcd70c ] + +In tegra_sor_compute_config(), the 32-bit value mode->clock is +multiplied by 1000, and assigned to the u64 variable pclk. We can avoid +a potential 32-bit integer overflow by casting mode->clock to u64 before +we do the arithmetic and assignment. + +Signed-off-by: Nur Hussein +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/sor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/sor.c b/drivers/gpu/drm/tegra/sor.c +index 0ea320c1092bd..f2f76a0897a80 100644 +--- a/drivers/gpu/drm/tegra/sor.c ++++ b/drivers/gpu/drm/tegra/sor.c +@@ -1153,7 +1153,7 @@ static int tegra_sor_compute_config(struct tegra_sor *sor, + struct drm_dp_link *link) + { + const u64 f = 100000, link_rate = link->rate * 1000; +- const u64 pclk = mode->clock * 1000; ++ const u64 pclk = (u64)mode->clock * 1000; + u64 input, output, watermark, num; + struct tegra_sor_params params; + u32 num_syms_per_line; +-- +2.39.2 + diff --git a/queue-5.15/ext2-check-block-size-validity-during-mount.patch b/queue-5.15/ext2-check-block-size-validity-during-mount.patch new file mode 100644 index 00000000000..c3b13398f71 --- /dev/null +++ b/queue-5.15/ext2-check-block-size-validity-during-mount.patch @@ -0,0 +1,54 @@ +From 08acd7b85301c32c4ef70aec1068296732958064 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 11:59:39 +0100 +Subject: ext2: Check block size validity during mount + +From: Jan Kara + +[ Upstream commit 62aeb94433fcec80241754b70d0d1836d5926b0a ] + +Check that log of block size stored in the superblock has sensible +value. Otherwise the shift computing the block size can overflow leading +to undefined behavior. + +Reported-by: syzbot+4fec412f59eba8c01b77@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/ext2.h | 1 + + fs/ext2/super.c | 7 +++++++ + 2 files changed, 8 insertions(+) + +diff --git a/fs/ext2/ext2.h b/fs/ext2/ext2.h +index 3be9dd6412b78..a610c096f3a9d 100644 +--- a/fs/ext2/ext2.h ++++ b/fs/ext2/ext2.h +@@ -179,6 +179,7 @@ static inline struct ext2_sb_info *EXT2_SB(struct super_block *sb) + #define EXT2_MIN_BLOCK_SIZE 1024 + #define EXT2_MAX_BLOCK_SIZE 4096 + #define EXT2_MIN_BLOCK_LOG_SIZE 10 ++#define EXT2_MAX_BLOCK_LOG_SIZE 16 + #define EXT2_BLOCK_SIZE(s) ((s)->s_blocksize) + #define EXT2_ADDR_PER_BLOCK(s) (EXT2_BLOCK_SIZE(s) / sizeof (__u32)) + #define EXT2_BLOCK_SIZE_BITS(s) ((s)->s_blocksize_bits) +diff --git a/fs/ext2/super.c b/fs/ext2/super.c +index 02d82f8fe85d9..486a43e347950 100644 +--- a/fs/ext2/super.c ++++ b/fs/ext2/super.c +@@ -947,6 +947,13 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) + goto failed_mount; + } + ++ if (le32_to_cpu(es->s_log_block_size) > ++ (EXT2_MAX_BLOCK_LOG_SIZE - BLOCK_SIZE_BITS)) { ++ ext2_msg(sb, KERN_ERR, ++ "Invalid log block size: %u", ++ le32_to_cpu(es->s_log_block_size)); ++ goto failed_mount; ++ } + blocksize = BLOCK_SIZE << le32_to_cpu(sbi->s_es->s_log_block_size); + + if (test_opt(sb, DAX)) { +-- +2.39.2 + diff --git a/queue-5.15/ext4-fix-best-extent-lstart-adjustment-logic-in-ext4.patch b/queue-5.15/ext4-fix-best-extent-lstart-adjustment-logic-in-ext4.patch new file mode 100644 index 00000000000..ae79181909f --- /dev/null +++ b/queue-5.15/ext4-fix-best-extent-lstart-adjustment-logic-in-ext4.patch @@ -0,0 +1,129 @@ +From e66b7dee400225c430d95a6a000d4042ef7f253c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Mar 2023 13:43:39 +0530 +Subject: ext4: Fix best extent lstart adjustment logic in + ext4_mb_new_inode_pa() + +From: Ojaswin Mujoo + +[ Upstream commit 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9 ] + +When the length of best extent found is less than the length of goal extent +we need to make sure that the best extent atleast covers the start of the +original request. This is done by adjusting the ac_b_ex.fe_logical (logical +start) of the extent. + +While doing so, the current logic sometimes results in the best extent's +logical range overflowing the goal extent. Since this best extent is later +added to the inode preallocation list, we have a possibility of introducing +overlapping preallocations. This is discussed in detail here [1]. + +As per Jan's suggestion, to fix this, replace the existing logic with the +below logic for adjusting best extent as it keeps fragmentation in check +while ensuring logical range of best extent doesn't overflow out of goal +extent: + +1. Check if best extent can be kept at end of goal range and still cover + original start. +2. Else, check if best extent can be kept at start of goal range and still + cover original start. +3. Else, keep the best extent at start of original request. + +Also, add a few extra BUG_ONs that might help catch errors faster. + +[1] https://lore.kernel.org/r/Y+OGkVvzPN0RMv0O@li-bb2b2a4c-3307-11b2-a85c-8fa5c3a69313.ibm.com + +Suggested-by: Jan Kara +Signed-off-by: Ojaswin Mujoo +Reviewed-by: Ritesh Harjani (IBM) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/f96aca6d415b36d1f90db86c1a8cd7e2e9d7ab0e.1679731817.git.ojaswin@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 49 ++++++++++++++++++++++++++++++----------------- + 1 file changed, 31 insertions(+), 18 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index de51963c701f7..e8f5f05bddb3f 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4333,6 +4333,7 @@ static void ext4_mb_use_inode_pa(struct ext4_allocation_context *ac, + BUG_ON(start < pa->pa_pstart); + BUG_ON(end > pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len)); + BUG_ON(pa->pa_free < len); ++ BUG_ON(ac->ac_b_ex.fe_len <= 0); + pa->pa_free -= len; + + mb_debug(ac->ac_sb, "use %llu/%d from inode pa %p\n", start, len, pa); +@@ -4662,10 +4663,8 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac) + pa = ac->ac_pa; + + if (ac->ac_b_ex.fe_len < ac->ac_g_ex.fe_len) { +- int winl; +- int wins; +- int win; +- int offs; ++ int new_bex_start; ++ int new_bex_end; + + /* we can't allocate as much as normalizer wants. + * so, found space must get proper lstart +@@ -4673,26 +4672,40 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac) + BUG_ON(ac->ac_g_ex.fe_logical > ac->ac_o_ex.fe_logical); + BUG_ON(ac->ac_g_ex.fe_len < ac->ac_o_ex.fe_len); + +- /* we're limited by original request in that +- * logical block must be covered any way +- * winl is window we can move our chunk within */ +- winl = ac->ac_o_ex.fe_logical - ac->ac_g_ex.fe_logical; ++ /* ++ * Use the below logic for adjusting best extent as it keeps ++ * fragmentation in check while ensuring logical range of best ++ * extent doesn't overflow out of goal extent: ++ * ++ * 1. Check if best ex can be kept at end of goal and still ++ * cover original start ++ * 2. Else, check if best ex can be kept at start of goal and ++ * still cover original start ++ * 3. Else, keep the best ex at start of original request. ++ */ ++ new_bex_end = ac->ac_g_ex.fe_logical + ++ EXT4_C2B(sbi, ac->ac_g_ex.fe_len); ++ new_bex_start = new_bex_end - EXT4_C2B(sbi, ac->ac_b_ex.fe_len); ++ if (ac->ac_o_ex.fe_logical >= new_bex_start) ++ goto adjust_bex; + +- /* also, we should cover whole original request */ +- wins = EXT4_C2B(sbi, ac->ac_b_ex.fe_len - ac->ac_o_ex.fe_len); ++ new_bex_start = ac->ac_g_ex.fe_logical; ++ new_bex_end = ++ new_bex_start + EXT4_C2B(sbi, ac->ac_b_ex.fe_len); ++ if (ac->ac_o_ex.fe_logical < new_bex_end) ++ goto adjust_bex; + +- /* the smallest one defines real window */ +- win = min(winl, wins); ++ new_bex_start = ac->ac_o_ex.fe_logical; ++ new_bex_end = ++ new_bex_start + EXT4_C2B(sbi, ac->ac_b_ex.fe_len); + +- offs = ac->ac_o_ex.fe_logical % +- EXT4_C2B(sbi, ac->ac_b_ex.fe_len); +- if (offs && offs < win) +- win = offs; ++adjust_bex: ++ ac->ac_b_ex.fe_logical = new_bex_start; + +- ac->ac_b_ex.fe_logical = ac->ac_o_ex.fe_logical - +- EXT4_NUM_B2C(sbi, win); + BUG_ON(ac->ac_o_ex.fe_logical < ac->ac_b_ex.fe_logical); + BUG_ON(ac->ac_o_ex.fe_len > ac->ac_b_ex.fe_len); ++ BUG_ON(new_bex_end > (ac->ac_g_ex.fe_logical + ++ EXT4_C2B(sbi, ac->ac_g_ex.fe_len))); + } + + /* preallocation can change ac_b_ex, thus we store actually +-- +2.39.2 + diff --git a/queue-5.15/ext4-set-goal-start-correctly-in-ext4_mb_normalize_r.patch b/queue-5.15/ext4-set-goal-start-correctly-in-ext4_mb_normalize_r.patch new file mode 100644 index 00000000000..2935216b327 --- /dev/null +++ b/queue-5.15/ext4-set-goal-start-correctly-in-ext4_mb_normalize_r.patch @@ -0,0 +1,72 @@ +From 672c3c18f362d07bd51d8d2ec501fe8062853923 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Mar 2023 01:21:01 +0800 +Subject: ext4: set goal start correctly in ext4_mb_normalize_request + +From: Kemeng Shi + +[ Upstream commit b07ffe6927c75d99af534d685282ea188d9f71a6 ] + +We need to set ac_g_ex to notify the goal start used in +ext4_mb_find_by_goal. Set ac_g_ex instead of ac_f_ex in +ext4_mb_normalize_request. +Besides we should assure goal start is in range [first_data_block, +blocks_count) as ext4_mb_initialize_context does. + +[ Added a check to make sure size is less than ar->pright; otherwise + we could end up passing an underflowed value of ar->pright - size to + ext4_get_group_no_and_offset(), which will trigger a BUG_ON later on. + - TYT ] + +Signed-off-by: Kemeng Shi +Reviewed-by: Ritesh Harjani (IBM) +Link: https://lore.kernel.org/r/20230303172120.3800725-2-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 4cc635633f789..de51963c701f7 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4045,6 +4045,7 @@ ext4_mb_normalize_request(struct ext4_allocation_context *ac, + struct ext4_allocation_request *ar) + { + struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb); ++ struct ext4_super_block *es = sbi->s_es; + int bsbits, max; + ext4_lblk_t end; + loff_t size, start_off; +@@ -4225,18 +4226,21 @@ ext4_mb_normalize_request(struct ext4_allocation_context *ac, + ac->ac_g_ex.fe_len = EXT4_NUM_B2C(sbi, size); + + /* define goal start in order to merge */ +- if (ar->pright && (ar->lright == (start + size))) { ++ if (ar->pright && (ar->lright == (start + size)) && ++ ar->pright >= size && ++ ar->pright - size >= le32_to_cpu(es->s_first_data_block)) { + /* merge to the right */ + ext4_get_group_no_and_offset(ac->ac_sb, ar->pright - size, +- &ac->ac_f_ex.fe_group, +- &ac->ac_f_ex.fe_start); ++ &ac->ac_g_ex.fe_group, ++ &ac->ac_g_ex.fe_start); + ac->ac_flags |= EXT4_MB_HINT_TRY_GOAL; + } +- if (ar->pleft && (ar->lleft + 1 == start)) { ++ if (ar->pleft && (ar->lleft + 1 == start) && ++ ar->pleft + 1 < ext4_blocks_count(es)) { + /* merge to the left */ + ext4_get_group_no_and_offset(ac->ac_sb, ar->pleft + 1, +- &ac->ac_f_ex.fe_group, +- &ac->ac_f_ex.fe_start); ++ &ac->ac_g_ex.fe_group, ++ &ac->ac_g_ex.fe_start); + ac->ac_flags |= EXT4_MB_HINT_TRY_GOAL; + } + +-- +2.39.2 + diff --git a/queue-5.15/f2fs-fix-to-check-readonly-condition-correctly.patch b/queue-5.15/f2fs-fix-to-check-readonly-condition-correctly.patch new file mode 100644 index 00000000000..78ab720f53f --- /dev/null +++ b/queue-5.15/f2fs-fix-to-check-readonly-condition-correctly.patch @@ -0,0 +1,80 @@ +From 9aef7e447eec6057f500c5b3e63c719bcfe5708f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Apr 2023 23:28:07 +0800 +Subject: f2fs: fix to check readonly condition correctly + +From: Chao Yu + +[ Upstream commit d78dfefcde9d311284434560d69c0478c55a657e ] + +With below case, it can mount multi-device image w/ rw option, however +one of secondary device is set as ro, later update will cause panic, so +let's introduce f2fs_dev_is_readonly(), and check multi-devices rw status +in f2fs_remount() w/ it in order to avoid such inconsistent mount status. + +mkfs.f2fs -c /dev/zram1 /dev/zram0 -f +blockdev --setro /dev/zram1 +mount -t f2fs dev/zram0 /mnt/f2fs +mount: /mnt/f2fs: WARNING: source write-protected, mounted read-only. +mount -t f2fs -o remount,rw mnt/f2fs +dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=8192 + +kernel BUG at fs/f2fs/inline.c:258! +RIP: 0010:f2fs_write_inline_data+0x23e/0x2d0 [f2fs] +Call Trace: + f2fs_write_single_data_page+0x26b/0x9f0 [f2fs] + f2fs_write_cache_pages+0x389/0xa60 [f2fs] + __f2fs_write_data_pages+0x26b/0x2d0 [f2fs] + f2fs_write_data_pages+0x2e/0x40 [f2fs] + do_writepages+0xd3/0x1b0 + __writeback_single_inode+0x5b/0x420 + writeback_sb_inodes+0x236/0x5a0 + __writeback_inodes_wb+0x56/0xf0 + wb_writeback+0x2a3/0x490 + wb_do_writeback+0x2b2/0x330 + wb_workfn+0x6a/0x260 + process_one_work+0x270/0x5e0 + worker_thread+0x52/0x3e0 + kthread+0xf4/0x120 + ret_from_fork+0x29/0x50 + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 5 +++++ + fs/f2fs/super.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 7424470c68cbe..5c0920e11e4ba 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -4284,6 +4284,11 @@ static inline bool f2fs_hw_is_readonly(struct f2fs_sb_info *sbi) + return false; + } + ++static inline bool f2fs_dev_is_readonly(struct f2fs_sb_info *sbi) ++{ ++ return f2fs_sb_has_readonly(sbi) || f2fs_hw_is_readonly(sbi); ++} ++ + static inline bool f2fs_lfs_mode(struct f2fs_sb_info *sbi) + { + return F2FS_OPTION(sbi).fs_mode == FS_MODE_LFS; +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 4cc9b948139ad..5c0b2b300aa1b 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2225,7 +2225,7 @@ static int f2fs_remount(struct super_block *sb, int *flags, char *data) + if (f2fs_readonly(sb) && (*flags & SB_RDONLY)) + goto skip; + +- if (f2fs_sb_has_readonly(sbi) && !(*flags & SB_RDONLY)) { ++ if (f2fs_dev_is_readonly(sbi) && !(*flags & SB_RDONLY)) { + err = -EROFS; + goto restore_opts; + } +-- +2.39.2 + diff --git a/queue-5.15/f2fs-fix-to-drop-all-dirty-pages-during-umount-if-cp.patch b/queue-5.15/f2fs-fix-to-drop-all-dirty-pages-during-umount-if-cp.patch new file mode 100644 index 00000000000..bef1ccf4b89 --- /dev/null +++ b/queue-5.15/f2fs-fix-to-drop-all-dirty-pages-during-umount-if-cp.patch @@ -0,0 +1,93 @@ +From 1289fbd7396df8d842022e51ed67fb8c4a5ff5d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Apr 2023 10:12:22 +0800 +Subject: f2fs: fix to drop all dirty pages during umount() if cp_error is set + +From: Chao Yu + +[ Upstream commit c9b3649a934d131151111354bcbb638076f03a30 ] + +xfstest generic/361 reports a bug as below: + +f2fs_bug_on(sbi, sbi->fsync_node_num); + +kernel BUG at fs/f2fs/super.c:1627! +RIP: 0010:f2fs_put_super+0x3a8/0x3b0 +Call Trace: + generic_shutdown_super+0x8c/0x1b0 + kill_block_super+0x2b/0x60 + kill_f2fs_super+0x87/0x110 + deactivate_locked_super+0x39/0x80 + deactivate_super+0x46/0x50 + cleanup_mnt+0x109/0x170 + __cleanup_mnt+0x16/0x20 + task_work_run+0x65/0xa0 + exit_to_user_mode_prepare+0x175/0x190 + syscall_exit_to_user_mode+0x25/0x50 + do_syscall_64+0x4c/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +During umount(), if cp_error is set, f2fs_wait_on_all_pages() should +not stop waiting all F2FS_WB_CP_DATA pages to be writebacked, otherwise, +fsync_node_num can be non-zero after f2fs_wait_on_all_pages() causing +this bug. + +In this case, to avoid deadloop in f2fs_wait_on_all_pages(), it needs +to drop all dirty pages rather than redirtying them. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 12 ++++++++++-- + fs/f2fs/data.c | 3 ++- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index c68f1f8000f17..d6ae6de35af20 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -312,8 +312,15 @@ static int __f2fs_write_meta_page(struct page *page, + + trace_f2fs_writepage(page, META); + +- if (unlikely(f2fs_cp_error(sbi))) ++ if (unlikely(f2fs_cp_error(sbi))) { ++ if (is_sbi_flag_set(sbi, SBI_IS_CLOSE)) { ++ ClearPageUptodate(page); ++ dec_page_count(sbi, F2FS_DIRTY_META); ++ unlock_page(page); ++ return 0; ++ } + goto redirty_out; ++ } + if (unlikely(is_sbi_flag_set(sbi, SBI_POR_DOING))) + goto redirty_out; + if (wbc->for_reclaim && page->index < GET_SUM_BLOCK(sbi, 0)) +@@ -1298,7 +1305,8 @@ void f2fs_wait_on_all_pages(struct f2fs_sb_info *sbi, int type) + if (!get_pages(sbi, type)) + break; + +- if (unlikely(f2fs_cp_error(sbi))) ++ if (unlikely(f2fs_cp_error(sbi) && ++ !is_sbi_flag_set(sbi, SBI_IS_CLOSE))) + break; + + if (type == F2FS_DIRTY_META) +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index d38bffe28b034..3956852ad1de0 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -2764,7 +2764,8 @@ int f2fs_write_single_data_page(struct page *page, int *submitted, + * don't drop any dirty dentry pages for keeping lastest + * directory structure. + */ +- if (S_ISDIR(inode->i_mode)) ++ if (S_ISDIR(inode->i_mode) && ++ !is_sbi_flag_set(sbi, SBI_IS_CLOSE)) + goto redirty_out; + goto out; + } +-- +2.39.2 + diff --git a/queue-5.15/firmware-arm_sdei-fix-sleep-from-invalid-context-bug.patch b/queue-5.15/firmware-arm_sdei-fix-sleep-from-invalid-context-bug.patch new file mode 100644 index 00000000000..bb12a95c365 --- /dev/null +++ b/queue-5.15/firmware-arm_sdei-fix-sleep-from-invalid-context-bug.patch @@ -0,0 +1,236 @@ +From 15f1f08f2f4d468ba18b8299688cb600eaa3128e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 09:49:19 +0100 +Subject: firmware: arm_sdei: Fix sleep from invalid context BUG + +From: Pierre Gondois + +[ Upstream commit d2c48b2387eb89e0bf2a2e06e30987cf410acad4 ] + +Running a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra +triggers: + + BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46 + in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0 + preempt_count: 0, expected: 0 + RCU nest depth: 0, expected: 0 + 3 locks held by cpuhp/0/24: + #0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248 + #1: ffffda30217c7120 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248 + #2: ffffda3021c711f0 (sdei_list_lock){....}-{3:3}, at: sdei_cpuhp_up+0x3c/0x130 + irq event stamp: 36 + hardirqs last enabled at (35): [] finish_task_switch+0xb4/0x2b0 + hardirqs last disabled at (36): [] cpuhp_thread_fun+0x21c/0x248 + softirqs last enabled at (0): [] copy_process+0x63c/0x1ac0 + softirqs last disabled at (0): [<0000000000000000>] 0x0 + CPU: 0 PID: 24 Comm: cpuhp/0 Not tainted 5.19.0-rc3-rt5-[...] + Hardware name: WIWYNN Mt.Jade Server [...] + Call trace: + dump_backtrace+0x114/0x120 + show_stack+0x20/0x70 + dump_stack_lvl+0x9c/0xd8 + dump_stack+0x18/0x34 + __might_resched+0x188/0x228 + rt_spin_lock+0x70/0x120 + sdei_cpuhp_up+0x3c/0x130 + cpuhp_invoke_callback+0x250/0xf08 + cpuhp_thread_fun+0x120/0x248 + smpboot_thread_fn+0x280/0x320 + kthread+0x130/0x140 + ret_from_fork+0x10/0x20 + +sdei_cpuhp_up() is called in the STARTING hotplug section, +which runs with interrupts disabled. Use a CPUHP_AP_ONLINE_DYN entry +instead to execute the cpuhp cb later, with preemption enabled. + +SDEI originally got its own cpuhp slot to allow interacting +with perf. It got superseded by pNMI and this early slot is not +relevant anymore. [1] + +Some SDEI calls (e.g. SDEI_1_0_FN_SDEI_PE_MASK) take actions on the +calling CPU. It is checked that preemption is disabled for them. +_ONLINE cpuhp cb are executed in the 'per CPU hotplug thread'. +Preemption is enabled in those threads, but their cpumask is limited +to 1 CPU. +Move 'WARN_ON_ONCE(preemptible())' statements so that SDEI cpuhp cb +don't trigger them. + +Also add a check for the SDEI_1_0_FN_SDEI_PRIVATE_RESET SDEI call +which acts on the calling CPU. + +[1]: +https://lore.kernel.org/all/5813b8c5-ae3e-87fd-fccc-94c9cd08816d@arm.com/ + +Suggested-by: James Morse +Signed-off-by: Pierre Gondois +Reviewed-by: James Morse +Link: https://lore.kernel.org/r/20230216084920.144064-1-pierre.gondois@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_sdei.c | 37 ++++++++++++++++++++----------------- + include/linux/cpuhotplug.h | 1 - + 2 files changed, 20 insertions(+), 18 deletions(-) + +diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c +index 1e1a51510e83b..f9040bd610812 100644 +--- a/drivers/firmware/arm_sdei.c ++++ b/drivers/firmware/arm_sdei.c +@@ -43,6 +43,8 @@ static asmlinkage void (*sdei_firmware_call)(unsigned long function_id, + /* entry point from firmware to arch asm code */ + static unsigned long sdei_entry_point; + ++static int sdei_hp_state; ++ + struct sdei_event { + /* These three are protected by the sdei_list_lock */ + struct list_head list; +@@ -301,8 +303,6 @@ int sdei_mask_local_cpu(void) + { + int err; + +- WARN_ON_ONCE(preemptible()); +- + err = invoke_sdei_fn(SDEI_1_0_FN_SDEI_PE_MASK, 0, 0, 0, 0, 0, NULL); + if (err && err != -EIO) { + pr_warn_once("failed to mask CPU[%u]: %d\n", +@@ -315,6 +315,7 @@ int sdei_mask_local_cpu(void) + + static void _ipi_mask_cpu(void *ignored) + { ++ WARN_ON_ONCE(preemptible()); + sdei_mask_local_cpu(); + } + +@@ -322,8 +323,6 @@ int sdei_unmask_local_cpu(void) + { + int err; + +- WARN_ON_ONCE(preemptible()); +- + err = invoke_sdei_fn(SDEI_1_0_FN_SDEI_PE_UNMASK, 0, 0, 0, 0, 0, NULL); + if (err && err != -EIO) { + pr_warn_once("failed to unmask CPU[%u]: %d\n", +@@ -336,6 +335,7 @@ int sdei_unmask_local_cpu(void) + + static void _ipi_unmask_cpu(void *ignored) + { ++ WARN_ON_ONCE(preemptible()); + sdei_unmask_local_cpu(); + } + +@@ -343,6 +343,8 @@ static void _ipi_private_reset(void *ignored) + { + int err; + ++ WARN_ON_ONCE(preemptible()); ++ + err = invoke_sdei_fn(SDEI_1_0_FN_SDEI_PRIVATE_RESET, 0, 0, 0, 0, 0, + NULL); + if (err && err != -EIO) +@@ -389,8 +391,6 @@ static void _local_event_enable(void *data) + int err; + struct sdei_crosscall_args *arg = data; + +- WARN_ON_ONCE(preemptible()); +- + err = sdei_api_event_enable(arg->event->event_num); + + sdei_cross_call_return(arg, err); +@@ -479,8 +479,6 @@ static void _local_event_unregister(void *data) + int err; + struct sdei_crosscall_args *arg = data; + +- WARN_ON_ONCE(preemptible()); +- + err = sdei_api_event_unregister(arg->event->event_num); + + sdei_cross_call_return(arg, err); +@@ -561,8 +559,6 @@ static void _local_event_register(void *data) + struct sdei_registered_event *reg; + struct sdei_crosscall_args *arg = data; + +- WARN_ON(preemptible()); +- + reg = per_cpu_ptr(arg->event->private_registered, smp_processor_id()); + err = sdei_api_event_register(arg->event->event_num, sdei_entry_point, + reg, 0, 0); +@@ -717,6 +713,8 @@ static int sdei_pm_notifier(struct notifier_block *nb, unsigned long action, + { + int rv; + ++ WARN_ON_ONCE(preemptible()); ++ + switch (action) { + case CPU_PM_ENTER: + rv = sdei_mask_local_cpu(); +@@ -765,7 +763,7 @@ static int sdei_device_freeze(struct device *dev) + int err; + + /* unregister private events */ +- cpuhp_remove_state(CPUHP_AP_ARM_SDEI_STARTING); ++ cpuhp_remove_state(sdei_entry_point); + + err = sdei_unregister_shared(); + if (err) +@@ -786,12 +784,15 @@ static int sdei_device_thaw(struct device *dev) + return err; + } + +- err = cpuhp_setup_state(CPUHP_AP_ARM_SDEI_STARTING, "SDEI", ++ err = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "SDEI", + &sdei_cpuhp_up, &sdei_cpuhp_down); +- if (err) ++ if (err < 0) { + pr_warn("Failed to re-register CPU hotplug notifier...\n"); ++ return err; ++ } + +- return err; ++ sdei_hp_state = err; ++ return 0; + } + + static int sdei_device_restore(struct device *dev) +@@ -823,7 +824,7 @@ static int sdei_reboot_notifier(struct notifier_block *nb, unsigned long action, + * We are going to reset the interface, after this there is no point + * doing work when we take CPUs offline. + */ +- cpuhp_remove_state(CPUHP_AP_ARM_SDEI_STARTING); ++ cpuhp_remove_state(sdei_hp_state); + + sdei_platform_reset(); + +@@ -1003,13 +1004,15 @@ static int sdei_probe(struct platform_device *pdev) + goto remove_cpupm; + } + +- err = cpuhp_setup_state(CPUHP_AP_ARM_SDEI_STARTING, "SDEI", ++ err = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "SDEI", + &sdei_cpuhp_up, &sdei_cpuhp_down); +- if (err) { ++ if (err < 0) { + pr_warn("Failed to register CPU hotplug notifier...\n"); + goto remove_reboot; + } + ++ sdei_hp_state = err; ++ + return 0; + + remove_reboot: +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h +index c88ccc48877d6..dbca858ffa6da 100644 +--- a/include/linux/cpuhotplug.h ++++ b/include/linux/cpuhotplug.h +@@ -159,7 +159,6 @@ enum cpuhp_state { + CPUHP_AP_PERF_X86_CSTATE_STARTING, + CPUHP_AP_PERF_XTENSA_STARTING, + CPUHP_AP_MIPS_OP_LOONGSON3_STARTING, +- CPUHP_AP_ARM_SDEI_STARTING, + CPUHP_AP_ARM_VFP_STARTING, + CPUHP_AP_ARM64_DEBUG_MONITORS_STARTING, + CPUHP_AP_PERF_ARM_HW_BREAKPOINT_STARTING, +-- +2.39.2 + diff --git a/queue-5.15/fs-hfsplus-remove-warn_on-from-hfsplus_cat_-read-wri.patch b/queue-5.15/fs-hfsplus-remove-warn_on-from-hfsplus_cat_-read-wri.patch new file mode 100644 index 00000000000..a05a9e0ea04 --- /dev/null +++ b/queue-5.15/fs-hfsplus-remove-warn_on-from-hfsplus_cat_-read-wri.patch @@ -0,0 +1,110 @@ +From 93657bfff8a428d2f940a9e534b415e64a7d4f32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Apr 2023 19:57:33 +0900 +Subject: fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() + +From: Tetsuo Handa + +[ Upstream commit 81b21c0f0138ff5a499eafc3eb0578ad2a99622c ] + +syzbot is hitting WARN_ON() in hfsplus_cat_{read,write}_inode(), for +crafted filesystem image can contain bogus length. There conditions are +not kernel bugs that can justify kernel to panic. + +Reported-by: syzbot +Link: https://syzkaller.appspot.com/bug?extid=e2787430e752a92b8750 +Reported-by: syzbot +Link: https://syzkaller.appspot.com/bug?extid=4913dca2ea6e4d43f3f1 +Signed-off-by: Tetsuo Handa +Reviewed-by: Viacheslav Dubeyko +Message-Id: <15308173-5252-d6a3-ae3b-e96d46cb6f41@I-love.SAKURA.ne.jp> +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/hfsplus/inode.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c +index bf6f75f569e4d..87bc222dc9062 100644 +--- a/fs/hfsplus/inode.c ++++ b/fs/hfsplus/inode.c +@@ -509,7 +509,11 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd) + if (type == HFSPLUS_FOLDER) { + struct hfsplus_cat_folder *folder = &entry.folder; + +- WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_folder)); ++ if (fd->entrylength < sizeof(struct hfsplus_cat_folder)) { ++ pr_err("bad catalog folder entry\n"); ++ res = -EIO; ++ goto out; ++ } + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset, + sizeof(struct hfsplus_cat_folder)); + hfsplus_get_perms(inode, &folder->permissions, 1); +@@ -529,7 +533,11 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd) + } else if (type == HFSPLUS_FILE) { + struct hfsplus_cat_file *file = &entry.file; + +- WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_file)); ++ if (fd->entrylength < sizeof(struct hfsplus_cat_file)) { ++ pr_err("bad catalog file entry\n"); ++ res = -EIO; ++ goto out; ++ } + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset, + sizeof(struct hfsplus_cat_file)); + +@@ -560,6 +568,7 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd) + pr_err("bad catalog entry used to create inode\n"); + res = -EIO; + } ++out: + return res; + } + +@@ -568,6 +577,7 @@ int hfsplus_cat_write_inode(struct inode *inode) + struct inode *main_inode = inode; + struct hfs_find_data fd; + hfsplus_cat_entry entry; ++ int res = 0; + + if (HFSPLUS_IS_RSRC(inode)) + main_inode = HFSPLUS_I(inode)->rsrc_inode; +@@ -586,7 +596,11 @@ int hfsplus_cat_write_inode(struct inode *inode) + if (S_ISDIR(main_inode->i_mode)) { + struct hfsplus_cat_folder *folder = &entry.folder; + +- WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_folder)); ++ if (fd.entrylength < sizeof(struct hfsplus_cat_folder)) { ++ pr_err("bad catalog folder entry\n"); ++ res = -EIO; ++ goto out; ++ } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, + sizeof(struct hfsplus_cat_folder)); + /* simple node checks? */ +@@ -611,7 +625,11 @@ int hfsplus_cat_write_inode(struct inode *inode) + } else { + struct hfsplus_cat_file *file = &entry.file; + +- WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_file)); ++ if (fd.entrylength < sizeof(struct hfsplus_cat_file)) { ++ pr_err("bad catalog file entry\n"); ++ res = -EIO; ++ goto out; ++ } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, + sizeof(struct hfsplus_cat_file)); + hfsplus_inode_write_fork(inode, &file->data_fork); +@@ -632,7 +650,7 @@ int hfsplus_cat_write_inode(struct inode *inode) + set_bit(HFSPLUS_I_CAT_DIRTY, &HFSPLUS_I(inode)->flags); + out: + hfs_find_exit(&fd); +- return 0; ++ return res; + } + + int hfsplus_fileattr_get(struct dentry *dentry, struct fileattr *fa) +-- +2.39.2 + diff --git a/queue-5.15/fs-ntfs3-add-length-check-in-indx_get_root.patch b/queue-5.15/fs-ntfs3-add-length-check-in-indx_get_root.patch new file mode 100644 index 00000000000..2e7c41aa386 --- /dev/null +++ b/queue-5.15/fs-ntfs3-add-length-check-in-indx_get_root.patch @@ -0,0 +1,133 @@ +From 33b4b518da8f1ecccf2788a2e6954c12eebb468e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Oct 2022 23:15:06 +0800 +Subject: fs/ntfs3: Add length check in indx_get_root + +From: Edward Lo + +[ Upstream commit 08e8cf5f2d9ec383a2e339a2711b62a54ff3fba0 ] + +This adds a length check to guarantee the retrieved index root is legit. + +[ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320 +[ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243 +[ 162.460851] +[ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42 +[ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 162.462609] Call Trace: +[ 162.462954] +[ 162.463276] dump_stack_lvl+0x49/0x63 +[ 162.463822] print_report.cold+0xf5/0x689 +[ 162.464608] ? unwind_get_return_address+0x3a/0x60 +[ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320 +[ 162.466975] kasan_report+0xa7/0x130 +[ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0 +[ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320 +[ 162.468536] __asan_load2+0x68/0x90 +[ 162.468923] hdr_find_e.isra.0+0x10c/0x320 +[ 162.469282] ? cmp_uints+0xe0/0xe0 +[ 162.469557] ? cmp_sdh+0x90/0x90 +[ 162.469864] ? ni_find_attr+0x214/0x300 +[ 162.470217] ? ni_load_mi+0x80/0x80 +[ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 162.470931] ? ntfs_bread_run+0x190/0x190 +[ 162.471307] ? indx_get_root+0xe4/0x190 +[ 162.471556] ? indx_get_root+0x140/0x190 +[ 162.471833] ? indx_init+0x1e0/0x1e0 +[ 162.472069] ? fnd_clear+0x115/0x140 +[ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100 +[ 162.472731] indx_find+0x184/0x470 +[ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0 +[ 162.474429] ? indx_find_buffer+0x2d0/0x2d0 +[ 162.474704] ? do_syscall_64+0x3b/0x90 +[ 162.474962] dir_search_u+0x196/0x2f0 +[ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450 +[ 162.475661] ? ntfs_security_init+0x3d6/0x440 +[ 162.475906] ? is_sd_valid+0x180/0x180 +[ 162.476191] ntfs_extend_init+0x13f/0x2c0 +[ 162.476496] ? ntfs_fix_post_read+0x130/0x130 +[ 162.476861] ? iput.part.0+0x286/0x320 +[ 162.477325] ntfs_fill_super+0x11e0/0x1b50 +[ 162.477709] ? put_ntfs+0x1d0/0x1d0 +[ 162.477970] ? vsprintf+0x20/0x20 +[ 162.478258] ? set_blocksize+0x95/0x150 +[ 162.478538] get_tree_bdev+0x232/0x370 +[ 162.478789] ? put_ntfs+0x1d0/0x1d0 +[ 162.479038] ntfs_fs_get_tree+0x15/0x20 +[ 162.479374] vfs_get_tree+0x4c/0x130 +[ 162.479729] path_mount+0x654/0xfe0 +[ 162.480124] ? putname+0x80/0xa0 +[ 162.480484] ? finish_automount+0x2e0/0x2e0 +[ 162.480894] ? putname+0x80/0xa0 +[ 162.481467] ? kmem_cache_free+0x1c4/0x440 +[ 162.482280] ? putname+0x80/0xa0 +[ 162.482714] do_mount+0xd6/0xf0 +[ 162.483264] ? path_mount+0xfe0/0xfe0 +[ 162.484782] ? __kasan_check_write+0x14/0x20 +[ 162.485593] __x64_sys_mount+0xca/0x110 +[ 162.486024] do_syscall_64+0x3b/0x90 +[ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 162.487141] RIP: 0033:0x7f9d374e948a +[ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a +[ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0 +[ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020 +[ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0 +[ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff +[ 162.493644] +[ 162.493908] +[ 162.494214] The buggy address belongs to the physical page: +[ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc +[ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) +[ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000 +[ 162.498928] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000 +[ 162.500542] page dumped because: kasan: bad access detected +[ 162.501057] +[ 162.501242] Memory state around the buggy address: +[ 162.502230] ffff8880037bc980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.502977] ffff8880037bca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.503522] >ffff8880037bca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.503963] ^ +[ 162.504370] ffff8880037bcb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.504766] ffff8880037bcb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/index.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c +index f62e0df7a7b4e..1ae3b310869d6 100644 +--- a/fs/ntfs3/index.c ++++ b/fs/ntfs3/index.c +@@ -934,6 +934,7 @@ struct INDEX_ROOT *indx_get_root(struct ntfs_index *indx, struct ntfs_inode *ni, + struct ATTR_LIST_ENTRY *le = NULL; + struct ATTRIB *a; + const struct INDEX_NAMES *in = &s_index_names[indx->type]; ++ struct INDEX_ROOT *root = NULL; + + a = ni_find_attr(ni, NULL, &le, ATTR_ROOT, in->name, in->name_len, NULL, + mi); +@@ -943,7 +944,15 @@ struct INDEX_ROOT *indx_get_root(struct ntfs_index *indx, struct ntfs_inode *ni, + if (attr) + *attr = a; + +- return resident_data_ex(a, sizeof(struct INDEX_ROOT)); ++ root = resident_data_ex(a, sizeof(struct INDEX_ROOT)); ++ ++ /* length check */ ++ if (root && offsetof(struct INDEX_ROOT, ihdr) + le32_to_cpu(root->ihdr.used) > ++ le32_to_cpu(a->res.data_size)) { ++ return NULL; ++ } ++ ++ return root; + } + + static int indx_write(struct ntfs_index *indx, struct ntfs_inode *ni, +-- +2.39.2 + diff --git a/queue-5.15/fs-ntfs3-enhance-the-attribute-size-check.patch b/queue-5.15/fs-ntfs3-enhance-the-attribute-size-check.patch new file mode 100644 index 00000000000..4d4c2e5039f --- /dev/null +++ b/queue-5.15/fs-ntfs3-enhance-the-attribute-size-check.patch @@ -0,0 +1,135 @@ +From 7918774bd4842d95484cf9de5632023bf653f80d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 23:33:37 +0800 +Subject: fs/ntfs3: Enhance the attribute size check + +From: Edward Lo + +[ Upstream commit 4f082a7531223a438c757bb20e304f4c941c67a8 ] + +This combines the overflow and boundary check so that all attribute size +will be properly examined while enumerating them. + +[ 169.181521] BUG: KASAN: slab-out-of-bounds in run_unpack+0x2e3/0x570 +[ 169.183161] Read of size 1 at addr ffff8880094b6240 by task mount/247 +[ 169.184046] +[ 169.184925] CPU: 0 PID: 247 Comm: mount Not tainted 6.0.0-rc7+ #3 +[ 169.185908] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 169.187066] Call Trace: +[ 169.187492] +[ 169.188049] dump_stack_lvl+0x49/0x63 +[ 169.188495] print_report.cold+0xf5/0x689 +[ 169.188964] ? run_unpack+0x2e3/0x570 +[ 169.189331] kasan_report+0xa7/0x130 +[ 169.189714] ? run_unpack+0x2e3/0x570 +[ 169.190079] __asan_load1+0x51/0x60 +[ 169.190634] run_unpack+0x2e3/0x570 +[ 169.191290] ? run_pack+0x840/0x840 +[ 169.191569] ? run_lookup_entry+0xb3/0x1f0 +[ 169.192443] ? mi_enum_attr+0x20a/0x230 +[ 169.192886] run_unpack_ex+0xad/0x3e0 +[ 169.193276] ? run_unpack+0x570/0x570 +[ 169.193557] ? ni_load_mi+0x80/0x80 +[ 169.193889] ? debug_smp_processor_id+0x17/0x20 +[ 169.194236] ? mi_init+0x4a/0x70 +[ 169.194496] attr_load_runs_vcn+0x166/0x1c0 +[ 169.194851] ? attr_data_write_resident+0x250/0x250 +[ 169.195188] mi_read+0x133/0x2c0 +[ 169.195481] ntfs_iget5+0x277/0x1780 +[ 169.196017] ? call_rcu+0x1c7/0x330 +[ 169.196392] ? ntfs_get_block_bmap+0x70/0x70 +[ 169.196708] ? evict+0x223/0x280 +[ 169.197014] ? __kmalloc+0x33/0x540 +[ 169.197305] ? wnd_init+0x15b/0x1b0 +[ 169.197599] ntfs_fill_super+0x1026/0x1ba0 +[ 169.197994] ? put_ntfs+0x1d0/0x1d0 +[ 169.198299] ? vsprintf+0x20/0x20 +[ 169.198583] ? mutex_unlock+0x81/0xd0 +[ 169.198930] ? set_blocksize+0x95/0x150 +[ 169.199269] get_tree_bdev+0x232/0x370 +[ 169.199750] ? put_ntfs+0x1d0/0x1d0 +[ 169.200094] ntfs_fs_get_tree+0x15/0x20 +[ 169.200431] vfs_get_tree+0x4c/0x130 +[ 169.200714] path_mount+0x654/0xfe0 +[ 169.201067] ? putname+0x80/0xa0 +[ 169.201358] ? finish_automount+0x2e0/0x2e0 +[ 169.201965] ? putname+0x80/0xa0 +[ 169.202445] ? kmem_cache_free+0x1c4/0x440 +[ 169.203075] ? putname+0x80/0xa0 +[ 169.203414] do_mount+0xd6/0xf0 +[ 169.203719] ? path_mount+0xfe0/0xfe0 +[ 169.203977] ? __kasan_check_write+0x14/0x20 +[ 169.204382] __x64_sys_mount+0xca/0x110 +[ 169.204711] do_syscall_64+0x3b/0x90 +[ 169.205059] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 169.205571] RIP: 0033:0x7f67a80e948a +[ 169.206327] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 169.208296] RSP: 002b:00007ffddf020f58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 169.209253] RAX: ffffffffffffffda RBX: 000055e2547a6060 RCX: 00007f67a80e948a +[ 169.209777] RDX: 000055e2547a6260 RSI: 000055e2547a62e0 RDI: 000055e2547aeaf0 +[ 169.210342] RBP: 0000000000000000 R08: 000055e2547a6280 R09: 0000000000000020 +[ 169.210843] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055e2547aeaf0 +[ 169.211307] R13: 000055e2547a6260 R14: 0000000000000000 R15: 00000000ffffffff +[ 169.211913] +[ 169.212304] +[ 169.212680] Allocated by task 0: +[ 169.212963] (stack is not available) +[ 169.213200] +[ 169.213472] The buggy address belongs to the object at ffff8880094b5e00 +[ 169.213472] which belongs to the cache UDP of size 1152 +[ 169.214095] The buggy address is located 1088 bytes inside of +[ 169.214095] 1152-byte region [ffff8880094b5e00, ffff8880094b6280) +[ 169.214639] +[ 169.215004] The buggy address belongs to the physical page: +[ 169.215766] page:000000002e324c8c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94b4 +[ 169.218412] head:000000002e324c8c order:2 compound_mapcount:0 compound_pincount:0 +[ 169.219078] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) +[ 169.220272] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888002409b40 +[ 169.221006] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 +[ 169.222320] page dumped because: kasan: bad access detected +[ 169.222922] +[ 169.223119] Memory state around the buggy address: +[ 169.224056] ffff8880094b6100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 169.224908] ffff8880094b6180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 169.225677] >ffff8880094b6200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 169.226445] ^ +[ 169.227055] ffff8880094b6280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 169.227638] ffff8880094b6300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/record.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c +index fd342da398bea..41f6e578966b2 100644 +--- a/fs/ntfs3/record.c ++++ b/fs/ntfs3/record.c +@@ -220,11 +220,6 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + return NULL; + } + +- if (off + asize < off) { +- /* overflow check */ +- return NULL; +- } +- + attr = Add2Ptr(attr, asize); + off += asize; + } +@@ -247,8 +242,8 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) + if ((t32 & 0xf) || (t32 > 0x100)) + return NULL; + +- /* Check boundary. */ +- if (off + asize > used) ++ /* Check overflow and boundary. */ ++ if (off + asize < off || off + asize > used) + return NULL; + + /* Check size of attribute. */ +-- +2.39.2 + diff --git a/queue-5.15/fs-ntfs3-fix-a-possible-null-pointer-dereference-in-.patch b/queue-5.15/fs-ntfs3-fix-a-possible-null-pointer-dereference-in-.patch new file mode 100644 index 00000000000..ef6dd8d01e9 --- /dev/null +++ b/queue-5.15/fs-ntfs3-fix-a-possible-null-pointer-dereference-in-.patch @@ -0,0 +1,49 @@ +From 3ba0830a592a242282c2030febda538bf598f06f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 16:59:43 +0800 +Subject: fs/ntfs3: Fix a possible null-pointer dereference in ni_clear() + +From: Jia-Ju Bai + +[ Upstream commit ec275bf9693d19cc0fdce8436f4c425ced86f6e7 ] + +In a previous commit c1006bd13146, ni->mi.mrec in ni_write_inode() +could be NULL, and thus a NULL check is added for this variable. + +However, in the same call stack, ni->mi.mrec can be also dereferenced +in ni_clear(): + +ntfs_evict_inode(inode) + ni_write_inode(inode, ...) + ni = ntfs_i(inode); + is_rec_inuse(ni->mi.mrec) -> Add a NULL check by previous commit + ni_clear(ntfs_i(inode)) + is_rec_inuse(ni->mi.mrec) -> No check + +Thus, a possible null-pointer dereference may exist in ni_clear(). +To fix it, a NULL check is added in this function. + +Signed-off-by: Jia-Ju Bai +Reported-by: TOTE Robot +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/frecord.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c +index 95556515ded3d..d24e12d348d49 100644 +--- a/fs/ntfs3/frecord.c ++++ b/fs/ntfs3/frecord.c +@@ -101,7 +101,7 @@ void ni_clear(struct ntfs_inode *ni) + { + struct rb_node *node; + +- if (!ni->vfs_inode.i_nlink && is_rec_inuse(ni->mi.mrec)) ++ if (!ni->vfs_inode.i_nlink && ni->mi.mrec && is_rec_inuse(ni->mi.mrec)) + ni_delete_all(ni); + + al_destroy(ni); +-- +2.39.2 + diff --git a/queue-5.15/fs-ntfs3-fix-null-dereference-in-ni_write_inode.patch b/queue-5.15/fs-ntfs3-fix-null-dereference-in-ni_write_inode.patch new file mode 100644 index 00000000000..60356c3c406 --- /dev/null +++ b/queue-5.15/fs-ntfs3-fix-null-dereference-in-ni_write_inode.patch @@ -0,0 +1,43 @@ +From 6d120f840c0a339909bc89dc8a0624a8aed1a9c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Oct 2022 12:32:51 +0530 +Subject: fs/ntfs3: Fix NULL dereference in ni_write_inode + +From: Abdun Nihaal + +[ Upstream commit 8dae4f6341e335a09575be60b4fdf697c732a470 ] + +Syzbot reports a NULL dereference in ni_write_inode. +When creating a new inode, if allocation fails in mi_init function +(called in mi_format_new function), mi->mrec is set to NULL. +In the error path of this inode creation, mi->mrec is later +dereferenced in ni_write_inode. + +Add a NULL check to prevent NULL dereference. + +Link: https://syzkaller.appspot.com/bug?extid=f45957555ed4a808cc7a +Reported-and-tested-by: syzbot+f45957555ed4a808cc7a@syzkaller.appspotmail.com +Signed-off-by: Abdun Nihaal +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/frecord.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c +index cdeb0b51f0ba8..95556515ded3d 100644 +--- a/fs/ntfs3/frecord.c ++++ b/fs/ntfs3/frecord.c +@@ -3189,6 +3189,9 @@ int ni_write_inode(struct inode *inode, int sync, const char *hint) + return 0; + } + ++ if (!ni->mi.mrec) ++ goto out; ++ + if (is_rec_inuse(ni->mi.mrec) && + !(sbi->flags & NTFS_FLAGS_LOG_REPLAYING) && inode->i_nlink) { + bool modified = false; +-- +2.39.2 + diff --git a/queue-5.15/fs-ntfs3-fix-null-pointer-dereference-in-ni_write_in.patch b/queue-5.15/fs-ntfs3-fix-null-pointer-dereference-in-ni_write_in.patch new file mode 100644 index 00000000000..42a3391b88b --- /dev/null +++ b/queue-5.15/fs-ntfs3-fix-null-pointer-dereference-in-ni_write_in.patch @@ -0,0 +1,109 @@ +From 21f039b98dae19b43d742c13a9ad5e7f52dc6ef0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 17:19:12 +0800 +Subject: fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode' + +From: Ye Bin + +[ Upstream commit db2a3cc6a3481076da6344cc62a80a4e2525f36f ] + +Syzbot found the following issue: +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000016 +Mem abort info: + ESR = 0x0000000096000006 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x06: level 2 translation fault +Data abort info: + ISV = 0, ISS = 0x00000006 + CM = 0, WnR = 0 +user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000 +[0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000 +Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP +Modules linked in: +CPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 +pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] +pc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 +lr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226 +sp : ffff8000126c3800 +x29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000 +x26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000 +x23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000 +x20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0 +x17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500 +x14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500 +x11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500 +x8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000 +x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 +x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000 +Call trace: + is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] + ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 + ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744 + evict+0xec/0x334 fs/inode.c:665 + iput_final fs/inode.c:1748 [inline] + iput+0x2c4/0x324 fs/inode.c:1774 + ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660 + ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278 + ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100 + lookup_open fs/namei.c:3413 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x804/0x11c4 fs/namei.c:3688 + do_filp_open+0xdc/0x1b8 fs/namei.c:3718 + do_sys_openat2+0xb8/0x22c fs/open.c:1311 + do_sys_open fs/open.c:1327 [inline] + __do_sys_openat fs/open.c:1343 [inline] + __se_sys_openat fs/open.c:1338 [inline] + __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338 + __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] + invoke_syscall arch/arm64/kernel/syscall.c:52 [inline] + el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142 + do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206 + el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636 + el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654 + el0t_64_sync+0x18c/0x190 +Code: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14) +---[ end trace 0000000000000000 ]--- + +Above issue may happens as follows: +ntfs_new_inode + mi_init + mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); -->failed to allocate memory + if (!mi->mrec) + return -ENOMEM; +iput + iput_final + evict + ntfs_evict_inode + ni_write_inode + is_rec_inuse(ni->mi.mrec)-> As 'ni->mi.mrec' is NULL trigger NULL-ptr-deref + +To solve above issue if new inode failed make inode bad before call 'iput()' in +'ntfs_new_inode()'. + +Reported-by: syzbot+f45957555ed4a808cc7a@syzkaller.appspotmail.com +Signed-off-by: Ye Bin +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/fsntfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c +index 4a97a28cb8f29..3c823613de97d 100644 +--- a/fs/ntfs3/fsntfs.c ++++ b/fs/ntfs3/fsntfs.c +@@ -1686,6 +1686,7 @@ struct ntfs_inode *ntfs_new_inode(struct ntfs_sb_info *sbi, CLST rno, bool dir) + + out: + if (err) { ++ make_bad_inode(inode); + iput(inode); + ni = ERR_PTR(err); + } +-- +2.39.2 + diff --git a/queue-5.15/fs-ntfs3-validate-mft-flags-before-replaying-logs.patch b/queue-5.15/fs-ntfs3-validate-mft-flags-before-replaying-logs.patch new file mode 100644 index 00000000000..5a6aa458bfd --- /dev/null +++ b/queue-5.15/fs-ntfs3-validate-mft-flags-before-replaying-logs.patch @@ -0,0 +1,141 @@ +From fddd861891c87bbb882477b917ee8a83e480abb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 23:39:44 +0800 +Subject: fs/ntfs3: Validate MFT flags before replaying logs + +From: Edward Lo + +[ Upstream commit 98bea253aa28ad8be2ce565a9ca21beb4a9419e5 ] + +Log load and replay is part of the metadata handle flow during mount +operation. The $MFT record will be loaded and used while replaying logs. +However, a malformed $MFT record, say, has RECORD_FLAG_DIR flag set and +contains an ATTR_ROOT attribute will misguide kernel to treat it as a +directory, and try to free the allocated resources when the +corresponding inode is freed, which will cause an invalid kfree because +the memory hasn't actually been allocated. + +[ 101.368647] BUG: KASAN: invalid-free in kvfree+0x2c/0x40 +[ 101.369457] +[ 101.369986] CPU: 0 PID: 198 Comm: mount Not tainted 6.0.0-rc7+ #5 +[ 101.370529] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 101.371362] Call Trace: +[ 101.371795] +[ 101.372157] dump_stack_lvl+0x49/0x63 +[ 101.372658] print_report.cold+0xf5/0x689 +[ 101.373022] ? ni_write_inode+0x754/0xd90 +[ 101.373378] ? kvfree+0x2c/0x40 +[ 101.373698] kasan_report_invalid_free+0x77/0xf0 +[ 101.374058] ? kvfree+0x2c/0x40 +[ 101.374352] ? kvfree+0x2c/0x40 +[ 101.374668] __kasan_slab_free+0x189/0x1b0 +[ 101.374992] ? kvfree+0x2c/0x40 +[ 101.375271] kfree+0x168/0x3b0 +[ 101.375717] kvfree+0x2c/0x40 +[ 101.376002] indx_clear+0x26/0x60 +[ 101.376316] ni_clear+0xc5/0x290 +[ 101.376661] ntfs_evict_inode+0x45/0x70 +[ 101.377001] evict+0x199/0x280 +[ 101.377432] iput.part.0+0x286/0x320 +[ 101.377819] iput+0x32/0x50 +[ 101.378166] ntfs_loadlog_and_replay+0x143/0x320 +[ 101.378656] ? ntfs_bio_fill_1+0x510/0x510 +[ 101.378968] ? iput.part.0+0x286/0x320 +[ 101.379367] ntfs_fill_super+0xecb/0x1ba0 +[ 101.379729] ? put_ntfs+0x1d0/0x1d0 +[ 101.380046] ? vsprintf+0x20/0x20 +[ 101.380542] ? mutex_unlock+0x81/0xd0 +[ 101.380914] ? set_blocksize+0x95/0x150 +[ 101.381597] get_tree_bdev+0x232/0x370 +[ 101.382254] ? put_ntfs+0x1d0/0x1d0 +[ 101.382699] ntfs_fs_get_tree+0x15/0x20 +[ 101.383094] vfs_get_tree+0x4c/0x130 +[ 101.383675] path_mount+0x654/0xfe0 +[ 101.384203] ? putname+0x80/0xa0 +[ 101.384540] ? finish_automount+0x2e0/0x2e0 +[ 101.384943] ? putname+0x80/0xa0 +[ 101.385362] ? kmem_cache_free+0x1c4/0x440 +[ 101.385968] ? putname+0x80/0xa0 +[ 101.386666] do_mount+0xd6/0xf0 +[ 101.387228] ? path_mount+0xfe0/0xfe0 +[ 101.387585] ? __kasan_check_write+0x14/0x20 +[ 101.387979] __x64_sys_mount+0xca/0x110 +[ 101.388436] do_syscall_64+0x3b/0x90 +[ 101.388757] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 101.389289] RIP: 0033:0x7fa0f70e948a +[ 101.390048] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 101.391297] RSP: 002b:00007ffc24fdecc8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 101.391988] RAX: ffffffffffffffda RBX: 000055932c183060 RCX: 00007fa0f70e948a +[ 101.392494] RDX: 000055932c183260 RSI: 000055932c1832e0 RDI: 000055932c18bce0 +[ 101.393053] RBP: 0000000000000000 R08: 000055932c183280 R09: 0000000000000020 +[ 101.393577] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055932c18bce0 +[ 101.394044] R13: 000055932c183260 R14: 0000000000000000 R15: 00000000ffffffff +[ 101.394747] +[ 101.395402] +[ 101.396047] Allocated by task 198: +[ 101.396724] kasan_save_stack+0x26/0x50 +[ 101.397400] __kasan_slab_alloc+0x6d/0x90 +[ 101.397974] kmem_cache_alloc_lru+0x192/0x5a0 +[ 101.398524] ntfs_alloc_inode+0x23/0x70 +[ 101.399137] alloc_inode+0x3b/0xf0 +[ 101.399534] iget5_locked+0x54/0xa0 +[ 101.400026] ntfs_iget5+0xaf/0x1780 +[ 101.400414] ntfs_loadlog_and_replay+0xe5/0x320 +[ 101.400883] ntfs_fill_super+0xecb/0x1ba0 +[ 101.401313] get_tree_bdev+0x232/0x370 +[ 101.401774] ntfs_fs_get_tree+0x15/0x20 +[ 101.402224] vfs_get_tree+0x4c/0x130 +[ 101.402673] path_mount+0x654/0xfe0 +[ 101.403160] do_mount+0xd6/0xf0 +[ 101.403537] __x64_sys_mount+0xca/0x110 +[ 101.404058] do_syscall_64+0x3b/0x90 +[ 101.404333] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 101.404816] +[ 101.405067] The buggy address belongs to the object at ffff888008cc9ea0 +[ 101.405067] which belongs to the cache ntfs_inode_cache of size 992 +[ 101.406171] The buggy address is located 232 bytes inside of +[ 101.406171] 992-byte region [ffff888008cc9ea0, ffff888008cca280) +[ 101.406995] +[ 101.408559] The buggy address belongs to the physical page: +[ 101.409320] page:00000000dccf19dd refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cc8 +[ 101.410654] head:00000000dccf19dd order:2 compound_mapcount:0 compound_pincount:0 +[ 101.411533] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) +[ 101.412665] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888003695140 +[ 101.413209] raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000 +[ 101.413799] page dumped because: kasan: bad access detected +[ 101.414213] +[ 101.414427] Memory state around the buggy address: +[ 101.414991] ffff888008cc9e80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 +[ 101.415785] ffff888008cc9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 101.416933] >ffff888008cc9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 101.417857] ^ +[ 101.418566] ffff888008cca000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 101.419704] ffff888008cca080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index 359eff346910e..2034c0ae6549b 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -98,6 +98,12 @@ static struct inode *ntfs_read_mft(struct inode *inode, + /* Record should contain $I30 root. */ + is_dir = rec->flags & RECORD_FLAG_DIR; + ++ /* MFT_REC_MFT is not a dir */ ++ if (is_dir && ino == MFT_REC_MFT) { ++ err = -EINVAL; ++ goto out; ++ } ++ + inode->i_generation = le16_to_cpu(rec->seq); + + /* Enumerate all struct Attributes MFT. */ +-- +2.39.2 + diff --git a/queue-5.15/gfs2-fix-inode-height-consistency-check.patch b/queue-5.15/gfs2-fix-inode-height-consistency-check.patch new file mode 100644 index 00000000000..0e9f9de3825 --- /dev/null +++ b/queue-5.15/gfs2-fix-inode-height-consistency-check.patch @@ -0,0 +1,49 @@ +From 2bfb88e5845d865f41b3399c0536eabee1e2ee8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 00:43:16 +0200 +Subject: gfs2: Fix inode height consistency check + +From: Andreas Gruenbacher + +[ Upstream commit cfcdb5bad34f600aed7613c3c1a5e618111f77b7 ] + +The maximum allowed height of an inode's metadata tree depends on the +filesystem block size; it is lower for bigger-block filesystems. When +reading in an inode, make sure that the height doesn't exceed the +maximum allowed height. + +Arrays like sd_heightsize are sized to be big enough for any filesystem +block size; they will often be slightly bigger than what's needed for a +specific filesystem. + +Reported-by: syzbot+45d4691b1ed3c48eba05@syzkaller.appspotmail.com +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c +index 450032b4c886e..558932ad89d5d 100644 +--- a/fs/gfs2/glops.c ++++ b/fs/gfs2/glops.c +@@ -394,6 +394,7 @@ static int inode_go_demote_ok(const struct gfs2_glock *gl) + + static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf) + { ++ struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode); + const struct gfs2_dinode *str = buf; + struct timespec64 atime; + u16 height, depth; +@@ -440,7 +441,7 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf) + /* i_diskflags and i_eattr must be set before gfs2_set_inode_flags() */ + gfs2_set_inode_flags(inode); + height = be16_to_cpu(str->di_height); +- if (unlikely(height > GFS2_MAX_META_HEIGHT)) ++ if (unlikely(height > sdp->sd_max_height)) + goto corrupt; + ip->i_height = (u8)height; + +-- +2.39.2 + diff --git a/queue-5.15/hid-logitech-hidpp-don-t-use-the-usb-serial-for-usb-.patch b/queue-5.15/hid-logitech-hidpp-don-t-use-the-usb-serial-for-usb-.patch new file mode 100644 index 00000000000..976987de5b6 --- /dev/null +++ b/queue-5.15/hid-logitech-hidpp-don-t-use-the-usb-serial-for-usb-.patch @@ -0,0 +1,101 @@ +From 5d65827e336cef02b5f4e9442ee7b9a312d4ab4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 14:01:16 +0100 +Subject: HID: logitech-hidpp: Don't use the USB serial for USB devices + +From: Bastien Nocera + +[ Upstream commit 7ad1fe0da0fa91bf920b79ab05ae97bfabecc4f4 ] + +For devices that support the 0x0003 feature (Device Information) version 4, +set the serial based on the output of that feature, rather than relying +on the usbhid code setting the USB serial. + +This should allow the serial when connected through USB to (nearly) +match the one when connected through a unifying receiver. + +For example, on the serials on a G903 wired/wireless mouse: +- Unifying: 4067-e8-ce-cd-45 +- USB before patch: 017C385C3837 +- USB after patch: c086-e8-ce-cd-45 + +Signed-off-by: Bastien Nocera +Link: https://lore.kernel.org/r/20230302130117.3975-1-hadess@hadess.net +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 51 ++++++++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index 601ab673727dc..5eb25812e9479 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -928,6 +928,55 @@ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp) + return 0; + } + ++/* -------------------------------------------------------------------------- */ ++/* 0x0003: Device Information */ ++/* -------------------------------------------------------------------------- */ ++ ++#define HIDPP_PAGE_DEVICE_INFORMATION 0x0003 ++ ++#define CMD_GET_DEVICE_INFO 0x00 ++ ++static int hidpp_get_serial(struct hidpp_device *hidpp, u32 *serial) ++{ ++ struct hidpp_report response; ++ u8 feature_type; ++ u8 feature_index; ++ int ret; ++ ++ ret = hidpp_root_get_feature(hidpp, HIDPP_PAGE_DEVICE_INFORMATION, ++ &feature_index, ++ &feature_type); ++ if (ret) ++ return ret; ++ ++ ret = hidpp_send_fap_command_sync(hidpp, feature_index, ++ CMD_GET_DEVICE_INFO, ++ NULL, 0, &response); ++ if (ret) ++ return ret; ++ ++ /* See hidpp_unifying_get_serial() */ ++ *serial = *((u32 *)&response.rap.params[1]); ++ return 0; ++} ++ ++static int hidpp_serial_init(struct hidpp_device *hidpp) ++{ ++ struct hid_device *hdev = hidpp->hid_dev; ++ u32 serial; ++ int ret; ++ ++ ret = hidpp_get_serial(hidpp, &serial); ++ if (ret) ++ return ret; ++ ++ snprintf(hdev->uniq, sizeof(hdev->uniq), "%04x-%4phD", ++ hdev->product, &serial); ++ dbg_hid("HID++ DeviceInformation: Got serial: %s\n", hdev->uniq); ++ ++ return 0; ++} ++ + /* -------------------------------------------------------------------------- */ + /* 0x0005: GetDeviceNameType */ + /* -------------------------------------------------------------------------- */ +@@ -4141,6 +4190,8 @@ static int hidpp_probe(struct hid_device *hdev, const struct hid_device_id *id) + + if (hidpp->quirks & HIDPP_QUIRK_UNIFYING) + hidpp_unifying_init(hidpp); ++ else if (hid_is_usb(hidpp->hid_dev)) ++ hidpp_serial_init(hidpp); + + connected = hidpp_root_get_protocol_version(hidpp) == 0; + atomic_set(&hidpp->connected, connected); +-- +2.39.2 + diff --git a/queue-5.15/hid-logitech-hidpp-reconcile-usb-and-unifying-serial.patch b/queue-5.15/hid-logitech-hidpp-reconcile-usb-and-unifying-serial.patch new file mode 100644 index 00000000000..e3805222cbf --- /dev/null +++ b/queue-5.15/hid-logitech-hidpp-reconcile-usb-and-unifying-serial.patch @@ -0,0 +1,55 @@ +From 3bed78c62981b7aabd2b518d8eb7d14c8b2cfe89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 14:01:17 +0100 +Subject: HID: logitech-hidpp: Reconcile USB and Unifying serials + +From: Bastien Nocera + +[ Upstream commit 5b3691d15e04b6d5a32c915577b8dbc5cfb56382 ] + +Now that USB HID++ devices can gather a serial number that matches the +one that would be gathered when connected through a Unifying receiver, +remove the last difference by dropping the product ID as devices +usually have different product IDs when connected through USB or +Unifying. + +For example, on the serials on a G903 wired/wireless mouse: +- Unifying before patch: 4067-e8-ce-cd-45 +- USB before patch: c086-e8-ce-cd-45 +- Unifying and USB after patch: e8-ce-cd-45 + +Signed-off-by: Bastien Nocera +Link: https://lore.kernel.org/r/20230302130117.3975-2-hadess@hadess.net +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index 5eb25812e9479..baa68ae9b9efc 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -834,8 +834,7 @@ static int hidpp_unifying_init(struct hidpp_device *hidpp) + if (ret) + return ret; + +- snprintf(hdev->uniq, sizeof(hdev->uniq), "%04x-%4phD", +- hdev->product, &serial); ++ snprintf(hdev->uniq, sizeof(hdev->uniq), "%4phD", &serial); + dbg_hid("HID++ Unifying: Got serial: %s\n", hdev->uniq); + + name = hidpp_unifying_get_name(hidpp); +@@ -970,8 +969,7 @@ static int hidpp_serial_init(struct hidpp_device *hidpp) + if (ret) + return ret; + +- snprintf(hdev->uniq, sizeof(hdev->uniq), "%04x-%4phD", +- hdev->product, &serial); ++ snprintf(hdev->uniq, sizeof(hdev->uniq), "%4phD", &serial); + dbg_hid("HID++ DeviceInformation: Got serial: %s\n", hdev->uniq); + + return 0; +-- +2.39.2 + diff --git a/queue-5.15/hid-wacom-generic-set-battery-quirk-only-when-we-see.patch b/queue-5.15/hid-wacom-generic-set-battery-quirk-only-when-we-see.patch new file mode 100644 index 00000000000..46d48c1e3f9 --- /dev/null +++ b/queue-5.15/hid-wacom-generic-set-battery-quirk-only-when-we-see.patch @@ -0,0 +1,104 @@ +From 7d9feaa5a903296ac9c9d08e9989dddf5b2d146d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 11:17:43 -0700 +Subject: HID: wacom: generic: Set battery quirk only when we see battery data + +From: Jason Gerecke + +[ Upstream commit bea407a427baa019758f29f4d31b26f008bb8cc6 ] + +Some devices will include battery status usages in the HID descriptor +but we won't see that battery data for one reason or another. For example, +AES sensors won't send battery data unless an AES pen is in proximity. +If a user does not have an AES pen but instead only interacts with the +AES touchscreen with their fingers then there is no need for us to create +a battery object. Similarly, if a family of peripherals shares the same +HID descriptor between wired-only and wireless-capable SKUs, users of the +former may never see a battery event and will not want a power_supply +object created. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217062 +Link: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/2354 +Signed-off-by: Jason Gerecke +Tested-by: Mario Limonciello +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/wacom_wac.c | 33 +++++++++++---------------------- + 1 file changed, 11 insertions(+), 22 deletions(-) + +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c +index b4bdb532a0a40..0f1f27c03344e 100644 +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1925,18 +1925,7 @@ static void wacom_map_usage(struct input_dev *input, struct hid_usage *usage, + static void wacom_wac_battery_usage_mapping(struct hid_device *hdev, + struct hid_field *field, struct hid_usage *usage) + { +- struct wacom *wacom = hid_get_drvdata(hdev); +- struct wacom_wac *wacom_wac = &wacom->wacom_wac; +- struct wacom_features *features = &wacom_wac->features; +- unsigned equivalent_usage = wacom_equivalent_usage(usage->hid); +- +- switch (equivalent_usage) { +- case HID_DG_BATTERYSTRENGTH: +- case WACOM_HID_WD_BATTERY_LEVEL: +- case WACOM_HID_WD_BATTERY_CHARGING: +- features->quirks |= WACOM_QUIRK_BATTERY; +- break; +- } ++ return; + } + + static void wacom_wac_battery_event(struct hid_device *hdev, struct hid_field *field, +@@ -1957,18 +1946,21 @@ static void wacom_wac_battery_event(struct hid_device *hdev, struct hid_field *f + wacom_wac->hid_data.bat_connected = 1; + wacom_wac->hid_data.bat_status = WACOM_POWER_SUPPLY_STATUS_AUTO; + } ++ wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY; + break; + case WACOM_HID_WD_BATTERY_LEVEL: + value = value * 100 / (field->logical_maximum - field->logical_minimum); + wacom_wac->hid_data.battery_capacity = value; + wacom_wac->hid_data.bat_connected = 1; + wacom_wac->hid_data.bat_status = WACOM_POWER_SUPPLY_STATUS_AUTO; ++ wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY; + break; + case WACOM_HID_WD_BATTERY_CHARGING: + wacom_wac->hid_data.bat_charging = value; + wacom_wac->hid_data.ps_connected = value; + wacom_wac->hid_data.bat_connected = 1; + wacom_wac->hid_data.bat_status = WACOM_POWER_SUPPLY_STATUS_AUTO; ++ wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY; + break; + } + } +@@ -1984,18 +1976,15 @@ static void wacom_wac_battery_report(struct hid_device *hdev, + { + struct wacom *wacom = hid_get_drvdata(hdev); + struct wacom_wac *wacom_wac = &wacom->wacom_wac; +- struct wacom_features *features = &wacom_wac->features; + +- if (features->quirks & WACOM_QUIRK_BATTERY) { +- int status = wacom_wac->hid_data.bat_status; +- int capacity = wacom_wac->hid_data.battery_capacity; +- bool charging = wacom_wac->hid_data.bat_charging; +- bool connected = wacom_wac->hid_data.bat_connected; +- bool powered = wacom_wac->hid_data.ps_connected; ++ int status = wacom_wac->hid_data.bat_status; ++ int capacity = wacom_wac->hid_data.battery_capacity; ++ bool charging = wacom_wac->hid_data.bat_charging; ++ bool connected = wacom_wac->hid_data.bat_connected; ++ bool powered = wacom_wac->hid_data.ps_connected; + +- wacom_notify_battery(wacom_wac, status, capacity, charging, +- connected, powered); +- } ++ wacom_notify_battery(wacom_wac, status, capacity, charging, ++ connected, powered); + } + + static void wacom_wac_pad_usage_mapping(struct hid_device *hdev, +-- +2.39.2 + diff --git a/queue-5.15/input-xpad-add-constants-for-gip-interface-numbers.patch b/queue-5.15/input-xpad-add-constants-for-gip-interface-numbers.patch new file mode 100644 index 00000000000..98bfb4a73aa --- /dev/null +++ b/queue-5.15/input-xpad-add-constants-for-gip-interface-numbers.patch @@ -0,0 +1,47 @@ +From aaf42fc30326b10488dc7ecefad41ee1a3fb355e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 23:57:42 -0700 +Subject: Input: xpad - add constants for GIP interface numbers + +From: Vicki Pfau + +[ Upstream commit f9b2e603c6216824e34dc9a67205d98ccc9a41ca ] + +Wired GIP devices present multiple interfaces with the same USB identification +other than the interface number. This adds constants for differentiating two of +them and uses them where appropriate + +Signed-off-by: Vicki Pfau +Link: https://lore.kernel.org/r/20230411031650.960322-2-vi@endrift.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/joystick/xpad.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c +index dbfabd229a7c6..a7af9b56e338f 100644 +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -493,6 +493,9 @@ struct xboxone_init_packet { + } + + ++#define GIP_WIRED_INTF_DATA 0 ++#define GIP_WIRED_INTF_AUDIO 1 ++ + /* + * This packet is required for all Xbox One pads with 2015 + * or later firmware installed (or present from the factory). +@@ -1821,7 +1824,7 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id + } + + if (xpad->xtype == XTYPE_XBOXONE && +- intf->cur_altsetting->desc.bInterfaceNumber != 0) { ++ intf->cur_altsetting->desc.bInterfaceNumber != GIP_WIRED_INTF_DATA) { + /* + * The Xbox One controller lists three interfaces all with the + * same interface class, subclass and protocol. Differentiate by +-- +2.39.2 + diff --git a/queue-5.15/iommu-arm-smmu-qcom-limit-the-smr-groups-to-128.patch b/queue-5.15/iommu-arm-smmu-qcom-limit-the-smr-groups-to-128.patch new file mode 100644 index 00000000000..0f76cbc7a38 --- /dev/null +++ b/queue-5.15/iommu-arm-smmu-qcom-limit-the-smr-groups-to-128.patch @@ -0,0 +1,67 @@ +From 6e870136418da9cde5f7bea73b22d6e305caee69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Mar 2023 13:30:29 +0530 +Subject: iommu/arm-smmu-qcom: Limit the SMR groups to 128 + +From: Manivannan Sadhasivam + +[ Upstream commit 12261134732689b7e30c59db9978f81230965181 ] + +Some platforms support more than 128 stream matching groups than what is +defined by the ARM SMMU architecture specification. But due to some unknown +reasons, those additional groups don't exhibit the same behavior as the +architecture supported ones. + +For instance, the additional groups will not detect the quirky behavior of +some firmware versions intercepting writes to S2CR register, thus skipping +the quirk implemented in the driver and causing boot crash. + +So let's limit the groups to 128 for now until the issue with those groups +are fixed and issue a notice to users in that case. + +Reviewed-by: Johan Hovold +Tested-by: Johan Hovold +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20230327080029.11584-1-manivannan.sadhasivam@linaro.org +[will: Reworded the comment slightly] +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +index c998960495b4e..50453d38400c5 100644 +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +@@ -247,12 +247,26 @@ static int qcom_smmu_init_context(struct arm_smmu_domain *smmu_domain, + + static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu) + { +- unsigned int last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1); + struct qcom_smmu *qsmmu = to_qcom_smmu(smmu); ++ unsigned int last_s2cr; + u32 reg; + u32 smr; + int i; + ++ /* ++ * Some platforms support more than the Arm SMMU architected maximum of ++ * 128 stream matching groups. For unknown reasons, the additional ++ * groups don't exhibit the same behavior as the architected registers, ++ * so limit the groups to 128 until the behavior is fixed for the other ++ * groups. ++ */ ++ if (smmu->num_mapping_groups > 128) { ++ dev_notice(smmu->dev, "\tLimiting the stream matching groups to 128\n"); ++ smmu->num_mapping_groups = 128; ++ } ++ ++ last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1); ++ + /* + * With some firmware versions writes to S2CR of type FAULT are + * ignored, and writing BYPASS will end up written as FAULT in the +-- +2.39.2 + diff --git a/queue-5.15/iommu-arm-smmu-v3-acknowledge-pri-event-queue-overfl.patch b/queue-5.15/iommu-arm-smmu-v3-acknowledge-pri-event-queue-overfl.patch new file mode 100644 index 00000000000..621a81e157a --- /dev/null +++ b/queue-5.15/iommu-arm-smmu-v3-acknowledge-pri-event-queue-overfl.patch @@ -0,0 +1,90 @@ +From 934ebf6f5c8528df7ba5ee4c36f52a2adb45fd6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Mar 2023 12:34:19 +0000 +Subject: iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any + +From: Tomas Krcka + +[ Upstream commit 67ea0b7ce41844eae7c10bb04dfe66a23318c224 ] + +When an overflow occurs in the PRI queue, the SMMU toggles the overflow +flag in the PROD register. To exit the overflow condition, the PRI thread +is supposed to acknowledge it by toggling this flag in the CONS register. +Unacknowledged overflow causes the queue to stop adding anything new. + +Currently, the priq thread always writes the CONS register back to the +SMMU after clearing the queue. + +The writeback is not necessary if the OVFLG in the PROD register has not +been changed, no overflow has occured. + +This commit checks the difference of the overflow flag between CONS and +PROD register. If it's different, toggles the OVACKFLG flag in the CONS +register and write it to the SMMU. + +The situation is similar for the event queue. +The acknowledge register is also toggled after clearing the event +queue but never propagated to the hardware. This would only be done the +next time when executing evtq thread. + +Unacknowledged event queue overflow doesn't affect the event +queue, because the SMMU still adds elements to that queue when the +overflow condition is active. +But it feel nicer to keep SMMU in sync when possible, so use the same +way here as well. + +Signed-off-by: Tomas Krcka +Link: https://lore.kernel.org/r/20230329123420.34641-1-tomas.krcka@gmail.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +index e7da4a47ce52e..bcdb2cbdda971 100644 +--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c ++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +@@ -154,6 +154,18 @@ static void queue_inc_cons(struct arm_smmu_ll_queue *q) + q->cons = Q_OVF(q->cons) | Q_WRP(q, cons) | Q_IDX(q, cons); + } + ++static void queue_sync_cons_ovf(struct arm_smmu_queue *q) ++{ ++ struct arm_smmu_ll_queue *llq = &q->llq; ++ ++ if (likely(Q_OVF(llq->prod) == Q_OVF(llq->cons))) ++ return; ++ ++ llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) | ++ Q_IDX(llq, llq->cons); ++ queue_sync_cons_out(q); ++} ++ + static int queue_sync_prod_in(struct arm_smmu_queue *q) + { + u32 prod; +@@ -1564,8 +1576,7 @@ static irqreturn_t arm_smmu_evtq_thread(int irq, void *dev) + } while (!queue_empty(llq)); + + /* Sync our overflow flag, as we believe we're up to speed */ +- llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) | +- Q_IDX(llq, llq->cons); ++ queue_sync_cons_ovf(q); + return IRQ_HANDLED; + } + +@@ -1623,9 +1634,7 @@ static irqreturn_t arm_smmu_priq_thread(int irq, void *dev) + } while (!queue_empty(llq)); + + /* Sync our overflow flag, as we believe we're up to speed */ +- llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) | +- Q_IDX(llq, llq->cons); +- queue_sync_cons_out(q); ++ queue_sync_cons_ovf(q); + return IRQ_HANDLED; + } + +-- +2.39.2 + diff --git a/queue-5.15/iommu-sprd-release-dma-buffer-to-avoid-memory-leak.patch b/queue-5.15/iommu-sprd-release-dma-buffer-to-avoid-memory-leak.patch new file mode 100644 index 00000000000..bf7f93056ef --- /dev/null +++ b/queue-5.15/iommu-sprd-release-dma-buffer-to-avoid-memory-leak.patch @@ -0,0 +1,71 @@ +From 970eb96b6ae0e5b7cbf7bc98f43b76e92d791ae0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 11:31:23 +0800 +Subject: iommu/sprd: Release dma buffer to avoid memory leak + +From: Chunyan Zhang + +[ Upstream commit 9afea57384d4ae7b2034593eac7fa76c7122762a ] + +When attaching to a domain, the driver would alloc a DMA buffer which +is used to store address mapping table, and it need to be released +when the IOMMU domain is freed. + +Signed-off-by: Chunyan Zhang +Link: https://lore.kernel.org/r/20230331033124.864691-2-zhang.lyra@gmail.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/sprd-iommu.c | 29 ++++++++++++++++++++++------- + 1 file changed, 22 insertions(+), 7 deletions(-) + +diff --git a/drivers/iommu/sprd-iommu.c b/drivers/iommu/sprd-iommu.c +index 27ac818b03544..723940e841612 100644 +--- a/drivers/iommu/sprd-iommu.c ++++ b/drivers/iommu/sprd-iommu.c +@@ -151,13 +151,6 @@ static struct iommu_domain *sprd_iommu_domain_alloc(unsigned int domain_type) + return &dom->domain; + } + +-static void sprd_iommu_domain_free(struct iommu_domain *domain) +-{ +- struct sprd_iommu_domain *dom = to_sprd_domain(domain); +- +- kfree(dom); +-} +- + static void sprd_iommu_first_vpn(struct sprd_iommu_domain *dom) + { + struct sprd_iommu_device *sdev = dom->sdev; +@@ -230,6 +223,28 @@ static void sprd_iommu_hw_en(struct sprd_iommu_device *sdev, bool en) + sprd_iommu_update_bits(sdev, reg_cfg, mask, 0, val); + } + ++static void sprd_iommu_cleanup(struct sprd_iommu_domain *dom) ++{ ++ size_t pgt_size; ++ ++ /* Nothing need to do if the domain hasn't been attached */ ++ if (!dom->sdev) ++ return; ++ ++ pgt_size = sprd_iommu_pgt_size(&dom->domain); ++ dma_free_coherent(dom->sdev->dev, pgt_size, dom->pgt_va, dom->pgt_pa); ++ dom->sdev = NULL; ++ sprd_iommu_hw_en(dom->sdev, false); ++} ++ ++static void sprd_iommu_domain_free(struct iommu_domain *domain) ++{ ++ struct sprd_iommu_domain *dom = to_sprd_domain(domain); ++ ++ sprd_iommu_cleanup(dom); ++ kfree(dom); ++} ++ + static int sprd_iommu_attach_device(struct iommu_domain *domain, + struct device *dev) + { +-- +2.39.2 + diff --git a/queue-5.15/ipvs-update-width-of-source-for-ip_vs_sync_conn_opti.patch b/queue-5.15/ipvs-update-width-of-source-for-ip_vs_sync_conn_opti.patch new file mode 100644 index 00000000000..6d89cf87dc8 --- /dev/null +++ b/queue-5.15/ipvs-update-width-of-source-for-ip_vs_sync_conn_opti.patch @@ -0,0 +1,90 @@ +From 38c1bee93b375f700359a5ec0f534d39d669fa5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 17:10:45 +0200 +Subject: ipvs: Update width of source for ip_vs_sync_conn_options + +From: Simon Horman + +[ Upstream commit e3478c68f6704638d08f437cbc552ca5970c151a ] + +In ip_vs_sync_conn_v0() copy is made to struct ip_vs_sync_conn_options. +That structure looks like this: + +struct ip_vs_sync_conn_options { + struct ip_vs_seq in_seq; + struct ip_vs_seq out_seq; +}; + +The source of the copy is the in_seq field of struct ip_vs_conn. Whose +type is struct ip_vs_seq. Thus we can see that the source - is not as +wide as the amount of data copied, which is the width of struct +ip_vs_sync_conn_option. + +The copy is safe because the next field in is another struct ip_vs_seq. +Make use of struct_group() to annotate this. + +Flagged by gcc-13 as: + + In file included from ./include/linux/string.h:254, + from ./include/linux/bitmap.h:11, + from ./include/linux/cpumask.h:12, + from ./arch/x86/include/asm/paravirt.h:17, + from ./arch/x86/include/asm/cpuid.h:62, + from ./arch/x86/include/asm/processor.h:19, + from ./arch/x86/include/asm/timex.h:5, + from ./include/linux/timex.h:67, + from ./include/linux/time32.h:13, + from ./include/linux/time.h:60, + from ./include/linux/stat.h:19, + from ./include/linux/module.h:13, + from net/netfilter/ipvs/ip_vs_sync.c:38: + In function 'fortify_memcpy_chk', + inlined from 'ip_vs_sync_conn_v0' at net/netfilter/ipvs/ip_vs_sync.c:606:3: + ./include/linux/fortify-string.h:529:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning] + 529 | __read_overflow2_field(q_size_field, size); + | + +Compile tested only. + +Signed-off-by: Simon Horman +Reviewed-by: Horatiu Vultur +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/ip_vs.h | 6 ++++-- + net/netfilter/ipvs/ip_vs_sync.c | 2 +- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h +index 7cb5a1aace40d..59f8412de45ac 100644 +--- a/include/net/ip_vs.h ++++ b/include/net/ip_vs.h +@@ -549,8 +549,10 @@ struct ip_vs_conn { + */ + struct ip_vs_app *app; /* bound ip_vs_app object */ + void *app_data; /* Application private data */ +- struct ip_vs_seq in_seq; /* incoming seq. struct */ +- struct ip_vs_seq out_seq; /* outgoing seq. struct */ ++ struct_group(sync_conn_opt, ++ struct ip_vs_seq in_seq; /* incoming seq. struct */ ++ struct ip_vs_seq out_seq; /* outgoing seq. struct */ ++ ); + + const struct ip_vs_pe *pe; + char *pe_data; +diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c +index a56fd0b5a430a..0d89e68dc9d18 100644 +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -603,7 +603,7 @@ static void ip_vs_sync_conn_v0(struct netns_ipvs *ipvs, struct ip_vs_conn *cp, + if (cp->flags & IP_VS_CONN_F_SEQ_MASK) { + struct ip_vs_sync_conn_options *opt = + (struct ip_vs_sync_conn_options *)&s[1]; +- memcpy(opt, &cp->in_seq, sizeof(*opt)); ++ memcpy(opt, &cp->sync_conn_opt, sizeof(*opt)); + } + + m->nr_conns++; +-- +2.39.2 + diff --git a/queue-5.15/lib-cpu_rmap-avoid-use-after-free-on-rmap-obj-array-.patch b/queue-5.15/lib-cpu_rmap-avoid-use-after-free-on-rmap-obj-array-.patch new file mode 100644 index 00000000000..19b3a3c2a73 --- /dev/null +++ b/queue-5.15/lib-cpu_rmap-avoid-use-after-free-on-rmap-obj-array-.patch @@ -0,0 +1,67 @@ +From ce0343c6fc0e8033562bb627636115d29d208016 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Feb 2023 07:51:02 +0200 +Subject: lib: cpu_rmap: Avoid use after free on rmap->obj array entries + +From: Eli Cohen + +[ Upstream commit 4e0473f1060aa49621d40a113afde24818101d37 ] + +When calling irq_set_affinity_notifier() with NULL at the notify +argument, it will cause freeing of the glue pointer in the +corresponding array entry but will leave the pointer in the array. A +subsequent call to free_irq_cpu_rmap() will try to free this entry again +leading to possible use after free. + +Fix that by setting NULL to the array entry and checking that we have +non-zero at the array entry when iterating over the array in +free_irq_cpu_rmap(). + +The current code does not suffer from this since there are no cases +where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the +notify arg) is called, followed by a call to free_irq_cpu_rmap() so we +don't hit and issue. Subsequent patches in this series excersize this +flow, hence the required fix. + +Cc: Thomas Gleixner +Signed-off-by: Eli Cohen +Signed-off-by: Saeed Mahameed +Reviewed-by: Jacob Keller +Signed-off-by: Sasha Levin +--- + lib/cpu_rmap.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/cpu_rmap.c b/lib/cpu_rmap.c +index f08d9c56f712e..e77f12bb3c774 100644 +--- a/lib/cpu_rmap.c ++++ b/lib/cpu_rmap.c +@@ -232,7 +232,8 @@ void free_irq_cpu_rmap(struct cpu_rmap *rmap) + + for (index = 0; index < rmap->used; index++) { + glue = rmap->obj[index]; +- irq_set_affinity_notifier(glue->notify.irq, NULL); ++ if (glue) ++ irq_set_affinity_notifier(glue->notify.irq, NULL); + } + + cpu_rmap_put(rmap); +@@ -268,6 +269,7 @@ static void irq_cpu_rmap_release(struct kref *ref) + container_of(ref, struct irq_glue, notify.kref); + + cpu_rmap_put(glue->rmap); ++ glue->rmap->obj[glue->index] = NULL; + kfree(glue); + } + +@@ -297,6 +299,7 @@ int irq_cpu_rmap_add(struct cpu_rmap *rmap, int irq) + rc = irq_set_affinity_notifier(irq, &glue->notify); + if (rc) { + cpu_rmap_put(glue->rmap); ++ rmap->obj[glue->index] = NULL; + kfree(glue); + } + return rc; +-- +2.39.2 + diff --git a/queue-5.15/mcb-pci-reallocate-memory-region-to-avoid-memory-ove.patch b/queue-5.15/mcb-pci-reallocate-memory-region-to-avoid-memory-ove.patch new file mode 100644 index 00000000000..f3cb59137d1 --- /dev/null +++ b/queue-5.15/mcb-pci-reallocate-memory-region-to-avoid-memory-ove.patch @@ -0,0 +1,78 @@ +From 0acf4e4a3a366afd0fef8c2122827944e5623c0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Apr 2023 10:33:28 +0200 +Subject: mcb-pci: Reallocate memory region to avoid memory overlapping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rodríguez Barbarin, José Javier + +[ Upstream commit 9be24faadd085c284890c3afcec7a0184642315a ] + +mcb-pci requests a fixed-size memory region to parse the chameleon +table, however, if the chameleon table is smaller that the allocated +region, it could overlap with the IP Cores' memory regions. + +After parsing the chameleon table, drop/reallocate the memory region +with the actual chameleon table size. + +Co-developed-by: Jorge Sanjuan Garcia +Signed-off-by: Jorge Sanjuan Garcia +Signed-off-by: Javier Rodriguez +Signed-off-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/20230411083329.4506-3-jth@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/mcb/mcb-pci.c | 27 +++++++++++++++++++++++++-- + 1 file changed, 25 insertions(+), 2 deletions(-) + +diff --git a/drivers/mcb/mcb-pci.c b/drivers/mcb/mcb-pci.c +index dc88232d9af83..53d9202ff9a7c 100644 +--- a/drivers/mcb/mcb-pci.c ++++ b/drivers/mcb/mcb-pci.c +@@ -31,7 +31,7 @@ static int mcb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + { + struct resource *res; + struct priv *priv; +- int ret; ++ int ret, table_size; + unsigned long flags; + + priv = devm_kzalloc(&pdev->dev, sizeof(struct priv), GFP_KERNEL); +@@ -90,7 +90,30 @@ static int mcb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + if (ret < 0) + goto out_mcb_bus; + +- dev_dbg(&pdev->dev, "Found %d cells\n", ret); ++ table_size = ret; ++ ++ if (table_size < CHAM_HEADER_SIZE) { ++ /* Release the previous resources */ ++ devm_iounmap(&pdev->dev, priv->base); ++ devm_release_mem_region(&pdev->dev, priv->mapbase, CHAM_HEADER_SIZE); ++ ++ /* Then, allocate it again with the actual chameleon table size */ ++ res = devm_request_mem_region(&pdev->dev, priv->mapbase, ++ table_size, ++ KBUILD_MODNAME); ++ if (!res) { ++ dev_err(&pdev->dev, "Failed to request PCI memory\n"); ++ ret = -EBUSY; ++ goto out_mcb_bus; ++ } ++ ++ priv->base = devm_ioremap(&pdev->dev, priv->mapbase, table_size); ++ if (!priv->base) { ++ dev_err(&pdev->dev, "Cannot ioremap\n"); ++ ret = -ENOMEM; ++ goto out_mcb_bus; ++ } ++ } + + mcb_bus_add_devices(priv->bus); + +-- +2.39.2 + diff --git a/queue-5.15/media-cx23885-fix-a-null-ptr-deref-bug-in-buffer_pre.patch b/queue-5.15/media-cx23885-fix-a-null-ptr-deref-bug-in-buffer_pre.patch new file mode 100644 index 00000000000..6f3a7d84011 --- /dev/null +++ b/queue-5.15/media-cx23885-fix-a-null-ptr-deref-bug-in-buffer_pre.patch @@ -0,0 +1,110 @@ +From 00f58f2103c0fe4eb193fd98d4f7a9301cd5d4a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Mar 2023 13:39:05 +0100 +Subject: media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and + buffer_finish() + +From: harperchen + +[ Upstream commit 47e8b73bc35d7c54642f78e498697692f6358996 ] + +When the driver calls cx23885_risc_buffer() to prepare the buffer, the +function call dma_alloc_coherent may fail, resulting in a empty buffer +risc->cpu. Later when we free the buffer or access the buffer, null ptr +deref is triggered. + +This bug is similar to the following one: +https://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71. + +We believe the bug can be also dynamically triggered from user side. +Similarly, we fix this by checking the return value of cx23885_risc_buffer() +and the value of risc->cpu before buffer free. + +Signed-off-by: harperchen +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx23885/cx23885-core.c | 4 +++- + drivers/media/pci/cx23885/cx23885-video.c | 13 +++++++------ + 2 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/media/pci/cx23885/cx23885-core.c b/drivers/media/pci/cx23885/cx23885-core.c +index a07b18f2034e9..8019cdf5dbae5 100644 +--- a/drivers/media/pci/cx23885/cx23885-core.c ++++ b/drivers/media/pci/cx23885/cx23885-core.c +@@ -1325,7 +1325,9 @@ void cx23885_free_buffer(struct cx23885_dev *dev, struct cx23885_buffer *buf) + { + struct cx23885_riscmem *risc = &buf->risc; + +- dma_free_coherent(&dev->pci->dev, risc->size, risc->cpu, risc->dma); ++ if (risc->cpu) ++ dma_free_coherent(&dev->pci->dev, risc->size, risc->cpu, risc->dma); ++ memset(risc, 0, sizeof(*risc)); + } + + static void cx23885_tsport_reg_dump(struct cx23885_tsport *port) +diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c +index a380e0920a21f..b01499f810697 100644 +--- a/drivers/media/pci/cx23885/cx23885-video.c ++++ b/drivers/media/pci/cx23885/cx23885-video.c +@@ -342,6 +342,7 @@ static int queue_setup(struct vb2_queue *q, + + static int buffer_prepare(struct vb2_buffer *vb) + { ++ int ret; + struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb); + struct cx23885_dev *dev = vb->vb2_queue->drv_priv; + struct cx23885_buffer *buf = +@@ -358,12 +359,12 @@ static int buffer_prepare(struct vb2_buffer *vb) + + switch (dev->field) { + case V4L2_FIELD_TOP: +- cx23885_risc_buffer(dev->pci, &buf->risc, ++ ret = cx23885_risc_buffer(dev->pci, &buf->risc, + sgt->sgl, 0, UNSET, + buf->bpl, 0, dev->height); + break; + case V4L2_FIELD_BOTTOM: +- cx23885_risc_buffer(dev->pci, &buf->risc, ++ ret = cx23885_risc_buffer(dev->pci, &buf->risc, + sgt->sgl, UNSET, 0, + buf->bpl, 0, dev->height); + break; +@@ -391,21 +392,21 @@ static int buffer_prepare(struct vb2_buffer *vb) + line0_offset = 0; + line1_offset = buf->bpl; + } +- cx23885_risc_buffer(dev->pci, &buf->risc, ++ ret = cx23885_risc_buffer(dev->pci, &buf->risc, + sgt->sgl, line0_offset, + line1_offset, + buf->bpl, buf->bpl, + dev->height >> 1); + break; + case V4L2_FIELD_SEQ_TB: +- cx23885_risc_buffer(dev->pci, &buf->risc, ++ ret = cx23885_risc_buffer(dev->pci, &buf->risc, + sgt->sgl, + 0, buf->bpl * (dev->height >> 1), + buf->bpl, 0, + dev->height >> 1); + break; + case V4L2_FIELD_SEQ_BT: +- cx23885_risc_buffer(dev->pci, &buf->risc, ++ ret = cx23885_risc_buffer(dev->pci, &buf->risc, + sgt->sgl, + buf->bpl * (dev->height >> 1), 0, + buf->bpl, 0, +@@ -418,7 +419,7 @@ static int buffer_prepare(struct vb2_buffer *vb) + buf, buf->vb.vb2_buf.index, + dev->width, dev->height, dev->fmt->depth, dev->fmt->fourcc, + (unsigned long)buf->risc.dma); +- return 0; ++ return ret; + } + + static void buffer_finish(struct vb2_buffer *vb) +-- +2.39.2 + diff --git a/queue-5.15/media-pci-tw68-fix-null-ptr-deref-bug-in-buf-prepare.patch b/queue-5.15/media-pci-tw68-fix-null-ptr-deref-bug-in-buf-prepare.patch new file mode 100644 index 00000000000..ba28a13563c --- /dev/null +++ b/queue-5.15/media-pci-tw68-fix-null-ptr-deref-bug-in-buf-prepare.patch @@ -0,0 +1,91 @@ +From 271938a3b167cde56e33cfaa5ad0f3ef699faf88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 16:30:11 +0100 +Subject: media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish + +From: harperchen + +[ Upstream commit 1634b7adcc5bef645b3666fdd564e5952a9e24e0 ] + +When the driver calls tw68_risc_buffer() to prepare the buffer, the +function call dma_alloc_coherent may fail, resulting in a empty buffer +buf->cpu. Later when we free the buffer or access the buffer, null ptr +deref is triggered. + +This bug is similar to the following one: +https://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71. + +We believe the bug can be also dynamically triggered from user side. +Similarly, we fix this by checking the return value of tw68_risc_buffer() +and the value of buf->cpu before buffer free. + +Signed-off-by: harperchen +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/tw68/tw68-video.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/media/pci/tw68/tw68-video.c b/drivers/media/pci/tw68/tw68-video.c +index fe94944d05317..0d1120abc6471 100644 +--- a/drivers/media/pci/tw68/tw68-video.c ++++ b/drivers/media/pci/tw68/tw68-video.c +@@ -437,6 +437,7 @@ static void tw68_buf_queue(struct vb2_buffer *vb) + */ + static int tw68_buf_prepare(struct vb2_buffer *vb) + { ++ int ret; + struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb); + struct vb2_queue *vq = vb->vb2_queue; + struct tw68_dev *dev = vb2_get_drv_priv(vq); +@@ -452,30 +453,30 @@ static int tw68_buf_prepare(struct vb2_buffer *vb) + bpl = (dev->width * dev->fmt->depth) >> 3; + switch (dev->field) { + case V4L2_FIELD_TOP: +- tw68_risc_buffer(dev->pci, buf, dma->sgl, ++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl, + 0, UNSET, bpl, 0, dev->height); + break; + case V4L2_FIELD_BOTTOM: +- tw68_risc_buffer(dev->pci, buf, dma->sgl, ++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl, + UNSET, 0, bpl, 0, dev->height); + break; + case V4L2_FIELD_SEQ_TB: +- tw68_risc_buffer(dev->pci, buf, dma->sgl, ++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl, + 0, bpl * (dev->height >> 1), + bpl, 0, dev->height >> 1); + break; + case V4L2_FIELD_SEQ_BT: +- tw68_risc_buffer(dev->pci, buf, dma->sgl, ++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl, + bpl * (dev->height >> 1), 0, + bpl, 0, dev->height >> 1); + break; + case V4L2_FIELD_INTERLACED: + default: +- tw68_risc_buffer(dev->pci, buf, dma->sgl, ++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl, + 0, bpl, bpl, bpl, dev->height >> 1); + break; + } +- return 0; ++ return ret; + } + + static void tw68_buf_finish(struct vb2_buffer *vb) +@@ -485,7 +486,8 @@ static void tw68_buf_finish(struct vb2_buffer *vb) + struct tw68_dev *dev = vb2_get_drv_priv(vq); + struct tw68_buf *buf = container_of(vbuf, struct tw68_buf, vb); + +- dma_free_coherent(&dev->pci->dev, buf->size, buf->cpu, buf->dma); ++ if (buf->cpu) ++ dma_free_coherent(&dev->pci->dev, buf->size, buf->cpu, buf->dma); + } + + static int tw68_start_streaming(struct vb2_queue *q, unsigned int count) +-- +2.39.2 + diff --git a/queue-5.15/media-prefer-designated-initializers-over-memset-for.patch b/queue-5.15/media-prefer-designated-initializers-over-memset-for.patch new file mode 100644 index 00000000000..8731f9fa0d6 --- /dev/null +++ b/queue-5.15/media-prefer-designated-initializers-over-memset-for.patch @@ -0,0 +1,365 @@ +From 7735dbb003359a0523315dc0a75cf804f693a69d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 17:18:39 +0200 +Subject: media: Prefer designated initializers over memset for subdev pad ops + +From: Laurent Pinchart + +[ Upstream commit e3a69496a1cde364c74a600d7a370179b58aed29 ] + +Structures passed to subdev pad operations are all zero-initialized, but +not always with the same kind of code constructs. While most drivers +used designated initializers, which zero all the fields that are not +specified, when declaring variables, some use memset(). Those two +methods lead to the same end result, and, depending on compiler +optimizations, may even be completely equivalent, but they're not +consistent. + +Improve coding style consistency by using designated initializers +instead of calling memset(). Where applicable, also move the variables +to inner scopes of for loops to ensure correct initialization in all +iterations. + +Signed-off-by: Laurent Pinchart +Reviewed-by: Lad Prabhakar # For am437x +Acked-by: Sakari Ailus +Reviewed-by: Tomi Valkeinen +Reviewed-by: Kieran Bingham +Reviewed-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/am437x/am437x-vpfe.c | 15 ++++++++------- + .../media/platform/exynos4-is/fimc-capture.c | 7 ++++--- + drivers/media/platform/ti-vpe/cal-video.c | 8 ++++---- + drivers/media/platform/vsp1/vsp1_drm.c | 18 +++++++++--------- + drivers/media/platform/vsp1/vsp1_entity.c | 11 +++++------ + drivers/media/usb/dvb-usb/cxusb-analog.c | 14 +++++++------- + drivers/staging/media/imx/imx-media-capture.c | 12 ++++++------ + drivers/staging/media/imx/imx-media-utils.c | 8 ++++---- + drivers/staging/media/omap4iss/iss_video.c | 6 +++--- + 9 files changed, 50 insertions(+), 49 deletions(-) + +diff --git a/drivers/media/platform/am437x/am437x-vpfe.c b/drivers/media/platform/am437x/am437x-vpfe.c +index 1c9cb9e05fdf6..c1ce93efc6559 100644 +--- a/drivers/media/platform/am437x/am437x-vpfe.c ++++ b/drivers/media/platform/am437x/am437x-vpfe.c +@@ -1499,7 +1499,9 @@ static int vpfe_enum_size(struct file *file, void *priv, + struct v4l2_frmsizeenum *fsize) + { + struct vpfe_device *vpfe = video_drvdata(file); +- struct v4l2_subdev_frame_size_enum fse; ++ struct v4l2_subdev_frame_size_enum fse = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + struct v4l2_subdev *sd = vpfe->current_subdev->sd; + struct vpfe_fmt *fmt; + int ret; +@@ -1514,11 +1516,9 @@ static int vpfe_enum_size(struct file *file, void *priv, + + memset(fsize->reserved, 0x0, sizeof(fsize->reserved)); + +- memset(&fse, 0x0, sizeof(fse)); + fse.index = fsize->index; + fse.pad = 0; + fse.code = fmt->code; +- fse.which = V4L2_SUBDEV_FORMAT_ACTIVE; + ret = v4l2_subdev_call(sd, pad, enum_frame_size, NULL, &fse); + if (ret) + return ret; +@@ -2146,7 +2146,6 @@ vpfe_async_bound(struct v4l2_async_notifier *notifier, + { + struct vpfe_device *vpfe = container_of(notifier->v4l2_dev, + struct vpfe_device, v4l2_dev); +- struct v4l2_subdev_mbus_code_enum mbus_code; + struct vpfe_subdev_info *sdinfo; + struct vpfe_fmt *fmt; + int ret = 0; +@@ -2173,9 +2172,11 @@ vpfe_async_bound(struct v4l2_async_notifier *notifier, + + vpfe->num_active_fmt = 0; + for (j = 0, i = 0; (ret != -EINVAL); ++j) { +- memset(&mbus_code, 0, sizeof(mbus_code)); +- mbus_code.index = j; +- mbus_code.which = V4L2_SUBDEV_FORMAT_ACTIVE; ++ struct v4l2_subdev_mbus_code_enum mbus_code = { ++ .index = j, ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; ++ + ret = v4l2_subdev_call(subdev, pad, enum_mbus_code, + NULL, &mbus_code); + if (ret) +diff --git a/drivers/media/platform/exynos4-is/fimc-capture.c b/drivers/media/platform/exynos4-is/fimc-capture.c +index 7ff4024003f4a..0b3cf01e9537e 100644 +--- a/drivers/media/platform/exynos4-is/fimc-capture.c ++++ b/drivers/media/platform/exynos4-is/fimc-capture.c +@@ -763,7 +763,10 @@ static int fimc_pipeline_try_format(struct fimc_ctx *ctx, + struct fimc_dev *fimc = ctx->fimc_dev; + struct fimc_pipeline *p = to_fimc_pipeline(fimc->vid_cap.ve.pipe); + struct v4l2_subdev *sd = p->subdevs[IDX_SENSOR]; +- struct v4l2_subdev_format sfmt; ++ struct v4l2_subdev_format sfmt = { ++ .which = set ? V4L2_SUBDEV_FORMAT_ACTIVE ++ : V4L2_SUBDEV_FORMAT_TRY, ++ }; + struct v4l2_mbus_framefmt *mf = &sfmt.format; + struct media_entity *me; + struct fimc_fmt *ffmt; +@@ -774,9 +777,7 @@ static int fimc_pipeline_try_format(struct fimc_ctx *ctx, + if (WARN_ON(!sd || !tfmt)) + return -EINVAL; + +- memset(&sfmt, 0, sizeof(sfmt)); + sfmt.format = *tfmt; +- sfmt.which = set ? V4L2_SUBDEV_FORMAT_ACTIVE : V4L2_SUBDEV_FORMAT_TRY; + + me = fimc_pipeline_get_head(&sd->entity); + +diff --git a/drivers/media/platform/ti-vpe/cal-video.c b/drivers/media/platform/ti-vpe/cal-video.c +index 3e936a2ca36c6..d87177d04e921 100644 +--- a/drivers/media/platform/ti-vpe/cal-video.c ++++ b/drivers/media/platform/ti-vpe/cal-video.c +@@ -814,7 +814,6 @@ static const struct v4l2_file_operations cal_fops = { + + static int cal_ctx_v4l2_init_formats(struct cal_ctx *ctx) + { +- struct v4l2_subdev_mbus_code_enum mbus_code; + struct v4l2_mbus_framefmt mbus_fmt; + const struct cal_format_info *fmtinfo; + unsigned int i, j, k; +@@ -829,10 +828,11 @@ static int cal_ctx_v4l2_init_formats(struct cal_ctx *ctx) + ctx->num_active_fmt = 0; + + for (j = 0, i = 0; ; ++j) { ++ struct v4l2_subdev_mbus_code_enum mbus_code = { ++ .index = j, ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + +- memset(&mbus_code, 0, sizeof(mbus_code)); +- mbus_code.index = j; +- mbus_code.which = V4L2_SUBDEV_FORMAT_ACTIVE; + ret = v4l2_subdev_call(ctx->phy->source, pad, enum_mbus_code, + NULL, &mbus_code); + if (ret == -EINVAL) +diff --git a/drivers/media/platform/vsp1/vsp1_drm.c b/drivers/media/platform/vsp1/vsp1_drm.c +index 06f74d410973e..706d48601bf2c 100644 +--- a/drivers/media/platform/vsp1/vsp1_drm.c ++++ b/drivers/media/platform/vsp1/vsp1_drm.c +@@ -66,7 +66,9 @@ static int vsp1_du_insert_uif(struct vsp1_device *vsp1, + struct vsp1_entity *prev, unsigned int prev_pad, + struct vsp1_entity *next, unsigned int next_pad) + { +- struct v4l2_subdev_format format; ++ struct v4l2_subdev_format format = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + int ret; + + if (!uif) { +@@ -82,8 +84,6 @@ static int vsp1_du_insert_uif(struct vsp1_device *vsp1, + prev->sink = uif; + prev->sink_pad = UIF_PAD_SINK; + +- memset(&format, 0, sizeof(format)); +- format.which = V4L2_SUBDEV_FORMAT_ACTIVE; + format.pad = prev_pad; + + ret = v4l2_subdev_call(&prev->subdev, pad, get_fmt, NULL, &format); +@@ -118,8 +118,12 @@ static int vsp1_du_pipeline_setup_rpf(struct vsp1_device *vsp1, + struct vsp1_entity *uif, + unsigned int brx_input) + { +- struct v4l2_subdev_selection sel; +- struct v4l2_subdev_format format; ++ struct v4l2_subdev_selection sel = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; ++ struct v4l2_subdev_format format = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + const struct v4l2_rect *crop; + int ret; + +@@ -129,8 +133,6 @@ static int vsp1_du_pipeline_setup_rpf(struct vsp1_device *vsp1, + */ + crop = &vsp1->drm->inputs[rpf->entity.index].crop; + +- memset(&format, 0, sizeof(format)); +- format.which = V4L2_SUBDEV_FORMAT_ACTIVE; + format.pad = RWPF_PAD_SINK; + format.format.width = crop->width + crop->left; + format.format.height = crop->height + crop->top; +@@ -147,8 +149,6 @@ static int vsp1_du_pipeline_setup_rpf(struct vsp1_device *vsp1, + __func__, format.format.width, format.format.height, + format.format.code, rpf->entity.index); + +- memset(&sel, 0, sizeof(sel)); +- sel.which = V4L2_SUBDEV_FORMAT_ACTIVE; + sel.pad = RWPF_PAD_SINK; + sel.target = V4L2_SEL_TGT_CROP; + sel.r = *crop; +diff --git a/drivers/media/platform/vsp1/vsp1_entity.c b/drivers/media/platform/vsp1/vsp1_entity.c +index 823c15facd1b4..b40926270c149 100644 +--- a/drivers/media/platform/vsp1/vsp1_entity.c ++++ b/drivers/media/platform/vsp1/vsp1_entity.c +@@ -184,15 +184,14 @@ vsp1_entity_get_pad_selection(struct vsp1_entity *entity, + int vsp1_entity_init_cfg(struct v4l2_subdev *subdev, + struct v4l2_subdev_state *sd_state) + { +- struct v4l2_subdev_format format; + unsigned int pad; + + for (pad = 0; pad < subdev->entity.num_pads - 1; ++pad) { +- memset(&format, 0, sizeof(format)); +- +- format.pad = pad; +- format.which = sd_state ? V4L2_SUBDEV_FORMAT_TRY +- : V4L2_SUBDEV_FORMAT_ACTIVE; ++ struct v4l2_subdev_format format = { ++ .pad = pad, ++ .which = sd_state ? V4L2_SUBDEV_FORMAT_TRY ++ : V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + + v4l2_subdev_call(subdev, pad, set_fmt, sd_state, &format); + } +diff --git a/drivers/media/usb/dvb-usb/cxusb-analog.c b/drivers/media/usb/dvb-usb/cxusb-analog.c +index e93183ddd7975..deba5224cb8df 100644 +--- a/drivers/media/usb/dvb-usb/cxusb-analog.c ++++ b/drivers/media/usb/dvb-usb/cxusb-analog.c +@@ -1014,7 +1014,10 @@ static int cxusb_medion_try_s_fmt_vid_cap(struct file *file, + { + struct dvb_usb_device *dvbdev = video_drvdata(file); + struct cxusb_medion_dev *cxdev = dvbdev->priv; +- struct v4l2_subdev_format subfmt; ++ struct v4l2_subdev_format subfmt = { ++ .which = isset ? V4L2_SUBDEV_FORMAT_ACTIVE : ++ V4L2_SUBDEV_FORMAT_TRY, ++ }; + u32 field; + int ret; + +@@ -1024,9 +1027,6 @@ static int cxusb_medion_try_s_fmt_vid_cap(struct file *file, + field = vb2_start_streaming_called(&cxdev->videoqueue) ? + cxdev->field_order : cxusb_medion_field_order(cxdev); + +- memset(&subfmt, 0, sizeof(subfmt)); +- subfmt.which = isset ? V4L2_SUBDEV_FORMAT_ACTIVE : +- V4L2_SUBDEV_FORMAT_TRY; + subfmt.format.width = f->fmt.pix.width & ~1; + subfmt.format.height = f->fmt.pix.height & ~1; + subfmt.format.code = MEDIA_BUS_FMT_FIXED; +@@ -1464,7 +1464,9 @@ int cxusb_medion_analog_init(struct dvb_usb_device *dvbdev) + .buf = tuner_analog_msg_data, + .len = + sizeof(tuner_analog_msg_data) }; +- struct v4l2_subdev_format subfmt; ++ struct v4l2_subdev_format subfmt = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + int ret; + + /* switch tuner to analog mode so IF demod will become accessible */ +@@ -1507,8 +1509,6 @@ int cxusb_medion_analog_init(struct dvb_usb_device *dvbdev) + v4l2_subdev_call(cxdev->tuner, video, s_std, cxdev->norm); + v4l2_subdev_call(cxdev->cx25840, video, s_std, cxdev->norm); + +- memset(&subfmt, 0, sizeof(subfmt)); +- subfmt.which = V4L2_SUBDEV_FORMAT_ACTIVE; + subfmt.format.width = cxdev->width; + subfmt.format.height = cxdev->height; + subfmt.format.code = MEDIA_BUS_FMT_FIXED; +diff --git a/drivers/staging/media/imx/imx-media-capture.c b/drivers/staging/media/imx/imx-media-capture.c +index 93ba092360105..5cc67786b9169 100644 +--- a/drivers/staging/media/imx/imx-media-capture.c ++++ b/drivers/staging/media/imx/imx-media-capture.c +@@ -501,14 +501,14 @@ static int capture_legacy_g_parm(struct file *file, void *fh, + struct v4l2_streamparm *a) + { + struct capture_priv *priv = video_drvdata(file); +- struct v4l2_subdev_frame_interval fi; ++ struct v4l2_subdev_frame_interval fi = { ++ .pad = priv->src_sd_pad, ++ }; + int ret; + + if (a->type != V4L2_BUF_TYPE_VIDEO_CAPTURE) + return -EINVAL; + +- memset(&fi, 0, sizeof(fi)); +- fi.pad = priv->src_sd_pad; + ret = v4l2_subdev_call(priv->src_sd, video, g_frame_interval, &fi); + if (ret < 0) + return ret; +@@ -523,14 +523,14 @@ static int capture_legacy_s_parm(struct file *file, void *fh, + struct v4l2_streamparm *a) + { + struct capture_priv *priv = video_drvdata(file); +- struct v4l2_subdev_frame_interval fi; ++ struct v4l2_subdev_frame_interval fi = { ++ .pad = priv->src_sd_pad, ++ }; + int ret; + + if (a->type != V4L2_BUF_TYPE_VIDEO_CAPTURE) + return -EINVAL; + +- memset(&fi, 0, sizeof(fi)); +- fi.pad = priv->src_sd_pad; + fi.interval = a->parm.capture.timeperframe; + ret = v4l2_subdev_call(priv->src_sd, video, s_frame_interval, &fi); + if (ret < 0) +diff --git a/drivers/staging/media/imx/imx-media-utils.c b/drivers/staging/media/imx/imx-media-utils.c +index 6f90acf9c725c..49ba521dd9edd 100644 +--- a/drivers/staging/media/imx/imx-media-utils.c ++++ b/drivers/staging/media/imx/imx-media-utils.c +@@ -432,15 +432,15 @@ int imx_media_init_cfg(struct v4l2_subdev *sd, + struct v4l2_subdev_state *sd_state) + { + struct v4l2_mbus_framefmt *mf_try; +- struct v4l2_subdev_format format; + unsigned int pad; + int ret; + + for (pad = 0; pad < sd->entity.num_pads; pad++) { +- memset(&format, 0, sizeof(format)); ++ struct v4l2_subdev_format format = { ++ .pad = pad, ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + +- format.pad = pad; +- format.which = V4L2_SUBDEV_FORMAT_ACTIVE; + ret = v4l2_subdev_call(sd, pad, get_fmt, NULL, &format); + if (ret) + continue; +diff --git a/drivers/staging/media/omap4iss/iss_video.c b/drivers/staging/media/omap4iss/iss_video.c +index d0da083deed53..801e145ea976a 100644 +--- a/drivers/staging/media/omap4iss/iss_video.c ++++ b/drivers/staging/media/omap4iss/iss_video.c +@@ -244,7 +244,9 @@ static int + __iss_video_get_format(struct iss_video *video, + struct v4l2_mbus_framefmt *format) + { +- struct v4l2_subdev_format fmt; ++ struct v4l2_subdev_format fmt = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; + struct v4l2_subdev *subdev; + u32 pad; + int ret; +@@ -253,9 +255,7 @@ __iss_video_get_format(struct iss_video *video, + if (!subdev) + return -EINVAL; + +- memset(&fmt, 0, sizeof(fmt)); + fmt.pad = pad; +- fmt.which = V4L2_SUBDEV_FORMAT_ACTIVE; + + mutex_lock(&video->mutex); + ret = v4l2_subdev_call(subdev, pad, get_fmt, NULL, &fmt); +-- +2.39.2 + diff --git a/queue-5.15/memstick-r592-fix-uaf-bug-in-r592_remove-due-to-race.patch b/queue-5.15/memstick-r592-fix-uaf-bug-in-r592_remove-due-to-race.patch new file mode 100644 index 00000000000..536f6eeb7c7 --- /dev/null +++ b/queue-5.15/memstick-r592-fix-uaf-bug-in-r592_remove-due-to-race.patch @@ -0,0 +1,53 @@ +From e5bb9a1a2f039897b1487bbe9bc226d561ea5690 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 00:43:38 +0800 +Subject: memstick: r592: Fix UAF bug in r592_remove due to race condition + +From: Zheng Wang + +[ Upstream commit 63264422785021704c39b38f65a78ab9e4a186d7 ] + +In r592_probe, dev->detect_timer was bound with r592_detect_timer. +In r592_irq function, the timer function will be invoked by mod_timer. + +If we remove the module which will call hantro_release to make cleanup, +there may be a unfinished work. The possible sequence is as follows, +which will cause a typical UAF bug. + +Fix it by canceling the work before cleanup in r592_remove. + +CPU0 CPU1 + + |r592_detect_timer +r592_remove | + memstick_free_host| + put_device; | + kfree(host); | + | + | queue_work + | &host->media_checker //use + +Signed-off-by: Zheng Wang +Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/host/r592.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c +index 1d35d147552d4..42bfc46842b82 100644 +--- a/drivers/memstick/host/r592.c ++++ b/drivers/memstick/host/r592.c +@@ -829,7 +829,7 @@ static void r592_remove(struct pci_dev *pdev) + /* Stop the processing thread. + That ensures that we won't take any more requests */ + kthread_stop(dev->io_thread); +- ++ del_timer_sync(&dev->detect_timer); + r592_enable_device(dev, false); + + while (!error && dev->req) { +-- +2.39.2 + diff --git a/queue-5.15/mfd-dln2-fix-memory-leak-in-dln2_probe.patch b/queue-5.15/mfd-dln2-fix-memory-leak-in-dln2_probe.patch new file mode 100644 index 00000000000..f6c56bcca4e --- /dev/null +++ b/queue-5.15/mfd-dln2-fix-memory-leak-in-dln2_probe.patch @@ -0,0 +1,38 @@ +From a1f4affe4d51933dfc27a2b7570cfd0aa1f430ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 10:43:53 +0800 +Subject: mfd: dln2: Fix memory leak in dln2_probe() + +From: Qiang Ning + +[ Upstream commit 96da8f148396329ba769246cb8ceaa35f1ddfc48 ] + +When dln2_setup_rx_urbs() in dln2_probe() fails, error out_free forgets +to call usb_put_dev() to decrease the refcount of dln2->usb_dev. + +Fix this by adding usb_put_dev() in the error handling code of +dln2_probe(). + +Signed-off-by: Qiang Ning +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20230330024353.4503-1-qning0106@126.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/dln2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c +index 852129ea07666..fc65f9e25fda8 100644 +--- a/drivers/mfd/dln2.c ++++ b/drivers/mfd/dln2.c +@@ -836,6 +836,7 @@ static int dln2_probe(struct usb_interface *interface, + dln2_stop_rx_urbs(dln2); + + out_free: ++ usb_put_dev(dln2->usb_dev); + dln2_free(dln2); + + return ret; +-- +2.39.2 + diff --git a/queue-5.15/nbd-fix-incomplete-validation-of-ioctl-arg.patch b/queue-5.15/nbd-fix-incomplete-validation-of-ioctl-arg.patch new file mode 100644 index 00000000000..346c8890e7a --- /dev/null +++ b/queue-5.15/nbd-fix-incomplete-validation-of-ioctl-arg.patch @@ -0,0 +1,82 @@ +From e2a9a0375cbfd77da40539c6003a26a898906f83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Feb 2023 22:58:05 +0800 +Subject: nbd: fix incomplete validation of ioctl arg + +From: Zhong Jinghua + +[ Upstream commit 55793ea54d77719a071b1ccc05a05056e3b5e009 ] + +We tested and found an alarm caused by nbd_ioctl arg without verification. +The UBSAN warning calltrace like below: + +UBSAN: Undefined behaviour in fs/buffer.c:1709:35 +signed integer overflow: +-9223372036854775808 - 1 cannot be represented in type 'long long int' +CPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1 +Hardware name: linux,dummy-virt (DT) +Call trace: + dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78 + show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158 + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x170/0x1dc lib/dump_stack.c:118 + ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161 + handle_overflow+0x188/0x1dc lib/ubsan.c:192 + __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206 + __block_write_full_page+0x94c/0xa20 fs/buffer.c:1709 + block_write_full_page+0x1f0/0x280 fs/buffer.c:2934 + blkdev_writepage+0x34/0x40 fs/block_dev.c:607 + __writepage+0x68/0xe8 mm/page-writeback.c:2305 + write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240 + generic_writepages+0xdc/0x148 mm/page-writeback.c:2329 + blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114 + do_writepages+0xd4/0x250 mm/page-writeback.c:2344 + +The reason for triggering this warning is __block_write_full_page() +-> i_size_read(inode) - 1 overflow. +inode->i_size is assigned in __nbd_ioctl() -> nbd_set_size() -> bytesize. +We think it is necessary to limit the size of arg to prevent errors. + +Moreover, __nbd_ioctl() -> nbd_add_socket(), arg will be cast to int. +Assuming the value of arg is 0x80000000000000001) (on a 64-bit machine), +it will become 1 after the coercion, which will return unexpected results. + +Fix it by adding checks to prevent passing in too large numbers. + +Signed-off-by: Zhong Jinghua +Reviewed-by: Yu Kuai +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/r/20230206145805.2645671-1-zhongjinghua@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index ade8b839e4458..394355f12d4e0 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -326,6 +326,9 @@ static int nbd_set_size(struct nbd_device *nbd, loff_t bytesize, + if (blksize < 512 || blksize > PAGE_SIZE || !is_power_of_2(blksize)) + return -EINVAL; + ++ if (bytesize < 0) ++ return -EINVAL; ++ + nbd->config->bytesize = bytesize; + nbd->config->blksize_bits = __ffs(blksize); + +@@ -1048,6 +1051,9 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg, + struct nbd_sock *nsock; + int err; + ++ /* Arg will be cast to int, check it to avoid overflow */ ++ if (arg > INT_MAX) ++ return -EINVAL; + sock = nbd_get_socket(nbd, arg, &err); + if (!sock) + return err; +-- +2.39.2 + diff --git a/queue-5.15/net-catch-invalid-index-in-xps-mapping.patch b/queue-5.15/net-catch-invalid-index-in-xps-mapping.patch new file mode 100644 index 00000000000..7998e1f5eea --- /dev/null +++ b/queue-5.15/net-catch-invalid-index-in-xps-mapping.patch @@ -0,0 +1,43 @@ +From 55cf79455222d224e8760a467db0fe6c2c1bfd0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Mar 2023 10:07:24 -0500 +Subject: net: Catch invalid index in XPS mapping + +From: Nick Child + +[ Upstream commit 5dd0dfd55baec0742ba8f5625a0dd064aca7db16 ] + +When setting the XPS value of a TX queue, warn the user once if the +index of the queue is greater than the number of allocated TX queues. + +Previously, this scenario went uncaught. In the best case, it resulted +in unnecessary allocations. In the worst case, it resulted in +out-of-bounds memory references through calls to `netdev_get_tx_queue( +dev, index)`. Therefore, it is important to inform the user but not +worth returning an error and risk downing the netdevice. + +Signed-off-by: Nick Child +Reviewed-by: Piotr Raczynski +Link: https://lore.kernel.org/r/20230321150725.127229-1-nnac123@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 30289cd1c29f4..56a3bff7249d4 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2574,6 +2574,8 @@ int __netif_set_xps_queue(struct net_device *dev, const unsigned long *mask, + struct xps_map *map, *new_map; + unsigned int nr_ids; + ++ WARN_ON_ONCE(index >= dev->num_tx_queues); ++ + if (dev->num_tc) { + /* Do not allow XPS on subordinate device directly */ + num_tc = dev->num_tc; +-- +2.39.2 + diff --git a/queue-5.15/net-pasemi-fix-return-type-of-pasemi_mac_start_tx.patch b/queue-5.15/net-pasemi-fix-return-type-of-pasemi_mac_start_tx.patch new file mode 100644 index 00000000000..f6535a478f9 --- /dev/null +++ b/queue-5.15/net-pasemi-fix-return-type-of-pasemi_mac_start_tx.patch @@ -0,0 +1,54 @@ +From d3b713ae9009214fd007c2965730eca14fae8b6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Mar 2023 16:41:08 -0700 +Subject: net: pasemi: Fix return type of pasemi_mac_start_tx() + +From: Nathan Chancellor + +[ Upstream commit c8384d4a51e7cb0e6587f3143f29099f202c5de1 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +warning in clang aims to catch these at compile time, which reveals: + + drivers/net/ethernet/pasemi/pasemi_mac.c:1665:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = pasemi_mac_start_tx, + ^~~~~~~~~~~~~~~~~~~ + 1 error generated. + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of +pasemi_mac_start_tx() to match the prototype's to resolve the warning. +While PowerPC does not currently implement support for kCFI, it could in +the future, which means this warning becomes a fatal CFI failure at run +time. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Signed-off-by: Nathan Chancellor +Reviewed-by: Horatiu Vultur +Link: https://lore.kernel.org/r/20230319-pasemi-incompatible-pointer-types-strict-v1-1-1b9459d8aef0@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pasemi/pasemi_mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/pasemi/pasemi_mac.c b/drivers/net/ethernet/pasemi/pasemi_mac.c +index 7e096b2888b92..b223488318ad7 100644 +--- a/drivers/net/ethernet/pasemi/pasemi_mac.c ++++ b/drivers/net/ethernet/pasemi/pasemi_mac.c +@@ -1423,7 +1423,7 @@ static void pasemi_mac_queue_csdesc(const struct sk_buff *skb, + write_dma_reg(PAS_DMA_TXCHAN_INCR(txring->chan.chno), 2); + } + +-static int pasemi_mac_start_tx(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t pasemi_mac_start_tx(struct sk_buff *skb, struct net_device *dev) + { + struct pasemi_mac * const mac = netdev_priv(dev); + struct pasemi_mac_txring * const txring = tx_ring(mac); +-- +2.39.2 + diff --git a/queue-5.15/null_blk-always-check-queue-mode-setting-from-config.patch b/queue-5.15/null_blk-always-check-queue-mode-setting-from-config.patch new file mode 100644 index 00000000000..6bfbddf4b49 --- /dev/null +++ b/queue-5.15/null_blk-always-check-queue-mode-setting-from-config.patch @@ -0,0 +1,87 @@ +From 4edad5035e26c80cefbce1b86a2880390286b02e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Apr 2023 15:03:39 -0700 +Subject: null_blk: Always check queue mode setting from configfs + +From: Chaitanya Kulkarni + +[ Upstream commit 63f8793ee60513a09f110ea460a6ff2c33811cdb ] + +Make sure to check device queue mode in the null_validate_conf() and +return error for NULL_Q_RQ as we don't allow legacy I/O path, without +this patch we get OOPs when queue mode is set to 1 from configfs, +following are repro steps :- + +modprobe null_blk nr_devices=0 +mkdir config/nullb/nullb0 +echo 1 > config/nullb/nullb0/memory_backed +echo 4096 > config/nullb/nullb0/blocksize +echo 20480 > config/nullb/nullb0/size +echo 1 > config/nullb/nullb0/queue_mode +echo 1 > config/nullb/nullb0/power + +Entering kdb (current=0xffff88810acdd080, pid 2372) on processor 42 Oops: (null) +due to oops @ 0xffffffffc041c329 +CPU: 42 PID: 2372 Comm: sh Tainted: G O N 6.3.0-rc5lblk+ #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +RIP: 0010:null_add_dev.part.0+0xd9/0x720 [null_blk] +Code: 01 00 00 85 d2 0f 85 a1 03 00 00 48 83 bb 08 01 00 00 00 0f 85 f7 03 00 00 80 bb 62 01 00 00 00 48 8b 75 20 0f 85 6d 02 00 00 <48> 89 6e 60 48 8b 75 20 bf 06 00 00 00 e8 f5 37 2c c1 48 8b 75 20 +RSP: 0018:ffffc900052cbde0 EFLAGS: 00010246 +RAX: 0000000000000001 RBX: ffff88811084d800 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888100042e00 +RBP: ffff8881053d8200 R08: ffffc900052cbd68 R09: ffff888105db2000 +R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000002 +R13: ffff888104765200 R14: ffff88810eec1748 R15: ffff88810eec1740 +FS: 00007fd445fd1740(0000) GS:ffff8897dfc80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000060 CR3: 0000000166a00000 CR4: 0000000000350ee0 +DR0: ffffffff8437a488 DR1: ffffffff8437a489 DR2: ffffffff8437a48a +DR3: ffffffff8437a48b DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Call Trace: + + nullb_device_power_store+0xd1/0x120 [null_blk] + configfs_write_iter+0xb4/0x120 + vfs_write+0x2ba/0x3c0 + ksys_write+0x5f/0xe0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7fd4460c57a7 +Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 +RSP: 002b:00007ffd3792a4a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fd4460c57a7 +RDX: 0000000000000002 RSI: 000055b43c02e4c0 RDI: 0000000000000001 +RBP: 000055b43c02e4c0 R08: 000000000000000a R09: 00007fd44615b4e0 +R10: 00007fd44615b3e0 R11: 0000000000000246 R12: 0000000000000002 +R13: 00007fd446198520 R14: 0000000000000002 R15: 00007fd446198700 + + +Signed-off-by: Chaitanya Kulkarni +Reviewed-by: Damien Le Moal +Reviewed-by: Ming Lei +Reviewed-by: Nitesh Shetty +Link: https://lore.kernel.org/r/20230416220339.43845-1-kch@nvidia.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/null_blk/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c +index 033b0f64f2b9b..686ec6bcdef3d 100644 +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -1744,6 +1744,11 @@ static int null_init_tag_set(struct nullb *nullb, struct blk_mq_tag_set *set) + + static int null_validate_conf(struct nullb_device *dev) + { ++ if (dev->queue_mode == NULL_Q_RQ) { ++ pr_err("legacy IO path is no longer available\n"); ++ return -EINVAL; ++ } ++ + dev->blocksize = round_down(dev->blocksize, 512); + dev->blocksize = clamp_t(unsigned int, dev->blocksize, 512, 4096); + +-- +2.39.2 + diff --git a/queue-5.15/parisc-replace-regular-spinlock-with-spin_trylock-on.patch b/queue-5.15/parisc-replace-regular-spinlock-with-spin_trylock-on.patch new file mode 100644 index 00000000000..9c0a661f9b2 --- /dev/null +++ b/queue-5.15/parisc-replace-regular-spinlock-with-spin_trylock-on.patch @@ -0,0 +1,136 @@ +From f351b59e9d9f4e04a4aaca42e2994bf4e7fcd732 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Feb 2023 18:11:05 -0300 +Subject: parisc: Replace regular spinlock with spin_trylock on panic path + +From: Guilherme G. Piccoli + +[ Upstream commit 829632dae8321787525ee37dc4828bbe6edafdae ] + +The panic notifiers' callbacks execute in an atomic context, with +interrupts/preemption disabled, and all CPUs not running the panic +function are off, so it's very dangerous to wait on a regular +spinlock, there's a risk of deadlock. + +Refactor the panic notifier of parisc/power driver to make use +of spin_trylock - for that, we've added a second version of the +soft-power function. Also, some comments were reorganized and +trailing white spaces, useless header inclusion and blank lines +were removed. + +Cc: "James E.J. Bottomley" +Cc: Jeroen Roovers +Acked-by: Helge Deller # parisc +Signed-off-by: Guilherme G. Piccoli +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/include/asm/pdc.h | 1 + + arch/parisc/kernel/firmware.c | 27 +++++++++++++++++++++++---- + drivers/parisc/power.c | 16 ++++++++++------ + 3 files changed, 34 insertions(+), 10 deletions(-) + +diff --git a/arch/parisc/include/asm/pdc.h b/arch/parisc/include/asm/pdc.h +index b388d81765883..2f48e0a80d9c6 100644 +--- a/arch/parisc/include/asm/pdc.h ++++ b/arch/parisc/include/asm/pdc.h +@@ -81,6 +81,7 @@ int pdc_do_firm_test_reset(unsigned long ftc_bitmap); + int pdc_do_reset(void); + int pdc_soft_power_info(unsigned long *power_reg); + int pdc_soft_power_button(int sw_control); ++int pdc_soft_power_button_panic(int sw_control); + void pdc_io_reset(void); + void pdc_io_reset_devices(void); + int pdc_iodc_getc(void); +diff --git a/arch/parisc/kernel/firmware.c b/arch/parisc/kernel/firmware.c +index 8e5a906df9175..5385e0fe98426 100644 +--- a/arch/parisc/kernel/firmware.c ++++ b/arch/parisc/kernel/firmware.c +@@ -1158,15 +1158,18 @@ int __init pdc_soft_power_info(unsigned long *power_reg) + } + + /* +- * pdc_soft_power_button - Control the soft power button behaviour +- * @sw_control: 0 for hardware control, 1 for software control ++ * pdc_soft_power_button{_panic} - Control the soft power button behaviour ++ * @sw_control: 0 for hardware control, 1 for software control + * + * + * This PDC function places the soft power button under software or + * hardware control. +- * Under software control the OS may control to when to allow to shut +- * down the system. Under hardware control pressing the power button ++ * Under software control the OS may control to when to allow to shut ++ * down the system. Under hardware control pressing the power button + * powers off the system immediately. ++ * ++ * The _panic version relies on spin_trylock to prevent deadlock ++ * on panic path. + */ + int pdc_soft_power_button(int sw_control) + { +@@ -1180,6 +1183,22 @@ int pdc_soft_power_button(int sw_control) + return retval; + } + ++int pdc_soft_power_button_panic(int sw_control) ++{ ++ int retval; ++ unsigned long flags; ++ ++ if (!spin_trylock_irqsave(&pdc_lock, flags)) { ++ pr_emerg("Couldn't enable soft power button\n"); ++ return -EBUSY; /* ignored by the panic notifier */ ++ } ++ ++ retval = mem_pdc_call(PDC_SOFT_POWER, PDC_SOFT_POWER_ENABLE, __pa(pdc_result), sw_control); ++ spin_unlock_irqrestore(&pdc_lock, flags); ++ ++ return retval; ++} ++ + /* + * pdc_io_reset - Hack to avoid overlapping range registers of Bridges devices. + * Primarily a problem on T600 (which parisc-linux doesn't support) but +diff --git a/drivers/parisc/power.c b/drivers/parisc/power.c +index 456776bd8ee66..6f5e5f0230d39 100644 +--- a/drivers/parisc/power.c ++++ b/drivers/parisc/power.c +@@ -37,7 +37,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -175,16 +174,21 @@ static void powerfail_interrupt(int code, void *x) + + + +-/* parisc_panic_event() is called by the panic handler. +- * As soon as a panic occurs, our tasklets above will not be +- * executed any longer. This function then re-enables the +- * soft-power switch and allows the user to switch off the system ++/* ++ * parisc_panic_event() is called by the panic handler. ++ * ++ * As soon as a panic occurs, our tasklets above will not ++ * be executed any longer. This function then re-enables ++ * the soft-power switch and allows the user to switch off ++ * the system. We rely in pdc_soft_power_button_panic() ++ * since this version spin_trylocks (instead of regular ++ * spinlock), preventing deadlocks on panic path. + */ + static int parisc_panic_event(struct notifier_block *this, + unsigned long event, void *ptr) + { + /* re-enable the soft-power switch */ +- pdc_soft_power_button(0); ++ pdc_soft_power_button_panic(0); + return NOTIFY_DONE; + } + +-- +2.39.2 + diff --git a/queue-5.15/phy-st-miphy28lp-use-_poll_timeout-functions-for-wai.patch b/queue-5.15/phy-st-miphy28lp-use-_poll_timeout-functions-for-wai.patch new file mode 100644 index 00000000000..e42e3f22e2d --- /dev/null +++ b/queue-5.15/phy-st-miphy28lp-use-_poll_timeout-functions-for-wai.patch @@ -0,0 +1,113 @@ +From 5ab5b7d3622fab706d521c1989c8139800c5e015 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 23:43:08 +0100 +Subject: phy: st: miphy28lp: use _poll_timeout functions for waits + +From: Alain Volmat + +[ Upstream commit e3be4dd2c8d8aabfd2c3127d0e2e5754d3ae82d6 ] + +This commit introduces _poll_timeout functions usage instead of +wait loops waiting for a status bit. + +Signed-off-by: Alain Volmat +Reviewed-by: Patrice Chotard +Link: https://lore.kernel.org/r/20230210224309.98452-1-avolmat@me.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/st/phy-miphy28lp.c | 42 ++++++++-------------------------- + 1 file changed, 10 insertions(+), 32 deletions(-) + +diff --git a/drivers/phy/st/phy-miphy28lp.c b/drivers/phy/st/phy-miphy28lp.c +index 068160a34f5cc..e30305b77f0d1 100644 +--- a/drivers/phy/st/phy-miphy28lp.c ++++ b/drivers/phy/st/phy-miphy28lp.c +@@ -9,6 +9,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -484,19 +485,11 @@ static inline void miphy28lp_pcie_config_gen(struct miphy28lp_phy *miphy_phy) + + static inline int miphy28lp_wait_compensation(struct miphy28lp_phy *miphy_phy) + { +- unsigned long finish = jiffies + 5 * HZ; + u8 val; + + /* Waiting for Compensation to complete */ +- do { +- val = readb_relaxed(miphy_phy->base + MIPHY_COMP_FSM_6); +- +- if (time_after_eq(jiffies, finish)) +- return -EBUSY; +- cpu_relax(); +- } while (!(val & COMP_DONE)); +- +- return 0; ++ return readb_relaxed_poll_timeout(miphy_phy->base + MIPHY_COMP_FSM_6, ++ val, val & COMP_DONE, 1, 5 * USEC_PER_SEC); + } + + +@@ -805,7 +798,6 @@ static inline void miphy28lp_configure_usb3(struct miphy28lp_phy *miphy_phy) + + static inline int miphy_is_ready(struct miphy28lp_phy *miphy_phy) + { +- unsigned long finish = jiffies + 5 * HZ; + u8 mask = HFC_PLL | HFC_RDY; + u8 val; + +@@ -816,21 +808,14 @@ static inline int miphy_is_ready(struct miphy28lp_phy *miphy_phy) + if (miphy_phy->type == PHY_TYPE_SATA) + mask |= PHY_RDY; + +- do { +- val = readb_relaxed(miphy_phy->base + MIPHY_STATUS_1); +- if ((val & mask) != mask) +- cpu_relax(); +- else +- return 0; +- } while (!time_after_eq(jiffies, finish)); +- +- return -EBUSY; ++ return readb_relaxed_poll_timeout(miphy_phy->base + MIPHY_STATUS_1, ++ val, (val & mask) == mask, 1, ++ 5 * USEC_PER_SEC); + } + + static int miphy_osc_is_ready(struct miphy28lp_phy *miphy_phy) + { + struct miphy28lp_dev *miphy_dev = miphy_phy->phydev; +- unsigned long finish = jiffies + 5 * HZ; + u32 val; + + if (!miphy_phy->osc_rdy) +@@ -839,17 +824,10 @@ static int miphy_osc_is_ready(struct miphy28lp_phy *miphy_phy) + if (!miphy_phy->syscfg_reg[SYSCFG_STATUS]) + return -EINVAL; + +- do { +- regmap_read(miphy_dev->regmap, +- miphy_phy->syscfg_reg[SYSCFG_STATUS], &val); +- +- if ((val & MIPHY_OSC_RDY) != MIPHY_OSC_RDY) +- cpu_relax(); +- else +- return 0; +- } while (!time_after_eq(jiffies, finish)); +- +- return -EBUSY; ++ return regmap_read_poll_timeout(miphy_dev->regmap, ++ miphy_phy->syscfg_reg[SYSCFG_STATUS], ++ val, val & MIPHY_OSC_RDY, 1, ++ 5 * USEC_PER_SEC); + } + + static int miphy28lp_get_resource_byname(struct device_node *child, +-- +2.39.2 + diff --git a/queue-5.15/rcu-protect-rcu_print_task_exp_stall-exp_tasks-acces.patch b/queue-5.15/rcu-protect-rcu_print_task_exp_stall-exp_tasks-acces.patch new file mode 100644 index 00000000000..eab4500a502 --- /dev/null +++ b/queue-5.15/rcu-protect-rcu_print_task_exp_stall-exp_tasks-acces.patch @@ -0,0 +1,68 @@ +From 4c3f32ab57eb43b53c45b8c1e37ff33ecd2b34e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Dec 2022 13:25:53 +0800 +Subject: rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access + +From: Zqiang + +[ Upstream commit 3c1566bca3f8349f12b75d0a2d5e4a20ad6262ec ] + +For kernels built with CONFIG_PREEMPT_RCU=y, the following scenario can +result in a NULL-pointer dereference: + + CPU1 CPU2 +rcu_preempt_deferred_qs_irqrestore rcu_print_task_exp_stall + if (special.b.blocked) READ_ONCE(rnp->exp_tasks) != NULL + raw_spin_lock_rcu_node + np = rcu_next_node_entry(t, rnp) + if (&t->rcu_node_entry == rnp->exp_tasks) + WRITE_ONCE(rnp->exp_tasks, np) + .... + raw_spin_unlock_irqrestore_rcu_node + raw_spin_lock_irqsave_rcu_node + t = list_entry(rnp->exp_tasks->prev, + struct task_struct, rcu_node_entry) + (if rnp->exp_tasks is NULL, this + will dereference a NULL pointer) + +The problem is that CPU2 accesses the rcu_node structure's->exp_tasks +field without holding the rcu_node structure's ->lock and CPU2 did +not observe CPU1's change to rcu_node structure's ->exp_tasks in time. +Therefore, if CPU1 sets rcu_node structure's->exp_tasks pointer to NULL, +then CPU2 might dereference that NULL pointer. + +This commit therefore holds the rcu_node structure's ->lock while +accessing that structure's->exp_tasks field. + +[ paulmck: Apply Frederic Weisbecker feedback. ] + +Acked-by: Joel Fernandes (Google) +Signed-off-by: Zqiang +Signed-off-by: Paul E. McKenney +Signed-off-by: Joel Fernandes (Google) +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_exp.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h +index f9fb2793b0193..f46c0c1a5eb35 100644 +--- a/kernel/rcu/tree_exp.h ++++ b/kernel/rcu/tree_exp.h +@@ -708,9 +708,11 @@ static int rcu_print_task_exp_stall(struct rcu_node *rnp) + int ndetected = 0; + struct task_struct *t; + +- if (!READ_ONCE(rnp->exp_tasks)) +- return 0; + raw_spin_lock_irqsave_rcu_node(rnp, flags); ++ if (!rnp->exp_tasks) { ++ raw_spin_unlock_irqrestore_rcu_node(rnp, flags); ++ return 0; ++ } + t = list_entry(rnp->exp_tasks->prev, + struct task_struct, rcu_node_entry); + list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) { +-- +2.39.2 + diff --git a/queue-5.15/rdma-core-fix-multiple-warray-bounds-warnings.patch b/queue-5.15/rdma-core-fix-multiple-warray-bounds-warnings.patch new file mode 100644 index 00000000000..fc3ec7d2939 --- /dev/null +++ b/queue-5.15/rdma-core-fix-multiple-warray-bounds-warnings.patch @@ -0,0 +1,187 @@ +From 03707e8f8766e3139fbf7603fbc2bdc109b8d400 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Mar 2023 17:47:03 -0600 +Subject: RDMA/core: Fix multiple -Warray-bounds warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gustavo A. R. Silva + +[ Upstream commit aa4d540b4150052ae3b36d286b9c833a961ce291 ] + +GCC-13 (and Clang)[1] does not like to access a partially allocated +object, since it cannot reason about it for bounds checking. + +In this case 140 bytes are allocated for an object of type struct +ib_umad_packet: + + packet = kzalloc(sizeof(*packet) + IB_MGMT_RMPP_HDR, GFP_KERNEL); + +However, notice that sizeof(*packet) is only 104 bytes: + +struct ib_umad_packet { + struct ib_mad_send_buf * msg; /* 0 8 */ + struct ib_mad_recv_wc * recv_wc; /* 8 8 */ + struct list_head list; /* 16 16 */ + int length; /* 32 4 */ + + /* XXX 4 bytes hole, try to pack */ + + struct ib_user_mad mad __attribute__((__aligned__(8))); /* 40 64 */ + + /* size: 104, cachelines: 2, members: 5 */ + /* sum members: 100, holes: 1, sum holes: 4 */ + /* forced alignments: 1, forced holes: 1, sum forced holes: 4 */ + /* last cacheline: 40 bytes */ +} __attribute__((__aligned__(8))); + +and 36 bytes extra bytes are allocated for a flexible-array member in +struct ib_user_mad: + +include/rdma/ib_mad.h: +120 enum { +... +123 IB_MGMT_RMPP_HDR = 36, +... } + +struct ib_user_mad { + struct ib_user_mad_hdr hdr; /* 0 64 */ + /* --- cacheline 1 boundary (64 bytes) --- */ + __u64 data[] __attribute__((__aligned__(8))); /* 64 0 */ + + /* size: 64, cachelines: 1, members: 2 */ + /* forced alignments: 1 */ +} __attribute__((__aligned__(8))); + +So we have sizeof(*packet) + IB_MGMT_RMPP_HDR == 140 bytes + +Then the address of the flex-array member (for which only 36 bytes were +allocated) is casted and copied into a pointer to struct ib_rmpp_mad, +which, in turn, is of size 256 bytes: + + rmpp_mad = (struct ib_rmpp_mad *) packet->mad.data; + +struct ib_rmpp_mad { + struct ib_mad_hdr mad_hdr; /* 0 24 */ + struct ib_rmpp_hdr rmpp_hdr; /* 24 12 */ + u8 data[220]; /* 36 220 */ + + /* size: 256, cachelines: 4, members: 3 */ +}; + +The thing is that those 36 bytes allocated for flex-array member data +in struct ib_user_mad onlly account for the size of both struct ib_mad_hdr +and struct ib_rmpp_hdr, but nothing is left for array u8 data[220]. +So, the compiler is legitimately complaining about accessing an object +for which not enough memory was allocated. + +Apparently, the only members of struct ib_rmpp_mad that are relevant +(that are actually being used) in function ib_umad_write() are mad_hdr +and rmpp_hdr. So, instead of casting packet->mad.data to +(struct ib_rmpp_mad *) create a new structure + +struct ib_rmpp_mad_hdr { + struct ib_mad_hdr mad_hdr; + struct ib_rmpp_hdr rmpp_hdr; +} __packed; + +and cast packet->mad.data to (struct ib_rmpp_mad_hdr *). + +Notice that + + IB_MGMT_RMPP_HDR == sizeof(struct ib_rmpp_mad_hdr) == 36 bytes + +Refactor the rest of the code, accordingly. + +Fix the following warnings seen under GCC-13 and -Warray-bounds: +drivers/infiniband/core/user_mad.c:564:50: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=] +drivers/infiniband/core/user_mad.c:566:42: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=] +drivers/infiniband/core/user_mad.c:618:25: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=] +drivers/infiniband/core/user_mad.c:622:44: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=] + +Link: https://github.com/KSPP/linux/issues/273 +Link: https://godbolt.org/z/oYWaGM4Yb [1] +Signed-off-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/ZBpB91qQcB10m3Fw@work +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/user_mad.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c +index 98cb594cd9a69..a61c9ede43387 100644 +--- a/drivers/infiniband/core/user_mad.c ++++ b/drivers/infiniband/core/user_mad.c +@@ -131,6 +131,11 @@ struct ib_umad_packet { + struct ib_user_mad mad; + }; + ++struct ib_rmpp_mad_hdr { ++ struct ib_mad_hdr mad_hdr; ++ struct ib_rmpp_hdr rmpp_hdr; ++} __packed; ++ + #define CREATE_TRACE_POINTS + #include + +@@ -494,11 +499,11 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + size_t count, loff_t *pos) + { + struct ib_umad_file *file = filp->private_data; ++ struct ib_rmpp_mad_hdr *rmpp_mad_hdr; + struct ib_umad_packet *packet; + struct ib_mad_agent *agent; + struct rdma_ah_attr ah_attr; + struct ib_ah *ah; +- struct ib_rmpp_mad *rmpp_mad; + __be64 *tid; + int ret, data_len, hdr_len, copy_offset, rmpp_active; + u8 base_version; +@@ -506,7 +511,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + if (count < hdr_size(file) + IB_MGMT_RMPP_HDR) + return -EINVAL; + +- packet = kzalloc(sizeof *packet + IB_MGMT_RMPP_HDR, GFP_KERNEL); ++ packet = kzalloc(sizeof(*packet) + IB_MGMT_RMPP_HDR, GFP_KERNEL); + if (!packet) + return -ENOMEM; + +@@ -560,13 +565,13 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + goto err_up; + } + +- rmpp_mad = (struct ib_rmpp_mad *) packet->mad.data; +- hdr_len = ib_get_mad_data_offset(rmpp_mad->mad_hdr.mgmt_class); ++ rmpp_mad_hdr = (struct ib_rmpp_mad_hdr *)packet->mad.data; ++ hdr_len = ib_get_mad_data_offset(rmpp_mad_hdr->mad_hdr.mgmt_class); + +- if (ib_is_mad_class_rmpp(rmpp_mad->mad_hdr.mgmt_class) ++ if (ib_is_mad_class_rmpp(rmpp_mad_hdr->mad_hdr.mgmt_class) + && ib_mad_kernel_rmpp_agent(agent)) { + copy_offset = IB_MGMT_RMPP_HDR; +- rmpp_active = ib_get_rmpp_flags(&rmpp_mad->rmpp_hdr) & ++ rmpp_active = ib_get_rmpp_flags(&rmpp_mad_hdr->rmpp_hdr) & + IB_MGMT_RMPP_FLAG_ACTIVE; + } else { + copy_offset = IB_MGMT_MAD_HDR; +@@ -615,12 +620,12 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + tid = &((struct ib_mad_hdr *) packet->msg->mad)->tid; + *tid = cpu_to_be64(((u64) agent->hi_tid) << 32 | + (be64_to_cpup(tid) & 0xffffffff)); +- rmpp_mad->mad_hdr.tid = *tid; ++ rmpp_mad_hdr->mad_hdr.tid = *tid; + } + + if (!ib_mad_kernel_rmpp_agent(agent) +- && ib_is_mad_class_rmpp(rmpp_mad->mad_hdr.mgmt_class) +- && (ib_get_rmpp_flags(&rmpp_mad->rmpp_hdr) & IB_MGMT_RMPP_FLAG_ACTIVE)) { ++ && ib_is_mad_class_rmpp(rmpp_mad_hdr->mad_hdr.mgmt_class) ++ && (ib_get_rmpp_flags(&rmpp_mad_hdr->rmpp_hdr) & IB_MGMT_RMPP_FLAG_ACTIVE)) { + spin_lock_irq(&file->send_lock); + list_add_tail(&packet->list, &file->send_list); + spin_unlock_irq(&file->send_lock); +-- +2.39.2 + diff --git a/queue-5.15/recordmcount-fix-memory-leaks-in-the-uwrite-function.patch b/queue-5.15/recordmcount-fix-memory-leaks-in-the-uwrite-function.patch new file mode 100644 index 00000000000..64c408d09f8 --- /dev/null +++ b/queue-5.15/recordmcount-fix-memory-leaks-in-the-uwrite-function.patch @@ -0,0 +1,48 @@ +From b04e5b53b5c143f8758eb8c98d2de3ee50370496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 09:05:27 +0800 +Subject: recordmcount: Fix memory leaks in the uwrite function + +From: Hao Zeng + +[ Upstream commit fa359d068574d29e7d2f0fdd0ebe4c6a12b5cfb9 ] + +Common realloc mistake: 'file_append' nulled but not freed upon failure + +Link: https://lkml.kernel.org/r/20230426010527.703093-1-zenghao@kylinos.cn + +Signed-off-by: Hao Zeng +Suggested-by: Steven Rostedt +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + scripts/recordmcount.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c +index cce12e1971d85..ec692af8ce9eb 100644 +--- a/scripts/recordmcount.c ++++ b/scripts/recordmcount.c +@@ -102,6 +102,7 @@ static ssize_t uwrite(void const *const buf, size_t const count) + { + size_t cnt = count; + off_t idx = 0; ++ void *p = NULL; + + file_updated = 1; + +@@ -109,7 +110,10 @@ static ssize_t uwrite(void const *const buf, size_t const count) + off_t aoffset = (file_ptr + count) - file_end; + + if (aoffset > file_append_size) { +- file_append = realloc(file_append, aoffset); ++ p = realloc(file_append, aoffset); ++ if (!p) ++ free(file_append); ++ file_append = p; + file_append_size = aoffset; + } + if (!file_append) { +-- +2.39.2 + diff --git a/queue-5.15/refscale-move-shutdown-from-wait_event-to-wait_event.patch b/queue-5.15/refscale-move-shutdown-from-wait_event-to-wait_event.patch new file mode 100644 index 00000000000..e8febecbbe1 --- /dev/null +++ b/queue-5.15/refscale-move-shutdown-from-wait_event-to-wait_event.patch @@ -0,0 +1,42 @@ +From 71649886df297fdc29b9e7936b595a535af0736a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 16:12:18 -0800 +Subject: refscale: Move shutdown from wait_event() to wait_event_idle() + +From: Paul E. McKenney + +[ Upstream commit 6bc6e6b27524304aadb9c04611ddb1c84dd7617a ] + +The ref_scale_shutdown() kthread/function uses wait_event() to wait for +the refscale test to complete. However, although the read-side tests +are normally extremely fast, there is no law against specifying a very +large value for the refscale.loops module parameter or against having +a slow read-side primitive. Either way, this might well trigger the +hung-task timeout. + +This commit therefore replaces those wait_event() calls with calls to +wait_event_idle(), which do not trigger the hung-task timeout. + +Signed-off-by: Paul E. McKenney +Signed-off-by: Boqun Feng +Signed-off-by: Sasha Levin +--- + kernel/rcu/refscale.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/refscale.c b/kernel/rcu/refscale.c +index 66dc14cf5687e..5abb0cf52803a 100644 +--- a/kernel/rcu/refscale.c ++++ b/kernel/rcu/refscale.c +@@ -777,7 +777,7 @@ ref_scale_cleanup(void) + static int + ref_scale_shutdown(void *arg) + { +- wait_event(shutdown_wq, shutdown_start); ++ wait_event_idle(shutdown_wq, shutdown_start); + + smp_mb(); // Wake before output. + ref_scale_cleanup(); +-- +2.39.2 + diff --git a/queue-5.15/regmap-cache-return-error-in-cache-sync-operations-f.patch b/queue-5.15/regmap-cache-return-error-in-cache-sync-operations-f.patch new file mode 100644 index 00000000000..8b17d499768 --- /dev/null +++ b/queue-5.15/regmap-cache-return-error-in-cache-sync-operations-f.patch @@ -0,0 +1,49 @@ +From b53d8eac14ee2d7a78172500e2cfea7c98c4cf89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 08:18:11 +0100 +Subject: regmap: cache: Return error in cache sync operations for + REGCACHE_NONE + +From: Alexander Stein + +[ Upstream commit fd883d79e4dcd2417c2b80756f22a2ff03b0f6e0 ] + +There is no sense in doing a cache sync on REGCACHE_NONE regmaps. +Instead of panicking the kernel due to missing cache_ops, return an error +to client driver. + +Signed-off-by: Alexander Stein +Link: https://lore.kernel.org/r/20230313071812.13577-1-alexander.stein@ew.tq-group.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regcache.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c +index f2469d3435ca3..0b517a83c4493 100644 +--- a/drivers/base/regmap/regcache.c ++++ b/drivers/base/regmap/regcache.c +@@ -343,6 +343,9 @@ int regcache_sync(struct regmap *map) + const char *name; + bool bypass; + ++ if (WARN_ON(map->cache_type == REGCACHE_NONE)) ++ return -EINVAL; ++ + BUG_ON(!map->cache_ops); + + map->lock(map->lock_arg); +@@ -412,6 +415,9 @@ int regcache_sync_region(struct regmap *map, unsigned int min, + const char *name; + bool bypass; + ++ if (WARN_ON(map->cache_type == REGCACHE_NONE)) ++ return -EINVAL; ++ + BUG_ON(!map->cache_ops); + + map->lock(map->lock_arg); +-- +2.39.2 + diff --git a/queue-5.15/remoteproc-stm32_rproc-add-mutex-protection-for-work.patch b/queue-5.15/remoteproc-stm32_rproc-add-mutex-protection-for-work.patch new file mode 100644 index 00000000000..284c749317f --- /dev/null +++ b/queue-5.15/remoteproc-stm32_rproc-add-mutex-protection-for-work.patch @@ -0,0 +1,58 @@ +From 2c21617997c2bdbe9507092c123d1da411cecfae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 18:06:34 +0200 +Subject: remoteproc: stm32_rproc: Add mutex protection for workqueue + +From: Arnaud Pouliquen + +[ Upstream commit 35bdafda40cc343ad2ba2cce105eba03a70241cc ] + +The workqueue may execute late even after remoteproc is stopped or +stopping, some resources (rpmsg device and endpoint) have been +released in rproc_stop_subdevices(), then rproc_vq_interrupt() +accessing these resources will cause kernel dump. + +Call trace: +virtqueue_add_inbuf +virtqueue_add_inbuf +rpmsg_recv_single +rpmsg_recv_done +vring_interrupt +stm32_rproc_mb_vq_work +process_one_work +worker_thread +kthread + +Suggested-by: Mathieu Poirier +Signed-off-by: Arnaud Pouliquen +Link: https://lore.kernel.org/r/20230331160634.3113031-1-arnaud.pouliquen@foss.st.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/stm32_rproc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/remoteproc/stm32_rproc.c b/drivers/remoteproc/stm32_rproc.c +index a0fabc3f13dc2..aba3df1d1bf52 100644 +--- a/drivers/remoteproc/stm32_rproc.c ++++ b/drivers/remoteproc/stm32_rproc.c +@@ -291,8 +291,16 @@ static void stm32_rproc_mb_vq_work(struct work_struct *work) + struct stm32_mbox *mb = container_of(work, struct stm32_mbox, vq_work); + struct rproc *rproc = dev_get_drvdata(mb->client.dev); + ++ mutex_lock(&rproc->lock); ++ ++ if (rproc->state != RPROC_RUNNING) ++ goto unlock_mutex; ++ + if (rproc_vq_interrupt(rproc, mb->vq_id) == IRQ_NONE) + dev_dbg(&rproc->dev, "no message found in vq%d\n", mb->vq_id); ++ ++unlock_mutex: ++ mutex_unlock(&rproc->lock); + } + + static void stm32_rproc_mb_callback(struct mbox_client *cl, void *data) +-- +2.39.2 + diff --git a/queue-5.15/samples-bpf-fix-fout-leak-in-hbm-s-run_bpf_prog.patch b/queue-5.15/samples-bpf-fix-fout-leak-in-hbm-s-run_bpf_prog.patch new file mode 100644 index 00000000000..1afdfb328f9 --- /dev/null +++ b/queue-5.15/samples-bpf-fix-fout-leak-in-hbm-s-run_bpf_prog.patch @@ -0,0 +1,35 @@ +From 3b61deb1765dc6dba98cb5e84ef61304002c10de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Apr 2023 16:43:49 +0800 +Subject: samples/bpf: Fix fout leak in hbm's run_bpf_prog + +From: Hao Zeng + +[ Upstream commit 23acb14af1914010dd0aae1bbb7fab28bf518b8e ] + +Fix fout being fopen'ed but then not subsequently fclose'd. In the affected +branch, fout is otherwise going out of scope. + +Signed-off-by: Hao Zeng +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20230411084349.1999628-1-zenghao@kylinos.cn +Signed-off-by: Sasha Levin +--- + samples/bpf/hbm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/samples/bpf/hbm.c b/samples/bpf/hbm.c +index b0c18efe7928e..a271099603feb 100644 +--- a/samples/bpf/hbm.c ++++ b/samples/bpf/hbm.c +@@ -308,6 +308,7 @@ static int run_bpf_prog(char *prog, int cg_id) + fout = fopen(fname, "w"); + fprintf(fout, "id:%d\n", cg_id); + fprintf(fout, "ERROR: Could not lookup queue_stats\n"); ++ fclose(fout); + } else if (stats_flag && qstats.lastPacketTime > + qstats.firstPacketTime) { + long long delta_us = (qstats.lastPacketTime - +-- +2.39.2 + diff --git a/queue-5.15/sched-fix-kcsan-noinstr-violation.patch b/queue-5.15/sched-fix-kcsan-noinstr-violation.patch new file mode 100644 index 00000000000..76d83506f96 --- /dev/null +++ b/queue-5.15/sched-fix-kcsan-noinstr-violation.patch @@ -0,0 +1,40 @@ +From 5fb9e32df3bb04f23985929718e1a5ff0d6e19a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Apr 2023 10:24:07 -0700 +Subject: sched: Fix KCSAN noinstr violation + +From: Josh Poimboeuf + +[ Upstream commit e0b081d17a9f4e5c0cbb0e5fbeb1abe3de0f7e4e ] + +With KCSAN enabled, end_of_stack() can get out-of-lined. Force it +inline. + +Fixes the following warnings: + + vmlinux.o: warning: objtool: check_stackleak_irqoff+0x2b: call to end_of_stack() leaves .noinstr.text section + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/cc1b4d73d3a428a00d206242a68fdf99a934ca7b.1681320026.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/sched/task_stack.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h +index 1009b6b5ce403..879a5c8f930b6 100644 +--- a/include/linux/sched/task_stack.h ++++ b/include/linux/sched/task_stack.h +@@ -23,7 +23,7 @@ static __always_inline void *task_stack_page(const struct task_struct *task) + + #define setup_thread_stack(new,old) do { } while(0) + +-static inline unsigned long *end_of_stack(const struct task_struct *task) ++static __always_inline unsigned long *end_of_stack(const struct task_struct *task) + { + #ifdef CONFIG_STACK_GROWSUP + return (unsigned long *)((unsigned long)task->stack + THREAD_SIZE) - 1; +-- +2.39.2 + diff --git a/queue-5.15/scsi-lpfc-prevent-lpfc_debugfs_lockstat_write-buffer.patch b/queue-5.15/scsi-lpfc-prevent-lpfc_debugfs_lockstat_write-buffer.patch new file mode 100644 index 00000000000..0aa8cb460cb --- /dev/null +++ b/queue-5.15/scsi-lpfc-prevent-lpfc_debugfs_lockstat_write-buffer.patch @@ -0,0 +1,56 @@ +From 474f51e001ac459c14b02774a0b478bfb994eb50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 15:16:17 -0800 +Subject: scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow + +From: Justin Tee + +[ Upstream commit c6087b82a9146826564a55c5ca0164cac40348f5 ] + +A static code analysis tool flagged the possibility of buffer overflow when +using copy_from_user() for a debugfs entry. + +Currently, it is possible that copy_from_user() copies more bytes than what +would fit in the mybuf char array. Add a min() restriction check between +sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect +against buffer overflow. + +Link: https://lore.kernel.org/r/20230301231626.9621-2-justintee8345@gmail.com +Signed-off-by: Justin Tee +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_debugfs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c +index 8e8bbe734e875..560b2504e674d 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -2157,10 +2157,13 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf, + char mybuf[64]; + char *pbuf; + int i; ++ size_t bsize; + + memset(mybuf, 0, sizeof(mybuf)); + +- if (copy_from_user(mybuf, buf, nbytes)) ++ bsize = min(nbytes, (sizeof(mybuf) - 1)); ++ ++ if (copy_from_user(mybuf, buf, bsize)) + return -EFAULT; + pbuf = &mybuf[0]; + +@@ -2181,7 +2184,7 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf, + qp->lock_conflict.wq_access = 0; + } + } +- return nbytes; ++ return bsize; + } + #endif + +-- +2.39.2 + diff --git a/queue-5.15/scsi-message-mptlan-fix-use-after-free-bug-in-mptlan.patch b/queue-5.15/scsi-message-mptlan-fix-use-after-free-bug-in-mptlan.patch new file mode 100644 index 00000000000..7a531f2eb62 --- /dev/null +++ b/queue-5.15/scsi-message-mptlan-fix-use-after-free-bug-in-mptlan.patch @@ -0,0 +1,55 @@ +From 0c74ecea34bb987b37464ec1554b838484558eb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Mar 2023 16:16:35 +0800 +Subject: scsi: message: mptlan: Fix use after free bug in mptlan_remove() due + to race condition + +From: Zheng Wang + +[ Upstream commit f486893288f3e9b171b836f43853a6426515d800 ] + +mptlan_probe() calls mpt_register_lan_device() which initializes the +&priv->post_buckets_task workqueue. A call to +mpt_lan_wake_post_buckets_task() will subsequently start the work. + +During driver unload in mptlan_remove() the following race may occur: + +CPU0 CPU1 + + |mpt_lan_post_receive_buckets_work() +mptlan_remove() | + free_netdev() | + kfree(dev); | + | + | dev->mtu + | //use + +Fix this by finishing the work prior to cleaning up in mptlan_remove(). + +[mkp: we really should remove mptlan instead of attempting to fix it] + +Signed-off-by: Zheng Wang +Link: https://lore.kernel.org/r/20230318081635.796479-1-zyytlz.wz@163.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/message/fusion/mptlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/message/fusion/mptlan.c b/drivers/message/fusion/mptlan.c +index 3261cac762def..ec3ee356078db 100644 +--- a/drivers/message/fusion/mptlan.c ++++ b/drivers/message/fusion/mptlan.c +@@ -1427,7 +1427,9 @@ mptlan_remove(struct pci_dev *pdev) + { + MPT_ADAPTER *ioc = pci_get_drvdata(pdev); + struct net_device *dev = ioc->netdev; ++ struct mpt_lan_priv *priv = netdev_priv(dev); + ++ cancel_delayed_work_sync(&priv->post_buckets_task); + if(dev != NULL) { + unregister_netdev(dev); + free_netdev(dev); +-- +2.39.2 + diff --git a/queue-5.15/scsi-target-iscsit-free-cmds-before-session-free.patch b/queue-5.15/scsi-target-iscsit-free-cmds-before-session-free.patch new file mode 100644 index 00000000000..8a11205b6d0 --- /dev/null +++ b/queue-5.15/scsi-target-iscsit-free-cmds-before-session-free.patch @@ -0,0 +1,64 @@ +From a6fd07f8e0d5f31c79e4ab2908d5f9c6b4b68d3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Mar 2023 20:56:17 -0500 +Subject: scsi: target: iscsit: Free cmds before session free + +From: Dmitry Bogdanov + +[ Upstream commit d8990b5a4d065f38f35d69bcd627ec5a7f8330ca ] + +Commands from recovery entries are freed after session has been closed. +That leads to use-after-free at command free or NPE with such call trace: + +Time2Retain timer expired for SID: 1, cleaning up iSCSI session. +BUG: kernel NULL pointer dereference, address: 0000000000000140 +RIP: 0010:sbitmap_queue_clear+0x3a/0xa0 +Call Trace: + target_release_cmd_kref+0xd1/0x1f0 [target_core_mod] + transport_generic_free_cmd+0xd1/0x180 [target_core_mod] + iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod] + iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod] + iscsit_close_session+0x13a/0x140 [iscsi_target_mod] + iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod] + call_timer_fn+0x24/0x140 + +Move cleanup of recovery enrties to before session freeing. + +Reported-by: Forza +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Mike Christie +Link: https://lore.kernel.org/r/20230319015620.96006-7-michael.christie@oracle.com +Reviewed-by: Maurizio Lombardi +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index 9c6b98438f98f..686a9e5918e21 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4387,6 +4387,9 @@ int iscsit_close_session(struct iscsi_session *sess, bool can_sleep) + iscsit_stop_time2retain_timer(sess); + spin_unlock_bh(&se_tpg->session_lock); + ++ if (sess->sess_ops->ErrorRecoveryLevel == 2) ++ iscsit_free_connection_recovery_entries(sess); ++ + /* + * transport_deregister_session_configfs() will clear the + * struct se_node_acl->nacl_sess pointer now as a iscsi_np process context +@@ -4410,9 +4413,6 @@ int iscsit_close_session(struct iscsi_session *sess, bool can_sleep) + + transport_deregister_session(sess->se_sess); + +- if (sess->sess_ops->ErrorRecoveryLevel == 2) +- iscsit_free_connection_recovery_entries(sess); +- + iscsit_free_all_ooo_cmdsns(sess); + + spin_lock_bh(&se_tpg->session_lock); +-- +2.39.2 + diff --git a/queue-5.15/scsi-ufs-ufs-pci-add-support-for-intel-lunar-lake.patch b/queue-5.15/scsi-ufs-ufs-pci-add-support-for-intel-lunar-lake.patch new file mode 100644 index 00000000000..989edfc9c32 --- /dev/null +++ b/queue-5.15/scsi-ufs-ufs-pci-add-support-for-intel-lunar-lake.patch @@ -0,0 +1,34 @@ +From b17b1580726839d7544fc18d5db82d18cecd65ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 13:58:32 +0300 +Subject: scsi: ufs: ufs-pci: Add support for Intel Lunar Lake + +From: Adrian Hunter + +[ Upstream commit 0a07d3c7a1d205b47d9f3608ff4e9d1065d63b6d ] + +Add PCI ID to support Intel Lunar Lake, same as MTL. + +Signed-off-by: Adrian Hunter +Link: https://lore.kernel.org/r/20230328105832.3495-1-adrian.hunter@intel.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd-pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/ufs/ufshcd-pci.c b/drivers/scsi/ufs/ufshcd-pci.c +index e892b9feffb11..0920530a72d28 100644 +--- a/drivers/scsi/ufs/ufshcd-pci.c ++++ b/drivers/scsi/ufs/ufshcd-pci.c +@@ -596,6 +596,7 @@ static const struct pci_device_id ufshcd_pci_tbl[] = { + { PCI_VDEVICE(INTEL, 0x51FF), (kernel_ulong_t)&ufs_intel_adl_hba_vops }, + { PCI_VDEVICE(INTEL, 0x54FF), (kernel_ulong_t)&ufs_intel_adl_hba_vops }, + { PCI_VDEVICE(INTEL, 0x7E47), (kernel_ulong_t)&ufs_intel_mtl_hba_vops }, ++ { PCI_VDEVICE(INTEL, 0xA847), (kernel_ulong_t)&ufs_intel_mtl_hba_vops }, + { } /* terminate list */ + }; + +-- +2.39.2 + diff --git a/queue-5.15/serial-8250-reinit-port-pm-on-port-specific-driver-u.patch b/queue-5.15/serial-8250-reinit-port-pm-on-port-specific-driver-u.patch new file mode 100644 index 00000000000..838862359f6 --- /dev/null +++ b/queue-5.15/serial-8250-reinit-port-pm-on-port-specific-driver-u.patch @@ -0,0 +1,56 @@ +From 6607f4762b4024f132ed1437c0e56381ce490d36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 13:14:06 +0300 +Subject: serial: 8250: Reinit port->pm on port specific driver unbind + +From: Tony Lindgren + +[ Upstream commit 04e82793f068d2f0ffe62fcea03d007a8cdc16a7 ] + +When we unbind a serial port hardware specific 8250 driver, the generic +serial8250 driver takes over the port. After that we see an oops about 10 +seconds later. This can produce the following at least on some TI SoCs: + +Unhandled fault: imprecise external abort (0x1406) +Internal error: : 1406 [#1] SMP ARM + +Turns out that we may still have the serial port hardware specific driver +port->pm in use, and serial8250_pm() tries to call it after the port +specific driver is gone: + +serial8250_pm [8250_base] from uart_change_pm+0x54/0x8c [serial_base] +uart_change_pm [serial_base] from uart_hangup+0x154/0x198 [serial_base] +uart_hangup [serial_base] from __tty_hangup.part.0+0x328/0x37c +__tty_hangup.part.0 from disassociate_ctty+0x154/0x20c +disassociate_ctty from do_exit+0x744/0xaac +do_exit from do_group_exit+0x40/0x8c +do_group_exit from __wake_up_parent+0x0/0x1c + +Let's fix the issue by calling serial8250_set_defaults() in +serial8250_unregister_port(). This will set the port back to using +the serial8250 default functions, and sets the port->pm to point to +serial8250_pm. + +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20230418101407.12403-1-tony@atomide.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c +index f3bfaa1a794bd..1890f342f090a 100644 +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -1156,6 +1156,7 @@ void serial8250_unregister_port(int line) + uart->port.type = PORT_UNKNOWN; + uart->port.dev = &serial8250_isa_devs->dev; + uart->capabilities = 0; ++ serial8250_init_port(uart); + serial8250_apply_quirks(uart); + uart_add_one_port(&serial8250_reg, &uart->port); + } else { +-- +2.39.2 + diff --git a/queue-5.15/series b/queue-5.15/series index 8221b43135f..9cab5a53922 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -27,3 +27,77 @@ ext4-don-t-clear-sb_rdonly-when-remounting-r-w-until.patch ext4-fix-lockdep-warning-when-enabling-mmp.patch ext4-allow-to-find-by-goal-if-ext4_mb_hint_goal_only.patch ext4-allow-ext4_get_group_info-to-fail.patch +refscale-move-shutdown-from-wait_event-to-wait_event.patch +rcu-protect-rcu_print_task_exp_stall-exp_tasks-acces.patch +fs-hfsplus-remove-warn_on-from-hfsplus_cat_-read-wri.patch +drm-displayid-add-displayid_get_header-and-check-bou.patch +drm-amd-display-use-dc_log_dc-in-the-trasform-pixel-.patch +regmap-cache-return-error-in-cache-sync-operations-f.patch +arm64-dts-qcom-msm8996-add-missing-dwc3-quirks.patch +media-cx23885-fix-a-null-ptr-deref-bug-in-buffer_pre.patch +media-pci-tw68-fix-null-ptr-deref-bug-in-buf-prepare.patch +memstick-r592-fix-uaf-bug-in-r592_remove-due-to-race.patch +firmware-arm_sdei-fix-sleep-from-invalid-context-bug.patch +acpi-ec-fix-oops-when-removing-custom-query-handlers.patch +remoteproc-stm32_rproc-add-mutex-protection-for-work.patch +drm-tegra-avoid-potential-32-bit-integer-overflow.patch +drm-msm-dp-clean-up-handling-of-dp-aux-interrupts.patch +acpica-avoid-undefined-behavior-applying-zero-offset.patch +acpica-acpica-check-null-return-of-acpi_allocate_zer.patch +drm-amd-fix-an-out-of-bounds-error-in-bios-parser.patch +media-prefer-designated-initializers-over-memset-for.patch +wifi-ath-silence-memcpy-run-time-false-positive-warn.patch +bpf-annotate-data-races-in-bpf_local_storage.patch +wifi-brcmfmac-cfg80211-pass-the-pmk-in-binary-instea.patch +ext2-check-block-size-validity-during-mount.patch +scsi-lpfc-prevent-lpfc_debugfs_lockstat_write-buffer.patch +bnxt-avoid-overflow-in-bnxt_get_nvram_directory.patch +net-pasemi-fix-return-type-of-pasemi_mac_start_tx.patch +net-catch-invalid-index-in-xps-mapping.patch +scsi-target-iscsit-free-cmds-before-session-free.patch +lib-cpu_rmap-avoid-use-after-free-on-rmap-obj-array-.patch +scsi-message-mptlan-fix-use-after-free-bug-in-mptlan.patch +gfs2-fix-inode-height-consistency-check.patch +scsi-ufs-ufs-pci-add-support-for-intel-lunar-lake.patch +ext4-set-goal-start-correctly-in-ext4_mb_normalize_r.patch +ext4-fix-best-extent-lstart-adjustment-logic-in-ext4.patch +f2fs-fix-to-drop-all-dirty-pages-during-umount-if-cp.patch +f2fs-fix-to-check-readonly-condition-correctly.patch +samples-bpf-fix-fout-leak-in-hbm-s-run_bpf_prog.patch +bpf-add-preempt_count_-sub-add-into-btf-id-deny-list.patch +wifi-iwlwifi-pcie-fix-possible-null-pointer-derefere.patch +wifi-iwlwifi-pcie-fix-integer-overflow-in-iwl_write_.patch +null_blk-always-check-queue-mode-setting-from-config.patch +wifi-iwlwifi-dvm-fix-memcpy-detected-field-spanning-.patch +wifi-ath11k-fix-skb-corruption-in-reo-destination-ri.patch +nbd-fix-incomplete-validation-of-ioctl-arg.patch +ipvs-update-width-of-source-for-ip_vs_sync_conn_opti.patch +bluetooth-btintel-add-le-states-quirk-support.patch +bluetooth-hci_bcm-fall-back-to-getting-bdaddr-from-e.patch +bluetooth-l2cap-fix-bad-unlock-balance-in-l2cap_disc.patch +staging-rtl8192e-replace-macro-rtl_pci_device-with-p.patch +hid-logitech-hidpp-don-t-use-the-usb-serial-for-usb-.patch +hid-logitech-hidpp-reconcile-usb-and-unifying-serial.patch +spi-spi-imx-fix-mx51_ecspi_-macros-when-cs-3.patch +hid-wacom-generic-set-battery-quirk-only-when-we-see.patch +usb-typec-tcpm-fix-multiple-times-discover-svids-err.patch +serial-8250-reinit-port-pm-on-port-specific-driver-u.patch +mcb-pci-reallocate-memory-region-to-avoid-memory-ove.patch +sched-fix-kcsan-noinstr-violation.patch +recordmcount-fix-memory-leaks-in-the-uwrite-function.patch +rdma-core-fix-multiple-warray-bounds-warnings.patch +iommu-arm-smmu-qcom-limit-the-smr-groups-to-128.patch +fs-ntfs3-fix-null-pointer-dereference-in-ni_write_in.patch +fs-ntfs3-enhance-the-attribute-size-check.patch +fs-ntfs3-fix-null-dereference-in-ni_write_inode.patch +fs-ntfs3-validate-mft-flags-before-replaying-logs.patch +fs-ntfs3-add-length-check-in-indx_get_root.patch +fs-ntfs3-fix-a-possible-null-pointer-dereference-in-.patch +clk-tegra20-fix-gcc-7-constant-overflow-warning.patch +iommu-arm-smmu-v3-acknowledge-pri-event-queue-overfl.patch +iommu-sprd-release-dma-buffer-to-avoid-memory-leak.patch +input-xpad-add-constants-for-gip-interface-numbers.patch +phy-st-miphy28lp-use-_poll_timeout-functions-for-wai.patch +soundwire-qcom-gracefully-handle-too-many-ports-in-d.patch +mfd-dln2-fix-memory-leak-in-dln2_probe.patch +parisc-replace-regular-spinlock-with-spin_trylock-on.patch diff --git a/queue-5.15/soundwire-qcom-gracefully-handle-too-many-ports-in-d.patch b/queue-5.15/soundwire-qcom-gracefully-handle-too-many-ports-in-d.patch new file mode 100644 index 00000000000..f4c3a86d5de --- /dev/null +++ b/queue-5.15/soundwire-qcom-gracefully-handle-too-many-ports-in-d.patch @@ -0,0 +1,50 @@ +From 00053a8f45d85004f485acd12966d8b5de81d1d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Feb 2023 15:44:12 +0100 +Subject: soundwire: qcom: gracefully handle too many ports in DT + +From: Krzysztof Kozlowski + +[ Upstream commit 2367e0ecb498764e95cfda691ff0828f7d25f9a4 ] + +There are two issues related to the number of ports coming from +Devicetree when exceeding in total QCOM_SDW_MAX_PORTS. Both lead to +incorrect memory accesses: +1. With DTS having too big value of input or output ports, the driver, + when copying port parameters from local/stack arrays into 'pconfig' + array in 'struct qcom_swrm_ctrl', will iterate over their sizes. + +2. If DTS also has too many parameters for these ports (e.g. + qcom,ports-sinterval-low), the driver will overflow buffers on the + stack when reading these properties from DTS. + +Add a sanity check so incorrect DTS will not cause kernel memory +corruption. + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Srinivas Kandagatla +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230222144412.237832-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/qcom.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c +index 52d0e4164c6b5..2ba0911f5d0cc 100644 +--- a/drivers/soundwire/qcom.c ++++ b/drivers/soundwire/qcom.c +@@ -1142,6 +1142,9 @@ static int qcom_swrm_get_port_config(struct qcom_swrm_ctrl *ctrl) + ctrl->num_dout_ports = val; + + nports = ctrl->num_dout_ports + ctrl->num_din_ports; ++ if (nports > QCOM_SDW_MAX_PORTS) ++ return -EINVAL; ++ + /* Valid port numbers are from 1-14, so mask out port 0 explicitly */ + set_bit(0, &ctrl->dout_port_mask); + set_bit(0, &ctrl->din_port_mask); +-- +2.39.2 + diff --git a/queue-5.15/spi-spi-imx-fix-mx51_ecspi_-macros-when-cs-3.patch b/queue-5.15/spi-spi-imx-fix-mx51_ecspi_-macros-when-cs-3.patch new file mode 100644 index 00000000000..8cf3601a29c --- /dev/null +++ b/queue-5.15/spi-spi-imx-fix-mx51_ecspi_-macros-when-cs-3.patch @@ -0,0 +1,80 @@ +From 7ca6c1f152fb3f84e2f234c0b2a6398882565c6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Mar 2023 18:21:32 -0400 +Subject: spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kevin Groeneveld + +[ Upstream commit 87c614175bbf28d3fd076dc2d166bac759e41427 ] + +When using gpio based chip select the cs value can go outside the range +0 – 3. The various MX51_ECSPI_* macros did not take this into consideration +resulting in possible corruption of the configuration. + +For example for any cs value over 3 the SCLKPHA bits would not be set and +other values in the register possibly corrupted. + +One way to fix this is to just mask the cs bits to 2 bits. This still +allows all 4 native chip selects to work as well as gpio chip selects +(which can use any of the 4 chip select configurations). + +Signed-off-by: Kevin Groeneveld +Link: https://lore.kernel.org/r/20230318222132.3373-1-kgroeneveld@lenbrook.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 2f06f2840d616..f201653931d89 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -247,6 +247,18 @@ static bool spi_imx_can_dma(struct spi_master *master, struct spi_device *spi, + return true; + } + ++/* ++ * Note the number of natively supported chip selects for MX51 is 4. Some ++ * devices may have less actual SS pins but the register map supports 4. When ++ * using gpio chip selects the cs values passed into the macros below can go ++ * outside the range 0 - 3. We therefore need to limit the cs value to avoid ++ * corrupting bits outside the allocated locations. ++ * ++ * The simplest way to do this is to just mask the cs bits to 2 bits. This ++ * still allows all 4 native chip selects to work as well as gpio chip selects ++ * (which can use any of the 4 chip select configurations). ++ */ ++ + #define MX51_ECSPI_CTRL 0x08 + #define MX51_ECSPI_CTRL_ENABLE (1 << 0) + #define MX51_ECSPI_CTRL_XCH (1 << 2) +@@ -255,16 +267,16 @@ static bool spi_imx_can_dma(struct spi_master *master, struct spi_device *spi, + #define MX51_ECSPI_CTRL_DRCTL(drctl) ((drctl) << 16) + #define MX51_ECSPI_CTRL_POSTDIV_OFFSET 8 + #define MX51_ECSPI_CTRL_PREDIV_OFFSET 12 +-#define MX51_ECSPI_CTRL_CS(cs) ((cs) << 18) ++#define MX51_ECSPI_CTRL_CS(cs) ((cs & 3) << 18) + #define MX51_ECSPI_CTRL_BL_OFFSET 20 + #define MX51_ECSPI_CTRL_BL_MASK (0xfff << 20) + + #define MX51_ECSPI_CONFIG 0x0c +-#define MX51_ECSPI_CONFIG_SCLKPHA(cs) (1 << ((cs) + 0)) +-#define MX51_ECSPI_CONFIG_SCLKPOL(cs) (1 << ((cs) + 4)) +-#define MX51_ECSPI_CONFIG_SBBCTRL(cs) (1 << ((cs) + 8)) +-#define MX51_ECSPI_CONFIG_SSBPOL(cs) (1 << ((cs) + 12)) +-#define MX51_ECSPI_CONFIG_SCLKCTL(cs) (1 << ((cs) + 20)) ++#define MX51_ECSPI_CONFIG_SCLKPHA(cs) (1 << ((cs & 3) + 0)) ++#define MX51_ECSPI_CONFIG_SCLKPOL(cs) (1 << ((cs & 3) + 4)) ++#define MX51_ECSPI_CONFIG_SBBCTRL(cs) (1 << ((cs & 3) + 8)) ++#define MX51_ECSPI_CONFIG_SSBPOL(cs) (1 << ((cs & 3) + 12)) ++#define MX51_ECSPI_CONFIG_SCLKCTL(cs) (1 << ((cs & 3) + 20)) + + #define MX51_ECSPI_INT 0x10 + #define MX51_ECSPI_INT_TEEN (1 << 0) +-- +2.39.2 + diff --git a/queue-5.15/staging-rtl8192e-replace-macro-rtl_pci_device-with-p.patch b/queue-5.15/staging-rtl8192e-replace-macro-rtl_pci_device-with-p.patch new file mode 100644 index 00000000000..b4437116152 --- /dev/null +++ b/queue-5.15/staging-rtl8192e-replace-macro-rtl_pci_device-with-p.patch @@ -0,0 +1,57 @@ +From 633f91775e762e173cd5b6900b2bd0c4e38036a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Feb 2023 07:47:21 +0100 +Subject: staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE + +From: Philipp Hortmann + +[ Upstream commit fda2093860df4812d69052a8cf4997e53853a340 ] + +Replace macro RTL_PCI_DEVICE with PCI_DEVICE to get rid of rtl819xp_ops +which is empty. + +Signed-off-by: Philipp Hortmann +Link: https://lore.kernel.org/r/8b45ee783fa91196b7c9d6fc840a189496afd2f4.1677133271.git.philipp.g.hortmann@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 6 +++--- + drivers/staging/rtl8192e/rtl8192e/rtl_core.h | 5 ----- + 2 files changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c +index 48c696df8d015..52d7dc5b29054 100644 +--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c ++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c +@@ -49,9 +49,9 @@ static const struct rtl819x_ops rtl819xp_ops = { + }; + + static struct pci_device_id rtl8192_pci_id_tbl[] = { +- {RTL_PCI_DEVICE(0x10ec, 0x8192, rtl819xp_ops)}, +- {RTL_PCI_DEVICE(0x07aa, 0x0044, rtl819xp_ops)}, +- {RTL_PCI_DEVICE(0x07aa, 0x0047, rtl819xp_ops)}, ++ {PCI_DEVICE(0x10ec, 0x8192)}, ++ {PCI_DEVICE(0x07aa, 0x0044)}, ++ {PCI_DEVICE(0x07aa, 0x0047)}, + {} + }; + +diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.h b/drivers/staging/rtl8192e/rtl8192e/rtl_core.h +index 698552a921009..197f1e3d7aca7 100644 +--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.h ++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.h +@@ -55,11 +55,6 @@ + #define IS_HARDWARE_TYPE_8192SE(_priv) \ + (((struct r8192_priv *)rtllib_priv(dev))->card_8192 == NIC_8192SE) + +-#define RTL_PCI_DEVICE(vend, dev, cfg) \ +- .vendor = (vend), .device = (dev), \ +- .subvendor = PCI_ANY_ID, .subdevice = PCI_ANY_ID, \ +- .driver_data = (kernel_ulong_t)&(cfg) +- + #define TOTAL_CAM_ENTRY 32 + #define CAM_CONTENT_COUNT 8 + +-- +2.39.2 + diff --git a/queue-5.15/usb-typec-tcpm-fix-multiple-times-discover-svids-err.patch b/queue-5.15/usb-typec-tcpm-fix-multiple-times-discover-svids-err.patch new file mode 100644 index 00000000000..bb97f4f7c56 --- /dev/null +++ b/queue-5.15/usb-typec-tcpm-fix-multiple-times-discover-svids-err.patch @@ -0,0 +1,59 @@ +From ef8e69aa1284fc511e92c657bd9811523f49b970 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 16:11:49 +0800 +Subject: usb: typec: tcpm: fix multiple times discover svids error + +From: Frank Wang + +[ Upstream commit dac3b192107b978198e89ec0f77375738352e0c8 ] + +PD3.0 Spec 6.4.4.3.2 say that only Responder supports 12 or more SVIDs, +the Discover SVIDs Command Shall be executed multiple times until a +Discover SVIDs VDO is returned ending either with a SVID value of +0x0000 in the last part of the last VDO or with a VDO containing two +SVIDs with values of 0x0000. + +In the current implementation, if the last VDO does not find that the +Discover SVIDs Command would be executed multiple times even if the +Responder SVIDs are less than 12, and we found some odd dockers just +meet this case. So fix it. + +Acked-by: Heikki Krogerus +Signed-off-by: Frank Wang +Link: https://lore.kernel.org/r/20230316081149.24519-1-frank.wang@rock-chips.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/tcpm/tcpm.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c +index 81329605757fa..c6e5991b38689 100644 +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -1506,7 +1506,21 @@ static bool svdm_consume_svids(struct tcpm_port *port, const u32 *p, int cnt) + pmdata->svids[pmdata->nsvids++] = svid; + tcpm_log(port, "SVID %d: 0x%x", pmdata->nsvids, svid); + } +- return true; ++ ++ /* ++ * PD3.0 Spec 6.4.4.3.2: The SVIDs are returned 2 per VDO (see Table ++ * 6-43), and can be returned maximum 6 VDOs per response (see Figure ++ * 6-19). If the Respondersupports 12 or more SVID then the Discover ++ * SVIDs Command Shall be executed multiple times until a Discover ++ * SVIDs VDO is returned ending either with a SVID value of 0x0000 in ++ * the last part of the last VDO or with a VDO containing two SVIDs ++ * with values of 0x0000. ++ * ++ * However, some odd dockers support SVIDs less than 12 but without ++ * 0x0000 in the last VDO, so we need to break the Discover SVIDs ++ * request and return false here. ++ */ ++ return cnt == 7; + abort: + tcpm_log(port, "SVID_DISCOVERY_MAX(%d) too low!", SVID_DISCOVERY_MAX); + return false; +-- +2.39.2 + diff --git a/queue-5.15/wifi-ath-silence-memcpy-run-time-false-positive-warn.patch b/queue-5.15/wifi-ath-silence-memcpy-run-time-false-positive-warn.patch new file mode 100644 index 00000000000..bef5b4e256b --- /dev/null +++ b/queue-5.15/wifi-ath-silence-memcpy-run-time-false-positive-warn.patch @@ -0,0 +1,73 @@ +From af725ab0748db150afdf505711c470fef32bda84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 20:31:38 +0200 +Subject: wifi: ath: Silence memcpy run-time false positive warning + +From: Kees Cook + +[ Upstream commit bfcc8ba45eb87bfaaff900bbad2b87b204899d41 ] + +The memcpy() in ath_key_config() was attempting to write across +neighboring struct members in struct ath_keyval. Introduce a wrapping +struct_group, kv_values, to be the addressable target of the memcpy +without overflowing an individual member. Silences the false positive +run-time warning: + + memcpy: detected field-spanning write (size 32) of single field "hk.kv_val" at drivers/net/wireless/ath/key.c:506 (size 16) + +Link: https://bbs.archlinux.org/viewtopic.php?id=282254 +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230210054310.never.554-kees@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath.h | 12 +++++++----- + drivers/net/wireless/ath/key.c | 2 +- + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath.h b/drivers/net/wireless/ath/ath.h +index f083fb9038c36..f02a308a9ffc5 100644 +--- a/drivers/net/wireless/ath/ath.h ++++ b/drivers/net/wireless/ath/ath.h +@@ -96,11 +96,13 @@ struct ath_keyval { + u8 kv_type; + u8 kv_pad; + u16 kv_len; +- u8 kv_val[16]; /* TK */ +- u8 kv_mic[8]; /* Michael MIC key */ +- u8 kv_txmic[8]; /* Michael MIC TX key (used only if the hardware +- * supports both MIC keys in the same key cache entry; +- * in that case, kv_mic is the RX key) */ ++ struct_group(kv_values, ++ u8 kv_val[16]; /* TK */ ++ u8 kv_mic[8]; /* Michael MIC key */ ++ u8 kv_txmic[8]; /* Michael MIC TX key (used only if the hardware ++ * supports both MIC keys in the same key cache entry; ++ * in that case, kv_mic is the RX key) */ ++ ); + }; + + enum ath_cipher { +diff --git a/drivers/net/wireless/ath/key.c b/drivers/net/wireless/ath/key.c +index 61b59a804e308..b7b61d4f02bae 100644 +--- a/drivers/net/wireless/ath/key.c ++++ b/drivers/net/wireless/ath/key.c +@@ -503,7 +503,7 @@ int ath_key_config(struct ath_common *common, + + hk.kv_len = key->keylen; + if (key->keylen) +- memcpy(hk.kv_val, key->key, key->keylen); ++ memcpy(&hk.kv_values, key->key, key->keylen); + + if (!(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) { + switch (vif->type) { +-- +2.39.2 + diff --git a/queue-5.15/wifi-ath11k-fix-skb-corruption-in-reo-destination-ri.patch b/queue-5.15/wifi-ath11k-fix-skb-corruption-in-reo-destination-ri.patch new file mode 100644 index 00000000000..b4ab7bfe566 --- /dev/null +++ b/queue-5.15/wifi-ath11k-fix-skb-corruption-in-reo-destination-ri.patch @@ -0,0 +1,80 @@ +From f3c99297146e947f5f9e7738df51144d2b88b6bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 13:35:02 +0300 +Subject: wifi: ath11k: Fix SKB corruption in REO destination ring + +From: Nagarajan Maran + +[ Upstream commit f9fff67d2d7ca6fa8066132003a3deef654c55b1 ] + +While running traffics for a long time, randomly an RX descriptor +filled with value "0" from REO destination ring is received. +This descriptor which is invalid causes the wrong SKB (SKB stored in +the IDR lookup with buffer id "0") to be fetched which in turn +causes SKB memory corruption issue and the same leads to crash +after some time. + +Changed the start id for idr allocation to "1" and the buffer id "0" +is reserved for error validation. Introduced Sanity check to validate +the descriptor, before processing the SKB. + +Crash Signature : + +Unable to handle kernel paging request at virtual address 3f004900 +PC points to "b15_dma_inv_range+0x30/0x50" +LR points to "dma_cache_maint_page+0x8c/0x128". +The Backtrace obtained is as follows: +[<8031716c>] (b15_dma_inv_range) from [<80313a4c>] (dma_cache_maint_page+0x8c/0x128) +[<80313a4c>] (dma_cache_maint_page) from [<80313b90>] (__dma_page_dev_to_cpu+0x28/0xcc) +[<80313b90>] (__dma_page_dev_to_cpu) from [<7fb5dd68>] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k]) +[<7fb5dd68>] (ath11k_dp_process_rx [ath11k]) from [<7fb53c20>] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k]) +[<7fb53c20>] (ath11k_dp_service_srng [ath11k]) from [<7f67bba4>] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci]) +[<7f67bba4>] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [<807d5cf4>] (__napi_poll+0x28/0xb8) +[<807d5cf4>] (__napi_poll) from [<807d5f28>] (net_rx_action+0xf0/0x280) +[<807d5f28>] (net_rx_action) from [<80302148>] (__do_softirq+0xd0/0x280) +[<80302148>] (__do_softirq) from [<80320408>] (irq_exit+0x74/0xd4) +[<80320408>] (irq_exit) from [<803638a4>] (__handle_domain_irq+0x90/0xb4) +[<803638a4>] (__handle_domain_irq) from [<805bedec>] (gic_handle_irq+0x58/0x90) +[<805bedec>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c) + +Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Nagarajan Maran +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230403191533.28114-1-quic_nmaran@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/dp_rx.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c +index 3c64d33d0133b..357abd87d5491 100644 +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -354,10 +354,10 @@ int ath11k_dp_rxbufs_replenish(struct ath11k_base *ab, int mac_id, + goto fail_free_skb; + + spin_lock_bh(&rx_ring->idr_lock); +- buf_id = idr_alloc(&rx_ring->bufs_idr, skb, 0, +- rx_ring->bufs_max * 3, GFP_ATOMIC); ++ buf_id = idr_alloc(&rx_ring->bufs_idr, skb, 1, ++ (rx_ring->bufs_max * 3) + 1, GFP_ATOMIC); + spin_unlock_bh(&rx_ring->idr_lock); +- if (buf_id < 0) ++ if (buf_id <= 0) + goto fail_dma_unmap; + + desc = ath11k_hal_srng_src_get_next_entry(ab, srng); +@@ -2602,6 +2602,9 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, + cookie); + mac_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_PDEV_ID, cookie); + ++ if (unlikely(buf_id == 0)) ++ continue; ++ + ar = ab->pdevs[mac_id].ar; + rx_ring = &ar->dp.rx_refill_buf_ring; + spin_lock_bh(&rx_ring->idr_lock); +-- +2.39.2 + diff --git a/queue-5.15/wifi-brcmfmac-cfg80211-pass-the-pmk-in-binary-instea.patch b/queue-5.15/wifi-brcmfmac-cfg80211-pass-the-pmk-in-binary-instea.patch new file mode 100644 index 00000000000..c19314c6c48 --- /dev/null +++ b/queue-5.15/wifi-brcmfmac-cfg80211-pass-the-pmk-in-binary-instea.patch @@ -0,0 +1,57 @@ +From a9166913d7d223634157c14663bad288181cc52b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 18:24:19 +0900 +Subject: wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex + +From: Hector Martin + +[ Upstream commit 89b89e52153fda2733562776c7c9d9d3ebf8dd6d ] + +Apparently the hex passphrase mechanism does not work on newer +chips/firmware (e.g. BCM4387). It seems there was a simple way of +passing it in binary all along, so use that and avoid the hexification. + +OpenBSD has been doing it like this from the beginning, so this should +work on all chips. + +Also clear the structure before setting the PMK. This was leaking +uninitialized stack contents to the device. + +Reviewed-by: Linus Walleij +Reviewed-by: Arend van Spriel +Signed-off-by: Hector Martin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230214092423.15175-6-marcan@marcan.st +Signed-off-by: Sasha Levin +--- + .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index 5a1b01db02e6e..b14c54da56ed9 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -1350,13 +1350,14 @@ static int brcmf_set_pmk(struct brcmf_if *ifp, const u8 *pmk_data, u16 pmk_len) + { + struct brcmf_pub *drvr = ifp->drvr; + struct brcmf_wsec_pmk_le pmk; +- int i, err; ++ int err; ++ ++ memset(&pmk, 0, sizeof(pmk)); + +- /* convert to firmware key format */ +- pmk.key_len = cpu_to_le16(pmk_len << 1); +- pmk.flags = cpu_to_le16(BRCMF_WSEC_PASSPHRASE); +- for (i = 0; i < pmk_len; i++) +- snprintf(&pmk.key[2 * i], 3, "%02x", pmk_data[i]); ++ /* pass pmk directly */ ++ pmk.key_len = cpu_to_le16(pmk_len); ++ pmk.flags = cpu_to_le16(0); ++ memcpy(pmk.key, pmk_data, pmk_len); + + /* store psk in firmware */ + err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_WSEC_PMK, +-- +2.39.2 + diff --git a/queue-5.15/wifi-iwlwifi-dvm-fix-memcpy-detected-field-spanning-.patch b/queue-5.15/wifi-iwlwifi-dvm-fix-memcpy-detected-field-spanning-.patch new file mode 100644 index 00000000000..943f935a06d --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-dvm-fix-memcpy-detected-field-spanning-.patch @@ -0,0 +1,72 @@ +From a21282332cdbcad1a8d3751416f2b1420b34c036 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 15:25:46 +0200 +Subject: wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write + backtrace + +From: Hans de Goede + +[ Upstream commit ef16799640865f937719f0771c93be5dca18adc6 ] + +A received TKIP key may be up to 32 bytes because it may contain +MIC rx/tx keys too. These are not used by iwl and copying these +over overflows the iwl_keyinfo.key field. + +Add a check to not copy more data to iwl_keyinfo.key then will fit. + +This fixes backtraces like this one: + + memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16) + WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm] + + Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017 + RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm] + + Call Trace: + + iwl_set_dynamic_key+0x1f0/0x220 [iwldvm] + iwlagn_mac_set_key+0x1e4/0x280 [iwldvm] + drv_set_key+0xa4/0x1b0 [mac80211] + ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211] + ieee80211_key_replace+0x22d/0x8e0 [mac80211] + + +Link: https://www.alionet.org/index.php?topic=1469.0 +Link: https://lore.kernel.org/linux-wireless/20230218191056.never.374-kees@kernel.org/ +Link: https://lore.kernel.org/linux-wireless/68760035-7f75-1b23-e355-bfb758a87d83@redhat.com/ +Cc: Kees Cook +Suggested-by: Johannes Berg +Signed-off-by: Hans de Goede +Reviewed-by: Kees Cook +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/dvm/sta.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/sta.c b/drivers/net/wireless/intel/iwlwifi/dvm/sta.c +index ddc14059b07d1..7c3168145e58a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/dvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/sta.c +@@ -1086,6 +1086,7 @@ static int iwlagn_send_sta_key(struct iwl_priv *priv, + { + __le16 key_flags; + struct iwl_addsta_cmd sta_cmd; ++ size_t to_copy; + int i; + + spin_lock_bh(&priv->sta_lock); +@@ -1105,7 +1106,9 @@ static int iwlagn_send_sta_key(struct iwl_priv *priv, + sta_cmd.key.tkip_rx_tsc_byte2 = tkip_iv32; + for (i = 0; i < 5; i++) + sta_cmd.key.tkip_rx_ttak[i] = cpu_to_le16(tkip_p1k[i]); +- memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen); ++ /* keyconf may contain MIC rx/tx keys which iwl does not use */ ++ to_copy = min_t(size_t, sizeof(sta_cmd.key.key), keyconf->keylen); ++ memcpy(sta_cmd.key.key, keyconf->key, to_copy); + break; + case WLAN_CIPHER_SUITE_WEP104: + key_flags |= STA_KEY_FLG_KEY_SIZE_MSK; +-- +2.39.2 + diff --git a/queue-5.15/wifi-iwlwifi-pcie-fix-integer-overflow-in-iwl_write_.patch b/queue-5.15/wifi-iwlwifi-pcie-fix-integer-overflow-in-iwl_write_.patch new file mode 100644 index 00000000000..93c298f6c4a --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-pcie-fix-integer-overflow-in-iwl_write_.patch @@ -0,0 +1,56 @@ +From f6f78cba994d2045889a0165b8d1f68debac7d4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Apr 2023 13:11:59 +0300 +Subject: wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf + +From: Hyunwoo Kim + +[ Upstream commit 58d1b717879bfeabe09b35e41ad667c79933eb2e ] + +An integer overflow occurs in the iwl_write_to_user_buf() function, +which is called by the iwl_dbgfs_monitor_data_read() function. + +static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count, + void *buf, ssize_t *size, + ssize_t *bytes_copied) +{ + int buf_size_left = count - *bytes_copied; + + buf_size_left = buf_size_left - (buf_size_left % sizeof(u32)); + if (*size > buf_size_left) + *size = buf_size_left; + +If the user passes a SIZE_MAX value to the "ssize_t count" parameter, +the ssize_t count parameter is assigned to "int buf_size_left". +Then compare "*size" with "buf_size_left" . Here, "buf_size_left" is a +negative number, so "*size" is assigned "buf_size_left" and goes into +the third argument of the copy_to_user function, causing a heap overflow. + +This is not a security vulnerability because iwl_dbgfs_monitor_data_read() +is a debugfs operation with 0400 privileges. + +Signed-off-by: Hyunwoo Kim +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230414130637.2d80ace81532.Iecfba549e0e0be21bbb0324675392e42e75bd5ad@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +index ee325950de9d2..04e1f3829e96b 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -2778,7 +2778,7 @@ static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count, + void *buf, ssize_t *size, + ssize_t *bytes_copied) + { +- int buf_size_left = count - *bytes_copied; ++ ssize_t buf_size_left = count - *bytes_copied; + + buf_size_left = buf_size_left - (buf_size_left % sizeof(u32)); + if (*size > buf_size_left) +-- +2.39.2 + diff --git a/queue-5.15/wifi-iwlwifi-pcie-fix-possible-null-pointer-derefere.patch b/queue-5.15/wifi-iwlwifi-pcie-fix-possible-null-pointer-derefere.patch new file mode 100644 index 00000000000..f540fb36871 --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-pcie-fix-possible-null-pointer-derefere.patch @@ -0,0 +1,56 @@ +From b651bf1c2c6ae78708a3683b7f03301d20563af6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 21:40:32 +0300 +Subject: wifi: iwlwifi: pcie: fix possible NULL pointer dereference + +From: Daniel Gabay + +[ Upstream commit b655b9a9f8467684cfa8906713d33b71ea8c8f54 ] + +It is possible that iwl_pci_probe() will fail and free the trans, +then afterwards iwl_pci_remove() will be called and crash by trying +to access trans which is already freed, fix it. + +iwlwifi 0000:01:00.0: Detected crf-id 0xa5a5a5a2, cnv-id 0xa5a5a5a2 + wfpm id 0xa5a5a5a2 +iwlwifi 0000:01:00.0: Can't find a correct rfid for crf id 0x5a2 +... +BUG: kernel NULL pointer dereference, address: 0000000000000028 +... +RIP: 0010:iwl_pci_remove+0x12/0x30 [iwlwifi] +pci_device_remove+0x3e/0xb0 +device_release_driver_internal+0x103/0x1f0 +driver_detach+0x4c/0x90 +bus_remove_driver+0x5c/0xd0 +driver_unregister+0x31/0x50 +pci_unregister_driver+0x40/0x90 +iwl_pci_unregister_driver+0x15/0x20 [iwlwifi] +__exit_compat+0x9/0x98 [iwlwifi] +__x64_sys_delete_module+0x147/0x260 + +Signed-off-by: Daniel Gabay +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230413213309.082f6e21341b.I0db21d7fa9a828d571ca886713bd0b5d0b6e1e5c@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index 3b974388d834d..5d324d64c8799 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -1380,6 +1380,9 @@ static void iwl_pci_remove(struct pci_dev *pdev) + { + struct iwl_trans *trans = pci_get_drvdata(pdev); + ++ if (!trans) ++ return; ++ + iwl_drv_stop(trans->drv); + + iwl_trans_pcie_free(trans); +-- +2.39.2 + -- 2.47.3