From a29d61e7e8e578fd6bc893e3fc566de319821ca5 Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda Date: Wed, 10 Apr 2024 12:24:37 +0000 Subject: [PATCH 01/90] media: dvb: as102-fe: Fix as10x_register_addr packing [ Upstream commit 309422d280748c74f57f471559980268ac27732a ] This structure is embedded in multiple other structures that are packed, which conflicts with it being aligned. drivers/media/usb/as102/as10x_cmd.h:379:30: warning: field reg_addr within 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' is less aligned than 'struct as10x_register_addr' and is usually due to 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' being packed, which can lead to unaligned accesses [-Wunaligned-access] Mark it as being packed. Marking the inner struct as 'packed' does not change the layout, since the whole struct is already packed, it just silences the clang warning. See also this llvm discussion: https://github.com/llvm/llvm-project/issues/55520 Signed-off-by: Ricardo Ribalda Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit 86b769452b39428807f287ff5bb5aaf6fbfb7e9c) Signed-off-by: Vegard Nossum --- drivers/media/dvb-frontends/as102_fe_types.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/dvb-frontends/as102_fe_types.h b/drivers/media/dvb-frontends/as102_fe_types.h index 80a5398b580f..661d7574a6c7 100644 --- a/drivers/media/dvb-frontends/as102_fe_types.h +++ b/drivers/media/dvb-frontends/as102_fe_types.h @@ -183,6 +183,6 @@ struct as10x_register_addr { uint32_t addr; /* register mode access */ uint8_t mode; -}; +} __packed; #endif From 763d3cd7f083891a68cf5158c5bab81bb5e8be0f Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda Date: Thu, 11 Apr 2024 21:17:56 +0000 Subject: [PATCH 02/90] media: dvb-usb: dib0700_devices: Add missing release_firmware() [ Upstream commit 4b267c23ee064bd24c6933df0588ad1b6e111145 ] Add missing release_firmware on the error paths. drivers/media/usb/dvb-usb/dib0700_devices.c:2415 stk9090m_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2415. drivers/media/usb/dvb-usb/dib0700_devices.c:2497 nim9090md_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2489,2497. Signed-off-by: Ricardo Ribalda Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit 213375679632f6ed1e4eb98b78a8f600977b9b34) Signed-off-by: Vegard Nossum --- drivers/media/usb/dvb-usb/dib0700_devices.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c index 969358f57d91..0a65884cefe3 100644 --- a/drivers/media/usb/dvb-usb/dib0700_devices.c +++ b/drivers/media/usb/dvb-usb/dib0700_devices.c @@ -2423,7 +2423,12 @@ static int stk9090m_frontend_attach(struct dvb_usb_adapter *adap) adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &stk9090m_config); - return adap->fe_adap[0].fe == NULL ? -ENODEV : 0; + if (!adap->fe_adap[0].fe) { + release_firmware(state->frontend_firmware); + return -ENODEV; + } + + return 0; } static int dib9090_tuner_attach(struct dvb_usb_adapter *adap) @@ -2496,8 +2501,10 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap) dib9000_i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, 0x80); adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &nim9090md_config[0]); - if (adap->fe_adap[0].fe == NULL) + if (!adap->fe_adap[0].fe) { + release_firmware(state->frontend_firmware); return -ENODEV; + } i2c = dib9000_get_i2c_master(adap->fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_3_4, 0); dib9000_i2c_enumeration(i2c, 1, 0x12, 0x82); @@ -2505,7 +2512,12 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap) fe_slave = dvb_attach(dib9000_attach, i2c, 0x82, &nim9090md_config[1]); dib9000_set_slave_frontend(adap->fe_adap[0].fe, fe_slave); - return fe_slave == NULL ? -ENODEV : 0; + if (!fe_slave) { + release_firmware(state->frontend_firmware); + return -ENODEV; + } + + return 0; } static int nim9090md_tuner_attach(struct dvb_usb_adapter *adap) From f3829e3d794cad5ddb6c88e0ff1b27b6435d224b Mon Sep 17 00:00:00 2001 From: Michael Guralnik Date: Tue, 16 Apr 2024 15:01:44 +0300 Subject: [PATCH 03/90] IB/core: Implement a limit on UMAD receive List [ Upstream commit ca0b44e20a6f3032224599f02e7c8fb49525c894 ] The existing behavior of ib_umad, which maintains received MAD packets in an unbounded list, poses a risk of uncontrolled growth. As user-space applications extract packets from this list, the rate of extraction may not match the rate of incoming packets, leading to potential list overflow. To address this, we introduce a limit to the size of the list. After considering typical scenarios, such as OpenSM processing, which can handle approximately 100k packets per second, and the 1-second retry timeout for most packets, we set the list size limit to 200k. Packets received beyond this limit are dropped, assuming they are likely timed out by the time they are handled by user-space. Notably, packets queued on the receive list due to reasons like timed-out sends are preserved even when the list is full. Signed-off-by: Michael Guralnik Reviewed-by: Mark Zhang Link: https://lore.kernel.org/r/7197cb58a7d9e78399008f25036205ceab07fbd5.1713268818.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin (cherry picked from commit 1288cf1cceb0e6df276e182f5412370fb4169bcb) Signed-off-by: Vegard Nossum --- drivers/infiniband/core/user_mad.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c index a3aab7d55ad4..6fe02f350b04 100644 --- a/drivers/infiniband/core/user_mad.c +++ b/drivers/infiniband/core/user_mad.c @@ -60,6 +60,8 @@ MODULE_AUTHOR("Roland Dreier"); MODULE_DESCRIPTION("InfiniBand userspace MAD packet access"); MODULE_LICENSE("Dual BSD/GPL"); +#define MAX_UMAD_RECV_LIST_SIZE 200000 + enum { IB_UMAD_MAX_PORTS = 64, IB_UMAD_MAX_AGENTS = 32, @@ -108,6 +110,7 @@ struct ib_umad_file { struct mutex mutex; struct ib_umad_port *port; struct list_head recv_list; + atomic_t recv_list_size; struct list_head send_list; struct list_head port_list; spinlock_t send_lock; @@ -160,24 +163,28 @@ static struct ib_mad_agent *__get_agent(struct ib_umad_file *file, int id) return file->agents_dead ? NULL : file->agent[id]; } -static int queue_packet(struct ib_umad_file *file, - struct ib_mad_agent *agent, - struct ib_umad_packet *packet) +static int queue_packet(struct ib_umad_file *file, struct ib_mad_agent *agent, + struct ib_umad_packet *packet, bool is_recv_mad) { int ret = 1; mutex_lock(&file->mutex); + if (is_recv_mad && + atomic_read(&file->recv_list_size) > MAX_UMAD_RECV_LIST_SIZE) + goto unlock; + for (packet->mad.hdr.id = 0; packet->mad.hdr.id < IB_UMAD_MAX_AGENTS; packet->mad.hdr.id++) if (agent == __get_agent(file, packet->mad.hdr.id)) { list_add_tail(&packet->list, &file->recv_list); + atomic_inc(&file->recv_list_size); wake_up_interruptible(&file->recv_wait); ret = 0; break; } - +unlock: mutex_unlock(&file->mutex); return ret; @@ -204,7 +211,7 @@ static void send_handler(struct ib_mad_agent *agent, if (send_wc->status == IB_WC_RESP_TIMEOUT_ERR) { packet->length = IB_MGMT_MAD_HDR; packet->mad.hdr.status = ETIMEDOUT; - if (!queue_packet(file, agent, packet)) + if (!queue_packet(file, agent, packet, false)) return; } kfree(packet); @@ -260,7 +267,7 @@ static void recv_handler(struct ib_mad_agent *agent, packet->mad.hdr.flow_label = cpu_to_be32(grh->flow_label); } - if (queue_packet(file, agent, packet)) + if (queue_packet(file, agent, packet, true)) goto err2; return; @@ -374,6 +381,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, packet = list_entry(file->recv_list.next, struct ib_umad_packet, list); list_del(&packet->list); + atomic_dec(&file->recv_list_size); mutex_unlock(&file->mutex); @@ -386,6 +394,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, /* Requeue packet */ mutex_lock(&file->mutex); list_add(&packet->list, &file->recv_list); + atomic_inc(&file->recv_list_size); mutex_unlock(&file->mutex); } else { if (packet->recv_wc) From 8fb8547e74c70ef7ed9af6d75f8b27186d6c1d88 Mon Sep 17 00:00:00 2001 From: Michael Bunk Date: Sun, 16 Jan 2022 11:22:36 +0000 Subject: [PATCH 04/90] media: dw2102: Don't translate i2c read into write [ Upstream commit 0e148a522b8453115038193e19ec7bea71403e4a ] The code ignored the I2C_M_RD flag on I2C messages. Instead it assumed an i2c transaction with a single message must be a write operation and a transaction with two messages would be a read operation. Though this works for the driver code, it leads to problems once the i2c device is exposed to code not knowing this convention. For example, I did "insmod i2c-dev" and issued read requests from userspace, which were translated into write requests and destroyed the EEPROM of my device. So, just check and respect the I2C_M_READ flag, which indicates a read when set on a message. If it is absent, it is a write message. Incidentally, changing from the case statement to a while loop allows the code to lift the limitation to two i2c messages per transaction. There are 4 more *_i2c_transfer functions affected by the same behaviour and limitation that should be fixed in the same way. Link: https://lore.kernel.org/linux-media/20220116112238.74171-2-micha@freedict.org Signed-off-by: Michael Bunk Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin (cherry picked from commit 74eb7ec7afe976a499484f56e8af020c3260a559) Signed-off-by: Vegard Nossum --- drivers/media/usb/dvb-usb/dw2102.c | 120 ++++++++++++++++++----------- 1 file changed, 73 insertions(+), 47 deletions(-) diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c index ef2218810471..5a7f655e5306 100644 --- a/drivers/media/usb/dvb-usb/dw2102.c +++ b/drivers/media/usb/dvb-usb/dw2102.c @@ -721,6 +721,7 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], { struct dvb_usb_device *d = i2c_get_adapdata(adap); struct dw2102_state *state; + int j; if (!d) return -ENODEV; @@ -734,11 +735,11 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], return -EAGAIN; } - switch (num) { - case 1: - switch (msg[0].addr) { + j = 0; + while (j < num) { + switch (msg[j].addr) { case SU3000_STREAM_CTRL: - state->data[0] = msg[0].buf[0] + 0x36; + state->data[0] = msg[j].buf[0] + 0x36; state->data[1] = 3; state->data[2] = 0; if (dvb_usb_generic_rw(d, state->data, 3, @@ -750,61 +751,86 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], if (dvb_usb_generic_rw(d, state->data, 1, state->data, 2, 0) < 0) err("i2c transfer failed."); - msg[0].buf[1] = state->data[0]; - msg[0].buf[0] = state->data[1]; + msg[j].buf[1] = state->data[0]; + msg[j].buf[0] = state->data[1]; break; default: - if (3 + msg[0].len > sizeof(state->data)) { - warn("i2c wr: len=%d is too big!\n", - msg[0].len); + /* if the current write msg is followed by a another + * read msg to/from the same address + */ + if ((j+1 < num) && (msg[j+1].flags & I2C_M_RD) && + (msg[j].addr == msg[j+1].addr)) { + /* join both i2c msgs to one usb read command */ + if (4 + msg[j].len > sizeof(state->data)) { + warn("i2c combined wr/rd: write len=%d is too big!\n", + msg[j].len); + num = -EOPNOTSUPP; + break; + } + if (1 + msg[j+1].len > sizeof(state->data)) { + warn("i2c combined wr/rd: read len=%d is too big!\n", + msg[j+1].len); + num = -EOPNOTSUPP; + break; + } + + state->data[0] = 0x09; + state->data[1] = msg[j].len; + state->data[2] = msg[j+1].len; + state->data[3] = msg[j].addr; + memcpy(&state->data[4], msg[j].buf, msg[j].len); + + if (dvb_usb_generic_rw(d, state->data, msg[j].len + 4, + state->data, msg[j+1].len + 1, 0) < 0) + err("i2c transfer failed."); + + memcpy(msg[j+1].buf, &state->data[1], msg[j+1].len); + j++; + break; + } + + if (msg[j].flags & I2C_M_RD) { + /* single read */ + if (1 + msg[j].len > sizeof(state->data)) { + warn("i2c rd: len=%d is too big!\n", msg[j].len); + num = -EOPNOTSUPP; + break; + } + + state->data[0] = 0x09; + state->data[1] = 0; + state->data[2] = msg[j].len; + state->data[3] = msg[j].addr; + memcpy(&state->data[4], msg[j].buf, msg[j].len); + + if (dvb_usb_generic_rw(d, state->data, 4, + state->data, msg[j].len + 1, 0) < 0) + err("i2c transfer failed."); + + memcpy(msg[j].buf, &state->data[1], msg[j].len); + break; + } + + /* single write */ + if (3 + msg[j].len > sizeof(state->data)) { + warn("i2c wr: len=%d is too big!\n", msg[j].len); num = -EOPNOTSUPP; break; } - /* always i2c write*/ state->data[0] = 0x08; - state->data[1] = msg[0].addr; - state->data[2] = msg[0].len; + state->data[1] = msg[j].addr; + state->data[2] = msg[j].len; - memcpy(&state->data[3], msg[0].buf, msg[0].len); + memcpy(&state->data[3], msg[j].buf, msg[j].len); - if (dvb_usb_generic_rw(d, state->data, msg[0].len + 3, + if (dvb_usb_generic_rw(d, state->data, msg[j].len + 3, state->data, 1, 0) < 0) err("i2c transfer failed."); + } // switch + j++; - } - break; - case 2: - /* always i2c read */ - if (4 + msg[0].len > sizeof(state->data)) { - warn("i2c rd: len=%d is too big!\n", - msg[0].len); - num = -EOPNOTSUPP; - break; - } - if (1 + msg[1].len > sizeof(state->data)) { - warn("i2c rd: len=%d is too big!\n", - msg[1].len); - num = -EOPNOTSUPP; - break; - } - - state->data[0] = 0x09; - state->data[1] = msg[0].len; - state->data[2] = msg[1].len; - state->data[3] = msg[0].addr; - memcpy(&state->data[4], msg[0].buf, msg[0].len); - - if (dvb_usb_generic_rw(d, state->data, msg[0].len + 4, - state->data, msg[1].len + 1, 0) < 0) - err("i2c transfer failed."); - - memcpy(msg[1].buf, &state->data[1], msg[1].len); - break; - default: - warn("more than 2 i2c messages at a time is not handled yet."); - break; - } + } // while mutex_unlock(&d->data_mutex); mutex_unlock(&d->i2c_mutex); return num; From fca275dacc79b9d77ec45e208a68284a19515d5f Mon Sep 17 00:00:00 2001 From: Erick Archer Date: Sat, 27 Apr 2024 19:23:36 +0200 Subject: [PATCH 05/90] sctp: prefer struct_size over open coded arithmetic [ Upstream commit e5c5f3596de224422561d48eba6ece5210d967b3 ] This is an effort to get rid of all multiplications from allocation functions in order to prevent integer overflows [1][2]. As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this structure ends in a flexible array: struct sctp_assoc_ids { [...] sctp_assoc_t gaids_assoc_id[]; }; the preferred way in the kernel is to use the struct_size() helper to do the arithmetic instead of the calculation "size + size * count" in the kmalloc() function. Also, refactor the code adding the "ids_size" variable to avoid sizing twice. This way, the code is more readable and safer. This code was detected with the help of Coccinelle, and audited and modified manually. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] Link: https://github.com/KSPP/linux/issues/160 [2] Signed-off-by: Erick Archer Acked-by: Xin Long Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 03f37e56305156bd25c5c237d1cc7f5c75495ef2) [Vegard: add #include that was pulled in through some other unknown header on 4.19.y] Signed-off-by: Vegard Nossum --- net/sctp/socket.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/sctp/socket.c b/net/sctp/socket.c index fe26395690f3..7d7d28a477a4 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -66,6 +66,7 @@ #include #include #include +#include #include #include @@ -6407,6 +6408,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, struct sctp_sock *sp = sctp_sk(sk); struct sctp_association *asoc; struct sctp_assoc_ids *ids; + size_t ids_size; u32 num = 0; if (sctp_style(sk, TCP)) @@ -6419,11 +6421,11 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, num++; } - if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num) + ids_size = struct_size(ids, gaids_assoc_id, num); + if (len < ids_size) return -EINVAL; - len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num; - + len = ids_size; ids = kmalloc(len, GFP_USER | __GFP_NOWARN); if (unlikely(!ids)) return -ENOMEM; From b0f4f0d200c9bcb8c14b1f09a288dc89d026fdc3 Mon Sep 17 00:00:00 2001 From: Jean Delvare Date: Tue, 30 Apr 2024 18:29:32 +0200 Subject: [PATCH 06/90] firmware: dmi: Stop decoding on broken entry [ Upstream commit 0ef11f604503b1862a21597436283f158114d77e ] If a DMI table entry is shorter than 4 bytes, it is invalid. Due to how DMI table parsing works, it is impossible to safely recover from such an error, so we have to stop decoding the table. Signed-off-by: Jean Delvare Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-debian-v2/T/ Reviewed-by: Michael Kelley Signed-off-by: Sasha Levin (cherry picked from commit c2a350a3fa622a174e3704691d05989cdfde4d51) Signed-off-by: Vegard Nossum --- drivers/firmware/dmi_scan.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c index fe0d30340e96..1a15c7c4417f 100644 --- a/drivers/firmware/dmi_scan.c +++ b/drivers/firmware/dmi_scan.c @@ -99,6 +99,17 @@ static void dmi_decode_table(u8 *buf, (data - buf + sizeof(struct dmi_header)) <= dmi_len) { const struct dmi_header *dm = (const struct dmi_header *)data; + /* + * If a short entry is found (less than 4 bytes), not only it + * is invalid, but we cannot reliably locate the next entry. + */ + if (dm->length < sizeof(struct dmi_header)) { + pr_warn(FW_BUG + "Corrupted DMI table, offset %zd (only %d entries processed)\n", + data - buf, i); + break; + } + /* * We want to know the total length (formatted area and * strings) before decoding to make sure we won't run off the From d2b33d0a14125c60fb7fc2fe60e7305ef606bc7f Mon Sep 17 00:00:00 2001 From: Erick Archer Date: Sat, 27 Apr 2024 17:05:56 +0200 Subject: [PATCH 07/90] Input: ff-core - prefer struct_size over open coded arithmetic [ Upstream commit a08b8f8557ad88ffdff8905e5da972afe52e3307 ] This is an effort to get rid of all multiplications from allocation functions in order to prevent integer overflows [1][2]. As the "ff" variable is a pointer to "struct ff_device" and this structure ends in a flexible array: struct ff_device { [...] struct file *effect_owners[] __counted_by(max_effects); }; the preferred way in the kernel is to use the struct_size() helper to do the arithmetic instead of the calculation "size + count * size" in the kzalloc() function. The struct_size() helper returns SIZE_MAX on overflow. So, refactor the comparison to take advantage of this. This way, the code is more readable and safer. This code was detected with the help of Coccinelle, and audited and modified manually. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] Link: https://github.com/KSPP/linux/issues/160 [2] Signed-off-by: Erick Archer Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/AS8PR02MB72371E646714BAE2E51A6A378B152@AS8PR02MB7237.eurprd02.prod.outlook.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin (cherry picked from commit e52cfcf68df0b52565be68106e9f65ab8077b48a) Signed-off-by: Vegard Nossum --- drivers/input/ff-core.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/input/ff-core.c b/drivers/input/ff-core.c index 66a46c84e28f..7d83de2c536d 100644 --- a/drivers/input/ff-core.c +++ b/drivers/input/ff-core.c @@ -24,8 +24,10 @@ /* #define DEBUG */ #include +#include #include #include +#include #include #include @@ -330,9 +332,8 @@ int input_ff_create(struct input_dev *dev, unsigned int max_effects) return -EINVAL; } - ff_dev_size = sizeof(struct ff_device) + - max_effects * sizeof(struct file *); - if (ff_dev_size < max_effects) /* overflow */ + ff_dev_size = struct_size(ff, effect_owners, max_effects); + if (ff_dev_size == SIZE_MAX) /* overflow */ return -EINVAL; ff = kzalloc(ff_dev_size, GFP_KERNEL); From 9c1cb2b6cbf9a9e1ee2e9702637c71adc476e874 Mon Sep 17 00:00:00 2001 From: Simon Horman Date: Tue, 30 Apr 2024 18:46:45 +0100 Subject: [PATCH 08/90] net: dsa: mv88e6xxx: Correct check for empty list [ Upstream commit 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b ] Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO busses") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. Compile tested only. Reviewed-by: Andrew Lunn Signed-off-by: Simon Horman Link: https://lore.kernel.org/r/20240430-mv88e6xx-list_empty-v3-1-c35c69d88d2e@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 47d28dde172696031c880c5778633cdca30394ee) Signed-off-by: Vegard Nossum --- drivers/net/dsa/mv88e6xxx/chip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c index 0f64fc3759f3..863b25fe11aa 100644 --- a/drivers/net/dsa/mv88e6xxx/chip.c +++ b/drivers/net/dsa/mv88e6xxx/chip.c @@ -227,8 +227,8 @@ struct mii_bus *mv88e6xxx_default_mdio_bus(struct mv88e6xxx_chip *chip) { struct mv88e6xxx_mdio_bus *mdio_bus; - mdio_bus = list_first_entry(&chip->mdios, struct mv88e6xxx_mdio_bus, - list); + mdio_bus = list_first_entry_or_null(&chip->mdios, + struct mv88e6xxx_mdio_bus, list); if (!mdio_bus) return NULL; From a65c17e8b9fe25ecae58373ddbea9fe06135f193 Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda Date: Mon, 29 Apr 2024 16:04:47 +0100 Subject: [PATCH 09/90] media: dvb-frontends: tda18271c2dd: Remove casting during div [ Upstream commit e9a844632630e18ed0671a7e3467431bd719952e ] do_div() divides 64 bits by 32. We were adding a casting to the divider to 64 bits, for a number that fits perfectly in 32 bits. Remove it. Found by cocci: drivers/media/dvb-frontends/tda18271c2dd.c:355:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead. drivers/media/dvb-frontends/tda18271c2dd.c:331:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead. Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-8-3c4865f5a4b0@chromium.org Signed-off-by: Ricardo Ribalda Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin (cherry picked from commit 2401cbc0f5d4bd1e327d247548cc6ee57bc76c53) Signed-off-by: Vegard Nossum --- drivers/media/dvb-frontends/tda18271c2dd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/dvb-frontends/tda18271c2dd.c b/drivers/media/dvb-frontends/tda18271c2dd.c index 2d2778be2d2f..eedea109b6dc 100644 --- a/drivers/media/dvb-frontends/tda18271c2dd.c +++ b/drivers/media/dvb-frontends/tda18271c2dd.c @@ -345,7 +345,7 @@ static int CalcMainPLL(struct tda_state *state, u32 freq) OscFreq = (u64) freq * (u64) Div; OscFreq *= (u64) 16384; - do_div(OscFreq, (u64)16000000); + do_div(OscFreq, 16000000); MainDiv = OscFreq; state->m_Regs[MPD] = PostDiv & 0x77; @@ -369,7 +369,7 @@ static int CalcCalPLL(struct tda_state *state, u32 freq) OscFreq = (u64)freq * (u64)Div; /* CalDiv = u32( OscFreq * 16384 / 16000000 ); */ OscFreq *= (u64)16384; - do_div(OscFreq, (u64)16000000); + do_div(OscFreq, 16000000); CalDiv = OscFreq; state->m_Regs[CPD] = PostDiv; From 909138842fcc6194732efcd7e9d6ab4b9b715600 Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda Date: Mon, 29 Apr 2024 16:04:50 +0100 Subject: [PATCH 10/90] media: s2255: Use refcount_t instead of atomic_t for num_channels [ Upstream commit 6cff72f6bcee89228a662435b7c47e21a391c8d0 ] Use an API that resembles more the actual use of num_channels. Found by cocci: drivers/media/usb/s2255/s2255drv.c:2362:5-24: WARNING: atomic_dec_and_test variation before object free at line 2363. drivers/media/usb/s2255/s2255drv.c:1557:5-24: WARNING: atomic_dec_and_test variation before object free at line 1558. Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-11-3c4865f5a4b0@chromium.org Signed-off-by: Ricardo Ribalda Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin (cherry picked from commit 32f2f5385eefa73aaebefda419147ac8599ba9e6) Signed-off-by: Vegard Nossum --- drivers/media/usb/s2255/s2255drv.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c index 08106d3866b4..b7fedf0e6f9e 100644 --- a/drivers/media/usb/s2255/s2255drv.c +++ b/drivers/media/usb/s2255/s2255drv.c @@ -256,7 +256,7 @@ struct s2255_vc { struct s2255_dev { struct s2255_vc vc[MAX_CHANNELS]; struct v4l2_device v4l2_dev; - atomic_t num_channels; + refcount_t num_channels; int frames; struct mutex lock; /* channels[].vdev.lock */ struct mutex cmdlock; /* protects cmdbuf */ @@ -1581,11 +1581,11 @@ static void s2255_video_device_release(struct video_device *vdev) container_of(vdev, struct s2255_vc, vdev); dprintk(dev, 4, "%s, chnls: %d\n", __func__, - atomic_read(&dev->num_channels)); + refcount_read(&dev->num_channels)); v4l2_ctrl_handler_free(&vc->hdl); - if (atomic_dec_and_test(&dev->num_channels)) + if (refcount_dec_and_test(&dev->num_channels)) s2255_destroy(dev); return; } @@ -1688,7 +1688,7 @@ static int s2255_probe_v4l(struct s2255_dev *dev) "failed to register video device!\n"); break; } - atomic_inc(&dev->num_channels); + refcount_inc(&dev->num_channels); v4l2_info(&dev->v4l2_dev, "V4L2 device registered as %s\n", video_device_node_name(&vc->vdev)); @@ -1696,11 +1696,11 @@ static int s2255_probe_v4l(struct s2255_dev *dev) pr_info("Sensoray 2255 V4L driver Revision: %s\n", S2255_VERSION); /* if no channels registered, return error and probe will fail*/ - if (atomic_read(&dev->num_channels) == 0) { + if (refcount_read(&dev->num_channels) == 0) { v4l2_device_unregister(&dev->v4l2_dev); return ret; } - if (atomic_read(&dev->num_channels) != MAX_CHANNELS) + if (refcount_read(&dev->num_channels) != MAX_CHANNELS) pr_warn("s2255: Not all channels available.\n"); return 0; } @@ -2250,7 +2250,7 @@ static int s2255_probe(struct usb_interface *interface, goto errorFWDATA1; } - atomic_set(&dev->num_channels, 0); + refcount_set(&dev->num_channels, 0); dev->pid = id->idProduct; dev->fw_data = kzalloc(sizeof(struct s2255_fw), GFP_KERNEL); if (!dev->fw_data) @@ -2370,12 +2370,12 @@ static void s2255_disconnect(struct usb_interface *interface) { struct s2255_dev *dev = to_s2255_dev(usb_get_intfdata(interface)); int i; - int channels = atomic_read(&dev->num_channels); + int channels = refcount_read(&dev->num_channels); mutex_lock(&dev->lock); v4l2_device_disconnect(&dev->v4l2_dev); mutex_unlock(&dev->lock); /*see comments in the uvc_driver.c usb disconnect function */ - atomic_inc(&dev->num_channels); + refcount_inc(&dev->num_channels); /* unregister each video device. */ for (i = 0; i < channels; i++) video_unregister_device(&dev->vc[i].vdev); @@ -2388,7 +2388,7 @@ static void s2255_disconnect(struct usb_interface *interface) dev->vc[i].vidstatus_ready = 1; wake_up(&dev->vc[i].wait_vidstatus); } - if (atomic_dec_and_test(&dev->num_channels)) + if (refcount_dec_and_test(&dev->num_channels)) s2255_destroy(dev); dev_info(&interface->dev, "%s\n", __func__); } From cf654f32bbef8fd9d7d57d91a3378370a975e85f Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda Date: Mon, 29 Apr 2024 16:05:04 +0100 Subject: [PATCH 11/90] media: dvb-frontends: tda10048: Fix integer overflow [ Upstream commit 1aa1329a67cc214c3b7bd2a14d1301a795760b07 ] state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer when multiplied by pll_mfactor. Create a new 64 bit variable to hold the calculations. Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-25-3c4865f5a4b0@chromium.org Reported-by: Dan Carpenter Signed-off-by: Ricardo Ribalda Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin (cherry picked from commit 8167e4d7dc086d4f7ca7897dcff3827e4d22c99a) Signed-off-by: Vegard Nossum --- drivers/media/dvb-frontends/tda10048.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/media/dvb-frontends/tda10048.c b/drivers/media/dvb-frontends/tda10048.c index a75f86ca5318..8ad7fb4a77cf 100644 --- a/drivers/media/dvb-frontends/tda10048.c +++ b/drivers/media/dvb-frontends/tda10048.c @@ -422,6 +422,7 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) struct tda10048_config *config = &state->config; int i; u32 if_freq_khz; + u64 sample_freq; dprintk(1, "%s(bw = %d)\n", __func__, bw); @@ -463,9 +464,11 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) dprintk(1, "- pll_pfactor = %d\n", state->pll_pfactor); /* Calculate the sample frequency */ - state->sample_freq = state->xtal_hz * (state->pll_mfactor + 45); - state->sample_freq /= (state->pll_nfactor + 1); - state->sample_freq /= (state->pll_pfactor + 4); + sample_freq = state->xtal_hz; + sample_freq *= state->pll_mfactor + 45; + do_div(sample_freq, state->pll_nfactor + 1); + do_div(sample_freq, state->pll_pfactor + 4); + state->sample_freq = sample_freq; dprintk(1, "- sample_freq = %d\n", state->sample_freq); /* Update the I/F */ From f5a529216e877313cde4f8a3fc637c816642e861 Mon Sep 17 00:00:00 2001 From: Heiner Kallweit Date: Fri, 12 Apr 2024 12:21:58 +0200 Subject: [PATCH 12/90] i2c: i801: Annotate apanel_addr as __ro_after_init [ Upstream commit 355b1513b1e97b6cef84b786c6480325dfd3753d ] Annotate this variable as __ro_after_init to protect it from being overwritten later. Signed-off-by: Heiner Kallweit Signed-off-by: Andi Shyti Signed-off-by: Sasha Levin (cherry picked from commit 1a1f7053437d0f27534ecc9ec7e5d441c082b81c) Signed-off-by: Vegard Nossum --- drivers/i2c/busses/i2c-i801.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c index 12f23962ce0e..d2c6da8cfc4e 100644 --- a/drivers/i2c/busses/i2c-i801.c +++ b/drivers/i2c/busses/i2c-i801.c @@ -1032,7 +1032,7 @@ static const struct pci_device_id i801_ids[] = { MODULE_DEVICE_TABLE(pci, i801_ids); #if defined CONFIG_X86 && defined CONFIG_DMI -static unsigned char apanel_addr; +static unsigned char apanel_addr __ro_after_init; /* Scan the system ROM for the signature "FJKEYINF" */ static __init const void __iomem *bios_signature(const void __iomem *bios) From af94a2ea5b6eb5ead8c016a196311449e0e145ac Mon Sep 17 00:00:00 2001 From: Michael Ellerman Date: Fri, 3 May 2024 17:56:19 +1000 Subject: [PATCH 13/90] powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n [ Upstream commit be140f1732b523947425aaafbe2e37b41b622d96 ] There is code that builds with calls to IO accessors even when CONFIG_PCI=n, but the actual calls are guarded by runtime checks. If not those calls would be faulting, because the page at virtual address zero is (usually) not mapped into the kernel. As Arnd pointed out, it is possible a large port value could cause the address to be above mmap_min_addr which would then access userspace, which would be a bug. To avoid any such issues, set _IO_BASE to POISON_POINTER_DELTA. That is a value chosen to point into unmapped space between the kernel and userspace, so any access will always fault. Note that on 32-bit POISON_POINTER_DELTA is 0, so the patch only has an effect on 64-bit. Signed-off-by: Michael Ellerman Link: https://msgid.link/20240503075619.394467-2-mpe@ellerman.id.au Signed-off-by: Sasha Levin (cherry picked from commit 85cc3ecb0b1256d539bb6a58a5f995c802a331c4) Signed-off-by: Vegard Nossum --- arch/powerpc/include/asm/io.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h index e057e0236843..eaaaf54e095f 100644 --- a/arch/powerpc/include/asm/io.h +++ b/arch/powerpc/include/asm/io.h @@ -49,7 +49,7 @@ extern struct pci_dev *isa_bridge_pcidev; * define properly based on the platform */ #ifndef CONFIG_PCI -#define _IO_BASE 0 +#define _IO_BASE POISON_POINTER_DELTA #define _ISA_MEM_BASE 0 #define PCI_DRAM_OFFSET 0 #elif defined(CONFIG_PPC32) From b490b0a094cb6b1e6dc7c79ef9c76213480e03e8 Mon Sep 17 00:00:00 2001 From: Mike Marshall Date: Wed, 1 May 2024 16:20:36 -0400 Subject: [PATCH 14/90] orangefs: fix out-of-bounds fsid access [ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ] Arnd Bergmann sent a patch to fsdevel, he says: "orangefs_statfs() copies two consecutive fields of the superblock into the statfs structure, which triggers a warning from the string fortification helpers" Jan Kara suggested an alternate way to do the patch to make it more readable. I ran both ideas through xfstests and both seem fine. This patch is based on Jan Kara's suggestion. Signed-off-by: Mike Marshall Signed-off-by: Sasha Levin (cherry picked from commit b90176a9553775e23966650e445b1866e62e4924) Signed-off-by: Vegard Nossum --- fs/orangefs/super.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c index e5f7df28793d..3bd2d2c825ef 100644 --- a/fs/orangefs/super.c +++ b/fs/orangefs/super.c @@ -188,7 +188,8 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf) (long)new_op->downcall.resp.statfs.files_avail); buf->f_type = sb->s_magic; - memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid)); + buf->f_fsid.val[0] = ORANGEFS_SB(sb)->fs_id; + buf->f_fsid.val[1] = ORANGEFS_SB(sb)->id; buf->f_bsize = new_op->downcall.resp.statfs.block_size; buf->f_namelen = ORANGEFS_NAME_MAX; From 48d99fb324e4d263c533ae24712372138c5cb664 Mon Sep 17 00:00:00 2001 From: Greg Kurz Date: Tue, 9 Mar 2021 19:11:10 +0100 Subject: [PATCH 15/90] powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 8873aab8646194a4446117bb617cc71bddda2dee ] All these commands end up peeking into the PACA using the user originated cpu id as an index. Check the cpu id is valid in order to prevent xmon to crash. Instead of printing an error, this follows the same behavior as the "lp s #" command : ignore the buggy cpu id parameter and fall back to the #-less version of the command. Signed-off-by: Greg Kurz Reviewed-by: Cédric Le Goater Signed-off-by: Michael Ellerman Link: https://msgid.link/161531347060.252863.10490063933688958044.stgit@bahia.lan Signed-off-by: Sasha Levin (cherry picked from commit 04b90b8d0b6929d7427551215b71901959c8e098) Signed-off-by: Vegard Nossum --- arch/powerpc/xmon/xmon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c index 0885993b2fb4..fe3351c65da9 100644 --- a/arch/powerpc/xmon/xmon.c +++ b/arch/powerpc/xmon/xmon.c @@ -1119,7 +1119,7 @@ static int cpu_cmd(void) unsigned long cpu, first_cpu, last_cpu; int timeout; - if (!scanhex(&cpu)) { + if (!scanhex(&cpu) || cpu >= num_possible_cpus()) { /* print cpus waiting or in xmon */ printf("cpus stopped:"); last_cpu = first_cpu = NR_CPUS; @@ -2426,7 +2426,7 @@ static void dump_pacas(void) termch = c; /* Put c back, it wasn't 'a' */ - if (scanhex(&num)) + if (scanhex(&num) && num < num_possible_cpus()) dump_one_paca(num); else dump_one_paca(xmon_owner); @@ -2509,7 +2509,7 @@ static void dump_xives(void) termch = c; /* Put c back, it wasn't 'a' */ - if (scanhex(&num)) + if (scanhex(&num) && num < num_possible_cpus()) dump_one_xive(num); else dump_one_xive(xmon_owner); From 7523a69d10eba34a5bf215bbbf73b02932303c2b Mon Sep 17 00:00:00 2001 From: Wang Yong Date: Tue, 7 May 2024 15:00:46 +0800 Subject: [PATCH 16/90] jffs2: Fix potential illegal address access in jffs2_free_inode [ Upstream commit af9a8730ddb6a4b2edd779ccc0aceb994d616830 ] During the stress testing of the jffs2 file system,the following abnormal printouts were found: [ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948 [ 2430.649622] Mem abort info: [ 2430.649829] ESR = 0x96000004 [ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits [ 2430.650564] SET = 0, FnV = 0 [ 2430.650795] EA = 0, S1PTW = 0 [ 2430.651032] FSC = 0x04: level 0 translation fault [ 2430.651446] Data abort info: [ 2430.651683] ISV = 0, ISS = 0x00000004 [ 2430.652001] CM = 0, WnR = 0 [ 2430.652558] [0069696969696948] address between user and kernel address ranges [ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33 [ 2430.655008] Hardware name: linux,dummy-virt (DT) [ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2430.656142] pc : kfree+0x78/0x348 [ 2430.656630] lr : jffs2_free_inode+0x24/0x48 [ 2430.657051] sp : ffff800009eebd10 [ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000 [ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000 [ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14 [ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000 [ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000 [ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19 [ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14 [ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302 [ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342 [ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000 [ 2430.664217] Call trace: [ 2430.664528] kfree+0x78/0x348 [ 2430.664855] jffs2_free_inode+0x24/0x48 [ 2430.665233] i_callback+0x24/0x50 [ 2430.665528] rcu_do_batch+0x1ac/0x448 [ 2430.665892] rcu_core+0x28c/0x3c8 [ 2430.666151] rcu_core_si+0x18/0x28 [ 2430.666473] __do_softirq+0x138/0x3cc [ 2430.666781] irq_exit+0xf0/0x110 [ 2430.667065] handle_domain_irq+0x6c/0x98 [ 2430.667447] gic_handle_irq+0xac/0xe8 [ 2430.667739] call_on_irq_stack+0x28/0x54 The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of the jffs_inode_info structure. It was found that all variables in the jffs_inode_info structure were 5a5a5a5a, except for the first member sem. It is suspected that these variables are not initialized because they were set to 5a5a5a5a during memory testing, which is meant to detect uninitialized memory.The sem variable is initialized in the function jffs2_i_init_once, while other members are initialized in the function jffs2_init_inode_info. The function jffs2_init_inode_info is called after iget_locked, but in the iget_locked function, the destroy_inode process is triggered, which releases the inode and consequently, the target member of the inode is not initialized.In concurrent high pressure scenarios, iget_locked may enter the destroy_inode branch as described in the code. Since the destroy_inode functionality of jffs2 only releases the target, the fix method is to set target to NULL in jffs2_i_init_once. Signed-off-by: Wang Yong Reviewed-by: Lu Zhongjun Reviewed-by: Yang Tao Cc: Xu Xin Cc: Yang Yang Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin (cherry picked from commit b6c8b3e31eb88c85094d848a0bd8b4bafe67e4d8) Signed-off-by: Vegard Nossum --- fs/jffs2/super.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c index 9a9f30eddbbb..93a533c4b15e 100644 --- a/fs/jffs2/super.c +++ b/fs/jffs2/super.c @@ -63,6 +63,7 @@ static void jffs2_i_init_once(void *foo) struct jffs2_inode_info *f = foo; mutex_init(&f->sem); + f->target = NULL; inode_init_once(&f->vfs_inode); } From d232297f0376ff857296774d047ced0731895562 Mon Sep 17 00:00:00 2001 From: Holger Dengler Date: Tue, 7 May 2024 17:03:18 +0200 Subject: [PATCH 17/90] s390/pkey: Wipe sensitive data on failure [ Upstream commit 1d8c270de5eb74245d72325d285894a577a945d9 ] Wipe sensitive data from stack also if the copy_to_user() fails. Suggested-by: Heiko Carstens Reviewed-by: Harald Freudenberger Reviewed-by: Ingo Franzki Acked-by: Heiko Carstens Signed-off-by: Holger Dengler Signed-off-by: Alexander Gordeev Signed-off-by: Sasha Levin (cherry picked from commit 6e2e374403bf73140d0efc9541cb1b3bea55ac02) Signed-off-by: Vegard Nossum --- drivers/s390/crypto/pkey_api.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c index bd0376dc7e1e..5b6ad4f295e9 100644 --- a/drivers/s390/crypto/pkey_api.c +++ b/drivers/s390/crypto/pkey_api.c @@ -1088,7 +1088,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, if (rc) break; if (copy_to_user(ucs, &kcs, sizeof(kcs))) - return -EFAULT; + rc = -EFAULT; memzero_explicit(&kcs, sizeof(kcs)); break; } @@ -1119,7 +1119,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, if (rc) break; if (copy_to_user(ucp, &kcp, sizeof(kcp))) - return -EFAULT; + rc = -EFAULT; memzero_explicit(&kcp, sizeof(kcp)); break; } From f1bac5dbfa7aaf5cee717a604ed1c94b363a9883 Mon Sep 17 00:00:00 2001 From: Neal Cardwell Date: Wed, 26 Jun 2024 22:42:27 -0400 Subject: [PATCH 18/90] UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open() [ Upstream commit a6458ab7fd4f427d4f6f54380453ad255b7fde83 ] In some production workloads we noticed that connections could sometimes close extremely prematurely with ETIMEDOUT after transmitting only 1 TLP and RTO retransmission (when we would normally expect roughly tcp_retries2 = TCP_RETR2 = 15 RTOs before a connection closes with ETIMEDOUT). From tracing we determined that these workloads can suffer from a scenario where in fast recovery, after some retransmits, a DSACK undo can happen at a point where the scoreboard is totally clear (we have retrans_out == sacked_out == lost_out == 0). In such cases, calling tcp_try_keep_open() means that we do not execute any code path that clears tp->retrans_stamp to 0. That means that tp->retrans_stamp can remain erroneously set to the start time of the undone fast recovery, even after the fast recovery is undone. If minutes or hours elapse, and then a TLP/RTO/RTO sequence occurs, then the start_ts value in retransmits_timed_out() (which is from tp->retrans_stamp) will be erroneously ancient (left over from the fast recovery undone via DSACKs). Thus this ancient tp->retrans_stamp value can cause the connection to die very prematurely with ETIMEDOUT via tcp_write_err(). The fix: we change DSACK undo in fast recovery (TCP_CA_Recovery) to call tcp_try_to_open() instead of tcp_try_keep_open(). This ensures that if no retransmits are in flight at the time of DSACK undo in fast recovery then we properly zero retrans_stamp. Note that calling tcp_try_to_open() is more consistent with other loss recovery behavior, since normal fast recovery (CA_Recovery) and RTO recovery (CA_Loss) both normally end when tp->snd_una meets or exceeds tp->high_seq and then in tcp_fastretrans_alert() the "default" switch case executes tcp_try_to_open(). Also note that by inspection this change to call tcp_try_to_open() implies at least one other nice bug fix, where now an ECE-marked DSACK that causes an undo will properly invoke tcp_enter_cwr() rather than ignoring the ECE mark. Fixes: c7d9d6a185a7 ("tcp: undo on DSACK during recovery") Signed-off-by: Neal Cardwell Signed-off-by: Yuchung Cheng Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 8b5fd51b3040ce2596d22a72767c66d7435853b6) [Harshit: Minor conflict resolution due to missing commit: 737ff314563c ("tcp: use sequence distance to detect reordering") and more commits] Signed-off-by: Harshit Mogalapalli --- net/ipv4/tcp_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 8b88e271121d..a3d550c36b97 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -2914,7 +2914,7 @@ static void tcp_fastretrans_alert(struct sock *sk, const int acked, tcp_fackets_out(tp) > tp->reordering; } if (tcp_try_undo_dsack(sk)) { - tcp_try_keep_open(sk); + tcp_try_to_open(sk, flag); return; } tcp_rack_identify_loss(sk, ack_flag); From f8f32610dabb5c07608475f3cfe4915aa4cd15e5 Mon Sep 17 00:00:00 2001 From: Jakub Kicinski Date: Thu, 27 Jun 2024 14:25:00 -0700 Subject: [PATCH 19/90] tcp_metrics: validate source addr length [ Upstream commit 66be40e622e177316ae81717aa30057ba9e61dff ] I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated). Reviewed-by: Eric Dumazet Fixes: 3e7013ddf55a ("tcp: metrics: Allow selective get/del of tcp-metrics based on src IP") Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 19d997b59fa1fd7a02e770ee0881c0652b9c32c9) Signed-off-by: Vegard Nossum --- net/ipv4/tcp_metrics.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c index e9cd8c95eaa5..e433b222368c 100644 --- a/net/ipv4/tcp_metrics.c +++ b/net/ipv4/tcp_metrics.c @@ -630,6 +630,7 @@ static const struct nla_policy tcp_metrics_nl_policy[TCP_METRICS_ATTR_MAX + 1] = [TCP_METRICS_ATTR_ADDR_IPV4] = { .type = NLA_U32, }, [TCP_METRICS_ATTR_ADDR_IPV6] = { .type = NLA_BINARY, .len = sizeof(struct in6_addr), }, + [TCP_METRICS_ATTR_SADDR_IPV4] = { .type = NLA_U32, }, /* Following attributes are not received for GET/DEL, * we keep them for reference */ From ea462f7627ecabdd4263965f5a8864f0ab86d08b Mon Sep 17 00:00:00 2001 From: Sam Sun Date: Tue, 2 Jul 2024 14:55:55 +0100 Subject: [PATCH 20/90] bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() [ Upstream commit e271ff53807e8f2c628758290f0e499dbe51cb3d ] In function bond_option_arp_ip_targets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read. BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc1/0x5e0 mm/kasan/report.c:475 kasan_report+0xbe/0xf0 mm/kasan/report.c:588 strlen+0x7d/0xa0 lib/string.c:418 __fortify_strlen include/linux/fortify-string.h:210 [inline] in4_pton+0xa3/0x3f0 net/core/utils.c:130 bond_option_arp_ip_targets_set+0xc2/0x910 drivers/net/bonding/bond_options.c:1201 __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767 __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792 bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817 bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156 dev_attr_store+0x54/0x80 drivers/base/core.c:2366 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x96a/0xd80 fs/read_write.c:584 ksys_write+0x122/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b ---[ end trace ]--- Fix it by adding a check of string length before using it. Fixes: f9de11a16594 ("bonding: add ip checks when store ip target") Signed-off-by: Yue Sun Signed-off-by: Simon Horman Acked-by: Jay Vosburgh Reviewed-by: Hangbin Liu Link: https://patch.msgid.link/20240702-bond-oob-v6-1-2dfdba195c19@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 6a8a4fd082c439e19fede027e80c79bc4c84bb8e) Signed-off-by: Vegard Nossum --- drivers/net/bonding/bond_options.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c index 1e81b1cafae3..d7dbbe356ab7 100644 --- a/drivers/net/bonding/bond_options.c +++ b/drivers/net/bonding/bond_options.c @@ -1074,9 +1074,9 @@ static int bond_option_arp_ip_targets_set(struct bonding *bond, __be32 target; if (newval->string) { - if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) { - netdev_err(bond->dev, "invalid ARP target %pI4 specified\n", - &target); + if (strlen(newval->string) < 1 || + !in4_pton(newval->string + 1, -1, (u8 *)&target, -1, NULL)) { + netdev_err(bond->dev, "invalid ARP target specified\n"); return ret; } if (newval->string[0] == '+') From a8987b87ffb8455fddf7b29734f043256d589a34 Mon Sep 17 00:00:00 2001 From: Sowmini Varadhan Date: Tue, 27 Feb 2018 09:52:44 -0800 Subject: [PATCH 21/90] selftests/net: reap zerocopy completions passed up as ancillary data. PF_RDS sockets pass up cookies for zerocopy completion as ancillary data. Update msg_zerocopy to reap this information. Signed-off-by: Sowmini Varadhan Acked-by: Willem de Bruijn Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller (cherry picked from commit 6f3899e602b0f4ec3d62ff385bb805e7109defa4) Signed-off-by: Harshit Mogalapalli --- tools/testing/selftests/net/msg_zerocopy.c | 65 +++++++++++++++++++--- 1 file changed, 57 insertions(+), 8 deletions(-) diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c index 6184d2a4c4a6..ab7e4beca8df 100644 --- a/tools/testing/selftests/net/msg_zerocopy.c +++ b/tools/testing/selftests/net/msg_zerocopy.c @@ -306,7 +306,53 @@ static int do_setup_tx(int domain, int type, int protocol) return fd; } -static bool do_recv_completion(int fd) +static uint32_t do_process_zerocopy_cookies(struct rds_zcopy_cookies *ck) +{ + int i; + + if (ck->num > RDS_MAX_ZCOOKIES) + error(1, 0, "Returned %d cookies, max expected %d\n", + ck->num, RDS_MAX_ZCOOKIES); + for (i = 0; i < ck->num; i++) + if (cfg_verbose >= 2) + fprintf(stderr, "%d\n", ck->cookies[i]); + return ck->num; +} + +static bool do_recvmsg_completion(int fd) +{ + char cmsgbuf[CMSG_SPACE(sizeof(struct rds_zcopy_cookies))]; + struct rds_zcopy_cookies *ck; + struct cmsghdr *cmsg; + struct msghdr msg; + bool ret = false; + + memset(&msg, 0, sizeof(msg)); + msg.msg_control = cmsgbuf; + msg.msg_controllen = sizeof(cmsgbuf); + + if (recvmsg(fd, &msg, MSG_DONTWAIT)) + return ret; + + if (msg.msg_flags & MSG_CTRUNC) + error(1, errno, "recvmsg notification: truncated"); + + for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) { + if (cmsg->cmsg_level == SOL_RDS && + cmsg->cmsg_type == RDS_CMSG_ZCOPY_COMPLETION) { + + ck = (struct rds_zcopy_cookies *)CMSG_DATA(cmsg); + completions += do_process_zerocopy_cookies(ck); + ret = true; + break; + } + error(0, 0, "ignoring cmsg at level %d type %d\n", + cmsg->cmsg_level, cmsg->cmsg_type); + } + return ret; +} + +static bool do_recv_completion(int fd, int domain) { struct sock_extended_err *serr; struct msghdr msg = {}; @@ -315,6 +361,9 @@ static bool do_recv_completion(int fd) int ret, zerocopy; char control[100]; + if (domain == PF_RDS) + return do_recvmsg_completion(fd); + msg.msg_control = control; msg.msg_controllen = sizeof(control); @@ -370,20 +419,20 @@ static bool do_recv_completion(int fd) } /* Read all outstanding messages on the errqueue */ -static void do_recv_completions(int fd) +static void do_recv_completions(int fd, int domain) { - while (do_recv_completion(fd)) {} + while (do_recv_completion(fd, domain)) {} } /* Wait for all remaining completions on the errqueue */ -static void do_recv_remaining_completions(int fd) +static void do_recv_remaining_completions(int fd, int domain) { int64_t tstop = gettimeofday_ms() + cfg_waittime_ms; while (completions < expected_completions && gettimeofday_ms() < tstop) { - if (do_poll(fd, POLLERR)) - do_recv_completions(fd); + if (do_poll(fd, domain == PF_RDS ? POLLIN : POLLERR)) + do_recv_completions(fd, domain); } if (completions < expected_completions) @@ -457,13 +506,13 @@ static void do_tx(int domain, int type, int protocol) while (!do_poll(fd, POLLOUT)) { if (cfg_zerocopy) - do_recv_completions(fd); + do_recv_completions(fd, domain); } } while (gettimeofday_ms() < tstop); if (cfg_zerocopy) - do_recv_remaining_completions(fd); + do_recv_remaining_completions(fd, domain); if (close(fd)) error(1, errno, "close"); From c75d2712b73df3ce9a145395882cee0d56f8916f Mon Sep 17 00:00:00 2001 From: Zijian Zhang Date: Mon, 1 Jul 2024 22:53:48 +0000 Subject: [PATCH 22/90] selftests: fix OOM in msg_zerocopy selftest [ Upstream commit af2b7e5b741aaae9ffbba2c660def434e07aa241 ] In selftests/net/msg_zerocopy.c, it has a while loop keeps calling sendmsg on a socket with MSG_ZEROCOPY flag, and it will recv the notifications until the socket is not writable. Typically, it will start the receiving process after around 30+ sendmsgs. However, as the introduction of commit dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale"), the sender is always writable and does not get any chance to run recv notifications. The selftest always exits with OUT_OF_MEMORY because the memory used by opt_skb exceeds the net.core.optmem_max. Meanwhile, it could be set to a different value to trigger OOM on older kernels too. Thus, we introduce "cfg_notification_limit" to force sender to receive notifications after some number of sendmsgs. Fixes: 07b65c5b31ce ("test: add msg_zerocopy test") Signed-off-by: Zijian Zhang Signed-off-by: Xiaochun Lu Reviewed-by: Willem de Bruijn Link: https://patch.msgid.link/20240701225349.3395580-2-zijianzhang@bytedance.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit d6ab0198fb470e1a9948d08c610a94601a1fdb2c) Signed-off-by: Harshit Mogalapalli --- tools/testing/selftests/net/msg_zerocopy.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c index ab7e4beca8df..2323a9e60f54 100644 --- a/tools/testing/selftests/net/msg_zerocopy.c +++ b/tools/testing/selftests/net/msg_zerocopy.c @@ -81,6 +81,7 @@ static bool cfg_rx; static int cfg_runtime_ms = 4200; static int cfg_verbose; static int cfg_waittime_ms = 500; +static int cfg_notification_limit = 32; static bool cfg_zerocopy; static socklen_t cfg_alen; @@ -91,6 +92,7 @@ static char payload[IP_MAXPACKET]; static long packets, bytes, completions, expected_completions; static int zerocopied = -1; static uint32_t next_completion; +static uint32_t sends_since_notify; static unsigned long gettimeofday_ms(void) { @@ -182,6 +184,7 @@ static bool do_sendmsg(int fd, struct msghdr *msg, bool do_zerocopy) error(1, errno, "send"); if (cfg_verbose && ret != len) fprintf(stderr, "send: ret=%u != %u\n", ret, len); + sends_since_notify++; if (len) { packets++; @@ -422,6 +425,7 @@ static bool do_recv_completion(int fd, int domain) static void do_recv_completions(int fd, int domain) { while (do_recv_completion(fd, domain)) {} + sends_since_notify = 0; } /* Wait for all remaining completions on the errqueue */ @@ -504,6 +508,9 @@ static void do_tx(int domain, int type, int protocol) else do_sendmsg(fd, &msg, cfg_zerocopy); + if (cfg_zerocopy && sends_since_notify >= cfg_notification_limit) + do_recv_completions(fd, domain); + while (!do_poll(fd, POLLOUT)) { if (cfg_zerocopy) do_recv_completions(fd, domain); @@ -661,7 +668,7 @@ static void parse_opts(int argc, char **argv) cfg_payload_len = max_payload_len; - while ((c = getopt(argc, argv, "46c:C:D:i:mp:rs:S:t:vz")) != -1) { + while ((c = getopt(argc, argv, "46c:C:D:i:l:mp:rs:S:t:vz")) != -1) { switch (c) { case '4': if (cfg_family != PF_UNSPEC) @@ -689,6 +696,9 @@ static void parse_opts(int argc, char **argv) if (cfg_ifindex == 0) error(1, errno, "invalid iface: %s", optarg); break; + case 'l': + cfg_notification_limit = strtoul(optarg, NULL, 0); + break; case 'm': cfg_cork_mixed = true; break; From 3688bfa238e9ea94bff46c0dc030f412f239a08c Mon Sep 17 00:00:00 2001 From: Zijian Zhang Date: Mon, 1 Jul 2024 22:53:49 +0000 Subject: [PATCH 23/90] selftests: make order checking verbose in msg_zerocopy selftest [ Upstream commit 7d6d8f0c8b700c9493f2839abccb6d29028b4219 ] We find that when lock debugging is on, notifications may not come in order. Thus, we have order checking outputs managed by cfg_verbose, to avoid too many outputs in this case. Fixes: 07b65c5b31ce ("test: add msg_zerocopy test") Signed-off-by: Zijian Zhang Signed-off-by: Xiaochun Lu Reviewed-by: Willem de Bruijn Link: https://patch.msgid.link/20240701225349.3395580-3-zijianzhang@bytedance.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit b1cb48187a6edc2ab72f5b3e6b4af7a232730d64) Signed-off-by: Harshit Mogalapalli --- tools/testing/selftests/net/msg_zerocopy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c index 2323a9e60f54..7cfc7713ca7f 100644 --- a/tools/testing/selftests/net/msg_zerocopy.c +++ b/tools/testing/selftests/net/msg_zerocopy.c @@ -400,7 +400,7 @@ static bool do_recv_completion(int fd, int domain) /* Detect notification gaps. These should not happen often, if at all. * Gaps can occur due to drops, reordering and retransmissions. */ - if (lo != next_completion) + if (cfg_verbose && lo != next_completion) fprintf(stderr, "gap: %u..%u does not append to %u\n", lo, hi, next_completion); next_completion = hi + 1; From 600edf70c16cb29b82c9fd1e830398168eea7bca Mon Sep 17 00:00:00 2001 From: Shigeru Yoshida Date: Wed, 3 Jul 2024 18:16:49 +0900 Subject: [PATCH 24/90] inet_diag: Initialize pad field in struct inet_diag_req_v2 [ Upstream commit 61cf1c739f08190a4cbf047b9fbb192a94d87e3f ] KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw sockets uses the pad field in struct inet_diag_req_v2 for the underlying protocol. This field corresponds to the sdiag_raw_protocol field in struct inet_diag_req_raw. inet_diag_get_exact_compat() converts inet_diag_req to inet_diag_req_v2, but leaves the pad field uninitialized. So the issue occurs when raw_lookup() accesses the sdiag_raw_protocol field. Fix this by initializing the pad field in inet_diag_get_exact_compat(). Also, do the same fix in inet_diag_dump_compat() to avoid the similar issue in the future. [1] BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline] BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71 raw_lookup net/ipv4/raw_diag.c:49 [inline] raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71 raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99 inet_diag_cmd_exact+0x7d9/0x980 inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline] inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426 sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564 sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x332/0x3d0 net/socket.c:745 ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639 __sys_sendmsg net/socket.c:2668 [inline] __do_sys_sendmsg net/socket.c:2677 [inline] __se_sys_sendmsg net/socket.c:2675 [inline] __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675 x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71 raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99 inet_diag_cmd_exact+0x7d9/0x980 inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline] inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426 sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564 sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x332/0x3d0 net/socket.c:745 ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639 __sys_sendmsg net/socket.c:2668 [inline] __do_sys_sendmsg net/socket.c:2677 [inline] __se_sys_sendmsg net/socket.c:2675 [inline] __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675 x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable req.i created at: inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline] inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426 sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282 CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 Fixes: 432490f9d455 ("net: ip, diag -- Add diag interface for raw sockets") Reported-by: syzkaller Signed-off-by: Shigeru Yoshida Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20240703091649.111773-1-syoshida@redhat.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 7094a5fd20ab66028f1da7f06e0f2692d70346f9) Signed-off-by: Vegard Nossum --- net/ipv4/inet_diag.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c index a3335815e981..462f85c76edd 100644 --- a/net/ipv4/inet_diag.c +++ b/net/ipv4/inet_diag.c @@ -1089,6 +1089,7 @@ static int inet_diag_dump_compat(struct sk_buff *skb, req.sdiag_family = AF_UNSPEC; /* compatibility */ req.sdiag_protocol = inet_diag_type2proto(cb->nlh->nlmsg_type); req.idiag_ext = rc->idiag_ext; + req.pad = 0; req.idiag_states = rc->idiag_states; req.id = rc->id; @@ -1107,6 +1108,7 @@ static int inet_diag_get_exact_compat(struct sk_buff *in_skb, req.sdiag_family = rc->idiag_family; req.sdiag_protocol = inet_diag_type2proto(nlh->nlmsg_type); req.idiag_ext = rc->idiag_ext; + req.pad = 0; req.idiag_states = rc->idiag_states; req.id = rc->id; From 72ae23ea4ee2e943e8d58ad302c6a843dbf80ad0 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi Date: Sun, 23 Jun 2024 14:11:33 +0900 Subject: [PATCH 25/90] nilfs2: fix inode number range checks commit e2fec219a36e0993642844be0f345513507031f4 upstream. Patch series "nilfs2: fix potential issues related to reserved inodes". This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause problems if the starting number of non-reserved inodes written in the on-disk super block is intentionally (or corruptly) changed from its default value. This patch (of 3): In the current implementation of nilfs2, "nilfs->ns_first_ino", which gives the first non-reserved inode number, is read from the superblock, but its lower limit is not checked. As a result, if a number that overlaps with the inode number range of reserved inodes such as the root directory or metadata files is set in the super block parameter, the inode number test macros (NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly. In addition, these test macros use left bit-shift calculations using with the inode number as the shift count via the BIT macro, but the result of a shift calculation that exceeds the bit width of an integer is undefined in the C specification, so if "ns_first_ino" is set to a large value other than the default value NILFS_USER_INO (=11), the macros may potentially malfunction depending on the environment. Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and by preventing bit shifts equal to or greater than the NILFS_USER_INO constant in the inode number test macros. Also, change the type of "ns_first_ino" from signed integer to unsigned integer to avoid the need for type casting in comparisons such as the lower bound check introduced this time. Link: https://lkml.kernel.org/r/20240623051135.4180-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240623051135.4180-2-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi Cc: Hillf Danton Cc: Jan Kara Cc: Matthew Wilcox (Oracle) Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 57235c3c88bb430043728d0d02f44a4efe386476) Signed-off-by: Vegard Nossum --- fs/nilfs2/nilfs.h | 5 +++-- fs/nilfs2/the_nilfs.c | 6 ++++++ fs/nilfs2/the_nilfs.h | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/fs/nilfs2/nilfs.h b/fs/nilfs2/nilfs.h index c68eb8d2ca03..4a325e5b62ed 100644 --- a/fs/nilfs2/nilfs.h +++ b/fs/nilfs2/nilfs.h @@ -125,9 +125,10 @@ enum { #define NILFS_FIRST_INO(sb) (((struct the_nilfs *)sb->s_fs_info)->ns_first_ino) #define NILFS_MDT_INODE(sb, ino) \ - ((ino) < NILFS_FIRST_INO(sb) && (NILFS_MDT_INO_BITS & BIT(ino))) + ((ino) < NILFS_USER_INO && (NILFS_MDT_INO_BITS & BIT(ino))) #define NILFS_VALID_INODE(sb, ino) \ - ((ino) >= NILFS_FIRST_INO(sb) || (NILFS_SYS_INO_BITS & BIT(ino))) + ((ino) >= NILFS_FIRST_INO(sb) || \ + ((ino) < NILFS_USER_INO && (NILFS_SYS_INO_BITS & BIT(ino)))) /** * struct nilfs_transaction_info: context information for synchronization diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c index e0a887e98c36..906a21579030 100644 --- a/fs/nilfs2/the_nilfs.c +++ b/fs/nilfs2/the_nilfs.c @@ -429,6 +429,12 @@ static int nilfs_store_disk_layout(struct the_nilfs *nilfs, } nilfs->ns_first_ino = le32_to_cpu(sbp->s_first_ino); + if (nilfs->ns_first_ino < NILFS_USER_INO) { + nilfs_err(nilfs->ns_sb, + "too small lower limit for non-reserved inode numbers: %u", + nilfs->ns_first_ino); + return -EINVAL; + } nilfs->ns_blocks_per_segment = le32_to_cpu(sbp->s_blocks_per_segment); if (nilfs->ns_blocks_per_segment < NILFS_SEG_MIN_BLOCKS) { diff --git a/fs/nilfs2/the_nilfs.h b/fs/nilfs2/the_nilfs.h index 6db4943fd05b..e6adb1229cdb 100644 --- a/fs/nilfs2/the_nilfs.h +++ b/fs/nilfs2/the_nilfs.h @@ -190,7 +190,7 @@ struct the_nilfs { unsigned long ns_nrsvsegs; unsigned long ns_first_data_block; int ns_inode_size; - int ns_first_ino; + unsigned int ns_first_ino; u32 ns_crc_seed; /* /sys/fs// */ From ba6206b639aa6f1d9ade9cb55831ebc1f7268594 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi Date: Sun, 23 Jun 2024 14:11:34 +0900 Subject: [PATCH 26/90] nilfs2: add missing check for inode numbers on directory entries commit bb76c6c274683c8570ad788f79d4b875bde0e458 upstream. Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis. Link: https://lkml.kernel.org/r/20240623051135.4180-3-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi Reported-by: syzbot+d79afb004be235636ee8@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8 Reported-by: Jan Kara Closes: https://lkml.kernel.org/r/20240617075758.wewhukbrjod5fp5o@quack3 Tested-by: Ryusuke Konishi Cc: Hillf Danton Cc: Matthew Wilcox (Oracle) Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit c33c2b0d92aa1c2262d999b2598ad6fbd53bd479) Signed-off-by: Vegard Nossum --- fs/nilfs2/dir.c | 6 ++++++ fs/nilfs2/nilfs.h | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c index eed73d59ec08..fcec9216d300 100644 --- a/fs/nilfs2/dir.c +++ b/fs/nilfs2/dir.c @@ -152,6 +152,9 @@ static bool nilfs_check_page(struct page *page) goto Enamelen; if (((offs + rec_len - 1) ^ offs) & ~(chunk_size-1)) goto Espan; + if (unlikely(p->inode && + NILFS_PRIVATE_INODE(le64_to_cpu(p->inode)))) + goto Einumber; } if (offs != limit) goto Eend; @@ -177,6 +180,9 @@ Enamelen: goto bad_entry; Espan: error = "directory entry across blocks"; + goto bad_entry; +Einumber: + error = "disallowed inode number"; bad_entry: nilfs_error(sb, "bad entry in directory #%lu: %s - offset=%lu, inode=%lu, rec_len=%d, name_len=%d", diff --git a/fs/nilfs2/nilfs.h b/fs/nilfs2/nilfs.h index 4a325e5b62ed..028b872375b7 100644 --- a/fs/nilfs2/nilfs.h +++ b/fs/nilfs2/nilfs.h @@ -130,6 +130,11 @@ enum { ((ino) >= NILFS_FIRST_INO(sb) || \ ((ino) < NILFS_USER_INO && (NILFS_SYS_INO_BITS & BIT(ino)))) +#define NILFS_PRIVATE_INODE(ino) ({ \ + ino_t __ino = (ino); \ + ((__ino) < NILFS_USER_INO && (__ino) != NILFS_ROOT_INO && \ + (__ino) != NILFS_SKETCH_INO); }) + /** * struct nilfs_transaction_info: context information for synchronization * @ti_magic: Magic number From 34096341954fed86e3b510d1c0617470f21bb41d Mon Sep 17 00:00:00 2001 From: Jinliang Zheng Date: Thu, 20 Jun 2024 20:21:24 +0800 Subject: [PATCH 27/90] mm: optimize the redundant loop of mm_update_owner_next() commit cf3f9a593dab87a032d2b6a6fb205e7f3de4f0a1 upstream. When mm_update_owner_next() is racing with swapoff (try_to_unuse()) or /proc or ptrace or page migration (get_task_mm()), it is impossible to find an appropriate task_struct in the loop whose mm_struct is the same as the target mm_struct. If the above race condition is combined with the stress-ng-zombie and stress-ng-dup tests, such a long loop can easily cause a Hard Lockup in write_lock_irq() for tasklist_lock. Recognize this situation in advance and exit early. Link: https://lkml.kernel.org/r/20240620122123.3877432-1-alexjlzheng@tencent.com Signed-off-by: Jinliang Zheng Acked-by: Michal Hocko Cc: Christian Brauner Cc: Jens Axboe Cc: Mateusz Guzik Cc: Matthew Wilcox (Oracle) Cc: Oleg Nesterov Cc: Tycho Andersen Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 2890a7faf552dd3e4e40e343610ba3e0ba5b788e) Signed-off-by: Vegard Nossum --- kernel/exit.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/exit.c b/kernel/exit.c index 38dc916c94fa..28a09ca5f54a 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -493,6 +493,8 @@ retry: * Search through everything else, we should not get here often. */ for_each_process(g) { + if (atomic_read(&mm->mm_users) <= 1) + break; if (g->flags & PF_KTHREAD) continue; for_each_thread(g, c) { From 1cbdc455dc33b76a9efdf4694308b2b1c8ea5a21 Mon Sep 17 00:00:00 2001 From: Jaganath Kanakkassery Date: Wed, 3 Apr 2019 12:11:44 +0530 Subject: [PATCH 28/90] Bluetooth: Fix incorrect pointer arithmatic in ext_adv_report_evt commit cd9151b618da4723877bd94eae952f2e50acbc0e upstream. In ext_adv_report_event rssi comes before data (not after data as in legacy adv_report_evt) so "+ 1" is not required in the ptr arithmatic to point to next report. Signed-off-by: Jaganath Kanakkassery Signed-off-by: Marcel Holtmann Signed-off-by: Wentao Guan Signed-off-by: Greg Kroah-Hartman (cherry picked from commit b162f19e6603571061b19dbb604a9883f0fa4ecc) Signed-off-by: Vegard Nossum --- net/bluetooth/hci_event.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index f012db539831..fb89b128751a 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -5024,7 +5024,7 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) bt_dev_err(hdev, "Dropping invalid advertising data"); } - ptr += sizeof(*ev) + ev->length + 1; + ptr += sizeof(*ev) + ev->length; } hci_dev_unlock(hdev); From 73f492747cfcd09e43ef25970d26c8943ab830ec Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Mon, 17 Jun 2024 18:23:00 +0200 Subject: [PATCH 29/90] fsnotify: Do not generate events for O_PATH file descriptors commit 702eb71fd6501b3566283f8c96d7ccc6ddd662e9 upstream. Currently we will not generate FS_OPEN events for O_PATH file descriptors but we will generate FS_CLOSE events for them. This is asymmetry is confusing. Arguably no fsnotify events should be generated for O_PATH file descriptors as they cannot be used to access or modify file content, they are just convenient handles to file objects like paths. So fix the asymmetry by stopping to generate FS_CLOSE for O_PATH file descriptors. Cc: Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20240617162303.1596-1-jack@suse.cz Reviewed-by: Amir Goldstein Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman (cherry picked from commit b7421cad1d8725831a98b339d7ecbb284dd1c5de) Signed-off-by: Vegard Nossum --- include/linux/fsnotify.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h index bdaf22582f6e..9af2ea5a1efc 100644 --- a/include/linux/fsnotify.h +++ b/include/linux/fsnotify.h @@ -38,7 +38,13 @@ static inline int fsnotify_perm(struct file *file, int mask) __u32 fsnotify_mask = 0; int ret; - if (file->f_mode & FMODE_NONOTIFY) + /* + * FMODE_NONOTIFY are fds generated by fanotify itself which should not + * generate new events. We also don't want to generate events for + * FMODE_PATH fds (involves open & close events) as they are just + * handle creation / destruction events and not "real" file events. + */ + if (file->f_mode & (FMODE_NONOTIFY | FMODE_PATH)) return 0; if (!(mask & (MAY_READ | MAY_OPEN))) return 0; From 6949c5283758b9d0847b1ce1d461e9c7d2730fa1 Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Fri, 21 Jun 2024 16:42:37 +0200 Subject: [PATCH 30/90] Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" commit 30139c702048f1097342a31302cbd3d478f50c63 upstream. Patch series "mm: Avoid possible overflows in dirty throttling". Dirty throttling logic assumes dirty limits in page units fit into 32-bits. This patch series makes sure this is true (see patch 2/2 for more details). This patch (of 2): This reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78. The commit is broken in several ways. Firstly, the removed (u64) cast from the multiplication will introduce a multiplication overflow on 32-bit archs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the default settings with 4GB of RAM will trigger this). Secondly, the div64_u64() is unnecessarily expensive on 32-bit archs. We have div64_ul() in case we want to be safe & cheap. Thirdly, if dirty thresholds are larger than 1<<32 pages, then dirty balancing is going to blow up in many other spectacular ways anyway so trying to fix one possible overflow is just moot. Link: https://lkml.kernel.org/r/20240621144017.30993-1-jack@suse.cz Link: https://lkml.kernel.org/r/20240621144246.11148-1-jack@suse.cz Fixes: 9319b647902c ("mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again") Signed-off-by: Jan Kara Reviewed-By: Zach O'Keefe Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 253f9ea7e8e53a5176bd80ceb174907b10724c1a) Signed-off-by: Vegard Nossum --- mm/page-writeback.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/page-writeback.c b/mm/page-writeback.c index 2193086847b3..29f9980c13ac 100644 --- a/mm/page-writeback.c +++ b/mm/page-writeback.c @@ -1531,7 +1531,7 @@ static inline void wb_dirty_limits(struct dirty_throttle_control *dtc) */ dtc->wb_thresh = __wb_calc_thresh(dtc); dtc->wb_bg_thresh = dtc->thresh ? - div64_u64(dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; + div_u64((u64)dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; /* * In order to avoid the stacked BDI deadlock we need From c300d28e4079a0046e79ff18bdffb48c7dee3861 Mon Sep 17 00:00:00 2001 From: Ma Ke Date: Thu, 27 Jun 2024 15:42:04 +0800 Subject: [PATCH 31/90] drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes commit 80bec6825b19d95ccdfd3393cf8ec15ff2a749b4 upstream. In nouveau_connector_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. Cc: stable@vger.kernel.org Fixes: 6ee738610f41 ("drm/nouveau: Add DRM driver for NVIDIA GPUs") Signed-off-by: Ma Ke Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20240627074204.3023776-1-make24@iscas.ac.cn Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 9baf60323efa992b7c915094529f0a1882c34e7e) Signed-off-by: Vegard Nossum --- drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c index ae57a47fbf22..39e291148a5c 100644 --- a/drivers/gpu/drm/nouveau/nouveau_connector.c +++ b/drivers/gpu/drm/nouveau/nouveau_connector.c @@ -958,6 +958,9 @@ nouveau_connector_get_modes(struct drm_connector *connector) struct drm_display_mode *mode; mode = drm_mode_duplicate(dev, nv_connector->native_mode); + if (!mode) + return 0; + drm_mode_probed_add(connector, mode); ret = 1; } From 27967cf8362a84f47938fe7ff0ff57c991c858cc Mon Sep 17 00:00:00 2001 From: Alex Deucher Date: Mon, 1 Jul 2024 12:50:10 -0400 Subject: [PATCH 32/90] drm/amdgpu/atomfirmware: silence UBSAN warning commit d0417264437a8fa05f894cabba5a26715b32d78e upstream. This is a variable sized array. Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/110420.html Tested-by: Jeff Layton Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 385b615c95df14df68ca8322245c13a9389392f6) Signed-off-by: Vegard Nossum --- drivers/gpu/drm/amd/include/atomfirmware.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/include/atomfirmware.h b/drivers/gpu/drm/amd/include/atomfirmware.h index 837296db9628..50a1fb8c1c5a 100644 --- a/drivers/gpu/drm/amd/include/atomfirmware.h +++ b/drivers/gpu/drm/amd/include/atomfirmware.h @@ -594,7 +594,7 @@ struct atom_gpio_pin_lut_v2_1 { struct atom_common_table_header table_header; /*the real number of this included in the structure is calcualted by using the (whole structure size - the header size)/size of atom_gpio_pin_lut */ - struct atom_gpio_pin_assignment gpio_pin[8]; + struct atom_gpio_pin_assignment gpio_pin[]; }; From a64eeaefb325e45890fca958151be84cfa53b633 Mon Sep 17 00:00:00 2001 From: Ghadi Elie Rahme Date: Thu, 27 Jun 2024 14:14:05 +0300 Subject: [PATCH 33/90] bnx2x: Fix multiple UBSAN array-index-out-of-bounds commit 134061163ee5ca4759de5c24ca3bd71608891ba7 upstream. Fix UBSAN warnings that occur when using a system with 32 physical cpu cores or more, or when the user defines a number of Ethernet queues greater than or equal to FP_SB_MAX_E1x using the num_queues module parameter. Currently there is a read/write out of bounds that occurs on the array "struct stats_query_entry query" present inside the "bnx2x_fw_stats_req" struct in "drivers/net/ethernet/broadcom/bnx2x/bnx2x.h". Looking at the definition of the "struct stats_query_entry query" array: struct stats_query_entry query[FP_SB_MAX_E1x+ BNX2X_FIRST_QUEUE_QUERY_IDX]; FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and has a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3 meaning the array has a total size of 19. Since accesses to "struct stats_query_entry query" are offset-ted by BNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet queues should not exceed FP_SB_MAX_E1x (16). However one of these queues is reserved for FCOE and thus the number of Ethernet queues should be set to [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if it is not. This is also described in a comment in the source code in drivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition of FP_SB_MAX_E1x. Below is the part of this explanation that it important for this patch /* * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is * control by the number of fast-path status blocks supported by the * device (HW/FW). Each fast-path status block (FP-SB) aka non-default * status block represents an independent interrupts context that can * serve a regular L2 networking queue. However special L2 queues such * as the FCoE queue do not require a FP-SB and other components like * the CNIC may consume FP-SB reducing the number of possible L2 queues * * If the maximum number of FP-SB available is X then: * a. If CNIC is supported it consumes 1 FP-SB thus the max number of * regular L2 queues is Y=X-1 * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor) * c. If the FCoE L2 queue is supported the actual number of L2 queues * is Y+1 * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for * slow-path interrupts) or Y+2 if CNIC is supported (one additional * FP interrupt context for the CNIC). * e. The number of HW context (CID count) is always X or X+1 if FCoE * L2 queue is supported. The cid for the FCoE L2 queue is always X. */ However this driver also supports NICs that use the E2 controller which can handle more queues due to having more FP-SB represented by FP_SB_MAX_E2. Looking at the commits when the E2 support was added, it was originally using the E1x parameters: commit f2e0899f0f27 ("bnx2x: Add 57712 support"). Back then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver was later updated to take full advantage of the E2 instead of having it be limited to the capabilities of the E1x. But as far as we can tell, the array "stats_query_entry query" was still limited to using the FP-SB available to the E1x cards as part of an oversignt when the driver was updated to take full advantage of the E2, and now with the driver being aware of the greater queue size supported by E2 NICs, it causes the UBSAN warnings seen in the stack traces below. This patch increases the size of the "stats_query_entry query" array by replacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle both types of NICs. Stack traces: UBSAN: array-index-out-of-bounds in drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11 index 20 is out of range for type 'stats_query_entry [19]' CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic #202405052133 Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 10/21/2019 Call Trace: dump_stack_lvl+0x76/0xa0 dump_stack+0x10/0x20 __ubsan_handle_out_of_bounds+0xcb/0x110 bnx2x_prep_fw_stats_req+0x2e1/0x310 [bnx2x] bnx2x_stats_init+0x156/0x320 [bnx2x] bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x] bnx2x_nic_load+0x8e8/0x19e0 [bnx2x] bnx2x_open+0x16b/0x290 [bnx2x] __dev_open+0x10e/0x1d0 RIP: 0033:0x736223927a0a Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003 RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080 R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0 R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00 ---[ end trace ]--- ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11 index 28 is out of range for type 'stats_query_entry [19]' CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic #202405052133 Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 10/21/2019 Call Trace: dump_stack_lvl+0x76/0xa0 dump_stack+0x10/0x20 __ubsan_handle_out_of_bounds+0xcb/0x110 bnx2x_prep_fw_stats_req+0x2fd/0x310 [bnx2x] bnx2x_stats_init+0x156/0x320 [bnx2x] bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x] bnx2x_nic_load+0x8e8/0x19e0 [bnx2x] bnx2x_open+0x16b/0x290 [bnx2x] __dev_open+0x10e/0x1d0 RIP: 0033:0x736223927a0a Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003 RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080 R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0 R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00 ---[ end trace ]--- ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8 index 29 is out of range for type 'stats_query_entry [19]' CPU: 13 PID: 163 Comm: kworker/u96:1 Not tainted 6.9.0-060900rc7-generic #202405052133 Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 10/21/2019 Workqueue: bnx2x bnx2x_sp_task [bnx2x] Call Trace: dump_stack_lvl+0x76/0xa0 dump_stack+0x10/0x20 __ubsan_handle_out_of_bounds+0xcb/0x110 bnx2x_iov_adjust_stats_req+0x3c4/0x3d0 [bnx2x] bnx2x_storm_stats_post.part.0+0x4a/0x330 [bnx2x] ? bnx2x_hw_stats_post+0x231/0x250 [bnx2x] bnx2x_stats_start+0x44/0x70 [bnx2x] bnx2x_stats_handle+0x149/0x350 [bnx2x] bnx2x_attn_int_asserted+0x998/0x9b0 [bnx2x] bnx2x_sp_task+0x491/0x5c0 [bnx2x] process_one_work+0x18d/0x3f0 ---[ end trace ]--- Fixes: 50f0a562f8cc ("bnx2x: add fcoe statistics") Signed-off-by: Ghadi Elie Rahme Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20240627111405.1037812-1-ghadi.rahme@canonical.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman (cherry picked from commit cfb04472ce33bee2579caf4dc9f4242522f6e26e) Signed-off-by: Vegard Nossum --- drivers/net/ethernet/broadcom/bnx2x/bnx2x.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h index d17a5c911524..554e97183d58 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h @@ -1252,7 +1252,7 @@ enum { struct bnx2x_fw_stats_req { struct stats_query_header hdr; - struct stats_query_entry query[FP_SB_MAX_E1x+ + struct stats_query_entry query[FP_SB_MAX_E2 + BNX2X_FIRST_QUEUE_QUERY_IDX]; }; From 9c6553444512bcd2fdaf2b4153835f19f684f2c4 Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Mon, 29 Apr 2024 15:15:05 +0100 Subject: [PATCH 34/90] media: dw2102: fix a potential buffer overflow commit 1c73d0b29d04bf4082e7beb6a508895e118ee30d upstream. As pointed by smatch: drivers/media/usb/dvb-usb/dw2102.c:802 su3000_i2c_transfer() error: __builtin_memcpy() '&state->data[4]' too small (64 vs 67) That seemss to be due to a wrong copy-and-paste. Fixes: 0e148a522b84 ("media: dw2102: Don't translate i2c read into write") Reported-by: Hans Verkuil Reviewed-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 39fb2a0c2e78d9b2de726be119e6d06e38aa4ed4) Signed-off-by: Vegard Nossum --- drivers/media/usb/dvb-usb/dw2102.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c index 5a7f655e5306..0e9b9e25f032 100644 --- a/drivers/media/usb/dvb-usb/dw2102.c +++ b/drivers/media/usb/dvb-usb/dw2102.c @@ -791,7 +791,7 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], if (msg[j].flags & I2C_M_RD) { /* single read */ - if (1 + msg[j].len > sizeof(state->data)) { + if (4 + msg[j].len > sizeof(state->data)) { warn("i2c rd: len=%d is too big!\n", msg[j].len); num = -EOPNOTSUPP; break; From 900ede664c5f6c4194cc6a86558c291918c285dd Mon Sep 17 00:00:00 2001 From: Wolfram Sang Date: Thu, 19 Apr 2018 22:00:13 +0200 Subject: [PATCH 35/90] i2c: pnx: move header into the driver There are no platform_data users anymore. Move the structs into the driver. Signed-off-by: Wolfram Sang Acked-by: Vladimir Zapolskiy (cherry picked from commit caaccda136ae3fa1c5f6563aae22ca3c199f563a) Signed-off-by: Vegard Nossum --- drivers/i2c/busses/i2c-pnx.c | 21 +++++++++++++++++++- include/linux/i2c-pnx.h | 38 ------------------------------------ 2 files changed, 20 insertions(+), 39 deletions(-) delete mode 100644 include/linux/i2c-pnx.h diff --git a/drivers/i2c/busses/i2c-pnx.c b/drivers/i2c/busses/i2c-pnx.c index 42d6b3a226f8..0aabb1033bfd 100644 --- a/drivers/i2c/busses/i2c-pnx.c +++ b/drivers/i2c/busses/i2c-pnx.c @@ -18,7 +18,6 @@ #include #include #include -#include #include #include #include @@ -29,6 +28,26 @@ #define I2C_PNX_SPEED_KHZ_DEFAULT 100 #define I2C_PNX_REGION_SIZE 0x100 +struct i2c_pnx_mif { + int ret; /* Return value */ + int mode; /* Interface mode */ + struct completion complete; /* I/O completion */ + struct timer_list timer; /* Timeout */ + u8 * buf; /* Data buffer */ + int len; /* Length of data buffer */ + int order; /* RX Bytes to order via TX */ +}; + +struct i2c_pnx_algo_data { + void __iomem *ioaddr; + struct i2c_pnx_mif mif; + int last; + struct clk *clk; + struct i2c_adapter adapter; + int irq; + u32 timeout; +}; + enum { mstatus_tdi = 0x00000001, mstatus_afi = 0x00000002, diff --git a/include/linux/i2c-pnx.h b/include/linux/i2c-pnx.h deleted file mode 100644 index 5388326fbbff..000000000000 --- a/include/linux/i2c-pnx.h +++ /dev/null @@ -1,38 +0,0 @@ -/* - * Header file for I2C support on PNX010x/4008. - * - * Author: Dennis Kovalev - * - * 2004-2006 (c) MontaVista Software, Inc. This file is licensed under - * the terms of the GNU General Public License version 2. This program - * is licensed "as is" without any warranty of any kind, whether express - * or implied. - */ - -#ifndef __I2C_PNX_H__ -#define __I2C_PNX_H__ - -struct platform_device; -struct clk; - -struct i2c_pnx_mif { - int ret; /* Return value */ - int mode; /* Interface mode */ - struct completion complete; /* I/O completion */ - struct timer_list timer; /* Timeout */ - u8 * buf; /* Data buffer */ - int len; /* Length of data buffer */ - int order; /* RX Bytes to order via TX */ -}; - -struct i2c_pnx_algo_data { - void __iomem *ioaddr; - struct i2c_pnx_mif mif; - int last; - struct clk *clk; - struct i2c_adapter adapter; - int irq; - u32 timeout; -}; - -#endif /* __I2C_PNX_H__ */ From 82043a1a1450176d4a5c5664b05ab1e7bfeed0ee Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Mon, 16 Oct 2017 16:27:29 -0700 Subject: [PATCH 36/90] i2c/busses: Convert timers to use timer_setup() In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. Signed-off-by: Kees Cook Signed-off-by: Wolfram Sang (cherry picked from commit b9e43e363d0115ca981c106d968e24140ad37f6c) Signed-off-by: Vegard Nossum --- drivers/i2c/busses/i2c-img-scb.c | 7 +++---- drivers/i2c/busses/i2c-pnx.c | 8 +++----- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/drivers/i2c/busses/i2c-img-scb.c b/drivers/i2c/busses/i2c-img-scb.c index eb1d91b986fd..823b0b33b2cb 100644 --- a/drivers/i2c/busses/i2c-img-scb.c +++ b/drivers/i2c/busses/i2c-img-scb.c @@ -826,9 +826,9 @@ next_atomic_cmd: * Timer function to check if something has gone wrong in automatic mode (so we * don't have to handle so many interrupts just to catch an exception). */ -static void img_i2c_check_timer(unsigned long arg) +static void img_i2c_check_timer(struct timer_list *t) { - struct img_i2c *i2c = (struct img_i2c *)arg; + struct img_i2c *i2c = from_timer(i2c, t, check_timer); unsigned long flags; unsigned int line_status; @@ -1362,8 +1362,7 @@ static int img_i2c_probe(struct platform_device *pdev) } /* Set up the exception check timer */ - setup_timer(&i2c->check_timer, img_i2c_check_timer, - (unsigned long)i2c); + timer_setup(&i2c->check_timer, img_i2c_check_timer, 0); i2c->bitrate = timings[0].max_bitrate; if (!of_property_read_u32(node, "clock-frequency", &val)) diff --git a/drivers/i2c/busses/i2c-pnx.c b/drivers/i2c/busses/i2c-pnx.c index 0aabb1033bfd..6e0e546ef83f 100644 --- a/drivers/i2c/busses/i2c-pnx.c +++ b/drivers/i2c/busses/i2c-pnx.c @@ -131,7 +131,6 @@ static inline void i2c_pnx_arm_timer(struct i2c_pnx_algo_data *alg_data) jiffies, expires); timer->expires = jiffies + expires; - timer->data = (unsigned long)alg_data; add_timer(timer); } @@ -454,9 +453,9 @@ static irqreturn_t i2c_pnx_interrupt(int irq, void *dev_id) return IRQ_HANDLED; } -static void i2c_pnx_timeout(unsigned long data) +static void i2c_pnx_timeout(struct timer_list *t) { - struct i2c_pnx_algo_data *alg_data = (struct i2c_pnx_algo_data *)data; + struct i2c_pnx_algo_data *alg_data = from_timer(alg_data, t, mif.timer); u32 ctl; dev_err(&alg_data->adapter.dev, @@ -678,8 +677,7 @@ static int i2c_pnx_probe(struct platform_device *pdev) if (IS_ERR(alg_data->clk)) return PTR_ERR(alg_data->clk); - setup_timer(&alg_data->mif.timer, i2c_pnx_timeout, - (unsigned long)alg_data); + timer_setup(&alg_data->mif.timer, i2c_pnx_timeout, 0); snprintf(alg_data->adapter.name, sizeof(alg_data->adapter.name), "%s", pdev->name); From 1921a68ba39c00e508c2b6fdd571d6fdeb6268e4 Mon Sep 17 00:00:00 2001 From: Piotr Wojtaszczyk Date: Fri, 28 Jun 2024 17:25:42 +0200 Subject: [PATCH 37/90] i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr [ Upstream commit f63b94be6942ba82c55343e196bd09b53227618e ] When del_timer_sync() is called in an interrupt context it throws a warning because of potential deadlock. The timer is used only to exit from wait_for_completion() after a timeout so replacing the call with wait_for_completion_timeout() allows to remove the problematic timer and its related functions altogether. Fixes: 41561f28e76a ("i2c: New Philips PNX bus driver") Signed-off-by: Piotr Wojtaszczyk Signed-off-by: Andi Shyti Signed-off-by: Sasha Levin (cherry picked from commit a349e5ab4dc9954746e836cd10b407ce48f9b2f6) Signed-off-by: Vegard Nossum --- drivers/i2c/busses/i2c-pnx.c | 48 ++++++++---------------------------- 1 file changed, 10 insertions(+), 38 deletions(-) diff --git a/drivers/i2c/busses/i2c-pnx.c b/drivers/i2c/busses/i2c-pnx.c index 6e0e546ef83f..4d09665a72e5 100644 --- a/drivers/i2c/busses/i2c-pnx.c +++ b/drivers/i2c/busses/i2c-pnx.c @@ -15,7 +15,6 @@ #include #include #include -#include #include #include #include @@ -32,7 +31,6 @@ struct i2c_pnx_mif { int ret; /* Return value */ int mode; /* Interface mode */ struct completion complete; /* I/O completion */ - struct timer_list timer; /* Timeout */ u8 * buf; /* Data buffer */ int len; /* Length of data buffer */ int order; /* RX Bytes to order via TX */ @@ -117,24 +115,6 @@ static inline int wait_reset(struct i2c_pnx_algo_data *data) return (timeout <= 0); } -static inline void i2c_pnx_arm_timer(struct i2c_pnx_algo_data *alg_data) -{ - struct timer_list *timer = &alg_data->mif.timer; - unsigned long expires = msecs_to_jiffies(alg_data->timeout); - - if (expires <= 1) - expires = 2; - - del_timer_sync(timer); - - dev_dbg(&alg_data->adapter.dev, "Timer armed at %lu plus %lu jiffies.\n", - jiffies, expires); - - timer->expires = jiffies + expires; - - add_timer(timer); -} - /** * i2c_pnx_start - start a device * @slave_addr: slave address @@ -259,8 +239,6 @@ static int i2c_pnx_master_xmit(struct i2c_pnx_algo_data *alg_data) ~(mcntrl_afie | mcntrl_naie | mcntrl_drmie), I2C_REG_CTL(alg_data)); - del_timer_sync(&alg_data->mif.timer); - dev_dbg(&alg_data->adapter.dev, "%s(): Waking up xfer routine.\n", __func__); @@ -276,8 +254,6 @@ static int i2c_pnx_master_xmit(struct i2c_pnx_algo_data *alg_data) ~(mcntrl_afie | mcntrl_naie | mcntrl_drmie), I2C_REG_CTL(alg_data)); - /* Stop timer. */ - del_timer_sync(&alg_data->mif.timer); dev_dbg(&alg_data->adapter.dev, "%s(): Waking up xfer routine after zero-xfer.\n", __func__); @@ -364,8 +340,6 @@ static int i2c_pnx_master_rcv(struct i2c_pnx_algo_data *alg_data) mcntrl_drmie | mcntrl_daie); iowrite32(ctl, I2C_REG_CTL(alg_data)); - /* Kill timer. */ - del_timer_sync(&alg_data->mif.timer); complete(&alg_data->mif.complete); } } @@ -400,8 +374,6 @@ static irqreturn_t i2c_pnx_interrupt(int irq, void *dev_id) mcntrl_drmie); iowrite32(ctl, I2C_REG_CTL(alg_data)); - /* Stop timer, to prevent timeout. */ - del_timer_sync(&alg_data->mif.timer); complete(&alg_data->mif.complete); } else if (stat & mstatus_nai) { /* Slave did not acknowledge, generate a STOP */ @@ -419,8 +391,6 @@ static irqreturn_t i2c_pnx_interrupt(int irq, void *dev_id) /* Our return value. */ alg_data->mif.ret = -EIO; - /* Stop timer, to prevent timeout. */ - del_timer_sync(&alg_data->mif.timer); complete(&alg_data->mif.complete); } else { /* @@ -453,9 +423,8 @@ static irqreturn_t i2c_pnx_interrupt(int irq, void *dev_id) return IRQ_HANDLED; } -static void i2c_pnx_timeout(struct timer_list *t) +static void i2c_pnx_timeout(struct i2c_pnx_algo_data *alg_data) { - struct i2c_pnx_algo_data *alg_data = from_timer(alg_data, t, mif.timer); u32 ctl; dev_err(&alg_data->adapter.dev, @@ -472,7 +441,6 @@ static void i2c_pnx_timeout(struct timer_list *t) iowrite32(ctl, I2C_REG_CTL(alg_data)); wait_reset(alg_data); alg_data->mif.ret = -EIO; - complete(&alg_data->mif.complete); } static inline void bus_reset_if_active(struct i2c_pnx_algo_data *alg_data) @@ -514,6 +482,7 @@ i2c_pnx_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) struct i2c_msg *pmsg; int rc = 0, completed = 0, i; struct i2c_pnx_algo_data *alg_data = adap->algo_data; + unsigned long time_left; u32 stat; dev_dbg(&alg_data->adapter.dev, @@ -548,7 +517,6 @@ i2c_pnx_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) dev_dbg(&alg_data->adapter.dev, "%s(): mode %d, %d bytes\n", __func__, alg_data->mif.mode, alg_data->mif.len); - i2c_pnx_arm_timer(alg_data); /* initialize the completion var */ init_completion(&alg_data->mif.complete); @@ -564,7 +532,10 @@ i2c_pnx_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) break; /* Wait for completion */ - wait_for_completion(&alg_data->mif.complete); + time_left = wait_for_completion_timeout(&alg_data->mif.complete, + alg_data->timeout); + if (time_left == 0) + i2c_pnx_timeout(alg_data); if (!(rc = alg_data->mif.ret)) completed++; @@ -657,7 +628,10 @@ static int i2c_pnx_probe(struct platform_device *pdev) alg_data->adapter.algo_data = alg_data; alg_data->adapter.nr = pdev->id; - alg_data->timeout = I2C_PNX_TIMEOUT_DEFAULT; + alg_data->timeout = msecs_to_jiffies(I2C_PNX_TIMEOUT_DEFAULT); + if (alg_data->timeout <= 1) + alg_data->timeout = 2; + #ifdef CONFIG_OF alg_data->adapter.dev.of_node = of_node_get(pdev->dev.of_node); if (pdev->dev.of_node) { @@ -677,8 +651,6 @@ static int i2c_pnx_probe(struct platform_device *pdev) if (IS_ERR(alg_data->clk)) return PTR_ERR(alg_data->clk); - timer_setup(&alg_data->mif.timer, i2c_pnx_timeout, 0); - snprintf(alg_data->adapter.name, sizeof(alg_data->adapter.name), "%s", pdev->name); From 75fb795f98517dbdb2973414465cffa685d9cd8a Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi Date: Sun, 23 Jun 2024 14:11:35 +0900 Subject: [PATCH 38/90] nilfs2: fix incorrect inode allocation from reserved inodes commit 93aef9eda1cea9e84ab2453fcceb8addad0e46f1 upstream. If the bitmap block that manages the inode allocation status is corrupted, nilfs_ifile_create_inode() may allocate a new inode from the reserved inode area where it should not be allocated. Previous fix commit d325dc6eb763 ("nilfs2: fix use-after-free bug of struct nilfs_root"), fixed the problem that reserved inodes with inode numbers less than NILFS_USER_INO (=11) were incorrectly reallocated due to bitmap corruption, but since the start number of non-reserved inodes is read from the super block and may change, in which case inode allocation may occur from the extended reserved inode area. If that happens, access to that inode will cause an IO error, causing the file system to degrade to an error state. Fix this potential issue by adding a wraparound option to the common metadata object allocation routine and by modifying nilfs_ifile_create_inode() to disable the option so that it only allocates inodes with inode numbers greater than or equal to the inode number read in "nilfs->ns_first_ino", regardless of the bitmap status of reserved inodes. Link: https://lkml.kernel.org/r/20240623051135.4180-4-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi Cc: Hillf Danton Cc: Jan Kara Cc: Matthew Wilcox (Oracle) Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit de9d81daaca2b7b3c853bf2ff729353e84f06b18) Signed-off-by: Vegard Nossum --- fs/nilfs2/alloc.c | 18 ++++++++++++++---- fs/nilfs2/alloc.h | 4 ++-- fs/nilfs2/dat.c | 2 +- fs/nilfs2/ifile.c | 7 ++----- 4 files changed, 19 insertions(+), 12 deletions(-) diff --git a/fs/nilfs2/alloc.c b/fs/nilfs2/alloc.c index 459575a1e56d..40cdd0f96798 100644 --- a/fs/nilfs2/alloc.c +++ b/fs/nilfs2/alloc.c @@ -386,11 +386,12 @@ void *nilfs_palloc_block_get_entry(const struct inode *inode, __u64 nr, * @target: offset number of an entry in the group (start point) * @bsize: size in bits * @lock: spin lock protecting @bitmap + * @wrap: whether to wrap around */ static int nilfs_palloc_find_available_slot(unsigned char *bitmap, unsigned long target, unsigned int bsize, - spinlock_t *lock) + spinlock_t *lock, bool wrap) { int pos, end = bsize; @@ -406,6 +407,8 @@ static int nilfs_palloc_find_available_slot(unsigned char *bitmap, end = target; } + if (!wrap) + return -ENOSPC; /* wrap around */ for (pos = 0; pos < end; pos++) { @@ -504,9 +507,10 @@ int nilfs_palloc_count_max_entries(struct inode *inode, u64 nused, u64 *nmaxp) * nilfs_palloc_prepare_alloc_entry - prepare to allocate a persistent object * @inode: inode of metadata file using this allocator * @req: nilfs_palloc_req structure exchanged for the allocation + * @wrap: whether to wrap around */ int nilfs_palloc_prepare_alloc_entry(struct inode *inode, - struct nilfs_palloc_req *req) + struct nilfs_palloc_req *req, bool wrap) { struct buffer_head *desc_bh, *bitmap_bh; struct nilfs_palloc_group_desc *desc; @@ -525,7 +529,7 @@ int nilfs_palloc_prepare_alloc_entry(struct inode *inode, entries_per_group = nilfs_palloc_entries_per_group(inode); for (i = 0; i < ngroups; i += n) { - if (group >= ngroups) { + if (group >= ngroups && wrap) { /* wrap around */ group = 0; maxgroup = nilfs_palloc_group(inode, req->pr_entry_nr, @@ -550,7 +554,13 @@ int nilfs_palloc_prepare_alloc_entry(struct inode *inode, bitmap = bitmap_kaddr + bh_offset(bitmap_bh); pos = nilfs_palloc_find_available_slot( bitmap, group_offset, - entries_per_group, lock); + entries_per_group, lock, wrap); + /* + * Since the search for a free slot in the + * second and subsequent bitmap blocks always + * starts from the beginning, the wrap flag + * only has an effect on the first search. + */ if (pos >= 0) { /* found a free entry */ nilfs_palloc_group_desc_add_entries( diff --git a/fs/nilfs2/alloc.h b/fs/nilfs2/alloc.h index 05149e606a78..af2580650346 100644 --- a/fs/nilfs2/alloc.h +++ b/fs/nilfs2/alloc.h @@ -59,8 +59,8 @@ struct nilfs_palloc_req { struct buffer_head *pr_entry_bh; }; -int nilfs_palloc_prepare_alloc_entry(struct inode *, - struct nilfs_palloc_req *); +int nilfs_palloc_prepare_alloc_entry(struct inode *inode, + struct nilfs_palloc_req *req, bool wrap); void nilfs_palloc_commit_alloc_entry(struct inode *, struct nilfs_palloc_req *); void nilfs_palloc_abort_alloc_entry(struct inode *, struct nilfs_palloc_req *); diff --git a/fs/nilfs2/dat.c b/fs/nilfs2/dat.c index d2d19274add7..67e799269ccb 100644 --- a/fs/nilfs2/dat.c +++ b/fs/nilfs2/dat.c @@ -84,7 +84,7 @@ int nilfs_dat_prepare_alloc(struct inode *dat, struct nilfs_palloc_req *req) { int ret; - ret = nilfs_palloc_prepare_alloc_entry(dat, req); + ret = nilfs_palloc_prepare_alloc_entry(dat, req, true); if (ret < 0) return ret; diff --git a/fs/nilfs2/ifile.c b/fs/nilfs2/ifile.c index 7efaac75d983..16011cb34163 100644 --- a/fs/nilfs2/ifile.c +++ b/fs/nilfs2/ifile.c @@ -64,13 +64,10 @@ int nilfs_ifile_create_inode(struct inode *ifile, ino_t *out_ino, struct nilfs_palloc_req req; int ret; - req.pr_entry_nr = 0; /* - * 0 says find free inode from beginning - * of a group. dull code!! - */ + req.pr_entry_nr = NILFS_FIRST_INO(ifile->i_sb); req.pr_entry_bh = NULL; - ret = nilfs_palloc_prepare_alloc_entry(ifile, &req); + ret = nilfs_palloc_prepare_alloc_entry(ifile, &req, false); if (!ret) { ret = nilfs_palloc_get_entry_block(ifile, req.pr_entry_nr, 1, &req.pr_entry_bh); From 852460760459aec08d18bc7780f254f6f256606d Mon Sep 17 00:00:00 2001 From: Neal Cardwell Date: Wed, 3 Jul 2024 13:12:46 -0400 Subject: [PATCH 39/90] tcp: fix incorrect undo caused by DSACK of TLP retransmit [ Upstream commit 0ec986ed7bab6801faed1440e8839dcc710331ff ] Loss recovery undo_retrans bookkeeping had a long-standing bug where a DSACK from a spurious TLP retransmit packet could cause an erroneous undo of a fast recovery or RTO recovery that repaired a single really-lost packet (in a sequence range outside that of the TLP retransmit). Basically, because the loss recovery state machine didn't account for the fact that it sent a TLP retransmit, the DSACK for the TLP retransmit could erroneously be implicitly be interpreted as corresponding to the normal fast recovery or RTO recovery retransmit that plugged a real hole, thus resulting in an improper undo. For example, consider the following buggy scenario where there is a real packet loss but the congestion control response is improperly undone because of this bug: + send packets P1, P2, P3, P4 + P1 is really lost + send TLP retransmit of P4 + receive SACK for original P2, P3, P4 + enter fast recovery, fast-retransmit P1, increment undo_retrans to 1 + receive DSACK for TLP P4, decrement undo_retrans to 0, undo (bug!) + receive cumulative ACK for P1-P4 (fast retransmit plugged real hole) The fix: when we initialize undo machinery in tcp_init_undo(), if there is a TLP retransmit in flight, then increment tp->undo_retrans so that we make sure that we receive a DSACK corresponding to the TLP retransmit, as well as DSACKs for all later normal retransmits, before triggering a loss recovery undo. Note that we also have to move the line that clears tp->tlp_high_seq for RTO recovery, so that upon RTO we remember the tp->tlp_high_seq value until tcp_init_undo() and clear it only afterward. Also note that the bug dates back to the original 2013 TLP implementation, commit 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)"). However, this patch will only compile and work correctly with kernels that have tp->tlp_retrans, which was added only in v5.8 in 2020 in commit 76be93fc0702 ("tcp: allow at most one TLP probe per flight"). So we associate this fix with that later commit. Fixes: 76be93fc0702 ("tcp: allow at most one TLP probe per flight") Signed-off-by: Neal Cardwell Reviewed-by: Eric Dumazet Cc: Yuchung Cheng Cc: Kevin Yang Link: https://patch.msgid.link/20240703171246.1739561-1-ncardwell.sw@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 83f5eb01c4beb9741bc1600bcd8b6e94a1774abe) Signed-off-by: Vegard Nossum --- net/ipv4/tcp_input.c | 11 ++++++++++- net/ipv4/tcp_timer.c | 2 -- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index a3d550c36b97..4a343bbeb754 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -1972,8 +1972,16 @@ void tcp_clear_retrans(struct tcp_sock *tp) static inline void tcp_init_undo(struct tcp_sock *tp) { tp->undo_marker = tp->snd_una; + /* Retransmission still in flight may cause DSACKs later. */ - tp->undo_retrans = tp->retrans_out ? : -1; + /* First, account for regular retransmits in flight: */ + tp->undo_retrans = tp->retrans_out; + /* Next, account for TLP retransmits in flight: */ + if (tp->tlp_high_seq && tp->tlp_retrans) + tp->undo_retrans++; + /* Finally, avoid 0, because undo_retrans==0 means "can undo now": */ + if (!tp->undo_retrans) + tp->undo_retrans = -1; } /* Enter Loss state. If we detect SACK reneging, forget all SACK information @@ -2047,6 +2055,7 @@ void tcp_enter_loss(struct sock *sk) net->ipv4.sysctl_tcp_reordering); tcp_set_ca_state(sk, TCP_CA_Loss); tp->high_seq = tp->snd_nxt; + tp->tlp_high_seq = 0; tcp_ecn_queue_cwr(tp); /* F-RTO RFC5682 sec 3.1 step 1: retransmit SND.UNA if no previous diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c index 3d51a7edb311..968c43dea2a5 100644 --- a/net/ipv4/tcp_timer.c +++ b/net/ipv4/tcp_timer.c @@ -448,8 +448,6 @@ void tcp_retransmit_timer(struct sock *sk) if (WARN_ON_ONCE(!skb)) return; - tp->tlp_high_seq = 0; - if (!tp->snd_wnd && !sock_flag(sk, SOCK_DEAD) && !((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV))) { /* Receiver dastardly shrinks window. Our retransmits From 95139b5d59c4b6d6c56f39c2b4b4f26e22330000 Mon Sep 17 00:00:00 2001 From: Aleksander Jan Bajkowski Date: Tue, 28 Dec 2021 23:00:31 +0100 Subject: [PATCH 40/90] net: lantiq_etop: add blank line after declaration [ Upstream commit 4c46625bb586a741b8d0e6bdbddbcb2549fa1d36 ] This patch adds a missing line after the declaration and fixes the checkpatch warning: WARNING: Missing a blank line after declarations + int desc; + for (desc = 0; desc < LTQ_DESC_NUM; desc++) Signed-off-by: Aleksander Jan Bajkowski Link: https://lore.kernel.org/r/20211228220031.71576-1-olek2@wp.pl Signed-off-by: Jakub Kicinski Stable-dep-of: e1533b6319ab ("net: ethernet: lantiq_etop: fix double free in detach") Signed-off-by: Sasha Levin (cherry picked from commit 12d204b835dd85c7fe6501be6ee1aaa1e5315ff9) Signed-off-by: Vegard Nossum --- drivers/net/ethernet/lantiq_etop.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c index 2a14520e4798..e8edc91e12b4 100644 --- a/drivers/net/ethernet/lantiq_etop.c +++ b/drivers/net/ethernet/lantiq_etop.c @@ -222,6 +222,7 @@ ltq_etop_free_channel(struct net_device *dev, struct ltq_etop_chan *ch) free_irq(ch->dma.irq, priv); if (IS_RX(ch->idx)) { int desc; + for (desc = 0; desc < LTQ_DESC_NUM; desc++) dev_kfree_skb_any(ch->skb[ch->dma.desc]); } From ae3b644b836cdcca258294db2569189af4ef7ff3 Mon Sep 17 00:00:00 2001 From: Aleksander Jan Bajkowski Date: Mon, 8 Jul 2024 22:58:26 +0200 Subject: [PATCH 41/90] net: ethernet: lantiq_etop: fix double free in detach [ Upstream commit e1533b6319ab9c3a97dad314dd88b3783bc41b69 ] The number of the currently released descriptor is never incremented which results in the same skb being released multiple times. Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver") Reported-by: Joe Perches Closes: https://lore.kernel.org/all/fc1bf93d92bb5b2f99c6c62745507cc22f3a7b2d.camel@perches.com/ Signed-off-by: Aleksander Jan Bajkowski Reviewed-by: Andrew Lunn Link: https://patch.msgid.link/20240708205826.5176-1-olek2@wp.pl Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 1a2db00a554cfda57c397cce79b2804bf9633fec) Signed-off-by: Vegard Nossum --- drivers/net/ethernet/lantiq_etop.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c index e8edc91e12b4..17a59919f000 100644 --- a/drivers/net/ethernet/lantiq_etop.c +++ b/drivers/net/ethernet/lantiq_etop.c @@ -221,9 +221,9 @@ ltq_etop_free_channel(struct net_device *dev, struct ltq_etop_chan *ch) if (ch->dma.irq) free_irq(ch->dma.irq, priv); if (IS_RX(ch->idx)) { - int desc; + struct ltq_dma_channel *dma = &ch->dma; - for (desc = 0; desc < LTQ_DESC_NUM; desc++) + for (dma->desc = 0; dma->desc < LTQ_DESC_NUM; dma->desc++) dev_kfree_skb_any(ch->skb[ch->dma.desc]); } } From 84f3c0bb96cd91096079828b24b51af408265abe Mon Sep 17 00:00:00 2001 From: Dmitry Antipov Date: Mon, 8 Jul 2024 14:56:15 +0300 Subject: [PATCH 42/90] ppp: reject claimed-as-LCP but actually malformed packets [ Upstream commit f2aeb7306a898e1cbd03963d376f4b6656ca2b55 ] Since 'ppp_async_encode()' assumes valid LCP packets (with code from 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that LCP packet has an actual body beyond PPP_LCP header bytes, and reject claimed-as-LCP but actually malformed data otherwise. Reported-by: syzbot+ec0723ba9605678b14bf@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ec0723ba9605678b14bf Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Dmitry Antipov Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 97d1efd8be26615ff680cdde86937d5943138f37) Signed-off-by: Vegard Nossum --- drivers/net/ppp/ppp_generic.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index 5bcbf0e0616d..7f4e7d56693f 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -73,6 +73,7 @@ #define MPHDRLEN_SSN 4 /* ditto with short sequence numbers */ #define PPP_PROTO_LEN 2 +#define PPP_LCP_HDRLEN 4 /* * An instance of /dev/ppp can be associated with either a ppp @@ -494,6 +495,15 @@ static ssize_t ppp_read(struct file *file, char __user *buf, return ret; } +static bool ppp_check_packet(struct sk_buff *skb, size_t count) +{ + /* LCP packets must include LCP header which 4 bytes long: + * 1-byte code, 1-byte identifier, and 2-byte length. + */ + return get_unaligned_be16(skb->data) != PPP_LCP || + count >= PPP_PROTO_LEN + PPP_LCP_HDRLEN; +} + static ssize_t ppp_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { @@ -516,6 +526,11 @@ static ssize_t ppp_write(struct file *file, const char __user *buf, kfree_skb(skb); goto out; } + ret = -EINVAL; + if (unlikely(!ppp_check_packet(skb, count))) { + kfree_skb(skb); + goto out; + } switch (pf->kind) { case INTERFACE: From 4e591539244c71973243bd4315024d601991ee3a Mon Sep 17 00:00:00 2001 From: Chen Ni Date: Wed, 10 Jul 2024 16:16:48 +0800 Subject: [PATCH 43/90] ARM: davinci: Convert comma to semicolon [ Upstream commit acc3815db1a02d654fbc19726ceaadca0d7dd81c ] Replace a comma between expression statements by a semicolon. Fixes: efc1bb8a6fd5 ("davinci: add power management support") Signed-off-by: Chen Ni Acked-by: Bartosz Golaszewski Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin (cherry picked from commit f9ace6a3278a613d22abbd7d69e13d481b800622) Signed-off-by: Vegard Nossum --- arch/arm/mach-davinci/pm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/mach-davinci/pm.c b/arch/arm/mach-davinci/pm.c index b5cc05dc2cb2..ef078ce01db7 100644 --- a/arch/arm/mach-davinci/pm.c +++ b/arch/arm/mach-davinci/pm.c @@ -65,7 +65,7 @@ static void davinci_pm_suspend(void) /* Configure sleep count in deep sleep register */ val = __raw_readl(pm_config.deepsleep_reg); - val &= ~DEEPSLEEP_SLEEPCOUNT_MASK, + val &= ~DEEPSLEEP_SLEEPCOUNT_MASK; val |= pm_config.sleepcount; __raw_writel(val, pm_config.deepsleep_reg); From 400d7f0eceb6a1993c04f36ee766abff02f975b8 Mon Sep 17 00:00:00 2001 From: Daniele Palmas Date: Thu, 30 May 2024 10:00:53 +0200 Subject: [PATCH 44/90] USB: serial: option: add Telit generic core-dump composition commit 4298e400dbdbf259549d69c349e060652ad53611 upstream. Add the following core-dump composition, used in different Telit modems: 0x9000: tty (sahara) T: Bus=03 Lev=01 Prnt=03 Port=07 Cnt=01 Dev#= 41 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=9000 Rev=00.00 S: Manufacturer=Telit Cinterion S: Product=FN990-dump S: SerialNumber=e815bdde C: #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=2mA I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Daniele Palmas Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman (cherry picked from commit a88697c3871ade2c9d03437d170af77ec92d2982) Signed-off-by: Vegard Nossum --- drivers/usb/serial/option.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c index 69d367f29f1f..317c71269060 100644 --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -1436,6 +1436,8 @@ static const struct usb_device_id option_ids[] = { .driver_info = NCTRL(2) }, { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x701b, 0xff), /* Telit LE910R1 (ECM) */ .driver_info = NCTRL(2) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x9000, 0xff), /* Telit generic core-dump device */ + .driver_info = NCTRL(0) }, { USB_DEVICE(TELIT_VENDOR_ID, 0x9010), /* Telit SBL FN980 flashing device */ .driver_info = NCTRL(0) | ZLP }, { USB_DEVICE(TELIT_VENDOR_ID, 0x9200), /* Telit LE910S1 flashing device */ From 4094a8160b0626b4fc428b2770adcd99652a9117 Mon Sep 17 00:00:00 2001 From: Daniele Palmas Date: Tue, 25 Jun 2024 12:27:16 +0200 Subject: [PATCH 45/90] USB: serial: option: add Telit FN912 rmnet compositions commit 9a590ff283421b71560deded2110dbdcbe1f7d1d upstream. Add the following Telit FN912 compositions: 0x3000: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag) T: Bus=03 Lev=01 Prnt=03 Port=07 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=3000 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FN912 S: SerialNumber=92c4c4d8 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x3001: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb T: Bus=03 Lev=01 Prnt=03 Port=07 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=3001 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FN912 S: SerialNumber=92c4c4d8 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Daniele Palmas Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 908bc2cb55f8affc7a90bb8d17fd4323088e2a19) Signed-off-by: Vegard Nossum --- drivers/usb/serial/option.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c index 317c71269060..daf9198ff11d 100644 --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -1428,6 +1428,10 @@ static const struct usb_device_id option_ids[] = { .driver_info = NCTRL(0) | RSVD(1) }, { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1901, 0xff), /* Telit LN940 (MBIM) */ .driver_info = NCTRL(0) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x3000, 0xff), /* Telit FN912 */ + .driver_info = RSVD(0) | NCTRL(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x3001, 0xff), /* Telit FN912 */ + .driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) }, { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x7010, 0xff), /* Telit LE910-S1 (RNDIS) */ .driver_info = NCTRL(2) }, { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x7011, 0xff), /* Telit LE910-S1 (ECM) */ From 01b762bc1225b0a0ffb18638161627cb185ce408 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= Date: Wed, 26 Jun 2024 15:32:23 +0200 Subject: [PATCH 46/90] USB: serial: option: add Fibocom FM350-GL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 2604e08ff251dba330e16b65e80074c9c540aad7 upstream. FM350-GL is 5G Sub-6 WWAN module which uses M.2 form factor interface. It is based on Mediatek's MTK T700 CPU. The module supports PCIe Gen3 x1 and USB 2.0 and 3.0 interfaces. The manufacturer states that USB is "for debug" but it has been confirmed to be fully functional, except for modem-control requests on some of the interfaces. USB device composition is controlled by AT+GTUSBMODE= command. Two values are currently supported for the : 40: RNDIS+AT+AP(GNSS)+META+DEBUG+NPT+ADB 41: RNDIS+AT+AP(GNSS)+META+DEBUG+NPT+ADB+AP(LOG)+AP(META) (default value) [ Note that the functions above are not ordered by interface number. ] Mode 40 corresponds to: T: Bus=03 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 22 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0e8d ProdID=7126 Rev= 0.01 S: Manufacturer=Fibocom Wireless Inc. S: Product=FM350-GL C:* #Ifs= 8 Cfg#= 1 Atr=a0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=ff Driver=rndis_host E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=125us I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Mode 41 corresponds to: T: Bus=03 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0e8d ProdID=7127 Rev= 0.01 S: Manufacturer=Fibocom Wireless Inc. S: Product=FM350-GL C:* #Ifs=10 Cfg#= 1 Atr=a0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=ff Driver=rndis_host E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=125us I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Cc: stable@vger.kernel.org Signed-off-by: Bjørn Mork Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman (cherry picked from commit de307ab87774c96700fa1831f78f5085255c35f8) Signed-off-by: Vegard Nossum --- drivers/usb/serial/option.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c index daf9198ff11d..88b97c4c432a 100644 --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -2233,6 +2233,10 @@ static const struct usb_device_id option_ids[] = { { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_7106_2COM, 0x02, 0x02, 0x01) }, { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x02, 0x01) }, { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, MEDIATEK_PRODUCT_DC_4COM2, 0xff, 0x00, 0x00) }, + { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, 0x7126, 0xff, 0x00, 0x00), + .driver_info = NCTRL(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(MEDIATEK_VENDOR_ID, 0x7127, 0xff, 0x00, 0x00), + .driver_info = NCTRL(2) | NCTRL(3) | NCTRL(4) }, { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) }, { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MPL200), .driver_info = RSVD(1) | RSVD(4) }, From 4dd077fc35bd45cb3763b56b29397495aa60e832 Mon Sep 17 00:00:00 2001 From: Slark Xiao Date: Fri, 5 Jul 2024 16:17:09 +0800 Subject: [PATCH 47/90] USB: serial: option: add support for Foxconn T99W651 commit 3c841d54b63e4446383de3238399a3910e47d8e2 upstream. T99W651 is a RNDIS based modem device. There are 3 serial ports need to be enumerated: Diag, NMEA and AT. Test evidence as below: T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 6 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0489 ProdID=e145 Rev=05.15 S: Manufacturer=QCOM S: Product=SDXPINN-IDP _SN:93B562B2 S: SerialNumber=82e6fe26 C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option I: If#=0x5 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none) I: If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) 0&1: RNDIS, 2:AT, 3:NMEA, 4:DIAG, 5:QDSS, 6:ADB QDSS is not a serial port. Signed-off-by: Slark Xiao Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 9fde2ddfed4787728a20aefea6a625c6b2b32fc4) Signed-off-by: Vegard Nossum --- drivers/usb/serial/option.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c index 88b97c4c432a..c26c8580c0f0 100644 --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -2296,6 +2296,8 @@ static const struct usb_device_id option_ids[] = { .driver_info = RSVD(3) }, { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe0f0, 0xff), /* Foxconn T99W373 MBIM */ .driver_info = RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe145, 0xff), /* Foxconn T99W651 RNDIS */ + .driver_info = RSVD(5) | RSVD(6) }, { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 (IOT version) */ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) }, { USB_DEVICE(0x1782, 0x4d10) }, /* Fibocom L610 (AT mode) */ From e8c421c3e622eec18fb2a723b3801e041094e76b Mon Sep 17 00:00:00 2001 From: Mank Wang Date: Sat, 29 Jun 2024 01:54:45 +0000 Subject: [PATCH 48/90] USB: serial: option: add Netprisma LCUK54 series modules commit dc6dbe3ed28795b01c712ad8f567728f9c14b01d upstream. Add support for Netprisma LCUK54 series modules. LCUK54-WRD-LWW(0x3731/0x0100): NetPrisma LCUK54-WWD for Global LCUK54-WRD-LWW(0x3731/0x0101): NetPrisma LCUK54-WRD for Global SKU LCUK54-WRD-LCN(0x3731/0x0106): NetPrisma LCUK54-WRD for China SKU LCUK54-WRD-LWW(0x3731/0x0111): NetPrisma LCUK54-WWD for SA LCUK54-WRD-LWW(0x3731/0x0112): NetPrisma LCUK54-WWD for EU LCUK54-WRD-LWW(0x3731/0x0113): NetPrisma LCUK54-WWD for NA LCUK54-WWD-LCN(0x3731/0x0115): NetPrisma LCUK54-WWD for China EDU LCUK54-WWD-LWW(0x3731/0x0116): NetPrisma LCUK54-WWD for Golbal EDU Above products use the exact same interface layout and option driver: MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 5 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=3731 ProdID=0101 Rev= 5.04 S: Manufacturer=NetPrisma S: Product=LCUK54-WRD S: SerialNumber=b6250c36 C:* #Ifs= 8 Cfg#= 1 Atr=a0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none) E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) E: Ad=8f(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Mank Wang Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 038d9a89fac14fd9855383b2ae990ee755e36bd0) Signed-off-by: Vegard Nossum --- drivers/usb/serial/option.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c index c26c8580c0f0..6a1e8497ff3a 100644 --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -2335,6 +2335,30 @@ static const struct usb_device_id option_ids[] = { .driver_info = RSVD(4) }, { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0115, 0xff), /* Rolling RW135-GL (laptop MBIM) */ .driver_info = RSVD(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for Global */ + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0x00, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0101, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WRD for Global SKU */ + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0101, 0xff, 0x00, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0101, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0106, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WRD for China SKU */ + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0106, 0xff, 0x00, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0106, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0111, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for SA */ + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0111, 0xff, 0x00, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0111, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0112, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for EU */ + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0112, 0xff, 0x00, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0112, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0113, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for NA */ + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0113, 0xff, 0x00, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0113, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0115, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for China EDU */ + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0115, 0xff, 0x00, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0115, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0116, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for Golbal EDU */ + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0116, 0xff, 0x00, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0116, 0xff, 0xff, 0x40) }, { USB_DEVICE_AND_INTERFACE_INFO(OPPO_VENDOR_ID, OPPO_PRODUCT_R11, 0xff, 0xff, 0x30) }, { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x30) }, { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x40) }, From bb8ef9c34dbad9828e35221d9b93887f81fedf61 Mon Sep 17 00:00:00 2001 From: Vanillan Wang Date: Fri, 31 May 2024 10:40:12 +0800 Subject: [PATCH 49/90] USB: serial: option: add Rolling RW350-GL variants commit ae420771551bd9f04347c59744dd062332bdec3e upstream. Update the USB serial option driver support for the Rolling RW350-GL - VID:PID 33f8:0802, RW350-GL are laptop M.2 cards (with MBIM interfaces for /Linux/Chrome OS) Here are the outputs of usb-devices: usbmode=63: mbim, pipe T: Bus=02 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 D: Ver= 3.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS= 9 #Cfgs= 1 P: Vendor=33f8 ProdID=0802 Rev=00.01 S: Manufacturer=Rolling Wireless S.a.r.l. S: Product=USB DATA CARD C: #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms usbmode=64: mbim, others at (If#= 5 adb) MBIM(MI0) + GNSS(MI2) + AP log(MI3) + AP META(MI4) + ADB(MI5) + MD AT(MI6) + MD META(MI7) + NPT(MI8) + Debug(MI9) T: Bus=02 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 5 Spd=5000 MxCh= 0 D: Ver= 3.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS= 9 #Cfgs= 1 P: Vendor=33f8 ProdID=0802 Rev=00.01 S: Manufacturer=Rolling Wireless S.a.r.l. S: Product=USB DATA CARD C: #Ifs=10 Cfg#= 1 Atr=a0 MxPwr=896mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs E: Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=06(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=07(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=88(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=08(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=89(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms I: If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=09(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms E: Ad=8a(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms Signed-off-by: Vanillan Wang Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 5bc1f4bee4d84245a3479f53aef38f82b99a19f0) Signed-off-by: Vegard Nossum --- drivers/usb/serial/option.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c index 6a1e8497ff3a..d058580cd5c2 100644 --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -2335,6 +2335,8 @@ static const struct usb_device_id option_ids[] = { .driver_info = RSVD(4) }, { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0115, 0xff), /* Rolling RW135-GL (laptop MBIM) */ .driver_info = RSVD(5) }, + { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0802, 0xff), /* Rolling RW350-GL (laptop MBIM) */ + .driver_info = RSVD(5) }, { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for Global */ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0x00, 0x40) }, { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x40) }, From af79b0b19953f31e510d5330cb6d3bb246b096a2 Mon Sep 17 00:00:00 2001 From: WangYuli Date: Tue, 2 Jul 2024 23:44:08 +0800 Subject: [PATCH 50/90] USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k commit 3859e85de30815a20bce7db712ce3d94d40a682d upstream. START BP-850K is a dot matrix printer that crashes when it receives a Set-Interface request and needs USB_QUIRK_NO_SET_INTF to work properly. Cc: stable Signed-off-by: jinxiaobo Signed-off-by: WangYuli Link: https://lore.kernel.org/r/202E4B2BD0F0FEA4+20240702154408.631201-1-wangyuli@uniontech.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 1d1f3d602971bbb8de654e7bbe78bf6c2ebd06c1) Signed-off-by: Vegard Nossum --- drivers/usb/core/quirks.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c index 60a49b87cc64..496dcb223667 100644 --- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -313,6 +313,9 @@ static const struct usb_device_id usb_quirk_list[] = { { USB_DEVICE(0x1b1c, 0x1b38), .driver_info = USB_QUIRK_DELAY_INIT | USB_QUIRK_DELAY_CTRL_MSG }, + /* START BP-850k Printer */ + { USB_DEVICE(0x1bc3, 0x0003), .driver_info = USB_QUIRK_NO_SET_INTF }, + /* MIDI keyboard WORLDE MINI */ { USB_DEVICE(0x1c75, 0x0204), .driver_info = USB_QUIRK_CONFIG_INTF_STRINGS }, From 4a1cba1a65533b8f9ece63c774c0bd1d265e14bf Mon Sep 17 00:00:00 2001 From: Lee Jones Date: Fri, 5 Jul 2024 08:43:39 +0100 Subject: [PATCH 51/90] usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() commit 6d3c721e686ea6c59e18289b400cc95c76e927e0 upstream. Userspace provided string 's' could trivially have the length zero. Left unchecked this will firstly result in an OOB read in the form `if (str[0 - 1] == '\n') followed closely by an OOB write in the form `str[0 - 1] = '\0'`. There is already a validating check to catch strings that are too long. Let's supply an additional check for invalid strings that are too short. Signed-off-by: Lee Jones Cc: stable Link: https://lore.kernel.org/r/20240705074339.633717-1-lee@kernel.org Signed-off-by: Greg Kroah-Hartman (cherry picked from commit a444c3fc264119801575ab086e03fb4952f23fd0) Signed-off-by: Vegard Nossum --- drivers/usb/gadget/configfs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c index 2ecb1cfa4206..972b691c2370 100644 --- a/drivers/usb/gadget/configfs.c +++ b/drivers/usb/gadget/configfs.c @@ -115,9 +115,12 @@ static int usb_string_copy(const char *s, char **s_copy) int ret; char *str; char *copy = *s_copy; + ret = strlen(s); if (ret > USB_MAX_STRING_LEN) return -EOVERFLOW; + if (ret < 1) + return -EINVAL; if (copy) { str = copy; From d60eb2fd2445dd07125d1e450aa4c310d5baf190 Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Thu, 27 Jun 2024 15:56:18 -0400 Subject: [PATCH 52/90] USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor commit a368ecde8a5055b627749b09c6218ef793043e47 upstream. Syzbot has identified a bug in usbcore (see the Closes: tag below) caused by our assumption that the reserved bits in an endpoint descriptor's bEndpointAddress field will always be 0. As a result of the bug, the endpoint_is_duplicate() routine in config.c (and possibly other routines as well) may believe that two descriptors are for distinct endpoints, even though they have the same direction and endpoint number. This can lead to confusion, including the bug identified by syzbot (two descriptors with matching endpoint numbers and directions, where one was interrupt and the other was bulk). To fix the bug, we will clear the reserved bits in bEndpointAddress when we parse the descriptor. (Note that both the USB-2.0 and USB-3.1 specs say these bits are "Reserved, reset to zero".) This requires us to make a copy of the descriptor earlier in usb_parse_endpoint() and use the copy instead of the original when checking for duplicates. Signed-off-by: Alan Stern Reported-and-tested-by: syzbot+8693a0bb9c10b554272a@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-usb/0000000000003d868e061bc0f554@google.com/ Fixes: 0a8fd1346254 ("USB: fix problems with duplicate endpoint addresses") CC: Oliver Neukum CC: stable@vger.kernel.org Link: https://lore.kernel.org/r/205a5edc-7fef-4159-b64a-80374b6b101a@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman (cherry picked from commit d8418fd083d1b90a6c007cf8dcf81aeae274727b) Signed-off-by: Vegard Nossum --- drivers/usb/core/config.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index f4f3fcef22a6..a7f13fce5d8e 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -291,6 +291,20 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, if (ifp->desc.bNumEndpoints >= num_ep) goto skip_to_next_endpoint_or_interface_descriptor; + /* Save a copy of the descriptor and use it instead of the original */ + endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints]; + memcpy(&endpoint->desc, d, n); + d = &endpoint->desc; + + /* Clear the reserved bits in bEndpointAddress */ + i = d->bEndpointAddress & + (USB_ENDPOINT_DIR_MASK | USB_ENDPOINT_NUMBER_MASK); + if (i != d->bEndpointAddress) { + dev_notice(ddev, "config %d interface %d altsetting %d has an endpoint descriptor with address 0x%X, changing to 0x%X\n", + cfgno, inum, asnum, d->bEndpointAddress, i); + endpoint->desc.bEndpointAddress = i; + } + /* Check for duplicate endpoint addresses */ if (config_endpoint_is_duplicate(config, inum, asnum, d)) { dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n", @@ -308,10 +322,8 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, } } - endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints]; + /* Accept this endpoint */ ++ifp->desc.bNumEndpoints; - - memcpy(&endpoint->desc, d, n); INIT_LIST_HEAD(&endpoint->urb_list); /* From a43cf7b341011779151d27dd5bc52387d5f5f835 Mon Sep 17 00:00:00 2001 From: He Zhe Date: Thu, 6 Jun 2024 20:39:08 +0800 Subject: [PATCH 53/90] hpet: Support 32-bit userspace commit 4e60131d0d36af65ab9c9144f4f163fe97ae36e8 upstream. hpet_compat_ioctl and read file operations failed to handle parameters from 32-bit userspace and thus samples/timers/hpet_example.c fails as below. root@intel-x86-64:~# ./hpet_example-32.out poll /dev/hpet 1 2 -hpet: executing poll hpet_poll: HPET_IRQFREQ failed This patch fixes cmd and arg handling in hpet_compat_ioctl and adds compat handling for 32-bit userspace in hpet_read. hpet_example now shows that it works for both 64-bit and 32-bit. root@intel-x86-64:~# ./hpet_example-32.out poll /dev/hpet 1 2 -hpet: executing poll hpet_poll: info.hi_flags 0x0 hpet_poll: expired time = 0xf4298 hpet_poll: revents = 0x1 hpet_poll: data 0x1 hpet_poll: expired time = 0xf4235 hpet_poll: revents = 0x1 hpet_poll: data 0x1 root@intel-x86-64:~# ./hpet_example-64.out poll /dev/hpet 1 2 -hpet: executing poll hpet_poll: info.hi_flags 0x0 hpet_poll: expired time = 0xf42a1 hpet_poll: revents = 0x1 hpet_poll: data 0x1 hpet_poll: expired time = 0xf4232 hpet_poll: revents = 0x1 hpet_poll: data 0x1 Cc: stable@vger.kernel.org Signed-off-by: He Zhe Fixes: 54066a57c584 ("hpet: kill BKL, add compat_ioctl") Reviewed-by: Arnd Bergmann Link: https://lore.kernel.org/r/20240606123908.738733-1-zhe.he@windriver.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit e2cb94465de92f6a840bc7eface420b30cc64aa0) Signed-off-by: Vegard Nossum --- drivers/char/hpet.c | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c index b9935675085c..63f643cc8dc4 100644 --- a/drivers/char/hpet.c +++ b/drivers/char/hpet.c @@ -307,8 +307,13 @@ hpet_read(struct file *file, char __user *buf, size_t count, loff_t * ppos) if (!devp->hd_ireqfreq) return -EIO; - if (count < sizeof(unsigned long)) - return -EINVAL; + if (in_compat_syscall()) { + if (count < sizeof(compat_ulong_t)) + return -EINVAL; + } else { + if (count < sizeof(unsigned long)) + return -EINVAL; + } add_wait_queue(&devp->hd_waitqueue, &wait); @@ -332,9 +337,16 @@ hpet_read(struct file *file, char __user *buf, size_t count, loff_t * ppos) schedule(); } - retval = put_user(data, (unsigned long __user *)buf); - if (!retval) - retval = sizeof(unsigned long); + if (in_compat_syscall()) { + retval = put_user(data, (compat_ulong_t __user *)buf); + if (!retval) + retval = sizeof(compat_ulong_t); + } else { + retval = put_user(data, (unsigned long __user *)buf); + if (!retval) + retval = sizeof(unsigned long); + } + out: __set_current_state(TASK_RUNNING); remove_wait_queue(&devp->hd_waitqueue, &wait); @@ -691,12 +703,24 @@ struct compat_hpet_info { unsigned short hi_timer; }; +/* 32-bit types would lead to different command codes which should be + * translated into 64-bit ones before passed to hpet_ioctl_common + */ +#define COMPAT_HPET_INFO _IOR('h', 0x03, struct compat_hpet_info) +#define COMPAT_HPET_IRQFREQ _IOW('h', 0x6, compat_ulong_t) + static long hpet_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct hpet_info info; int err; + if (cmd == COMPAT_HPET_INFO) + cmd = HPET_INFO; + + if (cmd == COMPAT_HPET_IRQFREQ) + cmd = HPET_IRQFREQ; + mutex_lock(&hpet_mutex); err = hpet_ioctl_common(file->private_data, cmd, arg, &info); mutex_unlock(&hpet_mutex); From c618a1f6d3ecaa97aaf0283d9b89824e651bc013 Mon Sep 17 00:00:00 2001 From: Ilya Dryomov Date: Mon, 8 Jul 2024 22:37:29 +0200 Subject: [PATCH 54/90] libceph: fix race between delayed_work() and ceph_monc_stop() commit 69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 upstream. The way the delayed work is handled in ceph_monc_stop() is prone to races with mon_fault() and possibly also finish_hunting(). Both of these can requeue the delayed work which wouldn't be canceled by any of the following code in case that happens after cancel_delayed_work_sync() runs -- __close_session() doesn't mess with the delayed work in order to avoid interfering with the hunting interval logic. This part was missed in commit b5d91704f53e ("libceph: behave in mon_fault() if cur_mon < 0") and use-after-free can still ensue on monc and objects that hang off of it, with monc->auth and monc->monmap being particularly susceptible to quickly being reused. To fix this: - clear monc->cur_mon and monc->hunting as part of closing the session in ceph_monc_stop() - bail from delayed_work() if monc->cur_mon is cleared, similar to how it's done in mon_fault() and finish_hunting() (based on monc->hunting) - call cancel_delayed_work_sync() after the session is closed Cc: stable@vger.kernel.org Link: https://tracker.ceph.com/issues/66857 Signed-off-by: Ilya Dryomov Reviewed-by: Xiubo Li Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 1177afeca833174ba83504688eec898c6214f4bf) Signed-off-by: Vegard Nossum --- net/ceph/mon_client.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c index daca0af59942..12c00a7d0b56 100644 --- a/net/ceph/mon_client.c +++ b/net/ceph/mon_client.c @@ -963,13 +963,19 @@ static void delayed_work(struct work_struct *work) struct ceph_mon_client *monc = container_of(work, struct ceph_mon_client, delayed_work.work); - dout("monc delayed_work\n"); mutex_lock(&monc->mutex); + dout("%s mon%d\n", __func__, monc->cur_mon); + if (monc->cur_mon < 0) { + goto out; + } + if (monc->hunting) { dout("%s continuing hunt\n", __func__); reopen_session(monc); } else { int is_auth = ceph_auth_is_authenticated(monc->auth); + + dout("%s is_authed %d\n", __func__, is_auth); if (ceph_con_keepalive_expired(&monc->con, CEPH_MONC_PING_TIMEOUT)) { dout("monc keepalive timeout\n"); @@ -994,6 +1000,8 @@ static void delayed_work(struct work_struct *work) } } __schedule_delayed(monc); + +out: mutex_unlock(&monc->mutex); } @@ -1107,13 +1115,15 @@ EXPORT_SYMBOL(ceph_monc_init); void ceph_monc_stop(struct ceph_mon_client *monc) { dout("stop\n"); - cancel_delayed_work_sync(&monc->delayed_work); mutex_lock(&monc->mutex); __close_session(monc); + monc->hunting = false; monc->cur_mon = -1; mutex_unlock(&monc->mutex); + cancel_delayed_work_sync(&monc->delayed_work); + /* * flush msgr queue before we destroy ourselves to ensure that: * - any work that references our embedded con is finished. From bd19e77de5e3d3c721c8dc55e0d7f1b6a0117279 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Tue, 16 Jul 2024 01:53:59 +0000 Subject: [PATCH 55/90] tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() commit 36534d3c54537bf098224a32dc31397793d4594d upstream. Due to timer wheel implementation, a timer will usually fire after its schedule. For instance, for HZ=1000, a timeout between 512ms and 4s has a granularity of 64ms. For this range of values, the extra delay could be up to 63ms. For TCP, this means that tp->rcv_tstamp may be after inet_csk(sk)->icsk_timeout whenever the timer interrupt finally triggers, if one packet came during the extra delay. We need to make sure tcp_rtx_probe0_timed_out() handles this case. Fixes: e89688e3e978 ("net: tcp: fix unexcepted socket die when snd_wnd is 0") Signed-off-by: Eric Dumazet Cc: Menglong Dong Acked-by: Neal Cardwell Reviewed-by: Jason Xing Link: https://lore.kernel.org/r/20240607125652.1472540-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 0fe6516462392ffe355a45a1ada8d264a783430f) Signed-off-by: Vegard Nossum --- net/ipv4/tcp_timer.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c index 968c43dea2a5..c554d33c0a09 100644 --- a/net/ipv4/tcp_timer.c +++ b/net/ipv4/tcp_timer.c @@ -401,8 +401,13 @@ static bool tcp_rtx_probe0_timed_out(const struct sock *sk, { const struct tcp_sock *tp = tcp_sk(sk); const int timeout = TCP_RTO_MAX * 2; - u32 rcv_delta, rtx_delta; + u32 rtx_delta; + s32 rcv_delta; + /* Note: timer interrupt might have been delayed by at least one jiffy, + * and tp->rcv_tstamp might very well have been written recently. + * rcv_delta can thus be negative. + */ rcv_delta = inet_csk(sk)->icsk_timeout - tp->rcv_tstamp; if (rcv_delta <= timeout) return false; From 2a8372159bc037d3c15b66659a35ca18a0a61d98 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi Date: Sat, 29 Jun 2024 01:51:07 +0900 Subject: [PATCH 56/90] nilfs2: fix kernel bug on rename operation of broken directory commit a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 upstream. Syzbot reported that in rename directory operation on broken directory on nilfs2, __block_write_begin_int() called to prepare block write may fail BUG_ON check for access exceeding the folio/page size. This is because nilfs_dotdot(), which gets parent directory reference entry ("..") of the directory to be moved or renamed, does not check consistency enough, and may return location exceeding folio/page size for broken directories. Fix this issue by checking required directory entries ("." and "..") in the first chunk of the directory in nilfs_dotdot(). Link: https://lkml.kernel.org/r/20240628165107.9006-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627 Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") Tested-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit ff9767ba2cb949701e45e6e4287f8af82986b703) Signed-off-by: Vegard Nossum --- fs/nilfs2/dir.c | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c index fcec9216d300..34c8412dc86d 100644 --- a/fs/nilfs2/dir.c +++ b/fs/nilfs2/dir.c @@ -405,11 +405,39 @@ found: struct nilfs_dir_entry *nilfs_dotdot(struct inode *dir, struct page **p) { - struct nilfs_dir_entry *de = nilfs_get_page(dir, 0, p); + struct page *page; + struct nilfs_dir_entry *de, *next_de; + size_t limit; + char *msg; + de = nilfs_get_page(dir, 0, &page); if (IS_ERR(de)) return NULL; - return nilfs_next_entry(de); + + limit = nilfs_last_byte(dir, 0); /* is a multiple of chunk size */ + if (unlikely(!limit || le64_to_cpu(de->inode) != dir->i_ino || + !nilfs_match(1, ".", de))) { + msg = "missing '.'"; + goto fail; + } + + next_de = nilfs_next_entry(de); + /* + * If "next_de" has not reached the end of the chunk, there is + * at least one more record. Check whether it matches "..". + */ + if (unlikely((char *)next_de == (char *)de + nilfs_chunk_size(dir) || + !nilfs_match(2, "..", next_de))) { + msg = "missing '..'"; + goto fail; + } + *p = page; + return next_de; + +fail: + nilfs_error(dir->i_sb, "directory #%lu %s", dir->i_ino, msg); + nilfs_put_page(page); + return NULL; } ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr) From e0aa415e86deeac3ffde591fc5fd5e4a13e9ff23 Mon Sep 17 00:00:00 2001 From: Wolfram Sang Date: Sun, 7 Jul 2024 10:28:46 +0200 Subject: [PATCH 57/90] i2c: rcar: bring hardware to known state when probing [ Upstream commit 4e36c0f20cb1c74c7bd7ea31ba432c1c4a989031 ] When probing, the hardware is not brought into a known state. This may be a problem when a hypervisor restarts Linux without resetting the hardware, leaving an old state running. Make sure the hardware gets initialized, especially interrupts should be cleared and disabled. Reported-by: Dirk Behme Reported-by: Geert Uytterhoeven Closes: https://lore.kernel.org/r/20240702045535.2000393-1-dirk.behme@de.bosch.com Fixes: 6ccbe607132b ("i2c: add Renesas R-Car I2C driver") Signed-off-by: Wolfram Sang Signed-off-by: Andi Shyti Signed-off-by: Sasha Levin (cherry picked from commit a291702b35433e4948476b79c034a21fd2b5ebc8) Signed-off-by: Vegard Nossum --- drivers/i2c/busses/i2c-rcar.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c index d5d0809a6283..682f9b0731f8 100644 --- a/drivers/i2c/busses/i2c-rcar.c +++ b/drivers/i2c/busses/i2c-rcar.c @@ -173,6 +173,14 @@ static void rcar_i2c_init(struct rcar_i2c_priv *priv) rcar_i2c_write(priv, ICCCR, priv->icccr); } +static void rcar_i2c_reset_slave(struct rcar_i2c_priv *priv) +{ + rcar_i2c_write(priv, ICSIER, 0); + rcar_i2c_write(priv, ICSSR, 0); + rcar_i2c_write(priv, ICSCR, SDBS); + rcar_i2c_write(priv, ICSAR, 0); /* Gen2: must be 0 if not using slave */ +} + static int rcar_i2c_bus_barrier(struct rcar_i2c_priv *priv) { int i; @@ -818,11 +826,8 @@ static int rcar_unreg_slave(struct i2c_client *slave) /* ensure no irq is running before clearing ptr */ disable_irq(priv->irq); - rcar_i2c_write(priv, ICSIER, 0); - rcar_i2c_write(priv, ICSSR, 0); + rcar_i2c_reset_slave(priv); enable_irq(priv->irq); - rcar_i2c_write(priv, ICSCR, SDBS); - rcar_i2c_write(priv, ICSAR, 0); /* Gen2: must be 0 if not using slave */ priv->slave = NULL; @@ -919,7 +924,9 @@ static int rcar_i2c_probe(struct platform_device *pdev) if (ret < 0) goto out_pm_put; - rcar_i2c_write(priv, ICSAR, 0); /* Gen2: must be 0 if not using slave */ + /* Bring hardware to known state */ + rcar_i2c_init(priv); + rcar_i2c_reset_slave(priv); if (priv->devtype == I2C_RCAR_GEN3) { priv->rstc = devm_reset_control_get_exclusive(&pdev->dev, NULL); From a45e56a28a046474b31d07f9e1ca29b63b9f3679 Mon Sep 17 00:00:00 2001 From: Vegard Nossum Date: Sat, 24 Aug 2024 06:57:18 +0000 Subject: [PATCH 58/90] LTS: Update to 4.14.351 This corresponds to 4.19.318 upstream (v4.19.317..v4.19.318). Signed-off-by: Vegard Nossum --- .elts/config.yaml | 4 +- .elts/meta/4.14.351.yaml | 222 +++++++++++++++++++++++++++++ .elts/upstream/4.19.318.yaml | 264 +++++++++++++++++++++++++++++++++++ Makefile | 2 +- 4 files changed, 489 insertions(+), 3 deletions(-) create mode 100644 .elts/meta/4.14.351.yaml create mode 100644 .elts/upstream/4.19.318.yaml diff --git a/.elts/config.yaml b/.elts/config.yaml index 90612c7fd1db..dde8bf91c918 100644 --- a/.elts/config.yaml +++ b/.elts/config.yaml @@ -1,5 +1,5 @@ upstream_repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git upstream_base: 4.19.304 base: 4.14.336 -upstream_version: 4.19.317 -version: 4.14.350 +upstream_version: 4.19.318 +version: 4.14.351 diff --git a/.elts/meta/4.14.351.yaml b/.elts/meta/4.14.351.yaml new file mode 100644 index 000000000000..5e5da4d4ddfe --- /dev/null +++ b/.elts/meta/4.14.351.yaml @@ -0,0 +1,222 @@ +a29d61e7e8e578fd6bc893e3fc566de319821ca5: + title: 'media: dvb: as102-fe: Fix as10x_register_addr packing' + mainline: 309422d280748c74f57f471559980268ac27732a + upstream: 86b769452b39428807f287ff5bb5aaf6fbfb7e9c +763d3cd7f083891a68cf5158c5bab81bb5e8be0f: + title: 'media: dvb-usb: dib0700_devices: Add missing release_firmware()' + mainline: 4b267c23ee064bd24c6933df0588ad1b6e111145 + upstream: 213375679632f6ed1e4eb98b78a8f600977b9b34 +f3829e3d794cad5ddb6c88e0ff1b27b6435d224b: + title: 'IB/core: Implement a limit on UMAD receive List' + mainline: ca0b44e20a6f3032224599f02e7c8fb49525c894 + upstream: 1288cf1cceb0e6df276e182f5412370fb4169bcb +8fb8547e74c70ef7ed9af6d75f8b27186d6c1d88: + title: 'media: dw2102: Don''t translate i2c read into write' + mainline: 0e148a522b8453115038193e19ec7bea71403e4a + upstream: 74eb7ec7afe976a499484f56e8af020c3260a559 +fca275dacc79b9d77ec45e208a68284a19515d5f: + title: 'sctp: prefer struct_size over open coded arithmetic' + mainline: e5c5f3596de224422561d48eba6ece5210d967b3 + upstream: 03f37e56305156bd25c5c237d1cc7f5c75495ef2 +b0f4f0d200c9bcb8c14b1f09a288dc89d026fdc3: + title: 'firmware: dmi: Stop decoding on broken entry' + mainline: 0ef11f604503b1862a21597436283f158114d77e + upstream: c2a350a3fa622a174e3704691d05989cdfde4d51 +d2b33d0a14125c60fb7fc2fe60e7305ef606bc7f: + title: 'Input: ff-core - prefer struct_size over open coded arithmetic' + mainline: a08b8f8557ad88ffdff8905e5da972afe52e3307 + upstream: e52cfcf68df0b52565be68106e9f65ab8077b48a +9c1cb2b6cbf9a9e1ee2e9702637c71adc476e874: + title: 'net: dsa: mv88e6xxx: Correct check for empty list' + mainline: 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b + upstream: 47d28dde172696031c880c5778633cdca30394ee +a65c17e8b9fe25ecae58373ddbea9fe06135f193: + title: 'media: dvb-frontends: tda18271c2dd: Remove casting during div' + mainline: e9a844632630e18ed0671a7e3467431bd719952e + upstream: 2401cbc0f5d4bd1e327d247548cc6ee57bc76c53 +909138842fcc6194732efcd7e9d6ab4b9b715600: + title: 'media: s2255: Use refcount_t instead of atomic_t for num_channels' + mainline: 6cff72f6bcee89228a662435b7c47e21a391c8d0 + upstream: 32f2f5385eefa73aaebefda419147ac8599ba9e6 +cf654f32bbef8fd9d7d57d91a3378370a975e85f: + title: 'media: dvb-frontends: tda10048: Fix integer overflow' + mainline: 1aa1329a67cc214c3b7bd2a14d1301a795760b07 + upstream: 8167e4d7dc086d4f7ca7897dcff3827e4d22c99a +f5a529216e877313cde4f8a3fc637c816642e861: + title: 'i2c: i801: Annotate apanel_addr as __ro_after_init' + mainline: 355b1513b1e97b6cef84b786c6480325dfd3753d + upstream: 1a1f7053437d0f27534ecc9ec7e5d441c082b81c +af94a2ea5b6eb5ead8c016a196311449e0e145ac: + title: 'powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n' + mainline: be140f1732b523947425aaafbe2e37b41b622d96 + upstream: 85cc3ecb0b1256d539bb6a58a5f995c802a331c4 +b490b0a094cb6b1e6dc7c79ef9c76213480e03e8: + title: 'orangefs: fix out-of-bounds fsid access' + mainline: 53e4efa470d5fc6a96662d2d3322cfc925818517 + upstream: b90176a9553775e23966650e445b1866e62e4924 +48d99fb324e4d263c533ae24712372138c5cb664: + title: 'powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#"' + mainline: 8873aab8646194a4446117bb617cc71bddda2dee + upstream: 04b90b8d0b6929d7427551215b71901959c8e098 +7523a69d10eba34a5bf215bbbf73b02932303c2b: + title: 'jffs2: Fix potential illegal address access in jffs2_free_inode' + mainline: af9a8730ddb6a4b2edd779ccc0aceb994d616830 + upstream: b6c8b3e31eb88c85094d848a0bd8b4bafe67e4d8 +d232297f0376ff857296774d047ced0731895562: + title: 's390/pkey: Wipe sensitive data on failure' + mainline: 1d8c270de5eb74245d72325d285894a577a945d9 + upstream: 6e2e374403bf73140d0efc9541cb1b3bea55ac02 +f1bac5dbfa7aaf5cee717a604ed1c94b363a9883: + title: 'UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()' + mainline: a6458ab7fd4f427d4f6f54380453ad255b7fde83 + upstream: 8b5fd51b3040ce2596d22a72767c66d7435853b6 +f8f32610dabb5c07608475f3cfe4915aa4cd15e5: + title: 'tcp_metrics: validate source addr length' + mainline: 66be40e622e177316ae81717aa30057ba9e61dff + upstream: 19d997b59fa1fd7a02e770ee0881c0652b9c32c9 +ea462f7627ecabdd4263965f5a8864f0ab86d08b: + title: 'bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()' + mainline: e271ff53807e8f2c628758290f0e499dbe51cb3d + upstream: 6a8a4fd082c439e19fede027e80c79bc4c84bb8e +a8987b87ffb8455fddf7b29734f043256d589a34: + title: 'selftests/net: reap zerocopy completions passed up as ancillary data.' +c75d2712b73df3ce9a145395882cee0d56f8916f: + title: 'selftests: fix OOM in msg_zerocopy selftest' + mainline: af2b7e5b741aaae9ffbba2c660def434e07aa241 + upstream: d6ab0198fb470e1a9948d08c610a94601a1fdb2c +3688bfa238e9ea94bff46c0dc030f412f239a08c: + title: 'selftests: make order checking verbose in msg_zerocopy selftest' + mainline: 7d6d8f0c8b700c9493f2839abccb6d29028b4219 + upstream: b1cb48187a6edc2ab72f5b3e6b4af7a232730d64 +600edf70c16cb29b82c9fd1e830398168eea7bca: + title: 'inet_diag: Initialize pad field in struct inet_diag_req_v2' + mainline: 61cf1c739f08190a4cbf047b9fbb192a94d87e3f + upstream: 7094a5fd20ab66028f1da7f06e0f2692d70346f9 +72ae23ea4ee2e943e8d58ad302c6a843dbf80ad0: + title: 'nilfs2: fix inode number range checks' + mainline: e2fec219a36e0993642844be0f345513507031f4 + upstream: 57235c3c88bb430043728d0d02f44a4efe386476 +ba6206b639aa6f1d9ade9cb55831ebc1f7268594: + title: 'nilfs2: add missing check for inode numbers on directory entries' + mainline: bb76c6c274683c8570ad788f79d4b875bde0e458 + upstream: c33c2b0d92aa1c2262d999b2598ad6fbd53bd479 +34096341954fed86e3b510d1c0617470f21bb41d: + title: 'mm: optimize the redundant loop of mm_update_owner_next()' + mainline: cf3f9a593dab87a032d2b6a6fb205e7f3de4f0a1 + upstream: 2890a7faf552dd3e4e40e343610ba3e0ba5b788e +1cbdc455dc33b76a9efdf4694308b2b1c8ea5a21: + title: 'Bluetooth: Fix incorrect pointer arithmatic in ext_adv_report_evt' + mainline: cd9151b618da4723877bd94eae952f2e50acbc0e + upstream: b162f19e6603571061b19dbb604a9883f0fa4ecc +73f492747cfcd09e43ef25970d26c8943ab830ec: + title: 'fsnotify: Do not generate events for O_PATH file descriptors' + mainline: 702eb71fd6501b3566283f8c96d7ccc6ddd662e9 + upstream: b7421cad1d8725831a98b339d7ecbb284dd1c5de +6949c5283758b9d0847b1ce1d461e9c7d2730fa1: + title: 'Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again"' + mainline: 30139c702048f1097342a31302cbd3d478f50c63 + upstream: 253f9ea7e8e53a5176bd80ceb174907b10724c1a +c300d28e4079a0046e79ff18bdffb48c7dee3861: + title: 'drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes' + mainline: 80bec6825b19d95ccdfd3393cf8ec15ff2a749b4 + upstream: 9baf60323efa992b7c915094529f0a1882c34e7e +27967cf8362a84f47938fe7ff0ff57c991c858cc: + title: 'drm/amdgpu/atomfirmware: silence UBSAN warning' + mainline: d0417264437a8fa05f894cabba5a26715b32d78e + upstream: 385b615c95df14df68ca8322245c13a9389392f6 +a64eeaefb325e45890fca958151be84cfa53b633: + title: 'bnx2x: Fix multiple UBSAN array-index-out-of-bounds' + mainline: 134061163ee5ca4759de5c24ca3bd71608891ba7 + upstream: cfb04472ce33bee2579caf4dc9f4242522f6e26e +9c6553444512bcd2fdaf2b4153835f19f684f2c4: + title: 'media: dw2102: fix a potential buffer overflow' + mainline: 1c73d0b29d04bf4082e7beb6a508895e118ee30d + upstream: 39fb2a0c2e78d9b2de726be119e6d06e38aa4ed4 +900ede664c5f6c4194cc6a86558c291918c285dd: + title: 'i2c: pnx: move header into the driver' +82043a1a1450176d4a5c5664b05ab1e7bfeed0ee: + title: 'i2c/busses: Convert timers to use timer_setup()' +1921a68ba39c00e508c2b6fdd571d6fdeb6268e4: + title: 'i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr' + mainline: f63b94be6942ba82c55343e196bd09b53227618e + upstream: a349e5ab4dc9954746e836cd10b407ce48f9b2f6 +75fb795f98517dbdb2973414465cffa685d9cd8a: + title: 'nilfs2: fix incorrect inode allocation from reserved inodes' + mainline: 93aef9eda1cea9e84ab2453fcceb8addad0e46f1 + upstream: de9d81daaca2b7b3c853bf2ff729353e84f06b18 +852460760459aec08d18bc7780f254f6f256606d: + title: 'tcp: fix incorrect undo caused by DSACK of TLP retransmit' + mainline: 0ec986ed7bab6801faed1440e8839dcc710331ff + upstream: 83f5eb01c4beb9741bc1600bcd8b6e94a1774abe +95139b5d59c4b6d6c56f39c2b4b4f26e22330000: + title: 'net: lantiq_etop: add blank line after declaration' + mainline: 4c46625bb586a741b8d0e6bdbddbcb2549fa1d36 + upstream: 12d204b835dd85c7fe6501be6ee1aaa1e5315ff9 +ae3b644b836cdcca258294db2569189af4ef7ff3: + title: 'net: ethernet: lantiq_etop: fix double free in detach' + mainline: e1533b6319ab9c3a97dad314dd88b3783bc41b69 + upstream: 1a2db00a554cfda57c397cce79b2804bf9633fec +84f3c0bb96cd91096079828b24b51af408265abe: + title: 'ppp: reject claimed-as-LCP but actually malformed packets' + mainline: f2aeb7306a898e1cbd03963d376f4b6656ca2b55 + upstream: 97d1efd8be26615ff680cdde86937d5943138f37 +4e591539244c71973243bd4315024d601991ee3a: + title: 'ARM: davinci: Convert comma to semicolon' + mainline: acc3815db1a02d654fbc19726ceaadca0d7dd81c + upstream: f9ace6a3278a613d22abbd7d69e13d481b800622 +400d7f0eceb6a1993c04f36ee766abff02f975b8: + title: 'USB: serial: option: add Telit generic core-dump composition' + mainline: 4298e400dbdbf259549d69c349e060652ad53611 + upstream: a88697c3871ade2c9d03437d170af77ec92d2982 +4094a8160b0626b4fc428b2770adcd99652a9117: + title: 'USB: serial: option: add Telit FN912 rmnet compositions' + mainline: 9a590ff283421b71560deded2110dbdcbe1f7d1d + upstream: 908bc2cb55f8affc7a90bb8d17fd4323088e2a19 +01b762bc1225b0a0ffb18638161627cb185ce408: + title: 'USB: serial: option: add Fibocom FM350-GL' + mainline: 2604e08ff251dba330e16b65e80074c9c540aad7 + upstream: de307ab87774c96700fa1831f78f5085255c35f8 +4dd077fc35bd45cb3763b56b29397495aa60e832: + title: 'USB: serial: option: add support for Foxconn T99W651' + mainline: 3c841d54b63e4446383de3238399a3910e47d8e2 + upstream: 9fde2ddfed4787728a20aefea6a625c6b2b32fc4 +e8c421c3e622eec18fb2a723b3801e041094e76b: + title: 'USB: serial: option: add Netprisma LCUK54 series modules' + mainline: dc6dbe3ed28795b01c712ad8f567728f9c14b01d + upstream: 038d9a89fac14fd9855383b2ae990ee755e36bd0 +bb8ef9c34dbad9828e35221d9b93887f81fedf61: + title: 'USB: serial: option: add Rolling RW350-GL variants' + mainline: ae420771551bd9f04347c59744dd062332bdec3e + upstream: 5bc1f4bee4d84245a3479f53aef38f82b99a19f0 +af79b0b19953f31e510d5330cb6d3bb246b096a2: + title: 'USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k' + mainline: 3859e85de30815a20bce7db712ce3d94d40a682d + upstream: 1d1f3d602971bbb8de654e7bbe78bf6c2ebd06c1 +4a1cba1a65533b8f9ece63c774c0bd1d265e14bf: + title: 'usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()' + mainline: 6d3c721e686ea6c59e18289b400cc95c76e927e0 + upstream: a444c3fc264119801575ab086e03fb4952f23fd0 +d60eb2fd2445dd07125d1e450aa4c310d5baf190: + title: 'USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor' + mainline: a368ecde8a5055b627749b09c6218ef793043e47 + upstream: d8418fd083d1b90a6c007cf8dcf81aeae274727b +a43cf7b341011779151d27dd5bc52387d5f5f835: + title: 'hpet: Support 32-bit userspace' + mainline: 4e60131d0d36af65ab9c9144f4f163fe97ae36e8 + upstream: e2cb94465de92f6a840bc7eface420b30cc64aa0 +c618a1f6d3ecaa97aaf0283d9b89824e651bc013: + title: 'libceph: fix race between delayed_work() and ceph_monc_stop()' + mainline: 69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 + upstream: 1177afeca833174ba83504688eec898c6214f4bf +bd19e77de5e3d3c721c8dc55e0d7f1b6a0117279: + title: 'tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()' + mainline: 36534d3c54537bf098224a32dc31397793d4594d + upstream: 0fe6516462392ffe355a45a1ada8d264a783430f +2a8372159bc037d3c15b66659a35ca18a0a61d98: + title: 'nilfs2: fix kernel bug on rename operation of broken directory' + mainline: a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 + upstream: ff9767ba2cb949701e45e6e4287f8af82986b703 +e0aa415e86deeac3ffde591fc5fd5e4a13e9ff23: + title: 'i2c: rcar: bring hardware to known state when probing' + mainline: 4e36c0f20cb1c74c7bd7ea31ba432c1c4a989031 + upstream: a291702b35433e4948476b79c034a21fd2b5ebc8 diff --git a/.elts/upstream/4.19.318.yaml b/.elts/upstream/4.19.318.yaml new file mode 100644 index 000000000000..5a69986912ac --- /dev/null +++ b/.elts/upstream/4.19.318.yaml @@ -0,0 +1,264 @@ +a8a223aa3fb7790168fbf777a8db5bcef011b4dc: + title: 'asm-generic: Move common compat types to asm-generic/compat.h' + mainline: fb3739759474d150a9927b920a80ea2afb4c2a51 + skipped: not stable material +86b769452b39428807f287ff5bb5aaf6fbfb7e9c: + title: 'media: dvb: as102-fe: Fix as10x_register_addr packing' + mainline: 309422d280748c74f57f471559980268ac27732a + backport: a29d61e7e8e578fd6bc893e3fc566de319821ca5 +213375679632f6ed1e4eb98b78a8f600977b9b34: + title: 'media: dvb-usb: dib0700_devices: Add missing release_firmware()' + mainline: 4b267c23ee064bd24c6933df0588ad1b6e111145 + backport: 763d3cd7f083891a68cf5158c5bab81bb5e8be0f +1288cf1cceb0e6df276e182f5412370fb4169bcb: + title: 'IB/core: Implement a limit on UMAD receive List' + mainline: ca0b44e20a6f3032224599f02e7c8fb49525c894 + backport: f3829e3d794cad5ddb6c88e0ff1b27b6435d224b +9eb4db08a808e3a3ba59193aeb84a57a6dc4d8c9: + title: 'drm/amd/display: Skip finding free audio for unknown engine_id' + mainline: 1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3 + skipped: patched file is not in 4.14.y +74eb7ec7afe976a499484f56e8af020c3260a559: + title: 'media: dw2102: Don''t translate i2c read into write' + mainline: 0e148a522b8453115038193e19ec7bea71403e4a + backport: 8fb8547e74c70ef7ed9af6d75f8b27186d6c1d88 +03f37e56305156bd25c5c237d1cc7f5c75495ef2: + title: 'sctp: prefer struct_size over open coded arithmetic' + mainline: e5c5f3596de224422561d48eba6ece5210d967b3 + backport: fca275dacc79b9d77ec45e208a68284a19515d5f +c2a350a3fa622a174e3704691d05989cdfde4d51: + title: 'firmware: dmi: Stop decoding on broken entry' + mainline: 0ef11f604503b1862a21597436283f158114d77e + backport: b0f4f0d200c9bcb8c14b1f09a288dc89d026fdc3 +e52cfcf68df0b52565be68106e9f65ab8077b48a: + title: 'Input: ff-core - prefer struct_size over open coded arithmetic' + mainline: a08b8f8557ad88ffdff8905e5da972afe52e3307 + backport: d2b33d0a14125c60fb7fc2fe60e7305ef606bc7f +47d28dde172696031c880c5778633cdca30394ee: + title: 'net: dsa: mv88e6xxx: Correct check for empty list' + mainline: 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b + backport: 9c1cb2b6cbf9a9e1ee2e9702637c71adc476e874 +2401cbc0f5d4bd1e327d247548cc6ee57bc76c53: + title: 'media: dvb-frontends: tda18271c2dd: Remove casting during div' + mainline: e9a844632630e18ed0671a7e3467431bd719952e + backport: a65c17e8b9fe25ecae58373ddbea9fe06135f193 +32f2f5385eefa73aaebefda419147ac8599ba9e6: + title: 'media: s2255: Use refcount_t instead of atomic_t for num_channels' + mainline: 6cff72f6bcee89228a662435b7c47e21a391c8d0 + backport: 909138842fcc6194732efcd7e9d6ab4b9b715600 +8167e4d7dc086d4f7ca7897dcff3827e4d22c99a: + title: 'media: dvb-frontends: tda10048: Fix integer overflow' + mainline: 1aa1329a67cc214c3b7bd2a14d1301a795760b07 + backport: cf654f32bbef8fd9d7d57d91a3378370a975e85f +1a1f7053437d0f27534ecc9ec7e5d441c082b81c: + title: 'i2c: i801: Annotate apanel_addr as __ro_after_init' + mainline: 355b1513b1e97b6cef84b786c6480325dfd3753d + backport: f5a529216e877313cde4f8a3fc637c816642e861 +85cc3ecb0b1256d539bb6a58a5f995c802a331c4: + title: 'powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n' + mainline: be140f1732b523947425aaafbe2e37b41b622d96 + backport: af94a2ea5b6eb5ead8c016a196311449e0e145ac +b90176a9553775e23966650e445b1866e62e4924: + title: 'orangefs: fix out-of-bounds fsid access' + mainline: 53e4efa470d5fc6a96662d2d3322cfc925818517 + backport: b490b0a094cb6b1e6dc7c79ef9c76213480e03e8 +04b90b8d0b6929d7427551215b71901959c8e098: + title: 'powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#"' + mainline: 8873aab8646194a4446117bb617cc71bddda2dee + backport: 48d99fb324e4d263c533ae24712372138c5cb664 +b6c8b3e31eb88c85094d848a0bd8b4bafe67e4d8: + title: 'jffs2: Fix potential illegal address access in jffs2_free_inode' + mainline: af9a8730ddb6a4b2edd779ccc0aceb994d616830 + backport: 7523a69d10eba34a5bf215bbbf73b02932303c2b +6e2e374403bf73140d0efc9541cb1b3bea55ac02: + title: 's390/pkey: Wipe sensitive data on failure' + mainline: 1d8c270de5eb74245d72325d285894a577a945d9 + backport: d232297f0376ff857296774d047ced0731895562 +0cb018bf9217805f97740fe83261e18199fc2773: + title: 'tcp: take care of compressed acks in tcp_add_reno_sack()' + mainline: 19119f298bb1f2af3bb1093f5f2a1fed8da94e37 + skipped: commit did not cherry-pick cleanly +552970cb728120695820ef9decb0933b3f9ce774: + title: 'tcp: tcp_mark_head_lost is only valid for sack-tcp' + mainline: 636ef28d6e4d174e424102466caf572b0406fb0e + skipped: commit did not cherry-pick cleanly +57a672a35020884512ae64fbbcb5c70149424781: + title: 'tcp: add ece_ack flag to reno sack functions' + mainline: c634e34f6ebfb75259e6ce467523fd3adf30d3d2 + skipped: commit did not cherry-pick cleanly +550968385e2f0df8e29c6431ab2dc0961499acb0: + title: 'net: tcp better handling of reordering then loss cases' + mainline: a29cb6914681a55667436a9eb7a42e28da8cf387 + skipped: commit did not cherry-pick cleanly +8b5fd51b3040ce2596d22a72767c66d7435853b6: + title: 'UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()' + mainline: a6458ab7fd4f427d4f6f54380453ad255b7fde83 + backport: f1bac5dbfa7aaf5cee717a604ed1c94b363a9883 +19d997b59fa1fd7a02e770ee0881c0652b9c32c9: + title: 'tcp_metrics: validate source addr length' + mainline: 66be40e622e177316ae81717aa30057ba9e61dff + backport: f8f32610dabb5c07608475f3cfe4915aa4cd15e5 +6a8a4fd082c439e19fede027e80c79bc4c84bb8e: + title: 'bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()' + mainline: e271ff53807e8f2c628758290f0e499dbe51cb3d + backport: ea462f7627ecabdd4263965f5a8864f0ab86d08b +d6ab0198fb470e1a9948d08c610a94601a1fdb2c: + title: 'selftests: fix OOM in msg_zerocopy selftest' + mainline: af2b7e5b741aaae9ffbba2c660def434e07aa241 + backport: c75d2712b73df3ce9a145395882cee0d56f8916f +b1cb48187a6edc2ab72f5b3e6b4af7a232730d64: + title: 'selftests: make order checking verbose in msg_zerocopy selftest' + mainline: 7d6d8f0c8b700c9493f2839abccb6d29028b4219 + backport: 3688bfa238e9ea94bff46c0dc030f412f239a08c +7094a5fd20ab66028f1da7f06e0f2692d70346f9: + title: 'inet_diag: Initialize pad field in struct inet_diag_req_v2' + mainline: 61cf1c739f08190a4cbf047b9fbb192a94d87e3f + backport: 600edf70c16cb29b82c9fd1e830398168eea7bca +57235c3c88bb430043728d0d02f44a4efe386476: + title: 'nilfs2: fix inode number range checks' + mainline: e2fec219a36e0993642844be0f345513507031f4 + backport: 72ae23ea4ee2e943e8d58ad302c6a843dbf80ad0 +c33c2b0d92aa1c2262d999b2598ad6fbd53bd479: + title: 'nilfs2: add missing check for inode numbers on directory entries' + mainline: bb76c6c274683c8570ad788f79d4b875bde0e458 + backport: ba6206b639aa6f1d9ade9cb55831ebc1f7268594 +2890a7faf552dd3e4e40e343610ba3e0ba5b788e: + title: 'mm: optimize the redundant loop of mm_update_owner_next()' + mainline: cf3f9a593dab87a032d2b6a6fb205e7f3de4f0a1 + backport: 34096341954fed86e3b510d1c0617470f21bb41d +b162f19e6603571061b19dbb604a9883f0fa4ecc: + title: 'Bluetooth: Fix incorrect pointer arithmatic in ext_adv_report_evt' + mainline: cd9151b618da4723877bd94eae952f2e50acbc0e + backport: 1cbdc455dc33b76a9efdf4694308b2b1c8ea5a21 +a7428ec9d7911f1a74da20359063ff265081832a: + title: 'can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct' + mainline: 19d5b2698c35b2132a355c67b4d429053804f8cc + skipped: fixes patch not in branch +b7421cad1d8725831a98b339d7ecbb284dd1c5de: + title: 'fsnotify: Do not generate events for O_PATH file descriptors' + mainline: 702eb71fd6501b3566283f8c96d7ccc6ddd662e9 + backport: 73f492747cfcd09e43ef25970d26c8943ab830ec +253f9ea7e8e53a5176bd80ceb174907b10724c1a: + title: 'Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again"' + mainline: 30139c702048f1097342a31302cbd3d478f50c63 + backport: 6949c5283758b9d0847b1ce1d461e9c7d2730fa1 +9baf60323efa992b7c915094529f0a1882c34e7e: + title: 'drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes' + mainline: 80bec6825b19d95ccdfd3393cf8ec15ff2a749b4 + backport: c300d28e4079a0046e79ff18bdffb48c7dee3861 +385b615c95df14df68ca8322245c13a9389392f6: + title: 'drm/amdgpu/atomfirmware: silence UBSAN warning' + mainline: d0417264437a8fa05f894cabba5a26715b32d78e + backport: 27967cf8362a84f47938fe7ff0ff57c991c858cc +cfb04472ce33bee2579caf4dc9f4242522f6e26e: + title: 'bnx2x: Fix multiple UBSAN array-index-out-of-bounds' + mainline: 134061163ee5ca4759de5c24ca3bd71608891ba7 + backport: a64eeaefb325e45890fca958151be84cfa53b633 +39fb2a0c2e78d9b2de726be119e6d06e38aa4ed4: + title: 'media: dw2102: fix a potential buffer overflow' + mainline: 1c73d0b29d04bf4082e7beb6a508895e118ee30d + backport: 9c6553444512bcd2fdaf2b4153835f19f684f2c4 +a349e5ab4dc9954746e836cd10b407ce48f9b2f6: + title: 'i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr' + mainline: f63b94be6942ba82c55343e196bd09b53227618e + backport: 1921a68ba39c00e508c2b6fdd571d6fdeb6268e4 +de9d81daaca2b7b3c853bf2ff729353e84f06b18: + title: 'nilfs2: fix incorrect inode allocation from reserved inodes' + mainline: 93aef9eda1cea9e84ab2453fcceb8addad0e46f1 + backport: 75fb795f98517dbdb2973414465cffa685d9cd8a +f0d7f98ff88c26698296f62fe91d7e7141fe4a47: + title: 'drm/i915: make find_fw_domain work on intel_uncore' + mainline: cb7ee69015aaba5e1091af94e73bc72483c08e37 + skipped: fixes new functionality not in 4.14 +83f5eb01c4beb9741bc1600bcd8b6e94a1774abe: + title: 'tcp: fix incorrect undo caused by DSACK of TLP retransmit' + mainline: 0ec986ed7bab6801faed1440e8839dcc710331ff + backport: 852460760459aec08d18bc7780f254f6f256606d +12d204b835dd85c7fe6501be6ee1aaa1e5315ff9: + title: 'net: lantiq_etop: add blank line after declaration' + mainline: 4c46625bb586a741b8d0e6bdbddbcb2549fa1d36 + backport: 95139b5d59c4b6d6c56f39c2b4b4f26e22330000 +1a2db00a554cfda57c397cce79b2804bf9633fec: + title: 'net: ethernet: lantiq_etop: fix double free in detach' + mainline: e1533b6319ab9c3a97dad314dd88b3783bc41b69 + backport: ae3b644b836cdcca258294db2569189af4ef7ff3 +97d1efd8be26615ff680cdde86937d5943138f37: + title: 'ppp: reject claimed-as-LCP but actually malformed packets' + mainline: f2aeb7306a898e1cbd03963d376f4b6656ca2b55 + backport: 84f3c0bb96cd91096079828b24b51af408265abe +f9ace6a3278a613d22abbd7d69e13d481b800622: + title: 'ARM: davinci: Convert comma to semicolon' + mainline: acc3815db1a02d654fbc19726ceaadca0d7dd81c + backport: 4e591539244c71973243bd4315024d601991ee3a +a88697c3871ade2c9d03437d170af77ec92d2982: + title: 'USB: serial: option: add Telit generic core-dump composition' + mainline: 4298e400dbdbf259549d69c349e060652ad53611 + backport: 400d7f0eceb6a1993c04f36ee766abff02f975b8 +908bc2cb55f8affc7a90bb8d17fd4323088e2a19: + title: 'USB: serial: option: add Telit FN912 rmnet compositions' + mainline: 9a590ff283421b71560deded2110dbdcbe1f7d1d + backport: 4094a8160b0626b4fc428b2770adcd99652a9117 +de307ab87774c96700fa1831f78f5085255c35f8: + title: 'USB: serial: option: add Fibocom FM350-GL' + mainline: 2604e08ff251dba330e16b65e80074c9c540aad7 + backport: 01b762bc1225b0a0ffb18638161627cb185ce408 +9fde2ddfed4787728a20aefea6a625c6b2b32fc4: + title: 'USB: serial: option: add support for Foxconn T99W651' + mainline: 3c841d54b63e4446383de3238399a3910e47d8e2 + backport: 4dd077fc35bd45cb3763b56b29397495aa60e832 +038d9a89fac14fd9855383b2ae990ee755e36bd0: + title: 'USB: serial: option: add Netprisma LCUK54 series modules' + mainline: dc6dbe3ed28795b01c712ad8f567728f9c14b01d + backport: e8c421c3e622eec18fb2a723b3801e041094e76b +5bc1f4bee4d84245a3479f53aef38f82b99a19f0: + title: 'USB: serial: option: add Rolling RW350-GL variants' + mainline: ae420771551bd9f04347c59744dd062332bdec3e + backport: bb8ef9c34dbad9828e35221d9b93887f81fedf61 +1d1f3d602971bbb8de654e7bbe78bf6c2ebd06c1: + title: 'USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k' + mainline: 3859e85de30815a20bce7db712ce3d94d40a682d + backport: af79b0b19953f31e510d5330cb6d3bb246b096a2 +a444c3fc264119801575ab086e03fb4952f23fd0: + title: 'usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()' + mainline: 6d3c721e686ea6c59e18289b400cc95c76e927e0 + backport: 4a1cba1a65533b8f9ece63c774c0bd1d265e14bf +d8418fd083d1b90a6c007cf8dcf81aeae274727b: + title: 'USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor' + mainline: a368ecde8a5055b627749b09c6218ef793043e47 + backport: d60eb2fd2445dd07125d1e450aa4c310d5baf190 +e2cb94465de92f6a840bc7eface420b30cc64aa0: + title: 'hpet: Support 32-bit userspace' + mainline: 4e60131d0d36af65ab9c9144f4f163fe97ae36e8 + backport: a43cf7b341011779151d27dd5bc52387d5f5f835 +1177afeca833174ba83504688eec898c6214f4bf: + title: 'libceph: fix race between delayed_work() and ceph_monc_stop()' + mainline: 69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 + backport: c618a1f6d3ecaa97aaf0283d9b89824e651bc013 +e5a1f7427f97bde4bda73c02106c3bde87696f8f: + title: 'tcp: refactor tcp_retransmit_timer()' + mainline: 0d580fbd2db084a5c96ee9c00492236a279d5e0f + skipped: squashed into 6d9175b95504d28045909631514d06660b4b1a9a +faa0a1fc2a0bb510b2381a5c7aa5b46e9a83d64a: + title: 'net: tcp: fix unexcepted socket die when snd_wnd is 0' + mainline: e89688e3e97868451a5d05b38a9d2633d6785cd4 + skipped: commit is already present in branch +0fe6516462392ffe355a45a1ada8d264a783430f: + title: 'tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()' + mainline: 36534d3c54537bf098224a32dc31397793d4594d + backport: bd19e77de5e3d3c721c8dc55e0d7f1b6a0117279 +7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4: + title: 'tcp: avoid too many retransmit packets' + mainline: 97a9063518f198ec0adb2ecb89789de342bb8283 + skipped: fixes patch not in branch +17866066b8ac1cc38fb449670bc15dc9fee4b40a: + title: 'SUNRPC: Fix RPC client cleaned up the freed pipefs dentries' + mainline: bfca5fb4e97c46503ddfc582335917b0cc228264 + skipped: commit is already present in branch +ff9767ba2cb949701e45e6e4287f8af82986b703: + title: 'nilfs2: fix kernel bug on rename operation of broken directory' + mainline: a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 + backport: 2a8372159bc037d3c15b66659a35ca18a0a61d98 +a291702b35433e4948476b79c034a21fd2b5ebc8: + title: 'i2c: rcar: bring hardware to known state when probing' + mainline: 4e36c0f20cb1c74c7bd7ea31ba432c1c4a989031 + backport: e0aa415e86deeac3ffde591fc5fd5e4a13e9ff23 diff --git a/Makefile b/Makefile index 369fa2adf31a..1495f89ca09d 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 VERSION = 4 PATCHLEVEL = 14 -SUBLEVEL = 350 +SUBLEVEL = 351 EXTRAVERSION = -openela NAME = Petit Gorille From c133012a813396eefedf1bfa049efe8015b98812 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Mon, 7 Aug 2023 09:41:19 -0700 Subject: [PATCH 59/90] gcc-plugins: Rename last_stmt() for GCC 14+ commit 2e3f65ccfe6b0778b261ad69c9603ae85f210334 upstream. In GCC 14, last_stmt() was renamed to last_nondebug_stmt(). Add a helper macro to handle the renaming. Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook Cc: Thomas Meyer Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 2d05669ce1f18c1bc51476980a0e8bd107682546) Signed-off-by: Harshit Mogalapalli --- scripts/gcc-plugins/gcc-common.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h index 01312b1d6294..b8a1fc6f1fd0 100644 --- a/scripts/gcc-plugins/gcc-common.h +++ b/scripts/gcc-plugins/gcc-common.h @@ -971,4 +971,8 @@ static inline void debug_gimple_stmt(const_gimple s) #define SET_DECL_MODE(decl, mode) DECL_MODE(decl) = (mode) #endif +#if BUILDING_GCC_VERSION >= 14000 +#define last_stmt(x) last_nondebug_stmt(x) +#endif + #endif From 2eb33ecdc2e4a03f4b673a04428924293b58cd7e Mon Sep 17 00:00:00 2001 From: Saurav Kashyap Date: Wed, 15 May 2024 14:41:01 +0530 Subject: [PATCH 60/90] scsi: qedf: Set qed_slowpath_params to zero before use [ Upstream commit 6c3bb589debd763dc4b94803ddf3c13b4fcca776 ] Zero qed_slowpath_params before use. Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Link: https://lore.kernel.org/r/20240515091101.18754-4-skashyap@marvell.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin (cherry picked from commit 9656f9540fa3949dfb65e9f18d263bbd96778831) Signed-off-by: Harshit Mogalapalli --- drivers/scsi/qedf/qedf_main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c index 7756901f99da..b1630a894c22 100644 --- a/drivers/scsi/qedf/qedf_main.c +++ b/drivers/scsi/qedf/qedf_main.c @@ -3046,6 +3046,7 @@ static int __qedf_probe(struct pci_dev *pdev, int mode) } /* Start the Slowpath-process */ + memset(&slowpath_params, 0, sizeof(struct qed_slowpath_params)); slowpath_params.int_mode = QED_INT_MODE_MSIX; slowpath_params.drv_major = QEDF_DRIVER_MAJOR_VER; slowpath_params.drv_minor = QEDF_DRIVER_MINOR_VER; From 7af36fe3934a05c3df07dac10732c2f2097fa9eb Mon Sep 17 00:00:00 2001 From: Armin Wolf Date: Wed, 22 May 2024 23:36:48 +0200 Subject: [PATCH 61/90] ACPI: EC: Abort address space access upon error [ Upstream commit f6f172dc6a6d7775b2df6adfd1350700e9a847ec ] When a multi-byte address space access is requested, acpi_ec_read()/ acpi_ec_write() is being called multiple times. Abort such operations if a single call to acpi_ec_read() / acpi_ec_write() fails, as the data read from / written to the EC might be incomplete. Signed-off-by: Armin Wolf Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin (cherry picked from commit 52a1125633abf465f59d184020add71616b87efa) Signed-off-by: Harshit Mogalapalli --- drivers/acpi/ec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c index 1dedab328c46..1ca18348eed2 100644 --- a/drivers/acpi/ec.c +++ b/drivers/acpi/ec.c @@ -1312,10 +1312,13 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, if (ec->busy_polling || bits > 8) acpi_ec_burst_enable(ec); - for (i = 0; i < bytes; ++i, ++address, ++value) + for (i = 0; i < bytes; ++i, ++address, ++value) { result = (function == ACPI_READ) ? acpi_ec_read(ec, address, value) : acpi_ec_write(ec, address, *value); + if (result < 0) + break; + } if (ec->busy_polling || bits > 8) acpi_ec_burst_disable(ec); From af32f802de713de4b0a2b4f6e97c8e1ca9dfc758 Mon Sep 17 00:00:00 2001 From: Armin Wolf Date: Wed, 22 May 2024 23:36:49 +0200 Subject: [PATCH 62/90] ACPI: EC: Avoid returning AE_OK on errors in address space handler [ Upstream commit c4bd7f1d78340e63de4d073fd3dbe5391e2996e5 ] If an error code other than EINVAL, ENODEV or ETIME is returned by acpi_ec_read() / acpi_ec_write(), then AE_OK is incorrectly returned by acpi_ec_space_handler(). Fix this by only returning AE_OK on success, and return AE_ERROR otherwise. Signed-off-by: Armin Wolf [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin (cherry picked from commit 286b25bf40251e940756371eae6c7e59fdbd6745) Signed-off-by: Harshit Mogalapalli --- drivers/acpi/ec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c index 1ca18348eed2..74c1fb90d886 100644 --- a/drivers/acpi/ec.c +++ b/drivers/acpi/ec.c @@ -1330,8 +1330,10 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, return AE_NOT_FOUND; case -ETIME: return AE_TIME; - default: + case 0: return AE_OK; + default: + return AE_ERROR; } } From 2fac830d7e5b9250a13d556a1d5125a1a2b351b4 Mon Sep 17 00:00:00 2001 From: Nicolas Escande Date: Mon, 27 May 2024 16:17:59 +0200 Subject: [PATCH 63/90] wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata [ Upstream commit 6f6291f09a322c1c1578badac8072d049363f4e6 ] With a ath9k device I can see that: iw phy phy0 interface add mesh0 type mp ip link set mesh0 up iw dev mesh0 scan Will start a scan with the Power Management bit set in the Frame Control Field. This is because we set this bit depending on the nonpeer_pm variable of the mesh iface sdata and when there are no active links on the interface it remains to NL80211_MESH_POWER_UNKNOWN. As soon as links starts to be established, it wil switch to NL80211_MESH_POWER_ACTIVE as it is the value set by befault on the per sta nonpeer_pm field. As we want no power save by default, (as expressed with the per sta ini values), lets init it to the expected default value of NL80211_MESH_POWER_ACTIVE. Also please note that we cannot change the default value from userspace prior to establishing a link as using NL80211_CMD_SET_MESH_CONFIG will not work before NL80211_CMD_JOIN_MESH has been issued. So too late for our initial scan. Signed-off-by: Nicolas Escande Link: https://msgid.link/20240527141759.299411-1-nico.escande@gmail.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin (cherry picked from commit 46487275e810d1e7c99f36af9fdfae0909c4e200) Signed-off-by: Harshit Mogalapalli --- net/mac80211/mesh.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c index c6edae051e9b..02bb3d20f111 100644 --- a/net/mac80211/mesh.c +++ b/net/mac80211/mesh.c @@ -1452,6 +1452,7 @@ void ieee80211_mesh_init_sdata(struct ieee80211_sub_if_data *sdata) ifmsh->last_preq = jiffies; ifmsh->next_perr = jiffies; ifmsh->csa_role = IEEE80211_MESH_CSA_ROLE_NONE; + ifmsh->nonpeer_pm = NL80211_MESH_POWER_ACTIVE; /* Allocate all mesh structures when creating the first mesh interface. */ if (!mesh_allocated) ieee80211s_init(); From 60882d697cfb5c6868f24649c60b8dd8d2703668 Mon Sep 17 00:00:00 2001 From: Dmitry Antipov Date: Fri, 17 May 2024 18:33:32 +0300 Subject: [PATCH 64/90] wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan() [ Upstream commit 92ecbb3ac6f3fe8ae9edf3226c76aa17b6800699 ] When testing the previous patch with CONFIG_UBSAN_BOUNDS, I've noticed the following: UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:372:4 index 0 is out of range for type 'struct ieee80211_channel *[]' CPU: 0 PID: 1435 Comm: wpa_supplicant Not tainted 6.9.0+ #1 Hardware name: LENOVO 20UN005QRT/20UN005QRT <...BIOS details...> Call Trace: dump_stack_lvl+0x2d/0x90 __ubsan_handle_out_of_bounds+0xe7/0x140 ? timerqueue_add+0x98/0xb0 ieee80211_prep_hw_scan+0x2db/0x480 [mac80211] ? __kmalloc+0xe1/0x470 __ieee80211_start_scan+0x541/0x760 [mac80211] rdev_scan+0x1f/0xe0 [cfg80211] nl80211_trigger_scan+0x9b6/0xae0 [cfg80211] ... Since '__ieee80211_start_scan()' leaves 'hw_scan_req->req.n_channels' uninitialized, actual boundaries of 'hw_scan_req->req.channels' can't be checked in 'ieee80211_prep_hw_scan()'. Although an initialization of 'hw_scan_req->req.n_channels' introduces some confusion around allocated vs. used VLA members, this shouldn't be a problem since everything is correctly adjusted soon in 'ieee80211_prep_hw_scan()'. Cleanup 'kmalloc()' math in '__ieee80211_start_scan()' by using the convenient 'struct_size()' as well. Signed-off-by: Dmitry Antipov Link: https://msgid.link/20240517153332.18271-2-dmantipov@yandex.ru [improve (imho) indentation a bit] Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin (cherry picked from commit cd3212a9e0209dff7eda30f01ab8590f5e8d92fb) [Harshit: add #include that was pulled in through some other unknown header on 4.19.y] Signed-off-by: Harshit Mogalapalli --- net/mac80211/scan.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index 5df8f393c119..7cd5f7596017 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "ieee80211_i.h" #include "driver-ops.h" @@ -592,15 +593,21 @@ static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata, local->hw_scan_ies_bufsize *= n_bands; } - local->hw_scan_req = kmalloc( - sizeof(*local->hw_scan_req) + - req->n_channels * sizeof(req->channels[0]) + - local->hw_scan_ies_bufsize, GFP_KERNEL); + local->hw_scan_req = kmalloc(struct_size(local->hw_scan_req, + req.channels, + req->n_channels) + + local->hw_scan_ies_bufsize, + GFP_KERNEL); if (!local->hw_scan_req) return -ENOMEM; local->hw_scan_req->req.ssids = req->ssids; local->hw_scan_req->req.n_ssids = req->n_ssids; + /* None of the channels are actually set + * up but let UBSAN know the boundaries. + */ + local->hw_scan_req->req.n_channels = req->n_channels; + ies = (u8 *)local->hw_scan_req + sizeof(*local->hw_scan_req) + req->n_channels * sizeof(req->channels[0]); From f995731405d60b4b3e3cb2c556625c5c3a786c8f Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Tue, 9 Jan 2018 11:34:15 -0800 Subject: [PATCH 65/90] Input: silead - add support for capactive home button found on some x86 tablets On some x86 tablets with a silead touchscreen the windows logo on the front is a capacitive home button. Touching this button results in a touch with bits 12-15 of the Y coordinates set, while normally only the lower 12 are used. Detect this and report a KEY_LEFTMETA press when this happens. Note for now we only respond to the Y coordinate bits 12-15 containing 0x01, on some tablets *without* a capacative button I've noticed these bits containing 0x04 when crossing the edges of the screen. Acked-by: Rob Herring Signed-off-by: Hans de Goede Signed-off-by: Dmitry Torokhov (cherry picked from commit eca3be9b95ac7cf9442654a54962859d74f8e38a) Signed-off-by: Harshit Mogalapalli --- .../input/touchscreen/silead_gsl1680.txt | 2 + drivers/input/touchscreen/silead.c | 46 ++++++++++++++----- 2 files changed, 37 insertions(+), 11 deletions(-) diff --git a/Documentation/devicetree/bindings/input/touchscreen/silead_gsl1680.txt b/Documentation/devicetree/bindings/input/touchscreen/silead_gsl1680.txt index 6aa625e0cb8d..84752de12412 100644 --- a/Documentation/devicetree/bindings/input/touchscreen/silead_gsl1680.txt +++ b/Documentation/devicetree/bindings/input/touchscreen/silead_gsl1680.txt @@ -23,6 +23,8 @@ Optional properties: - touchscreen-inverted-y : See touchscreen.txt - touchscreen-swapped-x-y : See touchscreen.txt - silead,max-fingers : maximum number of fingers the touchscreen can detect +- silead,home-button : Boolean, set to true on devices which have a + capacitive home-button build into the touchscreen - vddio-supply : regulator phandle for controller VDDIO - avdd-supply : regulator phandle for controller AVDD diff --git a/drivers/input/touchscreen/silead.c b/drivers/input/touchscreen/silead.c index 18c866129845..c21b0f6ab93d 100644 --- a/drivers/input/touchscreen/silead.c +++ b/drivers/input/touchscreen/silead.c @@ -57,7 +57,7 @@ #define SILEAD_POINT_Y_MSB_OFF 0x01 #define SILEAD_POINT_X_OFF 0x02 #define SILEAD_POINT_X_MSB_OFF 0x03 -#define SILEAD_TOUCH_ID_MASK 0xF0 +#define SILEAD_EXTRA_DATA_MASK 0xF0 #define SILEAD_CMD_SLEEP_MIN 10000 #define SILEAD_CMD_SLEEP_MAX 20000 @@ -110,6 +110,9 @@ static int silead_ts_request_input_dev(struct silead_ts_data *data) INPUT_MT_DIRECT | INPUT_MT_DROP_UNUSED | INPUT_MT_TRACK); + if (device_property_read_bool(dev, "silead,home-button")) + input_set_capability(data->input, EV_KEY, KEY_LEFTMETA); + data->input->name = SILEAD_TS_NAME; data->input->phys = "input/ts"; data->input->id.bustype = BUS_I2C; @@ -140,7 +143,8 @@ static void silead_ts_read_data(struct i2c_client *client) struct input_dev *input = data->input; struct device *dev = &client->dev; u8 *bufp, buf[SILEAD_TS_DATA_LEN]; - int touch_nr, error, i; + int touch_nr, softbutton, error, i; + bool softbutton_pressed = false; error = i2c_smbus_read_i2c_block_data(client, SILEAD_REG_DATA, SILEAD_TS_DATA_LEN, buf); @@ -149,21 +153,40 @@ static void silead_ts_read_data(struct i2c_client *client) return; } - touch_nr = buf[0]; - if (touch_nr > data->max_fingers) { + if (buf[0] > data->max_fingers) { dev_warn(dev, "More touches reported then supported %d > %d\n", - touch_nr, data->max_fingers); - touch_nr = data->max_fingers; + buf[0], data->max_fingers); + buf[0] = data->max_fingers; } + touch_nr = 0; bufp = buf + SILEAD_POINT_DATA_LEN; - for (i = 0; i < touch_nr; i++, bufp += SILEAD_POINT_DATA_LEN) { - /* Bits 4-7 are the touch id */ - data->id[i] = (bufp[SILEAD_POINT_X_MSB_OFF] & - SILEAD_TOUCH_ID_MASK) >> 4; - touchscreen_set_mt_pos(&data->pos[i], &data->prop, + for (i = 0; i < buf[0]; i++, bufp += SILEAD_POINT_DATA_LEN) { + softbutton = (bufp[SILEAD_POINT_Y_MSB_OFF] & + SILEAD_EXTRA_DATA_MASK) >> 4; + + if (softbutton) { + /* + * For now only respond to softbutton == 0x01, some + * tablets *without* a capacative button send 0x04 + * when crossing the edges of the screen. + */ + if (softbutton == 0x01) + softbutton_pressed = true; + + continue; + } + + /* + * Bits 4-7 are the touch id, note not all models have + * hardware touch ids so atm we don't use these. + */ + data->id[touch_nr] = (bufp[SILEAD_POINT_X_MSB_OFF] & + SILEAD_EXTRA_DATA_MASK) >> 4; + touchscreen_set_mt_pos(&data->pos[touch_nr], &data->prop, get_unaligned_le16(&bufp[SILEAD_POINT_X_OFF]) & 0xfff, get_unaligned_le16(&bufp[SILEAD_POINT_Y_OFF]) & 0xfff); + touch_nr++; } input_mt_assign_slots(input, data->slots, data->pos, touch_nr, 0); @@ -179,6 +202,7 @@ static void silead_ts_read_data(struct i2c_client *client) } input_mt_sync_frame(input); + input_report_key(input, KEY_LEFTMETA, softbutton_pressed); input_sync(input); } From 1501ce3d5bfea3a1e8aaec61b878f20d8a93dfcb Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Sat, 25 May 2024 21:38:53 +0200 Subject: [PATCH 66/90] Input: silead - Always support 10 fingers [ Upstream commit 38a38f5a36da9820680d413972cb733349400532 ] When support for Silead touchscreens was orginal added some touchscreens with older firmware versions only supported 5 fingers and this was made the default requiring the setting of a "silead,max-fingers=10" uint32 device-property for all touchscreen models which do support 10 fingers. There are very few models with the old 5 finger fw, so in practice the setting of the "silead,max-fingers=10" is boilerplate which needs to be copy and pasted to every touchscreen config. Reporting that 10 fingers are supported on devices which only support 5 fingers doesn't cause any problems for userspace in practice, since at max 4 finger gestures are supported anyways. Drop the max_fingers configuration and simply always assume 10 fingers. Signed-off-by: Hans de Goede Acked-by: Dmitry Torokhov Link: https://lore.kernel.org/r/20240525193854.39130-2-hdegoede@redhat.com Signed-off-by: Sasha Levin (cherry picked from commit ce0368a52554d213c5cd447ba786b54390a845e1) Signed-off-by: Harshit Mogalapalli --- drivers/input/touchscreen/silead.c | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/drivers/input/touchscreen/silead.c b/drivers/input/touchscreen/silead.c index c21b0f6ab93d..07a64b2d510e 100644 --- a/drivers/input/touchscreen/silead.c +++ b/drivers/input/touchscreen/silead.c @@ -78,7 +78,6 @@ struct silead_ts_data { struct regulator_bulk_data regulators[2]; char fw_name[64]; struct touchscreen_properties prop; - u32 max_fingers; u32 chip_id; struct input_mt_pos pos[SILEAD_MAX_FINGERS]; int slots[SILEAD_MAX_FINGERS]; @@ -106,7 +105,7 @@ static int silead_ts_request_input_dev(struct silead_ts_data *data) input_set_abs_params(data->input, ABS_MT_POSITION_Y, 0, 4095, 0, 0); touchscreen_parse_properties(data->input, true, &data->prop); - input_mt_init_slots(data->input, data->max_fingers, + input_mt_init_slots(data->input, SILEAD_MAX_FINGERS, INPUT_MT_DIRECT | INPUT_MT_DROP_UNUSED | INPUT_MT_TRACK); @@ -153,10 +152,10 @@ static void silead_ts_read_data(struct i2c_client *client) return; } - if (buf[0] > data->max_fingers) { + if (buf[0] > SILEAD_MAX_FINGERS) { dev_warn(dev, "More touches reported then supported %d > %d\n", - buf[0], data->max_fingers); - buf[0] = data->max_fingers; + buf[0], SILEAD_MAX_FINGERS); + buf[0] = SILEAD_MAX_FINGERS; } touch_nr = 0; @@ -208,7 +207,6 @@ static void silead_ts_read_data(struct i2c_client *client) static int silead_ts_init(struct i2c_client *client) { - struct silead_ts_data *data = i2c_get_clientdata(client); int error; error = i2c_smbus_write_byte_data(client, SILEAD_REG_RESET, @@ -218,7 +216,7 @@ static int silead_ts_init(struct i2c_client *client) usleep_range(SILEAD_CMD_SLEEP_MIN, SILEAD_CMD_SLEEP_MAX); error = i2c_smbus_write_byte_data(client, SILEAD_REG_TOUCH_NR, - data->max_fingers); + SILEAD_MAX_FINGERS); if (error) goto i2c_write_err; usleep_range(SILEAD_CMD_SLEEP_MIN, SILEAD_CMD_SLEEP_MAX); @@ -445,13 +443,6 @@ static void silead_ts_read_props(struct i2c_client *client) const char *str; int error; - error = device_property_read_u32(dev, "silead,max-fingers", - &data->max_fingers); - if (error) { - dev_dbg(dev, "Max fingers read error %d\n", error); - data->max_fingers = 5; /* Most devices handle up-to 5 fingers */ - } - error = device_property_read_string(dev, "firmware-name", &str); if (!error) snprintf(data->fw_name, sizeof(data->fw_name), From 6e6d94454bba0055f8d77d3bb42d49c369e80e95 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Fri, 31 May 2024 13:26:35 +0000 Subject: [PATCH 67/90] ila: block BH in ila_output() [ Upstream commit cf28ff8e4c02e1ffa850755288ac954b6ff0db8c ] As explained in commit 1378817486d6 ("tipc: block BH before using dst_cache"), net/core/dst_cache.c helpers need to be called with BH disabled. ila_output() is called from lwtunnel_output() possibly from process context, and under rcu_read_lock(). We might be interrupted by a softirq, re-enter ila_output() and corrupt dst_cache data structures. Fix the race by using local_bh_disable(). Signed-off-by: Eric Dumazet Acked-by: Paolo Abeni Link: https://lore.kernel.org/r/20240531132636.2637995-5-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 7435bd2f84a25aba607030237261b3795ba782da) Signed-off-by: Harshit Mogalapalli --- net/ipv6/ila/ila_lwt.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/ipv6/ila/ila_lwt.c b/net/ipv6/ila/ila_lwt.c index 696281b4bca2..9cd665061c23 100644 --- a/net/ipv6/ila/ila_lwt.c +++ b/net/ipv6/ila/ila_lwt.c @@ -55,7 +55,9 @@ static int ila_output(struct net *net, struct sock *sk, struct sk_buff *skb) return orig_dst->lwtstate->orig_output(net, sk, skb); } + local_bh_disable(); dst = dst_cache_get(&ilwt->dst_cache); + local_bh_enable(); if (unlikely(!dst)) { struct ipv6hdr *ip6h = ipv6_hdr(skb); struct flowi6 fl6; @@ -83,8 +85,11 @@ static int ila_output(struct net *net, struct sock *sk, struct sk_buff *skb) goto drop; } - if (ilwt->connected) + if (ilwt->connected) { + local_bh_disable(); dst_cache_set_ip6(&ilwt->dst_cache, dst, &fl6.saddr); + local_bh_enable(); + } } skb_dst_set(skb, dst); From 265ba671aaff09b4531db6875d668dfb4efd716a Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Sun, 2 Jun 2024 03:20:40 +0900 Subject: [PATCH 68/90] kconfig: gconf: give a proper initial state to the Save button [ Upstream commit 46edf4372e336ef3a61c3126e49518099d2e2e6d ] Currently, the initial state of the "Save" button is always active. If none of the CONFIG options are changed while loading the .config file, the "Save" button should be greyed out. This can be fixed by calling conf_read() after widget initialization. Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin (cherry picked from commit b6d6a91b584a022424d99264741bdfa6b336c83b) Signed-off-by: Harshit Mogalapalli --- scripts/kconfig/gconf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c index cfddddb9c9d7..2d0209a008db 100644 --- a/scripts/kconfig/gconf.c +++ b/scripts/kconfig/gconf.c @@ -1488,7 +1488,6 @@ int main(int ac, char *av[]) conf_parse(name); fixup_rootmenu(&rootmenu); - conf_read(NULL); /* Load the interface and connect signals */ init_main_window(glade_file); @@ -1496,6 +1495,8 @@ int main(int ac, char *av[]) init_left_tree(); init_right_tree(); + conf_read(NULL); + switch (view_mode) { case SINGLE_VIEW: display_tree_part(); From 692c2ebeacc0c82e6c088e5a6f63ff9395a2082e Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 4 Jun 2024 01:19:04 +0900 Subject: [PATCH 69/90] kconfig: remove wrong expr_trans_bool() [ Upstream commit 77a92660d8fe8d29503fae768d9f5eb529c88b36 ] expr_trans_bool() performs an incorrect transformation. [Test Code] config MODULES def_bool y modules config A def_bool y select C if B != n config B def_tristate m config C tristate [Result] CONFIG_MODULES=y CONFIG_A=y CONFIG_B=m CONFIG_C=m This output is incorrect because CONFIG_C=y is expected. Documentation/kbuild/kconfig-language.rst clearly explains the function of the '!=' operator: If the values of both symbols are equal, it returns 'n', otherwise 'y'. Therefore, the statement: select C if B != n should be equivalent to: select C if y Or, more simply: select C Hence, the symbol C should be selected by the value of A, which is 'y'. However, expr_trans_bool() wrongly transforms it to: select C if B Therefore, the symbol C is selected by (A && B), which is 'm'. The comment block of expr_trans_bool() correctly explains its intention: * bool FOO!=n => FOO ^^^^ If FOO is bool, FOO!=n can be simplified into FOO. This is correct. However, the actual code performs this transformation when FOO is tristate: if (e->left.sym->type == S_TRISTATE) { ^^^^^^^^^^ While it can be fixed to S_BOOLEAN, there is no point in doing so because expr_tranform() already transforms FOO!=n to FOO when FOO is bool. (see the "case E_UNEQUAL" part) expr_trans_bool() is wrong and unnecessary. Signed-off-by: Masahiro Yamada Acked-by: Randy Dunlap Signed-off-by: Sasha Levin (cherry picked from commit b366d89859fe7b58894b3698844b551fe32f892a) Signed-off-by: Harshit Mogalapalli --- scripts/kconfig/expr.c | 29 ----------------------------- scripts/kconfig/expr.h | 1 - scripts/kconfig/menu.c | 2 -- 3 files changed, 32 deletions(-) diff --git a/scripts/kconfig/expr.c b/scripts/kconfig/expr.c index 96420b620963..d090cd4ae251 100644 --- a/scripts/kconfig/expr.c +++ b/scripts/kconfig/expr.c @@ -333,35 +333,6 @@ static struct expr *expr_eliminate_yn(struct expr *e) return e; } -/* - * bool FOO!=n => FOO - */ -struct expr *expr_trans_bool(struct expr *e) -{ - if (!e) - return NULL; - switch (e->type) { - case E_AND: - case E_OR: - case E_NOT: - e->left.expr = expr_trans_bool(e->left.expr); - e->right.expr = expr_trans_bool(e->right.expr); - break; - case E_UNEQUAL: - // FOO!=n -> FOO - if (e->left.sym->type == S_TRISTATE) { - if (e->right.sym == &symbol_no) { - e->type = E_SYMBOL; - e->right.sym = NULL; - } - } - break; - default: - ; - } - return e; -} - /* * e1 || e2 -> ? */ diff --git a/scripts/kconfig/expr.h b/scripts/kconfig/expr.h index a73f762c48d6..1cb40b270e16 100644 --- a/scripts/kconfig/expr.h +++ b/scripts/kconfig/expr.h @@ -211,7 +211,6 @@ struct expr *expr_copy(const struct expr *org); void expr_free(struct expr *e); void expr_eliminate_eq(struct expr **ep1, struct expr **ep2); tristate expr_calc_value(struct expr *e); -struct expr *expr_trans_bool(struct expr *e); struct expr *expr_eliminate_dups(struct expr *e); struct expr *expr_transform(struct expr *e); int expr_contains_symbol(struct expr *dep, struct symbol *sym); diff --git a/scripts/kconfig/menu.c b/scripts/kconfig/menu.c index 749c2bd5fc51..e7fb6a212637 100644 --- a/scripts/kconfig/menu.c +++ b/scripts/kconfig/menu.c @@ -330,8 +330,6 @@ void menu_finalize(struct menu *parent) dep = expr_transform(prop->visible.expr); dep = expr_alloc_and(expr_copy(basedep), dep); dep = expr_eliminate_dups(dep); - if (menu->sym && menu->sym->type != S_TRISTATE) - dep = expr_trans_bool(dep); prop->visible.expr = dep; if (prop->type == P_SELECT) { struct symbol *es = prop_get_symbol(prop); From 8d3da24eb73289dde20e54b84c848e61ae0138b0 Mon Sep 17 00:00:00 2001 From: Yuntao Wang Date: Thu, 30 May 2024 00:06:56 +0800 Subject: [PATCH 70/90] fs/file: fix the check in find_next_fd() [ Upstream commit ed8c7fbdfe117abbef81f65428ba263118ef298a ] The maximum possible return value of find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) is maxbit. This return value, multiplied by BITS_PER_LONG, gives the value of bitbit, which can never be greater than maxfd, it can only be equal to maxfd at most, so the following check 'if (bitbit > maxfd)' will never be true. Moreover, when bitbit equals maxfd, it indicates that there are no unused fds, and the function can directly return. Fix this check. Signed-off-by: Yuntao Wang Link: https://lore.kernel.org/r/20240529160656.209352-1-yuntao.wang@linux.dev Reviewed-by: Jan Kara Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin (cherry picked from commit 5611e11988535125b3a05305680851ff587702a9) Signed-off-by: Harshit Mogalapalli --- fs/file.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/file.c b/fs/file.c index eac95f11003a..281c34963b2b 100644 --- a/fs/file.c +++ b/fs/file.c @@ -467,12 +467,12 @@ struct files_struct init_files = { static unsigned int find_next_fd(struct fdtable *fdt, unsigned int start) { - unsigned int maxfd = fdt->max_fds; + unsigned int maxfd = fdt->max_fds; /* always multiple of BITS_PER_LONG */ unsigned int maxbit = maxfd / BITS_PER_LONG; unsigned int bitbit = start / BITS_PER_LONG; bitbit = find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) * BITS_PER_LONG; - if (bitbit > maxfd) + if (bitbit >= maxfd) return maxfd; if (bitbit > start) start = bitbit; From cdb32323efca90437116ce55ba43da736ecad374 Mon Sep 17 00:00:00 2001 From: Alexander Usyskin Date: Thu, 30 May 2024 12:14:15 +0300 Subject: [PATCH 71/90] mei: demote client disconnect warning on suspend to debug [ Upstream commit 1db5322b7e6b58e1b304ce69a50e9dca798ca95b ] Change level for the "not connected" client message in the write callback from error to debug. The MEI driver currently disconnects all clients upon system suspend. This behavior is by design and user-space applications with open connections before the suspend are expected to handle errors upon resume, by reopening their handles, reconnecting, and retrying their operations. However, the current driver implementation logs an error message every time a write operation is attempted on a disconnected client. Since this is a normal and expected flow after system resume logging this as an error can be misleading. Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20240530091415.725247-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit bd2a753fa12cf3d28726a4bf067398514e52d57c) Signed-off-by: Harshit Mogalapalli --- drivers/misc/mei/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c index 8d1d40dbf744..de840cec7284 100644 --- a/drivers/misc/mei/main.c +++ b/drivers/misc/mei/main.c @@ -271,7 +271,7 @@ static ssize_t mei_write(struct file *file, const char __user *ubuf, } if (!mei_cl_is_connected(cl)) { - cl_err(dev, cl, "is not connected"); + cl_dbg(dev, cl, "is not connected"); rets = -ENODEV; goto out; } From 56e8fc1b0ac2a752cba13ccd0e128f7eaadcd8d0 Mon Sep 17 00:00:00 2001 From: Dmitry Antipov Date: Fri, 31 May 2024 06:20:10 +0300 Subject: [PATCH 72/90] wifi: cfg80211: wext: add extra SIOCSIWSCAN data check [ Upstream commit 6ef09cdc5ba0f93826c09d810c141a8d103a80fc ] In 'cfg80211_wext_siwscan()', add extra check whether number of channels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed IW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise. Reported-by: syzbot+253cd2d2491df77c93ac@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=253cd2d2491df77c93ac Signed-off-by: Dmitry Antipov Link: https://msgid.link/20240531032010.451295-1-dmantipov@yandex.ru Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin (cherry picked from commit b02ba9a0b55b762bd04743a22f3d9f9645005e79) Signed-off-by: Harshit Mogalapalli --- net/wireless/scan.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 88fe0e8e8b18..b8d89bef467e 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1400,10 +1400,14 @@ int cfg80211_wext_siwscan(struct net_device *dev, wiphy = &rdev->wiphy; /* Determine number of channels, needed to allocate creq */ - if (wreq && wreq->num_channels) + if (wreq && wreq->num_channels) { + /* Passed from userspace so should be checked */ + if (unlikely(wreq->num_channels > IW_MAX_FREQUENCIES)) + return -EINVAL; n_channels = wreq->num_channels; - else + } else { n_channels = ieee80211_get_num_supported_channels(wiphy); + } creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) + n_channels * sizeof(void *), From 0eafa6b4fdf53fdc8b8924325f994fe4ed0700a7 Mon Sep 17 00:00:00 2001 From: Jonathan Denose Date: Fri, 3 May 2024 16:12:07 +0000 Subject: [PATCH 73/90] Input: elantech - fix touchpad state on resume for Lenovo N24 [ Upstream commit a69ce592cbe0417664bc5a075205aa75c2ec1273 ] The Lenovo N24 on resume becomes stuck in a state where it sends incorrect packets, causing elantech_packet_check_v4 to fail. The only way for the device to resume sending the correct packets is for it to be disabled and then re-enabled. This change adds a dmi check to trigger this behavior on resume. Signed-off-by: Jonathan Denose Link: https://lore.kernel.org/r/20240503155020.v2.1.Ifa0e25ebf968d8f307f58d678036944141ab17e6@changeid Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin (cherry picked from commit 9b6a1cb833dc8ceab3fbc45a261a8dd37c4f8013) Signed-off-by: Harshit Mogalapalli --- drivers/input/mouse/elantech.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c index 5324f0a3fd73..38746efe70a9 100644 --- a/drivers/input/mouse/elantech.c +++ b/drivers/input/mouse/elantech.c @@ -1519,16 +1519,47 @@ static void elantech_disconnect(struct psmouse *psmouse) psmouse->private = NULL; } +/* + * Some hw_version 4 models fail to properly activate absolute mode on + * resume without going through disable/enable cycle. + */ +static const struct dmi_system_id elantech_needs_reenable[] = { +#if defined(CONFIG_DMI) && defined(CONFIG_X86) + { + /* Lenovo N24 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "81AF"), + }, + }, +#endif + { } +}; + /* * Put the touchpad back into absolute mode when reconnecting */ static int elantech_reconnect(struct psmouse *psmouse) { + int err; + psmouse_reset(psmouse); if (elantech_detect(psmouse, 0)) return -1; + if (dmi_check_system(elantech_needs_reenable)) { + err = ps2_command(&psmouse->ps2dev, NULL, PSMOUSE_CMD_DISABLE); + if (err) + psmouse_warn(psmouse, "failed to deactivate mouse on %s: %d\n", + psmouse->ps2dev.serio->phys, err); + + err = ps2_command(&psmouse->ps2dev, NULL, PSMOUSE_CMD_ENABLE); + if (err) + psmouse_warn(psmouse, "failed to reactivate mouse on %s: %d\n", + psmouse->ps2dev.serio->phys, err); + } + if (elantech_set_absolute_mode(psmouse)) { psmouse_err(psmouse, "failed to put touchpad back into absolute mode.\n"); From 2ba3ceb092c9ac54204c7416bfa884d37f59bd1a Mon Sep 17 00:00:00 2001 From: Heiko Carstens Date: Fri, 14 Jun 2024 18:09:01 +0200 Subject: [PATCH 74/90] s390/sclp: Fix sclp_init() cleanup on failure [ Upstream commit 6434b33faaa063df500af355ee6c3942e0f8d982 ] If sclp_init() fails it only partially cleans up: if there are multiple failing calls to sclp_init() sclp_state_change_event will be added several times to sclp_reg_list, which results in the following warning: ------------[ cut here ]------------ list_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10. WARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3 Krnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 ... Call Trace: [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8 ([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8) [<000003ffe0a8d37e>] sclp_init+0x40e/0x450 [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0 [<000003ffe15b77a6>] do_initcalls+0x126/0x150 [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8 [<000003ffe0d6650e>] kernel_init+0x2e/0x180 [<000003ffe000301c>] __ret_from_fork+0x3c/0x60 [<000003ffe0d759ca>] ret_from_fork+0xa/0x30 Fix this by removing sclp_state_change_event from sclp_reg_list when sclp_init() fails. Reviewed-by: Peter Oberparleiter Signed-off-by: Heiko Carstens Signed-off-by: Alexander Gordeev Signed-off-by: Sasha Levin (cherry picked from commit a778987afc36d5dc02a1f82d352a81edcaf7eb83) Signed-off-by: Harshit Mogalapalli --- drivers/s390/char/sclp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/s390/char/sclp.c b/drivers/s390/char/sclp.c index 41d8aa96801f..8e8f2e49cb6d 100644 --- a/drivers/s390/char/sclp.c +++ b/drivers/s390/char/sclp.c @@ -1187,6 +1187,7 @@ sclp_init(void) fail_unregister_reboot_notifier: unregister_reboot_notifier(&sclp_reboot_notifier); fail_init_state_uninitialized: + list_del(&sclp_state_change_event.list); sclp_init_state = sclp_init_state_uninitialized; fail_unlock: spin_unlock_irqrestore(&sclp_lock, flags); From f78b195536a163671b4aa1b85b88e432919c79f9 Mon Sep 17 00:00:00 2001 From: Shengjiu Wang Date: Thu, 20 Jun 2024 10:40:18 +0800 Subject: [PATCH 75/90] ALSA: dmaengine_pcm: terminate dmaengine before synchronize [ Upstream commit 6a7db25aad8ce6512b366d2ce1d0e60bac00a09d ] When dmaengine supports pause function, in suspend state, dmaengine_pause() is called instead of dmaengine_terminate_async(), In end of playback stream, the runtime->state will go to SNDRV_PCM_STATE_DRAINING, if system suspend & resume happen at this time, application will not resume playback stream, the stream will be closed directly, the dmaengine_terminate_async() will not be called before the dmaengine_synchronize(), which violates the call sequence for dmaengine_synchronize(). This behavior also happens for capture streams, but there is no SNDRV_PCM_STATE_DRAINING state for capture. So use dmaengine_tx_status() to check the DMA status if the status is DMA_PAUSED, then call dmaengine_terminate_async() to terminate dmaengine before dmaengine_synchronize(). Signed-off-by: Shengjiu Wang Link: https://patch.msgid.link/1718851218-27803-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin (cherry picked from commit fe0a6e7eb38f9d5396f6ff548186a6cd62c08b1a) Signed-off-by: Harshit Mogalapalli --- sound/core/pcm_dmaengine.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/sound/core/pcm_dmaengine.c b/sound/core/pcm_dmaengine.c index 6f6da1128edc..80188d5c1118 100644 --- a/sound/core/pcm_dmaengine.c +++ b/sound/core/pcm_dmaengine.c @@ -354,6 +354,12 @@ EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_open_request_chan); int snd_dmaengine_pcm_close(struct snd_pcm_substream *substream) { struct dmaengine_pcm_runtime_data *prtd = substream_to_prtd(substream); + struct dma_tx_state state; + enum dma_status status; + + status = dmaengine_tx_status(prtd->dma_chan, prtd->cookie, &state); + if (status == DMA_PAUSED) + dmaengine_terminate_async(prtd->dma_chan); dmaengine_synchronize(prtd->dma_chan); kfree(prtd); @@ -371,6 +377,12 @@ EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_close); int snd_dmaengine_pcm_close_release_chan(struct snd_pcm_substream *substream) { struct dmaengine_pcm_runtime_data *prtd = substream_to_prtd(substream); + struct dma_tx_state state; + enum dma_status status; + + status = dmaengine_tx_status(prtd->dma_chan, prtd->cookie, &state); + if (status == DMA_PAUSED) + dmaengine_terminate_async(prtd->dma_chan); dmaengine_synchronize(prtd->dma_chan); dma_release_channel(prtd->dma_chan); From c16c01ccdd91f3d7764c0e63da5ba2274eb031a8 Mon Sep 17 00:00:00 2001 From: Daniele Palmas Date: Tue, 25 Jun 2024 12:22:36 +0200 Subject: [PATCH 76/90] net: usb: qmi_wwan: add Telit FN912 compositions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 77453e2b015b5ced5b3f45364dd5a72dfc3bdecb ] Add the following Telit FN912 compositions: 0x3000: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag) T: Bus=03 Lev=01 Prnt=03 Port=07 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=3000 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FN912 S: SerialNumber=92c4c4d8 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x3001: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb T: Bus=03 Lev=01 Prnt=03 Port=07 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=3001 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FN912 S: SerialNumber=92c4c4d8 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Daniele Palmas Acked-by: Bjørn Mork Link: https://patch.msgid.link/20240625102236.69539-1-dnlplm@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 6f5c552bb803ac30a746addc91b3da9b94b48c4d) Signed-off-by: Harshit Mogalapalli --- drivers/net/usb/qmi_wwan.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c index ec09ef974302..facd37cae259 100644 --- a/drivers/net/usb/qmi_wwan.c +++ b/drivers/net/usb/qmi_wwan.c @@ -1326,6 +1326,8 @@ static const struct usb_device_id products[] = { {QMI_QUIRK_SET_DTR(0x1bc7, 0x1260, 2)}, /* Telit LE910Cx */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1261, 2)}, /* Telit LE910Cx */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1900, 1)}, /* Telit LN940 series */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x3000, 0)}, /* Telit FN912 series */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x3001, 0)}, /* Telit FN912 series */ {QMI_FIXED_INTF(0x1c9e, 0x9801, 3)}, /* Telewell TW-3G HSPA+ */ {QMI_FIXED_INTF(0x1c9e, 0x9803, 4)}, /* Telewell TW-3G HSPA+ */ {QMI_FIXED_INTF(0x1c9e, 0x9b01, 3)}, /* XS Stick W100-2 from 4G Systems */ From eef43c3ccb72817061d1c663129fc04ff09de4a6 Mon Sep 17 00:00:00 2001 From: Yunshui Jiang Date: Fri, 31 May 2024 16:07:39 +0800 Subject: [PATCH 77/90] net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() [ Upstream commit b8ec0dc3845f6c9089573cb5c2c4b05f7fc10728 ] mac802154 devices update their dev->stats fields locklessly. Therefore these counters should be updated atomically. Adopt SMP safe DEV_STATS_INC() and DEV_STATS_ADD() to achieve this. Signed-off-by: Yunshui Jiang Message-ID: <20240531080739.2608969-1-jiangyunshui@kylinos.cn> Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin (cherry picked from commit 77cfeb27b8ded33c3f4023a24a2d1517ad4e4893) Signed-off-by: Harshit Mogalapalli --- net/mac802154/tx.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c index 2f873a0dc583..0f192174a569 100644 --- a/net/mac802154/tx.c +++ b/net/mac802154/tx.c @@ -42,8 +42,8 @@ void ieee802154_xmit_worker(struct work_struct *work) if (res) goto err_tx; - dev->stats.tx_packets++; - dev->stats.tx_bytes += skb->len; + DEV_STATS_INC(dev, tx_packets); + DEV_STATS_ADD(dev, tx_bytes, skb->len); ieee802154_xmit_complete(&local->hw, skb, false); @@ -94,8 +94,8 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb) goto err_tx; } - dev->stats.tx_packets++; - dev->stats.tx_bytes += len; + DEV_STATS_INC(dev, tx_packets); + DEV_STATS_ADD(dev, tx_bytes, len); } else { local->tx_skb = skb; queue_work(local->workqueue, &local->tx_work); From 43df6e148cb43ad243a345291d8ddc2cea7786ce Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Mon, 10 Jun 2024 20:00:32 +0900 Subject: [PATCH 78/90] Bluetooth: hci_core: cancel all works upon hci_unregister_dev() [ Upstream commit 0d151a103775dd9645c78c97f77d6e2a5298d913 ] syzbot is reporting that calling hci_release_dev() from hci_error_reset() due to hci_dev_put() from hci_error_reset() can cause deadlock at destroy_workqueue(), for hci_error_reset() is called from hdev->req_workqueue which destroy_workqueue() needs to flush. We need to make sure that hdev->{rx_work,cmd_work,tx_work} which are queued into hdev->workqueue and hdev->{power_on,error_reset} which are queued into hdev->req_workqueue are no longer running by the moment destroy_workqueue(hdev->workqueue); destroy_workqueue(hdev->req_workqueue); are called from hci_release_dev(). Call cancel_work_sync() on these work items from hci_unregister_dev() as soon as hdev->list is removed from hci_dev_list. Reported-by: syzbot Closes: https://syzkaller.appspot.com/bug?extid=da0a9c9721e36db712e8 Signed-off-by: Tetsuo Handa Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin (cherry picked from commit 48542881997e17b49dc16b93fe910e0cfcf7a9f9) Signed-off-by: Harshit Mogalapalli --- net/bluetooth/hci_core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 5a6bef003eba..570cf275d2bc 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -3208,7 +3208,11 @@ void hci_unregister_dev(struct hci_dev *hdev) list_del(&hdev->list); write_unlock(&hci_dev_list_lock); + cancel_work_sync(&hdev->rx_work); + cancel_work_sync(&hdev->cmd_work); + cancel_work_sync(&hdev->tx_work); cancel_work_sync(&hdev->power_on); + cancel_work_sync(&hdev->error_reset); hci_dev_do_close(hdev); From fe34d279afd5186910b42c6ccf419f32552f6eab Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Tue, 2 Jul 2024 21:03:26 +0200 Subject: [PATCH 79/90] fs: better handle deep ancestor chains in is_subdir() [ Upstream commit 391b59b045004d5b985d033263ccba3e941a7740 ] Jan reported that 'cd ..' may take a long time in deep directory hierarchies under a bind-mount. If concurrent renames happen it is possible to livelock in is_subdir() because it will keep retrying. Change is_subdir() from simply retrying over and over to retry once and then acquire the rename lock to handle deep ancestor chains better. The list of alternatives to this approach were less then pleasant. Change the scope of rcu lock to cover the whole walk while at it. A big thanks to Jan and Linus. Both Jan and Linus had proposed effectively the same thing just that one version ended up being slightly more elegant. Reported-by: Jan Kara Signed-off-by: Linus Torvalds Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin (cherry picked from commit a5c4645346b0efb5a10ed28ae281a9af29037608) Signed-off-by: Harshit Mogalapalli --- fs/dcache.c | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/fs/dcache.c b/fs/dcache.c index 5a9a773ece54..bfd906585f20 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -3563,28 +3563,25 @@ out: bool is_subdir(struct dentry *new_dentry, struct dentry *old_dentry) { - bool result; + bool subdir; unsigned seq; if (new_dentry == old_dentry) return true; - do { - /* for restarting inner loop in case of seq retry */ - seq = read_seqbegin(&rename_lock); - /* - * Need rcu_readlock to protect against the d_parent trashing - * due to d_move - */ - rcu_read_lock(); - if (d_ancestor(old_dentry, new_dentry)) - result = true; - else - result = false; - rcu_read_unlock(); - } while (read_seqretry(&rename_lock, seq)); - - return result; + /* Access d_parent under rcu as d_move() may change it. */ + rcu_read_lock(); + seq = read_seqbegin(&rename_lock); + subdir = d_ancestor(old_dentry, new_dentry); + /* Try lockless once... */ + if (read_seqretry(&rename_lock, seq)) { + /* ...else acquire lock for progress even on deep chains. */ + read_seqlock_excl(&rename_lock); + subdir = d_ancestor(old_dentry, new_dentry); + read_sequnlock_excl(&rename_lock); + } + rcu_read_unlock(); + return subdir; } static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) From 4e4a79155c2fe74dd5aea4e56b96923d39d50408 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= Date: Wed, 8 May 2024 11:56:10 +0200 Subject: [PATCH 80/90] spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit ce1dac560a74220f2e53845ec0723b562288aed4 ] While in commit 2dd33f9cec90 ("spi: imx: support DMA for imx35") it was claimed that DMA works on i.MX25, i.MX31 and i.MX35 the respective device trees don't add DMA channels. The Reference manuals of i.MX31 and i.MX25 also don't mention the CSPI core being DMA capable. (I didn't check the others.) Since commit e267a5b3ec59 ("spi: spi-imx: Use dev_err_probe for failed DMA channel requests") this results in an error message spi_imx 43fa4000.spi: error -ENODEV: can't get the TX DMA channel! during boot. However that isn't fatal and the driver gets loaded just fine, just without using DMA. Signed-off-by: Uwe Kleine-König Link: https://patch.msgid.link/20240508095610.2146640-2-u.kleine-koenig@pengutronix.de Signed-off-by: Mark Brown Signed-off-by: Sasha Levin (cherry picked from commit 4f5e56dddabe947cc840ffb2db60d9df6ca9e8b9) Signed-off-by: Harshit Mogalapalli --- drivers/spi/spi-imx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c index e306de700929..fd9d1be37fd7 100644 --- a/drivers/spi/spi-imx.c +++ b/drivers/spi/spi-imx.c @@ -908,7 +908,7 @@ static struct spi_imx_devtype_data imx35_cspi_devtype_data = { .rx_available = mx31_rx_available, .reset = mx31_reset, .fifo_size = 8, - .has_dmamode = true, + .has_dmamode = false, .dynamic_burst = false, .devtype = IMX35_CSPI, }; From 010cabb684a2904c698713694a24cb0c99d24f41 Mon Sep 17 00:00:00 2001 From: John Hubbard Date: Fri, 5 Jul 2024 09:57:34 -1000 Subject: [PATCH 81/90] selftests/vDSO: fix clang build errors and warnings [ Upstream commit 73810cd45b99c6c418e1c6a487b52c1e74edb20d ] When building with clang, via: make LLVM=1 -C tools/testing/selftests ...there are several warnings, and an error. This fixes all of those and allows these tests to run and pass. 1. Fix linker error (undefined reference to memcpy) by providing a local version of memcpy. 2. clang complains about using this form: if (g = h & 0xf0000000) ...so factor out the assignment into a separate step. 3. The code is passing a signed const char* to elf_hash(), which expects a const unsigned char *. There are several callers, so fix this at the source by allowing the function to accept a signed argument, and then converting to unsigned operations, once inside the function. 4. clang doesn't have __attribute__((externally_visible)) and generates a warning to that effect. Fortunately, gcc 12 and gcc 13 do not seem to require that attribute in order to build, run and pass tests here, so remove it. Reviewed-by: Carlos Llamas Reviewed-by: Edward Liaw Reviewed-by: Muhammad Usama Anjum Tested-by: Muhammad Usama Anjum Signed-off-by: John Hubbard Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin (cherry picked from commit d5e9dddd18fdfe04772bce07d4a34e39e7b1e402) Signed-off-by: Harshit Mogalapalli --- tools/testing/selftests/vDSO/parse_vdso.c | 16 +++++++++++----- .../selftests/vDSO/vdso_standalone_test_x86.c | 18 ++++++++++++++++-- 2 files changed, 27 insertions(+), 7 deletions(-) diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c index 1dbb4b87268f..9ef3ad3789c1 100644 --- a/tools/testing/selftests/vDSO/parse_vdso.c +++ b/tools/testing/selftests/vDSO/parse_vdso.c @@ -77,14 +77,20 @@ static struct vdso_info ELF(Verdef) *verdef; } vdso_info; -/* Straight from the ELF specification. */ -static unsigned long elf_hash(const unsigned char *name) +/* + * Straight from the ELF specification...and then tweaked slightly, in order to + * avoid a few clang warnings. + */ +static unsigned long elf_hash(const char *name) { unsigned long h = 0, g; - while (*name) + const unsigned char *uch_name = (const unsigned char *)name; + + while (*uch_name) { - h = (h << 4) + *name++; - if (g = h & 0xf0000000) + h = (h << 4) + *uch_name++; + g = h & 0xf0000000; + if (g) h ^= g >> 24; h &= ~g; } diff --git a/tools/testing/selftests/vDSO/vdso_standalone_test_x86.c b/tools/testing/selftests/vDSO/vdso_standalone_test_x86.c index 93b0ebf8cc38..805e8c189276 100644 --- a/tools/testing/selftests/vDSO/vdso_standalone_test_x86.c +++ b/tools/testing/selftests/vDSO/vdso_standalone_test_x86.c @@ -20,7 +20,7 @@ extern void *vdso_sym(const char *version, const char *name); extern void vdso_init_from_sysinfo_ehdr(uintptr_t base); extern void vdso_init_from_auxv(void *auxv); -/* We need a libc functions... */ +/* We need some libc functions... */ int strcmp(const char *a, const char *b) { /* This implementation is buggy: it never returns -1. */ @@ -36,6 +36,20 @@ int strcmp(const char *a, const char *b) return 0; } +/* + * The clang build needs this, although gcc does not. + * Stolen from lib/string.c. + */ +void *memcpy(void *dest, const void *src, size_t count) +{ + char *tmp = dest; + const char *s = src; + + while (count--) + *tmp++ = *s++; + return dest; +} + /* ...and two syscalls. This is x86-specific. */ static inline long x86_syscall3(long nr, long a0, long a1, long a2) { @@ -72,7 +86,7 @@ void to_base10(char *lastdig, time_t n) } } -__attribute__((externally_visible)) void c_main(void **stack) +void c_main(void **stack) { /* Parse the stack */ long argc = (long)*stack; From 7cc7fff373ff4131e0db0e9f099913b524cd0275 Mon Sep 17 00:00:00 2001 From: Edward Adam Davis Date: Tue, 21 May 2024 13:21:46 +0800 Subject: [PATCH 82/90] hfsplus: fix uninit-value in copy_name [ Upstream commit 0570730c16307a72f8241df12363f76600baf57d ] [syzbot reported] BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 sized_strscpy+0xc4/0x160 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3877 [inline] slab_alloc_node mm/slub.c:3918 [inline] kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 kmalloc include/linux/slab.h:628 [inline] hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Fix] When allocating memory to strbuf, initialize memory to 0. Reported-and-tested-by: syzbot+efde959319469ff8d4d7@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis Link: https://lore.kernel.org/r/tencent_8BBB6433BC9E1C1B7B4BDF1BF52574BA8808@qq.com Reported-and-tested-by: syzbot+01ade747b16e9c8030e0@syzkaller.appspotmail.com Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin (cherry picked from commit 72805debec8f7aa342da194fe0ed7bc8febea335) Signed-off-by: Harshit Mogalapalli --- fs/hfsplus/xattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c index e538b758c448..e697980898f0 100644 --- a/fs/hfsplus/xattr.c +++ b/fs/hfsplus/xattr.c @@ -706,7 +706,7 @@ ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size) return err; } - strbuf = kmalloc(NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN + + strbuf = kzalloc(NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN + XATTR_MAC_OSX_PREFIX_LEN + 1, GFP_KERNEL); if (!strbuf) { res = -ENOMEM; From 0092a371ee34e3dc89e46d1267ee614d60026158 Mon Sep 17 00:00:00 2001 From: Jann Horn Date: Tue, 2 Jul 2024 18:26:52 +0200 Subject: [PATCH 83/90] filelock: Remove locks reliably when fcntl/close race is detected commit 3cad1bc010416c6dd780643476bc59ed742436b9 upstream. When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock. In theory (but AFAIK not in practice), posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle). After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can't corrupt kernel memory. This only affects systems with SELinux / Smack / AppArmor / BPF-LSM in enforcing mode and only works from some security contexts. Fix it by calling locks_remove_posix() instead, which is designed to reliably get rid of POSIX locks associated with the given file and files_struct and is also used by filp_flush(). Fixes: c293621bbf67 ("[PATCH] stale POSIX lock handling") Cc: stable@kernel.org Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2563 Signed-off-by: Jann Horn Link: https://lore.kernel.org/r/20240702-fs-lock-recover-2-v1-1-edd456f63789@google.com Reviewed-by: Jeff Layton Signed-off-by: Christian Brauner [stable fixup: ->c.flc_type was ->fl_type in older kernels] Signed-off-by: Jann Horn Signed-off-by: Greg Kroah-Hartman (cherry picked from commit d30ff33040834c3b9eee29740acd92f9c7ba2250) Signed-off-by: Harshit Mogalapalli --- fs/locks.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/fs/locks.c b/fs/locks.c index 1a40e277eb5e..3b9652eedb52 100644 --- a/fs/locks.c +++ b/fs/locks.c @@ -2308,8 +2308,9 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd, error = do_lock_file_wait(filp, cmd, file_lock); /* - * Attempt to detect a close/fcntl race and recover by releasing the - * lock that was just acquired. There is no need to do that when we're + * Detect close/fcntl races and recover by zapping all POSIX locks + * associated with this file and our files_struct, just like on + * filp_flush(). There is no need to do that when we're * unlocking though, or for OFD locks. */ if (!error && file_lock->fl_type != F_UNLCK && @@ -2323,9 +2324,7 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd, f = fcheck(fd); spin_unlock(¤t->files->file_lock); if (f != filp) { - file_lock->fl_type = F_UNLCK; - error = do_lock_file_wait(filp, cmd, file_lock); - WARN_ON_ONCE(error); + locks_remove_posix(filp, ¤t->files); error = -EBADF; } } From a650c33ed9edba733de822a47397ead4c1ebc2fb Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 26 Sep 2023 17:09:03 +0100 Subject: [PATCH 84/90] ARM: 9324/1: fix get_user() broken with veneer commit 24d3ba0a7b44c1617c27f5045eecc4f34752ab03 upstream. The 32-bit ARM kernel stops working if the kernel grows to the point where veneers for __get_user_* are created. AAPCS32 [1] states, "Register r12 (IP) may be used by a linker as a scratch register between a routine and any subroutine it calls. It can also be used within a routine to hold intermediate values between subroutine calls." However, bl instructions buried within the inline asm are unpredictable for compilers; hence, "ip" must be added to the clobber list. This becomes critical when veneers for __get_user_* are created because veneers use the ip register since commit 02e541db0540 ("ARM: 8323/1: force linker to use PIC veneers"). [1]: https://github.com/ARM-software/abi-aa/blob/2023Q1/aapcs32/aapcs32.rst Signed-off-by: Masahiro Yamada Reviewed-by: Ard Biesheuvel Signed-off-by: Russell King (Oracle) Cc: John Stultz Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 41a5c1717bf4ad1b6084e8682de64b178eabc059) Signed-off-by: Harshit Mogalapalli --- arch/arm/include/asm/uaccess.h | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h index fe47d24955ea..5fa4bcd9bebe 100644 --- a/arch/arm/include/asm/uaccess.h +++ b/arch/arm/include/asm/uaccess.h @@ -145,16 +145,6 @@ extern int __get_user_64t_1(void *); extern int __get_user_64t_2(void *); extern int __get_user_64t_4(void *); -#define __GUP_CLOBBER_1 "lr", "cc" -#ifdef CONFIG_CPU_USE_DOMAINS -#define __GUP_CLOBBER_2 "ip", "lr", "cc" -#else -#define __GUP_CLOBBER_2 "lr", "cc" -#endif -#define __GUP_CLOBBER_4 "lr", "cc" -#define __GUP_CLOBBER_32t_8 "lr", "cc" -#define __GUP_CLOBBER_8 "lr", "cc" - #define __get_user_x(__r2, __p, __e, __l, __s) \ __asm__ __volatile__ ( \ __asmeq("%0", "r0") __asmeq("%1", "r2") \ @@ -162,7 +152,7 @@ extern int __get_user_64t_4(void *); "bl __get_user_" #__s \ : "=&r" (__e), "=r" (__r2) \ : "0" (__p), "r" (__l) \ - : __GUP_CLOBBER_##__s) + : "ip", "lr", "cc") /* narrowing a double-word get into a single 32bit word register: */ #ifdef __ARMEB__ @@ -184,7 +174,7 @@ extern int __get_user_64t_4(void *); "bl __get_user_64t_" #__s \ : "=&r" (__e), "=r" (__r2) \ : "0" (__p), "r" (__l) \ - : __GUP_CLOBBER_##__s) + : "ip", "lr", "cc") #else #define __get_user_x_64t __get_user_x #endif From f70e0950f817b75ed1f01859f15d9c2b6a37dba2 Mon Sep 17 00:00:00 2001 From: Kuan-Wei Chiu Date: Tue, 2 Jul 2024 04:56:39 +0800 Subject: [PATCH 85/90] ACPI: processor_idle: Fix invalid comparison with insertion sort for latency commit 233323f9b9f828cd7cd5145ad811c1990b692542 upstream. The acpi_cst_latency_cmp() comparison function currently used for sorting C-state latencies does not satisfy transitivity, causing incorrect sorting results. Specifically, if there are two valid acpi_processor_cx elements A and B and one invalid element C, it may occur that A < B, A = C, and B = C. Sorting algorithms assume that if A < B and A = C, then C < B, leading to incorrect ordering. Given the small size of the array (<=8), we replace the library sort function with a simple insertion sort that properly ignores invalid elements and sorts valid ones based on latency. This change ensures correct ordering of the C-state latencies. Fixes: 65ea8f2c6e23 ("ACPI: processor idle: Fix up C-state latency if not ordered") Reported-by: Julian Sikorski Closes: https://lore.kernel.org/lkml/70674dc7-5586-4183-8953-8095567e73df@gmail.com Signed-off-by: Kuan-Wei Chiu Tested-by: Julian Sikorski Cc: All applicable Link: https://patch.msgid.link/20240701205639.117194-1-visitorckw@gmail.com Signed-off-by: Rafael J. Wysocki Signed-off-by: Kuan-Wei Chiu Signed-off-by: Greg Kroah-Hartman (cherry picked from commit c9d6e349f7aad4ab9c557047d357df256c15f25e) Signed-off-by: Harshit Mogalapalli --- drivers/acpi/processor_idle.c | 40 ++++++++++++++--------------------- 1 file changed, 16 insertions(+), 24 deletions(-) diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c index 5580e506838e..f943a427335f 100644 --- a/drivers/acpi/processor_idle.c +++ b/drivers/acpi/processor_idle.c @@ -29,7 +29,6 @@ #include #include #include /* need_resched() */ -#include #include #include #include @@ -541,28 +540,24 @@ static void acpi_processor_power_verify_c3(struct acpi_processor *pr, return; } -static int acpi_cst_latency_cmp(const void *a, const void *b) +static void acpi_cst_latency_sort(struct acpi_processor_cx *states, size_t length) { - const struct acpi_processor_cx *x = a, *y = b; + int i, j, k; - if (!(x->valid && y->valid)) - return 0; - if (x->latency > y->latency) - return 1; - if (x->latency < y->latency) - return -1; - return 0; -} -static void acpi_cst_latency_swap(void *a, void *b, int n) -{ - struct acpi_processor_cx *x = a, *y = b; - u32 tmp; + for (i = 1; i < length; i++) { + if (!states[i].valid) + continue; - if (!(x->valid && y->valid)) - return; - tmp = x->latency; - x->latency = y->latency; - y->latency = tmp; + for (j = i - 1, k = i; j >= 0; j--) { + if (!states[j].valid) + continue; + + if (states[j].latency > states[k].latency) + swap(states[j].latency, states[k].latency); + + k = j; + } + } } static int acpi_processor_power_verify(struct acpi_processor *pr) @@ -607,10 +602,7 @@ static int acpi_processor_power_verify(struct acpi_processor *pr) if (buggy_latency) { pr_notice("FW issue: working around C-state latencies out of order\n"); - sort(&pr->power.states[1], max_cstate, - sizeof(struct acpi_processor_cx), - acpi_cst_latency_cmp, - acpi_cst_latency_swap); + acpi_cst_latency_sort(&pr->power.states[1], max_cstate); } lapic_timer_propagate_broadcast(pr); From aac14d323840fa0e71308002c051ce8174804c77 Mon Sep 17 00:00:00 2001 From: Paolo Abeni Date: Tue, 21 May 2024 16:01:00 +0200 Subject: [PATCH 86/90] net: relax socket state check at accept time. commit 26afda78cda3da974fd4c287962c169e9462c495 upstream. Christoph reported the following splat: WARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0 Modules linked in: CPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 RIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759 Code: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80 RSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293 RAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64 R10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000 R13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800 FS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786 do_accept+0x435/0x620 net/socket.c:1929 __sys_accept4_file net/socket.c:1969 [inline] __sys_accept4+0x9b/0x110 net/socket.c:1999 __do_sys_accept net/socket.c:2016 [inline] __se_sys_accept net/socket.c:2013 [inline] __x64_sys_accept+0x7d/0x90 net/socket.c:2013 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x4315f9 Code: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b RAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300 R10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055 The reproducer invokes shutdown() before entering the listener status. After commit 94062790aedb ("tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets"), the above causes the child to reach the accept syscall in FIN_WAIT1 status. Eric noted we can relax the existing assertion in __inet_accept() Reported-by: Christoph Paasch Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/490 Suggested-by: Eric Dumazet Fixes: 94062790aedb ("tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets") Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/23ab880a44d8cfd967e84de8b93dbf48848e3d8c.1716299669.git.pabeni@redhat.com Signed-off-by: Paolo Abeni Signed-off-by: Nikolay Kuratov Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 7de00adc9bd035d861ba4177848ca0bfa5ed1e04) Signed-off-by: Harshit Mogalapalli --- net/ipv4/af_inet.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index dccc6219591c..1b2d955eb818 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -710,7 +710,9 @@ int inet_accept(struct socket *sock, struct socket *newsock, int flags, sock_rps_record_flow(sk2); WARN_ON(!((1 << sk2->sk_state) & (TCPF_ESTABLISHED | TCPF_SYN_RECV | - TCPF_CLOSE_WAIT | TCPF_CLOSE))); + TCPF_FIN_WAIT1 | TCPF_FIN_WAIT2 | + TCPF_CLOSING | TCPF_CLOSE_WAIT | + TCPF_CLOSE))); sock_graft(sk2, newsock); From 3c99e72be6bf85c5e3e19ddf0e1a38a9eebbd4a6 Mon Sep 17 00:00:00 2001 From: lei lu Date: Wed, 26 Jun 2024 18:44:33 +0800 Subject: [PATCH 87/90] ocfs2: add bounds checking to ocfs2_check_dir_entry() commit 255547c6bb8940a97eea94ef9d464ea5967763fb upstream. This adds sanity checks for ocfs2_dir_entry to make sure all members of ocfs2_dir_entry don't stray beyond valid memory region. Link: https://lkml.kernel.org/r/20240626104433.163270-1-llfamsec@gmail.com Signed-off-by: lei lu Reviewed-by: Heming Zhao Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 13d38c00df97289e6fba2e54193959293fd910d2) Signed-off-by: Harshit Mogalapalli --- fs/ocfs2/dir.c | 46 +++++++++++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c index 08d902a89213..4153a07434ec 100644 --- a/fs/ocfs2/dir.c +++ b/fs/ocfs2/dir.c @@ -313,13 +313,16 @@ out: * bh passed here can be an inode block or a dir data block, depending * on the inode inline data flag. */ -static int ocfs2_check_dir_entry(struct inode * dir, - struct ocfs2_dir_entry * de, - struct buffer_head * bh, +static int ocfs2_check_dir_entry(struct inode *dir, + struct ocfs2_dir_entry *de, + struct buffer_head *bh, + char *buf, + unsigned int size, unsigned long offset) { const char *error_msg = NULL; const int rlen = le16_to_cpu(de->rec_len); + const unsigned long next_offset = ((char *) de - buf) + rlen; if (unlikely(rlen < OCFS2_DIR_REC_LEN(1))) error_msg = "rec_len is smaller than minimal"; @@ -327,9 +330,11 @@ static int ocfs2_check_dir_entry(struct inode * dir, error_msg = "rec_len % 4 != 0"; else if (unlikely(rlen < OCFS2_DIR_REC_LEN(de->name_len))) error_msg = "rec_len is too small for name_len"; - else if (unlikely( - ((char *) de - bh->b_data) + rlen > dir->i_sb->s_blocksize)) - error_msg = "directory entry across blocks"; + else if (unlikely(next_offset > size)) + error_msg = "directory entry overrun"; + else if (unlikely(next_offset > size - OCFS2_DIR_REC_LEN(1)) && + next_offset != size) + error_msg = "directory entry too close to end"; if (unlikely(error_msg != NULL)) mlog(ML_ERROR, "bad entry in directory #%llu: %s - " @@ -371,16 +376,17 @@ static inline int ocfs2_search_dirblock(struct buffer_head *bh, de_buf = first_de; dlimit = de_buf + bytes; - while (de_buf < dlimit) { + while (de_buf < dlimit - OCFS2_DIR_MEMBER_LEN) { /* this code is executed quadratically often */ /* do minimal checking `by hand' */ de = (struct ocfs2_dir_entry *) de_buf; - if (de_buf + namelen <= dlimit && + if (de->name + namelen <= dlimit && ocfs2_match(namelen, name, de)) { /* found a match - just to be sure, do a full check */ - if (!ocfs2_check_dir_entry(dir, de, bh, offset)) { + if (!ocfs2_check_dir_entry(dir, de, bh, first_de, + bytes, offset)) { ret = -1; goto bail; } @@ -1157,7 +1163,7 @@ static int __ocfs2_delete_entry(handle_t *handle, struct inode *dir, pde = NULL; de = (struct ocfs2_dir_entry *) first_de; while (i < bytes) { - if (!ocfs2_check_dir_entry(dir, de, bh, i)) { + if (!ocfs2_check_dir_entry(dir, de, bh, first_de, bytes, i)) { status = -EIO; mlog_errno(status); goto bail; @@ -1657,7 +1663,8 @@ int __ocfs2_add_entry(handle_t *handle, /* These checks should've already been passed by the * prepare function, but I guess we can leave them * here anyway. */ - if (!ocfs2_check_dir_entry(dir, de, insert_bh, offset)) { + if (!ocfs2_check_dir_entry(dir, de, insert_bh, data_start, + size, offset)) { retval = -ENOENT; goto bail; } @@ -1795,7 +1802,8 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode, } de = (struct ocfs2_dir_entry *) (data->id_data + ctx->pos); - if (!ocfs2_check_dir_entry(inode, de, di_bh, ctx->pos)) { + if (!ocfs2_check_dir_entry(inode, de, di_bh, (char *)data->id_data, + i_size_read(inode), ctx->pos)) { /* On error, skip the f_pos to the end. */ ctx->pos = i_size_read(inode); break; @@ -1892,7 +1900,8 @@ static int ocfs2_dir_foreach_blk_el(struct inode *inode, while (ctx->pos < i_size_read(inode) && offset < sb->s_blocksize) { de = (struct ocfs2_dir_entry *) (bh->b_data + offset); - if (!ocfs2_check_dir_entry(inode, de, bh, offset)) { + if (!ocfs2_check_dir_entry(inode, de, bh, bh->b_data, + sb->s_blocksize, offset)) { /* On error, skip the f_pos to the next block. */ ctx->pos = (ctx->pos | (sb->s_blocksize - 1)) + 1; @@ -3368,7 +3377,7 @@ static int ocfs2_find_dir_space_id(struct inode *dir, struct buffer_head *di_bh, struct super_block *sb = dir->i_sb; struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data; struct ocfs2_dir_entry *de, *last_de = NULL; - char *de_buf, *limit; + char *first_de, *de_buf, *limit; unsigned long offset = 0; unsigned int rec_len, new_rec_len, free_space = dir->i_sb->s_blocksize; @@ -3381,14 +3390,16 @@ static int ocfs2_find_dir_space_id(struct inode *dir, struct buffer_head *di_bh, else free_space = dir->i_sb->s_blocksize - i_size_read(dir); - de_buf = di->id2.i_data.id_data; + first_de = di->id2.i_data.id_data; + de_buf = first_de; limit = de_buf + i_size_read(dir); rec_len = OCFS2_DIR_REC_LEN(namelen); while (de_buf < limit) { de = (struct ocfs2_dir_entry *)de_buf; - if (!ocfs2_check_dir_entry(dir, de, di_bh, offset)) { + if (!ocfs2_check_dir_entry(dir, de, di_bh, first_de, + i_size_read(dir), offset)) { ret = -ENOENT; goto out; } @@ -3470,7 +3481,8 @@ static int ocfs2_find_dir_space_el(struct inode *dir, const char *name, /* move to next block */ de = (struct ocfs2_dir_entry *) bh->b_data; } - if (!ocfs2_check_dir_entry(dir, de, bh, offset)) { + if (!ocfs2_check_dir_entry(dir, de, bh, bh->b_data, blocksize, + offset)) { status = -ENOENT; goto bail; } From 7f65c3bae2493c58ef7d6ef1bf9ce717c71fb87d Mon Sep 17 00:00:00 2001 From: lei lu Date: Wed, 29 May 2024 02:30:40 +0800 Subject: [PATCH 88/90] jfs: don't walk off the end of ealist commit d0fa70aca54c8643248e89061da23752506ec0d4 upstream. Add a check before visiting the members of ea to make sure each ea stays within the ealist. Signed-off-by: lei lu Signed-off-by: Dave Kleikamp Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 7f91bd0f2941fa36449ce1a15faaa64f840d9746) Signed-off-by: Harshit Mogalapalli --- fs/jfs/xattr.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c index e8b12e708428..37b984692ca9 100644 --- a/fs/jfs/xattr.c +++ b/fs/jfs/xattr.c @@ -810,7 +810,7 @@ ssize_t __jfs_getxattr(struct inode *inode, const char *name, void *data, size_t buf_size) { struct jfs_ea_list *ealist; - struct jfs_ea *ea; + struct jfs_ea *ea, *ealist_end; struct ea_buffer ea_buf; int xattr_size; ssize_t size; @@ -830,9 +830,16 @@ ssize_t __jfs_getxattr(struct inode *inode, const char *name, void *data, goto not_found; ealist = (struct jfs_ea_list *) ea_buf.xattr; + ealist_end = END_EALIST(ealist); /* Find the named attribute */ - for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea)) + for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) { + if (unlikely(ea + 1 > ealist_end) || + unlikely(NEXT_EA(ea) > ealist_end)) { + size = -EUCLEAN; + goto release; + } + if ((namelen == ea->namelen) && memcmp(name, ea->name, namelen) == 0) { /* Found it */ @@ -847,6 +854,7 @@ ssize_t __jfs_getxattr(struct inode *inode, const char *name, void *data, memcpy(data, value, size); goto release; } + } not_found: size = -ENODATA; release: @@ -874,7 +882,7 @@ ssize_t jfs_listxattr(struct dentry * dentry, char *data, size_t buf_size) ssize_t size = 0; int xattr_size; struct jfs_ea_list *ealist; - struct jfs_ea *ea; + struct jfs_ea *ea, *ealist_end; struct ea_buffer ea_buf; down_read(&JFS_IP(inode)->xattr_sem); @@ -889,9 +897,16 @@ ssize_t jfs_listxattr(struct dentry * dentry, char *data, size_t buf_size) goto release; ealist = (struct jfs_ea_list *) ea_buf.xattr; + ealist_end = END_EALIST(ealist); /* compute required size of list */ - for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); ea = NEXT_EA(ea)) { + for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) { + if (unlikely(ea + 1 > ealist_end) || + unlikely(NEXT_EA(ea) > ealist_end)) { + size = -EUCLEAN; + goto release; + } + if (can_list(ea)) size += name_size(ea) + 1; } From a429e9177821cfc3fc4b316b64e431ae613319c3 Mon Sep 17 00:00:00 2001 From: Jann Horn Date: Tue, 23 Jul 2024 17:03:56 +0200 Subject: [PATCH 89/90] filelock: Fix fcntl/close race recovery compat path commit f8138f2ad2f745b9a1c696a05b749eabe44337ea upstream. When I wrote commit 3cad1bc01041 ("filelock: Remove locks reliably when fcntl/close race is detected"), I missed that there are two copies of the code I was patching: The normal version, and the version for 64-bit offsets on 32-bit kernels. Thanks to Greg KH for stumbling over this while doing the stable backport... Apply exactly the same fix to the compat path for 32-bit kernels. Fixes: c293621bbf67 ("[PATCH] stale POSIX lock handling") Cc: stable@kernel.org Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2563 Signed-off-by: Jann Horn Link: https://lore.kernel.org/r/20240723-fs-lock-recover-compatfix-v1-1-148096719529@google.com Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman (cherry picked from commit a561145f3ae973ebf3e0aee41624e92a6c5cb38d) Signed-off-by: Harshit Mogalapalli --- fs/locks.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/fs/locks.c b/fs/locks.c index 3b9652eedb52..227c4054f02e 100644 --- a/fs/locks.c +++ b/fs/locks.c @@ -2438,8 +2438,9 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd, error = do_lock_file_wait(filp, cmd, file_lock); /* - * Attempt to detect a close/fcntl race and recover by releasing the - * lock that was just acquired. There is no need to do that when we're + * Detect close/fcntl races and recover by zapping all POSIX locks + * associated with this file and our files_struct, just like on + * filp_flush(). There is no need to do that when we're * unlocking though, or for OFD locks. */ if (!error && file_lock->fl_type != F_UNLCK && @@ -2453,9 +2454,7 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd, f = fcheck(fd); spin_unlock(¤t->files->file_lock); if (f != filp) { - file_lock->fl_type = F_UNLCK; - error = do_lock_file_wait(filp, cmd, file_lock); - WARN_ON_ONCE(error); + locks_remove_posix(filp, ¤t->files); error = -EBADF; } } From 6da009d8de389742d55219ebed50378f53937a5b Mon Sep 17 00:00:00 2001 From: Vegard Nossum Date: Mon, 26 Aug 2024 08:06:03 +0000 Subject: [PATCH 90/90] LTS: Update to 4.14.352 This corresponds to 4.19.319 upstream (v4.19.318..v4.19.319). Signed-off-by: Vegard Nossum --- .elts/config.yaml | 4 +- .elts/meta/4.14.352.yaml | 122 +++++++++++++++++++++++++++++++++ .elts/upstream/4.19.319.yaml | 128 +++++++++++++++++++++++++++++++++++ Makefile | 2 +- 4 files changed, 253 insertions(+), 3 deletions(-) create mode 100644 .elts/meta/4.14.352.yaml create mode 100644 .elts/upstream/4.19.319.yaml diff --git a/.elts/config.yaml b/.elts/config.yaml index dde8bf91c918..43a7d46ea912 100644 --- a/.elts/config.yaml +++ b/.elts/config.yaml @@ -1,5 +1,5 @@ upstream_repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git upstream_base: 4.19.304 base: 4.14.336 -upstream_version: 4.19.318 -version: 4.14.351 +upstream_version: 4.19.319 +version: 4.14.352 diff --git a/.elts/meta/4.14.352.yaml b/.elts/meta/4.14.352.yaml new file mode 100644 index 000000000000..e0a03dd0ce61 --- /dev/null +++ b/.elts/meta/4.14.352.yaml @@ -0,0 +1,122 @@ +c133012a813396eefedf1bfa049efe8015b98812: + title: 'gcc-plugins: Rename last_stmt() for GCC 14+' + mainline: 2e3f65ccfe6b0778b261ad69c9603ae85f210334 + upstream: 2d05669ce1f18c1bc51476980a0e8bd107682546 +2eb33ecdc2e4a03f4b673a04428924293b58cd7e: + title: 'scsi: qedf: Set qed_slowpath_params to zero before use' + mainline: 6c3bb589debd763dc4b94803ddf3c13b4fcca776 + upstream: 9656f9540fa3949dfb65e9f18d263bbd96778831 +7af36fe3934a05c3df07dac10732c2f2097fa9eb: + title: 'ACPI: EC: Abort address space access upon error' + mainline: f6f172dc6a6d7775b2df6adfd1350700e9a847ec + upstream: 52a1125633abf465f59d184020add71616b87efa +af32f802de713de4b0a2b4f6e97c8e1ca9dfc758: + title: 'ACPI: EC: Avoid returning AE_OK on errors in address space handler' + mainline: c4bd7f1d78340e63de4d073fd3dbe5391e2996e5 + upstream: 286b25bf40251e940756371eae6c7e59fdbd6745 +2fac830d7e5b9250a13d556a1d5125a1a2b351b4: + title: 'wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata' + mainline: 6f6291f09a322c1c1578badac8072d049363f4e6 + upstream: 46487275e810d1e7c99f36af9fdfae0909c4e200 +60882d697cfb5c6868f24649c60b8dd8d2703668: + title: 'wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()' + mainline: 92ecbb3ac6f3fe8ae9edf3226c76aa17b6800699 + upstream: cd3212a9e0209dff7eda30f01ab8590f5e8d92fb +f995731405d60b4b3e3cb2c556625c5c3a786c8f: + title: 'Input: silead - add support for capactive home button found on some x86 tablets' +1501ce3d5bfea3a1e8aaec61b878f20d8a93dfcb: + title: 'Input: silead - Always support 10 fingers' + mainline: 38a38f5a36da9820680d413972cb733349400532 + upstream: ce0368a52554d213c5cd447ba786b54390a845e1 +6e6d94454bba0055f8d77d3bb42d49c369e80e95: + title: 'ila: block BH in ila_output()' + mainline: cf28ff8e4c02e1ffa850755288ac954b6ff0db8c + upstream: 7435bd2f84a25aba607030237261b3795ba782da +265ba671aaff09b4531db6875d668dfb4efd716a: + title: 'kconfig: gconf: give a proper initial state to the Save button' + mainline: 46edf4372e336ef3a61c3126e49518099d2e2e6d + upstream: b6d6a91b584a022424d99264741bdfa6b336c83b +692c2ebeacc0c82e6c088e5a6f63ff9395a2082e: + title: 'kconfig: remove wrong expr_trans_bool()' + mainline: 77a92660d8fe8d29503fae768d9f5eb529c88b36 + upstream: b366d89859fe7b58894b3698844b551fe32f892a +8d3da24eb73289dde20e54b84c848e61ae0138b0: + title: 'fs/file: fix the check in find_next_fd()' + mainline: ed8c7fbdfe117abbef81f65428ba263118ef298a + upstream: 5611e11988535125b3a05305680851ff587702a9 +cdb32323efca90437116ce55ba43da736ecad374: + title: 'mei: demote client disconnect warning on suspend to debug' + mainline: 1db5322b7e6b58e1b304ce69a50e9dca798ca95b + upstream: bd2a753fa12cf3d28726a4bf067398514e52d57c +56e8fc1b0ac2a752cba13ccd0e128f7eaadcd8d0: + title: 'wifi: cfg80211: wext: add extra SIOCSIWSCAN data check' + mainline: 6ef09cdc5ba0f93826c09d810c141a8d103a80fc + upstream: b02ba9a0b55b762bd04743a22f3d9f9645005e79 +0eafa6b4fdf53fdc8b8924325f994fe4ed0700a7: + title: 'Input: elantech - fix touchpad state on resume for Lenovo N24' + mainline: a69ce592cbe0417664bc5a075205aa75c2ec1273 + upstream: 9b6a1cb833dc8ceab3fbc45a261a8dd37c4f8013 +2ba3ceb092c9ac54204c7416bfa884d37f59bd1a: + title: 's390/sclp: Fix sclp_init() cleanup on failure' + mainline: 6434b33faaa063df500af355ee6c3942e0f8d982 + upstream: a778987afc36d5dc02a1f82d352a81edcaf7eb83 +f78b195536a163671b4aa1b85b88e432919c79f9: + title: 'ALSA: dmaengine_pcm: terminate dmaengine before synchronize' + mainline: 6a7db25aad8ce6512b366d2ce1d0e60bac00a09d + upstream: fe0a6e7eb38f9d5396f6ff548186a6cd62c08b1a +c16c01ccdd91f3d7764c0e63da5ba2274eb031a8: + title: 'net: usb: qmi_wwan: add Telit FN912 compositions' + mainline: 77453e2b015b5ced5b3f45364dd5a72dfc3bdecb + upstream: 6f5c552bb803ac30a746addc91b3da9b94b48c4d +eef43c3ccb72817061d1c663129fc04ff09de4a6: + title: 'net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()' + mainline: b8ec0dc3845f6c9089573cb5c2c4b05f7fc10728 + upstream: 77cfeb27b8ded33c3f4023a24a2d1517ad4e4893 +43df6e148cb43ad243a345291d8ddc2cea7786ce: + title: 'Bluetooth: hci_core: cancel all works upon hci_unregister_dev()' + mainline: 0d151a103775dd9645c78c97f77d6e2a5298d913 + upstream: 48542881997e17b49dc16b93fe910e0cfcf7a9f9 +fe34d279afd5186910b42c6ccf419f32552f6eab: + title: 'fs: better handle deep ancestor chains in is_subdir()' + mainline: 391b59b045004d5b985d033263ccba3e941a7740 + upstream: a5c4645346b0efb5a10ed28ae281a9af29037608 +4e4a79155c2fe74dd5aea4e56b96923d39d50408: + title: 'spi: imx: Don''t expect DMA for i.MX{25,35,50,51,53} cspi devices' + mainline: ce1dac560a74220f2e53845ec0723b562288aed4 + upstream: 4f5e56dddabe947cc840ffb2db60d9df6ca9e8b9 +010cabb684a2904c698713694a24cb0c99d24f41: + title: 'selftests/vDSO: fix clang build errors and warnings' + mainline: 73810cd45b99c6c418e1c6a487b52c1e74edb20d + upstream: d5e9dddd18fdfe04772bce07d4a34e39e7b1e402 +7cc7fff373ff4131e0db0e9f099913b524cd0275: + title: 'hfsplus: fix uninit-value in copy_name' + mainline: 0570730c16307a72f8241df12363f76600baf57d + upstream: 72805debec8f7aa342da194fe0ed7bc8febea335 +0092a371ee34e3dc89e46d1267ee614d60026158: + title: 'filelock: Remove locks reliably when fcntl/close race is detected' + mainline: 3cad1bc010416c6dd780643476bc59ed742436b9 + upstream: d30ff33040834c3b9eee29740acd92f9c7ba2250 +a650c33ed9edba733de822a47397ead4c1ebc2fb: + title: 'ARM: 9324/1: fix get_user() broken with veneer' + mainline: 24d3ba0a7b44c1617c27f5045eecc4f34752ab03 + upstream: 41a5c1717bf4ad1b6084e8682de64b178eabc059 +f70e0950f817b75ed1f01859f15d9c2b6a37dba2: + title: 'ACPI: processor_idle: Fix invalid comparison with insertion sort for latency' + mainline: 233323f9b9f828cd7cd5145ad811c1990b692542 + upstream: c9d6e349f7aad4ab9c557047d357df256c15f25e +aac14d323840fa0e71308002c051ce8174804c77: + title: 'net: relax socket state check at accept time.' + mainline: 26afda78cda3da974fd4c287962c169e9462c495 + upstream: 7de00adc9bd035d861ba4177848ca0bfa5ed1e04 +3c99e72be6bf85c5e3e19ddf0e1a38a9eebbd4a6: + title: 'ocfs2: add bounds checking to ocfs2_check_dir_entry()' + mainline: 255547c6bb8940a97eea94ef9d464ea5967763fb + upstream: 13d38c00df97289e6fba2e54193959293fd910d2 +7f65c3bae2493c58ef7d6ef1bf9ce717c71fb87d: + title: 'jfs: don''t walk off the end of ealist' + mainline: d0fa70aca54c8643248e89061da23752506ec0d4 + upstream: 7f91bd0f2941fa36449ce1a15faaa64f840d9746 +a429e9177821cfc3fc4b316b64e431ae613319c3: + title: 'filelock: Fix fcntl/close race recovery compat path' + mainline: f8138f2ad2f745b9a1c696a05b749eabe44337ea + upstream: a561145f3ae973ebf3e0aee41624e92a6c5cb38d diff --git a/.elts/upstream/4.19.319.yaml b/.elts/upstream/4.19.319.yaml new file mode 100644 index 000000000000..651bd206e0dd --- /dev/null +++ b/.elts/upstream/4.19.319.yaml @@ -0,0 +1,128 @@ +2d05669ce1f18c1bc51476980a0e8bd107682546: + title: 'gcc-plugins: Rename last_stmt() for GCC 14+' + mainline: 2e3f65ccfe6b0778b261ad69c9603ae85f210334 + backport: c133012a813396eefedf1bfa049efe8015b98812 +9656f9540fa3949dfb65e9f18d263bbd96778831: + title: 'scsi: qedf: Set qed_slowpath_params to zero before use' + mainline: 6c3bb589debd763dc4b94803ddf3c13b4fcca776 + backport: 2eb33ecdc2e4a03f4b673a04428924293b58cd7e +52a1125633abf465f59d184020add71616b87efa: + title: 'ACPI: EC: Abort address space access upon error' + mainline: f6f172dc6a6d7775b2df6adfd1350700e9a847ec + backport: 7af36fe3934a05c3df07dac10732c2f2097fa9eb +286b25bf40251e940756371eae6c7e59fdbd6745: + title: 'ACPI: EC: Avoid returning AE_OK on errors in address space handler' + mainline: c4bd7f1d78340e63de4d073fd3dbe5391e2996e5 + backport: af32f802de713de4b0a2b4f6e97c8e1ca9dfc758 +46487275e810d1e7c99f36af9fdfae0909c4e200: + title: 'wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata' + mainline: 6f6291f09a322c1c1578badac8072d049363f4e6 + backport: 2fac830d7e5b9250a13d556a1d5125a1a2b351b4 +cd3212a9e0209dff7eda30f01ab8590f5e8d92fb: + title: 'wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()' + mainline: 92ecbb3ac6f3fe8ae9edf3226c76aa17b6800699 + backport: 60882d697cfb5c6868f24649c60b8dd8d2703668 +ce0368a52554d213c5cd447ba786b54390a845e1: + title: 'Input: silead - Always support 10 fingers' + mainline: 38a38f5a36da9820680d413972cb733349400532 + backport: 1501ce3d5bfea3a1e8aaec61b878f20d8a93dfcb +7435bd2f84a25aba607030237261b3795ba782da: + title: 'ila: block BH in ila_output()' + mainline: cf28ff8e4c02e1ffa850755288ac954b6ff0db8c + backport: 6e6d94454bba0055f8d77d3bb42d49c369e80e95 +b6d6a91b584a022424d99264741bdfa6b336c83b: + title: 'kconfig: gconf: give a proper initial state to the Save button' + mainline: 46edf4372e336ef3a61c3126e49518099d2e2e6d + backport: 265ba671aaff09b4531db6875d668dfb4efd716a +b366d89859fe7b58894b3698844b551fe32f892a: + title: 'kconfig: remove wrong expr_trans_bool()' + mainline: 77a92660d8fe8d29503fae768d9f5eb529c88b36 + backport: 692c2ebeacc0c82e6c088e5a6f63ff9395a2082e +5611e11988535125b3a05305680851ff587702a9: + title: 'fs/file: fix the check in find_next_fd()' + mainline: ed8c7fbdfe117abbef81f65428ba263118ef298a + backport: 8d3da24eb73289dde20e54b84c848e61ae0138b0 +bd2a753fa12cf3d28726a4bf067398514e52d57c: + title: 'mei: demote client disconnect warning on suspend to debug' + mainline: 1db5322b7e6b58e1b304ce69a50e9dca798ca95b + backport: cdb32323efca90437116ce55ba43da736ecad374 +b02ba9a0b55b762bd04743a22f3d9f9645005e79: + title: 'wifi: cfg80211: wext: add extra SIOCSIWSCAN data check' + mainline: 6ef09cdc5ba0f93826c09d810c141a8d103a80fc + backport: 56e8fc1b0ac2a752cba13ccd0e128f7eaadcd8d0 +9b6a1cb833dc8ceab3fbc45a261a8dd37c4f8013: + title: 'Input: elantech - fix touchpad state on resume for Lenovo N24' + mainline: a69ce592cbe0417664bc5a075205aa75c2ec1273 + backport: 0eafa6b4fdf53fdc8b8924325f994fe4ed0700a7 +0405060fa24286e361cf784bfb37695e8dadc541: + title: 'bytcr_rt5640 : inverse jack detect for Archos 101 cesium' + mainline: e3209a1827646daaab744aa6a5767b1f57fb5385 + skipped: commit did not cherry-pick cleanly +0aa5858cb091344f149d1169f00d08b585fa70de: + title: 'can: kvaser_usb: fix return value for hif_usb_send_regout' + mainline: 0d34d8163fd87978a6abd792e2d8ad849f4c3d57 + skipped: fixes code not in 4.14.y +a778987afc36d5dc02a1f82d352a81edcaf7eb83: + title: 's390/sclp: Fix sclp_init() cleanup on failure' + mainline: 6434b33faaa063df500af355ee6c3942e0f8d982 + backport: 2ba3ceb092c9ac54204c7416bfa884d37f59bd1a +fe0a6e7eb38f9d5396f6ff548186a6cd62c08b1a: + title: 'ALSA: dmaengine_pcm: terminate dmaengine before synchronize' + mainline: 6a7db25aad8ce6512b366d2ce1d0e60bac00a09d + backport: f78b195536a163671b4aa1b85b88e432919c79f9 +6f5c552bb803ac30a746addc91b3da9b94b48c4d: + title: 'net: usb: qmi_wwan: add Telit FN912 compositions' + mainline: 77453e2b015b5ced5b3f45364dd5a72dfc3bdecb + backport: c16c01ccdd91f3d7764c0e63da5ba2274eb031a8 +77cfeb27b8ded33c3f4023a24a2d1517ad4e4893: + title: 'net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()' + mainline: b8ec0dc3845f6c9089573cb5c2c4b05f7fc10728 + backport: eef43c3ccb72817061d1c663129fc04ff09de4a6 +48542881997e17b49dc16b93fe910e0cfcf7a9f9: + title: 'Bluetooth: hci_core: cancel all works upon hci_unregister_dev()' + mainline: 0d151a103775dd9645c78c97f77d6e2a5298d913 + backport: 43df6e148cb43ad243a345291d8ddc2cea7786ce +a5c4645346b0efb5a10ed28ae281a9af29037608: + title: 'fs: better handle deep ancestor chains in is_subdir()' + mainline: 391b59b045004d5b985d033263ccba3e941a7740 + backport: fe34d279afd5186910b42c6ccf419f32552f6eab +4f5e56dddabe947cc840ffb2db60d9df6ca9e8b9: + title: 'spi: imx: Don''t expect DMA for i.MX{25,35,50,51,53} cspi devices' + mainline: ce1dac560a74220f2e53845ec0723b562288aed4 + backport: 4e4a79155c2fe74dd5aea4e56b96923d39d50408 +d5e9dddd18fdfe04772bce07d4a34e39e7b1e402: + title: 'selftests/vDSO: fix clang build errors and warnings' + mainline: 73810cd45b99c6c418e1c6a487b52c1e74edb20d + backport: 010cabb684a2904c698713694a24cb0c99d24f41 +72805debec8f7aa342da194fe0ed7bc8febea335: + title: 'hfsplus: fix uninit-value in copy_name' + mainline: 0570730c16307a72f8241df12363f76600baf57d + backport: 7cc7fff373ff4131e0db0e9f099913b524cd0275 +d30ff33040834c3b9eee29740acd92f9c7ba2250: + title: 'filelock: Remove locks reliably when fcntl/close race is detected' + mainline: 3cad1bc010416c6dd780643476bc59ed742436b9 + backport: 0092a371ee34e3dc89e46d1267ee614d60026158 +41a5c1717bf4ad1b6084e8682de64b178eabc059: + title: 'ARM: 9324/1: fix get_user() broken with veneer' + mainline: 24d3ba0a7b44c1617c27f5045eecc4f34752ab03 + backport: a650c33ed9edba733de822a47397ead4c1ebc2fb +c9d6e349f7aad4ab9c557047d357df256c15f25e: + title: 'ACPI: processor_idle: Fix invalid comparison with insertion sort for latency' + mainline: 233323f9b9f828cd7cd5145ad811c1990b692542 + backport: f70e0950f817b75ed1f01859f15d9c2b6a37dba2 +7de00adc9bd035d861ba4177848ca0bfa5ed1e04: + title: 'net: relax socket state check at accept time.' + mainline: 26afda78cda3da974fd4c287962c169e9462c495 + backport: aac14d323840fa0e71308002c051ce8174804c77 +13d38c00df97289e6fba2e54193959293fd910d2: + title: 'ocfs2: add bounds checking to ocfs2_check_dir_entry()' + mainline: 255547c6bb8940a97eea94ef9d464ea5967763fb + backport: 3c99e72be6bf85c5e3e19ddf0e1a38a9eebbd4a6 +7f91bd0f2941fa36449ce1a15faaa64f840d9746: + title: 'jfs: don''t walk off the end of ealist' + mainline: d0fa70aca54c8643248e89061da23752506ec0d4 + backport: 7f65c3bae2493c58ef7d6ef1bf9ce717c71fb87d +a561145f3ae973ebf3e0aee41624e92a6c5cb38d: + title: 'filelock: Fix fcntl/close race recovery compat path' + mainline: f8138f2ad2f745b9a1c696a05b749eabe44337ea + backport: a429e9177821cfc3fc4b316b64e431ae613319c3 diff --git a/Makefile b/Makefile index 1495f89ca09d..1c92795b18c7 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 VERSION = 4 PATCHLEVEL = 14 -SUBLEVEL = 351 +SUBLEVEL = 352 EXTRAVERSION = -openela NAME = Petit Gorille