From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 44048C4332F for ; Thu, 13 Oct 2022 18:02:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230461AbiJMSCe (ORCPT ); Thu, 13 Oct 2022 14:02:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59260 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230350AbiJMSCI (ORCPT ); Thu, 13 Oct 2022 14:02:08 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B65B613331D; Thu, 13 Oct 2022 11:01:49 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 1C96961926; Thu, 13 Oct 2022 17:58:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1933DC433C1; Thu, 13 Oct 2022 17:58:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683934; bh=cUcTAyfiGD90tgpRNKHa/Zr0CnwqHXDM72pjPAcUCIM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bW0RW2fev3ZHuTu/SVY/RXWmPwQb8eZu1fWRU21fxMY+4+1ROe0ksVXor/jlrQNEs ur4JWYmOPOPspfRyFmeceviAsCh4PNT8UpBfcOl0Bwt3lzgfXo0tsJ0y1fEzYLQmva Bq5T9KYXn1dti60pKyg9R0svDbL6uldeoYNmi3Sc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ryusuke Konishi , syzbot+2b32eb36c1a825b7a74c@syzkaller.appspotmail.com, Tetsuo Handa , Andrew Morton Subject: [PATCH 5.19 01/33] nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level() Date: Thu, 13 Oct 2022 19:52:33 +0200 Message-Id: <20221013175145.284122320@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Ryusuke Konishi commit 21a87d88c2253350e115029f14fe2a10a7e6c856 upstream. If the i_mode field in inode of metadata files is corrupted on disk, it can cause the initialization of bmap structure, which should have been called from nilfs_read_inode_common(), not to be called. This causes a lockdep warning followed by a NULL pointer dereference at nilfs_bmap_lookup_at_level(). This patch fixes these issues by adding a missing sanitiy check for the i_mode field of metadata file's inode. Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmai= l.com Signed-off-by: Ryusuke Konishi Reported-by: syzbot+2b32eb36c1a825b7a74c@syzkaller.appspotmail.com Reported-by: Tetsuo Handa Tested-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- fs/nilfs2/inode.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -440,6 +440,8 @@ int nilfs_read_inode_common(struct inode inode->i_atime.tv_nsec =3D le32_to_cpu(raw_inode->i_mtime_nsec); inode->i_ctime.tv_nsec =3D le32_to_cpu(raw_inode->i_ctime_nsec); inode->i_mtime.tv_nsec =3D le32_to_cpu(raw_inode->i_mtime_nsec); + if (nilfs_is_metadata_file_inode(inode) && !S_ISREG(inode->i_mode)) + return -EIO; /* this inode is for metadata and corrupted */ if (inode->i_nlink =3D=3D 0) return -ESTALE; /* this inode is deleted */ From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0C207C43219 for ; Thu, 13 Oct 2022 18:28:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229987AbiJMS2P (ORCPT ); Thu, 13 Oct 2022 14:28:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37312 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231924AbiJMS13 (ORCPT ); Thu, 13 Oct 2022 14:27:29 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A680918A3E2; Thu, 13 Oct 2022 11:22:56 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 85ED7B8204B; Thu, 13 Oct 2022 17:59:14 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E0074C433C1; Thu, 13 Oct 2022 17:59:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683953; bh=7lrOG+XELFk1IIcIKmG8btdaYc1FlQlU2Ev0FtNv+Y0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=B9f4HS7/pHnV5P14uWo9RiBYMqIPArxCEOAEHFrJyEBGfTsta4J9aPvUnBhOQoaiG B4WjSDHl1UPyNByCgUEOL8pSEEMi5yvf9r4+YEAgQDcOPuEp9xVfD12TBjIJ3DZcx8 mCpxu290OzK4/eLGkys/lRnXOO72tgb53QAnVptU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ryusuke Konishi , syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com, Khalid Masum , Andrew Morton Subject: [PATCH 5.19 02/33] nilfs2: fix use-after-free bug of struct nilfs_root Date: Thu, 13 Oct 2022 19:52:34 +0200 Message-Id: <20221013175145.312497204@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Ryusuke Konishi commit d325dc6eb763c10f591c239550b8c7e5466a5d09 upstream. If the beginning of the inode bitmap area is corrupted on disk, an inode with the same inode number as the root inode can be allocated and fail soon after. In this case, the subsequent call to nilfs_clear_inode() on that bogus root inode will wrongly decrement the reference counter of struct nilfs_root, and this will erroneously free struct nilfs_root, causing kernel oopses. This fixes the problem by changing nilfs_new_inode() to skip reserved inode numbers while repairing the inode bitmap. Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmai= l.com Signed-off-by: Ryusuke Konishi Reported-by: syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com Reported-by: Khalid Masum Tested-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- fs/nilfs2/inode.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -328,6 +328,7 @@ struct inode *nilfs_new_inode(struct ino struct inode *inode; struct nilfs_inode_info *ii; struct nilfs_root *root; + struct buffer_head *bh; int err =3D -ENOMEM; ino_t ino; =20 @@ -343,11 +344,25 @@ struct inode *nilfs_new_inode(struct ino ii->i_state =3D BIT(NILFS_I_NEW); ii->i_root =3D root; =20 - err =3D nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh); + err =3D nilfs_ifile_create_inode(root->ifile, &ino, &bh); if (unlikely(err)) goto failed_ifile_create_inode; /* reference count of i_bh inherits from nilfs_mdt_read_block() */ =20 + if (unlikely(ino < NILFS_USER_INO)) { + nilfs_warn(sb, + "inode bitmap is inconsistent for reserved inodes"); + do { + brelse(bh); + err =3D nilfs_ifile_create_inode(root->ifile, &ino, &bh); + if (unlikely(err)) + goto failed_ifile_create_inode; + } while (ino < NILFS_USER_INO); + + nilfs_info(sb, "repaired inode bitmap for reserved inodes"); + } + ii->i_bh =3D bh; + atomic64_inc(&root->inodes_count); inode_init_owner(&init_user_ns, inode, dir, mode); inode->i_ino =3D ino; From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B7C5AC43219 for ; Thu, 13 Oct 2022 18:04:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230369AbiJMSEn (ORCPT ); Thu, 13 Oct 2022 14:04:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34224 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230386AbiJMSDJ (ORCPT ); Thu, 13 Oct 2022 14:03:09 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9E973152C43; Thu, 13 Oct 2022 11:02:55 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 9F5BB61944; Thu, 13 Oct 2022 17:59:16 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AEE73C433D6; Thu, 13 Oct 2022 17:59:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683956; bh=4/0gbWRoGgXhcpCItadg29FCqoOIDIWdJPHkOeinRzA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MKDsUS2ZW3MV2CqY8QXt7BnAgc80+wT+eAjSoeEYLlFRzBz0r+6389psQe/DCEoxk z8OVK77hu9nnTx9ZdB94AksDbcZB0KlMcK4PFuIRCM4k9cEb2PkP/lpdMw9vLFyXIU hAhwXiE30dXofio9WxmvmzeV1dIvIoYKkm81Anf8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ryusuke Konishi , syzbot+7381dc4ad60658ca4c05@syzkaller.appspotmail.com, Andrew Morton Subject: [PATCH 5.19 03/33] nilfs2: fix leak of nilfs_root in case of writer thread creation failure Date: Thu, 13 Oct 2022 19:52:35 +0200 Message-Id: <20221013175145.342219247@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Ryusuke Konishi commit d0d51a97063db4704a5ef6bc978dddab1636a306 upstream. If nilfs_attach_log_writer() failed to create a log writer thread, it frees a data structure of the log writer without any cleanup. After commit e912a5b66837 ("nilfs2: use root object to get ifile"), this causes a leak of struct nilfs_root, which started to leak an ifile metadata inode and a kobject on that struct. In addition, if the kernel is booted with panic_on_warn, the above ifile metadata inode leak will cause the following panic when the nilfs2 kernel module is removed: kmem_cache_destroy nilfs2_inode_cache: Slab cache still has objects when called from nilfs_destroy_cachep+0x16/0x3a [nilfs2] WARNING: CPU: 8 PID: 1464 at mm/slab_common.c:494 kmem_cache_destroy+0x13= 8/0x140 ... RIP: 0010:kmem_cache_destroy+0x138/0x140 Code: 00 20 00 00 e8 a9 55 d8 ff e9 76 ff ff ff 48 8b 53 60 48 c7 c6 20 7= 0 65 86 48 c7 c7 d8 69 9c 86 48 8b 4c 24 28 e8 ef 71 c7 00 <0f> 0b e9 53 ff= ff ff c3 48 81 ff ff 0f 00 00 77 03 31 c0 c3 53 48 ... Call Trace: ? nilfs_palloc_freev.cold.24+0x58/0x58 [nilfs2] nilfs_destroy_cachep+0x16/0x3a [nilfs2] exit_nilfs_fs+0xa/0x1b [nilfs2] __x64_sys_delete_module+0x1d9/0x3a0 ? __sanitizer_cov_trace_pc+0x1a/0x50 ? syscall_trace_enter.isra.19+0x119/0x190 do_syscall_64+0x34/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd ... Kernel panic - not syncing: panic_on_warn set ... This patch fixes these issues by calling nilfs_detach_log_writer() cleanup function if spawning the log writer thread fails. Link: https://lkml.kernel.org/r/20221007085226.57667-1-konishi.ryusuke@gmai= l.com Fixes: e912a5b66837 ("nilfs2: use root object to get ifile") Signed-off-by: Ryusuke Konishi Reported-by: syzbot+7381dc4ad60658ca4c05@syzkaller.appspotmail.com Tested-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- fs/nilfs2/segment.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -2786,10 +2786,9 @@ int nilfs_attach_log_writer(struct super inode_attach_wb(nilfs->ns_bdev->bd_inode, NULL); =20 err =3D nilfs_segctor_start_thread(nilfs->ns_writer); - if (err) { - kfree(nilfs->ns_writer); - nilfs->ns_writer =3D NULL; - } + if (unlikely(err)) + nilfs_detach_log_writer(sb); + return err; } From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8FAD7C433FE for ; Thu, 13 Oct 2022 18:04:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230499AbiJMSEr (ORCPT ); Thu, 13 Oct 2022 14:04:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58142 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229905AbiJMSDS (ORCPT ); Thu, 13 Oct 2022 14:03:18 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4AD57160EF2; Thu, 13 Oct 2022 11:03:03 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 804D761932; Thu, 13 Oct 2022 17:59:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 91A75C433C1; Thu, 13 Oct 2022 17:59:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683968; bh=T5hUlJubGs9iN1Cr22GehC2ffTzgTKc0wkupXsH0j3A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nD3dFIh6WubljEvy960Q3y1ZDFULDS+LDshobU8yA/nY7nU2fyzw0dtXk8ZOeqVDL K1xG9D5YId19t6uSyqpoHSrcvSfC1Z4X63RYH/cMpWoB3EyS5C4qYRuSj4P4pBN1hL Qjq3dMZSRJB3k180U+P0jmxU2wsE8aOOuwtZu6dY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ryusuke Konishi , syzbot+fbb3e0b24e8dae5a16ee@syzkaller.appspotmail.com, Andrew Morton Subject: [PATCH 5.19 04/33] nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure Date: Thu, 13 Oct 2022 19:52:36 +0200 Message-Id: <20221013175145.371745826@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Ryusuke Konishi commit 723ac751208f6d6540191689cfbf6c77135a7a1b upstream. If creation or finalization of a checkpoint fails due to anomalies in the checkpoint metadata on disk, a kernel warning is generated. This patch replaces the WARN_ONs by nilfs_error, so that a kernel, booted with panic_on_warn, does not panic. A nilfs_error is appropriate here to handle the abnormal filesystem condition. This also replaces the detected error codes with an I/O error so that neither of the internal error codes is returned to callers. Link: https://lkml.kernel.org/r/20220929123330.19658-1-konishi.ryusuke@gmai= l.com Signed-off-by: Ryusuke Konishi Reported-by: syzbot+fbb3e0b24e8dae5a16ee@syzkaller.appspotmail.com Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- fs/nilfs2/segment.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -875,9 +875,11 @@ static int nilfs_segctor_create_checkpoi nilfs_mdt_mark_dirty(nilfs->ns_cpfile); nilfs_cpfile_put_checkpoint( nilfs->ns_cpfile, nilfs->ns_cno, bh_cp); - } else - WARN_ON(err =3D=3D -EINVAL || err =3D=3D -ENOENT); - + } else if (err =3D=3D -EINVAL || err =3D=3D -ENOENT) { + nilfs_error(sci->sc_super, + "checkpoint creation failed due to metadata corruption."); + err =3D -EIO; + } return err; } =20 @@ -891,7 +893,11 @@ static int nilfs_segctor_fill_in_checkpo err =3D nilfs_cpfile_get_checkpoint(nilfs->ns_cpfile, nilfs->ns_cno, 0, &raw_cp, &bh_cp); if (unlikely(err)) { - WARN_ON(err =3D=3D -EINVAL || err =3D=3D -ENOENT); + if (err =3D=3D -EINVAL || err =3D=3D -ENOENT) { + nilfs_error(sci->sc_super, + "checkpoint finalization failed due to metadata corruption."); + err =3D -EIO; + } goto failed_ibh; } raw_cp->cp_snapshot_list.ssl_next =3D 0; From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E57DCC4332F for ; Thu, 13 Oct 2022 18:09:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231205AbiJMSJJ (ORCPT ); Thu, 13 Oct 2022 14:09:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46892 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231680AbiJMSIc (ORCPT ); Thu, 13 Oct 2022 14:08:32 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 689DF169129; Thu, 13 Oct 2022 11:06:06 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 5FAF561939; Thu, 13 Oct 2022 17:59:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 61ED7C433D6; Thu, 13 Oct 2022 17:59:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683971; bh=Z8sVtd3LR/Wlz+vDZJp0UhS6gX76XtrAS7OWntiXtaM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UEKGKLjrFSbH+2RpIQqW7gyxYfk+s/is5cxtaAWhAQuvK8lC65rW/hXH87OwEZ8Rt 40sRTCkypWuyElgr1+3IHQUTlTCS+BL7ncrlPs7mD6Vv16TmaycCOWKf+uJrGwHYi9 NMWPTj7oZT7ZkAG2LpuHsBlnn+vOcybLYr3JiaUc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hu Weiwen , Xiubo Li , Ilya Dryomov Subject: [PATCH 5.19 05/33] ceph: dont truncate file in atomic_open Date: Thu, 13 Oct 2022 19:52:37 +0200 Message-Id: <20221013175145.405997424@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Hu Weiwen commit 7cb9994754f8a36ae9e5ec4597c5c4c2d6c03832 upstream. Clear O_TRUNC from the flags sent in the MDS create request. `atomic_open' is called before permission check. We should not do any modification to the file here. The caller will do the truncation afterward. Fixes: 124e68e74099 ("ceph: file operations") Signed-off-by: Hu Weiwen Reviewed-by: Xiubo Li Signed-off-by: Ilya Dryomov [Xiubo: fixed a trivial conflict for 5.19 backport] Signed-off-by: Xiubo Li Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- fs/ceph/file.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/fs/ceph/file.c +++ b/fs/ceph/file.c @@ -740,6 +740,12 @@ int ceph_atomic_open(struct inode *dir, if (dentry->d_name.len > NAME_MAX) return -ENAMETOOLONG; =20 + /* + * Do not truncate the file, since atomic_open is called before the + * permission check. The caller will do the truncation afterward. + */ + flags &=3D ~O_TRUNC; + if (flags & O_CREAT) { if (ceph_quota_is_max_files_exceeded(dir)) return -EDQUOT; @@ -807,9 +813,7 @@ retry: } =20 set_bit(CEPH_MDS_R_PARENT_LOCKED, &req->r_req_flags); - err =3D ceph_mdsc_do_request(mdsc, - (flags & (O_CREAT|O_TRUNC)) ? dir : NULL, - req); + err =3D ceph_mdsc_do_request(mdsc, (flags & O_CREAT) ? dir : NULL, req); if (err =3D=3D -ENOENT) { dentry =3D ceph_handle_snapdir(req, dentry); if (IS_ERR(dentry)) { From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D9921C4332F for ; Thu, 13 Oct 2022 18:05:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230024AbiJMSFP (ORCPT ); Thu, 13 Oct 2022 14:05:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34782 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230521AbiJMSDX (ORCPT ); Thu, 13 Oct 2022 14:03:23 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C2DD9152C6D; Thu, 13 Oct 2022 11:03:09 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E174F61940; Thu, 13 Oct 2022 17:59:35 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E6558C433C1; Thu, 13 Oct 2022 17:59:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683975; bh=TtqNUNWlPTyKk3R9AHqRdsMadV8TWTbVuO0bnrdbaEg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=q4tvDJZHpVjjg0NSCnpXUHN34wK9qSCAbHyBL21yO3eoe94H0iNd8i+J5Hg/JD4Aa f4hCOrhDQy9y5qWbRBA0pkOM8Wh6TvtqriKgKn2KnP7uwkEawPx2y7I0npzXRaBo0n iAeZXU+XoATwdPZKKD6odGwjKLU5oqsGDn9SJWDM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Rishabh Bhatnagar , Christoph Hellwig Subject: [PATCH 5.19 06/33] nvme-pci: set min_align_mask before calculating max_hw_sectors Date: Thu, 13 Oct 2022 19:52:38 +0200 Message-Id: <20221013175145.442325068@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Rishabh Bhatnagar commit 61ce339f19fabbc3e51237148a7ef6f2270e44fa upstream. If swiotlb is force enabled dma_max_mapping_size ends up calling swiotlb_max_mapping_size which takes into account the min align mask for the device. Set the min align mask for nvme driver before calling dma_max_mapping_size while calculating max hw sectors. Signed-off-by: Rishabh Bhatnagar Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/nvme/host/pci.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -2825,6 +2825,8 @@ static void nvme_reset_work(struct work_ goto out; } =20 + dma_set_min_align_mask(dev->dev, NVME_CTRL_PAGE_SIZE - 1); + /* * If we're called to reset a live controller first shut it down before * moving on. @@ -2858,7 +2860,6 @@ static void nvme_reset_work(struct work_ * Don't limit the IOMMU merged segment size. */ dma_set_max_seg_size(dev->dev, 0xffffffff); - dma_set_min_align_mask(dev->dev, NVME_CTRL_PAGE_SIZE - 1); =20 mutex_unlock(&dev->shutdown_lock); From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BBDA6C4332F for ; Thu, 13 Oct 2022 18:29:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231934AbiJMS3X (ORCPT ); Thu, 13 Oct 2022 14:29:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37676 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231712AbiJMS27 (ORCPT ); Thu, 13 Oct 2022 14:28:59 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 49599189828; Thu, 13 Oct 2022 11:24:17 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 60C9AB82054; Thu, 13 Oct 2022 17:59:39 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BAB0DC433D6; Thu, 13 Oct 2022 17:59:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683978; bh=dJedo5s/cX6DAlf+BtxI9nuAynqWpllp7eHF1Gc1I+g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=h7VbJwb9kn+RXONNJU0+jIjS+Cell5Xh7qOoBVgU8SP8z3uaOfkiRsV+vIZbidvkz KLtvVV++iGEFjpB38f72eUI8BirCR/+qlCcOJ4lEZblOw4RKADINHBAOdxTF+ho2xI /7XntzHy628wH9/bi4Rd559S4Rwh7EzwWXo/PW8E= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Guozihua , Zhongguohua , Al Viro , Theodore Tso , Andrew Lutomirski , "Jason A. Donenfeld" Subject: [PATCH 5.19 07/33] random: restore O_NONBLOCK support Date: Thu, 13 Oct 2022 19:52:39 +0200 Message-Id: <20221013175145.478477562@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jason A. Donenfeld commit cd4f24ae9404fd31fc461066e57889be3b68641b upstream. Prior to 5.6, when /dev/random was opened with O_NONBLOCK, it would return -EAGAIN if there was no entropy. When the pools were unified in 5.6, this was lost. The post 5.6 behavior of blocking until the pool is initialized, and ignoring O_NONBLOCK in the process, went unnoticed, with no reports about the regression received for two and a half years. However, eventually this indeed did break somebody's userspace. So we restore the old behavior, by returning -EAGAIN if the pool is not initialized. Unlike the old /dev/random, this can only occur during early boot, after which it never blocks again. In order to make this O_NONBLOCK behavior consistent with other expectations, also respect users reading with preadv2(RWF_NOWAIT) and similar. Fixes: 30c08efec888 ("random: make /dev/random be almost like /dev/urandom") Reported-by: Guozihua Reported-by: Zhongguohua Cc: Al Viro Cc: Theodore Ts'o Cc: Andrew Lutomirski Cc: stable@vger.kernel.org Signed-off-by: Jason A. Donenfeld Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/char/mem.c | 4 ++-- drivers/char/random.c | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -706,8 +706,8 @@ static const struct memdev { #endif [5] =3D { "zero", 0666, &zero_fops, FMODE_NOWAIT }, [7] =3D { "full", 0666, &full_fops, 0 }, - [8] =3D { "random", 0666, &random_fops, 0 }, - [9] =3D { "urandom", 0666, &urandom_fops, 0 }, + [8] =3D { "random", 0666, &random_fops, FMODE_NOWAIT }, + [9] =3D { "urandom", 0666, &urandom_fops, FMODE_NOWAIT }, #ifdef CONFIG_PRINTK [11] =3D { "kmsg", 0644, &kmsg_fops, 0 }, #endif --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1330,6 +1330,11 @@ static ssize_t random_read_iter(struct k { int ret; =20 + if (!crng_ready() && + ((kiocb->ki_flags & (IOCB_NOWAIT | IOCB_NOIO)) || + (kiocb->ki_filp->f_flags & O_NONBLOCK))) + return -EAGAIN; + ret =3D wait_for_random_bytes(); if (ret !=3D 0) return ret; From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 166F5C4332F for ; Thu, 13 Oct 2022 18:06:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231463AbiJMSGS (ORCPT ); Thu, 13 Oct 2022 14:06:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36100 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231281AbiJMSD7 (ORCPT ); Thu, 13 Oct 2022 14:03:59 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8EB71157F68; Thu, 13 Oct 2022 11:03:44 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 07413B8204A; Thu, 13 Oct 2022 17:59:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8EE40C433C1; Thu, 13 Oct 2022 17:59:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683981; bh=AHNUl8UA0Xu7B/6vMkbigBdeVNdDURdugPOvYBgn3Dw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ysZU41TOVqXAAC+vIeYahfOuaDlW9uBZt6IPDSAOz0JECZTNo8xr5GnbihNz+YQhM jEf2HgjPK0JY5iqf3REVF/L9Myc5fzkbp5kg62H4Z/n9nk3FEiDDSiMmOZ3bimxsEU DZu+WtbIuLZrMlY1FICMozUpUTO1m+36DF//15cg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Jason A. Donenfeld" Subject: [PATCH 5.19 08/33] random: clamp credited irq bits to maximum mixed Date: Thu, 13 Oct 2022 19:52:40 +0200 Message-Id: <20221013175145.515746744@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jason A. Donenfeld commit e78a802a7b4febf53f2a92842f494b01062d85a8 upstream. Since the most that's mixed into the pool is sizeof(long)*2, don't credit more than that many bytes of entropy. Fixes: e3e33fc2ea7f ("random: do not use input pool from hard IRQs") Cc: stable@vger.kernel.org Signed-off-by: Jason A. Donenfeld Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/char/random.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -989,7 +989,7 @@ static void mix_interrupt_randomness(str local_irq_enable(); =20 mix_pool_bytes(pool, sizeof(pool)); - credit_init_bits(max(1u, (count & U16_MAX) / 64)); + credit_init_bits(clamp_t(unsigned int, (count & U16_MAX) / 64, 1, sizeof(= pool) * 8)); =20 memzero_explicit(pool, sizeof(pool)); } From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA0E0C433FE for ; Thu, 13 Oct 2022 18:40:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232102AbiJMSkf (ORCPT ); Thu, 13 Oct 2022 14:40:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40826 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230417AbiJMSkB (ORCPT ); Thu, 13 Oct 2022 14:40:01 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6C9E41AF2C; Thu, 13 Oct 2022 11:37:53 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C97F6B82053; Thu, 13 Oct 2022 17:59:45 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2ED85C433D6; Thu, 13 Oct 2022 17:59:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683984; bh=YzomB7J4BsTWMhyhV0465aLsGEaRBA/Q+cVNwoCa4xM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mF2VeCdM/PEHI1RkiYJxS0RgrKMuLTz3h4d64QptTuZOL11crC0Jjd6nfESXdEPhR eidS2o9y6D9ikhnlNaaZQyYs1eRpkFf0LTptiBwskl8SIdJ/eyCfKV4P1tc00AY4Ms MnOcmQr7cRcSgqjX/YmS0oS4d0IgxTCs3Ekhp2nQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takashi Iwai , Hans de Goede Subject: [PATCH 5.19 09/33] ALSA: hda: Fix position reporting on Poulsbo Date: Thu, 13 Oct 2022 19:52:41 +0200 Message-Id: <20221013175145.560683354@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Takashi Iwai commit 56e696c0f0c71b77fff921fc94b58a02f0445b2c upstream. Hans reported that his Sony VAIO VPX11S1E showed the broken sound behavior at the start of the stream for a couple of seconds, and it turned out that the position_fix=3D1 option fixes the issue. It implies that the position reporting is inaccurate, and very likely hitting on all Poulsbo devices. The patch applies the workaround for Poulsbo generically to switch to LPIB mode instead of the default position buffer. Reported-and-tested-by: Hans de Goede Cc: Link: https://lore.kernel.org/r/3e8697e1-87c6-7a7b-d2e8-b21f1d2f181b@redhat= .com Link: https://lore.kernel.org/r/20221001142124.7241-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- sound/pci/hda/hda_intel.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c @@ -2554,7 +2554,8 @@ static const struct pci_device_id azx_id .driver_data =3D AZX_DRIVER_SCH | AZX_DCAPS_INTEL_PCH_NOPM }, /* Poulsbo */ { PCI_DEVICE(0x8086, 0x811b), - .driver_data =3D AZX_DRIVER_SCH | AZX_DCAPS_INTEL_PCH_BASE }, + .driver_data =3D AZX_DRIVER_SCH | AZX_DCAPS_INTEL_PCH_BASE | + AZX_DCAPS_POSFIX_LPIB }, /* Oaktrail */ { PCI_DEVICE(0x8086, 0x080a), .driver_data =3D AZX_DRIVER_SCH | AZX_DCAPS_INTEL_PCH_BASE }, From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8859BC433FE for ; Thu, 13 Oct 2022 18:07:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231451AbiJMSHm (ORCPT ); Thu, 13 Oct 2022 14:07:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46914 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231396AbiJMSF5 (ORCPT ); Thu, 13 Oct 2022 14:05:57 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A1CDC402E6; Thu, 13 Oct 2022 11:05:02 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 55C4D6193E; Thu, 13 Oct 2022 17:58:58 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4284DC433C1; Thu, 13 Oct 2022 17:58:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683937; bh=R9j/96IoVeZngWhfbldLsT3XRXlyrXbZ8yhjwXM1yYI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BphwbBxECrQIZqlsFztmOTVnW/NposE5LAO6pzqWkbX0PZ7D1SeHr52Cs94iJFydw B5ubfSfwX2op2JMEHI4zk+d4cgl45tsgN3gkESseWP8O9/hFQnlkpWsU4s0SMV7lgx 5P+I22smy1bIHAJwCELw2s2RQVHN27XJMPvpuFNk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takashi Iwai Subject: [PATCH 5.19 10/33] ALSA: hda/realtek: Add quirk for HP Zbook Firefly 14 G9 model Date: Thu, 13 Oct 2022 19:52:42 +0200 Message-Id: <20221013175145.590055976@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Takashi Iwai commit 225f6e1bc151978041595c7d2acaded3aac41f54 upstream. HP Zbook Firefly 14 G9 model (103c:8abb) requires yet another binding with CS35L41 codec, but with a slightly different configuration. It's over spi1 instead of spi0. Create a new fixup entry for that. Cc: Link: https://lore.kernel.org/r/20220929061455.13355-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- sound/pci/hda/patch_realtek.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -6717,6 +6717,11 @@ static void cs35l41_fixup_spi_two(struct cs35l41_generic_fixup(codec, action, "spi0", "CSC3551", 2); } =20 +static void cs35l41_fixup_spi1_two(struct hda_codec *codec, const struct h= da_fixup *fix, int action) +{ + cs35l41_generic_fixup(codec, action, "spi1", "CSC3551", 2); +} + static void cs35l41_fixup_spi_four(struct hda_codec *codec, const struct h= da_fixup *fix, int action) { cs35l41_generic_fixup(codec, action, "spi0", "CSC3551", 4); @@ -7102,6 +7107,8 @@ enum { ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED, ALC245_FIXUP_CS35L41_SPI_2, ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED, + ALC245_FIXUP_CS35L41_SPI1_2, + ALC245_FIXUP_CS35L41_SPI1_2_HP_GPIO_LED, ALC245_FIXUP_CS35L41_SPI_4, ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED, ALC285_FIXUP_HP_SPEAKERS_MICMUTE_LED, @@ -8948,6 +8955,16 @@ static const struct hda_fixup alc269_fix .chained =3D true, .chain_id =3D ALC285_FIXUP_HP_GPIO_LED, }, + [ALC245_FIXUP_CS35L41_SPI1_2] =3D { + .type =3D HDA_FIXUP_FUNC, + .v.func =3D cs35l41_fixup_spi1_two, + }, + [ALC245_FIXUP_CS35L41_SPI1_2_HP_GPIO_LED] =3D { + .type =3D HDA_FIXUP_FUNC, + .v.func =3D cs35l41_fixup_spi1_two, + .chained =3D true, + .chain_id =3D ALC285_FIXUP_HP_GPIO_LED, + }, [ALC245_FIXUP_CS35L41_SPI_4] =3D { .type =3D HDA_FIXUP_FUNC, .v.func =3D cs35l41_fixup_spi_four, @@ -9306,6 +9323,7 @@ static const struct snd_pci_quirk alc269 SND_PCI_QUIRK(0x103c, 0x8aa3, "HP ProBook 450 G9 (MB 8AA1)", ALC236_FIXUP= _HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8aa8, "HP EliteBook 640 G9 (MB 8AA6)", ALC236_FIX= UP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8aab, "HP EliteBook 650 G9 (MB 8AA9)", ALC236_FIX= UP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8abb, "HP ZBook Firefly 14 G9", ALC245_FIXUP_CS3= 5L41_SPI1_2_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8ad1, "HP EliteBook 840 14 inch G9 Notebook PC", = ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8ad2, "HP EliteBook 860 16 inch G9 Notebook PC", = ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1B221C4332F for ; Thu, 13 Oct 2022 18:07:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231571AbiJMSHU (ORCPT ); Thu, 13 Oct 2022 14:07:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38462 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231207AbiJMSFJ (ORCPT ); Thu, 13 Oct 2022 14:05:09 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C64B4157F45; Thu, 13 Oct 2022 11:04:33 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id BA9AA61941; Thu, 13 Oct 2022 17:59:01 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B1787C433C1; Thu, 13 Oct 2022 17:59:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683941; bh=R56tc7ab5Ae7BCl75vsYTgnxuRRQc6ZCGNdTc3leahg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Pqqjf8IfVdSiADsbvp0iwQ4PPMN6AXHEj/xv5dQalbAfsiB5fODVocU6PDuzmfrE3 TsMpLNvETAu4ghBHBXWbgesOj0XbSaYSCOUvI/nlp8HEz9qUh+n9gORewijKrO6zsL 5zAxyyqCQQ4FYQ7svXIHraWs7ien7IhzLpK6SkpM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Aditya Garg , Samuel Jiang , Orlando Chamberlain , Mimi Zohar Subject: [PATCH 5.19 11/33] efi: Correct Macmini DMI match in uefi cert quirk Date: Thu, 13 Oct 2022 19:52:43 +0200 Message-Id: <20221013175145.629145950@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Orlando Chamberlain commit bab715bdaa9ebf28d99a6d1efb2704a30125e96d upstream. It turns out Apple doesn't capitalise the "mini" in "Macmini" in DMI, which is inconsistent with other model line names. Correct the capitalisation of Macmini in the quirk for skipping loading platform certs on T2 Macs. Currently users get: Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee ------------[ cut here ]------------ [Firmware Bug]: Page fault caused by firmware at PA: 0xffffa30640054000 WARNING: CPU: 1 PID: 8 at arch/x86/platform/efi/quirks.c:735 efi_crash_grac= efully_on_page_fault+0x55/0xe0 Modules linked in: CPU: 1 PID: 8 Comm: kworker/u12:0 Not tainted 5.18.14-arch1-2-t2 #1 4535eb3= fc40fd08edab32a509fbf4c9bc52d111e Hardware name: Apple Inc. Macmini8,1/Mac-7BA5B2DFE22DDD8C, BIOS 1731.120.10= .0.0 (iBridge: 19.16.15071.0.0,0) 04/24/2022 Workqueue: efi_rts_wq efi_call_rts ... ---[ end trace 0000000000000000 ]--- efi: Froze efi_rts_wq and disabled EFI Runtime Services integrity: Couldn't get size: 0x8000000000000015 integrity: MODSIGN: Couldn't get UEFI db list efi: EFI Runtime Services are disabled! integrity: Couldn't get size: 0x8000000000000015 integrity: Couldn't get UEFI dbx list Fixes: 155ca952c7ca ("efi: Do not import certificates from UEFI Secure Boot= for T2 Macs") Cc: stable@vger.kernel.org Cc: Aditya Garg Tested-by: Samuel Jiang Signed-off-by: Orlando Chamberlain Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman --- security/integrity/platform_certs/load_uefi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -31,7 +31,7 @@ static const struct dmi_system_id uefi_s { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,1") }, { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,2") }, { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir9,1") }, - { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacMini8,1") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "Macmini8,1") }, { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") }, { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") }, { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") }, From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04E04C4332F for ; Thu, 13 Oct 2022 18:13:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231401AbiJMSNJ (ORCPT ); Thu, 13 Oct 2022 14:13:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38204 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231751AbiJMSM1 (ORCPT ); Thu, 13 Oct 2022 14:12:27 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 384FE1757A1; Thu, 13 Oct 2022 11:09:04 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4D2F96192A; Thu, 13 Oct 2022 17:59:05 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 317D7C433D7; Thu, 13 Oct 2022 17:59:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683944; bh=u3wOX1M1rrknB6ZGLhBuFpeKJ4/JbNruxTQnEpNP1yA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PdZz7uRw5uik7ZlLHGARjXQU7Zwrzx8NxUnH4rGCu8qaiqPNZn8Z6Ga9aCqVHhNP4 BLSznxnfCXPIyRW00N+aDeGV9aPaunp8xuB5HbFS+jy4u8RMBkzCr7wAPS0d9IIIU3 B84BgjEssHXys9J5qM+CQdPeMMGDqkGpp0XvrgJs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable@kernel.org, "James E.J. Bottomley" , "Martin K. Petersen" , Dan Carpenter , hdthky , Linus Torvalds Subject: [PATCH 5.19 12/33] scsi: stex: Properly zero out the passthrough command structure Date: Thu, 13 Oct 2022 19:52:44 +0200 Message-Id: <20221013175145.670977674@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Linus Torvalds commit 6022f210461fef67e6e676fd8544ca02d1bcfa7a upstream. The passthrough structure is declared off of the stack, so it needs to be set to zero before copied back to userspace to prevent any unintentional data leakage. Switch things to be statically allocated which will fill the unused fields with 0 automatically. Link: https://lore.kernel.org/r/YxrjN3OOw2HHl9tx@kroah.com Cc: stable@kernel.org Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: Dan Carpenter Reported-by: hdthky Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/scsi/stex.c | 17 +++++++++-------- include/scsi/scsi_cmnd.h | 2 +- 2 files changed, 10 insertions(+), 9 deletions(-) --- a/drivers/scsi/stex.c +++ b/drivers/scsi/stex.c @@ -665,16 +665,17 @@ static int stex_queuecommand_lck(struct return 0; case PASSTHRU_CMD: if (cmd->cmnd[1] =3D=3D PASSTHRU_GET_DRVVER) { - struct st_drvver ver; + const struct st_drvver ver =3D { + .major =3D ST_VER_MAJOR, + .minor =3D ST_VER_MINOR, + .oem =3D ST_OEM, + .build =3D ST_BUILD_VER, + .signature[0] =3D PASSTHRU_SIGNATURE, + .console_id =3D host->max_id - 1, + .host_no =3D hba->host->host_no, + }; size_t cp_len =3D sizeof(ver); =20 - ver.major =3D ST_VER_MAJOR; - ver.minor =3D ST_VER_MINOR; - ver.oem =3D ST_OEM; - ver.build =3D ST_BUILD_VER; - ver.signature[0] =3D PASSTHRU_SIGNATURE; - ver.console_id =3D host->max_id - 1; - ver.host_no =3D hba->host->host_no; cp_len =3D scsi_sg_copy_from_buffer(cmd, &ver, cp_len); if (sizeof(ver) =3D=3D cp_len) cmd->result =3D DID_OK << 16; --- a/include/scsi/scsi_cmnd.h +++ b/include/scsi/scsi_cmnd.h @@ -201,7 +201,7 @@ static inline unsigned int scsi_get_resi for_each_sg(scsi_sglist(cmd), sg, nseg, __i) =20 static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd, - void *buf, int buflen) + const void *buf, int buflen) { return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd), buf, buflen); From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 958F0C4332F for ; Thu, 13 Oct 2022 18:04:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231147AbiJMSEw (ORCPT ); Thu, 13 Oct 2022 14:04:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33672 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230456AbiJMSDW (ORCPT ); Thu, 13 Oct 2022 14:03:22 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 233DD152C5A; Thu, 13 Oct 2022 11:02:44 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 13A71B8204D; Thu, 13 Oct 2022 17:59:09 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 364FBC43140; Thu, 13 Oct 2022 17:59:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683947; bh=xm4dJk+a4xXbTCFuEdRLmVRDxS983Q+yBTlQeFFvqXU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kHQZZ3ud0OVJa/DzL9/AlRrdzff+jwVcDc2PlVU5AewSCtIM5UeBebAssT/K1bOtx c/tNFcUzRuM+68n25/+KIDY1saBkZPCYL1IrCt8bU9eWq1Of6tMFHUEQSt/B3w6TnT JXLTn+aZ5CHoYY3u1EDbnHf4K55FSpRKDPMsQUYI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Frank Wunderlich , Johan Hovold Subject: [PATCH 5.19 13/33] USB: serial: qcserial: add new usb-id for Dell branded EM7455 Date: Thu, 13 Oct 2022 19:52:45 +0200 Message-Id: <20221013175145.707906746@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Frank Wunderlich commit eee48781ea199e32c1d0c4732641c494833788ca upstream. Add support for Dell 5811e (EM7455) with USB-id 0x413c:0x81c2. Signed-off-by: Frank Wunderlich Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/usb/serial/qcserial.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/usb/serial/qcserial.c +++ b/drivers/usb/serial/qcserial.c @@ -177,6 +177,7 @@ static const struct usb_device_id id_tab {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobi= le Broadband Card (rev3) */ {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */ {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */ + {DEVICE_SWI(0x413c, 0x81c2)}, /* Dell Wireless 5811e */ {DEVICE_SWI(0x413c, 0x81cb)}, /* Dell Wireless 5816e QDL */ {DEVICE_SWI(0x413c, 0x81cc)}, /* Dell Wireless 5816e */ {DEVICE_SWI(0x413c, 0x81cf)}, /* Dell Wireless 5819 */ From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id ED93FC4332F for ; Thu, 13 Oct 2022 18:04:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231129AbiJMSDb (ORCPT ); Thu, 13 Oct 2022 14:03:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33966 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230484AbiJMSDC (ORCPT ); Thu, 13 Oct 2022 14:03:02 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AF6BD152C6F; Thu, 13 Oct 2022 11:02:47 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 1650E6194E; Thu, 13 Oct 2022 17:59:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1EEA3C433C1; Thu, 13 Oct 2022 17:59:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683950; bh=DdUGzI2prsvOQgSs5XCjWOCD4D1KUOHY03lBWxbnGn0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yfMu0Gp7yesb1UTRu+0H9HaJlvpZQ/8CP4aKbLRkDoLZgFj1yc7ngpzAu5K1aC6mm Cm/6MXprnjbBH1paO7+70IzQXmIhgmM632gD+vCq3l2FCboebl0JOm7no3E2fdw56n H//f/+Xc9QbjgmkisswDWwNAzucV/df3vqC1fAo8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ferry Toth , Andy Shevchenko Subject: [PATCH 5.19 14/33] Revert "USB: fixup for merge issue with "usb: dwc3: Dont switch OTG -> peripheral if extcon is present"" Date: Thu, 13 Oct 2022 19:52:46 +0200 Message-Id: <20221013175145.750236704@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Andy Shevchenko commit 2adc960ce79d3231b02f820daeee434542fe2911 upstream. This reverts commit 8bd6b8c4b1009d7d2662138d6bdc6fe58a9274c5. Prerequisite revert for the reverting of the original commit 0f0101719138. Fixes: 8bd6b8c4b100 ("USB: fixup for merge issue with "usb: dwc3: Don't swi= tch OTG -> peripheral if extcon is present"") Fixes: 0f0101719138 ("usb: dwc3: Don't switch OTG -> peripheral if extcon i= s present") Reported-by: Ferry Toth Cc: stable@vger.kernel.org Signed-off-by: Andy Shevchenko Tested-by: Ferry Toth # for Merrifield Link: https://lore.kernel.org/r/20220927155332.10762-2-andriy.shevchenko@li= nux.intel.com Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/usb/dwc3/core.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -1650,8 +1650,13 @@ static struct extcon_dev *dwc3_get_extco * This device property is for kernel internal use only and * is expected to be set by the glue code. */ - if (device_property_read_string(dev, "linux,extcon-name", &name) =3D=3D 0) - return extcon_get_extcon_dev(name); + if (device_property_read_string(dev, "linux,extcon-name", &name) =3D=3D 0= ) { + edev =3D extcon_get_extcon_dev(name); + if (!edev) + return ERR_PTR(-EPROBE_DEFER); + + return edev; + } =20 /* * Try to get an extcon device from the USB PHY controller's "port" From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C8C2FC433FE for ; Thu, 13 Oct 2022 18:07:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231552AbiJMSHL (ORCPT ); Thu, 13 Oct 2022 14:07:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58142 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231249AbiJMSDx (ORCPT ); Thu, 13 Oct 2022 14:03:53 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A0E78152C45; Thu, 13 Oct 2022 11:03:39 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 177F561950; Thu, 13 Oct 2022 18:00:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 23272C433D6; Thu, 13 Oct 2022 18:00:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684043; bh=dAi356NZYKsu2332PoP+xSDiNtF2zzin39/QY3Yol/8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ex3RTcvwDtEp2nkN0Y5bQMkeoy5vBc86AOr9Io3YrjfSHbdv4GKD81QFUkae3i0+E KhqU2DyboPBnyJXBVcT1tNyT7vRXusNfcXILvi2+3StrmrLdwF4Ntba4R3KIiISmx4 WNoy8eyM8tB51PYZJmnQZZtLasrRjJ9yaQXa1vlU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ferry Toth , Andy Shevchenko , Sven Peter Subject: [PATCH 5.19 15/33] Revert "usb: dwc3: Dont switch OTG -> peripheral if extcon is present" Date: Thu, 13 Oct 2022 19:52:47 +0200 Message-Id: <20221013175145.789903173@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Andy Shevchenko commit 7a84e7353e23202d4f82b05093af4db2b26e6768 upstream. This reverts commit 0f01017191384e3962fa31520a9fd9846c3d352f. As pointed out by Ferry this breaks Dual Role support on Intel Merrifield platforms. Fixes: 0f0101719138 ("usb: dwc3: Don't switch OTG -> peripheral if extcon i= s present") Reported-by: Ferry Toth Cc: stable@vger.kernel.org Signed-off-by: Andy Shevchenko Tested-by: Ferry Toth # for Merrifield Reviewed-by: Sven Peter Link: https://lore.kernel.org/r/20220927155332.10762-3-andriy.shevchenko@li= nux.intel.com Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/usb/dwc3/core.c | 55 -------------------------------------------= ----- drivers/usb/dwc3/drd.c | 50 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 54 deletions(-) --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -23,7 +23,6 @@ #include #include #include -#include #include #include #include @@ -86,7 +85,7 @@ static int dwc3_get_dr_mode(struct dwc3 * mode. If the controller supports DRD but the dr_mode is not * specified or set to OTG, then set the mode to peripheral. */ - if (mode =3D=3D USB_DR_MODE_OTG && !dwc->edev && + if (mode =3D=3D USB_DR_MODE_OTG && (!IS_ENABLED(CONFIG_USB_ROLE_SWITCH) || !device_property_read_bool(dwc->dev, "usb-role-switch")) && !DWC3_VER_IS_PRIOR(DWC3, 330A)) @@ -1634,51 +1633,6 @@ static void dwc3_check_params(struct dwc } } =20 -static struct extcon_dev *dwc3_get_extcon(struct dwc3 *dwc) -{ - struct device *dev =3D dwc->dev; - struct device_node *np_phy; - struct extcon_dev *edev =3D NULL; - const char *name; - - if (device_property_read_bool(dev, "extcon")) - return extcon_get_edev_by_phandle(dev, 0); - - /* - * Device tree platforms should get extcon via phandle. - * On ACPI platforms, we get the name from a device property. - * This device property is for kernel internal use only and - * is expected to be set by the glue code. - */ - if (device_property_read_string(dev, "linux,extcon-name", &name) =3D=3D 0= ) { - edev =3D extcon_get_extcon_dev(name); - if (!edev) - return ERR_PTR(-EPROBE_DEFER); - - return edev; - } - - /* - * Try to get an extcon device from the USB PHY controller's "port" - * node. Check if it has the "port" node first, to avoid printing the - * error message from underlying code, as it's a valid case: extcon - * device (and "port" node) may be missing in case of "usb-role-switch" - * or OTG mode. - */ - np_phy =3D of_parse_phandle(dev->of_node, "phys", 0); - if (of_graph_is_present(np_phy)) { - struct device_node *np_conn; - - np_conn =3D of_graph_get_remote_node(np_phy, -1, -1); - if (np_conn) - edev =3D extcon_find_edev_by_node(np_conn); - of_node_put(np_conn); - } - of_node_put(np_phy); - - return edev; -} - static int dwc3_probe(struct platform_device *pdev) { struct device *dev =3D &pdev->dev; @@ -1815,13 +1769,6 @@ static int dwc3_probe(struct platform_de goto err2; } =20 - dwc->edev =3D dwc3_get_extcon(dwc); - if (IS_ERR(dwc->edev)) { - ret =3D PTR_ERR(dwc->edev); - dev_err_probe(dwc->dev, ret, "failed to get extcon\n"); - goto err3; - } - ret =3D dwc3_get_dr_mode(dwc); if (ret) goto err3; --- a/drivers/usb/dwc3/drd.c +++ b/drivers/usb/dwc3/drd.c @@ -8,6 +8,7 @@ */ =20 #include +#include #include #include #include @@ -438,6 +439,51 @@ static int dwc3_drd_notifier(struct noti return NOTIFY_DONE; } =20 +static struct extcon_dev *dwc3_get_extcon(struct dwc3 *dwc) +{ + struct device *dev =3D dwc->dev; + struct device_node *np_phy; + struct extcon_dev *edev =3D NULL; + const char *name; + + if (device_property_read_bool(dev, "extcon")) + return extcon_get_edev_by_phandle(dev, 0); + + /* + * Device tree platforms should get extcon via phandle. + * On ACPI platforms, we get the name from a device property. + * This device property is for kernel internal use only and + * is expected to be set by the glue code. + */ + if (device_property_read_string(dev, "linux,extcon-name", &name) =3D=3D 0= ) { + edev =3D extcon_get_extcon_dev(name); + if (!edev) + return ERR_PTR(-EPROBE_DEFER); + + return edev; + } + + /* + * Try to get an extcon device from the USB PHY controller's "port" + * node. Check if it has the "port" node first, to avoid printing the + * error message from underlying code, as it's a valid case: extcon + * device (and "port" node) may be missing in case of "usb-role-switch" + * or OTG mode. + */ + np_phy =3D of_parse_phandle(dev->of_node, "phys", 0); + if (of_graph_is_present(np_phy)) { + struct device_node *np_conn; + + np_conn =3D of_graph_get_remote_node(np_phy, -1, -1); + if (np_conn) + edev =3D extcon_find_edev_by_node(np_conn); + of_node_put(np_conn); + } + of_node_put(np_phy); + + return edev; +} + #if IS_ENABLED(CONFIG_USB_ROLE_SWITCH) #define ROLE_SWITCH 1 static int dwc3_usb_role_switch_set(struct usb_role_switch *sw, @@ -542,6 +588,10 @@ int dwc3_drd_init(struct dwc3 *dwc) device_property_read_bool(dwc->dev, "usb-role-switch")) return dwc3_setup_role_switch(dwc); =20 + dwc->edev =3D dwc3_get_extcon(dwc); + if (IS_ERR(dwc->edev)) + return PTR_ERR(dwc->edev); + if (dwc->edev) { dwc->edev_nb.notifier_call =3D dwc3_drd_notifier; ret =3D extcon_register_notifier(dwc->edev, EXTCON_USB_HOST, From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B4A36C433FE for ; Thu, 13 Oct 2022 18:06:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231468AbiJMSGY (ORCPT ); Thu, 13 Oct 2022 14:06:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36226 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231303AbiJMSEC (ORCPT ); Thu, 13 Oct 2022 14:04:02 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7F118152C6C; Thu, 13 Oct 2022 11:03:59 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 45D4EB82055; Thu, 13 Oct 2022 17:59:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 29128C433D6; Thu, 13 Oct 2022 17:59:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683991; bh=5fGeL9rrSeEnEiyxIZ1qrK6yt0BsEelbTs8rHswWTrY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ky74HZOGwnZvI9xWX0wu61ijjIpGyarrK4j/w3PVL1ZtNcZW/Tle2lTMtcDpM93hx oetnoY4wLIzttmGZvYag/NqLDQTYuHItl/21IJNGKLTmtRKLGySEzG/Nt+tgRMmZwM DJGml+aKCFRdBokWLQF22AnP8igs5/rWubbnSPKs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nathan Lynch , Laurent Dufour , Michael Ellerman Subject: [PATCH 5.19 16/33] Revert "powerpc/rtas: Implement reentrant rtas call" Date: Thu, 13 Oct 2022 19:52:48 +0200 Message-Id: <20221013175145.819258725@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Nathan Lynch commit f88aabad33ea22be2ce1c60d8901942e4e2a9edb upstream. At the time this was submitted by Leonardo, I confirmed -- or thought I had confirmed -- with PowerVM partition firmware development that the following RTAS functions: - ibm,get-xive - ibm,int-off - ibm,int-on - ibm,set-xive were safe to call on multiple CPUs simultaneously, not only with respect to themselves as indicated by PAPR, but with arbitrary other RTAS calls: https://lore.kernel.org/linuxppc-dev/875zcy2v8o.fsf@linux.ibm.com/ Recent discussion with firmware development makes it clear that this is not true, and that the code in commit b664db8e3f97 ("powerpc/rtas: Implement reentrant rtas call") is unsafe, likely explaining several strange bugs we've seen in internal testing involving DLPAR and LPM. These scenarios use ibm,configure-connector, whose internal state can be corrupted by the concurrent use of the "reentrant" functions, leading to symptoms like endless busy statuses from RTAS. Fixes: b664db8e3f97 ("powerpc/rtas: Implement reentrant rtas call") Cc: stable@vger.kernel.org # v5.8+ Signed-off-by: Nathan Lynch Reviewed-by: Laurent Dufour Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220907220111.223267-1-nathanl@linux.ibm.c= om Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- arch/powerpc/include/asm/paca.h | 1=20 arch/powerpc/include/asm/rtas.h | 1=20 arch/powerpc/kernel/paca.c | 32 --------------------- arch/powerpc/kernel/rtas.c | 54 -------------------------------= ----- arch/powerpc/sysdev/xics/ics-rtas.c | 22 +++++++------- 5 files changed, 11 insertions(+), 99 deletions(-) --- a/arch/powerpc/include/asm/paca.h +++ b/arch/powerpc/include/asm/paca.h @@ -263,7 +263,6 @@ struct paca_struct { u64 l1d_flush_size; #endif #ifdef CONFIG_PPC_PSERIES - struct rtas_args *rtas_args_reentrant; u8 *mce_data_buf; /* buffer to hold per cpu rtas errlog */ #endif /* CONFIG_PPC_PSERIES */ =20 --- a/arch/powerpc/include/asm/rtas.h +++ b/arch/powerpc/include/asm/rtas.h @@ -240,7 +240,6 @@ extern struct rtas_t rtas; extern int rtas_token(const char *service); extern int rtas_service_present(const char *service); extern int rtas_call(int token, int, int, int *, ...); -int rtas_call_reentrant(int token, int nargs, int nret, int *outputs, ...); void rtas_call_unlocked(struct rtas_args *args, int token, int nargs, int nret, ...); extern void __noreturn rtas_restart(char *cmd); --- a/arch/powerpc/kernel/paca.c +++ b/arch/powerpc/kernel/paca.c @@ -16,7 +16,6 @@ #include #include #include -#include =20 #include "setup.h" =20 @@ -170,30 +169,6 @@ static struct slb_shadow * __init new_sl } #endif /* CONFIG_PPC_64S_HASH_MMU */ =20 -#ifdef CONFIG_PPC_PSERIES -/** - * new_rtas_args() - Allocates rtas args - * @cpu: CPU number - * @limit: Memory limit for this allocation - * - * Allocates a struct rtas_args and return it's pointer, - * if not in Hypervisor mode - * - * Return: Pointer to allocated rtas_args - * NULL if CPU in Hypervisor Mode - */ -static struct rtas_args * __init new_rtas_args(int cpu, unsigned long limi= t) -{ - limit =3D min_t(unsigned long, limit, RTAS_INSTANTIATE_MAX); - - if (early_cpu_has_feature(CPU_FTR_HVMODE)) - return NULL; - - return alloc_paca_data(sizeof(struct rtas_args), L1_CACHE_BYTES, - limit, cpu); -} -#endif /* CONFIG_PPC_PSERIES */ - /* The Paca is an array with one entry per processor. Each contains an * lppaca, which contains the information shared between the * hypervisor and Linux. @@ -232,10 +207,6 @@ void __init initialise_paca(struct paca_ /* For now -- if we have threads this will be adjusted later */ new_paca->tcd_ptr =3D &new_paca->tcd; #endif - -#ifdef CONFIG_PPC_PSERIES - new_paca->rtas_args_reentrant =3D NULL; -#endif } =20 /* Put the paca pointer into r13 and SPRG_PACA */ @@ -308,9 +279,6 @@ void __init allocate_paca(int cpu) #ifdef CONFIG_PPC_64S_HASH_MMU paca->slb_shadow_ptr =3D new_slb_shadow(cpu, limit); #endif -#ifdef CONFIG_PPC_PSERIES - paca->rtas_args_reentrant =3D new_rtas_args(cpu, limit); -#endif paca_struct_size +=3D sizeof(struct paca_struct); } =20 --- a/arch/powerpc/kernel/rtas.c +++ b/arch/powerpc/kernel/rtas.c @@ -43,7 +43,6 @@ #include #include #include -#include =20 /* This is here deliberately so it's only used in this file */ void enter_rtas(unsigned long); @@ -932,59 +931,6 @@ void rtas_activate_firmware(void) pr_err("ibm,activate-firmware failed (%i)\n", fwrc); } =20 -#ifdef CONFIG_PPC_PSERIES -/** - * rtas_call_reentrant() - Used for reentrant rtas calls - * @token: Token for desired reentrant RTAS call - * @nargs: Number of Input Parameters - * @nret: Number of Output Parameters - * @outputs: Array of outputs - * @...: Inputs for desired RTAS call - * - * According to LoPAR documentation, only "ibm,int-on", "ibm,int-off", - * "ibm,get-xive" and "ibm,set-xive" are currently reentrant. - * Reentrant calls need their own rtas_args buffer, so not using rtas.args= , but - * PACA one instead. - * - * Return: -1 on error, - * First output value of RTAS call if (nret > 0), - * 0 otherwise, - */ -int rtas_call_reentrant(int token, int nargs, int nret, int *outputs, ...) -{ - va_list list; - struct rtas_args *args; - unsigned long flags; - int i, ret =3D 0; - - if (!rtas.entry || token =3D=3D RTAS_UNKNOWN_SERVICE) - return -1; - - local_irq_save(flags); - preempt_disable(); - - /* We use the per-cpu (PACA) rtas args buffer */ - args =3D local_paca->rtas_args_reentrant; - - va_start(list, outputs); - va_rtas_call_unlocked(args, token, nargs, nret, list); - va_end(list); - - if (nret > 1 && outputs) - for (i =3D 0; i < nret - 1; ++i) - outputs[i] =3D be32_to_cpu(args->rets[i + 1]); - - if (nret > 0) - ret =3D be32_to_cpu(args->rets[0]); - - local_irq_restore(flags); - preempt_enable(); - - return ret; -} - -#endif /* CONFIG_PPC_PSERIES */ - /** * get_pseries_errorlog() - Find a specific pseries error log in an RTAS * extended event log. --- a/arch/powerpc/sysdev/xics/ics-rtas.c +++ b/arch/powerpc/sysdev/xics/ics-rtas.c @@ -36,8 +36,8 @@ static void ics_rtas_unmask_irq(struct i =20 server =3D xics_get_irq_server(d->irq, irq_data_get_affinity_mask(d), 0); =20 - call_status =3D rtas_call_reentrant(ibm_set_xive, 3, 1, NULL, hw_irq, - server, DEFAULT_PRIORITY); + call_status =3D rtas_call(ibm_set_xive, 3, 1, NULL, hw_irq, server, + DEFAULT_PRIORITY); if (call_status !=3D 0) { printk(KERN_ERR "%s: ibm_set_xive irq %u server %x returned %d\n", @@ -46,7 +46,7 @@ static void ics_rtas_unmask_irq(struct i } =20 /* Now unmask the interrupt (often a no-op) */ - call_status =3D rtas_call_reentrant(ibm_int_on, 1, 1, NULL, hw_irq); + call_status =3D rtas_call(ibm_int_on, 1, 1, NULL, hw_irq); if (call_status !=3D 0) { printk(KERN_ERR "%s: ibm_int_on irq=3D%u returned %d\n", __func__, hw_irq, call_status); @@ -68,7 +68,7 @@ static void ics_rtas_mask_real_irq(unsig if (hw_irq =3D=3D XICS_IPI) return; =20 - call_status =3D rtas_call_reentrant(ibm_int_off, 1, 1, NULL, hw_irq); + call_status =3D rtas_call(ibm_int_off, 1, 1, NULL, hw_irq); if (call_status !=3D 0) { printk(KERN_ERR "%s: ibm_int_off irq=3D%u returned %d\n", __func__, hw_irq, call_status); @@ -76,8 +76,8 @@ static void ics_rtas_mask_real_irq(unsig } =20 /* Have to set XIVE to 0xff to be able to remove a slot */ - call_status =3D rtas_call_reentrant(ibm_set_xive, 3, 1, NULL, hw_irq, - xics_default_server, 0xff); + call_status =3D rtas_call(ibm_set_xive, 3, 1, NULL, hw_irq, + xics_default_server, 0xff); if (call_status !=3D 0) { printk(KERN_ERR "%s: ibm_set_xive(0xff) irq=3D%u returned %d\n", __func__, hw_irq, call_status); @@ -108,7 +108,7 @@ static int ics_rtas_set_affinity(struct if (hw_irq =3D=3D XICS_IPI || hw_irq =3D=3D XICS_IRQ_SPURIOUS) return -1; =20 - status =3D rtas_call_reentrant(ibm_get_xive, 1, 3, xics_status, hw_irq); + status =3D rtas_call(ibm_get_xive, 1, 3, xics_status, hw_irq); =20 if (status) { printk(KERN_ERR "%s: ibm,get-xive irq=3D%u returns %d\n", @@ -126,8 +126,8 @@ static int ics_rtas_set_affinity(struct pr_debug("%s: irq %d [hw 0x%x] server: 0x%x\n", __func__, d->irq, hw_irq, irq_server); =20 - status =3D rtas_call_reentrant(ibm_set_xive, 3, 1, NULL, - hw_irq, irq_server, xics_status[1]); + status =3D rtas_call(ibm_set_xive, 3, 1, NULL, + hw_irq, irq_server, xics_status[1]); =20 if (status) { printk(KERN_ERR "%s: ibm,set-xive irq=3D%u returns %d\n", @@ -158,7 +158,7 @@ static int ics_rtas_check(struct ics *ic return -EINVAL; =20 /* Check if RTAS knows about this interrupt */ - rc =3D rtas_call_reentrant(ibm_get_xive, 1, 3, status, hw_irq); + rc =3D rtas_call(ibm_get_xive, 1, 3, status, hw_irq); if (rc) return -ENXIO; =20 @@ -174,7 +174,7 @@ static long ics_rtas_get_server(struct i { int rc, status[2]; =20 - rc =3D rtas_call_reentrant(ibm_get_xive, 1, 3, status, vec); + rc =3D rtas_call(ibm_get_xive, 1, 3, status, vec); if (rc) return -1; return status[0]; From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F9A1C433FE for ; Thu, 13 Oct 2022 18:16:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231614AbiJMSQW (ORCPT ); Thu, 13 Oct 2022 14:16:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57610 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232009AbiJMSN5 (ORCPT ); Thu, 13 Oct 2022 14:13:57 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9C0E9814C1; Thu, 13 Oct 2022 11:10:14 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 7658361949; Thu, 13 Oct 2022 18:00:21 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7E0BFC433D7; Thu, 13 Oct 2022 18:00:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684020; bh=4rWjydFXyLLDqW4rzOLOSOJ8MSOKHrz5swor8EvZv0k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pouIC8brJOISXS9+BiKw5sY0N7rL7qR0n14OlfxUAPYees0LHi2hmtYGWhKCiYToW igmXLNECvLboxFwpgZA24DlAy8KYPoijlolP5TGD/Rp6CPc2NhL4Pf94umIXKrewO+ uX+hZGaEZ129kAfSwfKDTPgM6o/4L5t0k8EgjGrY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Herbert Xu , Giovanni Cabiddu Subject: [PATCH 5.19 17/33] Revert "crypto: qat - reduce size of mapped region" Date: Thu, 13 Oct 2022 19:52:49 +0200 Message-Id: <20221013175145.852098967@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Giovanni Cabiddu commit 9c5f21b198d259bfe1191b1fedf08e2eab15b33b upstream. This reverts commit e48767c17718067ba21fb2ef461779ec2506f845. In an attempt to resolve a set of warnings reported by the static analyzer Smatch, the reverted commit improperly reduced the sizes of the DMA mappings used for the input and output parameters for both RSA and DH creating a mismatch (map size=3D8 bytes, unmap size=3D64 bytes). This issue is reported when CONFIG_DMA_API_DEBUG is selected, when the crypto self test is run. The function dma_unmap_single() reports a warning similar to the one below, saying that the `device driver frees DMA memory with different size`. DMA-API: 4xxx 0000:06:00.0: device driver frees DMA memory with differe= nt size [device address=3D0x0000000123206c80] [map size=3D8 bytes] [unmap s= ize=3D64 bytes] WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:973 check_unmap+0x3d0/0x8c= 0\ ... Call Trace: debug_dma_unmap_page+0x5c/0x60 qat_dh_cb+0xd7/0x110 [intel_qat] qat_alg_asym_callback+0x1a/0x30 [intel_qat] adf_response_handler+0xbd/0x1a0 [intel_qat] tasklet_action_common.constprop.0+0xcd/0xe0 __do_softirq+0xf8/0x30c __irq_exit_rcu+0xbf/0x140 common_interrupt+0xb9/0xd0 The original commit was correct. Cc: Reported-by: Herbert Xu Signed-off-by: Giovanni Cabiddu Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/crypto/qat/qat_common/qat_asym_algs.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) --- a/drivers/crypto/qat/qat_common/qat_asym_algs.c +++ b/drivers/crypto/qat/qat_common/qat_asym_algs.c @@ -333,13 +333,13 @@ static int qat_dh_compute_value(struct k qat_req->out.dh.out_tab[1] =3D 0; /* Mapping in.in.b or in.in_g2.xa is the same */ qat_req->phy_in =3D dma_map_single(dev, &qat_req->in.dh.in.b, - sizeof(qat_req->in.dh.in.b), + sizeof(struct qat_dh_input_params), DMA_TO_DEVICE); if (unlikely(dma_mapping_error(dev, qat_req->phy_in))) goto unmap_dst; =20 qat_req->phy_out =3D dma_map_single(dev, &qat_req->out.dh.r, - sizeof(qat_req->out.dh.r), + sizeof(struct qat_dh_output_params), DMA_TO_DEVICE); if (unlikely(dma_mapping_error(dev, qat_req->phy_out))) goto unmap_in_params; @@ -730,13 +730,13 @@ static int qat_rsa_enc(struct akcipher_r qat_req->in.rsa.in_tab[3] =3D 0; qat_req->out.rsa.out_tab[1] =3D 0; qat_req->phy_in =3D dma_map_single(dev, &qat_req->in.rsa.enc.m, - sizeof(qat_req->in.rsa.enc.m), + sizeof(struct qat_rsa_input_params), DMA_TO_DEVICE); if (unlikely(dma_mapping_error(dev, qat_req->phy_in))) goto unmap_dst; =20 qat_req->phy_out =3D dma_map_single(dev, &qat_req->out.rsa.enc.c, - sizeof(qat_req->out.rsa.enc.c), + sizeof(struct qat_rsa_output_params), DMA_TO_DEVICE); if (unlikely(dma_mapping_error(dev, qat_req->phy_out))) goto unmap_in_params; @@ -876,13 +876,13 @@ static int qat_rsa_dec(struct akcipher_r qat_req->in.rsa.in_tab[3] =3D 0; qat_req->out.rsa.out_tab[1] =3D 0; qat_req->phy_in =3D dma_map_single(dev, &qat_req->in.rsa.dec.c, - sizeof(qat_req->in.rsa.dec.c), + sizeof(struct qat_rsa_input_params), DMA_TO_DEVICE); if (unlikely(dma_mapping_error(dev, qat_req->phy_in))) goto unmap_dst; =20 qat_req->phy_out =3D dma_map_single(dev, &qat_req->out.rsa.dec.m, - sizeof(qat_req->out.rsa.dec.m), + sizeof(struct qat_rsa_output_params), DMA_TO_DEVICE); if (unlikely(dma_mapping_error(dev, qat_req->phy_out))) goto unmap_in_params; From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2B657C4332F for ; Thu, 13 Oct 2022 18:05:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231301AbiJMSFt (ORCPT ); Thu, 13 Oct 2022 14:05:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34760 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231181AbiJMSDj (ORCPT ); Thu, 13 Oct 2022 14:03:39 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D303A157F5F; Thu, 13 Oct 2022 11:03:23 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4375461952; Thu, 13 Oct 2022 18:00:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4941FC43143; Thu, 13 Oct 2022 18:00:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684023; bh=wWxXNLldQJWjVR9cUWjf0UKYSuekCHsercakn8tOViM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1eiYyJPoKshujY3RDf7cXo4GmJfJ//cnAvgJzt8StnPv3FyQ16sJIwwnHDtztK9eZ 3rgECIoaD6vidM7Azg0j9umeiMz5UJANTzlFg+qmlapPzprI0+kgkEBpSuMaL6/VqT tKOzBsleYnlXi61Qq/GEYkaYlXyXWTa7IUdvkQ2U= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sebastian Andrzej Siewior , "Jason A. Donenfeld" Subject: [PATCH 5.19 18/33] random: avoid reading two cache lines on irq randomness Date: Thu, 13 Oct 2022 19:52:50 +0200 Message-Id: <20221013175145.887818528@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jason A. Donenfeld commit 9ee0507e896b45af6d65408c77815800bce30008 upstream. In order to avoid reading and dirtying two cache lines on every IRQ, move the work_struct to the bottom of the fast_pool struct. add_ interrupt_randomness() always touches .pool and .count, which are currently split, because .mix pushes everything down. Instead, move .mix to the bottom, so that .pool and .count are always in the first cache line, since .mix is only accessed when the pool is full. Fixes: 58340f8e952b ("random: defer fast pool mixing to worker") Reviewed-by: Sebastian Andrzej Siewior Signed-off-by: Jason A. Donenfeld Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/char/random.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -903,10 +903,10 @@ EXPORT_SYMBOL_GPL(unregister_random_vmfo #endif =20 struct fast_pool { - struct work_struct mix; unsigned long pool[4]; unsigned long last; unsigned int count; + struct work_struct mix; }; =20 static DEFINE_PER_CPU(struct fast_pool, irq_randomness) =3D { From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 68270C433FE for ; Thu, 13 Oct 2022 18:08:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231636AbiJMSH6 (ORCPT ); Thu, 13 Oct 2022 14:07:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46390 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231511AbiJMSGe (ORCPT ); Thu, 13 Oct 2022 14:06:34 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E5EF437DB; Thu, 13 Oct 2022 11:05:23 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 99095B82065; Thu, 13 Oct 2022 18:00:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D5A3CC433C1; Thu, 13 Oct 2022 18:00:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684026; bh=BLsZ3M6JOHN9+LrdwWJRcShlBn9OykEOl6tyUen3xuY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wESsBqSLbO5SgIBmjsO/TLsTQPzKgi6C3PeS3xxli95JkcAmr+UVbkinc+ea871x0 EUCogEO7Xwf0bJKN4JskmFbzT7iaIHs+dklJQ1JeG1//uJxuvJHYxPnrG/pI5XFdXM X9eXilk2zfKpjvpAm02XR7yB400sUiePB12D6px8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sherry Yang , Paul Webb , Phillip Goerl , Jack Vogel , Nicky Veitch , Colm Harrington , Ramanan Govindarajan , Sebastian Andrzej Siewior , Dominik Brodowski , Tejun Heo , Sultan Alsawaf , "Jason A. Donenfeld" Subject: [PATCH 5.19 19/33] random: use expired timer rather than wq for mixing fast pool Date: Thu, 13 Oct 2022 19:52:51 +0200 Message-Id: <20221013175145.919301297@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jason A. Donenfeld commit 748bc4dd9e663f23448d8ad7e58c011a67ea1eca upstream. Previously, the fast pool was dumped into the main pool periodically in the fast pool's hard IRQ handler. This worked fine and there weren't problems with it, until RT came around. Since RT converts spinlocks into sleeping locks, problems cropped up. Rather than switching to raw spinlocks, the RT developers preferred we make the transformation from originally doing: do_some_stuff() spin_lock() do_some_other_stuff() spin_unlock() to doing: do_some_stuff() queue_work_on(some_other_stuff_worker) This is an ordinary pattern done all over the kernel. However, Sherry noticed a 10% performance regression in qperf TCP over a 40gbps InfiniBand card. Quoting her message: > MT27500 Family [ConnectX-3] cards: > Infiniband device 'mlx4_0' port 1 status: > default gid: fe80:0000:0000:0000:0010:e000:0178:9eb1 > base lid: 0x6 > sm lid: 0x1 > state: 4: ACTIVE > phys state: 5: LinkUp > rate: 40 Gb/sec (4X QDR) > link_layer: InfiniBand > > Cards are configured with IP addresses on private subnet for IPoIB > performance testing. > Regression identified in this bug is in TCP latency in this stack as repo= rted > by qperf tcp_lat metric: > > We have one system listen as a qperf server: > [root@yourQperfServer ~]# qperf > > Have the other system connect to qperf server as a client (in this > case, it=E2=80=99s X7 server with Mellanox card): > [root@yourQperfClient ~]# numactl -m0 -N0 qperf 20.20.20.101 -v -uu -ub -= -time 60 --wait_server 20 -oo msg_size:4K:1024K:*2 tcp_lat Rather than incur the scheduling latency from queue_work_on, we can instead switch to running on the next timer tick, on the same core. This also batches things a bit more -- once per jiffy -- which is okay now that mix_interrupt_randomness() can credit multiple bits at once. Reported-by: Sherry Yang Tested-by: Paul Webb Cc: Sherry Yang Cc: Phillip Goerl Cc: Jack Vogel Cc: Nicky Veitch Cc: Colm Harrington Cc: Ramanan Govindarajan Cc: Sebastian Andrzej Siewior Cc: Dominik Brodowski Cc: Tejun Heo Cc: Sultan Alsawaf Cc: stable@vger.kernel.org Fixes: 58340f8e952b ("random: defer fast pool mixing to worker") Signed-off-by: Jason A. Donenfeld Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/char/random.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -906,17 +906,20 @@ struct fast_pool { unsigned long pool[4]; unsigned long last; unsigned int count; - struct work_struct mix; + struct timer_list mix; }; =20 +static void mix_interrupt_randomness(struct timer_list *work); + static DEFINE_PER_CPU(struct fast_pool, irq_randomness) =3D { #ifdef CONFIG_64BIT #define FASTMIX_PERM SIPHASH_PERMUTATION - .pool =3D { SIPHASH_CONST_0, SIPHASH_CONST_1, SIPHASH_CONST_2, SIPHASH_CO= NST_3 } + .pool =3D { SIPHASH_CONST_0, SIPHASH_CONST_1, SIPHASH_CONST_2, SIPHASH_CO= NST_3 }, #else #define FASTMIX_PERM HSIPHASH_PERMUTATION - .pool =3D { HSIPHASH_CONST_0, HSIPHASH_CONST_1, HSIPHASH_CONST_2, HSIPHAS= H_CONST_3 } + .pool =3D { HSIPHASH_CONST_0, HSIPHASH_CONST_1, HSIPHASH_CONST_2, HSIPHAS= H_CONST_3 }, #endif + .mix =3D __TIMER_INITIALIZER(mix_interrupt_randomness, 0) }; =20 /* @@ -958,7 +961,7 @@ int __cold random_online_cpu(unsigned in } #endif =20 -static void mix_interrupt_randomness(struct work_struct *work) +static void mix_interrupt_randomness(struct timer_list *work) { struct fast_pool *fast_pool =3D container_of(work, struct fast_pool, mix); /* @@ -1012,10 +1015,11 @@ void add_interrupt_randomness(int irq) if (new_count < 1024 && !time_is_before_jiffies(fast_pool->last + HZ)) return; =20 - if (unlikely(!fast_pool->mix.func)) - INIT_WORK(&fast_pool->mix, mix_interrupt_randomness); fast_pool->count |=3D MIX_INFLIGHT; - queue_work_on(raw_smp_processor_id(), system_highpri_wq, &fast_pool->mix); + if (!timer_pending(&fast_pool->mix)) { + fast_pool->mix.expires =3D jiffies; + add_timer_on(&fast_pool->mix, raw_smp_processor_id()); + } } EXPORT_SYMBOL_GPL(add_interrupt_randomness); =20 From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5A8C7C4332F for ; Thu, 13 Oct 2022 18:05:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229954AbiJMSFy (ORCPT ); Thu, 13 Oct 2022 14:05:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33112 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231191AbiJMSDk (ORCPT ); Thu, 13 Oct 2022 14:03:40 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 21298157F67; Thu, 13 Oct 2022 11:03:25 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id A8C256192C; Thu, 13 Oct 2022 18:00:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BA7EFC433D6; Thu, 13 Oct 2022 18:00:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684029; bh=yO7jB7qJ3SzvXbCw+6Kqc+Vb9MrWMZHZx+fu+glnvtQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=L9sSsanom39si1D52rxNAjy+/eOpMiSssQb1LvxTpnHby3Qai1tMaCGA5iRQDvVbp ItI/CyySBMlmQweTK7XPqnp6oIIT3+KLK60U8261/V78bvjr4Ix8lMuSLkwer3uI+G ldgi4CQKL8KPNiCcZ3+xlGVDviM+Ffu+ub1Xb5UQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Soenke Huster , Kees Cook , Johannes Berg Subject: [PATCH 5.19 20/33] wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans() Date: Thu, 13 Oct 2022 19:52:52 +0200 Message-Id: <20221013175145.955718271@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Johannes Berg commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream. In the copy code of the elements, we do the following calculation to reach the end of the MBSSID element: /* copy the IEs after MBSSID */ cpy_len =3D mbssid[1] + 2; This looks fine, however, cpy_len is a u8, the same as mbssid[1], so the addition of two can overflow. In this case the subsequent memcpy() will overflow the allocated buffer, since it copies 256 bytes too much due to the way the allocation and memcpy() sizes are calculated. Fix this by using size_t for the cpy_len variable. This fixes CVE-2022-41674. Reported-by: Soenke Huster Tested-by: Soenke Huster Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in sc= anning") Reviewed-by: Kees Cook Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- net/wireless/scan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2279,7 +2279,7 @@ cfg80211_update_notlisted_nontrans(struc size_t new_ie_len; struct cfg80211_bss_ies *new_ies; const struct cfg80211_bss_ies *old; - u8 cpy_len; + size_t cpy_len; =20 lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock); From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0EFDFC4321E for ; Thu, 13 Oct 2022 18:06:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231440AbiJMSGG (ORCPT ); Thu, 13 Oct 2022 14:06:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35824 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231239AbiJMSDv (ORCPT ); Thu, 13 Oct 2022 14:03:51 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E294B15B334; Thu, 13 Oct 2022 11:03:36 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C0AE66194D; Thu, 13 Oct 2022 18:00:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8211BC433B5; Thu, 13 Oct 2022 18:00:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684032; bh=IxQ0xOPd/CgxYSCw3RHLoSKvbRbv71Q5pnfxySmwIXg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=HDi832MrhVajrwc/qZQstyp4UhkTSjpSDJg3gIvzuRECDxhKeZEJEKf6QHR32lYxw UzUp4XZJaC63j7ugcf0AS7StpnCfWiWoG9wa9vQAbNc1OqCOHA9/s1vnL5EiS99QkU 2UUkbNA1JJE9CNTvrYYmufHbwoJdtA0swRYFCYtg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kees Cook , Johannes Berg Subject: [PATCH 5.19 21/33] wifi: cfg80211/mac80211: reject bad MBSSID elements Date: Thu, 13 Oct 2022 19:52:53 +0200 Message-Id: <20221013175145.987965400@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Johannes Berg commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream. Per spec, the maximum value for the MaxBSSID ('n') indicator is 8, and the minimum is 1 since a multiple BSSID set with just one BSSID doesn't make sense (the # of BSSIDs is limited by 2^n). Limit this in the parsing in both cfg80211 and mac80211, rejecting any elements with an invalid value. This fixes potentially bad shifts in the processing of these inside the cfg80211_gen_new_bssid() function later. I found this during the investigation of CVE-2022-41674 fixed by the previous patch. Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in sc= anning") Fixes: 78ac51f81532 ("mac80211: support multi-bssid") Reviewed-by: Kees Cook Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- net/mac80211/util.c | 2 ++ net/wireless/scan.c | 2 ++ 2 files changed, 4 insertions(+) --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1439,6 +1439,8 @@ static size_t ieee802_11_find_bssid_prof for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { if (elem->datalen < 2) continue; + if (elem->data[0] < 1 || elem->data[0] > 8) + continue; =20 for_each_element(sub, elem->data + 1, elem->datalen - 1) { u8 new_bssid[ETH_ALEN]; --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2143,6 +2143,8 @@ static void cfg80211_parse_mbssid_data(s for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) { if (elem->datalen < 4) continue; + if (elem->data[0] < 1 || (int)elem->data[0] > 8) + continue; for_each_element(sub, elem->data + 1, elem->datalen - 1) { u8 profile_len; From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CDE09C4332F for ; Thu, 13 Oct 2022 18:32:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230168AbiJMSc1 (ORCPT ); Thu, 13 Oct 2022 14:32:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52736 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232029AbiJMScE (ORCPT ); Thu, 13 Oct 2022 14:32:04 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2F363194216; Thu, 13 Oct 2022 11:28:06 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 7D56AB8206C; Thu, 13 Oct 2022 18:00:36 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A8AABC433C1; Thu, 13 Oct 2022 18:00:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684035; bh=iFDYfkZv+13hUjNnwoj0yShUJzr5cGRa6UiH4O+3Hu8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pV9DJ7/h7FGsGGF8d4EaYUWod/kjDVjxjAjTD/qG4kmM2x/Q9YzRdZ11gKkCJt5ZI 1r3SfpIpP+SM5AS0BeZRbVi42as1DiZ60hP7kIs1QG0FUht6LjaT60uNP7UshnzQi2 TxHs7GWvlkrWBt2vs2W5y9+dtq0F3OtOUkVqs7yA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ilan Peer , Kees Cook , Johannes Berg Subject: [PATCH 5.19 22/33] wifi: mac80211: fix MBSSID parsing use-after-free Date: Thu, 13 Oct 2022 19:52:54 +0200 Message-Id: <20221013175146.021304834@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Johannes Berg commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream. When we parse a multi-BSSID element, we might point some element pointers into the allocated nontransmitted_profile. However, we free this before returning, causing UAF when the relevant pointers in the parsed elements are accessed. Fix this by not allocating the scratch buffer separately but as part of the returned structure instead, that way, there are no lifetime issues with it. The scratch buffer introduction as part of the returned data here is taken from MLO feature work done by Ilan. This fixes CVE-2022-42719. Fixes: 5023b14cf4df ("mac80211: support profile split between elements") Co-developed-by: Ilan Peer Signed-off-by: Ilan Peer Reviewed-by: Kees Cook Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- net/mac80211/ieee80211_i.h | 8 ++++++++ net/mac80211/util.c | 31 ++++++++++++++++--------------- 2 files changed, 24 insertions(+), 15 deletions(-) --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1640,6 +1640,14 @@ struct ieee802_11_elems { =20 /* whether a parse error occurred while retrieving these elements */ bool parse_error; + + /* + * scratch buffer that can be used for various element parsing related + * tasks, e.g., element de-fragmentation etc. + */ + size_t scratch_len; + u8 *scratch_pos; + u8 scratch[]; }; =20 static inline struct ieee80211_local *hw_to_local( --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1503,25 +1503,28 @@ struct ieee802_11_elems *ieee802_11_pars const struct element *non_inherit =3D NULL; u8 *nontransmitted_profile; int nontransmitted_profile_len =3D 0; + size_t scratch_len =3D len; =20 - elems =3D kzalloc(sizeof(*elems), GFP_ATOMIC); + elems =3D kzalloc(sizeof(*elems) + scratch_len, GFP_ATOMIC); if (!elems) return NULL; elems->ie_start =3D start; elems->total_len =3D len; + elems->scratch_len =3D scratch_len; + elems->scratch_pos =3D elems->scratch; =20 - nontransmitted_profile =3D kmalloc(len, GFP_ATOMIC); - if (nontransmitted_profile) { - nontransmitted_profile_len =3D - ieee802_11_find_bssid_profile(start, len, elems, - transmitter_bssid, - bss_bssid, - nontransmitted_profile); - non_inherit =3D - cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, - nontransmitted_profile, - nontransmitted_profile_len); - } + nontransmitted_profile =3D elems->scratch_pos; + nontransmitted_profile_len =3D + ieee802_11_find_bssid_profile(start, len, elems, + transmitter_bssid, + bss_bssid, + nontransmitted_profile); + elems->scratch_pos +=3D nontransmitted_profile_len; + elems->scratch_len -=3D nontransmitted_profile_len; + non_inherit =3D + cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, + nontransmitted_profile, + nontransmitted_profile_len); =20 crc =3D _ieee802_11_parse_elems_crc(start, len, action, elems, filter, crc, non_inherit); @@ -1550,8 +1553,6 @@ struct ieee802_11_elems *ieee802_11_pars offsetofend(struct ieee80211_bssid_index, dtim_count)) elems->dtim_count =3D elems->bssid_index->dtim_count; =20 - kfree(nontransmitted_profile); - elems->crc =3D crc; =20 return elems; From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E3F31C433FE for ; Thu, 13 Oct 2022 18:11:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231605AbiJMSLf (ORCPT ); Thu, 13 Oct 2022 14:11:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34878 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231536AbiJMSKf (ORCPT ); Thu, 13 Oct 2022 14:10:35 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CD132402CE; Thu, 13 Oct 2022 11:07:54 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 3F52EB8206B; Thu, 13 Oct 2022 18:00:39 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A0606C433C1; Thu, 13 Oct 2022 18:00:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684038; bh=7ADSkhJgMzgbvEfxkGhKSmMII+dlmQ0WYUlz4phgh+4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nBO1QCCBOucbVd6BnykPgv/bfpu+AC4kkyWTVhKMg7FfsbpVBRL8ohwAGyuqX2ef1 PT5ixYImrOUf1qLGkbSjR2NSB845BadCz5O28yDRHk75Co1ErNpnN4ibhmAMyjs9ty TAm7d0NFaorhP8lib0vhwwOCDXE5JAorfAwTbows= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Soenke Huster , Johannes Berg Subject: [PATCH 5.19 23/33] wifi: cfg80211: ensure length byte is present before access Date: Thu, 13 Oct 2022 19:52:55 +0200 Message-Id: <20221013175146.048460185@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Johannes Berg commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream. When iterating the elements here, ensure the length byte is present before checking it to see if the entire element will fit into the buffer. Longer term, we should rewrite this code using the type-safe element iteration macros that check all of this. Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in sc= anning") Reported-by: Soenke Huster Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- net/wireless/scan.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const tmp_old =3D cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); tmp_old =3D (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie; =20 - while (tmp_old + tmp_old[1] + 2 - ie <=3D ielen) { + while (tmp_old + 2 - ie <=3D ielen && + tmp_old + tmp_old[1] + 2 - ie <=3D ielen) { if (tmp_old[0] =3D=3D 0) { tmp_old++; continue; @@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const * copied to new ie, skip ssid, capability, bssid-index ie */ tmp_new =3D sub_copy; - while (tmp_new + tmp_new[1] + 2 - sub_copy <=3D subie_len) { + while (tmp_new + 2 - sub_copy <=3D subie_len && + tmp_new + tmp_new[1] + 2 - sub_copy <=3D subie_len) { if (!(tmp_new[0] =3D=3D WLAN_EID_NON_TX_BSSID_CAP || tmp_new[0] =3D=3D WLAN_EID_SSID)) { memcpy(pos, tmp_new, tmp_new[1] + 2); From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55792C4332F for ; Thu, 13 Oct 2022 18:27:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231852AbiJMS1d (ORCPT ); Thu, 13 Oct 2022 14:27:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36586 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229646AbiJMS1H (ORCPT ); Thu, 13 Oct 2022 14:27:07 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4995F18811C; Thu, 13 Oct 2022 11:22:51 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 0C5ECB8206D; Thu, 13 Oct 2022 18:00:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5DA34C433C1; Thu, 13 Oct 2022 18:00:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684040; bh=GLtAHWxXyJx3NijczFxtqRQxyiQ/itl74fwTwCHfKGk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=w4MxXcHO5wllpIw8nOarbLHH+1koEZ/Cfyxm8eZo4/lUC/Fg/FfFTAs1iSscVe9ZV NX0dDdvPrD9IXcC4LsKlQpY7kikJ8B+5Bv3cKdHylMC/wojE024ydo5WS12jTUEEIh DAlxj61pK+d9jh/DwftsT5UYMrZnkVCUX7uGlJf8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?S=C3=B6nke=20Huster?= , Johannes Berg Subject: [PATCH 5.19 24/33] wifi: cfg80211: fix BSS refcounting bugs Date: Thu, 13 Oct 2022 19:52:56 +0200 Message-Id: <20221013175146.079038869@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johannes Berg commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream. There are multiple refcounting bugs related to multi-BSSID: - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro. - In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data. - In cfg80211_inform_single_bss_data(), if adding to the non- transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there. This fixes CVE-2022-42720. Reported-by: S=C3=B6nke Huster Tested-by: S=C3=B6nke Huster Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmi= tting BSS") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- net/wireless/scan.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cf lockdep_assert_held(&rdev->bss_lock); =20 bss->refcount++; - if (bss->pub.hidden_beacon_bss) { - bss =3D container_of(bss->pub.hidden_beacon_bss, - struct cfg80211_internal_bss, - pub); - bss->refcount++; - } - if (bss->pub.transmitted_bss) { - bss =3D container_of(bss->pub.transmitted_bss, - struct cfg80211_internal_bss, - pub); - bss->refcount++; - } + + if (bss->pub.hidden_beacon_bss) + bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++; + + if (bss->pub.transmitted_bss) + bss_from_pub(bss->pub.transmitted_bss)->refcount++; } =20 static inline void bss_ref_put(struct cfg80211_registered_device *rdev, @@ -1741,6 +1735,8 @@ cfg80211_bss_update(struct cfg80211_regi new->refcount =3D 1; INIT_LIST_HEAD(&new->hidden_list); INIT_LIST_HEAD(&new->pub.nontrans_list); + /* we'll set this later if it was non-NULL */ + new->pub.transmitted_bss =3D NULL; =20 if (rcu_access_pointer(tmp->pub.proberesp_ies)) { hidden =3D rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); @@ -2023,10 +2019,15 @@ cfg80211_inform_single_bss_data(struct w spin_lock_bh(&rdev->bss_lock); if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, &res->pub)) { - if (__cfg80211_unlink_bss(rdev, res)) + if (__cfg80211_unlink_bss(rdev, res)) { rdev->bss_generation++; + res =3D NULL; + } } spin_unlock_bh(&rdev->bss_lock); + + if (!res) + return NULL; } =20 trace_cfg80211_return_bss(&res->pub); From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 26DD0C4332F for ; Thu, 13 Oct 2022 18:41:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232113AbiJMSlK (ORCPT ); Thu, 13 Oct 2022 14:41:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44860 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231598AbiJMSku (ORCPT ); Thu, 13 Oct 2022 14:40:50 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DD1E2558ED; Thu, 13 Oct 2022 11:38:25 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 6403561937; Thu, 13 Oct 2022 17:59:54 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 68E13C433D6; Thu, 13 Oct 2022 17:59:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683993; bh=SsMZnV5IRg+VfGQh81XQuLjXEJU1N9vepNOsf1+r8VU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XupFSdcanVoqBrR3ZUeCjq/jIhRjzuktdqfchbKbArkX+6LFO4Ye7YxnI6S11TOjt VEev7W4um+iv8xqeNcJpqSqxIOwviN9C4KJeI8cH+HWhl/N0TtB1Kj/+ADCJlyoi8l +hMmv+MUYs5V88OF4hk5ueGNeMdjB/ds01wCbebc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?S=C3=B6nke=20Huster?= , Johannes Berg Subject: [PATCH 5.19 25/33] wifi: cfg80211: avoid nontransmitted BSS list corruption Date: Thu, 13 Oct 2022 19:52:57 +0200 Message-Id: <20221013175146.112157722@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johannes Berg commit bcca852027e5878aec911a347407ecc88d6fff7f upstream. If a non-transmitted BSS shares enough information (both SSID and BSSID!) with another non-transmitted BSS of a different AP, then we can find and update it, and then try to add it to the non-transmitted BSS list. We do a search for it on the transmitted BSS, but if it's not there (but belongs to another transmitted BSS), the list gets corrupted. Since this is an erroneous situation, simply fail the list insertion in this case and free the non-transmitted BSS. This fixes CVE-2022-42721. Reported-by: S=C3=B6nke Huster Tested-by: S=C3=B6nke Huster Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in sc= anning") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- net/wireless/scan.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -423,6 +423,15 @@ cfg80211_add_nontrans_list(struct cfg802 =20 rcu_read_unlock(); =20 + /* + * This is a bit weird - it's not on the list, but already on another + * one! The only way that could happen is if there's some BSSID/SSID + * shared by multiple APs in their multi-BSSID profiles, potentially + * with hidden SSID mixed in ... ignore it. + */ + if (!list_empty(&nontrans_bss->nontrans_list)) + return -EINVAL; + /* add to the list */ list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); return 0; From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 44E77C433FE for ; Thu, 13 Oct 2022 18:06:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231485AbiJMSG1 (ORCPT ); Thu, 13 Oct 2022 14:06:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36804 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231388AbiJMSEQ (ORCPT ); Thu, 13 Oct 2022 14:04:16 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 524D3659EF; Thu, 13 Oct 2022 11:04:03 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id DB4D0B82052; Thu, 13 Oct 2022 17:59:57 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 391ABC433D6; Thu, 13 Oct 2022 17:59:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683996; bh=Rkj3yavmHq/l2/l7pqDSO4Z4hWCdKByuzZ0zgjaB5Qg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qvTnogA4IDMxNVqOz5W/Y6oEQDkC8+JKYqXusAdmb+BdxSqx21oIQh2srKDZhzVDj UtCkEe+TAOr2WQlbeBHGfY6yTThSbAJjUFavCqrEx2QYGUDLWww58/FEri8f+SKqJr uHrQr9jl9L6ji4Yo6SXVNiGTvuQWL2EcQrzpDrLE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?S=C3=B6nke=20Huster?= , Johannes Berg Subject: [PATCH 5.19 26/33] wifi: mac80211_hwsim: avoid mac80211 warning on bad rate Date: Thu, 13 Oct 2022 19:52:58 +0200 Message-Id: <20221013175146.140719923@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johannes Berg commit 1833b6f46d7e2830251a063935ab464256defe22 upstream. If the tool on the other side (e.g. wmediumd) gets confused about the rate, we hit a warning in mac80211. Silence that by effectively duplicating the check here and dropping the frame silently (in mac80211 it's dropped with the warning). Reported-by: S=C3=B6nke Huster Tested-by: S=C3=B6nke Huster Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/net/wireless/mac80211_hwsim.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -4251,6 +4251,8 @@ static int hwsim_cloned_frame_received_n =20 rx_status.band =3D channel->band; rx_status.rate_idx =3D nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]); + if (rx_status.rate_idx >=3D data2->hw->wiphy->bands[rx_status.band]->n_bi= trates) + goto out; rx_status.signal =3D nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]); =20 hdr =3D (void *)skb->data; From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 270A7C4332F for ; Thu, 13 Oct 2022 18:07:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231391AbiJMSG7 (ORCPT ); Thu, 13 Oct 2022 14:06:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37302 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231467AbiJMSEc (ORCPT ); Thu, 13 Oct 2022 14:04:32 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1D37A152C69; Thu, 13 Oct 2022 11:04:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 8B9ECB8204C; Thu, 13 Oct 2022 18:00:00 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 029F7C433C1; Thu, 13 Oct 2022 17:59:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683999; bh=Jp73yVrOmRE+jNa8WTnBD8qKwn5yRM6gc/u9VefjL6E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DPIs34uMs/LIbiRtKsG/mcnLtu/q5aMQ99/AUXHa4Cy7kZ2lXm5LrVcTQRhZnLWa6 tJoJPLzR1yoEfFabURq9eo0Mylx680TMfkAwDU98CaCejTqPpGNbdqCNfsQBNanmFm 0h1nescFmJ6odj49bpGpEklkpiBcisZQ7QxvA3lU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?S=C3=B6nke=20Huster?= , Johannes Berg Subject: [PATCH 5.19 27/33] wifi: mac80211: fix crash in beacon protection for P2P-device Date: Thu, 13 Oct 2022 19:52:59 +0200 Message-Id: <20221013175146.167857089@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johannes Berg commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream. If beacon protection is active but the beacon cannot be decrypted or is otherwise malformed, we call the cfg80211 API to report this to userspace, but that uses a netdev pointer, which isn't present for P2P-Device. Fix this to call it only conditionally to ensure cfg80211 won't crash in the case of P2P-Device. This fixes CVE-2022-42722. Reported-by: S=C3=B6nke Huster Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user s= pace") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- net/mac80211/rx.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -1988,10 +1988,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_ =20 if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS || mmie_keyidx >=3D NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS + - NUM_DEFAULT_BEACON_KEYS) { - cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, - skb->data, - skb->len); + NUM_DEFAULT_BEACON_KEYS) { + if (rx->sdata->dev) + cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, + skb->data, + skb->len); return RX_DROP_MONITOR; /* unexpected BIP keyidx */ } =20 @@ -2139,7 +2140,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_ /* either the frame has been decrypted or will be dropped */ status->flag |=3D RX_FLAG_DECRYPTED; =20 - if (unlikely(ieee80211_is_beacon(fc) && result =3D=3D RX_DROP_UNUSABLE)) + if (unlikely(ieee80211_is_beacon(fc) && result =3D=3D RX_DROP_UNUSABLE && + rx->sdata->dev)) cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, skb->data, skb->len); =20 From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 05F7DC4332F for ; Thu, 13 Oct 2022 18:09:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231285AbiJMSJc (ORCPT ); Thu, 13 Oct 2022 14:09:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43102 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231811AbiJMSIv (ORCPT ); Thu, 13 Oct 2022 14:08:51 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 18787C58A9; Thu, 13 Oct 2022 11:06:31 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 83A2FB82039; Thu, 13 Oct 2022 18:00:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D3FF4C433C1; Thu, 13 Oct 2022 18:00:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684002; bh=YcQbhCSPoD2UnDkliHAi/oE6U9WmvVTA8st+VYyO1o0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=b9cpQHBBPvrPyqGe5Wydz4+sDrNPajAooT13TiUpjWREXGjhvtxCpB+Z8LddCfJcF sw3w8aIZcHhJXdDaEWh8/PCX14xUWN/8LRxNC/jtathVdvitBoYxTG9MEjLT8JZIP0 z5HXmwiu8cUK6yFT8QzuOq4fBBIKtC+dqRgfkN5c= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?S=C3=B6nke=20Huster?= , Johannes Berg Subject: [PATCH 5.19 28/33] wifi: cfg80211: update hidden BSSes to avoid WARN_ON Date: Thu, 13 Oct 2022 19:53:00 +0200 Message-Id: <20221013175146.199236952@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johannes Berg commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream. When updating beacon elements in a non-transmitted BSS, also update the hidden sub-entries to the same beacon elements, so that a future update through other paths won't trigger a WARN_ON(). The warning is triggered because the beacon elements in the hidden BSSes that are children of the BSS should always be the same as in the parent. Reported-by: S=C3=B6nke Huster Tested-by: S=C3=B6nke Huster Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in sc= anning") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- net/wireless/scan.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1607,6 +1607,23 @@ struct cfg80211_non_tx_bss { u8 bssid_index; }; =20 +static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *kno= wn, + const struct cfg80211_bss_ies *new_ies, + const struct cfg80211_bss_ies *old_ies) +{ + struct cfg80211_internal_bss *bss; + + /* Assign beacon IEs to all sub entries */ + list_for_each_entry(bss, &known->hidden_list, hidden_list) { + const struct cfg80211_bss_ies *ies; + + ies =3D rcu_access_pointer(bss->pub.beacon_ies); + WARN_ON(ies !=3D old_ies); + + rcu_assign_pointer(bss->pub.beacon_ies, new_ies); + } +} + static bool cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, struct cfg80211_internal_bss *known, @@ -1630,7 +1647,6 @@ cfg80211_update_known_bss(struct cfg8021 kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); } else if (rcu_access_pointer(new->pub.beacon_ies)) { const struct cfg80211_bss_ies *old; - struct cfg80211_internal_bss *bss; =20 if (known->pub.hidden_beacon_bss && !list_empty(&known->hidden_list)) { @@ -1658,16 +1674,7 @@ cfg80211_update_known_bss(struct cfg8021 if (old =3D=3D rcu_access_pointer(known->pub.ies)) rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies); =20 - /* Assign beacon IEs to all sub entries */ - list_for_each_entry(bss, &known->hidden_list, hidden_list) { - const struct cfg80211_bss_ies *ies; - - ies =3D rcu_access_pointer(bss->pub.beacon_ies); - WARN_ON(ies !=3D old); - - rcu_assign_pointer(bss->pub.beacon_ies, - new->pub.beacon_ies); - } + cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old); =20 if (old) kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); @@ -2360,6 +2367,8 @@ cfg80211_update_notlisted_nontrans(struc } else { old =3D rcu_access_pointer(nontrans_bss->beacon_ies); rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies); + cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss), + new_ies, old); rcu_assign_pointer(nontrans_bss->ies, new_ies); if (old) kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9FA09C4332F for ; Thu, 13 Oct 2022 18:07:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231561AbiJMSHO (ORCPT ); Thu, 13 Oct 2022 14:07:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38454 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231200AbiJMSFJ (ORCPT ); Thu, 13 Oct 2022 14:05:09 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A068E252B2; Thu, 13 Oct 2022 11:04:32 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B587DB82040; Thu, 13 Oct 2022 18:00:06 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F2738C433D6; Thu, 13 Oct 2022 18:00:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684005; bh=cLMk1ar/nQON1mZgjjsdpVy1arXfNUVtd1FNGe7wHxc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=V4N34Obj/cCMaRlvCk4UglUmq2EQLafJRZsO6al4oqeu+ig9g8pV6y0FnyximbHAA 0dXhQj+zS/81O1UM5/MzJcQGt86mcQLb4+wmki2kP922rz4FrN0WKYjONAVhn0dg2C m3lH/E2ASiDoEfMAY56PI/QCHxqg/U2CXFnZrYXs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, butt3rflyh4ck , Jeremy Kerr , "David S. Miller" Subject: [PATCH 5.19 29/33] mctp: prevent double key removal and unref Date: Thu, 13 Oct 2022 19:53:01 +0200 Message-Id: <20221013175146.233632264@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jeremy Kerr commit 3a732b46736cd8a29092e4b0b1a9ba83e672bf89 upstream. Currently, we have a bug where a simultaneous DROPTAG ioctl and socket close may race, as we attempt to remove a key from lists twice, and perform an unref for each removal operation. This may result in a uaf when we attempt the second unref. This change fixes the race by making __mctp_key_remove tolerant to being called on a key that has already been removed from the socket/net lists, and only performs the unref when we do the actual remove. We also need to hold the list lock on the ioctl cleanup path. This fix is based on a bug report and comprehensive analysis from butt3rflyh4ck , found via syzkaller. Cc: stable@vger.kernel.org Fixes: 63ed1aab3d40 ("mctp: Add SIOCMCTP{ALLOC,DROP}TAG ioctls for tag cont= rol") Reported-by: butt3rflyh4ck Signed-off-by: Jeremy Kerr Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- net/mctp/af_mctp.c | 23 ++++++++++++++++------- net/mctp/route.c | 10 +++++----- 2 files changed, 21 insertions(+), 12 deletions(-) --- a/net/mctp/af_mctp.c +++ b/net/mctp/af_mctp.c @@ -295,11 +295,12 @@ __must_hold(&net->mctp.keys_lock) mctp_dev_release_key(key->dev, key); spin_unlock_irqrestore(&key->lock, flags); =20 - hlist_del(&key->hlist); - hlist_del(&key->sklist); - - /* unref for the lists */ - mctp_key_unref(key); + if (!hlist_unhashed(&key->hlist)) { + hlist_del_init(&key->hlist); + hlist_del_init(&key->sklist); + /* unref for the lists */ + mctp_key_unref(key); + } =20 kfree_skb(skb); } @@ -373,9 +374,17 @@ static int mctp_ioctl_alloctag(struct mc =20 ctl.tag =3D tag | MCTP_TAG_OWNER | MCTP_TAG_PREALLOC; if (copy_to_user((void __user *)arg, &ctl, sizeof(ctl))) { - spin_lock_irqsave(&key->lock, flags); - __mctp_key_remove(key, net, flags, MCTP_TRACE_KEY_DROPPED); + unsigned long fl2; + /* Unwind our key allocation: the keys list lock needs to be + * taken before the individual key locks, and we need a valid + * flags value (fl2) to pass to __mctp_key_remove, hence the + * second spin_lock_irqsave() rather than a plain spin_lock(). + */ + spin_lock_irqsave(&net->mctp.keys_lock, flags); + spin_lock_irqsave(&key->lock, fl2); + __mctp_key_remove(key, net, fl2, MCTP_TRACE_KEY_DROPPED); mctp_key_unref(key); + spin_unlock_irqrestore(&net->mctp.keys_lock, flags); return -EFAULT; } =20 --- a/net/mctp/route.c +++ b/net/mctp/route.c @@ -228,12 +228,12 @@ __releases(&key->lock) =20 if (!key->manual_alloc) { spin_lock_irqsave(&net->mctp.keys_lock, flags); - hlist_del(&key->hlist); - hlist_del(&key->sklist); + if (!hlist_unhashed(&key->hlist)) { + hlist_del_init(&key->hlist); + hlist_del_init(&key->sklist); + mctp_key_unref(key); + } spin_unlock_irqrestore(&net->mctp.keys_lock, flags); - - /* unref for the lists */ - mctp_key_unref(key); } =20 /* and one for the local reference */ From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1BA46C433FE for ; Thu, 13 Oct 2022 18:05:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231186AbiJMSFH (ORCPT ); Thu, 13 Oct 2022 14:05:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34726 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230457AbiJMSDW (ORCPT ); Thu, 13 Oct 2022 14:03:22 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E6299157F45; Thu, 13 Oct 2022 11:03:18 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 6CBED61948; Thu, 13 Oct 2022 18:00:09 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id EB5A1C433D6; Thu, 13 Oct 2022 18:00:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684008; bh=/HRpr7EII9h229SUlP4Dmlr4MvLxTEfPUsGzRLuyqhM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VZ52mhIYs22nS2pViIVxkt0A3AZ2TMC3wjsY4uVYyvaIqkvL8Ggr9vt2eU40kY4LC fU/OIdzAOql5TCmN4ovz/X7OJX9Nl7HOR50i5h9ksQzzovYLuOdw2teI1vc8xXBvoc obpHAz1vZ7JcwOYU4aSyr4nLPjLXSG9vhaQMG2/4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jasper Poppe , Jeremy Palmer , Ruineka , Cleber de Mattos Casali , Kyle Gospodnetich , Pavel Rojtberg , Dmitry Torokhov Subject: [PATCH 5.19 30/33] Input: xpad - add supported devices as contributed on github Date: Thu, 13 Oct 2022 19:53:02 +0200 Message-Id: <20221013175146.266767921@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Pavel Rojtberg commit b382c5e37344883dc97525d05f1f6b788f549985 upstream. This is based on multiple commits at https://github.com/paroj/xpad Cc: stable@vger.kernel.org Signed-off-by: Jasper Poppe Signed-off-by: Jeremy Palmer Signed-off-by: Ruineka Signed-off-by: Cleber de Mattos Casali Signed-off-by: Kyle Gospodnetich Signed-off-by: Pavel Rojtberg Link: https://lore.kernel.org/r/20220818154411.510308-2-rojtberg@gmail.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/input/joystick/xpad.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) --- a/drivers/input/joystick/xpad.c +++ b/drivers/input/joystick/xpad.c @@ -113,6 +113,8 @@ static const struct xpad_device { u8 xtype; } xpad_device[] =3D { { 0x0079, 0x18d4, "GPD Win 2 X-Box Controller", 0, XTYPE_XBOX360 }, + { 0x03eb, 0xff01, "Wooting One (Legacy)", 0, XTYPE_XBOX360 }, + { 0x03eb, 0xff02, "Wooting Two (Legacy)", 0, XTYPE_XBOX360 }, { 0x044f, 0x0f00, "Thrustmaster Wheel", 0, XTYPE_XBOX }, { 0x044f, 0x0f03, "Thrustmaster Wheel", 0, XTYPE_XBOX }, { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX }, @@ -244,6 +246,7 @@ static const struct xpad_device { { 0x0f0d, 0x0063, "Hori Real Arcade Pro Hayabusa (USA) Xbox One", MAP_TRI= GGERS_TO_BUTTONS, XTYPE_XBOXONE }, { 0x0f0d, 0x0067, "HORIPAD ONE", 0, XTYPE_XBOXONE }, { 0x0f0d, 0x0078, "Hori Real Arcade Pro V Kai Xbox One", MAP_TRIGGERS_TO_= BUTTONS, XTYPE_XBOXONE }, + { 0x0f0d, 0x00c5, "Hori Fighting Commander ONE", MAP_TRIGGERS_TO_BUTTONS,= XTYPE_XBOXONE }, { 0x0f30, 0x010b, "Philips Recoil", 0, XTYPE_XBOX }, { 0x0f30, 0x0202, "Joytech Advanced Controller", 0, XTYPE_XBOX }, { 0x0f30, 0x8888, "BigBen XBMiniPad Controller", 0, XTYPE_XBOX }, @@ -260,6 +263,7 @@ static const struct xpad_device { { 0x1430, 0x8888, "TX6500+ Dance Pad (first generation)", MAP_DPAD_TO_BUT= TONS, XTYPE_XBOX }, { 0x1430, 0xf801, "RedOctane Controller", 0, XTYPE_XBOX360 }, { 0x146b, 0x0601, "BigBen Interactive XBOX 360 Controller", 0, XTYPE_XBOX= 360 }, + { 0x146b, 0x0604, "Bigben Interactive DAIJA Arcade Stick", MAP_TRIGGERS_T= O_BUTTONS, XTYPE_XBOX360 }, { 0x1532, 0x0037, "Razer Sabertooth", 0, XTYPE_XBOX360 }, { 0x1532, 0x0a00, "Razer Atrox Arcade Stick", MAP_TRIGGERS_TO_BUTTONS, XT= YPE_XBOXONE }, { 0x1532, 0x0a03, "Razer Wildcat", 0, XTYPE_XBOXONE }, @@ -325,6 +329,7 @@ static const struct xpad_device { { 0x24c6, 0x5502, "Hori Fighting Stick VX Alt", MAP_TRIGGERS_TO_BUTTONS, = XTYPE_XBOX360 }, { 0x24c6, 0x5503, "Hori Fighting Edge", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XB= OX360 }, { 0x24c6, 0x5506, "Hori SOULCALIBUR V Stick", 0, XTYPE_XBOX360 }, + { 0x24c6, 0x5510, "Hori Fighting Commander ONE (Xbox 360/PC Mode)", MAP_T= RIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, { 0x24c6, 0x550d, "Hori GEM Xbox controller", 0, XTYPE_XBOX360 }, { 0x24c6, 0x550e, "Hori Real Arcade Pro V Kai 360", MAP_TRIGGERS_TO_BUTTO= NS, XTYPE_XBOX360 }, { 0x24c6, 0x551a, "PowerA FUSION Pro Controller", 0, XTYPE_XBOXONE }, @@ -334,6 +339,14 @@ static const struct xpad_device { { 0x24c6, 0x5b03, "Thrustmaster Ferrari 458 Racing Wheel", 0, XTYPE_XBOX3= 60 }, { 0x24c6, 0x5d04, "Razer Sabertooth", 0, XTYPE_XBOX360 }, { 0x24c6, 0xfafe, "Rock Candy Gamepad for Xbox 360", 0, XTYPE_XBOX360 }, + { 0x2563, 0x058d, "OneXPlayer Gamepad", 0, XTYPE_XBOX360 }, + { 0x2dc8, 0x2000, "8BitDo Pro 2 Wired Controller fox Xbox", 0, XTYPE_XBOX= ONE }, + { 0x31e3, 0x1100, "Wooting One", 0, XTYPE_XBOX360 }, + { 0x31e3, 0x1200, "Wooting Two", 0, XTYPE_XBOX360 }, + { 0x31e3, 0x1210, "Wooting Lekker", 0, XTYPE_XBOX360 }, + { 0x31e3, 0x1220, "Wooting Two HE", 0, XTYPE_XBOX360 }, + { 0x31e3, 0x1300, "Wooting 60HE (AVR)", 0, XTYPE_XBOX360 }, + { 0x31e3, 0x1310, "Wooting 60HE (ARM)", 0, XTYPE_XBOX360 }, { 0x3285, 0x0607, "Nacon GC-100", 0, XTYPE_XBOX360 }, { 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX }, { 0xffff, 0xffff, "Chinese-made Xbox Controller", 0, XTYPE_XBOX }, @@ -419,6 +432,7 @@ static const signed short xpad_abs_trigg static const struct usb_device_id xpad_table[] =3D { { USB_INTERFACE_INFO('X', 'B', 0) }, /* X-Box USB-IF not approved class */ XPAD_XBOX360_VENDOR(0x0079), /* GPD Win 2 Controller */ + XPAD_XBOX360_VENDOR(0x03eb), /* Wooting Keyboards (Legacy) */ XPAD_XBOX360_VENDOR(0x044f), /* Thrustmaster X-Box 360 controllers */ XPAD_XBOX360_VENDOR(0x045e), /* Microsoft X-Box 360 controllers */ XPAD_XBOXONE_VENDOR(0x045e), /* Microsoft X-Box One controllers */ @@ -429,6 +443,7 @@ static const struct usb_device_id xpad_t { USB_DEVICE(0x0738, 0x4540) }, /* Mad Catz Beat Pad */ XPAD_XBOXONE_VENDOR(0x0738), /* Mad Catz FightStick TE 2 */ XPAD_XBOX360_VENDOR(0x07ff), /* Mad Catz GamePad */ + XPAD_XBOX360_VENDOR(0x0c12), /* Zeroplus X-Box 360 controllers */ XPAD_XBOX360_VENDOR(0x0e6f), /* 0x0e6f X-Box 360 controllers */ XPAD_XBOXONE_VENDOR(0x0e6f), /* 0x0e6f X-Box One controllers */ XPAD_XBOX360_VENDOR(0x0f0d), /* Hori Controllers */ @@ -450,8 +465,12 @@ static const struct usb_device_id xpad_t XPAD_XBOXONE_VENDOR(0x20d6), /* PowerA Controllers */ XPAD_XBOX360_VENDOR(0x24c6), /* PowerA Controllers */ XPAD_XBOXONE_VENDOR(0x24c6), /* PowerA Controllers */ + XPAD_XBOX360_VENDOR(0x2563), /* OneXPlayer Gamepad */ + XPAD_XBOX360_VENDOR(0x260d), /* Dareu H101 */ + XPAD_XBOXONE_VENDOR(0x2dc8), /* 8BitDo Pro 2 Wired Controller for Xbox */ XPAD_XBOXONE_VENDOR(0x2e24), /* Hyperkin Duke X-Box One pad */ XPAD_XBOX360_VENDOR(0x2f24), /* GameSir Controllers */ + XPAD_XBOX360_VENDOR(0x31e3), /* Wooting Keyboards */ XPAD_XBOX360_VENDOR(0x3285), /* Nacon GC-100 */ { } }; From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5FF24C433FE for ; Thu, 13 Oct 2022 18:27:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231902AbiJMS1s (ORCPT ); Thu, 13 Oct 2022 14:27:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57884 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231425AbiJMS1O (ORCPT ); Thu, 13 Oct 2022 14:27:14 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4867C18A3E6; Thu, 13 Oct 2022 11:22:57 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E7376B8205C; Thu, 13 Oct 2022 18:00:12 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 46967C433D6; Thu, 13 Oct 2022 18:00:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684011; bh=45B25suZiRTyMNLHbM6xw8qTu27E00Fp19ufaiOX5r0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=n0eKB41KzVPCF2HFHjdqyG/G5mzHQcgLvAgFKzuxnwH1o2aNr4LnF10RcgSmxZYUj Z6JKaF75GNZLhiADHcZvYoLZsgGaYSMR6S9I3APJTICKB03leMHqb8KPT7/PlWuMhF 79OHev7cnV46XA3cmwhcufo6zO01VdKTVQvxcb7E= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Cameron Gutman , Pavel Rojtberg , Dmitry Torokhov Subject: [PATCH 5.19 31/33] Input: xpad - fix wireless 360 controller breaking after suspend Date: Thu, 13 Oct 2022 19:53:03 +0200 Message-Id: <20221013175146.298237504@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Cameron Gutman commit a17b9841152e7f4621619902b347e2cc39c32996 upstream. Suspending and resuming the system can sometimes cause the out URB to get hung after a reset_resume. This causes LED setting and force feedback to break on resume. To avoid this, just drop the reset_resume callback so the USB core rebinds xpad to the wireless pads on resume if a reset happened. A nice side effect of this change is the LED ring on wireless controllers is now set correctly on system resume. Cc: stable@vger.kernel.org Fixes: 4220f7db1e42 ("Input: xpad - workaround dead irq_out after suspend/ = resume") Signed-off-by: Cameron Gutman Signed-off-by: Pavel Rojtberg Link: https://lore.kernel.org/r/20220818154411.510308-3-rojtberg@gmail.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/input/joystick/xpad.c | 1 - 1 file changed, 1 deletion(-) --- a/drivers/input/joystick/xpad.c +++ b/drivers/input/joystick/xpad.c @@ -1991,7 +1991,6 @@ static struct usb_driver xpad_driver =3D { .disconnect =3D xpad_disconnect, .suspend =3D xpad_suspend, .resume =3D xpad_resume, - .reset_resume =3D xpad_resume, .id_table =3D xpad_table, }; From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76F3EC433FE for ; Thu, 13 Oct 2022 18:09:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231258AbiJMSJS (ORCPT ); Thu, 13 Oct 2022 14:09:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38452 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231664AbiJMSIU (ORCPT ); Thu, 13 Oct 2022 14:08:20 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 56F2517899; Thu, 13 Oct 2022 11:05:53 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0FB596192F; Thu, 13 Oct 2022 18:00:15 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1A53FC433B5; Thu, 13 Oct 2022 18:00:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684014; bh=d76VYFuP2IkY/Fd+zNHwxmqro3iVPoBaVndsGkcmcJw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pu4sKdDHDmz+USEbKtNMCD/7sr9nDlS8UXJ6rOOWxnZrhsxHzbuRzjMZ8BNjRMHL1 gh6DQupiMxNDWxImhnUqd3AUs/6ZNxxgxzv4vpoU80C681GBlH1d9GvBZ80mfB5Jq0 +mQL8E6nIJaiZrfq3LpMzM8kLH/TfM2G3wruSTfU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Shunsuke Mie , stable Subject: [PATCH 5.19 32/33] misc: pci_endpoint_test: Aggregate params checking for xfer Date: Thu, 13 Oct 2022 19:53:04 +0200 Message-Id: <20221013175146.330866983@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Shunsuke Mie commit 3e42deaac06567c7e86d287c305ccda24db4ae3d upstream. Each transfer test functions have same parameter checking code. This patch unites those to an introduced function. Signed-off-by: Shunsuke Mie Cc: stable Link: https://lore.kernel.org/r/20220907020100.122588-1-mie@igel.co.jp Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/misc/pci_endpoint_test.c | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) --- a/drivers/misc/pci_endpoint_test.c +++ b/drivers/misc/pci_endpoint_test.c @@ -332,6 +332,17 @@ static bool pci_endpoint_test_msi_irq(st return false; } =20 +static int pci_endpoint_test_validate_xfer_params(struct device *dev, + struct pci_endpoint_test_xfer_param *param, size_t alignment) +{ + if (param->size > SIZE_MAX - alignment) { + dev_dbg(dev, "Maximum transfer data size exceeded\n"); + return -EINVAL; + } + + return 0; +} + static bool pci_endpoint_test_copy(struct pci_endpoint_test *test, unsigned long arg) { @@ -363,9 +374,11 @@ static bool pci_endpoint_test_copy(struc return false; } =20 + err =3D pci_endpoint_test_validate_xfer_params(dev, ¶m, alignment); + if (err) + return false; + size =3D param.size; - if (size > SIZE_MAX - alignment) - goto err; =20 use_dma =3D !!(param.flags & PCITEST_FLAGS_USE_DMA); if (use_dma) @@ -497,9 +510,11 @@ static bool pci_endpoint_test_write(stru return false; } =20 + err =3D pci_endpoint_test_validate_xfer_params(dev, ¶m, alignment); + if (err) + return false; + size =3D param.size; - if (size > SIZE_MAX - alignment) - goto err; =20 use_dma =3D !!(param.flags & PCITEST_FLAGS_USE_DMA); if (use_dma) @@ -595,9 +610,11 @@ static bool pci_endpoint_test_read(struc return false; } =20 + err =3D pci_endpoint_test_validate_xfer_params(dev, ¶m, alignment); + if (err) + return false; + size =3D param.size; - if (size > SIZE_MAX - alignment) - goto err; =20 use_dma =3D !!(param.flags & PCITEST_FLAGS_USE_DMA); if (use_dma) From nobody Fri Dec 19 19:07:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 02E02C4332F for ; Thu, 13 Oct 2022 18:05:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230090AbiJMSF2 (ORCPT ); Thu, 13 Oct 2022 14:05:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33802 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230453AbiJMSDZ (ORCPT ); Thu, 13 Oct 2022 14:03:25 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B017B152C5B; Thu, 13 Oct 2022 11:03:23 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 98B586194C; Thu, 13 Oct 2022 18:00:18 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8EBDDC433C1; Thu, 13 Oct 2022 18:00:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684018; bh=5ZgFuOtpNeu9B5tS5zB18GvxrieiEtS9AebSGSuoKG4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=McXb/zTMLW+MoVARBrGHY7HzF0COnrMzHAJfd6QTEAJwSZGS5FbDTH5J3G8645tyw HdMkxtqGlWL/obMdAiAI911J578YdpXYaB8MnRG3TGwcAElCJ8yGFshLYK2AKFmIiD eBIf1tdqO+B+cfbmOwWUFfGqEpGLbsqWX96ROmKA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable , Shunsuke Mie Subject: [PATCH 5.19 33/33] misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic Date: Thu, 13 Oct 2022 19:53:05 +0200 Message-Id: <20221013175146.362156313@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Shunsuke Mie commit 8e30538eca016de8e252bef174beadecd64239f0 upstream. The dma_map_single() doesn't permit zero length mapping. It causes a follow panic. A panic was reported on arm64: [ 60.137988] ------------[ cut here ]------------ [ 60.142630] kernel BUG at kernel/dma/swiotlb.c:624! [ 60.147508] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [ 60.152992] Modules linked in: dw_hdmi_cec crct10dif_ce simple_bridge rc= ar_fdp1 vsp1 rcar_vin videobuf2_vmalloc rcar_csi2 v4l 2_mem2mem videobuf2_dma_contig videobuf2_memops pci_endpoint_test videobuf2= _v4l2 videobuf2_common rcar_fcp v4l2_fwnode v4l2_asyn c videodev mc gpio_bd9571mwv max9611 pwm_rcar ccree at24 authenc libdes phy= _rcar_gen3_usb3 usb_dmac display_connector pwm_bl [ 60.186252] CPU: 0 PID: 508 Comm: pcitest Not tainted 6.0.0-rc1rpci-dev+= #237 [ 60.193387] Hardware name: Renesas Salvator-X 2nd version board based on= r8a77951 (DT) [ 60.201302] pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE= =3D--) [ 60.208263] pc : swiotlb_tbl_map_single+0x2c0/0x590 [ 60.213149] lr : swiotlb_map+0x88/0x1f0 [ 60.216982] sp : ffff80000a883bc0 [ 60.220292] x29: ffff80000a883bc0 x28: 0000000000000000 x27: 00000000000= 00000 [ 60.227430] x26: 0000000000000000 x25: ffff0004c0da20d0 x24: ffff80000a1= f77c0 [ 60.234567] x23: 0000000000000002 x22: 0001000040000010 x21: 000000007a0= 00000 [ 60.241703] x20: 0000000000200000 x19: 0000000000000000 x18: 00000000000= 00000 [ 60.248840] x17: 0000000000000000 x16: 0000000000000000 x15: ffff0006ff7= b9180 [ 60.255977] x14: ffff0006ff7b9180 x13: 0000000000000000 x12: 00000000000= 00000 [ 60.263113] x11: 0000000000000000 x10: 0000000000000000 x9 : 00000000000= 00000 [ 60.270249] x8 : 0001000000000010 x7 : ffff0004c6754b20 x6 : 00000000000= 00000 [ 60.277385] x5 : ffff0004c0da2090 x4 : 0000000000000000 x3 : 00000000000= 00001 [ 60.284521] x2 : 0000000040000000 x1 : 0000000000000000 x0 : 00000000400= 00010 [ 60.291658] Call trace: [ 60.294100] swiotlb_tbl_map_single+0x2c0/0x590 [ 60.298629] swiotlb_map+0x88/0x1f0 [ 60.302115] dma_map_page_attrs+0x188/0x230 [ 60.306299] pci_endpoint_test_ioctl+0x5e4/0xd90 [pci_endpoint_test] [ 60.312660] __arm64_sys_ioctl+0xa8/0xf0 [ 60.316583] invoke_syscall+0x44/0x108 [ 60.320334] el0_svc_common.constprop.0+0xcc/0xf0 [ 60.325038] do_el0_svc+0x2c/0xb8 [ 60.328351] el0_svc+0x2c/0x88 [ 60.331406] el0t_64_sync_handler+0xb8/0xc0 [ 60.335587] el0t_64_sync+0x18c/0x190 [ 60.339251] Code: 52800013 d2e00414 35fff45c d503201f (d4210000) [ 60.345344] ---[ end trace 0000000000000000 ]--- To fix it, this patch adds a checking the payload length if it is zero. Fixes: 343dc693f7b7 ("misc: pci_endpoint_test: Prevent some integer overflo= ws") Cc: stable Signed-off-by: Shunsuke Mie Link: https://lore.kernel.org/r/20220907020100.122588-2-mie@igel.co.jp Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman Tested-by: Bagas Sanjaya Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Tested-by: Shuah Khan Tested-by: Slade Watkins Tested-by: Sudip Mukherjee --- drivers/misc/pci_endpoint_test.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/misc/pci_endpoint_test.c +++ b/drivers/misc/pci_endpoint_test.c @@ -335,6 +335,11 @@ static bool pci_endpoint_test_msi_irq(st static int pci_endpoint_test_validate_xfer_params(struct device *dev, struct pci_endpoint_test_xfer_param *param, size_t alignment) { + if (!param->size) { + dev_dbg(dev, "Data size is zero\n"); + return -EINVAL; + } + if (param->size > SIZE_MAX - alignment) { dev_dbg(dev, "Maximum transfer data size exceeded\n"); return -EINVAL;