author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-03-04 07:56:38 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-03-04 07:56:38 +0100 |
commit | 620a7e8c70d8c0f8f8f0484024607450d3fcce07 (patch) | |
tree | 5168d48c409e7619d3335b016128859ea74c2a0c /queue-5.4 | |
parent | 7d6188ab9fd96b8939abbc46deb0ac6371f5bf43 (diff) | |
5.4-stable patches
added patches:
btrfs-dev-replace-properly-validate-device-names.patch
dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch
dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch
gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch
mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch
mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch
mmc-sdhci-xenon-fix-phy-init-clock-stability.patch
wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch
Diffstat (limited to 'queue-5.4')
9 files changed, 637 insertions, 0 deletions
diff --git a/queue-5.4/btrfs-dev-replace-properly-validate-device-names.patch b/queue-5.4/btrfs-dev-replace-properly-validate-device-names.patch
new file mode 100644
index 0000000000..3e22adeddd
--- /dev/null
+++ b/queue-5.4/btrfs-dev-replace-properly-validate-device-names.patch
@@ -0,0 +1,72 @@
+From 9845664b9ee47ce7ee7ea93caf47d39a9d4552c4 Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.com>
+Date: Wed, 14 Feb 2024 16:19:24 +0100
+Subject: btrfs: dev-replace: properly validate device names
+
+From: David Sterba <dsterba@suse.com>
+
+commit 9845664b9ee47ce7ee7ea93caf47d39a9d4552c4 upstream.
+
+There's a syzbot report that device name buffers passed to device
+replace are not properly checked for string termination which could lead
+to a read out of bounds in getname_kernel().
+
+Add a helper that validates both source and target device name buffers.
+For devid as the source initialize the buffer to empty string in case
+something tries to read it later.
+
+This was originally analyzed and fixed in a different way by Edward Adam
+Davis (see links).
+
+Link: https://lore.kernel.org/linux-btrfs/000000000000d1a1d1060cc9c5e7@google.com/
+Link: https://lore.kernel.org/linux-btrfs/tencent_44CA0665C9836EF9EEC80CB9E7E206DF5206@qq.com/
+CC: stable@vger.kernel.org # 4.19+
+CC: Edward Adam Davis <eadavis@qq.com>
+Reported-and-tested-by: syzbot+33f23b49ac24f986c9e8@syzkaller.appspotmail.com
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/dev-replace.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -535,6 +535,23 @@ leave:
+ return ret;
+ }
+
++static int btrfs_check_replace_dev_names(struct btrfs_ioctl_dev_replace_args *args)
++{
++ if (args->start.srcdevid == 0) {
++ if (memchr(args->start.srcdev_name, 0,
++ sizeof(args->start.srcdev_name)) == NULL)
++ return -ENAMETOOLONG;
++ } else {
++ args->start.srcdev_name[0] = 0;
++ }
++
++ if (memchr(args->start.tgtdev_name, 0,
++ sizeof(args->start.tgtdev_name)) == NULL)
++ return -ENAMETOOLONG;
++
++ return 0;
++}
++
+ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info,
+ struct btrfs_ioctl_dev_replace_args *args)
+ {
+@@ -547,10 +564,9 @@ int btrfs_dev_replace_by_ioctl(struct bt
+ default:
+ return -EINVAL;
+ }
+-
+- if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') ||
+- args->start.tgtdev_name[0] == '\0')
+- return -EINVAL;
++ ret = btrfs_check_replace_dev_names(args);
++ if (ret < 0)
++ return ret;
+
+ ret = btrfs_dev_replace_start(fs_info, args->start.tgtdev_name,
+ args->start.srcdevid,
diff --git a/queue-5.4/dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch b/queue-5.4/dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch
new file mode 100644
index 0000000000..6b8e4bd22f
--- /dev/null
+++ b/queue-5.4/dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch
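Review bot: btrfs_check_replace_dev_names() in fs/btrfs/dev-replace.c only proves that each name buffer contains a NUL, so the empty-name rejection removed in the second hunk (`args->start.tgtdev_name[0] == '\0'` returning -EINVAL) is no longer enforced before btrfs_dev_replace_start() runs. If an empty target or source name should still fail early, keep a check such as `if (args->start.tgtdev_name[0] == '\0') return -EINVAL;` after the memchr() tests; otherwise confirm that the callee, which is outside this hunk, rejects an empty path. The helper also writes to its argument in the devid branch, so a comment like `/* Verify both name buffers are NUL-terminated; clears srcdev_name when srcdevid selects the source. */` would stop the word "check" from implying it is read-only.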
@@ -0,0 +1,54 @@
+From 9d739bccf261dd93ec1babf82f5c5d71dd4caa3e Mon Sep 17 00:00:00 2001
+From: Peng Ma <peng.ma@nxp.com>
+Date: Thu, 1 Feb 2024 16:50:07 -0500
+Subject: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read
+
+From: Peng Ma <peng.ma@nxp.com>
+
+commit 9d739bccf261dd93ec1babf82f5c5d71dd4caa3e upstream.
+
+There is chip (ls1028a) errata:
+
+The SoC may hang on 16 byte unaligned read transactions by QDMA.
+
+Unaligned read transactions initiated by QDMA may stall in the NOC
+(Network On-Chip), causing a deadlock condition. Stalled transactions will
+trigger completion timeouts in PCIe controller.
+
+Workaround:
+Enable prefetch by setting the source descriptor prefetchable bit
+( SD[PF] = 1 ).
+
+Implement this workaround.
+
+Cc: stable@vger.kernel.org
+Fixes: b092529e0aa0 ("dmaengine: fsl-qdma: Add qDMA controller driver for Layerscape SoCs")
+Signed-off-by: Peng Ma <peng.ma@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20240201215007.439503-1-Frank.Li@nxp.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/fsl-qdma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/fsl-qdma.c
++++ b/drivers/dma/fsl-qdma.c
+@@ -109,6 +109,7 @@
+ #define FSL_QDMA_CMD_WTHROTL_OFFSET 20
+ #define FSL_QDMA_CMD_DSEN_OFFSET 19
+ #define FSL_QDMA_CMD_LWC_OFFSET 16
++#define FSL_QDMA_CMD_PF BIT(17)
+
+ /* Field definition for Descriptor offset */
+ #define QDMA_CCDF_STATUS 20
+@@ -372,7 +373,8 @@ static void fsl_qdma_comp_fill_memcpy(st
+ qdma_csgf_set_f(csgf_dest, len);
+ /* Descriptor Buffer */
+ cmd = cpu_to_le32(FSL_QDMA_CMD_RWTTYPE <<
+- FSL_QDMA_CMD_RWTTYPE_OFFSET);
++ FSL_QDMA_CMD_RWTTYPE_OFFSET) |
++ FSL_QDMA_CMD_PF;
+ sdf->data = QDMA_SDDF_CMD(cmd);
+
+ cmd = cpu_to_le32(FSL_QDMA_CMD_RWTTYPE <<
diff --git a/queue-5.4/dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch b/queue-5.4/dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch
new file mode 100644
index 0000000000..ddc462065f
--- /dev/null
+++ b/queue-5.4/dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch
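Review bot: In fsl_qdma_comp_fill_memcpy() the new `FSL_QDMA_CMD_PF` bit is ORed in after `cpu_to_le32()` has already converted the value, so on a big-endian CPU the bit would land in a different byte of the descriptor word than intended. Folding it into the converted expression keeps the field layout independent of host endianness: `cmd = cpu_to_le32((FSL_QDMA_CMD_RWTTYPE << FSL_QDMA_CMD_RWTTYPE_OFFSET) | FSL_QDMA_CMD_PF);`. The define is also applied unconditionally although the message describes an ls1028a erratum, so a comment such as `/* SD[PF]: source descriptor prefetchable; set as the unaligned-read erratum workaround */` would record why it is there. The function body continues outside the hunk.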
@@ -0,0 +1,95 @@
+From 87a39071e0b639f45e05d296cc0538eef44ec0bd Mon Sep 17 00:00:00 2001
+From: Curtis Klein <curtis.klein@hpe.com>
+Date: Thu, 1 Feb 2024 17:04:06 -0500
+Subject: dmaengine: fsl-qdma: init irq after reg initialization
+
+From: Curtis Klein <curtis.klein@hpe.com>
+
+commit 87a39071e0b639f45e05d296cc0538eef44ec0bd upstream.
+
+Initialize the qDMA irqs after the registers are configured so that
+interrupts that may have been pending from a primary kernel don't get
+processed by the irq handler before it is ready to and cause panic with
+the following trace:
+
+ Call trace:
+ fsl_qdma_queue_handler+0xf8/0x3e8
+ __handle_irq_event_percpu+0x78/0x2b0
+ handle_irq_event_percpu+0x1c/0x68
+ handle_irq_event+0x44/0x78
+ handle_fasteoi_irq+0xc8/0x178
+ generic_handle_irq+0x24/0x38
+ __handle_domain_irq+0x90/0x100
+ gic_handle_irq+0x5c/0xb8
+ el1_irq+0xb8/0x180
+ _raw_spin_unlock_irqrestore+0x14/0x40
+ __setup_irq+0x4bc/0x798
+ request_threaded_irq+0xd8/0x190
+ devm_request_threaded_irq+0x74/0xe8
+ fsl_qdma_probe+0x4d4/0xca8
+ platform_drv_probe+0x50/0xa0
+ really_probe+0xe0/0x3f8
+ driver_probe_device+0x64/0x130
+ device_driver_attach+0x6c/0x78
+ __driver_attach+0xbc/0x158
+ bus_for_each_dev+0x5c/0x98
+ driver_attach+0x20/0x28
+ bus_add_driver+0x158/0x220
+ driver_register+0x60/0x110
+ __platform_driver_register+0x44/0x50
+ fsl_qdma_driver_init+0x18/0x20
+ do_one_initcall+0x48/0x258
+ kernel_init_freeable+0x1a4/0x23c
+ kernel_init+0x10/0xf8
+ ret_from_fork+0x10/0x18
+
+Cc: stable@vger.kernel.org
+Fixes: b092529e0aa0 ("dmaengine: fsl-qdma: Add qDMA controller driver for Layerscape SoCs")
+Signed-off-by: Curtis Klein <curtis.klein@hpe.com>
+Signed-off-by: Yi Zhao <yi.zhao@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20240201220406.440145-1-Frank.Li@nxp.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/fsl-qdma.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/drivers/dma/fsl-qdma.c
++++ b/drivers/dma/fsl-qdma.c
+@@ -1152,10 +1152,6 @@ static int fsl_qdma_probe(struct platfor
+ if (!fsl_qdma->queue)
+ return -ENOMEM;
+
+- ret = fsl_qdma_irq_init(pdev, fsl_qdma);
+- if (ret)
+- return ret;
+-
+ fsl_qdma->irq_base = platform_get_irq_byname(pdev, "qdma-queue0");
+ if (fsl_qdma->irq_base < 0)
+ return fsl_qdma->irq_base;
+@@ -1194,16 +1190,19 @@ static int fsl_qdma_probe(struct platfor
+
+ platform_set_drvdata(pdev, fsl_qdma);
+
+- ret = dma_async_device_register(&fsl_qdma->dma_dev);
++ ret = fsl_qdma_reg_init(fsl_qdma);
+ if (ret) {
+- dev_err(&pdev->dev,
+- "Can't register NXP Layerscape qDMA engine.\n");
++ dev_err(&pdev->dev, "Can't Initialize the qDMA engine.\n");
+ return ret;
+ }
+
+- ret = fsl_qdma_reg_init(fsl_qdma);
++ ret = fsl_qdma_irq_init(pdev, fsl_qdma);
++ if (ret)
++ return ret;
++
++ ret = dma_async_device_register(&fsl_qdma->dma_dev);
+ if (ret) {
+- dev_err(&pdev->dev, "Can't Initialize the qDMA engine.\n");
++ dev_err(&pdev->dev, "Can't register NXP Layerscape qDMA engine.\n");
+ return ret;
+ }
+
diff --git a/queue-5.4/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch b/queue-5.4/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch
new file mode 100644
index 0000000000..d50c58ebc3
--- /dev/null
+++ b/queue-5.4/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch
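Review bot: The new call order in fsl_qdma_probe() (fsl_qdma_reg_init(), then fsl_qdma_irq_init(), then dma_async_device_register()) is a correctness requirement, yet nothing in the code records it, so a later cleanup could move the IRQ request back up and reintroduce the panic. A comment above the IRQ call would pin it down: `/* Request IRQs only after the registers are initialised: an interrupt left pending by a previous kernel must not reach the handler earlier. */`. The `fsl_qdma_irq_init()` failure path also returns without a message while both neighbours log through dev_err(). Whether the handlers requested here are released when dma_async_device_register() fails depends on fsl_qdma_irq_init(), which is outside the hunk.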
@@ -0,0 +1,151 @@
+From 616d82c3cfa2a2146dd7e3ae47bda7e877ee549e Mon Sep 17 00:00:00 2001
+From: Alexander Ofitserov <oficerovas@altlinux.org>
+Date: Wed, 28 Feb 2024 14:47:03 +0300
+Subject: gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
+
+From: Alexander Ofitserov <oficerovas@altlinux.org>
+
+commit 616d82c3cfa2a2146dd7e3ae47bda7e877ee549e upstream.
+
+The gtp_link_ops operations structure for the subsystem must be
+registered after registering the gtp_net_ops pernet operations structure.
+
+Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:
+
+[ 1010.702740] gtp: GTP module unloaded
+[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
+[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1
+[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014
+[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]
+[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00
+[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203
+[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000
+[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282
+[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000
+[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80
+[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400
+[ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000
+[ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0
+[ 1010.715968] PKRU: 55555554
+[ 1010.715972] Call Trace:
+[ 1010.715985] ? __die_body.cold+0x1a/0x1f
+[ 1010.715995] ? die_addr+0x43/0x70
+[ 1010.716002] ? exc_general_protection+0x199/0x2f0
+[ 1010.716016] ? asm_exc_general_protection+0x1e/0x30
+[ 1010.716026] ? gtp_newlink+0x4d7/0x9c0 [gtp]
+[ 1010.716034] ? gtp_net_exit+0x150/0x150 [gtp]
+[ 1010.716042] __rtnl_newlink+0x1063/0x1700
+[ 1010.716051] ? rtnl_setlink+0x3c0/0x3c0
+[ 1010.716063] ? is_bpf_text_address+0xc0/0x1f0
+[ 1010.716070] ? kernel_text_address.part.0+0xbb/0xd0
+[ 1010.716076] ? __kernel_text_address+0x56/0xa0
+[ 1010.716084] ? unwind_get_return_address+0x5a/0xa0
+[ 1010.716091] ? create_prof_cpu_mask+0x30/0x30
+[ 1010.716098] ? arch_stack_walk+0x9e/0xf0
+[ 1010.716106] ? stack_trace_save+0x91/0xd0
+[ 1010.716113] ? stack_trace_consume_entry+0x170/0x170
+[ 1010.716121] ? __lock_acquire+0x15c5/0x5380
+[ 1010.716139] ? mark_held_locks+0x9e/0xe0
+[ 1010.716148] ? kmem_cache_alloc_trace+0x35f/0x3c0
+[ 1010.716155] ? __rtnl_newlink+0x1700/0x1700
+[ 1010.716160] rtnl_newlink+0x69/0xa0
+[ 1010.716166] rtnetlink_rcv_msg+0x43b/0xc50
+[ 1010.716172] ? rtnl_fdb_dump+0x9f0/0x9f0
+[ 1010.716179] ? lock_acquire+0x1fe/0x560
+[ 1010.716188] ? netlink_deliver_tap+0x12f/0xd50
+[ 1010.716196] netlink_rcv_skb+0x14d/0x440
+[ 1010.716202] ? rtnl_fdb_dump+0x9f0/0x9f0
+[ 1010.716208] ? netlink_ack+0xab0/0xab0
+[ 1010.716213] ? netlink_deliver_tap+0x202/0xd50
+[ 1010.716220] ? netlink_deliver_tap+0x218/0xd50
+[ 1010.716226] ? __virt_addr_valid+0x30b/0x590
+[ 1010.716233] netlink_unicast+0x54b/0x800
+[ 1010.716240] ? netlink_attachskb+0x870/0x870
+[ 1010.716248] ? __check_object_size+0x2de/0x3b0
+[ 1010.716254] netlink_sendmsg+0x938/0xe40
+[ 1010.716261] ? netlink_unicast+0x800/0x800
+[ 1010.716269] ? __import_iovec+0x292/0x510
+[ 1010.716276] ? netlink_unicast+0x800/0x800
+[ 1010.716284] __sock_sendmsg+0x159/0x190
+[ 1010.716290] ____sys_sendmsg+0x712/0x880
+[ 1010.716297] ? sock_write_iter+0x3d0/0x3d0
+[ 1010.716304] ? __ia32_sys_recvmmsg+0x270/0x270
+[ 1010.716309] ? lock_acquire+0x1fe/0x560
+[ 1010.716315] ? drain_array_locked+0x90/0x90
+[ 1010.716324] ___sys_sendmsg+0xf8/0x170
+[ 1010.716331] ? sendmsg_copy_msghdr+0x170/0x170
+[ 1010.716337] ? lockdep_init_map_type+0x2c7/0x860
+[ 1010.716343] ? lockdep_hardirqs_on_prepare+0x430/0x430
+[ 1010.716350] ? debug_mutex_init+0x33/0x70
+[ 1010.716360] ? percpu_counter_add_batch+0x8b/0x140
+[ 1010.716367] ? lock_acquire+0x1fe/0x560
+[ 1010.716373] ? find_held_lock+0x2c/0x110
+[ 1010.716384] ? __fd_install+0x1b6/0x6f0
+[ 1010.716389] ? lock_downgrade+0x810/0x810
+[ 1010.716396] ? __fget_light+0x222/0x290
+[ 1010.716403] __sys_sendmsg+0xea/0x1b0
+[ 1010.716409] ? __sys_sendmsg_sock+0x40/0x40
+[ 1010.716419] ? lockdep_hardirqs_on_prepare+0x2b3/0x430
+[ 1010.716425] ? syscall_enter_from_user_mode+0x1d/0x60
+[ 1010.716432] do_syscall_64+0x30/0x40
+[ 1010.716438] entry_SYSCALL_64_after_hwframe+0x62/0xc7
+[ 1010.716444] RIP: 0033:0x7fd1508cbd49
+[ 1010.716452] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
+[ 1010.716456] RSP: 002b:00007fff18872348 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+[ 1010.716463] RAX: ffffffffffffffda RBX: 000055f72bf0eac0 RCX: 00007fd1508cbd49
+[ 1010.716468] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006
+[ 1010.716473] RBP: 00007fff18872360 R08: 00007fff18872360 R09: 00007fff18872360
+[ 1010.716478] R10: 00007fff18872360 R11: 0000000000000202 R12: 000055f72bf0e1b0
+[ 1010.716482] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 1010.716491] Modules linked in: gtp(+) udp_tunnel ib_core uinput af_packet rfkill qrtr joydev hid_generic usbhid hid kvm_intel iTCO_wdt intel_pmc_bxt iTCO_vendor_support kvm snd_hda_codec_generic ledtrig_audio irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel snd_hda_intel nls_utf8 snd_intel_dspcfg nls_cp866 psmouse aesni_intel vfat crypto_simd fat cryptd glue_helper snd_hda_codec pcspkr snd_hda_core i2c_i801 snd_hwdep i2c_smbus xhci_pci snd_pcm lpc_ich xhci_pci_renesas xhci_hcd qemu_fw_cfg tiny_power_button button sch_fq_codel vboxvideo drm_vram_helper drm_ttm_helper ttm vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore msr fuse efi_pstore dm_mod ip_tables x_tables autofs4 virtio_gpu virtio_dma_buf drm_kms_helper cec rc_core drm virtio_rng virtio_scsi rng_core virtio_balloon virtio_blk virtio_net virtio_console net_failover failover ahci libahci libata evdev scsi_mod input_leds serio_raw virtio_pci intel_agp
+[ 1010.716674] virtio_ring intel_gtt virtio [last unloaded: gtp]
+[ 1010.716693] ---[ end trace 04990a4ce61e174b ]---
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Ofitserov <oficerovas@altlinux.org>
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20240228114703.465107-1-oficerovas@altlinux.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/gtp.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -1377,26 +1377,26 @@ static int __init gtp_init(void)
+
+ get_random_bytes(>p_h_initval, sizeof(gtp_h_initval));
+
+- err = rtnl_link_register(>p_link_ops);
++ err = register_pernet_subsys(>p_net_ops);
+ if (err < 0)
+ goto error_out;
+
+- err = register_pernet_subsys(>p_net_ops);
++ err = rtnl_link_register(>p_link_ops);
+ if (err < 0)
+- goto unreg_rtnl_link;
++ goto unreg_pernet_subsys;
+
+ err = genl_register_family(>p_genl_family);
+ if (err < 0)
+- goto unreg_pernet_subsys;
++ goto unreg_rtnl_link;
+
+ pr_info("GTP module loaded (pdp ctx size %zd bytes)\n",
+ sizeof(struct pdp_ctx));
+ return 0;
+
+-unreg_pernet_subsys:
+- unregister_pernet_subsys(>p_net_ops);
+ unreg_rtnl_link:
+ rtnl_link_unregister(>p_link_ops);
++unreg_pernet_subsys:
++ unregister_pernet_subsys(>p_net_ops);
+ error_out:
+ pr_err("error loading GTP module loaded\n");
+ return err;
diff --git a/queue-5.4/mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch b/queue-5.4/mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch
new file mode 100644
index 0000000000..a6264fb0f6
--- /dev/null
+++ b/queue-5.4/mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch
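Review bot: The registration order in gtp_init() is now what prevents the null-ptr-deref in gtp_newlink(), but the code carries no comment saying so, and the labels are the only hint that the sequence matters. A line above the first call would make the constraint explicit: `/* pernet ops must be registered before the rtnl link ops, otherwise a newlink request can run before the per-netns state exists */`. The module exit path is outside this hunk, so confirm that it unregisters in the reverse order (genl family, link ops, then pernet ops) to match the unwinding labels here. Separately, the context line `pr_err("error loading GTP module loaded\n")` reads as a garbled message and could be tidied in a follow-up.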
@@ -0,0 +1,72 @@
+From ff3206d2186d84e4f77e1378ba1d225633f17b9b Mon Sep 17 00:00:00 2001
+From: Ivan Semenov <ivan@semenov.dev>
+Date: Tue, 6 Feb 2024 19:28:45 +0200
+Subject: mmc: core: Fix eMMC initialization with 1-bit bus connection
+
+From: Ivan Semenov <ivan@semenov.dev>
+
+commit ff3206d2186d84e4f77e1378ba1d225633f17b9b upstream.
+
+Initializing an eMMC that's connected via a 1-bit bus is current failing,
+if the HW (DT) informs that 4-bit bus is supported. In fact this is a
+regression, as we were earlier capable of falling back to 1-bit mode, when
+switching to 4/8-bit bus failed. Therefore, let's restore the behaviour.
+
+Log for Samsung eMMC 5.1 chip connected via 1bit bus (only D0 pin)
+Before patch:
+[134509.044225] mmc0: switch to bus width 4 failed
+[134509.044509] mmc0: new high speed MMC card at address 0001
+[134509.054594] mmcblk0: mmc0:0001 BGUF4R 29.1 GiB
+[134509.281602] mmc0: switch to bus width 4 failed
+[134509.282638] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.282657] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.284598] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.284602] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.284609] ldm_validate_partition_table(): Disk read failed.
+[134509.286495] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.286500] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.288303] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.288308] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.289540] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.289544] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.289553] mmcblk0: unable to read partition table
+[134509.289728] mmcblk0boot0: mmc0:0001 BGUF4R 31.9 MiB
+[134509.290283] mmcblk0boot1: mmc0:0001 BGUF4R 31.9 MiB
+[134509.294577] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2
+[134509.295835] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.295841] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+
+After patch:
+
+[134551.089613] mmc0: switch to bus width 4 failed
+[134551.090377] mmc0: new high speed MMC card at address 0001
+[134551.102271] mmcblk0: mmc0:0001 BGUF4R 29.1 GiB
+[134551.113365] mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 p11 p12 p13 p14 p15 p16 p17 p18 p19 p20 p21
+[134551.114262] mmcblk0boot0: mmc0:0001 BGUF4R 31.9 MiB
+[134551.114925] mmcblk0boot1: mmc0:0001 BGUF4R 31.9 MiB
+
+Fixes: 577fb13199b1 ("mmc: rework selection of bus speed mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Semenov <ivan@semenov.dev>
+Link: https://lore.kernel.org/r/20240206172845.34316-1-ivan@semenov.dev
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/mmc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -991,10 +991,12 @@ static int mmc_select_bus_width(struct m
+ static unsigned ext_csd_bits[] = {
+ EXT_CSD_BUS_WIDTH_8,
+ EXT_CSD_BUS_WIDTH_4,
++ EXT_CSD_BUS_WIDTH_1,
+ };
+ static unsigned bus_widths[] = {
+ MMC_BUS_WIDTH_8,
+ MMC_BUS_WIDTH_4,
++ MMC_BUS_WIDTH_1,
+ };
+ struct mmc_host *host = card->host;
+ unsigned idx, bus_width = 0;
diff --git a/queue-5.4/mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch b/queue-5.4/mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch
new file mode 100644
index 0000000000..f6715a8971
--- /dev/null
+++ b/queue-5.4/mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch
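Review bot: `ext_csd_bits[]` and `bus_widths[]` in mmc_select_bus_width() are parallel tables, and the fallback only works if the 1-bit entry sits at the same index in both, which nothing in the code enforces or states. Since neither table is written to in the visible lines, declaring them `static const unsigned` and adding `/* Keep in step with bus_widths[]: widest first, 1-bit last as the fallback. */` above the first would document the pairing. The loop that walks the tables is outside the hunk, so confirm that any per-width bus test it performs is skipped or harmless for the new 1-bit entry.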
@@ -0,0 +1,75 @@
+From 09e23823ae9a3e2d5d20f2e1efe0d6e48cef9129 Mon Sep 17 00:00:00 2001
+From: Elad Nachman <enachman@marvell.com>
+Date: Thu, 22 Feb 2024 21:17:14 +0200
+Subject: mmc: sdhci-xenon: add timeout for PHY init complete
+
+From: Elad Nachman <enachman@marvell.com>
+
+commit 09e23823ae9a3e2d5d20f2e1efe0d6e48cef9129 upstream.
+
+AC5X spec says PHY init complete bit must be polled until zero.
+We see cases in which timeout can take longer than the standard
+calculation on AC5X, which is expected following the spec comment above.
+According to the spec, we must wait as long as it takes for that bit to
+toggle on AC5X.
+Cap that with 100 delay loops so we won't get stuck forever.
+
+Fixes: 06c8b667ff5b ("mmc: sdhci-xenon: Add support to PHYs of Marvell Xenon SDHC")
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Elad Nachman <enachman@marvell.com>
+Link: https://lore.kernel.org/r/20240222191714.1216470-3-enachman@marvell.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-xenon-phy.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-xenon-phy.c
++++ b/drivers/mmc/host/sdhci-xenon-phy.c
+@@ -109,6 +109,8 @@
+ #define XENON_EMMC_PHY_LOGIC_TIMING_ADJUST (XENON_EMMC_PHY_REG_BASE + 0x18)
+ #define XENON_LOGIC_TIMING_VALUE 0x00AA8977
+
++#define XENON_MAX_PHY_TIMEOUT_LOOPS 100
++
+ /*
+ * List offset of PHY registers and some special register values
+ * in eMMC PHY 5.0 or eMMC PHY 5.1
+@@ -259,18 +261,27 @@ static int xenon_emmc_phy_init(struct sd
+ /* get the wait time */
+ wait /= clock;
+ wait++;
+- /* wait for host eMMC PHY init completes */
+- udelay(wait);
+
+- reg = sdhci_readl(host, phy_regs->timing_adj);
+- reg &= XENON_PHY_INITIALIZAION;
+- if (reg) {
++ /*
++ * AC5X spec says bit must be polled until zero.
++ * We see cases in which timeout can take longer
++ * than the standard calculation on AC5X, which is
++ * expected following the spec comment above.
++ * According to the spec, we must wait as long as
++ * it takes for that bit to toggle on AC5X.
++ * Cap that with 100 delay loops so we won't get
++ * stuck here forever:
++ */
++
++ ret = read_poll_timeout(sdhci_readl, reg,
++ !(reg & XENON_PHY_INITIALIZAION),
++ wait, XENON_MAX_PHY_TIMEOUT_LOOPS * wait,
++ false, host, phy_regs->timing_adj);
++ if (ret)
+ dev_err(mmc_dev(host->mmc), "eMMC PHY init cannot complete after %d us\n",
+- wait);
+- return -ETIMEDOUT;
+- }
++ wait * XENON_MAX_PHY_TIMEOUT_LOOPS);
+
+- return 0;
++ return ret;
+ }
+
+ #define ARMADA_3700_SOC_PAD_1_8V 0x1
diff --git a/queue-5.4/mmc-sdhci-xenon-fix-phy-init-clock-stability.patch b/queue-5.4/mmc-sdhci-xenon-fix-phy-init-clock-stability.patch
new file mode 100644
index 0000000000..5492f703a2
--- /dev/null
+++ b/queue-5.4/mmc-sdhci-xenon-fix-phy-init-clock-stability.patch
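Review bot: The rewritten tail of xenon_emmc_phy_init() assigns `ret = read_poll_timeout(...)`, but the only declaration of `ret` and the only `#include <linux/iopoll.h>` visible on this page are added by mmc-sdhci-xenon-fix-phy-init-clock-stability.patch, which the series file queues after this patch. Unless the function already declares `ret` outside the hunk, this patch would not build on its own, so the two should be ordered clock-stability first or this one should carry its own `int ret;` and include. It is also worth confirming that the 5.4 tree's linux/iopoll.h actually provides read_poll_timeout(), since nothing in this queue adds it. The function body starts outside the hunk.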
@@ -0,0 +1,68 @@
+From 8e9f25a290ae0016353c9ea13314c95fb3207812 Mon Sep 17 00:00:00 2001
+From: Elad Nachman <enachman@marvell.com>
+Date: Thu, 22 Feb 2024 22:09:30 +0200
+Subject: mmc: sdhci-xenon: fix PHY init clock stability
+
+From: Elad Nachman <enachman@marvell.com>
+
+commit 8e9f25a290ae0016353c9ea13314c95fb3207812 upstream.
+
+Each time SD/mmc phy is initialized, at times, in some of
+the attempts, phy fails to completes its initialization
+which results into timeout error. Per the HW spec, it is
+a pre-requisite to ensure a stable SD clock before a phy
+initialization is attempted.
+
+Fixes: 06c8b667ff5b ("mmc: sdhci-xenon: Add support to PHYs of Marvell Xenon SDHC")
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Elad Nachman <enachman@marvell.com>
+Link: https://lore.kernel.org/r/20240222200930.1277665-1-enachman@marvell.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-xenon-phy.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-xenon-phy.c
++++ b/drivers/mmc/host/sdhci-xenon-phy.c
+@@ -11,6 +11,7 @@
+ #include <linux/slab.h>
+ #include <linux/delay.h>
+ #include <linux/ktime.h>
++#include <linux/iopoll.h>
+ #include <linux/of_address.h>
+
+ #include "sdhci-pltfm.h"
+@@ -218,6 +219,19 @@ static int xenon_alloc_emmc_phy(struct s
+ return 0;
+ }
+
++static int xenon_check_stability_internal_clk(struct sdhci_host *host)
++{
++ u32 reg;
++ int err;
++
++ err = read_poll_timeout(sdhci_readw, reg, reg & SDHCI_CLOCK_INT_STABLE,
++ 1100, 20000, false, host, SDHCI_CLOCK_CONTROL);
++ if (err)
++ dev_err(mmc_dev(host->mmc), "phy_init: Internal clock never stabilized.\n");
++
++ return err;
++}
++
+ /*
+ * eMMC 5.0/5.1 PHY init/re-init.
+ * eMMC PHY init should be executed after:
+@@ -234,6 +248,11 @@ static int xenon_emmc_phy_init(struct sd
+ struct xenon_priv *priv = sdhci_pltfm_priv(pltfm_host);
+ struct xenon_emmc_phy_regs *phy_regs = priv->emmc_phy_regs;
+
++ int ret = xenon_check_stability_internal_clk(host);
++
++ if (ret)
++ return ret;
++
+ reg = sdhci_readl(host, phy_regs->timing_adj);
+ reg |= XENON_PHY_INITIALIZAION;
+ sdhci_writel(host, reg, phy_regs->timing_adj);
diff --git a/queue-5.4/series b/queue-5.4/series
index 1fc8a9ec18..aea3c64c9c 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -13,3 +13,11 @@ efi-capsule-loader-fix-incorrect-allocation-size.patch
 power-supply-bq27xxx-i2c-do-not-free-non-existing-ir.patch
 alsa-drop-leftover-snd-rtctimer-stuff-from-makefile.patch
 afs-fix-endless-loop-in-directory-parsing.patch
+gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch
+wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch
+btrfs-dev-replace-properly-validate-device-names.patch
+dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch
+dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch
+mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch
+mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch
+mmc-sdhci-xenon-fix-phy-init-clock-stability.patch
diff --git a/queue-5.4/wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch b/queue-5.4/wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch
new file mode 100644
index 0000000000..ff864313ba
--- /dev/null
+++ b/queue-5.4/wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch
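Review bot: xenon_check_stability_internal_clk() passes the bare literals `1100, 20000` to read_poll_timeout() with no indication of their units or where the values come from. Named constants with a one-line comment, for example `#define XENON_CLK_STABLE_POLL_US 1100` and `#define XENON_CLK_STABLE_TIMEOUT_US 20000`, would make the 20 ms bound reviewable against the hardware spec the message refers to. read_poll_timeout() sleeps between reads when given a non-zero interval, so the new early call in xenon_emmc_phy_init() is only safe if that function is never reached from atomic context; its callers are outside the hunk. The mixed declaration `int ret = ...` after the existing initialisers also relies on the rest of the function, not shown here, having no conflicting `ret`.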
@@ -0,0 +1,42 @@
+From f78c1375339a291cba492a70eaf12ec501d28a8e Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 14 Feb 2024 20:08:35 +0100
+Subject: wifi: nl80211: reject iftype change with mesh ID change
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit f78c1375339a291cba492a70eaf12ec501d28a8e upstream.
+
+It's currently possible to change the mesh ID when the
+interface isn't yet in mesh mode, at the same time as
+changing it into mesh mode. This leads to an overwrite
+of data in the wdev->u union for the interface type it
+currently has, causing cfg80211_change_iface() to do
+wrong things when switching.
+
+We could probably allow setting an interface to mesh
+while setting the mesh ID at the same time by doing a
+different order of operations here, but realistically
+there's no userspace that's going to do this, so just
+disallow changes in iftype when setting mesh ID.
+
+Cc: stable@vger.kernel.org
+Fixes: 29cbe68c516a ("cfg80211/mac80211: add mesh join/leave commands")
+Reported-by: syzbot+dd4779978217b1973180@syzkaller.appspotmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/nl80211.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3527,6 +3527,8 @@ static int nl80211_set_interface(struct
+
+ if (ntype != NL80211_IFTYPE_MESH_POINT)
+ return -EINVAL;
++ if (otype != NL80211_IFTYPE_MESH_POINT)
++ return -EINVAL;
+ if (netif_running(dev))
+ return -EBUSY;
+
|
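Review bot: The added `otype` test in nl80211_set_interface() sits directly under a near-identical `ntype` test with no comment, so it reads like a duplicate and is an easy target for a later "simplification". A comment would record the memory-safety reason given in the message: `/* mesh ID may only be set on an interface already in mesh mode; combining it with an iftype change would overwrite wdev->u for the current type */`. The two conditions could equally be merged into `if (ntype != NL80211_IFTYPE_MESH_POINT || otype != NL80211_IFTYPE_MESH_POINT) return -EINVAL;`. The enclosing block, including where `otype` is assigned, is outside the hunk.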