--- /dev/null
+From 23e83a01476ff531eaf619974949baee14747f75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 00:49:24 +0000
+Subject: ALSA: asihpi: check pao in control_message()
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit 9026c0bf233db53b86f74f4c620715e94eb32a09 ]
+
+control_message() might be called with pao = NULL.
+Here indicates control_message() as sample.
+
+(B) static void control_message(struct hpi_adapter_obj *pao, ...)
+ { ^^^
+ struct hpi_hw_obj *phw = pao->priv;
+ ... ^^^
+ }
+
+(A) void _HPI_6205(struct hpi_adapter_obj *pao, ...)
+ { ^^^
+ ...
+ case HPI_OBJ_CONTROL:
+(B) control_message(pao, phm, phr);
+ break; ^^^
+ ...
+ }
+
+ void HPI_6205(...)
+ {
+ ...
+(A) _HPI_6205(NULL, phm, phr);
+ ... ^^^^
+ }
+
+Therefore, we get too many warnings from cppcheck, like the ones below
+
+ sound/pci/asihpi/hpi6205.c:238:27: warning: Possible null pointer dereference: pao [nullPointer]
+ struct hpi_hw_obj *phw = pao->priv;
+ ^
+ sound/pci/asihpi/hpi6205.c:433:13: note: Calling function '_HPI_6205', 1st argument 'NULL' value is 0
+ _HPI_6205(NULL, phm, phr);
+ ^
+ sound/pci/asihpi/hpi6205.c:401:20: note: Calling function 'control_message', 1st argument 'pao' value is 0
+ control_message(pao, phm, phr);
+ ^
+Set phr->error like many functions doing, and don't call _HPI_6205()
+with NULL.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/87ttypeaqz.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/asihpi/hpi6205.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/asihpi/hpi6205.c b/sound/pci/asihpi/hpi6205.c
+index 3d6914c64c4a8..4cdaeefeb6885 100644
+--- a/sound/pci/asihpi/hpi6205.c
++++ b/sound/pci/asihpi/hpi6205.c
+@@ -430,7 +430,7 @@ void HPI_6205(struct hpi_message *phm, struct hpi_response *phr)
+ pao = hpi_find_adapter(phm->adapter_index);
+ } else {
+ /* subsys messages don't address an adapter */
+- _HPI_6205(NULL, phm, phr);
++ phr->error = HPI_ERROR_INVALID_OBJ_INDEX;
+ return;
+ }
+
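Review bot: The comment kept above the new line still says subsys messages don't address an adapter, but the branch now answers every such message with `HPI_ERROR_INVALID_OBJ_INDEX` instead of dispatching it. If any subsystem request was previously served through `_HPI_6205(NULL, phm, phr)`, it is refused after this change, which goes beyond silencing the cppcheck warning; that should be confirmed against the dispatcher, which is outside the hunk. At minimum the comment should describe the new behaviour, e.g. `/* subsys messages don't address an adapter: reject rather than dispatch with pao == NULL */`. HPI_6205() starts and ends outside the hunk.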
+--
+2.39.2
+
--- /dev/null
+From aed8406e70eb195cb44d7ec8b96d30c97130db76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 00:50:28 +0000
+Subject: ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit 98e5eb110095ec77cb6d775051d181edbf9cd3cf ]
+
+tuning_ctl_set() might have buffer overrun at (X) if it didn't break
+from loop by matching (A).
+
+ static int tuning_ctl_set(...)
+ {
+ for (i = 0; i < TUNING_CTLS_COUNT; i++)
+(A) if (nid == ca0132_tuning_ctls[i].nid)
+ break;
+
+ snd_hda_power_up(...);
+(X) dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);
+ snd_hda_power_down(...); ^
+
+ return 1;
+ }
+
+We will get below error by cppcheck
+
+ sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12
+ for (i = 0; i < TUNING_CTLS_COUNT; i++)
+ ^
+ sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds
+ dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
+ ^
+This patch handles the non-matching case.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/87sfe9eap7.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_ca0132.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
+index 574c39120df86..f9582053878df 100644
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -3843,8 +3843,10 @@ static int tuning_ctl_set(struct hda_codec *codec, hda_nid_t nid,
+
+ for (i = 0; i < TUNING_CTLS_COUNT; i++)
+ if (nid == ca0132_tuning_ctls[i].nid)
+- break;
++ goto found;
+
++ return -EINVAL;
++found:
+ snd_hda_power_up(codec);
+ dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
+ ca0132_tuning_ctls[i].req,
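Review bot: The `goto found` that jumps over a `return -EINVAL;` placed directly after the loop is harder to follow than an explicit bounds test on the index that is about to be used. Keeping `break` and adding `if (i >= TUNING_CTLS_COUNT) return -EINVAL;` after the loop states the invariant that protects `ca0132_tuning_ctls[i]` in the `dspio_set_param()` call and removes the label. The negative return is also a new outcome for callers of tuning_ctl_set(), which are outside the hunk, so it should be confirmed that none of them treats any non-zero value as "changed". The function body continues past the end of the hunk.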
+--
+2.39.2
+
--- /dev/null
+From 83a03ee18b9a9aea5c3187d9c89745b7b4f90ad1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:22:54 +0000
+Subject: fbdev: au1200fb: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 44a3b36b42acfc433aaaf526191dd12fbb919fdb ]
+
+var->pixclock can be assigned to zero by user. Without
+proper check, divide by zero would occur when invoking
+macro PICOS2KHZ in au1200fb_fb_check_var.
+
+Error out if var->pixclock is zero.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/au1200fb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c
+index 265d3b45efd0c..43a4dddaafd52 100644
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1040,6 +1040,9 @@ static int au1200fb_fb_check_var(struct fb_var_screeninfo *var,
+ u32 pixclock;
+ int screen_size, plane;
+
++ if (!var->pixclock)
++ return -EINVAL;
++
+ plane = fbdev->plane;
+
+ /* Make sure that the mode respect all LCD controller and
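Review bot: The new guard carries no comment saying why zero is rejected, and the same uncommented check is added to intelfb_check_var(), lxfb_check_var() and tgafb_check_var() later in this series. Because `var` is filled from userspace, a one-line comment keeps the check from being dropped as redundant in a later cleanup: `/* pixclock is user-supplied; zero would divide by zero in PICOS2KHZ() */` here, with the dividing function named per driver in the others. The guard covers only the zero case; whether other extreme pixclock values are bounded later in au1200fb_fb_check_var() cannot be seen from this hunk, and the function continues outside it.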
+--
+2.39.2
+
--- /dev/null
+From 7b5f1f55a81510c0d0eb32be77a7569afc922308 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 08:33:47 +0000
+Subject: fbdev: intelfb: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit d823685486a3446d061fed7c7d2f80af984f119a ]
+
+Variable var->pixclock is controlled by user and can be assigned
+to zero. Without proper check, divide by zero would occur in
+intelfbhw_validate_mode and intelfbhw_mode_to_hw.
+
+Error out if var->pixclock is zero.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/intelfb/intelfbdrv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/intelfb/intelfbdrv.c b/drivers/video/fbdev/intelfb/intelfbdrv.c
+index a76c61512c608..274e6bb4a9610 100644
+--- a/drivers/video/fbdev/intelfb/intelfbdrv.c
++++ b/drivers/video/fbdev/intelfb/intelfbdrv.c
+@@ -1214,6 +1214,9 @@ static int intelfb_check_var(struct fb_var_screeninfo *var,
+
+ dinfo = GET_DINFO(info);
+
++ if (!var->pixclock)
++ return -EINVAL;
++
+ /* update the pitch */
+ if (intelfbhw_validate_mode(dinfo, var) != 0)
+ return -EINVAL;
+--
+2.39.2
+
--- /dev/null
+From da28073e5656ec750218534eef71fe60bd794f3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:05:18 +0000
+Subject: fbdev: lxfb: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 61ac4b86a4c047c20d5cb423ddd87496f14d9868 ]
+
+var->pixclock can be assigned to zero by user. Without proper
+check, divide by zero would occur in lx_set_clock.
+
+Error out if var->pixclock is zero.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/geode/lxfb_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/geode/lxfb_core.c b/drivers/video/fbdev/geode/lxfb_core.c
+index b0f07d676eb3e..ffda25089e2ce 100644
+--- a/drivers/video/fbdev/geode/lxfb_core.c
++++ b/drivers/video/fbdev/geode/lxfb_core.c
+@@ -234,6 +234,9 @@ static void get_modedb(struct fb_videomode **modedb, unsigned int *size)
+
+ static int lxfb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
+ {
++ if (!var->pixclock)
++ return -EINVAL;
++
+ if (var->xres > 1920 || var->yres > 1440)
+ return -EINVAL;
+
+--
+2.39.2
+
--- /dev/null
+From e29cd2b937199a5994eed3b52a0daa7998d04342 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 07:18:31 +0000
+Subject: fbdev: nvidia: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit 92e2a00f2987483e1f9253625828622edd442e61 ]
+
+variable var->pixclock can be set by user. In case it
+equals to zero, divide by zero would occur in nvidiafb_set_par.
+
+Similar crashes have happened in other fbdev drivers. There
+is no check and modification on var->pixclock along the call
+chain to nvidia_check_var and nvidiafb_set_par. We believe it
+could also be triggered in driver nvidia from user site.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/nvidia/nvidia.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/video/fbdev/nvidia/nvidia.c b/drivers/video/fbdev/nvidia/nvidia.c
+index fbeeed5afe350..aa502b3ba25ae 100644
+--- a/drivers/video/fbdev/nvidia/nvidia.c
++++ b/drivers/video/fbdev/nvidia/nvidia.c
+@@ -766,6 +766,8 @@ static int nvidiafb_check_var(struct fb_var_screeninfo *var,
+ int pitch, err = 0;
+
+ NVTRACE_ENTER();
++ if (!var->pixclock)
++ return -EINVAL;
+
+ var->transp.offset = 0;
+ var->transp.length = 0;
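Review bot: The early `return -EINVAL;` sits after `NVTRACE_ENTER()`, so this exit skips a matching `NVTRACE_LEAVE()` if the function pairs the two on its other exits (not visible in the hunk). Moving the check above `NVTRACE_ENTER();` avoids the imbalance, and a blank line around it would match the spacing of the other fbdev fixes in this series. A short comment such as `/* user-supplied; zero divides by zero in nvidiafb_set_par() */` would record why the check exists. nvidiafb_check_var() continues outside the hunk.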
+--
+2.39.2
+
--- /dev/null
+From 4ddbe22eae51719901699a900d3dd83ba0ec9434 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 13:08:56 +0000
+Subject: fbdev: tgafb: Fix potential divide by zero
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+[ Upstream commit f90bd245de82c095187d8c2cabb8b488a39eaecc ]
+
+fb_set_var would be called when user invokes ioctl with cmd
+FBIOPUT_VSCREENINFO. User-provided data would finally reach
+tgafb_check_var. In case var->pixclock is assigned to zero,
+divide by zero would occur when checking whether reciprocal
+of var->pixclock is too high.
+
+Similar crashes have happened in other fbdev drivers. There
+is no check and modification on var->pixclock along the call
+chain to tgafb_check_var. We believe it could also be triggered
+in driver tgafb from user site.
+
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/tgafb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c
+index 286b2371c7dd3..eab2b4f87d68f 100644
+--- a/drivers/video/fbdev/tgafb.c
++++ b/drivers/video/fbdev/tgafb.c
+@@ -166,6 +166,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
+ {
+ struct tga_par *par = (struct tga_par *)info->par;
+
++ if (!var->pixclock)
++ return -EINVAL;
++
+ if (par->tga_type == TGA_TYPE_8PLANE) {
+ if (var->bits_per_pixel != 8)
+ return -EINVAL;
+--
+2.39.2
+
--- /dev/null
+From ae31aadb4654fab4b1c9abc3df7fc25695ca6e42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 09:36:25 +1100
+Subject: md: avoid signed overflow in slot_store()
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 3bc57292278a0b6ac4656cad94c14f2453344b57 ]
+
+slot_store() uses kstrtouint() to get a slot number, but stores the
+result in an "int" variable (by casting a pointer).
+This can result in a negative slot number if the unsigned int value is
+very large.
+
+A negative number means that the slot is empty, but setting a negative
+slot number this way will not remove the device from the array. I don't
+think this is a serious problem, but it could cause confusion and it is
+best to fix it.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index aa2993d5d5d38..64558991ce0a0 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -3082,6 +3082,9 @@ slot_store(struct md_rdev *rdev, const char *buf, size_t len)
+ err = kstrtouint(buf, 10, (unsigned int *)&slot);
+ if (err < 0)
+ return err;
++ if (slot < 0)
++ /* overflow */
++ return -ENOSPC;
+ }
+ if (rdev->mddev->pers && slot == -1) {
+ /* Setting 'slot' on an active array requires also
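Review bot: The overflow is detected only after `kstrtouint()` has already written through `(unsigned int *)&slot`, so the check relies on a large unsigned value reappearing as a negative `int`. Parsing into a local `unsigned int` and rejecting with `if (val > INT_MAX) return -ENOSPC;` before assigning to `slot` expresses the same limit without the pointer cast. As written, the `/* overflow */` comment sits between the `if` and its unbraced body; kernel style would put braces around that two-line body. slot_store() starts and ends outside the hunk.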
+--
+2.39.2
+
--- /dev/null
+From 0de9b4c93a4167bade81a75eccece5ecf84abef8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 19:32:38 -0700
+Subject: sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit 6015b1aca1a233379625385feb01dd014aca60b5 ]
+
+The getaffinity() system call uses 'cpumask_size()' to decide how big
+the CPU mask is - so far so good. It is indeed the allocation size of a
+cpumask.
+
+But the code also assumes that the whole allocation is initialized
+without actually doing so itself. That's wrong, because we might have
+fixed-size allocations (making copying and clearing more efficient), but
+not all of it is then necessarily used if 'nr_cpu_ids' is smaller.
+
+Having checked other users of 'cpumask_size()', they all seem to be ok,
+either using it purely for the allocation size, or explicitly zeroing
+the cpumask before using the size in bytes to copy it.
+
+See for example the ublk_ctrl_get_queue_affinity() function that uses
+the proper 'zalloc_cpumask_var()' to make sure that the whole mask is
+cleared, whether the storage is on the stack or if it was an external
+allocation.
+
+Fix this by just zeroing the allocation before using it. Do the same
+for the compat version of sched_getaffinity(), which had the same logic.
+
+Also, for consistency, make sched_getaffinity() use 'cpumask_bits()' to
+access the bits. For a cpumask_var_t, it ends up being a pointer to the
+same data either way, but it's just a good idea to treat it like you
+would a 'cpumask_t'. The compat case already did that.
+
+Reported-by: Ryan Roberts <ryan.roberts@arm.com>
+Link: https://lore.kernel.org/lkml/7d026744-6bd6-6827-0471-b5e8eae0be3f@arm.com/
+Cc: Yury Norov <yury.norov@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/compat.c | 2 +-
+ kernel/sched/core.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/compat.c b/kernel/compat.c
+index a2bc1d6ceb570..241516f326c04 100644
+--- a/kernel/compat.c
++++ b/kernel/compat.c
+@@ -240,7 +240,7 @@ COMPAT_SYSCALL_DEFINE3(sched_getaffinity, compat_pid_t, pid, unsigned int, len,
+ if (len & (sizeof(compat_ulong_t)-1))
+ return -EINVAL;
+
+- if (!alloc_cpumask_var(&mask, GFP_KERNEL))
++ if (!zalloc_cpumask_var(&mask, GFP_KERNEL))
+ return -ENOMEM;
+
+ ret = sched_getaffinity(pid, mask);
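Review bot: Nothing at the allocation says why it must be the zeroing variant, here or at the same change in the kernel/sched/core.c hunk that follows. That hunk shows up to `min(len, cpumask_size())` bytes of the mask passed to `copy_to_user()`, which per the commit message can cover more than is filled in for `nr_cpu_ids`, so a later cleanup back to `alloc_cpumask_var()` would again hand uninitialized kernel memory to userspace. A comment above both allocations would guard against that: `/* zeroed: the whole cpumask_size() allocation may be copied to userspace */`. The compat function's copy-out lies outside this hunk.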
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index d5765b7c92f79..51ac62637e4ed 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5661,14 +5661,14 @@ SYSCALL_DEFINE3(sched_getaffinity, pid_t, pid, unsigned int, len,
+ if (len & (sizeof(unsigned long)-1))
+ return -EINVAL;
+
+- if (!alloc_cpumask_var(&mask, GFP_KERNEL))
++ if (!zalloc_cpumask_var(&mask, GFP_KERNEL))
+ return -ENOMEM;
+
+ ret = sched_getaffinity(pid, mask);
+ if (ret == 0) {
+ unsigned int retlen = min(len, cpumask_size());
+
+- if (copy_to_user(user_mask_ptr, mask, retlen))
++ if (copy_to_user(user_mask_ptr, cpumask_bits(mask), retlen))
+ ret = -EFAULT;
+ else
+ ret = retlen;
+--
+2.39.2
+
bus-imx-weim-fix-branch-condition-evaluates-to-a-gar.patch
drm-meson-fix-error-handling-when-afbcd.ops-init-fai.patch
drm-meson-fix-missing-component-unbind-on-bind-error.patch
+md-avoid-signed-overflow-in-slot_store.patch
+alsa-asihpi-check-pao-in-control_message.patch
+alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch
+fbdev-tgafb-fix-potential-divide-by-zero.patch
+sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch
+fbdev-nvidia-fix-potential-divide-by-zero.patch
+fbdev-intelfb-fix-potential-divide-by-zero.patch
+fbdev-lxfb-fix-potential-divide-by-zero.patch
+fbdev-au1200fb-fix-potential-divide-by-zero.patch