--- /dev/null
+From a3dd4d63eeb452cfb064a13862fb376ab108f6a6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 25 Nov 2024 15:46:16 +0100
+Subject: ALSA: usb-audio: Fix out of bounds reads when finding clock sources
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6 upstream.
+
+The current USB-audio driver code doesn't check bLength of each
+descriptor at traversing for clock descriptors. That is, when a
+device provides a bogus descriptor with a shorter bLength, the driver
+might hit out-of-bounds reads.
+
+For addressing it, this patch adds sanity checks to the validator
+functions for the clock descriptor traversal. When the descriptor
+length is shorter than expected, it's skipped in the loop.
+
+For the clock source and clock multiplier descriptors, we can just
+check bLength against the sizeof() of each descriptor type.
+OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
+of bNrInPins elements and two more fields at its tail, hence those
+have to be checked in addition to the sizeof() check.
+
+Reported-by: Benoît Sevens <bsevens@google.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com
+Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Benoît Sevens <bsevens@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/clock.c | 32 ++++++++++++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -21,6 +21,10 @@
+ #include "clock.h"
+ #include "quirks.h"
+
++/* check whether the descriptor bLength has the minimal length */
++#define DESC_LENGTH_CHECK(p) \
++ (p->bLength >= sizeof(*p))
++
+ static void *find_uac_clock_desc(struct usb_host_interface *iface, int id,
+ bool (*validator)(void *, int), u8 type)
+ {
+@@ -38,36 +42,60 @@ static void *find_uac_clock_desc(struct
+ static bool validate_clock_source_v2(void *p, int id)
+ {
+ struct uac_clock_source_descriptor *cs = p;
++ if (!DESC_LENGTH_CHECK(cs))
++ return false;
+ return cs->bClockID == id;
+ }
+
+ static bool validate_clock_source_v3(void *p, int id)
+ {
+ struct uac3_clock_source_descriptor *cs = p;
++ if (!DESC_LENGTH_CHECK(cs))
++ return false;
+ return cs->bClockID == id;
+ }
+
+ static bool validate_clock_selector_v2(void *p, int id)
+ {
+ struct uac_clock_selector_descriptor *cs = p;
+- return cs->bClockID == id;
++ if (!DESC_LENGTH_CHECK(cs))
++ return false;
++ if (cs->bClockID != id)
++ return false;
++ /* additional length check for baCSourceID array (in bNrInPins size)
++ * and two more fields (which sizes depend on the protocol)
++ */
++ return cs->bLength >= sizeof(*cs) + cs->bNrInPins +
++ 1 /* bmControls */ + 1 /* iClockSelector */;
+ }
+
+ static bool validate_clock_selector_v3(void *p, int id)
+ {
+ struct uac3_clock_selector_descriptor *cs = p;
+- return cs->bClockID == id;
++ if (!DESC_LENGTH_CHECK(cs))
++ return false;
++ if (cs->bClockID != id)
++ return false;
++ /* additional length check for baCSourceID array (in bNrInPins size)
++ * and two more fields (which sizes depend on the protocol)
++ */
++ return cs->bLength >= sizeof(*cs) + cs->bNrInPins +
++ 4 /* bmControls */ + 2 /* wCSelectorDescrStr */;
+ }
+
+ static bool validate_clock_multiplier_v2(void *p, int id)
+ {
+ struct uac_clock_multiplier_descriptor *cs = p;
++ if (!DESC_LENGTH_CHECK(cs))
++ return false;
+ return cs->bClockID == id;
+ }
+
+ static bool validate_clock_multiplier_v3(void *p, int id)
+ {
+ struct uac3_clock_multiplier_descriptor *cs = p;
++ if (!DESC_LENGTH_CHECK(cs))
++ return false;
+ return cs->bClockID == id;
+ }
+
--- /dev/null
+From 3dd075fe8ebbc6fcbf998f81a75b8c4b159a6195 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Fri, 13 Sep 2024 15:06:01 -0300
+Subject: media: uvcvideo: Require entities to have a non-zero unique ID
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit 3dd075fe8ebbc6fcbf998f81a75b8c4b159a6195 upstream.
+
+Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero
+unique ID.
+
+```
+Each Unit and Terminal within the video function is assigned a unique
+identification number, the Unit ID (UID) or Terminal ID (TID), contained in
+the bUnitID or bTerminalID field of the descriptor. The value 0x00 is
+reserved for undefined ID,
+```
+
+So, deny allocating an entity with ID 0 or an ID that belongs to a unit
+that is already added to the list of entities.
+
+This also prevents some syzkaller reproducers from triggering warnings due
+to a chain of entities referring to themselves. In one particular case, an
+Output Unit is connected to an Input Unit, both with the same ID of 1. But
+when looking up for the source ID of the Output Unit, that same entity is
+found instead of the input entity, which leads to such warnings.
+
+In another case, a backward chain was considered finished as the source ID
+was 0. Later on, that entity was found, but its pads were not valid.
+
+Here is a sample stack trace for one of those cases.
+
+[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd
+[ 20.830206] usb 1-1: Using ep0 maxpacket: 8
+[ 20.833501] usb 1-1: config 0 descriptor??
+[ 21.038518] usb 1-1: string descriptor 0 read error: -71
+[ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201)
+[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!
+[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!
+[ 21.042218] ------------[ cut here ]------------
+[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0
+[ 21.043195] Modules linked in:
+[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444
+[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+[ 21.044639] Workqueue: usb_hub_wq hub_event
+[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0
+[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00
+[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246
+[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1
+[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290
+[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000
+[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003
+[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000
+[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
+[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0
+[ 21.051136] PKRU: 55555554
+[ 21.051331] Call Trace:
+[ 21.051480] <TASK>
+[ 21.051611] ? __warn+0xc4/0x210
+[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0
+[ 21.052252] ? report_bug+0x11b/0x1a0
+[ 21.052540] ? trace_hardirqs_on+0x31/0x40
+[ 21.052901] ? handle_bug+0x3d/0x70
+[ 21.053197] ? exc_invalid_op+0x1a/0x50
+[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20
+[ 21.053924] ? media_create_pad_link+0x91/0x2e0
+[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0
+[ 21.054834] ? media_create_pad_link+0x91/0x2e0
+[ 21.055131] ? _raw_spin_unlock+0x1e/0x40
+[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210
+[ 21.055837] uvc_mc_register_entities+0x358/0x400
+[ 21.056144] uvc_register_chains+0x1fd/0x290
+[ 21.056413] uvc_probe+0x380e/0x3dc0
+[ 21.056676] ? __lock_acquire+0x5aa/0x26e0
+[ 21.056946] ? find_held_lock+0x33/0xa0
+[ 21.057196] ? kernfs_activate+0x70/0x80
+[ 21.057533] ? usb_match_dynamic_id+0x1b/0x70
+[ 21.057811] ? find_held_lock+0x33/0xa0
+[ 21.058047] ? usb_match_dynamic_id+0x55/0x70
+[ 21.058330] ? lock_release+0x124/0x260
+[ 21.058657] ? usb_match_one_id_intf+0xa2/0x100
+[ 21.058997] usb_probe_interface+0x1ba/0x330
+[ 21.059399] really_probe+0x1ba/0x4c0
+[ 21.059662] __driver_probe_device+0xb2/0x180
+[ 21.059944] driver_probe_device+0x5a/0x100
+[ 21.060170] __device_attach_driver+0xe9/0x160
+[ 21.060427] ? __pfx___device_attach_driver+0x10/0x10
+[ 21.060872] bus_for_each_drv+0xa9/0x100
+[ 21.061312] __device_attach+0xed/0x190
+[ 21.061812] device_initial_probe+0xe/0x20
+[ 21.062229] bus_probe_device+0x4d/0xd0
+[ 21.062590] device_add+0x308/0x590
+[ 21.062912] usb_set_configuration+0x7b6/0xaf0
+[ 21.063403] usb_generic_driver_probe+0x36/0x80
+[ 21.063714] usb_probe_device+0x7b/0x130
+[ 21.063936] really_probe+0x1ba/0x4c0
+[ 21.064111] __driver_probe_device+0xb2/0x180
+[ 21.064577] driver_probe_device+0x5a/0x100
+[ 21.065019] __device_attach_driver+0xe9/0x160
+[ 21.065403] ? __pfx___device_attach_driver+0x10/0x10
+[ 21.065820] bus_for_each_drv+0xa9/0x100
+[ 21.066094] __device_attach+0xed/0x190
+[ 21.066535] device_initial_probe+0xe/0x20
+[ 21.066992] bus_probe_device+0x4d/0xd0
+[ 21.067250] device_add+0x308/0x590
+[ 21.067501] usb_new_device+0x347/0x610
+[ 21.067817] hub_event+0x156b/0x1e30
+[ 21.068060] ? process_scheduled_works+0x48b/0xaf0
+[ 21.068337] process_scheduled_works+0x5a3/0xaf0
+[ 21.068668] worker_thread+0x3cf/0x560
+[ 21.068932] ? kthread+0x109/0x1b0
+[ 21.069133] kthread+0x197/0x1b0
+[ 21.069343] ? __pfx_worker_thread+0x10/0x10
+[ 21.069598] ? __pfx_kthread+0x10/0x10
+[ 21.069908] ret_from_fork+0x32/0x40
+[ 21.070169] ? __pfx_kthread+0x10/0x10
+[ 21.070424] ret_from_fork_asm+0x1a/0x30
+[ 21.070737] </TASK>
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+0584f746fde3d52b4675@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0584f746fde3d52b4675
+Reported-by: syzbot+dd320d114deb3f5bb79b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=dd320d114deb3f5bb79b
+Fixes: a3fbc2e6bb05 ("media: mc-entity.c: use WARN_ON, validate link pads")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://lore.kernel.org/r/20240913180601.1400596-2-cascardo@igalia.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[ ribalda: The context around the changes differs from master. This
+ version is also missing the gpio unit, so that part is gone from the
+ patch. ]
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 63 ++++++++++++++++++++++---------------
+ 1 file changed, 39 insertions(+), 24 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -1029,14 +1029,27 @@ error:
+ return ret;
+ }
+
+-static struct uvc_entity *uvc_alloc_entity(u16 type, u8 id,
+- unsigned int num_pads, unsigned int extra_size)
++static struct uvc_entity *uvc_alloc_new_entity(struct uvc_device *dev, u16 type,
++ u16 id, unsigned int num_pads,
++ unsigned int extra_size)
+ {
+ struct uvc_entity *entity;
+ unsigned int num_inputs;
+ unsigned int size;
+ unsigned int i;
+
++ /* Per UVC 1.1+ spec 3.7.2, the ID should be non-zero. */
++ if (id == 0) {
++ dev_err(&dev->udev->dev, "Found Unit with invalid ID 0.\n");
++ return ERR_PTR(-EINVAL);
++ }
++
++ /* Per UVC 1.1+ spec 3.7.2, the ID is unique. */
++ if (uvc_entity_by_id(dev, id)) {
++ dev_err(&dev->udev->dev, "Found multiple Units with ID %u\n", id);
++ return ERR_PTR(-EINVAL);
++ }
++
+ extra_size = roundup(extra_size, sizeof(*entity->pads));
+ if (num_pads)
+ num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1;
+@@ -1046,7 +1059,7 @@ static struct uvc_entity *uvc_alloc_enti
+ + num_inputs;
+ entity = kzalloc(size, GFP_KERNEL);
+ if (entity == NULL)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ entity->id = id;
+ entity->type = type;
+@@ -1117,10 +1130,10 @@ static int uvc_parse_vendor_control(stru
+ break;
+ }
+
+- unit = uvc_alloc_entity(UVC_VC_EXTENSION_UNIT, buffer[3],
+- p + 1, 2*n);
+- if (unit == NULL)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, UVC_VC_EXTENSION_UNIT,
++ buffer[3], p + 1, 2 * n);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ memcpy(unit->extension.guidExtensionCode, &buffer[4], 16);
+ unit->extension.bNumControls = buffer[20];
+@@ -1231,10 +1244,10 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- term = uvc_alloc_entity(type | UVC_TERM_INPUT, buffer[3],
+- 1, n + p);
+- if (term == NULL)
+- return -ENOMEM;
++ term = uvc_alloc_new_entity(dev, type | UVC_TERM_INPUT,
++ buffer[3], 1, n + p);
++ if (IS_ERR(term))
++ return PTR_ERR(term);
+
+ if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) {
+ term->camera.bControlSize = n;
+@@ -1290,10 +1303,10 @@ static int uvc_parse_standard_control(st
+ return 0;
+ }
+
+- term = uvc_alloc_entity(type | UVC_TERM_OUTPUT, buffer[3],
+- 1, 0);
+- if (term == NULL)
+- return -ENOMEM;
++ term = uvc_alloc_new_entity(dev, type | UVC_TERM_OUTPUT,
++ buffer[3], 1, 0);
++ if (IS_ERR(term))
++ return PTR_ERR(term);
+
+ memcpy(term->baSourceID, &buffer[7], 1);
+
+@@ -1314,9 +1327,10 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, 0);
+- if (unit == NULL)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3],
++ p + 1, 0);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ memcpy(unit->baSourceID, &buffer[5], p);
+
+@@ -1338,9 +1352,9 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- unit = uvc_alloc_entity(buffer[2], buffer[3], 2, n);
+- if (unit == NULL)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], 2, n);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ memcpy(unit->baSourceID, &buffer[4], 1);
+ unit->processing.wMaxMultiplier =
+@@ -1369,9 +1383,10 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, n);
+- if (unit == NULL)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3],
++ p + 1, n);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ memcpy(unit->extension.guidExtensionCode, &buffer[4], 16);
+ unit->extension.bNumControls = buffer[20];
--- /dev/null
+From 7912405643a14b527cd4a4f33c1d4392da900888 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sun, 1 Dec 2024 12:17:30 +0100
+Subject: modpost: Add .irqentry.text to OTHER_SECTIONS
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 7912405643a14b527cd4a4f33c1d4392da900888 upstream.
+
+The compiler can fully inline the actual handler function of an interrupt
+entry into the .irqentry.text entry point. If such a function contains an
+access which has an exception table entry, modpost complains about a
+section mismatch:
+
+ WARNING: vmlinux.o(__ex_table+0x447c): Section mismatch in reference ...
+
+ The relocation at __ex_table+0x447c references section ".irqentry.text"
+ which is not in the list of authorized sections.
+
+Add .irqentry.text to OTHER_SECTIONS to cure the issue.
+
+Reported-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org # needed for linux-5.4-y
+Link: https://lore.kernel.org/all/20241128111844.GE10431@google.com/
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/mod/modpost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -951,7 +951,7 @@ static void check_section(const char *mo
+ ".kprobes.text", ".cpuidle.text", ".noinstr.text"
+ #define OTHER_TEXT_SECTIONS ".ref.text", ".head.text", ".spinlock.text", \
+ ".fixup", ".entry.text", ".exception.text", ".text.*", \
+- ".coldtext"
++ ".coldtext", ".irqentry.text"
+
+ #define INIT_SECTIONS ".init.*"
+ #define MEM_INIT_SECTIONS ".meminit.*"
--- /dev/null
+From 64f093c4d99d797b68b407a9d8767aadc3e3ea7a Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Thu, 17 Oct 2024 10:58:36 +0900
+Subject: PCI: rockchip-ep: Fix address translation unit programming
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 64f093c4d99d797b68b407a9d8767aadc3e3ea7a upstream.
+
+The Rockchip PCIe endpoint controller handles PCIe transfers addresses
+by masking the lower bits of the programmed PCI address and using the
+same number of lower bits masked from the CPU address space used for the
+mapping. For a PCI mapping of <size> bytes starting from <pci_addr>,
+the number of bits masked is the number of address bits changing in the
+address range [pci_addr..pci_addr + size - 1].
+
+However, rockchip_pcie_prog_ep_ob_atu() calculates num_pass_bits only
+using the size of the mapping, resulting in an incorrect number of mask
+bits depending on the value of the PCI address to map.
+
+Fix this by introducing the helper function
+rockchip_pcie_ep_ob_atu_num_bits() to correctly calculate the number of
+mask bits to use to program the address translation unit. The number of
+mask bits is calculated depending on both the PCI address and size of
+the mapping, and clamped between 8 and 20 using the macros
+ROCKCHIP_PCIE_AT_MIN_NUM_BITS and ROCKCHIP_PCIE_AT_MAX_NUM_BITS. As
+defined in the Rockchip RK3399 TRM V1.3 Part2, Sections 17.5.5.1.1 and
+17.6.8.2.1, this clamping is necessary because:
+
+ 1) The lower 8 bits of the PCI address to be mapped by the outbound
+ region are ignored. So a minimum of 8 address bits are needed and
+ imply that the PCI address must be aligned to 256.
+
+ 2) The outbound memory regions are 1MB in size. So while we can specify
+ up to 63-bits for the PCI address (num_bits filed uses bits 0 to 5 of
+ the outbound address region 0 register), we must limit the number of
+ valid address bits to 20 to match the memory window maximum size (1
+ << 20 = 1MB).
+
+Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
+Link: https://lore.kernel.org/r/20241017015849.190271-2-dlemoal@kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-rockchip-ep.c | 18 +++++++++++++-----
+ drivers/pci/controller/pcie-rockchip.h | 4 ++++
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/controller/pcie-rockchip-ep.c
++++ b/drivers/pci/controller/pcie-rockchip-ep.c
+@@ -67,18 +67,26 @@ static void rockchip_pcie_clear_ep_ob_at
+ ROCKCHIP_PCIE_AT_OB_REGION_CPU_ADDR1(region));
+ }
+
++static int rockchip_pcie_ep_ob_atu_num_bits(struct rockchip_pcie *rockchip,
++ u64 pci_addr, size_t size)
++{
++ int num_pass_bits = fls64(pci_addr ^ (pci_addr + size - 1));
++
++ return clamp(num_pass_bits,
++ ROCKCHIP_PCIE_AT_MIN_NUM_BITS,
++ ROCKCHIP_PCIE_AT_MAX_NUM_BITS);
++}
++
+ static void rockchip_pcie_prog_ep_ob_atu(struct rockchip_pcie *rockchip, u8 fn,
+ u32 r, u32 type, u64 cpu_addr,
+ u64 pci_addr, size_t size)
+ {
+- u64 sz = 1ULL << fls64(size - 1);
+- int num_pass_bits = ilog2(sz);
++ int num_pass_bits;
+ u32 addr0, addr1, desc0, desc1;
+ bool is_nor_msg = (type == AXI_WRAPPER_NOR_MSG);
+
+- /* The minimal region size is 1MB */
+- if (num_pass_bits < 8)
+- num_pass_bits = 8;
++ num_pass_bits = rockchip_pcie_ep_ob_atu_num_bits(rockchip,
++ pci_addr, size);
+
+ cpu_addr -= rockchip->mem_res->start;
+ addr0 = ((is_nor_msg ? 0x10 : (num_pass_bits - 1)) &
+--- a/drivers/pci/controller/pcie-rockchip.h
++++ b/drivers/pci/controller/pcie-rockchip.h
+@@ -241,6 +241,10 @@
+ #define ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP BIT(24)
+ #define ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR 0x1
+ #define ROCKCHIP_PCIE_EP_FUNC_BASE(fn) (((fn) << 12) & GENMASK(19, 12))
++
++#define ROCKCHIP_PCIE_AT_MIN_NUM_BITS 8
++#define ROCKCHIP_PCIE_AT_MAX_NUM_BITS 20
++
+ #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR0(fn, bar) \
+ (PCIE_RC_RP_ATS_BASE + 0x0840 + (fn) * 0x0040 + (bar) * 0x0008)
+ #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR1(fn, bar) \
--- /dev/null
+From zhangzekun11@huawei.com Thu Dec 12 12:44:57 2024
+From: Zhang Zekun <zhangzekun11@huawei.com>
+Date: Wed, 4 Dec 2024 16:23:56 +0800
+Subject: Revert "drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()"
+To: <gregkh@linuxfoundation.org>
+Cc: <cve@kernel.org>, <stable@vger.kernel.org>, <kevinyang.wang@amd.com>, <alexander.deucher@amd.com>, <liuyongqiang13@huawei.com>
+Message-ID: <20241204082356.1048-1-zhangzekun11@huawei.com>
+
+From: Zhang Zekun <zhangzekun11@huawei.com>
+
+This reverts commit 17f5f18085acb5e9d8d13d84a4e12bb3aff2bd64.
+
+The origin mainline patch fix a buffer overflow issue in
+amdgpu_debugfs_gprwave_read(), but it has not been introduced in kernel
+6.1 and older kernels. This patch add a check in a wrong function in the
+same file.
+
+Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+@@ -396,7 +396,7 @@ static ssize_t amdgpu_debugfs_regs_pcie_
+ ssize_t result = 0;
+ int r;
+
+- if (size > 4096 || size & 0x3 || *pos & 0x3)
++ if (size & 0x3 || *pos & 0x3)
+ return -EINVAL;
+
+ r = pm_runtime_get_sync(adev_to_drm(adev)->dev);
--- /dev/null
+From a7d6840bed0c2b16ac3071b74b5fcf08fc488241 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Fri, 20 Aug 2021 16:02:54 +0900
+Subject: scsi: core: Fix scsi_mode_select() buffer length handling
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit a7d6840bed0c2b16ac3071b74b5fcf08fc488241 upstream.
+
+The MODE SELECT(6) command allows handling mode page buffers that are up to
+255 bytes, including the 4 byte header needed in front of the page
+buffer. For requests larger than this limit, automatically use the MODE
+SELECT(10) command.
+
+In both cases, since scsi_mode_select() adds the mode select page header,
+checks on the buffer length value must include this header size to avoid
+overflows of the command CDB allocation length field.
+
+While at it, use put_unaligned_be16() for setting the header block
+descriptor length and CDB allocation length when using MODE SELECT(10).
+
+[mkp: fix MODE SENSE vs. MODE SELECT confusion]
+
+Link: https://lore.kernel.org/r/20210820070255.682775-3-damien.lemoal@wdc.com
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_lib.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -2019,8 +2019,15 @@ scsi_mode_select(struct scsi_device *sde
+ memset(cmd, 0, sizeof(cmd));
+ cmd[1] = (pf ? 0x10 : 0) | (sp ? 0x01 : 0);
+
+- if (sdev->use_10_for_ms) {
+- if (len > 65535)
++ /*
++ * Use MODE SELECT(10) if the device asked for it or if the mode page
++ * and the mode select header cannot fit within the maximumm 255 bytes
++ * of the MODE SELECT(6) command.
++ */
++ if (sdev->use_10_for_ms ||
++ len + 4 > 255 ||
++ data->block_descriptor_length > 255) {
++ if (len > 65535 - 8)
+ return -EINVAL;
+ real_buffer = kmalloc(8 + len, GFP_KERNEL);
+ if (!real_buffer)
+@@ -2033,15 +2040,13 @@ scsi_mode_select(struct scsi_device *sde
+ real_buffer[3] = data->device_specific;
+ real_buffer[4] = data->longlba ? 0x01 : 0;
+ real_buffer[5] = 0;
+- real_buffer[6] = data->block_descriptor_length >> 8;
+- real_buffer[7] = data->block_descriptor_length;
++ put_unaligned_be16(data->block_descriptor_length,
++ &real_buffer[6]);
+
+ cmd[0] = MODE_SELECT_10;
+- cmd[7] = len >> 8;
+- cmd[8] = len;
++ put_unaligned_be16(len, &cmd[7]);
+ } else {
+- if (len > 255 || data->block_descriptor_length > 255 ||
+- data->longlba)
++ if (data->longlba)
+ return -EINVAL;
+
+ real_buffer = kmalloc(4 + len, GFP_KERNEL);
--- /dev/null
+From c749301ebee82eb5e97dec14b6ab31a4aabe37a6 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Fri, 20 Aug 2021 16:02:55 +0900
+Subject: scsi: sd: Fix sd_do_mode_sense() buffer length handling
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit c749301ebee82eb5e97dec14b6ab31a4aabe37a6 upstream.
+
+For devices that explicitly asked for MODE SENSE(10) use, make sure that
+scsi_mode_sense() is called with a buffer of at least 8 bytes so that the
+sense header fits.
+
+Link: https://lore.kernel.org/r/20210820070255.682775-4-damien.lemoal@wdc.com
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2649,6 +2649,13 @@ sd_do_mode_sense(struct scsi_disk *sdkp,
+ unsigned char *buffer, int len, struct scsi_mode_data *data,
+ struct scsi_sense_hdr *sshdr)
+ {
++ /*
++ * If we must use MODE SENSE(10), make sure that the buffer length
++ * is at least 8 bytes so that the mode sense header fits.
++ */
++ if (sdkp->device->use_10_for_ms && len < 8)
++ len = 8;
++
+ return scsi_mode_sense(sdkp->device, dbd, modepage, buffer, len,
+ SD_TIMEOUT, sdkp->max_retries, data,
+ sshdr);
xhci-dbc-fix-stall-transfer-event-handling.patch
drm-amd-display-check-bios-images-before-it-is-used.patch
ocfs2-revert-ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch
+modpost-add-.irqentry.text-to-other_sections.patch
+revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch
+pci-rockchip-ep-fix-address-translation-unit-programming.patch
+scsi-sd-fix-sd_do_mode_sense-buffer-length-handling.patch
+scsi-core-fix-scsi_mode_select-buffer-length-handling.patch
+alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
+media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
