Fixes for 5.15
authorSasha Levin <sashal@kernel.org>
Mon, 17 Mar 2025 14:33:54 +0000 (10:33 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 17 Mar 2025 14:33:54 +0000 (10:33 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.15/asoc-codecs-wm0010-fix-error-handling-path-in-wm0010.patch [new file with mode: 0644]
queue-5.15/asoc-ops-consistently-treat-platform_max-as-control-.patch [new file with mode: 0644]
queue-5.15/cifs-fix-integer-overflow-while-processing-acdirmax-.patch [new file with mode: 0644]
queue-5.15/cifs-fix-integer-overflow-while-processing-acregmax-.patch [new file with mode: 0644]
queue-5.15/cifs-fix-integer-overflow-while-processing-actimeo-m.patch [new file with mode: 0644]
queue-5.15/cifs-fix-integer-overflow-while-processing-closetime.patch [new file with mode: 0644]
queue-5.15/drm-gma500-add-null-check-for-pci_gfx_root-in-mid_ge.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/asoc-codecs-wm0010-fix-error-handling-path-in-wm0010.patch b/queue-5.15/asoc-codecs-wm0010-fix-error-handling-path-in-wm0010.patch
new file mode 100644 (file)
index 0000000..8b8ac10
--- /dev/null
@@ -0,0 +1,59 @@
+From c29b89bce5256bda0e516a4a671a4ffc354fa2d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 18:45:36 +0100
+Subject: ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ed92bc5264c4357d4fca292c769ea9967cd3d3b6 ]
+
+Free some resources in the error handling path of the probe, as already
+done in the remove function.
+
+Fixes: e3523e01869d ("ASoC: wm0010: Add initial wm0010 DSP driver")
+Fixes: fd8b96574456 ("ASoC: wm0010: Clear IRQ as wake source and include missing header")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/5139ba1ab8c4c157ce04e56096a0f54a1683195c.1741549792.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm0010.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/wm0010.c b/sound/soc/codecs/wm0010.c
+index 28b4656c4e149..b2f87af1bfc87 100644
+--- a/sound/soc/codecs/wm0010.c
++++ b/sound/soc/codecs/wm0010.c
+@@ -952,7 +952,7 @@ static int wm0010_spi_probe(struct spi_device *spi)
+       if (ret) {
+               dev_err(wm0010->dev, "Failed to set IRQ %d as wake source: %d\n",
+                       irq, ret);
+-              return ret;
++              goto free_irq;
+       }
+       if (spi->max_speed_hz)
+@@ -964,9 +964,18 @@ static int wm0010_spi_probe(struct spi_device *spi)
+                                    &soc_component_dev_wm0010, wm0010_dai,
+                                    ARRAY_SIZE(wm0010_dai));
+       if (ret < 0)
+-              return ret;
++              goto disable_irq_wake;
+       return 0;
++
++disable_irq_wake:
++      irq_set_irq_wake(wm0010->irq, 0);
++
++free_irq:
++      if (wm0010->irq)
++              free_irq(wm0010->irq, wm0010);
++
++      return ret;
+ }
+ static int wm0010_spi_remove(struct spi_device *spi)
+-- 
+2.39.5
+
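Review bot: The new cleanup label `free_irq:` in `wm0010_spi_probe()` has the same name as the `free_irq()` function called two lines below it. C keeps labels in their own namespace, so it compiles, but labels that cannot be mistaken for calls read more clearly, e.g. `err_disable_irq_wake:` and `err_free_irq:`. The `if (wm0010->irq)` guard is only needed if a `goto` can be reached before the IRQ is requested; both jumps added here sit at or after the wake-source setup, so it looks redundant, though the assignment of `wm0010->irq` is outside the hunk and should be confirmed. A short comment above the labels, such as `/* unwind in reverse order of setup: wake source, then IRQ */`, would help keep probe and remove in step.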
diff --git a/queue-5.15/asoc-ops-consistently-treat-platform_max-as-control-.patch b/queue-5.15/asoc-ops-consistently-treat-platform_max-as-control-.patch
new file mode 100644 (file)
index 0000000..7296f64
--- /dev/null
@@ -0,0 +1,106 @@
+From 0ff6175cfdeae8b56a9bb68f57746bec6a53f797 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Feb 2025 15:14:56 +0000
+Subject: ASoC: ops: Consistently treat platform_max as control value
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3 ]
+
+This reverts commit 9bdd10d57a88 ("ASoC: ops: Shift tested values in
+snd_soc_put_volsw() by +min"), and makes some additional related
+updates.
+
+There are two ways the platform_max could be interpreted; the maximum
+register value, or the maximum value the control can be set to. The
+patch moved from treating the value as a control value to a register
+one. When the patch was applied it was technically correct as
+snd_soc_limit_volume() also used the register interpretation. However,
+even then most of the other usages treated platform_max as a
+control value, and snd_soc_limit_volume() has since been updated to
+also do so in commit fb9ad24485087 ("ASoC: ops: add correct range
+check for limiting volume"). That patch however, missed updating
+snd_soc_put_volsw() back to the control interpretation, and fixing
+snd_soc_info_volsw_range(). The control interpretation makes more
+sense as limiting is typically done from the machine driver, so it is
+appropriate to use the customer facing representation rather than the
+internal codec representation. Update all the code to consistently use
+this interpretation of platform_max.
+
+Finally, also add some comments to the soc_mixer_control struct to
+hopefully avoid further patches switching between the two approaches.
+
+Fixes: fb9ad24485087 ("ASoC: ops: add correct range check for limiting volume")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/20250228151456.3703342-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/soc.h |  5 ++++-
+ sound/soc/soc-ops.c | 15 +++++++--------
+ 2 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/include/sound/soc.h b/include/sound/soc.h
+index 3f0369aae2faf..42358dbc19b8c 100644
+--- a/include/sound/soc.h
++++ b/include/sound/soc.h
+@@ -1113,7 +1113,10 @@ void snd_soc_close_delayed_work(struct snd_soc_pcm_runtime *rtd);
+ /* mixer control */
+ struct soc_mixer_control {
+-      int min, max, platform_max;
++      /* Minimum and maximum specified as written to the hardware */
++      int min, max;
++      /* Limited maximum value specified as presented through the control */
++      int platform_max;
+       int reg, rreg;
+       unsigned int shift, rshift;
+       unsigned int sign_bit;
+diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
+index 57caa91a4376e..d8d0a26a554de 100644
+--- a/sound/soc/soc-ops.c
++++ b/sound/soc/soc-ops.c
+@@ -317,7 +317,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
+               mask = BIT(sign_bit + 1) - 1;
+       val = ucontrol->value.integer.value[0];
+-      if (mc->platform_max && ((int)val + min) > mc->platform_max)
++      if (mc->platform_max && val > mc->platform_max)
+               return -EINVAL;
+       if (val > max - min)
+               return -EINVAL;
+@@ -330,7 +330,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
+       val = val << shift;
+       if (snd_soc_volsw_is_stereo(mc)) {
+               val2 = ucontrol->value.integer.value[1];
+-              if (mc->platform_max && ((int)val2 + min) > mc->platform_max)
++              if (mc->platform_max && val2 > mc->platform_max)
+                       return -EINVAL;
+               if (val2 > max - min)
+                       return -EINVAL;
+@@ -485,17 +485,16 @@ int snd_soc_info_volsw_range(struct snd_kcontrol *kcontrol,
+ {
+       struct soc_mixer_control *mc =
+               (struct soc_mixer_control *)kcontrol->private_value;
+-      int platform_max;
+-      int min = mc->min;
++      int max;
+-      if (!mc->platform_max)
+-              mc->platform_max = mc->max;
+-      platform_max = mc->platform_max;
++      max = mc->max - mc->min;
++      if (mc->platform_max && mc->platform_max < max)
++              max = mc->platform_max;
+       uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER;
+       uinfo->count = snd_soc_volsw_is_stereo(mc) ? 2 : 1;
+       uinfo->value.integer.min = 0;
+-      uinfo->value.integer.max = platform_max - min;
++      uinfo->value.integer.max = max;
+       return 0;
+ }
+-- 
+2.39.5
+
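Review bot: The comment added for `platform_max` in `struct soc_mixer_control` does not say that zero means "no limit", yet every new check in `sound/soc/soc-ops.c` depends on that (`mc->platform_max && val > mc->platform_max`, `mc->platform_max && mc->platform_max < max`). Since the patch adds these comments specifically to stop the interpretation from drifting again, the sentinel belongs there too: `/* Limited maximum value specified as presented through the control; 0 means no limit */`. In `snd_soc_put_volsw()` the removed lines cast `val` with `(int)`, which suggests `val` is unsigned. Its declaration is outside the hunk, so it is worth confirming that the now mixed-sign comparison against the `int` field behaves as intended for values written from userspace.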
diff --git a/queue-5.15/cifs-fix-integer-overflow-while-processing-acdirmax-.patch b/queue-5.15/cifs-fix-integer-overflow-while-processing-acdirmax-.patch
new file mode 100644 (file)
index 0000000..d9bb2d9
--- /dev/null
@@ -0,0 +1,44 @@
+From de76c94f1747ce311680b9d693346ba9e794ccb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Mar 2025 17:22:04 +0300
+Subject: cifs: Fix integer overflow while processing acdirmax mount option
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+[ Upstream commit 5b29891f91dfb8758baf1e2217bef4b16b2b165b ]
+
+User-provided mount parameter acdirmax of type u32 is intended to have
+an upper limit, but before it is validated, the value is converted from
+seconds to jiffies which can lead to an integer overflow.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 4c9f948142a5 ("cifs: Add new mount parameter "acdirmax" to allow caching directory metadata")
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/fs_context.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c
+index d86cbed997fdd..9b1c0e0dfc63b 100644
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -1062,11 +1062,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+               ctx->acregmax = HZ * result.uint_32;
+               break;
+       case Opt_acdirmax:
+-              ctx->acdirmax = HZ * result.uint_32;
+-              if (ctx->acdirmax > CIFS_MAX_ACTIMEO) {
++              if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) {
+                       cifs_errorf(fc, "acdirmax too large\n");
+                       goto cifs_parse_mount_err;
+               }
++              ctx->acdirmax = HZ * result.uint_32;
+               break;
+       case Opt_actimeo:
+               if (HZ * result.uint_32 > CIFS_MAX_ACTIMEO) {
+-- 
+2.39.5
+
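Review bot: Nothing in the new `Opt_acdirmax` check says why the limit is divided by `HZ` instead of the value being multiplied, so a later cleanup could restore the `HZ * result.uint_32 > CIFS_MAX_ACTIMEO` form, which the description says can overflow before it is validated. The `Opt_actimeo` context line at the end of this hunk still has that form until the actimeo patch in this series is applied. A one-line comment above the check would pin the intent, for example `/* compare in seconds: HZ * result.uint_32 can wrap before the limit is checked */`. The same applies to the `Opt_acregmax`, `Opt_actimeo` and `Opt_closetimeo` checks in the three following patches; since all four cases repeat one pattern, a small helper taking the limit would keep them from diverging. `smb3_fs_context_parse_param()` starts and ends outside the hunk.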
diff --git a/queue-5.15/cifs-fix-integer-overflow-while-processing-acregmax-.patch b/queue-5.15/cifs-fix-integer-overflow-while-processing-acregmax-.patch
new file mode 100644 (file)
index 0000000..528d60a
--- /dev/null
@@ -0,0 +1,44 @@
+From 2598a57514c71df16f2dd278f84da6cf0dacab9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Mar 2025 17:22:03 +0300
+Subject: cifs: Fix integer overflow while processing acregmax mount option
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+[ Upstream commit 7489161b1852390b4413d57f2457cd40b34da6cc ]
+
+User-provided mount parameter acregmax of type u32 is intended to have
+an upper limit, but before it is validated, the value is converted from
+seconds to jiffies which can lead to an integer overflow.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 5780464614f6 ("cifs: Add new parameter "acregmax" for distinct file and directory metadata timeout")
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/fs_context.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c
+index fb3651513f83a..d86cbed997fdd 100644
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -1055,11 +1055,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+               ctx->got_wsize = true;
+               break;
+       case Opt_acregmax:
+-              ctx->acregmax = HZ * result.uint_32;
+-              if (ctx->acregmax > CIFS_MAX_ACTIMEO) {
++              if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) {
+                       cifs_errorf(fc, "acregmax too large\n");
+                       goto cifs_parse_mount_err;
+               }
++              ctx->acregmax = HZ * result.uint_32;
+               break;
+       case Opt_acdirmax:
+               ctx->acdirmax = HZ * result.uint_32;
+-- 
+2.39.5
+
diff --git a/queue-5.15/cifs-fix-integer-overflow-while-processing-actimeo-m.patch b/queue-5.15/cifs-fix-integer-overflow-while-processing-actimeo-m.patch
new file mode 100644 (file)
index 0000000..e739e35
--- /dev/null
@@ -0,0 +1,39 @@
+From 0318b293e5496c5a848da18f5fa676d391c69e9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Mar 2025 17:22:05 +0300
+Subject: cifs: Fix integer overflow while processing actimeo mount option
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+[ Upstream commit 64f690ee22c99e16084e0e45181b2a1eed2fa149 ]
+
+User-provided mount parameter actimeo of type u32 is intended to have
+an upper limit, but before it is validated, the value is converted from
+seconds to jiffies which can lead to an integer overflow.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 6d20e8406f09 ("cifs: add attribute cache timeout (actimeo) tunable")
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/fs_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c
+index 9b1c0e0dfc63b..f45a29a51700b 100644
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -1069,7 +1069,7 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+               ctx->acdirmax = HZ * result.uint_32;
+               break;
+       case Opt_actimeo:
+-              if (HZ * result.uint_32 > CIFS_MAX_ACTIMEO) {
++              if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) {
+                       cifs_errorf(fc, "timeout too large\n");
+                       goto cifs_parse_mount_err;
+               }
+-- 
+2.39.5
+
diff --git a/queue-5.15/cifs-fix-integer-overflow-while-processing-closetime.patch b/queue-5.15/cifs-fix-integer-overflow-while-processing-closetime.patch
new file mode 100644 (file)
index 0000000..408eba1
--- /dev/null
@@ -0,0 +1,44 @@
+From f53ca0d19310cf462b1d966ca8dda9b82b934d80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Mar 2025 17:22:06 +0300
+Subject: cifs: Fix integer overflow while processing closetimeo mount option
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+[ Upstream commit d5a30fddfe2f2e540f6c43b59cf701809995faef ]
+
+User-provided mount parameter closetimeo of type u32 is intended to have
+an upper limit, but before it is validated, the value is converted from
+seconds to jiffies which can lead to an integer overflow.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 5efdd9122eff ("smb3: allow deferred close timeout to be configurable")
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/fs_context.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c
+index f45a29a51700b..24c42043a2271 100644
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -1081,11 +1081,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+               ctx->acdirmax = ctx->acregmax = HZ * result.uint_32;
+               break;
+       case Opt_closetimeo:
+-              ctx->closetimeo = HZ * result.uint_32;
+-              if (ctx->closetimeo > SMB3_MAX_DCLOSETIMEO) {
++              if (result.uint_32 > SMB3_MAX_DCLOSETIMEO / HZ) {
+                       cifs_errorf(fc, "closetimeo too large\n");
+                       goto cifs_parse_mount_err;
+               }
++              ctx->closetimeo = HZ * result.uint_32;
+               break;
+       case Opt_echo_interval:
+               ctx->echo_interval = result.uint_32;
+-- 
+2.39.5
+
diff --git a/queue-5.15/drm-gma500-add-null-check-for-pci_gfx_root-in-mid_ge.patch b/queue-5.15/drm-gma500-add-null-check-for-pci_gfx_root-in-mid_ge.patch
new file mode 100644 (file)
index 0000000..3c25a30
--- /dev/null
@@ -0,0 +1,47 @@
+From 5877ef5f553bf0e4e0e0ab533b1ba9cedb107fcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Mar 2025 14:20:45 +0300
+Subject: drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data()
+
+From: Ivan Abramov <i.abramov@mt-integration.ru>
+
+[ Upstream commit 9af152dcf1a06f589f44a74da4ad67e365d4db9a ]
+
+Since pci_get_domain_bus_and_slot() can return NULL, add NULL check for
+pci_gfx_root in the mid_get_vbt_data().
+
+This change is similar to the checks implemented in mid_get_fuse_settings()
+and mid_get_pci_revID(), which were introduced by commit 0cecdd818cd7
+("gma500: Final enables for Oaktrail") as "additional minor
+bulletproofing".
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: f910b411053f ("gma500: Add the glue to the various BIOS and firmware interfaces")
+Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250306112046.17144-1-i.abramov@mt-integration.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/mid_bios.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/gma500/mid_bios.c b/drivers/gpu/drm/gma500/mid_bios.c
+index 68e787924ed04..1ba33f9518da2 100644
+--- a/drivers/gpu/drm/gma500/mid_bios.c
++++ b/drivers/gpu/drm/gma500/mid_bios.c
+@@ -280,6 +280,11 @@ static void mid_get_vbt_data(struct drm_psb_private *dev_priv)
+                                           0, PCI_DEVFN(2, 0));
+       int ret = -1;
++      if (pci_gfx_root == NULL) {
++              WARN_ON(1);
++              return;
++      }
++
+       /* Get the address of the platform config vbt */
+       pci_read_config_dword(pci_gfx_root, 0xFC, &addr);
+       pci_dev_put(pci_gfx_root);
+-- 
+2.39.5
+
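Review bot: The new NULL branch in `mid_get_vbt_data()` reports the failure only through a bare `WARN_ON(1)`, which prints a backtrace without saying what was missing, and on a system running with `panic_on_warn` it turns a failed device lookup into a halt. If the lookup can fail on real hardware (the page does not show when `pci_get_domain_bus_and_slot()` returns NULL here), a logged error and a plain return would be the more fitting response; at the least the check can be written as `if (WARN_ON(!pci_gfx_root)) return;`. The function returns void, so callers cannot tell that the VBT address was never read, and a comment on the early return should say what state they are left with. The rest of the function body is outside the hunk.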
index 69186454e65004f5ea331a08e299d65616f83f67..a01a39c4b7ca654b975fabbc09c5022fced44fd2 100644 (file)
@@ -62,3 +62,10 @@ drm-amd-display-fix-slab-use-after-free-on-hdcp_work.patch
 qlcnic-fix-memory-leak-issues-in-qlcnic_sriov_common.c.patch
 lib-buildid-handle-memfd_secret-files-in-build_id_parse.patch
 tcp-fix-races-in-tcp_abort.patch
+asoc-ops-consistently-treat-platform_max-as-control-.patch
+drm-gma500-add-null-check-for-pci_gfx_root-in-mid_ge.patch
+asoc-codecs-wm0010-fix-error-handling-path-in-wm0010.patch
+cifs-fix-integer-overflow-while-processing-acregmax-.patch
+cifs-fix-integer-overflow-while-processing-acdirmax-.patch
+cifs-fix-integer-overflow-while-processing-actimeo-m.patch
+cifs-fix-integer-overflow-while-processing-closetime.patch