From: Greg Kroah-Hartman
Date: Mon, 26 Feb 2024 10:42:37 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v4.19.308~60
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=06dd40fbd997522f01f998f5da4d29fdb1a62f65;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
dm-crypt-don-t-modify-the-data-when-using-authenticated-encryption.patch
drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch
gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_genl_dump_pdp.patch
kvm-arm64-vgic-its-test-for-valid-irq-in-its_sync_lpi_pending_table.patch
kvm-arm64-vgic-its-test-for-valid-irq-in-movall-handler.patch
platform-x86-intel-vbtn-stop-calling-vbdl-from-notify_handler.patch
platform-x86-touchscreen_dmi-allow-partial-prefix-matches-for-acpi-names.patch
---
diff --git a/queue-5.15/dm-crypt-don-t-modify-the-data-when-using-authenticated-encryption.patch b/queue-5.15/dm-crypt-don-t-modify-the-data-when-using-authenticated-encryption.patch
new file mode 100644
index 00000000000..85bfb9060a6
--- /dev/null
+++ b/queue-5.15/dm-crypt-don-t-modify-the-data-when-using-authenticated-encryption.patch
@@ -0,0 +1,43 @@
+From 50c70240097ce41fe6bce6478b80478281e4d0f7 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Mon, 19 Feb 2024 21:30:10 +0100
+Subject: dm-crypt: don't modify the data when using authenticated encryption
+
+From: Mikulas Patocka
+
+commit 50c70240097ce41fe6bce6478b80478281e4d0f7 upstream.
+
+It was said that authenticated encryption could produce invalid tag when
+the data that is being encrypted is modified [1]. So, fix this problem by
+copying the data into the clone bio first and then encrypt them inside the
+clone bio.
+
+This may reduce performance, but it is needed to prevent the user from
+corrupting the device by writing data with O_DIRECT and modifying them at
+the same time.
+
+[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-crypt.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -2065,6 +2065,12 @@ static void kcryptd_crypt_write_convert(
+ io->ctx.bio_out = clone;
+ io->ctx.iter_out = clone->bi_iter;
+
++ if (crypt_integrity_aead(cc)) {
++ bio_copy_data(clone, io->base_bio);
++ io->ctx.bio_in = clone;
++ io->ctx.iter_in = clone->bi_iter;
++ }
++
+ sector += bio_sectors(clone);
+
+ crypt_inc_pending(io);
diff --git a/queue-5.15/drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch b/queue-5.15/drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch
new file mode 100644
index 00000000000..3c8f6233ce8
--- /dev/null
+++ b/queue-5.15/drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch
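Review bot: The added `if (crypt_integrity_aead(cc))` block in kcryptd_crypt_write_convert() carries no comment, so nothing in the code says why the AEAD path copies the payload into the clone before encrypting. Per the commit message the copy is what keeps a writer that changes an O_DIRECT buffer during the write from leaving a tag that does not match the stored data, so it should not be removed later as a performance cleanup. I would add above the block `/* AEAD: encrypt in place in the clone; the submitter may still modify base_bio's pages, which would leave an invalid tag */`. The function body continues outside the hunk.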
@@ -0,0 +1,49 @@
+From 40510a941d27d405a82dc3320823d875f94625df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?=
+Date: Wed, 21 Feb 2024 08:33:24 +0100
+Subject: drm/ttm: Fix an invalid freeing on already freed page in error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Hellström
+
+commit 40510a941d27d405a82dc3320823d875f94625df upstream.
+
+If caching mode change fails due to, for example, OOM we
+free the allocated pages in a two-step process. First the pages
+for which the caching change has already succeeded. Secondly
+the pages for which a caching change did not succeed.
+
+However the second step was incorrectly freeing the pages already
+freed in the first step.
+
+Fix.
+
+Signed-off-by: Thomas Hellström
+Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error path")
+Cc: Christian König
+Cc: Dave Airlie
+Cc: Christian Koenig
+Cc: Huang Rui
+Cc: dri-devel@lists.freedesktop.org
+Cc: # v6.4+
+Reviewed-by: Matthew Auld
+Reviewed-by: Christian König
+Link: https://patchwork.freedesktop.org/patch/msgid/20240221073324.3303-1-thomas.hellstrom@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/ttm/ttm_pool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_pool.c
++++ b/drivers/gpu/drm/ttm/ttm_pool.c
+@@ -384,7 +384,7 @@ static void ttm_pool_free_range(struct t
+ enum ttm_caching caching,
+ pgoff_t start_page, pgoff_t end_page)
+ {
+- struct page **pages = tt->pages;
++ struct page **pages = &tt->pages[start_page];
+ unsigned int order;
+ pgoff_t i, nr;
+
diff --git a/queue-5.15/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_genl_dump_pdp.patch b/queue-5.15/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_genl_dump_pdp.patch
new file mode 100644
index 00000000000..7e6f87cbc48
--- /dev/null
+++ b/queue-5.15/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_genl_dump_pdp.patch
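Review bot: The queued patch's own trailer limits it to `v6.4+` (the `Cc: # v6.4+` line), yet it is being added to queue-5.15. The hunk context shows ttm_pool_free_range() present in this tree, so 379989e7cbdc was presumably backported, but that should be confirmed before release. The one-line change to `&tt->pages[start_page]` is only correct if the loop, which is outside the hunk, advances `pages` in step with `i` starting from `start_page`.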
@@ -0,0 +1,97 @@
+From 136cfaca22567a03bbb3bf53a43d8cb5748b80ec Mon Sep 17 00:00:00 2001
+From: Vasiliy Kovalev
+Date: Wed, 14 Feb 2024 19:27:33 +0300
+Subject: gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
+
+From: Vasiliy Kovalev
+
+commit 136cfaca22567a03bbb3bf53a43d8cb5748b80ec upstream.
+
+The gtp_net_ops pernet operations structure for the subsystem must be
+registered before registering the generic netlink family.
+
+Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:
+
+general protection fault, probably for non-canonical address
+0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI
+KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+CPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014
+RIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]
+Code: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86
+ df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>
+ 3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74
+RSP: 0018:ffff888014107220 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000
+FS: 00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0
+PKRU: 55555554
+Call Trace:
+
+ ? show_regs+0x90/0xa0
+ ? die_addr+0x50/0xd0
+ ? exc_general_protection+0x148/0x220
+ ? asm_exc_general_protection+0x22/0x30
+ ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]
+ ? __alloc_skb+0x1dd/0x350
+ ? __pfx___alloc_skb+0x10/0x10
+ genl_dumpit+0x11d/0x230
+ netlink_dump+0x5b9/0xce0
+ ? lockdep_hardirqs_on_prepare+0x253/0x430
+ ? __pfx_netlink_dump+0x10/0x10
+ ? kasan_save_track+0x10/0x40
+ ? __kasan_kmalloc+0x9b/0xa0
+ ? genl_start+0x675/0x970
+ __netlink_dump_start+0x6fc/0x9f0
+ genl_family_rcv_msg_dumpit+0x1bb/0x2d0
+ ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10
+ ? genl_op_from_small+0x2a/0x440
+ ? cap_capable+0x1d0/0x240
+ ? __pfx_genl_start+0x10/0x10
+ ? __pfx_genl_dumpit+0x10/0x10
+ ? __pfx_genl_done+0x10/0x10
+ ? security_capable+0x9d/0xe0
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasiliy Kovalev
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Link: https://lore.kernel.org/r/20240214162733.34214-1-kovalev@altlinux.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/gtp.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -1426,20 +1426,20 @@ static int __init gtp_init(void)
+ if (err < 0)
+ goto error_out;
+
+- err = genl_register_family(>p_genl_family);
++ err = register_pernet_subsys(>p_net_ops);
+ if (err < 0)
+ goto unreg_rtnl_link;
+
+- err = register_pernet_subsys(>p_net_ops);
++ err = genl_register_family(>p_genl_family);
+ if (err < 0)
+- goto unreg_genl_family;
++ goto unreg_pernet_subsys;
+
+ pr_info("GTP module loaded (pdp ctx size %zd bytes)\n",
+ sizeof(struct pdp_ctx));
+ return 0;
+
+-unreg_genl_family:
+- genl_unregister_family(>p_genl_family);
++unreg_pernet_subsys:
++ unregister_pernet_subsys(>p_net_ops);
+ unreg_rtnl_link:
+ rtnl_link_unregister(>p_link_ops);
+ error_out:
diff --git a/queue-5.15/kvm-arm64-vgic-its-test-for-valid-irq-in-its_sync_lpi_pending_table.patch b/queue-5.15/kvm-arm64-vgic-its-test-for-valid-irq-in-its_sync_lpi_pending_table.patch
new file mode 100644
index 00000000000..20f1b4aae33
--- /dev/null
+++ b/queue-5.15/kvm-arm64-vgic-its-test-for-valid-irq-in-its_sync_lpi_pending_table.patch
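Review bot: The reordered gtp_init() still appears to leave one registration ahead of `register_pernet_subsys()`: the `unreg_rtnl_link` label and the `goto error_out` before the first changed line indicate that the rtnl link ops are registered first, although that call is above the hunk. If so, a link-creation request can reach the driver before its per-netns state exists, which is the same ordering problem this patch fixes for the generic netlink dump path. Registering the pernet subsystem first and unwinding in reverse order would cover both paths. The start of gtp_init() is outside the hunk, so the placement below needs checking against the full function.

```c
	/* … unchanged: whatever precedes the first registration in gtp_init() … */
	err = register_pernet_subsys(&gtp_net_ops);
	if (err < 0)
		goto error_out;

	err = rtnl_link_register(&gtp_link_ops);
	if (err < 0)
		goto unreg_pernet_subsys;

	err = genl_register_family(&gtp_genl_family);
	if (err < 0)
		goto unreg_rtnl_link;

	/* … unchanged: pr_info() and return 0 … */

unreg_rtnl_link:
	rtnl_link_unregister(&gtp_link_ops);
unreg_pernet_subsys:
	unregister_pernet_subsys(&gtp_net_ops);
error_out:
```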
@@ -0,0 +1,36 @@
+From 8d3a7dfb801d157ac423261d7cd62c33e95375f8 Mon Sep 17 00:00:00 2001
+From: Oliver Upton
+Date: Wed, 21 Feb 2024 09:27:31 +0000
+Subject: KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table()
+
+From: Oliver Upton
+
+commit 8d3a7dfb801d157ac423261d7cd62c33e95375f8 upstream.
+
+vgic_get_irq() may not return a valid descriptor if there is no ITS that
+holds a valid translation for the specified INTID. If that is the case,
+it is safe to silently ignore it and continue processing the LPI pending
+table.
+
+Cc: stable@vger.kernel.org
+Fixes: 33d3bc9556a7 ("KVM: arm64: vgic-its: Read initial LPI pending table")
+Signed-off-by: Oliver Upton
+Link: https://lore.kernel.org/r/20240221092732.4126848-2-oliver.upton@linux.dev
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kvm/vgic/vgic-its.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm64/kvm/vgic/vgic-its.c
++++ b/arch/arm64/kvm/vgic/vgic-its.c
+@@ -462,6 +462,9 @@ static int its_sync_lpi_pending_table(st
+ }
+
+ irq = vgic_get_irq(vcpu->kvm, NULL, intids[i]);
++ if (!irq)
++ continue;
++
+ raw_spin_lock_irqsave(&irq->irq_lock, flags);
+ irq->pending_latch = pendmask & (1U << bit_nr);
+ vgic_queue_irq_unlock(vcpu->kvm, irq, flags);
diff --git a/queue-5.15/kvm-arm64-vgic-its-test-for-valid-irq-in-movall-handler.patch b/queue-5.15/kvm-arm64-vgic-its-test-for-valid-irq-in-movall-handler.patch
new file mode 100644
index 00000000000..6251e959245
--- /dev/null
+++ b/queue-5.15/kvm-arm64-vgic-its-test-for-valid-irq-in-movall-handler.patch
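Review bot: The new `if (!irq) continue;` in its_sync_lpi_pending_table() has no comment, and the same bare check is added to vgic_its_cmd_handle_movall() in the next patch of this commit. According to the two commit messages a NULL return from vgic_get_irq() is an expected state here rather than an error (no ITS holds a translation for the INTID, or the LPI was unmapped during MOVALL), which a reader of the loop cannot tell from the code. I would add `/* No ITS maps this INTID (any more): nothing to sync, skip it */` above the check, and the equivalent in the MOVALL loop. Both loops continue outside their hunks.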
@@ -0,0 +1,35 @@
+From 85a71ee9a0700f6c18862ef3b0011ed9dad99aca Mon Sep 17 00:00:00 2001
+From: Oliver Upton
+Date: Wed, 21 Feb 2024 09:27:32 +0000
+Subject: KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler
+
+From: Oliver Upton
+
+commit 85a71ee9a0700f6c18862ef3b0011ed9dad99aca upstream.
+
+It is possible that an LPI mapped in a different ITS gets unmapped while
+handling the MOVALL command. If that is the case, there is no state that
+can be migrated to the destination. Silently ignore it and continue
+migrating other LPIs.
+
+Cc: stable@vger.kernel.org
+Fixes: ff9c114394aa ("KVM: arm/arm64: GICv4: Handle MOVALL applied to a vPE")
+Signed-off-by: Oliver Upton
+Link: https://lore.kernel.org/r/20240221092732.4126848-3-oliver.upton@linux.dev
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kvm/vgic/vgic-its.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kvm/vgic/vgic-its.c
++++ b/arch/arm64/kvm/vgic/vgic-its.c
+@@ -1374,6 +1374,8 @@ static int vgic_its_cmd_handle_movall(st
+
+ for (i = 0; i < irq_count; i++) {
+ irq = vgic_get_irq(kvm, NULL, intids[i]);
++ if (!irq)
++ continue;
+
+ update_affinity(irq, vcpu2);
+
diff --git a/queue-5.15/platform-x86-intel-vbtn-stop-calling-vbdl-from-notify_handler.patch b/queue-5.15/platform-x86-intel-vbtn-stop-calling-vbdl-from-notify_handler.patch
new file mode 100644
index 00000000000..c4d1d760470
--- /dev/null
+++ b/queue-5.15/platform-x86-intel-vbtn-stop-calling-vbdl-from-notify_handler.patch
@@ -0,0 +1,55 @@
+From 84c16d01ff219bc0a5dca5219db6b8b86a6854fb Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Fri, 16 Feb 2024 21:33:00 +0100
+Subject: platform/x86: intel-vbtn: Stop calling "VBDL" from notify_handler
+
+From: Hans de Goede
+
+commit 84c16d01ff219bc0a5dca5219db6b8b86a6854fb upstream.
+
+Commit 14c200b7ca46 ("platform/x86: intel-vbtn: Fix missing
+tablet-mode-switch events") causes 2 issues on the ThinkPad X1 Tablet Gen2:
+
+1. The ThinkPad will wake up immediately from suspend
+2. When put in tablet mode SW_TABLET_MODE reverts to 0 after about 1 second
+
+Both these issues are caused by the "VBDL" ACPI method call added
+at the end of the notify_handler.
+
+And it never became entirely clear if this call is even necessary to fix
+the issue of missing tablet-mode-switch events on the Dell Inspiron 7352.
+
+Drop the "VBDL" ACPI method call again to fix the 2 issues this is
+causing on the ThinkPad X1 Tablet Gen2.
+
+Fixes: 14c200b7ca46 ("platform/x86: intel-vbtn: Fix missing tablet-mode-switch events")
+Reported-by: Alexander Kobel
+Closes: https://lore.kernel.org/platform-driver-x86/295984ce-bd4b-49bd-adc5-ffe7c898d7f0@a-kobel.de/
+Cc: regressions@lists.linux.dev
+Cc: Arnold Gozum
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede
+Tested-by: Alexander Kobel
+Link: https://lore.kernel.org/r/20240216203300.245826-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/intel/vbtn.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/platform/x86/intel/vbtn.c b/drivers/platform/x86/intel/vbtn.c
+index 210b0a81b7ec..084c355c86f5 100644
+--- a/drivers/platform/x86/intel/vbtn.c
++++ b/drivers/platform/x86/intel/vbtn.c
+@@ -200,9 +200,6 @@ static void notify_handler(acpi_handle handle, u32 event, void *context)
+ autorelease = val && (!ke_rel || ke_rel->type == KE_IGNORE);
+
+ sparse_keymap_report_event(input_dev, event, val, autorelease);
+-
+- /* Some devices need this to report further events */
+- acpi_evaluate_object(handle, "VBDL", NULL, NULL);
+ }
+
+ /*
+--
+2.44.0
+
diff --git a/queue-5.15/platform-x86-touchscreen_dmi-allow-partial-prefix-matches-for-acpi-names.patch b/queue-5.15/platform-x86-touchscreen_dmi-allow-partial-prefix-matches-for-acpi-names.patch
new file mode 100644
index 00000000000..a91da59ef66
--- /dev/null
+++ b/queue-5.15/platform-x86-touchscreen_dmi-allow-partial-prefix-matches-for-acpi-names.patch
@@ -0,0 +1,58 @@
+From dbcbfd662a725641d118fb3ae5ffb7be4e3d0fb0 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Mon, 12 Feb 2024 13:06:07 +0100
+Subject: platform/x86: touchscreen_dmi: Allow partial (prefix) matches for ACPI names
+
+From: Hans de Goede
+
+commit dbcbfd662a725641d118fb3ae5ffb7be4e3d0fb0 upstream.
+
+On some devices the ACPI name of the touchscreen is e.g. either
+MSSL1680:00 or MSSL1680:01 depending on the BIOS version.
+
+This happens for example on the "Chuwi Hi8 Air" tablet where the initial
+commit's ts_data uses "MSSL1680:00" but the tablets from the github issue
+and linux-hardware.org probe linked below both use "MSSL1680:01".
+
+Replace the strcmp() match on ts_data->acpi_name with a strstarts()
+check to allow using a partial match on just the ACPI HID of "MSSL1680"
+and change the ts_data->acpi_name for the "Chuwi Hi8 Air" accordingly
+to fix the touchscreen not working on models where it is "MSSL1680:01".
+
+Note this drops the length check for I2C_NAME_SIZE. This never was
+necessary since the ACPI names used are never more then 11 chars and
+I2C_NAME_SIZE is 20 so the replaced strncmp() would always stop long
+before reaching I2C_NAME_SIZE.
+
+Link: https://linux-hardware.org/?computer=AC4301C0542A
+Fixes: bbb97d728f77 ("platform/x86: touchscreen_dmi: Add info for the Chuwi Hi8 Air tablet")
+Closes: https://github.com/onitake/gsl-firmware/issues/91
+Cc: stable@vger.kernel.org
+Reviewed-by: Kuppuswamy Sathyanarayanan
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20240212120608.30469-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/touchscreen_dmi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/platform/x86/touchscreen_dmi.c
++++ b/drivers/platform/x86/touchscreen_dmi.c
+@@ -50,7 +50,7 @@ static const struct property_entry chuwi
+ };
+
+ static const struct ts_dmi_data chuwi_hi8_air_data = {
+- .acpi_name = "MSSL1680:00",
++ .acpi_name = "MSSL1680",
+ .properties = chuwi_hi8_air_props,
+ };
+
+@@ -1745,7 +1745,7 @@ static void ts_dmi_add_props(struct i2c_
+ int error;
+
+ if (has_acpi_companion(dev) &&
+- !strncmp(ts_data->acpi_name, client->name, I2C_NAME_SIZE)) {
++ strstarts(client->name, ts_data->acpi_name)) {
+ error = device_create_managed_software_node(dev, ts_data->properties, NULL);
+ if (error)
+ dev_err(dev, "failed to add properties: %d\n", error);
diff --git a/queue-5.15/series b/queue-5.15/series
index 1494b1d25ba..11ec8cbe6eb 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
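Review bot: `strstarts(client->name, ts_data->acpi_name)` in ts_dmi_add_props() is an unanchored prefix match, so `"MSSL1680"` accepts any client name that merely begins with those characters, and an empty `acpi_name` in any ts_dmi_data entry would now match every I2C client with an ACPI companion where the old strncmp() matched none. If only the `:NN` instance suffix is meant to vary, require a delimiter after the prefix: `size_t n = strlen(ts_data->acpi_name);` and then `strstarts(client->name, ts_data->acpi_name) && (client->name[n] == ':' || client->name[n] == '\0')`. The rest of the ts_dmi_data table is outside the hunk, so whether any entry depends on a looser match cannot be seen here.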
@@ -75,3 +75,10 @@ ksmbd-free-aux-buffer-if-ksmbd_iov_pin_rsp_read-fail.patch
 pmdomain-renesas-r8a77980-sysc-cr7-must-be-always-on.patch
 erofs-fix-lz4-inplace-decompression.patch
 ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-error.patch
+drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch
+dm-crypt-don-t-modify-the-data-when-using-authenticated-encryption.patch
+platform-x86-intel-vbtn-stop-calling-vbdl-from-notify_handler.patch
+platform-x86-touchscreen_dmi-allow-partial-prefix-matches-for-acpi-names.patch
+kvm-arm64-vgic-its-test-for-valid-irq-in-movall-handler.patch
+kvm-arm64-vgic-its-test-for-valid-irq-in-its_sync_lpi_pending_table.patch
+gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_genl_dump_pdp.patch