From: Greg Kroah-Hartman Date: Tue, 7 Mar 2023 16:19:09 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v6.2.3~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=16dfe5552cce1dc9daed22e5838dc8b03d77e26f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: drm-i915-quirks-add-inverted-backlight-quirk-for-hp-14-r206nv.patch drm-radeon-fix-edp-for-single-display-imac11-2.patch pci-avoid-flr-for-amd-fch-ahci-adapters.patch pci-hotplug-allow-marking-devices-as-disconnected-during-bind-unbind.patch pci-pm-observe-reset-delay-irrespective-of-bridge_d3.patch scsi-ses-don-t-attach-if-enclosure-has-no-components.patch scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch
---
diff --git a/queue-5.4/drm-i915-quirks-add-inverted-backlight-quirk-for-hp-14-r206nv.patch b/queue-5.4/drm-i915-quirks-add-inverted-backlight-quirk-for-hp-14-r206nv.patch
new file mode 100644
index 00000000000..ebd3878e62a
--- /dev/null
+++ b/queue-5.4/drm-i915-quirks-add-inverted-backlight-quirk-for-hp-14-r206nv.patch
@@ -0,0 +1,36 @@
+From 5e438bf7f9a1705ebcae5fa89cdbfbc6932a7871 Mon Sep 17 00:00:00 2001
+From: Mavroudis Chatzilaridis
+Date: Wed, 1 Feb 2023 18:51:25 +0000
+Subject: drm/i915/quirks: Add inverted backlight quirk for HP 14-r206nv
+
+From: Mavroudis Chatzilaridis
+
+commit 5e438bf7f9a1705ebcae5fa89cdbfbc6932a7871 upstream.
+
+This laptop uses inverted backlight PWM. Thus, without this quirk,
+backlight brightness decreases as the brightness value increases and
+vice versa.
+
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/8013
+Cc: stable@vger.kernel.org
+Signed-off-by: Mavroudis Chatzilaridis
+Reviewed-by: Jani Nikula
+Signed-off-by: Jani Nikula
+Link: https://patchwork.freedesktop.org/patch/msgid/20230201184947.8835-1-mavchatz@protonmail.com
+(cherry picked from commit 83e7d6fd330d413cb2064e680ffea91b0512a520)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/display/intel_quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_quirks.c
++++ b/drivers/gpu/drm/i915/display/intel_quirks.c
+@@ -149,6 +149,8 @@ static struct intel_quirk intel_quirks[]
+ /* ECS Liva Q2 */
+ { 0x3185, 0x1019, 0xa94d, quirk_increase_ddi_disabled_time },
+ { 0x3184, 0x1019, 0xa94d, quirk_increase_ddi_disabled_time },
++ /* HP Notebook - 14-r206nv */
++ { 0x0f31, 0x103c, 0x220f, quirk_invert_brightness },
+ };
+
+ void intel_init_quirks(struct drm_i915_private *i915)
diff --git a/queue-5.4/drm-radeon-fix-edp-for-single-display-imac11-2.patch b/queue-5.4/drm-radeon-fix-edp-for-single-display-imac11-2.patch
new file mode 100644
index 00000000000..d36f7f3252c
--- /dev/null
+++ b/queue-5.4/drm-radeon-fix-edp-for-single-display-imac11-2.patch
@@ -0,0 +1,46 @@
+From 05eacc198c68cbb35a7281ce4011f8899ee1cfb8 Mon Sep 17 00:00:00 2001
+From: Mark Hawrylak
+Date: Sun, 19 Feb 2023 16:02:00 +1100
+Subject: drm/radeon: Fix eDP for single-display iMac11,2
+
+From: Mark Hawrylak
+
+commit 05eacc198c68cbb35a7281ce4011f8899ee1cfb8 upstream.
+
+Apple iMac11,2 (mid 2010) also with Radeon HD-4670 that has the same
+issue as iMac10,1 (late 2009) where the internal eDP panel stays dark on
+driver load. This patch treats iMac11,2 the same as iMac10,1,
+so the eDP panel stays active.
+
+Additional steps:
+Kernel boot parameter radeon.nomodeset=0 required to keep the eDP
+panel active.
+
+This patch is an extension of
+commit 564d8a2cf3ab ("drm/radeon: Fix eDP for single-display iMac10,1 (v2)")
+Link: https://lore.kernel.org/all/lsq.1507553064.833262317@decadent.org.uk/
+Signed-off-by: Mark Hawrylak
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/radeon/atombios_encoders.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/atombios_encoders.c
++++ b/drivers/gpu/drm/radeon/atombios_encoders.c
+@@ -2192,11 +2192,12 @@ int radeon_atom_pick_dig_encoder(struct
+
+ /*
+ * On DCE32 any encoder can drive any block so usually just use crtc id,
+- * but Apple thinks different at least on iMac10,1, so there use linkb,
++ * but Apple thinks different at least on iMac10,1 and iMac11,2, so there use linkb,
+ * otherwise the internal eDP panel will stay dark.
+ */
+ if (ASIC_IS_DCE32(rdev)) {
+- if (dmi_match(DMI_PRODUCT_NAME, "iMac10,1"))
++ if (dmi_match(DMI_PRODUCT_NAME, "iMac10,1") ||
++ dmi_match(DMI_PRODUCT_NAME, "iMac11,2"))
+ enc_idx = (dig->linkb) ? 1 : 0;
+ else
+ enc_idx = radeon_crtc->crtc_id;
diff --git a/queue-5.4/pci-avoid-flr-for-amd-fch-ahci-adapters.patch b/queue-5.4/pci-avoid-flr-for-amd-fch-ahci-adapters.patch
new file mode 100644
index 00000000000..e0863f5772a
--- /dev/null
+++ b/queue-5.4/pci-avoid-flr-for-amd-fch-ahci-adapters.patch
@@ -0,0 +1,48 @@
+From 63ba51db24ed1b8f8088a897290eb6c036c5435d Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Sat, 28 Jan 2023 10:39:51 +0900
+Subject: PCI: Avoid FLR for AMD FCH AHCI adapters
+
+From: Damien Le Moal
+
+commit 63ba51db24ed1b8f8088a897290eb6c036c5435d upstream.
+
+PCI passthrough to VMs does not work with AMD FCH AHCI adapters: the guest
+OS fails to correctly probe devices attached to the controller due to FIS
+communication failures:
+
+ ata4: softreset failed (1st FIS failed)
+ ...
+ ata4.00: qc timeout after 5000 msecs (cmd 0xec)
+ ata4.00: failed to IDENTIFY (I/O error, err_mask=0x4)
+
+Forcing the "bus" reset method before unbinding & binding the adapter to
+the vfio-pci driver solves this issue, e.g.:
+
+ echo "bus" > /sys/bus/pci/devices//reset_method
+
+gives a working guest OS, indicating that the default FLR reset method
+doesn't work correctly.
+
+Apply quirk_no_flr() to AMD FCH AHCI devices to work around this issue.
+
+Link: https://lore.kernel.org/r/20230128013951.523247-1-damien.lemoal@opensource.wdc.com
+Reported-by: Niklas Cassel
+Signed-off-by: Damien Le Moal
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -5338,6 +5338,7 @@ static void quirk_no_flr(struct pci_dev
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_AMD, 0x1487, quirk_no_flr);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_AMD, 0x148c, quirk_no_flr);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_AMD, 0x149c, quirk_no_flr);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_AMD, 0x7901, quirk_no_flr);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x1502, quirk_no_flr);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x1503, quirk_no_flr);
+
diff --git a/queue-5.4/pci-hotplug-allow-marking-devices-as-disconnected-during-bind-unbind.patch b/queue-5.4/pci-hotplug-allow-marking-devices-as-disconnected-during-bind-unbind.patch
new file mode 100644
index 00000000000..36bc4ff7bf7
--- /dev/null
+++ b/queue-5.4/pci-hotplug-allow-marking-devices-as-disconnected-during-bind-unbind.patch
@@ -0,0 +1,136 @@
+From 74ff8864cc842be994853095dba6db48e716400a Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Fri, 20 Jan 2023 10:19:02 +0100
+Subject: PCI: hotplug: Allow marking devices as disconnected during bind/unbind
+
+From: Lukas Wunner
+
+commit 74ff8864cc842be994853095dba6db48e716400a upstream.
+
+On surprise removal, pciehp_unconfigure_device() and acpiphp's
+trim_stale_devices() call pci_dev_set_disconnected() to mark removed
+devices as permanently offline. Thereby, the PCI core and drivers know
+to skip device accesses.
+
+However pci_dev_set_disconnected() takes the device_lock and thus waits for
+a concurrent driver bind or unbind to complete. As a result, the driver's
+->probe and ->remove hooks have no chance to learn that the device is gone.
+
+That doesn't make any sense, so drop the device_lock and instead use atomic
+xchg() and cmpxchg() operations to update the device state.
+
+As a byproduct, an AB-BA deadlock reported by Anatoli is fixed which occurs
+on surprise removal with AER concurrently performing a bus reset.
+
+AER bus reset:
+
+ INFO: task irq/26-aerdrv:95 blocked for more than 120 seconds.
+ Tainted: G W 6.2.0-rc3-custom-norework-jan11+
+ schedule
+ rwsem_down_write_slowpath
+ down_write_nested
+ pciehp_reset_slot # acquires reset_lock
+ pci_reset_hotplug_slot
+ pci_slot_reset # acquires device_lock
+ pci_bus_error_reset
+ aer_root_reset
+ pcie_do_recovery
+ aer_process_err_devices
+ aer_isr
+
+pciehp surprise removal:
+
+ INFO: task irq/26-pciehp:96 blocked for more than 120 seconds.
+ Tainted: G W 6.2.0-rc3-custom-norework-jan11+
+ schedule_preempt_disabled
+ __mutex_lock
+ mutex_lock_nested
+ pci_dev_set_disconnected # acquires device_lock
+ pci_walk_bus
+ pciehp_unconfigure_device
+ pciehp_disable_slot
+ pciehp_handle_presence_or_link_change
+ pciehp_ist # acquires reset_lock
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215590
+Fixes: a6bd101b8f84 ("PCI: Unify device inaccessible")
+Link: https://lore.kernel.org/r/3dc88ea82bdc0e37d9000e413d5ebce481cbd629.1674205689.git.lukas@wunner.de
+Reported-by: Anatoli Antonovitch
+Signed-off-by: Lukas Wunner
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org # v4.20+
+Cc: Keith Busch
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/pci.h | 43 +++++++++++++------------------------------
+ 1 file changed, 13 insertions(+), 30 deletions(-)
+
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -346,53 +346,36 @@ struct pci_sriov {
+ * @dev - pci device to set new error_state
+ * @new - the state we want dev to be in
+ *
+- * Must be called with device_lock held.
++ * If the device is experiencing perm_failure, it has to remain in that state.
++ * Any other transition is allowed.
+ *
+ * Returns true if state has been changed to the requested state.
+ */
+ static inline bool pci_dev_set_io_state(struct pci_dev *dev,
+ pci_channel_state_t new)
+ {
+- bool changed = false;
++ pci_channel_state_t old;
+
+- device_lock_assert(&dev->dev);
+ switch (new) {
+ case pci_channel_io_perm_failure:
+- switch (dev->error_state) {
+- case pci_channel_io_frozen:
+- case pci_channel_io_normal:
+- case pci_channel_io_perm_failure:
+- changed = true;
+- break;
+- }
+- break;
++ xchg(&dev->error_state, pci_channel_io_perm_failure);
++ return true;
+ case pci_channel_io_frozen:
+- switch (dev->error_state) {
+- case pci_channel_io_frozen:
+- case pci_channel_io_normal:
+- changed = true;
+- break;
+- }
+- break;
++ old = cmpxchg(&dev->error_state, pci_channel_io_normal,
++ pci_channel_io_frozen);
++ return old != pci_channel_io_perm_failure;
+ case pci_channel_io_normal:
+- switch (dev->error_state) {
+- case pci_channel_io_frozen:
+- case pci_channel_io_normal:
+- changed = true;
+- break;
+- }
+- break;
++ old = cmpxchg(&dev->error_state, pci_channel_io_frozen,
++ pci_channel_io_normal);
++ return old != pci_channel_io_perm_failure;
++ default:
++ return false;
+ }
+- if (changed)
+- dev->error_state = new;
+- return changed;
+ }
+
+ static inline int pci_dev_set_disconnected(struct pci_dev *dev, void *unused)
+ {
+- device_lock(&dev->dev);
+ pci_dev_set_io_state(dev, pci_channel_io_perm_failure);
+- device_unlock(&dev->dev);
+
+ return 0;
+ }
diff --git a/queue-5.4/pci-pm-observe-reset-delay-irrespective-of-bridge_d3.patch b/queue-5.4/pci-pm-observe-reset-delay-irrespective-of-bridge_d3.patch
new file mode 100644
index 00000000000..211e44c2c1d
--- /dev/null
+++ b/queue-5.4/pci-pm-observe-reset-delay-irrespective-of-bridge_d3.patch
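Review bot: The kerneldoc for pci_dev_set_io_state() loses its only concurrency statement when `Must be called with device_lock held` is removed, and the replacement text describes the allowed transitions but not the locking contract. Since the hunk also drops `device_lock_assert()` and the `device_lock()`/`device_unlock()` pair in pci_dev_set_disconnected(), a reader has to infer from the xchg()/cmpxchg() calls that lockless use is intended. I would add one line to the comment, e.g. `* Safe to call without device_lock; the state is updated atomically with xchg()/cmpxchg().` The new `default: return false;` arm silently ignores an unexpected `new` value, which is worth a brief comment as well.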
@@ -0,0 +1,57 @@
+From 8ef0217227b42e2c34a18de316cee3da16c9bf1e Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Sun, 15 Jan 2023 09:20:31 +0100
+Subject: PCI/PM: Observe reset delay irrespective of bridge_d3
+
+From: Lukas Wunner
+
+commit 8ef0217227b42e2c34a18de316cee3da16c9bf1e upstream.
+
+If a PCI bridge is suspended to D3cold upon entering system sleep,
+resuming it entails a Fundamental Reset per PCIe r6.0 sec 5.8.
+
+The delay prescribed after a Fundamental Reset in PCIe r6.0 sec 6.6.1
+is sought to be observed by:
+
+ pci_pm_resume_noirq()
+ pci_pm_bridge_power_up_actions()
+ pci_bridge_wait_for_secondary_bus()
+
+However, pci_bridge_wait_for_secondary_bus() bails out if the bridge_d3
+flag is not set. That flag indicates whether a bridge is allowed to
+suspend to D3cold at *runtime*.
+
+Hence *no* delay is observed on resume from system sleep if runtime
+D3cold is forbidden. That doesn't make any sense, so drop the bridge_d3
+check from pci_bridge_wait_for_secondary_bus().
+
+The purpose of the bridge_d3 check was probably to avoid delays if a
+bridge remained in D0 during suspend. However the sole caller of
+pci_bridge_wait_for_secondary_bus(), pci_pm_bridge_power_up_actions(),
+is only invoked if the previous power state was D3cold. Hence the
+additional bridge_d3 check seems superfluous.
+
+Fixes: ad9001f2f411 ("PCI/PM: Add missing link delays required by the PCIe spec")
+Link: https://lore.kernel.org/r/eb37fa345285ec8bacabbf06b020b803f77bdd3d.1673769517.git.lukas@wunner.de
+Tested-by: Ravi Kishore Koppuravuri
+Signed-off-by: Lukas Wunner
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Mika Westerberg
+Reviewed-by: Kuppuswamy Sathyanarayanan
+Cc: stable@vger.kernel.org # v5.5+
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -4743,7 +4743,7 @@ void pci_bridge_wait_for_secondary_bus(s
+ if (pci_dev_is_disconnected(dev))
+ return;
+
+- if (!pci_is_bridge(dev) || !dev->bridge_d3)
++ if (!pci_is_bridge(dev))
+ return;
+
+ down_read(&pci_bus_sem);
diff --git a/queue-5.4/scsi-ses-don-t-attach-if-enclosure-has-no-components.patch b/queue-5.4/scsi-ses-don-t-attach-if-enclosure-has-no-components.patch
new file mode 100644
index 00000000000..2d1c56fb199
--- /dev/null
+++ b/queue-5.4/scsi-ses-don-t-attach-if-enclosure-has-no-components.patch
@@ -0,0 +1,41 @@
+From 3fe97ff3d94934649abb0652028dd7296170c8d0 Mon Sep 17 00:00:00 2001
+From: James Bottomley
+Date: Sat, 28 Nov 2020 15:27:21 -0800
+Subject: scsi: ses: Don't attach if enclosure has no components
+
+From: James Bottomley
+
+commit 3fe97ff3d94934649abb0652028dd7296170c8d0 upstream.
+
+An enclosure with no components can't usefully be operated by the driver
+(since effectively it has nothing to manage), so report the problem and
+don't attach. Not attaching also fixes an oops which could occur if the
+driver tries to manage a zero component enclosure.
+
+[mkp: Switched to KERN_WARNING since this scenario is common]
+
+Link: https://lore.kernel.org/r/c5deac044ac409e32d9ad9968ce0dcbc996bfc7a.camel@linux.ibm.com
+Cc: stable@vger.kernel.org
+Reported-by: Ding Hui
+Signed-off-by: James Bottomley
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ses.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -704,6 +704,12 @@ static int ses_intf_add(struct device *c
+ type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE)
+ components += type_ptr[1];
+ }
++
++ if (components == 0) {
++ sdev_printk(KERN_WARNING, sdev, "enclosure has no enumerated components\n");
++ goto err_free;
++ }
++
+ ses_dev->page1 = buf;
+ ses_dev->page1_len = len;
+ buf = NULL;
diff --git a/queue-5.4/scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch b/queue-5.4/scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch
new file mode 100644
index 00000000000..2f96d15cf65
--- /dev/null
+++ b/queue-5.4/scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch
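Review bot: The new `components == 0` branch jumps to `err_free` without assigning an error code, so the value ses_intf_add() returns depends on whatever its status variable holds at that point, which is set outside this hunk. If that is still an initial allocation-failure code, an empty enclosure would be reported to the caller as a memory error rather than as an unusable device. Setting it explicitly before the jump, e.g. `err = -ENODEV;` (assuming the local is named `err`, as the label suggests), would make the outcome unambiguous. The function begins and ends outside the hunk, so the cleanup path behind `err_free` is not visible here.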
@@ -0,0 +1,114 @@
+From db95d4df71cb55506425b6e4a5f8d68e3a765b63 Mon Sep 17 00:00:00 2001
+From: Tomas Henzl
+Date: Thu, 2 Feb 2023 17:24:49 +0100
+Subject: scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
+
+From: Tomas Henzl
+
+commit db95d4df71cb55506425b6e4a5f8d68e3a765b63 upstream.
+
+Sanitize possible addl_desc_ptr out-of-bounds accesses in
+ses_enclosure_data_process().
+
+Link: https://lore.kernel.org/r/20230202162451.15346-3-thenzl@redhat.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Tomas Henzl
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ses.c | 35 ++++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 9 deletions(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -433,8 +433,8 @@ int ses_match_host(struct enclosure_devi
+ }
+ #endif /* 0 */
+
+-static void ses_process_descriptor(struct enclosure_component *ecomp,
+- unsigned char *desc)
++static int ses_process_descriptor(struct enclosure_component *ecomp,
++ unsigned char *desc, int max_desc_len)
+ {
+ int eip = desc[0] & 0x10;
+ int invalid = desc[0] & 0x80;
+@@ -445,22 +445,32 @@ static void ses_process_descriptor(struc
+ unsigned char *d;
+
+ if (invalid)
+- return;
++ return 0;
+
+ switch (proto) {
+ case SCSI_PROTOCOL_FCP:
+ if (eip) {
++ if (max_desc_len <= 7)
++ return 1;
+ d = desc + 4;
+ slot = d[3];
+ }
+ break;
+ case SCSI_PROTOCOL_SAS:
++
+ if (eip) {
++ if (max_desc_len <= 27)
++ return 1;
+ d = desc + 4;
+ slot = d[3];
+ d = desc + 8;
+- } else
++ } else {
++ if (max_desc_len <= 23)
++ return 1;
+ d = desc + 4;
++ }
++
++
+ /* only take the phy0 addr */
+ addr = (u64)d[12] << 56 |
+ (u64)d[13] << 48 |
+@@ -477,6 +487,8 @@ static void ses_process_descriptor(struc
+ }
+ ecomp->slot = slot;
+ scomp->addr = addr;
++
++ return 0;
+ }
+
+ struct efd {
+@@ -549,7 +561,7 @@ static void ses_enclosure_data_process(s
+ /* skip past overall descriptor */
+ desc_ptr += len + 4;
+ }
+- if (ses_dev->page10)
++ if (ses_dev->page10 && ses_dev->page10_len > 9)
+ addl_desc_ptr = ses_dev->page10 + 8;
+ type_ptr = ses_dev->page1_types;
+ components = 0;
+@@ -557,6 +569,7 @@ static void ses_enclosure_data_process(s
+ for (j = 0; j < type_ptr[1]; j++) {
+ char *name = NULL;
+ struct enclosure_component *ecomp;
++ int max_desc_len;
+
+ if (desc_ptr) {
+ if (desc_ptr >= buf + page7_len) {
+@@ -583,10 +596,14 @@ static void ses_enclosure_data_process(s
+ ecomp = &edev->component[components++];
+
+ if (!IS_ERR(ecomp)) {
+- if (addl_desc_ptr)
+- ses_process_descriptor(
+- ecomp,
+- addl_desc_ptr);
++ if (addl_desc_ptr) {
++ max_desc_len = ses_dev->page10_len -
++ (addl_desc_ptr - ses_dev->page10);
++ if (ses_process_descriptor(ecomp,
++ addl_desc_ptr,
++ max_desc_len))
++ addl_desc_ptr = NULL;
++ }
+ if (create)
+ enclosure_component_register(
+ ecomp);
diff --git a/queue-5.4/scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch b/queue-5.4/scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch
new file mode 100644
index 00000000000..986e20ad165
--- /dev/null
+++ b/queue-5.4/scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch
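Review bot: The new length guards in ses_process_descriptor() (`max_desc_len <= 7`, `<= 27`, `<= 23`) are bare numbers with no visible link to the reads they protect, which makes them easy to break if the offsets below ever change. From the visible lines, 7 corresponds to `slot = d[3]` with `d = desc + 4`; 27 and 23 presumably cover the highest address byte read through `d` at `desc + 8` and `desc + 4`, but that read is cut off by the hunk. A short comment per check would tie them together, e.g. `/* need desc[0..7]: slot is desc[7] */`. The function also signals a truncated descriptor with `return 1;`, where a negative errno such as `-EINVAL` would match the usual kernel convention and still satisfy the caller's `if (ses_process_descriptor(...))` test. The blank line added after `case SCSI_PROTOCOL_SAS:` and the two after the new `else` block look accidental.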
@@ -0,0 +1,48 @@
+From 801ab13d50cf3d26170ee073ea8bb4eececb76ab Mon Sep 17 00:00:00 2001
+From: Tomas Henzl
+Date: Thu, 2 Feb 2023 17:24:50 +0100
+Subject: scsi: ses: Fix possible desc_ptr out-of-bounds accesses
+
+From: Tomas Henzl
+
+commit 801ab13d50cf3d26170ee073ea8bb4eececb76ab upstream.
+
+Sanitize possible desc_ptr out-of-bounds accesses in
+ses_enclosure_data_process().
+
+Link: https://lore.kernel.org/r/20230202162451.15346-4-thenzl@redhat.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Tomas Henzl
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ses.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -572,15 +572,19 @@ static void ses_enclosure_data_process(s
+ int max_desc_len;
+
+ if (desc_ptr) {
+- if (desc_ptr >= buf + page7_len) {
++ if (desc_ptr + 3 >= buf + page7_len) {
+ desc_ptr = NULL;
+ } else {
+ len = (desc_ptr[2] << 8) + desc_ptr[3];
+ desc_ptr += 4;
+- /* Add trailing zero - pushes into
+- * reserved space */
+- desc_ptr[len] = '\0';
+- name = desc_ptr;
++ if (desc_ptr + len > buf + page7_len)
++ desc_ptr = NULL;
++ else {
++ /* Add trailing zero - pushes into
++ * reserved space */
++ desc_ptr[len] = '\0';
++ name = desc_ptr;
++ }
+ }
+ }
+ if (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
diff --git a/queue-5.4/scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch b/queue-5.4/scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch
new file mode 100644
index 00000000000..d4cf236032d
--- /dev/null
+++ b/queue-5.4/scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch
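Review bot: The inner check `desc_ptr + len > buf + page7_len` still accepts `desc_ptr + len == buf + page7_len`, and in that case `desc_ptr[len] = '\0'` writes the byte at `buf[page7_len]`. That is in bounds only if `buf` was allocated with at least one byte beyond `page7_len`; the allocation is outside this hunk, so either confirm it and say so in the comment, or use `>=` here. Separately, `len` is read from the page data and can be as large as 65535, so `desc_ptr + len` may point far past the buffer before it is compared; comparing lengths instead, `if (len > buf + page7_len - desc_ptr)`, avoids forming that pointer. The same advance-then-compare pattern appears in the ses_enclosure_data_process() slab-out-of-bounds patch in this commit, where `addl_desc_ptr` is moved by `addl_desc_ptr[1] + 2` before it is checked against the end of page10.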
@@ -0,0 +1,43 @@
+From 9b4f5028e493cb353a5c8f5c45073eeea0303abd Mon Sep 17 00:00:00 2001
+From: Tomas Henzl
+Date: Thu, 2 Feb 2023 17:24:48 +0100
+Subject: scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
+
+From: Tomas Henzl
+
+commit 9b4f5028e493cb353a5c8f5c45073eeea0303abd upstream.
+
+A fix for:
+
+BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses]
+Read of size 1 at addr ffff88a1b043a451 by task systemd-udevd/3271
+
+Checking after (and before in next loop) addl_desc_ptr[1] is sufficient, we
+expect the size to be sanitized before first access to addl_desc_ptr[1].
+Make sure we don't walk beyond end of page.
+
+Link: https://lore.kernel.org/r/20230202162451.15346-2-thenzl@redhat.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Tomas Henzl
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ses.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -603,9 +603,11 @@ static void ses_enclosure_data_process(s
+ /* these elements are optional */
+ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
+ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
+- type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
++ type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS)) {
+ addl_desc_ptr += addl_desc_ptr[1] + 2;
+-
++ if (addl_desc_ptr + 1 >= ses_dev->page10 + ses_dev->page10_len)
++ addl_desc_ptr = NULL;
++ }
+ }
+ }
+ kfree(buf);
diff --git a/queue-5.4/scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch b/queue-5.4/scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch
new file mode 100644
index 00000000000..9d22b329dcf
--- /dev/null
+++ b/queue-5.4/scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch
@@ -0,0 +1,38 @@
+From 578797f0c8cbc2e3ec5fc0dab87087b4c7073686 Mon Sep 17 00:00:00 2001
+From: Tomas Henzl
+Date: Thu, 2 Feb 2023 17:24:51 +0100
+Subject: scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
+
+From: Tomas Henzl
+
+commit 578797f0c8cbc2e3ec5fc0dab87087b4c7073686 upstream.
+
+A fix for:
+
+BUG: KASAN: slab-out-of-bounds in ses_intf_remove+0x23f/0x270 [ses]
+Read of size 8 at addr ffff88a10d32e5d8 by task rmmod/12013
+
+When edev->components is zero, accessing edev->component[0] members is
+wrong.
+
+Link: https://lore.kernel.org/r/20230202162451.15346-5-thenzl@redhat.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Tomas Henzl
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ses.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -856,7 +856,8 @@ static void ses_intf_remove_enclosure(st
+ kfree(ses_dev->page2);
+ kfree(ses_dev);
+
+- kfree(edev->component[0].scratch);
++ if (edev->components)
++ kfree(edev->component[0].scratch);
+
+ put_device(&edev->edev);
+ enclosure_unregister(edev);
diff --git a/queue-5.4/series b/queue-5.4/series
index a0de2744ad9..02b5a1f90af 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
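Review bot: The guarded `kfree(edev->component[0].scratch)` has no comment explaining why only element 0 is freed or why the count must be tested first, and neither is evident from ses_intf_remove_enclosure() as shown. Presumably the `scratch` pointer of component 0 is the base of a single allocation shared by all components, and `component[]` has no valid element when `edev->components` is zero; both are set up outside this hunk. A one-line comment above the check would record that, e.g. `/* component[0].scratch is the base of the per-component array; absent when there are no components */`, once confirmed against the allocation site.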
@@ -272,3 +272,13 @@ scsi-core-remove-the-proc-scsi-proc_name-directory-earlier.patch
 scsi-qla2xxx-fix-link-failure-in-npiv-environment.patch
 scsi-qla2xxx-fix-dma-api-call-trace-on-nvme-ls-requests.patch
 scsi-qla2xxx-fix-erroneous-link-down.patch
+scsi-ses-don-t-attach-if-enclosure-has-no-components.patch
+scsi-ses-fix-slab-out-of-bounds-in-ses_enclosure_data_process.patch
+scsi-ses-fix-possible-addl_desc_ptr-out-of-bounds-accesses.patch
+scsi-ses-fix-possible-desc_ptr-out-of-bounds-accesses.patch
+scsi-ses-fix-slab-out-of-bounds-in-ses_intf_remove.patch
+pci-pm-observe-reset-delay-irrespective-of-bridge_d3.patch
+pci-hotplug-allow-marking-devices-as-disconnected-during-bind-unbind.patch
+pci-avoid-flr-for-amd-fch-ahci-adapters.patch
+drm-i915-quirks-add-inverted-backlight-quirk-for-hp-14-r206nv.patch
+drm-radeon-fix-edp-for-single-display-imac11-2.patch