From: Greg Kroah-Hartman Date: Sat, 9 Nov 2024 12:09:17 +0000 (+0100) Subject: 6.11-stable patches X-Git-Tag: v5.15.172~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2ad8e4642b68445b0577eb7fb3ca52435a300f29;p=thirdparty%2Fkernel%2Fstable-queue.git 6.11-stable patches added patches: can-cc770-sja1000-_isa-allow-building-on-x86_64.patch can-m_can-m_can_close-don-t-call-free_irq-for-irq-less-devices.patch can-mcp251xfd-mcp251xfd_get_tef_len-fix-length-calculation.patch can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-can-modes.patch drm-xe-drop-vm-dma-resv-lock-on-xe_sync_in_fence_get-failure-in-exec-ioctl.patch drm-xe-fix-possible-exec-queue-leak-in-exec-ioctl.patch drm-xe-set-mask-bits-for-ccs_mode-register.patch ksmbd-check-outstanding-simultaneous-smb-operations.patch ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch ksmbd-fix-the-missing-xa_store-error-check.patch media-ar0521-don-t-overflow-when-checking-pll-values.patch media-av7110-fix-a-spectre-vulnerability.patch media-cx24116-prevent-overflows-on-snr-calculus.patch media-dvb-core-add-missing-buffer-index-check.patch media-mgb4-protect-driver-against-spectre.patch media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch media-s5p-jpeg-prevent-buffer-overflows.patch media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch media-vivid-fix-buffer-overwrite-when-using-32-buffers.patch --- diff --git a/queue-6.11/can-cc770-sja1000-_isa-allow-building-on-x86_64.patch b/queue-6.11/can-cc770-sja1000-_isa-allow-building-on-x86_64.patch new file mode 100644 index 00000000000..1b3a01f9405 --- /dev/null +++ b/queue-6.11/can-cc770-sja1000-_isa-allow-building-on-x86_64.patch @@ -0,0 +1,58 @@ +From 7b22846f8af5ab2f267de9eb209fb1835ee9978c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20M=C3=BChlbacher?= +Date: Thu, 19 Sep 2024 17:35:22 +0000 +Subject: can: {cc770,sja1000}_isa: allow building on x86_64 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Mühlbacher + +commit 7b22846f8af5ab2f267de9eb209fb1835ee9978c upstream. + +The ISA variable is only defined if X86_32 is also defined. However, +these drivers are still useful and in use on at least some modern 64-bit +x86 industrial systems as well. With the correct module parameters, they +work as long as IO port communication is possible, despite their name +having ISA in them. + +Fixes: a29689e60ed3 ("net: handle HAS_IOPORT dependencies") +Signed-off-by: Thomas Mühlbacher +Link: https://patch.msgid.link/20240919174151.15473-2-tmuehlbacher@posteo.net +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/cc770/Kconfig | 2 +- + drivers/net/can/sja1000/Kconfig | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/cc770/Kconfig b/drivers/net/can/cc770/Kconfig +index 467ef19de1c1..aae25c2f849e 100644 +--- a/drivers/net/can/cc770/Kconfig ++++ b/drivers/net/can/cc770/Kconfig +@@ -7,7 +7,7 @@ if CAN_CC770 + + config CAN_CC770_ISA + tristate "ISA Bus based legacy CC770 driver" +- depends on ISA ++ depends on HAS_IOPORT + help + This driver adds legacy support for CC770 and AN82527 chips + connected to the ISA bus using I/O port, memory mapped or +diff --git a/drivers/net/can/sja1000/Kconfig b/drivers/net/can/sja1000/Kconfig +index 01168db4c106..2f516cc6d22c 100644 +--- a/drivers/net/can/sja1000/Kconfig ++++ b/drivers/net/can/sja1000/Kconfig +@@ -87,7 +87,7 @@ config CAN_PLX_PCI + + config CAN_SJA1000_ISA + tristate "ISA Bus based legacy SJA1000 driver" +- depends on ISA ++ depends on HAS_IOPORT + help + This driver adds legacy support for SJA1000 chips connected to + the ISA bus using I/O port, memory mapped or indirect access. +-- +2.47.0 + diff --git a/queue-6.11/can-m_can-m_can_close-don-t-call-free_irq-for-irq-less-devices.patch b/queue-6.11/can-m_can-m_can_close-don-t-call-free_irq-for-irq-less-devices.patch new file mode 100644 index 00000000000..dfe1331e67c --- /dev/null +++ b/queue-6.11/can-m_can-m_can_close-don-t-call-free_irq-for-irq-less-devices.patch @@ -0,0 +1,42 @@ +From e4de81f9e134c78ff7c75a00e43bd819643530d0 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Mon, 30 Sep 2024 19:02:30 +0200 +Subject: can: m_can: m_can_close(): don't call free_irq() for IRQ-less devices + +From: Marc Kleine-Budde + +commit e4de81f9e134c78ff7c75a00e43bd819643530d0 upstream. + +In commit b382380c0d2d ("can: m_can: Add hrtimer to generate software +interrupt") support for IRQ-less devices was added. Instead of an +interrupt, the interrupt routine is called by a hrtimer-based polling +loop. + +That patch forgot to change free_irq() to be only called for devices +with IRQs. Fix this, by calling free_irq() conditionally only if an +IRQ is available for the device (and thus has been requested +previously). + +Fixes: b382380c0d2d ("can: m_can: Add hrtimer to generate software interrupt") +Reviewed-by: Simon Horman +Reviewed-by: Markus Schneider-Pargmann +Link: https://patch.msgid.link/20240930-m_can-cleanups-v1-1-001c579cdee4@pengutronix.de +Cc: # v6.6+ +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/m_can/m_can.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -1764,7 +1764,8 @@ static int m_can_close(struct net_device + netif_stop_queue(dev); + + m_can_stop(dev); +- free_irq(dev->irq, dev); ++ if (dev->irq) ++ free_irq(dev->irq, dev); + + m_can_clean(dev); + diff --git a/queue-6.11/can-mcp251xfd-mcp251xfd_get_tef_len-fix-length-calculation.patch b/queue-6.11/can-mcp251xfd-mcp251xfd_get_tef_len-fix-length-calculation.patch new file mode 100644 index 00000000000..b80158d651c --- /dev/null +++ b/queue-6.11/can-mcp251xfd-mcp251xfd_get_tef_len-fix-length-calculation.patch @@ -0,0 +1,63 @@ +From 3c1c18551e6ac1b988d0a05c5650e3f6c95a1b8a Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Tue, 1 Oct 2024 16:56:22 +0200 +Subject: can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation + +From: Marc Kleine-Budde + +commit 3c1c18551e6ac1b988d0a05c5650e3f6c95a1b8a upstream. + +Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround +broken TEF FIFO tail index erratum") introduced +mcp251xfd_get_tef_len() to get the number of unhandled transmit events +from the Transmit Event FIFO (TEF). + +As the TEF has no head pointer, the driver uses the TX FIFO's tail +pointer instead, assuming that send frames are completed. However the +check for the TEF being full was not correct. This leads to the driver +stop working if the TEF is full. + +Fix the TEF full check by assuming that if, from the driver's point of +view, there are no free TX buffers in the chip and the TX FIFO is +empty, all messages must have been sent and the TEF must therefore be +full. + +Reported-by: Sven Schuchmann +Closes: https://patch.msgid.link/FR3P281MB155216711EFF900AD9791B7ED9692@FR3P281MB1552.DEUP281.PROD.OUTLOOK.COM +Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum") +Tested-by: Sven Schuchmann +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20241104-mcp251xfd-fix-length-calculation-v3-1-608b6e7e2197@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c +@@ -16,9 +16,9 @@ + + #include "mcp251xfd.h" + +-static inline bool mcp251xfd_tx_fifo_sta_full(u32 fifo_sta) ++static inline bool mcp251xfd_tx_fifo_sta_empty(u32 fifo_sta) + { +- return !(fifo_sta & MCP251XFD_REG_FIFOSTA_TFNRFNIF); ++ return fifo_sta & MCP251XFD_REG_FIFOSTA_TFERFFIF; + } + + static inline int +@@ -122,7 +122,11 @@ mcp251xfd_get_tef_len(struct mcp251xfd_p + if (err) + return err; + +- if (mcp251xfd_tx_fifo_sta_full(fifo_sta)) { ++ /* If the chip says the TX-FIFO is empty, but there are no TX ++ * buffers free in the ring, we assume all have been sent. ++ */ ++ if (mcp251xfd_tx_fifo_sta_empty(fifo_sta) && ++ mcp251xfd_get_tx_free(tx_ring) == 0) { + *len_p = tx_ring->obj_num; + return 0; + } diff --git a/queue-6.11/can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-can-modes.patch b/queue-6.11/can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-can-modes.patch new file mode 100644 index 00000000000..d5c176b6962 --- /dev/null +++ b/queue-6.11/can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-can-modes.patch @@ -0,0 +1,69 @@ +From eb9a839b3d8a989be5970035a5cf29bcd6ffd24d Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Fri, 25 Oct 2024 14:34:40 +0200 +Subject: can: mcp251xfd: mcp251xfd_ring_alloc(): fix coalescing configuration when switching CAN modes + +From: Marc Kleine-Budde + +commit eb9a839b3d8a989be5970035a5cf29bcd6ffd24d upstream. + +Since commit 50ea5449c563 ("can: mcp251xfd: fix ring configuration +when switching from CAN-CC to CAN-FD mode"), the current ring and +coalescing configuration is passed to can_ram_get_layout(). That fixed +the issue when switching between CAN-CC and CAN-FD mode with +configured ring (rx, tx) and/or coalescing parameters (rx-frames-irq, +tx-frames-irq). + +However 50ea5449c563 ("can: mcp251xfd: fix ring configuration when +switching from CAN-CC to CAN-FD mode"), introduced a regression when +switching CAN modes with disabled coalescing configuration: Even if +the previous CAN mode has no coalescing configured, the new mode is +configured with active coalescing. This leads to delayed receiving of +CAN-FD frames. + +This comes from the fact, that ethtool uses usecs = 0 and max_frames = +1 to disable coalescing, however the driver uses internally +priv->{rx,tx}_obj_num_coalesce_irq = 0 to indicate disabled +coalescing. + +Fix the regression by assigning struct ethtool_coalesce +ec->{rx,tx}_max_coalesced_frames_irq = 1 if coalescing is disabled in +the driver as can_ram_get_layout() expects this. + +Reported-by: https://github.com/vdh-robothania +Closes: https://github.com/raspberrypi/linux/issues/6407 +Fixes: 50ea5449c563 ("can: mcp251xfd: fix ring configuration when switching from CAN-CC to CAN-FD mode") +Cc: stable@vger.kernel.org +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241025-mcp251xfd-fix-coalesing-v1-1-9d11416de1df@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c +@@ -2,7 +2,7 @@ + // + // mcp251xfd - Microchip MCP251xFD Family CAN controller driver + // +-// Copyright (c) 2019, 2020, 2021 Pengutronix, ++// Copyright (c) 2019, 2020, 2021, 2024 Pengutronix, + // Marc Kleine-Budde + // + // Based on: +@@ -483,9 +483,11 @@ int mcp251xfd_ring_alloc(struct mcp251xf + }; + const struct ethtool_coalesce ec = { + .rx_coalesce_usecs_irq = priv->rx_coalesce_usecs_irq, +- .rx_max_coalesced_frames_irq = priv->rx_obj_num_coalesce_irq, ++ .rx_max_coalesced_frames_irq = priv->rx_obj_num_coalesce_irq == 0 ? ++ 1 : priv->rx_obj_num_coalesce_irq, + .tx_coalesce_usecs_irq = priv->tx_coalesce_usecs_irq, +- .tx_max_coalesced_frames_irq = priv->tx_obj_num_coalesce_irq, ++ .tx_max_coalesced_frames_irq = priv->tx_obj_num_coalesce_irq == 0 ? ++ 1 : priv->tx_obj_num_coalesce_irq, + }; + struct can_ram_layout layout; + diff --git a/queue-6.11/drm-xe-drop-vm-dma-resv-lock-on-xe_sync_in_fence_get-failure-in-exec-ioctl.patch b/queue-6.11/drm-xe-drop-vm-dma-resv-lock-on-xe_sync_in_fence_get-failure-in-exec-ioctl.patch new file mode 100644 index 00000000000..5983df92a70 --- /dev/null +++ b/queue-6.11/drm-xe-drop-vm-dma-resv-lock-on-xe_sync_in_fence_get-failure-in-exec-ioctl.patch @@ -0,0 +1,34 @@ +From 64a2b6ed4bfd890a0e91955dd8ef8422a3944ed9 Mon Sep 17 00:00:00 2001 +From: Matthew Brost +Date: Mon, 4 Nov 2024 20:35:24 -0800 +Subject: drm/xe: Drop VM dma-resv lock on xe_sync_in_fence_get failure in exec IOCTL + +From: Matthew Brost + +commit 64a2b6ed4bfd890a0e91955dd8ef8422a3944ed9 upstream. + +Upon failure all locks need to be dropped before returning to the user. + +Fixes: 58480c1c912f ("drm/xe: Skip VMAs pin when requesting signal to the last XE_EXEC") +Cc: +Signed-off-by: Matthew Brost +Reviewed-by: Tejas Upadhyay +Reviewed-by: Rodrigo Vivi +Link: https://patchwork.freedesktop.org/patch/msgid/20241105043524.4062774-3-matthew.brost@intel.com +(cherry picked from commit 7d1a4258e602ffdce529f56686925034c1b3b095) +Signed-off-by: Lucas De Marchi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_exec.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/xe/xe_exec.c ++++ b/drivers/gpu/drm/xe/xe_exec.c +@@ -212,6 +212,7 @@ retry: + fence = xe_sync_in_fence_get(syncs, num_syncs, q, vm); + if (IS_ERR(fence)) { + err = PTR_ERR(fence); ++ xe_vm_unlock(vm); + goto err_unlock_list; + } + for (i = 0; i < num_syncs; i++) diff --git a/queue-6.11/drm-xe-fix-possible-exec-queue-leak-in-exec-ioctl.patch b/queue-6.11/drm-xe-fix-possible-exec-queue-leak-in-exec-ioctl.patch new file mode 100644 index 00000000000..39dec48f5c4 --- /dev/null +++ b/queue-6.11/drm-xe-fix-possible-exec-queue-leak-in-exec-ioctl.patch @@ -0,0 +1,49 @@ +From af797b831d8975cb4610f396dcb7f03f4b9908e7 Mon Sep 17 00:00:00 2001 +From: Matthew Brost +Date: Mon, 4 Nov 2024 20:35:23 -0800 +Subject: drm/xe: Fix possible exec queue leak in exec IOCTL + +From: Matthew Brost + +commit af797b831d8975cb4610f396dcb7f03f4b9908e7 upstream. + +In a couple of places after an exec queue is looked up the exec IOCTL +returns on input errors without dropping the exec queue ref. Fix this +ensuring the exec queue ref is dropped on input error. + +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Cc: +Signed-off-by: Matthew Brost +Reviewed-by: Tejas Upadhyay +Reviewed-by: Rodrigo Vivi +Link: https://patchwork.freedesktop.org/patch/msgid/20241105043524.4062774-2-matthew.brost@intel.com +(cherry picked from commit 07064a200b40ac2195cb6b7b779897d9377e5e6f) +Signed-off-by: Lucas De Marchi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_exec.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_exec.c ++++ b/drivers/gpu/drm/xe/xe_exec.c +@@ -129,12 +129,16 @@ int xe_exec_ioctl(struct drm_device *dev + if (XE_IOCTL_DBG(xe, !q)) + return -ENOENT; + +- if (XE_IOCTL_DBG(xe, q->flags & EXEC_QUEUE_FLAG_VM)) +- return -EINVAL; ++ if (XE_IOCTL_DBG(xe, q->flags & EXEC_QUEUE_FLAG_VM)) { ++ err = -EINVAL; ++ goto err_exec_queue; ++ } + + if (XE_IOCTL_DBG(xe, args->num_batch_buffer && +- q->width != args->num_batch_buffer)) +- return -EINVAL; ++ q->width != args->num_batch_buffer)) { ++ err = -EINVAL; ++ goto err_exec_queue; ++ } + + if (XE_IOCTL_DBG(xe, q->ops->reset_status(q))) { + err = -ECANCELED; diff --git a/queue-6.11/drm-xe-set-mask-bits-for-ccs_mode-register.patch b/queue-6.11/drm-xe-set-mask-bits-for-ccs_mode-register.patch new file mode 100644 index 00000000000..5d855906ac3 --- /dev/null +++ b/queue-6.11/drm-xe-set-mask-bits-for-ccs_mode-register.patch @@ -0,0 +1,53 @@ +From 7fd3fa006fa56c0ec299c61ecf5c572c723adad5 Mon Sep 17 00:00:00 2001 +From: Balasubramani Vivekanandan +Date: Tue, 8 Oct 2024 13:06:27 +0530 +Subject: drm/xe: Set mask bits for CCS_MODE register + +From: Balasubramani Vivekanandan + +commit 7fd3fa006fa56c0ec299c61ecf5c572c723adad5 upstream. + +CCS_MODE register requires setting mask bits from Xe2+ platforms. Set +the mask bits unconditionally, as those bits are unused for older +platforms. + +Signed-off-by: Balasubramani Vivekanandan +Cc: stable@vger.kernel.org # v6.11+ +Reviewed-by: Lucas De Marchi +Link: https://patchwork.freedesktop.org/patch/msgid/20241008073628.377433-2-balasubramani.vivekanandan@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit 23ea2c7572d4735ef66beb1e4feb8ae510b78247) +[ Fix conflict with mmio refactors ] +Signed-off-by: Lucas De Marchi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/regs/xe_gt_regs.h | 2 +- + drivers/gpu/drm/xe/xe_gt_ccs_mode.c | 6 ++++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/xe/regs/xe_gt_regs.h ++++ b/drivers/gpu/drm/xe/regs/xe_gt_regs.h +@@ -509,7 +509,7 @@ + * [4-6] RSVD + * [7] Disabled + */ +-#define CCS_MODE XE_REG(0x14804) ++#define CCS_MODE XE_REG(0x14804, XE_REG_OPTION_MASKED) + #define CCS_MODE_CSLICE_0_3_MASK REG_GENMASK(11, 0) /* 3 bits per cslice */ + #define CCS_MODE_CSLICE_MASK 0x7 /* CCS0-3 + rsvd */ + #define CCS_MODE_CSLICE_WIDTH ilog2(CCS_MODE_CSLICE_MASK + 1) +--- a/drivers/gpu/drm/xe/xe_gt_ccs_mode.c ++++ b/drivers/gpu/drm/xe/xe_gt_ccs_mode.c +@@ -68,6 +68,12 @@ static void __xe_gt_apply_ccs_mode(struc + } + } + ++ /* ++ * Mask bits need to be set for the register. Though only Xe2+ ++ * platforms require setting of mask bits, it won't harm for older ++ * platforms as these bits are unused there. ++ */ ++ mode |= CCS_MODE_CSLICE_0_3_MASK << 16; + xe_mmio_write32(gt, CCS_MODE, mode); + + xe_gt_dbg(gt, "CCS_MODE=%x config:%08x, num_engines:%d, num_slices:%d\n", diff --git a/queue-6.11/ksmbd-check-outstanding-simultaneous-smb-operations.patch b/queue-6.11/ksmbd-check-outstanding-simultaneous-smb-operations.patch new file mode 100644 index 00000000000..237cf71590b --- /dev/null +++ b/queue-6.11/ksmbd-check-outstanding-simultaneous-smb-operations.patch @@ -0,0 +1,137 @@ +From 0a77d947f599b1f39065015bec99390d0c0022ee Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Mon, 4 Nov 2024 13:43:06 +0900 +Subject: ksmbd: check outstanding simultaneous SMB operations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Namjae Jeon + +commit 0a77d947f599b1f39065015bec99390d0c0022ee upstream. + +If Client send simultaneous SMB operations to ksmbd, It exhausts too much +memory through the "ksmbd_work_cache”. It will cause OOM issue. +ksmbd has a credit mechanism but it can't handle this problem. This patch +add the check if it exceeds max credits to prevent this problem by assuming +that one smb request consumes at least one credit. + +Cc: stable@vger.kernel.org # v5.15+ +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/connection.c | 1 + + fs/smb/server/connection.h | 1 + + fs/smb/server/server.c | 16 ++++++++++------ + fs/smb/server/smb_common.c | 10 +++++++--- + fs/smb/server/smb_common.h | 2 +- + 5 files changed, 20 insertions(+), 10 deletions(-) + +--- a/fs/smb/server/connection.c ++++ b/fs/smb/server/connection.c +@@ -70,6 +70,7 @@ struct ksmbd_conn *ksmbd_conn_alloc(void + atomic_set(&conn->req_running, 0); + atomic_set(&conn->r_count, 0); + atomic_set(&conn->refcnt, 1); ++ atomic_set(&conn->mux_smb_requests, 0); + conn->total_credits = 1; + conn->outstanding_credits = 0; + +--- a/fs/smb/server/connection.h ++++ b/fs/smb/server/connection.h +@@ -107,6 +107,7 @@ struct ksmbd_conn { + __le16 signing_algorithm; + bool binding; + atomic_t refcnt; ++ atomic_t mux_smb_requests; + }; + + struct ksmbd_conn_ops { +--- a/fs/smb/server/server.c ++++ b/fs/smb/server/server.c +@@ -270,6 +270,7 @@ static void handle_ksmbd_work(struct wor + + ksmbd_conn_try_dequeue_request(work); + ksmbd_free_work_struct(work); ++ atomic_dec(&conn->mux_smb_requests); + /* + * Checking waitqueue to dropping pending requests on + * disconnection. waitqueue_active is safe because it +@@ -291,6 +292,15 @@ static int queue_ksmbd_work(struct ksmbd + struct ksmbd_work *work; + int err; + ++ err = ksmbd_init_smb_server(conn); ++ if (err) ++ return 0; ++ ++ if (atomic_inc_return(&conn->mux_smb_requests) >= conn->vals->max_credits) { ++ atomic_dec_return(&conn->mux_smb_requests); ++ return -ENOSPC; ++ } ++ + work = ksmbd_alloc_work_struct(); + if (!work) { + pr_err("allocation for work failed\n"); +@@ -301,12 +311,6 @@ static int queue_ksmbd_work(struct ksmbd + work->request_buf = conn->request_buf; + conn->request_buf = NULL; + +- err = ksmbd_init_smb_server(work); +- if (err) { +- ksmbd_free_work_struct(work); +- return 0; +- } +- + ksmbd_conn_enqueue_request(work); + atomic_inc(&conn->r_count); + /* update activity on connection */ +--- a/fs/smb/server/smb_common.c ++++ b/fs/smb/server/smb_common.c +@@ -388,6 +388,10 @@ static struct smb_version_ops smb1_serve + .set_rsp_status = set_smb1_rsp_status, + }; + ++static struct smb_version_values smb1_server_values = { ++ .max_credits = SMB2_MAX_CREDITS, ++}; ++ + static int smb1_negotiate(struct ksmbd_work *work) + { + return ksmbd_smb_negotiate_common(work, SMB_COM_NEGOTIATE); +@@ -399,18 +403,18 @@ static struct smb_version_cmds smb1_serv + + static int init_smb1_server(struct ksmbd_conn *conn) + { ++ conn->vals = &smb1_server_values; + conn->ops = &smb1_server_ops; + conn->cmds = smb1_server_cmds; + conn->max_cmds = ARRAY_SIZE(smb1_server_cmds); + return 0; + } + +-int ksmbd_init_smb_server(struct ksmbd_work *work) ++int ksmbd_init_smb_server(struct ksmbd_conn *conn) + { +- struct ksmbd_conn *conn = work->conn; + __le32 proto; + +- proto = *(__le32 *)((struct smb_hdr *)work->request_buf)->Protocol; ++ proto = *(__le32 *)((struct smb_hdr *)conn->request_buf)->Protocol; + if (conn->need_neg == false) { + if (proto == SMB1_PROTO_NUMBER) + return -EINVAL; +--- a/fs/smb/server/smb_common.h ++++ b/fs/smb/server/smb_common.h +@@ -427,7 +427,7 @@ bool ksmbd_smb_request(struct ksmbd_conn + + int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count); + +-int ksmbd_init_smb_server(struct ksmbd_work *work); ++int ksmbd_init_smb_server(struct ksmbd_conn *conn); + + struct ksmbd_kstat; + int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, diff --git a/queue-6.11/ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch b/queue-6.11/ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch new file mode 100644 index 00000000000..0edc2afd0ca --- /dev/null +++ b/queue-6.11/ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch @@ -0,0 +1,57 @@ +From 0a77715db22611df50b178374c51e2ba0d58866e Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sat, 2 Nov 2024 18:46:38 +0900 +Subject: ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create + +From: Namjae Jeon + +commit 0a77715db22611df50b178374c51e2ba0d58866e upstream. + +There is a race condition between ksmbd_smb2_session_create and +ksmbd_expire_session. This patch add missing sessions_table_lock +while adding/deleting session from global session table. + +Cc: stable@vger.kernel.org # v5.15+ +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/mgmt/user_session.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -175,6 +175,7 @@ static void ksmbd_expire_session(struct + unsigned long id; + struct ksmbd_session *sess; + ++ down_write(&sessions_table_lock); + down_write(&conn->session_lock); + xa_for_each(&conn->sessions, id, sess) { + if (atomic_read(&sess->refcnt) == 0 && +@@ -188,6 +189,7 @@ static void ksmbd_expire_session(struct + } + } + up_write(&conn->session_lock); ++ up_write(&sessions_table_lock); + } + + int ksmbd_session_register(struct ksmbd_conn *conn, +@@ -229,7 +231,6 @@ void ksmbd_sessions_deregister(struct ks + } + } + } +- up_write(&sessions_table_lock); + + down_write(&conn->session_lock); + xa_for_each(&conn->sessions, id, sess) { +@@ -249,6 +250,7 @@ void ksmbd_sessions_deregister(struct ks + } + } + up_write(&conn->session_lock); ++ up_write(&sessions_table_lock); + } + + struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn, diff --git a/queue-6.11/ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch b/queue-6.11/ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch new file mode 100644 index 00000000000..a315670387d --- /dev/null +++ b/queue-6.11/ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch @@ -0,0 +1,38 @@ +From b8fc56fbca7482c1e5c0e3351c6ae78982e25ada Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Mon, 4 Nov 2024 13:40:41 +0900 +Subject: ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp + +From: Namjae Jeon + +commit b8fc56fbca7482c1e5c0e3351c6ae78982e25ada upstream. + +ksmbd_user_session_put should be called under smb3_preauth_hash_rsp(). +It will avoid freeing session before calling smb3_preauth_hash_rsp(). + +Cc: stable@vger.kernel.org # v5.15+ +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/server.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/server.c ++++ b/fs/smb/server/server.c +@@ -238,11 +238,11 @@ static void __handle_ksmbd_work(struct k + } while (is_chained == true); + + send: +- if (work->sess) +- ksmbd_user_session_put(work->sess); + if (work->tcon) + ksmbd_tree_connect_put(work->tcon); + smb3_preauth_hash_rsp(work); ++ if (work->sess) ++ ksmbd_user_session_put(work->sess); + if (work->sess && work->sess->enc && work->encrypted && + conn->ops->encrypt_resp) { + rc = conn->ops->encrypt_resp(work); diff --git a/queue-6.11/ksmbd-fix-the-missing-xa_store-error-check.patch b/queue-6.11/ksmbd-fix-the-missing-xa_store-error-check.patch new file mode 100644 index 00000000000..9e53ece6d8d --- /dev/null +++ b/queue-6.11/ksmbd-fix-the-missing-xa_store-error-check.patch @@ -0,0 +1,57 @@ +From 3abab905b14f4ba756d413f37f1fb02b708eee93 Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Mon, 28 Oct 2024 08:28:30 +0900 +Subject: ksmbd: Fix the missing xa_store error check + +From: Jinjie Ruan + +commit 3abab905b14f4ba756d413f37f1fb02b708eee93 upstream. + +xa_store() can fail, it return xa_err(-EINVAL) if the entry cannot +be stored in an XArray, or xa_err(-ENOMEM) if memory allocation failed, +so check error for xa_store() to fix it. + +Cc: stable@vger.kernel.org +Fixes: b685757c7b08 ("ksmbd: Implements sess->rpc_handle_list as xarray") +Signed-off-by: Jinjie Ruan +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/mgmt/user_session.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -90,7 +90,7 @@ static int __rpc_method(char *rpc_name) + + int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name) + { +- struct ksmbd_session_rpc *entry; ++ struct ksmbd_session_rpc *entry, *old; + struct ksmbd_rpc_command *resp; + int method; + +@@ -106,16 +106,19 @@ int ksmbd_session_rpc_open(struct ksmbd_ + entry->id = ksmbd_ipc_id_alloc(); + if (entry->id < 0) + goto free_entry; +- xa_store(&sess->rpc_handle_list, entry->id, entry, GFP_KERNEL); ++ old = xa_store(&sess->rpc_handle_list, entry->id, entry, GFP_KERNEL); ++ if (xa_is_err(old)) ++ goto free_id; + + resp = ksmbd_rpc_open(sess, entry->id); + if (!resp) +- goto free_id; ++ goto erase_xa; + + kvfree(resp); + return entry->id; +-free_id: ++erase_xa: + xa_erase(&sess->rpc_handle_list, entry->id); ++free_id: + ksmbd_rpc_id_free(entry->id); + free_entry: + kfree(entry); diff --git a/queue-6.11/media-ar0521-don-t-overflow-when-checking-pll-values.patch b/queue-6.11/media-ar0521-don-t-overflow-when-checking-pll-values.patch new file mode 100644 index 00000000000..b0b8cdd5b3b --- /dev/null +++ b/queue-6.11/media-ar0521-don-t-overflow-when-checking-pll-values.patch @@ -0,0 +1,39 @@ +From 438d3085ba5b8b5bfa5290faa594e577f6ac9aa7 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 11:38:10 +0200 +Subject: media: ar0521: don't overflow when checking PLL values + +From: Mauro Carvalho Chehab + +commit 438d3085ba5b8b5bfa5290faa594e577f6ac9aa7 upstream. + +The PLL checks are comparing 64 bit integers with 32 bit +ones, as reported by Coverity. Depending on the values of +the variables, this may underflow. + +Fix it ensuring that both sides of the expression are u64. + +Fixes: 852b50aeed15 ("media: On Semi AR0521 sensor driver") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Sakari Ailus +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ar0521.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/ar0521.c ++++ b/drivers/media/i2c/ar0521.c +@@ -255,10 +255,10 @@ static u32 calc_pll(struct ar0521_dev *s + continue; /* Minimum value */ + if (new_mult > 254) + break; /* Maximum, larger pre won't work either */ +- if (sensor->extclk_freq * (u64)new_mult < AR0521_PLL_MIN * ++ if (sensor->extclk_freq * (u64)new_mult < (u64)AR0521_PLL_MIN * + new_pre) + continue; +- if (sensor->extclk_freq * (u64)new_mult > AR0521_PLL_MAX * ++ if (sensor->extclk_freq * (u64)new_mult > (u64)AR0521_PLL_MAX * + new_pre) + break; /* Larger pre won't work either */ + new_pll = div64_round_up(sensor->extclk_freq * (u64)new_mult, diff --git a/queue-6.11/media-av7110-fix-a-spectre-vulnerability.patch b/queue-6.11/media-av7110-fix-a-spectre-vulnerability.patch new file mode 100644 index 00000000000..c41a119f214 --- /dev/null +++ b/queue-6.11/media-av7110-fix-a-spectre-vulnerability.patch @@ -0,0 +1,102 @@ +From 458ea1c0be991573ec436aa0afa23baacfae101a Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 09:24:24 +0200 +Subject: media: av7110: fix a spectre vulnerability + +From: Mauro Carvalho Chehab + +commit 458ea1c0be991573ec436aa0afa23baacfae101a upstream. + +As warned by smatch: + drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap) + +There is a spectre-related vulnerability at the code. Fix it. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/av7110/av7110.h | 4 +++- + drivers/staging/media/av7110/av7110_ca.c | 25 +++++++++++++++++-------- + 2 files changed, 20 insertions(+), 9 deletions(-) + +--- a/drivers/staging/media/av7110/av7110.h ++++ b/drivers/staging/media/av7110/av7110.h +@@ -88,6 +88,8 @@ struct infrared { + u32 ir_config; + }; + ++#define MAX_CI_SLOTS 2 ++ + /* place to store all the necessary device information */ + struct av7110 { + /* devices */ +@@ -163,7 +165,7 @@ struct av7110 { + + /* CA */ + +- struct ca_slot_info ci_slot[2]; ++ struct ca_slot_info ci_slot[MAX_CI_SLOTS]; + + enum av7110_video_mode vidmode; + struct dmxdev dmxdev; +--- a/drivers/staging/media/av7110/av7110_ca.c ++++ b/drivers/staging/media/av7110/av7110_ca.c +@@ -26,23 +26,28 @@ + + void CI_handle(struct av7110 *av7110, u8 *data, u16 len) + { ++ unsigned slot_num; ++ + dprintk(8, "av7110:%p\n", av7110); + + if (len < 3) + return; + switch (data[0]) { + case CI_MSG_CI_INFO: +- if (data[2] != 1 && data[2] != 2) ++ if (data[2] != 1 && data[2] != MAX_CI_SLOTS) + break; ++ ++ slot_num = array_index_nospec(data[2] - 1, MAX_CI_SLOTS); ++ + switch (data[1]) { + case 0: +- av7110->ci_slot[data[2] - 1].flags = 0; ++ av7110->ci_slot[slot_num].flags = 0; + break; + case 1: +- av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_PRESENT; ++ av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_PRESENT; + break; + case 2: +- av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_READY; ++ av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_READY; + break; + } + break; +@@ -262,15 +267,19 @@ static int dvb_ca_ioctl(struct file *fil + case CA_GET_SLOT_INFO: + { + struct ca_slot_info *info = (struct ca_slot_info *)parg; ++ unsigned int slot_num; + + if (info->num < 0 || info->num > 1) { + mutex_unlock(&av7110->ioctl_mutex); + return -EINVAL; + } +- av7110->ci_slot[info->num].num = info->num; +- av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? +- CA_CI_LINK : CA_CI; +- memcpy(info, &av7110->ci_slot[info->num], sizeof(struct ca_slot_info)); ++ slot_num = array_index_nospec(info->num, MAX_CI_SLOTS); ++ ++ av7110->ci_slot[slot_num].num = info->num; ++ av7110->ci_slot[slot_num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? ++ CA_CI_LINK : CA_CI; ++ memcpy(info, &av7110->ci_slot[slot_num], ++ sizeof(struct ca_slot_info)); + break; + } + diff --git a/queue-6.11/media-cx24116-prevent-overflows-on-snr-calculus.patch b/queue-6.11/media-cx24116-prevent-overflows-on-snr-calculus.patch new file mode 100644 index 00000000000..92da5b91ff7 --- /dev/null +++ b/queue-6.11/media-cx24116-prevent-overflows-on-snr-calculus.patch @@ -0,0 +1,46 @@ +From 576a307a7650bd544fbb24df801b9b7863b85e2f Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 12:14:11 +0200 +Subject: media: cx24116: prevent overflows on SNR calculus + +From: Mauro Carvalho Chehab + +commit 576a307a7650bd544fbb24df801b9b7863b85e2f upstream. + +as reported by Coverity, if reading SNR registers fail, a negative +number will be returned, causing an underflow when reading SNR +registers. + +Prevent that. + +Fixes: 8953db793d5b ("V4L/DVB (9178): cx24116: Add module parameter to return SNR as ESNO.") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-frontends/cx24116.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb-frontends/cx24116.c ++++ b/drivers/media/dvb-frontends/cx24116.c +@@ -741,6 +741,7 @@ static int cx24116_read_snr_pct(struct d + { + struct cx24116_state *state = fe->demodulator_priv; + u8 snr_reading; ++ int ret; + static const u32 snr_tab[] = { /* 10 x Table (rounded up) */ + 0x00000, 0x0199A, 0x03333, 0x04ccD, 0x06667, + 0x08000, 0x0999A, 0x0b333, 0x0cccD, 0x0e667, +@@ -749,7 +750,11 @@ static int cx24116_read_snr_pct(struct d + + dprintk("%s()\n", __func__); + +- snr_reading = cx24116_readreg(state, CX24116_REG_QUALITY0); ++ ret = cx24116_readreg(state, CX24116_REG_QUALITY0); ++ if (ret < 0) ++ return ret; ++ ++ snr_reading = ret; + + if (snr_reading >= 0xa0 /* 100% */) + *snr = 0xffff; diff --git a/queue-6.11/media-dvb-core-add-missing-buffer-index-check.patch b/queue-6.11/media-dvb-core-add-missing-buffer-index-check.patch new file mode 100644 index 00000000000..c3c3c204865 --- /dev/null +++ b/queue-6.11/media-dvb-core-add-missing-buffer-index-check.patch @@ -0,0 +1,43 @@ +From fa88dc7db176c79b50adb132a56120a1d4d9d18b Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Tue, 1 Oct 2024 11:01:34 +0200 +Subject: media: dvb-core: add missing buffer index check + +From: Hans Verkuil + +commit fa88dc7db176c79b50adb132a56120a1d4d9d18b upstream. + +dvb_vb2_expbuf() didn't check if the given buffer index was +for a valid buffer. Add this check. + +Signed-off-by: Hans Verkuil +Reported-by: Chenyuan Yang +Closes: https://lore.kernel.org/linux-media/?q=WARNING+in+vb2_core_reqbufs +Fixes: 7dc866df4012 ("media: dvb-core: Use vb2_get_buffer() instead of directly access to buffers array") +Reviewed-by: Benjamin Gaignard +Cc: +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-core/dvb_vb2.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb-core/dvb_vb2.c ++++ b/drivers/media/dvb-core/dvb_vb2.c +@@ -366,9 +366,15 @@ int dvb_vb2_querybuf(struct dvb_vb2_ctx + int dvb_vb2_expbuf(struct dvb_vb2_ctx *ctx, struct dmx_exportbuffer *exp) + { + struct vb2_queue *q = &ctx->vb_q; ++ struct vb2_buffer *vb2 = vb2_get_buffer(q, exp->index); + int ret; + +- ret = vb2_core_expbuf(&ctx->vb_q, &exp->fd, q->type, q->bufs[exp->index], ++ if (!vb2) { ++ dprintk(1, "[%s] invalid buffer index\n", ctx->name); ++ return -EINVAL; ++ } ++ ++ ret = vb2_core_expbuf(&ctx->vb_q, &exp->fd, q->type, vb2, + 0, exp->flags); + if (ret) { + dprintk(1, "[%s] index=%d errno=%d\n", ctx->name, diff --git a/queue-6.11/media-mgb4-protect-driver-against-spectre.patch b/queue-6.11/media-mgb4-protect-driver-against-spectre.patch new file mode 100644 index 00000000000..b1639d38333 --- /dev/null +++ b/queue-6.11/media-mgb4-protect-driver-against-spectre.patch @@ -0,0 +1,45 @@ +From 2aee207e5b3c94ef859316008119ea06d6798d49 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 10:33:10 +0200 +Subject: media: mgb4: protect driver against spectre +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mauro Carvalho Chehab + +commit 2aee207e5b3c94ef859316008119ea06d6798d49 upstream. + +Frequency range is set from sysfs via frequency_range_store(), +being vulnerable to spectre, as reported by smatch: + + drivers/media/pci/mgb4/mgb4_cmt.c:231 mgb4_cmt_set_vin_freq_range() warn: potential spectre issue 'cmt_vals_in' [r] + drivers/media/pci/mgb4/mgb4_cmt.c:238 mgb4_cmt_set_vin_freq_range() warn: possible spectre second half. 'reg_set' + +Fix it. + +Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Martin Tůma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/mgb4/mgb4_cmt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/pci/mgb4/mgb4_cmt.c b/drivers/media/pci/mgb4/mgb4_cmt.c +index 70dc78ef193c..a25b68403bc6 100644 +--- a/drivers/media/pci/mgb4/mgb4_cmt.c ++++ b/drivers/media/pci/mgb4/mgb4_cmt.c +@@ -227,6 +227,8 @@ void mgb4_cmt_set_vin_freq_range(struct mgb4_vin_dev *vindev, + u32 config; + size_t i; + ++ freq_range = array_index_nospec(freq_range, ARRAY_SIZE(cmt_vals_in)); ++ + addr = cmt_addrs_in[vindev->config->id]; + reg_set = cmt_vals_in[freq_range]; + +-- +2.47.0 + diff --git a/queue-6.11/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch b/queue-6.11/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch new file mode 100644 index 00000000000..1250989104a --- /dev/null +++ b/queue-6.11/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch @@ -0,0 +1,57 @@ +From ba9cf6b430433e57bfc8072364e944b7c0eca2a4 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Wed, 16 Oct 2024 11:24:15 +0200 +Subject: media: pulse8-cec: fix data timestamp at pulse8_setup() + +From: Mauro Carvalho Chehab + +commit ba9cf6b430433e57bfc8072364e944b7c0eca2a4 upstream. + +As pointed by Coverity, there is a hidden overflow condition there. +As date is signed and u8 is unsigned, doing: + + date = (data[0] << 24) + +With a value bigger than 07f will make all upper bits of date +0xffffffff. This can be demonstrated with this small code: + + +typedef int64_t time64_t; +typedef uint8_t u8; + +int main(void) +{ + u8 data[] = { 0xde ,0xad , 0xbe, 0xef }; + time64_t date; + + date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; + printf("Invalid data = 0x%08lx\n", date); + + date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; + printf("Expected data = 0x%08lx\n", date); + + return 0; +} + + +Fix it by converting the upper bit calculation to unsigned. + +Fixes: cea28e7a55e7 ("media: pulse8-cec: reorganize function order") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/cec/usb/pulse8/pulse8-cec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/cec/usb/pulse8/pulse8-cec.c ++++ b/drivers/media/cec/usb/pulse8/pulse8-cec.c +@@ -685,7 +685,7 @@ static int pulse8_setup(struct pulse8 *p + err = pulse8_send_and_wait(pulse8, cmd, 1, cmd[0], 4); + if (err) + return err; +- date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; ++ date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; + dev_info(pulse8->dev, "Firmware build date %ptT\n", &date); + + dev_dbg(pulse8->dev, "Persistent config:\n"); diff --git a/queue-6.11/media-s5p-jpeg-prevent-buffer-overflows.patch b/queue-6.11/media-s5p-jpeg-prevent-buffer-overflows.patch new file mode 100644 index 00000000000..9b0f172f21f --- /dev/null +++ b/queue-6.11/media-s5p-jpeg-prevent-buffer-overflows.patch @@ -0,0 +1,87 @@ +From 14a22762c3daeac59a5a534e124acbb4d7a79b3a Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 11:10:31 +0200 +Subject: media: s5p-jpeg: prevent buffer overflows + +From: Mauro Carvalho Chehab + +commit 14a22762c3daeac59a5a534e124acbb4d7a79b3a upstream. + +The current logic allows word to be less than 2. If this happens, +there will be buffer overflows, as reported by smatch. Add extra +checks to prevent it. + +While here, remove an unused word = 0 assignment. + +Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jacek Anaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c ++++ b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c +@@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_ + (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2; + jpeg_buffer.curr = 0; + +- word = 0; +- + if (get_word_be(&jpeg_buffer, &word)) + return; +- jpeg_buffer.size = (long)word - 2; ++ ++ if (word < 2) ++ jpeg_buffer.size = 0; ++ else ++ jpeg_buffer.size = (long)word - 2; ++ + jpeg_buffer.data += 2; + jpeg_buffer.curr = 0; + +@@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_b + if (byte == -1) + return -1; + *word = (unsigned int)byte | temp; ++ + return 0; + } + +@@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5 + if (get_word_be(&jpeg_buffer, &word)) + break; + length = (long)word - 2; +- if (!length) ++ if (length <= 0) + return false; + sof = jpeg_buffer.curr; /* after 0xffc0 */ + sof_len = length; +@@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5 + if (get_word_be(&jpeg_buffer, &word)) + break; + length = (long)word - 2; +- if (!length) ++ if (length <= 0) + return false; + if (n_dqt >= S5P_JPEG_MAX_MARKER) + return false; +@@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5 + if (get_word_be(&jpeg_buffer, &word)) + break; + length = (long)word - 2; +- if (!length) ++ if (length <= 0) + return false; + if (n_dht >= S5P_JPEG_MAX_MARKER) + return false; +@@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5 + if (get_word_be(&jpeg_buffer, &word)) + break; + length = (long)word - 2; ++ /* No need to check underflows as skip() does it */ + skip(&jpeg_buffer, length); + break; + } diff --git a/queue-6.11/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch b/queue-6.11/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch new file mode 100644 index 00000000000..158608f9032 --- /dev/null +++ b/queue-6.11/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch @@ -0,0 +1,68 @@ +From 4c76f331a9a173ac8fe1297a9231c2a38f88e368 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 14:23:38 +0200 +Subject: media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl() + +From: Mauro Carvalho Chehab + +commit 4c76f331a9a173ac8fe1297a9231c2a38f88e368 upstream. + +As detected by Coverity, the error check logic at get_ctrl() is +broken: if ptr_to_user() fails to fill a control due to an error, +no errors are returned and v4l2_g_ctrl() returns success on a +failed operation, which may cause applications to fail. + +Add an error check at get_ctrl() and ensure that it will +be returned to userspace without filling the control value if +get_ctrl() fails. + +Fixes: 71c689dc2e73 ("media: v4l2-ctrls: split up into four source files") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ctrls-api.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls-api.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c +@@ -753,9 +753,10 @@ static int get_ctrl(struct v4l2_ctrl *ct + for (i = 0; i < master->ncontrols; i++) + cur_to_new(master->cluster[i]); + ret = call_op(master, g_volatile_ctrl); +- new_to_user(c, ctrl); ++ if (!ret) ++ ret = new_to_user(c, ctrl); + } else { +- cur_to_user(c, ctrl); ++ ret = cur_to_user(c, ctrl); + } + v4l2_ctrl_unlock(master); + return ret; +@@ -770,7 +771,10 @@ int v4l2_g_ctrl(struct v4l2_ctrl_handler + if (!ctrl || !ctrl->is_int) + return -EINVAL; + ret = get_ctrl(ctrl, &c); +- control->value = c.value; ++ ++ if (!ret) ++ control->value = c.value; ++ + return ret; + } + EXPORT_SYMBOL(v4l2_g_ctrl); +@@ -811,10 +815,11 @@ static int set_ctrl_lock(struct v4l2_fh + int ret; + + v4l2_ctrl_lock(ctrl); +- user_to_new(c, ctrl); +- ret = set_ctrl(fh, ctrl, 0); ++ ret = user_to_new(c, ctrl); ++ if (!ret) ++ ret = set_ctrl(fh, ctrl, 0); + if (!ret) +- cur_to_user(c, ctrl); ++ ret = cur_to_user(c, ctrl); + v4l2_ctrl_unlock(ctrl); + return ret; + } diff --git a/queue-6.11/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch b/queue-6.11/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch new file mode 100644 index 00000000000..8927e22c4db --- /dev/null +++ b/queue-6.11/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch @@ -0,0 +1,36 @@ +From e6a3ea83fbe15d4818d01804e904cbb0e64e543b Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Wed, 16 Oct 2024 11:53:15 +0200 +Subject: media: v4l2-tpg: prevent the risk of a division by zero + +From: Mauro Carvalho Chehab + +commit e6a3ea83fbe15d4818d01804e904cbb0e64e543b upstream. + +As reported by Coverity, the logic at tpg_precalculate_line() +blindly rescales the buffer even when scaled_witdh is equal to +zero. If this ever happens, this will cause a division by zero. + +Instead, add a WARN_ON_ONCE() to trigger such cases and return +without doing any precalculation. + +Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c ++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c +@@ -1795,6 +1795,9 @@ static void tpg_precalculate_line(struct + unsigned p; + unsigned x; + ++ if (WARN_ON_ONCE(!tpg->src_width || !tpg->scaled_width)) ++ return; ++ + switch (tpg->pattern) { + case TPG_PAT_GREEN: + contrast = TPG_COLOR_100_RED; diff --git a/queue-6.11/media-vivid-fix-buffer-overwrite-when-using-32-buffers.patch b/queue-6.11/media-vivid-fix-buffer-overwrite-when-using-32-buffers.patch new file mode 100644 index 00000000000..3e09b4b8712 --- /dev/null +++ b/queue-6.11/media-vivid-fix-buffer-overwrite-when-using-32-buffers.patch @@ -0,0 +1,85 @@ +From 96d8569563916fe2f8fe17317e20e43f54f9ba4b Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 24 Oct 2024 10:21:30 +0200 +Subject: media: vivid: fix buffer overwrite when using > 32 buffers + +From: Hans Verkuil + +commit 96d8569563916fe2f8fe17317e20e43f54f9ba4b upstream. + +The maximum number of buffers that can be requested was increased to +64 for the video capture queue. But video capture used a must_blank +array that was still sized for 32 (VIDEO_MAX_FRAME). This caused an +out-of-bounds write when using buffer indices >= 32. + +Create a new define MAX_VID_CAP_BUFFERS that is used to access the +must_blank array and set max_num_buffers for the video capture queue. + +This solves a crash reported by: + + https://bugzilla.kernel.org/show_bug.cgi?id=219258 + +Signed-off-by: Hans Verkuil +Fixes: cea70ed416b4 ("media: test-drivers: vivid: Increase max supported buffers for capture queues") +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/test-drivers/vivid/vivid-core.c | 2 +- + drivers/media/test-drivers/vivid/vivid-core.h | 4 +++- + drivers/media/test-drivers/vivid/vivid-ctrls.c | 2 +- + drivers/media/test-drivers/vivid/vivid-vid-cap.c | 2 +- + 4 files changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/media/test-drivers/vivid/vivid-core.c ++++ b/drivers/media/test-drivers/vivid/vivid-core.c +@@ -910,7 +910,7 @@ static int vivid_create_queue(struct viv + * videobuf2-core.c to MAX_BUFFER_INDEX. + */ + if (buf_type == V4L2_BUF_TYPE_VIDEO_CAPTURE) +- q->max_num_buffers = 64; ++ q->max_num_buffers = MAX_VID_CAP_BUFFERS; + if (buf_type == V4L2_BUF_TYPE_SDR_CAPTURE) + q->max_num_buffers = 1024; + if (buf_type == V4L2_BUF_TYPE_VBI_CAPTURE) +--- a/drivers/media/test-drivers/vivid/vivid-core.h ++++ b/drivers/media/test-drivers/vivid/vivid-core.h +@@ -26,6 +26,8 @@ + #define MAX_INPUTS 16 + /* The maximum number of outputs */ + #define MAX_OUTPUTS 16 ++/* The maximum number of video capture buffers */ ++#define MAX_VID_CAP_BUFFERS 64 + /* The maximum up or down scaling factor is 4 */ + #define MAX_ZOOM 4 + /* The maximum image width/height are set to 4K DMT */ +@@ -481,7 +483,7 @@ struct vivid_dev { + /* video capture */ + struct tpg_data tpg; + unsigned ms_vid_cap; +- bool must_blank[VIDEO_MAX_FRAME]; ++ bool must_blank[MAX_VID_CAP_BUFFERS]; + + const struct vivid_fmt *fmt_cap; + struct v4l2_fract timeperframe_vid_cap; +--- a/drivers/media/test-drivers/vivid/vivid-ctrls.c ++++ b/drivers/media/test-drivers/vivid/vivid-ctrls.c +@@ -553,7 +553,7 @@ static int vivid_vid_cap_s_ctrl(struct v + break; + case VIVID_CID_PERCENTAGE_FILL: + tpg_s_perc_fill(&dev->tpg, ctrl->val); +- for (i = 0; i < VIDEO_MAX_FRAME; i++) ++ for (i = 0; i < MAX_VID_CAP_BUFFERS; i++) + dev->must_blank[i] = ctrl->val < 100; + break; + case VIVID_CID_INSERT_SAV: +--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c ++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c +@@ -213,7 +213,7 @@ static int vid_cap_start_streaming(struc + + dev->vid_cap_seq_count = 0; + dprintk(dev, 1, "%s\n", __func__); +- for (i = 0; i < VIDEO_MAX_FRAME; i++) ++ for (i = 0; i < MAX_VID_CAP_BUFFERS; i++) + dev->must_blank[i] = tpg_g_perc_fill(&dev->tpg) < 100; + if (dev->start_streaming_error) { + dev->start_streaming_error = false; diff --git a/queue-6.11/series b/queue-6.11/series index 5527e190a5e..ed42b929885 100644 --- a/queue-6.11/series +++ b/queue-6.11/series @@ -72,3 +72,24 @@ tools-lib-thermal-fix-sampling-handler-context-ptr.patch thermal-of-support-thermal-zones-w-o-trips-subnode.patch asoc-stm32-spdifrx-fix-dma-channel-release-in-stm32_.patch asoc-sof-sof-client-probes-ipc4-set-param_size-exten.patch +media-dvb-core-add-missing-buffer-index-check.patch +media-mgb4-protect-driver-against-spectre.patch +media-ar0521-don-t-overflow-when-checking-pll-values.patch +media-s5p-jpeg-prevent-buffer-overflows.patch +media-cx24116-prevent-overflows-on-snr-calculus.patch +media-av7110-fix-a-spectre-vulnerability.patch +media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch +media-vivid-fix-buffer-overwrite-when-using-32-buffers.patch +media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch +media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch +can-m_can-m_can_close-don-t-call-free_irq-for-irq-less-devices.patch +can-mcp251xfd-mcp251xfd_get_tef_len-fix-length-calculation.patch +can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-can-modes.patch +can-cc770-sja1000-_isa-allow-building-on-x86_64.patch +ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch +ksmbd-check-outstanding-simultaneous-smb-operations.patch +ksmbd-fix-the-missing-xa_store-error-check.patch +ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch +drm-xe-fix-possible-exec-queue-leak-in-exec-ioctl.patch +drm-xe-drop-vm-dma-resv-lock-on-xe_sync_in_fence_get-failure-in-exec-ioctl.patch +drm-xe-set-mask-bits-for-ccs_mode-register.patch