From: Sasha Levin Date: Fri, 11 Oct 2024 12:10:06 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.10.227~80 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=302cc17090c25d3cb8429dc5680ee2093def5eec;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/drm-crtc-fix-uninitialized-variable-use-even-harder.patch b/queue-5.4/drm-crtc-fix-uninitialized-variable-use-even-harder.patch new file mode 100644 index 00000000000..6fb958bd93f --- /dev/null +++ b/queue-5.4/drm-crtc-fix-uninitialized-variable-use-even-harder.patch @@ -0,0 +1,40 @@ +From 928b4e719450e92c92baf957d9f1ba3312f25783 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Feb 2024 13:55:34 -0800 +Subject: drm/crtc: fix uninitialized variable use even harder + +From: Rob Clark + +[ Upstream commit b6802b61a9d0e99dcfa6fff7c50db7c48a9623d3 ] + +DRM_MODESET_LOCK_ALL_BEGIN() has a hidden trap-door (aka retry loop), +which means we can't rely too much on variable initializers. + +Fixes: 6e455f5dcdd1 ("drm/crtc: fix uninitialized variable use") +Signed-off-by: Rob Clark +Reviewed-by: Daniel Vetter +Reviewed-by: Abhinav Kumar +Reviewed-by: Dmitry Baryshkov +Tested-by: Dmitry Baryshkov # sc7180, sdm845 +Link: https://patchwork.freedesktop.org/patch/msgid/20240212215534.190682-1-robdclark@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_crtc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c +index 85d85a0ba85f9..da45cfd2939cf 100644 +--- a/drivers/gpu/drm/drm_crtc.c ++++ b/drivers/gpu/drm/drm_crtc.c +@@ -727,6 +727,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, + connector_set = NULL; + fb = NULL; + mode = NULL; ++ num_connectors = 0; + + DRM_MODESET_LOCK_ALL_END(ctx, ret); + mutex_unlock(&crtc->dev->mode_config.mutex); +-- +2.43.0 + 
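Review bot: the added `num_connectors = 0;` at line 730 is correct, but the reason for it is not visible at the reset site; add a one-line comment above the four resets (connector_set, fb, mode, num_connectors) stating that DRM_MODESET_LOCK_ALL_BEGIN() can jump back and re-run the body on a deadlock retry, so any local that is consumed or freed before DRM_MODESET_LOCK_ALL_END() must be re-initialized here and not only at its declaration. It is also worth confirming that num_connectors is initialized at its declaration, since the first pass through the body runs before this reset executes.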
diff --git a/queue-5.4/input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch b/queue-5.4/input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch new file mode 100644 index 00000000000..4c336d3fc49 --- /dev/null +++ b/queue-5.4/input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch 
@@ -0,0 +1,55 @@ +From 76b18b8dc1aa41c6329ebb13c689f0e3e68dd94d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 05:42:12 +0000 +Subject: Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal + +From: Mathias Krause + +commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream. + +Calling irq_domain_remove() will lead to freeing the IRQ domain +prematurely. The domain is still referenced and will be attempted to get +used via rmi_free_function_list() -> rmi_unregister_function() -> +irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer. + +With PaX's MEMORY_SANITIZE this will lead to an access fault when +attempting to dereference embedded pointers, as in Torsten's report that +was faulting on the 'domain->ops->unmap' test. + +Fix this by releasing the IRQ domain only after all related IRQs have +been deactivated. + +Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") +Reported-by: Torsten Hilbrich +Signed-off-by: Mathias Krause +Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net +Signed-off-by: Dmitry Torokhov +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Sasha Levin +--- + drivers/input/rmi4/rmi_driver.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c +index aa32371f04af6..ef9ea295f9e03 100644 +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -978,12 +978,12 @@ static int rmi_driver_remove(struct device *dev) + + rmi_disable_irq(rmi_dev, false); + +- irq_domain_remove(data->irqdomain); +- data->irqdomain = NULL; +- + rmi_f34_remove_sysfs(rmi_dev); + rmi_free_function_list(rmi_dev); + ++ irq_domain_remove(data->irqdomain); ++ data->irqdomain = NULL; ++ + return 0; + } + +-- +2.43.0 + 
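Review bot: the reordering in rmi_driver_remove() fixes the use-after-free, but nothing in the function records the ordering constraint, so a later cleanup could move irq_domain_remove() back above rmi_free_function_list(). Add a comment above the moved `irq_domain_remove(data->irqdomain);` stating that rmi_free_function_list() disposes each function's IRQ mapping via irq_dispose_mapping(), which dereferences the domain, so the domain must outlive that call. The probe error path is not part of this hunk and should be checked for the same ordering.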
diff --git a/queue-5.4/net-ethernet-cortina-drop-tso-support.patch b/queue-5.4/net-ethernet-cortina-drop-tso-support.patch new file mode 100644 index 00000000000..853303c1afb --- /dev/null +++ b/queue-5.4/net-ethernet-cortina-drop-tso-support.patch 
@@ -0,0 +1,88 @@ +From 9ce70e4de162b8a366a0873d3fdd98305c394e67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jan 2024 01:12:22 +0100 +Subject: net: ethernet: cortina: Drop TSO support + +From: Linus Walleij + +[ Upstream commit ac631873c9e7a50d2a8de457cfc4b9f86666403e ] + +The recent change to allow large frames without hardware checksumming +slotted in software checksumming in the driver if hardware could not +do it. + +This will however upset TSO (TCP Segment Offloading). Typical +error dumps includes this: + +skb len=2961 headroom=222 headlen=66 tailroom=0 +(...) +WARNING: CPU: 0 PID: 956 at net/core/dev.c:3259 skb_warn_bad_offload+0x7c/0x108 +gemini-ethernet-port: caps=(0x0000010000154813, 0x00002007ffdd7889) + +And the packets do not go through. + +The TSO implementation is bogus: a TSO enabled driver must propagate +the skb_shinfo(skb)->gso_size value to the TSO engine on the NIC. + +Drop the size check and TSO offloading features for now: this +needs to be fixed up properly. + +After this ethernet works fine on Gemini devices with a direct connected +PHY such as D-Link DNS-313. + +Also tested to still be working with a DSA switch using the Gemini +ethernet as conduit interface. + +Link: https://lore.kernel.org/netdev/CANn89iJLfxng1sYL5Zk0mknXpyYQPCp83m3KgD2KJ2_hKCpEUg@mail.gmail.com/ +Suggested-by: Eric Dumazet +Fixes: d4d0c5b4d279 ("net: ethernet: cortina: Handle large frames") +Signed-off-by: Linus Walleij +Reviewed-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 15 ++------------- + 1 file changed, 2 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 91952d086f226..8b5ed26cab03e 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -81,8 +81,7 @@ MODULE_PARM_DESC(debug, "Debug level (0=none,...,16=all)"); + #define GMAC0_IRQ4_8 (GMAC0_MIB_INT_BIT | GMAC0_RX_OVERRUN_INT_BIT) + + #define GMAC_OFFLOAD_FEATURES (NETIF_F_SG | NETIF_F_IP_CSUM | \ +- NETIF_F_IPV6_CSUM | NETIF_F_RXCSUM | \ +- NETIF_F_TSO | NETIF_F_TSO_ECN | NETIF_F_TSO6) ++ NETIF_F_IPV6_CSUM | NETIF_F_RXCSUM) + + /** + * struct gmac_queue_page - page buffer per-page info +@@ -1155,23 +1154,13 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb, + struct gmac_txdesc *txd; + skb_frag_t *skb_frag; + dma_addr_t mapping; +- unsigned short mtu; + void *buffer; + int ret; + +- mtu = ETH_HLEN; +- mtu += netdev->mtu; +- if (skb->protocol == htons(ETH_P_8021Q)) +- mtu += VLAN_HLEN; +- ++ /* TODO: implement proper TSO using MTU in word3 */ + word1 = skb->len; + word3 = SOF_BIT; + +- if (word1 > mtu) { +- word1 |= TSS_MTU_ENABLE_BIT; +- word3 |= mtu; +- } +- + if (skb->len >= ETH_FRAME_LEN) { + /* Hardware offloaded checksumming isn't working on frames + * bigger than 1514 bytes. A hypothesis about this is that the +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 4c15424a5ca..c0ad0dd4526 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
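Review bot: with NETIF_F_TSO, NETIF_F_TSO_ECN and NETIF_F_TSO6 dropped from GMAC_OFFLOAD_FEATURES, confirm that this macro is the only place the driver advertises TSO (hw_features, vlan_features or any ethtool-settable mask); if TSO remains reachable through another feature mask, the stack can still hand the driver GSO skbs that the second hunk no longer attempts to handle.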
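Review bot: the new comment `/* TODO: implement proper TSO using MTU in word3 */` in gmac_map_tx_bufs() describes exactly the approach the commit message calls bogus (the removed lines set TSS_MTU_ENABLE_BIT and stored the MTU in word3). Per the message, a proper implementation must propagate skb_shinfo(skb)->gso_size to the TSO engine, so the TODO should say that instead, otherwise the next person to pick it up will reintroduce the MTU-based check that was just removed.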
@@ -304,3 +304,9 @@ acpi-battery-fix-possible-crash-when-unregistering-a.patch ext4-fix-inode-tree-inconsistency-caused-by-enomem.patch clk-imx6ul-fix-failed-to-get-parent-error.patch unicode-don-t-special-case-ignorable-code-points.patch +net-ethernet-cortina-drop-tso-support.patch +tracing-remove-precision-vsnprintf-check-from-print-.patch +drm-crtc-fix-uninitialized-variable-use-even-harder.patch +tracing-have-saved_cmdlines-arrays-all-in-one-alloca.patch +virtio_console-fix-misc-probe-bugs.patch +input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch diff --git a/queue-5.4/tracing-have-saved_cmdlines-arrays-all-in-one-alloca.patch b/queue-5.4/tracing-have-saved_cmdlines-arrays-all-in-one-alloca.patch new file mode 100644 index 00000000000..2ce07472db1 --- /dev/null +++ b/queue-5.4/tracing-have-saved_cmdlines-arrays-all-in-one-alloca.patch 
@@ -0,0 +1,104 @@ +From a730f43977f19f3fe0317781aeafb1d3387b2e74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 09:06:14 -0500 +Subject: tracing: Have saved_cmdlines arrays all in one allocation + +From: Steven Rostedt (Google) + +[ Upstream commit 0b18c852cc6fb8284ac0ab97e3e840974a6a8a64 ] + +The saved_cmdlines have three arrays for mapping PIDs to COMMs: + + - map_pid_to_cmdline[] + - map_cmdline_to_pid[] + - saved_cmdlines + +The map_pid_to_cmdline[] is PID_MAX_DEFAULT in size and holds the index +into the other arrays. The map_cmdline_to_pid[] is a mapping back to the +full pid as it can be larger than PID_MAX_DEFAULT. And the +saved_cmdlines[] just holds the COMMs associated to the pids. + +Currently the map_pid_to_cmdline[] and saved_cmdlines[] are allocated +together (in reality the saved_cmdlines is just in the memory of the +rounding of the allocation of the structure as it is always allocated in +powers of two). The map_cmdline_to_pid[] array is allocated separately. + +Since the rounding to a power of two is rather large (it allows for 8000 +elements in saved_cmdlines), also include the map_cmdline_to_pid[] array. +(This drops it to 6000 by default, which is still plenty for most use +cases). This saves even more memory as the map_cmdline_to_pid[] array +doesn't need to be allocated. 
+ +Link: https://lore.kernel.org/linux-trace-kernel/20240212174011.068211d9@gandalf.local.home/ +Link: https://lore.kernel.org/linux-trace-kernel/20240220140703.182330529@goodmis.org + +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Andrew Morton +Cc: Tim Chen +Cc: Vincent Donnefort +Cc: Sven Schnelle +Cc: Mete Durlu +Fixes: 44dc5c41b5b1 ("tracing: Fix wasted memory in saved_cmdlines logic") +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 67466563d86f1..d084334193bd3 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1982,6 +1982,10 @@ struct saved_cmdlines_buffer { + }; + static struct saved_cmdlines_buffer *savedcmd; + ++/* Holds the size of a cmdline and pid element */ ++#define SAVED_CMDLINE_MAP_ELEMENT_SIZE(s) \ ++ (TASK_COMM_LEN + sizeof((s)->map_cmdline_to_pid[0])) ++ + static inline char *get_saved_cmdlines(int idx) + { + return &savedcmd->saved_cmdlines[idx * TASK_COMM_LEN]; +@@ -1996,7 +2000,6 @@ static void free_saved_cmdlines_buffer(struct saved_cmdlines_buffer *s) + { + int order = get_order(sizeof(*s) + s->cmdline_num * TASK_COMM_LEN); + +- kfree(s->map_cmdline_to_pid); + kmemleak_free(s); + free_pages((unsigned long)s, order); + } +@@ -2009,7 +2012,7 @@ static struct saved_cmdlines_buffer *allocate_cmdlines_buffer(unsigned int val) + int order; + + /* Figure out how much is needed to hold the given number of cmdlines */ +- orig_size = sizeof(*s) + val * TASK_COMM_LEN; ++ orig_size = sizeof(*s) + val * SAVED_CMDLINE_MAP_ELEMENT_SIZE(s); + order = get_order(orig_size); + size = 1 << (order + PAGE_SHIFT); + page = alloc_pages(GFP_KERNEL, order); +@@ -2021,16 +2024,11 @@ static struct saved_cmdlines_buffer *allocate_cmdlines_buffer(unsigned int val) + memset(s, 0, sizeof(*s)); + + /* Round up to actual allocation */ 
+- val = (size - sizeof(*s)) / TASK_COMM_LEN; ++ val = (size - sizeof(*s)) / SAVED_CMDLINE_MAP_ELEMENT_SIZE(s); + s->cmdline_num = val; + +- s->map_cmdline_to_pid = kmalloc_array(val, +- sizeof(*s->map_cmdline_to_pid), +- GFP_KERNEL); +- if (!s->map_cmdline_to_pid) { +- free_saved_cmdlines_buffer(s); +- return NULL; +- } ++ /* Place map_cmdline_to_pid array right after saved_cmdlines */ ++ s->map_cmdline_to_pid = (unsigned *)&s->saved_cmdlines[val * TASK_COMM_LEN]; + + s->cmdline_idx = 0; + memset(&s->map_pid_to_cmdline, NO_CMDLINE_MAP, +-- +2.43.0 + diff --git a/queue-5.4/tracing-remove-precision-vsnprintf-check-from-print-.patch b/queue-5.4/tracing-remove-precision-vsnprintf-check-from-print-.patch new file mode 100644 index 00000000000..d86ad5d6ce5 --- /dev/null +++ b/queue-5.4/tracing-remove-precision-vsnprintf-check-from-print-.patch 
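Review bot: free_saved_cmdlines_buffer() still derives its order from `s->cmdline_num * TASK_COMM_LEN` while allocate_cmdlines_buffer() now sizes the pages with SAVED_CMDLINE_MAP_ELEMENT_SIZE(s), so the two paths no longer agree on the allocation size. It happens to be safe here because cmdline_num is computed by dividing the real allocation by the larger element size and TASK_COMM_LEN is more than half of that element size, so get_order() lands on the same order, but that is an accident of the constants. Use the same macro in the free path, i.e. `get_order(sizeof(*s) + s->cmdline_num * SAVED_CMDLINE_MAP_ELEMENT_SIZE(s))`, or record the order in the struct, so a future change to the element size cannot turn this into a partial free.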
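Review bot: `s->map_cmdline_to_pid = (unsigned *)&s->saved_cmdlines[val * TASK_COMM_LEN];` places an array of unsigned at a byte offset inside a char array, so it is only correctly aligned because TASK_COMM_LEN is a multiple of sizeof(unsigned) and saved_cmdlines itself starts at an aligned offset; add a BUILD_BUG_ON(TASK_COMM_LEN % sizeof(unsigned)) or at least a comment next to the cast so the assumption is explicit rather than implied by the comment "Place map_cmdline_to_pid array right after saved_cmdlines".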
@@ -0,0 +1,69 @@ +From 652ecd393734df21ca47d324130afea4ad4cf95f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Mar 2024 17:43:41 -0500 +Subject: tracing: Remove precision vsnprintf() check from print event + +From: Steven Rostedt (Google) + +[ Upstream commit 5efd3e2aef91d2d812290dcb25b2058e6f3f532c ] + +This reverts 60be76eeabb3d ("tracing: Add size check when printing +trace_marker output"). The only reason the precision check was added +was because of a bug that miscalculated the write size of the string into +the ring buffer and it truncated it removing the terminating nul byte. On +reading the trace it crashed the kernel. But this was due to the bug in +the code that happened during development and should never happen in +practice. If anything, the precision can hide bugs where the string in the +ring buffer isn't nul terminated and it will not be checked. + +Link: https://lore.kernel.org/all/C7E7AF1A-D30F-4D18-B8E5-AF1EF58004F5@linux.ibm.com/ +Link: https://lore.kernel.org/linux-trace-kernel/20240227125706.04279ac2@gandalf.local.home +Link: https://lore.kernel.org/all/20240302111244.3a1674be@gandalf.local.home/ +Link: https://lore.kernel.org/linux-trace-kernel/20240304174341.2a561d9f@gandalf.local.home + +Cc: Masami Hiramatsu +Cc: Linus Torvalds +Fixes: 60be76eeabb3d ("tracing: Add size check when printing trace_marker output") +Reported-by: Sachin Sant +Tested-by: Sachin Sant +Reviewed-by: Mathieu Desnoyers +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_output.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c +index 9ffe54ff3edb2..b194dd1c8420f 100644 +--- a/kernel/trace/trace_output.c ++++ b/kernel/trace/trace_output.c +@@ -1291,12 +1291,11 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter, + { + struct print_entry *field; + struct trace_seq *s = &iter->seq; +- int max = iter->ent_size - 
offsetof(struct print_entry, buf); + + trace_assign_type(field, iter->ent); + + seq_print_ip_sym(s, field->ip, flags); +- trace_seq_printf(s, ": %.*s", max, field->buf); ++ trace_seq_printf(s, ": %s", field->buf); + + return trace_handle_return(s); + } +@@ -1305,11 +1304,10 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags, + struct trace_event *event) + { + struct print_entry *field; +- int max = iter->ent_size - offsetof(struct print_entry, buf); + + trace_assign_type(field, iter->ent); + +- trace_seq_printf(&iter->seq, "# %lx %.*s", field->ip, max, field->buf); ++ trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf); + + return trace_handle_return(&iter->seq); + } +-- +2.43.0 + diff --git a/queue-5.4/virtio_console-fix-misc-probe-bugs.patch b/queue-5.4/virtio_console-fix-misc-probe-bugs.patch new file mode 100644 index 00000000000..9adc5917db9 --- /dev/null +++ b/queue-5.4/virtio_console-fix-misc-probe-bugs.patch 
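Review bot: dropping the `%.*s` precision means trace_print_print() and trace_print_raw() now trust that field->buf is NUL-terminated within the entry; the commit message argues the writer is expected to include the terminating byte, but nothing at the read site says so. Add a short comment at the first `%s` use noting that the write side is responsible for the terminator, so a future change to the writer is checked against that contract rather than silently reintroducing an over-read that the precision check used to mask.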
@@ -0,0 +1,71 @@ +From 5ab0df304938eb66b2939b6ec20bb071d51bccbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 14:16:44 -0400 +Subject: virtio_console: fix misc probe bugs + +From: Michael S. Tsirkin + +[ Upstream commit b9efbe2b8f0177fa97bfab290d60858900aa196b ] + +This fixes the following issue discovered by code review: + +after vqs have been created, a buggy device can send an interrupt. + +A control vq callback will then try to schedule control_work which has +not been initialized yet. Similarly for config interrupt. Further, in +and out vq callbacks invoke find_port_by_vq which attempts to take +ports_lock which also has not been initialized. + +To fix, init all locks and work before creating vqs. + +Message-ID: +Fixes: 17634ba25544 ("virtio: console: Add a new MULTIPORT feature, support for generic ports") +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/char/virtio_console.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index c736adef9d3c8..8cba4c2513736 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -2051,25 +2051,27 @@ static int virtcons_probe(struct virtio_device *vdev) + multiport = true; + } + +- err = init_vqs(portdev); +- if (err < 0) { +- dev_err(&vdev->dev, "Error %d initializing vqs\n", err); +- goto free_chrdev; +- } +- + spin_lock_init(&portdev->ports_lock); + INIT_LIST_HEAD(&portdev->ports); + INIT_LIST_HEAD(&portdev->list); + +- virtio_device_ready(portdev->vdev); +- + INIT_WORK(&portdev->config_work, &config_work_handler); + INIT_WORK(&portdev->control_work, &control_work_handler); + + if (multiport) { + spin_lock_init(&portdev->c_ivq_lock); + spin_lock_init(&portdev->c_ovq_lock); ++ } + ++ err = init_vqs(portdev); ++ if (err < 0) { ++ dev_err(&vdev->dev, "Error %d initializing vqs\n", err); ++ goto free_chrdev; ++ } ++ ++ 
virtio_device_ready(portdev->vdev); ++ ++ if (multiport) { + err = fill_queue(portdev->c_ivq, &portdev->c_ivq_lock); + if (err < 0) { + dev_err(&vdev->dev, +-- +2.43.0 +
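Review bot: the reorder is right, but the constraint it enforces (ports_lock, config_work, control_work and, for multiport, c_ivq_lock/c_ovq_lock must all be initialized before init_vqs() because a device can raise vq or config interrupts as soon as the vqs exist) lives only in the commit message; add a comment above the moved `err = init_vqs(portdev);` so the original order is not restored by a later cleanup. Also confirm that the `free_chrdev` path taken when init_vqs() fails does not assume the vqs exist, since that goto is now reached with the locks and work items initialized but no queues created.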