From: Sasha Levin Date: Thu, 30 Mar 2023 11:50:34 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v4.14.312~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45bc6501a394108c9343b0ae9c861c3b1a308aa5;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/alsa-asihpi-check-pao-in-control_message.patch b/queue-5.15/alsa-asihpi-check-pao-in-control_message.patch new file mode 100644 index 00000000000..b58bd6d316c --- /dev/null +++ b/queue-5.15/alsa-asihpi-check-pao-in-control_message.patch 
@@ -0,0 +1,72 @@ +From 06eaf083affee8d1a450bdaf2829961bd1a72623 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 00:49:24 +0000 +Subject: ALSA: asihpi: check pao in control_message() + +From: Kuninori Morimoto + +[ Upstream commit 9026c0bf233db53b86f74f4c620715e94eb32a09 ] + +control_message() might be called with pao = NULL. +Here indicates control_message() as sample. + +(B) static void control_message(struct hpi_adapter_obj *pao, ...) + { ^^^ + struct hpi_hw_obj *phw = pao->priv; + ... ^^^ + } + +(A) void _HPI_6205(struct hpi_adapter_obj *pao, ...) + { ^^^ + ... + case HPI_OBJ_CONTROL: +(B) control_message(pao, phm, phr); + break; ^^^ + ... + } + + void HPI_6205(...) + { + ... +(A) _HPI_6205(NULL, phm, phr); + ... ^^^^ + } + +Therefore, We will get too many warning via cppcheck, like below + + sound/pci/asihpi/hpi6205.c:238:27: warning: Possible null pointer dereference: pao [nullPointer] + struct hpi_hw_obj *phw = pao->priv; + ^ + sound/pci/asihpi/hpi6205.c:433:13: note: Calling function '_HPI_6205', 1st argument 'NULL' value is 0 + _HPI_6205(NULL, phm, phr); + ^ + sound/pci/asihpi/hpi6205.c:401:20: note: Calling function 'control_message', 1st argument 'pao' value is 0 + control_message(pao, phm, phr); + ^ +Set phr->error like many functions doing, and don't call _HPI_6205() +with NULL. 
+ +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87ttypeaqz.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpi6205.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/asihpi/hpi6205.c b/sound/pci/asihpi/hpi6205.c +index 3d6914c64c4a8..4cdaeefeb6885 100644 +--- a/sound/pci/asihpi/hpi6205.c ++++ b/sound/pci/asihpi/hpi6205.c +@@ -430,7 +430,7 @@ void HPI_6205(struct hpi_message *phm, struct hpi_response *phr) + pao = hpi_find_adapter(phm->adapter_index); + } else { + /* subsys messages don't address an adapter */ +- _HPI_6205(NULL, phm, phr); ++ phr->error = HPI_ERROR_INVALID_OBJ_INDEX; + return; + } + +-- +2.39.2 + diff --git a/queue-5.15/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch b/queue-5.15/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch new file mode 100644 index 00000000000..7d16fe2461e --- /dev/null +++ b/queue-5.15/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch 
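Review bot: The comment kept above the new early return in HPI_6205(), `/* subsys messages don't address an adapter */`, no longer explains what the branch does. The new code answers every subsystem message with `HPI_ERROR_INVALID_OBJ_INDEX` instead of dispatching it with a NULL adapter. That is a behaviour change beyond silencing the cppcheck warning, and the commit message does not say whether subsystem messages are expected to reach this entry point at all, so it is worth confirming against the callers. I would reword the comment to something like `/* subsystem messages carry no adapter; reject them here rather than pass pao == NULL down */`. HPI_6205() continues outside the hunk.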
@@ -0,0 +1,62 @@ +From 646ce2b1a816c929214553c7512ac1134fd29d55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 00:50:28 +0000 +Subject: ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() + +From: Kuninori Morimoto + +[ Upstream commit 98e5eb110095ec77cb6d775051d181edbf9cd3cf ] + +tuning_ctl_set() might have buffer overrun at (X) if it didn't break +from loop by matching (A). + + static int tuning_ctl_set(...) + { + for (i = 0; i < TUNING_CTLS_COUNT; i++) +(A) if (nid == ca0132_tuning_ctls[i].nid) + break; + + snd_hda_power_up(...); +(X) dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...); + snd_hda_power_down(...); ^ + + return 1; + } + +We will get below error by cppcheck + + sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12 + for (i = 0; i < TUNING_CTLS_COUNT; i++) + ^ + sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds + dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20, + ^ +This patch cares non match case. + +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87sfe9eap7.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index c0cb6e49a9b65..2646663e03426 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -4231,8 +4231,10 @@ static int tuning_ctl_set(struct hda_codec *codec, hda_nid_t nid, + + for (i = 0; i < TUNING_CTLS_COUNT; i++) + if (nid == ca0132_tuning_ctls[i].nid) +- break; ++ goto found; + ++ return -EINVAL; ++found: + snd_hda_power_up(codec); + dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20, + ca0132_tuning_ctls[i].req, +-- +2.39.2 + 
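Review bot: The `goto found;` out of the search loop in tuning_ctl_set(), with the `found:` label placed directly after `return -EINVAL;`, is harder to read than a bounds test after the loop. Keeping `break;` and adding `if (i == TUNING_CTLS_COUNT) return -EINVAL;` before `snd_hda_power_up(codec);` gives the same protection against indexing `ca0132_tuning_ctls[i]` one past the table and states the invariant explicitly. The function can now return a negative value; whether its callers handle that is not visible here, since the body and the call sites lie outside the hunk.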
diff --git a/queue-5.15/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch b/queue-5.15/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch
new file mode 100644
index 00000000000..bf4aede9046
--- /dev/null
+++ b/queue-5.15/asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch
@@ -0,0 +1,93 @@ +From 43e3afcab5015044a6dc7cfe04696eb360dfe7af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Mar 2023 13:37:02 +0530 +Subject: ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds + +From: Ravulapati Vishnu Vardhan Rao + +[ Upstream commit e5e7e398f6bb7918dab0612eb6991f7bae95520d ] + +When we run syzkaller we get below Out of Bound. + "KASAN: slab-out-of-bounds Read in regcache_flat_read" + + Below is the backtrace of the issue: + + dump_backtrace+0x0/0x4c8 + show_stack+0x34/0x44 + dump_stack_lvl+0xd8/0x118 + print_address_description+0x30/0x2d8 + kasan_report+0x158/0x198 + __asan_report_load4_noabort+0x44/0x50 + regcache_flat_read+0x10c/0x110 + regcache_read+0xf4/0x180 + _regmap_read+0xc4/0x278 + _regmap_update_bits+0x130/0x290 + regmap_update_bits_base+0xc0/0x15c + snd_soc_component_update_bits+0xa8/0x22c + snd_soc_component_write_field+0x68/0xd4 + tx_macro_digital_mute+0xec/0x140 + + Actually There is no need to have decimator with 32 bits. + By limiting the variable with short type u8 issue is resolved. 
+ +Signed-off-by: Ravulapati Vishnu Vardhan Rao +Link: https://lore.kernel.org/r/20230304080702.609-1-quic_visr@quicinc.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-tx-macro.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c +index 2b7ba78551fab..35d148e60c334 100644 +--- a/sound/soc/codecs/lpass-tx-macro.c ++++ b/sound/soc/codecs/lpass-tx-macro.c +@@ -239,7 +239,7 @@ enum { + + struct tx_mute_work { + struct tx_macro *tx; +- u32 decimator; ++ u8 decimator; + struct delayed_work dwork; + }; + +@@ -632,7 +632,7 @@ static int tx_macro_mclk_enable(struct tx_macro *tx, + return 0; + } + +-static bool is_amic_enabled(struct snd_soc_component *component, int decimator) ++static bool is_amic_enabled(struct snd_soc_component *component, u8 decimator) + { + u16 adc_mux_reg, adc_reg, adc_n; + +@@ -843,7 +843,7 @@ static int tx_macro_enable_dec(struct snd_soc_dapm_widget *w, + struct snd_kcontrol *kcontrol, int event) + { + struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); +- unsigned int decimator; ++ u8 decimator; + u16 tx_vol_ctl_reg, dec_cfg_reg, hpf_gate_reg, tx_gain_ctl_reg; + u8 hpf_cut_off_freq; + int hpf_delay = TX_MACRO_DMIC_HPF_DELAY_MS; +@@ -1058,7 +1058,8 @@ static int tx_macro_hw_params(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { + struct snd_soc_component *component = dai->component; +- u32 decimator, sample_rate; ++ u32 sample_rate; ++ u8 decimator; + int tx_fs_rate; + struct tx_macro *tx = snd_soc_component_get_drvdata(component); + +@@ -1122,7 +1123,7 @@ static int tx_macro_digital_mute(struct snd_soc_dai *dai, int mute, int stream) + { + struct snd_soc_component *component = dai->component; + struct tx_macro *tx = snd_soc_component_get_drvdata(component); +- u16 decimator; ++ u8 decimator; + + decimator = tx->active_decimator[dai->id]; + +-- +2.39.2 + 
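Review bot: Narrowing `decimator` to `u8` in tx_macro_digital_mute() and the other sites caps the value at 255 but does not validate it. `decimator = tx->active_decimator[dai->id];` is still used without a range check, so an unset or out-of-range entry would still yield a register offset outside the regmap cache, only a smaller one. The commit message does not say which value triggered the KASAN report, so this is inferred from the visible lines. An explicit comparison against the driver's decimator count before the first register access, returning `-EINVAL` on failure, would address the cause rather than the symptom. All of the touched function bodies continue outside their hunks.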
diff --git a/queue-5.15/fbdev-au1200fb-fix-potential-divide-by-zero.patch b/queue-5.15/fbdev-au1200fb-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..ef65b66bc9e --- /dev/null +++ b/queue-5.15/fbdev-au1200fb-fix-potential-divide-by-zero.patch @@ -0,0 +1,39 @@ +From 924cf4a5c3ae4a4864717aa07a9a5b4651174b20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 09:22:54 +0000 +Subject: fbdev: au1200fb: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit 44a3b36b42acfc433aaaf526191dd12fbb919fdb ] + +var->pixclock can be assigned to zero by user. Without +proper check, divide by zero would occur when invoking +macro PICOS2KHZ in au1200fb_fb_check_var. + +Error out if var->pixclock is zero. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/au1200fb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c +index c00e01a173685..a8a0a448cdb5e 100644 +--- a/drivers/video/fbdev/au1200fb.c ++++ b/drivers/video/fbdev/au1200fb.c +@@ -1040,6 +1040,9 @@ static int au1200fb_fb_check_var(struct fb_var_screeninfo *var, + u32 pixclock; + int screen_size, plane; + ++ if (!var->pixclock) ++ return -EINVAL; ++ + plane = fbdev->plane; + + /* Make sure that the mode respect all LCD controller and +-- +2.39.2 + diff --git a/queue-5.15/fbdev-intelfb-fix-potential-divide-by-zero.patch b/queue-5.15/fbdev-intelfb-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..e0c84c2cec9 --- /dev/null +++ b/queue-5.15/fbdev-intelfb-fix-potential-divide-by-zero.patch 
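Review bot: The new `if (!var->pixclock) return -EINVAL;` guard in au1200fb_fb_check_var() carries no comment saying that the value arrives from user space. The same applies to the identical guards added in intelfb_check_var(), lxfb_check_var() and tgafb_check_var(). A one-line comment such as `/* pixclock is user-supplied (FBIOPUT_VSCREENINFO); zero would divide by zero in PICOS2KHZ() */` keeps the check from being dropped as apparently dead code in a later cleanup. The guard covers only the check_var path; whether the dividing code can be reached with a var that did not pass through it is not visible in these hunks. Each function continues outside its hunk.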
@@ -0,0 +1,39 @@ +From 0013239133f8537da2fea4e50d4cfb44ca48be9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 08:33:47 +0000 +Subject: fbdev: intelfb: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit d823685486a3446d061fed7c7d2f80af984f119a ] + +Variable var->pixclock is controlled by user and can be assigned +to zero. Without proper check, divide by zero would occur in +intelfbhw_validate_mode and intelfbhw_mode_to_hw. + +Error out if var->pixclock is zero. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/intelfb/intelfbdrv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/intelfb/intelfbdrv.c b/drivers/video/fbdev/intelfb/intelfbdrv.c +index a9579964eaba8..8a703adfa9360 100644 +--- a/drivers/video/fbdev/intelfb/intelfbdrv.c ++++ b/drivers/video/fbdev/intelfb/intelfbdrv.c +@@ -1214,6 +1214,9 @@ static int intelfb_check_var(struct fb_var_screeninfo *var, + + dinfo = GET_DINFO(info); + ++ if (!var->pixclock) ++ return -EINVAL; ++ + /* update the pitch */ + if (intelfbhw_validate_mode(dinfo, var) != 0) + return -EINVAL; +-- +2.39.2 + diff --git a/queue-5.15/fbdev-lxfb-fix-potential-divide-by-zero.patch b/queue-5.15/fbdev-lxfb-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..0a4392c873f --- /dev/null +++ b/queue-5.15/fbdev-lxfb-fix-potential-divide-by-zero.patch 
@@ -0,0 +1,38 @@ +From 6ff8792ff5eb617e31fbba5ecda978ac10cdacd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 09:05:18 +0000 +Subject: fbdev: lxfb: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit 61ac4b86a4c047c20d5cb423ddd87496f14d9868 ] + +var->pixclock can be assigned to zero by user. Without proper +check, divide by zero would occur in lx_set_clock. + +Error out if var->pixclock is zero. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/geode/lxfb_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/geode/lxfb_core.c b/drivers/video/fbdev/geode/lxfb_core.c +index 66c81262d18f8..6c6b6efb49f69 100644 +--- a/drivers/video/fbdev/geode/lxfb_core.c ++++ b/drivers/video/fbdev/geode/lxfb_core.c +@@ -234,6 +234,9 @@ static void get_modedb(struct fb_videomode **modedb, unsigned int *size) + + static int lxfb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) + { ++ if (!var->pixclock) ++ return -EINVAL; ++ + if (var->xres > 1920 || var->yres > 1440) + return -EINVAL; + +-- +2.39.2 + diff --git a/queue-5.15/fbdev-nvidia-fix-potential-divide-by-zero.patch b/queue-5.15/fbdev-nvidia-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..c84a428296f --- /dev/null +++ b/queue-5.15/fbdev-nvidia-fix-potential-divide-by-zero.patch 
@@ -0,0 +1,40 @@ +From 8bd68366c0c39507b275f489dceb54360df661f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 07:18:31 +0000 +Subject: fbdev: nvidia: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit 92e2a00f2987483e1f9253625828622edd442e61 ] + +variable var->pixclock can be set by user. In case it +equals to zero, divide by zero would occur in nvidiafb_set_par. + +Similar crashes have happened in other fbdev drivers. There +is no check and modification on var->pixclock along the call +chain to nvidia_check_var and nvidiafb_set_par. We believe it +could also be triggered in driver nvidia from user site. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/nvidia/nvidia.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/nvidia/nvidia.c b/drivers/video/fbdev/nvidia/nvidia.c +index a372a183c1f01..f9c388a8c10e3 100644 +--- a/drivers/video/fbdev/nvidia/nvidia.c ++++ b/drivers/video/fbdev/nvidia/nvidia.c +@@ -763,6 +763,8 @@ static int nvidiafb_check_var(struct fb_var_screeninfo *var, + int pitch, err = 0; + + NVTRACE_ENTER(); ++ if (!var->pixclock) ++ return -EINVAL; + + var->transp.offset = 0; + var->transp.length = 0; +-- +2.39.2 + diff --git a/queue-5.15/fbdev-tgafb-fix-potential-divide-by-zero.patch b/queue-5.15/fbdev-tgafb-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..51d78321f93 --- /dev/null +++ b/queue-5.15/fbdev-tgafb-fix-potential-divide-by-zero.patch 
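Review bot: In nvidiafb_check_var() the new early `return -EINVAL;` sits after `NVTRACE_ENTER();`, so this path leaves the function with an enter trace and no matching leave trace. Placing the `if (!var->pixclock)` test above `NVTRACE_ENTER();`, or calling `NVTRACE_LEAVE();` before returning, keeps the trace output balanced. How the other exit paths of the function handle this is outside the hunk. A blank line between the trace call and the check would also separate the two concerns.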
@@ -0,0 +1,44 @@ +From addc252a7a18fd330de7578e1024b469c80a828d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 13:08:56 +0000 +Subject: fbdev: tgafb: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit f90bd245de82c095187d8c2cabb8b488a39eaecc ] + +fb_set_var would by called when user invokes ioctl with cmd +FBIOPUT_VSCREENINFO. User-provided data would finally reach +tgafb_check_var. In case var->pixclock is assigned to zero, +divide by zero would occur when checking whether reciprocal +of var->pixclock is too high. + +Similar crashes have happened in other fbdev drivers. There +is no check and modification on var->pixclock along the call +chain to tgafb_check_var. We believe it could also be triggered +in driver tgafb from user site. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/tgafb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c +index ae0cf55406369..b9b00a1ffe222 100644 +--- a/drivers/video/fbdev/tgafb.c ++++ b/drivers/video/fbdev/tgafb.c +@@ -166,6 +166,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) + { + struct tga_par *par = (struct tga_par *)info->par; + ++ if (!var->pixclock) ++ return -EINVAL; ++ + if (par->tga_type == TGA_TYPE_8PLANE) { + if (var->bits_per_pixel != 8) + return -EINVAL; +-- +2.39.2 + diff --git a/queue-5.15/md-avoid-signed-overflow-in-slot_store.patch b/queue-5.15/md-avoid-signed-overflow-in-slot_store.patch new file mode 100644 index 00000000000..ed4883e6307 --- /dev/null +++ b/queue-5.15/md-avoid-signed-overflow-in-slot_store.patch 
@@ -0,0 +1,44 @@ +From 2be6239463ed3769e2d565954be559862b92d62e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 09:36:25 +1100 +Subject: md: avoid signed overflow in slot_store() + +From: NeilBrown + +[ Upstream commit 3bc57292278a0b6ac4656cad94c14f2453344b57 ] + +slot_store() uses kstrtouint() to get a slot number, but stores the +result in an "int" variable (by casting a pointer). +This can result in a negative slot number if the unsigned int value is +very large. + +A negative number means that the slot is empty, but setting a negative +slot number this way will not remove the device from the array. I don't +think this is a serious problem, but it could cause confusion and it is +best to fix it. + +Reported-by: Dan Carpenter +Signed-off-by: NeilBrown +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 9e54b865f30da..bd0c9dfac9815 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -3189,6 +3189,9 @@ slot_store(struct md_rdev *rdev, const char *buf, size_t len) + err = kstrtouint(buf, 10, (unsigned int *)&slot); + if (err < 0) + return err; ++ if (slot < 0) ++ /* overflow */ ++ return -ENOSPC; + } + if (rdev->mddev->pers && slot == -1) { + /* Setting 'slot' on an active array requires also +-- +2.39.2 + diff --git a/queue-5.15/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch b/queue-5.15/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch new file mode 100644 index 00000000000..fc164a3c0fc --- /dev/null +++ b/queue-5.15/net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch 
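Review bot: The new `if (slot < 0)` test in slot_store() detects the overflow only after `kstrtouint()` has already written an unsigned value through the `(unsigned int *)&slot` cast, so it depends on how that value reads back as an `int`. Parsing into an `unsigned int` temporary and rejecting `val > INT_MAX` before assigning to `slot` expresses the same limit without the pointer cast. The body of the new `if` is a comment plus a statement without braces; adding braces would make its extent unambiguous. `-ENOSPC` is a surprising result for a number that is out of range, and `-ERANGE` or `-EINVAL` may be closer to what user space expects. The rest of the function is outside the hunk and may already use `-ENOSPC` for slot errors.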
@@ -0,0 +1,40 @@ +From 4488344bc93f7c4a5a632b38435b2242e5ff8f7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 14:32:29 +0100 +Subject: net: hsr: Don't log netdev_err message on unknown prp dst node + +From: Kristian Overskeid + +[ Upstream commit 28e8cabe80f3e6e3c98121576eda898eeb20f1b1 ] + +If no frames has been exchanged with a node for HSR_NODE_FORGET_TIME, the +node will be deleted from the node_db list. If a frame is sent to the node +after it is deleted, a netdev_err message for each slave interface is +produced. This should not happen with dan nodes because of supervision +frames, but can happen often with san nodes, which clutters the kernel +log. Since the hsr protocol does not support sans, this is only relevant +for the prp protocol. + +Signed-off-by: Kristian Overskeid +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_framereg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c +index 414bf4d3d3c92..44eb9c9f80ee9 100644 +--- a/net/hsr/hsr_framereg.c ++++ b/net/hsr/hsr_framereg.c +@@ -385,7 +385,7 @@ void hsr_addr_subst_dest(struct hsr_node *node_src, struct sk_buff *skb, + node_dst = find_node_by_addr_A(&port->hsr->node_db, + eth_hdr(skb)->h_dest); + if (!node_dst) { +- if (net_ratelimit()) ++ if (net_ratelimit() && port->hsr->prot_version != PRP_V1) + netdev_err(skb->dev, "%s: Unknown node\n", __func__); + return; + } +-- +2.39.2 + diff --git a/queue-5.15/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch b/queue-5.15/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch new file mode 100644 index 00000000000..97c87c49699 --- /dev/null +++ b/queue-5.15/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch 
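Review bot: In hsr_addr_subst_dest() the new condition calls `net_ratelimit()` before testing the protocol version, so a PRP frame to an unknown node still consumes rate-limit budget even though nothing is logged. Swapping the operands, `if (port->hsr->prot_version != PRP_V1 && net_ratelimit())`, avoids starving other rate-limited messages under a stream of such frames. A short comment noting that SANs are expected to be missing from node_db under PRP would explain why the message is suppressed.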
@@ -0,0 +1,82 @@ +From c18fd69f2aace4dda0b123a1eee6fb984e46856c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 19:32:38 -0700 +Subject: sched_getaffinity: don't assume 'cpumask_size()' is fully initialized + +From: Linus Torvalds + +[ Upstream commit 6015b1aca1a233379625385feb01dd014aca60b5 ] + +The getaffinity() system call uses 'cpumask_size()' to decide how big +the CPU mask is - so far so good. It is indeed the allocation size of a +cpumask. + +But the code also assumes that the whole allocation is initialized +without actually doing so itself. That's wrong, because we might have +fixed-size allocations (making copying and clearing more efficient), but +not all of it is then necessarily used if 'nr_cpu_ids' is smaller. + +Having checked other users of 'cpumask_size()', they all seem to be ok, +either using it purely for the allocation size, or explicitly zeroing +the cpumask before using the size in bytes to copy it. + +See for example the ublk_ctrl_get_queue_affinity() function that uses +the proper 'zalloc_cpumask_var()' to make sure that the whole mask is +cleared, whether the storage is on the stack or if it was an external +allocation. + +Fix this by just zeroing the allocation before using it. Do the same +for the compat version of sched_getaffinity(), which had the same logic. + +Also, for consistency, make sched_getaffinity() use 'cpumask_bits()' to +access the bits. For a cpumask_var_t, it ends up being a pointer to the +same data either way, but it's just a good idea to treat it like you +would a 'cpumask_t'. The compat case already did that. 
+ +Reported-by: Ryan Roberts +Link: https://lore.kernel.org/lkml/7d026744-6bd6-6827-0471-b5e8eae0be3f@arm.com/ +Cc: Yury Norov +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/compat.c | 2 +- + kernel/sched/core.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/compat.c b/kernel/compat.c +index 55551989d9da5..fb50f29d9b361 100644 +--- a/kernel/compat.c ++++ b/kernel/compat.c +@@ -152,7 +152,7 @@ COMPAT_SYSCALL_DEFINE3(sched_getaffinity, compat_pid_t, pid, unsigned int, len, + if (len & (sizeof(compat_ulong_t)-1)) + return -EINVAL; + +- if (!alloc_cpumask_var(&mask, GFP_KERNEL)) ++ if (!zalloc_cpumask_var(&mask, GFP_KERNEL)) + return -ENOMEM; + + ret = sched_getaffinity(pid, mask); +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 0c72459d5f42a..acf7c09c9152f 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -8185,14 +8185,14 @@ SYSCALL_DEFINE3(sched_getaffinity, pid_t, pid, unsigned int, len, + if (len & (sizeof(unsigned long)-1)) + return -EINVAL; + +- if (!alloc_cpumask_var(&mask, GFP_KERNEL)) ++ if (!zalloc_cpumask_var(&mask, GFP_KERNEL)) + return -ENOMEM; + + ret = sched_getaffinity(pid, mask); + if (ret == 0) { + unsigned int retlen = min(len, cpumask_size()); + +- if (copy_to_user(user_mask_ptr, mask, retlen)) ++ if (copy_to_user(user_mask_ptr, cpumask_bits(mask), retlen)) + ret = -EFAULT; + else + ret = retlen; +-- +2.39.2 + diff --git a/queue-5.15/series b/queue-5.15/series index 4f31f1393da..5ca9d03be52 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
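Review bot: The switch to `zalloc_cpumask_var()` in both sched_getaffinity() entry points is what stops uninitialised kernel memory from reaching user space, but nothing at the call sites says so. A comment above the allocation, for example `/* must be zeroed: up to cpumask_size() bytes are copied to user space, which can exceed the bits populated for nr_cpu_ids */`, would stop a later change from reverting to `alloc_cpumask_var()`. In kernel/sched/core.c the copy length is `min(len, cpumask_size())`, so the zeroing is the only thing covering the tail of the mask. Both functions continue outside their hunks.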
@@ -5,3 +5,19 @@ kernel-kcsan-kcsan_test-build-without-structleak-plu.patch kcsan-avoid-passing-g-for-test.patch ksmbd-don-t-terminate-inactive-sessions-after-a-few-.patch bus-imx-weim-fix-branch-condition-evaluates-to-a-gar.patch +xfrm-zero-padding-when-dumping-algos-and-encap.patch +asoc-codecs-tx-macro-fix-for-kasan-slab-out-of-bound.patch +md-avoid-signed-overflow-in-slot_store.patch +x86-pvh-obtain-vga-console-info-in-dom0.patch +net-hsr-don-t-log-netdev_err-message-on-unknown-prp-.patch +alsa-asihpi-check-pao-in-control_message.patch +alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch +fbdev-tgafb-fix-potential-divide-by-zero.patch +sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch +fbdev-nvidia-fix-potential-divide-by-zero.patch +fbdev-intelfb-fix-potential-divide-by-zero.patch +fbdev-lxfb-fix-potential-divide-by-zero.patch +fbdev-au1200fb-fix-potential-divide-by-zero.patch +tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch +tools-power-turbostat-fix-decoding-of-hwp_status.patch +tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch diff --git a/queue-5.15/tools-power-turbostat-fix-decoding-of-hwp_status.patch b/queue-5.15/tools-power-turbostat-fix-decoding-of-hwp_status.patch new file mode 100644 index 00000000000..5a9ca0c5161 --- /dev/null +++ b/queue-5.15/tools-power-turbostat-fix-decoding-of-hwp_status.patch 
@@ -0,0 +1,37 @@ +From e1f7dcb17bbf47e098679e26fe071d88ef399382 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 15:17:50 +0200 +Subject: tools/power turbostat: fix decoding of HWP_STATUS + +From: Antti Laakso + +[ Upstream commit 92c25393586ac799b9b7d9e50434f3c44a7622c4 ] + +The "excursion to minimum" information is in bit2 +in HWP_STATUS MSR. Fix the bitmask used for +decoding the register. + +Signed-off-by: Antti Laakso +Reviewed-by: Artem Bityutskiy +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 84b8a35c91972..a3197efe52c63 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -4241,7 +4241,7 @@ int print_hwp(struct thread_data *t, struct core_data *c, struct pkg_data *p) + + fprintf(outf, "cpu%d: MSR_HWP_STATUS: 0x%08llx " + "(%sGuaranteed_Perf_Change, %sExcursion_Min)\n", +- cpu, msr, ((msr) & 0x1) ? "" : "No-", ((msr) & 0x2) ? "" : "No-"); ++ cpu, msr, ((msr) & 0x1) ? "" : "No-", ((msr) & 0x4) ? "" : "No-"); + + return 0; + } +-- +2.39.2 + diff --git a/queue-5.15/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch b/queue-5.15/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch new file mode 100644 index 00000000000..fe1d0590279 --- /dev/null +++ b/queue-5.15/tools-power-turbostat-fix-dev-cpu_dma_latency-warnin.patch 
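Review bot: The corrected mask in print_hwp() is still a bare literal, `((msr) & 0x4)`, next to `((msr) & 0x1)`, and a wrong literal was exactly the mistake being fixed. Naming the bits, or at least adding a comment such as `/* bit 0: Guaranteed_Perf_Change, bit 2: Excursion_Min */` above the `fprintf`, would make the next error of this kind visible in review. The function body starts outside the hunk.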
@@ -0,0 +1,58 @@ +From 05f1bfec1e72aa26791a8fd0ca0e517e4d3375e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 10:18:16 -0500 +Subject: tools/power turbostat: Fix /dev/cpu_dma_latency warnings + +From: Prarit Bhargava + +[ Upstream commit 40aafc7d58d3544f152a863a0e9863014b6d5d8c ] + +When running as non-root the following error is seen in turbostat: + +turbostat: fopen /dev/cpu_dma_latency +: Permission denied + +turbostat and the man page have information on how to avoid other +permission errors, so these can be fixed the same way. + +Provide better /dev/cpu_dma_latency warnings that provide instructions on +how to avoid the error, and update the man page. + +Signed-off-by: Prarit Bhargava +Cc: linux-pm@vger.kernel.org +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.8 | 2 ++ + tools/power/x86/turbostat/turbostat.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.8 b/tools/power/x86/turbostat/turbostat.8 +index 9b17097bc3d7b..b3d4bf08e70b1 100644 +--- a/tools/power/x86/turbostat/turbostat.8 ++++ b/tools/power/x86/turbostat/turbostat.8 +@@ -296,6 +296,8 @@ Alternatively, non-root users can be enabled to run turbostat this way: + + # chmod +r /dev/cpu/*/msr + ++# chmod +r /dev/cpu_dma_latency ++ + .B "turbostat " + reads hardware counters, but doesn't write them. + So it will not interfere with the OS or other programs, including +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 4f176bbf29f42..84b8a35c91972 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -5237,7 +5237,7 @@ void print_dev_latency(void) + + retval = read(fd, (void *)&value, sizeof(int)); + if (retval != sizeof(int)) { +- warn("read %s\n", path); ++ warn("read failed %s\n", path); + close(fd); + return; + } +-- +2.39.2 + 
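Review bot: The new `warn("read failed %s\n", path);` in print_dev_latency() keeps the trailing `\n` in the format string. `warn()` appends `: <strerror>` itself, which would give the broken two-line output quoted in the commit message, so `warn("read failed %s", path);` is the form to use. The same branch also fires on a short read, where `errno` is not set by `read()`, so the appended error text can be stale; `warnx()` would fit that case. The commit message promises instructions on how to avoid the error, but the new string contains none, and the `fopen` warning it quotes is not touched by this hunk.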
diff --git a/queue-5.15/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch b/queue-5.15/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch
new file mode 100644
index 00000000000..f14c06ba54e
--- /dev/null
+++ b/queue-5.15/tracing-fix-wrong-return-in-kprobe_event_gen_test.c.patch
@@ -0,0 +1,53 @@ +From cca1d4c8b318c3675f6b9b52a2ceb829c22a6d9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 10:58:18 +0300 +Subject: tracing: Fix wrong return in kprobe_event_gen_test.c + +From: Anton Gusev + +[ Upstream commit bc4f359b3b607daac0290d0038561237a86b38cb ] + +Overwriting the error code with the deletion result may cause the +function to return 0 despite encountering an error. Commit b111545d26c0 +("tracing: Remove the useless value assignment in +test_create_synth_event()") solves a similar issue by +returning the original error code, so this patch does the same. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Link: https://lore.kernel.org/linux-trace-kernel/20230131075818.5322-1-aagusev@ispras.ru + +Signed-off-by: Anton Gusev +Reviewed-by: Steven Rostedt (Google) +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/kprobe_event_gen_test.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/kprobe_event_gen_test.c b/kernel/trace/kprobe_event_gen_test.c +index c736487fc0e48..e0c420eb0b2b4 100644 +--- a/kernel/trace/kprobe_event_gen_test.c ++++ b/kernel/trace/kprobe_event_gen_test.c +@@ -146,7 +146,7 @@ static int __init test_gen_kprobe_cmd(void) + if (trace_event_file_is_valid(gen_kprobe_test)) + gen_kprobe_test = NULL; + /* We got an error after creating the event, delete it */ +- ret = kprobe_event_delete("gen_kprobe_test"); ++ kprobe_event_delete("gen_kprobe_test"); + goto out; + } + +@@ -211,7 +211,7 @@ static int __init test_gen_kretprobe_cmd(void) + if (trace_event_file_is_valid(gen_kretprobe_test)) + gen_kretprobe_test = NULL; + /* We got an error after creating the event, delete it */ +- ret = kprobe_event_delete("gen_kretprobe_test"); ++ kprobe_event_delete("gen_kretprobe_test"); + goto out; + } + +-- +2.39.2 + 
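Review bot: The result of `kprobe_event_delete("gen_kprobe_test");` in test_gen_kprobe_cmd() is now discarded without a trace, and the same holds for the `gen_kretprobe_test` call in the second hunk. If the delete fails, the event stays registered and nothing records it. Extending the existing comment to `/* We got an error after creating the event, delete it; ret keeps the original error */` documents the intent. Logging a non-zero result from the delete would additionally make a leftover event diagnosable. Both functions continue outside their hunks.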
diff --git a/queue-5.15/x86-pvh-obtain-vga-console-info-in-dom0.patch b/queue-5.15/x86-pvh-obtain-vga-console-info-in-dom0.patch
new file mode 100644
index 00000000000..4dc8f6f1a47
--- /dev/null
+++ b/queue-5.15/x86-pvh-obtain-vga-console-info-in-dom0.patch
@@ -0,0 +1,140 @@ +From 71b40a2c8eb39f1311913fa425776b7eaf249a6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 15:45:48 +0100 +Subject: x86/PVH: obtain VGA console info in Dom0 + +From: Jan Beulich + +[ Upstream commit 934ef33ee75c3846f605f18b65048acd147e3918 ] + +A new platform-op was added to Xen to allow obtaining the same VGA +console information PV Dom0 is handed. Invoke the new function and have +the output data processed by xen_init_vga(). + +Signed-off-by: Jan Beulich +Reviewed-by: Juergen Gross + +Link: https://lore.kernel.org/r/8f315e92-7bda-c124-71cc-478ab9c5e610@suse.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/Makefile | 2 +- + arch/x86/xen/enlighten_pv.c | 3 ++- + arch/x86/xen/enlighten_pvh.c | 13 +++++++++++++ + arch/x86/xen/vga.c | 5 ++--- + arch/x86/xen/xen-ops.h | 7 ++++--- + include/xen/interface/platform.h | 3 +++ + 6 files changed, 25 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/xen/Makefile b/arch/x86/xen/Makefile +index 4953260e281c3..40b5779fce21c 100644 +--- a/arch/x86/xen/Makefile ++++ b/arch/x86/xen/Makefile +@@ -45,7 +45,7 @@ obj-$(CONFIG_PARAVIRT_SPINLOCKS)+= spinlock.o + + obj-$(CONFIG_XEN_DEBUG_FS) += debugfs.o + +-obj-$(CONFIG_XEN_PV_DOM0) += vga.o ++obj-$(CONFIG_XEN_DOM0) += vga.o + + obj-$(CONFIG_SWIOTLB_XEN) += pci-swiotlb-xen.o + +diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c +index 561aad13412f9..998db0257e2ad 100644 +--- a/arch/x86/xen/enlighten_pv.c ++++ b/arch/x86/xen/enlighten_pv.c +@@ -1353,7 +1353,8 @@ asmlinkage __visible void __init xen_start_kernel(void) + + x86_platform.set_legacy_features = + xen_dom0_set_legacy_features; +- xen_init_vga(info, xen_start_info->console.dom0.info_size); ++ xen_init_vga(info, xen_start_info->console.dom0.info_size, ++ &boot_params.screen_info); + xen_start_info->console.domU.mfn = 0; + xen_start_info->console.domU.evtchn = 0; + +diff --git a/arch/x86/xen/enlighten_pvh.c 
b/arch/x86/xen/enlighten_pvh.c +index bcae606bbc5cf..1da44aca896c6 100644 +--- a/arch/x86/xen/enlighten_pvh.c ++++ b/arch/x86/xen/enlighten_pvh.c +@@ -43,6 +43,19 @@ void __init xen_pvh_init(struct boot_params *boot_params) + x86_init.oem.banner = xen_banner; + + xen_efi_init(boot_params); ++ ++ if (xen_initial_domain()) { ++ struct xen_platform_op op = { ++ .cmd = XENPF_get_dom0_console, ++ }; ++ long ret = HYPERVISOR_platform_op(&op); ++ ++ if (ret > 0) ++ xen_init_vga(&op.u.dom0_console, ++ min(ret * sizeof(char), ++ sizeof(op.u.dom0_console)), ++ &boot_params->screen_info); ++ } + } + + void __init mem_map_via_hcall(struct boot_params *boot_params_p) +diff --git a/arch/x86/xen/vga.c b/arch/x86/xen/vga.c +index e336f223f7f47..93697109592c3 100644 +--- a/arch/x86/xen/vga.c ++++ b/arch/x86/xen/vga.c +@@ -9,10 +9,9 @@ + + #include "xen-ops.h" + +-void __init xen_init_vga(const struct dom0_vga_console_info *info, size_t size) ++void __init xen_init_vga(const struct dom0_vga_console_info *info, size_t size, ++ struct screen_info *screen_info) + { +- struct screen_info *screen_info = &boot_params.screen_info; +- + /* This is drawn from a dump from vgacon:startup in + * standard Linux. 
*/ + screen_info->orig_video_mode = 3; +diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h +index 16aed4b121297..71f31032c635f 100644 +--- a/arch/x86/xen/xen-ops.h ++++ b/arch/x86/xen/xen-ops.h +@@ -110,11 +110,12 @@ static inline void xen_uninit_lock_cpu(int cpu) + + struct dom0_vga_console_info; + +-#ifdef CONFIG_XEN_PV_DOM0 +-void __init xen_init_vga(const struct dom0_vga_console_info *, size_t size); ++#ifdef CONFIG_XEN_DOM0 ++void __init xen_init_vga(const struct dom0_vga_console_info *, size_t size, ++ struct screen_info *); + #else + static inline void __init xen_init_vga(const struct dom0_vga_console_info *info, +- size_t size) ++ size_t size, struct screen_info *si) + { + } + #endif +diff --git a/include/xen/interface/platform.h b/include/xen/interface/platform.h +index 732efb08c3e17..744bc41355678 100644 +--- a/include/xen/interface/platform.h ++++ b/include/xen/interface/platform.h +@@ -500,6 +500,8 @@ struct xenpf_symdata { + }; + DEFINE_GUEST_HANDLE_STRUCT(xenpf_symdata); + ++#define XENPF_get_dom0_console 64 ++ + struct xen_platform_op { + uint32_t cmd; + uint32_t interface_version; /* XENPF_INTERFACE_VERSION */ +@@ -523,6 +525,7 @@ struct xen_platform_op { + struct xenpf_mem_hotadd mem_add; + struct xenpf_core_parking core_parking; + struct xenpf_symdata symdata; ++ struct dom0_vga_console_info dom0_console; + uint8_t pad[128]; + } u; + }; +-- +2.39.2 + diff --git a/queue-5.15/xfrm-zero-padding-when-dumping-algos-and-encap.patch b/queue-5.15/xfrm-zero-padding-when-dumping-algos-and-encap.patch new file mode 100644 index 00000000000..78b5d712642 --- /dev/null +++ b/queue-5.15/xfrm-zero-padding-when-dumping-algos-and-encap.patch 
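Review bot: In xen_pvh_init() the size handed to xen_init_vga() is written as `min(ret * sizeof(char), sizeof(op.u.dom0_console))`, where the multiplication by `sizeof(char)` only converts the `long` to `size_t` for `min()`. `min_t(size_t, ret, sizeof(op.u.dom0_console))` states the clamp of the hypervisor-returned length directly. The call spans three lines under an unbraced `if (ret > 0)`, and braces would make its extent clear. Separately, include/xen/interface/platform.h adds `struct dom0_vga_console_info dom0_console` to a union that is otherwise sized by `uint8_t pad[128]`. The struct's size is not visible here, so a compile-time assertion that it fits within the pad would protect the hypercall ABI.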
@@ -0,0 +1,111 @@
+From 5867b6a14c7f98c57b3102d1988e8c2cc9514e40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Feb 2023 09:09:52 +0800
+Subject: xfrm: Zero padding when dumping algos and encap
+
+From: Herbert Xu
+
+[ Upstream commit 8222d5910dae08213b6d9d4bc9a7f8502855e624 ]
+
+When copying data to user-space we should ensure that only valid
+data is copied over. Padding in structures may be filled with
+random (possibly sensitve) data and should never be given directly
+to user-space.
+
+This patch fixes the copying of xfrm algorithms and the encap
+template in xfrm_user so that padding is zeroed.
+
+Reported-by: syzbot+fa5414772d5c445dac3c@syzkaller.appspotmail.com
+Reported-by: Hyunwoo Kim
+Signed-off-by: Herbert Xu
+Reviewed-by: Sabrina Dubroca
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_user.c | 45 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 5fba82757ce5e..eb0952dbf4236 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -906,7 +906,9 @@ static int copy_to_user_aead(struct xfrm_algo_aead *aead, struct sk_buff *skb)
+ return -EMSGSIZE;
+
+ ap = nla_data(nla);
+- memcpy(ap, aead, sizeof(*aead));
++ strscpy_pad(ap->alg_name, aead->alg_name, sizeof(ap->alg_name));
++ ap->alg_key_len = aead->alg_key_len;
++ ap->alg_icv_len = aead->alg_icv_len;
+
+ if (redact_secret && aead->alg_key_len)
+ memset(ap->alg_key, 0, (aead->alg_key_len + 7) / 8);
+@@ -926,7 +928,8 @@ static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb)
+ return -EMSGSIZE;
+
+ ap = nla_data(nla);
+- memcpy(ap, ealg, sizeof(*ealg));
++ strscpy_pad(ap->alg_name, ealg->alg_name, sizeof(ap->alg_name));
++ ap->alg_key_len = ealg->alg_key_len;
+
+ if (redact_secret && ealg->alg_key_len)
+ memset(ap->alg_key, 0, (ealg->alg_key_len + 7) / 8);
+@@ -937,6 +940,40 @@ static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb)
+ return 0;
+ }
+
++static int copy_to_user_calg(struct xfrm_algo *calg, struct sk_buff *skb)
++{
++ struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_COMP, sizeof(*calg));
++ struct xfrm_algo *ap;
++
++ if (!nla)
++ return -EMSGSIZE;
++
++ ap = nla_data(nla);
++ strscpy_pad(ap->alg_name, calg->alg_name, sizeof(ap->alg_name));
++ ap->alg_key_len = 0;
++
++ return 0;
++}
++
++static int copy_to_user_encap(struct xfrm_encap_tmpl *ep, struct sk_buff *skb)
++{
++ struct nlattr *nla = nla_reserve(skb, XFRMA_ENCAP, sizeof(*ep));
++ struct xfrm_encap_tmpl *uep;
++
++ if (!nla)
++ return -EMSGSIZE;
++
++ uep = nla_data(nla);
++ memset(uep, 0, sizeof(*uep));
++
++ uep->encap_type = ep->encap_type;
++ uep->encap_sport = ep->encap_sport;
++ uep->encap_dport = ep->encap_dport;
++ uep->encap_oa = ep->encap_oa;
++
++ return 0;
++}
++
+ static int xfrm_smark_put(struct sk_buff *skb, struct xfrm_mark *m)
+ {
+ int ret = 0;
+@@ -992,12 +1029,12 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
+ goto out;
+ }
+ if (x->calg) {
+- ret = nla_put(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
++ ret = copy_to_user_calg(x->calg, skb);
+ if (ret)
+ goto out;
+ }
+ if (x->encap) {
+- ret = nla_put(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap);
++ ret = copy_to_user_encap(x->encap, skb);
+ if (ret)
+ goto out;
+ }
+--
+2.39.2
+
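Review bot: In the added copy_to_user_calg(), `ap->alg_key_len = 0;` replaces the value the old `nla_put(..., x->calg)` copied from the state, and nothing in the helper says why. Only `sizeof(*calg)` is reserved, so the attribute has no room for key bytes and a non-zero length would describe data that is not in the message; I would record that above the assignment, e.g. `/* header only: no key bytes follow, so report a zero key length */`. The three algo helpers also set their header fields one by one without the up-front `memset()` that copy_to_user_encap() uses, so a field later added to struct xfrm_algo or struct xfrm_algo_aead would presumably reach user space uninitialised; a one-line comment stating that every header field must be assigned would guard against that. copy_to_user_aead() and copy_to_user_ealg() continue outside their hunks, so the key copy that follows the redaction check is not visible here.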