From: Greg Kroah-Hartman
Date: Mon, 20 Jan 2025 15:08:23 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v6.6.73~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e57f1c1e2094f1a408c725b6af45040d3c11b12;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
drm-i915-fb-relax-clear-color-alignment-to-64-bytes.patch
hrtimers-handle-cpu-state-correctly-on-hotplug.patch
irqchip-gic-v3-handle-cpu_pm_enter_failed-correctly.patch
irqchip-plug-a-of-node-reference-leak-in-platform_irqchip_probe.patch
revert-pci-use-preserve_config-in-place-of-pci_flags.patch
---
diff --git a/queue-5.15/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch b/queue-5.15/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
new file mode 100644
index 0000000000..f2159e15fc
--- /dev/null
+++ b/queue-5.15/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
@@ -0,0 +1,79 @@ +From a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Fri, 5 Apr 2024 15:43:45 -0400 +Subject: Bluetooth: RFCOMM: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +commit a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 upstream. + +syzbot reported rfcomm_sock_setsockopt_old() is copying data without +checking user input length. + +BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset +include/linux/sockptr.h:49 [inline] +BUG: KASAN: slab-out-of-bounds in copy_from_sockptr +include/linux/sockptr.h:55 [inline] +BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old +net/bluetooth/rfcomm/sock.c:632 [inline] +BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 +net/bluetooth/rfcomm/sock.c:673 +Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064 + +Fixes: 9f2c8a03fbb3 ("Bluetooth: Replace RFCOMM link mode with security level") +Fixes: bb23c0ab8246 ("Bluetooth: Add support for deferring RFCOMM connection setup") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Keerthana K +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/rfcomm/sock.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -636,7 +636,7 @@ static int rfcomm_sock_setsockopt_old(st + + switch (optname) { + case RFCOMM_LM: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { ++ if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) { + err = -EFAULT; + break; + } +@@ -671,7 +671,6 @@ static int rfcomm_sock_setsockopt(struct + struct sock *sk = sock->sk; + struct bt_security sec; + int err = 0; +- size_t len; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -693,11 +692,9 @@ static int rfcomm_sock_setsockopt(struct + + sec.level = BT_SECURITY_LOW; + +- len = min_t(unsigned int, sizeof(sec), optlen); +- if 
(copy_from_sockptr(&sec, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); ++ if (err) + break; +- } + + if (sec.level > BT_SECURITY_HIGH) { + err = -EINVAL; +@@ -713,10 +710,9 @@ static int rfcomm_sock_setsockopt(struct + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) + set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); diff --git a/queue-5.15/drm-i915-fb-relax-clear-color-alignment-to-64-bytes.patch b/queue-5.15/drm-i915-fb-relax-clear-color-alignment-to-64-bytes.patch new file mode 100644 index 0000000000..d535a01ed3 --- /dev/null +++ b/queue-5.15/drm-i915-fb-relax-clear-color-alignment-to-64-bytes.patch 
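Review bot: The BT_SECURITY branch changes what user input is accepted: the removed `len = min_t(unsigned int, sizeof(sec), optlen)` copy tolerated an `optlen` shorter than `sizeof(struct bt_security)`, whereas `bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen)` presumably rejects a short buffer, so a caller that passed only the leading `level` byte now gets the helper's error code instead of a partial copy — worth a sentence in the backport note if that tightening is intended for 5.15. The hunk also depends on `bt_copy_from_sockptr()` already existing in the 5.15 tree, which this patch does not add; confirm it is queued ahead of this one. Both `rfcomm_sock_setsockopt_old()` and `rfcomm_sock_setsockopt()` start and end outside the inner hunks.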
@@ -0,0 +1,62 @@ +From 1a5401ec3018c101c456cdbda2eaef9482db6786 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Fri, 29 Nov 2024 08:50:11 +0200 +Subject: drm/i915/fb: Relax clear color alignment to 64 bytes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 1a5401ec3018c101c456cdbda2eaef9482db6786 upstream. + +Mesa changed its clear color alignment from 4k to 64 bytes +without informing the kernel side about the change. This +is now likely to cause framebuffer creation to fail. + +The only thing we do with the clear color buffer in i915 is: +1. map a single page +2. read out bytes 16-23 from said page +3. unmap the page + +So the only requirement we really have is that those 8 bytes +are all contained within one page. Thus we can deal with the +Mesa regression by reducing the alignment requiment from 4k +to the same 64 bytes in the kernel. We could even go as low as +32 bytes, but IIRC 64 bytes is the hardware requirement on +the 3D engine side so matching that seems sensible. + +Note that the Mesa alignment chages were partially undone +so the regression itself was already fixed on userspace +side. 
+ +Cc: stable@vger.kernel.org +Cc: Sagar Ghuge +Cc: Nanley Chery +Reported-by: Xi Ruoyao +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13057 +Closes: https://lore.kernel.org/all/45a5bba8de009347262d86a4acb27169d9ae0d9f.camel@xry111.site/ +Link: https://gitlab.freedesktop.org/mesa/mesa/-/commit/17f97a69c13832a6c1b0b3aad45b06f07d4b852f +Link: https://gitlab.freedesktop.org/mesa/mesa/-/commit/888f63cf1baf34bc95e847a30a041dc7798edddb +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20241129065014.8363-2-ville.syrjala@linux.intel.com +Tested-by: Xi Ruoyao +Reviewed-by: José Roberto de Souza +(cherry picked from commit ed3a892e5e3d6b3f6eeb76db7c92a968aeb52f3d) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_fb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/display/intel_fb.c ++++ b/drivers/gpu/drm/i915/display/intel_fb.c +@@ -795,7 +795,7 @@ int intel_fill_fb_info(struct drm_i915_p + * arithmetic related to alignment and offset calculation. + */ + if (is_gen12_ccs_cc_plane(&fb->base, i)) { +- if (IS_ALIGNED(fb->base.offsets[i], PAGE_SIZE)) ++ if (IS_ALIGNED(fb->base.offsets[i], 64)) + continue; + else + return -EINVAL; diff --git a/queue-5.15/hrtimers-handle-cpu-state-correctly-on-hotplug.patch b/queue-5.15/hrtimers-handle-cpu-state-correctly-on-hotplug.patch new file mode 100644 index 0000000000..cac1beba92 --- /dev/null +++ b/queue-5.15/hrtimers-handle-cpu-state-correctly-on-hotplug.patch 
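Review bot: The new `IS_ALIGNED(fb->base.offsets[i], 64)` replaces a self-describing `PAGE_SIZE` with a bare 64, and the justification in the change log (the only access is an 8-byte read at bytes 16-23 of one mapped page, and 64 matches the 3D engine's alignment and Mesa's allocation) is not recorded in the file. A short comment on the check, e.g. `/* 64-byte alignment keeps the 8-byte clear color (bytes 16-23) within one page */`, keeps the next reader from "fixing" it back to a page. The comment block ending just above the hunk (`* arithmetic related to alignment and offset calculation.`) may be the better home for it, but only its tail is visible here. `intel_fill_fb_info()` starts and ends outside the hunk.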
@@ -0,0 +1,101 @@ +From 2f8dea1692eef2b7ba6a256246ed82c365fdc686 Mon Sep 17 00:00:00 2001 +From: Koichiro Den +Date: Fri, 20 Dec 2024 22:44:21 +0900 +Subject: hrtimers: Handle CPU state correctly on hotplug + +From: Koichiro Den + +commit 2f8dea1692eef2b7ba6a256246ed82c365fdc686 upstream. + +Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway +through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to +CPUHP_ONLINE: + +Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set +to 1 throughout. However, during a CPU unplug operation, the tick and the +clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online +state, for instance CFS incorrectly assumes that the hrtick is already +active, and the chance of the clockevent device to transition to oneshot +mode is also lost forever for the CPU, unless it goes back to a lower state +than CPUHP_HRTIMERS_PREPARE once. + +This round-trip reveals another issue; cpu_base.online is not set to 1 +after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer(). + +Aside of that, the bulk of the per CPU state is not reset either, which +means there are dangling pointers in the worst case. + +Address this by adding a corresponding startup() callback, which resets the +stale per CPU state and sets the online flag. 
+ +[ tglx: Make the new callback unconditionally available, remove the online + modification in the prepare() callback and clear the remaining + state in the starting callback instead of the prepare callback ] + +Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier") +Signed-off-by: Koichiro Den +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20241220134421.3809834-1-koichiro.den@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/hrtimer.h | 1 + + kernel/cpu.c | 2 +- + kernel/time/hrtimer.c | 11 ++++++++++- + 3 files changed, 12 insertions(+), 2 deletions(-) + +--- a/include/linux/hrtimer.h ++++ b/include/linux/hrtimer.h +@@ -532,6 +532,7 @@ extern void __init hrtimers_init(void); + extern void sysrq_timer_list_show(void); + + int hrtimers_prepare_cpu(unsigned int cpu); ++int hrtimers_cpu_starting(unsigned int cpu); + #ifdef CONFIG_HOTPLUG_CPU + int hrtimers_cpu_dying(unsigned int cpu); + #else +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -1766,7 +1766,7 @@ static struct cpuhp_step cpuhp_hp_states + }, + [CPUHP_AP_HRTIMERS_DYING] = { + .name = "hrtimers:dying", +- .startup.single = NULL, ++ .startup.single = hrtimers_cpu_starting, + .teardown.single = hrtimers_cpu_dying, + }, + +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -2176,6 +2176,15 @@ int hrtimers_prepare_cpu(unsigned int cp + } + + cpu_base->cpu = cpu; ++ hrtimer_cpu_base_init_expiry_lock(cpu_base); ++ return 0; ++} ++ ++int hrtimers_cpu_starting(unsigned int cpu) ++{ ++ struct hrtimer_cpu_base *cpu_base = this_cpu_ptr(&hrtimer_bases); ++ ++ /* Clear out any left over state from a CPU down operation */ + cpu_base->active_bases = 0; + cpu_base->hres_active = 0; + cpu_base->hang_detected = 0; +@@ -2184,7 +2193,6 @@ int hrtimers_prepare_cpu(unsigned int cp + cpu_base->expires_next = KTIME_MAX; + cpu_base->softirq_expires_next = KTIME_MAX; + cpu_base->online = 1; +- 
hrtimer_cpu_base_init_expiry_lock(cpu_base); + return 0; + } + +@@ -2262,6 +2270,7 @@ int hrtimers_cpu_dying(unsigned int dyin + void __init hrtimers_init(void) + { + hrtimers_prepare_cpu(smp_processor_id()); ++ hrtimers_cpu_starting(smp_processor_id()); + open_softirq(HRTIMER_SOFTIRQ, hrtimer_run_softirq); + } + diff --git a/queue-5.15/irqchip-gic-v3-handle-cpu_pm_enter_failed-correctly.patch b/queue-5.15/irqchip-gic-v3-handle-cpu_pm_enter_failed-correctly.patch new file mode 100644 index 0000000000..8a79b869e7 --- /dev/null +++ b/queue-5.15/irqchip-gic-v3-handle-cpu_pm_enter_failed-correctly.patch 
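Review bot: `hrtimers_cpu_starting()` is added as a public hotplug callback without any comment on its contract: it resolves the base with `this_cpu_ptr(&hrtimer_bases)`, so it is only meaningful when run on the CPU being brought online, and it is evidently meant to run after `hrtimers_prepare_cpu()`, which still owns `cpu_base->cpu` and the expiry-lock init. A kernel-doc block stating those two preconditions and that it is the `.startup.single` counterpart of `hrtimers_cpu_dying()` (per the kernel/cpu.c hunk) would make the prepare/starting split obvious to the next backporter. The `hrtimers_init()` change calling both in sequence for the boot CPU is consistent with that reading. The inner hunks cut `hrtimers_prepare_cpu()` and `hrtimers_cpu_dying()` mid-body.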
@@ -0,0 +1,46 @@ +From 0d62a49ab55c99e8deb4593b8d9f923de1ab5c18 Mon Sep 17 00:00:00 2001 +From: Yogesh Lal +Date: Fri, 20 Dec 2024 15:09:07 +0530 +Subject: irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly + +From: Yogesh Lal + +commit 0d62a49ab55c99e8deb4593b8d9f923de1ab5c18 upstream. + +When a CPU attempts to enter low power mode, it disables the redistributor +and Group 1 interrupts and reinitializes the system registers upon wakeup. + +If the transition into low power mode fails, then the CPU_PM framework +invokes the PM notifier callback with CPU_PM_ENTER_FAILED to allow the +drivers to undo the state changes. + +The GIC V3 driver ignores CPU_PM_ENTER_FAILED, which leaves the GIC in +disabled state. + +Handle CPU_PM_ENTER_FAILED in the same way as CPU_PM_EXIT to restore normal +operation. + +[ tglx: Massage change log, add Fixes tag ] + +Fixes: 3708d52fc6bb ("irqchip: gic-v3: Implement CPU PM notifier") +Signed-off-by: Yogesh Lal +Signed-off-by: Thomas Gleixner +Acked-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20241220093907.2747601-1-quic_ylal@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -1340,7 +1340,7 @@ static int gic_retrigger(struct irq_data + static int gic_cpu_pm_notifier(struct notifier_block *self, + unsigned long cmd, void *v) + { +- if (cmd == CPU_PM_EXIT) { ++ if (cmd == CPU_PM_EXIT || cmd == CPU_PM_ENTER_FAILED) { + if (gic_dist_security_disabled()) + gic_enable_redist(true); + gic_cpu_sys_reg_init(); diff --git a/queue-5.15/irqchip-plug-a-of-node-reference-leak-in-platform_irqchip_probe.patch b/queue-5.15/irqchip-plug-a-of-node-reference-leak-in-platform_irqchip_probe.patch new file mode 100644 index 0000000000..f5dd81e998 --- /dev/null +++ b/queue-5.15/irqchip-plug-a-of-node-reference-leak-in-platform_irqchip_probe.patch 
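Review bot: The widened `if (cmd == CPU_PM_EXIT || cmd == CPU_PM_ENTER_FAILED)` gives no hint why a failed entry is treated like an exit, and the reasoning in the change log (the entry path already disabled the redistributor and Group 1 interrupts, so a failed entry must undo that) is lost to readers of the file. A one-line comment above the condition, `/* A failed PM entry already tore down the redistributor state; restore it as on exit */`, records that. `gic_cpu_pm_notifier()` continues past the hunk, so whatever handles `CPU_PM_ENTER` below is not visible here.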
@@ -0,0 +1,48 @@ +From 9322d1915f9d976ee48c09d800fbd5169bc2ddcc Mon Sep 17 00:00:00 2001 +From: Joe Hattori +Date: Sun, 15 Dec 2024 12:39:45 +0900 +Subject: irqchip: Plug a OF node reference leak in platform_irqchip_probe() + +From: Joe Hattori + +commit 9322d1915f9d976ee48c09d800fbd5169bc2ddcc upstream. + +platform_irqchip_probe() leaks a OF node when irq_init_cb() fails. Fix it +by declaring par_np with the __free(device_node) cleanup construct. + +This bug was found by an experimental static analysis tool that I am +developing. + +Fixes: f8410e626569 ("irqchip: Add IRQCHIP_PLATFORM_DRIVER_BEGIN/END and IRQCHIP_MATCH helper macros") +Signed-off-by: Joe Hattori +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20241215033945.3414223-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irqchip.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/irqchip/irqchip.c ++++ b/drivers/irqchip/irqchip.c +@@ -35,11 +35,10 @@ void __init irqchip_init(void) + int platform_irqchip_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; +- struct device_node *par_np = of_irq_find_parent(np); ++ struct device_node *par_np __free(device_node) = of_irq_find_parent(np); + of_irq_init_cb_t irq_init_cb = of_device_get_match_data(&pdev->dev); + + if (!irq_init_cb) { +- of_node_put(par_np); + return -EINVAL; + } + +@@ -55,7 +54,6 @@ int platform_irqchip_probe(struct platfo + * interrupt controller can check for specific domains as necessary. + */ + if (par_np && !irq_find_matching_host(par_np, DOMAIN_BUS_ANY)) { +- of_node_put(par_np); + return -EPROBE_DEFER; + } + diff --git a/queue-5.15/revert-pci-use-preserve_config-in-place-of-pci_flags.patch b/queue-5.15/revert-pci-use-preserve_config-in-place-of-pci_flags.patch new file mode 100644 index 0000000000..fe6d6bc7c3 --- /dev/null +++ b/queue-5.15/revert-pci-use-preserve_config-in-place-of-pci_flags.patch 
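Review bot: The `__free(device_node)` declaration makes this backport depend on the scope-guard cleanup infrastructure and the `device_node` cleanup definition being present in the 5.15 tree, which this patch does not add; if they are not already queued the file will not compile, so that should be confirmed before merge. The two `if` bodies that lose their `of_node_put(par_np)` are now single statements still wrapped in braces, which kernel style drops: `if (!irq_init_cb)` / `return -EINVAL;` and likewise for the `-EPROBE_DEFER` return. `platform_irqchip_probe()` continues past the second hunk, so the `irq_init_cb()` call the change log names as the leaking path is not visible here.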
@@ -0,0 +1,72 @@ +From stable+bounces-109389-greg=kroah.com@vger.kernel.org Fri Jan 17 16:18:00 2025 +From: Terry Tritton +Date: Fri, 17 Jan 2025 15:16:25 +0000 +Subject: Revert "PCI: Use preserve_config in place of pci_flags" +To: stable +Cc: Terry Tritton , Greg KH , Vidya Sagar , Sasha Levin , Daniel Verkamp , Terry Tritton +Message-ID: <20250117151625.6429-1-terry.tritton@linaro.org> + +From: Terry Tritton + +This reverts commit c1a1393f7844c645389e5f1a3f1f0350e0fb9316 which is +commit 7246a4520b4bf1494d7d030166a11b5226f6d508 upstream. + +This patch causes a regression in cuttlefish/crossvm boot on arm64. + +The patch was part of a series that when applied will not cause a regression +but this patch was backported to the 5.15 branch by itself. + +The other patches do not apply cleanly to the 5.15 branch. + +Signed-off-by: Terry Tritton +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pci-host-common.c | 4 ++++ + drivers/pci/probe.c | 20 +++++++++++--------- + 2 files changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/pci/controller/pci-host-common.c ++++ b/drivers/pci/controller/pci-host-common.c +@@ -73,6 +73,10 @@ int pci_host_common_probe(struct platfor + if (IS_ERR(cfg)) + return PTR_ERR(cfg); + ++ /* Do not reassign resources if probe only */ ++ if (!pci_has_flag(PCI_PROBE_ONLY)) ++ pci_add_flags(PCI_REASSIGN_ALL_BUS); ++ + bridge->sysdata = cfg; + bridge->ops = (struct pci_ops *)&ops->pci_ops; + bridge->msi_domain = true; +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -3048,18 +3048,20 @@ int pci_host_probe(struct pci_host_bridg + + bus = bridge->bus; + +- /* If we must preserve the resource configuration, claim now */ +- if (bridge->preserve_config) +- pci_bus_claim_resources(bus); +- + /* +- * Assign whatever was left unassigned. If we didn't claim above, +- * this will reassign everything. 
++ * We insert PCI resources into the iomem_resource and ++ * ioport_resource trees in either pci_bus_claim_resources() ++ * or pci_bus_assign_resources(). + */ +- pci_assign_unassigned_root_bus_resources(bus); ++ if (pci_has_flag(PCI_PROBE_ONLY)) { ++ pci_bus_claim_resources(bus); ++ } else { ++ pci_bus_size_bridges(bus); ++ pci_bus_assign_resources(bus); + +- list_for_each_entry(child, &bus->children, node) +- pcie_bus_configure_settings(child); ++ list_for_each_entry(child, &bus->children, node) ++ pcie_bus_configure_settings(child); ++ } + + pci_bus_add_devices(bus); + return 0; diff --git a/queue-5.15/series b/queue-5.15/series index 4f140fc3b9..9c13cf813c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -109,3 +109,9 @@ vsock-prevent-null-ptr-deref-in-vsock_.patch filemap-avoid-truncating-64-bit-offset-to-32-bits.patch fs-proc-fix-softlockup-in-__read_vmcore-part-2.patch gpiolib-cdev-fix-use-after-free-in-lineinfo_changed_notify.patch +bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch +irqchip-plug-a-of-node-reference-leak-in-platform_irqchip_probe.patch +irqchip-gic-v3-handle-cpu_pm_enter_failed-correctly.patch +hrtimers-handle-cpu-state-correctly-on-hotplug.patch +drm-i915-fb-relax-clear-color-alignment-to-64-bytes.patch +revert-pci-use-preserve_config-in-place-of-pci_flags.patch
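Review bot: The reverted `pci_host_probe()` once more decides on the global `pci_has_flag(PCI_PROBE_ONLY)` instead of the per-bridge `bridge->preserve_config`, so a host driver in this tree that sets only `preserve_config` would now take the else branch and have `pci_bus_size_bridges()` and `pci_bus_assign_resources()` run on it; the revert message names the boot regression it fixes but not this side effect, which deserves a sentence there. The `pci-host-common.c` hunk likewise restores a process-wide `pci_add_flags(PCI_REASSIGN_ALL_BUS)` from inside a per-host probe, and a comment such as `/* Global flag: affects every host bridge probed after this point */` would make that visible at the call site. Both `pci_host_common_probe()` and `pci_host_probe()` start and end outside the inner hunks.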