From: Greg Kroah-Hartman Date: Tue, 23 Apr 2024 12:11:53 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.15.157~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5aaf689442661b82b3b9b01cd0fb8569faaa0db5;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: binder-check-offset-alignment-in-binder_get_object.patch comedi-vmk80xx-fix-incomplete-endpoint-checking.patch thunderbolt-avoid-notify-pm-core-about-runtime-pm-resume.patch thunderbolt-fix-wake-configurations-after-device-unplug.patch
---
diff --git a/queue-5.10/binder-check-offset-alignment-in-binder_get_object.patch b/queue-5.10/binder-check-offset-alignment-in-binder_get_object.patch
new file mode 100644
index 00000000000..a716fc1d975
--- /dev/null
+++ b/queue-5.10/binder-check-offset-alignment-in-binder_get_object.patch
@@ -0,0 +1,46 @@
+From aaef73821a3b0194a01bd23ca77774f704a04d40 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Sat, 30 Mar 2024 19:01:14 +0000
+Subject: binder: check offset alignment in binder_get_object()
+
+From: Carlos Llamas
+
+commit aaef73821a3b0194a01bd23ca77774f704a04d40 upstream.
+
+Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
+txn") introduced changes to how binder objects are copied. In doing so,
+it unintentionally removed an offset alignment check done through calls
+to binder_alloc_copy_from_buffer() -> check_buffer().
+
+These calls were replaced in binder_get_object() with copy_from_user(),
+so now an explicit offset alignment check is needed here. This avoids
+later complications when unwinding the objects gets harder.
+
+It is worth noting this check existed prior to commit 7a67a39320df
+("binder: add function to copy binder object from buffer"), likely
+removed due to redundancy at the time.
+
+Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn")
+Cc: stable@vger.kernel.org
+Signed-off-by: Carlos Llamas
+Acked-by: Todd Kjos
+Link: https://lore.kernel.org/r/20240330190115.1877819-1-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2042,8 +2042,10 @@ static size_t binder_get_object(struct b
+ size_t object_size = 0;
+
+ read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
+- if (offset > buffer->data_size || read_size < sizeof(*hdr))
++ if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
++ !IS_ALIGNED(offset, sizeof(u32)))
+ return 0;
++
+ if (u) {
+ if (copy_from_user(object, u + offset, read_size))
+ return 0;
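Review bot: The new `!IS_ALIGNED(offset, sizeof(u32))` term in binder_get_object() carries no comment, so nothing in the code says that it stands in for the alignment check the copy_from_user() path no longer gets from check_buffer(); the commit message notes the same check was already dropped once as apparently redundant. A short comment above the condition, e.g. `/* the user-copy path bypasses check_buffer(), so reject unaligned offsets here */`, would guard against that happening again. It is also worth noting there that `read_size` is computed from `buffer->data_size - offset` before `offset > buffer->data_size` is rejected; that ordering is not changed by this patch and the value is not used before the check, but it is easy to misread. The function body continues beyond the hunk.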
diff --git a/queue-5.10/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch b/queue-5.10/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
new file mode 100644
index 00000000000..b6d74efedc9
--- /dev/null
+++ b/queue-5.10/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
@@ -0,0 +1,98 @@
+From d1718530e3f640b7d5f0050e725216eab57a85d8 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich
+Date: Mon, 8 Apr 2024 10:16:33 -0700
+Subject: comedi: vmk80xx: fix incomplete endpoint checking
+
+From: Nikita Zhandarovich
+
+commit d1718530e3f640b7d5f0050e725216eab57a85d8 upstream.
+
+While vmk80xx does have endpoint checking implemented, some things
+can fall through the cracks. Depending on the hardware model,
+URBs can have either bulk or interrupt type, and current version
+of vmk80xx_find_usb_endpoints() function does not take that fully
+into account. While this warning does not seem to be too harmful,
+at the very least it will crash systems with 'panic_on_warn' set on
+them.
+
+Fix the issue found by Syzkaller [1] by somewhat simplifying the
+endpoint checking process with usb_find_common_endpoints() and
+ensuring that only expected endpoint types are present.
+
+This patch has not been tested on real hardware.
+
+[1] Syzkaller report:
+usb 1-1: BOGUS urb xfer, pipe 1 != type 3
+WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
+...
+Call Trace:
+
+ usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59
+ vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]
+ vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818
+ comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067
+ usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399
+...
+
+Similar issue also found by Syzkaller:
+Link: https://syzkaller.appspot.com/bug?extid=5205eb2f17de3e01946e
+
+Reported-and-tested-by: syzbot+5f29dc6a889fc42bd896@syzkaller.appspotmail.com
+Cc: stable
+Fixes: 49253d542cc0 ("staging: comedi: vmk80xx: factor out usb endpoint detection")
+Reviewed-by: Ian Abbott
+Signed-off-by: Nikita Zhandarovich
+Link: https://lore.kernel.org/r/20240408171633.31649-1-n.zhandarovich@fintech.ru
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/vmk80xx.c | 35 ++++++++++---------------------
+ 1 file changed, 12 insertions(+), 23 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/vmk80xx.c
++++ b/drivers/staging/comedi/drivers/vmk80xx.c
+@@ -642,33 +642,22 @@ static int vmk80xx_find_usb_endpoints(st
+ struct vmk80xx_private *devpriv = dev->private;
+ struct usb_interface *intf = comedi_to_usb_interface(dev);
+ struct usb_host_interface *iface_desc = intf->cur_altsetting;
+- struct usb_endpoint_descriptor *ep_desc;
+- int i;
++ struct usb_endpoint_descriptor *ep_rx_desc, *ep_tx_desc;
++ int ret;
+
+- if (iface_desc->desc.bNumEndpoints != 2)
+- return -ENODEV;
+-
+- for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
+- ep_desc = &iface_desc->endpoint[i].desc;
+-
+- if (usb_endpoint_is_int_in(ep_desc) ||
+- usb_endpoint_is_bulk_in(ep_desc)) {
+- if (!devpriv->ep_rx)
+- devpriv->ep_rx = ep_desc;
+- continue;
+- }
++ if (devpriv->model == VMK8061_MODEL)
++ ret = usb_find_common_endpoints(iface_desc, &ep_rx_desc,
++ &ep_tx_desc, NULL, NULL);
++ else
++ ret = usb_find_common_endpoints(iface_desc, NULL, NULL,
++ &ep_rx_desc, &ep_tx_desc);
+
+- if (usb_endpoint_is_int_out(ep_desc) ||
+- usb_endpoint_is_bulk_out(ep_desc)) {
+- if (!devpriv->ep_tx)
+- devpriv->ep_tx = ep_desc;
+- continue;
+- }
+- }
+-
+- if (!devpriv->ep_rx || !devpriv->ep_tx)
++ if (ret)
+ return -ENODEV;
+
++ devpriv->ep_rx = ep_rx_desc;
++ devpriv->ep_tx = ep_tx_desc;
++
+ if (!usb_endpoint_maxp(devpriv->ep_rx) ||
!usb_endpoint_maxp(devpriv->ep_tx))
+ return -EINVAL;
+
diff --git a/queue-5.10/series b/queue-5.10/series
index bc89aaf3aa1..d2ab176cbde 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -49,3 +49,7 @@ clk-print-an-info-line-before-disabling-unused-clock.patch
 clk-initialize-struct-clk_core-kref-earlier.patch
 clk-get-runtime-pm-before-walking-tree-during-disabl.patch
 x86-cpufeatures-fix-dependencies-for-gfni-vaes-and-v.patch
+binder-check-offset-alignment-in-binder_get_object.patch
+thunderbolt-avoid-notify-pm-core-about-runtime-pm-resume.patch
+thunderbolt-fix-wake-configurations-after-device-unplug.patch
+comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
diff --git a/queue-5.10/thunderbolt-avoid-notify-pm-core-about-runtime-pm-resume.patch b/queue-5.10/thunderbolt-avoid-notify-pm-core-about-runtime-pm-resume.patch
new file mode 100644
index 00000000000..de7ab3be9e2
--- /dev/null
+++ b/queue-5.10/thunderbolt-avoid-notify-pm-core-about-runtime-pm-resume.patch
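Review bot: In the vmk80xx_find_usb_endpoints() hunk of the comedi patch above, the `bNumEndpoints != 2` rejection is removed and nothing replaces it, so an interface that carries the expected pair plus additional endpoints is now accepted, although the commit message speaks of ensuring that only expected endpoint types are present. usb_find_common_endpoints() reports the first endpoint of each requested type and ignores the rest, so this looks harmless for the two pointers stored here, but the descriptors come from the attached device and the message states the patch was not tested on hardware. If the looser match is intended, a comment on the model branch would record it, e.g. `/* VMK8061 uses bulk endpoints, other models interrupt; extra endpoints are ignored */`; otherwise keep `if (iface_desc->desc.bNumEndpoints != 2) return -ENODEV;` ahead of the lookup. The function continues past the end of the hunk.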
@@ -0,0 +1,152 @@
+From dcd12acaf384c30437fa5a9a1f71df06fc9835fd Mon Sep 17 00:00:00 2001
+From: Gil Fine
+Date: Fri, 1 Mar 2024 15:11:18 +0200
+Subject: thunderbolt: Avoid notify PM core about runtime PM resume
+
+From: Gil Fine
+
+commit dcd12acaf384c30437fa5a9a1f71df06fc9835fd upstream.
+
+Currently we notify PM core about occurred wakes after any resume. This
+is not actually needed after resume from runtime suspend. Hence, notify
+PM core about occurred wakes only after resume from system sleep. Also,
+if the wake occurred in USB4 router upstream port, we don't notify the
+PM core about it since it is not actually needed and can cause
+unexpected autowake (e.g. if /sys/power/wakeup_count is used).
+
+While there add the missing kernel-doc for tb_switch_resume().
+
+Signed-off-by: Gil Fine
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thunderbolt/switch.c | 27 +++++++++++++++++++++++++--
+ drivers/thunderbolt/tb.c | 4 ++--
+ drivers/thunderbolt/tb.h | 3 ++-
+ drivers/thunderbolt/usb4.c | 13 +++++++------
+ 4 files changed, 36 insertions(+), 11 deletions(-)
+
+--- a/drivers/thunderbolt/switch.c
++++ b/drivers/thunderbolt/switch.c
+@@ -2631,7 +2631,26 @@ static int tb_switch_set_wake(struct tb_
+ return tb_lc_set_wake(sw, flags);
+ }
+
+-int tb_switch_resume(struct tb_switch *sw)
++static void tb_switch_check_wakes(struct tb_switch *sw)
++{
++ if (device_may_wakeup(&sw->dev)) {
++ if (tb_switch_is_usb4(sw))
++ usb4_switch_check_wakes(sw);
++ }
++}
++
++/**
++ * tb_switch_resume() - Resume a switch after sleep
++ * @sw: Switch to resume
++ * @runtime: Is this resume from runtime suspend or system sleep
++ *
++ * Resumes and re-enumerates router (and all its children), if still plugged
++ * after suspend. Don't enumerate device router whose UID was changed during
++ * suspend. If this is resume from system sleep, notifies PM core about the
++ * wakes occurred during suspend. Disables all wakes, except USB4 wake of
++ * upstream port for USB4 routers that shall be always enabled.
++ */
++int tb_switch_resume(struct tb_switch *sw, bool runtime)
+ {
+ struct tb_port *port;
+ int err;
+@@ -2676,6 +2695,9 @@ int tb_switch_resume(struct tb_switch *s
+ if (err)
+ return err;
+
++ if (!runtime)
++ tb_switch_check_wakes(sw);
++
+ /* Disable wakes */
+ tb_switch_set_wake(sw, 0);
+
+@@ -2702,7 +2724,8 @@ int tb_switch_resume(struct tb_switch *s
+ */
+ if (tb_port_unlock(port))
+ tb_port_warn(port, "failed to unlock port\n");
+- if (port->remote && tb_switch_resume(port->remote->sw)) {
++ if (port->remote &&
++ tb_switch_resume(port->remote->sw, runtime)) {
+ tb_port_warn(port,
+ "lost during suspend, disconnecting\n");
+ tb_sw_set_unplugged(port->remote->sw);
+--- a/drivers/thunderbolt/tb.c
++++ b/drivers/thunderbolt/tb.c
+@@ -1385,7 +1385,7 @@ static int tb_resume_noirq(struct tb *tb
+ /* remove any pci devices the firmware might have setup */
+ tb_switch_reset(tb->root_switch);
+
+- tb_switch_resume(tb->root_switch);
++ tb_switch_resume(tb->root_switch, false);
+ tb_free_invalid_tunnels(tb);
+ tb_free_unplugged_children(tb->root_switch);
+ tb_restore_children(tb->root_switch);
+@@ -1488,7 +1488,7 @@ static int tb_runtime_resume(struct tb *
+ struct tb_tunnel *tunnel, *n;
+
+ mutex_lock(&tb->lock);
+- tb_switch_resume(tb->root_switch);
++ tb_switch_resume(tb->root_switch, true);
+ tb_free_invalid_tunnels(tb);
+ tb_restore_children(tb->root_switch);
+ list_for_each_entry_safe(tunnel, n, &tcm->tunnel_list, list)
+--- a/drivers/thunderbolt/tb.h
++++ b/drivers/thunderbolt/tb.h
+@@ -653,7 +653,7 @@ int tb_switch_configure(struct tb_switch
+ int tb_switch_add(struct tb_switch *sw);
+ void tb_switch_remove(struct tb_switch *sw);
+ void tb_switch_suspend(struct tb_switch *sw, bool runtime);
+-int tb_switch_resume(struct tb_switch *sw);
++int tb_switch_resume(struct tb_switch *sw, bool runtime);
+ int tb_switch_reset(struct tb_switch *sw);
+ void tb_sw_set_unplugged(struct tb_switch *sw);
+ struct tb_port *tb_switch_find_port(struct tb_switch *sw,
+@@ -957,6 +957,7 @@ static inline struct tb_retimer *tb_to_r
+ return NULL;
+ }
+
++void usb4_switch_check_wakes(struct tb_switch *sw);
+ int usb4_switch_setup(struct tb_switch *sw);
+ int usb4_switch_read_uid(struct tb_switch *sw, u64 *uid);
+ int usb4_switch_drom_read(struct tb_switch *sw, unsigned int address, void *buf,
+--- a/drivers/thunderbolt/usb4.c
++++ b/drivers/thunderbolt/usb4.c
+@@ -197,15 +197,18 @@ static int usb4_switch_op(struct tb_swit
+ return 0;
+ }
+
+-static void usb4_switch_check_wakes(struct tb_switch *sw)
++/**
++ * usb4_switch_check_wakes() - Check for wakes and notify PM core about them
++ * @sw: Router whose wakes to check
++ *
++ * Checks wakes occurred during suspend and notify the PM core about them.
++ */
++void usb4_switch_check_wakes(struct tb_switch *sw)
+ {
+ struct tb_port *port;
+ bool wakeup = false;
+ u32 val;
+
+- if (!device_may_wakeup(&sw->dev))
+- return;
+-
+ if (tb_route(sw)) {
+ if (tb_sw_read(sw, &val, TB_CFG_SWITCH, ROUTER_CS_6, 1))
+ return;
+@@ -270,8 +273,6 @@ int usb4_switch_setup(struct tb_switch *
+ u32 val = 0;
+ int ret;
+
+- usb4_switch_check_wakes(sw);
+-
+ if (!tb_route(sw))
+ return 0;
+
diff --git a/queue-5.10/thunderbolt-fix-wake-configurations-after-device-unplug.patch b/queue-5.10/thunderbolt-fix-wake-configurations-after-device-unplug.patch
new file mode 100644
index 00000000000..4fa8189d378
--- /dev/null
+++ b/queue-5.10/thunderbolt-fix-wake-configurations-after-device-unplug.patch
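Review bot: In the usb4.c hunk of the thunderbolt runtime-PM patch above, usb4_switch_check_wakes() loses its `device_may_wakeup(&sw->dev)` guard in the same change that makes it non-static, so the precondition now lives only in its one visible caller, tb_switch_check_wakes() in switch.c. The new kernel-doc does not mention this; a line such as `* The caller is expected to have checked device_may_wakeup() for @sw.` would keep a later caller from reporting wakes to the PM core for a device that is not allowed to wake the system. In tb_switch_check_wakes() the two nested `if`s could also be written as a single `if (device_may_wakeup(&sw->dev) && tb_switch_is_usb4(sw))`.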
@@ -0,0 +1,63 @@
+From c38fa07dc69f0b9e6f43ecab96dc7861a70c827c Mon Sep 17 00:00:00 2001
+From: Gil Fine
+Date: Fri, 1 Mar 2024 15:22:53 +0200
+Subject: thunderbolt: Fix wake configurations after device unplug
+
+From: Gil Fine
+
+commit c38fa07dc69f0b9e6f43ecab96dc7861a70c827c upstream.
+
+Currently we don't configure correctly the wake events after unplug of device
+router. What can happen is that the downstream ports of host router will be
+configured to wake on: USB4-wake and wake-on-disconnect, but not on
+wake-on-connect. This may cause the later plugged device not to wake the
+domain and fail in enumeration. Fix this by clearing downstream port's "USB4
+Port is Configured" bit, after unplug of a device router.
+
+Signed-off-by: Gil Fine
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thunderbolt/switch.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/thunderbolt/switch.c
++++ b/drivers/thunderbolt/switch.c
+@@ -2402,22 +2402,29 @@ void tb_switch_unconfigure_link(struct t
+ {
+ struct tb_port *up, *down;
+
+- if (sw->is_unplugged)
+- return;
+ if (!tb_route(sw) || tb_switch_is_icm(sw))
+ return;
+
++ /*
++ * Unconfigure downstream port so that wake-on-connect can be
++ * configured after router unplug. No need to unconfigure upstream port
++ * since its router is unplugged.
++ */
+ up = tb_upstream_port(sw);
+- if (tb_switch_is_usb4(up->sw))
+- usb4_port_unconfigure(up);
+- else
+- tb_lc_unconfigure_port(up);
+-
+ down = up->remote;
+ if (tb_switch_is_usb4(down->sw))
+ usb4_port_unconfigure(down);
+ else
+ tb_lc_unconfigure_port(down);
++
++ if (sw->is_unplugged)
++ return;
++
++ up = tb_upstream_port(sw);
++ if (tb_switch_is_usb4(up->sw))
++ usb4_port_unconfigure(up);
++ else
++ tb_lc_unconfigure_port(up);
+ }
+
+ static int tb_switch_port_hotplug_enable(struct tb_switch *sw)
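Review bot: With the `sw->is_unplugged` early return moved down, tb_switch_unconfigure_link() now reaches `down = up->remote;` and then `down->sw` for unplugged routers as well, and there is no NULL check on `down`. Whether `up->remote` is always still set on that path cannot be seen from this hunk, so it is worth confirming against the callers or guarding with `if (!down) return;`. Separately, the second `up = tb_upstream_port(sw);` repeats the assignment made a few lines earlier with nothing in between that changes `sw` or `up`, and can be dropped.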