From: Sasha Levin
Date: Thu, 4 Jul 2019 00:11:04 +0000 (-0400)
Subject: fixes for 4.14
X-Git-Tag: v5.1.17~43
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5ef95420667740b1b71335631779edeed56fd55e;p=thirdparty%2Fkernel%2Fstable-queue.git
fixes for 4.14
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/drm-i915-dmc-protect-against-reading-random-memory.patch b/queue-4.14/drm-i915-dmc-protect-against-reading-random-memory.patch
new file mode 100644
index 00000000000..d03651c9453
--- /dev/null
+++ b/queue-4.14/drm-i915-dmc-protect-against-reading-random-memory.patch
@@ -0,0 +1,99 @@
+From 77a0f9399e883761b724b2a65e24193d11ca892c Mon Sep 17 00:00:00 2001
+From: Lucas De Marchi
+Date: Tue, 2 Jul 2019 12:23:04 -0700
+Subject: drm/i915/dmc: protect against reading random memory
+
+commit bc7b488b1d1c71dc4c5182206911127bc6c410d6 upstream.
+
+While loading the DMC firmware we were double checking the headers made
+sense, but in no place we checked that we were actually reading memory
+we were supposed to. This could be wrong in case the firmware file is
+truncated or malformed.
+
+Before this patch:
+ # ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin
+ -rw-r--r-- 1 root root 25716 Feb 1 12:26 icl_dmc_ver1_07.bin
+ # truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin
+ # modprobe i915
+ # dmesg| grep -i dmc
+ [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
+ [drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7)
+
+i.e. it loads random data. Now it fails like below:
+ [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
+ [drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting.
+ i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management.
+ i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915
+
+Before reading any part of the firmware file, validate the input first.
+
+Fixes: eb805623d8b1 ("drm/i915/skl: Add support to load SKL CSR firmware.")
+Signed-off-by: Lucas De Marchi
+Reviewed-by: Rodrigo Vivi
+Link: https://patchwork.freedesktop.org/patch/msgid/20190605235535.17791-1-lucas.demarchi@intel.com
+(cherry picked from commit bc7b488b1d1c71dc4c5182206911127bc6c410d6)
+Signed-off-by: Jani Nikula
+[ Lucas: backported to 4.9+ adjusting the context ]
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/intel_csr.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/gpu/drm/i915/intel_csr.c b/drivers/gpu/drm/i915/intel_csr.c
+index 92c1f8e166dc..0bdbbd4027fe 100644
+--- a/drivers/gpu/drm/i915/intel_csr.c
++++ b/drivers/gpu/drm/i915/intel_csr.c
+@@ -277,10 +277,17 @@ static uint32_t *parse_csr_fw(struct drm_i915_private *dev_priv,
+ uint32_t i;
+ uint32_t *dmc_payload;
+ uint32_t required_version;
++ size_t fsize;
+
+ if (!fw)
+ return NULL;
+
++ fsize = sizeof(struct intel_css_header) +
++ sizeof(struct intel_package_header) +
++ sizeof(struct intel_dmc_header);
++ if (fsize > fw->size)
++ goto error_truncated;
++
+ /* Extract CSS Header information*/
+ css_header = (struct intel_css_header *)fw->data;
+ if (sizeof(struct intel_css_header) !=
+@@ -350,6 +357,9 @@ static uint32_t *parse_csr_fw(struct drm_i915_private *dev_priv,
+ return NULL;
+ }
+ readcount += dmc_offset;
++ fsize += dmc_offset;
++ if (fsize > fw->size)
++ goto error_truncated;
+
+ /* Extract dmc_header information. */
+ dmc_header = (struct intel_dmc_header *)&fw->data[readcount];
+@@ -380,6 +390,10 @@ static uint32_t *parse_csr_fw(struct drm_i915_private *dev_priv,
+
+ /* fw_size is in dwords, so multiplied by 4 to convert into bytes. */
+ nbytes = dmc_header->fw_size * 4;
++ fsize += nbytes;
++ if (fsize > fw->size)
++ goto error_truncated;
++
+ if (nbytes > CSR_MAX_FW_SIZE) {
+ DRM_ERROR("CSR firmware too big (%u) bytes\n", nbytes);
+ return NULL;
+@@ -393,6 +407,10 @@ static uint32_t *parse_csr_fw(struct drm_i915_private *dev_priv,
+ }
+
+ return memcpy(dmc_payload, &fw->data[readcount], nbytes);
++
++error_truncated:
++ DRM_ERROR("Truncated DMC firmware, rejecting.\n");
++ return NULL;
+ }
+
+ static void csr_load_work_fn(struct work_struct *work)
+--
+2.20.1
+
diff --git a/queue-4.14/mips-netlogic-xlr-remove-erroneous-check-in-nlm_fmn_.patch b/queue-4.14/mips-netlogic-xlr-remove-erroneous-check-in-nlm_fmn_.patch
new file mode 100644
index 00000000000..de3a7bbc7f9
--- /dev/null
+++ b/queue-4.14/mips-netlogic-xlr-remove-erroneous-check-in-nlm_fmn_.patch
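Review bot: The added `fsize > fw->size` checks in parse_csr_fw() (drivers/gpu/drm/i915/intel_csr.c) add file-supplied values to `fsize` before comparing, so where `size_t` is 32 bits the sum could wrap and a malformed image might still pass; this applies to both `fsize += dmc_offset` and `fsize += nbytes`. Comparing against the remaining space avoids the addition: `if (dmc_offset > fw->size - fsize) goto error_truncated;` before `fsize += dmc_offset;`, and likewise `if (nbytes > fw->size - fsize) goto error_truncated;`, which cannot underflow because the preceding check has already established `fsize <= fw->size`. The product `dmc_header->fw_size * 4` may also wrap if `nbytes` is a 32-bit type (its declaration is outside the hunks), so I would bound `fw_size` before the multiply and move the existing `nbytes > CSR_MAX_FW_SIZE` test ahead of the new truncation check. The function body starts and ends outside the hunks shown.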
@@ -0,0 +1,55 @@
+From 6a50751321d4e1588b671e55fa8fefb13f71f5cb Mon Sep 17 00:00:00 2001
+From: Paul Burton
+Date: Wed, 8 Aug 2018 09:30:56 -0700
+Subject: MIPS: netlogic: xlr: Remove erroneous check in nlm_fmn_send()
+
+[ Upstream commit 02eec6c9fc0cb13169cc97a6139771768791f92b ]
+
+In nlm_fmn_send() we have a loop which attempts to send a message
+multiple times in order to handle the transient failure condition of a
+lack of available credit. When examining the status register to detect
+the failure we check for a condition that can never be true, which falls
+foul of gcc 8's -Wtautological-compare:
+
+ In file included from arch/mips/netlogic/common/irq.c:65:
+ ./arch/mips/include/asm/netlogic/xlr/fmn.h: In function 'nlm_fmn_send':
+ ./arch/mips/include/asm/netlogic/xlr/fmn.h:304:22: error: bitwise
+ comparison always evaluates to false [-Werror=tautological-compare]
+ if ((status & 0x2) == 1)
+ ^~
+
+If the path taken if this condition were true all we do is print a
+message to the kernel console. Since failures seem somewhat expected
+here (making the console message questionable anyway) and the condition
+has clearly never evaluated true we simply remove it, rather than
+attempting to fix it to check status correctly.
+
+Signed-off-by: Paul Burton
+Patchwork: https://patchwork.linux-mips.org/patch/20174/
+Cc: Ganesan Ramalingam
+Cc: James Hogan
+Cc: Jayachandran C
+Cc: John Crispin
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/netlogic/xlr/fmn.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/netlogic/xlr/fmn.h b/arch/mips/include/asm/netlogic/xlr/fmn.h
+index 5604db3d1836..d79c68fa78d9 100644
+--- a/arch/mips/include/asm/netlogic/xlr/fmn.h
++++ b/arch/mips/include/asm/netlogic/xlr/fmn.h
+@@ -301,8 +301,6 @@ static inline int nlm_fmn_send(unsigned int size, unsigned int code,
+ for (i = 0; i < 8; i++) {
+ nlm_msgsnd(dest);
+ status = nlm_read_c2_status0();
+- if ((status & 0x2) == 1)
+- pr_info("Send pending fail!\n");
+ if ((status & 0x4) == 0)
+ return 0;
+ }
+--
+2.20.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 6174d5dcc84..9f50c43f850 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -18,3 +18,5 @@ scripts-decode_stacktrace.sh-prefix-addr2line-with-c.patch
 mm-mlock.c-change-count_mm_mlocked_page_nr-return-ty.patch
 module-fix-livepatch-ftrace-module-text-permissions-.patch
 ftrace-fix-null-pointer-dereference-in-free_ftrace_f.patch
+mips-netlogic-xlr-remove-erroneous-check-in-nlm_fmn_.patch
+drm-i915-dmc-protect-against-reading-random-memory.patch