From: Sasha Levin
Date: Thu, 30 Mar 2023 11:50:36 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v4.14.312~56
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=62dc839234dbab1f32346e78828edc65be66a4eb;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.19
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/alsa-asihpi-check-pao-in-control_message.patch b/queue-4.19/alsa-asihpi-check-pao-in-control_message.patch
new file mode 100644
index 00000000000..b742e7f603e
--- /dev/null
+++ b/queue-4.19/alsa-asihpi-check-pao-in-control_message.patch
@@ -0,0 +1,72 @@
+From 0896d81e79fa91e0896caed1ef1f3b1fff28d6d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 00:49:24 +0000
+Subject: ALSA: asihpi: check pao in control_message()
+
+From: Kuninori Morimoto
+
+[ Upstream commit 9026c0bf233db53b86f74f4c620715e94eb32a09 ]
+
+control_message() might be called with pao = NULL.
+Here indicates control_message() as sample.
+
+(B) static void control_message(struct hpi_adapter_obj *pao, ...)
+ { ^^^
+ struct hpi_hw_obj *phw = pao->priv;
+ ... ^^^
+ }
+
+(A) void _HPI_6205(struct hpi_adapter_obj *pao, ...)
+ { ^^^
+ ...
+ case HPI_OBJ_CONTROL:
+(B) control_message(pao, phm, phr);
+ break; ^^^
+ ...
+ }
+
+ void HPI_6205(...)
+ {
+ ...
+(A) _HPI_6205(NULL, phm, phr);
+ ... ^^^^
+ }
+
+Therefore, We will get too many warning via cppcheck, like below
+
+ sound/pci/asihpi/hpi6205.c:238:27: warning: Possible null pointer dereference: pao [nullPointer]
+ struct hpi_hw_obj *phw = pao->priv;
+ ^
+ sound/pci/asihpi/hpi6205.c:433:13: note: Calling function '_HPI_6205', 1st argument 'NULL' value is 0
+ _HPI_6205(NULL, phm, phr);
+ ^
+ sound/pci/asihpi/hpi6205.c:401:20: note: Calling function 'control_message', 1st argument 'pao' value is 0
+ control_message(pao, phm, phr);
+ ^
+Set phr->error like many functions doing, and don't call _HPI_6205()
+with NULL.
+
+Signed-off-by: Kuninori Morimoto
+Link: https://lore.kernel.org/r/87ttypeaqz.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/asihpi/hpi6205.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/asihpi/hpi6205.c b/sound/pci/asihpi/hpi6205.c
+index 2864698436a5f..6a49f897c4d91 100644
+--- a/sound/pci/asihpi/hpi6205.c
++++ b/sound/pci/asihpi/hpi6205.c
+@@ -441,7 +441,7 @@ void HPI_6205(struct hpi_message *phm, struct hpi_response *phr)
+ pao = hpi_find_adapter(phm->adapter_index);
+ } else {
+ /* subsys messages don't address an adapter */
+- _HPI_6205(NULL, phm, phr);
++ phr->error = HPI_ERROR_INVALID_OBJ_INDEX;
+ return;
+ }
+ 
+--
+2.39.2
+
diff --git a/queue-4.19/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch b/queue-4.19/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch
new file mode 100644
index 00000000000..46bc4724661
--- /dev/null
+++ b/queue-4.19/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch
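Review bot: The replacement line `phr->error = HPI_ERROR_INVALID_OBJ_INDEX;` changes what the else branch does rather than guarding control_message() against a NULL pao as the subject line says: per the context comment `/* subsys messages don't address an adapter */` this branch is the subsystem-message dispatch path, and after the change every subsystem message is rejected instead of being handed to _HPI_6205(). The cppcheck trace in the commit message only shows that NULL reaches control_message() through the HPI_OBJ_CONTROL case; whether the subsystem case inside _HPI_6205() (outside the hunk) ever dereferences pao is not visible here, and if it does not, the old call was safe on this path and the warning was a false positive for it. A narrower fix keeps the dispatch and guards the callee, e.g. at the top of control_message(): `if (!pao) { phr->error = HPI_ERROR_INVALID_OBJ_INDEX; return; }`. Worth confirming which subsystem messages (adapter create/delete, presumably) arrive through this branch before the backport lands. HPI_6205() continues outside the hunk.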
@@ -0,0 +1,62 @@
+From 2622ca79d4683fae40dcad0cd7891963271441f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 00:50:28 +0000
+Subject: ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
+
+From: Kuninori Morimoto
+
+[ Upstream commit 98e5eb110095ec77cb6d775051d181edbf9cd3cf ]
+
+tuning_ctl_set() might have buffer overrun at (X) if it didn't break
+from loop by matching (A).
+
+ static int tuning_ctl_set(...)
+ {
+ for (i = 0; i < TUNING_CTLS_COUNT; i++)
+(A) if (nid == ca0132_tuning_ctls[i].nid)
+ break;
+
+ snd_hda_power_up(...);
+(X) dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);
+ snd_hda_power_down(...); ^
+
+ return 1;
+ }
+
+We will get below error by cppcheck
+
+ sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12
+ for (i = 0; i < TUNING_CTLS_COUNT; i++)
+ ^
+ sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds
+ dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
+ ^
+This patch cares non match case.
+
+Signed-off-by: Kuninori Morimoto
+Link: https://lore.kernel.org/r/87sfe9eap7.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/hda/patch_ca0132.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
+index ca8a37388d565..9f0e6bbc523c3 100644
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -3620,8 +3620,10 @@ static int tuning_ctl_set(struct hda_codec *codec, hda_nid_t nid,
+ 
+ for (i = 0; i < TUNING_CTLS_COUNT; i++)
+ if (nid == ca0132_tuning_ctls[i].nid)
+- break;
++ goto found;
+ 
++ return -EINVAL;
++found:
+ snd_hda_power_up(codec);
+ dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
+ ca0132_tuning_ctls[i].req,
+--
+2.39.2
+
diff --git a/queue-4.19/fbdev-au1200fb-fix-potential-divide-by-zero.patch b/queue-4.19/fbdev-au1200fb-fix-potential-divide-by-zero.patch
new file mode 100644
index 00000000000..7bd6f67028e
--- /dev/null
+++ b/queue-4.19/fbdev-au1200fb-fix-potential-divide-by-zero.patch
@@ -0,0 +1,39 @@
+From 4b9db02281caa58c2a38ed3fe796a8809b80263c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 09:22:54 +0000
+Subject: fbdev: au1200fb: Fix potential divide by zero
+
+From: Wei Chen
+
+[ Upstream commit 44a3b36b42acfc433aaaf526191dd12fbb919fdb ]
+
+var->pixclock can be assigned to zero by user. Without
+proper check, divide by zero would occur when invoking
+macro PICOS2KHZ in au1200fb_fb_check_var.
+
+Error out if var->pixclock is zero.
+
+Signed-off-by: Wei Chen
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/au1200fb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c
+index 3872ccef4cb2c..f8e83a9519189 100644
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1039,6 +1039,9 @@ static int au1200fb_fb_check_var(struct fb_var_screeninfo *var,
+ u32 pixclock;
+ int screen_size, plane;
+ 
++ if (!var->pixclock)
++ return -EINVAL;
++
+ plane = fbdev->plane;
+ 
+ /* Make sure that the mode respect all LCD controller and
+--
+2.39.2
+
diff --git a/queue-4.19/fbdev-intelfb-fix-potential-divide-by-zero.patch b/queue-4.19/fbdev-intelfb-fix-potential-divide-by-zero.patch
new file mode 100644
index 00000000000..757347f28a5
--- /dev/null
+++ b/queue-4.19/fbdev-intelfb-fix-potential-divide-by-zero.patch
@@ -0,0 +1,39 @@
+From 0e12b2ea6cc9970048541a9a4863711873db1b06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 08:33:47 +0000
+Subject: fbdev: intelfb: Fix potential divide by zero
+
+From: Wei Chen
+
+[ Upstream commit d823685486a3446d061fed7c7d2f80af984f119a ]
+
+Variable var->pixclock is controlled by user and can be assigned
+to zero. Without proper check, divide by zero would occur in
+intelfbhw_validate_mode and intelfbhw_mode_to_hw.
+
+Error out if var->pixclock is zero.
+
+Signed-off-by: Wei Chen
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/intelfb/intelfbdrv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/intelfb/intelfbdrv.c b/drivers/video/fbdev/intelfb/intelfbdrv.c
+index d7463a2a5d83f..c97c0c8514809 100644
+--- a/drivers/video/fbdev/intelfb/intelfbdrv.c
++++ b/drivers/video/fbdev/intelfb/intelfbdrv.c
+@@ -1215,6 +1215,9 @@ static int intelfb_check_var(struct fb_var_screeninfo *var,
+ 
+ dinfo = GET_DINFO(info);
+ 
++ if (!var->pixclock)
++ return -EINVAL;
++
+ /* update the pitch */
+ if (intelfbhw_validate_mode(dinfo, var) != 0)
+ return -EINVAL;
+--
+2.39.2
+
diff --git a/queue-4.19/fbdev-lxfb-fix-potential-divide-by-zero.patch b/queue-4.19/fbdev-lxfb-fix-potential-divide-by-zero.patch
new file mode 100644
index 00000000000..5b2db3ffe9c
--- /dev/null
+++ b/queue-4.19/fbdev-lxfb-fix-potential-divide-by-zero.patch
@@ -0,0 +1,38 @@
+From 22a943b575695e0ca213644bfcddde359493762c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 09:05:18 +0000
+Subject: fbdev: lxfb: Fix potential divide by zero
+
+From: Wei Chen
+
+[ Upstream commit 61ac4b86a4c047c20d5cb423ddd87496f14d9868 ]
+
+var->pixclock can be assigned to zero by user. Without proper
+check, divide by zero would occur in lx_set_clock.
+
+Error out if var->pixclock is zero.
+
+Signed-off-by: Wei Chen
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/geode/lxfb_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/geode/lxfb_core.c b/drivers/video/fbdev/geode/lxfb_core.c
+index 138da6cb6cbcd..4345246b4c798 100644
+--- a/drivers/video/fbdev/geode/lxfb_core.c
++++ b/drivers/video/fbdev/geode/lxfb_core.c
+@@ -247,6 +247,9 @@ static void get_modedb(struct fb_videomode **modedb, unsigned int *size)
+ 
+ static int lxfb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
+ {
++ if (!var->pixclock)
++ return -EINVAL;
++
+ if (var->xres > 1920 || var->yres > 1440)
+ return -EINVAL;
+ 
+--
+2.39.2
+
diff --git a/queue-4.19/fbdev-nvidia-fix-potential-divide-by-zero.patch b/queue-4.19/fbdev-nvidia-fix-potential-divide-by-zero.patch
new file mode 100644
index 00000000000..451cceb5c7e
--- /dev/null
+++ b/queue-4.19/fbdev-nvidia-fix-potential-divide-by-zero.patch
@@ -0,0 +1,40 @@
+From 19b615c49e87df916cb595f8eef5cd5c3c67b540 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 07:18:31 +0000
+Subject: fbdev: nvidia: Fix potential divide by zero
+
+From: Wei Chen
+
+[ Upstream commit 92e2a00f2987483e1f9253625828622edd442e61 ]
+
+variable var->pixclock can be set by user. In case it
+equals to zero, divide by zero would occur in nvidiafb_set_par.
+
+Similar crashes have happened in other fbdev drivers. There
+is no check and modification on var->pixclock along the call
+chain to nvidia_check_var and nvidiafb_set_par. We believe it
+could also be triggered in driver nvidia from user site.
+
+Signed-off-by: Wei Chen
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/nvidia/nvidia.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/video/fbdev/nvidia/nvidia.c b/drivers/video/fbdev/nvidia/nvidia.c
+index fbeeed5afe350..aa502b3ba25ae 100644
+--- a/drivers/video/fbdev/nvidia/nvidia.c
++++ b/drivers/video/fbdev/nvidia/nvidia.c
+@@ -766,6 +766,8 @@ static int nvidiafb_check_var(struct fb_var_screeninfo *var,
+ int pitch, err = 0;
+ 
+ NVTRACE_ENTER();
++ if (!var->pixclock)
++ return -EINVAL;
+ 
+ var->transp.offset = 0;
+ var->transp.length = 0;
+--
+2.39.2
+
diff --git a/queue-4.19/fbdev-tgafb-fix-potential-divide-by-zero.patch b/queue-4.19/fbdev-tgafb-fix-potential-divide-by-zero.patch
new file mode 100644
index 00000000000..abab8d2eaa5
--- /dev/null
+++ b/queue-4.19/fbdev-tgafb-fix-potential-divide-by-zero.patch
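Review bot: The new `if (!var->pixclock) return -EINVAL;` in nvidiafb_check_var() is placed after `NVTRACE_ENTER();`, so this early return leaves the function without the matching exit trace (NVTRACE_LEAVE(), presumably) that the rest of nvidiafb_check_var() emits on its other paths; the function's tail is outside the hunk, so that is inferred. The other divide-by-zero guards on this page (au1200fb, intelfb, lxfb, tgafb) put the check before any side effect, so only this hunk has the asymmetry. Moving the two added lines above `NVTRACE_ENTER();` keeps the trace balanced without altering the check itself. It is only debug tracing, but an unpaired ENTER will mislead anyone reading the NVTRACE log while chasing a check_var failure.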
@@ -0,0 +1,44 @@
+From 99fe0f01ff00c5a8b37568de84c03c0cf83be602 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 13:08:56 +0000
+Subject: fbdev: tgafb: Fix potential divide by zero
+
+From: Wei Chen
+
+[ Upstream commit f90bd245de82c095187d8c2cabb8b488a39eaecc ]
+
+fb_set_var would by called when user invokes ioctl with cmd
+FBIOPUT_VSCREENINFO. User-provided data would finally reach
+tgafb_check_var. In case var->pixclock is assigned to zero,
+divide by zero would occur when checking whether reciprocal
+of var->pixclock is too high.
+
+Similar crashes have happened in other fbdev drivers. There
+is no check and modification on var->pixclock along the call
+chain to tgafb_check_var. We believe it could also be triggered
+in driver tgafb from user site.
+
+Signed-off-by: Wei Chen
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/tgafb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c
+index 65ba9921506e2..9d2912947eef6 100644
+--- a/drivers/video/fbdev/tgafb.c
++++ b/drivers/video/fbdev/tgafb.c
+@@ -166,6 +166,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
+ {
+ struct tga_par *par = (struct tga_par *)info->par;
+ 
++ if (!var->pixclock)
++ return -EINVAL;
++
+ if (par->tga_type == TGA_TYPE_8PLANE) {
+ if (var->bits_per_pixel != 8)
+ return -EINVAL;
+--
+2.39.2
+
diff --git a/queue-4.19/md-avoid-signed-overflow-in-slot_store.patch b/queue-4.19/md-avoid-signed-overflow-in-slot_store.patch
new file mode 100644
index 00000000000..d2fc69fbc26
--- /dev/null
+++ b/queue-4.19/md-avoid-signed-overflow-in-slot_store.patch
@@ -0,0 +1,44 @@
+From cb134b32f5c4f089f210f1ee7d3ad68542022951 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Mar 2023 09:36:25 +1100
+Subject: md: avoid signed overflow in slot_store()
+
+From: NeilBrown
+
+[ Upstream commit 3bc57292278a0b6ac4656cad94c14f2453344b57 ]
+
+slot_store() uses kstrtouint() to get a slot number, but stores the
+result in an "int" variable (by casting a pointer).
+This can result in a negative slot number if the unsigned int value is
+very large.
+
+A negative number means that the slot is empty, but setting a negative
+slot number this way will not remove the device from the array. I don't
+think this is a serious problem, but it could cause confusion and it is
+best to fix it.
+
+Reported-by: Dan Carpenter
+Signed-off-by: NeilBrown
+Signed-off-by: Song Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 89d4dcc5253e5..f8c111b369928 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -2991,6 +2991,9 @@ slot_store(struct md_rdev *rdev, const char *buf, size_t len)
+ err = kstrtouint(buf, 10, (unsigned int *)&slot);
+ if (err < 0)
+ return err;
++ if (slot < 0)
++ /* overflow */
++ return -ENOSPC;
+ }
+ if (rdev->mddev->pers && slot == -1) {
+ /* Setting 'slot' on an active array requires also
+--
+2.39.2
+
diff --git a/queue-4.19/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch b/queue-4.19/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch
new file mode 100644
index 00000000000..828f9113820
--- /dev/null
+++ b/queue-4.19/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch
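Review bot: The added `if (slot < 0)` check treats the symptom rather than the cause: `kstrtouint(buf, 10, (unsigned int *)&slot)` still parses an unsigned value into an `int` through a pointer cast, and the new test only works because the overflowed bit pattern reads back as negative. Parsing into an `unsigned int` local and range-checking it against INT_MAX before assigning to `slot` makes the intent explicit and removes the cast; the block enclosing the kstrtouint() call and the declaration of `slot` are outside the hunk. `-ENOSPC` is also an unusual code for an out-of-range number — `-ERANGE` is what the kstrto* helpers themselves return on overflow — though either is defensible as long as the comment says why.
```c
		unsigned int tmp;

		err = kstrtouint(buf, 10, &tmp);
		if (err < 0)
			return err;
		if (tmp > INT_MAX)
			/* overflow: slot is an int */
			return -ENOSPC;
		slot = tmp;
```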
@@ -0,0 +1,82 @@
+From 7dc44dd478b56f0036400dab1360a639f849e658 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Mar 2023 19:32:38 -0700
+Subject: sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
+
+From: Linus Torvalds
+
+[ Upstream commit 6015b1aca1a233379625385feb01dd014aca60b5 ]
+
+The getaffinity() system call uses 'cpumask_size()' to decide how big
+the CPU mask is - so far so good. It is indeed the allocation size of a
+cpumask.
+
+But the code also assumes that the whole allocation is initialized
+without actually doing so itself. That's wrong, because we might have
+fixed-size allocations (making copying and clearing more efficient), but
+not all of it is then necessarily used if 'nr_cpu_ids' is smaller.
+
+Having checked other users of 'cpumask_size()', they all seem to be ok,
+either using it purely for the allocation size, or explicitly zeroing
+the cpumask before using the size in bytes to copy it.
+
+See for example the ublk_ctrl_get_queue_affinity() function that uses
+the proper 'zalloc_cpumask_var()' to make sure that the whole mask is
+cleared, whether the storage is on the stack or if it was an external
+allocation.
+
+Fix this by just zeroing the allocation before using it. Do the same
+for the compat version of sched_getaffinity(), which had the same logic.
+
+Also, for consistency, make sched_getaffinity() use 'cpumask_bits()' to
+access the bits. For a cpumask_var_t, it ends up being a pointer to the
+same data either way, but it's just a good idea to treat it like you
+would a 'cpumask_t'. The compat case already did that.
+
+Reported-by: Ryan Roberts
+Link: https://lore.kernel.org/lkml/7d026744-6bd6-6827-0471-b5e8eae0be3f@arm.com/
+Cc: Yury Norov
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ kernel/compat.c | 2 +-
+ kernel/sched/core.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/compat.c b/kernel/compat.c
+index e4548a9e9c52c..5f320b0db8d09 100644
+--- a/kernel/compat.c
++++ b/kernel/compat.c
+@@ -307,7 +307,7 @@ COMPAT_SYSCALL_DEFINE3(sched_getaffinity, compat_pid_t, pid, unsigned int, len,
+ if (len & (sizeof(compat_ulong_t)-1))
+ return -EINVAL;
+ 
+- if (!alloc_cpumask_var(&mask, GFP_KERNEL))
++ if (!zalloc_cpumask_var(&mask, GFP_KERNEL))
+ return -ENOMEM;
+ 
+ ret = sched_getaffinity(pid, mask);
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 207cd446b9d36..8d5a9fa8a951c 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -4953,14 +4953,14 @@ SYSCALL_DEFINE3(sched_getaffinity, pid_t, pid, unsigned int, len,
+ if (len & (sizeof(unsigned long)-1))
+ return -EINVAL;
+ 
+- if (!alloc_cpumask_var(&mask, GFP_KERNEL))
++ if (!zalloc_cpumask_var(&mask, GFP_KERNEL))
+ return -ENOMEM;
+ 
+ ret = sched_getaffinity(pid, mask);
+ if (ret == 0) {
+ unsigned int retlen = min(len, cpumask_size());
+ 
+- if (copy_to_user(user_mask_ptr, mask, retlen))
++ if (copy_to_user(user_mask_ptr, cpumask_bits(mask), retlen))
+ ret = -EFAULT;
+ else
+ ret = retlen;
+--
+2.39.2
+
diff --git a/queue-4.19/series b/queue-4.19/series
index c5a6d379b44..bb0f150bb15 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -51,3 +51,12 @@ ocfs2-fix-data-corruption-after-failed-write.patch
 bus-imx-weim-fix-branch-condition-evaluates-to-a-gar.patch
 drm-meson-fix-error-handling-when-afbcd.ops-init-fai.patch
 drm-meson-fix-missing-component-unbind-on-bind-error.patch
+md-avoid-signed-overflow-in-slot_store.patch
+alsa-asihpi-check-pao-in-control_message.patch
+alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch
+fbdev-tgafb-fix-potential-divide-by-zero.patch
+sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch
+fbdev-nvidia-fix-potential-divide-by-zero.patch
+fbdev-intelfb-fix-potential-divide-by-zero.patch
+fbdev-lxfb-fix-potential-divide-by-zero.patch
+fbdev-au1200fb-fix-potential-divide-by-zero.patch