From: Greg Kroah-Hartman Date: Mon, 8 Jul 2024 12:58:22 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.6.38~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=774061cd99ef7b3689f49f5ebbe2c5092df2f2a8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch drm-amdgpu-atomfirmware-silence-ubsan-warning.patch drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch --- diff --git a/queue-5.4/bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch b/queue-5.4/bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch new file mode 100644 index 00000000000..94b18b98d2b --- /dev/null +++ b/queue-5.4/bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch @@ -0,0 +1,185 @@ +From 134061163ee5ca4759de5c24ca3bd71608891ba7 Mon Sep 17 00:00:00 2001 +From: Ghadi Elie Rahme +Date: Thu, 27 Jun 2024 14:14:05 +0300 +Subject: bnx2x: Fix multiple UBSAN array-index-out-of-bounds + +From: Ghadi Elie Rahme + +commit 134061163ee5ca4759de5c24ca3bd71608891ba7 upstream. + +Fix UBSAN warnings that occur when using a system with 32 physical +cpu cores or more, or when the user defines a number of Ethernet +queues greater than or equal to FP_SB_MAX_E1x using the num_queues +module parameter. + +Currently there is a read/write out of bounds that occurs on the array +"struct stats_query_entry query" present inside the "bnx2x_fw_stats_req" +struct in "drivers/net/ethernet/broadcom/bnx2x/bnx2x.h". +Looking at the definition of the "struct stats_query_entry query" array: + +struct stats_query_entry query[FP_SB_MAX_E1x+ + BNX2X_FIRST_QUEUE_QUERY_IDX]; + +FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and +has a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3 +meaning the array has a total size of 19. +Since accesses to "struct stats_query_entry query" are offset-ted by +BNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet +queues should not exceed FP_SB_MAX_E1x (16). However one of these queues +is reserved for FCOE and thus the number of Ethernet queues should be set +to [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if +it is not. + +This is also described in a comment in the source code in +drivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition +of FP_SB_MAX_E1x. Below is the part of this explanation that it important +for this patch + +/* + * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is + * control by the number of fast-path status blocks supported by the + * device (HW/FW). Each fast-path status block (FP-SB) aka non-default + * status block represents an independent interrupts context that can + * serve a regular L2 networking queue. However special L2 queues such + * as the FCoE queue do not require a FP-SB and other components like + * the CNIC may consume FP-SB reducing the number of possible L2 queues + * + * If the maximum number of FP-SB available is X then: + * a. If CNIC is supported it consumes 1 FP-SB thus the max number of + * regular L2 queues is Y=X-1 + * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor) + * c. If the FCoE L2 queue is supported the actual number of L2 queues + * is Y+1 + * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for + * slow-path interrupts) or Y+2 if CNIC is supported (one additional + * FP interrupt context for the CNIC). + * e. The number of HW context (CID count) is always X or X+1 if FCoE + * L2 queue is supported. The cid for the FCoE L2 queue is always X. + */ + +However this driver also supports NICs that use the E2 controller which can +handle more queues due to having more FP-SB represented by FP_SB_MAX_E2. +Looking at the commits when the E2 support was added, it was originally +using the E1x parameters: commit f2e0899f0f27 ("bnx2x: Add 57712 support"). +Back then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver +was later updated to take full advantage of the E2 instead of having it be +limited to the capabilities of the E1x. But as far as we can tell, the +array "stats_query_entry query" was still limited to using the FP-SB +available to the E1x cards as part of an oversignt when the driver was +updated to take full advantage of the E2, and now with the driver being +aware of the greater queue size supported by E2 NICs, it causes the UBSAN +warnings seen in the stack traces below. + +This patch increases the size of the "stats_query_entry query" array by +replacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle +both types of NICs. + +Stack traces: + +UBSAN: array-index-out-of-bounds in + drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11 +index 20 is out of range for type 'stats_query_entry [19]' +CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic + #202405052133 +Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, + BIOS P89 10/21/2019 +Call Trace: + + dump_stack_lvl+0x76/0xa0 + dump_stack+0x10/0x20 + __ubsan_handle_out_of_bounds+0xcb/0x110 + bnx2x_prep_fw_stats_req+0x2e1/0x310 [bnx2x] + bnx2x_stats_init+0x156/0x320 [bnx2x] + bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x] + bnx2x_nic_load+0x8e8/0x19e0 [bnx2x] + bnx2x_open+0x16b/0x290 [bnx2x] + __dev_open+0x10e/0x1d0 +RIP: 0033:0x736223927a0a +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca + 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 + f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a +RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003 +RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0 +R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00 + +---[ end trace ]--- +------------[ cut here ]------------ +UBSAN: array-index-out-of-bounds in + drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11 +index 28 is out of range for type 'stats_query_entry [19]' +CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic + #202405052133 +Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, + BIOS P89 10/21/2019 +Call Trace: + +dump_stack_lvl+0x76/0xa0 +dump_stack+0x10/0x20 +__ubsan_handle_out_of_bounds+0xcb/0x110 +bnx2x_prep_fw_stats_req+0x2fd/0x310 [bnx2x] +bnx2x_stats_init+0x156/0x320 [bnx2x] +bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x] +bnx2x_nic_load+0x8e8/0x19e0 [bnx2x] +bnx2x_open+0x16b/0x290 [bnx2x] +__dev_open+0x10e/0x1d0 +RIP: 0033:0x736223927a0a +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca + 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 + f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a +RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003 +RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0 +R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00 + +---[ end trace ]--- +------------[ cut here ]------------ +UBSAN: array-index-out-of-bounds in + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8 +index 29 is out of range for type 'stats_query_entry [19]' +CPU: 13 PID: 163 Comm: kworker/u96:1 Not tainted 6.9.0-060900rc7-generic + #202405052133 +Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, + BIOS P89 10/21/2019 +Workqueue: bnx2x bnx2x_sp_task [bnx2x] +Call Trace: + + dump_stack_lvl+0x76/0xa0 + dump_stack+0x10/0x20 + __ubsan_handle_out_of_bounds+0xcb/0x110 + bnx2x_iov_adjust_stats_req+0x3c4/0x3d0 [bnx2x] + bnx2x_storm_stats_post.part.0+0x4a/0x330 [bnx2x] + ? bnx2x_hw_stats_post+0x231/0x250 [bnx2x] + bnx2x_stats_start+0x44/0x70 [bnx2x] + bnx2x_stats_handle+0x149/0x350 [bnx2x] + bnx2x_attn_int_asserted+0x998/0x9b0 [bnx2x] + bnx2x_sp_task+0x491/0x5c0 [bnx2x] + process_one_work+0x18d/0x3f0 + +---[ end trace ]--- + +Fixes: 50f0a562f8cc ("bnx2x: add fcoe statistics") +Signed-off-by: Ghadi Elie Rahme +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20240627111405.1037812-1-ghadi.rahme@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h +@@ -1256,7 +1256,7 @@ enum { + + struct bnx2x_fw_stats_req { + struct stats_query_header hdr; +- struct stats_query_entry query[FP_SB_MAX_E1x+ ++ struct stats_query_entry query[FP_SB_MAX_E2 + + BNX2X_FIRST_QUEUE_QUERY_IDX]; + }; + diff --git a/queue-5.4/drm-amdgpu-atomfirmware-silence-ubsan-warning.patch b/queue-5.4/drm-amdgpu-atomfirmware-silence-ubsan-warning.patch new file mode 100644 index 00000000000..776b4caa72f --- /dev/null +++ b/queue-5.4/drm-amdgpu-atomfirmware-silence-ubsan-warning.patch @@ -0,0 +1,31 @@ +From d0417264437a8fa05f894cabba5a26715b32d78e Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 1 Jul 2024 12:50:10 -0400 +Subject: drm/amdgpu/atomfirmware: silence UBSAN warning + +From: Alex Deucher + +commit d0417264437a8fa05f894cabba5a26715b32d78e upstream. + +This is a variable sized array. + +Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/110420.html +Tested-by: Jeff Layton +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/include/atomfirmware.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/include/atomfirmware.h ++++ b/drivers/gpu/drm/amd/include/atomfirmware.h +@@ -653,7 +653,7 @@ struct atom_gpio_pin_lut_v2_1 + { + struct atom_common_table_header table_header; + /*the real number of this included in the structure is calcualted by using the (whole structure size - the header size)/size of atom_gpio_pin_lut */ +- struct atom_gpio_pin_assignment gpio_pin[8]; ++ struct atom_gpio_pin_assignment gpio_pin[]; + }; + + diff --git a/queue-5.4/drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch b/queue-5.4/drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch new file mode 100644 index 00000000000..d1167bf0e1f --- /dev/null +++ b/queue-5.4/drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch @@ -0,0 +1,35 @@ +From 80bec6825b19d95ccdfd3393cf8ec15ff2a749b4 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Thu, 27 Jun 2024 15:42:04 +0800 +Subject: drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes + +From: Ma Ke + +commit 80bec6825b19d95ccdfd3393cf8ec15ff2a749b4 upstream. + +In nouveau_connector_get_modes(), the return value of drm_mode_duplicate() +is assigned to mode, which will lead to a possible NULL pointer +dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. + +Cc: stable@vger.kernel.org +Fixes: 6ee738610f41 ("drm/nouveau: Add DRM driver for NVIDIA GPUs") +Signed-off-by: Ma Ke +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20240627074204.3023776-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -968,6 +968,9 @@ nouveau_connector_get_modes(struct drm_c + struct drm_display_mode *mode; + + mode = drm_mode_duplicate(dev, nv_connector->native_mode); ++ if (!mode) ++ return 0; ++ + drm_mode_probed_add(connector, mode); + ret = 1; + } diff --git a/queue-5.4/revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch b/queue-5.4/revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch new file mode 100644 index 00000000000..d635dc4208b --- /dev/null +++ b/queue-5.4/revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch @@ -0,0 +1,53 @@ +From 30139c702048f1097342a31302cbd3d478f50c63 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 21 Jun 2024 16:42:37 +0200 +Subject: Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" + +From: Jan Kara + +commit 30139c702048f1097342a31302cbd3d478f50c63 upstream. + +Patch series "mm: Avoid possible overflows in dirty throttling". + +Dirty throttling logic assumes dirty limits in page units fit into +32-bits. This patch series makes sure this is true (see patch 2/2 for +more details). + + +This patch (of 2): + +This reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78. + +The commit is broken in several ways. Firstly, the removed (u64) cast +from the multiplication will introduce a multiplication overflow on 32-bit +archs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the +default settings with 4GB of RAM will trigger this). Secondly, the +div64_u64() is unnecessarily expensive on 32-bit archs. We have +div64_ul() in case we want to be safe & cheap. Thirdly, if dirty +thresholds are larger than 1<<32 pages, then dirty balancing is going to +blow up in many other spectacular ways anyway so trying to fix one +possible overflow is just moot. + +Link: https://lkml.kernel.org/r/20240621144017.30993-1-jack@suse.cz +Link: https://lkml.kernel.org/r/20240621144246.11148-1-jack@suse.cz +Fixes: 9319b647902c ("mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again") +Signed-off-by: Jan Kara +Reviewed-By: Zach O'Keefe +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/page-writeback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -1530,7 +1530,7 @@ static inline void wb_dirty_limits(struc + */ + dtc->wb_thresh = __wb_calc_thresh(dtc); + dtc->wb_bg_thresh = dtc->thresh ? +- div64_u64(dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; ++ div_u64((u64)dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0; + + /* + * In order to avoid the stacked BDI deadlock we need diff --git a/queue-5.4/series b/queue-5.4/series index c176da9369b..909b2faf54d 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -36,3 +36,7 @@ nilfs2-add-missing-check-for-inode-numbers-on-directory-entries.patch mm-optimize-the-redundant-loop-of-mm_update_owner_next.patch can-kvaser_usb-explicitly-initialize-family-in-leafimx-driver_info-struct.patch fsnotify-do-not-generate-events-for-o_path-file-descriptors.patch +revert-mm-writeback-fix-possible-divide-by-zero-in-wb_dirty_limits-again.patch +drm-nouveau-fix-null-pointer-dereference-in-nouveau_connector_get_modes.patch +drm-amdgpu-atomfirmware-silence-ubsan-warning.patch +bnx2x-fix-multiple-ubsan-array-index-out-of-bounds.patch