From: Greg Kroah-Hartman Date: Sat, 9 Nov 2024 12:09:03 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v5.15.172~63 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e233b3795733a040b359e060b6a8a76534d7309;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: can-m_can-m_can_close-don-t-call-free_irq-for-irq-less-devices.patch can-mcp251xfd-mcp251xfd_get_tef_len-fix-length-calculation.patch can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-can-modes.patch ksmbd-check-outstanding-simultaneous-smb-operations.patch ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch ksmbd-fix-the-missing-xa_store-error-check.patch media-ar0521-don-t-overflow-when-checking-pll-values.patch media-cx24116-prevent-overflows-on-snr-calculus.patch media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch media-s5p-jpeg-prevent-buffer-overflows.patch media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch --- diff --git a/queue-6.6/can-m_can-m_can_close-don-t-call-free_irq-for-irq-less-devices.patch b/queue-6.6/can-m_can-m_can_close-don-t-call-free_irq-for-irq-less-devices.patch new file mode 100644 index 00000000000..cfbd98ac861 --- /dev/null +++ b/queue-6.6/can-m_can-m_can_close-don-t-call-free_irq-for-irq-less-devices.patch @@ -0,0 +1,42 @@ +From e4de81f9e134c78ff7c75a00e43bd819643530d0 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Mon, 30 Sep 2024 19:02:30 +0200 +Subject: can: m_can: m_can_close(): don't call free_irq() for IRQ-less devices + +From: Marc Kleine-Budde + +commit e4de81f9e134c78ff7c75a00e43bd819643530d0 upstream. + +In commit b382380c0d2d ("can: m_can: Add hrtimer to generate software +interrupt") support for IRQ-less devices was added. Instead of an +interrupt, the interrupt routine is called by a hrtimer-based polling +loop. + +That patch forgot to change free_irq() to be only called for devices +with IRQs. Fix this, by calling free_irq() conditionally only if an +IRQ is available for the device (and thus has been requested +previously). + +Fixes: b382380c0d2d ("can: m_can: Add hrtimer to generate software interrupt") +Reviewed-by: Simon Horman +Reviewed-by: Markus Schneider-Pargmann +Link: https://patch.msgid.link/20240930-m_can-cleanups-v1-1-001c579cdee4@pengutronix.de +Cc: # v6.6+ +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/m_can/m_can.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -1600,7 +1600,8 @@ static int m_can_close(struct net_device + netif_stop_queue(dev); + + m_can_stop(dev); +- free_irq(dev->irq, dev); ++ if (dev->irq) ++ free_irq(dev->irq, dev); + + if (cdev->is_peripheral) { + cdev->tx_skb = NULL; diff --git a/queue-6.6/can-mcp251xfd-mcp251xfd_get_tef_len-fix-length-calculation.patch b/queue-6.6/can-mcp251xfd-mcp251xfd_get_tef_len-fix-length-calculation.patch new file mode 100644 index 00000000000..b80158d651c --- /dev/null +++ b/queue-6.6/can-mcp251xfd-mcp251xfd_get_tef_len-fix-length-calculation.patch @@ -0,0 +1,63 @@ +From 3c1c18551e6ac1b988d0a05c5650e3f6c95a1b8a Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Tue, 1 Oct 2024 16:56:22 +0200 +Subject: can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation + +From: Marc Kleine-Budde + +commit 3c1c18551e6ac1b988d0a05c5650e3f6c95a1b8a upstream. + +Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround +broken TEF FIFO tail index erratum") introduced +mcp251xfd_get_tef_len() to get the number of unhandled transmit events +from the Transmit Event FIFO (TEF). + +As the TEF has no head pointer, the driver uses the TX FIFO's tail +pointer instead, assuming that send frames are completed. However the +check for the TEF being full was not correct. This leads to the driver +stop working if the TEF is full. + +Fix the TEF full check by assuming that if, from the driver's point of +view, there are no free TX buffers in the chip and the TX FIFO is +empty, all messages must have been sent and the TEF must therefore be +full. + +Reported-by: Sven Schuchmann +Closes: https://patch.msgid.link/FR3P281MB155216711EFF900AD9791B7ED9692@FR3P281MB1552.DEUP281.PROD.OUTLOOK.COM +Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum") +Tested-by: Sven Schuchmann +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20241104-mcp251xfd-fix-length-calculation-v3-1-608b6e7e2197@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c +@@ -16,9 +16,9 @@ + + #include "mcp251xfd.h" + +-static inline bool mcp251xfd_tx_fifo_sta_full(u32 fifo_sta) ++static inline bool mcp251xfd_tx_fifo_sta_empty(u32 fifo_sta) + { +- return !(fifo_sta & MCP251XFD_REG_FIFOSTA_TFNRFNIF); ++ return fifo_sta & MCP251XFD_REG_FIFOSTA_TFERFFIF; + } + + static inline int +@@ -122,7 +122,11 @@ mcp251xfd_get_tef_len(struct mcp251xfd_p + if (err) + return err; + +- if (mcp251xfd_tx_fifo_sta_full(fifo_sta)) { ++ /* If the chip says the TX-FIFO is empty, but there are no TX ++ * buffers free in the ring, we assume all have been sent. ++ */ ++ if (mcp251xfd_tx_fifo_sta_empty(fifo_sta) && ++ mcp251xfd_get_tx_free(tx_ring) == 0) { + *len_p = tx_ring->obj_num; + return 0; + } diff --git a/queue-6.6/can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-can-modes.patch b/queue-6.6/can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-can-modes.patch new file mode 100644 index 00000000000..d5c176b6962 --- /dev/null +++ b/queue-6.6/can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-can-modes.patch @@ -0,0 +1,69 @@ +From eb9a839b3d8a989be5970035a5cf29bcd6ffd24d Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Fri, 25 Oct 2024 14:34:40 +0200 +Subject: can: mcp251xfd: mcp251xfd_ring_alloc(): fix coalescing configuration when switching CAN modes + +From: Marc Kleine-Budde + +commit eb9a839b3d8a989be5970035a5cf29bcd6ffd24d upstream. + +Since commit 50ea5449c563 ("can: mcp251xfd: fix ring configuration +when switching from CAN-CC to CAN-FD mode"), the current ring and +coalescing configuration is passed to can_ram_get_layout(). That fixed +the issue when switching between CAN-CC and CAN-FD mode with +configured ring (rx, tx) and/or coalescing parameters (rx-frames-irq, +tx-frames-irq). + +However 50ea5449c563 ("can: mcp251xfd: fix ring configuration when +switching from CAN-CC to CAN-FD mode"), introduced a regression when +switching CAN modes with disabled coalescing configuration: Even if +the previous CAN mode has no coalescing configured, the new mode is +configured with active coalescing. This leads to delayed receiving of +CAN-FD frames. + +This comes from the fact, that ethtool uses usecs = 0 and max_frames = +1 to disable coalescing, however the driver uses internally +priv->{rx,tx}_obj_num_coalesce_irq = 0 to indicate disabled +coalescing. + +Fix the regression by assigning struct ethtool_coalesce +ec->{rx,tx}_max_coalesced_frames_irq = 1 if coalescing is disabled in +the driver as can_ram_get_layout() expects this. + +Reported-by: https://github.com/vdh-robothania +Closes: https://github.com/raspberrypi/linux/issues/6407 +Fixes: 50ea5449c563 ("can: mcp251xfd: fix ring configuration when switching from CAN-CC to CAN-FD mode") +Cc: stable@vger.kernel.org +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241025-mcp251xfd-fix-coalesing-v1-1-9d11416de1df@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c +@@ -2,7 +2,7 @@ + // + // mcp251xfd - Microchip MCP251xFD Family CAN controller driver + // +-// Copyright (c) 2019, 2020, 2021 Pengutronix, ++// Copyright (c) 2019, 2020, 2021, 2024 Pengutronix, + // Marc Kleine-Budde + // + // Based on: +@@ -483,9 +483,11 @@ int mcp251xfd_ring_alloc(struct mcp251xf + }; + const struct ethtool_coalesce ec = { + .rx_coalesce_usecs_irq = priv->rx_coalesce_usecs_irq, +- .rx_max_coalesced_frames_irq = priv->rx_obj_num_coalesce_irq, ++ .rx_max_coalesced_frames_irq = priv->rx_obj_num_coalesce_irq == 0 ? ++ 1 : priv->rx_obj_num_coalesce_irq, + .tx_coalesce_usecs_irq = priv->tx_coalesce_usecs_irq, +- .tx_max_coalesced_frames_irq = priv->tx_obj_num_coalesce_irq, ++ .tx_max_coalesced_frames_irq = priv->tx_obj_num_coalesce_irq == 0 ? ++ 1 : priv->tx_obj_num_coalesce_irq, + }; + struct can_ram_layout layout; + diff --git a/queue-6.6/ksmbd-check-outstanding-simultaneous-smb-operations.patch b/queue-6.6/ksmbd-check-outstanding-simultaneous-smb-operations.patch new file mode 100644 index 00000000000..237cf71590b --- /dev/null +++ b/queue-6.6/ksmbd-check-outstanding-simultaneous-smb-operations.patch @@ -0,0 +1,137 @@ +From 0a77d947f599b1f39065015bec99390d0c0022ee Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Mon, 4 Nov 2024 13:43:06 +0900 +Subject: ksmbd: check outstanding simultaneous SMB operations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Namjae Jeon + +commit 0a77d947f599b1f39065015bec99390d0c0022ee upstream. + +If Client send simultaneous SMB operations to ksmbd, It exhausts too much +memory through the "ksmbd_work_cache”. It will cause OOM issue. +ksmbd has a credit mechanism but it can't handle this problem. This patch +add the check if it exceeds max credits to prevent this problem by assuming +that one smb request consumes at least one credit. + +Cc: stable@vger.kernel.org # v5.15+ +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/connection.c | 1 + + fs/smb/server/connection.h | 1 + + fs/smb/server/server.c | 16 ++++++++++------ + fs/smb/server/smb_common.c | 10 +++++++--- + fs/smb/server/smb_common.h | 2 +- + 5 files changed, 20 insertions(+), 10 deletions(-) + +--- a/fs/smb/server/connection.c ++++ b/fs/smb/server/connection.c +@@ -70,6 +70,7 @@ struct ksmbd_conn *ksmbd_conn_alloc(void + atomic_set(&conn->req_running, 0); + atomic_set(&conn->r_count, 0); + atomic_set(&conn->refcnt, 1); ++ atomic_set(&conn->mux_smb_requests, 0); + conn->total_credits = 1; + conn->outstanding_credits = 0; + +--- a/fs/smb/server/connection.h ++++ b/fs/smb/server/connection.h +@@ -107,6 +107,7 @@ struct ksmbd_conn { + __le16 signing_algorithm; + bool binding; + atomic_t refcnt; ++ atomic_t mux_smb_requests; + }; + + struct ksmbd_conn_ops { +--- a/fs/smb/server/server.c ++++ b/fs/smb/server/server.c +@@ -270,6 +270,7 @@ static void handle_ksmbd_work(struct wor + + ksmbd_conn_try_dequeue_request(work); + ksmbd_free_work_struct(work); ++ atomic_dec(&conn->mux_smb_requests); + /* + * Checking waitqueue to dropping pending requests on + * disconnection. waitqueue_active is safe because it +@@ -291,6 +292,15 @@ static int queue_ksmbd_work(struct ksmbd + struct ksmbd_work *work; + int err; + ++ err = ksmbd_init_smb_server(conn); ++ if (err) ++ return 0; ++ ++ if (atomic_inc_return(&conn->mux_smb_requests) >= conn->vals->max_credits) { ++ atomic_dec_return(&conn->mux_smb_requests); ++ return -ENOSPC; ++ } ++ + work = ksmbd_alloc_work_struct(); + if (!work) { + pr_err("allocation for work failed\n"); +@@ -301,12 +311,6 @@ static int queue_ksmbd_work(struct ksmbd + work->request_buf = conn->request_buf; + conn->request_buf = NULL; + +- err = ksmbd_init_smb_server(work); +- if (err) { +- ksmbd_free_work_struct(work); +- return 0; +- } +- + ksmbd_conn_enqueue_request(work); + atomic_inc(&conn->r_count); + /* update activity on connection */ +--- a/fs/smb/server/smb_common.c ++++ b/fs/smb/server/smb_common.c +@@ -388,6 +388,10 @@ static struct smb_version_ops smb1_serve + .set_rsp_status = set_smb1_rsp_status, + }; + ++static struct smb_version_values smb1_server_values = { ++ .max_credits = SMB2_MAX_CREDITS, ++}; ++ + static int smb1_negotiate(struct ksmbd_work *work) + { + return ksmbd_smb_negotiate_common(work, SMB_COM_NEGOTIATE); +@@ -399,18 +403,18 @@ static struct smb_version_cmds smb1_serv + + static int init_smb1_server(struct ksmbd_conn *conn) + { ++ conn->vals = &smb1_server_values; + conn->ops = &smb1_server_ops; + conn->cmds = smb1_server_cmds; + conn->max_cmds = ARRAY_SIZE(smb1_server_cmds); + return 0; + } + +-int ksmbd_init_smb_server(struct ksmbd_work *work) ++int ksmbd_init_smb_server(struct ksmbd_conn *conn) + { +- struct ksmbd_conn *conn = work->conn; + __le32 proto; + +- proto = *(__le32 *)((struct smb_hdr *)work->request_buf)->Protocol; ++ proto = *(__le32 *)((struct smb_hdr *)conn->request_buf)->Protocol; + if (conn->need_neg == false) { + if (proto == SMB1_PROTO_NUMBER) + return -EINVAL; +--- a/fs/smb/server/smb_common.h ++++ b/fs/smb/server/smb_common.h +@@ -427,7 +427,7 @@ bool ksmbd_smb_request(struct ksmbd_conn + + int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count); + +-int ksmbd_init_smb_server(struct ksmbd_work *work); ++int ksmbd_init_smb_server(struct ksmbd_conn *conn); + + struct ksmbd_kstat; + int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work, diff --git a/queue-6.6/ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch b/queue-6.6/ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch new file mode 100644 index 00000000000..a59f59e267b --- /dev/null +++ b/queue-6.6/ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch @@ -0,0 +1,57 @@ +From 0a77715db22611df50b178374c51e2ba0d58866e Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sat, 2 Nov 2024 18:46:38 +0900 +Subject: ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create + +From: Namjae Jeon + +commit 0a77715db22611df50b178374c51e2ba0d58866e upstream. + +There is a race condition between ksmbd_smb2_session_create and +ksmbd_expire_session. This patch add missing sessions_table_lock +while adding/deleting session from global session table. + +Cc: stable@vger.kernel.org # v5.15+ +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/mgmt/user_session.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -174,6 +174,7 @@ static void ksmbd_expire_session(struct + unsigned long id; + struct ksmbd_session *sess; + ++ down_write(&sessions_table_lock); + down_write(&conn->session_lock); + xa_for_each(&conn->sessions, id, sess) { + if (atomic_read(&sess->refcnt) == 0 && +@@ -187,6 +188,7 @@ static void ksmbd_expire_session(struct + } + } + up_write(&conn->session_lock); ++ up_write(&sessions_table_lock); + } + + int ksmbd_session_register(struct ksmbd_conn *conn, +@@ -228,7 +230,6 @@ void ksmbd_sessions_deregister(struct ks + } + } + } +- up_write(&sessions_table_lock); + + down_write(&conn->session_lock); + xa_for_each(&conn->sessions, id, sess) { +@@ -248,6 +249,7 @@ void ksmbd_sessions_deregister(struct ks + } + } + up_write(&conn->session_lock); ++ up_write(&sessions_table_lock); + } + + struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn, diff --git a/queue-6.6/ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch b/queue-6.6/ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch new file mode 100644 index 00000000000..a315670387d --- /dev/null +++ b/queue-6.6/ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch @@ -0,0 +1,38 @@ +From b8fc56fbca7482c1e5c0e3351c6ae78982e25ada Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Mon, 4 Nov 2024 13:40:41 +0900 +Subject: ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp + +From: Namjae Jeon + +commit b8fc56fbca7482c1e5c0e3351c6ae78982e25ada upstream. + +ksmbd_user_session_put should be called under smb3_preauth_hash_rsp(). +It will avoid freeing session before calling smb3_preauth_hash_rsp(). + +Cc: stable@vger.kernel.org # v5.15+ +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/server.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/server.c ++++ b/fs/smb/server/server.c +@@ -238,11 +238,11 @@ static void __handle_ksmbd_work(struct k + } while (is_chained == true); + + send: +- if (work->sess) +- ksmbd_user_session_put(work->sess); + if (work->tcon) + ksmbd_tree_connect_put(work->tcon); + smb3_preauth_hash_rsp(work); ++ if (work->sess) ++ ksmbd_user_session_put(work->sess); + if (work->sess && work->sess->enc && work->encrypted && + conn->ops->encrypt_resp) { + rc = conn->ops->encrypt_resp(work); diff --git a/queue-6.6/ksmbd-fix-the-missing-xa_store-error-check.patch b/queue-6.6/ksmbd-fix-the-missing-xa_store-error-check.patch new file mode 100644 index 00000000000..9e53ece6d8d --- /dev/null +++ b/queue-6.6/ksmbd-fix-the-missing-xa_store-error-check.patch @@ -0,0 +1,57 @@ +From 3abab905b14f4ba756d413f37f1fb02b708eee93 Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Mon, 28 Oct 2024 08:28:30 +0900 +Subject: ksmbd: Fix the missing xa_store error check + +From: Jinjie Ruan + +commit 3abab905b14f4ba756d413f37f1fb02b708eee93 upstream. + +xa_store() can fail, it return xa_err(-EINVAL) if the entry cannot +be stored in an XArray, or xa_err(-ENOMEM) if memory allocation failed, +so check error for xa_store() to fix it. + +Cc: stable@vger.kernel.org +Fixes: b685757c7b08 ("ksmbd: Implements sess->rpc_handle_list as xarray") +Signed-off-by: Jinjie Ruan +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/mgmt/user_session.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -90,7 +90,7 @@ static int __rpc_method(char *rpc_name) + + int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name) + { +- struct ksmbd_session_rpc *entry; ++ struct ksmbd_session_rpc *entry, *old; + struct ksmbd_rpc_command *resp; + int method; + +@@ -106,16 +106,19 @@ int ksmbd_session_rpc_open(struct ksmbd_ + entry->id = ksmbd_ipc_id_alloc(); + if (entry->id < 0) + goto free_entry; +- xa_store(&sess->rpc_handle_list, entry->id, entry, GFP_KERNEL); ++ old = xa_store(&sess->rpc_handle_list, entry->id, entry, GFP_KERNEL); ++ if (xa_is_err(old)) ++ goto free_id; + + resp = ksmbd_rpc_open(sess, entry->id); + if (!resp) +- goto free_id; ++ goto erase_xa; + + kvfree(resp); + return entry->id; +-free_id: ++erase_xa: + xa_erase(&sess->rpc_handle_list, entry->id); ++free_id: + ksmbd_rpc_id_free(entry->id); + free_entry: + kfree(entry); diff --git a/queue-6.6/media-ar0521-don-t-overflow-when-checking-pll-values.patch b/queue-6.6/media-ar0521-don-t-overflow-when-checking-pll-values.patch new file mode 100644 index 00000000000..3b2181fa22f --- /dev/null +++ b/queue-6.6/media-ar0521-don-t-overflow-when-checking-pll-values.patch @@ -0,0 +1,39 @@ +From 438d3085ba5b8b5bfa5290faa594e577f6ac9aa7 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 11:38:10 +0200 +Subject: media: ar0521: don't overflow when checking PLL values + +From: Mauro Carvalho Chehab + +commit 438d3085ba5b8b5bfa5290faa594e577f6ac9aa7 upstream. + +The PLL checks are comparing 64 bit integers with 32 bit +ones, as reported by Coverity. Depending on the values of +the variables, this may underflow. + +Fix it ensuring that both sides of the expression are u64. + +Fixes: 852b50aeed15 ("media: On Semi AR0521 sensor driver") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Sakari Ailus +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ar0521.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/ar0521.c ++++ b/drivers/media/i2c/ar0521.c +@@ -257,10 +257,10 @@ static u32 calc_pll(struct ar0521_dev *s + continue; /* Minimum value */ + if (new_mult > 254) + break; /* Maximum, larger pre won't work either */ +- if (sensor->extclk_freq * (u64)new_mult < AR0521_PLL_MIN * ++ if (sensor->extclk_freq * (u64)new_mult < (u64)AR0521_PLL_MIN * + new_pre) + continue; +- if (sensor->extclk_freq * (u64)new_mult > AR0521_PLL_MAX * ++ if (sensor->extclk_freq * (u64)new_mult > (u64)AR0521_PLL_MAX * + new_pre) + break; /* Larger pre won't work either */ + new_pll = div64_round_up(sensor->extclk_freq * (u64)new_mult, diff --git a/queue-6.6/media-cx24116-prevent-overflows-on-snr-calculus.patch b/queue-6.6/media-cx24116-prevent-overflows-on-snr-calculus.patch new file mode 100644 index 00000000000..92da5b91ff7 --- /dev/null +++ b/queue-6.6/media-cx24116-prevent-overflows-on-snr-calculus.patch @@ -0,0 +1,46 @@ +From 576a307a7650bd544fbb24df801b9b7863b85e2f Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 12:14:11 +0200 +Subject: media: cx24116: prevent overflows on SNR calculus + +From: Mauro Carvalho Chehab + +commit 576a307a7650bd544fbb24df801b9b7863b85e2f upstream. + +as reported by Coverity, if reading SNR registers fail, a negative +number will be returned, causing an underflow when reading SNR +registers. + +Prevent that. + +Fixes: 8953db793d5b ("V4L/DVB (9178): cx24116: Add module parameter to return SNR as ESNO.") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-frontends/cx24116.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb-frontends/cx24116.c ++++ b/drivers/media/dvb-frontends/cx24116.c +@@ -741,6 +741,7 @@ static int cx24116_read_snr_pct(struct d + { + struct cx24116_state *state = fe->demodulator_priv; + u8 snr_reading; ++ int ret; + static const u32 snr_tab[] = { /* 10 x Table (rounded up) */ + 0x00000, 0x0199A, 0x03333, 0x04ccD, 0x06667, + 0x08000, 0x0999A, 0x0b333, 0x0cccD, 0x0e667, +@@ -749,7 +750,11 @@ static int cx24116_read_snr_pct(struct d + + dprintk("%s()\n", __func__); + +- snr_reading = cx24116_readreg(state, CX24116_REG_QUALITY0); ++ ret = cx24116_readreg(state, CX24116_REG_QUALITY0); ++ if (ret < 0) ++ return ret; ++ ++ snr_reading = ret; + + if (snr_reading >= 0xa0 /* 100% */) + *snr = 0xffff; diff --git a/queue-6.6/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch b/queue-6.6/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch new file mode 100644 index 00000000000..1250989104a --- /dev/null +++ b/queue-6.6/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch @@ -0,0 +1,57 @@ +From ba9cf6b430433e57bfc8072364e944b7c0eca2a4 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Wed, 16 Oct 2024 11:24:15 +0200 +Subject: media: pulse8-cec: fix data timestamp at pulse8_setup() + +From: Mauro Carvalho Chehab + +commit ba9cf6b430433e57bfc8072364e944b7c0eca2a4 upstream. + +As pointed by Coverity, there is a hidden overflow condition there. +As date is signed and u8 is unsigned, doing: + + date = (data[0] << 24) + +With a value bigger than 07f will make all upper bits of date +0xffffffff. This can be demonstrated with this small code: + + +typedef int64_t time64_t; +typedef uint8_t u8; + +int main(void) +{ + u8 data[] = { 0xde ,0xad , 0xbe, 0xef }; + time64_t date; + + date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; + printf("Invalid data = 0x%08lx\n", date); + + date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; + printf("Expected data = 0x%08lx\n", date); + + return 0; +} + + +Fix it by converting the upper bit calculation to unsigned. + +Fixes: cea28e7a55e7 ("media: pulse8-cec: reorganize function order") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/cec/usb/pulse8/pulse8-cec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/cec/usb/pulse8/pulse8-cec.c ++++ b/drivers/media/cec/usb/pulse8/pulse8-cec.c +@@ -685,7 +685,7 @@ static int pulse8_setup(struct pulse8 *p + err = pulse8_send_and_wait(pulse8, cmd, 1, cmd[0], 4); + if (err) + return err; +- date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; ++ date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; + dev_info(pulse8->dev, "Firmware build date %ptT\n", &date); + + dev_dbg(pulse8->dev, "Persistent config:\n"); diff --git a/queue-6.6/media-s5p-jpeg-prevent-buffer-overflows.patch b/queue-6.6/media-s5p-jpeg-prevent-buffer-overflows.patch new file mode 100644 index 00000000000..9b0f172f21f --- /dev/null +++ b/queue-6.6/media-s5p-jpeg-prevent-buffer-overflows.patch @@ -0,0 +1,87 @@ +From 14a22762c3daeac59a5a534e124acbb4d7a79b3a Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 11:10:31 +0200 +Subject: media: s5p-jpeg: prevent buffer overflows + +From: Mauro Carvalho Chehab + +commit 14a22762c3daeac59a5a534e124acbb4d7a79b3a upstream. + +The current logic allows word to be less than 2. If this happens, +there will be buffer overflows, as reported by smatch. Add extra +checks to prevent it. + +While here, remove an unused word = 0 assignment. + +Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jacek Anaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c ++++ b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c +@@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_ + (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2; + jpeg_buffer.curr = 0; + +- word = 0; +- + if (get_word_be(&jpeg_buffer, &word)) + return; +- jpeg_buffer.size = (long)word - 2; ++ ++ if (word < 2) ++ jpeg_buffer.size = 0; ++ else ++ jpeg_buffer.size = (long)word - 2; ++ + jpeg_buffer.data += 2; + jpeg_buffer.curr = 0; + +@@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_b + if (byte == -1) + return -1; + *word = (unsigned int)byte | temp; ++ + return 0; + } + +@@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5 + if (get_word_be(&jpeg_buffer, &word)) + break; + length = (long)word - 2; +- if (!length) ++ if (length <= 0) + return false; + sof = jpeg_buffer.curr; /* after 0xffc0 */ + sof_len = length; +@@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5 + if (get_word_be(&jpeg_buffer, &word)) + break; + length = (long)word - 2; +- if (!length) ++ if (length <= 0) + return false; + if (n_dqt >= S5P_JPEG_MAX_MARKER) + return false; +@@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5 + if (get_word_be(&jpeg_buffer, &word)) + break; + length = (long)word - 2; +- if (!length) ++ if (length <= 0) + return false; + if (n_dht >= S5P_JPEG_MAX_MARKER) + return false; +@@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5 + if (get_word_be(&jpeg_buffer, &word)) + break; + length = (long)word - 2; ++ /* No need to check underflows as skip() does it */ + skip(&jpeg_buffer, length); + break; + } diff --git a/queue-6.6/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch b/queue-6.6/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch new file mode 100644 index 00000000000..158608f9032 --- /dev/null +++ b/queue-6.6/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch @@ -0,0 +1,68 @@ +From 4c76f331a9a173ac8fe1297a9231c2a38f88e368 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 14:23:38 +0200 +Subject: media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl() + +From: Mauro Carvalho Chehab + +commit 4c76f331a9a173ac8fe1297a9231c2a38f88e368 upstream. + +As detected by Coverity, the error check logic at get_ctrl() is +broken: if ptr_to_user() fails to fill a control due to an error, +no errors are returned and v4l2_g_ctrl() returns success on a +failed operation, which may cause applications to fail. + +Add an error check at get_ctrl() and ensure that it will +be returned to userspace without filling the control value if +get_ctrl() fails. + +Fixes: 71c689dc2e73 ("media: v4l2-ctrls: split up into four source files") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ctrls-api.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls-api.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c +@@ -753,9 +753,10 @@ static int get_ctrl(struct v4l2_ctrl *ct + for (i = 0; i < master->ncontrols; i++) + cur_to_new(master->cluster[i]); + ret = call_op(master, g_volatile_ctrl); +- new_to_user(c, ctrl); ++ if (!ret) ++ ret = new_to_user(c, ctrl); + } else { +- cur_to_user(c, ctrl); ++ ret = cur_to_user(c, ctrl); + } + v4l2_ctrl_unlock(master); + return ret; +@@ -770,7 +771,10 @@ int v4l2_g_ctrl(struct v4l2_ctrl_handler + if (!ctrl || !ctrl->is_int) + return -EINVAL; + ret = get_ctrl(ctrl, &c); +- control->value = c.value; ++ ++ if (!ret) ++ control->value = c.value; ++ + return ret; + } + EXPORT_SYMBOL(v4l2_g_ctrl); +@@ -811,10 +815,11 @@ static int set_ctrl_lock(struct v4l2_fh + int ret; + + v4l2_ctrl_lock(ctrl); +- user_to_new(c, ctrl); +- ret = set_ctrl(fh, ctrl, 0); ++ ret = user_to_new(c, ctrl); ++ if (!ret) ++ ret = set_ctrl(fh, ctrl, 0); + if (!ret) +- cur_to_user(c, ctrl); ++ ret = cur_to_user(c, ctrl); + v4l2_ctrl_unlock(ctrl); + return ret; + } diff --git a/queue-6.6/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch b/queue-6.6/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch new file mode 100644 index 00000000000..8927e22c4db --- /dev/null +++ b/queue-6.6/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch @@ -0,0 +1,36 @@ +From e6a3ea83fbe15d4818d01804e904cbb0e64e543b Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Wed, 16 Oct 2024 11:53:15 +0200 +Subject: media: v4l2-tpg: prevent the risk of a division by zero + +From: Mauro Carvalho Chehab + +commit e6a3ea83fbe15d4818d01804e904cbb0e64e543b upstream. + +As reported by Coverity, the logic at tpg_precalculate_line() +blindly rescales the buffer even when scaled_witdh is equal to +zero. If this ever happens, this will cause a division by zero. + +Instead, add a WARN_ON_ONCE() to trigger such cases and return +without doing any precalculation. + +Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c ++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c +@@ -1795,6 +1795,9 @@ static void tpg_precalculate_line(struct + unsigned p; + unsigned x; + ++ if (WARN_ON_ONCE(!tpg->src_width || !tpg->scaled_width)) ++ return; ++ + switch (tpg->pattern) { + case TPG_PAT_GREEN: + contrast = TPG_COLOR_100_RED; diff --git a/queue-6.6/series b/queue-6.6/series index 8932ca7a761..ad6ca1fd9fb 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -58,3 +58,16 @@ tools-lib-thermal-fix-sampling-handler-context-ptr.patch thermal-of-support-thermal-zones-w-o-trips-subnode.patch asoc-stm32-spdifrx-fix-dma-channel-release-in-stm32_.patch asoc-sof-sof-client-probes-ipc4-set-param_size-exten.patch +media-ar0521-don-t-overflow-when-checking-pll-values.patch +media-s5p-jpeg-prevent-buffer-overflows.patch +media-cx24116-prevent-overflows-on-snr-calculus.patch +media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch +media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch +media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch +can-m_can-m_can_close-don-t-call-free_irq-for-irq-less-devices.patch +can-mcp251xfd-mcp251xfd_get_tef_len-fix-length-calculation.patch +can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-can-modes.patch +ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch +ksmbd-check-outstanding-simultaneous-smb-operations.patch +ksmbd-fix-the-missing-xa_store-error-check.patch +ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch