From: Sasha Levin Date: Mon, 17 Mar 2025 14:33:54 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v6.6.84~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=86cd4a652bfe8d6763d7a1e8c1866f64a2da6146;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/asoc-codecs-wm0010-fix-error-handling-path-in-wm0010.patch b/queue-5.15/asoc-codecs-wm0010-fix-error-handling-path-in-wm0010.patch new file mode 100644 index 0000000000..8b8ac10e6e --- /dev/null +++ b/queue-5.15/asoc-codecs-wm0010-fix-error-handling-path-in-wm0010.patch @@ -0,0 +1,59 @@ +From c29b89bce5256bda0e516a4a671a4ffc354fa2d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 18:45:36 +0100 +Subject: ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() + +From: Christophe JAILLET + +[ Upstream commit ed92bc5264c4357d4fca292c769ea9967cd3d3b6 ] + +Free some resources in the error handling path of the probe, as already +done in the remove function. + +Fixes: e3523e01869d ("ASoC: wm0010: Add initial wm0010 DSP driver") +Fixes: fd8b96574456 ("ASoC: wm0010: Clear IRQ as wake source and include missing header") +Signed-off-by: Christophe JAILLET +Reviewed-by: Charles Keepax +Link: https://patch.msgid.link/5139ba1ab8c4c157ce04e56096a0f54a1683195c.1741549792.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm0010.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/wm0010.c b/sound/soc/codecs/wm0010.c +index 28b4656c4e149..b2f87af1bfc87 100644 +--- a/sound/soc/codecs/wm0010.c ++++ b/sound/soc/codecs/wm0010.c +@@ -952,7 +952,7 @@ static int wm0010_spi_probe(struct spi_device *spi) + if (ret) { + dev_err(wm0010->dev, "Failed to set IRQ %d as wake source: %d\n", + irq, ret); +- return ret; ++ goto free_irq; + } + + if (spi->max_speed_hz) +@@ -964,9 +964,18 @@ static int wm0010_spi_probe(struct spi_device *spi) + &soc_component_dev_wm0010, wm0010_dai, + ARRAY_SIZE(wm0010_dai)); + if (ret < 0) +- return ret; ++ goto disable_irq_wake; + + return 0; ++ ++disable_irq_wake: ++ irq_set_irq_wake(wm0010->irq, 0); ++ ++free_irq: ++ if (wm0010->irq) ++ free_irq(wm0010->irq, wm0010); ++ ++ return ret; + } + + static int wm0010_spi_remove(struct spi_device *spi) +-- +2.39.5 + diff --git a/queue-5.15/asoc-ops-consistently-treat-platform_max-as-control-.patch b/queue-5.15/asoc-ops-consistently-treat-platform_max-as-control-.patch new file mode 100644 index 0000000000..7296f64f93 --- /dev/null +++ b/queue-5.15/asoc-ops-consistently-treat-platform_max-as-control-.patch @@ -0,0 +1,106 @@ +From 0ff6175cfdeae8b56a9bb68f57746bec6a53f797 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Feb 2025 15:14:56 +0000 +Subject: ASoC: ops: Consistently treat platform_max as control value + +From: Charles Keepax + +[ Upstream commit 0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3 ] + +This reverts commit 9bdd10d57a88 ("ASoC: ops: Shift tested values in +snd_soc_put_volsw() by +min"), and makes some additional related +updates. + +There are two ways the platform_max could be interpreted; the maximum +register value, or the maximum value the control can be set to. The +patch moved from treating the value as a control value to a register +one. When the patch was applied it was technically correct as +snd_soc_limit_volume() also used the register interpretation. However, +even then most of the other usages treated platform_max as a +control value, and snd_soc_limit_volume() has since been updated to +also do so in commit fb9ad24485087 ("ASoC: ops: add correct range +check for limiting volume"). That patch however, missed updating +snd_soc_put_volsw() back to the control interpretation, and fixing +snd_soc_info_volsw_range(). The control interpretation makes more +sense as limiting is typically done from the machine driver, so it is +appropriate to use the customer facing representation rather than the +internal codec representation. Update all the code to consistently use +this interpretation of platform_max. + +Finally, also add some comments to the soc_mixer_control struct to +hopefully avoid further patches switching between the two approaches. + +Fixes: fb9ad24485087 ("ASoC: ops: add correct range check for limiting volume") +Signed-off-by: Charles Keepax +Link: https://patch.msgid.link/20250228151456.3703342-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/sound/soc.h | 5 ++++- + sound/soc/soc-ops.c | 15 +++++++-------- + 2 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/include/sound/soc.h b/include/sound/soc.h +index 3f0369aae2faf..42358dbc19b8c 100644 +--- a/include/sound/soc.h ++++ b/include/sound/soc.h +@@ -1113,7 +1113,10 @@ void snd_soc_close_delayed_work(struct snd_soc_pcm_runtime *rtd); + + /* mixer control */ + struct soc_mixer_control { +- int min, max, platform_max; ++ /* Minimum and maximum specified as written to the hardware */ ++ int min, max; ++ /* Limited maximum value specified as presented through the control */ ++ int platform_max; + int reg, rreg; + unsigned int shift, rshift; + unsigned int sign_bit; +diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c +index 57caa91a4376e..d8d0a26a554de 100644 +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -317,7 +317,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol, + mask = BIT(sign_bit + 1) - 1; + + val = ucontrol->value.integer.value[0]; +- if (mc->platform_max && ((int)val + min) > mc->platform_max) ++ if (mc->platform_max && val > mc->platform_max) + return -EINVAL; + if (val > max - min) + return -EINVAL; +@@ -330,7 +330,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol, + val = val << shift; + if (snd_soc_volsw_is_stereo(mc)) { + val2 = ucontrol->value.integer.value[1]; +- if (mc->platform_max && ((int)val2 + min) > mc->platform_max) ++ if (mc->platform_max && val2 > mc->platform_max) + return -EINVAL; + if (val2 > max - min) + return -EINVAL; +@@ -485,17 +485,16 @@ int snd_soc_info_volsw_range(struct snd_kcontrol *kcontrol, + { + struct soc_mixer_control *mc = + (struct soc_mixer_control *)kcontrol->private_value; +- int platform_max; +- int min = mc->min; ++ int max; + +- if (!mc->platform_max) +- mc->platform_max = mc->max; +- platform_max = mc->platform_max; ++ max = mc->max - mc->min; ++ if (mc->platform_max && mc->platform_max < max) ++ max = mc->platform_max; + + uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER; + uinfo->count = snd_soc_volsw_is_stereo(mc) ? 2 : 1; + uinfo->value.integer.min = 0; +- uinfo->value.integer.max = platform_max - min; ++ uinfo->value.integer.max = max; + + return 0; + } +-- +2.39.5 + diff --git a/queue-5.15/cifs-fix-integer-overflow-while-processing-acdirmax-.patch b/queue-5.15/cifs-fix-integer-overflow-while-processing-acdirmax-.patch new file mode 100644 index 0000000000..d9bb2d9d5b --- /dev/null +++ b/queue-5.15/cifs-fix-integer-overflow-while-processing-acdirmax-.patch @@ -0,0 +1,44 @@ +From de76c94f1747ce311680b9d693346ba9e794ccb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 17:22:04 +0300 +Subject: cifs: Fix integer overflow while processing acdirmax mount option + +From: Murad Masimov + +[ Upstream commit 5b29891f91dfb8758baf1e2217bef4b16b2b165b ] + +User-provided mount parameter acdirmax of type u32 is intended to have +an upper limit, but before it is validated, the value is converted from +seconds to jiffies which can lead to an integer overflow. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 4c9f948142a5 ("cifs: Add new mount parameter "acdirmax" to allow caching directory metadata") +Signed-off-by: Murad Masimov +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/fs_context.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c +index d86cbed997fdd..9b1c0e0dfc63b 100644 +--- a/fs/cifs/fs_context.c ++++ b/fs/cifs/fs_context.c +@@ -1062,11 +1062,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, + ctx->acregmax = HZ * result.uint_32; + break; + case Opt_acdirmax: +- ctx->acdirmax = HZ * result.uint_32; +- if (ctx->acdirmax > CIFS_MAX_ACTIMEO) { ++ if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) { + cifs_errorf(fc, "acdirmax too large\n"); + goto cifs_parse_mount_err; + } ++ ctx->acdirmax = HZ * result.uint_32; + break; + case Opt_actimeo: + if (HZ * result.uint_32 > CIFS_MAX_ACTIMEO) { +-- +2.39.5 + diff --git a/queue-5.15/cifs-fix-integer-overflow-while-processing-acregmax-.patch b/queue-5.15/cifs-fix-integer-overflow-while-processing-acregmax-.patch new file mode 100644 index 0000000000..528d60aeea --- /dev/null +++ b/queue-5.15/cifs-fix-integer-overflow-while-processing-acregmax-.patch @@ -0,0 +1,44 @@ +From 2598a57514c71df16f2dd278f84da6cf0dacab9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 17:22:03 +0300 +Subject: cifs: Fix integer overflow while processing acregmax mount option + +From: Murad Masimov + +[ Upstream commit 7489161b1852390b4413d57f2457cd40b34da6cc ] + +User-provided mount parameter acregmax of type u32 is intended to have +an upper limit, but before it is validated, the value is converted from +seconds to jiffies which can lead to an integer overflow. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5780464614f6 ("cifs: Add new parameter "acregmax" for distinct file and directory metadata timeout") +Signed-off-by: Murad Masimov +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/fs_context.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c +index fb3651513f83a..d86cbed997fdd 100644 +--- a/fs/cifs/fs_context.c ++++ b/fs/cifs/fs_context.c +@@ -1055,11 +1055,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, + ctx->got_wsize = true; + break; + case Opt_acregmax: +- ctx->acregmax = HZ * result.uint_32; +- if (ctx->acregmax > CIFS_MAX_ACTIMEO) { ++ if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) { + cifs_errorf(fc, "acregmax too large\n"); + goto cifs_parse_mount_err; + } ++ ctx->acregmax = HZ * result.uint_32; + break; + case Opt_acdirmax: + ctx->acdirmax = HZ * result.uint_32; +-- +2.39.5 + diff --git a/queue-5.15/cifs-fix-integer-overflow-while-processing-actimeo-m.patch b/queue-5.15/cifs-fix-integer-overflow-while-processing-actimeo-m.patch new file mode 100644 index 0000000000..e739e3514d --- /dev/null +++ b/queue-5.15/cifs-fix-integer-overflow-while-processing-actimeo-m.patch @@ -0,0 +1,39 @@ +From 0318b293e5496c5a848da18f5fa676d391c69e9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 17:22:05 +0300 +Subject: cifs: Fix integer overflow while processing actimeo mount option + +From: Murad Masimov + +[ Upstream commit 64f690ee22c99e16084e0e45181b2a1eed2fa149 ] + +User-provided mount parameter actimeo of type u32 is intended to have +an upper limit, but before it is validated, the value is converted from +seconds to jiffies which can lead to an integer overflow. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 6d20e8406f09 ("cifs: add attribute cache timeout (actimeo) tunable") +Signed-off-by: Murad Masimov +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/fs_context.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c +index 9b1c0e0dfc63b..f45a29a51700b 100644 +--- a/fs/cifs/fs_context.c ++++ b/fs/cifs/fs_context.c +@@ -1069,7 +1069,7 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, + ctx->acdirmax = HZ * result.uint_32; + break; + case Opt_actimeo: +- if (HZ * result.uint_32 > CIFS_MAX_ACTIMEO) { ++ if (result.uint_32 > CIFS_MAX_ACTIMEO / HZ) { + cifs_errorf(fc, "timeout too large\n"); + goto cifs_parse_mount_err; + } +-- +2.39.5 + diff --git a/queue-5.15/cifs-fix-integer-overflow-while-processing-closetime.patch b/queue-5.15/cifs-fix-integer-overflow-while-processing-closetime.patch new file mode 100644 index 0000000000..408eba1d8c --- /dev/null +++ b/queue-5.15/cifs-fix-integer-overflow-while-processing-closetime.patch @@ -0,0 +1,44 @@ +From f53ca0d19310cf462b1d966ca8dda9b82b934d80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 17:22:06 +0300 +Subject: cifs: Fix integer overflow while processing closetimeo mount option + +From: Murad Masimov + +[ Upstream commit d5a30fddfe2f2e540f6c43b59cf701809995faef ] + +User-provided mount parameter closetimeo of type u32 is intended to have +an upper limit, but before it is validated, the value is converted from +seconds to jiffies which can lead to an integer overflow. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5efdd9122eff ("smb3: allow deferred close timeout to be configurable") +Signed-off-by: Murad Masimov +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/fs_context.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c +index f45a29a51700b..24c42043a2271 100644 +--- a/fs/cifs/fs_context.c ++++ b/fs/cifs/fs_context.c +@@ -1081,11 +1081,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, + ctx->acdirmax = ctx->acregmax = HZ * result.uint_32; + break; + case Opt_closetimeo: +- ctx->closetimeo = HZ * result.uint_32; +- if (ctx->closetimeo > SMB3_MAX_DCLOSETIMEO) { ++ if (result.uint_32 > SMB3_MAX_DCLOSETIMEO / HZ) { + cifs_errorf(fc, "closetimeo too large\n"); + goto cifs_parse_mount_err; + } ++ ctx->closetimeo = HZ * result.uint_32; + break; + case Opt_echo_interval: + ctx->echo_interval = result.uint_32; +-- +2.39.5 + diff --git a/queue-5.15/drm-gma500-add-null-check-for-pci_gfx_root-in-mid_ge.patch b/queue-5.15/drm-gma500-add-null-check-for-pci_gfx_root-in-mid_ge.patch new file mode 100644 index 0000000000..3c25a30cb7 --- /dev/null +++ b/queue-5.15/drm-gma500-add-null-check-for-pci_gfx_root-in-mid_ge.patch @@ -0,0 +1,47 @@ +From 5877ef5f553bf0e4e0e0ab533b1ba9cedb107fcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 14:20:45 +0300 +Subject: drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() + +From: Ivan Abramov + +[ Upstream commit 9af152dcf1a06f589f44a74da4ad67e365d4db9a ] + +Since pci_get_domain_bus_and_slot() can return NULL, add NULL check for +pci_gfx_root in the mid_get_vbt_data(). + +This change is similar to the checks implemented in mid_get_fuse_settings() +and mid_get_pci_revID(), which were introduced by commit 0cecdd818cd7 +("gma500: Final enables for Oaktrail") as "additional minor +bulletproofing". + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: f910b411053f ("gma500: Add the glue to the various BIOS and firmware interfaces") +Signed-off-by: Ivan Abramov +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/20250306112046.17144-1-i.abramov@mt-integration.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/mid_bios.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/gma500/mid_bios.c b/drivers/gpu/drm/gma500/mid_bios.c +index 68e787924ed04..1ba33f9518da2 100644 +--- a/drivers/gpu/drm/gma500/mid_bios.c ++++ b/drivers/gpu/drm/gma500/mid_bios.c +@@ -280,6 +280,11 @@ static void mid_get_vbt_data(struct drm_psb_private *dev_priv) + 0, PCI_DEVFN(2, 0)); + int ret = -1; + ++ if (pci_gfx_root == NULL) { ++ WARN_ON(1); ++ return; ++ } ++ + /* Get the address of the platform config vbt */ + pci_read_config_dword(pci_gfx_root, 0xFC, &addr); + pci_dev_put(pci_gfx_root); +-- +2.39.5 + diff --git a/queue-5.15/series b/queue-5.15/series index 69186454e6..a01a39c4b7 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -62,3 +62,10 @@ drm-amd-display-fix-slab-use-after-free-on-hdcp_work.patch qlcnic-fix-memory-leak-issues-in-qlcnic_sriov_common.c.patch lib-buildid-handle-memfd_secret-files-in-build_id_parse.patch tcp-fix-races-in-tcp_abort.patch +asoc-ops-consistently-treat-platform_max-as-control-.patch +drm-gma500-add-null-check-for-pci_gfx_root-in-mid_ge.patch +asoc-codecs-wm0010-fix-error-handling-path-in-wm0010.patch +cifs-fix-integer-overflow-while-processing-acregmax-.patch +cifs-fix-integer-overflow-while-processing-acdirmax-.patch +cifs-fix-integer-overflow-while-processing-actimeo-m.patch +cifs-fix-integer-overflow-while-processing-closetime.patch