From: Greg Kroah-Hartman Date: Fri, 6 Dec 2024 11:23:48 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v6.6.64~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a12e7d34ceb7976c719d650f881d3e6479624445;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: clk-qcom-gcc-qcs404-fix-initial-rate-of-gpll3.patch ftrace-fix-regression-with-module-command-in-stack_trace_filter.patch media-gspca-ov534-ov772x-fix-off-by-one-error-in-set_frame_rate.patch media-i2c-tc358743-fix-crash-in-the-probe-error-path-when-using-polling.patch media-platform-allegro-dvt-fix-possible-memory-leak-in-allocate_buffers_internal.patch media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch media-venus-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch ovl-filter-invalid-inodes-with-missing-lookup-function.patch --- diff --git a/queue-5.4/clk-qcom-gcc-qcs404-fix-initial-rate-of-gpll3.patch b/queue-5.4/clk-qcom-gcc-qcs404-fix-initial-rate-of-gpll3.patch new file mode 100644 index 00000000000..984b8baeda9 --- /dev/null +++ b/queue-5.4/clk-qcom-gcc-qcs404-fix-initial-rate-of-gpll3.patch @@ -0,0 +1,51 @@ +From 36d202241d234fa4ac50743510d098ad52bd193a Mon Sep 17 00:00:00 2001 +From: Gabor Juhos +Date: Tue, 22 Oct 2024 11:45:56 +0200 +Subject: clk: qcom: gcc-qcs404: fix initial rate of GPLL3 + +From: Gabor Juhos + +commit 36d202241d234fa4ac50743510d098ad52bd193a upstream. + +The comment before the config of the GPLL3 PLL says that the +PLL should run at 930 MHz. In contrary to this, calculating +the frequency from the current configuration values by using +19.2 MHz as input frequency defined in 'qcs404.dtsi', it gives +921.6 MHz: + + $ xo=19200000; l=48; alpha=0x0; alpha_hi=0x0 + $ echo "$xo * ($((l)) + $(((alpha_hi << 32 | alpha) >> 8)) / 2^32)" | bc -l + 921600000.00000000000000000000 + +Set 'alpha_hi' in the configuration to a value used in downstream +kernels [1][2] in order to get the correct output rate: + + $ xo=19200000; l=48; alpha=0x0; alpha_hi=0x70 + $ echo "$xo * ($((l)) + $(((alpha_hi << 32 | alpha) >> 8)) / 2^32)" | bc -l + 930000000.00000000000000000000 + +The change is based on static code analysis, compile tested only. + +[1] https://git.codelinaro.org/clo/la/kernel/msm-5.4/-/blob/kernel.lnx.5.4.r56-rel/drivers/clk/qcom/gcc-qcs404.c?ref_type=heads#L335 +[2} https://git.codelinaro.org/clo/la/kernel/msm-5.15/-/blob/kernel.lnx.5.15.r49-rel/drivers/clk/qcom/gcc-qcs404.c?ref_type=heads#L127 + +Cc: stable@vger.kernel.org +Fixes: 652f1813c113 ("clk: qcom: gcc: Add global clock controller driver for QCS404") +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/r/20241022-fix-gcc-qcs404-gpll3-v1-1-c4d30d634d19@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-qcs404.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clk/qcom/gcc-qcs404.c ++++ b/drivers/clk/qcom/gcc-qcs404.c +@@ -337,6 +337,7 @@ static struct clk_alpha_pll gpll1_out_ma + /* 930MHz configuration */ + static const struct alpha_pll_config gpll3_config = { + .l = 48, ++ .alpha_hi = 0x70, + .alpha = 0x0, + .alpha_en_mask = BIT(24), + .post_div_mask = 0xf << 8, diff --git a/queue-5.4/ftrace-fix-regression-with-module-command-in-stack_trace_filter.patch b/queue-5.4/ftrace-fix-regression-with-module-command-in-stack_trace_filter.patch new file mode 100644 index 00000000000..030674ffed1 --- /dev/null +++ b/queue-5.4/ftrace-fix-regression-with-module-command-in-stack_trace_filter.patch @@ -0,0 +1,43 @@ +From 45af52e7d3b8560f21d139b3759735eead8b1653 Mon Sep 17 00:00:00 2001 +From: guoweikang +Date: Wed, 20 Nov 2024 13:27:49 +0800 +Subject: ftrace: Fix regression with module command in stack_trace_filter + +From: guoweikang + +commit 45af52e7d3b8560f21d139b3759735eead8b1653 upstream. + +When executing the following command: + + # echo "write*:mod:ext3" > /sys/kernel/tracing/stack_trace_filter + +The current mod command causes a null pointer dereference. While commit +0f17976568b3f ("ftrace: Fix regression with module command in stack_trace_filter") +has addressed part of the issue, it left a corner case unhandled, which still +results in a kernel crash. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Link: https://lore.kernel.org/20241120052750.275463-1-guoweikang.kernel@gmail.com +Fixes: 04ec7bb642b77 ("tracing: Have the trace_array hold the list of registered func probes"); +Signed-off-by: guoweikang +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -4132,6 +4132,9 @@ ftrace_mod_callback(struct trace_array * + char *func; + int ret; + ++ if (!tr) ++ return -ENODEV; ++ + /* match_records() modifies func, and we need the original */ + func = kstrdup(func_orig, GFP_KERNEL); + if (!func) diff --git a/queue-5.4/media-gspca-ov534-ov772x-fix-off-by-one-error-in-set_frame_rate.patch b/queue-5.4/media-gspca-ov534-ov772x-fix-off-by-one-error-in-set_frame_rate.patch new file mode 100644 index 00000000000..7d3b2f834b0 --- /dev/null +++ b/queue-5.4/media-gspca-ov534-ov772x-fix-off-by-one-error-in-set_frame_rate.patch @@ -0,0 +1,37 @@ +From d2842dec577900031826dc44e9bf0c66416d7173 Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Mon, 28 Oct 2024 16:02:56 +0800 +Subject: media: gspca: ov534-ov772x: Fix off-by-one error in set_frame_rate() + +From: Jinjie Ruan + +commit d2842dec577900031826dc44e9bf0c66416d7173 upstream. + +In set_frame_rate(), select a rate in rate_0 or rate_1 by checking +sd->frame_rate >= r->fps in a loop, but the loop condition terminates when +the index reaches zero, which fails to check the last elememt in rate_0 or +rate_1. + +Check for >= 0 so that the last one in rate_0 or rate_1 is also checked. + +Fixes: 189d92af707e ("V4L/DVB (13422): gspca - ov534: ov772x changes from Richard Kaswy.") +Cc: stable@vger.kernel.org +Signed-off-by: Jinjie Ruan +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/gspca/ov534.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/gspca/ov534.c ++++ b/drivers/media/usb/gspca/ov534.c +@@ -847,7 +847,7 @@ static void set_frame_rate(struct gspca_ + r = rate_1; + i = ARRAY_SIZE(rate_1); + } +- while (--i > 0) { ++ while (--i >= 0) { + if (sd->frame_rate >= r->fps) + break; + r++; diff --git a/queue-5.4/media-i2c-tc358743-fix-crash-in-the-probe-error-path-when-using-polling.patch b/queue-5.4/media-i2c-tc358743-fix-crash-in-the-probe-error-path-when-using-polling.patch new file mode 100644 index 00000000000..01552dbec0d --- /dev/null +++ b/queue-5.4/media-i2c-tc358743-fix-crash-in-the-probe-error-path-when-using-polling.patch @@ -0,0 +1,79 @@ +From 869f38ae07f7df829da4951c3d1f7a2be09c2e9a Mon Sep 17 00:00:00 2001 +From: Alexander Shiyan +Date: Wed, 9 Oct 2024 09:05:44 +0300 +Subject: media: i2c: tc358743: Fix crash in the probe error path when using polling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexander Shiyan + +commit 869f38ae07f7df829da4951c3d1f7a2be09c2e9a upstream. + +If an error occurs in the probe() function, we should remove the polling +timer that was alarmed earlier, otherwise the timer is called with +arguments that are already freed, which results in a crash. + +------------[ cut here ]------------ +WARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1830 __run_timers+0x244/0x268 +Modules linked in: +CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.11.0 #226 +Hardware name: Diasom DS-RK3568-SOM-EVB (DT) +pstate: 804000c9 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : __run_timers+0x244/0x268 +lr : __run_timers+0x1d4/0x268 +sp : ffffff80eff2baf0 +x29: ffffff80eff2bb50 x28: 7fffffffffffffff x27: ffffff80eff2bb00 +x26: ffffffc080f669c0 x25: ffffff80efef6bf0 x24: ffffff80eff2bb00 +x23: 0000000000000000 x22: dead000000000122 x21: 0000000000000000 +x20: ffffff80efef6b80 x19: ffffff80041c8bf8 x18: ffffffffffffffff +x17: ffffffc06f146000 x16: ffffff80eff27dc0 x15: 000000000000003e +x14: 0000000000000000 x13: 00000000000054da x12: 0000000000000000 +x11: 00000000000639c0 x10: 000000000000000c x9 : 0000000000000009 +x8 : ffffff80eff2cb40 x7 : ffffff80eff2cb40 x6 : ffffff8002bee480 +x5 : ffffffc080cb2220 x4 : ffffffc080cb2150 x3 : 00000000000f4240 +x2 : 0000000000000102 x1 : ffffff80eff2bb00 x0 : ffffff80041c8bf0 +Call trace: + __run_timers+0x244/0x268 + timer_expire_remote+0x50/0x68 + tmigr_handle_remote+0x388/0x39c + run_timer_softirq+0x38/0x44 + handle_softirqs+0x138/0x298 + __do_softirq+0x14/0x20 + ____do_softirq+0x10/0x1c + call_on_irq_stack+0x24/0x4c + do_softirq_own_stack+0x1c/0x2c + irq_exit_rcu+0x9c/0xcc + el1_interrupt+0x48/0xc0 + el1h_64_irq_handler+0x18/0x24 + el1h_64_irq+0x7c/0x80 + default_idle_call+0x34/0x68 + do_idle+0x23c/0x294 + cpu_startup_entry+0x38/0x3c + secondary_start_kernel+0x128/0x160 + __secondary_switched+0xb8/0xbc +---[ end trace 0000000000000000 ]--- + +Fixes: 4e66a52a2e4c ("[media] tc358743: Add support for platforms without IRQ line") +Signed-off-by: Alexander Shiyan +Cc: stable@vger.kernel.org +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/tc358743.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -2175,8 +2175,10 @@ static int tc358743_probe(struct i2c_cli + + err_work_queues: + cec_unregister_adapter(state->cec_adap); +- if (!state->i2c_client->irq) ++ if (!state->i2c_client->irq) { ++ del_timer(&state->timer); + flush_work(&state->work_i2c_poll); ++ } + cancel_delayed_work(&state->delayed_work_enable_hotplug); + mutex_destroy(&state->confctl_mutex); + err_hdl: diff --git a/queue-5.4/media-platform-allegro-dvt-fix-possible-memory-leak-in-allocate_buffers_internal.patch b/queue-5.4/media-platform-allegro-dvt-fix-possible-memory-leak-in-allocate_buffers_internal.patch new file mode 100644 index 00000000000..b86bd4c5c0a --- /dev/null +++ b/queue-5.4/media-platform-allegro-dvt-fix-possible-memory-leak-in-allocate_buffers_internal.patch @@ -0,0 +1,37 @@ +From 0f514068fbc5d4d189c817adc7c4e32cffdc2e47 Mon Sep 17 00:00:00 2001 +From: Gaosheng Cui +Date: Wed, 9 Oct 2024 16:28:02 +0800 +Subject: media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal() + +From: Gaosheng Cui + +commit 0f514068fbc5d4d189c817adc7c4e32cffdc2e47 upstream. + +The buffer in the loop should be released under the exception path, +otherwise there may be a memory leak here. + +To mitigate this, free the buffer when allegro_alloc_buffer fails. + +Fixes: f20387dfd065 ("media: allegro: add Allegro DVT video IP core driver") +Cc: +Signed-off-by: Gaosheng Cui +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/allegro-dvt/allegro-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/staging/media/allegro-dvt/allegro-core.c ++++ b/drivers/staging/media/allegro-dvt/allegro-core.c +@@ -1250,8 +1250,10 @@ static int allocate_buffers_internal(str + INIT_LIST_HEAD(&buffer->head); + + err = allegro_alloc_buffer(dev, buffer, size); +- if (err) ++ if (err) { ++ kfree(buffer); + goto err; ++ } + list_add(&buffer->head, list); + } + diff --git a/queue-5.4/media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch b/queue-5.4/media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch new file mode 100644 index 00000000000..0325f5ac4c7 --- /dev/null +++ b/queue-5.4/media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch @@ -0,0 +1,73 @@ +From 4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba Mon Sep 17 00:00:00 2001 +From: Li Zetao +Date: Thu, 10 Oct 2024 23:41:13 +0800 +Subject: media: ts2020: fix null-ptr-deref in ts2020_probe() + +From: Li Zetao + +commit 4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba upstream. + +KASAN reported a null-ptr-deref issue when executing the following +command: + + # echo ts2020 0x20 > /sys/bus/i2c/devices/i2c-0/new_device + KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] + CPU: 53 UID: 0 PID: 970 Comm: systemd-udevd Not tainted 6.12.0-rc2+ #24 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009) + RIP: 0010:ts2020_probe+0xad/0xe10 [ts2020] + RSP: 0018:ffffc9000abbf598 EFLAGS: 00010202 + RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffffc0714809 + RDX: 0000000000000002 RSI: ffff88811550be00 RDI: 0000000000000010 + RBP: ffff888109868800 R08: 0000000000000001 R09: fffff52001577eb6 + R10: 0000000000000000 R11: ffffc9000abbff50 R12: ffffffffc0714790 + R13: 1ffff92001577eb8 R14: ffffffffc07190d0 R15: 0000000000000001 + FS: 00007f95f13b98c0(0000) GS:ffff888149280000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000555d2634b000 CR3: 0000000152236000 CR4: 00000000000006f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + ts2020_probe+0xad/0xe10 [ts2020] + i2c_device_probe+0x421/0xb40 + really_probe+0x266/0x850 + ... + +The cause of the problem is that when using sysfs to dynamically register +an i2c device, there is no platform data, but the probe process of ts2020 +needs to use platform data, resulting in a null pointer being accessed. + +Solve this problem by adding checks to platform data. + +Fixes: dc245a5f9b51 ("[media] ts2020: implement I2C client bindings") +Cc: +Signed-off-by: Li Zetao +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-frontends/ts2020.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb-frontends/ts2020.c ++++ b/drivers/media/dvb-frontends/ts2020.c +@@ -554,13 +554,19 @@ static int ts2020_probe(struct i2c_clien + const struct i2c_device_id *id) + { + struct ts2020_config *pdata = client->dev.platform_data; +- struct dvb_frontend *fe = pdata->fe; ++ struct dvb_frontend *fe; + struct ts2020_priv *dev; + int ret; + u8 u8tmp; + unsigned int utmp; + char *chip_str; + ++ if (!pdata) { ++ dev_err(&client->dev, "platform data is mandatory\n"); ++ return -EINVAL; ++ } ++ ++ fe = pdata->fe; + dev = kzalloc(sizeof(*dev), GFP_KERNEL); + if (!dev) { + ret = -ENOMEM; diff --git a/queue-5.4/media-venus-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch b/queue-5.4/media-venus-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch new file mode 100644 index 00000000000..63d8ff5eedb --- /dev/null +++ b/queue-5.4/media-venus-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch @@ -0,0 +1,37 @@ +From 2a20869f7d798aa2b69e45b863eaf1b1ecf98278 Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Fri, 1 Nov 2024 17:40:50 +0800 +Subject: media: venus: Fix pm_runtime_set_suspended() with runtime pm enabled + +From: Jinjie Ruan + +commit 2a20869f7d798aa2b69e45b863eaf1b1ecf98278 upstream. + +It is not valid to call pm_runtime_set_suspended() for devices +with runtime PM enabled because it returns -EAGAIN if it is enabled +already and working. So, call pm_runtime_disable() before to fix it. + +Cc: stable@vger.kernel.org +Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions") +Signed-off-by: Jinjie Ruan +Reviewed-by: Bryan O'Donoghue +Acked-by: Stanimir Varbanov +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -335,8 +335,8 @@ err_of_depopulate: + of_platform_depopulate(dev); + err_runtime_disable: + pm_runtime_put_noidle(dev); +- pm_runtime_set_suspended(dev); + pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); + hfi_destroy(core); + return ret; + } diff --git a/queue-5.4/ovl-filter-invalid-inodes-with-missing-lookup-function.patch b/queue-5.4/ovl-filter-invalid-inodes-with-missing-lookup-function.patch new file mode 100644 index 00000000000..22abd9f4ba8 --- /dev/null +++ b/queue-5.4/ovl-filter-invalid-inodes-with-missing-lookup-function.patch @@ -0,0 +1,38 @@ +From c8b359dddb418c60df1a69beea01d1b3322bfe83 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kovalev +Date: Tue, 19 Nov 2024 18:58:17 +0300 +Subject: ovl: Filter invalid inodes with missing lookup function + +From: Vasiliy Kovalev + +commit c8b359dddb418c60df1a69beea01d1b3322bfe83 upstream. + +Add a check to the ovl_dentry_weird() function to prevent the +processing of directory inodes that lack the lookup function. +This is important because such inodes can cause errors in overlayfs +when passed to the lowerstack. + +Reported-by: syzbot+a8c9d476508bd14a90e5@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=a8c9d476508bd14a90e5 +Suggested-by: Miklos Szeredi +Link: https://lore.kernel.org/linux-unionfs/CAJfpegvx-oS9XGuwpJx=Xe28_jzWx5eRo1y900_ZzWY+=gGzUg@mail.gmail.com/ +Signed-off-by: Vasiliy Kovalev +Cc: +Signed-off-by: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/util.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/overlayfs/util.c ++++ b/fs/overlayfs/util.c +@@ -111,6 +111,9 @@ bool ovl_dentry_remote(struct dentry *de + + bool ovl_dentry_weird(struct dentry *dentry) + { ++ if (!d_can_lookup(dentry) && !d_is_file(dentry) && !d_is_symlink(dentry)) ++ return true; ++ + return dentry->d_flags & (DCACHE_NEED_AUTOMOUNT | + DCACHE_MANAGE_TRANSIT | + DCACHE_OP_HASH | diff --git a/queue-5.4/series b/queue-5.4/series index d6ba8834ff4..288fd3d4644 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -203,3 +203,11 @@ sh-intc-fix-use-after-free-bug-in-register_intc_cont.patch asoc-fsl_micfil-fix-the-naming-style-for-mask-definition.patch quota-flush-quota_release_work-upon-quota-writeback.patch btrfs-ref-verify-fix-use-after-free-after-invalid-re.patch +media-i2c-tc358743-fix-crash-in-the-probe-error-path-when-using-polling.patch +media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch +media-venus-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch +media-gspca-ov534-ov772x-fix-off-by-one-error-in-set_frame_rate.patch +media-platform-allegro-dvt-fix-possible-memory-leak-in-allocate_buffers_internal.patch +ovl-filter-invalid-inodes-with-missing-lookup-function.patch +ftrace-fix-regression-with-module-command-in-stack_trace_filter.patch +clk-qcom-gcc-qcs404-fix-initial-rate-of-gpll3.patch