From: Sasha Levin Date: Fri, 11 Oct 2024 12:10:06 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.10.227~79 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa31d21f9ef0777d253059c037838c9f16245226;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/drm-crtc-fix-uninitialized-variable-use-even-harder.patch b/queue-4.19/drm-crtc-fix-uninitialized-variable-use-even-harder.patch
new file mode 100644
index 00000000000..eb3d1af313b
--- /dev/null
+++ b/queue-4.19/drm-crtc-fix-uninitialized-variable-use-even-harder.patch
@@ -0,0 +1,40 @@
+From 1b5d0f952e88f1dd9c962a39eebf6a3eca0a5d43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Feb 2024 13:55:34 -0800
+Subject: drm/crtc: fix uninitialized variable use even harder
+
+From: Rob Clark
+
+[ Upstream commit b6802b61a9d0e99dcfa6fff7c50db7c48a9623d3 ]
+
+DRM_MODESET_LOCK_ALL_BEGIN() has a hidden trap-door (aka retry loop),
+which means we can't rely too much on variable initializers.
+
+Fixes: 6e455f5dcdd1 ("drm/crtc: fix uninitialized variable use")
+Signed-off-by: Rob Clark
+Reviewed-by: Daniel Vetter
+Reviewed-by: Abhinav Kumar
+Reviewed-by: Dmitry Baryshkov
+Tested-by: Dmitry Baryshkov # sc7180, sdm845
+Link: https://patchwork.freedesktop.org/patch/msgid/20240212215534.190682-1-robdclark@gmail.com
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_crtc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
+index 82ad38ee3fea7..e8d5fc8408c59 100644
+--- a/drivers/gpu/drm/drm_crtc.c
++++ b/drivers/gpu/drm/drm_crtc.c
+@@ -768,6 +768,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
+ connector_set = NULL;
+ fb = NULL;
+ mode = NULL;
++ num_connectors = 0;
+
+ if (ret == -EDEADLK) {
+ ret = drm_modeset_backoff(&ctx);
+--
+2.43.0
+
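Review bot: The added `num_connectors = 0;` in the retry re-init block of drm_mode_setcrtc() references a local that the 4.19 version of the function must already declare; the Fixes: tag names 6e455f5dcdd1 ("drm/crtc: fix uninitialized variable use"), which is where that variable was introduced upstream, and no backport of it is among the series additions in this commit. If 6e455f5dcdd1 is not already present in the 4.19 tree, this one-line hunk will not compile, so that should be confirmed before the queue is built. The reset is also placed in the unconditional `out:` path rather than only on the `goto retry` branch, which is consistent with the surrounding `connector_set`/`fb`/`mode` resets but worth noting in the existing comment, e.g. `/* In case we need to retry: everything out: released must be reset */`. drm_mode_setcrtc() begins and ends outside this hunk.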
diff --git a/queue-4.19/drm-move-drm_mode_setcrtc-local-re-init-to-failure-p.patch b/queue-4.19/drm-move-drm_mode_setcrtc-local-re-init-to-failure-p.patch
new file mode 100644
index 00000000000..a7ff961baf6
--- /dev/null
+++ b/queue-4.19/drm-move-drm_mode_setcrtc-local-re-init-to-failure-p.patch
@@ -0,0 +1,73 @@
+From e249b97260327c71dbc080276a18b9f5e3948cac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Nov 2018 10:04:15 -0500
+Subject: drm: Move drm_mode_setcrtc() local re-init to failure path
+
+From: Sean Paul
+
+[ Upstream commit c232e9f41b136c141df9938024e521191a7b910d ]
+
+Instead of always re-initializing the variables we need to clean up on
+out, move the re-initialization into the branch that goes back to retry
+label.
+
+This is a lateral move right now, but will allow us to pull out the
+modeset locking into common code. I kept this change separate to make
+things easier to review.
+
+Changes in v2:
+- None
+
+Reviewed-by: Daniel Vetter
+Signed-off-by: Sean Paul
+Link: https://patchwork.freedesktop.org/patch/msgid/20181129150423.239081-2-sean@poorly.run
+Stable-dep-of: b6802b61a9d0 ("drm/crtc: fix uninitialized variable use even harder")
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_crtc.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
+index 22eba10af165d..82ad38ee3fea7 100644
+--- a/drivers/gpu/drm/drm_crtc.c
++++ b/drivers/gpu/drm/drm_crtc.c
+@@ -567,9 +567,9 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
+ struct drm_mode_crtc *crtc_req = data;
+ struct drm_crtc *crtc;
+ struct drm_plane *plane;
+- struct drm_connector **connector_set, *connector;
+- struct drm_framebuffer *fb;
+- struct drm_display_mode *mode;
++ struct drm_connector **connector_set = NULL, *connector;
++ struct drm_framebuffer *fb = NULL;
++ struct drm_display_mode *mode = NULL;
+ struct drm_mode_set set;
+ uint32_t __user *set_connectors_ptr;
+ struct drm_modeset_acquire_ctx ctx;
+@@ -601,10 +601,6 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
+ mutex_lock(&crtc->dev->mode_config.mutex);
+ drm_modeset_acquire_init(&ctx, DRM_MODESET_ACQUIRE_INTERRUPTIBLE);
+ retry:
+- connector_set = NULL;
+- fb = NULL;
+- mode = NULL;
+-
+ ret =
drm_modeset_lock_all_ctx(crtc->dev, &ctx);
+ if (ret)
+ goto out;
+@@ -767,6 +763,12 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data,
+ }
+ kfree(connector_set);
+ drm_mode_destroy(dev, mode);
++
++ /* In case we need to retry... */
++ connector_set = NULL;
++ fb = NULL;
++ mode = NULL;
++
+ if (ret == -EDEADLK) {
+ ret = drm_modeset_backoff(&ctx);
+ if (!ret)
+--
+2.43.0
+
diff --git a/queue-4.19/input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch b/queue-4.19/input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch
new file mode 100644
index 00000000000..b946def891d
--- /dev/null
+++ b/queue-4.19/input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch
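Review bot: The commit message says the re-initialization moves "into the branch that goes back to retry label", but the new stores `connector_set = NULL; fb = NULL; mode = NULL;` are placed before the `if (ret == -EDEADLK)` test, so they execute on every pass through `out:`, not only when retrying. That is harmless (dead stores on the non-retry path, after `kfree(connector_set)` and `drm_mode_destroy(dev, mode)` have consumed the old values), but `/* In case we need to retry... */` undersells why they are required now that `retry:` no longer resets them: without the reset a retried pass would re-enter `out:` holding already-freed pointers. Suggest `/* out: has released these; reset so a goto retry starts clean and cannot double-free */`. drm_mode_setcrtc() begins outside the hunk, and the `fb` release presumably sits earlier in `out:` than the hunk shows.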
@@ -0,0 +1,55 @@
+From 8a6e5f8218bd782b14818952d7ca84bfa4bd4330 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Oct 2024 05:42:21 +0000
+Subject: Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal
+
+From: Mathias Krause
+
+commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream.
+
+Calling irq_domain_remove() will lead to freeing the IRQ domain
+prematurely. The domain is still referenced and will be attempted to get
+used via rmi_free_function_list() -> rmi_unregister_function() ->
+irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer.
+
+With PaX's MEMORY_SANITIZE this will lead to an access fault when
+attempting to dereference embedded pointers, as in Torsten's report that
+was faulting on the 'domain->ops->unmap' test.
+
+Fix this by releasing the IRQ domain only after all related IRQs have
+been deactivated.
+
+Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain")
+Reported-by: Torsten Hilbrich
+Signed-off-by: Mathias Krause
+Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Tzung-Bi Shih
+Signed-off-by: Sasha Levin
+---
+ drivers/input/rmi4/rmi_driver.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
+index 0da814b41e72b..75cd4c813cbb4 100644
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -981,12 +981,12 @@ static int rmi_driver_remove(struct device *dev)
+
+ rmi_disable_irq(rmi_dev, false);
+
+- irq_domain_remove(data->irqdomain);
+- data->irqdomain = NULL;
+-
+ rmi_f34_remove_sysfs(rmi_dev);
+ rmi_free_function_list(rmi_dev);
+
++ irq_domain_remove(data->irqdomain);
++ data->irqdomain = NULL;
++
+ return 0;
+ }
+
+--
+2.43.0
+
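Review bot: The relocated `irq_domain_remove(data->irqdomain);` now correctly follows `rmi_free_function_list(rmi_dev);`, but nothing in the code records that this ordering is load-bearing, so a later tidy-up could move it back and silently reintroduce the use-after-free the commit message describes. Suggest a comment above the moved call: `/* Functions dispose their IRQ mappings through this domain; it must outlive rmi_free_function_list(). */`. It is also worth confirming that the probe error-unwind path in the same file tears down in the same order, which this hunk does not show. rmi_driver_remove() begins outside the hunk.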
diff --git a/queue-4.19/net-ethernet-cortina-drop-tso-support.patch b/queue-4.19/net-ethernet-cortina-drop-tso-support.patch
new file mode 100644
index 00000000000..b4a2b09eb87
--- /dev/null
+++ b/queue-4.19/net-ethernet-cortina-drop-tso-support.patch
@@ -0,0 +1,88 @@
+From 2c9061415006c3f439d0acff0ff202c66a29ce2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 6 Jan 2024 01:12:22 +0100
+Subject: net: ethernet: cortina: Drop TSO support
+
+From: Linus Walleij
+
+[ Upstream commit ac631873c9e7a50d2a8de457cfc4b9f86666403e ]
+
+The recent change to allow large frames without hardware checksumming
+slotted in software checksumming in the driver if hardware could not
+do it.
+
+This will however upset TSO (TCP Segment Offloading). Typical
+error dumps includes this:
+
+skb len=2961 headroom=222 headlen=66 tailroom=0
+(...)
+WARNING: CPU: 0 PID: 956 at net/core/dev.c:3259 skb_warn_bad_offload+0x7c/0x108
+gemini-ethernet-port: caps=(0x0000010000154813, 0x00002007ffdd7889)
+
+And the packets do not go through.
+
+The TSO implementation is bogus: a TSO enabled driver must propagate
+the skb_shinfo(skb)->gso_size value to the TSO engine on the NIC.
+
+Drop the size check and TSO offloading features for now: this
+needs to be fixed up properly.
+
+After this ethernet works fine on Gemini devices with a direct connected
+PHY such as D-Link DNS-313.
+
+Also tested to still be working with a DSA switch using the Gemini
+ethernet as conduit interface.
+
+Link: https://lore.kernel.org/netdev/CANn89iJLfxng1sYL5Zk0mknXpyYQPCp83m3KgD2KJ2_hKCpEUg@mail.gmail.com/
+Suggested-by: Eric Dumazet
+Fixes: d4d0c5b4d279 ("net: ethernet: cortina: Handle large frames")
+Signed-off-by: Linus Walleij
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S.
Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/cortina/gemini.c | 15 ++------------
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index d464dec9825ad..556600e425b36 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -81,8 +81,7 @@ MODULE_PARM_DESC(debug, "Debug level (0=none,...,16=all)");
+ #define GMAC0_IRQ4_8 (GMAC0_MIB_INT_BIT | GMAC0_RX_OVERRUN_INT_BIT)
+
+ #define GMAC_OFFLOAD_FEATURES (NETIF_F_SG | NETIF_F_IP_CSUM | \
+- NETIF_F_IPV6_CSUM | NETIF_F_RXCSUM | \
+- NETIF_F_TSO | NETIF_F_TSO_ECN | NETIF_F_TSO6)
++ NETIF_F_IPV6_CSUM | NETIF_F_RXCSUM)
+
+ /**
+ * struct gmac_queue_page - page buffer per-page info
+@@ -1156,23 +1155,13 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb,
+ struct gmac_txdesc *txd;
+ skb_frag_t *skb_frag;
+ dma_addr_t mapping;
+- unsigned short mtu;
+ void *buffer;
+ int ret;
+
+- mtu = ETH_HLEN;
+- mtu += netdev->mtu;
+- if (skb->protocol == htons(ETH_P_8021Q))
+- mtu += VLAN_HLEN;
+-
++ /* TODO: implement proper TSO using MTU in word3 */
+ word1 = skb->len;
+ word3 = SOF_BIT;
+
+- if (word1 > mtu) {
+- word1 |= TSS_MTU_ENABLE_BIT;
+- word3 |= mtu;
+- }
+-
+ if (skb->len >= ETH_FRAME_LEN) {
+ /* Hardware offloaded checksumming isn't working on frames
+ * bigger than 1514 bytes. A hypothesis about this is that the
+--
+2.43.0
+
diff --git a/queue-4.19/series b/queue-4.19/series
index cf0fbb47105..7798c7f0551 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
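Review bot: The replacement comment `/* TODO: implement proper TSO using MTU in word3 */` in gmac_map_tx_bufs() does not record the actual requirement the commit message states, namely that a correct implementation must program `skb_shinfo(skb)->gso_size` into the descriptor rather than the interface MTU, so a future reader re-adding the removed `word1 > mtu` block would repeat the original bug. Suggest `/* TODO: proper TSO must put skb_shinfo(skb)->gso_size in the word3 MTU field; the removed netdev->mtu based check was wrong */`. With `mtu` gone the `ETH_P_8021Q`/`VLAN_HLEN` uses in this function disappear, so if nothing else in gemini.c needs the VLAN header definitions the corresponding include may now be unused (not visible in this hunk). gmac_map_tx_bufs() continues outside the hunk.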
@@ -226,3 +226,9 @@ rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch
 acpi-battery-simplify-battery-hook-locking.patch
 acpi-battery-fix-possible-crash-when-unregistering-a.patch
 ext4-fix-inode-tree-inconsistency-caused-by-enomem.patch
+net-ethernet-cortina-drop-tso-support.patch
+tracing-remove-precision-vsnprintf-check-from-print-.patch
+drm-move-drm_mode_setcrtc-local-re-init-to-failure-p.patch
+drm-crtc-fix-uninitialized-variable-use-even-harder.patch
+virtio_console-fix-misc-probe-bugs.patch
+input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch
diff --git a/queue-4.19/tracing-remove-precision-vsnprintf-check-from-print-.patch b/queue-4.19/tracing-remove-precision-vsnprintf-check-from-print-.patch
new file mode 100644
index 00000000000..a4d3be7b0e8
--- /dev/null
+++ b/queue-4.19/tracing-remove-precision-vsnprintf-check-from-print-.patch
@@ -0,0 +1,69 @@
+From fe8aef5089cfb88aea88b1aded938aa6df049b40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Mar 2024 17:43:41 -0500
+Subject: tracing: Remove precision vsnprintf() check from print event
+
+From: Steven Rostedt (Google)
+
+[ Upstream commit 5efd3e2aef91d2d812290dcb25b2058e6f3f532c ]
+
+This reverts 60be76eeabb3d ("tracing: Add size check when printing
+trace_marker output"). The only reason the precision check was added
+was because of a bug that miscalculated the write size of the string into
+the ring buffer and it truncated it removing the terminating nul byte. On
+reading the trace it crashed the kernel. But this was due to the bug in
+the code that happened during development and should never happen in
+practice. If anything, the precision can hide bugs where the string in the
+ring buffer isn't nul terminated and it will not be checked.
+
+Link: https://lore.kernel.org/all/C7E7AF1A-D30F-4D18-B8E5-AF1EF58004F5@linux.ibm.com/
+Link: https://lore.kernel.org/linux-trace-kernel/20240227125706.04279ac2@gandalf.local.home
+Link: https://lore.kernel.org/all/20240302111244.3a1674be@gandalf.local.home/
+Link: https://lore.kernel.org/linux-trace-kernel/20240304174341.2a561d9f@gandalf.local.home
+
+Cc: Masami Hiramatsu
+Cc: Linus Torvalds
+Fixes: 60be76eeabb3d ("tracing: Add size check when printing trace_marker output")
+Reported-by: Sachin Sant
+Tested-by: Sachin Sant
+Reviewed-by: Mathieu Desnoyers
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Sasha Levin
+---
+ kernel/trace/trace_output.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
+index 43fb832d26d23..62015d62dd6f5 100644
+--- a/kernel/trace/trace_output.c
++++ b/kernel/trace/trace_output.c
+@@ -1320,12 +1320,11 @@ static enum print_line_t trace_print_print(struct trace_iterator *iter,
+ {
+ struct print_entry *field;
+ struct trace_seq *s = &iter->seq;
+- int max = iter->ent_size -
offsetof(struct print_entry, buf);
+
+ trace_assign_type(field, iter->ent);
+
+ seq_print_ip_sym(s, field->ip, flags);
+- trace_seq_printf(s, ": %.*s", max, field->buf);
++ trace_seq_printf(s, ": %s", field->buf);
+
+ return trace_handle_return(s);
+ }
+@@ -1334,11 +1333,10 @@ static enum print_line_t trace_print_raw(struct trace_iterator *iter, int flags,
+ struct trace_event *event)
+ {
+ struct print_entry *field;
+- int max = iter->ent_size - offsetof(struct print_entry, buf);
+
+ trace_assign_type(field, iter->ent);
+
+- trace_seq_printf(&iter->seq, "# %lx %.*s", field->ip, max, field->buf);
++ trace_seq_printf(&iter->seq, "# %lx %s", field->ip, field->buf);
+
+ return trace_handle_return(&iter->seq);
+ }
+--
+2.43.0
+
diff --git a/queue-4.19/virtio_console-fix-misc-probe-bugs.patch b/queue-4.19/virtio_console-fix-misc-probe-bugs.patch
new file mode 100644
index 00000000000..f31afab15aa
--- /dev/null
+++ b/queue-4.19/virtio_console-fix-misc-probe-bugs.patch
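Review bot: Dropping the `%.*s` precision makes `trace_seq_printf(s, ": %s", field->buf);` in trace_print_print() and the `"# %lx %s"` call in trace_print_raw() rely entirely on the writer having nul-terminated `buf` inside the reserved entry, which the commit message accepts but the code no longer states anywhere. Suggest a one-line comment at each call: `/* buf is nul-terminated by the trace_marker writer; do not bound it here (see upstream 5efd3e2aef91) */`. For the 4.19 backport it is worth confirming that this tree's tracing_mark_write() writes the terminator the way upstream does, since the removed precision was the only reader-side guard if it did not. trace_print_print() begins outside the hunk.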
@@ -0,0 +1,71 @@
+From 7b8296a7673e94fece9a88505bcf6a2cd28375b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Sep 2024 14:16:44 -0400
+Subject: virtio_console: fix misc probe bugs
+
+From: Michael S. Tsirkin
+
+[ Upstream commit b9efbe2b8f0177fa97bfab290d60858900aa196b ]
+
+This fixes the following issue discovered by code review:
+
+after vqs have been created, a buggy device can send an interrupt.
+
+A control vq callback will then try to schedule control_work which has
+not been initialized yet. Similarly for config interrupt. Further, in
+and out vq callbacks invoke find_port_by_vq which attempts to take
+ports_lock which also has not been initialized.
+
+To fix, init all locks and work before creating vqs.
+
+Message-ID:
+Fixes: 17634ba25544 ("virtio: console: Add a new MULTIPORT feature, support for generic ports")
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Sasha Levin
+---
+ drivers/char/virtio_console.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
+index d3937d6904000..ad9e266652607 100644
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -2075,25 +2075,27 @@ static int virtcons_probe(struct virtio_device *vdev)
+ multiport = true;
+ }
+
+- err = init_vqs(portdev);
+- if (err < 0) {
+- dev_err(&vdev->dev, "Error %d initializing vqs\n", err);
+- goto free_chrdev;
+- }
+-
+ spin_lock_init(&portdev->ports_lock);
+ INIT_LIST_HEAD(&portdev->ports);
+ INIT_LIST_HEAD(&portdev->list);
+
+- virtio_device_ready(portdev->vdev);
+-
+ INIT_WORK(&portdev->config_work, &config_work_handler);
+ INIT_WORK(&portdev->control_work, &control_work_handler);
+
+ if (multiport) {
+ spin_lock_init(&portdev->c_ivq_lock);
+ spin_lock_init(&portdev->c_ovq_lock);
++ }
+
++ err = init_vqs(portdev);
++ if (err < 0) {
++ dev_err(&vdev->dev, "Error %d initializing vqs\n", err);
++ goto free_chrdev;
++ }
++
++
virtio_device_ready(portdev->vdev);
++
++ if (multiport) {
+ err = fill_queue(portdev->c_ivq, &portdev->c_ivq_lock);
+ if (err < 0) {
+ dev_err(&vdev->dev,
+--
+2.43.0
+
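Review bot: The multiport lock setup is now split into two `if (multiport)` blocks, the first closed by the added `}` just before `init_vqs()` and the second reopened after `virtio_device_ready()`; since `spin_lock_init()` is cheap and `c_ivq_lock`/`c_ovq_lock` are only touched on the multiport path, initializing them unconditionally next to `ports_lock` would drop one branch and make the fix's invariant easier to read. More important is documenting that invariant, because nothing in the code stops a later reorder from recreating the race: suggest above the new `err = init_vqs(portdev);` a comment such as `/* All locks and work items must be initialized before the vqs exist: a misbehaving device may raise vq or config interrupts as soon as find_vqs() returns. */`. virtcons_probe() begins and ends outside the hunk.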