From: Greg Kroah-Hartman Date: Fri, 20 Jun 2025 05:45:00 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.295~181 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=abccf7489bb72aa9e3dd8b82d867d55da952db6e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: asoc-meson-meson-card-utils-use-of_property_present-for-dt-parsing.patch asoc-qcom-sdm845-add-error-handling-in-sdm845_slim_snd_hw_params.patch configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch crypto-marvell-cesa-do-not-chain-submitted-requests.patch gfs2-move-msleep-to-sleepable-context.patch net-mlx5-add-error-handling-in-mlx5_query_nic_vport_node_guid.patch net-mlx5_core-add-error-handling-inmlx5_query_nic_vport_qkey_viol_cntr.patch wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch --- diff --git a/queue-5.10/asoc-meson-meson-card-utils-use-of_property_present-for-dt-parsing.patch b/queue-5.10/asoc-meson-meson-card-utils-use-of_property_present-for-dt-parsing.patch new file mode 100644 index 0000000000..08ea2a1548 --- /dev/null +++ b/queue-5.10/asoc-meson-meson-card-utils-use-of_property_present-for-dt-parsing.patch @@ -0,0 +1,43 @@ +From 171eb6f71e9e3ba6a7410a1d93f3ac213f39dae2 Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Sat, 19 Apr 2025 23:34:48 +0200 +Subject: ASoC: meson: meson-card-utils: use of_property_present() for DT parsing + +From: Martin Blumenstingl + +commit 171eb6f71e9e3ba6a7410a1d93f3ac213f39dae2 upstream. + +Commit c141ecc3cecd ("of: Warn when of_property_read_bool() is used on +non-boolean properties") added a warning when trying to parse a property +with a value (boolean properties are defined as: absent = false, present +without any value = true). This causes a warning from meson-card-utils. + +meson-card-utils needs to know about the existence of the +"audio-routing" and/or "audio-widgets" properties in order to properly +parse them. Switch to of_property_present() in order to silence the +following warning messages during boot: + OF: /sound: Read of boolean property 'audio-routing' with a value. + OF: /sound: Read of boolean property 'audio-widgets' with a value. + +Fixes: 7864a79f37b5 ("ASoC: meson: add axg sound card support") +Tested-by: Christian Hewitt +Cc: stable@vger.kernel.org +Signed-off-by: Martin Blumenstingl +Link: https://patch.msgid.link/20250419213448.59647-1-martin.blumenstingl@googlemail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/meson/meson-card-utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/meson/meson-card-utils.c ++++ b/sound/soc/meson/meson-card-utils.c +@@ -245,7 +245,7 @@ static int meson_card_parse_of_optional( + const char *p)) + { + /* If property is not provided, don't fail ... */ +- if (!of_property_read_bool(card->dev->of_node, propname)) ++ if (!of_property_present(card->dev->of_node, propname)) + return 0; + + /* ... but do fail if it is provided and the parsing fails */ diff --git a/queue-5.10/asoc-qcom-sdm845-add-error-handling-in-sdm845_slim_snd_hw_params.patch b/queue-5.10/asoc-qcom-sdm845-add-error-handling-in-sdm845_slim_snd_hw_params.patch new file mode 100644 index 0000000000..91db83b8dc --- /dev/null +++ b/queue-5.10/asoc-qcom-sdm845-add-error-handling-in-sdm845_slim_snd_hw_params.patch @@ -0,0 +1,41 @@ +From 688abe2860fd9c644705b9e11cb9649eb891b879 Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Mon, 19 May 2025 15:57:39 +0800 +Subject: ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() + +From: Wentao Liang + +commit 688abe2860fd9c644705b9e11cb9649eb891b879 upstream. + +The function sdm845_slim_snd_hw_params() calls the functuion +snd_soc_dai_set_channel_map() but does not check its return +value. A proper implementation can be found in msm_snd_hw_params(). + +Add error handling for snd_soc_dai_set_channel_map(). If the +function fails and it is not a unsupported error, return the +error code immediately. + +Fixes: 5caf64c633a3 ("ASoC: qcom: sdm845: add support to DB845c and Lenovo Yoga") +Cc: stable@vger.kernel.org # v5.6 +Signed-off-by: Wentao Liang +Reviewed-by: Dmitry Baryshkov +Link: https://patch.msgid.link/20250519075739.1458-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/sdm845.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/soc/qcom/sdm845.c ++++ b/sound/soc/qcom/sdm845.c +@@ -78,6 +78,10 @@ static int sdm845_slim_snd_hw_params(str + else + ret = snd_soc_dai_set_channel_map(cpu_dai, tx_ch_cnt, + tx_ch, 0, NULL); ++ if (ret != 0 && ret != -ENOTSUPP) { ++ dev_err(rtd->dev, "failed to set cpu chan map, err:%d\n", ret); ++ return ret; ++ } + } + + return 0; diff --git a/queue-5.10/configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch b/queue-5.10/configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch new file mode 100644 index 0000000000..b93e0a4844 --- /dev/null +++ b/queue-5.10/configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch @@ -0,0 +1,39 @@ +From f830edbae247b89228c3e09294151b21e0dc849c Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Wed, 7 May 2025 19:50:26 +0800 +Subject: configfs: Do not override creating attribute file failure in populate_attrs() + +From: Zijun Hu + +commit f830edbae247b89228c3e09294151b21e0dc849c upstream. + +populate_attrs() may override failure for creating attribute files +by success for creating subsequent bin attribute files, and have +wrong return value. + +Fix by creating bin attribute files under successfully creating +attribute files. + +Fixes: 03607ace807b ("configfs: implement binary attributes") +Cc: stable@vger.kernel.org +Reviewed-by: Joel Becker +Reviewed-by: Breno Leitao +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250507-fix_configfs-v3-2-fe2d96de8dc4@quicinc.com +Signed-off-by: Andreas Hindborg +Signed-off-by: Greg Kroah-Hartman +--- + fs/configfs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/configfs/dir.c ++++ b/fs/configfs/dir.c +@@ -619,7 +619,7 @@ static int populate_attrs(struct config_ + break; + } + } +- if (t->ct_bin_attrs) { ++ if (!error && t->ct_bin_attrs) { + for (i = 0; (bin_attr = t->ct_bin_attrs[i]) != NULL; i++) { + error = configfs_create_bin_file(item, bin_attr); + if (error) diff --git a/queue-5.10/crypto-marvell-cesa-do-not-chain-submitted-requests.patch b/queue-5.10/crypto-marvell-cesa-do-not-chain-submitted-requests.patch new file mode 100644 index 0000000000..dc7a250d57 --- /dev/null +++ b/queue-5.10/crypto-marvell-cesa-do-not-chain-submitted-requests.patch @@ -0,0 +1,156 @@ +From 0413bcf0fc460a68a2a7a8354aee833293d7d693 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Thu, 8 May 2025 13:22:16 +0800 +Subject: crypto: marvell/cesa - Do not chain submitted requests + +From: Herbert Xu + +commit 0413bcf0fc460a68a2a7a8354aee833293d7d693 upstream. + +This driver tries to chain requests together before submitting them +to hardware in order to reduce completion interrupts. + +However, it even extends chains that have already been submitted +to hardware. This is dangerous because there is no way of knowing +whether the hardware has already read the DMA memory in question +or not. + +Fix this by splitting the chain list into two. One for submitted +requests and one for requests that have not yet been submitted. +Only extend the latter. + +Reported-by: Klaus Kudielka +Fixes: 85030c5168f1 ("crypto: marvell - Add support for chaining crypto requests in TDMA mode") +Cc: +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/marvell/cesa/cesa.c | 2 - + drivers/crypto/marvell/cesa/cesa.h | 9 ++++-- + drivers/crypto/marvell/cesa/tdma.c | 53 ++++++++++++++++++++++--------------- + 3 files changed, 39 insertions(+), 25 deletions(-) + +--- a/drivers/crypto/marvell/cesa/cesa.c ++++ b/drivers/crypto/marvell/cesa/cesa.c +@@ -94,7 +94,7 @@ static int mv_cesa_std_process(struct mv + + static int mv_cesa_int_process(struct mv_cesa_engine *engine, u32 status) + { +- if (engine->chain.first && engine->chain.last) ++ if (engine->chain_hw.first && engine->chain_hw.last) + return mv_cesa_tdma_process(engine, status); + + return mv_cesa_std_process(engine, status); +--- a/drivers/crypto/marvell/cesa/cesa.h ++++ b/drivers/crypto/marvell/cesa/cesa.h +@@ -439,8 +439,10 @@ struct mv_cesa_dev { + * SRAM + * @queue: fifo of the pending crypto requests + * @load: engine load counter, useful for load balancing +- * @chain: list of the current tdma descriptors being processed +- * by this engine. ++ * @chain_hw: list of the current tdma descriptors being processed ++ * by the hardware. ++ * @chain_sw: list of the current tdma descriptors that will be ++ * submitted to the hardware. + * @complete_queue: fifo of the processed requests by the engine + * + * Structure storing CESA engine information. +@@ -459,7 +461,8 @@ struct mv_cesa_engine { + struct gen_pool *pool; + struct crypto_queue queue; + atomic_t load; +- struct mv_cesa_tdma_chain chain; ++ struct mv_cesa_tdma_chain chain_hw; ++ struct mv_cesa_tdma_chain chain_sw; + struct list_head complete_queue; + int irq; + }; +--- a/drivers/crypto/marvell/cesa/tdma.c ++++ b/drivers/crypto/marvell/cesa/tdma.c +@@ -38,6 +38,15 @@ void mv_cesa_dma_step(struct mv_cesa_req + { + struct mv_cesa_engine *engine = dreq->engine; + ++ spin_lock_bh(&engine->lock); ++ if (engine->chain_sw.first == dreq->chain.first) { ++ engine->chain_sw.first = NULL; ++ engine->chain_sw.last = NULL; ++ } ++ engine->chain_hw.first = dreq->chain.first; ++ engine->chain_hw.last = dreq->chain.last; ++ spin_unlock_bh(&engine->lock); ++ + writel_relaxed(0, engine->regs + CESA_SA_CFG); + + mv_cesa_set_int_mask(engine, CESA_SA_INT_ACC0_IDMA_DONE); +@@ -96,25 +105,27 @@ void mv_cesa_dma_prepare(struct mv_cesa_ + void mv_cesa_tdma_chain(struct mv_cesa_engine *engine, + struct mv_cesa_req *dreq) + { +- if (engine->chain.first == NULL && engine->chain.last == NULL) { +- engine->chain.first = dreq->chain.first; +- engine->chain.last = dreq->chain.last; +- } else { +- struct mv_cesa_tdma_desc *last; ++ struct mv_cesa_tdma_desc *last = engine->chain_sw.last; + +- last = engine->chain.last; ++ /* ++ * Break the DMA chain if the request being queued needs the IV ++ * regs to be set before lauching the request. ++ */ ++ if (!last || dreq->chain.first->flags & CESA_TDMA_SET_STATE) ++ engine->chain_sw.first = dreq->chain.first; ++ else { + last->next = dreq->chain.first; +- engine->chain.last = dreq->chain.last; +- +- /* +- * Break the DMA chain if the CESA_TDMA_BREAK_CHAIN is set on +- * the last element of the current chain, or if the request +- * being queued needs the IV regs to be set before lauching +- * the request. +- */ +- if (!(last->flags & CESA_TDMA_BREAK_CHAIN) && +- !(dreq->chain.first->flags & CESA_TDMA_SET_STATE)) +- last->next_dma = cpu_to_le32(dreq->chain.first->cur_dma); ++ last->next_dma = cpu_to_le32(dreq->chain.first->cur_dma); ++ } ++ last = dreq->chain.last; ++ engine->chain_sw.last = last; ++ /* ++ * Break the DMA chain if the CESA_TDMA_BREAK_CHAIN is set on ++ * the last element of the current chain. ++ */ ++ if (last->flags & CESA_TDMA_BREAK_CHAIN) { ++ engine->chain_sw.first = NULL; ++ engine->chain_sw.last = NULL; + } + } + +@@ -127,7 +138,7 @@ int mv_cesa_tdma_process(struct mv_cesa_ + + tdma_cur = readl(engine->regs + CESA_TDMA_CUR); + +- for (tdma = engine->chain.first; tdma; tdma = next) { ++ for (tdma = engine->chain_hw.first; tdma; tdma = next) { + spin_lock_bh(&engine->lock); + next = tdma->next; + spin_unlock_bh(&engine->lock); +@@ -149,12 +160,12 @@ int mv_cesa_tdma_process(struct mv_cesa_ + &backlog); + + /* Re-chaining to the next request */ +- engine->chain.first = tdma->next; ++ engine->chain_hw.first = tdma->next; + tdma->next = NULL; + + /* If this is the last request, clear the chain */ +- if (engine->chain.first == NULL) +- engine->chain.last = NULL; ++ if (engine->chain_hw.first == NULL) ++ engine->chain_hw.last = NULL; + spin_unlock_bh(&engine->lock); + + ctx = crypto_tfm_ctx(req->tfm); diff --git a/queue-5.10/gfs2-move-msleep-to-sleepable-context.patch b/queue-5.10/gfs2-move-msleep-to-sleepable-context.patch new file mode 100644 index 0000000000..47a70953ec --- /dev/null +++ b/queue-5.10/gfs2-move-msleep-to-sleepable-context.patch @@ -0,0 +1,42 @@ +From ac5ee087d31ed93b6e45d2968a66828c6f621d8c Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Mon, 31 Mar 2025 19:03:24 -0400 +Subject: gfs2: move msleep to sleepable context + +From: Alexander Aring + +commit ac5ee087d31ed93b6e45d2968a66828c6f621d8c upstream. + +This patch moves the msleep_interruptible() out of the non-sleepable +context by moving the ls->ls_recover_spin spinlock around so +msleep_interruptible() will be called in a sleepable context. + +Cc: stable@vger.kernel.org +Fixes: 4a7727725dc7 ("GFS2: Fix recovery issues for spectators") +Suggested-by: Andreas Gruenbacher +Signed-off-by: Alexander Aring +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/lock_dlm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/gfs2/lock_dlm.c ++++ b/fs/gfs2/lock_dlm.c +@@ -939,14 +939,15 @@ locks_done: + if (sdp->sd_args.ar_spectator) { + fs_info(sdp, "Recovery is required. Waiting for a " + "non-spectator to mount.\n"); ++ spin_unlock(&ls->ls_recover_spin); + msleep_interruptible(1000); + } else { + fs_info(sdp, "control_mount wait1 block %u start %u " + "mount %u lvb %u flags %lx\n", block_gen, + start_gen, mount_gen, lvb_gen, + ls->ls_recover_flags); ++ spin_unlock(&ls->ls_recover_spin); + } +- spin_unlock(&ls->ls_recover_spin); + goto restart; + } + diff --git a/queue-5.10/net-mlx5-add-error-handling-in-mlx5_query_nic_vport_node_guid.patch b/queue-5.10/net-mlx5-add-error-handling-in-mlx5_query_nic_vport_node_guid.patch new file mode 100644 index 0000000000..f47f52d19d --- /dev/null +++ b/queue-5.10/net-mlx5-add-error-handling-in-mlx5_query_nic_vport_node_guid.patch @@ -0,0 +1,55 @@ +From c6bb8a21cdad8c975a3a646b9e5c8df01ad29783 Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Sun, 25 May 2025 00:34:25 +0800 +Subject: net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() + +From: Wentao Liang + +commit c6bb8a21cdad8c975a3a646b9e5c8df01ad29783 upstream. + +The function mlx5_query_nic_vport_node_guid() calls the function +mlx5_query_nic_vport_context() but does not check its return value. +A proper implementation can be found in mlx5_nic_vport_query_local_lb(). + +Add error handling for mlx5_query_nic_vport_context(). If it fails, free +the out buffer via kvfree() and return error code. + +Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields") +Cc: stable@vger.kernel.org # v4.5 +Signed-off-by: Wentao Liang +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20250524163425.1695-1-vulab@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/vport.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c +@@ -440,19 +440,22 @@ int mlx5_query_nic_vport_node_guid(struc + { + u32 *out; + int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out); ++ int err; + + out = kvzalloc(outlen, GFP_KERNEL); + if (!out) + return -ENOMEM; + +- mlx5_query_nic_vport_context(mdev, 0, out); ++ err = mlx5_query_nic_vport_context(mdev, 0, out); ++ if (err) ++ goto out; + + *node_guid = MLX5_GET64(query_nic_vport_context_out, out, + nic_vport_context.node_guid); +- ++out: + kvfree(out); + +- return 0; ++ return err; + } + EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_node_guid); + diff --git a/queue-5.10/net-mlx5_core-add-error-handling-inmlx5_query_nic_vport_qkey_viol_cntr.patch b/queue-5.10/net-mlx5_core-add-error-handling-inmlx5_query_nic_vport_qkey_viol_cntr.patch new file mode 100644 index 0000000000..ea442d0a50 --- /dev/null +++ b/queue-5.10/net-mlx5_core-add-error-handling-inmlx5_query_nic_vport_qkey_viol_cntr.patch @@ -0,0 +1,56 @@ +From f0b50730bdd8f2734e548de541e845c0d40dceb6 Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Wed, 21 May 2025 21:36:20 +0800 +Subject: net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() + +From: Wentao Liang + +commit f0b50730bdd8f2734e548de541e845c0d40dceb6 upstream. + +The function mlx5_query_nic_vport_qkey_viol_cntr() calls the function +mlx5_query_nic_vport_context() but does not check its return value. This +could lead to undefined behavior if the query fails. A proper +implementation can be found in mlx5_nic_vport_query_local_lb(). + +Add error handling for mlx5_query_nic_vport_context(). If it fails, free +the out buffer via kvfree() and return error code. + +Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields") +Cc: stable@vger.kernel.org # v4.5 +Signed-off-by: Wentao Liang +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20250521133620.912-1-vulab@iscas.ac.cn +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/vport.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c +@@ -494,19 +494,22 @@ int mlx5_query_nic_vport_qkey_viol_cntr( + { + u32 *out; + int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out); ++ int err; + + out = kvzalloc(outlen, GFP_KERNEL); + if (!out) + return -ENOMEM; + +- mlx5_query_nic_vport_context(mdev, 0, out); ++ err = mlx5_query_nic_vport_context(mdev, 0, out); ++ if (err) ++ goto out; + + *qkey_viol_cntr = MLX5_GET(query_nic_vport_context_out, out, + nic_vport_context.qkey_violation_counter); +- ++out: + kvfree(out); + +- return 0; ++ return err; + } + EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_qkey_viol_cntr); + diff --git a/queue-5.10/series b/queue-5.10/series index 605dcb270c..ca52a4e615 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -156,3 +156,11 @@ net-usb-aqc111-debug-info-before-sanitation.patch kbuild-userprogs-fix-bitsize-and-target-detection-on-clang.patch kbuild-hdrcheck-fix-cross-build-with-clang.patch tcp-tcp_data_ready-must-look-at-sock_done.patch +configfs-do-not-override-creating-attribute-file-failure-in-populate_attrs.patch +crypto-marvell-cesa-do-not-chain-submitted-requests.patch +gfs2-move-msleep-to-sleepable-context.patch +asoc-qcom-sdm845-add-error-handling-in-sdm845_slim_snd_hw_params.patch +asoc-meson-meson-card-utils-use-of_property_present-for-dt-parsing.patch +net-mlx5_core-add-error-handling-inmlx5_query_nic_vport_qkey_viol_cntr.patch +net-mlx5-add-error-handling-in-mlx5_query_nic_vport_node_guid.patch +wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch diff --git a/queue-5.10/wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch b/queue-5.10/wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch new file mode 100644 index 0000000000..bb11e8a7b2 --- /dev/null +++ b/queue-5.10/wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch @@ -0,0 +1,114 @@ +From da1b9a55ff116cb040528ef664c70a4eec03ae99 Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Fri, 16 May 2025 20:41:06 +0200 +Subject: wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() + +From: Christian Lamparter + +commit da1b9a55ff116cb040528ef664c70a4eec03ae99 upstream. + +Robert Morris reported: + +|If a malicious USB device pretends to be an Intersil p54 wifi +|interface and generates an eeprom_readback message with a large +|eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the +|message beyond the end of priv->eeprom. +| +|static void p54_rx_eeprom_readback(struct p54_common *priv, +| struct sk_buff *skb) +|{ +| struct p54_hdr *hdr = (struct p54_hdr *) skb->data; +| struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data; +| +| if (priv->fw_var >= 0x509) { +| memcpy(priv->eeprom, eeprom->v2.data, +| le16_to_cpu(eeprom->v2.len)); +| } else { +| memcpy(priv->eeprom, eeprom->v1.data, +| le16_to_cpu(eeprom->v1.len)); +| } +| [...] + +The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom(). +The device is supposed to provide the same length back to the driver. +But yes, it's possible (like shown in the report) to alter the value +to something that causes a crash/panic due to overrun. + +This patch addresses the issue by adding the size to the common device +context, so p54_rx_eeprom_readback no longer relies on possibly tampered +values... That said, it also checks if the "firmware" altered the value +and no longer copies them. + +The one, small saving grace is: Before the driver tries to read the eeprom, +it needs to upload >a< firmware. the vendor firmware has a proprietary +license and as a reason, it is not present on most distributions by +default. + +Cc: +Reported-by: Robert Morris +Closes: https://lore.kernel.org/linux-wireless/28782.1747258414@localhost/ +Fixes: 7cb770729ba8 ("p54: move eeprom code into common library") +Signed-off-by: Christian Lamparter +Link: https://patch.msgid.link/20250516184107.47794-1-chunkeey@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intersil/p54/fwio.c | 2 ++ + drivers/net/wireless/intersil/p54/p54.h | 1 + + drivers/net/wireless/intersil/p54/txrx.c | 13 +++++++++---- + 3 files changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/intersil/p54/fwio.c ++++ b/drivers/net/wireless/intersil/p54/fwio.c +@@ -233,6 +233,7 @@ int p54_download_eeprom(struct p54_commo + + mutex_lock(&priv->eeprom_mutex); + priv->eeprom = buf; ++ priv->eeprom_slice_size = len; + eeprom_hdr = skb_put(skb, eeprom_hdr_size + len); + + if (priv->fw_var < 0x509) { +@@ -255,6 +256,7 @@ int p54_download_eeprom(struct p54_commo + ret = -EBUSY; + } + priv->eeprom = NULL; ++ priv->eeprom_slice_size = 0; + mutex_unlock(&priv->eeprom_mutex); + return ret; + } +--- a/drivers/net/wireless/intersil/p54/p54.h ++++ b/drivers/net/wireless/intersil/p54/p54.h +@@ -258,6 +258,7 @@ struct p54_common { + + /* eeprom handling */ + void *eeprom; ++ size_t eeprom_slice_size; + struct completion eeprom_comp; + struct mutex eeprom_mutex; + }; +--- a/drivers/net/wireless/intersil/p54/txrx.c ++++ b/drivers/net/wireless/intersil/p54/txrx.c +@@ -500,14 +500,19 @@ static void p54_rx_eeprom_readback(struc + return ; + + if (priv->fw_var >= 0x509) { +- memcpy(priv->eeprom, eeprom->v2.data, +- le16_to_cpu(eeprom->v2.len)); ++ if (le16_to_cpu(eeprom->v2.len) != priv->eeprom_slice_size) ++ return; ++ ++ memcpy(priv->eeprom, eeprom->v2.data, priv->eeprom_slice_size); + } else { +- memcpy(priv->eeprom, eeprom->v1.data, +- le16_to_cpu(eeprom->v1.len)); ++ if (le16_to_cpu(eeprom->v1.len) != priv->eeprom_slice_size) ++ return; ++ ++ memcpy(priv->eeprom, eeprom->v1.data, priv->eeprom_slice_size); + } + + priv->eeprom = NULL; ++ priv->eeprom_slice_size = 0; + tmp = p54_find_and_unlink_skb(priv, hdr->req_id); + dev_kfree_skb_any(tmp); + complete(&priv->eeprom_comp);