From: Sasha Levin Date: Thu, 19 Dec 2024 19:23:49 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v6.1.122~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ddbfdffbbf709a0e6b5d283e27e7adc22419a076;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alsa-usb-fix-ubsan-warning-in-parse_audio_unit.patch b/queue-5.4/alsa-usb-fix-ubsan-warning-in-parse_audio_unit.patch new file mode 100644 index 00000000000..d15447caa0d --- /dev/null +++ b/queue-5.4/alsa-usb-fix-ubsan-warning-in-parse_audio_unit.patch @@ -0,0 +1,47 @@ +From 782b030995a11e2daa53c8254162082fe201e1e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jul 2024 12:10:27 -0400 +Subject: ALSA: usb: Fix UBSAN warning in parse_audio_unit() + +From: Takashi Iwai + +[ Upstream commit 2f38cf730caedaeacdefb7ff35b0a3c1168117f9 ] + +A malformed USB descriptor may pass the lengthy mixer description with +a lot of channels, and this may overflow the 32bit integer shift +size, as caught by syzbot UBSAN test. Although this won't cause any +real trouble, it's better to address. + +This patch introduces a sanity check of the number of channels to bail +out the parsing when too many channels are found. + +Reported-by: syzbot+78d5b129a762182225aa@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/0000000000000adac5061d3c7355@google.com +Link: https://patch.msgid.link/20240715123619.26612-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 67eb1293fa15..1374a4e093b3 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1906,6 +1906,13 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid, + bmaControls = ftr->bmaControls; + } + ++ if (channels > 32) { ++ usb_audio_info(state->chip, ++ "usbmixer: too many channels (%d) in unit %d\n", ++ channels, unitid); ++ return -EINVAL; ++ } ++ + /* parse the source unit */ + err = parse_audio_unit(state, hdr->bSourceID); + if (err < 0) +-- +2.39.5 + diff --git a/queue-5.4/drm-i915-fix-memory-leak-by-correcting-cache-object-.patch b/queue-5.4/drm-i915-fix-memory-leak-by-correcting-cache-object-.patch new file mode 100644 index 00000000000..5894936e864 --- /dev/null +++ b/queue-5.4/drm-i915-fix-memory-leak-by-correcting-cache-object-.patch @@ -0,0 +1,41 @@ +From 53eb9081d0539e34ca58049c62c3dd240972c2cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 21:00:51 +0000 +Subject: drm/i915: Fix memory leak by correcting cache object name in error + handler + +From: Jiasheng Jiang + +[ Upstream commit 9bc5e7dc694d3112bbf0fa4c46ef0fa0f114937a ] + +Replace "slab_priorities" with "slab_dependencies" in the error handler +to avoid memory leak. + +Fixes: 32eb6bcfdda9 ("drm/i915: Make request allocation caches global") +Cc: # v5.2+ +Signed-off-by: Jiasheng Jiang +Reviewed-by: Nirmoy Das +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +Link: https://patchwork.freedesktop.org/patch/msgid/20241127201042.29620-1-jiashengjiangcool@gmail.com +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/i915_scheduler.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/i915_scheduler.c b/drivers/gpu/drm/i915/i915_scheduler.c +index 0ef205fe5e29..7ef068dcc48b 100644 +--- a/drivers/gpu/drm/i915/i915_scheduler.c ++++ b/drivers/gpu/drm/i915/i915_scheduler.c +@@ -533,6 +533,6 @@ int __init i915_global_scheduler_init(void) + return 0; + + err_priorities: +- kmem_cache_destroy(global.slab_priorities); ++ kmem_cache_destroy(global.slab_dependencies); + return -ENOMEM; + } +-- +2.39.5 + diff --git a/queue-5.4/erofs-fix-incorrect-symlink-detection-in-fast-symlin.patch b/queue-5.4/erofs-fix-incorrect-symlink-detection-in-fast-symlin.patch new file mode 100644 index 00000000000..b40d2560ba8 --- /dev/null +++ b/queue-5.4/erofs-fix-incorrect-symlink-detection-in-fast-symlin.patch @@ -0,0 +1,78 @@ +From 5aca03c0ea4864e950edd8dbba7f8f9fe486e8ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 15:39:38 +0800 +Subject: erofs: fix incorrect symlink detection in fast symlink +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gao Xiang + +commit 9ed50b8231e37b1ae863f5dec8153b98d9f389b4 upstream. + +Fast symlink can be used if the on-disk symlink data is stored +in the same block as the on-disk inode, so we don’t need to trigger +another I/O for symlink data. However, currently fs correction could be +reported _incorrectly_ if inode xattrs are too large. + +In fact, these should be valid images although they cannot be handled as +fast symlinks. + +Many thanks to Colin for reporting this! + +Reported-by: Colin Walters +Reported-by: https://honggfuzz.dev/ +Link: https://lore.kernel.org/r/bb2dd430-7de0-47da-ae5b-82ab2dd4d945@app.fastmail.com +Fixes: 431339ba9042 ("staging: erofs: add inode operations") +[ Note that it's a runtime misbehavior instead of a security issue. ] +Link: https://lore.kernel.org/r/20240909031911.1174718-1-hsiangkao@linux.alibaba.com +[ Gao Xiang: fix 5.4.y build warning due to `check_add_overflow`. ] +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/inode.c | 20 ++++++-------------- + 1 file changed, 6 insertions(+), 14 deletions(-) + +diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c +index ba981076d6f2..af90d3d70a08 100644 +--- a/fs/erofs/inode.c ++++ b/fs/erofs/inode.c +@@ -198,11 +198,14 @@ static int erofs_fill_symlink(struct inode *inode, void *data, + unsigned int m_pofs) + { + struct erofs_inode *vi = EROFS_I(inode); ++ loff_t off; + char *lnk; + +- /* if it cannot be handled with fast symlink scheme */ +- if (vi->datalayout != EROFS_INODE_FLAT_INLINE || +- inode->i_size >= PAGE_SIZE || inode->i_size < 0) { ++ m_pofs += vi->xattr_isize; ++ /* check if it cannot be handled with fast symlink scheme */ ++ if (vi->datalayout != EROFS_INODE_FLAT_INLINE || inode->i_size < 0 || ++ check_add_overflow((loff_t)m_pofs, inode->i_size, &off) || ++ off > i_blocksize(inode)) { + inode->i_op = &erofs_symlink_iops; + return 0; + } +@@ -211,17 +214,6 @@ static int erofs_fill_symlink(struct inode *inode, void *data, + if (!lnk) + return -ENOMEM; + +- m_pofs += vi->xattr_isize; +- /* inline symlink data shouldn't cross page boundary as well */ +- if (m_pofs + inode->i_size > PAGE_SIZE) { +- kfree(lnk); +- erofs_err(inode->i_sb, +- "inline data cross block boundary @ nid %llu", +- vi->nid); +- DBG_BUGON(1); +- return -EFSCORRUPTED; +- } +- + memcpy(lnk, data + m_pofs, inode->i_size); + lnk[inode->i_size] = '\0'; + +-- +2.39.5 + diff --git a/queue-5.4/erofs-fix-order-max_order-warning-due-to-crafted-neg.patch b/queue-5.4/erofs-fix-order-max_order-warning-due-to-crafted-neg.patch new file mode 100644 index 00000000000..ba8bfa824de --- /dev/null +++ b/queue-5.4/erofs-fix-order-max_order-warning-due-to-crafted-neg.patch @@ -0,0 +1,43 @@ +From 78781f3f3c3039d63ec435d153a1b4686eda9e4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 15:39:37 +0800 +Subject: erofs: fix order >= MAX_ORDER warning due to crafted negative i_size + +From: Gao Xiang + +commit 1dd73601a1cba37a0ed5f89a8662c90191df5873 upstream. + +As syzbot reported [1], the root cause is that i_size field is a +signed type, and negative i_size is also less than EROFS_BLKSIZ. +As a consequence, it's handled as fast symlink unexpectedly. + +Let's fall back to the generic path to deal with such unusual i_size. + +[1] https://lore.kernel.org/r/000000000000ac8efa05e7feaa1f@google.com + +Reported-by: syzbot+f966c13b1b4fc0403b19@syzkaller.appspotmail.com +Fixes: 431339ba9042 ("staging: erofs: add inode operations") +Reviewed-by: Yue Hu +Link: https://lore.kernel.org/r/20220909023948.28925-1-hsiangkao@linux.alibaba.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c +index 0dbeaf68e1d6..ba981076d6f2 100644 +--- a/fs/erofs/inode.c ++++ b/fs/erofs/inode.c +@@ -202,7 +202,7 @@ static int erofs_fill_symlink(struct inode *inode, void *data, + + /* if it cannot be handled with fast symlink scheme */ + if (vi->datalayout != EROFS_INODE_FLAT_INLINE || +- inode->i_size >= PAGE_SIZE) { ++ inode->i_size >= PAGE_SIZE || inode->i_size < 0) { + inode->i_op = &erofs_symlink_iops; + return 0; + } +-- +2.39.5 + diff --git a/queue-5.4/i2c-pnx-fix-timeout-in-wait-functions.patch b/queue-5.4/i2c-pnx-fix-timeout-in-wait-functions.patch new file mode 100644 index 00000000000..c1f7807e40f --- /dev/null +++ b/queue-5.4/i2c-pnx-fix-timeout-in-wait-functions.patch @@ -0,0 +1,48 @@ +From 5c7f6a1ac42b9b43c750d31c350fb4eab7d527d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Dec 2024 00:19:34 +0100 +Subject: i2c: pnx: Fix timeout in wait functions + +From: Vladimir Riabchun + +[ Upstream commit 7363f2d4c18557c99c536b70489187bb4e05c412 ] + +Since commit f63b94be6942 ("i2c: pnx: Fix potential deadlock warning +from del_timer_sync() call in isr") jiffies are stored in +i2c_pnx_algo_data.timeout, but wait_timeout and wait_reset are still +using it as milliseconds. Convert jiffies back to milliseconds to wait +for the expected amount of time. + +Fixes: f63b94be6942 ("i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr") +Signed-off-by: Vladimir Riabchun +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-pnx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-pnx.c b/drivers/i2c/busses/i2c-pnx.c +index 4d09665a72e5..6ba534c983de 100644 +--- a/drivers/i2c/busses/i2c-pnx.c ++++ b/drivers/i2c/busses/i2c-pnx.c +@@ -95,7 +95,7 @@ enum { + + static inline int wait_timeout(struct i2c_pnx_algo_data *data) + { +- long timeout = data->timeout; ++ long timeout = jiffies_to_msecs(data->timeout); + while (timeout > 0 && + (ioread32(I2C_REG_STS(data)) & mstatus_active)) { + mdelay(1); +@@ -106,7 +106,7 @@ static inline int wait_timeout(struct i2c_pnx_algo_data *data) + + static inline int wait_reset(struct i2c_pnx_algo_data *data) + { +- long timeout = data->timeout; ++ long timeout = jiffies_to_msecs(data->timeout); + while (timeout > 0 && + (ioread32(I2C_REG_CTL(data)) & mcntrl_reset)) { + mdelay(1); +-- +2.39.5 + diff --git a/queue-5.4/pci-add-acs-quirk-for-broadcom-bcm5760x-nic.patch b/queue-5.4/pci-add-acs-quirk-for-broadcom-bcm5760x-nic.patch new file mode 100644 index 00000000000..d69b6f4400e --- /dev/null +++ b/queue-5.4/pci-add-acs-quirk-for-broadcom-bcm5760x-nic.patch @@ -0,0 +1,51 @@ +From e6ebd3dc97288728ec09eb862f476eb03bb02499 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jul 2024 12:10:21 -0400 +Subject: PCI: Add ACS quirk for Broadcom BCM5760X NIC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ajit Khaparde + +[ Upstream commit 524e057b2d66b61f9b63b6db30467ab7b0bb4796 ] + +The Broadcom BCM5760X NIC may be a multi-function device. + +While it does not advertise an ACS capability, peer-to-peer transactions +are not possible between the individual functions. So it is ok to treat +them as fully isolated. + +Add an ACS quirk for this device so the functions can be in independent +IOMMU groups and attached individually to userspace applications using +VFIO. + +[kwilczynski: commit log] +Link: https://lore.kernel.org/linux-pci/20240510204228.73435-1-ajit.khaparde@broadcom.com +Signed-off-by: Ajit Khaparde +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Bjorn Helgaas +Reviewed-by: Andy Gospodarek +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 6a2d64d050c0..080d5077c645 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4997,6 +4997,10 @@ static const struct pci_dev_acs_enabled { + { PCI_VENDOR_ID_BROADCOM, 0x1750, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_BROADCOM, 0x1751, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_BROADCOM, 0x1752, pci_quirk_mf_endpoint_acs }, ++ { PCI_VENDOR_ID_BROADCOM, 0x1760, pci_quirk_mf_endpoint_acs }, ++ { PCI_VENDOR_ID_BROADCOM, 0x1761, pci_quirk_mf_endpoint_acs }, ++ { PCI_VENDOR_ID_BROADCOM, 0x1762, pci_quirk_mf_endpoint_acs }, ++ { PCI_VENDOR_ID_BROADCOM, 0x1763, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs }, + /* Amazon Annapurna Labs */ + { PCI_VENDOR_ID_AMAZON_ANNAPURNA_LABS, 0x0031, pci_quirk_al_acs }, +-- +2.39.5 + diff --git a/queue-5.4/pci-aer-disable-aer-service-on-suspend.patch b/queue-5.4/pci-aer-disable-aer-service-on-suspend.patch new file mode 100644 index 00000000000..169a2561d5b --- /dev/null +++ b/queue-5.4/pci-aer-disable-aer-service-on-suspend.patch @@ -0,0 +1,68 @@ +From 6073f86cb45d7ed3d54ba42aa57e38dcf6b92e4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jul 2024 12:10:24 -0400 +Subject: PCI/AER: Disable AER service on suspend + +From: Kai-Heng Feng + +[ Upstream commit 5afc2f763edc5daae4722ee46fea4e627d01fa90 ] + +If the link is powered off during suspend, electrical noise may cause +errors that are logged via AER. If the AER interrupt is enabled and shares +an IRQ with PME, that causes a spurious wakeup during suspend. + +Disable the AER interrupt during suspend to prevent this. Clear error +status before re-enabling IRQ interrupts during resume so we don't get an +interrupt for errors that occurred during the suspend/resume process. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=209149 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216295 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=218090 +Link: https://lore.kernel.org/r/20240416043225.1462548-2-kai.heng.feng@canonical.com +Signed-off-by: Kai-Heng Feng +[bhelgaas: drop pci_ancestor_pr3_present() etc, commit log] +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aer.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/pci/pcie/aer.c b/drivers/pci/pcie/aer.c +index 6b5c9f7916fa..ee38ca162a7c 100644 +--- a/drivers/pci/pcie/aer.c ++++ b/drivers/pci/pcie/aer.c +@@ -1407,6 +1407,22 @@ static int aer_probe(struct pcie_device *dev) + return 0; + } + ++static int aer_suspend(struct pcie_device *dev) ++{ ++ struct aer_rpc *rpc = get_service_data(dev); ++ ++ aer_disable_rootport(rpc); ++ return 0; ++} ++ ++static int aer_resume(struct pcie_device *dev) ++{ ++ struct aer_rpc *rpc = get_service_data(dev); ++ ++ aer_enable_rootport(rpc); ++ return 0; ++} ++ + /** + * aer_root_reset - reset link on Root Port + * @dev: pointer to Root Port's pci_dev data structure +@@ -1447,6 +1463,8 @@ static struct pcie_port_service_driver aerdriver = { + .service = PCIE_PORT_SERVICE_AER, + + .probe = aer_probe, ++ .suspend = aer_suspend, ++ .resume = aer_resume, + .remove = aer_remove, + .reset_link = aer_root_reset, + }; +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index 19e6f6cda0b..59cdcc31b41 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1 +1,9 @@ net-sched-fix-ordering-of-qlen-adjustment.patch +usb-dwc2-gadget-don-t-write-invalid-mapped-sg-entrie.patch +pci-aer-disable-aer-service-on-suspend.patch +alsa-usb-fix-ubsan-warning-in-parse_audio_unit.patch +pci-add-acs-quirk-for-broadcom-bcm5760x-nic.patch +i2c-pnx-fix-timeout-in-wait-functions.patch +drm-i915-fix-memory-leak-by-correcting-cache-object-.patch +erofs-fix-order-max_order-warning-due-to-crafted-neg.patch +erofs-fix-incorrect-symlink-detection-in-fast-symlin.patch diff --git a/queue-5.4/usb-dwc2-gadget-don-t-write-invalid-mapped-sg-entrie.patch b/queue-5.4/usb-dwc2-gadget-don-t-write-invalid-mapped-sg-entrie.patch new file mode 100644 index 00000000000..f4caae7c938 --- /dev/null +++ b/queue-5.4/usb-dwc2-gadget-don-t-write-invalid-mapped-sg-entrie.patch @@ -0,0 +1,56 @@ +From 68987b2af08a193cbeba3ae801fb409eefa84c0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jul 2024 12:10:22 -0400 +Subject: usb: dwc2: gadget: Don't write invalid mapped sg entries into + dma_desc with iommu enabled + +From: Peng Hongchi + +[ Upstream commit 1134289b6b93d73721340b66c310fd985385e8fa ] + +When using dma_map_sg() to map the scatterlist with iommu enabled, +the entries in the scatterlist can be mergerd into less but longer +entries in the function __finalise_sg(). So that the number of +valid mapped entries is actually smaller than ureq->num_reqs,and +there are still some invalid entries in the scatterlist with +dma_addr=0xffffffff and len=0. Writing these invalid sg entries +into the dma_desc can cause a data transmission error. + +The function dma_map_sg() returns the number of valid map entries +and the return value is assigned to usb_request::num_mapped_sgs in +function usb_gadget_map_request_by_dev(). So that just write valid +mapped entries into dma_desc according to the usb_request::num_mapped_sgs, +and set the IOC bit if it's the last valid mapped entry. + +This patch poses no risk to no-iommu situation, cause +ureq->num_mapped_sgs equals ureq->num_sgs while using dma_direct_map_sg() +to map the scatterlist whith iommu disabled. + +Signed-off-by: Peng Hongchi +Link: https://lore.kernel.org/r/20240523100315.7226-1-hongchi.peng@siengine.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/gadget.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c +index b341bbc9f1da..abc2271799e0 100644 +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -885,10 +885,10 @@ static void dwc2_gadget_config_nonisoc_xfer_ddma(struct dwc2_hsotg_ep *hs_ep, + } + + /* DMA sg buffer */ +- for_each_sg(ureq->sg, sg, ureq->num_sgs, i) { ++ for_each_sg(ureq->sg, sg, ureq->num_mapped_sgs, i) { + dwc2_gadget_fill_nonisoc_xfer_ddma_one(hs_ep, &desc, + sg_dma_address(sg) + sg->offset, sg_dma_len(sg), +- sg_is_last(sg)); ++ (i == (ureq->num_mapped_sgs - 1))); + desc_count += hs_ep->desc_count; + } + +-- +2.39.5 +