From 2d4bb77885183026e7a0d7bd5c50fcb3c6df2d38 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 12 Dec 2024 13:17:40 +0100 Subject: [PATCH] 5.10-stable patches added patches: alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch modpost-add-.irqentry.text-to-other_sections.patch pci-rockchip-ep-fix-address-translation-unit-programming.patch revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch scsi-core-fix-scsi_mode_select-buffer-length-handling.patch scsi-sd-fix-sd_do_mode_sense-buffer-length-handling.patch --- ...nds-reads-when-finding-clock-sources.patch | 114 ++++++++ ...ntities-to-have-a-non-zero-unique-id.patch | 269 ++++++++++++++++++ ...add-.irqentry.text-to-other_sections.patch | 43 +++ ...address-translation-unit-programming.patch | 101 +++++++ ...check-in-amdgpu_debugfs_gprwave_read.patch | 34 +++ ...i_mode_select-buffer-length-handling.patch | 71 +++++ ...do_mode_sense-buffer-length-handling.patch | 37 +++ queue-5.10/series | 7 + 8 files changed, 676 insertions(+) create mode 100644 queue-5.10/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch create mode 100644 queue-5.10/media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch create mode 100644 queue-5.10/modpost-add-.irqentry.text-to-other_sections.patch create mode 100644 queue-5.10/pci-rockchip-ep-fix-address-translation-unit-programming.patch create mode 100644 queue-5.10/revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch create mode 100644 queue-5.10/scsi-core-fix-scsi_mode_select-buffer-length-handling.patch create mode 100644 queue-5.10/scsi-sd-fix-sd_do_mode_sense-buffer-length-handling.patch diff --git a/queue-5.10/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch b/queue-5.10/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch new file mode 100644 index 00000000000..7ff65f255fc --- /dev/null +++ b/queue-5.10/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch @@ -0,0 +1,114 @@ +From a3dd4d63eeb452cfb064a13862fb376ab108f6a6 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 25 Nov 2024 15:46:16 +0100 +Subject: ALSA: usb-audio: Fix out of bounds reads when finding clock sources +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6 upstream. + +The current USB-audio driver code doesn't check bLength of each +descriptor at traversing for clock descriptors. That is, when a +device provides a bogus descriptor with a shorter bLength, the driver +might hit out-of-bounds reads. + +For addressing it, this patch adds sanity checks to the validator +functions for the clock descriptor traversal. When the descriptor +length is shorter than expected, it's skipped in the loop. + +For the clock source and clock multiplier descriptors, we can just +check bLength against the sizeof() of each descriptor type. +OTOH, the clock selector descriptor of UAC2 and UAC3 has an array +of bNrInPins elements and two more fields at its tail, hence those +have to be checked in addition to the sizeof() check. + +Reported-by: Benoît Sevens +Cc: +Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com +Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Benoît Sevens +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/clock.c | 32 ++++++++++++++++++++++++++++++-- + 1 file changed, 30 insertions(+), 2 deletions(-) + +--- a/sound/usb/clock.c ++++ b/sound/usb/clock.c +@@ -21,6 +21,10 @@ + #include "clock.h" + #include "quirks.h" + ++/* check whether the descriptor bLength has the minimal length */ ++#define DESC_LENGTH_CHECK(p) \ ++ (p->bLength >= sizeof(*p)) ++ + static void *find_uac_clock_desc(struct usb_host_interface *iface, int id, + bool (*validator)(void *, int), u8 type) + { +@@ -38,36 +42,60 @@ static void *find_uac_clock_desc(struct + static bool validate_clock_source_v2(void *p, int id) + { + struct uac_clock_source_descriptor *cs = p; ++ if (!DESC_LENGTH_CHECK(cs)) ++ return false; + return cs->bClockID == id; + } + + static bool validate_clock_source_v3(void *p, int id) + { + struct uac3_clock_source_descriptor *cs = p; ++ if (!DESC_LENGTH_CHECK(cs)) ++ return false; + return cs->bClockID == id; + } + + static bool validate_clock_selector_v2(void *p, int id) + { + struct uac_clock_selector_descriptor *cs = p; +- return cs->bClockID == id; ++ if (!DESC_LENGTH_CHECK(cs)) ++ return false; ++ if (cs->bClockID != id) ++ return false; ++ /* additional length check for baCSourceID array (in bNrInPins size) ++ * and two more fields (which sizes depend on the protocol) ++ */ ++ return cs->bLength >= sizeof(*cs) + cs->bNrInPins + ++ 1 /* bmControls */ + 1 /* iClockSelector */; + } + + static bool validate_clock_selector_v3(void *p, int id) + { + struct uac3_clock_selector_descriptor *cs = p; +- return cs->bClockID == id; ++ if (!DESC_LENGTH_CHECK(cs)) ++ return false; ++ if (cs->bClockID != id) ++ return false; ++ /* additional length check for baCSourceID array (in bNrInPins size) ++ * and two more fields (which sizes depend on the protocol) ++ */ ++ return cs->bLength >= sizeof(*cs) + cs->bNrInPins + ++ 4 /* bmControls */ + 2 /* wCSelectorDescrStr */; + } + + static bool validate_clock_multiplier_v2(void *p, int id) + { + struct uac_clock_multiplier_descriptor *cs = p; ++ if (!DESC_LENGTH_CHECK(cs)) ++ return false; + return cs->bClockID == id; + } + + static bool validate_clock_multiplier_v3(void *p, int id) + { + struct uac3_clock_multiplier_descriptor *cs = p; ++ if (!DESC_LENGTH_CHECK(cs)) ++ return false; + return cs->bClockID == id; + } + diff --git a/queue-5.10/media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch b/queue-5.10/media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch new file mode 100644 index 00000000000..9462752fdc2 --- /dev/null +++ b/queue-5.10/media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch @@ -0,0 +1,269 @@ +From 3dd075fe8ebbc6fcbf998f81a75b8c4b159a6195 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Fri, 13 Sep 2024 15:06:01 -0300 +Subject: media: uvcvideo: Require entities to have a non-zero unique ID + +From: Thadeu Lima de Souza Cascardo + +commit 3dd075fe8ebbc6fcbf998f81a75b8c4b159a6195 upstream. + +Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero +unique ID. + +``` +Each Unit and Terminal within the video function is assigned a unique +identification number, the Unit ID (UID) or Terminal ID (TID), contained in +the bUnitID or bTerminalID field of the descriptor. The value 0x00 is +reserved for undefined ID, +``` + +So, deny allocating an entity with ID 0 or an ID that belongs to a unit +that is already added to the list of entities. + +This also prevents some syzkaller reproducers from triggering warnings due +to a chain of entities referring to themselves. In one particular case, an +Output Unit is connected to an Input Unit, both with the same ID of 1. But +when looking up for the source ID of the Output Unit, that same entity is +found instead of the input entity, which leads to such warnings. + +In another case, a backward chain was considered finished as the source ID +was 0. Later on, that entity was found, but its pads were not valid. + +Here is a sample stack trace for one of those cases. + +[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd +[ 20.830206] usb 1-1: Using ep0 maxpacket: 8 +[ 20.833501] usb 1-1: config 0 descriptor?? +[ 21.038518] usb 1-1: string descriptor 0 read error: -71 +[ 21.038893] usb 1-1: Found UVC 0.00 device (2833:0201) +[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized! +[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized! +[ 21.042218] ------------[ cut here ]------------ +[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0 +[ 21.043195] Modules linked in: +[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444 +[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +[ 21.044639] Workqueue: usb_hub_wq hub_event +[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0 +[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00 +[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246 +[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1 +[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290 +[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000 +[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003 +[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000 +[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 +[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0 +[ 21.051136] PKRU: 55555554 +[ 21.051331] Call Trace: +[ 21.051480] +[ 21.051611] ? __warn+0xc4/0x210 +[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0 +[ 21.052252] ? report_bug+0x11b/0x1a0 +[ 21.052540] ? trace_hardirqs_on+0x31/0x40 +[ 21.052901] ? handle_bug+0x3d/0x70 +[ 21.053197] ? exc_invalid_op+0x1a/0x50 +[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20 +[ 21.053924] ? media_create_pad_link+0x91/0x2e0 +[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0 +[ 21.054834] ? media_create_pad_link+0x91/0x2e0 +[ 21.055131] ? _raw_spin_unlock+0x1e/0x40 +[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210 +[ 21.055837] uvc_mc_register_entities+0x358/0x400 +[ 21.056144] uvc_register_chains+0x1fd/0x290 +[ 21.056413] uvc_probe+0x380e/0x3dc0 +[ 21.056676] ? __lock_acquire+0x5aa/0x26e0 +[ 21.056946] ? find_held_lock+0x33/0xa0 +[ 21.057196] ? kernfs_activate+0x70/0x80 +[ 21.057533] ? usb_match_dynamic_id+0x1b/0x70 +[ 21.057811] ? find_held_lock+0x33/0xa0 +[ 21.058047] ? usb_match_dynamic_id+0x55/0x70 +[ 21.058330] ? lock_release+0x124/0x260 +[ 21.058657] ? usb_match_one_id_intf+0xa2/0x100 +[ 21.058997] usb_probe_interface+0x1ba/0x330 +[ 21.059399] really_probe+0x1ba/0x4c0 +[ 21.059662] __driver_probe_device+0xb2/0x180 +[ 21.059944] driver_probe_device+0x5a/0x100 +[ 21.060170] __device_attach_driver+0xe9/0x160 +[ 21.060427] ? __pfx___device_attach_driver+0x10/0x10 +[ 21.060872] bus_for_each_drv+0xa9/0x100 +[ 21.061312] __device_attach+0xed/0x190 +[ 21.061812] device_initial_probe+0xe/0x20 +[ 21.062229] bus_probe_device+0x4d/0xd0 +[ 21.062590] device_add+0x308/0x590 +[ 21.062912] usb_set_configuration+0x7b6/0xaf0 +[ 21.063403] usb_generic_driver_probe+0x36/0x80 +[ 21.063714] usb_probe_device+0x7b/0x130 +[ 21.063936] really_probe+0x1ba/0x4c0 +[ 21.064111] __driver_probe_device+0xb2/0x180 +[ 21.064577] driver_probe_device+0x5a/0x100 +[ 21.065019] __device_attach_driver+0xe9/0x160 +[ 21.065403] ? __pfx___device_attach_driver+0x10/0x10 +[ 21.065820] bus_for_each_drv+0xa9/0x100 +[ 21.066094] __device_attach+0xed/0x190 +[ 21.066535] device_initial_probe+0xe/0x20 +[ 21.066992] bus_probe_device+0x4d/0xd0 +[ 21.067250] device_add+0x308/0x590 +[ 21.067501] usb_new_device+0x347/0x610 +[ 21.067817] hub_event+0x156b/0x1e30 +[ 21.068060] ? process_scheduled_works+0x48b/0xaf0 +[ 21.068337] process_scheduled_works+0x5a3/0xaf0 +[ 21.068668] worker_thread+0x3cf/0x560 +[ 21.068932] ? kthread+0x109/0x1b0 +[ 21.069133] kthread+0x197/0x1b0 +[ 21.069343] ? __pfx_worker_thread+0x10/0x10 +[ 21.069598] ? __pfx_kthread+0x10/0x10 +[ 21.069908] ret_from_fork+0x32/0x40 +[ 21.070169] ? __pfx_kthread+0x10/0x10 +[ 21.070424] ret_from_fork_asm+0x1a/0x30 +[ 21.070737] + +Cc: stable@vger.kernel.org +Reported-by: syzbot+0584f746fde3d52b4675@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0584f746fde3d52b4675 +Reported-by: syzbot+dd320d114deb3f5bb79b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=dd320d114deb3f5bb79b +Fixes: a3fbc2e6bb05 ("media: mc-entity.c: use WARN_ON, validate link pads") +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20240913180601.1400596-2-cascardo@igalia.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +[ ribalda: The context around the changes differs from master. This + version is also missing the gpio unit, so that part is gone from the + patch. ] +Signed-off-by: Ricardo Ribalda +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_driver.c | 63 ++++++++++++++++++++++--------------- + 1 file changed, 39 insertions(+), 24 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -1029,14 +1029,27 @@ error: + return ret; + } + +-static struct uvc_entity *uvc_alloc_entity(u16 type, u8 id, +- unsigned int num_pads, unsigned int extra_size) ++static struct uvc_entity *uvc_alloc_new_entity(struct uvc_device *dev, u16 type, ++ u16 id, unsigned int num_pads, ++ unsigned int extra_size) + { + struct uvc_entity *entity; + unsigned int num_inputs; + unsigned int size; + unsigned int i; + ++ /* Per UVC 1.1+ spec 3.7.2, the ID should be non-zero. */ ++ if (id == 0) { ++ dev_err(&dev->udev->dev, "Found Unit with invalid ID 0.\n"); ++ return ERR_PTR(-EINVAL); ++ } ++ ++ /* Per UVC 1.1+ spec 3.7.2, the ID is unique. */ ++ if (uvc_entity_by_id(dev, id)) { ++ dev_err(&dev->udev->dev, "Found multiple Units with ID %u\n", id); ++ return ERR_PTR(-EINVAL); ++ } ++ + extra_size = roundup(extra_size, sizeof(*entity->pads)); + if (num_pads) + num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1; +@@ -1046,7 +1059,7 @@ static struct uvc_entity *uvc_alloc_enti + + num_inputs; + entity = kzalloc(size, GFP_KERNEL); + if (entity == NULL) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + entity->id = id; + entity->type = type; +@@ -1117,10 +1130,10 @@ static int uvc_parse_vendor_control(stru + break; + } + +- unit = uvc_alloc_entity(UVC_VC_EXTENSION_UNIT, buffer[3], +- p + 1, 2*n); +- if (unit == NULL) +- return -ENOMEM; ++ unit = uvc_alloc_new_entity(dev, UVC_VC_EXTENSION_UNIT, ++ buffer[3], p + 1, 2 * n); ++ if (IS_ERR(unit)) ++ return PTR_ERR(unit); + + memcpy(unit->extension.guidExtensionCode, &buffer[4], 16); + unit->extension.bNumControls = buffer[20]; +@@ -1231,10 +1244,10 @@ static int uvc_parse_standard_control(st + return -EINVAL; + } + +- term = uvc_alloc_entity(type | UVC_TERM_INPUT, buffer[3], +- 1, n + p); +- if (term == NULL) +- return -ENOMEM; ++ term = uvc_alloc_new_entity(dev, type | UVC_TERM_INPUT, ++ buffer[3], 1, n + p); ++ if (IS_ERR(term)) ++ return PTR_ERR(term); + + if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) { + term->camera.bControlSize = n; +@@ -1290,10 +1303,10 @@ static int uvc_parse_standard_control(st + return 0; + } + +- term = uvc_alloc_entity(type | UVC_TERM_OUTPUT, buffer[3], +- 1, 0); +- if (term == NULL) +- return -ENOMEM; ++ term = uvc_alloc_new_entity(dev, type | UVC_TERM_OUTPUT, ++ buffer[3], 1, 0); ++ if (IS_ERR(term)) ++ return PTR_ERR(term); + + memcpy(term->baSourceID, &buffer[7], 1); + +@@ -1314,9 +1327,10 @@ static int uvc_parse_standard_control(st + return -EINVAL; + } + +- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, 0); +- if (unit == NULL) +- return -ENOMEM; ++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], ++ p + 1, 0); ++ if (IS_ERR(unit)) ++ return PTR_ERR(unit); + + memcpy(unit->baSourceID, &buffer[5], p); + +@@ -1338,9 +1352,9 @@ static int uvc_parse_standard_control(st + return -EINVAL; + } + +- unit = uvc_alloc_entity(buffer[2], buffer[3], 2, n); +- if (unit == NULL) +- return -ENOMEM; ++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], 2, n); ++ if (IS_ERR(unit)) ++ return PTR_ERR(unit); + + memcpy(unit->baSourceID, &buffer[4], 1); + unit->processing.wMaxMultiplier = +@@ -1369,9 +1383,10 @@ static int uvc_parse_standard_control(st + return -EINVAL; + } + +- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, n); +- if (unit == NULL) +- return -ENOMEM; ++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], ++ p + 1, n); ++ if (IS_ERR(unit)) ++ return PTR_ERR(unit); + + memcpy(unit->extension.guidExtensionCode, &buffer[4], 16); + unit->extension.bNumControls = buffer[20]; diff --git a/queue-5.10/modpost-add-.irqentry.text-to-other_sections.patch b/queue-5.10/modpost-add-.irqentry.text-to-other_sections.patch new file mode 100644 index 00000000000..ed1528d86cb --- /dev/null +++ b/queue-5.10/modpost-add-.irqentry.text-to-other_sections.patch @@ -0,0 +1,43 @@ +From 7912405643a14b527cd4a4f33c1d4392da900888 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Sun, 1 Dec 2024 12:17:30 +0100 +Subject: modpost: Add .irqentry.text to OTHER_SECTIONS + +From: Thomas Gleixner + +commit 7912405643a14b527cd4a4f33c1d4392da900888 upstream. + +The compiler can fully inline the actual handler function of an interrupt +entry into the .irqentry.text entry point. If such a function contains an +access which has an exception table entry, modpost complains about a +section mismatch: + + WARNING: vmlinux.o(__ex_table+0x447c): Section mismatch in reference ... + + The relocation at __ex_table+0x447c references section ".irqentry.text" + which is not in the list of authorized sections. + +Add .irqentry.text to OTHER_SECTIONS to cure the issue. + +Reported-by: Sergey Senozhatsky +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org # needed for linux-5.4-y +Link: https://lore.kernel.org/all/20241128111844.GE10431@google.com/ +Signed-off-by: Masahiro Yamada +Signed-off-by: Sergey Senozhatsky +Signed-off-by: Greg Kroah-Hartman +--- + scripts/mod/modpost.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -951,7 +951,7 @@ static void check_section(const char *mo + ".kprobes.text", ".cpuidle.text", ".noinstr.text" + #define OTHER_TEXT_SECTIONS ".ref.text", ".head.text", ".spinlock.text", \ + ".fixup", ".entry.text", ".exception.text", ".text.*", \ +- ".coldtext" ++ ".coldtext", ".irqentry.text" + + #define INIT_SECTIONS ".init.*" + #define MEM_INIT_SECTIONS ".meminit.*" diff --git a/queue-5.10/pci-rockchip-ep-fix-address-translation-unit-programming.patch b/queue-5.10/pci-rockchip-ep-fix-address-translation-unit-programming.patch new file mode 100644 index 00000000000..ec38044816f --- /dev/null +++ b/queue-5.10/pci-rockchip-ep-fix-address-translation-unit-programming.patch @@ -0,0 +1,101 @@ +From 64f093c4d99d797b68b407a9d8767aadc3e3ea7a Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Thu, 17 Oct 2024 10:58:36 +0900 +Subject: PCI: rockchip-ep: Fix address translation unit programming +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Damien Le Moal + +commit 64f093c4d99d797b68b407a9d8767aadc3e3ea7a upstream. + +The Rockchip PCIe endpoint controller handles PCIe transfers addresses +by masking the lower bits of the programmed PCI address and using the +same number of lower bits masked from the CPU address space used for the +mapping. For a PCI mapping of bytes starting from , +the number of bits masked is the number of address bits changing in the +address range [pci_addr..pci_addr + size - 1]. + +However, rockchip_pcie_prog_ep_ob_atu() calculates num_pass_bits only +using the size of the mapping, resulting in an incorrect number of mask +bits depending on the value of the PCI address to map. + +Fix this by introducing the helper function +rockchip_pcie_ep_ob_atu_num_bits() to correctly calculate the number of +mask bits to use to program the address translation unit. The number of +mask bits is calculated depending on both the PCI address and size of +the mapping, and clamped between 8 and 20 using the macros +ROCKCHIP_PCIE_AT_MIN_NUM_BITS and ROCKCHIP_PCIE_AT_MAX_NUM_BITS. As +defined in the Rockchip RK3399 TRM V1.3 Part2, Sections 17.5.5.1.1 and +17.6.8.2.1, this clamping is necessary because: + + 1) The lower 8 bits of the PCI address to be mapped by the outbound + region are ignored. So a minimum of 8 address bits are needed and + imply that the PCI address must be aligned to 256. + + 2) The outbound memory regions are 1MB in size. So while we can specify + up to 63-bits for the PCI address (num_bits filed uses bits 0 to 5 of + the outbound address region 0 register), we must limit the number of + valid address bits to 20 to match the memory window maximum size (1 + << 20 = 1MB). + +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Link: https://lore.kernel.org/r/20241017015849.190271-2-dlemoal@kernel.org +Signed-off-by: Damien Le Moal +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 18 +++++++++++++----- + drivers/pci/controller/pcie-rockchip.h | 4 ++++ + 2 files changed, 17 insertions(+), 5 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -67,18 +67,26 @@ static void rockchip_pcie_clear_ep_ob_at + ROCKCHIP_PCIE_AT_OB_REGION_CPU_ADDR1(region)); + } + ++static int rockchip_pcie_ep_ob_atu_num_bits(struct rockchip_pcie *rockchip, ++ u64 pci_addr, size_t size) ++{ ++ int num_pass_bits = fls64(pci_addr ^ (pci_addr + size - 1)); ++ ++ return clamp(num_pass_bits, ++ ROCKCHIP_PCIE_AT_MIN_NUM_BITS, ++ ROCKCHIP_PCIE_AT_MAX_NUM_BITS); ++} ++ + static void rockchip_pcie_prog_ep_ob_atu(struct rockchip_pcie *rockchip, u8 fn, + u32 r, u32 type, u64 cpu_addr, + u64 pci_addr, size_t size) + { +- u64 sz = 1ULL << fls64(size - 1); +- int num_pass_bits = ilog2(sz); ++ int num_pass_bits; + u32 addr0, addr1, desc0, desc1; + bool is_nor_msg = (type == AXI_WRAPPER_NOR_MSG); + +- /* The minimal region size is 1MB */ +- if (num_pass_bits < 8) +- num_pass_bits = 8; ++ num_pass_bits = rockchip_pcie_ep_ob_atu_num_bits(rockchip, ++ pci_addr, size); + + cpu_addr -= rockchip->mem_res->start; + addr0 = ((is_nor_msg ? 0x10 : (num_pass_bits - 1)) & +--- a/drivers/pci/controller/pcie-rockchip.h ++++ b/drivers/pci/controller/pcie-rockchip.h +@@ -241,6 +241,10 @@ + #define ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP BIT(24) + #define ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR 0x1 + #define ROCKCHIP_PCIE_EP_FUNC_BASE(fn) (((fn) << 12) & GENMASK(19, 12)) ++ ++#define ROCKCHIP_PCIE_AT_MIN_NUM_BITS 8 ++#define ROCKCHIP_PCIE_AT_MAX_NUM_BITS 20 ++ + #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR0(fn, bar) \ + (PCIE_RC_RP_ATS_BASE + 0x0840 + (fn) * 0x0040 + (bar) * 0x0008) + #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR1(fn, bar) \ diff --git a/queue-5.10/revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch b/queue-5.10/revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch new file mode 100644 index 00000000000..6a59c83d26d --- /dev/null +++ b/queue-5.10/revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch @@ -0,0 +1,34 @@ +From zhangzekun11@huawei.com Thu Dec 12 12:44:57 2024 +From: Zhang Zekun +Date: Wed, 4 Dec 2024 16:23:56 +0800 +Subject: Revert "drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()" +To: +Cc: , , , , +Message-ID: <20241204082356.1048-1-zhangzekun11@huawei.com> + +From: Zhang Zekun + +This reverts commit 17f5f18085acb5e9d8d13d84a4e12bb3aff2bd64. + +The origin mainline patch fix a buffer overflow issue in +amdgpu_debugfs_gprwave_read(), but it has not been introduced in kernel +6.1 and older kernels. This patch add a check in a wrong function in the +same file. + +Signed-off-by: Zhang Zekun +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +@@ -396,7 +396,7 @@ static ssize_t amdgpu_debugfs_regs_pcie_ + ssize_t result = 0; + int r; + +- if (size > 4096 || size & 0x3 || *pos & 0x3) ++ if (size & 0x3 || *pos & 0x3) + return -EINVAL; + + r = pm_runtime_get_sync(adev_to_drm(adev)->dev); diff --git a/queue-5.10/scsi-core-fix-scsi_mode_select-buffer-length-handling.patch b/queue-5.10/scsi-core-fix-scsi_mode_select-buffer-length-handling.patch new file mode 100644 index 00000000000..03002e4e1c3 --- /dev/null +++ b/queue-5.10/scsi-core-fix-scsi_mode_select-buffer-length-handling.patch @@ -0,0 +1,71 @@ +From a7d6840bed0c2b16ac3071b74b5fcf08fc488241 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Fri, 20 Aug 2021 16:02:54 +0900 +Subject: scsi: core: Fix scsi_mode_select() buffer length handling + +From: Damien Le Moal + +commit a7d6840bed0c2b16ac3071b74b5fcf08fc488241 upstream. + +The MODE SELECT(6) command allows handling mode page buffers that are up to +255 bytes, including the 4 byte header needed in front of the page +buffer. For requests larger than this limit, automatically use the MODE +SELECT(10) command. + +In both cases, since scsi_mode_select() adds the mode select page header, +checks on the buffer length value must include this header size to avoid +overflows of the command CDB allocation length field. + +While at it, use put_unaligned_be16() for setting the header block +descriptor length and CDB allocation length when using MODE SELECT(10). + +[mkp: fix MODE SENSE vs. MODE SELECT confusion] + +Link: https://lore.kernel.org/r/20210820070255.682775-3-damien.lemoal@wdc.com +Signed-off-by: Damien Le Moal +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_lib.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -2019,8 +2019,15 @@ scsi_mode_select(struct scsi_device *sde + memset(cmd, 0, sizeof(cmd)); + cmd[1] = (pf ? 0x10 : 0) | (sp ? 0x01 : 0); + +- if (sdev->use_10_for_ms) { +- if (len > 65535) ++ /* ++ * Use MODE SELECT(10) if the device asked for it or if the mode page ++ * and the mode select header cannot fit within the maximumm 255 bytes ++ * of the MODE SELECT(6) command. ++ */ ++ if (sdev->use_10_for_ms || ++ len + 4 > 255 || ++ data->block_descriptor_length > 255) { ++ if (len > 65535 - 8) + return -EINVAL; + real_buffer = kmalloc(8 + len, GFP_KERNEL); + if (!real_buffer) +@@ -2033,15 +2040,13 @@ scsi_mode_select(struct scsi_device *sde + real_buffer[3] = data->device_specific; + real_buffer[4] = data->longlba ? 0x01 : 0; + real_buffer[5] = 0; +- real_buffer[6] = data->block_descriptor_length >> 8; +- real_buffer[7] = data->block_descriptor_length; ++ put_unaligned_be16(data->block_descriptor_length, ++ &real_buffer[6]); + + cmd[0] = MODE_SELECT_10; +- cmd[7] = len >> 8; +- cmd[8] = len; ++ put_unaligned_be16(len, &cmd[7]); + } else { +- if (len > 255 || data->block_descriptor_length > 255 || +- data->longlba) ++ if (data->longlba) + return -EINVAL; + + real_buffer = kmalloc(4 + len, GFP_KERNEL); diff --git a/queue-5.10/scsi-sd-fix-sd_do_mode_sense-buffer-length-handling.patch b/queue-5.10/scsi-sd-fix-sd_do_mode_sense-buffer-length-handling.patch new file mode 100644 index 00000000000..f68bc2b8f27 --- /dev/null +++ b/queue-5.10/scsi-sd-fix-sd_do_mode_sense-buffer-length-handling.patch @@ -0,0 +1,37 @@ +From c749301ebee82eb5e97dec14b6ab31a4aabe37a6 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Fri, 20 Aug 2021 16:02:55 +0900 +Subject: scsi: sd: Fix sd_do_mode_sense() buffer length handling + +From: Damien Le Moal + +commit c749301ebee82eb5e97dec14b6ab31a4aabe37a6 upstream. + +For devices that explicitly asked for MODE SENSE(10) use, make sure that +scsi_mode_sense() is called with a buffer of at least 8 bytes so that the +sense header fits. + +Link: https://lore.kernel.org/r/20210820070255.682775-4-damien.lemoal@wdc.com +Signed-off-by: Damien Le Moal +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sd.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2649,6 +2649,13 @@ sd_do_mode_sense(struct scsi_disk *sdkp, + unsigned char *buffer, int len, struct scsi_mode_data *data, + struct scsi_sense_hdr *sshdr) + { ++ /* ++ * If we must use MODE SENSE(10), make sure that the buffer length ++ * is at least 8 bytes so that the mode sense header fits. ++ */ ++ if (sdkp->device->use_10_for_ms && len < 8) ++ len = 8; ++ + return scsi_mode_sense(sdkp->device, dbd, modepage, buffer, len, + SD_TIMEOUT, sdkp->max_retries, data, + sshdr); diff --git a/queue-5.10/series b/queue-5.10/series index 2e38b0d008c..8cc6b211bda 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -449,3 +449,10 @@ jffs2-fix-rtime-decompressor.patch xhci-dbc-fix-stall-transfer-event-handling.patch drm-amd-display-check-bios-images-before-it-is-used.patch ocfs2-revert-ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch +modpost-add-.irqentry.text-to-other_sections.patch +revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch +pci-rockchip-ep-fix-address-translation-unit-programming.patch +scsi-sd-fix-sd_do_mode_sense-buffer-length-handling.patch +scsi-core-fix-scsi_mode_select-buffer-length-handling.patch +alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch +media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch -- 2.47.3