From b8697896c00bbad673ee481043acec245db280f1 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 12 Dec 2024 13:17:15 +0100
Subject: [PATCH] 5.4-stable patches

added patches:
 alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
 drm-amd-display-don-t-refer-to-dc_sink-in-is_dsc_need_re_compute.patch
 modpost-add-.irqentry.text-to-other_sections.patch
 pci-rockchip-ep-fix-address-translation-unit-programming.patch
 revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch
---
 ...nds-reads-when-finding-clock-sources.patch | 114 ++++++++++++++++++
 ...to-dc_sink-in-is_dsc_need_re_compute.patch | 59 +++++++++
 ...add-.irqentry.text-to-other_sections.patch | 43 +++++++
 ...address-translation-unit-programming.patch | 101 ++++++++++++++++
 ...check-in-amdgpu_debugfs_gprwave_read.patch | 34 ++++++
 queue-5.4/series | 5 +
 6 files changed, 356 insertions(+)
 create mode 100644 queue-5.4/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
 create mode 100644 queue-5.4/drm-amd-display-don-t-refer-to-dc_sink-in-is_dsc_need_re_compute.patch
 create mode 100644 queue-5.4/modpost-add-.irqentry.text-to-other_sections.patch
 create mode 100644 queue-5.4/pci-rockchip-ep-fix-address-translation-unit-programming.patch
 create mode 100644 queue-5.4/revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch
diff --git a/queue-5.4/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch b/queue-5.4/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
new file mode 100644
index 00000000000..7ff65f255fc
--- /dev/null
+++ b/queue-5.4/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
@@ -0,0 +1,114 @@
+From a3dd4d63eeb452cfb064a13862fb376ab108f6a6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 25 Nov 2024 15:46:16 +0100
+Subject: ALSA: usb-audio: Fix out of bounds reads when finding clock sources
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai
+
+commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6 upstream.
+
+The current USB-audio driver code doesn't check bLength of each
+descriptor at traversing for clock descriptors. That is, when a
+device provides a bogus descriptor with a shorter bLength, the driver
+might hit out-of-bounds reads.
+
+For addressing it, this patch adds sanity checks to the validator
+functions for the clock descriptor traversal. When the descriptor
+length is shorter than expected, it's skipped in the loop.
+
+For the clock source and clock multiplier descriptors, we can just
+check bLength against the sizeof() of each descriptor type.
+OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
+of bNrInPins elements and two more fields at its tail, hence those
+have to be checked in addition to the sizeof() check.
+
+Reported-by: Benoît Sevens
+Cc:
+Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com
+Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Benoît Sevens
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/clock.c | 32 ++++++++++++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -21,6 +21,10 @@
+ #include "clock.h"
+ #include "quirks.h"
+
++/* check whether the descriptor bLength has the minimal length */
++#define DESC_LENGTH_CHECK(p) \
++ (p->bLength >= sizeof(*p))
++
+ static void *find_uac_clock_desc(struct usb_host_interface *iface, int id,
+ bool (*validator)(void *, int), u8 type)
+ {
+@@ -38,36 +42,60 @@ static void *find_uac_clock_desc(struct
+ static bool validate_clock_source_v2(void *p, int id)
+ {
+ struct uac_clock_source_descriptor *cs = p;
++ if (!DESC_LENGTH_CHECK(cs))
++ return false;
+ return cs->bClockID == id;
+ }
+
+ static bool validate_clock_source_v3(void *p, int id)
+ {
+ struct uac3_clock_source_descriptor *cs = p;
++ if (!DESC_LENGTH_CHECK(cs))
++ return false;
+ return cs->bClockID == id;
+ }
+
+ static bool validate_clock_selector_v2(void *p, int id)
+ {
+ struct uac_clock_selector_descriptor *cs = p;
+- return cs->bClockID == id;
++ if (!DESC_LENGTH_CHECK(cs))
++ return false;
++ if (cs->bClockID != id)
++ return false;
++ /* additional length check for baCSourceID array (in bNrInPins size)
++ * and two more fields (which sizes depend on the protocol)
++ */
++ return cs->bLength >= sizeof(*cs) + cs->bNrInPins +
++ 1 /* bmControls */ + 1 /* iClockSelector */;
+ }
+
+ static bool validate_clock_selector_v3(void *p, int id)
+ {
+ struct uac3_clock_selector_descriptor *cs = p;
+- return cs->bClockID == id;
++ if (!DESC_LENGTH_CHECK(cs))
++ return false;
++ if (cs->bClockID != id)
++ return false;
++ /* additional length check for baCSourceID array (in bNrInPins size)
++ * and two more fields (which sizes depend on the protocol)
++ */
++ return cs->bLength >= sizeof(*cs) + cs->bNrInPins +
++ 4 /* bmControls */ + 2 /* wCSelectorDescrStr */;
+ }
+
+ static bool validate_clock_multiplier_v2(void *p, int id)
+ {
+ struct uac_clock_multiplier_descriptor *cs = p;
++ if (!DESC_LENGTH_CHECK(cs))
++ return false;
+ return cs->bClockID == id;
+ }
+
+ static bool validate_clock_multiplier_v3(void *p, int id)
+ {
+ struct uac3_clock_multiplier_descriptor *cs = p;
++ if (!DESC_LENGTH_CHECK(cs))
++ return false;
+ return cs->bClockID == id;
+ }
+
diff --git a/queue-5.4/drm-amd-display-don-t-refer-to-dc_sink-in-is_dsc_need_re_compute.patch b/queue-5.4/drm-amd-display-don-t-refer-to-dc_sink-in-is_dsc_need_re_compute.patch
new file mode 100644
index 00000000000..8c57e5d0fe6
--- /dev/null
+++ b/queue-5.4/drm-amd-display-don-t-refer-to-dc_sink-in-is_dsc_need_re_compute.patch
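Review bot: In the sound/usb/clock.c patch, `DESC_LENGTH_CHECK(p)` expands its argument unparenthesized, so it is only safe for a plain identifier as in the six validators; `((p)->bLength >= sizeof(*(p)))` is the hygienic form. The validators compare bLength only with the expected structure size, and no visible line compares it with the bytes remaining in the interface's extra-descriptor buffer; that bound has to come from the descriptor walk in find_uac_clock_desc(), whose body is outside the hunk, and is worth confirming on the 5.4 base. In the two selector validators the tail sizes (1 + 1 for UAC2, 4 + 2 for UAC3) are bare literals, and a descriptor with a matching bClockID but a short bLength is skipped without any log, which makes a malformed device hard to diagnose from the field.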
@@ -0,0 +1,59 @@
+From jianqi.ren.cn@windriver.com Thu Dec 12 13:11:21 2024
+From:
+Date: Wed, 11 Dec 2024 18:15:44 +0800
+Subject: [PATCH 6.1.y] drm/amd/display: Don't refer to dc_sink in is_dsc_need_re_compute
+To: ,
+Cc: , , , , , , , , , , , , , , ,
+Message-ID: <20241211101544.2121147-1-jianqi.ren.cn@windriver.com>
+
+
+From: Wayne Lin
+
+[ Upstream commit fcf6a49d79923a234844b8efe830a61f3f0584e4 ]
+
+[Why]
+When unplug one of monitors connected after mst hub, encounter null pointer dereference.
+
+It's due to dc_sink get released immediately in early_unregister() or detect_ctx(). When
+commit new state which directly referring to info stored in dc_sink will cause null pointer
+dereference.
+
+[how]
+Remove redundant checking condition. Relevant condition should already be covered by checking
+if dsc_aux is null or not. Also reset dsc_aux to NULL when the connector is disconnected.
+
+Reviewed-by: Jerry Zuo
+Acked-by: Zaeem Mohamed
+Signed-off-by: Wayne Lin
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Jianqi Ren
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+index 1acef5f3838f..a1619f4569cf 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -183,6 +183,8 @@ amdgpu_dm_mst_connector_early_unregister(struct drm_connector *connector)
+ dc_sink_release(dc_sink);
+ aconnector->dc_sink = NULL;
+ aconnector->edid = NULL;
++ aconnector->dsc_aux = NULL;
++ port->passthrough_aux = NULL;
+ }
+
+ aconnector->mst_status = MST_STATUS_DEFAULT;
+@@ -487,6 +489,8 @@ dm_dp_mst_detect(struct drm_connector *connector,
+ dc_sink_release(aconnector->dc_sink);
+ aconnector->dc_sink = NULL;
+ aconnector->edid = NULL;
++ aconnector->dsc_aux = NULL;
++ port->passthrough_aux = NULL;
+
+ amdgpu_dm_set_mst_status(&aconnector->mst_status,
+ MST_REMOTE_EDID | MST_ALLOCATE_NEW_PAYLOAD | MST_CLEAR_ALLOCATED_PAYLOAD,
+--
+2.25.1
+
diff --git a/queue-5.4/modpost-add-.irqentry.text-to-other_sections.patch b/queue-5.4/modpost-add-.irqentry.text-to-other_sections.patch
new file mode 100644
index 00000000000..713dc6bf719
--- /dev/null
+++ b/queue-5.4/modpost-add-.irqentry.text-to-other_sections.patch
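Review bot: The description of the amdgpu_dm_mst_types.c patch says the fix removes a redundant dc_sink check in is_dsc_need_re_compute(), but the patch carries only four insertions that reset `aconnector->dsc_aux` and `port->passthrough_aux`, so the dereference named in the subject is not visibly touched here. The subject is tagged `[PATCH 6.1.y]` and the hunk offsets (183, 487) come from that base, while the file is queued for 5.4; whether `port` is in scope at both sites and whether the 5.4 `struct drm_dp_mst_port` has a `passthrough_aux` member cannot be told from the hunks, whose functions start and end outside them. A build of the 5.4 tree with this patch applied, plus a changelog line stating how the backport differs from upstream commit fcf6a49d79923a234844b8efe830a61f3f0584e4, would settle both points.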
@@ -0,0 +1,43 @@
+From 7912405643a14b527cd4a4f33c1d4392da900888 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Sun, 1 Dec 2024 12:17:30 +0100
+Subject: modpost: Add .irqentry.text to OTHER_SECTIONS
+
+From: Thomas Gleixner
+
+commit 7912405643a14b527cd4a4f33c1d4392da900888 upstream.
+
+The compiler can fully inline the actual handler function of an interrupt
+entry into the .irqentry.text entry point. If such a function contains an
+access which has an exception table entry, modpost complains about a
+section mismatch:
+
+ WARNING: vmlinux.o(__ex_table+0x447c): Section mismatch in reference ...
+
+ The relocation at __ex_table+0x447c references section ".irqentry.text"
+ which is not in the list of authorized sections.
+
+Add .irqentry.text to OTHER_SECTIONS to cure the issue.
+
+Reported-by: Sergey Senozhatsky
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org # needed for linux-5.4-y
+Link: https://lore.kernel.org/all/20241128111844.GE10431@google.com/
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sergey Senozhatsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/mod/modpost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -963,7 +963,7 @@ static void check_section(const char *mo
+ ".kprobes.text", ".cpuidle.text", ".noinstr.text"
+ #define OTHER_TEXT_SECTIONS ".ref.text", ".head.text", ".spinlock.text", \
+ ".fixup", ".entry.text", ".exception.text", ".text.*", \
+- ".coldtext"
++ ".coldtext", ".irqentry.text"
+
+ #define INIT_SECTIONS ".init.*"
+ #define MEM_INIT_SECTIONS ".meminit.*"
diff --git a/queue-5.4/pci-rockchip-ep-fix-address-translation-unit-programming.patch b/queue-5.4/pci-rockchip-ep-fix-address-translation-unit-programming.patch
new file mode 100644
index 00000000000..57f1d18e9bd
--- /dev/null
+++ b/queue-5.4/pci-rockchip-ep-fix-address-translation-unit-programming.patch
@@ -0,0 +1,101 @@
+From 64f093c4d99d797b68b407a9d8767aadc3e3ea7a Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Thu, 17 Oct 2024 10:58:36 +0900
+Subject: PCI: rockchip-ep: Fix address translation unit programming
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Damien Le Moal
+
+commit 64f093c4d99d797b68b407a9d8767aadc3e3ea7a upstream.
+
+The Rockchip PCIe endpoint controller handles PCIe transfers addresses
+by masking the lower bits of the programmed PCI address and using the
+same number of lower bits masked from the CPU address space used for the
+mapping. For a PCI mapping of bytes starting from ,
+the number of bits masked is the number of address bits changing in the
+address range [pci_addr..pci_addr + size - 1].
+
+However, rockchip_pcie_prog_ep_ob_atu() calculates num_pass_bits only
+using the size of the mapping, resulting in an incorrect number of mask
+bits depending on the value of the PCI address to map.
+
+Fix this by introducing the helper function
+rockchip_pcie_ep_ob_atu_num_bits() to correctly calculate the number of
+mask bits to use to program the address translation unit. The number of
+mask bits is calculated depending on both the PCI address and size of
+the mapping, and clamped between 8 and 20 using the macros
+ROCKCHIP_PCIE_AT_MIN_NUM_BITS and ROCKCHIP_PCIE_AT_MAX_NUM_BITS. As
+defined in the Rockchip RK3399 TRM V1.3 Part2, Sections 17.5.5.1.1 and
+17.6.8.2.1, this clamping is necessary because:
+
+ 1) The lower 8 bits of the PCI address to be mapped by the outbound
+ region are ignored. So a minimum of 8 address bits are needed and
+ imply that the PCI address must be aligned to 256.
+
+ 2) The outbound memory regions are 1MB in size. So while we can specify
+ up to 63-bits for the PCI address (num_bits filed uses bits 0 to 5 of
+ the outbound address region 0 register), we must limit the number of
+ valid address bits to 20 to match the memory window maximum size (1
+ << 20 = 1MB).
+
+Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
+Link: https://lore.kernel.org/r/20241017015849.190271-2-dlemoal@kernel.org
+Signed-off-by: Damien Le Moal
+Signed-off-by: Krzysztof Wilczyński
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/controller/pcie-rockchip-ep.c | 18 +++++++++++++-----
+ drivers/pci/controller/pcie-rockchip.h | 4 ++++
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/controller/pcie-rockchip-ep.c
++++ b/drivers/pci/controller/pcie-rockchip-ep.c
+@@ -66,18 +66,26 @@ static void rockchip_pcie_clear_ep_ob_at
+ ROCKCHIP_PCIE_AT_OB_REGION_CPU_ADDR1(region));
+ }
+
++static int rockchip_pcie_ep_ob_atu_num_bits(struct rockchip_pcie *rockchip,
++ u64 pci_addr, size_t size)
++{
++ int num_pass_bits = fls64(pci_addr ^ (pci_addr + size - 1));
++
++ return clamp(num_pass_bits,
++ ROCKCHIP_PCIE_AT_MIN_NUM_BITS,
++ ROCKCHIP_PCIE_AT_MAX_NUM_BITS);
++}
++
+ static void rockchip_pcie_prog_ep_ob_atu(struct rockchip_pcie *rockchip, u8 fn,
+ u32 r, u32 type, u64 cpu_addr,
+ u64 pci_addr, size_t size)
+ {
+- u64 sz = 1ULL << fls64(size - 1);
+- int num_pass_bits = ilog2(sz);
++ int num_pass_bits;
+ u32 addr0, addr1, desc0, desc1;
+ bool is_nor_msg = (type == AXI_WRAPPER_NOR_MSG);
+
+- /* The minimal region size is 1MB */
+- if (num_pass_bits < 8)
+- num_pass_bits = 8;
++ num_pass_bits = rockchip_pcie_ep_ob_atu_num_bits(rockchip,
++ pci_addr, size);
+
+ cpu_addr -= rockchip->mem_res->start;
+ addr0 = ((is_nor_msg ? 0x10 : (num_pass_bits - 1)) &
+--- a/drivers/pci/controller/pcie-rockchip.h
++++ b/drivers/pci/controller/pcie-rockchip.h
+@@ -241,6 +241,10 @@
+ #define ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP BIT(24)
+ #define ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR 0x1
+ #define ROCKCHIP_PCIE_EP_FUNC_BASE(fn) (((fn) << 12) & GENMASK(19, 12))
++
++#define ROCKCHIP_PCIE_AT_MIN_NUM_BITS 8
++#define ROCKCHIP_PCIE_AT_MAX_NUM_BITS 20
++
+ #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR0(fn, bar) \
+ (PCIE_RC_RP_ATS_BASE + 0x0840 + (fn) * 0x0040 + (bar) * 0x0008)
+ #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR1(fn, bar) \
diff --git a/queue-5.4/revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch b/queue-5.4/revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch
new file mode 100644
index 00000000000..00f71e20c49
--- /dev/null
+++ b/queue-5.4/revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch
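Review bot: In the pcie-rockchip-ep.c patch, rockchip_pcie_ep_ob_atu_num_bits() clamps silently, so a request whose range [pci_addr, pci_addr + size - 1] does not fit inside one 1MB-aligned window is programmed with 20 pass bits instead of being rejected, and the void caller rockchip_pcie_prog_ep_ob_atu() has no way to report it. `size == 0` and a wrapping `pci_addr + size - 1` also reach fls64() unchecked; the clamp bounds the result, but the programmed window is then not the one that was asked for. If the callers, which are outside the hunk, do not already guarantee these conditions, `WARN_ON_ONCE(!size || num_pass_bits > ROCKCHIP_PCIE_AT_MAX_NUM_BITS);` before the clamp would make a violation visible. The removed comment is not replaced, so a short comment on the helper stating the 8 to 20 bit limits and the 256-byte alignment they imply would help, and the `rockchip` parameter is unused in the helper.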
@@ -0,0 +1,34 @@
+From zhangzekun11@huawei.com Thu Dec 12 12:44:35 2024
+From: Zhang Zekun
+Date: Wed, 4 Dec 2024 16:25:25 +0800
+Subject: Revert "drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()"
+To:
+Cc: , , , , ,
+Message-ID: <20241204082525.2140-1-zhangzekun11@huawei.com>
+
+From: Zhang Zekun
+
+This reverts commit 7ccd781794d247589104a791caab491e21218fba.
+
+The origin mainline patch fix a buffer overflow issue in
+amdgpu_debugfs_gprwave_read(), but it has not been introduced in kernel
+6.1 and older kernels. This patch add a check in a wrong function in the
+same file.
+
+Signed-off-by: Zhang Zekun
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+@@ -395,7 +395,7 @@ static ssize_t amdgpu_debugfs_regs_smc_r
+ if (!adev->smc_rreg)
+ return -EOPNOTSUPP;
+
+- if (size > 4096 || size & 0x3 || *pos & 0x3)
++ if (size & 0x3 || *pos & 0x3)
+ return -EINVAL;
+
+ while (size) {
diff --git a/queue-5.4/series b/queue-5.4/series
index c71400f6b00..bb42207f2c3 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -315,3 +315,8 @@ kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch
 jffs2-prevent-rtime-decompress-memory-corruption.patch
 jffs2-fix-rtime-decompressor.patch
 ocfs2-revert-ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch
+modpost-add-.irqentry.text-to-other_sections.patch
+revert-drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch
+pci-rockchip-ep-fix-address-translation-unit-programming.patch
+alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
+drm-amd-display-don-t-refer-to-dc_sink-in-is_dsc_need_re_compute.patch
--
2.47.3
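Review bot: In the amdgpu_debugfs.c revert, dropping `size > 4096` from amdgpu_debugfs_regs_smc_read() leaves the read length limited only by the alignment test, and the changelog explains why the check was misplaced but not why this function is safe without it. The `while (size)` loop body is outside the hunk, so whether each iteration copies one fixed-size word to user space, which would make an upper bound unnecessary, cannot be confirmed from here. The changelog should also say whether amdgpu_debugfs_gprwave_read() in 5.4 contains the unchecked copy that the mainline fix addressed, because "it has not been introduced" is ambiguous about which code is absent. Once verified against the 5.4 source, a sentence such as `amdgpu_debugfs_regs_smc_read() transfers one 32-bit register per iteration and needs no upper bound on size.` would close the gap.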