From: Greg Kroah-Hartman Date: Fri, 21 Oct 2022 14:58:12 +0000 (+0200) Subject: 5.19-stable patches X-Git-Tag: v5.19.17~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76717809e51b8da6f2d4779471b993a56701c69a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.19-stable patches added patches: drm-i915-bios-use-hardcoded-fp_timing-size-for-generating-lfp-data-pointers.patch drm-i915-bios-validate-fp_timing-terminator-presence.patch drm-i915-rename-block_size-block_offset.patch --- diff --git a/queue-5.19/af_unix-fix-memory-leaks-of-the-whole-sk-due-to-oob-.patch b/queue-5.19/af_unix-fix-memory-leaks-of-the-whole-sk-due-to-oob-.patch index fa42dfdb610..131a7c01a75 100644 --- a/queue-5.19/af_unix-fix-memory-leaks-of-the-whole-sk-due-to-oob-.patch +++ b/queue-5.19/af_unix-fix-memory-leaks-of-the-whole-sk-due-to-oob-.patch @@ -62,15 +62,14 @@ Reported-by: syzbot Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman --- - net/unix/af_unix.c | 13 +++++++------ + net/unix/af_unix.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 3453e0053f76..0a93ac784baa 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c -@@ -548,12 +548,6 @@ static void unix_sock_destructor(struct sock *sk) +@@ -548,12 +548,6 @@ static void unix_sock_destructor(struct skb_queue_purge(&sk->sk_receive_queue); @@ -80,10 +79,10 @@ index 3453e0053f76..0a93ac784baa 100644 - u->oob_skb = NULL; - } -#endif - DEBUG_NET_WARN_ON_ONCE(refcount_read(&sk->sk_wmem_alloc)); - DEBUG_NET_WARN_ON_ONCE(!sk_unhashed(sk)); - DEBUG_NET_WARN_ON_ONCE(sk->sk_socket); -@@ -598,6 +592,13 @@ static void unix_release_sock(struct sock *sk, int embrion) + WARN_ON(refcount_read(&sk->sk_wmem_alloc)); + WARN_ON(!sk_unhashed(sk)); + WARN_ON(sk->sk_socket); +@@ -598,6 +592,13 @@ static void unix_release_sock(struct soc unix_state_unlock(sk); @@ -97,6 +96,3 @@ index 3453e0053f76..0a93ac784baa 100644 wake_up_interruptible_all(&u->peer_wait); if (skpair != NULL) { --- -2.35.1 - diff --git a/queue-5.19/drm-i915-bios-use-hardcoded-fp_timing-size-for-generating-lfp-data-pointers.patch b/queue-5.19/drm-i915-bios-use-hardcoded-fp_timing-size-for-generating-lfp-data-pointers.patch new file mode 100644 index 00000000000..2ec4e9b95d2 --- /dev/null +++ b/queue-5.19/drm-i915-bios-use-hardcoded-fp_timing-size-for-generating-lfp-data-pointers.patch @@ -0,0 +1,135 @@ +From d3a7051841f0a4bcb1ee26a1b721c6150cc4c2b1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 18 Aug 2022 22:22:23 +0300 +Subject: drm/i915/bios: Use hardcoded fp_timing size for generating LFP data pointers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit d3a7051841f0a4bcb1ee26a1b721c6150cc4c2b1 upstream. + +The current scheme for generating the LFP data table pointers +(when the block including them is missing from the VBT) expects +the 0xffff sequence to only appear in the fp_timing terminator +entries. However some VBTs also have extra 0xffff sequences +elsewhere in the LFP data. When looking for the terminators +we may end up finding those extra sequeneces insted, which means +we deduce the wrong size for the fp_timing table. The code +then notices the inconsistent looking values and gives up on +the generated data table pointers, preventing us from parsing +the LFP data table entirely. + +Let's give up on the "search for the terminators" approach +and instead just hardcode the expected size for the fp_timing +table. + +We have enough sanity checks in place to make sure we +shouldn't end up parsing total garbage even if that size +should change in the future (although that seems unlikely +as the fp_timing and dvo_timing tables have been declared +obsolete as of VBT version 229). + +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/6592 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220818192223.29881-3-ville.syrjala@linux.intel.com +Reviewed-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/display/intel_bios.c | 46 +++++++++++------------------- + 1 file changed, 18 insertions(+), 28 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_bios.c ++++ b/drivers/gpu/drm/i915/display/intel_bios.c +@@ -336,18 +336,6 @@ static bool fixup_lfp_data_ptrs(const vo + return validate_lfp_data_ptrs(bdb, ptrs); + } + +-static const void *find_fp_timing_terminator(const u8 *data, int size) +-{ +- int i; +- +- for (i = 0; i < size - 1; i++) { +- if (data[i] == 0xff && data[i+1] == 0xff) +- return &data[i]; +- } +- +- return NULL; +-} +- + static int make_lfp_data_ptr(struct lvds_lfp_data_ptr_table *table, + int table_size, int total_size) + { +@@ -371,11 +359,22 @@ static void next_lfp_data_ptr(struct lvd + static void *generate_lfp_data_ptrs(struct drm_i915_private *i915, + const void *bdb) + { +- int i, size, table_size, block_size, offset; +- const void *t0, *t1, *block; ++ int i, size, table_size, block_size, offset, fp_timing_size; + struct bdb_lvds_lfp_data_ptrs *ptrs; ++ const void *block; + void *ptrs_block; + ++ /* ++ * The hardcoded fp_timing_size is only valid for ++ * modernish VBTs. All older VBTs definitely should ++ * include block 41 and thus we don't need to ++ * generate one. ++ */ ++ if (i915->vbt.version < 155) ++ return NULL; ++ ++ fp_timing_size = 38; ++ + block = find_raw_section(bdb, BDB_LVDS_LFP_DATA); + if (!block) + return NULL; +@@ -384,17 +383,8 @@ static void *generate_lfp_data_ptrs(stru + + block_size = get_blocksize(block); + +- size = block_size; +- t0 = find_fp_timing_terminator(block, size); +- if (!t0) +- return NULL; +- +- size -= t0 - block - 2; +- t1 = find_fp_timing_terminator(t0 + 2, size); +- if (!t1) +- return NULL; +- +- size = t1 - t0; ++ size = fp_timing_size + sizeof(struct lvds_dvo_timing) + ++ sizeof(struct lvds_pnp_id); + if (size * 16 > block_size) + return NULL; + +@@ -412,7 +402,7 @@ static void *generate_lfp_data_ptrs(stru + table_size = sizeof(struct lvds_dvo_timing); + size = make_lfp_data_ptr(&ptrs->ptr[0].dvo_timing, table_size, size); + +- table_size = t0 - block + 2; ++ table_size = fp_timing_size; + size = make_lfp_data_ptr(&ptrs->ptr[0].fp_timing, table_size, size); + + if (ptrs->ptr[0].fp_timing.table_size) +@@ -427,14 +417,14 @@ static void *generate_lfp_data_ptrs(stru + return NULL; + } + +- size = t1 - t0; ++ size = fp_timing_size + sizeof(struct lvds_dvo_timing) + ++ sizeof(struct lvds_pnp_id); + for (i = 1; i < 16; i++) { + next_lfp_data_ptr(&ptrs->ptr[i].fp_timing, &ptrs->ptr[i-1].fp_timing, size); + next_lfp_data_ptr(&ptrs->ptr[i].dvo_timing, &ptrs->ptr[i-1].dvo_timing, size); + next_lfp_data_ptr(&ptrs->ptr[i].panel_pnp_id, &ptrs->ptr[i-1].panel_pnp_id, size); + } + +- size = t1 - t0; + table_size = sizeof(struct lvds_lfp_panel_name); + + if (16 * (size + table_size) <= block_size) { diff --git a/queue-5.19/drm-i915-bios-validate-fp_timing-terminator-presence.patch b/queue-5.19/drm-i915-bios-validate-fp_timing-terminator-presence.patch new file mode 100644 index 00000000000..d7eaec4426e --- /dev/null +++ b/queue-5.19/drm-i915-bios-validate-fp_timing-terminator-presence.patch @@ -0,0 +1,122 @@ +From 4e78d6023c15c6acce8fbe42e13027c460395522 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 18 Aug 2022 22:22:22 +0300 +Subject: drm/i915/bios: Validate fp_timing terminator presence +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 4e78d6023c15c6acce8fbe42e13027c460395522 upstream. + +Validate the LFP data block a bit hardwer by making sure the +fp_timing terminators (0xffff) are where we expect them to be. + +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220818192223.29881-2-ville.syrjala@linux.intel.com +Reviewed-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_bios.c | 60 ++++++++++++++++-------------- + 1 file changed, 32 insertions(+), 28 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_bios.c ++++ b/drivers/gpu/drm/i915/display/intel_bios.c +@@ -134,18 +134,6 @@ static u32 raw_block_offset(const void * + return block - bdb; + } + +-/* size of the block excluding the header */ +-static u32 raw_block_size(const void *bdb, enum bdb_block_id section_id) +-{ +- const void *block; +- +- block = find_raw_section(bdb, section_id); +- if (!block) +- return 0; +- +- return get_blocksize(block); +-} +- + struct bdb_block_entry { + struct list_head node; + enum bdb_block_id section_id; +@@ -230,9 +218,14 @@ static bool validate_lfp_data_ptrs(const + { + int fp_timing_size, dvo_timing_size, panel_pnp_id_size, panel_name_size; + int data_block_size, lfp_data_size; ++ const void *data_block; + int i; + +- data_block_size = raw_block_size(bdb, BDB_LVDS_LFP_DATA); ++ data_block = find_raw_section(bdb, BDB_LVDS_LFP_DATA); ++ if (!data_block) ++ return false; ++ ++ data_block_size = get_blocksize(data_block); + if (data_block_size == 0) + return false; + +@@ -260,21 +253,6 @@ static bool validate_lfp_data_ptrs(const + if (16 * lfp_data_size > data_block_size) + return false; + +- /* +- * Except for vlv/chv machines all real VBTs seem to have 6 +- * unaccounted bytes in the fp_timing table. And it doesn't +- * appear to be a really intentional hole as the fp_timing +- * 0xffff terminator is always within those 6 missing bytes. +- */ +- if (fp_timing_size + dvo_timing_size + panel_pnp_id_size != lfp_data_size && +- fp_timing_size + 6 + dvo_timing_size + panel_pnp_id_size != lfp_data_size) +- return false; +- +- if (ptrs->ptr[0].fp_timing.offset + fp_timing_size > ptrs->ptr[0].dvo_timing.offset || +- ptrs->ptr[0].dvo_timing.offset + dvo_timing_size != ptrs->ptr[0].panel_pnp_id.offset || +- ptrs->ptr[0].panel_pnp_id.offset + panel_pnp_id_size != lfp_data_size) +- return false; +- + /* make sure the table entries have uniform size */ + for (i = 1; i < 16; i++) { + if (ptrs->ptr[i].fp_timing.table_size != fp_timing_size || +@@ -288,6 +266,23 @@ static bool validate_lfp_data_ptrs(const + return false; + } + ++ /* ++ * Except for vlv/chv machines all real VBTs seem to have 6 ++ * unaccounted bytes in the fp_timing table. And it doesn't ++ * appear to be a really intentional hole as the fp_timing ++ * 0xffff terminator is always within those 6 missing bytes. ++ */ ++ if (fp_timing_size + 6 + dvo_timing_size + panel_pnp_id_size == lfp_data_size) ++ fp_timing_size += 6; ++ ++ if (fp_timing_size + dvo_timing_size + panel_pnp_id_size != lfp_data_size) ++ return false; ++ ++ if (ptrs->ptr[0].fp_timing.offset + fp_timing_size != ptrs->ptr[0].dvo_timing.offset || ++ ptrs->ptr[0].dvo_timing.offset + dvo_timing_size != ptrs->ptr[0].panel_pnp_id.offset || ++ ptrs->ptr[0].panel_pnp_id.offset + panel_pnp_id_size != lfp_data_size) ++ return false; ++ + /* make sure the tables fit inside the data block */ + for (i = 0; i < 16; i++) { + if (ptrs->ptr[i].fp_timing.offset + fp_timing_size > data_block_size || +@@ -299,6 +294,15 @@ static bool validate_lfp_data_ptrs(const + if (ptrs->panel_name.offset + 16 * panel_name_size > data_block_size) + return false; + ++ /* make sure fp_timing terminators are present at expected locations */ ++ for (i = 0; i < 16; i++) { ++ const u16 *t = data_block + ptrs->ptr[i].fp_timing.offset + ++ fp_timing_size - 2; ++ ++ if (*t != 0xffff) ++ return false; ++ } ++ + return true; + } + diff --git a/queue-5.19/drm-i915-rename-block_size-block_offset.patch b/queue-5.19/drm-i915-rename-block_size-block_offset.patch new file mode 100644 index 00000000000..7db4a553ccd --- /dev/null +++ b/queue-5.19/drm-i915-rename-block_size-block_offset.patch @@ -0,0 +1,68 @@ +From 39b1bc4b5bcccac781267bb826b035fbb99c8b9d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 19 May 2022 17:00:10 +0300 +Subject: drm/i915: Rename block_size()/block_offset() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 39b1bc4b5bcccac781267bb826b035fbb99c8b9d upstream. + +Give block_size()/block_offset() a "raw_" prefix since they +both operate on the "raw" (as in not duplicated) BDB block +contents. + +What actually spurred this was a conflict between intel_bios.c +block_size() vs. block_size() from blkdev.h. That only +happened to me on a custom tree where we somehow manage to +include blkdev.h into intel_bios.c. But I think the rename +makes sense anyway to clarify the purpose of these functions. + +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220519140010.10600-1-ville.syrjala@linux.intel.com +Reviewed-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_bios.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_bios.c ++++ b/drivers/gpu/drm/i915/display/intel_bios.c +@@ -123,7 +123,7 @@ find_raw_section(const void *_bdb, enum + * Offset from the start of BDB to the start of the + * block data (just past the block header). + */ +-static u32 block_offset(const void *bdb, enum bdb_block_id section_id) ++static u32 raw_block_offset(const void *bdb, enum bdb_block_id section_id) + { + const void *block; + +@@ -135,7 +135,7 @@ static u32 block_offset(const void *bdb, + } + + /* size of the block excluding the header */ +-static u32 block_size(const void *bdb, enum bdb_block_id section_id) ++static u32 raw_block_size(const void *bdb, enum bdb_block_id section_id) + { + const void *block; + +@@ -232,7 +232,7 @@ static bool validate_lfp_data_ptrs(const + int data_block_size, lfp_data_size; + int i; + +- data_block_size = block_size(bdb, BDB_LVDS_LFP_DATA); ++ data_block_size = raw_block_size(bdb, BDB_LVDS_LFP_DATA); + if (data_block_size == 0) + return false; + +@@ -309,7 +309,7 @@ static bool fixup_lfp_data_ptrs(const vo + u32 offset; + int i; + +- offset = block_offset(bdb, BDB_LVDS_LFP_DATA); ++ offset = raw_block_offset(bdb, BDB_LVDS_LFP_DATA); + + for (i = 0; i < 16; i++) { + if (ptrs->ptr[i].fp_timing.offset < offset || diff --git a/queue-5.19/series b/queue-5.19/series index 7eb225b08a6..69db64ba957 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -176,7 +176,6 @@ smb3-must-initialize-two-acl-struct-fields-to-zero.patch selinux-use-grep-e-instead-of-egrep.patch ima-fix-blocking-of-security.ima-xattrs-of-unsupport.patch userfaultfd-open-userfaultfds-with-o_rdonly.patch -arm-dts-exynos-add-panel-and-backlight-to-p4note.patch ntfs3-rework-xattr-handlers-and-switch-to-posix-acl-.patch thermal-cpufreq_cooling-check-the-policy-first-in-cp.patch cpufreq-amd-pstate-fix-initial-highest_perf-value.patch @@ -199,7 +198,6 @@ nfsd-protect-against-send-buffer-overflow-in-nfsv2-r.patch nfsd-fix-handling-of-oversized-nfsv4-compound-reques.patch x86-paravirt-add-extra-clobbers-with-zero_call_used_.patch libbpf-initialize-err-in-probe_map_create.patch -wan-fix-syntax-errors-in-comments.patch wifi-rtlwifi-8192de-correct-checking-of-iqk-reload.patch wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch bpf-fix-non-static-bpf_func_proto-struct-definitions.patch @@ -288,7 +286,6 @@ spi-ensure-that-sg_table-won-t-be-used-after-being-f.patch bluetooth-hci_sync-fix-not-indicating-power-state.patch hwmon-pmbus-mp2888-fix-sensors-readouts-for-mps-mult.patch net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch -af_unix-use-debug_net_warn_on_once.patch af_unix-fix-memory-leaks-of-the-whole-sk-due-to-oob-.patch net-prestera-acl-add-check-for-kmemdup.patch eth-lan743x-reject-extts-for-non-pci11x1x-devices.patch @@ -368,7 +365,6 @@ arm64-dts-qcom-sc7180-trogdor-keep-pm6150_adc-enable.patch arm-dts-turris-omnia-fix-mpp26-pin-name-and-comment.patch arm-dts-kirkwood-lsxl-fix-serial-line.patch arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch -arm64-dts-qcom-sdm660-add-initial-inforce-ifc6560-bo.patch ia64-export-memory_add_physaddr_to_nid-to-fix-cxl-bu.patch arm64-dts-qcom-sm8350-sagami-correct-ts-pin-property.patch soc-tegra-fuse-drop-kconfig-dependency-on-tegra20_ap.patch @@ -768,3 +764,6 @@ kconfig.debug-add-toolchain-checks-for-debug_info_dwarf_toolchain_default.patch lib-kconfig.debug-add-check-for-non-constant-.-s-u-leb128-support-to-dwarf5.patch hid-uclogic-add-missing-suffix-for-digitalizers.patch ext4-continue-to-expand-file-system-when-the-target-size-doesn-t-reach.patch +drm-i915-rename-block_size-block_offset.patch +drm-i915-bios-validate-fp_timing-terminator-presence.patch +drm-i915-bios-use-hardcoded-fp_timing-size-for-generating-lfp-data-pointers.patch