From: Sasha Levin Date: Mon, 1 Jan 2024 18:11:07 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v5.10.206~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7d6e1461a5bafa8539f2b53176c7bd1cf5e6875;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/bus-ti-sysc-flush-posted-write-only-after-srst_udela.patch b/queue-5.4/bus-ti-sysc-flush-posted-write-only-after-srst_udela.patch new file mode 100644 index 00000000000..9e26c90583c --- /dev/null +++ b/queue-5.4/bus-ti-sysc-flush-posted-write-only-after-srst_udela.patch 
@@ -0,0 +1,64 @@ +From 9c89b352c8be3ef15f6564fa22c8091ff6564708 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Nov 2023 10:50:56 +0200 +Subject: bus: ti-sysc: Flush posted write only after srst_udelay + +From: Tony Lindgren + +[ Upstream commit f71f6ff8c1f682a1cae4e8d7bdeed9d7f76b8f75 ] + +Commit 34539b442b3b ("bus: ti-sysc: Flush posted write on enable before +reset") caused a regression reproducable on omap4 duovero where the ISS +target module can produce interconnect errors on boot. Turns out the +registers are not accessible until after a delay for devices needing +a ti,sysc-delay-us value. + +Let's fix this by flushing the posted write only after the reset delay. +We do flushing also for ti,sysc-delay-us using devices as that should +trigger an interconnect error if the delay is not properly configured. + +Let's also add some comments while at it. + +Fixes: 34539b442b3b ("bus: ti-sysc: Flush posted write on enable before reset") +Cc: stable@vger.kernel.org +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index 8d82752c54d40..8ad389ebd77a9 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -1837,13 +1837,23 @@ static int sysc_reset(struct sysc *ddata) + sysc_val = sysc_read_sysconfig(ddata); + sysc_val |= sysc_mask; + sysc_write(ddata, sysc_offset, sysc_val); +- /* Flush posted write */ ++ ++ /* ++ * Some devices need a delay before reading registers ++ * after reset. Presumably a srst_udelay is not needed ++ * for devices that use a rstctrl register reset. ++ */ ++ if (ddata->cfg.srst_udelay) ++ fsleep(ddata->cfg.srst_udelay); ++ ++ /* ++ * Flush posted write. For devices needing srst_udelay ++ * this should trigger an interconnect error if the ++ * srst_udelay value is needed but not configured. 
++ */ + sysc_val = sysc_read_sysconfig(ddata); + } + +- if (ddata->cfg.srst_udelay) +- fsleep(ddata->cfg.srst_udelay); +- + if (ddata->post_reset_quirk) + ddata->post_reset_quirk(ddata); + +-- +2.43.0 + diff --git a/queue-5.4/bus-ti-sysc-use-fsleep-instead-of-usleep_range-in-sy.patch b/queue-5.4/bus-ti-sysc-use-fsleep-instead-of-usleep_range-in-sy.patch new file mode 100644 index 00000000000..c909dc9f436 --- /dev/null +++ b/queue-5.4/bus-ti-sysc-use-fsleep-instead-of-usleep_range-in-sy.patch 
@@ -0,0 +1,50 @@ +From 0c277cf05ad4849a9e162f58788607f0787f24d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Aug 2023 16:24:18 +0200 +Subject: bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset() + +From: Julien Panis + +[ Upstream commit d929b2b7464f95ec01e47f560b1e687482ba8929 ] + +The am335x-evm started producing boot errors because of subtle timing +changes: + +Unhandled fault: external abort on non-linefetch (0x1008) at 0xf03c1010 +... +sysc_reset from sysc_probe+0xf60/0x1514 +sysc_probe from platform_probe+0x5c/0xbc +... + +The fix consists in using the appropriate sleep function in sysc reset. +For flexible sleeping, fsleep is recommended. Here, sysc delay parameter +can take any value in [0 - 255] us range. As a result, fsleep() should +be used, calling udelay() for a sysc delay lower than 10 us. + +Signed-off-by: Julien Panis +Fixes: e709ed70d122 ("bus: ti-sysc: Fix missing reset delay handling") +Message-ID: <20230821-fix-ti-sysc-reset-v1-1-5a0a5d8fae55@baylibre.com> +Signed-off-by: Tony Lindgren +Stable-dep-of: f71f6ff8c1f6 ("bus: ti-sysc: Flush posted write only after srst_udelay") +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index 70339f73181ea..8d82752c54d40 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -1842,8 +1842,7 @@ static int sysc_reset(struct sysc *ddata) + } + + if (ddata->cfg.srst_udelay) +- usleep_range(ddata->cfg.srst_udelay, +- ddata->cfg.srst_udelay * 2); ++ fsleep(ddata->cfg.srst_udelay); + + if (ddata->post_reset_quirk) + ddata->post_reset_quirk(ddata); +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 9b4db0b70c2..5a091c30cb3 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -39,3 +39,7 @@ bluetooth-hci_event-fix-not-checking-if-hci_op_inquiry-has-been-sent.patch net-9p-avoid-freeing-uninit-memory-in-p9pdu_vreadf.patch net-rfkill-gpio-set-gpio-direction.patch x86-alternatives-sync-core-before-enabling-interrupts.patch +usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch +smb-client-fix-oob-in-smbcalcsize.patch +bus-ti-sysc-use-fsleep-instead-of-usleep_range-in-sy.patch +bus-ti-sysc-flush-posted-write-only-after-srst_udela.patch diff --git a/queue-5.4/smb-client-fix-oob-in-smbcalcsize.patch b/queue-5.4/smb-client-fix-oob-in-smbcalcsize.patch new file mode 100644 index 00000000000..8e848116cc2 --- /dev/null +++ b/queue-5.4/smb-client-fix-oob-in-smbcalcsize.patch 
@@ -0,0 +1,84 @@ +From 7938b789adf6c873e108db84afe0e85f1bb5466f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 19:59:14 -0300 +Subject: smb: client: fix OOB in smbCalcSize() + +From: Paulo Alcantara + +[ Upstream commit b35858b3786ddbb56e1c35138ba25d6adf8d0bef ] + +Validate @smb->WordCount to avoid reading off the end of @smb and thus +causing the following KASAN splat: + + BUG: KASAN: slab-out-of-bounds in smbCalcSize+0x32/0x40 [cifs] + Read of size 2 at addr ffff88801c024ec5 by task cifsd/1328 + + CPU: 1 PID: 1328 Comm: cifsd Not tainted 6.7.0-rc5 #9 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS + rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 + Call Trace: + + dump_stack_lvl+0x4a/0x80 + print_report+0xcf/0x650 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __phys_addr+0x46/0x90 + kasan_report+0xd8/0x110 + ? smbCalcSize+0x32/0x40 [cifs] + ? smbCalcSize+0x32/0x40 [cifs] + kasan_check_range+0x105/0x1b0 + smbCalcSize+0x32/0x40 [cifs] + checkSMB+0x162/0x370 [cifs] + ? __pfx_checkSMB+0x10/0x10 [cifs] + cifs_handle_standard+0xbc/0x2f0 [cifs] + ? srso_alias_return_thunk+0x5/0xfbef5 + cifs_demultiplex_thread+0xed1/0x1360 [cifs] + ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] + ? srso_alias_return_thunk+0x5/0xfbef5 + ? lockdep_hardirqs_on_prepare+0x136/0x210 + ? __pfx_lock_release+0x10/0x10 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? mark_held_locks+0x1a/0x90 + ? lockdep_hardirqs_on_prepare+0x136/0x210 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __kthread_parkme+0xce/0xf0 + ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] + kthread+0x18d/0x1d0 + ? kthread+0xdb/0x1d0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x34/0x60 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1b/0x30 + + +This fixes CVE-2023-6606. 
+ +Reported-by: j51569436@gmail.com +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218218 +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/misc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c +index f41891379de91..db1fcdedf289a 100644 +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -349,6 +349,10 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server) + cifs_dbg(VFS, "Length less than smb header size\n"); + } + return -EIO; ++ } else if (total_read < sizeof(*smb) + 2 * smb->WordCount) { ++ cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n", ++ __func__, smb->WordCount); ++ return -EIO; + } + + /* otherwise, there is enough to get to the BCC */ +-- +2.43.0 + diff --git a/queue-5.4/usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch b/queue-5.4/usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch new file mode 100644 index 00000000000..27c11e77cb8 --- /dev/null +++ b/queue-5.4/usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch 
@@ -0,0 +1,63 @@ +From 853a1252e9cede0032281d3b77d4886769e7a3ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 16:22:43 +0300 +Subject: usb: fotg210-hcd: delete an incorrect bounds test + +From: Dan Carpenter + +[ Upstream commit 7fbcd195e2b8cc952e4aeaeb50867b798040314c ] + +Here "temp" is the number of characters that we have written and "size" +is the size of the buffer. The intent was clearly to say that if we have +written to the end of the buffer then stop. + +However, for that to work the comparison should have been done on the +original "size" value instead of the "size -= temp" value. Not only +will that not trigger when we want to, but there is a small chance that +it will trigger incorrectly before we want it to and we break from the +loop slightly earlier than intended. + +This code was recently changed from using snprintf() to scnprintf(). With +snprintf() we likely would have continued looping and passed a negative +size parameter to snprintf(). This would have triggered an annoying +WARN(). Now that we have converted to scnprintf() "size" will never +drop below 1 and there is no real need for this test. We could change +the condition to "if (temp <= 1) goto done;" but just deleting the test +is cleanest. 
+ +Fixes: 7d50195f6c50 ("usb: host: Faraday fotg210-hcd driver") +Cc: stable +Signed-off-by: Dan Carpenter +Reviewed-by: Linus Walleij +Reviewed-by: Lee Jones +Link: https://lore.kernel.org/r/ZXmwIwHe35wGfgzu@suswa +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/fotg210-hcd.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c +index f457e083a6f89..c0f727e793072 100644 +--- a/drivers/usb/host/fotg210-hcd.c ++++ b/drivers/usb/host/fotg210-hcd.c +@@ -428,8 +428,6 @@ static void qh_lines(struct fotg210_hcd *fotg210, struct fotg210_qh *qh, + temp = size; + size -= temp; + next += temp; +- if (temp == size) +- goto done; + } + + temp = snprintf(next, size, "\n"); +@@ -439,7 +437,6 @@ static void qh_lines(struct fotg210_hcd *fotg210, struct fotg210_qh *qh, + size -= temp; + next += temp; + +-done: + *sizep = size; + *nextp = next; + } +-- +2.43.0 +
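Review bot: in the sysc_reset() hunk of bus-ti-sysc-flush-posted-write-only-after-srst_udela.patch, moving `if (ddata->cfg.srst_udelay) fsleep(ddata->cfg.srst_udelay);` above the closing `}` means the delay no longer runs on any path that skips that block, and the new comment justifies this only with "Presumably a srst_udelay is not needed for devices that use a rstctrl register reset". Before this lands in 5.4, either confirm that no device taking the other path sets a ti,sysc-delay-us value, or keep the delay unconditional and move only the readback after it. The second new comment makes the `sysc_read_sysconfig()` readback a deliberate fault trigger for a missing delay; naming the ti,sysc-delay-us property in that comment would make the resulting boot abort easier to trace back to its cause.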
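Review bot: in the sysc_reset() hunk of bus-ti-sysc-use-fsleep-instead-of-usleep_range-in-sy.patch, the added line `fsleep(ddata->cfg.srst_udelay);` depends on a helper that nothing in this queue update provides: the queue-5.4/series hunk adds only the four patches listed. Please confirm the 5.4 tree already defines fsleep() before queuing, since both ti-sysc patches call it and neither builds without it. If it is absent, queue the helper ahead of these two entries in series, or adapt this backport to choose between udelay() and usleep_range() itself for the [0 - 255] us range the commit message describes.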
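Review bot: in the checkSMB() hunk of smb-client-fix-oob-in-smbcalcsize.patch, the new bound `total_read < sizeof(*smb) + 2 * smb->WordCount` covers the parameter words but not the two-byte BCC field that follows them, while the debug string says "can't read BCC" and the KASAN report in the commit message is a "Read of size 2". When total_read equals exactly the header plus the words, the check passes and the BCC read lands past the bytes actually received. Please confirm whether the comparison should also account for the BCC (an extra `+ 2`), or extend the context comment "there is enough to get to the BCC" to say why bounding the words alone is sufficient.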
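Review bot: in the qh_lines() hunks of usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch, the commit message justifies deleting `if (temp == size) goto done;` by the earlier conversion to scnprintf(), yet the unchanged context line in this 5.4 backport still reads `temp = snprintf(next, size, "\n");`. That suggests the conversion is not in this tree, so the "size will never drop below 1" argument does not carry over as written. The visible clamp `temp = size; size -= temp;` does stop size at 0, so the deletion may still be safe, but please verify the loop against the 5.4 source, where it now keeps iterating with a zero-sized buffer instead of leaving early, and add a backport note to the commit message saying which reasoning applies to 5.4.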