--- /dev/null
+From 9a3351e70bbef3a1e5dc4ca0fd8dfb309736642b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jan 2025 16:21:00 +0000
+Subject: afs: Fix the maximum cell name length
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 8fd56ad6e7c90ac2bddb0741c6b248c8c5d56ac8 ]
+
+The kafs filesystem limits the maximum length of a cell to 256 bytes, but a
+problem occurs if someone actually does that: kafs tries to create a
+directory under /proc/net/afs/ with the name of the cell, but that fails
+with a warning:
+
+ WARNING: CPU: 0 PID: 9 at fs/proc/generic.c:405
+
+because procfs limits the maximum filename length to 255.
+
+However, the DNS limits the maximum lookup length and, by extension, the
+maximum cell name, to 255 less two (length count and trailing NUL).
+
+Fix this by limiting the maximum acceptable cellname length to 253. This
+also allows us to be sure we can create the "/afs/.<cell>/" mountpoint too.
+
+Further, split the YFS VL record cell name maximum to be the 256 allowed by
+the protocol and ignore the record retrieved by YFSVL.GetCellName if it
+exceeds 253.
+
+Fixes: c3e9f888263b ("afs: Implement client support for the YFSVL.GetCellName RPC op")
+Reported-by: syzbot+7848fee1f1e5c53f912b@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/6776d25d.050a0220.3a8527.0048.GAE@google.com/
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/r/376236.1736180460@warthog.procyon.org.uk
+Tested-by: syzbot+7848fee1f1e5c53f912b@syzkaller.appspotmail.com
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/afs.h | 2 +-
+ fs/afs/afs_vl.h | 1 +
+ fs/afs/vl_alias.c | 8 ++++++--
+ fs/afs/vlclient.c | 2 +-
+ 4 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/fs/afs/afs.h b/fs/afs/afs.h
+index 432cb4b23961..3ea5f3e3c922 100644
+--- a/fs/afs/afs.h
++++ b/fs/afs/afs.h
+@@ -10,7 +10,7 @@
+
+ #include <linux/in.h>
+
+-#define AFS_MAXCELLNAME 256 /* Maximum length of a cell name */
++#define AFS_MAXCELLNAME 253 /* Maximum length of a cell name (DNS limited) */
+ #define AFS_MAXVOLNAME 64 /* Maximum length of a volume name */
+ #define AFS_MAXNSERVERS 8 /* Maximum servers in a basic volume record */
+ #define AFS_NMAXNSERVERS 13 /* Maximum servers in a N/U-class volume record */
+diff --git a/fs/afs/afs_vl.h b/fs/afs/afs_vl.h
+index 9c65ffb8a523..8da0899fbc08 100644
+--- a/fs/afs/afs_vl.h
++++ b/fs/afs/afs_vl.h
+@@ -13,6 +13,7 @@
+ #define AFS_VL_PORT 7003 /* volume location service port */
+ #define VL_SERVICE 52 /* RxRPC service ID for the Volume Location service */
+ #define YFS_VL_SERVICE 2503 /* Service ID for AuriStor upgraded VL service */
++#define YFS_VL_MAXCELLNAME 256 /* Maximum length of a cell name in YFS protocol */
+
+ enum AFSVL_Operations {
+ VLGETENTRYBYID = 503, /* AFS Get VLDB entry by ID */
+diff --git a/fs/afs/vl_alias.c b/fs/afs/vl_alias.c
+index f04a80e4f5c3..83cf1bfbe343 100644
+--- a/fs/afs/vl_alias.c
++++ b/fs/afs/vl_alias.c
+@@ -302,6 +302,7 @@ static char *afs_vl_get_cell_name(struct afs_cell *cell, struct key *key)
+ static int yfs_check_canonical_cell_name(struct afs_cell *cell, struct key *key)
+ {
+ struct afs_cell *master;
++ size_t name_len;
+ char *cell_name;
+
+ cell_name = afs_vl_get_cell_name(cell, key);
+@@ -313,8 +314,11 @@ static int yfs_check_canonical_cell_name(struct afs_cell *cell, struct key *key)
+ return 0;
+ }
+
+- master = afs_lookup_cell(cell->net, cell_name, strlen(cell_name),
+- NULL, false);
++ name_len = strlen(cell_name);
++ if (!name_len || name_len > AFS_MAXCELLNAME)
++ master = ERR_PTR(-EOPNOTSUPP);
++ else
++ master = afs_lookup_cell(cell->net, cell_name, name_len, NULL, false);
+ kfree(cell_name);
+ if (IS_ERR(master))
+ return PTR_ERR(master);
+diff --git a/fs/afs/vlclient.c b/fs/afs/vlclient.c
+index 00fca3c66ba6..16653f2ffe4f 100644
+--- a/fs/afs/vlclient.c
++++ b/fs/afs/vlclient.c
+@@ -671,7 +671,7 @@ static int afs_deliver_yfsvl_get_cell_name(struct afs_call *call)
+ return ret;
+
+ namesz = ntohl(call->tmp);
+- if (namesz > AFS_MAXCELLNAME)
++ if (namesz > YFS_VL_MAXCELLNAME)
+ return afs_protocol_error(call, afs_eproto_cellname_len);
+ paddedsz = (namesz + 3) & ~3;
+ call->count = namesz;
+--
+2.39.5
+
--- /dev/null
+From 7738999f153114f6cd79ad77df8096c28363aa08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 10:51:26 +0800
+Subject: drm/mediatek: Add support for 180-degree rotation in the display
+ driver
+
+From: Jason-JH.Lin <jason-jh.lin@mediatek.com>
+
+[ Upstream commit 5c9d7e79ba154e8e1f0bfdeb7b495f454c1a3eba ]
+
+mediatek-drm driver reported the capability of 180-degree rotation by
+adding `DRM_MODE_ROTATE_180` to the plane property, as flip-x combined
+with flip-y equals a 180-degree rotation. However, we did not handle
+the rotation property in the driver and lead to rotation issues.
+
+Fixes: 74608d8feefd ("drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property")
+Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20241118025126.30808-1-jason-jh.lin@mediatek.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_disp_ovl.c b/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
+index c54d56fb7b4c..77397bf0b5b4 100644
+--- a/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
++++ b/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
+@@ -302,6 +302,7 @@ void mtk_ovl_layer_config(struct device *dev, unsigned int idx,
+ unsigned int addr = pending->addr;
+ unsigned int pitch = pending->pitch & 0xffff;
+ unsigned int fmt = pending->format;
++ unsigned int rotation = pending->rotation;
+ unsigned int offset = (pending->y << 16) | pending->x;
+ unsigned int src_size = (pending->height << 16) | pending->width;
+ unsigned int con;
+@@ -315,12 +316,19 @@ void mtk_ovl_layer_config(struct device *dev, unsigned int idx,
+ if (state->base.fb && state->base.fb->format->has_alpha)
+ con |= OVL_CON_AEN | OVL_CON_ALPHA;
+
+- if (pending->rotation & DRM_MODE_REFLECT_Y) {
++ /*
++ * Treat rotate 180 as flip x + flip y, and XOR the original rotation value
++ * to flip x + flip y to support both in the same time.
++ */
++ if (rotation & DRM_MODE_ROTATE_180)
++ rotation ^= DRM_MODE_REFLECT_X | DRM_MODE_REFLECT_Y;
++
++ if (rotation & DRM_MODE_REFLECT_Y) {
+ con |= OVL_CON_VIRT_FLIP;
+ addr += (pending->height - 1) * pending->pitch;
+ }
+
+- if (pending->rotation & DRM_MODE_REFLECT_X) {
++ if (rotation & DRM_MODE_REFLECT_X) {
+ con |= OVL_CON_HORZ_FLIP;
+ addr += pending->pitch - 1;
+ }
+--
+2.39.5
+
--- /dev/null
+From 815276fd8ba850a58ea77129708f98e3dc185ac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Dec 2024 23:30:50 +0800
+Subject: ksmbd: fix a missing return value check bug
+
+From: Wentao Liang <liangwentao@iscas.ac.cn>
+
+[ Upstream commit 4c16e1cadcbcaf3c82d5fc310fbd34d0f5d0db7c ]
+
+In the smb2_send_interim_resp(), if ksmbd_alloc_work_struct()
+fails to allocate a node, it returns a NULL pointer to the
+in_work pointer. This can lead to an illegal memory write of
+in_work->response_buf when allocate_interim_rsp_buf() attempts
+to perform a kzalloc() on it.
+
+To address this issue, incorporating a check for the return
+value of ksmbd_alloc_work_struct() ensures that the function
+returns immediately upon allocation failure, thereby preventing
+the aforementioned illegal memory access.
+
+Fixes: 041bba4414cd ("ksmbd: fix wrong interim response on compound")
+Signed-off-by: Wentao Liang <liangwentao@iscas.ac.cn>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/smb2pdu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index 7f9297a5f3ef..82b6be188ad4 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -714,6 +714,9 @@ void smb2_send_interim_resp(struct ksmbd_work *work, __le32 status)
+ struct smb2_hdr *rsp_hdr;
+ struct ksmbd_work *in_work = ksmbd_alloc_work_struct();
+
++ if (!in_work)
++ return;
++
+ if (allocate_interim_rsp_buf(in_work)) {
+ pr_err("smb_allocate_rsp_buf failed!\n");
+ ksmbd_free_work_struct(in_work);
+--
+2.39.5
+
net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch
netfilter-nf_tables-imbalance-in-flowtable-binding.patch
netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch
+drm-mediatek-add-support-for-180-degree-rotation-in-.patch
+ksmbd-fix-a-missing-return-value-check-bug.patch
+afs-fix-the-maximum-cell-name-length.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
