From: Sasha Levin Date: Sun, 6 Oct 2024 15:11:24 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v6.6.55~132 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=286921f45d861ac60487df53b0f01cf76c022018;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/acpi-ec-do-not-release-locks-during-operation-region.patch b/queue-5.15/acpi-ec-do-not-release-locks-during-operation-region.patch new file mode 100644 index 00000000000..3f39cc78b31 --- /dev/null +++ b/queue-5.15/acpi-ec-do-not-release-locks-during-operation-region.patch @@ -0,0 +1,166 @@ +From 9438770511d18e95ec40c155b402a660ea6c65e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jul 2024 18:26:54 +0200 +Subject: ACPI: EC: Do not release locks during operation region accesses + +From: Rafael J. Wysocki + +[ Upstream commit dc171114926ec390ab90f46534545420ec03e458 ] + +It is not particularly useful to release locks (the EC mutex and the +ACPI global lock, if present) and re-acquire them immediately thereafter +during EC address space accesses in acpi_ec_space_handler(). + +First, releasing them for a while before grabbing them again does not +really help anyone because there may not be enough time for another +thread to acquire them. + +Second, if another thread successfully acquires them and carries out +a new EC write or read in the middle if an operation region access in +progress, it may confuse the EC firmware, especially after the burst +mode has been enabled. + +Finally, manipulating the locks after writing or reading every single +byte of data is overhead that it is better to avoid. + +Accordingly, modify the code to carry out EC address space accesses +entirely without releasing the locks. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Hans de Goede +Link: https://patch.msgid.link/12473338.O9o76ZdvQC@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 55 +++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 49 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 59e617ab12a51..ddc5b3a3d9b38 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -773,6 +773,9 @@ static int acpi_ec_transaction_unlocked(struct acpi_ec *ec, + unsigned long tmp; + int ret = 0; + ++ if (t->rdata) ++ memset(t->rdata, 0, t->rlen); ++ + /* start transaction */ + spin_lock_irqsave(&ec->lock, tmp); + /* Enable GPE for command processing (IBF=0/OBF=1) */ +@@ -809,8 +812,6 @@ static int acpi_ec_transaction(struct acpi_ec *ec, struct transaction *t) + + if (!ec || (!t) || (t->wlen && !t->wdata) || (t->rlen && !t->rdata)) + return -EINVAL; +- if (t->rdata) +- memset(t->rdata, 0, t->rlen); + + mutex_lock(&ec->mutex); + if (ec->global_lock) { +@@ -837,7 +838,7 @@ static int acpi_ec_burst_enable(struct acpi_ec *ec) + .wdata = NULL, .rdata = &d, + .wlen = 0, .rlen = 1}; + +- return acpi_ec_transaction(ec, &t); ++ return acpi_ec_transaction_unlocked(ec, &t); + } + + static int acpi_ec_burst_disable(struct acpi_ec *ec) +@@ -847,7 +848,7 @@ static int acpi_ec_burst_disable(struct acpi_ec *ec) + .wlen = 0, .rlen = 0}; + + return (acpi_ec_read_status(ec) & ACPI_EC_FLAG_BURST) ? +- acpi_ec_transaction(ec, &t) : 0; ++ acpi_ec_transaction_unlocked(ec, &t) : 0; + } + + static int acpi_ec_read(struct acpi_ec *ec, u8 address, u8 *data) +@@ -863,6 +864,19 @@ static int acpi_ec_read(struct acpi_ec *ec, u8 address, u8 *data) + return result; + } + ++static int acpi_ec_read_unlocked(struct acpi_ec *ec, u8 address, u8 *data) ++{ ++ int result; ++ u8 d; ++ struct transaction t = {.command = ACPI_EC_COMMAND_READ, ++ .wdata = &address, .rdata = &d, ++ .wlen = 1, .rlen = 1}; ++ ++ result = acpi_ec_transaction_unlocked(ec, &t); ++ *data = d; ++ return result; ++} ++ + static int acpi_ec_write(struct acpi_ec *ec, u8 address, u8 data) + { + u8 wdata[2] = { address, data }; +@@ -873,6 +887,16 @@ static int acpi_ec_write(struct acpi_ec *ec, u8 address, u8 data) + return acpi_ec_transaction(ec, &t); + } + ++static int acpi_ec_write_unlocked(struct acpi_ec *ec, u8 address, u8 data) ++{ ++ u8 wdata[2] = { address, data }; ++ struct transaction t = {.command = ACPI_EC_COMMAND_WRITE, ++ .wdata = wdata, .rdata = NULL, ++ .wlen = 2, .rlen = 0}; ++ ++ return acpi_ec_transaction_unlocked(ec, &t); ++} ++ + int ec_read(u8 addr, u8 *val) + { + int err; +@@ -1293,6 +1317,7 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, + struct acpi_ec *ec = handler_context; + int result = 0, i, bytes = bits / 8; + u8 *value = (u8 *)value64; ++ u32 glk; + + if ((address > 0xFF) || !value || !handler_context) + return AE_BAD_PARAMETER; +@@ -1300,13 +1325,25 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, + if (function != ACPI_READ && function != ACPI_WRITE) + return AE_BAD_PARAMETER; + ++ mutex_lock(&ec->mutex); ++ ++ if (ec->global_lock) { ++ acpi_status status; ++ ++ status = acpi_acquire_global_lock(ACPI_EC_UDELAY_GLK, &glk); ++ if (ACPI_FAILURE(status)) { ++ result = -ENODEV; ++ goto unlock; ++ } ++ } ++ + if (ec->busy_polling || bits > 8) + acpi_ec_burst_enable(ec); + + for (i = 0; i < bytes; ++i, ++address, ++value) { + result = (function == ACPI_READ) ? +- acpi_ec_read(ec, address, value) : +- acpi_ec_write(ec, address, *value); ++ acpi_ec_read_unlocked(ec, address, value) : ++ acpi_ec_write_unlocked(ec, address, *value); + if (result < 0) + break; + } +@@ -1314,6 +1351,12 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, + if (ec->busy_polling || bits > 8) + acpi_ec_burst_disable(ec); + ++ if (ec->global_lock) ++ acpi_release_global_lock(glk); ++ ++unlock: ++ mutex_unlock(&ec->mutex); ++ + switch (result) { + case -EINVAL: + return AE_BAD_PARAMETER; +-- +2.43.0 + diff --git a/queue-5.15/acpi-pad-fix-crash-in-exit_round_robin.patch b/queue-5.15/acpi-pad-fix-crash-in-exit_round_robin.patch new file mode 100644 index 00000000000..8c29db9d92a --- /dev/null +++ b/queue-5.15/acpi-pad-fix-crash-in-exit_round_robin.patch @@ -0,0 +1,96 @@ +From 5b1217f0058801c5a02e6644801e77c350c923ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Aug 2024 23:13:52 +0900 +Subject: ACPI: PAD: fix crash in exit_round_robin() + +From: Seiji Nishikawa + +[ Upstream commit 0a2ed70a549e61c5181bad5db418d223b68ae932 ] + +The kernel occasionally crashes in cpumask_clear_cpu(), which is called +within exit_round_robin(), because when executing clear_bit(nr, addr) with +nr set to 0xffffffff, the address calculation may cause misalignment within +the memory, leading to access to an invalid memory address. + +---------- +BUG: unable to handle kernel paging request at ffffffffe0740618 + ... +CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1 + ... +RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad] +Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31 +RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202 +RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 +RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8 +R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e +R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e +FS: 0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + ? acpi_pad_add+0x120/0x120 [acpi_pad] + kthread+0x10b/0x130 + ? set_kthread_struct+0x50/0x50 + ret_from_fork+0x1f/0x40 + ... +CR2: ffffffffe0740618 + +crash> dis -lr ffffffffc0726923 + ... +/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114 +0xffffffffc0726918 : mov %r12d,%r12d +/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325 +0xffffffffc072691b : mov -0x3f8d7de0(,%r12,4),%eax +/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80 +0xffffffffc0726923 : lock btr %rax,0x19cf4(%rip) # 0xffffffffc0740620 + +crash> px tsk_in_cpu[14] +$66 = 0xffffffff + +crash> px 0xffffffffc072692c+0x19cf4 +$99 = 0xffffffffc0740620 + +crash> sym 0xffffffffc0740620 +ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad] + +crash> px pad_busy_cpus_bits[0] +$42 = 0xfffc0 +---------- + +To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling +cpumask_clear_cpu() in exit_round_robin(), just as it is done in +round_robin_cpu(). + +Signed-off-by: Seiji Nishikawa +Link: https://patch.msgid.link/20240825141352.25280-1-snishika@redhat.com +[ rjw: Subject edit, avoid updates to the same value ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_pad.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/acpi_pad.c b/drivers/acpi/acpi_pad.c +index f45979aa2d648..76bb9836b6497 100644 +--- a/drivers/acpi/acpi_pad.c ++++ b/drivers/acpi/acpi_pad.c +@@ -129,8 +129,10 @@ static void exit_round_robin(unsigned int tsk_index) + { + struct cpumask *pad_busy_cpus = to_cpumask(pad_busy_cpus_bits); + +- cpumask_clear_cpu(tsk_in_cpu[tsk_index], pad_busy_cpus); +- tsk_in_cpu[tsk_index] = -1; ++ if (tsk_in_cpu[tsk_index] != -1) { ++ cpumask_clear_cpu(tsk_in_cpu[tsk_index], pad_busy_cpus); ++ tsk_in_cpu[tsk_index] = -1; ++ } + } + + static unsigned int idle_pct = 5; /* percentage */ +-- +2.43.0 + diff --git a/queue-5.15/acpica-check-null-return-of-acpi_allocate_zeroed-in-.patch b/queue-5.15/acpica-check-null-return-of-acpi_allocate_zeroed-in-.patch new file mode 100644 index 00000000000..3062ec710d2 --- /dev/null +++ b/queue-5.15/acpica-check-null-return-of-acpi_allocate_zeroed-in-.patch @@ -0,0 +1,41 @@ +From d68b70f45e648d7916cea44f668a9e7cb9f015a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 14:05:48 +0800 +Subject: ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in + acpi_db_convert_to_package() + +From: Pei Xiao + +[ Upstream commit a5242874488eba2b9062985bf13743c029821330 ] + +ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0 + +ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause +NULL pointer dereference later. + +Link: https://github.com/acpica/acpica/commit/4d4547cf +Signed-off-by: Pei Xiao +Link: https://patch.msgid.link/tencent_4A21A2865B8B0A0D12CAEBEB84708EDDB505@qq.com +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dbconvert.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/acpi/acpica/dbconvert.c b/drivers/acpi/acpica/dbconvert.c +index 2b84ac093698a..8dbab69320499 100644 +--- a/drivers/acpi/acpica/dbconvert.c ++++ b/drivers/acpi/acpica/dbconvert.c +@@ -174,6 +174,8 @@ acpi_status acpi_db_convert_to_package(char *string, union acpi_object *object) + elements = + ACPI_ALLOCATE_ZEROED(DB_DEFAULT_PKG_ELEMENTS * + sizeof(union acpi_object)); ++ if (!elements) ++ return (AE_NO_MEMORY); + + this = string; + for (i = 0; i < (DB_DEFAULT_PKG_ELEMENTS - 1); i++) { +-- +2.43.0 + diff --git a/queue-5.15/acpica-fix-memory-leak-if-acpi_ps_get_next_field-fai.patch b/queue-5.15/acpica-fix-memory-leak-if-acpi_ps_get_next_field-fai.patch new file mode 100644 index 00000000000..7a237fa9f0e --- /dev/null +++ b/queue-5.15/acpica-fix-memory-leak-if-acpi_ps_get_next_field-fai.patch @@ -0,0 +1,90 @@ +From 39843776d24a125efb5a73f935c164005a6700eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Apr 2024 21:50:33 +0200 +Subject: ACPICA: Fix memory leak if acpi_ps_get_next_field() fails + +From: Armin Wolf + +[ Upstream commit e6169a8ffee8a012badd8c703716e761ce851b15 ] + +ACPICA commit 1280045754264841b119a5ede96cd005bc09b5a7 + +If acpi_ps_get_next_field() fails, the previously created field list +needs to be properly disposed before returning the status code. + +Link: https://github.com/acpica/acpica/commit/12800457 +Signed-off-by: Armin Wolf +[ rjw: Rename local variable to avoid compiler confusion ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/psargs.c | 39 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c +index fd351074c6129..29239a569bfd7 100644 +--- a/drivers/acpi/acpica/psargs.c ++++ b/drivers/acpi/acpica/psargs.c +@@ -25,6 +25,8 @@ acpi_ps_get_next_package_length(struct acpi_parse_state *parser_state); + static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state + *parser_state); + ++static void acpi_ps_free_field_list(union acpi_parse_object *start); ++ + /******************************************************************************* + * + * FUNCTION: acpi_ps_get_next_package_length +@@ -683,6 +685,39 @@ static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state + return_PTR(field); + } + ++/******************************************************************************* ++ * ++ * FUNCTION: acpi_ps_free_field_list ++ * ++ * PARAMETERS: start - First Op in field list ++ * ++ * RETURN: None. ++ * ++ * DESCRIPTION: Free all Op objects inside a field list. ++ * ++ ******************************************************************************/ ++ ++static void acpi_ps_free_field_list(union acpi_parse_object *start) ++{ ++ union acpi_parse_object *cur = start; ++ union acpi_parse_object *next; ++ union acpi_parse_object *arg; ++ ++ while (cur) { ++ next = cur->common.next; ++ ++ /* AML_INT_CONNECTION_OP can have a single argument */ ++ ++ arg = acpi_ps_get_arg(cur, 0); ++ if (arg) { ++ acpi_ps_free_op(arg); ++ } ++ ++ acpi_ps_free_op(cur); ++ cur = next; ++ } ++} ++ + /******************************************************************************* + * + * FUNCTION: acpi_ps_get_next_arg +@@ -751,6 +786,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state, + while (parser_state->aml < parser_state->pkg_end) { + field = acpi_ps_get_next_field(parser_state); + if (!field) { ++ if (arg) { ++ acpi_ps_free_field_list(arg); ++ } ++ + return_ACPI_STATUS(AE_NO_MEMORY); + } + +-- +2.43.0 + diff --git a/queue-5.15/acpica-fix-memory-leak-if-acpi_ps_get_next_namepath-.patch b/queue-5.15/acpica-fix-memory-leak-if-acpi_ps_get_next_namepath-.patch new file mode 100644 index 00000000000..89067062c51 --- /dev/null +++ b/queue-5.15/acpica-fix-memory-leak-if-acpi_ps_get_next_namepath-.patch @@ -0,0 +1,55 @@ +From 3cc2f21985a2af9691a98467a3f1845b0e925959 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 20:50:11 +0200 +Subject: ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails + +From: Armin Wolf + +[ Upstream commit 5accb265f7a1b23e52b0ec42313d1e12895552f4 ] + +ACPICA commit 2802af722bbde7bf1a7ac68df68e179e2555d361 + +If acpi_ps_get_next_namepath() fails, the previously allocated +union acpi_parse_object needs to be freed before returning the +status code. + +The issue was first being reported on the Linux ACPI mailing list: + +Link: https://lore.kernel.org/linux-acpi/56f94776-484f-48c0-8855-dba8e6a7793b@yandex.ru/T/ +Link: https://github.com/acpica/acpica/commit/2802af72 +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/psargs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c +index b9ff535aa02e6..fd351074c6129 100644 +--- a/drivers/acpi/acpica/psargs.c ++++ b/drivers/acpi/acpica/psargs.c +@@ -820,6 +820,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state, + acpi_ps_get_next_namepath(walk_state, parser_state, + arg, + ACPI_NOT_METHOD_CALL); ++ if (ACPI_FAILURE(status)) { ++ acpi_ps_free_op(arg); ++ return_ACPI_STATUS(status); ++ } + } else { + /* Single complex argument, nothing returned */ + +@@ -854,6 +858,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state, + acpi_ps_get_next_namepath(walk_state, parser_state, + arg, + ACPI_POSSIBLE_METHOD_CALL); ++ if (ACPI_FAILURE(status)) { ++ acpi_ps_free_op(arg); ++ return_ACPI_STATUS(status); ++ } + + if (arg->common.aml_opcode == AML_INT_METHODCALL_OP) { + +-- +2.43.0 + diff --git a/queue-5.15/acpica-iasl-handle-empty-connection_node.patch b/queue-5.15/acpica-iasl-handle-empty-connection_node.patch new file mode 100644 index 00000000000..aafecddfe7b --- /dev/null +++ b/queue-5.15/acpica-iasl-handle-empty-connection_node.patch @@ -0,0 +1,36 @@ +From fc4303c3460ccd61742b4cf76435e32863d0e8cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Aug 2024 23:33:44 +0200 +Subject: ACPICA: iasl: handle empty connection_node + +From: Aleksandrs Vinarskis + +[ Upstream commit a0a2459b79414584af6c46dd8c6f866d8f1aa421 ] + +ACPICA commit 6c551e2c9487067d4b085333e7fe97e965a11625 + +Link: https://github.com/acpica/acpica/commit/6c551e2c +Signed-off-by: Aleksandrs Vinarskis +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/exprep.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/acpica/exprep.c b/drivers/acpi/acpica/exprep.c +index d8c55dde191b1..8f143f377a3d3 100644 +--- a/drivers/acpi/acpica/exprep.c ++++ b/drivers/acpi/acpica/exprep.c +@@ -437,6 +437,9 @@ acpi_status acpi_ex_prep_field_value(struct acpi_create_field_info *info) + + if (info->connection_node) { + second_desc = info->connection_node->object; ++ if (second_desc == NULL) { ++ break; ++ } + if (!(second_desc->common.flags & AOPOBJ_DATA_VALID)) { + status = + acpi_ds_get_buffer_arguments(second_desc); +-- +2.43.0 + diff --git a/queue-5.15/alsa-asihpi-fix-potential-oob-array-access.patch b/queue-5.15/alsa-asihpi-fix-potential-oob-array-access.patch new file mode 100644 index 00000000000..59291d87d07 --- /dev/null +++ b/queue-5.15/alsa-asihpi-fix-potential-oob-array-access.patch @@ -0,0 +1,39 @@ +From 0857c0a3fa3c6ee4afe013a4ad673dc0fcc0194c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Aug 2024 11:14:42 +0200 +Subject: ALSA: asihpi: Fix potential OOB array access + +From: Takashi Iwai + +[ Upstream commit 7b986c7430a6bb68d523dac7bfc74cbd5b44ef96 ] + +ASIHPI driver stores some values in the static array upon a response +from the driver, and its index depends on the firmware. We shouldn't +trust it blindly. + +This patch adds a sanity check of the array index to fit in the array +size. + +Link: https://patch.msgid.link/20240808091454.30846-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpimsgx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c +index f7427f8eb6303..761fc62f68f16 100644 +--- a/sound/pci/asihpi/hpimsgx.c ++++ b/sound/pci/asihpi/hpimsgx.c +@@ -713,7 +713,7 @@ static u16 HPIMSGX__init(struct hpi_message *phm, + phr->error = HPI_ERROR_PROCESSING_MESSAGE; + return phr->error; + } +- if (hr.error == 0) { ++ if (hr.error == 0 && hr.u.s.adapter_index < HPI_MAX_ADAPTERS) { + /* the adapter was created successfully + save the mapping for future use */ + hpi_entry_points[hr.u.s.adapter_index] = entry_point_func; +-- +2.43.0 + diff --git a/queue-5.15/alsa-hdsp-break-infinite-midi-input-flush-loop.patch b/queue-5.15/alsa-hdsp-break-infinite-midi-input-flush-loop.patch new file mode 100644 index 00000000000..11881700d5f --- /dev/null +++ b/queue-5.15/alsa-hdsp-break-infinite-midi-input-flush-loop.patch @@ -0,0 +1,60 @@ +From b2916ed10c332ca7ee0ae75e6947bb477b04708b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Aug 2024 11:15:12 +0200 +Subject: ALSA: hdsp: Break infinite MIDI input flush loop + +From: Takashi Iwai + +[ Upstream commit c01f3815453e2d5f699ccd8c8c1f93a5b8669e59 ] + +The current MIDI input flush on HDSP and HDSPM drivers relies on the +hardware reporting the right value. If the hardware doesn't give the +proper value but returns -1, it may be stuck at an infinite loop. + +Add a counter and break if the loop is unexpectedly too long. + +Link: https://patch.msgid.link/20240808091513.31380-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/rme9652/hdsp.c | 6 ++++-- + sound/pci/rme9652/hdspm.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c +index 82c72e6c13754..18d595d8f588c 100644 +--- a/sound/pci/rme9652/hdsp.c ++++ b/sound/pci/rme9652/hdsp.c +@@ -1298,8 +1298,10 @@ static int snd_hdsp_midi_output_possible (struct hdsp *hdsp, int id) + + static void snd_hdsp_flush_midi_input (struct hdsp *hdsp, int id) + { +- while (snd_hdsp_midi_input_available (hdsp, id)) +- snd_hdsp_midi_read_byte (hdsp, id); ++ int count = 256; ++ ++ while (snd_hdsp_midi_input_available(hdsp, id) && --count) ++ snd_hdsp_midi_read_byte(hdsp, id); + } + + static int snd_hdsp_midi_output_write (struct hdsp_midi *hmidi) +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c +index fa1812e7a49dc..247f5c52fb090 100644 +--- a/sound/pci/rme9652/hdspm.c ++++ b/sound/pci/rme9652/hdspm.c +@@ -1838,8 +1838,10 @@ static inline int snd_hdspm_midi_output_possible (struct hdspm *hdspm, int id) + + static void snd_hdspm_flush_midi_input(struct hdspm *hdspm, int id) + { +- while (snd_hdspm_midi_input_available (hdspm, id)) +- snd_hdspm_midi_read_byte (hdspm, id); ++ int count = 256; ++ ++ while (snd_hdspm_midi_input_available(hdspm, id) && --count) ++ snd_hdspm_midi_read_byte(hdspm, id); + } + + static int snd_hdspm_midi_output_write (struct hdspm_midi *hmidi) +-- +2.43.0 + diff --git a/queue-5.15/alsa-usb-audio-add-input-value-sanity-checks-for-sta.patch b/queue-5.15/alsa-usb-audio-add-input-value-sanity-checks-for-sta.patch new file mode 100644 index 00000000000..86555370fbd --- /dev/null +++ b/queue-5.15/alsa-usb-audio-add-input-value-sanity-checks-for-sta.patch @@ -0,0 +1,140 @@ +From 8a95f952bc9d758d094a95a5cbf88b4c53d54fb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 14:46:50 +0200 +Subject: ALSA: usb-audio: Add input value sanity checks for standard types + +From: Takashi Iwai + +[ Upstream commit 901e85677ec0bb9a69fb9eab1feafe0c4eb7d07e ] + +For an invalid input value that is out of the given range, currently +USB-audio driver corrects the value silently and accepts without +errors. This is no wrong behavior, per se, but the recent kselftest +rather wants to have an error in such a case, hence a different +behavior is expected now. + +This patch adds a sanity check at each control put for the standard +mixer types and returns an error if an invalid value is given. + +Note that this covers only the standard mixer types. The mixer quirks +that have own control callbacks would need different coverage. + +Link: https://patch.msgid.link/20240806124651.28203-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 35 +++++++++++++++++++++++++++-------- + sound/usb/mixer.h | 1 + + 2 files changed, 28 insertions(+), 8 deletions(-) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 9906785a02e92..ae27e5c57c70e 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1346,6 +1346,19 @@ static int get_min_max_with_quirks(struct usb_mixer_elem_info *cval, + + #define get_min_max(cval, def) get_min_max_with_quirks(cval, def, NULL) + ++/* get the max value advertised via control API */ ++static int get_max_exposed(struct usb_mixer_elem_info *cval) ++{ ++ if (!cval->max_exposed) { ++ if (cval->res) ++ cval->max_exposed = ++ DIV_ROUND_UP(cval->max - cval->min, cval->res); ++ else ++ cval->max_exposed = cval->max - cval->min; ++ } ++ return cval->max_exposed; ++} ++ + /* get a feature/mixer unit info */ + static int mixer_ctl_feature_info(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_info *uinfo) +@@ -1358,11 +1371,8 @@ static int mixer_ctl_feature_info(struct snd_kcontrol *kcontrol, + else + uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER; + uinfo->count = cval->channels; +- if (cval->val_type == USB_MIXER_BOOLEAN || +- cval->val_type == USB_MIXER_INV_BOOLEAN) { +- uinfo->value.integer.min = 0; +- uinfo->value.integer.max = 1; +- } else { ++ if (cval->val_type != USB_MIXER_BOOLEAN && ++ cval->val_type != USB_MIXER_INV_BOOLEAN) { + if (!cval->initialized) { + get_min_max_with_quirks(cval, 0, kcontrol); + if (cval->initialized && cval->dBmin >= cval->dBmax) { +@@ -1374,10 +1384,10 @@ static int mixer_ctl_feature_info(struct snd_kcontrol *kcontrol, + &kcontrol->id); + } + } +- uinfo->value.integer.min = 0; +- uinfo->value.integer.max = +- DIV_ROUND_UP(cval->max - cval->min, cval->res); + } ++ ++ uinfo->value.integer.min = 0; ++ uinfo->value.integer.max = get_max_exposed(cval); + return 0; + } + +@@ -1418,6 +1428,7 @@ static int mixer_ctl_feature_put(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_value *ucontrol) + { + struct usb_mixer_elem_info *cval = kcontrol->private_data; ++ int max_val = get_max_exposed(cval); + int c, cnt, val, oval, err; + int changed = 0; + +@@ -1430,6 +1441,8 @@ static int mixer_ctl_feature_put(struct snd_kcontrol *kcontrol, + if (err < 0) + return filter_error(cval, err); + val = ucontrol->value.integer.value[cnt]; ++ if (val < 0 || val > max_val) ++ return -EINVAL; + val = get_abs_value(cval, val); + if (oval != val) { + snd_usb_set_cur_mix_value(cval, c + 1, cnt, val); +@@ -1443,6 +1456,8 @@ static int mixer_ctl_feature_put(struct snd_kcontrol *kcontrol, + if (err < 0) + return filter_error(cval, err); + val = ucontrol->value.integer.value[0]; ++ if (val < 0 || val > max_val) ++ return -EINVAL; + val = get_abs_value(cval, val); + if (val != oval) { + snd_usb_set_cur_mix_value(cval, 0, 0, val); +@@ -2301,6 +2316,8 @@ static int mixer_ctl_procunit_put(struct snd_kcontrol *kcontrol, + if (err < 0) + return filter_error(cval, err); + val = ucontrol->value.integer.value[0]; ++ if (val < 0 || val > get_max_exposed(cval)) ++ return -EINVAL; + val = get_abs_value(cval, val); + if (val != oval) { + set_cur_ctl_value(cval, cval->control << 8, val); +@@ -2663,6 +2680,8 @@ static int mixer_ctl_selector_put(struct snd_kcontrol *kcontrol, + if (err < 0) + return filter_error(cval, err); + val = ucontrol->value.enumerated.item[0]; ++ if (val < 0 || val >= cval->max) /* here cval->max = # elements */ ++ return -EINVAL; + val = get_abs_value(cval, val); + if (val != oval) { + set_cur_ctl_value(cval, cval->control << 8, val); +diff --git a/sound/usb/mixer.h b/sound/usb/mixer.h +index 98ea24d91d803..e3f3740204f54 100644 +--- a/sound/usb/mixer.h ++++ b/sound/usb/mixer.h +@@ -88,6 +88,7 @@ struct usb_mixer_elem_info { + int channels; + int val_type; + int min, max, res; ++ int max_exposed; /* control API exposes the value in 0..max_exposed */ + int dBmin, dBmax; + int cached; + int cache_val[MAX_CHANNELS]; +-- +2.43.0 + diff --git a/queue-5.15/alsa-usb-audio-add-logitech-audio-profile-quirk.patch b/queue-5.15/alsa-usb-audio-add-logitech-audio-profile-quirk.patch new file mode 100644 index 00000000000..4f9daf90dd7 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-add-logitech-audio-profile-quirk.patch @@ -0,0 +1,40 @@ +From 02e673c49f68bef9d59e1610b5e5d42abaf1a334 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 15:26:28 +0000 +Subject: ALSA: usb-audio: Add logitech Audio profile quirk + +From: Joshua Pius + +[ Upstream commit a51c925c11d7b855167e64b63eb4378e5adfc11d ] + +Specify shortnames for the following Logitech Devices: Rally bar, Rally +bar mini, Tap, MeetUp and Huddle. + +Signed-off-by: Joshua Pius +Link: https://patch.msgid.link/20240912152635.1859737-1-joshuapius@google.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/card.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/sound/usb/card.c b/sound/usb/card.c +index bebd42413fadb..bec6d41a143d2 100644 +--- a/sound/usb/card.c ++++ b/sound/usb/card.c +@@ -382,6 +382,12 @@ static const struct usb_audio_device_name usb_audio_names[] = { + /* Creative/Toshiba Multimedia Center SB-0500 */ + DEVICE_NAME(0x041e, 0x3048, "Toshiba", "SB-0500"), + ++ /* Logitech Audio Devices */ ++ DEVICE_NAME(0x046d, 0x0867, "Logitech, Inc.", "Logi-MeetUp"), ++ DEVICE_NAME(0x046d, 0x0874, "Logitech, Inc.", "Logi-Tap-Audio"), ++ DEVICE_NAME(0x046d, 0x087c, "Logitech, Inc.", "Logi-Huddle"), ++ DEVICE_NAME(0x046d, 0x0898, "Logitech, Inc.", "Logi-RB-Audio"), ++ DEVICE_NAME(0x046d, 0x08d2, "Logitech, Inc.", "Logi-RBM-Audio"), + DEVICE_NAME(0x046d, 0x0990, "Logitech, Inc.", "QuickCam Pro 9000"), + + DEVICE_NAME(0x05e1, 0x0408, "Syntek", "STK1160"), +-- +2.43.0 + diff --git a/queue-5.15/alsa-usb-audio-define-macros-for-quirk-table-entries.patch b/queue-5.15/alsa-usb-audio-define-macros-for-quirk-table-entries.patch new file mode 100644 index 00000000000..49e86040143 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-define-macros-for-quirk-table-entries.patch @@ -0,0 +1,111 @@ +From 8853d0f3c4f08885e67749f55483ad7a39bee3b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 15:48:41 +0200 +Subject: ALSA: usb-audio: Define macros for quirk table entries + +From: Takashi Iwai + +[ Upstream commit 0c3ad39b791c2ecf718afcaca30e5ceafa939d5c ] + +Many entries in the USB-audio quirk tables have relatively complex +expressions. For improving the readability, introduce a few macros. +Those are applied in the following patch. + +Link: https://patch.msgid.link/20240814134844.2726-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/quirks-table.h | 77 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 77 insertions(+) + +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index 7a15cc260f741..dd98b4e13edac 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -35,6 +35,83 @@ + .bInterfaceClass = USB_CLASS_AUDIO, \ + .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL + ++/* Quirk .driver_info, followed by the definition of the quirk entry; ++ * put like QUIRK_DRIVER_INFO { ... } in each entry of the quirk table ++ */ ++#define QUIRK_DRIVER_INFO \ ++ .driver_info = (unsigned long)&(const struct snd_usb_audio_quirk) ++ ++/* ++ * Macros for quirk data entries ++ */ ++ ++/* Quirk data entry for ignoring the interface */ ++#define QUIRK_DATA_IGNORE(_ifno) \ ++ .ifnum = (_ifno), .type = QUIRK_IGNORE_INTERFACE ++/* Quirk data entry for a standard audio interface */ ++#define QUIRK_DATA_STANDARD_AUDIO(_ifno) \ ++ .ifnum = (_ifno), .type = QUIRK_AUDIO_STANDARD_INTERFACE ++/* Quirk data entry for a standard MIDI interface */ ++#define QUIRK_DATA_STANDARD_MIDI(_ifno) \ ++ .ifnum = (_ifno), .type = QUIRK_MIDI_STANDARD_INTERFACE ++/* Quirk data entry for a standard mixer interface */ ++#define QUIRK_DATA_STANDARD_MIXER(_ifno) \ ++ .ifnum = (_ifno), .type = QUIRK_AUDIO_STANDARD_MIXER ++ ++/* Quirk data entry for Yamaha MIDI */ ++#define QUIRK_DATA_MIDI_YAMAHA(_ifno) \ ++ .ifnum = (_ifno), .type = QUIRK_MIDI_YAMAHA ++/* Quirk data entry for Edirol UAxx */ ++#define QUIRK_DATA_EDIROL_UAXX(_ifno) \ ++ .ifnum = (_ifno), .type = QUIRK_AUDIO_EDIROL_UAXX ++/* Quirk data entry for raw bytes interface */ ++#define QUIRK_DATA_RAW_BYTES(_ifno) \ ++ .ifnum = (_ifno), .type = QUIRK_MIDI_RAW_BYTES ++ ++/* Quirk composite array terminator */ ++#define QUIRK_COMPOSITE_END { .ifnum = -1 } ++ ++/* Quirk data entry for composite quirks; ++ * followed by the quirk array that is terminated with QUIRK_COMPOSITE_END ++ * e.g. QUIRK_DATA_COMPOSITE { { quirk1 }, { quirk2 },..., QUIRK_COMPOSITE_END } ++ */ ++#define QUIRK_DATA_COMPOSITE \ ++ .ifnum = QUIRK_ANY_INTERFACE, \ ++ .type = QUIRK_COMPOSITE, \ ++ .data = &(const struct snd_usb_audio_quirk[]) ++ ++/* Quirk data entry for a fixed audio endpoint; ++ * followed by audioformat definition ++ * e.g. QUIRK_DATA_AUDIOFORMAT(n) { .formats = xxx, ... } ++ */ ++#define QUIRK_DATA_AUDIOFORMAT(_ifno) \ ++ .ifnum = (_ifno), \ ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, \ ++ .data = &(const struct audioformat) ++ ++/* Quirk data entry for a fixed MIDI endpoint; ++ * followed by snd_usb_midi_endpoint_info definition ++ * e.g. QUIRK_DATA_MIDI_FIXED_ENDPOINT(n) { .out_cables = x, .in_cables = y } ++ */ ++#define QUIRK_DATA_MIDI_FIXED_ENDPOINT(_ifno) \ ++ .ifnum = (_ifno), \ ++ .type = QUIRK_MIDI_FIXED_ENDPOINT, \ ++ .data = &(const struct snd_usb_midi_endpoint_info) ++/* Quirk data entry for a MIDIMAN MIDI endpoint */ ++#define QUIRK_DATA_MIDI_MIDIMAN(_ifno) \ ++ .ifnum = (_ifno), \ ++ .type = QUIRK_MIDI_MIDIMAN, \ ++ .data = &(const struct snd_usb_midi_endpoint_info) ++/* Quirk data entry for a EMAGIC MIDI endpoint */ ++#define QUIRK_DATA_MIDI_EMAGIC(_ifno) \ ++ .ifnum = (_ifno), \ ++ .type = QUIRK_MIDI_EMAGIC, \ ++ .data = &(const struct snd_usb_midi_endpoint_info) ++ ++/* ++ * Here we go... the quirk table definition begins: ++ */ ++ + /* FTDI devices */ + { + USB_DEVICE(0x0403, 0xb8d8), +-- +2.43.0 + diff --git a/queue-5.15/ata-sata_sil-rename-sil_blacklist-to-sil_quirks.patch b/queue-5.15/ata-sata_sil-rename-sil_blacklist-to-sil_quirks.patch new file mode 100644 index 00000000000..0d33cda4920 --- /dev/null +++ b/queue-5.15/ata-sata_sil-rename-sil_blacklist-to-sil_quirks.patch @@ -0,0 +1,61 @@ +From 6efb7ec8a4377f06a6770707864e4c20dbefd5d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 11:14:11 +0900 +Subject: ata: sata_sil: Rename sil_blacklist to sil_quirks + +From: Damien Le Moal + +[ Upstream commit 93b0f9e11ce511353c65b7f924cf5f95bd9c3aba ] + +Rename the array sil_blacklist to sil_quirks as this name is more +neutral and is also consistent with how this driver define quirks with +the SIL_QUIRK_XXX flags. + +Signed-off-by: Damien Le Moal +Reviewed-by: Niklas Cassel +Reviewed-by: Igor Pylypiv +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_sil.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/ata/sata_sil.c b/drivers/ata/sata_sil.c +index 75321f1ceba52..fc438c4518fb7 100644 +--- a/drivers/ata/sata_sil.c ++++ b/drivers/ata/sata_sil.c +@@ -128,7 +128,7 @@ static const struct pci_device_id sil_pci_tbl[] = { + static const struct sil_drivelist { + const char *product; + unsigned int quirk; +-} sil_blacklist [] = { ++} sil_quirks[] = { + { "ST320012AS", SIL_QUIRK_MOD15WRITE }, + { "ST330013AS", SIL_QUIRK_MOD15WRITE }, + { "ST340017AS", SIL_QUIRK_MOD15WRITE }, +@@ -601,8 +601,8 @@ static void sil_thaw(struct ata_port *ap) + * list, and apply the fixups to only the specific + * devices/hosts/firmwares that need it. + * +- * 20040111 - Seagate drives affected by the Mod15Write bug are blacklisted +- * The Maxtor quirk is in the blacklist, but I'm keeping the original ++ * 20040111 - Seagate drives affected by the Mod15Write bug are quirked ++ * The Maxtor quirk is in sil_quirks, but I'm keeping the original + * pessimistic fix for the following reasons... + * - There seems to be less info on it, only one device gleaned off the + * Windows driver, maybe only one is affected. More info would be greatly +@@ -621,9 +621,9 @@ static void sil_dev_config(struct ata_device *dev) + + ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num)); + +- for (n = 0; sil_blacklist[n].product; n++) +- if (!strcmp(sil_blacklist[n].product, model_num)) { +- quirks = sil_blacklist[n].quirk; ++ for (n = 0; sil_quirks[n].product; n++) ++ if (!strcmp(sil_quirks[n].product, model_num)) { ++ quirks = sil_quirks[n].quirk; + break; + } + +-- +2.43.0 + diff --git a/queue-5.15/blk_iocost-fix-more-out-of-bound-shifts.patch b/queue-5.15/blk_iocost-fix-more-out-of-bound-shifts.patch new file mode 100644 index 00000000000..43f93d0a271 --- /dev/null +++ b/queue-5.15/blk_iocost-fix-more-out-of-bound-shifts.patch @@ -0,0 +1,80 @@ +From 4d9e154d7f7f28ff4afe694cfdeca9312bc6b844 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 08:41:36 -0700 +Subject: blk_iocost: fix more out of bound shifts + +From: Konstantin Ovsepian + +[ Upstream commit 9bce8005ec0dcb23a58300e8522fe4a31da606fa ] + +Recently running UBSAN caught few out of bound shifts in the +ioc_forgive_debts() function: + +UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38 +shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long +long') +... +UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30 +shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long +long') +... +Call Trace: + +dump_stack_lvl+0xca/0x130 +__ubsan_handle_shift_out_of_bounds+0x22c/0x280 +? __lock_acquire+0x6441/0x7c10 +ioc_timer_fn+0x6cec/0x7750 +? blk_iocost_init+0x720/0x720 +? call_timer_fn+0x5d/0x470 +call_timer_fn+0xfa/0x470 +? blk_iocost_init+0x720/0x720 +__run_timer_base+0x519/0x700 +... + +Actual impact of this issue was not identified but I propose to fix the +undefined behaviour. +The proposed fix to prevent those out of bound shifts consist of +precalculating exponent before using it the shift operations by taking +min value from the actual exponent and maximum possible number of bits. + +Reported-by: Breno Leitao +Signed-off-by: Konstantin Ovsepian +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20240822154137.2627818-1-ovs@ovs.to +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-iocost.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/block/blk-iocost.c b/block/blk-iocost.c +index bfdb7b0cf49de..9654d1c2c20f8 100644 +--- a/block/blk-iocost.c ++++ b/block/blk-iocost.c +@@ -2068,7 +2068,7 @@ static void ioc_forgive_debts(struct ioc *ioc, u64 usage_us_sum, int nr_debtors, + struct ioc_now *now) + { + struct ioc_gq *iocg; +- u64 dur, usage_pct, nr_cycles; ++ u64 dur, usage_pct, nr_cycles, nr_cycles_shift; + + /* if no debtor, reset the cycle */ + if (!nr_debtors) { +@@ -2130,10 +2130,12 @@ static void ioc_forgive_debts(struct ioc *ioc, u64 usage_us_sum, int nr_debtors, + old_debt = iocg->abs_vdebt; + old_delay = iocg->delay; + ++ nr_cycles_shift = min_t(u64, nr_cycles, BITS_PER_LONG - 1); + if (iocg->abs_vdebt) +- iocg->abs_vdebt = iocg->abs_vdebt >> nr_cycles ?: 1; ++ iocg->abs_vdebt = iocg->abs_vdebt >> nr_cycles_shift ?: 1; ++ + if (iocg->delay) +- iocg->delay = iocg->delay >> nr_cycles ?: 1; ++ iocg->delay = iocg->delay >> nr_cycles_shift ?: 1; + + iocg_kick_waitq(iocg, true, now); + +-- +2.43.0 + diff --git a/queue-5.15/cgroup-disallow-mounting-v1-hierarchies-without-cont.patch b/queue-5.15/cgroup-disallow-mounting-v1-hierarchies-without-cont.patch new file mode 100644 index 00000000000..959962a4b6f --- /dev/null +++ b/queue-5.15/cgroup-disallow-mounting-v1-hierarchies-without-cont.patch @@ -0,0 +1,71 @@ +From 4ae8f436f32ddcd5381588c65ef1da960a7e672f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 18:32:22 +0200 +Subject: cgroup: Disallow mounting v1 hierarchies without controller + implementation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Koutný + +[ Upstream commit 3c41382e920f1dd5c9f432948fe799c07af1cced ] + +The configs that disable some v1 controllers would still allow mounting +them but with no controller-specific files. (Making such hierarchies +equivalent to named v1 hierarchies.) To achieve behavior consistent with +actual out-compilation of a whole controller, the mounts should treat +respective controllers as non-existent. + +Wrap implementation into a helper function, leverage legacy_files to +detect compiled out controllers. The effect is that mounts on v1 would +fail and produce a message like: + [ 1543.999081] cgroup: Unknown subsys name 'memory' + +Signed-off-by: Michal Koutný +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup-v1.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c +index 1292bc8449458..e0559d119ef71 100644 +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -46,6 +46,12 @@ bool cgroup1_ssid_disabled(int ssid) + return cgroup_no_v1_mask & (1 << ssid); + } + ++static bool cgroup1_subsys_absent(struct cgroup_subsys *ss) ++{ ++ /* Check also dfl_cftypes for file-less controllers, i.e. perf_event */ ++ return ss->legacy_cftypes == NULL && ss->dfl_cftypes; ++} ++ + /** + * cgroup_attach_task_all - attach task 'tsk' to all cgroups of task 'from' + * @from: attach to all cgroups of a given task +@@ -937,7 +943,8 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param) + if (ret != -ENOPARAM) + return ret; + for_each_subsys(ss, i) { +- if (strcmp(param->key, ss->legacy_name)) ++ if (strcmp(param->key, ss->legacy_name) || ++ cgroup1_subsys_absent(ss)) + continue; + if (!cgroup_ssid_enabled(i) || cgroup1_ssid_disabled(i)) + return invalfc(fc, "Disabled controller '%s'", +@@ -1023,7 +1030,8 @@ static int check_cgroupfs_options(struct fs_context *fc) + mask = ~((u16)1 << cpuset_cgrp_id); + #endif + for_each_subsys(ss, i) +- if (cgroup_ssid_enabled(i) && !cgroup1_ssid_disabled(i)) ++ if (cgroup_ssid_enabled(i) && !cgroup1_ssid_disabled(i) && ++ !cgroup1_subsys_absent(ss)) + enabled |= 1 << i; + + ctx->subsys_mask &= enabled; +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-add-null-check-for-top_pipe_to_progr.patch b/queue-5.15/drm-amd-display-add-null-check-for-top_pipe_to_progr.patch new file mode 100644 index 00000000000..cb31bc4d91d --- /dev/null +++ b/queue-5.15/drm-amd-display-add-null-check-for-top_pipe_to_progr.patch @@ -0,0 +1,52 @@ +From 9c005e6d8a36bfe5ecf2864592e0434edfbec796 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 07:23:48 +0530 +Subject: drm/amd/display: Add null check for top_pipe_to_program in + commit_planes_for_stream + +From: Srinivasan Shanmugam + +[ Upstream commit 66d71a72539e173a9b00ca0b1852cbaa5f5bf1ad ] + +This commit addresses a null pointer dereference issue in the +`commit_planes_for_stream` function at line 4140. The issue could occur +when `top_pipe_to_program` is null. + +The fix adds a check to ensure `top_pipe_to_program` is not null before +accessing its stream_res. This prevents a null pointer dereference. + +Reported by smatch: +drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:4140 commit_planes_for_stream() error: we previously assumed 'top_pipe_to_program' could be null (see line 3906) + +Cc: Tom Chung +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Cc: Hamza Mahfooz +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 12e4beca5e840..22dbc6bc21af4 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -3027,7 +3027,8 @@ static void commit_planes_for_stream(struct dc *dc, + dc->hwss.pipe_control_lock(dc, top_pipe_to_program, false); + + if ((update_type != UPDATE_TYPE_FAST) && stream->update_flags.bits.dsc_changed) +- if (top_pipe_to_program->stream_res.tg->funcs->lock_doublebuffer_enable) { ++ if (top_pipe_to_program && ++ top_pipe_to_program->stream_res.tg->funcs->lock_doublebuffer_enable) { + top_pipe_to_program->stream_res.tg->funcs->wait_for_state( + top_pipe_to_program->stream_res.tg, + CRTC_STATE_VACTIVE); +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-check-null-pointers-before-using-dc-.patch b/queue-5.15/drm-amd-display-check-null-pointers-before-using-dc-.patch new file mode 100644 index 00000000000..050230df6cd --- /dev/null +++ b/queue-5.15/drm-amd-display-check-null-pointers-before-using-dc-.patch @@ -0,0 +1,46 @@ +From faa37acb135e01c7e3fff9d2736fd712b5d43fb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 15:29:09 -0600 +Subject: drm/amd/display: Check null pointers before using dc->clk_mgr + +From: Alex Hung + +[ Upstream commit 95d9e0803e51d5a24276b7643b244c7477daf463 ] + +[WHY & HOW] +dc->clk_mgr is null checked previously in the same function, indicating +it might be null. + +Passing "dc" to "dc->hwss.apply_idle_power_optimizations", which +dereferences null "dc->clk_mgr". (The function pointer resolves to +"dcn35_apply_idle_power_optimizations".) + +This fixes 1 FORWARD_NULL issue reported by Coverity. + +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Alex Hung +Signed-off-by: Tom Chung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 22dbc6bc21af4..db7a758ab778d 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -3671,7 +3671,8 @@ void dc_allow_idle_optimizations(struct dc *dc, bool allow) + if (allow == dc->idle_optimizations_allowed) + return; + +- if (dc->hwss.apply_idle_power_optimizations && dc->hwss.apply_idle_power_optimizations(dc, allow)) ++ if (dc->hwss.apply_idle_power_optimizations && dc->clk_mgr != NULL && ++ dc->hwss.apply_idle_power_optimizations(dc, allow)) + dc->idle_optimizations_allowed = allow; + } + +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-check-stream-before-comparing-them.patch b/queue-5.15/drm-amd-display-check-stream-before-comparing-them.patch new file mode 100644 index 00000000000..a68ac458cbc --- /dev/null +++ b/queue-5.15/drm-amd-display-check-stream-before-comparing-them.patch @@ -0,0 +1,41 @@ +From 67581dfb5eafc8020a105e0f3564501c66378ca1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 20:05:14 -0600 +Subject: drm/amd/display: Check stream before comparing them + +From: Alex Hung + +[ Upstream commit 35ff747c86767937ee1e0ca987545b7eed7a0810 ] + +[WHAT & HOW] +amdgpu_dm can pass a null stream to dc_is_stream_unchanged. It is +necessary to check for null before dereferencing them. + +This fixes 1 FORWARD_NULL issue reported by Coverity. + +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Jerry Zuo +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +index 42432af34db29..3d126acaf525e 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -1623,6 +1623,8 @@ static bool are_stream_backends_same( + bool dc_is_stream_unchanged( + struct dc_stream_state *old_stream, struct dc_stream_state *stream) + { ++ if (!old_stream || !stream) ++ return false; + + if (!are_stream_backends_same(old_stream, stream)) + return false; +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-fix-index-out-of-bounds-in-dcn30-col.patch b/queue-5.15/drm-amd-display-fix-index-out-of-bounds-in-dcn30-col.patch new file mode 100644 index 00000000000..466efba3c09 --- /dev/null +++ b/queue-5.15/drm-amd-display-fix-index-out-of-bounds-in-dcn30-col.patch @@ -0,0 +1,54 @@ +From ea3f9f779847e0c8d1fc3e4521da1efaedc60e21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Jul 2024 18:05:20 +0530 +Subject: drm/amd/display: Fix index out of bounds in DCN30 color + transformation + +From: Srinivasan Shanmugam + +[ Upstream commit d81873f9e715b72d4f8d391c8eb243946f784dfc ] + +This commit addresses a potential index out of bounds issue in the +`cm3_helper_translate_curve_to_hw_format` function in the DCN30 color +management module. The issue could occur when the index 'i' exceeds the +number of transfer function points (TRANSFER_FUNC_POINTS). + +The fix adds a check to ensure 'i' is within bounds before accessing the +transfer function points. If 'i' is out of bounds, the function returns +false to indicate an error. + +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max + +Cc: Tom Chung +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Cc: Hamza Mahfooz +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c +index e0b1fc92ed186..62c02adae7e76 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c +@@ -178,6 +178,8 @@ bool cm3_helper_translate_curve_to_hw_format( + i += increment) { + if (j == hw_points - 1) + break; ++ if (i >= TRANSFER_FUNC_POINTS) ++ return false; + rgb_resulted[j].red = output_tf->tf_pts.red[i]; + rgb_resulted[j].green = output_tf->tf_pts.green[i]; + rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-fix-index-out-of-bounds-in-dcn30-deg.patch b/queue-5.15/drm-amd-display-fix-index-out-of-bounds-in-dcn30-deg.patch new file mode 100644 index 00000000000..2a4a2da0cac --- /dev/null +++ b/queue-5.15/drm-amd-display-fix-index-out-of-bounds-in-dcn30-deg.patch @@ -0,0 +1,55 @@ +From 1be2f6f5cd72a1f0f750633a5178a3c1bd00b75f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Jul 2024 18:44:02 +0530 +Subject: drm/amd/display: Fix index out of bounds in DCN30 degamma hardware + format translation + +From: Srinivasan Shanmugam + +[ Upstream commit bc50b614d59990747dd5aeced9ec22f9258991ff ] + +This commit addresses a potential index out of bounds issue in the +`cm3_helper_translate_curve_to_degamma_hw_format` function in the DCN30 +color management module. The issue could occur when the index 'i' +exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). + +The fix adds a check to ensure 'i' is within bounds before accessing the +transfer function points. If 'i' is out of bounds, the function returns +false to indicate an error. + +Reported by smatch: +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:338 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:339 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:340 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max + +Cc: Tom Chung +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Cc: Hamza Mahfooz +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c +index e0df9b0065f9c..e0b1fc92ed186 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c +@@ -355,6 +355,8 @@ bool cm3_helper_translate_curve_to_degamma_hw_format( + i += increment) { + if (j == hw_points - 1) + break; ++ if (i >= TRANSFER_FUNC_POINTS) ++ return false; + rgb_resulted[j].red = output_tf->tf_pts.red[i]; + rgb_resulted[j].green = output_tf->tf_pts.green[i]; + rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-fix-index-out-of-bounds-in-degamma-h.patch b/queue-5.15/drm-amd-display-fix-index-out-of-bounds-in-degamma-h.patch new file mode 100644 index 00000000000..edb391f7df0 --- /dev/null +++ b/queue-5.15/drm-amd-display-fix-index-out-of-bounds-in-degamma-h.patch @@ -0,0 +1,55 @@ +From a066ed8359a17051677caf9198f0dc3c51dced8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Jul 2024 17:48:27 +0530 +Subject: drm/amd/display: Fix index out of bounds in degamma hardware format + translation + +From: Srinivasan Shanmugam + +[ Upstream commit b7e99058eb2e86aabd7a10761e76cae33d22b49f ] + +Fixes index out of bounds issue in +`cm_helper_translate_curve_to_degamma_hw_format` function. The issue +could occur when the index 'i' exceeds the number of transfer function +points (TRANSFER_FUNC_POINTS). + +The fix adds a check to ensure 'i' is within bounds before accessing the +transfer function points. If 'i' is out of bounds the function returns +false to indicate an error. + +Reported by smatch: +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max + +Cc: Tom Chung +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Cc: Hamza Mahfooz +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +index bd9bc51983fec..da7aeb9c4632a 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +@@ -560,6 +560,8 @@ bool cm_helper_translate_curve_to_degamma_hw_format( + i += increment) { + if (j == hw_points - 1) + break; ++ if (i >= TRANSFER_FUNC_POINTS) ++ return false; + rgb_resulted[j].red = output_tf->tf_pts.red[i]; + rgb_resulted[j].green = output_tf->tf_pts.green[i]; + rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-display-initialize-get_bytes_per_element-s-d.patch b/queue-5.15/drm-amd-display-initialize-get_bytes_per_element-s-d.patch new file mode 100644 index 00000000000..65f9557439f --- /dev/null +++ b/queue-5.15/drm-amd-display-initialize-get_bytes_per_element-s-d.patch @@ -0,0 +1,55 @@ +From b4ac3359620f3c448ff4e56f7cd04ea482475896 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jul 2024 09:57:01 -0600 +Subject: drm/amd/display: Initialize get_bytes_per_element's default to 1 + +From: Alex Hung + +[ Upstream commit 4067f4fa0423a89fb19a30b57231b384d77d2610 ] + +Variables, used as denominators and maybe not assigned to other values, +should not be 0. bytes_per_element_y & bytes_per_element_c are +initialized by get_bytes_per_element() which should never return 0. + +This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity. + +Signed-off-by: Alex Hung +Reviewed-by: Aurabindo Pillai +Tested-by: Daniel Wheeler +Signed-off-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 +- + .../gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c +index 26ececfd40cdc..99b19d1c7e0b0 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c +@@ -78,7 +78,7 @@ static void calculate_ttu_cursor(struct display_mode_lib *mode_lib, + + static unsigned int get_bytes_per_element(enum source_format_class source_format, bool is_chroma) + { +- unsigned int ret_val = 0; ++ unsigned int ret_val = 1; + + if (source_format == dm_444_16) { + if (!is_chroma) +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c b/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c +index 736978c4d40a1..9a6d5a6b6748b 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c +@@ -53,7 +53,7 @@ static void calculate_ttu_cursor( + + static unsigned int get_bytes_per_element(enum source_format_class source_format, bool is_chroma) + { +- unsigned int ret_val = 0; ++ unsigned int ret_val = 1; + + if (source_format == dm_444_16) { + if (!is_chroma) +-- +2.43.0 + diff --git a/queue-5.15/drm-amd-pm-ensure-the-fw_info-is-not-null-before-usi.patch b/queue-5.15/drm-amd-pm-ensure-the-fw_info-is-not-null-before-usi.patch new file mode 100644 index 00000000000..b884d719cce --- /dev/null +++ b/queue-5.15/drm-amd-pm-ensure-the-fw_info-is-not-null-before-usi.patch @@ -0,0 +1,36 @@ +From 6e9c7e990b0165ddab8a53c7167df1bc814c5a39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 17:15:12 +0800 +Subject: drm/amd/pm: ensure the fw_info is not null before using it + +From: Tim Huang + +[ Upstream commit 186fb12e7a7b038c2710ceb2fb74068f1b5d55a4 ] + +This resolves the dereference null return value warning +reported by Coverity. + +Signed-off-by: Tim Huang +Reviewed-by: Jesse Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c +index 182118e3fd5f3..2ca93a1f0b8e1 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c +@@ -1185,6 +1185,8 @@ static int init_overdrive_limits(struct pp_hwmgr *hwmgr, + fw_info = smu_atom_get_data_table(hwmgr->adev, + GetIndexIntoMasterTable(DATA, FirmwareInfo), + &size, &frev, &crev); ++ PP_ASSERT_WITH_CODE(fw_info != NULL, ++ "Missing firmware info!", return -EINVAL); + + if ((fw_info->ucTableFormatRevision == 1) + && (le16_to_cpu(fw_info->usStructureSize) >= sizeof(ATOM_FIRMWARE_INFO_V1_4))) +-- +2.43.0 + diff --git a/queue-5.15/drm-amdgpu-add-raven1-gfxoff-quirk.patch b/queue-5.15/drm-amdgpu-add-raven1-gfxoff-quirk.patch new file mode 100644 index 00000000000..a154b42e91f --- /dev/null +++ b/queue-5.15/drm-amdgpu-add-raven1-gfxoff-quirk.patch @@ -0,0 +1,35 @@ +From 8055ed6fd9af57a7a73f5a4d3aa0d209471d6958 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 15:25:54 +0800 +Subject: drm/amdgpu: add raven1 gfxoff quirk + +From: Peng Liu + +[ Upstream commit 0126c0ae11e8b52ecfde9d1b174ee2f32d6c3a5d ] + +Fix screen corruption with openkylin. + +Link: https://bbs.openkylin.top/t/topic/171497 +Signed-off-by: Peng Liu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +index fb37c0d4b35b4..cebedffc44c09 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -1274,6 +1274,8 @@ static const struct amdgpu_gfxoff_quirk amdgpu_gfxoff_quirk_list[] = { + { 0x1002, 0x15dd, 0x1002, 0x15dd, 0xc6 }, + /* Apple MacBook Pro (15-inch, 2019) Radeon Pro Vega 20 4 GB */ + { 0x1002, 0x69af, 0x106b, 0x019a, 0xc0 }, ++ /* https://bbs.openkylin.top/t/topic/171497 */ ++ { 0x1002, 0x15d8, 0x19e5, 0x3e14, 0xc2 }, + { 0, 0, 0, 0, 0 }, + }; + +-- +2.43.0 + diff --git a/queue-5.15/drm-amdgpu-enable-gfxoff-quirk-on-hp-705g4.patch b/queue-5.15/drm-amdgpu-enable-gfxoff-quirk-on-hp-705g4.patch new file mode 100644 index 00000000000..993c2db88b3 --- /dev/null +++ b/queue-5.15/drm-amdgpu-enable-gfxoff-quirk-on-hp-705g4.patch @@ -0,0 +1,38 @@ +From 0c6ba68a951a2c835464cc24b2cb5bc2ac42b669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 15:27:08 +0800 +Subject: drm/amdgpu: enable gfxoff quirk on HP 705G4 + +From: Peng Liu + +[ Upstream commit 2c7795e245d993bcba2f716a8c93a5891ef910c9 ] + +Enabling gfxoff quirk results in perfectly usable +graphical user interface on HP 705G4 DM with R5 2400G. + +Without the quirk, X server is completely unusable as +every few seconds there is gpu reset due to ring gfx timeout. + +Signed-off-by: Peng Liu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +index cebedffc44c09..811cacacc2090 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -1276,6 +1276,8 @@ static const struct amdgpu_gfxoff_quirk amdgpu_gfxoff_quirk_list[] = { + { 0x1002, 0x69af, 0x106b, 0x019a, 0xc0 }, + /* https://bbs.openkylin.top/t/topic/171497 */ + { 0x1002, 0x15d8, 0x19e5, 0x3e14, 0xc2 }, ++ /* HP 705G4 DM with R5 2400G */ ++ { 0x1002, 0x15dd, 0x103c, 0x8464, 0xd6 }, + { 0, 0, 0, 0, 0 }, + }; + +-- +2.43.0 + diff --git a/queue-5.15/drm-printer-allow-null-data-in-devcoredump-printer.patch b/queue-5.15/drm-printer-allow-null-data-in-devcoredump-printer.patch new file mode 100644 index 00000000000..66856e88afb --- /dev/null +++ b/queue-5.15/drm-printer-allow-null-data-in-devcoredump-printer.patch @@ -0,0 +1,144 @@ +From 994b726d580768cb72e24c675da8d6b82e7551be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 08:41:17 -0700 +Subject: drm/printer: Allow NULL data in devcoredump printer + +From: Matthew Brost + +[ Upstream commit 53369581dc0c68a5700ed51e1660f44c4b2bb524 ] + +We want to determine the size of the devcoredump before writing it out. +To that end, we will run the devcoredump printer with NULL data to get +the size, alloc data based on the generated offset, then run the +devcorecump again with a valid data pointer to print. This necessitates +not writing data to the data pointer on the initial pass, when it is +NULL. + +v5: + - Better commit message (Jonathan) + - Add kerenl doc with examples (Jani) + +Cc: Maarten Lankhorst +Acked-by: Maarten Lankhorst +Signed-off-by: Matthew Brost +Reviewed-by: Jonathan Cavitt +Link: https://patchwork.freedesktop.org/patch/msgid/20240801154118.2547543-3-matthew.brost@intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_print.c | 13 +++++---- + include/drm/drm_print.h | 54 ++++++++++++++++++++++++++++++++++++- + 2 files changed, 61 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/drm_print.c b/drivers/gpu/drm/drm_print.c +index f783d4963d4be..20f5e497b1601 100644 +--- a/drivers/gpu/drm/drm_print.c ++++ b/drivers/gpu/drm/drm_print.c +@@ -78,8 +78,9 @@ void __drm_puts_coredump(struct drm_printer *p, const char *str) + copy = iterator->remain; + + /* Copy out the bit of the string that we need */ +- memcpy(iterator->data, +- str + (iterator->start - iterator->offset), copy); ++ if (iterator->data) ++ memcpy(iterator->data, ++ str + (iterator->start - iterator->offset), copy); + + iterator->offset = iterator->start + copy; + iterator->remain -= copy; +@@ -88,7 +89,8 @@ void __drm_puts_coredump(struct drm_printer *p, const char *str) + + len = min_t(ssize_t, strlen(str), iterator->remain); + +- memcpy(iterator->data + pos, str, len); ++ if (iterator->data) ++ memcpy(iterator->data + pos, str, len); + + iterator->offset += len; + iterator->remain -= len; +@@ -118,8 +120,9 @@ void __drm_printfn_coredump(struct drm_printer *p, struct va_format *vaf) + if ((iterator->offset >= iterator->start) && (len < iterator->remain)) { + ssize_t pos = iterator->offset - iterator->start; + +- snprintf(((char *) iterator->data) + pos, +- iterator->remain, "%pV", vaf); ++ if (iterator->data) ++ snprintf(((char *) iterator->data) + pos, ++ iterator->remain, "%pV", vaf); + + iterator->offset += len; + iterator->remain -= len; +diff --git a/include/drm/drm_print.h b/include/drm/drm_print.h +index f7ece14b10227..10f3f54f8428e 100644 +--- a/include/drm/drm_print.h ++++ b/include/drm/drm_print.h +@@ -121,7 +121,8 @@ drm_vprintf(struct drm_printer *p, const char *fmt, va_list *va) + + /** + * struct drm_print_iterator - local struct used with drm_printer_coredump +- * @data: Pointer to the devcoredump output buffer ++ * @data: Pointer to the devcoredump output buffer, can be NULL if using ++ * drm_printer_coredump to determine size of devcoredump + * @start: The offset within the buffer to start writing + * @remain: The number of bytes to write for this iteration + */ +@@ -166,6 +167,57 @@ struct drm_print_iterator { + * coredump_read, ...) + * } + * ++ * The above example has a time complexity of O(N^2), where N is the size of the ++ * devcoredump. This is acceptable for small devcoredumps but scales poorly for ++ * larger ones. ++ * ++ * Another use case for drm_coredump_printer is to capture the devcoredump into ++ * a saved buffer before the dev_coredump() callback. This involves two passes: ++ * one to determine the size of the devcoredump and another to print it to a ++ * buffer. Then, in dev_coredump(), copy from the saved buffer into the ++ * devcoredump read buffer. ++ * ++ * For example:: ++ * ++ * char *devcoredump_saved_buffer; ++ * ++ * ssize_t __coredump_print(char *buffer, ssize_t count, ...) ++ * { ++ * struct drm_print_iterator iter; ++ * struct drm_printer p; ++ * ++ * iter.data = buffer; ++ * iter.start = 0; ++ * iter.remain = count; ++ * ++ * p = drm_coredump_printer(&iter); ++ * ++ * drm_printf(p, "foo=%d\n", foo); ++ * ... ++ * return count - iter.remain; ++ * } ++ * ++ * void coredump_print(...) ++ * { ++ * ssize_t count; ++ * ++ * count = __coredump_print(NULL, INT_MAX, ...); ++ * devcoredump_saved_buffer = kvmalloc(count, GFP_KERNEL); ++ * __coredump_print(devcoredump_saved_buffer, count, ...); ++ * } ++ * ++ * void coredump_read(char *buffer, loff_t offset, size_t count, ++ * void *data, size_t datalen) ++ * { ++ * ... ++ * memcpy(buffer, devcoredump_saved_buffer + offset, count); ++ * ... ++ * } ++ * ++ * The above example has a time complexity of O(N*2), where N is the size of the ++ * devcoredump. This scales better than the previous example for larger ++ * devcoredumps. ++ * + * RETURNS: + * The &drm_printer object + */ +-- +2.43.0 + diff --git a/queue-5.15/drm-radeon-r100-handle-unknown-family-in-r100_cp_ini.patch b/queue-5.15/drm-radeon-r100-handle-unknown-family-in-r100_cp_ini.patch new file mode 100644 index 00000000000..a6135a29af4 --- /dev/null +++ b/queue-5.15/drm-radeon-r100-handle-unknown-family-in-r100_cp_ini.patch @@ -0,0 +1,140 @@ +From f60f9be7d3e9af1f78eaeaef25fd30f88c68c804 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 17:58:12 +0200 +Subject: drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit c6dbab46324b1742b50dc2fb5c1fee2c28129439 ] + +With -Werror: + + In function ‘r100_cp_init_microcode’, + inlined from ‘r100_cp_init’ at drivers/gpu/drm/radeon/r100.c:1136:7: + include/linux/printk.h:465:44: error: ‘%s’ directive argument is null [-Werror=format-overflow=] + 465 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__) + | ^ + include/linux/printk.h:437:17: note: in definition of macro ‘printk_index_wrap’ + 437 | _p_func(_fmt, ##__VA_ARGS__); \ + | ^~~~~~~ + include/linux/printk.h:508:9: note: in expansion of macro ‘printk’ + 508 | printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__) + | ^~~~~~ + drivers/gpu/drm/radeon/r100.c:1062:17: note: in expansion of macro ‘pr_err’ + 1062 | pr_err("radeon_cp: Failed to load firmware \"%s\"\n", fw_name); + | ^~~~~~ + +Fix this by converting the if/else if/... construct into a proper +switch() statement with a default to handle the error case. + +As a bonus, the generated code is ca. 100 bytes smaller (with gcc 11.4.0 +targeting arm32). + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/r100.c | 70 ++++++++++++++++++++++------------- + 1 file changed, 45 insertions(+), 25 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c +index d3ad98bd25907..d7256d1a1f482 100644 +--- a/drivers/gpu/drm/radeon/r100.c ++++ b/drivers/gpu/drm/radeon/r100.c +@@ -1014,45 +1014,65 @@ static int r100_cp_init_microcode(struct radeon_device *rdev) + + DRM_DEBUG_KMS("\n"); + +- if ((rdev->family == CHIP_R100) || (rdev->family == CHIP_RV100) || +- (rdev->family == CHIP_RV200) || (rdev->family == CHIP_RS100) || +- (rdev->family == CHIP_RS200)) { ++ switch (rdev->family) { ++ case CHIP_R100: ++ case CHIP_RV100: ++ case CHIP_RV200: ++ case CHIP_RS100: ++ case CHIP_RS200: + DRM_INFO("Loading R100 Microcode\n"); + fw_name = FIRMWARE_R100; +- } else if ((rdev->family == CHIP_R200) || +- (rdev->family == CHIP_RV250) || +- (rdev->family == CHIP_RV280) || +- (rdev->family == CHIP_RS300)) { ++ break; ++ ++ case CHIP_R200: ++ case CHIP_RV250: ++ case CHIP_RV280: ++ case CHIP_RS300: + DRM_INFO("Loading R200 Microcode\n"); + fw_name = FIRMWARE_R200; +- } else if ((rdev->family == CHIP_R300) || +- (rdev->family == CHIP_R350) || +- (rdev->family == CHIP_RV350) || +- (rdev->family == CHIP_RV380) || +- (rdev->family == CHIP_RS400) || +- (rdev->family == CHIP_RS480)) { ++ break; ++ ++ case CHIP_R300: ++ case CHIP_R350: ++ case CHIP_RV350: ++ case CHIP_RV380: ++ case CHIP_RS400: ++ case CHIP_RS480: + DRM_INFO("Loading R300 Microcode\n"); + fw_name = FIRMWARE_R300; +- } else if ((rdev->family == CHIP_R420) || +- (rdev->family == CHIP_R423) || +- (rdev->family == CHIP_RV410)) { ++ break; ++ ++ case CHIP_R420: ++ case CHIP_R423: ++ case CHIP_RV410: + DRM_INFO("Loading R400 Microcode\n"); + fw_name = FIRMWARE_R420; +- } else if ((rdev->family == CHIP_RS690) || +- (rdev->family == CHIP_RS740)) { ++ break; ++ ++ case CHIP_RS690: ++ case CHIP_RS740: + DRM_INFO("Loading RS690/RS740 Microcode\n"); + fw_name = FIRMWARE_RS690; +- } else if (rdev->family == CHIP_RS600) { ++ break; ++ ++ case CHIP_RS600: + DRM_INFO("Loading RS600 Microcode\n"); + fw_name = FIRMWARE_RS600; +- } else if ((rdev->family == CHIP_RV515) || +- (rdev->family == CHIP_R520) || +- (rdev->family == CHIP_RV530) || +- (rdev->family == CHIP_R580) || +- (rdev->family == CHIP_RV560) || +- (rdev->family == CHIP_RV570)) { ++ break; ++ ++ case CHIP_RV515: ++ case CHIP_R520: ++ case CHIP_RV530: ++ case CHIP_R580: ++ case CHIP_RV560: ++ case CHIP_RV570: + DRM_INFO("Loading R500 Microcode\n"); + fw_name = FIRMWARE_R520; ++ break; ++ ++ default: ++ DRM_ERROR("Unsupported Radeon family %u\n", rdev->family); ++ return -EINVAL; + } + + err = request_firmware(&rdev->me_fw, fw_name, rdev->dev); +-- +2.43.0 + diff --git a/queue-5.15/ext4-avoid-use-after-free-in-ext4_ext_show_leaf.patch b/queue-5.15/ext4-avoid-use-after-free-in-ext4_ext_show_leaf.patch new file mode 100644 index 00000000000..070878cd38f --- /dev/null +++ b/queue-5.15/ext4-avoid-use-after-free-in-ext4_ext_show_leaf.patch @@ -0,0 +1,94 @@ +From 1c03f4dc7d57bdb7d2d13b4872cda0bb18b45ec2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 10:35:24 +0800 +Subject: ext4: avoid use-after-free in ext4_ext_show_leaf() + +From: Baokun Li + +[ Upstream commit 4e2524ba2ca5f54bdbb9e5153bea00421ef653f5 ] + +In ext4_find_extent(), path may be freed by error or be reallocated, so +using a previously saved *ppath may have been freed and thus may trigger +use-after-free, as follows: + +ext4_split_extent + path = *ppath; + ext4_split_extent_at(ppath) + path = ext4_find_extent(ppath) + ext4_split_extent_at(ppath) + // ext4_find_extent fails to free path + // but zeroout succeeds + ext4_ext_show_leaf(inode, path) + eh = path[depth].p_hdr + // path use-after-free !!! + +Similar to ext4_split_extent_at(), we use *ppath directly as an input to +ext4_ext_show_leaf(). Fix a spelling error by the way. + +Same problem in ext4_ext_handle_unwritten_extents(). Since 'path' is only +used in ext4_ext_show_leaf(), remove 'path' and use *ppath directly. + +This issue is triggered only when EXT_DEBUG is defined and therefore does +not affect functionality. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Reviewed-by: Ojaswin Mujoo +Tested-by: Ojaswin Mujoo +Link: https://patch.msgid.link/20240822023545.1994557-5-libaokun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/extents.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index a3869e9c71b91..1e52f90ddee43 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -3288,7 +3288,7 @@ static int ext4_split_extent_at(handle_t *handle, + } + + /* +- * ext4_split_extents() splits an extent and mark extent which is covered ++ * ext4_split_extent() splits an extent and mark extent which is covered + * by @map as split_flags indicates + * + * It may result in splitting the extent into multiple extents (up to three) +@@ -3365,7 +3365,7 @@ static int ext4_split_extent(handle_t *handle, + goto out; + } + +- ext4_ext_show_leaf(inode, path); ++ ext4_ext_show_leaf(inode, *ppath); + out: + return err ? err : allocated; + } +@@ -3831,14 +3831,13 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode, + struct ext4_ext_path **ppath, int flags, + unsigned int allocated, ext4_fsblk_t newblock) + { +- struct ext4_ext_path __maybe_unused *path = *ppath; + int ret = 0; + int err = 0; + + ext_debug(inode, "logical block %llu, max_blocks %u, flags 0x%x, allocated %u\n", + (unsigned long long)map->m_lblk, map->m_len, flags, + allocated); +- ext4_ext_show_leaf(inode, path); ++ ext4_ext_show_leaf(inode, *ppath); + + /* + * When writing into unwritten space, we should not fail to +@@ -3935,7 +3934,7 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode, + if (allocated > map->m_len) + allocated = map->m_len; + map->m_len = allocated; +- ext4_ext_show_leaf(inode, path); ++ ext4_ext_show_leaf(inode, *ppath); + out2: + return err ? err : allocated; + } +-- +2.43.0 + diff --git a/queue-5.15/ext4-don-t-set-sb_rdonly-after-filesystem-errors.patch b/queue-5.15/ext4-don-t-set-sb_rdonly-after-filesystem-errors.patch new file mode 100644 index 00000000000..63f4cdb14a6 --- /dev/null +++ b/queue-5.15/ext4-don-t-set-sb_rdonly-after-filesystem-errors.patch @@ -0,0 +1,56 @@ +From e646f8d16514828ccde2645053b61c709761bca5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Aug 2024 22:12:41 +0200 +Subject: ext4: don't set SB_RDONLY after filesystem errors + +From: Jan Kara + +[ Upstream commit d3476f3dad4ad68ae5f6b008ea6591d1520da5d8 ] + +When the filesystem is mounted with errors=remount-ro, we were setting +SB_RDONLY flag to stop all filesystem modifications. We knew this misses +proper locking (sb->s_umount) and does not go through proper filesystem +remount procedure but it has been the way this worked since early ext2 +days and it was good enough for catastrophic situation damage +mitigation. Recently, syzbot has found a way (see link) to trigger +warnings in filesystem freezing because the code got confused by +SB_RDONLY changing under its hands. Since these days we set +EXT4_FLAGS_SHUTDOWN on the superblock which is enough to stop all +filesystem modifications, modifying SB_RDONLY shouldn't be needed. So +stop doing that. + +Link: https://lore.kernel.org/all/000000000000b90a8e061e21d12f@google.com +Reported-by: Christian Brauner +Signed-off-by: Jan Kara +Reviewed-by: Christian Brauner +Link: https://patch.msgid.link/20240805201241.27286-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index b09b7a6b7a154..93eb26c162422 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -674,11 +674,12 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error, + + ext4_msg(sb, KERN_CRIT, "Remounting filesystem read-only"); + /* +- * Make sure updated value of ->s_mount_flags will be visible before +- * ->s_flags update ++ * EXT4_FLAGS_SHUTDOWN was set which stops all filesystem ++ * modifications. We don't set SB_RDONLY because that requires ++ * sb->s_umount semaphore and setting it without proper remount ++ * procedure is confusing code such as freeze_super() leading to ++ * deadlocks and other problems. + */ +- smp_wmb(); +- sb->s_flags |= SB_RDONLY; + } + + static void flush_stashed_error_work(struct work_struct *work) +-- +2.43.0 + diff --git a/queue-5.15/ext4-ext4_search_dir-should-return-a-proper-error.patch b/queue-5.15/ext4-ext4_search_dir-should-return-a-proper-error.patch new file mode 100644 index 00000000000..3d9d0df6bc1 --- /dev/null +++ b/queue-5.15/ext4-ext4_search_dir-should-return-a-proper-error.patch @@ -0,0 +1,86 @@ +From c696c3b2113fff935bf07a2494757304b174090e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 12:23:21 -0300 +Subject: ext4: ext4_search_dir should return a proper error + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit cd69f8f9de280e331c9e6ff689ced0a688a9ce8f ] + +ext4_search_dir currently returns -1 in case of a failure, while it returns +0 when the name is not found. In such failure cases, it should return an +error code instead. + +This becomes even more important when ext4_find_inline_entry returns an +error code as well in the next commit. + +-EFSCORRUPTED seems appropriate as such error code as these failures would +be caused by unexpected record lengths and is in line with other instances +of ext4_check_dir_entry failures. + +In the case of ext4_dx_find_entry, the current use of ERR_BAD_DX_DIR was +left as is to reduce the risk of regressions. + +Signed-off-by: Thadeu Lima de Souza Cascardo +Link: https://patch.msgid.link/20240821152324.3621860-2-cascardo@igalia.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index a80f2cdab3744..3fb3c5dfded70 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1526,7 +1526,7 @@ static bool ext4_match(struct inode *parent, + } + + /* +- * Returns 0 if not found, -1 on failure, and 1 on success ++ * Returns 0 if not found, -EFSCORRUPTED on failure, and 1 on success + */ + int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + struct inode *dir, struct ext4_filename *fname, +@@ -1547,7 +1547,7 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + * a full check */ + if (ext4_check_dir_entry(dir, NULL, de, bh, search_buf, + buf_size, offset)) +- return -1; ++ return -EFSCORRUPTED; + *res_dir = de; + return 1; + } +@@ -1555,7 +1555,7 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + de_len = ext4_rec_len_from_disk(de->rec_len, + dir->i_sb->s_blocksize); + if (de_len <= 0) +- return -1; ++ return -EFSCORRUPTED; + offset += de_len; + de = (struct ext4_dir_entry_2 *) ((char *) de + de_len); + } +@@ -1707,8 +1707,10 @@ static struct buffer_head *__ext4_find_entry(struct inode *dir, + goto cleanup_and_exit; + } else { + brelse(bh); +- if (i < 0) ++ if (i < 0) { ++ ret = ERR_PTR(i); + goto cleanup_and_exit; ++ } + } + next: + if (++block >= nblocks) +@@ -1803,7 +1805,7 @@ static struct buffer_head * ext4_dx_find_entry(struct inode *dir, + if (retval == 1) + goto success; + brelse(bh); +- if (retval == -1) { ++ if (retval < 0) { + bh = ERR_PTR(ERR_BAD_DX_DIR); + goto errout; + } +-- +2.43.0 + diff --git a/queue-5.15/ext4-fix-i_data_sem-unlock-order-in-ext4_ind_migrate.patch b/queue-5.15/ext4-fix-i_data_sem-unlock-order-in-ext4_ind_migrate.patch new file mode 100644 index 00000000000..c7e2584904e --- /dev/null +++ b/queue-5.15/ext4-fix-i_data_sem-unlock-order-in-ext4_ind_migrate.patch @@ -0,0 +1,55 @@ +From 7c3d28ee32361bdc9e6dbf86a4f89d81f7459495 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 15:22:09 +0000 +Subject: ext4: fix i_data_sem unlock order in ext4_ind_migrate() + +From: Artem Sadovnikov + +[ Upstream commit cc749e61c011c255d81b192a822db650c68b313f ] + +Fuzzing reports a possible deadlock in jbd2_log_wait_commit. + +This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require +synchronous updates because the file descriptor is opened with O_SYNC. +This can lead to the jbd2_journal_stop() function calling +jbd2_might_wait_for_commit(), potentially causing a deadlock if the +EXT4_IOC_MIGRATE call races with a write(2) system call. + +This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this +case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the +jbd2_journal_stop function while i_data_sem is locked. This triggers +lockdep because the jbd2_journal_start function might also lock the same +jbd2_handle simultaneously. + +Found by Linux Verification Center (linuxtesting.org) with syzkaller. + +Reviewed-by: Ritesh Harjani (IBM) +Co-developed-by: Mikhail Ukhin +Signed-off-by: Mikhail Ukhin +Signed-off-by: Artem Sadovnikov +Rule: add +Link: https://lore.kernel.org/stable/20240404095000.5872-1-mish.uxin2012%40yandex.ru +Link: https://patch.msgid.link/20240829152210.2754-1-ancowi69@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/migrate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c +index b0ea646454ac8..59290356aa5b1 100644 +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -663,8 +663,8 @@ int ext4_ind_migrate(struct inode *inode) + if (unlikely(ret2 && !ret)) + ret = ret2; + errout: +- ext4_journal_stop(handle); + up_write(&EXT4_I(inode)->i_data_sem); ++ ext4_journal_stop(handle); + out_unlock: + percpu_up_write(&sbi->s_writepages_rwsem); + return ret; +-- +2.43.0 + diff --git a/queue-5.15/fbdev-pxafb-fix-possible-use-after-free-in-pxafb_tas.patch b/queue-5.15/fbdev-pxafb-fix-possible-use-after-free-in-pxafb_tas.patch new file mode 100644 index 00000000000..0c2273f707e --- /dev/null +++ b/queue-5.15/fbdev-pxafb-fix-possible-use-after-free-in-pxafb_tas.patch @@ -0,0 +1,59 @@ +From 6d8128a0fa121f679880947ee0ca009ad0babf20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 22:29:52 +0800 +Subject: fbdev: pxafb: Fix possible use after free in pxafb_task() + +From: Kaixin Wang + +[ Upstream commit 4a6921095eb04a900e0000da83d9475eb958e61e ] + +In the pxafb_probe function, it calls the pxafb_init_fbinfo function, +after which &fbi->task is associated with pxafb_task. Moreover, +within this pxafb_init_fbinfo function, the pxafb_blank function +within the &pxafb_ops struct is capable of scheduling work. + +If we remove the module which will call pxafb_remove to make cleanup, +it will call unregister_framebuffer function which can call +do_unregister_framebuffer to free fbi->fb through +put_fb_info(fb_info), while the work mentioned above will be used. +The sequence of operations that may lead to a UAF bug is as follows: + +CPU0 CPU1 + + | pxafb_task +pxafb_remove | +unregister_framebuffer(info) | +do_unregister_framebuffer(fb_info) | +put_fb_info(fb_info) | +// free fbi->fb | set_ctrlr_state(fbi, state) + | __pxafb_lcd_power(fbi, 0) + | fbi->lcd_power(on, &fbi->fb.var) + | //use fbi->fb + +Fix it by ensuring that the work is canceled before proceeding +with the cleanup in pxafb_remove. + +Note that only root user can remove the driver at runtime. + +Signed-off-by: Kaixin Wang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxafb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/pxafb.c b/drivers/video/fbdev/pxafb.c +index f1551e00eb12f..a0db2b3d07368 100644 +--- a/drivers/video/fbdev/pxafb.c ++++ b/drivers/video/fbdev/pxafb.c +@@ -2408,6 +2408,7 @@ static int pxafb_remove(struct platform_device *dev) + info = &fbi->fb; + + pxafb_overlay_exit(fbi); ++ cancel_work_sync(&fbi->task); + unregister_framebuffer(info); + + pxafb_disable_controller(fbi); +-- +2.43.0 + diff --git a/queue-5.15/genirq-proc-correctly-set-file-permissions-for-affin.patch b/queue-5.15/genirq-proc-correctly-set-file-permissions-for-affin.patch new file mode 100644 index 00000000000..56085b14a51 --- /dev/null +++ b/queue-5.15/genirq-proc-correctly-set-file-permissions-for-affin.patch @@ -0,0 +1,60 @@ +From 94333b60d5d3d5d505da92fdcd965ef4b8e101ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Aug 2024 21:19:11 +0800 +Subject: genirq/proc: Correctly set file permissions for affinity control + files + +From: Jeff Xie + +[ Upstream commit c7718e5c76d49b5bb394265383ae51f766d5dd3a ] + +The kernel already knows at the time of interrupt allocation whether +affinity of an interrupt can be controlled by userspace or not. + +It still creates all related procfs control files with read/write +permissions. That's inconsistent and non-intuitive for system +administrators and tools. + +Therefore set the file permissions to read-only for such interrupts. + +[ tglx: Massage change log, fixed UP build ] + +Signed-off-by: Jeff Xie +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/all/20240825131911.107119-1-jeff.xie@linux.dev +Signed-off-by: Sasha Levin +--- + kernel/irq/proc.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/kernel/irq/proc.c b/kernel/irq/proc.c +index ee595ec09778d..b2893416c9df0 100644 +--- a/kernel/irq/proc.c ++++ b/kernel/irq/proc.c +@@ -362,8 +362,13 @@ void register_irq_proc(unsigned int irq, struct irq_desc *desc) + goto out_unlock; + + #ifdef CONFIG_SMP ++ umode_t umode = S_IRUGO; ++ ++ if (irq_can_set_affinity_usr(desc->irq_data.irq)) ++ umode |= S_IWUSR; ++ + /* create /proc/irq//smp_affinity */ +- proc_create_data("smp_affinity", 0644, desc->dir, ++ proc_create_data("smp_affinity", umode, desc->dir, + &irq_affinity_proc_ops, irqp); + + /* create /proc/irq//affinity_hint */ +@@ -371,7 +376,7 @@ void register_irq_proc(unsigned int irq, struct irq_desc *desc) + irq_affinity_hint_proc_show, irqp); + + /* create /proc/irq//smp_affinity_list */ +- proc_create_data("smp_affinity_list", 0644, desc->dir, ++ proc_create_data("smp_affinity_list", umode, desc->dir, + &irq_affinity_list_proc_ops, irqp); + + proc_create_single_data("node", 0444, desc->dir, irq_node_proc_show, +-- +2.43.0 + diff --git a/queue-5.15/hid-multitouch-add-support-for-thinkpad-x12-gen-2-kb.patch b/queue-5.15/hid-multitouch-add-support-for-thinkpad-x12-gen-2-kb.patch new file mode 100644 index 00000000000..9733ddc21df --- /dev/null +++ b/queue-5.15/hid-multitouch-add-support-for-thinkpad-x12-gen-2-kb.patch @@ -0,0 +1,54 @@ +From f58e7b9c6c4c93109600eac4370734972fbe2fbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Aug 2024 16:27:29 +0900 +Subject: HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio + +From: Vishnu Sankar + +[ Upstream commit 65b72ea91a257a5f0cb5a26b01194d3dd4b85298 ] + +This applies similar quirks used by previous generation device, so that +Trackpoint and buttons on the touchpad works. New USB KBD PID 0x61AE for +Thinkpad X12 Tab is added. + +Signed-off-by: Vishnu Sankar +Reviewed-by: Mark Pearson +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-multitouch.c | 6 ++++++ + 2 files changed, 7 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 917207b0deef9..c74b518221129 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -762,6 +762,7 @@ + #define USB_DEVICE_ID_LENOVO_X1_TAB 0x60a3 + #define USB_DEVICE_ID_LENOVO_X1_TAB3 0x60b5 + #define USB_DEVICE_ID_LENOVO_X12_TAB 0x60fe ++#define USB_DEVICE_ID_LENOVO_X12_TAB2 0x61ae + #define USB_DEVICE_ID_LENOVO_OPTICAL_USB_MOUSE_600E 0x600e + #define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_608D 0x608d + #define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_6019 0x6019 +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 36226f43ac5e9..6a3f4371bd109 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -2114,6 +2114,12 @@ static const struct hid_device_id mt_devices[] = { + USB_VENDOR_ID_LENOVO, + USB_DEVICE_ID_LENOVO_X12_TAB) }, + ++ /* Lenovo X12 TAB Gen 2 */ ++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT_NSMU, ++ HID_DEVICE(BUS_USB, HID_GROUP_MULTITOUCH_WIN_8, ++ USB_VENDOR_ID_LENOVO, ++ USB_DEVICE_ID_LENOVO_X12_TAB2) }, ++ + /* Logitech devices */ + { .driver_data = MT_CLS_NSMU, + HID_DEVICE(BUS_BLUETOOTH, HID_GROUP_MULTITOUCH_WIN_8, +-- +2.43.0 + diff --git a/queue-5.15/ice-adjust-over-allocation-of-memory-in-ice_sched_ad.patch b/queue-5.15/ice-adjust-over-allocation-of-memory-in-ice_sched_ad.patch new file mode 100644 index 00000000000..8f9b9d04633 --- /dev/null +++ b/queue-5.15/ice-adjust-over-allocation-of-memory-in-ice_sched_ad.patch @@ -0,0 +1,61 @@ +From be86345be60fc0422fc3bc718ba8722ec7b6ab61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 15:39:49 +0300 +Subject: ice: Adjust over allocation of memory in ice_sched_add_root_node() + and ice_sched_add_node() + +From: Aleksandr Mishin + +[ Upstream commit 62fdaf9e8056e9a9e6fe63aa9c816ec2122d60c6 ] + +In ice_sched_add_root_node() and ice_sched_add_node() there are calls to +devm_kcalloc() in order to allocate memory for array of pointers to +'ice_sched_node' structure. But incorrect types are used as sizeof() +arguments in these calls (structures instead of pointers) which leads to +over allocation of memory. + +Adjust over allocation of memory by correcting types in devm_kcalloc() +sizeof() arguments. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Reviewed-by: Przemek Kitszel +Signed-off-by: Aleksandr Mishin +Reviewed-by: Simon Horman +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_sched.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c +index 0b61fde449152..209e3a9d9b7ab 100644 +--- a/drivers/net/ethernet/intel/ice/ice_sched.c ++++ b/drivers/net/ethernet/intel/ice/ice_sched.c +@@ -27,9 +27,8 @@ ice_sched_add_root_node(struct ice_port_info *pi, + if (!root) + return ICE_ERR_NO_MEMORY; + +- /* coverity[suspicious_sizeof] */ + root->children = devm_kcalloc(ice_hw_to_dev(hw), hw->max_children[0], +- sizeof(*root), GFP_KERNEL); ++ sizeof(*root->children), GFP_KERNEL); + if (!root->children) { + devm_kfree(ice_hw_to_dev(hw), root); + return ICE_ERR_NO_MEMORY; +@@ -180,10 +179,9 @@ ice_sched_add_node(struct ice_port_info *pi, u8 layer, + if (!node) + return ICE_ERR_NO_MEMORY; + if (hw->max_children[layer]) { +- /* coverity[suspicious_sizeof] */ + node->children = devm_kcalloc(ice_hw_to_dev(hw), + hw->max_children[layer], +- sizeof(*node), GFP_KERNEL); ++ sizeof(*node->children), GFP_KERNEL); + if (!node->children) { + devm_kfree(ice_hw_to_dev(hw), node); + return ICE_ERR_NO_MEMORY; +-- +2.43.0 + diff --git a/queue-5.15/iommu-arm-smmu-qcom-hide-last-lpass-smmu-context-ban.patch b/queue-5.15/iommu-arm-smmu-qcom-hide-last-lpass-smmu-context-ban.patch new file mode 100644 index 00000000000..80dfb4792a7 --- /dev/null +++ b/queue-5.15/iommu-arm-smmu-qcom-hide-last-lpass-smmu-context-ban.patch @@ -0,0 +1,74 @@ +From 6ef42b7cf2e5d11181a58c20c0e3d5b9abd47c98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 15:27:19 +0200 +Subject: iommu/arm-smmu-qcom: hide last LPASS SMMU context bank from linux + +From: Marc Gonzalez + +[ Upstream commit 3a8990b8a778219327c5f8ecf10b5d81377b925a ] + +On qcom msm8998, writing to the last context bank of lpass_q6_smmu +(base address 0x05100000) produces a system freeze & reboot. + +The hardware/hypervisor reports 13 context banks for the LPASS SMMU +on msm8998, but only the first 12 are accessible... +Override the number of context banks + +[ 2.546101] arm-smmu 5100000.iommu: probing hardware configuration... +[ 2.552439] arm-smmu 5100000.iommu: SMMUv2 with: +[ 2.558945] arm-smmu 5100000.iommu: stage 1 translation +[ 2.563627] arm-smmu 5100000.iommu: address translation ops +[ 2.568923] arm-smmu 5100000.iommu: non-coherent table walk +[ 2.574566] arm-smmu 5100000.iommu: (IDR0.CTTW overridden by FW configuration) +[ 2.580220] arm-smmu 5100000.iommu: stream matching with 12 register groups +[ 2.587263] arm-smmu 5100000.iommu: 13 context banks (0 stage-2 only) +[ 2.614447] arm-smmu 5100000.iommu: Supported page sizes: 0x63315000 +[ 2.621358] arm-smmu 5100000.iommu: Stage-1: 36-bit VA -> 36-bit IPA +[ 2.627772] arm-smmu 5100000.iommu: preserved 0 boot mappings + +Specifically, the crashes occur here: + + qsmmu->bypass_cbndx = smmu->num_context_banks - 1; + arm_smmu_cb_write(smmu, qsmmu->bypass_cbndx, ARM_SMMU_CB_SCTLR, 0); + +and here: + + arm_smmu_write_context_bank(smmu, i); + arm_smmu_cb_write(smmu, i, ARM_SMMU_CB_FSR, ARM_SMMU_CB_FSR_FAULT); + +It is likely that FW reserves the last context bank for its own use, +thus a simple work-around is: DON'T USE IT in Linux. + +If we decrease the number of context banks, last one will be "hidden". + +Signed-off-by: Marc Gonzalez +Reviewed-by: Caleb Connolly +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20240820-smmu-v3-1-2f71483b00ec@freebox.fr +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +index 272c9b35c9f0e..da249140ed2a1 100644 +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +@@ -254,6 +254,13 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu) + u32 smr; + int i; + ++ /* ++ * MSM8998 LPASS SMMU reports 13 context banks, but accessing ++ * the last context bank crashes the system. ++ */ ++ if (of_device_is_compatible(smmu->dev->of_node, "qcom,msm8998-smmu-v2") && smmu->num_context_banks == 13) ++ smmu->num_context_banks = 12; ++ + /* + * Some platforms support more than the Arm SMMU architected maximum of + * 128 stream matching groups. For unknown reasons, the additional +-- +2.43.0 + diff --git a/queue-5.15/iommu-vt-d-always-reserve-a-domain-id-for-identity-s.patch b/queue-5.15/iommu-vt-d-always-reserve-a-domain-id-for-identity-s.patch new file mode 100644 index 00000000000..2e1944668e6 --- /dev/null +++ b/queue-5.15/iommu-vt-d-always-reserve-a-domain-id-for-identity-s.patch @@ -0,0 +1,44 @@ +From 5beeafaad8655610b97914834fc912c484861bbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 10:27:13 +0800 +Subject: iommu/vt-d: Always reserve a domain ID for identity setup + +From: Lu Baolu + +[ Upstream commit 2c13012e09190174614fd6901857a1b8c199e17d ] + +We will use a global static identity domain. Reserve a static domain ID +for it. + +Signed-off-by: Lu Baolu +Reviewed-by: Jason Gunthorpe +Reviewed-by: Kevin Tian +Reviewed-by: Jerry Snitselaar +Link: https://lore.kernel.org/r/20240809055431.36513-4-baolu.lu@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/iommu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c +index 46b2751c3f003..acb870a877ec0 100644 +--- a/drivers/iommu/intel/iommu.c ++++ b/drivers/iommu/intel/iommu.c +@@ -1846,10 +1846,10 @@ static int iommu_init_domains(struct intel_iommu *iommu) + * entry for first-level or pass-through translation modes should + * be programmed with a domain id different from those used for + * second-level or nested translation. We reserve a domain id for +- * this purpose. ++ * this purpose. This domain id is also used for identity domain ++ * in legacy mode. + */ +- if (sm_supported(iommu)) +- set_bit(FLPT_DEFAULT_DID, iommu->domain_ids); ++ set_bit(FLPT_DEFAULT_DID, iommu->domain_ids); + + return 0; + } +-- +2.43.0 + diff --git a/queue-5.15/iommu-vt-d-fix-potential-lockup-if-qi_submit_sync-ca.patch b/queue-5.15/iommu-vt-d-fix-potential-lockup-if-qi_submit_sync-ca.patch new file mode 100644 index 00000000000..d57aa4036f3 --- /dev/null +++ b/queue-5.15/iommu-vt-d-fix-potential-lockup-if-qi_submit_sync-ca.patch @@ -0,0 +1,128 @@ +From 3e7ea13daacd82e2c41808e10dbc357b534fe316 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 10:27:18 +0800 +Subject: iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 + count + +From: Sanjay K Kumar + +[ Upstream commit 3cf74230c139f208b7fb313ae0054386eee31a81 ] + +If qi_submit_sync() is invoked with 0 invalidation descriptors (for +instance, for DMA draining purposes), we can run into a bug where a +submitting thread fails to detect the completion of invalidation_wait. +Subsequently, this led to a soft lockup. Currently, there is no impact +by this bug on the existing users because no callers are submitting +invalidations with 0 descriptors. This fix will enable future users +(such as DMA drain) calling qi_submit_sync() with 0 count. + +Suppose thread T1 invokes qi_submit_sync() with non-zero descriptors, while +concurrently, thread T2 calls qi_submit_sync() with zero descriptors. Both +threads then enter a while loop, waiting for their respective descriptors +to complete. T1 detects its completion (i.e., T1's invalidation_wait status +changes to QI_DONE by HW) and proceeds to call reclaim_free_desc() to +reclaim all descriptors, potentially including adjacent ones of other +threads that are also marked as QI_DONE. + +During this time, while T2 is waiting to acquire the qi->q_lock, the IOMMU +hardware may complete the invalidation for T2, setting its status to +QI_DONE. However, if T1's execution of reclaim_free_desc() frees T2's +invalidation_wait descriptor and changes its status to QI_FREE, T2 will +not observe the QI_DONE status for its invalidation_wait and will +indefinitely remain stuck. + +This soft lockup does not occur when only non-zero descriptors are +submitted.In such cases, invalidation descriptors are interspersed among +wait descriptors with the status QI_IN_USE, acting as barriers. These +barriers prevent the reclaim code from mistakenly freeing descriptors +belonging to other submitters. + +Considered the following example timeline: + T1 T2 +======================================== + ID1 + WD1 + while(WD1!=QI_DONE) + unlock + lock + WD1=QI_DONE* WD2 + while(WD2!=QI_DONE) + unlock + lock + WD1==QI_DONE? + ID1=QI_DONE WD2=DONE* + reclaim() + ID1=FREE + WD1=FREE + WD2=FREE + unlock + soft lockup! T2 never sees QI_DONE in WD2 + +Where: +ID = invalidation descriptor +WD = wait descriptor +* Written by hardware + +The root of the problem is that the descriptor status QI_DONE flag is used +for two conflicting purposes: +1. signal a descriptor is ready for reclaim (to be freed) +2. signal by the hardware that a wait descriptor is complete + +The solution (in this patch) is state separation by using QI_FREE flag +for #1. + +Once a thread's invalidation descriptors are complete, their status would +be set to QI_FREE. The reclaim_free_desc() function would then only +free descriptors marked as QI_FREE instead of those marked as +QI_DONE. This change ensures that T2 (from the previous example) will +correctly observe the completion of its invalidation_wait (marked as +QI_DONE). + +Signed-off-by: Sanjay K Kumar +Signed-off-by: Jacob Pan +Reviewed-by: Kevin Tian +Link: https://lore.kernel.org/r/20240728210059.1964602-1-jacob.jun.pan@linux.intel.com +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/dmar.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/iommu/intel/dmar.c b/drivers/iommu/intel/dmar.c +index 1134aa24d67f1..7109d86491289 100644 +--- a/drivers/iommu/intel/dmar.c ++++ b/drivers/iommu/intel/dmar.c +@@ -1198,9 +1198,7 @@ static void free_iommu(struct intel_iommu *iommu) + */ + static inline void reclaim_free_desc(struct q_inval *qi) + { +- while (qi->desc_status[qi->free_tail] == QI_DONE || +- qi->desc_status[qi->free_tail] == QI_ABORT) { +- qi->desc_status[qi->free_tail] = QI_FREE; ++ while (qi->desc_status[qi->free_tail] == QI_FREE && qi->free_tail != qi->free_head) { + qi->free_tail = (qi->free_tail + 1) % QI_LENGTH; + qi->free_cnt++; + } +@@ -1435,8 +1433,16 @@ int qi_submit_sync(struct intel_iommu *iommu, struct qi_desc *desc, + raw_spin_lock(&qi->q_lock); + } + +- for (i = 0; i < count; i++) +- qi->desc_status[(index + i) % QI_LENGTH] = QI_DONE; ++ /* ++ * The reclaim code can free descriptors from multiple submissions ++ * starting from the tail of the queue. When count == 0, the ++ * status of the standalone wait descriptor at the tail of the queue ++ * must be set to QI_FREE to allow the reclaim code to proceed. ++ * It is also possible that descriptors from one of the previous ++ * submissions has to be reclaimed by a subsequent submission. ++ */ ++ for (i = 0; i <= count; i++) ++ qi->desc_status[(index + i) % QI_LENGTH] = QI_FREE; + + reclaim_free_desc(qi); + raw_spin_unlock_irqrestore(&qi->q_lock, flags); +-- +2.43.0 + diff --git a/queue-5.15/ipv4-check-in_dev-earlier-for-ioctl-siocsifaddr.patch b/queue-5.15/ipv4-check-in_dev-earlier-for-ioctl-siocsifaddr.patch new file mode 100644 index 00000000000..f38e6398260 --- /dev/null +++ b/queue-5.15/ipv4-check-in_dev-earlier-for-ioctl-siocsifaddr.patch @@ -0,0 +1,52 @@ +From bf4618f00ffd66997ac923bb976db3b9e639478b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Aug 2024 16:54:02 -0700 +Subject: ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). + +From: Kuniyuki Iwashima + +[ Upstream commit e3af3d3c5b26c33a7950e34e137584f6056c4319 ] + +dev->ip_ptr could be NULL if we set an invalid MTU. + +Even then, if we issue ioctl(SIOCSIFADDR) for a new IPv4 address, +devinet_ioctl() allocates struct in_ifaddr and fails later in +inet_set_ifa() because in_dev is NULL. + +Let's move the check earlier. + +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20240809235406.50187-2-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 425dfa8e4fd0a..da0f49d77c011 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -566,10 +566,6 @@ static int inet_set_ifa(struct net_device *dev, struct in_ifaddr *ifa) + + ASSERT_RTNL(); + +- if (!in_dev) { +- inet_free_ifa(ifa); +- return -ENOBUFS; +- } + ipv4_devconf_setall(in_dev); + neigh_parms_data_state_setall(in_dev->arp_parms); + if (ifa->ifa_dev != in_dev) { +@@ -1149,6 +1145,8 @@ int devinet_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr) + + if (!ifa) { + ret = -ENOBUFS; ++ if (!in_dev) ++ break; + ifa = inet_alloc_ifa(); + if (!ifa) + break; +-- +2.43.0 + diff --git a/queue-5.15/ipv4-mask-upper-dscp-bits-and-ecn-bits-in-netlink_fi.patch b/queue-5.15/ipv4-mask-upper-dscp-bits-and-ecn-bits-in-netlink_fi.patch new file mode 100644 index 00000000000..f842ef679a5 --- /dev/null +++ b/queue-5.15/ipv4-mask-upper-dscp-bits-and-ecn-bits-in-netlink_fi.patch @@ -0,0 +1,50 @@ +From 4ab087eb46c228fcd4932cccf7ce3fd49917107b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 15:52:22 +0300 +Subject: ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family + +From: Ido Schimmel + +[ Upstream commit 8fed54758cd248cd311a2b5c1e180abef1866237 ] + +The NETLINK_FIB_LOOKUP netlink family can be used to perform a FIB +lookup according to user provided parameters and communicate the result +back to user space. + +However, unlike other users of the FIB lookup API, the upper DSCP bits +and the ECN bits of the DS field are not masked, which can result in the +wrong result being returned. + +Solve this by masking the upper DSCP bits and the ECN bits using +IPTOS_RT_MASK. + +The structure that communicates the request and the response is not +exported to user space, so it is unlikely that this netlink family is +actually in use [1]. + +[1] https://lore.kernel.org/netdev/ZpqpB8vJU%2FQ6LSqa@debian/ + +Signed-off-by: Ido Schimmel +Reviewed-by: Guillaume Nault +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_frontend.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index c21d57f02c651..5ca9c8f1610a7 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -1332,7 +1332,7 @@ static void nl_fib_lookup(struct net *net, struct fib_result_nl *frn) + struct flowi4 fl4 = { + .flowi4_mark = frn->fl_mark, + .daddr = frn->fl_addr, +- .flowi4_tos = frn->fl_tos, ++ .flowi4_tos = frn->fl_tos & IPTOS_RT_MASK, + .flowi4_scope = frn->fl_scope, + }; + struct fib_table *tb; +-- +2.43.0 + diff --git a/queue-5.15/jfs-check-if-leafidx-greater-than-num-leaves-per-dma.patch b/queue-5.15/jfs-check-if-leafidx-greater-than-num-leaves-per-dma.patch new file mode 100644 index 00000000000..8074162ced9 --- /dev/null +++ b/queue-5.15/jfs-check-if-leafidx-greater-than-num-leaves-per-dma.patch @@ -0,0 +1,52 @@ +From 2faa55c3ebee304ee948ebe7a7ec3aaf760cb282 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Aug 2024 09:25:23 +0800 +Subject: jfs: check if leafidx greater than num leaves per dmap tree + +From: Edward Adam Davis + +[ Upstream commit d64ff0d2306713ff084d4b09f84ed1a8c75ecc32 ] + +syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater +than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf. + +Shaggy: +Modified sanity check to apply to control pages as well as leaf pages. + +Reported-and-tested-by: syzbot+dca05492eff41f604890@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890 +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 1eb28c4ccee54..2c8905391ad3e 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -3010,9 +3010,10 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) + static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) + { + int ti, n = 0, k, x = 0; +- int max_size; ++ int max_size, max_idx; + + max_size = is_ctl ? CTLTREESIZE : TREESIZE; ++ max_idx = is_ctl ? LPERCTL : LPERDMAP; + + /* first check the root of the tree to see if there is + * sufficient free space. +@@ -3044,6 +3045,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) + */ + assert(n < 4); + } ++ if (le32_to_cpu(tp->dmt_leafidx) >= max_idx) ++ return -ENOSPC; + + /* set the return to the leftmost leaf describing sufficient + * free space. +-- +2.43.0 + diff --git a/queue-5.15/jfs-fix-uaf-in-dbfreebits.patch b/queue-5.15/jfs-fix-uaf-in-dbfreebits.patch new file mode 100644 index 00000000000..e9413ff9bb3 --- /dev/null +++ b/queue-5.15/jfs-fix-uaf-in-dbfreebits.patch @@ -0,0 +1,117 @@ +From 7a81463cb7e11fc1f22ddd85eb405935c8a56902 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Aug 2024 10:50:48 +0800 +Subject: jfs: Fix uaf in dbFreeBits + +From: Edward Adam Davis + +[ Upstream commit d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234 ] + +[syzbot reported] +================================================================== +BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] +BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 +Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216 + +CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + __mutex_lock_common kernel/locking/mutex.c:587 [inline] + __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 + dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390 + dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline] + dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409 + dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650 + jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100 + jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + +Freed by task 5218: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 + poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 + __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 + kasan_slab_free include/linux/kasan.h:184 [inline] + slab_free_hook mm/slub.c:2252 [inline] + slab_free mm/slub.c:4473 [inline] + kfree+0x149/0x360 mm/slub.c:4594 + dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278 + jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247 + jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454 + reconfigure_super+0x445/0x880 fs/super.c:1083 + vfs_cmd_reconfigure fs/fsopen.c:263 [inline] + vfs_fsconfig_locked fs/fsopen.c:292 [inline] + __do_sys_fsconfig fs/fsopen.c:473 [inline] + __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +[Analysis] +There are two paths (dbUnmount and jfs_ioc_trim) that generate race +condition when accessing bmap, which leads to the occurrence of uaf. + +Use the lock s_umount to synchronize them, in order to avoid uaf caused +by race condition. + +Reported-and-tested-by: syzbot+3c010e21296f33a5dc16@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_discard.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/fs/jfs/jfs_discard.c b/fs/jfs/jfs_discard.c +index 575cb2ba74fc8..5f4b305030ad5 100644 +--- a/fs/jfs/jfs_discard.c ++++ b/fs/jfs/jfs_discard.c +@@ -65,7 +65,7 @@ void jfs_issue_discard(struct inode *ip, u64 blkno, u64 nblocks) + int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) + { + struct inode *ipbmap = JFS_SBI(ip->i_sb)->ipbmap; +- struct bmap *bmp = JFS_SBI(ip->i_sb)->bmap; ++ struct bmap *bmp; + struct super_block *sb = ipbmap->i_sb; + int agno, agno_end; + u64 start, end, minlen; +@@ -83,10 +83,15 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) + if (minlen == 0) + minlen = 1; + ++ down_read(&sb->s_umount); ++ bmp = JFS_SBI(ip->i_sb)->bmap; ++ + if (minlen > bmp->db_agsize || + start >= bmp->db_mapsize || +- range->len < sb->s_blocksize) ++ range->len < sb->s_blocksize) { ++ up_read(&sb->s_umount); + return -EINVAL; ++ } + + if (end >= bmp->db_mapsize) + end = bmp->db_mapsize - 1; +@@ -100,6 +105,8 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) + trimmed += dbDiscardAG(ip, agno, minlen); + agno++; + } ++ ++ up_read(&sb->s_umount); + range->len = trimmed << sb->s_blocksize_bits; + + return 0; +-- +2.43.0 + diff --git a/queue-5.15/jfs-fix-uninit-value-access-of-new_ea-in-ea_buffer.patch b/queue-5.15/jfs-fix-uninit-value-access-of-new_ea-in-ea_buffer.patch new file mode 100644 index 00000000000..ec08d5f6480 --- /dev/null +++ b/queue-5.15/jfs-fix-uninit-value-access-of-new_ea-in-ea_buffer.patch @@ -0,0 +1,57 @@ +From 254f8008f81bb17c7effeae06e1ed0cf610ba04e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 09:07:58 +0800 +Subject: jfs: Fix uninit-value access of new_ea in ea_buffer + +From: Zhao Mengmeng + +[ Upstream commit 2b59ffad47db1c46af25ccad157bb3b25147c35c ] + +syzbot reports that lzo1x_1_do_compress is using uninit-value: + +===================================================== +BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178 + +... + +Uninit was stored to memory at: + ea_put fs/jfs/xattr.c:639 [inline] + +... + +Local variable ea_buf created at: + __jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662 + __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934 + +===================================================== + +The reason is ea_buf->new_ea is not initialized properly. + +Fix this by using memset to empty its content at the beginning +in ea_get(). + +Reported-by: syzbot+02341e0daa42a15ce130@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=02341e0daa42a15ce130 +Signed-off-by: Zhao Mengmeng +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/xattr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c +index 8ef8dfc3c1944..76b89718fd526 100644 +--- a/fs/jfs/xattr.c ++++ b/fs/jfs/xattr.c +@@ -434,6 +434,8 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size) + int rc; + int quota_allocation = 0; + ++ memset(&ea_buf->new_ea, 0, sizeof(ea_buf->new_ea)); ++ + /* When fsck.jfs clears a bad ea, it doesn't clear the size */ + if (ji->ea.flag == 0) + ea_size = 0; +-- +2.43.0 + diff --git a/queue-5.15/jfs-ubsan-shift-out-of-bounds-in-dbfindbits.patch b/queue-5.15/jfs-ubsan-shift-out-of-bounds-in-dbfindbits.patch new file mode 100644 index 00000000000..fe6b51b747b --- /dev/null +++ b/queue-5.15/jfs-ubsan-shift-out-of-bounds-in-dbfindbits.patch @@ -0,0 +1,35 @@ +From 56189059d819a5454f7e3523c21b5a2a368ea092 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 00:12:44 +0000 +Subject: jfs: UBSAN: shift-out-of-bounds in dbFindBits + +From: Remington Brasga + +[ Upstream commit b0b2fc815e514221f01384f39fbfbff65d897e1c ] + +Fix issue with UBSAN throwing shift-out-of-bounds warning. + +Reported-by: syzbot+e38d703eeb410b17b473@syzkaller.appspotmail.com +Signed-off-by: Remington Brasga +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 625457e94b30a..1eb28c4ccee54 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -3088,7 +3088,7 @@ static int dbFindBits(u32 word, int l2nb) + + /* scan the word for nb free bits at nb alignments. + */ +- for (bitno = 0; mask != 0; bitno += nb, mask >>= nb) { ++ for (bitno = 0; mask != 0; bitno += nb, mask = (mask >> nb)) { + if ((mask & word) == mask) + break; + } +-- +2.43.0 + diff --git a/queue-5.15/net-atlantic-avoid-warning-about-potential-string-tr.patch b/queue-5.15/net-atlantic-avoid-warning-about-potential-string-tr.patch new file mode 100644 index 00000000000..703eb7d655d --- /dev/null +++ b/queue-5.15/net-atlantic-avoid-warning-about-potential-string-tr.patch @@ -0,0 +1,79 @@ +From 1f86c91d2d84fb9681f79fb3e10cbae0dcba4146 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 16:58:57 +0100 +Subject: net: atlantic: Avoid warning about potential string truncation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Simon Horman + +[ Upstream commit 5874e0c9f25661c2faefe4809907166defae3d7f ] + +W=1 builds with GCC 14.2.0 warn that: + +.../aq_ethtool.c:278:59: warning: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 6 [-Wformat-truncation=] + 278 | snprintf(tc_string, 8, "TC%d ", tc); + | ^~ +.../aq_ethtool.c:278:56: note: directive argument in the range [-2147483641, 254] + 278 | snprintf(tc_string, 8, "TC%d ", tc); + | ^~~~~~~ +.../aq_ethtool.c:278:33: note: ‘snprintf’ output between 5 and 15 bytes into a destination of size 8 + 278 | snprintf(tc_string, 8, "TC%d ", tc); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +tc is always in the range 0 - cfg->tcs. And as cfg->tcs is a u8, +the range is 0 - 255. Further, on inspecting the code, it seems +that cfg->tcs will never be more than AQ_CFG_TCS_MAX (8), so +the range is actually 0 - 8. + +So, it seems that the condition that GCC flags will not occur. +But, nonetheless, it would be nice if it didn't emit the warning. + +It seems that this can be achieved by changing the format specifier +from %d to %u, in which case I believe GCC recognises an upper bound +on the range of tc of 0 - 255. After some experimentation I think +this is due to the combination of the use of %u and the type of +cfg->tcs (u8). + +Empirically, updating the type of the tc variable to unsigned int +has the same effect. + +As both of these changes seem to make sense in relation to what the code +is actually doing - iterating over unsigned values - do both. + +Compile tested only. + +Signed-off-by: Simon Horman +Link: https://patch.msgid.link/20240821-atlantic-str-v1-1-fa2cfe38ca00@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c b/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c +index 715859cb6560a..df5076540cf1e 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c +@@ -256,7 +256,7 @@ static void aq_ethtool_get_strings(struct net_device *ndev, + const int rx_stat_cnt = ARRAY_SIZE(aq_ethtool_queue_rx_stat_names); + const int tx_stat_cnt = ARRAY_SIZE(aq_ethtool_queue_tx_stat_names); + char tc_string[8]; +- int tc; ++ unsigned int tc; + + memset(tc_string, 0, sizeof(tc_string)); + memcpy(p, aq_ethtool_stat_names, +@@ -265,7 +265,7 @@ static void aq_ethtool_get_strings(struct net_device *ndev, + + for (tc = 0; tc < cfg->tcs; tc++) { + if (cfg->is_qos) +- snprintf(tc_string, 8, "TC%d ", tc); ++ snprintf(tc_string, 8, "TC%u ", tc); + + for (i = 0; i < cfg->vecs; i++) { + for (si = 0; si < rx_stat_cnt; si++) { +-- +2.43.0 + diff --git a/queue-5.15/net-hisilicon-hip04-fix-of-node-leak-in-probe.patch b/queue-5.15/net-hisilicon-hip04-fix-of-node-leak-in-probe.patch new file mode 100644 index 00000000000..11e573ee574 --- /dev/null +++ b/queue-5.15/net-hisilicon-hip04-fix-of-node-leak-in-probe.patch @@ -0,0 +1,36 @@ +From 95b7068446651ce3352cc2db20743c85ac1a6a85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 16:44:19 +0200 +Subject: net: hisilicon: hip04: fix OF node leak in probe() + +From: Krzysztof Kozlowski + +[ Upstream commit 17555297dbd5bccc93a01516117547e26a61caf1 ] + +Driver is leaking OF node reference from +of_parse_phandle_with_fixed_args() in probe(). + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20240827144421.52852-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index 37b605fed32c3..2bda229651954 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -947,6 +947,7 @@ static int hip04_mac_probe(struct platform_device *pdev) + priv->tx_coalesce_timer.function = tx_done; + + priv->map = syscon_node_to_regmap(arg.np); ++ of_node_put(arg.np); + if (IS_ERR(priv->map)) { + dev_warn(d, "no syscon hisilicon,hip04-ppe\n"); + ret = PTR_ERR(priv->map); +-- +2.43.0 + diff --git a/queue-5.15/net-hisilicon-hns_dsaf_mac-fix-of-node-leak-in-hns_m.patch b/queue-5.15/net-hisilicon-hns_dsaf_mac-fix-of-node-leak-in-hns_m.patch new file mode 100644 index 00000000000..b826cd8ba4f --- /dev/null +++ b/queue-5.15/net-hisilicon-hns_dsaf_mac-fix-of-node-leak-in-hns_m.patch @@ -0,0 +1,36 @@ +From db707e992ed6a6b55ddb13720c747baa11916fa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 16:44:20 +0200 +Subject: net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() + +From: Krzysztof Kozlowski + +[ Upstream commit 5680cf8d34e1552df987e2f4bb1bff0b2a8c8b11 ] + +Driver is leaking OF node reference from +of_parse_phandle_with_fixed_args() in hns_mac_get_info(). + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20240827144421.52852-3-krzysztof.kozlowski@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c +index 236ee9b9d1e60..7f7c14c742605 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c +@@ -933,6 +933,7 @@ static int hns_mac_get_info(struct hns_mac_cb *mac_cb) + mac_cb->cpld_ctrl = NULL; + } else { + syscon = syscon_node_to_regmap(cpld_args.np); ++ of_node_put(cpld_args.np); + if (IS_ERR_OR_NULL(syscon)) { + dev_dbg(mac_cb->dev, "no cpld-syscon found!\n"); + mac_cb->cpld_ctrl = NULL; +-- +2.43.0 + diff --git a/queue-5.15/net-hisilicon-hns_mdio-fix-of-node-leak-in-probe.patch b/queue-5.15/net-hisilicon-hns_mdio-fix-of-node-leak-in-probe.patch new file mode 100644 index 00000000000..9a5a2b64223 --- /dev/null +++ b/queue-5.15/net-hisilicon-hns_mdio-fix-of-node-leak-in-probe.patch @@ -0,0 +1,36 @@ +From 4b7ee412e3a4bfb3cb68be696e4b303be678ba70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 16:44:21 +0200 +Subject: net: hisilicon: hns_mdio: fix OF node leak in probe() + +From: Krzysztof Kozlowski + +[ Upstream commit e62beddc45f487b9969821fad3a0913d9bc18a2f ] + +Driver is leaking OF node reference from +of_parse_phandle_with_fixed_args() in probe(). + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20240827144421.52852-4-krzysztof.kozlowski@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns_mdio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns_mdio.c b/drivers/net/ethernet/hisilicon/hns_mdio.c +index 07fdab58001d9..dd5fe71279f04 100644 +--- a/drivers/net/ethernet/hisilicon/hns_mdio.c ++++ b/drivers/net/ethernet/hisilicon/hns_mdio.c +@@ -497,6 +497,7 @@ static int hns_mdio_probe(struct platform_device *pdev) + MDIO_SC_RESET_ST; + } + } ++ of_node_put(reg_args.np); + } else { + dev_warn(&pdev->dev, "find syscon ret = %#x\n", ret); + mdio_dev->subctrl_vbase = NULL; +-- +2.43.0 + diff --git a/queue-5.15/net-mvpp2-increase-size-of-queue_name-buffer.patch b/queue-5.15/net-mvpp2-increase-size-of-queue_name-buffer.patch new file mode 100644 index 00000000000..b30ee2282d5 --- /dev/null +++ b/queue-5.15/net-mvpp2-increase-size-of-queue_name-buffer.patch @@ -0,0 +1,58 @@ +From 26e865c17f52799394c2c4c8164b19e476e4f83f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 12:28:24 +0100 +Subject: net: mvpp2: Increase size of queue_name buffer + +From: Simon Horman + +[ Upstream commit 91d516d4de48532d967a77967834e00c8c53dfe6 ] + +Increase size of queue_name buffer from 30 to 31 to accommodate +the largest string written to it. This avoids truncation in +the possibly unlikely case where the string is name is the +maximum size. + +Flagged by gcc-14: + + .../mvpp2_main.c: In function 'mvpp2_probe': + .../mvpp2_main.c:7636:32: warning: 'snprintf' output may be truncated before the last format character [-Wformat-truncation=] + 7636 | "stats-wq-%s%s", netdev_name(priv->port_list[0]->dev), + | ^ + .../mvpp2_main.c:7635:9: note: 'snprintf' output between 10 and 31 bytes into a destination of size 30 + 7635 | snprintf(priv->queue_name, sizeof(priv->queue_name), + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 7636 | "stats-wq-%s%s", netdev_name(priv->port_list[0]->dev), + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 7637 | priv->port_count > 1 ? "+" : ""); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Introduced by commit 118d6298f6f0 ("net: mvpp2: add ethtool GOP statistics"). +I am not flagging this as a bug as I am not aware that it is one. + +Compile tested only. + +Signed-off-by: Simon Horman +Reviewed-by: Marcin Wojtas +Link: https://patch.msgid.link/20240806-mvpp2-namelen-v1-1-6dc773653f2f@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +index 72608a47d4e02..24a8c9b8126b7 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +@@ -1088,7 +1088,7 @@ struct mvpp2 { + unsigned int max_port_rxqs; + + /* Workqueue to gather hardware statistics */ +- char queue_name[30]; ++ char queue_name[31]; + struct workqueue_struct *stats_queue; + + /* Debugfs root entry */ +-- +2.43.0 + diff --git a/queue-5.15/net-sched-consistently-use-rcu_replace_pointer-in-ta.patch b/queue-5.15/net-sched-consistently-use-rcu_replace_pointer-in-ta.patch new file mode 100644 index 00000000000..40017a4deb9 --- /dev/null +++ b/queue-5.15/net-sched-consistently-use-rcu_replace_pointer-in-ta.patch @@ -0,0 +1,42 @@ +From d5e6ab43c13290f59f612c19322a9ed34fcea67d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 14:54:01 +0300 +Subject: net: sched: consistently use rcu_replace_pointer() in taprio_change() + +From: Dmitry Antipov + +[ Upstream commit d5c4546062fd6f5dbce575c7ea52ad66d1968678 ] + +According to Vinicius (and carefully looking through the whole +https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa +once again), txtime branch of 'taprio_change()' is not going to +race against 'advance_sched()'. But using 'rcu_replace_pointer()' +in the former may be a good idea as well. + +Suggested-by: Vinicius Costa Gomes +Signed-off-by: Dmitry Antipov +Acked-by: Vinicius Costa Gomes +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_taprio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index 4a0986843fb5d..49831bd6a37d5 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -1599,7 +1599,9 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt, + goto unlock; + } + +- rcu_assign_pointer(q->admin_sched, new_admin); ++ /* Not going to race against advance_sched(), but still */ ++ admin = rcu_replace_pointer(q->admin_sched, new_admin, ++ lockdep_rtnl_is_held()); + if (admin) + call_rcu(&admin->rcu, taprio_free_sched_cb); + } else { +-- +2.43.0 + diff --git a/queue-5.15/net-xen-netback-prevent-uaf-in-xenvif_flush_hash.patch b/queue-5.15/net-xen-netback-prevent-uaf-in-xenvif_flush_hash.patch new file mode 100644 index 00000000000..bcfd5812dc6 --- /dev/null +++ b/queue-5.15/net-xen-netback-prevent-uaf-in-xenvif_flush_hash.patch @@ -0,0 +1,50 @@ +From d83d9852b3b3094f978f0d6d9ae19c8efcace4aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Aug 2024 03:11:09 +0900 +Subject: net/xen-netback: prevent UAF in xenvif_flush_hash() + +From: Jeongjun Park + +[ Upstream commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 ] + +During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, +kfree_rcu does not exist inside the rcu read critical section, so if +kfree_rcu is called when the rcu grace period ends during the iteration, +UAF occurs when accessing head->next after the entry becomes free. + +Therefore, to solve this, you need to change it to list_for_each_entry_safe. + +Signed-off-by: Jeongjun Park +Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/hash.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c +index ff96f22648efd..45ddce35f6d2c 100644 +--- a/drivers/net/xen-netback/hash.c ++++ b/drivers/net/xen-netback/hash.c +@@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data, + + static void xenvif_flush_hash(struct xenvif *vif) + { +- struct xenvif_hash_cache_entry *entry; ++ struct xenvif_hash_cache_entry *entry, *n; + unsigned long flags; + + if (xenvif_hash_cache_size == 0) +@@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xenvif *vif) + + spin_lock_irqsave(&vif->hash.cache.lock, flags); + +- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, +- lockdep_is_held(&vif->hash.cache.lock)) { ++ list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) { + list_del_rcu(&entry->link); + vif->hash.cache.count--; + kfree_rcu(entry, rcu); +-- +2.43.0 + diff --git a/queue-5.15/nfp-use-irqf_no_autoen-flag-in-request_irq.patch b/queue-5.15/nfp-use-irqf_no_autoen-flag-in-request_irq.patch new file mode 100644 index 00000000000..4cad7416835 --- /dev/null +++ b/queue-5.15/nfp-use-irqf_no_autoen-flag-in-request_irq.patch @@ -0,0 +1,48 @@ +From aea28afb61767a28a7081ef4f037bbcbfee56689 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 17:44:45 +0800 +Subject: nfp: Use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit daaba19d357f0900b303a530ced96c78086267ea ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. + +Reviewed-by: Louis Peens +Signed-off-by: Jinjie Ruan +Link: https://patch.msgid.link/20240911094445.1922476-4-ruanjinjie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c +index 69ac205bbdbd0..331d05590faf0 100644 +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c +@@ -2665,8 +2665,8 @@ nfp_net_prepare_vector(struct nfp_net *nn, struct nfp_net_r_vector *r_vec, + + snprintf(r_vec->name, sizeof(r_vec->name), + "%s-rxtx-%d", nfp_net_name(nn), idx); +- err = request_irq(r_vec->irq_vector, r_vec->handler, 0, r_vec->name, +- r_vec); ++ err = request_irq(r_vec->irq_vector, r_vec->handler, IRQF_NO_AUTOEN, ++ r_vec->name, r_vec); + if (err) { + if (nn->dp.netdev) + netif_napi_del(&r_vec->napi); +@@ -2676,7 +2676,6 @@ nfp_net_prepare_vector(struct nfp_net *nn, struct nfp_net_r_vector *r_vec, + nn_err(nn, "Error requesting IRQ %d\n", r_vec->irq_vector); + return err; + } +- disable_irq(r_vec->irq_vector); + + irq_set_affinity_hint(r_vec->irq_vector, &r_vec->affinity_mask); + +-- +2.43.0 + diff --git a/queue-5.15/nvme-pci-qdepth-1-quirk.patch b/queue-5.15/nvme-pci-qdepth-1-quirk.patch new file mode 100644 index 00000000000..35f8a6a1a66 --- /dev/null +++ b/queue-5.15/nvme-pci-qdepth-1-quirk.patch @@ -0,0 +1,90 @@ +From 7c6a3b72cb078a6bd4e9e725edbadd05ad1ef312 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 10:39:59 -0700 +Subject: nvme-pci: qdepth 1 quirk + +From: Keith Busch + +[ Upstream commit 83bdfcbdbe5d901c5fa432decf12e1725a840a56 ] + +Another device has been reported to be unreliable if we have more than +one outstanding command. In this new case, data corruption may occur. +Since we have two devices now needing this quirky behavior, make a +generic quirk flag. + +The same Apple quirk is clearly not "temporary", so update the comment +while moving it. + +Link: https://lore.kernel.org/linux-nvme/191d810a4e3.fcc6066c765804.973611676137075390@collabora.com/ +Reported-by: Robert Beckett +Reviewed-by: Christoph Hellwig hch@lst.de> +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/nvme.h | 5 +++++ + drivers/nvme/host/pci.c | 18 +++++++++--------- + 2 files changed, 14 insertions(+), 9 deletions(-) + +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index f9bfd6a549f37..c8ec0e146c8cb 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -86,6 +86,11 @@ enum nvme_quirks { + */ + NVME_QUIRK_NO_DEEPEST_PS = (1 << 5), + ++ /* ++ * Problems seen with concurrent commands ++ */ ++ NVME_QUIRK_QDEPTH_ONE = (1 << 6), ++ + /* + * Set MEDIUM priority on SQ creation + */ +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 3fdf7282a88f0..9e80e238954ca 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2518,15 +2518,8 @@ static int nvme_pci_enable(struct nvme_dev *dev) + else + dev->io_sqes = NVME_NVM_IOSQES; + +- /* +- * Temporary fix for the Apple controller found in the MacBook8,1 and +- * some MacBook7,1 to avoid controller resets and data loss. +- */ +- if (pdev->vendor == PCI_VENDOR_ID_APPLE && pdev->device == 0x2001) { ++ if (dev->ctrl.quirks & NVME_QUIRK_QDEPTH_ONE) { + dev->q_depth = 2; +- dev_warn(dev->ctrl.device, "detected Apple NVMe controller, " +- "set queue depth=%u to work around controller resets\n", +- dev->q_depth); + } else if (pdev->vendor == PCI_VENDOR_ID_SAMSUNG && + (pdev->device == 0xa821 || pdev->device == 0xa822) && + NVME_CAP_MQES(dev->ctrl.cap) == 0) { +@@ -3366,6 +3359,8 @@ static const struct pci_device_id nvme_id_table[] = { + NVME_QUIRK_BOGUS_NID, }, + { PCI_VDEVICE(REDHAT, 0x0010), /* Qemu emulated controller */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, ++ { PCI_DEVICE(0x1217, 0x8760), /* O2 Micro 64GB Steam Deck */ ++ .driver_data = NVME_QUIRK_QDEPTH_ONE }, + { PCI_DEVICE(0x126f, 0x2262), /* Silicon Motion generic */ + .driver_data = NVME_QUIRK_NO_DEEPEST_PS | + NVME_QUIRK_BOGUS_NID, }, +@@ -3470,7 +3465,12 @@ static const struct pci_device_id nvme_id_table[] = { + { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0xcd02), + .driver_data = NVME_QUIRK_DMA_ADDRESS_BITS_48, }, + { PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2001), +- .driver_data = NVME_QUIRK_SINGLE_VECTOR }, ++ /* ++ * Fix for the Apple controller found in the MacBook8,1 and ++ * some MacBook7,1 to avoid controller resets and data loss. ++ */ ++ .driver_data = NVME_QUIRK_SINGLE_VECTOR | ++ NVME_QUIRK_QDEPTH_ONE }, + { PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2003) }, + { PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2005), + .driver_data = NVME_QUIRK_SINGLE_VECTOR | +-- +2.43.0 + diff --git a/queue-5.15/of-irq-refer-to-actual-buffer-size-in-of_irq_parse_o.patch b/queue-5.15/of-irq-refer-to-actual-buffer-size-in-of_irq_parse_o.patch new file mode 100644 index 00000000000..c82a3fc1e95 --- /dev/null +++ b/queue-5.15/of-irq-refer-to-actual-buffer-size-in-of_irq_parse_o.patch @@ -0,0 +1,39 @@ +From 4d812c9c78f6fb1904b7f9517b0eaffd66789b4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 14:16:53 +0200 +Subject: of/irq: Refer to actual buffer size in of_irq_parse_one() + +From: Geert Uytterhoeven + +[ Upstream commit 39ab331ab5d377a18fbf5a0e0b228205edfcc7f4 ] + +Replace two open-coded calculations of the buffer size by invocations of +sizeof() on the buffer itself, to make sure the code will always use the +actual buffer size. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/817c0b9626fd30790fc488c472a3398324cfcc0c.1724156125.git.geert+renesas@glider.be +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/irq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/irq.c b/drivers/of/irq.c +index ad0cb49e233ac..70ac9cb3b2c67 100644 +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -301,8 +301,8 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar + addr = of_get_property(device, "reg", &addr_len); + + /* Prevent out-of-bounds read in case of longer interrupt parent address size */ +- if (addr_len > (3 * sizeof(__be32))) +- addr_len = 3 * sizeof(__be32); ++ if (addr_len > sizeof(addr_buf)) ++ addr_len = sizeof(addr_buf); + if (addr) + memcpy(addr_buf, addr, addr_len); + +-- +2.43.0 + diff --git a/queue-5.15/platform-x86-touchscreen_dmi-add-nanote-next-quirk.patch b/queue-5.15/platform-x86-touchscreen_dmi-add-nanote-next-quirk.patch new file mode 100644 index 00000000000..6ac1beb36a2 --- /dev/null +++ b/queue-5.15/platform-x86-touchscreen_dmi-add-nanote-next-quirk.patch @@ -0,0 +1,69 @@ +From 3aa4e866de29568dfff6f17804f866fae1f1a11e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 21:12:40 +0200 +Subject: platform/x86: touchscreen_dmi: add nanote-next quirk + +From: Ckath + +[ Upstream commit c11619af35bae5884029bd14170c3e4b55ddf6f3 ] + +Add touschscreen info for the nanote next (UMPC-03-SR). + +After checking with multiple owners the DMI info really is this generic. + +Signed-off-by: Ckath +Link: https://lore.kernel.org/r/e8dda83a-10ae-42cf-a061-5d29be0d193a@yandex.ru +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/touchscreen_dmi.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c +index 664a63c8a36c0..b0b1f1b201682 100644 +--- a/drivers/platform/x86/touchscreen_dmi.c ++++ b/drivers/platform/x86/touchscreen_dmi.c +@@ -857,6 +857,21 @@ static const struct ts_dmi_data rwc_nanote_p8_data = { + .properties = rwc_nanote_p8_props, + }; + ++static const struct property_entry rwc_nanote_next_props[] = { ++ PROPERTY_ENTRY_U32("touchscreen-min-x", 5), ++ PROPERTY_ENTRY_U32("touchscreen-min-y", 5), ++ PROPERTY_ENTRY_U32("touchscreen-size-x", 1785), ++ PROPERTY_ENTRY_U32("touchscreen-size-y", 1145), ++ PROPERTY_ENTRY_BOOL("touchscreen-inverted-y"), ++ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-rwc-nanote-next.fw"), ++ { } ++}; ++ ++static const struct ts_dmi_data rwc_nanote_next_data = { ++ .acpi_name = "MSSL1680:00", ++ .properties = rwc_nanote_next_props, ++}; ++ + static const struct property_entry schneider_sct101ctm_props[] = { + PROPERTY_ENTRY_U32("touchscreen-size-x", 1715), + PROPERTY_ENTRY_U32("touchscreen-size-y", 1140), +@@ -1588,6 +1603,17 @@ const struct dmi_system_id touchscreen_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_SKU, "0001") + }, + }, ++ { ++ /* RWC NANOTE NEXT */ ++ .driver_data = (void *)&rwc_nanote_next_data, ++ .matches = { ++ DMI_MATCH(DMI_PRODUCT_NAME, "To be filled by O.E.M."), ++ DMI_MATCH(DMI_BOARD_NAME, "To be filled by O.E.M."), ++ DMI_MATCH(DMI_BOARD_VENDOR, "To be filled by O.E.M."), ++ /* Above matches are too generic, add bios-version match */ ++ DMI_MATCH(DMI_BIOS_VERSION, "S8A70R100-V005"), ++ }, ++ }, + { + /* Schneider SCT101CTM */ + .driver_data = (void *)&schneider_sct101ctm_data, +-- +2.43.0 + diff --git a/queue-5.15/power-reset-brcmstb-do-not-go-into-infinite-loop-if-.patch b/queue-5.15/power-reset-brcmstb-do-not-go-into-infinite-loop-if-.patch new file mode 100644 index 00000000000..622efc66ab9 --- /dev/null +++ b/queue-5.15/power-reset-brcmstb-do-not-go-into-infinite-loop-if-.patch @@ -0,0 +1,39 @@ +From 6d761e5000e5b047577af936cbd715ab827b0ec2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2024 09:28:36 -0500 +Subject: power: reset: brcmstb: Do not go into infinite loop if reset fails + +From: Andrew Davis + +[ Upstream commit cf8c39b00e982fa506b16f9d76657838c09150cb ] + +There may be other backup reset methods available, do not halt +here so that other reset methods can be tried. + +Signed-off-by: Andrew Davis +Reviewed-by: Dhruva Gole +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20240610142836.168603-5-afd@ti.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/reset/brcmstb-reboot.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/power/reset/brcmstb-reboot.c b/drivers/power/reset/brcmstb-reboot.c +index 884b53c483c09..9f8b9e5cad93a 100644 +--- a/drivers/power/reset/brcmstb-reboot.c ++++ b/drivers/power/reset/brcmstb-reboot.c +@@ -72,9 +72,6 @@ static int brcmstb_restart_handler(struct notifier_block *this, + return NOTIFY_DONE; + } + +- while (1) +- ; +- + return NOTIFY_DONE; + } + +-- +2.43.0 + diff --git a/queue-5.15/proc-add-config-param-to-block-forcing-mem-writes.patch b/queue-5.15/proc-add-config-param-to-block-forcing-mem-writes.patch new file mode 100644 index 00000000000..07f253924f9 --- /dev/null +++ b/queue-5.15/proc-add-config-param-to-block-forcing-mem-writes.patch @@ -0,0 +1,200 @@ +From 8998e93630df7cb5319d0b8205d4289c9770c15d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2024 11:02:25 +0300 +Subject: proc: add config & param to block forcing mem writes + +From: Adrian Ratiu + +[ Upstream commit 41e8149c8892ed1962bd15350b3c3e6e90cba7f4 ] + +This adds a Kconfig option and boot param to allow removing +the FOLL_FORCE flag from /proc/pid/mem write calls because +it can be abused. + +The traditional forcing behavior is kept as default because +it can break GDB and some other use cases. + +Previously we tried a more sophisticated approach allowing +distributions to fine-tune /proc/pid/mem behavior, however +that got NAK-ed by Linus [1], who prefers this simpler +approach with semantics also easier to understand for users. + +Link: https://lore.kernel.org/lkml/CAHk-=wiGWLChxYmUA5HrT5aopZrB7_2VTa0NLZcxORgkUe5tEQ@mail.gmail.com/ [1] +Cc: Doug Anderson +Cc: Jeff Xu +Cc: Jann Horn +Cc: Kees Cook +Cc: Ard Biesheuvel +Cc: Christian Brauner +Suggested-by: Linus Torvalds +Signed-off-by: Linus Torvalds +Signed-off-by: Adrian Ratiu +Link: https://lore.kernel.org/r/20240802080225.89408-1-adrian.ratiu@collabora.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + .../admin-guide/kernel-parameters.txt | 10 +++ + fs/proc/base.c | 61 ++++++++++++++++++- + security/Kconfig | 32 ++++++++++ + 3 files changed, 102 insertions(+), 1 deletion(-) + +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index c22a8ee02e73b..ede522c60ac4f 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -4333,6 +4333,16 @@ + printk.time= Show timing data prefixed to each printk message line + Format: (1/Y/y=enable, 0/N/n=disable) + ++ proc_mem.force_override= [KNL] ++ Format: {always | ptrace | never} ++ Traditionally /proc/pid/mem allows memory permissions to be ++ overridden without restrictions. This option may be set to ++ restrict that. Can be one of: ++ - 'always': traditional behavior always allows mem overrides. ++ - 'ptrace': only allow mem overrides for active ptracers. ++ - 'never': never allow mem overrides. ++ If not specified, default is the CONFIG_PROC_MEM_* choice. ++ + processor.max_cstate= [HW,ACPI] + Limit processor to maximum C-state + max_cstate=9 overrides any DMI blacklist limit. +diff --git a/fs/proc/base.c b/fs/proc/base.c +index e5d7a5a75aff9..d0414e566d30a 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -86,6 +86,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -116,6 +117,40 @@ + static u8 nlink_tid __ro_after_init; + static u8 nlink_tgid __ro_after_init; + ++enum proc_mem_force { ++ PROC_MEM_FORCE_ALWAYS, ++ PROC_MEM_FORCE_PTRACE, ++ PROC_MEM_FORCE_NEVER ++}; ++ ++static enum proc_mem_force proc_mem_force_override __ro_after_init = ++ IS_ENABLED(CONFIG_PROC_MEM_NO_FORCE) ? PROC_MEM_FORCE_NEVER : ++ IS_ENABLED(CONFIG_PROC_MEM_FORCE_PTRACE) ? PROC_MEM_FORCE_PTRACE : ++ PROC_MEM_FORCE_ALWAYS; ++ ++static const struct constant_table proc_mem_force_table[] __initconst = { ++ { "always", PROC_MEM_FORCE_ALWAYS }, ++ { "ptrace", PROC_MEM_FORCE_PTRACE }, ++ { "never", PROC_MEM_FORCE_NEVER }, ++ { } ++}; ++ ++static int __init early_proc_mem_force_override(char *buf) ++{ ++ if (!buf) ++ return -EINVAL; ++ ++ /* ++ * lookup_constant() defaults to proc_mem_force_override to preseve ++ * the initial Kconfig choice in case an invalid param gets passed. ++ */ ++ proc_mem_force_override = lookup_constant(proc_mem_force_table, ++ buf, proc_mem_force_override); ++ ++ return 0; ++} ++early_param("proc_mem.force_override", early_proc_mem_force_override); ++ + struct pid_entry { + const char *name; + unsigned int len; +@@ -835,6 +870,28 @@ static int mem_open(struct inode *inode, struct file *file) + return ret; + } + ++static bool proc_mem_foll_force(struct file *file, struct mm_struct *mm) ++{ ++ struct task_struct *task; ++ bool ptrace_active = false; ++ ++ switch (proc_mem_force_override) { ++ case PROC_MEM_FORCE_NEVER: ++ return false; ++ case PROC_MEM_FORCE_PTRACE: ++ task = get_proc_task(file_inode(file)); ++ if (task) { ++ ptrace_active = READ_ONCE(task->ptrace) && ++ READ_ONCE(task->mm) == mm && ++ READ_ONCE(task->parent) == current; ++ put_task_struct(task); ++ } ++ return ptrace_active; ++ default: ++ return true; ++ } ++} ++ + static ssize_t mem_rw(struct file *file, char __user *buf, + size_t count, loff_t *ppos, int write) + { +@@ -855,7 +912,9 @@ static ssize_t mem_rw(struct file *file, char __user *buf, + if (!mmget_not_zero(mm)) + goto free; + +- flags = FOLL_FORCE | (write ? FOLL_WRITE : 0); ++ flags = write ? FOLL_WRITE : 0; ++ if (proc_mem_foll_force(file, mm)) ++ flags |= FOLL_FORCE; + + while (count > 0) { + size_t this_len = min_t(size_t, count, PAGE_SIZE); +diff --git a/security/Kconfig b/security/Kconfig +index 5d412b3ddc496..6c9b5869e675a 100644 +--- a/security/Kconfig ++++ b/security/Kconfig +@@ -19,6 +19,38 @@ config SECURITY_DMESG_RESTRICT + + If you are unsure how to answer this question, answer N. + ++choice ++ prompt "Allow /proc/pid/mem access override" ++ default PROC_MEM_ALWAYS_FORCE ++ help ++ Traditionally /proc/pid/mem allows users to override memory ++ permissions for users like ptrace, assuming they have ptrace ++ capability. ++ ++ This allows people to limit that - either never override, or ++ require actual active ptrace attachment. ++ ++ Defaults to the traditional behavior (for now) ++ ++config PROC_MEM_ALWAYS_FORCE ++ bool "Traditional /proc/pid/mem behavior" ++ help ++ This allows /proc/pid/mem accesses to override memory mapping ++ permissions if you have ptrace access rights. ++ ++config PROC_MEM_FORCE_PTRACE ++ bool "Require active ptrace() use for access override" ++ help ++ This allows /proc/pid/mem accesses to override memory mapping ++ permissions for active ptracers like gdb. ++ ++config PROC_MEM_NO_FORCE ++ bool "Never" ++ help ++ Never override memory mapping permissions ++ ++endchoice ++ + config SECURITY + bool "Enable different security models" + depends on SYSFS +-- +2.43.0 + diff --git a/queue-5.15/rcuscale-provide-clear-error-when-async-specified-wi.patch b/queue-5.15/rcuscale-provide-clear-error-when-async-specified-wi.patch new file mode 100644 index 00000000000..4ae1561e7c9 --- /dev/null +++ b/queue-5.15/rcuscale-provide-clear-error-when-async-specified-wi.patch @@ -0,0 +1,47 @@ +From 849a058043439420ed04025cc10d93ef0e282417 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 17:43:03 -0700 +Subject: rcuscale: Provide clear error when async specified without primitives + +From: Paul E. McKenney + +[ Upstream commit 11377947b5861fa59bf77c827e1dd7c081842cc9 ] + +Currently, if the rcuscale module's async module parameter is specified +for RCU implementations that do not have async primitives such as RCU +Tasks Rude (which now lacks a call_rcu_tasks_rude() function), there +will be a series of splats due to calls to a NULL pointer. This commit +therefore warns of this situation, but switches to non-async testing. + +Signed-off-by: "Paul E. McKenney" +Signed-off-by: Neeraj Upadhyay +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcuscale.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/rcu/rcuscale.c b/kernel/rcu/rcuscale.c +index a83cb29d37607..f90955dc15327 100644 +--- a/kernel/rcu/rcuscale.c ++++ b/kernel/rcu/rcuscale.c +@@ -428,7 +428,7 @@ rcu_scale_writer(void *arg) + udelay(writer_holdoff); + wdp = &wdpp[i]; + *wdp = ktime_get_mono_fast_ns(); +- if (gp_async) { ++ if (gp_async && !WARN_ON_ONCE(!cur_ops->async)) { + retry: + if (!rhp) + rhp = kmalloc(sizeof(*rhp), GFP_KERNEL); +@@ -484,7 +484,7 @@ rcu_scale_writer(void *arg) + i++; + rcu_scale_wait_shutdown(); + } while (!torture_must_stop()); +- if (gp_async) { ++ if (gp_async && cur_ops->async) { + cur_ops->gp_barrier(); + } + writer_n_durations[me] = i_max + 1; +-- +2.43.0 + diff --git a/queue-5.15/regmap-hold-the-regmap-lock-when-allocating-and-free.patch b/queue-5.15/regmap-hold-the-regmap-lock-when-allocating-and-free.patch new file mode 100644 index 00000000000..34bd4a159f6 --- /dev/null +++ b/queue-5.15/regmap-hold-the-regmap-lock-when-allocating-and-free.patch @@ -0,0 +1,60 @@ +From 28c8617a36b2b1803e901519c9e6126354aa815f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 20:13:36 +0100 +Subject: regmap: Hold the regmap lock when allocating and freeing the cache + +From: Mark Brown + +[ Upstream commit fd4ebc07b4dff7e1abedf1b7fd477bc04b69ae55 ] + +For the benefit of the maple tree's lockdep checking hold the lock while +creating and exiting the cache. + +Signed-off-by: Mark Brown +Link: https://patch.msgid.link/20240822-b4-regmap-maple-nolock-v1-2-d5e6dbae3396@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regcache.c | 4 ++++ + drivers/base/regmap/regmap.c | 1 + + 2 files changed, 5 insertions(+) + +diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c +index aff2cd48305fa..852b00d30113d 100644 +--- a/drivers/base/regmap/regcache.c ++++ b/drivers/base/regmap/regcache.c +@@ -189,7 +189,9 @@ int regcache_init(struct regmap *map, const struct regmap_config *config) + if (map->cache_ops->init) { + dev_dbg(map->dev, "Initializing %s cache\n", + map->cache_ops->name); ++ map->lock(map->lock_arg); + ret = map->cache_ops->init(map); ++ map->unlock(map->lock_arg); + if (ret) + goto err_free; + } +@@ -217,7 +219,9 @@ void regcache_exit(struct regmap *map) + if (map->cache_ops->exit) { + dev_dbg(map->dev, "Destroying %s cache\n", + map->cache_ops->name); ++ map->lock(map->lock_arg); + map->cache_ops->exit(map); ++ map->unlock(map->lock_arg); + } + } + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 893b0615935e9..47fcb00a2c26c 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1532,6 +1532,7 @@ void regmap_exit(struct regmap *map) + struct regmap_async *async; + + regcache_exit(map); ++ + regmap_debugfs_exit(map); + regmap_range_exit(map); + if (map->bus && map->bus->free_context) +-- +2.43.0 + diff --git a/queue-5.15/scsi-aacraid-rearrange-order-of-struct-aac_srb_unit.patch b/queue-5.15/scsi-aacraid-rearrange-order-of-struct-aac_srb_unit.patch new file mode 100644 index 00000000000..0739103974d --- /dev/null +++ b/queue-5.15/scsi-aacraid-rearrange-order-of-struct-aac_srb_unit.patch @@ -0,0 +1,112 @@ +From 814f78eb5aa4014ea539e9b8c99ad534b46e5176 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2024 14:57:37 -0700 +Subject: scsi: aacraid: Rearrange order of struct aac_srb_unit + +From: Kees Cook + +[ Upstream commit 6e5860b0ad4934baee8c7a202c02033b2631bb44 ] + +struct aac_srb_unit contains struct aac_srb, which contains struct sgmap, +which ends in a (currently) "fake" (1-element) flexible array. Converting +this to a flexible array is needed so that runtime bounds checking won't +think the array is fixed size (i.e. under CONFIG_FORTIFY_SOURCE=y and/or +CONFIG_UBSAN_BOUNDS=y), as other parts of aacraid use struct sgmap as a +flexible array. + +It is not legal to have a flexible array in the middle of a structure, so +it either needs to be split up or rearranged so that it is at the end of +the structure. Luckily, struct aac_srb_unit, which is exclusively +consumed/updated by aac_send_safw_bmic_cmd(), does not depend on member +ordering. + +The values set in the on-stack struct aac_srb_unit instance "srbu" by the +only two callers, aac_issue_safw_bmic_identify() and +aac_get_safw_ciss_luns(), do not contain anything in srbu.srb.sgmap.sg, and +they both implicitly initialize srbu.srb.sgmap.count to 0 during +memset(). For example: + + memset(&srbu, 0, sizeof(struct aac_srb_unit)); + + srbcmd = &srbu.srb; + srbcmd->flags = cpu_to_le32(SRB_DataIn); + srbcmd->cdb[0] = CISS_REPORT_PHYSICAL_LUNS; + srbcmd->cdb[1] = 2; /* extended reporting */ + srbcmd->cdb[8] = (u8)(datasize >> 8); + srbcmd->cdb[9] = (u8)(datasize); + + rcode = aac_send_safw_bmic_cmd(dev, &srbu, phys_luns, datasize); + +During aac_send_safw_bmic_cmd(), a separate srb is mapped into DMA, and has +srbu.srb copied into it: + + srb = fib_data(fibptr); + memcpy(srb, &srbu->srb, sizeof(struct aac_srb)); + +Only then is srb.sgmap.count written and srb->sg populated: + + srb->count = cpu_to_le32(xfer_len); + + sg64 = (struct sgmap64 *)&srb->sg; + sg64->count = cpu_to_le32(1); + sg64->sg[0].addr[1] = cpu_to_le32(upper_32_bits(addr)); + sg64->sg[0].addr[0] = cpu_to_le32(lower_32_bits(addr)); + sg64->sg[0].count = cpu_to_le32(xfer_len); + +But this is happening in the DMA memory, not in srbu.srb. An attempt to +copy the changes back to srbu does happen: + + /* + * Copy the updated data for other dumping or other usage if + * needed + */ + memcpy(&srbu->srb, srb, sizeof(struct aac_srb)); + +But this was never correct: the sg64 (3 u32s) overlap of srb.sg (2 u32s) +always meant that srbu.srb would have held truncated information and any +attempt to walk srbu.srb.sg.sg based on the value of srbu.srb.sg.count +would result in attempting to parse past the end of srbu.srb.sg.sg[0] into +srbu.srb_reply. + +After getting a reply from hardware, the reply is copied into +srbu.srb_reply: + + srb_reply = (struct aac_srb_reply *)fib_data(fibptr); + memcpy(&srbu->srb_reply, srb_reply, sizeof(struct aac_srb_reply)); + +This has always been fixed-size, so there's no issue here. It is worth +noting that the two callers _never check_ srbu contents -- neither +srbu.srb nor srbu.srb_reply is examined. (They depend on the mapped +xfer_buf instead.) + +Therefore, the ordering of members in struct aac_srb_unit does not matter, +and the flexible array member can moved to the end. + +(Additionally, the two memcpy()s that update srbu could be entirely +removed as they are never consumed, but I left that as-is.) + +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20240711215739.208776-1-kees@kernel.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aacraid/aacraid.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h +index 3733df77bc65d..874fa0d1c805d 100644 +--- a/drivers/scsi/aacraid/aacraid.h ++++ b/drivers/scsi/aacraid/aacraid.h +@@ -2028,8 +2028,8 @@ struct aac_srb_reply + }; + + struct aac_srb_unit { +- struct aac_srb srb; + struct aac_srb_reply srb_reply; ++ struct aac_srb srb; + }; + + /* +-- +2.43.0 + diff --git a/queue-5.15/scsi-smartpqi-correct-stream-detection.patch b/queue-5.15/scsi-smartpqi-correct-stream-detection.patch new file mode 100644 index 00000000000..1578c4a051d --- /dev/null +++ b/queue-5.15/scsi-smartpqi-correct-stream-detection.patch @@ -0,0 +1,50 @@ +From c679498b71fff162c6b82817decfb0d01cb73c18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 13:54:56 -0500 +Subject: scsi: smartpqi: correct stream detection + +From: Mahesh Rajashekhara + +[ Upstream commit 4c76114932d1d6fad2e72823e7898a3c960cf2a7 ] + +Correct stream detection by initializing the structure +pqi_scsi_dev_raid_map_data to 0s. + +When the OS issues SCSI READ commands, the driver erroneously considers +them as SCSI WRITES. If they are identified as sequential IOs, the driver +then submits those requests via the RAID path instead of the AIO path. + +The 'is_write' flag might be set for SCSI READ commands also. The driver +may interpret SCSI READ commands as SCSI WRITE commands, resulting in IOs +being submitted through the RAID path. + +Note: This does not cause data corruption. + +Reviewed-by: Scott Benesh +Reviewed-by: Scott Teel +Reviewed-by: Mike McGowen +Signed-off-by: Mahesh Rajashekhara +Signed-off-by: Don Brace +Link: https://lore.kernel.org/r/20240827185501.692804-3-don.brace@microchip.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index e3d8de1159b51..dc6b003cd87fb 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -5646,7 +5646,7 @@ static bool pqi_is_parity_write_stream(struct pqi_ctrl_info *ctrl_info, + int rc; + struct pqi_scsi_dev *device; + struct pqi_stream_data *pqi_stream_data; +- struct pqi_scsi_dev_raid_map_data rmd; ++ struct pqi_scsi_dev_raid_map_data rmd = { 0 }; + + if (!ctrl_info->enable_stream_detection) + return false; +-- +2.43.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 9d4dbaaa989..502bd6859e1 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -390,3 +390,75 @@ alsa-hda-generic-unconditionally-prefer-preferred_da.patch asoc-imx-card-set-card.owner-to-avoid-a-warning-call.patch alsa-hda-conexant-fix-conflicting-quirk-for-system76.patch f2fs-require-fmode_write-for-atomic-write-ioctls.patch +wifi-ath9k-fix-possible-integer-overflow-in-ath9k_ge.patch +wifi-ath9k_htc-use-__skb_set_length-for-resetting-ur.patch +ice-adjust-over-allocation-of-memory-in-ice_sched_ad.patch +net-xen-netback-prevent-uaf-in-xenvif_flush_hash.patch +net-hisilicon-hip04-fix-of-node-leak-in-probe.patch +net-hisilicon-hns_dsaf_mac-fix-of-node-leak-in-hns_m.patch +net-hisilicon-hns_mdio-fix-of-node-leak-in-probe.patch +acpi-pad-fix-crash-in-exit_round_robin.patch +acpica-fix-memory-leak-if-acpi_ps_get_next_namepath-.patch +acpica-fix-memory-leak-if-acpi_ps_get_next_field-fai.patch +net-sched-consistently-use-rcu_replace_pointer-in-ta.patch +blk_iocost-fix-more-out-of-bound-shifts.patch +nvme-pci-qdepth-1-quirk.patch +wifi-ath11k-fix-array-out-of-bound-access-in-soc-sta.patch +wifi-rtw88-select-want_dev_coredump.patch +acpi-ec-do-not-release-locks-during-operation-region.patch +acpica-check-null-return-of-acpi_allocate_zeroed-in-.patch +tipc-guard-against-string-buffer-overrun.patch +net-mvpp2-increase-size-of-queue_name-buffer.patch +ipv4-check-in_dev-earlier-for-ioctl-siocsifaddr.patch +ipv4-mask-upper-dscp-bits-and-ecn-bits-in-netlink_fi.patch +net-atlantic-avoid-warning-about-potential-string-tr.patch +tcp-avoid-reusing-fin_wait2-when-trying-to-find-port.patch +acpica-iasl-handle-empty-connection_node.patch +proc-add-config-param-to-block-forcing-mem-writes.patch +wifi-mt76-mt7915-hold-dev-mt76.mutex-while-disabling.patch +wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch +nfp-use-irqf_no_autoen-flag-in-request_irq.patch +signal-replace-bug_on-s.patch +regmap-hold-the-regmap-lock-when-allocating-and-free.patch +genirq-proc-correctly-set-file-permissions-for-affin.patch +alsa-usb-audio-add-input-value-sanity-checks-for-sta.patch +x86-ioapic-handle-allocation-failures-gracefully.patch +alsa-usb-audio-define-macros-for-quirk-table-entries.patch +alsa-usb-audio-add-logitech-audio-profile-quirk.patch +tools-x86-kcpuid-protect-against-faulty-max-subleaf-.patch +alsa-asihpi-fix-potential-oob-array-access.patch +alsa-hdsp-break-infinite-midi-input-flush-loop.patch +x86-syscall-avoid-memcpy-for-ia32-syscall_get_argume.patch +fbdev-pxafb-fix-possible-use-after-free-in-pxafb_tas.patch +rcuscale-provide-clear-error-when-async-specified-wi.patch +iommu-arm-smmu-qcom-hide-last-lpass-smmu-context-ban.patch +power-reset-brcmstb-do-not-go-into-infinite-loop-if-.patch +iommu-vt-d-always-reserve-a-domain-id-for-identity-s.patch +iommu-vt-d-fix-potential-lockup-if-qi_submit_sync-ca.patch +cgroup-disallow-mounting-v1-hierarchies-without-cont.patch +drm-amd-display-add-null-check-for-top_pipe_to_progr.patch +ata-sata_sil-rename-sil_blacklist-to-sil_quirks.patch +drm-amd-display-check-null-pointers-before-using-dc-.patch +jfs-ubsan-shift-out-of-bounds-in-dbfindbits.patch +jfs-fix-uaf-in-dbfreebits.patch +jfs-check-if-leafidx-greater-than-num-leaves-per-dma.patch +scsi-smartpqi-correct-stream-detection.patch +jfs-fix-uninit-value-access-of-new_ea-in-ea_buffer.patch +drm-amdgpu-add-raven1-gfxoff-quirk.patch +drm-amdgpu-enable-gfxoff-quirk-on-hp-705g4.patch +hid-multitouch-add-support-for-thinkpad-x12-gen-2-kb.patch +platform-x86-touchscreen_dmi-add-nanote-next-quirk.patch +drm-amd-display-check-stream-before-comparing-them.patch +drm-amd-display-fix-index-out-of-bounds-in-dcn30-deg.patch +drm-amd-display-fix-index-out-of-bounds-in-degamma-h.patch +drm-amd-display-fix-index-out-of-bounds-in-dcn30-col.patch +drm-amd-display-initialize-get_bytes_per_element-s-d.patch +drm-printer-allow-null-data-in-devcoredump-printer.patch +scsi-aacraid-rearrange-order-of-struct-aac_srb_unit.patch +drm-radeon-r100-handle-unknown-family-in-r100_cp_ini.patch +drm-amd-pm-ensure-the-fw_info-is-not-null-before-usi.patch +of-irq-refer-to-actual-buffer-size-in-of_irq_parse_o.patch +ext4-don-t-set-sb_rdonly-after-filesystem-errors.patch +ext4-ext4_search_dir-should-return-a-proper-error.patch +ext4-avoid-use-after-free-in-ext4_ext_show_leaf.patch +ext4-fix-i_data_sem-unlock-order-in-ext4_ind_migrate.patch diff --git a/queue-5.15/signal-replace-bug_on-s.patch b/queue-5.15/signal-replace-bug_on-s.patch new file mode 100644 index 00000000000..7ffa691133d --- /dev/null +++ b/queue-5.15/signal-replace-bug_on-s.patch @@ -0,0 +1,61 @@ +From 626e543343d33f41109c9698082943936fbda21d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2024 18:42:34 +0200 +Subject: signal: Replace BUG_ON()s + +From: Thomas Gleixner + +[ Upstream commit 7f8af7bac5380f2d95a63a6f19964e22437166e1 ] + +These really can be handled gracefully without killing the machine. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Frederic Weisbecker +Reviewed-by: Oleg Nesterov +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Sasha Levin +--- + kernel/signal.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/kernel/signal.c b/kernel/signal.c +index 08bccdbb1b463..8fc1da382448e 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1932,10 +1932,11 @@ struct sigqueue *sigqueue_alloc(void) + + void sigqueue_free(struct sigqueue *q) + { +- unsigned long flags; + spinlock_t *lock = ¤t->sighand->siglock; ++ unsigned long flags; + +- BUG_ON(!(q->flags & SIGQUEUE_PREALLOC)); ++ if (WARN_ON_ONCE(!(q->flags & SIGQUEUE_PREALLOC))) ++ return; + /* + * We must hold ->siglock while testing q->list + * to serialize with collect_signal() or with +@@ -1963,7 +1964,10 @@ int send_sigqueue(struct sigqueue *q, struct pid *pid, enum pid_type type) + unsigned long flags; + int ret, result; + +- BUG_ON(!(q->flags & SIGQUEUE_PREALLOC)); ++ if (WARN_ON_ONCE(!(q->flags & SIGQUEUE_PREALLOC))) ++ return 0; ++ if (WARN_ON_ONCE(q->info.si_code != SI_TIMER)) ++ return 0; + + ret = -1; + rcu_read_lock(); +@@ -1982,7 +1986,6 @@ int send_sigqueue(struct sigqueue *q, struct pid *pid, enum pid_type type) + * If an SI_TIMER entry is already queue just increment + * the overrun count. + */ +- BUG_ON(q->info.si_code != SI_TIMER); + q->info.si_overrun++; + result = TRACE_SIGNAL_ALREADY_PENDING; + goto out; +-- +2.43.0 + diff --git a/queue-5.15/tcp-avoid-reusing-fin_wait2-when-trying-to-find-port.patch b/queue-5.15/tcp-avoid-reusing-fin_wait2-when-trying-to-find-port.patch new file mode 100644 index 00000000000..2117e34647d --- /dev/null +++ b/queue-5.15/tcp-avoid-reusing-fin_wait2-when-trying-to-find-port.patch @@ -0,0 +1,82 @@ +From ff67753ea208811e3869fc36ee3c986997f4b042 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Aug 2024 08:11:52 +0800 +Subject: tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() + process + +From: Jason Xing + +[ Upstream commit 0d9e5df4a257afc3a471a82961ace9a22b88295a ] + +We found that one close-wait socket was reset by the other side +due to a new connection reusing the same port which is beyond our +expectation, so we have to investigate the underlying reason. + +The following experiment is conducted in the test environment. We +limit the port range from 40000 to 40010 and delay the time to close() +after receiving a fin from the active close side, which can help us +easily reproduce like what happened in production. + +Here are three connections captured by tcpdump: +127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965525191 +127.0.0.1.9999 > 127.0.0.1.40002: Flags [S.], seq 2769915070 +127.0.0.1.40002 > 127.0.0.1.9999: Flags [.], ack 1 +127.0.0.1.40002 > 127.0.0.1.9999: Flags [F.], seq 1, ack 1 +// a few seconds later, within 60 seconds +127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965590730 +127.0.0.1.9999 > 127.0.0.1.40002: Flags [.], ack 2 +127.0.0.1.40002 > 127.0.0.1.9999: Flags [R], seq 2965525193 +// later, very quickly +127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965590730 +127.0.0.1.9999 > 127.0.0.1.40002: Flags [S.], seq 3120990805 +127.0.0.1.40002 > 127.0.0.1.9999: Flags [.], ack 1 + +As we can see, the first flow is reset because: +1) client starts a new connection, I mean, the second one +2) client tries to find a suitable port which is a timewait socket + (its state is timewait, substate is fin_wait2) +3) client occupies that timewait port to send a SYN +4) server finds a corresponding close-wait socket in ehash table, + then replies with a challenge ack +5) client sends an RST to terminate this old close-wait socket. + +I don't think the port selection algo can choose a FIN_WAIT2 socket +when we turn on tcp_tw_reuse because on the server side there +remain unread data. In some cases, if one side haven't call close() yet, +we should not consider it as expendable and treat it at will. + +Even though, sometimes, the server isn't able to call close() as soon +as possible like what we expect, it can not be terminated easily, +especially due to a second unrelated connection happening. + +After this patch, we can see the expected failure if we start a +connection when all the ports are occupied in fin_wait2 state: +"Ncat: Cannot assign requested address." + +Reported-by: Jade Dong +Signed-off-by: Jason Xing +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240823001152.31004-1-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 44a9fa957301b..43415de60d7f0 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -113,6 +113,9 @@ int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp) + const struct tcp_timewait_sock *tcptw = tcp_twsk(sktw); + struct tcp_sock *tp = tcp_sk(sk); + ++ if (tw->tw_substate == TCP_FIN_WAIT2) ++ reuse = 0; ++ + if (reuse == 2) { + /* Still does not detect *everything* that goes through + * lo, since we require a loopback src or dst address +-- +2.43.0 + diff --git a/queue-5.15/tipc-guard-against-string-buffer-overrun.patch b/queue-5.15/tipc-guard-against-string-buffer-overrun.patch new file mode 100644 index 00000000000..2dde6fc83ce --- /dev/null +++ b/queue-5.15/tipc-guard-against-string-buffer-overrun.patch @@ -0,0 +1,53 @@ +From 7a49454b0a67bb27ab8f43324c1aa254fab315f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 19:35:37 +0100 +Subject: tipc: guard against string buffer overrun + +From: Simon Horman + +[ Upstream commit 6555a2a9212be6983d2319d65276484f7c5f431a ] + +Smatch reports that copying media_name and if_name to name_parts may +overwrite the destination. + + .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) + .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) + +This does seem to be the case so guard against this possibility by using +strscpy() and failing if truncation occurs. + +Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge") + +Compile tested only. + +Reviewed-by: Jakub Kicinski +Signed-off-by: Simon Horman +Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index 17e8e6e3670ab..8c2793181ee7b 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -163,8 +163,12 @@ static int bearer_name_validate(const char *name, + + /* return bearer name components, if necessary */ + if (name_parts) { +- strcpy(name_parts->media_name, media_name); +- strcpy(name_parts->if_name, if_name); ++ if (strscpy(name_parts->media_name, media_name, ++ TIPC_MAX_MEDIA_NAME) < 0) ++ return 0; ++ if (strscpy(name_parts->if_name, if_name, ++ TIPC_MAX_IF_NAME) < 0) ++ return 0; + } + return 1; + } +-- +2.43.0 + diff --git a/queue-5.15/tools-x86-kcpuid-protect-against-faulty-max-subleaf-.patch b/queue-5.15/tools-x86-kcpuid-protect-against-faulty-max-subleaf-.patch new file mode 100644 index 00000000000..be8828e2f04 --- /dev/null +++ b/queue-5.15/tools-x86-kcpuid-protect-against-faulty-max-subleaf-.patch @@ -0,0 +1,68 @@ +From a2d9a52456894e3e5bf5c7c2872bf6217a887c06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 15:47:44 +0200 +Subject: tools/x86/kcpuid: Protect against faulty "max subleaf" values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ahmed S. Darwish + +[ Upstream commit cf96ab1a966b87b09fdd9e8cc8357d2d00776a3a ] + +Protect against the kcpuid code parsing faulty max subleaf numbers +through a min() expression. Thus, ensuring that max_subleaf will always +be ≤ MAX_SUBLEAF_NUM. + +Use "u32" for the subleaf numbers since kcpuid is compiled with -Wextra, +which includes signed/unsigned comparisons warnings. + +Signed-off-by: Ahmed S. Darwish +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/all/20240718134755.378115-5-darwi@linutronix.de +Signed-off-by: Sasha Levin +--- + tools/arch/x86/kcpuid/kcpuid.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/tools/arch/x86/kcpuid/kcpuid.c b/tools/arch/x86/kcpuid/kcpuid.c +index dae75511fef71..bbeb2dc86410b 100644 +--- a/tools/arch/x86/kcpuid/kcpuid.c ++++ b/tools/arch/x86/kcpuid/kcpuid.c +@@ -7,7 +7,8 @@ + #include + #include + +-#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) ++#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) ++#define min(a, b) (((a) < (b)) ? (a) : (b)) + + typedef unsigned int u32; + typedef unsigned long long u64; +@@ -203,12 +204,9 @@ static void raw_dump_range(struct cpuid_range *range) + #define MAX_SUBLEAF_NUM 32 + struct cpuid_range *setup_cpuid_range(u32 input_eax) + { +- u32 max_func, idx_func; +- int subleaf; ++ u32 max_func, idx_func, subleaf, max_subleaf; ++ u32 eax, ebx, ecx, edx, f = input_eax; + struct cpuid_range *range; +- u32 eax, ebx, ecx, edx; +- u32 f = input_eax; +- int max_subleaf; + bool allzero; + + eax = input_eax; +@@ -254,7 +252,7 @@ struct cpuid_range *setup_cpuid_range(u32 input_eax) + * others have to be tried (0xf) + */ + if (f == 0x7 || f == 0x14 || f == 0x17 || f == 0x18) +- max_subleaf = (eax & 0xff) + 1; ++ max_subleaf = min((eax & 0xff) + 1, max_subleaf); + + if (f == 0xb) + max_subleaf = 2; +-- +2.43.0 + diff --git a/queue-5.15/wifi-ath11k-fix-array-out-of-bound-access-in-soc-sta.patch b/queue-5.15/wifi-ath11k-fix-array-out-of-bound-access-in-soc-sta.patch new file mode 100644 index 00000000000..5ee7053ee3f --- /dev/null +++ b/queue-5.15/wifi-ath11k-fix-array-out-of-bound-access-in-soc-sta.patch @@ -0,0 +1,43 @@ +From 20b1248f5d3e1182795991375ea2741c74b19a5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jul 2024 12:38:11 +0530 +Subject: wifi: ath11k: fix array out-of-bound access in SoC stats + +From: Karthikeyan Periyasamy + +[ Upstream commit 69f253e46af98af17e3efa3e5dfa72fcb7d1983d ] + +Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a +maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx() +function access ath11k_soc_dp_stats::hal_reo_error using the REO +destination SRNG ring ID, which is incorrect. SRNG ring ID differ from +normal ring ID, and this usage leads to out-of-bounds array access. To fix +this issue, modify ath11k_dp_process_rx() to use the normal ring ID +directly instead of the SRNG ring ID to avoid out-of-bounds array access. + +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Karthikeyan Periyasamy +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240704070811.4186543-3-quic_periyasa@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c +index 6920cce493f69..318c3bfd45fdd 100644 +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -2637,7 +2637,7 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, + if (push_reason != + HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION) { + dev_kfree_skb_any(msdu); +- ab->soc_stats.hal_reo_error[dp->reo_dst_ring[ring_id].ring_id]++; ++ ab->soc_stats.hal_reo_error[ring_id]++; + continue; + } + +-- +2.43.0 + diff --git a/queue-5.15/wifi-ath9k-fix-possible-integer-overflow-in-ath9k_ge.patch b/queue-5.15/wifi-ath9k-fix-possible-integer-overflow-in-ath9k_ge.patch new file mode 100644 index 00000000000..8a53cd81be8 --- /dev/null +++ b/queue-5.15/wifi-ath9k-fix-possible-integer-overflow-in-ath9k_ge.patch @@ -0,0 +1,47 @@ +From 79d5916cd292e9414506a519f228fe9318682f92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 14:17:43 +0300 +Subject: wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Kandybka + +[ Upstream commit 3f66f26703093886db81f0610b97a6794511917c ] + +In 'ath9k_get_et_stats()', promote TX stats counters to 'u64' +to avoid possible integer overflow. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Dmitry Kandybka +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240725111743.14422-1-d.kandybka@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/debug.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c +index f6f63923966af..f05ebf10f1508 100644 +--- a/drivers/net/wireless/ath/ath9k/debug.c ++++ b/drivers/net/wireless/ath/ath9k/debug.c +@@ -1316,11 +1316,11 @@ void ath9k_get_et_stats(struct ieee80211_hw *hw, + struct ath_softc *sc = hw->priv; + int i = 0; + +- data[i++] = (sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_pkts_all + ++ data[i++] = ((u64)sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_pkts_all + + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BK)].tx_pkts_all + + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VI)].tx_pkts_all + + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VO)].tx_pkts_all); +- data[i++] = (sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_bytes_all + ++ data[i++] = ((u64)sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_bytes_all + + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BK)].tx_bytes_all + + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VI)].tx_bytes_all + + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VO)].tx_bytes_all); +-- +2.43.0 + diff --git a/queue-5.15/wifi-ath9k_htc-use-__skb_set_length-for-resetting-ur.patch b/queue-5.15/wifi-ath9k_htc-use-__skb_set_length-for-resetting-ur.patch new file mode 100644 index 00000000000..de817abfaef --- /dev/null +++ b/queue-5.15/wifi-ath9k_htc-use-__skb_set_length-for-resetting-ur.patch @@ -0,0 +1,59 @@ +From d5cd1afbdd619c105393ba72b025944318c2b1c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2024 16:24:46 +0200 +Subject: wifi: ath9k_htc: Use __skb_set_length() for resetting urb before + resubmit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 94745807f3ebd379f23865e6dab196f220664179 ] + +Syzbot points out that skb_trim() has a sanity check on the existing length of +the skb, which can be uninitialised in some error paths. The intent here is +clearly just to reset the length to zero before resubmitting, so switch to +calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length() +already contains a call to skb_reset_tail_pointer(), so remove the redundant +call. + +The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar +usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it. + +Reported-by: syzbot+98afa303be379af6cdb2@syzkaller.appspotmail.com +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240812142447.12328-1-toke@toke.dk +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index e0130beb304df..6c73c0c0b82a9 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -718,8 +718,7 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb) + } + + resubmit: +- skb_reset_tail_pointer(skb); +- skb_trim(skb, 0); ++ __skb_set_length(skb, 0); + + usb_anchor_urb(urb, &hif_dev->rx_submitted); + ret = usb_submit_urb(urb, GFP_ATOMIC); +@@ -756,8 +755,7 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + case -ESHUTDOWN: + goto free_skb; + default: +- skb_reset_tail_pointer(skb); +- skb_trim(skb, 0); ++ __skb_set_length(skb, 0); + + goto resubmit; + } +-- +2.43.0 + diff --git a/queue-5.15/wifi-mt76-mt7915-hold-dev-mt76.mutex-while-disabling.patch b/queue-5.15/wifi-mt76-mt7915-hold-dev-mt76.mutex-while-disabling.patch new file mode 100644 index 00000000000..77b3e36cbd1 --- /dev/null +++ b/queue-5.15/wifi-mt76-mt7915-hold-dev-mt76.mutex-while-disabling.patch @@ -0,0 +1,42 @@ +From 79ad8d681bde58257e4dcb5e7be36af55bc45dc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 11:30:04 +0200 +Subject: wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker + +From: Felix Fietkau + +[ Upstream commit 8f7152f10cb434f954aeff85ca1be9cd4d01912b ] + +Prevent racing against other functions disabling the same worker + +Link: https://patch.msgid.link/20240827093011.18621-17-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +index a8a0e6af51f85..f6e686cc642b6 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +@@ -1653,13 +1653,15 @@ void mt7915_mac_reset_work(struct work_struct *work) + set_bit(MT76_RESET, &phy2->mt76->state); + cancel_delayed_work_sync(&phy2->mt76->mac_work); + } ++ ++ mutex_lock(&dev->mt76.mutex); ++ + mt76_worker_disable(&dev->mt76.tx_worker); + napi_disable(&dev->mt76.napi[0]); + napi_disable(&dev->mt76.napi[1]); + napi_disable(&dev->mt76.napi[2]); + napi_disable(&dev->mt76.tx_napi); + +- mutex_lock(&dev->mt76.mutex); + + mt76_wr(dev, MT_MCU_INT_EVENT, MT_MCU_INT_EVENT_DMA_STOPPED); + +-- +2.43.0 + diff --git a/queue-5.15/wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch b/queue-5.15/wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch new file mode 100644 index 00000000000..6c947991ce2 --- /dev/null +++ b/queue-5.15/wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch @@ -0,0 +1,62 @@ +From cad22e7ba47ae2b01d50cced840534e64d108cce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 15:23:51 -0600 +Subject: wifi: mwifiex: Fix memcpy() field-spanning write warning in + mwifiex_cmd_802_11_scan_ext() + +From: Gustavo A. R. Silva + +[ Upstream commit 498365e52bebcbc36a93279fe7e9d6aec8479cee ] + +Replace one-element array with a flexible-array member in +`struct host_cmd_ds_802_11_scan_ext`. + +With this, fix the following warning: + +elo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------ +elo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1) +elo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex] + +Reported-by: Andy Shevchenko +Closes: https://lore.kernel.org/linux-hardening/ZsZNgfnEwOcPdCly@black.fi.intel.com/ +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Andy Shevchenko +Acked-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/ZsZa5xRcsLq9D+RX@elsanto +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/fw.h | 2 +- + drivers/net/wireless/marvell/mwifiex/scan.c | 3 +-- + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h +index 29140949c01ca..7779a3a139446 100644 +--- a/drivers/net/wireless/marvell/mwifiex/fw.h ++++ b/drivers/net/wireless/marvell/mwifiex/fw.h +@@ -1598,7 +1598,7 @@ struct host_cmd_ds_802_11_scan_rsp { + + struct host_cmd_ds_802_11_scan_ext { + u32 reserved; +- u8 tlv_buffer[1]; ++ u8 tlv_buffer[]; + } __packed; + + struct mwifiex_ie_types_bss_mode { +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index 5ec8a42e7150a..293ad1e68cff7 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -2560,8 +2560,7 @@ int mwifiex_ret_802_11_scan_ext(struct mwifiex_private *priv, + ext_scan_resp = &resp->params.ext_scan; + + tlv = (void *)ext_scan_resp->tlv_buffer; +- buf_left = le16_to_cpu(resp->size) - (sizeof(*ext_scan_resp) + S_DS_GEN +- - 1); ++ buf_left = le16_to_cpu(resp->size) - (sizeof(*ext_scan_resp) + S_DS_GEN); + + while (buf_left >= sizeof(struct mwifiex_ie_types_header)) { + type = le16_to_cpu(tlv->type); +-- +2.43.0 + diff --git a/queue-5.15/wifi-rtw88-select-want_dev_coredump.patch b/queue-5.15/wifi-rtw88-select-want_dev_coredump.patch new file mode 100644 index 00000000000..30f2636fc41 --- /dev/null +++ b/queue-5.15/wifi-rtw88-select-want_dev_coredump.patch @@ -0,0 +1,35 @@ +From 41f0a7825629c3b635c681bd679f10740c79a61a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 15:06:15 +0800 +Subject: wifi: rtw88: select WANT_DEV_COREDUMP + +From: Zong-Zhe Yang + +[ Upstream commit 7e989b0c1e33210c07340bf5228aa83ea52515b5 ] + +We have invoked device coredump when fw crash. +Should select WANT_DEV_COREDUMP by ourselves. + +Signed-off-by: Zong-Zhe Yang +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20240718070616.42217-1-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/realtek/rtw88/Kconfig b/drivers/net/wireless/realtek/rtw88/Kconfig +index e3d7cb6c12902..5c18da555681a 100644 +--- a/drivers/net/wireless/realtek/rtw88/Kconfig ++++ b/drivers/net/wireless/realtek/rtw88/Kconfig +@@ -12,6 +12,7 @@ if RTW88 + + config RTW88_CORE + tristate ++ select WANT_DEV_COREDUMP + + config RTW88_PCI + tristate +-- +2.43.0 + diff --git a/queue-5.15/x86-ioapic-handle-allocation-failures-gracefully.patch b/queue-5.15/x86-ioapic-handle-allocation-failures-gracefully.patch new file mode 100644 index 00000000000..e59a91a4760 --- /dev/null +++ b/queue-5.15/x86-ioapic-handle-allocation-failures-gracefully.patch @@ -0,0 +1,153 @@ +From cdfc3389b7095a14cec63b07faadcf98ce5caa4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2024 18:15:34 +0200 +Subject: x86/ioapic: Handle allocation failures gracefully + +From: Thomas Gleixner + +[ Upstream commit 830802a0fea8fb39d3dc9fb7d6b5581e1343eb1f ] + +Breno observed panics when using failslab under certain conditions during +runtime: + + can not alloc irq_pin_list (-1,0,20) + Kernel panic - not syncing: IO-APIC: failed to add irq-pin. Can not proceed + + panic+0x4e9/0x590 + mp_irqdomain_alloc+0x9ab/0xa80 + irq_domain_alloc_irqs_locked+0x25d/0x8d0 + __irq_domain_alloc_irqs+0x80/0x110 + mp_map_pin_to_irq+0x645/0x890 + acpi_register_gsi_ioapic+0xe6/0x150 + hpet_open+0x313/0x480 + +That's a pointless panic which is a leftover of the historic IO/APIC code +which panic'ed during early boot when the interrupt allocation failed. + +The only place which might justify panic is the PIT/HPET timer_check() code +which tries to figure out whether the timer interrupt is delivered through +the IO/APIC. But that code does not require to handle interrupt allocation +failures. If the interrupt cannot be allocated then timer delivery fails +and it either panics due to that or falls back to legacy mode. + +Cure this by removing the panic wrapper around __add_pin_to_irq_node() and +making mp_irqdomain_alloc() aware of the failure condition and handle it as +any other failure in this function gracefully. + +Reported-by: Breno Leitao +Signed-off-by: Thomas Gleixner +Tested-by: Breno Leitao +Tested-by: Qiuxu Zhuo +Link: https://lore.kernel.org/all/ZqfJmUF8sXIyuSHN@gmail.com +Link: https://lore.kernel.org/all/20240802155440.275200843@linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/apic/io_apic.c | 46 ++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 24 deletions(-) + +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c +index bb71b628edcb4..586ea838a5a15 100644 +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -350,27 +350,26 @@ static void ioapic_mask_entry(int apic, int pin) + * shared ISA-space IRQs, so we have to support them. We are super + * fast in the common case, and fast for shared ISA-space IRQs. + */ +-static int __add_pin_to_irq_node(struct mp_chip_data *data, +- int node, int apic, int pin) ++static bool add_pin_to_irq_node(struct mp_chip_data *data, int node, int apic, int pin) + { + struct irq_pin_list *entry; + +- /* don't allow duplicates */ +- for_each_irq_pin(entry, data->irq_2_pin) ++ /* Don't allow duplicates */ ++ for_each_irq_pin(entry, data->irq_2_pin) { + if (entry->apic == apic && entry->pin == pin) +- return 0; ++ return true; ++ } + + entry = kzalloc_node(sizeof(struct irq_pin_list), GFP_ATOMIC, node); + if (!entry) { +- pr_err("can not alloc irq_pin_list (%d,%d,%d)\n", +- node, apic, pin); +- return -ENOMEM; ++ pr_err("Cannot allocate irq_pin_list (%d,%d,%d)\n", node, apic, pin); ++ return false; + } ++ + entry->apic = apic; + entry->pin = pin; + list_add_tail(&entry->list, &data->irq_2_pin); +- +- return 0; ++ return true; + } + + static void __remove_pin_from_irq(struct mp_chip_data *data, int apic, int pin) +@@ -385,13 +384,6 @@ static void __remove_pin_from_irq(struct mp_chip_data *data, int apic, int pin) + } + } + +-static void add_pin_to_irq_node(struct mp_chip_data *data, +- int node, int apic, int pin) +-{ +- if (__add_pin_to_irq_node(data, node, apic, pin)) +- panic("IO-APIC: failed to add irq-pin. Can not proceed\n"); +-} +- + /* + * Reroute an IRQ to a different pin. + */ +@@ -1000,8 +992,7 @@ static int alloc_isa_irq_from_domain(struct irq_domain *domain, + if (irq_data && irq_data->parent_data) { + if (!mp_check_pin_attr(irq, info)) + return -EBUSY; +- if (__add_pin_to_irq_node(irq_data->chip_data, node, ioapic, +- info->ioapic.pin)) ++ if (!add_pin_to_irq_node(irq_data->chip_data, node, ioapic, info->ioapic.pin)) + return -ENOMEM; + } else { + info->flags |= X86_IRQ_ALLOC_LEGACY; +@@ -3024,10 +3015,8 @@ int mp_irqdomain_alloc(struct irq_domain *domain, unsigned int virq, + return -ENOMEM; + + ret = irq_domain_alloc_irqs_parent(domain, virq, nr_irqs, info); +- if (ret < 0) { +- kfree(data); +- return ret; +- } ++ if (ret < 0) ++ goto free_data; + + INIT_LIST_HEAD(&data->irq_2_pin); + irq_data->hwirq = info->ioapic.pin; +@@ -3036,7 +3025,10 @@ int mp_irqdomain_alloc(struct irq_domain *domain, unsigned int virq, + irq_data->chip_data = data; + mp_irqdomain_get_attr(mp_pin_to_gsi(ioapic, pin), data, info); + +- add_pin_to_irq_node(data, ioapic_alloc_attr_node(info), ioapic, pin); ++ if (!add_pin_to_irq_node(data, ioapic_alloc_attr_node(info), ioapic, pin)) { ++ ret = -ENOMEM; ++ goto free_irqs; ++ } + + mp_preconfigure_entry(data); + mp_register_handler(virq, data->is_level); +@@ -3051,6 +3043,12 @@ int mp_irqdomain_alloc(struct irq_domain *domain, unsigned int virq, + ioapic, mpc_ioapic_id(ioapic), pin, virq, + data->is_level, data->active_low); + return 0; ++ ++free_irqs: ++ irq_domain_free_irqs_parent(domain, virq, nr_irqs); ++free_data: ++ kfree(data); ++ return ret; + } + + void mp_irqdomain_free(struct irq_domain *domain, unsigned int virq, +-- +2.43.0 + diff --git a/queue-5.15/x86-syscall-avoid-memcpy-for-ia32-syscall_get_argume.patch b/queue-5.15/x86-syscall-avoid-memcpy-for-ia32-syscall_get_argume.patch new file mode 100644 index 00000000000..22444bf8fcd --- /dev/null +++ b/queue-5.15/x86-syscall-avoid-memcpy-for-ia32-syscall_get_argume.patch @@ -0,0 +1,71 @@ +From c3e60cdd37339af69d64caeb40111b3d092e7fb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 13:22:06 -0700 +Subject: x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit d19d638b1e6cf746263ef60b7d0dee0204d8216a ] + +Modern (fortified) memcpy() prefers to avoid writing (or reading) beyond +the end of the addressed destination (or source) struct member: + +In function ‘fortify_memcpy_chk’, + inlined from ‘syscall_get_arguments’ at ./arch/x86/include/asm/syscall.h:85:2, + inlined from ‘populate_seccomp_data’ at kernel/seccomp.c:258:2, + inlined from ‘__seccomp_filter’ at kernel/seccomp.c:1231:3: +./include/linux/fortify-string.h:580:25: error: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning] + 580 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As already done for x86_64 and compat mode, do not use memcpy() to +extract syscall arguments from struct pt_regs but rather just perform +direct assignments. Binary output differences are negligible, and actually +ends up using less stack space: + +- sub $0x84,%esp ++ sub $0x6c,%esp + +and less text size: + + text data bss dec hex filename + 10794 252 0 11046 2b26 gcc-32b/kernel/seccomp.o.stock + 10714 252 0 10966 2ad6 gcc-32b/kernel/seccomp.o.after + +Closes: https://lore.kernel.org/lkml/9b69fb14-df89-4677-9c82-056ea9e706f5@gmail.com/ +Reported-by: Mirsad Todorovac +Signed-off-by: Kees Cook +Signed-off-by: Dave Hansen +Reviewed-by: Gustavo A. R. Silva +Acked-by: Dave Hansen +Tested-by: Mirsad Todorovac +Link: https://lore.kernel.org/all/20240708202202.work.477-kees%40kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/syscall.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h +index 825528bf0daf5..df434204ad01d 100644 +--- a/arch/x86/include/asm/syscall.h ++++ b/arch/x86/include/asm/syscall.h +@@ -82,7 +82,12 @@ static inline void syscall_get_arguments(struct task_struct *task, + struct pt_regs *regs, + unsigned long *args) + { +- memcpy(args, ®s->bx, 6 * sizeof(args[0])); ++ args[0] = regs->bx; ++ args[1] = regs->cx; ++ args[2] = regs->dx; ++ args[3] = regs->si; ++ args[4] = regs->di; ++ args[5] = regs->bp; + } + + static inline void syscall_set_arguments(struct task_struct *task, +-- +2.43.0 +