From: Sasha Levin Date: Sun, 6 Oct 2024 15:11:26 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v6.6.55~129 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2ae7679c3ee1d74151b69ee0849a7215c7417f0c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/acpi-ec-do-not-release-locks-during-operation-region.patch b/queue-4.19/acpi-ec-do-not-release-locks-during-operation-region.patch new file mode 100644 index 00000000000..22c25ac6fce --- /dev/null +++ b/queue-4.19/acpi-ec-do-not-release-locks-during-operation-region.patch 
@@ -0,0 +1,166 @@ +From d3d1a24ea4b928d3925f04349724915a71286561 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jul 2024 18:26:54 +0200 +Subject: ACPI: EC: Do not release locks during operation region accesses + +From: Rafael J. Wysocki + +[ Upstream commit dc171114926ec390ab90f46534545420ec03e458 ] + +It is not particularly useful to release locks (the EC mutex and the +ACPI global lock, if present) and re-acquire them immediately thereafter +during EC address space accesses in acpi_ec_space_handler(). + +First, releasing them for a while before grabbing them again does not +really help anyone because there may not be enough time for another +thread to acquire them. + +Second, if another thread successfully acquires them and carries out +a new EC write or read in the middle if an operation region access in +progress, it may confuse the EC firmware, especially after the burst +mode has been enabled. + +Finally, manipulating the locks after writing or reading every single +byte of data is overhead that it is better to avoid. + +Accordingly, modify the code to carry out EC address space accesses +entirely without releasing the locks. + +Signed-off-by: Rafael J. 
Wysocki +Reviewed-by: Hans de Goede +Link: https://patch.msgid.link/12473338.O9o76ZdvQC@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 55 +++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 49 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 7db62dec2ee53..1d0366c2c2175 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -807,6 +807,9 @@ static int acpi_ec_transaction_unlocked(struct acpi_ec *ec, + unsigned long tmp; + int ret = 0; + ++ if (t->rdata) ++ memset(t->rdata, 0, t->rlen); ++ + /* start transaction */ + spin_lock_irqsave(&ec->lock, tmp); + /* Enable GPE for command processing (IBF=0/OBF=1) */ +@@ -843,8 +846,6 @@ static int acpi_ec_transaction(struct acpi_ec *ec, struct transaction *t) + + if (!ec || (!t) || (t->wlen && !t->wdata) || (t->rlen && !t->rdata)) + return -EINVAL; +- if (t->rdata) +- memset(t->rdata, 0, t->rlen); + + mutex_lock(&ec->mutex); + if (ec->global_lock) { +@@ -871,7 +872,7 @@ static int acpi_ec_burst_enable(struct acpi_ec *ec) + .wdata = NULL, .rdata = &d, + .wlen = 0, .rlen = 1}; + +- return acpi_ec_transaction(ec, &t); ++ return acpi_ec_transaction_unlocked(ec, &t); + } + + static int acpi_ec_burst_disable(struct acpi_ec *ec) +@@ -881,7 +882,7 @@ static int acpi_ec_burst_disable(struct acpi_ec *ec) + .wlen = 0, .rlen = 0}; + + return (acpi_ec_read_status(ec) & ACPI_EC_FLAG_BURST) ? 
+- acpi_ec_transaction(ec, &t) : 0; ++ acpi_ec_transaction_unlocked(ec, &t) : 0; + } + + static int acpi_ec_read(struct acpi_ec *ec, u8 address, u8 *data) +@@ -897,6 +898,19 @@ static int acpi_ec_read(struct acpi_ec *ec, u8 address, u8 *data) + return result; + } + ++static int acpi_ec_read_unlocked(struct acpi_ec *ec, u8 address, u8 *data) ++{ ++ int result; ++ u8 d; ++ struct transaction t = {.command = ACPI_EC_COMMAND_READ, ++ .wdata = &address, .rdata = &d, ++ .wlen = 1, .rlen = 1}; ++ ++ result = acpi_ec_transaction_unlocked(ec, &t); ++ *data = d; ++ return result; ++} ++ + static int acpi_ec_write(struct acpi_ec *ec, u8 address, u8 data) + { + u8 wdata[2] = { address, data }; +@@ -907,6 +921,16 @@ static int acpi_ec_write(struct acpi_ec *ec, u8 address, u8 data) + return acpi_ec_transaction(ec, &t); + } + ++static int acpi_ec_write_unlocked(struct acpi_ec *ec, u8 address, u8 data) ++{ ++ u8 wdata[2] = { address, data }; ++ struct transaction t = {.command = ACPI_EC_COMMAND_WRITE, ++ .wdata = wdata, .rdata = NULL, ++ .wlen = 2, .rlen = 0}; ++ ++ return acpi_ec_transaction_unlocked(ec, &t); ++} ++ + int ec_read(u8 addr, u8 *val) + { + int err; +@@ -1320,6 +1344,7 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, + struct acpi_ec *ec = handler_context; + int result = 0, i, bytes = bits / 8; + u8 *value = (u8 *)value64; ++ u32 glk; + + if ((address > 0xFF) || !value || !handler_context) + return AE_BAD_PARAMETER; +@@ -1327,13 +1352,25 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, + if (function != ACPI_READ && function != ACPI_WRITE) + return AE_BAD_PARAMETER; + ++ mutex_lock(&ec->mutex); ++ ++ if (ec->global_lock) { ++ acpi_status status; ++ ++ status = acpi_acquire_global_lock(ACPI_EC_UDELAY_GLK, &glk); ++ if (ACPI_FAILURE(status)) { ++ result = -ENODEV; ++ goto unlock; ++ } ++ } ++ + if (ec->busy_polling || bits > 8) + acpi_ec_burst_enable(ec); + + for (i = 0; i < bytes; ++i, ++address, ++value) { + result = 
(function == ACPI_READ) ? +- acpi_ec_read(ec, address, value) : +- acpi_ec_write(ec, address, *value); ++ acpi_ec_read_unlocked(ec, address, value) : ++ acpi_ec_write_unlocked(ec, address, *value); + if (result < 0) + break; + } +@@ -1341,6 +1378,12 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, + if (ec->busy_polling || bits > 8) + acpi_ec_burst_disable(ec); + ++ if (ec->global_lock) ++ acpi_release_global_lock(glk); ++ ++unlock: ++ mutex_unlock(&ec->mutex); ++ + switch (result) { + case -EINVAL: + return AE_BAD_PARAMETER; +-- +2.43.0 + diff --git a/queue-4.19/acpica-check-null-return-of-acpi_allocate_zeroed-in-.patch b/queue-4.19/acpica-check-null-return-of-acpi_allocate_zeroed-in-.patch new file mode 100644 index 00000000000..57eeececfd7 --- /dev/null +++ b/queue-4.19/acpica-check-null-return-of-acpi_allocate_zeroed-in-.patch 
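Review bot: `u32 glk;` in acpi_ec_space_handler is assigned only inside `if (ec->global_lock)` and consumed only under the same test, so it is correct, but the pairing is not visible at the release site and invites a maybe-uninitialized warning; `u32 glk = 0;` costs nothing. The reason for holding ec->mutex and the global lock across the whole byte loop exists only in the changelog — a short comment above `mutex_lock(&ec->mutex);`, e.g. `/* Hold the EC mutex and global lock for the whole region access: dropping them per byte lets another transaction interleave, which confuses the EC once burst mode is on. */`, would keep it with the code. The acpi_ec_burst_enable/acpi_ec_burst_disable return values are still ignored, as before the patch. The switch that maps `result` to an acpi_status continues past the end of the hunk.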
@@ -0,0 +1,41 @@
+From be3f54449610c8c0c47d61268aeb1b954cbf5d8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Jul 2024 14:05:48 +0800
+Subject: ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in
+ acpi_db_convert_to_package()
+
+From: Pei Xiao
+
+[ Upstream commit a5242874488eba2b9062985bf13743c029821330 ]
+
+ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0
+
+ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause
+NULL pointer dereference later.
+
+Link: https://github.com/acpica/acpica/commit/4d4547cf
+Signed-off-by: Pei Xiao
+Link: https://patch.msgid.link/tencent_4A21A2865B8B0A0D12CAEBEB84708EDDB505@qq.com
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/acpica/dbconvert.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/acpi/acpica/dbconvert.c b/drivers/acpi/acpica/dbconvert.c
+index 9fd9a98a9cbe8..5255a0837c82b 100644
+--- a/drivers/acpi/acpica/dbconvert.c
++++ b/drivers/acpi/acpica/dbconvert.c
+@@ -170,6 +170,8 @@ acpi_status acpi_db_convert_to_package(char *string, union acpi_object *object)
+ elements =
+ ACPI_ALLOCATE_ZEROED(DB_DEFAULT_PKG_ELEMENTS *
+ sizeof(union acpi_object));
++ if (!elements)
++ return (AE_NO_MEMORY);
+ 
+ this = string;
+ for (i = 0; i < (DB_DEFAULT_PKG_ELEMENTS - 1); i++) {
+--
+2.43.0
+
diff --git a/queue-4.19/acpica-fix-memory-leak-if-acpi_ps_get_next_field-fai.patch b/queue-4.19/acpica-fix-memory-leak-if-acpi_ps_get_next_field-fai.patch
new file mode 100644
index 00000000000..7e17b3ea000
--- /dev/null
+++ b/queue-4.19/acpica-fix-memory-leak-if-acpi_ps_get_next_field-fai.patch
@@ -0,0 +1,90 @@ +From 0a1eae77d310ea9d281bb4f67d01b920bef799f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Apr 2024 21:50:33 +0200 +Subject: ACPICA: Fix memory leak if acpi_ps_get_next_field() fails + +From: Armin Wolf + +[ Upstream commit e6169a8ffee8a012badd8c703716e761ce851b15 ] + +ACPICA commit 1280045754264841b119a5ede96cd005bc09b5a7 + +If acpi_ps_get_next_field() fails, the previously created field list +needs to be properly disposed before returning the status code. + +Link: https://github.com/acpica/acpica/commit/12800457 +Signed-off-by: Armin Wolf +[ rjw: Rename local variable to avoid compiler confusion ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/psargs.c | 39 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c +index 576ac74a47935..956aaf6a3f3d0 100644 +--- a/drivers/acpi/acpica/psargs.c ++++ b/drivers/acpi/acpica/psargs.c +@@ -25,6 +25,8 @@ acpi_ps_get_next_package_length(struct acpi_parse_state *parser_state); + static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state + *parser_state); + ++static void acpi_ps_free_field_list(union acpi_parse_object *start); ++ + /******************************************************************************* + * + * FUNCTION: acpi_ps_get_next_package_length +@@ -683,6 +685,39 @@ static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state + return_PTR(field); + } + ++/******************************************************************************* ++ * ++ * FUNCTION: acpi_ps_free_field_list ++ * ++ * PARAMETERS: start - First Op in field list ++ * ++ * RETURN: None. ++ * ++ * DESCRIPTION: Free all Op objects inside a field list. 
++ * ++ ******************************************************************************/ ++ ++static void acpi_ps_free_field_list(union acpi_parse_object *start) ++{ ++ union acpi_parse_object *cur = start; ++ union acpi_parse_object *next; ++ union acpi_parse_object *arg; ++ ++ while (cur) { ++ next = cur->common.next; ++ ++ /* AML_INT_CONNECTION_OP can have a single argument */ ++ ++ arg = acpi_ps_get_arg(cur, 0); ++ if (arg) { ++ acpi_ps_free_op(arg); ++ } ++ ++ acpi_ps_free_op(cur); ++ cur = next; ++ } ++} ++ + /******************************************************************************* + * + * FUNCTION: acpi_ps_get_next_arg +@@ -751,6 +786,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state, + while (parser_state->aml < parser_state->pkg_end) { + field = acpi_ps_get_next_field(parser_state); + if (!field) { ++ if (arg) { ++ acpi_ps_free_field_list(arg); ++ } ++ + return_ACPI_STATUS(AE_NO_MEMORY); + } + +-- +2.43.0 + diff --git a/queue-4.19/acpica-fix-memory-leak-if-acpi_ps_get_next_namepath-.patch b/queue-4.19/acpica-fix-memory-leak-if-acpi_ps_get_next_namepath-.patch new file mode 100644 index 00000000000..a13352019dd --- /dev/null +++ b/queue-4.19/acpica-fix-memory-leak-if-acpi_ps_get_next_namepath-.patch 
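Review bot: acpi_ps_free_field_list releases each list element and only its first argument (`acpi_ps_get_arg(cur, 0)`), so an op carrying a second or a nested argument would still leak silently; the comment says only AML_INT_CONNECTION_OP has an argument and that it is single, so this holds for what acpi_ps_get_next_field builds today, but the assumption deserves to be stated where it is relied on, e.g. `/* Field ops carry at most one argument (the Connection() resource), so a flat walk is enough. */`. On the caller side, freeing `arg` as the head of the list built so far is consistent with the loop appending to it. acpi_ps_get_next_arg continues past the end of the hunk.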
@@ -0,0 +1,55 @@ +From 852c9a04c14372484b2f5de88e289e341465d05d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 20:50:11 +0200 +Subject: ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails + +From: Armin Wolf + +[ Upstream commit 5accb265f7a1b23e52b0ec42313d1e12895552f4 ] + +ACPICA commit 2802af722bbde7bf1a7ac68df68e179e2555d361 + +If acpi_ps_get_next_namepath() fails, the previously allocated +union acpi_parse_object needs to be freed before returning the +status code. + +The issue was first being reported on the Linux ACPI mailing list: + +Link: https://lore.kernel.org/linux-acpi/56f94776-484f-48c0-8855-dba8e6a7793b@yandex.ru/T/ +Link: https://github.com/acpica/acpica/commit/2802af72 +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/psargs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c +index 176d28d60125d..576ac74a47935 100644 +--- a/drivers/acpi/acpica/psargs.c ++++ b/drivers/acpi/acpica/psargs.c +@@ -820,6 +820,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state, + acpi_ps_get_next_namepath(walk_state, parser_state, + arg, + ACPI_NOT_METHOD_CALL); ++ if (ACPI_FAILURE(status)) { ++ acpi_ps_free_op(arg); ++ return_ACPI_STATUS(status); ++ } + } else { + /* Single complex argument, nothing returned */ + +@@ -854,6 +858,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state, + acpi_ps_get_next_namepath(walk_state, parser_state, + arg, + ACPI_POSSIBLE_METHOD_CALL); ++ if (ACPI_FAILURE(status)) { ++ acpi_ps_free_op(arg); ++ return_ACPI_STATUS(status); ++ } + + if (arg->common.aml_opcode == AML_INT_METHODCALL_OP) { + +-- +2.43.0 + diff --git a/queue-4.19/acpica-iasl-handle-empty-connection_node.patch b/queue-4.19/acpica-iasl-handle-empty-connection_node.patch new file mode 100644 index 00000000000..08b778bb8bc --- /dev/null 
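Review bot: `acpi_ps_free_op(arg)` releases only the op itself, not anything acpi_ps_get_next_namepath may already have attached to it before failing; if any failing path in that helper returns after it has appended a child op to `arg` (its method-call handling builds a name op and appends it), that child would still leak. I could not confirm from this hunk whether such a path exists, so either verify it or release the subtree (acpi_ps_delete_parse_tree, if usable at this point) instead of the single op. acpi_ps_get_next_arg starts and ends outside the hunk.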
+++ b/queue-4.19/acpica-iasl-handle-empty-connection_node.patch @@ -0,0 +1,36 @@ +From 7e9f40416d3befc9175ac7cd16847dac991c3323 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Aug 2024 23:33:44 +0200 +Subject: ACPICA: iasl: handle empty connection_node + +From: Aleksandrs Vinarskis + +[ Upstream commit a0a2459b79414584af6c46dd8c6f866d8f1aa421 ] + +ACPICA commit 6c551e2c9487067d4b085333e7fe97e965a11625 + +Link: https://github.com/acpica/acpica/commit/6c551e2c +Signed-off-by: Aleksandrs Vinarskis +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/exprep.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/acpica/exprep.c b/drivers/acpi/acpica/exprep.c +index 228feeea555f1..91143bcfe0904 100644 +--- a/drivers/acpi/acpica/exprep.c ++++ b/drivers/acpi/acpica/exprep.c +@@ -437,6 +437,9 @@ acpi_status acpi_ex_prep_field_value(struct acpi_create_field_info *info) + + if (info->connection_node) { + second_desc = info->connection_node->object; ++ if (second_desc == NULL) { ++ break; ++ } + if (!(second_desc->common.flags & AOPOBJ_DATA_VALID)) { + status = + acpi_ds_get_buffer_arguments(second_desc); +-- +2.43.0 + diff --git a/queue-4.19/alsa-asihpi-fix-potential-oob-array-access.patch b/queue-4.19/alsa-asihpi-fix-potential-oob-array-access.patch new file mode 100644 index 00000000000..9aa8f1ce72d --- /dev/null +++ b/queue-4.19/alsa-asihpi-fix-potential-oob-array-access.patch 
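Review bot: The new `if (second_desc == NULL) break;` silently abandons the connection setup, and neither the diff nor the changelog (empty apart from the ACPICA commit id) says when connection_node can have no object, or whether that is a legitimate state or corrupted AML. A one-line comment recording the intent, e.g. `/* Connection() node without an attached object: nothing to bind */`, would help the next reader; if it is really an error, an ACPI_ERROR-style diagnostic would be better than a quiet break. acpi_ex_prep_field_value starts and ends outside the hunk.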
@@ -0,0 +1,39 @@
+From eaaaab6d9dc317daa1e46549b8b6c97b7bcf30a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Aug 2024 11:14:42 +0200
+Subject: ALSA: asihpi: Fix potential OOB array access
+
+From: Takashi Iwai
+
+[ Upstream commit 7b986c7430a6bb68d523dac7bfc74cbd5b44ef96 ]
+
+ASIHPI driver stores some values in the static array upon a response
+from the driver, and its index depends on the firmware. We shouldn't
+trust it blindly.
+
+This patch adds a sanity check of the array index to fit in the array
+size.
+
+Link: https://patch.msgid.link/20240808091454.30846-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/asihpi/hpimsgx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c
+index 736f45337fc70..5be1d910a5d57 100644
+--- a/sound/pci/asihpi/hpimsgx.c
++++ b/sound/pci/asihpi/hpimsgx.c
+@@ -724,7 +724,7 @@ static u16 HPIMSGX__init(struct hpi_message *phm,
+ phr->error = HPI_ERROR_PROCESSING_MESSAGE;
+ return phr->error;
+ }
+- if (hr.error == 0) {
++ if (hr.error == 0 && hr.u.s.adapter_index < HPI_MAX_ADAPTERS) {
+ /* the adapter was created successfully
+ save the mapping for future use */
+ hpi_entry_points[hr.u.s.adapter_index] = entry_point_func;
+--
+2.43.0
+
diff --git a/queue-4.19/alsa-hdsp-break-infinite-midi-input-flush-loop.patch b/queue-4.19/alsa-hdsp-break-infinite-midi-input-flush-loop.patch
new file mode 100644
index 00000000000..f028394e3a5
--- /dev/null
+++ b/queue-4.19/alsa-hdsp-break-infinite-midi-input-flush-loop.patch
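Review bot: When `hr.u.s.adapter_index` is out of range the new condition only skips the store, so the function presumably carries on as if the adapter had been created while no entry point is recorded for it (the rest of HPIMSGX__init is outside the hunk). Treating it like the failure just above would be safer: `if (hr.error == 0 && hr.u.s.adapter_index >= HPI_MAX_ADAPTERS) { phr->error = HPI_ERROR_PROCESSING_MESSAGE; return phr->error; }`. A one-line comment that the index comes from firmware and is untrusted would explain why the bound check exists.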
@@ -0,0 +1,60 @@ +From 8213af34c4878886e2572a9429788d34190910cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Aug 2024 11:15:12 +0200 +Subject: ALSA: hdsp: Break infinite MIDI input flush loop + +From: Takashi Iwai + +[ Upstream commit c01f3815453e2d5f699ccd8c8c1f93a5b8669e59 ] + +The current MIDI input flush on HDSP and HDSPM drivers relies on the +hardware reporting the right value. If the hardware doesn't give the +proper value but returns -1, it may be stuck at an infinite loop. + +Add a counter and break if the loop is unexpectedly too long. + +Link: https://patch.msgid.link/20240808091513.31380-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/rme9652/hdsp.c | 6 ++++-- + sound/pci/rme9652/hdspm.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c +index a0797fc17d957..b2e38524b1fee 100644 +--- a/sound/pci/rme9652/hdsp.c ++++ b/sound/pci/rme9652/hdsp.c +@@ -1322,8 +1322,10 @@ static int snd_hdsp_midi_output_possible (struct hdsp *hdsp, int id) + + static void snd_hdsp_flush_midi_input (struct hdsp *hdsp, int id) + { +- while (snd_hdsp_midi_input_available (hdsp, id)) +- snd_hdsp_midi_read_byte (hdsp, id); ++ int count = 256; ++ ++ while (snd_hdsp_midi_input_available(hdsp, id) && --count) ++ snd_hdsp_midi_read_byte(hdsp, id); + } + + static int snd_hdsp_midi_output_write (struct hdsp_midi *hmidi) +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c +index 5dfddade1bae9..cc8313913d649 100644 +--- a/sound/pci/rme9652/hdspm.c ++++ b/sound/pci/rme9652/hdspm.c +@@ -1846,8 +1846,10 @@ static inline int snd_hdspm_midi_output_possible (struct hdspm *hdspm, int id) + + static void snd_hdspm_flush_midi_input(struct hdspm *hdspm, int id) + { +- while (snd_hdspm_midi_input_available (hdspm, id)) +- snd_hdspm_midi_read_byte (hdspm, id); ++ int count = 256; ++ ++ while (snd_hdspm_midi_input_available(hdspm, id) && --count) ++ 
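Review bot: `while (snd_hdsp_midi_input_available(hdsp, id) && --count)` with `count = 256` reads at most 255 bytes, since the pre-decrement makes the last iteration fail on 1; if 256 is the intended cap, `count--` gives it. The 256 is also a bare magic number with nothing saying why it is there: `int count = 256; /* bail out if the hardware keeps reporting input (e.g. returns -1) */`.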
snd_hdspm_midi_read_byte(hdspm, id); + } + + static int snd_hdspm_midi_output_write (struct hdspm_midi *hmidi) +-- +2.43.0 + diff --git a/queue-4.19/ata-sata_sil-rename-sil_blacklist-to-sil_quirks.patch b/queue-4.19/ata-sata_sil-rename-sil_blacklist-to-sil_quirks.patch new file mode 100644 index 00000000000..dcf0ed3c998 --- /dev/null +++ b/queue-4.19/ata-sata_sil-rename-sil_blacklist-to-sil_quirks.patch 
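Review bot: Same off-by-one as the hdsp.c hunk: `--count` stops after 255 bytes rather than 256, so use `count--` if 256 is meant, and give the constant a reason, `int count = 256; /* guard against hardware reporting input forever */`.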
@@ -0,0 +1,61 @@ +From 2015523a8ea6af5289a69d62af92f8c63fcdbd2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 11:14:11 +0900 +Subject: ata: sata_sil: Rename sil_blacklist to sil_quirks + +From: Damien Le Moal + +[ Upstream commit 93b0f9e11ce511353c65b7f924cf5f95bd9c3aba ] + +Rename the array sil_blacklist to sil_quirks as this name is more +neutral and is also consistent with how this driver define quirks with +the SIL_QUIRK_XXX flags. + +Signed-off-by: Damien Le Moal +Reviewed-by: Niklas Cassel +Reviewed-by: Igor Pylypiv +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_sil.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/ata/sata_sil.c b/drivers/ata/sata_sil.c +index 82adaf02887fb..8613a3cf2c8a5 100644 +--- a/drivers/ata/sata_sil.c ++++ b/drivers/ata/sata_sil.c +@@ -144,7 +144,7 @@ static const struct pci_device_id sil_pci_tbl[] = { + static const struct sil_drivelist { + const char *product; + unsigned int quirk; +-} sil_blacklist [] = { ++} sil_quirks[] = { + { "ST320012AS", SIL_QUIRK_MOD15WRITE }, + { "ST330013AS", SIL_QUIRK_MOD15WRITE }, + { "ST340017AS", SIL_QUIRK_MOD15WRITE }, +@@ -617,8 +617,8 @@ static void sil_thaw(struct ata_port *ap) + * list, and apply the fixups to only the specific + * devices/hosts/firmwares that need it. + * +- * 20040111 - Seagate drives affected by the Mod15Write bug are blacklisted +- * The Maxtor quirk is in the blacklist, but I'm keeping the original ++ * 20040111 - Seagate drives affected by the Mod15Write bug are quirked ++ * The Maxtor quirk is in sil_quirks, but I'm keeping the original + * pessimistic fix for the following reasons... + * - There seems to be less info on it, only one device gleaned off the + * Windows driver, maybe only one is affected. 
More info would be greatly +@@ -637,9 +637,9 @@ static void sil_dev_config(struct ata_device *dev) + + ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num)); + +- for (n = 0; sil_blacklist[n].product; n++) +- if (!strcmp(sil_blacklist[n].product, model_num)) { +- quirks = sil_blacklist[n].quirk; ++ for (n = 0; sil_quirks[n].product; n++) ++ if (!strcmp(sil_quirks[n].product, model_num)) { ++ quirks = sil_quirks[n].quirk; + break; + } + +-- +2.43.0 + diff --git a/queue-4.19/drm-amd-display-check-stream-before-comparing-them.patch b/queue-4.19/drm-amd-display-check-stream-before-comparing-them.patch new file mode 100644 index 00000000000..0a0c7984d6a --- /dev/null +++ b/queue-4.19/drm-amd-display-check-stream-before-comparing-them.patch 
@@ -0,0 +1,41 @@
+From ea6fdc2be66652308a50a7b4cdf71a2f3d335019 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Jun 2024 20:05:14 -0600
+Subject: drm/amd/display: Check stream before comparing them
+
+From: Alex Hung
+
+[ Upstream commit 35ff747c86767937ee1e0ca987545b7eed7a0810 ]
+
+[WHAT & HOW]
+amdgpu_dm can pass a null stream to dc_is_stream_unchanged. It is
+necessary to check for null before dereferencing them.
+
+This fixes 1 FORWARD_NULL issue reported by Coverity.
+
+Reviewed-by: Rodrigo Siqueira
+Signed-off-by: Jerry Zuo
+Signed-off-by: Alex Hung
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+index 8b4337794d1ef..18ebbbf67f230 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+@@ -1569,6 +1569,8 @@ static bool are_stream_backends_same(
+ bool dc_is_stream_unchanged(
+ struct dc_stream_state *old_stream, struct dc_stream_state *stream)
+ {
++ if (!old_stream || !stream)
++ return false;
+ 
+ if (!are_stream_backends_same(old_stream, stream))
+ return false;
+--
+2.43.0
+
diff --git a/queue-4.19/drm-amd-display-fix-index-out-of-bounds-in-degamma-h.patch b/queue-4.19/drm-amd-display-fix-index-out-of-bounds-in-degamma-h.patch
new file mode 100644
index 00000000000..10f94b79f3a
--- /dev/null
+++ b/queue-4.19/drm-amd-display-fix-index-out-of-bounds-in-degamma-h.patch
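Review bot: The new guard reports any NULL stream as "changed" without saying so, and since the changelog says amdgpu_dm can legitimately pass NULL, a future reader may be tempted to turn it into an assert. A one-line comment would pin the choice: `/* A missing stream on either side counts as a change. */`. dc_is_stream_unchanged continues past the end of the hunk.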
@@ -0,0 +1,55 @@ +From 7bcc3ca42b16c1aea8313f7a87f1a32597509266 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Jul 2024 17:48:27 +0530 +Subject: drm/amd/display: Fix index out of bounds in degamma hardware format + translation + +From: Srinivasan Shanmugam + +[ Upstream commit b7e99058eb2e86aabd7a10761e76cae33d22b49f ] + +Fixes index out of bounds issue in +`cm_helper_translate_curve_to_degamma_hw_format` function. The issue +could occur when the index 'i' exceeds the number of transfer function +points (TRANSFER_FUNC_POINTS). + +The fix adds a check to ensure 'i' is within bounds before accessing the +transfer function points. If 'i' is out of bounds the function returns +false to indicate an error. + +Reported by smatch: +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max + +Cc: Tom Chung +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Cc: Hamza Mahfooz +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +index 67a3ba49234ee..ad42470613441 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +@@ -482,6 +482,8 @@ bool 
cm_helper_translate_curve_to_degamma_hw_format( + i += increment) { + if (j == hw_points - 1) + break; ++ if (i >= TRANSFER_FUNC_POINTS) ++ return false; + rgb_resulted[j].red = output_tf->tf_pts.red[i]; + rgb_resulted[j].green = output_tf->tf_pts.green[i]; + rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; +-- +2.43.0 + diff --git a/queue-4.19/drm-printer-allow-null-data-in-devcoredump-printer.patch b/queue-4.19/drm-printer-allow-null-data-in-devcoredump-printer.patch new file mode 100644 index 00000000000..651d9ac48d0 --- /dev/null +++ b/queue-4.19/drm-printer-allow-null-data-in-devcoredump-printer.patch 
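Review bot: `if (i >= TRANSFER_FUNC_POINTS) return false;` bails out mid-loop, leaving rgb_resulted partially filled and whatever this function set up earlier untouched; that is fine only if every caller discards the result on false, which is not visible here (the function and the loop header both start outside the hunk). A comment at the check, e.g. `/* increment can push i past the curve; fail rather than read past tf_pts */`, would record why failing beats clamping to the last point. If the regamma translation helper in this file has the same loop it likely needs the same guard — not visible here.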
@@ -0,0 +1,144 @@ +From 521c3b1c08053b1b07250be9372d4e0eae766f5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 08:41:17 -0700 +Subject: drm/printer: Allow NULL data in devcoredump printer + +From: Matthew Brost + +[ Upstream commit 53369581dc0c68a5700ed51e1660f44c4b2bb524 ] + +We want to determine the size of the devcoredump before writing it out. +To that end, we will run the devcoredump printer with NULL data to get +the size, alloc data based on the generated offset, then run the +devcorecump again with a valid data pointer to print. This necessitates +not writing data to the data pointer on the initial pass, when it is +NULL. + +v5: + - Better commit message (Jonathan) + - Add kerenl doc with examples (Jani) + +Cc: Maarten Lankhorst +Acked-by: Maarten Lankhorst +Signed-off-by: Matthew Brost +Reviewed-by: Jonathan Cavitt +Link: https://patchwork.freedesktop.org/patch/msgid/20240801154118.2547543-3-matthew.brost@intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_print.c | 13 +++++---- + include/drm/drm_print.h | 54 ++++++++++++++++++++++++++++++++++++- + 2 files changed, 61 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/drm_print.c b/drivers/gpu/drm/drm_print.c +index 0e7fc3e7dfb48..711a1b329879f 100644 +--- a/drivers/gpu/drm/drm_print.c ++++ b/drivers/gpu/drm/drm_print.c +@@ -54,8 +54,9 @@ void __drm_puts_coredump(struct drm_printer *p, const char *str) + copy = iterator->remain; + + /* Copy out the bit of the string that we need */ +- memcpy(iterator->data, +- str + (iterator->start - iterator->offset), copy); ++ if (iterator->data) ++ memcpy(iterator->data, ++ str + (iterator->start - iterator->offset), copy); + + iterator->offset = iterator->start + copy; + iterator->remain -= copy; +@@ -64,7 +65,8 @@ void __drm_puts_coredump(struct drm_printer *p, const char *str) + + len = min_t(ssize_t, strlen(str), iterator->remain); + +- memcpy(iterator->data + pos, str, len); ++ if (iterator->data) ++ 
memcpy(iterator->data + pos, str, len); + + iterator->offset += len; + iterator->remain -= len; +@@ -94,8 +96,9 @@ void __drm_printfn_coredump(struct drm_printer *p, struct va_format *vaf) + if ((iterator->offset >= iterator->start) && (len < iterator->remain)) { + ssize_t pos = iterator->offset - iterator->start; + +- snprintf(((char *) iterator->data) + pos, +- iterator->remain, "%pV", vaf); ++ if (iterator->data) ++ snprintf(((char *) iterator->data) + pos, ++ iterator->remain, "%pV", vaf); + + iterator->offset += len; + iterator->remain -= len; +diff --git a/include/drm/drm_print.h b/include/drm/drm_print.h +index f3e6eed3e79c6..fbf6dc19c1322 100644 +--- a/include/drm/drm_print.h ++++ b/include/drm/drm_print.h +@@ -111,7 +111,8 @@ drm_vprintf(struct drm_printer *p, const char *fmt, va_list *va) + + /** + * struct drm_print_iterator - local struct used with drm_printer_coredump +- * @data: Pointer to the devcoredump output buffer ++ * @data: Pointer to the devcoredump output buffer, can be NULL if using ++ * drm_printer_coredump to determine size of devcoredump + * @start: The offset within the buffer to start writing + * @remain: The number of bytes to write for this iteration + */ +@@ -156,6 +157,57 @@ struct drm_print_iterator { + * coredump_read, ...) + * } + * ++ * The above example has a time complexity of O(N^2), where N is the size of the ++ * devcoredump. This is acceptable for small devcoredumps but scales poorly for ++ * larger ones. ++ * ++ * Another use case for drm_coredump_printer is to capture the devcoredump into ++ * a saved buffer before the dev_coredump() callback. This involves two passes: ++ * one to determine the size of the devcoredump and another to print it to a ++ * buffer. Then, in dev_coredump(), copy from the saved buffer into the ++ * devcoredump read buffer. ++ * ++ * For example:: ++ * ++ * char *devcoredump_saved_buffer; ++ * ++ * ssize_t __coredump_print(char *buffer, ssize_t count, ...) 
++ * { ++ * struct drm_print_iterator iter; ++ * struct drm_printer p; ++ * ++ * iter.data = buffer; ++ * iter.start = 0; ++ * iter.remain = count; ++ * ++ * p = drm_coredump_printer(&iter); ++ * ++ * drm_printf(p, "foo=%d\n", foo); ++ * ... ++ * return count - iter.remain; ++ * } ++ * ++ * void coredump_print(...) ++ * { ++ * ssize_t count; ++ * ++ * count = __coredump_print(NULL, INT_MAX, ...); ++ * devcoredump_saved_buffer = kvmalloc(count, GFP_KERNEL); ++ * __coredump_print(devcoredump_saved_buffer, count, ...); ++ * } ++ * ++ * void coredump_read(char *buffer, loff_t offset, size_t count, ++ * void *data, size_t datalen) ++ * { ++ * ... ++ * memcpy(buffer, devcoredump_saved_buffer + offset, count); ++ * ... ++ * } ++ * ++ * The above example has a time complexity of O(N*2), where N is the size of the ++ * devcoredump. This scales better than the previous example for larger ++ * devcoredumps. ++ * + * RETURNS: + * The &drm_printer object + */ +-- +2.43.0 + diff --git a/queue-4.19/drm-radeon-r100-handle-unknown-family-in-r100_cp_ini.patch b/queue-4.19/drm-radeon-r100-handle-unknown-family-in-r100_cp_ini.patch new file mode 100644 index 00000000000..b94e2ff92c0 --- /dev/null +++ b/queue-4.19/drm-radeon-r100-handle-unknown-family-in-r100_cp_ini.patch 
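Review bot: The new kerneldoc example does `devcoredump_saved_buffer = kvmalloc(count, GFP_KERNEL);` and then prints into it without checking for NULL; sample code gets copied, so `if (!devcoredump_saved_buffer) return;` belongs between the two calls. `O(N*2)` is not standard notation — both passes are linear, so say "O(N) (two linear passes)" to contrast with the O(N^2) of the first example. The example is documentation only, so this is a wording fix in the comment block, not a code change.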
@@ -0,0 +1,140 @@ +From 022eaf06644e696590fdd51711cddf42bfbbea44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 17:58:12 +0200 +Subject: drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit c6dbab46324b1742b50dc2fb5c1fee2c28129439 ] + +With -Werror: + + In function ‘r100_cp_init_microcode’, + inlined from ‘r100_cp_init’ at drivers/gpu/drm/radeon/r100.c:1136:7: + include/linux/printk.h:465:44: error: ‘%s’ directive argument is null [-Werror=format-overflow=] + 465 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__) + | ^ + include/linux/printk.h:437:17: note: in definition of macro ‘printk_index_wrap’ + 437 | _p_func(_fmt, ##__VA_ARGS__); \ + | ^~~~~~~ + include/linux/printk.h:508:9: note: in expansion of macro ‘printk’ + 508 | printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__) + | ^~~~~~ + drivers/gpu/drm/radeon/r100.c:1062:17: note: in expansion of macro ‘pr_err’ + 1062 | pr_err("radeon_cp: Failed to load firmware \"%s\"\n", fw_name); + | ^~~~~~ + +Fix this by converting the if/else if/... construct into a proper +switch() statement with a default to handle the error case. + +As a bonus, the generated code is ca. 100 bytes smaller (with gcc 11.4.0 +targeting arm32). 
+ +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/r100.c | 70 ++++++++++++++++++++++------------- + 1 file changed, 45 insertions(+), 25 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c +index 15241b80e9d21..444a135158bdc 100644 +--- a/drivers/gpu/drm/radeon/r100.c ++++ b/drivers/gpu/drm/radeon/r100.c +@@ -999,45 +999,65 @@ static int r100_cp_init_microcode(struct radeon_device *rdev) + + DRM_DEBUG_KMS("\n"); + +- if ((rdev->family == CHIP_R100) || (rdev->family == CHIP_RV100) || +- (rdev->family == CHIP_RV200) || (rdev->family == CHIP_RS100) || +- (rdev->family == CHIP_RS200)) { ++ switch (rdev->family) { ++ case CHIP_R100: ++ case CHIP_RV100: ++ case CHIP_RV200: ++ case CHIP_RS100: ++ case CHIP_RS200: + DRM_INFO("Loading R100 Microcode\n"); + fw_name = FIRMWARE_R100; +- } else if ((rdev->family == CHIP_R200) || +- (rdev->family == CHIP_RV250) || +- (rdev->family == CHIP_RV280) || +- (rdev->family == CHIP_RS300)) { ++ break; ++ ++ case CHIP_R200: ++ case CHIP_RV250: ++ case CHIP_RV280: ++ case CHIP_RS300: + DRM_INFO("Loading R200 Microcode\n"); + fw_name = FIRMWARE_R200; +- } else if ((rdev->family == CHIP_R300) || +- (rdev->family == CHIP_R350) || +- (rdev->family == CHIP_RV350) || +- (rdev->family == CHIP_RV380) || +- (rdev->family == CHIP_RS400) || +- (rdev->family == CHIP_RS480)) { ++ break; ++ ++ case CHIP_R300: ++ case CHIP_R350: ++ case CHIP_RV350: ++ case CHIP_RV380: ++ case CHIP_RS400: ++ case CHIP_RS480: + DRM_INFO("Loading R300 Microcode\n"); + fw_name = FIRMWARE_R300; +- } else if ((rdev->family == CHIP_R420) || +- (rdev->family == CHIP_R423) || +- (rdev->family == CHIP_RV410)) { ++ break; ++ ++ case CHIP_R420: ++ case CHIP_R423: ++ case CHIP_RV410: + DRM_INFO("Loading R400 Microcode\n"); + fw_name = FIRMWARE_R420; +- } else if ((rdev->family == CHIP_RS690) || +- (rdev->family == CHIP_RS740)) { ++ break; ++ ++ case CHIP_RS690: ++ case 
CHIP_RS740: + DRM_INFO("Loading RS690/RS740 Microcode\n"); + fw_name = FIRMWARE_RS690; +- } else if (rdev->family == CHIP_RS600) { ++ break; ++ ++ case CHIP_RS600: + DRM_INFO("Loading RS600 Microcode\n"); + fw_name = FIRMWARE_RS600; +- } else if ((rdev->family == CHIP_RV515) || +- (rdev->family == CHIP_R520) || +- (rdev->family == CHIP_RV530) || +- (rdev->family == CHIP_R580) || +- (rdev->family == CHIP_RV560) || +- (rdev->family == CHIP_RV570)) { ++ break; ++ ++ case CHIP_RV515: ++ case CHIP_R520: ++ case CHIP_RV530: ++ case CHIP_R580: ++ case CHIP_RV560: ++ case CHIP_RV570: + DRM_INFO("Loading R500 Microcode\n"); + fw_name = FIRMWARE_R520; ++ break; ++ ++ default: ++ DRM_ERROR("Unsupported Radeon family %u\n", rdev->family); ++ return -EINVAL; + } + + err = request_firmware(&rdev->me_fw, fw_name, rdev->dev); +-- +2.43.0 + diff --git a/queue-4.19/ext4-ext4_search_dir-should-return-a-proper-error.patch b/queue-4.19/ext4-ext4_search_dir-should-return-a-proper-error.patch new file mode 100644 index 00000000000..5ffe3ede613 --- /dev/null +++ b/queue-4.19/ext4-ext4_search_dir-should-return-a-proper-error.patch 
@@ -0,0 +1,86 @@ +From eb4f57409bccdf8485d2254977cc6f7d610b1ff7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 12:23:21 -0300 +Subject: ext4: ext4_search_dir should return a proper error + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit cd69f8f9de280e331c9e6ff689ced0a688a9ce8f ] + +ext4_search_dir currently returns -1 in case of a failure, while it returns +0 when the name is not found. In such failure cases, it should return an +error code instead. + +This becomes even more important when ext4_find_inline_entry returns an +error code as well in the next commit. + +-EFSCORRUPTED seems appropriate as such error code as these failures would +be caused by unexpected record lengths and is in line with other instances +of ext4_check_dir_entry failures. + +In the case of ext4_dx_find_entry, the current use of ERR_BAD_DX_DIR was +left as is to reduce the risk of regressions. + +Signed-off-by: Thadeu Lima de Souza Cascardo +Link: https://patch.msgid.link/20240821152324.3621860-2-cascardo@igalia.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 8594feea2d932..d85be8255d790 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1334,7 +1334,7 @@ static inline bool ext4_match(const struct ext4_filename *fname, + } + + /* +- * Returns 0 if not found, -1 on failure, and 1 on success ++ * Returns 0 if not found, -EFSCORRUPTED on failure, and 1 on success + */ + int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + struct inode *dir, struct ext4_filename *fname, +@@ -1355,7 +1355,7 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + * a full check */ + if (ext4_check_dir_entry(dir, NULL, de, bh, search_buf, + buf_size, offset)) +- return -1; ++ return -EFSCORRUPTED; + *res_dir = de; + return 1; + } +@@ -1363,7 +1363,7 @@ int 
ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + de_len = ext4_rec_len_from_disk(de->rec_len, + dir->i_sb->s_blocksize); + if (de_len <= 0) +- return -1; ++ return -EFSCORRUPTED; + offset += de_len; + de = (struct ext4_dir_entry_2 *) ((char *) de + de_len); + } +@@ -1514,8 +1514,10 @@ static struct buffer_head *__ext4_find_entry(struct inode *dir, + goto cleanup_and_exit; + } else { + brelse(bh); +- if (i < 0) ++ if (i < 0) { ++ ret = ERR_PTR(i); + goto cleanup_and_exit; ++ } + } + next: + if (++block >= nblocks) +@@ -1609,7 +1611,7 @@ static struct buffer_head * ext4_dx_find_entry(struct inode *dir, + if (retval == 1) + goto success; + brelse(bh); +- if (retval == -1) { ++ if (retval < 0) { + bh = ERR_PTR(ERR_BAD_DX_DIR); + goto errout; + } +-- +2.43.0 + diff --git a/queue-4.19/ext4-fix-i_data_sem-unlock-order-in-ext4_ind_migrate.patch b/queue-4.19/ext4-fix-i_data_sem-unlock-order-in-ext4_ind_migrate.patch new file mode 100644 index 00000000000..acff89d1d0b --- /dev/null +++ b/queue-4.19/ext4-fix-i_data_sem-unlock-order-in-ext4_ind_migrate.patch 
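Review bot: The `de_len <= 0` branch in ext4_search_dir now returns -EFSCORRUPTED silently, whereas the other failure path goes through ext4_check_dir_entry(), which in the trees I know reports the corruption through ext4_error_inode() before failing; a bad rec_len on this branch therefore yields an error return with no log line and no errors= handling, which makes the two paths inconsistent for the same class of on-disk damage. If that is not intended, report before returning, e.g. `ext4_error_inode(dir, __func__, __LINE__, 0, "bad rec_len at offset %d", offset); return -EFSCORRUPTED;` (confirm the macro's signature in this tree, it is not visible here). The description also says ext4_find_inline_entry only handles the new error code in a following commit, so any caller in inline.c that still compares the result against -1 needs that companion patch queued alongside this one, otherwise -EFSCORRUPTED is treated as "not found". The bodies of __ext4_find_entry and ext4_dx_find_entry start and end outside the hunks.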
@@ -0,0 +1,55 @@ +From 8c7cf8ee220d223c82b6728bb563ae1ac90ebce4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 15:22:09 +0000 +Subject: ext4: fix i_data_sem unlock order in ext4_ind_migrate() + +From: Artem Sadovnikov + +[ Upstream commit cc749e61c011c255d81b192a822db650c68b313f ] + +Fuzzing reports a possible deadlock in jbd2_log_wait_commit. + +This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require +synchronous updates because the file descriptor is opened with O_SYNC. +This can lead to the jbd2_journal_stop() function calling +jbd2_might_wait_for_commit(), potentially causing a deadlock if the +EXT4_IOC_MIGRATE call races with a write(2) system call. + +This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this +case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the +jbd2_journal_stop function while i_data_sem is locked. This triggers +lockdep because the jbd2_journal_start function might also lock the same +jbd2_handle simultaneously. + +Found by Linux Verification Center (linuxtesting.org) with syzkaller. 
+ +Reviewed-by: Ritesh Harjani (IBM) +Co-developed-by: Mikhail Ukhin +Signed-off-by: Mikhail Ukhin +Signed-off-by: Artem Sadovnikov +Rule: add +Link: https://lore.kernel.org/stable/20240404095000.5872-1-mish.uxin2012%40yandex.ru +Link: https://patch.msgid.link/20240829152210.2754-1-ancowi69@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/migrate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c +index 4a72583c75593..9f73c2f7f9492 100644 +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -678,8 +678,8 @@ int ext4_ind_migrate(struct inode *inode) + ei->i_data[i] = cpu_to_le32(blk++); + ext4_mark_inode_dirty(handle, inode); + errout: +- ext4_journal_stop(handle); + up_write(&EXT4_I(inode)->i_data_sem); ++ ext4_journal_stop(handle); + out_unlock: + percpu_up_write(&sbi->s_writepages_rwsem); + return ret; +-- +2.43.0 + diff --git a/queue-4.19/fbdev-pxafb-fix-possible-use-after-free-in-pxafb_tas.patch b/queue-4.19/fbdev-pxafb-fix-possible-use-after-free-in-pxafb_tas.patch new file mode 100644 index 00000000000..2b9a2a76026 --- /dev/null +++ b/queue-4.19/fbdev-pxafb-fix-possible-use-after-free-in-pxafb_tas.patch 
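Review bot: The return value of `ext4_mark_inode_dirty(handle, inode)` on the context line just above `errout:` is discarded, so a failure to mark the migrated inode dirty leaves `ret` at 0 and the ioctl reports success; this predates the commit but sits in the very error path the commit reorders. Consider `ret = ext4_mark_inode_dirty(handle, inode);` so the error reaches the caller. The new order itself (i_data_sem released before ext4_journal_stop) looks right for the lockdep report described, since the inode fields were updated while the handle was still open. ext4_ind_migrate's body starts outside the hunk.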
@@ -0,0 +1,59 @@ +From fdc42ed79c63f5c9ce4f18135fae9f7162d236a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 22:29:52 +0800 +Subject: fbdev: pxafb: Fix possible use after free in pxafb_task() + +From: Kaixin Wang + +[ Upstream commit 4a6921095eb04a900e0000da83d9475eb958e61e ] + +In the pxafb_probe function, it calls the pxafb_init_fbinfo function, +after which &fbi->task is associated with pxafb_task. Moreover, +within this pxafb_init_fbinfo function, the pxafb_blank function +within the &pxafb_ops struct is capable of scheduling work. + +If we remove the module which will call pxafb_remove to make cleanup, +it will call unregister_framebuffer function which can call +do_unregister_framebuffer to free fbi->fb through +put_fb_info(fb_info), while the work mentioned above will be used. +The sequence of operations that may lead to a UAF bug is as follows: + +CPU0 CPU1 + + | pxafb_task +pxafb_remove | +unregister_framebuffer(info) | +do_unregister_framebuffer(fb_info) | +put_fb_info(fb_info) | +// free fbi->fb | set_ctrlr_state(fbi, state) + | __pxafb_lcd_power(fbi, 0) + | fbi->lcd_power(on, &fbi->fb.var) + | //use fbi->fb + +Fix it by ensuring that the work is canceled before proceeding +with the cleanup in pxafb_remove. + +Note that only root user can remove the driver at runtime. + +Signed-off-by: Kaixin Wang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxafb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/pxafb.c b/drivers/video/fbdev/pxafb.c +index 90dee3e6f8bc7..f76da5c6c6cd6 100644 +--- a/drivers/video/fbdev/pxafb.c ++++ b/drivers/video/fbdev/pxafb.c +@@ -2437,6 +2437,7 @@ static int pxafb_remove(struct platform_device *dev) + info = &fbi->fb; + + pxafb_overlay_exit(fbi); ++ cancel_work_sync(&fbi->task); + unregister_framebuffer(info); + + pxafb_disable_controller(fbi); +-- +2.43.0 + 
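Review bot: `cancel_work_sync(&fbi->task)` is placed before `unregister_framebuffer(info)`, so the fb_ops — including the pxafb_blank path the description says schedules this work — remain reachable after the cancel, and a concurrent fb_blank in that window can requeue the work; cancel_work_sync waits for a running instance but does not prevent re-scheduling. If that path really is open until unregistration completes, cancel after the ops are gone (or on both sides): `unregister_framebuffer(info); cancel_work_sync(&fbi->task);` — fbi itself appears to outlive the fb_info here, since `pxafb_disable_controller(fbi)` follows. I cannot see from the hunk whether anything earlier in pxafb_remove already blocks the blank path; the function starts and ends outside the hunk.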
diff --git a/queue-4.19/ipv4-check-in_dev-earlier-for-ioctl-siocsifaddr.patch b/queue-4.19/ipv4-check-in_dev-earlier-for-ioctl-siocsifaddr.patch new file mode 100644 index 00000000000..e477016969b --- /dev/null +++ b/queue-4.19/ipv4-check-in_dev-earlier-for-ioctl-siocsifaddr.patch @@ -0,0 +1,52 @@ +From 83c20a695da2d84d6af53437ba54a9edb6024766 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Aug 2024 16:54:02 -0700 +Subject: ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). + +From: Kuniyuki Iwashima + +[ Upstream commit e3af3d3c5b26c33a7950e34e137584f6056c4319 ] + +dev->ip_ptr could be NULL if we set an invalid MTU. + +Even then, if we issue ioctl(SIOCSIFADDR) for a new IPv4 address, +devinet_ioctl() allocates struct in_ifaddr and fails later in +inet_set_ifa() because in_dev is NULL. + +Let's move the check earlier. + +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20240809235406.50187-2-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index e2ab8cdb71347..e4fea3adb0652 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -541,10 +541,6 @@ static int inet_set_ifa(struct net_device *dev, struct in_ifaddr *ifa) + + ASSERT_RTNL(); + +- if (!in_dev) { +- inet_free_ifa(ifa); +- return -ENOBUFS; +- } + ipv4_devconf_setall(in_dev); + neigh_parms_data_state_setall(in_dev->arp_parms); + if (ifa->ifa_dev != in_dev) { +@@ -1113,6 +1109,8 @@ int devinet_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr) + + if (!ifa) { + ret = -ENOBUFS; ++ if (!in_dev) ++ break; + ifa = inet_alloc_ifa(); + if (!ifa) + break; +-- +2.43.0 + diff --git a/queue-4.19/ipv4-mask-upper-dscp-bits-and-ecn-bits-in-netlink_fi.patch b/queue-4.19/ipv4-mask-upper-dscp-bits-and-ecn-bits-in-netlink_fi.patch new file mode 100644 index 00000000000..e2b3e7eebbf --- /dev/null 
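Review bot: inet_set_ifa now dereferences `in_dev` unconditionally (`ipv4_devconf_setall(in_dev)`), so non-NULL has become a precondition that only devinet_ioctl's new `if (!in_dev) break;` enforces; say so where the guard used to be, e.g. `/* in_dev is guaranteed non-NULL by the caller (checked in devinet_ioctl) */`. Any other caller of inet_set_ifa in this tree — none are visible here — must give the same guarantee, otherwise the NULL dereference moves rather than disappears. The new check sits inside the `if (!ifa)` branch, which is fine because an existing ifa implies an in_dev, but a short comment noting that would spare the next reader the same reasoning. inet_set_ifa and devinet_ioctl both start and end outside the hunks.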
+++ b/queue-4.19/ipv4-mask-upper-dscp-bits-and-ecn-bits-in-netlink_fi.patch @@ -0,0 +1,50 @@ +From 69a20195461f5dcfc09a7c11f3a9b013fb56a5d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 15:52:22 +0300 +Subject: ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family + +From: Ido Schimmel + +[ Upstream commit 8fed54758cd248cd311a2b5c1e180abef1866237 ] + +The NETLINK_FIB_LOOKUP netlink family can be used to perform a FIB +lookup according to user provided parameters and communicate the result +back to user space. + +However, unlike other users of the FIB lookup API, the upper DSCP bits +and the ECN bits of the DS field are not masked, which can result in the +wrong result being returned. + +Solve this by masking the upper DSCP bits and the ECN bits using +IPTOS_RT_MASK. + +The structure that communicates the request and the response is not +exported to user space, so it is unlikely that this netlink family is +actually in use [1]. + +[1] https://lore.kernel.org/netdev/ZpqpB8vJU%2FQ6LSqa@debian/ + +Signed-off-by: Ido Schimmel +Reviewed-by: Guillaume Nault +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_frontend.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index 9aa48b4c40960..322ba1ba2ac3b 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -1135,7 +1135,7 @@ static void nl_fib_lookup(struct net *net, struct fib_result_nl *frn) + struct flowi4 fl4 = { + .flowi4_mark = frn->fl_mark, + .daddr = frn->fl_addr, +- .flowi4_tos = frn->fl_tos, ++ .flowi4_tos = frn->fl_tos & IPTOS_RT_MASK, + .flowi4_scope = frn->fl_scope, + }; + struct fib_table *tb; +-- +2.43.0 + diff --git a/queue-4.19/jfs-check-if-leafidx-greater-than-num-leaves-per-dma.patch b/queue-4.19/jfs-check-if-leafidx-greater-than-num-leaves-per-dma.patch new file mode 100644 index 00000000000..9a74482d851 --- /dev/null 
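Review bot: The masked field `frn->fl_tos` arrives in a netlink request, i.e. from user space, and nothing at the hunk says why only the `IPTOS_RT_MASK` bits are kept; a comment would save the next reader a trip to the other fib_lookup callers: `/* user-supplied TOS: keep only the routing-relevant DSCP bits, drop ECN and upper DSCP like other FIB lookups */`. The other flowi4 fields taken from the request (mark, daddr, scope) are passed through unmasked as before, which matches the commit's stated scope. nl_fib_lookup's body continues outside the hunk.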
+++ b/queue-4.19/jfs-check-if-leafidx-greater-than-num-leaves-per-dma.patch @@ -0,0 +1,52 @@ +From dc592a38e941b0cb1724af17416aebfacb325792 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Aug 2024 09:25:23 +0800 +Subject: jfs: check if leafidx greater than num leaves per dmap tree + +From: Edward Adam Davis + +[ Upstream commit d64ff0d2306713ff084d4b09f84ed1a8c75ecc32 ] + +syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater +than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf. + +Shaggy: +Modified sanity check to apply to control pages as well as leaf pages. + +Reported-and-tested-by: syzbot+dca05492eff41f604890@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890 +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 9f731847ae634..21597e8b727c6 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -3019,9 +3019,10 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) + static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) + { + int ti, n = 0, k, x = 0; +- int max_size; ++ int max_size, max_idx; + + max_size = is_ctl ? CTLTREESIZE : TREESIZE; ++ max_idx = is_ctl ? LPERCTL : LPERDMAP; + + /* first check the root of the tree to see if there is + * sufficient free space. +@@ -3053,6 +3054,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) + */ + assert(n < 4); + } ++ if (le32_to_cpu(tp->dmt_leafidx) >= max_idx) ++ return -ENOSPC; + + /* set the return to the leftmost leaf describing sufficient + * free space. +-- +2.43.0 + diff --git a/queue-4.19/jfs-fix-uaf-in-dbfreebits.patch b/queue-4.19/jfs-fix-uaf-in-dbfreebits.patch new file mode 100644 index 00000000000..71ef1b50877 --- /dev/null 
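Review bot: The new guard `if (le32_to_cpu(tp->dmt_leafidx) >= max_idx) return -ENOSPC;` reports an out-of-range on-disk leaf index as "no space", which hides a corrupted dmap behind a benign error and logs nothing; dmt_leafidx is read from the filesystem image, so for a crafted image it is attacker-controlled and the caller cannot tell exhaustion from damage. If -ENOSPC is chosen to match the existing max_size path, a comment should say so and name the value as untrusted, e.g. `/* dmt_leafidx comes from disk: out of range means a corrupt dmap, not exhaustion */`; if not, a log line at this point would help forensics. The check runs only after the tree-walk loop, so that loop's own indexing must already be bounded by the earlier max_size logic, which is outside this hunk; dbFindLeaf continues past the hunk.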
+++ b/queue-4.19/jfs-fix-uaf-in-dbfreebits.patch 
@@ -0,0 +1,117 @@ +From e0ecd7067be9680186b390f5e95af9842edf59e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Aug 2024 10:50:48 +0800 +Subject: jfs: Fix uaf in dbFreeBits + +From: Edward Adam Davis + +[ Upstream commit d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234 ] + +[syzbot reported] +================================================================== +BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] +BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 +Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216 + +CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + __mutex_lock_common kernel/locking/mutex.c:587 [inline] + __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 + dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390 + dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline] + dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409 + dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650 + jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100 + jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + +Freed by task 5218: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 + poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 + __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 + kasan_slab_free 
include/linux/kasan.h:184 [inline] + slab_free_hook mm/slub.c:2252 [inline] + slab_free mm/slub.c:4473 [inline] + kfree+0x149/0x360 mm/slub.c:4594 + dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278 + jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247 + jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454 + reconfigure_super+0x445/0x880 fs/super.c:1083 + vfs_cmd_reconfigure fs/fsopen.c:263 [inline] + vfs_fsconfig_locked fs/fsopen.c:292 [inline] + __do_sys_fsconfig fs/fsopen.c:473 [inline] + __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +[Analysis] +There are two paths (dbUnmount and jfs_ioc_trim) that generate race +condition when accessing bmap, which leads to the occurrence of uaf. + +Use the lock s_umount to synchronize them, in order to avoid uaf caused +by race condition. + +Reported-and-tested-by: syzbot+3c010e21296f33a5dc16@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_discard.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/fs/jfs/jfs_discard.c b/fs/jfs/jfs_discard.c +index f76ff0a464442..9d78c427b9443 100644 +--- a/fs/jfs/jfs_discard.c ++++ b/fs/jfs/jfs_discard.c +@@ -78,7 +78,7 @@ void jfs_issue_discard(struct inode *ip, u64 blkno, u64 nblocks) + int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) + { + struct inode *ipbmap = JFS_SBI(ip->i_sb)->ipbmap; +- struct bmap *bmp = JFS_SBI(ip->i_sb)->bmap; ++ struct bmap *bmp; + struct super_block *sb = ipbmap->i_sb; + int agno, agno_end; + u64 start, end, minlen; +@@ -96,10 +96,15 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) + if (minlen == 0) + minlen = 1; + ++ down_read(&sb->s_umount); ++ bmp = JFS_SBI(ip->i_sb)->bmap; ++ + if (minlen > bmp->db_agsize || + start >= bmp->db_mapsize || +- range->len < sb->s_blocksize) ++ 
range->len < sb->s_blocksize) { ++ up_read(&sb->s_umount); + return -EINVAL; ++ } + + if (end >= bmp->db_mapsize) + end = bmp->db_mapsize - 1; +@@ -113,6 +118,8 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) + trimmed += dbDiscardAG(ip, agno, minlen); + agno++; + } ++ ++ up_read(&sb->s_umount); + range->len = trimmed << sb->s_blocksize_bits; + + return 0; +-- +2.43.0 + diff --git a/queue-4.19/jfs-fix-uninit-value-access-of-new_ea-in-ea_buffer.patch b/queue-4.19/jfs-fix-uninit-value-access-of-new_ea-in-ea_buffer.patch new file mode 100644 index 00000000000..8d0eea0ba50 --- /dev/null +++ b/queue-4.19/jfs-fix-uninit-value-access-of-new_ea-in-ea_buffer.patch 
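Review bot: After `down_read(&sb->s_umount)` the freshly loaded `bmp = JFS_SBI(ip->i_sb)->bmap` is dereferenced (`bmp->db_agsize`, `bmp->db_mapsize`) with no NULL check; the description's own trace shows dbUnmount() freeing the bmap on a remount, and if that path (or a read-only remount) leaves the pointer NULL — which is the scenario the re-read under the lock is meant to observe — an FITRIM issued afterwards now takes a NULL dereference instead of a use-after-free. Add the check right after the load: `if (!bmp) { up_read(&sb->s_umount); return -EROFS; }` (or -EINVAL, whichever the tree uses for trim on a read-only fs). `ipbmap` and `sb` are still read before the lock is taken; that is only safe if ipbmap is not torn down on the remount path, which I cannot confirm from here. The parameter parsing at the head of jfs_ioc_trim is outside the hunk.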
@@ -0,0 +1,57 @@ +From 4f8d6b97eae2620db1ea35dae9059cc85c809f93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 09:07:58 +0800 +Subject: jfs: Fix uninit-value access of new_ea in ea_buffer + +From: Zhao Mengmeng + +[ Upstream commit 2b59ffad47db1c46af25ccad157bb3b25147c35c ] + +syzbot reports that lzo1x_1_do_compress is using uninit-value: + +===================================================== +BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178 + +... + +Uninit was stored to memory at: + ea_put fs/jfs/xattr.c:639 [inline] + +... + +Local variable ea_buf created at: + __jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662 + __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934 + +===================================================== + +The reason is ea_buf->new_ea is not initialized properly. + +Fix this by using memset to empty its content at the beginning +in ea_get(). + +Reported-by: syzbot+02341e0daa42a15ce130@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=02341e0daa42a15ce130 +Signed-off-by: Zhao Mengmeng +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/xattr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c +index 37b984692ca90..bb8c4583f0655 100644 +--- a/fs/jfs/xattr.c ++++ b/fs/jfs/xattr.c +@@ -447,6 +447,8 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size) + int rc; + int quota_allocation = 0; + ++ memset(&ea_buf->new_ea, 0, sizeof(ea_buf->new_ea)); ++ + /* When fsck.jfs clears a bad ea, it doesn't clear the size */ + if (ji->ea.flag == 0) + ea_size = 0; +-- +2.43.0 + diff --git a/queue-4.19/jfs-ubsan-shift-out-of-bounds-in-dbfindbits.patch b/queue-4.19/jfs-ubsan-shift-out-of-bounds-in-dbfindbits.patch new file mode 100644 index 00000000000..94477936aab --- /dev/null +++ b/queue-4.19/jfs-ubsan-shift-out-of-bounds-in-dbfindbits.patch 
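Review bot: `memset(&ea_buf->new_ea, 0, sizeof(ea_buf->new_ea))` clears one member of a caller-owned struct that, per the KMSAN report in the description, is an uninitialized stack local in __jfs_setxattr; it fixes the reported store in ea_put(), but every other ea_buffer field stays at whatever the caller left there, so any consumer that reads a field ea_get() has not yet assigned is the same class of bug waiting for the next fuzzer run. A one-line comment at the memset saying which consumer reads new_ea before it is written (the description points at ea_put()) would keep the next reader from "simplifying" it away, and zero-initializing ea_buf at its declaration in the callers (`struct ea_buffer ea_buf = { 0 };`) would be the more robust fix if those declarations are plain locals, which I cannot verify from here. ea_get's body continues outside the hunk.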
@@ -0,0 +1,35 @@ +From e875c75f9bd82e521a5970ecde8465f8a1f15179 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 00:12:44 +0000 +Subject: jfs: UBSAN: shift-out-of-bounds in dbFindBits + +From: Remington Brasga + +[ Upstream commit b0b2fc815e514221f01384f39fbfbff65d897e1c ] + +Fix issue with UBSAN throwing shift-out-of-bounds warning. + +Reported-by: syzbot+e38d703eeb410b17b473@syzkaller.appspotmail.com +Signed-off-by: Remington Brasga +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 1128bcdf5024a..9f731847ae634 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -3097,7 +3097,7 @@ static int dbFindBits(u32 word, int l2nb) + + /* scan the word for nb free bits at nb alignments. + */ +- for (bitno = 0; mask != 0; bitno += nb, mask >>= nb) { ++ for (bitno = 0; mask != 0; bitno += nb, mask = (mask >> nb)) { + if ((mask & word) == mask) + break; + } +-- +2.43.0 + diff --git a/queue-4.19/net-hisilicon-hip04-fix-of-node-leak-in-probe.patch b/queue-4.19/net-hisilicon-hip04-fix-of-node-leak-in-probe.patch new file mode 100644 index 00000000000..3e32d5f3534 --- /dev/null +++ b/queue-4.19/net-hisilicon-hip04-fix-of-node-leak-in-probe.patch 
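Review bot: The rewrite `mask >>= nb` to `mask = (mask >> nb)` is semantically identical C, so it cannot remove the shift-out-of-bounds report: a shift by `nb` greater than or equal to the width of `mask` is undefined in both spellings. The report must come from `nb` reaching the word width (the visible signature `dbFindBits(u32 word, int l2nb)` suggests `nb = 1 << l2nb` with l2nb allowed up to the word's log2 size, but the lines computing nb and mask are outside the hunk), and the real fix is to keep the shift inside the width, e.g. `for (bitno = 0; mask != 0; bitno += nb, mask = (nb < DBWORD) ? mask >> nb : 0)` using whatever the tree's word-width constant is, or to handle the full-word case before the loop. As queued the patch is a no-op and the syzbot reproducer should be re-run against it before it is shipped as a fix.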
@@ -0,0 +1,36 @@ +From 8c188f89dc668fa2052baa898560a2a409e52b68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 16:44:19 +0200 +Subject: net: hisilicon: hip04: fix OF node leak in probe() + +From: Krzysztof Kozlowski + +[ Upstream commit 17555297dbd5bccc93a01516117547e26a61caf1 ] + +Driver is leaking OF node reference from +of_parse_phandle_with_fixed_args() in probe(). + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20240827144421.52852-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index 718afa4be2a06..c0ca12dd5f153 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -861,6 +861,7 @@ static int hip04_mac_probe(struct platform_device *pdev) + priv->tx_coalesce_timer.function = tx_done; + + priv->map = syscon_node_to_regmap(arg.np); ++ of_node_put(arg.np); + if (IS_ERR(priv->map)) { + dev_warn(d, "no syscon hisilicon,hip04-ppe\n"); + ret = PTR_ERR(priv->map); +-- +2.43.0 + diff --git a/queue-4.19/net-hisilicon-hns_dsaf_mac-fix-of-node-leak-in-hns_m.patch b/queue-4.19/net-hisilicon-hns_dsaf_mac-fix-of-node-leak-in-hns_m.patch new file mode 100644 index 00000000000..8465259e9cc --- /dev/null +++ b/queue-4.19/net-hisilicon-hns_dsaf_mac-fix-of-node-leak-in-hns_m.patch 
@@ -0,0 +1,36 @@ +From 9a7ddf79ece919078d657d00a1ebaf14bcf0bfe6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 16:44:20 +0200 +Subject: net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() + +From: Krzysztof Kozlowski + +[ Upstream commit 5680cf8d34e1552df987e2f4bb1bff0b2a8c8b11 ] + +Driver is leaking OF node reference from +of_parse_phandle_with_fixed_args() in hns_mac_get_info(). + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20240827144421.52852-3-krzysztof.kozlowski@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c +index d2791bcff5d49..5ee4317e5a524 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c +@@ -937,6 +937,7 @@ static int hns_mac_get_info(struct hns_mac_cb *mac_cb) + mac_cb->cpld_ctrl = NULL; + } else { + syscon = syscon_node_to_regmap(cpld_args.np); ++ of_node_put(cpld_args.np); + if (IS_ERR_OR_NULL(syscon)) { + dev_dbg(mac_cb->dev, "no cpld-syscon found!\n"); + mac_cb->cpld_ctrl = NULL; +-- +2.43.0 + diff --git a/queue-4.19/net-hisilicon-hns_mdio-fix-of-node-leak-in-probe.patch b/queue-4.19/net-hisilicon-hns_mdio-fix-of-node-leak-in-probe.patch new file mode 100644 index 00000000000..a2f257d97f7 --- /dev/null +++ b/queue-4.19/net-hisilicon-hns_mdio-fix-of-node-leak-in-probe.patch 
@@ -0,0 +1,36 @@ +From bd7482c56eb26bfc8f79995fe9c456246a7b4f25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 16:44:21 +0200 +Subject: net: hisilicon: hns_mdio: fix OF node leak in probe() + +From: Krzysztof Kozlowski + +[ Upstream commit e62beddc45f487b9969821fad3a0913d9bc18a2f ] + +Driver is leaking OF node reference from +of_parse_phandle_with_fixed_args() in probe(). + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20240827144421.52852-4-krzysztof.kozlowski@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns_mdio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns_mdio.c b/drivers/net/ethernet/hisilicon/hns_mdio.c +index 9a3bc0994a1db..b0f798042e411 100644 +--- a/drivers/net/ethernet/hisilicon/hns_mdio.c ++++ b/drivers/net/ethernet/hisilicon/hns_mdio.c +@@ -508,6 +508,7 @@ static int hns_mdio_probe(struct platform_device *pdev) + MDIO_SC_RESET_ST; + } + } ++ of_node_put(reg_args.np); + } else { + dev_warn(&pdev->dev, "find syscon ret = %#x\n", ret); + mdio_dev->subctrl_vbase = NULL; +-- +2.43.0 + diff --git a/queue-4.19/net-mvpp2-increase-size-of-queue_name-buffer.patch b/queue-4.19/net-mvpp2-increase-size-of-queue_name-buffer.patch new file mode 100644 index 00000000000..a0b57d4000f --- /dev/null +++ b/queue-4.19/net-mvpp2-increase-size-of-queue_name-buffer.patch 
@@ -0,0 +1,58 @@ +From 516c1322a0d6c13443e12ba624f05f2d06198684 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 12:28:24 +0100 +Subject: net: mvpp2: Increase size of queue_name buffer + +From: Simon Horman + +[ Upstream commit 91d516d4de48532d967a77967834e00c8c53dfe6 ] + +Increase size of queue_name buffer from 30 to 31 to accommodate +the largest string written to it. This avoids truncation in +the possibly unlikely case where the string is name is the +maximum size. + +Flagged by gcc-14: + + .../mvpp2_main.c: In function 'mvpp2_probe': + .../mvpp2_main.c:7636:32: warning: 'snprintf' output may be truncated before the last format character [-Wformat-truncation=] + 7636 | "stats-wq-%s%s", netdev_name(priv->port_list[0]->dev), + | ^ + .../mvpp2_main.c:7635:9: note: 'snprintf' output between 10 and 31 bytes into a destination of size 30 + 7635 | snprintf(priv->queue_name, sizeof(priv->queue_name), + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 7636 | "stats-wq-%s%s", netdev_name(priv->port_list[0]->dev), + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 7637 | priv->port_count > 1 ? "+" : ""); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Introduced by commit 118d6298f6f0 ("net: mvpp2: add ethtool GOP statistics"). +I am not flagging this as a bug as I am not aware that it is one. + +Compile tested only. 
+ +Signed-off-by: Simon Horman +Reviewed-by: Marcin Wojtas +Link: https://patch.msgid.link/20240806-mvpp2-namelen-v1-1-6dc773653f2f@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +index 23f60bc5d48f5..57fbfef336657 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +@@ -756,7 +756,7 @@ struct mvpp2 { + unsigned int max_port_rxqs; + + /* Workqueue to gather hardware statistics */ +- char queue_name[30]; ++ char queue_name[31]; + struct workqueue_struct *stats_queue; + + /* Debugfs root entry */ +-- +2.43.0 + diff --git a/queue-4.19/of-irq-refer-to-actual-buffer-size-in-of_irq_parse_o.patch b/queue-4.19/of-irq-refer-to-actual-buffer-size-in-of_irq_parse_o.patch new file mode 100644 index 00000000000..57ff5089a95 --- /dev/null +++ b/queue-4.19/of-irq-refer-to-actual-buffer-size-in-of_irq_parse_o.patch 
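Review bot: The new size `char queue_name[31];` is another unexplained magic number; the gcc note quoted in the description gives 31 as the maximum snprintf output including the NUL, which appears to match `"stats-wq-"` (9) plus netdev_name()'s 20-byte `(unnamed net_device)` fallback plus `+` plus NUL, rather than anything derived from IFNAMSIZ. A comment at the declaration would make the next resize safe: `/* "stats-wq-" + longest netdev_name() output ("(unnamed net_device)") + "+" + NUL; see mvpp2_probe() */`. Sizing it from the contributors instead would couple the header to that fallback string, so the comment is the lighter option. The struct definition starts and ends outside the hunk.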
@@ -0,0 +1,39 @@ +From 748be46660e18f33e0186c44e510dd0074ef6eca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 14:16:53 +0200 +Subject: of/irq: Refer to actual buffer size in of_irq_parse_one() + +From: Geert Uytterhoeven + +[ Upstream commit 39ab331ab5d377a18fbf5a0e0b228205edfcc7f4 ] + +Replace two open-coded calculations of the buffer size by invocations of +sizeof() on the buffer itself, to make sure the code will always use the +actual buffer size. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/817c0b9626fd30790fc488c472a3398324cfcc0c.1724156125.git.geert+renesas@glider.be +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/irq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/irq.c b/drivers/of/irq.c +index f06c9df60e34d..35d83888071ea 100644 +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -302,8 +302,8 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar + addr = of_get_property(device, "reg", &addr_len); + + /* Prevent out-of-bounds read in case of longer interrupt parent address size */ +- if (addr_len > (3 * sizeof(__be32))) +- addr_len = 3 * sizeof(__be32); ++ if (addr_len > sizeof(addr_buf)) ++ addr_len = sizeof(addr_buf); + if (addr) + memcpy(addr_buf, addr, addr_len); + +-- +2.43.0 + diff --git a/queue-4.19/power-reset-brcmstb-do-not-go-into-infinite-loop-if-.patch b/queue-4.19/power-reset-brcmstb-do-not-go-into-infinite-loop-if-.patch new file mode 100644 index 00000000000..808f60c6bf6 --- /dev/null +++ b/queue-4.19/power-reset-brcmstb-do-not-go-into-infinite-loop-if-.patch 
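Review bot: The clamp `if (addr_len > sizeof(addr_buf)) addr_len = sizeof(addr_buf);` runs before the `if (addr)` test, so when the node has no `reg` property and of_get_property() leaves `*lenp` untouched (it only stores a length on success in the versions I know) the comparison reads an `addr_len` that was never assigned; the memcpy is skipped so nothing is corrupted, but it is an uninitialized read that KMSAN will eventually flag. Moving the clamp under the existing guard closes it: `if (addr) { if (addr_len > sizeof(addr_buf)) addr_len = sizeof(addr_buf); memcpy(addr_buf, addr, addr_len); }`. `addr_len` is an `int` compared against a `size_t`, so the comparison is unsigned; that is fine only as long as of_get_property never reports a negative length. The declarations of addr_len and addr_buf are outside the hunk.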
@@ -0,0 +1,39 @@ +From af18fd125588034df1f54996086798df9db3755e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2024 09:28:36 -0500 +Subject: power: reset: brcmstb: Do not go into infinite loop if reset fails + +From: Andrew Davis + +[ Upstream commit cf8c39b00e982fa506b16f9d76657838c09150cb ] + +There may be other backup reset methods available, do not halt +here so that other reset methods can be tried. + +Signed-off-by: Andrew Davis +Reviewed-by: Dhruva Gole +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20240610142836.168603-5-afd@ti.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/reset/brcmstb-reboot.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/power/reset/brcmstb-reboot.c b/drivers/power/reset/brcmstb-reboot.c +index 884b53c483c09..9f8b9e5cad93a 100644 +--- a/drivers/power/reset/brcmstb-reboot.c ++++ b/drivers/power/reset/brcmstb-reboot.c +@@ -72,9 +72,6 @@ static int brcmstb_restart_handler(struct notifier_block *this, + return NOTIFY_DONE; + } + +- while (1) +- ; +- + return NOTIFY_DONE; + } + +-- +2.43.0 + diff --git a/queue-4.19/regmap-hold-the-regmap-lock-when-allocating-and-free.patch b/queue-4.19/regmap-hold-the-regmap-lock-when-allocating-and-free.patch new file mode 100644 index 00000000000..5bf8f9c2069 --- /dev/null +++ b/queue-4.19/regmap-hold-the-regmap-lock-when-allocating-and-free.patch 
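Review bot: With the spin removed, brcmstb_restart_handler returns NOTIFY_DONE both when the reset write failed (the `return NOTIFY_DONE;` visible in context above) and after a reset was successfully requested, and nothing at the second return says this is deliberate, so a later reader may re-add the loop. A comment would carry the intent the description gives: `/* Reset is in flight; return so the reboot core can try other handlers if it never takes effect. */`. Whether the caller tolerates a handler returning after a reset request depends on the reboot core of this tree, which is outside the hunk, as is the start of the function.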
@@ -0,0 +1,60 @@
+From f4f0ff0ff39cd475cc0a40b0f9f1347ff0688925 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Aug 2024 20:13:36 +0100
+Subject: regmap: Hold the regmap lock when allocating and freeing the cache
+
+From: Mark Brown
+
+[ Upstream commit fd4ebc07b4dff7e1abedf1b7fd477bc04b69ae55 ]
+
+For the benefit of the maple tree's lockdep checking hold the lock while
+creating and exiting the cache.
+
+Signed-off-by: Mark Brown
+Link: https://patch.msgid.link/20240822-b4-regmap-maple-nolock-v1-2-d5e6dbae3396@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/base/regmap/regcache.c | 4 ++++
+ drivers/base/regmap/regmap.c | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c
+index b78e4b6e2c9da..b86fefa4b089e 100644
+--- a/drivers/base/regmap/regcache.c
++++ b/drivers/base/regmap/regcache.c
+@@ -193,7 +193,9 @@ int regcache_init(struct regmap *map, const struct regmap_config *config)
+ if (map->cache_ops->init) {
+ dev_dbg(map->dev, "Initializing %s cache\n",
+ map->cache_ops->name);
++ map->lock(map->lock_arg);
+ ret = map->cache_ops->init(map);
++ map->unlock(map->lock_arg);
+ if (ret)
+ goto err_free;
+ }
+@@ -221,7 +223,9 @@ void regcache_exit(struct regmap *map)
+ if (map->cache_ops->exit) {
+ dev_dbg(map->dev, "Destroying %s cache\n",
+ map->cache_ops->name);
++ map->lock(map->lock_arg);
+ map->cache_ops->exit(map);
++ map->unlock(map->lock_arg);
+ }
+ }
+ 
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index 5e03735374ae2..75b793af4781a 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1312,6 +1312,7 @@ void regmap_exit(struct regmap *map)
+ struct regmap_async *async;
+ 
+ regcache_exit(map);
++
+ regmap_debugfs_exit(map);
+ regmap_range_exit(map);
+ if (map->bus && map->bus->free_context)
+-- 
+2.43.0
+
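Review bot: Wrapping `map->cache_ops->init(map)` in `map->lock()` / `map->unlock()` in regcache_init is only safe if every cache backend's init allocates with `map->alloc_flags` or otherwise never sleeps, because for fast_io maps the lock callback is a spinlock and any GFP_KERNEL allocation inside a backend init would now run in atomic context; that is worth checking for each backend present in this tree before taking the backport. The stated motivation, lockdep checking for the maple-tree cache, does not appear to apply to 4.19, which as far as I can tell has no maple-tree backend, so the benefit here is smaller than the risk unless the spinlock case is confirmed. The same locking is added around `cache_ops->exit(map)` in regcache_exit, where freeing is unlikely to sleep but the same check applies. The regmap.c hunk only adds a blank line; regcache_init and regcache_exit begin and end outside the hunks.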
diff --git a/queue-4.19/scsi-aacraid-rearrange-order-of-struct-aac_srb_unit.patch b/queue-4.19/scsi-aacraid-rearrange-order-of-struct-aac_srb_unit.patch
new file mode 100644
index 00000000000..e6df3a020e2
--- /dev/null
+++ b/queue-4.19/scsi-aacraid-rearrange-order-of-struct-aac_srb_unit.patch
@@ -0,0 +1,112 @@
+From f574198762b98bbcf7a1a6745e0469a5eee5fb0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Jul 2024 14:57:37 -0700
+Subject: scsi: aacraid: Rearrange order of struct aac_srb_unit
+
+From: Kees Cook
+
+[ Upstream commit 6e5860b0ad4934baee8c7a202c02033b2631bb44 ]
+
+struct aac_srb_unit contains struct aac_srb, which contains struct sgmap,
+which ends in a (currently) "fake" (1-element) flexible array. Converting
+this to a flexible array is needed so that runtime bounds checking won't
+think the array is fixed size (i.e. under CONFIG_FORTIFY_SOURCE=y and/or
+CONFIG_UBSAN_BOUNDS=y), as other parts of aacraid use struct sgmap as a
+flexible array.
+
+It is not legal to have a flexible array in the middle of a structure, so
+it either needs to be split up or rearranged so that it is at the end of
+the structure. Luckily, struct aac_srb_unit, which is exclusively
+consumed/updated by aac_send_safw_bmic_cmd(), does not depend on member
+ordering.
+
+The values set in the on-stack struct aac_srb_unit instance "srbu" by the
+only two callers, aac_issue_safw_bmic_identify() and
+aac_get_safw_ciss_luns(), do not contain anything in srbu.srb.sgmap.sg, and
+they both implicitly initialize srbu.srb.sgmap.count to 0 during
+memset(). For example:
+
+ memset(&srbu, 0, sizeof(struct aac_srb_unit));
+
+ srbcmd = &srbu.srb;
+ srbcmd->flags = cpu_to_le32(SRB_DataIn);
+ srbcmd->cdb[0] = CISS_REPORT_PHYSICAL_LUNS;
+ srbcmd->cdb[1] = 2; /* extended reporting */
+ srbcmd->cdb[8] = (u8)(datasize >> 8);
+ srbcmd->cdb[9] = (u8)(datasize);
+
+ rcode = aac_send_safw_bmic_cmd(dev, &srbu, phys_luns, datasize);
+
+During aac_send_safw_bmic_cmd(), a separate srb is mapped into DMA, and has
+srbu.srb copied into it:
+
+ srb = fib_data(fibptr);
+ memcpy(srb, &srbu->srb, sizeof(struct aac_srb));
+
+Only then is srb.sgmap.count written and srb->sg populated:
+
+ srb->count = cpu_to_le32(xfer_len);
+
+ sg64 = (struct sgmap64 *)&srb->sg;
+ sg64->count = cpu_to_le32(1);
+ sg64->sg[0].addr[1] = cpu_to_le32(upper_32_bits(addr));
+ sg64->sg[0].addr[0] = cpu_to_le32(lower_32_bits(addr));
+ sg64->sg[0].count = cpu_to_le32(xfer_len);
+
+But this is happening in the DMA memory, not in srbu.srb. An attempt to
+copy the changes back to srbu does happen:
+
+ /*
+ * Copy the updated data for other dumping or other usage if
+ * needed
+ */
+ memcpy(&srbu->srb, srb, sizeof(struct aac_srb));
+
+But this was never correct: the sg64 (3 u32s) overlap of srb.sg (2 u32s)
+always meant that srbu.srb would have held truncated information and any
+attempt to walk srbu.srb.sg.sg based on the value of srbu.srb.sg.count
+would result in attempting to parse past the end of srbu.srb.sg.sg[0] into
+srbu.srb_reply.
+
+After getting a reply from hardware, the reply is copied into
+srbu.srb_reply:
+
+ srb_reply = (struct aac_srb_reply *)fib_data(fibptr);
+ memcpy(&srbu->srb_reply, srb_reply, sizeof(struct aac_srb_reply));
+
+This has always been fixed-size, so there's no issue here. It is worth
+noting that the two callers _never check_ srbu contents -- neither
+srbu.srb nor srbu.srb_reply is examined. (They depend on the mapped
+xfer_buf instead.)
+
+Therefore, the ordering of members in struct aac_srb_unit does not matter,
+and the flexible array member can moved to the end.
+
+(Additionally, the two memcpy()s that update srbu could be entirely
+removed as they are never consumed, but I left that as-is.)
+
+Signed-off-by: Kees Cook
+Link: https://lore.kernel.org/r/20240711215739.208776-1-kees@kernel.org
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/aacraid/aacraid.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h
+index 074760f210145..135e3f39c895c 100644
+--- a/drivers/scsi/aacraid/aacraid.h
++++ b/drivers/scsi/aacraid/aacraid.h
+@@ -2037,8 +2037,8 @@ struct aac_srb_reply
+ };
+ 
+ struct aac_srb_unit {
+- struct aac_srb srb;
+ struct aac_srb_reply srb_reply;
++ struct aac_srb srb;
+ };
+ 
+ /*
+-- 
+2.43.0
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 0c953e96c37..218236f319b 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
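Review bot: Nothing in the header records why `srb` must now be the last member of struct aac_srb_unit, so a later tidy-up could move it back and defeat the flexible-array conversion this reorder prepares for; a comment above the member would pin it: `/* Keep last: struct aac_srb ends in struct sgmap, whose trailing array is to become a flexible array member */`. Per the commit message, the copy-back of the DMA srb into srbu is never consumed, and after this reorder any walk of srbu.srb.sg driven by its count would run past the end of the on-stack struct rather than into srb_reply, so removing those memcpy()s is a reasonable follow-up outside this diff. The struct definition is complete within the hunk.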
@@ -143,3 +143,38 @@ sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch
 alsa-hda-generic-unconditionally-prefer-preferred_da.patch
 alsa-hda-conexant-fix-conflicting-quirk-for-system76.patch
 f2fs-require-fmode_write-for-atomic-write-ioctls.patch
+wifi-ath9k-fix-possible-integer-overflow-in-ath9k_ge.patch
+wifi-ath9k_htc-use-__skb_set_length-for-resetting-ur.patch
+net-hisilicon-hip04-fix-of-node-leak-in-probe.patch
+net-hisilicon-hns_dsaf_mac-fix-of-node-leak-in-hns_m.patch
+net-hisilicon-hns_mdio-fix-of-node-leak-in-probe.patch
+acpica-fix-memory-leak-if-acpi_ps_get_next_namepath-.patch
+acpica-fix-memory-leak-if-acpi_ps_get_next_field-fai.patch
+acpi-ec-do-not-release-locks-during-operation-region.patch
+acpica-check-null-return-of-acpi_allocate_zeroed-in-.patch
+tipc-guard-against-string-buffer-overrun.patch
+net-mvpp2-increase-size-of-queue_name-buffer.patch
+ipv4-check-in_dev-earlier-for-ioctl-siocsifaddr.patch
+ipv4-mask-upper-dscp-bits-and-ecn-bits-in-netlink_fi.patch
+tcp-avoid-reusing-fin_wait2-when-trying-to-find-port.patch
+acpica-iasl-handle-empty-connection_node.patch
+wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch
+signal-replace-bug_on-s.patch
+regmap-hold-the-regmap-lock-when-allocating-and-free.patch
+alsa-asihpi-fix-potential-oob-array-access.patch
+alsa-hdsp-break-infinite-midi-input-flush-loop.patch
+fbdev-pxafb-fix-possible-use-after-free-in-pxafb_tas.patch
+power-reset-brcmstb-do-not-go-into-infinite-loop-if-.patch
+ata-sata_sil-rename-sil_blacklist-to-sil_quirks.patch
+jfs-ubsan-shift-out-of-bounds-in-dbfindbits.patch
+jfs-fix-uaf-in-dbfreebits.patch
+jfs-check-if-leafidx-greater-than-num-leaves-per-dma.patch
+jfs-fix-uninit-value-access-of-new_ea-in-ea_buffer.patch
+drm-amd-display-check-stream-before-comparing-them.patch
+drm-amd-display-fix-index-out-of-bounds-in-degamma-h.patch
+drm-printer-allow-null-data-in-devcoredump-printer.patch
+scsi-aacraid-rearrange-order-of-struct-aac_srb_unit.patch
+drm-radeon-r100-handle-unknown-family-in-r100_cp_ini.patch
+of-irq-refer-to-actual-buffer-size-in-of_irq_parse_o.patch
+ext4-ext4_search_dir-should-return-a-proper-error.patch
+ext4-fix-i_data_sem-unlock-order-in-ext4_ind_migrate.patch
diff --git a/queue-4.19/signal-replace-bug_on-s.patch b/queue-4.19/signal-replace-bug_on-s.patch
new file mode 100644
index 00000000000..4cc59149fa6
--- /dev/null
+++ b/queue-4.19/signal-replace-bug_on-s.patch
@@ -0,0 +1,61 @@
+From 3035d74bbfc8414b7e57a3556113fe2e481a8d61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Jun 2024 18:42:34 +0200
+Subject: signal: Replace BUG_ON()s
+
+From: Thomas Gleixner
+
+[ Upstream commit 7f8af7bac5380f2d95a63a6f19964e22437166e1 ]
+
+These really can be handled gracefully without killing the machine.
+
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Frederic Weisbecker
+Reviewed-by: Oleg Nesterov
+Acked-by: Peter Zijlstra (Intel)
+Signed-off-by: Sasha Levin
+---
+ kernel/signal.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index c79b87ac10416..356bdf5c45e61 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1739,10 +1739,11 @@ struct sigqueue *sigqueue_alloc(void)
+ 
+ void sigqueue_free(struct sigqueue *q)
+ {
+- unsigned long flags;
+ spinlock_t *lock = ¤t->sighand->siglock;
++ unsigned long flags;
+ 
+- BUG_ON(!(q->flags & SIGQUEUE_PREALLOC));
++ if (WARN_ON_ONCE(!(q->flags & SIGQUEUE_PREALLOC)))
++ return;
+ /*
+ * We must hold ->siglock while testing q->list
+ * to serialize with collect_signal() or with
+@@ -1770,7 +1771,10 @@ int send_sigqueue(struct sigqueue *q, struct pid *pid, enum pid_type type)
+ unsigned long flags;
+ int ret, result;
+ 
+- BUG_ON(!(q->flags & SIGQUEUE_PREALLOC));
++ if (WARN_ON_ONCE(!(q->flags & SIGQUEUE_PREALLOC)))
++ return 0;
++ if (WARN_ON_ONCE(q->info.si_code != SI_TIMER))
++ return 0;
+ 
+ ret = -1;
+ rcu_read_lock();
+@@ -1789,7 +1793,6 @@ int send_sigqueue(struct sigqueue *q, struct pid *pid, enum pid_type type)
+ * If an SI_TIMER entry is already queue just increment
+ * the overrun count.
+ */
+- BUG_ON(q->info.si_code != SI_TIMER);
+ q->info.si_overrun++;
+ result = TRACE_SIGNAL_ALREADY_PENDING;
+ goto out;
+-- 
+2.43.0
+
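Review bot: The two new early exits in send_sigqueue return 0, which differs from the `ret = -1;` "target gone" initialisation visible just below and is presumably the same value the unchanged tail of the function uses for a successfully queued signal, so a caller cannot distinguish a rejected, corrupted sigqueue from a delivered one; if that is intended (keep a timer armed rather than stopping it on a bogus queue) a one-line comment would make it deliberate: `/* Report as queued: a corrupted sigqueue must not stop the caller's timer */`. The SI_TIMER check is now performed before the sighand lock is taken rather than inside the already-queued path, which is fine only because q->info.si_code is not expected to change concurrently; worth stating next to it. In sigqueue_free the early `return` skips whatever free follows, trading a leak for the old panic, which is the safer choice. Both functions continue outside the hunks.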
diff --git a/queue-4.19/tcp-avoid-reusing-fin_wait2-when-trying-to-find-port.patch b/queue-4.19/tcp-avoid-reusing-fin_wait2-when-trying-to-find-port.patch
new file mode 100644
index 00000000000..a9641c4c331
--- /dev/null
+++ b/queue-4.19/tcp-avoid-reusing-fin_wait2-when-trying-to-find-port.patch
@@ -0,0 +1,82 @@
+From 01e2e6a75fa38515ad2fa444f9ccf6d598869956 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Aug 2024 08:11:52 +0800
+Subject: tcp: avoid reusing FIN_WAIT2 when trying to find port in connect()
+ process
+
+From: Jason Xing
+
+[ Upstream commit 0d9e5df4a257afc3a471a82961ace9a22b88295a ]
+
+We found that one close-wait socket was reset by the other side
+due to a new connection reusing the same port which is beyond our
+expectation, so we have to investigate the underlying reason.
+
+The following experiment is conducted in the test environment. We
+limit the port range from 40000 to 40010 and delay the time to close()
+after receiving a fin from the active close side, which can help us
+easily reproduce like what happened in production.
+
+Here are three connections captured by tcpdump:
+127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965525191
+127.0.0.1.9999 > 127.0.0.1.40002: Flags [S.], seq 2769915070
+127.0.0.1.40002 > 127.0.0.1.9999: Flags [.], ack 1
+127.0.0.1.40002 > 127.0.0.1.9999: Flags [F.], seq 1, ack 1
+// a few seconds later, within 60 seconds
+127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965590730
+127.0.0.1.9999 > 127.0.0.1.40002: Flags [.], ack 2
+127.0.0.1.40002 > 127.0.0.1.9999: Flags [R], seq 2965525193
+// later, very quickly
+127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965590730
+127.0.0.1.9999 > 127.0.0.1.40002: Flags [S.], seq 3120990805
+127.0.0.1.40002 > 127.0.0.1.9999: Flags [.], ack 1
+
+As we can see, the first flow is reset because:
+1) client starts a new connection, I mean, the second one
+2) client tries to find a suitable port which is a timewait socket
+ (its state is timewait, substate is fin_wait2)
+3) client occupies that timewait port to send a SYN
+4) server finds a corresponding close-wait socket in ehash table,
+ then replies with a challenge ack
+5) client sends an RST to terminate this old close-wait socket.
+
+I don't think the port selection algo can choose a FIN_WAIT2 socket
+when we turn on tcp_tw_reuse because on the server side there
+remain unread data. In some cases, if one side haven't call close() yet,
+we should not consider it as expendable and treat it at will.
+
+Even though, sometimes, the server isn't able to call close() as soon
+as possible like what we expect, it can not be terminated easily,
+especially due to a second unrelated connection happening.
+
+After this patch, we can see the expected failure if we start a
+connection when all the ports are occupied in fin_wait2 state:
+"Ncat: Cannot assign requested address."
+
+Reported-by: Jade Dong
+Signed-off-by: Jason Xing
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20240823001152.31004-1-kerneljasonxing@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_ipv4.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index d08e9d33e4d79..1bf315e83d7b9 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -115,6 +115,9 @@ int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp)
+ const struct tcp_timewait_sock *tcptw = tcp_twsk(sktw);
+ struct tcp_sock *tp = tcp_sk(sk);
+ 
++ if (tw->tw_substate == TCP_FIN_WAIT2)
++ reuse = 0;
++
+ if (reuse == 2) {
+ /* Still does not detect *everything* that goes through
+ * lo, since we require a loopback src or dst address
+-- 
+2.43.0
+
diff --git a/queue-4.19/tipc-guard-against-string-buffer-overrun.patch b/queue-4.19/tipc-guard-against-string-buffer-overrun.patch
new file mode 100644
index 00000000000..161330763c3
--- /dev/null
+++ b/queue-4.19/tipc-guard-against-string-buffer-overrun.patch
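Review bot: The new check reads `tw->tw_substate` and clears `reuse`, but neither `tw` nor `reuse` is declared within the hunk and nothing in the code explains why a FIN_WAIT2 timewait socket is excluded even for the loopback `reuse == 2` fast path that follows; the reasoning from the commit message belongs next to the test: `/* Never reuse a FIN_WAIT2 timewait socket: the peer has not closed and may still hold unread data */`. Placing the check before the `reuse == 2` branch is the right order, since otherwise the loopback path could re-enable reuse. tcp_twsk_unique starts and ends outside the hunk.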
@@ -0,0 +1,53 @@
+From 88247ced0463de38260841e74900160e6b20702c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Aug 2024 19:35:37 +0100
+Subject: tipc: guard against string buffer overrun
+
+From: Simon Horman
+
+[ Upstream commit 6555a2a9212be6983d2319d65276484f7c5f431a ]
+
+Smatch reports that copying media_name and if_name to name_parts may
+overwrite the destination.
+
+ .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
+ .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)
+
+This does seem to be the case so guard against this possibility by using
+strscpy() and failing if truncation occurs.
+
+Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge")
+
+Compile tested only.
+
+Reviewed-by: Jakub Kicinski
+Signed-off-by: Simon Horman
+Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/tipc/bearer.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
+index c7686ff00f5bc..5ceb7d489686f 100644
+--- a/net/tipc/bearer.c
++++ b/net/tipc/bearer.c
+@@ -158,8 +158,12 @@ static int bearer_name_validate(const char *name,
+ 
+ /* return bearer name components, if necessary */
+ if (name_parts) {
+- strcpy(name_parts->media_name, media_name);
+- strcpy(name_parts->if_name, if_name);
++ if (strscpy(name_parts->media_name, media_name,
++ TIPC_MAX_MEDIA_NAME) < 0)
++ return 0;
++ if (strscpy(name_parts->if_name, if_name,
++ TIPC_MAX_IF_NAME) < 0)
++ return 0;
+ }
+ return 1;
+ }
+-- 
+2.43.0
+
diff --git a/queue-4.19/wifi-ath9k-fix-possible-integer-overflow-in-ath9k_ge.patch b/queue-4.19/wifi-ath9k-fix-possible-integer-overflow-in-ath9k_ge.patch
new file mode 100644
index 00000000000..6f0d5cd9b9c
--- /dev/null
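Review bot: The new strscpy() calls bound the copies with `TIPC_MAX_MEDIA_NAME` and `TIPC_MAX_IF_NAME` rather than the destination fields themselves, so the guard holds only while those macros match the field sizes, which is the same open-coded-size coupling the of/irq patch in this queue removes; `if (strscpy(name_parts->media_name, media_name, sizeof(name_parts->media_name)) < 0)` and the same for if_name would track the struct definition directly. Returning 0 after a truncated first copy leaves a partially written media_name in name_parts, which is harmless only if callers ignore name_parts on failure; a comment saying so would help. The earlier length validation in bearer_name_validate is outside the hunk.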
+++ b/queue-4.19/wifi-ath9k-fix-possible-integer-overflow-in-ath9k_ge.patch 
@@ -0,0 +1,47 @@
+From adb989e32215fde94bb7a096aa8ac4b20de68f89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Jul 2024 14:17:43 +0300
+Subject: wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Kandybka
+
+[ Upstream commit 3f66f26703093886db81f0610b97a6794511917c ]
+
+In 'ath9k_get_et_stats()', promote TX stats counters to 'u64'
+to avoid possible integer overflow. Compile tested only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Dmitry Kandybka
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://patch.msgid.link/20240725111743.14422-1-d.kandybka@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/debug.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c
+index 9440d6bfea922..c89f89f553e60 100644
+--- a/drivers/net/wireless/ath/ath9k/debug.c
++++ b/drivers/net/wireless/ath/ath9k/debug.c
+@@ -1329,11 +1329,11 @@ void ath9k_get_et_stats(struct ieee80211_hw *hw,
+ struct ath_softc *sc = hw->priv;
+ int i = 0;
+ 
+- data[i++] = (sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_pkts_all +
++ data[i++] = ((u64)sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_pkts_all +
+ sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BK)].tx_pkts_all +
+ sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VI)].tx_pkts_all +
+ sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VO)].tx_pkts_all);
+- data[i++] = (sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_bytes_all +
++ data[i++] = ((u64)sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_bytes_all +
+ sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BK)].tx_bytes_all +
+ sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VI)].tx_bytes_all +
+ sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VO)].tx_bytes_all);
+-- 
+2.43.0
+
diff --git a/queue-4.19/wifi-ath9k_htc-use-__skb_set_length-for-resetting-ur.patch b/queue-4.19/wifi-ath9k_htc-use-__skb_set_length-for-resetting-ur.patch
new file mode 100644
index 00000000000..145c1ebb4c0
--- /dev/null
+++ b/queue-4.19/wifi-ath9k_htc-use-__skb_set_length-for-resetting-ur.patch
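Review bot: Casting only the first `tx_pkts_all` / `tx_bytes_all` operand to u64 is sufficient, because `+` associates left to right so every subsequent addition is already performed in u64, but the asymmetry is easy to misread as an incomplete fix; a comment on each first line, `/* first operand widened: left-to-right + keeps the whole sum in u64 */`, would save the next reader the question. The width of the per-queue counters and of `data[]` is not visible in the hunk, so whether the promotion changes what ethtool reports on 32-bit hosts cannot be confirmed from here. ath9k_get_et_stats continues outside the hunk.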
@@ -0,0 +1,59 @@
+From b5c6a66cd83e925335a50285322dd4e8feed5e5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Aug 2024 16:24:46 +0200
+Subject: wifi: ath9k_htc: Use __skb_set_length() for resetting urb before
+ resubmit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen
+
+[ Upstream commit 94745807f3ebd379f23865e6dab196f220664179 ]
+
+Syzbot points out that skb_trim() has a sanity check on the existing length of
+the skb, which can be uninitialised in some error paths. The intent here is
+clearly just to reset the length to zero before resubmitting, so switch to
+calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length()
+already contains a call to skb_reset_tail_pointer(), so remove the redundant
+call.
+
+The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar
+usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.
+
+Reported-by: syzbot+98afa303be379af6cdb2@syzkaller.appspotmail.com
+Signed-off-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://patch.msgid.link/20240812142447.12328-1-toke@toke.dk
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
+index 3aa915d215545..24059a5178a9d 100644
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -718,8 +718,7 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb)
+ }
+ 
+ resubmit:
+- skb_reset_tail_pointer(skb);
+- skb_trim(skb, 0);
++ __skb_set_length(skb, 0);
+ 
+ usb_anchor_urb(urb, &hif_dev->rx_submitted);
+ ret = usb_submit_urb(urb, GFP_ATOMIC);
+@@ -756,8 +755,7 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
+ case -ESHUTDOWN:
+ goto free_skb;
+ default:
+- skb_reset_tail_pointer(skb);
+- skb_trim(skb, 0);
++ __skb_set_length(skb, 0);
+ 
+ goto resubmit;
+ }
+-- 
+2.43.0
+
diff --git a/queue-4.19/wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch b/queue-4.19/wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch
new file mode 100644
index 00000000000..83a74d49d75
--- /dev/null
+++ b/queue-4.19/wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch
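Review bot: As far as I recall, `__skb_set_length()` returns early (with a WARN) for a non-linear skb and only updates `skb->len` and the tail pointer for linear ones, so the resubmit paths now rely on these RX skbs being linear, which holds for driver-allocated URB buffers but is not stated at either call site; `/* rx skbs are linear: __skb_set_length() is a no-op otherwise */` would record the assumption. Both hunks replace the same two-line sequence, so the note applies equally to the `default:` arm in ath9k_hif_usb_reg_in_cb. Both callbacks start outside the hunks.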
@@ -0,0 +1,62 @@
+From ccaeeff5856fddfbefe35c10ef0dbed727e6c5fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Aug 2024 15:23:51 -0600
+Subject: wifi: mwifiex: Fix memcpy() field-spanning write warning in
+ mwifiex_cmd_802_11_scan_ext()
+
+From: Gustavo A. R. Silva
+
+[ Upstream commit 498365e52bebcbc36a93279fe7e9d6aec8479cee ]
+
+Replace one-element array with a flexible-array member in
+`struct host_cmd_ds_802_11_scan_ext`.
+
+With this, fix the following warning:
+
+elo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------
+elo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1)
+elo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex]
+
+Reported-by: Andy Shevchenko
+Closes: https://lore.kernel.org/linux-hardening/ZsZNgfnEwOcPdCly@black.fi.intel.com/
+Signed-off-by: Gustavo A. R. Silva
+Reviewed-by: Andy Shevchenko
+Acked-by: Brian Norris
+Signed-off-by: Kalle Valo
+Link: https://patch.msgid.link/ZsZa5xRcsLq9D+RX@elsanto
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
+ drivers/net/wireless/marvell/mwifiex/scan.c | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
+index 3e3134bcc2b06..bfa482cf464ff 100644
+--- a/drivers/net/wireless/marvell/mwifiex/fw.h
++++ b/drivers/net/wireless/marvell/mwifiex/fw.h
+@@ -1590,7 +1590,7 @@ struct host_cmd_ds_802_11_scan_rsp {
+ 
+ struct host_cmd_ds_802_11_scan_ext {
+ u32 reserved;
+- u8 tlv_buffer[1];
++ u8 tlv_buffer[];
+ } __packed;
+ 
+ struct mwifiex_ie_types_bss_mode {
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 4f0e78ae3dbd0..0cbdd5a930d83 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -2570,8 +2570,7 @@ int mwifiex_ret_802_11_scan_ext(struct mwifiex_private *priv,
+ ext_scan_resp = &resp->params.ext_scan;
+ 
+ tlv = (void *)ext_scan_resp->tlv_buffer;
+- buf_left = le16_to_cpu(resp->size) - (sizeof(*ext_scan_resp) + S_DS_GEN
+- - 1);
++ buf_left = le16_to_cpu(resp->size) - (sizeof(*ext_scan_resp) + S_DS_GEN);
+ 
+ while (buf_left >= sizeof(struct mwifiex_ie_types_header)) {
+ type = le16_to_cpu(tlv->type);
+-- 
+2.43.0
+
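Review bot: The new `buf_left` line still subtracts the header size from the firmware-supplied `resp->size` without first checking that `le16_to_cpu(resp->size) >= sizeof(*ext_scan_resp) + S_DS_GEN`; buf_left's type is declared outside the hunk, but if it is unsigned a short response wraps to a huge value and the `while (buf_left >= sizeof(struct mwifiex_ie_types_header))` walk that follows reads past the response buffer, and if it is signed the loop silently does nothing. Since the line is being touched anyway, a guard before the subtraction such as `if (le16_to_cpu(resp->size) < sizeof(*ext_scan_resp) + S_DS_GEN) return -1;` (using whatever error value this function's callers expect) would close that pre-existing gap. The fw.h hunk changes sizeof(struct host_cmd_ds_802_11_scan_ext) from 5 to 4 bytes under `__packed`, which this scan.c line compensates for by dropping the `- 1`, but any other size computation that carried a similar `- 1` correction is not in this diff and is worth a grep. mwifiex_ret_802_11_scan_ext starts and ends outside the hunk.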