From: Greg Kroah-Hartman Date: Sat, 9 Sep 2023 13:32:58 +0000 (+0100) Subject: 6.4-stable patches X-Git-Tag: v6.1.53~74 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3327b24c2965d8729927b7e7c3ea1c83e5ec5a26;p=thirdparty%2Fkernel%2Fstable-queue.git 6.4-stable patches added patches: alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch io_uring-don-t-set-affinity-on-a-dying-sqpoll-thread.patch --- diff --git a/queue-6.4/alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch b/queue-6.4/alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch new file mode 100644 index 00000000000..54814e64f40 --- /dev/null +++ b/queue-6.4/alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch @@ -0,0 +1,47 @@ +From 99bf5b0baac941176a6a3d5cef7705b29808de34 Mon Sep 17 00:00:00 2001 +From: Vitaly Rodionov +Date: Mon, 4 Sep 2023 17:00:33 +0100 +Subject: ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42 codecs. + +From: Vitaly Rodionov + +commit 99bf5b0baac941176a6a3d5cef7705b29808de34 upstream. + +Recently in v6.3-rc1 there was a change affecting behaviour of hrtimers +(commit 0c52310f260014d95c1310364379772cb74cf82d) and causing +few issues on platforms with two CS42L42 codecs. Canonical/Dell +has reported an issue with Vostro-3910. +We need to increase this value by 15ms. + +Link: https://bugs.launchpad.net/somerville/+bug/2031060 +Fixes: 9fb9fa18fb50 ("ALSA: hda/cirrus: Add extra 10 ms delay to allow PLL settle and lock.") +Signed-off-by: Vitaly Rodionov +Link: https://lore.kernel.org/r/20230904160033.908135-1-vitalyr@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_cs8409.c | 2 +- + sound/pci/hda/patch_cs8409.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_cs8409.c ++++ b/sound/pci/hda/patch_cs8409.c +@@ -888,7 +888,7 @@ static void cs42l42_resume(struct sub_co + + /* Initialize CS42L42 companion codec */ + cs8409_i2c_bulk_write(cs42l42, cs42l42->init_seq, cs42l42->init_seq_num); +- usleep_range(30000, 35000); ++ msleep(CS42L42_INIT_TIMEOUT_MS); + + /* Clear interrupts, by reading interrupt status registers */ + cs8409_i2c_bulk_read(cs42l42, irq_regs, ARRAY_SIZE(irq_regs)); +--- a/sound/pci/hda/patch_cs8409.h ++++ b/sound/pci/hda/patch_cs8409.h +@@ -229,6 +229,7 @@ enum cs8409_coefficient_index_registers + #define CS42L42_I2C_SLEEP_US (2000) + #define CS42L42_PDN_TIMEOUT_US (250000) + #define CS42L42_PDN_SLEEP_US (2000) ++#define CS42L42_INIT_TIMEOUT_MS (45) + #define CS42L42_FULL_SCALE_VOL_MASK (2) + #define CS42L42_FULL_SCALE_VOL_0DB (1) + #define CS42L42_FULL_SCALE_VOL_MINUS6DB (0) diff --git a/queue-6.4/arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch b/queue-6.4/arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch new file mode 100644 index 00000000000..3b18571031a --- /dev/null +++ b/queue-6.4/arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch @@ -0,0 +1,75 @@ +From 8bd795fedb8450ecbef18eeadbd23ed8fc7630f5 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 7 Sep 2023 09:54:11 +0100 +Subject: arm64: csum: Fix OoB access in IP checksum code for negative lengths + +From: Will Deacon + +commit 8bd795fedb8450ecbef18eeadbd23ed8fc7630f5 upstream. + +Although commit c2c24edb1d9c ("arm64: csum: Fix pathological zero-length +calls") added an early return for zero-length input, syzkaller has +popped up with an example of a _negative_ length which causes an +undefined shift and an out-of-bounds read: + + | BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39 + | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975 + | + | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0 + | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 + | Call trace: + | dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233 + | show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240 + | __dump_stack lib/dump_stack.c:88 [inline] + | dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 + | print_address_description mm/kasan/report.c:351 [inline] + | print_report+0x174/0x514 mm/kasan/report.c:462 + | kasan_report+0xd4/0x130 mm/kasan/report.c:572 + | kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187 + | __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31 + | do_csum+0x44/0x254 arch/arm64/lib/csum.c:39 + | csum_partial+0x30/0x58 lib/checksum.c:128 + | gso_make_checksum include/linux/skbuff.h:4928 [inline] + | __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332 + | udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47 + | ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119 + | skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141 + | __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401 + | skb_gso_segment include/linux/netdevice.h:4859 [inline] + | validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659 + | validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709 + | sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327 + | __dev_xmit_skb net/core/dev.c:3805 [inline] + | __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210 + | dev_queue_xmit include/linux/netdevice.h:3085 [inline] + | packet_xmit+0x6c/0x318 net/packet/af_packet.c:276 + | packet_snd net/packet/af_packet.c:3081 [inline] + | packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113 + | sock_sendmsg_nosec net/socket.c:724 [inline] + | sock_sendmsg net/socket.c:747 [inline] + | __sys_sendto+0x3b4/0x538 net/socket.c:2144 + +Extend the early return to reject negative lengths as well, aligning our +implementation with the generic code in lib/checksum.c + +Cc: Robin Murphy +Fixes: 5777eaed566a ("arm64: Implement optimised checksum routine") +Reported-by: syzbot+4a9f9820bd8d302e22f7@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/000000000000e0e94c0603f8d213@google.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/lib/csum.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/lib/csum.c ++++ b/arch/arm64/lib/csum.c +@@ -24,7 +24,7 @@ unsigned int __no_sanitize_address do_cs + const u64 *ptr; + u64 data, sum64 = 0; + +- if (unlikely(len == 0)) ++ if (unlikely(len <= 0)) + return 0; + + offset = (unsigned long)buff & 7; diff --git a/queue-6.4/io_uring-don-t-set-affinity-on-a-dying-sqpoll-thread.patch b/queue-6.4/io_uring-don-t-set-affinity-on-a-dying-sqpoll-thread.patch new file mode 100644 index 00000000000..e3254678fd7 --- /dev/null +++ b/queue-6.4/io_uring-don-t-set-affinity-on-a-dying-sqpoll-thread.patch @@ -0,0 +1,105 @@ +From bd6fc5da4c51107e1e0cec4a3a07963d1dae2c84 Mon Sep 17 00:00:00 2001 +From: Gabriel Krisman Bertazi +Date: Mon, 28 Aug 2023 19:42:49 -0400 +Subject: io_uring: Don't set affinity on a dying sqpoll thread + +From: Gabriel Krisman Bertazi + +commit bd6fc5da4c51107e1e0cec4a3a07963d1dae2c84 upstream. + +Syzbot reported a null-ptr-deref of sqd->thread inside +io_sqpoll_wq_cpu_affinity. It turns out the sqd->thread can go away +from under us during io_uring_register, in case the process gets a +fatal signal during io_uring_register. + +It is not particularly hard to hit the race, and while I am not sure +this is the exact case hit by syzbot, it solves it. Finally, checking +->thread is enough to close the race because we locked sqd while +"parking" the thread, thus preventing it from going away. + +I reproduced it fairly consistently with a program that does: + +int main(void) { + ... + io_uring_queue_init(RING_LEN, &ring1, IORING_SETUP_SQPOLL); + while (1) { + io_uring_register_iowq_aff(ring, 1, &mask); + } +} + +Executed in a loop with timeout to trigger SIGTERM: + while true; do timeout 1 /a.out ; done + +This will hit the following BUG() in very few attempts. + +BUG: kernel NULL pointer dereference, address: 00000000000007a8 +PGD 800000010e949067 P4D 800000010e949067 PUD 10e46e067 PMD 0 +Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 0 PID: 15715 Comm: dead-sqpoll Not tainted 6.5.0-rc7-next-20230825-g193296236fa0-dirty #23 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 +RIP: 0010:io_sqpoll_wq_cpu_affinity+0x27/0x70 +Code: 90 90 90 0f 1f 44 00 00 55 53 48 8b 9f 98 03 00 00 48 85 db 74 4f +48 89 df 48 89 f5 e8 e2 f8 ff ff 48 8b 43 38 48 85 c0 74 22 <48> 8b b8 +a8 07 00 00 48 89 ee e8 ba b1 00 00 48 89 df 89 c5 e8 70 +RSP: 0018:ffffb04040ea7e70 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffff93c010749e40 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: ffffffffa7653331 RDI: 00000000ffffffff +RBP: ffffb04040ea7eb8 R08: 0000000000000000 R09: c0000000ffffdfff +R10: ffff93c01141b600 R11: ffffb04040ea7d18 R12: ffff93c00ea74840 +R13: 0000000000000011 R14: 0000000000000000 R15: ffff93c00ea74800 +FS: 00007fb7c276ab80(0000) GS:ffff93c36f200000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000000007a8 CR3: 0000000111634003 CR4: 0000000000370ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ? __die_body+0x1a/0x60 + ? page_fault_oops+0x154/0x440 + ? do_user_addr_fault+0x174/0x7b0 + ? exc_page_fault+0x63/0x140 + ? asm_exc_page_fault+0x22/0x30 + ? io_sqpoll_wq_cpu_affinity+0x27/0x70 + __io_register_iowq_aff+0x2b/0x60 + __io_uring_register+0x614/0xa70 + __x64_sys_io_uring_register+0xaa/0x1a0 + do_syscall_64+0x3a/0x90 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +RIP: 0033:0x7fb7c226fec9 +Code: 2e 00 b8 ca 00 00 00 0f 05 eb a5 66 0f 1f 44 00 00 48 89 f8 48 89 +f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 +f0 ff ff 73 01 c3 48 8b 0d 97 7f 2d 00 f7 d8 64 89 01 48 +RSP: 002b:00007ffe2c0674f8 EFLAGS: 00000246 ORIG_RAX: 00000000000001ab +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb7c226fec9 +RDX: 00007ffe2c067530 RSI: 0000000000000011 RDI: 0000000000000003 +RBP: 00007ffe2c0675d0 R08: 00007ffe2c067550 R09: 00007ffe2c067550 +R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffe2c067750 R14: 0000000000000000 R15: 0000000000000000 + +Modules linked in: +CR2: 00000000000007a8 +---[ end trace 0000000000000000 ]--- + +Reported-by: syzbot+c74fea926a78b8a91042@syzkaller.appspotmail.com +Fixes: ebdfefc09c6d ("io_uring/sqpoll: fix io-wq affinity when IORING_SETUP_SQPOLL is used") +Signed-off-by: Gabriel Krisman Bertazi +Link: https://lore.kernel.org/r/87v8cybuo6.fsf@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/sqpoll.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/io_uring/sqpoll.c ++++ b/io_uring/sqpoll.c +@@ -430,7 +430,9 @@ __cold int io_sqpoll_wq_cpu_affinity(str + + if (sqd) { + io_sq_thread_park(sqd); +- ret = io_wq_cpu_affinity(sqd->thread->io_uring, mask); ++ /* Don't set affinity for a dying thread */ ++ if (sqd->thread) ++ ret = io_wq_cpu_affinity(sqd->thread->io_uring, mask); + io_sq_thread_unpark(sqd); + } + diff --git a/queue-6.4/series b/queue-6.4/series index 9a3e7b28d7b..48914938bd9 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -668,3 +668,6 @@ xtensa-pmu-fix-base-address-for-the-newer-hardware.patch loongarch-mm-add-p-d_leaf-definitions.patch powerpc-ftrace-fix-dropping-weak-symbols-with-older-toolchains.patch i3c-master-svc-fix-probe-failure-when-no-i3c-device-exist.patch +io_uring-don-t-set-affinity-on-a-dying-sqpoll-thread.patch +arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch +alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch