From: Greg Kroah-Hartman Date: Sat, 14 Jan 2023 15:10:16 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.14.303~67 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4c6cf7848a293b09c20ce4b5e179a8a03399e7bd;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: cifs-fix-uninitialized-memory-read-for-smb311-posix-symlink-create.patch drm-msm-adreno-make-adreno-quirks-not-overwrite-each-other.patch ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch ixgbe-fix-pci-device-refcount-leak.patch platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch --- diff --git a/queue-5.4/cifs-fix-uninitialized-memory-read-for-smb311-posix-symlink-create.patch b/queue-5.4/cifs-fix-uninitialized-memory-read-for-smb311-posix-symlink-create.patch new file mode 100644 index 00000000000..ff05101bf02 --- /dev/null +++ b/queue-5.4/cifs-fix-uninitialized-memory-read-for-smb311-posix-symlink-create.patch @@ -0,0 +1,34 @@ +From a152d05ae4a71d802d50cf9177dba34e8bb09f68 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Wed, 11 Jan 2023 12:37:58 +0100 +Subject: cifs: Fix uninitialized memory read for smb311 posix symlink create + +From: Volker Lendecke + +commit a152d05ae4a71d802d50cf9177dba34e8bb09f68 upstream. + +If smb311 posix is enabled, we send the intended mode for file +creation in the posix create context. Instead of using what's there on +the stack, create the mfsymlink file with 0644. + +Fixes: ce558b0e17f8a ("smb3: Add posix create context for smb3.11 posix mounts") +Cc: stable@vger.kernel.org +Signed-off-by: Volker Lendecke +Reviewed-by: Tom Talpey +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/link.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/cifs/link.c ++++ b/fs/cifs/link.c +@@ -481,6 +481,7 @@ smb3_create_mf_symlink(unsigned int xid, + oparms.disposition = FILE_CREATE; + oparms.fid = &fid; + oparms.reconnect = false; ++ oparms.mode = 0644; + + rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL, + NULL); diff --git a/queue-5.4/drm-msm-adreno-make-adreno-quirks-not-overwrite-each-other.patch b/queue-5.4/drm-msm-adreno-make-adreno-quirks-not-overwrite-each-other.patch new file mode 100644 index 00000000000..1614a416ee9 --- /dev/null +++ b/queue-5.4/drm-msm-adreno-make-adreno-quirks-not-overwrite-each-other.patch @@ -0,0 +1,56 @@ +From 13ef096e342b00e30b95a90c6c13eee1f0bec4c5 Mon Sep 17 00:00:00 2001 +From: Konrad Dybcio +Date: Mon, 2 Jan 2023 11:02:00 +0100 +Subject: drm/msm/adreno: Make adreno quirks not overwrite each other + +From: Konrad Dybcio + +commit 13ef096e342b00e30b95a90c6c13eee1f0bec4c5 upstream. + +So far the adreno quirks have all been assigned with an OR operator, +which is problematic, because they were assigned consecutive integer +values, which makes checking them with an AND operator kind of no bueno.. + +Switch to using BIT(n) so that only the quirks that the programmer chose +are taken into account when evaluating info->quirks & ADRENO_QUIRK_... + +Fixes: 370063ee427a ("drm/msm/adreno: Add A540 support") +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Marijn Suijten +Reviewed-by: Rob Clark +Signed-off-by: Konrad Dybcio +Reviewed-by: Akhil P Oommen +Patchwork: https://patchwork.freedesktop.org/patch/516456/ +Link: https://lore.kernel.org/r/20230102100201.77286-1-konrad.dybcio@linaro.org +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/adreno/adreno_gpu.h | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.h ++++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.h +@@ -47,11 +47,9 @@ enum { + ADRENO_FW_MAX, + }; + +-enum adreno_quirks { +- ADRENO_QUIRK_TWO_PASS_USE_WFI = 1, +- ADRENO_QUIRK_FAULT_DETECT_MASK = 2, +- ADRENO_QUIRK_LMLOADKILL_DISABLE = 3, +-}; ++#define ADRENO_QUIRK_TWO_PASS_USE_WFI BIT(0) ++#define ADRENO_QUIRK_FAULT_DETECT_MASK BIT(1) ++#define ADRENO_QUIRK_LMLOADKILL_DISABLE BIT(2) + + struct adreno_rev { + uint8_t core; +@@ -74,7 +72,7 @@ struct adreno_info { + const char *name; + const char *fw[ADRENO_FW_MAX]; + uint32_t gmem; +- enum adreno_quirks quirks; ++ u64 quirks; + struct msm_gpu *(*init)(struct drm_device *dev); + const char *zapfw; + u32 inactive_period; diff --git a/queue-5.4/ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch b/queue-5.4/ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch new file mode 100644 index 00000000000..43dc059121c --- /dev/null +++ b/queue-5.4/ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch @@ -0,0 +1,42 @@ +From cb3e9864cdbe35ff6378966660edbcbac955fe17 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Tue, 10 Jan 2023 08:59:06 +0800 +Subject: ipv6: raw: Deduct extension header length in rawv6_push_pending_frames + +From: Herbert Xu + +commit cb3e9864cdbe35ff6378966660edbcbac955fe17 upstream. + +The total cork length created by ip6_append_data includes extension +headers, so we must exclude them when comparing them against the +IPV6_CHECKSUM offset which does not include extension headers. + +Reported-by: Kyle Zeng +Fixes: 357b40a18b04 ("[IPV6]: IPV6_CHECKSUM socket option can corrupt kernel memory") +Signed-off-by: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/raw.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -539,6 +539,7 @@ csum_copy_err: + static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6, + struct raw6_sock *rp) + { ++ struct ipv6_txoptions *opt; + struct sk_buff *skb; + int err = 0; + int offset; +@@ -556,6 +557,9 @@ static int rawv6_push_pending_frames(str + + offset = rp->offset; + total_len = inet_sk(sk)->cork.base.length; ++ opt = inet6_sk(sk)->cork.opt; ++ total_len -= opt ? opt->opt_flen : 0; ++ + if (offset >= total_len - 1) { + err = -EINVAL; + ip6_flush_pending_frames(sk); diff --git a/queue-5.4/ixgbe-fix-pci-device-refcount-leak.patch b/queue-5.4/ixgbe-fix-pci-device-refcount-leak.patch new file mode 100644 index 00000000000..f91e8e3e005 --- /dev/null +++ b/queue-5.4/ixgbe-fix-pci-device-refcount-leak.patch @@ -0,0 +1,70 @@ +From b93fb4405fcb5112c5739c5349afb52ec7f15c07 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Tue, 29 Nov 2022 09:57:48 +0800 +Subject: ixgbe: fix pci device refcount leak + +From: Yang Yingliang + +commit b93fb4405fcb5112c5739c5349afb52ec7f15c07 upstream. + +As the comment of pci_get_domain_bus_and_slot() says, it +returns a PCI device with refcount incremented, when finish +using it, the caller must decrement the reference count by +calling pci_dev_put(). + +In ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(), +pci_dev_put() is called to avoid leak. + +Fixes: 8fa10ef01260 ("ixgbe: register a mdiobus") +Signed-off-by: Yang Yingliang +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.c +@@ -851,9 +851,11 @@ static struct pci_dev *ixgbe_get_first_s + rp_pdev = pci_get_domain_bus_and_slot(0, 0, devfn); + if (rp_pdev && rp_pdev->subordinate) { + bus = rp_pdev->subordinate->number; ++ pci_dev_put(rp_pdev); + return pci_get_domain_bus_and_slot(0, bus, 0); + } + ++ pci_dev_put(rp_pdev); + return NULL; + } + +@@ -870,6 +872,7 @@ static bool ixgbe_x550em_a_has_mii(struc + struct ixgbe_adapter *adapter = hw->back; + struct pci_dev *pdev = adapter->pdev; + struct pci_dev *func0_pdev; ++ bool has_mii = false; + + /* For the C3000 family of SoCs (x550em_a) the internal ixgbe devices + * are always downstream of root ports @ 0000:00:16.0 & 0000:00:17.0 +@@ -880,15 +883,16 @@ static bool ixgbe_x550em_a_has_mii(struc + func0_pdev = ixgbe_get_first_secondary_devfn(PCI_DEVFN(0x16, 0)); + if (func0_pdev) { + if (func0_pdev == pdev) +- return true; +- else +- return false; ++ has_mii = true; ++ goto out; + } + func0_pdev = ixgbe_get_first_secondary_devfn(PCI_DEVFN(0x17, 0)); + if (func0_pdev == pdev) +- return true; ++ has_mii = true; + +- return false; ++out: ++ pci_dev_put(func0_pdev); ++ return has_mii; + } + + /** diff --git a/queue-5.4/platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch b/queue-5.4/platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch new file mode 100644 index 00000000000..43983493aca --- /dev/null +++ b/queue-5.4/platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch @@ -0,0 +1,58 @@ +From ad75bd85b1db69c97eefea07b375567821f6ef58 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 13 Dec 2022 13:29:43 +0100 +Subject: platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight during probe + +From: Hans de Goede + +commit ad75bd85b1db69c97eefea07b375567821f6ef58 upstream. + +The 0x153 version of the kbd backlight control SNC handle has no separate +address to probe if the backlight is there. + +This turns the probe call into a set keyboard backlight call with a value +of 0 turning off the keyboard backlight. + +Skip probing when there is no separate probe address to avoid this. + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1583752 +Fixes: 800f20170dcf ("Keyboard backlight control for some Vaio Fit models") +Signed-off-by: Hans de Goede +Reviewed-by: Mattia Dongili +Link: https://lore.kernel.org/r/20221213122943.11123-1-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/sony-laptop.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/platform/x86/sony-laptop.c ++++ b/drivers/platform/x86/sony-laptop.c +@@ -1899,14 +1899,21 @@ static int sony_nc_kbd_backlight_setup(s + break; + } + +- ret = sony_call_snc_handle(handle, probe_base, &result); +- if (ret) +- return ret; ++ /* ++ * Only probe if there is a separate probe_base, otherwise the probe call ++ * is equivalent to __sony_nc_kbd_backlight_mode_set(0), resulting in ++ * the keyboard backlight being turned off. ++ */ ++ if (probe_base) { ++ ret = sony_call_snc_handle(handle, probe_base, &result); ++ if (ret) ++ return ret; + +- if ((handle == 0x0137 && !(result & 0x02)) || +- !(result & 0x01)) { +- dprintk("no backlight keyboard found\n"); +- return 0; ++ if ((handle == 0x0137 && !(result & 0x02)) || ++ !(result & 0x01)) { ++ dprintk("no backlight keyboard found\n"); ++ return 0; ++ } + } + + kbdbl_ctl = kzalloc(sizeof(*kbdbl_ctl), GFP_KERNEL); diff --git a/queue-5.4/series b/queue-5.4/series index 31de0b4b2eb..fff6a65ae23 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -609,3 +609,8 @@ s390-percpu-add-read_once-to-arch_this_cpu_to_op_simple.patch net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch alsa-pcm-move-rwsem-lock-inside-snd_ctl_elem_read-to-prevent-uaf.patch alsa-hda-hdmi-add-a-hp-device-0x8715-to-force-connect-list.patch +cifs-fix-uninitialized-memory-read-for-smb311-posix-symlink-create.patch +drm-msm-adreno-make-adreno-quirks-not-overwrite-each-other.patch +platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch +ixgbe-fix-pci-device-refcount-leak.patch +ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch