From: Sasha Levin Date: Sat, 11 Jan 2025 14:26:58 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v6.1.125~62 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=62c42842d48301557c5fcda6a070bd324bcca1ef;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/afs-fix-the-maximum-cell-name-length.patch b/queue-5.15/afs-fix-the-maximum-cell-name-length.patch new file mode 100644 index 00000000000..7357b7bea95 --- /dev/null +++ b/queue-5.15/afs-fix-the-maximum-cell-name-length.patch 
@@ -0,0 +1,112 @@ +From 9a3351e70bbef3a1e5dc4ca0fd8dfb309736642b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jan 2025 16:21:00 +0000 +Subject: afs: Fix the maximum cell name length + +From: David Howells + +[ Upstream commit 8fd56ad6e7c90ac2bddb0741c6b248c8c5d56ac8 ] + +The kafs filesystem limits the maximum length of a cell to 256 bytes, but a +problem occurs if someone actually does that: kafs tries to create a +directory under /proc/net/afs/ with the name of the cell, but that fails +with a warning: + + WARNING: CPU: 0 PID: 9 at fs/proc/generic.c:405 + +because procfs limits the maximum filename length to 255. + +However, the DNS limits the maximum lookup length and, by extension, the +maximum cell name, to 255 less two (length count and trailing NUL). + +Fix this by limiting the maximum acceptable cellname length to 253. This +also allows us to be sure we can create the "/afs/./" mountpoint too. + +Further, split the YFS VL record cell name maximum to be the 256 allowed by +the protocol and ignore the record retrieved by YFSVL.GetCellName if it +exceeds 253. 
+ +Fixes: c3e9f888263b ("afs: Implement client support for the YFSVL.GetCellName RPC op") +Reported-by: syzbot+7848fee1f1e5c53f912b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/r/6776d25d.050a0220.3a8527.0048.GAE@google.com/ +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/376236.1736180460@warthog.procyon.org.uk +Tested-by: syzbot+7848fee1f1e5c53f912b@syzkaller.appspotmail.com +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/afs/afs.h | 2 +- + fs/afs/afs_vl.h | 1 + + fs/afs/vl_alias.c | 8 ++++++-- + fs/afs/vlclient.c | 2 +- + 4 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/fs/afs/afs.h b/fs/afs/afs.h +index 432cb4b23961..3ea5f3e3c922 100644 +--- a/fs/afs/afs.h ++++ b/fs/afs/afs.h +@@ -10,7 +10,7 @@ + + #include + +-#define AFS_MAXCELLNAME 256 /* Maximum length of a cell name */ ++#define AFS_MAXCELLNAME 253 /* Maximum length of a cell name (DNS limited) */ + #define AFS_MAXVOLNAME 64 /* Maximum length of a volume name */ + #define AFS_MAXNSERVERS 8 /* Maximum servers in a basic volume record */ + #define AFS_NMAXNSERVERS 13 /* Maximum servers in a N/U-class volume record */ +diff --git a/fs/afs/afs_vl.h b/fs/afs/afs_vl.h +index 9c65ffb8a523..8da0899fbc08 100644 +--- a/fs/afs/afs_vl.h ++++ b/fs/afs/afs_vl.h +@@ -13,6 +13,7 @@ + #define AFS_VL_PORT 7003 /* volume location service port */ + #define VL_SERVICE 52 /* RxRPC service ID for the Volume Location service */ + #define YFS_VL_SERVICE 2503 /* Service ID for AuriStor upgraded VL service */ ++#define YFS_VL_MAXCELLNAME 256 /* Maximum length of a cell name in YFS protocol */ + + enum AFSVL_Operations { + VLGETENTRYBYID = 503, /* AFS Get VLDB entry by ID */ +diff --git a/fs/afs/vl_alias.c b/fs/afs/vl_alias.c +index f04a80e4f5c3..83cf1bfbe343 100644 +--- a/fs/afs/vl_alias.c ++++ b/fs/afs/vl_alias.c +@@ -302,6 +302,7 @@ static char *afs_vl_get_cell_name(struct afs_cell *cell, struct key *key) + 
static int yfs_check_canonical_cell_name(struct afs_cell *cell, struct key *key) + { + struct afs_cell *master; ++ size_t name_len; + char *cell_name; + + cell_name = afs_vl_get_cell_name(cell, key); +@@ -313,8 +314,11 @@ static int yfs_check_canonical_cell_name(struct afs_cell *cell, struct key *key) + return 0; + } + +- master = afs_lookup_cell(cell->net, cell_name, strlen(cell_name), +- NULL, false); ++ name_len = strlen(cell_name); ++ if (!name_len || name_len > AFS_MAXCELLNAME) ++ master = ERR_PTR(-EOPNOTSUPP); ++ else ++ master = afs_lookup_cell(cell->net, cell_name, name_len, NULL, false); + kfree(cell_name); + if (IS_ERR(master)) + return PTR_ERR(master); +diff --git a/fs/afs/vlclient.c b/fs/afs/vlclient.c +index 00fca3c66ba6..16653f2ffe4f 100644 +--- a/fs/afs/vlclient.c ++++ b/fs/afs/vlclient.c +@@ -671,7 +671,7 @@ static int afs_deliver_yfsvl_get_cell_name(struct afs_call *call) + return ret; + + namesz = ntohl(call->tmp); +- if (namesz > AFS_MAXCELLNAME) ++ if (namesz > YFS_VL_MAXCELLNAME) + return afs_protocol_error(call, afs_eproto_cellname_len); + paddedsz = (namesz + 3) & ~3; + call->count = namesz; +-- +2.39.5 + diff --git a/queue-5.15/drm-mediatek-add-support-for-180-degree-rotation-in-.patch b/queue-5.15/drm-mediatek-add-support-for-180-degree-rotation-in-.patch new file mode 100644 index 00000000000..a989efee651 --- /dev/null +++ b/queue-5.15/drm-mediatek-add-support-for-180-degree-rotation-in-.patch 
@@ -0,0 +1,63 @@ +From 7738999f153114f6cd79ad77df8096c28363aa08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2024 10:51:26 +0800 +Subject: drm/mediatek: Add support for 180-degree rotation in the display + driver + +From: Jason-JH.Lin + +[ Upstream commit 5c9d7e79ba154e8e1f0bfdeb7b495f454c1a3eba ] + +mediatek-drm driver reported the capability of 180-degree rotation by +adding `DRM_MODE_ROTATE_180` to the plane property, as flip-x combined +with flip-y equals a 180-degree rotation. However, we did not handle +the rotation property in the driver and lead to rotation issues. + +Fixes: 74608d8feefd ("drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property") +Signed-off-by: Jason-JH.Lin +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20241118025126.30808-1-jason-jh.lin@mediatek.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_disp_ovl.c b/drivers/gpu/drm/mediatek/mtk_disp_ovl.c +index c54d56fb7b4c..77397bf0b5b4 100644 +--- a/drivers/gpu/drm/mediatek/mtk_disp_ovl.c ++++ b/drivers/gpu/drm/mediatek/mtk_disp_ovl.c +@@ -302,6 +302,7 @@ void mtk_ovl_layer_config(struct device *dev, unsigned int idx, + unsigned int addr = pending->addr; + unsigned int pitch = pending->pitch & 0xffff; + unsigned int fmt = pending->format; ++ unsigned int rotation = pending->rotation; + unsigned int offset = (pending->y << 16) | pending->x; + unsigned int src_size = (pending->height << 16) | pending->width; + unsigned int con; +@@ -315,12 +316,19 @@ void mtk_ovl_layer_config(struct device *dev, unsigned int idx, + if (state->base.fb && state->base.fb->format->has_alpha) + con |= OVL_CON_AEN | OVL_CON_ALPHA; + +- if (pending->rotation & DRM_MODE_REFLECT_Y) { ++ /* ++ * Treat rotate 180 as flip x + flip y, and XOR the original 
rotation value ++ * to flip x + flip y to support both in the same time. ++ */ ++ if (rotation & DRM_MODE_ROTATE_180) ++ rotation ^= DRM_MODE_REFLECT_X | DRM_MODE_REFLECT_Y; ++ ++ if (rotation & DRM_MODE_REFLECT_Y) { + con |= OVL_CON_VIRT_FLIP; + addr += (pending->height - 1) * pending->pitch; + } + +- if (pending->rotation & DRM_MODE_REFLECT_X) { ++ if (rotation & DRM_MODE_REFLECT_X) { + con |= OVL_CON_HORZ_FLIP; + addr += pending->pitch - 1; + } +-- +2.39.5 + diff --git a/queue-5.15/ksmbd-fix-a-missing-return-value-check-bug.patch b/queue-5.15/ksmbd-fix-a-missing-return-value-check-bug.patch new file mode 100644 index 00000000000..23fb5b590b9 --- /dev/null +++ b/queue-5.15/ksmbd-fix-a-missing-return-value-check-bug.patch 
@@ -0,0 +1,46 @@ +From 815276fd8ba850a58ea77129708f98e3dc185ac3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Dec 2024 23:30:50 +0800 +Subject: ksmbd: fix a missing return value check bug + +From: Wentao Liang + +[ Upstream commit 4c16e1cadcbcaf3c82d5fc310fbd34d0f5d0db7c ] + +In the smb2_send_interim_resp(), if ksmbd_alloc_work_struct() +fails to allocate a node, it returns a NULL pointer to the +in_work pointer. This can lead to an illegal memory write of +in_work->response_buf when allocate_interim_rsp_buf() attempts +to perform a kzalloc() on it. + +To address this issue, incorporating a check for the return +value of ksmbd_alloc_work_struct() ensures that the function +returns immediately upon allocation failure, thereby preventing +the aforementioned illegal memory access. + +Fixes: 041bba4414cd ("ksmbd: fix wrong interim response on compound") +Signed-off-by: Wentao Liang +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/ksmbd/smb2pdu.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c +index 7f9297a5f3ef..82b6be188ad4 100644 +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -714,6 +714,9 @@ void smb2_send_interim_resp(struct ksmbd_work *work, __le32 status) + struct smb2_hdr *rsp_hdr; + struct ksmbd_work *in_work = ksmbd_alloc_work_struct(); + ++ if (!in_work) ++ return; ++ + if (allocate_interim_rsp_buf(in_work)) { + pr_err("smb_allocate_rsp_buf failed!\n"); + ksmbd_free_work_struct(in_work); +-- +2.39.5 + diff --git a/queue-5.15/series b/queue-5.15/series index 31d7b16df55..eedb454be57 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -20,3 +20,6 @@ net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch netfilter-nf_tables-imbalance-in-flowtable-binding.patch netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch +drm-mediatek-add-support-for-180-degree-rotation-in-.patch +ksmbd-fix-a-missing-return-value-check-bug.patch +afs-fix-the-maximum-cell-name-length.patch
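Review bot: in fs/afs/vl_alias.c, yfs_check_canonical_cell_name(), an empty or over-long name from the server becomes `master = ERR_PTR(-EOPNOTSUPP)` and is then returned through the existing `if (IS_ERR(master)) return PTR_ERR(master);`, whereas the commit message says such a record is ignored. Whether -EOPNOTSUPP is treated as "ignore" is decided by the caller, which this hunk does not show, so a one-line comment above the check stating that intent would help the next reader. The `!name_len` case is new behaviour that the commit message does not mention and deserves a word in the same comment.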
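Review bot: in fs/afs/vlclient.c, afs_deliver_yfsvl_get_cell_name(), the check `if (namesz > YFS_VL_MAXCELLNAME)` now admits up to 256 bytes from the wire while AFS_MAXCELLNAME drops to 253, so this is the one path that accepts a name longer than the rest of the client allows. The buffer that receives `call->count = namesz` bytes is outside the visible context; please confirm it is sized from namesz plus the trailing NUL and not from AFS_MAXCELLNAME, since a buffer sized by the old shared constant would now be 3 bytes short of what this check lets through.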
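Review bot: in drivers/gpu/drm/mediatek/mtk_disp_ovl.c, mtk_ovl_layer_config(), the new block comment is hard to parse ("XOR the original rotation value to flip x + flip y to support both in the same time"). The logic itself is sound: `rotation ^= DRM_MODE_REFLECT_X | DRM_MODE_REFLECT_Y` makes ROTATE_180 combined with an explicit reflect cancel on that axis, and working on the local copy leaves pending->rotation untouched. Suggest rewording the comment along the lines of "ROTATE_180 is REFLECT_X plus REFLECT_Y; XOR both reflect bits so a requested reflection combined with a 180-degree rotation cancels on that axis".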
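Review bot: in fs/ksmbd/smb2pdu.c, smb2_send_interim_resp(), the new `if (!in_work) return;` fails silently, while the allocate_interim_rsp_buf() failure directly below logs with pr_err() before bailing out. The function returns void, so the caller cannot tell that no interim response was sent; a matching log line on this path would keep the two allocation failures consistent and make the dropped response visible when diagnosing a client that is left waiting. Separately, the allocation sits in the declaration initialiser (`struct ksmbd_work *in_work = ksmbd_alloc_work_struct();`), which puts a fallible call among the declarations; moving the call next to its NULL check would read more clearly.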