From: Greg Kroah-Hartman
Date: Fri, 13 Sep 2024 12:43:53 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v6.1.111~43
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=657504a43975a7f9ffbb0962c3c86aa99bc7a3ea;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch
minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch
mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch
mptcp-pm-fix-uaf-in-__timer_delete_sync.patch
net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch
platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch
platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch
---
diff --git a/queue-5.15/arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch b/queue-5.15/arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch
new file mode 100644
index 00000000000..94d5e3a0534
--- /dev/null
+++ b/queue-5.15/arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch
@@ -0,0 +1,70 @@
+From 741f5ba7ccba5d7ae796dd11c320e28045524771 Mon Sep 17 00:00:00 2001
+From: Quentin Schulz
+Date: Wed, 31 Jul 2024 13:05:29 +0200
+Subject: arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma
+
+From: Quentin Schulz
+
+commit 741f5ba7ccba5d7ae796dd11c320e28045524771 upstream.
+
+The Qseven BIOS_DISABLE signal on the RK3399-Q7 keeps the on-module eMMC
+and SPI flash powered-down initially (in fact it keeps the reset signal
+asserted). BIOS_DISABLE_OVERRIDE pin allows to override that signal so
+that eMMC and SPI can be used regardless of the state of the signal.
+
+Let's make this GPIO a hog so that it's reserved and locked in the
+proper state.
+
+At the same time, make sure the pin is reserved for the hog and cannot
+be requested by another node.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quentin Schulz
+Link: https://lore.kernel.org/r/20240731-puma-emmc-6-v1-2-4e28eadf32d0@cherry.de
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
+@@ -108,6 +108,22 @@
+ drive-impedance-ohm = <33>;
+ };
+ 
++&gpio3 {
++ /*
++ * The Qseven BIOS_DISABLE signal on the RK3399-Q7 keeps the on-module
++ * eMMC and SPI flash powered-down initially (in fact it keeps the
++ * reset signal asserted). BIOS_DISABLE_OVERRIDE pin allows to override
++ * that signal so that eMMC and SPI can be used regardless of the state
++ * of the signal.
++ */
++ bios-disable-override-hog {
++ gpios = ;
++ gpio-hog;
++ line-name = "bios_disable_override";
++ output-high;
++ };
++};
++
+ &gmac {
+ assigned-clocks = <&cru SCLK_RMII_SRC>;
+ assigned-clock-parents = <&clkin_gmac>;
+@@ -397,9 +413,14 @@
+ 
+ &pinctrl {
+ pinctrl-names = "default";
+- pinctrl-0 = <&q7_thermal_pin>;
++ pinctrl-0 = <&q7_thermal_pin &bios_disable_override_hog_pin>;
+ 
+ gpios {
++ bios_disable_override_hog_pin: bios-disable-override-hog-pin {
++ rockchip,pins =
++ <3 RK_PD5 RK_FUNC_GPIO &pcfg_pull_down>;
++ };
++
+ q7_thermal_pin: q7-thermal-pin {
+ rockchip,pins =
+ <0 RK_PA3 RK_FUNC_GPIO &pcfg_pull_up>;
diff --git a/queue-5.15/minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch b/queue-5.15/minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch
new file mode 100644
index 00000000000..ea2aa6db54f
--- /dev/null
+++ b/queue-5.15/minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch
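Review bot: The comment on the new `bios-disable-override-hog` node explains what BIOS_DISABLE does but not why `bios_disable_override_hog_pin` configures the pad as `pcfg_pull_down` while the hog drives it `output-high`; a reader cannot tell whether the pull-down is the intended level before the hog claims the line or a leftover. A one-line note in the pinctrl entry, `/* pull-down only sets the level until the hog claims the line and drives it high */`, would settle that, assuming this is the intent. The `gpios = ;` property has lost its value in this rendering of the patch, so the GPIO specifier itself cannot be checked here.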
@@ -0,0 +1,68 @@
+From 7c6a3a65ace70f12b27b1a27c9a69cb791dc6e91 Mon Sep 17 00:00:00 2001
+From: Lorenzo Stoakes
+Date: Wed, 11 Sep 2024 18:51:11 +0100
+Subject: minmax: reduce min/max macro expansion in atomisp driver
+
+From: Lorenzo Stoakes
+
+commit 7c6a3a65ace70f12b27b1a27c9a69cb791dc6e91 upstream.
+
+Avoid unnecessary nested min()/max() which results in egregious macro
+expansion.
+
+Use clamp_t() as this introduces the least possible expansion, and turn
+the {s,u}DIGIT_FITTING() macros into inline functions to avoid the
+nested expansion.
+
+This resolves an issue with slackware 15.0 32-bit compilation as
+reported by Richard Narron.
+
+Presumably the min/max fixups would be difficult to backport, this patch
+should be easier and fix's Richard's problem in 5.15.
+
+Reported-by: Richard Narron
+Reviewed-by: Hans de Goede
+Closes: https://lore.kernel.org/all/4a5321bd-b1f-1832-f0c-cea8694dc5aa@aaazen.com/
+Fixes: 867046cc7027 ("minmax: relax check to allow comparison between unsigned arguments and signed constants")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lorenzo Stoakes
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 +++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+--- a/drivers/staging/media/atomisp/pci/sh_css_frac.h
++++ b/drivers/staging/media/atomisp/pci/sh_css_frac.h
+@@ -30,12 +30,24 @@
+ #define uISP_VAL_MAX ((unsigned int)((1 << uISP_REG_BIT) - 1))
+ 
+ /* a:fraction bits for 16bit precision, b:fraction bits for ISP precision */
+-#define sDIGIT_FITTING(v, a, b) \
+- min_t(int, max_t(int, (((v) >> sSHIFT) >> max(sFRACTION_BITS_FITTING(a) - (b), 0)), \
+- sISP_VAL_MIN), sISP_VAL_MAX)
+-#define uDIGIT_FITTING(v, a, b) \
+- min((unsigned int)max((unsigned)(((v) >> uSHIFT) \
+- >> max((int)(uFRACTION_BITS_FITTING(a) - (b)), 0)), \
+- uISP_VAL_MIN), uISP_VAL_MAX)
++static inline int sDIGIT_FITTING(int v, int a, int b)
++{
++ int fit_shift = sFRACTION_BITS_FITTING(a) - b;
++
++ v >>= sSHIFT;
++ v >>= fit_shift > 0 ? fit_shift : 0;
++
++ return clamp_t(int, v, sISP_VAL_MIN, sISP_VAL_MAX);
++}
++
++static inline unsigned int uDIGIT_FITTING(unsigned int v, int a, int b)
++{
++ int fit_shift = uFRACTION_BITS_FITTING(a) - b;
++
++ v >>= uSHIFT;
++ v >>= fit_shift > 0 ? fit_shift : 0;
++
++ return clamp_t(unsigned int, v, uISP_VAL_MIN, uISP_VAL_MAX);
++}
+ 
+ #endif /* __SH_CSS_FRAC_H */
diff --git a/queue-5.15/mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch b/queue-5.15/mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch
new file mode 100644
index 00000000000..2c0a4b5609f
--- /dev/null
+++ b/queue-5.15/mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch
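Review bot: `sDIGIT_FITTING` now receives `v` as `int` and `uDIGIT_FITTING` as `unsigned int`, whereas the removed macros shifted `v` in whatever type the caller passed and only narrowed in the final `min_t`/`max_t`; if any caller hands in a wider or differently signed value, the narrowing now happens before the shift rather than after, a silent behaviour change the commit message does not mention. The callers are outside this hunk, so their argument types should be confirmed before this is merged. The right shift of a negative `v` in `sDIGIT_FITTING` is implementation-defined in C, exactly as in the macro it replaces; a one-line comment above the function, `/* relies on arithmetic right shift of negative v, as the former macro did */`, would record that assumption.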
@@ -0,0 +1,80 @@
+From 79a61cc3fc0466ad2b7b89618a6157785f0293b3 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Wed, 11 Sep 2024 17:11:23 -0700
+Subject: mm: avoid leaving partial pfn mappings around in error case
+
+From: Linus Torvalds
+
+commit 79a61cc3fc0466ad2b7b89618a6157785f0293b3 upstream.
+
+As Jann points out, PFN mappings are special, because unlike normal
+memory mappings, there is no lifetime information associated with the
+mapping - it is just a raw mapping of PFNs with no reference counting of
+a 'struct page'.
+
+That's all very much intentional, but it does mean that it's easy to
+mess up the cleanup in case of errors. Yes, a failed mmap() will always
+eventually clean up any partial mappings, but without any explicit
+lifetime in the page table mapping itself, it's very easy to do the
+error handling in the wrong order.
+
+In particular, it's easy to mistakenly free the physical backing store
+before the page tables are actually cleaned up and (temporarily) have
+stale dangling PTE entries.
+
+To make this situation less error-prone, just make sure that any partial
+pfn mapping is torn down early, before any other error handling.
+
+Reported-and-tested-by: Jann Horn
+Cc: Andrew Morton
+Cc: Jason Gunthorpe
+Cc: Simona Vetter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/memory.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2380,11 +2380,7 @@ static inline int remap_p4d_range(struct
+ return 0;
+ }
+ 
+-/*
+- * Variant of remap_pfn_range that does not call track_pfn_remap. The caller
+- * must have pre-validated the caching bits of the pgprot_t.
+- */
+-int remap_pfn_range_notrack(struct vm_area_struct *vma, unsigned long addr,
++static int remap_pfn_range_internal(struct vm_area_struct *vma, unsigned long addr,
+ unsigned long pfn, unsigned long size, pgprot_t prot)
+ {
+ pgd_t *pgd;
+@@ -2437,6 +2433,27 @@ int remap_pfn_range_notrack(struct vm_ar
+ return 0;
+ }
+ 
++/*
++ * Variant of remap_pfn_range that does not call track_pfn_remap. The caller
++ * must have pre-validated the caching bits of the pgprot_t.
++ */
++int remap_pfn_range_notrack(struct vm_area_struct *vma, unsigned long addr,
++ unsigned long pfn, unsigned long size, pgprot_t prot)
++{
++ int error = remap_pfn_range_internal(vma, addr, pfn, size, prot);
++
++ if (!error)
++ return 0;
++
++ /*
++ * A partial pfn range mapping is dangerous: it does not
++ * maintain page reference counts, and callers may free
++ * pages due to the error. So zap it early.
++ */
++ zap_page_range_single(vma, addr, size, NULL);
++ return error;
++}
++
+ /**
+ * remap_pfn_range - remap kernel memory to userspace
+ * @vma: user vma to map to
diff --git a/queue-5.15/mptcp-pm-fix-uaf-in-__timer_delete_sync.patch b/queue-5.15/mptcp-pm-fix-uaf-in-__timer_delete_sync.patch
new file mode 100644
index 00000000000..4af632e0c24
--- /dev/null
+++ b/queue-5.15/mptcp-pm-fix-uaf-in-__timer_delete_sync.patch
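Review bot: The comment above the re-added `remap_pfn_range_notrack` still describes only the track_pfn_remap difference and says nothing about the new guarantee that a failed call leaves no partial mapping behind, which is precisely the contract the callers' error paths are now meant to rely on. Suggest extending it with `* On failure the partially established range is zapped before the error is returned, so callers may free the backing store immediately.` Also `zap_page_range_single` is called over the full `size` even when `remap_pfn_range_internal` failed early in the range; that is presumably harmless, but a short note on that choice would help the next reader. The body of `remap_pfn_range_internal` lies outside this hunk.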
@@ -0,0 +1,90 @@
+From b4cd80b0338945a94972ac3ed54f8338d2da2076 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis
+Date: Tue, 10 Sep 2024 17:58:56 +0800
+Subject: mptcp: pm: Fix uaf in __timer_delete_sync
+
+From: Edward Adam Davis
+
+commit b4cd80b0338945a94972ac3ed54f8338d2da2076 upstream.
+
+There are two paths to access mptcp_pm_del_add_timer, result in a race
+condition:
+
+ CPU1 CPU2
+ ==== ====
+ net_rx_action
+ napi_poll netlink_sendmsg
+ __napi_poll netlink_unicast
+ process_backlog netlink_unicast_kernel
+ __netif_receive_skb genl_rcv
+ __netif_receive_skb_one_core netlink_rcv_skb
+ NF_HOOK genl_rcv_msg
+ ip_local_deliver_finish genl_family_rcv_msg
+ ip_protocol_deliver_rcu genl_family_rcv_msg_doit
+ tcp_v4_rcv mptcp_pm_nl_flush_addrs_doit
+ tcp_v4_do_rcv mptcp_nl_remove_addrs_list
+ tcp_rcv_established mptcp_pm_remove_addrs_and_subflows
+ tcp_data_queue remove_anno_list_by_saddr
+ mptcp_incoming_options mptcp_pm_del_add_timer
+ mptcp_pm_del_add_timer kfree(entry)
+
+In remove_anno_list_by_saddr(running on CPU2), after leaving the critical
+zone protected by "pm.lock", the entry will be released, which leads to the
+occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).
+
+Keeping a reference to add_timer inside the lock, and calling
+sk_stop_timer_sync() with this reference, instead of "entry->add_timer".
+
+Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,
+do not directly access any members of the entry outside the pm lock, which
+can avoid similar "entry->x" uaf.
+
+Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: syzbot+f3a31fb909db9b2a5c4d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f3a31fb909db9b2a5c4d
+Signed-off-by: Matthieu Baerts (NGI0)
+Signed-off-by: Edward Adam Davis
+Acked-by: Paolo Abeni
+Link: https://patch.msgid.link/tencent_7142963A37944B4A74EF76CD66EA3C253609@qq.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mptcp/pm_netlink.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -361,15 +361,21 @@ mptcp_pm_del_add_timer(struct mptcp_sock
+ {
+ struct mptcp_pm_add_entry *entry;
+ struct sock *sk = (struct sock *)msk;
++ struct timer_list *add_timer = NULL;
+ 
+ spin_lock_bh(&msk->pm.lock);
+ entry = mptcp_lookup_anno_list_by_saddr(msk, addr);
+- if (entry && (!check_id || entry->addr.id == addr->id))
++ if (entry && (!check_id || entry->addr.id == addr->id)) {
+ entry->retrans_times = ADD_ADDR_RETRANS_MAX;
++ add_timer = &entry->add_timer;
++ }
++ if (!check_id && entry)
++ list_del(&entry->list);
+ spin_unlock_bh(&msk->pm.lock);
+ 
+- if (entry && (!check_id || entry->addr.id == addr->id))
+- sk_stop_timer_sync(sk, &entry->add_timer);
++ /* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */
++ if (add_timer)
++ sk_stop_timer_sync(sk, add_timer);
+ 
+ return entry;
+ }
+@@ -1357,7 +1363,6 @@ static bool remove_anno_list_by_saddr(st
+ 
+ entry = mptcp_pm_del_add_timer(msk, addr, false);
+ if (entry) {
+- list_del(&entry->list);
+ kfree(entry);
+ return true;
+ }
diff --git a/queue-5.15/net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch b/queue-5.15/net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch
new file mode 100644
index 00000000000..8d8dd576018
--- /dev/null
+++ b/queue-5.15/net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch
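Review bot: `mptcp_pm_del_add_timer` still returns `entry` after `pm.lock` has been dropped, and in the `check_id` case the entry is not unlinked, so a caller that dereferences the result remains exposed to the race the commit message describes; the new `list_del` only makes the `!check_id` path (`remove_anno_list_by_saddr`) safe. A comment at the `return entry;` such as `/* with check_id the entry stays on the list; callers must not dereference it outside pm.lock */` would record the rule the commit message states in prose. The function's signature and its other callers are outside this hunk, so I cannot confirm here which ones use the return value beyond a NULL test.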
@@ -0,0 +1,55 @@
+From 6513eb3d3191574b58859ef2d6dc26c0277c6f81 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn
+Date: Tue, 10 Sep 2024 17:35:35 -0400
+Subject: net: tighten bad gso csum offset check in virtio_net_hdr
+
+From: Willem de Bruijn
+
+commit 6513eb3d3191574b58859ef2d6dc26c0277c6f81 upstream.
+
+The referenced commit drops bad input, but has false positives.
+Tighten the check to avoid these.
+
+The check detects illegal checksum offload requests, which produce
+csum_start/csum_off beyond end of packet after segmentation.
+
+But it is based on two incorrect assumptions:
+
+1. virtio_net_hdr_to_skb with VIRTIO_NET_HDR_GSO_TCP[46] implies GSO.
+True in callers that inject into the tx path, such as tap.
+But false in callers that inject into rx, like virtio-net.
+Here, the flags indicate GRO, and CHECKSUM_UNNECESSARY or
+CHECKSUM_NONE without VIRTIO_NET_HDR_F_NEEDS_CSUM is normal.
+
+2. TSO requires checksum offload, i.e., ip_summed == CHECKSUM_PARTIAL.
+False, as tcp[46]_gso_segment will fix up csum_start and offset for
+all other ip_summed by calling __tcp_v4_send_check.
+
+Because of 2, we can limit the scope of the fix to virtio_net_hdr
+that do try to set these fields, with a bogus value.
+
+Link: https://lore.kernel.org/netdev/20240909094527.GA3048202@port70.net/
+Fixes: 89add40066f9 ("net: drop bad gso csum_start and offset in virtio_net_hdr")
+Signed-off-by: Willem de Bruijn
+Acked-by: Jason Wang
+Acked-by: Michael S. Tsirkin
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20240910213553.839926-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/virtio_net.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -161,7 +161,8 @@ retry:
+ break;
+ case SKB_GSO_TCPV4:
+ case SKB_GSO_TCPV6:
+- if (skb->csum_offset != offsetof(struct tcphdr, check))
++ if (skb->ip_summed == CHECKSUM_PARTIAL &&
++ skb->csum_offset != offsetof(struct tcphdr, check))
+ return -EINVAL;
+ break;
+ }
diff --git a/queue-5.15/platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch b/queue-5.15/platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch
new file mode 100644
index 00000000000..da69181dc52
--- /dev/null
+++ b/queue-5.15/platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch
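Review bot: The reason for gating the `csum_offset` check on `skb->ip_summed == CHECKSUM_PARTIAL` lives only in the commit message; in the code it reads as if a bad offset is acceptable whenever the checksum state differs, which invites someone to "fix" it back to the unconditional form. A comment above the condition, `/* only a CHECKSUM_PARTIAL request can carry a bogus csum_offset; rx-side callers set the GSO type without NEEDS_CSUM */`, would keep the rationale with the check. The enclosing function begins and ends outside this hunk.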
@@ -0,0 +1,62 @@
+From 33297cef3101d950cec0033a0dce0a2d2bd59999 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Mon, 9 Sep 2024 13:32:26 +0200
+Subject: platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede
+
+commit 33297cef3101d950cec0033a0dce0a2d2bd59999 upstream.
+
+Some DSDT-s have an off-by-one bug where the SINF package count is
+one higher than the SQTY reported value, allocate 1 entry extra.
+
+Also make the SQTY <-> SINF package count mismatch error more verbose
+to help debugging similar issues in the future.
+
+This fixes the panasonic-laptop driver failing to probe() on some
+devices with the following errors:
+
+[ 3.958887] SQTY reports bad SINF length SQTY: 37 SINF-pkg-count: 38
+[ 3.958892] Couldn't retrieve BIOS data
+[ 3.983685] Panasonic Laptop Support - With Macros: probe of MAT0019:00 failed with error -5
+
+Fixes: 709ee531c153 ("panasonic-laptop: add Panasonic Let's Note laptop extras driver v0.94")
+Cc: stable@vger.kernel.org
+Tested-by: James Harmison
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20240909113227.254470-2-hdegoede@redhat.com
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/panasonic-laptop.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/panasonic-laptop.c
++++ b/drivers/platform/x86/panasonic-laptop.c
+@@ -337,7 +337,8 @@ static int acpi_pcc_retrieve_biosdata(st
+ }
+ 
+ if (pcc->num_sifr < hkey->package.count) {
+- pr_err("SQTY reports bad SINF length\n");
++ pr_err("SQTY reports bad SINF length SQTY: %lu SINF-pkg-count: %u\n",
++ pcc->num_sifr, hkey->package.count);
+ status = AE_ERROR;
+ goto end;
+ }
+@@ -994,6 +995,12 @@ static int acpi_pcc_hotkey_add(struct ac
+ return -ENODEV;
+ }
+ 
++ /*
++ * Some DSDT-s have an off-by-one bug where the SINF package count is
++ * one higher than the SQTY reported value, allocate 1 entry extra.
++ */
++ num_sifr++;
++
+ pcc = kzalloc(sizeof(struct pcc_acpi), GFP_KERNEL);
+ if (!pcc) {
+ pr_err("Couldn't allocate mem for pcc");
diff --git a/queue-5.15/platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch b/queue-5.15/platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch
new file mode 100644
index 00000000000..be9addaaf6d
--- /dev/null
+++ b/queue-5.15/platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch
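Review bot: `num_sifr++` runs after the range check and before `pcc` is allocated, so if `pcc->num_sifr` is later assigned from the incremented value (that assignment is outside the hunk), every `pcc->num_sifr > SINF_x` bounds check in the driver admits one index beyond what SQTY reported; on firmware without the off-by-one bug that slot is only a zero-filled `sinf` entry, and a write through `acpi_pcc_write_sset` to it would target an index the DSDT did not advertise. Keeping `num_sifr` as reported and adding the extra entry only where the `sinf` array is allocated (that call is outside the hunk) would limit the change to what the subject line promises. If the increment has to stay, the added comment should say that `pcc->num_sifr` is deliberately one larger than SQTY so readers of the bounds checks are not misled.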
@@ -0,0 +1,130 @@
+From f52e98d16e9bd7dd2b3aef8e38db5cbc9899d6a4 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Mon, 9 Sep 2024 13:32:25 +0200
+Subject: platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede
+
+commit f52e98d16e9bd7dd2b3aef8e38db5cbc9899d6a4 upstream.
+
+The panasonic laptop code in various places uses the SINF array with index
+values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the SINF array
+is big enough.
+
+Not all panasonic laptops have this many SINF array entries, for example
+the Toughbook CF-18 model only has 10 SINF array entries. So it only
+supports the AC+DC brightness entries and mute.
+
+Check that the SINF array has a minimum size which covers all AC+DC
+brightness entries and refuse to load if the SINF array is smaller.
+
+For higher SINF indexes hide the sysfs attributes when the SINF array
+does not contain an entry for that attribute, avoiding show()/store()
+accessing the array out of bounds and add bounds checking to the probe()
+and resume() code accessing these.
+
+Fixes: e424fb8cc4e6 ("panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20240909113227.254470-1-hdegoede@redhat.com
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/panasonic-laptop.c | 49 +++++++++++++++++++++++++-------
+ 1 file changed, 39 insertions(+), 10 deletions(-)
+
+--- a/drivers/platform/x86/panasonic-laptop.c
++++ b/drivers/platform/x86/panasonic-laptop.c
+@@ -773,6 +773,24 @@ static DEVICE_ATTR_RW(dc_brightness);
+ static DEVICE_ATTR_RW(current_brightness);
+ static DEVICE_ATTR_RW(cdpower);
+ 
++static umode_t pcc_sysfs_is_visible(struct kobject *kobj, struct attribute *attr, int idx)
++{
++ struct device *dev = kobj_to_dev(kobj);
++ struct acpi_device *acpi = to_acpi_device(dev);
++ struct pcc_acpi *pcc = acpi_driver_data(acpi);
++
++ if (attr == &dev_attr_mute.attr)
++ return (pcc->num_sifr > SINF_MUTE) ? attr->mode : 0;
++
++ if (attr == &dev_attr_eco_mode.attr)
++ return (pcc->num_sifr > SINF_ECO_MODE) ? attr->mode : 0;
++
++ if (attr == &dev_attr_current_brightness.attr)
++ return (pcc->num_sifr > SINF_CUR_BRIGHT) ? attr->mode : 0;
++
++ return attr->mode;
++}
++
+ static struct attribute *pcc_sysfs_entries[] = {
+ &dev_attr_numbatt.attr,
+ &dev_attr_lcdtype.attr,
+@@ -787,8 +805,9 @@ static struct attribute *pcc_sysfs_entri
+ };
+ 
+ static const struct attribute_group pcc_attr_group = {
+- .name = NULL, /* put in device directory */
+- .attrs = pcc_sysfs_entries,
++ .name = NULL, /* put in device directory */
++ .attrs = pcc_sysfs_entries,
++ .is_visible = pcc_sysfs_is_visible,
+ };
+ 
+ 
+@@ -941,12 +960,15 @@ static int acpi_pcc_hotkey_resume(struct
+ if (!pcc)
+ return -EINVAL;
+ 
+- acpi_pcc_write_sset(pcc, SINF_MUTE, pcc->mute);
+- acpi_pcc_write_sset(pcc, SINF_ECO_MODE, pcc->eco_mode);
++ if (pcc->num_sifr > SINF_MUTE)
++ acpi_pcc_write_sset(pcc, SINF_MUTE, pcc->mute);
++ if (pcc->num_sifr > SINF_ECO_MODE)
++ acpi_pcc_write_sset(pcc, SINF_ECO_MODE, pcc->eco_mode);
+ acpi_pcc_write_sset(pcc, SINF_STICKY_KEY, pcc->sticky_key);
+ acpi_pcc_write_sset(pcc, SINF_AC_CUR_BRIGHT, pcc->ac_brightness);
+ acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, pcc->dc_brightness);
+- acpi_pcc_write_sset(pcc, SINF_CUR_BRIGHT, pcc->current_brightness);
++ if (pcc->num_sifr > SINF_CUR_BRIGHT)
++ acpi_pcc_write_sset(pcc, SINF_CUR_BRIGHT, pcc->current_brightness);
+ 
+ return 0;
+ }
+@@ -963,8 +985,12 @@ static int acpi_pcc_hotkey_add(struct ac
+ 
+ num_sifr = acpi_pcc_get_sqty(device);
+ 
+- if (num_sifr < 0 || num_sifr > 255) {
+- pr_err("num_sifr out of range");
++ /*
++ * pcc->sinf is expected to at least have the AC+DC brightness entries.
++ * Accesses to higher SINF entries are checked against num_sifr.
++ */
++ if (num_sifr <= SINF_DC_CUR_BRIGHT || num_sifr > 255) {
++ pr_err("num_sifr %d out of range %d - 255\n", num_sifr, SINF_DC_CUR_BRIGHT + 1);
+ return -ENODEV;
+ }
+ 
+@@ -1016,11 +1042,14 @@ static int acpi_pcc_hotkey_add(struct ac
+ acpi_pcc_write_sset(pcc, SINF_STICKY_KEY, 0);
+ pcc->sticky_key = 0;
+ 
+- pcc->eco_mode = pcc->sinf[SINF_ECO_MODE];
+- pcc->mute = pcc->sinf[SINF_MUTE];
+ pcc->ac_brightness = pcc->sinf[SINF_AC_CUR_BRIGHT];
+ pcc->dc_brightness = pcc->sinf[SINF_DC_CUR_BRIGHT];
+- pcc->current_brightness = pcc->sinf[SINF_CUR_BRIGHT];
++ if (pcc->num_sifr > SINF_MUTE)
++ pcc->mute = pcc->sinf[SINF_MUTE];
++ if (pcc->num_sifr > SINF_ECO_MODE)
++ pcc->eco_mode = pcc->sinf[SINF_ECO_MODE];
++ if (pcc->num_sifr > SINF_CUR_BRIGHT)
++ pcc->current_brightness = pcc->sinf[SINF_CUR_BRIGHT];
+ 
+ /* add sysfs attributes */
+ result = sysfs_create_group(&device->dev.kobj, &pcc_attr_group);
diff --git a/queue-5.15/series b/queue-5.15/series
index 6779100891d..16d678ddc11 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -12,3 +12,10 @@ drm-msm-adreno-fix-error-return-if-missing-firmware-.patch
 input-i8042-add-fujitsu-lifebook-e756-to-i8042-quirk.patch
 nfsv4-fix-clearing-of-layout-segments-in-layoutretur.patch
 nfs-avoid-unnecessary-rescanning-of-the-per-server-d.patch
+platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch
+platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch
+mptcp-pm-fix-uaf-in-__timer_delete_sync.patch
+arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch
+minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch
+net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch
+mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch
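Review bot: The `pcc->num_sifr > SINF_x` bound is spelled by hand nine times across `pcc_sysfs_is_visible`, `acpi_pcc_hotkey_resume` and `acpi_pcc_hotkey_add`, so the rule that index `SINF_x` is valid only when the array holds more than `SINF_x` entries is easy to get wrong the next time an index is added. A small helper, `static bool pcc_has_sinf(const struct pcc_acpi *pcc, int idx) { return pcc->num_sifr > idx; }`, used at each site would make the off-by-one direction a single decision and keep `is_visible` in lock-step with the probe and resume checks. The helper also gives a natural place for a comment stating that `num_sifr` is the SQTY count and that the AC/DC brightness indexes are guaranteed by the range check in `acpi_pcc_hotkey_add`. `acpi_pcc_hotkey_resume` and `acpi_pcc_hotkey_add` both begin before their hunks.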