From: Sasha Levin Date: Sat, 31 Aug 2024 23:13:51 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v4.19.321~32 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6f227270625157ab76f403522447c9558c4c5b15;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/dmaengine-dw-add-memory-bus-width-verification.patch b/queue-5.10/dmaengine-dw-add-memory-bus-width-verification.patch new file mode 100644 index 00000000000..0b1efc3b676 --- /dev/null +++ b/queue-5.10/dmaengine-dw-add-memory-bus-width-verification.patch @@ -0,0 +1,186 @@ +From 5a9bf936ac09b1ecc0da8025244c129d5cc5779c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2024 10:50:47 +0300 +Subject: dmaengine: dw: Add memory bus width verification + +From: Serge Semin + +[ Upstream commit d04b21bfa1c50a2ade4816cab6fdc91827b346b1 ] + +Currently in case of the DEV_TO_MEM or MEM_TO_DEV DMA transfers the memory +data width (single transfer width) is determined based on the buffer +length, buffer base address or DMA master-channel max address width +capability. It isn't enough in case of the channel disabling prior the +block transfer is finished. Here is what DW AHB DMA IP-core databook says +regarding the port suspension (DMA-transfer pause) implementation in the +controller: + +"When CTLx.SRC_TR_WIDTH < CTLx.DST_TR_WIDTH and the CFGx.CH_SUSP bit is +high, the CFGx.FIFO_EMPTY is asserted once the contents of the FIFO do not +permit a single word of CTLx.DST_TR_WIDTH to be formed. However, there may +still be data in the channel FIFO, but not enough to form a single +transfer of CTLx.DST_TR_WIDTH. In this scenario, once the channel is +disabled, the remaining data in the channel FIFO is not transferred to the +destination peripheral." + +So in case if the port gets to be suspended and then disabled it's +possible to have the data silently discarded even though the controller +reported that FIFO is empty and the CTLx.BLOCK_TS indicated the dropped +data already received from the source device. This looks as if the data +somehow got lost on a way from the peripheral device to memory and causes +problems for instance in the DW APB UART driver, which pauses and disables +the DMA-transfer as soon as the recv data timeout happens. Here is the way +it looks: + + Memory <------- DMA FIFO <------ UART FIFO <---------------- UART + DST_TR_WIDTH -+--------| | | + | | | | No more data + Current lvl -+--------| |---------+- DMA-burst lvl + | | |---------+- Leftover data + | | |---------+- SRC_TR_WIDTH + -+--------+-------+---------+ + +In the example above: no more data is getting received over the UART port +and BLOCK_TS is not even close to be fully received; some data is left in +the UART FIFO, but not enough to perform a bursted DMA-xfer to the DMA +FIFO; some data is left in the DMA FIFO, but not enough to be passed +further to the system memory in a single transfer. In this situation the +8250 UART driver catches the recv timeout interrupt, pauses the +DMA-transfer and terminates it completely, after which the IRQ handler +manually fetches the leftover data from the UART FIFO into the +recv-buffer. But since the DMA-channel has been disabled with the data +left in the DMA FIFO, that data will be just discarded and the recv-buffer +will have a gap of the "current lvl" size in the recv-buffer at the tail +of the lately received data portion. So the data will be lost just due to +the misconfigured DMA transfer. + +Note this is only relevant for the case of the transfer suspension and +_disabling_. No problem will happen if the transfer will be re-enabled +afterwards or the block transfer is fully completed. In the later case the +"FIFO flush mode" will be executed at the transfer final stage in order to +push out the data left in the DMA FIFO. + +In order to fix the denoted problem the DW AHB DMA-engine driver needs to +make sure that the _bursted_ source transfer width is greater or equal to +the single destination transfer (note the HW databook describes more +strict constraint than actually required). Since the peripheral-device +side is prescribed by the client driver logic, the memory-side can be only +used for that. The solution can be easily implemented for the DEV_TO_MEM +transfers just by adjusting the memory-channel address width. Sadly it's +not that easy for the MEM_TO_DEV transfers since the mem-to-dma burst size +is normally dynamically determined by the controller. So the only thing +that can be done is to make sure that memory-side address width is greater +than the peripheral device address width. + +Fixes: a09820043c9e ("dw_dmac: autoconfigure data_width or get it via platform data") +Signed-off-by: Serge Semin +Acked-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20240802075100.6475-3-fancer.lancer@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dw/core.c | 51 +++++++++++++++++++++++++++++++++++++------ + 1 file changed, 44 insertions(+), 7 deletions(-) + +diff --git a/drivers/dma/dw/core.c b/drivers/dma/dw/core.c +index 128c194d65b6d..0beafcee72673 100644 +--- a/drivers/dma/dw/core.c ++++ b/drivers/dma/dw/core.c +@@ -625,12 +625,10 @@ dwc_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, + struct dw_desc *prev; + struct dw_desc *first; + u32 ctllo, ctlhi; +- u8 m_master = dwc->dws.m_master; +- u8 lms = DWC_LLP_LMS(m_master); ++ u8 lms = DWC_LLP_LMS(dwc->dws.m_master); + dma_addr_t reg; + unsigned int reg_width; + unsigned int mem_width; +- unsigned int data_width = dw->pdata->data_width[m_master]; + unsigned int i; + struct scatterlist *sg; + size_t total_len = 0; +@@ -664,7 +662,7 @@ dwc_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, + mem = sg_dma_address(sg); + len = sg_dma_len(sg); + +- mem_width = __ffs(data_width | mem | len); ++ mem_width = __ffs(sconfig->src_addr_width | mem | len); + + slave_sg_todev_fill_desc: + desc = dwc_desc_get(dwc); +@@ -724,7 +722,7 @@ dwc_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, + lli_write(desc, sar, reg); + lli_write(desc, dar, mem); + lli_write(desc, ctlhi, ctlhi); +- mem_width = __ffs(data_width | mem); ++ mem_width = __ffs(sconfig->dst_addr_width | mem); + lli_write(desc, ctllo, ctllo | DWC_CTLL_DST_WIDTH(mem_width)); + desc->len = dlen; + +@@ -816,6 +814,41 @@ static int dwc_verify_p_buswidth(struct dma_chan *chan) + return 0; + } + ++static int dwc_verify_m_buswidth(struct dma_chan *chan) ++{ ++ struct dw_dma_chan *dwc = to_dw_dma_chan(chan); ++ struct dw_dma *dw = to_dw_dma(chan->device); ++ u32 reg_width, reg_burst, mem_width; ++ ++ mem_width = dw->pdata->data_width[dwc->dws.m_master]; ++ ++ /* ++ * It's possible to have a data portion locked in the DMA FIFO in case ++ * of the channel suspension. Subsequent channel disabling will cause ++ * that data silent loss. In order to prevent that maintain the src and ++ * dst transfer widths coherency by means of the relation: ++ * (CTLx.SRC_TR_WIDTH * CTLx.SRC_MSIZE >= CTLx.DST_TR_WIDTH) ++ * Look for the details in the commit message that brings this change. ++ * ++ * Note the DMA configs utilized in the calculations below must have ++ * been verified to have correct values by this method call. ++ */ ++ if (dwc->dma_sconfig.direction == DMA_MEM_TO_DEV) { ++ reg_width = dwc->dma_sconfig.dst_addr_width; ++ if (mem_width < reg_width) ++ return -EINVAL; ++ ++ dwc->dma_sconfig.src_addr_width = mem_width; ++ } else if (dwc->dma_sconfig.direction == DMA_DEV_TO_MEM) { ++ reg_width = dwc->dma_sconfig.src_addr_width; ++ reg_burst = rounddown_pow_of_two(dwc->dma_sconfig.src_maxburst); ++ ++ dwc->dma_sconfig.dst_addr_width = min(mem_width, reg_width * reg_burst); ++ } ++ ++ return 0; ++} ++ + static int dwc_config(struct dma_chan *chan, struct dma_slave_config *sconfig) + { + struct dw_dma_chan *dwc = to_dw_dma_chan(chan); +@@ -825,14 +858,18 @@ static int dwc_config(struct dma_chan *chan, struct dma_slave_config *sconfig) + memcpy(&dwc->dma_sconfig, sconfig, sizeof(*sconfig)); + + dwc->dma_sconfig.src_maxburst = +- clamp(dwc->dma_sconfig.src_maxburst, 0U, dwc->max_burst); ++ clamp(dwc->dma_sconfig.src_maxburst, 1U, dwc->max_burst); + dwc->dma_sconfig.dst_maxburst = +- clamp(dwc->dma_sconfig.dst_maxburst, 0U, dwc->max_burst); ++ clamp(dwc->dma_sconfig.dst_maxburst, 1U, dwc->max_burst); + + ret = dwc_verify_p_buswidth(chan); + if (ret) + return ret; + ++ ret = dwc_verify_m_buswidth(chan); ++ if (ret) ++ return ret; ++ + dw->encode_maxburst(dwc, &dwc->dma_sconfig.src_maxburst); + dw->encode_maxburst(dwc, &dwc->dma_sconfig.dst_maxburst); + +-- +2.43.0 + diff --git a/queue-5.10/dmaengine-dw-add-peripheral-bus-width-verification.patch b/queue-5.10/dmaengine-dw-add-peripheral-bus-width-verification.patch new file mode 100644 index 00000000000..d4cb25c87df --- /dev/null +++ b/queue-5.10/dmaengine-dw-add-peripheral-bus-width-verification.patch @@ -0,0 +1,112 @@ +From 1ab52515f6e69c5b3a2473f0f1805ca2bbb3d3ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2024 10:50:46 +0300 +Subject: dmaengine: dw: Add peripheral bus width verification + +From: Serge Semin + +[ Upstream commit b336268dde75cb09bd795cb24893d52152a9191f ] + +Currently the src_addr_width and dst_addr_width fields of the +dma_slave_config structure are mapped to the CTLx.SRC_TR_WIDTH and +CTLx.DST_TR_WIDTH fields of the peripheral bus side in order to have the +properly aligned data passed to the target device. It's done just by +converting the passed peripheral bus width to the encoded value using the +__ffs() function. This implementation has several problematic sides: + +1. __ffs() is undefined if no bit exist in the passed value. Thus if the +specified addr-width is DMA_SLAVE_BUSWIDTH_UNDEFINED, __ffs() may return +unexpected value depending on the platform-specific implementation. + +2. DW AHB DMA-engine permits having the power-of-2 transfer width limited +by the DMAH_Mk_HDATA_WIDTH IP-core synthesize parameter. Specifying +bus-width out of that constraints scope will definitely cause unexpected +result since the destination reg will be only partly touched than the +client driver implied. + +Let's fix all of that by adding the peripheral bus width verification +method and calling it in dwc_config() which is supposed to be executed +before preparing any transfer. The new method will make sure that the +passed source or destination address width is valid and if undefined then +the driver will just fallback to the 1-byte width transfer. + +Fixes: 029a40e97d0d ("dmaengine: dw: provide DMA capabilities") +Signed-off-by: Serge Semin +Acked-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20240802075100.6475-2-fancer.lancer@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dw/core.c | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +diff --git a/drivers/dma/dw/core.c b/drivers/dma/dw/core.c +index 7ab83fe601ede..128c194d65b6d 100644 +--- a/drivers/dma/dw/core.c ++++ b/drivers/dma/dw/core.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -783,10 +784,43 @@ bool dw_dma_filter(struct dma_chan *chan, void *param) + } + EXPORT_SYMBOL_GPL(dw_dma_filter); + ++static int dwc_verify_p_buswidth(struct dma_chan *chan) ++{ ++ struct dw_dma_chan *dwc = to_dw_dma_chan(chan); ++ struct dw_dma *dw = to_dw_dma(chan->device); ++ u32 reg_width, max_width; ++ ++ if (dwc->dma_sconfig.direction == DMA_MEM_TO_DEV) ++ reg_width = dwc->dma_sconfig.dst_addr_width; ++ else if (dwc->dma_sconfig.direction == DMA_DEV_TO_MEM) ++ reg_width = dwc->dma_sconfig.src_addr_width; ++ else /* DMA_MEM_TO_MEM */ ++ return 0; ++ ++ max_width = dw->pdata->data_width[dwc->dws.p_master]; ++ ++ /* Fall-back to 1-byte transfer width if undefined */ ++ if (reg_width == DMA_SLAVE_BUSWIDTH_UNDEFINED) ++ reg_width = DMA_SLAVE_BUSWIDTH_1_BYTE; ++ else if (!is_power_of_2(reg_width) || reg_width > max_width) ++ return -EINVAL; ++ else /* bus width is valid */ ++ return 0; ++ ++ /* Update undefined addr width value */ ++ if (dwc->dma_sconfig.direction == DMA_MEM_TO_DEV) ++ dwc->dma_sconfig.dst_addr_width = reg_width; ++ else /* DMA_DEV_TO_MEM */ ++ dwc->dma_sconfig.src_addr_width = reg_width; ++ ++ return 0; ++} ++ + static int dwc_config(struct dma_chan *chan, struct dma_slave_config *sconfig) + { + struct dw_dma_chan *dwc = to_dw_dma_chan(chan); + struct dw_dma *dw = to_dw_dma(chan->device); ++ int ret; + + memcpy(&dwc->dma_sconfig, sconfig, sizeof(*sconfig)); + +@@ -795,6 +829,10 @@ static int dwc_config(struct dma_chan *chan, struct dma_slave_config *sconfig) + dwc->dma_sconfig.dst_maxburst = + clamp(dwc->dma_sconfig.dst_maxburst, 0U, dwc->max_burst); + ++ ret = dwc_verify_p_buswidth(chan); ++ if (ret) ++ return ret; ++ + dw->encode_maxburst(dwc, &dwc->dma_sconfig.src_maxburst); + dw->encode_maxburst(dwc, &dwc->dma_sconfig.dst_maxburst); + +-- +2.43.0 + diff --git a/queue-5.10/ethtool-check-device-is-present-when-getting-link-se.patch b/queue-5.10/ethtool-check-device-is-present-when-getting-link-se.patch new file mode 100644 index 00000000000..406f80305b4 --- /dev/null +++ b/queue-5.10/ethtool-check-device-is-present-when-getting-link-se.patch @@ -0,0 +1,79 @@ +From 76e0bdc5de6a815c644afa181bf2cc0ee4be8830 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Aug 2024 16:26:58 +1000 +Subject: ethtool: check device is present when getting link settings + +From: Jamie Bainbridge + +[ Upstream commit a699781c79ecf6cfe67fb00a0331b4088c7c8466 ] + +A sysfs reader can race with a device reset or removal, attempting to +read device state when the device is not actually present. eg: + + [exception RIP: qed_get_current_link+17] + #8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede] + #9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3 + #10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4 + #11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300 + #12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c + #13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b + #14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3 + #15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1 + #16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f + #17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb + + crash> struct net_device.state ffff9a9d21336000 + state = 5, + +state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100). +The device is not present, note lack of __LINK_STATE_PRESENT (0b10). + +This is the same sort of panic as observed in commit 4224cfd7fb65 +("net-sysfs: add check for netdevice being present to speed_show"). + +There are many other callers of __ethtool_get_link_ksettings() which +don't have a device presence check. + +Move this check into ethtool to protect all callers. + +Fixes: d519e17e2d01 ("net: export device speed and duplex via sysfs") +Fixes: 4224cfd7fb65 ("net-sysfs: add check for netdevice being present to speed_show") +Signed-off-by: Jamie Bainbridge +Link: https://patch.msgid.link/8bae218864beaa44ed01628140475b9bf641c5b0.1724393671.git.jamie.bainbridge@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/net-sysfs.c | 2 +- + net/ethtool/ioctl.c | 3 +++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c +index 989b3f7ee85f4..99303897b7bb7 100644 +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -213,7 +213,7 @@ static ssize_t speed_show(struct device *dev, + if (!rtnl_trylock()) + return restart_syscall(); + +- if (netif_running(netdev) && netif_device_present(netdev)) { ++ if (netif_running(netdev)) { + struct ethtool_link_ksettings cmd; + + if (!__ethtool_get_link_ksettings(netdev, &cmd)) +diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c +index 12bf740e2fb31..0a588545d3526 100644 +--- a/net/ethtool/ioctl.c ++++ b/net/ethtool/ioctl.c +@@ -432,6 +432,9 @@ int __ethtool_get_link_ksettings(struct net_device *dev, + if (!dev->ethtool_ops->get_link_ksettings) + return -EOPNOTSUPP; + ++ if (!netif_device_present(dev)) ++ return -ENODEV; ++ + memset(link_ksettings, 0, sizeof(*link_ksettings)); + return dev->ethtool_ops->get_link_ksettings(dev, link_ksettings); + } +-- +2.43.0 + diff --git a/queue-5.10/gtp-fix-a-potential-null-pointer-dereference.patch b/queue-5.10/gtp-fix-a-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..e562ae7e6a8 --- /dev/null +++ b/queue-5.10/gtp-fix-a-potential-null-pointer-dereference.patch @@ -0,0 +1,47 @@ +From eeb66ae3effa944c0710b6d927d9b96646481f4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Aug 2024 12:16:38 -0700 +Subject: gtp: fix a potential NULL pointer dereference + +From: Cong Wang + +[ Upstream commit defd8b3c37b0f9cb3e0f60f47d3d78d459d57fda ] + +When sockfd_lookup() fails, gtp_encap_enable_socket() returns a +NULL pointer, but its callers only check for error pointers thus miss +the NULL pointer case. + +Fix it by returning an error pointer with the error code carried from +sockfd_lookup(). + +(I found this bug during code inspection.) + +Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional") +Cc: Andreas Schultz +Cc: Harald Welte +Signed-off-by: Cong Wang +Reviewed-by: Simon Horman +Reviewed-by: Pablo Neira Ayuso +Link: https://patch.msgid.link/20240825191638.146748-1-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 993960f0fa3cb..24cb7b97e4fcc 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -801,7 +801,7 @@ static struct sock *gtp_encap_enable_socket(int fd, int type, + sock = sockfd_lookup(fd, &err); + if (!sock) { + pr_debug("gtp socket fd=%d not found\n", fd); +- return NULL; ++ return ERR_PTR(err); + } + + sk = sock->sk; +-- +2.43.0 + diff --git a/queue-5.10/net-busy-poll-use-ktime_get_ns-instead-of-local_cloc.patch b/queue-5.10/net-busy-poll-use-ktime_get_ns-instead-of-local_cloc.patch new file mode 100644 index 00000000000..3dc00da4679 --- /dev/null +++ b/queue-5.10/net-busy-poll-use-ktime_get_ns-instead-of-local_cloc.patch @@ -0,0 +1,48 @@ +From f27d31431fd1a9bb578d0725e1487d76ce402d42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 11:49:16 +0000 +Subject: net: busy-poll: use ktime_get_ns() instead of local_clock() + +From: Eric Dumazet + +[ Upstream commit 0870b0d8b393dde53106678a1e2cec9dfa52f9b7 ] + +Typically, busy-polling durations are below 100 usec. + +When/if the busy-poller thread migrates to another cpu, +local_clock() can be off by +/-2msec or more for small +values of HZ, depending on the platform. + +Use ktimer_get_ns() to ensure deterministic behavior, +which is the whole point of busy-polling. + +Fixes: 060212928670 ("net: add low latency socket poll") +Fixes: 9a3c71aa8024 ("net: convert low latency sockets to sched_clock()") +Fixes: 37089834528b ("sched, net: Fixup busy_loop_us_clock()") +Signed-off-by: Eric Dumazet +Cc: Mina Almasry +Cc: Willem de Bruijn +Reviewed-by: Joe Damato +Link: https://patch.msgid.link/20240827114916.223377-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/busy_poll.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/busy_poll.h b/include/net/busy_poll.h +index 36e5e75e71720..be01eda3b6ff7 100644 +--- a/include/net/busy_poll.h ++++ b/include/net/busy_poll.h +@@ -61,7 +61,7 @@ static inline bool sk_can_busy_loop(struct sock *sk) + static inline unsigned long busy_loop_current_time(void) + { + #ifdef CONFIG_NET_RX_BUSY_POLL +- return (unsigned long)(local_clock() >> 10); ++ return (unsigned long)(ktime_get_ns() >> 10); + #else + return 0; + #endif +-- +2.43.0 + diff --git a/queue-5.10/nfc-pn533-add-poll-mod-list-filling-check.patch b/queue-5.10/nfc-pn533-add-poll-mod-list-filling-check.patch new file mode 100644 index 00000000000..0fff3f2a888 --- /dev/null +++ b/queue-5.10/nfc-pn533-add-poll-mod-list-filling-check.patch @@ -0,0 +1,62 @@ +From 808d3bffde455dd5b790d895023ac68d63306b77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 11:48:22 +0300 +Subject: nfc: pn533: Add poll mod list filling check + +From: Aleksandr Mishin + +[ Upstream commit febccb39255f9df35527b88c953b2e0deae50e53 ] + +In case of im_protocols value is 1 and tm_protocols value is 0 this +combination successfully passes the check +'if (!im_protocols && !tm_protocols)' in the nfc_start_poll(). +But then after pn533_poll_create_mod_list() call in pn533_start_poll() +poll mod list will remain empty and dev->poll_mod_count will remain 0 +which lead to division by zero. + +Normally no im protocol has value 1 in the mask, so this combination is +not expected by driver. But these protocol values actually come from +userspace via Netlink interface (NFC_CMD_START_POLL operation). So a +broken or malicious program may pass a message containing a "bad" +combination of protocol parameter values so that dev->poll_mod_count +is not incremented inside pn533_poll_create_mod_list(), thus leading +to division by zero. +Call trace looks like: +nfc_genl_start_poll() + nfc_start_poll() + ->start_poll() + pn533_start_poll() + +Add poll mod list filling check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: dfccd0f58044 ("NFC: pn533: Add some polling entropy") +Signed-off-by: Aleksandr Mishin +Acked-by: Krzysztof Kozlowski +Link: https://patch.msgid.link/20240827084822.18785-1-amishin@t-argos.ru +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/nfc/pn533/pn533.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c +index 87e1296c68381..4de5205d9d61b 100644 +--- a/drivers/nfc/pn533/pn533.c ++++ b/drivers/nfc/pn533/pn533.c +@@ -1751,6 +1751,11 @@ static int pn533_start_poll(struct nfc_dev *nfc_dev, + } + + pn533_poll_create_mod_list(dev, im_protocols, tm_protocols); ++ if (!dev->poll_mod_count) { ++ nfc_err(dev->dev, ++ "Poll mod list is empty\n"); ++ return -EINVAL; ++ } + + /* Do not always start polling from the same modulation */ + get_random_bytes(&rand_mod, sizeof(rand_mod)); +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 0c46bd85292..3ca14978a86 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -135,3 +135,9 @@ cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch net-rds-fix-possible-deadlock-in-rds_message_put.patch ovl-do-not-fail-because-of-o_noatime.patch soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch +dmaengine-dw-add-peripheral-bus-width-verification.patch +dmaengine-dw-add-memory-bus-width-verification.patch +ethtool-check-device-is-present-when-getting-link-se.patch +gtp-fix-a-potential-null-pointer-dereference.patch +net-busy-poll-use-ktime_get_ns-instead-of-local_cloc.patch +nfc-pn533-add-poll-mod-list-filling-check.patch