From: Greg Kroah-Hartman
Date: Fri, 13 Sep 2024 12:44:13 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Tag: v6.1.111~41
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=83b4d62ae24475d46a8f9985090e91caa7143a2f;p=thirdparty%2Fkernel%2Fstable-queue.git
6.6-stable patches
added patches:
arm64-dts-rockchip-fix-emmc-spi-corruption-when-audio-has-been-used-on-rk3399-puma.patch
arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch
dm-integrity-fix-a-race-condition-when-accessing-recalc_sector.patch
minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch
mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch
mptcp-pm-fix-uaf-in-__timer_delete_sync.patch
net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch
platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch
platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch
selftests-mptcp-join-restrict-fullmesh-endp-on-1st-sf.patch
x86-hyperv-fix-kexec-crash-due-to-vp-assist-page-corruption.patch
---
diff --git a/queue-6.6/arm64-dts-rockchip-fix-emmc-spi-corruption-when-audio-has-been-used-on-rk3399-puma.patch b/queue-6.6/arm64-dts-rockchip-fix-emmc-spi-corruption-when-audio-has-been-used-on-rk3399-puma.patch
new file mode 100644
index 00000000000..d0591bf52fd
--- /dev/null
+++ b/queue-6.6/arm64-dts-rockchip-fix-emmc-spi-corruption-when-audio-has-been-used-on-rk3399-puma.patch
@@ -0,0 +1,73 @@ +From bb94a157b37ec23f53906a279320f6ed64300eba Mon Sep 17 00:00:00 2001 +From: Quentin Schulz +Date: Wed, 31 Jul 2024 13:05:28 +0200 +Subject: arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma + +From: Quentin Schulz + +commit bb94a157b37ec23f53906a279320f6ed64300eba upstream. + +In commit 91419ae0420f ("arm64: dts: rockchip: use BCLK to GPIO switch +on rk3399"), an additional pinctrl state was added whose default pinmux +is for 8ch i2s0. However, Puma only has 2ch i2s0. It's been overriding +the pinctrl-0 property but the second property override was missed in +the aforementioned commit. + +On Puma, a hardware slider called "BIOS Disable/Normal Boot" can disable +eMMC and SPI to force booting from SD card. Another software-controlled +GPIO is then configured to override this behavior to make eMMC and SPI +available without human intervention. This is currently done in U-Boot +and it was enough until the aforementioned commit. + +Indeed, because of this additional not-yet-overridden property, this +software-controlled GPIO is now muxed in a state that does not override +this hardware slider anymore, rendering SPI and eMMC flashes unusable. + +Let's override the property with the 2ch pinmux to fix this. 
+ +Fixes: 91419ae0420f ("arm64: dts: rockchip: use BCLK to GPIO switch on rk3399") +Cc: stable@vger.kernel.org +Signed-off-by: Quentin Schulz +Link: https://lore.kernel.org/r/20240731-puma-emmc-6-v1-1-4e28eadf32d0@cherry.de +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -374,6 +374,7 @@ + + &i2s0 { + pinctrl-0 = <&i2s0_2ch_bus>; ++ pinctrl-1 = <&i2s0_2ch_bus_bclk_off>; + rockchip,playback-channels = <2>; + rockchip,capture-channels = <2>; + status = "okay"; +@@ -382,8 +383,8 @@ + /* + * As Q7 does not specify neither a global nor a RX clock for I2S these + * signals are not used. Furthermore I2S0_LRCK_RX is used as GPIO. +- * Therefore we have to redefine the i2s0_2ch_bus definition to prevent +- * conflicts. ++ * Therefore we have to redefine the i2s0_2ch_bus and i2s0_2ch_bus_bclk_off ++ * definitions to prevent conflicts. + */ + &i2s0_2ch_bus { + rockchip,pins = +@@ -391,6 +392,14 @@ + <3 RK_PD2 1 &pcfg_pull_none>, + <3 RK_PD3 1 &pcfg_pull_none>, + <3 RK_PD7 1 &pcfg_pull_none>; ++}; ++ ++&i2s0_2ch_bus_bclk_off { ++ rockchip,pins = ++ <3 RK_PD0 RK_FUNC_GPIO &pcfg_pull_none>, ++ <3 RK_PD2 1 &pcfg_pull_none>, ++ <3 RK_PD3 1 &pcfg_pull_none>, ++ <3 RK_PD7 1 &pcfg_pull_none>; + }; + + &io_domains { diff --git a/queue-6.6/arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch b/queue-6.6/arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch new file mode 100644 index 00000000000..04da7ff447e --- /dev/null +++ b/queue-6.6/arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch 
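Review bot: The new `&i2s0_2ch_bus_bclk_off` override at the end of the hunk repeats the four `rockchip,pins` entries of `&i2s0_2ch_bus` with only the first cell changed (`RK_PD0` muxed as `RK_FUNC_GPIO` instead of function `1`, presumably the BCLK line given the node name), and nothing in the file says the two lists must stay in step. This commit's own description shows that one un-overridden pinctrl property was enough to re-mux the BIOS_DISABLE override pin and lose eMMC and SPI, so the coupling deserves to be written down in the comment the hunk already edits, e.g. `* i2s0_2ch_bus_bclk_off must mirror i2s0_2ch_bus except that RK_PD0 is parked as GPIO; keep both lists in sync.` The existing sentence about I2S0_LRCK_RX being used as GPIO explains why both lists differ from the SoC defaults, not why they differ from each other.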
@@ -0,0 +1,70 @@ +From 741f5ba7ccba5d7ae796dd11c320e28045524771 Mon Sep 17 00:00:00 2001 +From: Quentin Schulz +Date: Wed, 31 Jul 2024 13:05:29 +0200 +Subject: arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma + +From: Quentin Schulz + +commit 741f5ba7ccba5d7ae796dd11c320e28045524771 upstream. + +The Qseven BIOS_DISABLE signal on the RK3399-Q7 keeps the on-module eMMC +and SPI flash powered-down initially (in fact it keeps the reset signal +asserted). BIOS_DISABLE_OVERRIDE pin allows to override that signal so +that eMMC and SPI can be used regardless of the state of the signal. + +Let's make this GPIO a hog so that it's reserved and locked in the +proper state. + +At the same time, make sure the pin is reserved for the hog and cannot +be requested by another node. + +Cc: stable@vger.kernel.org +Signed-off-by: Quentin Schulz +Link: https://lore.kernel.org/r/20240731-puma-emmc-6-v1-2-4e28eadf32d0@cherry.de +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -119,6 +119,22 @@ + drive-impedance-ohm = <33>; + }; + ++&gpio3 { ++ /* ++ * The Qseven BIOS_DISABLE signal on the RK3399-Q7 keeps the on-module ++ * eMMC and SPI flash powered-down initially (in fact it keeps the ++ * reset signal asserted). BIOS_DISABLE_OVERRIDE pin allows to override ++ * that signal so that eMMC and SPI can be used regardless of the state ++ * of the signal. 
++ */ ++ bios-disable-override-hog { ++ gpios = ; ++ gpio-hog; ++ line-name = "bios_disable_override"; ++ output-high; ++ }; ++}; ++ + &gmac { + assigned-clocks = <&cru SCLK_RMII_SRC>; + assigned-clock-parents = <&clkin_gmac>; +@@ -417,9 +433,14 @@ + + &pinctrl { + pinctrl-names = "default"; +- pinctrl-0 = <&q7_thermal_pin>; ++ pinctrl-0 = <&q7_thermal_pin &bios_disable_override_hog_pin>; + + gpios { ++ bios_disable_override_hog_pin: bios-disable-override-hog-pin { ++ rockchip,pins = ++ <3 RK_PD5 RK_FUNC_GPIO &pcfg_pull_down>; ++ }; ++ + q7_thermal_pin: q7-thermal-pin { + rockchip,pins = + <0 RK_PA3 RK_FUNC_GPIO &pcfg_pull_up>; diff --git a/queue-6.6/dm-integrity-fix-a-race-condition-when-accessing-recalc_sector.patch b/queue-6.6/dm-integrity-fix-a-race-condition-when-accessing-recalc_sector.patch new file mode 100644 index 00000000000..5082c9d306e --- /dev/null +++ b/queue-6.6/dm-integrity-fix-a-race-condition-when-accessing-recalc_sector.patch 
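Review bot: The `gpios = ;` line in the new `bios-disable-override-hog` node has no pin specifier as rendered here, so the hog as shown would not bind to any line; most likely the angle-bracketed cell list was swallowed by the HTML extraction of this page, but it is worth confirming against the queued patch file rather than assuming. Separately, the hog drives BIOS_DISABLE_OVERRIDE `output-high` from kernel boot onward and, being a hog, is reserved so nothing else can request the line; the node comment explains what the override does but not that it is now unconditional, so I would append `* Hogging the pin high makes eMMC/SPI available regardless of the slider position for the life of the kernel.` after the existing comment text.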
@@ -0,0 +1,58 @@ +From f8e1ca92e35e9041cc0a1bc226ef07a853a22de4 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Thu, 5 Sep 2024 20:27:25 +0200 +Subject: dm-integrity: fix a race condition when accessing recalc_sector + +From: Mikulas Patocka + +commit f8e1ca92e35e9041cc0a1bc226ef07a853a22de4 upstream. + +There's a race condition when accessing the variable +ic->sb->recalc_sector. The function integrity_recalc writes to this +variable when it makes some progress and the function +dm_integrity_map_continue may read this variable concurrently. + +One problem is that on 32-bit architectures the 64-bit variable is not +read and written atomically - it may be possible to read garbage if read +races with write. + +Another problem is that memory accesses to this variable are not guarded +with memory barriers. + +This commit fixes the race - it moves reading ic->sb->recalc_sector to an +earlier place where we hold &ic->endio_wait.lock. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-integrity.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -2183,6 +2183,7 @@ static void dm_integrity_map_continue(st + struct bio *bio = dm_bio_from_per_bio_data(dio, sizeof(struct dm_integrity_io)); + unsigned int journal_section, journal_entry; + unsigned int journal_read_pos; ++ sector_t recalc_sector; + struct completion read_comp; + bool discard_retried = false; + bool need_sync_io = ic->internal_hash && dio->op == REQ_OP_READ; +@@ -2323,6 +2324,7 @@ offload_to_thread: + goto lock_retry; + } + } ++ recalc_sector = le64_to_cpu(ic->sb->recalc_sector); + spin_unlock_irq(&ic->endio_wait.lock); + + if (unlikely(journal_read_pos != NOT_FOUND)) { +@@ -2377,7 +2379,7 @@ offload_to_thread: + if (need_sync_io) { + wait_for_completion_io(&read_comp); + if (ic->sb->flags & cpu_to_le32(SB_FLAG_RECALCULATING) && +- dio->range.logical_sector + 
dio->range.n_sectors > le64_to_cpu(ic->sb->recalc_sector)) ++ dio->range.logical_sector + dio->range.n_sectors > recalc_sector) + goto skip_check; + if (ic->mode == 'B') { + if (!block_bitmap_op(ic, ic->recalc_bitmap, dio->range.logical_sector, diff --git a/queue-6.6/minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch b/queue-6.6/minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch new file mode 100644 index 00000000000..ea2aa6db54f --- /dev/null +++ b/queue-6.6/minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch 
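Review bot: The new `recalc_sector = le64_to_cpu(ic->sb->recalc_sector);` line carries no comment, so the reason it sits just before `spin_unlock_irq(&ic->endio_wait.lock)` rather than next to the comparison that uses it is recorded only in the commit message. I would add `/* Snapshot under endio_wait.lock: integrity_recalc() updates this 64-bit field concurrently and the read is not atomic on 32-bit. */` above it so a later cleanup does not move it back to the point of use. The `SB_FLAG_RECALCULATING` test on the following lines still reads `ic->sb->flags` without the lock; that is a 32-bit field and cannot tear, but whether it is meant to pair with the snapshot is not something I can judge from the hunk. The body of `dm_integrity_map_continue()` extends well beyond the hunk on both sides.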
@@ -0,0 +1,68 @@ +From 7c6a3a65ace70f12b27b1a27c9a69cb791dc6e91 Mon Sep 17 00:00:00 2001 +From: Lorenzo Stoakes +Date: Wed, 11 Sep 2024 18:51:11 +0100 +Subject: minmax: reduce min/max macro expansion in atomisp driver + +From: Lorenzo Stoakes + +commit 7c6a3a65ace70f12b27b1a27c9a69cb791dc6e91 upstream. + +Avoid unnecessary nested min()/max() which results in egregious macro +expansion. + +Use clamp_t() as this introduces the least possible expansion, and turn +the {s,u}DIGIT_FITTING() macros into inline functions to avoid the +nested expansion. + +This resolves an issue with slackware 15.0 32-bit compilation as +reported by Richard Narron. + +Presumably the min/max fixups would be difficult to backport, this patch +should be easier and fix's Richard's problem in 5.15. + +Reported-by: Richard Narron +Reviewed-by: Hans de Goede +Closes: https://lore.kernel.org/all/4a5321bd-b1f-1832-f0c-cea8694dc5aa@aaazen.com/ +Fixes: 867046cc7027 ("minmax: relax check to allow comparison between unsigned arguments and signed constants") +Cc: stable@vger.kernel.org +Signed-off-by: Lorenzo Stoakes +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 +++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +--- a/drivers/staging/media/atomisp/pci/sh_css_frac.h ++++ b/drivers/staging/media/atomisp/pci/sh_css_frac.h +@@ -30,12 +30,24 @@ + #define uISP_VAL_MAX ((unsigned int)((1 << uISP_REG_BIT) - 1)) + + /* a:fraction bits for 16bit precision, b:fraction bits for ISP precision */ +-#define sDIGIT_FITTING(v, a, b) \ +- min_t(int, max_t(int, (((v) >> sSHIFT) >> max(sFRACTION_BITS_FITTING(a) - (b), 0)), \ +- sISP_VAL_MIN), sISP_VAL_MAX) +-#define uDIGIT_FITTING(v, a, b) \ +- min((unsigned int)max((unsigned)(((v) >> uSHIFT) \ +- >> max((int)(uFRACTION_BITS_FITTING(a) - (b)), 0)), \ +- uISP_VAL_MIN), uISP_VAL_MAX) ++static inline int sDIGIT_FITTING(int v, int a, int b) ++{ ++ int fit_shift = 
sFRACTION_BITS_FITTING(a) - b; ++ ++ v >>= sSHIFT; ++ v >>= fit_shift > 0 ? fit_shift : 0; ++ ++ return clamp_t(int, v, sISP_VAL_MIN, sISP_VAL_MAX); ++} ++ ++static inline unsigned int uDIGIT_FITTING(unsigned int v, int a, int b) ++{ ++ int fit_shift = uFRACTION_BITS_FITTING(a) - b; ++ ++ v >>= uSHIFT; ++ v >>= fit_shift > 0 ? fit_shift : 0; ++ ++ return clamp_t(unsigned int, v, uISP_VAL_MIN, uISP_VAL_MAX); ++} + + #endif /* __SH_CSS_FRAC_H */ diff --git a/queue-6.6/mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch b/queue-6.6/mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch new file mode 100644 index 00000000000..5231ee34e1d --- /dev/null +++ b/queue-6.6/mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch 
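Review bot: The new `sDIGIT_FITTING()`/`uDIGIT_FITTING()` inline functions fix `v` to `int`/`unsigned int`, whereas the macros they replace accepted any integer type for `v`; a caller passing a wider value (none are visible here) would now be truncated silently at the call, so the call sites deserve a quick check when backporting. Like the old macro, `v >>= sSHIFT` in the signed variant relies on an arithmetic right shift of a possibly negative `int`, which is implementation-defined in C though relied on throughout the kernel; `/* arithmetic shift: the kernel assumes sign-propagating >> on signed ints */` above it would mark that as deliberate. The ternary `fit_shift > 0 ? fit_shift : 0` reproduces the old `max(..., 0)` exactly, which is the right choice for a stable backport.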
@@ -0,0 +1,80 @@ +From 79a61cc3fc0466ad2b7b89618a6157785f0293b3 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 11 Sep 2024 17:11:23 -0700 +Subject: mm: avoid leaving partial pfn mappings around in error case + +From: Linus Torvalds + +commit 79a61cc3fc0466ad2b7b89618a6157785f0293b3 upstream. + +As Jann points out, PFN mappings are special, because unlike normal +memory mappings, there is no lifetime information associated with the +mapping - it is just a raw mapping of PFNs with no reference counting of +a 'struct page'. + +That's all very much intentional, but it does mean that it's easy to +mess up the cleanup in case of errors. Yes, a failed mmap() will always +eventually clean up any partial mappings, but without any explicit +lifetime in the page table mapping itself, it's very easy to do the +error handling in the wrong order. + +In particular, it's easy to mistakenly free the physical backing store +before the page tables are actually cleaned up and (temporarily) have +stale dangling PTE entries. + +To make this situation less error-prone, just make sure that any partial +pfn mapping is torn down early, before any other error handling. + +Reported-and-tested-by: Jann Horn +Cc: Andrew Morton +Cc: Jason Gunthorpe +Cc: Simona Vetter +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -2424,11 +2424,7 @@ static inline int remap_p4d_range(struct + return 0; + } + +-/* +- * Variant of remap_pfn_range that does not call track_pfn_remap. The caller +- * must have pre-validated the caching bits of the pgprot_t. 
+- */ +-int remap_pfn_range_notrack(struct vm_area_struct *vma, unsigned long addr, ++static int remap_pfn_range_internal(struct vm_area_struct *vma, unsigned long addr, + unsigned long pfn, unsigned long size, pgprot_t prot) + { + pgd_t *pgd; +@@ -2481,6 +2477,27 @@ int remap_pfn_range_notrack(struct vm_ar + return 0; + } + ++/* ++ * Variant of remap_pfn_range that does not call track_pfn_remap. The caller ++ * must have pre-validated the caching bits of the pgprot_t. ++ */ ++int remap_pfn_range_notrack(struct vm_area_struct *vma, unsigned long addr, ++ unsigned long pfn, unsigned long size, pgprot_t prot) ++{ ++ int error = remap_pfn_range_internal(vma, addr, pfn, size, prot); ++ ++ if (!error) ++ return 0; ++ ++ /* ++ * A partial pfn range mapping is dangerous: it does not ++ * maintain page reference counts, and callers may free ++ * pages due to the error. So zap it early. ++ */ ++ zap_page_range_single(vma, addr, size, NULL); ++ return error; ++} ++ + /** + * remap_pfn_range - remap kernel memory to userspace + * @vma: user vma to map to diff --git a/queue-6.6/mptcp-pm-fix-uaf-in-__timer_delete_sync.patch b/queue-6.6/mptcp-pm-fix-uaf-in-__timer_delete_sync.patch new file mode 100644 index 00000000000..53ef825fb28 --- /dev/null +++ b/queue-6.6/mptcp-pm-fix-uaf-in-__timer_delete_sync.patch 
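Review bot: The new `remap_pfn_range_notrack()` wrapper changes the function's failure contract (after `zap_page_range_single()` no part of `[addr, addr + size)` stays mapped), but the comment above it is the old two-line one and does not say so, so a caller that frees its backing pages on error cannot learn from the doc that this is now safe. I would extend that comment with `* On failure no partial mapping is left behind: the range is zapped before the error is returned, so callers may release the backing pages.` Whether `remap_pfn_range()` further down still performs its own untrack/cleanup in the right order relative to this zap is outside the hunk and worth checking on the 6.6 tree.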
@@ -0,0 +1,90 @@ +From b4cd80b0338945a94972ac3ed54f8338d2da2076 Mon Sep 17 00:00:00 2001 +From: Edward Adam Davis +Date: Tue, 10 Sep 2024 17:58:56 +0800 +Subject: mptcp: pm: Fix uaf in __timer_delete_sync + +From: Edward Adam Davis + +commit b4cd80b0338945a94972ac3ed54f8338d2da2076 upstream. + +There are two paths to access mptcp_pm_del_add_timer, result in a race +condition: + + CPU1 CPU2 + ==== ==== + net_rx_action + napi_poll netlink_sendmsg + __napi_poll netlink_unicast + process_backlog netlink_unicast_kernel + __netif_receive_skb genl_rcv + __netif_receive_skb_one_core netlink_rcv_skb + NF_HOOK genl_rcv_msg + ip_local_deliver_finish genl_family_rcv_msg + ip_protocol_deliver_rcu genl_family_rcv_msg_doit + tcp_v4_rcv mptcp_pm_nl_flush_addrs_doit + tcp_v4_do_rcv mptcp_nl_remove_addrs_list + tcp_rcv_established mptcp_pm_remove_addrs_and_subflows + tcp_data_queue remove_anno_list_by_saddr + mptcp_incoming_options mptcp_pm_del_add_timer + mptcp_pm_del_add_timer kfree(entry) + +In remove_anno_list_by_saddr(running on CPU2), after leaving the critical +zone protected by "pm.lock", the entry will be released, which leads to the +occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1). + +Keeping a reference to add_timer inside the lock, and calling +sk_stop_timer_sync() with this reference, instead of "entry->add_timer". + +Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock, +do not directly access any members of the entry outside the pm lock, which +can avoid similar "entry->x" uaf. 
+ +Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout") +Cc: stable@vger.kernel.org +Reported-and-tested-by: syzbot+f3a31fb909db9b2a5c4d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=f3a31fb909db9b2a5c4d +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Edward Adam Davis +Acked-by: Paolo Abeni +Link: https://patch.msgid.link/tencent_7142963A37944B4A74EF76CD66EA3C253609@qq.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -339,15 +339,21 @@ mptcp_pm_del_add_timer(struct mptcp_sock + { + struct mptcp_pm_add_entry *entry; + struct sock *sk = (struct sock *)msk; ++ struct timer_list *add_timer = NULL; + + spin_lock_bh(&msk->pm.lock); + entry = mptcp_lookup_anno_list_by_saddr(msk, addr); +- if (entry && (!check_id || entry->addr.id == addr->id)) ++ if (entry && (!check_id || entry->addr.id == addr->id)) { + entry->retrans_times = ADD_ADDR_RETRANS_MAX; ++ add_timer = &entry->add_timer; ++ } ++ if (!check_id && entry) ++ list_del(&entry->list); + spin_unlock_bh(&msk->pm.lock); + +- if (entry && (!check_id || entry->addr.id == addr->id)) +- sk_stop_timer_sync(sk, &entry->add_timer); ++ /* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */ ++ if (add_timer) ++ sk_stop_timer_sync(sk, add_timer); + + return entry; + } +@@ -1493,7 +1499,6 @@ static bool remove_anno_list_by_saddr(st + + entry = mptcp_pm_del_add_timer(msk, addr, false); + if (entry) { +- list_del(&entry->list); + kfree(entry); + return true; + } diff --git a/queue-6.6/net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch b/queue-6.6/net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch new file mode 100644 index 00000000000..f9654de923c --- /dev/null +++ b/queue-6.6/net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch 
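Review bot: `mptcp_pm_del_add_timer()` now unlinks the entry (`list_del(&entry->list)`) only when `check_id` is false yet returns `entry` on both paths, so `check_id` silently decides whether ownership of the entry passes to the caller, and nothing in the hunk documents that. I would add, above the `spin_lock_bh`, a short comment in the file's style stating that with `check_id == false` the entry is unlinked under `pm.lock` and the caller must `kfree()` it, while with `check_id == true` it stays on the list and the returned pointer must not be dereferenced outside `pm.lock`. The `remove_anno_list_by_saddr()` hunk depends on the first half of that contract when it calls `kfree(entry)` with no lock held. The function's signature line is above the hunk, so any kernel-doc it carries is not visible here.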
@@ -0,0 +1,55 @@ +From 6513eb3d3191574b58859ef2d6dc26c0277c6f81 Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Tue, 10 Sep 2024 17:35:35 -0400 +Subject: net: tighten bad gso csum offset check in virtio_net_hdr + +From: Willem de Bruijn + +commit 6513eb3d3191574b58859ef2d6dc26c0277c6f81 upstream. + +The referenced commit drops bad input, but has false positives. +Tighten the check to avoid these. + +The check detects illegal checksum offload requests, which produce +csum_start/csum_off beyond end of packet after segmentation. + +But it is based on two incorrect assumptions: + +1. virtio_net_hdr_to_skb with VIRTIO_NET_HDR_GSO_TCP[46] implies GSO. +True in callers that inject into the tx path, such as tap. +But false in callers that inject into rx, like virtio-net. +Here, the flags indicate GRO, and CHECKSUM_UNNECESSARY or +CHECKSUM_NONE without VIRTIO_NET_HDR_F_NEEDS_CSUM is normal. + +2. TSO requires checksum offload, i.e., ip_summed == CHECKSUM_PARTIAL. +False, as tcp[46]_gso_segment will fix up csum_start and offset for +all other ip_summed by calling __tcp_v4_send_check. + +Because of 2, we can limit the scope of the fix to virtio_net_hdr +that do try to set these fields, with a bogus value. + +Link: https://lore.kernel.org/netdev/20240909094527.GA3048202@port70.net/ +Fixes: 89add40066f9 ("net: drop bad gso csum_start and offset in virtio_net_hdr") +Signed-off-by: Willem de Bruijn +Acked-by: Jason Wang +Acked-by: Michael S. 
Tsirkin +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20240910213553.839926-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/virtio_net.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/linux/virtio_net.h ++++ b/include/linux/virtio_net.h +@@ -173,7 +173,8 @@ retry: + break; + case SKB_GSO_TCPV4: + case SKB_GSO_TCPV6: +- if (skb->csum_offset != offsetof(struct tcphdr, check)) ++ if (skb->ip_summed == CHECKSUM_PARTIAL && ++ skb->csum_offset != offsetof(struct tcphdr, check)) + return -EINVAL; + break; + } diff --git a/queue-6.6/platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch b/queue-6.6/platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch new file mode 100644 index 00000000000..da69181dc52 --- /dev/null +++ b/queue-6.6/platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch 
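Review bot: The added `skb->ip_summed == CHECKSUM_PARTIAL &&` guard narrows an input-validation check on a header supplied by a guest or userspace, and the argument for why the other `ip_summed` values are safe to admit lives only in the commit message. Because this line decides what reaches the segmentation path, I would add `/* Only CHECKSUM_PARTIAL uses the caller-supplied csum_offset; for other ip_summed values tcp[46]_gso_segment() recomputes csum_start/csum_offset itself. */` above the `if`. The enclosing function and the loop that the `retry:` label belongs to start outside the hunk.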
@@ -0,0 +1,62 @@ +From 33297cef3101d950cec0033a0dce0a2d2bd59999 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 9 Sep 2024 13:32:26 +0200 +Subject: platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +commit 33297cef3101d950cec0033a0dce0a2d2bd59999 upstream. + +Some DSDT-s have an off-by-one bug where the SINF package count is +one higher than the SQTY reported value, allocate 1 entry extra. + +Also make the SQTY <-> SINF package count mismatch error more verbose +to help debugging similar issues in the future. + +This fixes the panasonic-laptop driver failing to probe() on some +devices with the following errors: + +[ 3.958887] SQTY reports bad SINF length SQTY: 37 SINF-pkg-count: 38 +[ 3.958892] Couldn't retrieve BIOS data +[ 3.983685] Panasonic Laptop Support - With Macros: probe of MAT0019:00 failed with error -5 + +Fixes: 709ee531c153 ("panasonic-laptop: add Panasonic Let's Note laptop extras driver v0.94") +Cc: stable@vger.kernel.org +Tested-by: James Harmison +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20240909113227.254470-2-hdegoede@redhat.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/panasonic-laptop.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/platform/x86/panasonic-laptop.c ++++ b/drivers/platform/x86/panasonic-laptop.c +@@ -337,7 +337,8 @@ static int acpi_pcc_retrieve_biosdata(st + } + + if (pcc->num_sifr < hkey->package.count) { +- pr_err("SQTY reports bad SINF length\n"); ++ pr_err("SQTY reports bad SINF length SQTY: %lu SINF-pkg-count: %u\n", ++ pcc->num_sifr, hkey->package.count); + status = AE_ERROR; + goto end; + } +@@ -994,6 +995,12 @@ static int acpi_pcc_hotkey_add(struct ac + return -ENODEV; + } + ++ /* ++ * Some DSDT-s have an off-by-one bug where the SINF package 
count is ++ * one higher than the SQTY reported value, allocate 1 entry extra. ++ */ ++ num_sifr++; ++ + pcc = kzalloc(sizeof(struct pcc_acpi), GFP_KERNEL); + if (!pcc) { + pr_err("Couldn't allocate mem for pcc"); diff --git a/queue-6.6/platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch b/queue-6.6/platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch new file mode 100644 index 00000000000..7de8d97a207 --- /dev/null +++ b/queue-6.6/platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch 
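Review bot: `num_sifr++` is placed after the range check that the sibling patch in this series turns into `num_sifr <= SINF_DC_CUR_BRIGHT || num_sifr > 255`, so the value presumably stored into `pcc->num_sifr` later in `acpi_pcc_hotkey_add()` (outside the hunk; the `%lu` in the new `pr_err` shows the field exists) is one higher than what the firmware reported. If so, the sibling patch's `pcc->num_sifr > SINF_MUTE` / `SINF_ECO_MODE` / `SINF_CUR_BRIGHT` checks in `pcc_sysfs_is_visible()` and the resume path now accept an index equal to the reported SQTY, i.e. an entry the DSDT may not provide; reads stay inside the `kzalloc`ed array, but `acpi_pcc_write_sset()` could be issued for that index. Worth confirming whether the extra slot is meant as a usable entry or only as slack for the off-by-one DSDTs, and recording the answer after `num_sifr++`, e.g. `/* the extra slot is slack for buggy DSDTs, not a usable SINF entry */`.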
@@ -0,0 +1,130 @@ +From f52e98d16e9bd7dd2b3aef8e38db5cbc9899d6a4 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 9 Sep 2024 13:32:25 +0200 +Subject: platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +commit f52e98d16e9bd7dd2b3aef8e38db5cbc9899d6a4 upstream. + +The panasonic laptop code in various places uses the SINF array with index +values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the SINF array +is big enough. + +Not all panasonic laptops have this many SINF array entries, for example +the Toughbook CF-18 model only has 10 SINF array entries. So it only +supports the AC+DC brightness entries and mute. + +Check that the SINF array has a minimum size which covers all AC+DC +brightness entries and refuse to load if the SINF array is smaller. + +For higher SINF indexes hide the sysfs attributes when the SINF array +does not contain an entry for that attribute, avoiding show()/store() +accessing the array out of bounds and add bounds checking to the probe() +and resume() code accessing these. 
+ +Fixes: e424fb8cc4e6 ("panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20240909113227.254470-1-hdegoede@redhat.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/panasonic-laptop.c | 49 +++++++++++++++++++++++++------- + 1 file changed, 39 insertions(+), 10 deletions(-) + +--- a/drivers/platform/x86/panasonic-laptop.c ++++ b/drivers/platform/x86/panasonic-laptop.c +@@ -773,6 +773,24 @@ static DEVICE_ATTR_RW(dc_brightness); + static DEVICE_ATTR_RW(current_brightness); + static DEVICE_ATTR_RW(cdpower); + ++static umode_t pcc_sysfs_is_visible(struct kobject *kobj, struct attribute *attr, int idx) ++{ ++ struct device *dev = kobj_to_dev(kobj); ++ struct acpi_device *acpi = to_acpi_device(dev); ++ struct pcc_acpi *pcc = acpi_driver_data(acpi); ++ ++ if (attr == &dev_attr_mute.attr) ++ return (pcc->num_sifr > SINF_MUTE) ? attr->mode : 0; ++ ++ if (attr == &dev_attr_eco_mode.attr) ++ return (pcc->num_sifr > SINF_ECO_MODE) ? attr->mode : 0; ++ ++ if (attr == &dev_attr_current_brightness.attr) ++ return (pcc->num_sifr > SINF_CUR_BRIGHT) ? 
attr->mode : 0; ++ ++ return attr->mode; ++} ++ + static struct attribute *pcc_sysfs_entries[] = { + &dev_attr_numbatt.attr, + &dev_attr_lcdtype.attr, +@@ -787,8 +805,9 @@ static struct attribute *pcc_sysfs_entri + }; + + static const struct attribute_group pcc_attr_group = { +- .name = NULL, /* put in device directory */ +- .attrs = pcc_sysfs_entries, ++ .name = NULL, /* put in device directory */ ++ .attrs = pcc_sysfs_entries, ++ .is_visible = pcc_sysfs_is_visible, + }; + + +@@ -941,12 +960,15 @@ static int acpi_pcc_hotkey_resume(struct + if (!pcc) + return -EINVAL; + +- acpi_pcc_write_sset(pcc, SINF_MUTE, pcc->mute); +- acpi_pcc_write_sset(pcc, SINF_ECO_MODE, pcc->eco_mode); ++ if (pcc->num_sifr > SINF_MUTE) ++ acpi_pcc_write_sset(pcc, SINF_MUTE, pcc->mute); ++ if (pcc->num_sifr > SINF_ECO_MODE) ++ acpi_pcc_write_sset(pcc, SINF_ECO_MODE, pcc->eco_mode); + acpi_pcc_write_sset(pcc, SINF_STICKY_KEY, pcc->sticky_key); + acpi_pcc_write_sset(pcc, SINF_AC_CUR_BRIGHT, pcc->ac_brightness); + acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, pcc->dc_brightness); +- acpi_pcc_write_sset(pcc, SINF_CUR_BRIGHT, pcc->current_brightness); ++ if (pcc->num_sifr > SINF_CUR_BRIGHT) ++ acpi_pcc_write_sset(pcc, SINF_CUR_BRIGHT, pcc->current_brightness); + + return 0; + } +@@ -963,8 +985,12 @@ static int acpi_pcc_hotkey_add(struct ac + + num_sifr = acpi_pcc_get_sqty(device); + +- if (num_sifr < 0 || num_sifr > 255) { +- pr_err("num_sifr out of range"); ++ /* ++ * pcc->sinf is expected to at least have the AC+DC brightness entries. ++ * Accesses to higher SINF entries are checked against num_sifr. 
++ */ ++ if (num_sifr <= SINF_DC_CUR_BRIGHT || num_sifr > 255) { ++ pr_err("num_sifr %d out of range %d - 255\n", num_sifr, SINF_DC_CUR_BRIGHT + 1); + return -ENODEV; + } + +@@ -1020,11 +1046,14 @@ static int acpi_pcc_hotkey_add(struct ac + acpi_pcc_write_sset(pcc, SINF_STICKY_KEY, 0); + pcc->sticky_key = 0; + +- pcc->eco_mode = pcc->sinf[SINF_ECO_MODE]; +- pcc->mute = pcc->sinf[SINF_MUTE]; + pcc->ac_brightness = pcc->sinf[SINF_AC_CUR_BRIGHT]; + pcc->dc_brightness = pcc->sinf[SINF_DC_CUR_BRIGHT]; +- pcc->current_brightness = pcc->sinf[SINF_CUR_BRIGHT]; ++ if (pcc->num_sifr > SINF_MUTE) ++ pcc->mute = pcc->sinf[SINF_MUTE]; ++ if (pcc->num_sifr > SINF_ECO_MODE) ++ pcc->eco_mode = pcc->sinf[SINF_ECO_MODE]; ++ if (pcc->num_sifr > SINF_CUR_BRIGHT) ++ pcc->current_brightness = pcc->sinf[SINF_CUR_BRIGHT]; + + /* add sysfs attributes */ + result = sysfs_create_group(&device->dev.kobj, &pcc_attr_group); diff --git a/queue-6.6/selftests-mptcp-join-restrict-fullmesh-endp-on-1st-sf.patch b/queue-6.6/selftests-mptcp-join-restrict-fullmesh-endp-on-1st-sf.patch new file mode 100644 index 00000000000..2eb9a2def27 --- /dev/null +++ b/queue-6.6/selftests-mptcp-join-restrict-fullmesh-endp-on-1st-sf.patch 
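Review bot: The new bounds `pcc->num_sifr > SINF_MUTE`, `> SINF_ECO_MODE` and `> SINF_CUR_BRIGHT` are spelled out three times — in `pcc_sysfs_is_visible()`, in `acpi_pcc_hotkey_resume()` and in `acpi_pcc_hotkey_add()` — so a future attribute has to be added in three places or it silently regresses to an unchecked access. A one-line helper, `static bool pcc_has_sinf(const struct pcc_acpi *pcc, int idx) { return pcc->num_sifr > idx; }`, would make all three sites read the same and make an omission visible in review. `pcc_sysfs_is_visible()` also only checks those three attributes; the remaining entries in `pcc_sysfs_entries[]` are presumably at indexes at or below `SINF_DC_CUR_BRIGHT`, which the new probe-time minimum guarantees, but a comment in the callback such as `/* every other attribute's SINF index is <= SINF_DC_CUR_BRIGHT, guaranteed by the probe-time minimum */` would let a reader verify that invariant instead of trusting it.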
@@ -0,0 +1,45 @@ +From 49ac6f05ace5bb0070c68a0193aa05d3c25d4c83 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 10 Sep 2024 21:06:36 +0200 +Subject: selftests: mptcp: join: restrict fullmesh endp on 1st sf + +From: Matthieu Baerts (NGI0) + +commit 49ac6f05ace5bb0070c68a0193aa05d3c25d4c83 upstream. + +A new endpoint using the IP of the initial subflow has been recently +added to increase the code coverage. But it breaks the test when using +old kernels not having commit 86e39e04482b ("mptcp: keep track of local +endpoint still available for each msk"), e.g. on v5.15. + +Similar to commit d4c81bbb8600 ("selftests: mptcp: join: support local +endpoint being tracked or not"), it is possible to add the new endpoint +conditionally, by checking if "mptcp_pm_subflow_check_next" is present +in kallsyms: this is not directly linked to the commit introducing this +symbol but for the parent one which is linked anyway. So we can know in +advance what will be the expected behaviour, and add the new endpoint +only when it makes sense to do so. 
+ +Fixes: 4878f9f8421f ("selftests: mptcp: join: validate fullmesh endp on 1st sf") +Cc: stable@vger.kernel.org +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20240910-net-selftests-mptcp-fix-install-v1-1-8f124aa9156d@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -3222,7 +3222,9 @@ fullmesh_tests() + pm_nl_set_limits $ns1 1 3 + pm_nl_set_limits $ns2 1 3 + pm_nl_add_endpoint $ns1 10.0.2.1 flags signal +- pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,fullmesh ++ if mptcp_lib_kallsyms_has "mptcp_pm_subflow_check_next$"; then ++ pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,fullmesh ++ fi + fullmesh=1 speed=slow \ + run_tests $ns1 $ns2 10.0.1.1 + chk_join_nr 3 3 3 diff --git a/queue-6.6/series b/queue-6.6/series index 1307409bd43..be7d41e07ae 100644 --- a/queue-6.6/series +++ b/queue-6.6/series 
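Review bot: The added `if mptcp_lib_kallsyms_has "mptcp_pm_subflow_check_next$"; then` block leaves `chk_join_nr 3 3 3` unchanged for both branches, and the reason that is correct — per the commit message, the endpoint reuses the initial subflow's address, so kernels that track local endpoints create no extra subflow while older ones would — is not recorded in the test itself. I would put `# endpoint reuses the initial subflow's IP: kernels tracking local endpoints add no subflow, older ones would and break the join count` above the `if` so the conditional is not later removed as dead weight. The pattern is anchored only with a trailing `$`, which matches the other call sites the commit message refers to but would also match a longer symbol ending in that name. `fullmesh_tests()` begins above the hunk.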
@@ -33,3 +33,14 @@ s390-mm-prevent-lowcore-vs-identity-mapping-overlap.patch
 smb-server-fix-return-value-of-smb2_open.patch
 nfsv4-fix-clearing-of-layout-segments-in-layoutretur.patch
 nfs-avoid-unnecessary-rescanning-of-the-per-server-d.patch
+platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch
+platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch
+mptcp-pm-fix-uaf-in-__timer_delete_sync.patch
+selftests-mptcp-join-restrict-fullmesh-endp-on-1st-sf.patch
+arm64-dts-rockchip-fix-emmc-spi-corruption-when-audio-has-been-used-on-rk3399-puma.patch
+arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch
+minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch
+net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch
+dm-integrity-fix-a-race-condition-when-accessing-recalc_sector.patch
+x86-hyperv-fix-kexec-crash-due-to-vp-assist-page-corruption.patch
+mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch
diff --git a/queue-6.6/x86-hyperv-fix-kexec-crash-due-to-vp-assist-page-corruption.patch b/queue-6.6/x86-hyperv-fix-kexec-crash-due-to-vp-assist-page-corruption.patch
new file mode 100644
index 00000000000..3b5bae706df
--- /dev/null
+++ b/queue-6.6/x86-hyperv-fix-kexec-crash-due-to-vp-assist-page-corruption.patch
@@ -0,0 +1,95 @@
+From b9af6418279c4cf73ca073f8ea024992b38be8ab Mon Sep 17 00:00:00 2001
+From: "Anirudh Rayabharam (Microsoft)"
+Date: Wed, 28 Aug 2024 16:51:56 +0530
+Subject: x86/hyperv: fix kexec crash due to VP assist page corruption
+
+From: "Anirudh Rayabharam (Microsoft)"
+
+commit b9af6418279c4cf73ca073f8ea024992b38be8ab upstream.
+
+commit 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when
+CPUs go online/offline") introduces a new cpuhp state for hyperv
+initialization.
+
+cpuhp_setup_state() returns the state number if state is
+CPUHP_AP_ONLINE_DYN or CPUHP_BP_PREPARE_DYN and 0 for all other states.
+For the hyperv case, since a new cpuhp state was introduced it would
+return 0. However, in hv_machine_shutdown(), the cpuhp_remove_state() call
+is conditioned upon "hyperv_init_cpuhp > 0". This will never be true and
+so hv_cpu_die() won't be called on all CPUs. This means the VP assist page
+won't be reset. When the kexec kernel tries to setup the VP assist page
+again, the hypervisor corrupts the memory region of the old VP assist page
+causing a panic in case the kexec kernel is using that memory elsewhere.
+This was originally fixed in commit dfe94d4086e4 ("x86/hyperv: Fix kexec
+panic/hang issues").
+
+Get rid of hyperv_init_cpuhp entirely since we are no longer using a
+dynamic cpuhp state and use CPUHP_AP_HYPERV_ONLINE directly with
+cpuhp_remove_state().
+
+Cc: stable@vger.kernel.org
+Fixes: 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline")
+Signed-off-by: Anirudh Rayabharam (Microsoft)
+Reviewed-by: Vitaly Kuznetsov
+Reviewed-by: Michael Kelley
+Link: https://lore.kernel.org/r/20240828112158.3538342-1-anirudh@anirudhrb.com
+Signed-off-by: Wei Liu
+Message-ID: <20240828112158.3538342-1-anirudh@anirudhrb.com>
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/hyperv/hv_init.c | 5 +----
+ arch/x86/include/asm/mshyperv.h | 1 -
+ arch/x86/kernel/cpu/mshyperv.c | 4 ++--
+ 3 files changed, 3 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/hyperv/hv_init.c
++++ b/arch/x86/hyperv/hv_init.c
+@@ -35,7 +35,6 @@
+ #include
+ #include
+
+-int hyperv_init_cpuhp;
+ u64 hv_current_partition_id = ~0ull;
+ EXPORT_SYMBOL_GPL(hv_current_partition_id);
+
+@@ -607,8 +606,6 @@ skip_hypercall_pg_init:
+
+ register_syscore_ops(&hv_syscore_ops);
+
+- hyperv_init_cpuhp = cpuhp;
+-
+ if (cpuid_ebx(HYPERV_CPUID_FEATURES) & HV_ACCESS_PARTITION_ID)
+ hv_get_partition_id();
+
+@@ -637,7 +634,7 @@ skip_hypercall_pg_init:
+ clean_guest_os_id:
+ wrmsrl(HV_X64_MSR_GUEST_OS_ID, 0);
+ hv_ivm_msr_write(HV_X64_MSR_GUEST_OS_ID, 0);
+- cpuhp_remove_state(cpuhp);
++ cpuhp_remove_state(CPUHP_AP_HYPERV_ONLINE);
+ free_ghcb_page:
+ free_percpu(hv_ghcb_pg);
+ free_vp_assist_page:
+--- a/arch/x86/include/asm/mshyperv.h
++++ b/arch/x86/include/asm/mshyperv.h
+@@ -40,7 +40,6 @@ static inline unsigned char hv_get_nmi_r
+ }
+
+ #if IS_ENABLED(CONFIG_HYPERV)
+-extern int hyperv_init_cpuhp;
+ extern bool hyperv_paravisor_present;
+
+ extern void *hv_hypercall_pg;
+--- a/arch/x86/kernel/cpu/mshyperv.c
++++ b/arch/x86/kernel/cpu/mshyperv.c
+@@ -199,8 +199,8 @@ static void hv_machine_shutdown(void)
+ * Call hv_cpu_die() on all the CPUs, otherwise later the hypervisor
+ * corrupts the old VP Assist Pages and can crash the kexec kernel.
+ */
+- if (kexec_in_progress && hyperv_init_cpuhp > 0)
+- cpuhp_remove_state(hyperv_init_cpuhp);
++ if (kexec_in_progress)
++ cpuhp_remove_state(CPUHP_AP_HYPERV_ONLINE);
+
+ /* The function calls stop_other_cpus(). */
+ native_machine_shutdown();
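Review bot: The new `if (kexec_in_progress)` drops the `hyperv_init_cpuhp > 0` test, which besides being always false was the only thing tying this teardown to a successful hyperv_init(); the rewritten line now calls `cpuhp_remove_state(CPUHP_AP_HYPERV_ONLINE)` on every kexec whether or not that state was ever registered. If hyperv_init() failed before or at its cpuhp_setup_state() — and hv_machine_shutdown() is, as far as I can tell, installed independently of that outcome — this presumably relies on the cpuhp core treating removal of a never-registered static state as harmless, which is an inference rather than something the hunk shows and should be confirmed. A short why-comment above the new `if` would make that reliance explicit: `/* Also reached if hyperv_init() failed; removing an unregistered state is expected to be harmless. */`. hv_machine_shutdown() begins outside the hunk.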