From: Greg Kroah-Hartman Date: Mon, 2 Dec 2024 13:00:13 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v4.19.325~96 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=87f84e86e2bc4af5a5e8e06072342b45ee7e1596;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch mlxsw-spectrum_acl_tcam-fix-null-pointer-dereference-in-error-path.patch revert-arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch --- diff --git a/queue-6.1/alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch b/queue-6.1/alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch new file mode 100644 index 00000000000..c88c9812dda --- /dev/null +++ b/queue-6.1/alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch @@ -0,0 +1,105 @@ +From b909df18ce2a998afef81d58bbd1a05dc0788c40 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Sevens?= +Date: Wed, 20 Nov 2024 12:41:44 +0000 +Subject: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Sevens + +commit b909df18ce2a998afef81d58bbd1a05dc0788c40 upstream. + +A bogus device can provide a bNumConfigurations value that exceeds the +initial value used in usb_get_configuration for allocating dev->config. + +This can lead to out-of-bounds accesses later, e.g. in +usb_destroy_configuration. + +Signed-off-by: Benoît Sevens +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@kernel.org +Link: https://patch.msgid.link/20241120124144.3814457-1-bsevens@google.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -553,6 +553,7 @@ int snd_usb_create_quirk(struct snd_usb_ + static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf) + { + struct usb_host_config *config = dev->actconfig; ++ struct usb_device_descriptor new_device_descriptor; + int err; + + if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD || +@@ -564,10 +565,14 @@ static int snd_usb_extigy_boot_quirk(str + if (err < 0) + dev_dbg(&dev->dev, "error sending boot message: %d\n", err); + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &dev->descriptor, sizeof(dev->descriptor)); +- config = dev->actconfig; ++ &new_device_descriptor, sizeof(new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); ++ if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", ++ new_device_descriptor.bNumConfigurations); ++ else ++ memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + err = usb_reset_configuration(dev); + if (err < 0) + dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); +@@ -899,6 +904,7 @@ static void mbox2_setup_48_24_magic(stru + static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) + { + struct usb_host_config *config = dev->actconfig; ++ struct usb_device_descriptor new_device_descriptor; + int err; + u8 bootresponse[0x12]; + int fwsize; +@@ -934,10 +940,14 @@ static int snd_usb_mbox2_boot_quirk(stru + dev_dbg(&dev->dev, "device initialised!\n"); + + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &dev->descriptor, sizeof(dev->descriptor)); +- config = dev->actconfig; ++ &new_device_descriptor, sizeof(new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); ++ if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", ++ new_device_descriptor.bNumConfigurations); ++ else ++ memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + + err = usb_reset_configuration(dev); + if (err < 0) +@@ -1251,6 +1261,7 @@ static void mbox3_setup_48_24_magic(stru + static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) + { + struct usb_host_config *config = dev->actconfig; ++ struct usb_device_descriptor new_device_descriptor; + int err; + int descriptor_size; + +@@ -1264,10 +1275,14 @@ static int snd_usb_mbox3_boot_quirk(stru + dev_dbg(&dev->dev, "device initialised!\n"); + + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &dev->descriptor, sizeof(dev->descriptor)); +- config = dev->actconfig; ++ &new_device_descriptor, sizeof(new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); ++ if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", ++ new_device_descriptor.bNumConfigurations); ++ else ++ memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + + err = usb_reset_configuration(dev); + if (err < 0) diff --git a/queue-6.1/arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch b/queue-6.1/arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch new file mode 100644 index 00000000000..0f15d5f39db --- /dev/null +++ b/queue-6.1/arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch @@ -0,0 +1,41 @@ +From stable+bounces-95937-greg=kroah.com@vger.kernel.org Mon Dec 2 09:16:50 2024 +From: Chen-Yu Tsai +Date: Mon, 2 Dec 2024 16:16:22 +0800 +Subject: arm64: dts: mediatek: mt8195-cherry: Mark USB 3.0 on xhci1 as disabled +To: Greg Kroah-Hartman , Sasha Levin +Cc: "Chen-Yu Tsai" , stable@vger.kernel.org, linux-kernel@vger.kernel.org, "Matthias Brugger" , "AngeloGioacchino Del Regno" , devicetree@vger.kernel.org, linux-mediatek@lists.infradead.org, "Koichiro Den" , "Nícolas F. R. A. Prado" +Message-ID: <20241202081624.156285-2-wenst@chromium.org> + +From: Chen-Yu Tsai + +[ Upstream commit 09d385679487c58f0859c1ad4f404ba3df2f8830 ] + +USB 3.0 on xhci1 is not used, as the controller shares the same PHY as +pcie1. The latter is enabled to support the M.2 PCIe WLAN card on this +design. + +Mark USB 3.0 as disabled on this controller using the +"mediatek,u3p-dis-msk" property. + +Reported-by: Nícolas F. R. A. Prado #KernelCI +Closes: https://lore.kernel.org/all/9fce9838-ef87-4d1b-b3df-63e1ddb0ec51@notapiano/ +Fixes: b6267a396e1c ("arm64: dts: mediatek: cherry: Enable T-PHYs and USB XHCI controllers") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240731034411.371178-2-wenst@chromium.org +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi +@@ -906,6 +906,7 @@ + + vusb33-supply = <&mt6359_vusb_ldo_reg>; + vbus-supply = <&usb_vbus>; ++ mediatek,u3p-dis-msk = <1>; + }; + + &xhci2 { diff --git a/queue-6.1/mlxsw-spectrum_acl_tcam-fix-null-pointer-dereference-in-error-path.patch b/queue-6.1/mlxsw-spectrum_acl_tcam-fix-null-pointer-dereference-in-error-path.patch new file mode 100644 index 00000000000..cb3e775022c --- /dev/null +++ b/queue-6.1/mlxsw-spectrum_acl_tcam-fix-null-pointer-dereference-in-error-path.patch @@ -0,0 +1,99 @@ +From efeb7dfea8ee10cdec11b6b6ba4e405edbe75809 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Wed, 17 Jan 2024 16:04:17 +0100 +Subject: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path + +From: Ido Schimmel + +commit efeb7dfea8ee10cdec11b6b6ba4e405edbe75809 upstream. + +When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after +failing to attach the region to an ACL group, we hit a NULL pointer +dereference upon 'region->group->tcam' [1]. + +Fix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam(). + +[1] +BUG: kernel NULL pointer dereference, address: 0000000000000000 +[...] +RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0 +[...] +Call Trace: + mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20 + mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 + mlxsw_sp_acl_rule_add+0x47/0x240 + mlxsw_sp_flower_replace+0x1a9/0x1d0 + tc_setup_cb_add+0xdc/0x1c0 + fl_hw_replace_filter+0x146/0x1f0 + fl_change+0xc17/0x1360 + tc_new_tfilter+0x472/0xb90 + rtnetlink_rcv_msg+0x313/0x3b0 + netlink_rcv_skb+0x58/0x100 + netlink_unicast+0x244/0x390 + netlink_sendmsg+0x1e4/0x440 + ____sys_sendmsg+0x164/0x260 + ___sys_sendmsg+0x9a/0xe0 + __sys_sendmsg+0x7a/0xc0 + do_syscall_64+0x40/0xe0 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Fixes: 22a677661f56 ("mlxsw: spectrum: Introduce ACL core with simple TCAM implementation") +Signed-off-by: Ido Schimmel +Reviewed-by: Amit Cohen +Reviewed-by: Jiri Pirko +Signed-off-by: Petr Machata +Acked-by: Paolo Abeni +Link: https://lore.kernel.org/r/fb6a4542bbc9fcab5a523802d97059bffbca7126.1705502064.git.petrm@nvidia.com +Signed-off-by: Jakub Kicinski +[ For the function mlxsw_sp_acl_to_tcam() is not exist in 6.1.y, pick +mlxsw_sp_acl_to_tcam() from commit 74cbc3c03c828ccf265a72f9bcb5aee906978744 ] +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 1 + + drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c | 5 +++++ + drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 4 ++-- + 3 files changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.h +@@ -970,6 +970,7 @@ enum mlxsw_sp_acl_profile { + }; + + struct mlxsw_afk *mlxsw_sp_acl_afk(struct mlxsw_sp_acl *acl); ++struct mlxsw_sp_acl_tcam *mlxsw_sp_acl_to_tcam(struct mlxsw_sp_acl *acl); + + int mlxsw_sp_acl_ruleset_bind(struct mlxsw_sp *mlxsw_sp, + struct mlxsw_sp_flow_block *block, +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c +@@ -40,6 +40,11 @@ struct mlxsw_afk *mlxsw_sp_acl_afk(struc + return acl->afk; + } + ++struct mlxsw_sp_acl_tcam *mlxsw_sp_acl_to_tcam(struct mlxsw_sp_acl *acl) ++{ ++ return &acl->tcam; ++} ++ + struct mlxsw_sp_acl_ruleset_ht_key { + struct mlxsw_sp_flow_block *block; + u32 chain_index; +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c +@@ -747,13 +747,13 @@ static void + mlxsw_sp_acl_tcam_region_destroy(struct mlxsw_sp *mlxsw_sp, + struct mlxsw_sp_acl_tcam_region *region) + { ++ struct mlxsw_sp_acl_tcam *tcam = mlxsw_sp_acl_to_tcam(mlxsw_sp->acl); + const struct mlxsw_sp_acl_tcam_ops *ops = mlxsw_sp->acl_tcam_ops; + + ops->region_fini(mlxsw_sp, region->priv); + mlxsw_sp_acl_tcam_region_disable(mlxsw_sp, region); + mlxsw_sp_acl_tcam_region_free(mlxsw_sp, region); +- mlxsw_sp_acl_tcam_region_id_put(region->group->tcam, +- region->id); ++ mlxsw_sp_acl_tcam_region_id_put(tcam, region->id); + kfree(region); + } + diff --git a/queue-6.1/revert-arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch b/queue-6.1/revert-arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch new file mode 100644 index 00000000000..10a5f974de3 --- /dev/null +++ b/queue-6.1/revert-arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch @@ -0,0 +1,36 @@ +From stable+bounces-95936-greg=kroah.com@vger.kernel.org Mon Dec 2 09:16:44 2024 +From: Chen-Yu Tsai +Date: Mon, 2 Dec 2024 16:16:21 +0800 +Subject: Revert "arm64: dts: mediatek: mt8195-cherry: Mark USB 3.0 on xhci1 as disabled" +To: Greg Kroah-Hartman , Sasha Levin +Cc: Chen-Yu Tsai , stable@vger.kernel.org, linux-kernel@vger.kernel.org, Matthias Brugger , AngeloGioacchino Del Regno , devicetree@vger.kernel.org, linux-mediatek@lists.infradead.org, Koichiro Den +Message-ID: <20241202081624.156285-1-wenst@chromium.org> + +From: Chen-Yu Tsai + +This reverts commit edca00ad79aa1dfd1b88ace1df1e9dfa21a3026f. + +The hunk was applied to the wrong device node when the commit was +backported to the 6.1 stable branch. + +Revert it to re-do the backport correctly. + +Reported-by: Koichiro Den +Closes: https://lore.kernel.org/stable/6itvivhxbjlpky5hn6x2hmc3kzz4regcvmsk226t6ippjad7yk@26xug5lrdqdw/ +Fixes: edca00ad79aa ("arm64: dts: mediatek: mt8195-cherry: Mark USB 3.0 on xhci1 as disabled") +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi +@@ -922,7 +922,6 @@ + usb2-lpm-disable; + vusb33-supply = <&mt6359_vusb_ldo_reg>; + vbus-supply = <&usb_vbus>; +- mediatek,u3p-dis-msk = <1>; + }; + + #include diff --git a/queue-6.1/series b/queue-6.1/series index 42a3e69a963..6e1177802dd 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -360,3 +360,7 @@ erofs-reliably-distinguish-block-based-and-fscache-mode.patch rcu-tasks-fix-access-non-existent-percpu-rtpcp-variable-in-rcu_tasks_need_gpcb.patch btrfs-qgroup-fix-qgroup-prealloc-rsv-leak-in-subvolume-operations.patch perf-x86-intel-hide-topdown-metrics-events-if-the-feature-is-not-enumerated.patch +mlxsw-spectrum_acl_tcam-fix-null-pointer-dereference-in-error-path.patch +alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch +revert-arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch +arm64-dts-mediatek-mt8195-cherry-mark-usb-3.0-on-xhci1-as-disabled.patch