From: Greg Kroah-Hartman Date: Tue, 3 Dec 2024 09:46:38 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.325~58 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9a44d41aaa64195d8b954d072d6fa361a7b34991;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: netfilter-ipset-add-missing-range-check-in-bitmap_ip_uadt.patch revert-serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch revert-usb-gadget-composite-fix-os-descriptors-w_value-logic.patch serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch spi-fix-acpi-deferred-irq-probe.patch --- diff --git a/queue-4.19/netfilter-ipset-add-missing-range-check-in-bitmap_ip_uadt.patch b/queue-4.19/netfilter-ipset-add-missing-range-check-in-bitmap_ip_uadt.patch new file mode 100644 index 00000000000..2ac02a9ee40 --- /dev/null +++ b/queue-4.19/netfilter-ipset-add-missing-range-check-in-bitmap_ip_uadt.patch @@ -0,0 +1,51 @@ +From 35f56c554eb1b56b77b3cf197a6b00922d49033d Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Wed, 13 Nov 2024 22:02:09 +0900 +Subject: netfilter: ipset: add missing range check in bitmap_ip_uadt + +From: Jeongjun Park + +commit 35f56c554eb1b56b77b3cf197a6b00922d49033d upstream. + +When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, +the values of ip and ip_to are slightly swapped. Therefore, the range check +for ip should be done later, but this part is missing and it seems that the +vulnerability occurs. + +So we should add missing range checks and remove unnecessary range checks. + +Cc: +Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com +Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support") +Signed-off-by: Jeongjun Park +Acked-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/net/netfilter/ipset/ip_set_bitmap_ip.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c +@@ -166,11 +166,8 @@ bitmap_ip_uadt(struct ip_set *set, struc + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); + if (ret) + return ret; +- if (ip > ip_to) { ++ if (ip > ip_to) + swap(ip, ip_to); +- if (ip < map->first_ip) +- return -IPSET_ERR_BITMAP_RANGE; +- } + } else if (tb[IPSET_ATTR_CIDR]) { + u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); + +@@ -181,7 +178,7 @@ bitmap_ip_uadt(struct ip_set *set, struc + ip_to = ip; + } + +- if (ip_to > map->last_ip) ++ if (ip < map->first_ip || ip_to > map->last_ip) + return -IPSET_ERR_BITMAP_RANGE; + + for (; !before(ip_to, ip); ip += map->hosts) { diff --git a/queue-4.19/revert-serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch b/queue-4.19/revert-serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch new file mode 100644 index 00000000000..8c722c1b3f9 --- /dev/null +++ b/queue-4.19/revert-serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch @@ -0,0 +1,66 @@ +From 718632467d88e98816fa01ab12681ef1c2aa56f8 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sat, 30 Nov 2024 16:55:56 +0100 +Subject: Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit" + +From: Greg Kroah-Hartman + +commit 718632467d88e98816fa01ab12681ef1c2aa56f8 upstream. + +This reverts commit 3791ea69a4858b81e0277f695ca40f5aae40f312. + +It was reported to cause boot-time issues, so revert it for now. + +Reported-by: Geert Uytterhoeven +Fixes: 3791ea69a485 ("serial: sh-sci: Clean sci_ports[0] after at earlycon exit") +Cc: stable +Cc: Claudiu Beznea +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sh-sci.c | 28 ---------------------------- + 1 file changed, 28 deletions(-) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -3455,32 +3455,6 @@ early_platform_init_buffer("earlyprintk" + #ifdef CONFIG_SERIAL_SH_SCI_EARLYCON + static struct plat_sci_port port_cfg __initdata; + +-static int early_console_exit(struct console *co) +-{ +- struct sci_port *sci_port = &sci_ports[0]; +- struct uart_port *port = &sci_port->port; +- unsigned long flags; +- int locked = 1; +- +- if (port->sysrq) +- locked = 0; +- else if (oops_in_progress) +- locked = uart_port_trylock_irqsave(port, &flags); +- else +- uart_port_lock_irqsave(port, &flags); +- +- /* +- * Clean the slot used by earlycon. A new SCI device might +- * map to this slot. +- */ +- memset(sci_ports, 0, sizeof(*sci_port)); +- +- if (locked) +- uart_port_unlock_irqrestore(port, flags); +- +- return 0; +-} +- + static int __init early_console_setup(struct earlycon_device *device, + int type) + { +@@ -3499,8 +3473,6 @@ static int __init early_console_setup(st + SCSCR_RE | SCSCR_TE | port_cfg.scscr); + + device->con->write = serial_console_write; +- device->con->exit = early_console_exit; +- + return 0; + } + static int __init sci_early_console_setup(struct earlycon_device *device, diff --git a/queue-4.19/revert-usb-gadget-composite-fix-os-descriptors-w_value-logic.patch b/queue-4.19/revert-usb-gadget-composite-fix-os-descriptors-w_value-logic.patch new file mode 100644 index 00000000000..f6ac590e5e3 --- /dev/null +++ b/queue-4.19/revert-usb-gadget-composite-fix-os-descriptors-w_value-logic.patch @@ -0,0 +1,81 @@ +From 51cdd69d6a857f527d6d0697a2e1f0fa8bca1005 Mon Sep 17 00:00:00 2001 +From: Michal Vrastil +Date: Wed, 13 Nov 2024 15:54:33 -0800 +Subject: Revert "usb: gadget: composite: fix OS descriptors w_value logic" + +From: Michal Vrastil + +commit 51cdd69d6a857f527d6d0697a2e1f0fa8bca1005 upstream. + +This reverts commit ec6ce7075ef879b91a8710829016005dc8170f17. + +Fix installation of WinUSB driver using OS descriptors. Without the +fix the drivers are not installed correctly and the property +'DeviceInterfaceGUID' is missing on host side. + +The original change was based on the assumption that the interface +number is in the high byte of wValue but it is in the low byte, +instead. Unfortunately, the fix is based on MS documentation which is +also wrong. + +The actual USB request for OS descriptors (using USB analyzer) looks +like: + +Offset 0 1 2 3 4 5 6 7 +0x000 C1 A1 02 00 05 00 0A 00 + +C1: bmRequestType (device to host, vendor, interface) +A1: nas magic number +0002: wValue (2: nas interface) +0005: wIndex (5: get extended property i.e. nas interface GUID) +008E: wLength (142) + +The fix was tested on Windows 10 and Windows 11. + +Cc: stable@vger.kernel.org +Fixes: ec6ce7075ef8 ("usb: gadget: composite: fix OS descriptors w_value logic") +Signed-off-by: Michal Vrastil +Signed-off-by: Elson Roy Serrao +Acked-by: Peter korsgaard +Link: https://lore.kernel.org/r/20241113235433.20244-1-quic_eserrao@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1910,8 +1910,20 @@ unknown: + memset(buf, 0, w_length); + buf[5] = 0x01; + switch (ctrl->bRequestType & USB_RECIP_MASK) { ++ /* ++ * The Microsoft CompatID OS Descriptor Spec(w_index = 0x4) and ++ * Extended Prop OS Desc Spec(w_index = 0x5) state that the ++ * HighByte of wValue is the InterfaceNumber and the LowByte is ++ * the PageNumber. This high/low byte ordering is incorrectly ++ * documented in the Spec. USB analyzer output on the below ++ * request packets show the high/low byte inverted i.e LowByte ++ * is the InterfaceNumber and the HighByte is the PageNumber. ++ * Since we dont support >64KB CompatID/ExtendedProp descriptors, ++ * PageNumber is set to 0. Hence verify that the HighByte is 0 ++ * for below two cases. ++ */ + case USB_RECIP_DEVICE: +- if (w_index != 0x4 || (w_value & 0xff)) ++ if (w_index != 0x4 || (w_value >> 8)) + break; + buf[6] = w_index; + /* Number of ext compat interfaces */ +@@ -1927,9 +1939,9 @@ unknown: + } + break; + case USB_RECIP_INTERFACE: +- if (w_index != 0x5 || (w_value & 0xff)) ++ if (w_index != 0x5 || (w_value >> 8)) + break; +- interface = w_value >> 8; ++ interface = w_value & 0xFF; + if (interface >= MAX_CONFIG_INTERFACES || + !os_desc_cfg->interface[interface]) + break; diff --git a/queue-4.19/serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch b/queue-4.19/serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch new file mode 100644 index 00000000000..b67fb502a12 --- /dev/null +++ b/queue-4.19/serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch @@ -0,0 +1,84 @@ +From 3791ea69a4858b81e0277f695ca40f5aae40f312 Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Wed, 6 Nov 2024 14:01:12 +0200 +Subject: serial: sh-sci: Clean sci_ports[0] after at earlycon exit + +From: Claudiu Beznea + +commit 3791ea69a4858b81e0277f695ca40f5aae40f312 upstream. + +The early_console_setup() function initializes the sci_ports[0].port with +an object of type struct uart_port obtained from the object of type +struct earlycon_device received as argument by the early_console_setup(). + +It may happen that later, when the rest of the serial ports are probed, +the serial port that was used as earlycon (e.g., port A) to be mapped to a +different position in sci_ports[] and the slot 0 to be used by a different +serial port (e.g., port B), as follows: + +sci_ports[0] = port A +sci_ports[X] = port B + +In this case, the new port mapped at index zero will have associated data +that was used for earlycon. + +In case this happens, after Linux boot, any access to the serial port that +maps on sci_ports[0] (port A) will block the serial port that was used as +earlycon (port B). + +To fix this, add early_console_exit() that clean the sci_ports[0] at +earlycon exit time. + +Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support") +Cc: stable@vger.kernel.org +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20241106120118.1719888-4-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sh-sci.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -3455,6 +3455,32 @@ early_platform_init_buffer("earlyprintk" + #ifdef CONFIG_SERIAL_SH_SCI_EARLYCON + static struct plat_sci_port port_cfg __initdata; + ++static int early_console_exit(struct console *co) ++{ ++ struct sci_port *sci_port = &sci_ports[0]; ++ struct uart_port *port = &sci_port->port; ++ unsigned long flags; ++ int locked = 1; ++ ++ if (port->sysrq) ++ locked = 0; ++ else if (oops_in_progress) ++ locked = uart_port_trylock_irqsave(port, &flags); ++ else ++ uart_port_lock_irqsave(port, &flags); ++ ++ /* ++ * Clean the slot used by earlycon. A new SCI device might ++ * map to this slot. ++ */ ++ memset(sci_ports, 0, sizeof(*sci_port)); ++ ++ if (locked) ++ uart_port_unlock_irqrestore(port, flags); ++ ++ return 0; ++} ++ + static int __init early_console_setup(struct earlycon_device *device, + int type) + { +@@ -3473,6 +3499,8 @@ static int __init early_console_setup(st + SCSCR_RE | SCSCR_TE | port_cfg.scscr); + + device->con->write = serial_console_write; ++ device->con->exit = early_console_exit; ++ + return 0; + } + static int __init sci_early_console_setup(struct earlycon_device *device, diff --git a/queue-4.19/series b/queue-4.19/series index b6abca61489..23440711bc5 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -105,3 +105,8 @@ pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch +revert-usb-gadget-composite-fix-os-descriptors-w_value-logic.patch +serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch +revert-serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch +netfilter-ipset-add-missing-range-check-in-bitmap_ip_uadt.patch +spi-fix-acpi-deferred-irq-probe.patch diff --git a/queue-4.19/spi-fix-acpi-deferred-irq-probe.patch b/queue-4.19/spi-fix-acpi-deferred-irq-probe.patch new file mode 100644 index 00000000000..84f9391ac4a --- /dev/null +++ b/queue-4.19/spi-fix-acpi-deferred-irq-probe.patch @@ -0,0 +1,63 @@ +From d24cfee7f63d6b44d45a67c5662bd1cc48e8b3ca Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Fri, 22 Nov 2024 10:42:24 +0100 +Subject: spi: Fix acpi deferred irq probe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stanislaw Gruszka + +commit d24cfee7f63d6b44d45a67c5662bd1cc48e8b3ca upstream. + +When probing spi device take care of deferred probe of ACPI irq gpio +similar like for OF/DT case. + +>From practical standpoint this fixes issue with vsc-tp driver on +Dell XP 9340 laptop, which try to request interrupt with spi->irq +equal to -EPROBE_DEFER and fail to probe with the following error: + +vsc-tp spi-INTC10D0:00: probe with driver vsc-tp failed with error -22 + +Suggested-by: Hans de Goede +Fixes: 33ada67da352 ("ACPI / spi: attach GPIO IRQ from ACPI description to SPI device") +Cc: stable@vger.kernel.org +Signed-off-by: Stanislaw Gruszka +Reviewed-by: Hans de Goede +Tested-by: Alexis Lothoré # Dell XPS9320, ov01a10 +Link: https://patch.msgid.link/20241122094224.226773-1-stanislaw.gruszka@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -358,6 +358,16 @@ static int spi_drv_probe(struct device * + spi->irq = 0; + } + ++ if (has_acpi_companion(dev) && spi->irq < 0) { ++ struct acpi_device *adev = to_acpi_device_node(dev->fwnode); ++ ++ spi->irq = acpi_dev_gpio_irq_get(adev, 0); ++ if (spi->irq == -EPROBE_DEFER) ++ return -EPROBE_DEFER; ++ if (spi->irq < 0) ++ spi->irq = 0; ++ } ++ + ret = dev_pm_domain_attach(dev, true); + if (ret) + return ret; +@@ -1843,9 +1853,6 @@ static acpi_status acpi_register_spi_dev + acpi_set_modalias(adev, acpi_device_hid(adev), spi->modalias, + sizeof(spi->modalias)); + +- if (spi->irq < 0) +- spi->irq = acpi_dev_gpio_irq_get(adev, 0); +- + acpi_device_set_enumerated(adev); + + adev->power.flags.ignore_parent = true;