From: Greg Kroah-Hartman Date: Fri, 20 Oct 2023 18:04:10 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.14.328~84 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9d5a4e9e7b0f223ab057ecf3b947aa51731bb953;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
---
diff --git a/queue-5.15/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch b/queue-5.15/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch
new file mode 100644
index 00000000000..efdfdc999ee
--- /dev/null
+++ b/queue-5.15/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch
@@ -0,0 +1,36 @@
+From bfbc79de60c53e5fed505390440b87ef59ee268c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 3 Oct 2023 17:55:52 +0200
+Subject: ASoC: codecs: wcd938x: drop bogus bind error handling
+
+From: Johan Hovold
+
+commit bfbc79de60c53e5fed505390440b87ef59ee268c upstream.
+
+Drop the bogus error handling for a soundwire device backcast during
+bind() that cannot fail.
+
+Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
+Cc: stable@vger.kernel.org # 5.14
+Cc: Srinivas Kandagatla
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20231003155558.27079-2-johan+linaro@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/codecs/wcd938x.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/sound/soc/codecs/wcd938x.c
++++ b/sound/soc/codecs/wcd938x.c
+@@ -4424,10 +4424,6 @@ static int wcd938x_bind(struct device *d
+ wcd938x->sdw_priv[AIF1_CAP] = dev_get_drvdata(wcd938x->txdev);
+ wcd938x->sdw_priv[AIF1_CAP]->wcd938x = wcd938x;
+ wcd938x->tx_sdw_dev = dev_to_sdw_dev(wcd938x->txdev);
+- if (!wcd938x->tx_sdw_dev) {
+- dev_err(dev, "could not get txslave with matching of dev\n");
+- return -EINVAL;
+- }
+
+ /* As TX is main CSR reg interface, which should not be suspended first.
+ * expicilty add the dependency link */
diff --git a/queue-5.15/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch b/queue-5.15/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch
new file mode 100644
index 00000000000..643c0d5da66
--- /dev/null
+++ b/queue-5.15/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch
@@ -0,0 +1,37 @@
+From fa2f8a991ba4aa733ac1c3b1be0c86148aa4c52c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 3 Oct 2023 17:55:53 +0200
+Subject: ASoC: codecs: wcd938x: fix unbind tear down order
+
+From: Johan Hovold
+
+commit fa2f8a991ba4aa733ac1c3b1be0c86148aa4c52c upstream.
+
+Make sure to deregister the component before tearing down the resources
+it depends on during unbind().
+
+Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
+Cc: stable@vger.kernel.org # 5.14
+Cc: Srinivas Kandagatla
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20231003155558.27079-3-johan+linaro@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/codecs/wcd938x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wcd938x.c
++++ b/sound/soc/codecs/wcd938x.c
+@@ -4480,10 +4480,10 @@ static void wcd938x_unbind(struct device
+ {
+ struct wcd938x_priv *wcd938x = dev_get_drvdata(dev);
+
++ snd_soc_unregister_component(dev);
+ device_link_remove(dev, wcd938x->txdev);
+ device_link_remove(dev, wcd938x->rxdev);
+ device_link_remove(wcd938x->rxdev, wcd938x->txdev);
+- snd_soc_unregister_component(dev);
+ component_unbind_all(dev, wcd938x);
+ }
+
diff --git a/queue-5.15/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch b/queue-5.15/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch
new file mode 100644
index 00000000000..3e50a891e4f
--- /dev/null
+++ b/queue-5.15/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch
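Review bot: The call order in wcd938x_unbind() is now load-bearing, but nothing in the function says so, and the four calls look freely reorderable to anyone tidying the function later. A one-line comment above the moved call would pin the intent, for example `/* Unregister the component first; it still uses the links and bound devices torn down below. */`. That dependency is taken from the commit message, since the hunk itself shows only the calls.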
@@ -0,0 +1,56 @@
+From c5c0383082eace13da2ffceeea154db2780165e7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 3 Oct 2023 17:55:58 +0200
+Subject: ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors
+
+From: Johan Hovold
+
+commit c5c0383082eace13da2ffceeea154db2780165e7 upstream.
+
+Make sure to balance the runtime PM operations, including the disable
+count, on probe errors and on driver unbind.
+
+Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
+Cc: stable@vger.kernel.org # 5.14
+Cc: Srinivas Kandagatla
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20231003155558.27079-8-johan+linaro@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/codecs/wcd938x-sdw.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wcd938x-sdw.c
++++ b/sound/soc/codecs/wcd938x-sdw.c
+@@ -266,7 +266,18 @@ static int wcd9380_probe(struct sdw_slav
+ pm_runtime_set_active(dev);
+ pm_runtime_enable(dev);
+
+- return component_add(dev, &wcd938x_sdw_component_ops);
++ ret = component_add(dev, &wcd938x_sdw_component_ops);
++ if (ret)
++ goto err_disable_rpm;
++
++ return 0;
++
++err_disable_rpm:
++ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
++ pm_runtime_dont_use_autosuspend(dev);
++
++ return ret;
+ }
+
+ static int wcd9380_remove(struct sdw_slave *pdev)
+@@ -275,6 +286,10 @@ static int wcd9380_remove(struct sdw_sla
+
+ component_del(dev, &wcd938x_sdw_component_ops);
+
++ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
++ pm_runtime_dont_use_autosuspend(dev);
++
+ return 0;
+ }
+
diff --git a/queue-5.15/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch b/queue-5.15/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch
new file mode 100644
index 00000000000..dd45a998e66
--- /dev/null
+++ b/queue-5.15/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch
@@ -0,0 +1,49 @@
+From f0dfdcbe706462495d47982eecd13a61aabd644d Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 3 Oct 2023 17:55:57 +0200
+Subject: ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
+
+From: Johan Hovold
+
+commit f0dfdcbe706462495d47982eecd13a61aabd644d upstream.
+
+Make sure to deregister the component when the driver is being unbound
+and before the underlying device-managed resources are freed.
+
+Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
+Cc: stable@vger.kernel.org # 5.14
+Cc: Srinivas Kandagatla
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20231003155558.27079-7-johan+linaro@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/codecs/wcd938x-sdw.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/sound/soc/codecs/wcd938x-sdw.c
++++ b/sound/soc/codecs/wcd938x-sdw.c
+@@ -269,6 +269,15 @@ static int wcd9380_probe(struct sdw_slav
+ return component_add(dev, &wcd938x_sdw_component_ops);
+ }
+
++static int wcd9380_remove(struct sdw_slave *pdev)
++{
++ struct device *dev = &pdev->dev;
++
++ component_del(dev, &wcd938x_sdw_component_ops);
++
++ return 0;
++}
++
+ static const struct sdw_device_id wcd9380_slave_id[] = {
+ SDW_SLAVE_ENTRY(0x0217, 0x10d, 0),
+ {},
+@@ -307,6 +316,7 @@ static const struct dev_pm_ops wcd938x_s
+
+ static struct sdw_driver wcd9380_codec_driver = {
+ .probe = wcd9380_probe,
++ .remove = wcd9380_remove,
+ .ops = &wcd9380_slave_ops,
+ .id_table = wcd9380_slave_id,
+ .driver = {
diff --git a/queue-5.15/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch b/queue-5.15/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch
new file mode 100644
index 00000000000..34d6c447c8d
--- /dev/null
+++ b/queue-5.15/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch
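Review bot: The new wcd9380_remove() has no comment explaining why an explicit component_del() is required, so the callback reads like optional symmetry with probe and could be dropped in a later cleanup, bringing the use after free back. A short comment above the function would record the lifetime rule, for example `/* Delete the component before the device-managed resources it points at are released on unbind. */`. Which resources those are is not visible in this hunk; the wording follows the commit message.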
@@ -0,0 +1,52 @@
+From e339c6d628fe66c9b64bf31040a55770952aec57 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?=
+Date: Thu, 12 Oct 2023 16:28:01 +0300
+Subject: drm/i915: Retry gtt fault when out of fence registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä
+
+commit e339c6d628fe66c9b64bf31040a55770952aec57 upstream.
+
+If we can't find a free fence register to handle a fault in the GMADR
+range just return VM_FAULT_NOPAGE without populating the PTE so that
+userspace will retry the access and trigger another fault. Eventually
+we should find a free fence and the fault will get properly handled.
+
+A further improvement idea might be to reserve a fence (or one per CPU?)
+for the express purpose of handling faults without having to retry. But
+that would require some additional work.
+
+Looks like this may have gotten broken originally by
+commit 39965b376601 ("drm/i915: don't trash the gtt when running out of fences")
+as that changed the errno to -EDEADLK which wasn't handle by the gtt
+fault code either. But later in commit 2feeb52859fc ("drm/i915/gt: Fix
+-EDEADLK handling regression") I changed it again to -ENOBUFS as -EDEADLK
+was now getting used for the ww mutex dance. So this fix only makes
+sense after that last commit.
+
+Cc: stable@vger.kernel.org
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/9479
+Fixes: 2feeb52859fc ("drm/i915/gt: Fix -EDEADLK handling regression")
+Signed-off-by: Ville Syrjälä
+Link: https://patchwork.freedesktop.org/patch/msgid/20231012132801.16292-1-ville.syrjala@linux.intel.com
+Reviewed-by: Andi Shyti
+(cherry picked from commit 7f403caabe811b88ab0de3811ff3f4782c415761)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/gem/i915_gem_mman.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+@@ -231,6 +231,7 @@ static vm_fault_t i915_error_to_vmf_faul
+ case 0:
+ case -EAGAIN:
+ case -ENOSPC: /* transient failure to evict? */
++ case -ENOBUFS: /* temporarily out of fences? */
+ case -ERESTARTSYS:
+ case -EINTR:
+ case -EBUSY:
diff --git a/queue-5.15/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch b/queue-5.15/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
new file mode 100644
index 00000000000..1d0a87765a8
--- /dev/null
+++ b/queue-5.15/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
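Review bot: Adding `-ENOBUFS` to the retry group in i915_error_to_vmf_fault() gives the faulting task neither a bound nor a backoff, so if every fence register stays in use the task keeps refaulting on the same address. The commit message accepts this on the assumption that a fence is eventually released, and the inline comment should record that assumption rather than end in a question mark, for example `case -ENOBUFS: /* out of fences; refault until one is released */`. The rest of the switch, including the value returned for this group, lies outside the hunk, so the VM_FAULT_NOPAGE result is taken from the commit message.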
@@ -0,0 +1,61 @@
+From d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg
+Date: Mon, 2 Oct 2023 13:54:28 +0300
+Subject: nvmet-tcp: Fix a possible UAF in queue intialization setup
+
+From: Sagi Grimberg
+
+commit d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd upstream.
+
+From Alon:
+"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
+a malicious user can cause a UAF and a double free, which may lead to
+RCE (may also lead to an LPE in case the attacker already has local
+privileges)."
+
+Hence, when a queue initialization fails after the ahash requests are
+allocated, it is guaranteed that the queue removal async work will be
+called, hence leave the deallocation to the queue removal.
+
+Also, be extra careful not to continue processing the socket, so set
+queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
+
+Cc: stable@vger.kernel.org
+Reported-by: Alon Zahavi
+Tested-by: Alon Zahavi
+Signed-off-by: Sagi Grimberg
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Chaitanya Kulkarni
+Signed-off-by: Keith Busch
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/target/tcp.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -348,6 +348,7 @@ static void nvmet_tcp_fatal_error(struct
+
+ static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status)
+ {
++ queue->rcv_state = NVMET_TCP_RECV_ERR;
+ if (status == -EPIPE || status == -ECONNRESET)
+ kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+ else
+@@ -894,15 +895,11 @@ static int nvmet_tcp_handle_icreq(struct
+ iov.iov_len = sizeof(*icresp);
+ ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len);
+ if (ret < 0)
+- goto free_crypto;
++ return ret; /* queue removal will cleanup */
+
+ queue->state = NVMET_TCP_Q_LIVE;
+ nvmet_prepare_receive_pdu(queue);
+ return 0;
+-free_crypto:
+- if (queue->hdr_digest || queue->data_digest)
+- nvmet_tcp_free_crypto(queue);
+- return ret;
+ }
+
+ static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
diff --git a/queue-5.15/series b/queue-5.15/series
index bf5569cf324..a856bcc4349 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -23,3 +23,9 @@ fs-ntfs3-fix-possible-null-pointer-dereference-in-hdr_find_e.patch
 fs-ntfs3-fix-panic-about-slab-out-of-bounds-caused-by-ntfs_list_ea.patch
 fs-ntfs3-fix-deadlock-in-mark_as_free_ex.patch
 netfilter-nft_payload-fix-wrong-mac-header-matching.patch
+nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
+drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch
+asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch
+asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch
+asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch
+asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch
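Review bot: The early `return ret;` in nvmet_tcp_handle_icreq() is memory-safe only if every caller answers a negative return by scheduling the queue removal work, which is now the sole place the digest state is freed; that caller is outside the hunk and the code does not state the contract. The trailing `/* queue removal will cleanup */` names neither what is owned nor why freeing here is wrong, which is the detail that stops someone from restoring the error label. I would put a fuller comment above the check, for example `/* Digest state is freed by queue removal only; freeing it here as well was the double free. */`. Both nvmet_tcp_handle_icreq() and nvmet_tcp_socket_error() continue outside their hunks.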