From: Sasha Levin Date: Wed, 4 Sep 2024 17:42:43 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.1.109~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d2a7e269bed9a036be4a3802a5d46fbff969e33e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/apparmor-fix-possible-null-pointer-dereference.patch b/queue-5.4/apparmor-fix-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..5fdd715190a --- /dev/null +++ b/queue-5.4/apparmor-fix-possible-null-pointer-dereference.patch 
@@ -0,0 +1,107 @@ +From 1f98521c4e56874eb7aa9a9f591f10f69144cd60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 01:12:29 +0900 +Subject: apparmor: fix possible NULL pointer dereference + +From: Leesoo Ahn + +[ Upstream commit 3dd384108d53834002be5630132ad5c3f32166ad ] + +profile->parent->dents[AAFS_PROF_DIR] could be NULL only if its parent is made +from __create_missing_ancestors(..) and 'ent->old' is NULL in +aa_replace_profiles(..). +In that case, it must return an error code and the code, -ENOENT represents +its state that the path of its parent is not existed yet. + +BUG: kernel NULL pointer dereference, address: 0000000000000030 +PGD 0 P4D 0 +PREEMPT SMP PTI +CPU: 4 PID: 3362 Comm: apparmor_parser Not tainted 6.8.0-24-generic #24 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:aafs_create.constprop.0+0x7f/0x130 +Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae +RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0 +Call Trace: + + ? show_regs+0x6d/0x80 + ? __die+0x24/0x80 + ? page_fault_oops+0x99/0x1b0 + ? kernelmode_fixup_or_oops+0xb2/0x140 + ? __bad_area_nosemaphore+0x1a5/0x2c0 + ? find_vma+0x34/0x60 + ? bad_area_nosemaphore+0x16/0x30 + ? do_user_addr_fault+0x2a2/0x6b0 + ? exc_page_fault+0x83/0x1b0 + ? asm_exc_page_fault+0x27/0x30 + ? 
aafs_create.constprop.0+0x7f/0x130 + ? aafs_create.constprop.0+0x51/0x130 + __aafs_profile_mkdir+0x3d6/0x480 + aa_replace_profiles+0x83f/0x1270 + policy_update+0xe3/0x180 + profile_load+0xbc/0x150 + ? rw_verify_area+0x47/0x140 + vfs_write+0x100/0x480 + ? __x64_sys_openat+0x55/0xa0 + ? syscall_exit_to_user_mode+0x86/0x260 + ksys_write+0x73/0x100 + __x64_sys_write+0x19/0x30 + x64_sys_call+0x7e/0x25c0 + do_syscall_64+0x7f/0x180 + entry_SYSCALL_64_after_hwframe+0x78/0x80 +RIP: 0033:0x7be9f211c574 +Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d d5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89 +RSP: 002b:00007ffd26f2b8c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00005d504415e200 RCX: 00007be9f211c574 +RDX: 0000000000001fc1 RSI: 00005d504418bc80 RDI: 0000000000000004 +RBP: 0000000000001fc1 R08: 0000000000001fc1 R09: 0000000080000000 +R10: 0000000000000000 R11: 0000000000000202 R12: 00005d504418bc80 +R13: 0000000000000004 R14: 00007ffd26f2b9b0 R15: 00007ffd26f2ba30 + +Modules linked in: snd_seq_dummy snd_hrtimer qrtr snd_hda_codec_generic snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device i2c_i801 snd_timer i2c_smbus qxl snd soundcore drm_ttm_helper lpc_ich ttm joydev input_leds serio_raw mac_hid binfmt_misc msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs qemu_fw_cfg ip_tables x_tables autofs4 hid_generic usbhid hid ahci libahci psmouse virtio_rng xhci_pci xhci_pci_renesas +CR2: 0000000000000030 +---[ end trace 0000000000000000 ]--- +RIP: 0010:aafs_create.constprop.0+0x7f/0x130 +Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae +RSP: 0018:ffffc9000b2c7c98 EFLAGS: 
00010246 +RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0 + +Signed-off-by: Leesoo Ahn +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/apparmorfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c +index 62736465ac82..efe04f54be9e 100644 +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c +@@ -1593,6 +1593,10 @@ int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) + struct aa_profile *p; + p = aa_deref_parent(profile); + dent = prof_dir(p); ++ if (!dent) { ++ error = -ENOENT; ++ goto fail2; ++ } + /* adding to parent that previously didn't have children */ + dent = aafs_create_dir("profiles", dent); + if (IS_ERR(dent)) +-- +2.43.0 + diff --git a/queue-5.4/drm-amd-display-check-gpio_id-before-used-as-array-i.patch b/queue-5.4/drm-amd-display-check-gpio_id-before-used-as-array-i.patch new file mode 100644 index 00000000000..7f1186af52b --- /dev/null +++ b/queue-5.4/drm-amd-display-check-gpio_id-before-used-as-array-i.patch 
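Review bot: The new `if (!dent)` guard in __aafs_profile_mkdir carries no explanation of when `prof_dir(p)` can be NULL, which only the commit message gives: the parent was created by __create_missing_ancestors() with `ent->old` NULL in aa_replace_profiles(), so its directory does not exist yet. A comment on the guard, e.g. `/* parent made by __create_missing_ancestors() has no dir yet */`, keeps that reasoning next to the code instead of in the log. The guard sets `error = -ENOENT` and jumps to `fail2`, whereas the `if (IS_ERR(dent))` that follows presumably reaches a `fail` label that derives the error from `PTR_ERR(dent)`; both labels and the rest of the function are outside the hunk, so it is worth confirming that fail2 releases whatever has been acquired by this point.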
@@ -0,0 +1,80 @@ +From 6e541db48f56630f839cf4cf63f9095bfbaf19f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 16:40:00 -0600 +Subject: drm/amd/display: Check gpio_id before used as array index + +From: Alex Hung + +[ Upstream commit 2a5626eeb3b5eec7a36886f9556113dd93ec8ed6 ] + +[WHY & HOW] +GPIO_ID_UNKNOWN (-1) is not a valid value for array index and therefore +should be checked in advance. + +This fixes 5 OVERRUN issues reported by Coverity. + +Reviewed-by: Harry Wentland +Acked-by: Tom Chung +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c +index 0be817f8cae6..f76ec0dd29e7 100644 +--- a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c ++++ b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c +@@ -242,6 +242,9 @@ static bool is_pin_busy( + enum gpio_id id, + uint32_t en) + { ++ if (id == GPIO_ID_UNKNOWN) ++ return false; ++ + return service->busyness[id][en]; + } + +@@ -250,6 +253,9 @@ static void set_pin_busy( + enum gpio_id id, + uint32_t en) + { ++ if (id == GPIO_ID_UNKNOWN) ++ return; ++ + service->busyness[id][en] = true; + } + +@@ -258,6 +264,9 @@ static void set_pin_free( + enum gpio_id id, + uint32_t en) + { ++ if (id == GPIO_ID_UNKNOWN) ++ return; ++ + service->busyness[id][en] = false; + } + +@@ -266,7 +275,7 @@ enum gpio_result dal_gpio_service_lock( + enum gpio_id id, + uint32_t en) + { +- if (!service->busyness[id]) { ++ if (id != GPIO_ID_UNKNOWN && !service->busyness[id]) { + ASSERT_CRITICAL(false); + return GPIO_RESULT_OPEN_FAILED; + } +@@ -280,7 +289,7 @@ enum gpio_result dal_gpio_service_unlock( + enum gpio_id id, + uint32_t en) + { +- if (!service->busyness[id]) { ++ if (id != GPIO_ID_UNKNOWN && !service->busyness[id]) 
{ + ASSERT_CRITICAL(false); + return GPIO_RESULT_OPEN_FAILED; + } +-- +2.43.0 + diff --git a/queue-5.4/drm-amd-display-check-num_valid_sets-before-accessin.patch b/queue-5.4/drm-amd-display-check-num_valid_sets-before-accessin.patch new file mode 100644 index 00000000000..7e9d7d46bbb --- /dev/null +++ b/queue-5.4/drm-amd-display-check-num_valid_sets-before-accessin.patch 
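Review bot: In dal_gpio_service_lock and dal_gpio_service_unlock the rewritten condition `id != GPIO_ID_UNKNOWN && !service->busyness[id]` makes an unknown id skip the `ASSERT_CRITICAL`/`GPIO_RESULT_OPEN_FAILED` branch rather than take it, so both functions continue past the guard with an id that names no pin (the remainder of both bodies is outside the hunk). If the intent is to reject rather than tolerate the sentinel, `if (id == GPIO_ID_UNKNOWN || !service->busyness[id])` fails it explicitly and keeps the assert. The helpers is_pin_busy/set_pin_busy/set_pin_free likewise turn the sentinel into a silent no-op, and only GPIO_ID_UNKNOWN is screened, not any other value outside the `busyness[]` range; a short comment on why the sentinel can reach these functions would help the next reader judge whether silent success is acceptable.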
@@ -0,0 +1,43 @@
+From 0d4095d259656ba4c97837b5b9503cc104814c7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Apr 2024 16:22:35 -0600
+Subject: drm/amd/display: Check num_valid_sets before accessing
+ reader_wm_sets[]
+
+From: Alex Hung
+
+[ Upstream commit b38a4815f79b87efb196cd5121579fc51e29a7fb ]
+
+[WHY & HOW]
+num_valid_sets needs to be checked to avoid a negative index when
+accessing reader_wm_sets[num_valid_sets - 1].
+
+This fixes an OVERRUN issue reported by Coverity.
+
+Reviewed-by: Harry Wentland
+Acked-by: Tom Chung
+Signed-off-by: Alex Hung
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c
+index 9f301f8575a5..fec3ca955b26 100644
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c
+@@ -453,7 +453,8 @@ void build_watermark_ranges(struct clk_bw_params *bw_params, struct pp_smu_wm_ra
+ ranges->reader_wm_sets[num_valid_sets].max_fill_clk_mhz = PP_SMU_WM_SET_RANGE_CLK_UNCONSTRAINED_MAX;
+
+ /* Modify previous watermark range to cover up to max */
+- ranges->reader_wm_sets[num_valid_sets - 1].max_fill_clk_mhz = PP_SMU_WM_SET_RANGE_CLK_UNCONSTRAINED_MAX;
++ if (num_valid_sets > 0)
++ ranges->reader_wm_sets[num_valid_sets - 1].max_fill_clk_mhz = PP_SMU_WM_SET_RANGE_CLK_UNCONSTRAINED_MAX;
+ }
+ num_valid_sets++;
+ }
+--
+2.43.0
+
diff --git a/queue-5.4/drm-amd-display-fix-coverity-integer_overflow-within.patch b/queue-5.4/drm-amd-display-fix-coverity-integer_overflow-within.patch
new file mode 100644
index 00000000000..5e7dcb310df
--- /dev/null
+++ b/queue-5.4/drm-amd-display-fix-coverity-integer_overflow-within.patch
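Review bot: The guard on the `num_valid_sets - 1` access is correct, but the unguarded write to `reader_wm_sets[num_valid_sets]` two lines above it is bounded only by whatever limits num_valid_sets outside the hunk; if the loop can produce more valid sets than reader_wm_sets[] holds, that write rather than the one being fixed is the overrun that matters, so it is worth confirming against the array size. A one-line comment on the new condition, e.g. `/* first valid set: nothing previous to extend */`, would record why a zero count is expected here rather than leaving the reader to assume the check only silences the analyzer. build_watermark_ranges starts and ends outside the hunk.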
@@ -0,0 +1,52 @@
+From 4569c1ffd7f383d877e2d0ff51aeb6bcd5c13bd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Apr 2024 11:58:11 -0400
+Subject: drm/amd/display: Fix Coverity INTEGER_OVERFLOW within
+ dal_gpio_service_create
+
+From: Hersen Wu
+
+[ Upstream commit c6077aa66fa230d12f37fef01161ef080d13b726 ]
+
+[Why]
+For subtraction, coverity reports integer overflow
+warning message when variable type is uint32_t.
+
+[How]
+Change variable type to int32_t.
+
+Reviewed-by: Harry Wentland
+Acked-by: Tom Chung
+Signed-off-by: Hersen Wu
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
+index f76ec0dd29e7..a61cec470d28 100644
+--- a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
++++ b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
+@@ -58,7 +58,7 @@ struct gpio_service *dal_gpio_service_create(
+ struct dc_context *ctx)
+ {
+ struct gpio_service *service;
+- uint32_t index_of_id;
++ int32_t index_of_id;
+
+ service = kzalloc(sizeof(struct gpio_service), GFP_KERNEL);
+
+@@ -114,7 +114,7 @@ struct gpio_service *dal_gpio_service_create(
+ return service;
+
+ failure_2:
+- while (index_of_id) {
++ while (index_of_id > 0) {
+ --index_of_id;
+ kfree(service->busyness[index_of_id]);
+ }
+--
+2.43.0
+
diff --git a/queue-5.4/drm-amd-display-skip-wbscl_set_scaler_filter-if-filt.patch b/queue-5.4/drm-amd-display-skip-wbscl_set_scaler_filter-if-filt.patch
new file mode 100644
index 00000000000..03026cde499
--- /dev/null
+++ b/queue-5.4/drm-amd-display-skip-wbscl_set_scaler_filter-if-filt.patch
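Review bot: The `failure_2:` cleanup now relies on `index_of_id` holding the number of `busyness[]` entries allocated so far, and nothing in either hunk shows where it is initialized (the allocation loop lies between the two hunks); a comment at the label, e.g. `/* free busyness[0 .. index_of_id-1], the entries allocated so far */`, documents the invariant the `> 0` test depends on. Note that the type change is what satisfies Coverity rather than a behavior fix: the old unsigned loop could not underflow either, since `--index_of_id` only runs while the value is non-zero, so the commit is a readability change and could say so.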
@@ -0,0 +1,41 @@
+From 7d422f0c845843ea68402d82e367cc6c02d10cbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Jun 2024 10:47:37 -0600
+Subject: drm/amd/display: Skip wbscl_set_scaler_filter if filter is null
+
+From: Alex Hung
+
+[ Upstream commit c4d31653c03b90e51515b1380115d1aedad925dd ]
+
+Callers can pass null in filter (i.e. from returned from the function
+wbscl_get_filter_coeffs_16p) and a null check is added to ensure that is
+not the case.
+
+This fixes 4 NULL_RETURNS issues reported by Coverity.
+
+Reviewed-by: Harry Wentland
+Acked-by: Hamza Mahfooz
+Signed-off-by: Alex Hung
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c
+index cd8bc92ce3ba..4058a4fd6b22 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c
+@@ -690,6 +690,9 @@ static void wbscl_set_scaler_filter(
+ int pair;
+ uint16_t odd_coef, even_coef;
+
++ if (!filter)
++ return;
++
+ for (phase = 0; phase < (NUM_PHASES / 2 + 1); phase++) {
+ for (pair = 0; pair < tap_pairs; pair++) {
+ even_coef = filter[phase * taps + 2 * pair];
+--
+2.43.0
+
diff --git a/queue-5.4/drm-amd-display-stop-amdgpu_dm-initialize-when-strea.patch b/queue-5.4/drm-amd-display-stop-amdgpu_dm-initialize-when-strea.patch
new file mode 100644
index 00000000000..45c15058fdf
--- /dev/null
+++ b/queue-5.4/drm-amd-display-stop-amdgpu_dm-initialize-when-strea.patch
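Review bot: The added `if (!filter) return;` silently leaves the scaler filter coefficients unprogrammed, and because wbscl_set_scaler_filter is static void the caller cannot tell; per the commit message a NULL comes from wbscl_get_filter_coeffs_16p, meaning an unsupported tap count reached this point. A comment stating that, e.g. `/* NULL from wbscl_get_filter_coeffs_16p(): unsupported tap count, leave filter untouched */`, or an `ASSERT(filter)` ahead of the return so the condition shows up in debug builds, would keep the misconfiguration from being invisible. The function's signature and the rest of its body are outside the hunk.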
@@ -0,0 +1,46 @@
+From 421ed4a43b18a81ffc0983dda1bf0d62838291bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Apr 2024 16:00:19 -0400
+Subject: drm/amd/display: Stop amdgpu_dm initialize when stream nums greater
+ than 6
+
+From: Hersen Wu
+
+[ Upstream commit 84723eb6068c50610c5c0893980d230d7afa2105 ]
+
+[Why]
+Coverity reports OVERRUN warning. Should abort amdgpu_dm
+initialize.
+
+[How]
+Return failure to amdgpu_dm_init.
+
+Reviewed-by: Harry Wentland
+Acked-by: Tom Chung
+Signed-off-by: Hersen Wu
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 3bfc4aa328c6..869b38908b28 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -2263,7 +2263,10 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev)
+
+ /* There is one primary plane per CRTC */
+ primary_planes = dm->dc->caps.max_streams;
+- ASSERT(primary_planes <= AMDGPU_MAX_PLANES);
++ if (primary_planes > AMDGPU_MAX_PLANES) {
++ DRM_ERROR("DM: Plane nums out of 6 planes\n");
++ return -EINVAL;
++ }
+
+ /*
+ * Initialize primary planes, implicit planes for legacy IOCTLS.
+--
+2.43.0
+
diff --git a/queue-5.4/drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch b/queue-5.4/drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch
new file mode 100644
index 00000000000..be81a63f18e
--- /dev/null
+++ b/queue-5.4/drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch
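Review bot: The new `DRM_ERROR("DM: Plane nums out of 6 planes\n")` hardcodes the number 6 while the condition tests `AMDGPU_MAX_PLANES`, so the message goes stale if the macro changes, and it omits the count that actually tripped the check. Printing both, e.g. `DRM_ERROR("DM: %d primary planes exceed AMDGPU_MAX_PLANES (%d)\n", primary_planes, AMDGPU_MAX_PLANES);` (with the specifier matching the declared type of primary_planes, which is outside the hunk), gives the log enough to diagnose firmware reporting an unexpected max_streams. Returning -EINVAL here also relies on amdgpu_dm_init unwinding whatever amdgpu_dm_initialize_drm_device set up before this point, which is outside the hunk.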
@@ -0,0 +1,35 @@
+From 216b1690379d36f002a5e1f9f09dd9688c583fa1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 May 2024 16:30:01 +0800
+Subject: drm/amdgpu: fix mc_data out-of-bounds read warning
+
+From: Tim Huang
+
+[ Upstream commit 51dfc0a4d609fe700750a62f41447f01b8c9ea50 ]
+
+Clear warning that read mc_data[i-1] may out-of-bounds.
+
+Signed-off-by: Tim Huang
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+index c687432da426..89930a38b63e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+@@ -1626,6 +1626,8 @@ int amdgpu_atombios_init_mc_reg_table(struct amdgpu_device *adev,
+ (u32)le32_to_cpu(*((u32 *)reg_data + j));
+ j++;
+ } else if ((reg_table->mc_reg_address[i].pre_reg_data & LOW_NIBBLE_MASK) == DATA_EQU_PREV) {
++ if (i == 0)
++ continue;
+ reg_table->mc_reg_table_entry[num_ranges].mc_data[i] =
+ reg_table->mc_reg_table_entry[num_ranges].mc_data[i - 1];
+ }
+--
+2.43.0
+
diff --git a/queue-5.4/drm-amdgpu-fix-overflowed-array-index-read-warning.patch b/queue-5.4/drm-amdgpu-fix-overflowed-array-index-read-warning.patch
new file mode 100644
index 00000000000..681bce4afa5
--- /dev/null
+++ b/queue-5.4/drm-amdgpu-fix-overflowed-array-index-read-warning.patch
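Review bot: `if (i == 0) continue;` treats a DATA_EQU_PREV entry at index 0 as something to skip, but there is no previous value to copy, so such a table is malformed and `mc_data[0]` keeps whatever it held before; since the table is read from the VBIOS, failing the parse with an error may be safer than carrying on with a partially filled entry. If skipping is the intended policy, a comment such as `/* no previous entry to copy at i == 0: malformed table, skip it */` should say so, and note that `continue` also bypasses any statements after the if/else chain in the loop body, which is outside the hunk.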
@@ -0,0 +1,41 @@
+From f661666cc91ed71a6f7f8063dfb788f57c91e4c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Apr 2024 13:15:27 +0800
+Subject: drm/amdgpu: fix overflowed array index read warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tim Huang
+
+[ Upstream commit ebbc2ada5c636a6a63d8316a3408753768f5aa9f ]
+
+Clear overflowed array index read warning by cast operation.
+
+Signed-off-by: Tim Huang
+Reviewed-by: Alex Deucher
+Reviewed-by: Christian König
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+index e5c83e164d82..8fafda87d4ce 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+@@ -437,8 +437,9 @@ static ssize_t amdgpu_debugfs_ring_read(struct file *f, char __user *buf,
+ size_t size, loff_t *pos)
+ {
+ struct amdgpu_ring *ring = file_inode(f)->i_private;
+- int r, i;
+ uint32_t value, result, early[3];
++ loff_t i;
++ int r;
+
+ if (*pos & 3 || size & 3)
+ return -EINVAL;
+--
+2.43.0
+
diff --git a/queue-5.4/drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch b/queue-5.4/drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch
new file mode 100644
index 00000000000..066828c176e
--- /dev/null
+++ b/queue-5.4/drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch
@@ -0,0 +1,36 @@
+From 75c24148d423fdf9eefdb4786792f0eb1f431dcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 May 2024 16:21:00 +0800
+Subject: drm/amdgpu: fix ucode out-of-bounds read warning
+
+From: Tim Huang
+
+[ Upstream commit 8944acd0f9db33e17f387fdc75d33bb473d7936f ]
+
+Clear warning that read ucode[] may out-of-bounds.
+
+Signed-off-by: Tim Huang
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
+index 031b094607bd..3ce4447052b9 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
+@@ -213,6 +213,9 @@ static int amdgpu_cgs_get_firmware_info(struct cgs_device *cgs_device,
+ struct amdgpu_firmware_info *ucode;
+
+ id = fw_type_convert(cgs_device, type);
++ if (id >= AMDGPU_UCODE_ID_MAXIMUM)
++ return -EINVAL;
++
+ ucode = &adev->firmware.ucode[id];
+ if (ucode->fw == NULL)
+ return -EINVAL;
+--
+2.43.0
+
diff --git a/queue-5.4/drm-amdgpu-fix-uninitialized-variable-warning-in-amd.patch b/queue-5.4/drm-amdgpu-fix-uninitialized-variable-warning-in-amd.patch
new file mode 100644
index 00000000000..70ee5317f8f
--- /dev/null
+++ b/queue-5.4/drm-amdgpu-fix-uninitialized-variable-warning-in-amd.patch
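Review bot: The new `id >= AMDGPU_UCODE_ID_MAXIMUM` check only rejects values at or above the maximum, so it is sufficient only if fw_type_convert() reports an unsupported type by returning AMDGPU_UCODE_ID_MAXIMUM (or something beyond it) and never a negative sentinel; fw_type_convert and the declaration of `id` are outside the hunk, so that contract is worth confirming. A comment tying the two together, e.g. `/* fw_type_convert() returns AMDGPU_UCODE_ID_MAXIMUM for unsupported types */`, would make the bound self-explanatory. amdgpu_cgs_get_firmware_info starts and ends outside the hunk.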
@@ -0,0 +1,35 @@
+From 5eff61acc829f307aa1371b912a032739cc98031 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Apr 2024 10:50:54 +0800
+Subject: drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr
+
+From: Ma Jun
+
+[ Upstream commit c0d6bd3cd209419cc46ac49562bef1db65d90e70 ]
+
+Assign value to clock to fix the warning below:
+"Using uninitialized value res. Field res.clock is uninitialized"
+
+Signed-off-by: Ma Jun
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c
+index a4d65973bf7c..80771b1480ff 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c
+@@ -100,6 +100,7 @@ struct amdgpu_afmt_acr amdgpu_afmt_acr(uint32_t clock)
+ amdgpu_afmt_calc_cts(clock, &res.cts_32khz, &res.n_32khz, 32000);
+ amdgpu_afmt_calc_cts(clock, &res.cts_44_1khz, &res.n_44_1khz, 44100);
+ amdgpu_afmt_calc_cts(clock, &res.cts_48khz, &res.n_48khz, 48000);
++ res.clock = clock;
+
+ return res;
+ }
+--
+2.43.0
+
diff --git a/queue-5.4/drm-amdkfd-reconcile-the-definition-and-use-of-oem_i.patch b/queue-5.4/drm-amdkfd-reconcile-the-definition-and-use-of-oem_i.patch
new file mode 100644
index 00000000000..dca36200af9
--- /dev/null
+++ b/queue-5.4/drm-amdkfd-reconcile-the-definition-and-use-of-oem_i.patch
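Review bot: `res.clock = clock;` is bolted on after the three amdgpu_afmt_calc_cts() calls, which leaves every other field of `res` depending on those calls for initialization; initializing at the declaration instead (outside the hunk), e.g. `struct amdgpu_afmt_acr res = { .clock = clock };`, zero-fills the whole struct so a future field added to struct amdgpu_afmt_acr cannot reintroduce the same uninitialized-return report. The function returns the struct by value, so any field left unset is copied straight to the caller.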
@@ -0,0 +1,71 @@ +From c5785dd5b8fae550369e08eccfdf72186697fc25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 May 2024 15:31:08 -0400 +Subject: drm/amdkfd: Reconcile the definition and use of oem_id in struct + kfd_topology_device + +From: Michael Chen + +[ Upstream commit 10f624ef239bd136cdcc5bbc626157a57b938a31 ] + +Currently oem_id is defined as uint8_t[6] and casted to uint64_t* +in some use case. This would lead code scanner to complain about +access beyond. Re-define it in union to enforce 8-byte size and +alignment to avoid potential issue. + +Signed-off-by: Michael Chen +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_crat.h | 2 -- + drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 3 +-- + drivers/gpu/drm/amd/amdkfd/kfd_topology.h | 5 ++++- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.h b/drivers/gpu/drm/amd/amdkfd/kfd_crat.h +index d54ceebd346b..30c70b3ab17f 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.h ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.h +@@ -42,8 +42,6 @@ + #define CRAT_OEMTABLEID_LENGTH 8 + #define CRAT_RESERVED_LENGTH 6 + +-#define CRAT_OEMID_64BIT_MASK ((1ULL << (CRAT_OEMID_LENGTH * 8)) - 1) +- + /* Compute Unit flags */ + #define COMPUTE_UNIT_CPU (1 << 0) /* Create Virtual CRAT for CPU */ + #define COMPUTE_UNIT_GPU (1 << 1) /* Create Virtual CRAT for GPU */ +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +index a49e2ab071d6..de892ee147de 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +@@ -883,8 +883,7 @@ static void kfd_update_system_properties(void) + dev = list_last_entry(&topology_device_list, + struct kfd_topology_device, list); + if (dev) { +- sys_props.platform_id = +- (*((uint64_t *)dev->oem_id)) & CRAT_OEMID_64BIT_MASK; ++ sys_props.platform_id = dev->oem_id64; + 
sys_props.platform_oem = *((uint64_t *)dev->oem_table_id); + sys_props.platform_rev = dev->oem_revision; + } +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.h b/drivers/gpu/drm/amd/amdkfd/kfd_topology.h +index d4718d58d0f2..7230b5b5bfe5 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.h ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.h +@@ -172,7 +172,10 @@ struct kfd_topology_device { + struct attribute attr_gpuid; + struct attribute attr_name; + struct attribute attr_props; +- uint8_t oem_id[CRAT_OEMID_LENGTH]; ++ union { ++ uint8_t oem_id[CRAT_OEMID_LENGTH]; ++ uint64_t oem_id64; ++ }; + uint8_t oem_table_id[CRAT_OEMTABLEID_LENGTH]; + uint32_t oem_revision; + }; +-- +2.43.0 + diff --git a/queue-5.4/ionic-fix-potential-irq-name-truncation.patch b/queue-5.4/ionic-fix-potential-irq-name-truncation.patch new file mode 100644 index 00000000000..9ccc72f35bf --- /dev/null +++ b/queue-5.4/ionic-fix-potential-irq-name-truncation.patch 
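Review bot: The removed `CRAT_OEMID_64BIT_MASK` confined the value to CRAT_OEMID_LENGTH bytes, but the new `sys_props.platform_id = dev->oem_id64;` reads all 8 bytes of the union, so the two bytes past the 6-byte `oem_id` array (the commit message gives the old definition as uint8_t[6]) now come from whatever the union holds there — zero only if the topology device was zero-allocated and nothing wrote them, which the hunks do not show. Keeping the mask on the union read, or zeroing those bytes explicitly where oem_id is filled in, preserves the previous platform_id, which is a userspace-visible value. The neighbouring `*((uint64_t *)dev->oem_table_id)` cast on the 8-byte `oem_table_id` is the same pattern that prompted this change and could get the same union treatment. A one-line comment on the union, e.g. `/* oem_id64 is a raw host-order view of oem_id plus 2 bytes of padding */`, would make the aliasing explicit for the next reader.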
@@ -0,0 +1,38 @@
+From 827bcfdb02db0579d2ccc0a1ebd90ca10fad86fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 May 2024 17:02:53 -0700
+Subject: ionic: fix potential irq name truncation
+
+From: Shannon Nelson
+
+[ Upstream commit 3eb76e71b16e8ba5277bf97617aef51f5e64dbe4 ]
+
+Address a warning about potential string truncation based on the
+string buffer sizes. We can add some hints to the string format
+specifier to set limits on the resulting possible string to
+squelch the complaints.
+
+Signed-off-by: Shannon Nelson
+Link: https://lore.kernel.org/r/20240529000259.25775-2-shannon.nelson@amd.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+index 7adad91617d8..20e5e0406c88 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -143,7 +143,7 @@ static int ionic_request_irq(struct ionic_lif *lif, struct ionic_qcq *qcq)
+ name = dev_name(dev);
+
+ snprintf(intr->name, sizeof(intr->name),
+- "%s-%s-%s", IONIC_DRV_NAME, name, q->name);
++ "%.5s-%.16s-%.8s", IONIC_DRV_NAME, name, q->name);
+
+ return devm_request_irq(dev, intr->vector, ionic_isr,
+ 0, intr->name, &qcq->napi);
+--
+2.43.0
+
diff --git a/queue-5.4/media-uvcvideo-enforce-alignment-of-frame-and-interv.patch b/queue-5.4/media-uvcvideo-enforce-alignment-of-frame-and-interv.patch
new file mode 100644
index 00000000000..0cf3bdaf3e9
--- /dev/null
+++ b/queue-5.4/media-uvcvideo-enforce-alignment-of-frame-and-interv.patch
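Review bot: The precisions in `"%.5s-%.16s-%.8s"` are magic numbers that only make sense against sizeof(intr->name) and the sizes of the name buffers being formatted, none of which are visible in the hunk; a comment tying them to that size, e.g. `/* %.Ns widths keep the joined name within sizeof(intr->name) */`, saves the next reader from re-deriving them. Precision truncation is silent, so if dev_name() or q->name can exceed 16 or 8 characters two queues could end up with identical names in /proc/interrupts; if those buffers are already bounded below the widths, the precisions are there only for the compiler and a note saying so is enough. ionic_request_irq starts and ends outside the hunk.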
@@ -0,0 +1,68 @@ +From 7894235bff04bbd5322bc91eb7c6338ed7546592 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 17:56:18 +0000 +Subject: media: uvcvideo: Enforce alignment of frame and interval + +From: Ricardo Ribalda + +[ Upstream commit c8931ef55bd325052ec496f242aea7f6de47dc9c ] + +Struct uvc_frame and interval (u32*) are packaged together on +streaming->formats on a single contiguous allocation. + +Right now they are allocated right after uvc_format, without taking into +consideration their required alignment. + +This is working fine because both structures have a field with a +pointer, but it will stop working when the sizeof() of any of those +structs is not a multiple of the sizeof(void*). + +Enforce that alignment during the allocation. + +Signed-off-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20240404-uvc-align-v2-1-9e104b0ecfbd@chromium.org +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 0caa57a6782a..6d1a7e02da51 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -887,16 +887,26 @@ static int uvc_parse_streaming(struct uvc_device *dev, + goto error; + } + +- size = nformats * sizeof(*format) + nframes * sizeof(*frame) ++ /* ++ * Allocate memory for the formats, the frames and the intervals, ++ * plus any required padding to guarantee that everything has the ++ * correct alignment. 
++ */ ++ size = nformats * sizeof(*format); ++ size = ALIGN(size, __alignof__(*frame)) + nframes * sizeof(*frame); ++ size = ALIGN(size, __alignof__(*interval)) + + nintervals * sizeof(*interval); ++ + format = kzalloc(size, GFP_KERNEL); +- if (format == NULL) { ++ if (!format) { + ret = -ENOMEM; + goto error; + } + +- frame = (struct uvc_frame *)&format[nformats]; +- interval = (u32 *)&frame[nframes]; ++ frame = (void *)format + nformats * sizeof(*format); ++ frame = PTR_ALIGN(frame, __alignof__(*frame)); ++ interval = (void *)frame + nframes * sizeof(*frame); ++ interval = PTR_ALIGN(interval, __alignof__(*interval)); + + streaming->format = format; + streaming->nformats = nformats; +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index e6bf9abc19c..2ef8ea842fe 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1,3 +1,20 @@ drm-panel-orientation-quirks-add-quirk-for-orangepi-.patch i2c-fix-conditional-for-substituting-empty-acpi-func.patch net-usb-qmi_wwan-add-meig-smart-srm825l.patch +drm-amdgpu-fix-uninitialized-variable-warning-in-amd.patch +drm-amdgpu-fix-overflowed-array-index-read-warning.patch +drm-amd-display-check-gpio_id-before-used-as-array-i.patch +drm-amd-display-stop-amdgpu_dm-initialize-when-strea.patch +drm-amd-display-check-num_valid_sets-before-accessin.patch +drm-amd-display-fix-coverity-integer_overflow-within.patch +drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch +drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch +drm-amdkfd-reconcile-the-definition-and-use-of-oem_i.patch +apparmor-fix-possible-null-pointer-dereference.patch +ionic-fix-potential-irq-name-truncation.patch +usbip-don-t-submit-special-requests-twice.patch +usb-typec-ucsi-fix-null-pointer-dereference-in-trace.patch +smack-tcp-ipv4-fix-incorrect-labeling.patch +wifi-cfg80211-make-hash-table-duplicates-more-surviv.patch +drm-amd-display-skip-wbscl_set_scaler_filter-if-filt.patch +media-uvcvideo-enforce-alignment-of-frame-and-interv.patch 
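Review bot: The size computation (`size = ALIGN(size, __alignof__(*frame)) + nframes * sizeof(*frame);` and the interval line after it) and the pointer layout (`frame = PTR_ALIGN(frame, __alignof__(*frame));`, `interval = PTR_ALIGN(interval, __alignof__(*interval));`) are two copies of the same layout that must stay in step; a comment on the pointer block pointing back at the size calculation, or one small helper that computes both offsets, would stop a future edit to one from drifting from the other. nformats, nframes and nintervals are presumably counted from the device's descriptors earlier in uvc_parse_streaming, so it is worth confirming that the multiplications cannot overflow `size` (whose type is outside the hunk) for a descriptor-supplied count. uvc_parse_streaming starts and ends outside the hunk.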
diff --git a/queue-5.4/smack-tcp-ipv4-fix-incorrect-labeling.patch b/queue-5.4/smack-tcp-ipv4-fix-incorrect-labeling.patch new file mode 100644 index 00000000000..8368d32750a --- /dev/null +++ b/queue-5.4/smack-tcp-ipv4-fix-incorrect-labeling.patch 
@@ -0,0 +1,69 @@ +From 043b1ae88010b8db1019fe09fee71db58b487fad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jun 2024 15:41:50 -0700 +Subject: smack: tcp: ipv4, fix incorrect labeling + +From: Casey Schaufler + +[ Upstream commit 2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550 ] + +Currently, Smack mirrors the label of incoming tcp/ipv4 connections: +when a label 'foo' connects to a label 'bar' with tcp/ipv4, +'foo' always gets 'foo' in returned ipv4 packets. So, +1) returned packets are incorrectly labeled ('foo' instead of 'bar') +2) 'bar' can write to 'foo' without being authorized to write. + +Here is a scenario how to see this: + +* Take two machines, let's call them C and S, + with active Smack in the default state + (no settings, no rules, no labeled hosts, only builtin labels) + +* At S, add Smack rule 'foo bar w' + (labels 'foo' and 'bar' are instantiated at S at this moment) + +* At S, at label 'bar', launch a program + that listens for incoming tcp/ipv4 connections + +* From C, at label 'foo', connect to the listener at S. + (label 'foo' is instantiated at C at this moment) + Connection succeedes and works. + +* Send some data in both directions. +* Collect network traffic of this connection. + +All packets in both directions are labeled with the CIPSO +of the label 'foo'. Hence, label 'bar' writes to 'foo' without +being authorized, and even without ever being known at C. + +If anybody cares: exactly the same happens with DCCP. + +This behavior 1st manifested in release 2.6.29.4 (see Fixes below) +and it looks unintentional. At least, no explanation was provided. + +I changed returned packes label into the 'bar', +to bring it into line with the Smack documentation claims. 
+ +Signed-off-by: Konstantin Andreev +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smack_lsm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index 072ce1ef6efb..7d04b21737cf 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -4196,7 +4196,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, + rcu_read_unlock(); + + if (hskp == NULL) +- rc = netlbl_req_setattr(req, &skp->smk_netlabel); ++ rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); + else + netlbl_req_delattr(req); + +-- +2.43.0 + diff --git a/queue-5.4/usb-typec-ucsi-fix-null-pointer-dereference-in-trace.patch b/queue-5.4/usb-typec-ucsi-fix-null-pointer-dereference-in-trace.patch new file mode 100644 index 00000000000..c049c4e5cb4 --- /dev/null +++ b/queue-5.4/usb-typec-ucsi-fix-null-pointer-dereference-in-trace.patch 
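Review bot: The one changed line `rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel);` reverses a labeling choice that has stood since 2.6.29 with no comment at the site, so a reader sees only that the label moved from `skp` to `ssp->smk_out`; a comment such as `/* label the reply with this socket's outbound label, not the peer's */` records the intent the commit message explains at length. The message refers to a Fixes tag ("see Fixes below") that does not appear among the trailers as shown here; if it was dropped in the backport it is worth restoring for stable tracking. smack_inet_conn_request and the assignments of `ssp` and `skp` are outside the hunk, so whether `skp` is still used after this change should be confirmed to avoid an unused-variable warning.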
@@ -0,0 +1,44 @@
+From 265ff842dc59274fbb4d70cc4a069694c436ef7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 May 2024 20:12:41 +0000
+Subject: usb: typec: ucsi: Fix null pointer dereference in trace
+
+From: Abhishek Pandit-Subedi
+
+[ Upstream commit 99516f76db48e1a9d54cdfed63c1babcee4e71a5 ]
+
+ucsi_register_altmode checks IS_ERR for the alt pointer and treats
+NULL as valid. When CONFIG_TYPEC_DP_ALTMODE is not enabled,
+ucsi_register_displayport returns NULL which causes a NULL pointer
+dereference in trace. Rather than return NULL, call
+typec_port_register_altmode to register DisplayPort alternate mode
+as a non-controllable mode when CONFIG_TYPEC_DP_ALTMODE is not enabled.
+
+Reviewed-by: Benson Leung
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Abhishek Pandit-Subedi
+Signed-off-by: Jameson Thies
+Reviewed-by: Dmitry Baryshkov
+Link: https://lore.kernel.org/r/20240510201244.2968152-2-jthies@google.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/typec/ucsi/ucsi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h
+index de87d0b8319d..179ad343f42f 100644
+--- a/drivers/usb/typec/ucsi/ucsi.h
++++ b/drivers/usb/typec/ucsi/ucsi.h
+@@ -446,7 +446,7 @@ ucsi_register_displayport(struct ucsi_connector *con,
+ bool override, int offset,
+ struct typec_altmode_desc *desc)
+ {
+- return NULL;
++ return typec_port_register_altmode(con->port, desc);
+ }
+
+ static inline void
+--
+2.43.0
+
diff --git a/queue-5.4/usbip-don-t-submit-special-requests-twice.patch b/queue-5.4/usbip-don-t-submit-special-requests-twice.patch
new file mode 100644
index 00000000000..bd388b1c535
--- /dev/null
+++ b/queue-5.4/usbip-don-t-submit-special-requests-twice.patch
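Review bot: The stub now returns whatever typec_port_register_altmode() returns, so callers that only check IS_ERR() get either a real port altmode or an ERR_PTR and never NULL, but nothing at the call site says why a build without DisplayPort support registers a DisplayPort mode at all; a comment on the stub would spare the next reader that question, e.g. `/* No DP alt mode driver: register a plain, non-controllable port altmode so callers never see NULL */`. The `override` and `offset` parameters remain unused in this stub, which is fine for an inline but worth stating in the same comment. The stub's signature starts outside the hunk, so it is also worth confirming that typec_port_register_altmode() is declared by a header ucsi.h already includes in 5.4, since the hunk adds no include.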
@@ -0,0 +1,183 @@
+From 58d31540fb8d88b73cb131f42e4cce7e6127f808 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 19 May 2024 16:15:38 +0200
+Subject: usbip: Don't submit special requests twice
+
+From: Simon Holesch
+
+[ Upstream commit 8b6b386f9aa936ed0c190446c71cf59d4a507690 ]
+
+Skip submitting URBs, when identical requests were already sent in
+tweak_special_requests(). Instead call the completion handler directly
+to return the result of the URB.
+
+Even though submitting those requests twice should be harmless, there
+are USB devices that react poorly to some duplicated requests.
+
+One example is the ChipIdea controller implementation in U-Boot: The
+second SET_CONFIGURATION request makes U-Boot disable and re-enable all
+endpoints. Re-enabling an endpoint in the ChipIdea controller, however,
+was broken until U-Boot commit b272c8792502 ("usb: ci: Fix gadget
+reinit").
+
+Signed-off-by: Simon Holesch
+Acked-by: Shuah Khan
+Reviewed-by: Hongren Zheng
+Tested-by: Hongren Zheng
+Link: https://lore.kernel.org/r/20240519141922.171460-1-simon@holesch.de
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/usbip/stub_rx.c | 77 ++++++++++++++++++++++++-------------
+ 1 file changed, 50 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c
+index d3d360ff0d24..6be5cd87e7cb 100644
+--- a/drivers/usb/usbip/stub_rx.c
++++ b/drivers/usb/usbip/stub_rx.c
+@@ -144,53 +144,62 @@ static int tweak_set_configuration_cmd(struct urb *urb)
+ if (err && err != -ENODEV)
+ dev_err(&sdev->udev->dev, "can't set config #%d, error %d\n",
+ config, err);
+- return 0;
++ return err;
+ }
+
+ static int tweak_reset_device_cmd(struct urb *urb)
+ {
+ struct stub_priv *priv = (struct stub_priv *) urb->context;
+ struct stub_device *sdev = priv->sdev;
++ int err;
+
+ dev_info(&urb->dev->dev, "usb_queue_reset_device\n");
+
+- if (usb_lock_device_for_reset(sdev->udev, NULL) < 0) {
++ err = usb_lock_device_for_reset(sdev->udev, NULL);
++ if (err < 0) {
+ dev_err(&urb->dev->dev, "could not obtain lock to reset device\n");
+- return 0;
++ return err;
+ }
+- usb_reset_device(sdev->udev);
++ err = usb_reset_device(sdev->udev);
+ usb_unlock_device(sdev->udev);
+
+- return 0;
++ return err;
+ }
+
+ /*
+ * clear_halt, set_interface, and set_configuration require special tricks.
++ * Returns 1 if request was tweaked, 0 otherwise.
+ */
+-static void tweak_special_requests(struct urb *urb)
++static int tweak_special_requests(struct urb *urb)
+ {
++ int err;
++
+ if (!urb || !urb->setup_packet)
+- return;
++ return 0;
+
+ if (usb_pipetype(urb->pipe) != PIPE_CONTROL)
+- return;
++ return 0;
+
+ if (is_clear_halt_cmd(urb))
+ /* tweak clear_halt */
+- tweak_clear_halt_cmd(urb);
++ err = tweak_clear_halt_cmd(urb);
+
+ else if (is_set_interface_cmd(urb))
+ /* tweak set_interface */
+- tweak_set_interface_cmd(urb);
++ err = tweak_set_interface_cmd(urb);
+
+ else if (is_set_configuration_cmd(urb))
+ /* tweak set_configuration */
+- tweak_set_configuration_cmd(urb);
++ err = tweak_set_configuration_cmd(urb);
+
+ else if (is_reset_device_cmd(urb))
+- tweak_reset_device_cmd(urb);
+- else
++ err = tweak_reset_device_cmd(urb);
++ else {
+ usbip_dbg_stub_rx("no need to tweak\n");
++ return 0;
++ }
++
++ return !err;
+ }
+
+ /*
+@@ -468,6 +477,7 @@ static void stub_recv_cmd_submit(struct stub_device *sdev,
+ int support_sg = 1;
+ int np = 0;
+ int ret, i;
++ int is_tweaked;
+
+ if (pipe == -1)
+ return;
+@@ -580,8 +590,11 @@ static void stub_recv_cmd_submit(struct stub_device *sdev,
+ priv->urbs[i]->pipe = pipe;
+ priv->urbs[i]->complete = stub_complete;
+
+- /* no need to submit an intercepted request, but harmless? */
+- tweak_special_requests(priv->urbs[i]);
++ /*
++ * all URBs belong to a single PDU, so a global is_tweaked flag is
++ * enough
++ */
++ is_tweaked = tweak_special_requests(priv->urbs[i]);
+
+ masking_bogus_flags(priv->urbs[i]);
+ }
+@@ -594,22 +607,32 @@ static void stub_recv_cmd_submit(struct stub_device *sdev,
+
+ /* urb is now ready to submit */
+ for (i = 0; i < priv->num_urbs; i++) {
+- ret = usb_submit_urb(priv->urbs[i], GFP_KERNEL);
++ if (!is_tweaked) {
++ ret = usb_submit_urb(priv->urbs[i], GFP_KERNEL);
+
+- if (ret == 0)
+- usbip_dbg_stub_rx("submit urb ok, seqnum %u\n",
+- pdu->base.seqnum);
+- else {
+- dev_err(&udev->dev, "submit_urb error, %d\n", ret);
+- usbip_dump_header(pdu);
+- usbip_dump_urb(priv->urbs[i]);
++ if (ret == 0)
++ usbip_dbg_stub_rx("submit urb ok, seqnum %u\n",
++ pdu->base.seqnum);
++ else {
++ dev_err(&udev->dev, "submit_urb error, %d\n", ret);
++ usbip_dump_header(pdu);
++ usbip_dump_urb(priv->urbs[i]);
+
++ /*
++ * Pessimistic.
++ * This connection will be discarded.
++ */
++ usbip_event_add(ud, SDEV_EVENT_ERROR_SUBMIT);
++ break;
++ }
++ } else {
+ /*
+- * Pessimistic.
+- * This connection will be discarded.
++ * An identical URB was already submitted in
++ * tweak_special_requests(). Skip submitting this URB to not
++ * duplicate the request.
+ */
+- usbip_event_add(ud, SDEV_EVENT_ERROR_SUBMIT);
+- break;
++ priv->urbs[i]->status = 0;
++ stub_complete(priv->urbs[i]);
+ }
+ }
+
+--
+2.43.0
+
diff --git a/queue-5.4/wifi-cfg80211-make-hash-table-duplicates-more-surviv.patch b/queue-5.4/wifi-cfg80211-make-hash-table-duplicates-more-surviv.patch
new file mode 100644
index 00000000000..229f369c1fa
--- /dev/null
+++ b/queue-5.4/wifi-cfg80211-make-hash-table-duplicates-more-surviv.patch
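Review bot: `int is_tweaked;` is added to stub_recv_cmd_submit without an initializer and is only assigned inside the per-URB loop, so the later `if (!is_tweaked)` read is defined only because both loops happen to share the same bound; `int is_tweaked = 0;` at the declaration removes that coupling and any -Wmaybe-uninitialized noise. The new header comment on tweak_special_requests() says "Returns 1 if request was tweaked, 0 otherwise", but the function returns `!err`, so a tweak that ran and failed also yields 0 and the URB is then submitted normally, re-issuing the request the tweak already attempted; the comment should say so, e.g. `* Returns 1 if the request was tweaked successfully, 0 if it is not a special request or the tweak failed (the caller then submits the URB and the device's own answer is reported).` In the tweaked branch `stub_complete()` is now invoked directly from the rx path rather than from URB completion, and whether it tolerates that calling context is not visible in this hunk; a one-line comment at the call noting the requirement would make the assumption explicit. Both stub_recv_cmd_submit and the tweak helpers begin or end outside the hunk.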
@@ -0,0 +1,131 @@
+From 00a056e3ddc3643c644391ed8c158c085203ca85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Jun 2024 20:17:17 +0200
+Subject: wifi: cfg80211: make hash table duplicates more survivable
+
+From: Johannes Berg
+
+[ Upstream commit 7f12e26a194d0043441f870708093d9c2c3bad7d ]
+
+Jiazi Li reported that they occasionally see hash table duplicates
+as evidenced by the WARN_ON() in rb_insert_bss() in this code. It
+isn't clear how that happens, nor have I been able to reproduce it,
+but if it does happen, the kernel crashes later, when it tries to
+unhash the entry that's now not hashed.
+
+Try to make this situation more survivable by removing the BSS from
+the list(s) as well, that way it's fully leaked here (as had been
+the intent in the hash insert error path), and no longer reachable
+through the list(s) so it shouldn't be unhashed again later.
+
+Link: https://lore.kernel.org/r/20231026013528.GA24122@Jiazi.Li
+Signed-off-by: Johannes Berg
+Link: https://msgid.link/20240607181726.36835-2-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/wireless/scan.c | 46 +++++++++++++++++++++++++++++++++------------
+ 1 file changed, 34 insertions(+), 12 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index c74882e3c309..b28e652514e8 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1003,7 +1003,7 @@ struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy,
+ }
+ EXPORT_SYMBOL(cfg80211_get_bss);
+
+-static void rb_insert_bss(struct cfg80211_registered_device *rdev,
++static bool rb_insert_bss(struct cfg80211_registered_device *rdev,
+ struct cfg80211_internal_bss *bss)
+ {
+ struct rb_node **p = &rdev->bss_tree.rb_node;
+@@ -1019,7 +1019,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev,
+
+ if (WARN_ON(!cmp)) {
+ /* will sort of leak this BSS */
+- return;
++ return false;
+ }
+
+ if (cmp < 0)
+@@ -1030,6 +1030,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev,
+
+ rb_link_node(&bss->rbn, parent, p);
+ rb_insert_color(&bss->rbn, &rdev->bss_tree);
++ return true;
+ }
+
+ static struct cfg80211_internal_bss *
+@@ -1056,6 +1057,34 @@ rb_find_bss(struct cfg80211_registered_device *rdev,
+ return NULL;
+ }
+
++static void cfg80211_insert_bss(struct cfg80211_registered_device *rdev,
++ struct cfg80211_internal_bss *bss)
++{
++ lockdep_assert_held(&rdev->bss_lock);
++
++ if (!rb_insert_bss(rdev, bss))
++ return;
++ list_add_tail(&bss->list, &rdev->bss_list);
++ rdev->bss_entries++;
++}
++
++static void cfg80211_rehash_bss(struct cfg80211_registered_device *rdev,
++ struct cfg80211_internal_bss *bss)
++{
++ lockdep_assert_held(&rdev->bss_lock);
++
++ rb_erase(&bss->rbn, &rdev->bss_tree);
++ if (!rb_insert_bss(rdev, bss)) {
++ list_del(&bss->list);
++ if (!list_empty(&bss->hidden_list))
++ list_del_init(&bss->hidden_list);
++ if (!list_empty(&bss->pub.nontrans_list))
++ list_del_init(&bss->pub.nontrans_list);
++ rdev->bss_entries--;
++ }
++ rdev->bss_generation++;
++}
++
+ static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev,
+ struct cfg80211_internal_bss *new)
+ {
+@@ -1331,9 +1360,7 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
+ bss_ref_get(rdev, pbss);
+ }
+
+- list_add_tail(&new->list, &rdev->bss_list);
+- rdev->bss_entries++;
+- rb_insert_bss(rdev, new);
++ cfg80211_insert_bss(rdev, new);
+ found = new;
+ }
+
+@@ -2142,10 +2169,7 @@ void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev,
+ if (!WARN_ON(!__cfg80211_unlink_bss(rdev, new)))
+ rdev->bss_generation++;
+ }
+-
+- rb_erase(&cbss->rbn, &rdev->bss_tree);
+- rb_insert_bss(rdev, cbss);
+- rdev->bss_generation++;
++ cfg80211_rehash_bss(rdev, cbss);
+
+ list_for_each_entry_safe(nontrans_bss, tmp,
+ &cbss->pub.nontrans_list,
+@@ -2153,9 +2177,7 @@ void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev,
+ bss = container_of(nontrans_bss,
+ struct cfg80211_internal_bss, pub);
+ bss->pub.channel = chan;
+- rb_erase(&bss->rbn, &rdev->bss_tree);
+- rb_insert_bss(rdev, bss);
+- rdev->bss_generation++;
++ cfg80211_rehash_bss(rdev, bss);
+ }
+
+ done:
+--
+2.43.0
+
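Review bot: cfg80211_rehash_bss() and cfg80211_insert_bss() both deliberately leave the BSS allocated but unreachable when rb_insert_bss() reports a duplicate, yet the only explanation is the pre-existing `/* will sort of leak this BSS */` inside rb_insert_bss(); the failure branch of cfg80211_rehash_bss() should carry its own comment, e.g. `/* Duplicate in the tree: unlink from every list too so it is never unhashed again; its reference is intentionally leaked. */`, and cfg80211_insert_bss() a matching one on its early `return;`. In that branch `list_del_init(&bss->pub.nontrans_list)` acts on whatever role the field plays for this BSS; if, as in upstream cfg80211, `nontrans_list` doubles as the head of a transmitting BSS's children, then for a transmitting BSS it detaches all children at once while their back-pointers presumably still reference the leaked entry, and a sentence stating that this is the accepted outcome would help, since the callers in cfg80211_update_assoc_bss_entry (body outside the hunk) cannot observe the failure. cfg80211_insert_bss() likewise returns silently while its caller proceeds to `found = new;` and hands the unhashed entry back with a reference, which matches the "fully leaked" intent but is again undocumented at the call site.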