From: Sasha Levin Date: Sun, 6 Oct 2024 15:11:25 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.6.55~130 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ef796e3728527e338cfe790490e187900dbc7c92;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/acpi-ec-do-not-release-locks-during-operation-region.patch b/queue-5.4/acpi-ec-do-not-release-locks-during-operation-region.patch new file mode 100644 index 00000000000..3fdeb738a12 --- /dev/null +++ b/queue-5.4/acpi-ec-do-not-release-locks-during-operation-region.patch 
@@ -0,0 +1,166 @@ +From 4531e61ac1f4ced10d16d640df0c769276f5fa7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jul 2024 18:26:54 +0200 +Subject: ACPI: EC: Do not release locks during operation region accesses + +From: Rafael J. Wysocki + +[ Upstream commit dc171114926ec390ab90f46534545420ec03e458 ] + +It is not particularly useful to release locks (the EC mutex and the +ACPI global lock, if present) and re-acquire them immediately thereafter +during EC address space accesses in acpi_ec_space_handler(). + +First, releasing them for a while before grabbing them again does not +really help anyone because there may not be enough time for another +thread to acquire them. + +Second, if another thread successfully acquires them and carries out +a new EC write or read in the middle if an operation region access in +progress, it may confuse the EC firmware, especially after the burst +mode has been enabled. + +Finally, manipulating the locks after writing or reading every single +byte of data is overhead that it is better to avoid. + +Accordingly, modify the code to carry out EC address space accesses +entirely without releasing the locks. + +Signed-off-by: Rafael J. 
Wysocki +Reviewed-by: Hans de Goede +Link: https://patch.msgid.link/12473338.O9o76ZdvQC@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 55 +++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 49 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 142578451e381..e8370732a7fa1 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -790,6 +790,9 @@ static int acpi_ec_transaction_unlocked(struct acpi_ec *ec, + unsigned long tmp; + int ret = 0; + ++ if (t->rdata) ++ memset(t->rdata, 0, t->rlen); ++ + /* start transaction */ + spin_lock_irqsave(&ec->lock, tmp); + /* Enable GPE for command processing (IBF=0/OBF=1) */ +@@ -826,8 +829,6 @@ static int acpi_ec_transaction(struct acpi_ec *ec, struct transaction *t) + + if (!ec || (!t) || (t->wlen && !t->wdata) || (t->rlen && !t->rdata)) + return -EINVAL; +- if (t->rdata) +- memset(t->rdata, 0, t->rlen); + + mutex_lock(&ec->mutex); + if (ec->global_lock) { +@@ -854,7 +855,7 @@ static int acpi_ec_burst_enable(struct acpi_ec *ec) + .wdata = NULL, .rdata = &d, + .wlen = 0, .rlen = 1}; + +- return acpi_ec_transaction(ec, &t); ++ return acpi_ec_transaction_unlocked(ec, &t); + } + + static int acpi_ec_burst_disable(struct acpi_ec *ec) +@@ -864,7 +865,7 @@ static int acpi_ec_burst_disable(struct acpi_ec *ec) + .wlen = 0, .rlen = 0}; + + return (acpi_ec_read_status(ec) & ACPI_EC_FLAG_BURST) ? 
+- acpi_ec_transaction(ec, &t) : 0; ++ acpi_ec_transaction_unlocked(ec, &t) : 0; + } + + static int acpi_ec_read(struct acpi_ec *ec, u8 address, u8 *data) +@@ -880,6 +881,19 @@ static int acpi_ec_read(struct acpi_ec *ec, u8 address, u8 *data) + return result; + } + ++static int acpi_ec_read_unlocked(struct acpi_ec *ec, u8 address, u8 *data) ++{ ++ int result; ++ u8 d; ++ struct transaction t = {.command = ACPI_EC_COMMAND_READ, ++ .wdata = &address, .rdata = &d, ++ .wlen = 1, .rlen = 1}; ++ ++ result = acpi_ec_transaction_unlocked(ec, &t); ++ *data = d; ++ return result; ++} ++ + static int acpi_ec_write(struct acpi_ec *ec, u8 address, u8 data) + { + u8 wdata[2] = { address, data }; +@@ -890,6 +904,16 @@ static int acpi_ec_write(struct acpi_ec *ec, u8 address, u8 data) + return acpi_ec_transaction(ec, &t); + } + ++static int acpi_ec_write_unlocked(struct acpi_ec *ec, u8 address, u8 data) ++{ ++ u8 wdata[2] = { address, data }; ++ struct transaction t = {.command = ACPI_EC_COMMAND_WRITE, ++ .wdata = wdata, .rdata = NULL, ++ .wlen = 2, .rlen = 0}; ++ ++ return acpi_ec_transaction_unlocked(ec, &t); ++} ++ + int ec_read(u8 addr, u8 *val) + { + int err; +@@ -1300,6 +1324,7 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, + struct acpi_ec *ec = handler_context; + int result = 0, i, bytes = bits / 8; + u8 *value = (u8 *)value64; ++ u32 glk; + + if ((address > 0xFF) || !value || !handler_context) + return AE_BAD_PARAMETER; +@@ -1307,13 +1332,25 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, + if (function != ACPI_READ && function != ACPI_WRITE) + return AE_BAD_PARAMETER; + ++ mutex_lock(&ec->mutex); ++ ++ if (ec->global_lock) { ++ acpi_status status; ++ ++ status = acpi_acquire_global_lock(ACPI_EC_UDELAY_GLK, &glk); ++ if (ACPI_FAILURE(status)) { ++ result = -ENODEV; ++ goto unlock; ++ } ++ } ++ + if (ec->busy_polling || bits > 8) + acpi_ec_burst_enable(ec); + + for (i = 0; i < bytes; ++i, ++address, ++value) { + result = 
(function == ACPI_READ) ? +- acpi_ec_read(ec, address, value) : +- acpi_ec_write(ec, address, *value); ++ acpi_ec_read_unlocked(ec, address, value) : ++ acpi_ec_write_unlocked(ec, address, *value); + if (result < 0) + break; + } +@@ -1321,6 +1358,12 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, + if (ec->busy_polling || bits > 8) + acpi_ec_burst_disable(ec); + ++ if (ec->global_lock) ++ acpi_release_global_lock(glk); ++ ++unlock: ++ mutex_unlock(&ec->mutex); ++ + switch (result) { + case -EINVAL: + return AE_BAD_PARAMETER; +-- +2.43.0 + diff --git a/queue-5.4/acpica-check-null-return-of-acpi_allocate_zeroed-in-.patch b/queue-5.4/acpica-check-null-return-of-acpi_allocate_zeroed-in-.patch new file mode 100644 index 00000000000..ec7c209615f --- /dev/null +++ b/queue-5.4/acpica-check-null-return-of-acpi_allocate_zeroed-in-.patch 
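Review bot: The new acpi_ec_read_unlocked()/acpi_ec_write_unlocked() helpers, and acpi_ec_burst_enable()/acpi_ec_burst_disable() which now call acpi_ec_transaction_unlocked(), state nowhere that the caller must already hold ec->mutex (and the global lock when ec->global_lock is set), so a future caller can invoke them unlocked with no warning. A `lockdep_assert_held(&ec->mutex);` at the top of acpi_ec_transaction_unlocked(), plus a one-line comment `/* Caller must hold ec->mutex and, if ec->global_lock, the ACPI global lock. */` on each _unlocked helper, would make the contract both documented and checkable. Whether the burst helpers have callers outside acpi_ec_space_handler() that do not hold the mutex cannot be told from this hunk, and the `switch (result)` in acpi_ec_space_handler() that must now map the locally produced -ENODEV continues outside it.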
@@ -0,0 +1,41 @@
+From 66098a1b0a2fe9c91d928b0e00a99199e32fae47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Jul 2024 14:05:48 +0800
+Subject: ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in
+ acpi_db_convert_to_package()
+
+From: Pei Xiao
+
+[ Upstream commit a5242874488eba2b9062985bf13743c029821330 ]
+
+ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0
+
+ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause
+NULL pointer dereference later.
+
+Link: https://github.com/acpica/acpica/commit/4d4547cf
+Signed-off-by: Pei Xiao
+Link: https://patch.msgid.link/tencent_4A21A2865B8B0A0D12CAEBEB84708EDDB505@qq.com
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/acpica/dbconvert.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/acpi/acpica/dbconvert.c b/drivers/acpi/acpica/dbconvert.c
+index 9fd9a98a9cbe8..5255a0837c82b 100644
+--- a/drivers/acpi/acpica/dbconvert.c
++++ b/drivers/acpi/acpica/dbconvert.c
+@@ -170,6 +170,8 @@ acpi_status acpi_db_convert_to_package(char *string, union acpi_object *object)
+ elements =
+ ACPI_ALLOCATE_ZEROED(DB_DEFAULT_PKG_ELEMENTS *
+ sizeof(union acpi_object));
++ if (!elements)
++ return (AE_NO_MEMORY);
+ 
+ this = string;
+ for (i = 0; i < (DB_DEFAULT_PKG_ELEMENTS - 1); i++) {
+-- 
+2.43.0
+
diff --git a/queue-5.4/acpica-fix-memory-leak-if-acpi_ps_get_next_field-fai.patch b/queue-5.4/acpica-fix-memory-leak-if-acpi_ps_get_next_field-fai.patch
new file mode 100644
index 00000000000..eaca7da046a
--- /dev/null
+++ b/queue-5.4/acpica-fix-memory-leak-if-acpi_ps_get_next_field-fai.patch
@@ -0,0 +1,90 @@ +From 2346f97930d59ecc45d6c7ecef76143509c42284 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Apr 2024 21:50:33 +0200 +Subject: ACPICA: Fix memory leak if acpi_ps_get_next_field() fails + +From: Armin Wolf + +[ Upstream commit e6169a8ffee8a012badd8c703716e761ce851b15 ] + +ACPICA commit 1280045754264841b119a5ede96cd005bc09b5a7 + +If acpi_ps_get_next_field() fails, the previously created field list +needs to be properly disposed before returning the status code. + +Link: https://github.com/acpica/acpica/commit/12800457 +Signed-off-by: Armin Wolf +[ rjw: Rename local variable to avoid compiler confusion ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/psargs.c | 39 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c +index 78afbfc762d36..756152b5fb4a2 100644 +--- a/drivers/acpi/acpica/psargs.c ++++ b/drivers/acpi/acpica/psargs.c +@@ -25,6 +25,8 @@ acpi_ps_get_next_package_length(struct acpi_parse_state *parser_state); + static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state + *parser_state); + ++static void acpi_ps_free_field_list(union acpi_parse_object *start); ++ + /******************************************************************************* + * + * FUNCTION: acpi_ps_get_next_package_length +@@ -683,6 +685,39 @@ static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state + return_PTR(field); + } + ++/******************************************************************************* ++ * ++ * FUNCTION: acpi_ps_free_field_list ++ * ++ * PARAMETERS: start - First Op in field list ++ * ++ * RETURN: None. ++ * ++ * DESCRIPTION: Free all Op objects inside a field list. 
++ * ++ ******************************************************************************/ ++ ++static void acpi_ps_free_field_list(union acpi_parse_object *start) ++{ ++ union acpi_parse_object *cur = start; ++ union acpi_parse_object *next; ++ union acpi_parse_object *arg; ++ ++ while (cur) { ++ next = cur->common.next; ++ ++ /* AML_INT_CONNECTION_OP can have a single argument */ ++ ++ arg = acpi_ps_get_arg(cur, 0); ++ if (arg) { ++ acpi_ps_free_op(arg); ++ } ++ ++ acpi_ps_free_op(cur); ++ cur = next; ++ } ++} ++ + /******************************************************************************* + * + * FUNCTION: acpi_ps_get_next_arg +@@ -751,6 +786,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state, + while (parser_state->aml < parser_state->pkg_end) { + field = acpi_ps_get_next_field(parser_state); + if (!field) { ++ if (arg) { ++ acpi_ps_free_field_list(arg); ++ } ++ + return_ACPI_STATUS(AE_NO_MEMORY); + } + +-- +2.43.0 + diff --git a/queue-5.4/acpica-fix-memory-leak-if-acpi_ps_get_next_namepath-.patch b/queue-5.4/acpica-fix-memory-leak-if-acpi_ps_get_next_namepath-.patch new file mode 100644 index 00000000000..90e7846f3b9 --- /dev/null +++ b/queue-5.4/acpica-fix-memory-leak-if-acpi_ps_get_next_namepath-.patch 
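Review bot: acpi_ps_free_field_list() frees only argument 0 of each Op, relying on the inline comment that AML_INT_CONNECTION_OP carries a single argument; if any Op that can appear in a field list ever carries more than one, the remaining arguments leak on exactly the error path this patch is meant to clean up. Walking the Op's argument chain until acpi_ps_get_arg() returns NULL, or pinning the assumption with `/* Field-list Ops carry at most one argument; anything beyond index 0 would leak here */`, would make the helper robust to that. Whether the list structure ever permits a second argument cannot be told from this hunk, and the enclosing acpi_ps_get_next_arg() loop starts and ends outside it.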
@@ -0,0 +1,55 @@ +From 1226635a4a1baa6f093756bb47d57e90d23162ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 20:50:11 +0200 +Subject: ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails + +From: Armin Wolf + +[ Upstream commit 5accb265f7a1b23e52b0ec42313d1e12895552f4 ] + +ACPICA commit 2802af722bbde7bf1a7ac68df68e179e2555d361 + +If acpi_ps_get_next_namepath() fails, the previously allocated +union acpi_parse_object needs to be freed before returning the +status code. + +The issue was first being reported on the Linux ACPI mailing list: + +Link: https://lore.kernel.org/linux-acpi/56f94776-484f-48c0-8855-dba8e6a7793b@yandex.ru/T/ +Link: https://github.com/acpica/acpica/commit/2802af72 +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/psargs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c +index e62c7897fdf18..78afbfc762d36 100644 +--- a/drivers/acpi/acpica/psargs.c ++++ b/drivers/acpi/acpica/psargs.c +@@ -820,6 +820,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state, + acpi_ps_get_next_namepath(walk_state, parser_state, + arg, + ACPI_NOT_METHOD_CALL); ++ if (ACPI_FAILURE(status)) { ++ acpi_ps_free_op(arg); ++ return_ACPI_STATUS(status); ++ } + } else { + /* Single complex argument, nothing returned */ + +@@ -854,6 +858,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state, + acpi_ps_get_next_namepath(walk_state, parser_state, + arg, + ACPI_POSSIBLE_METHOD_CALL); ++ if (ACPI_FAILURE(status)) { ++ acpi_ps_free_op(arg); ++ return_ACPI_STATUS(status); ++ } + + if (arg->common.aml_opcode == AML_INT_METHODCALL_OP) { + +-- +2.43.0 + diff --git a/queue-5.4/acpica-iasl-handle-empty-connection_node.patch b/queue-5.4/acpica-iasl-handle-empty-connection_node.patch new file mode 100644 index 00000000000..50acf6a453e --- /dev/null 
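Review bot: Both new failure paths free `arg` and return immediately, but the out-parameter that acpi_ps_get_next_arg() normally assigns at its end is left untouched, so a caller that reads it after an error could see an uninitialised or stale pointer. The function's tail and its callers lie outside the hunk, so this needs confirming there; if the out-parameter is not already NULL-initialised by every caller, adding `*return_arg = NULL;` before each `return_ACPI_STATUS(status);` would close the gap. The two added blocks are identical; a short comment on the first, `/* acpi_ps_alloc_op() result is ours until handed back; free it on failure */`, would explain the ownership for both.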
+++ b/queue-5.4/acpica-iasl-handle-empty-connection_node.patch
@@ -0,0 +1,36 @@
+From 40384258bfcc4b0fd941e7ae710676f8a919b950 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 11 Aug 2024 23:33:44 +0200
+Subject: ACPICA: iasl: handle empty connection_node
+
+From: Aleksandrs Vinarskis
+
+[ Upstream commit a0a2459b79414584af6c46dd8c6f866d8f1aa421 ]
+
+ACPICA commit 6c551e2c9487067d4b085333e7fe97e965a11625
+
+Link: https://github.com/acpica/acpica/commit/6c551e2c
+Signed-off-by: Aleksandrs Vinarskis
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/acpica/exprep.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/acpica/exprep.c b/drivers/acpi/acpica/exprep.c
+index 85f799c9c25c4..512a15d77d75f 100644
+--- a/drivers/acpi/acpica/exprep.c
++++ b/drivers/acpi/acpica/exprep.c
+@@ -437,6 +437,9 @@ acpi_status acpi_ex_prep_field_value(struct acpi_create_field_info *info)
+ 
+ if (info->connection_node) {
+ second_desc = info->connection_node->object;
++ if (second_desc == NULL) {
++ break;
++ }
+ if (!(second_desc->common.flags & AOPOBJ_DATA_VALID)) {
+ status =
+ acpi_ds_get_buffer_arguments(second_desc);
+-- 
+2.43.0
+
diff --git a/queue-5.4/alsa-asihpi-fix-potential-oob-array-access.patch b/queue-5.4/alsa-asihpi-fix-potential-oob-array-access.patch
new file mode 100644
index 00000000000..da76c2664ac
--- /dev/null
+++ b/queue-5.4/alsa-asihpi-fix-potential-oob-array-access.patch
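Review bot: The new `break` in acpi_ex_prep_field_value() silently abandons the connection setup when info->connection_node has no object, so a malformed or not-yet-evaluated Connection() becomes indistinguishable from a field that legitimately has none. Whether this `break` leaves a `switch` case or a loop cannot be told from the hunk; in either case an `ACPI_ERROR((AE_INFO, "Connection node has no object"))`, or at least a debug print, before it would keep the condition observable. The commit message also gives no rationale; one sentence on when connection_node->object can be NULL would help the next reader of this branch.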
@@ -0,0 +1,39 @@
+From a69a7c964ac3b65b340c63e9d7b99e80a9c7de2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Aug 2024 11:14:42 +0200
+Subject: ALSA: asihpi: Fix potential OOB array access
+
+From: Takashi Iwai
+
+[ Upstream commit 7b986c7430a6bb68d523dac7bfc74cbd5b44ef96 ]
+
+ASIHPI driver stores some values in the static array upon a response
+from the driver, and its index depends on the firmware. We shouldn't
+trust it blindly.
+
+This patch adds a sanity check of the array index to fit in the array
+size.
+
+Link: https://patch.msgid.link/20240808091454.30846-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/asihpi/hpimsgx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c
+index 5fb0b98bec304..b9eb597b0278a 100644
+--- a/sound/pci/asihpi/hpimsgx.c
++++ b/sound/pci/asihpi/hpimsgx.c
+@@ -713,7 +713,7 @@ static u16 HPIMSGX__init(struct hpi_message *phm,
+ phr->error = HPI_ERROR_PROCESSING_MESSAGE;
+ return phr->error;
+ }
+- if (hr.error == 0) {
++ if (hr.error == 0 && hr.u.s.adapter_index < HPI_MAX_ADAPTERS) {
+ /* the adapter was created successfully
+ save the mapping for future use */
+ hpi_entry_points[hr.u.s.adapter_index] = entry_point_func;
+-- 
+2.43.0
+
diff --git a/queue-5.4/alsa-hdsp-break-infinite-midi-input-flush-loop.patch b/queue-5.4/alsa-hdsp-break-infinite-midi-input-flush-loop.patch
new file mode 100644
index 00000000000..8169e6dec8a
--- /dev/null
+++ b/queue-5.4/alsa-hdsp-break-infinite-midi-input-flush-loop.patch
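Review bot: When the firmware-supplied hr.u.s.adapter_index is out of range, the widened condition in HPIMSGX__init() merely skips saving the entry point and lets the function carry on as though the adapter were created, so the mapping is lost without any error or log. Failing closed in the same style as the check a few lines above seems safer: `if (hr.error == 0 && hr.u.s.adapter_index >= HPI_MAX_ADAPTERS) { phr->error = HPI_ERROR_PROCESSING_MESSAGE; return phr->error; }` placed before the existing `if (hr.error == 0)`. The rest of HPIMSGX__init() is outside the hunk, so whether a later statement already reports the dropped mapping needs checking there; if adapter_index is a signed type the comparison would also need a lower bound.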
@@ -0,0 +1,60 @@ +From e5ea36444ffd248be8821d41571725a965c68a9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Aug 2024 11:15:12 +0200 +Subject: ALSA: hdsp: Break infinite MIDI input flush loop + +From: Takashi Iwai + +[ Upstream commit c01f3815453e2d5f699ccd8c8c1f93a5b8669e59 ] + +The current MIDI input flush on HDSP and HDSPM drivers relies on the +hardware reporting the right value. If the hardware doesn't give the +proper value but returns -1, it may be stuck at an infinite loop. + +Add a counter and break if the loop is unexpectedly too long. + +Link: https://patch.msgid.link/20240808091513.31380-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/rme9652/hdsp.c | 6 ++++-- + sound/pci/rme9652/hdspm.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c +index c7b3e76ea2d26..87ada0c01f84d 100644 +--- a/sound/pci/rme9652/hdsp.c ++++ b/sound/pci/rme9652/hdsp.c +@@ -1308,8 +1308,10 @@ static int snd_hdsp_midi_output_possible (struct hdsp *hdsp, int id) + + static void snd_hdsp_flush_midi_input (struct hdsp *hdsp, int id) + { +- while (snd_hdsp_midi_input_available (hdsp, id)) +- snd_hdsp_midi_read_byte (hdsp, id); ++ int count = 256; ++ ++ while (snd_hdsp_midi_input_available(hdsp, id) && --count) ++ snd_hdsp_midi_read_byte(hdsp, id); + } + + static int snd_hdsp_midi_output_write (struct hdsp_midi *hmidi) +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c +index e34f07c9ff470..f5c7a214e17bc 100644 +--- a/sound/pci/rme9652/hdspm.c ++++ b/sound/pci/rme9652/hdspm.c +@@ -1835,8 +1835,10 @@ static inline int snd_hdspm_midi_output_possible (struct hdspm *hdspm, int id) + + static void snd_hdspm_flush_midi_input(struct hdspm *hdspm, int id) + { +- while (snd_hdspm_midi_input_available (hdspm, id)) +- snd_hdspm_midi_read_byte (hdspm, id); ++ int count = 256; ++ ++ while (snd_hdspm_midi_input_available(hdspm, id) && --count) ++ 
snd_hdspm_midi_read_byte(hdspm, id); + } + + static int snd_hdspm_midi_output_write (struct hdspm_midi *hmidi) +-- +2.43.0 + diff --git a/queue-5.4/ata-sata_sil-rename-sil_blacklist-to-sil_quirks.patch b/queue-5.4/ata-sata_sil-rename-sil_blacklist-to-sil_quirks.patch new file mode 100644 index 00000000000..2a8f716909a --- /dev/null +++ b/queue-5.4/ata-sata_sil-rename-sil_blacklist-to-sil_quirks.patch 
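Review bot: In both snd_hdsp_flush_midi_input() and snd_hdspm_flush_midi_input(), `--count` in the loop condition reaches zero on the 256th test, so at most 255 bytes are flushed rather than the 256 the initialiser suggests; if 256 is intended, `count--` gives that, otherwise a comment should say the bound is approximate. The bare literal 256 is also duplicated across the two drivers with no name or rationale; a per-file `#define` (for example `HDSP_MIDI_FLUSH_MAX 256`, a constructed name) and a comment `/* bound the drain: a card reporting -1 for "available" would otherwise spin forever */` would record why the cap exists. Whether any caller relies on the FIFO being fully drained after this call cannot be told from the hunk.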
@@ -0,0 +1,61 @@ +From 36aa75e00e239b8955160a4a308f2eccb678c86a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 11:14:11 +0900 +Subject: ata: sata_sil: Rename sil_blacklist to sil_quirks + +From: Damien Le Moal + +[ Upstream commit 93b0f9e11ce511353c65b7f924cf5f95bd9c3aba ] + +Rename the array sil_blacklist to sil_quirks as this name is more +neutral and is also consistent with how this driver define quirks with +the SIL_QUIRK_XXX flags. + +Signed-off-by: Damien Le Moal +Reviewed-by: Niklas Cassel +Reviewed-by: Igor Pylypiv +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_sil.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/ata/sata_sil.c b/drivers/ata/sata_sil.c +index 75321f1ceba52..fc438c4518fb7 100644 +--- a/drivers/ata/sata_sil.c ++++ b/drivers/ata/sata_sil.c +@@ -128,7 +128,7 @@ static const struct pci_device_id sil_pci_tbl[] = { + static const struct sil_drivelist { + const char *product; + unsigned int quirk; +-} sil_blacklist [] = { ++} sil_quirks[] = { + { "ST320012AS", SIL_QUIRK_MOD15WRITE }, + { "ST330013AS", SIL_QUIRK_MOD15WRITE }, + { "ST340017AS", SIL_QUIRK_MOD15WRITE }, +@@ -601,8 +601,8 @@ static void sil_thaw(struct ata_port *ap) + * list, and apply the fixups to only the specific + * devices/hosts/firmwares that need it. + * +- * 20040111 - Seagate drives affected by the Mod15Write bug are blacklisted +- * The Maxtor quirk is in the blacklist, but I'm keeping the original ++ * 20040111 - Seagate drives affected by the Mod15Write bug are quirked ++ * The Maxtor quirk is in sil_quirks, but I'm keeping the original + * pessimistic fix for the following reasons... + * - There seems to be less info on it, only one device gleaned off the + * Windows driver, maybe only one is affected. 
More info would be greatly +@@ -621,9 +621,9 @@ static void sil_dev_config(struct ata_device *dev) + + ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num)); + +- for (n = 0; sil_blacklist[n].product; n++) +- if (!strcmp(sil_blacklist[n].product, model_num)) { +- quirks = sil_blacklist[n].quirk; ++ for (n = 0; sil_quirks[n].product; n++) ++ if (!strcmp(sil_quirks[n].product, model_num)) { ++ quirks = sil_quirks[n].quirk; + break; + } + +-- +2.43.0 + diff --git a/queue-5.4/cgroup-disallow-mounting-v1-hierarchies-without-cont.patch b/queue-5.4/cgroup-disallow-mounting-v1-hierarchies-without-cont.patch new file mode 100644 index 00000000000..fd878e2fa3b --- /dev/null +++ b/queue-5.4/cgroup-disallow-mounting-v1-hierarchies-without-cont.patch 
@@ -0,0 +1,71 @@ +From f699419da0a29505961b03d8b99acfee53672d60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 18:32:22 +0200 +Subject: cgroup: Disallow mounting v1 hierarchies without controller + implementation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Koutný + +[ Upstream commit 3c41382e920f1dd5c9f432948fe799c07af1cced ] + +The configs that disable some v1 controllers would still allow mounting +them but with no controller-specific files. (Making such hierarchies +equivalent to named v1 hierarchies.) To achieve behavior consistent with +actual out-compilation of a whole controller, the mounts should treat +respective controllers as non-existent. + +Wrap implementation into a helper function, leverage legacy_files to +detect compiled out controllers. The effect is that mounts on v1 would +fail and produce a message like: + [ 1543.999081] cgroup: Unknown subsys name 'memory' + +Signed-off-by: Michal Koutný +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup-v1.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c +index 6fcabeacb7d87..489cd784dc939 100644 +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -52,6 +52,12 @@ bool cgroup1_ssid_disabled(int ssid) + return cgroup_no_v1_mask & (1 << ssid); + } + ++static bool cgroup1_subsys_absent(struct cgroup_subsys *ss) ++{ ++ /* Check also dfl_cftypes for file-less controllers, i.e. 
perf_event */ ++ return ss->legacy_cftypes == NULL && ss->dfl_cftypes; ++} ++ + /** + * cgroup_attach_task_all - attach task 'tsk' to all cgroups of task 'from' + * @from: attach to all cgroups of a given task +@@ -941,7 +947,8 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param) + return 0; + } + for_each_subsys(ss, i) { +- if (strcmp(param->key, ss->legacy_name)) ++ if (strcmp(param->key, ss->legacy_name) || ++ cgroup1_subsys_absent(ss)) + continue; + if (!cgroup_ssid_enabled(i) || cgroup1_ssid_disabled(i)) + return invalf(fc, "Disabled controller '%s'", +@@ -1027,7 +1034,8 @@ static int check_cgroupfs_options(struct fs_context *fc) + mask = ~((u16)1 << cpuset_cgrp_id); + #endif + for_each_subsys(ss, i) +- if (cgroup_ssid_enabled(i) && !cgroup1_ssid_disabled(i)) ++ if (cgroup_ssid_enabled(i) && !cgroup1_ssid_disabled(i) && ++ !cgroup1_subsys_absent(ss)) + enabled |= 1 << i; + + ctx->subsys_mask &= enabled; +-- +2.43.0 + diff --git a/queue-5.4/drm-amd-display-check-stream-before-comparing-them.patch b/queue-5.4/drm-amd-display-check-stream-before-comparing-them.patch new file mode 100644 index 00000000000..5caac22f940 --- /dev/null +++ b/queue-5.4/drm-amd-display-check-stream-before-comparing-them.patch 
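Review bot: cgroup1_subsys_absent() returns `ss->legacy_cftypes == NULL && ss->dfl_cftypes`, mixing an explicit NULL comparison with a bare pointer used as a boolean; writing the second operand as `ss->dfl_cftypes != NULL` makes the "has v2 files but no v1 files" test read uniformly. The helper would also benefit from a short kernel-doc comment, e.g. `/* True when the controller is compiled out of v1: it has v2 files but no v1 files. A file-less controller such as perf_event has neither and is not absent. */`. The user-visible consequence described in the commit message, that mounting such a controller now fails with "Unknown subsys name" rather than "Disabled controller", is a deliberate choice worth a one-line comment at the `continue` in cgroup1_parse_param().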
@@ -0,0 +1,41 @@
+From 543ec5cb46ab4bc44add92fdd24aa5503b1be23d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Jun 2024 20:05:14 -0600
+Subject: drm/amd/display: Check stream before comparing them
+
+From: Alex Hung
+
+[ Upstream commit 35ff747c86767937ee1e0ca987545b7eed7a0810 ]
+
+[WHAT & HOW]
+amdgpu_dm can pass a null stream to dc_is_stream_unchanged. It is
+necessary to check for null before dereferencing them.
+
+This fixes 1 FORWARD_NULL issue reported by Coverity.
+
+Reviewed-by: Rodrigo Siqueira
+Signed-off-by: Jerry Zuo
+Signed-off-by: Alex Hung
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+index 2f56684780eb5..b498f2f485820 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+@@ -1542,6 +1542,8 @@ static bool are_stream_backends_same(
+ bool dc_is_stream_unchanged(
+ struct dc_stream_state *old_stream, struct dc_stream_state *stream)
+ {
++ if (!old_stream || !stream)
++ return false;
+ 
+ if (!are_stream_backends_same(old_stream, stream))
+ return false;
+-- 
+2.43.0
+
diff --git a/queue-5.4/drm-amd-display-fix-index-out-of-bounds-in-degamma-h.patch b/queue-5.4/drm-amd-display-fix-index-out-of-bounds-in-degamma-h.patch
new file mode 100644
index 00000000000..8473af822a8
--- /dev/null
+++ b/queue-5.4/drm-amd-display-fix-index-out-of-bounds-in-degamma-h.patch
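Review bot: The NULL guard added to dc_is_stream_unchanged() is inserted above the function's original leading blank line, leaving that blank stranded between `return false;` and the next check; dropping it keeps the guard attached to the opening brace. The contract change is also undocumented: a NULL on either side now counts as "changed", which is the conservative choice, but a one-line comment `/* A missing stream on either side is treated as a change, never as unchanged */` would stop a later reader from "fixing" it to return true when both are NULL. Whether other callers of are_stream_backends_same() need the same guard lies outside the hunk.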
@@ -0,0 +1,55 @@ +From 76c24aca02e2c42a5c47a034c4af7cb26d2dddf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Jul 2024 17:48:27 +0530 +Subject: drm/amd/display: Fix index out of bounds in degamma hardware format + translation + +From: Srinivasan Shanmugam + +[ Upstream commit b7e99058eb2e86aabd7a10761e76cae33d22b49f ] + +Fixes index out of bounds issue in +`cm_helper_translate_curve_to_degamma_hw_format` function. The issue +could occur when the index 'i' exceeds the number of transfer function +points (TRANSFER_FUNC_POINTS). + +The fix adds a check to ensure 'i' is within bounds before accessing the +transfer function points. If 'i' is out of bounds the function returns +false to indicate an error. + +Reported by smatch: +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max + +Cc: Tom Chung +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Cc: Hamza Mahfooz +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +index f1b1bc8da175b..9a053feff0e2d 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +@@ -551,6 +551,8 @@ bool 
cm_helper_translate_curve_to_degamma_hw_format( + i += increment) { + if (j == hw_points - 1) + break; ++ if (i >= TRANSFER_FUNC_POINTS) ++ return false; + rgb_resulted[j].red = output_tf->tf_pts.red[i]; + rgb_resulted[j].green = output_tf->tf_pts.green[i]; + rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; +-- +2.43.0 + diff --git a/queue-5.4/drm-amd-display-initialize-get_bytes_per_element-s-d.patch b/queue-5.4/drm-amd-display-initialize-get_bytes_per_element-s-d.patch new file mode 100644 index 00000000000..9e14931757c --- /dev/null +++ b/queue-5.4/drm-amd-display-initialize-get_bytes_per_element-s-d.patch 
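Review bot: The new `if (i >= TRANSFER_FUNC_POINTS) return false;` in cm_helper_translate_curve_to_degamma_hw_format() exits mid-loop with rgb_resulted only partially filled and no diagnostic, so a caller that ignores the bool gets a truncated curve and nobody learns why. Since reaching this branch indicates a sizing bug on the caller's side rather than an expected input, a `BREAK_TO_DEBUGGER();` or a DC_LOG warning before the return would keep the smatch-reported condition observable in the field. Whether callers check the return value, and how `i` and `increment` are bounded, cannot be told from the hunk; the loop and function continue outside it.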
@@ -0,0 +1,55 @@ +From af1a24cbd567410405e76b73419294ef4b1dc558 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jul 2024 09:57:01 -0600 +Subject: drm/amd/display: Initialize get_bytes_per_element's default to 1 + +From: Alex Hung + +[ Upstream commit 4067f4fa0423a89fb19a30b57231b384d77d2610 ] + +Variables, used as denominators and maybe not assigned to other values, +should not be 0. bytes_per_element_y & bytes_per_element_c are +initialized by get_bytes_per_element() which should never return 0. + +This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity. + +Signed-off-by: Alex Hung +Reviewed-by: Aurabindo Pillai +Tested-by: Daniel Wheeler +Signed-off-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 +- + .../gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c +index ed8bf5f723c93..3278a3f46296b 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c +@@ -78,7 +78,7 @@ static void calculate_ttu_cursor(struct display_mode_lib *mode_lib, + + static unsigned int get_bytes_per_element(enum source_format_class source_format, bool is_chroma) + { +- unsigned int ret_val = 0; ++ unsigned int ret_val = 1; + + if (source_format == dm_444_16) { + if (!is_chroma) +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c b/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c +index a1f207cbb9668..a52cee502a26e 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c +@@ -54,7 +54,7 @@ static void calculate_ttu_cursor( + + 
static unsigned int get_bytes_per_element(enum source_format_class source_format, bool is_chroma) + { +- unsigned int ret_val = 0; ++ unsigned int ret_val = 1; + + if (source_format == dm_444_16) { + if (!is_chroma) +-- +2.43.0 + diff --git a/queue-5.4/drm-printer-allow-null-data-in-devcoredump-printer.patch b/queue-5.4/drm-printer-allow-null-data-in-devcoredump-printer.patch new file mode 100644 index 00000000000..4126c0c7a75 --- /dev/null +++ b/queue-5.4/drm-printer-allow-null-data-in-devcoredump-printer.patch 
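Review bot: Defaulting ret_val to 1 in both get_bytes_per_element() copies removes the divide-by-zero but also removes the only signal that an unrecognised source_format reached the function; an unknown format now silently computes as one byte per element. Whether the if-chain ends in an else that covers every enum value is outside the hunk; if it does not, an `ASSERT(0)` or a log on the fall-through path would keep the diagnostic while the non-zero default prevents the crash. A brief comment on the initialiser, `/* never 0: callers use this value as a divisor */`, would record why the default matters.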
@@ -0,0 +1,144 @@ +From 5c203548c3cef0ea2c55f9c875ed2be1bfdf879f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 08:41:17 -0700 +Subject: drm/printer: Allow NULL data in devcoredump printer + +From: Matthew Brost + +[ Upstream commit 53369581dc0c68a5700ed51e1660f44c4b2bb524 ] + +We want to determine the size of the devcoredump before writing it out. +To that end, we will run the devcoredump printer with NULL data to get +the size, alloc data based on the generated offset, then run the +devcorecump again with a valid data pointer to print. This necessitates +not writing data to the data pointer on the initial pass, when it is +NULL. + +v5: + - Better commit message (Jonathan) + - Add kerenl doc with examples (Jani) + +Cc: Maarten Lankhorst +Acked-by: Maarten Lankhorst +Signed-off-by: Matthew Brost +Reviewed-by: Jonathan Cavitt +Link: https://patchwork.freedesktop.org/patch/msgid/20240801154118.2547543-3-matthew.brost@intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_print.c | 13 +++++---- + include/drm/drm_print.h | 54 ++++++++++++++++++++++++++++++++++++- + 2 files changed, 61 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/drm_print.c b/drivers/gpu/drm/drm_print.c +index a17c8a14dba4f..898a08b481ed5 100644 +--- a/drivers/gpu/drm/drm_print.c ++++ b/drivers/gpu/drm/drm_print.c +@@ -59,8 +59,9 @@ void __drm_puts_coredump(struct drm_printer *p, const char *str) + copy = iterator->remain; + + /* Copy out the bit of the string that we need */ +- memcpy(iterator->data, +- str + (iterator->start - iterator->offset), copy); ++ if (iterator->data) ++ memcpy(iterator->data, ++ str + (iterator->start - iterator->offset), copy); + + iterator->offset = iterator->start + copy; + iterator->remain -= copy; +@@ -69,7 +70,8 @@ void __drm_puts_coredump(struct drm_printer *p, const char *str) + + len = min_t(ssize_t, strlen(str), iterator->remain); + +- memcpy(iterator->data + pos, str, len); ++ if (iterator->data) ++ 
memcpy(iterator->data + pos, str, len); + + iterator->offset += len; + iterator->remain -= len; +@@ -99,8 +101,9 @@ void __drm_printfn_coredump(struct drm_printer *p, struct va_format *vaf) + if ((iterator->offset >= iterator->start) && (len < iterator->remain)) { + ssize_t pos = iterator->offset - iterator->start; + +- snprintf(((char *) iterator->data) + pos, +- iterator->remain, "%pV", vaf); ++ if (iterator->data) ++ snprintf(((char *) iterator->data) + pos, ++ iterator->remain, "%pV", vaf); + + iterator->offset += len; + iterator->remain -= len; +diff --git a/include/drm/drm_print.h b/include/drm/drm_print.h +index a5d6f2f3e430f..a9447c2d650f3 100644 +--- a/include/drm/drm_print.h ++++ b/include/drm/drm_print.h +@@ -115,7 +115,8 @@ drm_vprintf(struct drm_printer *p, const char *fmt, va_list *va) + + /** + * struct drm_print_iterator - local struct used with drm_printer_coredump +- * @data: Pointer to the devcoredump output buffer ++ * @data: Pointer to the devcoredump output buffer, can be NULL if using ++ * drm_printer_coredump to determine size of devcoredump + * @start: The offset within the buffer to start writing + * @remain: The number of bytes to write for this iteration + */ +@@ -160,6 +161,57 @@ struct drm_print_iterator { + * coredump_read, ...) + * } + * ++ * The above example has a time complexity of O(N^2), where N is the size of the ++ * devcoredump. This is acceptable for small devcoredumps but scales poorly for ++ * larger ones. ++ * ++ * Another use case for drm_coredump_printer is to capture the devcoredump into ++ * a saved buffer before the dev_coredump() callback. This involves two passes: ++ * one to determine the size of the devcoredump and another to print it to a ++ * buffer. Then, in dev_coredump(), copy from the saved buffer into the ++ * devcoredump read buffer. ++ * ++ * For example:: ++ * ++ * char *devcoredump_saved_buffer; ++ * ++ * ssize_t __coredump_print(char *buffer, ssize_t count, ...) 
++ * { ++ * struct drm_print_iterator iter; ++ * struct drm_printer p; ++ * ++ * iter.data = buffer; ++ * iter.start = 0; ++ * iter.remain = count; ++ * ++ * p = drm_coredump_printer(&iter); ++ * ++ * drm_printf(p, "foo=%d\n", foo); ++ * ... ++ * return count - iter.remain; ++ * } ++ * ++ * void coredump_print(...) ++ * { ++ * ssize_t count; ++ * ++ * count = __coredump_print(NULL, INT_MAX, ...); ++ * devcoredump_saved_buffer = kvmalloc(count, GFP_KERNEL); ++ * __coredump_print(devcoredump_saved_buffer, count, ...); ++ * } ++ * ++ * void coredump_read(char *buffer, loff_t offset, size_t count, ++ * void *data, size_t datalen) ++ * { ++ * ... ++ * memcpy(buffer, devcoredump_saved_buffer + offset, count); ++ * ... ++ * } ++ * ++ * The above example has a time complexity of O(N*2), where N is the size of the ++ * devcoredump. This scales better than the previous example for larger ++ * devcoredumps. ++ * + * RETURNS: + * The &drm_printer object + */ +-- +2.43.0 + diff --git a/queue-5.4/drm-radeon-r100-handle-unknown-family-in-r100_cp_ini.patch b/queue-5.4/drm-radeon-r100-handle-unknown-family-in-r100_cp_ini.patch new file mode 100644 index 00000000000..7ea2cb0a885 --- /dev/null +++ b/queue-5.4/drm-radeon-r100-handle-unknown-family-in-r100_cp_ini.patch 
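Review bot: The kernel-doc example added to include/drm/drm_print.h passes the `kvmalloc()` result straight back into `__coredump_print()` without checking it, so a reader copying the pattern would write through a NULL buffer on allocation failure; an `if (!devcoredump_saved_buffer) return;` between the two calls would make the example safe to copy. The complexity remark `O(N*2)` reads like N squared at a glance where `O(2N)` (linear) is what the two-pass scheme gives. In drm_print.c the new guards skip only the copy while `offset` and `remain` still advance, which matches the sizing intent, but the `len` computation that precedes the guarded `snprintf()` in `__drm_printfn_coredump()` begins outside the hunk, so its own handling of a NULL buffer cannot be confirmed here.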
@@ -0,0 +1,140 @@ +From 3404cef0bcfbd586674bf9b3bae0ea5f9925bae0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 17:58:12 +0200 +Subject: drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit c6dbab46324b1742b50dc2fb5c1fee2c28129439 ] + +With -Werror: + + In function ‘r100_cp_init_microcode’, + inlined from ‘r100_cp_init’ at drivers/gpu/drm/radeon/r100.c:1136:7: + include/linux/printk.h:465:44: error: ‘%s’ directive argument is null [-Werror=format-overflow=] + 465 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__) + | ^ + include/linux/printk.h:437:17: note: in definition of macro ‘printk_index_wrap’ + 437 | _p_func(_fmt, ##__VA_ARGS__); \ + | ^~~~~~~ + include/linux/printk.h:508:9: note: in expansion of macro ‘printk’ + 508 | printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__) + | ^~~~~~ + drivers/gpu/drm/radeon/r100.c:1062:17: note: in expansion of macro ‘pr_err’ + 1062 | pr_err("radeon_cp: Failed to load firmware \"%s\"\n", fw_name); + | ^~~~~~ + +Fix this by converting the if/else if/... construct into a proper +switch() statement with a default to handle the error case. + +As a bonus, the generated code is ca. 100 bytes smaller (with gcc 11.4.0 +targeting arm32). 
+ +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/r100.c | 70 ++++++++++++++++++++++------------- + 1 file changed, 45 insertions(+), 25 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c +index 9d2e6112f70ae..a5545403b9601 100644 +--- a/drivers/gpu/drm/radeon/r100.c ++++ b/drivers/gpu/drm/radeon/r100.c +@@ -1005,45 +1005,65 @@ static int r100_cp_init_microcode(struct radeon_device *rdev) + + DRM_DEBUG_KMS("\n"); + +- if ((rdev->family == CHIP_R100) || (rdev->family == CHIP_RV100) || +- (rdev->family == CHIP_RV200) || (rdev->family == CHIP_RS100) || +- (rdev->family == CHIP_RS200)) { ++ switch (rdev->family) { ++ case CHIP_R100: ++ case CHIP_RV100: ++ case CHIP_RV200: ++ case CHIP_RS100: ++ case CHIP_RS200: + DRM_INFO("Loading R100 Microcode\n"); + fw_name = FIRMWARE_R100; +- } else if ((rdev->family == CHIP_R200) || +- (rdev->family == CHIP_RV250) || +- (rdev->family == CHIP_RV280) || +- (rdev->family == CHIP_RS300)) { ++ break; ++ ++ case CHIP_R200: ++ case CHIP_RV250: ++ case CHIP_RV280: ++ case CHIP_RS300: + DRM_INFO("Loading R200 Microcode\n"); + fw_name = FIRMWARE_R200; +- } else if ((rdev->family == CHIP_R300) || +- (rdev->family == CHIP_R350) || +- (rdev->family == CHIP_RV350) || +- (rdev->family == CHIP_RV380) || +- (rdev->family == CHIP_RS400) || +- (rdev->family == CHIP_RS480)) { ++ break; ++ ++ case CHIP_R300: ++ case CHIP_R350: ++ case CHIP_RV350: ++ case CHIP_RV380: ++ case CHIP_RS400: ++ case CHIP_RS480: + DRM_INFO("Loading R300 Microcode\n"); + fw_name = FIRMWARE_R300; +- } else if ((rdev->family == CHIP_R420) || +- (rdev->family == CHIP_R423) || +- (rdev->family == CHIP_RV410)) { ++ break; ++ ++ case CHIP_R420: ++ case CHIP_R423: ++ case CHIP_RV410: + DRM_INFO("Loading R400 Microcode\n"); + fw_name = FIRMWARE_R420; +- } else if ((rdev->family == CHIP_RS690) || +- (rdev->family == CHIP_RS740)) { ++ break; ++ ++ case CHIP_RS690: ++ case 
CHIP_RS740: + DRM_INFO("Loading RS690/RS740 Microcode\n"); + fw_name = FIRMWARE_RS690; +- } else if (rdev->family == CHIP_RS600) { ++ break; ++ ++ case CHIP_RS600: + DRM_INFO("Loading RS600 Microcode\n"); + fw_name = FIRMWARE_RS600; +- } else if ((rdev->family == CHIP_RV515) || +- (rdev->family == CHIP_R520) || +- (rdev->family == CHIP_RV530) || +- (rdev->family == CHIP_R580) || +- (rdev->family == CHIP_RV560) || +- (rdev->family == CHIP_RV570)) { ++ break; ++ ++ case CHIP_RV515: ++ case CHIP_R520: ++ case CHIP_RV530: ++ case CHIP_R580: ++ case CHIP_RV560: ++ case CHIP_RV570: + DRM_INFO("Loading R500 Microcode\n"); + fw_name = FIRMWARE_R520; ++ break; ++ ++ default: ++ DRM_ERROR("Unsupported Radeon family %u\n", rdev->family); ++ return -EINVAL; + } + + err = request_firmware(&rdev->me_fw, fw_name, rdev->dev); +-- +2.43.0 + diff --git a/queue-5.4/ext4-ext4_search_dir-should-return-a-proper-error.patch b/queue-5.4/ext4-ext4_search_dir-should-return-a-proper-error.patch new file mode 100644 index 00000000000..fe749ce71b1 --- /dev/null +++ b/queue-5.4/ext4-ext4_search_dir-should-return-a-proper-error.patch 
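Review bot: The new `default:` arm in `r100_cp_init_microcode()` returns -EINVAL with a DRM_ERROR but nothing in the code says why a family that reached this function can be unsupported or why the switch must stay exhaustive; a comment such as `/* no microcode for this family: fw_name would otherwise be NULL below */` would carry the reason from the commit message into the source. The `request_firmware()` call and the rest of the function lie outside the hunk, so the error path after the switch cannot be checked here.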
@@ -0,0 +1,86 @@ +From 13f1089c93cf7215b3f962715d7e67e9f38c4869 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 12:23:21 -0300 +Subject: ext4: ext4_search_dir should return a proper error + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit cd69f8f9de280e331c9e6ff689ced0a688a9ce8f ] + +ext4_search_dir currently returns -1 in case of a failure, while it returns +0 when the name is not found. In such failure cases, it should return an +error code instead. + +This becomes even more important when ext4_find_inline_entry returns an +error code as well in the next commit. + +-EFSCORRUPTED seems appropriate as such error code as these failures would +be caused by unexpected record lengths and is in line with other instances +of ext4_check_dir_entry failures. + +In the case of ext4_dx_find_entry, the current use of ERR_BAD_DX_DIR was +left as is to reduce the risk of regressions. + +Signed-off-by: Thadeu Lima de Souza Cascardo +Link: https://patch.msgid.link/20240821152324.3621860-2-cascardo@igalia.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index e4fbc0f07eed2..dd795e10486b2 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1417,7 +1417,7 @@ static inline bool ext4_match(const struct inode *parent, + } + + /* +- * Returns 0 if not found, -1 on failure, and 1 on success ++ * Returns 0 if not found, -EFSCORRUPTED on failure, and 1 on success + */ + int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + struct inode *dir, struct ext4_filename *fname, +@@ -1438,7 +1438,7 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + * a full check */ + if (ext4_check_dir_entry(dir, NULL, de, bh, search_buf, + buf_size, offset)) +- return -1; ++ return -EFSCORRUPTED; + *res_dir = de; + return 1; + } +@@ -1446,7 +1446,7 @@ int 
ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + de_len = ext4_rec_len_from_disk(de->rec_len, + dir->i_sb->s_blocksize); + if (de_len <= 0) +- return -1; ++ return -EFSCORRUPTED; + offset += de_len; + de = (struct ext4_dir_entry_2 *) ((char *) de + de_len); + } +@@ -1596,8 +1596,10 @@ static struct buffer_head *__ext4_find_entry(struct inode *dir, + goto cleanup_and_exit; + } else { + brelse(bh); +- if (i < 0) ++ if (i < 0) { ++ ret = ERR_PTR(i); + goto cleanup_and_exit; ++ } + } + next: + if (++block >= nblocks) +@@ -1691,7 +1693,7 @@ static struct buffer_head * ext4_dx_find_entry(struct inode *dir, + if (retval == 1) + goto success; + brelse(bh); +- if (retval == -1) { ++ if (retval < 0) { + bh = ERR_PTR(ERR_BAD_DX_DIR); + goto errout; + } +-- +2.43.0 + diff --git a/queue-5.4/ext4-fix-i_data_sem-unlock-order-in-ext4_ind_migrate.patch b/queue-5.4/ext4-fix-i_data_sem-unlock-order-in-ext4_ind_migrate.patch new file mode 100644 index 00000000000..f15ba75009e --- /dev/null +++ b/queue-5.4/ext4-fix-i_data_sem-unlock-order-in-ext4_ind_migrate.patch 
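Review bot: `ext4_search_dir()` now reports -EFSCORRUPTED, but the `ext4_dx_find_entry()` hunk still folds every negative value into `ERR_BAD_DX_DIR`, so that caller cannot distinguish a corrupt directory block from the index error; the commit message says this is deliberate, so a comment at `if (retval < 0) {` such as `/* intentionally mapped to ERR_BAD_DX_DIR; see ext4_search_dir() */` would stop a later reader from "fixing" it. The `__ext4_find_entry()` hunk sets `ret = ERR_PTR(i)` after `brelse(bh)`, and the `cleanup_and_exit` label is outside the hunk, so whether it still expects `bh` to be valid cannot be checked here. Any other caller of `ext4_search_dir()` that compared against a literal `-1` would be silently broken by the new contract and should be audited alongside this change.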
@@ -0,0 +1,55 @@ +From c11b20478d3f0f499e0eaf97f92749e6d12786db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 15:22:09 +0000 +Subject: ext4: fix i_data_sem unlock order in ext4_ind_migrate() + +From: Artem Sadovnikov + +[ Upstream commit cc749e61c011c255d81b192a822db650c68b313f ] + +Fuzzing reports a possible deadlock in jbd2_log_wait_commit. + +This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require +synchronous updates because the file descriptor is opened with O_SYNC. +This can lead to the jbd2_journal_stop() function calling +jbd2_might_wait_for_commit(), potentially causing a deadlock if the +EXT4_IOC_MIGRATE call races with a write(2) system call. + +This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this +case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the +jbd2_journal_stop function while i_data_sem is locked. This triggers +lockdep because the jbd2_journal_start function might also lock the same +jbd2_handle simultaneously. + +Found by Linux Verification Center (linuxtesting.org) with syzkaller. 
+ +Reviewed-by: Ritesh Harjani (IBM) +Co-developed-by: Mikhail Ukhin +Signed-off-by: Mikhail Ukhin +Signed-off-by: Artem Sadovnikov +Rule: add +Link: https://lore.kernel.org/stable/20240404095000.5872-1-mish.uxin2012%40yandex.ru +Link: https://patch.msgid.link/20240829152210.2754-1-ancowi69@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/migrate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c +index dbba3c3a2f064..ebee8c94b5fe6 100644 +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -678,8 +678,8 @@ int ext4_ind_migrate(struct inode *inode) + ei->i_data[i] = cpu_to_le32(blk++); + ext4_mark_inode_dirty(handle, inode); + errout: +- ext4_journal_stop(handle); + up_write(&EXT4_I(inode)->i_data_sem); ++ ext4_journal_stop(handle); + out_unlock: + percpu_up_write(&sbi->s_writepages_rwsem); + return ret; +-- +2.43.0 + diff --git a/queue-5.4/fbdev-pxafb-fix-possible-use-after-free-in-pxafb_tas.patch b/queue-5.4/fbdev-pxafb-fix-possible-use-after-free-in-pxafb_tas.patch new file mode 100644 index 00000000000..9d582fd4b03 --- /dev/null +++ b/queue-5.4/fbdev-pxafb-fix-possible-use-after-free-in-pxafb_tas.patch 
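Review bot: The swapped `up_write()`/`ext4_journal_stop()` order at `errout:` carries no comment, and this is exactly the kind of ordering a future cleanup would be tempted to swap back; a line such as `/* drop i_data_sem before ext4_journal_stop(): it may wait for a commit */` next to `up_write()` would preserve the lockdep rationale from the commit message in the source. The function's other exit paths (`out_unlock` and the returns above the hunk) are outside the hunk and cannot be checked for the same ordering here.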
@@ -0,0 +1,59 @@
+From 70615eae3bb7d4d56af72c23b3af1f3766a0fe03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Sep 2024 22:29:52 +0800
+Subject: fbdev: pxafb: Fix possible use after free in pxafb_task()
+
+From: Kaixin Wang
+
+[ Upstream commit 4a6921095eb04a900e0000da83d9475eb958e61e ]
+
+In the pxafb_probe function, it calls the pxafb_init_fbinfo function,
+after which &fbi->task is associated with pxafb_task. Moreover,
+within this pxafb_init_fbinfo function, the pxafb_blank function
+within the &pxafb_ops struct is capable of scheduling work.
+
+If we remove the module which will call pxafb_remove to make cleanup,
+it will call unregister_framebuffer function which can call
+do_unregister_framebuffer to free fbi->fb through
+put_fb_info(fb_info), while the work mentioned above will be used.
+The sequence of operations that may lead to a UAF bug is as follows:
+
+CPU0 CPU1
+
+ | pxafb_task
+pxafb_remove |
+unregister_framebuffer(info) |
+do_unregister_framebuffer(fb_info) |
+put_fb_info(fb_info) |
+// free fbi->fb | set_ctrlr_state(fbi, state)
+ | __pxafb_lcd_power(fbi, 0)
+ | fbi->lcd_power(on, &fbi->fb.var)
+ | //use fbi->fb
+
+Fix it by ensuring that the work is canceled before proceeding
+with the cleanup in pxafb_remove.
+
+Note that only root user can remove the driver at runtime.
+
+Signed-off-by: Kaixin Wang
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/pxafb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/fbdev/pxafb.c b/drivers/video/fbdev/pxafb.c
+index 27635926cea3f..e8d51dc4bc283 100644
+--- a/drivers/video/fbdev/pxafb.c
++++ b/drivers/video/fbdev/pxafb.c
+@@ -2416,6 +2416,7 @@ static int pxafb_remove(struct platform_device *dev)
+ info = &fbi->fb;
+
+ pxafb_overlay_exit(fbi);
++ cancel_work_sync(&fbi->task);
+ unregister_framebuffer(info);
+
+ pxafb_disable_controller(fbi);
+-- 
+2.43.0
+
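Review bot: `cancel_work_sync(&fbi->task)` runs while the framebuffer is still registered, so a blank request arriving between the cancel and `unregister_framebuffer(info)` can re-queue the work and reopen the window the commit describes; cancelling does not stop later scheduling. Whether `pxafb_blank()` is still reachable in that window depends on fbmem locking outside this hunk, so this is a question rather than a confirmed defect; if it is reachable, a second `cancel_work_sync()` once nothing can queue the work any more, or a teardown flag checked by the scheduling path, would close it. A comment on the new line, `/* pxafb_task touches fbi->fb; stop it before the fb_info is released */`, would also document why the call sits before the unregister.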
diff --git a/queue-5.4/ice-adjust-over-allocation-of-memory-in-ice_sched_ad.patch b/queue-5.4/ice-adjust-over-allocation-of-memory-in-ice_sched_ad.patch
new file mode 100644
index 00000000000..6e65b2553d0
--- /dev/null
+++ b/queue-5.4/ice-adjust-over-allocation-of-memory-in-ice_sched_ad.patch
@@ -0,0 +1,61 @@ +From 0fd900eee45086f4c789b4fc3ea95e93bb5d8d49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 15:39:49 +0300 +Subject: ice: Adjust over allocation of memory in ice_sched_add_root_node() + and ice_sched_add_node() + +From: Aleksandr Mishin + +[ Upstream commit 62fdaf9e8056e9a9e6fe63aa9c816ec2122d60c6 ] + +In ice_sched_add_root_node() and ice_sched_add_node() there are calls to +devm_kcalloc() in order to allocate memory for array of pointers to +'ice_sched_node' structure. But incorrect types are used as sizeof() +arguments in these calls (structures instead of pointers) which leads to +over allocation of memory. + +Adjust over allocation of memory by correcting types in devm_kcalloc() +sizeof() arguments. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Reviewed-by: Przemek Kitszel +Signed-off-by: Aleksandr Mishin +Reviewed-by: Simon Horman +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_sched.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c +index 2fde9653a608f..d1c0ccee879bc 100644 +--- a/drivers/net/ethernet/intel/ice/ice_sched.c ++++ b/drivers/net/ethernet/intel/ice/ice_sched.c +@@ -27,9 +27,8 @@ ice_sched_add_root_node(struct ice_port_info *pi, + if (!root) + return ICE_ERR_NO_MEMORY; + +- /* coverity[suspicious_sizeof] */ + root->children = devm_kcalloc(ice_hw_to_dev(hw), hw->max_children[0], +- sizeof(*root), GFP_KERNEL); ++ sizeof(*root->children), GFP_KERNEL); + if (!root->children) { + devm_kfree(ice_hw_to_dev(hw), root); + return ICE_ERR_NO_MEMORY; +@@ -181,10 +180,9 @@ ice_sched_add_node(struct ice_port_info *pi, u8 layer, + if (!node) + return ICE_ERR_NO_MEMORY; + if (hw->max_children[layer]) { +- /* coverity[suspicious_sizeof] */ + node->children = 
devm_kcalloc(ice_hw_to_dev(hw), + hw->max_children[layer], +- sizeof(*node), GFP_KERNEL); ++ sizeof(*node->children), GFP_KERNEL); + if (!node->children) { + devm_kfree(ice_hw_to_dev(hw), node); + return ICE_ERR_NO_MEMORY; +-- +2.43.0 + diff --git a/queue-5.4/ipv4-check-in_dev-earlier-for-ioctl-siocsifaddr.patch b/queue-5.4/ipv4-check-in_dev-earlier-for-ioctl-siocsifaddr.patch new file mode 100644 index 00000000000..5f6f456827c --- /dev/null +++ b/queue-5.4/ipv4-check-in_dev-earlier-for-ioctl-siocsifaddr.patch @@ -0,0 +1,52 @@ +From 40afc3fd9d5718bdb68270e700aa4358cb43b20f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Aug 2024 16:54:02 -0700 +Subject: ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). + +From: Kuniyuki Iwashima + +[ Upstream commit e3af3d3c5b26c33a7950e34e137584f6056c4319 ] + +dev->ip_ptr could be NULL if we set an invalid MTU. + +Even then, if we issue ioctl(SIOCSIFADDR) for a new IPv4 address, +devinet_ioctl() allocates struct in_ifaddr and fails later in +inet_set_ifa() because in_dev is NULL. + +Let's move the check earlier. + +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20240809235406.50187-2-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index ed00b233cee2e..dec884bf73f05 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -566,10 +566,6 @@ static int inet_set_ifa(struct net_device *dev, struct in_ifaddr *ifa) + + ASSERT_RTNL(); + +- if (!in_dev) { +- inet_free_ifa(ifa); +- return -ENOBUFS; +- } + ipv4_devconf_setall(in_dev); + neigh_parms_data_state_setall(in_dev->arp_parms); + if (ifa->ifa_dev != in_dev) { +@@ -1150,6 +1146,8 @@ int devinet_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr) + + if (!ifa) { + ret = -ENOBUFS; ++ if (!in_dev) ++ break; + ifa = inet_alloc_ifa(); + if (!ifa) + break; +-- +2.43.0 + 
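Review bot: Removing the `!in_dev` check from `inet_set_ifa()` makes that function trust every caller to have validated `in_dev`, while the replacement check in `devinet_ioctl()` covers only the `!ifa` (new address) branch visible here; any other path into `inet_set_ifa()`, including the existing-address branch of this ioctl and the rtnetlink path, now depends on checks outside this hunk that the patch does not show. A comment on `inet_set_ifa()`, e.g. `/* callers must guarantee in_dev != NULL */`, would make the new precondition explicit. The body of `inet_set_ifa()` continues outside the hunk.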
diff --git a/queue-5.4/ipv4-mask-upper-dscp-bits-and-ecn-bits-in-netlink_fi.patch b/queue-5.4/ipv4-mask-upper-dscp-bits-and-ecn-bits-in-netlink_fi.patch
new file mode 100644
index 00000000000..9f7be145bbc
--- /dev/null
+++ b/queue-5.4/ipv4-mask-upper-dscp-bits-and-ecn-bits-in-netlink_fi.patch
@@ -0,0 +1,50 @@
+From 8b34c5e2d9a7e11f0955cf32eea33a176bbd0777 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Aug 2024 15:52:22 +0300
+Subject: ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family
+
+From: Ido Schimmel
+
+[ Upstream commit 8fed54758cd248cd311a2b5c1e180abef1866237 ]
+
+The NETLINK_FIB_LOOKUP netlink family can be used to perform a FIB
+lookup according to user provided parameters and communicate the result
+back to user space.
+
+However, unlike other users of the FIB lookup API, the upper DSCP bits
+and the ECN bits of the DS field are not masked, which can result in the
+wrong result being returned.
+
+Solve this by masking the upper DSCP bits and the ECN bits using
+IPTOS_RT_MASK.
+
+The structure that communicates the request and the response is not
+exported to user space, so it is unlikely that this netlink family is
+actually in use [1].
+
+[1] https://lore.kernel.org/netdev/ZpqpB8vJU%2FQ6LSqa@debian/
+
+Signed-off-by: Ido Schimmel
+Reviewed-by: Guillaume Nault
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/fib_frontend.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index c31003d8c22f8..2d6b125024314 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -1344,7 +1344,7 @@ static void nl_fib_lookup(struct net *net, struct fib_result_nl *frn)
+ struct flowi4 fl4 = {
+ .flowi4_mark = frn->fl_mark,
+ .daddr = frn->fl_addr,
+- .flowi4_tos = frn->fl_tos,
++ .flowi4_tos = frn->fl_tos & IPTOS_RT_MASK,
+ .flowi4_scope = frn->fl_scope,
+ };
+ struct fib_table *tb;
+-- 
+2.43.0
+
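Review bot: The new `& IPTOS_RT_MASK` on `.flowi4_tos` has no comment saying where `frn->fl_tos` comes from or why the bits are dropped, and the reason is easy to lose in a struct initialiser; `/* fl_tos is caller-supplied: strip ECN and upper DSCP bits like the rest of the FIB lookup API */` on the new line would record it. The rest of `nl_fib_lookup()`, including how `frn` is received, lies outside the hunk.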
diff --git a/queue-5.4/jfs-check-if-leafidx-greater-than-num-leaves-per-dma.patch b/queue-5.4/jfs-check-if-leafidx-greater-than-num-leaves-per-dma.patch
new file mode 100644
index 00000000000..89385e9bf01
--- /dev/null
+++ b/queue-5.4/jfs-check-if-leafidx-greater-than-num-leaves-per-dma.patch
@@ -0,0 +1,52 @@ +From 0d53889df535cf414447ff44ffecb86bfcb0b1c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Aug 2024 09:25:23 +0800 +Subject: jfs: check if leafidx greater than num leaves per dmap tree + +From: Edward Adam Davis + +[ Upstream commit d64ff0d2306713ff084d4b09f84ed1a8c75ecc32 ] + +syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater +than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf. + +Shaggy: +Modified sanity check to apply to control pages as well as leaf pages. + +Reported-and-tested-by: syzbot+dca05492eff41f604890@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890 +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index ab90c7561e20c..01cdfe7891b94 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -3006,9 +3006,10 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) + static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) + { + int ti, n = 0, k, x = 0; +- int max_size; ++ int max_size, max_idx; + + max_size = is_ctl ? CTLTREESIZE : TREESIZE; ++ max_idx = is_ctl ? LPERCTL : LPERDMAP; + + /* first check the root of the tree to see if there is + * sufficient free space. +@@ -3040,6 +3041,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) + */ + assert(n < 4); + } ++ if (le32_to_cpu(tp->dmt_leafidx) >= max_idx) ++ return -ENOSPC; + + /* set the return to the leftmost leaf describing sufficient + * free space. +-- +2.43.0 + diff --git a/queue-5.4/jfs-fix-uaf-in-dbfreebits.patch b/queue-5.4/jfs-fix-uaf-in-dbfreebits.patch new file mode 100644 index 00000000000..8d8a2270d78 --- /dev/null +++ b/queue-5.4/jfs-fix-uaf-in-dbfreebits.patch 
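Review bot: The new bound check in `dbFindLeaf()` returns -ENOSPC when the on-disk `dmt_leafidx` is out of range, which reports a corrupt metadata page as "no free space"; a caller that treats -ENOSPC as an ordinary allocation miss will move on to the next group instead of flagging the corruption. If the callers can tolerate it, -EIO describes the condition better; at minimum a comment on the new lines, `/* on-disk dmt_leafidx is out of range: corrupt tree, not a valid leaf */`, should say why the check exists and why it sits after the walk. The callers and the remainder of the function are outside the hunk, so which return value they expect cannot be confirmed here.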
@@ -0,0 +1,117 @@ +From 6befdda3d19ea4d1a54de5cf4874716991b2718a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Aug 2024 10:50:48 +0800 +Subject: jfs: Fix uaf in dbFreeBits + +From: Edward Adam Davis + +[ Upstream commit d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234 ] + +[syzbot reported] +================================================================== +BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] +BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 +Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216 + +CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + __mutex_lock_common kernel/locking/mutex.c:587 [inline] + __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 + dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390 + dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline] + dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409 + dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650 + jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100 + jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + +Freed by task 5218: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 + poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 + __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 + kasan_slab_free 
include/linux/kasan.h:184 [inline] + slab_free_hook mm/slub.c:2252 [inline] + slab_free mm/slub.c:4473 [inline] + kfree+0x149/0x360 mm/slub.c:4594 + dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278 + jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247 + jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454 + reconfigure_super+0x445/0x880 fs/super.c:1083 + vfs_cmd_reconfigure fs/fsopen.c:263 [inline] + vfs_fsconfig_locked fs/fsopen.c:292 [inline] + __do_sys_fsconfig fs/fsopen.c:473 [inline] + __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +[Analysis] +There are two paths (dbUnmount and jfs_ioc_trim) that generate race +condition when accessing bmap, which leads to the occurrence of uaf. + +Use the lock s_umount to synchronize them, in order to avoid uaf caused +by race condition. + +Reported-and-tested-by: syzbot+3c010e21296f33a5dc16@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_discard.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/fs/jfs/jfs_discard.c b/fs/jfs/jfs_discard.c +index 575cb2ba74fc8..5f4b305030ad5 100644 +--- a/fs/jfs/jfs_discard.c ++++ b/fs/jfs/jfs_discard.c +@@ -65,7 +65,7 @@ void jfs_issue_discard(struct inode *ip, u64 blkno, u64 nblocks) + int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) + { + struct inode *ipbmap = JFS_SBI(ip->i_sb)->ipbmap; +- struct bmap *bmp = JFS_SBI(ip->i_sb)->bmap; ++ struct bmap *bmp; + struct super_block *sb = ipbmap->i_sb; + int agno, agno_end; + u64 start, end, minlen; +@@ -83,10 +83,15 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) + if (minlen == 0) + minlen = 1; + ++ down_read(&sb->s_umount); ++ bmp = JFS_SBI(ip->i_sb)->bmap; ++ + if (minlen > bmp->db_agsize || + start >= bmp->db_mapsize || +- range->len < sb->s_blocksize) ++ 
range->len < sb->s_blocksize) { ++ up_read(&sb->s_umount); + return -EINVAL; ++ } + + if (end >= bmp->db_mapsize) + end = bmp->db_mapsize - 1; +@@ -100,6 +105,8 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) + trimmed += dbDiscardAG(ip, agno, minlen); + agno++; + } ++ ++ up_read(&sb->s_umount); + range->len = trimmed << sb->s_blocksize_bits; + + return 0; +-- +2.43.0 + diff --git a/queue-5.4/jfs-fix-uninit-value-access-of-new_ea-in-ea_buffer.patch b/queue-5.4/jfs-fix-uninit-value-access-of-new_ea-in-ea_buffer.patch new file mode 100644 index 00000000000..d6538285492 --- /dev/null +++ b/queue-5.4/jfs-fix-uninit-value-access-of-new_ea-in-ea_buffer.patch 
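Review bot: `ipbmap` and `sb` are still derived from `JFS_SBI(ip->i_sb)` at the top of `jfs_ioc_trim()` before `down_read(&sb->s_umount)` is taken, so only `bmp` is re-read under the lock; if the remount path that frees `bmap` also replaces `ipbmap`, the `ipbmap->i_sb` dereference keeps the same race — that depends on `dbUnmount()`, which is outside this hunk. The new lock is released in two separate places (the -EINVAL early return and the normal path), which is the pattern that leaks a lock when a third return is added later; a single exit label with one `up_read()` would keep the balance in one place. `bmp` is also not checked for NULL after it is re-read under the lock; whether a read-only remount can leave it NULL is not visible here.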
@@ -0,0 +1,57 @@ +From 3de466fbfbf43960c0751d8cf205dcdcc4bed7d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 09:07:58 +0800 +Subject: jfs: Fix uninit-value access of new_ea in ea_buffer + +From: Zhao Mengmeng + +[ Upstream commit 2b59ffad47db1c46af25ccad157bb3b25147c35c ] + +syzbot reports that lzo1x_1_do_compress is using uninit-value: + +===================================================== +BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178 + +... + +Uninit was stored to memory at: + ea_put fs/jfs/xattr.c:639 [inline] + +... + +Local variable ea_buf created at: + __jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662 + __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934 + +===================================================== + +The reason is ea_buf->new_ea is not initialized properly. + +Fix this by using memset to empty its content at the beginning +in ea_get(). + +Reported-by: syzbot+02341e0daa42a15ce130@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=02341e0daa42a15ce130 +Signed-off-by: Zhao Mengmeng +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/xattr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c +index aea5531559c06..4ebee6e4dc1f9 100644 +--- a/fs/jfs/xattr.c ++++ b/fs/jfs/xattr.c +@@ -434,6 +434,8 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size) + int rc; + int quota_allocation = 0; + ++ memset(&ea_buf->new_ea, 0, sizeof(ea_buf->new_ea)); ++ + /* When fsck.jfs clears a bad ea, it doesn't clear the size */ + if (ji->ea.flag == 0) + ea_size = 0; +-- +2.43.0 + diff --git a/queue-5.4/jfs-ubsan-shift-out-of-bounds-in-dbfindbits.patch b/queue-5.4/jfs-ubsan-shift-out-of-bounds-in-dbfindbits.patch new file mode 100644 index 00000000000..079db6ef039 --- /dev/null +++ b/queue-5.4/jfs-ubsan-shift-out-of-bounds-in-dbfindbits.patch 
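Review bot: The new `memset()` at the start of `ea_get()` clears only `ea_buf->new_ea` and carries no comment saying why that member alone needs it; `/* new_ea may be handed to ea_put() without ever being filled in; clear it so no stack garbage is used */` would preserve the KMSAN finding from the commit message. Callers that build an `ea_buffer` without going through `ea_get()` would not be covered by this initialisation; whether any exist cannot be told from the hunk, and the function body continues outside it.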
@@ -0,0 +1,35 @@
+From 12e088d9de44ca9000e208c5b59bb8e2e5057520 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Jul 2024 00:12:44 +0000
+Subject: jfs: UBSAN: shift-out-of-bounds in dbFindBits
+
+From: Remington Brasga
+
+[ Upstream commit b0b2fc815e514221f01384f39fbfbff65d897e1c ]
+
+Fix issue with UBSAN throwing shift-out-of-bounds warning.
+
+Reported-by: syzbot+e38d703eeb410b17b473@syzkaller.appspotmail.com
+Signed-off-by: Remington Brasga
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_dmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index fe0b5a91356c4..ab90c7561e20c 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -3084,7 +3084,7 @@ static int dbFindBits(u32 word, int l2nb)
+ 
+ /* scan the word for nb free bits at nb alignments.
+ */
+- for (bitno = 0; mask != 0; bitno += nb, mask >>= nb) {
++ for (bitno = 0; mask != 0; bitno += nb, mask = (mask >> nb)) {
+ if ((mask & word) == mask)
+ break;
+ }
+-- 
+2.43.0
+
diff --git a/queue-5.4/net-hisilicon-hip04-fix-of-node-leak-in-probe.patch b/queue-5.4/net-hisilicon-hip04-fix-of-node-leak-in-probe.patch
new file mode 100644
index 00000000000..1c86f7d9bd0
--- /dev/null
+++ b/queue-5.4/net-hisilicon-hip04-fix-of-node-leak-in-probe.patch
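Review bot: The rewritten loop update `mask = (mask >> nb)` is semantically identical to `mask >>= nb`, so a shift by an amount equal to the width of `mask` (32 for a u32) is still out of bounds and the UBSAN report this patch is meant to close will keep firing; nothing in the hunk bounds `nb` below 32, and the setup of `nb` and `mask` is outside the hunk, so whether the width case is reachable cannot be confirmed here. If it is, guard it explicitly rather than rephrasing the shift, e.g. `mask = nb < 32 ? mask >> nb : 0;`, and decide what the function should report when the full-width run is not free. dbFindBits's body starts and ends outside the hunk.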
@@ -0,0 +1,36 @@
+From e8707d8d8b4b651fd1b127364920f1c76c86b114 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Aug 2024 16:44:19 +0200
+Subject: net: hisilicon: hip04: fix OF node leak in probe()
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 17555297dbd5bccc93a01516117547e26a61caf1 ]
+
+Driver is leaking OF node reference from
+of_parse_phandle_with_fixed_args() in probe().
+
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20240827144421.52852-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index b5eae06dd8705..00ca5183f9c3e 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -955,6 +955,7 @@ static int hip04_mac_probe(struct platform_device *pdev)
+ priv->tx_coalesce_timer.function = tx_done;
+ 
+ priv->map = syscon_node_to_regmap(arg.np);
++ of_node_put(arg.np);
+ if (IS_ERR(priv->map)) {
+ dev_warn(d, "no syscon hisilicon,hip04-ppe\n");
+ ret = PTR_ERR(priv->map);
+-- 
+2.43.0
+
diff --git a/queue-5.4/net-hisilicon-hns_dsaf_mac-fix-of-node-leak-in-hns_m.patch b/queue-5.4/net-hisilicon-hns_dsaf_mac-fix-of-node-leak-in-hns_m.patch
new file mode 100644
index 00000000000..dffdb1720ce
--- /dev/null
+++ b/queue-5.4/net-hisilicon-hns_dsaf_mac-fix-of-node-leak-in-hns_m.patch
@@ -0,0 +1,36 @@
+From d9bd9f2f5d5e8deae9077aac7cbd61fad5c85635 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Aug 2024 16:44:20 +0200
+Subject: net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info()
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 5680cf8d34e1552df987e2f4bb1bff0b2a8c8b11 ]
+
+Driver is leaking OF node reference from
+of_parse_phandle_with_fixed_args() in hns_mac_get_info().
+
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20240827144421.52852-3-krzysztof.kozlowski@linaro.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c
+index e34245649057e..b3733d7a7d81c 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c
+@@ -933,6 +933,7 @@ static int hns_mac_get_info(struct hns_mac_cb *mac_cb)
+ mac_cb->cpld_ctrl = NULL;
+ } else {
+ syscon = syscon_node_to_regmap(cpld_args.np);
++ of_node_put(cpld_args.np);
+ if (IS_ERR_OR_NULL(syscon)) {
+ dev_dbg(mac_cb->dev, "no cpld-syscon found!\n");
+ mac_cb->cpld_ctrl = NULL;
+-- 
+2.43.0
+
diff --git a/queue-5.4/net-hisilicon-hns_mdio-fix-of-node-leak-in-probe.patch b/queue-5.4/net-hisilicon-hns_mdio-fix-of-node-leak-in-probe.patch
new file mode 100644
index 00000000000..230f9b8063d
--- /dev/null
+++ b/queue-5.4/net-hisilicon-hns_mdio-fix-of-node-leak-in-probe.patch
@@ -0,0 +1,36 @@
+From 0b2182caf7d221314147bb4eb770aa03bb25aaf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Aug 2024 16:44:21 +0200
+Subject: net: hisilicon: hns_mdio: fix OF node leak in probe()
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit e62beddc45f487b9969821fad3a0913d9bc18a2f ]
+
+Driver is leaking OF node reference from
+of_parse_phandle_with_fixed_args() in probe().
+
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20240827144421.52852-4-krzysztof.kozlowski@linaro.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns_mdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns_mdio.c b/drivers/net/ethernet/hisilicon/hns_mdio.c
+index 7df5d7d211d47..58af9b4ae2be8 100644
+--- a/drivers/net/ethernet/hisilicon/hns_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns_mdio.c
+@@ -498,6 +498,7 @@ static int hns_mdio_probe(struct platform_device *pdev)
+ MDIO_SC_RESET_ST;
+ }
+ }
++ of_node_put(reg_args.np);
+ } else {
+ dev_warn(&pdev->dev, "find syscon ret = %#x\n", ret);
+ mdio_dev->subctrl_vbase = NULL;
+-- 
+2.43.0
+
diff --git a/queue-5.4/net-mvpp2-increase-size-of-queue_name-buffer.patch b/queue-5.4/net-mvpp2-increase-size-of-queue_name-buffer.patch
new file mode 100644
index 00000000000..fee6fcb1941
--- /dev/null
+++ b/queue-5.4/net-mvpp2-increase-size-of-queue_name-buffer.patch
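Review bot: `of_node_put(reg_args.np)` is placed at the end of the block that follows the phandle lookup rather than directly after the call that consumes the node, so any early `return` or `goto` inside that block would still leak the reference; the lookup and the start of the block are outside the hunk, so this cannot be ruled out from here. The sibling patches for hip04_eth.c and hns_dsaf_mac.c drop the reference immediately after `syscon_node_to_regmap()`, which is the form that cannot be bypassed; doing the same here, `mdio_dev->subctrl_vbase = syscon_node_to_regmap(reg_args.np); of_node_put(reg_args.np);`, would keep the three fixes consistent. hns_mdio_probe's body continues outside the hunk.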
@@ -0,0 +1,58 @@ +From 461a6660f16e61bbeb203cb14b80921197ec1fc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 12:28:24 +0100 +Subject: net: mvpp2: Increase size of queue_name buffer + +From: Simon Horman + +[ Upstream commit 91d516d4de48532d967a77967834e00c8c53dfe6 ] + +Increase size of queue_name buffer from 30 to 31 to accommodate +the largest string written to it. This avoids truncation in +the possibly unlikely case where the string is name is the +maximum size. + +Flagged by gcc-14: + + .../mvpp2_main.c: In function 'mvpp2_probe': + .../mvpp2_main.c:7636:32: warning: 'snprintf' output may be truncated before the last format character [-Wformat-truncation=] + 7636 | "stats-wq-%s%s", netdev_name(priv->port_list[0]->dev), + | ^ + .../mvpp2_main.c:7635:9: note: 'snprintf' output between 10 and 31 bytes into a destination of size 30 + 7635 | snprintf(priv->queue_name, sizeof(priv->queue_name), + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 7636 | "stats-wq-%s%s", netdev_name(priv->port_list[0]->dev), + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 7637 | priv->port_count > 1 ? "+" : ""); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Introduced by commit 118d6298f6f0 ("net: mvpp2: add ethtool GOP statistics"). +I am not flagging this as a bug as I am not aware that it is one. + +Compile tested only. 
+ +Signed-off-by: Simon Horman +Reviewed-by: Marcin Wojtas +Link: https://patch.msgid.link/20240806-mvpp2-namelen-v1-1-6dc773653f2f@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +index cf45b9210c155..552ec1f96e5d2 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +@@ -809,7 +809,7 @@ struct mvpp2 { + unsigned int max_port_rxqs; + + /* Workqueue to gather hardware statistics */ +- char queue_name[30]; ++ char queue_name[31]; + struct workqueue_struct *stats_queue; + + /* Debugfs root entry */ +-- +2.43.0 + diff --git a/queue-5.4/net-sched-consistently-use-rcu_replace_pointer-in-ta.patch b/queue-5.4/net-sched-consistently-use-rcu_replace_pointer-in-ta.patch new file mode 100644 index 00000000000..57c0020c9da --- /dev/null +++ b/queue-5.4/net-sched-consistently-use-rcu_replace_pointer-in-ta.patch 
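Review bot: `char queue_name[31]` is a bare magic number whose only justification is the one snprintf in mvpp2_probe quoted in the description, and nothing at the declaration records that relationship, so the next edit to that format string will silently reintroduce the truncation gcc flagged. Add a comment on the field such as `/* Sized for "stats-wq-" + netdev_name() + optional "+" + NUL; keep in sync with the snprintf in mvpp2_probe() */`, or express the size as the sum of those pieces so the compiler keeps them in step. The struct definition continues outside the hunk.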
@@ -0,0 +1,42 @@ +From d273c1b01e5f3d2c3e143a6f654c563b08eecb18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 14:54:01 +0300 +Subject: net: sched: consistently use rcu_replace_pointer() in taprio_change() + +From: Dmitry Antipov + +[ Upstream commit d5c4546062fd6f5dbce575c7ea52ad66d1968678 ] + +According to Vinicius (and carefully looking through the whole +https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa +once again), txtime branch of 'taprio_change()' is not going to +race against 'advance_sched()'. But using 'rcu_replace_pointer()' +in the former may be a good idea as well. + +Suggested-by: Vinicius Costa Gomes +Signed-off-by: Dmitry Antipov +Acked-by: Vinicius Costa Gomes +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_taprio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index 7b896be009d55..b8e26013bd75f 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -1578,7 +1578,9 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt, + goto unlock; + } + +- rcu_assign_pointer(q->admin_sched, new_admin); ++ /* Not going to race against advance_sched(), but still */ ++ admin = rcu_replace_pointer(q->admin_sched, new_admin, ++ lockdep_rtnl_is_held()); + if (admin) + call_rcu(&admin->rcu, taprio_free_sched_cb); + } else { +-- +2.43.0 + diff --git a/queue-5.4/nfp-use-irqf_no_autoen-flag-in-request_irq.patch b/queue-5.4/nfp-use-irqf_no_autoen-flag-in-request_irq.patch new file mode 100644 index 00000000000..ad95dd07039 --- /dev/null +++ b/queue-5.4/nfp-use-irqf_no_autoen-flag-in-request_irq.patch 
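Review bot: `rcu_replace_pointer()` must exist in this 5.4 tree for the new `admin = rcu_replace_pointer(q->admin_sched, new_admin, lockdep_rtnl_is_held());` to compile; upstream introduced it after 5.4 as the successor of rcu_swap_protected(), so unless it has already been backported to 5.4.y this hunk breaks the build. The subject's "consistently" implies the function already uses it elsewhere, which would settle the question, but that call is outside the hunk; confirm before queueing. `admin` is assigned but not declared here, so it must already be a local of taprio_change, as the untouched `if (admin)` suggests.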
@@ -0,0 +1,48 @@ +From 9ca00542f073f44ea638bb43517a0425b4efaedb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2024 17:44:45 +0800 +Subject: nfp: Use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit daaba19d357f0900b303a530ced96c78086267ea ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. + +Reviewed-by: Louis Peens +Signed-off-by: Jinjie Ruan +Link: https://patch.msgid.link/20240911094445.1922476-4-ruanjinjie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c +index 61aabffc8888d..7cbce8f51f069 100644 +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c +@@ -2626,8 +2626,8 @@ nfp_net_prepare_vector(struct nfp_net *nn, struct nfp_net_r_vector *r_vec, + + snprintf(r_vec->name, sizeof(r_vec->name), + "%s-rxtx-%d", nfp_net_name(nn), idx); +- err = request_irq(r_vec->irq_vector, r_vec->handler, 0, r_vec->name, +- r_vec); ++ err = request_irq(r_vec->irq_vector, r_vec->handler, IRQF_NO_AUTOEN, ++ r_vec->name, r_vec); + if (err) { + if (nn->dp.netdev) + netif_napi_del(&r_vec->napi); +@@ -2637,7 +2637,6 @@ nfp_net_prepare_vector(struct nfp_net *nn, struct nfp_net_r_vector *r_vec, + nn_err(nn, "Error requesting IRQ %d\n", r_vec->irq_vector); + return err; + } +- disable_irq(r_vec->irq_vector); + + irq_set_affinity_hint(r_vec->irq_vector, &r_vec->affinity_mask); + +-- +2.43.0 + diff --git a/queue-5.4/of-irq-refer-to-actual-buffer-size-in-of_irq_parse_o.patch b/queue-5.4/of-irq-refer-to-actual-buffer-size-in-of_irq_parse_o.patch new file mode 100644 index 00000000000..401253aa5bb 
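Review bot: `IRQF_NO_AUTOEN` was added to request_irq() upstream well after 5.4, so the new `request_irq(r_vec->irq_vector, r_vec->handler, IRQF_NO_AUTOEN, ...)` only builds if the flag has been backported to this 5.4.y tree; confirm include/linux/interrupt.h here defines it before queueing. Behaviourally the change is sound: the removed `disable_irq()` left a window between request and disable in which the handler could run on a not-yet-ready vector, and the flag closes it, assuming the driver's existing enable path (outside the hunk) still balances the disable depth. nfp_net_prepare_vector's body continues past the hunk.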
--- /dev/null +++ b/queue-5.4/of-irq-refer-to-actual-buffer-size-in-of_irq_parse_o.patch @@ -0,0 +1,39 @@ +From d3b8486e8dd1d2fe2542859db1b1e4d9b687ca05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 14:16:53 +0200 +Subject: of/irq: Refer to actual buffer size in of_irq_parse_one() + +From: Geert Uytterhoeven + +[ Upstream commit 39ab331ab5d377a18fbf5a0e0b228205edfcc7f4 ] + +Replace two open-coded calculations of the buffer size by invocations of +sizeof() on the buffer itself, to make sure the code will always use the +actual buffer size. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/817c0b9626fd30790fc488c472a3398324cfcc0c.1724156125.git.geert+renesas@glider.be +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/irq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/irq.c b/drivers/of/irq.c +index ad0cb49e233ac..70ac9cb3b2c67 100644 +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -301,8 +301,8 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar + addr = of_get_property(device, "reg", &addr_len); + + /* Prevent out-of-bounds read in case of longer interrupt parent address size */ +- if (addr_len > (3 * sizeof(__be32))) +- addr_len = 3 * sizeof(__be32); ++ if (addr_len > sizeof(addr_buf)) ++ addr_len = sizeof(addr_buf); + if (addr) + memcpy(addr_buf, addr, addr_len); + +-- +2.43.0 + diff --git a/queue-5.4/power-reset-brcmstb-do-not-go-into-infinite-loop-if-.patch b/queue-5.4/power-reset-brcmstb-do-not-go-into-infinite-loop-if-.patch new file mode 100644 index 00000000000..5c457a11a2b --- /dev/null +++ b/queue-5.4/power-reset-brcmstb-do-not-go-into-infinite-loop-if-.patch 
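Review bot: The new clamp `if (addr_len > sizeof(addr_buf))` compares an int with a size_t and runs even when `addr` is NULL; as far as I recall of_get_property() leaves `*lenp` untouched when "reg" is absent, so on that path the comparison reads whatever `addr_len` held before, which is harmless only because the memcpy is guarded. Hoisting the clamp under the existing `if (addr)` makes that explicit: `if (addr) { if (addr_len > sizeof(addr_buf)) addr_len = sizeof(addr_buf); memcpy(addr_buf, addr, addr_len); }`. addr_len's declaration and any initialiser are outside the hunk, so whether it starts zeroed cannot be confirmed here.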
@@ -0,0 +1,39 @@
+From 1ffb5e26393f3b0c19e030622825c50bccda39fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Jun 2024 09:28:36 -0500
+Subject: power: reset: brcmstb: Do not go into infinite loop if reset fails
+
+From: Andrew Davis
+
+[ Upstream commit cf8c39b00e982fa506b16f9d76657838c09150cb ]
+
+There may be other backup reset methods available, do not halt
+here so that other reset methods can be tried.
+
+Signed-off-by: Andrew Davis
+Reviewed-by: Dhruva Gole
+Acked-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20240610142836.168603-5-afd@ti.com
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/power/reset/brcmstb-reboot.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/power/reset/brcmstb-reboot.c b/drivers/power/reset/brcmstb-reboot.c
+index 884b53c483c09..9f8b9e5cad93a 100644
+--- a/drivers/power/reset/brcmstb-reboot.c
++++ b/drivers/power/reset/brcmstb-reboot.c
+@@ -72,9 +72,6 @@ static int brcmstb_restart_handler(struct notifier_block *this,
+ return NOTIFY_DONE;
+ }
+ 
+- while (1)
+- ;
+-
+ return NOTIFY_DONE;
+ }
+ 
+-- 
+2.43.0
+
diff --git a/queue-5.4/proc-add-config-param-to-block-forcing-mem-writes.patch b/queue-5.4/proc-add-config-param-to-block-forcing-mem-writes.patch
new file mode 100644
index 00000000000..403c735ca15
--- /dev/null
+++ b/queue-5.4/proc-add-config-param-to-block-forcing-mem-writes.patch
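Review bot: With the busy-wait gone, the handler now falls through to `return NOTIFY_DONE` after issuing the reset, but nothing in the function says why returning is correct, and a later reader may well re-add the spin "because the SoC should never get here". Add a comment above the final return: `/* If the reset did not take, return so the notifier chain can try other restart handlers. */`. The error path at the top of the hunk already returns NOTIFY_DONE, so both outcomes now look the same to the chain, which the commit message says is intended.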
@@ -0,0 +1,200 @@ +From 3666ffd5690b6c578dc484cde0153e3ef7121caf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2024 11:02:25 +0300 +Subject: proc: add config & param to block forcing mem writes + +From: Adrian Ratiu + +[ Upstream commit 41e8149c8892ed1962bd15350b3c3e6e90cba7f4 ] + +This adds a Kconfig option and boot param to allow removing +the FOLL_FORCE flag from /proc/pid/mem write calls because +it can be abused. + +The traditional forcing behavior is kept as default because +it can break GDB and some other use cases. + +Previously we tried a more sophisticated approach allowing +distributions to fine-tune /proc/pid/mem behavior, however +that got NAK-ed by Linus [1], who prefers this simpler +approach with semantics also easier to understand for users. + +Link: https://lore.kernel.org/lkml/CAHk-=wiGWLChxYmUA5HrT5aopZrB7_2VTa0NLZcxORgkUe5tEQ@mail.gmail.com/ [1] +Cc: Doug Anderson +Cc: Jeff Xu +Cc: Jann Horn +Cc: Kees Cook +Cc: Ard Biesheuvel +Cc: Christian Brauner +Suggested-by: Linus Torvalds +Signed-off-by: Linus Torvalds +Signed-off-by: Adrian Ratiu +Link: https://lore.kernel.org/r/20240802080225.89408-1-adrian.ratiu@collabora.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + .../admin-guide/kernel-parameters.txt | 10 +++ + fs/proc/base.c | 61 ++++++++++++++++++- + security/Kconfig | 32 ++++++++++ + 3 files changed, 102 insertions(+), 1 deletion(-) + +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index 6143c4cb7e984..9975dcab99c35 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -3812,6 +3812,16 @@ + printk.time= Show timing data prefixed to each printk message line + Format: (1/Y/y=enable, 0/N/n=disable) + ++ proc_mem.force_override= [KNL] ++ Format: {always | ptrace | never} ++ Traditionally /proc/pid/mem allows memory permissions to be ++ overridden without restrictions. 
This option may be set to ++ restrict that. Can be one of: ++ - 'always': traditional behavior always allows mem overrides. ++ - 'ptrace': only allow mem overrides for active ptracers. ++ - 'never': never allow mem overrides. ++ If not specified, default is the CONFIG_PROC_MEM_* choice. ++ + processor.max_cstate= [HW,ACPI] + Limit processor to maximum C-state + max_cstate=9 overrides any DMI blacklist limit. +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 77a3eb7c39f54..34e15da39fdf3 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -86,6 +86,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -113,6 +114,40 @@ + static u8 nlink_tid __ro_after_init; + static u8 nlink_tgid __ro_after_init; + ++enum proc_mem_force { ++ PROC_MEM_FORCE_ALWAYS, ++ PROC_MEM_FORCE_PTRACE, ++ PROC_MEM_FORCE_NEVER ++}; ++ ++static enum proc_mem_force proc_mem_force_override __ro_after_init = ++ IS_ENABLED(CONFIG_PROC_MEM_NO_FORCE) ? PROC_MEM_FORCE_NEVER : ++ IS_ENABLED(CONFIG_PROC_MEM_FORCE_PTRACE) ? PROC_MEM_FORCE_PTRACE : ++ PROC_MEM_FORCE_ALWAYS; ++ ++static const struct constant_table proc_mem_force_table[] __initconst = { ++ { "always", PROC_MEM_FORCE_ALWAYS }, ++ { "ptrace", PROC_MEM_FORCE_PTRACE }, ++ { "never", PROC_MEM_FORCE_NEVER }, ++ { } ++}; ++ ++static int __init early_proc_mem_force_override(char *buf) ++{ ++ if (!buf) ++ return -EINVAL; ++ ++ /* ++ * lookup_constant() defaults to proc_mem_force_override to preseve ++ * the initial Kconfig choice in case an invalid param gets passed. 
++ */ ++ proc_mem_force_override = lookup_constant(proc_mem_force_table, ++ buf, proc_mem_force_override); ++ ++ return 0; ++} ++early_param("proc_mem.force_override", early_proc_mem_force_override); ++ + struct pid_entry { + const char *name; + unsigned int len; +@@ -822,6 +857,28 @@ static int mem_open(struct inode *inode, struct file *file) + return ret; + } + ++static bool proc_mem_foll_force(struct file *file, struct mm_struct *mm) ++{ ++ struct task_struct *task; ++ bool ptrace_active = false; ++ ++ switch (proc_mem_force_override) { ++ case PROC_MEM_FORCE_NEVER: ++ return false; ++ case PROC_MEM_FORCE_PTRACE: ++ task = get_proc_task(file_inode(file)); ++ if (task) { ++ ptrace_active = READ_ONCE(task->ptrace) && ++ READ_ONCE(task->mm) == mm && ++ READ_ONCE(task->parent) == current; ++ put_task_struct(task); ++ } ++ return ptrace_active; ++ default: ++ return true; ++ } ++} ++ + static ssize_t mem_rw(struct file *file, char __user *buf, + size_t count, loff_t *ppos, int write) + { +@@ -842,7 +899,9 @@ static ssize_t mem_rw(struct file *file, char __user *buf, + if (!mmget_not_zero(mm)) + goto free; + +- flags = FOLL_FORCE | (write ? FOLL_WRITE : 0); ++ flags = write ? FOLL_WRITE : 0; ++ if (proc_mem_foll_force(file, mm)) ++ flags |= FOLL_FORCE; + + while (count > 0) { + size_t this_len = min_t(size_t, count, PAGE_SIZE); +diff --git a/security/Kconfig b/security/Kconfig +index 52e5109f2c1b6..b3dff990c326a 100644 +--- a/security/Kconfig ++++ b/security/Kconfig +@@ -19,6 +19,38 @@ config SECURITY_DMESG_RESTRICT + + If you are unsure how to answer this question, answer N. + ++choice ++ prompt "Allow /proc/pid/mem access override" ++ default PROC_MEM_ALWAYS_FORCE ++ help ++ Traditionally /proc/pid/mem allows users to override memory ++ permissions for users like ptrace, assuming they have ptrace ++ capability. ++ ++ This allows people to limit that - either never override, or ++ require actual active ptrace attachment. 
++ ++ Defaults to the traditional behavior (for now) ++ ++config PROC_MEM_ALWAYS_FORCE ++ bool "Traditional /proc/pid/mem behavior" ++ help ++ This allows /proc/pid/mem accesses to override memory mapping ++ permissions if you have ptrace access rights. ++ ++config PROC_MEM_FORCE_PTRACE ++ bool "Require active ptrace() use for access override" ++ help ++ This allows /proc/pid/mem accesses to override memory mapping ++ permissions for active ptracers like gdb. ++ ++config PROC_MEM_NO_FORCE ++ bool "Never" ++ help ++ Never override memory mapping permissions ++ ++endchoice ++ + config SECURITY + bool "Enable different security models" + depends on SYSFS +-- +2.43.0 + diff --git a/queue-5.4/regmap-hold-the-regmap-lock-when-allocating-and-free.patch b/queue-5.4/regmap-hold-the-regmap-lock-when-allocating-and-free.patch new file mode 100644 index 00000000000..20f5f76ae8b --- /dev/null +++ b/queue-5.4/regmap-hold-the-regmap-lock-when-allocating-and-free.patch 
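Review bot: `proc_mem_force_table[]` is terminated by an empty `{ }` entry and handed to `lookup_constant()` without a size, which matches the current upstream API; if this 5.4 tree still carries the older sized form (`__lookup_constant()` behind an ARRAY_SIZE-based `lookup_constant` macro, as I recall from pre-5.6 fs_parser.h), the sentinel is walked as a real entry and an unrecognised `proc_mem.force_override=` value ends in strcmp() on a NULL name during early boot; confirm against include/linux/fs_parser.h before queueing. The added `#include` line lost its header name in this rendering, so verify it is the fs_parser header that the table type and lookup need. Minor: the new comment reads `preseve`; it should say `preserve`.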
@@ -0,0 +1,60 @@ +From cfeaeea531577e4a93c02e916e83da63b3dc4d2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 20:13:36 +0100 +Subject: regmap: Hold the regmap lock when allocating and freeing the cache + +From: Mark Brown + +[ Upstream commit fd4ebc07b4dff7e1abedf1b7fd477bc04b69ae55 ] + +For the benefit of the maple tree's lockdep checking hold the lock while +creating and exiting the cache. + +Signed-off-by: Mark Brown +Link: https://patch.msgid.link/20240822-b4-regmap-maple-nolock-v1-2-d5e6dbae3396@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regcache.c | 4 ++++ + drivers/base/regmap/regmap.c | 1 + + 2 files changed, 5 insertions(+) + +diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c +index 7fdd702e564ae..2bd3394ef80bd 100644 +--- a/drivers/base/regmap/regcache.c ++++ b/drivers/base/regmap/regcache.c +@@ -189,7 +189,9 @@ int regcache_init(struct regmap *map, const struct regmap_config *config) + if (map->cache_ops->init) { + dev_dbg(map->dev, "Initializing %s cache\n", + map->cache_ops->name); ++ map->lock(map->lock_arg); + ret = map->cache_ops->init(map); ++ map->unlock(map->lock_arg); + if (ret) + goto err_free; + } +@@ -217,7 +219,9 @@ void regcache_exit(struct regmap *map) + if (map->cache_ops->exit) { + dev_dbg(map->dev, "Destroying %s cache\n", + map->cache_ops->name); ++ map->lock(map->lock_arg); + map->cache_ops->exit(map); ++ map->unlock(map->lock_arg); + } + } + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index aa9c6e0ff878d..9f13c167bdae4 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1348,6 +1348,7 @@ void regmap_exit(struct regmap *map) + struct regmap_async *async; + + regcache_exit(map); ++ + regmap_debugfs_exit(map); + regmap_range_exit(map); + if (map->bus && map->bus->free_context) +-- +2.43.0 + 
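Review bot: Wrapping `map->cache_ops->init(map)` and `map->cache_ops->exit(map)` in `map->lock()`/`map->unlock()` matters for regmaps that use a spinlock (fast_io): the cache backends present in 5.4 (rbtree, flat, lzo) allocate and free their state in init/exit, and if any of them does so with GFP_KERNEL rather than `map->alloc_flags`, this turns into sleeping under a spinlock; confirm before queueing. The upstream motivation is lockdep coverage for the maple-tree cache, which this tree does not have, so the backport carries that risk without the benefit. regcache_init's and regcache_exit's bodies continue outside the hunks.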
diff --git a/queue-5.4/scsi-aacraid-rearrange-order-of-struct-aac_srb_unit.patch b/queue-5.4/scsi-aacraid-rearrange-order-of-struct-aac_srb_unit.patch new file mode 100644 index 00000000000..b90ff9b7325 --- /dev/null +++ b/queue-5.4/scsi-aacraid-rearrange-order-of-struct-aac_srb_unit.patch 
@@ -0,0 +1,112 @@ +From bd8195cc64cf5ed236441bb69ef674831d6c7874 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2024 14:57:37 -0700 +Subject: scsi: aacraid: Rearrange order of struct aac_srb_unit + +From: Kees Cook + +[ Upstream commit 6e5860b0ad4934baee8c7a202c02033b2631bb44 ] + +struct aac_srb_unit contains struct aac_srb, which contains struct sgmap, +which ends in a (currently) "fake" (1-element) flexible array. Converting +this to a flexible array is needed so that runtime bounds checking won't +think the array is fixed size (i.e. under CONFIG_FORTIFY_SOURCE=y and/or +CONFIG_UBSAN_BOUNDS=y), as other parts of aacraid use struct sgmap as a +flexible array. + +It is not legal to have a flexible array in the middle of a structure, so +it either needs to be split up or rearranged so that it is at the end of +the structure. Luckily, struct aac_srb_unit, which is exclusively +consumed/updated by aac_send_safw_bmic_cmd(), does not depend on member +ordering. + +The values set in the on-stack struct aac_srb_unit instance "srbu" by the +only two callers, aac_issue_safw_bmic_identify() and +aac_get_safw_ciss_luns(), do not contain anything in srbu.srb.sgmap.sg, and +they both implicitly initialize srbu.srb.sgmap.count to 0 during +memset(). 
For example: + + memset(&srbu, 0, sizeof(struct aac_srb_unit)); + + srbcmd = &srbu.srb; + srbcmd->flags = cpu_to_le32(SRB_DataIn); + srbcmd->cdb[0] = CISS_REPORT_PHYSICAL_LUNS; + srbcmd->cdb[1] = 2; /* extended reporting */ + srbcmd->cdb[8] = (u8)(datasize >> 8); + srbcmd->cdb[9] = (u8)(datasize); + + rcode = aac_send_safw_bmic_cmd(dev, &srbu, phys_luns, datasize); + +During aac_send_safw_bmic_cmd(), a separate srb is mapped into DMA, and has +srbu.srb copied into it: + + srb = fib_data(fibptr); + memcpy(srb, &srbu->srb, sizeof(struct aac_srb)); + +Only then is srb.sgmap.count written and srb->sg populated: + + srb->count = cpu_to_le32(xfer_len); + + sg64 = (struct sgmap64 *)&srb->sg; + sg64->count = cpu_to_le32(1); + sg64->sg[0].addr[1] = cpu_to_le32(upper_32_bits(addr)); + sg64->sg[0].addr[0] = cpu_to_le32(lower_32_bits(addr)); + sg64->sg[0].count = cpu_to_le32(xfer_len); + +But this is happening in the DMA memory, not in srbu.srb. An attempt to +copy the changes back to srbu does happen: + + /* + * Copy the updated data for other dumping or other usage if + * needed + */ + memcpy(&srbu->srb, srb, sizeof(struct aac_srb)); + +But this was never correct: the sg64 (3 u32s) overlap of srb.sg (2 u32s) +always meant that srbu.srb would have held truncated information and any +attempt to walk srbu.srb.sg.sg based on the value of srbu.srb.sg.count +would result in attempting to parse past the end of srbu.srb.sg.sg[0] into +srbu.srb_reply. + +After getting a reply from hardware, the reply is copied into +srbu.srb_reply: + + srb_reply = (struct aac_srb_reply *)fib_data(fibptr); + memcpy(&srbu->srb_reply, srb_reply, sizeof(struct aac_srb_reply)); + +This has always been fixed-size, so there's no issue here. It is worth +noting that the two callers _never check_ srbu contents -- neither +srbu.srb nor srbu.srb_reply is examined. (They depend on the mapped +xfer_buf instead.) 
+ +Therefore, the ordering of members in struct aac_srb_unit does not matter, +and the flexible array member can moved to the end. + +(Additionally, the two memcpy()s that update srbu could be entirely +removed as they are never consumed, but I left that as-is.) + +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20240711215739.208776-1-kees@kernel.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aacraid/aacraid.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h +index 3fa03230f6ba3..6120f7890d903 100644 +--- a/drivers/scsi/aacraid/aacraid.h ++++ b/drivers/scsi/aacraid/aacraid.h +@@ -2024,8 +2024,8 @@ struct aac_srb_reply + }; + + struct aac_srb_unit { +- struct aac_srb srb; + struct aac_srb_reply srb_reply; ++ struct aac_srb srb; + }; + + /* +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 037f51c20d7..03b3c6c6a9f 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
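Review bot: The member swap in `struct aac_srb_unit` is only safe because `srb` and `srb_reply` are always copied individually (per the description) and never as a whole, yet nothing at the struct records that `srb` must now stay last; add a comment such as `/* srb must remain the last member: the sgmap at its tail is a flexible array */`. Whether `struct sgmap` in this 5.4 tree has already been converted to a flexible array member cannot be seen here; if it has not, the reorder is harmless but the comment still documents the constraint the upstream series relies on.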
@@ -195,3 +195,46 @@ alsa-hda-realtek-fix-the-push-button-function-for-th.patch
 alsa-hda-generic-unconditionally-prefer-preferred_da.patch
 alsa-hda-conexant-fix-conflicting-quirk-for-system76.patch
 f2fs-require-fmode_write-for-atomic-write-ioctls.patch
+wifi-ath9k-fix-possible-integer-overflow-in-ath9k_ge.patch
+wifi-ath9k_htc-use-__skb_set_length-for-resetting-ur.patch
+ice-adjust-over-allocation-of-memory-in-ice_sched_ad.patch
+net-hisilicon-hip04-fix-of-node-leak-in-probe.patch
+net-hisilicon-hns_dsaf_mac-fix-of-node-leak-in-hns_m.patch
+net-hisilicon-hns_mdio-fix-of-node-leak-in-probe.patch
+acpica-fix-memory-leak-if-acpi_ps_get_next_namepath-.patch
+acpica-fix-memory-leak-if-acpi_ps_get_next_field-fai.patch
+net-sched-consistently-use-rcu_replace_pointer-in-ta.patch
+wifi-rtw88-select-want_dev_coredump.patch
+acpi-ec-do-not-release-locks-during-operation-region.patch
+acpica-check-null-return-of-acpi_allocate_zeroed-in-.patch
+tipc-guard-against-string-buffer-overrun.patch
+net-mvpp2-increase-size-of-queue_name-buffer.patch
+ipv4-check-in_dev-earlier-for-ioctl-siocsifaddr.patch
+ipv4-mask-upper-dscp-bits-and-ecn-bits-in-netlink_fi.patch
+tcp-avoid-reusing-fin_wait2-when-trying-to-find-port.patch
+acpica-iasl-handle-empty-connection_node.patch
+proc-add-config-param-to-block-forcing-mem-writes.patch
+wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch
+nfp-use-irqf_no_autoen-flag-in-request_irq.patch
+signal-replace-bug_on-s.patch
+regmap-hold-the-regmap-lock-when-allocating-and-free.patch
+alsa-asihpi-fix-potential-oob-array-access.patch
+alsa-hdsp-break-infinite-midi-input-flush-loop.patch
+x86-syscall-avoid-memcpy-for-ia32-syscall_get_argume.patch
+fbdev-pxafb-fix-possible-use-after-free-in-pxafb_tas.patch
+power-reset-brcmstb-do-not-go-into-infinite-loop-if-.patch
+cgroup-disallow-mounting-v1-hierarchies-without-cont.patch
+ata-sata_sil-rename-sil_blacklist-to-sil_quirks.patch
+jfs-ubsan-shift-out-of-bounds-in-dbfindbits.patch
+jfs-fix-uaf-in-dbfreebits.patch
+jfs-check-if-leafidx-greater-than-num-leaves-per-dma.patch
+jfs-fix-uninit-value-access-of-new_ea-in-ea_buffer.patch
+drm-amd-display-check-stream-before-comparing-them.patch
+drm-amd-display-fix-index-out-of-bounds-in-degamma-h.patch
+drm-amd-display-initialize-get_bytes_per_element-s-d.patch
+drm-printer-allow-null-data-in-devcoredump-printer.patch
+scsi-aacraid-rearrange-order-of-struct-aac_srb_unit.patch
+drm-radeon-r100-handle-unknown-family-in-r100_cp_ini.patch
+of-irq-refer-to-actual-buffer-size-in-of_irq_parse_o.patch
+ext4-ext4_search_dir-should-return-a-proper-error.patch
+ext4-fix-i_data_sem-unlock-order-in-ext4_ind_migrate.patch
diff --git a/queue-5.4/signal-replace-bug_on-s.patch b/queue-5.4/signal-replace-bug_on-s.patch
new file mode 100644
index 00000000000..bf656618c65
--- /dev/null
+++ b/queue-5.4/signal-replace-bug_on-s.patch
@@ -0,0 +1,61 @@ +From f271a8e1767bcb3fae80b1f66afd96e55941bb48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2024 18:42:34 +0200 +Subject: signal: Replace BUG_ON()s + +From: Thomas Gleixner + +[ Upstream commit 7f8af7bac5380f2d95a63a6f19964e22437166e1 ] + +These really can be handled gracefully without killing the machine. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Frederic Weisbecker +Reviewed-by: Oleg Nesterov +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Sasha Levin +--- + kernel/signal.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/kernel/signal.c b/kernel/signal.c +index 1f4293a107b49..fae5a2adc9ec2 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1821,10 +1821,11 @@ struct sigqueue *sigqueue_alloc(void) + + void sigqueue_free(struct sigqueue *q) + { +- unsigned long flags; + spinlock_t *lock = ¤t->sighand->siglock; ++ unsigned long flags; + +- BUG_ON(!(q->flags & SIGQUEUE_PREALLOC)); ++ if (WARN_ON_ONCE(!(q->flags & SIGQUEUE_PREALLOC))) ++ return; + /* + * We must hold ->siglock while testing q->list + * to serialize with collect_signal() or with +@@ -1852,7 +1853,10 @@ int send_sigqueue(struct sigqueue *q, struct pid *pid, enum pid_type type) + unsigned long flags; + int ret, result; + +- BUG_ON(!(q->flags & SIGQUEUE_PREALLOC)); ++ if (WARN_ON_ONCE(!(q->flags & SIGQUEUE_PREALLOC))) ++ return 0; ++ if (WARN_ON_ONCE(q->info.si_code != SI_TIMER)) ++ return 0; + + ret = -1; + rcu_read_lock(); +@@ -1871,7 +1875,6 @@ int send_sigqueue(struct sigqueue *q, struct pid *pid, enum pid_type type) + * If an SI_TIMER entry is already queue just increment + * the overrun count. + */ +- BUG_ON(q->info.si_code != SI_TIMER); + q->info.si_overrun++; + result = TRACE_SIGNAL_ALREADY_PENDING; + goto out; +-- +2.43.0 + 
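Review bot: The two new `return 0;` paths in send_sigqueue() report the same value as a successful enqueue, so a caller that hands in a non-preallocated or non-SI_TIMER queue gets nothing beyond the one-shot WARN; if that is intended (the callers are presumably the posix timers, which should never reach it), a comment above the first WARN_ON_ONCE() such as `/* Not a posix-timer sigqueue: warn once and report "not queued" instead of crashing */` would document it. Hoisting the SI_TIMER check to function entry also makes it apply on every call rather than only when the entry was already queued, which is wider than what the removed BUG_ON() covered. In sigqueue_free() the new early return skips the release logic that follows it (outside the hunk), which reads like a leak without a one-line comment saying the queue is not ours to free. The `¤t->sighand` in the context line is an HTML-entity rendering of `&current->sighand`, not part of the change. Both function bodies continue outside the hunk.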
diff --git a/queue-5.4/tcp-avoid-reusing-fin_wait2-when-trying-to-find-port.patch b/queue-5.4/tcp-avoid-reusing-fin_wait2-when-trying-to-find-port.patch new file mode 100644 index 00000000000..67cea0c3a8d --- /dev/null +++ b/queue-5.4/tcp-avoid-reusing-fin_wait2-when-trying-to-find-port.patch 
@@ -0,0 +1,82 @@ +From 09d61085d21e80af71ed77fc58ee5ab6faa23dde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Aug 2024 08:11:52 +0800 +Subject: tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() + process + +From: Jason Xing + +[ Upstream commit 0d9e5df4a257afc3a471a82961ace9a22b88295a ] + +We found that one close-wait socket was reset by the other side +due to a new connection reusing the same port which is beyond our +expectation, so we have to investigate the underlying reason. + +The following experiment is conducted in the test environment. We +limit the port range from 40000 to 40010 and delay the time to close() +after receiving a fin from the active close side, which can help us +easily reproduce like what happened in production. + +Here are three connections captured by tcpdump: +127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965525191 +127.0.0.1.9999 > 127.0.0.1.40002: Flags [S.], seq 2769915070 +127.0.0.1.40002 > 127.0.0.1.9999: Flags [.], ack 1 +127.0.0.1.40002 > 127.0.0.1.9999: Flags [F.], seq 1, ack 1 +// a few seconds later, within 60 seconds +127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965590730 +127.0.0.1.9999 > 127.0.0.1.40002: Flags [.], ack 2 +127.0.0.1.40002 > 127.0.0.1.9999: Flags [R], seq 2965525193 +// later, very quickly +127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965590730 +127.0.0.1.9999 > 127.0.0.1.40002: Flags [S.], seq 3120990805 +127.0.0.1.40002 > 127.0.0.1.9999: Flags [.], ack 1 + +As we can see, the first flow is reset because: +1) client starts a new connection, I mean, the second one +2) client tries to find a suitable port which is a timewait socket + (its state is timewait, substate is fin_wait2) +3) client occupies that timewait port to send a SYN +4) server finds a corresponding close-wait socket in ehash table, + then replies with a challenge ack +5) client sends an RST to terminate this old close-wait socket. 
+ +I don't think the port selection algo can choose a FIN_WAIT2 socket +when we turn on tcp_tw_reuse because on the server side there +remain unread data. In some cases, if one side haven't call close() yet, +we should not consider it as expendable and treat it at will. + +Even though, sometimes, the server isn't able to call close() as soon +as possible like what we expect, it can not be terminated easily, +especially due to a second unrelated connection happening. + +After this patch, we can see the expected failure if we start a +connection when all the ports are occupied in fin_wait2 state: +"Ncat: Cannot assign requested address." + +Reported-by: Jade Dong +Signed-off-by: Jason Xing +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240823001152.31004-1-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index c18ad443ca7db..a0a4dbcf8c12f 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -110,6 +110,9 @@ int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp) + const struct tcp_timewait_sock *tcptw = tcp_twsk(sktw); + struct tcp_sock *tp = tcp_sk(sk); + ++ if (tw->tw_substate == TCP_FIN_WAIT2) ++ reuse = 0; ++ + if (reuse == 2) { + /* Still does not detect *everything* that goes through + * lo, since we require a loopback src or dst address +-- +2.43.0 + diff --git a/queue-5.4/tipc-guard-against-string-buffer-overrun.patch b/queue-5.4/tipc-guard-against-string-buffer-overrun.patch new file mode 100644 index 00000000000..2aef9645259 --- /dev/null +++ b/queue-5.4/tipc-guard-against-string-buffer-overrun.patch 
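Review bot: The new `reuse = 0` override placed before the `reuse == 2` check carries no comment explaining why a FIN_WAIT2 timewait socket is exempt from tcp_tw_reuse, and the reason (the peer is still in CLOSE_WAIT and may hold unread data; reusing the port provokes a challenge ACK and an RST that tears that socket down) lives only in the commit message. I would add `/* Peer has not closed yet (FIN_WAIT2): reusing the port would RST its CLOSE_WAIT socket. */` directly above the new `if`. Both `tw` and `reuse` are declared before the hunk and tcp_twsk_unique() continues after it, so the override's placement relative to any later reuse logic cannot be verified here.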
@@ -0,0 +1,53 @@ +From 1bdfa3410cfc7513af5a091a9227bac190c1aaa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 19:35:37 +0100 +Subject: tipc: guard against string buffer overrun + +From: Simon Horman + +[ Upstream commit 6555a2a9212be6983d2319d65276484f7c5f431a ] + +Smatch reports that copying media_name and if_name to name_parts may +overwrite the destination. + + .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) + .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) + +This does seem to be the case so guard against this possibility by using +strscpy() and failing if truncation occurs. + +Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge") + +Compile tested only. + +Reviewed-by: Jakub Kicinski +Signed-off-by: Simon Horman +Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index a0bc919e4e473..dc5c6b1e97910 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -160,8 +160,12 @@ static int bearer_name_validate(const char *name, + + /* return bearer name components, if necessary */ + if (name_parts) { +- strcpy(name_parts->media_name, media_name); +- strcpy(name_parts->if_name, if_name); ++ if (strscpy(name_parts->media_name, media_name, ++ TIPC_MAX_MEDIA_NAME) < 0) ++ return 0; ++ if (strscpy(name_parts->if_name, if_name, ++ TIPC_MAX_IF_NAME) < 0) ++ return 0; + } + return 1; + } +-- +2.43.0 + diff --git a/queue-5.4/wifi-ath9k-fix-possible-integer-overflow-in-ath9k_ge.patch b/queue-5.4/wifi-ath9k-fix-possible-integer-overflow-in-ath9k_ge.patch new file mode 100644 index 00000000000..6b213d745ef --- /dev/null 
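Review bot: The new strscpy() bounds are the TIPC_MAX_MEDIA_NAME/TIPC_MAX_IF_NAME constants rather than the destination fields themselves; `strscpy(name_parts->media_name, media_name, sizeof(name_parts->media_name))` (and likewise for if_name) ties the bound to the array the Smatch report measured, so a later change to the struct cannot silently reintroduce the overrun. On the second failure path name_parts->media_name has already been written, so a caller that ignores the 0 return would see a partially filled struct; a short comment above the block, or copying into locals first, would make that explicit. If the length checks earlier in bearer_name_validate() (outside the hunk) already bound both components, these failure branches are defence in depth and a comment saying so would save a reader from hunting for the reachable case.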
+++ b/queue-5.4/wifi-ath9k-fix-possible-integer-overflow-in-ath9k_ge.patch 
@@ -0,0 +1,47 @@ +From dda4820ee5c1f6a67f20f22ca2ad2e6e528de153 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 14:17:43 +0300 +Subject: wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Kandybka + +[ Upstream commit 3f66f26703093886db81f0610b97a6794511917c ] + +In 'ath9k_get_et_stats()', promote TX stats counters to 'u64' +to avoid possible integer overflow. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Dmitry Kandybka +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240725111743.14422-1-d.kandybka@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/debug.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c +index f5773ce252dd1..952c5e93e6ce9 100644 +--- a/drivers/net/wireless/ath/ath9k/debug.c ++++ b/drivers/net/wireless/ath/ath9k/debug.c +@@ -1316,11 +1316,11 @@ void ath9k_get_et_stats(struct ieee80211_hw *hw, + struct ath_softc *sc = hw->priv; + int i = 0; + +- data[i++] = (sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_pkts_all + ++ data[i++] = ((u64)sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_pkts_all + + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BK)].tx_pkts_all + + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VI)].tx_pkts_all + + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VO)].tx_pkts_all); +- data[i++] = (sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_bytes_all + ++ data[i++] = ((u64)sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_bytes_all + + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BK)].tx_bytes_all + + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VI)].tx_bytes_all + + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VO)].tx_bytes_all); +-- +2.43.0 
+ diff --git a/queue-5.4/wifi-ath9k_htc-use-__skb_set_length-for-resetting-ur.patch b/queue-5.4/wifi-ath9k_htc-use-__skb_set_length-for-resetting-ur.patch new file mode 100644 index 00000000000..52ca28c6319 --- /dev/null +++ b/queue-5.4/wifi-ath9k_htc-use-__skb_set_length-for-resetting-ur.patch 
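Review bot: The `(u64)` cast on the first operand only is correct because addition is left-associative, so each subsequent `+` is performed in 64 bits, but that is subtle enough to deserve a comment above the first `data[i++]`, e.g. `/* sum in 64 bits: ethtool stats are u64 and the per-queue counters may overflow a narrower sum */`. Whether the per-queue tx_pkts_all/tx_bytes_all fields are 32-bit is not visible here; the commit message only says the counters are promoted to u64. ath9k_get_et_stats() continues outside the hunk.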
@@ -0,0 +1,59 @@ +From 76eedac7a1ce77b1197408c3d8da8fce9acfb873 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2024 16:24:46 +0200 +Subject: wifi: ath9k_htc: Use __skb_set_length() for resetting urb before + resubmit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 94745807f3ebd379f23865e6dab196f220664179 ] + +Syzbot points out that skb_trim() has a sanity check on the existing length of +the skb, which can be uninitialised in some error paths. The intent here is +clearly just to reset the length to zero before resubmitting, so switch to +calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length() +already contains a call to skb_reset_tail_pointer(), so remove the redundant +call. + +The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar +usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it. + +Reported-by: syzbot+98afa303be379af6cdb2@syzkaller.appspotmail.com +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240812142447.12328-1-toke@toke.dk +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 3aa915d215545..24059a5178a9d 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -718,8 +718,7 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb) + } + + resubmit: +- skb_reset_tail_pointer(skb); +- skb_trim(skb, 0); ++ __skb_set_length(skb, 0); + + usb_anchor_urb(urb, &hif_dev->rx_submitted); + ret = usb_submit_urb(urb, GFP_ATOMIC); +@@ -756,8 +755,7 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + case -ESHUTDOWN: + goto free_skb; + default: +- skb_reset_tail_pointer(skb); +- skb_trim(skb, 0); ++ 
__skb_set_length(skb, 0); + + goto resubmit; + } +-- +2.43.0 + diff --git a/queue-5.4/wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch b/queue-5.4/wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch new file mode 100644 index 00000000000..38810124334 --- /dev/null +++ b/queue-5.4/wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch 
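Review bot: Replacing skb_trim() with `__skb_set_length(skb, 0)` removes the length sanity check that syzbot tripped rather than initialising skb->len on the error paths that leave it stale, so the resubmit sites now accept whatever length the skb carried; that is a reasonable choice for a buffer being recycled, but a comment at the `resubmit:` label such as `/* Recycle the URB's skb: len may be stale on error paths, so reset it without skb_trim()'s length check. */` would record why the cheaper call is the correct one. The same comment applies to the `default:` branch in ath9k_hif_usb_reg_in_cb(). Both functions start and end outside the hunk, so the paths that leave len uninitialised cannot be reviewed here.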
@@ -0,0 +1,62 @@ +From d20ef3bae418270143becd754c835540922087b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 15:23:51 -0600 +Subject: wifi: mwifiex: Fix memcpy() field-spanning write warning in + mwifiex_cmd_802_11_scan_ext() + +From: Gustavo A. R. Silva + +[ Upstream commit 498365e52bebcbc36a93279fe7e9d6aec8479cee ] + +Replace one-element array with a flexible-array member in +`struct host_cmd_ds_802_11_scan_ext`. + +With this, fix the following warning: + +elo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------ +elo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1) +elo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex] + +Reported-by: Andy Shevchenko +Closes: https://lore.kernel.org/linux-hardening/ZsZNgfnEwOcPdCly@black.fi.intel.com/ +Signed-off-by: Gustavo A. R. 
Silva +Reviewed-by: Andy Shevchenko +Acked-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/ZsZa5xRcsLq9D+RX@elsanto +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/fw.h | 2 +- + drivers/net/wireless/marvell/mwifiex/scan.c | 3 +-- + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h +index 3e3134bcc2b06..bfa482cf464ff 100644 +--- a/drivers/net/wireless/marvell/mwifiex/fw.h ++++ b/drivers/net/wireless/marvell/mwifiex/fw.h +@@ -1590,7 +1590,7 @@ struct host_cmd_ds_802_11_scan_rsp { + + struct host_cmd_ds_802_11_scan_ext { + u32 reserved; +- u8 tlv_buffer[1]; ++ u8 tlv_buffer[]; + } __packed; + + struct mwifiex_ie_types_bss_mode { +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index 1ab04adc53dcd..5e7fc7ba3eda1 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -2563,8 +2563,7 @@ int mwifiex_ret_802_11_scan_ext(struct mwifiex_private *priv, + ext_scan_resp = &resp->params.ext_scan; + + tlv = (void *)ext_scan_resp->tlv_buffer; +- buf_left = le16_to_cpu(resp->size) - (sizeof(*ext_scan_resp) + S_DS_GEN +- - 1); ++ buf_left = le16_to_cpu(resp->size) - (sizeof(*ext_scan_resp) + S_DS_GEN); + + while (buf_left >= sizeof(struct mwifiex_ie_types_header)) { + type = le16_to_cpu(tlv->type); +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtw88-select-want_dev_coredump.patch b/queue-5.4/wifi-rtw88-select-want_dev_coredump.patch new file mode 100644 index 00000000000..e0170ab3474 --- /dev/null +++ b/queue-5.4/wifi-rtw88-select-want_dev_coredump.patch 
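Review bot: The recomputed `buf_left = le16_to_cpu(resp->size) - (sizeof(*ext_scan_resp) + S_DS_GEN);` still has no check that the (presumably firmware-supplied) resp->size is at least that header size, so an undersized response wraps buf_left, or makes it negative, which the comparison against a size_t in the `while` treats as huge, and the TLV walk reads past the response. A guard before the subtraction, `if (le16_to_cpu(resp->size) < sizeof(*ext_scan_resp) + S_DS_GEN) return -1;` (using whatever error value the function's other failure paths return), would close that. The flexible-array conversion itself is consistent: dropping the `- 1` matches sizeof(*ext_scan_resp) no longer counting the placeholder byte. buf_left's type and the rest of mwifiex_ret_802_11_scan_ext() are outside the hunk.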
@@ -0,0 +1,35 @@ +From 9a924e36f6b0d4332a9c51e0960135fa5bee1788 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 15:06:15 +0800 +Subject: wifi: rtw88: select WANT_DEV_COREDUMP + +From: Zong-Zhe Yang + +[ Upstream commit 7e989b0c1e33210c07340bf5228aa83ea52515b5 ] + +We have invoked device coredump when fw crash. +Should select WANT_DEV_COREDUMP by ourselves. + +Signed-off-by: Zong-Zhe Yang +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20240718070616.42217-1-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/realtek/rtw88/Kconfig b/drivers/net/wireless/realtek/rtw88/Kconfig +index 33bd7ed797ff7..474e0c3f35558 100644 +--- a/drivers/net/wireless/realtek/rtw88/Kconfig ++++ b/drivers/net/wireless/realtek/rtw88/Kconfig +@@ -12,6 +12,7 @@ if RTW88 + + config RTW88_CORE + tristate ++ select WANT_DEV_COREDUMP + + config RTW88_PCI + tristate +-- +2.43.0 + diff --git a/queue-5.4/x86-syscall-avoid-memcpy-for-ia32-syscall_get_argume.patch b/queue-5.4/x86-syscall-avoid-memcpy-for-ia32-syscall_get_argume.patch new file mode 100644 index 00000000000..df28c01f002 --- /dev/null +++ b/queue-5.4/x86-syscall-avoid-memcpy-for-ia32-syscall_get_argume.patch 
@@ -0,0 +1,71 @@ +From 0bcfdbd962b4707af54edfd8e8b0f6cadf1eae80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 13:22:06 -0700 +Subject: x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit d19d638b1e6cf746263ef60b7d0dee0204d8216a ] + +Modern (fortified) memcpy() prefers to avoid writing (or reading) beyond +the end of the addressed destination (or source) struct member: + +In function ‘fortify_memcpy_chk’, + inlined from ‘syscall_get_arguments’ at ./arch/x86/include/asm/syscall.h:85:2, + inlined from ‘populate_seccomp_data’ at kernel/seccomp.c:258:2, + inlined from ‘__seccomp_filter’ at kernel/seccomp.c:1231:3: +./include/linux/fortify-string.h:580:25: error: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning] + 580 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As already done for x86_64 and compat mode, do not use memcpy() to +extract syscall arguments from struct pt_regs but rather just perform +direct assignments. Binary output differences are negligible, and actually +ends up using less stack space: + +- sub $0x84,%esp ++ sub $0x6c,%esp + +and less text size: + + text data bss dec hex filename + 10794 252 0 11046 2b26 gcc-32b/kernel/seccomp.o.stock + 10714 252 0 10966 2ad6 gcc-32b/kernel/seccomp.o.after + +Closes: https://lore.kernel.org/lkml/9b69fb14-df89-4677-9c82-056ea9e706f5@gmail.com/ +Reported-by: Mirsad Todorovac +Signed-off-by: Kees Cook +Signed-off-by: Dave Hansen +Reviewed-by: Gustavo A. R. 
Silva +Acked-by: Dave Hansen +Tested-by: Mirsad Todorovac +Link: https://lore.kernel.org/all/20240708202202.work.477-kees%40kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/syscall.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h +index 8db3fdb6102ec..2e7bffe9ae7d0 100644 +--- a/arch/x86/include/asm/syscall.h ++++ b/arch/x86/include/asm/syscall.h +@@ -94,7 +94,12 @@ static inline void syscall_get_arguments(struct task_struct *task, + struct pt_regs *regs, + unsigned long *args) + { +- memcpy(args, ®s->bx, 6 * sizeof(args[0])); ++ args[0] = regs->bx; ++ args[1] = regs->cx; ++ args[2] = regs->dx; ++ args[3] = regs->si; ++ args[4] = regs->di; ++ args[5] = regs->bp; + } + + static inline void syscall_set_arguments(struct task_struct *task, +-- +2.43.0 +
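Review bot: The six assignments encode the ia32 syscall argument order (ebx, ecx, edx, esi, edi, ebp) by position, where the old memcpy() encoded it through struct pt_regs layout; a comment above `args[0] = regs->bx;` such as `/* ia32 syscall ABI: arguments in ebx, ecx, edx, esi, edi, ebp */` keeps that contract visible if struct pt_regs is ever reordered. The `®s->bx` in the removed line is an HTML-entity rendering of `&regs->bx`, not the original text. The preprocessor branch selecting this ia32 variant lies outside the hunk.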