From 24dbe47df627be4273e245102a1903ca9b9165b0 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 20 Jul 2023 19:09:08 +0200 Subject: [PATCH] 6.1-stable patches added patches: hid-amd_sfh-fix-for-shift-out-of-bounds.patch hid-amd_sfh-rename-the-float32-variable.patch net-lan743x-don-t-sleep-in-atomic-context.patch net-ncsi-change-from-ndo_set_mac_address-to-dev_set_mac_address.patch series --- ...-amd_sfh-fix-for-shift-out-of-bounds.patch | 95 +++++++++++++++++++ ...-amd_sfh-rename-the-float32-variable.patch | 61 ++++++++++++ ...an743x-don-t-sleep-in-atomic-context.patch | 72 ++++++++++++++ ...t_mac_address-to-dev_set_mac_address.patch | 50 ++++++++++ queue-6.1/series | 4 + 5 files changed, 282 insertions(+) create mode 100644 queue-6.1/hid-amd_sfh-fix-for-shift-out-of-bounds.patch create mode 100644 queue-6.1/hid-amd_sfh-rename-the-float32-variable.patch create mode 100644 queue-6.1/net-lan743x-don-t-sleep-in-atomic-context.patch create mode 100644 queue-6.1/net-ncsi-change-from-ndo_set_mac_address-to-dev_set_mac_address.patch create mode 100644 queue-6.1/series diff --git a/queue-6.1/hid-amd_sfh-fix-for-shift-out-of-bounds.patch b/queue-6.1/hid-amd_sfh-fix-for-shift-out-of-bounds.patch new file mode 100644 index 00000000000..f356feb4bac --- /dev/null +++ b/queue-6.1/hid-amd_sfh-fix-for-shift-out-of-bounds.patch @@ -0,0 +1,95 @@ +From 87854366176403438d01f368b09de3ec2234e0f5 Mon Sep 17 00:00:00 2001 +From: Basavaraj Natikar +Date: Fri, 7 Jul 2023 12:27:22 +0530 +Subject: HID: amd_sfh: Fix for shift-out-of-bounds + +From: Basavaraj Natikar + +commit 87854366176403438d01f368b09de3ec2234e0f5 upstream. + +Shift operation of 'exp' and 'shift' variables exceeds the maximum number +of shift values in the u32 range leading to UBSAN shift-out-of-bounds. + +... +[ 6.120512] UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50 +[ 6.120598] shift exponent 104 is too large for 64-bit type 'long unsigned int' +[ 6.120659] CPU: 4 PID: 96 Comm: kworker/4:1 Not tainted 6.4.0amd_1-next-20230519-dirty #10 +[ 6.120665] Hardware name: AMD Birman-PHX/Birman-PHX, BIOS SFH_with_HPD_SEN.FD 04/05/2023 +[ 6.120667] Workqueue: events amd_sfh_work_buffer [amd_sfh] +[ 6.120687] Call Trace: +[ 6.120690] +[ 6.120694] dump_stack_lvl+0x48/0x70 +[ 6.120704] dump_stack+0x10/0x20 +[ 6.120707] ubsan_epilogue+0x9/0x40 +[ 6.120716] __ubsan_handle_shift_out_of_bounds+0x10f/0x170 +[ 6.120720] ? psi_group_change+0x25f/0x4b0 +[ 6.120729] float_to_int.cold+0x18/0xba [amd_sfh] +[ 6.120739] get_input_rep+0x57/0x340 [amd_sfh] +[ 6.120748] ? __schedule+0xba7/0x1b60 +[ 6.120756] ? __pfx_get_input_rep+0x10/0x10 [amd_sfh] +[ 6.120764] amd_sfh_work_buffer+0x91/0x180 [amd_sfh] +[ 6.120772] process_one_work+0x229/0x430 +[ 6.120780] worker_thread+0x4a/0x3c0 +[ 6.120784] ? __pfx_worker_thread+0x10/0x10 +[ 6.120788] kthread+0xf7/0x130 +[ 6.120792] ? __pfx_kthread+0x10/0x10 +[ 6.120795] ret_from_fork+0x29/0x50 +[ 6.120804] +... + +Fix this by adding the condition to validate shift ranges. + +Fixes: 93ce5e0231d7 ("HID: amd_sfh: Implement SFH1.1 functionality") +Cc: stable@vger.kernel.org +Tested-by: Kai-Heng Feng +Signed-off-by: Basavaraj Natikar +Signed-off-by: Akshata MukundShetty +Link: https://lore.kernel.org/r/20230707065722.9036-3-Basavaraj.Natikar@amd.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c | 20 +++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c +index c81d20cd3081..06bdcf072d10 100644 +--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c ++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c +@@ -143,16 +143,32 @@ static int float_to_int(u32 flt32_val) + if (!exp && !mantissa) + return 0; + ++ /* ++ * Calculate the exponent and fraction part of floating ++ * point representation. ++ */ + exp -= 127; + if (exp < 0) { + exp = -exp; ++ if (exp >= BITS_PER_TYPE(u32)) ++ return 0; + zeropre = (((BIT(23) + mantissa) * 100) >> 23) >> exp; + return zeropre >= 50 ? sign : 0; + } + + shift = 23 - exp; +- flt32_val = BIT(exp) + (mantissa >> shift); +- fraction = mantissa & GENMASK(shift - 1, 0); ++ if (abs(shift) >= BITS_PER_TYPE(u32)) ++ return 0; ++ ++ if (shift < 0) { ++ shift = -shift; ++ flt32_val = BIT(exp) + (mantissa << shift); ++ shift = 0; ++ } else { ++ flt32_val = BIT(exp) + (mantissa >> shift); ++ } ++ ++ fraction = (shift == 0) ? 0 : mantissa & GENMASK(shift - 1, 0); + + return (((fraction * 100) >> shift) >= 50) ? sign * (flt32_val + 1) : sign * flt32_val; + } +-- +2.41.0 + diff --git a/queue-6.1/hid-amd_sfh-rename-the-float32-variable.patch b/queue-6.1/hid-amd_sfh-rename-the-float32-variable.patch new file mode 100644 index 00000000000..74fc2ae31fe --- /dev/null +++ b/queue-6.1/hid-amd_sfh-rename-the-float32-variable.patch @@ -0,0 +1,61 @@ +From c1685a862a4bea863537f06abaa37a123aef493c Mon Sep 17 00:00:00 2001 +From: Basavaraj Natikar +Date: Fri, 7 Jul 2023 12:27:21 +0530 +Subject: HID: amd_sfh: Rename the float32 variable + +From: Basavaraj Natikar + +commit c1685a862a4bea863537f06abaa37a123aef493c upstream. + +As float32 is also used in other places as a data type, it is necessary +to rename the float32 variable in order to avoid confusion. + +Cc: stable@vger.kernel.org +Tested-by: Kai-Heng Feng +Signed-off-by: Basavaraj Natikar +Signed-off-by: Akshata MukundShetty +Link: https://lore.kernel.org/r/20230707065722.9036-2-Basavaraj.Natikar@amd.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c +index 6f0d332ccf51..c81d20cd3081 100644 +--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c ++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c +@@ -132,13 +132,13 @@ static void get_common_inputs(struct common_input_property *common, int report_i + common->event_type = HID_USAGE_SENSOR_EVENT_DATA_UPDATED_ENUM; + } + +-static int float_to_int(u32 float32) ++static int float_to_int(u32 flt32_val) + { + int fraction, shift, mantissa, sign, exp, zeropre; + +- mantissa = float32 & GENMASK(22, 0); +- sign = (float32 & BIT(31)) ? -1 : 1; +- exp = (float32 & ~BIT(31)) >> 23; ++ mantissa = flt32_val & GENMASK(22, 0); ++ sign = (flt32_val & BIT(31)) ? -1 : 1; ++ exp = (flt32_val & ~BIT(31)) >> 23; + + if (!exp && !mantissa) + return 0; +@@ -151,10 +151,10 @@ static int float_to_int(u32 float32) + } + + shift = 23 - exp; +- float32 = BIT(exp) + (mantissa >> shift); ++ flt32_val = BIT(exp) + (mantissa >> shift); + fraction = mantissa & GENMASK(shift - 1, 0); + +- return (((fraction * 100) >> shift) >= 50) ? sign * (float32 + 1) : sign * float32; ++ return (((fraction * 100) >> shift) >= 50) ? sign * (flt32_val + 1) : sign * flt32_val; + } + + static u8 get_input_rep(u8 current_index, int sensor_idx, int report_id, +-- +2.41.0 + diff --git a/queue-6.1/net-lan743x-don-t-sleep-in-atomic-context.patch b/queue-6.1/net-lan743x-don-t-sleep-in-atomic-context.patch new file mode 100644 index 00000000000..2fd879c3d38 --- /dev/null +++ b/queue-6.1/net-lan743x-don-t-sleep-in-atomic-context.patch @@ -0,0 +1,72 @@ +From 7a8227b2e76be506b2ac64d2beac950ca04892a5 Mon Sep 17 00:00:00 2001 +From: Moritz Fischer +Date: Tue, 27 Jun 2023 03:50:00 +0000 +Subject: net: lan743x: Don't sleep in atomic context + +From: Moritz Fischer + +commit 7a8227b2e76be506b2ac64d2beac950ca04892a5 upstream. + +dev_set_rx_mode() grabs a spin_lock, and the lan743x implementation +proceeds subsequently to go to sleep using readx_poll_timeout(). + +Introduce a helper wrapping the readx_poll_timeout_atomic() function +and use it to replace the calls to readx_polL_timeout(). + +Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") +Cc: stable@vger.kernel.org +Cc: Bryan Whitehead +Cc: UNGLinuxDriver@microchip.com +Signed-off-by: Moritz Fischer +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230627035000.1295254-1-moritzf@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microchip/lan743x_main.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -144,6 +144,18 @@ static int lan743x_csr_light_reset(struc + !(data & HW_CFG_LRST_), 100000, 10000000); + } + ++static int lan743x_csr_wait_for_bit_atomic(struct lan743x_adapter *adapter, ++ int offset, u32 bit_mask, ++ int target_value, int udelay_min, ++ int udelay_max, int count) ++{ ++ u32 data; ++ ++ return readx_poll_timeout_atomic(LAN743X_CSR_READ_OP, offset, data, ++ target_value == !!(data & bit_mask), ++ udelay_max, udelay_min * count); ++} ++ + static int lan743x_csr_wait_for_bit(struct lan743x_adapter *adapter, + int offset, u32 bit_mask, + int target_value, int usleep_min, +@@ -746,8 +758,8 @@ static int lan743x_dp_write(struct lan74 + u32 dp_sel; + int i; + +- if (lan743x_csr_wait_for_bit(adapter, DP_SEL, DP_SEL_DPRDY_, +- 1, 40, 100, 100)) ++ if (lan743x_csr_wait_for_bit_atomic(adapter, DP_SEL, DP_SEL_DPRDY_, ++ 1, 40, 100, 100)) + return -EIO; + dp_sel = lan743x_csr_read(adapter, DP_SEL); + dp_sel &= ~DP_SEL_MASK_; +@@ -758,8 +770,9 @@ static int lan743x_dp_write(struct lan74 + lan743x_csr_write(adapter, DP_ADDR, addr + i); + lan743x_csr_write(adapter, DP_DATA_0, buf[i]); + lan743x_csr_write(adapter, DP_CMD, DP_CMD_WRITE_); +- if (lan743x_csr_wait_for_bit(adapter, DP_SEL, DP_SEL_DPRDY_, +- 1, 40, 100, 100)) ++ if (lan743x_csr_wait_for_bit_atomic(adapter, DP_SEL, ++ DP_SEL_DPRDY_, ++ 1, 40, 100, 100)) + return -EIO; + } + diff --git a/queue-6.1/net-ncsi-change-from-ndo_set_mac_address-to-dev_set_mac_address.patch b/queue-6.1/net-ncsi-change-from-ndo_set_mac_address-to-dev_set_mac_address.patch new file mode 100644 index 00000000000..1ffb57b8b18 --- /dev/null +++ b/queue-6.1/net-ncsi-change-from-ndo_set_mac_address-to-dev_set_mac_address.patch @@ -0,0 +1,50 @@ +From 790071347a0a1a89e618eedcd51c687ea783aeb3 Mon Sep 17 00:00:00 2001 +From: Ivan Mikhaylov +Date: Wed, 7 Jun 2023 18:17:42 +0300 +Subject: net/ncsi: change from ndo_set_mac_address to dev_set_mac_address + +From: Ivan Mikhaylov + +commit 790071347a0a1a89e618eedcd51c687ea783aeb3 upstream. + +Change ndo_set_mac_address to dev_set_mac_address because +dev_set_mac_address provides a way to notify network layer about MAC +change. In other case, services may not aware about MAC change and keep +using old one which set from network adapter driver. + +As example, DHCP client from systemd do not update MAC address without +notification from net subsystem which leads to the problem with acquiring +the right address from DHCP server. + +Fixes: cb10c7c0dfd9e ("net/ncsi: Add NCSI Broadcom OEM command") +Cc: stable@vger.kernel.org # v6.0+ 2f38e84 net/ncsi: make one oem_gma function for all mfr id +Signed-off-by: Paul Fertser +Signed-off-by: Ivan Mikhaylov +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ncsi/ncsi-rsp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -616,7 +616,6 @@ static int ncsi_rsp_handler_oem_mlx_gma( + { + struct ncsi_dev_priv *ndp = nr->ndp; + struct net_device *ndev = ndp->ndev.dev; +- const struct net_device_ops *ops = ndev->netdev_ops; + struct ncsi_rsp_oem_pkt *rsp; + struct sockaddr saddr; + int ret = 0; +@@ -630,7 +629,9 @@ static int ncsi_rsp_handler_oem_mlx_gma( + /* Set the flag for GMA command which should only be called once */ + ndp->gma_flag = 1; + +- ret = ops->ndo_set_mac_address(ndev, &saddr); ++ rtnl_lock(); ++ ret = dev_set_mac_address(ndev, &saddr, NULL); ++ rtnl_unlock(); + if (ret < 0) + netdev_warn(ndev, "NCSI: 'Writing mac address to device failed\n"); + diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 00000000000..aee3e82ff54 --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1,4 @@ +net-ncsi-change-from-ndo_set_mac_address-to-dev_set_mac_address.patch +hid-amd_sfh-rename-the-float32-variable.patch +hid-amd_sfh-fix-for-shift-out-of-bounds.patch +net-lan743x-don-t-sleep-in-atomic-context.patch -- 2.47.3