From 3c6ef3277eaa6b84c8433ea311940ddec06a7c89 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 13 May 2024 16:23:34 +0200 Subject: [PATCH] 6.1-stable patches added patches: asoc-tegra-fix-dspk-16-bit-playback.patch asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch dyndbg-fix-old-bug_on-in-control-parser.patch mei-me-add-lunar-lake-point-m-did.patch net-bcmgenet-synchronize-ext_rgmii_oob_ctrl-access.patch net-bcmgenet-synchronize-umac_cmd-access.patch net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch slimbus-qcom-ngd-ctrl-add-timeout-for-wait-operation.patch tipc-fix-uaf-in-error-path.patch --- .../asoc-tegra-fix-dspk-16-bit-playback.patch | 53 +++++ ...casp-fix-race-condition-during-probe.patch | 76 ++++++++ ...dbg-fix-old-bug_on-in-control-parser.patch | 36 ++++ .../mei-me-add-lunar-lake-point-m-did.patch | 43 ++++ ...ynchronize-ext_rgmii_oob_ctrl-access.patch | 54 +++++ ...bcmgenet-synchronize-umac_cmd-access.patch | 184 ++++++++++++++++++ ...chronize-use-of-bcmgenet_set_rx_mode.patch | 45 +++++ queue-6.1/series | 9 + ...-ctrl-add-timeout-for-wait-operation.patch | 43 ++++ queue-6.1/tipc-fix-uaf-in-error-path.patch | 141 ++++++++++++++ 10 files changed, 684 insertions(+) create mode 100644 queue-6.1/asoc-tegra-fix-dspk-16-bit-playback.patch create mode 100644 queue-6.1/asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch create mode 100644 queue-6.1/dyndbg-fix-old-bug_on-in-control-parser.patch create mode 100644 queue-6.1/mei-me-add-lunar-lake-point-m-did.patch create mode 100644 queue-6.1/net-bcmgenet-synchronize-ext_rgmii_oob_ctrl-access.patch create mode 100644 queue-6.1/net-bcmgenet-synchronize-umac_cmd-access.patch create mode 100644 queue-6.1/net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch create mode 100644 queue-6.1/slimbus-qcom-ngd-ctrl-add-timeout-for-wait-operation.patch create mode 100644 queue-6.1/tipc-fix-uaf-in-error-path.patch 
diff --git a/queue-6.1/asoc-tegra-fix-dspk-16-bit-playback.patch b/queue-6.1/asoc-tegra-fix-dspk-16-bit-playback.patch
new file mode 100644
index 00000000000..90a2fefe45c
--- /dev/null
+++ b/queue-6.1/asoc-tegra-fix-dspk-16-bit-playback.patch
@@ -0,0 +1,53 @@
+From 2e93a29b48a017c777d4fcbfcc51aba4e6a90d38 Mon Sep 17 00:00:00 2001
+From: Sameer Pujar
+Date: Fri, 5 Apr 2024 10:43:06 +0000
+Subject: ASoC: tegra: Fix DSPK 16-bit playback
+
+From: Sameer Pujar
+
+commit 2e93a29b48a017c777d4fcbfcc51aba4e6a90d38 upstream.
+
+DSPK configuration is wrong for 16-bit playback and this happens because
+the client config is always fixed at 24-bit in hw_params(). Fix this by
+updating the client config to 16-bit for the respective playback.
+
+Fixes: 327ef6470266 ("ASoC: tegra: Add Tegra186 based DSPK driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sameer Pujar
+Acked-by: Thierry Reding
+Link: https://msgid.link/r/20240405104306.551036-1-spujar@nvidia.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/tegra/tegra186_dspk.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/tegra/tegra186_dspk.c
++++ b/sound/soc/tegra/tegra186_dspk.c
+@@ -1,8 +1,7 @@
+ // SPDX-License-Identifier: GPL-2.0-only
++// SPDX-FileCopyrightText: Copyright (c) 2020-2024 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+ //
+ // tegra186_dspk.c - Tegra186 DSPK driver
+-//
+-// Copyright (c) 2020 NVIDIA CORPORATION. All rights reserved.
+
+ #include
+ #include
+@@ -241,14 +240,14 @@ static int tegra186_dspk_hw_params(struc
+ return -EINVAL;
+ }
+
+- cif_conf.client_bits = TEGRA_ACIF_BITS_24;
+-
+ switch (params_format(params)) {
+ case SNDRV_PCM_FORMAT_S16_LE:
+ cif_conf.audio_bits = TEGRA_ACIF_BITS_16;
++ cif_conf.client_bits = TEGRA_ACIF_BITS_16;
+ break;
+ case SNDRV_PCM_FORMAT_S32_LE:
+ cif_conf.audio_bits = TEGRA_ACIF_BITS_32;
++ cif_conf.client_bits = TEGRA_ACIF_BITS_24;
+ break;
+ default:
+ dev_err(dev, "unsupported format!\n");
diff --git a/queue-6.1/asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch b/queue-6.1/asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch
new file mode 100644
index 00000000000..130de112731
--- /dev/null
+++ b/queue-6.1/asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch
@@ -0,0 +1,76 @@
+From d18ca8635db2f88c17acbdf6412f26d4f6aff414 Mon Sep 17 00:00:00 2001
+From: Joao Paulo Goncalves
+Date: Wed, 17 Apr 2024 15:41:38 -0300
+Subject: ASoC: ti: davinci-mcasp: Fix race condition during probe
+
+From: Joao Paulo Goncalves
+
+commit d18ca8635db2f88c17acbdf6412f26d4f6aff414 upstream.
+
+When using davinci-mcasp as CPU DAI with simple-card, there are some
+conditions that cause simple-card to finish registering a sound card before
+davinci-mcasp finishes registering all sound components. This creates a
+non-working sound card from userspace with no problem indication apart
+from not being able to play/record audio on a PCM stream. The issue
+arises during simultaneous probe execution of both drivers. Specifically,
+the simple-card driver, awaiting a CPU DAI, proceeds as soon as
+davinci-mcasp registers its DAI. However, this process can lead to the
+client mutex lock (client_mutex in soc-core.c) being held or davinci-mcasp
+being preempted before PCM DMA registration on davinci-mcasp finishes.
+This situation occurs when the probes of both drivers run concurrently.
+Below is the code path for this condition. To solve the issue, defer
+davinci-mcasp CPU DAI registration to the last step in the audio part of
+it. This way, simple-card CPU DAI parsing will be deferred until all
+audio components are registered.
+
+Fail Code Path:
+
+simple-card.c: probe starts
+simple-card.c: simple_dai_link_of: simple_parse_node(..,cpu,..) returns EPROBE_DEFER, no CPU DAI yet
+davinci-mcasp.c: probe starts
+davinci-mcasp.c: devm_snd_soc_register_component() register CPU DAI
+simple-card.c: probes again, finish CPU DAI parsing and call devm_snd_soc_register_card()
+simple-card.c: finish probe
+davinci-mcasp.c: *dma_pcm_platform_register() register PCM DMA
+davinci-mcasp.c: probe finish
+
+Cc: stable@vger.kernel.org
+Fixes: 9fbd58cf4ab0 ("ASoC: davinci-mcasp: Choose PCM driver based on configured DMA controller")
+Signed-off-by: Joao Paulo Goncalves
+Acked-by: Peter Ujfalusi
+Reviewed-by: Jai Luthra
+Link: https://lore.kernel.org/r/20240417184138.1104774-1-jpaulo.silvagoncalves@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/ti/davinci-mcasp.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/sound/soc/ti/davinci-mcasp.c
++++ b/sound/soc/ti/davinci-mcasp.c
+@@ -2416,12 +2416,6 @@ static int davinci_mcasp_probe(struct pl
+
+ mcasp_reparent_fck(pdev);
+
+- ret = devm_snd_soc_register_component(&pdev->dev, &davinci_mcasp_component,
+- &davinci_mcasp_dai[mcasp->op_mode], 1);
+-
+- if (ret != 0)
+- goto err;
+-
+ ret = davinci_mcasp_get_dma_type(mcasp);
+ switch (ret) {
+ case PCM_EDMA:
+@@ -2448,6 +2442,12 @@ static int davinci_mcasp_probe(struct pl
+ goto err;
+ }
+
++ ret = devm_snd_soc_register_component(&pdev->dev, &davinci_mcasp_component,
++ &davinci_mcasp_dai[mcasp->op_mode], 1);
++
++ if (ret != 0)
++ goto err;
++
+ no_audio:
+ ret = davinci_mcasp_init_gpiochip(mcasp);
+ if (ret) {
diff --git a/queue-6.1/dyndbg-fix-old-bug_on-in-control-parser.patch b/queue-6.1/dyndbg-fix-old-bug_on-in-control-parser.patch
new file mode 100644
index 00000000000..76ec7cf8ff4
--- /dev/null
+++ b/queue-6.1/dyndbg-fix-old-bug_on-in-control-parser.patch
@@ -0,0 +1,36 @@
+From 00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c Mon Sep 17 00:00:00 2001
+From: Jim Cromie
+Date: Mon, 29 Apr 2024 13:31:11 -0600
+Subject: dyndbg: fix old BUG_ON in >control parser
+
+From: Jim Cromie
+
+commit 00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c upstream.
+
+Fix a BUG_ON from 2009. Even if it looks "unreachable" (I didn't
+really look), lets make sure by removing it, doing pr_err and return
+-EINVAL instead.
+
+Cc: stable
+Signed-off-by: Jim Cromie
+Link: https://lore.kernel.org/r/20240429193145.66543-2-jim.cromie@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/dynamic_debug.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -301,7 +301,11 @@ static int ddebug_tokenize(char *buf, ch
+ } else {
+ for (end = buf; *end && !isspace(*end); end++)
+ ;
+- BUG_ON(end == buf);
++ if (end == buf) {
++ pr_err("parse err after word:%d=%s\n", nwords,
++ nwords ? words[nwords - 1] : "");
++ return -EINVAL;
++ }
+ }
+
+ /* `buf' is start of word, `end' is one past its end */
diff --git a/queue-6.1/mei-me-add-lunar-lake-point-m-did.patch b/queue-6.1/mei-me-add-lunar-lake-point-m-did.patch
new file mode 100644
index 00000000000..c16fc0b6433
--- /dev/null
+++ b/queue-6.1/mei-me-add-lunar-lake-point-m-did.patch
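Review bot: The new `if (end == buf)` branch in ddebug_tokenize() has no comment saying when a zero-length token can occur, and the commit message states that reachability was not checked. A short comment such as `/* empty token: reject the query with -EINVAL rather than crash on malformed control input */` would record why this is an error return and not an assertion. The `pr_err` also prints the previous word from the written buffer with `%s`, which is only safe if earlier words are already NUL-terminated; that happens outside this hunk and should be confirmed. ddebug_tokenize() starts and ends outside the hunk.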
@@ -0,0 +1,43 @@
+From 4108a30f1097eead0f6bd5d885e6bf093b4d460f Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin
+Date: Sun, 21 Apr 2024 16:56:31 +0300
+Subject: mei: me: add lunar lake point M DID
+
+From: Alexander Usyskin
+
+commit 4108a30f1097eead0f6bd5d885e6bf093b4d460f upstream.
+
+Add Lunar (Point) Lake M device id.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Usyskin
+Signed-off-by: Tomas Winkler
+Link: https://lore.kernel.org/r/20240421135631.223362-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/mei/hw-me-regs.h | 2 ++
+ drivers/misc/mei/pci-me.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -115,6 +115,8 @@
+ #define MEI_DEV_ID_ARL_S 0x7F68 /* Arrow Lake Point S */
+ #define MEI_DEV_ID_ARL_H 0x7770 /* Arrow Lake Point H */
+
++#define MEI_DEV_ID_LNL_M 0xA870 /* Lunar Lake Point M */
++
+ /*
+ * MEI HW Section
+ */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -122,6 +122,8 @@ static const struct pci_device_id mei_me
+ {MEI_PCI_DEVICE(MEI_DEV_ID_ARL_S, MEI_ME_PCH15_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_ARL_H, MEI_ME_PCH15_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_LNL_M, MEI_ME_PCH15_CFG)},
++
+ /* required last entry */
+ {0, }
+ };
diff --git a/queue-6.1/net-bcmgenet-synchronize-ext_rgmii_oob_ctrl-access.patch b/queue-6.1/net-bcmgenet-synchronize-ext_rgmii_oob_ctrl-access.patch
new file mode 100644
index 00000000000..1892a505234
--- /dev/null
+++ b/queue-6.1/net-bcmgenet-synchronize-ext_rgmii_oob_ctrl-access.patch
@@ -0,0 +1,54 @@
+From d85cf67a339685beae1d0aee27b7f61da95455be Mon Sep 17 00:00:00 2001
+From: Doug Berger
+Date: Thu, 25 Apr 2024 15:27:19 -0700
+Subject: net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access
+
+From: Doug Berger
+
+commit d85cf67a339685beae1d0aee27b7f61da95455be upstream.
+
+The EXT_RGMII_OOB_CTRL register can be written from different
+contexts. It is predominantly written from the adjust_link
+handler which is synchronized by the phydev->lock, but can
+also be written from a different context when configuring the
+mii in bcmgenet_mii_config().
+
+The chances of contention are quite low, but it is conceivable
+that adjust_link could occur during resume when WoL is enabled
+so use the phydev->lock synchronizer in bcmgenet_mii_config()
+to be sure.
+
+Fixes: afe3f907d20f ("net: bcmgenet: power on MII block for all MII modes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Doug Berger
+Acked-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -2,7 +2,7 @@
+ /*
+ * Broadcom GENET MDIO routines
+ *
+- * Copyright (c) 2014-2017 Broadcom
++ * Copyright (c) 2014-2024 Broadcom
+ */
+
+ #include
+@@ -71,10 +71,12 @@ static void bcmgenet_mac_config(struct n
+ * transmit -- 25MHz(100Mbps) or 125MHz(1Gbps).
+ * Receive clock is provided by the PHY.
+ */
++ mutex_lock(&phydev->lock);
+ reg = bcmgenet_ext_readl(priv, EXT_RGMII_OOB_CTRL);
+ reg &= ~OOB_DISABLE;
+ reg |= RGMII_LINK;
+ bcmgenet_ext_writel(priv, reg, EXT_RGMII_OOB_CTRL);
++ mutex_unlock(&phydev->lock);
+
+ reg = bcmgenet_umac_readl(priv, UMAC_CMD);
+ reg &= ~((CMD_SPEED_MASK << CMD_SPEED_SHIFT) |
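Review bot: The added `mutex_lock(&phydev->lock)` sits in the function the hunk header names bcmgenet_mac_config(), but the commit description says the unsynchronized writer is bcmgenet_mii_config() and that the adjust_link path already runs under phydev->lock. If bcmgenet_mac_config() is reached from adjust_link (its callers are not visible here, though the surrounding context programming link speed into UMAC_CMD suggests it), the task would take a mutex it already holds and deadlock on the first link change, while the write in bcmgenet_mii_config() stays unprotected. Before queuing, compare the hunk placement with upstream commit d85cf67a339685beae1d0aee27b7f61da95455be and put the lock/unlock pair around the EXT_RGMII_OOB_CTRL read-modify-write in bcmgenet_mii_config(). The bcmmii.c hunk of net-bcmgenet-synchronize-umac_cmd-access.patch uses `mutex_unlock(&phydev->lock);` as context, so it would need regenerating too.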
diff --git a/queue-6.1/net-bcmgenet-synchronize-umac_cmd-access.patch b/queue-6.1/net-bcmgenet-synchronize-umac_cmd-access.patch
new file mode 100644
index 00000000000..f282a0ee83f
--- /dev/null
+++ b/queue-6.1/net-bcmgenet-synchronize-umac_cmd-access.patch
@@ -0,0 +1,184 @@
+From 0d5e2a82232605b337972fb2c7d0cbc46898aca1 Mon Sep 17 00:00:00 2001
+From: Doug Berger
+Date: Thu, 25 Apr 2024 15:27:21 -0700
+Subject: net: bcmgenet: synchronize UMAC_CMD access
+
+From: Doug Berger
+
+commit 0d5e2a82232605b337972fb2c7d0cbc46898aca1 upstream.
+
+The UMAC_CMD register is written from different execution
+contexts and has insufficient synchronization protections to
+prevent possible corruption. Of particular concern are the
+acceses from the phy_device delayed work context used by the
+adjust_link call and the BH context that may be used by the
+ndo_set_rx_mode call.
+
+A spinlock is added to the driver to protect contended register
+accesses (i.e. reg_lock) and it is used to synchronize accesses
+to UMAC_CMD.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Cc: stable@vger.kernel.org
+Signed-off-by: Doug Berger
+Acked-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 12 +++++++++++-
+ drivers/net/ethernet/broadcom/genet/bcmgenet.h | 4 +++-
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 8 +++++++-
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 ++
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2468,14 +2468,18 @@ static void umac_enable_set(struct bcmge
+ {
+ u32 reg;
+
++ spin_lock_bh(&priv->reg_lock);
+ reg = bcmgenet_umac_readl(priv, UMAC_CMD);
+- if (reg & CMD_SW_RESET)
++ if (reg & CMD_SW_RESET) {
++ spin_unlock_bh(&priv->reg_lock);
+ return;
++ }
+ if (enable)
+ reg |= mask;
+ else
+ reg &= ~mask;
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
++ spin_unlock_bh(&priv->reg_lock);
+
+ /* UniMAC stops on a packet boundary, wait for a full-size packet
+ * to be processed
+@@ -2491,8 +2495,10 @@ static void reset_umac(struct bcmgenet_p
+ udelay(10);
+
+ /* issue soft reset and disable MAC while updating its registers */
++ spin_lock_bh(&priv->reg_lock);
+ bcmgenet_umac_writel(priv, CMD_SW_RESET, UMAC_CMD);
+ udelay(2);
++ spin_unlock_bh(&priv->reg_lock);
+ }
+
+ static void bcmgenet_intr_disable(struct bcmgenet_priv *priv)
+@@ -3615,16 +3621,19 @@ static void bcmgenet_set_rx_mode(struct
+ * 3. The number of filters needed exceeds the number filters
+ * supported by the hardware.
+ */
++ spin_lock(&priv->reg_lock);
+ reg = bcmgenet_umac_readl(priv, UMAC_CMD);
+ if ((dev->flags & (IFF_PROMISC | IFF_ALLMULTI)) ||
+ (nfilter > MAX_MDF_FILTER)) {
+ reg |= CMD_PROMISC;
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
++ spin_unlock(&priv->reg_lock);
+ bcmgenet_umac_writel(priv, 0, UMAC_MDF_CTRL);
+ return;
+ } else {
+ reg &= ~CMD_PROMISC;
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
++ spin_unlock(&priv->reg_lock);
+ }
+
+ /* update MDF filter */
+@@ -4026,6 +4035,7 @@ static int bcmgenet_probe(struct platfor
+ goto err;
+ }
+
++ spin_lock_init(&priv->reg_lock);
+ spin_lock_init(&priv->lock);
+
+ /* Set default pause parameters */
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+@@ -1,6 +1,6 @@
+ /* SPDX-License-Identifier: GPL-2.0-only */
+ /*
+- * Copyright (c) 2014-2020 Broadcom
++ * Copyright (c) 2014-2024 Broadcom
+ */
+
+ #ifndef __BCMGENET_H__
+@@ -573,6 +573,8 @@ struct bcmgenet_rxnfc_rule {
+ /* device context */
+ struct bcmgenet_priv {
+ void __iomem *base;
++ /* reg_lock: lock to serialize access to shared registers */
++ spinlock_t reg_lock;
+ enum bcmgenet_version version;
+ struct net_device *dev;
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -2,7 +2,7 @@
+ /*
+ * Broadcom GENET (Gigabit Ethernet) Wake-on-LAN support
+ *
+- * Copyright (c) 2014-2020 Broadcom
++ * Copyright (c) 2014-2024 Broadcom
+ */
+
+ #define pr_fmt(fmt) "bcmgenet_wol: " fmt
+@@ -133,6 +133,7 @@ int bcmgenet_wol_power_down_cfg(struct b
+ }
+
+ /* Can't suspend with WoL if MAC is still in reset */
++ spin_lock_bh(&priv->reg_lock);
+ reg = bcmgenet_umac_readl(priv, UMAC_CMD);
+ if (reg & CMD_SW_RESET)
+ reg &= ~CMD_SW_RESET;
+@@ -140,6 +141,7 @@ int bcmgenet_wol_power_down_cfg(struct b
+ /* disable RX */
+ reg &= ~CMD_RX_EN;
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
++ spin_unlock_bh(&priv->reg_lock);
+ mdelay(10);
+
+ if (priv->wolopts & (WAKE_MAGIC | WAKE_MAGICSECURE)) {
+@@ -185,6 +187,7 @@ int bcmgenet_wol_power_down_cfg(struct b
+ }
+
+ /* Enable CRC forward */
++ spin_lock_bh(&priv->reg_lock);
+ reg = bcmgenet_umac_readl(priv, UMAC_CMD);
+ priv->crc_fwd_en = 1;
+ reg |= CMD_CRC_FWD;
+@@ -192,6 +195,7 @@ int bcmgenet_wol_power_down_cfg(struct b
+ /* Receiver must be enabled for WOL MP detection */
+ reg |= CMD_RX_EN;
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
++ spin_unlock_bh(&priv->reg_lock);
+
+ reg = UMAC_IRQ_MPD_R;
+ if (hfb_enable)
+@@ -238,7 +242,9 @@ void bcmgenet_wol_power_up_cfg(struct bc
+ }
+
+ /* Disable CRC Forward */
++ spin_lock_bh(&priv->reg_lock);
+ reg = bcmgenet_umac_readl(priv, UMAC_CMD);
+ reg &= ~CMD_CRC_FWD;
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
++ spin_unlock_bh(&priv->reg_lock);
+ }
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -78,6 +78,7 @@ static void bcmgenet_mac_config(struct n
+ bcmgenet_ext_writel(priv, reg, EXT_RGMII_OOB_CTRL);
+ mutex_unlock(&phydev->lock);
+
++ spin_lock_bh(&priv->reg_lock);
+ reg = bcmgenet_umac_readl(priv, UMAC_CMD);
+ reg &= ~((CMD_SPEED_MASK << CMD_SPEED_SHIFT) |
+ CMD_HD_EN |
+@@ -90,6 +91,7 @@ static void bcmgenet_mac_config(struct n
+ reg |= CMD_TX_EN | CMD_RX_EN;
+ }
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
++ spin_unlock_bh(&priv->reg_lock);
+
+ priv->eee.eee_active = phy_init_eee(phydev, 0) >= 0;
+ bcmgenet_eee_enable_set(dev,
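Review bot: bcmgenet_set_rx_mode() takes `spin_lock(&priv->reg_lock)` without disabling BHs, while every other site in this patch uses `spin_lock_bh()`; that is only safe when the caller already has BHs off. The companion patch wraps the driver's direct call in `netif_addr_lock_bh()` and the series file orders it first, but nothing at the lock site states the requirement. A comment above the lock such as `/* called with netif_addr_lock held and BHs disabled, so plain spin_lock() is sufficient */` would keep a later caller from breaking the assumption. In reset_umac() the lock is also held across `udelay(2)` with BHs disabled, which is short but deserves a brief why-comment.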
diff --git a/queue-6.1/net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch b/queue-6.1/net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch
new file mode 100644
index 00000000000..e8a5f850348
--- /dev/null
+++ b/queue-6.1/net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch
@@ -0,0 +1,45 @@
+From 2dbe5f19368caae63b1f59f5bc2af78c7d522b3a Mon Sep 17 00:00:00 2001
+From: Doug Berger
+Date: Thu, 25 Apr 2024 15:27:20 -0700
+Subject: net: bcmgenet: synchronize use of bcmgenet_set_rx_mode()
+
+From: Doug Berger
+
+commit 2dbe5f19368caae63b1f59f5bc2af78c7d522b3a upstream.
+
+The ndo_set_rx_mode function is synchronized with the
+netif_addr_lock spinlock and BHs disabled. Since this
+function is also invoked directly from the driver the
+same synchronization should be applied.
+
+Fixes: 72f96347628e ("net: bcmgenet: set Rx mode before starting netif")
+Cc: stable@vger.kernel.org
+Signed-off-by: Doug Berger
+Acked-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2,7 +2,7 @@
+ /*
+ * Broadcom GENET (Gigabit Ethernet) controller driver
+ *
+- * Copyright (c) 2014-2020 Broadcom
++ * Copyright (c) 2014-2024 Broadcom
+ */
+
+ #define pr_fmt(fmt) "bcmgenet: " fmt
+@@ -3352,7 +3352,9 @@ static void bcmgenet_netif_start(struct
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+
+ /* Start the network engine */
++ netif_addr_lock_bh(dev);
+ bcmgenet_set_rx_mode(dev);
++ netif_addr_unlock_bh(dev);
+ bcmgenet_enable_rx_napi(priv);
+
+ umac_enable_set(priv, CMD_TX_EN | CMD_RX_EN, true);
diff --git a/queue-6.1/series b/queue-6.1/series
index 0b79e7be069..a02505b47d2 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -208,3 +208,12 @@ dt-bindings-iio-health-maxim-max30102-fix-compatible-check.patch
 iio-imu-adis16475-fix-sync-mode-setting.patch
 iio-accel-mxc4005-interrupt-handling-fixes.patch
 kmsan-compiler_types-declare-__no_sanitize_or_inline.patch
+tipc-fix-uaf-in-error-path.patch
+net-bcmgenet-synchronize-ext_rgmii_oob_ctrl-access.patch
+net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch
+net-bcmgenet-synchronize-umac_cmd-access.patch
+asoc-tegra-fix-dspk-16-bit-playback.patch
+asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch
+dyndbg-fix-old-bug_on-in-control-parser.patch
+slimbus-qcom-ngd-ctrl-add-timeout-for-wait-operation.patch
+mei-me-add-lunar-lake-point-m-did.patch
diff --git a/queue-6.1/slimbus-qcom-ngd-ctrl-add-timeout-for-wait-operation.patch b/queue-6.1/slimbus-qcom-ngd-ctrl-add-timeout-for-wait-operation.patch
new file mode 100644
index 00000000000..ecdb35dc2cc
--- /dev/null
+++ b/queue-6.1/slimbus-qcom-ngd-ctrl-add-timeout-for-wait-operation.patch
@@ -0,0 +1,43 @@
+From 98241a774db49988f25b7b3657026ce51ccec293 Mon Sep 17 00:00:00 2001
+From: Viken Dadhaniya
+Date: Tue, 30 Apr 2024 10:12:38 +0100
+Subject: slimbus: qcom-ngd-ctrl: Add timeout for wait operation
+
+From: Viken Dadhaniya
+
+commit 98241a774db49988f25b7b3657026ce51ccec293 upstream.
+
+In current driver qcom_slim_ngd_up_worker() indefinitely
+waiting for ctrl->qmi_up completion object. This is
+resulting in workqueue lockup on Kthread.
+
+Added wait_for_completion_interruptible_timeout to
+allow the thread to wait for specific timeout period and
+bail out instead waiting infinitely.
+
+Fixes: a899d324863a ("slimbus: qcom-ngd-ctrl: add Sub System Restart support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Viken Dadhaniya
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20240430091238.35209-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1376,7 +1376,11 @@ static void qcom_slim_ngd_up_worker(stru
+ ctrl = container_of(work, struct qcom_slim_ngd_ctrl, ngd_up_work);
+
+ /* Make sure qmi service is up before continuing */
+- wait_for_completion_interruptible(&ctrl->qmi_up);
++ if (!wait_for_completion_interruptible_timeout(&ctrl->qmi_up,
++ msecs_to_jiffies(MSEC_PER_SEC))) {
++ dev_err(ctrl->dev, "QMI wait timeout\n");
++ return;
++ }
+
+ mutex_lock(&ctrl->ssr_lock);
+ qcom_slim_ngd_enable(ctrl, true);
diff --git a/queue-6.1/tipc-fix-uaf-in-error-path.patch b/queue-6.1/tipc-fix-uaf-in-error-path.patch
new file mode 100644
index 00000000000..daf6ebb47f6
--- /dev/null
+++ b/queue-6.1/tipc-fix-uaf-in-error-path.patch
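Review bot: The new check in qcom_slim_ngd_up_worker() treats only a return of 0 as failure, but wait_for_completion_interruptible_timeout() also returns a negative value when the wait is interrupted, and the `!` test is false for that case. An interrupted wait would fall through to `qcom_slim_ngd_enable(ctrl, true)` without the QMI service confirmed up, which is the condition the comment above the call says must not happen. Testing for `<= 0` closes that: `if (wait_for_completion_interruptible_timeout(&ctrl->qmi_up, msecs_to_jiffies(MSEC_PER_SEC)) <= 0) {`, ideally with the log message distinguishing timeout from interruption. The function body continues outside the hunk.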
@@ -0,0 +1,141 @@ +From 080cbb890286cd794f1ee788bbc5463e2deb7c2b Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 30 Apr 2024 15:53:37 +0200 +Subject: tipc: fix UAF in error path + +From: Paolo Abeni + +commit 080cbb890286cd794f1ee788bbc5463e2deb7c2b upstream. + +Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported +a UAF in the tipc_buf_append() error path: + +BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0 +linux/net/core/skbuff.c:1183 +Read of size 8 at addr ffff88804d2a7c80 by task poc/8034 + +CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.16.0-debian-1.16.0-5 04/01/2014 +Call Trace: + + __dump_stack linux/lib/dump_stack.c:88 + dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106 + print_address_description linux/mm/kasan/report.c:377 + print_report+0xc4/0x620 linux/mm/kasan/report.c:488 + kasan_report+0xda/0x110 linux/mm/kasan/report.c:601 + kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183 + skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026 + skb_release_all linux/net/core/skbuff.c:1094 + __kfree_skb linux/net/core/skbuff.c:1108 + kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144 + kfree_skb linux/./include/linux/skbuff.h:1244 + tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186 + tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324 + tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824 + tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159 + tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390 + udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108 + udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186 + udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346 + __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422 + ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233 + NF_HOOK linux/./include/linux/netfilter.h:314 + 
NF_HOOK linux/./include/linux/netfilter.h:308 + ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254 + dst_input linux/./include/net/dst.h:461 + ip_rcv_finish linux/net/ipv4/ip_input.c:449 + NF_HOOK linux/./include/linux/netfilter.h:314 + NF_HOOK linux/./include/linux/netfilter.h:308 + ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569 + __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534 + __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648 + process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976 + __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576 + napi_poll linux/net/core/dev.c:6645 + net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781 + __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553 + do_softirq linux/kernel/softirq.c:454 + do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441 + + + __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381 + local_bh_enable linux/./include/linux/bottom_half.h:33 + rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851 + __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378 + dev_queue_xmit linux/./include/linux/netdevice.h:3169 + neigh_hh_output linux/./include/net/neighbour.h:526 + neigh_output linux/./include/net/neighbour.h:540 + ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235 + __ip_finish_output linux/net/ipv4/ip_output.c:313 + __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295 + ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323 + NF_HOOK_COND linux/./include/linux/netfilter.h:303 + ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433 + dst_output linux/./include/net/dst.h:451 + ip_local_out linux/net/ipv4/ip_output.c:129 + ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492 + udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963 + udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250 + inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850 + sock_sendmsg_nosec linux/net/socket.c:730 + __sock_sendmsg linux/net/socket.c:745 + __sys_sendto+0x42c/0x4e0 
linux/net/socket.c:2191 + __do_sys_sendto linux/net/socket.c:2203 + __se_sys_sendto linux/net/socket.c:2199 + __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199 + do_syscall_x64 linux/arch/x86/entry/common.c:52 + do_syscall_64+0xd8/0x270 linux/arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 linux/arch/x86/entry/entry_64.S:120 +RIP: 0033:0x7f3434974f29 +Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d +01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48 +RSP: 002b:00007fff9154f2b8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3434974f29 +RDX: 00000000000032c8 RSI: 00007fff9154f300 RDI: 0000000000000003 +RBP: 00007fff915532e0 R08: 00007fff91553360 R09: 0000000000000010 +R10: 0000000000000000 R11: 0000000000000212 R12: 000055ed86d261d0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +In the critical scenario, either the relevant skb is freed or its +ownership is transferred into a frag_lists. In both cases, the cleanup +code must not free it again: we need to clear the skb reference earlier. 
+ +Fixes: 1149557d64c9 ("tipc: eliminate unnecessary linearization of incoming buffers") +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23852 +Acked-by: Xin Long +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/752f1ccf762223d109845365d07f55414058e5a3.1714484273.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/msg.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -156,6 +156,11 @@ int tipc_buf_append(struct sk_buff **hea + if (!head) + goto err; + ++ /* Either the input skb ownership is transferred to headskb ++ * or the input skb is freed, clear the reference to avoid ++ * bad access on error path. ++ */ ++ *buf = NULL; + if (skb_try_coalesce(head, frag, &headstolen, &delta)) { + kfree_skb_partial(frag, headstolen); + } else { +@@ -179,7 +184,6 @@ int tipc_buf_append(struct sk_buff **hea + *headbuf = NULL; + return 1; + } +- *buf = NULL; + return 0; + err: + kfree_skb(*buf); -- 2.47.3
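Review bot: With `*buf = NULL` moved ahead of skb_try_coalesce(), every later `goto err` in tipc_buf_append() reaches `kfree_skb(*buf)` with a NULL pointer, so correctness now rests on that call being a no-op for NULL and on the rest of the `err:` label, which is outside this hunk, not touching `frag` or `*buf` again. The added comment refers to `headskb`, a name that does not appear in the visible code, where the variables are `head` and `*headbuf`; `/* Either the input skb ownership is transferred to head ...` would match. Because the quoted KASAN trace shows the path is entered from tipc_udp_recv(), a KASAN-enabled run of the fragment-reassembly error paths on the 6.1 tree is worth recording with the backport. The function starts and ends outside the hunk.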