From ae99e83baf0a3f54a0a97303e2b4e0b829462a5d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 13 May 2024 16:03:14 +0200 Subject: [PATCH] 5.15-stable patches added patches: asoc-tegra-fix-dspk-16-bit-playback.patch asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch tipc-fix-uaf-in-error-path.patch --- .../asoc-tegra-fix-dspk-16-bit-playback.patch | 53 +++++++ ...casp-fix-race-condition-during-probe.patch | 76 ++++++++++ ...chronize-use-of-bcmgenet_set_rx_mode.patch | 45 ++++++ queue-5.15/series | 4 + queue-5.15/tipc-fix-uaf-in-error-path.patch | 141 ++++++++++++++++++ 5 files changed, 319 insertions(+) create mode 100644 queue-5.15/asoc-tegra-fix-dspk-16-bit-playback.patch create mode 100644 queue-5.15/asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch create mode 100644 queue-5.15/net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch create mode 100644 queue-5.15/tipc-fix-uaf-in-error-path.patch diff --git a/queue-5.15/asoc-tegra-fix-dspk-16-bit-playback.patch b/queue-5.15/asoc-tegra-fix-dspk-16-bit-playback.patch new file mode 100644 index 00000000000..90a2fefe45c --- /dev/null +++ b/queue-5.15/asoc-tegra-fix-dspk-16-bit-playback.patch @@ -0,0 +1,53 @@ +From 2e93a29b48a017c777d4fcbfcc51aba4e6a90d38 Mon Sep 17 00:00:00 2001 +From: Sameer Pujar +Date: Fri, 5 Apr 2024 10:43:06 +0000 +Subject: ASoC: tegra: Fix DSPK 16-bit playback + +From: Sameer Pujar + +commit 2e93a29b48a017c777d4fcbfcc51aba4e6a90d38 upstream. + +DSPK configuration is wrong for 16-bit playback and this happens because +the client config is always fixed at 24-bit in hw_params(). Fix this by +updating the client config to 16-bit for the respective playback. + +Fixes: 327ef6470266 ("ASoC: tegra: Add Tegra186 based DSPK driver") +Cc: stable@vger.kernel.org +Signed-off-by: Sameer Pujar +Acked-by: Thierry Reding +Link: https://msgid.link/r/20240405104306.551036-1-spujar@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/tegra/tegra186_dspk.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/sound/soc/tegra/tegra186_dspk.c ++++ b/sound/soc/tegra/tegra186_dspk.c +@@ -1,8 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0-only ++// SPDX-FileCopyrightText: Copyright (c) 2020-2024 NVIDIA CORPORATION & AFFILIATES. All rights reserved. + // + // tegra186_dspk.c - Tegra186 DSPK driver +-// +-// Copyright (c) 2020 NVIDIA CORPORATION. All rights reserved. + + #include + #include +@@ -241,14 +240,14 @@ static int tegra186_dspk_hw_params(struc + return -EINVAL; + } + +- cif_conf.client_bits = TEGRA_ACIF_BITS_24; +- + switch (params_format(params)) { + case SNDRV_PCM_FORMAT_S16_LE: + cif_conf.audio_bits = TEGRA_ACIF_BITS_16; ++ cif_conf.client_bits = TEGRA_ACIF_BITS_16; + break; + case SNDRV_PCM_FORMAT_S32_LE: + cif_conf.audio_bits = TEGRA_ACIF_BITS_32; ++ cif_conf.client_bits = TEGRA_ACIF_BITS_24; + break; + default: + dev_err(dev, "unsupported format!\n"); diff --git a/queue-5.15/asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch b/queue-5.15/asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch new file mode 100644 index 00000000000..56c0c507401 --- /dev/null +++ b/queue-5.15/asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch @@ -0,0 +1,76 @@ +From d18ca8635db2f88c17acbdf6412f26d4f6aff414 Mon Sep 17 00:00:00 2001 +From: Joao Paulo Goncalves +Date: Wed, 17 Apr 2024 15:41:38 -0300 +Subject: ASoC: ti: davinci-mcasp: Fix race condition during probe + +From: Joao Paulo Goncalves + +commit d18ca8635db2f88c17acbdf6412f26d4f6aff414 upstream. + +When using davinci-mcasp as CPU DAI with simple-card, there are some +conditions that cause simple-card to finish registering a sound card before +davinci-mcasp finishes registering all sound components. This creates a +non-working sound card from userspace with no problem indication apart +from not being able to play/record audio on a PCM stream. The issue +arises during simultaneous probe execution of both drivers. Specifically, +the simple-card driver, awaiting a CPU DAI, proceeds as soon as +davinci-mcasp registers its DAI. However, this process can lead to the +client mutex lock (client_mutex in soc-core.c) being held or davinci-mcasp +being preempted before PCM DMA registration on davinci-mcasp finishes. +This situation occurs when the probes of both drivers run concurrently. +Below is the code path for this condition. To solve the issue, defer +davinci-mcasp CPU DAI registration to the last step in the audio part of +it. This way, simple-card CPU DAI parsing will be deferred until all +audio components are registered. + +Fail Code Path: + +simple-card.c: probe starts +simple-card.c: simple_dai_link_of: simple_parse_node(..,cpu,..) returns EPROBE_DEFER, no CPU DAI yet +davinci-mcasp.c: probe starts +davinci-mcasp.c: devm_snd_soc_register_component() register CPU DAI +simple-card.c: probes again, finish CPU DAI parsing and call devm_snd_soc_register_card() +simple-card.c: finish probe +davinci-mcasp.c: *dma_pcm_platform_register() register PCM DMA +davinci-mcasp.c: probe finish + +Cc: stable@vger.kernel.org +Fixes: 9fbd58cf4ab0 ("ASoC: davinci-mcasp: Choose PCM driver based on configured DMA controller") +Signed-off-by: Joao Paulo Goncalves +Acked-by: Peter Ujfalusi +Reviewed-by: Jai Luthra +Link: https://lore.kernel.org/r/20240417184138.1104774-1-jpaulo.silvagoncalves@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/ti/davinci-mcasp.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/sound/soc/ti/davinci-mcasp.c ++++ b/sound/soc/ti/davinci-mcasp.c +@@ -2423,12 +2423,6 @@ static int davinci_mcasp_probe(struct pl + + mcasp_reparent_fck(pdev); + +- ret = devm_snd_soc_register_component(&pdev->dev, &davinci_mcasp_component, +- &davinci_mcasp_dai[mcasp->op_mode], 1); +- +- if (ret != 0) +- goto err; +- + ret = davinci_mcasp_get_dma_type(mcasp); + switch (ret) { + case PCM_EDMA: +@@ -2455,6 +2449,12 @@ static int davinci_mcasp_probe(struct pl + goto err; + } + ++ ret = devm_snd_soc_register_component(&pdev->dev, &davinci_mcasp_component, ++ &davinci_mcasp_dai[mcasp->op_mode], 1); ++ ++ if (ret != 0) ++ goto err; ++ + no_audio: + ret = davinci_mcasp_init_gpiochip(mcasp); + if (ret) { diff --git a/queue-5.15/net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch b/queue-5.15/net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch new file mode 100644 index 00000000000..956c58ea72a --- /dev/null +++ b/queue-5.15/net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch @@ -0,0 +1,45 @@ +From 2dbe5f19368caae63b1f59f5bc2af78c7d522b3a Mon Sep 17 00:00:00 2001 +From: Doug Berger +Date: Thu, 25 Apr 2024 15:27:20 -0700 +Subject: net: bcmgenet: synchronize use of bcmgenet_set_rx_mode() + +From: Doug Berger + +commit 2dbe5f19368caae63b1f59f5bc2af78c7d522b3a upstream. + +The ndo_set_rx_mode function is synchronized with the +netif_addr_lock spinlock and BHs disabled. Since this +function is also invoked directly from the driver the +same synchronization should be applied. + +Fixes: 72f96347628e ("net: bcmgenet: set Rx mode before starting netif") +Cc: stable@vger.kernel.org +Signed-off-by: Doug Berger +Acked-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -2,7 +2,7 @@ + /* + * Broadcom GENET (Gigabit Ethernet) controller driver + * +- * Copyright (c) 2014-2020 Broadcom ++ * Copyright (c) 2014-2024 Broadcom + */ + + #define pr_fmt(fmt) "bcmgenet: " fmt +@@ -3310,7 +3310,9 @@ static void bcmgenet_netif_start(struct + struct bcmgenet_priv *priv = netdev_priv(dev); + + /* Start the network engine */ ++ netif_addr_lock_bh(dev); + bcmgenet_set_rx_mode(dev); ++ netif_addr_unlock_bh(dev); + bcmgenet_enable_rx_napi(priv); + + umac_enable_set(priv, CMD_TX_EN | CMD_RX_EN, true); diff --git a/queue-5.15/series b/queue-5.15/series index 68a27863a89..7d5973af6d1 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -158,3 +158,7 @@ mptcp-ensure-snd_nxt-is-properly-initialized-on-connect.patch dt-bindings-iio-health-maxim-max30102-fix-compatible-check.patch iio-imu-adis16475-fix-sync-mode-setting.patch iio-accel-mxc4005-interrupt-handling-fixes.patch +tipc-fix-uaf-in-error-path.patch +net-bcmgenet-synchronize-use-of-bcmgenet_set_rx_mode.patch +asoc-tegra-fix-dspk-16-bit-playback.patch +asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch diff --git a/queue-5.15/tipc-fix-uaf-in-error-path.patch b/queue-5.15/tipc-fix-uaf-in-error-path.patch new file mode 100644 index 00000000000..daf6ebb47f6 --- /dev/null +++ b/queue-5.15/tipc-fix-uaf-in-error-path.patch @@ -0,0 +1,141 @@ +From 080cbb890286cd794f1ee788bbc5463e2deb7c2b Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 30 Apr 2024 15:53:37 +0200 +Subject: tipc: fix UAF in error path + +From: Paolo Abeni + +commit 080cbb890286cd794f1ee788bbc5463e2deb7c2b upstream. + +Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported +a UAF in the tipc_buf_append() error path: + +BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0 +linux/net/core/skbuff.c:1183 +Read of size 8 at addr ffff88804d2a7c80 by task poc/8034 + +CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.16.0-debian-1.16.0-5 04/01/2014 +Call Trace: + + __dump_stack linux/lib/dump_stack.c:88 + dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106 + print_address_description linux/mm/kasan/report.c:377 + print_report+0xc4/0x620 linux/mm/kasan/report.c:488 + kasan_report+0xda/0x110 linux/mm/kasan/report.c:601 + kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183 + skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026 + skb_release_all linux/net/core/skbuff.c:1094 + __kfree_skb linux/net/core/skbuff.c:1108 + kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144 + kfree_skb linux/./include/linux/skbuff.h:1244 + tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186 + tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324 + tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824 + tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159 + tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390 + udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108 + udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186 + udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346 + __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422 + ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233 + NF_HOOK linux/./include/linux/netfilter.h:314 + NF_HOOK linux/./include/linux/netfilter.h:308 + ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254 + dst_input linux/./include/net/dst.h:461 + ip_rcv_finish linux/net/ipv4/ip_input.c:449 + NF_HOOK linux/./include/linux/netfilter.h:314 + NF_HOOK linux/./include/linux/netfilter.h:308 + ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569 + __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534 + __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648 + process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976 + __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576 + napi_poll linux/net/core/dev.c:6645 + net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781 + __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553 + do_softirq linux/kernel/softirq.c:454 + do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441 + + + __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381 + local_bh_enable linux/./include/linux/bottom_half.h:33 + rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851 + __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378 + dev_queue_xmit linux/./include/linux/netdevice.h:3169 + neigh_hh_output linux/./include/net/neighbour.h:526 + neigh_output linux/./include/net/neighbour.h:540 + ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235 + __ip_finish_output linux/net/ipv4/ip_output.c:313 + __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295 + ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323 + NF_HOOK_COND linux/./include/linux/netfilter.h:303 + ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433 + dst_output linux/./include/net/dst.h:451 + ip_local_out linux/net/ipv4/ip_output.c:129 + ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492 + udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963 + udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250 + inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850 + sock_sendmsg_nosec linux/net/socket.c:730 + __sock_sendmsg linux/net/socket.c:745 + __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191 + __do_sys_sendto linux/net/socket.c:2203 + __se_sys_sendto linux/net/socket.c:2199 + __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199 + do_syscall_x64 linux/arch/x86/entry/common.c:52 + do_syscall_64+0xd8/0x270 linux/arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 linux/arch/x86/entry/entry_64.S:120 +RIP: 0033:0x7f3434974f29 +Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d +01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48 +RSP: 002b:00007fff9154f2b8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3434974f29 +RDX: 00000000000032c8 RSI: 00007fff9154f300 RDI: 0000000000000003 +RBP: 00007fff915532e0 R08: 00007fff91553360 R09: 0000000000000010 +R10: 0000000000000000 R11: 0000000000000212 R12: 000055ed86d261d0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +In the critical scenario, either the relevant skb is freed or its +ownership is transferred into a frag_lists. In both cases, the cleanup +code must not free it again: we need to clear the skb reference earlier. + +Fixes: 1149557d64c9 ("tipc: eliminate unnecessary linearization of incoming buffers") +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23852 +Acked-by: Xin Long +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/752f1ccf762223d109845365d07f55414058e5a3.1714484273.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/msg.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -156,6 +156,11 @@ int tipc_buf_append(struct sk_buff **hea + if (!head) + goto err; + ++ /* Either the input skb ownership is transferred to headskb ++ * or the input skb is freed, clear the reference to avoid ++ * bad access on error path. ++ */ ++ *buf = NULL; + if (skb_try_coalesce(head, frag, &headstolen, &delta)) { + kfree_skb_partial(frag, headstolen); + } else { +@@ -179,7 +184,6 @@ int tipc_buf_append(struct sk_buff **hea + *headbuf = NULL; + return 1; + } +- *buf = NULL; + return 0; + err: + kfree_skb(*buf); -- 2.47.3