September 2024 - Linux-stable-mirror

FAILED: patch "[PATCH] platform/x86: panasonic-laptop: Fix SINF array out of bounds" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f52e98d16e9bd7dd2b3aef8e38db5cbc9899d6a4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024091343-editor-sulfite-f306@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: f52e98d16e9b ("platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses") f1fba0860962 ("platform/x86: panasonic-laptop: remove redundant assignment of variable result") 25dd390c6206 ("platform/x86: panasonic-laptop: Add sysfs attributes for firmware brightness registers") 468f96bfa3a0 ("platform/x86: panasonic-laptop: Add support for battery charging threshold (eco mode)") ed83c9171829 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") e3a9afbbc309 ("platform/x86: panasonic-laptop: Add write support to mute") 008563513348 ("platform/x86: panasonic-laptop: Fix sticky key init bug") 80373ad0edb5 ("platform/x86: panasonic-laptop: Fix naming of platform files for consistency with other modules") 0119fbc0215a ("platform/x86: panasonic-laptop: Split MODULE_AUTHOR() by one author per macro call") f1aaf914654a ("platform/x86: panasonic-laptop: Replace ACPI prints with pr_*() macros") d5a81d8e864b ("platform/x86: panasonic-laptop: Add support for optical driver power in Y and W series") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f52e98d16e9bd7dd2b3aef8e38db5cbc9899d6a4 Mon Sep 17 00:00:00 2001 From: Hans de Goede <hdegoede(a)redhat.com> Date: Mon, 9 Sep 2024 13:32:25 +0200 Subject: [PATCH] platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The panasonic laptop code in various places uses the SINF array with index values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the SINF array is big enough. Not all panasonic laptops have this many SINF array entries, for example the Toughbook CF-18 model only has 10 SINF array entries. So it only supports the AC+DC brightness entries and mute. Check that the SINF array has a minimum size which covers all AC+DC brightness entries and refuse to load if the SINF array is smaller. For higher SINF indexes hide the sysfs attributes when the SINF array does not contain an entry for that attribute, avoiding show()/store() accessing the array out of bounds and add bounds checking to the probe() and resume() code accessing these. Fixes: e424fb8cc4e6 ("panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()") Cc: stable(a)vger.kernel.org Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> Link: https://lore.kernel.org/r/20240909113227.254470-1-hdegoede@redhat.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c index cf845ee1c7b1..39044119d2a6 100644 --- a/drivers/platform/x86/panasonic-laptop.c +++ b/drivers/platform/x86/panasonic-laptop.c @@ -773,6 +773,24 @@ static DEVICE_ATTR_RW(dc_brightness); static DEVICE_ATTR_RW(current_brightness); static DEVICE_ATTR_RW(cdpower); +static umode_t pcc_sysfs_is_visible(struct kobject *kobj, struct attribute *attr, int idx) +{ + struct device *dev = kobj_to_dev(kobj); + struct acpi_device *acpi = to_acpi_device(dev); + struct pcc_acpi *pcc = acpi_driver_data(acpi); + + if (attr == &dev_attr_mute.attr) + return (pcc->num_sifr > SINF_MUTE) ? attr->mode : 0; + + if (attr == &dev_attr_eco_mode.attr) + return (pcc->num_sifr > SINF_ECO_MODE) ? attr->mode : 0; + + if (attr == &dev_attr_current_brightness.attr) + return (pcc->num_sifr > SINF_CUR_BRIGHT) ? attr->mode : 0; + + return attr->mode; +} + static struct attribute *pcc_sysfs_entries[] = { &dev_attr_numbatt.attr, &dev_attr_lcdtype.attr, @@ -787,8 +805,9 @@ static struct attribute *pcc_sysfs_entries[] = { }; static const struct attribute_group pcc_attr_group = { - .name = NULL, /* put in device directory */ - .attrs = pcc_sysfs_entries, + .name = NULL, /* put in device directory */ + .attrs = pcc_sysfs_entries, + .is_visible = pcc_sysfs_is_visible, }; @@ -941,12 +960,15 @@ static int acpi_pcc_hotkey_resume(struct device *dev) if (!pcc) return -EINVAL; - acpi_pcc_write_sset(pcc, SINF_MUTE, pcc->mute); - acpi_pcc_write_sset(pcc, SINF_ECO_MODE, pcc->eco_mode); + if (pcc->num_sifr > SINF_MUTE) + acpi_pcc_write_sset(pcc, SINF_MUTE, pcc->mute); + if (pcc->num_sifr > SINF_ECO_MODE) + acpi_pcc_write_sset(pcc, SINF_ECO_MODE, pcc->eco_mode); acpi_pcc_write_sset(pcc, SINF_STICKY_KEY, pcc->sticky_key); acpi_pcc_write_sset(pcc, SINF_AC_CUR_BRIGHT, pcc->ac_brightness); acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, pcc->dc_brightness); - acpi_pcc_write_sset(pcc, SINF_CUR_BRIGHT, pcc->current_brightness); + if (pcc->num_sifr > SINF_CUR_BRIGHT) + acpi_pcc_write_sset(pcc, SINF_CUR_BRIGHT, pcc->current_brightness); return 0; } @@ -963,8 +985,12 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device) num_sifr = acpi_pcc_get_sqty(device); - if (num_sifr < 0 || num_sifr > 255) { - pr_err("num_sifr out of range"); + /* + * pcc->sinf is expected to at least have the AC+DC brightness entries. + * Accesses to higher SINF entries are checked against num_sifr. + */ + if (num_sifr <= SINF_DC_CUR_BRIGHT || num_sifr > 255) { + pr_err("num_sifr %d out of range %d - 255\n", num_sifr, SINF_DC_CUR_BRIGHT + 1); return -ENODEV; } @@ -1020,11 +1046,14 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device) acpi_pcc_write_sset(pcc, SINF_STICKY_KEY, 0); pcc->sticky_key = 0; - pcc->eco_mode = pcc->sinf[SINF_ECO_MODE]; - pcc->mute = pcc->sinf[SINF_MUTE]; pcc->ac_brightness = pcc->sinf[SINF_AC_CUR_BRIGHT]; pcc->dc_brightness = pcc->sinf[SINF_DC_CUR_BRIGHT]; - pcc->current_brightness = pcc->sinf[SINF_CUR_BRIGHT]; + if (pcc->num_sifr > SINF_MUTE) + pcc->mute = pcc->sinf[SINF_MUTE]; + if (pcc->num_sifr > SINF_ECO_MODE) + pcc->eco_mode = pcc->sinf[SINF_ECO_MODE]; + if (pcc->num_sifr > SINF_CUR_BRIGHT) + pcc->current_brightness = pcc->sinf[SINF_CUR_BRIGHT]; /* add sysfs attributes */ result = sysfs_create_group(&device->dev.kobj, &pcc_attr_group);

6 days, 16 hours

1
0
0 0

[PATCH 4.19 00/95] 4.19.322-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.19.322 release. There are 95 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 12 Sep 2024 09:42:36 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.322-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.19.322-rc2 Li RongQing <lirongqing(a)baidu.com> netns: restore ops before calling ops_exit_list Zhang Changzhong <zhangchangzhong(a)huawei.com> cx82310_eth: fix error return code in cx82310_bind() Daniel Borkmann <daniel(a)iogearbox.net> net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket Roland Xu <mu001999(a)outlook.com> rtmutex: Drop rt_mutex::wait_lock before scheduling Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> drm/i915/fence: Mark debug_fence_free() with __maybe_unused Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused Jonathan Cameron <Jonathan.Cameron(a)huawei.com> ACPI: processor: Fix memory leaks in error paths of processor_add() Jonathan Cameron <Jonathan.Cameron(a)huawei.com> ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add() Eric Dumazet <edumazet(a)google.com> ila: call nf_unregister_net_hooks() sooner Eric Dumazet <edumazet(a)google.com> netns: add pre_exit method to struct pernet_operations Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: protect references to superblock parameters exposed in sysfs Qing Wang <wangqing(a)vivo.com> nilfs2: replace snprintf in show functions with sysfs_emit Zheng Yejian <zhengyejian(a)huaweicloud.com> tracing: Avoid possible softlockup in tracing_iter_reset() Steven Rostedt (VMware) <rostedt(a)goodmis.org> ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance() Sven Schnelle <svens(a)linux.ibm.com> uprobes: Use kzalloc to allocate xol area Jacky Bai <ping.bai(a)nxp.com> clocksource/drivers/imx-tpm: Fix next event not taking effect sometime Jacky Bai <ping.bai(a)nxp.com> clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com> VMCI: Fix use-after-free when removing resource in vmci_resource_remove() Naman Jain <namjain(a)linux.microsoft.com> Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic Saurabh Sengar <ssengar(a)linux.microsoft.com> uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind Geert Uytterhoeven <geert+renesas(a)glider.be> nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc Matteo Martelli <matteomartelli3(a)gmail.com> iio: fix scale application in iio_convert_raw_to_processed_unlocked David Lechner <dlechner(a)baylibre.com> iio: buffer-dmaengine: fix releasing dma channel on error Michael Ellerman <mpe(a)ellerman.id.au> ata: pata_macio: Use WARN instead of BUG Stefan Wiehler <stefan.wiehler(a)nokia.com> of/irq: Prevent device address out-of-bounds read in interrupt map walk Phillip Lougher <phillip(a)squashfs.org.uk> Squashfs: sanity check symbolic link size Oliver Neukum <oneukum(a)suse.com> usbnet: ipheth: race between ipheth_close and error handling Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: uinput - reject requests with unreasonable number of slots Camila Alvarez <cam.alvarez.i(a)gmail.com> HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup David Sterba <dsterba(a)suse.com> btrfs: initialize location to fix -Wmaybe-uninitialized in btrfs_lookup_dentry() Dan Williams <dan.j.williams(a)intel.com> PCI: Add missing bridge lock to pci_bus_lock() Josef Bacik <josef(a)toxicpanda.com> btrfs: clean up our handling of refs == 0 in snapshot delete Josef Bacik <josef(a)toxicpanda.com> btrfs: replace BUG_ON with ASSERT in walk_down_proc() Zqiang <qiang.zhang1211(a)gmail.com> smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu() Sascha Hauer <s.hauer(a)pengutronix.de> wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() Guenter Roeck <linux(a)roeck-us.net> hwmon: (w83627ehf) Fix underflows seen when writing limit attributes Guenter Roeck <linux(a)roeck-us.net> hwmon: (nct6775-core) Fix underflows seen when writing limit attributes Guenter Roeck <linux(a)roeck-us.net> hwmon: (lm95234) Fix underflows seen when writing limit attributes Guenter Roeck <linux(a)roeck-us.net> hwmon: (adc128d818) Fix underflows seen when writing limit attributes Krishna Kumar <krishnak(a)linux.ibm.com> pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv Zijun Hu <quic_zijuhu(a)quicinc.com> devres: Initialize an uninitialized struct member Johannes Berg <johannes.berg(a)intel.com> um: line: always fill *error_out in setup_one_line() Waiman Long <longman(a)redhat.com> cgroup: Protect css->cgroup write under css_set_lock Jacob Pan <jacob.jun.pan(a)linux.intel.com> iommu/vt-d: Handle volatile descriptor status read Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: fix possible subblocks range of CAPT block Jonas Gorski <jonas.gorski(a)bisdn.de> net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> net: bridge: fdb: convert added_by_external_learn to use bitops Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> net: bridge: fdb: convert added_by_user to bitops Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> net: bridge: fdb: convert is_sticky to bitops Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> net: bridge: fdb: convert is_static to bitops Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> net: bridge: fdb: convert is_local to bitops Ido Schimmel <idosch(a)mellanox.com> bridge: switchdev: Allow clearing FDB entry offload indication Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> net: bridge: add support for sticky fdb entries Richard Guy Briggs <rgb(a)redhat.com> rfkill: fix spelling mistake contidion to condition Oliver Neukum <oneukum(a)suse.com> usbnet: modern method to get random MAC Jakub Kicinski <kuba(a)kernel.org> net: usb: don't write directly to netdev->dev_addr Len Baker <len.baker(a)gmx.com> drivers/net/usb: Remove all strcpy() uses Ondrej Zary <linux(a)zary.sk> cx82310_eth: re-enable ethernet mode after router reboot Aleksandr Mishin <amishin(a)t-argos.ru> platform/x86: dell-smbios: Fix error path in dell_smbios_init() Daiwei Li <daiweili(a)google.com> igb: Fix not clearing TimeSync interrupts for 82580 Kuniyuki Iwashima <kuniyu(a)amazon.com> can: bcm: Remove proc entry when dev is unregistered. Jules Irenge <jbi.octave(a)gmail.com> pcmcia: Use resource_size function on resource object Chen Ni <nichen(a)iscas.ac.cn> media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse Arend van Spriel <arend.vanspriel(a)broadcom.com> wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3 Jan Kara <jack(a)suse.cz> udf: Avoid excessive partition lengths Yunjian Wang <wangyunjian(a)huawei.com> netfilter: nf_conncount: fix wrong variable type Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Remove put_pid()/put_cred() in copy_peercred(). Pali Rohár <pali(a)kernel.org> irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1 Konstantin Andreev <andreev(a)swemel.ru> smack: unix sockets: fix accept()ed socket label Takashi Iwai <tiwai(a)suse.de> ALSA: hda: Add input value sanity checks to HDMI channel map controls Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix state management in error path of log writing function Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix missing cleanup on rollforward recovery error Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: clk-alpha-pll: Fix the pll post div mask Jann Horn <jannh(a)google.com> fuse: use unsigned type for getxattr/listxattr size truncation Sam Protsenko <semen.protsenko(a)linaro.org> mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K Zheng Qixing <zhengqixing(a)huawei.com> ata: libata: Fix memory leak for error path in ata_host_alloc() Christoffer Sandberg <cs(a)tuxedo.de> ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices Stephen Hemminger <stephen(a)networkplumber.org> sch/netem: fix use after free in netem_dequeue Hillf Danton <hdanton(a)sina.com> ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Sanity checks for each pipe and EP types Jan Kara <jack(a)suse.cz> udf: Limit file size to 4TB Breno Leitao <leitao(a)debian.org> virtio_net: Fix napi_skb_cache_put warning Christoph Hellwig <hch(a)lst.de> block: initialize integrity buffer to zero before writing it to media Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Enforce alignment of frame and interval Casey Schaufler <casey(a)schaufler-ca.com> smack: tcp: ipv4, fix incorrect labeling Simon Holesch <simon(a)holesch.de> usbip: Don't submit special requests twice Leesoo Ahn <lsahn(a)ooseel.net> apparmor: fix possible NULL pointer dereference Michael Chen <michael.chen(a)amd.com> drm/amdkfd: Reconcile the definition and use of oem_id in struct kfd_topology_device Tim Huang <Tim.Huang(a)amd.com> drm/amdgpu: fix mc_data out-of-bounds read warning Tim Huang <Tim.Huang(a)amd.com> drm/amdgpu: fix ucode out-of-bounds read warning Tim Huang <Tim.Huang(a)amd.com> drm/amdgpu: fix overflowed array index read warning Ma Jun <Jun.Ma2(a)amd.com> drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> usb: dwc3: st: add missing depopulate in probe error path Nishka Dasgupta <nishkadg.linux(a)gmail.com> usb: dwc3: st: Add of_node_put() before return in probe function ZHANG Yuntian <yt(a)radxa.com> net: usb: qmi_wwan: add MeiG Smart SRM825L ------------- Diffstat: Makefile | 4 +- arch/um/drivers/line.c | 2 + block/bio-integrity.c | 11 +- drivers/acpi/acpi_processor.c | 15 +-- drivers/ata/libata-core.c | 4 +- drivers/ata/pata_macio.c | 7 +- drivers/base/devres.c | 1 + drivers/clk/qcom/clk-alpha-pll.c | 2 +- drivers/clocksource/timer-imx-tpm.c | 16 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 3 + drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 +- drivers/gpu/drm/amd/amdkfd/kfd_crat.h | 2 - drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 3 +- drivers/gpu/drm/amd/amdkfd/kfd_topology.h | 5 +- drivers/gpu/drm/i915/i915_sw_fence.c | 8 +- drivers/hid/hid-cougar.c | 2 +- drivers/hv/vmbus_drv.c | 1 + drivers/hwmon/adc128d818.c | 4 +- drivers/hwmon/lm95234.c | 9 +- drivers/hwmon/nct6775.c | 2 +- drivers/hwmon/w83627ehf.c | 4 +- drivers/iio/buffer/industrialio-buffer-dmaengine.c | 4 +- drivers/iio/inkern.c | 8 +- drivers/input/misc/uinput.c | 14 +++ drivers/iommu/dmar.c | 2 +- drivers/irqchip/irq-armada-370-xp.c | 4 + drivers/media/platform/qcom/camss/camss.c | 5 +- drivers/media/usb/uvc/uvc_driver.c | 18 ++- drivers/misc/vmw_vmci/vmci_resource.c | 3 +- drivers/mmc/host/dw_mmc.c | 4 +- drivers/net/dsa/vitesse-vsc73xx.c | 10 +- drivers/net/ethernet/intel/igb/igb_main.c | 10 ++ .../ethernet/mellanox/mlxsw/spectrum_switchdev.c | 9 +- drivers/net/ethernet/rocker/rocker_main.c | 1 + drivers/net/usb/ch9200.c | 4 +- drivers/net/usb/cx82310_eth.c | 56 +++++++-- drivers/net/usb/ipheth.c | 4 +- drivers/net/usb/kaweth.c | 3 +- drivers/net/usb/mcs7830.c | 4 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/usb/sierra_net.c | 6 +- drivers/net/usb/sr9700.c | 4 +- drivers/net/usb/sr9800.c | 5 +- drivers/net/usb/usbnet.c | 23 ++-- drivers/net/virtio_net.c | 8 +- .../broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 + drivers/net/wireless/marvell/mwifiex/main.h | 3 + drivers/nvmem/core.c | 6 +- drivers/of/irq.c | 15 ++- drivers/pci/hotplug/pnv_php.c | 3 +- drivers/pci/pci.c | 35 +++--- drivers/pcmcia/yenta_socket.c | 6 +- drivers/platform/x86/dell-smbios-base.c | 5 +- drivers/uio/uio_hv_generic.c | 11 +- drivers/usb/dwc3/dwc3-st.c | 12 +- drivers/usb/usbip/stub_rx.c | 77 ++++++++----- fs/btrfs/extent-tree.c | 32 ++++-- fs/btrfs/inode.c | 2 +- fs/fuse/xattr.c | 4 +- fs/nilfs2/recovery.c | 35 +++++- fs/nilfs2/segment.c | 10 +- fs/nilfs2/sysfs.c | 117 +++++++++++-------- fs/squashfs/inode.c | 7 +- fs/udf/super.c | 24 +++- include/linux/ring_buffer.h | 3 +- include/net/net_namespace.h | 5 + include/net/switchdev.h | 3 +- include/uapi/linux/neighbour.h | 1 + kernel/cgroup/cgroup.c | 2 +- kernel/events/uprobes.c | 3 +- kernel/locking/rtmutex.c | 4 +- kernel/smp.c | 1 + kernel/trace/ring_buffer.c | 23 +--- kernel/trace/trace.c | 6 +- kernel/trace/trace_functions_graph.c | 2 +- net/bridge/br.c | 4 +- net/bridge/br_fdb.c | 128 ++++++++++++--------- net/bridge/br_input.c | 2 +- net/bridge/br_private.h | 18 ++- net/bridge/br_switchdev.c | 11 +- net/can/bcm.c | 4 + net/core/net_namespace.c | 28 +++++ net/dsa/slave.c | 1 + net/ipv6/ila/ila.h | 1 + net/ipv6/ila/ila_main.c | 6 + net/ipv6/ila/ila_xlat.c | 13 ++- net/netfilter/nf_conncount.c | 8 +- net/rfkill/core.c | 4 +- net/sched/sch_netem.c | 9 +- net/sunrpc/xprtsock.c | 7 ++ net/unix/af_unix.c | 9 +- security/apparmor/apparmorfs.c | 4 + security/smack/smack_lsm.c | 14 ++- sound/hda/hdmi_chmap.c | 18 +++ sound/pci/hda/patch_conexant.c | 11 ++ sound/usb/helper.c | 17 +++ sound/usb/helper.h | 1 + sound/usb/quirks.c | 14 ++- 100 files changed, 767 insertions(+), 344 deletions(-)

6 days, 17 hours

6
6
0 0

[PATCH 5.15 000/214] 5.15.167-rc1 review

by Richard Narron

Slackware 15.0 64-bit compiles and runs fine. Slackware 15.0 32-bit fails to build and gives the "out of memory" error: cc1: out of memory allocating 180705472 bytes after a total of 284454912 bytes ... make[4]: *** [scripts/Makefile.build:289: drivers/staging/media/atomisp/pci/isp/kernels/ynr/ynr_1.0/ia_css_ynr.ho st.o] Error 1 Patching it with help from Lorenzo Stoakes allows the build to run: https://lore.kernel.org/lkml/5882b96e-1287-4390-8174-3316d39038ef@lucifer.l… And then 32-bit runs fine too. Richard Narron

6 days, 17 hours

3
4
0 0

[PATCH] drm/xe/vram: fix ccs offset calculation

by Matthew Auld

Spec says SW is expected to round up to the nearest 128K, if not already aligned. We are seeing the assert sometimes pop on BMG to tell us that there is a hole between GSM and CCS, as well as popping other asserts with having a vram size with strange alignment, which is likely caused by misaligned offset here. BSpec: 68023 Fixes: b5c2ca0372dc ("drm/xe/xe2hpg: Determine flat ccs offset for vram") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> Cc: Akshata Jahagirdar <akshata.jahagirdar(a)intel.com> Cc: Shuicheng Lin <shuicheng.lin(a)intel.com> Cc: Matt Roper <matthew.d.roper(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.10+ --- drivers/gpu/drm/xe/xe_vram.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/xe/xe_vram.c b/drivers/gpu/drm/xe/xe_vram.c index 7e765b1499b1..8e65cb4cc477 100644 --- a/drivers/gpu/drm/xe/xe_vram.c +++ b/drivers/gpu/drm/xe/xe_vram.c @@ -181,6 +181,7 @@ static inline u64 get_flat_ccs_offset(struct xe_gt *gt, u64 tile_size) offset = offset_hi << 32; /* HW view bits 39:32 */ offset |= offset_lo << 6; /* HW view bits 31:6 */ + offset = round_up(offset, SZ_128K); /* SW must round up to nearest 128K */ offset *= num_enabled; /* convert to SW view */ /* We don't expect any holes */ -- 2.46.0

6 days, 17 hours

1
0
0 0

[PATCH v3] usb: gadget: core: force synchronous registration

by John Keeping

Registering a gadget driver is expected to complete synchronously and immediately after calling driver_register() this function checks that the driver has bound so as to return an error. Set PROBE_FORCE_SYNCHRONOUS to ensure this is the case even when asynchronous probing is set as the default. Fixes: fc274c1e99731 ("USB: gadget: Add a new bus for gadgets") Cc: stable(a)vger.kernel.org Signed-off-by: John Keeping <jkeeping(a)inmusicbrands.com> --- v3: - Add cc: stable v2: - Add "Fixes" trailer drivers/usb/gadget/udc/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c index cf6478f97f4a..a6f46364be65 100644 --- a/drivers/usb/gadget/udc/core.c +++ b/drivers/usb/gadget/udc/core.c @@ -1696,6 +1696,7 @@ int usb_gadget_register_driver_owner(struct usb_gadget_driver *driver, driver->driver.bus = &gadget_bus_type; driver->driver.owner = owner; driver->driver.mod_name = mod_name; + driver->driver.probe_type = PROBE_FORCE_SYNCHRONOUS; ret = driver_register(&driver->driver); if (ret) { pr_warn("%s: driver registration failed: %d\n", -- 2.46.0

6 days, 19 hours

1
0
0 0

[PATCH] efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption

by Ard Biesheuvel

From: Ard Biesheuvel <ardb(a)kernel.org> The TPM event log table is a Linux specific construct, where the data produced by the GetEventLog() boot service is cached in memory, and passed on to the OS using a EFI configuration table. The use of EFI_LOADER_DATA here results in the region being left unreserved in the E820 memory map constructed by the EFI stub, and this is the memory description that is passed on to the incoming kernel by kexec, which is therefore unaware that the region should be reserved. Even though the utility of the TPM2 event log after a kexec is questionable, any corruption might send the parsing code off into the weeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY instead, which is always treated as reserved by the E820 conversion logic. Cc: <stable(a)vger.kernel.org> Reported-by: Breno Leitao <leitao(a)debian.org> Tested-by: Usama Arif <usamaarif642(a)gmail.com> Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/libstub/tpm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/firmware/efi/libstub/tpm.c b/drivers/firmware/efi/libstub/tpm.c index df3182f2e63a..1fd6823248ab 100644 --- a/drivers/firmware/efi/libstub/tpm.c +++ b/drivers/firmware/efi/libstub/tpm.c @@ -96,7 +96,7 @@ static void efi_retrieve_tcg2_eventlog(int version, efi_physical_addr_t log_loca } /* Allocate space for the logs and copy them. */ - status = efi_bs_call(allocate_pool, EFI_LOADER_DATA, + status = efi_bs_call(allocate_pool, EFI_ACPI_RECLAIM_MEMORY, sizeof(*log_tbl) + log_size, (void **)&log_tbl); if (status != EFI_SUCCESS) { -- 2.46.0.662.g92d0881bb0-goog

6 days, 19 hours

3
2
0 0

FW: [PATCH] usb: xhci: fix loss of data on Cadence xHC

by Pawel Laszczak

Streams should flush their TRB cache, re-read TRBs, and start executing TRBs from the beginning of the new dequeue pointer after a 'Set TR Dequeue Pointer' command. Cadence controllers may fail to start from the beginning of the dequeue TRB as it doesn't clear the Opaque 'RsvdO' field of the stream context during 'Set TR Dequeue' command. This stream context area is where xHC stores information about the last partially executed TD when a stream is stopped. xHC uses this information to resume the transfer where it left mid TD, when the stream is restarted. Patch fixes this by clearing out all RsvdO fields before initializing new Stream transfer using a 'Set TR Dequeue Pointer' command. Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") cc: <stable(a)vger.kernel.org> Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> --- Changelog: v3: - changed patch to patch Cadence specific v2: - removed restoring of EDTLA field drivers/usb/cdns3/host.c | 4 +++- drivers/usb/host/xhci-pci.c | 7 +++++++ drivers/usb/host/xhci-ring.c | 14 ++++++++++++++ drivers/usb/host/xhci.h | 1 + 4 files changed, 25 insertions(+), 1 deletion(-) diff --git a/drivers/usb/cdns3/host.c b/drivers/usb/cdns3/host.c index ceca4d839dfd..7ba760ee62e3 100644 --- a/drivers/usb/cdns3/host.c +++ b/drivers/usb/cdns3/host.c @@ -62,7 +62,9 @@ static const struct xhci_plat_priv xhci_plat_cdns3_xhci = { .resume_quirk = xhci_cdns3_resume_quirk, }; -static const struct xhci_plat_priv xhci_plat_cdnsp_xhci; +static const struct xhci_plat_priv xhci_plat_cdnsp_xhci = { + .quirks = XHCI_CDNS_SCTX_QUIRK, +}; static int __cdns_host_init(struct cdns *cdns) { diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index b9ae5c2a2527..9199dbfcea07 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -74,6 +74,9 @@ #define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142 #define PCI_DEVICE_ID_ASMEDIA_3242_XHCI 0x3242 +#define PCI_DEVICE_ID_CADENCE 0x17CD +#define PCI_DEVICE_ID_CADENCE_SSP 0x0200 + static const char hcd_name[] = "xhci_hcd"; static struct hc_driver __read_mostly xhci_pci_hc_driver; @@ -532,6 +535,10 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) xhci->quirks |= XHCI_ZHAOXIN_TRB_FETCH; } + if (pdev->vendor == PCI_DEVICE_ID_CADENCE && + pdev->device == PCI_DEVICE_ID_CADENCE_SSP) + xhci->quirks |= XHCI_CDNS_SCTX_QUIRK; + /* xHC spec requires PCI devices to support D3hot and D3cold */ if (xhci->hci_version >= 0x120) xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW; diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 1dde53f6eb31..a1ad2658c0c7 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1386,6 +1386,20 @@ static void xhci_handle_cmd_set_deq(struct xhci_hcd *xhci, int slot_id, struct xhci_stream_ctx *ctx = &ep->stream_info->stream_ctx_array[stream_id]; deq = le64_to_cpu(ctx->stream_ring) & SCTX_DEQ_MASK; + + /* + * Cadence xHCI controllers store some endpoint state + * information within Rsvd0 fields of Stream Endpoint + * context. This field is not cleared during Set TR + * Dequeue Pointer command which causes XDMA to skip + * over transfer ring and leads to data loss on stream + * pipe. + * To fix this issue driver must clear Rsvd0 field. + */ + if (xhci->quirks & XHCI_CDNS_SCTX_QUIRK) { + ctx->reserved[0] = 0; + ctx->reserved[1] = 0; + } } else { deq = le64_to_cpu(ep_ctx->deq) & ~EP_CTX_CYCLE_MASK; } diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 101e74c9060f..4cbd58eed214 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1907,6 +1907,7 @@ struct xhci_hcd { #define XHCI_ZHAOXIN_TRB_FETCH BIT_ULL(45) #define XHCI_ZHAOXIN_HOST BIT_ULL(46) #define XHCI_WRITE_64_HI_LO BIT_ULL(47) +#define XHCI_CDNS_SCTX_QUIRK BIT_ULL(48) unsigned int num_active_eps; unsigned int limit_active_eps; -- 2.43.0

6 days, 19 hours

3
5
0 0

[PATCH RESEND] drm/sti: avoid potential dereference of error pointers

by Ma Ke

The return value of drm_atomic_get_crtc_state() needs to be checked. To avoid use of error pointer 'crtc_state' in case of the failure. Cc: stable(a)vger.kernel.org Fixes: dec92020671c ("drm: Use the state pointer directly in planes atomic_check") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/sti/sti_cursor.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/sti/sti_cursor.c b/drivers/gpu/drm/sti/sti_cursor.c index db0a1eb53532..e460f5ba2d87 100644 --- a/drivers/gpu/drm/sti/sti_cursor.c +++ b/drivers/gpu/drm/sti/sti_cursor.c @@ -200,6 +200,8 @@ static int sti_cursor_atomic_check(struct drm_plane *drm_plane, return 0; crtc_state = drm_atomic_get_crtc_state(state, crtc); + if (IS_ERR(crtc_state)) + return PTR_ERR(crtc_state); mode = &crtc_state->mode; dst_x = new_plane_state->crtc_x; dst_y = new_plane_state->crtc_y; -- 2.25.1

6 days, 20 hours

3
4
0 0

[PATCH] drm/vc4: Fix atomicity violation in vc4_crtc_send_vblank()

by Qiu-ji Chen

Atomicity violation occurs when the vc4_crtc_send_vblank function is executed simultaneously with modifications to crtc->state or crtc->state->event. Consider a scenario where both crtc->state and crtc->state->event are non-null. They can pass the validity check, but at the same time, crtc->state or crtc->state->event could be set to null. In this case, the validity check in vc4_crtc_send_vblank might act on the old crtc->state and crtc->state->event (before locking), allowing invalid values to pass the validity check, leading to null pointer dereference. To address this issue, it is recommended to include the validity check of crtc->state and crtc->state->event within the locking section of the function. This modification ensures that the values of crtc->state->event and crtc->state do not change during the validation process, maintaining their valid conditions. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: 68e4a69aec4d ("drm/vc4: crtc: Create vblank reporting function") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/gpu/drm/vc4/vc4_crtc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c index 8b5a7e5eb146..98885f519827 100644 --- a/drivers/gpu/drm/vc4/vc4_crtc.c +++ b/drivers/gpu/drm/vc4/vc4_crtc.c @@ -575,10 +575,12 @@ void vc4_crtc_send_vblank(struct drm_crtc *crtc) struct drm_device *dev = crtc->dev; unsigned long flags; - if (!crtc->state || !crtc->state->event) + spin_lock_irqsave(&dev->event_lock, flags); + if (!crtc->state || !crtc->state->event) { + spin_unlock_irqrestore(&dev->event_lock, flags); return; + } - spin_lock_irqsave(&dev->event_lock, flags); drm_crtc_send_vblank_event(crtc, crtc->state->event); crtc->state->event = NULL; spin_unlock_irqrestore(&dev->event_lock, flags); -- 2.34.1

6 days, 20 hours

1
0
0 0

[PATCH] drm/sti: avoid potential dereference of error pointers in sti_hqvdp_atomic_check

by Ma Ke

The return value of drm_atomic_get_crtc_state() needs to be checked. To avoid use of error pointer 'crtc_state' in case of the failure. Cc: stable(a)vger.kernel.org Fixes: dd86dc2f9ae1 ("drm/sti: implement atomic_check for the planes") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/sti/sti_hqvdp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/sti/sti_hqvdp.c b/drivers/gpu/drm/sti/sti_hqvdp.c index 0fb48ac044d8..abab92df78bd 100644 --- a/drivers/gpu/drm/sti/sti_hqvdp.c +++ b/drivers/gpu/drm/sti/sti_hqvdp.c @@ -1037,6 +1037,9 @@ static int sti_hqvdp_atomic_check(struct drm_plane *drm_plane, return 0; crtc_state = drm_atomic_get_crtc_state(state, crtc); + if (IS_ERR(crtc_state)) + return PTR_ERR(crtc_state); + mode = &crtc_state->mode; dst_x = new_plane_state->crtc_x; dst_y = new_plane_state->crtc_y; -- 2.25.1

6 days, 20 hours

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror September 2024