September 2024 - Linux-stable-mirror

[PATCH 5.10 0/1] rtlwifi: rtl8192de: fix ofdm power compensation

by Nikita Zhandarovich

This patch aims to prevent reliably encountered buffer overflow in rtl92d_dm_txpower_tracking_callback_thermalmeter() caused by accessing 'ofdm_index[]' array of size 2 with index 'i' equal to 2, which in turn is possible if value of 'is2t' is 'true'. The issue in question has been fixed by the following upstream patch that can be cleanly applied to 5.10 stable branch.

11 months, 3 weeks

1
1
0 0

[PATCH 3/3] vfs: return -EOVERFLOW in generic_remap_checks() when overflow check fails

by Julian Sun

Keep it consistent with the handling of the same check within generic_copy_file_checks(). Also, returning -EOVERFLOW in this case is more appropriate. Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com> --- fs/remap_range.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/remap_range.c b/fs/remap_range.c index 6fdeb3c8cb70..a26521ded5c8 100644 --- a/fs/remap_range.c +++ b/fs/remap_range.c @@ -42,7 +42,7 @@ static int generic_remap_checks(struct file *file_in, loff_t pos_in, /* The start of both ranges must be aligned to an fs block. */ if (!IS_ALIGNED(pos_in, bs) || !IS_ALIGNED(pos_out, bs)) - return -EINVAL; + return -EOVERFLOW; /* Ensure offsets don't wrap. */ if (check_add_overflow(pos_in, count, &tmp) || -- 2.39.2

11 months, 3 weeks

4
7
0 0

[PATCH] dmaengine: dw: Select only supported masters for ACPI devices

by Serge Semin

The recently submitted fix-commit revealed a problem in the iDMA32 platform code. Even though the controller supported only a single master the dw_dma_acpi_filter() method hard-coded two master interfaces with IDs 0 and 1. As a result the sanity check implemented in the commit b336268dde75 ("dmaengine: dw: Add peripheral bus width verification") got incorrect interface data width and thus prevented the client drivers from configuring the DMA-channel with the EINVAL error returned. E.g. the next error was printed for the PXA2xx SPI controller driver trying to configure the requested channels: > [ 164.525604] pxa2xx_spi_pci 0000:00:07.1: DMA slave config failed > [ 164.536105] pxa2xx_spi_pci 0000:00:07.1: failed to get DMA TX descriptor > [ 164.543213] spidev spi-SPT0001:00: SPI transfer failed: -16 The problem would have been spotted much earlier if the iDMA32 controller supported more than one master interfaces. But since it supports just a single master and the iDMA32-specific code just ignores the master IDs in the CTLLO preparation method, the issue has been gone unnoticed so far. Fix the problem by specifying a single master ID for both memory and peripheral devices on the ACPI-based platforms if there is only one master available on the controller. Thus the issue noticed for the iDMA32 controllers will be eliminated and the ACPI-probed DW DMA controllers will be configured with the correct master ID by default. Cc: stable(a)vger.kernel.org Fixes: b336268dde75 ("dmaengine: dw: Add peripheral bus width verification") Fixes: 199244d69458 ("dmaengine: dw: add support of iDMA 32-bit hardware") Reported-by: Ferry Toth <fntoth(a)gmail.com> Closes: https://lore.kernel.org/dmaengine/ZuXbCKUs1iOqFu51@black.fi.intel.com/ Reported-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Closes: https://lore.kernel.org/dmaengine/ZuXgI-VcHpMgbZ91@black.fi.intel.com/ Signed-off-by: Serge Semin <fancer.lancer(a)gmail.com> --- Note I haven't got any device with the Intel Merrifield iDMA32 + SPI PXA2xx pair to test out the solution. So any tests are very welcome. But based on Andy' (see the reported-by links) and my investigations the fix seems correct. --- drivers/dma/dw/acpi.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/dma/dw/acpi.c b/drivers/dma/dw/acpi.c index c510c109d2c3..efbe8baeccbc 100644 --- a/drivers/dma/dw/acpi.c +++ b/drivers/dma/dw/acpi.c @@ -8,15 +8,25 @@ static bool dw_dma_acpi_filter(struct dma_chan *chan, void *param) { + struct dw_dma *dw = to_dw_dma(chan->device); struct acpi_dma_spec *dma_spec = param; struct dw_dma_slave slave = { .dma_dev = dma_spec->dev, .src_id = dma_spec->slave_id, .dst_id = dma_spec->slave_id, .m_master = 0, - .p_master = 1, }; + /* + * Fallback to using a single interface for both memory and peripheral + * device if there is only one master I/F supported (e.g. iDMA32) + */ + if (dw->pdata->nr_masters == 0) + slave.p_master = 0; + else + slave.p_master = 1; + + return dw_dma_filter(chan, &slave); } -- 2.43.0

11 months, 3 weeks

3
6
0 0

[PATCH] fbcon: Fix a NULL pointer dereference issue in fbcon_putcs

by Qianqiang Liu

syzbot has found a NULL pointer dereference bug in fbcon [1]. This issue is caused by ops->putcs being a NULL pointer. We need to check the pointer before using it. [1] https://syzkaller.appspot.com/bug?extid=3d613ae53c031502687a Cc: stable(a)vger.kernel.org Reported-and-tested-by: syzbot+3d613ae53c031502687a(a)syzkaller.appspotmail.com Signed-off-by: Qianqiang Liu <qianqiang.liu(a)163.com> --- drivers/video/fbdev/core/fbcon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 3f7333dca508..96c1262cc981 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -1284,7 +1284,7 @@ static void fbcon_putcs(struct vc_data *vc, const u16 *s, unsigned int count, struct fbcon_display *p = &fb_display[vc->vc_num]; struct fbcon_ops *ops = info->fbcon_par; - if (!fbcon_is_inactive(vc, info)) + if (!fbcon_is_inactive(vc, info) && ops->putcs) ops->putcs(vc, info, s, count, real_y(p, ypos), xpos, get_color(vc, info, scr_readw(s), 1), get_color(vc, info, scr_readw(s), 0)); -- 2.39.2

11 months, 3 weeks

2
2
0 0

[PATCH 5.4] bpf: Fix DEVMAP_HASH overflow check on 32-bit arches

by Pu Lehui

From: Toke Høiland-Jørgensen <toke(a)redhat.com> [ Upstream commit 281d464a34f540de166cee74b723e97ac2515ec3 ] The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation. Fixes: 6f9d451ab1a3 ("xdp: Add devmap_hash map type for looking up devices by hashed index") Link: https://lore.kernel.org/r/000000000000ed666a0611af6818@google.com Reported-and-tested-by: syzbot+8cd36f6b65f3cafd400a(a)syzkaller.appspotmail.com Signed-off-by: Toke Høiland-Jørgensen <toke(a)redhat.com> Message-ID: <20240307120340.99577-2-toke(a)redhat.com> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/bpf/devmap.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index 4b2819b0a05a..2370fc31169f 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c @@ -130,10 +130,13 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) cost = (u64) sizeof(struct list_head) * num_possible_cpus(); if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { - dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); - - if (!dtab->n_buckets) /* Overflow check */ + /* hash table size must be power of 2; roundup_pow_of_two() can + * overflow into UB on 32-bit arches, so check that first + */ + if (dtab->map.max_entries > 1UL << 31) return -EINVAL; + + dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); cost += (u64) sizeof(struct hlist_head) * dtab->n_buckets; } else { cost += (u64) dtab->map.max_entries * sizeof(struct bpf_dtab_netdev *); -- 2.34.1

11 months, 3 weeks

1
0
0 0

[PATCH] Input: adp5588-keys - Added checking of key and key_val variables

by Denis Arefev

If the adp5588_read function returns 0, then there will be an overflow of the kpad->keycode buffer. If the adp5588_read function returns a negative value, then the logic is broken - the wrong value is used as an index of the kpad->keycode array. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: stable(a)vger.kernel.org # v5.10+ Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- drivers/input/keyboard/adp5588-keys.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/input/keyboard/adp5588-keys.c b/drivers/input/keyboard/adp5588-keys.c index 1b0279393df4..d05387f9c11f 100644 --- a/drivers/input/keyboard/adp5588-keys.c +++ b/drivers/input/keyboard/adp5588-keys.c @@ -526,14 +526,17 @@ static void adp5588_report_events(struct adp5588_kpad *kpad, int ev_cnt) int i; for (i = 0; i < ev_cnt; i++) { - int key = adp5588_read(kpad->client, KEY_EVENTA + i); - int key_val = key & KEY_EV_MASK; - int key_press = key & KEY_EV_PRESSED; + int key, key_val, key_press; + key = adp5588_read(kpad->client, KEY_EVENTA + i); + if (key < 0) + continue; + key_val = key & KEY_EV_MASK; + key_press = key & KEY_EV_PRESSED; if (key_val >= GPI_PIN_BASE && key_val <= GPI_PIN_END) { /* gpio line used as IRQ source */ adp5588_gpio_irq_handle(kpad, key_val, key_press); - } else { + } else if (key_val > 0) { int row = (key_val - 1) / ADP5588_COLS_MAX; int col = (key_val - 1) % ADP5588_COLS_MAX; int code = MATRIX_SCAN_CODE(row, col, kpad->row_shift); -- 2.25.1

11 months, 3 weeks

1
0
0 0

[PATCH v7 2/4] ufs: core: requeue aborted request

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> Regarding the specification of MCQ: Aborts a command using SQ cleanup, The host controller will post a Completion Queue entry with OCS = ABORTED. ufshcd_abort_all forcibly aborts all on-going commands. In MCQ mode, set a variable to notify SCSI to requeue the command after receiving response with OCS_ABORTED. This approach would then be consistent with legacy SDB mode. Below is ufshcd_err_handler legacy SDB flow: ufshcd_err_handler() ufshcd_abort_all() ufshcd_abort_one() ufshcd_try_to_abort_task() ufshcd_complete_requests() ufshcd_transfer_req_compl() ufshcd_poll() get outstanding_lock clear outstanding_reqs tag release outstanding_lock __ufshcd_transfer_req_compl() ufshcd_compl_one_cqe() cmd->result = DID_REQUEUE ufshcd_release_scsi_cmd() scsi_done() ufshcd_intr() ufshcd_sl_intr() ufshcd_transfer_req_compl() ufshcd_poll() get outstanding_lock clear outstanding_reqs tag release outstanding_lock __ufshcd_transfer_req_compl() ufshcd_compl_one_cqe() cmd->result = DID_REQUEUE ufshcd_release_scsi_cmd() scsi_done(); Below is ufshcd_err_handler MCQ flow: ufshcd_err_handler() ufshcd_abort_all() ufshcd_abort_one() ufshcd_try_to_abort_task() ufshcd_complete_requests() ufshcd_mcq_compl_pending_transfer() ufshcd_mcq_poll_cqe_lock() ufshcd_mcq_process_cqe() ufshcd_compl_one_cqe() cmd->result = DID_ABORT // should change to DID_REQUEUE ufshcd_release_scsi_cmd() scsi_done() ufs_mtk_mcq_intr() ufshcd_mcq_poll_cqe_lock() ufshcd_mcq_process_cqe() ufshcd_compl_one_cqe() cmd->result = DID_ABORT // should change to DID_REQUEUE ufshcd_release_scsi_cmd() scsi_done() So what we need to correct is to notify SCSI to requeue when MCQ mode receives OCS: ABORTED. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/core/ufshcd.c | 40 ++++++++++++++++++++++++--------------- include/ufs/ufshcd.h | 8 ++++++++ 2 files changed, 33 insertions(+), 15 deletions(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index a6f818cdef0e..4f9c7a632465 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -3006,6 +3006,7 @@ static int ufshcd_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd) ufshcd_prepare_lrbp_crypto(scsi_cmd_to_rq(cmd), lrbp); lrbp->req_abort_skip = false; + lrbp->abort_initiated_by = UFS_NO_ABORT; ufshcd_comp_scsi_upiu(hba, lrbp); @@ -5404,10 +5405,19 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp, } break; case OCS_ABORTED: - result |= DID_ABORT << 16; + if (lrbp->abort_initiated_by == UFS_ERR_HANDLER) + result |= DID_REQUEUE << 16; + else + result |= DID_ABORT << 16; + dev_warn(hba->dev, + "OCS aborted from controller = %x for tag %d\n", + ocs, lrbp->task_tag); break; case OCS_INVALID_COMMAND_STATUS: result |= DID_REQUEUE << 16; + dev_warn(hba->dev, + "OCS invaild from controller = %x for tag %d\n", + ocs, lrbp->task_tag); break; case OCS_INVALID_CMD_TABLE_ATTR: case OCS_INVALID_PRDT_ATTR: @@ -6471,26 +6481,12 @@ static bool ufshcd_abort_one(struct request *rq, void *priv) struct scsi_device *sdev = cmd->device; struct Scsi_Host *shost = sdev->host; struct ufs_hba *hba = shost_priv(shost); - struct ufshcd_lrb *lrbp = &hba->lrb[tag]; - struct ufs_hw_queue *hwq; - unsigned long flags; *ret = ufshcd_try_to_abort_task(hba, tag); dev_err(hba->dev, "Aborting tag %d / CDB %#02x %s\n", tag, hba->lrb[tag].cmd ? hba->lrb[tag].cmd->cmnd[0] : -1, *ret ? "failed" : "succeeded"); - /* Release cmd in MCQ mode if abort succeeds */ - if (hba->mcq_enabled && (*ret == 0)) { - hwq = ufshcd_mcq_req_to_hwq(hba, scsi_cmd_to_rq(lrbp->cmd)); - if (!hwq) - return 0; - spin_lock_irqsave(&hwq->cq_lock, flags); - if (ufshcd_cmd_inflight(lrbp->cmd)) - ufshcd_release_scsi_cmd(hba, lrbp); - spin_unlock_irqrestore(&hwq->cq_lock, flags); - } - return *ret == 0; } @@ -7561,6 +7557,20 @@ int ufshcd_try_to_abort_task(struct ufs_hba *hba, int tag) goto out; } + /* + * When the host software receives a "FUNCTION COMPLETE", set this + * variable to requeue command after receive response with OCS_ABORTED + * + * MCQ mode: Host will post to CQ with OCS_ABORTED after SQ cleanup + * + * This variable is set because error handler ufshcd_abort_all forcibly + * aborts all commands, and the host controller will automatically + * fill in the OCS field of the corresponding response with OCS_ABORTED. + * Therefore, upon receiving this response, it needs to be requeued. + */ + if (!err && hba->mcq_enabled && ufshcd_eh_in_progress(hba)) + lrbp->abort_initiated_by = UFS_ERR_HANDLER; + err = ufshcd_clear_cmd(hba, tag); if (err) dev_err(hba->dev, "%s: Failed clearing cmd at tag %d, err %d\n", diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h index 0fd2aebac728..61a7dc489511 100644 --- a/include/ufs/ufshcd.h +++ b/include/ufs/ufshcd.h @@ -145,6 +145,11 @@ enum ufs_pm_level { UFS_PM_LVL_MAX }; +enum ufs_abort_by { + UFS_NO_ABORT, + UFS_ERR_HANDLER, +}; + struct ufs_pm_lvl_states { enum ufs_dev_pwr_mode dev_state; enum uic_link_state link_state; @@ -173,6 +178,8 @@ struct ufs_pm_lvl_states { * @crypto_key_slot: the key slot to use for inline crypto (-1 if none) * @data_unit_num: the data unit number for the first block for inline crypto * @req_abort_skip: skip request abort task flag + * @abort_initiated_by: This variable is used to store the scenario in + * which the abort occurs */ struct ufshcd_lrb { struct utp_transfer_req_desc *utr_descriptor_ptr; @@ -202,6 +209,7 @@ struct ufshcd_lrb { #endif bool req_abort_skip; + int abort_initiated_by; }; /** -- 2.45.2

11 months, 3 weeks

1
0
0 0

[PATCH v7 1/4] ufs: core: fix the issue of ICU failure

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> When setting the ICU bit without using read-modify-write, SQRTCy will restart SQ again and receive an RTC return error code 2 (Failure - SQ not stopped). Additionally, the error log has been modified so that this type of error can be observed. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> Reviewed-by: Bao D. Nguyen <quic_nguyenb(a)quicinc.com> Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/ufs/core/ufs-mcq.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c index 5891cdacd0b3..3903947dbed1 100644 --- a/drivers/ufs/core/ufs-mcq.c +++ b/drivers/ufs/core/ufs-mcq.c @@ -539,7 +539,7 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) struct scsi_cmnd *cmd = lrbp->cmd; struct ufs_hw_queue *hwq; void __iomem *reg, *opr_sqd_base; - u32 nexus, id, val; + u32 nexus, id, val, rtc; int err; if (hba->quirks & UFSHCD_QUIRK_MCQ_BROKEN_RTC) @@ -569,17 +569,18 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) opr_sqd_base = mcq_opr_base(hba, OPR_SQD, id); writel(nexus, opr_sqd_base + REG_SQCTI); - /* SQRTCy.ICU = 1 */ - writel(SQ_ICU, opr_sqd_base + REG_SQRTC); + /* Initiate Cleanup */ + writel(readl(opr_sqd_base + REG_SQRTC) | SQ_ICU, + opr_sqd_base + REG_SQRTC); /* Poll SQRTSy.CUS = 1. Return result from SQRTSy.RTC */ reg = opr_sqd_base + REG_SQRTS; err = read_poll_timeout(readl, val, val & SQ_CUS, 20, MCQ_POLL_US, false, reg); - if (err) - dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%ld\n", - __func__, id, task_tag, - FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg))); + rtc = FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg)); + if (err || rtc) + dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%d RTC=%d\n", + __func__, id, task_tag, err, rtc); if (ufshcd_mcq_sq_start(hba, hwq)) err = -ETIMEDOUT; -- 2.45.2

11 months, 3 weeks

1
0
0 0

[PATCH 5.10/5.15 0/1] tty: add the option to have a tty reject a new ldisc

by Gavrilov Ilia

Syzkaller reports a sleeping function called from invalid context in do_con_write() in the 5.10 and 5.15 stable releases. The issue has been fixed by the following upstream patch that was adapted to 5.10 and 5.15. All of the changes made to the patch in order to adapt it are described at the end of the commit message. This patch has already been backported to the following stable branches: v6.9 - https://lore.kernel.org/all/20240625085551.368621044@linuxfoundation.org/ v6.6 - https://lore.kernel.org/all/20240625085539.398852153@linuxfoundation.org/ v6.1 - https://lore.kernel.org/all/20240625085527.625846117@linuxfoundation.org/ Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. Linus Torvalds (1): tty: add the option to have a tty reject a new ldisc drivers/tty/tty_ldisc.c | 6 ++++++ drivers/tty/vt/vt.c | 10 ++++++++++ include/linux/tty_driver.h | 8 ++++++++ 3 files changed, 24 insertions(+) -- 2.39.2

11 months, 3 weeks

1
1
0 0

[PATCH v1] usb: typec: Fix arg check for usb_power_delivery_unregister_capabilities

by Amit Sunil Dhamne

usb_power_delivery_register_capabilities() returns ERR_PTR in case of failure. usb_power_delivery_unregister_capabilities() we only check argument ("cap") for NULL. A more robust check would be checking for ERR_PTR as well. Cc: stable(a)vger.kernel.org Fixes: 662a60102c12 ("usb: typec: Separate USB Power Delivery from USB Type-C") Signed-off-by: Amit Sunil Dhamne <amitsd(a)google.com> Reviewed-by: Badhri Jagan Sridharan <badhri(a)google.com> --- drivers/usb/typec/pd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/typec/pd.c b/drivers/usb/typec/pd.c index d78c04a421bc..761fe4dddf1b 100644 --- a/drivers/usb/typec/pd.c +++ b/drivers/usb/typec/pd.c @@ -519,7 +519,7 @@ EXPORT_SYMBOL_GPL(usb_power_delivery_register_capabilities); */ void usb_power_delivery_unregister_capabilities(struct usb_power_delivery_capabilities *cap) { - if (!cap) + if (IS_ERR_OR_NULL(cap)) return; device_for_each_child(&cap->dev, NULL, remove_pdo); base-commit: 68d4209158f43a558c5553ea95ab0c8975eab18c -- 2.46.0.792.g87dc391469-goog

11 months, 3 weeks

3
4
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror September 2024