* [PATCH AUTOSEL 5.4 02/22] drm/amd/display: Check gpio_id before used as array index
2024-08-01 0:38 [PATCH AUTOSEL 5.4 01/22] drm/amdgpu: fix overflowed array index read warning Sasha Levin
@ 2024-08-01 0:38 ` Sasha Levin
2024-08-01 0:38 ` [PATCH AUTOSEL 5.4 03/22] drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 Sasha Levin
` (19 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Alex Hung, Harry Wentland, Tom Chung, Daniel Wheeler,
Alex Deucher, Sasha Levin, sunpeng.li, Rodrigo.Siqueira,
christian.koenig, Xinhui.Pan, airlied, daniel, hersenxs.wu,
amd-gfx, dri-devel
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit 2a5626eeb3b5eec7a36886f9556113dd93ec8ed6 ]
[WHY & HOW]
GPIO_ID_UNKNOWN (-1) is not a valid value for an array index and therefore
should be checked in advance.
This fixes 5 OVERRUN issues reported by Coverity.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Acked-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
index 0be817f8cae6b..f76ec0dd29e7b 100644
--- a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
+++ b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
@@ -242,6 +242,9 @@ static bool is_pin_busy(
enum gpio_id id,
uint32_t en)
{
+ if (id == GPIO_ID_UNKNOWN)
+ return false;
+
return service->busyness[id][en];
}
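Review bot: returning false for GPIO_ID_UNKNOWN tells the caller the pin is free, which is the permissive answer for an invalid id; a caller that then goes on to set_pin_busy() gets a silent no-op, so the pin is never recorded as busy. If an unknown id is a programming error, failing closed (return true, or rejecting the id one level up in dal_gpio_service_lock()) is the safer default. Separately, only the -1 sentinel is rejected: an id past the end of busyness[] and any out-of-range `en` are still used unchecked, and busyness[id] can evidently be NULL (dal_gpio_service_lock() tests for exactly that) yet is dereferenced here without a check.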
@@ -250,6 +253,9 @@ static void set_pin_busy(
enum gpio_id id,
uint32_t en)
{
+ if (id == GPIO_ID_UNKNOWN)
+ return;
+
service->busyness[id][en] = true;
}
@@ -258,6 +264,9 @@ static void set_pin_free(
enum gpio_id id,
uint32_t en)
{
+ if (id == GPIO_ID_UNKNOWN)
+ return;
+
service->busyness[id][en] = false;
}
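Review bot: the same three-line guard now appears in is_pin_busy(), set_pin_busy() and set_pin_free(); a small static helper such as `gpio_id_valid(id)` that also checks the upper bound of the busyness[] array would keep the three in step and give one place to tighten the range later.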
@@ -266,7 +275,7 @@ enum gpio_result dal_gpio_service_lock(
enum gpio_id id,
uint32_t en)
{
- if (!service->busyness[id]) {
+ if (id != GPIO_ID_UNKNOWN && !service->busyness[id]) {
ASSERT_CRITICAL(false);
return GPIO_RESULT_OPEN_FAILED;
}
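Review bot: the short-circuit in `if (id != GPIO_ID_UNKNOWN && !service->busyness[id])` makes the whole condition false for GPIO_ID_UNKNOWN, so an unknown id skips the GPIO_RESULT_OPEN_FAILED return and the lock proceeds with it. That avoids the ASSERT_CRITICAL, but a caller locking an unknown pin now gets success. If the intent is to reject it without asserting, a separate `if (id == GPIO_ID_UNKNOWN) return GPIO_RESULT_OPEN_FAILED;` ahead of the existing check does that.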
@@ -280,7 +289,7 @@ enum gpio_result dal_gpio_service_unlock(
enum gpio_id id,
uint32_t en)
{
- if (!service->busyness[id]) {
+ if (id != GPIO_ID_UNKNOWN && !service->busyness[id]) {
ASSERT_CRITICAL(false);
return GPIO_RESULT_OPEN_FAILED;
}
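Review bot: same point as in dal_gpio_service_lock(): an unknown id now falls through instead of returning GPIO_RESULT_OPEN_FAILED, so unlocking a pin that could never have been locked reports success rather than an error.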
--
2.43.0
* [PATCH AUTOSEL 5.4 03/22] drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Hersen Wu, Harry Wentland, Tom Chung, Daniel Wheeler,
Alex Deucher, Sasha Levin, sunpeng.li, Rodrigo.Siqueira,
christian.koenig, Xinhui.Pan, airlied, daniel, alex.hung,
hamza.mahfooz, roman.li, mario.limonciello, Wayne.Lin, amd-gfx,
dri-devel
From: Hersen Wu <hersenxs.wu@amd.com>
[ Upstream commit 84723eb6068c50610c5c0893980d230d7afa2105 ]
[Why]
Coverity reports an OVERRUN warning. amdgpu_dm initialization should
be aborted.
[How]
Return failure to amdgpu_dm_init.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Acked-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 3bfc4aa328c6f..869b38908b28d 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -2263,7 +2263,10 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev)
/* There is one primary plane per CRTC */
primary_planes = dm->dc->caps.max_streams;
- ASSERT(primary_planes <= AMDGPU_MAX_PLANES);
+ if (primary_planes > AMDGPU_MAX_PLANES) {
+ DRM_ERROR("DM: Plane nums out of 6 planes\n");
+ return -EINVAL;
+ }
/*
* Initialize primary planes, implicit planes for legacy IOCTLS.
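Review bot: the message hard-codes `6` and omits the offending value; since the limit is AMDGPU_MAX_PLANES, log both, e.g. `DRM_ERROR("DM: %d primary planes exceeds AMDGPU_MAX_PLANES (%d)\n", primary_planes, AMDGPU_MAX_PLANES);` so the string stays correct if the constant ever changes. Also worth confirming that the early `return -EINVAL` does not skip cleanup of anything amdgpu_dm_initialize_drm_device() has already set up above this point; the hunk does not show the earlier part of the function.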
--
2.43.0
* [PATCH AUTOSEL 5.4 04/22] drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Alex Hung, Harry Wentland, Tom Chung, Daniel Wheeler,
Alex Deucher, Sasha Levin, sunpeng.li, Rodrigo.Siqueira,
christian.koenig, Xinhui.Pan, airlied, daniel, hamza.mahfooz,
roman.li, aric.cyr, joshua.aberback, amd-gfx, dri-devel
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit b38a4815f79b87efb196cd5121579fc51e29a7fb ]
[WHY & HOW]
num_valid_sets needs to be checked to avoid a negative index when
accessing reader_wm_sets[num_valid_sets - 1].
This fixes an OVERRUN issue reported by Coverity.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Acked-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c
index 9f301f8575a54..fec3ca955b264 100644
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c
@@ -453,7 +453,8 @@ void build_watermark_ranges(struct clk_bw_params *bw_params, struct pp_smu_wm_ra
ranges->reader_wm_sets[num_valid_sets].max_fill_clk_mhz = PP_SMU_WM_SET_RANGE_CLK_UNCONSTRAINED_MAX;
/* Modify previous watermark range to cover up to max */
- ranges->reader_wm_sets[num_valid_sets - 1].max_fill_clk_mhz = PP_SMU_WM_SET_RANGE_CLK_UNCONSTRAINED_MAX;
+ if (num_valid_sets > 0)
+ ranges->reader_wm_sets[num_valid_sets - 1].max_fill_clk_mhz = PP_SMU_WM_SET_RANGE_CLK_UNCONSTRAINED_MAX;
}
num_valid_sets++;
}
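Review bot: the guard covers the lower bound only. The line just above it writes `ranges->reader_wm_sets[num_valid_sets]` and the loop then increments num_valid_sets, and nothing in this hunk bounds num_valid_sets against the size of reader_wm_sets[]; if the upper bound is enforced elsewhere, fine, otherwise the same OVERRUN class remains on the index above. A short comment saying why num_valid_sets can be 0 here (there is no earlier range to extend) would also help the next reader.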
--
2.43.0
* [PATCH AUTOSEL 5.4 05/22] drm/amd/display: Fix Coverity INTEGER_OVERFLOW within dal_gpio_service_create
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Hersen Wu, Harry Wentland, Tom Chung, Daniel Wheeler,
Alex Deucher, Sasha Levin, sunpeng.li, Rodrigo.Siqueira,
christian.koenig, Xinhui.Pan, airlied, daniel, alex.hung, amd-gfx,
dri-devel
From: Hersen Wu <hersenxs.wu@amd.com>
[ Upstream commit c6077aa66fa230d12f37fef01161ef080d13b726 ]
[Why]
For subtraction, Coverity reports an integer overflow
warning when the variable type is uint32_t.
[How]
Change variable type to int32_t.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Acked-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
index f76ec0dd29e7b..a61cec470d28c 100644
--- a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
+++ b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
@@ -58,7 +58,7 @@ struct gpio_service *dal_gpio_service_create(
struct dc_context *ctx)
{
struct gpio_service *service;
- uint32_t index_of_id;
+ int32_t index_of_id;
service = kzalloc(sizeof(struct gpio_service), GFP_KERNEL);
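Review bot: changing index_of_id to int32_t silences the tool but also changes the type of a value that is used as an array index in the allocation loop (not in this hunk); check that the comparisons there against the number of ids don't become signed/unsigned mismatches, and that a negative value can never reach the indexing. The more usual kernel idiom is to keep the counter unsigned and write the unwind as `while (index_of_id--) kfree(service->busyness[index_of_id]);`, which needs no type change.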
@@ -114,7 +114,7 @@ struct gpio_service *dal_gpio_service_create(
return service;
failure_2:
- while (index_of_id) {
+ while (index_of_id > 0) {
--index_of_id;
kfree(service->busyness[index_of_id]);
}
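Review bot: `while (index_of_id > 0)` with `--index_of_id` inside behaves exactly as the old `while (index_of_id)` did for an unsigned counter, which already stopped at zero; the subtraction never actually wrapped. A one-line comment at failure_2 noting that the loop frees busyness[0..index_of_id-1] would tell the next reader this is a warning fix, not a behaviour change.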
--
2.43.0
* [PATCH AUTOSEL 5.4 06/22] drm/amdgpu: fix ucode out-of-bounds read warning
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Tim Huang, Alex Deucher, Sasha Levin, christian.koenig,
Xinhui.Pan, airlied, daniel, srinivasan.shanmugam, guchun.chen,
amd-gfx, dri-devel
From: Tim Huang <Tim.Huang@amd.com>
[ Upstream commit 8944acd0f9db33e17f387fdc75d33bb473d7936f ]
Clear the warning that reading ucode[] may go out of bounds.
Signed-off-by: Tim Huang <Tim.Huang@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
index 031b094607bdd..3ce4447052b9b 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
@@ -213,6 +213,9 @@ static int amdgpu_cgs_get_firmware_info(struct cgs_device *cgs_device,
struct amdgpu_firmware_info *ucode;
id = fw_type_convert(cgs_device, type);
+ if (id >= AMDGPU_UCODE_ID_MAXIMUM)
+ return -EINVAL;
+
ucode = &adev->firmware.ucode[id];
if (ucode->fw == NULL)
return -EINVAL;
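Review bot: `id >= AMDGPU_UCODE_ID_MAXIMUM` checks only the upper bound. If `id` has a signed type and fw_type_convert() reports an unrecognised `type` with a negative value, that value passes the check and indexes adev->firmware.ucode[] below it; either compare as unsigned, `(unsigned int)id >= AMDGPU_UCODE_ID_MAXIMUM`, or add `id < 0 ||`. fw_type_convert()'s failure convention isn't visible in the hunk and decides which form is right.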
--
2.43.0
* [PATCH AUTOSEL 5.4 07/22] drm/amdgpu: fix mc_data out-of-bounds read warning
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Tim Huang, Alex Deucher, Sasha Levin, christian.koenig,
Xinhui.Pan, airlied, daniel, lijo.lazar, Hawking.Zhang,
electrodeyt, amd-gfx, dri-devel
From: Tim Huang <Tim.Huang@amd.com>
[ Upstream commit 51dfc0a4d609fe700750a62f41447f01b8c9ea50 ]
Clear the warning that reading mc_data[i-1] may go out of bounds.
Signed-off-by: Tim Huang <Tim.Huang@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
index c687432da4262..89930a38b63eb 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
@@ -1626,6 +1626,8 @@ int amdgpu_atombios_init_mc_reg_table(struct amdgpu_device *adev,
(u32)le32_to_cpu(*((u32 *)reg_data + j));
j++;
} else if ((reg_table->mc_reg_address[i].pre_reg_data & LOW_NIBBLE_MASK) == DATA_EQU_PREV) {
+ if (i == 0)
+ continue;
reg_table->mc_reg_table_entry[num_ranges].mc_data[i] =
reg_table->mc_reg_table_entry[num_ranges].mc_data[i - 1];
}
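Review bot: `continue` when i == 0 silently drops the entry: mc_data[0] keeps whatever value the table entry already holds and nothing is logged. A DATA_EQU_PREV marker in the first register slot means the MC register table supplied by the VBIOS is malformed, and this parser is consuming firmware-provided data, so a DRM_ERROR()/dev_warn() and returning -EINVAL (or at least a warning) would make the bad table visible instead of programming a register with an unintended value. Also check whether `continue` skips any per-iteration bookkeeping that follows this if/else chain in the loop body, which the hunk does not show.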
--
2.43.0
* [PATCH AUTOSEL 5.4 08/22] drm/amdkfd: Reconcile the definition and use of oem_id in struct kfd_topology_device
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Michael Chen, Felix Kuehling, Alex Deucher, Sasha Levin,
Felix.Kuehling, christian.koenig, Xinhui.Pan, airlied, daniel,
amd-gfx, dri-devel
From: Michael Chen <michael.chen@amd.com>
[ Upstream commit 10f624ef239bd136cdcc5bbc626157a57b938a31 ]
Currently oem_id is defined as uint8_t[6] and cast to uint64_t*
in some use cases. This leads code scanners to complain about
access beyond its bounds. Re-define it in a union to enforce 8-byte size and
alignment to avoid potential issues.
Signed-off-by: Michael Chen <michael.chen@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_crat.h | 2 --
drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 3 +--
drivers/gpu/drm/amd/amdkfd/kfd_topology.h | 5 ++++-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.h b/drivers/gpu/drm/amd/amdkfd/kfd_crat.h
index d54ceebd346b7..30c70b3ab17f1 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.h
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.h
@@ -42,8 +42,6 @@
#define CRAT_OEMTABLEID_LENGTH 8
#define CRAT_RESERVED_LENGTH 6
-#define CRAT_OEMID_64BIT_MASK ((1ULL << (CRAT_OEMID_LENGTH * 8)) - 1)
-
/* Compute Unit flags */
#define COMPUTE_UNIT_CPU (1 << 0) /* Create Virtual CRAT for CPU */
#define COMPUTE_UNIT_GPU (1 << 1) /* Create Virtual CRAT for GPU */
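Review bot: removing CRAT_OEMID_64BIT_MASK drops the truncation to CRAT_OEMID_LENGTH (6) bytes. With the union, oem_id64 now includes the two bytes beyond oem_id[], so platform_id is only the same value as before if those bytes are zero, i.e. if kfd_topology_device is zero-allocated and nothing ever writes the trailing bytes. Either keep masking (`dev->oem_id64 & CRAT_OEMID_64BIT_MASK`) or document that invariant next to the union. The old mask was also little-endian-specific; on a big-endian host the six bytes sit in the high part of the 64-bit value, which the old code did not handle either.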
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
index a49e2ab071d68..de892ee147dea 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
@@ -883,8 +883,7 @@ static void kfd_update_system_properties(void)
dev = list_last_entry(&topology_device_list,
struct kfd_topology_device, list);
if (dev) {
- sys_props.platform_id =
- (*((uint64_t *)dev->oem_id)) & CRAT_OEMID_64BIT_MASK;
+ sys_props.platform_id = dev->oem_id64;
sys_props.platform_oem = *((uint64_t *)dev->oem_table_id);
sys_props.platform_rev = dev->oem_revision;
}
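Review bot: the line right below the change, `sys_props.platform_oem = *((uint64_t *)dev->oem_table_id);`, keeps the cast pattern this patch removes for oem_id. It is in bounds (CRAT_OEMTABLEID_LENGTH is 8) but still reads a uint64_t through a uint8_t array with 1-byte alignment, which is an unaligned access on strict-alignment architectures and an aliasing violation; the same union treatment, or get_unaligned_le64(), would make the two fields consistent.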
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.h b/drivers/gpu/drm/amd/amdkfd/kfd_topology.h
index d4718d58d0f24..7230b5b5bfe5a 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.h
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.h
@@ -172,7 +172,10 @@ struct kfd_topology_device {
struct attribute attr_gpuid;
struct attribute attr_name;
struct attribute attr_props;
- uint8_t oem_id[CRAT_OEMID_LENGTH];
+ union {
+ uint8_t oem_id[CRAT_OEMID_LENGTH];
+ uint64_t oem_id64;
+ };
uint8_t oem_table_id[CRAT_OEMTABLEID_LENGTH];
uint32_t oem_revision;
};
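Review bot: the anonymous union grows the field from 6 to 8 bytes and raises its alignment to that of uint64_t, so oem_table_id and oem_revision shift within struct kfd_topology_device. Check that nothing fills oem_id and oem_table_id with a single memcpy() from the CRAT header or otherwise assumes the old packed layout. A comment on oem_id64 stating that bytes 6 and 7 are padding that must stay zero would also record why the mask could be dropped.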
--
2.43.0
* [PATCH AUTOSEL 5.4 09/22] smack: tcp: ipv4, fix incorrect labeling
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Casey Schaufler, Konstantin Andreev, Sasha Levin, paul, jmorris,
serge, linux-security-module
From: Casey Schaufler <casey@schaufler-ca.com>
[ Upstream commit 2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550 ]
Currently, Smack mirrors the label of incoming tcp/ipv4 connections:
when a label 'foo' connects to a label 'bar' with tcp/ipv4,
'foo' always gets 'foo' in returned ipv4 packets. So,
1) returned packets are incorrectly labeled ('foo' instead of 'bar')
2) 'bar' can write to 'foo' without being authorized to write.
Here is a scenario showing how to see this:
* Take two machines, let's call them C and S,
with active Smack in the default state
(no settings, no rules, no labeled hosts, only builtin labels)
* At S, add Smack rule 'foo bar w'
(labels 'foo' and 'bar' are instantiated at S at this moment)
* At S, at label 'bar', launch a program
that listens for incoming tcp/ipv4 connections
* From C, at label 'foo', connect to the listener at S.
(label 'foo' is instantiated at C at this moment)
The connection succeeds and works.
* Send some data in both directions.
* Collect network traffic of this connection.
All packets in both directions are labeled with the CIPSO
of the label 'foo'. Hence, label 'bar' writes to 'foo' without
being authorized, and even without ever being known at C.
If anybody cares: exactly the same happens with DCCP.
This behavior first manifested in release 2.6.29.4 (see Fixes below)
and it looks unintentional. At least, no explanation was provided.
I changed the returned packets' label to 'bar',
to bring it into line with the Smack documentation's claims.
Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/smack/smack_lsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 072ce1ef6efb7..7d04b21737cf5 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4196,7 +4196,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
rcu_read_unlock();
if (hskp == NULL)
- rc = netlbl_req_setattr(req, &skp->smk_netlabel);
+ rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel);
else
netlbl_req_delattr(req);
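Review bot: `ssp` is not defined in the hunk; confirm it is the listening socket's `struct socket_smack` (sk->sk_security) earlier in smack_inet_conn_request(), and that `skp` is still used elsewhere in the function, since if this was its only consumer it is now a dead assignment. On behaviour: replies now carry the listener's outbound label (smk_out) instead of echoing the peer's, which is the correct enforcement, but it is observable: a client that accepted replies before will now need a rule permitting the server's label to write to the client's label, or the replies are rejected on the client side. The inet_conn_request hook is shared by TCP and DCCP, so the DCCP case from the commit message is covered by the same line. That is a policy-visible change for an AUTOSEL stable pick and deserves a sentence in the backport notes.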
--
2.43.0
* [PATCH AUTOSEL 5.4 10/22] wifi: cfg80211: make hash table duplicates more survivable
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Johannes Berg, Sasha Levin, johannes, davem, edumazet, kuba,
pabeni, linux-wireless, netdev
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 7f12e26a194d0043441f870708093d9c2c3bad7d ]
Jiazi Li reported that they occasionally see hash table duplicates
as evidenced by the WARN_ON() in rb_insert_bss() in this code. It
isn't clear how that happens, nor have I been able to reproduce it,
but if it does happen, the kernel crashes later, when it tries to
unhash the entry that's now not hashed.
Try to make this situation more survivable by removing the BSS from
the list(s) as well, that way it's fully leaked here (as had been
the intent in the hash insert error path), and no longer reachable
through the list(s) so it shouldn't be unhashed again later.
Link: https://lore.kernel.org/r/20231026013528.GA24122@Jiazi.Li
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Link: https://msgid.link/20240607181726.36835-2-johannes@sipsolutions.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/scan.c | 46 +++++++++++++++++++++++++++++++++------------
1 file changed, 34 insertions(+), 12 deletions(-)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index c74882e3c3096..b28e652514e80 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1003,7 +1003,7 @@ struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy,
}
EXPORT_SYMBOL(cfg80211_get_bss);
-static void rb_insert_bss(struct cfg80211_registered_device *rdev,
+static bool rb_insert_bss(struct cfg80211_registered_device *rdev,
struct cfg80211_internal_bss *bss)
{
struct rb_node **p = &rdev->bss_tree.rb_node;
@@ -1019,7 +1019,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev,
if (WARN_ON(!cmp)) {
/* will sort of leak this BSS */
- return;
+ return false;
}
if (cmp < 0)
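Review bot: the comment `/* will sort of leak this BSS */` is now incomplete on its own: the leak is completed by the callers (cfg80211_insert_bss() never links the BSS, cfg80211_rehash_bss() unlinks it). Update it to say the caller is responsible for keeping the BSS off the lists when this returns false, so nobody later "fixes" the return by adding the BSS to the list anyway.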
@@ -1030,6 +1030,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev,
rb_link_node(&bss->rbn, parent, p);
rb_insert_color(&bss->rbn, &rdev->bss_tree);
+ return true;
}
static struct cfg80211_internal_bss *
@@ -1056,6 +1057,34 @@ rb_find_bss(struct cfg80211_registered_device *rdev,
return NULL;
}
+static void cfg80211_insert_bss(struct cfg80211_registered_device *rdev,
+ struct cfg80211_internal_bss *bss)
+{
+ lockdep_assert_held(&rdev->bss_lock);
+
+ if (!rb_insert_bss(rdev, bss))
+ return;
+ list_add_tail(&bss->list, &rdev->bss_list);
+ rdev->bss_entries++;
+}
+
+static void cfg80211_rehash_bss(struct cfg80211_registered_device *rdev,
+ struct cfg80211_internal_bss *bss)
+{
+ lockdep_assert_held(&rdev->bss_lock);
+
+ rb_erase(&bss->rbn, &rdev->bss_tree);
+ if (!rb_insert_bss(rdev, bss)) {
+ list_del(&bss->list);
+ if (!list_empty(&bss->hidden_list))
+ list_del_init(&bss->hidden_list);
+ if (!list_empty(&bss->pub.nontrans_list))
+ list_del_init(&bss->pub.nontrans_list);
+ rdev->bss_entries--;
+ }
+ rdev->bss_generation++;
+}
+
static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev,
struct cfg80211_internal_bss *new)
{
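Review bot: in cfg80211_rehash_bss() the failure path uses `list_del(&bss->list)` while the other two lists get list_del_init(). The object stays alive and referenced by the caller, so its `list` node is left poisoned; if any later path does list_empty() or another list_del() on it, that is a poison dereference. list_del_init() here costs nothing and makes the leaked BSS inert. Also confirm the dual role of the other two heads: hidden_list and pub.nontrans_list are membership nodes for a hidden or nontransmitted BSS but list heads for the BSS that owns them, and list_del_init() on an owner detaches all its members rather than removing one entry.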
@@ -1331,9 +1360,7 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
bss_ref_get(rdev, pbss);
}
- list_add_tail(&new->list, &rdev->bss_list);
- rdev->bss_entries++;
- rb_insert_bss(rdev, new);
+ cfg80211_insert_bss(rdev, new);
found = new;
}
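Review bot: `found = new;` is still assigned when cfg80211_insert_bss() failed to link the BSS, so the caller hands out a BSS that sits in neither the tree nor bss_list and is not counted in bss_entries. That matches the intended leak, but the contract (the reference the caller holds is the only thing keeping it alive, and nothing will ever expire it) is worth a one-line comment at this call site.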
@@ -2142,10 +2169,7 @@ void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev,
if (!WARN_ON(!__cfg80211_unlink_bss(rdev, new)))
rdev->bss_generation++;
}
-
- rb_erase(&cbss->rbn, &rdev->bss_tree);
- rb_insert_bss(rdev, cbss);
- rdev->bss_generation++;
+ cfg80211_rehash_bss(rdev, cbss);
list_for_each_entry_safe(nontrans_bss, tmp,
&cbss->pub.nontrans_list,
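Review bot: for cbss, the transmitting BSS, pub.nontrans_list is the head of its nontransmitted BSSes, not a membership node. If the rehash fails, cfg80211_rehash_bss() runs list_del_init() on that head, which detaches the children, and the `list_for_each_entry_safe` loop right below then sees an empty list and skips rehashing them on the new channel. Confirm that outcome is acceptable, or skip the nontrans_list unlink for a BSS that is the transmitter.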
@@ -2153,9 +2177,7 @@ void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev,
bss = container_of(nontrans_bss,
struct cfg80211_internal_bss, pub);
bss->pub.channel = chan;
- rb_erase(&bss->rbn, &rdev->bss_tree);
- rb_insert_bss(rdev, bss);
- rdev->bss_generation++;
+ cfg80211_rehash_bss(rdev, bss);
}
done:
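Review bot: the rehash inside `list_for_each_entry_safe(nontrans_bss, tmp, &cbss->pub.nontrans_list, ...)` may remove the current entry from that very list on failure (`list_del_init(&bss->pub.nontrans_list)`); that is only safe because the _safe iterator captures tmp before the body runs. A comment saying so would stop a later cleanup from switching to list_for_each_entry().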
--
2.43.0
* [PATCH AUTOSEL 5.4 11/22] drm/amd/display: Skip wbscl_set_scaler_filter if filter is null
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Alex Hung, Harry Wentland, Hamza Mahfooz, Alex Deucher,
Sasha Levin, sunpeng.li, Rodrigo.Siqueira, christian.koenig,
Xinhui.Pan, airlied, daniel, amd-gfx, dri-devel
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit c4d31653c03b90e51515b1380115d1aedad925dd ]
Callers can pass null in filter (i.e. the value returned from the function
wbscl_get_filter_coeffs_16p), and a null check is added to ensure that is
not the case.
This fixes 4 NULL_RETURNS issues reported by Coverity.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Acked-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c
index cd8bc92ce3ba9..4058a4fd6b224 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c
@@ -690,6 +690,9 @@ static void wbscl_set_scaler_filter(
int pair;
uint16_t odd_coef, even_coef;
+ if (!filter)
+ return;
+
for (phase = 0; phase < (NUM_PHASES / 2 + 1); phase++) {
for (pair = 0; pair < tap_pairs; pair++) {
even_coef = filter[phase * taps + 2 * pair];
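Review bot: returning silently when filter is NULL leaves the scaler coefficient registers at whatever they held, and the caller never learns that nothing was programmed. Since a NULL from wbscl_get_filter_coeffs_16p() means no coefficient table is available for the request, an ASSERT() or a DC log line, or a bool return the caller checks, would surface the misconfiguration instead of producing an incorrectly scaled writeback with no diagnostic.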
--
2.43.0
* [PATCH AUTOSEL 5.4 12/22] ELF: fix kernel.randomize_va_space double read
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Alexey Dobriyan, Kees Cook, Sasha Levin, viro, brauner,
linux-fsdevel, linux-mm
From: Alexey Dobriyan <adobriyan@gmail.com>
[ Upstream commit 2a97388a807b6ab5538aa8f8537b2463c6988bd2 ]
The ELF loader uses "randomize_va_space" twice. It is a sysctl and can change
at any moment, so the 2 loads could in theory see 2 different values, with
unpredictable consequences.
Issue exactly one load for a consistent value across one exec.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Link: https://lore.kernel.org/r/3329905c-7eb8-400a-8f0a-d87cff979b5b@p183
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/binfmt_elf.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 72cd871544ac0..33c323a2ccb19 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -854,7 +854,8 @@ static int load_elf_binary(struct linux_binprm *bprm)
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
+ const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);
+ if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space)
current->flags |= PF_RANDOMIZE;
setup_new_exec(bprm);
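Review bot: `const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);` is a declaration after a statement (the `if` just above it). The 5.4 build still passes -Wdeclaration-after-statement, so this backport will warn; move the declaration up with the other locals at the top of load_elf_binary() and keep READ_ONCE() as the initialiser. READ_ONCE() itself is available in 5.4, so nothing else in the hunk needs adjusting.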
@@ -1106,7 +1107,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
current->mm->end_data = end_data;
current->mm->start_stack = bprm->p;
- if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {
+ if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) {
/*
* For architectures with ELF randomization, when executing
* a loader directly (i.e. no interpreter listed in ELF
--
2.43.0
* [PATCH AUTOSEL 5.4 13/22] udf: Avoid excessive partition lengths
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable; +Cc: Jan Kara, Sasha Levin, jack
From: Jan Kara <jack@suse.cz>
[ Upstream commit ebbe26fd54a9621994bc16b14f2ba8f84c089693 ]
Avoid mounting filesystems where the partition would overflow the
32-bits used for block number. Also refuse to mount filesystems where
the partition length is so large we cannot safely index bits in a
block bitmap.
Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/udf/super.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/fs/udf/super.c b/fs/udf/super.c
index 0f8b3cb355852..2d3eabf955c55 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1082,12 +1082,19 @@ static int udf_fill_partdesc_info(struct super_block *sb,
struct udf_part_map *map;
struct udf_sb_info *sbi = UDF_SB(sb);
struct partitionHeaderDesc *phd;
+ u32 sum;
int err;
map = &sbi->s_partmaps[p_index];
map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */
map->s_partition_root = le32_to_cpu(p->partitionStartingLocation);
+ if (check_add_overflow(map->s_partition_root, map->s_partition_len,
+ &sum)) {
+ udf_err(sb, "Partition %d has invalid location %u + %u\n",
+ p_index, map->s_partition_root, map->s_partition_len);
+ return -EFSCORRUPTED;
+ }
if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY))
map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY;
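Review bot: the check sits right where the two on-disk fields are read, before anything uses them, which is the right place for untrusted metadata, and rejecting the u32 wrap keeps every block of the partition addressable. Two things to confirm for the 5.4 tree: EFSCORRUPTED must be defined for udf (upstream carries `#define EFSCORRUPTED EUCLEAN` in fs/udf/udfdecl.h) and check_add_overflow() must be available from <linux/overflow.h>; if either is missing here, the backport does not build.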
@@ -1143,6 +1150,14 @@ static int udf_fill_partdesc_info(struct super_block *sb,
bitmap->s_extPosition = le32_to_cpu(
phd->unallocSpaceBitmap.extPosition);
map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP;
+ /* Check whether math over bitmap won't overflow. */
+ if (check_add_overflow(map->s_partition_len,
+ sizeof(struct spaceBitmapDesc) << 3,
+ &sum)) {
+ udf_err(sb, "Partition %d is too long (%u)\n", p_index,
+ map->s_partition_len);
+ return -EFSCORRUPTED;
+ }
udf_debug("unallocSpaceBitmap (part %d) @ %u\n",
p_index, bitmap->s_extPosition);
}
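Review bot: the operand types differ: map->s_partition_len is u32 while `sizeof(struct spaceBitmapDesc) << 3` is size_t. Upstream's check_add_overflow() accepts mixed types, but the 5.4 version of <linux/overflow.h> enforces identical operand types through a `(void)(&__a == &__b)` pointer comparison, so this backport should emit a "comparison of distinct pointer types" warning here (the non-builtin fallback has the same constraint). Casting the second operand, `(u32)(sizeof(struct spaceBitmapDesc) << 3)`, is lossless since the descriptor is a small fixed-size header, and matches the u32 `sum`.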
--
2.43.0
* [PATCH AUTOSEL 5.4 14/22] usb: uas: set host status byte on data completion error
From: Sasha Levin @ 2024-08-01 0:38 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Shantanu Goel, Oliver Neukum, Greg Kroah-Hartman, Sasha Levin,
stern, linux-usb, linux-scsi, usb-storage
From: Shantanu Goel <sgoel01@yahoo.com>
[ Upstream commit 9d32685a251a754f1823d287df233716aa23bcb9 ]
Set the host status byte when a data completion error is encountered,
otherwise the upper layer may end up using the invalid zeroed data.
The following output was observed from scsi/sd.c prior to this fix.
[ 11.872824] sd 0:0:0:1: [sdf] tag#9 data cmplt err -75 uas-tag 1 inflight:
[ 11.872826] sd 0:0:0:1: [sdf] tag#9 CDB: Read capacity(16) 9e 10 00 00 00 00 00 00 00 00 00 00 00 20 00 00
[ 11.872830] sd 0:0:0:1: [sdf] Sector size 0 reported, assuming 512.
Signed-off-by: Shantanu Goel <sgoel01@yahoo.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/87msnx4ec6.fsf@yahoo.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/storage/uas.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
index 678903d1ce4da..7493b4d9d1f58 100644
--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -424,6 +424,7 @@ static void uas_data_cmplt(struct urb *urb)
uas_log_cmd_state(cmnd, "data cmplt err", status);
/* error: no data transfered */
scsi_set_resid(cmnd, sdb->length);
+ set_host_byte(cmnd, DID_ERROR);
} else {
scsi_set_resid(cmnd, sdb->length - urb->actual_length);
}
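Review bot: set_host_byte(cmnd, DID_ERROR) is applied here at data-URB completion, but the command's final result is assembled when the status IU arrives, and that path is outside the hunk. If the status handler assigns cmnd->result outright instead of OR-ing into it, the DID_ERROR set here is lost whenever the status IU completes after the data URB; verify that ordering before relying on the fix. Also consider whether DID_ERROR is the intended host byte if unlink statuses (-ENOENT/-ECONNRESET) during abort reach this branch, where the command is being discarded anyway.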
--
2.43.0
* [PATCH AUTOSEL 5.4 15/22] cgroup: Protect css->cgroup write under css_set_lock
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Waiman Long, Tejun Heo, Sasha Levin, lizefan.x, hannes, mkoutny,
cgroups
From: Waiman Long <longman@redhat.com>
[ Upstream commit 57b56d16800e8961278ecff0dc755d46c4575092 ]
The writing of css->cgroup associated with the cgroup root in
rebind_subsystems() is currently protected only by cgroup_mutex.
However, the reading of css->cgroup in both proc_cpuset_show() and
proc_cgroup_show() is protected just by css_set_lock. That makes the
readers susceptible to racing problems like data tearing or caching.
It is also a problem that can be reported by KCSAN.
This can be fixed by using READ_ONCE() and WRITE_ONCE() to access
css->cgroup. Alternatively, the writing of css->cgroup can be moved
under css_set_lock as well which is done by this patch.
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/cgroup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 62a7a50750149..16ae868941211 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -1783,9 +1783,9 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
RCU_INIT_POINTER(scgrp->subsys[ssid], NULL);
rcu_assign_pointer(dcgrp->subsys[ssid], css);
ss->root = dst_root;
- css->cgroup = dcgrp;
spin_lock_irq(&css_set_lock);
+ css->cgroup = dcgrp;
WARN_ON(!list_empty(&dcgrp->e_csets[ss->id]));
list_for_each_entry_safe(cset, cset_pos, &scgrp->e_csets[ss->id],
e_cset_node[ss->id]) {
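Review bot: `ss->root = dst_root;` two lines above the lock is still written outside css_set_lock. If any reader takes css_set_lock expecting it to stabilise ss->root as well, it has the same tearing exposure this patch removes for css->cgroup, so either confirm that ss->root is only read under cgroup_mutex or move that store under the lock together with css->cgroup.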
--
2.43.0
* [PATCH AUTOSEL 5.4 16/22] um: line: always fill *error_out in setup_one_line()
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Johannes Berg, Anton Ivanov, Sasha Levin, richard, johannes,
jirislaby, gregkh, benjamin, roberto.sassu, linux-um
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 824ac4a5edd3f7494ab1996826c4f47f8ef0f63d ]
The pointer isn't initialized by callers, but I have
encountered cases where it's still printed; initialize
it in all possible cases in setup_one_line().
Link: https://patch.msgid.link/20240703172235.ad863568b55f.Iaa1eba4db8265d7715ba71d5f6bb8c7ff63d27e9@changeid
Acked-By: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/um/drivers/line.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c
index d6a78c3548a55..de0ab2e455b03 100644
--- a/arch/um/drivers/line.c
+++ b/arch/um/drivers/line.c
@@ -383,6 +383,7 @@ int setup_one_line(struct line *lines, int n, char *init,
parse_chan_pair(NULL, line, n, opts, error_out);
err = 0;
}
+ *error_out = "configured as 'none'";
} else {
char *new = kstrdup(init, GFP_KERNEL);
if (!new) {
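Review bot: the new `*error_out = "configured as 'none'";` follows parse_chan_pair(NULL, line, n, opts, error_out), which receives error_out itself and may have stored a more specific message; assigning unconditionally afterwards overwrites it. Setting the default before the call (or once at function entry) keeps the specific reason when one exists. The string is now also set on the success path, which matches the commit message (callers print it regardless of err), but a one-line comment saying so would stop a later reader from treating a non-NULL *error_out as a failure indicator.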
@@ -406,6 +407,7 @@ int setup_one_line(struct line *lines, int n, char *init,
}
}
if (err) {
+ *error_out = "failed to parse channel pair";
line->init_str = NULL;
line->valid = 0;
kfree(new);
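Review bot: this `if (err)` block is shared by every failure inside the else branch, including paths whose code sits inside the braces just above the hunk and may already have set *error_out to a specific reason; writing "failed to parse channel pair" here replaces that with text that does not describe the failure. Assigning a generic default at the top of setup_one_line() and letting each failure site override it would avoid the misleading message while still guaranteeing the pointer is always filled.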
--
2.43.0
* [PATCH AUTOSEL 5.4 17/22] devres: Initialize an uninitialized struct member
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable; +Cc: Zijun Hu, Greg Kroah-Hartman, Sasha Levin
From: Zijun Hu <quic_zijuhu@quicinc.com>
[ Upstream commit 56a20ad349b5c51909cf8810f7c79b288864ad33 ]
Initialize an uninitialized struct member for driver API
devres_open_group().
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/1719931914-19035-4-git-send-email-quic_zijuhu@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/devres.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/base/devres.c b/drivers/base/devres.c
index 0bbb328bd17f8..4a16c2ea2303b 100644
--- a/drivers/base/devres.c
+++ b/drivers/base/devres.c
@@ -561,6 +561,7 @@ void * devres_open_group(struct device *dev, void *id, gfp_t gfp)
grp->id = grp;
if (id)
grp->id = id;
+ grp->color = 0;
spin_lock_irqsave(&dev->devres_lock, flags);
add_dr(dev, &grp->node[0]);
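Review bot: zeroing grp->color as one more field-by-field store is fragile: grp->id and node[] are also initialised one member at a time, so any member added to the group struct later inherits the same uninitialised-memory problem. If the allocation above this hunk is kmalloc(), switching it to kzalloc() (or using a designated initialiser for the whole group) covers color and future members in one place. The commit message should also name which consumer reads color before it is first set, since that is the user-visible effect being fixed.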
--
2.43.0
* [PATCH AUTOSEL 5.4 18/22] pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Krishna Kumar, Timothy Pearson, Bjorn Helgaas, Shawn Anastasio,
Michael Ellerman, Sasha Levin, linuxppc-dev, linux-pci
From: Krishna Kumar <krishnak@linux.ibm.com>
[ Upstream commit 335e35b748527f0c06ded9eebb65387f60647fda ]
The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel
crash when we try to hot-unplug/disable the PCIe switch/bridge from
the PHB.
The crash occurs because, although the MSI data structure has been
released during the disable/hot-unplug path and set to NULL, during
unregistration the code was still trying to explicitly disable the MSI,
which causes the NULL pointer dereference and kernel crash.
The patch fixes the check during unregistration path to prevent invoking
pci_disable_msi/msix() since its data structure is already freed.
Reported-by: Timothy Pearson <tpearson@raptorengineering.com>
Closes: https://lore.kernel.org/all/1981605666.2142272.1703742465927.JavaMail.zimbra@raptorengineeringinc.com/
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Shawn Anastasio <sanastasio@raptorengineering.com>
Signed-off-by: Krishna Kumar <krishnak@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240701074513.94873-2-krishnak@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/hotplug/pnv_php.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
index d7b2b47bc33eb..3824942618305 100644
--- a/drivers/pci/hotplug/pnv_php.c
+++ b/drivers/pci/hotplug/pnv_php.c
@@ -35,7 +35,6 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
bool disable_device)
{
struct pci_dev *pdev = php_slot->pdev;
- int irq = php_slot->irq;
u16 ctrl;
if (php_slot->irq > 0) {
@@ -54,7 +53,7 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
php_slot->wq = NULL;
}
- if (disable_device || irq > 0) {
+ if (disable_device) {
if (pdev->msix_enabled)
pci_disable_msix(pdev);
else if (pdev->msi_enabled)
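Review bot: dropping `irq > 0` from the condition means pci_disable_msi()/pci_disable_msix() now run only when the caller passes disable_device; the `if (php_slot->irq > 0)` block above (visible at the top of the first hunk) is where the IRQ side is torn down, and the saved local irq was the only thing that still triggered the disable call on the already-freed MSI state. Check every caller of pnv_php_disable_irq() that previously relied on the irq path and now passes disable_device = false, so MSI is not left enabled on a slot that is only being unregistered while its device stays powered.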
--
2.43.0
* [PATCH AUTOSEL 5.4 19/22] hwmon: (lm95234) Fix underflows seen when writing limit attributes
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable; +Cc: Guenter Roeck, Sasha Levin, jdelvare, linux-hwmon
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit af64e3e1537896337405f880c1e9ac1f8c0c6198 ]
DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
negative number such as -9223372036854775808 is provided by the user.
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/lm95234.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/hwmon/lm95234.c b/drivers/hwmon/lm95234.c
index 8a2a2a4904969..c49aaf0d710fa 100644
--- a/drivers/hwmon/lm95234.c
+++ b/drivers/hwmon/lm95234.c
@@ -301,7 +301,8 @@ static ssize_t tcrit2_store(struct device *dev, struct device_attribute *attr,
if (ret < 0)
return ret;
- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, index ? 255 : 127);
+ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, (index ? 255 : 127) * 1000),
+ 1000);
mutex_lock(&data->update_lock);
data->tcrit2[index] = val;
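Review bot: the reordering is right, but the clamp bounds are now the register range scaled by the divisor and the two must stay in step: with val clamped to [0, (index ? 255 : 127) * 1000], DIV_ROUND_CLOSEST(..., 1000) yields at most 255 or 127, and because the bound is an exact multiple of 1000 the rounding cannot push the result past the register maximum. A short comment on that relationship would help whoever next changes the range. Since kstrtol() also accepts LONG_MAX, the old order wrapped on the positive side as well as underflowing on the negative side (a huge positive input clamped to 0), which the commit message could mention.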
@@ -350,7 +351,7 @@ static ssize_t tcrit1_store(struct device *dev, struct device_attribute *attr,
if (ret < 0)
return ret;
- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 255);
+ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 255000), 1000);
mutex_lock(&data->update_lock);
data->tcrit1[index] = val;
@@ -391,7 +392,7 @@ static ssize_t tcrit1_hyst_store(struct device *dev,
if (ret < 0)
return ret;
- val = DIV_ROUND_CLOSEST(val, 1000);
+ val = DIV_ROUND_CLOSEST(clamp_val(val, -255000, 255000), 1000);
val = clamp_val((int)data->tcrit1[index] - val, 0, 31);
mutex_lock(&data->update_lock);
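Review bot: the ±255000 bounds on this hyst write are wider than the 0..31 range of the clamp_val() that follows; after division val lies in [-255, 255], so (int)data->tcrit1[index] - val fits in int and the second clamp does the real range enforcement. That is correct, but a comment saying that the first clamp exists only to keep DIV_ROUND_CLOSEST() from wrapping, and that 255000 was chosen because tcrit1 is an 8-bit value, would make the two-stage clamp self-explanatory.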
@@ -431,7 +432,7 @@ static ssize_t offset_store(struct device *dev, struct device_attribute *attr,
return ret;
/* Accuracy is 1/2 degrees C */
- val = clamp_val(DIV_ROUND_CLOSEST(val, 500), -128, 127);
+ val = DIV_ROUND_CLOSEST(clamp_val(val, -64000, 63500), 500);
mutex_lock(&data->update_lock);
data->toffset[index] = val;
--
2.43.0
* [PATCH AUTOSEL 5.4 20/22] hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable; +Cc: Guenter Roeck, Sasha Levin, jdelvare, linux-hwmon
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 5c1de37969b7bc0abcb20b86e91e70caebbd4f89 ]
DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
negative number such as -9223372036854775808 is provided by the user.
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/w83627ehf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c
index eb171d15ac489..e4e5bb9115584 100644
--- a/drivers/hwmon/w83627ehf.c
+++ b/drivers/hwmon/w83627ehf.c
@@ -1506,7 +1506,7 @@ store_target_temp(struct device *dev, struct device_attribute *attr,
if (err < 0)
return err;
- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 127);
+ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 127000), 1000);
mutex_lock(&data->update_lock);
data->target_temp[nr] = val;
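Review bot: this diff covers store_target_temp() and store_tolerance() only; the unsafe pattern is kstrtol() followed by DIV_ROUND_CLOSEST() before clamp_val(), so the other *_store handlers in this driver that parse a signed value should be audited for the same ordering before the backport is considered complete. As in the lm95234 change, 127000 and 15000 are exact multiples of the divisor, so rounding cannot exceed the register maximum.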
@@ -1532,7 +1532,7 @@ store_tolerance(struct device *dev, struct device_attribute *attr,
return err;
/* Limit the temp to 0C - 15C */
- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 15);
+ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 15000), 1000);
mutex_lock(&data->update_lock);
if (sio_data->kind == nct6775 || sio_data->kind == nct6776) {
--
2.43.0
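The underflow described in the two hwmon commit messages above (lm95234 and w83627ehf), as an added userspace example that is not part of either patch or of the kernel tree. It reimplements what the kernel's DIV_ROUND_CLOSEST() computes for a signed long dividend, and what clamp_val() does, as plain C functions with hypothetical names (div_round_closest_long() and clamp_long()); the kernel is built with -fno-strict-overflow, so the adjustment step in the real macro effectively wraps in two's complement, and that wrap is modelled here with unsigned arithmetic so the example itself has no undefined behaviour. It then evaluates the old and the fixed operand order for the tcrit1 and offset attributes with the register ranges the patches use, and goes beyond the commit message by showing that LONG_MAX triggers the mirror-image overflow in the old order.

```c
/*
 * Added example, not from the patches above: why clamp_val() must run
 * before DIV_ROUND_CLOSEST() when the value comes from kstrtol().
 *
 * div_round_closest_long() reproduces what the kernel's DIV_ROUND_CLOSEST()
 * computes for a signed long dividend: it adds (or, for a negative dividend
 * with a positive divisor, subtracts) divisor/2 before dividing so that ties
 * round away from zero. With the kernel's -fno-strict-overflow that
 * adjustment wraps in two's complement; the wrap is modelled with unsigned
 * arithmetic here so this example has no undefined behaviour of its own.
 */
#include <limits.h>
#include <stdio.h>

static long div_round_closest_long(long x, long d)
{
	unsigned long ux = (unsigned long)x;
	unsigned long half = (unsigned long)(d / 2);
	long adjusted;

	if ((x > 0) == (d > 0))
		adjusted = (long)(ux + half);	/* same sign: move away from zero */
	else
		adjusted = (long)(ux - half);	/* opposite sign: also away from zero */
	return adjusted / d;			/* C division truncates toward zero */
}

/* Equivalent of the kernel's clamp_val() for a long. */
static long clamp_long(long v, long lo, long hi)
{
	return v < lo ? lo : (v > hi ? hi : v);
}

/*
 * tcrit1 is an 8-bit register in degrees C written from a millidegree value;
 * the offset register is in half degrees with range -128..127. The bounds
 * are the ones the patches use.
 */
static long tcrit1_old(long val)	/* operand order before the fix */
{
	return clamp_long(div_round_closest_long(val, 1000), 0, 255);
}

static long tcrit1_new(long val)	/* operand order after the fix */
{
	return div_round_closest_long(clamp_long(val, 0, 255000), 1000);
}

static long offset_old(long val)
{
	return clamp_long(div_round_closest_long(val, 500), -128, 127);
}

static long offset_new(long val)
{
	return div_round_closest_long(clamp_long(val, -64000, 63500), 500);
}

int main(void)
{
	/* Constructed inputs: the LONG_MIN case from the commit message, its
	 * LONG_MAX mirror image, and two ordinary values to show rounding. */
	const long inputs[] = { LONG_MIN, LONG_MAX, 23500, -1250 };
	size_t i;

	printf("%22s %11s %11s %11s %11s\n",
	       "input", "tcrit1_old", "tcrit1_new", "offset_old", "offset_new");
	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
		printf("%22ld %11ld %11ld %11ld %11ld\n", inputs[i],
		       tcrit1_old(inputs[i]), tcrit1_new(inputs[i]),
		       offset_old(inputs[i]), offset_new(inputs[i]));
	return 0;
}
```

With the old order, LONG_MIN ends up as the register maximum (255 for tcrit1, 127 for offset) and LONG_MAX as the register minimum, because the wrapped intermediate lands on the opposite side of the range before clamp_val() ever sees it; with the fixed order both saturate to the correct end of the range and ordinary values round as intended.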
* [PATCH AUTOSEL 5.4 21/22] libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Andreas Ziegler, Daniel Borkmann, Sasha Levin, andrii, eddyz87,
ast, bpf
From: Andreas Ziegler <ziegler.andreas@siemens.com>
[ Upstream commit cedc12c5b57f7efa6dbebfb2b140e8675f5a2616 ]
In the current state, an erroneous call to
bpf_object__find_map_by_name(NULL, ...) leads to a segmentation
fault through the following call chain:
bpf_object__find_map_by_name(obj = NULL, ...)
-> bpf_object__for_each_map(pos, obj = NULL)
-> bpf_object__next_map((obj = NULL), NULL)
-> return (obj = NULL)->maps
While calling bpf_object__find_map_by_name with obj = NULL is
obviously incorrect, this should not lead to a segmentation
fault but rather be handled gracefully.
As __bpf_map__iter already handles this situation correctly, we
can delegate the check for the regular case there and only add
a check in case the prev or next parameter is NULL.
Signed-off-by: Andreas Ziegler <ziegler.andreas@siemens.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20240703083436.505124-1-ziegler.andreas@siemens.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/libbpf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index b8849812449c3..98e34c5172673 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -4754,7 +4754,7 @@ __bpf_map__iter(const struct bpf_map *m, const struct bpf_object *obj, int i)
struct bpf_map *
bpf_map__next(const struct bpf_map *prev, const struct bpf_object *obj)
{
- if (prev == NULL)
+ if (prev == NULL && obj != NULL)
return obj->maps;
return __bpf_map__iter(prev, obj, 1);
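Review bot: with obj == NULL the new condition falls through to __bpf_map__iter(prev, NULL, 1), and the commit message says that function already returns NULL for a NULL object; that reliance is implicit in the hunk. An explicit `if (!obj) return NULL;` at the top of bpf_map__next() (and of bpf_map__prev() in the next hunk) would make the contract visible rather than depend on __bpf_map__iter() keeping that behaviour. Note also that the 5.4 tree names these functions bpf_map__next()/bpf_map__prev(), not bpf_object__next_map()/bpf_object__prev_map() as in the subject, so the stable subject line should reflect the names actually patched.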
@@ -4763,7 +4763,7 @@ bpf_map__next(const struct bpf_map *prev, const struct bpf_object *obj)
struct bpf_map *
bpf_map__prev(const struct bpf_map *next, const struct bpf_object *obj)
{
- if (next == NULL) {
+ if (next == NULL && obj != NULL) {
if (!obj->nr_maps)
return NULL;
return obj->maps + obj->nr_maps - 1;
--
2.43.0
* [PATCH AUTOSEL 5.4 22/22] wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
From: Sasha Levin @ 2024-08-01 0:38 UTC
To: linux-kernel, stable
Cc: Sascha Hauer, Brian Norris, Francesco Dolcini, Kalle Valo,
Sasha Levin, dmantipov, linus.walleij, linux-wireless
From: Sascha Hauer <s.hauer@pengutronix.de>
[ Upstream commit c145eea2f75ff7949392aebecf7ef0a81c1f6c14 ]
mwifiex_get_priv_by_id() returns the priv pointer corresponding to
the bss_num and bss_type, but without checking if the priv is actually
currently in use.
Unused priv pointers do not have a wiphy attached to them, which can
lead to NULL pointer dereferences further down the call stack. Fix
this by returning only used priv pointers, which have priv->bss_mode
set to something other than NL80211_IFTYPE_UNSPECIFIED.
Said NULL pointer dereference happened when an access point was started
with wpa_supplicant -i mlan0 with this config:
network={
ssid="somessid"
mode=2
frequency=2412
key_mgmt=WPA-PSK WPA-PSK-SHA256
proto=RSN
group=CCMP
pairwise=CCMP
psk="12345678"
}
When waiting for the AP to be established, interrupting wpa_supplicant
with <ctrl-c>, and starting it again, this happens:
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140
| Mem abort info:
| ESR = 0x0000000096000004
| EC = 0x25: DABT (current EL), IL = 32 bits
| SET = 0, FnV = 0
| EA = 0, S1PTW = 0
| FSC = 0x04: level 0 translation fault
| Data abort info:
| ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
| CM = 0, WnR = 0, TnD = 0, TagAccess = 0
| GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000
| [0000000000000140] pgd=0000000000000000, p4d=0000000000000000
| Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
| Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio
+mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs
+imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6
| CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18
| Hardware name: somemachine (DT)
| Workqueue: events sdio_irq_work
| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex]
| lr : mwifiex_get_cfp+0x34/0x15c [mwifiex]
| sp : ffff8000818b3a70
| x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004
| x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9
| x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000
| x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000
| x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517
| x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1
| x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157
| x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124
| x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000
| x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000
| Call trace:
| mwifiex_get_cfp+0xd8/0x15c [mwifiex]
| mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex]
| mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex]
| mwifiex_process_sta_event+0x298/0xf0c [mwifiex]
| mwifiex_process_event+0x110/0x238 [mwifiex]
| mwifiex_main_process+0x428/0xa44 [mwifiex]
| mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio]
| process_sdio_pending_irqs+0x64/0x1b8
| sdio_irq_work+0x4c/0x7c
| process_one_work+0x148/0x2a0
| worker_thread+0x2fc/0x40c
| kthread+0x110/0x114
| ret_from_fork+0x10/0x20
| Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000)
| ---[ end trace 0000000000000000 ]---
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Acked-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/20240703072409.556618-1-s.hauer@pengutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/main.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/main.h b/drivers/net/wireless/marvell/mwifiex/main.h
index fa5634af40f7c..2e7f31bf38002 100644
--- a/drivers/net/wireless/marvell/mwifiex/main.h
+++ b/drivers/net/wireless/marvell/mwifiex/main.h
@@ -1307,6 +1307,9 @@ mwifiex_get_priv_by_id(struct mwifiex_adapter *adapter,
for (i = 0; i < adapter->priv_num; i++) {
if (adapter->priv[i]) {
+ if (adapter->priv[i]->bss_mode == NL80211_IFTYPE_UNSPECIFIED)
+ continue;
+
if ((adapter->priv[i]->bss_num == bss_num) &&
(adapter->priv[i]->bss_type == bss_type))
break;
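Review bot: the new bss_mode test is a behaviour change, not only a NULL guard: any caller that looks up a priv by bss_num/bss_type before its bss_mode has been set (for example while an interface is still being created and bss_mode may legitimately be NL80211_IFTYPE_UNSPECIFIED) now gets a miss where it previously got the pointer. Verify that the lookup callers (the ext-scan event path in the trace is one) tolerate that, and check what the function returns when the loop runs to completion without a match, since that tail is outside the hunk. Stylistically the check could be folded into the existing match condition instead of a separate continue.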
--
2.43.0