<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/accel, branch linux-6.4.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>accel/qaic: Clean up integer overflow checking in map_user_pages()</title>
<updated>2023-08-23T15:32:45+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@linaro.org</email>
</author>
<published>2023-08-10T12:23:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3'/>
<id>d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3</id>
<content type='text'>
[ Upstream commit 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c ]

The encode_dma() function has some validation on in_trans-&gt;size but it
would be more clear to move those checks to find_and_map_user_pages().

The encode_dma() had two checks:

	if (in_trans-&gt;addr + in_trans-&gt;size &lt; in_trans-&gt;addr || !in_trans-&gt;size)
		return -EINVAL;

The in_trans-&gt;addr variable is the starting address.  The in_trans-&gt;size
variable is the total size of the transfer.  The transfer can occur in
parts and the resources-&gt;xferred_dma_size tracks how many bytes we have
already transferred.

This patch introduces a new variable "remaining" which represents the
amount we want to transfer (in_trans-&gt;size) minus the amount we have
already transferred (resources-&gt;xferred_dma_size).

I have modified the check for if in_trans-&gt;size is zero to instead check
if in_trans-&gt;size is less than resources-&gt;xferred_dma_size.  If we have
already transferred more bytes than in_trans-&gt;size then there are negative
bytes remaining which doesn't make sense.  If there are zero bytes
remaining to be copied, just return success.

The check in encode_dma() checked that "addr + size" could not overflow
and barring a driver bug that should work, but it's easier to check if
we do this in parts.  First check that "in_trans-&gt;addr +
resources-&gt;xferred_dma_size" is safe.  Then check that "xfer_start_addr +
remaining" is safe.

My final concern was that we are dealing with u64 values but on 32bit
systems the kmalloc() function will truncate the sizes to 32 bits.  So
I calculated "total = in_trans-&gt;size + offset_in_page(xfer_start_addr);"
and returned -EINVAL if it were &gt;= SIZE_MAX.  This will not affect 64bit
systems.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/24d3348b-25ac-4c1b-b171-9dae7c43e4e0@moroto.mountain
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c ]

The encode_dma() function has some validation on in_trans-&gt;size but it
would be more clear to move those checks to find_and_map_user_pages().

The encode_dma() had two checks:

	if (in_trans-&gt;addr + in_trans-&gt;size &lt; in_trans-&gt;addr || !in_trans-&gt;size)
		return -EINVAL;

The in_trans-&gt;addr variable is the starting address.  The in_trans-&gt;size
variable is the total size of the transfer.  The transfer can occur in
parts and the resources-&gt;xferred_dma_size tracks how many bytes we have
already transferred.

This patch introduces a new variable "remaining" which represents the
amount we want to transfer (in_trans-&gt;size) minus the amount we have
already transferred (resources-&gt;xferred_dma_size).

I have modified the check for if in_trans-&gt;size is zero to instead check
if in_trans-&gt;size is less than resources-&gt;xferred_dma_size.  If we have
already transferred more bytes than in_trans-&gt;size then there are negative
bytes remaining which doesn't make sense.  If there are zero bytes
remaining to be copied, just return success.

The check in encode_dma() checked that "addr + size" could not overflow
and barring a driver bug that should work, but it's easier to check if
we do this in parts.  First check that "in_trans-&gt;addr +
resources-&gt;xferred_dma_size" is safe.  Then check that "xfer_start_addr +
remaining" is safe.

My final concern was that we are dealing with u64 values but on 32bit
systems the kmalloc() function will truncate the sizes to 32 bits.  So
I calculated "total = in_trans-&gt;size + offset_in_page(xfer_start_addr);"
and returned -EINVAL if it were &gt;= SIZE_MAX.  This will not affect 64bit
systems.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/24d3348b-25ac-4c1b-b171-9dae7c43e4e0@moroto.mountain
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: Fix slicing memory leak</title>
<updated>2023-08-23T15:32:45+00:00</updated>
<author>
<name>Pranjal Ramajor Asha Kanojiya</name>
<email>quic_pkanojiy@quicinc.com</email>
</author>
<published>2023-08-02T14:59:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=df45c3e46cdb41f486eecb4277fbcc4c1ffbf9be'/>
<id>df45c3e46cdb41f486eecb4277fbcc4c1ffbf9be</id>
<content type='text'>
[ Upstream commit 2d956177b7c96e62fac762a3b7da4318cde27a73 ]

The temporary buffer storing slicing configuration data from user is only
freed on error.  This is a memory leak.  Free the buffer unconditionally.

Fixes: ff13be830333 ("accel/qaic: Add datapath")
Signed-off-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230802145937.14827-1-quic_jhugo@quicinc.com
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2d956177b7c96e62fac762a3b7da4318cde27a73 ]

The temporary buffer storing slicing configuration data from user is only
freed on error.  This is a memory leak.  Free the buffer unconditionally.

Fixes: ff13be830333 ("accel/qaic: Add datapath")
Signed-off-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Carl Vanderlip &lt;quic_carlv@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230802145937.14827-1-quic_jhugo@quicinc.com
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/habanalabs: fix mem leak in capture user mappings</title>
<updated>2023-08-23T15:32:27+00:00</updated>
<author>
<name>Moti Haimovski</name>
<email>mhaimovski@habana.ai</email>
</author>
<published>2023-04-16T15:36:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=973e0890e5264cb075ef668661cad06b67777121'/>
<id>973e0890e5264cb075ef668661cad06b67777121</id>
<content type='text'>
[ Upstream commit 314a7ffd7c196b27eedd50cb7553029e17789b55 ]

This commit fixes a memory leak caused when clearing the user_mappings
info when a new context is opened immediately after user_mapping is
captured and a hard reset is performed.

Signed-off-by: Moti Haimovski &lt;mhaimovski@habana.ai&gt;
Reviewed-by: Dani Liberman &lt;dliberman@habana.ai&gt;
Reviewed-by: Oded Gabbay &lt;ogabbay@kernel.org&gt;
Signed-off-by: Oded Gabbay &lt;ogabbay@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 314a7ffd7c196b27eedd50cb7553029e17789b55 ]

This commit fixes a memory leak caused when clearing the user_mappings
info when a new context is opened immediately after user_mapping is
captured and a hard reset is performed.

Signed-off-by: Moti Haimovski &lt;mhaimovski@habana.ai&gt;
Reviewed-by: Dani Liberman &lt;dliberman@habana.ai&gt;
Reviewed-by: Oded Gabbay &lt;ogabbay@kernel.org&gt;
Signed-off-by: Oded Gabbay &lt;ogabbay@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/habanalabs: add pci health check during heartbeat</title>
<updated>2023-08-23T15:32:27+00:00</updated>
<author>
<name>Ofir Bitton</name>
<email>obitton@habana.ai</email>
</author>
<published>2023-04-18T11:48:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7f59afa93ffcfd1a73b3108fba3bc30b456fb67f'/>
<id>7f59afa93ffcfd1a73b3108fba3bc30b456fb67f</id>
<content type='text'>
[ Upstream commit d8b9cea584661b30305cf341bf9f675dc0a25471 ]

Currently upon a heartbeat failure, we don't know if the failure
is due to firmware hang or due to a bad PCI link. Hence, we
are reading a PCI config space register with a known value (vendor ID)
so we will know which of the two possibilities caused the heartbeat
failure.

Signed-off-by: Ofir Bitton &lt;obitton@habana.ai&gt;
Reviewed-by: Oded Gabbay &lt;ogabbay@kernel.org&gt;
Signed-off-by: Oded Gabbay &lt;ogabbay@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d8b9cea584661b30305cf341bf9f675dc0a25471 ]

Currently upon a heartbeat failure, we don't know if the failure
is due to firmware hang or due to a bad PCI link. Hence, we
are reading a PCI config space register with a known value (vendor ID)
so we will know which of the two possibilities caused the heartbeat
failure.

Signed-off-by: Ofir Bitton &lt;obitton@habana.ai&gt;
Reviewed-by: Oded Gabbay &lt;ogabbay@kernel.org&gt;
Signed-off-by: Oded Gabbay &lt;ogabbay@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/ivpu: Add set_pages_array_wc/uc for internal buffers</title>
<updated>2023-08-16T16:32:20+00:00</updated>
<author>
<name>Karol Wachowski</name>
<email>karol.wachowski@linux.intel.com</email>
</author>
<published>2023-08-02T06:37:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4747cc40425844e2227d3fada6efd9e7daf12610'/>
<id>4747cc40425844e2227d3fada6efd9e7daf12610</id>
<content type='text'>
commit 1963546390ed8b649f529993a755eba0fdeb7aaa upstream.

Buffers mapped with pgprot_writecombined() are not correctly
flushed. This triggers issues on VPU access using random
memory content such as MMU translation faults, invalid context
descriptors being fetched and can lead to VPU FW crashes.

Fixes: 647371a6609d ("accel/ivpu: Add GEM buffer object management")
Cc: stable@vger.kernel.org # 6.3+
Signed-off-by: Karol Wachowski &lt;karol.wachowski@linux.intel.com&gt;
Reviewed-by: Stanislaw Gruszka &lt;stanislaw.gruszka@linux.intel.com&gt;
Signed-off-by: Stanislaw Gruszka &lt;stanislaw.gruszka@linux.intel.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230802063735.3005291-1-stanislaw.gruszka@linux.intel.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1963546390ed8b649f529993a755eba0fdeb7aaa upstream.

Buffers mapped with pgprot_writecombined() are not correctly
flushed. This triggers issues on VPU access using random
memory content such as MMU translation faults, invalid context
descriptors being fetched and can lead to VPU FW crashes.

Fixes: 647371a6609d ("accel/ivpu: Add GEM buffer object management")
Cc: stable@vger.kernel.org # 6.3+
Signed-off-by: Karol Wachowski &lt;karol.wachowski@linux.intel.com&gt;
Reviewed-by: Stanislaw Gruszka &lt;stanislaw.gruszka@linux.intel.com&gt;
Signed-off-by: Stanislaw Gruszka &lt;stanislaw.gruszka@linux.intel.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230802063735.3005291-1-stanislaw.gruszka@linux.intel.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: Add consistent integer overflow checks</title>
<updated>2023-07-27T06:56:37+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@linaro.org</email>
</author>
<published>2023-07-11T08:21:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9d036b9530750b91cd69fdf85f80f3684b4484c3'/>
<id>9d036b9530750b91cd69fdf85f80f3684b4484c3</id>
<content type='text'>
commit 47d87f71d00b7091b43a56f608f7151b33e5772e upstream.

The encode_dma() function has integer overflow checks.  The
encode_passthrough(), encode_activate() and encode_status() functions
did not.  I added integer overflow checking everywhere.  I also
updated the integer overflow checking in encode_dma() to use size_add()
so everything is consistent.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Cc: stable@vger.kernel.org # 6.4.x
[jhugo: tweak if in encode_dma() to match existing style]
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q7IsPkj6WSCcL@moroto
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 47d87f71d00b7091b43a56f608f7151b33e5772e upstream.

The encode_dma() function has integer overflow checks.  The
encode_passthrough(), encode_activate() and encode_status() functions
did not.  I added integer overflow checking everywhere.  I also
updated the integer overflow checking in encode_dma() to use size_add()
so everything is consistent.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Cc: stable@vger.kernel.org # 6.4.x
[jhugo: tweak if in encode_dma() to match existing style]
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q7IsPkj6WSCcL@moroto
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: tighten bounds checking in decode_message()</title>
<updated>2023-07-27T06:56:37+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@linaro.org</email>
</author>
<published>2023-07-11T08:20:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=57d14cb3bae4619ce2fb5235cb318c3d5d8f53fd'/>
<id>57d14cb3bae4619ce2fb5235cb318c3d5d8f53fd</id>
<content type='text'>
commit 51b56382ed2a2b03347372272362b3baa623ed1e upstream.

Copy the bounds checking from encode_message() to decode_message().

This patch addresses the following concerns.  Ensure that there is
enough space for at least one header so that we don't have a negative
size later.

	if (msg_hdr_len &lt; sizeof(*trans_hdr))

Ensure that we have enough space to read the next header from the
msg-&gt;data.

	if (msg_len &gt; msg_hdr_len - sizeof(*trans_hdr))
		return -EINVAL;

Check that the trans_hdr-&gt;len is not below the minimum size:

	if (hdr_len &lt; sizeof(*trans_hdr))

This minimum check ensures that we don't corrupt memory in
decode_passthrough() when we do.

	memcpy(out_trans-&gt;data, in_trans-&gt;data, len - sizeof(in_trans-&gt;hdr));

And finally, use size_add() to prevent an integer overflow:

	if (size_add(msg_len, hdr_len) &gt; msg_hdr_len)

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q5nbLyDO7kJa+@moroto
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 51b56382ed2a2b03347372272362b3baa623ed1e upstream.

Copy the bounds checking from encode_message() to decode_message().

This patch addresses the following concerns.  Ensure that there is
enough space for at least one header so that we don't have a negative
size later.

	if (msg_hdr_len &lt; sizeof(*trans_hdr))

Ensure that we have enough space to read the next header from the
msg-&gt;data.

	if (msg_len &gt; msg_hdr_len - sizeof(*trans_hdr))
		return -EINVAL;

Check that the trans_hdr-&gt;len is not below the minimum size:

	if (hdr_len &lt; sizeof(*trans_hdr))

This minimum check ensures that we don't corrupt memory in
decode_passthrough() when we do.

	memcpy(out_trans-&gt;data, in_trans-&gt;data, len - sizeof(in_trans-&gt;hdr));

And finally, use size_add() to prevent an integer overflow:

	if (size_add(msg_len, hdr_len) &gt; msg_hdr_len)

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q5nbLyDO7kJa+@moroto
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: tighten bounds checking in encode_message()</title>
<updated>2023-07-27T06:56:37+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@linaro.org</email>
</author>
<published>2023-07-11T08:20:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1072bace37fff66a3cbc7d8ac757d840ee7acc49'/>
<id>1072bace37fff66a3cbc7d8ac757d840ee7acc49</id>
<content type='text'>
commit ea33cb6fc2788f9fe248d49e1c0b2553a58436ef upstream.

There are several issues in this code.  The check at the start of the
loop:

	if (user_len &gt;= user_msg-&gt;len) {

This check does not ensure that we have enough space for the trans_hdr
(8 bytes).  Instead the check needs to be:

	if (user_len &gt; user_msg-&gt;len - sizeof(*trans_hdr)) {

That subtraction is done as an unsigned long we want to avoid
negatives.  Add a lower bound to the start of the function.

	if (user_msg-&gt;len &lt; sizeof(*trans_hdr))

There is a second integer underflow which can happen if
trans_hdr-&gt;len is zero inside the encode_passthrough() function.

	memcpy(out_trans-&gt;data, in_trans-&gt;data, in_trans-&gt;hdr.len - sizeof(in_trans-&gt;hdr));

Instead of adding a check to encode_passthrough() it's better to check
in this central place.  Add that check:

	if (trans_hdr-&gt;len &lt; sizeof(trans_hdr)

The final concern is that the "user_len + trans_hdr-&gt;len" might have an
integer overflow bug.  Use size_add() to prevent that.

-	if (user_len + trans_hdr-&gt;len &gt; user_msg-&gt;len) {
+	if (size_add(user_len, trans_hdr-&gt;len) &gt; user_msg-&gt;len) {

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/9a0cb0c1-a974-4f10-bc8d-94437983639a@moroto.mountain
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ea33cb6fc2788f9fe248d49e1c0b2553a58436ef upstream.

There are several issues in this code.  The check at the start of the
loop:

	if (user_len &gt;= user_msg-&gt;len) {

This check does not ensure that we have enough space for the trans_hdr
(8 bytes).  Instead the check needs to be:

	if (user_len &gt; user_msg-&gt;len - sizeof(*trans_hdr)) {

That subtraction is done as an unsigned long we want to avoid
negatives.  Add a lower bound to the start of the function.

	if (user_msg-&gt;len &lt; sizeof(*trans_hdr))

There is a second integer underflow which can happen if
trans_hdr-&gt;len is zero inside the encode_passthrough() function.

	memcpy(out_trans-&gt;data, in_trans-&gt;data, in_trans-&gt;hdr.len - sizeof(in_trans-&gt;hdr));

Instead of adding a check to encode_passthrough() it's better to check
in this central place.  Add that check:

	if (trans_hdr-&gt;len &lt; sizeof(trans_hdr)

The final concern is that the "user_len + trans_hdr-&gt;len" might have an
integer overflow bug.  Use size_add() to prevent that.

-	if (user_len + trans_hdr-&gt;len &gt; user_msg-&gt;len) {
+	if (size_add(user_len, trans_hdr-&gt;len) &gt; user_msg-&gt;len) {

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/9a0cb0c1-a974-4f10-bc8d-94437983639a@moroto.mountain
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/qaic: Fix a leak in map_user_pages()</title>
<updated>2023-07-27T06:56:35+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@linaro.org</email>
</author>
<published>2023-07-11T08:21:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cdcba752a3d48fbe6f05cf2c91ab9497c8daad0c'/>
<id>cdcba752a3d48fbe6f05cf2c91ab9497c8daad0c</id>
<content type='text'>
commit 73274c33d961f4aa0f968f763e2c9f4210b4f4a3 upstream.

If get_user_pages_fast() allocates some pages but not as many as we
wanted, then the current code leaks those pages.  Call put_page() on
the pages before returning.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Dafna Hirschfeld &lt;dhirschfeld@habana.ai&gt;
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q+ZuONTsBG+1T@moroto
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 73274c33d961f4aa0f968f763e2c9f4210b4f4a3 upstream.

If get_user_pages_fast() allocates some pages but not as many as we
wanted, then the current code leaks those pages.  Call put_page() on
the pages before returning.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Pranjal Ramajor Asha Kanojiya &lt;quic_pkanojiy@quicinc.com&gt;
Reviewed-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Reviewed-by: Dafna Hirschfeld &lt;dhirschfeld@habana.ai&gt;
Cc: stable@vger.kernel.org # 6.4.x
Signed-off-by: Jeffrey Hugo &lt;quic_jhugo@quicinc.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q+ZuONTsBG+1T@moroto
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>accel/ivpu: Clear specific interrupt status bits on C0</title>
<updated>2023-07-23T11:54:11+00:00</updated>
<author>
<name>Karol Wachowski</name>
<email>karol.wachowski@linux.intel.com</email>
</author>
<published>2023-07-03T08:07:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2d63081c7c3f1f408693047d9ab770cffbee5590'/>
<id>2d63081c7c3f1f408693047d9ab770cffbee5590</id>
<content type='text'>
commit 7f34e01f77f811ecb2ef83e60301b38cf89af466 upstream.

MTL C0 stepping fixed issue related to butrress interrupt status clearing,
to clear an interrupt status it is required to write 1 to specific
status bit field. This allows to execute read, modify and write routine.

Writing 0 will not clear the interrupt and will cause interrupt storm.

Fixes: 35b137630f08 ("accel/ivpu: Introduce a new DRM driver for Intel VPU")
Cc: stable@vger.kernel.org # 6.3.x
Signed-off-by: Karol Wachowski &lt;karol.wachowski@linux.intel.com&gt;
Reviewed-by: Jacek Lawrynowicz &lt;jacek.lawrynowicz@linux.intel.com&gt;
Signed-off-by: Stanislaw Gruszka &lt;stanislaw.gruszka@linux.intel.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230703080725.2065635-2-stanislaw.gruszka@linux.intel.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7f34e01f77f811ecb2ef83e60301b38cf89af466 upstream.

MTL C0 stepping fixed issue related to butrress interrupt status clearing,
to clear an interrupt status it is required to write 1 to specific
status bit field. This allows to execute read, modify and write routine.

Writing 0 will not clear the interrupt and will cause interrupt storm.

Fixes: 35b137630f08 ("accel/ivpu: Introduce a new DRM driver for Intel VPU")
Cc: stable@vger.kernel.org # 6.3.x
Signed-off-by: Karol Wachowski &lt;karol.wachowski@linux.intel.com&gt;
Reviewed-by: Jacek Lawrynowicz &lt;jacek.lawrynowicz@linux.intel.com&gt;
Signed-off-by: Stanislaw Gruszka &lt;stanislaw.gruszka@linux.intel.com&gt;
Link: https://patchwork.freedesktop.org/patch/msgid/20230703080725.2065635-2-stanislaw.gruszka@linux.intel.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
