5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 18 Jan 2022 08:55:03 +0000 (09:55 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 18 Jan 2022 08:55:03 +0000 (09:55 +0100)
added patches:
firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch
firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch
perf-annotate-avoid-tui-crash-when-navigating-in-the-annotation-of-recursive-functions.patch

queue-5.15/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch [new file with mode: 0644]
queue-5.15/firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch [new file with mode: 0644]
queue-5.15/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch [new file with mode: 0644]
queue-5.15/perf-annotate-avoid-tui-crash-when-navigating-in-the-annotation-of-recursive-functions.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch b/queue-5.15/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
new file mode 100644 (file)
index 0000000..9748eb2
--- /dev/null
@@ -0,0 +1,67 @@
+From 47a1db8e797da01a1309bf42e0c0d771d4e4d4f3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 1 Dec 2021 14:25:26 +0100
+Subject: firmware: qemu_fw_cfg: fix kobject leak in probe error path
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 47a1db8e797da01a1309bf42e0c0d771d4e4d4f3 upstream.
+
+An initialised kobject must be freed using kobject_put() to avoid
+leaking associated resources (e.g. the object name).
+
+Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
+the leak in the first error path of the file registration helper but
+left the second one unchanged. This "fix" would however result in a NULL
+pointer dereference due to the release function also removing the never
+added entry from the fw_cfg_entry_cache list. This has now been
+addressed.
+
+Fix the remaining kobject leak by restoring the common error path and
+adding the missing kobject_put().
+
+Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")
+Cc: stable@vger.kernel.org      # 4.6
+Cc: Gabriel Somlo <somlo@cmu.edu>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211201132528.30025-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/qemu_fw_cfg.c |   13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -603,15 +603,13 @@ static int fw_cfg_register_file(const st
+       /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */
+       err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,
+                                  fw_cfg_sel_ko, "%d", entry->select);
+-      if (err) {
+-              kobject_put(&entry->kobj);
+-              return err;
+-      }
++      if (err)
++              goto err_put_entry;
+       /* add raw binary content access */
+       err = sysfs_create_bin_file(&entry->kobj, &fw_cfg_sysfs_attr_raw);
+       if (err)
+-              goto err_add_raw;
++              goto err_del_entry;
+       /* try adding "/sys/firmware/qemu_fw_cfg/by_name/" symlink */
+       fw_cfg_build_symlink(fw_cfg_fname_kset, &entry->kobj, entry->name);
+@@ -620,9 +618,10 @@ static int fw_cfg_register_file(const st
+       fw_cfg_sysfs_cache_enlist(entry);
+       return 0;
+-err_add_raw:
++err_del_entry:
+       kobject_del(&entry->kobj);
+-      kfree(entry);
++err_put_entry:
++      kobject_put(&entry->kobj);
+       return err;
+ }
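Review bot: The new `err_put_entry` label calls kobject_put() on an entry that was never enlisted in fw_cfg_entry_cache, which is only safe once fw_cfg_sysfs_release_entry() no longer calls fw_cfg_sysfs_cache_delist(); that companion change is queued on this page as firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch and the series lists it first, so the relative order must be preserved when these are backported elsewhere. Nothing in the hunk records that dependency; a one-line comment above the label would, e.g. `/* release() only kfree()s the entry; it must not be on fw_cfg_entry_cache here */`. Note also that after a sysfs_create_bin_file() failure the `err_del_entry` path now does kobject_del() followed by kobject_put(), which is the documented teardown order for an added kobject. fw_cfg_register_file() begins before the hunk.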
diff --git a/queue-5.15/firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch b/queue-5.15/firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch
new file mode 100644 (file)
index 0000000..09f3f3d
--- /dev/null
@@ -0,0 +1,60 @@
+From d3e305592d69e21e36b76d24ca3c01971a2d09be Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 1 Dec 2021 14:25:25 +0100
+Subject: firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d3e305592d69e21e36b76d24ca3c01971a2d09be upstream.
+
+Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
+a kobject leak in the file registration helper by properly calling
+kobject_put() for the entry in case registration of the object fails
+(e.g. due to a name collision).
+
+This would however result in a NULL pointer dereference when the
+release function tries to remove the never added entry from the
+fw_cfg_entry_cache list.
+
+Fix this by moving the list-removal out of the release function.
+
+Note that the offending commit was one of the benign looking umn.edu
+fixes which was reviewed but not reverted. [1][2]
+
+[1] https://lore.kernel.org/r/202105051005.49BFABCE@keescook
+[2] https://lore.kernel.org/all/YIg7ZOZvS3a8LjSv@kroah.com
+
+Fixes: fe3c60684377 ("firmware: Fix a reference count leak.")
+Cc: stable@vger.kernel.org      # 5.8
+Cc: Qiushi Wu <wu000273@umn.edu>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211201132528.30025-2-johan@kernel.org
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/qemu_fw_cfg.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -388,9 +388,7 @@ static void fw_cfg_sysfs_cache_cleanup(v
+       struct fw_cfg_sysfs_entry *entry, *next;
+       list_for_each_entry_safe(entry, next, &fw_cfg_entry_cache, list) {
+-              /* will end up invoking fw_cfg_sysfs_cache_delist()
+-               * via each object's release() method (i.e. destructor)
+-               */
++              fw_cfg_sysfs_cache_delist(entry);
+               kobject_put(&entry->kobj);
+       }
+ }
+@@ -448,7 +446,6 @@ static void fw_cfg_sysfs_release_entry(s
+ {
+       struct fw_cfg_sysfs_entry *entry = to_entry(kobj);
+-      fw_cfg_sysfs_cache_delist(entry);
+       kfree(entry);
+ }
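Review bot: fw_cfg_sysfs_release_entry() now kfree()s the entry without unlinking it, so correctness depends on every kobject_put() caller either having called fw_cfg_sysfs_cache_delist() first (as the cleanup loop above now does) or never having enlisted the entry; that invariant is not stated anywhere in the hunk. A comment on the release function would make it explicit: `/* Caller must have removed @entry from fw_cfg_entry_cache (or never enlisted it). */`. Since the list removal and the final put are no longer atomic with respect to each other, any future put path that forgets the delist would leave a dangling list node rather than crash immediately, which is harder to spot; the comment is the cheap guard. Both fw_cfg_sysfs_cache_cleanup() and fw_cfg_sysfs_release_entry() start before their respective hunks.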
diff --git a/queue-5.15/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch b/queue-5.15/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch
new file mode 100644 (file)
index 0000000..9a59a50
--- /dev/null
@@ -0,0 +1,35 @@
+From 1b656e9aad7f4886ed466094d1dc5ee4dd900d20 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 1 Dec 2021 14:25:27 +0100
+Subject: firmware: qemu_fw_cfg: fix sysfs information leak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1b656e9aad7f4886ed466094d1dc5ee4dd900d20 upstream.
+
+Make sure to always NUL-terminate file names retrieved from the firmware
+to avoid accessing data beyond the entry slab buffer and exposing it
+through sysfs in case the firmware data is corrupt.
+
+Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")
+Cc: stable@vger.kernel.org      # 4.6
+Cc: Gabriel Somlo <somlo@cmu.edu>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211201132528.30025-4-johan@kernel.org
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/qemu_fw_cfg.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -601,7 +601,7 @@ static int fw_cfg_register_file(const st
+       /* set file entry information */
+       entry->size = be32_to_cpu(f->size);
+       entry->select = be16_to_cpu(f->select);
+-      memcpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH);
++      strscpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH);
+       /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */
+       err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,
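Review bot: The return value of strscpy() at `strscpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH);` is discarded, so a firmware-supplied name that does not fit is silently truncated to a different name instead of being reported; with corrupt firmware data the truncated name can collide with an existing by_name entry and only fail later in kobject_init_and_add() with no hint of the cause. Checking the result, e.g. `if (strscpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH) < 0) pr_warn("fw_cfg: truncated file name\n");`, would make that observable. The fix also still reads up to FW_CFG_MAX_FILE_PATH bytes of f->name, so it presumably relies on f->name being at least that large — confirm against the fw_cfg_file definition. fw_cfg_register_file() begins and ends outside the hunk.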
diff --git a/queue-5.15/perf-annotate-avoid-tui-crash-when-navigating-in-the-annotation-of-recursive-functions.patch b/queue-5.15/perf-annotate-avoid-tui-crash-when-navigating-in-the-annotation-of-recursive-functions.patch
new file mode 100644 (file)
index 0000000..4a59b84
--- /dev/null
@@ -0,0 +1,108 @@
+From d5962fb7d69073bf68fb647531cfd4f0adf84be3 Mon Sep 17 00:00:00 2001
+From: Dario Petrillo <dario.pk1@gmail.com>
+Date: Mon, 10 Jan 2022 00:44:41 +0100
+Subject: perf annotate: Avoid TUI crash when navigating in the annotation of recursive functions
+
+From: Dario Petrillo <dario.pk1@gmail.com>
+
+commit d5962fb7d69073bf68fb647531cfd4f0adf84be3 upstream.
+
+In 'perf report', entering a recursive function from inside of itself
+(either directly of indirectly through some other function) results in
+calling symbol__annotate2 multiple() times, and freeing the whole
+disassembly when exiting from the innermost instance.
+
+The first issue causes the function's disassembly to be duplicated, and
+the latter a heap use-after-free (and crash) when trying to access the
+disassembly again.
+
+I reproduced the bug on perf 5.11.22 (Ubuntu 20.04.3 LTS) and 5.16.rc8
+with the following testcase (compile with gcc recursive.c -o recursive).
+To reproduce:
+
+- perf record ./recursive
+- perf report
+- enter fibonacci and annotate it
+- move the cursor on one of the "callq fibonacci" instructions and press enter
+  - at this point there will be two copies of the function in the disassembly
+- go back by pressing q, and perf will crash
+
+  #include <stdio.h>
+
+  int fibonacci(int n)
+  {
+      if(n <= 2) return 1;
+      return fibonacci(n-1) + fibonacci(n-2);
+  }
+
+  int main()
+  {
+      printf("%d\n", fibonacci(40));
+  }
+
+This patch addresses the issue by annotating a function and freeing the
+associated memory on exit only if no annotation is already present, so
+that a recursive function is only annotated on entry.
+
+Signed-off-by: Dario Petrillo <dario.pk1@gmail.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@kernel.org
+Link: http://lore.kernel.org/lkml/20220109234441.325106-1-dario.pk1@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/ui/browsers/annotate.c |   23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/tools/perf/ui/browsers/annotate.c
++++ b/tools/perf/ui/browsers/annotate.c
+@@ -966,6 +966,7 @@ int symbol__tui_annotate(struct map_symb
+               .opts = opts,
+       };
+       int ret = -1, err;
++      int not_annotated = list_empty(&notes->src->source);
+       if (sym == NULL)
+               return -1;
+@@ -973,13 +974,15 @@ int symbol__tui_annotate(struct map_symb
+       if (ms->map->dso->annotate_warned)
+               return -1;
+-      err = symbol__annotate2(ms, evsel, opts, &browser.arch);
+-      if (err) {
+-              char msg[BUFSIZ];
+-              ms->map->dso->annotate_warned = true;
+-              symbol__strerror_disassemble(ms, err, msg, sizeof(msg));
+-              ui__error("Couldn't annotate %s:\n%s", sym->name, msg);
+-              goto out_free_offsets;
++      if (not_annotated) {
++              err = symbol__annotate2(ms, evsel, opts, &browser.arch);
++              if (err) {
++                      char msg[BUFSIZ];
++                      ms->map->dso->annotate_warned = true;
++                      symbol__strerror_disassemble(ms, err, msg, sizeof(msg));
++                      ui__error("Couldn't annotate %s:\n%s", sym->name, msg);
++                      goto out_free_offsets;
++              }
+       }
+       ui_helpline__push("Press ESC to exit");
+@@ -994,9 +997,11 @@ int symbol__tui_annotate(struct map_symb
+       ret = annotate_browser__run(&browser, evsel, hbt);
+-      annotated_source__purge(notes->src);
++      if(not_annotated)
++              annotated_source__purge(notes->src);
+ out_free_offsets:
+-      zfree(&notes->offsets);
++      if(not_annotated)
++              zfree(&notes->offsets);
+       return ret;
+ }
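Review bot: `int not_annotated = list_empty(&notes->src->source);` dereferences notes->src before the `if (sym == NULL) return -1;` guard on the next line; if `notes` is derived from `sym` (its declaration is above the hunk), a NULL symbol now reads through a bogus pointer before the check that was meant to reject it, and if notes->src can be NULL for a never-sampled symbol the same line dereferences NULL — verify both against the declarations at the top of symbol__tui_annotate(). Declaring `int not_annotated;` in the initialiser block and assigning `not_annotated = list_empty(&notes->src->source);` after the sym and annotate_warned checks keeps the guards first. Separately, `if(not_annotated)` on the purge and zfree lines omits the space after `if` required by kernel coding style; `if (not_annotated)` in both places. symbol__tui_annotate() starts before the hunk.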
index afe50772cc8d0757a676fedb4ed35b7419e00ea0..77276b0d114793c4a4c0bc56b459c76f7c2b7f0c 100644 (file)
@@ -13,3 +13,7 @@ remoteproc-qcom-pas-add-missing-power-domain-mxc-for-cdsp.patch
 video-vga16fb-only-probe-for-ega-and-vga-16-color-graphic-cards.patch
 media-uvcvideo-fix-division-by-zero-at-stream-start.patch
 rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch
+firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch
+firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch
+firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
+perf-annotate-avoid-tui-crash-when-navigating-in-the-annotation-of-recursive-functions.patch