]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 20 Aug 2023 18:07:08 +0000 (20:07 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 20 Aug 2023 18:07:08 +0000 (20:07 +0200)
added patches:
fbdev-mmp-fix-value-check-in-mmphw_probe.patch
powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch

queue-4.19/fbdev-mmp-fix-value-check-in-mmphw_probe.patch [new file with mode: 0644]
queue-4.19/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/fbdev-mmp-fix-value-check-in-mmphw_probe.patch b/queue-4.19/fbdev-mmp-fix-value-check-in-mmphw_probe.patch
new file mode 100644 (file)
index 0000000..644b337
--- /dev/null
@@ -0,0 +1,34 @@
+From 0872b2c0abc0e84ac82472959c8e14e35277549c Mon Sep 17 00:00:00 2001
+From: Yuanjun Gong <ruc_gongyuanjun@163.com>
+Date: Fri, 28 Jul 2023 01:03:18 +0800
+Subject: fbdev: mmp: fix value check in mmphw_probe()
+
+From: Yuanjun Gong <ruc_gongyuanjun@163.com>
+
+commit 0872b2c0abc0e84ac82472959c8e14e35277549c upstream.
+
+in mmphw_probe(), check the return value of clk_prepare_enable()
+and return the error code if clk_prepare_enable() returns an
+unexpected value.
+
+Fixes: d63028c38905 ("video: mmp display controller support")
+Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/mmp/hw/mmp_ctrl.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/mmp/hw/mmp_ctrl.c
++++ b/drivers/video/fbdev/mmp/hw/mmp_ctrl.c
+@@ -523,7 +523,9 @@ static int mmphw_probe(struct platform_d
+               ret = -ENOENT;
+               goto failed;
+       }
+-      clk_prepare_enable(ctrl->clk);
++      ret = clk_prepare_enable(ctrl->clk);
++      if (ret)
++              goto failed;
+       /* init global regs */
+       ctrl_set_default(ctrl);
diff --git a/queue-4.19/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch b/queue-4.19/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch
new file mode 100644 (file)
index 0000000..71f2689
--- /dev/null
@@ -0,0 +1,68 @@
+From 4f3175979e62de3b929bfa54a0db4b87d36257a7 Mon Sep 17 00:00:00 2001
+From: Nathan Lynch <nathanl@linux.ibm.com>
+Date: Thu, 10 Aug 2023 22:37:55 -0500
+Subject: powerpc/rtas_flash: allow user copy to flash block cache objects
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+commit 4f3175979e62de3b929bfa54a0db4b87d36257a7 upstream.
+
+With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the
+/proc/powerpc/rtas/firmware_update interface to prepare a system
+firmware update yields a BUG():
+
+  kernel BUG at mm/usercopy.c:102!
+  Oops: Exception in kernel mode, sig: 5 [#1]
+  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+  Modules linked in:
+  CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2
+  Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries
+  NIP:  c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000
+  REGS: c0000000148c76a0 TRAP: 0700   Not tainted  (6.5.0-rc3+)
+  MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 24002242  XER: 0000000c
+  CFAR: c0000000001fbd34 IRQMASK: 0
+  [ ... GPRs omitted ... ]
+  NIP usercopy_abort+0xa0/0xb0
+  LR  usercopy_abort+0x9c/0xb0
+  Call Trace:
+    usercopy_abort+0x9c/0xb0 (unreliable)
+    __check_heap_object+0x1b4/0x1d0
+    __check_object_size+0x2d0/0x380
+    rtas_flash_write+0xe4/0x250
+    proc_reg_write+0xfc/0x160
+    vfs_write+0xfc/0x4e0
+    ksys_write+0x90/0x160
+    system_call_exception+0x178/0x320
+    system_call_common+0x160/0x2c4
+
+The blocks of the firmware image are copied directly from user memory
+to objects allocated from flash_block_cache, so flash_block_cache must
+be created using kmem_cache_create_usercopy() to mark it safe for user
+access.
+
+Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0")
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+[mpe: Trim and indent oops]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230810-rtas-flash-vs-hardened-usercopy-v2-1-dcf63793a938@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/rtas_flash.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kernel/rtas_flash.c
++++ b/arch/powerpc/kernel/rtas_flash.c
+@@ -714,9 +714,9 @@ static int __init rtas_flash_init(void)
+       if (!rtas_validate_flash_data.buf)
+               return -ENOMEM;
+-      flash_block_cache = kmem_cache_create("rtas_flash_cache",
+-                                            RTAS_BLK_SIZE, RTAS_BLK_SIZE, 0,
+-                                            NULL);
++      flash_block_cache = kmem_cache_create_usercopy("rtas_flash_cache",
++                                                     RTAS_BLK_SIZE, RTAS_BLK_SIZE,
++                                                     0, 0, RTAS_BLK_SIZE, NULL);
+       if (!flash_block_cache) {
+               printk(KERN_ERR "%s: failed to create block cache\n",
+                               __func__);
index 53bca8e16dfd6659a200afbb0be6562b92ff79e3..e046c8a22b22bb71fa7c6f40514434edb940ef7b 100644 (file)
@@ -54,3 +54,5 @@ nfsd-remove-incorrect-check-in-nfsd4_validate_statei.patch
 virtio-mmio-convert-to-devm_platform_ioremap_resourc.patch
 virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch
 virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch
+fbdev-mmp-fix-value-check-in-mmphw_probe.patch
+powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch