From: Greg Kroah-Hartman Date: Tue, 18 Jan 2022 08:55:03 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.16.2~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0496512867ee7d6a479f95c4df457f9943e95b7c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch perf-annotate-avoid-tui-crash-when-navigating-in-the-annotation-of-recursive-functions.patch
---
diff --git a/queue-5.15/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch b/queue-5.15/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
new file mode 100644
index 00000000000..9748eb23169
--- /dev/null
+++ b/queue-5.15/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
@@ -0,0 +1,67 @@
+From 47a1db8e797da01a1309bf42e0c0d771d4e4d4f3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 1 Dec 2021 14:25:26 +0100
+Subject: firmware: qemu_fw_cfg: fix kobject leak in probe error path
+
+From: Johan Hovold
+
+commit 47a1db8e797da01a1309bf42e0c0d771d4e4d4f3 upstream.
+
+An initialised kobject must be freed using kobject_put() to avoid
+leaking associated resources (e.g. the object name).
+
+Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
+the leak in the first error path of the file registration helper but
+left the second one unchanged. This "fix" would however result in a NULL
+pointer dereference due to the release function also removing the never
+added entry from the fw_cfg_entry_cache list. This has now been
+addressed.
+
+Fix the remaining kobject leak by restoring the common error path and
+adding the missing kobject_put().
+
+Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")
+Cc: stable@vger.kernel.org # 4.6
+Cc: Gabriel Somlo
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211201132528.30025-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/qemu_fw_cfg.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -603,15 +603,13 @@ static int fw_cfg_register_file(const st
+ /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */
+ err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,
+ fw_cfg_sel_ko, "%d", entry->select);
+- if (err) {
+- kobject_put(&entry->kobj);
+- return err;
+- }
++ if (err)
++ goto err_put_entry;
+ 
+ /* add raw binary content access */
+ err = sysfs_create_bin_file(&entry->kobj, &fw_cfg_sysfs_attr_raw);
+ if (err)
+- goto err_add_raw;
++ goto err_del_entry;
+ 
+ /* try adding "/sys/firmware/qemu_fw_cfg/by_name/" symlink */
+ 
fw_cfg_build_symlink(fw_cfg_fname_kset, &entry->kobj, entry->name);
+@@ -620,9 +618,10 @@ static int fw_cfg_register_file(const st
+ fw_cfg_sysfs_cache_enlist(entry);
+ return 0;
+ 
+-err_add_raw:
++err_del_entry:
+ kobject_del(&entry->kobj);
+- kfree(entry);
++err_put_entry:
++ kobject_put(&entry->kobj);
+ return err;
+ }
+ 
diff --git a/queue-5.15/firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch b/queue-5.15/firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch
new file mode 100644
index 00000000000..09f3f3de16a
--- /dev/null
+++ b/queue-5.15/firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch
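Review bot: The new `err_put_entry` path drops the only reference on an entry that was never enlisted in fw_cfg_entry_cache, so it is only safe once the ktype release no longer delists (the duplicate-entries patch in this same series); the series file orders that patch first, so the dependency holds, but nothing at the labels records the ownership rule that makes `kfree(entry)` wrong here. I would add above `err_del_entry:` the comment `/* From kobject_init_and_add() on, entry is owned by its kobject: the final kobject_put() frees it through the ktype release, so it must never be kfree()d directly. */`. The body of fw_cfg_register_file starts before this hunk and the earlier steps that allocate entry are not visible, so I cannot confirm what the pre-kobject failure paths do with it.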
@@ -0,0 +1,60 @@
+From d3e305592d69e21e36b76d24ca3c01971a2d09be Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 1 Dec 2021 14:25:25 +0100
+Subject: firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
+
+From: Johan Hovold
+
+commit d3e305592d69e21e36b76d24ca3c01971a2d09be upstream.
+
+Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
+a kobject leak in the file registration helper by properly calling
+kobject_put() for the entry in case registration of the object fails
+(e.g. due to a name collision).
+
+This would however result in a NULL pointer dereference when the
+release function tries to remove the never added entry from the
+fw_cfg_entry_cache list.
+
+Fix this by moving the list-removal out of the release function.
+
+Note that the offending commit was one of the benign looking umn.edu
+fixes which was reviewed but not reverted. [1][2]
+
+[1] https://lore.kernel.org/r/202105051005.49BFABCE@keescook
+[2] https://lore.kernel.org/all/YIg7ZOZvS3a8LjSv@kroah.com
+
+Fixes: fe3c60684377 ("firmware: Fix a reference count leak.")
+Cc: stable@vger.kernel.org # 5.8
+Cc: Qiushi Wu
+Cc: Kees Cook
+Cc: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211201132528.30025-2-johan@kernel.org
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/qemu_fw_cfg.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -388,9 +388,7 @@ static void fw_cfg_sysfs_cache_cleanup(v
+ struct fw_cfg_sysfs_entry *entry, *next;
+ 
+ list_for_each_entry_safe(entry, next, &fw_cfg_entry_cache, list) {
+- /* will end up invoking fw_cfg_sysfs_cache_delist()
+- * via each object's release() method (i.e. 
destructor)
+- */
++ fw_cfg_sysfs_cache_delist(entry);
+ kobject_put(&entry->kobj);
+ }
+ }
+@@ -448,7 +446,6 @@ static void fw_cfg_sysfs_release_entry(s
+ {
+ struct fw_cfg_sysfs_entry *entry = to_entry(kobj);
+ 
+- fw_cfg_sysfs_cache_delist(entry);
+ kfree(entry);
+ }
+ 
diff --git a/queue-5.15/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch b/queue-5.15/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch
new file mode 100644
index 00000000000..9a59a5029a0
--- /dev/null
+++ b/queue-5.15/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch
@@ -0,0 +1,35 @@
+From 1b656e9aad7f4886ed466094d1dc5ee4dd900d20 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 1 Dec 2021 14:25:27 +0100
+Subject: firmware: qemu_fw_cfg: fix sysfs information leak
+
+From: Johan Hovold
+
+commit 1b656e9aad7f4886ed466094d1dc5ee4dd900d20 upstream.
+
+Make sure to always NUL-terminate file names retrieved from the firmware
+to avoid accessing data beyond the entry slab buffer and exposing it
+through sysfs in case the firmware data is corrupt.
+
+Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")
+Cc: stable@vger.kernel.org # 4.6
+Cc: Gabriel Somlo
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211201132528.30025-4-johan@kernel.org
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/qemu_fw_cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -601,7 +601,7 @@ static int fw_cfg_register_file(const st
+ /* set file entry information */
+ entry->size = be32_to_cpu(f->size);
+ entry->select = be16_to_cpu(f->select);
+- memcpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH);
++ strscpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH);
+ 
+ /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */
+ err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,
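Review bot: With the delist moved out of fw_cfg_sysfs_release_entry, the release now kfree()s an entry whether or not it is still linked into fw_cfg_entry_cache, so the invariant "delist before dropping the last reference" is enforced only by the one caller in fw_cfg_sysfs_cache_cleanup and by the fact that the probe error paths put an entry that was never enlisted. That invariant deserves to be written down at the release function so the next refactor does not reintroduce a dangling list node; I would add above `kfree(entry);` the comment `/* The caller must already have removed entry from fw_cfg_entry_cache if it was enlisted; only the kobject-owned memory is released here. */`. Neither hunk shows any locking around the list walk or the delist, and the list helpers are outside the hunk, so whether the cleanup loop can race with registration cannot be judged from here. Both functions start before their hunks.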
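Review bot: The strscpy() return value is discarded, so a firmware name that fills all FW_CFG_MAX_FILE_PATH bytes without a NUL is now silently truncated rather than read past the end; that is the right trade-off for untrusted firmware data, but truncation can make two distinct firmware files collide on `entry->name`, which only shows up later as a by_name symlink or kobject name clash. A short comment on the new line would keep the intent visible: `/* f->name is firmware-provided and need not be NUL-terminated; strscpy() bounds the read to FW_CFG_MAX_FILE_PATH and always terminates, truncating over-long names. */`. This assumes f->name is at least FW_CFG_MAX_FILE_PATH bytes and entry->name at least as large, which the old memcpy() implied but the hunk does not show; fw_cfg_register_file begins before the hunk.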
diff --git a/queue-5.15/perf-annotate-avoid-tui-crash-when-navigating-in-the-annotation-of-recursive-functions.patch b/queue-5.15/perf-annotate-avoid-tui-crash-when-navigating-in-the-annotation-of-recursive-functions.patch
new file mode 100644
index 00000000000..4a59b847328
--- /dev/null
+++ b/queue-5.15/perf-annotate-avoid-tui-crash-when-navigating-in-the-annotation-of-recursive-functions.patch
@@ -0,0 +1,108 @@
+From d5962fb7d69073bf68fb647531cfd4f0adf84be3 Mon Sep 17 00:00:00 2001
+From: Dario Petrillo
+Date: Mon, 10 Jan 2022 00:44:41 +0100
+Subject: perf annotate: Avoid TUI crash when navigating in the annotation of recursive functions
+
+From: Dario Petrillo
+
+commit d5962fb7d69073bf68fb647531cfd4f0adf84be3 upstream.
+
+In 'perf report', entering a recursive function from inside of itself
+(either directly of indirectly through some other function) results in
+calling symbol__annotate2 multiple() times, and freeing the whole
+disassembly when exiting from the innermost instance.
+
+The first issue causes the function's disassembly to be duplicated, and
+the latter a heap use-after-free (and crash) when trying to access the
+disassembly again.
+
+I reproduced the bug on perf 5.11.22 (Ubuntu 20.04.3 LTS) and 5.16.rc8
+with the following testcase (compile with gcc recursive.c -o recursive).
+To reproduce:
+
+- perf record ./recursive
+- perf report
+- enter fibonacci and annotate it
+- move the cursor on one of the "callq fibonacci" instructions and press enter
+ - at this point there will be two copies of the function in the disassembly
+- go back by pressing q, and perf will crash
+
+ #include
+
+ int fibonacci(int n)
+ {
+ if(n <= 2) return 1;
+ return fibonacci(n-1) + fibonacci(n-2);
+ }
+
+ int main()
+ {
+ printf("%d\n", fibonacci(40));
+ }
+
+This patch addresses the issue by annotating a function and freeing the
+associated memory on exit only if no annotation is already present, so
+that a recursive function is only annotated on entry.
+
+Signed-off-by: Dario Petrillo
+Tested-by: Arnaldo Carvalho de Melo
+Cc: Alexander Shishkin
+Cc: Jiri Olsa
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: stable@kernel.org
+Link: http://lore.kernel.org/lkml/20220109234441.325106-1-dario.pk1@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/ui/browsers/annotate.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/tools/perf/ui/browsers/annotate.c
++++ b/tools/perf/ui/browsers/annotate.c
+@@ -966,6 +966,7 @@ int symbol__tui_annotate(struct map_symb
+ .opts = opts,
+ };
+ int ret = -1, err;
++ int not_annotated = list_empty(¬es->src->source);
+ 
+ if (sym == NULL)
+ return -1;
+@@ -973,13 +974,15 @@ int symbol__tui_annotate(struct map_symb
+ if (ms->map->dso->annotate_warned)
+ return -1;
+ 
+- err = symbol__annotate2(ms, evsel, opts, &browser.arch);
+- if (err) {
+- char msg[BUFSIZ];
+- ms->map->dso->annotate_warned = true;
+- symbol__strerror_disassemble(ms, err, msg, sizeof(msg));
+- ui__error("Couldn't annotate %s:\n%s", sym->name, msg);
+- goto out_free_offsets;
++ if (not_annotated) {
++ err = symbol__annotate2(ms, evsel, opts, &browser.arch);
++ if (err) {
++ char msg[BUFSIZ];
++ ms->map->dso->annotate_warned = true;
++ symbol__strerror_disassemble(ms, err, msg, sizeof(msg));
++ ui__error("Couldn't annotate %s:\n%s", sym->name, msg);
++ goto out_free_offsets;
++ }
+ }
+ 
+ ui_helpline__push("Press ESC to exit");
+@@ -994,9 +997,11 @@ int symbol__tui_annotate(struct map_symb
+ 
+ ret = annotate_browser__run(&browser, evsel, hbt);
+ 
+- annotated_source__purge(notes->src);
++ if(not_annotated)
++ annotated_source__purge(notes->src);
+ 
+ out_free_offsets:
+- zfree(¬es->offsets);
++ if(not_annotated)
++ zfree(¬es->offsets);
+ return ret;
+ }
diff --git a/queue-5.15/series b/queue-5.15/series
index afe50772cc8..77276b0d114 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
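Review bot: The initializer `int not_annotated = list_empty(&notes->src->source);` dereferences notes and notes->src two lines before the `if (sym == NULL) return -1;` guard in the same hunk, so if `notes` is derived from `sym` (its declaration is above the hunk and not visible here) a NULL symbol now faults in the declaration instead of returning -1. Declare it uninitialised and assign after the guards, e.g. `int not_annotated;` at the top and `not_annotated = list_empty(&notes->src->source);` immediately after the `annotate_warned` check, which also keeps the evaluation next to the code that depends on it. As a style point the two new `if(not_annotated)` lines in the last hunk should read `if (not_annotated)` per kernel coding style. The `¬es` on the page is an HTML-entity rendering of `&notes`, not a change in the patch. symbol__tui_annotate begins before the first hunk.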
@@ -13,3 +13,7 @@ remoteproc-qcom-pas-add-missing-power-domain-mxc-for-cdsp.patch
 video-vga16fb-only-probe-for-ega-and-vga-16-color-graphic-cards.patch
 media-uvcvideo-fix-division-by-zero-at-stream-start.patch
 rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch
+firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch
+firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch
+firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
+perf-annotate-avoid-tui-crash-when-navigating-in-the-annotation-of-recursive-functions.patch