From: Greg Kroah-Hartman Date: Sat, 18 Jan 2020 15:12:57 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.211~66 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0c57fceec5d8cd6a0bbe4e14c9f14f6b42c85ed4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch block-fix-an-integer-overflow-in-logical-block-size.patch clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch fix-built-in-early-load-intel-microcode-alignment.patch
---
diff --git a/queue-4.9/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch b/queue-4.9/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
new file mode 100644
index 00000000000..a720c7d0e2e
--- /dev/null
+++ b/queue-4.9/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
@@ -0,0 +1,54 @@
+From 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 15 Jan 2020 21:37:33 +0100
+Subject: ALSA: seq: Fix racy access for queue timer in proc read
+
+From: Takashi Iwai
+
+commit 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a upstream.
+
+snd_seq_info_timer_read() reads the information of the timer assigned
+for each queue, but it's done in a racy way which may lead to UAF as
+spotted by syzkaller.
+
+This patch applies the missing q->timer_mutex lock while accessing the
+timer object as well as a slight code change to adapt the standard
+coding style.
+
+Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com
+Cc:
+Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/seq_timer.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -479,15 +479,19 @@ void snd_seq_info_timer_read(struct snd_
+ q = queueptr(idx);
+ if (q == NULL)
+ continue;
+- if ((tmr = q->timer) == NULL ||
+- (ti = tmr->timeri) == NULL) {
+- queuefree(q);
+- continue;
+- }
++ mutex_lock(&q->timer_mutex);
++ tmr = q->timer;
++ if (!tmr)
++ goto unlock;
++ ti = tmr->timeri;
++ if (!ti)
++ goto unlock;
+ snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name);
+ resolution = snd_timer_resolution(ti) * tmr->ticks;
+ snd_iprintf(buffer, " Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000);
+ snd_iprintf(buffer, " Skew : %u / %u\n", tmr->skew, tmr->skew_base);
++unlock:
++ mutex_unlock(&q->timer_mutex);
+ queuefree(q);
+ }
+ }
diff --git a/queue-4.9/block-fix-an-integer-overflow-in-logical-block-size.patch b/queue-4.9/block-fix-an-integer-overflow-in-logical-block-size.patch
new file mode 100644
index 00000000000..48439d6a02f
--- /dev/null
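Review bot: The new locked region in snd_seq_info_timer_read() carries no comment saying what q->timer_mutex protects, so a later reader cannot tell why the three snd_iprintf() calls must stay inside it rather than only the two NULL checks that precede them. Since the lock is what keeps `tmr` and `ti` alive across the prints, I would add `/* timer_mutex keeps q->timer and its timeri valid until the last snd_iprintf() */` above `mutex_lock(&q->timer_mutex);`. The `ti->timer->name` dereference is still unchecked; presumably a non-NULL timeri always has a timer, but that is not visible here and is worth confirming. Both `goto unlock` paths correctly fall through to the existing `queuefree(q)`, so no reference is leaked. The enclosing function starts before this hunk.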
+++ b/queue-4.9/block-fix-an-integer-overflow-in-logical-block-size.patch 
@@ -0,0 +1,116 @@
+From ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Wed, 15 Jan 2020 08:35:25 -0500
+Subject: block: fix an integer overflow in logical block size
+
+From: Mikulas Patocka
+
+commit ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 upstream.
+
+Logical block size has type unsigned short. That means that it can be at
+most 32768. However, there are architectures that can run with 64k pages
+(for example arm64) and on these architectures, it may be possible to
+create block devices with 64k block size.
+
+For exmaple (run this on an architecture with 64k pages):
+
+Mount will fail with this error because it tries to read the superblock using 2-sector
+access:
+ device-mapper: writecache: I/O is not aligned, sector 2, size 1024, block size 65536
+ EXT4-fs (dm-0): unable to read superblock
+
+This patch changes the logical block size from unsigned short to unsigned
+int to avoid the overflow.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Martin K. Petersen
+Reviewed-by: Ming Lei
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/blk-settings.c | 2 +-
+ drivers/md/dm-snap-persistent.c | 2 +-
+ drivers/md/raid0.c | 2 +-
+ include/linux/blkdev.h | 8 ++++----
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -349,7 +349,7 @@ EXPORT_SYMBOL(blk_queue_max_segment_size
+ * storage device can address. The default of 512 covers most
+ * hardware.
+ **/
+-void blk_queue_logical_block_size(struct request_queue *q, unsigned short size)
++void blk_queue_logical_block_size(struct request_queue *q, unsigned int size)
+ {
+ q->limits.logical_block_size = size;
+
+--- a/drivers/md/dm-snap-persistent.c
++++ b/drivers/md/dm-snap-persistent.c
+@@ -17,7 +17,7 @@
+ #include "dm-bufio.h"
+
+ #define DM_MSG_PREFIX "persistent snapshot"
+-#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32 /* 16KB */
++#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32U /* 16KB */
+
+ #define DM_PREFETCH_CHUNKS 12
+
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -82,7 +82,7 @@ static int create_strip_zones(struct mdd
+ char b[BDEVNAME_SIZE];
+ char b2[BDEVNAME_SIZE];
+ struct r0conf *conf = kzalloc(sizeof(*conf), GFP_KERNEL);
+- unsigned short blksize = 512;
++ unsigned blksize = 512;
+
+ *private_conf = ERR_PTR(-ENOMEM);
+ if (!conf)
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -277,6 +277,7 @@ struct queue_limits {
+ unsigned int max_sectors;
+ unsigned int max_segment_size;
+ unsigned int physical_block_size;
++ unsigned int logical_block_size;
+ unsigned int alignment_offset;
+ unsigned int io_min;
+ unsigned int io_opt;
+@@ -286,7 +287,6 @@ struct queue_limits {
+ unsigned int discard_granularity;
+ unsigned int discard_alignment;
+
+- unsigned short logical_block_size;
+ unsigned short max_segments;
+ unsigned short max_integrity_segments;
+
+@@ -996,7 +996,7 @@ extern void blk_queue_max_discard_sector
+ unsigned int max_discard_sectors);
+ extern void blk_queue_max_write_same_sectors(struct request_queue *q,
+ unsigned int max_write_same_sectors);
+-extern void blk_queue_logical_block_size(struct request_queue *, unsigned short);
++extern void blk_queue_logical_block_size(struct request_queue *, unsigned int);
+ extern void blk_queue_physical_block_size(struct request_queue *, unsigned int);
+ extern void blk_queue_alignment_offset(struct request_queue *q,
+ unsigned int alignment);
+@@ -1221,7 +1221,7 @@ static inline unsigned int queue_max_seg
+ return q->limits.max_segment_size;
+ }
+
+-static inline unsigned short queue_logical_block_size(struct request_queue *q)
++static inline unsigned queue_logical_block_size(struct request_queue *q)
+ {
+ int retval = 512;
+
+@@ -1231,7 +1231,7 @@ static inline unsigned short queue_logic
+ return retval;
+ }
+
+-static inline unsigned short bdev_logical_block_size(struct block_device *bdev)
++static inline unsigned int bdev_logical_block_size(struct block_device *bdev)
+ {
+ return queue_logical_block_size(bdev_get_queue(bdev));
+ }
diff --git a/queue-4.9/clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch b/queue-4.9/clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch
new file mode 100644
index 00000000000..9e8d8415723
--- /dev/null
+++ b/queue-4.9/clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch
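Review bot: In the blkdev.h part of this patch, `queue_logical_block_size()` now returns `unsigned` but the value it returns is still the signed local `int retval = 512;` on the line right after the new signature, so the widened limit passes through a signed-to-unsigned conversion on the way out; the local should follow the new type, `unsigned int retval = 512;`. The lines that copy `q->limits.logical_block_size` into `retval` lie between the two blkdev.h hunks and are not visible here, so I am assuming they are a plain assignment. As a point of style, the same patch spells the type three ways (`unsigned int size`, `unsigned blksize`, `unsigned queue_logical_block_size`, `unsigned int bdev_logical_block_size`); using `unsigned int` throughout would match the surrounding `struct queue_limits` fields. Separately, the description's "can be at most 32768" understates `unsigned short` (65535), though the conclusion that 65536 does not fit is unaffected.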
@@ -0,0 +1,65 @@
+From 12ead77432f2ce32dea797742316d15c5800cb32 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Wed, 25 Dec 2019 08:34:29 -0800
+Subject: clk: Don't try to enable critical clocks if prepare failed
+
+From: Guenter Roeck
+
+commit 12ead77432f2ce32dea797742316d15c5800cb32 upstream.
+
+The following traceback is seen if a critical clock fails to prepare.
+
+bcm2835-clk 3f101000.cprman: plld: couldn't lock PLL
+------------[ cut here ]------------
+Enabling unprepared plld_per
+WARNING: CPU: 1 PID: 1 at drivers/clk/clk.c:1014 clk_core_enable+0xcc/0x2c0
+...
+Call trace:
+ clk_core_enable+0xcc/0x2c0
+ __clk_register+0x5c4/0x788
+ devm_clk_hw_register+0x4c/0xb0
+ bcm2835_register_pll_divider+0xc0/0x150
+ bcm2835_clk_probe+0x134/0x1e8
+ platform_drv_probe+0x50/0xa0
+ really_probe+0xd4/0x308
+ driver_probe_device+0x54/0xe8
+ device_driver_attach+0x6c/0x78
+ __driver_attach+0x54/0xd8
+...
+
+Check return values from clk_core_prepare() and clk_core_enable() and
+bail out if any of those functions returns an error.
+
+Cc: Jerome Brunet
+Fixes: 99652a469df1 ("clk: migrate the count of orphaned clocks at init")
+Signed-off-by: Guenter Roeck
+Link: https://lkml.kernel.org/r/20191225163429.29694-1-linux@roeck-us.net
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/clk.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -2448,11 +2448,17 @@ static int __clk_core_init(struct clk_co
+ if (core->flags & CLK_IS_CRITICAL) {
+ unsigned long flags;
+
+- clk_core_prepare(core);
++ ret = clk_core_prepare(core);
++ if (ret)
++ goto out;
+
+ flags = clk_enable_lock();
+- clk_core_enable(core);
++ ret = clk_core_enable(core);
+ clk_enable_unlock(flags);
++ if (ret) {
++ clk_core_unprepare(core);
++ goto out;
++ }
+ }
+
+ /*
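Review bot: On the enable-failure path `clk_core_unprepare(core)` runs only after `clk_enable_unlock(flags)`, and nothing records that this ordering is deliberate; given the `flags` variable the enable lock is presumably an IRQ-disabling spinlock, so the unprepare must not move inside it. I would pin that with `/* unprepare after dropping the enable lock; unprepare may sleep */` above the `if (ret) {` that follows the unlock. Both error paths jump to `out`, which is outside this hunk, so whatever that label undoes is applied to a clock that was never prepared or enabled; that is fine only if `out` does no unprepare or disable of its own, which should be confirmed against the full function. The enclosing __clk_core_init() begins and ends outside the hunk.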
diff --git a/queue-4.9/dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch b/queue-4.9/dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch
new file mode 100644
index 00000000000..c07edf414b2
--- /dev/null
+++ b/queue-4.9/dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch
@@ -0,0 +1,42 @@
+From 4881873f4cc1460f63d85fa81363d56be328ccdc Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl
+Date: Sat, 30 Nov 2019 19:53:37 +0100
+Subject: dt-bindings: reset: meson8b: fix duplicate reset IDs
+
+From: Martin Blumenstingl
+
+commit 4881873f4cc1460f63d85fa81363d56be328ccdc upstream.
+
+According to the public S805 datasheet the RESET2 register uses the
+following bits for the PIC_DC, PSC and NAND reset lines:
+- PIC_DC is at bit 3 (meaning: RESET_VD_RMEM + 3)
+- PSC is at bit 4 (meaning: RESET_VD_RMEM + 4)
+- NAND is at bit 5 (meaning: RESET_VD_RMEM + 4)
+
+Update the reset IDs of these three reset lines so they don't conflict
+with PIC_DC and map to the actual hardware reset lines.
+
+Fixes: 79795e20a184eb ("dt-bindings: reset: Add bindings for the Meson SoC Reset Controller")
+Signed-off-by: Martin Blumenstingl
+Signed-off-by: Kevin Hilman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/dt-bindings/reset/amlogic,meson8b-reset.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/dt-bindings/reset/amlogic,meson8b-reset.h
++++ b/include/dt-bindings/reset/amlogic,meson8b-reset.h
+@@ -95,9 +95,9 @@
+ #define RESET_VD_RMEM 64
+ #define RESET_AUDIN 65
+ #define RESET_DBLK 66
+-#define RESET_PIC_DC 66
+-#define RESET_PSC 66
+-#define RESET_NAND 66
++#define RESET_PIC_DC 67
++#define RESET_PSC 68
++#define RESET_NAND 69
+ #define RESET_GE2D 70
+ #define RESET_PARSER_REG 71
+ #define RESET_PARSER_FETCH 72
diff --git a/queue-4.9/fix-built-in-early-load-intel-microcode-alignment.patch b/queue-4.9/fix-built-in-early-load-intel-microcode-alignment.patch
new file mode 100644
index 00000000000..5ccdf8b9141
--- /dev/null
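Review bot: The queued patch's description disagrees with its own code: the third bullet says NAND is "RESET_VD_RMEM + 4", while the new `#define RESET_NAND 69` with `RESET_VD_RMEM 64` is + 5 (and bit 5, as the same bullet states). Since the file being added here is the text that will be applied, the bullet should be corrected to `- NAND is at bit 5 (meaning: RESET_VD_RMEM + 5)` before it lands. The values are also devicetree ABI: a DTB compiled against the old header keeps 66 for PSC and NAND, which after this change is RESET_DBLK only, so out-of-tree DTBs presumably need rebuilding; a short note in the description would make that expectation explicit.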
+++ b/queue-4.9/fix-built-in-early-load-intel-microcode-alignment.patch 
@@ -0,0 +1,54 @@
+From f5ae2ea6347a308cfe91f53b53682ce635497d0d Mon Sep 17 00:00:00 2001
+From: Jari Ruusu
+Date: Sun, 12 Jan 2020 15:00:53 +0200
+Subject: Fix built-in early-load Intel microcode alignment
+
+From: Jari Ruusu
+
+commit f5ae2ea6347a308cfe91f53b53682ce635497d0d upstream.
+
+Intel Software Developer's Manual, volume 3, chapter 9.11.6 says:
+
+ "Note that the microcode update must be aligned on a 16-byte boundary
+ and the size of the microcode update must be 1-KByte granular"
+
+When early-load Intel microcode is loaded from initramfs, userspace tool
+'iucode_tool' has already 16-byte aligned those microcode bits in that
+initramfs image. Image that was created something like this:
+
+ iucode_tool --write-earlyfw=FOO.cpio microcode-files...
+
+However, when early-load Intel microcode is loaded from built-in
+firmware BLOB using CONFIG_EXTRA_FIRMWARE= kernel config option, that
+16-byte alignment is not guaranteed.
+
+Fix this by forcing all built-in firmware BLOBs to 16-byte alignment.
+
+[ If we end up having other firmware with much bigger alignment
+ requirements, we might need to introduce some method for the firmware
+ to specify it, this is the minimal "just increase the alignment a bit
+ to account for this one special case" patch - Linus ]
+
+Signed-off-by: Jari Ruusu
+Cc: Borislav Petkov
+Cc: Fenghua Yu
+Cc: Luis Chamberlain
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ firmware/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/firmware/Makefile
++++ b/firmware/Makefile
+@@ -156,7 +156,7 @@ quiet_cmd_fwbin = MK_FW $@
+ PROGBITS=$(if $(CONFIG_ARM),%,@)progbits; \
+ echo "/* Generated by firmware/Makefile */" > $@;\
+ echo " .section .rodata" >>$@;\
+- echo " .p2align $${ASM_ALIGN}" >>$@;\
++ echo " .p2align 4" >>$@;\
+ echo "_fw_$${FWSTR}_bin:" >>$@;\
+ echo " .incbin \"$(2)\"" >>$@;\
+ echo "_fw_end:" >>$@;\
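Review bot: The new `.p2align 4` is a bare number whose meaning, a 16-byte boundary required by the Intel SDM text quoted in the description, is recorded only in the commit message and not next to the recipe that emits it. A one-line Makefile comment above the `echo` would keep that rationale with the code, e.g. `# .p2align 4 = 16-byte alignment: early-load Intel microcode requires it (SDM vol. 3, 9.11.6)`. With the `$${ASM_ALIGN}` reference gone from this recipe, the variable's definition, which is outside the hunk if it exists, may now be unused and worth removing in a follow-up.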