From: Greg Kroah-Hartman Date: Tue, 17 Sep 2019 12:05:59 +0000 (+0200) Subject: 5.2-stable patches X-Git-Tag: v4.14.145~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b5734c567ce0a712aeb25038789f264a6d2ac90;p=thirdparty%2Fkernel%2Fstable-queue.git 5.2-stable patches added patches: clk-fix-debugfs-clk_possible_parents-for-clks-without-parent-string-names.patch clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch clk-simplify-debugfs-printing-and-add-a-newline.patch driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch drm-meson-add-support-for-xbgr8888-abgr8888-formats.patch kernel-module-fix-mem-leak-in-module_add_modinfo_attrs.patch mt76-fix-a-signedness-bug-in-mt7615_add_interface.patch mt76-mt7615-use-after-free-in-mt7615_mcu_set_bcn.patch mtd-rawnand-mtk-fix-wrongly-assigned-oob-buffer-pointer-issue.patch pci-always-allow-probing-with-driver_override.patch powerpc-add-barrier_nospec-to-raw_copy_in_user.patch ubifs-correctly-use-tnc_next-in-search_dh_cookie.patch x86-boot-use-efi_setup_data-for-searching-rsdp-on-kexec-ed-kernels.patch x86-ima-check-efi-setupmode-too.patch --- diff --git a/queue-5.2/clk-fix-debugfs-clk_possible_parents-for-clks-without-parent-string-names.patch b/queue-5.2/clk-fix-debugfs-clk_possible_parents-for-clks-without-parent-string-names.patch new file mode 100644 index 00000000000..b1dd3177120 --- /dev/null +++ b/queue-5.2/clk-fix-debugfs-clk_possible_parents-for-clks-without-parent-string-names.patch @@ -0,0 +1,85 @@ +From 2d156b78ce8febf15cd58a025d7d9d7b7577126a Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Fri, 3 May 2019 11:15:09 +0800 +Subject: clk: Fix debugfs clk_possible_parents for clks without parent string names + +From: Chen-Yu Tsai + +commit 2d156b78ce8febf15cd58a025d7d9d7b7577126a upstream. + +Following the commit fc0c209c147f ("clk: Allow parents to be specified +without string names"), the parent name string is not always populated. + +Instead, fetch the parents clk_core struct using the appropriate helper, +and read its name directly. If that fails, go through the possible +sources of parent names. The order in which they are used is different +from how parents are looked up, with the global name having precedence +over local fw_name and indices. This makes more sense as a) the +parent_maps structure does not differentiate between legacy global names +and fallback global names, and b) global names likely provide more +information than local fw_names. + +Fixes: fc0c209c147f ("clk: Allow parents to be specified without string names") +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/clk.c | 44 +++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 41 insertions(+), 3 deletions(-) + +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -3023,12 +3023,50 @@ DEFINE_SHOW_ATTRIBUTE(clk_flags); + static int possible_parents_show(struct seq_file *s, void *data) + { + struct clk_core *core = s->private; ++ struct clk_core *parent; + int i; + +- for (i = 0; i < core->num_parents - 1; i++) +- seq_printf(s, "%s ", core->parents[i].name); ++ /* ++ * Go through the following options to fetch a parent's name. ++ * ++ * 1. Fetch the registered parent clock and use its name ++ * 2. Use the global (fallback) name if specified ++ * 3. Use the local fw_name if provided ++ * 4. Fetch parent clock's clock-output-name if DT index was set ++ * ++ * This may still fail in some cases, such as when the parent is ++ * specified directly via a struct clk_hw pointer, but it isn't ++ * registered (yet). ++ */ ++ for (i = 0; i < core->num_parents - 1; i++) { ++ parent = clk_core_get_parent_by_index(core, i); ++ if (parent) ++ seq_printf(s, "%s ", parent->name); ++ else if (core->parents[i].name) ++ seq_printf(s, "%s ", core->parents[i].name); ++ else if (core->parents[i].fw_name) ++ seq_printf(s, "<%s>(fw) ", core->parents[i].fw_name); ++ else if (core->parents[i].index >= 0) ++ seq_printf(s, "%s ", ++ of_clk_get_parent_name(core->of_node, ++ core->parents[i].index)); ++ else ++ seq_puts(s, "(missing) "); ++ } + +- seq_printf(s, "%s\n", core->parents[i].name); ++ parent = clk_core_get_parent_by_index(core, i); ++ if (parent) ++ seq_printf(s, "%s", parent->name); ++ else if (core->parents[i].name) ++ seq_printf(s, "%s", core->parents[i].name); ++ else if (core->parents[i].fw_name) ++ seq_printf(s, "<%s>(fw)", core->parents[i].fw_name); ++ else if (core->parents[i].index >= 0) ++ seq_printf(s, "%s", ++ of_clk_get_parent_name(core->of_node, ++ core->parents[i].index)); ++ else ++ seq_puts(s, "(missing)"); + + return 0; + } diff --git a/queue-5.2/clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch b/queue-5.2/clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch new file mode 100644 index 00000000000..c376492fe69 --- /dev/null +++ b/queue-5.2/clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch @@ -0,0 +1,48 @@ +From 6943b839721ad4a31ad2bacf6e71b21f2dfe3134 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Fri, 3 May 2019 14:22:08 -0700 +Subject: clk: rockchip: Don't yell about bad mmc phases when getting + +From: Douglas Anderson + +commit 6943b839721ad4a31ad2bacf6e71b21f2dfe3134 upstream. + +At boot time, my rk3288-veyron devices yell with 8 lines that look +like this: + [ 0.000000] rockchip_mmc_get_phase: invalid clk rate + +This is because the clock framework at clk_register() time tries to +get the phase but we don't have a parent yet. + +While the errors appear to be harmless they are still ugly and, in +general, we don't want yells like this in the log unless they are +important. + +There's no real reason to be yelling here. We can still return +-EINVAL to indicate that the phase makes no sense without a parent. +If someone really tries to do tuning and the clock is reported as 0 +then we'll see the yells in rockchip_mmc_set_phase(). + +Fixes: 4bf59902b500 ("clk: rockchip: Prevent calculating mmc phase if clock rate is zero") +Signed-off-by: Douglas Anderson +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/rockchip/clk-mmc-phase.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/clk/rockchip/clk-mmc-phase.c ++++ b/drivers/clk/rockchip/clk-mmc-phase.c +@@ -52,10 +52,8 @@ static int rockchip_mmc_get_phase(struct + u32 delay_num = 0; + + /* See the comment for rockchip_mmc_set_phase below */ +- if (!rate) { +- pr_err("%s: invalid clk rate\n", __func__); ++ if (!rate) + return -EINVAL; +- } + + raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift); + diff --git a/queue-5.2/clk-simplify-debugfs-printing-and-add-a-newline.patch b/queue-5.2/clk-simplify-debugfs-printing-and-add-a-newline.patch new file mode 100644 index 00000000000..4cef51b073b --- /dev/null +++ b/queue-5.2/clk-simplify-debugfs-printing-and-add-a-newline.patch @@ -0,0 +1,84 @@ +From 11f6c2307caee89370d7752eb6f404f1ed73faaf Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Mon, 24 Jun 2019 20:01:55 -0700 +Subject: clk: Simplify debugfs printing and add a newline + +From: Stephen Boyd + +commit 11f6c2307caee89370d7752eb6f404f1ed73faaf upstream. + +The possible parent printing function duplicates a bunch of if +conditions. Pull that into another function so we can print an extra +character at the end, either a space or a newline. This way we can add +the required newline that got lost here and also shorten the code. + +Fixes: 2d156b78ce8f ("clk: Fix debugfs clk_possible_parents for clks without parent string names") +Cc: Chen-Yu Tsai +Tested-by: Chen-Yu Tsai +Reviewed-by: Chen-Yu Tsai +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/clk.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -3020,11 +3020,10 @@ static int clk_flags_show(struct seq_fil + } + DEFINE_SHOW_ATTRIBUTE(clk_flags); + +-static int possible_parents_show(struct seq_file *s, void *data) ++static void possible_parent_show(struct seq_file *s, struct clk_core *core, ++ unsigned int i, char terminator) + { +- struct clk_core *core = s->private; + struct clk_core *parent; +- int i; + + /* + * Go through the following options to fetch a parent's name. +@@ -3038,22 +3037,6 @@ static int possible_parents_show(struct + * specified directly via a struct clk_hw pointer, but it isn't + * registered (yet). + */ +- for (i = 0; i < core->num_parents - 1; i++) { +- parent = clk_core_get_parent_by_index(core, i); +- if (parent) +- seq_printf(s, "%s ", parent->name); +- else if (core->parents[i].name) +- seq_printf(s, "%s ", core->parents[i].name); +- else if (core->parents[i].fw_name) +- seq_printf(s, "<%s>(fw) ", core->parents[i].fw_name); +- else if (core->parents[i].index >= 0) +- seq_printf(s, "%s ", +- of_clk_get_parent_name(core->of_node, +- core->parents[i].index)); +- else +- seq_puts(s, "(missing) "); +- } +- + parent = clk_core_get_parent_by_index(core, i); + if (parent) + seq_printf(s, "%s", parent->name); +@@ -3068,6 +3051,19 @@ static int possible_parents_show(struct + else + seq_puts(s, "(missing)"); + ++ seq_putc(s, terminator); ++} ++ ++static int possible_parents_show(struct seq_file *s, void *data) ++{ ++ struct clk_core *core = s->private; ++ int i; ++ ++ for (i = 0; i < core->num_parents - 1; i++) ++ possible_parent_show(s, core, i, ' '); ++ ++ possible_parent_show(s, core, i, '\n'); ++ + return 0; + } + DEFINE_SHOW_ATTRIBUTE(possible_parents); diff --git a/queue-5.2/driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch b/queue-5.2/driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch new file mode 100644 index 00000000000..c487f0798e8 --- /dev/null +++ b/queue-5.2/driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch @@ -0,0 +1,171 @@ +From ac43432cb1f5c2950408534987e57c2071e24d8f Mon Sep 17 00:00:00 2001 +From: Muchun Song +Date: Sat, 27 Jul 2019 11:21:22 +0800 +Subject: driver core: Fix use-after-free and double free on glue directory + +From: Muchun Song + +commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream. + +There is a race condition between removing glue directory and adding a new +device under the glue dir. It can be reproduced in following test: + +CPU1: CPU2: + +device_add() + get_device_parent() + class_dir_create_and_add() + kobject_add_internal() + create_dir() // create glue_dir + + device_add() + get_device_parent() + kobject_get() // get glue_dir + +device_del() + cleanup_glue_dir() + kobject_del(glue_dir) + + kobject_add() + kobject_add_internal() + create_dir() // in glue_dir + sysfs_create_dir_ns() + kernfs_create_dir_ns(sd) + + sysfs_remove_dir() // glue_dir->sd=NULL + sysfs_put() // free glue_dir->sd + + // sd is freed + kernfs_new_node(sd) + kernfs_get(glue_dir) + kernfs_add_one() + kernfs_put() + +Before CPU1 remove last child device under glue dir, if CPU2 add a new +device under glue dir, the glue_dir kobject reference count will be +increase to 2 via kobject_get() in get_device_parent(). And CPU2 has +been called kernfs_create_dir_ns(), but not call kernfs_new_node(). +Meanwhile, CPU1 call sysfs_remove_dir() and sysfs_put(). This result in +glue_dir->sd is freed and it's reference count will be 0. Then CPU2 call +kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase +it's reference count to 1. Because glue_dir->sd is freed by CPU1, the next +call kernfs_add_one() by CPU2 will fail(This is also use-after-free) +and call kernfs_put() to decrease reference count. Because the reference +count is decremented to 0, it will also call kmem_cache_free() to free +the glue_dir->sd again. This will result in double free. + +In order to avoid this happening, we also should make sure that kernfs_node +for glue_dir is released in CPU1 only when refcount for glue_dir kobj is +1 to fix this race. + +The following calltrace is captured in kernel 4.14 with the following patch +applied: + +commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier") + +-------------------------------------------------------------------------- +[ 3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494 + Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get(). +.... +[ 3.633986] Call trace: +[ 3.633991] kernfs_create_dir_ns+0xa8/0xb0 +[ 3.633994] sysfs_create_dir_ns+0x54/0xe8 +[ 3.634001] kobject_add_internal+0x22c/0x3f0 +[ 3.634005] kobject_add+0xe4/0x118 +[ 3.634011] device_add+0x200/0x870 +[ 3.634017] _request_firmware+0x958/0xc38 +[ 3.634020] request_firmware_into_buf+0x4c/0x70 +.... +[ 3.634064] kernel BUG at .../mm/slub.c:294! + Here is BUG_ON(object == fp) in set_freepointer(). +.... +[ 3.634346] Call trace: +[ 3.634351] kmem_cache_free+0x504/0x6b8 +[ 3.634355] kernfs_put+0x14c/0x1d8 +[ 3.634359] kernfs_create_dir_ns+0x88/0xb0 +[ 3.634362] sysfs_create_dir_ns+0x54/0xe8 +[ 3.634366] kobject_add_internal+0x22c/0x3f0 +[ 3.634370] kobject_add+0xe4/0x118 +[ 3.634374] device_add+0x200/0x870 +[ 3.634378] _request_firmware+0x958/0xc38 +[ 3.634381] request_firmware_into_buf+0x4c/0x70 +-------------------------------------------------------------------------- + +Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier") +Signed-off-by: Muchun Song +Reviewed-by: Mukesh Ojha +Signed-off-by: Prateek Sood +Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/core.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 52 insertions(+), 1 deletion(-) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -1820,12 +1820,63 @@ static inline struct kobject *get_glue_d + */ + static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir) + { ++ unsigned int ref; ++ + /* see if we live in a "glue" directory */ + if (!live_in_glue_dir(glue_dir, dev)) + return; + + mutex_lock(&gdp_mutex); +- if (!kobject_has_children(glue_dir)) ++ /** ++ * There is a race condition between removing glue directory ++ * and adding a new device under the glue directory. ++ * ++ * CPU1: CPU2: ++ * ++ * device_add() ++ * get_device_parent() ++ * class_dir_create_and_add() ++ * kobject_add_internal() ++ * create_dir() // create glue_dir ++ * ++ * device_add() ++ * get_device_parent() ++ * kobject_get() // get glue_dir ++ * ++ * device_del() ++ * cleanup_glue_dir() ++ * kobject_del(glue_dir) ++ * ++ * kobject_add() ++ * kobject_add_internal() ++ * create_dir() // in glue_dir ++ * sysfs_create_dir_ns() ++ * kernfs_create_dir_ns(sd) ++ * ++ * sysfs_remove_dir() // glue_dir->sd=NULL ++ * sysfs_put() // free glue_dir->sd ++ * ++ * // sd is freed ++ * kernfs_new_node(sd) ++ * kernfs_get(glue_dir) ++ * kernfs_add_one() ++ * kernfs_put() ++ * ++ * Before CPU1 remove last child device under glue dir, if CPU2 add ++ * a new device under glue dir, the glue_dir kobject reference count ++ * will be increase to 2 in kobject_get(k). And CPU2 has been called ++ * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir() ++ * and sysfs_put(). This result in glue_dir->sd is freed. ++ * ++ * Then the CPU2 will see a stale "empty" but still potentially used ++ * glue dir around in kernfs_new_node(). ++ * ++ * In order to avoid this happening, we also should make sure that ++ * kernfs_node for glue_dir is released in CPU1 only when refcount ++ * for glue_dir kobj is 1. ++ */ ++ ref = kref_read(&glue_dir->kref); ++ if (!kobject_has_children(glue_dir) && !--ref) + kobject_del(glue_dir); + kobject_put(glue_dir); + mutex_unlock(&gdp_mutex); diff --git a/queue-5.2/drm-meson-add-support-for-xbgr8888-abgr8888-formats.patch b/queue-5.2/drm-meson-add-support-for-xbgr8888-abgr8888-formats.patch new file mode 100644 index 00000000000..acd64a0d3fb --- /dev/null +++ b/queue-5.2/drm-meson-add-support-for-xbgr8888-abgr8888-formats.patch @@ -0,0 +1,61 @@ +From 5ffff4415f9eeae834960226770963e2947e17eb Mon Sep 17 00:00:00 2001 +From: Neil Armstrong +Date: Mon, 29 Apr 2019 09:52:38 +0200 +Subject: drm/meson: Add support for XBGR8888 & ABGR8888 formats + +From: Neil Armstrong + +commit 5ffff4415f9eeae834960226770963e2947e17eb upstream. + +Add missing XBGR8888 & ABGR8888 formats variants from the primary plane. + +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Signed-off-by: Neil Armstrong +Reviewed-by: Kevin Hilman +Link: https://patchwork.freedesktop.org/patch/msgid/20190429075238.7884-1-narmstrong@baylibre.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/meson/meson_plane.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/gpu/drm/meson/meson_plane.c ++++ b/drivers/gpu/drm/meson/meson_plane.c +@@ -153,6 +153,13 @@ static void meson_plane_atomic_update(st + priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 | + OSD_COLOR_MATRIX_32_ARGB; + break; ++ case DRM_FORMAT_XBGR8888: ++ /* For XRGB, replace the pixel's alpha by 0xFF */ ++ writel_bits_relaxed(OSD_REPLACE_EN, OSD_REPLACE_EN, ++ priv->io_base + _REG(VIU_OSD1_CTRL_STAT2)); ++ priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 | ++ OSD_COLOR_MATRIX_32_ABGR; ++ break; + case DRM_FORMAT_ARGB8888: + /* For ARGB, use the pixel's alpha */ + writel_bits_relaxed(OSD_REPLACE_EN, 0, +@@ -160,6 +167,13 @@ static void meson_plane_atomic_update(st + priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 | + OSD_COLOR_MATRIX_32_ARGB; + break; ++ case DRM_FORMAT_ABGR8888: ++ /* For ARGB, use the pixel's alpha */ ++ writel_bits_relaxed(OSD_REPLACE_EN, 0, ++ priv->io_base + _REG(VIU_OSD1_CTRL_STAT2)); ++ priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 | ++ OSD_COLOR_MATRIX_32_ABGR; ++ break; + case DRM_FORMAT_RGB888: + priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_24 | + OSD_COLOR_MATRIX_24_RGB; +@@ -346,7 +360,9 @@ static const struct drm_plane_funcs meso + + static const uint32_t supported_drm_formats[] = { + DRM_FORMAT_ARGB8888, ++ DRM_FORMAT_ABGR8888, + DRM_FORMAT_XRGB8888, ++ DRM_FORMAT_XBGR8888, + DRM_FORMAT_RGB888, + DRM_FORMAT_RGB565, + }; diff --git a/queue-5.2/kernel-module-fix-mem-leak-in-module_add_modinfo_attrs.patch b/queue-5.2/kernel-module-fix-mem-leak-in-module_add_modinfo_attrs.patch new file mode 100644 index 00000000000..ff501b3f2a2 --- /dev/null +++ b/queue-5.2/kernel-module-fix-mem-leak-in-module_add_modinfo_attrs.patch @@ -0,0 +1,98 @@ +From bc6f2a757d525e001268c3658bd88822e768f8db Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Tue, 11 Jun 2019 23:00:07 +0800 +Subject: kernel/module: Fix mem leak in module_add_modinfo_attrs + +From: YueHaibing + +commit bc6f2a757d525e001268c3658bd88822e768f8db upstream. + +In module_add_modinfo_attrs if sysfs_create_file +fails, we forget to free allocated modinfo_attrs +and roll back the sysfs files. + +Fixes: 03e88ae1b13d ("[PATCH] fix module sysfs files reference counting") +Reviewed-by: Miroslav Benes +Signed-off-by: YueHaibing +Signed-off-by: Jessica Yu +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/module.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -1697,6 +1697,8 @@ static int add_usage_links(struct module + return ret; + } + ++static void module_remove_modinfo_attrs(struct module *mod, int end); ++ + static int module_add_modinfo_attrs(struct module *mod) + { + struct module_attribute *attr; +@@ -1711,24 +1713,34 @@ static int module_add_modinfo_attrs(stru + return -ENOMEM; + + temp_attr = mod->modinfo_attrs; +- for (i = 0; (attr = modinfo_attrs[i]) && !error; i++) { ++ for (i = 0; (attr = modinfo_attrs[i]); i++) { + if (!attr->test || attr->test(mod)) { + memcpy(temp_attr, attr, sizeof(*temp_attr)); + sysfs_attr_init(&temp_attr->attr); + error = sysfs_create_file(&mod->mkobj.kobj, + &temp_attr->attr); ++ if (error) ++ goto error_out; + ++temp_attr; + } + } ++ ++ return 0; ++ ++error_out: ++ if (i > 0) ++ module_remove_modinfo_attrs(mod, --i); + return error; + } + +-static void module_remove_modinfo_attrs(struct module *mod) ++static void module_remove_modinfo_attrs(struct module *mod, int end) + { + struct module_attribute *attr; + int i; + + for (i = 0; (attr = &mod->modinfo_attrs[i]); i++) { ++ if (end >= 0 && i > end) ++ break; + /* pick a field to test for end of list */ + if (!attr->attr.name) + break; +@@ -1816,7 +1828,7 @@ static int mod_sysfs_setup(struct module + return 0; + + out_unreg_modinfo_attrs: +- module_remove_modinfo_attrs(mod); ++ module_remove_modinfo_attrs(mod, -1); + out_unreg_param: + module_param_sysfs_remove(mod); + out_unreg_holders: +@@ -1852,7 +1864,7 @@ static void mod_sysfs_fini(struct module + { + } + +-static void module_remove_modinfo_attrs(struct module *mod) ++static void module_remove_modinfo_attrs(struct module *mod, int end) + { + } + +@@ -1868,7 +1880,7 @@ static void init_param_lock(struct modul + static void mod_sysfs_teardown(struct module *mod) + { + del_usage_links(mod); +- module_remove_modinfo_attrs(mod); ++ module_remove_modinfo_attrs(mod, -1); + module_param_sysfs_remove(mod); + kobject_put(mod->mkobj.drivers_dir); + kobject_put(mod->holders_dir); diff --git a/queue-5.2/mt76-fix-a-signedness-bug-in-mt7615_add_interface.patch b/queue-5.2/mt76-fix-a-signedness-bug-in-mt7615_add_interface.patch new file mode 100644 index 00000000000..7b12f1f6cf0 --- /dev/null +++ b/queue-5.2/mt76-fix-a-signedness-bug-in-mt7615_add_interface.patch @@ -0,0 +1,39 @@ +From b1571a0e77d8cef14227af293c6dda1464a57270 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 3 May 2019 15:54:36 +0300 +Subject: mt76: Fix a signedness bug in mt7615_add_interface() + +From: Dan Carpenter + +commit b1571a0e77d8cef14227af293c6dda1464a57270 upstream. + +The problem is that "mvif->omac_idx" is a u8 so it can't be negative +and the error handling won't work. The get_omac_idx() function returns +-1 on error. + +Fixes: 04b8e65922f6 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets") +Signed-off-by: Dan Carpenter +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mediatek/mt76/mt7615/main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c +@@ -77,11 +77,12 @@ static int mt7615_add_interface(struct i + goto out; + } + +- mvif->omac_idx = get_omac_idx(vif->type, dev->omac_mask); +- if (mvif->omac_idx < 0) { ++ idx = get_omac_idx(vif->type, dev->omac_mask); ++ if (idx < 0) { + ret = -ENOSPC; + goto out; + } ++ mvif->omac_idx = idx; + + /* TODO: DBDC support. Use band 0 and wmm 0 for now */ + mvif->band_idx = 0; diff --git a/queue-5.2/mt76-mt7615-use-after-free-in-mt7615_mcu_set_bcn.patch b/queue-5.2/mt76-mt7615-use-after-free-in-mt7615_mcu_set_bcn.patch new file mode 100644 index 00000000000..f93f33f81a3 --- /dev/null +++ b/queue-5.2/mt76-mt7615-use-after-free-in-mt7615_mcu_set_bcn.patch @@ -0,0 +1,44 @@ +From 9db1aec0c2d72a3b7b115ba56e8dbb5b46855333 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 3 May 2019 16:09:13 +0300 +Subject: mt76: mt7615: Use after free in mt7615_mcu_set_bcn() + +From: Dan Carpenter + +commit 9db1aec0c2d72a3b7b115ba56e8dbb5b46855333 upstream. + +We dereference "skb" when we assign: + + req.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len); + ^^^^^^^^ +So this patch just moves the dev_kfree_skb() down a bit to avoid the +use after free. + +Fixes: 04b8e65922f6 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets") +Signed-off-by: Dan Carpenter +Acked-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +@@ -1270,7 +1270,6 @@ int mt7615_mcu_set_bcn(struct mt7615_dev + mt7615_mac_write_txwi(dev, (__le32 *)(req.pkt), skb, wcid, NULL, + 0, NULL); + memcpy(req.pkt + MT_TXD_SIZE, skb->data, skb->len); +- dev_kfree_skb(skb); + + req.omac_idx = mvif->omac_idx; + req.enable = en; +@@ -1281,6 +1280,7 @@ int mt7615_mcu_set_bcn(struct mt7615_dev + req.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len); + req.tim_ie_pos = cpu_to_le16(MT_TXD_SIZE + tim_off); + ++ dev_kfree_skb(skb); + skb = mt7615_mcu_msg_alloc(&req, sizeof(req)); + + return mt7615_mcu_msg_send(dev, skb, MCU_EXT_CMD_BCN_OFFLOAD, diff --git a/queue-5.2/mtd-rawnand-mtk-fix-wrongly-assigned-oob-buffer-pointer-issue.patch b/queue-5.2/mtd-rawnand-mtk-fix-wrongly-assigned-oob-buffer-pointer-issue.patch new file mode 100644 index 00000000000..9c6b8c7b92c --- /dev/null +++ b/queue-5.2/mtd-rawnand-mtk-fix-wrongly-assigned-oob-buffer-pointer-issue.patch @@ -0,0 +1,84 @@ +From 336d4b138be2dad372b67a2388e42805c48aaa38 Mon Sep 17 00:00:00 2001 +From: Xiaolei Li +Date: Tue, 7 May 2019 18:25:41 +0800 +Subject: mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue + +From: Xiaolei Li + +commit 336d4b138be2dad372b67a2388e42805c48aaa38 upstream. + +One main goal of the function mtk_nfc_update_ecc_stats is to check +whether sectors are all empty. If they are empty, set these sectors's +data buffer and OOB buffer as 0xff. + +But now, the sector OOB buffer pointer is wrongly assigned. We always +do memset from sector 0. + +To fix this issue, pass start sector number to make OOB buffer pointer +be properly assigned. + +Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device") +Signed-off-by: Xiaolei Li +Reviewed-by: Miquel Raynal +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/raw/mtk_nand.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +--- a/drivers/mtd/nand/raw/mtk_nand.c ++++ b/drivers/mtd/nand/raw/mtk_nand.c +@@ -853,19 +853,21 @@ static int mtk_nfc_write_oob_std(struct + return mtk_nfc_write_page_raw(chip, NULL, 1, page); + } + +-static int mtk_nfc_update_ecc_stats(struct mtd_info *mtd, u8 *buf, u32 sectors) ++static int mtk_nfc_update_ecc_stats(struct mtd_info *mtd, u8 *buf, u32 start, ++ u32 sectors) + { + struct nand_chip *chip = mtd_to_nand(mtd); + struct mtk_nfc *nfc = nand_get_controller_data(chip); + struct mtk_nfc_nand_chip *mtk_nand = to_mtk_nand(chip); + struct mtk_ecc_stats stats; ++ u32 reg_size = mtk_nand->fdm.reg_size; + int rc, i; + + rc = nfi_readl(nfc, NFI_STA) & STA_EMP_PAGE; + if (rc) { + memset(buf, 0xff, sectors * chip->ecc.size); + for (i = 0; i < sectors; i++) +- memset(oob_ptr(chip, i), 0xff, mtk_nand->fdm.reg_size); ++ memset(oob_ptr(chip, start + i), 0xff, reg_size); + return 0; + } + +@@ -885,7 +887,7 @@ static int mtk_nfc_read_subpage(struct m + u32 spare = mtk_nand->spare_per_sector; + u32 column, sectors, start, end, reg; + dma_addr_t addr; +- int bitflips; ++ int bitflips = 0; + size_t len; + u8 *buf; + int rc; +@@ -952,14 +954,11 @@ static int mtk_nfc_read_subpage(struct m + if (rc < 0) { + dev_err(nfc->dev, "subpage done timeout\n"); + bitflips = -EIO; +- } else { +- bitflips = 0; +- if (!raw) { +- rc = mtk_ecc_wait_done(nfc->ecc, ECC_DECODE); +- bitflips = rc < 0 ? -ETIMEDOUT : +- mtk_nfc_update_ecc_stats(mtd, buf, sectors); +- mtk_nfc_read_fdm(chip, start, sectors); +- } ++ } else if (!raw) { ++ rc = mtk_ecc_wait_done(nfc->ecc, ECC_DECODE); ++ bitflips = rc < 0 ? -ETIMEDOUT : ++ mtk_nfc_update_ecc_stats(mtd, buf, start, sectors); ++ mtk_nfc_read_fdm(chip, start, sectors); + } + + dma_unmap_single(nfc->dev, addr, len, DMA_FROM_DEVICE); diff --git a/queue-5.2/pci-always-allow-probing-with-driver_override.patch b/queue-5.2/pci-always-allow-probing-with-driver_override.patch new file mode 100644 index 00000000000..a55fd793cbd --- /dev/null +++ b/queue-5.2/pci-always-allow-probing-with-driver_override.patch @@ -0,0 +1,51 @@ +From 2d2f4273cbe9058d1f5a518e5e880d27d7b3b30f Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Thu, 9 May 2019 13:27:22 -0600 +Subject: PCI: Always allow probing with driver_override + +From: Alex Williamson + +commit 2d2f4273cbe9058d1f5a518e5e880d27d7b3b30f upstream. + +Commit 0e7df22401a3 ("PCI: Add sysfs sriov_drivers_autoprobe to control +VF driver binding") introduced the sriov_drivers_autoprobe attribute +which allows users to prevent the kernel from automatically probing a +driver for new VFs as they are created. This allows VFs to be spawned +without automatically binding the new device to a host driver, such as +in cases where the user intends to use the device only with a meta +driver like vfio-pci. However, the current implementation prevents any +use of drivers_probe with the VF while sriov_drivers_autoprobe=0. This +blocks the now current general practice of setting driver_override +followed by using drivers_probe to bind a device to a specified driver. + +The kernel never automatically sets a driver_override therefore it seems +we can assume a driver_override reflects the intent of the user. Also, +probing a device using a driver_override match seems outside the scope +of the 'auto' part of sriov_drivers_autoprobe. Therefore, let's allow +driver_override matches regardless of sriov_drivers_autoprobe, which we +can do by simply testing if a driver_override is set for a device as a +'can probe' condition. + +Fixes: 0e7df22401a3 ("PCI: Add sysfs sriov_drivers_autoprobe to control VF driver binding") +Link: https://lore.kernel.org/lkml/155742996741.21878.569845487290798703.stgit@gimli.home +Link: https://lore.kernel.org/linux-pci/155672991496.20698.4279330795743262888.stgit@gimli.home/T/#u +Signed-off-by: Alex Williamson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci-driver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -399,7 +399,8 @@ void __weak pcibios_free_irq(struct pci_ + #ifdef CONFIG_PCI_IOV + static inline bool pci_device_can_probe(struct pci_dev *pdev) + { +- return (!pdev->is_virtfn || pdev->physfn->sriov->drivers_autoprobe); ++ return (!pdev->is_virtfn || pdev->physfn->sriov->drivers_autoprobe || ++ pdev->driver_override); + } + #else + static inline bool pci_device_can_probe(struct pci_dev *pdev) diff --git a/queue-5.2/powerpc-add-barrier_nospec-to-raw_copy_in_user.patch b/queue-5.2/powerpc-add-barrier_nospec-to-raw_copy_in_user.patch new file mode 100644 index 00000000000..d4015278e27 --- /dev/null +++ b/queue-5.2/powerpc-add-barrier_nospec-to-raw_copy_in_user.patch @@ -0,0 +1,37 @@ +From 6fbcdd59094ade30db63f32316e9502425d7b256 Mon Sep 17 00:00:00 2001 +From: Suraj Jitindar Singh +Date: Wed, 6 Mar 2019 12:10:38 +1100 +Subject: powerpc: Add barrier_nospec to raw_copy_in_user() + +From: Suraj Jitindar Singh + +commit 6fbcdd59094ade30db63f32316e9502425d7b256 upstream. + +Commit ddf35cf3764b ("powerpc: Use barrier_nospec in copy_from_user()") +Added barrier_nospec before loading from user-controlled pointers. The +intention was to order the load from the potentially user-controlled +pointer vs a previous branch based on an access_ok() check or similar. + +In order to achieve the same result, add a barrier_nospec to the +raw_copy_in_user() function before loading from such a user-controlled +pointer. + +Fixes: ddf35cf3764b ("powerpc: Use barrier_nospec in copy_from_user()") +Signed-off-by: Suraj Jitindar Singh +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/uaccess.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/include/asm/uaccess.h ++++ b/arch/powerpc/include/asm/uaccess.h +@@ -312,6 +312,7 @@ raw_copy_in_user(void __user *to, const + { + unsigned long ret; + ++ barrier_nospec(); + allow_user_access(to, from, n); + ret = __copy_tofrom_user(to, from, n); + prevent_user_access(to, from, n); diff --git a/queue-5.2/series b/queue-5.2/series index b0973174980..6ec9fc03761 100644 --- a/queue-5.2/series +++ b/queue-5.2/series @@ -46,3 +46,17 @@ kvm-x86-work-around-leak-of-uninitialized-stack-contents.patch kvm-x86-mmu-reintroduce-fast-invalidate-zap-for-flushing-memslot.patch kvm-nvmx-handle-page-fault-in-vmread.patch x86-purgatory-change-compiler-flags-from-mcmodel-kernel-to-mcmodel-large-to-fix-kexec-relocation-errors.patch +powerpc-add-barrier_nospec-to-raw_copy_in_user.patch +kernel-module-fix-mem-leak-in-module_add_modinfo_attrs.patch +x86-boot-use-efi_setup_data-for-searching-rsdp-on-kexec-ed-kernels.patch +x86-ima-check-efi-setupmode-too.patch +drm-meson-add-support-for-xbgr8888-abgr8888-formats.patch +clk-fix-debugfs-clk_possible_parents-for-clks-without-parent-string-names.patch +clk-simplify-debugfs-printing-and-add-a-newline.patch +mt76-fix-a-signedness-bug-in-mt7615_add_interface.patch +mt76-mt7615-use-after-free-in-mt7615_mcu_set_bcn.patch +clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch +mtd-rawnand-mtk-fix-wrongly-assigned-oob-buffer-pointer-issue.patch +pci-always-allow-probing-with-driver_override.patch +ubifs-correctly-use-tnc_next-in-search_dh_cookie.patch +driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch diff --git a/queue-5.2/ubifs-correctly-use-tnc_next-in-search_dh_cookie.patch b/queue-5.2/ubifs-correctly-use-tnc_next-in-search_dh_cookie.patch new file mode 100644 index 00000000000..d6b3821c20b --- /dev/null +++ b/queue-5.2/ubifs-correctly-use-tnc_next-in-search_dh_cookie.patch @@ -0,0 +1,85 @@ +From bacfa94b08027b9f66ede7044972e3b066766b3e Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 14 May 2019 22:31:08 +0200 +Subject: ubifs: Correctly use tnc_next() in search_dh_cookie() + +From: Richard Weinberger + +commit bacfa94b08027b9f66ede7044972e3b066766b3e upstream. + +Commit c877154d307f fixed an uninitialized variable and optimized +the function to not call tnc_next() in the first iteration of the +loop. While this seemed perfectly legit and wise, it turned out to +be illegal. +If the lookup function does not find an exact match it will rewind +the cursor by 1. +The rewinded cursor will not match the name hash we are looking for +and this results in a spurious -ENOENT. +So we need to move to the next entry in case of an non-exact match, +but not if the match was exact. + +While we are here, update the documentation to avoid further confusion. + +Cc: Hyunchul Lee +Cc: Geert Uytterhoeven +Fixes: c877154d307f ("ubifs: Fix uninitialized variable in search_dh_cookie()") +Fixes: 781f675e2d7e ("ubifs: Fix unlink code wrt. double hash lookups") +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/tnc.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/fs/ubifs/tnc.c ++++ b/fs/ubifs/tnc.c +@@ -1158,8 +1158,8 @@ static struct ubifs_znode *dirty_cow_bot + * o exact match, i.e. the found zero-level znode contains key @key, then %1 + * is returned and slot number of the matched branch is stored in @n; + * o not exact match, which means that zero-level znode does not contain +- * @key, then %0 is returned and slot number of the closest branch is stored +- * in @n; ++ * @key, then %0 is returned and slot number of the closest branch or %-1 ++ * is stored in @n; In this case calling tnc_next() is mandatory. + * o @key is so small that it is even less than the lowest key of the + * leftmost zero-level node, then %0 is returned and %0 is stored in @n. + * +@@ -1882,13 +1882,19 @@ int ubifs_tnc_lookup_nm(struct ubifs_inf + + static int search_dh_cookie(struct ubifs_info *c, const union ubifs_key *key, + struct ubifs_dent_node *dent, uint32_t cookie, +- struct ubifs_znode **zn, int *n) ++ struct ubifs_znode **zn, int *n, int exact) + { + int err; + struct ubifs_znode *znode = *zn; + struct ubifs_zbranch *zbr; + union ubifs_key *dkey; + ++ if (!exact) { ++ err = tnc_next(c, &znode, n); ++ if (err) ++ return err; ++ } ++ + for (;;) { + zbr = &znode->zbranch[*n]; + dkey = &zbr->key; +@@ -1930,7 +1936,7 @@ static int do_lookup_dh(struct ubifs_inf + if (unlikely(err < 0)) + goto out_unlock; + +- err = search_dh_cookie(c, key, dent, cookie, &znode, &n); ++ err = search_dh_cookie(c, key, dent, cookie, &znode, &n, err); + + out_unlock: + mutex_unlock(&c->tnc_mutex); +@@ -2723,7 +2729,7 @@ int ubifs_tnc_remove_dh(struct ubifs_inf + if (unlikely(err < 0)) + goto out_free; + +- err = search_dh_cookie(c, key, dent, cookie, &znode, &n); ++ err = search_dh_cookie(c, key, dent, cookie, &znode, &n, err); + if (err) + goto out_free; + } diff --git a/queue-5.2/x86-boot-use-efi_setup_data-for-searching-rsdp-on-kexec-ed-kernels.patch b/queue-5.2/x86-boot-use-efi_setup_data-for-searching-rsdp-on-kexec-ed-kernels.patch new file mode 100644 index 00000000000..2ca94b93d2b --- /dev/null +++ b/queue-5.2/x86-boot-use-efi_setup_data-for-searching-rsdp-on-kexec-ed-kernels.patch @@ -0,0 +1,224 @@ +From 0a23ebc66a46786769dd68bfdaa3102345819b9c Mon Sep 17 00:00:00 2001 +From: Junichi Nomura +Date: Thu, 11 Apr 2019 15:49:32 +0200 +Subject: x86/boot: Use efi_setup_data for searching RSDP on kexec-ed kernels + +From: Junichi Nomura + +commit 0a23ebc66a46786769dd68bfdaa3102345819b9c upstream. + +Commit + + 3a63f70bf4c3a ("x86/boot: Early parse RSDP and save it in boot_params") + +broke kexec boot on EFI systems. efi_get_rsdp_addr() in the early +parsing code tries to search RSDP from the EFI tables but that will +crash because the table address is virtual when the kernel was booted by +kexec (set_virtual_address_map() has run in the first kernel and cannot +be run again in the second kernel). + +In the case of kexec, the physical address of EFI tables is provided via +efi_setup_data in boot_params, which is set up by kexec(1). + +Factor out the table parsing code and use different pointers depending +on whether the kernel is booted by kexec or not. + + [ bp: Massage. ] + +Fixes: 3a63f70bf4c3a ("x86/boot: Early parse RSDP and save it in boot_params") +Signed-off-by: Jun'ichi Nomura +Signed-off-by: Borislav Petkov +Tested-by: Dirk van der Merwe +Cc: Chao Fan +Cc: Dave Young +Link: https://lkml.kernel.org/r/20190408231011.GA5402@jeru.linux.bs1.fc.nec.co.jp +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/boot/compressed/acpi.c | 143 +++++++++++++++++++++++++++++----------- + 1 file changed, 107 insertions(+), 36 deletions(-) + +--- a/arch/x86/boot/compressed/acpi.c ++++ b/arch/x86/boot/compressed/acpi.c +@@ -44,17 +44,109 @@ static acpi_physical_address get_acpi_rs + return addr; + } + +-/* Search EFI system tables for RSDP. */ +-static acpi_physical_address efi_get_rsdp_addr(void) ++/* ++ * Search EFI system tables for RSDP. If both ACPI_20_TABLE_GUID and ++ * ACPI_TABLE_GUID are found, take the former, which has more features. ++ */ ++static acpi_physical_address ++__efi_get_rsdp_addr(unsigned long config_tables, unsigned int nr_tables, ++ bool efi_64) + { + acpi_physical_address rsdp_addr = 0; + + #ifdef CONFIG_EFI +- unsigned long systab, systab_tables, config_tables; ++ int i; ++ ++ /* Get EFI tables from systab. */ ++ for (i = 0; i < nr_tables; i++) { ++ acpi_physical_address table; ++ efi_guid_t guid; ++ ++ if (efi_64) { ++ efi_config_table_64_t *tbl = (efi_config_table_64_t *)config_tables + i; ++ ++ guid = tbl->guid; ++ table = tbl->table; ++ ++ if (!IS_ENABLED(CONFIG_X86_64) && table >> 32) { ++ debug_putstr("Error getting RSDP address: EFI config table located above 4GB.\n"); ++ return 0; ++ } ++ } else { ++ efi_config_table_32_t *tbl = (efi_config_table_32_t *)config_tables + i; ++ ++ guid = tbl->guid; ++ table = tbl->table; ++ } ++ ++ if (!(efi_guidcmp(guid, ACPI_TABLE_GUID))) ++ rsdp_addr = table; ++ else if (!(efi_guidcmp(guid, ACPI_20_TABLE_GUID))) ++ return table; ++ } ++#endif ++ return rsdp_addr; ++} ++ ++/* EFI/kexec support is 64-bit only. */ ++#ifdef CONFIG_X86_64 ++static struct efi_setup_data *get_kexec_setup_data_addr(void) ++{ ++ struct setup_data *data; ++ u64 pa_data; ++ ++ pa_data = boot_params->hdr.setup_data; ++ while (pa_data) { ++ data = (struct setup_data *)pa_data; ++ if (data->type == SETUP_EFI) ++ return (struct efi_setup_data *)(pa_data + sizeof(struct setup_data)); ++ ++ pa_data = data->next; ++ } ++ return NULL; ++} ++ ++static acpi_physical_address kexec_get_rsdp_addr(void) ++{ ++ efi_system_table_64_t *systab; ++ struct efi_setup_data *esd; ++ struct efi_info *ei; ++ char *sig; ++ ++ esd = (struct efi_setup_data *)get_kexec_setup_data_addr(); ++ if (!esd) ++ return 0; ++ ++ if (!esd->tables) { ++ debug_putstr("Wrong kexec SETUP_EFI data.\n"); ++ return 0; ++ } ++ ++ ei = &boot_params->efi_info; ++ sig = (char *)&ei->efi_loader_signature; ++ if (strncmp(sig, EFI64_LOADER_SIGNATURE, 4)) { ++ debug_putstr("Wrong kexec EFI loader signature.\n"); ++ return 0; ++ } ++ ++ /* Get systab from boot params. */ ++ systab = (efi_system_table_64_t *) (ei->efi_systab | ((__u64)ei->efi_systab_hi << 32)); ++ if (!systab) ++ error("EFI system table not found in kexec boot_params."); ++ ++ return __efi_get_rsdp_addr((unsigned long)esd->tables, systab->nr_tables, true); ++} ++#else ++static acpi_physical_address kexec_get_rsdp_addr(void) { return 0; } ++#endif /* CONFIG_X86_64 */ ++ ++static acpi_physical_address efi_get_rsdp_addr(void) ++{ ++#ifdef CONFIG_EFI ++ unsigned long systab, config_tables; + unsigned int nr_tables; + struct efi_info *ei; + bool efi_64; +- int size, i; + char *sig; + + ei = &boot_params->efi_info; +@@ -88,49 +180,20 @@ static acpi_physical_address efi_get_rsd + + config_tables = stbl->tables; + nr_tables = stbl->nr_tables; +- size = sizeof(efi_config_table_64_t); + } else { + efi_system_table_32_t *stbl = (efi_system_table_32_t *)systab; + + config_tables = stbl->tables; + nr_tables = stbl->nr_tables; +- size = sizeof(efi_config_table_32_t); + } + + if (!config_tables) + error("EFI config tables not found."); + +- /* Get EFI tables from systab. */ +- for (i = 0; i < nr_tables; i++) { +- acpi_physical_address table; +- efi_guid_t guid; +- +- config_tables += size; +- +- if (efi_64) { +- efi_config_table_64_t *tbl = (efi_config_table_64_t *)config_tables; +- +- guid = tbl->guid; +- table = tbl->table; +- +- if (!IS_ENABLED(CONFIG_X86_64) && table >> 32) { +- debug_putstr("Error getting RSDP address: EFI config table located above 4GB.\n"); +- return 0; +- } +- } else { +- efi_config_table_32_t *tbl = (efi_config_table_32_t *)config_tables; +- +- guid = tbl->guid; +- table = tbl->table; +- } +- +- if (!(efi_guidcmp(guid, ACPI_TABLE_GUID))) +- rsdp_addr = table; +- else if (!(efi_guidcmp(guid, ACPI_20_TABLE_GUID))) +- return table; +- } ++ return __efi_get_rsdp_addr(config_tables, nr_tables, efi_64); ++#else ++ return 0; + #endif +- return rsdp_addr; + } + + static u8 compute_checksum(u8 *buffer, u32 length) +@@ -220,6 +283,14 @@ acpi_physical_address get_rsdp_addr(void + if (!pa) + pa = boot_params->acpi_rsdp_addr; + ++ /* ++ * Try to get EFI data from setup_data. This can happen when we're a ++ * kexec'ed kernel and kexec(1) has passed all the required EFI info to ++ * us. ++ */ ++ if (!pa) ++ pa = kexec_get_rsdp_addr(); ++ + if (!pa) + pa = efi_get_rsdp_addr(); + diff --git a/queue-5.2/x86-ima-check-efi-setupmode-too.patch b/queue-5.2/x86-ima-check-efi-setupmode-too.patch new file mode 100644 index 00000000000..fa85613f580 --- /dev/null +++ b/queue-5.2/x86-ima-check-efi-setupmode-too.patch @@ -0,0 +1,51 @@ +From 980ef4d22a95a3cd84a9b8ffaa7b81b391d173c6 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Wed, 24 Apr 2019 13:05:46 -0400 +Subject: x86/ima: check EFI SetupMode too + +From: Mimi Zohar + +commit 980ef4d22a95a3cd84a9b8ffaa7b81b391d173c6 upstream. + +Checking "SecureBoot" mode is not sufficient, also check "SetupMode". + +Fixes: 399574c64eaf ("x86/ima: retry detecting secure boot mode") +Reported-by: Matthew Garrett +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/ima_arch.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/ima_arch.c ++++ b/arch/x86/kernel/ima_arch.c +@@ -11,10 +11,11 @@ extern struct boot_params boot_params; + static enum efi_secureboot_mode get_sb_mode(void) + { + efi_char16_t efi_SecureBoot_name[] = L"SecureBoot"; ++ efi_char16_t efi_SetupMode_name[] = L"SecureBoot"; + efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; + efi_status_t status; + unsigned long size; +- u8 secboot; ++ u8 secboot, setupmode; + + size = sizeof(secboot); + +@@ -36,7 +37,14 @@ static enum efi_secureboot_mode get_sb_m + return efi_secureboot_mode_unknown; + } + +- if (secboot == 0) { ++ size = sizeof(setupmode); ++ status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid, ++ NULL, &size, &setupmode); ++ ++ if (status != EFI_SUCCESS) /* ignore unknown SetupMode */ ++ setupmode = 0; ++ ++ if (secboot == 0 || setupmode == 1) { + pr_info("ima: secureboot mode disabled\n"); + return efi_secureboot_mode_disabled; + }