From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 14 Apr 2022 11:04:17 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v4.19.238~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3e593113a5688c0bb5a312c3eb41c700b20d53d9;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	acpi-processor-idle-check-for-architectural-support-for-lpi.patch
	cpuidle-psci-move-the-has_lpi-check-to-the-beginning-of-the-function.patch
	hamradio-defer-6pack-kfree-after-unregister_netdev.patch
	hamradio-remove-needs_free_netdev-to-avoid-uaf.patch
---

diff --git a/queue-5.10/acpi-processor-idle-check-for-architectural-support-for-lpi.patch b/queue-5.10/acpi-processor-idle-check-for-architectural-support-for-lpi.patch
new file mode 100644
index 00000000000..d3fc3e446a4
--- /dev/null
+++ b/queue-5.10/acpi-processor-idle-check-for-architectural-support-for-lpi.patch
@@ -0,0 +1,68 @@
+From eb087f305919ee8169ad65665610313e74260463 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Fri, 25 Feb 2022 13:06:46 -0600
+Subject: ACPI: processor idle: Check for architectural support for LPI
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit eb087f305919ee8169ad65665610313e74260463 upstream.
+
+When `osc_pc_lpi_support_confirmed` is set through `_OSC` and `_LPI` is
+populated then the cpuidle driver assumes that LPI is fully functional.
+
+However currently the kernel only provides architectural support for LPI
+on ARM.  This leads to high power consumption on X86 platforms that
+otherwise try to enable LPI.
+
+So probe whether or not LPI support is implemented before enabling LPI in
+the kernel.  This is done by overloading `acpi_processor_ffh_lpi_probe` to
+check whether it returns `-EOPNOTSUPP`. It also means that all future
+implementations of `acpi_processor_ffh_lpi_probe` will need to follow
+these semantics as well.
+
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/processor_idle.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/acpi/processor_idle.c
++++ b/drivers/acpi/processor_idle.c
+@@ -1080,6 +1080,11 @@ static int flatten_lpi_states(struct acp
+ 	return 0;
+ }
+ 
++int __weak acpi_processor_ffh_lpi_probe(unsigned int cpu)
++{
++	return -EOPNOTSUPP;
++}
++
+ static int acpi_processor_get_lpi_info(struct acpi_processor *pr)
+ {
+ 	int ret, i;
+@@ -1088,6 +1093,11 @@ static int acpi_processor_get_lpi_info(s
+ 	struct acpi_device *d = NULL;
+ 	struct acpi_lpi_states_array info[2], *tmp, *prev, *curr;
+ 
++	/* make sure our architecture has support */
++	ret = acpi_processor_ffh_lpi_probe(pr->id);
++	if (ret == -EOPNOTSUPP)
++		return ret;
++
+ 	if (!osc_pc_lpi_support_confirmed)
+ 		return -EOPNOTSUPP;
+ 
+@@ -1139,11 +1149,6 @@ static int acpi_processor_get_lpi_info(s
+ 	return 0;
+ }
+ 
+-int __weak acpi_processor_ffh_lpi_probe(unsigned int cpu)
+-{
+-	return -ENODEV;
+-}
+-
+ int __weak acpi_processor_ffh_lpi_enter(struct acpi_lpi_state *lpi)
+ {
+ 	return -ENODEV;
diff --git a/queue-5.10/cpuidle-psci-move-the-has_lpi-check-to-the-beginning-of-the-function.patch b/queue-5.10/cpuidle-psci-move-the-has_lpi-check-to-the-beginning-of-the-function.patch
new file mode 100644
index 00000000000..c0fa1dfb003
--- /dev/null
+++ b/queue-5.10/cpuidle-psci-move-the-has_lpi-check-to-the-beginning-of-the-function.patch
@@ -0,0 +1,46 @@
+From 01f6c7338ce267959975da65d86ba34f44d54220 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Fri, 25 Feb 2022 13:06:45 -0600
+Subject: cpuidle: PSCI: Move the `has_lpi` check to the beginning of the function
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 01f6c7338ce267959975da65d86ba34f44d54220 upstream.
+
+Currently the first thing checked is whether the PCSI cpu_suspend function
+has been initialized.
+
+Another change will be overloading `acpi_processor_ffh_lpi_probe` and
+calling it sooner.  So make the `has_lpi` check the first thing checked
+to prepare for that change.
+
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/cpuidle.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/kernel/cpuidle.c
++++ b/arch/arm64/kernel/cpuidle.c
+@@ -54,6 +54,9 @@ static int psci_acpi_cpu_init_idle(unsig
+ 	struct acpi_lpi_state *lpi;
+ 	struct acpi_processor *pr = per_cpu(processors, cpu);
+ 
++	if (unlikely(!pr || !pr->flags.has_lpi))
++		return -EINVAL;
++
+ 	/*
+ 	 * If the PSCI cpu_suspend function hook has not been initialized
+ 	 * idle states must not be enabled, so bail out
+@@ -61,9 +64,6 @@ static int psci_acpi_cpu_init_idle(unsig
+ 	if (!psci_ops.cpu_suspend)
+ 		return -EOPNOTSUPP;
+ 
+-	if (unlikely(!pr || !pr->flags.has_lpi))
+-		return -EINVAL;
+-
+ 	count = pr->power.count - 1;
+ 	if (count <= 0)
+ 		return -ENODEV;
diff --git a/queue-5.10/hamradio-defer-6pack-kfree-after-unregister_netdev.patch b/queue-5.10/hamradio-defer-6pack-kfree-after-unregister_netdev.patch
new file mode 100644
index 00000000000..ca480024b77
--- /dev/null
+++ b/queue-5.10/hamradio-defer-6pack-kfree-after-unregister_netdev.patch
@@ -0,0 +1,51 @@
+From 0b9111922b1f399aba6ed1e1b8f2079c3da1aed8 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Mon, 8 Nov 2021 18:37:59 +0800
+Subject: hamradio: defer 6pack kfree after unregister_netdev
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 0b9111922b1f399aba6ed1e1b8f2079c3da1aed8 upstream.
+
+There is a possible race condition (use-after-free) like below
+
+ (USE)                       |  (FREE)
+  dev_queue_xmit             |
+   __dev_queue_xmit          |
+    __dev_xmit_skb           |
+     sch_direct_xmit         | ...
+      xmit_one               |
+       netdev_start_xmit     | tty_ldisc_kill
+        __netdev_start_xmit  |  6pack_close
+         sp_xmit             |   kfree
+          sp_encaps          |
+                             |
+
+According to the patch "defer ax25 kfree after unregister_netdev", this
+patch reorder the kfree after the unregister_netdev to avoid the possible
+UAF as the unregister_netdev() is well synchronized and won't return if
+there is a running routine.
+
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Xu Jia <xujia39@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hamradio/6pack.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -679,9 +679,11 @@ static void sixpack_close(struct tty_str
+ 	del_timer_sync(&sp->tx_t);
+ 	del_timer_sync(&sp->resync_t);
+ 
+-	/* Free all 6pack frame buffers. */
++	/* Free all 6pack frame buffers after unreg. */
+ 	kfree(sp->rbuff);
+ 	kfree(sp->xbuff);
++
++	free_netdev(sp->dev);
+ }
+ 
+ /* Perform I/O control on an active 6pack channel. */
diff --git a/queue-5.10/hamradio-remove-needs_free_netdev-to-avoid-uaf.patch b/queue-5.10/hamradio-remove-needs_free_netdev-to-avoid-uaf.patch
new file mode 100644
index 00000000000..a7509a4d492
--- /dev/null
+++ b/queue-5.10/hamradio-remove-needs_free_netdev-to-avoid-uaf.patch
@@ -0,0 +1,42 @@
+From 81b1d548d00bcd028303c4f3150fa753b9b8aa71 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Thu, 11 Nov 2021 22:14:02 +0800
+Subject: hamradio: remove needs_free_netdev to avoid UAF
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 81b1d548d00bcd028303c4f3150fa753b9b8aa71 upstream.
+
+The former patch "defer 6pack kfree after unregister_netdev" reorders
+the kfree of two buffer after the unregister_netdev to prevent the race
+condition. It also adds free_netdev() function in sixpack_close(), which
+is a direct copy from the similar code in mkiss_close().
+
+However, in sixpack driver, the flag needs_free_netdev is set to true in
+sp_setup(), hence the unregister_netdev() will free the netdev
+automatically. Therefore, as the sp is netdev_priv, use-after-free
+occurs.
+
+This patch removes the needs_free_netdev = true and just let the
+free_netdev to finish this deallocation task.
+
+Fixes: 0b9111922b1f ("hamradio: defer 6pack kfree after unregister_netdev")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Link: https://lore.kernel.org/r/20211111141402.7551-1-linma@zju.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Xu Jia <xujia39@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hamradio/6pack.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -311,7 +311,6 @@ static void sp_setup(struct net_device *
+ {
+ 	/* Finish setting up the DEVICE info. */
+ 	dev->netdev_ops		= &sp_netdev_ops;
+-	dev->needs_free_netdev	= true;
+ 	dev->mtu		= SIXP_MTU;
+ 	dev->hard_header_len	= AX25_MAX_HEADER_LEN;
+ 	dev->header_ops 	= &ax25_header_ops;
diff --git a/queue-5.10/series b/queue-5.10/series
index a66977f92f2..c4d7eb23fde 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -1 +1,5 @@
 drm-amdkfd-use-drm_priv-to-pass-vm-from-kfd-to-amdgpu.patch
+hamradio-defer-6pack-kfree-after-unregister_netdev.patch
+hamradio-remove-needs_free_netdev-to-avoid-uaf.patch
+cpuidle-psci-move-the-has_lpi-check-to-the-beginning-of-the-function.patch
+acpi-processor-idle-check-for-architectural-support-for-lpi.patch