From: Sasha Levin Date: Thu, 30 Mar 2023 11:50:37 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.14.312~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f285a0c80552516d4fdc0319ff3ac7f6549772f;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/alsa-asihpi-check-pao-in-control_message.patch b/queue-4.14/alsa-asihpi-check-pao-in-control_message.patch
new file mode 100644
index 00000000000..e3a66aa48f8
--- /dev/null
+++ b/queue-4.14/alsa-asihpi-check-pao-in-control_message.patch
@@ -0,0 +1,72 @@ +From 7b3f14a73f196342ebcad4f7c12e60b113b2d090 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 00:49:24 +0000 +Subject: ALSA: asihpi: check pao in control_message() + +From: Kuninori Morimoto + +[ Upstream commit 9026c0bf233db53b86f74f4c620715e94eb32a09 ] + +control_message() might be called with pao = NULL. +Here indicates control_message() as sample. + +(B) static void control_message(struct hpi_adapter_obj *pao, ...) + { ^^^ + struct hpi_hw_obj *phw = pao->priv; + ... ^^^ + } + +(A) void _HPI_6205(struct hpi_adapter_obj *pao, ...) + { ^^^ + ... + case HPI_OBJ_CONTROL: +(B) control_message(pao, phm, phr); + break; ^^^ + ... + } + + void HPI_6205(...) + { + ... +(A) _HPI_6205(NULL, phm, phr); + ... ^^^^ + } + +Therefore, We will get too many warning via cppcheck, like below + + sound/pci/asihpi/hpi6205.c:238:27: warning: Possible null pointer dereference: pao [nullPointer] + struct hpi_hw_obj *phw = pao->priv; + ^ + sound/pci/asihpi/hpi6205.c:433:13: note: Calling function '_HPI_6205', 1st argument 'NULL' value is 0 + _HPI_6205(NULL, phm, phr); + ^ + sound/pci/asihpi/hpi6205.c:401:20: note: Calling function 'control_message', 1st argument 'pao' value is 0 + control_message(pao, phm, phr); + ^ +Set phr->error like many functions doing, and don't call _HPI_6205() +with NULL. 
+ +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87ttypeaqz.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpi6205.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/asihpi/hpi6205.c b/sound/pci/asihpi/hpi6205.c +index 8d5abfa4e24bf..bc694a69b4b79 100644 +--- a/sound/pci/asihpi/hpi6205.c ++++ b/sound/pci/asihpi/hpi6205.c +@@ -441,7 +441,7 @@ void HPI_6205(struct hpi_message *phm, struct hpi_response *phr) + pao = hpi_find_adapter(phm->adapter_index); + } else { + /* subsys messages don't address an adapter */ +- _HPI_6205(NULL, phm, phr); ++ phr->error = HPI_ERROR_INVALID_OBJ_INDEX; + return; + } + +-- +2.39.2 + diff --git a/queue-4.14/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch b/queue-4.14/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch new file mode 100644 index 00000000000..5b984b21cb1 --- /dev/null +++ b/queue-4.14/alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch 
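Review bot: After this change the `/* subsys messages don't address an adapter */` comment sits directly above a line that reports `HPI_ERROR_INVALID_OBJ_INDEX` instead of dispatching, so it no longer explains what the branch does; I would extend it to `/* subsys messages don't address an adapter and are not dispatched here: report an invalid object rather than calling _HPI_6205() with pao == NULL */`. The other branch still assigns `pao = hpi_find_adapter(phm->adapter_index)`, and if that lookup can return NULL the dereference in control_message() described in the commit message remains reachable unless it is checked further down. HPI_6205's body continues outside the hunk, so that check should be confirmed in the 4.14 tree rather than assumed from the upstream fix.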
@@ -0,0 +1,62 @@ +From 399dd7d30f1323cd6565f5f3d85d5f89365d3f5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 00:50:28 +0000 +Subject: ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() + +From: Kuninori Morimoto + +[ Upstream commit 98e5eb110095ec77cb6d775051d181edbf9cd3cf ] + +tuning_ctl_set() might have buffer overrun at (X) if it didn't break +from loop by matching (A). + + static int tuning_ctl_set(...) + { + for (i = 0; i < TUNING_CTLS_COUNT; i++) +(A) if (nid == ca0132_tuning_ctls[i].nid) + break; + + snd_hda_power_up(...); +(X) dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...); + snd_hda_power_down(...); ^ + + return 1; + } + +We will get below error by cppcheck + + sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12 + for (i = 0; i < TUNING_CTLS_COUNT; i++) + ^ + sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds + dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20, + ^ +This patch cares non match case. + +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87sfe9eap7.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 280643f72c6e2..13c32f3414d2f 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -2943,8 +2943,10 @@ static int tuning_ctl_set(struct hda_codec *codec, hda_nid_t nid, + + for (i = 0; i < TUNING_CTLS_COUNT; i++) + if (nid == ca0132_tuning_ctls[i].nid) +- break; ++ goto found; + ++ return -EINVAL; ++found: + snd_hda_power_up(codec); + dspio_set_param(codec, ca0132_tuning_ctls[i].mid, + ca0132_tuning_ctls[i].req, +-- +2.39.2 + 
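Review bot: The `goto found` introduces a forward jump and a label where a post-loop index check would do the same job; `if (i == TUNING_CTLS_COUNT) return -EINVAL;` placed after the `for` keeps the loop body as a plain `break`, reads without the label and yields the same -EINVAL behaviour. Whichever form is kept, the miss case deserves a comment saying why it matters, e.g. `/* no matching nid: i would index one past ca0132_tuning_ctls[] */`. The description says this path previously returned only 1, so the caller of this static function, which is outside the hunk, should be checked to propagate the new negative return rather than treat it as a changed value.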
diff --git a/queue-4.14/fbdev-au1200fb-fix-potential-divide-by-zero.patch b/queue-4.14/fbdev-au1200fb-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..40c4be476d3 --- /dev/null +++ b/queue-4.14/fbdev-au1200fb-fix-potential-divide-by-zero.patch @@ -0,0 +1,39 @@ +From 8dd1dda09a5879999d2667a8e6704e44a67601ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 09:22:54 +0000 +Subject: fbdev: au1200fb: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit 44a3b36b42acfc433aaaf526191dd12fbb919fdb ] + +var->pixclock can be assigned to zero by user. Without +proper check, divide by zero would occur when invoking +macro PICOS2KHZ in au1200fb_fb_check_var. + +Error out if var->pixclock is zero. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/au1200fb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c +index 6c542d0ca076e..e17a083f849ad 100644 +--- a/drivers/video/fbdev/au1200fb.c ++++ b/drivers/video/fbdev/au1200fb.c +@@ -1039,6 +1039,9 @@ static int au1200fb_fb_check_var(struct fb_var_screeninfo *var, + u32 pixclock; + int screen_size, plane; + ++ if (!var->pixclock) ++ return -EINVAL; ++ + plane = fbdev->plane; + + /* Make sure that the mode respect all LCD controller and +-- +2.39.2 + diff --git a/queue-4.14/fbdev-intelfb-fix-potential-divide-by-zero.patch b/queue-4.14/fbdev-intelfb-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..ee70f742fa4 --- /dev/null +++ b/queue-4.14/fbdev-intelfb-fix-potential-divide-by-zero.patch 
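Review bot: The new `if (!var->pixclock) return -EINVAL;` carries no comment, so the only record of why a zero pixclock is fatal is this commit message; the same bare check appears in the intelfb, lxfb, nvidia and tgafb patches that follow. I would annotate it at each site, naming the divider that driver uses, e.g. here `/* pixclock comes from userspace via FBIOPUT_VSCREENINFO and is a divisor in PICOS2KHZ() below; zero must be rejected before it is used */`, so a later refactor does not drop the check or move it past the division. au1200fb_fb_check_var's body continues outside the hunk.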
@@ -0,0 +1,39 @@ +From f764196212d76580dd307ee2d42c87ae4e38caf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 08:33:47 +0000 +Subject: fbdev: intelfb: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit d823685486a3446d061fed7c7d2f80af984f119a ] + +Variable var->pixclock is controlled by user and can be assigned +to zero. Without proper check, divide by zero would occur in +intelfbhw_validate_mode and intelfbhw_mode_to_hw. + +Error out if var->pixclock is zero. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/intelfb/intelfbdrv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/intelfb/intelfbdrv.c b/drivers/video/fbdev/intelfb/intelfbdrv.c +index d7463a2a5d83f..c97c0c8514809 100644 +--- a/drivers/video/fbdev/intelfb/intelfbdrv.c ++++ b/drivers/video/fbdev/intelfb/intelfbdrv.c +@@ -1215,6 +1215,9 @@ static int intelfb_check_var(struct fb_var_screeninfo *var, + + dinfo = GET_DINFO(info); + ++ if (!var->pixclock) ++ return -EINVAL; ++ + /* update the pitch */ + if (intelfbhw_validate_mode(dinfo, var) != 0) + return -EINVAL; +-- +2.39.2 + diff --git a/queue-4.14/fbdev-lxfb-fix-potential-divide-by-zero.patch b/queue-4.14/fbdev-lxfb-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..35af7e10a73 --- /dev/null +++ b/queue-4.14/fbdev-lxfb-fix-potential-divide-by-zero.patch 
@@ -0,0 +1,38 @@ +From 33925155594c7f1fb9ae50d580e3e2b075d11dbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 09:05:18 +0000 +Subject: fbdev: lxfb: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit 61ac4b86a4c047c20d5cb423ddd87496f14d9868 ] + +var->pixclock can be assigned to zero by user. Without proper +check, divide by zero would occur in lx_set_clock. + +Error out if var->pixclock is zero. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/geode/lxfb_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/geode/lxfb_core.c b/drivers/video/fbdev/geode/lxfb_core.c +index 138da6cb6cbcd..4345246b4c798 100644 +--- a/drivers/video/fbdev/geode/lxfb_core.c ++++ b/drivers/video/fbdev/geode/lxfb_core.c +@@ -247,6 +247,9 @@ static void get_modedb(struct fb_videomode **modedb, unsigned int *size) + + static int lxfb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) + { ++ if (!var->pixclock) ++ return -EINVAL; ++ + if (var->xres > 1920 || var->yres > 1440) + return -EINVAL; + +-- +2.39.2 + diff --git a/queue-4.14/fbdev-nvidia-fix-potential-divide-by-zero.patch b/queue-4.14/fbdev-nvidia-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..baa2f4653c8 --- /dev/null +++ b/queue-4.14/fbdev-nvidia-fix-potential-divide-by-zero.patch 
@@ -0,0 +1,40 @@ +From 97b294c3c674febc6a6ced7aff302f865c374064 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 07:18:31 +0000 +Subject: fbdev: nvidia: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit 92e2a00f2987483e1f9253625828622edd442e61 ] + +variable var->pixclock can be set by user. In case it +equals to zero, divide by zero would occur in nvidiafb_set_par. + +Similar crashes have happened in other fbdev drivers. There +is no check and modification on var->pixclock along the call +chain to nvidia_check_var and nvidiafb_set_par. We believe it +could also be triggered in driver nvidia from user site. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/nvidia/nvidia.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/nvidia/nvidia.c b/drivers/video/fbdev/nvidia/nvidia.c +index 418a2d0d06a95..68e4bcdd38717 100644 +--- a/drivers/video/fbdev/nvidia/nvidia.c ++++ b/drivers/video/fbdev/nvidia/nvidia.c +@@ -766,6 +766,8 @@ static int nvidiafb_check_var(struct fb_var_screeninfo *var, + int pitch, err = 0; + + NVTRACE_ENTER(); ++ if (!var->pixclock) ++ return -EINVAL; + + var->transp.offset = 0; + var->transp.length = 0; +-- +2.39.2 + diff --git a/queue-4.14/fbdev-tgafb-fix-potential-divide-by-zero.patch b/queue-4.14/fbdev-tgafb-fix-potential-divide-by-zero.patch new file mode 100644 index 00000000000..5b0adb5b05a --- /dev/null +++ b/queue-4.14/fbdev-tgafb-fix-potential-divide-by-zero.patch 
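Review bot: The check is placed after `NVTRACE_ENTER();`, so the early `return -EINVAL` leaves the function without whatever exit trace nvidiafb_check_var emits on its normal path, while the other drivers in this series reject a zero pixclock before doing any other work. Moving the two added lines above `NVTRACE_ENTER();` keeps the entry/exit trace balanced and matches those patches. The function's exit path is outside the hunk, so whether an exit trace exists there should be confirmed before deciding.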
@@ -0,0 +1,44 @@ +From 1131a8ff2ea227dfce067f6d8c01eec34769c53c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 13:08:56 +0000 +Subject: fbdev: tgafb: Fix potential divide by zero + +From: Wei Chen + +[ Upstream commit f90bd245de82c095187d8c2cabb8b488a39eaecc ] + +fb_set_var would by called when user invokes ioctl with cmd +FBIOPUT_VSCREENINFO. User-provided data would finally reach +tgafb_check_var. In case var->pixclock is assigned to zero, +divide by zero would occur when checking whether reciprocal +of var->pixclock is too high. + +Similar crashes have happened in other fbdev drivers. There +is no check and modification on var->pixclock along the call +chain to tgafb_check_var. We believe it could also be triggered +in driver tgafb from user site. + +Signed-off-by: Wei Chen +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/tgafb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/tgafb.c b/drivers/video/fbdev/tgafb.c +index 65ba9921506e2..9d2912947eef6 100644 +--- a/drivers/video/fbdev/tgafb.c ++++ b/drivers/video/fbdev/tgafb.c +@@ -166,6 +166,9 @@ tgafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) + { + struct tga_par *par = (struct tga_par *)info->par; + ++ if (!var->pixclock) ++ return -EINVAL; ++ + if (par->tga_type == TGA_TYPE_8PLANE) { + if (var->bits_per_pixel != 8) + return -EINVAL; +-- +2.39.2 + diff --git a/queue-4.14/md-avoid-signed-overflow-in-slot_store.patch b/queue-4.14/md-avoid-signed-overflow-in-slot_store.patch new file mode 100644 index 00000000000..ac09fbacb4b --- /dev/null +++ b/queue-4.14/md-avoid-signed-overflow-in-slot_store.patch 
@@ -0,0 +1,44 @@ +From ee69b33f2253283394cfa8c2935548a510630cb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 09:36:25 +1100 +Subject: md: avoid signed overflow in slot_store() + +From: NeilBrown + +[ Upstream commit 3bc57292278a0b6ac4656cad94c14f2453344b57 ] + +slot_store() uses kstrtouint() to get a slot number, but stores the +result in an "int" variable (by casting a pointer). +This can result in a negative slot number if the unsigned int value is +very large. + +A negative number means that the slot is empty, but setting a negative +slot number this way will not remove the device from the array. I don't +think this is a serious problem, but it could cause confusion and it is +best to fix it. + +Reported-by: Dan Carpenter +Signed-off-by: NeilBrown +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 880a0ebca8660..69d1501d9160e 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -2967,6 +2967,9 @@ slot_store(struct md_rdev *rdev, const char *buf, size_t len) + err = kstrtouint(buf, 10, (unsigned int *)&slot); + if (err < 0) + return err; ++ if (slot < 0) ++ /* overflow */ ++ return -ENOSPC; + } + if (rdev->mddev->pers && slot == -1) { + /* Setting 'slot' on an active array requires also +-- +2.39.2 + diff --git a/queue-4.14/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch b/queue-4.14/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch new file mode 100644 index 00000000000..391636b909d --- /dev/null +++ b/queue-4.14/sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch 
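Review bot: The new sign check works only because `kstrtouint()` stored through `(unsigned int *)&slot` and the value wrapped to a negative `int`; that conversion is implementation-defined in C (two's complement everywhere Linux runs, but the reader has to know it). Parsing into an `unsigned int` local and comparing against INT_MAX makes the range check explicit and removes the pointer cast, and the `/* overflow */` comment wedged between `if` and `return` then becomes a proper range-check comment. `slot` is declared outside the hunk, so the new local goes alongside it; the -ENOSPC code is kept as the patch chose it.
```c
	unsigned int uslot;
	/* … unchanged: start of slot_store() … */
		err = kstrtouint(buf, 10, &uslot);
		if (err < 0)
			return err;
		if (uslot > INT_MAX)
			return -ENOSPC;	/* too large to hold in 'slot' */
		slot = uslot;
```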
@@ -0,0 +1,82 @@ +From 346f6078a3af7dc6a5fd6f5a8f870ee02b1928ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 19:32:38 -0700 +Subject: sched_getaffinity: don't assume 'cpumask_size()' is fully initialized + +From: Linus Torvalds + +[ Upstream commit 6015b1aca1a233379625385feb01dd014aca60b5 ] + +The getaffinity() system call uses 'cpumask_size()' to decide how big +the CPU mask is - so far so good. It is indeed the allocation size of a +cpumask. + +But the code also assumes that the whole allocation is initialized +without actually doing so itself. That's wrong, because we might have +fixed-size allocations (making copying and clearing more efficient), but +not all of it is then necessarily used if 'nr_cpu_ids' is smaller. + +Having checked other users of 'cpumask_size()', they all seem to be ok, +either using it purely for the allocation size, or explicitly zeroing +the cpumask before using the size in bytes to copy it. + +See for example the ublk_ctrl_get_queue_affinity() function that uses +the proper 'zalloc_cpumask_var()' to make sure that the whole mask is +cleared, whether the storage is on the stack or if it was an external +allocation. + +Fix this by just zeroing the allocation before using it. Do the same +for the compat version of sched_getaffinity(), which had the same logic. + +Also, for consistency, make sched_getaffinity() use 'cpumask_bits()' to +access the bits. For a cpumask_var_t, it ends up being a pointer to the +same data either way, but it's just a good idea to treat it like you +would a 'cpumask_t'. The compat case already did that. 
+ +Reported-by: Ryan Roberts +Link: https://lore.kernel.org/lkml/7d026744-6bd6-6827-0471-b5e8eae0be3f@arm.com/ +Cc: Yury Norov +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/compat.c | 2 +- + kernel/sched/core.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/compat.c b/kernel/compat.c +index 45ae3ace49c29..63d10b91f80fa 100644 +--- a/kernel/compat.c ++++ b/kernel/compat.c +@@ -351,7 +351,7 @@ COMPAT_SYSCALL_DEFINE3(sched_getaffinity, compat_pid_t, pid, unsigned int, len, + if (len & (sizeof(compat_ulong_t)-1)) + return -EINVAL; + +- if (!alloc_cpumask_var(&mask, GFP_KERNEL)) ++ if (!zalloc_cpumask_var(&mask, GFP_KERNEL)) + return -ENOMEM; + + ret = sched_getaffinity(pid, mask); +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 22a7a3435ad46..e3bda201f6396 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -4794,14 +4794,14 @@ SYSCALL_DEFINE3(sched_getaffinity, pid_t, pid, unsigned int, len, + if (len & (sizeof(unsigned long)-1)) + return -EINVAL; + +- if (!alloc_cpumask_var(&mask, GFP_KERNEL)) ++ if (!zalloc_cpumask_var(&mask, GFP_KERNEL)) + return -ENOMEM; + + ret = sched_getaffinity(pid, mask); + if (ret == 0) { + size_t retlen = min_t(size_t, len, cpumask_size()); + +- if (copy_to_user(user_mask_ptr, mask, retlen)) ++ if (copy_to_user(user_mask_ptr, cpumask_bits(mask), retlen)) + ret = -EFAULT; + else + ret = retlen; +-- +2.39.2 + diff --git a/queue-4.14/series b/queue-4.14/series index 8cb1535b9c3..bbce62d8111 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
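Review bot: The switch from `alloc_cpumask_var()` to `zalloc_cpumask_var()` is the whole fix, but nothing at either site says why the zeroing matters, so a later "avoid the memset" cleanup could silently reintroduce a copy of uninitialized kernel memory to userspace. I would add, at both the kernel/compat.c and kernel/sched/core.c sites, `/* zalloc: cpumask_size() may cover more bits than sched_getaffinity() writes; the tail is copied to userspace and must not be uninitialized */`. The compat copy-out and the cpumask free that follow these lines are outside the hunks shown.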
@@ -40,3 +40,12 @@ dm-crypt-add-cond_resched-to-dmcrypt_write.patch
 sched-fair-sanitize-vruntime-of-entity-being-placed.patch
 sched-fair-sanitize-vruntime-of-entity-being-migrated.patch
 ocfs2-fix-data-corruption-after-failed-write.patch
+md-avoid-signed-overflow-in-slot_store.patch
+alsa-asihpi-check-pao-in-control_message.patch
+alsa-hda-ca0132-fixup-buffer-overrun-at-tuning_ctl_s.patch
+fbdev-tgafb-fix-potential-divide-by-zero.patch
+sched_getaffinity-don-t-assume-cpumask_size-is-fully.patch
+fbdev-nvidia-fix-potential-divide-by-zero.patch
+fbdev-intelfb-fix-potential-divide-by-zero.patch
+fbdev-lxfb-fix-potential-divide-by-zero.patch
+fbdev-au1200fb-fix-potential-divide-by-zero.patch