From: Greg Kroah-Hartman Date: Mon, 27 Dec 2021 11:37:44 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.297~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e43da2352cac0c88fb10875b88de150603eefb2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch alsa-jack-check-the-return-value-of-kstrdup.patch input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch ipmi-bail-out-if-init_srcu_struct-fails.patch ipmi-fix-initialization-when-workqueue-allocation-fails.patch parisc-correct-completer-in-lws-start.patch x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch --- diff --git a/queue-4.19/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch b/queue-4.19/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch new file mode 100644 index 00000000000..11e4efe0fe6 --- /dev/null +++ b/queue-4.19/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch 
@@ -0,0 +1,37 @@ +From 2dee54b289fbc810669a1b2b8a0887fa1c9a14d7 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Sun, 12 Dec 2021 17:20:25 +0000 +Subject: ALSA: drivers: opl3: Fix incorrect use of vp->state + +From: Colin Ian King + +commit 2dee54b289fbc810669a1b2b8a0887fa1c9a14d7 upstream. + +Static analysis with scan-build has found an assignment to vp2 that is +never used. It seems that the check on vp->state > 0 should be actually +on vp2->state instead. Fix this. + +This dates back to 2002, I found the offending commit from the git +history git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git, +commit 91e39521bbf6 ("[PATCH] ALSA patch for 2.5.4") + +Signed-off-by: Colin Ian King +Cc: +Link: https://lore.kernel.org/r/20211212172025.470367-1-colin.i.king@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/drivers/opl3/opl3_midi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/drivers/opl3/opl3_midi.c ++++ b/sound/drivers/opl3/opl3_midi.c +@@ -412,7 +412,7 @@ void snd_opl3_note_on(void *p, int note, + } + if (instr_4op) { + vp2 = &opl3->voices[voice + 3]; +- if (vp->state > 0) { ++ if (vp2->state > 0) { + opl3_reg = reg_side | (OPL3_REG_KEYON_BLOCK + + voice_offset + 3); + reg_val = vp->keyon_reg & ~OPL3_KEYON_BIT; diff --git a/queue-4.19/alsa-jack-check-the-return-value-of-kstrdup.patch b/queue-4.19/alsa-jack-check-the-return-value-of-kstrdup.patch new file mode 100644 index 00000000000..0a3ec0d07c0 --- /dev/null +++ b/queue-4.19/alsa-jack-check-the-return-value-of-kstrdup.patch 
@@ -0,0 +1,33 @@ +From c01c1db1dc632edafb0dff32d40daf4f9c1a4e19 Mon Sep 17 00:00:00 2001 +From: Xiaoke Wang +Date: Mon, 13 Dec 2021 15:39:31 +0800 +Subject: ALSA: jack: Check the return value of kstrdup() + +From: Xiaoke Wang + +commit c01c1db1dc632edafb0dff32d40daf4f9c1a4e19 upstream. + +kstrdup() can return NULL, it is better to check the return value of it. + +Signed-off-by: Xiaoke Wang +Cc: +Link: https://lore.kernel.org/r/tencent_094816F3522E0DC704056C789352EBBF0606@qq.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/jack.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/core/jack.c ++++ b/sound/core/jack.c +@@ -234,6 +234,10 @@ int snd_jack_new(struct snd_card *card, + return -ENOMEM; + + jack->id = kstrdup(id, GFP_KERNEL); ++ if (jack->id == NULL) { ++ kfree(jack); ++ return -ENOMEM; ++ } + + /* don't creat input device for phantom jack */ + if (!phantom_jack) { diff --git a/queue-4.19/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch b/queue-4.19/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch new file mode 100644 index 00000000000..9ec65636c36 --- /dev/null +++ b/queue-4.19/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch 
@@ -0,0 +1,39 @@ +From 12f247ab590a08856441efdbd351cf2cc8f60a2d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Sun, 12 Dec 2021 21:01:49 -0800 +Subject: Input: atmel_mxt_ts - fix double free in mxt_read_info_block +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +commit 12f247ab590a08856441efdbd351cf2cc8f60a2d upstream. + +The "id_buf" buffer is stored in "data->raw_info_block" and freed by +"mxt_free_object_table" in case of error. + +Return instead of jumping to avoid a double free. + +Addresses-Coverity-ID: 1474582 ("Double free") +Fixes: 068bdb67ef74 ("Input: atmel_mxt_ts - fix the firmware update") +Signed-off-by: José Expósito +Link: https://lore.kernel.org/r/20211212194257.68879-1-jose.exposito89@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/atmel_mxt_ts.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/atmel_mxt_ts.c ++++ b/drivers/input/touchscreen/atmel_mxt_ts.c +@@ -1809,7 +1809,7 @@ static int mxt_read_info_block(struct mx + if (error) { + dev_err(&client->dev, "Error %d parsing object table\n", error); + mxt_free_object_table(data); +- goto err_free_mem; ++ return error; + } + + data->object_table = (struct mxt_object *)(id_buf + MXT_OBJECT_START); diff --git a/queue-4.19/ipmi-bail-out-if-init_srcu_struct-fails.patch b/queue-4.19/ipmi-bail-out-if-init_srcu_struct-fails.patch new file mode 100644 index 00000000000..c1bdd312d8b --- /dev/null +++ b/queue-4.19/ipmi-bail-out-if-init_srcu_struct-fails.patch 
@@ -0,0 +1,37 @@ +From 2b5160b12091285c5aca45980f100a9294af7b04 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Fri, 17 Dec 2021 12:44:09 -0300 +Subject: ipmi: bail out if init_srcu_struct fails + +From: Thadeu Lima de Souza Cascardo + +commit 2b5160b12091285c5aca45980f100a9294af7b04 upstream. + +In case, init_srcu_struct fails (because of memory allocation failure), we +might proceed with the driver initialization despite srcu_struct not being +entirely initialized. + +Fixes: 913a89f009d9 ("ipmi: Don't initialize anything in the core until something uses it") +Signed-off-by: Thadeu Lima de Souza Cascardo +Cc: Corey Minyard +Cc: stable@vger.kernel.org +Message-Id: <20211217154410.1228673-1-cascardo@canonical.com> +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_msghandler.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -5085,7 +5085,9 @@ static int ipmi_init_msghandler(void) + if (initialized) + goto out; + +- init_srcu_struct(&ipmi_interfaces_srcu); ++ rv = init_srcu_struct(&ipmi_interfaces_srcu); ++ if (rv) ++ goto out; + + timer_setup(&ipmi_timer, ipmi_timeout, 0); + mod_timer(&ipmi_timer, jiffies + IPMI_TIMEOUT_JIFFIES); diff --git a/queue-4.19/ipmi-fix-initialization-when-workqueue-allocation-fails.patch b/queue-4.19/ipmi-fix-initialization-when-workqueue-allocation-fails.patch new file mode 100644 index 00000000000..34f19df3929 --- /dev/null +++ b/queue-4.19/ipmi-fix-initialization-when-workqueue-allocation-fails.patch 
@@ -0,0 +1,59 @@ +From 75d70d76cb7b927cace2cb34265d68ebb3306b13 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Fri, 17 Dec 2021 12:44:10 -0300 +Subject: ipmi: fix initialization when workqueue allocation fails + +From: Thadeu Lima de Souza Cascardo + +commit 75d70d76cb7b927cace2cb34265d68ebb3306b13 upstream. + +If the workqueue allocation fails, the driver is marked as not initialized, +and timer and panic_notifier will be left registered. + +Instead of removing those when workqueue allocation fails, do the workqueue +initialization before doing it, and cleanup srcu_struct if it fails. + +Fixes: 1d49eb91e86e ("ipmi: Move remove_work to dedicated workqueue") +Signed-off-by: Thadeu Lima de Souza Cascardo +Cc: Corey Minyard +Cc: Ioanna Alifieraki +Cc: stable@vger.kernel.org +Message-Id: <20211217154410.1228673-2-cascardo@canonical.com> +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_msghandler.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -5089,20 +5089,23 @@ static int ipmi_init_msghandler(void) + if (rv) + goto out; + +- timer_setup(&ipmi_timer, ipmi_timeout, 0); +- mod_timer(&ipmi_timer, jiffies + IPMI_TIMEOUT_JIFFIES); +- +- atomic_notifier_chain_register(&panic_notifier_list, &panic_block); +- + remove_work_wq = create_singlethread_workqueue("ipmi-msghandler-remove-wq"); + if (!remove_work_wq) { + pr_err("unable to create ipmi-msghandler-remove-wq workqueue"); + rv = -ENOMEM; +- goto out; ++ goto out_wq; + } + ++ timer_setup(&ipmi_timer, ipmi_timeout, 0); ++ mod_timer(&ipmi_timer, jiffies + IPMI_TIMEOUT_JIFFIES); ++ ++ atomic_notifier_chain_register(&panic_notifier_list, &panic_block); ++ + initialized = true; + ++out_wq: ++ if (rv) ++ cleanup_srcu_struct(&ipmi_interfaces_srcu); + out: + mutex_unlock(&ipmi_interfaces_mutex); + return rv; 
diff --git a/queue-4.19/parisc-correct-completer-in-lws-start.patch b/queue-4.19/parisc-correct-completer-in-lws-start.patch new file mode 100644 index 00000000000..de6bdde7309 --- /dev/null +++ b/queue-4.19/parisc-correct-completer-in-lws-start.patch @@ -0,0 +1,37 @@ +From 8f66fce0f46560b9e910787ff7ad0974441c4f9c Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Tue, 21 Dec 2021 13:21:22 -0500 +Subject: parisc: Correct completer in lws start + +From: John David Anglin + +commit 8f66fce0f46560b9e910787ff7ad0974441c4f9c upstream. + +The completer in the "or,ev %r1,%r30,%r30" instruction is reversed, so we are +not clipping the LWS number when we are called from a 32-bit process (W=0). +We need to nulify the following depdi instruction when the least-significant +bit of %r30 is 1. + +If the %r20 register is not clipped, a user process could perform a LWS call +that would branch to an undefined location in the kernel and potentially crash +the machine. + +Signed-off-by: John David Anglin +Cc: stable@vger.kernel.org # 4.19+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/syscall.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -478,7 +478,7 @@ lws_start: + extrd,u %r1,PSW_W_BIT,1,%r1 + /* sp must be aligned on 4, so deposit the W bit setting into + * the bottom of sp temporarily */ +- or,ev %r1,%r30,%r30 ++ or,od %r1,%r30,%r30 + + /* Clip LWS number to a 32-bit value for 32-bit processes */ + depdi 0, 31, 32, %r20 diff --git a/queue-4.19/series b/queue-4.19/series index e9e7ad319b4..c9043a86796 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -18,3 +18,10 @@ fjes-check-for-error-irq.patch drivers-net-smc911x-check-for-error-irq.patch sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch hwmon-lm90-fix-usage-of-config2-register-in-detect-f.patch +alsa-jack-check-the-return-value-of-kstrdup.patch +alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch +input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch +ipmi-bail-out-if-init_srcu_struct-fails.patch +ipmi-fix-initialization-when-workqueue-allocation-fails.patch +parisc-correct-completer-in-lws-start.patch +x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch diff --git a/queue-4.19/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch b/queue-4.19/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch new file mode 100644 index 00000000000..e3525680361 --- /dev/null +++ b/queue-4.19/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch 
@@ -0,0 +1,52 @@ +From 57690554abe135fee81d6ac33cc94d75a7e224bb Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Thu, 16 Dec 2021 00:08:56 +0000 +Subject: x86/pkey: Fix undefined behaviour with PKRU_WD_BIT + +From: Andrew Cooper + +commit 57690554abe135fee81d6ac33cc94d75a7e224bb upstream. + +Both __pkru_allows_write() and arch_set_user_pkey_access() shift +PKRU_WD_BIT (a signed constant) by up to 30 bits, hitting the +sign bit. + +Use unsigned constants instead. + +Clearly pkey 15 has not been used in combination with UBSAN yet. + +Noticed by code inspection only. I can't actually provoke the +compiler into generating incorrect logic as far as this shift is +concerned. + +[ + dhansen: add stable@ tag, plus minor changelog massaging, + + For anyone doing backports, these #defines were in + arch/x86/include/asm/pgtable.h before 784a46618f6. +] + +Fixes: 33a709b25a76 ("mm/gup, x86/mm/pkeys: Check VMAs and PTEs for protection keys") +Signed-off-by: Andrew Cooper +Signed-off-by: Dave Hansen +Signed-off-by: Borislav Petkov +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20211216000856.4480-1-andrew.cooper3@citrix.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/pgtable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/pgtable.h ++++ b/arch/x86/include/asm/pgtable.h +@@ -1356,8 +1356,8 @@ static inline pmd_t pmd_swp_clear_soft_d + #endif + #endif + +-#define PKRU_AD_BIT 0x1 +-#define PKRU_WD_BIT 0x2 ++#define PKRU_AD_BIT 0x1u ++#define PKRU_WD_BIT 0x2u + #define PKRU_BITS_PER_PKEY 2 + + static inline bool __pkru_allows_read(u32 pkru, u16 pkey)
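Review bot: in the sound/drivers/opl3/opl3_midi.c hunk, the condition now tests `vp2->state`, but the last visible line of the block still builds the register value from the first voice: `reg_val = vp->keyon_reg & ~OPL3_KEYON_BIT;`. Either that line should read `vp2->keyon_reg` too, or the changelog should say why the second voice of a 4-op pair is keyed off using the first voice's cached register. As written, vp2 is used only in the test.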
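Review bot: in the sound/core/jack.c hunk, the new check `if (jack->id == NULL)` would match kernel style better as `if (!jack->id)`. The error path looks right for what the hunk shows (jack is freed before `return -ENOMEM;` and nothing else is allocated between the two visible lines), but the changelog has no Fixes: tag, so it is not clear from the patch how far back the unchecked kstrdup() goes when selecting stable trees.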
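Review bot: in the drivers/input/touchscreen/atmel_mxt_ts.c hunk, the bare `return error;` right after `mxt_free_object_table(data);` departs from the function's goto-based cleanup without saying why in the code. The reason is only in the changelog (id_buf is stored in data->raw_info_block and freed by mxt_free_object_table). A one-line comment above the return stating that ownership of id_buf has already passed to data would keep a later cleanup from turning it back into `goto err_free_mem;` and reintroducing the double free.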
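Review bot: in the first drivers/char/ipmi/ipmi_msghandler.c hunk (init_srcu_struct), the new `if (rv) goto out;` path fails silently. The workqueue failure a few lines further down in the same function logs with pr_err() before bailing out; a matching message here would make an allocation failure during ipmi_init_msghandler() visible in the log instead of surfacing only as a return code.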
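Review bot: in the second drivers/char/ipmi/ipmi_msghandler.c hunk (workqueue allocation), the success path falls through the new `out_wq:` label, so correctness depends on rv still being 0 after `initialized = true;` and on the `if (rv)` guard in front of `cleanup_srcu_struct(&ipmi_interfaces_srcu);`. That holds for the lines shown, but it is fragile; a short comment at the label, or a layout in which only the error path reaches the cleanup, would make the intent explicit. Separately, the pr_err() string in the context lines has no trailing "\n".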
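Review bot: in the arch/parisc/kernel/syscall.S hunk, the comment above `or,od %r1,%r30,%r30` explains only why the W bit is deposited into sp, not that the completer decides whether the following `depdi 0, 31, 32, %r20` is nullified. Since the changelog says a reversed completer leaves %r20 unclipped for 32-bit (W=0) callers and lets a user process branch to an undefined kernel location, the comment should state the intended condition (nullify the depdi when the least-significant bit of %r30 is 1) so the next reader can check the completer against it.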
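Review bot: in the arch/x86/include/asm/pgtable.h hunk, nothing next to `#define PKRU_AD_BIT 0x1u` and `#define PKRU_WD_BIT 0x2u` records why the suffix matters. The changelog gives the reason (both are shifted by up to 30 bits, which reaches the sign bit of a signed constant), and a one-line comment above the defines saying they must stay unsigned would stop a later tidy-up from dropping the `u`. `PKRU_BITS_PER_PKEY` is left as a plain `2`, which is fine as long as it is only used to compute the shift count.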