From: Greg Kroah-Hartman Date: Mon, 7 Oct 2024 17:05:31 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v6.6.55~75 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=62a59cf73ce12a1649e68f1086a70922a074d629;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: aoe-fix-the-potential-use-after-free-problem-in-more-places.patch clk-qcom-clk-rpmh-fix-overflow-in-bcm-vote.patch clk-qcom-dispcc-sm8250-use-clk_set_rate_parent-for-branch-clocks.patch clk-qcom-gcc-sc8180x-fix-the-sdcc2-and-sdcc4-clocks-freq-table.patch clk-qcom-gcc-sm8150-de-register-gcc_cpuss_ahb_clk_src.patch clk-qcom-gcc-sm8250-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch clk-rockchip-fix-error-for-unknown-clocks.patch iio-magnetometer-ak8975-fix-reading-for-ak099xx-sensors.patch input-adp5589-keys-fix-adp5589_gpio_get_value.patch input-adp5589-keys-fix-null-pointer-dereference.patch media-sun4i_csi-implement-link-validate-for-sun4i_csi-subdev.patch media-uapi-linux-cec.h-cec_msg_set_reply_to-zero-flags.patch media-venus-fix-use-after-free-bug-in-venus_remove-due-to-race-condition.patch net-stmmac-fix-zero-division-error-when-disabling-tc-cbs.patch rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch --- diff --git a/queue-5.15/aoe-fix-the-potential-use-after-free-problem-in-more-places.patch b/queue-5.15/aoe-fix-the-potential-use-after-free-problem-in-more-places.patch new file mode 100644 index 00000000000..238401fbf93 --- /dev/null +++ b/queue-5.15/aoe-fix-the-potential-use-after-free-problem-in-more-places.patch 
@@ -0,0 +1,98 @@ +From 6d6e54fc71ad1ab0a87047fd9c211e75d86084a3 Mon Sep 17 00:00:00 2001 +From: Chun-Yi Lee +Date: Wed, 2 Oct 2024 11:54:58 +0800 +Subject: aoe: fix the potential use-after-free problem in more places + +From: Chun-Yi Lee + +commit 6d6e54fc71ad1ab0a87047fd9c211e75d86084a3 upstream. + +For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential +use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put() +instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs +into use-after-free. + +Then Nicolai Stange found more places in aoe have potential use-after-free +problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() +and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push +packet to tx queue. So they should also use dev_hold() to increase the +refcnt of skb->dev. + +On the other hand, moving dev_put() to tx() causes that the refcnt of +skb->dev be reduced to a negative value, because corresponding +dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(), +probe(), and aoecmd_cfg_rsp(). This patch fixed this issue. 
+ +Cc: stable@vger.kernel.org +Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270 +Fixes: f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") +Reported-by: Nicolai Stange +Signed-off-by: Chun-Yi Lee +Link: https://lore.kernel.org/stable/20240624064418.27043-1-jlee%40suse.com +Link: https://lore.kernel.org/r/20241002035458.24401-1-jlee@suse.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/aoe/aoecmd.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/block/aoe/aoecmd.c ++++ b/drivers/block/aoe/aoecmd.c +@@ -362,6 +362,7 @@ ata_rw_frameinit(struct frame *f) + } + + ah->cmdstat = ATA_CMD_PIO_READ | writebit | extbit; ++ dev_hold(t->ifp->nd); + skb->dev = t->ifp->nd; + } + +@@ -402,6 +403,8 @@ aoecmd_ata_rw(struct aoedev *d) + __skb_queue_head_init(&queue); + __skb_queue_tail(&queue, skb); + aoenet_xmit(&queue); ++ } else { ++ dev_put(f->t->ifp->nd); + } + return 1; + } +@@ -484,10 +487,13 @@ resend(struct aoedev *d, struct frame *f + memcpy(h->dst, t->addr, sizeof h->dst); + memcpy(h->src, t->ifp->nd->dev_addr, sizeof h->src); + ++ dev_hold(t->ifp->nd); + skb->dev = t->ifp->nd; + skb = skb_clone(skb, GFP_ATOMIC); +- if (skb == NULL) ++ if (skb == NULL) { ++ dev_put(t->ifp->nd); + return; ++ } + f->sent = ktime_get(); + __skb_queue_head_init(&queue); + __skb_queue_tail(&queue, skb); +@@ -618,6 +624,8 @@ probe(struct aoetgt *t) + __skb_queue_head_init(&queue); + __skb_queue_tail(&queue, skb); + aoenet_xmit(&queue); ++ } else { ++ dev_put(f->t->ifp->nd); + } + } + +@@ -1396,6 +1404,7 @@ aoecmd_ata_id(struct aoedev *d) + ah->cmdstat = ATA_CMD_ID_ATA; + ah->lba3 = 0xa0; + ++ dev_hold(t->ifp->nd); + skb->dev = t->ifp->nd; + + d->rttavg = RTTAVG_INIT; +@@ -1405,6 +1414,8 @@ aoecmd_ata_id(struct aoedev *d) + skb = skb_clone(skb, GFP_ATOMIC); + if (skb) + f->sent = ktime_get(); ++ else ++ dev_put(t->ifp->nd); + + return skb; + } 
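Review bot: The clone-failure branches added in aoecmd_ata_rw() and probe() release the reference through `f->t->ifp->nd`, while the matching `dev_hold()` in ata_rw_frameinit() was taken on `t->ifp->nd` and recorded in `skb->dev`. The two name the same device only if `t->ifp` is not changed between the hold and the put, which these hunks do not show. Releasing through the recorded pointer, e.g. `dev_put(f->skb->dev);` if the frame's skb is reachable at that point, would tie the put to exactly the device that was held. Because the hold and the put sit in different functions (and, per the commit message, the normal-path put is in tx()), a short comment at each `dev_hold()` such as `/* ref dropped by tx() after xmit, or by the caller when skb_clone() fails */` would make the pairing auditable. All of the touched functions start or end outside their hunks.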
diff --git a/queue-5.15/clk-qcom-clk-rpmh-fix-overflow-in-bcm-vote.patch b/queue-5.15/clk-qcom-clk-rpmh-fix-overflow-in-bcm-vote.patch new file mode 100644 index 00000000000..e01374165ea --- /dev/null +++ b/queue-5.15/clk-qcom-clk-rpmh-fix-overflow-in-bcm-vote.patch @@ -0,0 +1,36 @@ +From a4e5af27e6f6a8b0d14bc0d7eb04f4a6c7291586 Mon Sep 17 00:00:00 2001 +From: Mike Tipton +Date: Fri, 9 Aug 2024 10:51:29 +0530 +Subject: clk: qcom: clk-rpmh: Fix overflow in BCM vote + +From: Mike Tipton + +commit a4e5af27e6f6a8b0d14bc0d7eb04f4a6c7291586 upstream. + +Valid frequencies may result in BCM votes that exceed the max HW value. +Set vote ceiling to BCM_TCS_CMD_VOTE_MASK to ensure the votes aren't +truncated, which can result in lower frequencies than desired. + +Fixes: 04053f4d23a4 ("clk: qcom: clk-rpmh: Add IPA clock support") +Cc: stable@vger.kernel.org +Signed-off-by: Mike Tipton +Reviewed-by: Taniya Das +Signed-off-by: Imran Shaik +Link: https://lore.kernel.org/r/20240809-clk-rpmh-bcm-vote-fix-v2-1-240c584b7ef9@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/clk-rpmh.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/clk/qcom/clk-rpmh.c ++++ b/drivers/clk/qcom/clk-rpmh.c +@@ -270,6 +270,8 @@ static int clk_rpmh_bcm_send_cmd(struct + cmd_state = 0; + } + ++ cmd_state = min(cmd_state, BCM_TCS_CMD_VOTE_MASK); ++ + if (c->last_sent_aggr_state != cmd_state) { + cmd.addr = c->res_addr; + cmd.data = BCM_TCS_CMD(1, enable, 0, cmd_state); diff --git a/queue-5.15/clk-qcom-dispcc-sm8250-use-clk_set_rate_parent-for-branch-clocks.patch b/queue-5.15/clk-qcom-dispcc-sm8250-use-clk_set_rate_parent-for-branch-clocks.patch new file mode 100644 index 00000000000..66e0abfbe1f --- /dev/null +++ b/queue-5.15/clk-qcom-dispcc-sm8250-use-clk_set_rate_parent-for-branch-clocks.patch 
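Review bot: In the clk-rpmh.c hunk, `cmd_state = min(cmd_state, BCM_TCS_CMD_VOTE_MASK);` compares a variable declared outside the hunk with a macro constant, and `min()` in older kernel trees is strict about mismatched operand types. If `cmd_state` is unsigned and the mask expands to a plain integer literal, this 5.15 backport may produce a type-check warning that the upstream tree does not. `cmd_state = min_t(u32, cmd_state, BCM_TCS_CMD_VOTE_MASK);` makes the comparison type explicit, assuming `u32` matches the declaration. A one-line comment that the clamp keeps the vote within the field packed by `BCM_TCS_CMD()` would also record why the ceiling is this mask; clk_rpmh_bcm_send_cmd() continues outside the hunk.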
@@ -0,0 +1,48 @@ +From 0e93c6320ecde0583de09f3fe801ce8822886fec Mon Sep 17 00:00:00 2001 +From: Dmitry Baryshkov +Date: Sun, 4 Aug 2024 08:40:05 +0300 +Subject: clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks + +From: Dmitry Baryshkov + +commit 0e93c6320ecde0583de09f3fe801ce8822886fec upstream. + +Add CLK_SET_RATE_PARENT for several branch clocks. Such clocks don't +have a way to change the rate, so set the parent rate instead. + +Fixes: 80a18f4a8567 ("clk: qcom: Add display clock controller driver for SM8150 and SM8250") +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-1-1149dd8399fe@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/dispcc-sm8250.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/clk/qcom/dispcc-sm8250.c ++++ b/drivers/clk/qcom/dispcc-sm8250.c +@@ -832,6 +832,7 @@ static struct clk_branch disp_cc_mdss_dp + &disp_cc_mdss_dp_link1_div_clk_src.clkr.hw, + }, + .num_parents = 1, ++ .flags = CLK_SET_RATE_PARENT, + .ops = &clk_branch2_ops, + }, + }, +@@ -867,6 +868,7 @@ static struct clk_branch disp_cc_mdss_dp + &disp_cc_mdss_dp_link_div_clk_src.clkr.hw, + }, + .num_parents = 1, ++ .flags = CLK_SET_RATE_PARENT, + .ops = &clk_branch2_ops, + }, + }, +@@ -992,6 +994,7 @@ static struct clk_branch disp_cc_mdss_md + &disp_cc_mdss_mdp_clk_src.clkr.hw, + }, + .num_parents = 1, ++ .flags = CLK_SET_RATE_PARENT, + .ops = &clk_branch2_ops, + }, + }, diff --git a/queue-5.15/clk-qcom-gcc-sc8180x-fix-the-sdcc2-and-sdcc4-clocks-freq-table.patch b/queue-5.15/clk-qcom-gcc-sc8180x-fix-the-sdcc2-and-sdcc4-clocks-freq-table.patch new file mode 100644 index 00000000000..949574ce1d5 --- /dev/null +++ b/queue-5.15/clk-qcom-gcc-sc8180x-fix-the-sdcc2-and-sdcc4-clocks-freq-table.patch 
@@ -0,0 +1,44 @@ +From b8acaf2de8081371761ab4cf1e7a8ee4e7acc139 Mon Sep 17 00:00:00 2001 +From: Satya Priya Kakitapalli +Date: Mon, 12 Aug 2024 10:43:04 +0530 +Subject: clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table + +From: Satya Priya Kakitapalli + +commit b8acaf2de8081371761ab4cf1e7a8ee4e7acc139 upstream. + +Update the frequency tables of gcc_sdcc2_apps_clk and gcc_sdcc4_apps_clk +as per the latest frequency plan. + +Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x") +Cc: stable@vger.kernel.org +Signed-off-by: Satya Priya Kakitapalli +Link: https://lore.kernel.org/r/20240812-gcc-sc8180x-fixes-v2-4-8b3eaa5fb856@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-sc8180x.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/clk/qcom/gcc-sc8180x.c ++++ b/drivers/clk/qcom/gcc-sc8180x.c +@@ -895,7 +895,7 @@ static const struct freq_tbl ftbl_gcc_sd + F(25000000, P_GPLL0_OUT_MAIN, 12, 1, 2), + F(50000000, P_GPLL0_OUT_MAIN, 12, 0, 0), + F(100000000, P_GPLL0_OUT_MAIN, 6, 0, 0), +- F(200000000, P_GPLL0_OUT_MAIN, 3, 0, 0), ++ F(202000000, P_GPLL9_OUT_MAIN, 4, 0, 0), + { } + }; + +@@ -918,9 +918,8 @@ static const struct freq_tbl ftbl_gcc_sd + F(400000, P_BI_TCXO, 12, 1, 4), + F(9600000, P_BI_TCXO, 2, 0, 0), + F(19200000, P_BI_TCXO, 1, 0, 0), +- F(37500000, P_GPLL0_OUT_MAIN, 16, 0, 0), + F(50000000, P_GPLL0_OUT_MAIN, 12, 0, 0), +- F(75000000, P_GPLL0_OUT_MAIN, 8, 0, 0), ++ F(100000000, P_GPLL0_OUT_MAIN, 6, 0, 0), + { } + }; + diff --git a/queue-5.15/clk-qcom-gcc-sm8150-de-register-gcc_cpuss_ahb_clk_src.patch b/queue-5.15/clk-qcom-gcc-sm8150-de-register-gcc_cpuss_ahb_clk_src.patch new file mode 100644 index 00000000000..abb01201121 --- /dev/null +++ b/queue-5.15/clk-qcom-gcc-sm8150-de-register-gcc_cpuss_ahb_clk_src.patch 
@@ -0,0 +1,124 @@ +From bab0c7a0bc586e736b7cd2aac8e6391709a70ef2 Mon Sep 17 00:00:00 2001 +From: Satya Priya Kakitapalli +Date: Mon, 12 Aug 2024 10:43:05 +0530 +Subject: clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src + +From: Satya Priya Kakitapalli + +commit bab0c7a0bc586e736b7cd2aac8e6391709a70ef2 upstream. + +The branch clocks of gcc_cpuss_ahb_clk_src are marked critical +and hence these clocks vote on XO blocking the suspend. +De-register these clocks and its source as there is no rate +setting happening on them. + +Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x") +Cc: stable@vger.kernel.org +Signed-off-by: Satya Priya Kakitapalli +Link: https://lore.kernel.org/r/20240812-gcc-sc8180x-fixes-v2-5-8b3eaa5fb856@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-sc8180x.c | 63 ----------------------------------------- + 1 file changed, 63 deletions(-) + +--- a/drivers/clk/qcom/gcc-sc8180x.c ++++ b/drivers/clk/qcom/gcc-sc8180x.c +@@ -261,28 +261,6 @@ static const struct clk_parent_data gcc_ + { .hw = &gpll0_out_even.clkr.hw }, + }; + +-static const struct freq_tbl ftbl_gcc_cpuss_ahb_clk_src[] = { +- F(19200000, P_BI_TCXO, 1, 0, 0), +- F(50000000, P_GPLL0_OUT_MAIN, 12, 0, 0), +- F(100000000, P_GPLL0_OUT_MAIN, 6, 0, 0), +- { } +-}; +- +-static struct clk_rcg2 gcc_cpuss_ahb_clk_src = { +- .cmd_rcgr = 0x48014, +- .mnd_width = 0, +- .hid_width = 5, +- .parent_map = gcc_parent_map_0, +- .freq_tbl = ftbl_gcc_cpuss_ahb_clk_src, +- .clkr.hw.init = &(struct clk_init_data){ +- .name = "gcc_cpuss_ahb_clk_src", +- .parent_data = gcc_parents_0, +- .num_parents = ARRAY_SIZE(gcc_parents_0), +- .flags = CLK_SET_RATE_PARENT, +- .ops = &clk_rcg2_ops, +- }, +-}; +- + static const struct freq_tbl ftbl_gcc_emac_ptp_clk_src[] = { + F(19200000, P_BI_TCXO, 1, 0, 0), + F(50000000, P_GPLL0_OUT_EVEN, 6, 0, 0), +@@ -1600,25 +1578,6 @@ static struct clk_branch gcc_cfg_noc_usb + }, + }; + +-/* 
For CPUSS functionality the AHB clock needs to be left enabled */ +-static struct clk_branch gcc_cpuss_ahb_clk = { +- .halt_reg = 0x48000, +- .halt_check = BRANCH_HALT_VOTED, +- .clkr = { +- .enable_reg = 0x52004, +- .enable_mask = BIT(21), +- .hw.init = &(struct clk_init_data){ +- .name = "gcc_cpuss_ahb_clk", +- .parent_hws = (const struct clk_hw *[]){ +- &gcc_cpuss_ahb_clk_src.clkr.hw +- }, +- .num_parents = 1, +- .flags = CLK_IS_CRITICAL | CLK_SET_RATE_PARENT, +- .ops = &clk_branch2_ops, +- }, +- }, +-}; +- + static struct clk_branch gcc_cpuss_rbcpr_clk = { + .halt_reg = 0x48008, + .halt_check = BRANCH_HALT, +@@ -3151,25 +3110,6 @@ static struct clk_branch gcc_sdcc4_apps_ + }, + }; + +-/* For CPUSS functionality the SYS NOC clock needs to be left enabled */ +-static struct clk_branch gcc_sys_noc_cpuss_ahb_clk = { +- .halt_reg = 0x4819c, +- .halt_check = BRANCH_HALT_VOTED, +- .clkr = { +- .enable_reg = 0x52004, +- .enable_mask = BIT(0), +- .hw.init = &(struct clk_init_data){ +- .name = "gcc_sys_noc_cpuss_ahb_clk", +- .parent_hws = (const struct clk_hw *[]){ +- &gcc_cpuss_ahb_clk_src.clkr.hw +- }, +- .num_parents = 1, +- .flags = CLK_IS_CRITICAL | CLK_SET_RATE_PARENT, +- .ops = &clk_branch2_ops, +- }, +- }, +-}; +- + static struct clk_branch gcc_tsif_ahb_clk = { + .halt_reg = 0x36004, + .halt_check = BRANCH_HALT, +@@ -4259,8 +4199,6 @@ static struct clk_regmap *gcc_sc8180x_cl + [GCC_CFG_NOC_USB3_MP_AXI_CLK] = &gcc_cfg_noc_usb3_mp_axi_clk.clkr, + [GCC_CFG_NOC_USB3_PRIM_AXI_CLK] = &gcc_cfg_noc_usb3_prim_axi_clk.clkr, + [GCC_CFG_NOC_USB3_SEC_AXI_CLK] = &gcc_cfg_noc_usb3_sec_axi_clk.clkr, +- [GCC_CPUSS_AHB_CLK] = &gcc_cpuss_ahb_clk.clkr, +- [GCC_CPUSS_AHB_CLK_SRC] = &gcc_cpuss_ahb_clk_src.clkr, + [GCC_CPUSS_RBCPR_CLK] = &gcc_cpuss_rbcpr_clk.clkr, + [GCC_DDRSS_GPU_AXI_CLK] = &gcc_ddrss_gpu_axi_clk.clkr, + [GCC_DISP_HF_AXI_CLK] = &gcc_disp_hf_axi_clk.clkr, +@@ -4397,7 +4335,6 @@ static struct clk_regmap *gcc_sc8180x_cl + [GCC_SDCC4_AHB_CLK] = &gcc_sdcc4_ahb_clk.clkr, + 
[GCC_SDCC4_APPS_CLK] = &gcc_sdcc4_apps_clk.clkr, + [GCC_SDCC4_APPS_CLK_SRC] = &gcc_sdcc4_apps_clk_src.clkr, +- [GCC_SYS_NOC_CPUSS_AHB_CLK] = &gcc_sys_noc_cpuss_ahb_clk.clkr, + [GCC_TSIF_AHB_CLK] = &gcc_tsif_ahb_clk.clkr, + [GCC_TSIF_INACTIVITY_TIMERS_CLK] = &gcc_tsif_inactivity_timers_clk.clkr, + [GCC_TSIF_REF_CLK] = &gcc_tsif_ref_clk.clkr, diff --git a/queue-5.15/clk-qcom-gcc-sm8250-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch b/queue-5.15/clk-qcom-gcc-sm8250-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch new file mode 100644 index 00000000000..d494ac9b0f0 --- /dev/null +++ b/queue-5.15/clk-qcom-gcc-sm8250-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch 
@@ -0,0 +1,57 @@ +From ade508b545c969c72cd68479f275a5dd640fd8b9 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Fri, 19 Jul 2024 19:12:38 +0530 +Subject: clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() + +From: Manivannan Sadhasivam + +commit ade508b545c969c72cd68479f275a5dd640fd8b9 upstream. + +With PWRSTS_OFF_ON, PCIe GDSCs are turned off during gdsc_disable(). This +can happen during scenarios such as system suspend and breaks the resume +of PCIe controllers from suspend. + +So use PWRSTS_RET_ON to indicate the GDSC driver to not turn off the GDSCs +during gdsc_disable() and allow the hardware to transition the GDSCs to +retention when the parent domain enters low power state during system +suspend. + +Cc: stable@vger.kernel.org # 5.7 +Fixes: 3e5770921a88 ("clk: qcom: gcc: Add global clock controller driver for SM8250") +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20240719134238.312191-1-manivannan.sadhasivam@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-sm8250.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/clk/qcom/gcc-sm8250.c ++++ b/drivers/clk/qcom/gcc-sm8250.c +@@ -3228,7 +3228,7 @@ static struct gdsc pcie_0_gdsc = { + .pd = { + .name = "pcie_0_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + }; + + static struct gdsc pcie_1_gdsc = { +@@ -3236,7 +3236,7 @@ static struct gdsc pcie_1_gdsc = { + .pd = { + .name = "pcie_1_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + }; + + static struct gdsc pcie_2_gdsc = { +@@ -3244,7 +3244,7 @@ static struct gdsc pcie_2_gdsc = { + .pd = { + .name = "pcie_2_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + }; + + static struct gdsc ufs_card_gdsc = { 
diff --git a/queue-5.15/clk-rockchip-fix-error-for-unknown-clocks.patch b/queue-5.15/clk-rockchip-fix-error-for-unknown-clocks.patch new file mode 100644 index 00000000000..eb6e123362d --- /dev/null +++ b/queue-5.15/clk-rockchip-fix-error-for-unknown-clocks.patch @@ -0,0 +1,43 @@ +From 12fd64babaca4dc09d072f63eda76ba44119816a Mon Sep 17 00:00:00 2001 +From: Sebastian Reichel +Date: Mon, 25 Mar 2024 20:33:36 +0100 +Subject: clk: rockchip: fix error for unknown clocks + +From: Sebastian Reichel + +commit 12fd64babaca4dc09d072f63eda76ba44119816a upstream. + +There is a clk == NULL check after the switch to check for +unsupported clk types. Since clk is re-assigned in a loop, +this check is useless right now for anything but the first +round. Let's fix this up by assigning clk = NULL in the +loop before the switch statement. + +Fixes: a245fecbb806 ("clk: rockchip: add basic infrastructure for clock branches") +Cc: stable@vger.kernel.org +Signed-off-by: Sebastian Reichel +[added fixes + stable-cc] +Link: https://lore.kernel.org/r/20240325193609.237182-6-sebastian.reichel@collabora.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/rockchip/clk.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/clk/rockchip/clk.c ++++ b/drivers/clk/rockchip/clk.c +@@ -434,12 +434,13 @@ void rockchip_clk_register_branches(stru + struct rockchip_clk_branch *list, + unsigned int nr_clk) + { +- struct clk *clk = NULL; ++ struct clk *clk; + unsigned int idx; + unsigned long flags; + + for (idx = 0; idx < nr_clk; idx++, list++) { + flags = list->flags; ++ clk = NULL; + + /* catch simple muxes */ + switch (list->branch_type) { diff --git a/queue-5.15/iio-magnetometer-ak8975-fix-reading-for-ak099xx-sensors.patch b/queue-5.15/iio-magnetometer-ak8975-fix-reading-for-ak099xx-sensors.patch new file mode 100644 index 00000000000..4c02a4d9fd3 --- /dev/null +++ b/queue-5.15/iio-magnetometer-ak8975-fix-reading-for-ak099xx-sensors.patch 
@@ -0,0 +1,78 @@ +From 129464e86c7445a858b790ac2d28d35f58256bbe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Barnab=C3=A1s=20Cz=C3=A9m=C3=A1n?= + +Date: Mon, 19 Aug 2024 00:29:40 +0200 +Subject: iio: magnetometer: ak8975: Fix reading for ak099xx sensors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Czémán + +commit 129464e86c7445a858b790ac2d28d35f58256bbe upstream. + +Move ST2 reading with overflow handling after measurement data +reading. +ST2 register read have to be read after read measurment data, +because it means end of the reading and realease the lock on the data. +Remove ST2 read skip on interrupt based waiting because ST2 required to +be read out at and of the axis read. + +Fixes: 57e73a423b1e ("iio: ak8975: add ak09911 and ak09912 support") +Signed-off-by: Barnabás Czémán +Link: https://patch.msgid.link/20240819-ak09918-v4-2-f0734d14cfb9@mainlining.org +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/magnetometer/ak8975.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +--- a/drivers/iio/magnetometer/ak8975.c ++++ b/drivers/iio/magnetometer/ak8975.c +@@ -661,22 +661,8 @@ static int ak8975_start_read_axis(struct + if (ret < 0) + return ret; + +- /* This will be executed only for non-interrupt based waiting case */ +- if (ret & data->def->ctrl_masks[ST1_DRDY]) { +- ret = i2c_smbus_read_byte_data(client, +- data->def->ctrl_regs[ST2]); +- if (ret < 0) { +- dev_err(&client->dev, "Error in reading ST2\n"); +- return ret; +- } +- if (ret & (data->def->ctrl_masks[ST2_DERR] | +- data->def->ctrl_masks[ST2_HOFL])) { +- dev_err(&client->dev, "ST2 status error 0x%x\n", ret); +- return -EINVAL; +- } +- } +- +- return 0; ++ /* Return with zero if the data is ready. */ ++ return !data->def->ctrl_regs[ST1_DRDY]; + } + + /* Retrieve raw flux value for one of the x, y, or z axis. 
*/ +@@ -703,6 +689,20 @@ static int ak8975_read_axis(struct iio_d + if (ret < 0) + goto exit; + ++ /* Read out ST2 for release lock on measurment data. */ ++ ret = i2c_smbus_read_byte_data(client, data->def->ctrl_regs[ST2]); ++ if (ret < 0) { ++ dev_err(&client->dev, "Error in reading ST2\n"); ++ goto exit; ++ } ++ ++ if (ret & (data->def->ctrl_masks[ST2_DERR] | ++ data->def->ctrl_masks[ST2_HOFL])) { ++ dev_err(&client->dev, "ST2 status error 0x%x\n", ret); ++ ret = -EINVAL; ++ goto exit; ++ } ++ + mutex_unlock(&data->lock); + + pm_runtime_mark_last_busy(&data->client->dev); diff --git a/queue-5.15/input-adp5589-keys-fix-adp5589_gpio_get_value.patch b/queue-5.15/input-adp5589-keys-fix-adp5589_gpio_get_value.patch new file mode 100644 index 00000000000..c5a60760719 --- /dev/null +++ b/queue-5.15/input-adp5589-keys-fix-adp5589_gpio_get_value.patch 
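Review bot: The new return in ak8975_start_read_axis(), `return !data->def->ctrl_regs[ST1_DRDY];`, indexes the register table with `ST1_DRDY`, which the removed code used as an index into `ctrl_masks`, and it no longer consults `ret`. As written the result depends only on a constant table entry, so it cannot report whether data is ready, despite the comment above it. If success is meant to be unconditional once the wait returned without error, `return 0;` says so directly. If readiness should still be tested, the check needs `ret` and `ctrl_masks[ST1_DRDY]`, keeping in mind that what `ret` holds on the interrupt-wait path is not visible here. The ST2 error paths added to ak8975_read_axis() leave through `goto exit`, whose label is outside the hunk, so the unlock on those paths should be confirmed there.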
@@ -0,0 +1,49 @@ +From c684771630e64bc39bddffeb65dd8a6612a6b249 Mon Sep 17 00:00:00 2001 +From: Nuno Sa +Date: Tue, 1 Oct 2024 07:47:23 -0700 +Subject: Input: adp5589-keys - fix adp5589_gpio_get_value() + +From: Nuno Sa + +commit c684771630e64bc39bddffeb65dd8a6612a6b249 upstream. + +The adp5589 seems to have the same behavior as similar devices as +explained in commit 910a9f5636f5 ("Input: adp5588-keys - get value from +data out when dir is out"). + +Basically, when the gpio is set as output we need to get the value from +ADP5589_GPO_DATA_OUT_A register instead of ADP5589_GPI_STATUS_A. + +Fixes: 9d2e173644bb ("Input: ADP5589 - new driver for I2C Keypad Decoder and I/O Expander") +Signed-off-by: Nuno Sa +Link: https://lore.kernel.org/r/20241001-b4-dev-adp5589-fw-conversion-v1-2-fca0149dfc47@analog.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/keyboard/adp5589-keys.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/input/keyboard/adp5589-keys.c ++++ b/drivers/input/keyboard/adp5589-keys.c +@@ -391,10 +391,17 @@ static int adp5589_gpio_get_value(struct + struct adp5589_kpad *kpad = gpiochip_get_data(chip); + unsigned int bank = kpad->var->bank(kpad->gpiomap[off]); + unsigned int bit = kpad->var->bit(kpad->gpiomap[off]); ++ int val; + +- return !!(adp5589_read(kpad->client, +- kpad->var->reg(ADP5589_GPI_STATUS_A) + bank) & +- bit); ++ mutex_lock(&kpad->gpio_lock); ++ if (kpad->dir[bank] & bit) ++ val = kpad->dat_out[bank]; ++ else ++ val = adp5589_read(kpad->client, ++ kpad->var->reg(ADP5589_GPI_STATUS_A) + bank); ++ mutex_unlock(&kpad->gpio_lock); ++ ++ return !!(val & bit); + } + + static void adp5589_gpio_set_value(struct gpio_chip *chip, diff --git a/queue-5.15/input-adp5589-keys-fix-null-pointer-dereference.patch b/queue-5.15/input-adp5589-keys-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..0c8213e74ea --- /dev/null 
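Review bot: In adp5589_gpio_get_value() the result of `adp5589_read()` goes straight into `!!(val & bit)`, so if that helper returns a negative errno on an I2C failure (its definition is outside the hunk), the error is reported as a pin level. Checking it after the unlock, `if (val < 0) return val;`, would propagate the failure to the GPIO core instead. The output branch returns the cached `kpad->dat_out[bank]` under `gpio_lock`. A comment such as `/* direction is output: report the cached GPO_DATA_OUT value instead of GPI_STATUS */` would record why the two branches read different sources.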
+++ b/queue-5.15/input-adp5589-keys-fix-null-pointer-dereference.patch 
@@ -0,0 +1,58 @@ +From fb5cc65f973661241e4a2b7390b429aa7b330c69 Mon Sep 17 00:00:00 2001 +From: Nuno Sa +Date: Tue, 1 Oct 2024 07:46:44 -0700 +Subject: Input: adp5589-keys - fix NULL pointer dereference + +From: Nuno Sa + +commit fb5cc65f973661241e4a2b7390b429aa7b330c69 upstream. + +We register a devm action to call adp5589_clear_config() and then pass +the i2c client as argument so that we can call i2c_get_clientdata() in +order to get our device object. However, i2c_set_clientdata() is only +being set at the end of the probe function which means that we'll get a +NULL pointer dereference in case the probe function fails early. + +Fixes: 30df385e35a4 ("Input: adp5589-keys - use devm_add_action_or_reset() for register clear") +Signed-off-by: Nuno Sa +Link: https://lore.kernel.org/r/20241001-b4-dev-adp5589-fw-conversion-v1-1-fca0149dfc47@analog.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/keyboard/adp5589-keys.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/input/keyboard/adp5589-keys.c ++++ b/drivers/input/keyboard/adp5589-keys.c +@@ -936,10 +936,9 @@ static int adp5589_keypad_add(struct adp + + static void adp5589_clear_config(void *data) + { +- struct i2c_client *client = data; +- struct adp5589_kpad *kpad = i2c_get_clientdata(client); ++ struct adp5589_kpad *kpad = data; + +- adp5589_write(client, kpad->var->reg(ADP5589_GENERAL_CFG), 0); ++ adp5589_write(kpad->client, kpad->var->reg(ADP5589_GENERAL_CFG), 0); + } + + static int adp5589_probe(struct i2c_client *client, +@@ -983,7 +982,7 @@ static int adp5589_probe(struct i2c_clie + } + + error = devm_add_action_or_reset(&client->dev, adp5589_clear_config, +- client); ++ kpad); + if (error) + return error; + +@@ -1010,8 +1009,6 @@ static int adp5589_probe(struct i2c_clie + if (error) + return error; + +- i2c_set_clientdata(client, kpad); +- + dev_info(&client->dev, "Rev.%d keypad, irq %d\n", revid, 
client->irq); + return 0; + } diff --git a/queue-5.15/media-sun4i_csi-implement-link-validate-for-sun4i_csi-subdev.patch b/queue-5.15/media-sun4i_csi-implement-link-validate-for-sun4i_csi-subdev.patch new file mode 100644 index 00000000000..dafa653dc46 --- /dev/null +++ b/queue-5.15/media-sun4i_csi-implement-link-validate-for-sun4i_csi-subdev.patch 
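Review bot: The last adp5589-keys.c hunk removes `i2c_set_clientdata(client, kpad);` from adp5589_probe(), so any code in the 5.15 driver that still calls `i2c_get_clientdata()` (for example power-management callbacks, which are outside these hunks) would now get NULL. That would move the NULL dereference described in the commit message to another path rather than remove it, so the backported file should be searched for remaining users before this is queued. If any remain, keeping the call and placing it before `devm_add_action_or_reset()` preserves the old behaviour, and passing `kpad` to the action as this patch does still fixes the early-failure case. adp5589_probe() starts and ends outside the hunks.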
@@ -0,0 +1,45 @@ +From 2dc5d5d401f5c6cecd97800ffef82e8d17d228f0 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Wed, 19 Jun 2024 02:46:16 +0300 +Subject: media: sun4i_csi: Implement link validate for sun4i_csi subdev + +From: Laurent Pinchart + +commit 2dc5d5d401f5c6cecd97800ffef82e8d17d228f0 upstream. + +The sun4i_csi driver doesn't implement link validation for the subdev it +registers, leaving the link between the subdev and its source +unvalidated. Fix it, using the v4l2_subdev_link_validate() helper. + +Fixes: 577bbf23b758 ("media: sunxi: Add A10 CSI driver") +Cc: stable@vger.kernel.org +Signed-off-by: Laurent Pinchart +Acked-by: Chen-Yu Tsai +Reviewed-by: Tomi Valkeinen +Acked-by: Sakari Ailus +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c ++++ b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c +@@ -40,6 +40,10 @@ static const struct media_entity_operati + .link_validate = v4l2_subdev_link_validate, + }; + ++static const struct media_entity_operations sun4i_csi_subdev_entity_ops = { ++ .link_validate = v4l2_subdev_link_validate, ++}; ++ + static int sun4i_csi_notify_bound(struct v4l2_async_notifier *notifier, + struct v4l2_subdev *subdev, + struct v4l2_async_subdev *asd) +@@ -218,6 +222,7 @@ static int sun4i_csi_probe(struct platfo + v4l2_subdev_init(subdev, &sun4i_csi_subdev_ops); + subdev->flags = V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS; + subdev->entity.function = MEDIA_ENT_F_VID_IF_BRIDGE; ++ subdev->entity.ops = &sun4i_csi_subdev_entity_ops; + subdev->owner = THIS_MODULE; + snprintf(subdev->name, sizeof(subdev->name), "sun4i-csi-0"); + v4l2_set_subdevdata(subdev, csi); diff --git a/queue-5.15/media-uapi-linux-cec.h-cec_msg_set_reply_to-zero-flags.patch b/queue-5.15/media-uapi-linux-cec.h-cec_msg_set_reply_to-zero-flags.patch new file mode 100644 index 00000000000..eefe46a1a88 
--- /dev/null +++ b/queue-5.15/media-uapi-linux-cec.h-cec_msg_set_reply_to-zero-flags.patch @@ -0,0 +1,44 @@ +From 599f6899051cb70c4e0aa9fd591b9ee220cb6f14 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Wed, 7 Aug 2024 09:22:10 +0200 +Subject: media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags + +From: Hans Verkuil + +commit 599f6899051cb70c4e0aa9fd591b9ee220cb6f14 upstream. + +The cec_msg_set_reply_to() helper function never zeroed the +struct cec_msg flags field, this can cause unexpected behavior +if flags was uninitialized to begin with. + +Signed-off-by: Hans Verkuil +Fixes: 0dbacebede1e ("[media] cec: move the CEC framework out of staging and to media") +Cc: +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/cec.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/include/uapi/linux/cec.h ++++ b/include/uapi/linux/cec.h +@@ -132,6 +132,8 @@ static inline void cec_msg_init(struct c + * Set the msg destination to the orig initiator and the msg initiator to the + * orig destination. Note that msg and orig may be the same pointer, in which + * case the change is done in place. ++ * ++ * It also zeroes the reply, timeout and flags fields. + */ + static inline void cec_msg_set_reply_to(struct cec_msg *msg, + struct cec_msg *orig) +@@ -139,7 +141,9 @@ static inline void cec_msg_set_reply_to( + /* The destination becomes the initiator and vice versa */ + msg->msg[0] = (cec_msg_destination(orig) << 4) | + cec_msg_initiator(orig); +- msg->reply = msg->timeout = 0; ++ msg->reply = 0; ++ msg->timeout = 0; ++ msg->flags = 0; + } + + /* cec_msg flags field */ diff --git a/queue-5.15/media-venus-fix-use-after-free-bug-in-venus_remove-due-to-race-condition.patch b/queue-5.15/media-venus-fix-use-after-free-bug-in-venus_remove-due-to-race-condition.patch new file mode 100644 index 00000000000..8af97e6f3cb --- /dev/null 
+++ b/queue-5.15/media-venus-fix-use-after-free-bug-in-venus_remove-due-to-race-condition.patch @@ -0,0 +1,50 @@ +From c5a85ed88e043474161bbfe54002c89c1cb50ee2 Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Tue, 18 Jun 2024 14:55:59 +0530 +Subject: media: venus: fix use after free bug in venus_remove due to race condition + +From: Zheng Wang + +commit c5a85ed88e043474161bbfe54002c89c1cb50ee2 upstream. + +in venus_probe, core->work is bound with venus_sys_error_handler, which is +used to handle error. The code use core->sys_err_done to make sync work. +The core->work is started in venus_event_notify. + +If we call venus_remove, there might be an unfished work. The possible +sequence is as follows: + +CPU0 CPU1 + + |venus_sys_error_handler +venus_remove | +hfi_destroy | +venus_hfi_destroy | +kfree(hdev); | + |hfi_reinit + |venus_hfi_queues_reinit + |//use hdev + +Fix it by canceling the work in venus_remove. + +Cc: stable@vger.kernel.org +Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions") +Signed-off-by: Zheng Wang +Signed-off-by: Dikshita Agarwal +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -409,6 +409,7 @@ static int venus_remove(struct platform_ + struct device *dev = core->dev; + int ret; + ++ cancel_delayed_work_sync(&core->work); + ret = pm_runtime_get_sync(dev); + WARN_ON(ret < 0); + diff --git a/queue-5.15/net-stmmac-fix-zero-division-error-when-disabling-tc-cbs.patch b/queue-5.15/net-stmmac-fix-zero-division-error-when-disabling-tc-cbs.patch new file mode 100644 index 00000000000..95baeb22316 --- /dev/null +++ b/queue-5.15/net-stmmac-fix-zero-division-error-when-disabling-tc-cbs.patch 
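Review bot: `cancel_delayed_work_sync(&core->work);` is placed as the first teardown step in venus_remove(), ahead of `pm_runtime_get_sync()` and the rest of the function, which lies outside the hunk. Per the commit message the work is queued from venus_event_notify(). If that notifier can still run after this point, for instance because its event source has not yet been quiesced (not visible here), the work can be queued again and reach the freed `hdev` exactly as in the race diagram. Either the event source should be stopped before the cancel, or a comment above the call should state what guarantees that nothing re-queues `core->work` once it returns.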
@@ -0,0 +1,42 @@ +From 675faf5a14c14a2be0b870db30a70764df81e2df Mon Sep 17 00:00:00 2001 +From: KhaiWenTan +Date: Wed, 18 Sep 2024 14:14:22 +0800 +Subject: net: stmmac: Fix zero-division error when disabling tc cbs + +From: KhaiWenTan + +commit 675faf5a14c14a2be0b870db30a70764df81e2df upstream. + +The commit b8c43360f6e4 ("net: stmmac: No need to calculate speed divider +when offload is disabled") allows the "port_transmit_rate_kbps" to be +set to a value of 0, which is then passed to the "div_s64" function when +tc-cbs is disabled. This leads to a zero-division error. + +When tc-cbs is disabled, the idleslope, sendslope, and credit values the +credit values are not required to be configured. Therefore, adding a return +statement after setting the txQ mode to DCB when tc-cbs is disabled would +prevent a zero-division error. + +Fixes: b8c43360f6e4 ("net: stmmac: No need to calculate speed divider when offload is disabled") +Cc: +Co-developed-by: Choong Yong Liang +Signed-off-by: Choong Yong Liang +Signed-off-by: KhaiWenTan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20240918061422.1589662-1-khai.wen.tan@linux.intel.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +@@ -394,6 +394,7 @@ static int tc_setup_cbs(struct stmmac_pr + return ret; + + priv->plat->tx_queues_cfg[queue].mode_to_use = MTL_QUEUE_DCB; ++ return 0; + } + + /* Final adjustments for HW */ diff --git a/queue-5.15/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch b/queue-5.15/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch new file mode 100644 index 00000000000..a4263398bba --- /dev/null +++ b/queue-5.15/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch 
@@ -0,0 +1,32 @@
+From 73580e2ee6adfb40276bd420da3bb1abae204e10 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Sun, 25 Aug 2024 20:31:03 +0200
+Subject: rtc: at91sam9: fix OF node leak in probe() error path
+
+From: Krzysztof Kozlowski
+
+commit 73580e2ee6adfb40276bd420da3bb1abae204e10 upstream.
+
+Driver is leaking an OF node reference obtained from
+of_parse_phandle_with_fixed_args().
+
+Fixes: 43e112bb3dea ("rtc: at91sam9: make use of syscon/regmap to access GPBR registers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20240825183103.102904-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rtc/rtc-at91sam9.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/rtc/rtc-at91sam9.c
++++ b/drivers/rtc/rtc-at91sam9.c
+@@ -368,6 +368,7 @@ static int at91_rtc_probe(struct platfor
+ return ret;
+
+ rtc->gpbr = syscon_node_to_regmap(args.np);
++ of_node_put(args.np);
+ rtc->gpbr_offset = args.args[0];
+ if (IS_ERR(rtc->gpbr)) {
+ dev_err(&pdev->dev, "failed to retrieve gpbr regmap, aborting.\n");
diff --git a/queue-5.15/series b/queue-5.15/series
index 45900e76e0c..3c094d4a9b1 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -523,3 +523,19 @@ perf-hist-update-hist-symbol-when-updating-maps.patch
 nfsd-fix-delegation_blocked-to-block-correctly-for-at-least-30-seconds.patch
 nfsd-map-the-ebadmsg-to-nfserr_io-to-avoid-warning.patch
 nfsd-fix-nfsv4-s-putpubfh-operation.patch
+aoe-fix-the-potential-use-after-free-problem-in-more-places.patch
+clk-rockchip-fix-error-for-unknown-clocks.patch
+clk-qcom-dispcc-sm8250-use-clk_set_rate_parent-for-branch-clocks.patch
+media-sun4i_csi-implement-link-validate-for-sun4i_csi-subdev.patch
+media-uapi-linux-cec.h-cec_msg_set_reply_to-zero-flags.patch
+clk-qcom-clk-rpmh-fix-overflow-in-bcm-vote.patch
+clk-qcom-gcc-sm8150-de-register-gcc_cpuss_ahb_clk_src.patch
+media-venus-fix-use-after-free-bug-in-venus_remove-due-to-race-condition.patch
+clk-qcom-gcc-sm8250-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch
+clk-qcom-gcc-sc8180x-fix-the-sdcc2-and-sdcc4-clocks-freq-table.patch
+iio-magnetometer-ak8975-fix-reading-for-ak099xx-sensors.patch
+tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch
+net-stmmac-fix-zero-division-error-when-disabling-tc-cbs.patch
+rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch
+input-adp5589-keys-fix-null-pointer-dereference.patch
+input-adp5589-keys-fix-adp5589_gpio_get_value.patch
diff --git a/queue-5.15/tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch b/queue-5.15/tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch
new file mode 100644
index 00000000000..d6eb5a98629
--- /dev/null
+++ b/queue-5.15/tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch
@@ -0,0 +1,52 @@
+From ada1986d07976d60bed5017aa38b7f7cf27883f7 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Wed, 25 Sep 2024 22:30:59 +0900
+Subject: tomoyo: fallback to realpath if symlink's pathname does not exist
+
+From: Tetsuo Handa
+
+commit ada1986d07976d60bed5017aa38b7f7cf27883f7 upstream.
+
+Alfred Agrell found that TOMOYO cannot handle execveat(AT_EMPTY_PATH)
+inside chroot environment where /dev and /proc are not mounted, for
+commit 51f39a1f0cea ("syscalls: implement execveat() system call") missed
+that TOMOYO tries to canonicalize argv[0] when the filename fed to the
+executed program as argv[0] is supplied using potentially nonexistent
+pathname.
+
+Since "/dev/fd/" already lost symlink information used for obtaining
+that , it is too late to reconstruct symlink's pathname. Although
+ part of "/dev/fd//" might not be canonicalized,
+TOMOYO cannot use tomoyo_realpath_nofollow() when /dev or /proc is not
+mounted. Therefore, fallback to tomoyo_realpath_from_path() when
+tomoyo_realpath_nofollow() failed.
+
+Reported-by: Alfred Agrell
+Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082001
+Fixes: 51f39a1f0cea ("syscalls: implement execveat() system call")
+Cc: stable@vger.kernel.org # v3.19+
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/tomoyo/domain.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/security/tomoyo/domain.c
++++ b/security/tomoyo/domain.c
+@@ -723,10 +723,13 @@ int tomoyo_find_next_domain(struct linux
+ ee->r.obj = &ee->obj;
+ ee->obj.path1 = bprm->file->f_path;
+ /* Get symlink's pathname of program. */
+- retval = -ENOENT;
+ exename.name = tomoyo_realpath_nofollow(original_name);
+- if (!exename.name)
+- goto out;
++ if (!exename.name) {
++ /* Fallback to realpath if symlink's pathname does not exist. */
++ exename.name = tomoyo_realpath_from_path(&bprm->file->f_path);
++ if (!exename.name)
++ goto out;
++ }
+ tomoyo_fill_path_info(&exename);
+ retry:
+ /* Check 'aggregator' directive. */
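Review bot: The fallback in the new `if (!exename.name) { ... }` block runs on every NULL return from `tomoyo_realpath_nofollow()`, not only when the symlink's pathname does not exist, because the hunk tests nothing but the pointer. The name then carried into the `aggregator` check that follows is the resolved path from `tomoyo_realpath_from_path()` instead of the symlink's pathname, which changes what the policy is matched against and should be spelled out for policy authors. I would widen the comment to something like `/* Fallback to realpath if symlink's pathname cannot be obtained; policy is then checked against the resolved path. */`. Separately, with `retval = -ENOENT;` removed, the error returned when both lookups fail is whatever `retval` held before the hunk; `tomoyo_find_next_domain` starts outside it, so that value should be confirmed.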