From: Greg Kroah-Hartman Date: Thu, 23 Feb 2023 10:40:40 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v6.2.1~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8ca5e69c65923e9d5656e5b4d0035d43be2ae75e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: ext4-fix-function-prototype-mismatch-for-ext4_feat_ktype.patch wifi-mwifiex-add-missing-compatible-string-for-sd8787.patch --- diff --git a/queue-4.19/ext4-fix-function-prototype-mismatch-for-ext4_feat_ktype.patch b/queue-4.19/ext4-fix-function-prototype-mismatch-for-ext4_feat_ktype.patch new file mode 100644 index 00000000000..4dfd4bb3fea --- /dev/null +++ b/queue-4.19/ext4-fix-function-prototype-mismatch-for-ext4_feat_ktype.patch @@ -0,0 +1,74 @@ +From 118901ad1f25d2334255b3d50512fa20591531cd Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 4 Jan 2023 13:09:12 -0800 +Subject: ext4: Fix function prototype mismatch for ext4_feat_ktype + +From: Kees Cook + +commit 118901ad1f25d2334255b3d50512fa20591531cd upstream. + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. + +ext4_feat_ktype was setting the "release" handler to "kfree", which +doesn't have a matching function prototype. Add a simple wrapper +with the correct prototype. + +This was found as a result of Clang's new -Wcast-function-type-strict +flag, which is more sensitive than the simpler -Wcast-function-type, +which only checks for type width mismatches. + +Note that this code is only reached when ext4 is a loadable module and +it is being unloaded: + + CFI failure at kobject_put+0xbb/0x1b0 (target: kfree+0x0/0x180; expected type: 0x7c4aa698) + ... + RIP: 0010:kobject_put+0xbb/0x1b0 + ... + Call Trace: + + ext4_exit_sysfs+0x14/0x60 [ext4] + cleanup_module+0x67/0xedb [ext4] + +Fixes: b99fee58a20a ("ext4: create ext4_feat kobject dynamically") +Cc: Theodore Ts'o +Cc: Eric Biggers +Cc: stable@vger.kernel.org +Build-tested-by: Gustavo A. R. Silva +Reviewed-by: Gustavo A. R. Silva +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20230103234616.never.915-kees@kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Eric Biggers +Link: https://lore.kernel.org/r/20230104210908.gonna.388-kees@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/sysfs.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/ext4/sysfs.c ++++ b/fs/ext4/sysfs.c +@@ -349,6 +349,11 @@ static void ext4_sb_release(struct kobje + complete(&sbi->s_kobj_unregister); + } + ++static void ext4_feat_release(struct kobject *kobj) ++{ ++ kfree(kobj); ++} ++ + static const struct sysfs_ops ext4_attr_ops = { + .show = ext4_attr_show, + .store = ext4_attr_store, +@@ -363,7 +368,7 @@ static struct kobj_type ext4_sb_ktype = + static struct kobj_type ext4_feat_ktype = { + .default_attrs = ext4_feat_attrs, + .sysfs_ops = &ext4_attr_ops, +- .release = (void (*)(struct kobject *))kfree, ++ .release = ext4_feat_release, + }; + + static struct kobject *ext4_root; diff --git a/queue-4.19/series b/queue-4.19/series index 9810296b908..589690599bf 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -7,3 +7,5 @@ alarmtimer-prevent-starvation-by-small-intervals-and-sig_ign.patch drm-i915-gvt-fix-double-free-bug-in-split_2mb_gtt_entry.patch mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch uaccess-add-speculation-barrier-to-copy_from_user.patch +wifi-mwifiex-add-missing-compatible-string-for-sd8787.patch +ext4-fix-function-prototype-mismatch-for-ext4_feat_ktype.patch diff --git a/queue-4.19/wifi-mwifiex-add-missing-compatible-string-for-sd8787.patch b/queue-4.19/wifi-mwifiex-add-missing-compatible-string-for-sd8787.patch new file mode 100644 index 00000000000..f08c6b612c9 --- /dev/null +++ b/queue-4.19/wifi-mwifiex-add-missing-compatible-string-for-sd8787.patch @@ -0,0 +1,34 @@ +From 36dd7a4c6226133b0b7aa92b8e604e688d958d0c Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Fri, 27 Jan 2023 15:01:00 +0100 +Subject: wifi: mwifiex: Add missing compatible string for SD8787 + +From: Lukas Wunner + +commit 36dd7a4c6226133b0b7aa92b8e604e688d958d0c upstream. + +Commit e3fffc1f0b47 ("devicetree: document new marvell-8xxx and +pwrseq-sd8787 options") documented a compatible string for SD8787 in +the devicetree bindings, but neglected to add it to the mwifiex driver. + +Fixes: e3fffc1f0b47 ("devicetree: document new marvell-8xxx and pwrseq-sd8787 options") +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v4.11+ +Cc: Matt Ranostay +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/320de5005ff3b8fd76be2d2b859fd021689c3681.1674827105.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/mwifiex/sdio.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/marvell/mwifiex/sdio.c ++++ b/drivers/net/wireless/marvell/mwifiex/sdio.c +@@ -58,6 +58,7 @@ static struct memory_type_mapping mem_ty + }; + + static const struct of_device_id mwifiex_sdio_of_match_table[] = { ++ { .compatible = "marvell,sd8787" }, + { .compatible = "marvell,sd8897" }, + { .compatible = "marvell,sd8997" }, + { }