From: Greg Kroah-Hartman
Date: Mon, 13 Sep 2021 12:20:00 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.4.146~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9100b407a9a2bfcf48a43c9bc131556d7c14cf99;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
clk-kirkwood-fix-a-clocking-boot-regression.patch
fbmem-don-t-allow-too-huge-resolutions.patch
---
diff --git a/queue-4.9/clk-kirkwood-fix-a-clocking-boot-regression.patch b/queue-4.9/clk-kirkwood-fix-a-clocking-boot-regression.patch
new file mode 100644
index 00000000000..37c2e21c0d3
--- /dev/null
+++ b/queue-4.9/clk-kirkwood-fix-a-clocking-boot-regression.patch
@@ -0,0 +1,63 @@
+From aaedb9e00e5400220a8871180d23a83e67f29f63 Mon Sep 17 00:00:00 2001
+From: Linus Walleij
+Date: Sun, 15 Aug 2021 01:55:14 +0200
+Subject: clk: kirkwood: Fix a clocking boot regression
+
+From: Linus Walleij
+
+commit aaedb9e00e5400220a8871180d23a83e67f29f63 upstream.
+
+Since a few kernel releases the Pogoplug 4 has crashed like this
+during boot:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000002
+(...)
+[] (strlen) from [] (kstrdup+0x1c/0x4c)
+[] (kstrdup) from [] (__clk_register+0x44/0x37c)
+[] (__clk_register) from [] (clk_hw_register+0x20/0x44)
+[] (clk_hw_register) from [] (__clk_hw_register_mux+0x198/0x1e4)
+[] (__clk_hw_register_mux) from [] (clk_register_mux_table+0x5c/0x6c)
+[] (clk_register_mux_table) from [] (kirkwood_clk_muxing_setup.constprop.0+0x13c/0x1ac)
+[] (kirkwood_clk_muxing_setup.constprop.0) from [] (of_clk_init+0x12c/0x214)
+[] (of_clk_init) from [] (time_init+0x20/0x2c)
+[] (time_init) from [] (start_kernel+0x3dc/0x56c)
+[] (start_kernel) from [<00000000>] (0x0)
+Code: e3130020 1afffffb e12fff1e c08a1078 (e5d03000)
+
+This is because the "powersave" mux clock 0 was provided in an unterminated
+array, which is required by the loop in the driver:
+
+ /* Count, allocate, and register clock muxes */
+ for (n = 0; desc[n].name;)
+ n++;
+
+Here n will go out of bounds and then call clk_register_mux() on random
+memory contents after the mux clock.
+
+Fix this by terminating the array with a blank entry.
+
+Fixes: 105299381d87 ("cpufreq: kirkwood: use the powersave multiplexer")
+Cc: stable@vger.kernel.org
+Cc: Andrew Lunn
+Cc: Chris Packham
+Cc: Gregory CLEMENT
+Cc: Sebastian Hesselbarth
+Signed-off-by: Linus Walleij
+Link: https://lore.kernel.org/r/20210814235514.403426-1-linus.walleij@linaro.org
+Reviewed-by: Andrew Lunn
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/mvebu/kirkwood.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/clk/mvebu/kirkwood.c
++++ b/drivers/clk/mvebu/kirkwood.c
+@@ -254,6 +254,7 @@ static const char *powersave_parents[] =
+ static const struct clk_muxing_soc_desc kirkwood_mux_desc[] __initconst = {
+ { "powersave", powersave_parents, ARRAY_SIZE(powersave_parents),
+ 11, 1, 0 },
++ { }
+ };
+
+ static struct clk *clk_muxing_get_src(
diff --git a/queue-4.9/fbmem-don-t-allow-too-huge-resolutions.patch b/queue-4.9/fbmem-don-t-allow-too-huge-resolutions.patch
new file mode 100644
index 00000000000..319ddb1e8fc
--- /dev/null
+++ b/queue-4.9/fbmem-don-t-allow-too-huge-resolutions.patch
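Review bot: The new `{ }` entry at the end of `kirkwood_mux_desc[]` has no comment, although it is the only thing that stops the `for (n = 0; desc[n].name;)` scan quoted in the commit message from walking past the end of the array. I would mark it as a terminator, for example `{ } /* sentinel: a NULL .name ends the mux scan */`, so that a later entry is added above it and not after it. The array initializer is fully visible in the quoted hunk, but the loop that consumes it is not, so any other descriptor table handed to the same setup routine should be checked for a terminator as well.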
@@ -0,0 +1,64 @@
+From 8c28051cdcbe9dfcec6bd0a4709d67a09df6edae Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Wed, 8 Sep 2021 19:27:49 +0900
+Subject: fbmem: don't allow too huge resolutions
+
+From: Tetsuo Handa
+
+commit 8c28051cdcbe9dfcec6bd0a4709d67a09df6edae upstream.
+
+syzbot is reporting page fault at vga16fb_fillrect() [1], for
+vga16fb_check_var() is failing to detect multiplication overflow.
+
+ if (vxres * vyres > maxmem) {
+ vyres = maxmem / vxres;
+ if (vyres < yres)
+ return -ENOMEM;
+ }
+
+Since no module would accept too huge resolutions where multiplication
+overflow happens, let's reject in the common path.
+
+Link: https://syzkaller.appspot.com/bug?extid=04168c8063cfdde1db5e [1]
+Reported-by: syzbot
+Debugged-by: Randy Dunlap
+Signed-off-by: Tetsuo Handa
+Reviewed-by: Geert Uytterhoeven
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/185175d6-227a-7b55-433d-b070929b262c@i-love.sakura.ne.jp
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/core/fbmem.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -32,6 +32,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -981,6 +982,7 @@ fb_set_var(struct fb_info *info, struct
+ if ((var->activate & FB_ACTIVATE_FORCE) ||
+ memcmp(&info->var, var, sizeof(struct fb_var_screeninfo))) {
+ u32 activate = var->activate;
++ u32 unused;
+
+ /* When using FOURCC mode, make sure the red, green, blue and
+ * transp fields are set to 0.
+@@ -1005,6 +1007,11 @@ fb_set_var(struct fb_info *info, struct
+ if (var->xres < 8 || var->yres < 8)
+ return -EINVAL;
+
++ /* Too huge resolution causes multiplication overflow. */
++ if (check_mul_overflow(var->xres, var->yres, &unused) ||
++ check_mul_overflow(var->xres_virtual, var->yres_virtual, &unused))
++ return -EINVAL;
++
+ ret = info->fbops->fb_check_var(var, info);
+
+ if (ret)
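Review bot: The check added in the last quoted fb_set_var hunk bounds only `xres * yres` and `xres_virtual * yres_virtual` as u32 pixel counts; any byte-size product a driver's `fb_check_var` later forms (for instance with `bits_per_pixel` or a line length) is not covered, so the comment should state that limit, e.g. `/* Rejects pixel-count overflow only; drivers must still bound byte sizes. */`. Separately, `check_mul_overflow()` depends on the header added in the first quoted hunk, whose name is lost in this rendering, and whether the 4.9 tree already provides that helper is not visible here, so a build of queue-4.9 should confirm it before the patch is released. fb_set_var starts and ends outside the quoted context.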
diff --git a/queue-4.9/series b/queue-4.9/series
index bcff38da995..28a9523bb3c 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -85,3 +85,5 @@ time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch
 tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch
 kvm-x86-update-vcpu-s-hv_clock-before-back-to-guest-when-tsc_offset-is-adjusted.patch
 ima-remove-wmissing-prototypes-warning.patch
+clk-kirkwood-fix-a-clocking-boot-regression.patch
+fbmem-don-t-allow-too-huge-resolutions.patch