From: Greg Kroah-Hartman Date: Sat, 2 Apr 2022 12:51:14 +0000 (+0200) Subject: 5.17-stable patches X-Git-Tag: v5.17.2~183 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=95f74fa9a37eec0ab78c7e82a638e12a4c10445a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: bcache-fixup-multiple-threads-crash.patch crypto-rsa-pkcs1pad-correctly-get-hash-from-source-scatterlist.patch crypto-rsa-pkcs1pad-fix-buffer-overread-in-pkcs1pad_verify_complete.patch crypto-rsa-pkcs1pad-only-allow-with-rsa.patch crypto-rsa-pkcs1pad-restore-signature-length-check.patch dec-limit-pmax-memory-probing-to-r3k-systems.patch exec-force-single-empty-string-when-argv-is-empty.patch lib-raid6-test-fix-multiple-definition-linking-error.patch media-gpio-ir-tx-fix-transmit-with-long-spaces-on-orange-pi-pc.patch media-omap3isp-use-struct_group-for-memcpy-region.patch media-venus-vdec-fixed-possible-memory-leak-issue.patch pm-domains-fix-sleep-in-atomic-bug-caused-by-genpd_debug_remove.patch --- diff --git a/queue-5.17/bcache-fixup-multiple-threads-crash.patch b/queue-5.17/bcache-fixup-multiple-threads-crash.patch new file mode 100644 index 00000000000..a226a5e0924 --- /dev/null +++ b/queue-5.17/bcache-fixup-multiple-threads-crash.patch 
@@ -0,0 +1,67 @@ +From 887554ab96588de2917b6c8c73e552da082e5368 Mon Sep 17 00:00:00 2001 +From: Mingzhe Zou +Date: Fri, 11 Feb 2022 14:39:15 +0800 +Subject: bcache: fixup multiple threads crash + +From: Mingzhe Zou + +commit 887554ab96588de2917b6c8c73e552da082e5368 upstream. + +When multiple threads to check btree nodes in parallel, the main +thread wait for all threads to stop or CACHE_SET_IO_DISABLE flag: + +wait_event_interruptible(check_state->wait, + atomic_read(&check_state->started) == 0 || + test_bit(CACHE_SET_IO_DISABLE, &c->flags)); + +However, the bch_btree_node_read and bch_btree_node_read_done +maybe call bch_cache_set_error, then the CACHE_SET_IO_DISABLE +will be set. If the flag already set, the main thread return +error. At the same time, maybe some threads still running and +read NULL pointer, the kernel will crash. + +This patch change the event wait condition, the main thread must +wait for all threads to stop. + +Fixes: 8e7102273f597 ("bcache: make bch_btree_check() to be multithreaded") +Signed-off-by: Mingzhe Zou +Cc: stable@vger.kernel.org # v5.7+ +Signed-off-by: Coly Li +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/btree.c | 6 ++++-- + drivers/md/bcache/writeback.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -2060,9 +2060,11 @@ int bch_btree_check(struct cache_set *c) + } + } + ++ /* ++ * Must wait for all threads to stop. ++ */ + wait_event_interruptible(check_state->wait, +- atomic_read(&check_state->started) == 0 || +- test_bit(CACHE_SET_IO_DISABLE, &c->flags)); ++ atomic_read(&check_state->started) == 0); + + for (i = 0; i < check_state->total_threads; i++) { + if (check_state->infos[i].result) { +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -998,9 +998,11 @@ void bch_sectors_dirty_init(struct bcach + } + } + ++ /* ++ * Must wait for all threads to stop. 
++ */ + wait_event_interruptible(state->wait, +- atomic_read(&state->started) == 0 || +- test_bit(CACHE_SET_IO_DISABLE, &c->flags)); ++ atomic_read(&state->started) == 0); + + out: + kfree(state); diff --git a/queue-5.17/crypto-rsa-pkcs1pad-correctly-get-hash-from-source-scatterlist.patch b/queue-5.17/crypto-rsa-pkcs1pad-correctly-get-hash-from-source-scatterlist.patch new file mode 100644 index 00000000000..b2a0cb130ba --- /dev/null +++ b/queue-5.17/crypto-rsa-pkcs1pad-correctly-get-hash-from-source-scatterlist.patch 
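Review bot: The new wait in bch_btree_check() (and the matching one in bch_sectors_dirty_init()) still uses wait_event_interruptible() with its return value dropped, so a pending signal returns -ERESTARTSYS early and the code falls through to the check_state->infos loop, and to the kfree(state) under `out:` in writeback.c, while worker threads may still be running — the same window this patch is closing. The new comment says the main thread must wait for all threads, and the uninterruptible form expresses exactly that: `wait_event(check_state->wait, atomic_read(&check_state->started) == 0);` and `wait_event(state->wait, atomic_read(&state->started) == 0);`. Whether these callers can actually receive signals isn't visible from the hunk; if they cannot, a comment saying so would justify keeping the interruptible variant. Both enclosing functions start before the hunk and end after it.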
@@ -0,0 +1,52 @@ +From e316f7179be22912281ce6331d96d7c121fb2b17 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 18 Jan 2022 16:13:03 -0800 +Subject: crypto: rsa-pkcs1pad - correctly get hash from source scatterlist + +From: Eric Biggers + +commit e316f7179be22912281ce6331d96d7c121fb2b17 upstream. + +Commit c7381b012872 ("crypto: akcipher - new verify API for public key +algorithms") changed akcipher_alg::verify to take in both the signature +and the actual hash and do the signature verification, rather than just +return the hash expected by the signature as was the case before. To do +this, it implemented a hack where the signature and hash are +concatenated with each other in one scatterlist. + +Obviously, for this to work correctly, akcipher_alg::verify needs to +correctly extract the two items from the scatterlist it is given. +Unfortunately, it doesn't correctly extract the hash in the case where +the signature is longer than the RSA key size, as it assumes that the +signature's length is equal to the RSA key size. This causes a prefix +of the hash, or even the entire hash, to be taken from the *signature*. + +(Note, the case of a signature longer than the RSA key size should not +be allowed in the first place; a separate patch will fix that.) + +It is unclear whether the resulting scheme has any useful security +properties. + +Fix this by correctly extracting the hash from the scatterlist. 
+ +Fixes: c7381b012872 ("crypto: akcipher - new verify API for public key algorithms") +Cc: # v5.2+ +Reviewed-by: Vitaly Chikunov +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/rsa-pkcs1pad.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/rsa-pkcs1pad.c ++++ b/crypto/rsa-pkcs1pad.c +@@ -495,7 +495,7 @@ static int pkcs1pad_verify_complete(stru + sg_nents_for_len(req->src, + req->src_len + req->dst_len), + req_ctx->out_buf + ctx->key_size, +- req->dst_len, ctx->key_size); ++ req->dst_len, req->src_len); + /* Do the actual verification step. */ + if (memcmp(req_ctx->out_buf + ctx->key_size, out_buf + pos, + req->dst_len) != 0) diff --git a/queue-5.17/crypto-rsa-pkcs1pad-fix-buffer-overread-in-pkcs1pad_verify_complete.patch b/queue-5.17/crypto-rsa-pkcs1pad-fix-buffer-overread-in-pkcs1pad_verify_complete.patch new file mode 100644 index 00000000000..5bdca586815 --- /dev/null +++ b/queue-5.17/crypto-rsa-pkcs1pad-fix-buffer-overread-in-pkcs1pad_verify_complete.patch 
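Review bot: The corrected copy still feeds the result of `sg_nents_for_len(req->src, req->src_len + req->dst_len)` straight into the nents argument of the scatterlist copy call (whose name sits just above the hunk) without checking it; sg_nents_for_len() returns a negative errno when the scatterlist is shorter than the requested length, and that value would be converted to an unsigned nents count. In-kernel callers presumably build req->src as signature followed by digest with exactly src_len + dst_len bytes, so this is likely unreachable today, but the invariant lives in the caller rather than here. Storing the result in a local and taking the function's error exit when it is negative (e.g. `int nents = sg_nents_for_len(req->src, req->src_len + req->dst_len); if (nents < 0) goto done;`) would make pkcs1pad_verify_complete() self-contained. That function starts before the hunk and continues after it.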
@@ -0,0 +1,33 @@ +From a24611ea356c7f3f0ec926da11b9482ac1f414fd Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 18 Jan 2022 16:13:05 -0800 +Subject: crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() + +From: Eric Biggers + +commit a24611ea356c7f3f0ec926da11b9482ac1f414fd upstream. + +Before checking whether the expected digest_info is present, we need to +check that there are enough bytes remaining. + +Fixes: a49de377e051 ("crypto: Add hash param to pkcs1pad") +Cc: # v4.6+ +Cc: Tadeusz Struk +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/rsa-pkcs1pad.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/crypto/rsa-pkcs1pad.c ++++ b/crypto/rsa-pkcs1pad.c +@@ -476,6 +476,8 @@ static int pkcs1pad_verify_complete(stru + pos++; + + if (digest_info) { ++ if (digest_info->size > dst_len - pos) ++ goto done; + if (crypto_memneq(out_buf + pos, digest_info->data, + digest_info->size)) + goto done; diff --git a/queue-5.17/crypto-rsa-pkcs1pad-only-allow-with-rsa.patch b/queue-5.17/crypto-rsa-pkcs1pad-only-allow-with-rsa.patch new file mode 100644 index 00000000000..c6b9b58b7bb --- /dev/null +++ b/queue-5.17/crypto-rsa-pkcs1pad-only-allow-with-rsa.patch 
@@ -0,0 +1,36 @@ +From 9b30430ea356f237945e52f8a3a42158877bd5a9 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 18 Jan 2022 16:13:02 -0800 +Subject: crypto: rsa-pkcs1pad - only allow with rsa + +From: Eric Biggers + +commit 9b30430ea356f237945e52f8a3a42158877bd5a9 upstream. + +The pkcs1pad template can be instantiated with an arbitrary akcipher +algorithm, which doesn't make sense; it is specifically an RSA padding +scheme. Make it check that the underlying algorithm really is RSA. + +Fixes: 3d5b1ecdea6f ("crypto: rsa - RSA padding algorithm") +Cc: # v4.5+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/rsa-pkcs1pad.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/crypto/rsa-pkcs1pad.c ++++ b/crypto/rsa-pkcs1pad.c +@@ -621,6 +621,11 @@ static int pkcs1pad_create(struct crypto + + rsa_alg = crypto_spawn_akcipher_alg(&ctx->spawn); + ++ if (strcmp(rsa_alg->base.cra_name, "rsa") != 0) { ++ err = -EINVAL; ++ goto err_free_inst; ++ } ++ + err = -ENAMETOOLONG; + hash_name = crypto_attr_alg_name(tb[2]); + if (IS_ERR(hash_name)) { diff --git a/queue-5.17/crypto-rsa-pkcs1pad-restore-signature-length-check.patch b/queue-5.17/crypto-rsa-pkcs1pad-restore-signature-length-check.patch new file mode 100644 index 00000000000..b590426e88a --- /dev/null +++ b/queue-5.17/crypto-rsa-pkcs1pad-restore-signature-length-check.patch 
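Review bot: The new check compares `rsa_alg->base.cra_name` against "rsa" with no comment on why cra_name (the generic algorithm name) is the right field rather than cra_driver_name, which presumably differs per implementation; a one-liner such as `/* Match the generic name so any RSA implementation qualifies, but nothing else does. */` would save the next reader a lookup. The err_free_inst label and the rest of pkcs1pad_create() are outside the hunk, so whether the spawn obtained from crypto_spawn_akcipher_alg() is released on this new early exit cannot be confirmed here and is worth a glance.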
@@ -0,0 +1,46 @@ +From d3481accd974541e6a5d6a1fb588924a3519c36e Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 18 Jan 2022 16:13:04 -0800 +Subject: crypto: rsa-pkcs1pad - restore signature length check + +From: Eric Biggers + +commit d3481accd974541e6a5d6a1fb588924a3519c36e upstream. + +RSA PKCS#1 v1.5 signatures are required to be the same length as the RSA +key size. RFC8017 specifically requires the verifier to check this +(https://datatracker.ietf.org/doc/html/rfc8017#section-8.2.2). + +Commit a49de377e051 ("crypto: Add hash param to pkcs1pad") changed the +kernel to allow longer signatures, but didn't explain this part of the +change; it seems to be unrelated to the rest of the commit. + +Revert this change, since it doesn't appear to be correct. + +We can be pretty sure that no one is relying on overly-long signatures +(which would have to be front-padded with zeroes) being supported, given +that they would have been broken since commit c7381b012872 +("crypto: akcipher - new verify API for public key algorithms"). + +Fixes: a49de377e051 ("crypto: Add hash param to pkcs1pad") +Cc: # v4.6+ +Cc: Tadeusz Struk +Suggested-by: Vitaly Chikunov +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/rsa-pkcs1pad.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/rsa-pkcs1pad.c ++++ b/crypto/rsa-pkcs1pad.c +@@ -538,7 +538,7 @@ static int pkcs1pad_verify(struct akciph + + if (WARN_ON(req->dst) || + WARN_ON(!req->dst_len) || +- !ctx->key_size || req->src_len < ctx->key_size) ++ !ctx->key_size || req->src_len != ctx->key_size) + return -EINVAL; + + req_ctx->out_buf = kmalloc(ctx->key_size + req->dst_len, GFP_KERNEL); diff --git a/queue-5.17/dec-limit-pmax-memory-probing-to-r3k-systems.patch b/queue-5.17/dec-limit-pmax-memory-probing-to-r3k-systems.patch new file mode 100644 index 00000000000..bf532a4ee49 --- /dev/null +++ b/queue-5.17/dec-limit-pmax-memory-probing-to-r3k-systems.patch 
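Review bot: The restored `req->src_len != ctx->key_size` test lives in the same -EINVAL branch as the WARN_ON() API-misuse checks, so a wrong-length signature supplied by the caller is reported the same way as a kernel programming error, whereas RFC 8017 §8.2.2 (cited in the message) treats a wrong-length signature as "invalid signature". If any caller distinguishes error codes, a separate `if (req->src_len != ctx->key_size) return -EKEYREJECTED;` (or whichever code this file already uses for a rejected signature) would be more precise; if every caller only tests for non-zero, a short comment noting that is enough. pkcs1pad_verify() continues outside the hunk.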
@@ -0,0 +1,70 @@ +From 244eae91a94c6dab82b3232967d10eeb9dfa21c6 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Fri, 4 Mar 2022 20:16:23 +0000 +Subject: DEC: Limit PMAX memory probing to R3k systems + +From: Maciej W. Rozycki + +commit 244eae91a94c6dab82b3232967d10eeb9dfa21c6 upstream. + +Recent tightening of the opcode table in binutils so as to consistently +disallow the assembly or disassembly of CP0 instructions not supported +by the processor architecture chosen has caused a regression like below: + +arch/mips/dec/prom/locore.S: Assembler messages: +arch/mips/dec/prom/locore.S:29: Error: opcode not supported on this processor: r4600 (mips3) `rfe' + +in a piece of code used to probe for memory with PMAX DECstation models, +which have non-REX firmware. Those computers always have an R2000 CPU +and consequently the exception handler used in memory probing uses the +RFE instruction, which those processors use. + +While adding 64-bit support this code was correctly excluded for 64-bit +configurations, however it should have also been excluded for irrelevant +32-bit configurations. Do this now then, and only enable PMAX memory +probing for R3k systems. + +Reported-by: Jan-Benedict Glaw +Reported-by: Sudip Mukherjee +Signed-off-by: Maciej W. 
Rozycki +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org # v2.6.12+ +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/dec/prom/Makefile | 2 +- + arch/mips/include/asm/dec/prom.h | 15 +++++---------- + 2 files changed, 6 insertions(+), 11 deletions(-) + +--- a/arch/mips/dec/prom/Makefile ++++ b/arch/mips/dec/prom/Makefile +@@ -6,4 +6,4 @@ + + lib-y += init.o memory.o cmdline.o identify.o console.o + +-lib-$(CONFIG_32BIT) += locore.o ++lib-$(CONFIG_CPU_R3000) += locore.o +--- a/arch/mips/include/asm/dec/prom.h ++++ b/arch/mips/include/asm/dec/prom.h +@@ -43,16 +43,11 @@ + */ + #define REX_PROM_MAGIC 0x30464354 + +-#ifdef CONFIG_64BIT +- +-#define prom_is_rex(magic) 1 /* KN04 and KN05 are REX PROMs. */ +- +-#else /* !CONFIG_64BIT */ +- +-#define prom_is_rex(magic) ((magic) == REX_PROM_MAGIC) +- +-#endif /* !CONFIG_64BIT */ +- ++/* KN04 and KN05 are REX PROMs, so only do the check for R3k systems. */ ++static inline bool prom_is_rex(u32 magic) ++{ ++ return !IS_ENABLED(CONFIG_CPU_R3000) || magic == REX_PROM_MAGIC; ++} + + /* + * 3MIN/MAXINE PROM entry points for DS5000/1xx's, DS5000/xx's and diff --git a/queue-5.17/exec-force-single-empty-string-when-argv-is-empty.patch b/queue-5.17/exec-force-single-empty-string-when-argv-is-empty.patch new file mode 100644 index 00000000000..3de3cc66cae --- /dev/null +++ b/queue-5.17/exec-force-single-empty-string-when-argv-is-empty.patch 
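Review bot: The new static inline prom_is_rex() in prom.h now depends on `bool`, `u32` and `IS_ENABLED()`, none of which the old macro needed, and the hunk adds no #include; whether <linux/types.h> is already pulled into this header isn't visible here (IS_ENABLED() is presumably available through the build's forced kconfig.h include). If types.h is missing, the header is no longer self-contained and only compiles where the includer happened to bring it in first; adding `#include <linux/types.h>` near the top of prom.h would settle it. The top of the header is outside the hunk.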
@@ -0,0 +1,129 @@ +From dcd46d897adb70d63e025f175a00a89797d31a43 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 31 Jan 2022 16:09:47 -0800 +Subject: exec: Force single empty string when argv is empty + +From: Kees Cook + +commit dcd46d897adb70d63e025f175a00a89797d31a43 upstream. + +Quoting[1] Ariadne Conill: + +"In several other operating systems, it is a hard requirement that the +second argument to execve(2) be the name of a program, thus prohibiting +a scenario where argc < 1. POSIX 2017 also recommends this behaviour, +but it is not an explicit requirement[2]: + + The argument arg0 should point to a filename string that is + associated with the process being started by one of the exec + functions. +... +Interestingly, Michael Kerrisk opened an issue about this in 2008[3], +but there was no consensus to support fixing this issue then. +Hopefully now that CVE-2021-4034 shows practical exploitative use[4] +of this bug in a shellcode, we can reconsider. + +This issue is being tracked in the KSPP issue tracker[5]." + +While the initial code searches[6][7] turned up what appeared to be +mostly corner case tests, trying to that just reject argv == NULL +(or an immediately terminated pointer list) quickly started tripping[8] +existing userspace programs. + +The next best approach is forcing a single empty string into argv and +adjusting argc to match. The number of programs depending on argc == 0 +seems a smaller set than those calling execve with a NULL argv. + +Account for the additional stack space in bprm_stack_limits(). Inject an +empty string when argc == 0 (and set argc = 1). Warn about the case so +userspace has some notice about the change: + + process './argc0' launched './argc0' with NULL argv: empty string added + +Additionally WARN() and reject NULL argv usage for kernel threads. 
+ +[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/ +[2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html +[3] https://bugzilla.kernel.org/show_bug.cgi?id=8408 +[4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt +[5] https://github.com/KSPP/linux/issues/176 +[6] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0 +[7] https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL&literal=0 +[8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/ + +Reported-by: Ariadne Conill +Reported-by: Michael Kerrisk +Cc: Matthew Wilcox +Cc: Christian Brauner +Cc: Rich Felker +Cc: Eric Biederman +Cc: Alexander Viro +Cc: linux-fsdevel@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Acked-by: Christian Brauner +Acked-by: Ariadne Conill +Acked-by: Andy Lutomirski +Link: https://lore.kernel.org/r/20220201000947.2453721-1-keescook@chromium.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/exec.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -495,8 +495,14 @@ static int bprm_stack_limits(struct linu + * the stack. They aren't stored until much later when we can't + * signal to the parent that the child has run out of stack space. + * Instead, calculate it here so it's possible to fail gracefully. ++ * ++ * In the case of argc = 0, make sure there is space for adding a ++ * empty string (which will bump argc to 1), to ensure confused ++ * userspace programs don't start processing from argv[1], thinking ++ * argc can never be 0, to keep them from walking envp by accident. ++ * See do_execveat_common(). 
+ */ +- ptr_size = (bprm->argc + bprm->envc) * sizeof(void *); ++ ptr_size = (max(bprm->argc, 1) + bprm->envc) * sizeof(void *); + if (limit <= ptr_size) + return -E2BIG; + limit -= ptr_size; +@@ -1897,6 +1903,9 @@ static int do_execveat_common(int fd, st + } + + retval = count(argv, MAX_ARG_STRINGS); ++ if (retval == 0) ++ pr_warn_once("process '%s' launched '%s' with NULL argv: empty string added\n", ++ current->comm, bprm->filename); + if (retval < 0) + goto out_free; + bprm->argc = retval; +@@ -1923,6 +1932,19 @@ static int do_execveat_common(int fd, st + if (retval < 0) + goto out_free; + ++ /* ++ * When argv is empty, add an empty string ("") as argv[0] to ++ * ensure confused userspace programs that start processing ++ * from argv[1] won't end up walking envp. See also ++ * bprm_stack_limits(). ++ */ ++ if (bprm->argc == 0) { ++ retval = copy_string_kernel("", bprm); ++ if (retval < 0) ++ goto out_free; ++ bprm->argc = 1; ++ } ++ + retval = bprm_execve(bprm, fd, filename, flags); + out_free: + free_bprm(bprm); +@@ -1951,6 +1973,8 @@ int kernel_execve(const char *kernel_fil + } + + retval = count_strings_kernel(argv); ++ if (WARN_ON_ONCE(retval == 0)) ++ retval = -EINVAL; + if (retval < 0) + goto out_free; + bprm->argc = retval; diff --git a/queue-5.17/lib-raid6-test-fix-multiple-definition-linking-error.patch b/queue-5.17/lib-raid6-test-fix-multiple-definition-linking-error.patch new file mode 100644 index 00000000000..7d28e22bc6b --- /dev/null +++ b/queue-5.17/lib-raid6-test-fix-multiple-definition-linking-error.patch 
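Review bot: The warning added in do_execveat_common() says "with NULL argv", but its condition is `retval == 0`, which the commit message says also covers a non-NULL argv whose first pointer is NULL; `"process '%s' launched '%s' with empty argv: empty string added\n"` would describe both cases and matches the wording of the comment added further down ("When argv is empty"). Separately, the line embeds current->comm, which the process can set itself, and pr_warn_once() fires only for the first offender per boot, so this is a developer hint rather than an audit record — a comment stating that intent would stop anyone treating it as one. Each of the three functions touched here extends beyond the hunk.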
@@ -0,0 +1,41 @@ +From a5359ddd052860bacf957e65fe819c63e974b3a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dirk=20M=C3=BCller?= +Date: Tue, 8 Feb 2022 17:50:50 +0100 +Subject: lib/raid6/test: fix multiple definition linking error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dirk Müller + +commit a5359ddd052860bacf957e65fe819c63e974b3a6 upstream. + +GCC 10+ defaults to -fno-common, which enforces proper declaration of +external references using "extern". without this change a link would +fail with: + + lib/raid6/test/algos.c:28: multiple definition of `raid6_call'; + lib/raid6/test/test.c:22: first defined here + +the pq.h header that is included already includes an extern declaration +so we can just remove the redundant one here. + +Cc: +Signed-off-by: Dirk Müller +Reviewed-by: Paul Menzel +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + lib/raid6/test/test.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/lib/raid6/test/test.c ++++ b/lib/raid6/test/test.c +@@ -19,7 +19,6 @@ + #define NDISKS 16 /* Including P and Q */ + + const char raid6_empty_zero_page[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE))); +-struct raid6_calls raid6_call; + + char *dataptrs[NDISKS]; + char data[NDISKS][PAGE_SIZE] __attribute__((aligned(PAGE_SIZE))); diff --git a/queue-5.17/media-gpio-ir-tx-fix-transmit-with-long-spaces-on-orange-pi-pc.patch b/queue-5.17/media-gpio-ir-tx-fix-transmit-with-long-spaces-on-orange-pi-pc.patch new file mode 100644 index 00000000000..f7a3d0e1838 --- /dev/null +++ b/queue-5.17/media-gpio-ir-tx-fix-transmit-with-long-spaces-on-orange-pi-pc.patch 
@@ -0,0 +1,79 @@ +From 5ad05ecad4326ddaa26a83ba2233a67be24c1aaa Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sun, 20 Feb 2022 15:28:24 +0100 +Subject: media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Young + +commit 5ad05ecad4326ddaa26a83ba2233a67be24c1aaa upstream. + +Calling udelay for than 1000us does not always yield the correct +results. + +Cc: stable@vger.kernel.org +Reported-by: Михаил +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/gpio-ir-tx.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +--- a/drivers/media/rc/gpio-ir-tx.c ++++ b/drivers/media/rc/gpio-ir-tx.c +@@ -48,11 +48,29 @@ static int gpio_ir_tx_set_carrier(struct + return 0; + } + ++static void delay_until(ktime_t until) ++{ ++ /* ++ * delta should never exceed 0.5 seconds (IR_MAX_DURATION) and on ++ * m68k ndelay(s64) does not compile; so use s32 rather than s64. 
++ */ ++ s32 delta; ++ ++ while (true) { ++ delta = ktime_us_delta(until, ktime_get()); ++ if (delta <= 0) ++ return; ++ ++ /* udelay more than 1ms may not work */ ++ delta = min(delta, 1000); ++ udelay(delta); ++ } ++} ++ + static void gpio_ir_tx_unmodulated(struct gpio_ir *gpio_ir, uint *txbuf, + uint count) + { + ktime_t edge; +- s32 delta; + int i; + + local_irq_disable(); +@@ -63,9 +81,7 @@ static void gpio_ir_tx_unmodulated(struc + gpiod_set_value(gpio_ir->gpio, !(i % 2)); + + edge = ktime_add_us(edge, txbuf[i]); +- delta = ktime_us_delta(edge, ktime_get()); +- if (delta > 0) +- udelay(delta); ++ delay_until(edge); + } + + gpiod_set_value(gpio_ir->gpio, 0); +@@ -97,9 +113,7 @@ static void gpio_ir_tx_modulated(struct + if (i % 2) { + // space + edge = ktime_add_us(edge, txbuf[i]); +- delta = ktime_us_delta(edge, ktime_get()); +- if (delta > 0) +- udelay(delta); ++ delay_until(edge); + } else { + // pulse + ktime_t last = ktime_add_us(edge, txbuf[i]); diff --git a/queue-5.17/media-omap3isp-use-struct_group-for-memcpy-region.patch b/queue-5.17/media-omap3isp-use-struct_group-for-memcpy-region.patch new file mode 100644 index 00000000000..266ce738c03 --- /dev/null +++ b/queue-5.17/media-omap3isp-use-struct_group-for-memcpy-region.patch 
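Review bot: delay_until() has no function comment, and its contract matters: it busy-waits in udelay() slices of at most 1 ms until the absolute ktime @until, and the unmodulated caller below runs it with interrupts off (local_irq_disable() is visible in that context), so a long space still holds the CPU with IRQs disabled for its whole duration — the slicing fixes udelay() accuracy, not latency. A header such as `/* Busy-wait until @until in <=1ms udelay() steps; callers hold IRQs disabled, so the whole interval is spent spinning. */` would make that explicit, and since the s64-to-s32 narrowing of ktime_us_delta() is silent, it could also say that the caller's IR_MAX_DURATION bound is what keeps it safe. The modulated caller's IRQ state isn't visible in the hunk.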
@@ -0,0 +1,128 @@ +From d4568fc8525897e683983806f813be1ae9eedaed Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 24 Jan 2022 18:29:52 +0100 +Subject: media: omap3isp: Use struct_group() for memcpy() region + +From: Kees Cook + +commit d4568fc8525897e683983806f813be1ae9eedaed upstream. + +In preparation for FORTIFY_SOURCE performing compile-time and run-time +field bounds checking for memcpy(), memmove(), and memset(), avoid +intentionally writing across neighboring fields. Wrap the target region +in struct_group(). This additionally fixes a theoretical misalignment +of the copy (since the size of "buf" changes between 64-bit and 32-bit, +but this is likely never built for 64-bit). + +FWIW, I think this code is totally broken on 64-bit (which appears to +not be a "real" build configuration): it would either always fail (with +an uninitialized data->buf_size) or would cause corruption in userspace +due to the copy_to_user() in the call path against an uninitialized +data->buf value: + +omap3isp_stat_request_statistics_time32(...) + struct omap3isp_stat_data data64; + ... + omap3isp_stat_request_statistics(stat, &data64); + +int omap3isp_stat_request_statistics(struct ispstat *stat, + struct omap3isp_stat_data *data) + ... + buf = isp_stat_buf_get(stat, data); + +static struct ispstat_buffer *isp_stat_buf_get(struct ispstat *stat, + struct omap3isp_stat_data *data) +... + if (buf->buf_size > data->buf_size) { + ... + return ERR_PTR(-EINVAL); + } + ... + rval = copy_to_user(data->buf, + buf->virt_addr, + buf->buf_size); + +Regardless, additionally initialize data64 to be zero-filled to avoid +undefined behavior. + +Link: https://lore.kernel.org/lkml/20211215220505.GB21862@embeddedor + +Cc: Arnd Bergmann +Fixes: 378e3f81cb56 ("media: omap3isp: support 64-bit version of omap3isp_stat_data") +Cc: stable@vger.kernel.org +Reviewed-by: Gustavo A. R. 
Silva +Signed-off-by: Kees Cook +Reviewed-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/omap3isp/ispstat.c | 5 +++-- + include/uapi/linux/omap3isp.h | 21 +++++++++++++-------- + 2 files changed, 16 insertions(+), 10 deletions(-) + +--- a/drivers/media/platform/omap3isp/ispstat.c ++++ b/drivers/media/platform/omap3isp/ispstat.c +@@ -512,7 +512,7 @@ int omap3isp_stat_request_statistics(str + int omap3isp_stat_request_statistics_time32(struct ispstat *stat, + struct omap3isp_stat_data_time32 *data) + { +- struct omap3isp_stat_data data64; ++ struct omap3isp_stat_data data64 = { }; + int ret; + + ret = omap3isp_stat_request_statistics(stat, &data64); +@@ -521,7 +521,8 @@ int omap3isp_stat_request_statistics_tim + + data->ts.tv_sec = data64.ts.tv_sec; + data->ts.tv_usec = data64.ts.tv_usec; +- memcpy(&data->buf, &data64.buf, sizeof(*data) - sizeof(data->ts)); ++ data->buf = (uintptr_t)data64.buf; ++ memcpy(&data->frame, &data64.frame, sizeof(data->frame)); + + return 0; + } +--- a/include/uapi/linux/omap3isp.h ++++ b/include/uapi/linux/omap3isp.h +@@ -162,6 +162,7 @@ struct omap3isp_h3a_aewb_config { + * struct omap3isp_stat_data - Statistic data sent to or received from user + * @ts: Timestamp of returned framestats. + * @buf: Pointer to pass to user. ++ * @buf_size: Size of buffer. + * @frame_number: Frame number of requested stats. + * @cur_frame: Current frame number being processed. + * @config_counter: Number of the configuration associated with the data. 
+@@ -176,10 +177,12 @@ struct omap3isp_stat_data { + struct timeval ts; + #endif + void __user *buf; +- __u32 buf_size; +- __u16 frame_number; +- __u16 cur_frame; +- __u16 config_counter; ++ __struct_group(/* no tag */, frame, /* no attrs */, ++ __u32 buf_size; ++ __u16 frame_number; ++ __u16 cur_frame; ++ __u16 config_counter; ++ ); + }; + + #ifdef __KERNEL__ +@@ -189,10 +192,12 @@ struct omap3isp_stat_data_time32 { + __s32 tv_usec; + } ts; + __u32 buf; +- __u32 buf_size; +- __u16 frame_number; +- __u16 cur_frame; +- __u16 config_counter; ++ __struct_group(/* no tag */, frame, /* no attrs */, ++ __u32 buf_size; ++ __u16 frame_number; ++ __u16 cur_frame; ++ __u16 config_counter; ++ ); + }; + #endif + diff --git a/queue-5.17/media-venus-vdec-fixed-possible-memory-leak-issue.patch b/queue-5.17/media-venus-vdec-fixed-possible-memory-leak-issue.patch new file mode 100644 index 00000000000..18e460e41e9 --- /dev/null +++ b/queue-5.17/media-venus-vdec-fixed-possible-memory-leak-issue.patch 
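Review bot: Zero-initialising data64 in omap3isp_stat_request_statistics_time32() makes the failure deterministic, but the function still never copies the caller's `buf` and `buf_size` into data64 before calling omap3isp_stat_request_statistics(), so the `buf->buf_size > data->buf_size` check quoted in the message now compares against 0 and, per that excerpt, the request can presumably only succeed for an empty statistics buffer. The missing inbound conversion is two lines before the call: `data64.buf = (void __user *)(uintptr_t)data->buf;` and `data64.buf_size = data->buf_size;` (the outbound direction is already handled after it). The message says this path is effectively 64-bit-only and not a real configuration; whether the TIME32 ioctl is reachable on 32-bit builds isn't visible from the hunk, so this reads as a follow-up rather than a blocker.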
@@ -0,0 +1,48 @@ +From 8403fdd775858a7bf04868d43daea0acbe49ddfc Mon Sep 17 00:00:00 2001 +From: Ameer Hamza +Date: Mon, 6 Dec 2021 11:43:15 +0100 +Subject: media: venus: vdec: fixed possible memory leak issue + +From: Ameer Hamza + +commit 8403fdd775858a7bf04868d43daea0acbe49ddfc upstream. + +The venus_helper_alloc_dpb_bufs() implementation allows an early return +on an error path when checking the id from ida_alloc_min() which would +not release the earlier buffer allocation. + +Move the direct kfree() from the error checking of dma_alloc_attrs() to +the common fail path to ensure that allocations are released on all +error paths in this function. + +Addresses-Coverity: 1494120 ("Resource leak") + +cc: stable@vger.kernel.org # 5.16+ +Fixes: 40d87aafee29 ("media: venus: vdec: decoded picture buffer handling during reconfig sequence") +Signed-off-by: Ameer Hamza +Reviewed-by: Kieran Bingham +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/helpers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/qcom/venus/helpers.c ++++ b/drivers/media/platform/qcom/venus/helpers.c +@@ -189,7 +189,6 @@ int venus_helper_alloc_dpb_bufs(struct v + buf->va = dma_alloc_attrs(dev, buf->size, &buf->da, GFP_KERNEL, + buf->attrs); + if (!buf->va) { +- kfree(buf); + ret = -ENOMEM; + goto fail; + } +@@ -209,6 +208,7 @@ int venus_helper_alloc_dpb_bufs(struct v + return 0; + + fail: ++ kfree(buf); + venus_helper_free_dpb_bufs(inst); + return ret; + } diff --git a/queue-5.17/pm-domains-fix-sleep-in-atomic-bug-caused-by-genpd_debug_remove.patch b/queue-5.17/pm-domains-fix-sleep-in-atomic-bug-caused-by-genpd_debug_remove.patch new file mode 100644 index 00000000000..e83d25ec355 --- /dev/null +++ b/queue-5.17/pm-domains-fix-sleep-in-atomic-bug-caused-by-genpd_debug_remove.patch 
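Review bot: Moving kfree(buf) to the fail label fixes the struct leak, but on the ida_alloc_min() failure the message describes, fail is reached after dma_alloc_attrs() succeeded and nothing releases buf->va; the buffer is not yet on the instance list, so venus_helper_free_dpb_bufs() presumably won't see it either. Releasing it ahead of the kfree covers both failure points, because buf->va is NULL when the DMA allocation itself failed: `if (buf && buf->va) dma_free_attrs(dev, buf->size, buf->va, buf->da, buf->attrs);` before `kfree(buf);`, with the `buf &&` guarding the entry where buf's own allocation failed. This assumes the ida failure path jumps to fail before the buffer is added to the list — the middle of the loop between the two hunks isn't shown, so please confirm. venus_helper_alloc_dpb_bufs() starts before the first hunk.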
@@ -0,0 +1,74 @@ +From f6bfe8b5b2c2a5ac8bd2fc7bca3706e6c3fc26d8 Mon Sep 17 00:00:00 2001 +From: Shawn Guo +Date: Fri, 25 Feb 2022 14:48:15 +0800 +Subject: PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove() + +From: Shawn Guo + +commit f6bfe8b5b2c2a5ac8bd2fc7bca3706e6c3fc26d8 upstream. + +When a genpd with GENPD_FLAG_IRQ_SAFE gets removed, the following +sleep-in-atomic bug will be seen, as genpd_debug_remove() will be called +with a spinlock being held. + +[ 0.029183] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1460 +[ 0.029204] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 1, name: swapper/0 +[ 0.029219] preempt_count: 1, expected: 0 +[ 0.029230] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.17.0-rc4+ #489 +[ 0.029245] Hardware name: Thundercomm TurboX CM2290 (DT) +[ 0.029256] Call trace: +[ 0.029265] dump_backtrace.part.0+0xbc/0xd0 +[ 0.029285] show_stack+0x3c/0xa0 +[ 0.029298] dump_stack_lvl+0x7c/0xa0 +[ 0.029311] dump_stack+0x18/0x34 +[ 0.029323] __might_resched+0x10c/0x13c +[ 0.029338] __might_sleep+0x4c/0x80 +[ 0.029351] down_read+0x24/0xd0 +[ 0.029363] lookup_one_len_unlocked+0x9c/0xcc +[ 0.029379] lookup_positive_unlocked+0x10/0x50 +[ 0.029392] debugfs_lookup+0x68/0xac +[ 0.029406] genpd_remove.part.0+0x12c/0x1b4 +[ 0.029419] of_genpd_remove_last+0xa8/0xd4 +[ 0.029434] psci_cpuidle_domain_probe+0x174/0x53c +[ 0.029449] platform_probe+0x68/0xe0 +[ 0.029462] really_probe+0x190/0x430 +[ 0.029473] __driver_probe_device+0x90/0x18c +[ 0.029485] driver_probe_device+0x40/0xe0 +[ 0.029497] __driver_attach+0xf4/0x1d0 +[ 0.029508] bus_for_each_dev+0x70/0xd0 +[ 0.029523] driver_attach+0x24/0x30 +[ 0.029534] bus_add_driver+0x164/0x22c +[ 0.029545] driver_register+0x78/0x130 +[ 0.029556] __platform_driver_register+0x28/0x34 +[ 0.029569] psci_idle_init_domains+0x1c/0x28 +[ 0.029583] do_one_initcall+0x50/0x1b0 +[ 0.029595] kernel_init_freeable+0x214/0x280 +[ 0.029609] kernel_init+0x2c/0x13c +[ 0.029622] 
ret_from_fork+0x10/0x20 + +It doesn't seem necessary to call genpd_debug_remove() with the lock, so +move it out from locking to fix the problem. + +Fixes: 718072ceb211 ("PM: domains: create debugfs nodes when adding power domains") +Signed-off-by: Shawn Guo +Reviewed-by: Ulf Hansson +Cc: 5.11+ # 5.11+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/power/domain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/power/domain.c ++++ b/drivers/base/power/domain.c +@@ -2058,9 +2058,9 @@ static int genpd_remove(struct generic_p + kfree(link); + } + +- genpd_debug_remove(genpd); + list_del(&genpd->gpd_list_node); + genpd_unlock(genpd); ++ genpd_debug_remove(genpd); + cancel_work_sync(&genpd->power_off_work); + if (genpd_is_cpu_domain(genpd)) + free_cpumask_var(genpd->cpus); diff --git a/queue-5.17/series b/queue-5.17/series index 78cea52af77..1b1acafa8f1 100644 --- a/queue-5.17/series +++ b/queue-5.17/series @@ -156,3 +156,15 @@ mgag200-fix-memmapsl-configuration-in-gctl6-register.patch carl9170-fix-missing-bit-wise-or-operator-for-tx_params.patch pstore-don-t-use-semaphores-in-always-atomic-context-code.patch thermal-int340x-increase-bitmap-size.patch +lib-raid6-test-fix-multiple-definition-linking-error.patch +exec-force-single-empty-string-when-argv-is-empty.patch +crypto-rsa-pkcs1pad-only-allow-with-rsa.patch +crypto-rsa-pkcs1pad-correctly-get-hash-from-source-scatterlist.patch +crypto-rsa-pkcs1pad-restore-signature-length-check.patch +crypto-rsa-pkcs1pad-fix-buffer-overread-in-pkcs1pad_verify_complete.patch +bcache-fixup-multiple-threads-crash.patch +pm-domains-fix-sleep-in-atomic-bug-caused-by-genpd_debug_remove.patch +dec-limit-pmax-memory-probing-to-r3k-systems.patch +media-gpio-ir-tx-fix-transmit-with-long-spaces-on-orange-pi-pc.patch +media-omap3isp-use-struct_group-for-memcpy-region.patch +media-venus-vdec-fixed-possible-memory-leak-issue.patch