From: Greg Kroah-Hartman Date: Sat, 4 Dec 2021 10:45:07 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.294~48 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a6e8b7c7675e07bdc06a3f76e40df37c56750a78;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: kprobes-limit-max-data_size-of-the-kretprobe-instances.patch sata_fsl-fix-uaf-in-sata_fsl_port_stop-when-rmmod-sata_fsl.patch sata_fsl-fix-warning-in-remove_proc_entry-when-rmmod-sata_fsl.patch vrf-reset-ipcb-ip6cb-when-processing-outbound-pkts-in-vrf-dev-xmit.patch --- diff --git a/queue-4.14/kprobes-limit-max-data_size-of-the-kretprobe-instances.patch b/queue-4.14/kprobes-limit-max-data_size-of-the-kretprobe-instances.patch new file mode 100644 index 00000000000..0be2c78b265 --- /dev/null +++ b/queue-4.14/kprobes-limit-max-data_size-of-the-kretprobe-instances.patch 
@@ -0,0 +1,55 @@ +From 6bbfa44116689469267f1a6e3d233b52114139d2 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Wed, 1 Dec 2021 23:45:50 +0900 +Subject: kprobes: Limit max data_size of the kretprobe instances + +From: Masami Hiramatsu + +commit 6bbfa44116689469267f1a6e3d233b52114139d2 upstream. + +The 'kprobe::data_size' is unsigned, thus it can not be negative. But if +user sets it enough big number (e.g. (size_t)-8), the result of 'data_size ++ sizeof(struct kretprobe_instance)' becomes smaller than sizeof(struct +kretprobe_instance) or zero. In result, the kretprobe_instance are +allocated without enough memory, and kretprobe accesses outside of +allocated memory. + +To avoid this issue, introduce a max limitation of the +kretprobe::data_size. 4KB per instance should be OK. + +Link: https://lkml.kernel.org/r/163836995040.432120.10322772773821182925.stgit@devnote2 + +Cc: stable@vger.kernel.org +Fixes: f47cd9b553aa ("kprobes: kretprobe user entry-handler") +Reported-by: zhangyue +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kprobes.h | 2 ++ + kernel/kprobes.c | 3 +++ + 2 files changed, 5 insertions(+) + +--- a/include/linux/kprobes.h ++++ b/include/linux/kprobes.h +@@ -193,6 +193,8 @@ struct kretprobe { + raw_spinlock_t lock; + }; + ++#define KRETPROBE_MAX_DATA_SIZE 4096 ++ + struct kretprobe_instance { + struct hlist_node hlist; + struct kretprobe *rp; +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -2004,6 +2004,9 @@ int register_kretprobe(struct kretprobe + } + } + ++ if (rp->data_size > KRETPROBE_MAX_DATA_SIZE) ++ return -E2BIG; ++ + rp->kp.pre_handler = pre_handler_kretprobe; + rp->kp.post_handler = NULL; + rp->kp.fault_handler = NULL; diff --git a/queue-4.14/pinctrl-amd-fix-wakeups-when-irq-is-shared-with-sci.patch b/queue-4.14/pinctrl-amd-fix-wakeups-when-irq-is-shared-with-sci.patch deleted file mode 100644 index 1b2c0c6ed8f..00000000000 
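Review bot: `KRETPROBE_MAX_DATA_SIZE` lands in kprobes.h as a bare `#define ... 4096` with nothing saying what it protects, so whoever next raises it has no hint that the value exists to keep `sizeof(struct kretprobe_instance) + data_size` from wrapping in the per-instance allocation; I'd put a comment above it: `/* Upper bound on kretprobe::data_size: keeps sizeof(struct kretprobe_instance) + data_size from wrapping in register_kretprobe()'s per-instance allocation. */`. The `-E2BIG` check sits before the `rp->kp.*_handler` assignments, which presumably puts it ahead of that allocation, but the allocation itself is outside the hunk, so please confirm nothing between the two consumes `data_size`. Since register_kretprobe() is only reachable from kernel code, this hardens against a buggy or malicious module rather than closing a user-reachable overflow. register_kretprobe() starts and ends outside the hunk.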
--- a/queue-4.14/pinctrl-amd-fix-wakeups-when-irq-is-shared-with-sci.patch
+++ /dev/null
@@ -1,114 +0,0 @@ -From 2101022d66471069578d7db255d56ccb6a7e6421 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 31 Oct 2021 20:48:53 -0500 -Subject: pinctrl: amd: Fix wakeups when IRQ is shared with SCI - -From: Mario Limonciello - -[ Upstream commit 2d54067fcd23aae61e23508425ae5b29e973573d ] - -On some Lenovo AMD Gen2 platforms the IRQ for the SCI and pinctrl drivers -are shared. Due to how the s2idle loop handling works, this case needs -an extra explicit check whether the interrupt was caused by SCI or by -the GPIO controller. - -To fix this rework the existing IRQ handler function to function as a -checker and an IRQ handler depending on the calling arguments. - -BugLink: https://gitlab.freedesktop.org/drm/amd/-/issues/1738 -Reported-by: Joerie de Gram -Signed-off-by: Mario Limonciello -Acked-by: Basavaraj Natikar -Link: https://lore.kernel.org/r/20211101014853.6177-2-mario.limonciello@amd.com -Signed-off-by: Linus Walleij -Signed-off-by: Sasha Levin ---- - drivers/pinctrl/pinctrl-amd.c | 29 ++++++++++++++++++++++++++--- - 1 file changed, 26 insertions(+), 3 deletions(-) - -diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c -index 34d9148d27660..b3301f399f20f 100644 ---- a/drivers/pinctrl/pinctrl-amd.c -+++ b/drivers/pinctrl/pinctrl-amd.c -@@ -495,14 +495,14 @@ static struct irq_chip amd_gpio_irqchip = { - - #define PIN_IRQ_PENDING (BIT(INTERRUPT_STS_OFF) | BIT(WAKE_STS_OFF)) - --static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id) -+static bool do_amd_gpio_irq_handler(int irq, void *dev_id) - { - struct amd_gpio *gpio_dev = dev_id; - struct gpio_chip *gc = &gpio_dev->gc; -- irqreturn_t ret = IRQ_NONE; - unsigned int i, irqnr; - unsigned long flags; - u32 __iomem *regs; -+ bool ret = false; - u32 regval; - u64 status, mask; - -@@ -524,6 +524,14 @@ static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id) - /* Each status bit covers four pins */ - for (i = 0; i < 4; i++) { - regval = readl(regs + i); -+ /* caused 
wake on resume context for shared IRQ */ -+ if (irq < 0 && (regval & BIT(WAKE_STS_OFF))) { -+ dev_dbg(&gpio_dev->pdev->dev, -+ "Waking due to GPIO %d: 0x%x", -+ irqnr + i, regval); -+ return true; -+ } -+ - if (!(regval & PIN_IRQ_PENDING) || - !(regval & BIT(INTERRUPT_MASK_OFF))) - continue; -@@ -539,9 +547,12 @@ static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id) - regval = readl(regs + i); - writel(regval, regs + i); - raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); -- ret = IRQ_HANDLED; -+ ret = true; - } - } -+ /* did not cause wake on resume context for shared IRQ */ -+ if (irq < 0) -+ return false; - - /* Signal EOI to the GPIO unit */ - raw_spin_lock_irqsave(&gpio_dev->lock, flags); -@@ -553,6 +564,16 @@ static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id) - return ret; - } - -+static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id) -+{ -+ return IRQ_RETVAL(do_amd_gpio_irq_handler(irq, dev_id)); -+} -+ -+static bool __maybe_unused amd_gpio_check_wake(void *dev_id) -+{ -+ return do_amd_gpio_irq_handler(-1, dev_id); -+} -+ - static int amd_get_groups_count(struct pinctrl_dev *pctldev) - { - struct amd_gpio *gpio_dev = pinctrl_dev_get_drvdata(pctldev); -@@ -896,6 +917,7 @@ static int amd_gpio_probe(struct platform_device *pdev) - goto out2; - - platform_set_drvdata(pdev, gpio_dev); -+ acpi_register_wakeup_handler(gpio_dev->irq, amd_gpio_check_wake, gpio_dev); - - dev_dbg(&pdev->dev, "amd gpio driver loaded\n"); - return ret; -@@ -913,6 +935,7 @@ static int amd_gpio_remove(struct platform_device *pdev) - gpio_dev = platform_get_drvdata(pdev); - - gpiochip_remove(&gpio_dev->gc); -+ acpi_unregister_wakeup_handler(amd_gpio_check_wake, gpio_dev); - - return 0; - } --- -2.33.0 - diff --git a/queue-4.14/sata_fsl-fix-uaf-in-sata_fsl_port_stop-when-rmmod-sata_fsl.patch b/queue-4.14/sata_fsl-fix-uaf-in-sata_fsl_port_stop-when-rmmod-sata_fsl.patch new file mode 100644 index 00000000000..9c8650d3d2a --- /dev/null 
+++ b/queue-4.14/sata_fsl-fix-uaf-in-sata_fsl_port_stop-when-rmmod-sata_fsl.patch 
@@ -0,0 +1,98 @@ +From 6c8ad7e8cf29eb55836e7a0215f967746ab2b504 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Fri, 26 Nov 2021 10:03:06 +0800 +Subject: sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl + +From: Baokun Li + +commit 6c8ad7e8cf29eb55836e7a0215f967746ab2b504 upstream. + +When the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux, +a bug is reported: + ================================================================== + BUG: Unable to handle kernel data access on read at 0x80000800805b502c + Oops: Kernel access of bad area, sig: 11 [#1] + NIP [c0000000000388a4] .ioread32+0x4/0x20 + LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl] + Call Trace: + .free_irq+0x1c/0x4e0 (unreliable) + .ata_host_stop+0x74/0xd0 [libata] + .release_nodes+0x330/0x3f0 + .device_release_driver_internal+0x178/0x2c0 + .driver_detach+0x64/0xd0 + .bus_remove_driver+0x70/0xf0 + .driver_unregister+0x38/0x80 + .platform_driver_unregister+0x14/0x30 + .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl] + .__se_sys_delete_module+0x1ec/0x2d0 + .system_call_exception+0xfc/0x1f0 + system_call_common+0xf8/0x200 + ================================================================== + +The triggering of the BUG is shown in the following stack: + +driver_detach + device_release_driver_internal + __device_release_driver + drv->remove(dev) --> platform_drv_remove/platform_remove + drv->remove(dev) --> sata_fsl_remove + iounmap(host_priv->hcr_base); <---- unmap + kfree(host_priv); <---- free + devres_release_all + release_nodes + dr->node.release(dev, dr->data) --> ata_host_stop + ap->ops->port_stop(ap) --> sata_fsl_port_stop + ioread32(hcr_base + HCONTROL) <---- UAF + host->ops->host_stop(host) + +The iounmap(host_priv->hcr_base) and kfree(host_priv) functions should +not be executed in drv->remove. These functions should be executed in +host_stop after port_stop. 
Therefore, we move these functions to the +new function sata_fsl_host_stop and bind the new function to host_stop. + +Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller") +Cc: stable@vger.kernel.org +Reported-by: Hulk Robot +Signed-off-by: Baokun Li +Reviewed-by: Sergei Shtylyov +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/sata_fsl.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/ata/sata_fsl.c ++++ b/drivers/ata/sata_fsl.c +@@ -1406,6 +1406,14 @@ static int sata_fsl_init_controller(stru + return 0; + } + ++static void sata_fsl_host_stop(struct ata_host *host) ++{ ++ struct sata_fsl_host_priv *host_priv = host->private_data; ++ ++ iounmap(host_priv->hcr_base); ++ kfree(host_priv); ++} ++ + /* + * scsi mid-layer and libata interface structures + */ +@@ -1438,6 +1446,8 @@ static struct ata_port_operations sata_f + .port_start = sata_fsl_port_start, + .port_stop = sata_fsl_port_stop, + ++ .host_stop = sata_fsl_host_stop, ++ + .pmp_attach = sata_fsl_pmp_attach, + .pmp_detach = sata_fsl_pmp_detach, + }; +@@ -1570,8 +1580,6 @@ static int sata_fsl_remove(struct platfo + ata_host_detach(host); + + irq_dispose_mapping(host_priv->irq); +- iounmap(host_priv->hcr_base); +- kfree(host_priv); + + return 0; + } diff --git a/queue-4.14/sata_fsl-fix-warning-in-remove_proc_entry-when-rmmod-sata_fsl.patch b/queue-4.14/sata_fsl-fix-warning-in-remove_proc_entry-when-rmmod-sata_fsl.patch new file mode 100644 index 00000000000..cbd550bb299 --- /dev/null +++ b/queue-4.14/sata_fsl-fix-warning-in-remove_proc_entry-when-rmmod-sata_fsl.patch 
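Review bot: Moving `iounmap(hcr_base)`/`kfree(host_priv)` into `sata_fsl_host_stop()` makes them run from the `ata_host_stop` devres release, but the probe error path is outside the hunk and, as far as I can tell, still frees the same two objects itself; if `sata_fsl_probe()` fails after `ata_host_start()` has queued that devres entry, the new callback would iounmap and kfree them a second time when devres unwinds the failed probe. Please check the `error_exit_with_cleanup` path and make the two cleanups single-owner (e.g. skip them there once the host has started). The new callback also deserves a one-line why-comment, since its ordering is the whole fix: `/* devres release: runs after every port_stop(), so hcr_base is still mapped when sata_fsl_port_stop() reads HCONTROL. */`. `sata_fsl_remove()` is cut at the hunk edge; after this change it still dereferences `host_priv->irq` after `ata_host_detach()`, which is only safe because the devres release that now frees `host_priv` runs after remove() returns.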
@@ -0,0 +1,78 @@ +From 6f48394cf1f3e8486591ad98c11cdadb8f1ef2ad Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Fri, 26 Nov 2021 10:03:07 +0800 +Subject: sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl + +From: Baokun Li + +commit 6f48394cf1f3e8486591ad98c11cdadb8f1ef2ad upstream. + +Trying to remove the fsl-sata module in the PPC64 GNU/Linux +leads to the following warning: + ------------[ cut here ]------------ + remove_proc_entry: removing non-empty directory 'irq/69', + leaking at least 'fsl-sata[ff0221000.sata]' + WARNING: CPU: 3 PID: 1048 at fs/proc/generic.c:722 + .remove_proc_entry+0x20c/0x220 + IRQMASK: 0 + NIP [c00000000033826c] .remove_proc_entry+0x20c/0x220 + LR [c000000000338268] .remove_proc_entry+0x208/0x220 + Call Trace: + .remove_proc_entry+0x208/0x220 (unreliable) + .unregister_irq_proc+0x104/0x140 + .free_desc+0x44/0xb0 + .irq_free_descs+0x9c/0xf0 + .irq_dispose_mapping+0x64/0xa0 + .sata_fsl_remove+0x58/0xa0 [sata_fsl] + .platform_drv_remove+0x40/0x90 + .device_release_driver_internal+0x160/0x2c0 + .driver_detach+0x64/0xd0 + .bus_remove_driver+0x70/0xf0 + .driver_unregister+0x38/0x80 + .platform_driver_unregister+0x14/0x30 + .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl] + ---[ end trace 0ea876d4076908f5 ]--- + +The driver creates the mapping by calling irq_of_parse_and_map(), +so it also has to dispose the mapping. But the easy way out is to +simply use platform_get_irq() instead of irq_of_parse_map(). Also +we should adapt return value checking and propagate error values. + +In this case the mapping is not managed by the device but by +the of core, so the device has not to dispose the mapping. 
+ +Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller") +Cc: stable@vger.kernel.org +Reported-by: Hulk Robot +Signed-off-by: Baokun Li +Reviewed-by: Sergei Shtylyov +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/sata_fsl.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/ata/sata_fsl.c ++++ b/drivers/ata/sata_fsl.c +@@ -1502,9 +1502,9 @@ static int sata_fsl_probe(struct platfor + host_priv->ssr_base = ssr_base; + host_priv->csr_base = csr_base; + +- irq = irq_of_parse_and_map(ofdev->dev.of_node, 0); +- if (!irq) { +- dev_err(&ofdev->dev, "invalid irq from platform\n"); ++ irq = platform_get_irq(ofdev, 0); ++ if (irq < 0) { ++ retval = irq; + goto error_exit_with_cleanup; + } + host_priv->irq = irq; +@@ -1579,8 +1579,6 @@ static int sata_fsl_remove(struct platfo + + ata_host_detach(host); + +- irq_dispose_mapping(host_priv->irq); +- + return 0; + } + diff --git a/queue-4.14/series b/queue-4.14/series index 469449968dc..1b2b4b11db8 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -71,7 +71,6 @@ ipc-warn-if-trying-to-remove-ipc-object-which-is-absent.patch nfsv42-fix-pagecache-invalidation-after-copy-clone.patch hugetlb-take-pmd-sharing-into-account-when-flushing-tlb-caches.patch net-return-correct-error-code.patch -pinctrl-amd-fix-wakeups-when-irq-is-shared-with-sci.patch platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch s390-setup-avoid-using-memblock_enforce_memory_limit.patch btrfs-check-integrity-fix-a-warning-on-write-caching.patch 
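Review bot: The replacement check `if (irq < 0)` no longer rejects an IRQ of 0, which the old `if (!irq)` did; on this 4.14 tree I would not rely on `platform_get_irq()` never returning 0 (newer kernels added that guarantee explicitly), and a zero IRQ passed on to `ata_host_activate()` presumably selects polling mode instead of failing the probe. I'd keep the old case covered: `if (irq <= 0) { retval = irq ? irq : -ENXIO; goto error_exit_with_cleanup; }`. Propagating `irq` as `retval` is right for `-EPROBE_DEFER`, and dropping `irq_dispose_mapping()` from `sata_fsl_remove()` matches the ownership the message describes. Both `sata_fsl_probe()` and `sata_fsl_remove()` extend beyond the hunk.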
@@ -81,3 +80,7 @@ ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch +vrf-reset-ipcb-ip6cb-when-processing-outbound-pkts-in-vrf-dev-xmit.patch +kprobes-limit-max-data_size-of-the-kretprobe-instances.patch +sata_fsl-fix-uaf-in-sata_fsl_port_stop-when-rmmod-sata_fsl.patch +sata_fsl-fix-warning-in-remove_proc_entry-when-rmmod-sata_fsl.patch diff --git a/queue-4.14/vrf-reset-ipcb-ip6cb-when-processing-outbound-pkts-in-vrf-dev-xmit.patch b/queue-4.14/vrf-reset-ipcb-ip6cb-when-processing-outbound-pkts-in-vrf-dev-xmit.patch new file mode 100644 index 00000000000..bea0e0f19ab --- /dev/null +++ b/queue-4.14/vrf-reset-ipcb-ip6cb-when-processing-outbound-pkts-in-vrf-dev-xmit.patch @@ -0,0 +1,51 @@ +From ee201011c1e1563c114a55c86eb164b236f18e84 Mon Sep 17 00:00:00 2001 +From: Stephen Suryaputra +Date: Tue, 30 Nov 2021 11:26:37 -0500 +Subject: vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit + +From: Stephen Suryaputra + +commit ee201011c1e1563c114a55c86eb164b236f18e84 upstream. + +IPCB/IP6CB need to be initialized when processing outbound v4 or v6 pkts +in the codepath of vrf device xmit function so that leftover garbage +doesn't cause futher code that uses the CB to incorrectly process the +pkt. + +One occasion of the issue might occur when MPLS route uses the vrf +device as the outgoing device such as when the route is added using "ip +-f mpls route add