From: Greg Kroah-Hartman Date: Fri, 24 Sep 2021 09:25:14 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.285~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b91f76f6299653ce6b0179573b7d0a7531aa6b2c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: 9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch prctl-allow-to-setup-brk-for-et_dyn-executables.patch profiling-fix-shift-out-of-bounds-bugs.patch pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch --- diff --git a/queue-4.4/9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch b/queue-4.4/9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch new file mode 100644 index 00000000000..803098265e9 --- /dev/null +++ b/queue-4.4/9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch @@ -0,0 +1,41 @@ +From f997ea3b7afc108eb9761f321b57de2d089c7c48 Mon Sep 17 00:00:00 2001 +From: Xie Yongji +Date: Mon, 17 May 2021 16:35:57 +0800 +Subject: 9p/trans_virtio: Remove sysfs file on probe failure + +From: Xie Yongji + +commit f997ea3b7afc108eb9761f321b57de2d089c7c48 upstream. + +This ensures we don't leak the sysfs file if we failed to +allocate chan->vc_wq during probe. + +Link: http://lkml.kernel.org/r/20210517083557.172-1-xieyongji@bytedance.com +Fixes: 86c8437383ac ("net/9p: Add sysfs mount_tag file for virtio 9P device") +Signed-off-by: Xie Yongji +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman +--- + net/9p/trans_virtio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -605,7 +605,7 @@ static int p9_virtio_probe(struct virtio + chan->vc_wq = kmalloc(sizeof(wait_queue_head_t), GFP_KERNEL); + if (!chan->vc_wq) { + err = -ENOMEM; +- goto out_free_tag; ++ goto out_remove_file; + } + init_waitqueue_head(chan->vc_wq); + chan->ring_bufs_avail = 1; +@@ -623,6 +623,8 @@ static int p9_virtio_probe(struct virtio + + return 0; + ++out_remove_file: ++ sysfs_remove_file(&vdev->dev.kobj, &dev_attr_mount_tag.attr); + out_free_tag: + kfree(tag); + out_free_vq: diff --git a/queue-4.4/prctl-allow-to-setup-brk-for-et_dyn-executables.patch b/queue-4.4/prctl-allow-to-setup-brk-for-et_dyn-executables.patch new file mode 100644 index 00000000000..336369bc8a8 --- /dev/null +++ b/queue-4.4/prctl-allow-to-setup-brk-for-et_dyn-executables.patch @@ -0,0 +1,80 @@ +From e1fbbd073137a9d63279f6bf363151a938347640 Mon Sep 17 00:00:00 2001 +From: Cyrill Gorcunov +Date: Tue, 7 Sep 2021 20:00:41 -0700 +Subject: prctl: allow to setup brk for et_dyn executables + +From: Cyrill Gorcunov + +commit e1fbbd073137a9d63279f6bf363151a938347640 upstream. + +Keno Fischer reported that when a binray loaded via ld-linux-x the +prctl(PR_SET_MM_MAP) doesn't allow to setup brk value because it lays +before mm:end_data. + +For example a test program shows + + | # ~/t + | + | start_code 401000 + | end_code 401a15 + | start_stack 7ffce4577dd0 + | start_data 403e10 + | end_data 40408c + | start_brk b5b000 + | sbrk(0) b5b000 + +and when executed via ld-linux + + | # /lib64/ld-linux-x86-64.so.2 ~/t + | + | start_code 7fc25b0a4000 + | end_code 7fc25b0c4524 + | start_stack 7fffcc6b2400 + | start_data 7fc25b0ce4c0 + | end_data 7fc25b0cff98 + | start_brk 55555710c000 + | sbrk(0) 55555710c000 + +This of course prevent criu from restoring such programs. Looking into +how kernel operates with brk/start_brk inside brk() syscall I don't see +any problem if we allow to setup brk/start_brk without checking for +end_data. Even if someone pass some weird address here on a purpose then +the worst possible result will be an unexpected unmapping of existing vma +(own vma, since prctl works with the callers memory) but test for +RLIMIT_DATA is still valid and a user won't be able to gain more memory in +case of expanding VMAs via new values shipped with prctl call. + +Link: https://lkml.kernel.org/r/20210121221207.GB2174@grain +Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec") +Signed-off-by: Cyrill Gorcunov +Reported-by: Keno Fischer +Acked-by: Andrey Vagin +Tested-by: Andrey Vagin +Cc: Dmitry Safonov <0x7f454c46@gmail.com> +Cc: Kirill Tkhai +Cc: Eric W. Biederman +Cc: Pavel Tikhomirov +Cc: Alexander Mikhalitsyn +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sys.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1775,13 +1775,6 @@ static int validate_prctl_map(struct prc + error = -EINVAL; + + /* +- * @brk should be after @end_data in traditional maps. +- */ +- if (prctl_map->start_brk <= prctl_map->end_data || +- prctl_map->brk <= prctl_map->end_data) +- goto out; +- +- /* + * Neither we should allow to override limits if they set. + */ + if (check_data_rlimit(rlimit(RLIMIT_DATA), prctl_map->brk, diff --git a/queue-4.4/profiling-fix-shift-out-of-bounds-bugs.patch b/queue-4.4/profiling-fix-shift-out-of-bounds-bugs.patch new file mode 100644 index 00000000000..509024adbb4 --- /dev/null +++ b/queue-4.4/profiling-fix-shift-out-of-bounds-bugs.patch @@ -0,0 +1,98 @@ +From 2d186afd04d669fe9c48b994c41a7405a3c9f16d Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Tue, 7 Sep 2021 19:58:21 -0700 +Subject: profiling: fix shift-out-of-bounds bugs + +From: Pavel Skripkin + +commit 2d186afd04d669fe9c48b994c41a7405a3c9f16d upstream. + +Syzbot reported shift-out-of-bounds bug in profile_init(). +The problem was in incorrect prof_shift. Since prof_shift value comes from +userspace we need to clamp this value into [0, BITS_PER_LONG -1] +boundaries. + +Second possible shiht-out-of-bounds was found by Tetsuo: +sample_step local variable in read_profile() had "unsigned int" type, +but prof_shift allows to make a BITS_PER_LONG shift. So, to prevent +possible shiht-out-of-bounds sample_step type was changed to +"unsigned long". + +Also, "unsigned short int" will be sufficient for storing +[0, BITS_PER_LONG] value, that's why there is no need for +"unsigned long" prof_shift. + +Link: https://lkml.kernel.org/r/20210813140022.5011-1-paskripkin@gmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+e68c89a9510c159d9684@syzkaller.appspotmail.com +Suggested-by: Tetsuo Handa +Signed-off-by: Pavel Skripkin +Cc: Thomas Gleixner +Cc: Steven Rostedt +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + kernel/profile.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/kernel/profile.c ++++ b/kernel/profile.c +@@ -38,7 +38,8 @@ struct profile_hit { + #define NR_PROFILE_GRP (NR_PROFILE_HIT/PROFILE_GRPSZ) + + static atomic_t *prof_buffer; +-static unsigned long prof_len, prof_shift; ++static unsigned long prof_len; ++static unsigned short int prof_shift; + + int prof_on __read_mostly; + EXPORT_SYMBOL_GPL(prof_on); +@@ -63,8 +64,8 @@ int profile_setup(char *str) + if (str[strlen(sleepstr)] == ',') + str += strlen(sleepstr) + 1; + if (get_option(&str, &par)) +- prof_shift = par; +- pr_info("kernel sleep profiling enabled (shift: %ld)\n", ++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1); ++ pr_info("kernel sleep profiling enabled (shift: %u)\n", + prof_shift); + #else + pr_warn("kernel sleep profiling requires CONFIG_SCHEDSTATS\n"); +@@ -74,21 +75,21 @@ int profile_setup(char *str) + if (str[strlen(schedstr)] == ',') + str += strlen(schedstr) + 1; + if (get_option(&str, &par)) +- prof_shift = par; +- pr_info("kernel schedule profiling enabled (shift: %ld)\n", ++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1); ++ pr_info("kernel schedule profiling enabled (shift: %u)\n", + prof_shift); + } else if (!strncmp(str, kvmstr, strlen(kvmstr))) { + prof_on = KVM_PROFILING; + if (str[strlen(kvmstr)] == ',') + str += strlen(kvmstr) + 1; + if (get_option(&str, &par)) +- prof_shift = par; +- pr_info("kernel KVM profiling enabled (shift: %ld)\n", ++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1); ++ pr_info("kernel KVM profiling enabled (shift: %u)\n", + prof_shift); + } else if (get_option(&str, &par)) { +- prof_shift = par; ++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1); + prof_on = CPU_PROFILING; +- pr_info("kernel profiling enabled (shift: %ld)\n", ++ pr_info("kernel profiling enabled (shift: %u)\n", + prof_shift); + } + return 1; +@@ -475,7 +476,7 @@ read_profile(struct file *file, char __u + unsigned long p = *ppos; + ssize_t read; + char *pnt; +- unsigned int sample_step = 1 << prof_shift; ++ unsigned long sample_step = 1UL << prof_shift; + + profile_flip_buffers(); + if (p >= (prof_len+1)*sizeof(unsigned int)) diff --git a/queue-4.4/pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch b/queue-4.4/pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch new file mode 100644 index 00000000000..27dae3ee6bd --- /dev/null +++ b/queue-4.4/pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch @@ -0,0 +1,60 @@ +From 020162d6f49f2963062229814a56a89c86cbeaa8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Wed, 7 Jul 2021 18:27:50 +0200 +Subject: pwm: mxs: Don't modify HW state in .probe() after the PWM chip was registered +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit 020162d6f49f2963062229814a56a89c86cbeaa8 upstream. + +This fixes a race condition: After pwmchip_add() is called there might +already be a consumer and then modifying the hardware behind the +consumer's back is bad. So reset before calling pwmchip_add(). + +Note that reseting the hardware isn't the right thing to do if the PWM +is already running as it might e.g. disable (or even enable) a backlight +that is supposed to be on (or off). + +Fixes: 4dce82c1e840 ("pwm: add pwm-mxs support") +Cc: Sascha Hauer +Cc: Shawn Guo +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-mxs.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/drivers/pwm/pwm-mxs.c ++++ b/drivers/pwm/pwm-mxs.c +@@ -158,6 +158,11 @@ static int mxs_pwm_probe(struct platform + return ret; + } + ++ /* FIXME: Only do this if the PWM isn't already running */ ++ ret = stmp_reset_block(mxs->base); ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "failed to reset PWM\n"); ++ + ret = pwmchip_add(&mxs->chip); + if (ret < 0) { + dev_err(&pdev->dev, "failed to add pwm chip %d\n", ret); +@@ -166,15 +171,7 @@ static int mxs_pwm_probe(struct platform + + platform_set_drvdata(pdev, mxs); + +- ret = stmp_reset_block(mxs->base); +- if (ret) +- goto pwm_remove; +- + return 0; +- +-pwm_remove: +- pwmchip_remove(&mxs->chip); +- return ret; + } + + static int mxs_pwm_remove(struct platform_device *pdev) diff --git a/queue-4.4/series b/queue-4.4/series index ca6f2a86b6d..d869eeb36d9 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -2,3 +2,8 @@ s390-bpf-fix-optimizing-out-zero-extensions.patch pm-wakeirq-fix-unbalanced-irq-enable-for-wakeirq.patch sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch sctp-add-param-size-validation-for-sctp_param_set_primary.patch +thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch +9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch +prctl-allow-to-setup-brk-for-et_dyn-executables.patch +profiling-fix-shift-out-of-bounds-bugs.patch +pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch diff --git a/queue-4.4/thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch b/queue-4.4/thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch new file mode 100644 index 00000000000..0275b120b5f --- /dev/null +++ b/queue-4.4/thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch @@ -0,0 +1,32 @@ +From 02d438f62c05f0d055ceeedf12a2f8796b258c08 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 10 Aug 2021 11:44:13 +0300 +Subject: thermal/drivers/exynos: Fix an error code in exynos_tmu_probe() + +From: Dan Carpenter + +commit 02d438f62c05f0d055ceeedf12a2f8796b258c08 upstream. + +This error path return success but it should propagate the negative +error code from devm_clk_get(). + +Fixes: 6c247393cfdd ("thermal: exynos: Add TMU support for Exynos7 SoC") +Signed-off-by: Dan Carpenter +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210810084413.GA23810@kili +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/samsung/exynos_tmu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/thermal/samsung/exynos_tmu.c ++++ b/drivers/thermal/samsung/exynos_tmu.c +@@ -1347,6 +1347,7 @@ static int exynos_tmu_probe(struct platf + data->sclk = devm_clk_get(&pdev->dev, "tmu_sclk"); + if (IS_ERR(data->sclk)) { + dev_err(&pdev->dev, "Failed to get sclk\n"); ++ ret = PTR_ERR(data->sclk); + goto err_clk; + } else { + ret = clk_prepare_enable(data->sclk);