From: Sasha Levin Date: Thu, 9 May 2019 01:16:21 +0000 (-0400) Subject: fixes for 4.9 X-Git-Tag: v4.9.175~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bd16eb66688af7687980ab78c36ecf229d39788b;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/arm-8680-1-boot-compressed-fix-inappropriate-thumb2-.patch b/queue-4.9/arm-8680-1-boot-compressed-fix-inappropriate-thumb2-.patch new file mode 100644 index 00000000000..c9891da0d38 --- /dev/null +++ b/queue-4.9/arm-8680-1-boot-compressed-fix-inappropriate-thumb2-.patch 
@@ -0,0 +1,56 @@ +From 34aa363dca56091295bff10bfa7b96b6a869c3b5 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 9 Jun 2017 10:14:53 +0100 +Subject: ARM: 8680/1: boot/compressed: fix inappropriate Thumb2 mnemonic for + __nop + +[ Upstream commit 60ce2858514ed9ccaf00dc7e9f4dc219537e9855 ] + +Commit 06a4b6d009a1 ("ARM: 8677/1: boot/compressed: fix decompressor +header layout for v7-M") fixed an issue in the layout of the header +of the compressed kernel image that was caused by the assembler +emitting narrow opcodes for 'mov r0, r0', and for this reason, the +mnemonic was updated to use the W() macro, which will append the .w +suffix (which forces a wide encoding) if required, i.e., when building +the kernel in Thumb2 mode. + +However, this failed to take into account that on Thumb2 kernels built +for CPUs that are also ARM capable, the entry point is entered in ARM +mode, and so the instructions emitted here will be ARM instructions +that only exist in a wide encoding to begin with, which is why the +assembler rejects the .w suffix here and aborts the build with the +following message: + + head.S: Assembler messages: + head.S:132: Error: width suffixes are invalid in ARM mode -- `mov.w r0,r0' + +So replace the W(mov) with separate ARM and Thumb2 instructions, where +the latter will only be used for THUMB2_ONLY builds. + +Fixes: 06a4b6d009a1 ("ARM: 8677/1: boot/compressed: fix decompressor ...") +Reported-by: Arnd Bergmann +Acked-by: Arnd Bergmann +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/boot/compressed/efi-header.S | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S +index 3f7d1b74c5e02..a17ca8d78656d 100644 +--- a/arch/arm/boot/compressed/efi-header.S ++++ b/arch/arm/boot/compressed/efi-header.S +@@ -17,7 +17,8 @@ + @ there. 
+ .inst 'M' | ('Z' << 8) | (0x1310 << 16) @ tstne r0, #0x4d000 + #else +- W(mov) r0, r0 ++ AR_CLASS( mov r0, r0 ) ++ M_CLASS( nop.w ) + #endif + .endm + +-- +2.20.1 + diff --git a/queue-4.9/genirq-prevent-use-after-free-and-work-list-corrupti.patch b/queue-4.9/genirq-prevent-use-after-free-and-work-list-corrupti.patch new file mode 100644 index 00000000000..1314637a4df --- /dev/null +++ b/queue-4.9/genirq-prevent-use-after-free-and-work-list-corrupti.patch @@ -0,0 +1,43 @@ +From cee8e7bffa930767cbe51757867696ba0f0f51d1 Mon Sep 17 00:00:00 2001 +From: Prasad Sodagudi +Date: Sun, 24 Mar 2019 07:57:04 -0700 +Subject: genirq: Prevent use-after-free and work list corruption + +[ Upstream commit 59c39840f5abf4a71e1810a8da71aaccd6c17d26 ] + +When irq_set_affinity_notifier() replaces the notifier, then the +reference count on the old notifier is dropped which causes it to be +freed. But nothing ensures that the old notifier is not longer queued +in the work list. If it is queued this results in a use after free and +possibly in work list corruption. + +Ensure that the work is canceled before the reference is dropped. + +Signed-off-by: Prasad Sodagudi +Signed-off-by: Thomas Gleixner +Cc: marc.zyngier@arm.com +Link: https://lkml.kernel.org/r/1553439424-6529-1-git-send-email-psodagud@codeaurora.org +Signed-off-by: Sasha Levin +--- + kernel/irq/manage.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c +index cf94460504bba..be7f489788e27 100644 +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -332,8 +332,10 @@ irq_set_affinity_notifier(unsigned int irq, struct irq_affinity_notify *notify) + desc->affinity_notify = notify; + raw_spin_unlock_irqrestore(&desc->lock, flags); + +- if (old_notify) ++ if (old_notify) { ++ cancel_work_sync(&old_notify->work); + kref_put(&old_notify->kref, old_notify->release); ++ } + + return 0; + } +-- +2.20.1 + 
diff --git a/queue-4.9/series b/queue-4.9/series index 4f2b1da532a..32850f141ce 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -15,3 +15,5 @@ drm-mediatek-fix-possible-object-reference-leak.patch virtio-blk-limit-number-of-hw-queues-by-nr_cpu_ids.patch iommu-amd-set-exclusion-range-correctly.patch mm-add-try_get_page-helper-function.patch +arm-8680-1-boot-compressed-fix-inappropriate-thumb2-.patch +genirq-prevent-use-after-free-and-work-list-corrupti.patch
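Review bot: In the arch/arm/boot/compressed/efi-header.S hunk carried by arm-8680-1-boot-compressed-fix-inappropriate-thumb2-.patch, the removed line `W(mov) r0, r0` exists only if 06a4b6d009a1 (named in the Fixes: tag) is already in the 4.9 tree. Please confirm that commit or its backport is present, otherwise this queue entry neither applies nor is needed. Separately, the commit message says the Thumb2 instruction is used only for THUMB2_ONLY builds, while the code selects it with `M_CLASS( nop.w )`. A short comment beside the two new lines would help: it should say that the `AR_CLASS` variant is assembled in ARM mode, where width suffixes are rejected, and that the `M_CLASS` variant needs the wide encoding to keep the header layout. That would stop a later cleanup from folding them back into a single W() form.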
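Review bot: In the kernel/irq/manage.c hunk carried by genirq-prevent-use-after-free-and-work-list-corrupti.patch, the return value of `cancel_work_sync(&old_notify->work)` is ignored before `kref_put()`. If the path that queues this work takes its own reference on the notifier, cancelling a still-pending work item leaves that reference without a matching put, and the old notifier's release callback never runs. Please check the queuing side, and if it does take a reference, drop it when cancel_work_sync() returns true. cancel_work_sync() can also sleep, so a one-line comment noting that the call must stay after `raw_spin_unlock_irqrestore(&desc->lock, flags)`, where the hunk places it, would guard against it being moved under the lock later.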