From: Greg Kroah-Hartman Date: Mon, 27 Dec 2021 13:23:01 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.297~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cedff18309fdb9eef0042d956a15a87b3953eecd;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch
---
diff --git a/queue-4.19/arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch b/queue-4.19/arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch
new file mode 100644
index 00000000000..3893fc9e58f
--- /dev/null
+++ b/queue-4.19/arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch
@@ -0,0 +1,51 @@
+From 8536a5ef886005bc443c2da9b842d69fd3d7647f Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Wed, 15 Dec 2021 09:31:36 +0100
+Subject: ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling
+
+From: Ard Biesheuvel
+
+commit 8536a5ef886005bc443c2da9b842d69fd3d7647f upstream.
+
+The Thumb2 version of the FP exception handling entry code treats the
+register holding the CP number (R8) differently, resulting in the iWMMXT
+CP number check to be incorrect.
+
+Fix this by unifying the ARM and Thumb2 code paths, and switch the
+order of the additions of the TI_USED_CP offset and the shifted CP
+index.
+
+Cc:
+Fixes: b86040a59feb ("Thumb-2: Implementation of the unified start-up and exceptions code")
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/kernel/entry-armv.S | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/kernel/entry-armv.S
++++ b/arch/arm/kernel/entry-armv.S
+@@ -620,11 +620,9 @@ call_fpe:
+ tstne r0, #0x04000000 @ bit 26 set on both ARM and Thumb-2
+ reteq lr
+ and r8, r0, #0x00000f00 @ mask out CP number
+- THUMB( lsr r8, r8, #8 )
+ mov r7, #1
+- add r6, r10, #TI_USED_CP
+- ARM( strb r7, [r6, r8, lsr #8] ) @ set appropriate used_cp[]
+- THUMB( strb r7, [r6, r8] ) @ set appropriate used_cp[]
++ add r6, r10, r8, lsr #8 @ add used_cp[] array offset first
++ strb r7, [r6, #TI_USED_CP] @ set appropriate used_cp[]
+ #ifdef CONFIG_IWMMXT
+ @ Test if we need to give access to iWMMXt coprocessors
+ ldr r5, [r10, #TI_FLAGS]
+@@ -633,7 +631,7 @@ call_fpe:
+ bcs iwmmxt_task_enable
+ #endif
+ ARM( add pc, pc, r8, lsr #6 )
+- THUMB( lsl r8, r8, #2 )
++ THUMB( lsr r8, r8, #6 )
+ THUMB( add pc, r8 )
+ nop
+
diff --git a/queue-4.19/f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch b/queue-4.19/f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch
new file mode 100644
index 00000000000..a4309694572
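Review bot: In the first call_fpe hunk, nothing in the code records that r8 must now stay as the masked, unshifted value (CP number << 8) on both the ARM and Thumb-2 paths until the `add pc` dispatch; the commit message says the earlier Thumb-2-only `lsr r8, r8, #8` is what made the iWMMXt CP number check wrong. I would extend the comment on the `and r8, r0, #0x00000f00` line to say so, for example `@ r8 = CP number << 8, kept unshifted for the iWMMXt check and the jump below`. The iWMMXt comparison itself sits between the two inner hunks and is not visible here, so the wording should be checked against it. call_fpe starts before the first hunk and continues past the second.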
--- /dev/null
+++ b/queue-4.19/f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch
@@ -0,0 +1,83 @@
+From 5598b24efaf4892741c798b425d543e4bed357a1 Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Sun, 12 Dec 2021 17:16:30 +0800
+Subject: f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
+
+From: Chao Yu
+
+commit 5598b24efaf4892741c798b425d543e4bed357a1 upstream.
+
+As Wenqing Liu reported in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=215235
+
+- Overview
+page fault in f2fs_setxattr() when mount and operate on corrupted image
+
+- Reproduce
+tested on kernel 5.16-rc3, 5.15.X under root
+
+1. unzip tmp7.zip
+2. ./single.sh f2fs 7
+
+Sometimes need to run the script several times
+
+- Kernel dump
+loop0: detected capacity change from 0 to 131072
+F2FS-fs (loop0): Found nat_bits in checkpoint
+F2FS-fs (loop0): Mounted with checkpoint version = 7548c2ee
+BUG: unable to handle page fault for address: ffffe47bc7123f48
+RIP: 0010:kfree+0x66/0x320
+Call Trace:
+ __f2fs_setxattr+0x2aa/0xc00 [f2fs]
+ f2fs_setxattr+0xfa/0x480 [f2fs]
+ __f2fs_set_acl+0x19b/0x330 [f2fs]
+ __vfs_removexattr+0x52/0x70
+ __vfs_removexattr_locked+0xb1/0x140
+ vfs_removexattr+0x56/0x100
+ removexattr+0x57/0x80
+ path_removexattr+0xa3/0xc0
+ __x64_sys_removexattr+0x17/0x20
+ do_syscall_64+0x37/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The root cause is in __f2fs_setxattr(), we missed to do sanity check on
+last xattr entry, result in out-of-bound memory access during updating
+inconsistent xattr data of target inode.
+
+After the fix, it can detect such xattr inconsistency as below:
+
+F2FS-fs (loop11): inode (7) has invalid last xattr entry, entry_size: 60676
+F2FS-fs (loop11): inode (8) has corrupted xattr
+F2FS-fs (loop11): inode (8) has corrupted xattr
+F2FS-fs (loop11): inode (8) has invalid last xattr entry, entry_size: 47736
+
+Cc: stable@vger.kernel.org
+Reported-by: Wenqing Liu
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+[delete f2fs_err() call as it's not in older kernels - gregkh]
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/xattr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -658,8 +658,15 @@ static int __f2fs_setxattr(struct inode
+ }
+
+ last = here;
+- while (!IS_XATTR_LAST_ENTRY(last))
++ while (!IS_XATTR_LAST_ENTRY(last)) {
++ if ((void *)(last) + sizeof(__u32) > last_base_addr ||
++ (void *)XATTR_NEXT_ENTRY(last) > last_base_addr) {
++ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
++ error = -EFSCORRUPTED;
++ goto exit;
++ }
+ last = XATTR_NEXT_ENTRY(last);
++ }
+
+ newsize = XATTR_ALIGN(sizeof(struct f2fs_xattr_entry) + len + size);
+
diff --git a/queue-4.19/pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch b/queue-4.19/pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch
new file mode 100644
index 00000000000..62a7612f3ba
--- /dev/null
+++ b/queue-4.19/pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch
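Review bot: The new bounds check inside the `while (!IS_XATTR_LAST_ENTRY(last))` loop fails silently in this backport: it sets SBI_NEED_FSCK and returns -EFSCORRUPTED, but the "has invalid last xattr entry, entry_size" message shown in the commit description was dropped together with f2fs_err(). Someone who mounts a corrupted image on 4.19 then gets an xattr error with no kernel log line naming the inode, which makes the condition hard to triage. Assuming this tree still provides f2fs_msg(), I would log it just before `error = -EFSCORRUPTED;`, e.g. `f2fs_msg(inode->i_sb, KERN_ERR, "inode (%lu) has invalid last xattr entry, entry_size: %zu", inode->i_ino, ENTRY_SIZE(last));`. __f2fs_setxattr starts before the hunk and continues after it, so the `exit` label and the setup of `last_base_addr` are not visible here.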
@@ -0,0 +1,43 @@
+From b67210cc217f9ca1c576909454d846970c13dfd4 Mon Sep 17 00:00:00 2001
+From: Fabien Dessenne
+Date: Wed, 15 Dec 2021 10:58:08 +0100
+Subject: pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines
+
+From: Fabien Dessenne
+
+commit b67210cc217f9ca1c576909454d846970c13dfd4 upstream.
+
+Consider the GPIO controller offset (from "gpio-ranges") to compute the
+maximum GPIO line number.
+This fixes an issue where gpio-ranges uses a non-null offset.
+ e.g.: gpio-ranges = <&pinctrl 6 86 10>
+ In that case the last valid GPIO line is not 9 but 15 (6 + 10 - 1)
+
+Cc: stable@vger.kernel.org
+Fixes: 67e2996f72c7 ("pinctrl: stm32: fix the reported number of GPIO lines per bank")
+Reported-by: Christoph Fritz
+Signed-off-by: Fabien Dessenne
+Link: https://lore.kernel.org/r/20211215095808.621716-1-fabien.dessenne@foss.st.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/stm32/pinctrl-stm32.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
+@@ -1011,10 +1011,10 @@ static int stm32_gpiolib_register_bank(s
+ bank_nr = args.args[1] / STM32_GPIO_PINS_PER_BANK;
+ bank->gpio_chip.base = args.args[1];
+
+- npins = args.args[2];
+- while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3,
+- ++i, &args))
+- npins += args.args[2];
++ /* get the last defined gpio line (offset + nb of pins) */
++ npins = args.args[0] + args.args[2];
++ while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, ++i, &args))
++ npins = max(npins, (int)(args.args[0] + args.args[2]));
+ } else {
+ bank_nr = pctl->nbanks;
+ bank->gpio_chip.base = bank_nr * STM32_GPIO_PINS_PER_BANK;
diff --git a/queue-4.19/series b/queue-4.19/series
index c9043a86796..8b7a3275172 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
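Review bot: `npins` is now the largest `offset + count` found in "gpio-ranges", but nothing in the hunk caps it at STM32_GPIO_PINS_PER_BANK, so a malformed device-tree entry flows unchecked into whatever consumes npins after the hunk (presumably the bank's line count, which is not visible here). A clamp after the loop, `npins = min(npins, STM32_GPIO_PINS_PER_BANK);`, would keep it bounded, assuming npins is an int as the `(int)` cast suggests. The first assignment `npins = args.args[0] + args.args[2];` also relies on an implicit conversion while the loop body casts explicitly; using the same form in both places would read better. stm32_gpiolib_register_bank starts before the hunk and continues after it.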
@@ -25,3 +25,7 @@ ipmi-bail-out-if-init_srcu_struct-fails.patch
 ipmi-fix-initialization-when-workqueue-allocation-fails.patch
 parisc-correct-completer-in-lws-start.patch
 x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch
+pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch
+arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch
+f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch
+usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch
diff --git a/queue-4.19/usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch b/queue-4.19/usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch
new file mode 100644
index 00000000000..82d2365a430
--- /dev/null
+++ b/queue-4.19/usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch
@@ -0,0 +1,88 @@
+From 890d5b40908bfd1a79be018d2d297cf9df60f4ee Mon Sep 17 00:00:00 2001
+From: Marian Postevca
+Date: Sat, 4 Dec 2021 23:49:12 +0200
+Subject: usb: gadget: u_ether: fix race in setting MAC address in setup phase
+
+From: Marian Postevca
+
+commit 890d5b40908bfd1a79be018d2d297cf9df60f4ee upstream.
+
+When listening for notifications through netlink of a new interface being
+registered, sporadically, it is possible for the MAC to be read as zero.
+The zero MAC address lasts a short period of time and then switches to a
+valid random MAC address.
+
+This causes problems for netd in Android, which assumes that the interface
+is malfunctioning and will not use it.
+
+In the good case we get this log:
+InterfaceController::getCfg() ifName usb0
+ hwAddr 92:a8:f0:73:79:5b ipv4Addr 0.0.0.0 flags 0x1002
+
+In the error case we get these logs:
+InterfaceController::getCfg() ifName usb0
+ hwAddr 00:00:00:00:00:00 ipv4Addr 0.0.0.0 flags 0x1002
+
+netd : interfaceGetCfg("usb0")
+netd : interfaceSetCfg() -> ServiceSpecificException
+ (99, "[Cannot assign requested address] : ioctl() failed")
+
+The reason for the issue is the order in which the interface is setup,
+it is first registered through register_netdev() and after the MAC
+address is set.
+
+Fixed by first setting the MAC address of the net_device and after that
+calling register_netdev().
+
+Fixes: bcd4a1c40bee885e ("usb: gadget: u_ether: construct with default values and add setters/getters")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marian Postevca
+Link: https://lore.kernel.org/r/20211204214912.17627-1-posteuca@mutex.one
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/u_ether.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -860,19 +860,23 @@ int gether_register_netdev(struct net_de
+ {
+ struct eth_dev *dev;
+ struct usb_gadget *g;
+- struct sockaddr sa;
+ int status;
+
+ if (!net->dev.parent)
+ return -EINVAL;
+ dev = netdev_priv(net);
+ g = dev->gadget;
++
++ memcpy(net->dev_addr, dev->dev_mac, ETH_ALEN);
++ net->addr_assign_type = NET_ADDR_RANDOM;
++
+ status = register_netdev(net);
+ if (status < 0) {
+ dev_dbg(&g->dev, "register_netdev failed, %d\n", status);
+ return status;
+ } else {
+ INFO(dev, "HOST MAC %pM\n", dev->host_mac);
++ INFO(dev, "MAC %pM\n", dev->dev_mac);
+
+ /* two kinds of host-initiated state changes:
+ * - iff DATA transfer is active, carrier is "on"
+@@ -880,15 +884,6 @@ int gether_register_netdev(struct net_de
+ */
+ netif_carrier_off(net);
+ }
+- sa.sa_family = net->type;
+- memcpy(sa.sa_data, dev->dev_mac, ETH_ALEN);
+- rtnl_lock();
+- status = dev_set_mac_address(net, &sa);
+- rtnl_unlock();
+- if (status)
+- pr_warn("cannot set self ethernet address: %d\n", status);
+- else
+- INFO(dev, "MAC %pM\n", dev->dev_mac);
+
+ return status;
+ }
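Review bot: `net->addr_assign_type = NET_ADDR_RANDOM;` is set unconditionally before `register_netdev()`, which is only accurate when `dev->dev_mac` really was randomly generated. If dev_mac can also be supplied by the user through the setters that the Fixes: commit title mentions, the interface would be reported as randomly addressed when it is not; that path is outside the hunk, so this needs confirming. The removed `dev_set_mac_address()` call went through the normal address-change path, whereas the new `memcpy()` copies dev_mac with no validity check, so a guard such as `if (!is_valid_ether_addr(dev->dev_mac)) return -EADDRNOTAVAIL;` before the copy may be worth adding unless dev_mac is already validated where it is set. At minimum a comment above the two added lines should say why the address must be in place before registration, e.g. `/* set the MAC before register_netdev() so netlink listeners never see a zero address */`.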