From: Sasha Levin Date: Mon, 22 Jan 2024 22:48:47 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v4.19.306~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eb98d20f548a760cfc63f77714df3de75ab7a5a5;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/acpi-property-let-args-be-null-in-__acpi_node_get_pr.patch b/queue-4.19/acpi-property-let-args-be-null-in-__acpi_node_get_pr.patch new file mode 100644 index 00000000000..72fd0eebd30 --- /dev/null +++ b/queue-4.19/acpi-property-let-args-be-null-in-__acpi_node_get_pr.patch 
@@ -0,0 +1,52 @@ +From 7dbb370ee1de9dcba61c24216922ef1839cfeafe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Nov 2023 12:10:08 +0200 +Subject: acpi: property: Let args be NULL in + __acpi_node_get_property_reference + +From: Sakari Ailus + +[ Upstream commit bef52aa0f3de1b7d8c258c13b16e577361dabf3a ] + +fwnode_get_property_reference_args() may not be called with args argument +NULL on ACPI, OF already supports this. Add the missing NULL checks and +document this. + +The purpose is to be able to count the references. + +Fixes: 977d5ad39f3e ("ACPI: Convert ACPI reference args to generic fwnode reference args") +Signed-off-by: Sakari Ailus +Reviewed-by: Andy Shevchenko +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20231109101010.1329587-2-sakari.ailus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/acpi/property.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/acpi/property.c b/drivers/acpi/property.c +index c59235038bf2..cfee286ee5c5 100644 +--- a/drivers/acpi/property.c ++++ b/drivers/acpi/property.c +@@ -566,6 +566,7 @@ acpi_fwnode_get_named_child_node(const struct fwnode_handle *fwnode, + * @index: Index of the reference to return + * @num_args: Maximum number of arguments after each reference + * @args: Location to store the returned reference with optional arguments ++ * (may be NULL) + * + * Find property with @name, verifify that it is a package containing at least + * one object reference and if so, store the ACPI device object pointer to the +@@ -624,6 +625,9 @@ int __acpi_node_get_property_reference(const struct fwnode_handle *fwnode, + if (ret) + return ret == -ENODEV ? -EINVAL : ret; + ++ if (!args) ++ return 0; ++ + args->fwnode = acpi_fwnode_handle(device); + args->nargs = 0; + return 0; +-- +2.43.0 + 
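Review bot: the `if (!args) return 0;` guard in the __acpi_node_get_property_reference hunk protects only the exit path shown (the plain device-reference case around old line 624), yet the kerneldoc in the same patch now promises that @args "may be NULL" for the whole function, and the function also handles references followed by integer arguments (@num_args). Every other `args->fwnode`, `args->nargs` or `args->args[]` store in the function needs the same check before that promise is safe to ship; the diffstat (4 insertions: one doc line plus this three-line guard) indicates those paths were not touched in the 4.19 backport, so please confirm they are unreachable with a NULL args or guard them too.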
diff --git a/queue-4.19/apparmor-avoid-crash-when-parsed-profile-name-is-emp.patch b/queue-4.19/apparmor-avoid-crash-when-parsed-profile-name-is-emp.patch new file mode 100644 index 00000000000..f8070b7c310 --- /dev/null +++ b/queue-4.19/apparmor-avoid-crash-when-parsed-profile-name-is-emp.patch 
@@ -0,0 +1,82 @@ +From a9fce13b81243eb0d1b3d51666182ab2f91e3601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Dec 2023 19:07:43 +0300 +Subject: apparmor: avoid crash when parsed profile name is empty + +From: Fedor Pchelkin + +[ Upstream commit 55a8210c9e7d21ff2644809699765796d4bfb200 ] + +When processing a packed profile in unpack_profile() described like + + "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}" + +a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then +passed to aa_splitn_fqname(). + +aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace. +Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later +aa_alloc_profile() crashes as the new profile name is NULL now. + +general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 +RIP: 0010:strlen+0x1e/0xa0 +Call Trace: + + ? strlen+0x1e/0xa0 + aa_policy_init+0x1bb/0x230 + aa_alloc_profile+0xb1/0x480 + unpack_profile+0x3bc/0x4960 + aa_unpack+0x309/0x15e0 + aa_replace_profiles+0x213/0x33c0 + policy_update+0x261/0x370 + profile_replace+0x20e/0x2a0 + vfs_write+0x2af/0xe00 + ksys_write+0x126/0x250 + do_syscall_64+0x46/0xf0 + entry_SYSCALL_64_after_hwframe+0x6e/0x76 + +---[ end trace 0000000000000000 ]--- +RIP: 0010:strlen+0x1e/0xa0 + +It seems such behaviour of aa_splitn_fqname() is expected and checked in +other places where it is called (e.g. aa_remove_profiles). Well, there +is an explicit comment "a ns name without a following profile is allowed" +inside. + +AFAICS, nothing can prevent unpacked "name" to be in form like +":samba-dcerpcd" - it is passed from userspace. 
+ +Deny the whole profile set replacement in such case and inform user with +EPROTO and an explaining message. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: 04dc715e24d0 ("apparmor: audit policy ns specified in policy load") +Signed-off-by: Fedor Pchelkin +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/policy_unpack.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c +index 41da5ccc3f3e..683f551ec33b 100644 +--- a/security/apparmor/policy_unpack.c ++++ b/security/apparmor/policy_unpack.c +@@ -635,6 +635,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) + + tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len); + if (tmpns) { ++ if (!tmpname) { ++ info = "empty profile name"; ++ goto fail; ++ } + *ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL); + if (!*ns_name) { + info = "out of memory"; +-- +2.43.0 + diff --git a/queue-4.19/i2c-s3c24xx-fix-read-transfers-in-polling-mode.patch b/queue-4.19/i2c-s3c24xx-fix-read-transfers-in-polling-mode.patch new file mode 100644 index 00000000000..684bae689ad --- /dev/null +++ b/queue-4.19/i2c-s3c24xx-fix-read-transfers-in-polling-mode.patch 
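Review bot: in the apparmor unpack_profile() hunk the new `if (!tmpname)` check is correctly placed inside `if (tmpns)` and before the `kstrndup()` of *ns_name, so the failure path allocates nothing it would later have to free. One documentation request: add a one-line comment above it saying that aa_splitn_fqname() legitimately returns a NULL name for an input that is only a namespace (the commit message quotes its "a ns name without a following profile is allowed" comment), so a future reader does not mistake this for a redundant NULL test and drop it. Since `name` comes from the userspace policy blob, rejecting the whole replacement with info = "empty profile name" is the right fail-closed choice.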
@@ -0,0 +1,50 @@ +From 800ab8201ac06f6c51cd501e16469921f40b72b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Nov 2023 17:43:52 +0100 +Subject: i2c: s3c24xx: fix read transfers in polling mode + +From: Marek Szyprowski + +[ Upstream commit 0d9cf23ed55d7ba3ab26d617a3ae507863674c8f ] + +To properly handle read transfers in polling mode, no waiting for the ACK +state is needed as it will never come. Just wait a bit to ensure start +state is on the bus and continue processing next bytes. + +Fixes: 117053f77a5a ("i2c: s3c2410: Add polling mode support") +Signed-off-by: Marek Szyprowski +Reviewed-by: Chanho Park +Reviewed-by: Andi Shyti +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-s3c2410.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c +index 4c6036920388..8186af573a02 100644 +--- a/drivers/i2c/busses/i2c-s3c2410.c ++++ b/drivers/i2c/busses/i2c-s3c2410.c +@@ -233,8 +233,17 @@ static bool is_ack(struct s3c24xx_i2c *i2c) + int tries; + + for (tries = 50; tries; --tries) { +- if (readl(i2c->regs + S3C2410_IICCON) +- & S3C2410_IICCON_IRQPEND) { ++ unsigned long tmp = readl(i2c->regs + S3C2410_IICCON); ++ ++ if (!(tmp & S3C2410_IICCON_ACKEN)) { ++ /* ++ * Wait a bit for the bus to stabilize, ++ * delay estimated experimentally. ++ */ ++ usleep_range(100, 200); ++ return true; ++ } ++ if (tmp & S3C2410_IICCON_IRQPEND) { + if (!(readl(i2c->regs + S3C2410_IICSTAT) + & S3C2410_IICSTAT_LASTBIT)) + return true; +-- +2.43.0 + diff --git a/queue-4.19/i2c-s3c24xx-fix-transferring-more-than-one-message-i.patch b/queue-4.19/i2c-s3c24xx-fix-transferring-more-than-one-message-i.patch new file mode 100644 index 00000000000..6790d7a0000 --- /dev/null +++ b/queue-4.19/i2c-s3c24xx-fix-transferring-more-than-one-message-i.patch 
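Review bot: in the is_ack() hunk, the `!(tmp & S3C2410_IICCON_ACKEN)` branch returns true on the first of the 50 iterations, so for polling-mode reads the retry loop no longer exists and is_ack() reports success after a fixed usleep_range(100, 200) regardless of bus state; a device that never responds is not detected here, and the caller must bound the transfer some other way. The comment should also say explicitly that a cleared ACKEN bit is being used to mean "this is a read transfer" (the commit message's reasoning), because ACKEN is a controller setting rather than an observed ACK/NACK. Minor: `readl()` returns u32, so `unsigned long tmp` could be `u32 tmp` to match the rest of the driver.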
@@ -0,0 +1,88 @@ +From a831da7c47f3f93343a01f56157a3b5057df6f3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Nov 2023 17:43:53 +0100 +Subject: i2c: s3c24xx: fix transferring more than one message in polling mode + +From: Marek Szyprowski + +[ Upstream commit 990489e1042c6c5d6bccf56deca68f8dbeed8180 ] + +To properly handle ACK on the bus when transferring more than one +message in polling mode, move the polling handling loop from +s3c24xx_i2c_message_start() to s3c24xx_i2c_doxfer(). This way +i2c_s3c_irq_nextbyte() is always executed till the end, properly +acknowledging the IRQ bits and no recursive calls to +i2c_s3c_irq_nextbyte() are made. + +While touching this, also fix finishing transfers in polling mode by +using common code path and always waiting for the bus to become idle +and disabled. + +Fixes: 117053f77a5a ("i2c: s3c2410: Add polling mode support") +Signed-off-by: Marek Szyprowski +Reviewed-by: Andi Shyti +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-s3c2410.c | 27 ++++++++++----------------- + 1 file changed, 10 insertions(+), 17 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c +index 8186af573a02..fe245dfdaf4d 100644 +--- a/drivers/i2c/busses/i2c-s3c2410.c ++++ b/drivers/i2c/busses/i2c-s3c2410.c +@@ -296,16 +296,6 @@ static void s3c24xx_i2c_message_start(struct s3c24xx_i2c *i2c, + + stat |= S3C2410_IICSTAT_START; + writel(stat, i2c->regs + S3C2410_IICSTAT); +- +- if (i2c->quirks & QUIRK_POLL) { +- while ((i2c->msg_num != 0) && is_ack(i2c)) { +- i2c_s3c_irq_nextbyte(i2c, stat); +- stat = readl(i2c->regs + S3C2410_IICSTAT); +- +- if (stat & S3C2410_IICSTAT_ARBITR) +- dev_err(i2c->dev, "deal with arbitration loss\n"); +- } +- } + } + + static inline void s3c24xx_i2c_stop(struct s3c24xx_i2c *i2c, int ret) +@@ -712,7 +702,7 @@ static void s3c24xx_i2c_wait_idle(struct s3c24xx_i2c *i2c) + static int s3c24xx_i2c_doxfer(struct s3c24xx_i2c *i2c, + struct 
i2c_msg *msgs, int num) + { +- unsigned long timeout; ++ unsigned long timeout = 0; + int ret; + + if (i2c->suspended) +@@ -735,16 +725,19 @@ static int s3c24xx_i2c_doxfer(struct s3c24xx_i2c *i2c, + s3c24xx_i2c_message_start(i2c, msgs); + + if (i2c->quirks & QUIRK_POLL) { +- ret = i2c->msg_idx; ++ while ((i2c->msg_num != 0) && is_ack(i2c)) { ++ unsigned long stat = readl(i2c->regs + S3C2410_IICSTAT); + +- if (ret != num) +- dev_dbg(i2c->dev, "incomplete xfer (%d)\n", ret); ++ i2c_s3c_irq_nextbyte(i2c, stat); + +- goto out; ++ stat = readl(i2c->regs + S3C2410_IICSTAT); ++ if (stat & S3C2410_IICSTAT_ARBITR) ++ dev_err(i2c->dev, "deal with arbitration loss\n"); ++ } ++ } else { ++ timeout = wait_event_timeout(i2c->wait, i2c->msg_num == 0, HZ * 5); + } + +- timeout = wait_event_timeout(i2c->wait, i2c->msg_num == 0, HZ * 5); +- + ret = i2c->msg_idx; + + /* +-- +2.43.0 + diff --git a/queue-4.19/ipvs-avoid-stat-macros-calls-from-preemptible-contex.patch b/queue-4.19/ipvs-avoid-stat-macros-calls-from-preemptible-contex.patch new file mode 100644 index 00000000000..9b2085f6013 --- /dev/null +++ b/queue-4.19/ipvs-avoid-stat-macros-calls-from-preemptible-contex.patch 
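Review bot: in the s3c24xx_i2c_doxfer() hunk the polling loop `while ((i2c->msg_num != 0) && is_ack(i2c))` has no overall deadline, unlike the interrupt branch it now sits beside, which is bounded by `wait_event_timeout(..., HZ * 5)`; if msg_num never reaches 0 the loop depends entirely on is_ack() eventually returning false, and the preceding patch in this queue makes is_ack() return true unconditionally for reads. Consider wrapping the loop in a jiffies-based deadline. Also, `timeout` is initialised to 0 and left at 0 on the polling path, so any `timeout == 0` check after `ret = i2c->msg_idx` (outside this hunk) will treat a completed polling transfer as a timeout; please confirm that code only logs and does not alter the return value.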
@@ -0,0 +1,83 @@ +From 6be7b5387e5d9bffef947163286dfde036c38196 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jan 2024 17:39:22 +0300 +Subject: ipvs: avoid stat macros calls from preemptible context + +From: Fedor Pchelkin + +[ Upstream commit d6938c1c76c64f42363d0d1f051e1b4641c2ad40 ] + +Inside decrement_ttl() upon discovering that the packet ttl has exceeded, +__IP_INC_STATS and __IP6_INC_STATS macros can be called from preemptible +context having the following backtrace: + +check_preemption_disabled: 48 callbacks suppressed +BUG: using __this_cpu_add() in preemptible [00000000] code: curl/1177 +caller is decrement_ttl+0x217/0x830 +CPU: 5 PID: 1177 Comm: curl Not tainted 6.7.0+ #34 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 04/01/2014 +Call Trace: + + dump_stack_lvl+0xbd/0xe0 + check_preemption_disabled+0xd1/0xe0 + decrement_ttl+0x217/0x830 + __ip_vs_get_out_rt+0x4e0/0x1ef0 + ip_vs_nat_xmit+0x205/0xcd0 + ip_vs_in_hook+0x9b1/0x26a0 + nf_hook_slow+0xc2/0x210 + nf_hook+0x1fb/0x770 + __ip_local_out+0x33b/0x640 + ip_local_out+0x2a/0x490 + __ip_queue_xmit+0x990/0x1d10 + __tcp_transmit_skb+0x288b/0x3d10 + tcp_connect+0x3466/0x5180 + tcp_v4_connect+0x1535/0x1bb0 + __inet_stream_connect+0x40d/0x1040 + inet_stream_connect+0x57/0xa0 + __sys_connect_file+0x162/0x1a0 + __sys_connect+0x137/0x160 + __x64_sys_connect+0x72/0xb0 + do_syscall_64+0x6f/0x140 + entry_SYSCALL_64_after_hwframe+0x6e/0x76 +RIP: 0033:0x7fe6dbbc34e0 + +Use the corresponding preemption-aware variants: IP_INC_STATS and +IP6_INC_STATS. + +Found by Linux Verification Center (linuxtesting.org). 
+ +Fixes: 8d8e20e2d7bb ("ipvs: Decrement ttl") +Signed-off-by: Fedor Pchelkin +Acked-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_xmit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c +index 11f7c546e57b..e47d1a29c140 100644 +--- a/net/netfilter/ipvs/ip_vs_xmit.c ++++ b/net/netfilter/ipvs/ip_vs_xmit.c +@@ -272,7 +272,7 @@ static inline bool decrement_ttl(struct netns_ipvs *ipvs, + skb->dev = dst->dev; + icmpv6_send(skb, ICMPV6_TIME_EXCEED, + ICMPV6_EXC_HOPLIMIT, 0); +- __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); ++ IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); + + return false; + } +@@ -287,7 +287,7 @@ static inline bool decrement_ttl(struct netns_ipvs *ipvs, + { + if (ip_hdr(skb)->ttl <= 1) { + /* Tell the sender its packet died... */ +- __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS); ++ IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS); + icmp_send(skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0); + return false; + } +-- +2.43.0 + diff --git a/queue-4.19/kdb-censor-attempts-to-set-prompt-without-enable_mem.patch b/queue-4.19/kdb-censor-attempts-to-set-prompt-without-enable_mem.patch new file mode 100644 index 00000000000..31e2da42410 --- /dev/null +++ b/queue-4.19/kdb-censor-attempts-to-set-prompt-without-enable_mem.patch 
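Review bot: in the decrement_ttl() hunk both replaced counters sit on the branch taken for an incoming packet whose ttl or hop limit is already <= 1, i.e. input a remote peer controls, so the preemption-unsafe `__IP_INC_STATS`/`__IP6_INC_STATS` increments were reachable from network traffic and not only from the local curl run shown in the trace; worth stating in the backport note. Suggest also grepping net/netfilter/ipvs/ip_vs_xmit.c for any remaining `__IP*_INC_STATS` call outside decrement_ttl(), since the diffstat shows only these two sites changed.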
@@ -0,0 +1,66 @@ +From cf437289504d229e7e6ba24ddadfd0d17fe734ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2020 15:16:40 +0000 +Subject: kdb: Censor attempts to set PROMPT without ENABLE_MEM_READ + +From: Daniel Thompson + +[ Upstream commit ad99b5105c0823ff02126497f4366e6a8009453e ] + +Currently the PROMPT variable could be abused to provoke the printf() +machinery to read outside the current stack frame. Normally this +doesn't matter becaues md is already a much better tool for reading +from memory. + +However the md command can be disabled by not setting KDB_ENABLE_MEM_READ. +Let's also prevent PROMPT from being modified in these circumstances. + +Whilst adding a comment to help future code reviewers we also remove +the #ifdef where PROMPT in consumed. There is no problem passing an +unused (0) to snprintf when !CONFIG_SMP. +argument + +Reported-by: Wang Xiayang +Signed-off-by: Daniel Thompson +Reviewed-by: Douglas Anderson +Stable-dep-of: 4f41d30cd6dc ("kdb: Fix a potential buffer overflow in kdb_local()") +Signed-off-by: Sasha Levin +--- + kernel/debug/kdb/kdb_main.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c +index dc6bf35e7884..8f31d472384f 100644 +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -399,6 +399,13 @@ int kdb_set(int argc, const char **argv) + if (argc != 2) + return KDB_ARGCOUNT; + ++ /* ++ * Censor sensitive variables ++ */ ++ if (strcmp(argv[1], "PROMPT") == 0 && ++ !kdb_check_flags(KDB_ENABLE_MEM_READ, kdb_cmd_enabled, false)) ++ return KDB_NOPERM; ++ + /* + * Check for internal variables + */ +@@ -1299,12 +1306,9 @@ static int kdb_local(kdb_reason_t reason, int error, struct pt_regs *regs, + *(cmd_hist[cmd_head]) = '\0'; + + do_full_getstr: +-#if defined(CONFIG_SMP) ++ /* PROMPT can only be set if we have MEM_READ permission. 
*/ + snprintf(kdb_prompt_str, CMD_BUFLEN, kdbgetenv("PROMPT"), + raw_smp_processor_id()); +-#else +- snprintf(kdb_prompt_str, CMD_BUFLEN, kdbgetenv("PROMPT")); +-#endif + if (defcmd_in_progress) + strncat(kdb_prompt_str, "[defcmd]", CMD_BUFLEN); + +-- +2.43.0 + diff --git a/queue-4.19/kdb-fix-a-potential-buffer-overflow-in-kdb_local.patch b/queue-4.19/kdb-fix-a-potential-buffer-overflow-in-kdb_local.patch new file mode 100644 index 00000000000..45fd327f15c --- /dev/null +++ b/queue-4.19/kdb-fix-a-potential-buffer-overflow-in-kdb_local.patch 
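Review bot: the kdb_set() hunk gates who may set PROMPT on KDB_ENABLE_MEM_READ, but the kdb_local() hunk still hands `kdbgetenv("PROMPT")` to snprintf() as a non-literal format string with one trailing argument, so the format-string read the commit message describes is contained, not removed; the new comment should say so (for example "PROMPT is used as a format string; it can only be set with MEM_READ permission") so nobody later relaxes the check believing the consumer is safe on its own. Documentation nit in the commit message: the word "argument" is displaced onto its own line after "!CONFIG_SMP.".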
@@ -0,0 +1,45 @@ +From 0f18d1c99a457e2be4e5742c1cc7b2ced45234fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Nov 2023 13:05:04 +0100 +Subject: kdb: Fix a potential buffer overflow in kdb_local() + +From: Christophe JAILLET + +[ Upstream commit 4f41d30cd6dc865c3cbc1a852372321eba6d4e4c ] + +When appending "[defcmd]" to 'kdb_prompt_str', the size of the string +already in the buffer should be taken into account. + +An option could be to switch from strncat() to strlcat() which does the +correct test to avoid such an overflow. + +However, this actually looks as dead code, because 'defcmd_in_progress' +can't be true here. +See a more detailed explanation at [1]. + +[1]: https://lore.kernel.org/all/CAD=FV=WSh7wKN7Yp-3wWiDgX4E3isQ8uh0LCzTmd1v9Cg9j+nQ@mail.gmail.com/ + +Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") +Signed-off-by: Christophe JAILLET +Reviewed-by: Douglas Anderson +Signed-off-by: Sasha Levin +--- + kernel/debug/kdb/kdb_main.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c +index 8f31d472384f..7f78657dfa00 100644 +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -1309,8 +1309,6 @@ static int kdb_local(kdb_reason_t reason, int error, struct pt_regs *regs, + /* PROMPT can only be set if we have MEM_READ permission. */ + snprintf(kdb_prompt_str, CMD_BUFLEN, kdbgetenv("PROMPT"), + raw_smp_processor_id()); +- if (defcmd_in_progress) +- strncat(kdb_prompt_str, "[defcmd]", CMD_BUFLEN); + + /* + * Fetch command from keyboard +-- +2.43.0 + diff --git a/queue-4.19/mips-alchemy-fix-an-out-of-bound-access-in-db1200_de.patch b/queue-4.19/mips-alchemy-fix-an-out-of-bound-access-in-db1200_de.patch new file mode 100644 index 00000000000..7d384d4ea53 --- /dev/null +++ b/queue-4.19/mips-alchemy-fix-an-out-of-bound-access-in-db1200_de.patch 
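Review bot: the kdb_local() hunk deletes the strncat() rather than converting it to strlcat(); the commit message justifies this with `defcmd_in_progress` never being true at that point, so please check that the variable still has other readers after the deletion, otherwise it becomes write-only and the compiler will warn. With the "[defcmd]" append gone, `kdb_prompt_str` is written only by the bounded `snprintf(kdb_prompt_str, CMD_BUFLEN, ...)` immediately above, which closes the length problem; the remaining concern is the format string itself, addressed by the preceding kdb patch in this queue.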
@@ -0,0 +1,36 @@ +From 28dac3f6adf7d167d410b5e8640c8ee33ff0d69a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jan 2024 19:07:36 +0100 +Subject: MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup() + +From: Christophe JAILLET + +[ Upstream commit 89c4b588d11e9acf01d604de4b0c715884f59213 ] + +When calling spi_register_board_info(), we should pass the number of +elements in 'db1200_spi_devs', not 'db1200_i2c_devs'. + +Fixes: 63323ec54a7e ("MIPS: Alchemy: Extended DB1200 board support.") +Signed-off-by: Christophe JAILLET +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/alchemy/devboards/db1200.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/alchemy/devboards/db1200.c b/arch/mips/alchemy/devboards/db1200.c +index 48840e48e79a..e47bac04cf75 100644 +--- a/arch/mips/alchemy/devboards/db1200.c ++++ b/arch/mips/alchemy/devboards/db1200.c +@@ -864,7 +864,7 @@ int __init db1200_dev_setup(void) + i2c_register_board_info(0, db1200_i2c_devs, + ARRAY_SIZE(db1200_i2c_devs)); + spi_register_board_info(db1200_spi_devs, +- ARRAY_SIZE(db1200_i2c_devs)); ++ ARRAY_SIZE(db1200_spi_devs)); + + /* SWITCHES: S6.8 I2C/SPI selector (OFF=I2C ON=SPI) + * S6.7 AC97/I2S selector (OFF=AC97 ON=I2S) +-- +2.43.0 + diff --git a/queue-4.19/mips-alchemy-fix-an-out-of-bound-access-in-db1550_de.patch b/queue-4.19/mips-alchemy-fix-an-out-of-bound-access-in-db1550_de.patch new file mode 100644 index 00000000000..6a963b8ea43 --- /dev/null +++ b/queue-4.19/mips-alchemy-fix-an-out-of-bound-access-in-db1550_de.patch 
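Review bot: in the db1200_dev_setup() hunk the wrong array inside ARRAY_SIZE() is a copy-paste from the i2c_register_board_info() call two lines above; the identical mistake appears in db1550.c in the next patch of this queue, so a tree-wide search for `spi_register_board_info(X, ARRAY_SIZE(Y))` with X != Y (a one-line Coccinelle rule) would be a cheap way to catch any remaining instance. Before the fix the SPI registration read past the end of db1200_spi_devs whenever the i2c table is the larger one, which is the out-of-bounds access the subject names.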
@@ -0,0 +1,35 @@ +From 3da6000527de67c43a430191e358741837a09a5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jan 2024 19:09:46 +0100 +Subject: MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup() + +From: Christophe JAILLET + +[ Upstream commit 3c1e5abcda64bed0c7bffa65af2316995f269a61 ] + +When calling spi_register_board_info(), + +Fixes: f869d42e580f ("MIPS: Alchemy: Improved DB1550 support, with audio and serial busses.") +Signed-off-by: Christophe JAILLET +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/alchemy/devboards/db1550.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/alchemy/devboards/db1550.c b/arch/mips/alchemy/devboards/db1550.c +index 7d3dfaa10231..aaee46fe582f 100644 +--- a/arch/mips/alchemy/devboards/db1550.c ++++ b/arch/mips/alchemy/devboards/db1550.c +@@ -581,7 +581,7 @@ int __init db1550_dev_setup(void) + i2c_register_board_info(0, db1550_i2c_devs, + ARRAY_SIZE(db1550_i2c_devs)); + spi_register_board_info(db1550_spi_devs, +- ARRAY_SIZE(db1550_i2c_devs)); ++ ARRAY_SIZE(db1550_spi_devs)); + + c = clk_get(NULL, "psc0_intclk"); + if (!IS_ERR(c)) { +-- +2.43.0 + diff --git a/queue-4.19/net-dsa-vsc73xx-add-null-pointer-check-to-vsc73xx_gp.patch b/queue-4.19/net-dsa-vsc73xx-add-null-pointer-check-to-vsc73xx_gp.patch new file mode 100644 index 00000000000..060d84671c9 --- /dev/null +++ b/queue-4.19/net-dsa-vsc73xx-add-null-pointer-check-to-vsc73xx_gp.patch 
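Review bot: the commit message in the db1550_dev_setup() patch is cut off after "When calling spi_register_board_info()," and carries no explanation of the bug; it should read like the db1200 message just above (pass the number of elements in 'db1550_spi_devs', not 'db1550_i2c_devs'). The code change itself is the same one-token ARRAY_SIZE() fix and is correct as shown.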
@@ -0,0 +1,39 @@ +From 493170fc8abc32bb56dbca3bc630adf5a4e92fd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jan 2024 15:20:18 +0800 +Subject: net: dsa: vsc73xx: Add null pointer check to vsc73xx_gpio_probe + +From: Kunwu Chan + +[ Upstream commit 776dac5a662774f07a876b650ba578d0a62d20db ] + +devm_kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. + +Fixes: 05bd97fc559d ("net: dsa: Add Vitesse VSC73xx DSA router driver") +Signed-off-by: Kunwu Chan +Suggested-by: Jakub Kicinski +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240111072018.75971-1-chentao@kylinos.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/vitesse-vsc73xx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/dsa/vitesse-vsc73xx.c b/drivers/net/dsa/vitesse-vsc73xx.c +index 9f1b5f2e8a64..34fefa015fd7 100644 +--- a/drivers/net/dsa/vitesse-vsc73xx.c ++++ b/drivers/net/dsa/vitesse-vsc73xx.c +@@ -1227,6 +1227,8 @@ static int vsc73xx_gpio_probe(struct vsc73xx *vsc) + + vsc->gc.label = devm_kasprintf(vsc->dev, GFP_KERNEL, "VSC%04x", + vsc->chipid); ++ if (!vsc->gc.label) ++ return -ENOMEM; + vsc->gc.ngpio = 4; + vsc->gc.owner = THIS_MODULE; + vsc->gc.parent = vsc->dev; +-- +2.43.0 + diff --git a/queue-4.19/net-qualcomm-rmnet-fix-global-oob-in-rmnet_policy.patch b/queue-4.19/net-qualcomm-rmnet-fix-global-oob-in-rmnet_policy.patch new file mode 100644 index 00000000000..35d1902ced6 --- /dev/null +++ b/queue-4.19/net-qualcomm-rmnet-fix-global-oob-in-rmnet_policy.patch 
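Review bot: in the vsc73xx_gpio_probe() hunk the `if (!vsc->gc.label) return -ENOMEM;` sits directly after the devm_kasprintf() and before any other gc field is populated, so nothing consumes a NULL label and, because the allocation is devm-managed, no explicit cleanup is needed on the early return. Nothing to change; for consistency it is worth checking whether the same file has other devm_kasprintf() results used unchecked.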
@@ -0,0 +1,105 @@ +From b4a71d5e44e55719b15abe141173b3d48ecdf0be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jan 2024 14:14:00 +0800 +Subject: net: qualcomm: rmnet: fix global oob in rmnet_policy + +From: Lin Ma + +[ Upstream commit b33fb5b801c6db408b774a68e7c8722796b59ecc ] + +The variable rmnet_link_ops assign a *bigger* maxtype which leads to a +global out-of-bounds read when parsing the netlink attributes. See bug +trace below: + +================================================================== +BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] +BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 +Read of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207 + +CPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G N 6.1.0 #3 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:284 [inline] + print_report+0x172/0x475 mm/kasan/report.c:395 + kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 + validate_nla lib/nlattr.c:386 [inline] + __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 + __nla_parse+0x3e/0x50 lib/nlattr.c:697 + nla_parse_nested_deprecated include/net/netlink.h:1248 [inline] + __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485 + rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594 + rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091 + netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0x154/0x190 net/socket.c:734 + ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 + ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 + __sys_sendmsg+0xf3/0x1c0 
net/socket.c:2565 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7fdcf2072359 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359 +RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003 +RBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000 + + +The buggy address belongs to the variable: + rmnet_policy+0x30/0xe0 + +The buggy address belongs to the physical page: +page:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243 +flags: 0x200000000001000(reserved|node=0|zone=2) +raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000 +raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07 + ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9 +>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 + ^ + ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 + ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 + +According to the comment of `nla_parse_nested_deprecated`, the maxtype +should be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here. 
+ +Fixes: 14452ca3b5ce ("net: qualcomm: rmnet: Export mux_id and flags to netlink") +Signed-off-by: Lin Ma +Reviewed-by: Subash Abhinov Kasiviswanathan +Reviewed-by: Simon Horman +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20240110061400.3356108-1-linma@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c +index 05c438f47ff1..75ff82bc90cb 100644 +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c +@@ -384,7 +384,7 @@ static int rmnet_fill_info(struct sk_buff *skb, const struct net_device *dev) + + struct rtnl_link_ops rmnet_link_ops __read_mostly = { + .kind = "rmnet", +- .maxtype = __IFLA_RMNET_MAX, ++ .maxtype = IFLA_RMNET_MAX, + .priv_size = sizeof(struct rmnet_priv), + .setup = rmnet_vnd_setup, + .validate = rmnet_rtnl_validate, +-- +2.43.0 + diff --git a/queue-4.19/net-ravb-fix-dma_addr_t-truncation-in-error-case.patch b/queue-4.19/net-ravb-fix-dma_addr_t-truncation-in-error-case.patch new file mode 100644 index 00000000000..1b18a13f1ea --- /dev/null +++ b/queue-4.19/net-ravb-fix-dma_addr_t-truncation-in-error-case.patch 
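Review bot: the rmnet_link_ops hunk changes .maxtype from __IFLA_RMNET_MAX to IFLA_RMNET_MAX, which matches the nla_parse_nested_deprecated rule the message quotes (maxtype is len(policy) - 1), but the hunk does not show rmnet_policy's declaration; please confirm it is sized `[IFLA_RMNET_MAX + 1]` so both halves agree, since a policy declared with one bound and parsed with another is exactly how validate_nla read just past the end of `rmnet_policy` in the KASAN report (the access lands in the variable's redzone). The read is reached through RTM_NEWLINK (rtnl_newlink in the trace), so the same `__IFLA_*_MAX`-as-maxtype pattern is worth grepping for in other rtnl_link_ops.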
@@ -0,0 +1,53 @@ +From 36e3561cec035a469d0423dbd2f3f59444f9b957 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jan 2024 10:22:21 +0600 +Subject: net: ravb: Fix dma_addr_t truncation in error case +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nikita Yushchenko + +[ Upstream commit e327b2372bc0f18c30433ac40be07741b59231c5 ] + +In ravb_start_xmit(), ravb driver uses u32 variable to store result of +dma_map_single() call. Since ravb hardware has 32-bit address fields in +descriptors, this works properly when mapping is successful - it is +platform's job to provide mapping addresses that fit into hardware +limitations. + +However, in failure case dma_map_single() returns DMA_MAPPING_ERROR +constant that is 64-bit when dma_addr_t is 64-bit. Storing this constant +in u32 leads to truncation, and further call to dma_mapping_error() +fails to notice the error. + +Fix that by storing result of dma_map_single() in a dma_addr_t +variable. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Nikita Yushchenko +Reviewed-by: Niklas Söderlund +Reviewed-by: Sergey Shtylyov +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index d70c82c926ea..3cfcc9e3c35d 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1508,7 +1508,7 @@ static netdev_tx_t ravb_start_xmit(struct sk_buff *skb, struct net_device *ndev) + struct ravb_tstamp_skb *ts_skb; + struct ravb_tx_desc *desc; + unsigned long flags; +- u32 dma_addr; ++ dma_addr_t dma_addr; + void *buffer; + u32 entry; + u32 len; +-- +2.43.0 + 
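Review bot: with `dma_addr` now a dma_addr_t in ravb_start_xmit(), the later stores into the 32-bit descriptor fields (outside this hunk) implicitly narrow a 64-bit value; the commit message says that is acceptable because successful mappings fit, but please make sure each store is an explicit `cpu_to_le32()` of the value so the narrowing is visible and does not trigger conversion warnings. Also worth checking whether other functions in ravb_main.c keep dma_map_single() results in `u32` locals, since the truncation only bites on the DMA_MAPPING_ERROR constant and escapes testing on hardware where mapping never fails.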
diff --git a/queue-4.19/perf-genelf-set-elf-program-header-addresses-properl.patch b/queue-4.19/perf-genelf-set-elf-program-header-addresses-properl.patch new file mode 100644 index 00000000000..d5bc7c12206 --- /dev/null +++ b/queue-4.19/perf-genelf-set-elf-program-header-addresses-properl.patch @@ -0,0 +1,50 @@ +From ad26fefd1de90f4836b38f778ab117b1c8aa40b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 23:05:44 -0800 +Subject: perf genelf: Set ELF program header addresses properly + +From: Namhyung Kim + +[ Upstream commit 1af478903fc48c1409a8dd6b698383b62387adf1 ] + +The text section starts after the ELF headers so PHDR.p_vaddr and +others should have the correct addresses. + +Fixes: babd04386b1df8c3 ("perf jit: Include program header in ELF files") +Reviewed-by: Ian Rogers +Signed-off-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Fangrui Song +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Lieven Hey +Cc: Milian Wolff +Cc: Pablo Galindo +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20231212070547.612536-2-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/genelf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/genelf.c b/tools/perf/util/genelf.c +index 65e41e259af8..72860270e935 100644 +--- a/tools/perf/util/genelf.c ++++ b/tools/perf/util/genelf.c +@@ -296,9 +296,9 @@ jit_write_elf(int fd, uint64_t load_addr, const char *sym, + */ + phdr = elf_newphdr(e, 1); + phdr[0].p_type = PT_LOAD; +- phdr[0].p_offset = 0; +- phdr[0].p_vaddr = 0; +- phdr[0].p_paddr = 0; ++ phdr[0].p_offset = GEN_ELF_TEXT_OFFSET; ++ phdr[0].p_vaddr = GEN_ELF_TEXT_OFFSET; ++ phdr[0].p_paddr = GEN_ELF_TEXT_OFFSET; + phdr[0].p_filesz = csize; + phdr[0].p_memsz = csize; + phdr[0].p_flags = PF_X | PF_R; +-- +2.43.0 + 
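Review bot: in the jit_write_elf() hunk, setting p_offset and p_vaddr to GEN_ELF_TEXT_OFFSET is consistent with the text starting after the headers, but p_align is not visible in the hunk; ELF requires p_vaddr and p_offset to be congruent modulo p_align, which holds here only because both are the same value, so please keep them equal if either is changed later and say so in a comment. Note that the segment no longer covers the ELF header itself (p_filesz stays csize), which is fine for perf's JIT dumps but differs from what linkers normally emit.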
diff --git a/queue-4.19/serial-imx-correct-clock-error-message-in-function-p.patch b/queue-4.19/serial-imx-correct-clock-error-message-in-function-p.patch new file mode 100644 index 00000000000..1f52eb8fcdd --- /dev/null +++ b/queue-4.19/serial-imx-correct-clock-error-message-in-function-p.patch @@ -0,0 +1,40 @@ +From dd67f56f6e466091667fc16ba74789e923889df2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 10:32:09 +0100 +Subject: serial: imx: Correct clock error message in function probe() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christoph Niedermaier + +[ Upstream commit 3e189470cad27d41a3a9dc02649f965b7ed1c90f ] + +Correct the clock error message by changing the clock name. + +Fixes: 1e512d45332b ("serial: imx: add error messages when .probe fails") +Signed-off-by: Christoph Niedermaier +Reviewed-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20231224093209.2612-1-cniedermaier@dh-electronics.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/imx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c +index 819f340a8a7a..024777e7aefe 100644 +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -2250,7 +2250,7 @@ static int imx_uart_probe(struct platform_device *pdev) + /* For register access, we only need to enable the ipg clock. */ + ret = clk_prepare_enable(sport->clk_ipg); + if (ret) { +- dev_err(&pdev->dev, "failed to enable per clk: %d\n", ret); ++ dev_err(&pdev->dev, "failed to enable ipg clk: %d\n", ret); + return ret; + } + +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 1b22a873efe..868565a7e07 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
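Review bot: the imx_uart_probe() hunk now names the clock actually being enabled (clk_ipg) in the error message; trivial and correct. Worth checking that the sibling clk_per enable path in the same function still prints "per clk", so the two messages stay distinguishable in logs.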
@@ -130,3 +130,17 @@ wifi-rtlwifi-remove-bogus-and-dangerous-aspm-disable-enable-code.patch wifi-rtlwifi-convert-lnkctl-change-to-pcie-cap-rmw-accessors.patch wifi-mwifiex-configure-bssid-consistently-when-starting-ap.patch hid-wacom-correct-behavior-when-processing-some-confidence-false-touches.patch +mips-alchemy-fix-an-out-of-bound-access-in-db1200_de.patch +mips-alchemy-fix-an-out-of-bound-access-in-db1550_de.patch +acpi-property-let-args-be-null-in-__acpi_node_get_pr.patch +perf-genelf-set-elf-program-header-addresses-properl.patch +apparmor-avoid-crash-when-parsed-profile-name-is-emp.patch +serial-imx-correct-clock-error-message-in-function-p.patch +net-qualcomm-rmnet-fix-global-oob-in-rmnet_policy.patch +net-ravb-fix-dma_addr_t-truncation-in-error-case.patch +net-dsa-vsc73xx-add-null-pointer-check-to-vsc73xx_gp.patch +ipvs-avoid-stat-macros-calls-from-preemptible-contex.patch +kdb-censor-attempts-to-set-prompt-without-enable_mem.patch +kdb-fix-a-potential-buffer-overflow-in-kdb_local.patch +i2c-s3c24xx-fix-read-transfers-in-polling-mode.patch +i2c-s3c24xx-fix-transferring-more-than-one-message-i.patch
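Review bot: the ordering of the fourteen added series entries satisfies the dependencies visible in this queue: kdb-censor-attempts-to-set-prompt-without-enable_mem.patch precedes kdb-fix-a-potential-buffer-overflow-in-kdb_local.patch (the first declares itself Stable-dep-of the second, and its post-image index 8f31d472384f is the second's pre-image), and i2c-s3c24xx-fix-read-transfers-in-polling-mode.patch precedes i2c-s3c24xx-fix-transferring-more-than-one-message-i.patch, whose index line (8186af573a02..fe245dfdaf4d) likewise starts from the first patch's post-image. Nothing to change.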