From: Greg Kroah-Hartman Date: Sat, 27 Mar 2021 14:24:38 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v5.11.11~63 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f131fc27f8d8ca67c29b35c0a892ddd2a016419a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch squashfs-fix-inode-lookup-sanity-checks.patch squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch
---
diff --git a/queue-4.14/arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch b/queue-4.14/arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch
new file mode 100644
index 00000000000..c1f73ee8283
--- /dev/null
+++ b/queue-4.14/arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch
@@ -0,0 +1,40 @@
+From 221c3a09ddf70a0a51715e6c2878d8305e95c558 Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea
+Date: Wed, 11 Apr 2018 19:05:03 +0300
+Subject: ARM: dts: at91-sama5d27_som1: fix phy address to 7
+
+From: Claudiu Beznea
+
+commit 221c3a09ddf70a0a51715e6c2878d8305e95c558 upstream.
+
+Fix the phy address to 7 for Ethernet PHY on SAMA5D27 SOM1. No
+connection established if phy address 0 is used.
+
+The board uses the 24 pins version of the KSZ8081RNA part, KSZ8081RNA
+pin 16 REFCLK as PHYAD bit [2] has weak internal pull-down. But at
+reset, connected to PD09 of the MPU it's connected with an internal
+pull-up forming PHYAD[2:0] = 7.
+
+Signed-off-by: Claudiu Beznea
+Fixes: 2f61929eb10a ("ARM: dts: at91: at91-sama5d27_som1: fix PHY ID")
+Cc: Ludovic Desroches
+Signed-off-by: Nicolas Ferre
+Cc: # 4.14+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/boot/dts/at91-sama5d27_som1.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/at91-sama5d27_som1.dtsi
++++ b/arch/arm/boot/dts/at91-sama5d27_som1.dtsi
+@@ -67,8 +67,8 @@
+ pinctrl-0 = <&pinctrl_macb0_default>;
+ phy-mode = "rmii";
+
+- ethernet-phy@0 {
+- reg = <0x0>;
++ ethernet-phy@7 {
++ reg = <0x7>;
+ interrupt-parent = <&pioA>;
+ interrupts = ;
+ pinctrl-names = "default";
diff --git a/queue-4.14/arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch b/queue-4.14/arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch
new file mode 100644
index 00000000000..dcc4aa8cc9e
--- /dev/null
+++ b/queue-4.14/arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch
@@ -0,0 +1,38 @@
+From ba8da03fa7dff59d9400250aebd38f94cde3cb0f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?=
+Date: Sun, 7 Mar 2021 22:47:37 +0200
+Subject: arm64: dts: ls1012a: mark crypto engine dma coherent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă
+
+commit ba8da03fa7dff59d9400250aebd38f94cde3cb0f upstream.
+
+Crypto engine (CAAM) on LS1012A platform is configured HW-coherent,
+mark accordingly the DT node.
+
+Lack of "dma-coherent" property for an IP that is configured HW-coherent
+can lead to problems, similar to what has been reported for LS1046A.
+
+Cc: # v4.12+
+Fixes: 85b85c569507 ("arm64: dts: ls1012a: add crypto node")
+Signed-off-by: Horia Geantă
+Acked-by: Li Yang
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1012a.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1012a.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1012a.dtsi
+@@ -164,6 +164,7 @@
+ ranges = <0x0 0x00 0x1700000 0x100000>;
+ reg = <0x00 0x1700000 0x0 0x100000>;
+ interrupts = ;
++ dma-coherent;
+
+ sec_jr0: jr@10000 {
+ compatible = "fsl,sec-v5.4-job-ring",
diff --git a/queue-4.14/arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch b/queue-4.14/arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch
new file mode 100644
index 00000000000..996a6fd1e72
--- /dev/null
+++ b/queue-4.14/arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch
@@ -0,0 +1,39 @@
+From 4fb3a074755b7737c4081cffe0ccfa08c2f2d29d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?=
+Date: Sun, 7 Mar 2021 22:47:36 +0200
+Subject: arm64: dts: ls1043a: mark crypto engine dma coherent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă
+
+commit 4fb3a074755b7737c4081cffe0ccfa08c2f2d29d upstream.
+
+Crypto engine (CAAM) on LS1043A platform is configured HW-coherent,
+mark accordingly the DT node.
+
+Lack of "dma-coherent" property for an IP that is configured HW-coherent
+can lead to problems, similar to what has been reported for LS1046A.
+
+Cc: # v4.8+
+Fixes: 63dac35b58f4 ("arm64: dts: ls1043a: add crypto node")
+Link: https://lore.kernel.org/linux-crypto/fe6faa24-d8f7-d18f-adfa-44fa0caa1598@arm.com
+Signed-off-by: Horia Geantă
+Acked-by: Li Yang
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi
+@@ -219,6 +219,7 @@
+ ranges = <0x0 0x00 0x1700000 0x100000>;
+ reg = <0x00 0x1700000 0x0 0x100000>;
+ interrupts = <0 75 0x4>;
++ dma-coherent;
+
+ sec_jr0: jr@10000 {
+ compatible = "fsl,sec-v5.4-job-ring",
diff --git a/queue-4.14/arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch b/queue-4.14/arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch
new file mode 100644
index 00000000000..211ae4b7d94
--- /dev/null
+++ b/queue-4.14/arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch
@@ -0,0 +1,87 @@
+From 9c3a16f88385e671b63a0de7b82b85e604a80f42 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?=
+Date: Sun, 7 Mar 2021 22:47:35 +0200
+Subject: arm64: dts: ls1046a: mark crypto engine dma coherent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă
+
+commit 9c3a16f88385e671b63a0de7b82b85e604a80f42 upstream.
+
+Crypto engine (CAAM) on LS1046A platform is configured HW-coherent,
+mark accordingly the DT node.
+
+As reported by Greg and Sascha, and explained by Robin, lack of
+"dma-coherent" property for an IP that is configured HW-coherent
+can lead to problems, e.g. on v5.11:
+
+> kernel BUG at drivers/crypto/caam/jr.c:247!
+> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+> Modules linked in:
+> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.11.0-20210225-3-00039-g434215968816-dirty #12
+> Hardware name: TQ TQMLS1046A SoM on Arkona AT1130 (C300) board (DT)
+> pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
+> pc : caam_jr_dequeue+0x98/0x57c
+> lr : caam_jr_dequeue+0x98/0x57c
+> sp : ffff800010003d50
+> x29: ffff800010003d50 x28: ffff8000118d4000
+> x27: ffff8000118d4328 x26: 00000000000001f0
+> x25: ffff0008022be480 x24: ffff0008022c6410
+> x23: 00000000000001f1 x22: ffff8000118d4329
+> x21: 0000000000004d80 x20: 00000000000001f1
+> x19: 0000000000000001 x18: 0000000000000020
+> x17: 0000000000000000 x16: 0000000000000015
+> x15: ffff800011690230 x14: 2e2e2e2e2e2e2e2e
+> x13: 2e2e2e2e2e2e2020 x12: 3030303030303030
+> x11: ffff800011700a38 x10: 00000000fffff000
+> x9 : ffff8000100ada30 x8 : ffff8000116a8a38
+> x7 : 0000000000000001 x6 : 0000000000000000
+> x5 : 0000000000000000 x4 : 0000000000000000
+> x3 : 00000000ffffffff x2 : 0000000000000000
+> x1 : 0000000000000000 x0 : 0000000000001800
+> Call trace:
+> caam_jr_dequeue+0x98/0x57c
+> tasklet_action_common.constprop.0+0x164/0x18c
+> tasklet_action+0x44/0x54
+> __do_softirq+0x160/0x454
+> __irq_exit_rcu+0x164/0x16c
+> irq_exit+0x1c/0x30
+> __handle_domain_irq+0xc0/0x13c
+> gic_handle_irq+0x5c/0xf0
+> el1_irq+0xb4/0x180
+> arch_cpu_idle+0x18/0x30
+> default_idle_call+0x3c/0x1c0
+> do_idle+0x23c/0x274
+> cpu_startup_entry+0x34/0x70
+> rest_init+0xdc/0xec
+> arch_call_rest_init+0x1c/0x28
+> start_kernel+0x4ac/0x4e4
+> Code: 91392021 912c2000 d377d8c6 97f24d96 (d4210000)
+
+Cc: # v4.10+
+Fixes: 8126d88162a5 ("arm64: dts: add QorIQ LS1046A SoC support")
+Link: https://lore.kernel.org/linux-crypto/fe6faa24-d8f7-d18f-adfa-44fa0caa1598@arm.com
+Reported-by: Greg Ungerer
+Reported-by: Sascha Hauer
+Tested-by: Sascha Hauer
+Signed-off-by: Horia Geantă
+Acked-by: Greg Ungerer
+Acked-by: Li Yang
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi
+@@ -244,6 +244,7 @@
+ ranges = <0x0 0x00 0x1700000 0x100000>;
+ reg = <0x00 0x1700000 0x0 0x100000>;
+ interrupts = ;
++ dma-coherent;
+
+ sec_jr0: jr@10000 {
+ compatible = "fsl,sec-v5.4-job-ring",
diff --git a/queue-4.14/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch b/queue-4.14/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
new file mode 100644
index 00000000000..87941f54bbc
--- /dev/null
+++ b/queue-4.14/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
@@ -0,0 +1,37 @@
+From 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Fri, 26 Mar 2021 14:32:32 -0400
+Subject: dm ioctl: fix out of bounds array access when no devices
+
+From: Mikulas Patocka
+
+commit 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a upstream.
+
+If there are not any dm devices, we need to zero the "dev" argument in
+the first structure dm_name_list. However, this can cause out of
+bounds write, because the "needed" variable is zero and len may be
+less than eight.
+
+Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is
+too small to hold the "nl->dev" value.
+
+Signed-off-by: Mikulas Patocka
+Reported-by: Dan Carpenter
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -529,7 +529,7 @@ static int list_devices(struct file *fil
+ * Grab our output buffer.
+ */
+ nl = orig_nl = get_result_buffer(param, param_size, &len);
+- if (len < needed) {
++ if (len < needed || len < sizeof(nl->dev)) {
+ param->flags |= DM_BUFFER_FULL_FLAG;
+ goto out;
+ }
diff --git a/queue-4.14/series b/queue-4.14/series
index 9406d682f2e..309606d0664 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -19,3 +19,10 @@ drm-radeon-fix-agp-dependency.patch
 nfs-we-don-t-support-removing-system.nfs4_acl.patch
 ia64-fix-ia64_syscall_get_set_arguments-for-break-ba.patch
 ia64-fix-ptrace-ptrace_syscall_info_exit-sign.patch
+squashfs-fix-inode-lookup-sanity-checks.patch
+squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch
+arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch
+arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch
+arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch
+arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch
+dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
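Review bot: The added `len < sizeof(nl->dev)` term in list_devices (drivers/md/dm-ioctl.c) carries no comment saying which write it protects, and that write is outside the hunk. Per the commit message, the no-devices path still zeroes `nl->dev` while `needed` is zero, so `len < needed` alone passes for any caller-supplied buffer length. A comment above the condition, for example `/* nl->dev is written even when no devices exist, so the buffer must hold at least that field */`, would keep the guard from being simplified away later. The body of list_devices starts and ends outside the hunk, so whether any other field of the first dm_name_list is written on that path cannot be confirmed from here.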
diff --git a/queue-4.14/squashfs-fix-inode-lookup-sanity-checks.patch b/queue-4.14/squashfs-fix-inode-lookup-sanity-checks.patch
new file mode 100644
index 00000000000..d0281c266a8
--- /dev/null
+++ b/queue-4.14/squashfs-fix-inode-lookup-sanity-checks.patch
@@ -0,0 +1,61 @@
+From c1b2028315c6b15e8d6725e0d5884b15887d3daa Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer
+Date: Wed, 24 Mar 2021 21:37:32 -0700
+Subject: squashfs: fix inode lookup sanity checks
+
+From: Sean Nyekjaer
+
+commit c1b2028315c6b15e8d6725e0d5884b15887d3daa upstream.
+
+When mouting a squashfs image created without inode compression it fails
+with: "unable to read inode lookup table"
+
+It turns out that the BLOCK_OFFSET is missing when checking the
+SQUASHFS_METADATA_SIZE agaist the actual size.
+
+Link: https://lkml.kernel.org/r/20210226092903.1473545-1-sean@geanix.com
+Fixes: eabac19e40c0 ("squashfs: add more sanity checks in inode lookup")
+Signed-off-by: Sean Nyekjaer
+Acked-by: Phillip Lougher
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/squashfs/export.c | 8 ++++++--
+ fs/squashfs/squashfs_fs.h | 1 +
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/squashfs/export.c
++++ b/fs/squashfs/export.c
+@@ -165,14 +165,18 @@ __le64 *squashfs_read_inode_lookup_table
+ start = le64_to_cpu(table[n]);
+ end = le64_to_cpu(table[n + 1]);
+
+- if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
++ if (start >= end
++ || (end - start) >
++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+ kfree(table);
+ return ERR_PTR(-EINVAL);
+ }
+ }
+
+ start = le64_to_cpu(table[indexes - 1]);
+- if (start >= lookup_table_start || (lookup_table_start - start) > SQUASHFS_METADATA_SIZE) {
++ if (start >= lookup_table_start ||
++ (lookup_table_start - start) >
++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+ kfree(table);
+ return ERR_PTR(-EINVAL);
+ }
+--- a/fs/squashfs/squashfs_fs.h
++++ b/fs/squashfs/squashfs_fs.h
+@@ -30,6 +30,7 @@
+
+ /* size of metadata (inode and directory) blocks */
+ #define SQUASHFS_METADATA_SIZE 8192
++#define SQUASHFS_BLOCK_OFFSET 2
+
+ /* default size of block device I/O */
+ #ifdef CONFIG_SQUASHFS_4K_DEVBLK_SIZE
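Review bot: `#define SQUASHFS_BLOCK_OFFSET 2` in fs/squashfs/squashfs_fs.h is added without a comment, although it now sets the upper bound that decides whether index entries read from the image are accepted in squashfs_read_inode_lookup_table. The companion id/xattr patch describes it as the two byte length count, so a comment next to the define such as `/* the two byte length count of a metadata block */` (wording to be confirmed by the maintainer) would explain why the limit is not plain `SQUASHFS_METADATA_SIZE`. The sum `SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET` is also open-coded in both export.c checks and in the four checks that the id.c and xattr_id.c patch changes; one named limit beside the define would keep these sanity checks from drifting apart. As a style point, the first rewritten condition in export.c starts a continuation line with `||` while the second ends the line with it. The functions' bodies start and end outside the hunks shown.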
diff --git a/queue-4.14/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch b/queue-4.14/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch
new file mode 100644
index 00000000000..ffa75b647d5
--- /dev/null
+++ b/queue-4.14/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch
@@ -0,0 +1,67 @@
+From 8b44ca2b634527151af07447a8090a5f3a043321 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher
+Date: Wed, 24 Mar 2021 21:37:35 -0700
+Subject: squashfs: fix xattr id and id lookup sanity checks
+
+From: Phillip Lougher
+
+commit 8b44ca2b634527151af07447a8090a5f3a043321 upstream.
+
+The checks for maximum metadata block size is missing
+SQUASHFS_BLOCK_OFFSET (the two byte length count).
+
+Link: https://lkml.kernel.org/r/2069685113.2081245.1614583677427@webmail.123-reg.co.uk
+Fixes: f37aa4c7366e23f ("squashfs: add more sanity checks in id lookup")
+Signed-off-by: Phillip Lougher
+Cc: Sean Nyekjaer
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/squashfs/id.c | 6 ++++--
+ fs/squashfs/xattr_id.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/squashfs/id.c
++++ b/fs/squashfs/id.c
+@@ -110,14 +110,16 @@ __le64 *squashfs_read_id_index_table(str
+ start = le64_to_cpu(table[n]);
+ end = le64_to_cpu(table[n + 1]);
+
+- if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
++ if (start >= end || (end - start) >
++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+ kfree(table);
+ return ERR_PTR(-EINVAL);
+ }
+ }
+
+ start = le64_to_cpu(table[indexes - 1]);
+- if (start >= id_table_start || (id_table_start - start) > SQUASHFS_METADATA_SIZE) {
++ if (start >= id_table_start || (id_table_start - start) >
++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+ kfree(table);
+ return ERR_PTR(-EINVAL);
+ }
+--- a/fs/squashfs/xattr_id.c
++++ b/fs/squashfs/xattr_id.c
+@@ -122,14 +122,16 @@ __le64 *squashfs_read_xattr_id_table(str
+ start = le64_to_cpu(table[n]);
+ end = le64_to_cpu(table[n + 1]);
+
+- if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
++ if (start >= end || (end - start) >
++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+ kfree(table);
+ return ERR_PTR(-EINVAL);
+ }
+ }
+
+ start = le64_to_cpu(table[indexes - 1]);
+- if (start >= table_start || (table_start - start) > SQUASHFS_METADATA_SIZE) {
++ if (start >= table_start || (table_start - start) >
++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+ kfree(table);
+ return ERR_PTR(-EINVAL);
+ }