From: Greg Kroah-Hartman Date: Sun, 16 May 2021 09:26:14 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.4.120~84 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8a2bd4daca3abcc8b6115453c82ac4d6a6cbf58;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arc-entry-fix-off-by-one-error-in-syscall-number-validation.patch powerpc-64s-fix-crashes-when-toggling-entry-flush-barrier.patch squashfs-fix-divide-error-in-calculate_skip.patch --- diff --git a/queue-4.9/arc-entry-fix-off-by-one-error-in-syscall-number-validation.patch b/queue-4.9/arc-entry-fix-off-by-one-error-in-syscall-number-validation.patch new file mode 100644 index 00000000000..9b4fcd4d0be --- /dev/null +++ b/queue-4.9/arc-entry-fix-off-by-one-error-in-syscall-number-validation.patch @@ -0,0 +1,51 @@ +From 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Fri, 23 Apr 2021 12:16:25 -0700 +Subject: ARC: entry: fix off-by-one error in syscall number validation + +From: Vineet Gupta + +commit 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc upstream. + +We have NR_syscall syscalls from [0 .. NR_syscall-1]. +However the check for invalid syscall number is "> NR_syscall" as +opposed to >=. This off-by-one error erronesously allows "NR_syscall" +to be treated as valid syscall causeing out-of-bounds access into +syscall-call table ensuing a crash (holes within syscall table have a +invalid-entry handler but this is beyond the array implementing the +table). + +This problem showed up on v5.6 kernel when testing glibc 2.33 (v5.10 +kernel capable, includng faccessat2 syscall 439). The v5.6 kernel has +NR_syscalls=439 (0 to 438). Due to the bug, 439 passed by glibc was +not handled as -ENOSYS but processed leading to a crash. + +Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/48 +Reported-by: Shahab Vahedi +Cc: +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/kernel/entry.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arc/kernel/entry.S ++++ b/arch/arc/kernel/entry.S +@@ -169,7 +169,7 @@ tracesys: + + ; Do the Sys Call as we normally would. + ; Validate the Sys Call number +- cmp r8, NR_syscalls ++ cmp r8, NR_syscalls - 1 + mov.hi r0, -ENOSYS + bhi tracesys_exit + +@@ -252,7 +252,7 @@ ENTRY(EV_Trap) + ;============ Normal syscall case + + ; syscall num shd not exceed the total system calls avail +- cmp r8, NR_syscalls ++ cmp r8, NR_syscalls - 1 + mov.hi r0, -ENOSYS + bhi .Lret_from_system_call + diff --git a/queue-4.9/powerpc-64s-fix-crashes-when-toggling-entry-flush-barrier.patch b/queue-4.9/powerpc-64s-fix-crashes-when-toggling-entry-flush-barrier.patch new file mode 100644 index 00000000000..397f7e09da8 --- /dev/null +++ b/queue-4.9/powerpc-64s-fix-crashes-when-toggling-entry-flush-barrier.patch @@ -0,0 +1,70 @@ +From aec86b052df6541cc97c5fca44e5934cbea4963b Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Thu, 6 May 2021 14:49:59 +1000 +Subject: powerpc/64s: Fix crashes when toggling entry flush barrier + +From: Michael Ellerman + +commit aec86b052df6541cc97c5fca44e5934cbea4963b upstream. + +The entry flush mitigation can be enabled/disabled at runtime via a +debugfs file (entry_flush), which causes the kernel to patch itself to +enable/disable the relevant mitigations. + +However depending on which mitigation we're using, it may not be safe to +do that patching while other CPUs are active. For example the following +crash: + + sleeper[15639]: segfault (11) at c000000000004c20 nip c000000000004c20 lr c000000000004c20 + +Shows that we returned to userspace with a corrupted LR that points into +the kernel, due to executing the partially patched call to the fallback +entry flush (ie. we missed the LR restore). + +Fix it by doing the patching under stop machine. The CPUs that aren't +doing the patching will be spinning in the core of the stop machine +logic. That is currently sufficient for our purposes, because none of +the patching we do is to that code or anywhere in the vicinity. + +Fixes: f79643787e0a ("powerpc/64s: flush L1D on kernel entry") +Cc: stable@vger.kernel.org # v5.10+ +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210506044959.1298123-2-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/lib/feature-fixups.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/lib/feature-fixups.c ++++ b/arch/powerpc/lib/feature-fixups.c +@@ -282,8 +282,9 @@ void do_uaccess_flush_fixups(enum l1d_fl + : "unknown"); + } + +-void do_entry_flush_fixups(enum l1d_flush_type types) ++static int __do_entry_flush_fixups(void *data) + { ++ enum l1d_flush_type types = *(enum l1d_flush_type *)data; + unsigned int instrs[3], *dest; + long *start, *end; + int i; +@@ -334,6 +335,19 @@ void do_entry_flush_fixups(enum l1d_flus + : "ori type" : + (types & L1D_FLUSH_MTTRIG) ? "mttrig type" + : "unknown"); ++ ++ return 0; ++} ++ ++void do_entry_flush_fixups(enum l1d_flush_type types) ++{ ++ /* ++ * The call to the fallback flush can not be safely patched in/out while ++ * other CPUs are executing it. So call __do_entry_flush_fixups() on one ++ * CPU while all other CPUs spin in the stop machine core with interrupts ++ * hard disabled. ++ */ ++ stop_machine(__do_entry_flush_fixups, &types, NULL); + } + + void do_rfi_flush_fixups(enum l1d_flush_type types) diff --git a/queue-4.9/series b/queue-4.9/series index 5171d425d90..ed34ef1e13b 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -202,3 +202,6 @@ khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch ksm-fix-potential-missing-rmap_item-for-stable_node.patch kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch +arc-entry-fix-off-by-one-error-in-syscall-number-validation.patch +powerpc-64s-fix-crashes-when-toggling-entry-flush-barrier.patch +squashfs-fix-divide-error-in-calculate_skip.patch diff --git a/queue-4.9/squashfs-fix-divide-error-in-calculate_skip.patch b/queue-4.9/squashfs-fix-divide-error-in-calculate_skip.patch new file mode 100644 index 00000000000..08cb8905c67 --- /dev/null +++ b/queue-4.9/squashfs-fix-divide-error-in-calculate_skip.patch @@ -0,0 +1,53 @@ +From d6e621de1fceb3b098ebf435ef7ea91ec4838a1a Mon Sep 17 00:00:00 2001 +From: Phillip Lougher +Date: Fri, 14 May 2021 17:27:16 -0700 +Subject: squashfs: fix divide error in calculate_skip() + +From: Phillip Lougher + +commit d6e621de1fceb3b098ebf435ef7ea91ec4838a1a upstream. + +Sysbot has reported a "divide error" which has been identified as being +caused by a corrupted file_size value within the file inode. This value +has been corrupted to a much larger value than expected. + +Calculate_skip() is passed i_size_read(inode) >> msblk->block_log. Due to +the file_size value corruption this overflows the int argument/variable in +that function, leading to the divide error. + +This patch changes the function to use u64. This will accommodate any +unexpectedly large values due to corruption. + +The value returned from calculate_skip() is clamped to be never more than +SQUASHFS_CACHED_BLKS - 1, or 7. So file_size corruption does not lead to +an unexpectedly large return result here. + +Link: https://lkml.kernel.org/r/20210507152618.9447-1-phillip@squashfs.org.uk +Signed-off-by: Phillip Lougher +Reported-by: +Reported-by: +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/file.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/squashfs/file.c ++++ b/fs/squashfs/file.c +@@ -224,11 +224,11 @@ failure: + * If the skip factor is limited in this way then the file will use multiple + * slots. + */ +-static inline int calculate_skip(int blocks) ++static inline int calculate_skip(u64 blocks) + { +- int skip = blocks / ((SQUASHFS_META_ENTRIES + 1) ++ u64 skip = blocks / ((SQUASHFS_META_ENTRIES + 1) + * SQUASHFS_META_INDEXES); +- return min(SQUASHFS_CACHED_BLKS - 1, skip + 1); ++ return min((u64) SQUASHFS_CACHED_BLKS - 1, skip + 1); + } + +