From 357cb5eb8815bdbc645d0ea976832bf5b4ce92b8 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sat, 8 Oct 2022 22:12:24 -0400
Subject: [PATCH] Fixes for 5.4

Signed-off-by: Sasha Levin
---
 ...-stack-non-executable-to-fix-a-binut.patch | 85 +++++++++
 ...-sdio-compatible-remove-sdhci-misnom.patch | 77 ++++++++
 ..._dma-cleanup-for-fetching-xlnx-num-f.patch | 35 ++++
 ..._dma-report-error-in-case-of-dma_set.patch | 47 +++++
 ...mi-add-scmi-pm-driver-remove-routine.patch | 81 ++++++++
 ...ix-uninit-value-bug-in-dgram_sendmsg.patch | 173 ++++++++++++++++++
 ...i-qedf-fix-a-uaf-bug-in-__qedf_probe.patch | 76 ++++++++
 queue-5.4/series | 9 +
 ...iler-warning-in-arch-x86-um-tls_32.c.patch | 70 +++++++
 ...call_handler_t-cast-in-syscalls_32.h.patch | 41 +++++
 10 files changed, 694 insertions(+)
 create mode 100644 queue-5.4/arch-um-mark-the-stack-non-executable-to-fix-a-binut.patch
 create mode 100644 queue-5.4/arm-dts-fix-moxa-sdio-compatible-remove-sdhci-misnom.patch
 create mode 100644 queue-5.4/dmaengine-xilinx_dma-cleanup-for-fetching-xlnx-num-f.patch
 create mode 100644 queue-5.4/dmaengine-xilinx_dma-report-error-in-case-of-dma_set.patch
 create mode 100644 queue-5.4/firmware-arm_scmi-add-scmi-pm-driver-remove-routine.patch
 create mode 100644 queue-5.4/net-ieee802154-fix-uninit-value-bug-in-dgram_sendmsg.patch
 create mode 100644 queue-5.4/scsi-qedf-fix-a-uaf-bug-in-__qedf_probe.patch
 create mode 100644 queue-5.4/um-cleanup-compiler-warning-in-arch-x86-um-tls_32.c.patch
 create mode 100644 queue-5.4/um-cleanup-syscall_handler_t-cast-in-syscalls_32.h.patch
diff --git a/queue-5.4/arch-um-mark-the-stack-non-executable-to-fix-a-binut.patch b/queue-5.4/arch-um-mark-the-stack-non-executable-to-fix-a-binut.patch
new file mode 100644
index 00000000000..3618442bfd3
--- /dev/null
+++ b/queue-5.4/arch-um-mark-the-stack-non-executable-to-fix-a-binut.patch
@@ -0,0 +1,85 @@
+From d0fcb6674e049ffab4233e4a9fbdd04db8f489dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Sep 2022 14:48:55 +0800
+Subject: arch: um: Mark the stack non-executable to fix a binutils warning
+
+From: David Gow
+
+[ Upstream commit bd71558d585ac61cfd799db7f25e78dca404dd7a ]
+
+Since binutils 2.39, ld will print a warning if any stack section is
+executable, which is the default for stack sections on files without a
+.note.GNU-stack section.
+
+This was fixed for x86 in commit ffcf9c5700e4 ("x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments"),
+but remained broken for UML, resulting in several warnings:
+
+/usr/bin/ld: warning: arch/x86/um/vdso/vdso.o: missing .note.GNU-stack section implies executable stack
+/usr/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
+/usr/bin/ld: warning: .tmp_vmlinux.kallsyms1 has a LOAD segment with RWX permissions
+/usr/bin/ld: warning: .tmp_vmlinux.kallsyms1.o: missing .note.GNU-stack section implies executable stack
+/usr/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
+/usr/bin/ld: warning: .tmp_vmlinux.kallsyms2 has a LOAD segment with RWX permissions
+/usr/bin/ld: warning: .tmp_vmlinux.kallsyms2.o: missing .note.GNU-stack section implies executable stack
+/usr/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
+/usr/bin/ld: warning: vmlinux has a LOAD segment with RWX permissions
+
+Link both the VDSO and vmlinux with -z noexecstack, fixing the warnings
+about .note.GNU-stack sections. In addition, pass --no-warn-rwx-segments
+to dodge the remaining warnings about LOAD segments with RWX permissions
+in the kallsyms objects. (Note that this flag is apparently not
+available on lld, so hide it behind a test for BFD, which is what the
+x86 patch does.)
+
+Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ffcf9c5700e49c0aee42dcba9a12ba21338e8136
+Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
+Signed-off-by: David Gow
+Reviewed-by: Lukas Straub
+Tested-by: Lukas Straub
+Acked-by: Randy Dunlap # build-tested
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/um/Makefile | 8 ++++++++
+ arch/x86/um/vdso/Makefile | 2 +-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/arch/um/Makefile b/arch/um/Makefile
+index 275f5ffdf6f0..773120be0f56 100644
+--- a/arch/um/Makefile
++++ b/arch/um/Makefile
+@@ -132,10 +132,18 @@ export LDS_ELF_FORMAT := $(ELF_FORMAT)
+ # The wrappers will select whether using "malloc" or the kernel allocator.
+ LINK_WRAPS = -Wl,--wrap,malloc -Wl,--wrap,free -Wl,--wrap,calloc
+
++# Avoid binutils 2.39+ warnings by marking the stack non-executable and
++# ignorning warnings for the kallsyms sections.
++LDFLAGS_EXECSTACK = -z noexecstack
++ifeq ($(CONFIG_LD_IS_BFD),y)
++LDFLAGS_EXECSTACK += $(call ld-option,--no-warn-rwx-segments)
++endif
++
+ LD_FLAGS_CMDLINE = $(foreach opt,$(KBUILD_LDFLAGS),-Wl,$(opt))
+
+ # Used by link-vmlinux.sh which has special support for um link
+ export CFLAGS_vmlinux := $(LINK-y) $(LINK_WRAPS) $(LD_FLAGS_CMDLINE)
++export LDFLAGS_vmlinux := $(LDFLAGS_EXECSTACK)
+
+ # When cleaning we don't include .config, so we don't include
+ # TT or skas makefiles and don't clean skas_ptregs.h.
+diff --git a/arch/x86/um/vdso/Makefile b/arch/x86/um/vdso/Makefile
+index 0caddd6acb22..bec115036f87 100644
+--- a/arch/x86/um/vdso/Makefile
++++ b/arch/x86/um/vdso/Makefile
+@@ -62,7 +62,7 @@ quiet_cmd_vdso = VDSO $@
+ -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
+ sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
+
+-VDSO_LDFLAGS = -fPIC -shared -Wl,--hash-style=sysv
++VDSO_LDFLAGS = -fPIC -shared -Wl,--hash-style=sysv -z noexecstack
+ GCOV_PROFILE := n
+
+ #
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-fix-moxa-sdio-compatible-remove-sdhci-misnom.patch b/queue-5.4/arm-dts-fix-moxa-sdio-compatible-remove-sdhci-misnom.patch
new file mode 100644
index 00000000000..57eb29dcfaf
--- /dev/null
+++ b/queue-5.4/arm-dts-fix-moxa-sdio-compatible-remove-sdhci-misnom.patch
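Review bot: The `ifeq ($(CONFIG_LD_IS_BFD),y)` guard in the arch/um/Makefile hunk depends on a Kconfig symbol that nothing in this 5.4 queue shows being defined; if the 5.4 tree lacks `CONFIG_LD_IS_BFD`, the branch is never taken and `--no-warn-rwx-segments` is silently dropped, leaving only the `-z noexecstack` half of the fix in effect. It is also worth confirming that the 5.4 UML link path actually consumes `LDFLAGS_vmlinux`, since the adjacent comment says link-vmlinux.sh has special support for the um link and the existing linker options are passed through `CFLAGS_vmlinux` with a `-Wl,` prefix. Minor: the added comment reads "ignorning"; `# ignoring warnings for the kallsyms sections.` is the intended wording.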
@@ -0,0 +1,77 @@
+From 3b6e568dd84f57e0e87b0f7245eb248b7cbe12a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Sep 2022 20:53:41 +0300
+Subject: ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer
+
+From: Sergei Antonov
+
+[ Upstream commit 02181e68275d28cab3c3f755852770367f1bc229 ]
+
+Driver moxart-mmc.c has .compatible = "moxa,moxart-mmc".
+
+But moxart .dts/.dtsi and the documentation file moxa,moxart-dma.txt
+contain compatible = "moxa,moxart-sdhci".
+
+Change moxart .dts/.dtsi files and moxa,moxart-dma.txt to match the driver.
+
+Replace 'sdhci' with 'mmc' in names too, since SDHCI is a different
+controller from FTSDC010.
+
+Suggested-by: Arnd Bergmann
+Signed-off-by: Sergei Antonov
+Cc: Jonas Jensen
+Link: https://lore.kernel.org/r/20220907175341.1477383-1-saproj@gmail.com'
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ Documentation/devicetree/bindings/dma/moxa,moxart-dma.txt | 4 ++--
+ arch/arm/boot/dts/moxart-uc7112lx.dts | 2 +-
+ arch/arm/boot/dts/moxart.dtsi | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/dma/moxa,moxart-dma.txt b/Documentation/devicetree/bindings/dma/moxa,moxart-dma.txt
+index 8a9f3559335b..7e14e26676ec 100644
+--- a/Documentation/devicetree/bindings/dma/moxa,moxart-dma.txt
++++ b/Documentation/devicetree/bindings/dma/moxa,moxart-dma.txt
+@@ -34,8 +34,8 @@ Example:
+ Use specific request line passing from dma
+ For example, MMC request line is 5
+
+- sdhci: sdhci@98e00000 {
+- compatible = "moxa,moxart-sdhci";
++ mmc: mmc@98e00000 {
++ compatible = "moxa,moxart-mmc";
+ reg = <0x98e00000 0x5C>;
+ interrupts = <5 0>;
+ clocks = <&clk_apb>;
+diff --git a/arch/arm/boot/dts/moxart-uc7112lx.dts b/arch/arm/boot/dts/moxart-uc7112lx.dts
+index eb5291b0ee3a..e07b807b4cec 100644
+--- a/arch/arm/boot/dts/moxart-uc7112lx.dts
++++ b/arch/arm/boot/dts/moxart-uc7112lx.dts
+@@ -79,7 +79,7 @@ &clk_pll {
+ clocks = <&ref12>;
+ };
+
+-&sdhci {
++&mmc {
+ status = "okay";
+ };
+
+diff --git a/arch/arm/boot/dts/moxart.dtsi b/arch/arm/boot/dts/moxart.dtsi
+index f5f070a87482..764832ddfa78 100644
+--- a/arch/arm/boot/dts/moxart.dtsi
++++ b/arch/arm/boot/dts/moxart.dtsi
+@@ -93,8 +93,8 @@ watchdog: watchdog@98500000 {
+ clock-names = "PCLK";
+ };
+
+- sdhci: sdhci@98e00000 {
+- compatible = "moxa,moxart-sdhci";
++ mmc: mmc@98e00000 {
++ compatible = "moxa,moxart-mmc";
+ reg = <0x98e00000 0x5C>;
+ interrupts = <5 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clk_apb>;
+--
+2.35.1
+
diff --git a/queue-5.4/dmaengine-xilinx_dma-cleanup-for-fetching-xlnx-num-f.patch b/queue-5.4/dmaengine-xilinx_dma-cleanup-for-fetching-xlnx-num-f.patch
new file mode 100644
index 00000000000..c64b4a6ca3a
--- /dev/null
+++ b/queue-5.4/dmaengine-xilinx_dma-cleanup-for-fetching-xlnx-num-f.patch
@@ -0,0 +1,35 @@
+From 15a287c37443e6fec6700974cb6b5602aebb43f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Aug 2022 11:41:24 +0530
+Subject: dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property
+
+From: Swati Agarwal
+
+[ Upstream commit 462bce790e6a7e68620a4ce260cc38f7ed0255d5 ]
+
+Free the allocated resources for missing xlnx,num-fstores property.
+
+Signed-off-by: Swati Agarwal
+Link: https://lore.kernel.org/r/20220817061125.4720-3-swati.agarwal@xilinx.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/xilinx/xilinx_dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index 7729b8d22553..792776c86ee8 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -2683,7 +2683,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ if (err < 0) {
+ dev_err(xdev->dev,
+ "missing xlnx,num-fstores property\n");
+- return err;
++ goto disable_clks;
+ }
+
+ err = of_property_read_u32(node, "xlnx,flush-fsync",
+--
+2.35.1
+
diff --git a/queue-5.4/dmaengine-xilinx_dma-report-error-in-case-of-dma_set.patch b/queue-5.4/dmaengine-xilinx_dma-report-error-in-case-of-dma_set.patch
new file mode 100644
index 00000000000..d63e9217b4d
--- /dev/null
+++ b/queue-5.4/dmaengine-xilinx_dma-report-error-in-case-of-dma_set.patch
@@ -0,0 +1,47 @@
+From cd9763f00b6efbb16dd33457ab09a769080e3550 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Aug 2022 11:41:25 +0530
+Subject: dmaengine: xilinx_dma: Report error in case of
+ dma_set_mask_and_coherent API failure
+
+From: Swati Agarwal
+
+[ Upstream commit 8f2b6bc79c32f0fa60df000ae387a790ec80eae9 ]
+
+The driver does not handle the failure case while calling
+dma_set_mask_and_coherent API.
+
+In case of failure, capture the return value of API and then report an
+error.
+
+Addresses-coverity: Unchecked return value (CHECKED_RETURN)
+
+Signed-off-by: Swati Agarwal
+Reviewed-by: Radhey Shyam Pandey
+Link: https://lore.kernel.org/r/20220817061125.4720-4-swati.agarwal@xilinx.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/xilinx/xilinx_dma.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index 792776c86ee8..3bb711e735ab 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -2703,7 +2703,11 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ xdev->ext_addr = false;
+
+ /* Set the dma mask bits */
+- dma_set_mask_and_coherent(xdev->dev, DMA_BIT_MASK(addr_width));
++ err = dma_set_mask_and_coherent(xdev->dev, DMA_BIT_MASK(addr_width));
++ if (err < 0) {
++ dev_err(xdev->dev, "DMA mask error %d\n", err);
++ goto disable_clks;
++ }
+
+ /* Initialize the DMA engine */
+ xdev->common.dev = &pdev->dev;
+--
+2.35.1
+
diff --git a/queue-5.4/firmware-arm_scmi-add-scmi-pm-driver-remove-routine.patch b/queue-5.4/firmware-arm_scmi-add-scmi-pm-driver-remove-routine.patch
new file mode 100644
index 00000000000..6d9414fadce
--- /dev/null
+++ b/queue-5.4/firmware-arm_scmi-add-scmi-pm-driver-remove-routine.patch
@@ -0,0 +1,81 @@
+From b782bca40c12487490a1c541ac1c51be6d937799 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Aug 2022 18:27:31 +0100
+Subject: firmware: arm_scmi: Add SCMI PM driver remove routine
+
+From: Cristian Marussi
+
+[ Upstream commit dea796fcab0a219830831c070b8dc367d7e0f708 ]
+
+Currently, when removing the SCMI PM driver not all the resources
+registered with genpd subsystem are properly de-registered.
+
+As a side effect of this after a driver unload/load cycle you get a
+splat with a few warnings like this:
+
+ | debugfs: Directory 'BIG_CPU0' with parent 'pm_genpd' already present!
+ | debugfs: Directory 'BIG_CPU1' with parent 'pm_genpd' already present!
+ | debugfs: Directory 'LITTLE_CPU0' with parent 'pm_genpd' already present!
+ | debugfs: Directory 'LITTLE_CPU1' with parent 'pm_genpd' already present!
+ | debugfs: Directory 'LITTLE_CPU2' with parent 'pm_genpd' already present!
+ | debugfs: Directory 'LITTLE_CPU3' with parent 'pm_genpd' already present!
+ | debugfs: Directory 'BIG_SSTOP' with parent 'pm_genpd' already present!
+ | debugfs: Directory 'LITTLE_SSTOP' with parent 'pm_genpd' already present!
+ | debugfs: Directory 'DBGSYS' with parent 'pm_genpd' already present!
+ | debugfs: Directory 'GPUTOP' with parent 'pm_genpd' already present!
+
+Add a proper scmi_pm_domain_remove callback to the driver in order to
+take care of all the needed cleanups not handled by devres framework.
+
+Link: https://lore.kernel.org/r/20220817172731.1185305-7-cristian.marussi@arm.com
+Signed-off-by: Cristian Marussi
+Signed-off-by: Sudeep Holla
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/arm_scmi/scmi_pm_domain.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/drivers/firmware/arm_scmi/scmi_pm_domain.c b/drivers/firmware/arm_scmi/scmi_pm_domain.c
+index 177874adccf0..b0c8962b9885 100644
+--- a/drivers/firmware/arm_scmi/scmi_pm_domain.c
++++ b/drivers/firmware/arm_scmi/scmi_pm_domain.c
+@@ -106,9 +106,28 @@ static int scmi_pm_domain_probe(struct scmi_device *sdev)
+ scmi_pd_data->domains = domains;
+ scmi_pd_data->num_domains = num_domains;
+
++ dev_set_drvdata(dev, scmi_pd_data);
++
+ return of_genpd_add_provider_onecell(np, scmi_pd_data);
+ }
+
++static void scmi_pm_domain_remove(struct scmi_device *sdev)
++{
++ int i;
++ struct genpd_onecell_data *scmi_pd_data;
++ struct device *dev = &sdev->dev;
++ struct device_node *np = dev->of_node;
++
++ of_genpd_del_provider(np);
++
++ scmi_pd_data = dev_get_drvdata(dev);
++ for (i = 0; i < scmi_pd_data->num_domains; i++) {
++ if (!scmi_pd_data->domains[i])
++ continue;
++ pm_genpd_remove(scmi_pd_data->domains[i]);
++ }
++}
++
+ static const struct scmi_device_id scmi_id_table[] = {
+ { SCMI_PROTOCOL_POWER },
+ { },
+@@ -118,6 +137,7 @@ MODULE_DEVICE_TABLE(scmi, scmi_id_table);
+ static struct scmi_driver scmi_power_domain_driver = {
+ .name = "scmi-power-domain",
+ .probe = scmi_pm_domain_probe,
++ .remove = scmi_pm_domain_remove,
+ .id_table = scmi_id_table,
+ };
+ module_scmi_driver(scmi_power_domain_driver);
+--
+2.35.1
+
diff --git a/queue-5.4/net-ieee802154-fix-uninit-value-bug-in-dgram_sendmsg.patch b/queue-5.4/net-ieee802154-fix-uninit-value-bug-in-dgram_sendmsg.patch
new file mode 100644
index 00000000000..4fccdfe60a5
--- /dev/null
+++ b/queue-5.4/net-ieee802154-fix-uninit-value-bug-in-dgram_sendmsg.patch
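Review bot: The tail of `scmi_pm_domain_probe()` still returns `of_genpd_add_provider_onecell(np, scmi_pd_data)` directly, so if that call fails the new `scmi_pm_domain_remove()` never runs and whatever domains were registered earlier in the function (outside this hunk) are presumably left in place. Capturing the return value and unwinding with the same `pm_genpd_remove()` loop on failure would close that path. In the new function, `int i` is compared against `scmi_pd_data->num_domains`; if that field is unsigned, declaring the index with the same type avoids a signed/unsigned comparison.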
@@ -0,0 +1,173 @@
+From f62213b20bf108a2b0ab2f9d745acb82f281ed4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Sep 2022 20:19:27 +0800
+Subject: net/ieee802154: fix uninit value bug in dgram_sendmsg
+
+From: Haimin Zhang
+
+[ Upstream commit 94160108a70c8af17fa1484a37e05181c0e094af ]
+
+There is uninit value bug in dgram_sendmsg function in
+net/ieee802154/socket.c when the length of valid data pointed by the
+msg->msg_name isn't verified.
+
+We introducing a helper function ieee802154_sockaddr_check_size to
+check namelen. First we check there is addr_type in ieee802154_addr_sa.
+Then, we check namelen according to addr_type.
+
+Also fixed in raw_bind, dgram_bind, dgram_connect.
+
+Signed-off-by: Haimin Zhang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/ieee802154_netdev.h | 37 +++++++++++++++++++++++++++++
+ net/ieee802154/socket.c | 42 ++++++++++++++++++---------------
+ 2 files changed, 60 insertions(+), 19 deletions(-)
+
+diff --git a/include/net/ieee802154_netdev.h b/include/net/ieee802154_netdev.h
+index d0d188c3294b..a8994f307fc3 100644
+--- a/include/net/ieee802154_netdev.h
++++ b/include/net/ieee802154_netdev.h
+@@ -15,6 +15,22 @@
+ #ifndef IEEE802154_NETDEVICE_H
+ #define IEEE802154_NETDEVICE_H
+
++#define IEEE802154_REQUIRED_SIZE(struct_type, member) \
++ (offsetof(typeof(struct_type), member) + \
++ sizeof(((typeof(struct_type) *)(NULL))->member))
++
++#define IEEE802154_ADDR_OFFSET \
++ offsetof(typeof(struct sockaddr_ieee802154), addr)
++
++#define IEEE802154_MIN_NAMELEN (IEEE802154_ADDR_OFFSET + \
++ IEEE802154_REQUIRED_SIZE(struct ieee802154_addr_sa, addr_type))
++
++#define IEEE802154_NAMELEN_SHORT (IEEE802154_ADDR_OFFSET + \
++ IEEE802154_REQUIRED_SIZE(struct ieee802154_addr_sa, short_addr))
++
++#define IEEE802154_NAMELEN_LONG (IEEE802154_ADDR_OFFSET + \
++ IEEE802154_REQUIRED_SIZE(struct ieee802154_addr_sa, hwaddr))
++
+ #include
+ #include
+ #include
+@@ -165,6 +181,27 @@ static inline void ieee802154_devaddr_to_raw(void *raw, __le64 addr)
+ memcpy(raw, &temp, IEEE802154_ADDR_LEN);
+ }
+
++static inline int
++ieee802154_sockaddr_check_size(struct sockaddr_ieee802154 *daddr, int len)
++{
++ struct ieee802154_addr_sa *sa;
++
++ sa = &daddr->addr;
++ if (len < IEEE802154_MIN_NAMELEN)
++ return -EINVAL;
++ switch (sa->addr_type) {
++ case IEEE802154_ADDR_SHORT:
++ if (len < IEEE802154_NAMELEN_SHORT)
++ return -EINVAL;
++ break;
++ case IEEE802154_ADDR_LONG:
++ if (len < IEEE802154_NAMELEN_LONG)
++ return -EINVAL;
++ break;
++ }
++ return 0;
++}
++
+ static inline void ieee802154_addr_from_sa(struct ieee802154_addr *a,
+ const struct ieee802154_addr_sa *sa)
+ {
+diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
+index 9a675ba0bf0a..a92b11999e5f 100644
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -201,8 +201,9 @@ static int raw_bind(struct sock *sk, struct sockaddr *_uaddr, int len)
+ int err = 0;
+ struct net_device *dev = NULL;
+
+- if (len < sizeof(*uaddr))
+- return -EINVAL;
++ err = ieee802154_sockaddr_check_size(uaddr, len);
++ if (err < 0)
++ return err;
+
+ uaddr = (struct sockaddr_ieee802154 *)_uaddr;
+ if (uaddr->family != AF_IEEE802154)
+@@ -498,7 +499,8 @@ static int dgram_bind(struct sock *sk, struct sockaddr *uaddr, int len)
+
+ ro->bound = 0;
+
+- if (len < sizeof(*addr))
++ err = ieee802154_sockaddr_check_size(addr, len);
++ if (err < 0)
+ goto out;
+
+ if (addr->family != AF_IEEE802154)
+@@ -569,8 +571,9 @@ static int dgram_connect(struct sock *sk, struct sockaddr *uaddr,
+ struct dgram_sock *ro = dgram_sk(sk);
+ int err = 0;
+
+- if (len < sizeof(*addr))
+- return -EINVAL;
++ err = ieee802154_sockaddr_check_size(addr, len);
++ if (err < 0)
++ return err;
+
+ if (addr->family != AF_IEEE802154)
+ return -EINVAL;
+@@ -609,6 +612,7 @@ static int dgram_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
+ struct ieee802154_mac_cb *cb;
+ struct dgram_sock *ro = dgram_sk(sk);
+ struct ieee802154_addr dst_addr;
++ DECLARE_SOCKADDR(struct sockaddr_ieee802154*, daddr, msg->msg_name);
+ int hlen, tlen;
+ int err;
+
+@@ -617,10 +621,20 @@ static int dgram_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
+ return -EOPNOTSUPP;
+ }
+
+- if (!ro->connected && !msg->msg_name)
+- return -EDESTADDRREQ;
+- else if (ro->connected && msg->msg_name)
+- return -EISCONN;
++ if (msg->msg_name) {
++ if (ro->connected)
++ return -EISCONN;
++ if (msg->msg_namelen < IEEE802154_MIN_NAMELEN)
++ return -EINVAL;
++ err = ieee802154_sockaddr_check_size(daddr, msg->msg_namelen);
++ if (err < 0)
++ return err;
++ ieee802154_addr_from_sa(&dst_addr, &daddr->addr);
++ } else {
++ if (!ro->connected)
++ return -EDESTADDRREQ;
++ dst_addr = ro->dst_addr;
++ }
+
+ if (!ro->bound)
+ dev = dev_getfirstbyhwtype(sock_net(sk), ARPHRD_IEEE802154);
+@@ -656,16 +670,6 @@ static int dgram_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
+ cb = mac_cb_init(skb);
+ cb->type = IEEE802154_FC_TYPE_DATA;
+ cb->ackreq = ro->want_ack;
+-
+- if (msg->msg_name) {
+- DECLARE_SOCKADDR(struct sockaddr_ieee802154*,
+- daddr, msg->msg_name);
+-
+- ieee802154_addr_from_sa(&dst_addr, &daddr->addr);
+- } else {
+- dst_addr = ro->dst_addr;
+- }
+-
+ cb->secen = ro->secen;
+ cb->secen_override = ro->secen_override;
+ cb->seclevel = ro->seclevel;
+--
+2.35.1
+
diff --git a/queue-5.4/scsi-qedf-fix-a-uaf-bug-in-__qedf_probe.patch b/queue-5.4/scsi-qedf-fix-a-uaf-bug-in-__qedf_probe.patch
new file mode 100644
index 00000000000..dc67f539b49
--- /dev/null
+++ b/queue-5.4/scsi-qedf-fix-a-uaf-bug-in-__qedf_probe.patch
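Review bot: In the `dgram_bind()` hunk of net/ieee802154/socket.c, `err = ieee802154_sockaddr_check_size(addr, len);` leaves `err` at 0 once the size check passes, and the following `if (addr->family != AF_IEEE802154) goto out;` does not set it again. If `out:` returns `err` and the function relied on an earlier `-EINVAL` initialisation (both are outside the hunk), a bind with the wrong address family would now report success; adding `err = -EINVAL;` after the size check keeps the old result. In the `raw_bind()` hunk the helper receives `uaddr` before the visible `uaddr = (struct sockaddr_ieee802154 *)_uaddr;` assignment, so it is worth confirming that the declaration above the hunk already initialises the pointer. Separately, the `switch` in `ieee802154_sockaddr_check_size()` has no `default:` case, so any address type other than SHORT or LONG is accepted with only `IEEE802154_MIN_NAMELEN` bytes validated.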
@@ -0,0 +1,76 @@
+From 0456a673f392ee8d6e478f14e74dffb257848294 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 Nov 2021 20:06:41 +0800
+Subject: scsi: qedf: Fix a UAF bug in __qedf_probe()
+
+From: Letu Ren
+
+[ Upstream commit fbfe96869b782364caebae0445763969ddb6ea67 ]
+
+In __qedf_probe(), if qedf->cdev is NULL which means
+qed_ops->common->probe() failed, then the program will goto label err1, and
+scsi_host_put() will free lport->host pointer. Because the memory qedf
+points to is allocated by libfc_host_alloc(), it will be freed by
+scsi_host_put(). However, the if statement below label err0 only checks
+whether qedf is NULL but doesn't check whether the memory has been freed.
+So a UAF bug can occur.
+
+There are two ways to reach the statements below err0. The first one is
+described as before, "qedf" should be set to NULL. The second one is goto
+"err0" directly. In the latter scenario qedf hasn't been changed and it has
+the initial value NULL. As a result the if statement is not reachable in
+any situation.
+
+The KASAN logs are as follows:
+
+[ 2.312969] BUG: KASAN: use-after-free in __qedf_probe+0x5dcf/0x6bc0
+[ 2.312969]
+[ 2.312969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 2.312969] Call Trace:
+[ 2.312969] dump_stack_lvl+0x59/0x7b
+[ 2.312969] print_address_description+0x7c/0x3b0
+[ 2.312969] ? __qedf_probe+0x5dcf/0x6bc0
+[ 2.312969] __kasan_report+0x160/0x1c0
+[ 2.312969] ? __qedf_probe+0x5dcf/0x6bc0
+[ 2.312969] kasan_report+0x4b/0x70
+[ 2.312969] ? kobject_put+0x25d/0x290
+[ 2.312969] kasan_check_range+0x2ca/0x310
+[ 2.312969] __qedf_probe+0x5dcf/0x6bc0
+[ 2.312969] ? selinux_kernfs_init_security+0xdc/0x5f0
+[ 2.312969] ? trace_rpm_return_int_rcuidle+0x18/0x120
+[ 2.312969] ? rpm_resume+0xa5c/0x16e0
+[ 2.312969] ? qedf_get_generic_tlv_data+0x160/0x160
+[ 2.312969] local_pci_probe+0x13c/0x1f0
+[ 2.312969] pci_device_probe+0x37e/0x6c0
+
+Link: https://lore.kernel.org/r/20211112120641.16073-1-fantasquex@gmail.com
+Reported-by: Zheyu Ma
+Acked-by: Saurav Kashyap
+Co-developed-by: Wende Tan
+Signed-off-by: Wende Tan
+Signed-off-by: Letu Ren
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qedf/qedf_main.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
+index c95e04cc6424..f864ef059d29 100644
+--- a/drivers/scsi/qedf/qedf_main.c
++++ b/drivers/scsi/qedf/qedf_main.c
+@@ -3544,11 +3544,6 @@ static int __qedf_probe(struct pci_dev *pdev, int mode)
+ err1:
+ scsi_host_put(lport->host);
+ err0:
+- if (qedf) {
+- QEDF_INFO(&qedf->dbg_ctx, QEDF_LOG_DISC, "Probe done.\n");
+-
+- clear_bit(QEDF_PROBING, &qedf->flags);
+- }
+ return rc;
+ }
+
+--
+2.35.1
+
diff --git a/queue-5.4/series b/queue-5.4/series
index c26c7e34435..aacd9021966 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -2,3 +2,12 @@ mm-pagewalk-fix-race-between-unmap-and-page-walker.patch
 wait_on_bit-add-an-acquire-memory-barrier.patch
 provide-arch_test_bit_acquire-for-architectures-that-define-test_bit.patch
 perf-tools-fixup-get_current_dir_name-compilation.patch
+firmware-arm_scmi-add-scmi-pm-driver-remove-routine.patch
+dmaengine-xilinx_dma-cleanup-for-fetching-xlnx-num-f.patch
+dmaengine-xilinx_dma-report-error-in-case-of-dma_set.patch
+arm-dts-fix-moxa-sdio-compatible-remove-sdhci-misnom.patch
+scsi-qedf-fix-a-uaf-bug-in-__qedf_probe.patch
+net-ieee802154-fix-uninit-value-bug-in-dgram_sendmsg.patch
+um-cleanup-syscall_handler_t-cast-in-syscalls_32.h.patch
+um-cleanup-compiler-warning-in-arch-x86-um-tls_32.c.patch
+arch-um-mark-the-stack-non-executable-to-fix-a-binut.patch
diff --git a/queue-5.4/um-cleanup-compiler-warning-in-arch-x86-um-tls_32.c.patch b/queue-5.4/um-cleanup-compiler-warning-in-arch-x86-um-tls_32.c.patch
new file mode 100644
index 00000000000..4d47346fe6e
--- /dev/null
+++ b/queue-5.4/um-cleanup-compiler-warning-in-arch-x86-um-tls_32.c.patch
@@ -0,0 +1,70 @@
+From a62ace76ee3323c02374f13be2b5971ce95fac2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 15:29:31 +0000
+Subject: um: Cleanup compiler warning in arch/x86/um/tls_32.c
+
+From: Lukas Straub
+
+[ Upstream commit d27fff3499671dc23a08efd01cdb8b3764a391c4 ]
+
+arch.tls_array is statically allocated so checking for NULL doesn't
+make sense. This causes the compiler warning below.
+
+Remove the checks to silence these warnings.
+
+../arch/x86/um/tls_32.c: In function 'get_free_idx':
+../arch/x86/um/tls_32.c:68:13: warning: the comparison will always evaluate as 'true' for the address of 'tls_array' will never be NULL [-Waddress]
+ 68 | if (!t->arch.tls_array)
+ | ^
+In file included from ../arch/x86/um/asm/processor.h:10,
+ from ../include/linux/rcupdate.h:30,
+ from ../include/linux/rculist.h:11,
+ from ../include/linux/pid.h:5,
+ from ../include/linux/sched.h:14,
+ from ../arch/x86/um/tls_32.c:7:
+../arch/x86/um/asm/processor_32.h:22:31: note: 'tls_array' declared here
+ 22 | struct uml_tls_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
+ | ^~~~~~~~~
+../arch/x86/um/tls_32.c: In function 'get_tls_entry':
+../arch/x86/um/tls_32.c:243:13: warning: the comparison will always evaluate as 'true' for the address of 'tls_array' will never be NULL [-Waddress]
+ 243 | if (!t->arch.tls_array)
+ | ^
+../arch/x86/um/asm/processor_32.h:22:31: note: 'tls_array' declared here
+ 22 | struct uml_tls_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
+ | ^~~~~~~~~
+
+Signed-off-by: Lukas Straub
+Acked-by: Randy Dunlap # build-tested
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/x86/um/tls_32.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/arch/x86/um/tls_32.c b/arch/x86/um/tls_32.c
+index ac8eee093f9c..66162eafd8e8 100644
+--- a/arch/x86/um/tls_32.c
++++ b/arch/x86/um/tls_32.c
+@@ -65,9 +65,6 @@ static int get_free_idx(struct task_struct* task)
+ struct thread_struct *t = &task->thread;
+ int idx;
+
+- if (!t->arch.tls_array)
+- return GDT_ENTRY_TLS_MIN;
+-
+ for (idx = 0; idx < GDT_ENTRY_TLS_ENTRIES; idx++)
+ if (!t->arch.tls_array[idx].present)
+ return idx + GDT_ENTRY_TLS_MIN;
+@@ -240,9 +237,6 @@ static int get_tls_entry(struct task_struct *task, struct user_desc *info,
+ {
+ struct thread_struct *t = &task->thread;
+
+- if (!t->arch.tls_array)
+- goto clear;
+-
+ if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
+ return -EINVAL;
+
+--
+2.35.1
+
diff --git a/queue-5.4/um-cleanup-syscall_handler_t-cast-in-syscalls_32.h.patch b/queue-5.4/um-cleanup-syscall_handler_t-cast-in-syscalls_32.h.patch
new file mode 100644
index 00000000000..bac6d5b77af
--- /dev/null
+++ b/queue-5.4/um-cleanup-syscall_handler_t-cast-in-syscalls_32.h.patch
@@ -0,0 +1,41 @@
+From 0dc602beaf6b1b454c7bac7a4a022f395d527f77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 15:29:27 +0000
+Subject: um: Cleanup syscall_handler_t cast in syscalls_32.h
+
+From: Lukas Straub
+
+[ Upstream commit 61670b4d270c71219def1fbc9441debc2ac2e6e9 ]
+
+Like in f4f03f299a56ce4d73c5431e0327b3b6cb55ebb9
+"um: Cleanup syscall_handler_t definition/cast, fix warning",
+remove the cast to to fix the compiler warning.
+
+Signed-off-by: Lukas Straub
+Acked-by: Randy Dunlap # build-tested
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/x86/um/shared/sysdep/syscalls_32.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/um/shared/sysdep/syscalls_32.h b/arch/x86/um/shared/sysdep/syscalls_32.h
+index 68fd2cf526fd..f6e9f84397e7 100644
+--- a/arch/x86/um/shared/sysdep/syscalls_32.h
++++ b/arch/x86/um/shared/sysdep/syscalls_32.h
+@@ -6,10 +6,9 @@
+ #include
+ #include
+
+-typedef long syscall_handler_t(struct pt_regs);
++typedef long syscall_handler_t(struct syscall_args);
+
+ extern syscall_handler_t *sys_call_table[];
+
+ #define EXECUTE_SYSCALL(syscall, regs) \
+- ((long (*)(struct syscall_args)) \
+- (*sys_call_table[syscall]))(SYSCALL_ARGS(®s->regs))
++ ((*sys_call_table[syscall]))(SYSCALL_ARGS(®s->regs))
+--
+2.35.1
+
--
2.47.3