From 41f6ee177b551842b88e7e886375165aefe4dc0a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 20 Aug 2023 20:07:23 +0200 Subject: [PATCH] 5.4-stable patches added patches: fbdev-mmp-fix-value-check-in-mmphw_probe.patch i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch --- ...v-mmp-fix-value-check-in-mmphw_probe.patch | 34 ++++++++++ ...fix-bcm_iproc_i2c_isr-deadlock-issue.patch | 61 +++++++++++++++++ ...er-copy-to-flash-block-cache-objects.patch | 68 +++++++++++++++++++ queue-5.4/series | 3 + 4 files changed, 166 insertions(+) create mode 100644 queue-5.4/fbdev-mmp-fix-value-check-in-mmphw_probe.patch create mode 100644 queue-5.4/i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch create mode 100644 queue-5.4/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch diff --git a/queue-5.4/fbdev-mmp-fix-value-check-in-mmphw_probe.patch b/queue-5.4/fbdev-mmp-fix-value-check-in-mmphw_probe.patch new file mode 100644 index 00000000000..157db5f55f8 --- /dev/null +++ b/queue-5.4/fbdev-mmp-fix-value-check-in-mmphw_probe.patch @@ -0,0 +1,34 @@ +From 0872b2c0abc0e84ac82472959c8e14e35277549c Mon Sep 17 00:00:00 2001 +From: Yuanjun Gong +Date: Fri, 28 Jul 2023 01:03:18 +0800 +Subject: fbdev: mmp: fix value check in mmphw_probe() + +From: Yuanjun Gong + +commit 0872b2c0abc0e84ac82472959c8e14e35277549c upstream. + +in mmphw_probe(), check the return value of clk_prepare_enable() +and return the error code if clk_prepare_enable() returns an +unexpected value. + +Fixes: d63028c38905 ("video: mmp display controller support") +Signed-off-by: Yuanjun Gong +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/mmp/hw/mmp_ctrl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/video/fbdev/mmp/hw/mmp_ctrl.c ++++ b/drivers/video/fbdev/mmp/hw/mmp_ctrl.c +@@ -510,7 +510,9 @@ static int mmphw_probe(struct platform_d + ret = -ENOENT; + goto failed; + } +- clk_prepare_enable(ctrl->clk); ++ ret = clk_prepare_enable(ctrl->clk); ++ if (ret) ++ goto failed; + + /* init global regs */ + ctrl_set_default(ctrl); diff --git a/queue-5.4/i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch b/queue-5.4/i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch new file mode 100644 index 00000000000..6ec49897800 --- /dev/null +++ b/queue-5.4/i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch @@ -0,0 +1,61 @@ +From 4caf4cb1eaed469742ef719f2cc024b1ec3fa9e6 Mon Sep 17 00:00:00 2001 +From: Chengfeng Ye +Date: Fri, 7 Jul 2023 08:49:41 +0000 +Subject: i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue + +From: Chengfeng Ye + +commit 4caf4cb1eaed469742ef719f2cc024b1ec3fa9e6 upstream. + +iproc_i2c_rd_reg() and iproc_i2c_wr_reg() are called from both +interrupt context (e.g. bcm_iproc_i2c_isr) and process context +(e.g. bcm_iproc_i2c_suspend). Therefore, interrupts should be +disabled to avoid potential deadlock. To prevent this scenario, +use spin_lock_irqsave(). + +Fixes: 9a1038728037 ("i2c: iproc: add NIC I2C support") +Signed-off-by: Chengfeng Ye +Acked-by: Ray Jui +Reviewed-by: Andi Shyti +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-bcm-iproc.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/i2c/busses/i2c-bcm-iproc.c ++++ b/drivers/i2c/busses/i2c-bcm-iproc.c +@@ -240,13 +240,14 @@ static inline u32 iproc_i2c_rd_reg(struc + u32 offset) + { + u32 val; ++ unsigned long flags; + + if (iproc_i2c->idm_base) { +- spin_lock(&iproc_i2c->idm_lock); ++ spin_lock_irqsave(&iproc_i2c->idm_lock, flags); + writel(iproc_i2c->ape_addr_mask, + iproc_i2c->idm_base + IDM_CTRL_DIRECT_OFFSET); + val = readl(iproc_i2c->base + offset); +- spin_unlock(&iproc_i2c->idm_lock); ++ spin_unlock_irqrestore(&iproc_i2c->idm_lock, flags); + } else { + val = readl(iproc_i2c->base + offset); + } +@@ -257,12 +258,14 @@ static inline u32 iproc_i2c_rd_reg(struc + static inline void iproc_i2c_wr_reg(struct bcm_iproc_i2c_dev *iproc_i2c, + u32 offset, u32 val) + { ++ unsigned long flags; ++ + if (iproc_i2c->idm_base) { +- spin_lock(&iproc_i2c->idm_lock); ++ spin_lock_irqsave(&iproc_i2c->idm_lock, flags); + writel(iproc_i2c->ape_addr_mask, + iproc_i2c->idm_base + IDM_CTRL_DIRECT_OFFSET); + writel(val, iproc_i2c->base + offset); +- spin_unlock(&iproc_i2c->idm_lock); ++ spin_unlock_irqrestore(&iproc_i2c->idm_lock, flags); + } else { + writel(val, iproc_i2c->base + offset); + } diff --git a/queue-5.4/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch b/queue-5.4/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch new file mode 100644 index 00000000000..5f779fcaa0d --- /dev/null +++ b/queue-5.4/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch @@ -0,0 +1,68 @@ +From 4f3175979e62de3b929bfa54a0db4b87d36257a7 Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Thu, 10 Aug 2023 22:37:55 -0500 +Subject: powerpc/rtas_flash: allow user copy to flash block cache objects + +From: Nathan Lynch + +commit 4f3175979e62de3b929bfa54a0db4b87d36257a7 upstream. + +With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the +/proc/powerpc/rtas/firmware_update interface to prepare a system +firmware update yields a BUG(): + + kernel BUG at mm/usercopy.c:102! + Oops: Exception in kernel mode, sig: 5 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + Modules linked in: + CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2 + Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries + NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000 + REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+) + MSR: 8000000000029033 CR: 24002242 XER: 0000000c + CFAR: c0000000001fbd34 IRQMASK: 0 + [ ... GPRs omitted ... ] + NIP usercopy_abort+0xa0/0xb0 + LR usercopy_abort+0x9c/0xb0 + Call Trace: + usercopy_abort+0x9c/0xb0 (unreliable) + __check_heap_object+0x1b4/0x1d0 + __check_object_size+0x2d0/0x380 + rtas_flash_write+0xe4/0x250 + proc_reg_write+0xfc/0x160 + vfs_write+0xfc/0x4e0 + ksys_write+0x90/0x160 + system_call_exception+0x178/0x320 + system_call_common+0x160/0x2c4 + +The blocks of the firmware image are copied directly from user memory +to objects allocated from flash_block_cache, so flash_block_cache must +be created using kmem_cache_create_usercopy() to mark it safe for user +access. + +Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") +Signed-off-by: Nathan Lynch +Reviewed-by: Kees Cook +[mpe: Trim and indent oops] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230810-rtas-flash-vs-hardened-usercopy-v2-1-dcf63793a938@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/rtas_flash.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kernel/rtas_flash.c ++++ b/arch/powerpc/kernel/rtas_flash.c +@@ -710,9 +710,9 @@ static int __init rtas_flash_init(void) + if (!rtas_validate_flash_data.buf) + return -ENOMEM; + +- flash_block_cache = kmem_cache_create("rtas_flash_cache", +- RTAS_BLK_SIZE, RTAS_BLK_SIZE, 0, +- NULL); ++ flash_block_cache = kmem_cache_create_usercopy("rtas_flash_cache", ++ RTAS_BLK_SIZE, RTAS_BLK_SIZE, ++ 0, 0, RTAS_BLK_SIZE, NULL); + if (!flash_block_cache) { + printk(KERN_ERR "%s: failed to create block cache\n", + __func__); diff --git a/queue-5.4/series b/queue-5.4/series index 16a9a1ec6f1..d737124c283 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -55,3 +55,6 @@ nfsd-remove-incorrect-check-in-nfsd4_validate_statei.patch virtio-mmio-convert-to-devm_platform_ioremap_resourc.patch virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch +i2c-bcm-iproc-fix-bcm_iproc_i2c_isr-deadlock-issue.patch +fbdev-mmp-fix-value-check-in-mmphw_probe.patch +powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch -- 2.47.3