From 42215a55a44e7ed016fa773fc483cc4f1d8ea027 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 24 Sep 2021 11:25:50 +0200
Subject: [PATCH] 4.14-stable patches
added patches:
9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch
prctl-allow-to-setup-brk-for-et_dyn-executables.patch
profiling-fix-shift-out-of-bounds-bugs.patch
pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch
pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch
thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch
---
 ...o-remove-sysfs-file-on-probe-failure.patch | 41 ++++++++
 ...-to-setup-brk-for-et_dyn-executables.patch | 80 +++++++++++++++
 ...ofiling-fix-shift-out-of-bounds-bugs.patch | 98 +++++++++++++++++++
 ...be-after-the-pwm-chip-was-registered.patch | 55 +++++++++++
 ...be-after-the-pwm-chip-was-registered.patch | 60 ++++++++++++
 queue-4.14/series | 6 ++
 ...ix-an-error-code-in-exynos_tmu_probe.patch | 32 ++++++
 7 files changed, 372 insertions(+)
 create mode 100644 queue-4.14/9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch
 create mode 100644 queue-4.14/prctl-allow-to-setup-brk-for-et_dyn-executables.patch
 create mode 100644 queue-4.14/profiling-fix-shift-out-of-bounds-bugs.patch
 create mode 100644 queue-4.14/pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch
 create mode 100644 queue-4.14/pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch
 create mode 100644 queue-4.14/thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch
diff --git a/queue-4.14/9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch b/queue-4.14/9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch
new file mode 100644
index 00000000000..2ca22f294a1
--- /dev/null
+++ b/queue-4.14/9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch
@@ -0,0 +1,41 @@
+From f997ea3b7afc108eb9761f321b57de2d089c7c48 Mon Sep 17 00:00:00 2001
+From: Xie Yongji
+Date: Mon, 17 May 2021 16:35:57 +0800
+Subject: 9p/trans_virtio: Remove sysfs file on probe failure
+
+From: Xie Yongji
+
+commit f997ea3b7afc108eb9761f321b57de2d089c7c48 upstream.
+
+This ensures we don't leak the sysfs file if we failed to
+allocate chan->vc_wq during probe.
+
+Link: http://lkml.kernel.org/r/20210517083557.172-1-xieyongji@bytedance.com
+Fixes: 86c8437383ac ("net/9p: Add sysfs mount_tag file for virtio 9P device")
+Signed-off-by: Xie Yongji
+Signed-off-by: Dominique Martinet
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/9p/trans_virtio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -602,7 +602,7 @@ static int p9_virtio_probe(struct virtio
+ chan->vc_wq = kmalloc(sizeof(wait_queue_head_t), GFP_KERNEL);
+ if (!chan->vc_wq) {
+ err = -ENOMEM;
+- goto out_free_tag;
++ goto out_remove_file;
+ }
+ init_waitqueue_head(chan->vc_wq);
+ chan->ring_bufs_avail = 1;
+@@ -620,6 +620,8 @@ static int p9_virtio_probe(struct virtio
+
+ return 0;
+
++out_remove_file:
++ sysfs_remove_file(&vdev->dev.kobj, &dev_attr_mount_tag.attr);
+ out_free_tag:
+ kfree(tag);
+ out_free_vq:
diff --git a/queue-4.14/prctl-allow-to-setup-brk-for-et_dyn-executables.patch b/queue-4.14/prctl-allow-to-setup-brk-for-et_dyn-executables.patch
new file mode 100644
index 00000000000..d7d0d2f9c37
--- /dev/null
+++ b/queue-4.14/prctl-allow-to-setup-brk-for-et_dyn-executables.patch
@@ -0,0 +1,80 @@
+From e1fbbd073137a9d63279f6bf363151a938347640 Mon Sep 17 00:00:00 2001
+From: Cyrill Gorcunov
+Date: Tue, 7 Sep 2021 20:00:41 -0700
+Subject: prctl: allow to setup brk for et_dyn executables
+
+From: Cyrill Gorcunov
+
+commit e1fbbd073137a9d63279f6bf363151a938347640 upstream.
+
+Keno Fischer reported that when a binray loaded via ld-linux-x the
+prctl(PR_SET_MM_MAP) doesn't allow to setup brk value because it lays
+before mm:end_data.
+
+For example a test program shows
+
+ | # ~/t
+ |
+ | start_code 401000
+ | end_code 401a15
+ | start_stack 7ffce4577dd0
+ | start_data 403e10
+ | end_data 40408c
+ | start_brk b5b000
+ | sbrk(0) b5b000
+
+and when executed via ld-linux
+
+ | # /lib64/ld-linux-x86-64.so.2 ~/t
+ |
+ | start_code 7fc25b0a4000
+ | end_code 7fc25b0c4524
+ | start_stack 7fffcc6b2400
+ | start_data 7fc25b0ce4c0
+ | end_data 7fc25b0cff98
+ | start_brk 55555710c000
+ | sbrk(0) 55555710c000
+
+This of course prevent criu from restoring such programs. Looking into
+how kernel operates with brk/start_brk inside brk() syscall I don't see
+any problem if we allow to setup brk/start_brk without checking for
+end_data. Even if someone pass some weird address here on a purpose then
+the worst possible result will be an unexpected unmapping of existing vma
+(own vma, since prctl works with the callers memory) but test for
+RLIMIT_DATA is still valid and a user won't be able to gain more memory in
+case of expanding VMAs via new values shipped with prctl call.
+
+Link: https://lkml.kernel.org/r/20210121221207.GB2174@grain
+Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec")
+Signed-off-by: Cyrill Gorcunov
+Reported-by: Keno Fischer
+Acked-by: Andrey Vagin
+Tested-by: Andrey Vagin
+Cc: Dmitry Safonov <0x7f454c46@gmail.com>
+Cc: Kirill Tkhai
+Cc: Eric W. 
Biederman
+Cc: Pavel Tikhomirov
+Cc: Alexander Mikhalitsyn
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sys.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1874,13 +1874,6 @@ static int validate_prctl_map(struct prc
+ error = -EINVAL;
+
+ /*
+- * @brk should be after @end_data in traditional maps.
+- */
+- if (prctl_map->start_brk <= prctl_map->end_data ||
+- prctl_map->brk <= prctl_map->end_data)
+- goto out;
+-
+- /*
+ * Neither we should allow to override limits if they set.
+ */
+ if (check_data_rlimit(rlimit(RLIMIT_DATA), prctl_map->brk,
diff --git a/queue-4.14/profiling-fix-shift-out-of-bounds-bugs.patch b/queue-4.14/profiling-fix-shift-out-of-bounds-bugs.patch
new file mode 100644
index 00000000000..554f1f71ce9
--- /dev/null
+++ b/queue-4.14/profiling-fix-shift-out-of-bounds-bugs.patch
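Review bot: The hunk in validate_prctl_map() drops the `end_data` ordering check on the caller-supplied `start_brk`/`brk` and leaves nothing in the code saying why; the rationale (only the caller's own VMAs are affected, and the `check_data_rlimit()` test that follows still applies) lives only in the commit message. I would put it in place of the deleted comment, for example `/* brk/start_brk may lie below end_data (ET_DYN run via the loader); the RLIMIT_DATA check below still bounds them. */`. It is also worth confirming whether the single-field PR_SET_MM_BRK / PR_SET_MM_START_BRK path in this tree still compares against `end_data`; that code is not visible here, and if it does the two interfaces would now disagree. The function body continues outside the hunk.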
@@ -0,0 +1,98 @@
+From 2d186afd04d669fe9c48b994c41a7405a3c9f16d Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Tue, 7 Sep 2021 19:58:21 -0700
+Subject: profiling: fix shift-out-of-bounds bugs
+
+From: Pavel Skripkin
+
+commit 2d186afd04d669fe9c48b994c41a7405a3c9f16d upstream.
+
+Syzbot reported shift-out-of-bounds bug in profile_init().
+The problem was in incorrect prof_shift. Since prof_shift value comes from
+userspace we need to clamp this value into [0, BITS_PER_LONG -1]
+boundaries.
+
+Second possible shiht-out-of-bounds was found by Tetsuo:
+sample_step local variable in read_profile() had "unsigned int" type,
+but prof_shift allows to make a BITS_PER_LONG shift. So, to prevent
+possible shiht-out-of-bounds sample_step type was changed to
+"unsigned long".
+
+Also, "unsigned short int" will be sufficient for storing
+[0, BITS_PER_LONG] value, that's why there is no need for
+"unsigned long" prof_shift.
+
+Link: https://lkml.kernel.org/r/20210813140022.5011-1-paskripkin@gmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-and-tested-by: syzbot+e68c89a9510c159d9684@syzkaller.appspotmail.com
+Suggested-by: Tetsuo Handa
+Signed-off-by: Pavel Skripkin
+Cc: Thomas Gleixner
+Cc: Steven Rostedt
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/profile.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/kernel/profile.c
++++ b/kernel/profile.c
+@@ -40,7 +40,8 @@ struct profile_hit {
+ #define NR_PROFILE_GRP (NR_PROFILE_HIT/PROFILE_GRPSZ)
+
+ static atomic_t *prof_buffer;
+-static unsigned long prof_len, prof_shift;
++static unsigned long prof_len;
++static unsigned short int prof_shift;
+
+ int prof_on __read_mostly;
+ EXPORT_SYMBOL_GPL(prof_on);
+@@ -66,8 +67,8 @@ int profile_setup(char *str)
+ if (str[strlen(sleepstr)] == ',')
+ str += strlen(sleepstr) + 1;
+ if (get_option(&str, &par))
+- prof_shift = par;
+- pr_info("kernel sleep profiling enabled 
(shift: %ld)\n",
++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1);
++ pr_info("kernel sleep profiling enabled (shift: %u)\n",
+ prof_shift);
+ #else
+ pr_warn("kernel sleep profiling requires CONFIG_SCHEDSTATS\n");
+@@ -77,21 +78,21 @@ int profile_setup(char *str)
+ if (str[strlen(schedstr)] == ',')
+ str += strlen(schedstr) + 1;
+ if (get_option(&str, &par))
+- prof_shift = par;
+- pr_info("kernel schedule profiling enabled (shift: %ld)\n",
++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1);
++ pr_info("kernel schedule profiling enabled (shift: %u)\n",
+ prof_shift);
+ } else if (!strncmp(str, kvmstr, strlen(kvmstr))) {
+ prof_on = KVM_PROFILING;
+ if (str[strlen(kvmstr)] == ',')
+ str += strlen(kvmstr) + 1;
+ if (get_option(&str, &par))
+- prof_shift = par;
+- pr_info("kernel KVM profiling enabled (shift: %ld)\n",
++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1);
++ pr_info("kernel KVM profiling enabled (shift: %u)\n",
+ prof_shift);
+ } else if (get_option(&str, &par)) {
+- prof_shift = par;
++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1);
+ prof_on = CPU_PROFILING;
+- pr_info("kernel profiling enabled (shift: %ld)\n",
++ pr_info("kernel profiling enabled (shift: %u)\n",
+ prof_shift);
+ }
+ return 1;
+@@ -467,7 +468,7 @@ read_profile(struct file *file, char __u
+ unsigned long p = *ppos;
+ ssize_t read;
+ char *pnt;
+- unsigned int sample_step = 1 << prof_shift;
++ unsigned long sample_step = 1UL << prof_shift;
+
+ profile_flip_buffers();
+ if (p >= (prof_len+1)*sizeof(unsigned int))
diff --git a/queue-4.14/pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch b/queue-4.14/pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch
new file mode 100644
index 00000000000..d3af6ce024d
--- /dev/null
+++ b/queue-4.14/pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch
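Review bot: Widening `sample_step` to `unsigned long` in read_profile() changes the size of an object whose later use is outside the hunk. If the rest of the function still hands the step to userspace by copying the first `sizeof(unsigned int)` bytes starting at `&sample_step`, a 64-bit big-endian kernel would now return the high, zero half instead of the step; the visible bound `(prof_len+1)*sizeof(unsigned int)` suggests the exported header is still `unsigned int` sized. Please check that copy and, if it is bytewise, export from a separate `unsigned int` value. As a smaller point, `prof_shift` is now `unsigned short int`, so the four `pr_info()` format strings would be exact with `%hu` rather than `%u`.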
@@ -0,0 +1,55 @@
+From 3d2813fb17e5fd0d73c1d1442ca0192bde4af10e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?=
+Date: Wed, 7 Jul 2021 18:27:49 +0200
+Subject: pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+commit 3d2813fb17e5fd0d73c1d1442ca0192bde4af10e upstream.
+
+This fixes a race condition: After pwmchip_add() is called there might
+already be a consumer and then modifying the hardware behind the
+consumer's back is bad. So set the default before.
+
+(Side-note: I don't know what this register setting actually does, if
+this modifies the polarity there is an inconsistency because the
+inversed polarity isn't considered if the PWM is already running during
+.probe().)
+
+Fixes: acfd92fdfb93 ("pwm: lpc32xx: Set PWM_PIN_LEVEL bit to default value")
+Cc: Sylvain Lemieux
+Signed-off-by: Uwe Kleine-König
+Signed-off-by: Thierry Reding
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pwm/pwm-lpc32xx.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/pwm/pwm-lpc32xx.c
++++ b/drivers/pwm/pwm-lpc32xx.c
+@@ -124,17 +124,17 @@ static int lpc32xx_pwm_probe(struct plat
+ lpc32xx->chip.npwm = 1;
+ lpc32xx->chip.base = -1;
+
++ /* If PWM is disabled, configure the output to the default value */
++ val = readl(lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2));
++ val &= ~PWM_PIN_LEVEL;
++ writel(val, lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2));
++
+ ret = pwmchip_add(&lpc32xx->chip);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "failed to add PWM chip, error %d\n", ret);
+ return ret;
+ }
+
+- /* When PWM is disable, configure the output to the default value */
+- val = readl(lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2));
+- val &= ~PWM_PIN_LEVEL;
+- writel(val, lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2));
+-
+ platform_set_drvdata(pdev, lpc32xx);
+
+ 
return 0;
diff --git a/queue-4.14/pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch b/queue-4.14/pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch
new file mode 100644
index 00000000000..27dae3ee6bd
--- /dev/null
+++ b/queue-4.14/pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch
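Review bot: In lpc32xx_pwm_probe() the relocated register access still indexes `lpc32xx->chip.pwms[0].hwpwm`, but it now runs before `pwmchip_add()`. As far as I know it is pwmchip_add() that allocates `chip.pwms`, so at this point the pointer would still be NULL and probe would fault on the first `readl()` line. The hunk sets `chip.npwm = 1`, so the channel offset is always 0 and the lookup can simply go: `val = readl(lpc32xx->base);` and `writel(val, lpc32xx->base);`. The function starts and ends outside the hunk, so please confirm nothing earlier in probe populates `chip.pwms`.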
@@ -0,0 +1,60 @@
+From 020162d6f49f2963062229814a56a89c86cbeaa8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?=
+Date: Wed, 7 Jul 2021 18:27:50 +0200
+Subject: pwm: mxs: Don't modify HW state in .probe() after the PWM chip was registered
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+commit 020162d6f49f2963062229814a56a89c86cbeaa8 upstream.
+
+This fixes a race condition: After pwmchip_add() is called there might
+already be a consumer and then modifying the hardware behind the
+consumer's back is bad. So reset before calling pwmchip_add().
+
+Note that reseting the hardware isn't the right thing to do if the PWM
+is already running as it might e.g. disable (or even enable) a backlight
+that is supposed to be on (or off).
+
+Fixes: 4dce82c1e840 ("pwm: add pwm-mxs support")
+Cc: Sascha Hauer
+Cc: Shawn Guo
+Signed-off-by: Uwe Kleine-König
+Signed-off-by: Thierry Reding
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pwm/pwm-mxs.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/drivers/pwm/pwm-mxs.c
++++ b/drivers/pwm/pwm-mxs.c
+@@ -158,6 +158,11 @@ static int mxs_pwm_probe(struct platform
+ return ret;
+ }
+
++ /* FIXME: Only do this if the PWM isn't already running */
++ ret = stmp_reset_block(mxs->base);
++ if (ret)
++ return dev_err_probe(&pdev->dev, ret, "failed to reset PWM\n");
++
+ ret = pwmchip_add(&mxs->chip);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "failed to add pwm chip %d\n", ret);
+@@ -166,15 +171,7 @@ static int mxs_pwm_probe(struct platform
+
+ platform_set_drvdata(pdev, mxs);
+
+- ret = stmp_reset_block(mxs->base);
+- if (ret)
+- goto pwm_remove;
+-
+ return 0;
+-
+-pwm_remove:
+- pwmchip_remove(&mxs->chip);
+- return ret;
+ }
+
+ static int mxs_pwm_remove(struct platform_device *pdev)
diff --git a/queue-4.14/series b/queue-4.14/series
index 482d0c48169..aa05976aae2 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
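Review bot: The added reset error path in mxs_pwm_probe() calls `dev_err_probe()`, which as far as I know entered the driver core well after the 4.14 series and is not added by anything else in this queue, so this backport likely fails to build unless that helper has been backported separately. An equivalent that matches the `dev_err()` call a few lines below in the same hunk is a braced `if (ret)` containing `dev_err(&pdev->dev, "failed to reset PWM\n");` and `return ret;`. The new `/* FIXME */` comment and the commit text both say the unconditional reset can change a running output such as a backlight, which deserves a tracked follow-up rather than only a comment. The probe function begins outside the hunk.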
@@ -9,3 +9,9 @@ arm-9098-1-ftrace-module_plt-fix-build-problem-without-dynamic_ftrace.patch
 sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch
 sctp-add-param-size-validation-for-sctp_param_set_primary.patch
 dmaengine-acpi-avoid-comparison-gsi-with-linux-virq.patch
+thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch
+9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch
+prctl-allow-to-setup-brk-for-et_dyn-executables.patch
+profiling-fix-shift-out-of-bounds-bugs.patch
+pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch
+pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch
diff --git a/queue-4.14/thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch b/queue-4.14/thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch
new file mode 100644
index 00000000000..8c73565cdfe
--- /dev/null
+++ b/queue-4.14/thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch
@@ -0,0 +1,32 @@
+From 02d438f62c05f0d055ceeedf12a2f8796b258c08 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 10 Aug 2021 11:44:13 +0300
+Subject: thermal/drivers/exynos: Fix an error code in exynos_tmu_probe()
+
+From: Dan Carpenter
+
+commit 02d438f62c05f0d055ceeedf12a2f8796b258c08 upstream.
+
+This error path return success but it should propagate the negative
+error code from devm_clk_get().
+
+Fixes: 6c247393cfdd ("thermal: exynos: Add TMU support for Exynos7 SoC")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Krzysztof Kozlowski
+Signed-off-by: Daniel Lezcano
+Link: https://lore.kernel.org/r/20210810084413.GA23810@kili
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thermal/samsung/exynos_tmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/thermal/samsung/exynos_tmu.c
++++ b/drivers/thermal/samsung/exynos_tmu.c
+@@ -1371,6 +1371,7 @@ static int exynos_tmu_probe(struct platf
+ data->sclk = devm_clk_get(&pdev->dev, "tmu_sclk");
+ if (IS_ERR(data->sclk)) {
+ dev_err(&pdev->dev, "Failed to get sclk\n");
++ ret = PTR_ERR(data->sclk);
+ goto err_clk;
+ } else {
+ ret = clk_prepare_enable(data->sclk);
--
2.47.3