From 7903e4d6e09daeedbcc522e67a76b689f067b704 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 20 Mar 2023 13:03:56 +0100
Subject: [PATCH] 5.4-stable patches
added patches:
fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch
ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch
x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch
---
...xelclock-and-add-fb_check_var-checks.patch | 77 +++++++++++++++++++
...access-in-lookup_rec-when-index-is-0.patch | 54 +++++++++++++
queue-5.4/series | 3 +
...f-uninitialized-buffer-in-sme_enable.patch | 40 ++++++++++
4 files changed, 174 insertions(+)
create mode 100644 queue-5.4/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch
create mode 100644 queue-5.4/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch
create mode 100644 queue-5.4/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch
diff --git a/queue-5.4/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch b/queue-5.4/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch
new file mode 100644
index 00000000000..b029471b0d2
--- /dev/null
+++ b/queue-5.4/fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch
@@ -0,0 +1,77 @@
+From 203873a535d627c668f293be0cb73e26c30f9cc7 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Thu, 16 Mar 2023 11:38:19 +0100
+Subject: fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks
+
+From: Helge Deller
+
+commit 203873a535d627c668f293be0cb73e26c30f9cc7 upstream.
+
+Find a valid modeline depending on the machine graphic card
+configuration and add the fb_check_var() function to validate
+Xorg provided graphics settings.
+
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/stifb.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/drivers/video/fbdev/stifb.c
++++ b/drivers/video/fbdev/stifb.c
+@@ -922,6 +922,28 @@ SETUP_HCRX(struct stifb_info *fb)
+ /* ------------------- driver specific functions --------------------------- */
+
+ static int
++stifb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
++{
++ struct stifb_info *fb = container_of(info, struct stifb_info, info);
++
++ if (var->xres != fb->info.var.xres ||
++ var->yres != fb->info.var.yres ||
++ var->bits_per_pixel != fb->info.var.bits_per_pixel)
++ return -EINVAL;
++
++ var->xres_virtual = var->xres;
++ var->yres_virtual = var->yres;
++ var->xoffset = 0;
++ var->yoffset = 0;
++ var->grayscale = fb->info.var.grayscale;
++ var->red.length = fb->info.var.red.length;
++ var->green.length = fb->info.var.green.length;
++ var->blue.length = fb->info.var.blue.length;
++
++ return 0;
++}
++
++static int
+ stifb_setcolreg(u_int regno, u_int red, u_int green,
+ u_int blue, u_int transp, struct fb_info *info)
+ {
+@@ -1103,6 +1125,7 @@ stifb_init_display(struct stifb_info *fb
+
+ static struct fb_ops stifb_ops = {
+ .owner = THIS_MODULE,
++ .fb_check_var = stifb_check_var,
+ .fb_setcolreg = stifb_setcolreg,
+ .fb_blank = stifb_blank,
+ .fb_fillrect = cfb_fillrect,
+@@ -1122,6 +1145,7 @@ static int __init stifb_init_fb(struct s
+ struct stifb_info *fb;
+ struct fb_info *info;
+ unsigned long sti_rom_address;
++ char modestr[32];
+ char *dev_name;
+ int bpp, xres, yres;
+
+@@ -1300,6 +1324,9 @@ static int __init stifb_init_fb(struct s
+ info->flags = FBINFO_DEFAULT | FBINFO_HWACCEL_COPYAREA;
+ info->pseudo_palette = &fb->pseudo_palette;
+
++ scnprintf(modestr, sizeof(modestr), "%dx%d-%d", xres, yres, bpp);
++ fb_find_mode(&info->var, info, modestr, NULL, 0, NULL, bpp);
++
+ /* This has to be done !!! */
+ if (fb_alloc_cmap(&info->cmap, NR_PALETTE, 0))
+ goto out_err1;
diff --git a/queue-5.4/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch b/queue-5.4/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch
new file mode 100644
index 00000000000..f7c4a3814f9
--- /dev/null
+++ b/queue-5.4/ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch
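Review bot: The return value of `fb_find_mode()` is discarded in the last inner hunk of the stifb patch (`stifb_init_fb()`), so the driver cannot tell an exact match for `modestr` from a fallback mode or from no mode at all. As far as I know the helper returns 0 when nothing was found and values above 1 when it settled for a default or arbitrary mode, in which case `info->var` may end up without the pixclock the commit wants, or with a geometry that differs from `xres`/`yres`. Since the new `stifb_check_var()` accepts only requests that match `fb->info.var`, a wrong geometry there would also become the reference that later userspace requests are validated against. I would at least log the case: `if (fb_find_mode(&info->var, info, modestr, NULL, 0, NULL, bpp) != 1)` followed by `pr_warn("stifb: no exact mode for %s\n", modestr);`. `stifb_init_fb()` starts and ends outside the hunk, so how `info->var` is filled before this call is not visible here.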
@@ -0,0 +1,54 @@
+From ee92fa443358f4fc0017c1d0d325c27b37802504 Mon Sep 17 00:00:00 2001
+From: Chen Zhongjin
+Date: Thu, 9 Mar 2023 16:02:30 +0800
+Subject: ftrace: Fix invalid address access in lookup_rec() when index is 0
+
+From: Chen Zhongjin
+
+commit ee92fa443358f4fc0017c1d0d325c27b37802504 upstream.
+
+KASAN reported follow problem:
+
+ BUG: KASAN: use-after-free in lookup_rec
+ Read of size 8 at addr ffff000199270ff0 by task modprobe
+ CPU: 2 Comm: modprobe
+ Call trace:
+ kasan_report
+ __asan_load8
+ lookup_rec
+ ftrace_location
+ arch_check_ftrace_location
+ check_kprobe_address_safe
+ register_kprobe
+
+When checking pg->records[pg->index - 1].ip in lookup_rec(), it can get a
+pg which is newly added to ftrace_pages_start in ftrace_process_locs().
+Before the first pg->index++, index is 0 and accessing pg->records[-1].ip
+will cause this problem.
+
+Don't check the ip when pg->index is 0.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230309080230.36064-1-chenzhongjin@huawei.com
+
+Cc: stable@vger.kernel.org
+Fixes: 9644302e3315 ("ftrace: Speed up search by skipping pages by address")
+Suggested-by: Steven Rostedt (Google)
+Signed-off-by: Chen Zhongjin
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/ftrace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -1557,7 +1557,8 @@ unsigned long ftrace_location_range(unsi
+ key.flags = end; /* overload flags, as it is unsigned long */
+
+ for (pg = ftrace_pages_start; pg; pg = pg->next) {
+- if (end < pg->records[0].ip ||
++ if (pg->index == 0 ||
++ end < pg->records[0].ip ||
+ start >= (pg->records[pg->index - 1].ip + MCOUNT_INSN_SIZE))
+ continue;
+ rec = bsearch(&key, pg->records, pg->index,
diff --git a/queue-5.4/series b/queue-5.4/series
index 9eb2e66ec0c..3cc78600be2 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
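Review bot: `pg->index` is read three times in the patched loop of `ftrace_location_range()` (the new `pg->index == 0` test, the `pg->index - 1` subscript and the `bsearch()` count) without a snapshot, so the guard is only sound if the value cannot change between those reads. The commit message describes a page that `ftrace_process_locs()` has linked in but not yet filled, which suggests the walk can run while pages are being populated; the locking is outside the hunk, so this is inferred. If that is the case, taking the count once, e.g. `int cnt = READ_ONCE(pg->index);`, and using `cnt` in all three places would at least keep the check and the accesses consistent with each other. Either way the new condition deserves a comment such as `/* empty page: records[] not populated yet */`. The function body continues outside the hunk.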
@@ -47,3 +47,6 @@ interconnect-fix-mem-leak-when-freeing-nodes.patch
 tracing-check-field-value-in-hist_field_name.patch
 tracing-make-tracepoint-lockdep-check-actually-test-something.patch
 kvm-nvmx-add-missing-consistency-checks-for-cr0-and-cr4.patch
+ftrace-fix-invalid-address-access-in-lookup_rec-when-index-is-0.patch
+fbdev-stifb-provide-valid-pixelclock-and-add-fb_check_var-checks.patch
+x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch
diff --git a/queue-5.4/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch b/queue-5.4/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch
new file mode 100644
index 00000000000..cb3cb4f1b57
--- /dev/null
+++ b/queue-5.4/x86-mm-fix-use-of-uninitialized-buffer-in-sme_enable.patch
@@ -0,0 +1,40 @@
+From cbebd68f59f03633469f3ecf9bea99cd6cce3854 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich
+Date: Mon, 6 Mar 2023 08:06:56 -0800
+Subject: x86/mm: Fix use of uninitialized buffer in sme_enable()
+
+From: Nikita Zhandarovich
+
+commit cbebd68f59f03633469f3ecf9bea99cd6cce3854 upstream.
+
+cmdline_find_option() may fail before doing any initialization of
+the buffer array. This may lead to unpredictable results when the same
+buffer is used later in calls to strncmp() function. Fix the issue by
+returning early if cmdline_find_option() returns an error.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: aca20d546214 ("x86/mm: Add support to make use of Secure Memory Encryption")
+Signed-off-by: Nikita Zhandarovich
+Signed-off-by: Borislav Petkov (AMD)
+Acked-by: Tom Lendacky
+Cc:
+Link: https://lore.kernel.org/r/20230306160656.14844-1-n.zhandarovich@fintech.ru
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/mem_encrypt_identity.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/mm/mem_encrypt_identity.c
++++ b/arch/x86/mm/mem_encrypt_identity.c
+@@ -579,7 +579,8 @@ void __init sme_enable(struct boot_param
+ cmdline_ptr = (const char *)((u64)bp->hdr.cmd_line_ptr |
+ ((u64)bp->ext_cmd_line_ptr << 32));
+
+- cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer));
++ if (cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer)) < 0)
++ return;
+
+ if (!strncmp(buffer, cmdline_on, sizeof(buffer)))
+ sme_me_mask = me_mask;
--
2.47.3
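Review bot: The early `return` added to `sme_enable()` skips every statement after the option lookup, not only the `strncmp()` on `buffer`, so whatever the rest of the function does for the "option absent" case no longer runs. `cmdline_find_option()`, as I know it, returns a negative value both for an unusable command line and when the option is simply not present. If the comparison chain that starts at `if (!strncmp(buffer, cmdline_on, sizeof(buffer)))` ends in a default branch (it continues outside the hunk), a kernel built to enable memory encryption by default would now leave `sme_me_mask` untouched whenever the option is not given, i.e. encryption silently stays off. Clearing the buffer instead of returning avoids the uninitialized read and keeps that path: `if (cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer)) < 0)` followed by `buffer[0] = '\0';`.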