From d6cebd0e264a96ce2f27864ac3be3ad9f63fb49d Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 7 Apr 2024 08:53:29 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- .../erspan-add-type-i-version-0-support.patch | 195 ++++++++++++++++++ ...-erspan_base_hdr-is-present-in-skb-h.patch | 128 ++++++++++++ queue-4.19/fs-add-a-vfs_fchmod-helper.patch | 62 ++++++ queue-4.19/fs-add-a-vfs_fchown-helper.patch | 82 ++++++++ ...t-open-initrd.image-with-o_largefile.patch | 41 ++++ ...-out-a-helper-to-populate-the-initrd.patch | 97 +++++++++ ...-initramfs-unpacking-to-struct-file-.patch | 132 ++++++++++++ queue-4.19/series | 12 ++ ...iq-allocate-and-free-components-as-r.patch | 123 +++++++++++ ...chiq-avoid-use-of-bool-in-structures.patch | 101 +++++++++ ...iq-fix-client_component-for-64-bit-k.patch | 72 +++++++ ...vices-changen-strncpy-to-strscpy_pad.patch | 49 +++++ ...vices-fix-information-leak-in-create.patch | 39 ++++ 13 files changed, 1133 insertions(+) create mode 100644 queue-4.19/erspan-add-type-i-version-0-support.patch create mode 100644 queue-4.19/erspan-make-sure-erspan_base_hdr-is-present-in-skb-h.patch create mode 100644 queue-4.19/fs-add-a-vfs_fchmod-helper.patch create mode 100644 queue-4.19/fs-add-a-vfs_fchown-helper.patch create mode 100644 queue-4.19/init-open-initrd.image-with-o_largefile.patch create mode 100644 queue-4.19/initramfs-factor-out-a-helper-to-populate-the-initrd.patch create mode 100644 queue-4.19/initramfs-switch-initramfs-unpacking-to-struct-file-.patch create mode 100644 queue-4.19/staging-mmal-vchiq-allocate-and-free-components-as-r.patch create mode 100644 queue-4.19/staging-mmal-vchiq-avoid-use-of-bool-in-structures.patch create mode 100644 queue-4.19/staging-mmal-vchiq-fix-client_component-for-64-bit-k.patch create mode 100644 queue-4.19/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch create mode 100644 queue-4.19/staging-vc04_services-fix-information-leak-in-create.patch 
diff --git a/queue-4.19/erspan-add-type-i-version-0-support.patch b/queue-4.19/erspan-add-type-i-version-0-support.patch
new file mode 100644
index 00000000000..cfaa83054d8
--- /dev/null
+++ b/queue-4.19/erspan-add-type-i-version-0-support.patch
@@ -0,0 +1,195 @@ +From d27fc8b083bea5681597f7b4fa3fd1211c49613f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 09:05:06 -0700 +Subject: erspan: Add type I version 0 support. + +From: William Tu + +[ Upstream commit f989d546a2d5a9f001f6f8be49d98c10ab9b1897 ] + +The Type I ERSPAN frame format is based on the barebones +IP + GRE(4-byte) encapsulation on top of the raw mirrored frame. +Both type I and II use 0x88BE as protocol type. Unlike type II +and III, no sequence number or key is required. +To creat a type I erspan tunnel device: + $ ip link add dev erspan11 type erspan \ + local 172.16.1.100 remote 172.16.1.200 \ + erspan_ver 0 + +Signed-off-by: William Tu +Signed-off-by: David S. Miller +Stable-dep-of: 17af420545a7 ("erspan: make sure erspan_base_hdr is present in skb->head") +Signed-off-by: Sasha Levin +--- + include/net/erspan.h | 19 +++++++++++++-- + net/ipv4/ip_gre.c | 58 ++++++++++++++++++++++++++++++++------------ + 2 files changed, 60 insertions(+), 17 deletions(-) + +diff --git a/include/net/erspan.h b/include/net/erspan.h +index b39643ef4c95f..0d9e86bd98934 100644 +--- a/include/net/erspan.h ++++ b/include/net/erspan.h +@@ -2,7 +2,19 @@ + #define __LINUX_ERSPAN_H + + /* +- * GRE header for ERSPAN encapsulation (8 octets [34:41]) -- 8 bytes ++ * GRE header for ERSPAN type I encapsulation (4 octets [34:37]) ++ * 0 1 2 3 ++ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 ++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ++ * |0|0|0|0|0|00000|000000000|00000| Protocol Type for ERSPAN | ++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ++ * ++ * The Type I ERSPAN frame format is based on the barebones IP + GRE ++ * encapsulation (as described above) on top of the raw mirrored frame. ++ * There is no extra ERSPAN header. 
++ * ++ * ++ * GRE header for ERSPAN type II and II encapsulation (8 octets [34:41]) + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +@@ -43,7 +55,7 @@ + * | Platform Specific Info | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * +- * GRE proto ERSPAN type II = 0x88BE, type III = 0x22EB ++ * GRE proto ERSPAN type I/II = 0x88BE, type III = 0x22EB + */ + + #include +@@ -139,6 +151,9 @@ static inline u8 get_hwid(const struct erspan_md2 *md2) + + static inline int erspan_hdr_len(int version) + { ++ if (version == 0) ++ return 0; ++ + return sizeof(struct erspan_base_hdr) + + (version == 1 ? ERSPAN_V1_MDSIZE : ERSPAN_V2_MDSIZE); + } +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 38c8db78cda19..d1e90bfa84c11 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -251,6 +251,15 @@ static void gre_err(struct sk_buff *skb, u32 info) + ipgre_err(skb, info, &tpi); + } + ++static bool is_erspan_type1(int gre_hdr_len) ++{ ++ /* Both ERSPAN type I (version 0) and type II (version 1) use ++ * protocol 0x88BE, but the type I has only 4-byte GRE header, ++ * while type II has 8-byte. 
++ */ ++ return gre_hdr_len == 4; ++} ++ + static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, + int gre_hdr_len) + { +@@ -265,17 +274,26 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, + int len; + + itn = net_generic(net, erspan_net_id); +- + iph = ip_hdr(skb); +- ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len); +- ver = ershdr->ver; +- +- tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, +- tpi->flags | TUNNEL_KEY, +- iph->saddr, iph->daddr, tpi->key); ++ if (is_erspan_type1(gre_hdr_len)) { ++ ver = 0; ++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, ++ tpi->flags | TUNNEL_NO_KEY, ++ iph->saddr, iph->daddr, 0); ++ } else { ++ ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len); ++ ver = ershdr->ver; ++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, ++ tpi->flags | TUNNEL_KEY, ++ iph->saddr, iph->daddr, tpi->key); ++ } + + if (tunnel) { +- len = gre_hdr_len + erspan_hdr_len(ver); ++ if (is_erspan_type1(gre_hdr_len)) ++ len = gre_hdr_len; ++ else ++ len = gre_hdr_len + erspan_hdr_len(ver); ++ + if (unlikely(!pskb_may_pull(skb, len))) + return PACKET_REJECT; + +@@ -746,7 +764,10 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb, + } + + /* Push ERSPAN header */ +- if (tunnel->erspan_ver == 1) { ++ if (tunnel->erspan_ver == 0) { ++ proto = htons(ETH_P_ERSPAN); ++ tunnel->parms.o_flags &= ~TUNNEL_SEQ; ++ } else if (tunnel->erspan_ver == 1) { + erspan_build_header(skb, ntohl(tunnel->parms.o_key), + tunnel->index, + truncate, true); +@@ -1156,7 +1177,10 @@ static int erspan_validate(struct nlattr *tb[], struct nlattr *data[], + if (ret) + return ret; + +- /* ERSPAN should only have GRE sequence and key flag */ ++ if (nla_get_u8(data[IFLA_GRE_ERSPAN_VER]) == 0) ++ return 0; ++ ++ /* ERSPAN type II/III should only have GRE sequence and key flag */ + if (data[IFLA_GRE_OFLAGS]) + flags |= nla_get_be16(data[IFLA_GRE_OFLAGS]); + if (data[IFLA_GRE_IFLAGS]) +@@ -1264,7 +1288,7 @@ static int 
erspan_netlink_parms(struct net_device *dev, + if (data[IFLA_GRE_ERSPAN_VER]) { + t->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]); + +- if (t->erspan_ver != 1 && t->erspan_ver != 2) ++ if (t->erspan_ver > 2) + return -EINVAL; + } + +@@ -1349,7 +1373,11 @@ static int erspan_tunnel_init(struct net_device *dev) + { + struct ip_tunnel *tunnel = netdev_priv(dev); + +- tunnel->tun_hlen = 8; ++ if (tunnel->erspan_ver == 0) ++ tunnel->tun_hlen = 4; /* 4-byte GRE hdr. */ ++ else ++ tunnel->tun_hlen = 8; /* 8-byte GRE hdr. */ ++ + tunnel->parms.iph.protocol = IPPROTO_GRE; + tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen + + erspan_hdr_len(tunnel->erspan_ver); +@@ -1552,8 +1580,8 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev) + struct ip_tunnel_parm *p = &t->parms; + __be16 o_flags = p->o_flags; + +- if (t->erspan_ver == 1 || t->erspan_ver == 2) { +- if (!t->collect_md) ++ if (t->erspan_ver <= 2) { ++ if (t->erspan_ver != 0 && !t->collect_md) + o_flags |= TUNNEL_KEY; + + if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver)) +@@ -1562,7 +1590,7 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev) + if (t->erspan_ver == 1) { + if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index)) + goto nla_put_failure; +- } else { ++ } else if (t->erspan_ver == 2) { + if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir)) + goto nla_put_failure; + if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid)) +-- +2.43.0 + diff --git a/queue-4.19/erspan-make-sure-erspan_base_hdr-is-present-in-skb-h.patch b/queue-4.19/erspan-make-sure-erspan_base_hdr-is-present-in-skb-h.patch new file mode 100644 index 00000000000..1611df0d40a --- /dev/null +++ b/queue-4.19/erspan-make-sure-erspan_base_hdr-is-present-in-skb-h.patch 
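Review bot: The early return added to erspan_validate() calls `nla_get_u8(data[IFLA_GRE_ERSPAN_VER])` without first checking that the attribute was supplied. The following lines of the same hunk guard `data[IFLA_GRE_OFLAGS]` and `data[IFLA_GRE_IFLAGS]` before reading them, and erspan_netlink_parms() tests `if (data[IFLA_GRE_ERSPAN_VER])` before its own read. Unless code above the hunk already rejects a request that lacks the attribute, a netlink request omitting it would make this a NULL dereference in the kernel. The condition should be `if (data[IFLA_GRE_ERSPAN_VER] && nla_get_u8(data[IFLA_GRE_ERSPAN_VER]) == 0)`. erspan_validate() starts and ends outside the hunk, so the earlier checks could not be confirmed from here.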
@@ -0,0 +1,128 @@ +From ecbbe568db0e5423ef753df5424796b756167145 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 11:22:48 +0000 +Subject: erspan: make sure erspan_base_hdr is present in skb->head + +From: Eric Dumazet + +[ Upstream commit 17af420545a750f763025149fa7b833a4fc8b8f0 ] + +syzbot reported a problem in ip6erspan_rcv() [1] + +Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make +sure erspan_base_hdr is present in skb linear part (skb->head) +before getting @ver field from it. + +Add the missing pskb_may_pull() calls. + +v2: Reload iph pointer in erspan_rcv() after pskb_may_pull() + because skb->head might have changed. + +[1] + + BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline] + BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline] + BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline] + BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610 + pskb_may_pull_reason include/linux/skbuff.h:2742 [inline] + pskb_may_pull include/linux/skbuff.h:2756 [inline] + ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline] + gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610 + ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438 + ip6_input_finish net/ipv6/ip6_input.c:483 [inline] + NF_HOOK include/linux/netfilter.h:314 [inline] + ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 + ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 + dst_input include/net/dst.h:460 [inline] + ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79 + NF_HOOK include/linux/netfilter.h:314 [inline] + ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310 + __netif_receive_skb_one_core net/core/dev.c:5538 [inline] + __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652 + netif_receive_skb_internal net/core/dev.c:5738 [inline] + netif_receive_skb+0x58/0x660 net/core/dev.c:5798 + tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549 + tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002 + 
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 + call_write_iter include/linux/fs.h:2108 [inline] + new_sync_write fs/read_write.c:497 [inline] + vfs_write+0xb63/0x1520 fs/read_write.c:590 + ksys_write+0x20f/0x4c0 fs/read_write.c:643 + __do_sys_write fs/read_write.c:655 [inline] + __se_sys_write fs/read_write.c:652 [inline] + __x64_sys_write+0x93/0xe0 fs/read_write.c:652 + do_syscall_64+0xd5/0x1f0 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:3804 [inline] + slab_alloc_node mm/slub.c:3845 [inline] + kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 + __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 + alloc_skb include/linux/skbuff.h:1318 [inline] + alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 + sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 + tun_alloc_skb drivers/net/tun.c:1525 [inline] + tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846 + tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 + call_write_iter include/linux/fs.h:2108 [inline] + new_sync_write fs/read_write.c:497 [inline] + vfs_write+0xb63/0x1520 fs/read_write.c:590 + ksys_write+0x20f/0x4c0 fs/read_write.c:643 + __do_sys_write fs/read_write.c:655 [inline] + __se_sys_write fs/read_write.c:652 [inline] + __x64_sys_write+0x93/0xe0 fs/read_write.c:652 + do_syscall_64+0xd5/0x1f0 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 + +CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0 + +Fixes: cb73ee40b1b3 ("net: ip_gre: use erspan key field for tunnel lookup") +Reported-by: syzbot+1c1cf138518bf0c53d68@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/000000000000772f2c0614b66ef7@google.com/ +Signed-off-by: Eric Dumazet +Cc: Lorenzo Bianconi +Link: https://lore.kernel.org/r/20240328112248.1101491-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 5 +++++ + 
net/ipv6/ip6_gre.c | 3 +++ + 2 files changed, 8 insertions(+) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index d1e90bfa84c11..6d4b6815aa347 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -281,8 +281,13 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, + tpi->flags | TUNNEL_NO_KEY, + iph->saddr, iph->daddr, 0); + } else { ++ if (unlikely(!pskb_may_pull(skb, ++ gre_hdr_len + sizeof(*ershdr)))) ++ return PACKET_REJECT; ++ + ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len); + ver = ershdr->ver; ++ iph = ip_hdr(skb); + tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, + tpi->flags | TUNNEL_KEY, + iph->saddr, iph->daddr, tpi->key); +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index aa8ada354a399..58e1fc8e41241 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -551,6 +551,9 @@ static int ip6erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, + struct ip6_tnl *tunnel; + u8 ver; + ++ if (unlikely(!pskb_may_pull(skb, sizeof(*ershdr)))) ++ return PACKET_REJECT; ++ + ipv6h = ipv6_hdr(skb); + ershdr = (struct erspan_base_hdr *)skb->data; + ver = ershdr->ver; +-- +2.43.0 + diff --git a/queue-4.19/fs-add-a-vfs_fchmod-helper.patch b/queue-4.19/fs-add-a-vfs_fchmod-helper.patch new file mode 100644 index 00000000000..425d499fa0f --- /dev/null +++ b/queue-4.19/fs-add-a-vfs_fchmod-helper.patch 
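Review bot: The `iph = ip_hdr(skb);` reload added to the non-type-I branch of erspan_rcv() carries no comment, so it reads like a redundant reassignment of the pointer already set before the `if` and is easy to remove in a later cleanup. The reason is recorded only in the commit message (skb->head may change across pskb_may_pull()), and removing the line would leave the tunnel lookup reading saddr/daddr through a stale pointer. I would put `/* pskb_may_pull() may reallocate skb->head; iph must be re-read */` directly above the reload. erspan_rcv() continues outside the hunk.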
@@ -0,0 +1,62 @@ +From 9c00e35277e95503317be9db68a1c81d4972579b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 08:55:05 +0200 +Subject: fs: add a vfs_fchmod helper + +From: Christoph Hellwig + +[ Upstream commit 9e96c8c0e94eea2f69a9705f5d0f51928ea26c17 ] + +Add a helper for struct file based chmode operations. To be used by +the initramfs code soon. + +Signed-off-by: Christoph Hellwig +Acked-by: Linus Torvalds +Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE") +Signed-off-by: Sasha Levin +--- + fs/open.c | 9 +++++++-- + include/linux/fs.h | 1 + + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/open.c b/fs/open.c +index e072e86003f56..fc634ab5af0d6 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -569,14 +569,19 @@ static int chmod_common(const struct path *path, umode_t mode) + return error; + } + ++int vfs_fchmod(struct file *file, umode_t mode) ++{ ++ audit_file(file); ++ return chmod_common(&file->f_path, mode); ++} ++ + int ksys_fchmod(unsigned int fd, umode_t mode) + { + struct fd f = fdget(fd); + int err = -EBADF; + + if (f.file) { +- audit_file(f.file); +- err = chmod_common(&f.file->f_path, mode); ++ err = vfs_fchmod(f.file, mode); + fdput(f); + } + return err; +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 7d93d22ad1062..95e35e0740117 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1661,6 +1661,7 @@ int vfs_mkobj(struct dentry *, umode_t, + void *); + + int vfs_fchown(struct file *file, uid_t user, gid_t group); ++int vfs_fchmod(struct file *file, umode_t mode); + + extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg); + +-- +2.43.0 + diff --git a/queue-4.19/fs-add-a-vfs_fchown-helper.patch b/queue-4.19/fs-add-a-vfs_fchown-helper.patch new file mode 100644 index 00000000000..6285f96968f --- /dev/null +++ b/queue-4.19/fs-add-a-vfs_fchown-helper.patch 
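Review bot: vfs_fchmod() is declared in include/linux/fs.h for use outside fs/open.c but has no comment stating its contract, and the same holds for vfs_fchown() in the fs-add-a-vfs_fchown-helper patch. The two helpers differ visibly: vfs_fchown() takes and drops mount write access itself, while vfs_fchmod() only calls audit_file() and hands off to chmod_common(), whose body is outside the hunk. A short kernel-doc block on each should say that the caller holds the reference to `file`, that the result is 0 or a negative errno and should be checked, and where write access to the mount is taken. For vfs_fchmod() that could be as short as `/* vfs_fchmod - change the mode of an open file; caller holds the file reference and must check the return value */`.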
@@ -0,0 +1,82 @@ +From 78f9b1f1aadf861c3aa7ae9649597a07f21808a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 08:47:43 +0200 +Subject: fs: add a vfs_fchown helper + +From: Christoph Hellwig + +[ Upstream commit c04011fe8cbd80af1be6e12b53193bf3846750d7 ] + +Add a helper for struct file based chown operations. To be used by +the initramfs code soon. + +Signed-off-by: Christoph Hellwig +Acked-by: Linus Torvalds +Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE") +Signed-off-by: Sasha Levin +--- + fs/open.c | 29 +++++++++++++++++------------ + include/linux/fs.h | 2 ++ + 2 files changed, 19 insertions(+), 12 deletions(-) + +diff --git a/fs/open.c b/fs/open.c +index 76996f920ebf5..e072e86003f56 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -707,23 +707,28 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group + AT_SYMLINK_NOFOLLOW); + } + ++int vfs_fchown(struct file *file, uid_t user, gid_t group) ++{ ++ int error; ++ ++ error = mnt_want_write_file(file); ++ if (error) ++ return error; ++ audit_file(file); ++ error = chown_common(&file->f_path, user, group); ++ mnt_drop_write_file(file); ++ return error; ++} ++ + int ksys_fchown(unsigned int fd, uid_t user, gid_t group) + { + struct fd f = fdget(fd); + int error = -EBADF; + +- if (!f.file) +- goto out; +- +- error = mnt_want_write_file(f.file); +- if (error) +- goto out_fput; +- audit_file(f.file); +- error = chown_common(&f.file->f_path, user, group); +- mnt_drop_write_file(f.file); +-out_fput: +- fdput(f); +-out: ++ if (f.file) { ++ error = vfs_fchown(f.file, user, group); ++ fdput(f); ++ } + return error; + } + +diff --git a/include/linux/fs.h b/include/linux/fs.h +index e2c87c056742c..7d93d22ad1062 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1660,6 +1660,8 @@ int vfs_mkobj(struct dentry *, umode_t, + int (*f)(struct dentry *, umode_t, void *), + void *); + ++int vfs_fchown(struct file *file, uid_t user, gid_t group); ++ + 
extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg); + + /* +-- +2.43.0 + diff --git a/queue-4.19/init-open-initrd.image-with-o_largefile.patch b/queue-4.19/init-open-initrd.image-with-o_largefile.patch new file mode 100644 index 00000000000..ceed07722ec --- /dev/null +++ b/queue-4.19/init-open-initrd.image-with-o_largefile.patch @@ -0,0 +1,41 @@ +From 3852fbc7a54318a93c90bdeb6cb1fc5258d9f494 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Mar 2024 15:15:22 -0700 +Subject: init: open /initrd.image with O_LARGEFILE + +From: John Sperbeck + +[ Upstream commit 4624b346cf67400ef46a31771011fb798dd2f999 ] + +If initrd data is larger than 2Gb, we'll eventually fail to write to the +/initrd.image file when we hit that limit, unless O_LARGEFILE is set. + +Link: https://lkml.kernel.org/r/20240317221522.896040-1-jsperbeck@google.com +Signed-off-by: John Sperbeck +Cc: Jens Axboe +Cc: Nick Desaulniers +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + init/initramfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/init/initramfs.c b/init/initramfs.c +index e378d15a949e0..6b49c5ae78c7a 100644 +--- a/init/initramfs.c ++++ b/init/initramfs.c +@@ -613,7 +613,7 @@ static void populate_initrd_image(char *err) + + printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n", + err); +- file = filp_open("/initrd.image", O_WRONLY | O_CREAT, 0700); ++ file = filp_open("/initrd.image", O_WRONLY|O_CREAT|O_LARGEFILE, 0700); + if (IS_ERR(file)) + return; + +-- +2.43.0 + diff --git a/queue-4.19/initramfs-factor-out-a-helper-to-populate-the-initrd.patch b/queue-4.19/initramfs-factor-out-a-helper-to-populate-the-initrd.patch new file mode 100644 index 00000000000..63bb0b470c2 --- /dev/null +++ b/queue-4.19/initramfs-factor-out-a-helper-to-populate-the-initrd.patch 
@@ -0,0 +1,97 @@ +From 031683b96a8a9a03196f5c36c547b37f208991ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2019 17:18:24 -0700 +Subject: initramfs: factor out a helper to populate the initrd image + +From: Christoph Hellwig + +[ Upstream commit 7c184ecd262fe64fe8cf4e099e0f7cefe88d88b2 ] + +This will allow for cleaner code sharing in the caller. + +Link: http://lkml.kernel.org/r/20190213174621.29297-5-hch@lst.de +Signed-off-by: Christoph Hellwig +Acked-by: Mike Rapoport +Cc: Catalin Marinas [arm64] +Cc: Geert Uytterhoeven [m68k] +Cc: Steven Price +Cc: Alexander Viro +Cc: Guan Xuetao +Cc: Russell King +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE") +Signed-off-by: Sasha Levin +--- + init/initramfs.c | 40 +++++++++++++++++++++++----------------- + 1 file changed, 23 insertions(+), 17 deletions(-) + +diff --git a/init/initramfs.c b/init/initramfs.c +index dab8d63459f63..7103edf44436c 100644 +--- a/init/initramfs.c ++++ b/init/initramfs.c +@@ -599,6 +599,28 @@ static void __init clean_rootfs(void) + } + #endif + ++#ifdef CONFIG_BLK_DEV_RAM ++static void populate_initrd_image(char *err) ++{ ++ ssize_t written; ++ int fd; ++ ++ unpack_to_rootfs(__initramfs_start, __initramfs_size); ++ ++ printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n", ++ err); ++ fd = ksys_open("/initrd.image", O_WRONLY | O_CREAT, 0700); ++ if (fd < 0) ++ return; ++ ++ written = xwrite(fd, (char *)initrd_start, initrd_end - initrd_start); ++ if (written != initrd_end - initrd_start) ++ pr_err("/initrd.image: incomplete write (%zd != %ld)\n", ++ written, initrd_end - initrd_start); ++ ksys_close(fd); ++} ++#endif /* CONFIG_BLK_DEV_RAM */ ++ + static int __init populate_rootfs(void) + { + /* Load the built in initramfs */ +@@ -608,7 +630,6 @@ static int __init populate_rootfs(void) + /* If available load the bootloader supplied initrd */ + if 
(initrd_start && !IS_ENABLED(CONFIG_INITRAMFS_FORCE)) { + #ifdef CONFIG_BLK_DEV_RAM +- int fd; + printk(KERN_INFO "Trying to unpack rootfs image as initramfs...\n"); + err = unpack_to_rootfs((char *)initrd_start, + initrd_end - initrd_start); +@@ -616,22 +637,7 @@ static int __init populate_rootfs(void) + goto done; + + clean_rootfs(); +- unpack_to_rootfs(__initramfs_start, __initramfs_size); +- +- printk(KERN_INFO "rootfs image is not initramfs (%s)" +- "; looks like an initrd\n", err); +- fd = ksys_open("/initrd.image", +- O_WRONLY|O_CREAT, 0700); +- if (fd >= 0) { +- ssize_t written = xwrite(fd, (char *)initrd_start, +- initrd_end - initrd_start); +- +- if (written != initrd_end - initrd_start) +- pr_err("/initrd.image: incomplete write (%zd != %ld)\n", +- written, initrd_end - initrd_start); +- +- ksys_close(fd); +- } ++ populate_initrd_image(err); + done: + /* empty statement */; + #else +-- +2.43.0 + diff --git a/queue-4.19/initramfs-switch-initramfs-unpacking-to-struct-file-.patch b/queue-4.19/initramfs-switch-initramfs-unpacking-to-struct-file-.patch new file mode 100644 index 00000000000..0d5bc6f5088 --- /dev/null +++ b/queue-4.19/initramfs-switch-initramfs-unpacking-to-struct-file-.patch 
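Review bot: populate_initrd_image() is defined as `static void populate_initrd_image(char *err)` with no `__init`, although its only caller shown here, populate_rootfs(), is `__init` and it calls xwrite(), which the initramfs-switch patch on this page shows as `static ssize_t __init xwrite(...)`. A non-init function that references init text normally produces a section-mismatch warning, and if the compiler does not inline it the function stays in regular text while its callees are discarded after boot. The definition should read `static void __init populate_initrd_image(char *err)`. The later patches in this queue that touch the function keep the same signature in their context lines, so the annotation is not added elsewhere in this commit.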
@@ -0,0 +1,132 @@ +From 10399e913a093fc2eea606cc82a773411b4e0097 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 08:56:19 +0200 +Subject: initramfs: switch initramfs unpacking to struct file based APIs + +From: Christoph Hellwig + +[ Upstream commit bf6419e4d5440c6d414a320506c5488857a5b001 ] + +There is no good reason to mess with file descriptors from in-kernel +code, switch the initramfs unpacking to struct file based write +instead. + +Signed-off-by: Christoph Hellwig +Acked-by: Linus Torvalds +Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE") +Signed-off-by: Sasha Levin +--- + init/initramfs.c | 47 ++++++++++++++++++++++++++--------------------- + 1 file changed, 26 insertions(+), 21 deletions(-) + +diff --git a/init/initramfs.c b/init/initramfs.c +index 7103edf44436c..e378d15a949e0 100644 +--- a/init/initramfs.c ++++ b/init/initramfs.c +@@ -11,13 +11,14 @@ + #include + #include + +-static ssize_t __init xwrite(int fd, const char *p, size_t count) ++static ssize_t __init xwrite(struct file *file, const char *p, size_t count, ++ loff_t *pos) + { + ssize_t out = 0; + + /* sys_write only can write MAX_RW_COUNT aka 2G-4K bytes at most */ + while (count) { +- ssize_t rv = ksys_write(fd, p, count); ++ ssize_t rv = kernel_write(file, p, count, pos); + + if (rv < 0) { + if (rv == -EINTR || rv == -EAGAIN) +@@ -315,7 +316,8 @@ static int __init maybe_link(void) + return 0; + } + +-static __initdata int wfd; ++static __initdata struct file *wfile; ++static __initdata loff_t wfile_pos; + + static int __init do_name(void) + { +@@ -332,16 +334,17 @@ static int __init do_name(void) + int openflags = O_WRONLY|O_CREAT; + if (ml != 1) + openflags |= O_TRUNC; +- wfd = ksys_open(collected, openflags, mode); +- +- if (wfd >= 0) { +- ksys_fchown(wfd, uid, gid); +- ksys_fchmod(wfd, mode); +- if (body_len) +- ksys_ftruncate(wfd, body_len); +- vcollected = kstrdup(collected, GFP_KERNEL); +- state = CopyFile; +- } ++ wfile = 
filp_open(collected, openflags, mode); ++ if (IS_ERR(wfile)) ++ return 0; ++ wfile_pos = 0; ++ ++ vfs_fchown(wfile, uid, gid); ++ vfs_fchmod(wfile, mode); ++ if (body_len) ++ vfs_truncate(&wfile->f_path, body_len); ++ vcollected = kstrdup(collected, GFP_KERNEL); ++ state = CopyFile; + } + } else if (S_ISDIR(mode)) { + ksys_mkdir(collected, mode); +@@ -363,16 +366,16 @@ static int __init do_name(void) + static int __init do_copy(void) + { + if (byte_count >= body_len) { +- if (xwrite(wfd, victim, body_len) != body_len) ++ if (xwrite(wfile, victim, body_len, &wfile_pos) != body_len) + error("write error"); +- ksys_close(wfd); ++ fput(wfile); + do_utime(vcollected, mtime); + kfree(vcollected); + eat(body_len); + state = SkipIt; + return 0; + } else { +- if (xwrite(wfd, victim, byte_count) != byte_count) ++ if (xwrite(wfile, victim, byte_count, &wfile_pos) != byte_count) + error("write error"); + body_len -= byte_count; + eat(byte_count); +@@ -603,21 +606,23 @@ static void __init clean_rootfs(void) + static void populate_initrd_image(char *err) + { + ssize_t written; +- int fd; ++ struct file *file; ++ loff_t pos = 0; + + unpack_to_rootfs(__initramfs_start, __initramfs_size); + + printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n", + err); +- fd = ksys_open("/initrd.image", O_WRONLY | O_CREAT, 0700); +- if (fd < 0) ++ file = filp_open("/initrd.image", O_WRONLY | O_CREAT, 0700); ++ if (IS_ERR(file)) + return; + +- written = xwrite(fd, (char *)initrd_start, initrd_end - initrd_start); ++ written = xwrite(file, (char *)initrd_start, initrd_end - initrd_start, ++ &pos); + if (written != initrd_end - initrd_start) + pr_err("/initrd.image: incomplete write (%zd != %ld)\n", + written, initrd_end - initrd_start); +- ksys_close(fd); ++ fput(file); + } + #endif /* CONFIG_BLK_DEV_RAM */ + +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 10d993ab504..cd5ab87529a 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
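Review bot: Replacing `ksys_close(wfd)` with `fput(wfile)` in do_copy(), and `ksys_close(fd)` with `fput(file)` in populate_initrd_image(), may change when the file is actually released. As far as I know, fput() called from a kernel thread queues the final release instead of running it before returning, which is not what the close it replaces did. If unpacking runs in such a context in this tree, files written here could still be open for writing when the first user-space program is executed. None of the hunks in this patch adds a flush, so please confirm whether a `flush_delayed_fput();` at the end of populate_rootfs() is needed in 4.19. populate_rootfs() itself is outside these hunks.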
@@ -130,3 +130,15 @@ net-stmmac-fix-rx-queue-priority-assignment.patch selftests-reuseaddr_conflict-add-missing-new-line-at-the-end-of-the-output.patch ipv6-fix-infinite-recursion-in-fib6_dump_done.patch i40e-fix-vf-may-be-used-uninitialized-in-this-function-warning.patch +staging-mmal-vchiq-avoid-use-of-bool-in-structures.patch +staging-mmal-vchiq-allocate-and-free-components-as-r.patch +staging-mmal-vchiq-fix-client_component-for-64-bit-k.patch +staging-vc04_services-changen-strncpy-to-strscpy_pad.patch +staging-vc04_services-fix-information-leak-in-create.patch +initramfs-factor-out-a-helper-to-populate-the-initrd.patch +fs-add-a-vfs_fchown-helper.patch +fs-add-a-vfs_fchmod-helper.patch +initramfs-switch-initramfs-unpacking-to-struct-file-.patch +init-open-initrd.image-with-o_largefile.patch +erspan-add-type-i-version-0-support.patch +erspan-make-sure-erspan_base_hdr-is-present-in-skb-h.patch diff --git a/queue-4.19/staging-mmal-vchiq-allocate-and-free-components-as-r.patch b/queue-4.19/staging-mmal-vchiq-allocate-and-free-components-as-r.patch new file mode 100644 index 00000000000..94968ac7c09 --- /dev/null +++ b/queue-4.19/staging-mmal-vchiq-allocate-and-free-components-as-r.patch 
@@ -0,0 +1,123 @@ +From b9bc79e2d7b420355f8d47179ad0cbc7bf73f170 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 18:41:48 +0200 +Subject: staging: mmal-vchiq: Allocate and free components as required + +From: Dave Stevenson + +[ Upstream commit 8c589e1794a31e9a381916b0280260ab601e4d6e ] + +The existing code assumed that there would only ever be 4 components, +and never freed the entries once used. +Allow arbitrary creation and destruction of components. + +Signed-off-by: Dave Stevenson +Signed-off-by: Jacopo Mondi +Signed-off-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/20200623164235.29566-3-nsaenzjulienne@suse.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()") +Signed-off-by: Sasha Levin +--- + .../vc04_services/bcm2835-camera/mmal-vchiq.c | 29 ++++++++++++------- + .../vc04_services/bcm2835-camera/mmal-vchiq.h | 1 + + 2 files changed, 20 insertions(+), 10 deletions(-) + +diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +index 00c943516ba38..4f128c75c0f6c 100644 +--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c ++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +@@ -31,8 +31,11 @@ + #define USE_VCHIQ_ARM + #include "interface/vchi/vchi.h" + +-/* maximum number of components supported */ +-#define VCHIQ_MMAL_MAX_COMPONENTS 4 ++/* ++ * maximum number of components supported. 
++ * This matches the maximum permitted by default on the VPU ++ */ ++#define VCHIQ_MMAL_MAX_COMPONENTS 64 + + /*#define FULL_MSG_DUMP 1*/ + +@@ -165,8 +168,6 @@ struct vchiq_mmal_instance { + /* protect accesses to context_map */ + struct mutex context_map_lock; + +- /* component to use next */ +- int component_idx; + struct vchiq_mmal_component component[VCHIQ_MMAL_MAX_COMPONENTS]; + }; + +@@ -1607,18 +1608,24 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance, + { + int ret; + int idx; /* port index */ +- struct vchiq_mmal_component *component; ++ struct vchiq_mmal_component *component = NULL; + + if (mutex_lock_interruptible(&instance->vchiq_mutex)) + return -EINTR; + +- if (instance->component_idx == VCHIQ_MMAL_MAX_COMPONENTS) { ++ for (idx = 0; idx < VCHIQ_MMAL_MAX_COMPONENTS; idx++) { ++ if (!instance->component[idx].in_use) { ++ component = &instance->component[idx]; ++ component->in_use = 1; ++ break; ++ } ++ } ++ ++ if (!component) { + ret = -EINVAL; /* todo is this correct error? 
*/ + goto unlock; + } + +- component = &instance->component[instance->component_idx]; +- + ret = create_component(instance, component, name); + if (ret < 0) + goto unlock; +@@ -1666,8 +1673,6 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance, + goto release_component; + } + +- instance->component_idx++; +- + *component_out = component; + + mutex_unlock(&instance->vchiq_mutex); +@@ -1677,6 +1682,8 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance, + release_component: + destroy_component(instance, component); + unlock: ++ if (component) ++ component->in_use = 0; + mutex_unlock(&instance->vchiq_mutex); + + return ret; +@@ -1698,6 +1705,8 @@ int vchiq_mmal_component_finalise(struct vchiq_mmal_instance *instance, + + ret = destroy_component(instance, component); + ++ component->in_use = 0; ++ + mutex_unlock(&instance->vchiq_mutex); + + return ret; +diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h +index b3c231e619c90..ee5eb6d4d080d 100644 +--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h ++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h +@@ -81,6 +81,7 @@ struct vchiq_mmal_port { + }; + + struct vchiq_mmal_component { ++ u32 in_use:1; + u32 enabled:1; + u32 handle; /* VideoCore handle for component */ + u32 inputs; /* Number of input ports */ +-- +2.43.0 + diff --git a/queue-4.19/staging-mmal-vchiq-avoid-use-of-bool-in-structures.patch b/queue-4.19/staging-mmal-vchiq-avoid-use-of-bool-in-structures.patch new file mode 100644 index 00000000000..726b8ddbb60 --- /dev/null +++ b/queue-4.19/staging-mmal-vchiq-avoid-use-of-bool-in-structures.patch 
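Review bot: vchiq_mmal_component_finalise() now clears `component->in_use` unconditionally after `ret = destroy_component(instance, component);`, including when that call returned an error. The slot then becomes available to the search loop in vchiq_mmal_component_init() while the VideoCore side may still hold the old handle, and the next create_component() on that slot would overwrite the only record of it; this is inferred, since destroy_component() is outside the hunk. If reuse after a failed destroy is intended, a comment saying so would help; otherwise make the release conditional with `if (ret == 0) component->in_use = 0;`. The function body starts outside the hunk.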
@@ -0,0 +1,101 @@
+From 41deae65b380841b597ddfbb30e1ea2edbe4075d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Jun 2019 21:31:39 +0200
+Subject: staging: mmal-vchiq: Avoid use of bool in structures
+
+From: Dave Stevenson
+
+[ Upstream commit 640e77466e69d9c28de227bc76881f5501f532ca ]
+
+Fixes up a checkpatch error "Avoid using bool structure members
+because of possible alignment issues".
+
+Signed-off-by: Dave Stevenson
+Signed-off-by: Stefan Wahren
+Acked-by: Hans Verkuil
+Acked-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
+Signed-off-by: Sasha Levin
+---
+ .../vc04_services/bcm2835-camera/mmal-vchiq.c | 12 ++++++------
+ .../vc04_services/bcm2835-camera/mmal-vchiq.h | 4 ++--
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index daa2b96565529..00c943516ba38 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -845,9 +845,9 @@ static int port_info_get(struct vchiq_mmal_instance *instance,
+ goto release_msg;
+
+ if (rmsg->u.port_info_get_reply.port.is_enabled == 0)
+- port->enabled = false;
++ port->enabled = 0;
+ else
+- port->enabled = true;
++ port->enabled = 1;
+
+ /* copy the values out of the message */
+ port->handle = rmsg->u.port_info_get_reply.port_handle;
+@@ -1283,7 +1283,7 @@ static int port_disable(struct vchiq_mmal_instance *instance,
+ if (!port->enabled)
+ return 0;
+
+- port->enabled = false;
++ port->enabled = 0;
+
+ ret = port_action_port(instance, port,
+ MMAL_MSG_PORT_ACTION_TYPE_DISABLE);
+@@ -1335,7 +1335,7 @@ static int port_enable(struct vchiq_mmal_instance *instance,
+ if (ret)
+ goto done;
+
+- port->enabled = true;
++ port->enabled = 1;
+
+ if (port->buffer_cb) {
+ /* send buffer headers to videocore */
+@@ -1502,7 +1502,7 @@ int vchiq_mmal_port_connect_tunnel(struct vchiq_mmal_instance *instance,
+ pr_err("failed disconnecting src port\n");
+ goto release_unlock;
+ }
+- src->connected->enabled = false;
++ src->connected->enabled = 0;
+ src->connected = NULL;
+ }
+
+@@ -1746,7 +1746,7 @@ int vchiq_mmal_component_disable(struct vchiq_mmal_instance *instance,
+
+ ret = disable_component(instance, component);
+ if (ret == 0)
+- component->enabled = false;
++ component->enabled = 0;
+
+ mutex_unlock(&instance->vchiq_mutex);
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+index b0ee1716525b4..b3c231e619c90 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+@@ -47,7 +47,7 @@ typedef void (*vchiq_mmal_buffer_cb)(
+ unsigned long length, u32 mmal_flags, s64 dts, s64 pts);
+
+ struct vchiq_mmal_port {
+- bool enabled;
++ u32 enabled:1;
+ u32 handle;
+ u32 type; /* port type, cached to use on port info set */
+ u32 index; /* port index, cached to use on port info set */
+@@ -81,7 +81,7 @@ struct vchiq_mmal_port {
+ };
+
+ struct vchiq_mmal_component {
+- bool enabled;
++ u32 enabled:1;
+ u32 handle; /* VideoCore handle for component */
+ u32 inputs; /* Number of input ports */
+ u32 outputs; /* Number of output ports */
+--
+2.43.0
+
diff --git a/queue-4.19/staging-mmal-vchiq-fix-client_component-for-64-bit-k.patch b/queue-4.19/staging-mmal-vchiq-fix-client_component-for-64-bit-k.patch
new file mode 100644
index 00000000000..65de2a6396e
--- /dev/null
+++ b/queue-4.19/staging-mmal-vchiq-fix-client_component-for-64-bit-k.patch
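Review bot: `enabled` becomes a one-bit bit-field in both `struct vchiq_mmal_port` and `struct vchiq_mmal_component`, and a bit-field store is a read-modify-write of the containing word, which the header does not say. The `component->enabled = 0` store in vchiq_mmal_component_disable() sits before `mutex_unlock(&instance->vchiq_mutex)`, but the locking around the `port->enabled` stores in port_info_get(), port_disable() and port_enable() is outside these hunks. If the mutex is the intended rule, I would document it on the field, e.g. `/* bit-field: modify only with vchiq_mutex held */`, so a flag placed next to it later is not written from another context.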
@@ -0,0 +1,72 @@
+From 260c3004eabc0be2c154c28b5cef159d808fa670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Jun 2020 17:09:02 +0200
+Subject: staging: mmal-vchiq: Fix client_component for 64 bit kernel
+
+From: Dave Stevenson
+
+[ Upstream commit 22e64b486adc4785542f8002c3af4c895490f841 ]
+
+The MMAL client_component field is used with the event
+mechanism to allow the client to identify the component for
+which the event is generated.
+The field is only 32bits in size, therefore we can't use a
+pointer to the component in a 64 bit kernel.
+
+Component handles are already held in an array per VCHI
+instance, so use the array index as the client_component handle
+to avoid having to create a new IDR for this purpose.
+
+Signed-off-by: Dave Stevenson
+Signed-off-by: Jacopo Mondi
+Signed-off-by: Nicolas Saenz Julienne
+Link: https://lore.kernel.org/r/20200629150945.10720-5-nsaenzjulienne@suse.de
+Signed-off-by: Greg Kroah-Hartman
+Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 8 +++++++-
+ drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index 4f128c75c0f6c..2794df22224ad 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -920,7 +920,7 @@ static int create_component(struct vchiq_mmal_instance *instance,
+
+ /* build component create message */
+ m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE;
+- m.u.component_create.client_component = (u32)(unsigned long)component;
++ m.u.component_create.client_component = component->client_component;
+ strncpy(m.u.component_create.name, name,
+ sizeof(m.u.component_create.name));
+
+@@ -1626,6 +1626,12 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
+ goto unlock;
+ }
+
++ /* We need a handle to reference back to our component structure.
++ * Use the array index in instance->component rather than rolling
++ * another IDR.
++ */
++ component->client_component = idx;
++
+ ret = create_component(instance, component, name);
+ if (ret < 0)
+ goto unlock;
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+index ee5eb6d4d080d..d20d5182577d6 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+@@ -91,6 +91,7 @@ struct vchiq_mmal_component {
+ struct vchiq_mmal_port input[MAX_PORT_COUNT]; /* input ports */
+ struct vchiq_mmal_port output[MAX_PORT_COUNT]; /* output ports */
+ struct vchiq_mmal_port clock[MAX_PORT_COUNT]; /* clock ports */
++ u32 client_component; /* Used to ref back to client struct */
+ };
+
+ int vchiq_mmal_init(struct vchiq_mmal_instance **out_instance);
+--
+2.43.0
+
diff --git a/queue-4.19/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch b/queue-4.19/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch
new file mode 100644
index 00000000000..f75b9f84de5
--- /dev/null
+++ b/queue-4.19/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch
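Review bot: `component->client_component = idx;` in vchiq_mmal_component_init() makes the value handed to the VPU an index into `instance->component[]`, but neither hunk shows the receive side that would turn it back into a component. Any handler that does so should reject values `>= VCHIQ_MMAL_MAX_COMPONENTS` and slots whose `in_use` is clear before indexing the array; whether such a handler exists is not visible here. The field comment in mmal-vchiq.h could carry that contract, e.g. `/* index into instance->component[], echoed back by the VPU; validate before use */`. Both create_component() and vchiq_mmal_component_init() continue outside the hunks.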
@@ -0,0 +1,49 @@
+From 99f4650ba8420df18cc1276efcba889217e05e8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Mar 2024 17:36:56 +0100
+Subject: staging: vc04_services: changen strncpy() to strscpy_pad()
+
+From: Arnd Bergmann
+
+[ Upstream commit ef25725b7f8aaffd7756974d3246ec44fae0a5cf ]
+
+gcc-14 warns about this strncpy() that results in a non-terminated
+string for an overflow:
+
+In file included from include/linux/string.h:369,
+ from drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:20:
+In function 'strncpy',
+ inlined from 'create_component' at drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:940:2:
+include/linux/fortify-string.h:108:33: error: '__builtin_strncpy' specified bound 128 equals destination size [-Werror=stringop-truncation]
+
+Change it to strscpy_pad(), which produces a properly terminated and
+zero-padded string.
+
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Dan Carpenter
+Link: https://lore.kernel.org/r/20240313163712.224585-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index 2794df22224ad..5d1fb582fde60 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -921,8 +921,8 @@ static int create_component(struct vchiq_mmal_instance *instance,
+ /* build component create message */
+ m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE;
+ m.u.component_create.client_component = component->client_component;
+- strncpy(m.u.component_create.name, name,
+- sizeof(m.u.component_create.name));
++ strscpy_pad(m.u.component_create.name, name,
++ sizeof(m.u.component_create.name));
+
+ ret = send_synchronous_mmal_msg(instance, &m,
+ sizeof(m.u.component_create),
+--
+2.43.0
+
diff --git a/queue-4.19/staging-vc04_services-fix-information-leak-in-create.patch b/queue-4.19/staging-vc04_services-fix-information-leak-in-create.patch
new file mode 100644
index 00000000000..0d31b2ac048
--- /dev/null
+++ b/queue-4.19/staging-vc04_services-fix-information-leak-in-create.patch
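Review bot: The return value of `strscpy_pad()` in create_component() is discarded, so a `name` that does not fit in `m.u.component_create.name` is silently truncated and the shortened name is still sent. strscpy_pad() returns -E2BIG on truncation, so the call can be checked: `if (strscpy_pad(m.u.component_create.name, name, sizeof(m.u.component_create.name)) < 0) return -E2BIG;`, assuming nothing needs releasing at that point, since the start of the function is outside the hunk. It is also worth confirming that the 4.19 tree this is queued for provides strscpy_pad(), as nothing on this page shows its definition.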
@@ -0,0 +1,39 @@
+From 8e132884f2b8575e7e6fd55b1f6f4c5f42dbb2c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Mar 2024 21:07:43 +0300
+Subject: staging: vc04_services: fix information leak in create_component()
+
+From: Dan Carpenter
+
+[ Upstream commit f37e76abd614b68987abc8e5c22d986013349771 ]
+
+The m.u.component_create.pid field is for debugging and in the mainline
+kernel it's not used anything. However, it still needs to be set to
+something to prevent disclosing uninitialized stack data. Set it to
+zero.
+
+Fixes: 7b3ad5abf027 ("staging: Import the BCM2835 MMAL-based V4L2 camera driver.")
+Cc: stable
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/2d972847-9ebd-481b-b6f9-af390f5aabd3@moroto.mountain
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index 5d1fb582fde60..a6ba608fed938 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -923,6 +923,7 @@ static int create_component(struct vchiq_mmal_instance *instance,
+ m.u.component_create.client_component = component->client_component;
+ strscpy_pad(m.u.component_create.name, name,
+ sizeof(m.u.component_create.name));
++ m.u.component_create.pid = 0;
+
+ ret = send_synchronous_mmal_msg(instance, &m,
+ sizeof(m.u.component_create),
+--
+2.43.0
+
--
2.39.5
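Review bot: Setting `m.u.component_create.pid = 0` closes this one field, but the message is still initialised member by member, so any other member or padding of `m` inside the bytes passed to send_synchronous_mmal_msg() would carry stack contents the same way. Clearing the whole message before it is built, `memset(&m, 0, sizeof(m));` ahead of the field assignments, removes the class of bug rather than one instance of it. The declaration of `m` and the start of create_component() are outside the hunk, so whether other fields are already covered there cannot be confirmed from here.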