From ffbcbb4ef3d3e8dc2678c55d5ab85c2770ae99e6 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 5 Sep 2022 23:26:13 -0400 Subject: [PATCH] Fixes for 4.14 Signed-off-by: Sasha Levin --- ...-spelling-mistake-unsupport-unsuppor.patch | 38 +++++++ ...o-fan-fix-array-out-of-bounds-access.patch | 100 ++++++++++++++++++ ...-rk805-pwrkey-fix-module-autoloading.patch | 37 +++++++ queue-4.14/series | 3 + 4 files changed, 178 insertions(+) create mode 100644 queue-4.14/drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch create mode 100644 queue-4.14/hwmon-gpio-fan-fix-array-out-of-bounds-access.patch create mode 100644 queue-4.14/input-rk805-pwrkey-fix-module-autoloading.patch diff --git a/queue-4.14/drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch b/queue-4.14/drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch new file mode 100644 index 00000000000..98f790cb5e0 --- /dev/null +++ b/queue-4.14/drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch @@ -0,0 +1,38 @@ +From 29bf676d55c89c87f7a672f766b4e0d1891b58fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 13:02:47 +0800 +Subject: drm/i915/reg: Fix spelling mistake "Unsupport" -> "Unsupported" + +From: Colin Ian King + +[ Upstream commit 233f56745be446b289edac2ba8184c09365c005e ] + +There is a spelling mistake in a gvt_vgpu_err error message. Fix it. + +Fixes: 695fbc08d80f ("drm/i915/gvt: replace the gvt_err with gvt_vgpu_err") +Signed-off-by: Colin Ian King +Signed-off-by: Zhi Wang +Link: http://patchwork.freedesktop.org/patch/msgid/20220315202449.2952845-1-colin.i.king@gmail.com +Reviewed-by: Zhi Wang +Signed-off-by: Zhenyu Wang +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gvt/handlers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gvt/handlers.c b/drivers/gpu/drm/i915/gvt/handlers.c +index a5bed2e71b926..2a6c3004ff6d9 100644 +--- a/drivers/gpu/drm/i915/gvt/handlers.c ++++ b/drivers/gpu/drm/i915/gvt/handlers.c +@@ -601,7 +601,7 @@ static int update_fdi_rx_iir_status(struct intel_vgpu *vgpu, + else if (FDI_RX_IMR_TO_PIPE(offset) != INVALID_INDEX) + index = FDI_RX_IMR_TO_PIPE(offset); + else { +- gvt_vgpu_err("Unsupport registers %x\n", offset); ++ gvt_vgpu_err("Unsupported registers %x\n", offset); + return -EINVAL; + } + +-- +2.35.1 + diff --git a/queue-4.14/hwmon-gpio-fan-fix-array-out-of-bounds-access.patch b/queue-4.14/hwmon-gpio-fan-fix-array-out-of-bounds-access.patch new file mode 100644 index 00000000000..bf736f25294 --- /dev/null +++ b/queue-4.14/hwmon-gpio-fan-fix-array-out-of-bounds-access.patch @@ -0,0 +1,100 @@ +From 7733f7cb3debee67d415c080f93337875d513998 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 03:11:01 +0200 +Subject: hwmon: (gpio-fan) Fix array out of bounds access + +From: Armin Wolf + +[ Upstream commit f233d2be38dbbb22299192292983037f01ab363c ] + +The driver does not check if the cooling state passed to +gpio_fan_set_cur_state() exceeds the maximum cooling state as +stored in fan_data->num_speeds. Since the cooling state is later +used as an array index in set_fan_speed(), an array out of bounds +access can occur. +This can be exploited by setting the state of the thermal cooling device +to arbitrary values, causing for example a kernel oops when unavailable +memory is accessed this way. + +Example kernel oops: +[ 807.987276] Unable to handle kernel paging request at virtual address ffffff80d0588064 +[ 807.987369] Mem abort info: +[ 807.987398] ESR = 0x96000005 +[ 807.987428] EC = 0x25: DABT (current EL), IL = 32 bits +[ 807.987477] SET = 0, FnV = 0 +[ 807.987507] EA = 0, S1PTW = 0 +[ 807.987536] FSC = 0x05: level 1 translation fault +[ 807.987570] Data abort info: +[ 807.987763] ISV = 0, ISS = 0x00000005 +[ 807.987801] CM = 0, WnR = 0 +[ 807.987832] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000001165000 +[ 807.987872] [ffffff80d0588064] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 +[ 807.987961] Internal error: Oops: 96000005 [#1] PREEMPT SMP +[ 807.987992] Modules linked in: cmac algif_hash aes_arm64 algif_skcipher af_alg bnep hci_uart btbcm bluetooth ecdh_generic ecc 8021q garp stp llc snd_soc_hdmi_codec brcmfmac vc4 brcmutil cec drm_kms_helper snd_soc_core cfg80211 snd_compress bcm2835_codec(C) snd_pcm_dmaengine syscopyarea bcm2835_isp(C) bcm2835_v4l2(C) sysfillrect v4l2_mem2mem bcm2835_mmal_vchiq(C) raspberrypi_hwmon sysimgblt videobuf2_dma_contig videobuf2_vmalloc fb_sys_fops videobuf2_memops rfkill videobuf2_v4l2 videobuf2_common i2c_bcm2835 snd_bcm2835(C) videodev snd_pcm snd_timer snd mc vc_sm_cma(C) gpio_fan uio_pdrv_genirq uio drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 +[ 807.988508] CPU: 0 PID: 1321 Comm: bash Tainted: G C 5.15.56-v8+ #1575 +[ 807.988548] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT) +[ 807.988574] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 807.988608] pc : set_fan_speed.part.5+0x34/0x80 [gpio_fan] +[ 807.988654] lr : gpio_fan_set_cur_state+0x34/0x50 [gpio_fan] +[ 807.988691] sp : ffffffc008cf3bd0 +[ 807.988710] x29: ffffffc008cf3bd0 x28: ffffff80019edac0 x27: 0000000000000000 +[ 807.988762] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800747c920 +[ 807.988787] x23: 000000000000000a x22: ffffff800369f000 x21: 000000001999997c +[ 807.988854] x20: ffffff800369f2e8 x19: ffffff8002ae8080 x18: 0000000000000000 +[ 807.988877] x17: 0000000000000000 x16: 0000000000000000 x15: 000000559e271b70 +[ 807.988938] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 +[ 807.988960] x11: 0000000000000000 x10: ffffffc008cf3c20 x9 : ffffffcfb60c741c +[ 807.989018] x8 : 000000000000000a x7 : 00000000ffffffc9 x6 : 0000000000000009 +[ 807.989040] x5 : 000000000000002a x4 : 0000000000000000 x3 : ffffff800369f2e8 +[ 807.989062] x2 : 000000000000e780 x1 : 0000000000000001 x0 : ffffff80d0588060 +[ 807.989084] Call trace: +[ 807.989091] set_fan_speed.part.5+0x34/0x80 [gpio_fan] +[ 807.989113] gpio_fan_set_cur_state+0x34/0x50 [gpio_fan] +[ 807.989199] cur_state_store+0x84/0xd0 +[ 807.989221] dev_attr_store+0x20/0x38 +[ 807.989262] sysfs_kf_write+0x4c/0x60 +[ 807.989282] kernfs_fop_write_iter+0x130/0x1c0 +[ 807.989298] new_sync_write+0x10c/0x190 +[ 807.989315] vfs_write+0x254/0x378 +[ 807.989362] ksys_write+0x70/0xf8 +[ 807.989379] __arm64_sys_write+0x24/0x30 +[ 807.989424] invoke_syscall+0x4c/0x110 +[ 807.989442] el0_svc_common.constprop.3+0xfc/0x120 +[ 807.989458] do_el0_svc+0x2c/0x90 +[ 807.989473] el0_svc+0x24/0x60 +[ 807.989544] el0t_64_sync_handler+0x90/0xb8 +[ 807.989558] el0t_64_sync+0x1a0/0x1a4 +[ 807.989579] Code: b9403801 f9402800 7100003f 8b35cc00 (b9400416) +[ 807.989627] ---[ end trace 8ded4c918658445b ]--- + +Fix this by checking the cooling state and return an error if it +exceeds the maximum cooling state. + +Tested on a Raspberry Pi 3. + +Fixes: b5cf88e46bad ("(gpio-fan): Add thermal control hooks") +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20220830011101.178843-1-W_Armin@gmx.de +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/gpio-fan.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/hwmon/gpio-fan.c b/drivers/hwmon/gpio-fan.c +index 9c355b9d31c57..d1b47d20f2fab 100644 +--- a/drivers/hwmon/gpio-fan.c ++++ b/drivers/hwmon/gpio-fan.c +@@ -422,6 +422,9 @@ static int gpio_fan_set_cur_state(struct thermal_cooling_device *cdev, + if (!fan_data) + return -EINVAL; + ++ if (state >= fan_data->num_speed) ++ return -EINVAL; ++ + set_fan_speed(fan_data, state); + return 0; + } +-- +2.35.1 + diff --git a/queue-4.14/input-rk805-pwrkey-fix-module-autoloading.patch b/queue-4.14/input-rk805-pwrkey-fix-module-autoloading.patch new file mode 100644 index 00000000000..3365cf9f56d --- /dev/null +++ b/queue-4.14/input-rk805-pwrkey-fix-module-autoloading.patch @@ -0,0 +1,37 @@ +From 14f1786c79c1b5e829b19d2fff3a8c37684a3c0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 16:33:18 -0700 +Subject: Input: rk805-pwrkey - fix module autoloading + +From: Peter Robinson + +[ Upstream commit 99077ad668ddd9b4823cc8ce3f3c7a3fc56f6fd9 ] + +Add the module alias so the rk805-pwrkey driver will +autoload when built as a module. + +Fixes: 5a35b85c2d92 ("Input: add power key driver for Rockchip RK805 PMIC") +Signed-off-by: Peter Robinson +Reviewed-by: Javier Martinez Canillas +Link: https://lore.kernel.org/r/20220612225437.3628788-1-pbrobinson@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/rk805-pwrkey.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/misc/rk805-pwrkey.c b/drivers/input/misc/rk805-pwrkey.c +index 921003963a53c..cdcad5c01e3c0 100644 +--- a/drivers/input/misc/rk805-pwrkey.c ++++ b/drivers/input/misc/rk805-pwrkey.c +@@ -106,6 +106,7 @@ static struct platform_driver rk805_pwrkey_driver = { + }; + module_platform_driver(rk805_pwrkey_driver); + ++MODULE_ALIAS("platform:rk805-pwrkey"); + MODULE_AUTHOR("Joseph Chen "); + MODULE_DESCRIPTION("RK805 PMIC Power Key driver"); + MODULE_LICENSE("GPL"); +-- +2.35.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 17fa121719d..fa8806fea24 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -8,3 +8,6 @@ staging-rtl8712-fix-use-after-free-bugs.patch vt-clear-selection-before-changing-the-font.patch usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch +drm-i915-reg-fix-spelling-mistake-unsupport-unsuppor.patch +input-rk805-pwrkey-fix-module-autoloading.patch +hwmon-gpio-fan-fix-array-out-of-bounds-access.patch -- 2.47.2