From: Greg Kroah-Hartman
Date: Thu, 27 Apr 2023 08:36:47 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v5.15.110~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=02ed7642a4b5170ad4753808f251522c23a79d53;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
counter-104-quad-8-fix-race-condition-between-flag-and-cntr-reads.patch
kvm-arm64-fix-buffer-overflow-in-kvm_arm_set_fw_reg.patch
---
diff --git a/queue-5.10/counter-104-quad-8-fix-race-condition-between-flag-and-cntr-reads.patch b/queue-5.10/counter-104-quad-8-fix-race-condition-between-flag-and-cntr-reads.patch
new file mode 100644
index 00000000000..10e3c86358f
--- /dev/null
+++ b/queue-5.10/counter-104-quad-8-fix-race-condition-between-flag-and-cntr-reads.patch
@@ -0,0 +1,98 @@ +From 4aa3b75c74603c3374877d5fd18ad9cc3a9a62ed Mon Sep 17 00:00:00 2001 +From: William Breathitt Gray +Date: Sun, 12 Mar 2023 19:15:49 -0400 +Subject: counter: 104-quad-8: Fix race condition between FLAG and CNTR reads + +From: William Breathitt Gray + +commit 4aa3b75c74603c3374877d5fd18ad9cc3a9a62ed upstream. + +The Counter (CNTR) register is 24 bits wide, but we can have an +effective 25-bit count value by setting bit 24 to the XOR of the Borrow +flag and Carry flag. The flags can be read from the FLAG register, but a +race condition exists: the Borrow flag and Carry flag are instantaneous +and could change by the time the count value is read from the CNTR +register. + +Since the race condition could result in an incorrect 25-bit count +value, remove support for 25-bit count values from this driver; +hard-coded maximum count values are replaced by a LS7267_CNTR_MAX define +for consistency and clarity. + +Fixes: 28e5d3bb0325 ("iio: 104-quad-8: Add IIO support for the ACCES 104-QUAD-8") +Cc: # 6.1.x +Cc: # 6.2.x +Link: https://lore.kernel.org/r/20230312231554.134858-1-william.gray@linaro.org/ +Signed-off-by: William Breathitt Gray +Signed-off-by: Greg Kroah-Hartman +--- + drivers/counter/104-quad-8.c | 28 ++++------------------------ + 1 file changed, 4 insertions(+), 24 deletions(-) + +--- a/drivers/counter/104-quad-8.c ++++ b/drivers/counter/104-quad-8.c +@@ -62,10 +62,6 @@ struct quad8_iio { + #define QUAD8_REG_CHAN_OP 0x11 + #define QUAD8_REG_INDEX_INPUT_LEVELS 0x16 + #define QUAD8_DIFF_ENCODER_CABLE_STATUS 0x17 +-/* Borrow Toggle flip-flop */ +-#define QUAD8_FLAG_BT BIT(0) +-/* Carry Toggle flip-flop */ +-#define QUAD8_FLAG_CT BIT(1) + /* Error flag */ + #define QUAD8_FLAG_E BIT(4) + /* Up/Down flag */ +@@ -104,9 +100,6 @@ static int quad8_read_raw(struct iio_dev + { + struct quad8_iio *const priv = iio_priv(indio_dev); + const int base_offset = priv->base + 2 * chan->channel; +- unsigned int flags; +- unsigned int borrow; +- unsigned int 
carry; + int i; + + switch (mask) { +@@ -117,12 +110,7 @@ static int quad8_read_raw(struct iio_dev + return IIO_VAL_INT; + } + +- flags = inb(base_offset + 1); +- borrow = flags & QUAD8_FLAG_BT; +- carry = !!(flags & QUAD8_FLAG_CT); +- +- /* Borrow XOR Carry effectively doubles count range */ +- *val = (borrow ^ carry) << 24; ++ *val = 0; + + mutex_lock(&priv->lock); + +@@ -643,17 +631,9 @@ static int quad8_count_read(struct count + { + struct quad8_iio *const priv = counter->priv; + const int base_offset = priv->base + 2 * count->id; +- unsigned int flags; +- unsigned int borrow; +- unsigned int carry; + int i; + +- flags = inb(base_offset + 1); +- borrow = flags & QUAD8_FLAG_BT; +- carry = !!(flags & QUAD8_FLAG_CT); +- +- /* Borrow XOR Carry effectively doubles count range */ +- *val = (unsigned long)(borrow ^ carry) << 24; ++ *val = 0; + + mutex_lock(&priv->lock); + +@@ -1198,8 +1178,8 @@ static ssize_t quad8_count_ceiling_read( + + mutex_unlock(&priv->lock); + +- /* By default 0x1FFFFFF (25 bits unsigned) is maximum count */ +- return sprintf(buf, "33554431\n"); ++ /* By default 0xFFFFFF (24 bits unsigned) is maximum count */ ++ return sprintf(buf, "16777215\n"); + } + + static ssize_t quad8_count_ceiling_write(struct counter_device *counter, diff --git a/queue-5.10/kvm-arm64-fix-buffer-overflow-in-kvm_arm_set_fw_reg.patch b/queue-5.10/kvm-arm64-fix-buffer-overflow-in-kvm_arm_set_fw_reg.patch new file mode 100644 index 00000000000..fb410ba3b70 --- /dev/null +++ b/queue-5.10/kvm-arm64-fix-buffer-overflow-in-kvm_arm_set_fw_reg.patch 
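Review bot: The description carried into this queue file says the hard-coded maximum count values are replaced by a LS7267_CNTR_MAX define, but the 5.10 hunks beneath it only swap quad8_count_ceiling_read()'s literal from "33554431\n" to "16777215\n" and add no such define, so the text describes the upstream commit rather than what this backport does. A bracketed backport note above the Greg Kroah-Hartman sign-off, e.g. `[5.10: tree has no LS7267_CNTR_MAX define; ceiling string updated in place]`, would keep the file's description accurate. It is also worth confirming that the ceiling and preset write paths in this tree (not shown in the hunk) no longer accept values above 0xFFFFFF, since the read side now advertises a 24-bit ceiling while quad8_read_raw() and quad8_count_read() unconditionally start from `*val = 0;`. The bodies of quad8_read_raw(), quad8_count_read() and quad8_count_ceiling_write() continue outside the hunk.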
@@ -0,0 +1,38 @@ +From a25bc8486f9c01c1af6b6c5657234b2eee2c39d6 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 19 Apr 2023 13:16:13 +0300 +Subject: KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg() + +From: Dan Carpenter + +commit a25bc8486f9c01c1af6b6c5657234b2eee2c39d6 upstream. + +The KVM_REG_SIZE() comes from the ioctl and it can be a power of two +between 0-32768 but if it is more than sizeof(long) this will corrupt +memory. + +Fixes: 99adb567632b ("KVM: arm/arm64: Add save/restore support for firmware workaround state") +Signed-off-by: Dan Carpenter +Reviewed-by: Steven Price +Reviewed-by: Eric Auger +Reviewed-by: Marc Zyngier +Link: https://lore.kernel.org/r/4efbab8c-640f-43b2-8ac6-6d68e08280fe@kili.mountain +Signed-off-by: Oliver Upton +[will: kvm_arm_set_fw_reg() lives in psci.c not hypercalls.c] +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/psci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/kvm/psci.c ++++ b/arch/arm64/kvm/psci.c +@@ -499,6 +499,8 @@ int kvm_arm_set_fw_reg(struct kvm_vcpu * + u64 val; + int wa_level; + ++ if (KVM_REG_SIZE(reg->id) != sizeof(val)) ++ return -ENOENT; + if (copy_from_user(&val, uaddr, KVM_REG_SIZE(reg->id))) + return -EFAULT; + diff --git a/queue-5.10/seccomp-move-copy_seccomp-to-no-failure-path.patch b/queue-5.10/seccomp-move-copy_seccomp-to-no-failure-path.patch index 1ed14c488a9..3c8e2b52c6a 100644 --- a/queue-5.10/seccomp-move-copy_seccomp-to-no-failure-path.patch +++ b/queue-5.10/seccomp-move-copy_seccomp-to-no-failure-path.patch @@ -129,14 +129,12 @@ Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220823154532.82913-1-kuniyu@amazon.com Signed-off-by: Greg Kroah-Hartman --- - kernel/fork.c | 17 +++++++++++------ + kernel/fork.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) -diff --git a/kernel/fork.c b/kernel/fork.c -index a5bc0c6a00fd..c6a289317e89 100644 --- a/kernel/fork.c 
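Review bot: The new size check in kvm_arm_set_fw_reg() returns -ENOENT with no comment explaining why a mismatched KVM_REG_SIZE() is treated as a nonexistent register rather than an invalid argument, which a reader will only learn from the commit message. A one-line comment above the check, `/* Firmware regs are exactly 64 bits wide; any other KVM_REG_SIZE() names no register we expose. */`, would make the intent and the chosen errno self-explanatory, and it documents that the size is validated before copy_from_user() touches user memory. KVM_REG_SIZE(reg->id) is also evaluated twice in adjacent lines; hoisting it into a local is optional but would read more cleanly. The enclosing function starts and ends outside the hunk.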
+++ b/kernel/fork.c -@@ -441,6 +441,9 @@ void put_task_stack(struct task_struct *tsk) +@@ -441,6 +441,9 @@ void put_task_stack(struct task_struct * void free_task(struct task_struct *tsk) { @@ -146,7 +144,7 @@ index a5bc0c6a00fd..c6a289317e89 100644 scs_release(tsk); #ifndef CONFIG_THREAD_INFO_IN_TASK -@@ -2248,12 +2251,6 @@ static __latent_entropy struct task_struct *copy_process( +@@ -2248,12 +2251,6 @@ static __latent_entropy struct task_stru spin_lock(¤t->sighand->siglock); @@ -159,7 +157,7 @@ index a5bc0c6a00fd..c6a289317e89 100644 rseq_fork(p, clone_flags); /* Don't start children in a dying pid namespace */ -@@ -2268,6 +2265,14 @@ static __latent_entropy struct task_struct *copy_process( +@@ -2268,6 +2265,14 @@ static __latent_entropy struct task_stru goto bad_fork_cancel_cgroup; } @@ -174,6 +172,3 @@ index a5bc0c6a00fd..c6a289317e89 100644 init_task_pid_links(p); if (likely(p->pid)) { ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace); --- -2.30.2 - diff --git a/queue-5.10/series b/queue-5.10/series index ce17d4e399d..6d74e1334d3 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -1 +1,3 @@ seccomp-move-copy_seccomp-to-no-failure-path.patch +counter-104-quad-8-fix-race-condition-between-flag-and-cntr-reads.patch +kvm-arm64-fix-buffer-overflow-in-kvm_arm_set_fw_reg.patch