From: Sasha Levin Date: Sun, 24 Nov 2024 14:13:03 +0000 (-0500) Subject: Fixes for 6.6 X-Git-Tag: v4.19.325~137 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0baa666ce73d23ea5935b305d75a479ef39d519c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/i2c-lpi2c-avoid-calling-clk_get_rate-during-transfer.patch b/queue-6.6/i2c-lpi2c-avoid-calling-clk_get_rate-during-transfer.patch new file mode 100644 index 00000000000..bd89c84c252 --- /dev/null +++ b/queue-6.6/i2c-lpi2c-avoid-calling-clk_get_rate-during-transfer.patch @@ -0,0 +1,68 @@ +From 9683a39d1c2d1c8356815925993389461bcb92d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2024 11:27:51 +0800 +Subject: i2c: lpi2c: Avoid calling clk_get_rate during transfer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexander Stein + +[ Upstream commit 4268254a39484fc11ba991ae148bacbe75d9cc0a ] + +Instead of repeatedly calling clk_get_rate for each transfer, lock +the clock rate and cache the value. +A deadlock has been observed while adding tlv320aic32x4 audio codec to +the system. When this clock provider adds its clock, the clk mutex is +locked already, it needs to access i2c, which in return needs the mutex +for clk_get_rate as well. + +Signed-off-by: Alexander Stein +Reviewed-by: Uwe Kleine-König +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +[ Resolve minor conflicts to fix CVE-2024-40965 ] +Signed-off-by: Bin Lan +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-imx-lpi2c.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c +index 678b30e90492a..5d4f04a3c6d32 100644 +--- a/drivers/i2c/busses/i2c-imx-lpi2c.c ++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c +@@ -99,6 +99,7 @@ struct lpi2c_imx_struct { + __u8 *rx_buf; + __u8 *tx_buf; + struct completion complete; ++ unsigned long rate_per; + unsigned int msglen; + unsigned int delivered; + unsigned int block_data; +@@ -207,9 +208,7 @@ static int lpi2c_imx_config(struct lpi2c_imx_struct *lpi2c_imx) + + lpi2c_imx_set_mode(lpi2c_imx); + +- clk_rate = clk_get_rate(lpi2c_imx->clks[0].clk); +- if (!clk_rate) +- return -EINVAL; ++ clk_rate = lpi2c_imx->rate_per; + + if (lpi2c_imx->mode == HS || lpi2c_imx->mode == ULTRA_FAST) + filt = 0; +@@ -590,6 +589,11 @@ static int lpi2c_imx_probe(struct platform_device *pdev) + if (ret) + return ret; + ++ lpi2c_imx->rate_per = clk_get_rate(lpi2c_imx->clks[0].clk); ++ if (!lpi2c_imx->rate_per) ++ return dev_err_probe(&pdev->dev, -EINVAL, ++ "can't get I2C peripheral clock rate\n"); ++ + pm_runtime_set_autosuspend_delay(&pdev->dev, I2C_PM_TIMEOUT); + pm_runtime_use_autosuspend(&pdev->dev); + pm_runtime_get_noresume(&pdev->dev); +-- +2.43.0 + diff --git a/queue-6.6/s390-pkey-wipe-copies-of-clear-key-structures-on-fai.patch b/queue-6.6/s390-pkey-wipe-copies-of-clear-key-structures-on-fai.patch new file mode 100644 index 00000000000..ad9da4f162e --- /dev/null +++ b/queue-6.6/s390-pkey-wipe-copies-of-clear-key-structures-on-fai.patch @@ -0,0 +1,88 @@ +From c1878cfc3fbacb83804f44be380f570ff4ddf60d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2024 16:12:22 +0800 +Subject: s390/pkey: Wipe copies of clear-key structures on failure + +From: Holger Dengler + +[ Upstream commit d65d76a44ffe74c73298ada25b0f578680576073 ] + +Wipe all sensitive data from stack for all IOCTLs, which convert a +clear-key into a protected- or secure-key. + +Reviewed-by: Harald Freudenberger +Reviewed-by: Ingo Franzki +Acked-by: Heiko Carstens +Signed-off-by: Holger Dengler +Signed-off-by: Alexander Gordeev +[ Resolve minor conflicts to fix CVE-2024-42156 ] +Signed-off-by: Bin Lan +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/pkey_api.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c +index d2ffdf2491da0..70fcb5c40cfe3 100644 +--- a/drivers/s390/crypto/pkey_api.c ++++ b/drivers/s390/crypto/pkey_api.c +@@ -1366,9 +1366,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, + rc = cca_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype, + kcs.clrkey.clrkey, kcs.seckey.seckey); + DEBUG_DBG("%s cca_clr2seckey()=%d\n", __func__, rc); +- if (rc) +- break; +- if (copy_to_user(ucs, &kcs, sizeof(kcs))) ++ if (!rc && copy_to_user(ucs, &kcs, sizeof(kcs))) + rc = -EFAULT; + memzero_explicit(&kcs, sizeof(kcs)); + break; +@@ -1401,9 +1399,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, + kcp.protkey.protkey, + &kcp.protkey.len, &kcp.protkey.type); + DEBUG_DBG("%s pkey_clr2protkey()=%d\n", __func__, rc); +- if (rc) +- break; +- if (copy_to_user(ucp, &kcp, sizeof(kcp))) ++ if (!rc && copy_to_user(ucp, &kcp, sizeof(kcp))) + rc = -EFAULT; + memzero_explicit(&kcp, sizeof(kcp)); + break; +@@ -1555,11 +1551,14 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, + if (copy_from_user(&kcs, ucs, sizeof(kcs))) + return -EFAULT; + apqns = _copy_apqns_from_user(kcs.apqns, kcs.apqn_entries); +- if (IS_ERR(apqns)) ++ if (IS_ERR(apqns)) { ++ memzero_explicit(&kcs, sizeof(kcs)); + return PTR_ERR(apqns); ++ } + kkey = kzalloc(klen, GFP_KERNEL); + if (!kkey) { + kfree(apqns); ++ memzero_explicit(&kcs, sizeof(kcs)); + return -ENOMEM; + } + rc = pkey_clr2seckey2(apqns, kcs.apqn_entries, +@@ -1569,15 +1568,18 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, + kfree(apqns); + if (rc) { + kfree(kkey); ++ memzero_explicit(&kcs, sizeof(kcs)); + break; + } + if (kcs.key) { + if (kcs.keylen < klen) { + kfree(kkey); ++ memzero_explicit(&kcs, sizeof(kcs)); + return -EINVAL; + } + if (copy_to_user(kcs.key, kkey, klen)) { + kfree(kkey); ++ memzero_explicit(&kcs, sizeof(kcs)); + return -EFAULT; + } + } +-- +2.43.0 + diff --git a/queue-6.6/serial-sc16is7xx-fix-invalid-fifo-access-with-specia.patch b/queue-6.6/serial-sc16is7xx-fix-invalid-fifo-access-with-specia.patch new file mode 100644 index 00000000000..fd1d8de96af --- /dev/null +++ b/queue-6.6/serial-sc16is7xx-fix-invalid-fifo-access-with-specia.patch @@ -0,0 +1,65 @@ +From 134740f8247d5772bfd1a765555feb1001cac215 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 14:43:31 +0800 +Subject: serial: sc16is7xx: fix invalid FIFO access with special register set + +From: Hugo Villeneuve + +[ Upstream commit 7d3b793faaab1305994ce568b59d61927235f57b ] + +When enabling access to the special register set, Receiver time-out and +RHR interrupts can happen. In this case, the IRQ handler will try to read +from the FIFO thru the RHR register at address 0x00, but address 0x00 is +mapped to DLL register, resulting in erroneous FIFO reading. + +Call graph example: + sc16is7xx_startup(): entry + sc16is7xx_ms_proc(): entry + sc16is7xx_set_termios(): entry + sc16is7xx_set_baud(): DLH/DLL = $009C --> access special register set + sc16is7xx_port_irq() entry --> IIR is 0x0C + sc16is7xx_handle_rx() entry + sc16is7xx_fifo_read(): --> unable to access FIFO (RHR) because it is + mapped to DLL (LCR=LCR_CONF_MODE_A) + sc16is7xx_set_baud(): exit --> Restore access to general register set + +Fix the problem by claiming the efr_lock mutex when accessing the Special +register set. + +Fixes: dfeae619d781 ("serial: sc16is7xx") +Cc: stable@vger.kernel.org +Signed-off-by: Hugo Villeneuve +Link: https://lore.kernel.org/r/20240723125302.1305372-3-hugo@hugovil.com +Signed-off-by: Greg Kroah-Hartman +[ Resolve minor conflicts ] +Signed-off-by: Bin Lan +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sc16is7xx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c +index 7a9924d9b294e..f290fbe21d633 100644 +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -545,6 +545,8 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) + SC16IS7XX_MCR_CLKSEL_BIT, + prescaler == 1 ? 0 : SC16IS7XX_MCR_CLKSEL_BIT); + ++ mutex_lock(&one->efr_lock); ++ + /* Open the LCR divisors for configuration */ + sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, + SC16IS7XX_LCR_CONF_MODE_A); +@@ -558,6 +560,8 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) + /* Put LCR back to the normal mode */ + sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr); + ++ mutex_unlock(&one->efr_lock); ++ + return DIV_ROUND_CLOSEST((clk / prescaler) / 16, div); + } + +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series index f12fd1b19ac..8633c08094b 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -31,3 +31,7 @@ loongarch-define-a-default-value-for-vm_data_default.patch alsa-usb-audio-fix-yamaha-p-125-quirk-entry.patch arm-9420-1-smp-fix-smp-for-xip-kernels.patch ipmr-fix-access-to-mfc_cache_list-without-lock-held.patch +i2c-lpi2c-avoid-calling-clk_get_rate-during-transfer.patch +s390-pkey-wipe-copies-of-clear-key-structures-on-fai.patch +serial-sc16is7xx-fix-invalid-fifo-access-with-specia.patch +x86-stackprotector-work-around-strict-clang-tls-symb.patch diff --git a/queue-6.6/x86-stackprotector-work-around-strict-clang-tls-symb.patch b/queue-6.6/x86-stackprotector-work-around-strict-clang-tls-symb.patch new file mode 100644 index 00000000000..63713b8d55c --- /dev/null +++ b/queue-6.6/x86-stackprotector-work-around-strict-clang-tls-symb.patch @@ -0,0 +1,138 @@ +From 99dbcc880fdf909ab98a8e6ae0ad0a772918f399 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2024 10:15:19 -0500 +Subject: x86/stackprotector: Work around strict Clang TLS symbol requirements + +From: Ard Biesheuvel + +[ Upstream commit 577c134d311b9b94598d7a0c86be1f431f823003 ] + +GCC and Clang both implement stack protector support based on Thread Local +Storage (TLS) variables, and this is used in the kernel to implement per-task +stack cookies, by copying a task's stack cookie into a per-CPU variable every +time it is scheduled in. + +Both now also implement -mstack-protector-guard-symbol=, which permits the TLS +variable to be specified directly. This is useful because it will allow to +move away from using a fixed offset of 40 bytes into the per-CPU area on +x86_64, which requires a lot of special handling in the per-CPU code and the +runtime relocation code. + +However, while GCC is rather lax in its implementation of this command line +option, Clang actually requires that the provided symbol name refers to a TLS +variable (i.e., one declared with __thread), although it also permits the +variable to be undeclared entirely, in which case it will use an implicit +declaration of the right type. + +The upshot of this is that Clang will emit the correct references to the stack +cookie variable in most cases, e.g., + + 10d: 64 a1 00 00 00 00 mov %fs:0x0,%eax + 10f: R_386_32 __stack_chk_guard + +However, if a non-TLS definition of the symbol in question is visible in the +same compilation unit (which amounts to the whole of vmlinux if LTO is +enabled), it will drop the per-CPU prefix and emit a load from a bogus +address. + +Work around this by using a symbol name that never occurs in C code, and emit +it as an alias in the linker script. + +Fixes: 3fb0fdb3bbe7 ("x86/stackprotector/32: Make the canary into a regular percpu variable") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Brian Gerst +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Cc: stable@vger.kernel.org +Link: https://github.com/ClangBuiltLinux/linux/issues/1854 +Link: https://lore.kernel.org/r/20241105155801.1779119-2-brgerst@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/Makefile | 3 ++- + arch/x86/entry/entry.S | 15 +++++++++++++++ + arch/x86/include/asm/asm-prototypes.h | 3 +++ + arch/x86/kernel/cpu/common.c | 2 ++ + arch/x86/kernel/vmlinux.lds.S | 3 +++ + 5 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index 3ff53a2d4ff08..c83582b5a010d 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -113,7 +113,8 @@ ifeq ($(CONFIG_X86_32),y) + + ifeq ($(CONFIG_STACKPROTECTOR),y) + ifeq ($(CONFIG_SMP),y) +- KBUILD_CFLAGS += -mstack-protector-guard-reg=fs -mstack-protector-guard-symbol=__stack_chk_guard ++ KBUILD_CFLAGS += -mstack-protector-guard-reg=fs \ ++ -mstack-protector-guard-symbol=__ref_stack_chk_guard + else + KBUILD_CFLAGS += -mstack-protector-guard=global + endif +diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S +index 34eca8015b64b..2143358d0c4c7 100644 +--- a/arch/x86/entry/entry.S ++++ b/arch/x86/entry/entry.S +@@ -48,3 +48,18 @@ EXPORT_SYMBOL_GPL(mds_verw_sel); + + .popsection + ++#ifndef CONFIG_X86_64 ++/* ++ * Clang's implementation of TLS stack cookies requires the variable in ++ * question to be a TLS variable. If the variable happens to be defined as an ++ * ordinary variable with external linkage in the same compilation unit (which ++ * amounts to the whole of vmlinux with LTO enabled), Clang will drop the ++ * segment register prefix from the references, resulting in broken code. Work ++ * around this by avoiding the symbol used in -mstack-protector-guard-symbol= ++ * entirely in the C code, and use an alias emitted by the linker script ++ * instead. ++ */ ++#ifdef CONFIG_STACKPROTECTOR ++EXPORT_SYMBOL(__ref_stack_chk_guard); ++#endif ++#endif +diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h +index 0e82074517f6b..768076e686684 100644 +--- a/arch/x86/include/asm/asm-prototypes.h ++++ b/arch/x86/include/asm/asm-prototypes.h +@@ -19,3 +19,6 @@ + extern void cmpxchg8b_emu(void); + #endif + ++#if defined(__GENKSYMS__) && defined(CONFIG_STACKPROTECTOR) ++extern unsigned long __ref_stack_chk_guard; ++#endif +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 7a1e58fb43a03..852cc2ab4df94 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -2159,8 +2159,10 @@ void syscall_init(void) + + #ifdef CONFIG_STACKPROTECTOR + DEFINE_PER_CPU(unsigned long, __stack_chk_guard); ++#ifndef CONFIG_SMP + EXPORT_PER_CPU_SYMBOL(__stack_chk_guard); + #endif ++#endif + + #endif /* CONFIG_X86_64 */ + +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index 54a5596adaa61..60eb8baa44d7b 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -496,6 +496,9 @@ SECTIONS + ASSERT(SIZEOF(.rela.dyn) == 0, "Unexpected run-time relocations (.rela) detected!") + } + ++/* needed for Clang - see arch/x86/entry/entry.S */ ++PROVIDE(__ref_stack_chk_guard = __stack_chk_guard); ++ + /* + * The ASSERT() sink to . is intentional, for binutils 2.14 compatibility: + */ +-- +2.43.0 +