From: Greg Kroah-Hartman Date: Sat, 12 Aug 2023 16:56:55 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.14.323~55 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c7431cd1dc0440704e5a060599224b72a14ebce;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch iio-cros_ec-fix-the-allocation-size-for-cros_ec_command.patch usb-dwc3-properly-handle-processing-of-pending-events.patch usb-storage-alauda-fix-uninit-value-in-alauda_check_media.patch x86-mm-fix-vdso-and-vvar-placement-on-5-level-paging-machines.patch x86-move-gds_ucode_mitigated-declaration-to-header.patch
---
diff --git a/queue-4.14/drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch b/queue-4.14/drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch
new file mode 100644
index 00000000000..f831f7f9b36
--- /dev/null
+++ b/queue-4.14/drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch
@@ -0,0 +1,40 @@ +From d5712cd22b9cf109fded1b7f178f4c1888c8b84b Mon Sep 17 00:00:00 2001 +From: Karol Herbst +Date: Sat, 5 Aug 2023 12:18:13 +0200 +Subject: drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes + +From: Karol Herbst + +commit d5712cd22b9cf109fded1b7f178f4c1888c8b84b upstream. + +The original commit adding that check tried to protect the kenrel against +a potential invalid NULL pointer access. + +However we call nouveau_connector_detect_depth once without a native_mode +set on purpose for non LVDS connectors and this broke DP support in a few +cases. + +Cc: Olaf Skibbe +Cc: Lyude Paul +Closes: https://gitlab.freedesktop.org/drm/nouveau/-/issues/238 +Closes: https://gitlab.freedesktop.org/drm/nouveau/-/issues/245 +Fixes: 20a2ce87fbaf8 ("drm/nouveau/dp: check for NULL nv_connector->native_mode") +Signed-off-by: Karol Herbst +Reviewed-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20230805101813.2603989-1-kherbst@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -945,7 +945,7 @@ nouveau_connector_get_modes(struct drm_c + /* Determine display colour depth for everything except LVDS now, + * DP requires this before mode_valid() is called. + */ +- if (connector->connector_type != DRM_MODE_CONNECTOR_LVDS && nv_connector->native_mode) ++ if (connector->connector_type != DRM_MODE_CONNECTOR_LVDS) + nouveau_connector_detect_depth(connector); + + /* Find the native mode if this is a digital panel, if we didn't diff --git a/queue-4.14/iio-cros_ec-fix-the-allocation-size-for-cros_ec_command.patch b/queue-4.14/iio-cros_ec-fix-the-allocation-size-for-cros_ec_command.patch new file mode 100644 index 00000000000..c416cd46079 --- /dev/null +++ b/queue-4.14/iio-cros_ec-fix-the-allocation-size-for-cros_ec_command.patch 
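Review bot: The call site now gives no hint that nouveau_connector_detect_depth() is deliberately reached with nv_connector->native_mode still NULL for non-LVDS connectors, which is exactly what the removed `&& nv_connector->native_mode` used to prevent; the comment above the call could say so, e.g. `* Note: for non-LVDS (e.g. DP) connectors native_mode is intentionally still NULL at this point.` Since the check being reverted was originally added as a NULL guard, it is worth confirming that the 4.14 copy of nouveau_connector_detect_depth() tolerates a NULL native_mode on every path it takes for DP; that callee is not visible in the hunk. nouveau_connector_get_modes() itself starts and ends outside the hunk.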
@@ -0,0 +1,35 @@ +From 8a4629055ef55177b5b63dab1ecce676bd8cccdd Mon Sep 17 00:00:00 2001 +From: Yiyuan Guo +Date: Fri, 30 Jun 2023 22:37:19 +0800 +Subject: iio: cros_ec: Fix the allocation size for cros_ec_command + +From: Yiyuan Guo + +commit 8a4629055ef55177b5b63dab1ecce676bd8cccdd upstream. + +The struct cros_ec_command contains several integer fields and a +trailing array. An allocation size neglecting the integer fields can +lead to buffer overrun. + +Reviewed-by: Tzung-Bi Shih +Signed-off-by: Yiyuan Guo +Fixes: 974e6f02e27e ("iio: cros_ec_sensors_core: Add common functions for the ChromeOS EC Sensor Hub.") +Link: https://lore.kernel.org/r/20230630143719.1513906-1-yguoaz@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c ++++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c +@@ -47,7 +47,7 @@ int cros_ec_sensors_core_init(struct pla + platform_set_drvdata(pdev, indio_dev); + + state->ec = ec->ec_dev; +- state->msg = devm_kzalloc(&pdev->dev, ++ state->msg = devm_kzalloc(&pdev->dev, sizeof(*state->msg) + + max((u16)sizeof(struct ec_params_motion_sense), + state->ec->max_response), GFP_KERNEL); + if (!state->msg) diff --git a/queue-4.14/series b/queue-4.14/series index 7af09f0c761..b936bf17e9b 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
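Review bot: The corrected devm_kzalloc() size in cros_ec_sensors_core_init() now adds the struct header to the payload but leaves the reader to work out why two unrelated sizes are combined; a one-line comment above the call would make the layout explicit, e.g. `/* msg has a trailing data array: size it for the larger of the motion-sense params and the EC's maximum response. */`. The `(u16)` cast inside max() presumably exists to match the type of max_response so max() type-checks; if that is the case a short remark on it would save the next reader from wondering whether the cast can truncate sizeof(). cros_ec_sensors_core_init() begins and ends outside the hunk.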
@@ -5,3 +5,9 @@ dmaengine-pl330-return-dma_paused-when-transaction-is-paused.patch
 radix-tree-test-suite-fix-incorrect-allocation-size-for-pthreads.patch
 nilfs2-fix-use-after-free-of-nilfs_root-in-dirtying-inodes-via-iput.patch
 test_firmware-return-enomem-instead-of-enospc-on-failed-memory-allocation.patch
+iio-cros_ec-fix-the-allocation-size-for-cros_ec_command.patch
+usb-storage-alauda-fix-uninit-value-in-alauda_check_media.patch
+usb-dwc3-properly-handle-processing-of-pending-events.patch
+x86-mm-fix-vdso-and-vvar-placement-on-5-level-paging-machines.patch
+x86-move-gds_ucode_mitigated-declaration-to-header.patch
+drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch
diff --git a/queue-4.14/usb-dwc3-properly-handle-processing-of-pending-events.patch b/queue-4.14/usb-dwc3-properly-handle-processing-of-pending-events.patch
new file mode 100644
index 00000000000..6e94ad2965a
--- /dev/null
+++ b/queue-4.14/usb-dwc3-properly-handle-processing-of-pending-events.patch
@@ -0,0 +1,56 @@ +From 3ddaa6a274578e23745b7466346fc2650df8f959 Mon Sep 17 00:00:00 2001 +From: Elson Roy Serrao +Date: Tue, 1 Aug 2023 12:26:58 -0700 +Subject: usb: dwc3: Properly handle processing of pending events + +From: Elson Roy Serrao + +commit 3ddaa6a274578e23745b7466346fc2650df8f959 upstream. + +If dwc3 is runtime suspended we defer processing the event buffer +until resume, by setting the pending_events flag. Set this flag before +triggering resume to avoid race with the runtime resume callback. + +While handling the pending events, in addition to checking the event +buffer we also need to process it. Handle this by explicitly calling +dwc3_thread_interrupt(). Also balance the runtime pm get() operation +that triggered this processing. + +Cc: stable@vger.kernel.org +Fixes: fc8bb91bc83e ("usb: dwc3: implement runtime PM") +Signed-off-by: Elson Roy Serrao +Acked-by: Thinh Nguyen +Reviewed-by: Roger Quadros +Link: https://lore.kernel.org/r/20230801192658.19275-1-quic_eserrao@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -3172,9 +3172,14 @@ static irqreturn_t dwc3_check_event_buf( + u32 reg; + + if (pm_runtime_suspended(dwc->dev)) { ++ dwc->pending_events = true; ++ /* ++ * Trigger runtime resume. The get() function will be balanced ++ * after processing the pending events in dwc3_process_pending ++ * events(). ++ */ + pm_runtime_get(dwc->dev); + disable_irq_nosync(dwc->irq_gadget); +- dwc->pending_events = true; + return IRQ_HANDLED; + } + +@@ -3414,6 +3419,8 @@ void dwc3_gadget_process_pending_events( + { + if (dwc->pending_events) { + dwc3_interrupt(dwc->irq_gadget, dwc->ev_buf); ++ dwc3_thread_interrupt(dwc->irq_gadget, dwc->ev_buf); ++ pm_runtime_put(dwc->dev); + dwc->pending_events = false; + enable_irq(dwc->irq_gadget); + } 
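Review bot: The new comment in dwc3_check_event_buf() points at `dwc3_process_pending events()`, which is not the name of the function the second hunk edits, `dwc3_gadget_process_pending_events()`, so anyone grepping for where the pm_runtime_get() is balanced will not find it. Suggested wording: `* Trigger runtime resume. The get() is balanced by the pm_runtime_put() in dwc3_gadget_process_pending_events() once the deferred events have been handled.` In dwc3_gadget_process_pending_events() the return value of dwc3_interrupt() is discarded before dwc3_thread_interrupt() runs; if that call could again take the pm_runtime_suspended() branch shown in the first hunk (which returns IRQ_HANDLED without touching the buffer), the thread handler would process an unhandled buffer and the get/put would go out of balance, so a short comment stating why that cannot happen on this (presumably resume-side) path would help. Both functions begin outside the hunk.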
diff --git a/queue-4.14/usb-storage-alauda-fix-uninit-value-in-alauda_check_media.patch b/queue-4.14/usb-storage-alauda-fix-uninit-value-in-alauda_check_media.patch
new file mode 100644
index 00000000000..74e50f9394a
--- /dev/null
+++ b/queue-4.14/usb-storage-alauda-fix-uninit-value-in-alauda_check_media.patch
@@ -0,0 +1,81 @@ +From a6ff6e7a9dd69364547751db0f626a10a6d628d2 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 2 Aug 2023 13:49:02 -0400 +Subject: usb-storage: alauda: Fix uninit-value in alauda_check_media() + +From: Alan Stern + +commit a6ff6e7a9dd69364547751db0f626a10a6d628d2 upstream. + +Syzbot got KMSAN to complain about access to an uninitialized value in +the alauda subdriver of usb-storage: + +BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0 +drivers/usb/storage/alauda.c:1137 +CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x191/0x1f0 lib/dump_stack.c:113 + kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108 + __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250 + alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460 + +The problem is that alauda_check_media() doesn't verify that its USB +transfer succeeded before trying to use the received data. What +should happen if the transfer fails isn't entirely clear, but a +reasonably conservative approach is to pretend that no media is +present. + +A similar problem exists in a usb_stor_dbg() call in +alauda_get_media_status(). In this case, when an error occurs the +call is redundant, because usb_stor_ctrl_transfer() already will print +a debugging message. + +Finally, unrelated to the uninitialized memory access, is the fact +that alauda_check_media() performs DMA to a buffer on the stack. +Fortunately usb-storage provides a general purpose DMA-able buffer for +uses like this. We'll use it instead. 
+ +Reported-and-tested-by: syzbot+e7d46eb426883fb97efd@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/0000000000007d25ff059457342d@google.com/T/ +Suggested-by: Christophe JAILLET +Signed-off-by: Alan Stern +Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support") +Cc: +Link: https://lore.kernel.org/r/693d5d5e-f09b-42d0-8ed9-1f96cd30bcce@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/alauda.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/usb/storage/alauda.c ++++ b/drivers/usb/storage/alauda.c +@@ -330,7 +330,8 @@ static int alauda_get_media_status(struc + rc = usb_stor_ctrl_transfer(us, us->recv_ctrl_pipe, + command, 0xc0, 0, 1, data, 2); + +- usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); ++ if (rc == USB_STOR_XFER_GOOD) ++ usb_stor_dbg(us, "Media status %02X %02X\n", data[0], data[1]); + + return rc; + } +@@ -466,10 +467,14 @@ static int alauda_init_media(struct us_d + static int alauda_check_media(struct us_data *us) + { + struct alauda_info *info = (struct alauda_info *) us->extra; +- unsigned char status[2]; ++ unsigned char *status = us->iobuf; + int rc; + + rc = alauda_get_media_status(us, status); ++ if (rc != USB_STOR_XFER_GOOD) { ++ status[0] = 0xF0; /* Pretend there's no media */ ++ status[1] = 0; ++ } + + /* Check for no media or door open */ + if ((status[0] & 0x80) || ((status[0] & 0x1F) == 0x10) diff --git a/queue-4.14/x86-mm-fix-vdso-and-vvar-placement-on-5-level-paging-machines.patch b/queue-4.14/x86-mm-fix-vdso-and-vvar-placement-on-5-level-paging-machines.patch new file mode 100644 index 00000000000..c42c4f8c005 --- /dev/null +++ b/queue-4.14/x86-mm-fix-vdso-and-vvar-placement-on-5-level-paging-machines.patch 
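Review bot: `status` now aliases `us->iobuf`, the driver-wide scratch buffer, so its two bytes are only valid until the next helper that also uses `us->iobuf` runs; the remainder of alauda_check_media() is outside the hunk, so check that every read of `status[0]`/`status[1]` happens before any such call (for instance the media initialisation that presumably follows the door/media test). The fallback also deserves a fuller comment than `/* Pretend there's no media */`: 0xF0 is chosen so that both the `status[0] & 0x80` test and the `(status[0] & 0x1F) == 0x10` test below treat it as absent media, e.g. `/* Transfer failed: fake a "no media" status (bit 7 set, low bits 0x10) so the checks below take the no-media path. */`. alauda_check_media() continues past the end of the hunk.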
@@ -0,0 +1,52 @@ +From 1b8b1aa90c9c0e825b181b98b8d9e249dc395470 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Thu, 3 Aug 2023 18:16:09 +0300 +Subject: x86/mm: Fix VDSO and VVAR placement on 5-level paging machines + +From: Kirill A. Shutemov + +commit 1b8b1aa90c9c0e825b181b98b8d9e249dc395470 upstream. + +Yingcong has noticed that on the 5-level paging machine, VDSO and VVAR +VMAs are placed above the 47-bit border: + +8000001a9000-8000001ad000 r--p 00000000 00:00 0 [vvar] +8000001ad000-8000001af000 r-xp 00000000 00:00 0 [vdso] + +This might confuse users who are not aware of 5-level paging and expect +all userspace addresses to be under the 47-bit border. + +So far problem has only been triggered with ASLR disabled, although it +may also occur with ASLR enabled if the layout is randomized in a just +right way. + +The problem happens due to custom placement for the VMAs in the VDSO +code: vdso_addr() tries to place them above the stack and checks the +result against TASK_SIZE_MAX, which is wrong. TASK_SIZE_MAX is set to +the 56-bit border on 5-level paging machines. Use DEFAULT_MAP_WINDOW +instead. + +Fixes: b569bab78d8d ("x86/mm: Prepare to expose larger address space to userspace") +Reported-by: Yingcong Wu +Signed-off-by: Kirill A. Shutemov +Signed-off-by: Dave Hansen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20230803151609.22141-1-kirill.shutemov%40linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/entry/vdso/vma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/entry/vdso/vma.c ++++ b/arch/x86/entry/vdso/vma.c +@@ -227,8 +227,8 @@ static unsigned long vdso_addr(unsigned + + /* Round the lowest possible end address up to a PMD boundary. */ + end = (start + len + PMD_SIZE - 1) & PMD_MASK; +- if (end >= TASK_SIZE_MAX) +- end = TASK_SIZE_MAX; ++ if (end >= DEFAULT_MAP_WINDOW) ++ end = DEFAULT_MAP_WINDOW; + end -= len; + + if (end > start) { 
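Review bot: The clamp in vdso_addr() now uses DEFAULT_MAP_WINDOW instead of TASK_SIZE_MAX but the surrounding comment still only mentions the PMD rounding, leaving no hint at the call site of why the two limits differ; extend it along the lines of `/* Round the lowest possible end address up to a PMD boundary and keep it below the 47-bit map window: on 5-level paging TASK_SIZE_MAX is the 56-bit border, and a vDSO placed above 47 bits confuses userspace unaware of 5-level paging. */`. The backport presumably relies on DEFAULT_MAP_WINDOW being defined by the 4.14 x86 headers (the Fixes: commit is the one that introduced the larger address space), which is not visible here and is worth a build check. vdso_addr() starts and ends outside the hunk.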
diff --git a/queue-4.14/x86-move-gds_ucode_mitigated-declaration-to-header.patch b/queue-4.14/x86-move-gds_ucode_mitigated-declaration-to-header.patch new file mode 100644 index 00000000000..3247dd5d6dd --- /dev/null +++ b/queue-4.14/x86-move-gds_ucode_mitigated-declaration-to-header.patch @@ -0,0 +1,48 @@ +From eb3515dc99c7c85f4170b50838136b2a193f8012 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 9 Aug 2023 15:05:00 +0200 +Subject: x86: Move gds_ucode_mitigated() declaration to header + +From: Arnd Bergmann + +commit eb3515dc99c7c85f4170b50838136b2a193f8012 upstream. + +The declaration got placed in the .c file of the caller, but that +causes a warning for the definition: + +arch/x86/kernel/cpu/bugs.c:682:6: error: no previous prototype for 'gds_ucode_mitigated' [-Werror=missing-prototypes] + +Move it to a header where both sides can observe it instead. + +Fixes: 81ac7e5d74174 ("KVM: Add GDS_NO support to KVM") +Signed-off-by: Arnd Bergmann +Signed-off-by: Dave Hansen +Tested-by: Daniel Sneddon +Cc: stable@kernel.org +Link: https://lore.kernel.org/all/20230809130530.1913368-2-arnd%40kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/processor.h | 2 ++ + arch/x86/kvm/x86.c | 2 -- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -992,4 +992,6 @@ enum taa_mitigations { + TAA_MITIGATION_TSX_DISABLED, + }; + ++extern bool gds_ucode_mitigated(void); ++ + #endif /* _ASM_X86_PROCESSOR_H */ +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -201,8 +201,6 @@ struct kvm_stats_debugfs_item debugfs_en + + u64 __read_mostly host_xcr0; + +-extern bool gds_ucode_mitigated(void); +- + static int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt); + + static inline void kvm_async_pf_hash_reset(struct kvm_vcpu *vcpu)