From: Greg Kroah-Hartman Date: Tue, 29 Nov 2022 17:00:56 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.10.157~67 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e17f6e82f2a1afe6ed8518cbaefa53c47f2821fd;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch usb-dwc3-exynos-fix-remove-function.patch --- diff --git a/queue-5.10/arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch b/queue-5.10/arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch new file mode 100644 index 00000000000..af8cf2a9049 --- /dev/null +++ b/queue-5.10/arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch @@ -0,0 +1,39 @@ +From 91e8b74fe6381e083f8aa55217bb0562785ab398 Mon Sep 17 00:00:00 2001 +From: Jakob Unterwurzacher +Date: Wed, 19 Oct 2022 16:27:27 +0200 +Subject: arm64: dts: rockchip: lower rk3399-puma-haikou SD controller clock frequency + +From: Jakob Unterwurzacher + +commit 91e8b74fe6381e083f8aa55217bb0562785ab398 upstream. + +CRC errors (code -84 EILSEQ) have been observed for some SanDisk +Ultra A1 cards when running at 50MHz. + +Waveform analysis suggest that the level shifters that are used on the +RK3399-Q7 module for voltage translation between 3.0 and 3.3V don't +handle clock rates at or above 48MHz properly. Back off to 40MHz for +some safety margin. + +Cc: stable@vger.kernel.org +Fixes: 60fd9f72ce8a ("arm64: dts: rockchip: add Haikou baseboard with RK3399-Q7 SoM") +Signed-off-by: Jakob Unterwurzacher +Signed-off-by: Quentin Schulz +Link: https://lore.kernel.org/r/20221019-upstream-puma-sd-40mhz-v1-0-754a76421518@theobroma-systems.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts +@@ -203,7 +203,7 @@ + cap-sd-highspeed; + cd-gpios = <&gpio0 RK_PA7 GPIO_ACTIVE_LOW>; + disable-wp; +- max-frequency = <150000000>; ++ max-frequency = <40000000>; + pinctrl-names = "default"; + pinctrl-0 = <&sdmmc_clk &sdmmc_cmd &sdmmc_cd &sdmmc_bus4>; + vmmc-supply = <&vcc3v3_baseboard>; diff --git a/queue-5.10/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch b/queue-5.10/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch new file mode 100644 index 00000000000..a314972d2b3 --- /dev/null +++ b/queue-5.10/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch @@ -0,0 +1,101 @@ +From f6b1a1cf1c3ee430d3f5e47847047ce789a690aa Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Thu, 22 Sep 2022 20:04:34 +0800 +Subject: ext4: fix use-after-free in ext4_ext_shift_extents +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Baokun Li + +commit f6b1a1cf1c3ee430d3f5e47847047ce789a690aa upstream. + +If the starting position of our insert range happens to be in the hole +between the two ext4_extent_idx, because the lblk of the ext4_extent in +the previous ext4_extent_idx is always less than the start, which leads +to the "extent" variable access across the boundary, the following UAF is +triggered: +================================================================== +BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790 +Read of size 4 at addr ffff88819807a008 by task fallocate/8010 +CPU: 3 PID: 8010 Comm: fallocate Tainted: G E 5.10.0+ #492 +Call Trace: + dump_stack+0x7d/0xa3 + print_address_description.constprop.0+0x1e/0x220 + kasan_report.cold+0x67/0x7f + ext4_ext_shift_extents+0x257/0x790 + ext4_insert_range+0x5b6/0x700 + ext4_fallocate+0x39e/0x3d0 + vfs_fallocate+0x26f/0x470 + ksys_fallocate+0x3a/0x70 + __x64_sys_fallocate+0x4f/0x60 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +================================================================== + +For right shifts, we can divide them into the following situations: + +1. When the first ee_block of ext4_extent_idx is greater than or equal to + start, make right shifts directly from the first ee_block. + 1) If it is greater than start, we need to continue searching in the + previous ext4_extent_idx. + 2) If it is equal to start, we can exit the loop (iterator=NULL). + +2. When the first ee_block of ext4_extent_idx is less than start, then + traverse from the last extent to find the first extent whose ee_block + is less than start. + 1) If extent is still the last extent after traversal, it means that + the last ee_block of ext4_extent_idx is less than start, that is, + start is located in the hole between idx and (idx+1), so we can + exit the loop directly (break) without right shifts. + 2) Otherwise, make right shifts at the corresponding position of the + found extent, and then exit the loop (iterator=NULL). + +Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate") +Cc: stable@vger.kernel.org # v4.2+ +Signed-off-by: Zhihao Cheng +Signed-off-by: Baokun Li +Link: https://lore.kernel.org/r/20220922120434.1294789-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/extents.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5182,6 +5182,7 @@ ext4_ext_shift_extents(struct inode *ino + * and it is decreased till we reach start. + */ + again: ++ ret = 0; + if (SHIFT == SHIFT_LEFT) + iterator = &start; + else +@@ -5225,14 +5226,21 @@ again: + ext4_ext_get_actual_len(extent); + } else { + extent = EXT_FIRST_EXTENT(path[depth].p_hdr); +- if (le32_to_cpu(extent->ee_block) > 0) ++ if (le32_to_cpu(extent->ee_block) > start) + *iterator = le32_to_cpu(extent->ee_block) - 1; +- else +- /* Beginning is reached, end of the loop */ ++ else if (le32_to_cpu(extent->ee_block) == start) + iterator = NULL; +- /* Update path extent in case we need to stop */ +- while (le32_to_cpu(extent->ee_block) < start) ++ else { ++ extent = EXT_LAST_EXTENT(path[depth].p_hdr); ++ while (le32_to_cpu(extent->ee_block) >= start) ++ extent--; ++ ++ if (extent == EXT_LAST_EXTENT(path[depth].p_hdr)) ++ break; ++ + extent++; ++ iterator = NULL; ++ } + path[depth].p_ext = extent; + } + ret = ext4_ext_shift_path_extents(path, shift, inode, diff --git a/queue-5.10/kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch b/queue-5.10/kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch new file mode 100644 index 00000000000..7f88290c213 --- /dev/null +++ b/queue-5.10/kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch @@ -0,0 +1,44 @@ +From 50c697215a8cc22f0e58c88f06f2716c05a26e85 Mon Sep 17 00:00:00 2001 +From: Sam James +Date: Wed, 16 Nov 2022 18:26:34 +0000 +Subject: kbuild: fix -Wimplicit-function-declaration in license_is_gpl_compatible + +From: Sam James + +commit 50c697215a8cc22f0e58c88f06f2716c05a26e85 upstream. + +Add missing include for strcmp. + +Clang 16 makes -Wimplicit-function-declaration an error by default. +Unfortunately, out of tree modules may use this in configure scripts, +which means failure might cause silent miscompilation or misconfiguration. + +For more information, see LWN.net [0] or LLVM's Discourse [1], gentoo-dev@ [2], +or the (new) c-std-porting mailing list [3]. + +[0] https://lwn.net/Articles/913505/ +[1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213 +[2] https://archives.gentoo.org/gentoo-dev/message/dd9f2d3082b8b6f8dfbccb0639e6e240 +[3] hosted at lists.linux.dev. + +[akpm@linux-foundation.org: remember "linux/"] +Link: https://lkml.kernel.org/r/20221116182634.2823136-1-sam@gentoo.org +Signed-off-by: Sam James +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/license.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/license.h ++++ b/include/linux/license.h +@@ -2,6 +2,8 @@ + #ifndef __LICENSE_H + #define __LICENSE_H + ++#include ++ + static inline int license_is_gpl_compatible(const char *license) + { + return (strcmp(license, "GPL") == 0 diff --git a/queue-5.10/series b/queue-5.10/series index 05d6abfcb9d..4a86e6fb886 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -90,6 +90,10 @@ net-enetc-manage-enetc_f_qbv-in-priv-active_offloads.patch net-enetc-cache-accesses-to-priv-si-hw.patch net-enetc-preserve-tx-ring-priority-across-reconfigu.patch lib-vdso-use-grep-e-instead-of-egrep.patch +usb-dwc3-exynos-fix-remove-function.patch +ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch +arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch +kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch init-kconfig-fix-cc_has_asm_goto_tied_output-test-wi.patch nios2-add-force-for-vmlinuz.gz.patch kvm-x86-emulator-update-the-emulation-mode-after-rsm.patch diff --git a/queue-5.10/usb-dwc3-exynos-fix-remove-function.patch b/queue-5.10/usb-dwc3-exynos-fix-remove-function.patch new file mode 100644 index 00000000000..5f2c8b0caaa --- /dev/null +++ b/queue-5.10/usb-dwc3-exynos-fix-remove-function.patch @@ -0,0 +1,51 @@ +From e0481e5b3cc12ea7ccf4552d41518c89d3509004 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 10 Nov 2022 16:41:31 +0100 +Subject: usb: dwc3: exynos: Fix remove() function + +From: Marek Szyprowski + +commit e0481e5b3cc12ea7ccf4552d41518c89d3509004 upstream. + +The core DWC3 device node was not properly removed by the custom +dwc3_exynos_remove_child() function. Replace it with generic +of_platform_depopulate() which does that job right. + +Fixes: adcf20dcd262 ("usb: dwc3: exynos: Use of_platform API to create dwc3 core pdev") +Signed-off-by: Marek Szyprowski +Acked-by: Thinh Nguyen +Cc: stable@vger.kernel.org +Reviewed-by: Sam Protsenko +Link: https://lore.kernel.org/r/20221110154131.2577-1-m.szyprowski@samsung.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-exynos.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +--- a/drivers/usb/dwc3/dwc3-exynos.c ++++ b/drivers/usb/dwc3/dwc3-exynos.c +@@ -37,15 +37,6 @@ struct dwc3_exynos { + struct regulator *vdd10; + }; + +-static int dwc3_exynos_remove_child(struct device *dev, void *unused) +-{ +- struct platform_device *pdev = to_platform_device(dev); +- +- platform_device_unregister(pdev); +- +- return 0; +-} +- + static int dwc3_exynos_probe(struct platform_device *pdev) + { + struct dwc3_exynos *exynos; +@@ -142,7 +133,7 @@ static int dwc3_exynos_remove(struct pla + struct dwc3_exynos *exynos = platform_get_drvdata(pdev); + int i; + +- device_for_each_child(&pdev->dev, NULL, dwc3_exynos_remove_child); ++ of_platform_depopulate(&pdev->dev); + + for (i = exynos->num_clks - 1; i >= 0; i--) + clk_disable_unprepare(exynos->clks[i]);