4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 17 Jan 2021 14:24:18 +0000 (15:24 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 17 Jan 2021 14:24:18 +0000 (15:24 +0100)
added patches:
acpi-scan-harden-acpi_device_add-against-device-id-overflows.patch
asoc-dapm-remove-widget-from-dirty-list-on-free.patch
mips-boot-fix-unaligned-access-with-config_mips_raw_appended_dtb.patch
mips-fix-malformed-nt_file-and-nt_siginfo-in-32bit-coredumps.patch
mips-relocatable-fix-possible-boot-hangup-with-kaslr-enabled.patch
mm-hugetlb-fix-potential-missing-huge-page-size-info.patch

queue-4.9/acpi-scan-harden-acpi_device_add-against-device-id-overflows.patch [new file with mode: 0644]
queue-4.9/asoc-dapm-remove-widget-from-dirty-list-on-free.patch [new file with mode: 0644]
queue-4.9/mips-boot-fix-unaligned-access-with-config_mips_raw_appended_dtb.patch [new file with mode: 0644]
queue-4.9/mips-fix-malformed-nt_file-and-nt_siginfo-in-32bit-coredumps.patch [new file with mode: 0644]
queue-4.9/mips-relocatable-fix-possible-boot-hangup-with-kaslr-enabled.patch [new file with mode: 0644]
queue-4.9/mm-hugetlb-fix-potential-missing-huge-page-size-info.patch [new file with mode: 0644]
queue-4.9/series [new file with mode: 0644]

diff --git a/queue-4.9/acpi-scan-harden-acpi_device_add-against-device-id-overflows.patch b/queue-4.9/acpi-scan-harden-acpi_device_add-against-device-id-overflows.patch
new file mode 100644 (file)
index 0000000..273f333
--- /dev/null
@@ -0,0 +1,109 @@
+From a58015d638cd4e4555297b04bec9b49028369075 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Thu, 7 Jan 2021 23:23:48 -0800
+Subject: ACPI: scan: Harden acpi_device_add() against device ID overflows
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit a58015d638cd4e4555297b04bec9b49028369075 upstream.
+
+Linux VM on Hyper-V crashes with the latest mainline:
+
+[    4.069624] detected buffer overflow in strcpy
+[    4.077733] kernel BUG at lib/string.c:1149!
+..
+[    4.085819] RIP: 0010:fortify_panic+0xf/0x11
+...
+[    4.085819] Call Trace:
+[    4.085819]  acpi_device_add.cold.15+0xf2/0xfb
+[    4.085819]  acpi_add_single_object+0x2a6/0x690
+[    4.085819]  acpi_bus_check_add+0xc6/0x280
+[    4.085819]  acpi_ns_walk_namespace+0xda/0x1aa
+[    4.085819]  acpi_walk_namespace+0x9a/0xc2
+[    4.085819]  acpi_bus_scan+0x78/0x90
+[    4.085819]  acpi_scan_init+0xfa/0x248
+[    4.085819]  acpi_init+0x2c1/0x321
+[    4.085819]  do_one_initcall+0x44/0x1d0
+[    4.085819]  kernel_init_freeable+0x1ab/0x1f4
+
+This is because of the recent buffer overflow detection in the
+commit 6a39e62abbaf ("lib: string.h: detect intra-object overflow in
+fortified string functions")
+
+Here acpi_device_bus_id->bus_id can only hold 14 characters, while the
+the acpi_device_hid(device) returns a 22-char string
+"HYPER_V_GEN_COUNTER_V1".
+
+Per ACPI Spec v6.2, Section 6.1.5 _HID (Hardware ID), if the ID is a
+string, it must be of the form AAA#### or NNNN####, i.e. 7 chars or 8
+chars.
+
+The field bus_id in struct acpi_device_bus_id was originally defined as
+char bus_id[9], and later was enlarged to char bus_id[15] in 2007 in the
+commit bb0958544f3c ("ACPI: use more understandable bus_id for ACPI
+devices")
+
+Fix the issue by changing the field bus_id to const char *, and use
+kstrdup_const() to initialize it.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Tested-By: Jethro Beekman <jethro@fortanix.com>
+[ rjw: Subject change, whitespace adjustment ]
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/internal.h |    2 +-
+ drivers/acpi/scan.c     |   15 ++++++++++++++-
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/internal.h
++++ b/drivers/acpi/internal.h
+@@ -98,7 +98,7 @@ void acpi_scan_table_handler(u32 event,
+ extern struct list_head acpi_bus_id_list;
+ struct acpi_device_bus_id {
+-      char bus_id[15];
++      const char *bus_id;
+       unsigned int instance_no;
+       struct list_head node;
+ };
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -485,6 +485,7 @@ static void acpi_device_del(struct acpi_
+                               acpi_device_bus_id->instance_no--;
+                       else {
+                               list_del(&acpi_device_bus_id->node);
++                              kfree_const(acpi_device_bus_id->bus_id);
+                               kfree(acpi_device_bus_id);
+                       }
+                       break;
+@@ -673,7 +674,14 @@ int acpi_device_add(struct acpi_device *
+       }
+       if (!found) {
+               acpi_device_bus_id = new_bus_id;
+-              strcpy(acpi_device_bus_id->bus_id, acpi_device_hid(device));
++              acpi_device_bus_id->bus_id =
++                      kstrdup_const(acpi_device_hid(device), GFP_KERNEL);
++              if (!acpi_device_bus_id->bus_id) {
++                      pr_err(PREFIX "Memory allocation error for bus id\n");
++                      result = -ENOMEM;
++                      goto err_free_new_bus_id;
++              }
++
+               acpi_device_bus_id->instance_no = 0;
+               list_add_tail(&acpi_device_bus_id->node, &acpi_bus_id_list);
+       }
+@@ -708,6 +716,11 @@ int acpi_device_add(struct acpi_device *
+       if (device->parent)
+               list_del(&device->node);
+       list_del(&device->wakeup_list);
++
++ err_free_new_bus_id:
++      if (!found)
++              kfree(new_bus_id);
++
+       mutex_unlock(&acpi_device_lock);
+  err_detach:
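Review bot: The cleanup at the new `err_free_new_bus_id` label frees `new_bus_id` without unlinking it, yet it is also reached by falling through from the pre-existing error path just above it (the `list_del(&device->node)` / `list_del(&device->wakeup_list)` context lines), and on that path a not-found bus id has already been added to `acpi_bus_id_list` by `list_add_tail()` and had its `bus_id` string allocated by `kstrdup_const()`. Freeing it there leaves a dangling node in the global list and leaks the string; only the `kstrdup_const()` failure jump arrives with the node still unlinked. I would undo the list insertion and free the string on the fall-through path before the shared `kfree()`, as below. acpi_device_add() starts and ends outside the hunk, so the position of the `err:` label and the initial value of `found` should be checked against the full function.
```c
	list_del(&device->wakeup_list);
	/* On this path the new bus id was already linked in and named. */
	if (!found) {
		list_del(&new_bus_id->node);
		kfree_const(new_bus_id->bus_id);
	}

 err_free_new_bus_id:
	if (!found)
		kfree(new_bus_id);
	/* … unchanged: mutex_unlock(&acpi_device_lock), err_detach … */
```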
diff --git a/queue-4.9/asoc-dapm-remove-widget-from-dirty-list-on-free.patch b/queue-4.9/asoc-dapm-remove-widget-from-dirty-list-on-free.patch
new file mode 100644 (file)
index 0000000..94b78d9
--- /dev/null
@@ -0,0 +1,45 @@
+From 5c6679b5cb120f07652418524ab186ac47680b49 Mon Sep 17 00:00:00 2001
+From: Thomas Hebb <tommyhebb@gmail.com>
+Date: Sat, 12 Dec 2020 17:20:12 -0800
+Subject: ASoC: dapm: remove widget from dirty list on free
+
+From: Thomas Hebb <tommyhebb@gmail.com>
+
+commit 5c6679b5cb120f07652418524ab186ac47680b49 upstream.
+
+A widget's "dirty" list_head, much like its "list" list_head, eventually
+chains back to a list_head on the snd_soc_card itself. This means that
+the list can stick around even after the widget (or all widgets) have
+been freed. Currently, however, widgets that are in the dirty list when
+freed remain there, corrupting the entire list and leading to memory
+errors and undefined behavior when the list is next accessed or
+modified.
+
+I encountered this issue when a component failed to probe relatively
+late in snd_soc_bind_card(), causing it to bail out and call
+soc_cleanup_card_resources(), which eventually called
+snd_soc_dapm_free() with widgets that were still dirty from when they'd
+been added.
+
+Fixes: db432b414e20 ("ASoC: Do DAPM power checks only for widgets changed since last run")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/f8b5f031d50122bf1a9bfc9cae046badf4a7a31a.1607822410.git.tommyhebb@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-dapm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -2349,6 +2349,7 @@ void snd_soc_dapm_free_widget(struct snd
+       enum snd_soc_dapm_direction dir;
+       list_del(&w->list);
++      list_del(&w->dirty);
+       /*
+        * remove source and sink paths associated to this widget.
+        * While removing the path, remove reference to it from both
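Review bot: The new `list_del(&w->dirty)` is only safe if every widget's `dirty` head is initialised at creation, because a widget that was never marked dirty would otherwise carry NULL `next`/`prev` pointers and `list_del()` would dereference them; the hunk does not show that initialisation, so it should be confirmed in the widget constructor before relying on it. A one-line comment stating the invariant would stop this from being second-guessed later, e.g. `/* w->dirty is initialised at widget creation, so this is safe even for widgets never marked dirty */`. The card's dirty list is presumably walked under the DAPM mutex, and this call should be made under the same lock — worth verifying in the caller since it is not visible here. snd_soc_dapm_free_widget() starts and ends outside the hunk.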
diff --git a/queue-4.9/mips-boot-fix-unaligned-access-with-config_mips_raw_appended_dtb.patch b/queue-4.9/mips-boot-fix-unaligned-access-with-config_mips_raw_appended_dtb.patch
new file mode 100644 (file)
index 0000000..45eab9f
--- /dev/null
@@ -0,0 +1,51 @@
+From 4d4f9c1a17a3480f8fe523673f7232b254d724b7 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Wed, 16 Dec 2020 23:39:56 +0000
+Subject: MIPS: boot: Fix unaligned access with CONFIG_MIPS_RAW_APPENDED_DTB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 4d4f9c1a17a3480f8fe523673f7232b254d724b7 upstream.
+
+The compressed payload is not necesarily 4-byte aligned, at least when
+compiling with Clang. In that case, the 4-byte value appended to the
+compressed payload that corresponds to the uncompressed kernel image
+size must be read using get_unaligned_le32().
+
+This fixes Clang-built kernels not booting on MIPS (tested on a Ingenic
+JZ4770 board).
+
+Fixes: b8f54f2cde78 ("MIPS: ZBOOT: copy appended dtb to the end of the kernel")
+Cc: <stable@vger.kernel.org> # v4.7
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/boot/compressed/decompress.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/boot/compressed/decompress.c
++++ b/arch/mips/boot/compressed/decompress.c
+@@ -17,6 +17,7 @@
+ #include <linux/libfdt.h>
+ #include <asm/addrspace.h>
++#include <asm/unaligned.h>
+ /*
+  * These two variables specify the free mem region
+@@ -124,7 +125,7 @@ void decompress_kernel(unsigned long boo
+               dtb_size = fdt_totalsize((void *)&__appended_dtb);
+               /* last four bytes is always image size in little endian */
+-              image_size = le32_to_cpup((void *)&__image_end - 4);
++              image_size = get_unaligned_le32((void *)&__image_end - 4);
+               /* copy dtb to where the booted kernel will expect it */
+               memcpy((void *)VMLINUX_LOAD_ADDRESS_ULL + image_size,
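Review bot: The comment above the changed line still says only that the trailer holds the image size, so nothing in the code records why the plain `le32_to_cpup()` had to go, and a future cleanup could reintroduce the aligned load; I would extend it to `/* last four bytes is always image size in little endian; __image_end is not guaranteed 4-byte aligned (Clang-built images), so read it bytewise */`. The same alignment assumption appears to apply to the `fdt_totalsize((void *)&__appended_dtb)` read two lines earlier, which may perform a 32-bit load from the DTB header unless the appended blob is aligned by the link step — that should be confirmed rather than assumed. decompress_kernel() starts and ends outside the hunk.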
diff --git a/queue-4.9/mips-fix-malformed-nt_file-and-nt_siginfo-in-32bit-coredumps.patch b/queue-4.9/mips-fix-malformed-nt_file-and-nt_siginfo-in-32bit-coredumps.patch
new file mode 100644 (file)
index 0000000..ab2b82c
--- /dev/null
@@ -0,0 +1,61 @@
+From 698222457465ce343443be81c5512edda86e5914 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 24 Dec 2020 19:44:38 +0000
+Subject: MIPS: Fix malformed NT_FILE and NT_SIGINFO in 32bit coredumps
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 698222457465ce343443be81c5512edda86e5914 upstream.
+
+Patches that introduced NT_FILE and NT_SIGINFO notes back in 2012
+had taken care of native (fs/binfmt_elf.c) and compat (fs/compat_binfmt_elf.c)
+coredumps; unfortunately, compat on mips (which does not go through the
+usual compat_binfmt_elf.c) had not been noticed.
+
+As the result, both N32 and O32 coredumps on 64bit mips kernels
+have those sections malformed enough to confuse the living hell out of
+all gdb and readelf versions (up to and including the tip of binutils-gdb.git).
+
+Longer term solution is to make both O32 and N32 compat use the
+regular compat_binfmt_elf.c, but that's too much for backports.  The minimal
+solution is to do in arch/mips/kernel/binfmt_elf[on]32.c the same thing
+those patches have done in fs/compat_binfmt_elf.c
+
+Cc: stable@kernel.org # v3.7+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/binfmt_elfn32.c |    7 +++++++
+ arch/mips/kernel/binfmt_elfo32.c |    7 +++++++
+ 2 files changed, 14 insertions(+)
+
+--- a/arch/mips/kernel/binfmt_elfn32.c
++++ b/arch/mips/kernel/binfmt_elfn32.c
+@@ -110,4 +110,11 @@ cputime_to_compat_timeval(const cputime_
+       value->tv_sec = jiffies / HZ;
+ }
++/*
++ * Some data types as stored in coredump.
++ */
++#define user_long_t             compat_long_t
++#define user_siginfo_t          compat_siginfo_t
++#define copy_siginfo_to_external        copy_siginfo_to_external32
++
+ #include "../../../fs/binfmt_elf.c"
+--- a/arch/mips/kernel/binfmt_elfo32.c
++++ b/arch/mips/kernel/binfmt_elfo32.c
+@@ -113,4 +113,11 @@ cputime_to_compat_timeval(const cputime_
+       value->tv_sec = jiffies / HZ;
+ }
++/*
++ * Some data types as stored in coredump.
++ */
++#define user_long_t             compat_long_t
++#define user_siginfo_t          compat_siginfo_t
++#define copy_siginfo_to_external        copy_siginfo_to_external32
++
+ #include "../../../fs/binfmt_elf.c"
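Review bot: The `copy_siginfo_to_external` redirect only has an effect if the 4.9 `fs/binfmt_elf.c` included on the last line actually calls a helper of that name; as far as I recall that helper appears upstream several releases after 4.9, and the 4.9-era `fs/compat_binfmt_elf.c` achieved the same result by redefining `copy_siginfo_to_user` to `copy_siginfo_to_user32`, so this backport should be checked against the tree it is applied to rather than carried over from the 5.x patch verbatim. If the name does not match, the define is inert while `user_siginfo_t` has already been narrowed to `compat_siginfo_t`, so the siginfo note would be filled by copying a native `siginfo_t` into a buffer sized for the compat layout — an overflow rather than merely a still-malformed note. The probable one-line fix on this tree is `#define copy_siginfo_to_user copy_siginfo_to_user32` in place of the third define, mirroring 4.9's compat_binfmt_elf.c. Both files' content beyond these defines is outside the hunk.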
diff --git a/queue-4.9/mips-relocatable-fix-possible-boot-hangup-with-kaslr-enabled.patch b/queue-4.9/mips-relocatable-fix-possible-boot-hangup-with-kaslr-enabled.patch
new file mode 100644 (file)
index 0000000..17456ac
--- /dev/null
@@ -0,0 +1,51 @@
+From 69e976831cd53f9ba304fd20305b2025ecc78eab Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin <alobakin@pm.me>
+Date: Sun, 10 Jan 2021 14:21:05 +0000
+Subject: MIPS: relocatable: fix possible boot hangup with KASLR enabled
+
+From: Alexander Lobakin <alobakin@pm.me>
+
+commit 69e976831cd53f9ba304fd20305b2025ecc78eab upstream.
+
+LLVM-built Linux triggered a boot hangup with KASLR enabled.
+
+arch/mips/kernel/relocate.c:get_random_boot() uses linux_banner,
+which is a string constant, as a random seed, but accesses it
+as an array of unsigned long (in rotate_xor()).
+When the address of linux_banner is not aligned to sizeof(long),
+such access emits unaligned access exception and hangs the kernel.
+
+Use PTR_ALIGN() to align input address to sizeof(long) and also
+align down the input length to prevent possible access-beyond-end.
+
+Fixes: 405bc8fd12f5 ("MIPS: Kernel: Implement KASLR using CONFIG_RELOCATABLE")
+Cc: stable@vger.kernel.org # 4.7+
+Signed-off-by: Alexander Lobakin <alobakin@pm.me>
+Tested-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/relocate.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/relocate.c
++++ b/arch/mips/kernel/relocate.c
+@@ -175,8 +175,14 @@ static int __init relocate_exception_tab
+ static inline __init unsigned long rotate_xor(unsigned long hash,
+                                             const void *area, size_t size)
+ {
+-      size_t i;
+-      unsigned long *ptr = (unsigned long *)area;
++      const typeof(hash) *ptr = PTR_ALIGN(area, sizeof(hash));
++      size_t diff, i;
++
++      diff = (void *)ptr - area;
++      if (unlikely(size < diff + sizeof(hash)))
++              return hash;
++
++      size = ALIGN_DOWN(size - diff, sizeof(hash));
+       for (i = 0; i < size / sizeof(hash); i++) {
+               /* Rotate by odd number of bits and XOR. */
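Review bot: Both alignment steps silently drop input: the early `return hash` when `size < diff + sizeof(hash)` mixes nothing from a short buffer, and `ALIGN_DOWN()` discards up to `sizeof(hash) - 1` trailing bytes, so a short or oddly sized seed source now contributes less (or no) entropy than before with no indication to the caller. That is an acceptable trade for a boot-hang fix, but the function's contract should say so; I would add above the `ALIGN_DOWN()` line `/* Bytes before the first aligned long and after the last are not mixed in; short inputs may contribute nothing. */`. If any caller passes something short (a minimal command line, say), mixing the head and tail bytes byte-wise instead of dropping them would be the stronger follow-up. rotate_xor() ends outside the hunk.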
diff --git a/queue-4.9/mm-hugetlb-fix-potential-missing-huge-page-size-info.patch b/queue-4.9/mm-hugetlb-fix-potential-missing-huge-page-size-info.patch
new file mode 100644 (file)
index 0000000..60464ff
--- /dev/null
@@ -0,0 +1,36 @@
+From 0eb98f1588c2cc7a79816d84ab18a55d254f481c Mon Sep 17 00:00:00 2001
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Tue, 12 Jan 2021 15:49:24 -0800
+Subject: mm/hugetlb: fix potential missing huge page size info
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+commit 0eb98f1588c2cc7a79816d84ab18a55d254f481c upstream.
+
+The huge page size is encoded for VM_FAULT_HWPOISON errors only.  So if
+we return VM_FAULT_HWPOISON, huge page size would just be ignored.
+
+Link: https://lkml.kernel.org/r/20210107123449.38481-1-linmiaohe@huawei.com
+Fixes: aa50d3a7aa81 ("Encode huge page size for VM_FAULT_HWPOISON errors")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3767,7 +3767,7 @@ retry:
+                * So we need to block hugepage fault by PG_hwpoison bit check.
+                */
+               if (unlikely(PageHWPoison(page))) {
+-                      ret = VM_FAULT_HWPOISON |
++                      ret = VM_FAULT_HWPOISON_LARGE |
+                               VM_FAULT_SET_HINDEX(hstate_index(h));
+                       goto backout_unlocked;
+               }
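Review bot: The switch to `VM_FAULT_HWPOISON_LARGE` is right as far as the hunk shows, but the comment above this block still only explains the PG_hwpoison check and says nothing about why the `_LARGE` variant is required, which is exactly the detail that was missed when `VM_FAULT_SET_HINDEX()` was paired with the plain flag. I would extend that comment with `/* VM_FAULT_SET_HINDEX() is only decoded for VM_FAULT_HWPOISON_LARGE */` so the pairing survives the next refactor. The enclosing function (the `retry:` context) starts and ends outside the hunk; other HWPOISON returns in this file presumably already use the `_LARGE` form and should agree with this one.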
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644 (file)
index 0000000..7d5b66a
--- /dev/null
@@ -0,0 +1,6 @@
+asoc-dapm-remove-widget-from-dirty-list-on-free.patch
+mips-boot-fix-unaligned-access-with-config_mips_raw_appended_dtb.patch
+mips-fix-malformed-nt_file-and-nt_siginfo-in-32bit-coredumps.patch
+mips-relocatable-fix-possible-boot-hangup-with-kaslr-enabled.patch
+acpi-scan-harden-acpi_device_add-against-device-id-overflows.patch
+mm-hugetlb-fix-potential-missing-huge-page-size-info.patch