From: Greg Kroah-Hartman Date: Sun, 17 Jan 2021 14:24:18 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.19.169~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=49998bd6d1e75a766f41cfd2311b9764d4903b4c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: acpi-scan-harden-acpi_device_add-against-device-id-overflows.patch asoc-dapm-remove-widget-from-dirty-list-on-free.patch mips-boot-fix-unaligned-access-with-config_mips_raw_appended_dtb.patch mips-fix-malformed-nt_file-and-nt_siginfo-in-32bit-coredumps.patch mips-relocatable-fix-possible-boot-hangup-with-kaslr-enabled.patch mm-hugetlb-fix-potential-missing-huge-page-size-info.patch
---
diff --git a/queue-4.9/acpi-scan-harden-acpi_device_add-against-device-id-overflows.patch b/queue-4.9/acpi-scan-harden-acpi_device_add-against-device-id-overflows.patch
new file mode 100644
index 00000000000..273f333c71c
--- /dev/null
+++ b/queue-4.9/acpi-scan-harden-acpi_device_add-against-device-id-overflows.patch
@@ -0,0 +1,109 @@
+From a58015d638cd4e4555297b04bec9b49028369075 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui
+Date: Thu, 7 Jan 2021 23:23:48 -0800
+Subject: ACPI: scan: Harden acpi_device_add() against device ID overflows
+
+From: Dexuan Cui
+
+commit a58015d638cd4e4555297b04bec9b49028369075 upstream.
+
+Linux VM on Hyper-V crashes with the latest mainline:
+
+[ 4.069624] detected buffer overflow in strcpy
+[ 4.077733] kernel BUG at lib/string.c:1149!
+..
+[ 4.085819] RIP: 0010:fortify_panic+0xf/0x11
+...
+[ 4.085819] Call Trace:
+[ 4.085819] acpi_device_add.cold.15+0xf2/0xfb
+[ 4.085819] acpi_add_single_object+0x2a6/0x690
+[ 4.085819] acpi_bus_check_add+0xc6/0x280
+[ 4.085819] acpi_ns_walk_namespace+0xda/0x1aa
+[ 4.085819] acpi_walk_namespace+0x9a/0xc2
+[ 4.085819] acpi_bus_scan+0x78/0x90
+[ 4.085819] acpi_scan_init+0xfa/0x248
+[ 4.085819] acpi_init+0x2c1/0x321
+[ 4.085819] do_one_initcall+0x44/0x1d0
+[ 4.085819] kernel_init_freeable+0x1ab/0x1f4
+
+This is because of the recent buffer overflow detection in the
+commit 6a39e62abbaf ("lib: string.h: detect intra-object overflow in
+fortified string functions")
+
+Here acpi_device_bus_id->bus_id can only hold 14 characters, while the
+the acpi_device_hid(device) returns a 22-char string
+"HYPER_V_GEN_COUNTER_V1".
+
+Per ACPI Spec v6.2, Section 6.1.5 _HID (Hardware ID), if the ID is a
+string, it must be of the form AAA#### or NNNN####, i.e. 7 chars or 8
+chars.
+
+The field bus_id in struct acpi_device_bus_id was originally defined as
+char bus_id[9], and later was enlarged to char bus_id[15] in 2007 in the
+commit bb0958544f3c ("ACPI: use more understandable bus_id for ACPI
+devices")
+
+Fix the issue by changing the field bus_id to const char *, and use
+kstrdup_const() to initialize it.
+
+Signed-off-by: Dexuan Cui
+Tested-By: Jethro Beekman
+[ rjw: Subject change, whitespace adjustment ]
+Cc: All applicable
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/internal.h | 2 +-
+ drivers/acpi/scan.c | 15 ++++++++++++++-
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/internal.h
++++ b/drivers/acpi/internal.h
+@@ -98,7 +98,7 @@ void acpi_scan_table_handler(u32 event,
+ extern struct list_head acpi_bus_id_list;
+
+ struct acpi_device_bus_id {
+- char bus_id[15];
++ const char *bus_id;
+ unsigned int instance_no;
+ struct list_head node;
+ };
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -485,6 +485,7 @@ static void acpi_device_del(struct acpi_
+ acpi_device_bus_id->instance_no--;
+ else {
+ list_del(&acpi_device_bus_id->node);
++ kfree_const(acpi_device_bus_id->bus_id);
+ kfree(acpi_device_bus_id);
+ }
+ break;
+@@ -673,7 +674,14 @@ int acpi_device_add(struct acpi_device *
+ }
+ if (!found) {
+ acpi_device_bus_id = new_bus_id;
+- strcpy(acpi_device_bus_id->bus_id, acpi_device_hid(device));
++ acpi_device_bus_id->bus_id =
++ kstrdup_const(acpi_device_hid(device), GFP_KERNEL);
++ if (!acpi_device_bus_id->bus_id) {
++ pr_err(PREFIX "Memory allocation error for bus id\n");
++ result = -ENOMEM;
++ goto err_free_new_bus_id;
++ }
++
+ acpi_device_bus_id->instance_no = 0;
+ list_add_tail(&acpi_device_bus_id->node, &acpi_bus_id_list);
+ }
+@@ -708,6 +716,11 @@ int acpi_device_add(struct acpi_device *
+ if (device->parent)
+ list_del(&device->node);
+ list_del(&device->wakeup_list);
++
++ err_free_new_bus_id:
++ if (!found)
++ kfree(new_bus_id);
++
+ mutex_unlock(&acpi_device_lock);
+
+ err_detach:
diff --git a/queue-4.9/asoc-dapm-remove-widget-from-dirty-list-on-free.patch b/queue-4.9/asoc-dapm-remove-widget-from-dirty-list-on-free.patch
new file mode 100644
index 00000000000..94b78d9a731
--- /dev/null
+++ b/queue-4.9/asoc-dapm-remove-widget-from-dirty-list-on-free.patch
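Review bot: The `err_free_new_bus_id` fall-through in the last hunk frees `new_bus_id` whenever `!found`, but on that path the entry has already been linked into `acpi_bus_id_list` by the `list_add_tail()` in the `-673` hunk, so if the pre-existing error path that precedes the label (the `if (device->parent)` / `list_del(&device->wakeup_list)` context lines, whose `err:` label is outside the hunk) is reached after a later failure, the freed node stays on the global list and its `kstrdup_const()`'d `bus_id` is never `kfree_const()`'d. Only the `kstrdup_const()` failure, which happens before `list_add_tail()`, should reach that label; the smallest fix is to end the old error path with `goto err_unlock;` right after `list_del(&device->wakeup_list);` and put an ` err_unlock:` label on `mutex_unlock(&acpi_device_lock);`, which keeps the previous behaviour of leaving the still-valid bus-id entry on the list rather than freeing a listed node. `acpi_device_add()` starts and ends outside the hunk, so confirm there is no other route into the label before relying on this.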
@@ -0,0 +1,45 @@
+From 5c6679b5cb120f07652418524ab186ac47680b49 Mon Sep 17 00:00:00 2001
+From: Thomas Hebb
+Date: Sat, 12 Dec 2020 17:20:12 -0800
+Subject: ASoC: dapm: remove widget from dirty list on free
+
+From: Thomas Hebb
+
+commit 5c6679b5cb120f07652418524ab186ac47680b49 upstream.
+
+A widget's "dirty" list_head, much like its "list" list_head, eventually
+chains back to a list_head on the snd_soc_card itself. This means that
+the list can stick around even after the widget (or all widgets) have
+been freed. Currently, however, widgets that are in the dirty list when
+freed remain there, corrupting the entire list and leading to memory
+errors and undefined behavior when the list is next accessed or
+modified.
+
+I encountered this issue when a component failed to probe relatively
+late in snd_soc_bind_card(), causing it to bail out and call
+soc_cleanup_card_resources(), which eventually called
+snd_soc_dapm_free() with widgets that were still dirty from when they'd
+been added.
+
+Fixes: db432b414e20 ("ASoC: Do DAPM power checks only for widgets changed since last run")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Hebb
+Reviewed-by: Charles Keepax
+Link: https://lore.kernel.org/r/f8b5f031d50122bf1a9bfc9cae046badf4a7a31a.1607822410.git.tommyhebb@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/soc-dapm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -2349,6 +2349,7 @@ void snd_soc_dapm_free_widget(struct snd
+ enum snd_soc_dapm_direction dir;
+
+ list_del(&w->list);
++ list_del(&w->dirty);
+ /*
+ * remove source and sink paths associated to this widget.
+ * While removing the path, remove reference to it from both
diff --git a/queue-4.9/mips-boot-fix-unaligned-access-with-config_mips_raw_appended_dtb.patch b/queue-4.9/mips-boot-fix-unaligned-access-with-config_mips_raw_appended_dtb.patch
new file mode 100644
index 00000000000..45eab9f0e2f
--- /dev/null
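Review bot: The added `list_del(&w->dirty)` is only safe if every widget's `dirty` list_head was initialised when the widget was created; `list_del()` on a zeroed, never `INIT_LIST_HEAD()`'d node dereferences NULL, and a widget freed without ever having been marked dirty has nothing but that initialisation to rely on. The creation path is outside this hunk, so confirm `INIT_LIST_HEAD(&w->dirty)` runs for every widget that can reach `snd_soc_dapm_free_widget()`, including on the partially-bound card the commit message describes. Since the commit message itself explains that `dirty` chains back into a list on the card, a one-line comment next to the new call would save the next reader that trip: `/* dirty chains into the card's dirty list; unlink before freeing */`. `snd_soc_dapm_free_widget()` continues past the end of the hunk.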
+++ b/queue-4.9/mips-boot-fix-unaligned-access-with-config_mips_raw_appended_dtb.patch
@@ -0,0 +1,51 @@
+From 4d4f9c1a17a3480f8fe523673f7232b254d724b7 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil
+Date: Wed, 16 Dec 2020 23:39:56 +0000
+Subject: MIPS: boot: Fix unaligned access with CONFIG_MIPS_RAW_APPENDED_DTB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Cercueil
+
+commit 4d4f9c1a17a3480f8fe523673f7232b254d724b7 upstream.
+
+The compressed payload is not necesarily 4-byte aligned, at least when
+compiling with Clang. In that case, the 4-byte value appended to the
+compressed payload that corresponds to the uncompressed kernel image
+size must be read using get_unaligned_le32().
+
+This fixes Clang-built kernels not booting on MIPS (tested on a Ingenic
+JZ4770 board).
+
+Fixes: b8f54f2cde78 ("MIPS: ZBOOT: copy appended dtb to the end of the kernel")
+Cc: # v4.7
+Signed-off-by: Paul Cercueil
+Reviewed-by: Nick Desaulniers
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/boot/compressed/decompress.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/boot/compressed/decompress.c
++++ b/arch/mips/boot/compressed/decompress.c
+@@ -17,6 +17,7 @@
+ #include
+
+ #include
++#include
+
+ /*
+ * These two variables specify the free mem region
+@@ -124,7 +125,7 @@ void decompress_kernel(unsigned long boo
+ dtb_size = fdt_totalsize((void *)&__appended_dtb);
+
+ /* last four bytes is always image size in little endian */
+- image_size = le32_to_cpup((void *)&__image_end - 4);
++ image_size = get_unaligned_le32((void *)&__image_end - 4);
+
+ /* copy dtb to where the booted kernel will expect it */
+ memcpy((void *)VMLINUX_LOAD_ADDRESS_ULL + image_size,
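Review bot: `image_size` is now read with `get_unaligned_le32()`, but `dtb_size = fdt_totalsize((void *)&__appended_dtb)` two lines above still does a plain 32-bit load from the appended blob through the FDT header, and if `__appended_dtb` ends up with the same lack of 4-byte alignment the commit message describes for `__image_end`, that read would trap in exactly the same way. Whether `__appended_dtb` is aligned is decided by the boot linker script, which is outside this hunk; if it already forces alignment this is moot, otherwise the field should be fetched with an unaligned accessor as well (totalsize is the big-endian word at offset 4 of the header — verify against the libfdt header layout before hard-coding the offset). A comment on the new line saying why the accessor is needed, `/* __image_end need not be 4-byte aligned (seen with Clang) */`, would stop a future cleanup from reverting it to le32_to_cpup(). `decompress_kernel()` begins and ends outside the hunk.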
diff --git a/queue-4.9/mips-fix-malformed-nt_file-and-nt_siginfo-in-32bit-coredumps.patch b/queue-4.9/mips-fix-malformed-nt_file-and-nt_siginfo-in-32bit-coredumps.patch
new file mode 100644
index 00000000000..ab2b82c452a
--- /dev/null
+++ b/queue-4.9/mips-fix-malformed-nt_file-and-nt_siginfo-in-32bit-coredumps.patch
@@ -0,0 +1,61 @@
+From 698222457465ce343443be81c5512edda86e5914 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Thu, 24 Dec 2020 19:44:38 +0000
+Subject: MIPS: Fix malformed NT_FILE and NT_SIGINFO in 32bit coredumps
+
+From: Al Viro
+
+commit 698222457465ce343443be81c5512edda86e5914 upstream.
+
+Patches that introduced NT_FILE and NT_SIGINFO notes back in 2012
+had taken care of native (fs/binfmt_elf.c) and compat (fs/compat_binfmt_elf.c)
+coredumps; unfortunately, compat on mips (which does not go through the
+usual compat_binfmt_elf.c) had not been noticed.
+
+As the result, both N32 and O32 coredumps on 64bit mips kernels
+have those sections malformed enough to confuse the living hell out of
+all gdb and readelf versions (up to and including the tip of binutils-gdb.git).
+
+Longer term solution is to make both O32 and N32 compat use the
+regular compat_binfmt_elf.c, but that's too much for backports. The minimal
+solution is to do in arch/mips/kernel/binfmt_elf[on]32.c the same thing
+those patches have done in fs/compat_binfmt_elf.c
+
+Cc: stable@kernel.org # v3.7+
+Signed-off-by: Al Viro
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/binfmt_elfn32.c | 7 +++++++
+ arch/mips/kernel/binfmt_elfo32.c | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+--- a/arch/mips/kernel/binfmt_elfn32.c
++++ b/arch/mips/kernel/binfmt_elfn32.c
+@@ -110,4 +110,11 @@ cputime_to_compat_timeval(const cputime_
+ value->tv_sec = jiffies / HZ;
+ }
+
++/*
++ * Some data types as stored in coredump.
++ */
++#define user_long_t compat_long_t
++#define user_siginfo_t compat_siginfo_t
++#define copy_siginfo_to_external copy_siginfo_to_external32
++
+ #include "../../../fs/binfmt_elf.c"
+--- a/arch/mips/kernel/binfmt_elfo32.c
++++ b/arch/mips/kernel/binfmt_elfo32.c
+@@ -113,4 +113,11 @@ cputime_to_compat_timeval(const cputime_
+ value->tv_sec = jiffies / HZ;
+ }
+
++/*
++ * Some data types as stored in coredump.
++ */
++#define user_long_t compat_long_t
++#define user_siginfo_t compat_siginfo_t
++#define copy_siginfo_to_external copy_siginfo_to_external32
++
+ #include "../../../fs/binfmt_elf.c"
diff --git a/queue-4.9/mips-relocatable-fix-possible-boot-hangup-with-kaslr-enabled.patch b/queue-4.9/mips-relocatable-fix-possible-boot-hangup-with-kaslr-enabled.patch
new file mode 100644
index 00000000000..17456aca65f
--- /dev/null
+++ b/queue-4.9/mips-relocatable-fix-possible-boot-hangup-with-kaslr-enabled.patch
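Review bot: `#define copy_siginfo_to_external copy_siginfo_to_external32` only does anything if the `fs/binfmt_elf.c` included on the next line actually calls `copy_siginfo_to_external()`; that name is the mainline one, and a 4.9 tree whose `fill_siginfo_note()` still goes through `copy_siginfo_to_user()` (the override its own `fs/compat_binfmt_elf.c` carries is `#define copy_siginfo_to_user copy_siginfo_to_user32`) will silently ignore this define, leaving NT_SIGINFO in N32/O32 dumps in the native 64-bit layout — the very bug this backport is meant to close, half-fixed. Check which name 4.9's `fs/binfmt_elf.c` uses and mirror 4.9's `fs/compat_binfmt_elf.c` exactly, e.g. `#define copy_siginfo_to_user copy_siginfo_to_user32`; the identical hunk in `binfmt_elfn32.c` needs the same treatment. An unused define does not fail the build, so verify with a real O32/N32 core read by readelf rather than by compiling.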
@@ -0,0 +1,51 @@
+From 69e976831cd53f9ba304fd20305b2025ecc78eab Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin
+Date: Sun, 10 Jan 2021 14:21:05 +0000
+Subject: MIPS: relocatable: fix possible boot hangup with KASLR enabled
+
+From: Alexander Lobakin
+
+commit 69e976831cd53f9ba304fd20305b2025ecc78eab upstream.
+
+LLVM-built Linux triggered a boot hangup with KASLR enabled.
+
+arch/mips/kernel/relocate.c:get_random_boot() uses linux_banner,
+which is a string constant, as a random seed, but accesses it
+as an array of unsigned long (in rotate_xor()).
+When the address of linux_banner is not aligned to sizeof(long),
+such access emits unaligned access exception and hangs the kernel.
+
+Use PTR_ALIGN() to align input address to sizeof(long) and also
+align down the input length to prevent possible access-beyond-end.
+
+Fixes: 405bc8fd12f5 ("MIPS: Kernel: Implement KASLR using CONFIG_RELOCATABLE")
+Cc: stable@vger.kernel.org # 4.7+
+Signed-off-by: Alexander Lobakin
+Tested-by: Nathan Chancellor
+Reviewed-by: Kees Cook
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/relocate.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/relocate.c
++++ b/arch/mips/kernel/relocate.c
+@@ -175,8 +175,14 @@ static int __init relocate_exception_tab
+ static inline __init unsigned long rotate_xor(unsigned long hash,
+ const void *area, size_t size)
+ {
+- size_t i;
+- unsigned long *ptr = (unsigned long *)area;
++ const typeof(hash) *ptr = PTR_ALIGN(area, sizeof(hash));
++ size_t diff, i;
++
++ diff = (void *)ptr - area;
++ if (unlikely(size < diff + sizeof(hash)))
++ return hash;
++
++ size = ALIGN_DOWN(size - diff, sizeof(hash));
+
+ for (i = 0; i < size / sizeof(hash); i++) {
+ /* Rotate by odd number of bits and XOR. */
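Review bot: The new early return `if (unlikely(size < diff + sizeof(hash))) return hash;` silently drops an entropy source that is shorter than one aligned word once the alignment slack is subtracted, and `ALIGN_DOWN()` then discards up to `sizeof(hash) - 1` trailing bytes of every input; neither is visible to the caller, so both deserve a comment, e.g. `/* too short for one aligned word: contributes nothing to the seed */` on the return and `/* unaligned tail bytes are intentionally ignored */` on the ALIGN_DOWN line. With `ptr` now `const`, the loop body that follows (outside the hunk) must only read through it, which is presumably the case but worth a glance. The rest of `rotate_xor()` and its callers in `get_random_boot()` are outside the hunk, so confirm that losing the tail bytes is acceptable for every buffer fed in, not only `linux_banner`.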
diff --git a/queue-4.9/mm-hugetlb-fix-potential-missing-huge-page-size-info.patch b/queue-4.9/mm-hugetlb-fix-potential-missing-huge-page-size-info.patch
new file mode 100644
index 00000000000..60464ff96c2
--- /dev/null
+++ b/queue-4.9/mm-hugetlb-fix-potential-missing-huge-page-size-info.patch
@@ -0,0 +1,36 @@
+From 0eb98f1588c2cc7a79816d84ab18a55d254f481c Mon Sep 17 00:00:00 2001
+From: Miaohe Lin
+Date: Tue, 12 Jan 2021 15:49:24 -0800
+Subject: mm/hugetlb: fix potential missing huge page size info
+
+From: Miaohe Lin
+
+commit 0eb98f1588c2cc7a79816d84ab18a55d254f481c upstream.
+
+The huge page size is encoded for VM_FAULT_HWPOISON errors only. So if
+we return VM_FAULT_HWPOISON, huge page size would just be ignored.
+
+Link: https://lkml.kernel.org/r/20210107123449.38481-1-linmiaohe@huawei.com
+Fixes: aa50d3a7aa81 ("Encode huge page size for VM_FAULT_HWPOISON errors")
+Signed-off-by: Miaohe Lin
+Reviewed-by: Mike Kravetz
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/hugetlb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3767,7 +3767,7 @@ retry:
+ * So we need to block hugepage fault by PG_hwpoison bit check.
+ */
+ if (unlikely(PageHWPoison(page))) {
+- ret = VM_FAULT_HWPOISON |
++ ret = VM_FAULT_HWPOISON_LARGE |
+ VM_FAULT_SET_HINDEX(hstate_index(h));
+ goto backout_unlocked;
+ }
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..7d5b66adeee
--- /dev/null
+++ b/queue-4.9/series
@@ -0,0 +1,6 @@
+asoc-dapm-remove-widget-from-dirty-list-on-free.patch
+mips-boot-fix-unaligned-access-with-config_mips_raw_appended_dtb.patch
+mips-fix-malformed-nt_file-and-nt_siginfo-in-32bit-coredumps.patch
+mips-relocatable-fix-possible-boot-hangup-with-kaslr-enabled.patch
+acpi-scan-harden-acpi_device_add-against-device-id-overflows.patch
+mm-hugetlb-fix-potential-missing-huge-page-size-info.patch