From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 7 May 2021 15:53:25 +0000 (+0200)
Subject: 5.11-stable patches
X-Git-Tag: v5.4.118~84
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6100dad64ae45fc010162a0ae462ea179a918c1d;p=thirdparty%2Fkernel%2Fstable-queue.git

5.11-stable patches

added patches:
	cpuidle-tegra-fix-c7-idling-state-on-tegra114.patch
	fbdev-zero-fill-colormap-in-fbcmap.c.patch
	posix-timers-preserve-return-value-in-clock_adjtime32.patch
---

diff --git a/queue-5.11/cpuidle-tegra-fix-c7-idling-state-on-tegra114.patch b/queue-5.11/cpuidle-tegra-fix-c7-idling-state-on-tegra114.patch
new file mode 100644
index 00000000000..0fa3e9a2ee1
--- /dev/null
+++ b/queue-5.11/cpuidle-tegra-fix-c7-idling-state-on-tegra114.patch
@@ -0,0 +1,52 @@
+From 32c8c34d8132b5fe8497c2538597445a0d65c29d Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Tue, 2 Mar 2021 12:54:04 +0300
+Subject: cpuidle: tegra: Fix C7 idling state on Tegra114
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 32c8c34d8132b5fe8497c2538597445a0d65c29d upstream.
+
+Trusted Foundation firmware doesn't implement the do_idle call and in
+this case suspending should fall back to the common suspend path. In order
+to fix this issue we will unconditionally set the NOFLUSH_L2 mode via
+firmware call, which is a NO-OP on Tegra30/124, and then proceed to the
+C7 idling, like it was done by the older Tegra114 cpuidle driver.
+
+Fixes: 14e086baca50 ("cpuidle: tegra: Squash Tegra114 driver into the common driver")
+Cc: stable@vger.kernel.org # 5.7+
+Reported-by: Anton Bambura <jenneron@protonmail.com> # TF701 T114
+Tested-by: Anton Bambura <jenneron@protonmail.com> # TF701 T114
+Tested-by: Matt Merhar <mattmerhar@protonmail.com> # Ouya T30
+Tested-by: Peter Geis <pgwipeout@gmail.com> # Ouya T30
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20210302095405.28453-1-digetx@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/cpuidle-tegra.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/cpuidle/cpuidle-tegra.c
++++ b/drivers/cpuidle/cpuidle-tegra.c
+@@ -135,13 +135,13 @@ static int tegra_cpuidle_c7_enter(void)
+ {
+ 	int err;
+ 
+-	if (tegra_cpuidle_using_firmware()) {
+-		err = call_firmware_op(prepare_idle, TF_PM_MODE_LP2_NOFLUSH_L2);
+-		if (err)
+-			return err;
++	err = call_firmware_op(prepare_idle, TF_PM_MODE_LP2_NOFLUSH_L2);
++	if (err && err != -ENOSYS)
++		return err;
+ 
+-		return call_firmware_op(do_idle, 0);
+-	}
++	err = call_firmware_op(do_idle, 0);
++	if (err != -ENOSYS)
++		return err;
+ 
+ 	return cpu_suspend(0, tegra30_pm_secondary_cpu_suspend);
+ }
diff --git a/queue-5.11/fbdev-zero-fill-colormap-in-fbcmap.c.patch b/queue-5.11/fbdev-zero-fill-colormap-in-fbcmap.c.patch
new file mode 100644
index 00000000000..2196dd1ea0c
--- /dev/null
+++ b/queue-5.11/fbdev-zero-fill-colormap-in-fbcmap.c.patch
@@ -0,0 +1,51 @@
+From 19ab233989d0f7ab1de19a036e247afa4a0a1e9c Mon Sep 17 00:00:00 2001
+From: Phillip Potter <phil@philpotter.co.uk>
+Date: Wed, 31 Mar 2021 23:07:19 +0100
+Subject: fbdev: zero-fill colormap in fbcmap.c
+
+From: Phillip Potter <phil@philpotter.co.uk>
+
+commit 19ab233989d0f7ab1de19a036e247afa4a0a1e9c upstream.
+
+Use kzalloc() rather than kmalloc() for the dynamically allocated parts
+of the colormap in fb_alloc_cmap_gfp, to prevent a leak of random kernel
+data to userspace under certain circumstances.
+
+Fixes a KMSAN-found infoleak bug reported by syzbot at:
+https://syzkaller.appspot.com/bug?id=741578659feabd108ad9e06696f0c1f2e69c4b6e
+
+Reported-by: syzbot+47fa9c9c648b765305b9@syzkaller.appspotmail.com
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
+Link: https://lore.kernel.org/r/20210331220719.1499743-1-phil@philpotter.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/fbcmap.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbcmap.c
++++ b/drivers/video/fbdev/core/fbcmap.c
+@@ -101,17 +101,17 @@ int fb_alloc_cmap_gfp(struct fb_cmap *cm
+ 		if (!len)
+ 			return 0;
+ 
+-		cmap->red = kmalloc(size, flags);
++		cmap->red = kzalloc(size, flags);
+ 		if (!cmap->red)
+ 			goto fail;
+-		cmap->green = kmalloc(size, flags);
++		cmap->green = kzalloc(size, flags);
+ 		if (!cmap->green)
+ 			goto fail;
+-		cmap->blue = kmalloc(size, flags);
++		cmap->blue = kzalloc(size, flags);
+ 		if (!cmap->blue)
+ 			goto fail;
+ 		if (transp) {
+-			cmap->transp = kmalloc(size, flags);
++			cmap->transp = kzalloc(size, flags);
+ 			if (!cmap->transp)
+ 				goto fail;
+ 		} else {
diff --git a/queue-5.11/posix-timers-preserve-return-value-in-clock_adjtime32.patch b/queue-5.11/posix-timers-preserve-return-value-in-clock_adjtime32.patch
new file mode 100644
index 00000000000..c7de5dd4bf9
--- /dev/null
+++ b/queue-5.11/posix-timers-preserve-return-value-in-clock_adjtime32.patch
@@ -0,0 +1,42 @@
+From 2d036dfa5f10df9782f5278fc591d79d283c1fad Mon Sep 17 00:00:00 2001
+From: Chen Jun <chenjun102@huawei.com>
+Date: Wed, 14 Apr 2021 03:04:49 +0000
+Subject: posix-timers: Preserve return value in clock_adjtime32()
+
+From: Chen Jun <chenjun102@huawei.com>
+
+commit 2d036dfa5f10df9782f5278fc591d79d283c1fad upstream.
+
+The return value on success (>= 0) is overwritten by the return value of
+put_old_timex32(). That works correct in the fault case, but is wrong for
+the success case where put_old_timex32() returns 0.
+
+Just check the return value of put_old_timex32() and return -EFAULT in case
+it is not zero.
+
+[ tglx: Massage changelog ]
+
+Fixes: 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts")
+Signed-off-by: Chen Jun <chenjun102@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Richard Cochran <richardcochran@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210414030449.90692-1-chenjun102@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/posix-timers.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -1191,8 +1191,8 @@ SYSCALL_DEFINE2(clock_adjtime32, clockid
+ 
+ 	err = do_clock_adjtime(which_clock, &ktx);
+ 
+-	if (err >= 0)
+-		err = put_old_timex32(utp, &ktx);
++	if (err >= 0 && put_old_timex32(utp, &ktx))
++		return -EFAULT;
+ 
+ 	return err;
+ }
diff --git a/queue-5.11/series b/queue-5.11/series
index ec825c9c635..ba918d91df9 100644
--- a/queue-5.11/series
+++ b/queue-5.11/series
@@ -58,3 +58,6 @@ x86-build-disable-highmem64g-selection-for-m486sx.patch
 btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch
 intel_th-pci-add-rocket-lake-cpu-support.patch
 btrfs-fix-race-between-transaction-aborts-and-fsyncs-leading-to-use-after-free.patch
+posix-timers-preserve-return-value-in-clock_adjtime32.patch
+fbdev-zero-fill-colormap-in-fbcmap.c.patch
+cpuidle-tegra-fix-c7-idling-state-on-tegra114.patch