From: Greg Kroah-Hartman
Date: Tue, 30 Jul 2024 09:12:21 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v6.1.103~50
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=794da7c7f8dcc249df41aeb9f25d4c771f0fd4d3;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
clk-davinci-da8xx-cfgchip-initialize-clk_init_data-before-use.patch
decompress_bunzip2-fix-rare-decompression-failure.patch
kobject_uevent-fix-oob-access-within-zap_modalias_env.patch
rtc-cmos-fix-return-value-of-nvmem-callbacks.patch
ubi-eba-properly-rollback-inside-self_check_eba.patch
---
diff --git a/queue-4.19/clk-davinci-da8xx-cfgchip-initialize-clk_init_data-before-use.patch b/queue-4.19/clk-davinci-da8xx-cfgchip-initialize-clk_init_data-before-use.patch
new file mode 100644
index 00000000000..8f375cbb449
--- /dev/null
+++ b/queue-4.19/clk-davinci-da8xx-cfgchip-initialize-clk_init_data-before-use.patch
@@ -0,0 +1,46 @@
+From a83b22754e351f13fb46596c85f667dc33da71ec Mon Sep 17 00:00:00 2001
+From: Bastien Curutchet
+Date: Thu, 18 Jul 2024 13:55:34 +0200
+Subject: clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use
+
+From: Bastien Curutchet
+
+commit a83b22754e351f13fb46596c85f667dc33da71ec upstream.
+
+The flag attribute of the struct clk_init_data isn't initialized before
+the devm_clk_hw_register() call. This can lead to unexpected behavior
+during registration.
+
+Initialize the entire clk_init_data to zero at declaration.
+
+Cc: stable@vger.kernel.org
+Fixes: 58e1e2d2cd89 ("clk: davinci: cfgchip: Add TI DA8XX USB PHY clocks")
+Signed-off-by: Bastien Curutchet
+Reviewed-by: David Lechner
+Link: https://lore.kernel.org/r/20240718115534.41513-1-bastien.curutchet@bootlin.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/davinci/da8xx-cfgchip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/davinci/da8xx-cfgchip.c
++++ b/drivers/clk/davinci/da8xx-cfgchip.c
+@@ -507,7 +507,7 @@ da8xx_cfgchip_register_usb0_clk48(struct
+ const char * const parent_names[] = { "usb_refclkin", "pll0_auxclk" };
+ struct clk *fck_clk;
+ struct da8xx_usb0_clk48 *usb0;
+- struct clk_init_data init;
++ struct clk_init_data init = {};
+ int ret;
+
+ fck_clk = devm_clk_get(dev, "fck");
+@@ -581,7 +581,7 @@ da8xx_cfgchip_register_usb1_clk48(struct
+ {
+ const char * const parent_names[] = { "usb0_clk48", "usb_refclkin" };
+ struct da8xx_usb1_clk48 *usb1;
+- struct clk_init_data init;
++ struct clk_init_data init = {};
+ int ret;
+
+ usb1 = devm_kzalloc(dev, sizeof(*usb1), GFP_KERNEL);
diff --git a/queue-4.19/decompress_bunzip2-fix-rare-decompression-failure.patch b/queue-4.19/decompress_bunzip2-fix-rare-decompression-failure.patch
new file mode 100644
index 00000000000..0bcb5d142e4
--- /dev/null
+++ b/queue-4.19/decompress_bunzip2-fix-rare-decompression-failure.patch
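Review bot: The two `init = {}` initializers fix the uninitialized `.flags`, but nothing at the declaration records why the empty initializer is load-bearing, so a later cleanup can drop it as noise and silently reintroduce stack garbage in the flags bitmask (depending on which bits land set, that can change gating or parent behavior of the registered clock). I would put a one-line comment above each declaration: `/* zero .flags and any member not assigned explicitly below */`. Both da8xx_cfgchip_register_usb0_clk48 and da8xx_cfgchip_register_usb1_clk48 continue past the hunk, so the later member assignments and the devm_clk_hw_register() call are not visible here.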
@@ -0,0 +1,41 @@
+From bf6acd5d16057d7accbbb1bf7dc6d8c56eeb4ecc Mon Sep 17 00:00:00 2001
+From: Ross Lagerwall
+Date: Wed, 17 Jul 2024 17:20:16 +0100
+Subject: decompress_bunzip2: fix rare decompression failure
+
+From: Ross Lagerwall
+
+commit bf6acd5d16057d7accbbb1bf7dc6d8c56eeb4ecc upstream.
+
+The decompression code parses a huffman tree and counts the number of
+symbols for a given bit length. In rare cases, there may be >= 256
+symbols with a given bit length, causing the unsigned char to overflow.
+This causes a decompression failure later when the code tries and fails to
+find the bit length for a given symbol.
+
+Since the maximum number of symbols is 258, use unsigned short instead.
+
+Link: https://lkml.kernel.org/r/20240717162016.1514077-1-ross.lagerwall@citrix.com
+Fixes: bc22c17e12c1 ("bzip2/lzma: library support for gzip, bzip2 and lzma decompression")
+Signed-off-by: Ross Lagerwall
+Cc: Alain Knaff
+Cc: "H. Peter Anvin"
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/decompress_bunzip2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/lib/decompress_bunzip2.c
++++ b/lib/decompress_bunzip2.c
+@@ -232,7 +232,8 @@ static int INIT get_next_block(struct bu
+ RUNB) */
+ symCount = symTotal+2;
+ for (j = 0; j < groupCount; j++) {
+- unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1];
++ unsigned char length[MAX_SYMBOLS];
++ unsigned short temp[MAX_HUFCODE_BITS+1];
+ int minLen, maxLen, pp;
+ /* Read Huffman code lengths for each symbol. They're
+ stored in a way similar to mtf; record a starting
diff --git a/queue-4.19/kobject_uevent-fix-oob-access-within-zap_modalias_env.patch b/queue-4.19/kobject_uevent-fix-oob-access-within-zap_modalias_env.patch
new file mode 100644
index 00000000000..6176fd13a2e
--- /dev/null
+++ b/queue-4.19/kobject_uevent-fix-oob-access-within-zap_modalias_env.patch
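Review bot: `temp[]` is widened to `unsigned short` while `length[]` stays `unsigned char`, and nothing at the declarations says why the two arrays need different widths, so the next reader may either "fix" `length[]` too or shrink `temp[]` back. I would add a comment on the new line: `/* per-code-length symbol counts; up to 258 symbols can share one length, so an 8-bit counter wraps */`, and, if the values stored in `length[]` are bounded by MAX_HUFCODE_BITS as its use as an index into `temp[]` suggests, note that the narrower type there is intentional. It is also worth checking, outside this hunk, that every consumer of `temp[]` in the limit/base computation is plain `int` arithmetic so the widened count is not re-truncated on the way out. get_next_block continues past the hunk.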
@@ -0,0 +1,50 @@
+From dd6e9894b451e7c85cceb8e9dc5432679a70e7dc Mon Sep 17 00:00:00 2001
+From: Zijun Hu
+Date: Thu, 30 May 2024 21:14:37 +0800
+Subject: kobject_uevent: Fix OOB access within zap_modalias_env()
+
+From: Zijun Hu
+
+commit dd6e9894b451e7c85cceb8e9dc5432679a70e7dc upstream.
+
+zap_modalias_env() wrongly calculates size of memory block to move, so
+will cause OOB memory access issue if variable MODALIAS is not the last
+one within its @env parameter, fixed by correcting size to memmove.
+
+Fixes: 9b3fa47d4a76 ("kobject: fix suppressing modalias in uevents delivered over netlink")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu
+Reviewed-by: Lk Sii
+Link: https://lore.kernel.org/r/1717074877-11352-1-git-send-email-quic_zijuhu@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/kobject_uevent.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/lib/kobject_uevent.c
++++ b/lib/kobject_uevent.c
+@@ -430,8 +430,23 @@ static void zap_modalias_env(struct kobj
+ len = strlen(env->envp[i]) + 1;
+
+ if (i != env->envp_idx - 1) {
++ /* @env->envp[] contains pointers to @env->buf[]
++ * with @env->buflen chars, and we are removing
++ * variable MODALIAS here pointed by @env->envp[i]
++ * with length @len as shown below:
++ *
++ * 0 @env->buf[] @env->buflen
++ * ---------------------------------------------
++ * ^ ^ ^ ^
++ * | |-> @len <-| target block |
++ * @env->envp[0] @env->envp[i] @env->envp[i + 1]
++ *
++ * so the "target block" indicated above is moved
++ * backward by @len, and its right size is
++ * @env->buflen - (@env->envp[i + 1] - @env->envp[0]).
++ */
+ memmove(env->envp[i], env->envp[i + 1],
+- env->buflen - len);
++ env->buflen - (env->envp[i + 1] - env->envp[0]));
+
+ for (j = i; j < env->envp_idx - 1; j++)
+ env->envp[j] = env->envp[j + 1] - len;
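Review bot: The corrected memmove length is right, but it encodes the invariant "the first variable starts at the beginning of the buffer" indirectly through `env->envp[0]`; if add_uevent_var is what guarantees that (it appears to, but it is outside this hunk), writing `env->buflen - (env->envp[i + 1] - env->buf)` states the dependency on `buf` directly and cannot drift if the first entry is ever zapped or reordered. The subtraction also mixes a `ptrdiff_t` pointer difference with the `int` `buflen`; both are bounded by the uevent buffer size so it is safe in practice, but a `(size_t)` cast or a local `size_t tail` would make the conversion explicit and easier to audit. The `buflen -= len` / `envp_idx--` bookkeeping that the diagram's reasoning depends on sits below the hunk and is not visible here; zap_modalias_env continues past it. The drawing's "its right size" would read better as "its size".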
diff --git a/queue-4.19/rtc-cmos-fix-return-value-of-nvmem-callbacks.patch b/queue-4.19/rtc-cmos-fix-return-value-of-nvmem-callbacks.patch
new file mode 100644
index 00000000000..a3028f52e7d
--- /dev/null
+++ b/queue-4.19/rtc-cmos-fix-return-value-of-nvmem-callbacks.patch
@@ -0,0 +1,77 @@
+From 1c184baccf0d5e2ef4cc1562261d0e48508a1c2b Mon Sep 17 00:00:00 2001
+From: Joy Chakraborty
+Date: Wed, 12 Jun 2024 08:36:35 +0000
+Subject: rtc: cmos: Fix return value of nvmem callbacks
+
+From: Joy Chakraborty
+
+commit 1c184baccf0d5e2ef4cc1562261d0e48508a1c2b upstream.
+
+Read/write callbacks registered with nvmem core expect 0 to be returned
+on success and a negative value to be returned on failure.
+
+cmos_nvram_read()/cmos_nvram_write() currently return the number of
+bytes read or written, fix to return 0 on success and -EIO incase number
+of bytes requested was not read or written.
+
+Fixes: 8b5b7958fd1c ("rtc: cmos: use generic nvmem")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joy Chakraborty
+Reviewed-by: Dan Carpenter
+Link: https://lore.kernel.org/r/20240612083635.1253039-1-joychakr@google.com
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rtc/rtc-cmos.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/rtc/rtc-cmos.c
++++ b/drivers/rtc/rtc-cmos.c
+@@ -601,11 +601,10 @@ static int cmos_nvram_read(void *priv, u
+ size_t count)
+ {
+ unsigned char *buf = val;
+- int retval;
+
+ off += NVRAM_OFFSET;
+ spin_lock_irq(&rtc_lock);
+- for (retval = 0; count; count--, off++, retval++) {
++ for (; count; count--, off++) {
+ if (off < 128)
+ *buf++ = CMOS_READ(off);
+ else if (can_bank2)
+@@ -615,7 +614,7 @@ static int cmos_nvram_read(void *priv, u
+ }
+ spin_unlock_irq(&rtc_lock);
+
+- return retval;
++ return count ? -EIO : 0;
+ }
+
+ static int cmos_nvram_write(void *priv, unsigned int off, void *val,
+@@ -623,7 +622,6 @@ static int cmos_nvram_write(void *priv,
+ {
+ struct cmos_rtc *cmos = priv;
+ unsigned char *buf = val;
+- int retval;
+
+ /* NOTE: on at least PCs and Ataris, the boot firmware uses a
+ * checksum on part of the NVRAM data.
That's currently ignored
+@@ -632,7 +630,7 @@ static int cmos_nvram_write(void *priv,
+ */
+ off += NVRAM_OFFSET;
+ spin_lock_irq(&rtc_lock);
+- for (retval = 0; count; count--, off++, retval++) {
++ for (; count; count--, off++) {
+ /* don't trash RTC registers */
+ if (off == cmos->day_alrm
+ || off == cmos->mon_alrm
+@@ -647,7 +645,7 @@ static int cmos_nvram_write(void *priv,
+ }
+ spin_unlock_irq(&rtc_lock);
+
+- return retval;
++ return count ? -EIO : 0;
+ }
+
+ /*----------------------------------------------------------------*/
diff --git a/queue-4.19/series b/queue-4.19/series
index 777cd7a2568..8762b9f5b11 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -79,3 +79,8 @@ pci-hv-return-zero-not-garbage-when-reading-pci_interrupt_pin.patch
 binder-fix-hang-of-unregistered-readers.patch
 scsi-qla2xxx-return-enobufs-if-sg_cnt-is-more-than-one-for-els-cmds.patch
 f2fs-fix-to-don-t-dirty-inode-for-readonly-filesystem.patch
+clk-davinci-da8xx-cfgchip-initialize-clk_init_data-before-use.patch
+ubi-eba-properly-rollback-inside-self_check_eba.patch
+decompress_bunzip2-fix-rare-decompression-failure.patch
+kobject_uevent-fix-oob-access-within-zap_modalias_env.patch
+rtc-cmos-fix-return-value-of-nvmem-callbacks.patch
diff --git a/queue-4.19/ubi-eba-properly-rollback-inside-self_check_eba.patch b/queue-4.19/ubi-eba-properly-rollback-inside-self_check_eba.patch
new file mode 100644
index 00000000000..c83505f29d8
--- /dev/null
+++ b/queue-4.19/ubi-eba-properly-rollback-inside-self_check_eba.patch
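Review bot: In cmos_nvram_write the new `return count ? -EIO : 0;` only reports the case where the loop left early, so a write that covers `cmos->day_alrm`, `cmos->mon_alrm` or the century register returns 0 even though, if the "don't trash RTC registers" branch merely skips the byte (its body is cut off after `|| off == cmos->mon_alrm`, so I am inferring), those bytes were silently dropped and a readback will not match what userspace wrote. That is a pre-existing behaviour the commit does not address, but it is now hidden behind a clean success code; I would at least document it above the loop, `/* bytes aimed at the alarm/century registers are dropped silently, not reported */`, or count skipped bytes and fail the write. The `-EIO` path itself should only be reachable for bank-2 offsets without `can_bank2`, which the nvmem core's size check ought to prevent, so it is effectively a defensive error rather than a real I/O failure and a comment saying so would help. Both cmos_nvram_read and cmos_nvram_write have context between the hunks that is not visible here.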
@@ -0,0 +1,44 @@
+From 745d9f4a31defec731119ee8aad8ba9f2536dd9a Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin
+Date: Thu, 29 Feb 2024 23:42:36 +0300
+Subject: ubi: eba: properly rollback inside self_check_eba
+
+From: Fedor Pchelkin
+
+commit 745d9f4a31defec731119ee8aad8ba9f2536dd9a upstream.
+
+In case of a memory allocation failure in the volumes loop we can only
+process the already allocated scan_eba and fm_eba array elements on the
+error path - others are still uninitialized.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: 00abf3041590 ("UBI: Add self_check_eba()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin
+Reviewed-by: Zhihao Cheng
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/ubi/eba.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/ubi/eba.c
++++ b/drivers/mtd/ubi/eba.c
+@@ -1573,6 +1573,7 @@ int self_check_eba(struct ubi_device *ub
+ GFP_KERNEL);
+ if (!fm_eba[i]) {
+ ret = -ENOMEM;
++ kfree(scan_eba[i]);
+ goto out_free;
+ }
+
+@@ -1608,7 +1609,7 @@ int self_check_eba(struct ubi_device *ub
+ }
+
+ out_free:
+- for (i = 0; i < num_volumes; i++) {
++ while (--i >= 0) {
+ if (!ubi->volumes[i])
+ continue;
+
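Review bot: `while (--i >= 0)` is correct only under two conditions the hunk does not state: `i` must be a signed type (with an unsigned index the loop would never terminate and would read below the arrays), and every path into `out_free` must arrive with `i` equal to the number of volume slots whose `scan_eba`/`fm_eba` arrays were allocated. The allocation loop satisfies the second, but if any later loop before `out_free` reuses `i` and can jump to the label (not visible in the hunk), it would now leak the slots above `i`; I would pin this with a comment at the label, `/* i == number of slots whose scan_eba/fm_eba were allocated */`. The added `kfree(scan_eba[i])` is needed precisely because the cleanup loop no longer visits index `i`, which is worth saying inline: `kfree(scan_eba[i]); /* out_free stops at i - 1 */`. The declaration of `i` and the body of self_check_eba between the two hunks are outside the view.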