From: Greg Kroah-Hartman Date: Thu, 23 May 2024 12:41:16 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.19.315~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8622bc3005f87cef269c6ee3d262cee38eb64b7b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: admin-guide-hw-vuln-core-scheduling-fix-return-type-of-pr_sched_core_get.patch binder-fix-max_thread-type-inconsistency.patch docs-kernel_include.py-cope-with-docutils-0.21.patch keys-trusted-do-not-use-warn-when-encode-fails.patch remoteproc-mediatek-make-sure-ipi-buffer-fits-in-l2tcm.patch serial-kgdboc-fix-nmi-safety-problems-from-keyboard-reset-code.patch usb-typec-ucsi-displayport-fix-potential-deadlock.patch
---
diff --git a/queue-5.15/admin-guide-hw-vuln-core-scheduling-fix-return-type-of-pr_sched_core_get.patch b/queue-5.15/admin-guide-hw-vuln-core-scheduling-fix-return-type-of-pr_sched_core_get.patch
new file mode 100644
index 00000000000..95c45620af5
--- /dev/null
+++ b/queue-5.15/admin-guide-hw-vuln-core-scheduling-fix-return-type-of-pr_sched_core_get.patch
@@ -0,0 +1,47 @@
+From 8af2d1ab78f2342f8c4c3740ca02d86f0ebfac5a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Tue, 23 Apr 2024 12:34:25 +0200
+Subject: admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh
+
+commit 8af2d1ab78f2342f8c4c3740ca02d86f0ebfac5a upstream.
+
+sched_core_share_pid() copies the cookie to userspace with
+put_user(id, (u64 __user *)uaddr), expecting 64 bits of space.
+The "unsigned long" datatype that is documented in core-scheduling.rst
+however is only 32 bits large on 32 bit architectures.
+
+Document "unsigned long long" as the correct data type that is always
+64bits large.
+
+This matches what the selftest cs_prctl_test.c has been doing all along.
+
+Fixes: 0159bb020ca9 ("Documentation: Add usecases, design and interface for core scheduling")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/util-linux/df7a25a0-7923-4f8b-a527-5e6f0064074d@t-8ch.de/
+Signed-off-by: Thomas Weißschuh
+Reviewed-by: Chris Hyser
+Signed-off-by: Jonathan Corbet
+Link: https://lore.kernel.org/r/20240423-core-scheduling-cookie-v1-1-5753a35f8dfc@weissschuh.net
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/admin-guide/hw-vuln/core-scheduling.rst | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Documentation/admin-guide/hw-vuln/core-scheduling.rst
++++ b/Documentation/admin-guide/hw-vuln/core-scheduling.rst
+@@ -66,8 +66,8 @@ arg4:
+ will be performed for all tasks in the task group of ``pid``.
+
+ arg5:
+- userspace pointer to an unsigned long for storing the cookie returned by
+- ``PR_SCHED_CORE_GET`` command. Should be 0 for all other commands.
++ userspace pointer to an unsigned long long for storing the cookie returned
++ by ``PR_SCHED_CORE_GET`` command. Should be 0 for all other commands.
+
+ In order for a process to push a cookie to, or pull a cookie from a process, it
+ is required to have the ptrace access mode: `PTRACE_MODE_READ_REALCREDS` to the
diff --git a/queue-5.15/binder-fix-max_thread-type-inconsistency.patch b/queue-5.15/binder-fix-max_thread-type-inconsistency.patch
new file mode 100644
index 00000000000..f12b4a087bb
--- /dev/null
+++ b/queue-5.15/binder-fix-max_thread-type-inconsistency.patch
@@ -0,0 +1,51 @@
+From 42316941335644a98335f209daafa4c122f28983 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas
+Date: Sun, 21 Apr 2024 17:37:49 +0000
+Subject: binder: fix max_thread type inconsistency
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Carlos Llamas
+
+commit 42316941335644a98335f209daafa4c122f28983 upstream.
+
+The type defined for the BINDER_SET_MAX_THREADS ioctl was changed from
+size_t to __u32 in order to avoid incompatibility issues between 32 and
+64-bit kernels. However, the internal types used to copy from user and
+store the value were never updated. Use u32 to fix the inconsistency.
+
+Fixes: a9350fc859ae ("staging: android: binder: fix BINDER_SET_MAX_THREADS declaration")
+Reported-by: Arve Hjønnevåg
+Cc: stable@vger.kernel.org
+Signed-off-by: Carlos Llamas
+Reviewed-by: Alice Ryhl
+Link: https://lore.kernel.org/r/20240421173750.3117808-1-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder.c | 2 +-
+ drivers/android/binder_internal.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -5165,7 +5165,7 @@ static long binder_ioctl(struct file *fi
+ goto err;
+ break;
+ case BINDER_SET_MAX_THREADS: {
+- int max_threads;
++ u32 max_threads;
+
+ if (copy_from_user(&max_threads, ubuf,
+ sizeof(max_threads))) {
+--- a/drivers/android/binder_internal.h
++++ b/drivers/android/binder_internal.h
+@@ -420,7 +420,7 @@ struct binder_proc {
+ struct list_head todo;
+ struct binder_stats stats;
+ struct list_head delivered_death;
+- int max_threads;
++ u32 max_threads;
+ int requested_threads;
+ int requested_threads_started;
+ int tmp_ref;
diff --git a/queue-5.15/docs-kernel_include.py-cope-with-docutils-0.21.patch b/queue-5.15/docs-kernel_include.py-cope-with-docutils-0.21.patch
new file mode 100644
index 00000000000..1ffb97a855f
--- /dev/null
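Review bot: In struct binder_proc the limit is now `u32 max_threads` while the neighbouring counters stay `int requested_threads` and `int requested_threads_started`, so any comparison between a counter and the limit (the comparison sites are not in these hunks) now converts the signed side to unsigned. A user-supplied value with the top bit set, which the old `int` would have stored as a negative number, is presumably now treated as a very large limit. I would document the accepted range at the field, e.g. `/* set via BINDER_SET_MAX_THREADS; full u32 range is accepted */`, and confirm that no caller relied on the signed behaviour. Both binder_ioctl() and struct binder_proc extend beyond the hunks.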
+++ b/queue-5.15/docs-kernel_include.py-cope-with-docutils-0.21.patch 
@@ -0,0 +1,66 @@
+From d43ddd5c91802a46354fa4c4381416ef760676e2 Mon Sep 17 00:00:00 2001
+From: Akira Yokosawa
+Date: Wed, 1 May 2024 12:16:11 +0900
+Subject: docs: kernel_include.py: Cope with docutils 0.21
+
+From: Akira Yokosawa
+
+commit d43ddd5c91802a46354fa4c4381416ef760676e2 upstream.
+
+Running "make htmldocs" on a newly installed Sphinx 7.3.7 ends up in
+a build error:
+
+ Sphinx parallel build error:
+ AttributeError: module 'docutils.nodes' has no attribute 'reprunicode'
+
+docutils 0.21 has removed nodes.reprunicode, quote from release note [1]:
+
+ * Removed objects:
+
+ docutils.nodes.reprunicode, docutils.nodes.ensure_str()
+ Python 2 compatibility hacks
+
+Sphinx 7.3.0 supports docutils 0.21 [2]:
+
+kernel_include.py, whose origin is misc.py of docutils, uses reprunicode.
+
+Upstream docutils removed the offending line from the corresponding file
+(docutils/docutils/parsers/rst/directives/misc.py) in January 2022.
+Quoting the changelog [3]:
+
+ Deprecate `nodes.reprunicode` and `nodes.ensure_str()`.
+
+ Drop uses of the deprecated constructs (not required with Python 3).
+
+Do the same for kernel_include.py.
+
+Tested against:
+ - Sphinx 2.4.5 (docutils 0.17.1)
+ - Sphinx 3.4.3 (docutils 0.17.1)
+ - Sphinx 5.3.0 (docutils 0.18.1)
+ - Sphinx 6.2.1 (docutils 0.19)
+ - Sphinx 7.2.6 (docutils 0.20.1)
+ - Sphinx 7.3.7 (docutils 0.21.2)
+
+Link: http://www.docutils.org/RELEASE-NOTES.html#release-0-21-2024-04-09 [1]
+Link: https://www.sphinx-doc.org/en/master/changes.html#release-7-3-0-released-apr-16-2024 [2]
+Link: https://github.com/docutils/docutils/commit/c8471ce47a24 [3]
+Signed-off-by: Akira Yokosawa
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Corbet
+Link: https://lore.kernel.org/r/faf5fa45-2a9d-4573-9d2e-3930bdc1ed65@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/sphinx/kernel_include.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/Documentation/sphinx/kernel_include.py
++++ b/Documentation/sphinx/kernel_include.py
+@@ -94,7 +94,6 @@ class KernelInclude(Include):
+ # HINT: this is the only line I had to change / commented out:
+ #path = utils.relative_path(None, path)
+
+- path = nodes.reprunicode(path)
+ encoding = self.options.get(
+ 'encoding', self.state.document.settings.input_encoding)
+ e_handler=self.state.document.settings.input_encoding_error_handler
diff --git a/queue-5.15/keys-trusted-do-not-use-warn-when-encode-fails.patch b/queue-5.15/keys-trusted-do-not-use-warn-when-encode-fails.patch
new file mode 100644
index 00000000000..1a75425963f
--- /dev/null
+++ b/queue-5.15/keys-trusted-do-not-use-warn-when-encode-fails.patch
@@ -0,0 +1,44 @@
+From 050bf3c793a07f96bd1e2fd62e1447f731ed733b Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen
+Date: Mon, 13 May 2024 21:19:04 +0300
+Subject: KEYS: trusted: Do not use WARN when encode fails
+
+From: Jarkko Sakkinen
+
+commit 050bf3c793a07f96bd1e2fd62e1447f731ed733b upstream.
+
+When asn1_encode_sequence() fails, WARN is not the correct solution.
+
+1. asn1_encode_sequence() is not an internal function (located
+ in lib/asn1_encode.c).
+2. Location is known, which makes the stack trace useless.
+3. Results a crash if panic_on_warn is set.
+
+It is also noteworthy that the use of WARN is undocumented, and it
+should be avoided unless there is a carefully considered rationale to
+use it.
+
+Replace WARN with pr_err, and print the return value instead, which is
+only useful piece of information.
+
+Cc: stable@vger.kernel.org # v5.13+
+Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs")
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/keys/trusted-keys/trusted_tpm2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/keys/trusted-keys/trusted_tpm2.c
++++ b/security/keys/trusted-keys/trusted_tpm2.c
+@@ -84,8 +84,9 @@ static int tpm2_key_encode(struct truste
+ work1 = payload->blob;
+ work1 = asn1_encode_sequence(work1, work1 + sizeof(payload->blob),
+ scratch, work - scratch);
+- if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) {
++ if (IS_ERR(work1)) {
+ ret = PTR_ERR(work1);
++ pr_err("BUG: ASN.1 encoder failed with %d\n", ret);
+ goto err;
+ }
+
diff --git a/queue-5.15/remoteproc-mediatek-make-sure-ipi-buffer-fits-in-l2tcm.patch b/queue-5.15/remoteproc-mediatek-make-sure-ipi-buffer-fits-in-l2tcm.patch
new file mode 100644
index 00000000000..9e014fa569a
--- /dev/null
+++ b/queue-5.15/remoteproc-mediatek-make-sure-ipi-buffer-fits-in-l2tcm.patch
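Review bot: The new `pr_err()` in tpm2_key_encode() keeps the `BUG:` prefix even though the commit message argues that a failing asn1_encode_sequence() is an ordinary error return from a library helper, so log monitoring that keys on `BUG:` will keep classifying this as a kernel bug. If the failure is meant to be a normal error path, the message could drop the prefix, e.g. `pr_err("ASN.1 encoder failed with %d\n", ret);`. Whether the path can be hit repeatedly from userspace is not visible here; if it can, a rate-limited variant would keep the log usable. The function continues outside the hunk.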
@@ -0,0 +1,59 @@
+From 331f91d86f71d0bb89a44217cc0b2a22810bbd42 Mon Sep 17 00:00:00 2001
+From: AngeloGioacchino Del Regno
+Date: Thu, 21 Mar 2024 09:46:13 +0100
+Subject: remoteproc: mediatek: Make sure IPI buffer fits in L2TCM
+
+From: AngeloGioacchino Del Regno
+
+commit 331f91d86f71d0bb89a44217cc0b2a22810bbd42 upstream.
+
+The IPI buffer location is read from the firmware that we load to the
+System Companion Processor, and it's not granted that both the SRAM
+(L2TCM) size that is defined in the devicetree node is large enough
+for that, and while this is especially true for multi-core SCP, it's
+still useful to check on single-core variants as well.
+
+Failing to perform this check may make this driver perform R/W
+operations out of the L2TCM boundary, resulting (at best) in a
+kernel panic.
+
+To fix that, check that the IPI buffer fits, otherwise return a
+failure and refuse to boot the relevant SCP core (or the SCP at
+all, if this is single core).
+
+Fixes: 3efa0ea743b7 ("remoteproc/mediatek: read IPI buffer offset from FW")
+Signed-off-by: AngeloGioacchino Del Regno
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240321084614.45253-2-angelogioacchino.delregno@collabora.com
+Signed-off-by: Mathieu Poirier
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/remoteproc/mtk_scp.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/mtk_scp.c
++++ b/drivers/remoteproc/mtk_scp.c
+@@ -126,7 +126,7 @@ static int scp_elf_read_ipi_buf_addr(str
+ static int scp_ipi_init(struct mtk_scp *scp, const struct firmware *fw)
+ {
+ int ret;
+- size_t offset;
++ size_t buf_sz, offset;
+
+ /* read the ipi buf addr from FW itself first */
+ ret = scp_elf_read_ipi_buf_addr(scp, fw, &offset);
+@@ -138,6 +138,14 @@ static int scp_ipi_init(struct mtk_scp *
+ }
+ dev_info(scp->dev, "IPI buf addr %#010zx\n", offset);
+
++ /* Make sure IPI buffer fits in the L2TCM range assigned to this core */
++ buf_sz = sizeof(*scp->recv_buf) + sizeof(*scp->send_buf);
++
++ if (scp->sram_size < buf_sz + offset) {
++ dev_err(scp->dev, "IPI buffer does not fit in SRAM.\n");
++ return -EOVERFLOW;
++ }
++
+ scp->recv_buf = (struct mtk_share_obj __iomem *)
+ (scp->sram_base + offset);
+ scp->send_buf = (struct mtk_share_obj __iomem *)
diff --git a/queue-5.15/serial-kgdboc-fix-nmi-safety-problems-from-keyboard-reset-code.patch b/queue-5.15/serial-kgdboc-fix-nmi-safety-problems-from-keyboard-reset-code.patch
new file mode 100644
index 00000000000..23282587fde
--- /dev/null
+++ b/queue-5.15/serial-kgdboc-fix-nmi-safety-problems-from-keyboard-reset-code.patch
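Review bot: The added bounds check in scp_ipi_init() evaluates `buf_sz + offset` before comparing it with `scp->sram_size`, and `offset` is read from the firmware image, so on a build where size_t is 32 bits a large enough offset can wrap the sum and slip past the check. Writing the test without the addition closes that gap: `if (offset > scp->sram_size || scp->sram_size - offset < buf_sz) {`. The check also relies on send_buf being placed directly after recv_buf; the send_buf assignment is cut off at the end of the hunk, so that layout should be confirmed against the rest of the function.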
@@ -0,0 +1,95 @@
+From b2aba15ad6f908d1a620fd97f6af5620c3639742 Mon Sep 17 00:00:00 2001
+From: Daniel Thompson
+Date: Wed, 24 Apr 2024 15:21:41 +0100
+Subject: serial: kgdboc: Fix NMI-safety problems from keyboard reset code
+
+From: Daniel Thompson
+
+commit b2aba15ad6f908d1a620fd97f6af5620c3639742 upstream.
+
+Currently, when kdb is compiled with keyboard support, then we will use
+schedule_work() to provoke reset of the keyboard status. Unfortunately
+schedule_work() gets called from the kgdboc post-debug-exception
+handler. That risks deadlock since schedule_work() is not NMI-safe and,
+even on platforms where the NMI is not directly used for debugging, the
+debug trap can have NMI-like behaviour depending on where breakpoints
+are placed.
+
+Fix this by using the irq work system, which is NMI-safe, to defer the
+call to schedule_work() to a point when it is safe to call.
+
+Reported-by: Liuye
+Closes: https://lore.kernel.org/all/20240228025602.3087748-1-liu.yeC@h3c.com/
+Cc: stable@vger.kernel.org
+Reviewed-by: Douglas Anderson
+Acked-by: Greg Kroah-Hartman
+Link: https://lore.kernel.org/r/20240424-kgdboc_fix_schedule_work-v2-1-50f5a490aec5@linaro.org
+Signed-off-by: Daniel Thompson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/kgdboc.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/kgdboc.c
++++ b/drivers/tty/serial/kgdboc.c
+@@ -19,6 +19,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -48,6 +49,25 @@ static struct kgdb_io kgdboc_earlycon_i
+ static int (*earlycon_orig_exit)(struct console *con);
+ #endif /* IS_BUILTIN(CONFIG_KGDB_SERIAL_CONSOLE) */
+
++/*
++ * When we leave the debug trap handler we need to reset the keyboard status
++ * (since the original keyboard state gets partially clobbered by kdb use of
++ * the keyboard).
++ *
++ * The path to deliver the reset is somewhat circuitous.
++ *
++ * To deliver the reset we register an input handler, reset the keyboard and
++ * then deregister the input handler. However, to get this done right, we do
++ * have to carefully manage the calling context because we can only register
++ * input handlers from task context.
++ *
++ * In particular we need to trigger the action from the debug trap handler with
++ * all its NMI and/or NMI-like oddities. To solve this the kgdboc trap exit code
++ * (the "post_exception" callback) uses irq_work_queue(), which is NMI-safe, to
++ * schedule a callback from a hardirq context. From there we have to defer the
++ * work again, this time using schedule_work(), to get a callback using the
++ * system workqueue, which runs in task context.
++ */
+ #ifdef CONFIG_KDB_KEYBOARD
+ static int kgdboc_reset_connect(struct input_handler *handler,
+ struct input_dev *dev,
+@@ -99,10 +119,17 @@ static void kgdboc_restore_input_helper(
+
+ static DECLARE_WORK(kgdboc_restore_input_work, kgdboc_restore_input_helper);
+
++static void kgdboc_queue_restore_input_helper(struct irq_work *unused)
++{
++ schedule_work(&kgdboc_restore_input_work);
++}
++
++static DEFINE_IRQ_WORK(kgdboc_restore_input_irq_work, kgdboc_queue_restore_input_helper);
++
+ static void kgdboc_restore_input(void)
+ {
+ if (likely(system_state == SYSTEM_RUNNING))
+- schedule_work(&kgdboc_restore_input_work);
++ irq_work_queue(&kgdboc_restore_input_irq_work);
+ }
+
+ static int kgdboc_register_kbd(char **cptr)
+@@ -133,6 +160,7 @@ static void kgdboc_unregister_kbd(void)
+ i--;
+ }
+ }
++ irq_work_sync(&kgdboc_restore_input_irq_work);
+ flush_work(&kgdboc_restore_input_work);
+ }
+ #else /* ! CONFIG_KDB_KEYBOARD */
diff --git a/queue-5.15/series b/queue-5.15/series
index 730febfc6fa..be77aa06c4e 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
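Review bot: The order of the two drain calls in kgdboc_unregister_kbd() is load-bearing but nothing in the code says so: the irq work callback is what calls `schedule_work()`, so `irq_work_sync()` must complete before `flush_work()`, otherwise a late callback could queue the work item after it has been flushed. A short comment above the added call would stop a later cleanup from swapping them, e.g. `/* irq work may still queue kgdboc_restore_input_work; sync it before flushing */`. The function starts outside the hunk.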
@@ -14,3 +14,10 @@ netlink-annotate-lockless-accesses-to-nlk-max_recvmsg_len.patch
 netlink-annotate-data-races-around-sk-sk_err.patch
 kvm-x86-clear-has_error_code-not-error_code-for-rm-exception-injection.patch
 drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch
+binder-fix-max_thread-type-inconsistency.patch
+usb-typec-ucsi-displayport-fix-potential-deadlock.patch
+serial-kgdboc-fix-nmi-safety-problems-from-keyboard-reset-code.patch
+remoteproc-mediatek-make-sure-ipi-buffer-fits-in-l2tcm.patch
+keys-trusted-do-not-use-warn-when-encode-fails.patch
+admin-guide-hw-vuln-core-scheduling-fix-return-type-of-pr_sched_core_get.patch
+docs-kernel_include.py-cope-with-docutils-0.21.patch
diff --git a/queue-5.15/usb-typec-ucsi-displayport-fix-potential-deadlock.patch b/queue-5.15/usb-typec-ucsi-displayport-fix-potential-deadlock.patch
new file mode 100644
index 00000000000..290180397f8
--- /dev/null
+++ b/queue-5.15/usb-typec-ucsi-displayport-fix-potential-deadlock.patch
@@ -0,0 +1,51 @@
+From b791a67f68121d69108640d4a3e591d210ffe850 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus
+Date: Tue, 7 May 2024 16:43:16 +0300
+Subject: usb: typec: ucsi: displayport: Fix potential deadlock
+
+From: Heikki Krogerus
+
+commit b791a67f68121d69108640d4a3e591d210ffe850 upstream.
+
+The function ucsi_displayport_work() does not access the
+connector, so it also must not acquire the connector lock.
+
+This fixes a potential deadlock scenario:
+
+ucsi_displayport_work() -> lock(&con->lock)
+typec_altmode_vdm()
+dp_altmode_vdm()
+dp_altmode_work()
+typec_altmode_enter()
+ucsi_displayport_enter() -> lock(&con->lock)
+
+Reported-by: Mathias Nyman
+Fixes: af8622f6a585 ("usb: typec: ucsi: Support for DisplayPort alt mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/20240507134316.161999-1-heikki.krogerus@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/ucsi/displayport.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/usb/typec/ucsi/displayport.c
++++ b/drivers/usb/typec/ucsi/displayport.c
+@@ -275,8 +275,6 @@ static void ucsi_displayport_work(struct
+ struct ucsi_dp *dp = container_of(work, struct ucsi_dp, work);
+ int ret;
+
+- mutex_lock(&dp->con->lock);
+-
+ ret = typec_altmode_vdm(dp->alt, dp->header,
+ dp->vdo_data, dp->vdo_size);
+ if (ret)
+@@ -285,8 +283,6 @@ static void ucsi_displayport_work(struct
+ dp->vdo_data = NULL;
+ dp->vdo_size = 0;
+ dp->header = 0;
+-
+- mutex_unlock(&dp->con->lock);
+ }
+
+ void ucsi_displayport_remove_partner(struct typec_altmode *alt)