From: Sasha Levin Date: Mon, 19 Sep 2022 12:26:45 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v4.9.329~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=debc81302a4ef70f5fa7b1b04781d68363e7aa56;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/efi-libstub-disable-shadow-call-stack.patch b/queue-4.19/efi-libstub-disable-shadow-call-stack.patch new file mode 100644 index 00000000000..7ee291a30b4 --- /dev/null +++ b/queue-4.19/efi-libstub-disable-shadow-call-stack.patch @@ -0,0 +1,39 @@ +From 617bdc131a75a444da24b369185c61fd864cba4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 09:00:18 -0700 +Subject: efi/libstub: Disable Shadow Call Stack + +From: Sami Tolvanen + +[ Upstream commit cc49c71d2abe99c1c2c9bedf0693ad2d3ee4a067 ] + +Shadow stacks are not available in the EFI stub, filter out SCS flags. + +Suggested-by: James Morse +Signed-off-by: Sami Tolvanen +Reviewed-by: Kees Cook +Acked-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Stable-dep-of: 1a3887924a7e ("efi: libstub: Disable struct randomization") +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile +index d3777d754984..e0cff3b942ac 100644 +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -31,6 +31,9 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \ + $(call cc-option,-fno-addrsig) \ + -D__DISABLE_EXPORTS + ++# remove SCS flags from all objects in this directory ++KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS)) ++ + GCOV_PROFILE := n + KASAN_SANITIZE := n + UBSAN_SANITIZE := n +-- +2.35.1 + diff --git a/queue-4.19/efi-libstub-disable-struct-randomization.patch b/queue-4.19/efi-libstub-disable-struct-randomization.patch new file mode 100644 index 00000000000..1b618a27378 
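Review bot: the `filter-out` in the libstub Makefile hunk only does something if `CC_FLAGS_SCS` is defined in this tree; where the variable is empty, `$(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS))` expands to a no-op, which is harmless but means the patch is carried purely so that the next one applies, as the `Stable-dep-of: 1a3887924a7e` trailer indicates. A one-line backport note saying so would save the next reader from wondering where Shadow Call Stack came from in 4.19. The placement itself is right: the filter runs after `KBUILD_CFLAGS` has been assembled from `$(cflags-y)` and `-D__DISABLE_EXPORTS`, so any SCS flags inherited from the arch cflags are stripped rather than appended back. A quick check when queuing is to build with `V=1` and confirm no shadow-call-stack option appears on the compile lines for objects under `drivers/firmware/efi/libstub/`.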
--- /dev/null +++ b/queue-4.19/efi-libstub-disable-struct-randomization.patch 
@@ -0,0 +1,56 @@ +From 647b9e3ae48fd6671991e42990051a828b138273 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 19:20:33 +0200 +Subject: efi: libstub: Disable struct randomization + +From: Ard Biesheuvel + +[ Upstream commit 1a3887924a7e6edd331be76da7bf4c1e8eab4b1e ] + +The EFI stub is a wrapper around the core kernel that makes it look like +a EFI compatible PE/COFF application to the EFI firmware. EFI +applications run on top of the EFI runtime, which is heavily based on +so-called protocols, which are struct types consisting [mostly] of +function pointer members that are instantiated and recorded in a +protocol database. + +These structs look like the ideal randomization candidates to the +randstruct plugin (as they only carry function pointers), but of course, +these protocols are contracts between the firmware that exposes them, +and the EFI applications (including our stubbed kernel) that invoke +them. This means that struct randomization for EFI protocols is not a +great idea, and given that the stub shares very little data with the +core kernel that is represented as a randomizable struct, we're better +off just disabling it completely here. 
+ +Cc: # v4.14+ +Reported-by: Daniel Marth +Tested-by: Daniel Marth +Signed-off-by: Ard Biesheuvel +Acked-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/Makefile | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile +index e0cff3b942ac..7fad5d90898b 100644 +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -31,6 +31,13 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \ + $(call cc-option,-fno-addrsig) \ + -D__DISABLE_EXPORTS + ++# ++# struct randomization only makes sense for Linux internal types, which the EFI ++# stub code never touches, so let's turn off struct randomization for the stub ++# altogether ++# ++KBUILD_CFLAGS := $(filter-out $(RANDSTRUCT_CFLAGS), $(KBUILD_CFLAGS)) ++ + # remove SCS flags from all objects in this directory + KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS)) + +-- +2.35.1 + diff --git a/queue-4.19/mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch b/queue-4.19/mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch new file mode 100644 index 00000000000..5eed70d48ff --- /dev/null +++ b/queue-4.19/mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch 
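Review bot: the fix is only effective if `RANDSTRUCT_CFLAGS` is actually populated by this tree's build scripts; if the 4.19 gcc-plugin Makefiles carry the randomize_layout plugin options under a different variable name, the `filter-out` of an empty `$(RANDSTRUCT_CFLAGS)` in this hunk is a silent no-op and the stub keeps being built with struct randomization, which is exactly the condition the commit message describes as breaking the protocol contract with the firmware. Before queuing, grep the tree for the variable name, or build with `V=1` and confirm the compile lines for `drivers/firmware/efi/libstub/` objects no longer load the randomize_layout plugin. The ordering within the hunk is fine: the new filter lands directly above the existing `KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS))` line, and the second assignment operates on the already-filtered value, so the two exclusions compose.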
@@ -0,0 +1,104 @@ +From 5eb23f2971df4366d2eb73db722e7c3358816f76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Aug 2019 12:17:28 +0200 +Subject: mvpp2: no need to check return value of debugfs_create functions + +From: Greg Kroah-Hartman + +[ Upstream commit e6882aa623f6fe0d80fa82ebf3ee78c353bffbe1 ] + +When calling debugfs functions, there is no need to ever check the +return value. The function can work or not, but the code logic should +never do something different based on this. + +Cc: "David S. Miller" +Cc: Maxime Chevallier +Cc: Nick Desaulniers +Cc: Nathan Huckleberry +Cc: netdev@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Stable-dep-of: fe2c9c61f668 ("net: mvpp2: debugfs: fix memory leak when using debugfs_lookup()") +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/mvpp2/mvpp2_debugfs.c | 19 +------------------ + 1 file changed, 1 insertion(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +index f9744a61e5dd..87d9cbe10cec 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +@@ -484,8 +484,6 @@ static int mvpp2_dbgfs_flow_port_init(struct dentry *parent, + struct dentry *port_dir; + + port_dir = debugfs_create_dir(port->dev->name, parent); +- if (IS_ERR(port_dir)) +- return PTR_ERR(port_dir); + + /* This will be freed by 'hash_opts' release op */ + port_entry = kmalloc(sizeof(*port_entry), GFP_KERNEL); +@@ -515,8 +513,6 @@ static int mvpp2_dbgfs_flow_entry_init(struct dentry *parent, + sprintf(flow_entry_name, "%02d", flow); + + flow_entry_dir = debugfs_create_dir(flow_entry_name, parent); +- if (!flow_entry_dir) +- return -ENOMEM; + + /* This will be freed by 'type' release op */ + entry = kmalloc(sizeof(*entry), GFP_KERNEL); +@@ -554,8 +550,6 @@ static int mvpp2_dbgfs_flow_init(struct dentry *parent, struct mvpp2 *priv) + int i, ret; + + 
flow_dir = debugfs_create_dir("flows", parent); +- if (!flow_dir) +- return -ENOMEM; + + for (i = 0; i < MVPP2_N_FLOWS; i++) { + ret = mvpp2_dbgfs_flow_entry_init(flow_dir, priv, i); +@@ -579,8 +573,6 @@ static int mvpp2_dbgfs_prs_entry_init(struct dentry *parent, + sprintf(prs_entry_name, "%03d", tid); + + prs_entry_dir = debugfs_create_dir(prs_entry_name, parent); +- if (!prs_entry_dir) +- return -ENOMEM; + + /* The 'valid' entry's ops will free that */ + entry = kmalloc(sizeof(*entry), GFP_KERNEL); +@@ -618,8 +610,6 @@ static int mvpp2_dbgfs_prs_init(struct dentry *parent, struct mvpp2 *priv) + int i, ret; + + prs_dir = debugfs_create_dir("parser", parent); +- if (!prs_dir) +- return -ENOMEM; + + for (i = 0; i < MVPP2_PRS_TCAM_SRAM_SIZE; i++) { + ret = mvpp2_dbgfs_prs_entry_init(prs_dir, priv, i); +@@ -636,8 +626,6 @@ static int mvpp2_dbgfs_port_init(struct dentry *parent, + struct dentry *port_dir; + + port_dir = debugfs_create_dir(port->dev->name, parent); +- if (IS_ERR(port_dir)) +- return PTR_ERR(port_dir); + + debugfs_create_file("parser_entries", 0444, port_dir, port, + &mvpp2_dbgfs_port_parser_fops); +@@ -671,15 +659,10 @@ void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name) + int ret, i; + + mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL); +- if (!mvpp2_root) { ++ if (!mvpp2_root) + mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL); +- if (IS_ERR(mvpp2_root)) +- return; +- } + + mvpp2_dir = debugfs_create_dir(name, mvpp2_root); +- if (IS_ERR(mvpp2_dir)) +- return; + + priv->dbgfs_dir = mvpp2_dir; + +-- +2.35.1 + diff --git a/queue-4.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch b/queue-4.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch new file mode 100644 index 00000000000..6c2dd8f111f --- /dev/null +++ b/queue-4.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch 
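Review bot: the removed checks were already dead or inconsistent, which is worth stating in the backport: `debugfs_create_dir()` returns an error pointer rather than NULL on failure, so the `if (!flow_entry_dir) return -ENOMEM;` style checks in the hunks at lines 513, 550, 573 and 610 could never fire, while the `IS_ERR(port_dir)` checks at 484 and 626 could. After this change an error pointer is passed on as the parent of the subsequent `debugfs_create_file()` and `debugfs_create_dir()` calls, which debugfs handles by returning the error for the child as well, and a failed debug interface no longer aborts the driver's own initialisation. The `kmalloc()` failure paths directly below each removed check are outside the hunks and still have to return on their own; worth eyeballing once that nothing relied on the directory check to short-circuit before the allocation.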
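Review bot: the hunk at `mvpp2_dbgfs_init()` keeps `debugfs_lookup(MVPP2_DRIVER_NAME, NULL)` while removing the `IS_ERR(mvpp2_root)` bail-out, which leaves two things visible here: `debugfs_lookup()` returns a dentry with a reference taken and nothing in the function calls `dput()` on it, and if `debugfs_create_dir()` fails the error pointer is now stored in `mvpp2_root` and used as the parent for `debugfs_create_dir(name, mvpp2_root)`. The second is benign for the same reason the rest of this patch relies on; the first is a per-probe reference leak and is the subject of the follow-up named in the `Stable-dep-of: fe2c9c61f668` trailer, so queuing this as-is is acceptable only if that follow-up is applied right after it, which the `series` ordering does.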
@@ -0,0 +1,51 @@ +From 3feb4d894fc97629b74ff051ec35f09cf7ed11eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 15:41:11 +0200 +Subject: net: mvpp2: debugfs: fix memory leak when using debugfs_lookup() + +From: Greg Kroah-Hartman + +[ Upstream commit fe2c9c61f668cde28dac2b188028c5299cedcc1e ] + +When calling debugfs_lookup() the result must have dput() called on it, +otherwise the memory will leak over time. Fix this up to be much +simpler logic and only create the root debugfs directory once when the +driver is first accessed. That resolves the memory leak and makes +things more obvious as to what the intent is. + +Cc: Marcin Wojtas +Cc: Russell King +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: netdev@vger.kernel.org +Cc: stable +Fixes: 21da57a23125 ("net: mvpp2: add a debugfs interface for the Header Parser") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +index 87d9cbe10cec..a43bfb86f315 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +@@ -655,10 +655,10 @@ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv) + + void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name) + { +- struct dentry *mvpp2_dir, *mvpp2_root; ++ static struct dentry *mvpp2_root; ++ struct dentry *mvpp2_dir; + int ret, i; + +- mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL); + if (!mvpp2_root) + mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL); + +-- +2.35.1 + diff --git a/queue-4.19/nvmet-fix-a-use-after-free.patch b/queue-4.19/nvmet-fix-a-use-after-free.patch new file mode 100644 index 00000000000..62c5c9f2e94 --- /dev/null +++ b/queue-4.19/nvmet-fix-a-use-after-free.patch 
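Review bot: turning `mvpp2_root` into a function-local `static` fixes the `debugfs_lookup()` reference leak, but it also makes the root dentry outlive any single `struct mvpp2` instance, so two things outside this hunk need confirming. First, `mvpp2_dbgfs_cleanup()` (the hunk's context line) must only remove `priv->dbgfs_dir` and never the root; otherwise the static pointer dangles after the first unbind and the next probe parents its directory under a freed dentry. Second, the check-then-create on the static is not serialized: if two mvpp2 devices can probe concurrently, the loser's `debugfs_create_dir(MVPP2_DRIVER_NAME, NULL)` fails because the name already exists, and its error pointer overwrites the winner's good `mvpp2_root`, breaking debugfs for both. If concurrent probe is possible, guard the `if (!mvpp2_root) mvpp2_root = debugfs_create_dir(...);` pair with a mutex or refuse to overwrite a non-error value.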
@@ -0,0 +1,67 @@ +From a2beeda56ca0138c260720efafcd71c535534795 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Aug 2022 14:03:17 -0700 +Subject: nvmet: fix a use-after-free + +From: Bart Van Assche + +[ Upstream commit 6a02a61e81c231cc5c680c5dbf8665275147ac52 ] + +Fix the following use-after-free complaint triggered by blktests nvme/004: + +BUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350 +Read of size 4 at addr 0000607bd1835943 by task kworker/13:1/460 +Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop] +Call Trace: + show_stack+0x52/0x58 + dump_stack_lvl+0x49/0x5e + print_report.cold+0x36/0x1e2 + kasan_report+0xb9/0xf0 + __asan_load4+0x6b/0x80 + blk_mq_complete_request_remote+0xac/0x350 + nvme_loop_queue_response+0x1df/0x275 [nvme_loop] + __nvmet_req_complete+0x132/0x4f0 [nvmet] + nvmet_req_complete+0x15/0x40 [nvmet] + nvmet_execute_io_connect+0x18a/0x1f0 [nvmet] + nvme_loop_execute_work+0x20/0x30 [nvme_loop] + process_one_work+0x56e/0xa70 + worker_thread+0x2d1/0x640 + kthread+0x183/0x1c0 + ret_from_fork+0x1f/0x30 + +Cc: stable@vger.kernel.org +Fixes: a07b4970f464 ("nvmet: add a generic NVMe target") +Signed-off-by: Bart Van Assche +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index 1a35d73c39c3..80b5aae1bdc9 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -504,6 +504,7 @@ static void __nvmet_req_complete(struct nvmet_req *req, u16 status) + { + u32 old_sqhd, new_sqhd; + u16 sqhd; ++ struct nvmet_ns *ns = req->ns; + + if (status) + nvmet_set_status(req, status); +@@ -520,9 +521,9 @@ static void __nvmet_req_complete(struct nvmet_req *req, u16 status) + req->rsp->sq_id = cpu_to_le16(req->sq->qid); + req->rsp->command_id = req->cmd->common.command_id; + +- if (req->ns) +- nvmet_put_namespace(req->ns); + 
req->ops->queue_response(req); ++ if (ns) ++ nvmet_put_namespace(ns); + } + + void nvmet_req_complete(struct nvmet_req *req, u16 status) +-- +2.35.1 + diff --git a/queue-4.19/series b/queue-4.19/series index bd074682a20..539eea317d4 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -13,3 +13,8 @@ of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch drm-meson-correct-osd1-global-alpha-value.patch parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch +efi-libstub-disable-shadow-call-stack.patch +efi-libstub-disable-struct-randomization.patch +nvmet-fix-a-use-after-free.patch +mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch +net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch
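Review bot: the commit message shows the KASAN splat but never states why the reordering in the hunks is the fix, and a backport reader needs that sentence: `req->ops->queue_response(req)` is the point after which the transport may complete and free the request (the trace shows `nvme_loop_queue_response` going straight into `blk_mq_complete_request_remote`), so the namespace pointer has to be copied into the local `ns` before the call, as the first hunk does, and the reference can only be dropped after the response has been queued, as the second hunk does. Dropping it before `queue_response()` let the namespace side proceed while the request was still in flight, which is consistent with the `nvmet_execute_io_connect` path in the trace. A comment above `req->ops->queue_response(req);` noting that `req` must not be dereferenced past that line would stop someone from later simplifying `ns` back into `req->ns`.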
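Review bot: the `series` hunk orders the two dependency chains correctly and nothing needs changing there: `efi-libstub-disable-shadow-call-stack.patch` precedes `efi-libstub-disable-struct-randomization.patch`, and the second patch's `index e0cff3b942ac..7fad5d90898b` is the post-image of the first's `index d3777d754984..e0cff3b942ac`; likewise `mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch` precedes `net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch`, whose `index 87d9cbe10cec..a43bfb86f315` follows the first's `..87d9cbe10cec`. Both chains match the `Stable-dep-of` trailers in the respective patches.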