From: Greg Kroah-Hartman Date: Tue, 5 Oct 2021 07:02:35 +0000 (+0200) Subject: 5.14-stable patches X-Git-Tag: v4.4.286~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e350e14a73145d858a8236d5ec8b50f35f31e338;p=thirdparty%2Fkernel%2Fstable-queue.git 5.14-stable patches added patches: bpf-add-oversize-check-before-call-kvcalloc.patch hid-amd_sfh-fix-potential-null-pointer-dereference-take-2.patch objtool-print-out-the-symbol-type-when-complaining-about-it.patch
---
diff --git a/queue-5.14/bpf-add-oversize-check-before-call-kvcalloc.patch b/queue-5.14/bpf-add-oversize-check-before-call-kvcalloc.patch
new file mode 100644
index 00000000000..a977d0af1a9
--- /dev/null
+++ b/queue-5.14/bpf-add-oversize-check-before-call-kvcalloc.patch
@@ -0,0 +1,55 @@
+From 0e6491b559704da720f6da09dd0a52c4df44c514 Mon Sep 17 00:00:00 2001
+From: Bixuan Cui
+Date: Sat, 11 Sep 2021 08:55:57 +0800
+Subject: bpf: Add oversize check before call kvcalloc()
+
+From: Bixuan Cui
+
+commit 0e6491b559704da720f6da09dd0a52c4df44c514 upstream.
+
+Commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") add the
+oversize check. When the allocation is larger than what kmalloc() supports,
+the following warning triggered:
+
+WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597
+Modules linked in:
+CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597
+Call Trace:
+ kvmalloc include/linux/mm.h:806 [inline]
+ kvmalloc_array include/linux/mm.h:824 [inline]
+ kvcalloc include/linux/mm.h:829 [inline]
+ check_btf_line kernel/bpf/verifier.c:9925 [inline]
+ check_btf_info kernel/bpf/verifier.c:10049 [inline]
+ bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759
+ bpf_prog_load kernel/bpf/syscall.c:2301 [inline]
+ __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587
+ __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
+ __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
+ __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com
+Signed-off-by: Bixuan Cui
+Signed-off-by: Alexei Starovoitov
+Acked-by: Yonghong Song
+Link: https://lore.kernel.org/bpf/20210911005557.45518-1-cuibixuan@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/bpf/verifier.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -10211,6 +10211,8 @@ static int propagate_liveness_reg(struct
+ /* Or if the read flag from REG is the same as PARENT_REG. */
+ parent_flag == flag)
+ return 0;
++ if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info))
++ return -EINVAL;
+
+ err = mark_reg_read(env, reg, parent_reg, flag);
+ if (err)
diff --git a/queue-5.14/hid-amd_sfh-fix-potential-null-pointer-dereference-take-2.patch b/queue-5.14/hid-amd_sfh-fix-potential-null-pointer-dereference-take-2.patch
new file mode 100644
index 00000000000..c2e8a920e35
--- /dev/null
+++ b/queue-5.14/hid-amd_sfh-fix-potential-null-pointer-dereference-take-2.patch
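Review bot: The added `if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info)) return -EINVAL;` sits in a hunk whose header and context belong to `propagate_liveness_reg()` (`parent_flag == flag) return 0;` followed by `mark_reg_read(...)`), while the call trace in the commit message puts the oversized `kvcalloc()` in `check_btf_line()`. No visible line of this hunk declares `nr_linfo`, so as placed the guard looks unlikely to compile, and even if it did it would not bound the allocation syzbot reported; the hunk appears to have been matched against the wrong `return 0;`. It should be re-based so the check lands in `check_btf_line()` ahead of the `kvcalloc()` call, and the result build-tested on the 5.14 tree before the queue is released. Both functions extend beyond the hunk, so this is inferred from the hunk header and context lines only.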
@@ -0,0 +1,50 @@
+From 88a04049c08cd62e698bc1b1af2d09574b9e0aee Mon Sep 17 00:00:00 2001
+From: Basavaraj Natikar
+Date: Thu, 23 Sep 2021 17:59:27 +0530
+Subject: HID: amd_sfh: Fix potential NULL pointer dereference - take 2
+
+From: Basavaraj Natikar
+
+commit 88a04049c08cd62e698bc1b1af2d09574b9e0aee upstream.
+
+The cl_data field of a privdata must be allocated and updated before
+using in amd_sfh_hid_client_init() function.
+
+Hence handling NULL pointer cl_data accordingly.
+
+Fixes: d46ef750ed58 ("HID: amd_sfh: Fix potential NULL pointer dereference")
+Signed-off-by: Basavaraj Natikar
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/amd-sfh-hid/amd_sfh_pcie.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c
++++ b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c
+@@ -235,21 +235,17 @@ static int amd_mp2_pci_probe(struct pci_
+ return rc;
+ }
+
+- rc = amd_sfh_hid_client_init(privdata);
+- if (rc)
+- return rc;
+-
+ privdata->cl_data = devm_kzalloc(&pdev->dev, sizeof(struct amdtp_cl_data), GFP_KERNEL);
+ if (!privdata->cl_data)
+ return -ENOMEM;
+
+- rc = devm_add_action_or_reset(&pdev->dev, amd_mp2_pci_remove, privdata);
++ mp2_select_ops(privdata);
++
++ rc = amd_sfh_hid_client_init(privdata);
+ if (rc)
+ return rc;
+
+- mp2_select_ops(privdata);
+-
+- return 0;
++ return devm_add_action_or_reset(&pdev->dev, amd_mp2_pci_remove, privdata);
+ }
+
+ static const struct pci_device_id amd_mp2_pci_tbl[] = {
diff --git a/queue-5.14/objtool-print-out-the-symbol-type-when-complaining-about-it.patch b/queue-5.14/objtool-print-out-the-symbol-type-when-complaining-about-it.patch
new file mode 100644
index 00000000000..1b9fd609837
--- /dev/null
+++ b/queue-5.14/objtool-print-out-the-symbol-type-when-complaining-about-it.patch
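Review bot: On the `if (rc) return rc;` path after `amd_sfh_hid_client_init(privdata)`, the `amd_mp2_pci_remove` devm action has not been registered yet, so anything the init call set up before failing is released only if that function unwinds itself, which this hunk does not show. If that is the intended contract, a comment above the call would make the ordering dependency explicit, for example `/* cl_data and the mp2 ops must be set before client init; on failure client init cleans up after itself */`. `amd_mp2_pci_probe()` starts before the hunk, so the earlier setup steps are not visible here.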
@@ -0,0 +1,64 @@
+From 7fab1c12bde926c5a8c7d5984c551d0854d7e0b3 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Sun, 3 Oct 2021 13:45:48 -0700
+Subject: objtool: print out the symbol type when complaining about it
+
+From: Linus Torvalds
+
+commit 7fab1c12bde926c5a8c7d5984c551d0854d7e0b3 upstream.
+
+The objtool warning that the kvm instruction emulation code triggered
+wasn't very useful:
+
+ arch/x86/kvm/emulate.o: warning: objtool: __ex_table+0x4: don't know how to handle reloc symbol type: kvm_fastop_exception
+
+in that it helpfully tells you which symbol name it had trouble figuring
+out the relocation for, but it doesn't actually say what the unknown
+symbol type was that triggered it all.
+
+In this case it was because of missing type information (type 0, aka
+STT_NOTYPE), but on the whole it really should just have printed that
+out as part of the message.
+
+Because if this warning triggers, that's very much the first thing you
+want to know - why did reloc2sec_off() return failure for that symbol?
+
+So rather than just saying you can't handle some type of symbol without
+saying what the type _was_, just print out the type number too.
+
+Fixes: 24ff65257375 ("objtool: Teach get_alt_entry() about more relocation types")
+Link: https://lore.kernel.org/lkml/CAHk-=wiZwq-0LknKhXN4M+T8jbxn_2i9mcKpO+OaBSSq_Eh7tg@mail.gmail.com/
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/objtool/special.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/tools/objtool/special.c
++++ b/tools/objtool/special.c
+@@ -110,8 +110,10 @@ static int get_alt_entry(struct elf *elf
+ return -1;
+ }
+ if (!reloc2sec_off(orig_reloc, &alt->orig_sec, &alt->orig_off)) {
+- WARN_FUNC("don't know how to handle reloc symbol type: %s",
+- sec, offset + entry->orig, orig_reloc->sym->name);
++ WARN_FUNC("don't know how to handle reloc symbol type %d: %s",
++ sec, offset + entry->orig,
++ orig_reloc->sym->type,
++ orig_reloc->sym->name);
+ return -1;
+ }
+
+@@ -132,8 +134,10 @@ static int get_alt_entry(struct elf *elf
+ return 1;
+
+ if (!reloc2sec_off(new_reloc, &alt->new_sec, &alt->new_off)) {
+- WARN_FUNC("don't know how to handle reloc symbol type: %s",
+- sec, offset + entry->new, new_reloc->sym->name);
++ WARN_FUNC("don't know how to handle reloc symbol type %d: %s",
++ sec, offset + entry->new,
++ new_reloc->sym->type,
++ new_reloc->sym->name);
+ return -1;
+ }
+
diff --git a/queue-5.14/series b/queue-5.14/series
index 56aa7cc9064..74ae4023b89 100644
--- a/queue-5.14/series
+++ b/queue-5.14/series
@@ -169,3 +169,6 @@ kvm-x86-handle-srcu-initialization-failure-during-page-track-init.patch
 netfilter-conntrack-serialize-hash-resizes-and-cleanups.patch
 netfilter-nf_tables-fix-oversized-kvmalloc-calls.patch
 drivers-net-mhi-fix-error-path-in-mhi_net_newlink.patch
+bpf-add-oversize-check-before-call-kvcalloc.patch
+objtool-print-out-the-symbol-type-when-complaining-about-it.patch
+hid-amd_sfh-fix-potential-null-pointer-dereference-take-2.patch