From: Greg Kroah-Hartman Date: Wed, 4 Jan 2023 14:46:19 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v6.1.4~47 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f7f346c1158713ff36103e96a2383fc5ca6c3110;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: crypto-n2-add-missing-hash-statesize.patch device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch drm-connector-send-hotplug-uevent-on-connector-cleanup.patch drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch parisc-led-fix-potential-null-ptr-deref-in-start_task.patch pci-sysfs-fix-double-free-in-error-path.patch --- diff --git a/queue-4.9/crypto-n2-add-missing-hash-statesize.patch b/queue-4.9/crypto-n2-add-missing-hash-statesize.patch new file mode 100644 index 00000000000..92009810aa3 --- /dev/null +++ b/queue-4.9/crypto-n2-add-missing-hash-statesize.patch @@ -0,0 +1,74 @@ +From 76a4e874593543a2dff91d249c95bac728df2774 Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Thu, 6 Oct 2022 04:34:19 +0000 +Subject: crypto: n2 - add missing hash statesize + +From: Corentin Labbe + +commit 76a4e874593543a2dff91d249c95bac728df2774 upstream. + +Add missing statesize to hash templates. +This is mandatory otherwise no algorithms can be registered as the core +requires statesize to be set. + +CC: stable@kernel.org # 4.3+ +Reported-by: Rolf Eike Beer +Tested-by: Rolf Eike Beer +Fixes: 0a625fd2abaa ("crypto: n2 - Add Niagara2 crypto driver") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/n2_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/crypto/n2_core.c ++++ b/drivers/crypto/n2_core.c +@@ -1271,6 +1271,7 @@ struct n2_hash_tmpl { + const u32 *hash_init; + u8 hw_op_hashsz; + u8 digest_size; ++ u8 statesize; + u8 block_size; + u8 auth_type; + u8 hmac_type; +@@ -1302,6 +1303,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_HMAC_MD5, + .hw_op_hashsz = MD5_DIGEST_SIZE, + .digest_size = MD5_DIGEST_SIZE, ++ .statesize = sizeof(struct md5_state), + .block_size = MD5_HMAC_BLOCK_SIZE }, + { .name = "sha1", + .hash_zero = sha1_zero_message_hash, +@@ -1310,6 +1312,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_HMAC_SHA1, + .hw_op_hashsz = SHA1_DIGEST_SIZE, + .digest_size = SHA1_DIGEST_SIZE, ++ .statesize = sizeof(struct sha1_state), + .block_size = SHA1_BLOCK_SIZE }, + { .name = "sha256", + .hash_zero = sha256_zero_message_hash, +@@ -1318,6 +1321,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_HMAC_SHA256, + .hw_op_hashsz = SHA256_DIGEST_SIZE, + .digest_size = SHA256_DIGEST_SIZE, ++ .statesize = sizeof(struct sha256_state), + .block_size = SHA256_BLOCK_SIZE }, + { .name = "sha224", + .hash_zero = sha224_zero_message_hash, +@@ -1326,6 +1330,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_RESERVED, + .hw_op_hashsz = SHA256_DIGEST_SIZE, + .digest_size = SHA224_DIGEST_SIZE, ++ .statesize = sizeof(struct sha256_state), + .block_size = SHA224_BLOCK_SIZE }, + }; + #define NUM_HASH_TMPLS ARRAY_SIZE(hash_tmpls) +@@ -1465,6 +1470,7 @@ static int __n2_register_one_ahash(const + + halg = &ahash->halg; + halg->digestsize = tmpl->digest_size; ++ halg->statesize = tmpl->statesize; + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", tmpl->name); diff --git a/queue-4.9/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch b/queue-4.9/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch new file mode 100644 index 00000000000..8ca340c487e --- /dev/null +++ b/queue-4.9/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch @@ -0,0 +1,95 @@ +From e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f Mon Sep 17 00:00:00 2001 +From: Wang Weiyang +Date: Tue, 25 Oct 2022 19:31:01 +0800 +Subject: device_cgroup: Roll back to original exceptions after copy failure + +From: Wang Weiyang + +commit e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f upstream. + +When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's +exceptions will be cleaned and A's behavior is changed to +DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's +whitelist. If copy failure occurs, just return leaving A to grant +permissions to all devices. And A may grant more permissions than +parent. + +Backup A's whitelist and recover original exceptions after copy +failure. + +Cc: stable@vger.kernel.org +Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior") +Signed-off-by: Wang Weiyang +Reviewed-by: Aristeu Rozanski +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/device_cgroup.c | 33 +++++++++++++++++++++++++++++---- + 1 file changed, 29 insertions(+), 4 deletions(-) + +--- a/security/device_cgroup.c ++++ b/security/device_cgroup.c +@@ -87,6 +87,17 @@ free_and_exit: + return -ENOMEM; + } + ++static void dev_exceptions_move(struct list_head *dest, struct list_head *orig) ++{ ++ struct dev_exception_item *ex, *tmp; ++ ++ lockdep_assert_held(&devcgroup_mutex); ++ ++ list_for_each_entry_safe(ex, tmp, orig, list) { ++ list_move_tail(&ex->list, dest); ++ } ++} ++ + /* + * called under devcgroup_mutex + */ +@@ -608,11 +619,13 @@ static int devcgroup_update_access(struc + int count, rc = 0; + struct dev_exception_item ex; + struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent); ++ struct dev_cgroup tmp_devcgrp; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + + memset(&ex, 0, sizeof(ex)); ++ memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp)); + b = buffer; + + switch (*b) { +@@ -624,15 +637,27 @@ static int devcgroup_update_access(struc + + if (!may_allow_all(parent)) + return -EPERM; +- dev_exception_clean(devcgroup); +- devcgroup->behavior = DEVCG_DEFAULT_ALLOW; +- if (!parent) ++ if (!parent) { ++ devcgroup->behavior = DEVCG_DEFAULT_ALLOW; ++ dev_exception_clean(devcgroup); + break; ++ } + ++ INIT_LIST_HEAD(&tmp_devcgrp.exceptions); ++ rc = dev_exceptions_copy(&tmp_devcgrp.exceptions, ++ &devcgroup->exceptions); ++ if (rc) ++ return rc; ++ dev_exception_clean(devcgroup); + rc = dev_exceptions_copy(&devcgroup->exceptions, + &parent->exceptions); +- if (rc) ++ if (rc) { ++ dev_exceptions_move(&devcgroup->exceptions, ++ &tmp_devcgrp.exceptions); + return rc; ++ } ++ devcgroup->behavior = DEVCG_DEFAULT_ALLOW; ++ dev_exception_clean(&tmp_devcgrp); + break; + case DEVCG_DENY: + if (css_has_online_children(&devcgroup->css)) diff --git a/queue-4.9/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch b/queue-4.9/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch new file mode 100644 index 00000000000..63285967f8b --- /dev/null +++ b/queue-4.9/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch @@ -0,0 +1,59 @@ +From 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc Mon Sep 17 00:00:00 2001 +From: Simon Ser +Date: Mon, 17 Oct 2022 15:32:01 +0000 +Subject: drm/connector: send hotplug uevent on connector cleanup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Simon Ser + +commit 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc upstream. + +A typical DP-MST unplug removes a KMS connector. However care must +be taken to properly synchronize with user-space. The expected +sequence of events is the following: + +1. The kernel notices that the DP-MST port is gone. +2. The kernel marks the connector as disconnected, then sends a + uevent to make user-space re-scan the connector list. +3. User-space notices the connector goes from connected to disconnected, + disables it. +4. Kernel handles the IOCTL disabling the connector. On success, + the very last reference to the struct drm_connector is dropped and + drm_connector_cleanup() is called. +5. The connector is removed from the list, and a uevent is sent to tell + user-space that the connector disappeared. + +The very last step was missing. As a result, user-space thought the +connector still existed and could try to disable it again. Since the +kernel no longer knows about the connector, that would end up with +EINVAL and confused user-space. + +Fix this by sending a hotplug uevent from drm_connector_cleanup(). + +Signed-off-by: Simon Ser +Cc: stable@vger.kernel.org +Cc: Daniel Vetter +Cc: Lyude Paul +Cc: Jonas Ådahl +Tested-by: Jonas Ådahl +Reviewed-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20221017153150.60675-2-contact@emersion.fr +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_connector.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/drm_connector.c ++++ b/drivers/gpu/drm/drm_connector.c +@@ -363,6 +363,9 @@ void drm_connector_cleanup(struct drm_co + mutex_destroy(&connector->mutex); + + memset(connector, 0, sizeof(*connector)); ++ ++ if (dev->registered) ++ drm_sysfs_hotplug_event(dev); + } + EXPORT_SYMBOL(drm_connector_cleanup); + diff --git a/queue-4.9/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch b/queue-4.9/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch new file mode 100644 index 00000000000..f99d97afe60 --- /dev/null +++ b/queue-4.9/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch @@ -0,0 +1,37 @@ +From 4cf949c7fafe21e085a4ee386bb2dade9067316e Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Tue, 25 Oct 2022 23:19:35 -0400 +Subject: drm/vmwgfx: Validate the box size for the snooped cursor + +From: Zack Rusin + +commit 4cf949c7fafe21e085a4ee386bb2dade9067316e upstream. + +Invalid userspace dma surface copies could potentially overflow +the memcpy from the surface to the snooped image leading to crashes. +To fix it the dimensions of the copybox have to be validated +against the expected size of the snooped cursor. + +Signed-off-by: Zack Rusin +Fixes: 2ac863719e51 ("vmwgfx: Snoop DMA transfers with non-covering sizes") +Cc: # v3.2+ +Reviewed-by: Michael Banack +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20221026031936.1004280-1-zack@kde.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -301,7 +301,8 @@ void vmw_kms_cursor_snoop(struct vmw_sur + if (cmd->dma.guest.ptr.offset % PAGE_SIZE || + box->x != 0 || box->y != 0 || box->z != 0 || + box->srcx != 0 || box->srcy != 0 || box->srcz != 0 || +- box->d != 1 || box_count != 1) { ++ box->d != 1 || box_count != 1 || ++ box->w > 64 || box->h > 64) { + /* TODO handle none page aligned offsets */ + /* TODO handle more dst & src != 0 */ + /* TODO handle more then one copy */ diff --git a/queue-4.9/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch b/queue-4.9/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch new file mode 100644 index 00000000000..3e6d0b8c496 --- /dev/null +++ b/queue-4.9/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch @@ -0,0 +1,45 @@ +From 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf Mon Sep 17 00:00:00 2001 +From: Kim Phillips +Date: Mon, 19 Sep 2022 10:56:37 -0500 +Subject: iommu/amd: Fix ivrs_acpihid cmdline parsing code + +From: Kim Phillips + +commit 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf upstream. + +The second (UID) strcmp in acpi_dev_hid_uid_match considers +"0" and "00" different, which can prevent device registration. + +Have the AMD IOMMU driver's ivrs_acpihid parsing code remove +any leading zeroes to make the UID strcmp succeed. Now users +can safely specify "AMDxxxxx:00" or "AMDxxxxx:0" and expect +the same behaviour. + +Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter") +Signed-off-by: Kim Phillips +Cc: stable@vger.kernel.org +Cc: Suravee Suthikulpanit +Cc: Joerg Roedel +Link: https://lore.kernel.org/r/20220919155638.391481-1-kim.phillips@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd_iommu_init.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -2684,6 +2684,13 @@ static int __init parse_ivrs_acpihid(cha + return 1; + } + ++ /* ++ * Ignore leading zeroes after ':', so e.g., AMDI0095:00 ++ * will match AMDI0095:0 in the second strcmp in acpi_dev_hid_uid_match ++ */ ++ while (*uid == '0' && *(uid + 1)) ++ uid++; ++ + i = early_acpihid_map_size++; + memcpy(early_acpihid_map[i].hid, hid, strlen(hid)); + memcpy(early_acpihid_map[i].uid, uid, strlen(uid)); diff --git a/queue-4.9/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch b/queue-4.9/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch new file mode 100644 index 00000000000..11cf32b5998 --- /dev/null +++ b/queue-4.9/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch @@ -0,0 +1,42 @@ +From 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Thu, 17 Nov 2022 10:45:14 +0800 +Subject: parisc: led: Fix potential null-ptr-deref in start_task() + +From: Shang XiaoJing + +commit 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 upstream. + +start_task() calls create_singlethread_workqueue() and not checked the +ret value, which may return NULL. And a null-ptr-deref may happen: + +start_task() + create_singlethread_workqueue() # failed, led_wq is NULL + queue_delayed_work() + queue_delayed_work_on() + __queue_delayed_work() # warning here, but continue + __queue_work() # access wq->flags, null-ptr-deref + +Check the ret value and return -ENOMEM if it is NULL. + +Fixes: 3499495205a6 ("[PARISC] Use work queue in LED/LCD driver instead of tasklet.") +Signed-off-by: Shang XiaoJing +Signed-off-by: Helge Deller +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parisc/led.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/parisc/led.c ++++ b/drivers/parisc/led.c +@@ -141,6 +141,9 @@ static int start_task(void) + + /* Create the work queue and queue the LED task */ + led_wq = create_singlethread_workqueue("led_wq"); ++ if (!led_wq) ++ return -ENOMEM; ++ + queue_delayed_work(led_wq, &led_task, 0); + + return 0; diff --git a/queue-4.9/pci-sysfs-fix-double-free-in-error-path.patch b/queue-4.9/pci-sysfs-fix-double-free-in-error-path.patch new file mode 100644 index 00000000000..58cc0fb2de6 --- /dev/null +++ b/queue-4.9/pci-sysfs-fix-double-free-in-error-path.patch @@ -0,0 +1,58 @@ +From aa382ffa705bea9931ec92b6f3c70e1fdb372195 Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Tue, 8 Nov 2022 17:05:59 -0600 +Subject: PCI/sysfs: Fix double free in error path + +From: Sascha Hauer + +commit aa382ffa705bea9931ec92b6f3c70e1fdb372195 upstream. + +When pci_create_attr() fails, pci_remove_resource_files() is called which +will iterate over the res_attr[_wc] arrays and frees every non NULL entry. +To avoid a double free here set the array entry only after it's clear we +successfully initialized it. + +Fixes: b562ec8f74e4 ("PCI: Don't leak memory if sysfs_create_bin_file() fails") +Link: https://lore.kernel.org/r/20221007070735.GX986@pengutronix.de/ +Signed-off-by: Sascha Hauer +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-sysfs.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -1167,11 +1167,9 @@ static int pci_create_attr(struct pci_de + + sysfs_bin_attr_init(res_attr); + if (write_combine) { +- pdev->res_attr_wc[num] = res_attr; + sprintf(res_attr_name, "resource%d_wc", num); + res_attr->mmap = pci_mmap_resource_wc; + } else { +- pdev->res_attr[num] = res_attr; + sprintf(res_attr_name, "resource%d", num); + res_attr->mmap = pci_mmap_resource_uc; + } +@@ -1184,10 +1182,17 @@ static int pci_create_attr(struct pci_de + res_attr->size = pci_resource_len(pdev, num); + res_attr->private = &pdev->resource[num]; + retval = sysfs_create_bin_file(&pdev->dev.kobj, res_attr); +- if (retval) ++ if (retval) { + kfree(res_attr); ++ return retval; ++ } ++ ++ if (write_combine) ++ pdev->res_attr_wc[num] = res_attr; ++ else ++ pdev->res_attr[num] = res_attr; + +- return retval; ++ return 0; + } + + /** diff --git a/queue-4.9/series b/queue-4.9/series index 165ad1c4c7d..9920849e614 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -235,3 +235,10 @@ tracing-fix-infinite-loop-in-tracing_read_pipe-on-overflowed-print_trace_line.pa arm-9256-1-nwfpe-avoid-compiler-generated-__aeabi_uldivmod.patch media-dvb-core-fix-double-free-in-dvb_register_device.patch cifs-fix-confusing-debug-message.patch +pci-sysfs-fix-double-free-in-error-path.patch +crypto-n2-add-missing-hash-statesize.patch +iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch +parisc-led-fix-potential-null-ptr-deref-in-start_task.patch +device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch +drm-connector-send-hotplug-uevent-on-connector-cleanup.patch +drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch