From: Sasha Levin Date: Mon, 12 Aug 2024 10:01:51 +0000 (-0400) Subject: Fixes for 6.10 X-Git-Tag: v6.1.105~81^2~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fe961c5f33ebc1660617037c008bff71d6773d3a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.10 Signed-off-by: Sasha Levin --- diff --git a/queue-6.10/ntp-clamp-maxerror-and-esterror-to-operating-range.patch b/queue-6.10/ntp-clamp-maxerror-and-esterror-to-operating-range.patch new file mode 100644 index 00000000000..5cf570f508f --- /dev/null +++ b/queue-6.10/ntp-clamp-maxerror-and-esterror-to-operating-range.patch 
@@ -0,0 +1,74 @@ +From 0be4e9a2267c0ff34ccd0bd465b7b105f6ce9814 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 May 2024 20:22:44 +0000 +Subject: ntp: Clamp maxerror and esterror to operating range + +From: Justin Stitt + +[ Upstream commit 87d571d6fb77ec342a985afa8744bb9bb75b3622 ] + +Using syzkaller alongside the newly reintroduced signed integer overflow +sanitizer spits out this report: + +UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:461:16 +9223372036854775807 + 500 cannot be represented in type 'long' +Call Trace: + handle_overflow+0x171/0x1b0 + second_overflow+0x2d6/0x500 + accumulate_nsecs_to_secs+0x60/0x160 + timekeeping_advance+0x1fe/0x890 + update_wall_time+0x10/0x30 + +time_maxerror is unconditionally incremented and the result is checked +against NTP_PHASE_LIMIT, but the increment itself can overflow, resulting +in wrap-around to negative space. + +Before commit eea83d896e31 ("ntp: NTP4 user space bits update") the user +supplied value was sanity checked to be in the operating range. That change +removed the sanity check and relied on clamping in handle_overflow() which +does not work correctly when the user supplied value is in the overflow +zone of the '+ 500' operation. + +The operation requires CAP_SYS_TIME and the side effect of the overflow is +NTP getting out of sync. + +Miroslav confirmed that the input value should be clamped to the operating +range and the same applies to time_esterror. The latter is not used by the +kernel, but the value still should be in the operating range as it was +before the sanity check got removed. + +Clamp them to the operating range. 
+ +[ tglx: Changed it to clamping and included time_esterror ] + +Fixes: eea83d896e31 ("ntp: NTP4 user space bits update") +Signed-off-by: Justin Stitt +Signed-off-by: Thomas Gleixner +Cc: Miroslav Lichvar +Link: https://lore.kernel.org/all/20240517-b4-sio-ntp-usec-v2-1-d539180f2b79@google.com +Closes: https://github.com/KSPP/linux/issues/354 +Signed-off-by: Sasha Levin +--- + kernel/time/ntp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c +index 406dccb79c2b6..502e1e5b7f7f6 100644 +--- a/kernel/time/ntp.c ++++ b/kernel/time/ntp.c +@@ -727,10 +727,10 @@ static inline void process_adjtimex_modes(const struct __kernel_timex *txc, + } + + if (txc->modes & ADJ_MAXERROR) +- time_maxerror = txc->maxerror; ++ time_maxerror = clamp(txc->maxerror, 0, NTP_PHASE_LIMIT); + + if (txc->modes & ADJ_ESTERROR) +- time_esterror = txc->esterror; ++ time_esterror = clamp(txc->esterror, 0, NTP_PHASE_LIMIT); + + if (txc->modes & ADJ_TIMECONST) { + time_constant = txc->constant; +-- +2.43.0 + diff --git a/queue-6.10/series b/queue-6.10/series index b8d2ff0f834..beff9b623fe 100644 --- a/queue-6.10/series +++ b/queue-6.10/series @@ -198,3 +198,5 @@ scsi-ufs-core-fix-hba-last_dme_cmd_tstamp-timestamp-updating-logic.patch tick-broadcast-move-per-cpu-pointer-access-into-the-atomic-section.patch media-v4l-fix-missing-tabular-column-hint-for-y14p-format.patch vhost-vdpa-switch-to-use-vmf_insert_pfn-in-the-fault-handler.patch +spmi-pmic-arb-add-missing-newline-in-dev_err-format-.patch +ntp-clamp-maxerror-and-esterror-to-operating-range.patch diff --git a/queue-6.10/spmi-pmic-arb-add-missing-newline-in-dev_err-format-.patch b/queue-6.10/spmi-pmic-arb-add-missing-newline-in-dev_err-format-.patch new file mode 100644 index 00000000000..a016a065ab5 --- /dev/null +++ b/queue-6.10/spmi-pmic-arb-add-missing-newline-in-dev_err-format-.patch 
@@ -0,0 +1,68 @@ +From 1c087d11a0f35c1417765b796da861a11b53dfd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 09:46:33 -0700 +Subject: spmi: pmic-arb: add missing newline in dev_err format strings + +From: David Collins + +[ Upstream commit ffcf2eb4bfa24f7256de53a95182c3e3e23fdc6c ] + +dev_err() format strings should end with '\n'. Several such +format strings in the spmi-pmic-arb driver are missing it. +Add newlines where needed. + +Fixes: 02922ccbb330 ("spmi: pmic-arb: Register controller for bus instead of arbiter") +Signed-off-by: David Collins +Link: https://lore.kernel.org/r/20240703221248.3640490-1-quic_collinsd@quicinc.com +Reviewed-by: Bjorn Andersson +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20240725164636.3362690-4-sboyd@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/spmi/spmi-pmic-arb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/spmi/spmi-pmic-arb.c b/drivers/spmi/spmi-pmic-arb.c +index 791cdc160c515..c408ded0c00f7 100644 +--- a/drivers/spmi/spmi-pmic-arb.c ++++ b/drivers/spmi/spmi-pmic-arb.c +@@ -398,7 +398,7 @@ static int pmic_arb_fmt_read_cmd(struct spmi_pmic_arb_bus *bus, u8 opc, u8 sid, + + *offset = rc; + if (bc >= PMIC_ARB_MAX_TRANS_BYTES) { +- dev_err(&bus->spmic->dev, "pmic-arb supports 1..%d bytes per trans, but:%zu requested", ++ dev_err(&bus->spmic->dev, "pmic-arb supports 1..%d bytes per trans, but:%zu requested\n", + PMIC_ARB_MAX_TRANS_BYTES, len); + return -EINVAL; + } +@@ -477,7 +477,7 @@ static int pmic_arb_fmt_write_cmd(struct spmi_pmic_arb_bus *bus, u8 opc, + + *offset = rc; + if (bc >= PMIC_ARB_MAX_TRANS_BYTES) { +- dev_err(&bus->spmic->dev, "pmic-arb supports 1..%d bytes per trans, but:%zu requested", ++ dev_err(&bus->spmic->dev, "pmic-arb supports 1..%d bytes per trans, but:%zu requested\n", + PMIC_ARB_MAX_TRANS_BYTES, len); + return -EINVAL; + } +@@ -1702,7 +1702,7 @@ static int 
spmi_pmic_arb_bus_init(struct platform_device *pdev, + + index = of_property_match_string(node, "reg-names", "cnfg"); + if (index < 0) { +- dev_err(dev, "cnfg reg region missing"); ++ dev_err(dev, "cnfg reg region missing\n"); + return -EINVAL; + } + +@@ -1712,7 +1712,7 @@ static int spmi_pmic_arb_bus_init(struct platform_device *pdev, + + index = of_property_match_string(node, "reg-names", "intr"); + if (index < 0) { +- dev_err(dev, "intr reg region missing"); ++ dev_err(dev, "intr reg region missing\n"); + return -EINVAL; + } + +-- +2.43.0 +
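Review bot: In queue-6.10/ntp-clamp-maxerror-and-esterror-to-operating-range.patch, the two clamp() assignments under ADJ_MAXERROR and ADJ_ESTERROR silently change what gets stored: process_adjtimex_modes() is void, so a caller that passes a value outside 0..NTP_PHASE_LIMIT gets no indication that a different value was kept. A one-line comment above `time_maxerror = clamp(txc->maxerror, 0, NTP_PHASE_LIMIT);` saying that the input is limited to the operating range so the later '+ 500' increment cannot overflow would keep the reason next to the code. Separately, the commit message says the old code "relied on clamping in handle_overflow()", but in the quoted call trace handle_overflow is the frame entered from second_overflow when the sanitizer fires; if second_overflow() is where the NTP_PHASE_LIMIT check lives, the message should name that function.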
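Review bot: In queue-6.10/spmi-pmic-arb-add-missing-newline-in-dev_err-format-.patch, the commit message says "several" dev_err() format strings are missing the newline, and the diff fixes four (one each in pmic_arb_fmt_read_cmd and pmic_arb_fmt_write_cmd, two in spmi_pmic_arb_bus_init), but nothing states that these four are the complete set in spmi-pmic-arb.c; the message should say so or list them. In the two fmt hunks the guard is `bc >= PMIC_ARB_MAX_TRANS_BYTES` while the message reports `len` against "1..%d bytes", so a short comment on how bc relates to len would make the bound easier to check. The string "but:%zu requested" also has no space after the colon, which could be tidied on the same line.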