From 38217725bcf7c36b77b969d56361502825558430 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 7 May 2021 17:52:49 +0200
Subject: [PATCH] 5.4-stable patches
added patches:
fbdev-zero-fill-colormap-in-fbcmap.c.patch
posix-timers-preserve-return-value-in-clock_adjtime32.patch
---
 ...fbdev-zero-fill-colormap-in-fbcmap.c.patch | 51 +++++++++++++++++++
 ...erve-return-value-in-clock_adjtime32.patch | 42 +++++++++++++++
 queue-5.4/series | 2 +
 3 files changed, 95 insertions(+)
 create mode 100644 queue-5.4/fbdev-zero-fill-colormap-in-fbcmap.c.patch
 create mode 100644 queue-5.4/posix-timers-preserve-return-value-in-clock_adjtime32.patch
diff --git a/queue-5.4/fbdev-zero-fill-colormap-in-fbcmap.c.patch b/queue-5.4/fbdev-zero-fill-colormap-in-fbcmap.c.patch
new file mode 100644
index 00000000000..2196dd1ea0c
--- /dev/null
+++ b/queue-5.4/fbdev-zero-fill-colormap-in-fbcmap.c.patch
@@ -0,0 +1,51 @@
+From 19ab233989d0f7ab1de19a036e247afa4a0a1e9c Mon Sep 17 00:00:00 2001
+From: Phillip Potter
+Date: Wed, 31 Mar 2021 23:07:19 +0100
+Subject: fbdev: zero-fill colormap in fbcmap.c
+
+From: Phillip Potter
+
+commit 19ab233989d0f7ab1de19a036e247afa4a0a1e9c upstream.
+
+Use kzalloc() rather than kmalloc() for the dynamically allocated parts
+of the colormap in fb_alloc_cmap_gfp, to prevent a leak of random kernel
+data to userspace under certain circumstances.
+
+Fixes a KMSAN-found infoleak bug reported by syzbot at:
+https://syzkaller.appspot.com/bug?id=741578659feabd108ad9e06696f0c1f2e69c4b6e
+
+Reported-by: syzbot+47fa9c9c648b765305b9@syzkaller.appspotmail.com
+Cc: stable
+Reviewed-by: Geert Uytterhoeven
+Signed-off-by: Phillip Potter
+Link: https://lore.kernel.org/r/20210331220719.1499743-1-phil@philpotter.co.uk
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/core/fbcmap.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbcmap.c
++++ b/drivers/video/fbdev/core/fbcmap.c
+@@ -101,17 +101,17 @@ int fb_alloc_cmap_gfp(struct fb_cmap *cm
+ if (!len)
+ return 0;
+ 
+- cmap->red = kmalloc(size, flags);
++ cmap->red = kzalloc(size, flags);
+ if (!cmap->red)
+ goto fail;
+- cmap->green = kmalloc(size, flags);
++ cmap->green = kzalloc(size, flags);
+ if (!cmap->green)
+ goto fail;
+- cmap->blue = kmalloc(size, flags);
++ cmap->blue = kzalloc(size, flags);
+ if (!cmap->blue)
+ goto fail;
+ if (transp) {
+- cmap->transp = kmalloc(size, flags);
++ cmap->transp = kzalloc(size, flags);
+ if (!cmap->transp)
+ goto fail;
+ } else {
diff --git a/queue-5.4/posix-timers-preserve-return-value-in-clock_adjtime32.patch b/queue-5.4/posix-timers-preserve-return-value-in-clock_adjtime32.patch
new file mode 100644
index 00000000000..feef1162b38
--- /dev/null
+++ b/queue-5.4/posix-timers-preserve-return-value-in-clock_adjtime32.patch
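Review bot: Switching the four colormap allocations to kzalloc() removes stale heap contents from `cmap->red`, `cmap->green`, `cmap->blue` and `cmap->transp`, but nothing in the hunk records why the zeroing is load-bearing, so a later cleanup could revert it to kmalloc() as a "needless memset" and silently reintroduce the infoleak. A one-line comment above the first allocation would pin that down: `/* Zero-fill: entries the caller never writes can reach userspace, so they must not carry old heap data. */`. The fix relies on zero being an acceptable value for any entry left unset; whether the copy-out path only ever reads entries that were actually written cannot be told from this hunk, so the comment should state the intent rather than the path. fb_alloc_cmap_gfp() starts before the hunk and continues after `} else {`, including the `fail:` label the gotos target, so the cleanup of partially allocated arrays is not visible here.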
@@ -0,0 +1,42 @@
+From 2d036dfa5f10df9782f5278fc591d79d283c1fad Mon Sep 17 00:00:00 2001
+From: Chen Jun
+Date: Wed, 14 Apr 2021 03:04:49 +0000
+Subject: posix-timers: Preserve return value in clock_adjtime32()
+
+From: Chen Jun
+
+commit 2d036dfa5f10df9782f5278fc591d79d283c1fad upstream.
+
+The return value on success (>= 0) is overwritten by the return value of
+put_old_timex32(). That works correct in the fault case, but is wrong for
+the success case where put_old_timex32() returns 0.
+
+Just check the return value of put_old_timex32() and return -EFAULT in case
+it is not zero.
+
+[ tglx: Massage changelog ]
+
+Fixes: 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts")
+Signed-off-by: Chen Jun
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Richard Cochran
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210414030449.90692-1-chenjun102@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/time/posix-timers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -1169,8 +1169,8 @@ SYSCALL_DEFINE2(clock_adjtime32, clockid
+ 
+ err = do_clock_adjtime(which_clock, &ktx);
+ 
+- if (err >= 0)
+- err = put_old_timex32(utp, &ktx);
++ if (err >= 0 && put_old_timex32(utp, &ktx))
++ return -EFAULT;
+ 
+ return err;
+ }
diff --git a/queue-5.4/series b/queue-5.4/series
index efe0294883f..cf46a37bff6 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -33,3 +33,5 @@ irqchip-gic-v3-do-not-enable-irqs-when-handling-spurious-interrups.patch
 cifs-return-correct-error-code-from-smb2_get_enc_key.patch
 btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch
 intel_th-pci-add-rocket-lake-cpu-support.patch
+posix-timers-preserve-return-value-in-clock_adjtime32.patch
+fbdev-zero-fill-colormap-in-fbcmap.c.patch
-- 
2.47.3
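Review bot: The new condition discards whatever put_old_timex32() returns and substitutes -EFAULT, so if that helper can ever fail with a different code it is masked; if it only reports 0 or -EFAULT, which the hunk does not show, the collapse is harmless but still deserves a word. The non-obvious part for the next reader is that `err >= 0` is a success value (the adjtimex clock state, e.g. TIME_OK), not an error, which is exactly what the old code clobbered, so a comment on the condition would keep it from being "simplified" back: `/* err >= 0 is the clock state, not an error: keep it; only the copy-out can fail */`. Preserving the helper's own code would need a new local and a two-step check, which goes beyond the minimal upstream fix a stable backport should mirror. SYSCALL_DEFINE2(clock_adjtime32, ...) begins outside the hunk, and the following queue-5.4/series hunk is a list append needing no review.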