From 73d1af61f7881367cdb8bd293b14cbf8e5d379ac Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 18 May 2020 16:03:34 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch
exec-move-would_dump-into-flush_old_exec.patch
x86-fix-early-boot-crash-on-gcc-10-third-try.patch
---
 ...d-s-rdk-fix-the-i2c1-pinctrl-entries.patch | 43 ++++++
 ...-move-would_dump-into-flush_old_exec.patch | 58 +++++++
 queue-4.4/series | 3 +
 ...early-boot-crash-on-gcc-10-third-try.patch | 145 ++++++++++++++++++
 4 files changed, 249 insertions(+)
 create mode 100644 queue-4.4/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch
 create mode 100644 queue-4.4/exec-move-would_dump-into-flush_old_exec.patch
 create mode 100644 queue-4.4/x86-fix-early-boot-crash-on-gcc-10-third-try.patch

diff --git a/queue-4.4/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch b/queue-4.4/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch
new file mode 100644
index 00000000000..3f23a31e98b
--- /dev/null
+++ b/queue-4.4/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch
@@ -0,0 +1,43 @@
+From 0caf34350a25907515d929a9c77b9b206aac6d1e Mon Sep 17 00:00:00 2001
+From: Fabio Estevam
+Date: Fri, 27 Mar 2020 10:36:24 -0300
+Subject: ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries
+
+From: Fabio Estevam
+
+commit 0caf34350a25907515d929a9c77b9b206aac6d1e upstream.
+
+The I2C2 pins are already used and the following errors are seen:
+
+imx27-pinctrl 10015000.iomuxc: pin MX27_PAD_I2C2_SDA already requested by 10012000.i2c; cannot claim for 1001d000.i2c
+imx27-pinctrl 10015000.iomuxc: pin-69 (1001d000.i2c) status -22
+imx27-pinctrl 10015000.iomuxc: could not request pin 69 (MX27_PAD_I2C2_SDA) from group i2c2grp on device 10015000.iomuxc
+imx-i2c 1001d000.i2c: Error applying setting, reverse things back
+imx-i2c: probe of 1001d000.i2c failed with error -22
+
+Fix it by adding the correct I2C1 IOMUX entries for the pinctrl_i2c1 group.
+
+Cc:
+Fixes: 61664d0b432a ("ARM: dts: imx27 phyCARD-S pinctrl")
+Signed-off-by: Fabio Estevam
+Reviewed-by: Stefan Riedmueller
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts
++++ b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts
+@@ -81,8 +81,8 @@
+ imx27-phycard-s-rdk {
+ pinctrl_i2c1: i2c1grp {
+ fsl,pins = <
+- MX27_PAD_I2C2_SDA__I2C2_SDA 0x0
+- MX27_PAD_I2C2_SCL__I2C2_SCL 0x0
++ MX27_PAD_I2C_DATA__I2C_DATA 0x0
++ MX27_PAD_I2C_CLK__I2C_CLK 0x0
+ >;
+ };
+ 
diff --git a/queue-4.4/exec-move-would_dump-into-flush_old_exec.patch b/queue-4.4/exec-move-would_dump-into-flush_old_exec.patch
new file mode 100644
index 00000000000..a5b528e7cc3
--- /dev/null
+++ b/queue-4.4/exec-move-would_dump-into-flush_old_exec.patch
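Review bot: The two replacement pad macros, MX27_PAD_I2C_DATA__I2C_DATA and MX27_PAD_I2C_CLK__I2C_CLK, are only referenced by the inner hunk, so the 4.4 backport silently relies on the 4.4 tree's imx27 pin-function header already defining them; if either is missing the dts build fails rather than misrouting pins, which is the better failure mode but still worth a grep before this is released from the queue. The queued file carries the upstream commit message unchanged, so a one-line backport note under the `commit ... upstream.` line, e.g. `[ backport note: both MX27_PAD_I2C_* macros verified present in 4.4 ]`, would record that the check was done. The enclosing `imx27-phycard-s-rdk` node continues outside the inner hunk.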
@@ -0,0 +1,58 @@
+From f87d1c9559164294040e58f5e3b74a162bf7c6e8 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Sat, 16 May 2020 16:29:20 -0500
+Subject: exec: Move would_dump into flush_old_exec
+
+From: Eric W. Biederman
+
+commit f87d1c9559164294040e58f5e3b74a162bf7c6e8 upstream.
+
+I goofed when I added mm->user_ns support to would_dump. I missed the
+fact that in the case of binfmt_loader, binfmt_em86, binfmt_misc, and
+binfmt_script bprm->file is reassigned. Which made the move of
+would_dump from setup_new_exec to __do_execve_file before exec_binprm
+incorrect as it can result in would_dump running on the script instead
+of the interpreter of the script.
+
+The net result is that the code stopped making unreadable interpreters
+undumpable. Which allows them to be ptraced and written to disk
+without special permissions. Oops.
+
+The move was necessary because the call in set_new_exec was after
+bprm->mm was no longer valid.
+
+To correct this mistake move the misplaced would_dump from
+__do_execve_file into flos_old_exec, before exec_mmap is called.
+
+I tested and confirmed that without this fix I can attach with gdb to
+a script with an unreadable interpreter, and with this fix I can not.
+
+Cc: stable@vger.kernel.org
+Fixes: f84df2a6f268 ("exec: Ensure mm->user_ns contains the execed files")
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/exec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1124,6 +1124,8 @@ int flush_old_exec(struct linux_binprm *
+ */
+ set_mm_exe_file(bprm->mm, bprm->file);
+ 
++ would_dump(bprm, bprm->file);
++
+ /*
+ * Release all of the old mmap stuff
+ */
+@@ -1632,8 +1634,6 @@ static int do_execveat_common(int fd, st
+ if (retval < 0)
+ goto out;
+ 
+- would_dump(bprm, bprm->file);
+-
+ retval = exec_binprm(bprm);
+ if (retval < 0)
+ goto out;
diff --git a/queue-4.4/series b/queue-4.4/series
index e5e59b7493e..6e40ef26fad 100644
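Review bot: The new `would_dump(bprm, bprm->file);` call in flush_old_exec() carries no comment, yet its position is a hard ordering constraint in both directions: it has to run before exec_mmap() because would_dump() needs a still-valid bprm->mm, and it has to run this late because, per the commit message, the binfmt handlers reassign bprm->file and the earlier call site was therefore marking the script rather than its unreadable interpreter dumpable. A two-line comment above the call, `/* Must precede exec_mmap() (needs bprm->mm) and run after the binfmt handlers have settled bprm->file on the real interpreter. */`, would keep the next refactor from moving it back. The queued commit text also names `__do_execve_file` and `flos_old_exec` while the 4.4 hunk removes the call from do_execveat_common(); since the upstream message is kept verbatim, a `[ backport note: 4.4 has do_execveat_common(), not __do_execve_file() ]` line would explain the mismatch. Both flush_old_exec() and do_execveat_common() start and end outside the inner hunks.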
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -73,3 +73,6 @@ alsa-hda-realtek-limit-int-mic-boost-for-thinkpad-t530.patch
 alsa-rawmidi-fix-racy-buffer-resize-under-concurrent-accesses.patch
 alsa-rawmidi-initialize-allocated-buffers.patch
 usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch
+arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch
+x86-fix-early-boot-crash-on-gcc-10-third-try.patch
+exec-move-would_dump-into-flush_old_exec.patch
diff --git a/queue-4.4/x86-fix-early-boot-crash-on-gcc-10-third-try.patch b/queue-4.4/x86-fix-early-boot-crash-on-gcc-10-third-try.patch
new file mode 100644
index 00000000000..9ce3dd46f0e
--- /dev/null
+++ b/queue-4.4/x86-fix-early-boot-crash-on-gcc-10-third-try.patch
@@ -0,0 +1,145 @@
+From a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e Mon Sep 17 00:00:00 2001
+From: Borislav Petkov
+Date: Wed, 22 Apr 2020 18:11:30 +0200
+Subject: x86: Fix early boot crash on gcc-10, third try
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov
+
+commit a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e upstream.
+
+... or the odyssey of trying to disable the stack protector for the
+function which generates the stack canary value.
+
+The whole story started with Sergei reporting a boot crash with a kernel
+built with gcc-10:
+
+ Kernel panic — not syncing: stack-protector: Kernel stack is corrupted in: start_secondary
+ CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5—00235—gfffb08b37df9 #139
+ Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M—D3H, BIOS F12 11/14/2013
+ Call Trace:
+ dump_stack
+ panic
+ ? start_secondary
+ __stack_chk_fail
+ start_secondary
+ secondary_startup_64
+ -—-[ end Kernel panic — not syncing: stack—protector: Kernel stack is corrupted in: start_secondary
+
+This happens because gcc-10 tail-call optimizes the last function call
+in start_secondary() - cpu_startup_entry() - and thus emits a stack
+canary check which fails because the canary value changes after the
+boot_init_stack_canary() call.
+
+To fix that, the initial attempt was to mark the one function which
+generates the stack canary with:
+
+ __attribute__((optimize("-fno-stack-protector"))) ... start_secondary(void *unused)
+
+however, using the optimize attribute doesn't work cumulatively
+as the attribute does not add to but rather replaces previously
+supplied optimization options - roughly all -fxxx options.
+
+The key one among them being -fno-omit-frame-pointer and thus leading to
+not present frame pointer - frame pointer which the kernel needs.
+
+The next attempt to prevent compilers from tail-call optimizing
+the last function call cpu_startup_entry(), shy of carving out
+start_secondary() into a separate compilation unit and building it with
+-fno-stack-protector, was to add an empty asm("").
+
+This current solution was short and sweet, and reportedly, is supported
+by both compilers but we didn't get very far this time: future (LTO?)
+optimization passes could potentially eliminate this, which leads us
+to the third attempt: having an actual memory barrier there which the
+compiler cannot ignore or move around etc.
+
+That should hold for a long time, but hey we said that about the other
+two solutions too so...
+
+Reported-by: Sergei Trofimovich
+Signed-off-by: Borislav Petkov
+Tested-by: Kalle Valo
+Cc:
+Link: https://lkml.kernel.org/r/20200314164451.346497-1-slyfox@gentoo.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/stackprotector.h | 7 ++++++-
+ arch/x86/kernel/smpboot.c | 8 ++++++++
+ arch/x86/xen/smp.c | 1 +
+ include/linux/compiler.h | 7 +++++++
+ init/main.c | 2 ++
+ 5 files changed, 24 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/stackprotector.h
++++ b/arch/x86/include/asm/stackprotector.h
+@@ -54,8 +54,13 @@
+ /*
+ * Initialize the stackprotector canary value.
+ *
+- * NOTE: this must only be called from functions that never return,
++ * NOTE: this must only be called from functions that never return
+ * and it must always be inlined.
++ *
++ * In addition, it should be called from a compilation unit for which
++ * stack protector is disabled. Alternatively, the caller should not end
++ * with a function call which gets tail-call optimized as that would
++ * lead to checking a modified canary value.
+ */
+ static __always_inline void boot_init_stack_canary(void)
+ {
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -243,6 +243,14 @@ static void notrace start_secondary(void
+ 
+ wmb();
+ cpu_startup_entry(CPUHP_ONLINE);
++
++ /*
++ * Prevent tail call to cpu_startup_entry() because the stack protector
++ * guard has been changed a couple of function calls up, in
++ * boot_init_stack_canary() and must not be checked before tail calling
++ * another function.
++ */
++ prevent_tail_call_optimization();
+ }
+ 
+ void __init smp_store_boot_cpu_info(void)
+--- a/arch/x86/xen/smp.c
++++ b/arch/x86/xen/smp.c
+@@ -116,6 +116,7 @@ asmlinkage __visible void cpu_bringup_an
+ #endif
+ cpu_bringup();
+ cpu_startup_entry(CPUHP_ONLINE);
++ prevent_tail_call_optimization();
+ }
+ 
+ static void xen_smp_intr_free(unsigned int cpu)
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -556,4 +556,11 @@ static __always_inline void __write_once
+ # define __kprobes
+ # define nokprobe_inline inline
+ #endif
++
++/*
++ * This is needed in functions which generate the stack canary, see
++ * arch/x86/kernel/smpboot.c::start_secondary() for an example.
++ */
++#define prevent_tail_call_optimization() mb()
++
+ #endif /* __LINUX_COMPILER_H */
+--- a/init/main.c
++++ b/init/main.c
+@@ -683,6 +683,8 @@ asmlinkage __visible void __init start_k
+ 
+ /* Do the rest non-__init'ed, we're now alive */
+ rest_init();
++
++ prevent_tail_call_optimization();
+ }
+ 
+ /* Call all constructor functions linked into the kernel. */
--
2.47.3
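Review bot: `#define prevent_tail_call_optimization() mb()` lands in include/linux/compiler.h, but `mb()` is not defined there; it comes from the arch barrier header, so the macro only expands in translation units that already have that header in scope and a future caller that includes only compiler.h gets an implicit-declaration error rather than the intended protection. The comment above the define should say so, e.g. `/* Expands to mb(): the caller must already have the arch barrier header in scope. */`, and should state why a real barrier is used instead of barrier()/asm(""), since the commit message's own reason (an empty asm may be eliminated by later optimization passes) is the only thing stopping someone from weakening it. The call sites in the xen/smp.c and init/main.c hunks carry no comment, unlike start_secondary(); a one-liner such as `/* Keep the preceding call from being tail-called; see start_secondary(). */` at each would tie them to the stackprotector.h rule about the canary. Note that all three calls sit after functions the commit describes as non-returning, so the barrier is never executed at runtime and its whole value is the compile-time effect. cpu_bringup_and_idle() and start_kernel() begin outside their inner hunks.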