From 8610d9ede1df663a6c29ba21d40369895a4b7e2e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 22 Apr 2020 11:01:51 +0200 Subject: [PATCH] 5.6-stable patches added patches: arm-dts-sunxi-fix-de2-clocks-register-range.patch bpf-fix-buggy-r0-retval-refinement-for-tracing-helpers.patch bpf-test_progs-add-test-to-catch-retval-refine-error-handling.patch bpf-test_verifier-bpf_get_stack-return-value-add-0.patch bpf-test_verifier-switch-bpf_get_stack-s-0-s-r8-test.patch cifs-ignore-cached-share-root-handle-closing-errors.patch dma-debug-fix-displaying-of-dma-allocation-type.patch docs-fix-path-to-mtd-command-line-partition-parser.patch fbdev-potential-information-leak-in-do_fb_ioctl.patch fbmem-adjust-indentation-in-fb_prepare_logo-and-fb_blank.patch iio-si1133-read-24-bit-signed-integer-for-measurement.patch iio-st_sensors-handle-memory-allocation-failure-to-fix-null-pointer-dereference.patch keys-don-t-write-out-to-userspace-while-holding-key-semaphore.patch locktorture-print-ratio-of-acquisitions-not-failures.patch mtd-lpddr-fix-a-double-free-in-probe.patch mtd-phram-fix-a-double-free-issue-in-error-path.patch mtd-rawnand-free-the-nand_device-object.patch mtd-spinand-explicitly-use-mtd_ops_raw-to-write-the-bad-block-marker-to-oob.patch net-dsa-bcm_sf2-fix-overflow-checks.patch tty-evh_bytechan-fix-out-of-bounds-accesses.patch --- ...-sunxi-fix-de2-clocks-register-range.patch | 73 +++ ...etval-refinement-for-tracing-helpers.patch | 146 +++++ ...o-catch-retval-refine-error-handling.patch | 78 +++ ...ier-bpf_get_stack-return-value-add-0.patch | 133 ++++ ...r-switch-bpf_get_stack-s-0-s-r8-test.patch | 65 ++ ...hed-share-root-handle-closing-errors.patch | 95 +++ ...ix-displaying-of-dma-allocation-type.patch | 51 ++ ...to-mtd-command-line-partition-parser.patch | 34 ++ ...tial-information-leak-in-do_fb_ioctl.patch | 46 ++ ...tion-in-fb_prepare_logo-and-fb_blank.patch | 108 ++++ ...4-bit-signed-integer-for-measurement.patch | 131 ++++ ...lure-to-fix-null-pointer-dereference.patch | 44 ++ ...serspace-while-holding-key-semaphore.patch | 572 ++++++++++++++++++ ...t-ratio-of-acquisitions-not-failures.patch | 50 ++ ...mtd-lpddr-fix-a-double-free-in-probe.patch | 33 + ...ix-a-double-free-issue-in-error-path.patch | 64 ++ ...-rawnand-free-the-nand_device-object.patch | 32 + ...to-write-the-bad-block-marker-to-oob.patch | 38 ++ .../net-dsa-bcm_sf2-fix-overflow-checks.patch | 59 ++ queue-5.6/series | 20 + ..._bytechan-fix-out-of-bounds-accesses.patch | 111 ++++ 21 files changed, 1983 insertions(+) create mode 100644 queue-5.6/arm-dts-sunxi-fix-de2-clocks-register-range.patch create mode 100644 queue-5.6/bpf-fix-buggy-r0-retval-refinement-for-tracing-helpers.patch create mode 100644 queue-5.6/bpf-test_progs-add-test-to-catch-retval-refine-error-handling.patch create mode 100644 queue-5.6/bpf-test_verifier-bpf_get_stack-return-value-add-0.patch create mode 100644 queue-5.6/bpf-test_verifier-switch-bpf_get_stack-s-0-s-r8-test.patch create mode 100644 queue-5.6/cifs-ignore-cached-share-root-handle-closing-errors.patch create mode 100644 queue-5.6/dma-debug-fix-displaying-of-dma-allocation-type.patch create mode 100644 queue-5.6/docs-fix-path-to-mtd-command-line-partition-parser.patch create mode 100644 queue-5.6/fbdev-potential-information-leak-in-do_fb_ioctl.patch create mode 100644 queue-5.6/fbmem-adjust-indentation-in-fb_prepare_logo-and-fb_blank.patch create mode 100644 queue-5.6/iio-si1133-read-24-bit-signed-integer-for-measurement.patch create mode 100644 queue-5.6/iio-st_sensors-handle-memory-allocation-failure-to-fix-null-pointer-dereference.patch create mode 100644 queue-5.6/keys-don-t-write-out-to-userspace-while-holding-key-semaphore.patch create mode 100644 queue-5.6/locktorture-print-ratio-of-acquisitions-not-failures.patch create mode 100644 queue-5.6/mtd-lpddr-fix-a-double-free-in-probe.patch create mode 100644 queue-5.6/mtd-phram-fix-a-double-free-issue-in-error-path.patch create mode 100644 queue-5.6/mtd-rawnand-free-the-nand_device-object.patch create mode 100644 queue-5.6/mtd-spinand-explicitly-use-mtd_ops_raw-to-write-the-bad-block-marker-to-oob.patch create mode 100644 queue-5.6/net-dsa-bcm_sf2-fix-overflow-checks.patch create mode 100644 queue-5.6/tty-evh_bytechan-fix-out-of-bounds-accesses.patch diff --git a/queue-5.6/arm-dts-sunxi-fix-de2-clocks-register-range.patch b/queue-5.6/arm-dts-sunxi-fix-de2-clocks-register-range.patch new file mode 100644 index 00000000000..29784e34ea7 --- /dev/null +++ b/queue-5.6/arm-dts-sunxi-fix-de2-clocks-register-range.patch @@ -0,0 +1,73 @@ +From da180322582bd9db07f29e6d4a2d170afde0703f Mon Sep 17 00:00:00 2001 +From: Jernej Skrabec +Date: Sat, 25 Jan 2020 00:20:09 +0100 +Subject: ARM: dts: sunxi: Fix DE2 clocks register range + +From: Jernej Skrabec + +commit da180322582bd9db07f29e6d4a2d170afde0703f upstream. + +As it can be seen from DE2 manual, clock range is 0x10000. + +Fix it. + +Signed-off-by: Jernej Skrabec +Fixes: 73f122c82775 ("ARM: dts: sun8i: a83t: Add display pipeline") +Fixes: 05a43a262d03 ("ARM: dts: sun8i: r40: Add HDMI pipeline") +Fixes: 21b299209330 ("ARM: sun8i: v3s: add device nodes for DE2 display pipeline") +Fixes: d8c6f1f0295c ("ARM: sun8i: h3/h5: add DE2 CCU device node for H3") +[wens@csie.org: added fixes tags] +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sun8i-a83t.dtsi | 2 +- + arch/arm/boot/dts/sun8i-r40.dtsi | 2 +- + arch/arm/boot/dts/sun8i-v3s.dtsi | 2 +- + arch/arm/boot/dts/sunxi-h3-h5.dtsi | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm/boot/dts/sun8i-a83t.dtsi ++++ b/arch/arm/boot/dts/sun8i-a83t.dtsi +@@ -314,7 +314,7 @@ + + display_clocks: clock@1000000 { + compatible = "allwinner,sun8i-a83t-de2-clk"; +- reg = <0x01000000 0x100000>; ++ reg = <0x01000000 0x10000>; + clocks = <&ccu CLK_BUS_DE>, + <&ccu CLK_PLL_DE>; + clock-names = "bus", +--- a/arch/arm/boot/dts/sun8i-r40.dtsi ++++ b/arch/arm/boot/dts/sun8i-r40.dtsi +@@ -119,7 +119,7 @@ + display_clocks: clock@1000000 { + compatible = "allwinner,sun8i-r40-de2-clk", + "allwinner,sun8i-h3-de2-clk"; +- reg = <0x01000000 0x100000>; ++ reg = <0x01000000 0x10000>; + clocks = <&ccu CLK_BUS_DE>, + <&ccu CLK_DE>; + clock-names = "bus", +--- a/arch/arm/boot/dts/sun8i-v3s.dtsi ++++ b/arch/arm/boot/dts/sun8i-v3s.dtsi +@@ -105,7 +105,7 @@ + + display_clocks: clock@1000000 { + compatible = "allwinner,sun8i-v3s-de2-clk"; +- reg = <0x01000000 0x100000>; ++ reg = <0x01000000 0x10000>; + clocks = <&ccu CLK_BUS_DE>, + <&ccu CLK_DE>; + clock-names = "bus", +--- a/arch/arm/boot/dts/sunxi-h3-h5.dtsi ++++ b/arch/arm/boot/dts/sunxi-h3-h5.dtsi +@@ -114,7 +114,7 @@ + + display_clocks: clock@1000000 { + /* compatible is in per SoC .dtsi file */ +- reg = <0x01000000 0x100000>; ++ reg = <0x01000000 0x10000>; + clocks = <&ccu CLK_BUS_DE>, + <&ccu CLK_DE>; + clock-names = "bus", diff --git a/queue-5.6/bpf-fix-buggy-r0-retval-refinement-for-tracing-helpers.patch b/queue-5.6/bpf-fix-buggy-r0-retval-refinement-for-tracing-helpers.patch new file mode 100644 index 00000000000..f66b7d293b8 --- /dev/null +++ b/queue-5.6/bpf-fix-buggy-r0-retval-refinement-for-tracing-helpers.patch @@ -0,0 +1,146 @@ +From daniel@iogearbox.net Wed Apr 22 10:22:28 2020 +From: Daniel Borkmann +Date: Tue, 21 Apr 2020 15:01:49 +0200 +Subject: bpf: fix buggy r0 retval refinement for tracing helpers +To: gregkh@linuxfoundation.org +Cc: alexei.starovoitov@gmail.com, john.fastabend@gmail.com, kpsingh@chromium.org, jannh@google.com, fontanalorenz@gmail.com, leodidonato@gmail.com, yhs@fb.com, bpf@vger.kernel.org, Daniel Borkmann , Alexei Starovoitov +Message-ID: <20200421130152.14348-1-daniel@iogearbox.net> + +From: Daniel Borkmann +Date: Tue, 21 Apr 2020 15:01:49 +0200 + +[ no upstream commit ] + +See the glory details in 100605035e15 ("bpf: Verifier, do_refine_retval_range +may clamp umin to 0 incorrectly") for why 849fa50662fb ("bpf/verifier: refine +retval R0 state for bpf_get_stack helper") is buggy. The whole series however +is not suitable for stable since it adds significant amount [0] of verifier +complexity in order to add 32bit subreg tracking. Something simpler is needed. + +Unfortunately, reverting 849fa50662fb ("bpf/verifier: refine retval R0 state +for bpf_get_stack helper") or just cherry-picking 100605035e15 ("bpf: Verifier, +do_refine_retval_range may clamp umin to 0 incorrectly") is not an option since +it will break existing tracing programs badly (at least those that are using +bpf_get_stack() and bpf_probe_read_str() helpers). Not fixing it in stable is +also not an option since on 4.19 kernels an error will cause a soft-lockup due +to hitting dead-code sanitized branch since we don't hard-wire such branches +in old kernels yet. But even then for 5.x 849fa50662fb ("bpf/verifier: refine +retval R0 state for bpf_get_stack helper") would cause wrong bounds on the +verifier simluation when an error is hit. + +In one of the earlier iterations of mentioned patch series for upstream there +was the concern that just using smax_value in do_refine_retval_range() would +nuke bounds by subsequent <<32 >>32 shifts before the comparison against 0 [1] +which eventually led to the 32bit subreg tracking in the first place. While I +initially went for implementing the idea [1] to pattern match the two shift +operations, it turned out to be more complex than actually needed, meaning, we +could simply treat do_refine_retval_range() similarly to how we branch off +verification for conditionals or under speculation, that is, pushing a new +reg state to the stack for later verification. This means, instead of verifying +the current path with the ret_reg in [S32MIN, msize_max_value] interval where +later bounds would get nuked, we split this into two: i) for the success case +where ret_reg can be in [0, msize_max_value], and ii) for the error case with +ret_reg known to be in interval [S32MIN, -1]. Latter will preserve the bounds +during these shift patterns and can match reg < 0 test. test_progs also succeed +with this approach. + + [0] https://lore.kernel.org/bpf/158507130343.15666.8018068546764556975.stgit@john-Precision-5820-Tower/ + [1] https://lore.kernel.org/bpf/158015334199.28573.4940395881683556537.stgit@john-XPS-13-9370/T/#m2e0ad1d5949131014748b6daa48a3495e7f0456d + +Fixes: 849fa50662fb ("bpf/verifier: refine retval R0 state for bpf_get_stack helper") +Reported-by: Lorenzo Fontana +Reported-by: Leonardo Di Donato +Reported-by: John Fastabend +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Acked-by: John Fastabend +Tested-by: John Fastabend +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 45 ++++++++++++++++++++++++++++++++++----------- + 1 file changed, 34 insertions(+), 11 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -227,8 +227,7 @@ struct bpf_call_arg_meta { + bool pkt_access; + int regno; + int access_size; +- s64 msize_smax_value; +- u64 msize_umax_value; ++ u64 msize_max_value; + int ref_obj_id; + int func_id; + u32 btf_id; +@@ -3568,8 +3567,7 @@ static int check_func_arg(struct bpf_ver + /* remember the mem_size which may be used later + * to refine return values. + */ +- meta->msize_smax_value = reg->smax_value; +- meta->msize_umax_value = reg->umax_value; ++ meta->msize_max_value = reg->umax_value; + + /* The register is SCALAR_VALUE; the access check + * happens using its boundaries. +@@ -4095,21 +4093,44 @@ static int prepare_func_exit(struct bpf_ + return 0; + } + +-static void do_refine_retval_range(struct bpf_reg_state *regs, int ret_type, +- int func_id, +- struct bpf_call_arg_meta *meta) ++static int do_refine_retval_range(struct bpf_verifier_env *env, ++ struct bpf_reg_state *regs, int ret_type, ++ int func_id, struct bpf_call_arg_meta *meta) + { + struct bpf_reg_state *ret_reg = ®s[BPF_REG_0]; ++ struct bpf_reg_state tmp_reg = *ret_reg; ++ bool ret; + + if (ret_type != RET_INTEGER || + (func_id != BPF_FUNC_get_stack && + func_id != BPF_FUNC_probe_read_str)) +- return; ++ return 0; ++ ++ /* Error case where ret is in interval [S32MIN, -1]. */ ++ ret_reg->smin_value = S32_MIN; ++ ret_reg->smax_value = -1; + +- ret_reg->smax_value = meta->msize_smax_value; +- ret_reg->umax_value = meta->msize_umax_value; + __reg_deduce_bounds(ret_reg); + __reg_bound_offset(ret_reg); ++ __update_reg_bounds(ret_reg); ++ ++ ret = push_stack(env, env->insn_idx + 1, env->insn_idx, false); ++ if (!ret) ++ return -EFAULT; ++ ++ *ret_reg = tmp_reg; ++ ++ /* Success case where ret is in range [0, msize_max_value]. */ ++ ret_reg->smin_value = 0; ++ ret_reg->smax_value = meta->msize_max_value; ++ ret_reg->umin_value = ret_reg->smin_value; ++ ret_reg->umax_value = ret_reg->smax_value; ++ ++ __reg_deduce_bounds(ret_reg); ++ __reg_bound_offset(ret_reg); ++ __update_reg_bounds(ret_reg); ++ ++ return 0; + } + + static int +@@ -4377,7 +4398,9 @@ static int check_helper_call(struct bpf_ + regs[BPF_REG_0].ref_obj_id = id; + } + +- do_refine_retval_range(regs, fn->ret_type, func_id, &meta); ++ err = do_refine_retval_range(env, regs, fn->ret_type, func_id, &meta); ++ if (err) ++ return err; + + err = check_map_func_compatibility(env, meta.map_ptr, func_id); + if (err) diff --git a/queue-5.6/bpf-test_progs-add-test-to-catch-retval-refine-error-handling.patch b/queue-5.6/bpf-test_progs-add-test-to-catch-retval-refine-error-handling.patch new file mode 100644 index 00000000000..bf6dfa32628 --- /dev/null +++ b/queue-5.6/bpf-test_progs-add-test-to-catch-retval-refine-error-handling.patch @@ -0,0 +1,78 @@ +From d2db08c7a14e0b5eed6132baf258b80622e041a9 Mon Sep 17 00:00:00 2001 +From: John Fastabend +Date: Mon, 30 Mar 2020 14:37:19 -0700 +Subject: bpf: Test_progs, add test to catch retval refine error handling + +From: John Fastabend + +commit d2db08c7a14e0b5eed6132baf258b80622e041a9 upstream. + +Before this series the verifier would clamp return bounds of +bpf_get_stack() to [0, X] and this led the verifier to believe +that a JMP_JSLT 0 would be false and so would prune that path. + +The result is anything hidden behind that JSLT would be unverified. +Add a test to catch this case by hiding an goto pc-1 behind the +check which will cause an infinite loop if not rejected. + +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/158560423908.10843.11783152347709008373.stgit@john-Precision-5820-Tower +Signed-off-by: Daniel Borkmann +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c | 5 ++ + tools/testing/selftests/bpf/progs/test_get_stack_rawtp_err.c | 26 +++++++++++ + 2 files changed, 31 insertions(+) + +--- a/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c ++++ b/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c +@@ -82,6 +82,7 @@ static void get_stack_print_output(void + void test_get_stack_raw_tp(void) + { + const char *file = "./test_get_stack_rawtp.o"; ++ const char *file_err = "./test_get_stack_rawtp_err.o"; + const char *prog_name = "raw_tracepoint/sys_enter"; + int i, err, prog_fd, exp_cnt = MAX_CNT_RAWTP; + struct perf_buffer_opts pb_opts = {}; +@@ -93,6 +94,10 @@ void test_get_stack_raw_tp(void) + struct bpf_map *map; + cpu_set_t cpu_set; + ++ err = bpf_prog_load(file_err, BPF_PROG_TYPE_RAW_TRACEPOINT, &obj, &prog_fd); ++ if (CHECK(err >= 0, "prog_load raw tp", "err %d errno %d\n", err, errno)) ++ return; ++ + err = bpf_prog_load(file, BPF_PROG_TYPE_RAW_TRACEPOINT, &obj, &prog_fd); + if (CHECK(err, "prog_load raw tp", "err %d errno %d\n", err, errno)) + return; +--- /dev/null ++++ b/tools/testing/selftests/bpf/progs/test_get_stack_rawtp_err.c +@@ -0,0 +1,26 @@ ++// SPDX-License-Identifier: GPL-2.0 ++ ++#include ++#include ++ ++#define MAX_STACK_RAWTP 10 ++ ++SEC("raw_tracepoint/sys_enter") ++int bpf_prog2(void *ctx) ++{ ++ __u64 stack[MAX_STACK_RAWTP]; ++ int error; ++ ++ /* set all the flags which should return -EINVAL */ ++ error = bpf_get_stack(ctx, stack, 0, -1); ++ if (error < 0) ++ goto loop; ++ ++ return error; ++loop: ++ while (1) { ++ error++; ++ } ++} ++ ++char _license[] SEC("license") = "GPL"; diff --git a/queue-5.6/bpf-test_verifier-bpf_get_stack-return-value-add-0.patch b/queue-5.6/bpf-test_verifier-bpf_get_stack-return-value-add-0.patch new file mode 100644 index 00000000000..60076d798cd --- /dev/null +++ b/queue-5.6/bpf-test_verifier-bpf_get_stack-return-value-add-0.patch @@ -0,0 +1,133 @@ +From 9ac26e9973bac5716a2a542e32f380c84db2b88c Mon Sep 17 00:00:00 2001 +From: John Fastabend +Date: Mon, 30 Mar 2020 14:37:40 -0700 +Subject: bpf: Test_verifier, bpf_get_stack return value add <0 + +From: John Fastabend + +commit 9ac26e9973bac5716a2a542e32f380c84db2b88c upstream. + +With current ALU32 subreg handling and retval refine fix from last +patches we see an expected failure in test_verifier. With verbose +verifier state being printed at each step for clarity we have the +following relavent lines [I omit register states that are not +necessarily useful to see failure cause], + +#101/p bpf_get_stack return R0 within range FAIL +Failed to load prog 'Success'! +[..] +14: (85) call bpf_get_stack#67 + R0_w=map_value(id=0,off=0,ks=8,vs=48,imm=0) + R3_w=inv48 +15: + R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff)) +15: (b7) r1 = 0 +16: + R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff)) + R1_w=inv0 +16: (bf) r8 = r0 +17: + R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff)) + R1_w=inv0 + R8_w=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff)) +17: (67) r8 <<= 32 +18: + R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff)) + R1_w=inv0 + R8_w=inv(id=0,smax_value=9223372032559808512, + umax_value=18446744069414584320, + var_off=(0x0; 0xffffffff00000000), + s32_min_value=0, + s32_max_value=0, + u32_max_value=0, + var32_off=(0x0; 0x0)) +18: (c7) r8 s>>= 32 +19 + R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff)) + R1_w=inv0 + R8_w=inv(id=0,smin_value=-2147483648, + smax_value=2147483647, + var32_off=(0x0; 0xffffffff)) +19: (cd) if r1 s< r8 goto pc+16 + R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff)) + R1_w=inv0 + R8_w=inv(id=0,smin_value=-2147483648, + smax_value=0, + var32_off=(0x0; 0xffffffff)) +20: + R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff)) + R1_w=inv0 + R8_w=inv(id=0,smin_value=-2147483648, + smax_value=0, + R9=inv48 +20: (1f) r9 -= r8 +21: (bf) r2 = r7 +22: + R2_w=map_value(id=0,off=0,ks=8,vs=48,imm=0) +22: (0f) r2 += r8 +value -2147483648 makes map_value pointer be out of bounds + +After call bpf_get_stack() on line 14 and some moves we have at line 16 +an r8 bound with max_value 48 but an unknown min value. This is to be +expected bpf_get_stack call can only return a max of the input size but +is free to return any negative error in the 32-bit register space. The +C helper is returning an int so will use lower 32-bits. + +Lines 17 and 18 clear the top 32 bits with a left/right shift but use +ARSH so we still have worst case min bound before line 19 of -2147483648. +At this point the signed check 'r1 s< r8' meant to protect the addition +on line 22 where dst reg is a map_value pointer may very well return +true with a large negative number. Then the final line 22 will detect +this as an invalid operation and fail the program. What we want to do +is proceed only if r8 is positive non-error. So change 'r1 s< r8' to +'r1 s> r8' so that we jump if r8 is negative. + +Next we will throw an error because we access past the end of the map +value. The map value size is 48 and sizeof(struct test_val) is 48 so +we walk off the end of the map value on the second call to +get bpf_get_stack(). Fix this by changing sizeof(struct test_val) to +24 by using 'sizeof(struct test_val) / 2'. After this everything passes +as expected. + +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/158560426019.10843.3285429543232025187.stgit@john-Precision-5820-Tower +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/bpf/verifier/bpf_get_stack.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/bpf/verifier/bpf_get_stack.c ++++ b/tools/testing/selftests/bpf/verifier/bpf_get_stack.c +@@ -9,17 +9,17 @@ + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28), + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), +- BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)), ++ BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)/2), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), +- BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)), ++ BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)/2), + BPF_MOV64_IMM(BPF_REG_4, 256), + BPF_EMIT_CALL(BPF_FUNC_get_stack), + BPF_MOV64_IMM(BPF_REG_1, 0), + BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), + BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32), + BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32), +- BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16), ++ BPF_JMP_REG(BPF_JSGT, BPF_REG_1, BPF_REG_8, 16), + BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), + BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8), +@@ -29,7 +29,7 @@ + BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), + BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), +- BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)), ++ BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)/2), + BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5), + BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), diff --git a/queue-5.6/bpf-test_verifier-switch-bpf_get_stack-s-0-s-r8-test.patch b/queue-5.6/bpf-test_verifier-switch-bpf_get_stack-s-0-s-r8-test.patch new file mode 100644 index 00000000000..5b4b4f37d5c --- /dev/null +++ b/queue-5.6/bpf-test_verifier-switch-bpf_get_stack-s-0-s-r8-test.patch @@ -0,0 +1,65 @@ +From daniel@iogearbox.net Wed Apr 22 10:24:25 2020 +From: Daniel Borkmann +Date: Tue, 21 Apr 2020 15:01:52 +0200 +Subject: bpf, test_verifier: switch bpf_get_stack's 0 s> r8 test +To: gregkh@linuxfoundation.org +Cc: alexei.starovoitov@gmail.com, john.fastabend@gmail.com, kpsingh@chromium.org, jannh@google.com, fontanalorenz@gmail.com, leodidonato@gmail.com, yhs@fb.com, bpf@vger.kernel.org, Daniel Borkmann , Alexei Starovoitov +Message-ID: <20200421130152.14348-4-daniel@iogearbox.net> + +From: Daniel Borkmann + +[ no upstream commit ] + +Switch the comparison, so that is_branch_taken() will recognize that below +branch is never taken: + + [...] + 17: [...] R1_w=inv0 [...] R8_w=inv(id=0,smin_value=-2147483648,smax_value=-1,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) [...] + 17: (67) r8 <<= 32 + 18: [...] R8_w=inv(id=0,smax_value=-4294967296,umin_value=9223372036854775808,umax_value=18446744069414584320,var_off=(0x8000000000000000; 0x7fffffff00000000)) [...] + 18: (c7) r8 s>>= 32 + 19: [...] R8_w=inv(id=0,smin_value=-2147483648,smax_value=-1,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) [...] + 19: (6d) if r1 s> r8 goto pc+16 + [...] R1_w=inv0 [...] R8_w=inv(id=0,smin_value=-2147483648,smax_value=-1,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) [...] + [...] + +Currently we check for is_branch_taken() only if either K is source, or source +is a scalar value that is const. For upstream it would be good to extend this +properly to check whether dst is const and src not. + +For the sake of the test_verifier, it is probably not needed here: + + # ./test_verifier 101 + #101/p bpf_get_stack return R0 within range OK + Summary: 1 PASSED, 0 SKIPPED, 0 FAILED + +I haven't seen this issue in test_progs* though, they are passing fine: + + # ./test_progs-no_alu32 -t get_stack + Switching to flavor 'no_alu32' subdirectory... + #20 get_stack_raw_tp:OK + Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED + + # ./test_progs -t get_stack + #20 get_stack_raw_tp:OK + Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED + +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Acked-by: John Fastabend +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/verifier/bpf_get_stack.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/bpf/verifier/bpf_get_stack.c ++++ b/tools/testing/selftests/bpf/verifier/bpf_get_stack.c +@@ -19,7 +19,7 @@ + BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), + BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32), + BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32), +- BPF_JMP_REG(BPF_JSGT, BPF_REG_1, BPF_REG_8, 16), ++ BPF_JMP_REG(BPF_JSLT, BPF_REG_8, BPF_REG_1, 16), + BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), + BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8), diff --git a/queue-5.6/cifs-ignore-cached-share-root-handle-closing-errors.patch b/queue-5.6/cifs-ignore-cached-share-root-handle-closing-errors.patch new file mode 100644 index 00000000000..0b04bdefbfb --- /dev/null +++ b/queue-5.6/cifs-ignore-cached-share-root-handle-closing-errors.patch @@ -0,0 +1,95 @@ +From e79b0332ae06b4895dcecddf4bbc5d3917e9383c Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Tue, 7 Apr 2020 11:49:55 +0200 +Subject: cifs: ignore cached share root handle closing errors + +From: Aurelien Aptel + +commit e79b0332ae06b4895dcecddf4bbc5d3917e9383c upstream. + +Fix tcon use-after-free and NULL ptr deref. + +Customer system crashes with the following kernel log: + +[462233.169868] CIFS VFS: Cancelling wait for mid 4894753 cmd: 14 => a QUERY DIR +[462233.228045] CIFS VFS: cifs_put_smb_ses: Session Logoff failure rc=-4 +[462233.305922] CIFS VFS: cifs_put_smb_ses: Session Logoff failure rc=-4 +[462233.306205] CIFS VFS: cifs_put_smb_ses: Session Logoff failure rc=-4 +[462233.347060] CIFS VFS: cifs_put_smb_ses: Session Logoff failure rc=-4 +[462233.347107] CIFS VFS: Close unmatched open +[462233.347113] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038 +... + [exception RIP: cifs_put_tcon+0xa0] (this is doing tcon->ses->server) + #6 [...] smb2_cancelled_close_fid at ... [cifs] + #7 [...] process_one_work at ... + #8 [...] worker_thread at ... + #9 [...] kthread at ... + +The most likely explanation we have is: + +* When we put the last reference of a tcon (refcount=0), we close the + cached share root handle. +* If closing a handle is interrupted, SMB2_close() will + queue a SMB2_close() in a work thread. +* The queued object keeps a tcon ref so we bump the tcon + refcount, jumping from 0 to 1. +* We reach the end of cifs_put_tcon(), we free the tcon object despite + it now having a refcount of 1. +* The queued work now runs, but the tcon, ses & server was freed in + the meantime resulting in a crash. + +THREAD 1 +======== +cifs_put_tcon => tcon refcount reach 0 + SMB2_tdis + close_shroot_lease + close_shroot_lease_locked => if cached root has lease && refcount = 0 + smb2_close_cached_fid => if cached root valid + SMB2_close => retry close in a thread if interrupted + smb2_handle_cancelled_close + __smb2_handle_cancelled_close => !! tcon refcount bump 0 => 1 !! + INIT_WORK(&cancelled->work, smb2_cancelled_close_fid); + queue_work(cifsiod_wq, &cancelled->work) => queue work + tconInfoFree(tcon); ==> freed! + cifs_put_smb_ses(ses); ==> freed! + +THREAD 2 (workqueue) +======== +smb2_cancelled_close_fid + SMB2_close(0, cancelled->tcon, ...); => use-after-free of tcon + cifs_put_tcon(cancelled->tcon); => tcon refcount reach 0 second time + *CRASH* + +Fixes: d9191319358d ("CIFS: Close cached root handle only if it has a lease") +Signed-off-by: Aurelien Aptel +Signed-off-by: Steve French +Reviewed-by: Pavel Shilovsky +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2misc.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -766,6 +766,20 @@ smb2_handle_cancelled_close(struct cifs_ + + cifs_dbg(FYI, "%s: tc_count=%d\n", __func__, tcon->tc_count); + spin_lock(&cifs_tcp_ses_lock); ++ if (tcon->tc_count <= 0) { ++ struct TCP_Server_Info *server = NULL; ++ ++ WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative"); ++ spin_unlock(&cifs_tcp_ses_lock); ++ ++ if (tcon->ses) ++ server = tcon->ses->server; ++ ++ cifs_server_dbg(FYI, "tid=%u: tcon is closing, skipping async close retry of fid %llu %llu\n", ++ tcon->tid, persistent_fid, volatile_fid); ++ ++ return 0; ++ } + tcon->tc_count++; + spin_unlock(&cifs_tcp_ses_lock); + diff --git a/queue-5.6/dma-debug-fix-displaying-of-dma-allocation-type.patch b/queue-5.6/dma-debug-fix-displaying-of-dma-allocation-type.patch new file mode 100644 index 00000000000..4d09af27279 --- /dev/null +++ b/queue-5.6/dma-debug-fix-displaying-of-dma-allocation-type.patch @@ -0,0 +1,51 @@ +From 9bb50ed7470944238ec8e30a94ef096caf9056ee Mon Sep 17 00:00:00 2001 +From: Grygorii Strashko +Date: Wed, 8 Apr 2020 22:43:00 +0300 +Subject: dma-debug: fix displaying of dma allocation type + +From: Grygorii Strashko + +commit 9bb50ed7470944238ec8e30a94ef096caf9056ee upstream. + +The commit 2e05ea5cdc1a ("dma-mapping: implement dma_map_single_attrs using +dma_map_page_attrs") removed "dma_debug_page" enum, but missed to update +type2name string table. This causes incorrect displaying of dma allocation +type. +Fix it by removing "page" string from type2name string table and switch to +use named initializers. + +Before (dma_alloc_coherent()): +k3-ringacc 4b800000.ringacc: scather-gather idx 2208 P=d1140000 N=d114 D=d1140000 L=40 DMA_BIDIRECTIONAL dma map error check not applicable +k3-ringacc 4b800000.ringacc: scather-gather idx 2216 P=d1150000 N=d115 D=d1150000 L=40 DMA_BIDIRECTIONAL dma map error check not applicable + +After: +k3-ringacc 4b800000.ringacc: coherent idx 2208 P=d1140000 N=d114 D=d1140000 L=40 DMA_BIDIRECTIONAL dma map error check not applicable +k3-ringacc 4b800000.ringacc: coherent idx 2216 P=d1150000 N=d115 D=d1150000 L=40 DMA_BIDIRECTIONAL dma map error check not applicable + +Fixes: 2e05ea5cdc1a ("dma-mapping: implement dma_map_single_attrs using dma_map_page_attrs") +Signed-off-by: Grygorii Strashko +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/dma/debug.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/kernel/dma/debug.c ++++ b/kernel/dma/debug.c +@@ -137,9 +137,12 @@ static const char *const maperr2str[] = + [MAP_ERR_CHECKED] = "dma map error checked", + }; + +-static const char *type2name[5] = { "single", "page", +- "scather-gather", "coherent", +- "resource" }; ++static const char *type2name[] = { ++ [dma_debug_single] = "single", ++ [dma_debug_sg] = "scather-gather", ++ [dma_debug_coherent] = "coherent", ++ [dma_debug_resource] = "resource", ++}; + + static const char *dir2name[4] = { "DMA_BIDIRECTIONAL", "DMA_TO_DEVICE", + "DMA_FROM_DEVICE", "DMA_NONE" }; diff --git a/queue-5.6/docs-fix-path-to-mtd-command-line-partition-parser.patch b/queue-5.6/docs-fix-path-to-mtd-command-line-partition-parser.patch new file mode 100644 index 00000000000..5e6b2b5c827 --- /dev/null +++ b/queue-5.6/docs-fix-path-to-mtd-command-line-partition-parser.patch @@ -0,0 +1,34 @@ +From fb2511247dc4061fd122d0195838278a4a0b7b59 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jonathan=20Neusch=C3=A4fer?= +Date: Tue, 18 Feb 2020 16:02:19 +0100 +Subject: docs: Fix path to MTD command line partition parser +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Neuschäfer + +commit fb2511247dc4061fd122d0195838278a4a0b7b59 upstream. + +cmdlinepart.c has been moved to drivers/mtd/parsers/. + +Fixes: a3f12a35c91d ("mtd: parsers: Move CMDLINE parser") +Signed-off-by: Jonathan Neuschäfer +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/admin-guide/kernel-parameters.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -2795,7 +2795,7 @@ + ,[,,,,] + + mtdparts= [MTD] +- See drivers/mtd/cmdlinepart.c. ++ See drivers/mtd/parsers/cmdlinepart.c + + multitce=off [PPC] This parameter disables the use of the pSeries + firmware feature for updating multiple TCE entries diff --git a/queue-5.6/fbdev-potential-information-leak-in-do_fb_ioctl.patch b/queue-5.6/fbdev-potential-information-leak-in-do_fb_ioctl.patch new file mode 100644 index 00000000000..6e7bd932d21 --- /dev/null +++ b/queue-5.6/fbdev-potential-information-leak-in-do_fb_ioctl.patch @@ -0,0 +1,46 @@ +From d3d19d6fc5736a798b118971935ce274f7deaa82 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 13 Jan 2020 14:08:14 +0300 +Subject: fbdev: potential information leak in do_fb_ioctl() + +From: Dan Carpenter + +commit d3d19d6fc5736a798b118971935ce274f7deaa82 upstream. + +The "fix" struct has a 2 byte hole after ->ywrapstep and the +"fix = info->fix;" assignment doesn't necessarily clear it. It depends +on the compiler. The solution is just to replace the assignment with an +memcpy(). + +Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held") +Signed-off-by: Dan Carpenter +Cc: Andrew Morton +Cc: Arnd Bergmann +Cc: "Eric W. Biederman" +Cc: Andrea Righi +Cc: Daniel Vetter +Cc: Sam Ravnborg +Cc: Maarten Lankhorst +Cc: Daniel Thompson +Cc: Peter Rosin +Cc: Jani Nikula +Cc: Gerd Hoffmann +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200113100132.ixpaymordi24n3av@kili.mountain +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/core/fbmem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1115,7 +1115,7 @@ static long do_fb_ioctl(struct fb_info * + break; + case FBIOGET_FSCREENINFO: + lock_fb_info(info); +- fix = info->fix; ++ memcpy(&fix, &info->fix, sizeof(fix)); + if (info->flags & FBINFO_HIDE_SMEM_START) + fix.smem_start = 0; + unlock_fb_info(info); diff --git a/queue-5.6/fbmem-adjust-indentation-in-fb_prepare_logo-and-fb_blank.patch b/queue-5.6/fbmem-adjust-indentation-in-fb_prepare_logo-and-fb_blank.patch new file mode 100644 index 00000000000..2ddd8708c79 --- /dev/null +++ b/queue-5.6/fbmem-adjust-indentation-in-fb_prepare_logo-and-fb_blank.patch @@ -0,0 +1,108 @@ +From 93166f5f2e4dc593cff8ca77ef828ac6f148b0f3 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 17 Dec 2019 20:00:25 -0700 +Subject: fbmem: Adjust indentation in fb_prepare_logo and fb_blank + +From: Nathan Chancellor + +commit 93166f5f2e4dc593cff8ca77ef828ac6f148b0f3 upstream. + +Clang warns: + +../drivers/video/fbdev/core/fbmem.c:665:3: warning: misleading +indentation; statement is not part of the previous 'else' +[-Wmisleading-indentation] + if (fb_logo.depth > 4 && depth > 4) { + ^ +../drivers/video/fbdev/core/fbmem.c:661:2: note: previous statement is +here + else + ^ +../drivers/video/fbdev/core/fbmem.c:1075:3: warning: misleading +indentation; statement is not part of the previous 'if' +[-Wmisleading-indentation] + return ret; + ^ +../drivers/video/fbdev/core/fbmem.c:1072:2: note: previous statement is +here + if (!ret) + ^ +2 warnings generated. + +This warning occurs because there are spaces before the tabs on these +lines. Normalize the indentation in these functions so that it is +consistent with the Linux kernel coding style and clang no longer warns. + +Fixes: 1692b37c99d5 ("fbdev: Fix logo if logo depth is less than framebuffer depth") +Link: https://github.com/ClangBuiltLinux/linux/issues/825 +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20191218030025.10064-1-natechancellor@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/core/fbmem.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -663,20 +663,20 @@ int fb_prepare_logo(struct fb_info *info + fb_logo.depth = 1; + + +- if (fb_logo.depth > 4 && depth > 4) { +- switch (info->fix.visual) { +- case FB_VISUAL_TRUECOLOR: +- fb_logo.needs_truepalette = 1; +- break; +- case FB_VISUAL_DIRECTCOLOR: +- fb_logo.needs_directpalette = 1; +- fb_logo.needs_cmapreset = 1; +- break; +- case FB_VISUAL_PSEUDOCOLOR: +- fb_logo.needs_cmapreset = 1; +- break; +- } +- } ++ if (fb_logo.depth > 4 && depth > 4) { ++ switch (info->fix.visual) { ++ case FB_VISUAL_TRUECOLOR: ++ fb_logo.needs_truepalette = 1; ++ break; ++ case FB_VISUAL_DIRECTCOLOR: ++ fb_logo.needs_directpalette = 1; ++ fb_logo.needs_cmapreset = 1; ++ break; ++ case FB_VISUAL_PSEUDOCOLOR: ++ fb_logo.needs_cmapreset = 1; ++ break; ++ } ++ } + + height = fb_logo.logo->height; + if (fb_center_logo) +@@ -1065,19 +1065,19 @@ fb_blank(struct fb_info *info, int blank + struct fb_event event; + int ret = -EINVAL; + +- if (blank > FB_BLANK_POWERDOWN) +- blank = FB_BLANK_POWERDOWN; ++ if (blank > FB_BLANK_POWERDOWN) ++ blank = FB_BLANK_POWERDOWN; + + event.info = info; + event.data = ␣ + + if (info->fbops->fb_blank) +- ret = info->fbops->fb_blank(blank, info); ++ ret = info->fbops->fb_blank(blank, info); + + if (!ret) + fb_notifier_call_chain(FB_EVENT_BLANK, &event); + +- return ret; ++ return ret; + } + EXPORT_SYMBOL(fb_blank); + diff --git a/queue-5.6/iio-si1133-read-24-bit-signed-integer-for-measurement.patch b/queue-5.6/iio-si1133-read-24-bit-signed-integer-for-measurement.patch new file mode 100644 index 00000000000..fd6c03b0c88 --- /dev/null +++ b/queue-5.6/iio-si1133-read-24-bit-signed-integer-for-measurement.patch @@ -0,0 +1,131 @@ +From 328b50e9a0ad1fe8accdf8c19923deebab5e0c01 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Maxime=20Roussin-B=C3=A9langer?= + +Date: Wed, 19 Feb 2020 12:40:08 -0500 +Subject: iio: si1133: read 24-bit signed integer for measurement +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxime Roussin-Bélanger + +commit 328b50e9a0ad1fe8accdf8c19923deebab5e0c01 upstream. + +The chip is configured in 24 bit mode. The values read from +it must always be treated as is. This fixes the issue by +replacing the previous 16 bits value by a 24 bits buffer. + +This changes affects the value output by previous version of +the driver, since the least significant byte was missing. +The upper half of 16 bit values previously output are now +the upper half of a 24 bit value. + +Fixes: e01e7eaf37d8 ("iio: light: introduce si1133") + +Reported-by: Simon Goyette +Co-authored-by: Guillaume Champagne +Signed-off-by: Maxime Roussin-Bélanger +Signed-off-by: Guillaume Champagne +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/light/si1133.c | 37 ++++++++++++++++++++++++------------- + 1 file changed, 24 insertions(+), 13 deletions(-) + +--- a/drivers/iio/light/si1133.c ++++ b/drivers/iio/light/si1133.c +@@ -102,6 +102,9 @@ + #define SI1133_INPUT_FRACTION_LOW 15 + #define SI1133_LUX_OUTPUT_FRACTION 12 + #define SI1133_LUX_BUFFER_SIZE 9 ++#define SI1133_MEASURE_BUFFER_SIZE 3 ++ ++#define SI1133_SIGN_BIT_INDEX 23 + + static const int si1133_scale_available[] = { + 1, 2, 4, 8, 16, 32, 64, 128}; +@@ -234,13 +237,13 @@ static const struct si1133_lux_coeff lux + } + }; + +-static int si1133_calculate_polynomial_inner(u32 input, u8 fraction, u16 mag, ++static int si1133_calculate_polynomial_inner(s32 input, u8 fraction, u16 mag, + s8 shift) + { + return ((input << fraction) / mag) << shift; + } + +-static int si1133_calculate_output(u32 x, u32 y, u8 x_order, u8 y_order, ++static int si1133_calculate_output(s32 x, s32 y, u8 x_order, u8 y_order, + u8 input_fraction, s8 sign, + const struct si1133_coeff *coeffs) + { +@@ -276,7 +279,7 @@ static int si1133_calculate_output(u32 x + * The algorithm is from: + * https://siliconlabs.github.io/Gecko_SDK_Doc/efm32zg/html/si1133_8c_source.html#l00716 + */ +-static int si1133_calc_polynomial(u32 x, u32 y, u8 input_fraction, u8 num_coeff, ++static int si1133_calc_polynomial(s32 x, s32 y, u8 input_fraction, u8 num_coeff, + const struct si1133_coeff *coeffs) + { + u8 x_order, y_order; +@@ -614,7 +617,7 @@ static int si1133_measure(struct si1133_ + { + int err; + +- __be16 resp; ++ u8 buffer[SI1133_MEASURE_BUFFER_SIZE]; + + err = si1133_set_adcmux(data, 0, chan->channel); + if (err) +@@ -625,12 +628,13 @@ static int si1133_measure(struct si1133_ + if (err) + return err; + +- err = si1133_bulk_read(data, SI1133_REG_HOSTOUT(0), sizeof(resp), +- (u8 *)&resp); ++ err = si1133_bulk_read(data, SI1133_REG_HOSTOUT(0), sizeof(buffer), ++ buffer); + if (err) + return err; + +- *val = be16_to_cpu(resp); ++ *val = sign_extend32((buffer[0] << 16) | (buffer[1] << 8) | buffer[2], ++ SI1133_SIGN_BIT_INDEX); + + return err; + } +@@ -704,9 +708,9 @@ static int si1133_get_lux(struct si1133_ + { + int err; + int lux; +- u32 high_vis; +- u32 low_vis; +- u32 ir; ++ s32 high_vis; ++ s32 low_vis; ++ s32 ir; + u8 buffer[SI1133_LUX_BUFFER_SIZE]; + + /* Activate lux channels */ +@@ -719,9 +723,16 @@ static int si1133_get_lux(struct si1133_ + if (err) + return err; + +- high_vis = (buffer[0] << 16) | (buffer[1] << 8) | buffer[2]; +- low_vis = (buffer[3] << 16) | (buffer[4] << 8) | buffer[5]; +- ir = (buffer[6] << 16) | (buffer[7] << 8) | buffer[8]; ++ high_vis = ++ sign_extend32((buffer[0] << 16) | (buffer[1] << 8) | buffer[2], ++ SI1133_SIGN_BIT_INDEX); ++ ++ low_vis = ++ sign_extend32((buffer[3] << 16) | (buffer[4] << 8) | buffer[5], ++ SI1133_SIGN_BIT_INDEX); ++ ++ ir = sign_extend32((buffer[6] << 16) | (buffer[7] << 8) | buffer[8], ++ SI1133_SIGN_BIT_INDEX); + + if (high_vis > SI1133_ADC_THRESHOLD || ir > SI1133_ADC_THRESHOLD) + lux = si1133_calc_polynomial(high_vis, ir, diff --git a/queue-5.6/iio-st_sensors-handle-memory-allocation-failure-to-fix-null-pointer-dereference.patch b/queue-5.6/iio-st_sensors-handle-memory-allocation-failure-to-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..2e53216c655 --- /dev/null +++ b/queue-5.6/iio-st_sensors-handle-memory-allocation-failure-to-fix-null-pointer-dereference.patch @@ -0,0 +1,44 @@ +From 9960c70949d4356abed8747a20637e0946bb0bad Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 21 Jan 2020 16:17:57 +0000 +Subject: iio: st_sensors: handle memory allocation failure to fix null pointer dereference + +From: Colin Ian King + +commit 9960c70949d4356abed8747a20637e0946bb0bad upstream. + +A null pointer deference on pdata can occur if the allocation of +pdata fails. Fix this by adding a null pointer check and handle +the -ENOMEM failure in the caller. + +Addresses-Coverity: ("Dereference null return value") +Fixes: 3ce85cc4fbb7 ("iio: st_sensors: get platform data from device tree") +Signed-off-by: Colin Ian King +Reviewed-by: Linus Walleij +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/common/st_sensors/st_sensors_core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/iio/common/st_sensors/st_sensors_core.c ++++ b/drivers/iio/common/st_sensors/st_sensors_core.c +@@ -328,6 +328,8 @@ static struct st_sensors_platform_data * + return NULL; + + pdata = devm_kzalloc(dev, sizeof(*pdata), GFP_KERNEL); ++ if (!pdata) ++ return ERR_PTR(-ENOMEM); + if (!device_property_read_u32(dev, "st,drdy-int-pin", &val) && (val <= 2)) + pdata->drdy_int_pin = (u8) val; + else +@@ -371,6 +373,8 @@ int st_sensors_init_sensor(struct iio_de + + /* If OF/DT pdata exists, it will take precedence of anything else */ + of_pdata = st_sensors_dev_probe(indio_dev->dev.parent, pdata); ++ if (IS_ERR(of_pdata)) ++ return PTR_ERR(of_pdata); + if (of_pdata) + pdata = of_pdata; + diff --git a/queue-5.6/keys-don-t-write-out-to-userspace-while-holding-key-semaphore.patch b/queue-5.6/keys-don-t-write-out-to-userspace-while-holding-key-semaphore.patch new file mode 100644 index 00000000000..a5e2ad78f1c --- /dev/null +++ b/queue-5.6/keys-don-t-write-out-to-userspace-while-holding-key-semaphore.patch @@ -0,0 +1,572 @@ +From d3ec10aa95819bff18a0d936b18884c7816d0914 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Sat, 21 Mar 2020 21:11:24 -0400 +Subject: KEYS: Don't write out to userspace while holding key semaphore + +From: Waiman Long + +commit d3ec10aa95819bff18a0d936b18884c7816d0914 upstream. + +A lockdep circular locking dependency report was seen when running a +keyutils test: + +[12537.027242] ====================================================== +[12537.059309] WARNING: possible circular locking dependency detected +[12537.088148] 4.18.0-147.7.1.el8_1.x86_64+debug #1 Tainted: G OE --------- - - +[12537.125253] ------------------------------------------------------ +[12537.153189] keyctl/25598 is trying to acquire lock: +[12537.175087] 000000007c39f96c (&mm->mmap_sem){++++}, at: __might_fault+0xc4/0x1b0 +[12537.208365] +[12537.208365] but task is already holding lock: +[12537.234507] 000000003de5b58d (&type->lock_class){++++}, at: keyctl_read_key+0x15a/0x220 +[12537.270476] +[12537.270476] which lock already depends on the new lock. +[12537.270476] +[12537.307209] +[12537.307209] the existing dependency chain (in reverse order) is: +[12537.340754] +[12537.340754] -> #3 (&type->lock_class){++++}: +[12537.367434] down_write+0x4d/0x110 +[12537.385202] __key_link_begin+0x87/0x280 +[12537.405232] request_key_and_link+0x483/0xf70 +[12537.427221] request_key+0x3c/0x80 +[12537.444839] dns_query+0x1db/0x5a5 [dns_resolver] +[12537.468445] dns_resolve_server_name_to_ip+0x1e1/0x4d0 [cifs] +[12537.496731] cifs_reconnect+0xe04/0x2500 [cifs] +[12537.519418] cifs_readv_from_socket+0x461/0x690 [cifs] +[12537.546263] cifs_read_from_socket+0xa0/0xe0 [cifs] +[12537.573551] cifs_demultiplex_thread+0x311/0x2db0 [cifs] +[12537.601045] kthread+0x30c/0x3d0 +[12537.617906] ret_from_fork+0x3a/0x50 +[12537.636225] +[12537.636225] -> #2 (root_key_user.cons_lock){+.+.}: +[12537.664525] __mutex_lock+0x105/0x11f0 +[12537.683734] request_key_and_link+0x35a/0xf70 +[12537.705640] request_key+0x3c/0x80 +[12537.723304] dns_query+0x1db/0x5a5 [dns_resolver] +[12537.746773] dns_resolve_server_name_to_ip+0x1e1/0x4d0 [cifs] +[12537.775607] cifs_reconnect+0xe04/0x2500 [cifs] +[12537.798322] cifs_readv_from_socket+0x461/0x690 [cifs] +[12537.823369] cifs_read_from_socket+0xa0/0xe0 [cifs] +[12537.847262] cifs_demultiplex_thread+0x311/0x2db0 [cifs] +[12537.873477] kthread+0x30c/0x3d0 +[12537.890281] ret_from_fork+0x3a/0x50 +[12537.908649] +[12537.908649] -> #1 (&tcp_ses->srv_mutex){+.+.}: +[12537.935225] __mutex_lock+0x105/0x11f0 +[12537.954450] cifs_call_async+0x102/0x7f0 [cifs] +[12537.977250] smb2_async_readv+0x6c3/0xc90 [cifs] +[12538.000659] cifs_readpages+0x120a/0x1e50 [cifs] +[12538.023920] read_pages+0xf5/0x560 +[12538.041583] __do_page_cache_readahead+0x41d/0x4b0 +[12538.067047] ondemand_readahead+0x44c/0xc10 +[12538.092069] filemap_fault+0xec1/0x1830 +[12538.111637] __do_fault+0x82/0x260 +[12538.129216] do_fault+0x419/0xfb0 +[12538.146390] __handle_mm_fault+0x862/0xdf0 +[12538.167408] handle_mm_fault+0x154/0x550 +[12538.187401] __do_page_fault+0x42f/0xa60 +[12538.207395] do_page_fault+0x38/0x5e0 +[12538.225777] page_fault+0x1e/0x30 +[12538.243010] +[12538.243010] -> #0 (&mm->mmap_sem){++++}: +[12538.267875] lock_acquire+0x14c/0x420 +[12538.286848] __might_fault+0x119/0x1b0 +[12538.306006] keyring_read_iterator+0x7e/0x170 +[12538.327936] assoc_array_subtree_iterate+0x97/0x280 +[12538.352154] keyring_read+0xe9/0x110 +[12538.370558] keyctl_read_key+0x1b9/0x220 +[12538.391470] do_syscall_64+0xa5/0x4b0 +[12538.410511] entry_SYSCALL_64_after_hwframe+0x6a/0xdf +[12538.435535] +[12538.435535] other info that might help us debug this: +[12538.435535] +[12538.472829] Chain exists of: +[12538.472829] &mm->mmap_sem --> root_key_user.cons_lock --> &type->lock_class +[12538.472829] +[12538.524820] Possible unsafe locking scenario: +[12538.524820] +[12538.551431] CPU0 CPU1 +[12538.572654] ---- ---- +[12538.595865] lock(&type->lock_class); +[12538.613737] lock(root_key_user.cons_lock); +[12538.644234] lock(&type->lock_class); +[12538.672410] lock(&mm->mmap_sem); +[12538.687758] +[12538.687758] *** DEADLOCK *** +[12538.687758] +[12538.714455] 1 lock held by keyctl/25598: +[12538.732097] #0: 000000003de5b58d (&type->lock_class){++++}, at: keyctl_read_key+0x15a/0x220 +[12538.770573] +[12538.770573] stack backtrace: +[12538.790136] CPU: 2 PID: 25598 Comm: keyctl Kdump: loaded Tainted: G +[12538.844855] Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 12/27/2015 +[12538.881963] Call Trace: +[12538.892897] dump_stack+0x9a/0xf0 +[12538.907908] print_circular_bug.isra.25.cold.50+0x1bc/0x279 +[12538.932891] ? save_trace+0xd6/0x250 +[12538.948979] check_prev_add.constprop.32+0xc36/0x14f0 +[12538.971643] ? keyring_compare_object+0x104/0x190 +[12538.992738] ? check_usage+0x550/0x550 +[12539.009845] ? sched_clock+0x5/0x10 +[12539.025484] ? sched_clock_cpu+0x18/0x1e0 +[12539.043555] __lock_acquire+0x1f12/0x38d0 +[12539.061551] ? trace_hardirqs_on+0x10/0x10 +[12539.080554] lock_acquire+0x14c/0x420 +[12539.100330] ? __might_fault+0xc4/0x1b0 +[12539.119079] __might_fault+0x119/0x1b0 +[12539.135869] ? __might_fault+0xc4/0x1b0 +[12539.153234] keyring_read_iterator+0x7e/0x170 +[12539.172787] ? keyring_read+0x110/0x110 +[12539.190059] assoc_array_subtree_iterate+0x97/0x280 +[12539.211526] keyring_read+0xe9/0x110 +[12539.227561] ? keyring_gc_check_iterator+0xc0/0xc0 +[12539.249076] keyctl_read_key+0x1b9/0x220 +[12539.266660] do_syscall_64+0xa5/0x4b0 +[12539.283091] entry_SYSCALL_64_after_hwframe+0x6a/0xdf + +One way to prevent this deadlock scenario from happening is to not +allow writing to userspace while holding the key semaphore. Instead, +an internal buffer is allocated for getting the keys out from the +read method first before copying them out to userspace without holding +the lock. + +That requires taking out the __user modifier from all the relevant +read methods as well as additional changes to not use any userspace +write helpers. That is, + + 1) The put_user() call is replaced by a direct copy. + 2) The copy_to_user() call is replaced by memcpy(). + 3) All the fault handling code is removed. + +Compiling on a x86-64 system, the size of the rxrpc_read() function is +reduced from 3795 bytes to 2384 bytes with this patch. + +Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Waiman Long +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + include/keys/big_key-type.h | 2 + include/keys/user-type.h | 3 - + include/linux/key-type.h | 2 + net/dns_resolver/dns_key.c | 2 + net/rxrpc/key.c | 27 +++-------- + security/keys/big_key.c | 11 +--- + security/keys/encrypted-keys/encrypted.c | 7 +- + security/keys/keyctl.c | 73 +++++++++++++++++++++++------- + security/keys/keyring.c | 6 -- + security/keys/request_key_auth.c | 7 +- + security/keys/trusted-keys/trusted_tpm1.c | 14 ----- + security/keys/user_defined.c | 5 -- + 12 files changed, 85 insertions(+), 74 deletions(-) + +--- a/include/keys/big_key-type.h ++++ b/include/keys/big_key-type.h +@@ -17,6 +17,6 @@ extern void big_key_free_preparse(struct + extern void big_key_revoke(struct key *key); + extern void big_key_destroy(struct key *key); + extern void big_key_describe(const struct key *big_key, struct seq_file *m); +-extern long big_key_read(const struct key *key, char __user *buffer, size_t buflen); ++extern long big_key_read(const struct key *key, char *buffer, size_t buflen); + + #endif /* _KEYS_BIG_KEY_TYPE_H */ +--- a/include/keys/user-type.h ++++ b/include/keys/user-type.h +@@ -41,8 +41,7 @@ extern int user_update(struct key *key, + extern void user_revoke(struct key *key); + extern void user_destroy(struct key *key); + extern void user_describe(const struct key *user, struct seq_file *m); +-extern long user_read(const struct key *key, +- char __user *buffer, size_t buflen); ++extern long user_read(const struct key *key, char *buffer, size_t buflen); + + static inline const struct user_key_payload *user_key_payload_rcu(const struct key *key) + { +--- a/include/linux/key-type.h ++++ b/include/linux/key-type.h +@@ -127,7 +127,7 @@ struct key_type { + * much is copied into the buffer + * - shouldn't do the copy if the buffer is NULL + */ +- long (*read)(const struct key *key, char __user *buffer, size_t buflen); ++ long (*read)(const struct key *key, char *buffer, size_t buflen); + + /* handle request_key() for this type instead of invoking + * /sbin/request-key (optional) +--- a/net/dns_resolver/dns_key.c ++++ b/net/dns_resolver/dns_key.c +@@ -302,7 +302,7 @@ static void dns_resolver_describe(const + * - the key's semaphore is read-locked + */ + static long dns_resolver_read(const struct key *key, +- char __user *buffer, size_t buflen) ++ char *buffer, size_t buflen) + { + int err = PTR_ERR(key->payload.data[dns_key_error]); + +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -31,7 +31,7 @@ static void rxrpc_free_preparse_s(struct + static void rxrpc_destroy(struct key *); + static void rxrpc_destroy_s(struct key *); + static void rxrpc_describe(const struct key *, struct seq_file *); +-static long rxrpc_read(const struct key *, char __user *, size_t); ++static long rxrpc_read(const struct key *, char *, size_t); + + /* + * rxrpc defined keys take an arbitrary string as the description and an +@@ -1042,12 +1042,12 @@ EXPORT_SYMBOL(rxrpc_get_null_key); + * - this returns the result in XDR form + */ + static long rxrpc_read(const struct key *key, +- char __user *buffer, size_t buflen) ++ char *buffer, size_t buflen) + { + const struct rxrpc_key_token *token; + const struct krb5_principal *princ; + size_t size; +- __be32 __user *xdr, *oldxdr; ++ __be32 *xdr, *oldxdr; + u32 cnlen, toksize, ntoks, tok, zero; + u16 toksizes[AFSTOKEN_MAX]; + int loop; +@@ -1124,30 +1124,25 @@ static long rxrpc_read(const struct key + if (!buffer || buflen < size) + return size; + +- xdr = (__be32 __user *) buffer; ++ xdr = (__be32 *)buffer; + zero = 0; + #define ENCODE(x) \ + do { \ +- __be32 y = htonl(x); \ +- if (put_user(y, xdr++) < 0) \ +- goto fault; \ ++ *xdr++ = htonl(x); \ + } while(0) + #define ENCODE_DATA(l, s) \ + do { \ + u32 _l = (l); \ + ENCODE(l); \ +- if (copy_to_user(xdr, (s), _l) != 0) \ +- goto fault; \ +- if (_l & 3 && \ +- copy_to_user((u8 __user *)xdr + _l, &zero, 4 - (_l & 3)) != 0) \ +- goto fault; \ ++ memcpy(xdr, (s), _l); \ ++ if (_l & 3) \ ++ memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \ + xdr += (_l + 3) >> 2; \ + } while(0) + #define ENCODE64(x) \ + do { \ + __be64 y = cpu_to_be64(x); \ +- if (copy_to_user(xdr, &y, 8) != 0) \ +- goto fault; \ ++ memcpy(xdr, &y, 8); \ + xdr += 8 >> 2; \ + } while(0) + #define ENCODE_STR(s) \ +@@ -1238,8 +1233,4 @@ static long rxrpc_read(const struct key + ASSERTCMP((char __user *) xdr - buffer, ==, size); + _leave(" = %zu", size); + return size; +- +-fault: +- _leave(" = -EFAULT"); +- return -EFAULT; + } +--- a/security/keys/big_key.c ++++ b/security/keys/big_key.c +@@ -352,7 +352,7 @@ void big_key_describe(const struct key * + * read the key data + * - the key's semaphore is read-locked + */ +-long big_key_read(const struct key *key, char __user *buffer, size_t buflen) ++long big_key_read(const struct key *key, char *buffer, size_t buflen) + { + size_t datalen = (size_t)key->payload.data[big_key_len]; + long ret; +@@ -391,9 +391,8 @@ long big_key_read(const struct key *key, + + ret = datalen; + +- /* copy decrypted data to user */ +- if (copy_to_user(buffer, buf->virt, datalen) != 0) +- ret = -EFAULT; ++ /* copy out decrypted data */ ++ memcpy(buffer, buf->virt, datalen); + + err_fput: + fput(file); +@@ -401,9 +400,7 @@ error: + big_key_free_buffer(buf); + } else { + ret = datalen; +- if (copy_to_user(buffer, key->payload.data[big_key_data], +- datalen) != 0) +- ret = -EFAULT; ++ memcpy(buffer, key->payload.data[big_key_data], datalen); + } + + return ret; +--- a/security/keys/encrypted-keys/encrypted.c ++++ b/security/keys/encrypted-keys/encrypted.c +@@ -902,14 +902,14 @@ out: + } + + /* +- * encrypted_read - format and copy the encrypted data to userspace ++ * encrypted_read - format and copy out the encrypted data + * + * The resulting datablob format is: + * + * + * On success, return to userspace the encrypted key datablob size. + */ +-static long encrypted_read(const struct key *key, char __user *buffer, ++static long encrypted_read(const struct key *key, char *buffer, + size_t buflen) + { + struct encrypted_key_payload *epayload; +@@ -957,8 +957,7 @@ static long encrypted_read(const struct + key_put(mkey); + memzero_explicit(derived_key, sizeof(derived_key)); + +- if (copy_to_user(buffer, ascii_buf, asciiblob_len) != 0) +- ret = -EFAULT; ++ memcpy(buffer, ascii_buf, asciiblob_len); + kzfree(ascii_buf); + + return asciiblob_len; +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -798,6 +798,21 @@ error: + } + + /* ++ * Call the read method ++ */ ++static long __keyctl_read_key(struct key *key, char *buffer, size_t buflen) ++{ ++ long ret; ++ ++ down_read(&key->sem); ++ ret = key_validate(key); ++ if (ret == 0) ++ ret = key->type->read(key, buffer, buflen); ++ up_read(&key->sem); ++ return ret; ++} ++ ++/* + * Read a key's payload. + * + * The key must either grant the caller Read permission, or it must grant the +@@ -812,26 +827,27 @@ long keyctl_read_key(key_serial_t keyid, + struct key *key; + key_ref_t key_ref; + long ret; ++ char *key_data; + + /* find the key first */ + key_ref = lookup_user_key(keyid, 0, 0); + if (IS_ERR(key_ref)) { + ret = -ENOKEY; +- goto error; ++ goto out; + } + + key = key_ref_to_ptr(key_ref); + + ret = key_read_state(key); + if (ret < 0) +- goto error2; /* Negatively instantiated */ ++ goto key_put_out; /* Negatively instantiated */ + + /* see if we can read it directly */ + ret = key_permission(key_ref, KEY_NEED_READ); + if (ret == 0) + goto can_read_key; + if (ret != -EACCES) +- goto error2; ++ goto key_put_out; + + /* we can't; see if it's searchable from this process's keyrings + * - we automatically take account of the fact that it may be +@@ -839,26 +855,51 @@ long keyctl_read_key(key_serial_t keyid, + */ + if (!is_key_possessed(key_ref)) { + ret = -EACCES; +- goto error2; ++ goto key_put_out; + } + + /* the key is probably readable - now try to read it */ + can_read_key: +- ret = -EOPNOTSUPP; +- if (key->type->read) { +- /* Read the data with the semaphore held (since we might sleep) +- * to protect against the key being updated or revoked. +- */ +- down_read(&key->sem); +- ret = key_validate(key); +- if (ret == 0) +- ret = key->type->read(key, buffer, buflen); +- up_read(&key->sem); ++ if (!key->type->read) { ++ ret = -EOPNOTSUPP; ++ goto key_put_out; ++ } ++ ++ if (!buffer || !buflen) { ++ /* Get the key length from the read method */ ++ ret = __keyctl_read_key(key, NULL, 0); ++ goto key_put_out; ++ } ++ ++ /* ++ * Read the data with the semaphore held (since we might sleep) ++ * to protect against the key being updated or revoked. ++ * ++ * Allocating a temporary buffer to hold the keys before ++ * transferring them to user buffer to avoid potential ++ * deadlock involving page fault and mmap_sem. ++ */ ++ key_data = kmalloc(buflen, GFP_KERNEL); ++ ++ if (!key_data) { ++ ret = -ENOMEM; ++ goto key_put_out; ++ } ++ ret = __keyctl_read_key(key, key_data, buflen); ++ ++ /* ++ * Read methods will just return the required length without ++ * any copying if the provided length isn't large enough. ++ */ ++ if (ret > 0 && ret <= buflen) { ++ if (copy_to_user(buffer, key_data, ret)) ++ ret = -EFAULT; + } ++ kzfree(key_data); + +-error2: ++key_put_out: + key_put(key); +-error: ++out: + return ret; + } + +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -459,7 +459,6 @@ static int keyring_read_iterator(const v + { + struct keyring_read_iterator_context *ctx = data; + const struct key *key = keyring_ptr_to_key(object); +- int ret; + + kenter("{%s,%d},,{%zu/%zu}", + key->type->name, key->serial, ctx->count, ctx->buflen); +@@ -467,10 +466,7 @@ static int keyring_read_iterator(const v + if (ctx->count >= ctx->buflen) + return 1; + +- ret = put_user(key->serial, ctx->buffer); +- if (ret < 0) +- return ret; +- ctx->buffer++; ++ *ctx->buffer++ = key->serial; + ctx->count += sizeof(key->serial); + return 0; + } +--- a/security/keys/request_key_auth.c ++++ b/security/keys/request_key_auth.c +@@ -22,7 +22,7 @@ static int request_key_auth_instantiate( + static void request_key_auth_describe(const struct key *, struct seq_file *); + static void request_key_auth_revoke(struct key *); + static void request_key_auth_destroy(struct key *); +-static long request_key_auth_read(const struct key *, char __user *, size_t); ++static long request_key_auth_read(const struct key *, char *, size_t); + + /* + * The request-key authorisation key type definition. +@@ -80,7 +80,7 @@ static void request_key_auth_describe(co + * - the key's semaphore is read-locked + */ + static long request_key_auth_read(const struct key *key, +- char __user *buffer, size_t buflen) ++ char *buffer, size_t buflen) + { + struct request_key_auth *rka = dereference_key_locked(key); + size_t datalen; +@@ -97,8 +97,7 @@ static long request_key_auth_read(const + if (buflen > datalen) + buflen = datalen; + +- if (copy_to_user(buffer, rka->callout_info, buflen) != 0) +- ret = -EFAULT; ++ memcpy(buffer, rka->callout_info, buflen); + } + + return ret; +--- a/security/keys/trusted-keys/trusted_tpm1.c ++++ b/security/keys/trusted-keys/trusted_tpm1.c +@@ -1130,11 +1130,10 @@ out: + * trusted_read - copy the sealed blob data to userspace in hex. + * On success, return to userspace the trusted key datablob size. + */ +-static long trusted_read(const struct key *key, char __user *buffer, ++static long trusted_read(const struct key *key, char *buffer, + size_t buflen) + { + const struct trusted_key_payload *p; +- char *ascii_buf; + char *bufp; + int i; + +@@ -1143,18 +1142,9 @@ static long trusted_read(const struct ke + return -EINVAL; + + if (buffer && buflen >= 2 * p->blob_len) { +- ascii_buf = kmalloc_array(2, p->blob_len, GFP_KERNEL); +- if (!ascii_buf) +- return -ENOMEM; +- +- bufp = ascii_buf; ++ bufp = buffer; + for (i = 0; i < p->blob_len; i++) + bufp = hex_byte_pack(bufp, p->blob[i]); +- if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) { +- kzfree(ascii_buf); +- return -EFAULT; +- } +- kzfree(ascii_buf); + } + return 2 * p->blob_len; + } +--- a/security/keys/user_defined.c ++++ b/security/keys/user_defined.c +@@ -168,7 +168,7 @@ EXPORT_SYMBOL_GPL(user_describe); + * read the key data + * - the key's semaphore is read-locked + */ +-long user_read(const struct key *key, char __user *buffer, size_t buflen) ++long user_read(const struct key *key, char *buffer, size_t buflen) + { + const struct user_key_payload *upayload; + long ret; +@@ -181,8 +181,7 @@ long user_read(const struct key *key, ch + if (buflen > upayload->datalen) + buflen = upayload->datalen; + +- if (copy_to_user(buffer, upayload->data, buflen) != 0) +- ret = -EFAULT; ++ memcpy(buffer, upayload->data, buflen); + } + + return ret; diff --git a/queue-5.6/locktorture-print-ratio-of-acquisitions-not-failures.patch b/queue-5.6/locktorture-print-ratio-of-acquisitions-not-failures.patch new file mode 100644 index 00000000000..96833168b34 --- /dev/null +++ b/queue-5.6/locktorture-print-ratio-of-acquisitions-not-failures.patch @@ -0,0 +1,50 @@ +From 80c503e0e68fbe271680ab48f0fe29bc034b01b7 Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Thu, 23 Jan 2020 09:19:01 -0800 +Subject: locktorture: Print ratio of acquisitions, not failures + +From: Paul E. McKenney + +commit 80c503e0e68fbe271680ab48f0fe29bc034b01b7 upstream. + +The __torture_print_stats() function in locktorture.c carefully +initializes local variable "min" to statp[0].n_lock_acquired, but +then compares it to statp[i].n_lock_fail. Given that the .n_lock_fail +field should normally be zero, and given the initialization, it seems +reasonable to display the maximum and minimum number acquisitions +instead of miscomputing the maximum and minimum number of failures. +This commit therefore switches from failures to acquisitions. + +And this turns out to be not only a day-zero bug, but entirely my +own fault. I hate it when that happens! + +Fixes: 0af3fe1efa53 ("locktorture: Add a lock-torture kernel module") +Reported-by: Will Deacon +Signed-off-by: Paul E. McKenney +Acked-by: Will Deacon +Cc: Davidlohr Bueso +Cc: Josh Triplett +Cc: Peter Zijlstra +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/locking/locktorture.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/locking/locktorture.c ++++ b/kernel/locking/locktorture.c +@@ -696,10 +696,10 @@ static void __torture_print_stats(char * + if (statp[i].n_lock_fail) + fail = true; + sum += statp[i].n_lock_acquired; +- if (max < statp[i].n_lock_fail) +- max = statp[i].n_lock_fail; +- if (min > statp[i].n_lock_fail) +- min = statp[i].n_lock_fail; ++ if (max < statp[i].n_lock_acquired) ++ max = statp[i].n_lock_acquired; ++ if (min > statp[i].n_lock_acquired) ++ min = statp[i].n_lock_acquired; + } + page += sprintf(page, + "%s: Total: %lld Max/Min: %ld/%ld %s Fail: %d %s\n", diff --git a/queue-5.6/mtd-lpddr-fix-a-double-free-in-probe.patch b/queue-5.6/mtd-lpddr-fix-a-double-free-in-probe.patch new file mode 100644 index 00000000000..c4ac3ca547e --- /dev/null +++ b/queue-5.6/mtd-lpddr-fix-a-double-free-in-probe.patch @@ -0,0 +1,33 @@ +From 4da0ea71ea934af18db4c63396ba2af1a679ef02 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 28 Feb 2020 12:25:54 +0300 +Subject: mtd: lpddr: Fix a double free in probe() + +From: Dan Carpenter + +commit 4da0ea71ea934af18db4c63396ba2af1a679ef02 upstream. + +This function is only called from lpddr_probe(). We free "lpddr" both +here and in the caller, so it's a double free. The best place to free +"lpddr" is in lpddr_probe() so let's delete this one. + +Fixes: 8dc004395d5e ("[MTD] LPDDR qinfo probing.") +Signed-off-by: Dan Carpenter +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200228092554.o57igp3nqhyvf66t@kili.mountain +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/lpddr/lpddr_cmds.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/mtd/lpddr/lpddr_cmds.c ++++ b/drivers/mtd/lpddr/lpddr_cmds.c +@@ -68,7 +68,6 @@ struct mtd_info *lpddr_cmdset(struct map + shared = kmalloc_array(lpddr->numchips, sizeof(struct flchip_shared), + GFP_KERNEL); + if (!shared) { +- kfree(lpddr); + kfree(mtd); + return NULL; + } diff --git a/queue-5.6/mtd-phram-fix-a-double-free-issue-in-error-path.patch b/queue-5.6/mtd-phram-fix-a-double-free-issue-in-error-path.patch new file mode 100644 index 00000000000..19e33ff787b --- /dev/null +++ b/queue-5.6/mtd-phram-fix-a-double-free-issue-in-error-path.patch @@ -0,0 +1,64 @@ +From 49c64df880570034308e4a9a49c4bc95cf8cdb33 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Wed, 18 Mar 2020 23:31:56 +0800 +Subject: mtd: phram: fix a double free issue in error path + +From: Wen Yang + +commit 49c64df880570034308e4a9a49c4bc95cf8cdb33 upstream. + +The variable 'name' is released multiple times in the error path, +which may cause double free issues. +This problem is avoided by adding a goto label to release the memory +uniformly. And this change also makes the code a bit more cleaner. + +Fixes: 4f678a58d335 ("mtd: fix memory leaks in phram_setup") +Signed-off-by: Wen Yang +Cc: Joern Engel +Cc: Miquel Raynal +Cc: Richard Weinberger +Cc: Vignesh Raghavendra +Cc: linux-mtd@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200318153156.25612-1-wenyang@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/devices/phram.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/mtd/devices/phram.c ++++ b/drivers/mtd/devices/phram.c +@@ -243,22 +243,25 @@ static int phram_setup(const char *val) + + ret = parse_num64(&start, token[1]); + if (ret) { +- kfree(name); + parse_err("illegal start address\n"); ++ goto error; + } + + ret = parse_num64(&len, token[2]); + if (ret) { +- kfree(name); + parse_err("illegal device length\n"); ++ goto error; + } + + ret = register_device(name, start, len); +- if (!ret) +- pr_info("%s device: %#llx at %#llx\n", name, len, start); +- else +- kfree(name); ++ if (ret) ++ goto error; + ++ pr_info("%s device: %#llx at %#llx\n", name, len, start); ++ return 0; ++ ++error: ++ kfree(name); + return ret; + } + diff --git a/queue-5.6/mtd-rawnand-free-the-nand_device-object.patch b/queue-5.6/mtd-rawnand-free-the-nand_device-object.patch new file mode 100644 index 00000000000..159221488b0 --- /dev/null +++ b/queue-5.6/mtd-rawnand-free-the-nand_device-object.patch @@ -0,0 +1,32 @@ +From 009264605cdf1b12962c3a46f75818d05452e890 Mon Sep 17 00:00:00 2001 +From: Christophe Kerello +Date: Thu, 23 Jan 2020 09:22:48 +0100 +Subject: mtd: rawnand: free the nand_device object + +From: Christophe Kerello + +commit 009264605cdf1b12962c3a46f75818d05452e890 upstream. + +This patch releases the resources allocated in nanddev_init function. + +Fixes: a7ab085d7c16 ("mtd: rawnand: Initialize the nand_device object") +Signed-off-by: Christophe Kerello +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/1579767768-32295-1-git-send-email-christophe.kerello@st.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/raw/nand_base.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -5907,6 +5907,8 @@ void nand_cleanup(struct nand_chip *chip + chip->ecc.algo == NAND_ECC_BCH) + nand_bch_free((struct nand_bch_control *)chip->ecc.priv); + ++ nanddev_cleanup(&chip->base); ++ + /* Free bad block table memory */ + kfree(chip->bbt); + kfree(chip->data_buf); diff --git a/queue-5.6/mtd-spinand-explicitly-use-mtd_ops_raw-to-write-the-bad-block-marker-to-oob.patch b/queue-5.6/mtd-spinand-explicitly-use-mtd_ops_raw-to-write-the-bad-block-marker-to-oob.patch new file mode 100644 index 00000000000..468bad53993 --- /dev/null +++ b/queue-5.6/mtd-spinand-explicitly-use-mtd_ops_raw-to-write-the-bad-block-marker-to-oob.patch @@ -0,0 +1,38 @@ +From 621a7b780bd8b7054647d53d5071961f2c9e0873 Mon Sep 17 00:00:00 2001 +From: Frieder Schrempf +Date: Tue, 18 Feb 2020 10:05:25 +0000 +Subject: mtd: spinand: Explicitly use MTD_OPS_RAW to write the bad block marker to OOB + +From: Frieder Schrempf + +commit 621a7b780bd8b7054647d53d5071961f2c9e0873 upstream. + +When writing the bad block marker to the OOB area the access mode +should be set to MTD_OPS_RAW as it is done for reading the marker. +Currently this only works because req.mode is initialized to +MTD_OPS_PLACE_OOB (0) and spinand_write_to_cache_op() checks for +req.mode != MTD_OPS_AUTO_OOB. + +Fix this by explicitly setting req.mode to MTD_OPS_RAW. + +Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs") +Signed-off-by: Frieder Schrempf +Reviewed-by: Boris Brezillon +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200218100432.32433-3-frieder.schrempf@kontron.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/spi/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mtd/nand/spi/core.c ++++ b/drivers/mtd/nand/spi/core.c +@@ -609,6 +609,7 @@ static int spinand_markbad(struct nand_d + .ooboffs = 0, + .ooblen = sizeof(marker), + .oobbuf.out = marker, ++ .mode = MTD_OPS_RAW, + }; + int ret; + diff --git a/queue-5.6/net-dsa-bcm_sf2-fix-overflow-checks.patch b/queue-5.6/net-dsa-bcm_sf2-fix-overflow-checks.patch new file mode 100644 index 00000000000..6c52239deb2 --- /dev/null +++ b/queue-5.6/net-dsa-bcm_sf2-fix-overflow-checks.patch @@ -0,0 +1,59 @@ +From d0802dc411f469569a537283b6f3833af47aece9 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Mon, 30 Mar 2020 14:38:46 -0700 +Subject: net: dsa: bcm_sf2: Fix overflow checks + +From: Florian Fainelli + +commit d0802dc411f469569a537283b6f3833af47aece9 upstream. + +Commit f949a12fd697 ("net: dsa: bcm_sf2: fix buffer overflow doing +set_rxnfc") tried to fix the some user controlled buffer overflows in +bcm_sf2_cfp_rule_set() and bcm_sf2_cfp_rule_del() but the fix was using +CFP_NUM_RULES, which while it is correct not to overflow the bitmaps, is +not representative of what the device actually supports. Correct that by +using bcm_sf2_cfp_rule_size() instead. + +The latter subtracts the number of rules by 1, so change the checks from +greater than or equal to greater than accordingly. + +Fixes: f949a12fd697 ("net: dsa: bcm_sf2: fix buffer overflow doing set_rxnfc") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/dsa/bcm_sf2_cfp.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/net/dsa/bcm_sf2_cfp.c ++++ b/drivers/net/dsa/bcm_sf2_cfp.c +@@ -882,17 +882,14 @@ static int bcm_sf2_cfp_rule_set(struct d + fs->m_ext.data[1])) + return -EINVAL; + +- if (fs->location != RX_CLS_LOC_ANY && fs->location >= CFP_NUM_RULES) ++ if (fs->location != RX_CLS_LOC_ANY && ++ fs->location > bcm_sf2_cfp_rule_size(priv)) + return -EINVAL; + + if (fs->location != RX_CLS_LOC_ANY && + test_bit(fs->location, priv->cfp.used)) + return -EBUSY; + +- if (fs->location != RX_CLS_LOC_ANY && +- fs->location > bcm_sf2_cfp_rule_size(priv)) +- return -EINVAL; +- + ret = bcm_sf2_cfp_rule_cmp(priv, port, fs); + if (ret == 0) + return -EEXIST; +@@ -973,7 +970,7 @@ static int bcm_sf2_cfp_rule_del(struct b + struct cfp_rule *rule; + int ret; + +- if (loc >= CFP_NUM_RULES) ++ if (loc > bcm_sf2_cfp_rule_size(priv)) + return -EINVAL; + + /* Refuse deleting unused rules, and those that are not unique since diff --git a/queue-5.6/series b/queue-5.6/series index 525bab832bf..c9a4911696e 100644 --- a/queue-5.6/series +++ b/queue-5.6/series @@ -144,3 +144,23 @@ f2fs-fix-leaking-uninitialized-memory-in-compressed-.patch f2fs-fix-to-wait-all-node-page-writeback.patch platform-chrome-cros_ec-query-ec-protocol-version-if.patch drm-nouveau-gr-gp107-gp108-implement-workaround-for-.patch +net-dsa-bcm_sf2-fix-overflow-checks.patch +cifs-ignore-cached-share-root-handle-closing-errors.patch +dma-debug-fix-displaying-of-dma-allocation-type.patch +fbdev-potential-information-leak-in-do_fb_ioctl.patch +arm-dts-sunxi-fix-de2-clocks-register-range.patch +iio-si1133-read-24-bit-signed-integer-for-measurement.patch +fbmem-adjust-indentation-in-fb_prepare_logo-and-fb_blank.patch +tty-evh_bytechan-fix-out-of-bounds-accesses.patch +iio-st_sensors-handle-memory-allocation-failure-to-fix-null-pointer-dereference.patch +locktorture-print-ratio-of-acquisitions-not-failures.patch +mtd-rawnand-free-the-nand_device-object.patch +mtd-spinand-explicitly-use-mtd_ops_raw-to-write-the-bad-block-marker-to-oob.patch +docs-fix-path-to-mtd-command-line-partition-parser.patch +mtd-lpddr-fix-a-double-free-in-probe.patch +mtd-phram-fix-a-double-free-issue-in-error-path.patch +keys-don-t-write-out-to-userspace-while-holding-key-semaphore.patch +bpf-fix-buggy-r0-retval-refinement-for-tracing-helpers.patch +bpf-test_verifier-bpf_get_stack-return-value-add-0.patch +bpf-test_progs-add-test-to-catch-retval-refine-error-handling.patch +bpf-test_verifier-switch-bpf_get_stack-s-0-s-r8-test.patch diff --git a/queue-5.6/tty-evh_bytechan-fix-out-of-bounds-accesses.patch b/queue-5.6/tty-evh_bytechan-fix-out-of-bounds-accesses.patch new file mode 100644 index 00000000000..cc5a710f61d --- /dev/null +++ b/queue-5.6/tty-evh_bytechan-fix-out-of-bounds-accesses.patch @@ -0,0 +1,111 @@ +From 3670664b5da555a2a481449b3baafff113b0ac35 Mon Sep 17 00:00:00 2001 +From: Stephen Rothwell +Date: Thu, 9 Jan 2020 18:39:12 +1100 +Subject: tty: evh_bytechan: Fix out of bounds accesses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stephen Rothwell + +commit 3670664b5da555a2a481449b3baafff113b0ac35 upstream. + +ev_byte_channel_send() assumes that its third argument is a 16 byte +array. Some places where it is called it may not be (or we can't +easily tell if it is). Newer compilers have started producing warnings +about this, so make sure we actually pass a 16 byte array. + +There may be more elegant solutions to this, but the driver is quite +old and hasn't been updated in many years. + +The warnings (from a powerpc allyesconfig build) are: + + In file included from include/linux/byteorder/big_endian.h:5, + from arch/powerpc/include/uapi/asm/byteorder.h:14, + from include/asm-generic/bitops/le.h:6, + from arch/powerpc/include/asm/bitops.h:250, + from include/linux/bitops.h:29, + from include/linux/kernel.h:12, + from include/asm-generic/bug.h:19, + from arch/powerpc/include/asm/bug.h:109, + from include/linux/bug.h:5, + from include/linux/mmdebug.h:5, + from include/linux/gfp.h:5, + from include/linux/slab.h:15, + from drivers/tty/ehv_bytechan.c:24: + drivers/tty/ehv_bytechan.c: In function ‘ehv_bc_udbg_putc’: + arch/powerpc/include/asm/epapr_hcalls.h:298:20: warning: array subscript 1 is outside array bounds of ‘const char[1]’ [-Warray-bounds] + 298 | r6 = be32_to_cpu(p[1]); + include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of macro ‘__be32_to_cpu’ + 40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x)) + | ^ + arch/powerpc/include/asm/epapr_hcalls.h:298:7: note: in expansion of macro ‘be32_to_cpu’ + 298 | r6 = be32_to_cpu(p[1]); + | ^~~~~~~~~~~ + drivers/tty/ehv_bytechan.c:166:13: note: while referencing ‘data’ + 166 | static void ehv_bc_udbg_putc(char c) + | ^~~~~~~~~~~~~~~~ + +Fixes: dcd83aaff1c8 ("tty/powerpc: introduce the ePAPR embedded hypervisor byte channel driver") +Signed-off-by: Stephen Rothwell +Tested-by: Laurentiu Tudor +[mpe: Trim warnings from change log] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200109183912.5fcb52aa@canb.auug.org.au +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/ehv_bytechan.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/tty/ehv_bytechan.c ++++ b/drivers/tty/ehv_bytechan.c +@@ -136,6 +136,21 @@ static int find_console_handle(void) + return 1; + } + ++static unsigned int local_ev_byte_channel_send(unsigned int handle, ++ unsigned int *count, ++ const char *p) ++{ ++ char buffer[EV_BYTE_CHANNEL_MAX_BYTES]; ++ unsigned int c = *count; ++ ++ if (c < sizeof(buffer)) { ++ memcpy(buffer, p, c); ++ memset(&buffer[c], 0, sizeof(buffer) - c); ++ p = buffer; ++ } ++ return ev_byte_channel_send(handle, count, p); ++} ++ + /*************************** EARLY CONSOLE DRIVER ***************************/ + + #ifdef CONFIG_PPC_EARLY_DEBUG_EHV_BC +@@ -154,7 +169,7 @@ static void byte_channel_spin_send(const + + do { + count = 1; +- ret = ev_byte_channel_send(CONFIG_PPC_EARLY_DEBUG_EHV_BC_HANDLE, ++ ret = local_ev_byte_channel_send(CONFIG_PPC_EARLY_DEBUG_EHV_BC_HANDLE, + &count, &data); + } while (ret == EV_EAGAIN); + } +@@ -221,7 +236,7 @@ static int ehv_bc_console_byte_channel_s + while (count) { + len = min_t(unsigned int, count, EV_BYTE_CHANNEL_MAX_BYTES); + do { +- ret = ev_byte_channel_send(handle, &len, s); ++ ret = local_ev_byte_channel_send(handle, &len, s); + } while (ret == EV_EAGAIN); + count -= len; + s += len; +@@ -401,7 +416,7 @@ static void ehv_bc_tx_dequeue(struct ehv + CIRC_CNT_TO_END(bc->head, bc->tail, BUF_SIZE), + EV_BYTE_CHANNEL_MAX_BYTES); + +- ret = ev_byte_channel_send(bc->handle, &len, bc->buf + bc->tail); ++ ret = local_ev_byte_channel_send(bc->handle, &len, bc->buf + bc->tail); + + /* 'len' is valid only if the return code is 0 or EV_EAGAIN */ + if (!ret || (ret == EV_EAGAIN)) -- 2.47.3