From fbe0a5bd8ac5ef4833277ef453e6b2dd42f53a46 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 10 May 2021 11:00:39 +0200
Subject: [PATCH] 5.11-stable patches
added patches:
lib-vsprintf.c-remove-leftover-f-and-f-cases-from-bstr_printf.patch
thermal-core-fair-share-lock-the-thermal-zone-while-looping-over-instances.patch
thermal-drivers-cpufreq_cooling-fix-slab-oob-issue.patch
---
 ...tover-f-and-f-cases-from-bstr_printf.patch | 48 +++++++++++++++
 queue-5.11/series | 3 +
 ...al-zone-while-looping-over-instances.patch | 42 +++++++++++++
 ...s-cpufreq_cooling-fix-slab-oob-issue.patch | 60 +++++++++++++++++++
 4 files changed, 153 insertions(+)
 create mode 100644 queue-5.11/lib-vsprintf.c-remove-leftover-f-and-f-cases-from-bstr_printf.patch
 create mode 100644 queue-5.11/thermal-core-fair-share-lock-the-thermal-zone-while-looping-over-instances.patch
 create mode 100644 queue-5.11/thermal-drivers-cpufreq_cooling-fix-slab-oob-issue.patch
diff --git a/queue-5.11/lib-vsprintf.c-remove-leftover-f-and-f-cases-from-bstr_printf.patch b/queue-5.11/lib-vsprintf.c-remove-leftover-f-and-f-cases-from-bstr_printf.patch
new file mode 100644
index 00000000000..901679f077b
--- /dev/null
+++ b/queue-5.11/lib-vsprintf.c-remove-leftover-f-and-f-cases-from-bstr_printf.patch
@@ -0,0 +1,48 @@
+From 84696cfaf4d90945eb2a8302edc6cf627db56b84 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes
+Date: Fri, 23 Apr 2021 11:45:29 +0200
+Subject: lib/vsprintf.c: remove leftover 'f' and 'F' cases from bstr_printf()
+
+From: Rasmus Villemoes
+
+commit 84696cfaf4d90945eb2a8302edc6cf627db56b84 upstream.
+
+Commit 9af7706492f9 ("lib/vsprintf: Remove support for %pF and %pf in
+favour of %pS and %ps") removed support for %pF and %pf, and correctly
+removed the handling of those cases in vbin_printf(). However, the
+corresponding cases in bstr_printf() were left behind.
+
+In the same series, %pf was re-purposed for dealing with
+fwnodes (3bd32d6a2ee6, "lib/vsprintf: Add %pfw conversion specifier
+for printing fwnode names").
+
+So should anyone use %pf with the binary printf routines,
+vbin_printf() would (correctly, as it involves dereferencing the
+pointer) do the string formatting to the u32 array, but bstr_printf()
+would not copy the string from the u32 array, but instead interpret
+the first sizeof(void*) bytes of the formatted string as a pointer -
+which generally won't end well (also, all subsequent get_args would be
+out of sync).
+
+Fixes: 9af7706492f9 ("lib/vsprintf: Remove support for %pF and %pf in favour of %pS and %ps")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rasmus Villemoes
+Reviewed-by: Sakari Ailus
+Signed-off-by: Petr Mladek
+Link: https://lore.kernel.org/r/20210423094529.1862521-1-linux@rasmusvillemoes.dk
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/vsprintf.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -3103,8 +3103,6 @@ int bstr_printf(char *buf, size_t size,
+ switch (*fmt) {
+ case 'S':
+ case 's':
+- case 'F':
+- case 'f':
+ case 'x':
+ case 'K':
+ case 'e':
diff --git a/queue-5.11/series b/queue-5.11/series
index b946a2d797c..be5de460f93 100644
--- a/queue-5.11/series
+++ b/queue-5.11/series
@@ -337,3 +337,6 @@ dm-space-map-common-fix-division-bug-in-sm_ll_find_free_block.patch
 dm-integrity-fix-missing-goto-in-bitmap_flush_interval-error-handling.patch
 dm-rq-fix-double-free-of-blk_mq_tag_set-in-dev-remove-after-table-load-fails.patch
 pinctrl-ingenic-add-support-for-read-the-pin-configuration-of-x1830.patch
+lib-vsprintf.c-remove-leftover-f-and-f-cases-from-bstr_printf.patch
+thermal-drivers-cpufreq_cooling-fix-slab-oob-issue.patch
+thermal-core-fair-share-lock-the-thermal-zone-while-looping-over-instances.patch
diff --git a/queue-5.11/thermal-core-fair-share-lock-the-thermal-zone-while-looping-over-instances.patch b/queue-5.11/thermal-core-fair-share-lock-the-thermal-zone-while-looping-over-instances.patch
new file mode 100644
index 00000000000..6676f6d5d4f
--- /dev/null
+++ b/queue-5.11/thermal-core-fair-share-lock-the-thermal-zone-while-looping-over-instances.patch
@@ -0,0 +1,42 @@
+From fef05776eb02238dcad8d5514e666a42572c3f32 Mon Sep 17 00:00:00 2001
+From: Lukasz Luba
+Date: Thu, 22 Apr 2021 16:36:22 +0100
+Subject: thermal/core/fair share: Lock the thermal zone while looping over instances
+
+From: Lukasz Luba
+
+commit fef05776eb02238dcad8d5514e666a42572c3f32 upstream.
+
+The tz->lock must be hold during the looping over the instances in that
+thermal zone. This lock was missing in the governor code since the
+beginning, so it's hard to point into a particular commit.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Lukasz Luba
+Signed-off-by: Daniel Lezcano
+Link: https://lore.kernel.org/r/20210422153624.6074-2-lukasz.luba@arm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thermal/gov_fair_share.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/thermal/gov_fair_share.c
++++ b/drivers/thermal/gov_fair_share.c
+@@ -82,6 +82,8 @@ static int fair_share_throttle(struct th
+ int total_instance = 0;
+ int cur_trip_level = get_trip_level(tz);
+
++ mutex_lock(&tz->lock);
++
+ list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
+ if (instance->trip != trip)
+ continue;
+@@ -110,6 +112,8 @@ static int fair_share_throttle(struct th
+ mutex_unlock(&instance->cdev->lock);
+ thermal_cdev_update(cdev);
+ }
++
++ mutex_unlock(&tz->lock);
+ return 0;
+ }
+
diff --git a/queue-5.11/thermal-drivers-cpufreq_cooling-fix-slab-oob-issue.patch b/queue-5.11/thermal-drivers-cpufreq_cooling-fix-slab-oob-issue.patch
new file mode 100644
index 00000000000..f38187c5a61
--- /dev/null
+++ b/queue-5.11/thermal-drivers-cpufreq_cooling-fix-slab-oob-issue.patch
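Review bot: In the `fair_share_throttle()` hunk of the gov_fair_share patch, `get_trip_level(tz)` is still evaluated in the declaration `int cur_trip_level = get_trip_level(tz);`, which runs before the added `mutex_lock(&tz->lock)`. get_trip_level() is not shown here, but if it reads zone state that tz->lock is meant to protect, the level used inside the locked loops can be stale; consider declaring `int cur_trip_level;` and assigning `cur_trip_level = get_trip_level(tz);` right after the lock is taken. The second inner hunk shows `instance->cdev->lock` being released while tz->lock is still held, so a short comment at the lock site such as `/* lock order: tz->lock, then cdev->lock */` would document the nesting for later readers. The body between the two inner hunks is not visible, so any early return there would also need the matching unlock.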
@@ -0,0 +1,60 @@
+From 34ab17cc6c2c1ac93d7e5d53bb972df9a968f085 Mon Sep 17 00:00:00 2001
+From: brian-sy yang
+Date: Tue, 29 Dec 2020 13:08:31 +0800
+Subject: thermal/drivers/cpufreq_cooling: Fix slab OOB issue
+
+From: brian-sy yang
+
+commit 34ab17cc6c2c1ac93d7e5d53bb972df9a968f085 upstream.
+
+Slab OOB issue is scanned by KASAN in cpu_power_to_freq().
+If power is limited below the power of OPP0 in EM table,
+it will cause slab out-of-bound issue with negative array
+index.
+
+Return the lowest frequency if limited power cannot found
+a suitable OPP in EM table to fix this issue.
+
+Backtrace:
+[] die+0x104/0x5ac
+[] bug_handler+0x64/0xd0
+[] brk_handler+0x160/0x258
+[] do_debug_exception+0x248/0x3f0
+[] el1_dbg+0x14/0xbc
+[] __kasan_report+0x1dc/0x1e0
+[] kasan_report+0x10/0x20
+[] __asan_report_load8_noabort+0x18/0x28
+[] cpufreq_power2state+0x180/0x43c
+[] power_actor_set_power+0x114/0x1d4
+[] allocate_power+0xaec/0xde0
+[] power_allocator_throttle+0x3ec/0x5a4
+[] handle_thermal_trip+0x160/0x294
+[] thermal_zone_device_check+0xe4/0x154
+[] process_one_work+0x5e4/0xe28
+[] worker_thread+0xa4c/0xfac
+[] kthread+0x33c/0x358
+[] ret_from_fork+0xc/0x18
+
+Fixes: 371a3bc79c11b ("thermal/drivers/cpufreq_cooling: Fix wrong frequency converted from power")
+Signed-off-by: brian-sy yang
+Signed-off-by: Michael Kao
+Reviewed-by: Lukasz Luba
+Cc: stable@vger.kernel.org #v5.7
+Signed-off-by: Daniel Lezcano
+Link: https://lore.kernel.org/r/20201229050831.19493-1-michael.kao@mediatek.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thermal/cpufreq_cooling.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/thermal/cpufreq_cooling.c
++++ b/drivers/thermal/cpufreq_cooling.c
+@@ -123,7 +123,7 @@ static u32 cpu_power_to_freq(struct cpuf
+ {
+ int i;
+
+- for (i = cpufreq_cdev->max_level; i >= 0; i--) {
++ for (i = cpufreq_cdev->max_level; i > 0; i--) {
+ if (power >= cpufreq_cdev->em->table[i].power)
+ break;
+ }
-- 2.47.3
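Review bot: The new loop bound `i > 0` in `cpu_power_to_freq()` reads like an off-by-one unless the reader knows it is deliberate, so it deserves a comment above the `for`, for example `/* Stop at 1: when power is below table[0].power, i ends at 0 and the lowest OPP is used, never table[-1]. */`. With this fallback the function hands back a frequency whose table power is higher than the requested `power`, and nothing in the hunk tells the caller that the budget could not be met; whether callers need that signal cannot be judged from here. The statement that consumes `i` after the loop lies outside the hunk, so the claim that index 0 is the lowest OPP rests on the commit message rather than on visible code.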