Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.19.112 2020-03-20T10:56:00+00:00 2020-03-20T10:56:00+00:00 Waiman Long longman@redhat.com 2018-11-14T17:55:40+00:00 urn:sha1:a44324b0bdcace26e4fd94489b4eb78232df0e4d commit ef1491e791308317bb9851a0ad380c4a68b58d54 upstream. The following commit: 9dbbedaa6171 ("efi: Make efi_rts_work accessible to efi page fault handler") converted 'efi_rts_work' from an auto variable to a global variable. However, when submitting the work, INIT_WORK_ONSTACK() was still used, causing the following complaint from debugobjects: ODEBUG: object 00000000ed27b500 is NOT on stack 00000000c7d38760, but annotated. Change the macro to just INIT_WORK() to eliminate the warning. Signed-off-by: Waiman Long <longman@redhat.com> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Acked-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-efi@vger.kernel.org Fixes: 9dbbedaa6171 ("efi: Make efi_rts_work accessible to efi page fault handler") Link: http://lkml.kernel.org/r/20181114175544.12860-2-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar <mingo@kernel.org> Cc: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-03-18T06:14:25+00:00 Vladis Dronov vdronov@redhat.com 2020-03-08T08:08:55+00:00 urn:sha1:d47aae069e8fd17b1f21042699ae63518e38cac9 commit d6c066fda90d578aacdf19771a027ed484a79825 upstream. Add a sanity check to efivar_store_raw() the same way efivar_{attr,size,data}_read() and efivar_show_raw() have it. Signed-off-by: Vladis Dronov <vdronov@redhat.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Ingo Molnar <mingo@kernel.org> Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20200305084041.24053-3-vdronov@redhat.com Link: https://lore.kernel.org/r/20200308080859.21568-25-ardb@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-03-18T06:14:21+00:00 Sai Praneeth sai.praneeth.prakhya@intel.com 2018-09-11T19:15:21+00:00 urn:sha1:53afdba2c35e6c4a9e5e2e05cf94e72d7ab51660 commit 9dbbedaa6171247c4c7c40b83f05b200a117c2e0 upstream. After the kernel has booted, if any accesses by firmware causes a page fault, the efi page fault handler would freeze efi_rts_wq and schedules a new process. To do this, the efi page fault handler needs efi_rts_work. Hence, make it accessible. There will be no race conditions in accessing this structure, because all the calls to efi runtime services are already serialized. Tested-by: Bhupesh Sharma <bhsharma@redhat.com> Suggested-by: Matt Fleming <matt@codeblueprint.co.uk> Based-on-code-from: Ricardo Neri <ricardo.neri@intel.com> Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Fixes: 3eb420e70d87 (“efi: Use a work queue to invoke EFI Runtime Services”) Signed-off-by: Wen Yang <wenyang@linux.alibaba.com> Cc: Caspar Zhang <caspar@linux.alibaba.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-03-18T06:14:21+00:00 Vladis Dronov vdronov@redhat.com 2020-03-08T08:08:54+00:00 urn:sha1:86896c1c578521b3a96c1178fafe7cdad858248c commit 286d3250c9d6437340203fb64938bea344729a0e upstream. There is a race and a buffer overflow corrupting a kernel memory while reading an EFI variable with a size more than 1024 bytes via the older sysfs method. This happens because accessing struct efi_variable in efivar_{attr,size,data}_read() and friends is not protected from a concurrent access leading to a kernel memory corruption and, at best, to a crash. The race scenario is the following: CPU0: CPU1: efivar_attr_read() var->DataSize = 1024; efivar_entry_get(... &var->DataSize) down_interruptible(&efivars_lock) efivar_attr_read() // same EFI var var->DataSize = 1024; efivar_entry_get(... &var->DataSize) down_interruptible(&efivars_lock) virt_efi_get_variable() // returns EFI_BUFFER_TOO_SMALL but // var->DataSize is set to a real // var size more than 1024 bytes up(&efivars_lock) virt_efi_get_variable() // called with var->DataSize set // to a real var size, returns // successfully and overwrites // a 1024-bytes kernel buffer up(&efivars_lock) This can be reproduced by concurrent reading of an EFI variable which size is more than 1024 bytes: ts# for cpu in $(seq 0 $(nproc --ignore=1)); do ( taskset -c $cpu \ cat /sys/firmware/efi/vars/KEKDefault*/size & ) ; done Fix this by using a local variable for a var's data buffer size so it does not get overwritten. Fixes: e14ab23dde12b80d ("efivars: efivar_entry API") Reported-by: Bob Sanders <bob.sanders@hpe.com> and the LTP testsuite Signed-off-by: Vladis Dronov <vdronov@redhat.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Ingo Molnar <mingo@kernel.org> Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20200305084041.24053-2-vdronov@redhat.com Link: https://lore.kernel.org/r/20200308080859.21568-24-ardb@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-01-27T13:51:19+00:00 Jean Delvare jdelvare@suse.de 2019-10-14T19:41:24+00:00 urn:sha1:b79d380017d1d23b1b07c860a1adc1360a1fcb09 [ Upstream commit 81dde26de9c08bb04c4962a15608778aaffb3cf9 ] Before reading the Extended Size field, we should ensure it fits in the DMI record. There is already a record length check but it does not cover that field. It would take a seriously corrupted DMI table to hit that bug, so no need to worry, but we should still fix it. Signed-off-by: Jean Delvare <jdelvare@suse.de> Fixes: 6deae96b42eb ("firmware, DMI: Add function to look up a handle and return DIMM size") Cc: Tony Luck <tony.luck@intel.com> Cc: Borislav Petkov <bp@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-01-27T13:50:54+00:00 Peng Fan peng.fan@nxp.com 2019-05-22T10:15:21+00:00 urn:sha1:9a0e3a1d2ab6e6d5776e50b8408a80bd076e9ec0 [ Upstream commit c0759b9b5d411ab27c479125cee9bae391a96436 ] The boolean rate_discrete needs to be assigned to clk->rate_discrete, so that clock driver can distinguish between the continuous range and discrete rates. It uses this in scmi_clk_round_rate could get the rounded value if it's a continuous range. Fixes: 5f6c6430e904 ("firmware: arm_scmi: add initial support for clock protocol") Signed-off-by: Peng Fan <peng.fan@nxp.com> [sudeep.holla: updated commit message] Signed-off-by: Sudeep Holla <sudeep.holla@arm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-01-27T13:50:54+00:00 Sudeep Holla sudeep.holla@arm.com 2019-05-14T16:10:31+00:00 urn:sha1:5277e3150780dd4d3272c73fe5300fa17b7163d9 [ Upstream commit 430daaf96ad133be5ce7c3a5c60e94247f7c6f71 ] As per the SCMI specification the bitfields for SENSOR_DESC attributes are as follows: attributes_low [7:0] Number of trip points supported attributes_high [15:11] The power-of-10 multiplier in 2's-complement format that is applied to the sensor units Looks like the code developed during the draft versions of the specification slipped through and are wrong with respect to final released version. Fix them by adjusting the bitfields appropriately. Fixes: 5179c523c1ea ("firmware: arm_scmi: add initial support for sensor protocol") Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> Signed-off-by: Sudeep Holla <sudeep.holla@arm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-01-27T13:50:38+00:00 Steven Price steven.price@arm.com 2019-03-25T17:37:22+00:00 urn:sha1:7851256f4d6b50807960c2f6681641a90ca7d66a [ Upstream commit fa7fe29a645b4da08efe8ff2392898b88f9ded9f ] of_parse_phandle_with_args() requires the caller to call of_node_put() on the returned args->np pointer. Otherwise the reference count will remain incremented. However, in this case, since we don't actually use the returned pointer, we can simply pass in NULL. Fixes: aa4f886f3893f ("firmware: arm_scmi: add basic driver infrastructure for SCMI") Signed-off-by: Steven Price <steven.price@arm.com> Signed-off-by: Sudeep Holla <sudeep.holla@arm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-01-27T13:49:55+00:00 Stephen Boyd swboyd@chromium.org 2018-08-15T20:37:03+00:00 urn:sha1:23e39ad3cac7b01dcbfe4da8f3347db076774373 [ Upstream commit 09ed061a4f56d50758851ca3997510f27115f81b ] Now that the /firmware/coreboot node in DT is populated by the core DT platform code with commit 3aa0582fdb82 ("of: platform: populate /firmware/ node from of_platform_default_populate_init()") we should and can remove the platform device creation here. Otherwise, the of_platform_device_create() call will fail, the coreboot of driver won't be registered, and this driver will never bind. At the same time, we should move this driver to use MODULE_DEVICE_TABLE so that module auto-load works properly when the coreboot device is auto-populated and we should drop the of_node handling that was presumably placed here to hold a reference to the DT node created during module init that no longer happens. Cc: Wei-Ning Huang <wnhuang@chromium.org> Cc: Julius Werner <jwerner@chromium.org> Reviewed-by: Brian Norris <briannorris@chromium.org> Cc: Samuel Holland <samuel@sholland.org> Reviewed-by: Sudeep Holla <Sudeep.Holla@arm.com> Fixes: 3aa0582fdb82 ("of: platform: populate /firmware/ node from of_platform_default_populate_init()") Signed-off-by: Stephen Boyd <swboyd@chromium.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-01-27T13:49:51+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2020-01-23T09:47:03+00:00 urn:sha1:0a19f053484ec66454f39ead0e77235541343a01 This reverts commit 3e6b472f474accf757e107919f8ee42e7315ac0d which is commit ef1491e791308317bb9851a0ad380c4a68b58d54 upstream. Chris reports that this commit has problems and should not have been backported to 4.19.y Reported-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: Waiman Long <longman@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-efi@vger.kernel.org Cc: Ingo Molnar <mingo@kernel.org> Cc: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>