The header flag XLF_CAN_BE_LOADED_ABOVE_4G will inform us whether
allocations above 4 GiB for kernel, command line, etc are permitted,
so we take it into account when calling efi_allocate_pages() etc.
However, CONFIG_EFI_STUB implies CONFIG_RELOCATABLE, and so the flag
is guaranteed to be set on x86_64 builds, whereas i386 builds are
guaranteed to run under firmware that will not allocate above 4 GB
in the first place.
So drop the check, and just pass ULONG_MAX as the upper bound for
all allocations.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20200303225054.28741-1-ardb@kernel.org
Link: https://lore.kernel.org/r/20200308080859.21568-27-ardb@kernel.org
drivers/firmware/efi/libstub/Makefile builds a static library, which
is not linked into the main vmlinux target in the ordinary way [arm64],
or at all [ARM, x86].
Since commit:
7f2084fa55 ("[kbuild] handle exports in lib-y objects reliably")
any Makefile using lib-y generates lib-ksyms.o which is linked into vmlinux.
In this case, the following garbage object is linked into vmlinux.
drivers/firmware/efi/libstub/lib-ksyms.o
We do not want to follow the default linking rules for static libraries
built under libstub/ so using subdir-y instead of obj-y is the correct
way to descend into this directory.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
[ardb: update commit log to clarify that arm64 deviates in this respect]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20200305055047.6097-1-masahiroy@kernel.org
Link: https://lore.kernel.org/r/20200308080859.21568-23-ardb@kernel.org
Commit:
3a6b6c6fb2 ("efi: Make EFI_MEMORY_ATTRIBUTES_TABLE initialization common across all architectures")
moved the call to efi_memattr_init() from ARM specific to the generic
EFI init code, in order to be able to apply the restricted permissions
described in that table on x86 as well.
We never enabled this feature fully on i386, and so mapping and
reserving this table is pointless. However, due to the early call to
memblock_reserve(), the memory bookkeeping gets confused to the point
where it produces the splat below when we try to map the memory later
on:
------------[ cut here ]------------
ioremap on RAM at 0x3f251000 - 0x3fa1afff
WARNING: CPU: 0 PID: 0 at arch/x86/mm/ioremap.c:166 __ioremap_caller ...
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.20.0 #48
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
EIP: __ioremap_caller.constprop.0+0x249/0x260
Code: 90 0f b7 05 4e 38 40 de 09 45 e0 e9 09 ff ff ff 90 8d 45 ec c6 05 ...
EAX: 00000029 EBX: 00000000 ECX: de59c228 EDX: 00000001
ESI: 3f250fff EDI: 00000000 EBP: de3edf20 ESP: de3edee0
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00200296
CR0: 80050033 CR2: ffd17000 CR3: 1e58c000 CR4: 00040690
Call Trace:
ioremap_cache+0xd/0x10
? old_map_region+0x72/0x9d
old_map_region+0x72/0x9d
efi_map_region+0x8/0xa
efi_enter_virtual_mode+0x260/0x43b
start_kernel+0x329/0x3aa
i386_start_kernel+0xa7/0xab
startup_32_smp+0x164/0x168
---[ end trace e15ccf6b9f356833 ]---
Let's work around this by disregarding the memory attributes table
altogether on i386, which does not result in a loss of functionality
or protection, given that we never consumed the contents.
Fixes: 3a6b6c6fb2 ("efi: Make EFI_MEMORY_ATTRIBUTES_TABLE ... ")
Tested-by: Arvind Sankar <nivedita@alum.mit.edu>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20200304165917.5893-1-ardb@kernel.org
Link: https://lore.kernel.org/r/20200308080859.21568-21-ardb@kernel.org
The following commit:
223e3ee56f ("efi/x86: add headroom to decompressor BSS to account for setup block")
added headroom to the PE image to account for the setup block, which
wasn't used for the decompression buffer.
Now that the decompression buffer is located at the start of the image,
and includes the setup block, this is no longer required.
Add a check to make sure that the head section of the compressed kernel
won't overwrite itself while relocating. This is only for
future-proofing as with current limits on the setup and the actual size
of the head section, this can never happen.
Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20200303221205.4048668-5-nivedita@alum.mit.edu
Link: https://lore.kernel.org/r/20200308080859.21568-19-ardb@kernel.org
Even though it is uncommon, there are cases where the Exit() EFI boot
service might return, e.g., when we were booted via the EFI handover
protocol from OVMF and the kernel image was specified on the command
line, in which case Exit() attempts to terminate the boot manager,
which is not an EFI application itself.
So let's drop into an infinite loop instead of randomly executing code
that isn't expecting it.
Tested-by: Nathan Chancellor <natechancellor@gmail.com> # build
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
[ardb: put 'hlt' in deadloop]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20200303080648.21427-1-ardb@kernel.org
Link: https://lore.kernel.org/r/20200308080859.21568-15-ardb@kernel.org
code32_start is meant for 16-bit real-mode bootloaders to inform the
kernel where the 32-bit protected mode code starts. Nothing in the
protected mode kernel except the EFI stub uses it.
efi_main() currently returns boot_params, with code32_start set inside it
to tell efi_stub_entry() where startup_32 is located. Since it was invoked
by efi_stub_entry() in the first place, boot_params is already known.
Return the address of startup_32 instead.
This will allow a 64-bit kernel to live above 4Gb, for example, and it's
cleaner as well.
Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20200301230436.2246909-5-nivedita@alum.mit.edu
Link: https://lore.kernel.org/r/20200308080859.21568-13-ardb@kernel.org
There is a race and a buffer overflow corrupting a kernel memory while
reading an EFI variable with a size more than 1024 bytes via the older
sysfs method. This happens because accessing struct efi_variable in
efivar_{attr,size,data}_read() and friends is not protected from
a concurrent access leading to a kernel memory corruption and, at best,
to a crash. The race scenario is the following:
CPU0: CPU1:
efivar_attr_read()
var->DataSize = 1024;
efivar_entry_get(... &var->DataSize)
down_interruptible(&efivars_lock)
efivar_attr_read() // same EFI var
var->DataSize = 1024;
efivar_entry_get(... &var->DataSize)
down_interruptible(&efivars_lock)
virt_efi_get_variable()
// returns EFI_BUFFER_TOO_SMALL but
// var->DataSize is set to a real
// var size more than 1024 bytes
up(&efivars_lock)
virt_efi_get_variable()
// called with var->DataSize set
// to a real var size, returns
// successfully and overwrites
// a 1024-bytes kernel buffer
up(&efivars_lock)
This can be reproduced by concurrent reading of an EFI variable which size
is more than 1024 bytes:
ts# for cpu in $(seq 0 $(nproc --ignore=1)); do ( taskset -c $cpu \
cat /sys/firmware/efi/vars/KEKDefault*/size & ) ; done
Fix this by using a local variable for a var's data buffer size so it
does not get overwritten.
Fixes: e14ab23dde ("efivars: efivar_entry API")
Reported-by: Bob Sanders <bob.sanders@hpe.com> and the LTP testsuite
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200305084041.24053-2-vdronov@redhat.com
Link: https://lore.kernel.org/r/20200308080859.21568-24-ardb@kernel.org
More EFI updates for v5.7
- Incorporate a stable branch with the EFI pieces of Hans's work on
loading device firmware from EFI boot service memory regions
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Pull rdma fixes from Jason Gunthorpe:
"Nothing particularly exciting, some small ODP regressions from the mmu
notifier rework, another bunch of syzkaller fixes, and a bug fix for a
botched syzkaller fix in the first rc pull request.
- Fix busted syzkaller fix in 'get_new_pps' - this turned out to
crash on certain HW configurations
- Bug fixes for various missed things in error unwinds
- Add a missing rcu_read_lock annotation in hfi/qib
- Fix two ODP related regressions from the recent mmu notifier
changes
- Several more syzkaller bugs in siw, RDMA netlink, verbs and iwcm
- Revert an old patch in CMA as it is now shown to not be allocating
port numbers properly"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
RDMA/iwcm: Fix iwcm work deallocation
RDMA/siw: Fix failure handling during device creation
RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing
RDMA/odp: Ensure the mm is still alive before creating an implicit child
RDMA/core: Fix protection fault in ib_mr_pool_destroy
IB/mlx5: Fix implicit ODP race
IB/hfi1, qib: Ensure RCU is locked when accessing list
RDMA/core: Fix pkey and port assignment in get_new_pps
RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
RDMA/rw: Fix error flow during RDMA context initialization
RDMA/core: Fix use of logical OR in get_new_pps
Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow"
Pull io_uring fixes from Jens Axboe:
"Here are a few io_uring fixes that should go into this release. This
contains:
- Removal of (now) unused io_wq_flush() and associated flag (Pavel)
- Fix cancelation lockup with linked timeouts (Pavel)
- Fix for potential use-after-free when freeing percpu ref for fixed
file sets
- io-wq cancelation fixups (Pavel)"
* tag 'io_uring-5.6-2020-03-07' of git://git.kernel.dk/linux-block:
io_uring: fix lockup with timeouts
io_uring: free fixed_file_data after RCU grace period
io-wq: remove io_wq_flush and IO_WQ_WORK_INTERNAL
io-wq: fix IO_WQ_WORK_NO_CANCEL cancellation
Pull block fixes from Jens Axboe:
"Here are a few fixes that should go into this release. This contains:
- Revert of a bad bcache patch from this merge window
- Removed unused function (Daniel)
- Fixup for the blktrace fix from Jan from this release (Cengiz)
- Fix of deeper level bfqq overwrite in BFQ (Carlo)"
* tag 'block-5.6-2020-03-07' of git://git.kernel.dk/linux-block:
block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group()
blktrace: fix dereference after null check
Revert "bcache: ignore pending signals when creating gc and allocator thread"
block: Remove used kblockd_schedule_work_on()
Pull media fixes from Mauro Carvalho Chehab:
- a fix for the media controller links in both hantro driver and in
v4l2-mem2mem core
- some fixes for the pulse8-cec driver
- vicodec: handle alpha channel for RGB32 formats, as it may be used
- mc-entity.c: fix handling of pad flags
* tag 'media/v5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
media: hantro: Fix broken media controller links
media: mc-entity.c: use & to check pad flags, not ==
media: v4l2-mem2mem.c: fix broken links
media: vicodec: process all 4 components for RGB32 formats
media: pulse8-cec: close serio in disconnect, not adap_free
media: pulse8-cec: INIT_DELAYED_WORK was called too late
There is a recipe to deadlock the kernel: submit a timeout sqe with a
linked_timeout (e.g. test_single_link_timeout_ception() from liburing),
and SIGKILL the process.
Then, io_kill_timeouts() takes @ctx->completion_lock, but the timeout
isn't flagged with REQ_F_COMP_LOCKED, and will try to double grab it
during io_put_free() to cancel the linked timeout. Probably, the same
can happen with another io_kill_timeout() call site, that is
io_commit_cqring().
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Pull s390 fixes from Vasily Gorbik:
- Fix panic in gup_fast on large pud by providing an implementation of
pud_write. This has been overlooked during migration to common gup
code.
- Fix unexpected write combining on PCI stores.
* tag 's390-5.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/pci: Fix unexpected write combine on resource
s390/mm: fix panic in gup_fast on large pud
Pull powerpc fixes from Michael Ellerman:
"Some more powerpc fixes for 5.6:
- One fix for a recent regression to our breakpoint/watchpoint code.
- Another fix for our KUAP support, this time a missing annotation in
a rarely used path in signal handling.
- A fix for our handling of a CPU feature that effects the PMU, when
booting guests in some configurations.
- A minor fix to our linker script to explicitly include the .BTF
section.
Thanks to: Christophe Leroy, Desnes A. Nunes do Rosario, Leonardo
Bras, Naveen N. Rao, Ravi Bangoria, Stefan Berger"
* tag 'powerpc-5.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
powerpc/mm: Fix missing KUAP disable in flush_coherent_icache()
powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems
powerpc: Include .BTF section
powerpc/watchpoint: Don't call dar_within_range() for Book3S
Pull xen fixes from Juergen Gross:
"Four fixes and a small cleanup patch:
- two fixes by Dongli Zhang fixing races in the xenbus driver
- two fixes by me fixing issues introduced in 5.6
- a small cleanup by Gustavo Silva replacing a zero-length array with
a flexible-array"
* tag 'for-linus-5.6b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
xen/blkfront: fix ring info addressing
xen/xenbus: fix locking
xenbus: req->err should be updated before req->state
xenbus: req->body should be updated before req->state
xen: Replace zero-length array with flexible-array member
Pull thread fixes from Christian Brauner:
"Here are a few hopefully uncontroversial fixes:
- Use RCU_INIT_POINTER() when initializing rcu protected members in
task_struct to fix sparse warnings.
- Add pidfd_fdinfo_test binary to .gitignore file"
* tag 'for-linus-2020-03-07' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux:
selftests: pidfd: Add pidfd_fdinfo_test in .gitignore
exit: Fix Sparse errors and warnings
fork: Use RCU_INIT_POINTER() instead of rcu_access_pointer()
Pull sound fixes from Takashi Iwai:
"The regular "bump-in-the-middle" updates, containing mostly ASoC-
related fixes at this time. All changes are reasonably small.
A few entries are for ASoC and ALSA core parts (DAPM, PCM, topology)
for followups of the recent changes and potential buffer overflow by
snprintf(), while the rest are (both new and old) device-specific
fixes for Intel, meson, tas2562, rt1015, as well as the usual HD-audio
quirks"
* tag 'sound-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (25 commits)
ALSA: sgio2audio: Remove usage of dropped hw_params/hw_free functions
ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294
ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master
ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1
ALSA: hda/realtek - Add Headset Mic supported
ASoC: wm8741: Fix typo in Kconfig prompt
ASoC: stm32: sai: manage rebind issue
ASoC: SOF: Fix snd_sof_ipc_stream_posn()
ASoC: rt1015: modify pre-divider for sysclk
ASoC: rt1015: add operation callback function for rt1015_dai[]
ASoC: soc-component: tidyup snd_soc_pcm_component_sync_stop()
ASoC: dapm: Correct DAPM handling of active widgets during shutdown
ASoC: tas2562: Fix sample rate error message
ASoC: Intel: Skylake: Fix available clock counter incrementation
ASoC: soc-pcm/soc-compress: don't use snd_soc_dapm_stream_stop()
ASoC: meson: g12a: add tohdmitx reset
ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
ASoC: soc-core: fix for_rtd_codec_dai_rollback() macro
ASoC: topology: Fix memleak in soc_tplg_manifest_load()
ASoC: topology: Fix memleak in soc_tplg_link_elems_load()
...
ASoC: Fixes for v5.6
More fixes that have arrived since the merge window, spread out all
over. There's a few things like the operation callback addition for
rt1015 and the meson reset addition which add small new bits of
functionality to fix non-working systems, they're all very small and for
parts of newly added functionality.
Pull kselftest update from Shuah Khan:
"This consists of a cleanup patch to undo changes to global .gitignore
that added selftests/lkdtm objects and add them to a local
selftests/lkdtm/.gitignore.
Summary of Linus's comments on local vs. global gitignore scope:
- Keep local gitignore patterns in local files.
- Put only global gitignore patterns in the top-level gitignore file.
Local scope keeps things much better separated. It also incidentally
means that if a directory gets renamed, the gitignore file continues
to work unless in the case of renaming the actual files themselves
that are named in the gitignore"
* tag 'linux-kselftest-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
selftest/lkdtm: Use local .gitignore
Pull RISC-V fixes from Palmer Dabbelt:
"This contains a handful of fixes that I would like to target for 5.6:
- A pair of fixes to module loading, which we hope solve the last of
the issues with module text being loaded too sparsely for our call
relocations.
- A Kconfig fix that disallows selecting memory models not supported
by NOMMU.
- A series of Kconfig updates to ease selecting the drivers necessary
to run on QEMU's virt platform.
- DTS updates for SiFive's HiFive Unleashed.
- A fix to our seccomp support that avoids mangling restartable
syscalls"
* tag 'riscv-for-linus-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
riscv: fix seccomp reject syscall code path
riscv: dts: Add GPIO reboot method to HiFive Unleashed DTS file
RISC-V: Select Goldfish RTC driver for QEMU virt machine
RISC-V: Select SYSCON Reboot and Poweroff for QEMU virt machine
RISC-V: Enable QEMU virt machine support in defconfigs
RISC-V: Add kconfig option for QEMU virt machine
riscv: Fix range looking for kernel image memblock
riscv: Force flat memory model with no-mmu
riscv: Change code model of module to medany to improve data accessing
riscv: avoid the PIC offset of static percpu data in module beyond 2G limits
Pull devicetree fixes from Rob Herring:
"Another batch of DT fixes. I think this should be the last of it, but
sending pull requests seems to cause people to send more fixes.
Summary:
- Fixes for warnings introduced by hierarchical PSCI binding changes
- Fixes for broken doc references due to DT schema conversions
- Several grammar and typo fixes
- Fix a bunch of dtc warnings in examples"
* tag 'devicetree-fixes-for-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
dt-bindings: arm: Fixup the DT bindings for hierarchical PSCI states
dt-bindings: power: Extend nodename pattern for power-domain providers
MAINTAINERS: update ALLWINNER CPUFREQ DRIVER entry
dt-bindings: bus: Drop empty compatible string in example
dt-bindings: power: Convert domain-idle-states bindings to json-schema
dt-bindings: arm: Fix cpu compatibles in the hierarchical example for PSCI
dt-bindings: arm: Correct links to idle states definitions
dt-bindings: mfd: Fix typo in file name of twl-familly.txt
dt-bindings: mfd: tps65910: Improve grammar
dt-bindings: mfd: zii,rave-sp: Fix a typo ("onborad")
dt-bindings: arm: fsl: fix APF6Dev compatible
dt-bindings: Fix dtc warnings in examples
docs: dt: fix several broken doc references
docs: dt: fix several broken references due to renames
MAINTAINERS: clean up PCIE DRIVER FOR CAVIUM THUNDERX
Pull vgacon fix from Daniel Vetter:
"One vgacon input check for stable"
* tag 'drm-fixes-2020-03-06-1' of git://anongit.freedesktop.org/drm/drm:
vgacon: Fix a UAF in vgacon_invert_region
Pull btrfs fix from David Sterba:
"One fixup for DIO when in use with the new checksums, a missed case
where the checksum size was still assuming u32"
* tag 'for-5.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
btrfs: fix RAID direct I/O reads with alternate csums
Pull file locking fixes from Jeff Layton:
"Just a couple of late-breaking patches for the file locking code. The
second patch (from yangerkun) fixes a rather nasty looking potential
use-after-free that should go to stable.
The other patch could technically wait for 5.7, but it's fairly
innocuous so I figured we might as well take it"
* tag 'filelock-v5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux:
locks: fix a potential use-after-free problem when wakeup a waiter
fcntl: Distribute switch variables for initialization
Pull spi fixes from Mark Brown:
"A selection of small fixes, mostly for drivers, that have arrived
since the merge window. None of them are earth shattering in
themselves but all useful for affected systems"
* tag 'spi-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: spi_register_controller(): free bus id on error paths
spi: bcm63xx-hsspi: Really keep pll clk enabled
spi: atmel-quadspi: fix possible MMIO window size overrun
spi/zynqmp: remove entry that causes a cs glitch
spi: pxa2xx: Add CS control clock quirk
spi: spidev: Fix CS polarity if GPIO descriptors are used
spi: qup: call spi_qup_pm_resume_runtime before suspending
spi: spi-omap2-mcspi: Support probe deferral for DMA channels
spi: spi-omap2-mcspi: Handle DMA size restriction on AM65x
Pull regulator fixes from Mark Brown:
"A couple of small fixes, one for a minor issue in the stm32-vrefbuf
driver and a documentation fix in the Qualcomm code"
* tag 'regulator-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling
regulator: qcom_spmi: Fix docs for PM8004
Pull hwmon fixes from Guenter Roeck:
"Fix an error return in the adt7462 driver, bad voltage limits reported
by the xdpe12284 driver, and a broken documentation reference in the
adm1177 driver documentation"
* tag 'hwmon-for-v5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
hwmon: (pmbus/xdpe12284) Add callback for vout limits conversion
docs: adm1177: fix a broken reference
Pull arm64 fixes from Will Deacon:
"Here are another three arm64 fixes for 5.6, all pretty minor. Main
thing is fixing a silly bug in the fsl_imx8_ddr PMU driver where we
would zero the counters when disabling them.
- Fix misreporting of ASID limit when KPTI is enabled
- Fix busted NULL pointer checks for GICC structure in ACPI PMU code
- Avoid nobbling the "fsl_imx8_ddr" PMU counters when disabling them"
* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
arm64: context: Fix ASID limit in boot messages
drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer
drivers/perf: fsl_imx8_ddr: Correct the CLEAR bit definition
When syzkaller tests, there is a UAF:
BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
ffff880000100000
Read of size 2 by task syz-executor.1/16489
page:ffffea0000004000 count:0 mapcount:-127 mapping: (null)
index:0x0
page flags: 0xfffff00000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
Call Trace:
[<ffffffffb119f309>] dump_stack+0x1e/0x20
[<ffffffffb04af957>] kasan_report+0x577/0x950
[<ffffffffb04ae652>] __asan_load2+0x62/0x80
[<ffffffffb090f26d>] vgacon_invert_region+0x9d/0x110
[<ffffffffb0a39d95>] invert_screen+0xe5/0x470
[<ffffffffb0a21dcb>] set_selection+0x44b/0x12f0
[<ffffffffb0a3bfae>] tioclinux+0xee/0x490
[<ffffffffb0a1d114>] vt_ioctl+0xff4/0x2670
[<ffffffffb0a0089a>] tty_ioctl+0x46a/0x1a10
[<ffffffffb052db3d>] do_vfs_ioctl+0x5bd/0xc40
[<ffffffffb052e2f2>] SyS_ioctl+0x132/0x170
[<ffffffffb11c9b1b>] system_call_fastpath+0x22/0x27
Memory state around the buggy address:
ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00
ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
>ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff
It can be reproduce in the linux mainline by the program:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <linux/vt.h>
struct tiocl_selection {
unsigned short xs; /* X start */
unsigned short ys; /* Y start */
unsigned short xe; /* X end */
unsigned short ye; /* Y end */
unsigned short sel_mode; /* selection mode */
};
#define TIOCL_SETSEL 2
struct tiocl {
unsigned char type;
unsigned char pad;
struct tiocl_selection sel;
};
int main()
{
int fd = 0;
const char *dev = "/dev/char/4:1";
struct vt_consize v = {0};
struct tiocl tioc = {0};
fd = open(dev, O_RDWR, 0);
v.v_rows = 3346;
ioctl(fd, VT_RESIZEX, &v);
tioc.type = TIOCL_SETSEL;
ioctl(fd, TIOCLINUX, &tioc);
return 0;
}
When resize the screen, update the 'vc->vc_size_row' to the new_row_size,
but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
the offset, it maybe larger than the vga_vram_size in vgacon driver, then
bad access.
Also, if set an larger screenbuf firstly, then set an more larger
screenbuf, when copy old_origin to new_origin, a bad access may happen.
So, If the screen size larger than vga_vram, resize screen should be
failed. This alse fix CVE-2020-8649 and CVE-2020-8647.
Linus pointed out that overflow checking seems absent. We're saved by
the existing bounds checks in vc_do_resize() with rather strict
limits:
if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
return -EINVAL;
Fixes: 0aec4867dc ("[PATCH] SVGATextMode fix")
Reference: CVE-2020-8647 and CVE-2020-8649
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[danvet: augment commit message to point out overflow safety]
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
The hierarchical topology with power-domain should be described through
child nodes, rather than as currently described in the PSCI root node. Fix
this by adding a patternProperties with a corresponding reference to the
power-domain DT binding.
Additionally, update the example to conform to the new pattern, but also to
the adjusted domain-idle-state DT binding.
Fixes: a3f048b542 ("dt: psci: Update DT bindings to support hierarchical PSCI states")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[robh: Add missing allOf, tweak power-domain node name]
Signed-off-by: Rob Herring <robh@kernel.org>
The existing binding requires the nodename to have a '@', which is a bit
limiting for the wider use case. Therefore, let's extend the pattern to
allow either '@' or '-'.
Fixes: a3f048b542 ("dt: psci: Update DT bindings to support hierarchical PSCI states")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[robh: drop example change]
Signed-off-by: Rob Herring <robh@kernel.org>
The percpu refcount protects this structure, and we can have an atomic
switch in progress when exiting. This makes it unsafe to just free the
struct normally, and can trigger the following KASAN warning:
BUG: KASAN: use-after-free in percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
Read of size 1 at addr ffff888181a19a30 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc4+ #5747
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
<IRQ>
dump_stack+0x76/0xa0
print_address_description.constprop.0+0x3b/0x60
? percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
? percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
__kasan_report.cold+0x1a/0x3d
? percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
percpu_ref_switch_to_atomic_rcu+0xfa/0x1b0
rcu_core+0x370/0x830
? percpu_ref_exit+0x50/0x50
? rcu_note_context_switch+0x7b0/0x7b0
? run_rebalance_domains+0x11d/0x140
__do_softirq+0x10a/0x3e9
irq_exit+0xd5/0xe0
smp_apic_timer_interrupt+0x86/0x200
apic_timer_interrupt+0xf/0x20
</IRQ>
RIP: 0010:default_idle+0x26/0x1f0
Fix this by punting the final exit and free of the struct to RCU, then
we know that it's safe to do so. Jann suggested the approach of using a
double rcu callback to achieve this. It's important that we do a nested
call_rcu() callback, as otherwise the free could be ordered before the
atomic switch, even if the latter was already queued.
Reported-by: syzbot+e017e49c39ab484ac87a@syzkaller.appspotmail.com
Suggested-by: Jann Horn <jannh@google.com>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
