From afbe5b55dca7457576bab41647c568062a24e6ee Mon Sep 17 00:00:00 2001 From: Jonathan Cameron Date: Tue, 22 Oct 2024 11:31:00 +0800 Subject: [PATCH 1/8] ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add() stable inclusion from stable-v4.19.322 commit a30476afbaac69face9537cd8d0694d46d5d1ef5 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a30476afbaac69face9537cd8d0694d46d5d1ef5 -------------------------------- [ Upstream commit fadf231f0a06a6748a7fc4a2c29ac9ef7bca6bfd ] Rafael observed [1] that returning 0 from processor_add() will result in acpi_default_enumeration() being called which will attempt to create a platform device, but that makes little sense when the processor is known to be not available. So just return the error code from acpi_processor_get_info() instead. Link: https://lore.kernel.org/all/CAJZ5v0iKU8ra9jR+EmgxbuNm=Uwx2m1-8vn_RAZ+aCiUVLe3Pw@mail.gmail.com/ [1] Suggested-by: Rafael J. Wysocki Acked-by: Rafael J. Wysocki Reviewed-by: Gavin Shan Signed-off-by: Jonathan Cameron Link: https://lore.kernel.org/r/20240529133446.28446-5-Jonathan.Cameron@huawei.com Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin Signed-off-by: Xiongfeng Wang
---
 drivers/acpi/acpi_processor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
index cfdf7cf6d8f1..8029a733652f 100644
--- a/drivers/acpi/acpi_processor.c
+++ b/drivers/acpi/acpi_processor.c
@@ -391,7 +391,7 @@ static int acpi_processor_add(struct acpi_device *device,

 result = acpi_processor_get_info(device);
 if (result) /* Processor is not physically present or unavailable */
- return 0;
+ return result;

 BUG_ON(pr->id >= nr_cpu_ids);

-- 
Gitee
From 8b36fce474835fd2d7360addde35bbb9d609a0fe Mon Sep 17 00:00:00 2001
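Review bot: The new `return result;` still leaves `pr` and `pr->throttling.shared_cpu_map` allocated, because it exits before the cleanup labels at the end of acpi_processor_add(); this was equally true of the old `return 0;`, and patch 8/8 of this series replaces the line with `goto err_clear_driver_data;` so that they are freed. Until that patch is applied, every processor that acpi_processor_get_info() reports as unavailable leaks its struct, which matters if this series is bisected or only partially backported. The body of acpi_processor_add() begins and ends outside the hunk.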
From: Zqiang Date: Tue, 22 Oct 2024 11:31:01 +0800 Subject: [PATCH 2/8] smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu() stable inclusion from stable-v4.19.322 commit 2d6a7a1ee3862d129c0e0fbd3cc147e185a379dc category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2d6a7a1ee3862d129c0e0fbd3cc147e185a379dc -------------------------------- [ Upstream commit 77aeb1b685f9db73d276bad4bb30d48505a6fd23 ] For CONFIG_DEBUG_OBJECTS_WORK=y kernels sscs.work defined by INIT_WORK_ONSTACK() is initialized by debug_object_init_on_stack() for the debug check in __init_work() to work correctly. But this lacks the counterpart to remove the tracked object from debug objects again, which will cause a debug object warning once the stack is freed. Add the missing destroy_work_on_stack() invocation to cure that. [ tglx: Massaged changelog ] Signed-off-by: Zqiang Signed-off-by: Thomas Gleixner Tested-by: Paul E. McKenney Link: https://lore.kernel.org/r/20240704065213.13559-1-qiang.zhang1211@gmail.com Signed-off-by: Sasha Levin Signed-off-by: Xiongfeng Wang
---
 kernel/smp.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/kernel/smp.c b/kernel/smp.c
index be15d3a57954..826d6905112e 100644
--- a/kernel/smp.c
+++ b/kernel/smp.c
@@ -791,6 +791,7 @@ int smp_call_on_cpu(unsigned int cpu, int (*func)(void *), void *par, bool phys)

 queue_work_on(cpu, system_wq, &sscs.work);
 wait_for_completion(&sscs.done);
+ destroy_work_on_stack(&sscs.work);

 return sscs.ret;
 }
-- 
Gitee
From f32b28c0cf7e43d66f66d958ec48e32120453720 Mon Sep 17 00:00:00 2001
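Review bot: The added `destroy_work_on_stack(&sscs.work);` only covers the path that reaches wait_for_completion(); if smp_call_on_cpu() has any return between INIT_WORK_ONSTACK() and this point (for example a validity check on the target CPU), that path would still leave the debug object registered and raise the same CONFIG_DEBUG_OBJECTS_WORK warning the changelog describes. The start of the function is outside the hunk, so this is worth confirming; any such early return needs the same call before it.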
From: Phil Chang Date: Tue, 22 Oct 2024 11:31:02 +0800 Subject: [PATCH 3/8] hrtimer: Prevent queuing of hrtimer without a function callback stable inclusion from stable-v4.19.321 commit ccef3adcb84816a30b8e535c8c4fcb167904e7b1 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ccef3adcb84816a30b8e535c8c4fcb167904e7b1 -------------------------------- [ Upstream commit 5a830bbce3af16833fe0092dec47b6dd30279825 ] The hrtimer function callback must not be NULL. It has to be specified by the call side but it is not validated by the hrtimer code. When a hrtimer is queued without a function callback, the kernel crashes with a null pointer dereference when trying to execute the callback in __run_hrtimer(). Introduce a validation before queuing the hrtimer in hrtimer_start_range_ns(). [anna-maria: Rephrase commit message] Signed-off-by: Phil Chang Signed-off-by: Anna-Maria Behnsen Signed-off-by: Thomas Gleixner Reviewed-by: Anna-Maria Behnsen Signed-off-by: Sasha Levin Signed-off-by: Xiongfeng Wang
---
 kernel/time/hrtimer.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 8512f06f0ebe..ce8fe5adafb0 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1171,6 +1171,8 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
 struct hrtimer_clock_base *base;
 unsigned long flags;

+ if (WARN_ON_ONCE(!timer->function))
+ return;
 /*
 * Check whether the HRTIMER_MODE_SOFT bit and hrtimer.is_soft
 * match.
-- 
Gitee
From 4e755250116225eb0473bdf483f3bd650aa5a2a7 Mon Sep 17 00:00:00 2001
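Review bot: Style: the new `return;` runs straight into the `/*` of the following comment block with no separating blank line, which makes the NULL-callback guard read as part of the HRTIMER_MODE_SOFT check below it; a blank line after `return;` would match the layout of the surrounding declarations and comment. The guard itself is sound for its purpose: WARN_ON_ONCE() leaves one stack trace for detection and the timer is simply not queued rather than dereferencing a NULL callback later in __run_hrtimer(). hrtimer_start_range_ns() continues outside the hunk.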
From: Haibo Xu Date: Tue, 22 Oct 2024 11:31:03 +0800 Subject: [PATCH 4/8] arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE stable inclusion from stable-v4.19.321 commit 2fbc3c6736cb0a1c2738664bf9381d0c96fb7a06 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2fbc3c6736cb0a1c2738664bf9381d0c96fb7a06 -------------------------------- commit a21dcf0ea8566ebbe011c79d6ed08cdfea771de3 upstream. Currently, only acpi_early_node_map[0] was initialized to NUMA_NO_NODE. To ensure all the values were properly initialized, switch to initialize all of them to NUMA_NO_NODE. Fixes: e18962491696 ("arm64: numa: rework ACPI NUMA initialization") Cc: # 4.19.x Reported-by: Andrew Jones Suggested-by: Andrew Jones Signed-off-by: Haibo Xu Reviewed-by: Anshuman Khandual Reviewed-by: Sunil V L Reviewed-by: Andrew Jones Acked-by: Catalin Marinas Acked-by: Lorenzo Pieralisi Reviewed-by: Hanjun Guo Link: https://lore.kernel.org/r/853d7f74aa243f6f5999e203246f0d1ae92d2b61.1722828421.git.haibo1.xu@intel.com Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman Signed-off-by: Xiongfeng Wang
---
 arch/arm64/kernel/acpi_numa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/acpi_numa.c b/arch/arm64/kernel/acpi_numa.c
index b63705407e5d..fc1ccf2b3b5f 100644
--- a/arch/arm64/kernel/acpi_numa.c
+++ b/arch/arm64/kernel/acpi_numa.c
@@ -28,7 +28,7 @@

 #include

-static int acpi_early_node_map[NR_CPUS] __initdata = { NUMA_NO_NODE };
+static int acpi_early_node_map[NR_CPUS] __initdata = { [0 ... NR_CPUS - 1] = NUMA_NO_NODE };

 int __init acpi_numa_get_nid(unsigned int cpu)
 {
-- 
Gitee
From b4fb4ba1fc690a677359edca85530b6ea1f48ef4 Mon Sep 17 00:00:00 2001
From: Xiongfeng Wang Date: Tue, 22 Oct 2024 11:31:04 +0800 Subject: [PATCH 5/8] Revert "ntp: Avoid undefined behaviour in second_overflow()" hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI CVE: NA -------------------------------- This reverts commit d8df4fe5da0c687788bc2431bfc18b2e7ba3defd. Revert hulk inclusion patch. The next patch will apply the mainline modification. Signed-off-by: Xiongfeng Wang
---
 kernel/time/ntp.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
index 2b728ceb5da5..e1110a7bd3e6 100644
--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -687,8 +687,6 @@ static inline void process_adjtimex_modes(const struct timex *txc, s32 *time_tai

 if (txc->modes & ADJ_MAXERROR)
 time_maxerror = txc->maxerror;
- if (time_maxerror > NTP_PHASE_LIMIT)
- time_maxerror = NTP_PHASE_LIMIT;

 if (txc->modes & ADJ_ESTERROR)
 time_esterror = txc->esterror;
-- 
Gitee
From 98301283207fcd2a29d4b024488b3b52fa2d4476 Mon Sep 17 00:00:00 2001
From: Justin Stitt Date: Tue, 22 Oct 2024 11:31:05 +0800 Subject: [PATCH 6/8] ntp: Clamp maxerror and esterror to operating range stable inclusion from stable-v4.19.320 commit 9dfe2eef1ecfbb1f29e678700247de6010784eb9 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9dfe2eef1ecfbb1f29e678700247de6010784eb9 -------------------------------- [ Upstream commit 87d571d6fb77ec342a985afa8744bb9bb75b3622 ] Using syzkaller alongside the newly reintroduced signed integer overflow sanitizer spits out this report: UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:461:16 9223372036854775807 + 500 cannot be represented in type 'long' Call Trace: handle_overflow+0x171/0x1b0 second_overflow+0x2d6/0x500 accumulate_nsecs_to_secs+0x60/0x160 timekeeping_advance+0x1fe/0x890 update_wall_time+0x10/0x30 time_maxerror is unconditionally incremented and the result is checked against NTP_PHASE_LIMIT, but the increment itself can overflow, resulting in wrap-around to negative space. Before commit eea83d896e31 ("ntp: NTP4 user space bits update") the user supplied value was sanity checked to be in the operating range. That change removed the sanity check and relied on clamping in handle_overflow() which does not work correctly when the user supplied value is in the overflow zone of the '+ 500' operation. The operation requires CAP_SYS_TIME and the side effect of the overflow is NTP getting out of sync. Miroslav confirmed that the input value should be clamped to the operating range and the same applies to time_esterror. The latter is not used by the kernel, but the value still should be in the operating range as it was before the sanity check got removed. Clamp them to the operating range. [ tglx: Changed it to clamping and included time_esterror ] Fixes: eea83d896e31 ("ntp: NTP4 user space bits update") Signed-off-by: Justin Stitt 
Signed-off-by: Thomas Gleixner Cc: Miroslav Lichvar Link: https://lore.kernel.org/all/20240517-b4-sio-ntp-usec-v2-1-d539180f2b79@google.com Closes: https://github.com/KSPP/linux/issues/354 Signed-off-by: Sasha Levin [ cast things to __kernel_long_t to fix compiler warnings - gregkh ] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Xiongfeng Wang
---
 kernel/time/ntp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
index e1110a7bd3e6..b32b42c424e0 100644
--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -686,10 +686,10 @@ static inline void process_adjtimex_modes(const struct timex *txc, s32 *time_tai
 }

 if (txc->modes & ADJ_MAXERROR)
- time_maxerror = txc->maxerror;
+ time_maxerror = clamp(txc->maxerror, (__kernel_long_t)0, (__kernel_long_t)NTP_PHASE_LIMIT);

 if (txc->modes & ADJ_ESTERROR)
- time_esterror = txc->esterror;
+ time_esterror = clamp(txc->esterror, (__kernel_long_t)0, (__kernel_long_t)NTP_PHASE_LIMIT);

 if (txc->modes & ADJ_TIMECONST) {
 time_constant = txc->constant;
-- 
Gitee
From 19cc2285d67d37fe2e28177578ecd68798e8ff32 Mon Sep 17 00:00:00 2001
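Review bot: The two clamp() lines encode an invariant that is only explained in the changelog: second_overflow() later adds to `time_maxerror`, so an unclamped user value near the top of the type overflows there even though this code path already requires CAP_SYS_TIME. A short comment above the ADJ_MAXERROR branch would keep that reasoning next to the code, e.g. `/* Clamp to the operating range: second_overflow() increments time_maxerror and would otherwise overflow for huge values */`. The same two limits are spelled out twice with `(__kernel_long_t)` casts; a single named bound would avoid the repetition. process_adjtimex_modes() begins and ends outside the hunk.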
From: Justin Stitt Date: Tue, 22 Oct 2024 11:31:06 +0800 Subject: [PATCH 7/8] ntp: Safeguard against time_constant overflow stable inclusion from stable-v4.19.320 commit a13f8b269b6f4c9371ab149ecb65d2edb52e9669 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a13f8b269b6f4c9371ab149ecb65d2edb52e9669 -------------------------------- commit 06c03c8edce333b9ad9c6b207d93d3a5ae7c10c0 upstream. Using syzkaller with the recently reintroduced signed integer overflow sanitizer produces this UBSAN report: UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:738:18 9223372036854775806 + 4 cannot be represented in type 'long' Call Trace: handle_overflow+0x171/0x1b0 __do_adjtimex+0x1236/0x1440 do_adjtimex+0x2be/0x740 The user supplied time_constant value is incremented by four and then clamped to the operating range. Before commit eea83d896e31 ("ntp: NTP4 user space bits update") the user supplied value was sanity checked to be in the operating range. That change removed the sanity check and relied on clamping after incrementing which does not work correctly when the user supplied value is in the overflow zone of the '+ 4' operation. The operation requires CAP_SYS_TIME and the side effect of the overflow is NTP getting out of sync. Similar to the fixups for time_maxerror and time_esterror, clamp the user space supplied value to the operating range. [ tglx: Switch to clamping ] Fixes: eea83d896e31 ("ntp: NTP4 user space bits update") Signed-off-by: Justin Stitt Signed-off-by: Thomas Gleixner Cc: Miroslav Lichvar Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20240517-b4-sio-ntp-c-v2-1-f3a80096f36f@google.com Closes: https://github.com/KSPP/linux/issues/352 Signed-off-by: Greg Kroah-Hartman Signed-off-by: Xiongfeng Wang --- kernel/time/ntp.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
index b32b42c424e0..58aba0a3484d 100644
--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -692,11 +692,10 @@ static inline void process_adjtimex_modes(const struct timex *txc, s32 *time_tai
 time_esterror = clamp(txc->esterror, (__kernel_long_t)0, (__kernel_long_t)NTP_PHASE_LIMIT);

 if (txc->modes & ADJ_TIMECONST) {
- time_constant = txc->constant;
+ time_constant = clamp(txc->constant, (__kernel_long_t)0, (__kernel_long_t)MAXTC);
 if (!(time_status & STA_NANO))
 time_constant += 4;
- time_constant = min(time_constant, (long)MAXTC);
- time_constant = max(time_constant, 0l);
+ time_constant = clamp(time_constant, (long)0, (long)MAXTC);
 }

 if (txc->modes & ADJ_TAI &&
-- 
Gitee
From 1d271d7c3ead90117caed30ef113628a43125ca0 Mon Sep 17 00:00:00 2001 From: Jonathan Cameron Date: Tue, 22 Oct 2024 11:31:07 +0800 Subject: [PATCH 8/8] ACPI: processor: Fix memory leaks in error paths of processor_add() stable inclusion from stable-v4.19.322 commit 00259ae5206a713234e3ac12a8a0f731e86b754b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=00259ae5206a713234e3ac12a8a0f731e86b754b -------------------------------- [ Upstream commit 47ec9b417ed9b6b8ec2a941cd84d9de62adc358a ] If acpi_processor_get_info() returned an error, pr and the associated pr->throttling.shared_cpu_map were leaked. The unwind code was in the wrong order wrt to setup, relying on some unwind actions having no affect (clearing variables that were never set etc). That makes it harder to reason about so reorder and add appropriate labels to only undo what was actually set up in the first place. Acked-by: Rafael J. Wysocki Reviewed-by: Gavin Shan Signed-off-by: Jonathan Cameron Link: https://lore.kernel.org/r/20240529133446.28446-6-Jonathan.Cameron@huawei.com Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin
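Review bot: The two clamp() calls in the ADJ_TIMECONST block bound the same destination, `time_constant`, but spell the limits with different cast types, `(__kernel_long_t)MAXTC` on the user value and `(long)MAXTC` on the result, which hides that the first clamp exists only so the `+= 4` cannot overflow and the second re-bounds after the increment. Using one type for both, or a local bound such as `const long max_tc = MAXTC;`, would make the pairing obvious. A one-line comment above the first assignment, e.g. `/* Clamp before the +4 so the increment cannot overflow */`, would preserve the reasoning from the changelog in the code. process_adjtimex_modes() begins and ends outside the hunk.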
Signed-off-by: Xiongfeng Wang
---
 drivers/acpi/acpi_processor.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
index 8029a733652f..fa5dc338a65a 100644
--- a/drivers/acpi/acpi_processor.c
+++ b/drivers/acpi/acpi_processor.c
@@ -391,7 +391,7 @@ static int acpi_processor_add(struct acpi_device *device,

 result = acpi_processor_get_info(device);
 if (result) /* Processor is not physically present or unavailable */
- return result;
+ goto err_clear_driver_data;

 BUG_ON(pr->id >= nr_cpu_ids);

@@ -406,7 +406,7 @@ static int acpi_processor_add(struct acpi_device *device,
 "BIOS reported wrong ACPI id %d for the processor\n",
 pr->id);
 /* Give up, but do not abort the namespace scan. */
- goto err;
+ goto err_clear_driver_data;
 }
 /*
 * processor_device_array is not cleared on errors to allow buggy BIOS
@@ -418,12 +418,12 @@ static int acpi_processor_add(struct acpi_device *device,
 dev = get_cpu_device(pr->id);
 if (!dev) {
 result = -ENODEV;
- goto err;
+ goto err_clear_per_cpu;
 }

 result = acpi_bind_one(dev, device);
 if (result)
- goto err;
+ goto err_clear_per_cpu;

 pr->dev = dev;

@@ -434,10 +434,11 @@ static int acpi_processor_add(struct acpi_device *device,
 dev_err(dev, "Processor driver could not be attached\n");
 acpi_unbind_one(dev);

- err:
- free_cpumask_var(pr->throttling.shared_cpu_map);
- device->driver_data = NULL;
+ err_clear_per_cpu:
 per_cpu(processors, pr->id) = NULL;
+ err_clear_driver_data:
+ device->driver_data = NULL;
+ free_cpumask_var(pr->throttling.shared_cpu_map);
 err_free_pr:
 kfree(pr);
 return result;
-- 
Gitee
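Review bot: The relabelled unwind in the last hunk is ordered correctly but leaves the reader to work out why the BIOS-wrong-id path in the second hunk jumps to `err_clear_driver_data` rather than `err_clear_per_cpu`; presumably per_cpu(processors, pr->id) is assigned only after that check (outside the hunk), so clearing it there would touch an entry this device does not own. A comment above the label block, e.g. `/* Unwind in reverse order of setup; each error path jumps to the label matching how far setup got. */`, would record that intent and discourage a future `goto` to the wrong label. acpi_processor_add() begins outside the hunks.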