From: Nikolai Merinov n.merinov@inango-systems.com
mainline inclusion from mainline-5.7-rc1 commit d5528d5e91041e68e8eab9792ce627705a0ed273 category: bugfix bugzilla: 32454 CVE: NA ---------------------------
The GUID partition entry is defined to have a partition name of 36 UTF-16LE code units. This means that on big-endian platforms ASCII symbols would be read with a 0xXX00 efi_char16_t character code. In order to correctly extract ASCII characters from the partition name field, each code unit should be converted from UTF-16LE to the CPU's byte order.
The problem exists on all big endian platforms.
[ mingo: Minor edits. ]
Fixes: eec7ecfede74 ("genhd, efi: add efi partition metadata to hd_structs") Reviewed-by: Christoph Hellwig hch@lst.de Signed-off-by: Nikolai Merinov n.merinov@inango-systems.com Signed-off-by: Ard Biesheuvel ardb@kernel.org Signed-off-by: Ingo Molnar mingo@kernel.org Link: https://lore.kernel.org/r/20200308080859.21568-29-ardb@kernel.org Link: https://lore.kernel.org/r/797777312.1324734.1582544319435.JavaMail.zimbra@in... Signed-off-by: yangerkun yangerkun@huawei.com Reviewed-by: Yufen Yu yuyufen@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- block/partitions/efi.c | 35 ++++++++++++++++++++++++++--------- block/partitions/efi.h | 2 +- 2 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/block/partitions/efi.c b/block/partitions/efi.c
index 39f70d968754..b9beaa0a9b36 100644
--- a/block/partitions/efi.c
+++ b/block/partitions/efi.c
@@ -670,6 +670,31 @@ static int find_valid_gpt(struct parsed_partitions *state, gpt_header **gpt,
 return 0;
 }
+/**
+ * utf16_le_to_7bit(): Naively converts a UTF-16LE string to 7-bit ASCII characters
+ * @in: input UTF-16LE string
+ * @size: size of the input string
+ * @out: output string ptr, should be capable to store @size+1 characters
+ *
+ * Description: Converts @size UTF16-LE symbols from @in string to 7-bit
+ * ASCII characters and stores them to @out. Adds trailing zero to @out array.
+ */
+static void utf16_le_to_7bit(const __le16 *in, unsigned int size, u8 *out)
+{
+ unsigned int i = 0;
+
+ out[size] = 0;
+
+ while (i < size) {
+ u8 c = le16_to_cpu(in[i]) & 0xff;
+
+ if (c && !isprint(c))
+ c = '!';
+ out[i] = c;
+ i++;
+ }
+}
+
 /**
 * efi_partition(struct parsed_partitions *state)
 * @state: disk parsed partitions
@@ -706,7 +731,6 @@ int efi_partition(struct parsed_partitions *state)
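Review bot: `utf16_le_to_7bit()` keeps only the low byte of each code unit (`le16_to_cpu(in[i]) & 0xff`), so a name read from the disk that contains non-ASCII code units is folded onto unrelated printable characters instead of being replaced; U+0141, for example, comes out as `A`. The output is also not guaranteed to be 7-bit, because the kernel's `isprint()` appears to treat most of the 0xa1–0xff range as printable. The label comes from on-disk metadata and is presumably exposed to userspace as the partition name, so testing the full value would be safer: `u16 w = le16_to_cpu(in[i]);` followed by `u8 c = (w > 0x7f) ? '!' : w;` ahead of the existing `isprint()` check. This behaviour predates the patch and is only moved into the helper here, so the change may belong in a follow-up rather than in this backport.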
 for (i = 0; i < le32_to_cpu(gpt->num_partition_entries) && i < state->limit-1; i++) {
 struct partition_meta_info *info;
- unsigned label_count = 0;
 unsigned label_max;
 u64 start = le64_to_cpu(ptes[i].starting_lba);
 u64 size = le64_to_cpu(ptes[i].ending_lba) -
@@ -727,14 +751,7 @@ int efi_partition(struct parsed_partitions *state)
 /* Naively convert UTF16-LE to 7 bits. */
 label_max = min(ARRAY_SIZE(info->volname) - 1,
 ARRAY_SIZE(ptes[i].partition_name));
- info->volname[label_max] = 0;
- while (label_count < label_max) {
- u8 c = ptes[i].partition_name[label_count] & 0xff;
- if (c && !isprint(c))
- c = '!';
- info->volname[label_count] = c;
- label_count++;
- }
+ utf16_le_to_7bit(ptes[i].partition_name, label_max, info->volname);
 state->parts[i + 1].has_info = true;
 }
 kfree(ptes);
diff --git a/block/partitions/efi.h b/block/partitions/efi.h
index abd0b19288a6..42db2513ecfa 100644
--- a/block/partitions/efi.h
+++ b/block/partitions/efi.h
@@ -102,7 +102,7 @@ typedef struct _gpt_entry {
 __le64 starting_lba;
 __le64 ending_lba;
 gpt_entry_attributes attributes;
- efi_char16_t partition_name[72 / sizeof (efi_char16_t)];
+ __le16 partition_name[72/sizeof(__le16)];
 } __packed gpt_entry;
typedef struct _gpt_mbr_record {
From: Hanjun Guo guohanjun@huawei.com
hulk inclusion category: bugfix bugzilla: NA CVE: NA
----------------------------------------
With check_early_ioremap_leak(), we got warning:
[ 2.599829] ------------[ cut here ]------------ [ 2.604436] Debug warning: early ioremap leak of 1 areas detected. [ 2.604436] please boot with early_ioremap_debug and report the dmesg. [ 2.617135] WARNING: CPU: 0 PID: 1 at mm/early_ioremap.c:99 check_early_ioremap_leak+0x4c/0x60 [ 2.625731] Modules linked in: [ 2.628775] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.90+ #32 [ 2.634941] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019 [ 2.643451] pstate: 60c00009 (nZCv daif +PAN +UAO) [ 2.648229] pc : check_early_ioremap_leak+0x4c/0x60 [ 2.653093] lr : check_early_ioremap_leak+0x4c/0x60 [ 2.657956] sp : ffff00008222fd90 [ 2.661257] x29: ffff00008222fd90 x28: ffff000080f41070 [ 2.666555] x27: ffff000080e507b0 x26: ffff000081480000 [ 2.671854] x25: 0000000000000008 x24: 0000000000000007 [ 2.677152] x23: ffff000080e3ae58 x22: ffff000081480000 [ 2.682450] x21: 0000000000000000 x20: ffff000080e811b0 [ 2.687748] x19: ffff0000812f3000 x18: ffffffffffffffff [ 2.693046] x17: 000000008c2a0cd7 x16: 00000000e2c72cdd [ 2.698344] x15: ffff0000812f3708 x14: 00017 [ 2.724834] x5 : 000000000000000f x4 : 0000000000000000 [ 2.730132] x3 : 0000000000000000 x2 : ffffffffffffffff [ 2.735430] x1 : 612b3b9664d69500 x0 : 0000000000000000 [ 2.740729] Call trace: [ 2.743163] check_early_ioremap_leak+0x4c/0x60 [ 2.747681] do_one_initcall+0x54/0x200 [ 2.751504] kernel_init_freeable+0x2a0/0x34c [ 2.755849] kernel_init+0x18/0x118 [ 2.759324] ret_from_fork+0x10/0x18 [ 2.762887] ---[ end trace a57e2a42868dc894 ]---
adding early_ioremap_debug=1 in boot cmdline,
[ 0.000000] ------------[ cut here ]------------ [ 0.000000] __early_ioremap(396f0000, 00010000) [1] => 00000000 + ffff7fdffe620000 [ 0.000000] WARNING: CPU: 0 PID: 0 at mm/early_ioremap.c:162 __early_ioremap+0x18c/0x1c8 [ 0.000000] Modules linked in: [ 0.000000] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 4.19.90+ #31 [ 0.000000] pstate: 60000089 (nZCv daIf -PAN -UAO) [ 0.000000] pc : __early_ioremap+0x18c/0x1c8 [ 0.000000] lr : __early_ioremap+0x18c/0x1c8 [ 0.000000] sp : ffff0000812afc00 [ 0.000000] x29: ffff0000812afc00 x28: ffff000080f2c878 [ 0.000000] x27: 0000000000000000 x26: 0000000000000001 [ 0.000000] x25: 0068000000000713 x24: 00000000396e0000 [ 0.000000] x23: 0000000000000001 x22: 0000000000000000 [ 0.000000] x21: 0000000000010000 x20: 00000000396f0000 [ 0.000000] x19: ffff000080f2c000 x18: ffffffffffffffff [ 0.000000] x17: 0000000000000000 x16: 0000000000000000 [ 0.000000] x15: ffff0000812d3708 x14: 3030323665666664 [ 0.000000] x13: 663766666666202b x12: 2030303030303030 [ 0.000000] x11: 30203e3d205d315b x10: 2029303030303130 [ 0.000000] x9 : 3030202c30303030 x8 : 0000000000001181 [ 0.000000] x7 : 65726f695f796c72 x6 : ffff0000814ec9ed [ 0.000000] x5 : 0000000000000000 x4 : 0000000000000000 [ 0.000000] x3 : 0000000000000000 x2 : ffffffffffffffff [ 0.000000] x1 : ed48fa59d999c400 x0 : 0000000000000000 [ 0.000000] Call trace: [ 0.000000] __early_ioremap+0x18c/0x1c8 [ 0.000000] early_memremap+0x7c/0x88 [ 0.000000] __acpi_map_table+0x2c/0x40 [ 0.000000] acpi_os_map_iomem+0x134/0x208 [ 0.000000] acpi_os_map_memory+0x28/0x38 [ 0.000000] acpi_tb_acquire_table+0x58/0x8c [ 0.000000] acpi_tb_validate_table+0x34/0x58 [ 0.000000] acpi_tb_get_table+0x4c/0x90 [ 0.000000] acpi_get_table+0x94/0xc4 [ 0.000000] acpi_table_parse_entries_array+0x98/0x224 [ 0.000000] acpi_table_parse_entries+0x70/0x98 [ 0.000000] acpi_table_parse_madt+0x40/0x50 [ 0.000000] __acpi_probe_device_table+0x90/0xf0 [ 0.000000] irqchip_init+0x38/0x40 [ 0.000000] init_IRQ+0x10c/0x140 [ 0.000000] 
start_kernel+0x35c/0x4fc [ 0.000000] ---[ end trace f68728a0d3053bc0 ]---
It turns out that we missed the acpi_put_table() call after getting the table; fix it.
Reported-by: Chao Gao gaochao24@huawei.com Signed-off-by: Hanjun Guo guohanjun@huawei.com Reviewed-by: Xiongfeng Wang wangxiongfeng2@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/irqchip/irq-gic-v3.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c
index 99cc646819f5..7bf14acdcd28 100644
--- a/drivers/irqchip/irq-gic-v3.c
+++ b/drivers/irqchip/irq-gic-v3.c
@@ -940,6 +940,8 @@ static void gic_check_hisi_workaround(void)
 break;
 }
 }
+
+ acpi_put_table(tbl);
 }
static void gic_compute_nr_gicr(void)
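Review bot: The added `acpi_put_table(tbl)` sits at the only exit visible in this hunk, but the hunk shows just the tail of `gic_check_hisi_workaround()`, so it cannot be confirmed from here that the failure path of `acpi_get_table()` returns before it and that nothing reads `tbl` afterwards. A short comment on the new line would keep the pairing intact under later edits, for example `/* Pairs with acpi_get_table() above; tbl must not be used after this. */`. The same applies to the matching additions at the end of `pl011_check_hisi_workaround()` and `cppc_check_hisi_workaround()` in the later patches on this page.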
From: Hanjun Guo guohanjun@huawei.com
hulk inclusion category: bugfix bugzilla: NA CVE: NA
----------------------------------------
acpi_get_table() should be coupled with acpi_put_table(), or it will lead to a memory leak; fix the leak by calling acpi_put_table().
Signed-off-by: Hanjun Guo guohanjun@huawei.com Reviewed-by: Xiongfeng Wang wangxiongfeng2@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/tty/serial/amba-pl011.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
index f55e4d9596cb..8d2cffedbe37 100644
--- a/drivers/tty/serial/amba-pl011.c
+++ b/drivers/tty/serial/amba-pl011.c
@@ -1523,6 +1523,8 @@ static void pl011_check_hisi_workaround(void)
 break;
 }
 }
+
+ acpi_put_table(tbl);
 }
#else
From: Hanjun Guo guohanjun@huawei.com
mainline inclusion from mainline-v5.6-rc1 commit c740237937c039c06e9cda32b9a37dde8b0d1e63 category: bugfix bugzilla: NA CVE: NA
--------------------------------
Bail out if we match the OEM information, to save some possible extra iteration.
Also update the code to fix minor coding style issue.
Signed-off-by: Hanjun Guo guohanjun@huawei.com [ rjw: Subject ] Signed-off-by: Rafael J. Wysocki rafael.j.wysocki@intel.com Reviewed-by: Xiongfeng Wang wangxiongfeng2@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/cpufreq/cppc_cpufreq.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c
index 9d4da48a4004..22d98c6db945 100644
--- a/drivers/cpufreq/cppc_cpufreq.c
+++ b/drivers/cpufreq/cppc_cpufreq.c
@@ -43,7 +43,7 @@ static struct cppc_cpudata **all_cpu_data;
 struct cppc_workaround_oem_info {
- char oem_id[ACPI_OEM_ID_SIZE +1];
+ char oem_id[ACPI_OEM_ID_SIZE + 1];
 char oem_table_id[ACPI_OEM_TABLE_ID_SIZE + 1];
 u32 oem_revision;
 };
@@ -97,8 +97,10 @@ static void cppc_check_hisi_workaround(void)
 for (i = 0; i < ARRAY_SIZE(wa_info); i++) {
 if (!memcmp(wa_info[i].oem_id, tbl->oem_id, ACPI_OEM_ID_SIZE) &&
 !memcmp(wa_info[i].oem_table_id, tbl->oem_table_id, ACPI_OEM_TABLE_ID_SIZE) &&
- wa_info[i].oem_revision == tbl->oem_revision)
+ wa_info[i].oem_revision == tbl->oem_revision) {
 apply_hisi_workaround = true;
+ break;
+ }
 }
 }
From: Hanjun Guo guohanjun@huawei.com
mainline inclusion from mainline-v5.6-rc1 commit 80e8b1e59f0399b94a6088bcb9477bd798cc5eba category: bugfix bugzilla: NA CVE: NA
--------------------------------
Put the ACPI table to release the table mapping after using it successfully.
Signed-off-by: Hanjun Guo guohanjun@huawei.com [ rjw: Subject & changelog ] Signed-off-by: Rafael J. Wysocki rafael.j.wysocki@intel.com Reviewed-by: Xiongfeng Wang wangxiongfeng2@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/cpufreq/cppc_cpufreq.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c
index 22d98c6db945..0a245f1caa95 100644
--- a/drivers/cpufreq/cppc_cpufreq.c
+++ b/drivers/cpufreq/cppc_cpufreq.c
@@ -102,6 +102,8 @@ static void cppc_check_hisi_workaround(void)
 break;
 }
 }
+
+ acpi_put_table(tbl);
 }
/* Callback function used to retrieve the max frequency from DMI */