author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-29 15:35:42 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-29 15:35:42 +0100 |
commit | 21eb4072e67e107e56eaac35c686a0f91c077049 (patch) | |
tree | fab2e20350126885682d53863f2acc7813bf625f | |
parent | 4fb194dbfa9a2c871216f19028d5335f4759e754 (diff) | |
download | queue-3.18-21eb4072e67e107e56eaac35c686a0f91c077049.tar.gz |
drop patches already applied
22 files changed, 0 insertions, 1260 deletions
diff --git a/alsa-pcm-oss-avoid-potential-buffer-overflows.patch b/alsa-pcm-oss-avoid-potential-buffer-overflows.patch
deleted file mode 100644
index 2156367..0000000
--- a/alsa-pcm-oss-avoid-potential-buffer-overflows.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 4cc8d6505ab82db3357613d36e6c58a297f57f7c Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Wed, 4 Dec 2019 15:48:24 +0100
-Subject: ALSA: pcm: oss: Avoid potential buffer overflows
-
-From: Takashi Iwai <tiwai@suse.de>
-
-commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.
-
-syzkaller reported an invalid access in PCM OSS read, and this seems
-to be an overflow of the internal buffer allocated for a plugin.
-Since the rate plugin adjusts its transfer size dynamically, the
-calculation for the chained plugin might be bigger than the given
-buffer size in some extreme cases, which lead to such an buffer
-overflow as caught by KASAN.
-
-Fix it by limiting the max transfer size properly by checking against
-the destination size in each plugin transfer callback.
-
-Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
-Cc: <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- sound/core/oss/linear.c | 2 ++
- sound/core/oss/mulaw.c | 2 ++
- sound/core/oss/route.c | 2 ++
- 3 files changed, 6 insertions(+)
-
---- a/sound/core/oss/linear.c
-+++ b/sound/core/oss/linear.c
-@@ -107,6 +107,8 @@ static snd_pcm_sframes_t linear_transfer
- }
- }
- #endif
-+ if (frames > dst_channels[0].frames)
-+ frames = dst_channels[0].frames;
- convert(plugin, src_channels, dst_channels, frames);
- return frames;
- }
---- a/sound/core/oss/mulaw.c
-+++ b/sound/core/oss/mulaw.c
-@@ -269,6 +269,8 @@ static snd_pcm_sframes_t mulaw_transfer(
- }
- }
- #endif
-+ if (frames > dst_channels[0].frames)
-+ frames = dst_channels[0].frames;
- data = (struct mulaw_priv *)plugin->extra_data;
- data->func(plugin, src_channels, dst_channels, frames);
- return frames;
---- a/sound/core/oss/route.c
-+++ b/sound/core/oss/route.c
-@@ -57,6 +57,8 @@ static snd_pcm_sframes_t route_transfer(
- return -ENXIO;
- if (frames == 0)
- return 0;
-+ if (frames > dst_channels[0].frames)
-+ frames = dst_channels[0].frames;
-
- nsrcs = plugin->src_format.channels;
- ndsts = plugin->dst_format.channels;
diff --git a/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch b/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
deleted file mode 100644
index 223116b..0000000
--- a/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From 9804501fa1228048857910a6bf23e085aade37cc Mon Sep 17 00:00:00 2001
-From: YueHaibing <yuehaibing@huawei.com>
-Date: Thu, 14 Mar 2019 13:47:59 +0800
-Subject: appletalk: Fix potential NULL pointer dereference in unregister_snap_client
-
-From: YueHaibing <yuehaibing@huawei.com>
-
-commit 9804501fa1228048857910a6bf23e085aade37cc upstream.
-
-register_snap_client may return NULL, all the callers
-check it, but only print a warning. This will result in
-NULL pointer dereference in unregister_snap_client and other
-places.
-
-It has always been used like this since v2.6
-
-Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: YueHaibing <yuehaibing@huawei.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-[bwh: Backported to <4.15: adjust context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- include/linux/atalk.h | 2 +-
- net/appletalk/aarp.c | 15 ++++++++++++---
- net/appletalk/ddp.c | 20 ++++++++++++--------
- 3 files changed, 25 insertions(+), 12 deletions(-)
-
---- a/include/linux/atalk.h
-+++ b/include/linux/atalk.h
-@@ -107,7 +107,7 @@ static __inline__ struct elapaarp *aarp_
- #define AARP_RESOLVE_TIME (10 * HZ)
-
- extern struct datalink_proto *ddp_dl, *aarp_dl;
--extern void aarp_proto_init(void);
-+extern int aarp_proto_init(void);
-
- /* Inter module exports */
-
---- a/net/appletalk/aarp.c
-+++ b/net/appletalk/aarp.c
-@@ -879,15 +879,24 @@ static struct notifier_block aarp_notifi
-
- static unsigned char aarp_snap_id[] = { 0x00, 0x00, 0x00, 0x80, 0xF3 };
-
--void __init aarp_proto_init(void)
-+int __init aarp_proto_init(void)
- {
-+ int rc;
-+
- aarp_dl = register_snap_client(aarp_snap_id, aarp_rcv);
-- if (!aarp_dl)
-+ if (!aarp_dl) {
- printk(KERN_CRIT "Unable to register AARP with SNAP.\n");
-+ return -ENOMEM;
-+ }
- setup_timer(&aarp_timer, aarp_expire_timeout, 0);
- aarp_timer.expires = jiffies + sysctl_aarp_expiry_time;
- add_timer(&aarp_timer);
-- register_netdevice_notifier(&aarp_notifier);
-+ rc = register_netdevice_notifier(&aarp_notifier);
-+ if (rc) {
-+ del_timer_sync(&aarp_timer);
-+ unregister_snap_client(aarp_dl);
-+ }
-+ return rc;
- }
-
- /* Remove the AARP entries associated with a device. */
---- a/net/appletalk/ddp.c
-+++ b/net/appletalk/ddp.c
-@@ -1912,9 +1912,6 @@ static unsigned char ddp_snap_id[] = { 0
- EXPORT_SYMBOL(atrtr_get_dev);
- EXPORT_SYMBOL(atalk_find_dev_addr);
-
--static const char atalk_err_snap[] __initconst =
-- KERN_CRIT "Unable to register DDP with SNAP.\n";
--
- /* Called by proto.c on kernel start up */
- static int __init atalk_init(void)
- {
-@@ -1929,17 +1926,22 @@ static int __init atalk_init(void)
- goto out_proto;
-
- ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
-- if (!ddp_dl)
-- printk(atalk_err_snap);
-+ if (!ddp_dl) {
-+ pr_crit("Unable to register DDP with SNAP.\n");
-+ goto out_sock;
-+ }
-
- dev_add_pack(<alk_packet_type);
- dev_add_pack(&ppptalk_packet_type);
-
- rc = register_netdevice_notifier(&ddp_notifier);
- if (rc)
-- goto out_sock;
-+ goto out_snap;
-+
-+ rc = aarp_proto_init();
-+ if (rc)
-+ goto out_dev;
-
-- aarp_proto_init();
- rc = atalk_proc_init();
- if (rc)
- goto out_aarp;
-@@ -1953,11 +1955,13 @@ out_proc:
- atalk_proc_exit();
- out_aarp:
- aarp_cleanup_module();
-+out_dev:
- unregister_netdevice_notifier(&ddp_notifier);
--out_sock:
-+out_snap:
- dev_remove_pack(&ppptalk_packet_type);
- dev_remove_pack(<alk_packet_type);
- unregister_snap_client(ddp_dl);
-+out_sock:
- sock_unregister(PF_APPLETALK);
- out_proto:
- proto_unregister(&ddp_proto);
diff --git a/appletalk-set-error-code-if-register_snap_client-failed.patch b/appletalk-set-error-code-if-register_snap_client-failed.patch
deleted file mode 100644
index 9256e73..0000000
--- a/appletalk-set-error-code-if-register_snap_client-failed.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From c93ad1337ad06a718890a89cdd85188ff9a5a5cc Mon Sep 17 00:00:00 2001
-From: YueHaibing <yuehaibing@huawei.com>
-Date: Tue, 30 Apr 2019 19:34:08 +0800
-Subject: appletalk: Set error code if register_snap_client failed
-
-From: YueHaibing <yuehaibing@huawei.com>
-
-commit c93ad1337ad06a718890a89cdd85188ff9a5a5cc upstream.
-
-If register_snap_client fails in atalk_init,
-error code should be set, otherwise it will
-triggers NULL pointer dereference while unloading
-module.
-
-Fixes: 9804501fa122 ("appletalk: Fix potential NULL pointer dereference in unregister_snap_client")
-Signed-off-by: YueHaibing <yuehaibing@huawei.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/appletalk/ddp.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/net/appletalk/ddp.c
-+++ b/net/appletalk/ddp.c
-@@ -1928,6 +1928,7 @@ static int __init atalk_init(void)
- ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
- if (!ddp_dl) {
- pr_crit("Unable to register DDP with SNAP.\n");
-+ rc = -ENOMEM;
- goto out_sock;
- }
-
diff --git a/can-slcan-fix-use-after-free-read-in-slcan_open.patch b/can-slcan-fix-use-after-free-read-in-slcan_open.patch
deleted file mode 100644
index d8601d1..0000000
--- a/can-slcan-fix-use-after-free-read-in-slcan_open.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 9ebd796e24008f33f06ebea5a5e6aceb68b51794 Mon Sep 17 00:00:00 2001
-From: Jouni Hogander <jouni.hogander@unikie.com>
-Date: Wed, 27 Nov 2019 08:40:26 +0200
-Subject: can: slcan: Fix use-after-free Read in slcan_open
-
-From: Jouni Hogander <jouni.hogander@unikie.com>
-
-commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream.
-
-Slcan_open doesn't clean-up device which registration failed from the
-slcan_devs device list. On next open this list is iterated and freed
-device is accessed. Fix this by calling slc_free_netdev in error path.
-
-Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was
-identified in slip_open by syzboz. Same bug is in slcan.c. Here is the
-trace from the Syzbot slip report:
-
-__dump_stack lib/dump_stack.c:77 [inline]
-dump_stack+0x197/0x210 lib/dump_stack.c:118
-print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
-__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
-kasan_report+0x12/0x20 mm/kasan/common.c:634
-__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
-sl_sync drivers/net/slip/slip.c:725 [inline]
-slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
-tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
-tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
-tiocsetd drivers/tty/tty_io.c:2334 [inline]
-tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
-vfs_ioctl fs/ioctl.c:46 [inline]
-file_ioctl fs/ioctl.c:509 [inline]
-do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
-ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
-__do_sys_ioctl fs/ioctl.c:720 [inline]
-__se_sys_ioctl fs/ioctl.c:718 [inline]
-__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
-do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
-entry_SYSCALL_64_after_hwframe+0x49/0xbe
-
-Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
-Cc: Wolfgang Grandegger <wg@grandegger.com>
-Cc: Marc Kleine-Budde <mkl@pengutronix.de>
-Cc: David Miller <davem@davemloft.net>
-Cc: Oliver Hartkopp <socketcan@hartkopp.net>
-Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
-Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
-Cc: linux-stable <stable@vger.kernel.org> # >= v5.4
-Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
-Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/net/can/slcan.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/net/can/slcan.c
-+++ b/drivers/net/can/slcan.c
-@@ -615,6 +615,7 @@ err_free_chan:
- sl->tty = NULL;
- tty->disc_data = NULL;
- clear_bit(SLF_INUSE, &sl->flags);
-+ slc_free_netdev(sl->dev);
- free_netdev(sl->dev);
-
- err_exit:
diff --git a/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch b/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
deleted file mode 100644
index 056e20b..0000000
--- a/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 746c908c4d72e49068ab216c3926d2720d71a90d Mon Sep 17 00:00:00 2001
-From: Christian Lamparter <chunkeey@gmail.com>
-Date: Thu, 31 Oct 2019 17:14:38 +0100
-Subject: crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
-
-From: Christian Lamparter <chunkeey@gmail.com>
-
-commit 746c908c4d72e49068ab216c3926d2720d71a90d upstream.
-
-This patch fixes a crash that can happen during probe
-when the available dma memory is not enough (this can
-happen if the crypto4xx is built as a module).
-
-The descriptor window mapping would end up being free'd
-twice, once in crypto4xx_build_pdr() and the second time
-in crypto4xx_destroy_sdr().
-
-Fixes: 5d59ad6eea82 ("crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak")
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/crypto/amcc/crypto4xx_core.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
---- a/drivers/crypto/amcc/crypto4xx_core.c
-+++ b/drivers/crypto/amcc/crypto4xx_core.c
-@@ -399,12 +399,8 @@ static u32 crypto4xx_build_sdr(struct cr
- dma_alloc_coherent(dev->core_dev->device,
- dev->scatter_buffer_size * PPC4XX_NUM_SD,
- &dev->scatter_buffer_pa, GFP_ATOMIC);
-- if (!dev->scatter_buffer_va) {
-- dma_free_coherent(dev->core_dev->device,
-- sizeof(struct ce_sd) * PPC4XX_NUM_SD,
-- dev->sdr, dev->sdr_pa);
-+ if (!dev->scatter_buffer_va)
- return -ENOMEM;
-- }
-
- sd_array = dev->sdr;
-
diff --git a/crypto-user-fix-memory-leak-in-crypto_report.patch b/crypto-user-fix-memory-leak-in-crypto_report.patch
deleted file mode 100644
index ef2cbbd..0000000
--- a/crypto-user-fix-memory-leak-in-crypto_report.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From ffdde5932042600c6807d46c1550b28b0db6a3bc Mon Sep 17 00:00:00 2001
-From: Navid Emamdoost <navid.emamdoost@gmail.com>
-Date: Fri, 4 Oct 2019 14:29:16 -0500
-Subject: crypto: user - fix memory leak in crypto_report
-
-From: Navid Emamdoost <navid.emamdoost@gmail.com>
-
-commit ffdde5932042600c6807d46c1550b28b0db6a3bc upstream.
-
-In crypto_report, a new skb is created via nlmsg_new(). This skb should
-be released if crypto_report_alg() fails.
-
-Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- crypto/crypto_user.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/crypto/crypto_user.c
-+++ b/crypto/crypto_user.c
-@@ -221,8 +221,10 @@ static int crypto_report(struct sk_buff
- info.nlmsg_flags = 0;
-
- err = crypto_report_alg(alg, &info);
-- if (err)
-+ if (err) {
-+ kfree_skb(skb);
- return err;
-+ }
-
- return nlmsg_unicast(crypto_nlsk, skb, NETLINK_CB(in_skb).portid);
- }
diff --git a/drm-i810-prevent-underflow-in-ioctl.patch b/drm-i810-prevent-underflow-in-ioctl.patch
deleted file mode 100644
index 4b3aa30..0000000
--- a/drm-i810-prevent-underflow-in-ioctl.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 4f69851fbaa26b155330be35ce8ac393e93e7442 Mon Sep 17 00:00:00 2001
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Fri, 4 Oct 2019 13:22:51 +0300
-Subject: drm/i810: Prevent underflow in ioctl
-
-From: Dan Carpenter <dan.carpenter@oracle.com>
-
-commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream.
-
-The "used" variables here come from the user in the ioctl and it can be
-negative. It could result in an out of bounds write.
-
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
-Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
-Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/gpu/drm/i810/i810_dma.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/gpu/drm/i810/i810_dma.c
-+++ b/drivers/gpu/drm/i810/i810_dma.c
-@@ -723,7 +723,7 @@ static void i810_dma_dispatch_vertex(str
- if (nbox > I810_NR_SAREA_CLIPRECTS)
- nbox = I810_NR_SAREA_CLIPRECTS;
-
-- if (used > 4 * 1024)
-+ if (used < 0 || used > 4 * 1024)
- used = 0;
-
- if (sarea_priv->dirty)
-@@ -1043,7 +1043,7 @@ static void i810_dma_dispatch_mc(struct
- if (u != I810_BUF_CLIENT)
- DRM_DEBUG("MC found buffer that isn't mine!\n");
-
-- if (used > 4 * 1024)
-+ if (used < 0 || used > 4 * 1024)
- used = 0;
-
- sarea_priv->dirty = 0x7f;
diff --git a/fuse-verify-attributes.patch b/fuse-verify-attributes.patch
deleted file mode 100644
index 9143c2f..0000000
--- a/fuse-verify-attributes.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From eb59bd17d2fa6e5e84fba61a5ebdea984222e6d5 Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi <mszeredi@redhat.com>
-Date: Tue, 12 Nov 2019 11:49:04 +0100
-Subject: fuse: verify attributes
-
-From: Miklos Szeredi <mszeredi@redhat.com>
-
-commit eb59bd17d2fa6e5e84fba61a5ebdea984222e6d5 upstream.
-
-If a filesystem returns negative inode sizes, future reads on the file were
-causing the cpu to spin on truncate_pagecache.
-
-Create a helper to validate the attributes. This now does two things:
-
- - check the file mode
- - check if the file size fits in i_size without overflowing
-
-Reported-by: Arijit Banerjee <arijit@rubrik.com>
-Fixes: d8a5ba45457e ("[PATCH] FUSE - core")
-Cc: <stable@vger.kernel.org> # v2.6.14
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/fuse/dir.c | 24 +++++++++++++++++-------
- fs/fuse/fuse_i.h | 2 ++
- 2 files changed, 19 insertions(+), 7 deletions(-)
-
---- a/fs/fuse/dir.c
-+++ b/fs/fuse/dir.c
-@@ -250,7 +250,8 @@ static int fuse_dentry_revalidate(struct
- spin_unlock(&fc->lock);
- }
- kfree(forget);
-- if (err || (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
-+ if (ret || fuse_invalid_attr(&outarg.attr) ||
-+ (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
- goto invalid;
-
- fuse_change_attributes(inode, &outarg.attr,
-@@ -337,6 +338,12 @@ int fuse_valid_type(int m)
- S_ISBLK(m) || S_ISFIFO(m) || S_ISSOCK(m);
- }
-
-+bool fuse_invalid_attr(struct fuse_attr *attr)
-+{
-+ return !fuse_valid_type(attr->mode) ||
-+ attr->size > LLONG_MAX;
-+}
-+
- int fuse_lookup_name(struct super_block *sb, u64 nodeid, struct qstr *name,
- struct fuse_entry_out *outarg, struct inode **inode)
- {
-@@ -376,7 +383,7 @@ int fuse_lookup_name(struct super_block
- err = -EIO;
- if (!outarg->nodeid)
- goto out_put_forget;
-- if (!fuse_valid_type(outarg->attr.mode))
-+ if (fuse_invalid_attr(&outarg->attr))
- goto out_put_forget;
-
- *inode = fuse_iget(sb, outarg->nodeid, outarg->generation,
-@@ -506,7 +513,8 @@ static int fuse_create_open(struct inode
- goto out_free_ff;
-
- err = -EIO;
-- if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid))
-+ if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid) ||
-+ fuse_invalid_attr(&outentry.attr))
- goto out_free_ff;
-
- fuse_put_request(fc, req);
-@@ -622,7 +630,7 @@ static int create_new_entry(struct fuse_
- goto out_put_forget_req;
-
- err = -EIO;
-- if (invalid_nodeid(outarg.nodeid))
-+ if (invalid_nodeid(outarg.nodeid) || fuse_invalid_attr(&outarg.attr))
- goto out_put_forget_req;
-
- if ((outarg.attr.mode ^ mode) & S_IFMT)
-@@ -1008,7 +1016,8 @@ static int fuse_do_getattr(struct inode
- err = req->out.h.error;
- fuse_put_request(fc, req);
- if (!err) {
-- if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
-+ if (fuse_invalid_attr(&outarg.attr) ||
-+ (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
- make_bad_inode(inode);
- err = -EIO;
- } else {
-@@ -1319,7 +1328,7 @@ static int fuse_direntplus_link(struct f
-
- if (invalid_nodeid(o->nodeid))
- return -EIO;
-- if (!fuse_valid_type(o->attr.mode))
-+ if (fuse_invalid_attr(&o->attr))
- return -EIO;
-
- fc = get_fuse_conn(dir);
-@@ -1829,7 +1838,8 @@ int fuse_do_setattr(struct dentry *dentr
- goto error;
- }
-
-- if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
-+ if (fuse_invalid_attr(&outarg.attr) ||
-+ (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
- make_bad_inode(inode);
- err = -EIO;
- goto error;
---- a/fs/fuse/fuse_i.h
-+++ b/fs/fuse/fuse_i.h
-@@ -834,6 +834,8 @@ void fuse_ctl_remove_conn(struct fuse_co
- */
- int fuse_valid_type(int m);
-
-+bool fuse_invalid_attr(struct fuse_attr *attr);
-+
- /**
- * Is current process allowed to perform filesystem operation?
- */
diff --git a/fuse-verify-nlink.patch b/fuse-verify-nlink.patch
deleted file mode 100644
index 97089aa..0000000
--- a/fuse-verify-nlink.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From c634da718db9b2fac201df2ae1b1b095344ce5eb Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi <mszeredi@redhat.com>
-Date: Tue, 12 Nov 2019 11:49:04 +0100
-Subject: fuse: verify nlink
-
-From: Miklos Szeredi <mszeredi@redhat.com>
-
-commit c634da718db9b2fac201df2ae1b1b095344ce5eb upstream.
-
-When adding a new hard link, make sure that i_nlink doesn't overflow.
-
-Fixes: ac45d61357e8 ("fuse: fix nlink after unlink")
-Cc: <stable@vger.kernel.org> # v3.4
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/fuse/dir.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/fs/fuse/dir.c
-+++ b/fs/fuse/dir.c
-@@ -918,7 +918,8 @@ static int fuse_link(struct dentry *entr
-
- spin_lock(&fc->lock);
- fi->attr_version = ++fc->attr_version;
-- inc_nlink(inode);
-+ if (likely(inode->i_nlink < UINT_MAX))
-+ inc_nlink(inode);
- spin_unlock(&fc->lock);
- fuse_invalidate_attr(inode);
- fuse_update_ctime(inode);
diff --git a/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch b/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
deleted file mode 100644
index 2de854f..0000000
--- a/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From add3efdd78b8a0478ce423bb9d4df6bd95e8b335 Mon Sep 17 00:00:00 2001
-From: Jan Kara <jack@suse.cz>
-Date: Tue, 5 Nov 2019 17:44:07 +0100
-Subject: jbd2: Fix possible overflow in jbd2_log_space_left()
-
-From: Jan Kara <jack@suse.cz>
-
-commit add3efdd78b8a0478ce423bb9d4df6bd95e8b335 upstream.
-
-When number of free space in the journal is very low, the arithmetic in
-jbd2_log_space_left() could underflow resulting in very high number of
-free blocks and thus triggering assertion failure in transaction commit
-code complaining there's not enough space in the journal:
-
-J_ASSERT(journal->j_free > 1);
-
-Properly check for the low number of free blocks.
-
-CC: stable@vger.kernel.org
-Reviewed-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Jan Kara <jack@suse.cz>
-Link: https://lore.kernel.org/r/20191105164437.32602-1-jack@suse.cz
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- include/linux/jbd2.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/include/linux/jbd2.h
-+++ b/include/linux/jbd2.h
-@@ -1340,7 +1340,7 @@ static inline int jbd2_space_needed(jour
- static inline unsigned long jbd2_log_space_left(journal_t *journal)
- {
- /* Allow for rounding errors */
-- unsigned long free = journal->j_free - 32;
-+ long free = journal->j_free - 32;
-
- if (journal->j_committing_transaction) {
- unsigned long committing = atomic_read(&journal->
-@@ -1349,7 +1349,7 @@ static inline unsigned long jbd2_log_spa
- /* Transaction + control blocks */
- free -= committing + (committing >> JBD2_CONTROL_BLOCKS_SHIFT);
- }
-- return free;
-+ return max_t(long, free, 0);
- }
-
- /*
diff --git a/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch b/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
deleted file mode 100644
index 2abbd74..0000000
--- a/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From de1fca5d6e0105c9d33924e1247e2f386efc3ece Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Mon, 18 Nov 2019 12:23:00 -0500
-Subject: KVM: x86: do not modify masked bits of shared MSRs
-
-From: Paolo Bonzini <pbonzini@redhat.com>
-
-commit de1fca5d6e0105c9d33924e1247e2f386efc3ece upstream.
-
-"Shared MSRs" are guest MSRs that are written to the host MSRs but
-keep their value until the next return to userspace. They support
-a mask, so that some bits keep the host value, but this mask is
-only used to skip an unnecessary MSR write and the value written
-to the MSR is always the guest MSR.
-
-Fix this and, while at it, do not update smsr->values[slot].curr if
-for whatever reason the wrmsr fails. This should only happen due to
-reserved bits, so the value written to smsr->values[slot].curr
-will not match when the user-return notifier and the host value will
-always be restored. However, it is untidy and in rare cases this
-can actually avoid spurious WRMSRs on return to userspace.
-
-Cc: stable@vger.kernel.org
-Reviewed-by: Jim Mattson <jmattson@google.com>
-Tested-by: Jim Mattson <jmattson@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- arch/x86/kvm/x86.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -235,13 +235,14 @@ int kvm_set_shared_msr(unsigned slot, u6
- struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
- int err;
-
-- if (((value ^ smsr->values[slot].curr) & mask) == 0)
-+ value = (value & mask) | (smsr->values[slot].host & ~mask);
-+ if (value == smsr->values[slot].curr)
- return 0;
-- smsr->values[slot].curr = value;
- err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
- if (err)
- return 1;
-
-+ smsr->values[slot].curr = value;
- if (!smsr->registered) {
- smsr->urn.on_user_return = kvm_on_user_return;
- user_return_notifier_register(&smsr->urn);
diff --git a/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch b/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
deleted file mode 100644
index b4e0c3b..0000000
--- a/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 433f4ba1904100da65a311033f17a9bf586b287e Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Wed, 4 Dec 2019 10:28:54 +0100
-Subject: KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
-
-From: Paolo Bonzini <pbonzini@redhat.com>
-
-commit 433f4ba1904100da65a311033f17a9bf586b287e upstream.
-
-The bounds check was present in KVM_GET_SUPPORTED_CPUID but not
-KVM_GET_EMULATED_CPUID.
-
-Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com
-Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29)
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- arch/x86/kvm/cpuid.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/arch/x86/kvm/cpuid.c
-+++ b/arch/x86/kvm/cpuid.c
-@@ -332,7 +332,7 @@ static inline int __do_cpuid_ent(struct
-
- r = -E2BIG;
-
-- if (*nent >= maxnent)
-+ if (WARN_ON(*nent >= maxnent))
- goto out;
-
- do_cpuid_1_ent(entry, function, index);
-@@ -575,6 +575,9 @@ out:
- static int do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 func,
- u32 idx, int *nent, int maxnent, unsigned int type)
- {
-+ if (*nent >= maxnent)
-+ return -E2BIG;
-+
- if (type == KVM_GET_EMULATED_CPUID)
- return __do_cpuid_ent_emulated(entry, func, idx, nent, maxnent);
-
diff --git a/rdma-qib-validate-show-store-callbacks-before-calling-them.patch b/rdma-qib-validate-show-store-callbacks-before-calling-them.patch
deleted file mode 100644
index 24a1abb..0000000
--- a/rdma-qib-validate-show-store-callbacks-before-calling-them.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 7ee23491b39259ae83899dd93b2a29ef0f22f0a7 Mon Sep 17 00:00:00 2001
-From: Viresh Kumar <viresh.kumar@linaro.org>
-Date: Thu, 7 Nov 2019 08:50:25 +0530
-Subject: RDMA/qib: Validate ->show()/store() callbacks before calling them
-
-From: Viresh Kumar <viresh.kumar@linaro.org>
-
-commit 7ee23491b39259ae83899dd93b2a29ef0f22f0a7 upstream.
-
-The permissions of the read-only or write-only sysfs files can be
-changed (as root) and the user can then try to read a write-only file or
-write to a read-only file which will lead to kernel crash here.
-
-Protect against that by always validating the show/store callbacks.
-
-Link: https://lore.kernel.org/r/d45cc26361a174ae12dbb86c994ef334d257924b.1573096807.git.viresh.kumar@linaro.org
-Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/infiniband/hw/qib/qib_sysfs.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/drivers/infiniband/hw/qib/qib_sysfs.c
-+++ b/drivers/infiniband/hw/qib/qib_sysfs.c
-@@ -301,6 +301,9 @@ static ssize_t qib_portattr_show(struct
- struct qib_pportdata *ppd =
- container_of(kobj, struct qib_pportdata, pport_kobj);
-
-+ if (!pattr->show)
-+ return -EIO;
-+
- return pattr->show(ppd, buf);
- }
-
-@@ -312,6 +315,9 @@ static ssize_t qib_portattr_store(struct
- struct qib_pportdata *ppd =
- container_of(kobj, struct qib_pportdata, pport_kobj);
-
-+ if (!pattr->store)
-+ return -EIO;
-+
- return pattr->store(ppd, buf, len);
- }
-
diff --git a/revert-mmc-sdhci-fix-incorrect-switch-to-hs-mode.patch b/revert-mmc-sdhci-fix-incorrect-switch-to-hs-mode.patch
deleted file mode 100644
index ae86260..0000000
--- a/revert-mmc-sdhci-fix-incorrect-switch-to-hs-mode.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 07bcc411567cb96f9d1fc84fff8d387118a2920d Mon Sep 17 00:00:00 2001
-From: Faiz Abbas <faiz_abbas@ti.com>
-Date: Thu, 28 Nov 2019 16:34:22 +0530
-Subject: Revert "mmc: sdhci: Fix incorrect switch to HS mode"
-
-From: Faiz Abbas <faiz_abbas@ti.com>
-
-commit 07bcc411567cb96f9d1fc84fff8d387118a2920d upstream.
-
-This reverts commit c894e33ddc1910e14d6f2a2016f60ab613fd8b37.
-
-This commit aims to treat SD High speed and SDR25 as the same while
-setting UHS Timings in HOST_CONTROL2 which leads to failures with some
-SD cards in AM65x. Revert this commit.
-
-The issue this commit was trying to fix can be implemented in a platform
-specific callback instead of common sdhci code.
-
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Faiz Abbas <faiz_abbas@ti.com>
-Acked-by: Adrian Hunter <adrian.hunter@intel.com>
-Link: https://lore.kernel.org/r/20191128110422.25917-1-faiz_abbas@ti.com
-Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/mmc/host/sdhci.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
---- a/drivers/mmc/host/sdhci.c
-+++ b/drivers/mmc/host/sdhci.c
-@@ -1450,9 +1450,7 @@ void sdhci_set_uhs_signaling(struct sdhc
- ctrl_2 |= SDHCI_CTRL_UHS_SDR104;
- else if (timing == MMC_TIMING_UHS_SDR12)
- ctrl_2 |= SDHCI_CTRL_UHS_SDR12;
-- else if (timing == MMC_TIMING_SD_HS ||
-- timing == MMC_TIMING_MMC_HS ||
-- timing == MMC_TIMING_UHS_SDR25)
-+ else if (timing == MMC_TIMING_UHS_SDR25)
- ctrl_2 |= SDHCI_CTRL_UHS_SDR25;
- else if (timing == MMC_TIMING_UHS_SDR50)
- ctrl_2 |= SDHCI_CTRL_UHS_SDR50;
diff --git a/serial-ifx6x60-add-missed-pm_runtime_disable.patch b/serial-ifx6x60-add-missed-pm_runtime_disable.patch
deleted file mode 100644
index 99c554f..0000000
--- a/serial-ifx6x60-add-missed-pm_runtime_disable.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 50b2b571c5f3df721fc81bf9a12c521dfbe019ba Mon Sep 17 00:00:00 2001
-From: Chuhong Yuan <hslester96@gmail.com>
-Date: Mon, 18 Nov 2019 10:48:33 +0800
-Subject: serial: ifx6x60: add missed pm_runtime_disable
-
-From: Chuhong Yuan <hslester96@gmail.com>
-
-commit 50b2b571c5f3df721fc81bf9a12c521dfbe019ba upstream.
-
-The driver forgets to call pm_runtime_disable in remove.
-Add the missed calls to fix it.
-
-Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
-Cc: stable <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20191118024833.21587-1-hslester96@gmail.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/tty/serial/ifx6x60.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/tty/serial/ifx6x60.c
-+++ b/drivers/tty/serial/ifx6x60.c
-@@ -1242,6 +1242,9 @@ static int ifx_spi_spi_remove(struct spi
- struct ifx_spi_device *ifx_dev = spi_get_drvdata(spi);
- /* stop activity */
- tasklet_kill(&ifx_dev->io_work_tasklet);
-+
-+ pm_runtime_disable(&spi->dev);
-+
- /* free irq */
- free_irq(gpio_to_irq(ifx_dev->gpio.reset_out), (void *)ifx_dev);
- free_irq(gpio_to_irq(ifx_dev->gpio.srdy), (void *)ifx_dev);
diff --git a/serial-pl011-fix-dma-flush_buffer.patch b/serial-pl011-fix-dma-flush_buffer.patch
deleted file mode 100644
index 266e84a..0000000
--- a/serial-pl011-fix-dma-flush_buffer.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From f6a196477184b99a31d16366a8e826558aa11f6d Mon Sep 17 00:00:00 2001 -From: Vincent Whitchurch <vincent.whitchurch@axis.com> -Date: Mon, 18 Nov 2019 10:25:47 +0100 -Subject: serial: pl011: Fix DMA ->flush_buffer() - -From: Vincent Whitchurch <vincent.whitchurch@axis.com> - -commit f6a196477184b99a31d16366a8e826558aa11f6d upstream. - -PL011's ->flush_buffer() implementation releases and reacquires the port -lock. Due to a race condition here, data can end up being added to the -circular buffer but neither being discarded nor being sent out. This -leads to, for example, tcdrain(2) waiting indefinitely. - -Process A Process B - -uart_flush_buffer() - - acquire lock - - circ_clear - - pl011_flush_buffer() - -- release lock - -- dmaengine_terminate_all() - - uart_write() - - acquire lock - - add chars to circ buffer - - start_tx() - -- start DMA - - release lock - - -- acquire lock - -- turn off DMA - -- release lock - - // Data in circ buffer but DMA is off - -According to the comment in the code, the releasing of the lock around -dmaengine_terminate_all() is to avoid a deadlock with the DMA engine -callback. However, since the time this code was written, the DMA engine -API documentation seems to have been clarified to say that -dmaengine_terminate_all() (in the identically implemented but -differently named dmaengine_terminate_async() variant) does not wait for -any running complete callback to be completed and can even be called -from a complete callback. So there is no possibility of deadlock if the -DMA engine driver implements this API correctly. - -So we should be able to just remove this release and reacquire of the -lock to prevent the aforementioned race condition. 
-
-Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
-Cc: stable <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20191118092547.32135-1-vincent.whitchurch@axis.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/tty/serial/amba-pl011.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
---- a/drivers/tty/serial/amba-pl011.c
-+++ b/drivers/tty/serial/amba-pl011.c
-@@ -684,10 +684,8 @@ __acquires(&uap->port.lock)
- if (!uap->using_tx_dma)
- return;
-
-- /* Avoid deadlock with the DMA engine callback */
-- spin_unlock(&uap->port.lock);
-- dmaengine_terminate_all(uap->dmatx.chan);
-- spin_lock(&uap->port.lock);
-+ dmaengine_terminate_async(uap->dmatx.chan);
-+
- if (uap->dmatx.queued) {
- dma_unmap_sg(uap->dmatx.chan->device->dev, &uap->dmatx.sg, 1,
- DMA_TO_DEVICE);
diff --git a/serial-serial_core-perform-null-checks-for-break_ctl-ops.patch b/serial-serial_core-perform-null-checks-for-break_ctl-ops.patch
deleted file mode 100644
index ae977a9..0000000
--- a/serial-serial_core-perform-null-checks-for-break_ctl-ops.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 7d73170e1c282576419f8b50a771f1fcd2b81a94 Mon Sep 17 00:00:00 2001
-From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
-Date: Wed, 20 Nov 2019 23:18:53 +0800
-Subject: serial: serial_core: Perform NULL checks for break_ctl ops
-
-From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
-
-commit 7d73170e1c282576419f8b50a771f1fcd2b81a94 upstream.
-
-Doing fuzz test on sbsa uart device, causes a kernel crash
-due to NULL pointer dereference:
-
-------------[ cut here ]------------
-Unable to handle kernel paging request at virtual address fffffffffffffffc
-pgd = ffffffe331723000
-[fffffffffffffffc] *pgd=0000002333595003, *pud=0000002333595003, *pmd=00000
-Internal error: Oops: 96000005 [#1] PREEMPT SMP
-Modules linked in: ping(O) jffs2 rtos_snapshot(O) pramdisk(O) hisi_sfc(O)
-Drv_Nandc_K(O) Drv_SysCtl_K(O) Drv_SysClk_K(O) bsp_reg(O) hns3(O)
-hns3_uio_enet(O) hclgevf(O) hclge(O) hnae3(O) mdio_factory(O)
-mdio_registry(O) mdio_dev(O) mdio(O) hns3_info(O) rtos_kbox_panic(O)
-uart_suspend(O) rsm(O) stp llc tunnel4 xt_tcpudp ipt_REJECT nf_reject_ipv4
-iptable_filter ip_tables x_tables sd_mod xhci_plat_hcd xhci_pci xhci_hcd
-usbmon usbhid usb_storage ohci_platform ohci_pci ohci_hcd hid_generic hid
-ehci_platform ehci_pci ehci_hcd vfat fat usbcore usb_common scsi_mod
-yaffs2multi(O) ext4 jbd2 ext2 mbcache ofpart i2c_dev i2c_core uio ubi nand
-nand_ecc nand_ids cfi_cmdset_0002 cfi_cmdset_0001 cfi_probe gen_probe
-cmdlinepart chipreg mtdblock mtd_blkdevs mtd nfsd auth_rpcgss oid_registry
-nfsv3 nfs nfs_acl lockd sunrpc grace autofs4
-CPU: 2 PID: 2385 Comm: tty_fuzz_test Tainted: G O 4.4.193 #1
-task: ffffffe32b23f110 task.stack: ffffffe32bda4000
-PC is at uart_break_ctl+0x44/0x84
-LR is at uart_break_ctl+0x34/0x84
-pc : [<ffffff8393196098>] lr : [<ffffff8393196088>] pstate: 80000005
-sp : ffffffe32bda7cc0
-x29: ffffffe32bda7cc0 x28: ffffffe32b23f110
-x27: ffffff8393402000 x26: 0000000000000000
-x25: ffffffe32b233f40 x24: ffffffc07a8ec680
-x23: 0000000000005425 x22: 00000000ffffffff
-x21: ffffffe33ed73c98 x20: 0000000000000000
-x19: ffffffe33ed94168 x18: 0000000000000004
-x17: 0000007f92ae9d30 x16: ffffff8392fa6064
-x15: 0000000000000010 x14: 0000000000000000
-x13: 0000000000000000 x12: 0000000000000000
-x11: 0000000000000020 x10: 0000007ffdac1708
-x9 : 0000000000000078 x8 : 000000000000001d
-x7 : 0000000052a64887 x6 : ffffffe32bda7e08
-x5 : ffffffe32b23c000 x4 : 0000005fbc5b0000
-x3 : ffffff83938d5018 x2 : 0000000000000080
-x1 : ffffffe32b23c040 x0 : ffffff83934428f8
-virtual start addr offset is 38ac00000
-module base offset is 2cd4cf1000
-linear region base offset is : 0
-Process tty_fuzz_test (pid: 2385, stack limit = 0xffffffe32bda4000)
-Stack: (0xffffffe32bda7cc0 to 0xffffffe32bda8000)
-7cc0: ffffffe32bda7cf0 ffffff8393177718 ffffffc07a8ec680 ffffff8393196054
-7ce0: 000000001739f2e0 0000007ffdac1978 ffffffe32bda7d20 ffffff8393179a1c
-7d00: 0000000000000000 ffffff8393c0a000 ffffffc07a8ec680 cb88537fdc8ba600
-7d20: ffffffe32bda7df0 ffffff8392fa5a40 ffffff8393c0a000 0000000000005425
-7d40: 0000007ffdac1978 ffffffe32b233f40 ffffff8393178dcc 0000000000000003
-7d60: 000000000000011d 000000000000001d ffffffe32b23f110 000000000000029e
-7d80: ffffffe34fe8d5d0 0000000000000000 ffffffe32bda7e14 cb88537fdc8ba600
-7da0: ffffffe32bda7e30 ffffff8393042cfc ffffff8393c41720 ffffff8393c46410
-7dc0: ffffff839304fa68 ffffffe32b233f40 0000000000005425 0000007ffdac1978
-7de0: 000000000000011d cb88537fdc8ba600 ffffffe32bda7e70 ffffff8392fa60cc
-7e00: 0000000000000000 ffffffe32b233f40 ffffffe32b233f40 0000000000000003
-7e20: 0000000000005425 0000007ffdac1978 ffffffe32bda7e70 ffffff8392fa60b0
-7e40: 0000000000000280 ffffffe32b233f40 ffffffe32b233f40 0000000000000003
-7e60: 0000000000005425 cb88537fdc8ba600 0000000000000000 ffffff8392e02e78
-7e80: 0000000000000280 0000005fbc5b0000 ffffffffffffffff 0000007f92ae9d3c
-7ea0: 0000000060000000 0000000000000015 0000000000000003 0000000000005425
-7ec0: 0000007ffdac1978 0000000000000000 00000000a54c910e 0000007f92b95014
-7ee0: 0000007f92b95090 0000000052a64887 000000000000001d 0000000000000078
-7f00: 0000007ffdac1708 0000000000000020 0000000000000000 0000000000000000
-7f20: 0000000000000000 0000000000000010 000000556acf0090 0000007f92ae9d30
-7f40: 0000000000000004 000000556acdef10 0000000000000000 000000556acdebd0
-7f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-7f80: 0000000000000000 0000000000000000 0000000000000000 0000007ffdac1840
-7fa0: 000000556acdedcc 0000007ffdac1840 0000007f92ae9d3c 0000000060000000
-7fc0: 0000000000000000 0000000000000000 0000000000000003 000000000000001d
-7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
-Call trace:
-Exception stack(0xffffffe32bda7ab0 to 0xffffffe32bda7bf0)
-7aa0: 0000000000001000 0000007fffffffff
-7ac0: ffffffe32bda7cc0 ffffff8393196098 0000000080000005 0000000000000025
-7ae0: ffffffe32b233f40 ffffff83930d777c ffffffe32bda7b30 ffffff83930d777c
-7b00: ffffffe32bda7be0 ffffff83938d5000 ffffffe32bda7be0 ffffffe32bda7c20
-7b20: ffffffe32bda7b60 ffffff83930d777c ffffffe32bda7c10 ffffff83938d5000
-7b40: ffffffe32bda7c10 ffffffe32bda7c50 ffffff8393c0a000 ffffffe32b23f110
-7b60: ffffffe32bda7b70 ffffff8392e09df4 ffffffe32bda7bb0 cb88537fdc8ba600
-7b80: ffffff83934428f8 ffffffe32b23c040 0000000000000080 ffffff83938d5018
-7ba0: 0000005fbc5b0000 ffffffe32b23c000 ffffffe32bda7e08 0000000052a64887
-7bc0: 000000000000001d 0000000000000078 0000007ffdac1708 0000000000000020
-7be0: 0000000000000000 0000000000000000
-[<ffffff8393196098>] uart_break_ctl+0x44/0x84
-[<ffffff8393177718>] send_break+0xa0/0x114
-[<ffffff8393179a1c>] tty_ioctl+0xc50/0xe84
-[<ffffff8392fa5a40>] do_vfs_ioctl+0xc4/0x6e8
-[<ffffff8392fa60cc>] SyS_ioctl+0x68/0x9c
-[<ffffff8392e02e78>] __sys_trace_return+0x0/0x4
-Code: b9410ea0 34000160 f9408aa0 f9402814 (b85fc280)
----[ end trace 8606094f1960c5e0 ]---
-Kernel panic - not syncing: Fatal exception
-
-Fix this problem by adding NULL checks prior to calling break_ctl ops.
-
-Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
-Cc: stable <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/1574263133-28259-1-git-send-email-xiaojiangfeng@huawei.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/tty/serial/serial_core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/tty/serial/serial_core.c
-+++ b/drivers/tty/serial/serial_core.c
-@@ -1003,7 +1003,7 @@ static int uart_break_ctl(struct tty_str
-
- mutex_lock(&port->mutex);
-
-- if (uport->type != PORT_UNKNOWN)
-+ if (uport->type != PORT_UNKNOWN && uport->ops->break_ctl)
- uport->ops->break_ctl(uport, break_state);
-
- mutex_unlock(&port->mutex);
@@ -1,24 +1,3 @@
-revert-mmc-sdhci-fix-incorrect-switch-to-hs-mode.patch
-usb-gadget-u_serial-add-missing-port-entry-locking.patch
-tty-serial-msm_serial-fix-flow-control.patch
-serial-pl011-fix-dma-flush_buffer.patch
-serial-serial_core-perform-null-checks-for-break_ctl-ops.patch
-serial-ifx6x60-add-missed-pm_runtime_disable.patch
-fuse-verify-nlink.patch
-fuse-verify-attributes.patch
-alsa-pcm-oss-avoid-potential-buffer-overflows.patch
-x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch
-tty-vt-keyboard-reject-invalid-keycodes.patch
-can-slcan-fix-use-after-free-read-in-slcan_open.patch
-jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
-drm-i810-prevent-underflow-in-ioctl.patch
-kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
-crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
-crypto-user-fix-memory-leak-in-crypto_report.patch
-rdma-qib-validate-show-store-callbacks-before-calling-them.patch
-kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
-appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
-appletalk-set-error-code-if-register_snap_client-failed.patch
 staging-rtl8188eu-fix-interface-sanity-check.patch
 staging-rtl8712-fix-interface-sanity-check.patch
 staging-gigaset-fix-general-protection-fault-on-probe.patch
diff --git a/tty-serial-msm_serial-fix-flow-control.patch b/tty-serial-msm_serial-fix-flow-control.patch
deleted file mode 100644
index 2ff362a..0000000
--- a/tty-serial-msm_serial-fix-flow-control.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From b027ce258369cbfa88401a691c23dad01deb9f9b Mon Sep 17 00:00:00 2001
-From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
-Date: Mon, 21 Oct 2019 08:46:16 -0700
-Subject: tty: serial: msm_serial: Fix flow control
-
-From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
-
-commit b027ce258369cbfa88401a691c23dad01deb9f9b upstream.
-
-hci_qca interfaces to the wcn3990 via a uart_dm on the msm8998 mtp and
-Lenovo Miix 630 laptop. As part of initializing the wcn3990, hci_qca
-disables flow, configures the uart baudrate, and then reenables flow - at
-which point an event is expected to be received over the uart from the
-wcn3990. It is observed that this event comes after the baudrate change
-but before hci_qca re-enables flow. This is unexpected, and is a result of
-msm_reset() being broken.
-
-According to the uart_dm hardware documentation, it is recommended that
-automatic hardware flow control be enabled by setting RX_RDY_CTL. Auto
-hw flow control will manage RFR based on the configured watermark. When
-there is space to receive data, the hw will assert RFR. When the watermark
-is hit, the hw will de-assert RFR.
-
-The hardware documentation indicates that RFR can me manually managed via
-CR when RX_RDY_CTL is not set. SET_RFR asserts RFR, and RESET_RFR
-de-asserts RFR.
-
-msm_reset() is broken because after resetting the hardware, it
-unconditionally asserts RFR via SET_RFR. This enables flow regardless of
-the current configuration, and would undo a previous flow disable
-operation. It should instead de-assert RFR via RESET_RFR to block flow
-until the hardware is reconfigured. msm_serial should rely on the client
-to specify that flow should be enabled, either via mctrl() or the termios
-structure, and only assert RFR in response to those triggers.
-
-Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
-Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
-Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
-Cc: stable <stable@vger.kernel.org>
-Reviewed-by: Andy Gross <agross@kernel.org>
-Link: https://lore.kernel.org/r/20191021154616.25457-1-jeffrey.l.hugo@gmail.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/tty/serial/msm_serial.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/tty/serial/msm_serial.c
-+++ b/drivers/tty/serial/msm_serial.c
-@@ -321,6 +321,7 @@ static unsigned int msm_get_mctrl(struct
- static void msm_reset(struct uart_port *port)
- {
- struct msm_port *msm_port = UART_TO_MSM(port);
-+ unsigned int mr;
-
- /* reset everything */
- msm_write(port, UART_CR_CMD_RESET_RX, UART_CR);
-@@ -328,7 +329,10 @@ static void msm_reset(struct uart_port *
- msm_write(port, UART_CR_CMD_RESET_ERR, UART_CR);
- msm_write(port, UART_CR_CMD_RESET_BREAK_INT, UART_CR);
- msm_write(port, UART_CR_CMD_RESET_CTS, UART_CR);
-- msm_write(port, UART_CR_CMD_SET_RFR, UART_CR);
-+ msm_write(port, UART_CR_CMD_RESET_RFR, UART_CR);
-+ mr = msm_read(port, UART_MR1);
-+ mr &= ~UART_MR1_RX_RDY_CTL;
-+ msm_write(port, mr, UART_MR1);
-
- /* Disable DM modes */
- if (msm_port->is_uartdm)
diff --git a/tty-vt-keyboard-reject-invalid-keycodes.patch b/tty-vt-keyboard-reject-invalid-keycodes.patch
deleted file mode 100644
index 09c9933..0000000
--- a/tty-vt-keyboard-reject-invalid-keycodes.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From b2b2dd71e0859436d4e05b2f61f86140250ed3f8 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Fri, 22 Nov 2019 12:42:20 -0800
-Subject: tty: vt: keyboard: reject invalid keycodes
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream.
-
-Do not try to handle keycodes that are too big, otherwise we risk doing
-out-of-bounds writes:
-
-BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
-BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
-BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
-Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
-...
- kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
- kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
- input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
- input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
- input_pass_values drivers/input/input.c:949 [inline]
- input_set_keycode+0x290/0x320 drivers/input/input.c:954
- evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
- evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
-
-In this case we were dealing with a fuzzed HID device that declared over
-12K buttons, and while HID layer should not be reporting to us such big
-keycodes, we should also be defensive and reject invalid data ourselves as
-well.
-
-Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Cc: stable <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/tty/vt/keyboard.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/tty/vt/keyboard.c
-+++ b/drivers/tty/vt/keyboard.c
-@@ -1358,7 +1358,7 @@ static void kbd_event(struct input_handl
-
- if (event_type == EV_MSC && event_code == MSC_RAW && HW_RAW(handle->dev))
- kbd_rawcode(value);
-- if (event_type == EV_KEY)
-+ if (event_type == EV_KEY && event_code <= KEY_MAX)
- kbd_keycode(event_code, value, HW_RAW(handle->dev));
-
- spin_unlock(&kbd_event_lock);
diff --git a/usb-gadget-u_serial-add-missing-port-entry-locking.patch b/usb-gadget-u_serial-add-missing-port-entry-locking.patch
deleted file mode 100644
index 51737b6..0000000
--- a/usb-gadget-u_serial-add-missing-port-entry-locking.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From daf82bd24e308c5a83758047aff1bd81edda4f11 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= <mirq-linux@rere.qmqm.pl>
-Date: Sat, 10 Aug 2019 10:42:48 +0200
-Subject: usb: gadget: u_serial: add missing port entry locking
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
-
-commit daf82bd24e308c5a83758047aff1bd81edda4f11 upstream.
-
-gserial_alloc_line() misses locking (for a release barrier) while
-resetting port entry on TTY allocation failure. Fix this.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Tested-by: Ladislav Michl <ladis@linux-mips.org>
-Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/usb/gadget/function/u_serial.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/usb/gadget/function/u_serial.c
-+++ b/drivers/usb/gadget/function/u_serial.c
-@@ -1129,8 +1129,10 @@ int gserial_alloc_line(unsigned char *li
- __func__, port_num, PTR_ERR(tty_dev));
-
- ret = PTR_ERR(tty_dev);
-+ mutex_lock(&ports[port_num].lock);
- port = ports[port_num].port;
- ports[port_num].port = NULL;
-+ mutex_unlock(&ports[port_num].lock);
- gserial_free_port(port);
- goto err;
- }
diff --git a/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch b/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch
deleted file mode 100644
index a3630c7..0000000
--- a/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 7e8ce0e2b036dbc6617184317983aea4f2c52099 Mon Sep 17 00:00:00 2001
-From: Kai-Heng Feng <kai.heng.feng@canonical.com>
-Date: Mon, 2 Sep 2019 22:52:52 +0800
-Subject: x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
-
-From: Kai-Heng Feng <kai.heng.feng@canonical.com>
-
-commit 7e8ce0e2b036dbc6617184317983aea4f2c52099 upstream.
-
-The AMD FCH USB XHCI Controller advertises support for generating PME#
-while in D0. When in D0, it does signal PME# for USB 3.0 connect events,
-but not for USB 2.0 or USB 1.1 connect events, which means the controller
-doesn't wake correctly for those events.
-
- 00:10.0 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] FCH USB XHCI Controller [1022:7914] (rev 20) (prog-if 30 [XHCI])
- Subsystem: Dell FCH USB XHCI Controller [1028:087e]
- Capabilities: [50] Power Management version 3
- Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
-
-Clear PCI_PM_CAP_PME_D0 in dev->pme_support to indicate the device will not
-assert PME# from D0 so we don't rely on it.
-
-Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203673
-Link: https://lore.kernel.org/r/20190902145252.32111-1-kai.heng.feng@canonical.com
-Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
-Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- arch/x86/pci/fixup.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
---- a/arch/x86/pci/fixup.c
-+++ b/arch/x86/pci/fixup.c
-@@ -555,6 +555,17 @@ static void twinhead_reserve_killing_zon
- DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x27B9, twinhead_reserve_killing_zone);
-
- /*
-+ * Device [1022:7914]
-+ * When in D0, PME# doesn't get asserted when plugging USB 2.0 device.
-+ */
-+static void pci_fixup_amd_fch_xhci_pme(struct pci_dev *dev)
-+{
-+ dev_info(&dev->dev, "PME# does not work under D0, disabling it\n");
-+ dev->pme_support &= ~(PCI_PM_CAP_PME_D0 >> PCI_PM_CAP_PME_SHIFT);
-+}
-+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x7914, pci_fixup_amd_fch_xhci_pme);
-+
-+/*
- * Broadwell EP Home Agent BARs erroneously return non-zero values when read.
- *
- * See http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html |