author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-18 13:48:11 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-18 13:48:11 +0100 |
commit | c653948aebf07eaa287a4ce1638acd92ef1061ac (patch) | |
tree | aefd48755b487e38f40d4621ca38d2c7b7168a77 | |
parent | 76a40e6ccaef8b9608c60ef23587101ed0f6ad2e (diff) | |
download | queue-3.18-c653948aebf07eaa287a4ce1638acd92ef1061ac.tar.gz |
45 files changed, 2572 insertions, 0 deletions
diff --git a/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch b/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch new file mode 100644 index 0000000..7711a7e --- /dev/null +++ b/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch 
@@ -0,0 +1,59 @@ +From 627ead724eff33673597216f5020b72118827de4 Mon Sep 17 00:00:00 2001 +From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com> +Date: Thu, 28 Nov 2019 15:58:29 +0530 +Subject: ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() + +From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com> + +commit 627ead724eff33673597216f5020b72118827de4 upstream. + +kmemleak reported backtrace: + [<bbee0454>] kmem_cache_alloc_trace+0x128/0x260 + [<6677f215>] i2c_acpi_install_space_handler+0x4b/0xe0 + [<1180f4fc>] i2c_register_adapter+0x186/0x400 + [<6083baf7>] i2c_add_adapter+0x4e/0x70 + [<a3ddf966>] intel_gmbus_setup+0x1a2/0x2c0 [i915] + [<84cb69ae>] i915_driver_probe+0x8d8/0x13a0 [i915] + [<81911d4b>] i915_pci_probe+0x48/0x160 [i915] + [<4b159af1>] pci_device_probe+0xdc/0x160 + [<b3c64704>] really_probe+0x1ee/0x450 + [<bc029f5a>] driver_probe_device+0x142/0x1b0 + [<d8829d20>] device_driver_attach+0x49/0x50 + [<de71f045>] __driver_attach+0xc9/0x150 + [<df33ac83>] bus_for_each_dev+0x56/0xa0 + [<80089bba>] driver_attach+0x19/0x20 + [<cc73f583>] bus_add_driver+0x177/0x220 + [<7b29d8c7>] driver_register+0x56/0xf0 + +In i2c_acpi_remove_space_handler(), a leak occurs whenever the +"data" parameter is initialized to 0 before being passed to +acpi_bus_get_private_data(). + +This is because the NULL pointer check in acpi_bus_get_private_data() +(condition->if(!*data)) returns EINVAL and, in consequence, memory is +never freed in i2c_acpi_remove_space_handler(). + +Fix the NULL pointer check in acpi_bus_get_private_data() to follow +the analogous check in acpi_get_data_full(). + +Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com> +[ rjw: Subject & changelog ] +Cc: All applicable <stable@vger.kernel.org> +Signed-off-by: Rafael J. 
Wysocki <rafael.j.wysocki@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/acpi/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -158,7 +158,7 @@ int acpi_bus_get_private_data(acpi_handl + { + acpi_status status; + +- if (!*data) ++ if (!data) + return -EINVAL; + + status = acpi_get_data(handle, acpi_bus_private_data_handler, data); diff --git a/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch b/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch new file mode 100644 index 0000000..7691036 --- /dev/null +++ b/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch 
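Review bot: The new `if (!data)` guard validates only the out-pointer itself, so `*data` is now allowed to hold anything on entry, including 0; that contract is implicit and worth stating above the check: `/* Only the out-pointer is validated; *data may be 0 on entry and is filled in by acpi_get_data(). */`. The rest of acpi_bus_get_private_data() continues outside the hunk, so whether `*data` is written on every return path is not visible here.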
@@ -0,0 +1,53 @@ +From b9ea0bae260f6aae546db224daa6ac1bd9d94b91 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com> +Date: Wed, 4 Dec 2019 02:54:27 +0100 +Subject: ACPI: PM: Avoid attaching ACPI PM domain to certain devices + +From: Rafael J. Wysocki <rafael.j.wysocki@intel.com> + +commit b9ea0bae260f6aae546db224daa6ac1bd9d94b91 upstream. + +Certain ACPI-enumerated devices represented as platform devices in +Linux, like fans, require special low-level power management handling +implemented by their drivers that is not in agreement with the ACPI +PM domain behavior. That leads to problems with managing ACPI fans +during system-wide suspend and resume. + +For this reason, make acpi_dev_pm_attach() skip the affected devices +by adding a list of device IDs to avoid to it and putting the IDs of +the affected devices into that list. + +Fixes: e5cc8ef31267 (ACPI / PM: Provide ACPI PM callback routines for subsystems) +Reported-by: Zhang Rui <rui.zhang@intel.com> +Tested-by: Todd Brandt <todd.e.brandt@linux.intel.com> +Cc: 3.10+ <stable@vger.kernel.org> # 3.10+ +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/acpi/device_pm.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/device_pm.c ++++ b/drivers/acpi/device_pm.c +@@ -1102,9 +1102,19 @@ static void acpi_dev_pm_detach(struct de + */ + int acpi_dev_pm_attach(struct device *dev, bool power_on) + { ++ /* ++ * Skip devices whose ACPI companions match the device IDs below, ++ * because they require special power management handling incompatible ++ * with the generic ACPI PM domain. 
++ */ ++ static const struct acpi_device_id special_pm_ids[] = { ++ {"PNP0C0B", }, /* Generic ACPI fan */ ++ {"INT3404", }, /* Fan */ ++ {} ++ }; + struct acpi_device *adev = ACPI_COMPANION(dev); + +- if (!adev) ++ if (!adev || !acpi_match_device_ids(adev, special_pm_ids)) + return -ENODEV; + + if (dev->pm_domain) diff --git a/alsa-pcm-oss-avoid-potential-buffer-overflows.patch b/alsa-pcm-oss-avoid-potential-buffer-overflows.patch new file mode 100644 index 0000000..2156367 --- /dev/null +++ b/alsa-pcm-oss-avoid-potential-buffer-overflows.patch 
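Review bot: The condition `!adev || !acpi_match_device_ids(adev, special_pm_ids)` reads as "no match", but acpi_match_device_ids() follows the kernel's 0-on-match convention, so the negation fires on a match; a reader skimming the bool-looking expression will invert it. A one-line comment on that line would prevent the misreading: `/* acpi_match_device_ids() returns 0 on a match: those devices get no ACPI PM domain */`. The rest of acpi_dev_pm_attach() continues outside the hunk.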
@@ -0,0 +1,64 @@ +From 4cc8d6505ab82db3357613d36e6c58a297f57f7c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Wed, 4 Dec 2019 15:48:24 +0100 +Subject: ALSA: pcm: oss: Avoid potential buffer overflows + +From: Takashi Iwai <tiwai@suse.de> + +commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream. + +syzkaller reported an invalid access in PCM OSS read, and this seems +to be an overflow of the internal buffer allocated for a plugin. +Since the rate plugin adjusts its transfer size dynamically, the +calculation for the chained plugin might be bigger than the given +buffer size in some extreme cases, which lead to such an buffer +overflow as caught by KASAN. + +Fix it by limiting the max transfer size properly by checking against +the destination size in each plugin transfer callback. + +Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com +Cc: <stable@vger.kernel.org> +Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + sound/core/oss/linear.c | 2 ++ + sound/core/oss/mulaw.c | 2 ++ + sound/core/oss/route.c | 2 ++ + 3 files changed, 6 insertions(+) + +--- a/sound/core/oss/linear.c ++++ b/sound/core/oss/linear.c +@@ -107,6 +107,8 @@ static snd_pcm_sframes_t linear_transfer + } + } + #endif ++ if (frames > dst_channels[0].frames) ++ frames = dst_channels[0].frames; + convert(plugin, src_channels, dst_channels, frames); + return frames; + } +--- a/sound/core/oss/mulaw.c ++++ b/sound/core/oss/mulaw.c +@@ -269,6 +269,8 @@ static snd_pcm_sframes_t mulaw_transfer( + } + } + #endif ++ if (frames > dst_channels[0].frames) ++ frames = dst_channels[0].frames; + data = (struct mulaw_priv *)plugin->extra_data; + data->func(plugin, src_channels, dst_channels, frames); + return frames; +--- a/sound/core/oss/route.c ++++ b/sound/core/oss/route.c +@@ -57,6 +57,8 @@ static snd_pcm_sframes_t route_transfer( + return 
-ENXIO; + if (frames == 0) + return 0; ++ if (frames > dst_channels[0].frames) ++ frames = dst_channels[0].frames; + + nsrcs = plugin->src_format.channels; + ndsts = plugin->dst_format.channels; diff --git a/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch b/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch new file mode 100644 index 0000000..223116b --- /dev/null +++ b/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch 
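Review bot: Each new clamp indexes `dst_channels[0].frames` without a visible guarantee that the destination has at least one channel or that every destination channel carries the same frame count; in route.c the clamp sits after the existing `-ENXIO` and `frames == 0` guards, but in linear.c and mulaw.c it follows a `#endif` with no neighbouring check in view. If the plugin layer does guarantee a uniform per-channel frame count, as I believe the plugin channel structure implies, record it where the clamp is: `/* all dst channels share one frame count; never write past the buffer the caller sized */`. The same clamp appears in all three hunks, so a single static inline helper would keep the three copies from drifting. The enclosing transfer functions begin outside each hunk.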
@@ -0,0 +1,124 @@ +From 9804501fa1228048857910a6bf23e085aade37cc Mon Sep 17 00:00:00 2001 +From: YueHaibing <yuehaibing@huawei.com> +Date: Thu, 14 Mar 2019 13:47:59 +0800 +Subject: appletalk: Fix potential NULL pointer dereference in unregister_snap_client + +From: YueHaibing <yuehaibing@huawei.com> + +commit 9804501fa1228048857910a6bf23e085aade37cc upstream. + +register_snap_client may return NULL, all the callers +check it, but only print a warning. This will result in +NULL pointer dereference in unregister_snap_client and other +places. + +It has always been used like this since v2.6 + +Reported-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: YueHaibing <yuehaibing@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to <4.15: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + include/linux/atalk.h | 2 +- + net/appletalk/aarp.c | 15 ++++++++++++--- + net/appletalk/ddp.c | 20 ++++++++++++-------- + 3 files changed, 25 insertions(+), 12 deletions(-) + +--- a/include/linux/atalk.h ++++ b/include/linux/atalk.h +@@ -107,7 +107,7 @@ static __inline__ struct elapaarp *aarp_ + #define AARP_RESOLVE_TIME (10 * HZ) + + extern struct datalink_proto *ddp_dl, *aarp_dl; +-extern void aarp_proto_init(void); ++extern int aarp_proto_init(void); + + /* Inter module exports */ + +--- a/net/appletalk/aarp.c ++++ b/net/appletalk/aarp.c +@@ -879,15 +879,24 @@ static struct notifier_block aarp_notifi + + static unsigned char aarp_snap_id[] = { 0x00, 0x00, 0x00, 0x80, 0xF3 }; + +-void __init aarp_proto_init(void) ++int __init aarp_proto_init(void) + { ++ int rc; ++ + aarp_dl = register_snap_client(aarp_snap_id, aarp_rcv); +- if (!aarp_dl) ++ if (!aarp_dl) { + printk(KERN_CRIT "Unable to register AARP with SNAP.\n"); ++ return -ENOMEM; ++ } + setup_timer(&aarp_timer, aarp_expire_timeout, 0); + aarp_timer.expires = jiffies + sysctl_aarp_expiry_time; + 
add_timer(&aarp_timer); +- register_netdevice_notifier(&aarp_notifier); ++ rc = register_netdevice_notifier(&aarp_notifier); ++ if (rc) { ++ del_timer_sync(&aarp_timer); ++ unregister_snap_client(aarp_dl); ++ } ++ return rc; + } + + /* Remove the AARP entries associated with a device. */ +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1912,9 +1912,6 @@ static unsigned char ddp_snap_id[] = { 0 + EXPORT_SYMBOL(atrtr_get_dev); + EXPORT_SYMBOL(atalk_find_dev_addr); + +-static const char atalk_err_snap[] __initconst = +- KERN_CRIT "Unable to register DDP with SNAP.\n"; +- + /* Called by proto.c on kernel start up */ + static int __init atalk_init(void) + { +@@ -1929,17 +1926,22 @@ static int __init atalk_init(void) + goto out_proto; + + ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv); +- if (!ddp_dl) +- printk(atalk_err_snap); ++ if (!ddp_dl) { ++ pr_crit("Unable to register DDP with SNAP.\n"); ++ goto out_sock; ++ } + + dev_add_pack(<alk_packet_type); + dev_add_pack(&ppptalk_packet_type); + + rc = register_netdevice_notifier(&ddp_notifier); + if (rc) +- goto out_sock; ++ goto out_snap; ++ ++ rc = aarp_proto_init(); ++ if (rc) ++ goto out_dev; + +- aarp_proto_init(); + rc = atalk_proc_init(); + if (rc) + goto out_aarp; +@@ -1953,11 +1955,13 @@ out_proc: + atalk_proc_exit(); + out_aarp: + aarp_cleanup_module(); ++out_dev: + unregister_netdevice_notifier(&ddp_notifier); +-out_sock: ++out_snap: + dev_remove_pack(&ppptalk_packet_type); + dev_remove_pack(<alk_packet_type); + unregister_snap_client(ddp_dl); ++out_sock: + sock_unregister(PF_APPLETALK); + out_proto: + proto_unregister(&ddp_proto); diff --git a/appletalk-set-error-code-if-register_snap_client-failed.patch b/appletalk-set-error-code-if-register_snap_client-failed.patch new file mode 100644 index 0000000..9256e73 --- /dev/null +++ b/appletalk-set-error-code-if-register_snap_client-failed.patch 
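Review bot: In aarp_proto_init()'s new error path, `unregister_snap_client(aarp_dl);` leaves the global `aarp_dl` pointing at the freed client, and the atalk.h hunk shows it is exported via `extern struct datalink_proto *ddp_dl, *aarp_dl;`, so anything that later tests or uses `aarp_dl` sees a dangling pointer. Adding `aarp_dl = NULL;` immediately after the unregister call keeps the failed state indistinguishable from the not-yet-initialised one. The `-ENOMEM` returned when register_snap_client() yields NULL is a plausible mapping, but that helper's actual failure reasons are not visible here.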
@@ -0,0 +1,33 @@ +From c93ad1337ad06a718890a89cdd85188ff9a5a5cc Mon Sep 17 00:00:00 2001 +From: YueHaibing <yuehaibing@huawei.com> +Date: Tue, 30 Apr 2019 19:34:08 +0800 +Subject: appletalk: Set error code if register_snap_client failed + +From: YueHaibing <yuehaibing@huawei.com> + +commit c93ad1337ad06a718890a89cdd85188ff9a5a5cc upstream. + +If register_snap_client fails in atalk_init, +error code should be set, otherwise it will +triggers NULL pointer dereference while unloading +module. + +Fixes: 9804501fa122 ("appletalk: Fix potential NULL pointer dereference in unregister_snap_client") +Signed-off-by: YueHaibing <yuehaibing@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + net/appletalk/ddp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1928,6 +1928,7 @@ static int __init atalk_init(void) + ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv); + if (!ddp_dl) { + pr_crit("Unable to register DDP with SNAP.\n"); ++ rc = -ENOMEM; + goto out_sock; + } + diff --git a/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch b/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch new file mode 100644 index 0000000..f6bdaca --- /dev/null +++ b/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch 
@@ -0,0 +1,40 @@ +From 315cee426f87658a6799815845788fde965ddaad Mon Sep 17 00:00:00 2001 +From: Denis Efremov <efremov@linux.com> +Date: Mon, 30 Sep 2019 23:31:47 +0300 +Subject: ar5523: check NULL before memcpy() in ar5523_cmd() + +From: Denis Efremov <efremov@linux.com> + +commit 315cee426f87658a6799815845788fde965ddaad upstream. + +memcpy() call with "idata == NULL && ilen == 0" results in undefined +behavior in ar5523_cmd(). For example, NULL is passed in callchain +"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch +adds ilen check before memcpy() call in ar5523_cmd() to prevent an +undefined behavior. + +Cc: Pontus Fuchs <pontus.fuchs@gmail.com> +Cc: Kalle Valo <kvalo@codeaurora.org> +Cc: "David S. Miller" <davem@davemloft.net> +Cc: David Laight <David.Laight@ACULAB.COM> +Cc: stable@vger.kernel.org +Signed-off-by: Denis Efremov <efremov@linux.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar, + + if (flags & AR5523_CMD_FLAG_MAGIC) + hdr->magic = cpu_to_be32(1 << 24); +- memcpy(hdr + 1, idata, ilen); ++ if (ilen) ++ memcpy(hdr + 1, idata, ilen); + + cmd->odata = odata; + cmd->olen = olen; diff --git a/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch b/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch new file mode 100644 index 0000000..67eb4a3 --- /dev/null +++ b/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch 
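Review bot: The guard `if (ilen)` keys on the length only, so the reason for it — a NULL `idata` paired with a zero `ilen` from callers such as ar5523_cmd_write() — is invisible to the next reader, and a later caller passing NULL with a non-zero length would still dereference it. A comment on the guard would preserve the intent: `/* idata may be NULL when ilen == 0; memcpy() with a NULL source is UB even for zero bytes */`. No bound relating `ilen` to the buffer behind `hdr` is visible in this hunk; if ar5523_cmd() enforces one, it is earlier in the function, outside the hunk.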
@@ -0,0 +1,37 @@ +From 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f Mon Sep 17 00:00:00 2001 +From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com> +Date: Tue, 12 Nov 2019 14:02:36 +0100 +Subject: ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report + +From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com> + +commit 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f upstream. + +Check for existance of jack before tracing. +NULL pointer dereference has been reported by KASAN while unloading +machine driver (snd_soc_cnl_rt274). + +Signed-off-by: Pawel Harlozinski <pawel.harlozinski@linux.intel.com> +Link: https://lore.kernel.org/r/20191112130237.10141-1-pawel.harlozinski@linux.intel.com +Signed-off-by: Mark Brown <broonie@kernel.org> +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + sound/soc/soc-jack.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/sound/soc/soc-jack.c ++++ b/sound/soc/soc-jack.c +@@ -69,10 +69,9 @@ void snd_soc_jack_report(struct snd_soc_ + unsigned int sync = 0; + int enable; + +- trace_snd_soc_jack_report(jack, mask, status); +- + if (!jack) + return; ++ trace_snd_soc_jack_report(jack, mask, status); + + codec = jack->codec; + dapm = &codec->dapm; diff --git a/can-slcan-fix-use-after-free-read-in-slcan_open.patch b/can-slcan-fix-use-after-free-read-in-slcan_open.patch new file mode 100644 index 0000000..d8601d1 --- /dev/null +++ b/can-slcan-fix-use-after-free-read-in-slcan_open.patch 
@@ -0,0 +1,65 @@ +From 9ebd796e24008f33f06ebea5a5e6aceb68b51794 Mon Sep 17 00:00:00 2001 +From: Jouni Hogander <jouni.hogander@unikie.com> +Date: Wed, 27 Nov 2019 08:40:26 +0200 +Subject: can: slcan: Fix use-after-free Read in slcan_open + +From: Jouni Hogander <jouni.hogander@unikie.com> + +commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream. + +Slcan_open doesn't clean-up device which registration failed from the +slcan_devs device list. On next open this list is iterated and freed +device is accessed. Fix this by calling slc_free_netdev in error path. + +Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was +identified in slip_open by syzboz. Same bug is in slcan.c. Here is the +trace from the Syzbot slip report: + +__dump_stack lib/dump_stack.c:77 [inline] +dump_stack+0x197/0x210 lib/dump_stack.c:118 +print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 +__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 +kasan_report+0x12/0x20 mm/kasan/common.c:634 +__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 +sl_sync drivers/net/slip/slip.c:725 [inline] +slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801 +tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469 +tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596 +tiocsetd drivers/tty/tty_io.c:2334 [inline] +tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594 +vfs_ioctl fs/ioctl.c:46 [inline] +file_ioctl fs/ioctl.c:509 [inline] +do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696 +ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 +__do_sys_ioctl fs/ioctl.c:720 [inline] +__se_sys_ioctl fs/ioctl.c:718 [inline] +__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 +do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 +entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path") +Cc: Wolfgang Grandegger <wg@grandegger.com> +Cc: Marc Kleine-Budde <mkl@pengutronix.de> +Cc: David Miller <davem@davemloft.net> +Cc: Oliver Hartkopp <socketcan@hartkopp.net> 
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com> +Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com> +Cc: linux-stable <stable@vger.kernel.org> # >= v5.4 +Acked-by: Oliver Hartkopp <socketcan@hartkopp.net> +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/can/slcan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/can/slcan.c ++++ b/drivers/net/can/slcan.c +@@ -615,6 +615,7 @@ err_free_chan: + sl->tty = NULL; + tty->disc_data = NULL; + clear_bit(SLF_INUSE, &sl->flags); ++ slc_free_netdev(sl->dev); + free_netdev(sl->dev); + + err_exit: diff --git a/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch b/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch new file mode 100644 index 0000000..3fc653f --- /dev/null +++ b/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch 
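Review bot: The added `slc_free_netdev(sl->dev);` directly precedes `free_netdev(sl->dev);`, which is only safe if this tree's slc_free_netdev() no longer calls free_netdev() itself; upstream that separation came with the commit named in the Fixes: line (ed50e1600b44), and this is a 3.18 backport. If slc_free_netdev() in this branch still frees the device, the pair becomes a double free on the very error path being repaired, so the backport should be checked against the local helper rather than the upstream one. Once confirmed, a short comment on the new line would explain the pairing: `/* clear the slcan_devs slot before the device is freed */`. The function containing the err_free_chan label begins outside the hunk.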
@@ -0,0 +1,58 @@ +From 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 Mon Sep 17 00:00:00 2001 +From: Zhenzhong Duan <zhenzhong.duan@oracle.com> +Date: Wed, 23 Oct 2019 09:57:14 +0800 +Subject: cpuidle: Do not unset the driver if it is there already + +From: Zhenzhong Duan <zhenzhong.duan@oracle.com> + +commit 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 upstream. + +Fix __cpuidle_set_driver() to check if any of the CPUs in the mask has +a driver different from drv already and, if so, return -EBUSY before +updating any cpuidle_drivers per-CPU pointers. + +Fixes: 82467a5a885d ("cpuidle: simplify multiple driver support") +Cc: 3.11+ <stable@vger.kernel.org> # 3.11+ +Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com> +[ rjw: Subject & changelog ] +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/cpuidle/driver.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/cpuidle/driver.c ++++ b/drivers/cpuidle/driver.c +@@ -60,24 +60,23 @@ static inline void __cpuidle_unset_drive + * __cpuidle_set_driver - set per CPU driver variables for the given driver. + * @drv: a valid pointer to a struct cpuidle_driver + * +- * For each CPU in the driver's cpumask, unset the registered driver per CPU +- * to @drv. +- * +- * Returns 0 on success, -EBUSY if the CPUs have driver(s) already. ++ * Returns 0 on success, -EBUSY if any CPU in the cpumask have a driver ++ * different from drv already. + */ + static inline int __cpuidle_set_driver(struct cpuidle_driver *drv) + { + int cpu; + + for_each_cpu(cpu, drv->cpumask) { ++ struct cpuidle_driver *old_drv; + +- if (__cpuidle_get_cpu_driver(cpu)) { +- __cpuidle_unset_driver(drv); ++ old_drv = __cpuidle_get_cpu_driver(cpu); ++ if (old_drv && old_drv != drv) + return -EBUSY; +- } ++ } + ++ for_each_cpu(cpu, drv->cpumask) + per_cpu(cpuidle_drivers, cpu) = drv; +- } + + return 0; + } 
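Review bot: The rewritten __cpuidle_set_driver() now accepts a CPU that already has `drv` as its driver (only a different driver yields -EBUSY), which makes the call idempotent, but the updated kernel-doc does not say so and its grammar is off. Suggest ` * Returns 0 on success, -EBUSY if any CPU in the cpumask already has a` / ` * driver other than @drv; re-setting @drv on its own CPUs is a no-op.`. The check-then-assign split across two loops is only race-free if the caller serialises registrations, which this hunk cannot show.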
diff --git a/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch b/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch new file mode 100644 index 0000000..056e20b --- /dev/null +++ b/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch @@ -0,0 +1,43 @@ +From 746c908c4d72e49068ab216c3926d2720d71a90d Mon Sep 17 00:00:00 2001 +From: Christian Lamparter <chunkeey@gmail.com> +Date: Thu, 31 Oct 2019 17:14:38 +0100 +Subject: crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr + +From: Christian Lamparter <chunkeey@gmail.com> + +commit 746c908c4d72e49068ab216c3926d2720d71a90d upstream. + +This patch fixes a crash that can happen during probe +when the available dma memory is not enough (this can +happen if the crypto4xx is built as a module). + +The descriptor window mapping would end up being free'd +twice, once in crypto4xx_build_pdr() and the second time +in crypto4xx_destroy_sdr(). + +Fixes: 5d59ad6eea82 ("crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak") +Cc: <stable@vger.kernel.org> +Signed-off-by: Christian Lamparter <chunkeey@gmail.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/crypto/amcc/crypto4xx_core.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/crypto/amcc/crypto4xx_core.c ++++ b/drivers/crypto/amcc/crypto4xx_core.c +@@ -399,12 +399,8 @@ static u32 crypto4xx_build_sdr(struct cr + dma_alloc_coherent(dev->core_dev->device, + dev->scatter_buffer_size * PPC4XX_NUM_SD, + &dev->scatter_buffer_pa, GFP_ATOMIC); +- if (!dev->scatter_buffer_va) { +- dma_free_coherent(dev->core_dev->device, +- sizeof(struct ce_sd) * PPC4XX_NUM_SD, +- dev->sdr, dev->sdr_pa); ++ if (!dev->scatter_buffer_va) + return -ENOMEM; +- } + + sd_array = dev->sdr; + 
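Review bot: After the change, crypto4xx_build_sdr() returns with `dev->sdr` still allocated and relies on the caller to release it through crypto4xx_destroy_sdr(); the commit message explains that ownership but nothing in the code records it, so the next maintainer may re-add the free. A comment at the early return would anchor it: `/* dev->sdr is released by the caller via crypto4xx_destroy_sdr() */`. Separately, the hunk header shows the function declared `static u32` while it returns `-ENOMEM`, which only works if callers test for non-zero rather than negative; that is pre-existing and outside this hunk.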
diff --git a/crypto-user-fix-memory-leak-in-crypto_report.patch b/crypto-user-fix-memory-leak-in-crypto_report.patch new file mode 100644 index 0000000..ef2cbbd --- /dev/null +++ b/crypto-user-fix-memory-leak-in-crypto_report.patch @@ -0,0 +1,36 @@ +From ffdde5932042600c6807d46c1550b28b0db6a3bc Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost <navid.emamdoost@gmail.com> +Date: Fri, 4 Oct 2019 14:29:16 -0500 +Subject: crypto: user - fix memory leak in crypto_report + +From: Navid Emamdoost <navid.emamdoost@gmail.com> + +commit ffdde5932042600c6807d46c1550b28b0db6a3bc upstream. + +In crypto_report, a new skb is created via nlmsg_new(). This skb should +be released if crypto_report_alg() fails. + +Fixes: a38f7907b926 ("crypto: Add userspace configuration API") +Cc: <stable@vger.kernel.org> +Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + crypto/crypto_user.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/crypto/crypto_user.c ++++ b/crypto/crypto_user.c +@@ -221,8 +221,10 @@ static int crypto_report(struct sk_buff + info.nlmsg_flags = 0; + + err = crypto_report_alg(alg, &info); +- if (err) ++ if (err) { ++ kfree_skb(skb); + return err; ++ } + + return nlmsg_unicast(crypto_nlsk, skb, NETLINK_CB(in_skb).portid); + } diff --git a/drm-i810-prevent-underflow-in-ioctl.patch b/drm-i810-prevent-underflow-in-ioctl.patch new file mode 100644 index 0000000..4b3aa30 --- /dev/null +++ b/drm-i810-prevent-underflow-in-ioctl.patch 
@@ -0,0 +1,43 @@ +From 4f69851fbaa26b155330be35ce8ac393e93e7442 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Fri, 4 Oct 2019 13:22:51 +0300 +Subject: drm/i810: Prevent underflow in ioctl + +From: Dan Carpenter <dan.carpenter@oracle.com> + +commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream. + +The "used" variables here come from the user in the ioctl and it can be +negative. It could result in an out of bounds write. + +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> +Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> +Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/gpu/drm/i810/i810_dma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i810/i810_dma.c ++++ b/drivers/gpu/drm/i810/i810_dma.c +@@ -723,7 +723,7 @@ static void i810_dma_dispatch_vertex(str + if (nbox > I810_NR_SAREA_CLIPRECTS) + nbox = I810_NR_SAREA_CLIPRECTS; + +- if (used > 4 * 1024) ++ if (used < 0 || used > 4 * 1024) + used = 0; + + if (sarea_priv->dirty) +@@ -1043,7 +1043,7 @@ static void i810_dma_dispatch_mc(struct + if (u != I810_BUF_CLIENT) + DRM_DEBUG("MC found buffer that isn't mine!\n"); + +- if (used > 4 * 1024) ++ if (used < 0 || used > 4 * 1024) + used = 0; + + sarea_priv->dirty = 0x7f; diff --git a/inet-protect-against-too-small-mtu-values.patch b/inet-protect-against-too-small-mtu-values.patch new file mode 100644 index 0000000..d172ec6 --- /dev/null +++ b/inet-protect-against-too-small-mtu-values.patch 
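Review bot: Both hunks quietly reset an out-of-range `used` to 0 instead of rejecting the request, so a malformed ioctl proceeds with an empty buffer rather than an error; that matches the existing `used > 4 * 1024` handling, and since the dispatch functions are void they cannot report it, so the caller-side validation (outside these hunks) is where -EINVAL would belong. The bound `4 * 1024` is also a magic number duplicated between i810_dma_dispatch_vertex() and i810_dma_dispatch_mc(); a named constant such as `#define I810_MAX_USED_BYTES (4 * 1024)` (constructed name) used in both places would keep them in step. Both enclosing functions begin outside the hunks.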
@@ -0,0 +1,176 @@ +From foo@baz Tue 17 Dec 2019 09:44:32 PM CET +From: Eric Dumazet <edumazet@google.com> +Date: Thu, 5 Dec 2019 20:43:46 -0800 +Subject: inet: protect against too small mtu values. + +From: Eric Dumazet <edumazet@google.com> + +[ Upstream commit 501a90c945103e8627406763dac418f20f3837b2 ] + +syzbot was once again able to crash a host by setting a very small mtu +on loopback device. + +Let's make inetdev_valid_mtu() available in include/net/ip.h, +and use it in ip_setup_cork(), so that we protect both ip_append_page() +and __ip_append_data() + +Also add a READ_ONCE() when the device mtu is read. + +Pairs this lockless read with one WRITE_ONCE() in __dev_set_mtu(), +even if other code paths might write over this field. + +Add a big comment in include/linux/netdevice.h about dev->mtu +needing READ_ONCE()/WRITE_ONCE() annotations. + +Hopefully we will add the missing ones in followup patches. + +[1] + +refcount_t: saturated; leaking memory. +WARNING: CPU: 0 PID: 9464 at lib/refcount.c:22 refcount_warn_saturate+0x138/0x1f0 lib/refcount.c:22 +Kernel panic - not syncing: panic_on_warn set ... 
+CPU: 0 PID: 9464 Comm: syz-executor850 Not tainted 5.4.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x197/0x210 lib/dump_stack.c:118 + panic+0x2e3/0x75c kernel/panic.c:221 + __warn.cold+0x2f/0x3e kernel/panic.c:582 + report_bug+0x289/0x300 lib/bug.c:195 + fixup_bug arch/x86/kernel/traps.c:174 [inline] + fixup_bug arch/x86/kernel/traps.c:169 [inline] + do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267 + do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286 + invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 +RIP: 0010:refcount_warn_saturate+0x138/0x1f0 lib/refcount.c:22 +Code: 06 31 ff 89 de e8 c8 f5 e6 fd 84 db 0f 85 6f ff ff ff e8 7b f4 e6 fd 48 c7 c7 e0 71 4f 88 c6 05 56 a6 a4 06 01 e8 c7 a8 b7 fd <0f> 0b e9 50 ff ff ff e8 5c f4 e6 fd 0f b6 1d 3d a6 a4 06 31 ff 89 +RSP: 0018:ffff88809689f550 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffffffff815e4336 RDI: ffffed1012d13e9c +RBP: ffff88809689f560 R08: ffff88809c50a3c0 R09: fffffbfff15d31b1 +R10: fffffbfff15d31b0 R11: ffffffff8ae98d87 R12: 0000000000000001 +R13: 0000000000040100 R14: ffff888099041104 R15: ffff888218d96e40 + refcount_add include/linux/refcount.h:193 [inline] + skb_set_owner_w+0x2b6/0x410 net/core/sock.c:1999 + sock_wmalloc+0xf1/0x120 net/core/sock.c:2096 + ip_append_page+0x7ef/0x1190 net/ipv4/ip_output.c:1383 + udp_sendpage+0x1c7/0x480 net/ipv4/udp.c:1276 + inet_sendpage+0xdb/0x150 net/ipv4/af_inet.c:821 + kernel_sendpage+0x92/0xf0 net/socket.c:3794 + sock_sendpage+0x8b/0xc0 net/socket.c:936 + pipe_to_sendpage+0x2da/0x3c0 fs/splice.c:458 + splice_from_pipe_feed fs/splice.c:512 [inline] + __splice_from_pipe+0x3ee/0x7c0 fs/splice.c:636 + splice_from_pipe+0x108/0x170 fs/splice.c:671 + generic_splice_sendpage+0x3c/0x50 fs/splice.c:842 + do_splice_from fs/splice.c:861 [inline] + 
direct_splice_actor+0x123/0x190 fs/splice.c:1035 + splice_direct_to_actor+0x3b4/0xa30 fs/splice.c:990 + do_splice_direct+0x1da/0x2a0 fs/splice.c:1078 + do_sendfile+0x597/0xd00 fs/read_write.c:1464 + __do_sys_sendfile64 fs/read_write.c:1525 [inline] + __se_sys_sendfile64 fs/read_write.c:1511 [inline] + __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x441409 +Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fffb64c4f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441409 +RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000005 +RBP: 0000000000073b8a R08: 0000000000000010 R09: 0000000000000010 +R10: 0000000000010001 R11: 0000000000000246 R12: 0000000000402180 +R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000 +Kernel Offset: disabled +Rebooting in 86400 seconds.. + +Fixes: 1470ddf7f8ce ("inet: Remove explicit write references to sk/inet in ip_append_data") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + include/linux/netdevice.h | 5 +++++ + include/net/ip.h | 5 +++++ + net/core/dev.c | 3 ++- + net/ipv4/devinet.c | 5 ----- + net/ipv4/ip_output.c | 14 +++++++++----- + 5 files changed, 21 insertions(+), 11 deletions(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -1537,6 +1537,11 @@ struct net_device { + unsigned char if_port; + unsigned char dma; + ++ /* Note : dev->mtu is often read without holding a lock. ++ * Writers usually hold RTNL. 
++ * It is recommended to use READ_ONCE() to annotate the reads, ++ * and to use WRITE_ONCE() to annotate the writes. ++ */ + unsigned int mtu; + unsigned short type; + unsigned short hard_header_len; +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -558,4 +558,9 @@ extern int sysctl_icmp_msgs_burst; + int ip_misc_proc_init(void); + #endif + ++static inline bool inetdev_valid_mtu(unsigned int mtu) ++{ ++ return likely(mtu >= IPV4_MIN_MTU); ++} ++ + #endif /* _IP_H */ +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -5723,7 +5723,8 @@ static int __dev_set_mtu(struct net_devi + if (ops->ndo_change_mtu) + return ops->ndo_change_mtu(dev, new_mtu); + +- dev->mtu = new_mtu; ++ /* Pairs with all the lockless reads of dev->mtu in the stack */ ++ WRITE_ONCE(dev->mtu, new_mtu); + return 0; + } + +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -1326,11 +1326,6 @@ skip: + } + } + +-static bool inetdev_valid_mtu(unsigned int mtu) +-{ +- return mtu >= IPV4_MIN_MTU; +-} +- + static void inetdev_send_gratuitous_arp(struct net_device *dev, + struct in_device *in_dev) + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1112,13 +1112,17 @@ static int ip_setup_cork(struct sock *sk + rt = *rtp; + if (unlikely(!rt)) + return -EFAULT; +- /* +- * We steal reference to this route, caller should not release it +- */ +- *rtp = NULL; ++ + cork->fragsize = ip_sk_use_pmtu(sk) ? +- dst_mtu(&rt->dst) : rt->dst.dev->mtu; ++ dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu); ++ ++ if (!inetdev_valid_mtu(cork->fragsize)) ++ return -ENETUNREACH; ++ + cork->dst = &rt->dst; ++ /* We stole this route, caller should not release it. */ ++ *rtp = NULL; ++ + cork->length = 0; + cork->ttl = ipc->ttl; + cork->tos = ipc->tos; diff --git a/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch b/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch new file mode 100644 index 0000000..2de854f --- /dev/null +++ b/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch 
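Review bot: The new `inetdev_valid_mtu()` in include/net/ip.h references `IPV4_MIN_MTU`, which this 3.18 backport needs defined in a header ip.h already sees; the devinet.c hunk only shows the constant being used, not defined, so the backport should confirm the definition is present in this tree. In ip_setup_cork(), moving `*rtp = NULL;` after the MTU check is the right ordering, since on -ENETUNREACH the caller still owns the route; a comment at that return would make it intentional: `/* route is still owned by the caller here; *rtp is only stolen below */`. The remainder of ip_setup_cork() and any other writers of `dev->mtu` that still lack WRITE_ONCE() are outside these hunks.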
@@ -0,0 +1,49 @@ +From add3efdd78b8a0478ce423bb9d4df6bd95e8b335 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Tue, 5 Nov 2019 17:44:07 +0100 +Subject: jbd2: Fix possible overflow in jbd2_log_space_left() + +From: Jan Kara <jack@suse.cz> + +commit add3efdd78b8a0478ce423bb9d4df6bd95e8b335 upstream. + +When number of free space in the journal is very low, the arithmetic in +jbd2_log_space_left() could underflow resulting in very high number of +free blocks and thus triggering assertion failure in transaction commit +code complaining there's not enough space in the journal: + +J_ASSERT(journal->j_free > 1); + +Properly check for the low number of free blocks. + +CC: stable@vger.kernel.org +Reviewed-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20191105164437.32602-1-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + include/linux/jbd2.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/jbd2.h ++++ b/include/linux/jbd2.h +@@ -1340,7 +1340,7 @@ static inline int jbd2_space_needed(jour + static inline unsigned long jbd2_log_space_left(journal_t *journal) + { + /* Allow for rounding errors */ +- unsigned long free = journal->j_free - 32; ++ long free = journal->j_free - 32; + + if (journal->j_committing_transaction) { + unsigned long committing = atomic_read(&journal-> +@@ -1349,7 +1349,7 @@ static inline unsigned long jbd2_log_spa + /* Transaction + control blocks */ + free -= committing + (committing >> JBD2_CONTROL_BLOCKS_SHIFT); + } +- return free; ++ return max_t(long, free, 0); + } + + /* diff --git a/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch b/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch new file mode 100644 index 0000000..2abbd74 --- /dev/null +++ b/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch 
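Review bot: The newly signed `free` is still combined with the unsigned `committing` in `free -= committing + (committing >> JBD2_CONTROL_BLOCKS_SHIFT);`, so that subtraction is done in unsigned long and converted back to long, and the initial `long free = journal->j_free - 32;` likewise wraps in unsigned before conversion. The clamp `return max_t(long, free, 0);` therefore depends on the unsigned-to-signed conversion being two's-complement, which GCC guarantees but C11 leaves implementation-defined; the kernel assumes this elsewhere, so it is a readability point rather than a correctness one. A comment on the `long free` line, e.g. `/* signed so a nearly full journal clamps to 0 below instead of wrapping to a huge count */`, would record why the width changed. The middle of jbd2_log_space_left(), between the two hunks, is not shown.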
@@ -0,0 +1,51 @@ +From de1fca5d6e0105c9d33924e1247e2f386efc3ece Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Mon, 18 Nov 2019 12:23:00 -0500 +Subject: KVM: x86: do not modify masked bits of shared MSRs + +From: Paolo Bonzini <pbonzini@redhat.com> + +commit de1fca5d6e0105c9d33924e1247e2f386efc3ece upstream. + +"Shared MSRs" are guest MSRs that are written to the host MSRs but +keep their value until the next return to userspace. They support +a mask, so that some bits keep the host value, but this mask is +only used to skip an unnecessary MSR write and the value written +to the MSR is always the guest MSR. + +Fix this and, while at it, do not update smsr->values[slot].curr if +for whatever reason the wrmsr fails. This should only happen due to +reserved bits, so the value written to smsr->values[slot].curr +will not match when the user-return notifier and the host value will +always be restored. However, it is untidy and in rare cases this +can actually avoid spurious WRMSRs on return to userspace. 
+ +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson <jmattson@google.com> +Tested-by: Jim Mattson <jmattson@google.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + arch/x86/kvm/x86.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -235,13 +235,14 @@ int kvm_set_shared_msr(unsigned slot, u6 + struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu); + int err; + +- if (((value ^ smsr->values[slot].curr) & mask) == 0) ++ value = (value & mask) | (smsr->values[slot].host & ~mask); ++ if (value == smsr->values[slot].curr) + return 0; +- smsr->values[slot].curr = value; + err = wrmsrl_safe(shared_msrs_global.msrs[slot], value); + if (err) + return 1; + ++ smsr->values[slot].curr = value; + if (!smsr->registered) { + smsr->urn.on_user_return = kvm_on_user_return; + user_return_notifier_register(&smsr->urn); diff --git a/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch b/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch new file mode 100644 index 0000000..b4e0c3b --- /dev/null +++ b/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch 
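Review bot: The merge `value = (value & mask) | (smsr->values[slot].host & ~mask);` carries no comment saying that the bits outside `mask` are deliberately pinned to the host value, which is the substance of the fix and is easy to undo in a later cleanup; suggest `/* Only guest-controllable bits (mask) may change; the rest keep the host value. */` above it. Deferring `smsr->values[slot].curr = value;` until after the `wrmsrl_safe()` check is consistent with the description, with the visible consequence that a persistently failing write leaves `curr` stale and the WRMSR is retried on every call, which appears intended. kvm_set_shared_msr() begins and ends outside the hunk.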
@@ -0,0 +1,43 @@
+From 433f4ba1904100da65a311033f17a9bf586b287e Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 4 Dec 2019 10:28:54 +0100
+Subject: KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 433f4ba1904100da65a311033f17a9bf586b287e upstream.
+
+The bounds check was present in KVM_GET_SUPPORTED_CPUID but not
+KVM_GET_EMULATED_CPUID.
+
+Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com
+Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29)
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/cpuid.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -332,7 +332,7 @@ static inline int __do_cpuid_ent(struct
+ 
+ r = -E2BIG;
+ 
+- if (*nent >= maxnent)
++ if (WARN_ON(*nent >= maxnent))
+ goto out;
+ 
+ do_cpuid_1_ent(entry, function, index);
+@@ -575,6 +575,9 @@ out:
+ static int do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 func,
+ u32 idx, int *nent, int maxnent, unsigned int type)
+ {
++ if (*nent >= maxnent)
++ return -E2BIG;
++
+ if (type == KVM_GET_EMULATED_CPUID)
+ return __do_cpuid_ent_emulated(entry, func, idx, nent, maxnent);
+ 
diff --git a/lib-raid6-fix-awk-build-warnings.patch b/lib-raid6-fix-awk-build-warnings.patch
new file mode 100644
index 0000000..009d71d
--- /dev/null
+++ b/lib-raid6-fix-awk-build-warnings.patch
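Review bot: The check added at the top of do_cpuid_ent() now guards both the emulated and the supported path before anything is written through `entry`, which closes the unchecked write, and the remaining `if (WARN_ON(*nent >= maxnent))` in __do_cpuid_ent() turns into an invariant rather than a user-reachable condition; any other direct caller of __do_cpuid_ent() that bypasses do_cpuid_ent() (callers are outside the hunk) would warn and still bail out with -E2BIG. A one-line comment on the new check, e.g. `/* Both paths write through entry; reject before dispatch so the WARN_ON below is never user-reachable. */`, would tie the two checks together. If __do_cpuid_ent_emulated() can advance `*nent` more than once per call it would need its own check; its body is not visible here.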
@@ -0,0 +1,38 @@ +From 702600eef73033ddd4eafcefcbb6560f3e3a90f7 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Fri, 6 Dec 2019 16:26:00 +0100 +Subject: lib: raid6: fix awk build warnings + +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +commit 702600eef73033ddd4eafcefcbb6560f3e3a90f7 upstream. + +Newer versions of awk spit out these fun warnings: + awk: ../lib/raid6/unroll.awk:16: warning: regexp escape sequence `\#' is not a known regexp operator + +As commit 700c1018b86d ("x86/insn: Fix awk regexp warnings") showed, it +turns out that there are a number of awk strings that do not need to be +escaped and newer versions of awk now warn about this. + +Fix the string up so that no warning is produced. The exact same kernel +module gets created before and after this patch, showing that it wasn't +needed. + +Link: https://lore.kernel.org/r/20191206152600.GA75093@kroah.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + lib/raid6/unroll.awk | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/raid6/unroll.awk ++++ b/lib/raid6/unroll.awk +@@ -13,7 +13,7 @@ BEGIN { + for (i = 0; i < rep; ++i) { + tmp = $0 + gsub(/\$\$/, i, tmp) +- gsub(/\$\#/, n, tmp) ++ gsub(/\$#/, n, tmp) + gsub(/\$\*/, "$", tmp) + print tmp + } diff --git a/media-radio-wl1273-fix-interrupt-masking-on-release.patch b/media-radio-wl1273-fix-interrupt-masking-on-release.patch new file mode 100644 index 0000000..75ef2f1 --- /dev/null +++ b/media-radio-wl1273-fix-interrupt-masking-on-release.patch 
@@ -0,0 +1,40 @@ +From 1091eb830627625dcf79958d99353c2391f41708 Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Thu, 10 Oct 2019 10:13:32 -0300 +Subject: media: radio: wl1273: fix interrupt masking on release + +From: Johan Hovold <johan@kernel.org> + +commit 1091eb830627625dcf79958d99353c2391f41708 upstream. + +If a process is interrupted while accessing the radio device and the +core lock is contended, release() could return early and fail to update +the interrupt mask. + +Note that the return value of the v4l2 release file operation is +ignored. + +Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver") +Cc: stable <stable@vger.kernel.org> # 2.6.38 +Cc: Matti Aaltonen <matti.j.aaltonen@nokia.com> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/media/radio/radio-wl1273.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/radio/radio-wl1273.c ++++ b/drivers/media/radio/radio-wl1273.c +@@ -1142,8 +1142,7 @@ static int wl1273_fm_fops_release(struct + if (radio->rds_users > 0) { + radio->rds_users--; + if (radio->rds_users == 0) { +- if (mutex_lock_interruptible(&core->lock)) +- return -EINTR; ++ mutex_lock(&core->lock); + + radio->irq_flags &= ~WL1273_RDS_EVENT; + diff --git a/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch b/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch new file mode 100644 index 0000000..5cdd8fd --- /dev/null +++ b/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch 
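Review bot: Replacing `mutex_lock_interruptible()` with `mutex_lock()` in wl1273_fm_fops_release() is correct because the return value of a v4l2 release op is discarded, but nothing in the code records that constraint, so a later cleanup could reintroduce the interruptible form. Suggest `/* release() cannot fail: v4l2 ignores its return, and the irq mask must be updated even if we were signalled */` on the `mutex_lock(&core->lock);` line. The function body, including the `radio->irq_flags &= ~WL1273_RDS_EVENT;` write and the matching unlock, continues outside the hunk, so whether the same interruptible pattern occurs elsewhere in this release path is not visible.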
@@ -0,0 +1,73 @@ +From aa71ecd8d86500da6081a72da6b0b524007e0627 Mon Sep 17 00:00:00 2001 +From: Chen Jun <chenjun102@huawei.com> +Date: Sat, 30 Nov 2019 17:58:11 -0800 +Subject: mm/shmem.c: cast the type of unmap_start to u64 + +From: Chen Jun <chenjun102@huawei.com> + +commit aa71ecd8d86500da6081a72da6b0b524007e0627 upstream. + +In 64bit system. sb->s_maxbytes of shmem filesystem is MAX_LFS_FILESIZE, +which equal LLONG_MAX. + +If offset > LLONG_MAX - PAGE_SIZE, offset + len < LLONG_MAX in +shmem_fallocate, which will pass the checking in vfs_fallocate. + + /* Check for wrap through zero too */ + if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0)) + return -EFBIG; + +loff_t unmap_start = round_up(offset, PAGE_SIZE) in shmem_fallocate +causes a overflow. + +Syzkaller reports a overflow problem in mm/shmem: + + UBSAN: Undefined behaviour in mm/shmem.c:2014:10 + signed integer overflow: '9223372036854775807 + 1' cannot be represented in type 'long long int' + CPU: 0 PID:17076 Comm: syz-executor0 Not tainted 4.1.46+ #1 + Hardware name: linux, dummy-virt (DT) + Call trace: + dump_backtrace+0x0/0x2c8 arch/arm64/kernel/traps.c:100 + show_stack+0x20/0x30 arch/arm64/kernel/traps.c:238 + __dump_stack lib/dump_stack.c:15 [inline] + ubsan_epilogue+0x18/0x70 lib/ubsan.c:164 + handle_overflow+0x158/0x1b0 lib/ubsan.c:195 + shmem_fallocate+0x6d0/0x820 mm/shmem.c:2104 + vfs_fallocate+0x238/0x428 fs/open.c:312 + SYSC_fallocate fs/open.c:335 [inline] + SyS_fallocate+0x54/0xc8 fs/open.c:239 + +The highest bit of unmap_start will be appended with sign bit 1 +(overflow) when calculate shmem_falloc.start: + + shmem_falloc.start = unmap_start >> PAGE_SHIFT. + +Fix it by casting the type of unmap_start to u64, when right shifted. + +This bug is found in LTS Linux 4.1. It also seems to exist in mainline. 
+ +Link: http://lkml.kernel.org/r/1573867464-5107-1-git-send-email-chenjun102@huawei.com +Signed-off-by: Chen Jun <chenjun102@huawei.com> +Reviewed-by: Andrew Morton <akpm@linux-foundation.org> +Cc: Hugh Dickins <hughd@google.com> +Cc: Qian Cai <cai@lca.pw> +Cc: Kefeng Wang <wangkefeng.wang@huawei.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + mm/shmem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2077,7 +2077,7 @@ static long shmem_fallocate(struct file + } + + shmem_falloc.waitq = &shmem_falloc_waitq; +- shmem_falloc.start = unmap_start >> PAGE_SHIFT; ++ shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT; + shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; + spin_lock(&inode->i_lock); + inode->i_private = &shmem_falloc; diff --git a/mtd-spear_smi-fix-write-burst-mode.patch b/mtd-spear_smi-fix-write-burst-mode.patch new file mode 100644 index 0000000..12e89ae --- /dev/null +++ b/mtd-spear_smi-fix-write-burst-mode.patch 
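Review bot: The cast in `shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT;` only changes how an already-wrapped value is shifted; the signed overflow UBSAN reports in the `round_up(offset, PAGE_SIZE)` that produces `unmap_start` (quoted in the description) still happens, it just no longer sign-extends into `start`. Rejecting the input earlier, by checking `offset` against `inode->i_sb->s_maxbytes` before the round_up, would remove the overflow instead of masking its result; that code is outside the hunk. The adjacent `shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;` performs the same signed shift on `unmap_end + 1` without a cast; whether `unmap_end` can reach LLONG_MAX here is not visible.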
@@ -0,0 +1,107 @@ +From 69c7f4618c16b4678f8a4949b6bb5ace259c0033 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal <miquel.raynal@bootlin.com> +Date: Tue, 22 Oct 2019 16:58:59 +0200 +Subject: mtd: spear_smi: Fix Write Burst mode + +From: Miquel Raynal <miquel.raynal@bootlin.com> + +commit 69c7f4618c16b4678f8a4949b6bb5ace259c0033 upstream. + +Any write with either dd or flashcp to a device driven by the +spear_smi.c driver will pass through the spear_smi_cpy_toio() +function. This function will get called for chunks of up to 256 bytes. +If the amount of data is smaller, we may have a problem if the data +length is not 4-byte aligned. In this situation, the kernel panics +during the memcpy: + + # dd if=/dev/urandom bs=1001 count=1 of=/dev/mtd6 + spear_smi_cpy_toio [620] dest c9070000, src c7be8800, len 256 + spear_smi_cpy_toio [620] dest c9070100, src c7be8900, len 256 + spear_smi_cpy_toio [620] dest c9070200, src c7be8a00, len 256 + spear_smi_cpy_toio [620] dest c9070300, src c7be8b00, len 233 + Unhandled fault: external abort on non-linefetch (0x808) at 0xc90703e8 + [...] + PC is at memcpy+0xcc/0x330 + +The above error occurs because the implementation of memcpy_toio() +tries to optimize the number of I/O by writing 4 bytes at a time as +much as possible, until there are less than 4 bytes left and then +switches to word or byte writes. + +Unfortunately, the specification states about the Write Burst mode: + + "the next AHB Write request should point to the next + incremented address and should have the same size (byte, + half-word or word)" + +This means ARM architecture implementation of memcpy_toio() cannot +reliably be used blindly here. Workaround this situation by update the +write path to stick to byte access when the burst length is not +multiple of 4. 
+ +Fixes: f18dbbb1bfe0 ("mtd: ST SPEAr: Add SMI driver for serial NOR flash") +Cc: Russell King <linux@armlinux.org.uk> +Cc: Boris Brezillon <boris.brezillon@collabora.com> +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> +Reviewed-by: Russell King <rmk+kernel@armlinux.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/mtd/devices/spear_smi.c | 38 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 37 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/devices/spear_smi.c ++++ b/drivers/mtd/devices/spear_smi.c +@@ -595,6 +595,26 @@ static int spear_mtd_read(struct mtd_inf + return 0; + } + ++/* ++ * The purpose of this function is to ensure a memcpy_toio() with byte writes ++ * only. Its structure is inspired from the ARM implementation of _memcpy_toio() ++ * which also does single byte writes but cannot be used here as this is just an ++ * implementation detail and not part of the API. Not mentioning the comment ++ * stating that _memcpy_toio() should be optimized. 
++ */ ++static void spear_smi_memcpy_toio_b(volatile void __iomem *dest, ++ const void *src, size_t len) ++{ ++ const unsigned char *from = src; ++ ++ while (len) { ++ len--; ++ writeb(*from, dest); ++ from++; ++ dest++; ++ } ++} ++ + static inline int spear_smi_cpy_toio(struct spear_smi *dev, u32 bank, + void __iomem *dest, const void *src, size_t len) + { +@@ -617,7 +637,23 @@ static inline int spear_smi_cpy_toio(str + ctrlreg1 = readl(dev->io_base + SMI_CR1); + writel((ctrlreg1 | WB_MODE) & ~SW_MODE, dev->io_base + SMI_CR1); + +- memcpy_toio(dest, src, len); ++ /* ++ * In Write Burst mode (WB_MODE), the specs states that writes must be: ++ * - incremental ++ * - of the same size ++ * The ARM implementation of memcpy_toio() will optimize the number of ++ * I/O by using as much 4-byte writes as possible, surrounded by ++ * 2-byte/1-byte access if: ++ * - the destination is not 4-byte aligned ++ * - the length is not a multiple of 4-byte. ++ * Avoid this alternance of write access size by using our own 'byte ++ * access' helper if at least one of the two conditions above is true. ++ */ ++ if (IS_ALIGNED(len, sizeof(u32)) && ++ IS_ALIGNED((uintptr_t)dest, sizeof(u32))) ++ memcpy_toio(dest, src, len); ++ else ++ spear_smi_memcpy_toio_b(dest, src, len); + + writel(ctrlreg1, dev->io_base + SMI_CR1); + diff --git a/net-bridge-deny-dev_set_mac_address-when-unregistering.patch b/net-bridge-deny-dev_set_mac_address-when-unregistering.patch new file mode 100644 index 0000000..eab9f69 --- /dev/null +++ b/net-bridge-deny-dev_set_mac_address-when-unregistering.patch 
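Review bot: The body of the new spear_smi_memcpy_toio_b() spreads the byte loop over four statements; the kernel idiom `while (len--) writeb(*from++, dest++);` is equivalent and easier to check against the "same size, incremented address" rule the comment quotes. `dest++` on a `volatile void __iomem *` relies on GCC's void-pointer arithmetic, which the kernel permits, but a `u8 __iomem *` local would make the byte stride explicit. The condition `IS_ALIGNED(len, sizeof(u32)) && IS_ALIGNED((uintptr_t)dest, sizeof(u32))` does not consider `src`; whether the word path of the ARM memcpy_toio() tolerates an unaligned source is not visible here, and if it does not, adding `src` to the check is cheap. spear_smi_cpy_toio() begins and ends outside the hunk.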
@@ -0,0 +1,76 @@ +From foo@baz Wed 18 Dec 2019 01:37:17 PM CET +From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> +Date: Tue, 3 Dec 2019 16:48:06 +0200 +Subject: net: bridge: deny dev_set_mac_address() when unregistering + +From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> + +[ Upstream commit c4b4c421857dc7b1cf0dccbd738472360ff2cd70 ] + +We have an interesting memory leak in the bridge when it is being +unregistered and is a slave to a master device which would change the +mac of its slaves on unregister (e.g. bond, team). This is a very +unusual setup but we do end up leaking 1 fdb entry because +dev_set_mac_address() would cause the bridge to insert the new mac address +into its table after all fdbs are flushed, i.e. after dellink() on the +bridge has finished and we call NETDEV_UNREGISTER the bond/team would +release it and will call dev_set_mac_address() to restore its original +address and that in turn will add an fdb in the bridge. +One fix is to check for the bridge dev's reg_state in its +ndo_set_mac_address callback and return an error if the bridge is not in +NETREG_REGISTERED. + +Easy steps to reproduce: + 1. add bond in mode != A/B + 2. add any slave to the bond + 3. add bridge dev as a slave to the bond + 4. destroy the bridge device + +Trace: + unreferenced object 0xffff888035c4d080 (size 128): + comm "ip", pid 4068, jiffies 4296209429 (age 1413.753s) + hex dump (first 32 bytes): + 41 1d c9 36 80 88 ff ff 00 00 00 00 00 00 00 00 A..6............ + d2 19 c9 5e 3f d7 00 00 00 00 00 00 00 00 00 00 ...^?........... 
+ backtrace: + [<00000000ddb525dc>] kmem_cache_alloc+0x155/0x26f + [<00000000633ff1e0>] fdb_create+0x21/0x486 [bridge] + [<0000000092b17e9c>] fdb_insert+0x91/0xdc [bridge] + [<00000000f2a0f0ff>] br_fdb_change_mac_address+0xb3/0x175 [bridge] + [<000000001de02dbd>] br_stp_change_bridge_id+0xf/0xff [bridge] + [<00000000ac0e32b1>] br_set_mac_address+0x76/0x99 [bridge] + [<000000006846a77f>] dev_set_mac_address+0x63/0x9b + [<00000000d30738fc>] __bond_release_one+0x3f6/0x455 [bonding] + [<00000000fc7ec01d>] bond_netdev_event+0x2f2/0x400 [bonding] + [<00000000305d7795>] notifier_call_chain+0x38/0x56 + [<0000000028885d4a>] call_netdevice_notifiers+0x1e/0x23 + [<000000008279477b>] rollback_registered_many+0x353/0x6a4 + [<0000000018ef753a>] unregister_netdevice_many+0x17/0x6f + [<00000000ba854b7a>] rtnl_delete_link+0x3c/0x43 + [<00000000adf8618d>] rtnl_dellink+0x1dc/0x20a + [<000000009b6395fd>] rtnetlink_rcv_msg+0x23d/0x268 + +Fixes: 43598813386f ("bridge: add local MAC address to forwarding table (v2)") +Reported-by: syzbot+2add91c08eb181fea1bf@syzkaller.appspotmail.com +Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/bridge/br_device.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/bridge/br_device.c ++++ b/net/bridge/br_device.c +@@ -198,6 +198,12 @@ static int br_set_mac_address(struct net + if (!is_valid_ether_addr(addr->sa_data)) + return -EADDRNOTAVAIL; + ++ /* dev_set_mac_addr() can be called by a master device on bridge's ++ * NETDEV_UNREGISTER, but since it's being destroyed do nothing ++ */ ++ if (dev->reg_state != NETREG_REGISTERED) ++ return -EBUSY; ++ + spin_lock_bh(&br->lock); + if (!ether_addr_equal(dev->dev_addr, addr->sa_data)) { + /* Mac address will be changed in br_stp_change_bridge_id(). */ 
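Review bot: The comment above the new check names `dev_set_mac_addr()`, but the function the description and backtrace refer to is `dev_set_mac_address()`; suggest `/* dev_set_mac_address() can be called by a master device on the bridge's NETDEV_UNREGISTER; the bridge is being destroyed, so do nothing */`. The `dev->reg_state` read happens before `spin_lock_bh(&br->lock)`, which is only safe if callers hold RTNL as dev_set_mac_address() callers do upstream; the hunk does not show that. Returning -EBUSY is reasonable, though the bond/team caller restoring its original address will now see an error for a device that is going away. br_set_mac_address() continues outside the hunk.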
diff --git a/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch b/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch new file mode 100644 index 0000000..1f54095 --- /dev/null +++ b/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch 
@@ -0,0 +1,58 @@ +From a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski <krzk@kernel.org> +Date: Mon, 5 Aug 2019 18:27:10 +0200 +Subject: pinctrl: samsung: Fix device node refcount leaks in init code + +From: Krzysztof Kozlowski <krzk@kernel.org> + +commit a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 upstream. + +Several functions use for_each_child_of_node() loop with a break to find +a matching child node. Although each iteration of +for_each_child_of_node puts the previous node, but early exit from loop +misses it. This leads to leak of device node. + +Cc: <stable@vger.kernel.org> +Fixes: 9a2c1c3b91aa ("pinctrl: samsung: Allow grouping multiple pinmux/pinconf nodes") +Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/pinctrl/samsung/pinctrl-samsung.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/samsung/pinctrl-samsung.c ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c +@@ -291,6 +291,7 @@ static int samsung_dt_node_to_map(struct + &reserved_maps, num_maps); + if (ret < 0) { + samsung_dt_free_map(pctldev, *map, *num_maps); ++ of_node_put(np); + return ret; + } + } +@@ -758,8 +759,10 @@ static struct samsung_pmx_func *samsung_ + if (!of_get_child_count(cfg_np)) { + ret = samsung_pinctrl_create_function(dev, drvdata, + cfg_np, func); +- if (ret < 0) ++ if (ret < 0) { ++ of_node_put(cfg_np); + return ERR_PTR(ret); ++ } + if (ret > 0) { + ++func; + ++func_cnt; +@@ -770,8 +773,11 @@ static struct samsung_pmx_func *samsung_ + for_each_child_of_node(cfg_np, func_np) { + ret = samsung_pinctrl_create_function(dev, drvdata, + func_np, func); +- if (ret < 0) ++ if (ret < 0) { ++ of_node_put(func_np); ++ of_node_put(cfg_np); + return ERR_PTR(ret); ++ } + if (ret > 0) { + ++func; + ++func_cnt; 
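Review bot: Each of the three early returns now has to remember to drop the node reference itself, and the third site drops two (`of_node_put(func_np); of_node_put(cfg_np);`); a single cleanup label at the end of the function that performs the of_node_put() calls would be the usual kernel shape and harder to miss when the next exit path is added. The first hunk's `of_node_put(np);` in samsung_dt_node_to_map() sits inside a loop whose header is outside the hunk, so whether other early exits from that loop exist is not visible. All three enclosing functions begin and end outside their hunks.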
diff --git a/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges-4gb.patch b/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges-4gb.patch new file mode 100644 index 0000000..c19e240 --- /dev/null +++ b/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges-4gb.patch 
@@ -0,0 +1,46 @@ +From f9ec11165301982585e5e5f606739b5bae5331f3 Mon Sep 17 00:00:00 2001 +From: Alastair D'Silva <alastair@d-silva.org> +Date: Mon, 4 Nov 2019 13:32:54 +1100 +Subject: powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB + +From: Alastair D'Silva <alastair@d-silva.org> + +commit f9ec11165301982585e5e5f606739b5bae5331f3 upstream. + +When calling __kernel_sync_dicache with a size >4GB, we were masking +off the upper 32 bits, so we would incorrectly flush a range smaller +than intended. + +This patch replaces the 32 bit shifts with 64 bit ones, so that +the full size is accounted for. + +Signed-off-by: Alastair D'Silva <alastair@d-silva.org> +Cc: stable@vger.kernel.org +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/20191104023305.9581-3-alastair@au1.ibm.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + arch/powerpc/kernel/vdso64/cacheflush.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/vdso64/cacheflush.S ++++ b/arch/powerpc/kernel/vdso64/cacheflush.S +@@ -39,7 +39,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache) + subf r8,r6,r4 /* compute length */ + add r8,r8,r5 /* ensure we get enough */ + lwz r9,CFG_DCACHE_LOGBLOCKSZ(r10) +- srw. r8,r8,r9 /* compute line count */ ++ srd. r8,r8,r9 /* compute line count */ + crclr cr0*4+so + beqlr /* nothing to do? */ + mtctr r8 +@@ -56,7 +56,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache) + subf r8,r6,r4 /* compute length */ + add r8,r8,r5 + lwz r9,CFG_ICACHE_LOGBLOCKSZ(r10) +- srw. r8,r8,r9 /* compute line count */ ++ srd. r8,r8,r9 /* compute line count */ + crclr cr0*4+so + beqlr /* nothing to do? */ + mtctr r8 diff --git a/quota-check-that-quota-is-not-dirty-before-release.patch b/quota-check-that-quota-is-not-dirty-before-release.patch new file mode 100644 index 0000000..b313874 --- /dev/null +++ b/quota-check-that-quota-is-not-dirty-before-release.patch 
@@ -0,0 +1,85 @@ +From df4bb5d128e2c44848aeb36b7ceceba3ac85080d Mon Sep 17 00:00:00 2001 +From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> +Date: Thu, 31 Oct 2019 10:39:20 +0000 +Subject: quota: Check that quota is not dirty before release + +From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> + +commit df4bb5d128e2c44848aeb36b7ceceba3ac85080d upstream. + +There is a race window where quota was redirted once we drop dq_list_lock inside dqput(), +but before we grab dquot->dq_lock inside dquot_release() + +TASK1 TASK2 (chowner) +->dqput() + we_slept: + spin_lock(&dq_list_lock) + if (dquot_dirty(dquot)) { + spin_unlock(&dq_list_lock); + dquot->dq_sb->dq_op->write_dquot(dquot); + goto we_slept + if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { + spin_unlock(&dq_list_lock); + dquot->dq_sb->dq_op->release_dquot(dquot); + dqget() + mark_dquot_dirty() + dqput() + goto we_slept; + } +So dquot dirty quota will be released by TASK1, but on next we_sleept loop +we detect this and call ->write_dquot() for it. +XFSTEST: https://github.com/dmonakhov/xfstests/commit/440a80d4cbb39e9234df4d7240aee1d551c36107 + +Link: https://lore.kernel.org/r/20191031103920.3919-2-dmonakhov@openvz.org +CC: stable@vger.kernel.org +Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + fs/ocfs2/quota_global.c | 2 +- + fs/quota/dquot.c | 2 +- + include/linux/quotaops.h | 10 ++++++++++ + 3 files changed, 12 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/quota_global.c ++++ b/fs/ocfs2/quota_global.c +@@ -714,7 +714,7 @@ static int ocfs2_release_dquot(struct dq + + mutex_lock(&dquot->dq_lock); + /* Check whether we are not racing with some other dqget() */ +- if (atomic_read(&dquot->dq_count) > 1) ++ if (dquot_is_busy(dquot)) + goto out; + /* Running from downconvert thread? 
Postpone quota processing to wq */ + if (current == osb->dc_task) { +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -472,7 +472,7 @@ int dquot_release(struct dquot *dquot) + + mutex_lock(&dquot->dq_lock); + /* Check whether we are not racing with some other dqget() */ +- if (atomic_read(&dquot->dq_count) > 1) ++ if (dquot_is_busy(dquot)) + goto out_dqlock; + mutex_lock(&dqopt->dqio_mutex); + if (dqopt->ops[dquot->dq_id.type]->release_dqblk) { +--- a/include/linux/quotaops.h ++++ b/include/linux/quotaops.h +@@ -54,6 +54,16 @@ static inline struct dquot *dqgrab(struc + atomic_inc(&dquot->dq_count); + return dquot; + } ++ ++static inline bool dquot_is_busy(struct dquot *dquot) ++{ ++ if (test_bit(DQ_MOD_B, &dquot->dq_flags)) ++ return true; ++ if (atomic_read(&dquot->dq_count) > 1) ++ return true; ++ return false; ++} ++ + void dqput(struct dquot *dquot); + int dquot_scan_active(struct super_block *sb, + int (*fn)(struct dquot *dquot, unsigned long priv), diff --git a/quota-fix-livelock-in-dquot_writeback_dquots.patch b/quota-fix-livelock-in-dquot_writeback_dquots.patch new file mode 100644 index 0000000..f9a933e --- /dev/null +++ b/quota-fix-livelock-in-dquot_writeback_dquots.patch 
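Review bot: Both call sites keep the comment `/* Check whether we are not racing with some other dqget() */`, but `dquot_is_busy()` now also returns true when `DQ_MOD_B` is set, so the comment no longer describes the check; suggest `/* Racing with dqget(), or redirtied since dq_list_lock was dropped? */` at both the ocfs2 and dquot.c sites. The helper could be a single expression, `return test_bit(DQ_MOD_B, &dquot->dq_flags) || atomic_read(&dquot->dq_count) > 1;`. A kernel-doc line on dquot_is_busy() naming the lock the caller must hold (both visible callers take `dquot->dq_lock` first) would document the contract the race fix relies on.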
@@ -0,0 +1,49 @@ +From 6ff33d99fc5c96797103b48b7b0902c296f09c05 Mon Sep 17 00:00:00 2001 +From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> +Date: Thu, 31 Oct 2019 10:39:19 +0000 +Subject: quota: fix livelock in dquot_writeback_dquots + +From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> + +commit 6ff33d99fc5c96797103b48b7b0902c296f09c05 upstream. + +Write only quotas which are dirty at entry. + +XFSTEST: https://github.com/dmonakhov/xfstests/commit/b10ad23566a5bf75832a6f500e1236084083cddc + +Link: https://lore.kernel.org/r/20191031103920.3919-1-dmonakhov@openvz.org +CC: stable@vger.kernel.org +Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> +Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + fs/quota/dquot.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -604,7 +604,7 @@ EXPORT_SYMBOL(dquot_scan_active); + /* Write all dquot structures to quota files */ + int dquot_writeback_dquots(struct super_block *sb, int type) + { +- struct list_head *dirty; ++ struct list_head dirty; + struct dquot *dquot; + struct quota_info *dqopt = sb_dqopt(sb); + int cnt; +@@ -617,9 +617,10 @@ int dquot_writeback_dquots(struct super_ + if (!sb_has_quota_active(sb, cnt)) + continue; + spin_lock(&dq_list_lock); +- dirty = &dqopt->info[cnt].dqi_dirty_list; +- while (!list_empty(dirty)) { +- dquot = list_first_entry(dirty, struct dquot, ++ /* Move list away to avoid livelock. */ ++ list_replace_init(&dqopt->info[cnt].dqi_dirty_list, &dirty); ++ while (!list_empty(&dirty)) { ++ dquot = list_first_entry(&dirty, struct dquot, + dq_dirty); + /* Dirty and inactive can be only bad dquot... */ + if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { 
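Review bot: Moving the entries onto the stack list `dirty` via `list_replace_init()` means any exit from the `while (!list_empty(&dirty))` loop other than draining it leaves dquots detached from `dqi_dirty_list` and never written; the loop body continues outside the hunk, so whether every path re-enters the loop is not visible. A comment on the local, e.g. `/* snapshot of the dirty list; must be drained before leaving the cnt loop */`, would state that requirement. The existing `/* Move list away to avoid livelock. */` could also say what the livelock is: dquots redirtied during write_dquot() reappearing on the list being walked, per the description's "write only quotas which are dirty at entry".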
diff --git a/rdma-qib-validate-show-store-callbacks-before-calling-them.patch b/rdma-qib-validate-show-store-callbacks-before-calling-them.patch
new file mode 100644
index 0000000..24a1abb
--- /dev/null
+++ b/rdma-qib-validate-show-store-callbacks-before-calling-them.patch
@@ -0,0 +1,48 @@
+From 7ee23491b39259ae83899dd93b2a29ef0f22f0a7 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Thu, 7 Nov 2019 08:50:25 +0530
+Subject: RDMA/qib: Validate ->show()/store() callbacks before calling them
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 7ee23491b39259ae83899dd93b2a29ef0f22f0a7 upstream.
+
+The permissions of the read-only or write-only sysfs files can be
+changed (as root) and the user can then try to read a write-only file or
+write to a read-only file which will lead to kernel crash here.
+
+Protect against that by always validating the show/store callbacks.
+
+Link: https://lore.kernel.org/r/d45cc26361a174ae12dbb86c994ef334d257924b.1573096807.git.viresh.kumar@linaro.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/qib/qib_sysfs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/infiniband/hw/qib/qib_sysfs.c
++++ b/drivers/infiniband/hw/qib/qib_sysfs.c
+@@ -301,6 +301,9 @@ static ssize_t qib_portattr_show(struct
+ struct qib_pportdata *ppd =
+ container_of(kobj, struct qib_pportdata, pport_kobj);
+ 
++ if (!pattr->show)
++ return -EIO;
++
+ return pattr->show(ppd, buf);
+ }
+ 
+@@ -312,6 +315,9 @@ static ssize_t qib_portattr_store(struct
+ struct qib_pportdata *ppd =
+ container_of(kobj, struct qib_pportdata, pport_kobj);
+ 
++ if (!pattr->store)
++ return -EIO;
++
+ return pattr->store(ppd, buf, len);
+ }
+ 
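Review bot: The guard `if (!pattr->show) return -EIO;` makes the callback-present invariant independent of the file mode bits, which is the right fix since the mode is changeable by root and is not a trust boundary for the function pointer; -EIO is also the value the generic device attribute wrappers use for a missing callback. The same file holds other kobj_type/sysfs_ops pairs for the device (not visible here); if they dereference optional callbacks the same way, they need the same guard. A short comment on each check, e.g. `/* mode bits can be changed by root; never trust them to imply a callback exists */`, would explain why the NULL test is there. Both functions' openings are cut by the hunk headers.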
diff --git a/rtlwifi-rtl8192de-fix-missing-callback-that-tests-for-hw-release-of-buffer.patch b/rtlwifi-rtl8192de-fix-missing-callback-that-tests-for-hw-release-of-buffer.patch new file mode 100644 index 0000000..fab3fac --- /dev/null +++ b/rtlwifi-rtl8192de-fix-missing-callback-that-tests-for-hw-release-of-buffer.patch 
@@ -0,0 +1,72 @@ +From 3155db7613edea8fb943624062baf1e4f9cfbfd6 Mon Sep 17 00:00:00 2001 +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Mon, 11 Nov 2019 13:40:45 -0600 +Subject: rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer + +From: Larry Finger <Larry.Finger@lwfinger.net> + +commit 3155db7613edea8fb943624062baf1e4f9cfbfd6 upstream. + +In commit 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for +new drivers"), a callback needed to check if the hardware has released +a buffer indicating that a DMA operation is completed was not added. + +Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers") +Cc: Stable <stable@vger.kernel.org> # v3.18+ +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/wireless/rtlwifi/rtl8192de/sw.c | 1 + + drivers/net/wireless/rtlwifi/rtl8192de/trx.c | 17 +++++++++++++++++ + drivers/net/wireless/rtlwifi/rtl8192de/trx.h | 2 ++ + 3 files changed, 20 insertions(+) + +--- a/drivers/net/wireless/rtlwifi/rtl8192de/sw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192de/sw.c +@@ -242,6 +242,7 @@ static struct rtl_hal_ops rtl8192de_hal_ + .led_control = rtl92de_led_control, + .set_desc = rtl92de_set_desc, + .get_desc = rtl92de_get_desc, ++ .is_tx_desc_closed = rtl92de_is_tx_desc_closed, + .tx_polling = rtl92de_tx_polling, + .enable_hw_sec = rtl92de_enable_hw_security_config, + .set_key = rtl92de_set_key, +--- a/drivers/net/wireless/rtlwifi/rtl8192de/trx.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192de/trx.c +@@ -863,6 +863,23 @@ u32 rtl92de_get_desc(u8 *p_desc, bool is + return ret; + } + ++bool rtl92de_is_tx_desc_closed(struct ieee80211_hw *hw, ++ u8 hw_queue, u16 index) ++{ ++ struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw)); ++ struct rtl8192_tx_ring *ring = &rtlpci->tx_ring[hw_queue]; ++ u8 *entry = (u8 *)(&ring->desc[ring->idx]); ++ u8 own = 
(u8)rtl92de_get_desc(entry, true, HW_DESC_OWN); ++ ++ /* a beacon packet will only use the first ++ * descriptor by defaut, and the own bit may not ++ * be cleared by the hardware ++ */ ++ if (own) ++ return false; ++ return true; ++} ++ + void rtl92de_tx_polling(struct ieee80211_hw *hw, u8 hw_queue) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); +--- a/drivers/net/wireless/rtlwifi/rtl8192de/trx.h ++++ b/drivers/net/wireless/rtlwifi/rtl8192de/trx.h +@@ -740,6 +740,8 @@ bool rtl92de_rx_query_desc(struct ieee80 + void rtl92de_set_desc(struct ieee80211_hw *hw, u8 *pdesc, bool istx, + u8 desc_name, u8 *val); + u32 rtl92de_get_desc(u8 *pdesc, bool istx, u8 desc_name); ++bool rtl92de_is_tx_desc_closed(struct ieee80211_hw *hw, ++ u8 hw_queue, u16 index); + void rtl92de_tx_polling(struct ieee80211_hw *hw, u8 hw_queue); + void rtl92de_tx_fill_cmddesc(struct ieee80211_hw *hw, u8 *pdesc, + bool b_firstseg, bool b_lastseg, diff --git a/rtlwifi-rtl8192de-fix-missing-code-to-retrieve-rx-buffer-address.patch b/rtlwifi-rtl8192de-fix-missing-code-to-retrieve-rx-buffer-address.patch new file mode 100644 index 0000000..ef08301 --- /dev/null +++ b/rtlwifi-rtl8192de-fix-missing-code-to-retrieve-rx-buffer-address.patch 
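Review bot: The `index` parameter of the new rtl92de_is_tx_desc_closed() is never used; the function inspects `ring->desc[ring->idx]`, so either the caller's index should be honoured or the discrepancy documented, e.g. `/* index is ignored: only the head descriptor (ring->idx) is examined */`. The `(u8)` cast of rtl92de_get_desc()'s `u32` result is only safe if the HW_DESC_OWN getter yields 0/1 rather than a masked word with the bit still in place — if it returned bit 31 unshifted, the cast would read 0 and the descriptor would be reported closed while hardware still owns it; worth confirming against the GET_TX_DESC_OWN definition. The trailing `if (own) return false; return true;` reduces to `return !own;`, and the block comment has a typo, "defaut" for "default".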
@@ -0,0 +1,46 @@ +From 0e531cc575c4e9e3dd52ad287b49d3c2dc74c810 Mon Sep 17 00:00:00 2001 +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Mon, 11 Nov 2019 13:40:44 -0600 +Subject: rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address + +From: Larry Finger <Larry.Finger@lwfinger.net> + +commit 0e531cc575c4e9e3dd52ad287b49d3c2dc74c810 upstream. + +In commit 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for +new drivers"), a callback to get the RX buffer address was added to +the PCI driver. Unfortunately, driver rtl8192de was not modified +appropriately and the code runs into a WARN_ONCE() call. The use +of an incorrect array is also fixed. + +Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers") +Cc: Stable <stable@vger.kernel.org> # 3.18+ +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/wireless/rtlwifi/rtl8192de/trx.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/rtlwifi/rtl8192de/trx.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192de/trx.c +@@ -844,13 +844,15 @@ u32 rtl92de_get_desc(u8 *p_desc, bool is + break; + } + } else { +- struct rx_desc_92c *pdesc = (struct rx_desc_92c *)p_desc; + switch (desc_name) { + case HW_DESC_OWN: +- ret = GET_RX_DESC_OWN(pdesc); ++ ret = GET_RX_DESC_OWN(p_desc); + break; + case HW_DESC_RXPKT_LEN: +- ret = GET_RX_DESC_PKT_LEN(pdesc); ++ ret = GET_RX_DESC_PKT_LEN(p_desc); ++ break; ++ case HW_DESC_RXBUFF_ADDR: ++ ret = GET_RX_DESC_BUFF_ADDR(p_desc); + break; + default: + RT_ASSERT(false, "ERR rxdesc :%d not process\n", diff --git a/rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch b/rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch new file mode 100644 index 0000000..1613b53 --- /dev/null +++ b/rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch 
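Review bot: The new `HW_DESC_RXBUFF_ADDR` case returns the buffer address through rtl92de_get_desc()'s `u32` return type, so it only holds if RX buffers are mapped with a 32-bit DMA mask; that cannot be confirmed from this hunk, and if it is the case a comment on the case label such as `/* RX buffers use 32-bit DMA addresses, so u32 is sufficient */` would record the assumption. Dropping the `struct rx_desc_92c *` cast and passing `p_desc` straight to the GET_RX_DESC_* macros is what the changelog calls the "incorrect array" fix; the macros presumably take a raw byte pointer, which the `u8 *p_desc` parameter already is. rtl92de_get_desc() begins and ends outside the hunk.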
@@ -0,0 +1,67 @@ +From 330bb7117101099c687e9c7f13d48068670b9c62 Mon Sep 17 00:00:00 2001 +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Mon, 11 Nov 2019 13:40:46 -0600 +Subject: rtlwifi: rtl8192de: Fix missing enable interrupt flag + +From: Larry Finger <Larry.Finger@lwfinger.net> + +commit 330bb7117101099c687e9c7f13d48068670b9c62 upstream. + +In commit 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for +new drivers"), the flag that indicates that interrupts are enabled was +never set. + +In addition, there are several places when enable/disable interrupts +were commented out are restored. A sychronize_interrupts() call is +removed. + +Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers") +Cc: Stable <stable@vger.kernel.org> # v3.18+ +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/wireless/rtlwifi/rtl8192de/hw.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/rtlwifi/rtl8192de/hw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192de/hw.c +@@ -1206,6 +1206,7 @@ void rtl92de_enable_interrupt(struct iee + + rtl_write_dword(rtlpriv, REG_HIMR, rtlpci->irq_mask[0] & 0xFFFFFFFF); + rtl_write_dword(rtlpriv, REG_HIMRE, rtlpci->irq_mask[1] & 0xFFFFFFFF); ++ rtlpci->irq_enabled = true; + } + + void rtl92de_disable_interrupt(struct ieee80211_hw *hw) +@@ -1215,7 +1216,7 @@ void rtl92de_disable_interrupt(struct ie + + rtl_write_dword(rtlpriv, REG_HIMR, IMR8190_DISABLED); + rtl_write_dword(rtlpriv, REG_HIMRE, IMR8190_DISABLED); +- synchronize_irq(rtlpci->pdev->irq); ++ rtlpci->irq_enabled = false; + } + + static void _rtl92de_poweroff_adapter(struct ieee80211_hw *hw) +@@ -1386,7 +1387,7 @@ void rtl92de_set_beacon_related_register + + bcn_interval = mac->beacon_interval; + atim_window = 2; +- /*rtl92de_disable_interrupt(hw); */ ++ rtl92de_disable_interrupt(hw); + 
rtl_write_word(rtlpriv, REG_ATIMWND, atim_window); + rtl_write_word(rtlpriv, REG_BCN_INTERVAL, bcn_interval); + rtl_write_word(rtlpriv, REG_BCNTCFG, 0x660f); +@@ -1406,9 +1407,9 @@ void rtl92de_set_beacon_interval(struct + + RT_TRACE(rtlpriv, COMP_BEACON, DBG_DMESG, + "beacon_interval:%d\n", bcn_interval); +- /* rtl92de_disable_interrupt(hw); */ ++ rtl92de_disable_interrupt(hw); + rtl_write_word(rtlpriv, REG_BCN_INTERVAL, bcn_interval); +- /* rtl92de_enable_interrupt(hw); */ ++ rtl92de_enable_interrupt(hw); + } + + void rtl92de_update_interrupt_mask(struct ieee80211_hw *hw, 
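Review bot: The `rtl92de_disable_interrupt(hw)` restored at the @@ -1386 hunk in rtl92de_set_beacon_related_registers() has no matching `rtl92de_enable_interrupt(hw)` visible in the hunk; the function continues past it, so confirm the re-enable exists there, otherwise `irq_enabled` stays false and interrupts remain masked after a beacon-register update. Dropping `synchronize_irq()` from rtl92de_disable_interrupt() means a handler already executing may still be running when the function returns; the changelog says the removal is deliberate, but a comment on the function would save the next reader the question, e.g. `/* masks HIMR/HIMRE only; does not wait for a running handler */`. Setting `rtlpci->irq_enabled` after the register writes is done consistently in both functions.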
@@ -10,3 +10,42 @@ x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch
 tty-vt-keyboard-reject-invalid-keycodes.patch
 can-slcan-fix-use-after-free-read-in-slcan_open.patch
 jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
+drm-i810-prevent-underflow-in-ioctl.patch
+kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
+crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
+crypto-user-fix-memory-leak-in-crypto_report.patch
+rdma-qib-validate-show-store-callbacks-before-calling-them.patch
+kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
+appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
+appletalk-set-error-code-if-register_snap_client-failed.patch
+staging-rtl8188eu-fix-interface-sanity-check.patch
+staging-rtl8712-fix-interface-sanity-check.patch
+staging-gigaset-fix-general-protection-fault-on-probe.patch
+staging-gigaset-fix-illegal-free-on-probe-errors.patch
+staging-gigaset-add-endpoint-type-sanity-check.patch
+xhci-increase-sts_halt-timeout-in-xhci_suspend.patch
+usb-atm-ueagle-atm-add-missing-endpoint-check.patch
+usb-idmouse-fix-interface-sanity-checks.patch
+usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch
+usb-adutux-fix-interface-sanity-check.patch
+usb-core-urb-fix-urb-structure-initialization-function.patch
+usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch
+mtd-spear_smi-fix-write-burst-mode.patch
+rtlwifi-rtl8192de-fix-missing-code-to-retrieve-rx-buffer-address.patch
+rtlwifi-rtl8192de-fix-missing-callback-that-tests-for-hw-release-of-buffer.patch
+rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch
+lib-raid6-fix-awk-build-warnings.patch
+asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch
+ar5523-check-null-before-memcpy-in-ar5523_cmd.patch
+media-radio-wl1273-fix-interrupt-masking-on-release.patch
+cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch
+acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch
+acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch
+pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch
+powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges-4gb.patch
+quota-check-that-quota-is-not-dirty-before-release.patch
+quota-fix-livelock-in-dquot_writeback_dquots.patch
+mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch
+net-bridge-deny-dev_set_mac_address-when-unregistering.patch
+tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch
+inet-protect-against-too-small-mtu-values.patch
diff --git a/staging-gigaset-add-endpoint-type-sanity-check.patch b/staging-gigaset-add-endpoint-type-sanity-check.patch
new file mode 100644
index 0000000..3820681
--- /dev/null
+++ b/staging-gigaset-add-endpoint-type-sanity-check.patch
@@ -0,0 +1,51 @@ +From ed9ed5a89acba51b82bdff61144d4e4a4245ec8a Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Mon, 2 Dec 2019 09:56:10 +0100 +Subject: staging: gigaset: add endpoint-type sanity check + +From: Johan Hovold <johan@kernel.org> + +commit ed9ed5a89acba51b82bdff61144d4e4a4245ec8a upstream. + +Add missing endpoint-type sanity checks to probe. + +This specifically prevents a warning in USB core on URB submission when +fuzzing USB descriptors. + +Signed-off-by: Johan Hovold <johan@kernel.org> +Cc: stable <stable@vger.kernel.org> +Link: https://lore.kernel.org/r/20191202085610.12719-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/isdn/gigaset/usb-gigaset.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/isdn/gigaset/usb-gigaset.c ++++ b/drivers/isdn/gigaset/usb-gigaset.c +@@ -713,6 +713,12 @@ static int gigaset_probe(struct usb_inte + + endpoint = &hostif->endpoint[0].desc; + ++ if (!usb_endpoint_is_bulk_out(endpoint)) { ++ dev_err(&interface->dev, "missing bulk-out endpoint\n"); ++ retval = -ENODEV; ++ goto error; ++ } ++ + buffer_size = le16_to_cpu(endpoint->wMaxPacketSize); + ucs->bulk_out_size = buffer_size; + ucs->bulk_out_epnum = usb_endpoint_num(endpoint); +@@ -732,6 +738,12 @@ static int gigaset_probe(struct usb_inte + + endpoint = &hostif->endpoint[1].desc; + ++ if (!usb_endpoint_is_int_in(endpoint)) { ++ dev_err(&interface->dev, "missing int-in endpoint\n"); ++ retval = -ENODEV; ++ goto error; ++ } ++ + ucs->busy = 0; + + ucs->read_urb = usb_alloc_urb(0, GFP_KERNEL); diff --git a/staging-gigaset-fix-general-protection-fault-on-probe.patch b/staging-gigaset-fix-general-protection-fault-on-probe.patch new file mode 100644 index 0000000..a83e87d --- /dev/null +++ b/staging-gigaset-fix-general-protection-fault-on-probe.patch 
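Review bot: The `endpoint[1]` access guarded by the new `usb_endpoint_is_int_in()` check is only in bounds because the `bNumEndpoints < 2` check from staging-gigaset-fix-general-protection-fault-on-probe.patch (the next file in this commit) rejects shorter interfaces first; the two patches are order-dependent, and the series file lists the general-protection-fault fix before this one, which is the required order. A comment tying them together would help anyone backporting only one of them, e.g. `/* bNumEndpoints >= 2 was verified above */` above the second check. Both new checks `goto error`; gigaset_probe() begins and ends outside the hunk, so the cleanup at `error` is not visible here.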
@@ -0,0 +1,40 @@ +From 53f35a39c3860baac1e5ca80bf052751cfb24a99 Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Mon, 2 Dec 2019 09:56:08 +0100 +Subject: staging: gigaset: fix general protection fault on probe + +From: Johan Hovold <johan@kernel.org> + +commit 53f35a39c3860baac1e5ca80bf052751cfb24a99 upstream. + +Fix a general protection fault when accessing the endpoint descriptors +which could be triggered by a malicious device due to missing sanity +checks on the number of endpoints. + +Reported-by: syzbot+35b1c403a14f5c89eba7@syzkaller.appspotmail.com +Fixes: 07dc1f9f2f80 ("[PATCH] isdn4linux: Siemens Gigaset drivers - M105 USB DECT adapter") +Cc: stable <stable@vger.kernel.org> # 2.6.17 +Cc: Hansjoerg Lipp <hjlipp@web.de> +Cc: Tilman Schmidt <tilman@imap.cc> +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191202085610.12719-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/isdn/gigaset/usb-gigaset.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/isdn/gigaset/usb-gigaset.c ++++ b/drivers/isdn/gigaset/usb-gigaset.c +@@ -693,6 +693,11 @@ static int gigaset_probe(struct usb_inte + return -ENODEV; + } + ++ if (hostif->desc.bNumEndpoints < 2) { ++ dev_err(&interface->dev, "missing endpoints\n"); ++ return -ENODEV; ++ } ++ + dev_info(&udev->dev, "%s: Device matched ... !\n", __func__); + + /* allocate memory for our device state and initialize it */ diff --git a/staging-gigaset-fix-illegal-free-on-probe-errors.patch b/staging-gigaset-fix-illegal-free-on-probe-errors.patch new file mode 100644 index 0000000..f9e9981 --- /dev/null +++ b/staging-gigaset-fix-illegal-free-on-probe-errors.patch 
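Review bot: The new `hostif->desc.bNumEndpoints < 2` check only protects the endpoint accesses if `hostif` is the interface's current alternate setting; its assignment is outside the hunk, and several other patches in this same commit (staging-rtl8188eu-fix-interface-sanity-check.patch, usb-adutux-fix-interface-sanity-check.patch, usb-idmouse-fix-interface-sanity-checks.patch) fix drivers that read `altsetting[0]` instead of `cur_altsetting`, so it is worth confirming gigaset does not have the same problem. The early `return -ENODEV;` matches the preceding context line's error style and happens before any allocation, so no cleanup is needed. gigaset_probe() begins before the hunk.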
@@ -0,0 +1,47 @@ +From 84f60ca7b326ed8c08582417493982fe2573a9ad Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Mon, 2 Dec 2019 09:56:09 +0100 +Subject: staging: gigaset: fix illegal free on probe errors + +From: Johan Hovold <johan@kernel.org> + +commit 84f60ca7b326ed8c08582417493982fe2573a9ad upstream. + +The driver failed to initialise its receive-buffer pointer, something +which could lead to an illegal free on late probe errors. + +Fix this by making sure to clear all driver data at allocation. + +Fixes: 2032e2c2309d ("usb_gigaset: code cleanup") +Cc: stable <stable@vger.kernel.org> # 2.6.33 +Cc: Tilman Schmidt <tilman@imap.cc> +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191202085610.12719-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/isdn/gigaset/usb-gigaset.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/isdn/gigaset/usb-gigaset.c ++++ b/drivers/isdn/gigaset/usb-gigaset.c +@@ -579,8 +579,7 @@ static int gigaset_initcshw(struct cards + { + struct usb_cardstate *ucs; + +- cs->hw.usb = ucs = +- kmalloc(sizeof(struct usb_cardstate), GFP_KERNEL); ++ cs->hw.usb = ucs = kzalloc(sizeof(struct usb_cardstate), GFP_KERNEL); + if (!ucs) { + pr_err("out of memory\n"); + return -ENOMEM; +@@ -592,9 +591,6 @@ static int gigaset_initcshw(struct cards + ucs->bchars[3] = 0; + ucs->bchars[4] = 0x11; + ucs->bchars[5] = 0x13; +- ucs->bulk_out_buffer = NULL; +- ucs->bulk_out_urb = NULL; +- ucs->read_urb = NULL; + tasklet_init(&cs->write_tasklet, + gigaset_modem_fill, (unsigned long) cs); + diff --git a/staging-rtl8188eu-fix-interface-sanity-check.patch b/staging-rtl8188eu-fix-interface-sanity-check.patch new file mode 100644 index 0000000..1921cbb --- /dev/null +++ b/staging-rtl8188eu-fix-interface-sanity-check.patch 
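Review bot: The new `kzalloc(sizeof(struct usb_cardstate), GFP_KERNEL)` would be more robust written as `kzalloc(sizeof(*ucs), GFP_KERNEL)`, which stays correct if the type behind `cs->hw.usb` ever changes. Removing the three explicit NULL stores is fine only because zeroing now happens at allocation; a short comment such as `/* kzalloc: bulk_out_buffer, bulk_out_urb and read_urb start out NULL */` would stop a future cleanup from reintroducing kmalloc here. The pre-existing `pr_err("out of memory\n")` is redundant with the allocator's own failure report, though dropping it is out of scope for a stable backport.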
@@ -0,0 +1,36 @@ +From 74ca34118a0e05793935d804ccffcedd6eb56596 Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Tue, 10 Dec 2019 12:47:50 +0100 +Subject: staging: rtl8188eu: fix interface sanity check + +From: Johan Hovold <johan@kernel.org> + +commit 74ca34118a0e05793935d804ccffcedd6eb56596 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: c2478d39076b ("staging: r8188eu: Add files for new driver - part 20") +Cc: stable <stable@vger.kernel.org> # 3.12 +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191210114751.5119-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -86,7 +86,7 @@ static struct dvobj_priv *usb_dvobj_init + phost_conf = pusbd->actconfig; + pconf_desc = &phost_conf->desc; + +- phost_iface = &usb_intf->altsetting[0]; ++ phost_iface = usb_intf->cur_altsetting; + piface_desc = &phost_iface->desc; + + pdvobjpriv->NumInterfaces = pconf_desc->bNumInterfaces; diff --git a/staging-rtl8712-fix-interface-sanity-check.patch b/staging-rtl8712-fix-interface-sanity-check.patch new file mode 100644 index 0000000..e5b22bc --- /dev/null +++ b/staging-rtl8712-fix-interface-sanity-check.patch 
@@ -0,0 +1,36 @@ +From c724f776f048538ecfdf53a52b7a522309f5c504 Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Tue, 10 Dec 2019 12:47:51 +0100 +Subject: staging: rtl8712: fix interface sanity check + +From: Johan Hovold <johan@kernel.org> + +commit c724f776f048538ecfdf53a52b7a522309f5c504 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel") +Cc: stable <stable@vger.kernel.org> # 2.6.37 +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191210114751.5119-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/staging/rtl8712/usb_intf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -268,7 +268,7 @@ static uint r8712_usb_dvobj_init(struct + pdev_desc = &pusbd->descriptor; + phost_conf = pusbd->actconfig; + pconf_desc = &phost_conf->desc; +- phost_iface = &pintf->altsetting[0]; ++ phost_iface = pintf->cur_altsetting; + piface_desc = &phost_iface->desc; + pdvobjpriv->nr_endpoint = piface_desc->bNumEndpoints; + if (pusbd->speed == USB_SPEED_HIGH) { diff --git a/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch b/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch new file mode 100644 index 0000000..eadf33d --- /dev/null +++ b/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch 
@@ -0,0 +1,46 @@ +From foo@baz Wed 18 Dec 2019 01:37:17 PM CET +From: Eric Dumazet <edumazet@google.com> +Date: Thu, 5 Dec 2019 10:10:15 -0800 +Subject: tcp: md5: fix potential overestimation of TCP option space + +From: Eric Dumazet <edumazet@google.com> + +[ Upstream commit 9424e2e7ad93ffffa88f882c9bc5023570904b55 ] + +Back in 2008, Adam Langley fixed the corner case of packets for flows +having all of the following options : MD5 TS SACK + +Since MD5 needs 20 bytes, and TS needs 12 bytes, no sack block +can be cooked from the remaining 8 bytes. + +tcp_established_options() correctly sets opts->num_sack_blocks +to zero, but returns 36 instead of 32. + +This means TCP cooks packets with 4 extra bytes at the end +of options, containing unitialized bytes. + +Fixes: 33ad798c924b ("tcp: options clean up") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Acked-by: Neal Cardwell <ncardwell@google.com> +Acked-by: Soheil Hassas Yeganeh <soheil@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/ipv4/tcp_output.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -693,8 +693,9 @@ static unsigned int tcp_established_opti + min_t(unsigned int, eff_sacks, + (remaining - TCPOLEN_SACK_BASE_ALIGNED) / + TCPOLEN_SACK_PERBLOCK); +- size += TCPOLEN_SACK_BASE_ALIGNED + +- opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK; ++ if (likely(opts->num_sack_blocks)) ++ size += TCPOLEN_SACK_BASE_ALIGNED + ++ opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK; + } + + return size; diff --git a/tty-vt-keyboard-reject-invalid-keycodes.patch b/tty-vt-keyboard-reject-invalid-keycodes.patch new file mode 100644 index 0000000..09c9933 --- /dev/null +++ b/tty-vt-keyboard-reject-invalid-keycodes.patch 
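Review bot: The new `if (likely(opts->num_sack_blocks))` guard deserves a comment explaining the corner case it closes, since the `min_t()` just above can legitimately yield zero: `/* MD5 (20) + TS (12) leave 8 bytes, too few for one SACK block; do not account for a block that will not be written */`. With the guard, the returned `size` matches the bytes the option writer actually emits, which is what removes the trailing uninitialized bytes described in the changelog. tcp_established_options() begins and ends outside the hunk.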
@@ -0,0 +1,52 @@ +From b2b2dd71e0859436d4e05b2f61f86140250ed3f8 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Date: Fri, 22 Nov 2019 12:42:20 -0800 +Subject: tty: vt: keyboard: reject invalid keycodes + +From: Dmitry Torokhov <dmitry.torokhov@gmail.com> + +commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream. + +Do not try to handle keycodes that are too big, otherwise we risk doing +out-of-bounds writes: + +BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline] +BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] +BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 +Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722 +... + kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] + kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 + input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118 + input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145 + input_pass_values drivers/input/input.c:949 [inline] + input_set_keycode+0x290/0x320 drivers/input/input.c:954 + evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882 + evdev_do_ioctl drivers/input/evdev.c:1150 [inline] + +In this case we were dealing with a fuzzed HID device that declared over +12K buttons, and while HID layer should not be reporting to us such big +keycodes, we should also be defensive and reject invalid data ourselves as +well. 
+ +Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Cc: stable <stable@vger.kernel.org> +Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/tty/vt/keyboard.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -1358,7 +1358,7 @@ static void kbd_event(struct input_handl + + if (event_type == EV_MSC && event_code == MSC_RAW && HW_RAW(handle->dev)) + kbd_rawcode(value); +- if (event_type == EV_KEY) ++ if (event_type == EV_KEY && event_code <= KEY_MAX) + kbd_keycode(event_code, value, HW_RAW(handle->dev)); + + spin_unlock(&kbd_event_lock); diff --git a/usb-adutux-fix-interface-sanity-check.patch b/usb-adutux-fix-interface-sanity-check.patch new file mode 100644 index 0000000..631b320 --- /dev/null +++ b/usb-adutux-fix-interface-sanity-check.patch 
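Review bot: The new `event_code <= KEY_MAX` bound should carry a comment stating what it protects, because nothing at this call site shows that the tables kbd_keycode() indexes are sized for KEY_MAX: `/* kbd_keycode()'s per-key bitmaps are indexed up to KEY_MAX; drop anything larger */` (confirm the array sizes in kbd_keycode() before asserting this). The rejected event is dropped silently; a rate-limited diagnostic would make a misbehaving or fuzzed device visible in logs, though a stable backport reasonably keeps upstream's behaviour. kbd_event() begins outside the hunk.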
@@ -0,0 +1,36 @@ +From 3c11c4bed02b202e278c0f5c319ae435d7fb9815 Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Tue, 10 Dec 2019 12:25:59 +0100 +Subject: USB: adutux: fix interface sanity check + +From: Johan Hovold <johan@kernel.org> + +commit 3c11c4bed02b202e278c0f5c319ae435d7fb9815 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 03270634e242 ("USB: Add ADU support for Ontrak ADU devices") +Cc: stable <stable@vger.kernel.org> # 2.6.19 +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191210112601.3561-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/usb/misc/adutux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/misc/adutux.c ++++ b/drivers/usb/misc/adutux.c +@@ -686,7 +686,7 @@ static int adu_probe(struct usb_interfac + init_waitqueue_head(&dev->read_wait); + init_waitqueue_head(&dev->write_wait); + +- iface_desc = &interface->altsetting[0]; ++ iface_desc = &interface->cur_altsetting[0]; + + /* set up the endpoint information */ + for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { diff --git a/usb-atm-ueagle-atm-add-missing-endpoint-check.patch b/usb-atm-ueagle-atm-add-missing-endpoint-check.patch new file mode 100644 index 0000000..8eaeb3e --- /dev/null +++ b/usb-atm-ueagle-atm-add-missing-endpoint-check.patch 
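Review bot: The new `iface_desc = &interface->cur_altsetting[0];` spells a plain pointer copy as an address-of-index expression; `iface_desc = interface->cur_altsetting;` is equivalent and matches how usb-idmouse-fix-interface-sanity-checks.patch and staging-rtl8712-fix-interface-sanity-check.patch in this same commit write it. The endpoint loop on the context line below then iterates `bNumEndpoints` of the current setting, which is the intended effect. adu_probe() begins and ends outside the hunk.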
@@ -0,0 +1,90 @@ +From 09068c1ad53fb077bdac288869dec2435420bdc4 Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Tue, 10 Dec 2019 12:25:58 +0100 +Subject: USB: atm: ueagle-atm: add missing endpoint check + +From: Johan Hovold <johan@kernel.org> + +commit 09068c1ad53fb077bdac288869dec2435420bdc4 upstream. + +Make sure that the interrupt interface has an endpoint before trying to +access its endpoint descriptors to avoid dereferencing a NULL pointer. + +The driver binds to the interrupt interface with interface number 0, but +must not assume that this interface or its current alternate setting are +the first entries in the corresponding configuration arrays. + +Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver") +Cc: stable <stable@vger.kernel.org> # 2.6.16 +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/usb/atm/ueagle-atm.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/usb/atm/ueagle-atm.c ++++ b/drivers/usb/atm/ueagle-atm.c +@@ -2167,10 +2167,11 @@ resubmit: + /* + * Start the modem : init the data and start kernel thread + */ +-static int uea_boot(struct uea_softc *sc) ++static int uea_boot(struct uea_softc *sc, struct usb_interface *intf) + { +- int ret, size; + struct intr_pkt *intr; ++ int ret = -ENOMEM; ++ int size; + + uea_enters(INS_TO_USBDEV(sc)); + +@@ -2195,6 +2196,11 @@ static int uea_boot(struct uea_softc *sc + if (UEA_CHIP_VERSION(sc) == ADI930) + load_XILINX_firmware(sc); + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) { ++ ret = -ENODEV; ++ goto err0; ++ } ++ + intr = kmalloc(size, GFP_KERNEL); + if (!intr) { + uea_err(INS_TO_USBDEV(sc), +@@ -2211,8 +2217,7 @@ static int uea_boot(struct uea_softc *sc + usb_fill_int_urb(sc->urb_int, sc->usb_dev, + usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE), + intr, 
size, uea_intr, sc, +- sc->usb_dev->actconfig->interface[0]->altsetting[0]. +- endpoint[0].desc.bInterval); ++ intf->cur_altsetting->endpoint[0].desc.bInterval); + + ret = usb_submit_urb(sc->urb_int, GFP_KERNEL); + if (ret < 0) { +@@ -2227,6 +2232,7 @@ static int uea_boot(struct uea_softc *sc + sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm"); + if (IS_ERR(sc->kthread)) { + uea_err(INS_TO_USBDEV(sc), "failed to create thread\n"); ++ ret = PTR_ERR(sc->kthread); + goto err2; + } + +@@ -2241,7 +2247,7 @@ err1: + kfree(intr); + err0: + uea_leaves(INS_TO_USBDEV(sc)); +- return -ENOMEM; ++ return ret; + } + + /* +@@ -2604,7 +2610,7 @@ static int uea_bind(struct usbatm_data * + if (ret < 0) + goto error; + +- ret = uea_boot(sc); ++ ret = uea_boot(sc, intf); + if (ret < 0) + goto error_rm_grp; + diff --git a/usb-core-urb-fix-urb-structure-initialization-function.patch b/usb-core-urb-fix-urb-structure-initialization-function.patch new file mode 100644 index 0000000..d7e95aa --- /dev/null +++ b/usb-core-urb-fix-urb-structure-initialization-function.patch 
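Review bot: The new `intf->cur_altsetting->desc.bNumEndpoints < 1` check in uea_boot() sits after the firmware-loading work (`load_XILINX_firmware(sc)` on the preceding context line), so a device with a malformed interface descriptor is only rejected after the driver has already started talking to it; moving the check to the top of uea_boot(), before any hardware interaction, would fail faster and keep descriptor validation ahead of side effects, provided nothing earlier in the function depends on it. The `int ret = -ENOMEM` initialisation together with the added `ret = PTR_ERR(sc->kthread)` makes the `err0` path report the real cause, which the old unconditional `return -ENOMEM` did not. uea_boot() begins outside the @@ -2195 hunk and the remaining hunks touch only its error paths and the call site in uea_bind().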
@@ -0,0 +1,34 @@ +From 1cd17f7f0def31e3695501c4f86cd3faf8489840 Mon Sep 17 00:00:00 2001 +From: Emiliano Ingrassia <ingrassia@epigenesys.com> +Date: Wed, 27 Nov 2019 17:03:55 +0100 +Subject: usb: core: urb: fix URB structure initialization function + +From: Emiliano Ingrassia <ingrassia@epigenesys.com> + +commit 1cd17f7f0def31e3695501c4f86cd3faf8489840 upstream. + +Explicitly initialize URB structure urb_list field in usb_init_urb(). +This field can be potentially accessed uninitialized and its +initialization is coherent with the usage of list_del_init() in +usb_hcd_unlink_urb_from_ep() and usb_giveback_urb_bh() and its +explicit initialization in usb_hcd_submit_urb() error path. + +Signed-off-by: Emiliano Ingrassia <ingrassia@epigenesys.com> +Cc: stable <stable@vger.kernel.org> +Link: https://lore.kernel.org/r/20191127160355.GA27196@ingrassia.epigenesys.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/usb/core/urb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -40,6 +40,7 @@ void usb_init_urb(struct urb *urb) + if (urb) { + memset(urb, 0, sizeof(*urb)); + kref_init(&urb->kref); ++ INIT_LIST_HEAD(&urb->urb_list); + INIT_LIST_HEAD(&urb->anchor_list); + } + } diff --git a/usb-idmouse-fix-interface-sanity-checks.patch b/usb-idmouse-fix-interface-sanity-checks.patch new file mode 100644 index 0000000..b23e015 --- /dev/null +++ b/usb-idmouse-fix-interface-sanity-checks.patch 
@@ -0,0 +1,36 @@ +From 59920635b89d74b9207ea803d5e91498d39e8b69 Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Tue, 10 Dec 2019 12:26:00 +0100 +Subject: USB: idmouse: fix interface sanity checks + +From: Johan Hovold <johan@kernel.org> + +commit 59920635b89d74b9207ea803d5e91498d39e8b69 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191210112601.3561-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/usb/misc/idmouse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/misc/idmouse.c ++++ b/drivers/usb/misc/idmouse.c +@@ -342,7 +342,7 @@ static int idmouse_probe(struct usb_inte + int result; + + /* check if we have gotten the data or the hid interface */ +- iface_desc = &interface->altsetting[0]; ++ iface_desc = interface->cur_altsetting; + if (iface_desc->desc.bInterfaceClass != 0x0A) + return -ENODEV; + diff --git a/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch b/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch new file mode 100644 index 0000000..71f5b14 --- /dev/null +++ b/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch 
@@ -0,0 +1,104 @@
+From 19e6317d24c25ee737c65d1ffb7483bdda4bb54a Mon Sep 17 00:00:00 2001
+From: Pete Zaitcev <zaitcev@redhat.com>
+Date: Wed, 4 Dec 2019 20:39:41 -0600
+Subject: usb: mon: Fix a deadlock in usbmon between mmap and read
+
+From: Pete Zaitcev <zaitcev@redhat.com>
+
+commit 19e6317d24c25ee737c65d1ffb7483bdda4bb54a upstream.
+
+The problem arises because our read() function grabs a lock of the
+circular buffer, finds something of interest, then invokes copy_to_user()
+straight from the buffer, which in turn takes mm->mmap_sem. In the same
+time, the callback mon_bin_vma_fault() is invoked under mm->mmap_sem.
+It attempts to take the fetch lock and deadlocks.
+
+This patch does away with protecting of our page list with any
+semaphores, and instead relies on the kernel not close the device
+while mmap is active in a process.
+
+In addition, we prohibit re-sizing of a buffer while mmap is active.
+This way, when (now unlocked) fault is processed, it works with the
+page that is intended to be mapped-in, and not some other random page.
+Note that this may have an ABI impact, but hopefully no legitimate
+program is this wrong.
+
+Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
+Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Fixes: 46eb14a6e158 ("USB: fix usbmon BUG trigger")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191204203941.3503452b@suzdal.zaitcev.lan
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/mon/mon_bin.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/mon/mon_bin.c
++++ b/drivers/usb/mon/mon_bin.c
+@@ -1034,12 +1034,18 @@ static long mon_bin_ioctl(struct file *f
+
+ mutex_lock(&rp->fetch_lock);
+ spin_lock_irqsave(&rp->b_lock, flags);
+- mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE);
+- kfree(rp->b_vec);
+- rp->b_vec = vec;
+- rp->b_size = size;
+- rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0;
+- rp->cnt_lost = 0;
++ if (rp->mmap_active) {
++ mon_free_buff(vec, size/CHUNK_SIZE);
++ kfree(vec);
++ ret = -EBUSY;
++ } else {
++ mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE);
++ kfree(rp->b_vec);
++ rp->b_vec = vec;
++ rp->b_size = size;
++ rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0;
++ rp->cnt_lost = 0;
++ }
+ spin_unlock_irqrestore(&rp->b_lock, flags);
+ mutex_unlock(&rp->fetch_lock);
+ }
+@@ -1211,13 +1217,21 @@ mon_bin_poll(struct file *file, struct p
+ static void mon_bin_vma_open(struct vm_area_struct *vma)
+ {
+ struct mon_reader_bin *rp = vma->vm_private_data;
++ unsigned long flags;
++
++ spin_lock_irqsave(&rp->b_lock, flags);
+ rp->mmap_active++;
++ spin_unlock_irqrestore(&rp->b_lock, flags);
+ }
+
+ static void mon_bin_vma_close(struct vm_area_struct *vma)
+ {
++ unsigned long flags;
++
+ struct mon_reader_bin *rp = vma->vm_private_data;
++ spin_lock_irqsave(&rp->b_lock, flags);
+ rp->mmap_active--;
++ spin_unlock_irqrestore(&rp->b_lock, flags);
+ }
+
+ /*
+@@ -1229,16 +1243,12 @@ static int mon_bin_vma_fault(struct vm_a
+ unsigned long offset, chunk_idx;
+ struct page *pageptr;
+
+- mutex_lock(&rp->fetch_lock);
+ offset = vmf->pgoff << PAGE_SHIFT;
+- if (offset >= rp->b_size) {
+- mutex_unlock(&rp->fetch_lock);
++ if (offset >= rp->b_size)
+ return VM_FAULT_SIGBUS;
+- }
+ chunk_idx = offset / CHUNK_SIZE;
+ pageptr = rp->b_vec[chunk_idx].pg;
+ get_page(pageptr);
+- mutex_unlock(&rp->fetch_lock);
+ vmf->page = pageptr;
+ return 0;
+ }
diff --git a/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch b/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch
new file mode 100644
index 0000000..1678c30
--- /dev/null
+++ b/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch
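Review bot: mon_bin_vma_fault() now reads rp->b_size and rp->b_vec with no lock held, and the only thing that makes that sound is the new -EBUSY branch in mon_bin_ioctl() refusing a resize while mmap_active is non-zero; that invariant lives in a different function and deserves a comment at the top of the fault handler, e.g. `/* No locking: the buffer cannot be resized while mmap_active != 0 (see mon_bin_ioctl), and an open vma keeps the reader alive. */`. The two new vm_ops are also written differently: mon_bin_vma_open() declares `flags` after `rp`, while mon_bin_vma_close() declares it before `rp` and then runs straight from the `rp` declaration into spin_lock_irqsave() without the blank line the rest of the file has; picking one layout for both would avoid the reader wondering whether the difference is meaningful. Whether the mmap() entry point that first raises mmap_active does so under b_lock as well is outside the hunk, so the open/close pairing seen here may not be the whole picture.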
@@ -0,0 +1,50 @@
+From 7c5a2df3367a2c4984f1300261345817d95b71f8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:26:01 +0100
+Subject: USB: serial: io_edgeport: fix epic endpoint lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7c5a2df3367a2c4984f1300261345817d95b71f8 upstream.
+
+Make sure to use the current alternate setting when looking up the
+endpoints on epic devices to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
+Cc: stable <stable@vger.kernel.org> # 2.6.21
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_edgeport.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -2854,16 +2854,18 @@ static int edge_startup(struct usb_seria
+ response = 0;
+
+ if (edge_serial->is_epic) {
++ struct usb_host_interface *alt;
++
++ alt = serial->interface->cur_altsetting;
++
+ /* EPIC thing, set up our interrupt polling now and our read
+ * urb, so that the device knows it really is connected. */
+ interrupt_in_found = bulk_in_found = bulk_out_found = false;
+- for (i = 0; i < serial->interface->altsetting[0]
+- .desc.bNumEndpoints; ++i) {
++ for (i = 0; i < alt->desc.bNumEndpoints; ++i) {
+ struct usb_endpoint_descriptor *endpoint;
+ int buffer_size;
+
+- endpoint = &serial->interface->altsetting[0].
+- endpoint[i].desc;
++ endpoint = &alt->endpoint[i].desc;
+ buffer_size = usb_endpoint_maxp(endpoint);
+ if (!interrupt_in_found &&
+ (usb_endpoint_is_int_in(endpoint))) {
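Review bot: The loop now walks alt->desc.bNumEndpoints, but the hunk ends before the three found flags are consumed, so it is not visible whether edge_startup() fails probe when the current altsetting lacks one of the interrupt-in, bulk-in or bulk-out endpoints; with the lookup following cur_altsetting, that post-loop check is what stops a malformed interface from reaching usb_submit_urb(). The new `alt` is only ever read, so `const struct usb_host_interface *alt;` documents that for free. A one-line comment above the assignment, `/* the device need not be on altsetting 0; use the setting actually in use */`, keeps the reason for the change with the code rather than only in the changelog. edge_startup() begins and ends outside the hunk.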
diff --git a/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch b/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch
new file mode 100644
index 0000000..a3630c7
--- /dev/null
+++ b/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch
@@ -0,0 +1,53 @@
+From 7e8ce0e2b036dbc6617184317983aea4f2c52099 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 2 Sep 2019 22:52:52 +0800
+Subject: x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 7e8ce0e2b036dbc6617184317983aea4f2c52099 upstream.
+
+The AMD FCH USB XHCI Controller advertises support for generating PME#
+while in D0. When in D0, it does signal PME# for USB 3.0 connect events,
+but not for USB 2.0 or USB 1.1 connect events, which means the controller
+doesn't wake correctly for those events.
+
+ 00:10.0 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] FCH USB XHCI Controller [1022:7914] (rev 20) (prog-if 30 [XHCI])
+ Subsystem: Dell FCH USB XHCI Controller [1028:087e]
+ Capabilities: [50] Power Management version 3
+ Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
+
+Clear PCI_PM_CAP_PME_D0 in dev->pme_support to indicate the device will not
+assert PME# from D0 so we don't rely on it.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203673
+Link: https://lore.kernel.org/r/20190902145252.32111-1-kai.heng.feng@canonical.com
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/pci/fixup.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/x86/pci/fixup.c
++++ b/arch/x86/pci/fixup.c
+@@ -555,6 +555,17 @@ static void twinhead_reserve_killing_zon
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x27B9, twinhead_reserve_killing_zone);
+
+ /*
++ * Device [1022:7914]
++ * When in D0, PME# doesn't get asserted when plugging USB 2.0 device.
++ */
++static void pci_fixup_amd_fch_xhci_pme(struct pci_dev *dev)
++{
++ dev_info(&dev->dev, "PME# does not work under D0, disabling it\n");
++ dev->pme_support &= ~(PCI_PM_CAP_PME_D0 >> PCI_PM_CAP_PME_SHIFT);
++}
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x7914, pci_fixup_amd_fch_xhci_pme);
++
++/*
+ * Broadwell EP Home Agent BARs erroneously return non-zero values when read.
+ *
+ * See http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html
diff --git a/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch b/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch
new file mode 100644
index 0000000..2be8423
--- /dev/null
+++ b/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch
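Review bot: The new fixup matches every [1022:7914] regardless of subsystem, while the only evidence in the message is one Dell [1028:087e] system; if the defect is in the AMD FCH itself that scope is right, but the block comment should say so instead of the bare `* Device [1022:7914]`, e.g. `* AMD FCH USB XHCI controller [1022:7914]: PME# is advertised for D0 but only fires for USB 3.0 connects, so wake from D0 is unreliable. Applies to the whole FCH, not one subsystem.`. It is also worth a line on why this is a FINAL-stage fixup rather than HEADER like its neighbour — presumably because dev->pme_support is only populated once the PM capability has been parsed during device add, so an earlier stage would find nothing to clear; please confirm. Neighbouring fixups in this file use literal device IDs too, so `0x7914` is consistent with local style.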
@@ -0,0 +1,43 @@
+From 7c67cf6658cec70d8a43229f2ce74ca1443dc95e Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Wed, 11 Dec 2019 16:20:05 +0200
+Subject: xhci: Increase STS_HALT timeout in xhci_suspend()
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 7c67cf6658cec70d8a43229f2ce74ca1443dc95e upstream.
+
+I've recently observed failed xHCI suspend attempt on AMD Raven Ridge
+system:
+kernel: xhci_hcd 0000:04:00.4: WARN: xHC CMD_RUN timeout
+kernel: PM: suspend_common(): xhci_pci_suspend+0x0/0xd0 returns -110
+kernel: PM: pci_pm_suspend(): hcd_pci_suspend+0x0/0x30 returns -110
+kernel: PM: dpm_run_callback(): pci_pm_suspend+0x0/0x150 returns -110
+kernel: PM: Device 0000:04:00.4 failed to suspend async: error -110
+
+Similar to commit ac343366846a ("xhci: Increase STS_SAVE timeout in
+xhci_suspend()") we also need to increase the HALT timeout to make it be
+able to suspend again.
+
+Cc: <stable@vger.kernel.org> # 5.2+
+Fixes: f7fac17ca925 ("xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20191211142007.8847-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -898,7 +898,7 @@ static void xhci_disable_port_wake_on_bi
+ int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup)
+ {
+ int rc = 0;
+- unsigned int delay = XHCI_MAX_HALT_USEC;
++ unsigned int delay = XHCI_MAX_HALT_USEC * 2;
+ struct usb_hcd *hcd = xhci_to_hcd(xhci);
+ u32 command;
+ |
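Review bot: The doubled timeout is written as a bare `XHCI_MAX_HALT_USEC * 2` on the changed declaration with nothing nearby explaining the factor, so the empirical reason lives only in the changelog; a comment such as `/* AMD Raven Ridge needs more than XHCI_MAX_HALT_USEC to halt; same reasoning as the STS_SAVE timeout bump */` keeps it next to the value, or the factor could join the existing timeout constants as a named value. The `# 5.2+` stable hint and the Fixes: line point at the readl_poll_timeout_atomic() conversion of xhci_handshake(), so before relying on the doubling in an older tree it is worth confirming that the xhci_handshake() there consumes `delay` in the same units and the same polling shape; that cannot be seen from the hunk. xhci_suspend() continues beyond the hunk.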