diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-05-20 12:53:04 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-05-20 12:53:04 +0200 |
commit | f12350f3368b40b389804934b0de914d614f213e (patch) | |
tree | aec89c90f41a65ceb701cc20968d1a4bec6a0cdf | |
parent | 08e216dc990ea45365fd1190798c4fe8e351f9ad (diff) | |
download | queue-3.18-f12350f3368b40b389804934b0de914d614f213e.tar.gz |
more 3.18 patches
17 files changed, 1131 insertions, 0 deletions
diff --git a/alsa-hda-hdmi-consider-eld_valid-when-reporting-jack-event.patch b/alsa-hda-hdmi-consider-eld_valid-when-reporting-jack-event.patch new file mode 100644 index 0000000..f2dfd64 --- /dev/null +++ b/alsa-hda-hdmi-consider-eld_valid-when-reporting-jack-event.patch @@ -0,0 +1,58 @@ +From 7f641e26a6df9269cb25dd7a4b0a91d6586ed441 Mon Sep 17 00:00:00 2001 +From: Hui Wang <hui.wang@canonical.com> +Date: Mon, 6 May 2019 22:09:32 +0800 +Subject: ALSA: hda/hdmi - Consider eld_valid when reporting jack event + +From: Hui Wang <hui.wang@canonical.com> + +commit 7f641e26a6df9269cb25dd7a4b0a91d6586ed441 upstream. + +On the machines with AMD GPU or Nvidia GPU, we often meet this issue: +after s3, there are 4 HDMI/DP audio devices in the gnome-sound-setting +even there is no any monitors plugged. + +When this problem happens, we check the /proc/asound/cardX/eld#N.M, we +will find the monitor_present=1, eld_valid=0. + +The root cause is BIOS or GPU driver makes the PRESENCE valid even no +monitor plugged, and of course the driver will not get the valid +eld_data subsequently. + +In this situation, we should not report the jack_plugged event, to do +so, let us change the function hdmi_present_sense_via_verbs(). In this +function, it reads the pin_sense via snd_hda_pin_sense(), after +calling this function, the jack_dirty is 0, and before exiting +via_verbs(), we change the shadow pin_sense according to both +monitor_present and eld_valid, then in the snd_hda_jack_report_sync(), +since the jack_dirty is still 0, it will report jack event according +to this modified shadow pin_sense. + +After this change, the driver will not report Jack_is_plugged event +through hdmi_present_sense_via_verbs() if monitor_present is 1 and +eld_valid is 0. + +Signed-off-by: Hui Wang <hui.wang@canonical.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + sound/pci/hda/patch_hdmi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1635,9 +1635,11 @@ static bool hdmi_present_sense(struct hd + ret = !repoll || !pin_eld->monitor_present || pin_eld->eld_valid; + + jack = snd_hda_jack_tbl_get(codec, pin_nid); +- if (jack) ++ if (jack) { + jack->block_report = !ret; +- ++ jack->pin_sense = (eld->monitor_present && eld->eld_valid) ? ++ AC_PINSENSE_PRESENCE : 0; ++ } + mutex_unlock(&per_pin->lock); + snd_hda_power_down(codec); + return ret; diff --git a/alsa-hda-realtek-eapd-turn-on-later.patch b/alsa-hda-realtek-eapd-turn-on-later.patch new file mode 100644 index 0000000..c894f07 --- /dev/null +++ b/alsa-hda-realtek-eapd-turn-on-later.patch @@ -0,0 +1,40 @@ +From 607ca3bd220f4022e6f5356026b19dafc363863a Mon Sep 17 00:00:00 2001 +From: Kailang Yang <kailang@realtek.com> +Date: Fri, 26 Apr 2019 16:35:41 +0800 +Subject: ALSA: hda/realtek - EAPD turn on later + +From: Kailang Yang <kailang@realtek.com> + +commit 607ca3bd220f4022e6f5356026b19dafc363863a upstream. + +Let EAPD turn on after set pin output. + +[ NOTE: This change is supposed to reduce the possible click noises at + (runtime) PM resume. The functionality should be same (i.e. the + verbs are executed correctly) no matter which order is, so this + should be safe to apply for all codecs -- tiwai ] + +Signed-off-by: Kailang Yang <kailang@realtek.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + sound/pci/hda/patch_realtek.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -755,11 +755,10 @@ static int alc_init(struct hda_codec *co + if (spec->init_hook) + spec->init_hook(codec); + ++ snd_hda_gen_init(codec); + alc_fix_pll(codec); + alc_auto_init_amp(codec, spec->init_amp); + +- snd_hda_gen_init(codec); +- + snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_INIT); + + return 0; diff --git a/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch b/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch new file mode 100644 index 0000000..42fe459 --- /dev/null +++ b/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch @@ -0,0 +1,41 @@ +From 56df90b631fc027fe28b70d41352d820797239bb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Wadowski?= <wadosm@gmail.com> +Date: Tue, 14 May 2019 16:58:00 +0200 +Subject: ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Wadowski <wadosm@gmail.com> + +commit 56df90b631fc027fe28b70d41352d820797239bb upstream. + +Add patch for realtek codec in Lenovo B50-70 that fixes inverted +internal microphone channel. +Device IdeaPad Y410P has the same PCI SSID as Lenovo B50-70, +but first one is about fix the noise and it didn't seem help in a +later kernel version. +So I replaced IdeaPad Y410P device description with B50-70 and apply +inverted microphone fix. + +Bugzilla: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1524215 +Signed-off-by: Michał Wadowski <wadosm@gmail.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5471,7 +5471,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), +- SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP), ++ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK), diff --git a/alsa-usb-audio-fix-a-memory-leak-bug.patch b/alsa-usb-audio-fix-a-memory-leak-bug.patch new file mode 100644 index 0000000..30f4dd5 --- /dev/null +++ b/alsa-usb-audio-fix-a-memory-leak-bug.patch @@ -0,0 +1,40 @@ +From cb5173594d50c72b7bfa14113dfc5084b4d2f726 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang <wang6495@umn.edu> +Date: Sat, 27 Apr 2019 01:06:46 -0500 +Subject: ALSA: usb-audio: Fix a memory leak bug + +From: Wenwen Wang <wang6495@umn.edu> + +commit cb5173594d50c72b7bfa14113dfc5084b4d2f726 upstream. + +In parse_audio_selector_unit(), the string array 'namelist' is allocated +through kmalloc_array(), and each string pointer in this array, i.e., +'namelist[]', is allocated through kmalloc() in the following for loop. +Then, a control instance 'kctl' is created by invoking snd_ctl_new1(). If +an error occurs during the creation process, the string array 'namelist', +including all string pointers in the array 'namelist[]', should be freed, +before the error code ENOMEM is returned. However, the current code does +not free 'namelist[]', resulting in memory leaks. + +To fix the above issue, free all string pointers 'namelist[]' in a loop. + +Signed-off-by: Wenwen Wang <wang6495@umn.edu> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + sound/usb/mixer.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -2103,6 +2103,8 @@ static int parse_audio_selector_unit(str + kctl = snd_ctl_new1(&mixer_selectunit_ctl, cval); + if (! kctl) { + usb_audio_err(state->chip, "cannot malloc kcontrol\n"); ++ for (i = 0; i < desc->bNrInPins; i++) ++ kfree(namelist[i]); + kfree(namelist); + kfree(cval); + return -ENOMEM; diff --git a/asoc-max98090-fix-restore-of-dapm-muxes.patch b/asoc-max98090-fix-restore-of-dapm-muxes.patch new file mode 100644 index 0000000..cf4f32e --- /dev/null +++ b/asoc-max98090-fix-restore-of-dapm-muxes.patch @@ -0,0 +1,53 @@ +From ecb2795c08bc825ebd604997e5be440b060c5b18 Mon Sep 17 00:00:00 2001 +From: Jon Hunter <jonathanh@nvidia.com> +Date: Wed, 1 May 2019 15:29:38 +0100 +Subject: ASoC: max98090: Fix restore of DAPM Muxes + +From: Jon Hunter <jonathanh@nvidia.com> + +commit ecb2795c08bc825ebd604997e5be440b060c5b18 upstream. + +The max98090 driver defines 3 DAPM muxes; one for the right line output +(LINMOD Mux), one for the left headphone mixer source (MIXHPLSEL Mux) +and one for the right headphone mixer source (MIXHPRSEL Mux). The same +bit is used for the mux as well as the DAPM enable, and although the mux +can be correctly configured, after playback has completed, the mux will +be reset during the disable phase. This is preventing the state of these +muxes from being saved and restored correctly on system reboot. Fix this +by marking these muxes as SND_SOC_NOPM. + +Note this has been verified this on the Tegra124 Nyan Big which features +the MAX98090 codec. + +Signed-off-by: Jon Hunter <jonathanh@nvidia.com> +Signed-off-by: Mark Brown <broonie@kernel.org> +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + sound/soc/codecs/max98090.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/sound/soc/codecs/max98090.c ++++ b/sound/soc/codecs/max98090.c +@@ -1265,14 +1265,14 @@ static const struct snd_soc_dapm_widget + &max98090_right_rcv_mixer_controls[0], + ARRAY_SIZE(max98090_right_rcv_mixer_controls)), + +- SND_SOC_DAPM_MUX("LINMOD Mux", M98090_REG_LOUTR_MIXER, +- M98090_LINMOD_SHIFT, 0, &max98090_linmod_mux), ++ SND_SOC_DAPM_MUX("LINMOD Mux", SND_SOC_NOPM, 0, 0, ++ &max98090_linmod_mux), + +- SND_SOC_DAPM_MUX("MIXHPLSEL Mux", M98090_REG_HP_CONTROL, +- M98090_MIXHPLSEL_SHIFT, 0, &max98090_mixhplsel_mux), ++ SND_SOC_DAPM_MUX("MIXHPLSEL Mux", SND_SOC_NOPM, 0, 0, ++ &max98090_mixhplsel_mux), + +- SND_SOC_DAPM_MUX("MIXHPRSEL Mux", M98090_REG_HP_CONTROL, +- M98090_MIXHPRSEL_SHIFT, 0, &max98090_mixhprsel_mux), ++ SND_SOC_DAPM_MUX("MIXHPRSEL Mux", SND_SOC_NOPM, 0, 0, ++ &max98090_mixhprsel_mux), + + SND_SOC_DAPM_PGA("HP Left Out", M98090_REG_OUTPUT_ENABLE, + M98090_HPLEN_SHIFT, 0, NULL, 0), diff --git a/bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch b/bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch new file mode 100644 index 0000000..7a57c10 --- /dev/null +++ b/bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch @@ -0,0 +1,81 @@ +From a4b732a248d12cbdb46999daf0bf288c011335eb Mon Sep 17 00:00:00 2001 +From: Liang Chen <liangchen.linux@gmail.com> +Date: Thu, 25 Apr 2019 00:48:31 +0800 +Subject: bcache: fix a race between cache register and cacheset unregister + +From: Liang Chen <liangchen.linux@gmail.com> + +commit a4b732a248d12cbdb46999daf0bf288c011335eb upstream. + +There is a race between cache device register and cache set unregister. +For an already registered cache device, register_bcache will call +bch_is_open to iterate through all cachesets and check every cache +there. The race occurs if cache_set_free executes at the same time and +clears the caches right before ca is dereferenced in bch_is_open_cache. +To close the race, let's make sure the clean up work is protected by +the bch_register_lock as well. + +This issue can be reproduced as follows, +while true; do echo /dev/XXX> /sys/fs/bcache/register ; done& +while true; do echo 1> /sys/block/XXX/bcache/set/unregister ; done & + +and results in the following oops, + +[ +0.000053] BUG: unable to handle kernel NULL pointer dereference at 0000000000000998 +[ +0.000457] #PF error: [normal kernel read fault] +[ +0.000464] PGD 800000003ca9d067 P4D 800000003ca9d067 PUD 3ca9c067 PMD 0 +[ +0.000388] Oops: 0000 [#1] SMP PTI +[ +0.000269] CPU: 1 PID: 3266 Comm: bash Not tainted 5.0.0+ #6 +[ +0.000346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.fc28 04/01/2014 +[ +0.000472] RIP: 0010:register_bcache+0x1829/0x1990 [bcache] +[ +0.000344] Code: b0 48 83 e8 50 48 81 fa e0 e1 10 c0 0f 84 a9 00 00 00 48 89 c6 48 89 ca 0f b7 ba 54 04 00 00 4c 8b 82 60 0c 00 00 85 ff 74 2f <49> 3b a8 98 09 00 00 74 4e 44 8d 47 ff 31 ff 49 c1 e0 03 eb 0d +[ +0.000839] RSP: 0018:ffff92ee804cbd88 EFLAGS: 00010202 +[ +0.000328] RAX: ffffffffc010e190 RBX: ffff918b5c6b5000 RCX: ffff918b7d8e0000 +[ +0.000399] RDX: ffff918b7d8e0000 RSI: ffffffffc010e190 RDI: 0000000000000001 +[ +0.000398] RBP: ffff918b7d318340 R08: 0000000000000000 R09: ffffffffb9bd2d7a +[ +0.000385] R10: ffff918b7eb253c0 R11: ffffb95980f51200 R12: ffffffffc010e1a0 +[ +0.000411] R13: fffffffffffffff2 R14: 000000000000000b R15: ffff918b7e232620 +[ +0.000384] FS: 00007f955bec2740(0000) GS:ffff918b7eb00000(0000) knlGS:0000000000000000 +[ +0.000420] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ +0.000801] CR2: 0000000000000998 CR3: 000000003cad6000 CR4: 00000000001406e0 +[ +0.000837] Call Trace: +[ +0.000682] ? _cond_resched+0x10/0x20 +[ +0.000691] ? __kmalloc+0x131/0x1b0 +[ +0.000710] kernfs_fop_write+0xfa/0x170 +[ +0.000733] __vfs_write+0x2e/0x190 +[ +0.000688] ? inode_security+0x10/0x30 +[ +0.000698] ? selinux_file_permission+0xd2/0x120 +[ +0.000752] ? security_file_permission+0x2b/0x100 +[ +0.000753] vfs_write+0xa8/0x1a0 +[ +0.000676] ksys_write+0x4d/0xb0 +[ +0.000699] do_syscall_64+0x3a/0xf0 +[ +0.000692] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Liang Chen <liangchen.linux@gmail.com> +Cc: stable@vger.kernel.org +Signed-off-by: Coly Li <colyli@suse.de> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/md/bcache/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1375,6 +1375,7 @@ static void cache_set_free(struct closur + bch_btree_cache_free(c); + bch_journal_free(c); + ++ mutex_lock(&bch_register_lock); + for_each_cache(ca, c, i) + if (ca) { + ca->set = NULL; +@@ -1397,7 +1398,6 @@ static void cache_set_free(struct closur + mempool_destroy(c->search); + kfree(c->devices); + +- mutex_lock(&bch_register_lock); + list_del(&c->list); + mutex_unlock(&bch_register_lock); + diff --git a/bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch b/bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch new file mode 100644 index 0000000..14ba611 --- /dev/null +++ b/bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch @@ -0,0 +1,96 @@ +From 1bee2addc0c8470c8aaa65ef0599eeae96dd88bc Mon Sep 17 00:00:00 2001 +From: Coly Li <colyli@suse.de> +Date: Thu, 25 Apr 2019 00:48:33 +0800 +Subject: bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim() + +From: Coly Li <colyli@suse.de> + +commit 1bee2addc0c8470c8aaa65ef0599eeae96dd88bc upstream. + +In journal_reclaim() ja->cur_idx of each cache will be update to +reclaim available journal buckets. Variable 'int n' is used to count how +many cache is successfully reclaimed, then n is set to c->journal.key +by SET_KEY_PTRS(). Later in journal_write_unlocked(), a for_each_cache() +loop will write the jset data onto each cache. + +The problem is, if all jouranl buckets on each cache is full, the +following code in journal_reclaim(), + +529 for_each_cache(ca, c, iter) { +530 struct journal_device *ja = &ca->journal; +531 unsigned int next = (ja->cur_idx + 1) % ca->sb.njournal_buckets; +532 +533 /* No space available on this device */ +534 if (next == ja->discard_idx) +535 continue; +536 +537 ja->cur_idx = next; +538 k->ptr[n++] = MAKE_PTR(0, +539 bucket_to_sector(c, ca->sb.d[ja->cur_idx]), +540 ca->sb.nr_this_dev); +541 } +542 +543 bkey_init(k); +544 SET_KEY_PTRS(k, n); + +If there is no available bucket to reclaim, the if() condition at line +534 will always true, and n remains 0. Then at line 544, SET_KEY_PTRS() +will set KEY_PTRS field of c->journal.key to 0. + +Setting KEY_PTRS field of c->journal.key to 0 is wrong. Because in +journal_write_unlocked() the journal data is written in following loop, + +649 for (i = 0; i < KEY_PTRS(k); i++) { +650-671 submit journal data to cache device +672 } + +If KEY_PTRS field is set to 0 in jouranl_reclaim(), the journal data +won't be written to cache device here. If system crahed or rebooted +before bkeys of the lost journal entries written into btree nodes, data +corruption will be reported during bcache reload after rebooting the +system. + +Indeed there is only one cache in a cache set, there is no need to set +KEY_PTRS field in journal_reclaim() at all. But in order to keep the +for_each_cache() logic consistent for now, this patch fixes the above +problem by not setting 0 KEY_PTRS of journal key, if there is no bucket +available to reclaim. + +Signed-off-by: Coly Li <colyli@suse.de> +Reviewed-by: Hannes Reinecke <hare@suse.com> +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/md/bcache/journal.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -513,11 +513,11 @@ static void journal_reclaim(struct cache + ca->sb.nr_this_dev); + } + +- bkey_init(k); +- SET_KEY_PTRS(k, n); +- +- if (n) ++ if (n) { ++ bkey_init(k); ++ SET_KEY_PTRS(k, n); + c->journal.blocks_free = c->sb.bucket_size >> c->block_bits; ++ } + out: + if (!journal_full(&c->journal)) + __closure_wake_up(&c->journal.wait); +@@ -639,6 +639,9 @@ static void journal_write_unlocked(struc + ca->journal.seq[ca->journal.cur_idx] = w->data->seq; + } + ++ /* If KEY_PTRS(k) == 0, this jset gets lost in air */ ++ BUG_ON(i == 0); ++ + atomic_dec_bug(&fifo_back(&c->journal.pin)); + bch_journal_next(&c->journal); + journal_reclaim(c); diff --git a/crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch b/crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch new file mode 100644 index 0000000..6ebfc20 --- /dev/null +++ b/crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch @@ -0,0 +1,52 @@ +From 767f015ea0b7ab9d60432ff6cd06b664fd71f50f Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Tue, 9 Apr 2019 23:46:31 -0700 +Subject: crypto: arm/aes-neonbs - don't access already-freed walk.iv + +From: Eric Biggers <ebiggers@google.com> + +commit 767f015ea0b7ab9d60432ff6cd06b664fd71f50f upstream. + +If the user-provided IV needs to be aligned to the algorithm's +alignmask, then skcipher_walk_virt() copies the IV into a new aligned +buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then +if the caller unconditionally accesses walk.iv, it's a use-after-free. + +arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't +affected by this despite unconditionally accessing walk.iv. However +this is more subtle than desired, and it was actually broken prior to +the alignmask being removed by commit cc477bf64573 ("crypto: arm/aes - +replace bit-sliced OpenSSL NEON code"). Thus, update xts-aes-neonbs to +start checking the return value of skcipher_walk_virt(). + +Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions") +Cc: <stable@vger.kernel.org> # v3.13+ +Signed-off-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + + +--- + arch/arm/crypto/aesbs-glue.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arm/crypto/aesbs-glue.c ++++ b/arch/arm/crypto/aesbs-glue.c +@@ -259,6 +259,8 @@ static int aesbs_xts_encrypt(struct blkc + + blkcipher_walk_init(&walk, dst, src, nbytes); + err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE); ++ if (err) ++ return err; + + /* generate the initial tweak */ + AES_encrypt(walk.iv, walk.iv, &ctx->twkey); +@@ -283,6 +285,8 @@ static int aesbs_xts_decrypt(struct blkc + + blkcipher_walk_init(&walk, dst, src, nbytes); + err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE); ++ if (err) ++ return err; + + /* generate the initial tweak */ + AES_encrypt(walk.iv, walk.iv, &ctx->twkey); diff --git a/crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch b/crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch new file mode 100644 index 0000000..4666e4b --- /dev/null +++ b/crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch @@ -0,0 +1,36 @@ +From 9b40f79c08e81234d759f188b233980d7e81df6c Mon Sep 17 00:00:00 2001 +From: Wei Yongjun <weiyongjun1@huawei.com> +Date: Mon, 17 Oct 2016 15:10:06 +0000 +Subject: crypto: gcm - Fix error return code in crypto_gcm_create_common() + +From: Wei Yongjun <weiyongjun1@huawei.com> + +commit 9b40f79c08e81234d759f188b233980d7e81df6c upstream. + +Fix to return error code -EINVAL from the invalid alg ivsize error +handling case instead of 0, as done elsewhere in this function. + +Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + crypto/gcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/gcm.c ++++ b/crypto/gcm.c +@@ -742,11 +742,11 @@ static struct crypto_instance *crypto_gc + ctr = crypto_skcipher_spawn_alg(&ctx->ctr); + + /* We only support 16-byte blocks. */ ++ err = -EINVAL; + if (ctr->cra_ablkcipher.ivsize != 16) + goto out_put_ctr; + + /* Not a stream cipher? */ +- err = -EINVAL; + if (ctr->cra_blocksize != 1) + goto out_put_ctr; + diff --git a/crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch b/crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch new file mode 100644 index 0000000..023c521 --- /dev/null +++ b/crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch @@ -0,0 +1,139 @@ +From f699594d436960160f6d5ba84ed4a222f20d11cd Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Thu, 18 Apr 2019 14:43:02 -0700 +Subject: crypto: gcm - fix incompatibility between "gcm" and "gcm_base" + +From: Eric Biggers <ebiggers@google.com> + +commit f699594d436960160f6d5ba84ed4a222f20d11cd upstream. + +GCM instances can be created by either the "gcm" template, which only +allows choosing the block cipher, e.g. "gcm(aes)"; or by "gcm_base", +which allows choosing the ctr and ghash implementations, e.g. +"gcm_base(ctr(aes-generic),ghash-generic)". + +However, a "gcm_base" instance prevents a "gcm" instance from being +registered using the same implementations. Nor will the instance be +found by lookups of "gcm". This can be used as a denial of service. +Moreover, "gcm_base" instances are never tested by the crypto +self-tests, even if there are compatible "gcm" tests. + +The root cause of these problems is that instances of the two templates +use different cra_names. Therefore, fix these problems by making +"gcm_base" instances set the same cra_name as "gcm" instances, e.g. +"gcm(aes)" instead of "gcm_base(ctr(aes-generic),ghash-generic)". + +This requires extracting the block cipher name from the name of the ctr +algorithm. It also requires starting to verify that the algorithms are +really ctr and ghash, not something else entirely. But it would be +bizarre if anyone were actually using non-gcm-compatible algorithms with +gcm_base, so this shouldn't break anyone in practice. + +Fixes: d00aa19b507b ("[CRYPTO] gcm: Allow block cipher parameter") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + + +diff --git a/crypto/gcm.c b/crypto/gcm.c +index f1c16589af8bb..9d3bffc0238f0 100644 +--- a/crypto/gcm.c ++++ b/crypto/gcm.c +@@ -616,7 +616,6 @@ static void crypto_gcm_free(struct aead_instance *inst) + + static int crypto_gcm_create_common(struct crypto_template *tmpl, + struct rtattr **tb, +- const char *full_name, + const char *ctr_name, + const char *ghash_name) + { +@@ -657,7 +656,8 @@ static int crypto_gcm_create_common(struct crypto_template *tmpl, + goto err_free_inst; + + err = -EINVAL; +- if (ghash->digestsize != 16) ++ if (strcmp(ghash->base.cra_name, "ghash") != 0 || ++ ghash->digestsize != 16) + goto err_drop_ghash; + + crypto_set_skcipher_spawn(&ctx->ctr, aead_crypto_instance(inst)); +@@ -669,24 +669,24 @@ static int crypto_gcm_create_common(struct crypto_template *tmpl, + + ctr = crypto_skcipher_spawn_alg(&ctx->ctr); + +- /* We only support 16-byte blocks. */ ++ /* The skcipher algorithm must be CTR mode, using 16-byte blocks. */ + err = -EINVAL; +- if (ctr->cra_ablkcipher.ivsize != 16) ++ if (strncmp(ctr->cra_name, "ctr(", 4) != 0 || ++ ctr->cra_ablkcipher.ivsize != 16 || ++ ctr->cra_blocksize != 1) + goto out_put_ctr; + +- /* Not a stream cipher? */ +- if (ctr->cra_blocksize != 1) ++ err = -ENAMETOOLONG; ++ if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, ++ "gcm(%s", ctr->cra_name + 4) >= CRYPTO_MAX_ALG_NAME) + goto out_put_ctr; + +- err = -ENAMETOOLONG; + if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, + "gcm_base(%s,%s)", ctr->cra_driver_name, + ghash_alg->cra_driver_name) >= + CRYPTO_MAX_ALG_NAME) + goto out_put_ctr; + +- memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME); +- + inst->alg.base.cra_flags = (ghash->base.cra_flags | ctr->cra_flags) & + CRYPTO_ALG_ASYNC; + inst->alg.base.cra_priority = (ghash->base.cra_priority + +@@ -727,7 +727,6 @@ static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb) + { + const char *cipher_name; + char ctr_name[CRYPTO_MAX_ALG_NAME]; +- char full_name[CRYPTO_MAX_ALG_NAME]; + + cipher_name = crypto_attr_alg_name(tb[1]); + if (IS_ERR(cipher_name)) +@@ -737,12 +736,7 @@ static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb) + CRYPTO_MAX_ALG_NAME) + return -ENAMETOOLONG; + +- if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >= +- CRYPTO_MAX_ALG_NAME) +- return -ENAMETOOLONG; +- +- return crypto_gcm_create_common(tmpl, tb, full_name, +- ctr_name, "ghash"); ++ return crypto_gcm_create_common(tmpl, tb, ctr_name, "ghash"); + } + + static struct crypto_template crypto_gcm_tmpl = { +@@ -756,7 +750,6 @@ static int crypto_gcm_base_create(struct crypto_template *tmpl, + { + const char *ctr_name; + const char *ghash_name; +- char full_name[CRYPTO_MAX_ALG_NAME]; + + ctr_name = crypto_attr_alg_name(tb[1]); + if (IS_ERR(ctr_name)) +@@ -766,12 +759,7 @@ static int crypto_gcm_base_create(struct crypto_template *tmpl, + if (IS_ERR(ghash_name)) + return PTR_ERR(ghash_name); + +- if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)", +- ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME) +- return -ENAMETOOLONG; +- +- return crypto_gcm_create_common(tmpl, tb, full_name, +- ctr_name, ghash_name); ++ return crypto_gcm_create_common(tmpl, tb, ctr_name, ghash_name); + } + + static struct crypto_template crypto_gcm_base_tmpl = { +-- +2.21.0.1020.gf2820cf01a-goog + diff --git a/crypto-salsa20-don-t-access-already-freed-walk.iv.patch b/crypto-salsa20-don-t-access-already-freed-walk.iv.patch new file mode 100644 index 0000000..2e94806 --- /dev/null +++ b/crypto-salsa20-don-t-access-already-freed-walk.iv.patch @@ -0,0 +1,45 @@ +From edaf28e996af69222b2cb40455dbb5459c2b875a Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Tue, 9 Apr 2019 23:46:30 -0700 +Subject: crypto: salsa20 - don't access already-freed walk.iv + +From: Eric Biggers <ebiggers@google.com> + +commit edaf28e996af69222b2cb40455dbb5459c2b875a upstream. + +If the user-provided IV needs to be aligned to the algorithm's +alignmask, then skcipher_walk_virt() copies the IV into a new aligned +buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then +if the caller unconditionally accesses walk.iv, it's a use-after-free. + +salsa20-generic doesn't set an alignmask, so currently it isn't affected +by this despite unconditionally accessing walk.iv. However this is more +subtle than desired, and it was actually broken prior to the alignmask +being removed by commit b62b3db76f73 ("crypto: salsa20-generic - cleanup +and convert to skcipher API"). + +Since salsa20-generic does not update the IV and does not need any IV +alignment, update it to use req->iv instead of walk.iv. + +Fixes: 2407d60872dd ("[CRYPTO] salsa20: Salsa20 stream cipher") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + + +--- + crypto/salsa20_generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/salsa20_generic.c ++++ b/crypto/salsa20_generic.c +@@ -186,7 +186,7 @@ static int encrypt(struct blkcipher_desc + blkcipher_walk_init(&walk, dst, src, nbytes); + err = blkcipher_walk_virt_block(desc, &walk, 64); + +- salsa20_ivsetup(ctx, walk.iv); ++ salsa20_ivsetup(ctx, desc->info); + + while (walk.nbytes >= 64) { + salsa20_encrypt_bytes(ctx, walk.dst.virt.addr, diff --git a/ext4-actually-request-zeroing-of-inode-table-after-grow.patch b/ext4-actually-request-zeroing-of-inode-table-after-grow.patch new file mode 100644 index 0000000..73740fc --- /dev/null +++ b/ext4-actually-request-zeroing-of-inode-table-after-grow.patch @@ -0,0 +1,37 @@ +From 310a997fd74de778b9a4848a64be9cda9f18764a Mon Sep 17 00:00:00 2001 +From: Kirill Tkhai <ktkhai@virtuozzo.com> +Date: Thu, 25 Apr 2019 13:06:18 -0400 +Subject: ext4: actually request zeroing of inode table after grow + +From: Kirill Tkhai <ktkhai@virtuozzo.com> + +commit 310a997fd74de778b9a4848a64be9cda9f18764a upstream. + +It is never possible, that number of block groups decreases, +since only online grow is supported. + +But after a growing occured, we have to zero inode tables +for just created new block groups. + +Fixes: 19c5246d2516 ("ext4: add new online resize interface") +Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Reviewed-by: Jan Kara <jack@suse.cz> +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + fs/ext4/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -577,7 +577,7 @@ group_add_out: + if (err == 0) + err = err2; + mnt_drop_write_file(filp); +- if (!err && (o_group > EXT4_SB(sb)->s_groups_count) && ++ if (!err && (o_group < EXT4_SB(sb)->s_groups_count) && + ext4_has_group_desc_csum(sb) && + test_opt(sb, INIT_INODE_TABLE)) + err = ext4_register_li_request(sb, o_group); diff --git a/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch b/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch new file mode 100644 index 0000000..e81ef9a --- /dev/null +++ b/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch @@ -0,0 +1,82 @@ +From 592acbf16821288ecdc4192c47e3774a4c48bb64 Mon Sep 17 00:00:00 2001 +From: Sriram Rajagopalan <sriramr@arista.com> +Date: Fri, 10 May 2019 19:28:06 -0400 +Subject: ext4: zero out the unused memory region in the extent tree block + +From: Sriram Rajagopalan <sriramr@arista.com> + +commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream. + +This commit zeroes out the unused memory region in the buffer_head +corresponding to the extent metablock after writing the extent header +and the corresponding extent node entries. + +This is done to prevent random uninitialized data from getting into +the filesystem when the extent block is synced. + +This fixes CVE-2019-11833. + +Signed-off-by: Sriram Rajagopalan <sriramr@arista.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + fs/ext4/extents.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -1043,6 +1043,7 @@ static int ext4_ext_split(handle_t *hand + __le32 border; + ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */ + int err = 0; ++ size_t ext_size = 0; + + /* make decision: where to split? */ + /* FIXME: now decision is simplest: at current extent */ +@@ -1134,6 +1135,10 @@ static int ext4_ext_split(handle_t *hand + le16_add_cpu(&neh->eh_entries, m); + } + ++ /* zero out unused area in the extent block */ ++ ext_size = sizeof(struct ext4_extent_header) + ++ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries); ++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); + ext4_extent_block_csum_set(inode, neh); + set_buffer_uptodate(bh); + unlock_buffer(bh); +@@ -1213,6 +1218,11 @@ static int ext4_ext_split(handle_t *hand + sizeof(struct ext4_extent_idx) * m); + le16_add_cpu(&neh->eh_entries, m); + } ++ /* zero out unused area in the extent block */ ++ ext_size = sizeof(struct ext4_extent_header) + ++ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries)); ++ memset(bh->b_data + ext_size, 0, ++ inode->i_sb->s_blocksize - ext_size); + ext4_extent_block_csum_set(inode, neh); + set_buffer_uptodate(bh); + unlock_buffer(bh); +@@ -1278,6 +1288,7 @@ static int ext4_ext_grow_indepth(handle_ + ext4_fsblk_t newblock, goal = 0; + struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es; + int err = 0; ++ size_t ext_size = 0; + + /* Try to prepend new index to old one */ + if (ext_depth(inode)) +@@ -1303,9 +1314,11 @@ static int ext4_ext_grow_indepth(handle_ + goto out; + } + ++ ext_size = sizeof(EXT4_I(inode)->i_data); + /* move top-level index/leaf into new block */ +- memmove(bh->b_data, EXT4_I(inode)->i_data, +- sizeof(EXT4_I(inode)->i_data)); ++ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size); ++ /* zero out unused area in the extent block */ ++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); + + /* set size of new block */ + neh = ext_block_hdr(bh); diff --git a/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch b/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch new file mode 100644 index 0000000..37942a9 --- /dev/null +++ b/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch @@ -0,0 +1,97 @@ +From 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson <sean.j.christopherson@intel.com> +Date: Tue, 2 Apr 2019 08:19:15 -0700 +Subject: KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes + +From: Sean Christopherson <sean.j.christopherson@intel.com> + +commit 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 upstream. + +KVM allows userspace to violate consistency checks related to the +guest's CPUID model to some degree. Generally speaking, userspace has +carte blanche when it comes to guest state so long as jamming invalid +state won't negatively affect the host. + +Currently this is seems to be a non-issue as most of the interesting +EFER checks are missing, e.g. NX and LME, but those will be added +shortly. Proactively exempt userspace from the CPUID checks so as not +to break userspace. + +Note, the efer_reserved_bits check still applies to userspace writes as +that mask reflects the host's capabilities, e.g. KVM shouldn't allow a +guest to run with NX=1 if it has been disabled in the host. + +Fixes: d80174745ba39 ("KVM: SVM: Only allow setting of EFER_SVME when CPUID SVM is set") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + arch/x86/kvm/x86.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -935,11 +935,8 @@ static const u32 emulated_msrs[] = { + MSR_IA32_MCG_CTL, + }; + +-bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) ++static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) + { +- if (efer & efer_reserved_bits) +- return false; +- + if (efer & EFER_FFXSR) { + struct kvm_cpuid_entry2 *feat; + +@@ -957,19 +954,33 @@ bool kvm_valid_efer(struct kvm_vcpu *vcp + } + + return true; ++ ++} ++bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) ++{ ++ if (efer & efer_reserved_bits) ++ return false; ++ ++ return __kvm_valid_efer(vcpu, efer); + } + EXPORT_SYMBOL_GPL(kvm_valid_efer); + +-static int set_efer(struct kvm_vcpu *vcpu, u64 efer) ++static int set_efer(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + { + u64 old_efer = vcpu->arch.efer; ++ u64 efer = msr_info->data; + +- if (!kvm_valid_efer(vcpu, efer)) +- return 1; ++ if (efer & efer_reserved_bits) ++ return false; + +- if (is_paging(vcpu) +- && (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME)) +- return 1; ++ if (!msr_info->host_initiated) { ++ if (!__kvm_valid_efer(vcpu, efer)) ++ return 1; ++ ++ if (is_paging(vcpu) && ++ (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME)) ++ return 1; ++ } + + efer &= ~EFER_LMA; + efer |= vcpu->arch.efer & EFER_LMA; +@@ -2097,7 +2108,7 @@ int kvm_set_msr_common(struct kvm_vcpu * + break; + + case MSR_EFER: +- return set_efer(vcpu, data); ++ return set_efer(vcpu, msr_info); + case MSR_K7_HWCR: + data &= ~(u64)0x40; /* ignore flush filter disable */ + data &= ~(u64)0x100; /* ignore ignne emulation enable */ diff --git a/mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for-da9063-63l.patch b/mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for-da9063-63l.patch new file mode 100644 index 0000000..e35cb17 --- /dev/null +++ b/mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for-da9063-63l.patch @@ -0,0 +1,39 @@ +From 6b4814a9451add06d457e198be418bf6a3e6a990 Mon Sep 17 00:00:00 2001 +From: Steve Twiss <stwiss.opensource@diasemi.com> +Date: Fri, 26 Apr 2019 14:33:35 +0100 +Subject: mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L + +From: Steve Twiss <stwiss.opensource@diasemi.com> + +commit 6b4814a9451add06d457e198be418bf6a3e6a990 upstream. + +Mismatch between what is found in the Datasheets for DA9063 and DA9063L +provided by Dialog Semiconductor, and the register names provided in the +MFD registers file. The changes are for the OTP (one-time-programming) +control registers. The two naming errors are OPT instead of OTP, and +COUNT instead of CONT (i.e. control). + +Cc: Stable <stable@vger.kernel.org> +Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com> +Signed-off-by: Lee Jones <lee.jones@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + include/linux/mfd/da9063/registers.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/include/linux/mfd/da9063/registers.h ++++ b/include/linux/mfd/da9063/registers.h +@@ -215,9 +215,9 @@ + + /* DA9063 Configuration registers */ + /* OTP */ +-#define DA9063_REG_OPT_COUNT 0x101 +-#define DA9063_REG_OPT_ADDR 0x102 +-#define DA9063_REG_OPT_DATA 0x103 ++#define DA9063_REG_OTP_CONT 0x101 ++#define DA9063_REG_OTP_ADDR 0x102 ++#define DA9063_REG_OTP_DATA 0x103 + + /* Customer Trim and Configuration */ + #define DA9063_REG_T_OFFSET 0x104 @@ -4,3 +4,15 @@ alsa-usb-audio-fix-a-memory-leak-bug.patch alsa-hda-hdmi-consider-eld_valid-when-reporting-jack-event.patch alsa-hda-realtek-eapd-turn-on-later.patch asoc-max98090-fix-restore-of-dapm-muxes.patch +mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for-da9063-63l.patch +tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch +ext4-actually-request-zeroing-of-inode-table-after-grow.patch +bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch +bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch +crypto-salsa20-don-t-access-already-freed-walk.iv.patch +crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch +ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch +alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch +kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch +crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch +crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch diff --git a/tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch b/tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch new file mode 100644 index 0000000..69382db --- /dev/null +++ b/tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch @@ -0,0 +1,183 @@ +From 46ca3f735f345c9d87383dd3a09fa5d43870770e Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich <slyfox@gentoo.org> +Date: Sun, 10 Mar 2019 21:24:15 +0000 +Subject: tty/vt: fix write/write race in ioctl(KDSKBSENT) handler + +From: Sergei Trofimovich <slyfox@gentoo.org> + +commit 46ca3f735f345c9d87383dd3a09fa5d43870770e upstream. + +The bug manifests as an attempt to access deallocated memory: + + BUG: unable to handle kernel paging request at ffff9c8735448000 + #PF error: [PROT] [WRITE] + PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161 + Oops: 0003 [#1] PREEMPT SMP + CPU: 6 PID: 388 Comm: loadkeys Tainted: G C 5.0.0-rc6-00153-g5ded5871030e #91 + Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013 + RIP: 0010:__memmove+0x81/0x1a0 + Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49 + RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203 + RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf + RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb + RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b + R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000 + R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c + FS: 00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0 + Call Trace: + vt_do_kdgkb_ioctl+0x34d/0x440 + vt_ioctl+0xba3/0x1190 + ? __bpf_prog_run32+0x39/0x60 + ? mem_cgroup_commit_charge+0x7b/0x4e0 + tty_ioctl+0x23f/0x920 + ? preempt_count_sub+0x98/0xe0 + ? __seccomp_filter+0x67/0x600 + do_vfs_ioctl+0xa2/0x6a0 + ? syscall_trace_enter+0x192/0x2d0 + ksys_ioctl+0x3a/0x70 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x54/0xe0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The bug manifests on systemd systems with multiple vtcon devices: + # cat /sys/devices/virtual/vtconsole/vtcon0/name + (S) dummy device + # cat /sys/devices/virtual/vtconsole/vtcon1/name + (M) frame buffer device + +There systemd runs 'loadkeys' tool in tapallel for each vtcon +instance. This causes two parallel ioctl(KDSKBSENT) calls to +race into adding the same entry into 'func_table' array at: + + drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl() + +The function has no locking around writes to 'func_table'. + +The simplest reproducer is to have initrams with the following +init on a 8-CPU machine x86_64: + + #!/bin/sh + + loadkeys -q windowkeys ru4 & + loadkeys -q windowkeys ru4 & + loadkeys -q windowkeys ru4 & + loadkeys -q windowkeys ru4 & + + loadkeys -q windowkeys ru4 & + loadkeys -q windowkeys ru4 & + loadkeys -q windowkeys ru4 & + loadkeys -q windowkeys ru4 & + wait + +The change adds lock on write path only. Reads are still racy. + +CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +CC: Jiri Slaby <jslaby@suse.com> +Link: https://lkml.org/lkml/2019/2/17/256 +Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/tty/vt/keyboard.c | 33 +++++++++++++++++++++++++++------ + 1 file changed, 27 insertions(+), 6 deletions(-) + +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -120,6 +120,7 @@ static const int NR_TYPES = ARRAY_SIZE(m + static struct input_handler kbd_handler; + static DEFINE_SPINLOCK(kbd_event_lock); + static DEFINE_SPINLOCK(led_lock); ++static DEFINE_SPINLOCK(func_buf_lock); /* guard 'func_buf' and friends */ + static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */ + static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */ + static bool dead_key_next; +@@ -1865,11 +1866,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb + char *p; + u_char *q; + u_char __user *up; +- int sz; ++ int sz, fnw_sz; + int delta; + char *first_free, *fj, *fnw; + int i, j, k; + int ret; ++ unsigned long flags; + + if (!capable(CAP_SYS_TTY_CONFIG)) + perm = 0; +@@ -1912,7 +1914,14 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb + goto reterr; + } + ++ fnw = NULL; ++ fnw_sz = 0; ++ /* race aginst other writers */ ++ again: ++ spin_lock_irqsave(&func_buf_lock, flags); + q = func_table[i]; ++ ++ /* fj pointer to next entry after 'q' */ + first_free = funcbufptr + (funcbufsize - funcbufleft); + for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++) + ; +@@ -1920,10 +1929,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb + fj = func_table[j]; + else + fj = first_free; +- ++ /* buffer usage increase by new entry */ + delta = (q ? -strlen(q) : 1) + strlen(kbs->kb_string); ++ + if (delta <= funcbufleft) { /* it fits in current buf */ + if (j < MAX_NR_FUNC) { ++ /* make enough space for new entry at 'fj' */ + memmove(fj + delta, fj, first_free - fj); + for (k = j; k < MAX_NR_FUNC; k++) + if (func_table[k]) +@@ -1936,20 +1947,28 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb + sz = 256; + while (sz < funcbufsize - funcbufleft + delta) + sz <<= 1; +- fnw = kmalloc(sz, GFP_KERNEL); +- if(!fnw) { +- ret = -ENOMEM; +- goto reterr; ++ if (fnw_sz != sz) { ++ spin_unlock_irqrestore(&func_buf_lock, flags); ++ kfree(fnw); ++ fnw = kmalloc(sz, GFP_KERNEL); ++ fnw_sz = sz; ++ if (!fnw) { ++ ret = -ENOMEM; ++ goto reterr; ++ } ++ goto again; + } + + if (!q) + func_table[i] = fj; ++ /* copy data before insertion point to new location */ + if (fj > funcbufptr) + memmove(fnw, funcbufptr, fj - funcbufptr); + for (k = 0; k < j; k++) + if (func_table[k]) + func_table[k] = fnw + (func_table[k] - funcbufptr); + ++ /* copy data after insertion point to new location */ + if (first_free > fj) { + memmove(fnw + (fj - funcbufptr) + delta, fj, first_free - fj); + for (k = j; k < MAX_NR_FUNC; k++) +@@ -1962,7 +1981,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb + funcbufleft = funcbufleft - delta + sz - funcbufsize; + funcbufsize = sz; + } ++ /* finally insert item itself */ + strcpy(func_table[i], kbs->kb_string); ++ spin_unlock_irqrestore(&func_buf_lock, flags); + break; + } + ret = 0; |