--- /dev/null
+From aa57157be69fb599bd4c38a4b75c5aad74a60ec0 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Tue, 29 Oct 2019 15:30:51 +0000
+Subject: arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit aa57157be69fb599bd4c38a4b75c5aad74a60ec0 upstream.
+
+Shared and writable mappings (__S.1.) should be clean (!dirty) initially
+and made dirty on a subsequent write either through the hardware DBM
+(dirty bit management) mechanism or through a write page fault. A clean
+pte for the arm64 kernel is one that has PTE_RDONLY set and PTE_DIRTY
+clear.
+
+The PAGE_SHARED{,_EXEC} attributes have PTE_WRITE set (PTE_DBM) and
+PTE_DIRTY clear. Prior to commit 73e86cb03cf2 ("arm64: Move PTE_RDONLY
+bit handling out of set_pte_at()"), it was the responsibility of
+set_pte_at() to set the PTE_RDONLY bit and mark the pte clean if the
+software PTE_DIRTY bit was not set. However, the above commit removed
+the pte_sw_dirty() check and the subsequent setting of PTE_RDONLY in
+set_pte_at() while leaving the PAGE_SHARED{,_EXEC} definitions
+unchanged. The result is that shared+writable mappings are now dirty by
+default
+
+Fix the above by explicitly setting PTE_RDONLY in PAGE_SHARED{,_EXEC}.
+In addition, remove the superfluous PTE_DIRTY bit from the kernel PROT_*
+attributes.
+
+Fixes: 73e86cb03cf2 ("arm64: Move PTE_RDONLY bit handling out of set_pte_at()")
+Cc: <stable@vger.kernel.org> # 4.14.x-
+Cc: Will Deacon <will@kernel.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/pgtable-prot.h | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/arch/arm64/include/asm/pgtable-prot.h
++++ b/arch/arm64/include/asm/pgtable-prot.h
+@@ -43,11 +43,11 @@
+ #define PROT_DEFAULT (_PROT_DEFAULT | PTE_MAYBE_NG)
+ #define PROT_SECT_DEFAULT (_PROT_SECT_DEFAULT | PMD_MAYBE_NG)
+
+-#define PROT_DEVICE_nGnRnE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRnE))
+-#define PROT_DEVICE_nGnRE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRE))
+-#define PROT_NORMAL_NC (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL_NC))
+-#define PROT_NORMAL_WT (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL_WT))
+-#define PROT_NORMAL (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL))
++#define PROT_DEVICE_nGnRnE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRnE))
++#define PROT_DEVICE_nGnRE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRE))
++#define PROT_NORMAL_NC (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL_NC))
++#define PROT_NORMAL_WT (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL_WT))
++#define PROT_NORMAL (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL))
+
+ #define PROT_SECT_DEVICE_nGnRE (PROT_SECT_DEFAULT | PMD_SECT_PXN | PMD_SECT_UXN | PMD_ATTRINDX(MT_DEVICE_nGnRE))
+ #define PROT_SECT_NORMAL (PROT_SECT_DEFAULT | PMD_SECT_PXN | PMD_SECT_UXN | PMD_ATTRINDX(MT_NORMAL))
+@@ -71,8 +71,9 @@
+ #define PAGE_S2_DEVICE __pgprot(_PROT_DEFAULT | PTE_S2_MEMATTR(MT_S2_DEVICE_nGnRE) | PTE_S2_RDONLY | PTE_UXN)
+
+ #define PAGE_NONE __pgprot(((_PAGE_DEFAULT) & ~PTE_VALID) | PTE_PROT_NONE | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN)
+-#define PAGE_SHARED __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE)
+-#define PAGE_SHARED_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_WRITE)
++/* shared+writable pages are clean by default, hence PTE_RDONLY|PTE_WRITE */
++#define PAGE_SHARED __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE)
++#define PAGE_SHARED_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE)
+ #define PAGE_READONLY __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN)
+ #define PAGE_READONLY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN)
+ #define PAGE_EXECONLY __pgprot(_PAGE_DEFAULT | PTE_RDONLY | PTE_NG | PTE_PXN)
--- /dev/null
+From bacdcb6675e170bb2e8d3824da220e10274f42a7 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Wed, 23 Oct 2019 08:31:38 -0700
+Subject: dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit bacdcb6675e170bb2e8d3824da220e10274f42a7 upstream.
+
+Yegor Yefremov <yegorslists@googlemail.com> reported that musb and ftdi
+uart can fail for the first open of the uart unless connected using
+a hub.
+
+This is because the first dma call done by musb_ep_program() must wait
+if cppi41 is PM runtime suspended. Otherwise musb_ep_program() continues
+with other non-dma packets before the DMA transfer is started causing at
+least ftdi uarts to fail to receive data.
+
+Let's fix the issue by waking up cppi41 with PM runtime calls added to
+cppi41_dma_prep_slave_sg() and return NULL if still idled. This way we
+have musb_ep_program() continue with PIO until cppi41 is awake.
+
+Fixes: fdea2d09b997 ("dmaengine: cppi41: Add basic PM runtime support")
+Reported-by: Yegor Yefremov <yegorslists@googlemail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Cc: stable@vger.kernel.org # v4.9+
+Link: https://lore.kernel.org/r/20191023153138.23442-1-tony@atomide.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/cppi41.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/cppi41.c
++++ b/drivers/dma/cppi41.c
+@@ -585,9 +585,22 @@ static struct dma_async_tx_descriptor *c
+ enum dma_transfer_direction dir, unsigned long tx_flags, void *context)
+ {
+ struct cppi41_channel *c = to_cpp41_chan(chan);
++ struct dma_async_tx_descriptor *txd = NULL;
++ struct cppi41_dd *cdd = c->cdd;
+ struct cppi41_desc *d;
+ struct scatterlist *sg;
+ unsigned int i;
++ int error;
++
++ error = pm_runtime_get(cdd->ddev.dev);
++ if (error < 0) {
++ pm_runtime_put_noidle(cdd->ddev.dev);
++
++ return NULL;
++ }
++
++ if (cdd->is_suspended)
++ goto err_out_not_ready;
+
+ d = c->desc;
+ for_each_sg(sgl, sg, sg_len, i) {
+@@ -610,7 +623,13 @@ static struct dma_async_tx_descriptor *c
+ d++;
+ }
+
+- return &c->txd;
++ txd = &c->txd;
++
++err_out_not_ready:
++ pm_runtime_mark_last_busy(cdd->ddev.dev);
++ pm_runtime_put_autosuspend(cdd->ddev.dev);
++
++ return txd;
+ }
+
+ static void cppi41_compute_td_desc(struct cppi41_desc *d)
--- /dev/null
+From 1fab1b89e2e8f01204a9c05a39fd0b6411a48593 Mon Sep 17 00:00:00 2001
+From: Markus Theil <markus.theil@tu-ilmenau.de>
+Date: Tue, 29 Oct 2019 10:30:03 +0100
+Subject: nl80211: fix validation of mesh path nexthop
+
+From: Markus Theil <markus.theil@tu-ilmenau.de>
+
+commit 1fab1b89e2e8f01204a9c05a39fd0b6411a48593 upstream.
+
+Mesh path nexthop should be a ethernet address, but current validation
+checks against 4 byte integers.
+
+Cc: stable@vger.kernel.org
+Fixes: 2ec600d672e74 ("nl80211/cfg80211: support for mesh, sta dumping")
+Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
+Link: https://lore.kernel.org/r/20191029093003.10355-1-markus.theil@tu-ilmenau.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -283,7 +283,8 @@ static const struct nla_policy nl80211_p
+ [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
+ [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
+ .len = IEEE80211_MAX_MESH_ID_LEN },
+- [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
++ [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_BINARY,
++ .len = ETH_ALEN },
+
+ [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
+ [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
--- /dev/null
+From 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@redhat.com>
+Date: Fri, 18 Oct 2019 07:43:21 -0400
+Subject: rtlwifi: Fix potential overflow on P2P code
+
+From: Laura Abbott <labbott@redhat.com>
+
+commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 upstream.
+
+Nicolas Waisman noticed that even though noa_len is checked for
+a compatible length it's still possible to overrun the buffers
+of p2pinfo since there's no check on the upper bound of noa_num.
+Bound noa_num against P2P_MAX_NOA_NUM.
+
+Reported-by: Nicolas Waisman <nico@semmle.com>
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
++++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
+@@ -774,6 +774,9 @@ static void rtl_p2p_noa_ie(struct ieee80
+ return;
+ } else {
+ noa_num = (noa_len - 2) / 13;
++ if (noa_num > P2P_MAX_NOA_NUM)
++ noa_num = P2P_MAX_NOA_NUM;
++
+ }
+ noa_index = ie[3];
+ if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
+@@ -868,6 +871,9 @@ static void rtl_p2p_action_ie(struct iee
+ return;
+ } else {
+ noa_num = (noa_len - 2) / 13;
++ if (noa_num > P2P_MAX_NOA_NUM)
++ noa_num = P2P_MAX_NOA_NUM;
++
+ }
+ noa_index = ie[3];
+ if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
--- /dev/null
+From b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f Mon Sep 17 00:00:00 2001
+From: Yihui ZENG <yzeng56@asu.edu>
+Date: Fri, 25 Oct 2019 12:31:48 +0300
+Subject: s390/cmm: fix information leak in cmm_timeout_handler()
+
+From: Yihui ZENG <yzeng56@asu.edu>
+
+commit b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f upstream.
+
+The problem is that we were putting the NUL terminator too far:
+
+ buf[sizeof(buf) - 1] = '\0';
+
+If the user input isn't NUL terminated and they haven't initialized the
+whole buffer then it leads to an info leak. The NUL terminator should
+be:
+
+ buf[len - 1] = '\0';
+
+Signed-off-by: Yihui Zeng <yzeng56@asu.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+[heiko.carstens@de.ibm.com: keep semantics of how *lenp and *ppos are handled]
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/mm/cmm.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/s390/mm/cmm.c
++++ b/arch/s390/mm/cmm.c
+@@ -307,16 +307,16 @@ static int cmm_timeout_handler(struct ct
+ }
+
+ if (write) {
+- len = *lenp;
+- if (copy_from_user(buf, buffer,
+- len > sizeof(buf) ? sizeof(buf) : len))
++ len = min(*lenp, sizeof(buf));
++ if (copy_from_user(buf, buffer, len))
+ return -EFAULT;
+- buf[sizeof(buf) - 1] = '\0';
++ buf[len - 1] = '\0';
+ cmm_skip_blanks(buf, &p);
+ nr = simple_strtoul(p, &p, 0);
+ cmm_skip_blanks(p, &p);
+ seconds = simple_strtoul(p, &p, 0);
+ cmm_set_timeout(nr, seconds);
++ *ppos += *lenp;
+ } else {
+ len = sprintf(buf, "%ld %ld\n",
+ cmm_timeout_pages, cmm_timeout_seconds);
+@@ -324,9 +324,9 @@ static int cmm_timeout_handler(struct ct
+ len = *lenp;
+ if (copy_to_user(buffer, buf, len))
+ return -EFAULT;
++ *lenp = len;
++ *ppos += len;
+ }
+- *lenp = len;
+- *ppos += len;
+ return 0;
+ }
+
--- /dev/null
+From 3d7efa4edd07be5c5c3ffa95ba63e97e070e1f3f Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Mon, 28 Oct 2019 11:03:27 +0100
+Subject: s390/idle: fix cpu idle time calculation
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit 3d7efa4edd07be5c5c3ffa95ba63e97e070e1f3f upstream.
+
+The idle time reported in /proc/stat sometimes incorrectly contains
+huge values on s390. This is caused by a bug in arch_cpu_idle_time().
+
+The kernel tries to figure out when a different cpu entered idle by
+accessing its per-cpu data structure. There is an ordering problem: if
+the remote cpu has an idle_enter value which is not zero, and an
+idle_exit value which is zero, it is assumed it is idle since
+"now". The "now" timestamp however is taken before the idle_enter
+value is read.
+
+Which in turn means that "now" can be smaller than idle_enter of the
+remote cpu. Unconditionally subtracting idle_enter from "now" can thus
+lead to a negative value (aka large unsigned value).
+
+Fix this by moving the get_tod_clock() invocation out of the
+loop. While at it also make the code a bit more readable.
+
+A similar bug also exists for show_idle_time(). Fix this is as well.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/idle.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+--- a/arch/s390/kernel/idle.c
++++ b/arch/s390/kernel/idle.c
+@@ -69,18 +69,26 @@ DEVICE_ATTR(idle_count, 0444, show_idle_
+ static ssize_t show_idle_time(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
++ unsigned long long now, idle_time, idle_enter, idle_exit, in_idle;
+ struct s390_idle_data *idle = &per_cpu(s390_idle, dev->id);
+- unsigned long long now, idle_time, idle_enter, idle_exit;
+ unsigned int seq;
+
+ do {
+- now = get_tod_clock();
+ seq = read_seqcount_begin(&idle->seqcount);
+ idle_time = READ_ONCE(idle->idle_time);
+ idle_enter = READ_ONCE(idle->clock_idle_enter);
+ idle_exit = READ_ONCE(idle->clock_idle_exit);
+ } while (read_seqcount_retry(&idle->seqcount, seq));
+- idle_time += idle_enter ? ((idle_exit ? : now) - idle_enter) : 0;
++ in_idle = 0;
++ now = get_tod_clock();
++ if (idle_enter) {
++ if (idle_exit) {
++ in_idle = idle_exit - idle_enter;
++ } else if (now > idle_enter) {
++ in_idle = now - idle_enter;
++ }
++ }
++ idle_time += in_idle;
+ return sprintf(buf, "%llu\n", idle_time >> 12);
+ }
+ DEVICE_ATTR(idle_time_us, 0444, show_idle_time, NULL);
+@@ -88,17 +96,24 @@ DEVICE_ATTR(idle_time_us, 0444, show_idl
+ u64 arch_cpu_idle_time(int cpu)
+ {
+ struct s390_idle_data *idle = &per_cpu(s390_idle, cpu);
+- unsigned long long now, idle_enter, idle_exit;
++ unsigned long long now, idle_enter, idle_exit, in_idle;
+ unsigned int seq;
+
+ do {
+- now = get_tod_clock();
+ seq = read_seqcount_begin(&idle->seqcount);
+ idle_enter = READ_ONCE(idle->clock_idle_enter);
+ idle_exit = READ_ONCE(idle->clock_idle_exit);
+ } while (read_seqcount_retry(&idle->seqcount, seq));
+-
+- return cputime_to_nsecs(idle_enter ? ((idle_exit ?: now) - idle_enter) : 0);
++ in_idle = 0;
++ now = get_tod_clock();
++ if (idle_enter) {
++ if (idle_exit) {
++ in_idle = idle_exit - idle_enter;
++ } else if (now > idle_enter) {
++ in_idle = now - idle_enter;
++ }
++ }
++ return cputime_to_nsecs(in_idle);
+ }
+
+ void arch_cpu_idle_enter(void)
hid-i2c-hid-add-trekstor-primebook-c11b-to-descriptor-override.patch
hid-fix-assumption-that-devices-have-inputs.patch
hid-fix-error-message-in-hid_open_report.patch
+nl80211-fix-validation-of-mesh-path-nexthop.patch
+s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch
+s390-idle-fix-cpu-idle-time-calculation.patch
+arm64-ensure-vm_write-vm_shared-ptes-are-clean-by-default.patch
+rtlwifi-fix-potential-overflow-on-p2p-code.patch
+dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
