--- /dev/null
+From e7b2ec3d3d4ebeb4cff7ae45cf430182fa6a49fb Mon Sep 17 00:00:00 2001
+From: Ritesh Harjani <riteshh@linux.ibm.com>
+Date: Sun, 30 May 2021 20:24:05 +0530
+Subject: btrfs: return value from btrfs_mark_extent_written() in case of error
+
+From: Ritesh Harjani <riteshh@linux.ibm.com>
+
+commit e7b2ec3d3d4ebeb4cff7ae45cf430182fa6a49fb upstream.
+
+We always return 0 even in case of an error in btrfs_mark_extent_written().
+Fix it to return proper error value in case of a failure. All callers
+handle it.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -1089,7 +1089,7 @@ int btrfs_mark_extent_written(struct btr
+ int del_nr = 0;
+ int del_slot = 0;
+ int recow;
+- int ret;
++ int ret = 0;
+ u64 ino = btrfs_ino(inode);
+
+ path = btrfs_alloc_path();
+@@ -1284,7 +1284,7 @@ again:
+ }
+ out:
+ btrfs_free_path(path);
+- return 0;
++ return ret;
+ }
+
+ /*
--- /dev/null
+From b7e24eb1caa5f8da20d405d262dba67943aedc42 Mon Sep 17 00:00:00 2001
+From: Alexander Kuznetsov <wwfq@yandex-team.ru>
+Date: Wed, 9 Jun 2021 10:17:19 +0300
+Subject: cgroup1: don't allow '\n' in renaming
+
+From: Alexander Kuznetsov <wwfq@yandex-team.ru>
+
+commit b7e24eb1caa5f8da20d405d262dba67943aedc42 upstream.
+
+cgroup_mkdir() have restriction on newline usage in names:
+$ mkdir $'/sys/fs/cgroup/cpu/test\ntest2'
+mkdir: cannot create directory
+'/sys/fs/cgroup/cpu/test\ntest2': Invalid argument
+
+But in cgroup1_rename() such check is missed.
+This allows us to make /proc/<pid>/cgroup unparsable:
+$ mkdir /sys/fs/cgroup/cpu/test
+$ mv /sys/fs/cgroup/cpu/test $'/sys/fs/cgroup/cpu/test\ntest2'
+$ echo $$ > $'/sys/fs/cgroup/cpu/test\ntest2'
+$ cat /proc/self/cgroup
+11:pids:/
+10:freezer:/
+9:hugetlb:/
+8:cpuset:/
+7:blkio:/user.slice
+6:memory:/user.slice
+5:net_cls,net_prio:/
+4:perf_event:/
+3:devices:/user.slice
+2:cpu,cpuacct:/test
+test2
+1:name=systemd:/
+0::/
+
+Signed-off-by: Alexander Kuznetsov <wwfq@yandex-team.ru>
+Reported-by: Andrey Krasichkov <buglloc@yandex-team.ru>
+Acked-by: Dmitry Yakunin <zeil@yandex-team.ru>
+Cc: stable@vger.kernel.org
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -3310,6 +3310,10 @@ static int cgroup_rename(struct kernfs_n
+ struct cgroup *cgrp = kn->priv;
+ int ret;
+
++ /* do not accept '\n' to prevent making /proc/<pid>/cgroup unparsable */
++ if (strchr(new_name_str, '\n'))
++ return -EINVAL;
++
+ if (kernfs_type(kn) != KERNFS_DIR)
+ return -ENOTDIR;
+ if (kn->parent != new_parent)
--- /dev/null
+From da27a83fd6cc7780fea190e1f5c19e87019da65c Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 8 Jun 2021 15:31:42 -0400
+Subject: kvm: avoid speculation-based attacks from out-of-range memslot accesses
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit da27a83fd6cc7780fea190e1f5c19e87019da65c upstream.
+
+KVM's mechanism for accessing guest memory translates a guest physical
+address (gpa) to a host virtual address using the right-shifted gpa
+(also known as gfn) and a struct kvm_memory_slot. The translation is
+performed in __gfn_to_hva_memslot using the following formula:
+
+ hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE
+
+It is expected that gfn falls within the boundaries of the guest's
+physical memory. However, a guest can access invalid physical addresses
+in such a way that the gfn is invalid.
+
+__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first
+retrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot
+does check that the gfn falls within the boundaries of the guest's
+physical memory or not, a CPU can speculate the result of the check and
+continue execution speculatively using an illegal gfn. The speculation
+can result in calculating an out-of-bounds hva. If the resulting host
+virtual address is used to load another guest physical address, this
+is effectively a Spectre gadget consisting of two consecutive reads,
+the second of which is data dependent on the first.
+
+Right now it's not clear if there are any cases in which this is
+exploitable. One interesting case was reported by the original author
+of this patch, and involves visiting guest page tables on x86. Right
+now these are not vulnerable because the hva read goes through get_user(),
+which contains an LFENCE speculation barrier. However, there are
+patches in progress for x86 uaccess.h to mask kernel addresses instead of
+using LFENCE; once these land, a guest could use speculation to read
+from the VMM's ring 3 address space. Other architectures such as ARM
+already use the address masking method, and would be susceptible to
+this same kind of data-dependent access gadgets. Therefore, this patch
+proactively protects from these attacks by masking out-of-bounds gfns
+in __gfn_to_hva_memslot, which blocks speculation of invalid hvas.
+
+Sean Christopherson noted that this patch does not cover
+kvm_read_guest_offset_cached. This however is limited to a few bytes
+past the end of the cache, and therefore it is unlikely to be useful in
+the context of building a chain of data dependent accesses.
+
+Reported-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
+Co-developed-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kvm_host.h | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -25,6 +25,7 @@
+ #include <linux/irqflags.h>
+ #include <linux/context_tracking.h>
+ #include <linux/irqbypass.h>
++#include <linux/nospec.h>
+ #include <asm/signal.h>
+
+ #include <linux/kvm.h>
+@@ -952,7 +953,15 @@ __gfn_to_memslot(struct kvm_memslots *sl
+ static inline unsigned long
+ __gfn_to_hva_memslot(struct kvm_memory_slot *slot, gfn_t gfn)
+ {
+- return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE;
++ /*
++ * The index was checked originally in search_memslots. To avoid
++ * that a malicious guest builds a Spectre gadget out of e.g. page
++ * table walks, do not let the processor speculate loads outside
++ * the guest's registered memslots.
++ */
++ unsigned long offset = array_index_nospec(gfn - slot->base_gfn,
++ slot->npages);
++ return slot->userspace_addr + offset * PAGE_SIZE;
+ }
+
+ static inline int memslot_id(struct kvm *kvm, gfn_t gfn)
powerpc-fsl-set-fsl-i2c-erratum-a004447-flag-for-p10.patch
i2c-mpc-make-use-of-i2c_recover_bus.patch
i2c-mpc-implement-erratum-a-004447-workaround.patch
+kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch
+btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch
+cgroup1-don-t-allow-n-in-renaming.patch
+usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch
+usb-dwc3-ep0-fix-null-pointer-exception.patch
+usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch
+usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch
+usb-serial-quatech2-fix-control-request-directions.patch
+usb-gadget-eem-fix-wrong-eem-header-operation.patch
--- /dev/null
+From d00889080ab60051627dab1d85831cd9db750e2a Mon Sep 17 00:00:00 2001
+From: Marian-Cristian Rotariu <marian.c.rotariu@gmail.com>
+Date: Tue, 8 Jun 2021 19:26:50 +0300
+Subject: usb: dwc3: ep0: fix NULL pointer exception
+
+From: Marian-Cristian Rotariu <marian.c.rotariu@gmail.com>
+
+commit d00889080ab60051627dab1d85831cd9db750e2a upstream.
+
+There is no validation of the index from dwc3_wIndex_to_dep() and we might
+be referring a non-existing ep and trigger a NULL pointer exception. In
+certain configurations we might use fewer eps and the index might wrongly
+indicate a larger ep index than existing.
+
+By adding this validation from the patch we can actually report a wrong
+index back to the caller.
+
+In our usecase we are using a composite device on an older kernel, but
+upstream might use this fix also. Unfortunately, I cannot describe the
+hardware for others to reproduce the issue as it is a proprietary
+implementation.
+
+[ 82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4
+[ 82.966891] Mem abort info:
+[ 82.969663] ESR = 0x96000006
+[ 82.972703] Exception class = DABT (current EL), IL = 32 bits
+[ 82.978603] SET = 0, FnV = 0
+[ 82.981642] EA = 0, S1PTW = 0
+[ 82.984765] Data abort info:
+[ 82.987631] ISV = 0, ISS = 0x00000006
+[ 82.991449] CM = 0, WnR = 0
+[ 82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc
+[ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000
+[ 83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP
+[ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)
+[ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1
+[ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)
+[ 83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c
+[ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94
+
+...
+
+[ 83.141788] Call trace:
+[ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c
+[ 83.148823] dwc3_ep0_interrupt+0x3b4/0xc94
+[ 83.181546] ---[ end trace aac6b5267d84c32f ]---
+
+Signed-off-by: Marian-Cristian Rotariu <marian.c.rotariu@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210608162650.58426-1-marian.c.rotariu@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/ep0.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/dwc3/ep0.c
++++ b/drivers/usb/dwc3/ep0.c
+@@ -331,6 +331,9 @@ static struct dwc3_ep *dwc3_wIndex_to_de
+ epnum |= 1;
+
+ dep = dwc->eps[epnum];
++ if (dep == NULL)
++ return NULL;
++
+ if (dep->flags & DWC3_EP_ENABLED)
+ return dep;
+
--- /dev/null
+From 3370139745853f7826895293e8ac3aec1430508e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= <maze@google.com>
+Date: Mon, 7 Jun 2021 17:53:44 -0700
+Subject: USB: f_ncm: ncm_bitrate (speed) is unsigned
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+commit 3370139745853f7826895293e8ac3aec1430508e upstream.
+
+[ 190.544755] configfs-gadget gadget: notify speed -44967296
+
+This is because 4250000000 - 2**32 is -44967296.
+
+Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added")
+Cc: Brooke Basile <brookebasile@gmail.com>
+Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Cc: Yauheni Kaliuta <yauheni.kaliuta@nokia.com>
+Cc: Linux USB Mailing List <linux-usb@vger.kernel.org>
+Acked-By: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210608005344.3762668-1-zenczykowski@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_ncm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -514,7 +514,7 @@ static void ncm_do_notify(struct f_ncm *
+ data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
+ data[1] = data[0];
+
+- DBG(cdev, "notify speed %d\n", ncm_bitrate(cdev->gadget));
++ DBG(cdev, "notify speed %u\n", ncm_bitrate(cdev->gadget));
+ ncm->notify_state = NCM_NOTIFY_CONNECT;
+ break;
+ }
--- /dev/null
+From 305f670846a31a261462577dd0b967c4fa796871 Mon Sep 17 00:00:00 2001
+From: Linyu Yuan <linyyuan@codeaurora.com>
+Date: Wed, 9 Jun 2021 07:35:47 +0800
+Subject: usb: gadget: eem: fix wrong eem header operation
+
+From: Linyu Yuan <linyyuan@codeaurora.com>
+
+commit 305f670846a31a261462577dd0b967c4fa796871 upstream.
+
+when skb_clone() or skb_copy_expand() fail,
+it should pull skb with lengh indicated by header,
+or not it will read network data and check it as header.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Linyu Yuan <linyyuan@codeaurora.com>
+Link: https://lore.kernel.org/r/20210608233547.3767-1-linyyuan@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_eem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_eem.c
++++ b/drivers/usb/gadget/function/f_eem.c
+@@ -498,7 +498,7 @@ static int eem_unwrap(struct gether *por
+ skb2 = skb_clone(skb, GFP_ATOMIC);
+ if (unlikely(!skb2)) {
+ DBG(cdev, "unable to unframe EEM packet\n");
+- continue;
++ goto next;
+ }
+ skb_trim(skb2, len - ETH_FCS_LEN);
+
+@@ -509,7 +509,7 @@ static int eem_unwrap(struct gether *por
+ if (unlikely(!skb3)) {
+ DBG(cdev, "unable to realign EEM packet\n");
+ dev_kfree_skb_any(skb2);
+- continue;
++ goto next;
+ }
+ dev_kfree_skb_any(skb2);
+ skb_queue_tail(list, skb3);
--- /dev/null
+From bc96c72df33ee81b24d87eab953c73f7bcc04f29 Mon Sep 17 00:00:00 2001
+From: George McCollister <george.mccollister@gmail.com>
+Date: Thu, 3 Jun 2021 19:32:08 -0500
+Subject: USB: serial: ftdi_sio: add NovaTech OrionMX product ID
+
+From: George McCollister <george.mccollister@gmail.com>
+
+commit bc96c72df33ee81b24d87eab953c73f7bcc04f29 upstream.
+
+Add PID for the NovaTech OrionMX so it can be automatically detected.
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ftdi_sio.c | 1 +
+ drivers/usb/serial/ftdi_sio_ids.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -606,6 +606,7 @@ static const struct usb_device_id id_tab
+ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
++ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONMX_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) },
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -580,6 +580,7 @@
+ #define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */
+ #define FTDI_NT_ORIONLX_PLUS_PID 0x7c91 /* OrionLX+ Substation Automation Platform */
+ #define FTDI_NT_ORION_IO_PID 0x7c92 /* Orion I/O */
++#define FTDI_NT_ORIONMX_PID 0x7c93 /* OrionMX */
+
+ /*
+ * Synapse Wireless product ids (FTDI_VID)
--- /dev/null
+From fc0b3dc9a11771c3919eaaaf9d649138b095aa0f Mon Sep 17 00:00:00 2001
+From: Alexandre GRIVEAUX <agriveaux@deutnet.info>
+Date: Sun, 23 May 2021 18:35:21 +0200
+Subject: USB: serial: omninet: add device id for Zyxel Omni 56K Plus
+
+From: Alexandre GRIVEAUX <agriveaux@deutnet.info>
+
+commit fc0b3dc9a11771c3919eaaaf9d649138b095aa0f upstream.
+
+Add device id for Zyxel Omni 56K Plus modem, this modem include:
+
+USB chip:
+NetChip
+NET2888
+
+Main chip:
+901041A
+F721501APGF
+
+Another modem using the same chips is the Zyxel Omni 56K DUO/NEO,
+could be added with the right USB ID.
+
+Signed-off-by: Alexandre GRIVEAUX <agriveaux@deutnet.info>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/omninet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/omninet.c
++++ b/drivers/usb/serial/omninet.c
+@@ -27,6 +27,7 @@
+
+ #define ZYXEL_VENDOR_ID 0x0586
+ #define ZYXEL_OMNINET_ID 0x1000
++#define ZYXEL_OMNI_56K_PLUS_ID 0x1500
+ /* This one seems to be a re-branded ZyXEL device */
+ #define BT_IGNITIONPRO_ID 0x2000
+
+@@ -44,6 +45,7 @@ static int omninet_port_remove(struct us
+
+ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(ZYXEL_VENDOR_ID, ZYXEL_OMNINET_ID) },
++ { USB_DEVICE(ZYXEL_VENDOR_ID, ZYXEL_OMNI_56K_PLUS_ID) },
+ { USB_DEVICE(ZYXEL_VENDOR_ID, BT_IGNITIONPRO_ID) },
+ { } /* Terminating entry */
+ };
--- /dev/null
+From eb8dbe80326c3d44c1e38ee4f40e0d8d3e06f2d0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 24 May 2021 11:17:05 +0200
+Subject: USB: serial: quatech2: fix control-request directions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit eb8dbe80326c3d44c1e38ee4f40e0d8d3e06f2d0 upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Fix the three requests which erroneously used usb_rcvctrlpipe().
+
+Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
+Cc: stable@vger.kernel.org # 3.5
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/quatech2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/serial/quatech2.c
++++ b/drivers/usb/serial/quatech2.c
+@@ -419,7 +419,7 @@ static void qt2_close(struct usb_serial_
+
+ /* flush the port transmit buffer */
+ i = usb_control_msg(serial->dev,
+- usb_rcvctrlpipe(serial->dev, 0),
++ usb_sndctrlpipe(serial->dev, 0),
+ QT2_FLUSH_DEVICE, 0x40, 1,
+ port_priv->device_port, NULL, 0, QT2_USB_TIMEOUT);
+
+@@ -429,7 +429,7 @@ static void qt2_close(struct usb_serial_
+
+ /* flush the port receive buffer */
+ i = usb_control_msg(serial->dev,
+- usb_rcvctrlpipe(serial->dev, 0),
++ usb_sndctrlpipe(serial->dev, 0),
+ QT2_FLUSH_DEVICE, 0x40, 0,
+ port_priv->device_port, NULL, 0, QT2_USB_TIMEOUT);
+
+@@ -701,7 +701,7 @@ static int qt2_attach(struct usb_serial
+ int status;
+
+ /* power on unit */
+- status = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
++ status = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
+ 0xc2, 0x40, 0x8000, 0, NULL, 0,
+ QT2_USB_TIMEOUT);
+ if (status < 0) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
