4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 18 Jan 2020 15:12:39 +0000 (16:12 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 18 Jan 2020 15:12:39 +0000 (16:12 +0100)
added patches:
alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
block-fix-an-integer-overflow-in-logical-block-size.patch
fix-built-in-early-load-intel-microcode-alignment.patch

queue-4.14/series [new file with mode: 0644]
queue-4.19/series [new file with mode: 0644]
queue-4.4/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch [new file with mode: 0644]
queue-4.4/block-fix-an-integer-overflow-in-logical-block-size.patch [new file with mode: 0644]
queue-4.4/fix-built-in-early-load-intel-microcode-alignment.patch [new file with mode: 0644]
queue-4.4/ocfs2-call-journal-flush-to-mark-journal-as-empty-af.patch
queue-4.4/series
queue-4.9/series
queue-5.4/series [new file with mode: 0644]

diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644 (file)
index 0000000..1affa2d
--- /dev/null
@@ -0,0 +1,8 @@
+dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch
+clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch
+asoc-msm8916-wcd-digital-reset-rx-interpolation-path-after-use.patch
+asoc-msm8916-wcd-analog-fix-selected-events-for-mic-bias-external1.patch
+alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
+fix-built-in-early-load-intel-microcode-alignment.patch
+block-fix-an-integer-overflow-in-logical-block-size.patch
+arm-dts-am571x-idk-fix-gpios-property-to-have-the-correct-gpio-number.patch
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644 (file)
index 0000000..377495a
--- /dev/null
@@ -0,0 +1,16 @@
+arm-dts-meson8-fix-the-size-of-the-pmu-registers.patch
+clk-qcom-gcc-sdm845-add-missing-flag-to-votable-gdscs.patch
+dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch
+arm-dts-imx6q-dhcom-fix-rtc-compatible.patch
+clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch
+asoc-msm8916-wcd-digital-reset-rx-interpolation-path-after-use.patch
+asoc-msm8916-wcd-analog-fix-selected-events-for-mic-bias-external1.patch
+asoc-msm8916-wcd-analog-fix-mic-bias-internal1.patch
+arm-dts-imx6q-dhcom-fix-sgtl5000-vddio-regulator-connection.patch
+alsa-dice-fix-fallback-from-protocol-extension-into-limited-functionality.patch
+alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
+alsa-usb-audio-fix-sync-ep-altsetting-sanity-check.patch
+arm64-dts-allwinner-a64-olinuxino-fix-sdio-supply-regulator.patch
+fix-built-in-early-load-intel-microcode-alignment.patch
+block-fix-an-integer-overflow-in-logical-block-size.patch
+arm-dts-am571x-idk-fix-gpios-property-to-have-the-correct-gpio-number.patch
diff --git a/queue-4.4/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch b/queue-4.4/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
new file mode 100644 (file)
index 0000000..4fd2a8b
--- /dev/null
@@ -0,0 +1,54 @@
+From 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 15 Jan 2020 21:37:33 +0100
+Subject: ALSA: seq: Fix racy access for queue timer in proc read
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a upstream.
+
+snd_seq_info_timer_read() reads the information of the timer assigned
+for each queue, but it's done in a racy way which may lead to UAF as
+spotted by syzkaller.
+
+This patch applies the missing q->timer_mutex lock while accessing the
+timer object as well as a slight code change to adapt the standard
+coding style.
+
+Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_timer.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -484,15 +484,19 @@ void snd_seq_info_timer_read(struct snd_
+               q = queueptr(idx);
+               if (q == NULL)
+                       continue;
+-              if ((tmr = q->timer) == NULL ||
+-                  (ti = tmr->timeri) == NULL) {
+-                      queuefree(q);
+-                      continue;
+-              }
++              mutex_lock(&q->timer_mutex);
++              tmr = q->timer;
++              if (!tmr)
++                      goto unlock;
++              ti = tmr->timeri;
++              if (!ti)
++                      goto unlock;
+               snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name);
+               resolution = snd_timer_resolution(ti) * tmr->ticks;
+               snd_iprintf(buffer, "  Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000);
+               snd_iprintf(buffer, "  Skew : %u / %u\n", tmr->skew, tmr->skew_base);
++unlock:
++              mutex_unlock(&q->timer_mutex);
+               queuefree(q);
+       }
+ }
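Review bot: The `mutex_lock(&q->timer_mutex)` added in snd_seq_info_timer_read() closes the use-after-free only if every path that clears or frees `q->timer` and `tmr->timeri` in the 4.4 tree also runs under the same mutex. Those writers are not visible in this hunk, so the backport should be checked against the queue teardown and timer open/close paths of the target tree rather than assumed from upstream. A one-line comment above the lock would record the invariant for later backports, for example `/* timer_mutex keeps q->timer and tmr->timeri valid while they are printed */`. The function starts outside the hunk, so the declarations of `tmr`, `ti` and `resolution` could not be checked here.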
diff --git a/queue-4.4/block-fix-an-integer-overflow-in-logical-block-size.patch b/queue-4.4/block-fix-an-integer-overflow-in-logical-block-size.patch
new file mode 100644 (file)
index 0000000..d7bae64
--- /dev/null
@@ -0,0 +1,116 @@
+From ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 15 Jan 2020 08:35:25 -0500
+Subject: block: fix an integer overflow in logical block size
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 upstream.
+
+Logical block size has type unsigned short. That means that it can be at
+most 32768. However, there are architectures that can run with 64k pages
+(for example arm64) and on these architectures, it may be possible to
+create block devices with 64k block size.
+
+For exmaple (run this on an architecture with 64k pages):
+
+Mount will fail with this error because it tries to read the superblock using 2-sector
+access:
+  device-mapper: writecache: I/O is not aligned, sector 2, size 1024, block size 65536
+  EXT4-fs (dm-0): unable to read superblock
+
+This patch changes the logical block size from unsigned short to unsigned
+int to avoid the overflow.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-settings.c            |    2 +-
+ drivers/md/dm-snap-persistent.c |    2 +-
+ drivers/md/raid0.c              |    2 +-
+ include/linux/blkdev.h          |    8 ++++----
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -349,7 +349,7 @@ EXPORT_SYMBOL(blk_queue_max_segment_size
+  *   storage device can address.  The default of 512 covers most
+  *   hardware.
+  **/
+-void blk_queue_logical_block_size(struct request_queue *q, unsigned short size)
++void blk_queue_logical_block_size(struct request_queue *q, unsigned int size)
+ {
+       q->limits.logical_block_size = size;
+--- a/drivers/md/dm-snap-persistent.c
++++ b/drivers/md/dm-snap-persistent.c
+@@ -17,7 +17,7 @@
+ #include "dm-bufio.h"
+ #define DM_MSG_PREFIX "persistent snapshot"
+-#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32      /* 16KB */
++#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32U     /* 16KB */
+ #define DM_PREFETCH_CHUNKS            12
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -83,7 +83,7 @@ static int create_strip_zones(struct mdd
+       char b[BDEVNAME_SIZE];
+       char b2[BDEVNAME_SIZE];
+       struct r0conf *conf = kzalloc(sizeof(*conf), GFP_KERNEL);
+-      unsigned short blksize = 512;
++      unsigned blksize = 512;
+       if (!conf)
+               return -ENOMEM;
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -264,6 +264,7 @@ struct queue_limits {
+       unsigned int            max_sectors;
+       unsigned int            max_segment_size;
+       unsigned int            physical_block_size;
++      unsigned int            logical_block_size;
+       unsigned int            alignment_offset;
+       unsigned int            io_min;
+       unsigned int            io_opt;
+@@ -273,7 +274,6 @@ struct queue_limits {
+       unsigned int            discard_granularity;
+       unsigned int            discard_alignment;
+-      unsigned short          logical_block_size;
+       unsigned short          max_segments;
+       unsigned short          max_integrity_segments;
+@@ -975,7 +975,7 @@ extern void blk_queue_max_discard_sector
+               unsigned int max_discard_sectors);
+ extern void blk_queue_max_write_same_sectors(struct request_queue *q,
+               unsigned int max_write_same_sectors);
+-extern void blk_queue_logical_block_size(struct request_queue *, unsigned short);
++extern void blk_queue_logical_block_size(struct request_queue *, unsigned int);
+ extern void blk_queue_physical_block_size(struct request_queue *, unsigned int);
+ extern void blk_queue_alignment_offset(struct request_queue *q,
+                                      unsigned int alignment);
+@@ -1193,7 +1193,7 @@ static inline unsigned int queue_max_seg
+       return q->limits.max_segment_size;
+ }
+-static inline unsigned short queue_logical_block_size(struct request_queue *q)
++static inline unsigned queue_logical_block_size(struct request_queue *q)
+ {
+       int retval = 512;
+@@ -1203,7 +1203,7 @@ static inline unsigned short queue_logic
+       return retval;
+ }
+-static inline unsigned short bdev_logical_block_size(struct block_device *bdev)
++static inline unsigned int bdev_logical_block_size(struct block_device *bdev)
+ {
+       return queue_logical_block_size(bdev_get_queue(bdev));
+ }
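Review bot: In the blkdev.h part, `queue_logical_block_size()` now returns `unsigned` but still carries the value through `int retval = 512;`, so the widened limit passes through a signed local before it is returned. Changing that local to `unsigned int retval = 512;` keeps the type consistent end to end. The patch also mixes the spellings `unsigned` (raid0.c `blksize`, `queue_logical_block_size`) and `unsigned int` (`bdev_logical_block_size`, the struct field), and using `unsigned int` throughout would match the surrounding declarations. Any 4.4 caller that still stores the result in an `unsigned short` would keep truncating 65536 to 0; none is visible here, so this is worth a search in the target tree. The middle of `queue_logical_block_size()` lies outside the hunks.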
diff --git a/queue-4.4/fix-built-in-early-load-intel-microcode-alignment.patch b/queue-4.4/fix-built-in-early-load-intel-microcode-alignment.patch
new file mode 100644 (file)
index 0000000..5ccdf8b
--- /dev/null
@@ -0,0 +1,54 @@
+From f5ae2ea6347a308cfe91f53b53682ce635497d0d Mon Sep 17 00:00:00 2001
+From: Jari Ruusu <jari.ruusu@gmail.com>
+Date: Sun, 12 Jan 2020 15:00:53 +0200
+Subject: Fix built-in early-load Intel microcode alignment
+
+From: Jari Ruusu <jari.ruusu@gmail.com>
+
+commit f5ae2ea6347a308cfe91f53b53682ce635497d0d upstream.
+
+Intel Software Developer's Manual, volume 3, chapter 9.11.6 says:
+
+ "Note that the microcode update must be aligned on a 16-byte boundary
+  and the size of the microcode update must be 1-KByte granular"
+
+When early-load Intel microcode is loaded from initramfs, userspace tool
+'iucode_tool' has already 16-byte aligned those microcode bits in that
+initramfs image.  Image that was created something like this:
+
+ iucode_tool --write-earlyfw=FOO.cpio microcode-files...
+
+However, when early-load Intel microcode is loaded from built-in
+firmware BLOB using CONFIG_EXTRA_FIRMWARE= kernel config option, that
+16-byte alignment is not guaranteed.
+
+Fix this by forcing all built-in firmware BLOBs to 16-byte alignment.
+
+[ If we end up having other firmware with much bigger alignment
+  requirements, we might need to introduce some method for the firmware
+  to specify it, this is the minimal "just increase the alignment a bit
+  to account for this one special case" patch    - Linus ]
+
+Signed-off-by: Jari Ruusu <jari.ruusu@gmail.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ firmware/Makefile |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/firmware/Makefile
++++ b/firmware/Makefile
+@@ -156,7 +156,7 @@ quiet_cmd_fwbin = MK_FW   $@
+                 PROGBITS=$(if $(CONFIG_ARM),%,@)progbits;                  \
+                 echo "/* Generated by firmware/Makefile */"           > $@;\
+                 echo "    .section .rodata"                           >>$@;\
+-                echo "    .p2align $${ASM_ALIGN}"                     >>$@;\
++                echo "    .p2align 4"                                 >>$@;\
+                 echo "_fw_$${FWSTR}_bin:"                             >>$@;\
+                 echo "    .incbin \"$(2)\""                           >>$@;\
+                 echo "_fw_end:"                                       >>$@;\
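Review bot: The literal in `.p2align 4` is a power-of-two exponent, so it requests 16-byte alignment, but it is easy to misread as 4 bytes now that it no longer comes from `$${ASM_ALIGN}`. A comment above the `fwbin` command would pin the intent, for example `# .p2align 4 => 2^4 = 16-byte alignment, required for Intel microcode updates (SDM vol. 3, 9.11.6)`. The recipe continues past the end of the hunk, so it is not visible whether `ASM_ALIGN` is still used further down. If this was its only use, the assignment is now dead and should be dropped in the same change.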
index ae004db51e2cbfd730a026ce203be158427f3e9d..0c327f2fe2a23b26b5e515dcaec65ecc24a90fc2 100644 (file)
@@ -111,14 +111,12 @@ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- fs/ocfs2/journal.c | 8 ++++++++
+ fs/ocfs2/journal.c |    8 ++++++++
  1 file changed, 8 insertions(+)
 
-diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c
-index 2301011428a1..bbf1634ff427 100644
 --- a/fs/ocfs2/journal.c
 +++ b/fs/ocfs2/journal.c
-@@ -1080,6 +1080,14 @@ int ocfs2_journal_load(struct ocfs2_journal *journal, int local, int replayed)
+@@ -1080,6 +1080,14 @@ int ocfs2_journal_load(struct ocfs2_jour
  
        ocfs2_clear_journal_error(osb->sb, journal->j_journal, osb->slot_num);
  
@@ -133,6 +131,3 @@ index 2301011428a1..bbf1634ff427 100644
        status = ocfs2_journal_toggle_dirty(osb, 1, replayed);
        if (status < 0) {
                mlog_errno(status);
--- 
-2.20.1
-
index d760d4619acfd5f561fc558e05a7f16bfb51db73..f490716f9c70fb0bf2c4873a95cc1b3820621999 100644 (file)
@@ -37,3 +37,6 @@ rtc-msm6242-fix-reading-of-10-hour-digit.patch
 rseq-selftests-turn-off-timeout-setting.patch
 hexagon-work-around-compiler-crash.patch
 ocfs2-call-journal-flush-to-mark-journal-as-empty-af.patch
+alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
+fix-built-in-early-load-intel-microcode-alignment.patch
+block-fix-an-integer-overflow-in-logical-block-size.patch
index e0b7af439f1ed75b615d0b53ba0b2a4fed6012db..a6e9b66f3ed7f8ea3a19e7c07a485e4dbb1da76e 100644 (file)
@@ -48,3 +48,8 @@ ioat-ioat_alloc_ring-failure-handling.patch
 hexagon-parenthesize-registers-in-asm-predicates.patch
 hexagon-work-around-compiler-crash.patch
 ocfs2-call-journal-flush-to-mark-journal-as-empty-af.patch
+dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch
+clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch
+alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
+fix-built-in-early-load-intel-microcode-alignment.patch
+block-fix-an-integer-overflow-in-logical-block-size.patch
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644 (file)
index 0000000..81b38ee
--- /dev/null
@@ -0,0 +1,36 @@
+arm-dts-meson8-fix-the-size-of-the-pmu-registers.patch
+clk-qcom-gcc-sdm845-add-missing-flag-to-votable-gdscs.patch
+soc-amlogic-meson-ee-pwrc-propagate-pd-provider-registration-errors.patch
+soc-amlogic-meson-ee-pwrc-propagate-errors-from-pm_genpd_init.patch
+dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch
+arm-dts-imx6q-dhcom-fix-rtc-compatible.patch
+arm64-dts-ls1028a-fix-endian-setting-for-dcfg.patch
+arm64-dts-imx8mm-change-sdma1-ahb-clock-for-imx8mm.patch
+bus-ti-sysc-fix-iterating-over-clocks.patch
+clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch
+revert-gpio-thunderx-switch-to-gpiolib_irqchip.patch
+arm64-dts-imx8mq-librem5-devkit-use-correct-interrupt-for-the-magnetometer.patch
+asoc-msm8916-wcd-digital-reset-rx-interpolation-path-after-use.patch
+asoc-stm32-sai-fix-possible-circular-locking.patch
+asoc-stm32-dfsdm-fix-16-bits-record.patch
+asoc-msm8916-wcd-analog-fix-selected-events-for-mic-bias-external1.patch
+asoc-msm8916-wcd-analog-fix-mic-bias-internal1.patch
+arm-omap2-fix-ti_sysc_find_one_clockdomain-to-check-for-to_clk_hw_omap.patch
+arm-dts-imx7ulp-fix-reg-of-cpu-node.patch
+arm-dts-imx6q-dhcom-fix-sgtl5000-vddio-regulator-connection.patch
+asoc-intel-bytcht_es8316-fix-irbis-nb41-netbook-quirk.patch
+alsa-dice-fix-fallback-from-protocol-extension-into-limited-functionality.patch
+alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
+alsa-firewire-tascam-fix-corruption-due-to-spin-lock-without-restoration-in-softirq-context.patch
+alsa-usb-audio-fix-sync-ep-altsetting-sanity-check.patch
+arm64-dts-allwinner-a64-olinuxino-fix-sdio-supply-regulator.patch
+arm64-dts-allwinner-a64-olinuxino-fix-emmc-supply-regulator.patch
+arm64-dts-agilex-stratix10-fix-pmu-interrupt-numbers.patch
+fix-built-in-early-load-intel-microcode-alignment.patch
+clk-sunxi-ng-r40-allow-setting-parent-rate-for-external-clock-outputs.patch
+block-fix-an-integer-overflow-in-logical-block-size.patch
+fuse-fix-fuse_send_readpages-in-the-syncronous-read-case.patch
+io_uring-only-allow-submit-from-owning-task.patch
+cpuidle-teo-fix-intervals-array-indexing-bug.patch
+arm-dts-am571x-idk-fix-gpios-property-to-have-the-correct-gpio-number.patch
+arm-davinci-select-config_reset_controller.patch