4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Dec 2019 20:02:48 +0000 (21:02 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Dec 2019 20:02:48 +0000 (21:02 +0100)
added patches:
crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
crypto-user-fix-memory-leak-in-crypto_report.patch
drm-i810-prevent-underflow-in-ioctl.patch
kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch
spi-atmel-fix-cs-high-support.patch

queue-4.4/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch [new file with mode: 0644]
queue-4.4/crypto-user-fix-memory-leak-in-crypto_report.patch [new file with mode: 0644]
queue-4.4/drm-i810-prevent-underflow-in-ioctl.patch [new file with mode: 0644]
queue-4.4/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch [new file with mode: 0644]
queue-4.4/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/spi-atmel-fix-cs-high-support.patch [new file with mode: 0644]

diff --git a/queue-4.4/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch b/queue-4.4/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
new file mode 100644 (file)
index 0000000..056e20b
--- /dev/null
@@ -0,0 +1,43 @@
+From 746c908c4d72e49068ab216c3926d2720d71a90d Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Thu, 31 Oct 2019 17:14:38 +0100
+Subject: crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
+
+From: Christian Lamparter <chunkeey@gmail.com>
+
+commit 746c908c4d72e49068ab216c3926d2720d71a90d upstream.
+
+This patch fixes a crash that can happen during probe
+when the available dma memory is not enough (this can
+happen if the crypto4xx is built as a module).
+
+The descriptor window mapping would end up being free'd
+twice, once in crypto4xx_build_pdr() and the second time
+in crypto4xx_destroy_sdr().
+
+Fixes: 5d59ad6eea82 ("crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/amcc/crypto4xx_core.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/crypto/amcc/crypto4xx_core.c
++++ b/drivers/crypto/amcc/crypto4xx_core.c
+@@ -399,12 +399,8 @@ static u32 crypto4xx_build_sdr(struct cr
+               dma_alloc_coherent(dev->core_dev->device,
+                       dev->scatter_buffer_size * PPC4XX_NUM_SD,
+                       &dev->scatter_buffer_pa, GFP_ATOMIC);
+-      if (!dev->scatter_buffer_va) {
+-              dma_free_coherent(dev->core_dev->device,
+-                                sizeof(struct ce_sd) * PPC4XX_NUM_SD,
+-                                dev->sdr, dev->sdr_pa);
++      if (!dev->scatter_buffer_va)
+               return -ENOMEM;
+-      }
+       sd_array = dev->sdr;
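Review bot: With the local `dma_free_coherent()` removed, the failure branch after the `scatter_buffer_va` allocation returns while `dev->sdr` is still allocated, and nothing at that site says who releases it. The commit message places the remaining free in crypto4xx_destroy_sdr(), so the fix holds only if every caller runs that teardown when crypto4xx_build_sdr() fails and the teardown copes with a NULL `scatter_buffer_va`; both are outside this hunk and worth confirming in the 4.4 tree. A comment on the branch would record the ownership rule, e.g. `/* dev->sdr is freed by crypto4xx_destroy_sdr() on the caller's error path */`. Separately, the hunk header shows the function returning `u32` while the branch returns `-ENOMEM`, so callers can only test the result for non-zero; the function body starts and ends outside the hunk.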
diff --git a/queue-4.4/crypto-user-fix-memory-leak-in-crypto_report.patch b/queue-4.4/crypto-user-fix-memory-leak-in-crypto_report.patch
new file mode 100644 (file)
index 0000000..65d3bd4
--- /dev/null
@@ -0,0 +1,36 @@
+From ffdde5932042600c6807d46c1550b28b0db6a3bc Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Fri, 4 Oct 2019 14:29:16 -0500
+Subject: crypto: user - fix memory leak in crypto_report
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit ffdde5932042600c6807d46c1550b28b0db6a3bc upstream.
+
+In crypto_report, a new skb is created via nlmsg_new(). This skb should
+be released if crypto_report_alg() fails.
+
+Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/crypto_user.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -249,8 +249,10 @@ static int crypto_report(struct sk_buff
+ drop_alg:
+       crypto_mod_put(alg);
+-      if (err)
++      if (err) {
++              kfree_skb(skb);
+               return err;
++      }
+       return nlmsg_unicast(crypto_nlsk, skb, NETLINK_CB(in_skb).portid);
+ }
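Review bot: The added `kfree_skb(skb)` under `drop_alg:` runs for every error that reaches the label, including any path that jumps there before `skb` was successfully allocated. Those earlier jumps are not visible in this hunk; if one exists (for example after a failed `nlmsg_new()`), the call is safe only because `kfree_skb()` accepts NULL, and `skb` must hold NULL rather than garbage on that path. A one-line comment would make the reliance explicit: `/* skb may be NULL here; kfree_skb() handles that */`. crypto_report() begins above the hunk.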
diff --git a/queue-4.4/drm-i810-prevent-underflow-in-ioctl.patch b/queue-4.4/drm-i810-prevent-underflow-in-ioctl.patch
new file mode 100644 (file)
index 0000000..4b3aa30
--- /dev/null
@@ -0,0 +1,43 @@
+From 4f69851fbaa26b155330be35ce8ac393e93e7442 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 4 Oct 2019 13:22:51 +0300
+Subject: drm/i810: Prevent underflow in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream.
+
+The "used" variables here come from the user in the ioctl and it can be
+negative.  It could result in an out of bounds write.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i810/i810_dma.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i810/i810_dma.c
++++ b/drivers/gpu/drm/i810/i810_dma.c
+@@ -723,7 +723,7 @@ static void i810_dma_dispatch_vertex(str
+       if (nbox > I810_NR_SAREA_CLIPRECTS)
+               nbox = I810_NR_SAREA_CLIPRECTS;
+-      if (used > 4 * 1024)
++      if (used < 0 || used > 4 * 1024)
+               used = 0;
+       if (sarea_priv->dirty)
+@@ -1043,7 +1043,7 @@ static void i810_dma_dispatch_mc(struct
+       if (u != I810_BUF_CLIENT)
+               DRM_DEBUG("MC found buffer that isn't mine!\n");
+-      if (used > 4 * 1024)
++      if (used < 0 || used > 4 * 1024)
+               used = 0;
+       sarea_priv->dirty = 0x7f;
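Review bot: Both checks (in `i810_dma_dispatch_vertex` and `i810_dma_dispatch_mc`) silently rewrite an out-of-range `used` to 0, so a caller passing a negative or oversized length gets no error back and the request apparently continues with a zero length. The commit message says `used` comes from the user in the ioctl, and both dispatch functions return void, so rejecting the value where the ioctl argument is first read (outside these hunks) would be the clearer place. At minimum each check deserves a comment such as `/* used is user-controlled; out-of-range values are treated as 0, not reported */`. The upper bound `4 * 1024` is repeated as a bare literal in both places and is not tied, in the visible lines, to the size of the buffer being written; a named constant or a comparison against the buffer's size would make the bound auditable.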
diff --git a/queue-4.4/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch b/queue-4.4/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
new file mode 100644 (file)
index 0000000..7bd9a45
--- /dev/null
@@ -0,0 +1,51 @@
+From de1fca5d6e0105c9d33924e1247e2f386efc3ece Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 18 Nov 2019 12:23:00 -0500
+Subject: KVM: x86: do not modify masked bits of shared MSRs
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit de1fca5d6e0105c9d33924e1247e2f386efc3ece upstream.
+
+"Shared MSRs" are guest MSRs that are written to the host MSRs but
+keep their value until the next return to userspace.  They support
+a mask, so that some bits keep the host value, but this mask is
+only used to skip an unnecessary MSR write and the value written
+to the MSR is always the guest MSR.
+
+Fix this and, while at it, do not update smsr->values[slot].curr if
+for whatever reason the wrmsr fails.  This should only happen due to
+reserved bits, so the value written to smsr->values[slot].curr
+will not match when the user-return notifier and the host value will
+always be restored.  However, it is untidy and in rare cases this
+can actually avoid spurious WRMSRs on return to userspace.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Tested-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -260,13 +260,14 @@ int kvm_set_shared_msr(unsigned slot, u6
+       struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
+       int err;
+-      if (((value ^ smsr->values[slot].curr) & mask) == 0)
++      value = (value & mask) | (smsr->values[slot].host & ~mask);
++      if (value == smsr->values[slot].curr)
+               return 0;
+-      smsr->values[slot].curr = value;
+       err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
+       if (err)
+               return 1;
++      smsr->values[slot].curr = value;
+       if (!smsr->registered) {
+               smsr->urn.on_user_return = kvm_on_user_return;
+               user_return_notifier_register(&smsr->urn);
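Review bot: The new first line, `value = (value & mask) | (smsr->values[slot].host & ~mask);`, makes the value written to the MSR depend on `values[slot].host` being a current reading for this CPU, which the old code never relied on for the write itself. Where `.host` is filled in is not visible in the hunk; if it can still be zero or stale when kvm_set_shared_msr() first runs, the bits outside `mask` would be written with that stale content. A comment stating the precondition would help, e.g. `/* bits outside mask keep the host value; .host must already be sampled on this CPU */`. `slot` also indexes `smsr->values[]` and `shared_msrs_global.msrs[]` without a range check in the visible lines, presumably because callers pass fixed slots. The function starts and ends outside the hunk.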
diff --git a/queue-4.4/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch b/queue-4.4/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch
new file mode 100644 (file)
index 0000000..acec0f1
--- /dev/null
@@ -0,0 +1,44 @@
+From cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 18 Nov 2019 18:58:26 +0100
+Subject: KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b upstream.
+
+KVM does not implement MSR_IA32_TSX_CTRL, so it must not be presented
+to the guests.  It is also confusing to have !ARCH_CAP_TSX_CTRL_MSR &&
+!RTM && ARCH_CAP_TAA_NO: lack of MSR_IA32_TSX_CTRL suggests TSX was not
+hidden (it actually was), yet the value says that TSX is not vulnerable
+to microarchitectural data sampling.  Fix both.
+
+Cc: stable@vger.kernel.org
+Tested-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1024,10 +1024,15 @@ u64 kvm_get_arch_capabilities(void)
+        * If TSX is disabled on the system, guests are also mitigated against
+        * TAA and clear CPU buffer mitigation is not required for guests.
+        */
+-      if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) &&
+-          (data & ARCH_CAP_TSX_CTRL_MSR))
++      if (!boot_cpu_has(X86_FEATURE_RTM))
++              data &= ~ARCH_CAP_TAA_NO;
++      else if (!boot_cpu_has_bug(X86_BUG_TAA))
++              data |= ARCH_CAP_TAA_NO;
++      else if (data & ARCH_CAP_TSX_CTRL_MSR)
+               data &= ~ARCH_CAP_MDS_NO;
++      /* KVM does not emulate MSR_IA32_TSX_CTRL.  */
++      data &= ~ARCH_CAP_TSX_CTRL_MSR;
+       return data;
+ }
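Review bot: The block comment kept above the chain in kvm_get_arch_capabilities() still describes only the old single condition, while the new code has three branches plus an unconditional clear, and the reason for each lives only in the commit message. The first branch in particular reads backwards without it: `ARCH_CAP_TAA_NO` is cleared when RTM is absent, which the message explains as avoiding a combination that would mislead the guest about whether TSX was hidden. There is also an ordering dependency: `else if (data & ARCH_CAP_TSX_CTRL_MSR)` must be evaluated before `data &= ~ARCH_CAP_TSX_CTRL_MSR;`, so a later reorder would silently stop clearing `ARCH_CAP_MDS_NO`. I would extend the comment to cover each branch and add `/* must follow the TSX_CTRL_MSR test above */` to the final clear. The start of the function is outside the hunk.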
index eb8a14479bc9a16ec989557d5863212207fd6a35..e570631d4eb7a9c12512b016cd23d978829d656e 100644 (file)
@@ -60,3 +60,9 @@ cifs-fix-smb2-oplock-break-processing.patch
 tty-vt-keyboard-reject-invalid-keycodes.patch
 can-slcan-fix-use-after-free-read-in-slcan_open.patch
 jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
+drm-i810-prevent-underflow-in-ioctl.patch
+kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
+kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch
+crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
+crypto-user-fix-memory-leak-in-crypto_report.patch
+spi-atmel-fix-cs-high-support.patch
diff --git a/queue-4.4/spi-atmel-fix-cs-high-support.patch b/queue-4.4/spi-atmel-fix-cs-high-support.patch
new file mode 100644 (file)
index 0000000..b1b1424
--- /dev/null
@@ -0,0 +1,50 @@
+From 7cbb16b2122c09f2ae393a1542fed628505b9da6 Mon Sep 17 00:00:00 2001
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+Date: Thu, 17 Oct 2019 16:18:41 +0200
+Subject: spi: atmel: Fix CS high support
+
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+
+commit 7cbb16b2122c09f2ae393a1542fed628505b9da6 upstream.
+
+Until a few years ago, this driver was only used with CS GPIO. The
+only exception is CS0 on AT91RM9200 which has to use internal CS. A
+limitation of the internal CS is that they don't support CS High.
+
+So by using the CS GPIO the CS high configuration was available except
+for the particular case CS0 on RM9200.
+
+When the support for the internal chip-select was added, the check of
+the CS high support was not updated. Due to this the driver accepts
+this configuration for all the SPI controller v2 (used by all SoCs
+excepting the AT91RM9200) whereas the hardware doesn't support it for
+infernal CS.
+
+This patch fixes the test to match the hardware capabilities.
+
+Fixes: 4820303480a1 ("spi: atmel: add support for the internal chip-select of the spi controller")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Link: https://lore.kernel.org/r/20191017141846.7523-3-gregory.clement@bootlin.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-atmel.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-atmel.c
++++ b/drivers/spi/spi-atmel.c
+@@ -1209,10 +1209,8 @@ static int atmel_spi_setup(struct spi_de
+       as = spi_master_get_devdata(spi->master);
+       /* see notes above re chipselect */
+-      if (!atmel_spi_is_v2(as)
+-                      && spi->chip_select == 0
+-                      && (spi->mode & SPI_CS_HIGH)) {
+-              dev_dbg(&spi->dev, "setup: can't be active-high\n");
++      if (!as->use_cs_gpios && (spi->mode & SPI_CS_HIGH)) {
++              dev_warn(&spi->dev, "setup: non GPIO CS can't be active-high\n");
+               return -EINVAL;
+       }
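Review bot: The retained comment `/* see notes above re chipselect */` in atmel_spi_setup() points at notes that were presumably written for the old RM9200/CS0 condition, and the new test `!as->use_cs_gpios && (spi->mode & SPI_CS_HIGH)` no longer matches that framing. Those notes are outside the hunk, so this is inferred, but the comment should state the rule directly, e.g. `/* internal chip-selects cannot be active-high; only GPIO CS can */`. The message also moves from `dev_dbg` to `dev_warn`, so a misconfigured device now shows up in the log on each failed setup, which is probably intended but not mentioned in the description. For the 4.4 queue it is worth confirming that `use_cs_gpios` exists in that tree's driver state, since the new condition depends on it.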