--- /dev/null
+From 9b00f1b78809309163dda2d044d9e94a3c0248a3 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 10 Feb 2021 14:14:42 +0100
+Subject: bpf: Fix truncation handling for mod32 dst reg wrt zero
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit 9b00f1b78809309163dda2d044d9e94a3c0248a3 upstream.
+
+Recently noticed that when mod32 with a known src reg of 0 is performed,
+then the dst register is 32-bit truncated in verifier:
+
+ 0: R1=ctx(id=0,off=0,imm=0) R10=fp0
+ 0: (b7) r0 = 0
+ 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0
+ 1: (b7) r1 = -1
+ 2: R0_w=inv0 R1_w=inv-1 R10=fp0
+ 2: (b4) w2 = -1
+ 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0
+ 3: (9c) w1 %= w0
+ 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0
+ 4: (b7) r0 = 1
+ 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0
+ 5: (1d) if r1 == r2 goto pc+1
+ R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0
+ 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0
+ 6: (b7) r0 = 2
+ 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0
+ 7: (95) exit
+ 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0
+ 7: (95) exit
+
+However, as a runtime result, we get 2 instead of 1, meaning the dst
+register does not contain (u32)-1 in this case. The reason is fairly
+straight forward given the 0 test leaves the dst register as-is:
+
+ # ./bpftool p d x i 23
+ 0: (b7) r0 = 0
+ 1: (b7) r1 = -1
+ 2: (b4) w2 = -1
+ 3: (16) if w0 == 0x0 goto pc+1
+ 4: (9c) w1 %= w0
+ 5: (b7) r0 = 1
+ 6: (1d) if r1 == r2 goto pc+1
+ 7: (b7) r0 = 2
+ 8: (95) exit
+
+This was originally not an issue given the dst register was marked as
+completely unknown (aka 64 bit unknown). However, after 468f6eafa6c4
+("bpf: fix 32-bit ALU op verification") the verifier casts the register
+output to 32 bit, and hence it becomes 32 bit unknown. Note that for
+the case where the src register is unknown, the dst register is marked
+64 bit unknown. After the fix, the register is truncated by the runtime
+and the test passes:
+
+ # ./bpftool p d x i 23
+ 0: (b7) r0 = 0
+ 1: (b7) r1 = -1
+ 2: (b4) w2 = -1
+ 3: (16) if w0 == 0x0 goto pc+2
+ 4: (9c) w1 %= w0
+ 5: (05) goto pc+1
+ 6: (bc) w1 = w1
+ 7: (b7) r0 = 1
+ 8: (1d) if r1 == r2 goto pc+1
+ 9: (b7) r0 = 2
+ 10: (95) exit
+
+Semantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div
+has always been {R,W}x div{64,32} 0 -> 0. Rewrites are as follows:
+
+ mod32: mod64:
+
+ (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1
+ (9c) w1 %= w0 (9f) r1 %= r0
+ (05) goto pc+1
+ (bc) w1 = w1
+
+Fixes: 468f6eafa6c4 ("bpf: fix 32-bit ALU op verification")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -10869,7 +10869,7 @@ static int fixup_bpf_calls(struct bpf_ve
+ bool isdiv = BPF_OP(insn->code) == BPF_DIV;
+ struct bpf_insn *patchlet;
+ struct bpf_insn chk_and_div[] = {
+- /* Rx div 0 -> 0 */
++ /* [R,W]x div 0 -> 0 */
+ BPF_RAW_INSN((is64 ? BPF_JMP : BPF_JMP32) |
+ BPF_JNE | BPF_K, insn->src_reg,
+ 0, 2, 0),
+@@ -10878,16 +10878,18 @@ static int fixup_bpf_calls(struct bpf_ve
+ *insn,
+ };
+ struct bpf_insn chk_and_mod[] = {
+- /* Rx mod 0 -> Rx */
++ /* [R,W]x mod 0 -> [R,W]x */
+ BPF_RAW_INSN((is64 ? BPF_JMP : BPF_JMP32) |
+ BPF_JEQ | BPF_K, insn->src_reg,
+- 0, 1, 0),
++ 0, 1 + (is64 ? 0 : 1), 0),
+ *insn,
++ BPF_JMP_IMM(BPF_JA, 0, 0, 1),
++ BPF_MOV32_REG(insn->dst_reg, insn->dst_reg),
+ };
+
+ patchlet = isdiv ? chk_and_div : chk_and_mod;
+ cnt = isdiv ? ARRAY_SIZE(chk_and_div) :
+- ARRAY_SIZE(chk_and_mod);
++ ARRAY_SIZE(chk_and_mod) - (is64 ? 2 : 0);
+
+ new_prog = bpf_patch_insn_data(env, i + delta, patchlet, cnt);
+ if (!new_prog)
--- /dev/null
+From ed9be64eefe26d7d8b0b5b9fa3ffdf425d87a01f Mon Sep 17 00:00:00 2001
+From: Will McVicker <willmcvicker@google.com>
+Date: Sat, 5 Dec 2020 00:48:48 +0000
+Subject: HID: make arrays usage and value to be the same
+
+From: Will McVicker <willmcvicker@google.com>
+
+commit ed9be64eefe26d7d8b0b5b9fa3ffdf425d87a01f upstream.
+
+The HID subsystem allows an "HID report field" to have a different
+number of "values" and "usages" when it is allocated. When a field
+struct is created, the size of the usage array is guaranteed to be at
+least as large as the values array, but it may be larger. This leads to
+a potential out-of-bounds write in
+__hidinput_change_resolution_multipliers() and an out-of-bounds read in
+hidinput_count_leds().
+
+To fix this, let's make sure that both the usage and value arrays are
+the same size.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Will McVicker <willmcvicker@google.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -90,7 +90,7 @@ EXPORT_SYMBOL_GPL(hid_register_report);
+ * Register a new field for this report.
+ */
+
+-static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages, unsigned values)
++static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages)
+ {
+ struct hid_field *field;
+
+@@ -101,7 +101,7 @@ static struct hid_field *hid_register_fi
+
+ field = kzalloc((sizeof(struct hid_field) +
+ usages * sizeof(struct hid_usage) +
+- values * sizeof(unsigned)), GFP_KERNEL);
++ usages * sizeof(unsigned)), GFP_KERNEL);
+ if (!field)
+ return NULL;
+
+@@ -300,7 +300,7 @@ static int hid_add_field(struct hid_pars
+ usages = max_t(unsigned, parser->local.usage_index,
+ parser->global.report_count);
+
+- field = hid_register_field(report, usages, parser->global.report_count);
++ field = hid_register_field(report, usages);
+ if (!field)
+ return 0;
+
--- /dev/null
+From 22dd4c707673129ed17e803b4bf68a567b2731db Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Fri, 6 Nov 2020 19:19:35 +0100
+Subject: nvme-rdma: Use ibdev_to_node instead of dereferencing ->dma_device
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 22dd4c707673129ed17e803b4bf68a567b2731db upstream.
+
+->dma_device is a private implementation detail of the RDMA core. Use the
+ibdev_to_node helper to get the NUMA node for a ib_device instead of
+poking into ->dma_device.
+
+Link: https://lore.kernel.org/r/20201106181941.1878556-5-hch@lst.de
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Cc: Krishnamraju Eraparaju <krishna2@chelsio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/rdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -860,7 +860,7 @@ static int nvme_rdma_configure_admin_que
+ return error;
+
+ ctrl->device = ctrl->queues[0].device;
+- ctrl->ctrl.numa_node = dev_to_node(ctrl->device->dev->dma_device);
++ ctrl->ctrl.numa_node = ibdev_to_node(ctrl->device->dev);
+
+ /* T10-PI support */
+ if (ctrl->device->dev->attrs.device_cap_flags &
--- /dev/null
+From 8ecfca68dc4cbee1272a0161e3f2fb9387dc6930 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Fri, 6 Nov 2020 19:19:34 +0100
+Subject: RDMA: Lift ibdev_to_node from rds to common code
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 8ecfca68dc4cbee1272a0161e3f2fb9387dc6930 upstream.
+
+Lift the ibdev_to_node from rds to common code and document it.
+
+Link: https://lore.kernel.org/r/20201106181941.1878556-4-hch@lst.de
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Cc: Krishnamraju Eraparaju <krishna2@chelsio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/rdma/ib_verbs.h | 13 +++++++++++++
+ net/rds/ib.h | 7 -------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -4643,6 +4643,19 @@ static inline struct ib_device *rdma_dev
+ }
+
+ /**
++ * ibdev_to_node - return the NUMA node for a given ib_device
++ * @dev: device to get the NUMA node for.
++ */
++static inline int ibdev_to_node(struct ib_device *ibdev)
++{
++ struct device *parent = ibdev->dev.parent;
++
++ if (!parent)
++ return NUMA_NO_NODE;
++ return dev_to_node(parent);
++}
++
++/**
+ * rdma_device_to_drv_device - Helper macro to reach back to driver's
+ * ib_device holder structure from device pointer.
+ *
+--- a/net/rds/ib.h
++++ b/net/rds/ib.h
+@@ -264,13 +264,6 @@ struct rds_ib_device {
+ int *vector_load;
+ };
+
+-static inline int ibdev_to_node(struct ib_device *ibdev)
+-{
+- struct device *parent;
+-
+- parent = ibdev->dev.parent;
+- return parent ? dev_to_node(parent) : NUMA_NO_NODE;
+-}
+ #define rdsibdev_to_node(rdsibdev) ibdev_to_node(rdsibdev->dev)
+
+ /* bits for i_ack_flags */
--- /dev/null
+From 1ebe718bb48278105816ba03a0408ecc2d6cf47f Mon Sep 17 00:00:00 2001
+From: Stefan Ursella <stefan.ursella@wolfvision.net>
+Date: Wed, 10 Feb 2021 15:07:11 +0100
+Subject: usb: quirks: add quirk to start video capture on ELMO L-12F document camera reliable
+
+From: Stefan Ursella <stefan.ursella@wolfvision.net>
+
+commit 1ebe718bb48278105816ba03a0408ecc2d6cf47f upstream.
+
+Without this quirk starting a video capture from the device often fails with
+
+kernel: uvcvideo: Failed to set UVC probe control : -110 (exp. 34).
+
+Signed-off-by: Stefan Ursella <stefan.ursella@wolfvision.net>
+Link: https://lore.kernel.org/r/20210210140713.18711-1-stefan.ursella@wolfvision.net
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -391,6 +391,9 @@ static const struct usb_device_id usb_qu
+ /* X-Rite/Gretag-Macbeth Eye-One Pro display colorimeter */
+ { USB_DEVICE(0x0971, 0x2000), .driver_info = USB_QUIRK_NO_SET_INTF },
+
++ /* ELMO L-12F document camera */
++ { USB_DEVICE(0x09a1, 0x0028), .driver_info = USB_QUIRK_DELAY_CTRL_MSG },
++
+ /* Broadcom BCM92035DGROM BT dongle */
+ { USB_DEVICE(0x0a5c, 0x2021), .driver_info = USB_QUIRK_RESET_RESUME },
+
--- /dev/null
+From 43861d29c0810a70792bf69d37482efb7bb6677d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 10 Feb 2021 12:17:46 +0100
+Subject: USB: quirks: sort quirk entries
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 43861d29c0810a70792bf69d37482efb7bb6677d upstream.
+
+Move the last entry to its proper place to maintain the VID/PID sort
+order.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210210111746.13360-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/quirks.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -415,6 +415,9 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x10d6, 0x2200), .driver_info =
+ USB_QUIRK_STRING_FETCH_255 },
+
++ /* novation SoundControl XL */
++ { USB_DEVICE(0x1235, 0x0061), .driver_info = USB_QUIRK_RESET_RESUME },
++
+ /* Huawei 4G LTE module */
+ { USB_DEVICE(0x12d1, 0x15bb), .driver_info =
+ USB_QUIRK_DISCONNECT_SUSPEND },
+@@ -495,9 +498,6 @@ static const struct usb_device_id usb_qu
+ /* INTEL VALUE SSD */
+ { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
+
+- /* novation SoundControl XL */
+- { USB_DEVICE(0x1235, 0x0061), .driver_info = USB_QUIRK_RESET_RESUME },
+-
+ { } /* terminating entry must be last */
+ };
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
