--- /dev/null
+From a58015d638cd4e4555297b04bec9b49028369075 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Thu, 7 Jan 2021 23:23:48 -0800
+Subject: ACPI: scan: Harden acpi_device_add() against device ID overflows
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit a58015d638cd4e4555297b04bec9b49028369075 upstream.
+
+Linux VM on Hyper-V crashes with the latest mainline:
+
+[ 4.069624] detected buffer overflow in strcpy
+[ 4.077733] kernel BUG at lib/string.c:1149!
+..
+[ 4.085819] RIP: 0010:fortify_panic+0xf/0x11
+...
+[ 4.085819] Call Trace:
+[ 4.085819] acpi_device_add.cold.15+0xf2/0xfb
+[ 4.085819] acpi_add_single_object+0x2a6/0x690
+[ 4.085819] acpi_bus_check_add+0xc6/0x280
+[ 4.085819] acpi_ns_walk_namespace+0xda/0x1aa
+[ 4.085819] acpi_walk_namespace+0x9a/0xc2
+[ 4.085819] acpi_bus_scan+0x78/0x90
+[ 4.085819] acpi_scan_init+0xfa/0x248
+[ 4.085819] acpi_init+0x2c1/0x321
+[ 4.085819] do_one_initcall+0x44/0x1d0
+[ 4.085819] kernel_init_freeable+0x1ab/0x1f4
+
+This is because of the recent buffer overflow detection in the
+commit 6a39e62abbaf ("lib: string.h: detect intra-object overflow in
+fortified string functions")
+
+Here acpi_device_bus_id->bus_id can only hold 14 characters, while the
+the acpi_device_hid(device) returns a 22-char string
+"HYPER_V_GEN_COUNTER_V1".
+
+Per ACPI Spec v6.2, Section 6.1.5 _HID (Hardware ID), if the ID is a
+string, it must be of the form AAA#### or NNNN####, i.e. 7 chars or 8
+chars.
+
+The field bus_id in struct acpi_device_bus_id was originally defined as
+char bus_id[9], and later was enlarged to char bus_id[15] in 2007 in the
+commit bb0958544f3c ("ACPI: use more understandable bus_id for ACPI
+devices")
+
+Fix the issue by changing the field bus_id to const char *, and use
+kstrdup_const() to initialize it.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Tested-By: Jethro Beekman <jethro@fortanix.com>
+[ rjw: Subject change, whitespace adjustment ]
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/internal.h | 2 +-
+ drivers/acpi/scan.c | 15 ++++++++++++++-
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/internal.h
++++ b/drivers/acpi/internal.h
+@@ -98,7 +98,7 @@ void acpi_scan_table_handler(u32 event,
+ extern struct list_head acpi_bus_id_list;
+
+ struct acpi_device_bus_id {
+- char bus_id[15];
++ const char *bus_id;
+ unsigned int instance_no;
+ struct list_head node;
+ };
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -485,6 +485,7 @@ static void acpi_device_del(struct acpi_
+ acpi_device_bus_id->instance_no--;
+ else {
+ list_del(&acpi_device_bus_id->node);
++ kfree_const(acpi_device_bus_id->bus_id);
+ kfree(acpi_device_bus_id);
+ }
+ break;
+@@ -673,7 +674,14 @@ int acpi_device_add(struct acpi_device *
+ }
+ if (!found) {
+ acpi_device_bus_id = new_bus_id;
+- strcpy(acpi_device_bus_id->bus_id, acpi_device_hid(device));
++ acpi_device_bus_id->bus_id =
++ kstrdup_const(acpi_device_hid(device), GFP_KERNEL);
++ if (!acpi_device_bus_id->bus_id) {
++ pr_err(PREFIX "Memory allocation error for bus id\n");
++ result = -ENOMEM;
++ goto err_free_new_bus_id;
++ }
++
+ acpi_device_bus_id->instance_no = 0;
+ list_add_tail(&acpi_device_bus_id->node, &acpi_bus_id_list);
+ }
+@@ -708,6 +716,11 @@ int acpi_device_add(struct acpi_device *
+ if (device->parent)
+ list_del(&device->node);
+ list_del(&device->wakeup_list);
++
++ err_free_new_bus_id:
++ if (!found)
++ kfree(new_bus_id);
++
+ mutex_unlock(&acpi_device_lock);
+
+ err_detach:
--- /dev/null
+From 5c6679b5cb120f07652418524ab186ac47680b49 Mon Sep 17 00:00:00 2001
+From: Thomas Hebb <tommyhebb@gmail.com>
+Date: Sat, 12 Dec 2020 17:20:12 -0800
+Subject: ASoC: dapm: remove widget from dirty list on free
+
+From: Thomas Hebb <tommyhebb@gmail.com>
+
+commit 5c6679b5cb120f07652418524ab186ac47680b49 upstream.
+
+A widget's "dirty" list_head, much like its "list" list_head, eventually
+chains back to a list_head on the snd_soc_card itself. This means that
+the list can stick around even after the widget (or all widgets) have
+been freed. Currently, however, widgets that are in the dirty list when
+freed remain there, corrupting the entire list and leading to memory
+errors and undefined behavior when the list is next accessed or
+modified.
+
+I encountered this issue when a component failed to probe relatively
+late in snd_soc_bind_card(), causing it to bail out and call
+soc_cleanup_card_resources(), which eventually called
+snd_soc_dapm_free() with widgets that were still dirty from when they'd
+been added.
+
+Fixes: db432b414e20 ("ASoC: Do DAPM power checks only for widgets changed since last run")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/f8b5f031d50122bf1a9bfc9cae046badf4a7a31a.1607822410.git.tommyhebb@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-dapm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -2434,6 +2434,7 @@ void snd_soc_dapm_free_widget(struct snd
+ enum snd_soc_dapm_direction dir;
+
+ list_del(&w->list);
++ list_del(&w->dirty);
+ /*
+ * remove source and sink paths associated to this widget.
+ * While removing the path, remove reference to it from both
--- /dev/null
+From fcc42338375a1e67b8568dbb558f8b784d0f3b01 Mon Sep 17 00:00:00 2001
+From: Akilesh Kailash <akailash@google.com>
+Date: Mon, 28 Dec 2020 07:14:07 +0000
+Subject: dm snapshot: flush merged data before committing metadata
+
+From: Akilesh Kailash <akailash@google.com>
+
+commit fcc42338375a1e67b8568dbb558f8b784d0f3b01 upstream.
+
+If the origin device has a volatile write-back cache and the following
+events occur:
+
+1: After finishing merge operation of one set of exceptions,
+ merge_callback() is invoked.
+2: Update the metadata in COW device tracking the merge completion.
+ This update to COW device is flushed cleanly.
+3: System crashes and the origin device's cache where the recent
+ merge was completed has not been flushed.
+
+During the next cycle when we read the metadata from the COW device,
+we will skip reading those metadata whose merge was completed in
+step (1). This will lead to data loss/corruption.
+
+To address this, flush the origin device post merge IO before
+updating the metadata.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Akilesh Kailash <akailash@google.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-snap.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -137,6 +137,11 @@ struct dm_snapshot {
+ * for them to be committed.
+ */
+ struct bio_list bios_queued_during_merge;
++
++ /*
++ * Flush data after merge.
++ */
++ struct bio flush_bio;
+ };
+
+ /*
+@@ -1060,6 +1065,17 @@ shut:
+
+ static void error_bios(struct bio *bio);
+
++static int flush_data(struct dm_snapshot *s)
++{
++ struct bio *flush_bio = &s->flush_bio;
++
++ bio_reset(flush_bio);
++ bio_set_dev(flush_bio, s->origin->bdev);
++ flush_bio->bi_opf = REQ_OP_WRITE | REQ_PREFLUSH;
++
++ return submit_bio_wait(flush_bio);
++}
++
+ static void merge_callback(int read_err, unsigned long write_err, void *context)
+ {
+ struct dm_snapshot *s = context;
+@@ -1073,6 +1089,11 @@ static void merge_callback(int read_err,
+ goto shut;
+ }
+
++ if (flush_data(s) < 0) {
++ DMERR("Flush after merge failed: shutting down merge");
++ goto shut;
++ }
++
+ if (s->store->type->commit_merge(s->store,
+ s->num_merging_chunks) < 0) {
+ DMERR("Write error in exception store: shutting down merge");
+@@ -1197,6 +1218,7 @@ static int snapshot_ctr(struct dm_target
+ s->first_merging_chunk = 0;
+ s->num_merging_chunks = 0;
+ bio_list_init(&s->bios_queued_during_merge);
++ bio_init(&s->flush_bio, NULL, 0);
+
+ /* Allocate hash table for COW data */
+ if (init_hash_tables(s)) {
+@@ -1391,6 +1413,8 @@ static void snapshot_dtr(struct dm_targe
+
+ mutex_destroy(&s->lock);
+
++ bio_uninit(&s->flush_bio);
++
+ dm_put_device(ti, s->cow);
+
+ dm_put_device(ti, s->origin);
--- /dev/null
+From 4d4f9c1a17a3480f8fe523673f7232b254d724b7 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Wed, 16 Dec 2020 23:39:56 +0000
+Subject: MIPS: boot: Fix unaligned access with CONFIG_MIPS_RAW_APPENDED_DTB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 4d4f9c1a17a3480f8fe523673f7232b254d724b7 upstream.
+
+The compressed payload is not necesarily 4-byte aligned, at least when
+compiling with Clang. In that case, the 4-byte value appended to the
+compressed payload that corresponds to the uncompressed kernel image
+size must be read using get_unaligned_le32().
+
+This fixes Clang-built kernels not booting on MIPS (tested on a Ingenic
+JZ4770 board).
+
+Fixes: b8f54f2cde78 ("MIPS: ZBOOT: copy appended dtb to the end of the kernel")
+Cc: <stable@vger.kernel.org> # v4.7
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/boot/compressed/decompress.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/boot/compressed/decompress.c
++++ b/arch/mips/boot/compressed/decompress.c
+@@ -17,6 +17,7 @@
+ #include <linux/libfdt.h>
+
+ #include <asm/addrspace.h>
++#include <asm/unaligned.h>
+
+ /*
+ * These two variables specify the free mem region
+@@ -124,7 +125,7 @@ void decompress_kernel(unsigned long boo
+ dtb_size = fdt_totalsize((void *)&__appended_dtb);
+
+ /* last four bytes is always image size in little endian */
+- image_size = le32_to_cpup((void *)&__image_end - 4);
++ image_size = get_unaligned_le32((void *)&__image_end - 4);
+
+ /* copy dtb to where the booted kernel will expect it */
+ memcpy((void *)VMLINUX_LOAD_ADDRESS_ULL + image_size,
--- /dev/null
+From 698222457465ce343443be81c5512edda86e5914 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 24 Dec 2020 19:44:38 +0000
+Subject: MIPS: Fix malformed NT_FILE and NT_SIGINFO in 32bit coredumps
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 698222457465ce343443be81c5512edda86e5914 upstream.
+
+Patches that introduced NT_FILE and NT_SIGINFO notes back in 2012
+had taken care of native (fs/binfmt_elf.c) and compat (fs/compat_binfmt_elf.c)
+coredumps; unfortunately, compat on mips (which does not go through the
+usual compat_binfmt_elf.c) had not been noticed.
+
+As the result, both N32 and O32 coredumps on 64bit mips kernels
+have those sections malformed enough to confuse the living hell out of
+all gdb and readelf versions (up to and including the tip of binutils-gdb.git).
+
+Longer term solution is to make both O32 and N32 compat use the
+regular compat_binfmt_elf.c, but that's too much for backports. The minimal
+solution is to do in arch/mips/kernel/binfmt_elf[on]32.c the same thing
+those patches have done in fs/compat_binfmt_elf.c
+
+Cc: stable@kernel.org # v3.7+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/binfmt_elfn32.c | 7 +++++++
+ arch/mips/kernel/binfmt_elfo32.c | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+--- a/arch/mips/kernel/binfmt_elfn32.c
++++ b/arch/mips/kernel/binfmt_elfn32.c
+@@ -103,4 +103,11 @@ jiffies_to_compat_timeval(unsigned long
+ #undef ns_to_timeval
+ #define ns_to_timeval ns_to_compat_timeval
+
++/*
++ * Some data types as stored in coredump.
++ */
++#define user_long_t compat_long_t
++#define user_siginfo_t compat_siginfo_t
++#define copy_siginfo_to_external copy_siginfo_to_external32
++
+ #include "../../../fs/binfmt_elf.c"
+--- a/arch/mips/kernel/binfmt_elfo32.c
++++ b/arch/mips/kernel/binfmt_elfo32.c
+@@ -106,4 +106,11 @@ jiffies_to_compat_timeval(unsigned long
+ #undef ns_to_timeval
+ #define ns_to_timeval ns_to_compat_timeval
+
++/*
++ * Some data types as stored in coredump.
++ */
++#define user_long_t compat_long_t
++#define user_siginfo_t compat_siginfo_t
++#define copy_siginfo_to_external copy_siginfo_to_external32
++
+ #include "../../../fs/binfmt_elf.c"
--- /dev/null
+From 69e976831cd53f9ba304fd20305b2025ecc78eab Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin <alobakin@pm.me>
+Date: Sun, 10 Jan 2021 14:21:05 +0000
+Subject: MIPS: relocatable: fix possible boot hangup with KASLR enabled
+
+From: Alexander Lobakin <alobakin@pm.me>
+
+commit 69e976831cd53f9ba304fd20305b2025ecc78eab upstream.
+
+LLVM-built Linux triggered a boot hangup with KASLR enabled.
+
+arch/mips/kernel/relocate.c:get_random_boot() uses linux_banner,
+which is a string constant, as a random seed, but accesses it
+as an array of unsigned long (in rotate_xor()).
+When the address of linux_banner is not aligned to sizeof(long),
+such access emits unaligned access exception and hangs the kernel.
+
+Use PTR_ALIGN() to align input address to sizeof(long) and also
+align down the input length to prevent possible access-beyond-end.
+
+Fixes: 405bc8fd12f5 ("MIPS: Kernel: Implement KASLR using CONFIG_RELOCATABLE")
+Cc: stable@vger.kernel.org # 4.7+
+Signed-off-by: Alexander Lobakin <alobakin@pm.me>
+Tested-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/relocate.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/relocate.c
++++ b/arch/mips/kernel/relocate.c
+@@ -187,8 +187,14 @@ static int __init relocate_exception_tab
+ static inline __init unsigned long rotate_xor(unsigned long hash,
+ const void *area, size_t size)
+ {
+- size_t i;
+- unsigned long *ptr = (unsigned long *)area;
++ const typeof(hash) *ptr = PTR_ALIGN(area, sizeof(hash));
++ size_t diff, i;
++
++ diff = (void *)ptr - area;
++ if (unlikely(size < diff + sizeof(hash)))
++ return hash;
++
++ size = ALIGN_DOWN(size - diff, sizeof(hash));
+
+ for (i = 0; i < size / sizeof(hash); i++) {
+ /* Rotate by odd number of bits and XOR. */
--- /dev/null
+From 0eb98f1588c2cc7a79816d84ab18a55d254f481c Mon Sep 17 00:00:00 2001
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Tue, 12 Jan 2021 15:49:24 -0800
+Subject: mm/hugetlb: fix potential missing huge page size info
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+commit 0eb98f1588c2cc7a79816d84ab18a55d254f481c upstream.
+
+The huge page size is encoded for VM_FAULT_HWPOISON errors only. So if
+we return VM_FAULT_HWPOISON, huge page size would just be ignored.
+
+Link: https://lkml.kernel.org/r/20210107123449.38481-1-linmiaohe@huawei.com
+Fixes: aa50d3a7aa81 ("Encode huge page size for VM_FAULT_HWPOISON errors")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3797,7 +3797,7 @@ retry:
+ * So we need to block hugepage fault by PG_hwpoison bit check.
+ */
+ if (unlikely(PageHWPoison(page))) {
+- ret = VM_FAULT_HWPOISON |
++ ret = VM_FAULT_HWPOISON_LARGE |
+ VM_FAULT_SET_HINDEX(hstate_index(h));
+ goto backout_unlocked;
+ }
--- /dev/null
+From cb82a54904a99df9e8f9e9d282046055dae5a730 Mon Sep 17 00:00:00 2001
+From: Leon Schuermann <leon@is.currently.online>
+Date: Mon, 11 Jan 2021 20:03:13 +0100
+Subject: r8152: Add Lenovo Powered USB-C Travel Hub
+
+From: Leon Schuermann <leon@is.currently.online>
+
+commit cb82a54904a99df9e8f9e9d282046055dae5a730 upstream.
+
+This USB-C Hub (17ef:721e) based on the Realtek RTL8153B chip used to
+use the cdc_ether driver. However, using this driver, with the system
+suspended the device constantly sends pause-frames as soon as the
+receive buffer fills up. This causes issues with other devices, where
+some Ethernet switches stop forwarding packets altogether.
+
+Using the Realtek driver (r8152) fixes this issue. Pause frames are no
+longer sent while the host system is suspended.
+
+Signed-off-by: Leon Schuermann <leon@is.currently.online>
+Tested-by: Leon Schuermann <leon@is.currently.online>
+Link: https://lore.kernel.org/r/20210111190312.12589-2-leon@is.currently.online
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/cdc_ether.c | 7 +++++++
+ drivers/net/usb/r8152.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -800,6 +800,13 @@ static const struct usb_device_id produc
+ .driver_info = 0,
+ },
+
++/* Lenovo Powered USB-C Travel Hub (4X90S92381, based on Realtek RTL8153) */
++{
++ USB_DEVICE_AND_INTERFACE_INFO(LENOVO_VENDOR_ID, 0x721e, USB_CLASS_COMM,
++ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
++ .driver_info = 0,
++},
++
+ /* ThinkPad USB-C Dock Gen 2 (based on Realtek RTL8153) */
+ {
+ USB_DEVICE_AND_INTERFACE_INFO(LENOVO_VENDOR_ID, 0xa387, USB_CLASS_COMM,
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -5337,6 +5337,7 @@ static const struct usb_device_id rtl815
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x7205)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x720c)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x7214)},
++ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x721e)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0xa387)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LINKSYS, 0x0041)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_NVIDIA, 0x09ff)},
+asoc-dapm-remove-widget-from-dirty-list-on-free.patch
+mips-boot-fix-unaligned-access-with-config_mips_raw_appended_dtb.patch
+mips-fix-malformed-nt_file-and-nt_siginfo-in-32bit-coredumps.patch
+mips-relocatable-fix-possible-boot-hangup-with-kaslr-enabled.patch
+acpi-scan-harden-acpi_device_add-against-device-id-overflows.patch
+mm-hugetlb-fix-potential-missing-huge-page-size-info.patch
+dm-snapshot-flush-merged-data-before-committing-metadata.patch
+r8152-add-lenovo-powered-usb-c-travel-hub.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
