3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Oct 2018 09:14:16 +0000 (11:14 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Oct 2018 09:14:16 +0000 (11:14 +0200)
added patches:
media-af9035-prevent-buffer-overflow-on-write.patch
powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch
powerpc-tm-fix-userspace-r13-corruption.patch
risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch

queue-3.18/media-af9035-prevent-buffer-overflow-on-write.patch [new file with mode: 0644]
queue-3.18/powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch [new file with mode: 0644]
queue-3.18/powerpc-tm-fix-userspace-r13-corruption.patch [new file with mode: 0644]
queue-3.18/risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/media-af9035-prevent-buffer-overflow-on-write.patch b/queue-3.18/media-af9035-prevent-buffer-overflow-on-write.patch
new file mode 100644 (file)
index 0000000..1a5c1d8
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Thu Oct 18 11:14:02 CEST 2018
+From: Jozef Balga <jozef.balga@gmail.com>
+Date: Tue, 21 Aug 2018 05:01:04 -0400
+Subject: media: af9035: prevent buffer overflow on write
+
+From: Jozef Balga <jozef.balga@gmail.com>
+
+[ Upstream commit 312f73b648626a0526a3aceebb0a3192aaba05ce ]
+
+When less than 3 bytes are written to the device, memcpy is called with
+negative array size which leads to buffer overflow and kernel panic. This
+patch adds a condition and returns -EOPNOTSUPP instead.
+Fixes bugzilla issue 64871
+
+[mchehab+samsung@kernel.org: fix a merge conflict and changed the
+ condition to match the patch's comment, e. g. len == 3 could
+ also be valid]
+Signed-off-by: Jozef Balga <jozef.balga@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb-v2/af9035.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/af9035.c
++++ b/drivers/media/usb/dvb-usb-v2/af9035.c
+@@ -389,8 +389,10 @@ static int af9035_i2c_master_xfer(struct
+                           msg[0].addr == (state->af9033_i2c_addr[1] >> 1))
+                               reg |= 0x100000;
+-                      ret = af9035_wr_regs(d, reg, &msg[0].buf[3],
+-                                      msg[0].len - 3);
++                      ret = (msg[0].len >= 3) ? af9035_wr_regs(d, reg,
++                                                               &msg[0].buf[3],
++                                                               msg[0].len - 3)
++                                              : -EOPNOTSUPP;
+               } else {
+                       /* I2C write */
+                       u8 buf[MAX_XFER_SIZE];
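Review bot: The new `msg[0].len >= 3` test in af9035_i2c_master_xfer guards only the af9035_wr_regs() call, while `reg` is already computed before this point (the context line `reg |= 0x100000` modifies it). If `reg` is assembled from `msg[0].buf[0]` through `msg[0].buf[2]`, which the `&msg[0].buf[3]` offset suggests but the hunk does not show, a message shorter than 3 bytes is still read past its end before the guard runs. Checking the length at the top of this branch, before any byte of `msg[0].buf` is used, would cover both the read and the write; `if (msg[0].len < 3) ret = -EOPNOTSUPP; else ret = af9035_wr_regs(d, reg, &msg[0].buf[3], msg[0].len - 3);` would also read more easily than the four-line conditional expression. The function body starts and ends outside the hunk, so the length handling of the other branches cannot be confirmed from here.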
diff --git a/queue-3.18/powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch b/queue-3.18/powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch
new file mode 100644 (file)
index 0000000..5fff834
--- /dev/null
@@ -0,0 +1,59 @@
+From foo@baz Thu Oct 18 11:14:02 CEST 2018
+From: Michael Neuling <mikey@neuling.org>
+Date: Tue, 25 Sep 2018 19:36:47 +1000
+Subject: powerpc/tm: Avoid possible userspace r1 corruption on reclaim
+
+From: Michael Neuling <mikey@neuling.org>
+
+[ Upstream commit 96dc89d526ef77604376f06220e3d2931a0bfd58 ]
+
+Current we store the userspace r1 to PACATMSCRATCH before finally
+saving it to the thread struct.
+
+In theory an exception could be taken here (like a machine check or
+SLB miss) that could write PACATMSCRATCH and hence corrupt the
+userspace r1. The SLB fault currently doesn't touch PACATMSCRATCH, but
+others do.
+
+We've never actually seen this happen but it's theoretically
+possible. Either way, the code is fragile as it is.
+
+This patch saves r1 to the kernel stack (which can't fault) before we
+turn MSR[RI] back on. PACATMSCRATCH is still used but only with
+MSR[RI] off. We then copy r1 from the kernel stack to the thread
+struct once we have MSR[RI] back on.
+
+Suggested-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/tm.S |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/tm.S
++++ b/arch/powerpc/kernel/tm.S
+@@ -202,6 +202,13 @@ dont_backup_fp:
+       std     r11, GPR11(r1)                  /* Temporary stash */
+       /*
++       * Move the saved user r1 to the kernel stack in case PACATMSCRATCH is
++       * clobbered by an exception once we turn on MSR_RI below.
++       */
++      ld      r11, PACATMSCRATCH(r13)
++      std     r11, GPR1(r1)
++
++      /*
+        * Store r13 away so we can free up the scratch SPR for the SLB fault
+        * handler (needed once we start accessing the thread_struct).
+        */
+@@ -237,7 +244,7 @@ dont_backup_fp:
+       SAVE_GPR(8, r7)                         /* user r8 */
+       SAVE_GPR(9, r7)                         /* user r9 */
+       SAVE_GPR(10, r7)                        /* user r10 */
+-      ld      r3, PACATMSCRATCH(r13)          /* user r1 */
++      ld      r3, GPR1(r1)                    /* user r1 */
+       ld      r4, GPR7(r1)                    /* user r7 */
+       ld      r5, GPR11(r1)                   /* user r11 */
+       ld      r6, GPR12(r1)                   /* user r12 */
diff --git a/queue-3.18/powerpc-tm-fix-userspace-r13-corruption.patch b/queue-3.18/powerpc-tm-fix-userspace-r13-corruption.patch
new file mode 100644 (file)
index 0000000..4e415af
--- /dev/null
@@ -0,0 +1,64 @@
+From foo@baz Thu Oct 18 11:14:02 CEST 2018
+From: Michael Neuling <mikey@neuling.org>
+Date: Mon, 24 Sep 2018 17:27:04 +1000
+Subject: powerpc/tm: Fix userspace r13 corruption
+
+From: Michael Neuling <mikey@neuling.org>
+
+[ Upstream commit cf13435b730a502e814c63c84d93db131e563f5f ]
+
+When we treclaim we store the userspace checkpointed r13 to a scratch
+SPR and then later save the scratch SPR to the user thread struct.
+
+Unfortunately, this doesn't work as accessing the user thread struct
+can take an SLB fault and the SLB fault handler will write the same
+scratch SPRG that now contains the userspace r13.
+
+To fix this, we store r13 to the kernel stack (which can't fault)
+before we access the user thread struct.
+
+Found by running P8 guest + powervm + disable_1tb_segments + TM. Seen
+as a random userspace segfault with r13 looking like a kernel address.
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Reviewed-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/tm.S |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/tm.S
++++ b/arch/powerpc/kernel/tm.S
+@@ -199,13 +199,20 @@ dont_backup_fp:
+       std     r1, PACATMSCRATCH(r13)
+       ld      r1, PACAR1(r13)
+-      /* Store the PPR in r11 and reset to decent value */
+       std     r11, GPR11(r1)                  /* Temporary stash */
++      /*
++       * Store r13 away so we can free up the scratch SPR for the SLB fault
++       * handler (needed once we start accessing the thread_struct).
++       */
++      GET_SCRATCH0(r11)
++      std     r11, GPR13(r1)
++
+       /* Reset MSR RI so we can take SLB faults again */
+       li      r11, MSR_RI
+       mtmsrd  r11, 1
++      /* Store the PPR in r11 and reset to decent value */
+       mfspr   r11, SPRN_PPR
+       HMT_MEDIUM
+@@ -234,7 +241,7 @@ dont_backup_fp:
+       ld      r4, GPR7(r1)                    /* user r7 */
+       ld      r5, GPR11(r1)                   /* user r11 */
+       ld      r6, GPR12(r1)                   /* user r12 */
+-      GET_SCRATCH0(8)                         /* user r13 */
++      ld      r8, GPR13(r1)                   /* user r13 */
+       std     r3, GPR1(r7)
+       std     r4, GPR7(r7)
+       std     r5, GPR11(r7)
diff --git a/queue-3.18/risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch b/queue-3.18/risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch
new file mode 100644 (file)
index 0000000..99adc2a
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Thu Oct 18 11:14:02 CEST 2018
+From: James Cowgill <jcowgill@debian.org>
+Date: Thu, 6 Sep 2018 22:57:56 +0100
+Subject: RISC-V: include linux/ftrace.h in asm-prototypes.h
+
+From: James Cowgill <jcowgill@debian.org>
+
+[ Upstream commit 57a489786de9ec37d6e25ef1305dc337047f0236 ]
+
+Building a riscv kernel with CONFIG_FUNCTION_TRACER and
+CONFIG_MODVERSIONS enabled results in these two warnings:
+
+  MODPOST vmlinux.o
+WARNING: EXPORT symbol "return_to_handler" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "_mcount" [vmlinux] version generation failed, symbol will not be versioned.
+
+When exporting symbols from an assembly file, the MODVERSIONS code
+requires their prototypes to be defined in asm-prototypes.h (see
+scripts/Makefile.build). Since both of these symbols have prototypes
+defined in linux/ftrace.h, include this header from RISC-V's
+asm-prototypes.h.
+
+Reported-by: Karsten Merker <merker@debian.org>
+Signed-off-by: James Cowgill <jcowgill@debian.org>
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/asm-prototypes.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+ create mode 100644 arch/riscv/include/asm/asm-prototypes.h
+
+--- /dev/null
++++ b/arch/riscv/include/asm/asm-prototypes.h
+@@ -0,0 +1,7 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef _ASM_RISCV_PROTOTYPES_H
++
++#include <linux/ftrace.h>
++#include <asm-generic/asm-prototypes.h>
++
++#endif /* _ASM_RISCV_PROTOTYPES_H */
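Review bot: The include guard in the new asm-prototypes.h is incomplete: `#ifndef _ASM_RISCV_PROTOTYPES_H` is never followed by a matching define, so the header is not protected against repeated inclusion; add `#define _ASM_RISCV_PROTOTYPES_H` directly after the `#ifndef` line. Separately, this patch is queued for 3.18, and as far as I know RISC-V support entered mainline well after that release, so it is worth confirming that arch/riscv exists in this tree at all. If it does not, the patch only creates a stray header that nothing builds and should be dropped from this queue.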
index 126765e70bef62c69a45584b369e3b79842001ce..d20cfef0e0e2ab047b10efeafbd32c9f990bef69 100644 (file)
@@ -14,3 +14,7 @@ net-mvpp2-extract-the-correct-ethtype-from-the-skb-for-tx-csum-offload.patch
 net-systemport-fix-wake-up-interrupt-race-during-resume.patch
 rtnl-limit-ifla_num_tx_queues-and-ifla_num_rx_queues-to-4096.patch
 ip6_tunnel-be-careful-when-accessing-the-inner-header.patch
+media-af9035-prevent-buffer-overflow-on-write.patch
+risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch
+powerpc-tm-fix-userspace-r13-corruption.patch
+powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch