--- /dev/null
+From 3f8809499bf02ef7874254c5e23fc764a47a21a0 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Thu, 25 Jul 2019 14:57:37 +0800
+Subject: ALSA: hda - Add a conexant codec entry to let mute led work
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 3f8809499bf02ef7874254c5e23fc764a47a21a0 upstream.
+
+This conexant codec isn't in the supported codec list yet, the hda
+generic driver can drive this codec well, but on a Lenovo machine
+with mute/mic-mute leds, we need to apply CXT_FIXUP_THINKPAD_ACPI
+to make the leds work. After adding this codec to the list, the
+driver patch_conexant.c will apply THINKPAD_ACPI to this machine.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -1008,6 +1008,7 @@ static int patch_conexant_auto(struct hd
+ */
+
+ static const struct hda_device_id snd_hda_id_conexant[] = {
++ HDA_CODEC_ENTRY(0x14f11f86, "CX8070", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f12008, "CX8200", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f15045, "CX20549 (Venice)", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f15047, "CX20551 (Waikiki)", patch_conexant_auto),
--- /dev/null
+From 70256b42caaf3e13c2932c2be7903a73fbe8bb8b Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 18 Jul 2019 17:53:13 +0800
+Subject: ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 70256b42caaf3e13c2932c2be7903a73fbe8bb8b upstream.
+
+Commit 7b9584fa1c0b ("staging: line6: Move altsetting to properties")
+set a wrong altsetting for LINE6_PODHD500_1 during refactoring.
+
+Set the correct altsetting number to fix the issue.
+
+BugLink: https://bugs.launchpad.net/bugs/1790595
+Fixes: 7b9584fa1c0b ("staging: line6: Move altsetting to properties")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/podhd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/line6/podhd.c
++++ b/sound/usb/line6/podhd.c
+@@ -155,7 +155,7 @@ static const struct line6_properties pod
+ .capabilities = LINE6_CAP_CONTROL
+ | LINE6_CAP_PCM
+ | LINE6_CAP_HWMON,
+- .altsetting = 1,
++ .altsetting = 0,
+ .ep_ctrl_r = 0x81,
+ .ep_ctrl_w = 0x01,
+ .ep_audio_r = 0x86,
--- /dev/null
+From 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Thu, 11 Jul 2019 21:27:57 +0800
+Subject: hpet: Fix division by zero in hpet_time_div()
+
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+
+commit 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522 upstream.
+
+The base value in do_div() called by hpet_time_div() is truncated from
+unsigned long to uint32_t, resulting in a divide-by-zero exception.
+
+UBSAN: Undefined behaviour in ../drivers/char/hpet.c:572:2
+division by zero
+CPU: 1 PID: 23682 Comm: syz-executor.3 Not tainted 4.4.184.x86_64+ #4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+ 0000000000000000 b573382df1853d00 ffff8800a3287b98 ffffffff81ad7561
+ ffff8800a3287c00 ffffffff838b35b0 ffffffff838b3860 ffff8800a3287c20
+ 0000000000000000 ffff8800a3287bb0 ffffffff81b8f25e ffffffff838b35a0
+Call Trace:
+ [<ffffffff81ad7561>] __dump_stack lib/dump_stack.c:15 [inline]
+ [<ffffffff81ad7561>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
+ [<ffffffff81b8f25e>] ubsan_epilogue+0x12/0x8d lib/ubsan.c:166
+ [<ffffffff81b900cb>] __ubsan_handle_divrem_overflow+0x282/0x2c8 lib/ubsan.c:262
+ [<ffffffff823560dd>] hpet_time_div drivers/char/hpet.c:572 [inline]
+ [<ffffffff823560dd>] hpet_ioctl_common drivers/char/hpet.c:663 [inline]
+ [<ffffffff823560dd>] hpet_ioctl_common.cold+0xa8/0xad drivers/char/hpet.c:577
+ [<ffffffff81e63d56>] hpet_ioctl+0xc6/0x180 drivers/char/hpet.c:676
+ [<ffffffff81711590>] vfs_ioctl fs/ioctl.c:43 [inline]
+ [<ffffffff81711590>] file_ioctl fs/ioctl.c:470 [inline]
+ [<ffffffff81711590>] do_vfs_ioctl+0x6e0/0xf70 fs/ioctl.c:605
+ [<ffffffff81711eb4>] SYSC_ioctl fs/ioctl.c:622 [inline]
+ [<ffffffff81711eb4>] SyS_ioctl+0x94/0xc0 fs/ioctl.c:613
+ [<ffffffff82846003>] tracesys_phase2+0x90/0x95
+
+The main C reproducer autogenerated by syzkaller,
+
+ syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+ memcpy((void*)0x20000100, "/dev/hpet\000", 10);
+ syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0, 0);
+ syscall(__NR_ioctl, r[0], 0x40086806, 0x40000000000000);
+
+Fix it by using div64_ul().
+
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Zhang HongJun <zhanghongjun2@huawei.com>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20190711132757.130092-1-wangkefeng.wang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/hpet.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/char/hpet.c
++++ b/drivers/char/hpet.c
+@@ -569,8 +569,7 @@ static inline unsigned long hpet_time_di
+ unsigned long long m;
+
+ m = hpets->hp_tick_freq + (dis >> 1);
+- do_div(m, dis);
+- return (unsigned long)m;
++ return div64_ul(m, dis);
+ }
+
+ static int
--- /dev/null
+From f16d80b75a096c52354c6e0a574993f3b0dfbdfe Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Fri, 19 Jul 2019 15:05:02 +1000
+Subject: powerpc/tm: Fix oops on sigreturn on systems without TM
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe upstream.
+
+On systems like P9 powernv where we have no TM (or P8 booted with
+ppc_tm=off), userspace can construct a signal context which still has
+the MSR TS bits set. The kernel tries to restore this context which
+results in the following crash:
+
+ Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
+ Oops: Unrecoverable exception, sig: 6 [#1]
+ LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in:
+ CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
+ NIP: c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
+ REGS: c00000003fffbd70 TRAP: 0700 Not tainted (5.2.0-11045-g7142b497d8)
+ MSR: 8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]> CR: 42004242 XER: 00000000
+ CFAR: c0000000000022e0 IRQMASK: 0
+ GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
+ GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
+ GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+ GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
+ GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
+ GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
+ GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
+ GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
+ NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
+ LR [00007fffb2d67e48] 0x7fffb2d67e48
+ Call Trace:
+ Instruction dump:
+ e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
+ e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18
+
+The problem is the signal code assumes TM is enabled when
+CONFIG_PPC_TRANSACTIONAL_MEM is enabled. This may not be the case as
+with P9 powernv or if `ppc_tm=off` is used on P8.
+
+This means any local user can crash the system.
+
+Fix the problem by returning a bad stack frame to the user if they try
+to set the MSR TS bits with sigreturn() on systems where TM is not
+supported.
+
+Found with sigfuz kernel selftest on P9.
+
+This fixes CVE-2019-13648.
+
+Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
+Cc: stable@vger.kernel.org # v3.9
+Reported-by: Praveen Pandey <Praveen.Pandey@in.ibm.com>
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190719050502.405-1-mikey@neuling.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/signal_32.c | 3 +++
+ arch/powerpc/kernel/signal_64.c | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -1261,6 +1261,9 @@ long sys_rt_sigreturn(int r3, int r4, in
+ goto bad;
+
+ if (MSR_TM_ACTIVE(msr_hi<<32)) {
++ /* Trying to start TM on non TM system */
++ if (!cpu_has_feature(CPU_FTR_TM))
++ goto bad;
+ /* We only recheckpoint on return if we're
+ * transaction.
+ */
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -695,6 +695,11 @@ int sys_rt_sigreturn(unsigned long r3, u
+ if (MSR_TM_ACTIVE(msr)) {
+ /* We recheckpoint on return. */
+ struct ucontext __user *uc_transact;
++
++ /* Trying to start TM on non TM system */
++ if (!cpu_has_feature(CPU_FTR_TM))
++ goto badframe;
++
+ if (__get_user(uc_transact, &uc->uc_link))
+ goto badframe;
+ if (restore_tm_sigcontexts(regs, &uc->uc_mcontext,
usb-pci-quirks-correct-amd-pll-quirk-detection.patch
x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch
x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
+hpet-fix-division-by-zero-in-hpet_time_div.patch
+alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch
+alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch
+powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch
Link: https://lkml.kernel.org/r/1564022349-17338-1-git-send-email-zhenzhong.duan@oracle.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 66ca906aa790..801ecd1c3fd5 100644
+---
+ arch/x86/kernel/cpu/bugs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -1226,7 +1226,7 @@ static ssize_t l1tf_show_state(char *buf)
-
+@@ -1094,7 +1094,7 @@ static void __init l1tf_select_mitigatio
static ssize_t mds_show_state(char *buf)
{
-- if (!hypervisor_is_type(X86_HYPER_NATIVE)) {
+ #ifdef CONFIG_HYPERVISOR_GUEST
+- if (x86_hyper) {
+ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
return sprintf(buf, "%s; SMT Host state unknown\n",
mds_strings[mds_mitigation]);
projects / thirdparty / kernel / stable-queue.git / commitdiff
