From: Greg Kroah-Hartman Date: Fri, 7 Sep 2018 12:57:08 +0000 (+0200) Subject: 4.18-stable patches X-Git-Tag: v4.18.7~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=189d2f00aea466289a8a2faa4320cf77a5cb2649;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: arm64-mm-always-enable-config_holes_in_zone.patch bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch cap_inode_getsecurity-use-d_find_any_alias-instead-of-d_find_alias.patch cpuidle-menu-retain-tick-when-shallow-state-is-selected.patch crypto-aesni-use-unaligned-loads-from-gcm_context_data.patch crypto-arm64-sm4-ce-check-for-the-right-cpu-feature-bit.patch crypto-caam-fix-dma-mapping-direction-for-rsa-forms-2-3.patch crypto-caam-jr-fix-descriptor-dma-unmapping.patch crypto-caam-qi-fix-error-path-in-xts-setkey.patch crypto-vmx-fix-sleep-in-atomic-bugs.patch fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch fs-quota-fix-spectre-gadget-in-do_quotactl.patch getxattr-use-correct-xattr-length.patch iommu-ipmmu-vmsa-don-t-register-as-bus-iommu-if-machine-doesn-t-have-ipmmu-vmsa.patch iommu-vt-d-add-definitions-for-pfsid.patch iommu-vt-d-fix-dev-iotlb-pfsid-use.patch kconfig-fix-can-t-open-...-in-parallel-build.patch libnvdimm-fix-ars_status-output-length-calculation.patch libnvdimm-use-max-contiguous-area-for-namespace-size.patch mm-dev_pagemap-do-not-clear-mapping-on-final-put.patch mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch perf-auxtrace-fix-queue-resize.patch pwm-omap-dmtimer-return-eprobe_defer-if-no-dmtimer-platform-data.patch pwm-tiehrpwm-don-t-use-emulation-mode-bits-to-control-pwm-output.patch pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch revert-ubifs-fix-potential-integer-overflow-in-allocation.patch sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch ubifs-check-data-node-size-before-truncate.patch ubifs-fix-directory-size-calculation-for-symlinks.patch ubifs-fix-memory-leak-in-lprobs-self-check.patch ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch ubifs-xattr-don-t-operate-on-deleted-inodes.patch udf-fix-mounting-of-win7-created-udf-filesystems.patch udlfb-don-t-switch-if-we-are-switching-to-the-same-videomode.patch udlfb-fix-display-corruption-of-the-last-line.patch udlfb-fix-semaphore-value-leak.patch udlfb-handle-allocation-failure.patch udlfb-make-a-local-copy-of-fb_ops.patch udlfb-set-line_length-in-dlfb_ops_set_par.patch udlfb-set-optimal-write-delay.patch userns-move-user-access-out-of-the-mutex.patch --- diff --git a/queue-4.18/arm64-mm-always-enable-config_holes_in_zone.patch b/queue-4.18/arm64-mm-always-enable-config_holes_in_zone.patch new file mode 100644 index 00000000000..1f2b5aa2cb3 --- /dev/null +++ b/queue-4.18/arm64-mm-always-enable-config_holes_in_zone.patch @@ -0,0 +1,100 @@ +From f52bb98f5aded4c43e52f5ce19fb83f7261e9e73 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Thu, 30 Aug 2018 16:05:32 +0100 +Subject: arm64: mm: always enable CONFIG_HOLES_IN_ZONE + +From: James Morse + +commit f52bb98f5aded4c43e52f5ce19fb83f7261e9e73 upstream. + +Commit 6d526ee26ccd ("arm64: mm: enable CONFIG_HOLES_IN_ZONE for NUMA") +only enabled HOLES_IN_ZONE for NUMA systems because the NUMA code was +choking on the missing zone for nomap pages. This problem doesn't just +apply to NUMA systems. + +If the architecture doesn't set HAVE_ARCH_PFN_VALID, pfn_valid() will +return true if the pfn is part of a valid sparsemem section. + +When working with multiple pages, the mm code uses pfn_valid_within() +to test each page it uses within the sparsemem section is valid. On +most systems memory comes in MAX_ORDER_NR_PAGES chunks which all +have valid/initialised struct pages. In this case pfn_valid_within() +is optimised out. + +Systems where this isn't true (e.g. due to nomap) should set +HOLES_IN_ZONE and provide HAVE_ARCH_PFN_VALID so that mm tests each +page as it works with it. + +Currently non-NUMA arm64 systems can't enable HOLES_IN_ZONE, leading to +a VM_BUG_ON(): + +| page:fffffdff802e1780 is uninitialized and poisoned +| raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff +| raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff +| page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p)) +| ------------[ cut here ]------------ +| kernel BUG at include/linux/mm.h:978! +| Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +[...] +| CPU: 1 PID: 25236 Comm: dd Not tainted 4.18.0 #7 +| Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 +| pstate: 40000085 (nZcv daIf -PAN -UAO) +| pc : move_freepages_block+0x144/0x248 +| lr : move_freepages_block+0x144/0x248 +| sp : fffffe0071177680 +[...] +| Process dd (pid: 25236, stack limit = 0x0000000094cc07fb) +| Call trace: +| move_freepages_block+0x144/0x248 +| steal_suitable_fallback+0x100/0x16c +| get_page_from_freelist+0x440/0xb20 +| __alloc_pages_nodemask+0xe8/0x838 +| new_slab+0xd4/0x418 +| ___slab_alloc.constprop.27+0x380/0x4a8 +| __slab_alloc.isra.21.constprop.26+0x24/0x34 +| kmem_cache_alloc+0xa8/0x180 +| alloc_buffer_head+0x1c/0x90 +| alloc_page_buffers+0x68/0xb0 +| create_empty_buffers+0x20/0x1ec +| create_page_buffers+0xb0/0xf0 +| __block_write_begin_int+0xc4/0x564 +| __block_write_begin+0x10/0x18 +| block_write_begin+0x48/0xd0 +| blkdev_write_begin+0x28/0x30 +| generic_perform_write+0x98/0x16c +| __generic_file_write_iter+0x138/0x168 +| blkdev_write_iter+0x80/0xf0 +| __vfs_write+0xe4/0x10c +| vfs_write+0xb4/0x168 +| ksys_write+0x44/0x88 +| sys_write+0xc/0x14 +| el0_svc_naked+0x30/0x34 +| Code: aa1303e0 90001a01 91296421 94008902 (d4210000) +| ---[ end trace 1601ba47f6e883fe ]--- + +Remove the NUMA dependency. + +Link: https://www.spinics.net/lists/arm-kernel/msg671851.html +Cc: +Cc: Ard Biesheuvel +Reported-by: Mikulas Patocka +Reviewed-by: Pavel Tatashin +Tested-by: Mikulas Patocka +Signed-off-by: James Morse +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -754,7 +754,6 @@ config NEED_PER_CPU_EMBED_FIRST_CHUNK + + config HOLES_IN_ZONE + def_bool y +- depends on NUMA + + source kernel/Kconfig.preempt + source kernel/Kconfig.hz diff --git a/queue-4.18/bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch b/queue-4.18/bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch new file mode 100644 index 00000000000..e66e5765412 --- /dev/null +++ b/queue-4.18/bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch @@ -0,0 +1,39 @@ +From 3943b040f11ed0cc6d4585fd286a623ca8634547 Mon Sep 17 00:00:00 2001 +From: Shan Hai +Date: Thu, 23 Aug 2018 02:02:56 +0800 +Subject: bcache: release dc->writeback_lock properly in bch_writeback_thread() + +From: Shan Hai + +commit 3943b040f11ed0cc6d4585fd286a623ca8634547 upstream. + +The writeback thread would exit with a lock held when the cache device +is detached via sysfs interface, fix it by releasing the held lock +before exiting the while-loop. + +Fixes: fadd94e05c02 (bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set) +Signed-off-by: Shan Hai +Signed-off-by: Coly Li +Tested-by: Shenghui Wang +Cc: stable@vger.kernel.org #4.17+ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/writeback.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -645,8 +645,10 @@ static int bch_writeback_thread(void *ar + * data on cache. BCACHE_DEV_DETACHING flag is set in + * bch_cached_dev_detach(). + */ +- if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) ++ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) { ++ up_write(&dc->writeback_lock); + break; ++ } + } + + up_write(&dc->writeback_lock); diff --git a/queue-4.18/cap_inode_getsecurity-use-d_find_any_alias-instead-of-d_find_alias.patch b/queue-4.18/cap_inode_getsecurity-use-d_find_any_alias-instead-of-d_find_alias.patch new file mode 100644 index 00000000000..0feba3805c9 --- /dev/null +++ b/queue-4.18/cap_inode_getsecurity-use-d_find_any_alias-instead-of-d_find_alias.patch @@ -0,0 +1,97 @@ +From 355139a8dba446cc11a424cddbf7afebc3041ba1 Mon Sep 17 00:00:00 2001 +From: "Eddie.Horng" +Date: Fri, 20 Jul 2018 15:30:00 +0800 +Subject: cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias() + +From: Eddie.Horng + +commit 355139a8dba446cc11a424cddbf7afebc3041ba1 upstream. + +The code in cap_inode_getsecurity(), introduced by commit 8db6c34f1dbc +("Introduce v3 namespaced file capabilities"), should use +d_find_any_alias() instead of d_find_alias() do handle unhashed dentry +correctly. This is needed, for example, if execveat() is called with an +open but unlinked overlayfs file, because overlayfs unhashes dentry on +unlink. +This is a regression of real life application, first reported at +https://www.spinics.net/lists/linux-unionfs/msg05363.html + +Below reproducer and setup can reproduce the case. + const char* exec="echo"; + const char *newargv[] = { "echo", "hello", NULL}; + const char *newenviron[] = { NULL }; + int fd, err; + + fd = open(exec, O_PATH); + unlink(exec); + err = syscall(322/*SYS_execveat*/, fd, "", newargv, newenviron, +AT_EMPTY_PATH); + if(err<0) + fprintf(stderr, "execveat: %s\n", strerror(errno)); + +gcc compile into ~/test/a.out +mount -t overlay -orw,lowerdir=/mnt/l,upperdir=/mnt/u,workdir=/mnt/w +none /mnt/m +cd /mnt/m +cp /bin/echo . +~/test/a.out + +Expected result: +hello +Actually result: +execveat: Invalid argument +dmesg: +Invalid argument reading file caps for /dev/fd/3 + +The 2nd reproducer and setup emulates similar case but for +regular filesystem: + const char* exec="echo"; + int fd, err; + char buf[256]; + + fd = open(exec, O_RDONLY); + unlink(exec); + err = fgetxattr(fd, "security.capability", buf, 256); + if(err<0) + fprintf(stderr, "fgetxattr: %s\n", strerror(errno)); + +gcc compile into ~/test_fgetxattr + +cd /tmp +cp /bin/echo . +~/test_fgetxattr + +Result: +fgetxattr: Invalid argument + +On regular filesystem, for example, ext4 read xattr from +disk and return to execveat(), will not trigger this issue, however, +the overlay attr handler pass real dentry to vfs_getxattr() will. +This reproducer calls fgetxattr() with an unlinked fd, involkes +vfs_getxattr() then reproduced the case that d_find_alias() in +cap_inode_getsecurity() can't find the unlinked dentry. + +Suggested-by: Amir Goldstein +Acked-by: Amir Goldstein +Acked-by: Serge E. Hallyn +Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities") +Cc: # v4.14 +Signed-off-by: Eddie Horng +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + security/commoncap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/commoncap.c ++++ b/security/commoncap.c +@@ -388,7 +388,7 @@ int cap_inode_getsecurity(struct inode * + if (strcmp(name, "capability") != 0) + return -EOPNOTSUPP; + +- dentry = d_find_alias(inode); ++ dentry = d_find_any_alias(inode); + if (!dentry) + return -EINVAL; + diff --git a/queue-4.18/cpuidle-menu-retain-tick-when-shallow-state-is-selected.patch b/queue-4.18/cpuidle-menu-retain-tick-when-shallow-state-is-selected.patch new file mode 100644 index 00000000000..d8633362054 --- /dev/null +++ b/queue-4.18/cpuidle-menu-retain-tick-when-shallow-state-is-selected.patch @@ -0,0 +1,66 @@ +From 757ab15c3f4968b5a29caf3fe8b67660ce84c3cd Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Tue, 21 Aug 2018 10:44:10 +0200 +Subject: cpuidle: menu: Retain tick when shallow state is selected + +From: Rafael J. Wysocki + +commit 757ab15c3f4968b5a29caf3fe8b67660ce84c3cd upstream. + +The case addressed by commit 5ef499cd571c (cpuidle: menu: Handle +stopped tick more aggressively) in the stopped tick case is present +when the tick has not been stopped yet too. Namely, if only two CPU +idle states, shallow state A with target residency significantly +below the tick boundary and deep state B with target residency +significantly above it, are available and the predicted idle +duration is above the tick boundary, but below the target residency +of state B, state A will be selected and the CPU may spend indefinite +amount of time in it, which is not quite energy-efficient. + +However, if the tick has not been stopped yet and the governor is +about to select a shallow idle state for the CPU even though the idle +duration predicted by it is above the tick boundary, it should be +fine to wake up the CPU early, so the tick can be retained then and +the governor will have a chance to select a deeper state when it runs +next time. + +[Note that when this really happens, it will make the idle duration + predictor believe that the CPU might be idle longer than predicted, + which will make it more likely to predict longer idle durations going + forward, but that will also cause deeper idle states to be selected + going forward, on average, which is what's needed here.] + +Fixes: 87c9fe6ee495 (cpuidle: menu: Avoid selecting shallow states with stopped tick) +Reported-by: Leo Yan +Cc: 4.17+ # 4.17+: 5ef499cd571c (cpuidle: menu: Handle ...) +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpuidle/governors/menu.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/cpuidle/governors/menu.c ++++ b/drivers/cpuidle/governors/menu.c +@@ -380,9 +380,20 @@ static int menu_select(struct cpuidle_dr + if (idx == -1) + idx = i; /* first enabled state */ + if (s->target_residency > data->predicted_us) { +- if (!tick_nohz_tick_stopped()) ++ if (data->predicted_us < TICK_USEC) + break; + ++ if (!tick_nohz_tick_stopped()) { ++ /* ++ * If the state selected so far is shallow, ++ * waking up early won't hurt, so retain the ++ * tick in that case and let the governor run ++ * again in the next iteration of the loop. ++ */ ++ expected_interval = drv->states[idx].target_residency; ++ break; ++ } ++ + /* + * If the state selected so far is shallow and this + * state's target residency matches the time till the diff --git a/queue-4.18/crypto-aesni-use-unaligned-loads-from-gcm_context_data.patch b/queue-4.18/crypto-aesni-use-unaligned-loads-from-gcm_context_data.patch new file mode 100644 index 00000000000..0bd2baf182a --- /dev/null +++ b/queue-4.18/crypto-aesni-use-unaligned-loads-from-gcm_context_data.patch @@ -0,0 +1,283 @@ +From e5b954e8d11fdde55eed35017370a3a0d8837754 Mon Sep 17 00:00:00 2001 +From: Dave Watson +Date: Wed, 15 Aug 2018 10:29:42 -0700 +Subject: crypto: aesni - Use unaligned loads from gcm_context_data + +From: Dave Watson + +commit e5b954e8d11fdde55eed35017370a3a0d8837754 upstream. + +A regression was reported bisecting to 1476db2d12 +"Move HashKey computation from stack to gcm_context". That diff +moved HashKey computation from the stack, which was explicitly aligned +in the asm, to a struct provided from the C code, depending on +AESNI_ALIGN_ATTR for alignment. It appears some compilers may not +align this struct correctly, resulting in a crash on the movdqa +instruction when attempting to encrypt or decrypt data. + +Fix by using unaligned loads for the HashKeys. On modern +hardware there is no perf difference between the unaligned and +aligned loads. All other accesses to gcm_context_data already use +unaligned loads. + +Reported-by: Mauro Rossi +Fixes: 1476db2d12 ("Move HashKey computation from stack to gcm_context") +Cc: +Signed-off-by: Dave Watson +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/aesni-intel_asm.S | 66 +++++++++++++++++++------------------- + 1 file changed, 33 insertions(+), 33 deletions(-) + +--- a/arch/x86/crypto/aesni-intel_asm.S ++++ b/arch/x86/crypto/aesni-intel_asm.S +@@ -223,34 +223,34 @@ ALL_F: .octa 0xffffffffffffffffffff + pcmpeqd TWOONE(%rip), \TMP2 + pand POLY(%rip), \TMP2 + pxor \TMP2, \TMP3 +- movdqa \TMP3, HashKey(%arg2) ++ movdqu \TMP3, HashKey(%arg2) + + movdqa \TMP3, \TMP5 + pshufd $78, \TMP3, \TMP1 + pxor \TMP3, \TMP1 +- movdqa \TMP1, HashKey_k(%arg2) ++ movdqu \TMP1, HashKey_k(%arg2) + + GHASH_MUL \TMP5, \TMP3, \TMP1, \TMP2, \TMP4, \TMP6, \TMP7 + # TMP5 = HashKey^2<<1 (mod poly) +- movdqa \TMP5, HashKey_2(%arg2) ++ movdqu \TMP5, HashKey_2(%arg2) + # HashKey_2 = HashKey^2<<1 (mod poly) + pshufd $78, \TMP5, \TMP1 + pxor \TMP5, \TMP1 +- movdqa \TMP1, HashKey_2_k(%arg2) ++ movdqu \TMP1, HashKey_2_k(%arg2) + + GHASH_MUL \TMP5, \TMP3, \TMP1, \TMP2, \TMP4, \TMP6, \TMP7 + # TMP5 = HashKey^3<<1 (mod poly) +- movdqa \TMP5, HashKey_3(%arg2) ++ movdqu \TMP5, HashKey_3(%arg2) + pshufd $78, \TMP5, \TMP1 + pxor \TMP5, \TMP1 +- movdqa \TMP1, HashKey_3_k(%arg2) ++ movdqu \TMP1, HashKey_3_k(%arg2) + + GHASH_MUL \TMP5, \TMP3, \TMP1, \TMP2, \TMP4, \TMP6, \TMP7 + # TMP5 = HashKey^3<<1 (mod poly) +- movdqa \TMP5, HashKey_4(%arg2) ++ movdqu \TMP5, HashKey_4(%arg2) + pshufd $78, \TMP5, \TMP1 + pxor \TMP5, \TMP1 +- movdqa \TMP1, HashKey_4_k(%arg2) ++ movdqu \TMP1, HashKey_4_k(%arg2) + .endm + + # GCM_INIT initializes a gcm_context struct to prepare for encoding/decoding. +@@ -271,7 +271,7 @@ ALL_F: .octa 0xffffffffffffffffffff + movdqu %xmm0, CurCount(%arg2) # ctx_data.current_counter = iv + + PRECOMPUTE \SUBKEY, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, +- movdqa HashKey(%arg2), %xmm13 ++ movdqu HashKey(%arg2), %xmm13 + + CALC_AAD_HASH %xmm13, \AAD, \AADLEN, %xmm0, %xmm1, %xmm2, %xmm3, \ + %xmm4, %xmm5, %xmm6 +@@ -997,7 +997,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + pshufd $78, \XMM5, \TMP6 + pxor \XMM5, \TMP6 + paddd ONE(%rip), \XMM0 # INCR CNT +- movdqa HashKey_4(%arg2), \TMP5 ++ movdqu HashKey_4(%arg2), \TMP5 + PCLMULQDQ 0x11, \TMP5, \TMP4 # TMP4 = a1*b1 + movdqa \XMM0, \XMM1 + paddd ONE(%rip), \XMM0 # INCR CNT +@@ -1016,7 +1016,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + pxor (%arg1), \XMM2 + pxor (%arg1), \XMM3 + pxor (%arg1), \XMM4 +- movdqa HashKey_4_k(%arg2), \TMP5 ++ movdqu HashKey_4_k(%arg2), \TMP5 + PCLMULQDQ 0x00, \TMP5, \TMP6 # TMP6 = (a1+a0)*(b1+b0) + movaps 0x10(%arg1), \TMP1 + AESENC \TMP1, \XMM1 # Round 1 +@@ -1031,7 +1031,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + movdqa \XMM6, \TMP1 + pshufd $78, \XMM6, \TMP2 + pxor \XMM6, \TMP2 +- movdqa HashKey_3(%arg2), \TMP5 ++ movdqu HashKey_3(%arg2), \TMP5 + PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1 * b1 + movaps 0x30(%arg1), \TMP3 + AESENC \TMP3, \XMM1 # Round 3 +@@ -1044,7 +1044,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + AESENC \TMP3, \XMM2 + AESENC \TMP3, \XMM3 + AESENC \TMP3, \XMM4 +- movdqa HashKey_3_k(%arg2), \TMP5 ++ movdqu HashKey_3_k(%arg2), \TMP5 + PCLMULQDQ 0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0) + movaps 0x50(%arg1), \TMP3 + AESENC \TMP3, \XMM1 # Round 5 +@@ -1058,7 +1058,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + movdqa \XMM7, \TMP1 + pshufd $78, \XMM7, \TMP2 + pxor \XMM7, \TMP2 +- movdqa HashKey_2(%arg2), \TMP5 ++ movdqu HashKey_2(%arg2), \TMP5 + + # Multiply TMP5 * HashKey using karatsuba + +@@ -1074,7 +1074,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + AESENC \TMP3, \XMM2 + AESENC \TMP3, \XMM3 + AESENC \TMP3, \XMM4 +- movdqa HashKey_2_k(%arg2), \TMP5 ++ movdqu HashKey_2_k(%arg2), \TMP5 + PCLMULQDQ 0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0) + movaps 0x80(%arg1), \TMP3 + AESENC \TMP3, \XMM1 # Round 8 +@@ -1092,7 +1092,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + movdqa \XMM8, \TMP1 + pshufd $78, \XMM8, \TMP2 + pxor \XMM8, \TMP2 +- movdqa HashKey(%arg2), \TMP5 ++ movdqu HashKey(%arg2), \TMP5 + PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1*b1 + movaps 0x90(%arg1), \TMP3 + AESENC \TMP3, \XMM1 # Round 9 +@@ -1121,7 +1121,7 @@ aes_loop_par_enc_done\@: + AESENCLAST \TMP3, \XMM2 + AESENCLAST \TMP3, \XMM3 + AESENCLAST \TMP3, \XMM4 +- movdqa HashKey_k(%arg2), \TMP5 ++ movdqu HashKey_k(%arg2), \TMP5 + PCLMULQDQ 0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0) + movdqu (%arg4,%r11,1), \TMP3 + pxor \TMP3, \XMM1 # Ciphertext/Plaintext XOR EK +@@ -1205,7 +1205,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + pshufd $78, \XMM5, \TMP6 + pxor \XMM5, \TMP6 + paddd ONE(%rip), \XMM0 # INCR CNT +- movdqa HashKey_4(%arg2), \TMP5 ++ movdqu HashKey_4(%arg2), \TMP5 + PCLMULQDQ 0x11, \TMP5, \TMP4 # TMP4 = a1*b1 + movdqa \XMM0, \XMM1 + paddd ONE(%rip), \XMM0 # INCR CNT +@@ -1224,7 +1224,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + pxor (%arg1), \XMM2 + pxor (%arg1), \XMM3 + pxor (%arg1), \XMM4 +- movdqa HashKey_4_k(%arg2), \TMP5 ++ movdqu HashKey_4_k(%arg2), \TMP5 + PCLMULQDQ 0x00, \TMP5, \TMP6 # TMP6 = (a1+a0)*(b1+b0) + movaps 0x10(%arg1), \TMP1 + AESENC \TMP1, \XMM1 # Round 1 +@@ -1239,7 +1239,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + movdqa \XMM6, \TMP1 + pshufd $78, \XMM6, \TMP2 + pxor \XMM6, \TMP2 +- movdqa HashKey_3(%arg2), \TMP5 ++ movdqu HashKey_3(%arg2), \TMP5 + PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1 * b1 + movaps 0x30(%arg1), \TMP3 + AESENC \TMP3, \XMM1 # Round 3 +@@ -1252,7 +1252,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + AESENC \TMP3, \XMM2 + AESENC \TMP3, \XMM3 + AESENC \TMP3, \XMM4 +- movdqa HashKey_3_k(%arg2), \TMP5 ++ movdqu HashKey_3_k(%arg2), \TMP5 + PCLMULQDQ 0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0) + movaps 0x50(%arg1), \TMP3 + AESENC \TMP3, \XMM1 # Round 5 +@@ -1266,7 +1266,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + movdqa \XMM7, \TMP1 + pshufd $78, \XMM7, \TMP2 + pxor \XMM7, \TMP2 +- movdqa HashKey_2(%arg2), \TMP5 ++ movdqu HashKey_2(%arg2), \TMP5 + + # Multiply TMP5 * HashKey using karatsuba + +@@ -1282,7 +1282,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + AESENC \TMP3, \XMM2 + AESENC \TMP3, \XMM3 + AESENC \TMP3, \XMM4 +- movdqa HashKey_2_k(%arg2), \TMP5 ++ movdqu HashKey_2_k(%arg2), \TMP5 + PCLMULQDQ 0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0) + movaps 0x80(%arg1), \TMP3 + AESENC \TMP3, \XMM1 # Round 8 +@@ -1300,7 +1300,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 + movdqa \XMM8, \TMP1 + pshufd $78, \XMM8, \TMP2 + pxor \XMM8, \TMP2 +- movdqa HashKey(%arg2), \TMP5 ++ movdqu HashKey(%arg2), \TMP5 + PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1*b1 + movaps 0x90(%arg1), \TMP3 + AESENC \TMP3, \XMM1 # Round 9 +@@ -1329,7 +1329,7 @@ aes_loop_par_dec_done\@: + AESENCLAST \TMP3, \XMM2 + AESENCLAST \TMP3, \XMM3 + AESENCLAST \TMP3, \XMM4 +- movdqa HashKey_k(%arg2), \TMP5 ++ movdqu HashKey_k(%arg2), \TMP5 + PCLMULQDQ 0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0) + movdqu (%arg4,%r11,1), \TMP3 + pxor \TMP3, \XMM1 # Ciphertext/Plaintext XOR EK +@@ -1405,10 +1405,10 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst + movdqa \XMM1, \TMP6 + pshufd $78, \XMM1, \TMP2 + pxor \XMM1, \TMP2 +- movdqa HashKey_4(%arg2), \TMP5 ++ movdqu HashKey_4(%arg2), \TMP5 + PCLMULQDQ 0x11, \TMP5, \TMP6 # TMP6 = a1*b1 + PCLMULQDQ 0x00, \TMP5, \XMM1 # XMM1 = a0*b0 +- movdqa HashKey_4_k(%arg2), \TMP4 ++ movdqu HashKey_4_k(%arg2), \TMP4 + PCLMULQDQ 0x00, \TMP4, \TMP2 # TMP2 = (a1+a0)*(b1+b0) + movdqa \XMM1, \XMMDst + movdqa \TMP2, \XMM1 # result in TMP6, XMMDst, XMM1 +@@ -1418,10 +1418,10 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst + movdqa \XMM2, \TMP1 + pshufd $78, \XMM2, \TMP2 + pxor \XMM2, \TMP2 +- movdqa HashKey_3(%arg2), \TMP5 ++ movdqu HashKey_3(%arg2), \TMP5 + PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1*b1 + PCLMULQDQ 0x00, \TMP5, \XMM2 # XMM2 = a0*b0 +- movdqa HashKey_3_k(%arg2), \TMP4 ++ movdqu HashKey_3_k(%arg2), \TMP4 + PCLMULQDQ 0x00, \TMP4, \TMP2 # TMP2 = (a1+a0)*(b1+b0) + pxor \TMP1, \TMP6 + pxor \XMM2, \XMMDst +@@ -1433,10 +1433,10 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst + movdqa \XMM3, \TMP1 + pshufd $78, \XMM3, \TMP2 + pxor \XMM3, \TMP2 +- movdqa HashKey_2(%arg2), \TMP5 ++ movdqu HashKey_2(%arg2), \TMP5 + PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1*b1 + PCLMULQDQ 0x00, \TMP5, \XMM3 # XMM3 = a0*b0 +- movdqa HashKey_2_k(%arg2), \TMP4 ++ movdqu HashKey_2_k(%arg2), \TMP4 + PCLMULQDQ 0x00, \TMP4, \TMP2 # TMP2 = (a1+a0)*(b1+b0) + pxor \TMP1, \TMP6 + pxor \XMM3, \XMMDst +@@ -1446,10 +1446,10 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst + movdqa \XMM4, \TMP1 + pshufd $78, \XMM4, \TMP2 + pxor \XMM4, \TMP2 +- movdqa HashKey(%arg2), \TMP5 ++ movdqu HashKey(%arg2), \TMP5 + PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1*b1 + PCLMULQDQ 0x00, \TMP5, \XMM4 # XMM4 = a0*b0 +- movdqa HashKey_k(%arg2), \TMP4 ++ movdqu HashKey_k(%arg2), \TMP4 + PCLMULQDQ 0x00, \TMP4, \TMP2 # TMP2 = (a1+a0)*(b1+b0) + pxor \TMP1, \TMP6 + pxor \XMM4, \XMMDst diff --git a/queue-4.18/crypto-arm64-sm4-ce-check-for-the-right-cpu-feature-bit.patch b/queue-4.18/crypto-arm64-sm4-ce-check-for-the-right-cpu-feature-bit.patch new file mode 100644 index 00000000000..ad2ee1d0616 --- /dev/null +++ b/queue-4.18/crypto-arm64-sm4-ce-check-for-the-right-cpu-feature-bit.patch @@ -0,0 +1,34 @@ +From 7fa885e2a22fd0f91a2c23d9275f5021f618ff5a Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Tue, 7 Aug 2018 23:18:36 +0200 +Subject: crypto: arm64/sm4-ce - check for the right CPU feature bit + +From: Ard Biesheuvel + +commit 7fa885e2a22fd0f91a2c23d9275f5021f618ff5a upstream. + +ARMv8.2 specifies special instructions for the SM3 cryptographic hash +and the SM4 symmetric cipher. While it is unlikely that a core would +implement one and not the other, we should only use SM4 instructions +if the SM4 CPU feature bit is set, and we currently check the SM3 +feature bit instead. So fix that. + +Fixes: e99ce921c468 ("crypto: arm64 - add support for SM4...") +Cc: +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/crypto/sm4-ce-glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/crypto/sm4-ce-glue.c ++++ b/arch/arm64/crypto/sm4-ce-glue.c +@@ -69,5 +69,5 @@ static void __exit sm4_ce_mod_fini(void) + crypto_unregister_alg(&sm4_ce_alg); + } + +-module_cpu_feature_match(SM3, sm4_ce_mod_init); ++module_cpu_feature_match(SM4, sm4_ce_mod_init); + module_exit(sm4_ce_mod_fini); diff --git a/queue-4.18/crypto-caam-fix-dma-mapping-direction-for-rsa-forms-2-3.patch b/queue-4.18/crypto-caam-fix-dma-mapping-direction-for-rsa-forms-2-3.patch new file mode 100644 index 00000000000..bab7c587c9a --- /dev/null +++ b/queue-4.18/crypto-caam-fix-dma-mapping-direction-for-rsa-forms-2-3.patch @@ -0,0 +1,104 @@ +From f1bf9e60a0779ec97de9ecdc353e1d01cdd73f43 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Mon, 6 Aug 2018 15:29:55 +0300 +Subject: crypto: caam - fix DMA mapping direction for RSA forms 2 & 3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit f1bf9e60a0779ec97de9ecdc353e1d01cdd73f43 upstream. + +Crypto engine needs some temporary locations in external memory for +running RSA decrypt forms 2 and 3 (CRT). +These are named "tmp1" and "tmp2" in the PDB. + +Update DMA mapping direction of tmp1 and tmp2 from TO_DEVICE to +BIDIRECTIONAL, since engine needs r/w access. + +Cc: # 4.13+ +Fixes: 52e26d77b8b3 ("crypto: caam - add support for RSA key form 2") +Fixes: 4a651b122adb ("crypto: caam - add support for RSA key form 3") +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caampkc.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/crypto/caam/caampkc.c ++++ b/drivers/crypto/caam/caampkc.c +@@ -71,8 +71,8 @@ static void rsa_priv_f2_unmap(struct dev + dma_unmap_single(dev, pdb->d_dma, key->d_sz, DMA_TO_DEVICE); + dma_unmap_single(dev, pdb->p_dma, p_sz, DMA_TO_DEVICE); + dma_unmap_single(dev, pdb->q_dma, q_sz, DMA_TO_DEVICE); +- dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_TO_DEVICE); +- dma_unmap_single(dev, pdb->tmp2_dma, q_sz, DMA_TO_DEVICE); ++ dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_BIDIRECTIONAL); ++ dma_unmap_single(dev, pdb->tmp2_dma, q_sz, DMA_BIDIRECTIONAL); + } + + static void rsa_priv_f3_unmap(struct device *dev, struct rsa_edesc *edesc, +@@ -90,8 +90,8 @@ static void rsa_priv_f3_unmap(struct dev + dma_unmap_single(dev, pdb->dp_dma, p_sz, DMA_TO_DEVICE); + dma_unmap_single(dev, pdb->dq_dma, q_sz, DMA_TO_DEVICE); + dma_unmap_single(dev, pdb->c_dma, p_sz, DMA_TO_DEVICE); +- dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_TO_DEVICE); +- dma_unmap_single(dev, pdb->tmp2_dma, q_sz, DMA_TO_DEVICE); ++ dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_BIDIRECTIONAL); ++ dma_unmap_single(dev, pdb->tmp2_dma, q_sz, DMA_BIDIRECTIONAL); + } + + /* RSA Job Completion handler */ +@@ -417,13 +417,13 @@ static int set_rsa_priv_f2_pdb(struct ak + goto unmap_p; + } + +- pdb->tmp1_dma = dma_map_single(dev, key->tmp1, p_sz, DMA_TO_DEVICE); ++ pdb->tmp1_dma = dma_map_single(dev, key->tmp1, p_sz, DMA_BIDIRECTIONAL); + if (dma_mapping_error(dev, pdb->tmp1_dma)) { + dev_err(dev, "Unable to map RSA tmp1 memory\n"); + goto unmap_q; + } + +- pdb->tmp2_dma = dma_map_single(dev, key->tmp2, q_sz, DMA_TO_DEVICE); ++ pdb->tmp2_dma = dma_map_single(dev, key->tmp2, q_sz, DMA_BIDIRECTIONAL); + if (dma_mapping_error(dev, pdb->tmp2_dma)) { + dev_err(dev, "Unable to map RSA tmp2 memory\n"); + goto unmap_tmp1; +@@ -451,7 +451,7 @@ static int set_rsa_priv_f2_pdb(struct ak + return 0; + + unmap_tmp1: +- dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_TO_DEVICE); ++ dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_BIDIRECTIONAL); + unmap_q: + dma_unmap_single(dev, pdb->q_dma, q_sz, DMA_TO_DEVICE); + unmap_p: +@@ -504,13 +504,13 @@ static int set_rsa_priv_f3_pdb(struct ak + goto unmap_dq; + } + +- pdb->tmp1_dma = dma_map_single(dev, key->tmp1, p_sz, DMA_TO_DEVICE); ++ pdb->tmp1_dma = dma_map_single(dev, key->tmp1, p_sz, DMA_BIDIRECTIONAL); + if (dma_mapping_error(dev, pdb->tmp1_dma)) { + dev_err(dev, "Unable to map RSA tmp1 memory\n"); + goto unmap_qinv; + } + +- pdb->tmp2_dma = dma_map_single(dev, key->tmp2, q_sz, DMA_TO_DEVICE); ++ pdb->tmp2_dma = dma_map_single(dev, key->tmp2, q_sz, DMA_BIDIRECTIONAL); + if (dma_mapping_error(dev, pdb->tmp2_dma)) { + dev_err(dev, "Unable to map RSA tmp2 memory\n"); + goto unmap_tmp1; +@@ -538,7 +538,7 @@ static int set_rsa_priv_f3_pdb(struct ak + return 0; + + unmap_tmp1: +- dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_TO_DEVICE); ++ dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_BIDIRECTIONAL); + unmap_qinv: + dma_unmap_single(dev, pdb->c_dma, p_sz, DMA_TO_DEVICE); + unmap_dq: diff --git a/queue-4.18/crypto-caam-jr-fix-descriptor-dma-unmapping.patch b/queue-4.18/crypto-caam-jr-fix-descriptor-dma-unmapping.patch new file mode 100644 index 00000000000..8b8befd094d --- /dev/null +++ b/queue-4.18/crypto-caam-jr-fix-descriptor-dma-unmapping.patch @@ -0,0 +1,38 @@ +From cc98963dbaaea93d17608641b8d6942a5327fc31 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Mon, 6 Aug 2018 15:29:09 +0300 +Subject: crypto: caam/jr - fix descriptor DMA unmapping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit cc98963dbaaea93d17608641b8d6942a5327fc31 upstream. + +Descriptor address needs to be swapped to CPU endianness before being +DMA unmapped. + +Cc: # 4.8+ +Fixes: 261ea058f016 ("crypto: caam - handle core endianness != caam endianness") +Reported-by: Laurentiu Tudor +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/jr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/caam/jr.c ++++ b/drivers/crypto/caam/jr.c +@@ -190,7 +190,8 @@ static void caam_jr_dequeue(unsigned lon + BUG_ON(CIRC_CNT(head, tail + i, JOBR_DEPTH) <= 0); + + /* Unmap just-run descriptor so we can post-process */ +- dma_unmap_single(dev, jrp->outring[hw_idx].desc, ++ dma_unmap_single(dev, ++ caam_dma_to_cpu(jrp->outring[hw_idx].desc), + jrp->entinfo[sw_idx].desc_size, + DMA_TO_DEVICE); + diff --git a/queue-4.18/crypto-caam-qi-fix-error-path-in-xts-setkey.patch b/queue-4.18/crypto-caam-qi-fix-error-path-in-xts-setkey.patch new file mode 100644 index 00000000000..98f2c3590db --- /dev/null +++ b/queue-4.18/crypto-caam-qi-fix-error-path-in-xts-setkey.patch @@ -0,0 +1,48 @@ +From ad876a18048f43b1f66f5d474b7598538668c5de Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Mon, 6 Aug 2018 15:29:39 +0300 +Subject: crypto: caam/qi - fix error path in xts setkey +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit ad876a18048f43b1f66f5d474b7598538668c5de upstream. + +xts setkey callback returns 0 on some error paths. +Fix this by returning -EINVAL. + +Cc: # 4.12+ +Fixes: b189817cf789 ("crypto: caam/qi - add ablkcipher and authenc algorithms") +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamalg_qi.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/crypto/caam/caamalg_qi.c ++++ b/drivers/crypto/caam/caamalg_qi.c +@@ -679,10 +679,8 @@ static int xts_ablkcipher_setkey(struct + int ret = 0; + + if (keylen != 2 * AES_MIN_KEY_SIZE && keylen != 2 * AES_MAX_KEY_SIZE) { +- crypto_ablkcipher_set_flags(ablkcipher, +- CRYPTO_TFM_RES_BAD_KEY_LEN); + dev_err(jrdev, "key size mismatch\n"); +- return -EINVAL; ++ goto badkey; + } + + ctx->cdata.keylen = keylen; +@@ -715,7 +713,7 @@ static int xts_ablkcipher_setkey(struct + return ret; + badkey: + crypto_ablkcipher_set_flags(ablkcipher, CRYPTO_TFM_RES_BAD_KEY_LEN); +- return 0; ++ return -EINVAL; + } + + /* diff --git a/queue-4.18/crypto-vmx-fix-sleep-in-atomic-bugs.patch b/queue-4.18/crypto-vmx-fix-sleep-in-atomic-bugs.patch new file mode 100644 index 00000000000..888fc003311 --- /dev/null +++ b/queue-4.18/crypto-vmx-fix-sleep-in-atomic-bugs.patch @@ -0,0 +1,162 @@ +From 0522236d4f9c5ab2e79889cb020d1acbe5da416e Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Wed, 22 Aug 2018 08:26:31 +0200 +Subject: crypto: vmx - Fix sleep-in-atomic bugs + +From: Ondrej Mosnacek + +commit 0522236d4f9c5ab2e79889cb020d1acbe5da416e upstream. + +This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX +implementations. The problem is that the blkcipher_* functions should +not be called in atomic context. + +The bugs can be reproduced via the AF_ALG interface by trying to +encrypt/decrypt sufficiently large buffers (at least 64 KiB) using the +VMX implementations of 'cbc(aes)' or 'xts(aes)'. Such operations then +trigger BUG in crypto_yield(): + +[ 891.863680] BUG: sleeping function called from invalid context at include/crypto/algapi.h:424 +[ 891.864622] in_atomic(): 1, irqs_disabled(): 0, pid: 12347, name: kcapi-enc +[ 891.864739] 1 lock held by kcapi-enc/12347: +[ 891.864811] #0: 00000000f5d42c46 (sk_lock-AF_ALG){+.+.}, at: skcipher_recvmsg+0x50/0x530 +[ 891.865076] CPU: 5 PID: 12347 Comm: kcapi-enc Not tainted 4.19.0-0.rc0.git3.1.fc30.ppc64le #1 +[ 891.865251] Call Trace: +[ 891.865340] [c0000003387578c0] [c000000000d67ea4] dump_stack+0xe8/0x164 (unreliable) +[ 891.865511] [c000000338757910] [c000000000172a58] ___might_sleep+0x2f8/0x310 +[ 891.865679] [c000000338757990] [c0000000006bff74] blkcipher_walk_done+0x374/0x4a0 +[ 891.865825] [c0000003387579e0] [d000000007e73e70] p8_aes_cbc_encrypt+0x1c8/0x260 [vmx_crypto] +[ 891.865993] [c000000338757ad0] [c0000000006c0ee0] skcipher_encrypt_blkcipher+0x60/0x80 +[ 891.866128] [c000000338757b10] [c0000000006ec504] skcipher_recvmsg+0x424/0x530 +[ 891.866283] [c000000338757bd0] [c000000000b00654] sock_recvmsg+0x74/0xa0 +[ 891.866403] [c000000338757c10] [c000000000b00f64] ___sys_recvmsg+0xf4/0x2f0 +[ 891.866515] [c000000338757d90] [c000000000b02bb8] __sys_recvmsg+0x68/0xe0 +[ 891.866631] [c000000338757e30] [c00000000000bbe4] system_call+0x5c/0x70 + +Fixes: 8c755ace357c ("crypto: vmx - Adding CBC routines for VMX module") +Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS") +Cc: stable@vger.kernel.org +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/vmx/aes_cbc.c | 30 ++++++++++++++---------------- + drivers/crypto/vmx/aes_xts.c | 21 ++++++++++++++------- + 2 files changed, 28 insertions(+), 23 deletions(-) + +--- a/drivers/crypto/vmx/aes_cbc.c ++++ b/drivers/crypto/vmx/aes_cbc.c +@@ -107,24 +107,23 @@ static int p8_aes_cbc_encrypt(struct blk + ret = crypto_skcipher_encrypt(req); + skcipher_request_zero(req); + } else { +- preempt_disable(); +- pagefault_disable(); +- enable_kernel_vsx(); +- + blkcipher_walk_init(&walk, dst, src, nbytes); + ret = blkcipher_walk_virt(desc, &walk); + while ((nbytes = walk.nbytes)) { ++ preempt_disable(); ++ pagefault_disable(); ++ enable_kernel_vsx(); + aes_p8_cbc_encrypt(walk.src.virt.addr, + walk.dst.virt.addr, + nbytes & AES_BLOCK_MASK, + &ctx->enc_key, walk.iv, 1); ++ disable_kernel_vsx(); ++ pagefault_enable(); ++ preempt_enable(); ++ + nbytes &= AES_BLOCK_SIZE - 1; + ret = blkcipher_walk_done(desc, &walk, nbytes); + } +- +- disable_kernel_vsx(); +- pagefault_enable(); +- preempt_enable(); + } + + return ret; +@@ -147,24 +146,23 @@ static int p8_aes_cbc_decrypt(struct blk + ret = crypto_skcipher_decrypt(req); + skcipher_request_zero(req); + } else { +- preempt_disable(); +- pagefault_disable(); +- enable_kernel_vsx(); +- + blkcipher_walk_init(&walk, dst, src, nbytes); + ret = blkcipher_walk_virt(desc, &walk); + while ((nbytes = walk.nbytes)) { ++ preempt_disable(); ++ pagefault_disable(); ++ enable_kernel_vsx(); + aes_p8_cbc_encrypt(walk.src.virt.addr, + walk.dst.virt.addr, + nbytes & AES_BLOCK_MASK, + &ctx->dec_key, walk.iv, 0); ++ disable_kernel_vsx(); ++ pagefault_enable(); ++ preempt_enable(); ++ + nbytes &= AES_BLOCK_SIZE - 1; + ret = blkcipher_walk_done(desc, &walk, nbytes); + } +- +- disable_kernel_vsx(); +- pagefault_enable(); +- preempt_enable(); + } + + return ret; +--- a/drivers/crypto/vmx/aes_xts.c ++++ b/drivers/crypto/vmx/aes_xts.c +@@ -116,32 +116,39 @@ static int p8_aes_xts_crypt(struct blkci + ret = enc? crypto_skcipher_encrypt(req) : crypto_skcipher_decrypt(req); + skcipher_request_zero(req); + } else { ++ blkcipher_walk_init(&walk, dst, src, nbytes); ++ ++ ret = blkcipher_walk_virt(desc, &walk); ++ + preempt_disable(); + pagefault_disable(); + enable_kernel_vsx(); + +- blkcipher_walk_init(&walk, dst, src, nbytes); +- +- ret = blkcipher_walk_virt(desc, &walk); + iv = walk.iv; + memset(tweak, 0, AES_BLOCK_SIZE); + aes_p8_encrypt(iv, tweak, &ctx->tweak_key); + ++ disable_kernel_vsx(); ++ pagefault_enable(); ++ preempt_enable(); ++ + while ((nbytes = walk.nbytes)) { ++ preempt_disable(); ++ pagefault_disable(); ++ enable_kernel_vsx(); + if (enc) + aes_p8_xts_encrypt(walk.src.virt.addr, walk.dst.virt.addr, + nbytes & AES_BLOCK_MASK, &ctx->enc_key, NULL, tweak); + else + aes_p8_xts_decrypt(walk.src.virt.addr, walk.dst.virt.addr, + nbytes & AES_BLOCK_MASK, &ctx->dec_key, NULL, tweak); ++ disable_kernel_vsx(); ++ pagefault_enable(); ++ preempt_enable(); + + nbytes &= AES_BLOCK_SIZE - 1; + ret = blkcipher_walk_done(desc, &walk, nbytes); + } +- +- disable_kernel_vsx(); +- pagefault_enable(); +- preempt_enable(); + } + return ret; + } diff --git a/queue-4.18/fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch b/queue-4.18/fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch new file mode 100644 index 00000000000..2e6b520523e --- /dev/null +++ b/queue-4.18/fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch @@ -0,0 +1,124 @@ +From 8c5b044299951acd91e830a688dd920477ea1eda Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 25 Jul 2018 15:41:54 +0200 +Subject: fb: fix lost console when the user unplugs a USB adapter + +From: Mikulas Patocka + +commit 8c5b044299951acd91e830a688dd920477ea1eda upstream. + +I have a USB display adapter using the udlfb driver and I use it on an ARM +board that doesn't have any graphics card. When I plug the adapter in, the +console is properly displayed, however when I unplug and re-plug the +adapter, the console is not displayed and I can't access it until I reboot +the board. + +The reason is this: +When the adapter is unplugged, dlfb_usb_disconnect calls +unlink_framebuffer, then it waits until the reference count drops to zero +and then it deallocates the framebuffer. However, the console that is +attached to the framebuffer device keeps the reference count non-zero, so +the framebuffer device is never destroyed. When the USB adapter is plugged +again, it creates a new device /dev/fb1 and the console is not attached to +it. + +This patch fixes the bug by unbinding the console from unlink_framebuffer. +The code to unbind the console is moved from do_unregister_framebuffer to +a function unbind_console. When the console is unbound, the reference +count drops to zero and the udlfb driver frees the framebuffer. When the +adapter is plugged back, a new framebuffer is created and the console is +attached to it. + +Signed-off-by: Mikulas Patocka +Cc: Dave Airlie +Cc: Bernie Thompson +Cc: Ladislav Michl +Cc: stable@vger.kernel.org +[b.zolnierkie: preserve old behavior for do_unregister_framebuffer()] +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/core/fbmem.c | 38 ++++++++++++++++++++++++++++++++------ + 1 file changed, 32 insertions(+), 6 deletions(-) + +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1704,12 +1704,12 @@ static int do_register_framebuffer(struc + return 0; + } + +-static int do_unregister_framebuffer(struct fb_info *fb_info) ++static int unbind_console(struct fb_info *fb_info) + { + struct fb_event event; +- int i, ret = 0; ++ int ret; ++ int i = fb_info->node; + +- i = fb_info->node; + if (i < 0 || i >= FB_MAX || registered_fb[i] != fb_info) + return -EINVAL; + +@@ -1724,17 +1724,29 @@ static int do_unregister_framebuffer(str + unlock_fb_info(fb_info); + console_unlock(); + ++ return ret; ++} ++ ++static int __unlink_framebuffer(struct fb_info *fb_info); ++ ++static int do_unregister_framebuffer(struct fb_info *fb_info) ++{ ++ struct fb_event event; ++ int ret; ++ ++ ret = unbind_console(fb_info); ++ + if (ret) + return -EINVAL; + + pm_vt_switch_unregister(fb_info->dev); + +- unlink_framebuffer(fb_info); ++ __unlink_framebuffer(fb_info); + if (fb_info->pixmap.addr && + (fb_info->pixmap.flags & FB_PIXMAP_DEFAULT)) + kfree(fb_info->pixmap.addr); + fb_destroy_modelist(&fb_info->modelist); +- registered_fb[i] = NULL; ++ registered_fb[fb_info->node] = NULL; + num_registered_fb--; + fb_cleanup_device(fb_info); + event.info = fb_info; +@@ -1747,7 +1759,7 @@ static int do_unregister_framebuffer(str + return 0; + } + +-int unlink_framebuffer(struct fb_info *fb_info) ++static int __unlink_framebuffer(struct fb_info *fb_info) + { + int i; + +@@ -1759,6 +1771,20 @@ int unlink_framebuffer(struct fb_info *f + device_destroy(fb_class, MKDEV(FB_MAJOR, i)); + fb_info->dev = NULL; + } ++ ++ return 0; ++} ++ ++int unlink_framebuffer(struct fb_info *fb_info) ++{ ++ int ret; ++ ++ ret = __unlink_framebuffer(fb_info); ++ if (ret) ++ return ret; ++ ++ unbind_console(fb_info); ++ + return 0; + } + EXPORT_SYMBOL(unlink_framebuffer); diff --git a/queue-4.18/fs-quota-fix-spectre-gadget-in-do_quotactl.patch b/queue-4.18/fs-quota-fix-spectre-gadget-in-do_quotactl.patch new file mode 100644 index 00000000000..efa3ca15885 --- /dev/null +++ b/queue-4.18/fs-quota-fix-spectre-gadget-in-do_quotactl.patch @@ -0,0 +1,76 @@ +From 7b6924d94a60c6b8c1279ca003e8744e6cd9e8b1 Mon Sep 17 00:00:00 2001 +From: Jeremy Cline +Date: Tue, 31 Jul 2018 01:37:31 +0000 +Subject: fs/quota: Fix spectre gadget in do_quotactl + +From: Jeremy Cline + +commit 7b6924d94a60c6b8c1279ca003e8744e6cd9e8b1 upstream. + +'type' is user-controlled, so sanitize it after the bounds check to +avoid using it in speculative execution. This covers the following +potential gadgets detected with the help of smatch: + +* fs/ext4/super.c:5741 ext4_quota_read() warn: potential spectre issue + 'sb_dqopt(sb)->files' [r] +* fs/ext4/super.c:5778 ext4_quota_write() warn: potential spectre issue + 'sb_dqopt(sb)->files' [r] +* fs/f2fs/super.c:1552 f2fs_quota_read() warn: potential spectre issue + 'sb_dqopt(sb)->files' [r] +* fs/f2fs/super.c:1608 f2fs_quota_write() warn: potential spectre issue + 'sb_dqopt(sb)->files' [r] +* fs/quota/dquot.c:412 mark_info_dirty() warn: potential spectre issue + 'sb_dqopt(sb)->info' [w] +* fs/quota/dquot.c:933 dqinit_needed() warn: potential spectre issue + 'dquots' [r] +* fs/quota/dquot.c:2112 dquot_commit_info() warn: potential spectre + issue 'dqopt->ops' [r] +* fs/quota/dquot.c:2362 vfs_load_quota_inode() warn: potential spectre + issue 'dqopt->files' [w] (local cap) +* fs/quota/dquot.c:2369 vfs_load_quota_inode() warn: potential spectre + issue 'dqopt->ops' [w] (local cap) +* fs/quota/dquot.c:2370 vfs_load_quota_inode() warn: potential spectre + issue 'dqopt->info' [w] (local cap) +* fs/quota/quota.c:110 quota_getfmt() warn: potential spectre issue + 'sb_dqopt(sb)->info' [r] +* fs/quota/quota_v2.c:84 v2_check_quota_file() warn: potential spectre + issue 'quota_magics' [w] +* fs/quota/quota_v2.c:85 v2_check_quota_file() warn: potential spectre + issue 'quota_versions' [w] +* fs/quota/quota_v2.c:96 v2_read_file_info() warn: potential spectre + issue 'dqopt->info' [r] +* fs/quota/quota_v2.c:172 v2_write_file_info() warn: potential spectre + issue 'dqopt->info' [r] + +Additionally, a quick inspection indicates there are array accesses with +'type' in quota_on() and quota_off() functions which are also addressed +by this. + +Cc: Josh Poimboeuf +Cc: stable@vger.kernel.org +Signed-off-by: Jeremy Cline +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/quota/quota.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/quota/quota.c ++++ b/fs/quota/quota.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + static int check_quotactl_permission(struct super_block *sb, int type, int cmd, + qid_t id) +@@ -703,6 +704,7 @@ static int do_quotactl(struct super_bloc + + if (type >= (XQM_COMMAND(cmd) ? XQM_MAXQUOTAS : MAXQUOTAS)) + return -EINVAL; ++ type = array_index_nospec(type, MAXQUOTAS); + /* + * Quota not supported on this fs? Check this before s_quota_types + * since they needn't be set if quota is not supported at all. diff --git a/queue-4.18/getxattr-use-correct-xattr-length.patch b/queue-4.18/getxattr-use-correct-xattr-length.patch new file mode 100644 index 00000000000..2ba65eb994e --- /dev/null +++ b/queue-4.18/getxattr-use-correct-xattr-length.patch @@ -0,0 +1,134 @@ +From 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Thu, 7 Jun 2018 13:43:48 +0200 +Subject: getxattr: use correct xattr length + +From: Christian Brauner + +commit 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 upstream. + +When running in a container with a user namespace, if you call getxattr +with name = "system.posix_acl_access" and size % 8 != 4, then getxattr +silently skips the user namespace fixup that it normally does resulting in +un-fixed-up data being returned. +This is caused by posix_acl_fix_xattr_to_user() being passed the total +buffer size and not the actual size of the xattr as returned by +vfs_getxattr(). +This commit passes the actual length of the xattr as returned by +vfs_getxattr() down. + +A reproducer for the issue is: + + touch acl_posix + + setfacl -m user:0:rwx acl_posix + +and the compile: + + #define _GNU_SOURCE + #include + #include + #include + #include + #include + #include + #include + + /* Run in user namespace with nsuid 0 mapped to uid != 0 on the host. */ + int main(int argc, void **argv) + { + ssize_t ret1, ret2; + char buf1[128], buf2[132]; + int fret = EXIT_SUCCESS; + char *file; + + if (argc < 2) { + fprintf(stderr, + "Please specify a file with " + "\"system.posix_acl_access\" permissions set\n"); + _exit(EXIT_FAILURE); + } + file = argv[1]; + + ret1 = getxattr(file, "system.posix_acl_access", + buf1, sizeof(buf1)); + if (ret1 < 0) { + fprintf(stderr, "%s - Failed to retrieve " + "\"system.posix_acl_access\" " + "from \"%s\"\n", strerror(errno), file); + _exit(EXIT_FAILURE); + } + + ret2 = getxattr(file, "system.posix_acl_access", + buf2, sizeof(buf2)); + if (ret2 < 0) { + fprintf(stderr, "%s - Failed to retrieve " + "\"system.posix_acl_access\" " + "from \"%s\"\n", strerror(errno), file); + _exit(EXIT_FAILURE); + } + + if (ret1 != ret2) { + fprintf(stderr, "The value of \"system.posix_acl_" + "access\" for file \"%s\" changed " + "between two successive calls\n", file); + _exit(EXIT_FAILURE); + } + + for (ssize_t i = 0; i < ret2; i++) { + if (buf1[i] == buf2[i]) + continue; + + fprintf(stderr, + "Unexpected different in byte %zd: " + "%02x != %02x\n", i, buf1[i], buf2[i]); + fret = EXIT_FAILURE; + } + + if (fret == EXIT_SUCCESS) + fprintf(stderr, "Test passed\n"); + else + fprintf(stderr, "Test failed\n"); + + _exit(fret); + } +and run: + + ./tester acl_posix + +On a non-fixed up kernel this should return something like: + + root@c1:/# ./t + Unexpected different in byte 16: ffffffa0 != 00 + Unexpected different in byte 17: ffffff86 != 00 + Unexpected different in byte 18: 01 != 00 + +and on a fixed kernel: + + root@c1:~# ./t + Test passed + +Cc: stable@vger.kernel.org +Fixes: 2f6f0654ab61 ("userns: Convert vfs posix_acl support to use kuids and kgids") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199945 +Reported-by: Colin Watson +Signed-off-by: Christian Brauner +Acked-by: Serge Hallyn +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -539,7 +539,7 @@ getxattr(struct dentry *d, const char __ + if (error > 0) { + if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) || + (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0)) +- posix_acl_fix_xattr_to_user(kvalue, size); ++ posix_acl_fix_xattr_to_user(kvalue, error); + if (size && copy_to_user(value, kvalue, error)) + error = -EFAULT; + } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) { diff --git a/queue-4.18/iommu-ipmmu-vmsa-don-t-register-as-bus-iommu-if-machine-doesn-t-have-ipmmu-vmsa.patch b/queue-4.18/iommu-ipmmu-vmsa-don-t-register-as-bus-iommu-if-machine-doesn-t-have-ipmmu-vmsa.patch new file mode 100644 index 00000000000..aa53f7ac9fe --- /dev/null +++ b/queue-4.18/iommu-ipmmu-vmsa-don-t-register-as-bus-iommu-if-machine-doesn-t-have-ipmmu-vmsa.patch @@ -0,0 +1,43 @@ +From 5c5c87411488af3cd082221e567498d813d0fe83 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Fri, 27 Jul 2018 00:19:16 +0300 +Subject: iommu/ipmmu-vmsa: Don't register as BUS IOMMU if machine doesn't have IPMMU-VMSA + +From: Dmitry Osipenko + +commit 5c5c87411488af3cd082221e567498d813d0fe83 upstream. + +This fixes kernel crashing on NVIDIA Tegra if kernel is compiled in +a multiplatform configuration and IPMMU-VMSA driver is enabled. + +Cc: # v3.20+ +Signed-off-by: Dmitry Osipenko +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/ipmmu-vmsa.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/iommu/ipmmu-vmsa.c ++++ b/drivers/iommu/ipmmu-vmsa.c +@@ -1081,12 +1081,19 @@ static struct platform_driver ipmmu_driv + + static int __init ipmmu_init(void) + { ++ struct device_node *np; + static bool setup_done; + int ret; + + if (setup_done) + return 0; + ++ np = of_find_matching_node(NULL, ipmmu_of_ids); ++ if (!np) ++ return 0; ++ ++ of_node_put(np); ++ + ret = platform_driver_register(&ipmmu_driver); + if (ret < 0) + return ret; diff --git a/queue-4.18/iommu-vt-d-add-definitions-for-pfsid.patch b/queue-4.18/iommu-vt-d-add-definitions-for-pfsid.patch new file mode 100644 index 00000000000..cbe5a6a7fe4 --- /dev/null +++ b/queue-4.18/iommu-vt-d-add-definitions-for-pfsid.patch @@ -0,0 +1,64 @@ +From 0f725561e168485eff7277d683405c05b192f537 Mon Sep 17 00:00:00 2001 +From: Jacob Pan +Date: Thu, 7 Jun 2018 09:56:59 -0700 +Subject: iommu/vt-d: Add definitions for PFSID + +From: Jacob Pan + +commit 0f725561e168485eff7277d683405c05b192f537 upstream. + +When SRIOV VF device IOTLB is invalidated, we need to provide +the PF source ID such that IOMMU hardware can gauge the depth +of invalidation queue which is shared among VFs. This is needed +when device invalidation throttle (DIT) capability is supported. + +This patch adds bit definitions for checking and tracking PFSID. + +Signed-off-by: Jacob Pan +Cc: stable@vger.kernel.org +Cc: "Ashok Raj" +Cc: "Lu Baolu" +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 1 + + include/linux/intel-iommu.h | 3 +++ + 2 files changed, 4 insertions(+) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -421,6 +421,7 @@ struct device_domain_info { + struct list_head global; /* link to global list */ + u8 bus; /* PCI bus number */ + u8 devfn; /* PCI devfn number */ ++ u16 pfsid; /* SRIOV physical function source ID */ + u8 pasid_supported:3; + u8 pasid_enabled:1; + u8 pri_supported:1; +--- a/include/linux/intel-iommu.h ++++ b/include/linux/intel-iommu.h +@@ -114,6 +114,7 @@ + * Extended Capability Register + */ + ++#define ecap_dit(e) ((e >> 41) & 0x1) + #define ecap_pasid(e) ((e >> 40) & 0x1) + #define ecap_pss(e) ((e >> 35) & 0x1f) + #define ecap_eafs(e) ((e >> 34) & 0x1) +@@ -284,6 +285,7 @@ enum { + #define QI_DEV_IOTLB_SID(sid) ((u64)((sid) & 0xffff) << 32) + #define QI_DEV_IOTLB_QDEP(qdep) (((qdep) & 0x1f) << 16) + #define QI_DEV_IOTLB_ADDR(addr) ((u64)(addr) & VTD_PAGE_MASK) ++#define QI_DEV_IOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52)) + #define QI_DEV_IOTLB_SIZE 1 + #define QI_DEV_IOTLB_MAX_INVS 32 + +@@ -308,6 +310,7 @@ enum { + #define QI_DEV_EIOTLB_PASID(p) (((u64)p) << 32) + #define QI_DEV_EIOTLB_SID(sid) ((u64)((sid) & 0xffff) << 16) + #define QI_DEV_EIOTLB_QDEP(qd) ((u64)((qd) & 0x1f) << 4) ++#define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52)) + #define QI_DEV_EIOTLB_MAX_INVS 32 + + #define QI_PGRP_IDX(idx) (((u64)(idx)) << 55) diff --git a/queue-4.18/iommu-vt-d-fix-dev-iotlb-pfsid-use.patch b/queue-4.18/iommu-vt-d-fix-dev-iotlb-pfsid-use.patch new file mode 100644 index 00000000000..72405107666 --- /dev/null +++ b/queue-4.18/iommu-vt-d-fix-dev-iotlb-pfsid-use.patch @@ -0,0 +1,94 @@ +From 1c48db44924298ad0cb5a6386b88017539be8822 Mon Sep 17 00:00:00 2001 +From: Jacob Pan +Date: Thu, 7 Jun 2018 09:57:00 -0700 +Subject: iommu/vt-d: Fix dev iotlb pfsid use + +From: Jacob Pan + +commit 1c48db44924298ad0cb5a6386b88017539be8822 upstream. + +PFSID should be used in the invalidation descriptor for flushing +device IOTLBs on SRIOV VFs. + +Signed-off-by: Jacob Pan +Cc: stable@vger.kernel.org +Cc: "Ashok Raj" +Cc: "Lu Baolu" +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/dmar.c | 6 +++--- + drivers/iommu/intel-iommu.c | 17 ++++++++++++++++- + include/linux/intel-iommu.h | 5 ++--- + 3 files changed, 21 insertions(+), 7 deletions(-) + +--- a/drivers/iommu/dmar.c ++++ b/drivers/iommu/dmar.c +@@ -1339,8 +1339,8 @@ void qi_flush_iotlb(struct intel_iommu * + qi_submit_sync(&desc, iommu); + } + +-void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep, +- u64 addr, unsigned mask) ++void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid, ++ u16 qdep, u64 addr, unsigned mask) + { + struct qi_desc desc; + +@@ -1355,7 +1355,7 @@ void qi_flush_dev_iotlb(struct intel_iom + qdep = 0; + + desc.low = QI_DEV_IOTLB_SID(sid) | QI_DEV_IOTLB_QDEP(qdep) | +- QI_DIOTLB_TYPE; ++ QI_DIOTLB_TYPE | QI_DEV_IOTLB_PFSID(pfsid); + + qi_submit_sync(&desc, iommu); + } +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -1502,6 +1502,20 @@ static void iommu_enable_dev_iotlb(struc + return; + + pdev = to_pci_dev(info->dev); ++ /* For IOMMU that supports device IOTLB throttling (DIT), we assign ++ * PFSID to the invalidation desc of a VF such that IOMMU HW can gauge ++ * queue depth at PF level. If DIT is not set, PFSID will be treated as ++ * reserved, which should be set to 0. ++ */ ++ if (!ecap_dit(info->iommu->ecap)) ++ info->pfsid = 0; ++ else { ++ struct pci_dev *pf_pdev; ++ ++ /* pdev will be returned if device is not a vf */ ++ pf_pdev = pci_physfn(pdev); ++ info->pfsid = PCI_DEVID(pf_pdev->bus->number, pf_pdev->devfn); ++ } + + #ifdef CONFIG_INTEL_IOMMU_SVM + /* The PCIe spec, in its wisdom, declares that the behaviour of +@@ -1567,7 +1581,8 @@ static void iommu_flush_dev_iotlb(struct + + sid = info->bus << 8 | info->devfn; + qdep = info->ats_qdep; +- qi_flush_dev_iotlb(info->iommu, sid, qdep, addr, mask); ++ qi_flush_dev_iotlb(info->iommu, sid, info->pfsid, ++ qdep, addr, mask); + } + spin_unlock_irqrestore(&device_domain_lock, flags); + } +--- a/include/linux/intel-iommu.h ++++ b/include/linux/intel-iommu.h +@@ -456,9 +456,8 @@ extern void qi_flush_context(struct inte + u8 fm, u64 type); + extern void qi_flush_iotlb(struct intel_iommu *iommu, u16 did, u64 addr, + unsigned int size_order, u64 type); +-extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep, +- u64 addr, unsigned mask); +- ++extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid, ++ u16 qdep, u64 addr, unsigned mask); + extern int qi_submit_sync(struct qi_desc *desc, struct intel_iommu *iommu); + + extern int dmar_ir_support(void); diff --git a/queue-4.18/kconfig-fix-can-t-open-...-in-parallel-build.patch b/queue-4.18/kconfig-fix-can-t-open-...-in-parallel-build.patch new file mode 100644 index 00000000000..9409b9eeb64 --- /dev/null +++ b/queue-4.18/kconfig-fix-can-t-open-...-in-parallel-build.patch @@ -0,0 +1,72 @@ +From 98a4afbfafd226636cd6bb6a1208b3693daff2b1 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Thu, 16 Aug 2018 13:36:48 +0900 +Subject: kconfig: fix "Can't open ..." in parallel build + +From: Masahiro Yamada + +commit 98a4afbfafd226636cd6bb6a1208b3693daff2b1 upstream. + +If you run "make menuconfig" or "make nconfig" with -j option in a +fresh source tree, you will see several "Can't open ..." messages: + + $ make -j8 menuconfig + HOSTCC scripts/basic/fixdep + YACC scripts/kconfig/zconf.tab.c + LEX scripts/kconfig/zconf.lex.c + /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg + /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg + /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg + /bin/sh: 1: .: HOSTCC scripts/kconfig/lxdialog/checklist.o + Can't open scripts/kconfig/.mconf-cfg + /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg + /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg + /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg + HOSTCC scripts/kconfig/lxdialog/inputbox.o + /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg + /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg + /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg + UPD scripts/kconfig/.mconf-cfg + /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg + HOSTCC scripts/kconfig/lxdialog/menubox.o + HOSTCC scripts/kconfig/lxdialog/textbox.o + HOSTCC scripts/kconfig/lxdialog/util.o + HOSTCC scripts/kconfig/lxdialog/yesno.o + HOSTCC scripts/kconfig/mconf.o + HOSTCC scripts/kconfig/zconf.tab.o + HOSTLD scripts/kconfig/mconf + +Correct dependencies to fix this problem. + +Fixes: 1c5af5cf9308 ("kconfig: refactor ncurses package checks for building mconf and nconf") +Cc: linux-stable # v4.18 +Reported-by: Borislav Petkov +Signed-off-by: Masahiro Yamada +Tested-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/kconfig/Makefile | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/scripts/kconfig/Makefile ++++ b/scripts/kconfig/Makefile +@@ -173,7 +173,7 @@ HOSTLOADLIBES_nconf = $(shell . $(obj)/. + HOSTCFLAGS_nconf.o = $(shell . $(obj)/.nconf-cfg && echo $$cflags) + HOSTCFLAGS_nconf.gui.o = $(shell . $(obj)/.nconf-cfg && echo $$cflags) + +-$(obj)/nconf.o: $(obj)/.nconf-cfg ++$(obj)/nconf.o $(obj)/nconf.gui.o: $(obj)/.nconf-cfg + + # mconf: Used for the menuconfig target based on lxdialog + hostprogs-y += mconf +@@ -184,7 +184,8 @@ HOSTLOADLIBES_mconf = $(shell . $(obj)/. + $(foreach f, mconf.o $(lxdialog), \ + $(eval HOSTCFLAGS_$f = $$(shell . $(obj)/.mconf-cfg && echo $$$$cflags))) + +-$(addprefix $(obj)/, mconf.o $(lxdialog)): $(obj)/.mconf-cfg ++$(obj)/mconf.o: $(obj)/.mconf-cfg ++$(addprefix $(obj)/lxdialog/, $(lxdialog)): $(obj)/.mconf-cfg + + # qconf: Used for the xconfig target based on Qt + hostprogs-y += qconf diff --git a/queue-4.18/libnvdimm-fix-ars_status-output-length-calculation.patch b/queue-4.18/libnvdimm-fix-ars_status-output-length-calculation.patch new file mode 100644 index 00000000000..e99332ed986 --- /dev/null +++ b/queue-4.18/libnvdimm-fix-ars_status-output-length-calculation.patch @@ -0,0 +1,58 @@ +From 286e87718103acdf85f4ed323a37e4839a8a7c05 Mon Sep 17 00:00:00 2001 +From: Vishal Verma +Date: Fri, 10 Aug 2018 13:23:15 -0600 +Subject: libnvdimm: fix ars_status output length calculation + +From: Vishal Verma + +commit 286e87718103acdf85f4ed323a37e4839a8a7c05 upstream. + +Commit efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden ars_status output length handling") +Introduced additional hardening for ambiguity in the ACPI spec for +ars_status output sizing. However, it had a couple of cases mixed up. +Where it should have been checking for (and returning) "out_field[1] - +4" it was using "out_field[1] - 8" and vice versa. + +This caused a four byte discrepancy in the buffer size passed on to +the command handler, and in some cases, this caused memory corruption +like: + + ./daxdev-errors.sh: line 76: 24104 Aborted (core dumped) ./daxdev-errors $busdev $region + malloc(): memory corruption + Program received signal SIGABRT, Aborted. + [...] + #5 0x00007ffff7865a2e in calloc () from /lib64/libc.so.6 + #6 0x00007ffff7bc2970 in ndctl_bus_cmd_new_ars_status (ars_cap=ars_cap@entry=0x6153b0) at ars.c:136 + #7 0x0000000000401644 in check_ars_status (check=0x7fffffffdeb0, bus=0x604c20) at daxdev-errors.c:144 + #8 test_daxdev_clear_error (region_name=, bus_name=) + at daxdev-errors.c:332 + +Cc: +Cc: Dave Jiang +Cc: Keith Busch +Cc: Lukasz Dorau +Cc: Dan Williams +Fixes: efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden ars_status output length handling") +Signed-off-by: Vishal Verma +Reviewed-by: Keith Busch +Signed-of-by: Dave Jiang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/bus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -812,9 +812,9 @@ u32 nd_cmd_out_size(struct nvdimm *nvdim + * overshoots the remainder by 4 bytes, assume it was + * including 'status'. + */ +- if (out_field[1] - 8 == remainder) ++ if (out_field[1] - 4 == remainder) + return remainder; +- return out_field[1] - 4; ++ return out_field[1] - 8; + } else if (cmd == ND_CMD_CALL) { + struct nd_cmd_pkg *pkg = (struct nd_cmd_pkg *) in_field; + diff --git a/queue-4.18/libnvdimm-use-max-contiguous-area-for-namespace-size.patch b/queue-4.18/libnvdimm-use-max-contiguous-area-for-namespace-size.patch new file mode 100644 index 00000000000..3298d0d846e --- /dev/null +++ b/queue-4.18/libnvdimm-use-max-contiguous-area-for-namespace-size.patch @@ -0,0 +1,151 @@ +From 12e3129e29b406c41bc89231092a20d79dbf802c Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Tue, 24 Jul 2018 15:07:57 -0600 +Subject: libnvdimm: Use max contiguous area for namespace size + +From: Keith Busch + +commit 12e3129e29b406c41bc89231092a20d79dbf802c upstream. + +This patch will find the max contiguous area to determine the largest +pmem namespace size that can be created. If the requested size exceeds +the largest available, ENOSPC error will be returned. + +This fixes the allocation underrun error and wrong error return code +that have otherwise been observed as the following kernel warning: + + WARNING: CPU: PID: at drivers/nvdimm/namespace_devs.c:913 size_store + +Fixes: a1f3e4d6a0c3 ("libnvdimm, region: update nd_region_available_dpa() for multi-pmem support") +Cc: +Signed-off-by: Keith Busch +Reviewed-by: Vishal Verma +Signed-off-by: Dave Jiang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/dimm_devs.c | 31 +++++++++++++++++++++++++++++++ + drivers/nvdimm/namespace_devs.c | 6 +++--- + drivers/nvdimm/nd-core.h | 8 ++++++++ + drivers/nvdimm/region_devs.c | 24 ++++++++++++++++++++++++ + 4 files changed, 66 insertions(+), 3 deletions(-) + +--- a/drivers/nvdimm/dimm_devs.c ++++ b/drivers/nvdimm/dimm_devs.c +@@ -537,6 +537,37 @@ resource_size_t nd_blk_available_dpa(str + } + + /** ++ * nd_pmem_max_contiguous_dpa - For the given dimm+region, return the max ++ * contiguous unallocated dpa range. ++ * @nd_region: constrain available space check to this reference region ++ * @nd_mapping: container of dpa-resource-root + labels ++ */ ++resource_size_t nd_pmem_max_contiguous_dpa(struct nd_region *nd_region, ++ struct nd_mapping *nd_mapping) ++{ ++ struct nvdimm_drvdata *ndd = to_ndd(nd_mapping); ++ struct nvdimm_bus *nvdimm_bus; ++ resource_size_t max = 0; ++ struct resource *res; ++ ++ /* if a dimm is disabled the available capacity is zero */ ++ if (!ndd) ++ return 0; ++ ++ nvdimm_bus = walk_to_nvdimm_bus(ndd->dev); ++ if (__reserve_free_pmem(&nd_region->dev, nd_mapping->nvdimm)) ++ return 0; ++ for_each_dpa_resource(ndd, res) { ++ if (strcmp(res->name, "pmem-reserve") != 0) ++ continue; ++ if (resource_size(res) > max) ++ max = resource_size(res); ++ } ++ release_free_pmem(nvdimm_bus, nd_mapping); ++ return max; ++} ++ ++/** + * nd_pmem_available_dpa - for the given dimm+region account unallocated dpa + * @nd_mapping: container of dpa-resource-root + labels + * @nd_region: constrain available space check to this reference region +--- a/drivers/nvdimm/namespace_devs.c ++++ b/drivers/nvdimm/namespace_devs.c +@@ -799,7 +799,7 @@ static int merge_dpa(struct nd_region *n + return 0; + } + +-static int __reserve_free_pmem(struct device *dev, void *data) ++int __reserve_free_pmem(struct device *dev, void *data) + { + struct nvdimm *nvdimm = data; + struct nd_region *nd_region; +@@ -836,7 +836,7 @@ static int __reserve_free_pmem(struct de + return 0; + } + +-static void release_free_pmem(struct nvdimm_bus *nvdimm_bus, ++void release_free_pmem(struct nvdimm_bus *nvdimm_bus, + struct nd_mapping *nd_mapping) + { + struct nvdimm_drvdata *ndd = to_ndd(nd_mapping); +@@ -1032,7 +1032,7 @@ static ssize_t __size_store(struct devic + + allocated += nvdimm_allocated_dpa(ndd, &label_id); + } +- available = nd_region_available_dpa(nd_region); ++ available = nd_region_allocatable_dpa(nd_region); + + if (val > available + allocated) + return -ENOSPC; +--- a/drivers/nvdimm/nd-core.h ++++ b/drivers/nvdimm/nd-core.h +@@ -100,6 +100,14 @@ struct nd_region; + struct nvdimm_drvdata; + struct nd_mapping; + void nd_mapping_free_labels(struct nd_mapping *nd_mapping); ++ ++int __reserve_free_pmem(struct device *dev, void *data); ++void release_free_pmem(struct nvdimm_bus *nvdimm_bus, ++ struct nd_mapping *nd_mapping); ++ ++resource_size_t nd_pmem_max_contiguous_dpa(struct nd_region *nd_region, ++ struct nd_mapping *nd_mapping); ++resource_size_t nd_region_allocatable_dpa(struct nd_region *nd_region); + resource_size_t nd_pmem_available_dpa(struct nd_region *nd_region, + struct nd_mapping *nd_mapping, resource_size_t *overlap); + resource_size_t nd_blk_available_dpa(struct nd_region *nd_region); +--- a/drivers/nvdimm/region_devs.c ++++ b/drivers/nvdimm/region_devs.c +@@ -389,6 +389,30 @@ resource_size_t nd_region_available_dpa( + return available; + } + ++resource_size_t nd_region_allocatable_dpa(struct nd_region *nd_region) ++{ ++ resource_size_t available = 0; ++ int i; ++ ++ if (is_memory(&nd_region->dev)) ++ available = PHYS_ADDR_MAX; ++ ++ WARN_ON(!is_nvdimm_bus_locked(&nd_region->dev)); ++ for (i = 0; i < nd_region->ndr_mappings; i++) { ++ struct nd_mapping *nd_mapping = &nd_region->mapping[i]; ++ ++ if (is_memory(&nd_region->dev)) ++ available = min(available, ++ nd_pmem_max_contiguous_dpa(nd_region, ++ nd_mapping)); ++ else if (is_nd_blk(&nd_region->dev)) ++ available += nd_blk_available_dpa(nd_region); ++ } ++ if (is_memory(&nd_region->dev)) ++ return available * nd_region->ndr_mappings; ++ return available; ++} ++ + static ssize_t available_size_show(struct device *dev, + struct device_attribute *attr, char *buf) + { diff --git a/queue-4.18/mm-dev_pagemap-do-not-clear-mapping-on-final-put.patch b/queue-4.18/mm-dev_pagemap-do-not-clear-mapping-on-final-put.patch new file mode 100644 index 00000000000..858a18e2256 --- /dev/null +++ b/queue-4.18/mm-dev_pagemap-do-not-clear-mapping-on-final-put.patch @@ -0,0 +1,58 @@ +From 2fa147bdbf672c53386a8f5f2c7fe358004c3ef8 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Fri, 13 Jul 2018 21:50:01 -0700 +Subject: mm, dev_pagemap: Do not clear ->mapping on final put +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Williams + +commit 2fa147bdbf672c53386a8f5f2c7fe358004c3ef8 upstream. + +MEMORY_DEVICE_FS_DAX relies on typical page semantics whereby ->mapping +is only ever cleared by truncation, not final put. + +Without this fix dax pages may forget their mapping association at the +end of every page pin event. + +Move this atypical behavior that HMM wants into the HMM ->page_free() +callback. + +Cc: +Cc: Jan Kara +Cc: Jérôme Glisse +Cc: Andrew Morton +Cc: Ross Zwisler +Fixes: d2c997c0f145 ("fs, dax: use page->mapping...") +Signed-off-by: Dan Williams +Acked-by: Jérôme Glisse +Signed-off-by: Dave Jiang +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/memremap.c | 1 - + mm/hmm.c | 2 ++ + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/memremap.c ++++ b/kernel/memremap.c +@@ -355,7 +355,6 @@ void __put_devmap_managed_page(struct pa + __ClearPageActive(page); + __ClearPageWaiters(page); + +- page->mapping = NULL; + mem_cgroup_uncharge(page); + + page->pgmap->page_free(page, page->pgmap->data); +--- a/mm/hmm.c ++++ b/mm/hmm.c +@@ -963,6 +963,8 @@ static void hmm_devmem_free(struct page + { + struct hmm_devmem *devmem = data; + ++ page->mapping = NULL; ++ + devmem->ops->free(devmem, page); + } + diff --git a/queue-4.18/mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch b/queue-4.18/mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch new file mode 100644 index 00000000000..4a4fe99f5b1 --- /dev/null +++ b/queue-4.18/mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch @@ -0,0 +1,52 @@ +From a6f572084fbee8b30f91465f4a085d7a90901c57 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 22 Aug 2018 17:30:14 +0200 +Subject: mm/tlb: Remove tlb_remove_table() non-concurrent condition + +From: Peter Zijlstra + +commit a6f572084fbee8b30f91465f4a085d7a90901c57 upstream. + +Will noted that only checking mm_users is incorrect; we should also +check mm_count in order to cover CPUs that have a lazy reference to +this mm (and could do speculative TLB operations). + +If removing this turns out to be a performance issue, we can +re-instate a more complete check, but in tlb_table_flush() eliding the +call_rcu_sched(). + +Fixes: 267239116987 ("mm, powerpc: move the RCU page-table freeing into generic code") +Reported-by: Will Deacon +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Rik van Riel +Acked-by: Will Deacon +Cc: Nicholas Piggin +Cc: David Miller +Cc: Martin Schwidefsky +Cc: Michael Ellerman +Cc: stable@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -391,15 +391,6 @@ void tlb_remove_table(struct mmu_gather + { + struct mmu_table_batch **batch = &tlb->batch; + +- /* +- * When there's less then two users of this mm there cannot be a +- * concurrent page-table walk. +- */ +- if (atomic_read(&tlb->mm->mm_users) < 2) { +- __tlb_remove_table(table); +- return; +- } +- + if (*batch == NULL) { + *batch = (struct mmu_table_batch *)__get_free_page(GFP_NOWAIT | __GFP_NOWARN); + if (*batch == NULL) { diff --git a/queue-4.18/perf-auxtrace-fix-queue-resize.patch b/queue-4.18/perf-auxtrace-fix-queue-resize.patch new file mode 100644 index 00000000000..1c9d54ea9a2 --- /dev/null +++ b/queue-4.18/perf-auxtrace-fix-queue-resize.patch @@ -0,0 +1,37 @@ +From 99cbbe56eb8bede625f410ab62ba34673ffa7d21 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 14 Aug 2018 11:46:08 +0300 +Subject: perf auxtrace: Fix queue resize + +From: Adrian Hunter + +commit 99cbbe56eb8bede625f410ab62ba34673ffa7d21 upstream. + +When the number of queues grows beyond 32, the array of queues is +resized but not all members were being copied. Fix by also copying +'tid', 'cpu' and 'set'. + +Signed-off-by: Adrian Hunter +Cc: Jiri Olsa +Cc: stable@vger.kernel.org +Fixes: e502789302a6e ("perf auxtrace: Add helpers for queuing AUX area tracing data") +Link: http://lkml.kernel.org/r/20180814084608.6563-1-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/auxtrace.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/tools/perf/util/auxtrace.c ++++ b/tools/perf/util/auxtrace.c +@@ -202,6 +202,9 @@ static int auxtrace_queues__grow(struct + for (i = 0; i < queues->nr_queues; i++) { + list_splice_tail(&queues->queue_array[i].head, + &queue_array[i].head); ++ queue_array[i].tid = queues->queue_array[i].tid; ++ queue_array[i].cpu = queues->queue_array[i].cpu; ++ queue_array[i].set = queues->queue_array[i].set; + queue_array[i].priv = queues->queue_array[i].priv; + } + diff --git a/queue-4.18/pwm-omap-dmtimer-return-eprobe_defer-if-no-dmtimer-platform-data.patch b/queue-4.18/pwm-omap-dmtimer-return-eprobe_defer-if-no-dmtimer-platform-data.patch new file mode 100644 index 00000000000..1a39ad165cc --- /dev/null +++ b/queue-4.18/pwm-omap-dmtimer-return-eprobe_defer-if-no-dmtimer-platform-data.patch @@ -0,0 +1,40 @@ +From 43725feb593127b16318b871e3a9bf89a96d66cb Mon Sep 17 00:00:00 2001 +From: David Rivshin +Date: Wed, 1 Aug 2018 10:17:29 -0400 +Subject: pwm: omap-dmtimer: Return -EPROBE_DEFER if no dmtimer platform data + +From: David Rivshin + +commit 43725feb593127b16318b871e3a9bf89a96d66cb upstream. + +If a pwm-omap-dmtimer is probed before the dmtimer it uses, the platform +data won't be set yet. + +Fixes: ac30751df953 ("ARM: OMAP: pdata-quirks: Remove unused timer pdata") +Cc: # 4.17+ +Signed-off-by: David Rivshin +Acked-by: Pavel Machek +Tested-by: Pavel Machek +Acked-by: Ladislav Michl +Tested-by: Andreas Kemnade +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pwm/pwm-omap-dmtimer.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/pwm/pwm-omap-dmtimer.c ++++ b/drivers/pwm/pwm-omap-dmtimer.c +@@ -264,8 +264,9 @@ static int pwm_omap_dmtimer_probe(struct + + timer_pdata = dev_get_platdata(&timer_pdev->dev); + if (!timer_pdata) { +- dev_err(&pdev->dev, "dmtimer pdata structure NULL\n"); +- ret = -EINVAL; ++ dev_dbg(&pdev->dev, ++ "dmtimer pdata structure NULL, deferring probe\n"); ++ ret = -EPROBE_DEFER; + goto put; + } + diff --git a/queue-4.18/pwm-tiehrpwm-don-t-use-emulation-mode-bits-to-control-pwm-output.patch b/queue-4.18/pwm-tiehrpwm-don-t-use-emulation-mode-bits-to-control-pwm-output.patch new file mode 100644 index 00000000000..be6c8290dc8 --- /dev/null +++ b/queue-4.18/pwm-tiehrpwm-don-t-use-emulation-mode-bits-to-control-pwm-output.patch @@ -0,0 +1,67 @@ +From aa49d628f6e016bcec8c6f8e704b9b18ee697329 Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Mon, 11 Jun 2018 11:39:55 +0530 +Subject: pwm: tiehrpwm: Don't use emulation mode bits to control PWM output + +From: Vignesh R + +commit aa49d628f6e016bcec8c6f8e704b9b18ee697329 upstream. + +As per AM335x TRM SPRUH73P "15.2.2.11 ePWM Behavior During Emulation", +TBCTL[15:14] only have effect during emulation suspend events (IOW, +to stop PWM when debugging using a debugger). These bits have no effect +on PWM output during normal running of system. Hence, remove code +accessing these bits as they have no role in enabling/disabling PWMs. + +Fixes: 19891b20e7c2 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM") +Cc: stable@vger.kernel.org +Signed-off-by: Vignesh R +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pwm/pwm-tiehrpwm.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +--- a/drivers/pwm/pwm-tiehrpwm.c ++++ b/drivers/pwm/pwm-tiehrpwm.c +@@ -33,10 +33,6 @@ + #define TBCTL 0x00 + #define TBPRD 0x0A + +-#define TBCTL_RUN_MASK (BIT(15) | BIT(14)) +-#define TBCTL_STOP_NEXT 0 +-#define TBCTL_STOP_ON_CYCLE BIT(14) +-#define TBCTL_FREE_RUN (BIT(15) | BIT(14)) + #define TBCTL_PRDLD_MASK BIT(3) + #define TBCTL_PRDLD_SHDW 0 + #define TBCTL_PRDLD_IMDT BIT(3) +@@ -360,7 +356,7 @@ static int ehrpwm_pwm_enable(struct pwm_ + /* Channels polarity can be configured from action qualifier module */ + configure_polarity(pc, pwm->hwpwm); + +- /* Enable TBCLK before enabling PWM device */ ++ /* Enable TBCLK */ + ret = clk_enable(pc->tbclk); + if (ret) { + dev_err(chip->dev, "Failed to enable TBCLK for %s: %d\n", +@@ -368,9 +364,6 @@ static int ehrpwm_pwm_enable(struct pwm_ + return ret; + } + +- /* Enable time counter for free_run */ +- ehrpwm_modify(pc->mmio_base, TBCTL, TBCTL_RUN_MASK, TBCTL_FREE_RUN); +- + return 0; + } + +@@ -400,9 +393,6 @@ static void ehrpwm_pwm_disable(struct pw + /* Disabling TBCLK on PWM disable */ + clk_disable(pc->tbclk); + +- /* Stop Time base counter */ +- ehrpwm_modify(pc->mmio_base, TBCTL, TBCTL_RUN_MASK, TBCTL_STOP_NEXT); +- + /* Disable clock on PWM disable */ + pm_runtime_put_sync(chip->dev); + } diff --git a/queue-4.18/pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch b/queue-4.18/pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch new file mode 100644 index 00000000000..4c4a2735950 --- /dev/null +++ b/queue-4.18/pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch @@ -0,0 +1,39 @@ +From 38dabd91ff0bde33352ca3cc65ef515599b77a05 Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Mon, 11 Jun 2018 11:39:56 +0530 +Subject: pwm: tiehrpwm: Fix disabling of output of PWMs + +From: Vignesh R + +commit 38dabd91ff0bde33352ca3cc65ef515599b77a05 upstream. + +pwm-tiehrpwm driver disables PWM output by putting it in low output +state via active AQCSFRC register in ehrpwm_pwm_disable(). But, the +AQCSFRC shadow register is not updated. Therefore, when shadow AQCSFRC +register is re-enabled in ehrpwm_pwm_enable() (say to enable second PWM +output), previous settings are lost as shadow register value is loaded +into active register. This results in things like PWMA getting enabled +automatically, when PWMB is enabled and vice versa. Fix this by +updating AQCSFRC shadow register as well during ehrpwm_pwm_disable(). + +Fixes: 19891b20e7c2 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM") +Cc: stable@vger.kernel.org +Signed-off-by: Vignesh R +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pwm/pwm-tiehrpwm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pwm/pwm-tiehrpwm.c ++++ b/drivers/pwm/pwm-tiehrpwm.c +@@ -381,6 +381,8 @@ static void ehrpwm_pwm_disable(struct pw + aqcsfrc_mask = AQCSFRC_CSFA_MASK; + } + ++ /* Update shadow register first before modifying active register */ ++ ehrpwm_modify(pc->mmio_base, AQCSFRC, aqcsfrc_mask, aqcsfrc_val); + /* + * Changes to immediate action on Action Qualifier. This puts + * Action Qualifier control on PWM output from next TBCLK diff --git a/queue-4.18/revert-ubifs-fix-potential-integer-overflow-in-allocation.patch b/queue-4.18/revert-ubifs-fix-potential-integer-overflow-in-allocation.patch new file mode 100644 index 00000000000..1339ce65786 --- /dev/null +++ b/queue-4.18/revert-ubifs-fix-potential-integer-overflow-in-allocation.patch @@ -0,0 +1,39 @@ +From 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Sun, 1 Jul 2018 23:20:50 +0200 +Subject: Revert "UBIFS: Fix potential integer overflow in allocation" + +From: Richard Weinberger + +commit 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 upstream. + +This reverts commit 353748a359f1821ee934afc579cf04572406b420. +It bypassed the linux-mtd review process and fixes the issue not as it +should. + +Cc: Kees Cook +Cc: Silvio Cesare +Cc: stable@vger.kernel.org +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/journal.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/ubifs/journal.c ++++ b/fs/ubifs/journal.c +@@ -1282,11 +1282,10 @@ static int truncate_data_node(const stru + int *new_len) + { + void *buf; +- int err, compr_type; +- u32 dlen, out_len, old_dlen; ++ int err, dlen, compr_type, out_len, old_dlen; + + out_len = le32_to_cpu(dn->size); +- buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS); ++ buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS); + if (!buf) + return -ENOMEM; + diff --git a/queue-4.18/series b/queue-4.18/series index 456d17a63d4..0cdee98ecf2 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -102,3 +102,44 @@ nfsv4-fix-locking-in-pnfs_generic_recover_commit_reqs.patch nfsv4-fix-a-sleep-in-atomic-context-in-nfs4_callback_sequence.patch arm-tegra-fix-tegra30-cardhu-pca954x-reset.patch arm-dts-am57xx-idk-enable-dual-role-for-usb2-port.patch +pwm-omap-dmtimer-return-eprobe_defer-if-no-dmtimer-platform-data.patch +mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch +iommu-ipmmu-vmsa-don-t-register-as-bus-iommu-if-machine-doesn-t-have-ipmmu-vmsa.patch +iommu-vt-d-add-definitions-for-pfsid.patch +iommu-vt-d-fix-dev-iotlb-pfsid-use.patch +sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch +userns-move-user-access-out-of-the-mutex.patch +ubifs-fix-memory-leak-in-lprobs-self-check.patch +revert-ubifs-fix-potential-integer-overflow-in-allocation.patch +ubifs-check-data-node-size-before-truncate.patch +ubifs-xattr-don-t-operate-on-deleted-inodes.patch +ubifs-fix-directory-size-calculation-for-symlinks.patch +ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch +pwm-tiehrpwm-don-t-use-emulation-mode-bits-to-control-pwm-output.patch +pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch +fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch +udlfb-fix-semaphore-value-leak.patch +udlfb-fix-display-corruption-of-the-last-line.patch +udlfb-don-t-switch-if-we-are-switching-to-the-same-videomode.patch +udlfb-set-optimal-write-delay.patch +udlfb-make-a-local-copy-of-fb_ops.patch +udlfb-handle-allocation-failure.patch +udlfb-set-line_length-in-dlfb_ops_set_par.patch +getxattr-use-correct-xattr-length.patch +libnvdimm-use-max-contiguous-area-for-namespace-size.patch +libnvdimm-fix-ars_status-output-length-calculation.patch +bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch +kconfig-fix-can-t-open-...-in-parallel-build.patch +cap_inode_getsecurity-use-d_find_any_alias-instead-of-d_find_alias.patch +mm-dev_pagemap-do-not-clear-mapping-on-final-put.patch +perf-auxtrace-fix-queue-resize.patch +crypto-vmx-fix-sleep-in-atomic-bugs.patch +crypto-aesni-use-unaligned-loads-from-gcm_context_data.patch +crypto-arm64-sm4-ce-check-for-the-right-cpu-feature-bit.patch +crypto-caam-fix-dma-mapping-direction-for-rsa-forms-2-3.patch +crypto-caam-jr-fix-descriptor-dma-unmapping.patch +crypto-caam-qi-fix-error-path-in-xts-setkey.patch +fs-quota-fix-spectre-gadget-in-do_quotactl.patch +udf-fix-mounting-of-win7-created-udf-filesystems.patch +cpuidle-menu-retain-tick-when-shallow-state-is-selected.patch +arm64-mm-always-enable-config_holes_in_zone.patch diff --git a/queue-4.18/sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch b/queue-4.18/sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch new file mode 100644 index 00000000000..d7c55e27f8d --- /dev/null +++ b/queue-4.18/sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch @@ -0,0 +1,453 @@ +From 42a0cc3478584d4d63f68f2f5af021ddbea771fa Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 25 Jun 2018 18:34:10 +0200 +Subject: sys: don't hold uts_sem while accessing userspace memory + +From: Jann Horn + +commit 42a0cc3478584d4d63f68f2f5af021ddbea771fa upstream. + +Holding uts_sem as a writer while accessing userspace memory allows a +namespace admin to stall all processes that attempt to take uts_sem. +Instead, move data through stack buffers and don't access userspace memory +while uts_sem is held. + +Cc: stable@vger.kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jann Horn +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/kernel/osf_sys.c | 51 +++++++++----------- + arch/sparc/kernel/sys_sparc_32.c | 22 +++++---- + arch/sparc/kernel/sys_sparc_64.c | 20 ++++---- + kernel/sys.c | 95 ++++++++++++++++++--------------------- + kernel/utsname_sysctl.c | 41 ++++++++++------ + 5 files changed, 119 insertions(+), 110 deletions(-) + +--- a/arch/alpha/kernel/osf_sys.c ++++ b/arch/alpha/kernel/osf_sys.c +@@ -530,24 +530,19 @@ SYSCALL_DEFINE4(osf_mount, unsigned long + SYSCALL_DEFINE1(osf_utsname, char __user *, name) + { + int error; ++ char tmp[5 * 32]; + + down_read(&uts_sem); +- error = -EFAULT; +- if (copy_to_user(name + 0, utsname()->sysname, 32)) +- goto out; +- if (copy_to_user(name + 32, utsname()->nodename, 32)) +- goto out; +- if (copy_to_user(name + 64, utsname()->release, 32)) +- goto out; +- if (copy_to_user(name + 96, utsname()->version, 32)) +- goto out; +- if (copy_to_user(name + 128, utsname()->machine, 32)) +- goto out; ++ memcpy(tmp + 0 * 32, utsname()->sysname, 32); ++ memcpy(tmp + 1 * 32, utsname()->nodename, 32); ++ memcpy(tmp + 2 * 32, utsname()->release, 32); ++ memcpy(tmp + 3 * 32, utsname()->version, 32); ++ memcpy(tmp + 4 * 32, utsname()->machine, 32); ++ up_read(&uts_sem); + +- error = 0; +- out: +- up_read(&uts_sem); +- return error; ++ if (copy_to_user(name, tmp, sizeof(tmp))) ++ return -EFAULT; ++ return 0; + } + + SYSCALL_DEFINE0(getpagesize) +@@ -567,18 +562,21 @@ SYSCALL_DEFINE2(osf_getdomainname, char + { + int len, err = 0; + char *kname; ++ char tmp[32]; + +- if (namelen > 32) ++ if (namelen < 0 || namelen > 32) + namelen = 32; + + down_read(&uts_sem); + kname = utsname()->domainname; + len = strnlen(kname, namelen); +- if (copy_to_user(name, kname, min(len + 1, namelen))) +- err = -EFAULT; ++ len = min(len + 1, namelen); ++ memcpy(tmp, kname, len); + up_read(&uts_sem); + +- return err; ++ if (copy_to_user(name, tmp, len)) ++ return -EFAULT; ++ return 0; + } + + /* +@@ -739,13 +737,14 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman + }; + unsigned long offset; + const char *res; +- long len, err = -EINVAL; ++ long len; ++ char tmp[__NEW_UTS_LEN + 1]; + + offset = command-1; + if (offset >= ARRAY_SIZE(sysinfo_table)) { + /* Digital UNIX has a few unpublished interfaces here */ + printk("sysinfo(%d)", command); +- goto out; ++ return -EINVAL; + } + + down_read(&uts_sem); +@@ -753,13 +752,11 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman + len = strlen(res)+1; + if ((unsigned long)len > (unsigned long)count) + len = count; +- if (copy_to_user(buf, res, len)) +- err = -EFAULT; +- else +- err = 0; ++ memcpy(tmp, res, len); + up_read(&uts_sem); +- out: +- return err; ++ if (copy_to_user(buf, tmp, len)) ++ return -EFAULT; ++ return 0; + } + + SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer, +--- a/arch/sparc/kernel/sys_sparc_32.c ++++ b/arch/sparc/kernel/sys_sparc_32.c +@@ -197,23 +197,27 @@ SYSCALL_DEFINE5(rt_sigaction, int, sig, + + SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len) + { +- int nlen, err; +- ++ int nlen, err; ++ char tmp[__NEW_UTS_LEN + 1]; ++ + if (len < 0) + return -EINVAL; + +- down_read(&uts_sem); +- ++ down_read(&uts_sem); ++ + nlen = strlen(utsname()->domainname) + 1; + err = -EINVAL; + if (nlen > len) +- goto out; ++ goto out_unlock; ++ memcpy(tmp, utsname()->domainname, nlen); ++ ++ up_read(&uts_sem); + +- err = -EFAULT; +- if (!copy_to_user(name, utsname()->domainname, nlen)) +- err = 0; ++ if (copy_to_user(name, tmp, nlen)) ++ return -EFAULT; ++ return 0; + +-out: ++out_unlock: + up_read(&uts_sem); + return err; + } +--- a/arch/sparc/kernel/sys_sparc_64.c ++++ b/arch/sparc/kernel/sys_sparc_64.c +@@ -519,23 +519,27 @@ asmlinkage void sparc_breakpoint(struct + + SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len) + { +- int nlen, err; ++ int nlen, err; ++ char tmp[__NEW_UTS_LEN + 1]; + + if (len < 0) + return -EINVAL; + +- down_read(&uts_sem); +- ++ down_read(&uts_sem); ++ + nlen = strlen(utsname()->domainname) + 1; + err = -EINVAL; + if (nlen > len) +- goto out; ++ goto out_unlock; ++ memcpy(tmp, utsname()->domainname, nlen); ++ ++ up_read(&uts_sem); + +- err = -EFAULT; +- if (!copy_to_user(name, utsname()->domainname, nlen)) +- err = 0; ++ if (copy_to_user(name, tmp, nlen)) ++ return -EFAULT; ++ return 0; + +-out: ++out_unlock: + up_read(&uts_sem); + return err; + } +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1237,18 +1237,19 @@ static int override_release(char __user + + SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name) + { +- int errno = 0; ++ struct new_utsname tmp; + + down_read(&uts_sem); +- if (copy_to_user(name, utsname(), sizeof *name)) +- errno = -EFAULT; ++ memcpy(&tmp, utsname(), sizeof(tmp)); + up_read(&uts_sem); ++ if (copy_to_user(name, &tmp, sizeof(tmp))) ++ return -EFAULT; + +- if (!errno && override_release(name->release, sizeof(name->release))) +- errno = -EFAULT; +- if (!errno && override_architecture(name)) +- errno = -EFAULT; +- return errno; ++ if (override_release(name->release, sizeof(name->release))) ++ return -EFAULT; ++ if (override_architecture(name)) ++ return -EFAULT; ++ return 0; + } + + #ifdef __ARCH_WANT_SYS_OLD_UNAME +@@ -1257,55 +1258,46 @@ SYSCALL_DEFINE1(newuname, struct new_uts + */ + SYSCALL_DEFINE1(uname, struct old_utsname __user *, name) + { +- int error = 0; ++ struct old_utsname tmp; + + if (!name) + return -EFAULT; + + down_read(&uts_sem); +- if (copy_to_user(name, utsname(), sizeof(*name))) +- error = -EFAULT; ++ memcpy(&tmp, utsname(), sizeof(tmp)); + up_read(&uts_sem); ++ if (copy_to_user(name, &tmp, sizeof(tmp))) ++ return -EFAULT; + +- if (!error && override_release(name->release, sizeof(name->release))) +- error = -EFAULT; +- if (!error && override_architecture(name)) +- error = -EFAULT; +- return error; ++ if (override_release(name->release, sizeof(name->release))) ++ return -EFAULT; ++ if (override_architecture(name)) ++ return -EFAULT; ++ return 0; + } + + SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) + { +- int error; ++ struct oldold_utsname tmp = {}; + + if (!name) + return -EFAULT; +- if (!access_ok(VERIFY_WRITE, name, sizeof(struct oldold_utsname))) +- return -EFAULT; + + down_read(&uts_sem); +- error = __copy_to_user(&name->sysname, &utsname()->sysname, +- __OLD_UTS_LEN); +- error |= __put_user(0, name->sysname + __OLD_UTS_LEN); +- error |= __copy_to_user(&name->nodename, &utsname()->nodename, +- __OLD_UTS_LEN); +- error |= __put_user(0, name->nodename + __OLD_UTS_LEN); +- error |= __copy_to_user(&name->release, &utsname()->release, +- __OLD_UTS_LEN); +- error |= __put_user(0, name->release + __OLD_UTS_LEN); +- error |= __copy_to_user(&name->version, &utsname()->version, +- __OLD_UTS_LEN); +- error |= __put_user(0, name->version + __OLD_UTS_LEN); +- error |= __copy_to_user(&name->machine, &utsname()->machine, +- __OLD_UTS_LEN); +- error |= __put_user(0, name->machine + __OLD_UTS_LEN); ++ memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN); ++ memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN); ++ memcpy(&tmp.release, &utsname()->release, __OLD_UTS_LEN); ++ memcpy(&tmp.version, &utsname()->version, __OLD_UTS_LEN); ++ memcpy(&tmp.machine, &utsname()->machine, __OLD_UTS_LEN); + up_read(&uts_sem); ++ if (copy_to_user(name, &tmp, sizeof(tmp))) ++ return -EFAULT; + +- if (!error && override_architecture(name)) +- error = -EFAULT; +- if (!error && override_release(name->release, sizeof(name->release))) +- error = -EFAULT; +- return error ? -EFAULT : 0; ++ if (override_architecture(name)) ++ return -EFAULT; ++ if (override_release(name->release, sizeof(name->release))) ++ return -EFAULT; ++ return 0; + } + #endif + +@@ -1319,17 +1311,18 @@ SYSCALL_DEFINE2(sethostname, char __user + + if (len < 0 || len > __NEW_UTS_LEN) + return -EINVAL; +- down_write(&uts_sem); + errno = -EFAULT; + if (!copy_from_user(tmp, name, len)) { +- struct new_utsname *u = utsname(); ++ struct new_utsname *u; + ++ down_write(&uts_sem); ++ u = utsname(); + memcpy(u->nodename, tmp, len); + memset(u->nodename + len, 0, sizeof(u->nodename) - len); + errno = 0; + uts_proc_notify(UTS_PROC_HOSTNAME); ++ up_write(&uts_sem); + } +- up_write(&uts_sem); + return errno; + } + +@@ -1337,8 +1330,9 @@ SYSCALL_DEFINE2(sethostname, char __user + + SYSCALL_DEFINE2(gethostname, char __user *, name, int, len) + { +- int i, errno; ++ int i; + struct new_utsname *u; ++ char tmp[__NEW_UTS_LEN + 1]; + + if (len < 0) + return -EINVAL; +@@ -1347,11 +1341,11 @@ SYSCALL_DEFINE2(gethostname, char __user + i = 1 + strlen(u->nodename); + if (i > len) + i = len; +- errno = 0; +- if (copy_to_user(name, u->nodename, i)) +- errno = -EFAULT; ++ memcpy(tmp, u->nodename, i); + up_read(&uts_sem); +- return errno; ++ if (copy_to_user(name, tmp, i)) ++ return -EFAULT; ++ return 0; + } + + #endif +@@ -1370,17 +1364,18 @@ SYSCALL_DEFINE2(setdomainname, char __us + if (len < 0 || len > __NEW_UTS_LEN) + return -EINVAL; + +- down_write(&uts_sem); + errno = -EFAULT; + if (!copy_from_user(tmp, name, len)) { +- struct new_utsname *u = utsname(); ++ struct new_utsname *u; + ++ down_write(&uts_sem); ++ u = utsname(); + memcpy(u->domainname, tmp, len); + memset(u->domainname + len, 0, sizeof(u->domainname) - len); + errno = 0; + uts_proc_notify(UTS_PROC_DOMAINNAME); ++ up_write(&uts_sem); + } +- up_write(&uts_sem); + return errno; + } + +--- a/kernel/utsname_sysctl.c ++++ b/kernel/utsname_sysctl.c +@@ -18,7 +18,7 @@ + + #ifdef CONFIG_PROC_SYSCTL + +-static void *get_uts(struct ctl_table *table, int write) ++static void *get_uts(struct ctl_table *table) + { + char *which = table->data; + struct uts_namespace *uts_ns; +@@ -26,21 +26,9 @@ static void *get_uts(struct ctl_table *t + uts_ns = current->nsproxy->uts_ns; + which = (which - (char *)&init_uts_ns) + (char *)uts_ns; + +- if (!write) +- down_read(&uts_sem); +- else +- down_write(&uts_sem); + return which; + } + +-static void put_uts(struct ctl_table *table, int write, void *which) +-{ +- if (!write) +- up_read(&uts_sem); +- else +- up_write(&uts_sem); +-} +- + /* + * Special case of dostring for the UTS structure. This has locks + * to observe. Should this be in kernel/sys.c ???? +@@ -50,13 +38,34 @@ static int proc_do_uts_string(struct ctl + { + struct ctl_table uts_table; + int r; ++ char tmp_data[__NEW_UTS_LEN + 1]; ++ + memcpy(&uts_table, table, sizeof(uts_table)); +- uts_table.data = get_uts(table, write); ++ uts_table.data = tmp_data; ++ ++ /* ++ * Buffer the value in tmp_data so that proc_dostring() can be called ++ * without holding any locks. ++ * We also need to read the original value in the write==1 case to ++ * support partial writes. ++ */ ++ down_read(&uts_sem); ++ memcpy(tmp_data, get_uts(table), sizeof(tmp_data)); ++ up_read(&uts_sem); + r = proc_dostring(&uts_table, write, buffer, lenp, ppos); +- put_uts(table, write, uts_table.data); + +- if (write) ++ if (write) { ++ /* ++ * Write back the new value. ++ * Note that, since we dropped uts_sem, the result can ++ * theoretically be incorrect if there are two parallel writes ++ * at non-zero offsets to the same sysctl. ++ */ ++ down_write(&uts_sem); ++ memcpy(get_uts(table), tmp_data, sizeof(tmp_data)); ++ up_write(&uts_sem); + proc_sys_poll_notify(table->poll); ++ } + + return r; + } diff --git a/queue-4.18/ubifs-check-data-node-size-before-truncate.patch b/queue-4.18/ubifs-check-data-node-size-before-truncate.patch new file mode 100644 index 00000000000..b8ac561493b --- /dev/null +++ b/queue-4.18/ubifs-check-data-node-size-before-truncate.patch @@ -0,0 +1,46 @@ +From 95a22d2084d72ea067d8323cc85677dba5d97cae Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Sun, 1 Jul 2018 23:20:51 +0200 +Subject: ubifs: Check data node size before truncate + +From: Richard Weinberger + +commit 95a22d2084d72ea067d8323cc85677dba5d97cae upstream. + +Check whether the size is within bounds before using it. +If the size is not correct, abort and dump the bad data node. + +Cc: Kees Cook +Cc: Silvio Cesare +Cc: stable@vger.kernel.org +Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") +Reported-by: Silvio Cesare +Signed-off-by: Richard Weinberger +Reviewed-by: Kees Cook +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/journal.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/ubifs/journal.c ++++ b/fs/ubifs/journal.c +@@ -1387,7 +1387,16 @@ int ubifs_jnl_truncate(struct ubifs_info + else if (err) + goto out_free; + else { +- if (le32_to_cpu(dn->size) <= dlen) ++ int dn_len = le32_to_cpu(dn->size); ++ ++ if (dn_len <= 0 || dn_len > UBIFS_BLOCK_SIZE) { ++ ubifs_err(c, "bad data node (block %u, inode %lu)", ++ blk, inode->i_ino); ++ ubifs_dump_node(c, dn); ++ goto out_free; ++ } ++ ++ if (dn_len <= dlen) + dlen = 0; /* Nothing to do */ + else { + err = truncate_data_node(c, inode, blk, dn, &dlen); diff --git a/queue-4.18/ubifs-fix-directory-size-calculation-for-symlinks.patch b/queue-4.18/ubifs-fix-directory-size-calculation-for-symlinks.patch new file mode 100644 index 00000000000..0cb933d4192 --- /dev/null +++ b/queue-4.18/ubifs-fix-directory-size-calculation-for-symlinks.patch @@ -0,0 +1,41 @@ +From 00ee8b60102862f4daf0814d12a2ea2744fc0b9b Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Mon, 11 Jun 2018 23:41:09 +0200 +Subject: ubifs: Fix directory size calculation for symlinks + +From: Richard Weinberger + +commit 00ee8b60102862f4daf0814d12a2ea2744fc0b9b upstream. + +We have to account the name of the symlink and not the target length. + +Fixes: ca7f85be8d6c ("ubifs: Add support for encrypted symlinks") +Cc: +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/dir.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/ubifs/dir.c ++++ b/fs/ubifs/dir.c +@@ -1123,8 +1123,7 @@ static int ubifs_symlink(struct inode *d + struct ubifs_inode *ui; + struct ubifs_inode *dir_ui = ubifs_inode(dir); + struct ubifs_info *c = dir->i_sb->s_fs_info; +- int err, len = strlen(symname); +- int sz_change = CALC_DENT_SIZE(len); ++ int err, sz_change, len = strlen(symname); + struct fscrypt_str disk_link; + struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1, + .new_ino_d = ALIGN(len, 8), +@@ -1151,6 +1150,8 @@ static int ubifs_symlink(struct inode *d + if (err) + goto out_budg; + ++ sz_change = CALC_DENT_SIZE(fname_len(&nm)); ++ + inode = ubifs_new_inode(c, dir, S_IFLNK | S_IRWXUGO); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); diff --git a/queue-4.18/ubifs-fix-memory-leak-in-lprobs-self-check.patch b/queue-4.18/ubifs-fix-memory-leak-in-lprobs-self-check.patch new file mode 100644 index 00000000000..8ec6bdd62ee --- /dev/null +++ b/queue-4.18/ubifs-fix-memory-leak-in-lprobs-self-check.patch @@ -0,0 +1,45 @@ +From eef19816ada3abd56d9f20c88794cc2fea83ebb2 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 12 Jun 2018 20:49:45 +0200 +Subject: ubifs: Fix memory leak in lprobs self-check + +From: Richard Weinberger + +commit eef19816ada3abd56d9f20c88794cc2fea83ebb2 upstream. + +Allocate the buffer after we return early. +Otherwise memory is being leaked. + +Cc: +Fixes: 1e51764a3c2a ("UBIFS: add new flash file system") +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/lprops.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/ubifs/lprops.c ++++ b/fs/ubifs/lprops.c +@@ -1089,10 +1089,6 @@ static int scan_check_cb(struct ubifs_in + } + } + +- buf = __vmalloc(c->leb_size, GFP_NOFS, PAGE_KERNEL); +- if (!buf) +- return -ENOMEM; +- + /* + * After an unclean unmount, empty and freeable LEBs + * may contain garbage - do not scan them. +@@ -1111,6 +1107,10 @@ static int scan_check_cb(struct ubifs_in + return LPT_SCAN_CONTINUE; + } + ++ buf = __vmalloc(c->leb_size, GFP_NOFS, PAGE_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ + sleb = ubifs_scan(c, lnum, 0, buf, 0); + if (IS_ERR(sleb)) { + ret = PTR_ERR(sleb); diff --git a/queue-4.18/ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch b/queue-4.18/ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch new file mode 100644 index 00000000000..e079dd78749 --- /dev/null +++ b/queue-4.18/ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch @@ -0,0 +1,41 @@ +From 59965593205fa4044850d35ee3557cf0b7edcd14 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 12 Jun 2018 00:52:28 +0200 +Subject: ubifs: Fix synced_i_size calculation for xattr inodes + +From: Richard Weinberger + +commit 59965593205fa4044850d35ee3557cf0b7edcd14 upstream. + +In ubifs_jnl_update() we sync parent and child inodes to the flash, +in case of xattrs, the parent inode (AKA host inode) has a non-zero +data_len. Therefore we need to adjust synced_i_size too. + +This issue was reported by ubifs self tests unter a xattr related work +load. +UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: ui_size is 4, synced_i_size is 0, but inode is clean +UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: i_ino 65, i_mode 0x81a4, i_size 4 + +Cc: +Fixes: 1e51764a3c2a ("UBIFS: add new flash file system") +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/journal.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/ubifs/journal.c ++++ b/fs/ubifs/journal.c +@@ -664,6 +664,11 @@ int ubifs_jnl_update(struct ubifs_info * + spin_lock(&ui->ui_lock); + ui->synced_i_size = ui->ui_size; + spin_unlock(&ui->ui_lock); ++ if (xent) { ++ spin_lock(&host_ui->ui_lock); ++ host_ui->synced_i_size = host_ui->ui_size; ++ spin_unlock(&host_ui->ui_lock); ++ } + mark_inode_clean(c, ui); + mark_inode_clean(c, host_ui); + return 0; diff --git a/queue-4.18/ubifs-xattr-don-t-operate-on-deleted-inodes.patch b/queue-4.18/ubifs-xattr-don-t-operate-on-deleted-inodes.patch new file mode 100644 index 00000000000..368ef1c976f --- /dev/null +++ b/queue-4.18/ubifs-xattr-don-t-operate-on-deleted-inodes.patch @@ -0,0 +1,98 @@ +From 11a6fc3dc743e22fb50f2196ec55bee5140d3c52 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Sun, 8 Jul 2018 23:33:25 +0200 +Subject: ubifs: xattr: Don't operate on deleted inodes + +From: Richard Weinberger + +commit 11a6fc3dc743e22fb50f2196ec55bee5140d3c52 upstream. + +xattr operations can race with unlink and the following assert triggers: +UBIFS assert failed in ubifs_jnl_change_xattr at 1606 (pid 6256) + +Fix this by checking i_nlink before working on the host inode. + +Cc: +Fixes: 1e51764a3c2a ("UBIFS: add new flash file system") +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/xattr.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/fs/ubifs/xattr.c ++++ b/fs/ubifs/xattr.c +@@ -152,6 +152,12 @@ static int create_xattr(struct ubifs_inf + ui->data_len = size; + + mutex_lock(&host_ui->ui_mutex); ++ ++ if (!host->i_nlink) { ++ err = -ENOENT; ++ goto out_noent; ++ } ++ + host->i_ctime = current_time(host); + host_ui->xattr_cnt += 1; + host_ui->xattr_size += CALC_DENT_SIZE(fname_len(nm)); +@@ -184,6 +190,7 @@ out_cancel: + host_ui->xattr_size -= CALC_XATTR_BYTES(size); + host_ui->xattr_names -= fname_len(nm); + host_ui->flags &= ~UBIFS_CRYPT_FL; ++out_noent: + mutex_unlock(&host_ui->ui_mutex); + out_free: + make_bad_inode(inode); +@@ -235,6 +242,12 @@ static int change_xattr(struct ubifs_inf + mutex_unlock(&ui->ui_mutex); + + mutex_lock(&host_ui->ui_mutex); ++ ++ if (!host->i_nlink) { ++ err = -ENOENT; ++ goto out_noent; ++ } ++ + host->i_ctime = current_time(host); + host_ui->xattr_size -= CALC_XATTR_BYTES(old_size); + host_ui->xattr_size += CALC_XATTR_BYTES(size); +@@ -256,6 +269,7 @@ static int change_xattr(struct ubifs_inf + out_cancel: + host_ui->xattr_size -= CALC_XATTR_BYTES(size); + host_ui->xattr_size += CALC_XATTR_BYTES(old_size); ++out_noent: + mutex_unlock(&host_ui->ui_mutex); + make_bad_inode(inode); + out_free: +@@ -482,6 +496,12 @@ static int remove_xattr(struct ubifs_inf + return err; + + mutex_lock(&host_ui->ui_mutex); ++ ++ if (!host->i_nlink) { ++ err = -ENOENT; ++ goto out_noent; ++ } ++ + host->i_ctime = current_time(host); + host_ui->xattr_cnt -= 1; + host_ui->xattr_size -= CALC_DENT_SIZE(fname_len(nm)); +@@ -501,6 +521,7 @@ out_cancel: + host_ui->xattr_size += CALC_DENT_SIZE(fname_len(nm)); + host_ui->xattr_size += CALC_XATTR_BYTES(ui->data_len); + host_ui->xattr_names += fname_len(nm); ++out_noent: + mutex_unlock(&host_ui->ui_mutex); + ubifs_release_budget(c, &req); + make_bad_inode(inode); +@@ -540,6 +561,9 @@ static int ubifs_xattr_remove(struct ino + + ubifs_assert(inode_is_locked(host)); + ++ if (!host->i_nlink) ++ return -ENOENT; ++ + if (fname_len(&nm) > UBIFS_MAX_NLEN) + return -ENAMETOOLONG; + diff --git a/queue-4.18/udf-fix-mounting-of-win7-created-udf-filesystems.patch b/queue-4.18/udf-fix-mounting-of-win7-created-udf-filesystems.patch new file mode 100644 index 00000000000..f382c074cee --- /dev/null +++ b/queue-4.18/udf-fix-mounting-of-win7-created-udf-filesystems.patch @@ -0,0 +1,111 @@ +From ee4af50ca94f58afc3532662779b9cf80bbe27c8 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 21 Aug 2018 14:52:34 +0200 +Subject: udf: Fix mounting of Win7 created UDF filesystems + +From: Jan Kara + +commit ee4af50ca94f58afc3532662779b9cf80bbe27c8 upstream. + +Win7 is creating UDF filesystems with single partition with number 8192. +Current partition descriptor scanning code does not handle this well as +it incorrectly assumes that partition numbers will form mostly contiguous +space of small numbers. This results in unmountable media due to errors +like: + +UDF-fs: error (device dm-1): udf_read_tagged: tag version 0x0000 != 0x0002 || 0x0003, block 0 +UDF-fs: warning (device dm-1): udf_fill_super: No fileset found + +Fix the problem by handling partition descriptors in a way that sparse +partition numbering does not matter. + +Reported-and-tested-by: jean-luc malet +CC: stable@vger.kernel.org +Fixes: 7b78fd02fb19530fd101ae137a1f46aa466d9bb6 +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/super.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -1570,10 +1570,16 @@ static void udf_load_logicalvolint(struc + */ + #define PART_DESC_ALLOC_STEP 32 + ++struct part_desc_seq_scan_data { ++ struct udf_vds_record rec; ++ u32 partnum; ++}; ++ + struct desc_seq_scan_data { + struct udf_vds_record vds[VDS_POS_LENGTH]; + unsigned int size_part_descs; +- struct udf_vds_record *part_descs_loc; ++ unsigned int num_part_descs; ++ struct part_desc_seq_scan_data *part_descs_loc; + }; + + static struct udf_vds_record *handle_partition_descriptor( +@@ -1582,10 +1588,14 @@ static struct udf_vds_record *handle_par + { + struct partitionDesc *desc = (struct partitionDesc *)bh->b_data; + int partnum; ++ int i; + + partnum = le16_to_cpu(desc->partitionNumber); +- if (partnum >= data->size_part_descs) { +- struct udf_vds_record *new_loc; ++ for (i = 0; i < data->num_part_descs; i++) ++ if (partnum == data->part_descs_loc[i].partnum) ++ return &(data->part_descs_loc[i].rec); ++ if (data->num_part_descs >= data->size_part_descs) { ++ struct part_desc_seq_scan_data *new_loc; + unsigned int new_size = ALIGN(partnum, PART_DESC_ALLOC_STEP); + + new_loc = kcalloc(new_size, sizeof(*new_loc), GFP_KERNEL); +@@ -1597,7 +1607,7 @@ static struct udf_vds_record *handle_par + data->part_descs_loc = new_loc; + data->size_part_descs = new_size; + } +- return &(data->part_descs_loc[partnum]); ++ return &(data->part_descs_loc[data->num_part_descs++].rec); + } + + +@@ -1647,6 +1657,7 @@ static noinline int udf_process_sequence + + memset(data.vds, 0, sizeof(struct udf_vds_record) * VDS_POS_LENGTH); + data.size_part_descs = PART_DESC_ALLOC_STEP; ++ data.num_part_descs = 0; + data.part_descs_loc = kcalloc(data.size_part_descs, + sizeof(*data.part_descs_loc), + GFP_KERNEL); +@@ -1658,7 +1669,6 @@ static noinline int udf_process_sequence + * are in it. + */ + for (; (!done && block <= lastblock); block++) { +- + bh = udf_read_tagged(sb, block, block, &ident); + if (!bh) + break; +@@ -1730,13 +1740,10 @@ static noinline int udf_process_sequence + } + + /* Now handle prevailing Partition Descriptors */ +- for (i = 0; i < data.size_part_descs; i++) { +- if (data.part_descs_loc[i].block) { +- ret = udf_load_partdesc(sb, +- data.part_descs_loc[i].block); +- if (ret < 0) +- return ret; +- } ++ for (i = 0; i < data.num_part_descs; i++) { ++ ret = udf_load_partdesc(sb, data.part_descs_loc[i].rec.block); ++ if (ret < 0) ++ return ret; + } + + return 0; diff --git a/queue-4.18/udlfb-don-t-switch-if-we-are-switching-to-the-same-videomode.patch b/queue-4.18/udlfb-don-t-switch-if-we-are-switching-to-the-same-videomode.patch new file mode 100644 index 00000000000..e88d80aa936 --- /dev/null +++ b/queue-4.18/udlfb-don-t-switch-if-we-are-switching-to-the-same-videomode.patch @@ -0,0 +1,76 @@ +From 564f1807379298dfdb12ed0d5b25fcb89c238527 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 25 Jul 2018 15:41:55 +0200 +Subject: udlfb: don't switch if we are switching to the same videomode + +From: Mikulas Patocka + +commit 564f1807379298dfdb12ed0d5b25fcb89c238527 upstream. + +The udlfb driver reprograms the hardware everytime the user switches the +console, that makes quite unusable when working on the console. + +This patch makes the driver remember the videomode we are in and avoid +reprogramming the hardware if we switch to the same videomode. + +We mask the "activate" field and the "FB_VMODE_SMOOTH_XPAN" flag when +comparing the videomode, because they cause spurious switches when +switching to and from the Xserver. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/udlfb.c | 18 ++++++++++++++++-- + include/video/udlfb.h | 1 + + 2 files changed, 17 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/udlfb.c ++++ b/drivers/video/fbdev/udlfb.c +@@ -1041,10 +1041,24 @@ static int dlfb_ops_set_par(struct fb_in + int result; + u16 *pix_framebuffer; + int i; ++ struct fb_var_screeninfo fvs; ++ ++ /* clear the activate field because it causes spurious miscompares */ ++ fvs = info->var; ++ fvs.activate = 0; ++ fvs.vmode &= ~FB_VMODE_SMOOTH_XPAN; ++ ++ if (!memcmp(&dlfb->current_mode, &fvs, sizeof(struct fb_var_screeninfo))) ++ return 0; + + result = dlfb_set_video_mode(dlfb, &info->var); + +- if ((result == 0) && (dlfb->fb_count == 0)) { ++ if (result) ++ return result; ++ ++ dlfb->current_mode = fvs; ++ ++ if (dlfb->fb_count == 0) { + + /* paint greenscreen */ + +@@ -1056,7 +1070,7 @@ static int dlfb_ops_set_par(struct fb_in + info->screen_base); + } + +- return result; ++ return 0; + } + + /* To fonzi the jukebox (e.g. make blanking changes take effect) */ +--- a/include/video/udlfb.h ++++ b/include/video/udlfb.h +@@ -56,6 +56,7 @@ struct dlfb_data { + atomic_t bytes_identical; /* saved effort with backbuffer comparison */ + atomic_t bytes_sent; /* to usb, after compression including overhead */ + atomic_t cpu_kcycles_used; /* transpired during pixel processing */ ++ struct fb_var_screeninfo current_mode; + }; + + #define NR_USB_REQUEST_I2C_SUB_IO 0x02 diff --git a/queue-4.18/udlfb-fix-display-corruption-of-the-last-line.patch b/queue-4.18/udlfb-fix-display-corruption-of-the-last-line.patch new file mode 100644 index 00000000000..1d4db534c82 --- /dev/null +++ b/queue-4.18/udlfb-fix-display-corruption-of-the-last-line.patch @@ -0,0 +1,112 @@ +From 4e705e17ce3409a1f492cfd5dadcf6a4f6075842 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 25 Jul 2018 15:41:54 +0200 +Subject: udlfb: fix display corruption of the last line + +From: Mikulas Patocka + +commit 4e705e17ce3409a1f492cfd5dadcf6a4f6075842 upstream. + +The displaylink hardware has such a peculiarity that it doesn't render a +command until next command is received. This produces occasional +corruption, such as when setting 22x11 font on the console, only the first +line of the cursor will be blinking if the cursor is located at some +specific columns. + +When we end up with a repeating pixel, the driver has a bug that it leaves +one uninitialized byte after the command (and this byte is enough to flush +the command and render it - thus it fixes the screen corruption), however +whe we end up with a non-repeating pixel, there is no byte appended and +this results in temporary screen corruption. + +This patch fixes the screen corruption by always appending a byte 0xAF at +the end of URB. It also removes the uninitialized byte. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/udlfb.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +--- a/drivers/video/fbdev/udlfb.c ++++ b/drivers/video/fbdev/udlfb.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + #include