From: Greg Kroah-Hartman Date: Wed, 11 Dec 2019 14:28:51 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.4.3~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1a385c994b76a1869438d429e3b942a7668456ad;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: binder-fix-race-between-mmap-and-binder_alloc_print_pages.patch binder-handle-start-null-in-binder_update_page_range.patch binder-prevent-repeated-use-of-mmap-via-null-mapping.patch iomap-fix-pipe-page-leakage-during-splicing.patch revert-serial-8250-add-support-for-ni-serial-pxi-pxie-485-devices.patch thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch vcs-prevent-write-access-to-vcsu-devices.patch
---
diff --git a/queue-5.4/binder-fix-race-between-mmap-and-binder_alloc_print_pages.patch b/queue-5.4/binder-fix-race-between-mmap-and-binder_alloc_print_pages.patch
new file mode 100644
index 00000000000..589007a8ff9
--- /dev/null
+++ b/queue-5.4/binder-fix-race-between-mmap-and-binder_alloc_print_pages.patch
@@ -0,0 +1,63 @@
+From 8eb52a1ee37aafd9b796713aa0b3ab9cbc455be3 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Fri, 18 Oct 2019 22:56:29 +0200
+Subject: binder: Fix race between mmap() and binder_alloc_print_pages()
+
+From: Jann Horn
+
+commit 8eb52a1ee37aafd9b796713aa0b3ab9cbc455be3 upstream.
+
+binder_alloc_print_pages() iterates over
+alloc->pages[0..alloc->buffer_size-1] under alloc->mutex.
+binder_alloc_mmap_handler() writes alloc->pages and alloc->buffer_size
+without holding that lock, and even writes them before the last bailout
+point.
+
+Unfortunately we can't take the alloc->mutex in the ->mmap() handler
+because mmap_sem can be taken while alloc->mutex is held.
+So instead, we have to locklessly check whether the binder_alloc has been
+fully initialized with binder_alloc_get_vma(), like in
+binder_alloc_new_buf_locked().
+
+Fixes: 8ef4665aa129 ("android: binder: Add page usage in binder stats")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn
+Acked-by: Christian Brauner
+Link: https://lore.kernel.org/r/20191018205631.248274-1-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder_alloc.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -841,14 +841,20 @@ void binder_alloc_print_pages(struct seq
+ int free = 0;
+
+ mutex_lock(&alloc->mutex);
+- for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
+- page = &alloc->pages[i];
+- if (!page->page_ptr)
+- free++;
+- else if (list_empty(&page->lru))
+- active++;
+- else
+- lru++;
++ /*
++ * Make sure the binder_alloc is fully initialized, otherwise we might
++ * read inconsistent state.
++ */
++ if (binder_alloc_get_vma(alloc) != NULL) {
++ for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
++ page = &alloc->pages[i];
++ if (!page->page_ptr)
++ free++;
++ else if (list_empty(&page->lru))
++ active++;
++ else
++ lru++;
++ }
+ }
+ mutex_unlock(&alloc->mutex);
+ seq_printf(m, " pages: %d:%d:%d\n", active, lru, free);
diff --git a/queue-5.4/binder-handle-start-null-in-binder_update_page_range.patch b/queue-5.4/binder-handle-start-null-in-binder_update_page_range.patch
new file mode 100644
index 00000000000..d9cfb8096d6
--- /dev/null
+++ b/queue-5.4/binder-handle-start-null-in-binder_update_page_range.patch
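Review bot: The new comment in binder_alloc_print_pages() says only that the state might be inconsistent; it does not say why holding `alloc->mutex` is insufficient or why the vma test is the right substitute. Per the commit message, binder_alloc_mmap_handler() writes `alloc->pages` and `alloc->buffer_size` without that mutex, so the loop is safe only if the vma pointer becomes non-NULL after both fields are final; that ordering lives outside this hunk and should be confirmed where the vma is stored. I would extend the comment to something like `mmap writes pages/buffer_size without alloc->mutex; a non-NULL vma is the only signal that both are final`.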
@@ -0,0 +1,65 @@
+From 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Fri, 18 Oct 2019 22:56:31 +0200
+Subject: binder: Handle start==NULL in binder_update_page_range()
+
+From: Jann Horn
+
+commit 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 upstream.
+
+The old loop wouldn't stop when reaching `start` if `start==NULL`, instead
+continuing backwards to index -1 and crashing.
+
+Luckily you need to be highly privileged to map things at NULL, so it's not
+a big problem.
+
+Fix it by adjusting the loop so that the loop variable is always in bounds.
+
+This patch is deliberately minimal to simplify backporting, but IMO this
+function could use a refactor. The jump labels in the second loop body are
+horrible (the error gotos should be jumping to free_range instead), and
+both loops would look nicer if they just iterated upwards through indices.
+And the up_read()+mmput() shouldn't be duplicated like that.
+
+Cc: stable@vger.kernel.org
+Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
+Signed-off-by: Jann Horn
+Acked-by: Christian Brauner
+Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder_alloc.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -277,8 +277,7 @@ static int binder_update_page_range(stru
+ return 0;
+
+ free_range:
+- for (page_addr = end - PAGE_SIZE; page_addr >= start;
+- page_addr -= PAGE_SIZE) {
++ for (page_addr = end - PAGE_SIZE; 1; page_addr -= PAGE_SIZE) {
+ bool ret;
+ size_t index;
+
+@@ -291,6 +290,8 @@ free_range:
+ WARN_ON(!ret);
+
+ trace_binder_free_lru_end(alloc, index);
++ if (page_addr == start)
++ break;
+ continue;
+
+ err_vm_insert_page_failed:
+@@ -298,7 +299,8 @@ err_vm_insert_page_failed:
+ page->page_ptr = NULL;
+ err_alloc_page_failed:
+ err_page_ptr_cleared:
+- ;
++ if (page_addr == start)
++ break;
+ }
+ err_no_vma:
+ if (mm) {
diff --git a/queue-5.4/binder-prevent-repeated-use-of-mmap-via-null-mapping.patch b/queue-5.4/binder-prevent-repeated-use-of-mmap-via-null-mapping.patch
new file mode 100644
index 00000000000..330d9838ee0
--- /dev/null
+++ b/queue-5.4/binder-prevent-repeated-use-of-mmap-via-null-mapping.patch
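Review bot: Both rewritten exits of the free_range loop test `page_addr == start`, so the loop now terminates only if `end - PAGE_SIZE` reaches `start` exactly in PAGE_SIZE steps; with `start >= end` or an unaligned bound it would keep walking downwards. The function presumably rejects such ranges before this point, but that code is outside the hunk, so the precondition deserves a line at the loop head, e.g. `/* requires start < end, both page aligned; the exit test is at the bottom so page_addr never goes below start */`. The same break is duplicated after `trace_binder_free_lru_end()` and at `err_page_ptr_cleared:`, and the comment should say that any new path to the end of the loop body has to repeat it.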
@@ -0,0 +1,72 @@
+From a7a74d7ff55a0c657bc46238b050460b9eacea95 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Fri, 18 Oct 2019 22:56:30 +0200
+Subject: binder: Prevent repeated use of ->mmap() via NULL mapping
+
+From: Jann Horn
+
+commit a7a74d7ff55a0c657bc46238b050460b9eacea95 upstream.
+
+binder_alloc_mmap_handler() attempts to detect the use of ->mmap() on a
+binder_proc whose binder_alloc has already been initialized by checking
+whether alloc->buffer is non-zero.
+
+Before commit 880211667b20 ("binder: remove kernel vm_area for buffer
+space"), alloc->buffer was a kernel mapping address, which is always
+non-zero, but since that commit, it is a userspace mapping address.
+
+A sufficiently privileged user can map /dev/binder at NULL, tricking
+binder_alloc_mmap_handler() into assuming that the binder_proc has not been
+mapped yet. This leads to memory unsafety.
+Luckily, no context on Android has such privileges, and on a typical Linux
+desktop system, you need to be root to do that.
+
+Fix it by using the mapping size instead of the mapping address to
+distinguish the mapped case. A valid VMA can't have size zero.
+
+Fixes: 880211667b20 ("binder: remove kernel vm_area for buffer space")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn
+Acked-by: Christian Brauner
+Link: https://lore.kernel.org/r/20191018205631.248274-2-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder_alloc.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -681,17 +681,17 @@ int binder_alloc_mmap_handler(struct bin
+ struct binder_buffer *buffer;
+
+ mutex_lock(&binder_alloc_mmap_lock);
+- if (alloc->buffer) {
++ if (alloc->buffer_size) {
+ ret = -EBUSY;
+ failure_string = "already mapped";
+ goto err_already_mapped;
+ }
++ alloc->buffer_size = min_t(unsigned long, vma->vm_end - vma->vm_start,
++ SZ_4M);
++ mutex_unlock(&binder_alloc_mmap_lock);
+
+ alloc->buffer = (void __user *)vma->vm_start;
+- mutex_unlock(&binder_alloc_mmap_lock);
+
+- alloc->buffer_size = min_t(unsigned long, vma->vm_end - vma->vm_start,
+- SZ_4M);
+ alloc->pages = kcalloc(alloc->buffer_size / PAGE_SIZE,
+ sizeof(alloc->pages[0]),
+ GFP_KERNEL);
+@@ -722,8 +722,9 @@ err_alloc_buf_struct_failed:
+ kfree(alloc->pages);
+ alloc->pages = NULL;
+ err_alloc_pages_failed:
+- mutex_lock(&binder_alloc_mmap_lock);
+ alloc->buffer = NULL;
++ mutex_lock(&binder_alloc_mmap_lock);
++ alloc->buffer_size = 0;
+ err_already_mapped:
+ mutex_unlock(&binder_alloc_mmap_lock);
+ binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
diff --git a/queue-5.4/iomap-fix-pipe-page-leakage-during-splicing.patch b/queue-5.4/iomap-fix-pipe-page-leakage-during-splicing.patch
new file mode 100644
index 00000000000..6bb24bc3887
--- /dev/null
+++ b/queue-5.4/iomap-fix-pipe-page-leakage-during-splicing.patch
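Review bot: After this change `alloc->buffer_size` doubles as the "already mapped" marker in binder_alloc_mmap_handler(), but no comment says so, and the ordering on the error path depends on it. `alloc->buffer` is now set and cleared outside `binder_alloc_mmap_lock`, which is safe only because a non-zero `buffer_size` keeps every other mmap() caller out until `alloc->buffer_size = 0` runs under the lock at `err_alloc_pages_failed`. A short comment at the check, such as `/* buffer_size != 0 claims the alloc; it is set first and cleared last, both under binder_alloc_mmap_lock */`, would stop a later cleanup from reordering those stores. Code that reads `buffer_size` under a different lock can now see it non-zero before `alloc->pages` is allocated, so such readers need their own "fully initialised" test.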
@@ -0,0 +1,52 @@
+From 419e9c38aa075ed0cd3c13d47e15954b686bcdb6 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 21 Nov 2019 16:14:38 -0800
+Subject: iomap: Fix pipe page leakage during splicing
+
+From: Jan Kara
+
+commit 419e9c38aa075ed0cd3c13d47e15954b686bcdb6 upstream.
+
+When splicing using iomap_dio_rw() to a pipe, we may leak pipe pages
+because bio_iov_iter_get_pages() records that the pipe will have full
+extent worth of data however if file size is not block size aligned
+iomap_dio_rw() returns less than what bio_iov_iter_get_pages() set up
+and splice code gets confused leaking a pipe page with the file tail.
+
+Handle the situation similarly to the old direct IO implementation and
+revert iter to actually returned read amount which makes iter consistent
+with value returned from iomap_dio_rw() and thus the splice code is
+happy.
+
+Fixes: ff6a9292e6f6 ("iomap: implement direct I/O")
+CC: stable@vger.kernel.org
+Reported-by: syzbot+991400e8eba7e00a26e1@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/iomap/direct-io.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/iomap/direct-io.c
++++ b/fs/iomap/direct-io.c
+@@ -497,8 +497,15 @@ iomap_dio_rw(struct kiocb *iocb, struct
+ }
+ pos += ret;
+
+- if (iov_iter_rw(iter) == READ && pos >= dio->i_size)
++ if (iov_iter_rw(iter) == READ && pos >= dio->i_size) {
++ /*
++ * We only report that we've read data up to i_size.
++ * Revert iter to a state corresponding to that as
++ * some callers (such as splice code) rely on it.
++ */
++ iov_iter_revert(iter, pos - dio->i_size);
+ break;
++ }
+ } while ((count = iov_iter_count(iter)) > 0);
+ blk_finish_plug(&plug);
+
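Review bot: `iov_iter_revert(iter, pos - dio->i_size)` is correct only if the iterator was advanced by at least that many bytes during this call, and nothing in the hunk shows that. The enclosing branch guarantees `pos >= dio->i_size`, so the subtraction cannot underflow, but a read that began at or past `i_size` would ask to unroll more than was consumed; iomap_dio_rw() presumably bails out earlier for that case, in code outside this hunk. The new comment could record the assumption, for example `the read started below i_size, so pos - i_size never exceeds what this call advanced`.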
diff --git a/queue-5.4/revert-serial-8250-add-support-for-ni-serial-pxi-pxie-485-devices.patch b/queue-5.4/revert-serial-8250-add-support-for-ni-serial-pxi-pxie-485-devices.patch
new file mode 100644
index 00000000000..31310fcf420
--- /dev/null
+++ b/queue-5.4/revert-serial-8250-add-support-for-ni-serial-pxi-pxie-485-devices.patch
@@ -0,0 +1,383 @@
+From 27ed14d0ecb38516b6f3c6fdcd62c25c9454f979 Mon Sep 17 00:00:00 2001
+From: Je Yen Tam
+Date: Wed, 27 Nov 2019 15:53:01 +0800
+Subject: Revert "serial/8250: Add support for NI-Serial PXI/PXIe+485 devices"
+
+From: Je Yen Tam
+
+commit 27ed14d0ecb38516b6f3c6fdcd62c25c9454f979 upstream.
+
+This reverts commit fdc2de87124f5183a98ea7eced1f76dbdba22951 ("serial/8250:
+Add support for NI-Serial PXI/PXIe+485 devices").
+
+The commit fdc2de87124f ("serial/8250: Add support for NI-Serial
+PXI/PXIe+485 devices") introduced a breakage on NI-Serial PXI(e)-RS485
+devices, RS-232 variants have no issue. The Linux system can enumerate the
+NI-Serial PXI(e)-RS485 devices, but it broke the R/W operation on the
+ports.
+
+However, the implementation is working on the NI internal Linux RT kernel
+but it does not work in the Linux main tree kernel. This is only affecting
+NI products, specifically the RS-485 variants. Reverting the upstream
+until a proper implementation that can apply to both NI internal Linux
+kernel and Linux mainline kernel is figured out.
+
+Signed-off-by: Je Yen Tam
+Fixes: fdc2de87124f ("serial/8250: Add support for NI-Serial PXI/PXIe+485 devices")
+Cc: stable
+Link: https://lore.kernel.org/r/20191127075301.9866-1-je.yen.tam@ni.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_pci.c | 292 -------------------------------------
+ 1 file changed, 4 insertions(+), 288 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -745,16 +745,8 @@ static int pci_ni8430_init(struct pci_de
+ }
+
+ /* UART Port Control Register */
+-#define NI16550_PCR_OFFSET 0x0f
+-#define NI16550_PCR_RS422 0x00
+-#define NI16550_PCR_ECHO_RS485 0x01
+-#define NI16550_PCR_DTR_RS485 0x02
+-#define NI16550_PCR_AUTO_RS485 0x03
+-#define NI16550_PCR_WIRE_MODE_MASK 0x03
+-#define NI16550_PCR_TXVR_ENABLE_BIT BIT(3)
+-#define NI16550_PCR_RS485_TERMINATION_BIT BIT(6)
+-#define NI16550_ACR_DTR_AUTO_DTR (0x2 << 3)
+-#define NI16550_ACR_DTR_MANUAL_DTR (0x0 << 3)
++#define NI8430_PORTCON 0x0f
++#define NI8430_PORTCON_TXVR_ENABLE (1 << 3)
+
+ static int
+ pci_ni8430_setup(struct serial_private *priv,
+@@ -776,117 +768,14 @@ pci_ni8430_setup(struct serial_private *
+ return -ENOMEM;
+
+ /* enable the transceiver */
+- writeb(readb(p + offset + NI16550_PCR_OFFSET) | NI16550_PCR_TXVR_ENABLE_BIT,
+- p + offset + NI16550_PCR_OFFSET);
++ writeb(readb(p + offset + NI8430_PORTCON) | NI8430_PORTCON_TXVR_ENABLE,
++ p + offset + NI8430_PORTCON);
+
+ iounmap(p);
+
+ return setup_port(priv, port, bar, offset, board->reg_shift);
+ }
+
+-static int pci_ni8431_config_rs485(struct uart_port *port,
+- struct serial_rs485 *rs485)
+-{
+- u8 pcr, acr;
+- struct uart_8250_port *up;
+-
+- up = container_of(port, struct uart_8250_port, port);
+- acr = up->acr;
+- pcr = port->serial_in(port, NI16550_PCR_OFFSET);
+- pcr &= ~NI16550_PCR_WIRE_MODE_MASK;
+-
+- if (rs485->flags & SER_RS485_ENABLED) {
+- /* RS-485 */
+- if ((rs485->flags & SER_RS485_RX_DURING_TX) &&
+- (rs485->flags & SER_RS485_RTS_ON_SEND)) {
+- dev_dbg(port->dev, "Invalid 2-wire mode\n");
+- return -EINVAL;
+- }
+-
+- if (rs485->flags & SER_RS485_RX_DURING_TX) {
+- /* Echo */
+- dev_vdbg(port->dev, "2-wire DTR with echo\n");
+- pcr |= NI16550_PCR_ECHO_RS485;
+- acr |= NI16550_ACR_DTR_MANUAL_DTR;
+- } else {
+- /* Auto or DTR */
+- if (rs485->flags & SER_RS485_RTS_ON_SEND) {
+- /* Auto */
+- dev_vdbg(port->dev, "2-wire Auto\n");
+- pcr |= NI16550_PCR_AUTO_RS485;
+- acr |= NI16550_ACR_DTR_AUTO_DTR;
+- } else {
+- /* DTR-controlled */
+- /* No Echo */
+- dev_vdbg(port->dev, "2-wire DTR no echo\n");
+- pcr |= NI16550_PCR_DTR_RS485;
+- acr |= NI16550_ACR_DTR_MANUAL_DTR;
+- }
+- }
+- } else {
+- /* RS-422 */
+- dev_vdbg(port->dev, "4-wire\n");
+- pcr |= NI16550_PCR_RS422;
+- acr |= NI16550_ACR_DTR_MANUAL_DTR;
+- }
+-
+- dev_dbg(port->dev, "write pcr: 0x%08x\n", pcr);
+- port->serial_out(port, NI16550_PCR_OFFSET, pcr);
+-
+- up->acr = acr;
+- port->serial_out(port, UART_SCR, UART_ACR);
+- port->serial_out(port, UART_ICR, up->acr);
+-
+- /* Update the cache. */
+- port->rs485 = *rs485;
+-
+- return 0;
+-}
+-
+-static int pci_ni8431_setup(struct serial_private *priv,
+- const struct pciserial_board *board,
+- struct uart_8250_port *uart, int idx)
+-{
+- u8 pcr, acr;
+- struct pci_dev *dev = priv->dev;
+- void __iomem *addr;
+- unsigned int bar, offset = board->first_offset;
+-
+- if (idx >= board->num_ports)
+- return 1;
+-
+- bar = FL_GET_BASE(board->flags);
+- offset += idx * board->uart_offset;
+-
+- addr = pci_ioremap_bar(dev, bar);
+- if (!addr)
+- return -ENOMEM;
+-
+- /* enable the transceiver */
+- writeb(readb(addr + NI16550_PCR_OFFSET) | NI16550_PCR_TXVR_ENABLE_BIT,
+- addr + NI16550_PCR_OFFSET);
+-
+- pcr = readb(addr + NI16550_PCR_OFFSET);
+- pcr &= ~NI16550_PCR_WIRE_MODE_MASK;
+-
+- /* set wire mode to default RS-422 */
+- pcr |= NI16550_PCR_RS422;
+- acr = NI16550_ACR_DTR_MANUAL_DTR;
+-
+- /* write port configuration to register */
+- writeb(pcr, addr + NI16550_PCR_OFFSET);
+-
+- /* access and write to UART acr register */
+- writeb(UART_ACR, addr + UART_SCR);
+- writeb(acr, addr + UART_ICR);
+-
+- uart->port.rs485_config = &pci_ni8431_config_rs485;
+-
+- iounmap(addr);
+-
+- return setup_port(priv, uart, bar, offset, board->reg_shift);
+-}
+-
+ static int pci_netmos_9900_setup(struct serial_private *priv,
+ const struct pciserial_board *board,
+ struct uart_8250_port *port, int idx)
+@@ -2023,15 +1912,6 @@ pci_moxa_setup(struct serial_private *pr
+ #define PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM 0x10E9
+ #define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM 0x11D8
+
+-#define PCIE_DEVICE_ID_NI_PXIE8430_2328 0x74C2
+-#define PCIE_DEVICE_ID_NI_PXIE8430_23216 0x74C1
+-#define PCI_DEVICE_ID_NI_PXI8431_4852 0x7081
+-#define PCI_DEVICE_ID_NI_PXI8431_4854 0x70DE
+-#define PCI_DEVICE_ID_NI_PXI8431_4858 0x70E3
+-#define PCI_DEVICE_ID_NI_PXI8433_4852 0x70E9
+-#define PCI_DEVICE_ID_NI_PXI8433_4854 0x70ED
+-#define PCIE_DEVICE_ID_NI_PXIE8431_4858 0x74C4
+-#define PCIE_DEVICE_ID_NI_PXIE8431_48516 0x74C3
+
+ #define PCI_DEVICE_ID_MOXA_CP102E 0x1024
+ #define PCI_DEVICE_ID_MOXA_CP102EL 0x1025
+@@ -2269,87 +2149,6 @@ static struct pci_serial_quirk pci_seria
+ .setup = pci_ni8430_setup,
+ .exit = pci_ni8430_exit,
+ },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCIE_DEVICE_ID_NI_PXIE8430_2328,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8430_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCIE_DEVICE_ID_NI_PXIE8430_23216,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8430_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCI_DEVICE_ID_NI_PXI8431_4852,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCI_DEVICE_ID_NI_PXI8431_4854,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCI_DEVICE_ID_NI_PXI8431_4858,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCI_DEVICE_ID_NI_PXI8433_4852,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCI_DEVICE_ID_NI_PXI8433_4854,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCIE_DEVICE_ID_NI_PXIE8431_4858,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCIE_DEVICE_ID_NI_PXIE8431_48516,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+ /* Quatech */
+ {
+ .vendor = PCI_VENDOR_ID_QUATECH,
+@@ -3106,13 +2905,6 @@ enum pci_board_num_t {
+ pbn_ni8430_4,
+ pbn_ni8430_8,
+ pbn_ni8430_16,
+- pbn_ni8430_pxie_8,
+- pbn_ni8430_pxie_16,
+- pbn_ni8431_2,
+- pbn_ni8431_4,
+- pbn_ni8431_8,
+- pbn_ni8431_pxie_8,
+- pbn_ni8431_pxie_16,
+ pbn_ADDIDATA_PCIe_1_3906250,
+ pbn_ADDIDATA_PCIe_2_3906250,
+ pbn_ADDIDATA_PCIe_4_3906250,
+@@ -3765,55 +3557,6 @@ static struct pciserial_board pci_boards
+ .uart_offset = 0x10,
+ .first_offset = 0x800,
+ },
+- [pbn_ni8430_pxie_16] = {
+- .flags = FL_BASE0,
+- .num_ports = 16,
+- .base_baud = 3125000,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+- [pbn_ni8430_pxie_8] = {
+- .flags = FL_BASE0,
+- .num_ports = 8,
+- .base_baud = 3125000,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+- [pbn_ni8431_8] = {
+- .flags = FL_BASE0,
+- .num_ports = 8,
+- .base_baud = 3686400,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+- [pbn_ni8431_4] = {
+- .flags = FL_BASE0,
+- .num_ports = 4,
+- .base_baud = 3686400,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+- [pbn_ni8431_2] = {
+- .flags = FL_BASE0,
+- .num_ports = 2,
+- .base_baud = 3686400,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+- [pbn_ni8431_pxie_16] = {
+- .flags = FL_BASE0,
+- .num_ports = 16,
+- .base_baud = 3125000,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+- [pbn_ni8431_pxie_8] = {
+- .flags = FL_BASE0,
+- .num_ports = 8,
+- .base_baud = 3125000,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+ /*
+ * ADDI-DATA GmbH PCI-Express communication cards
+ */
+@@ -5567,33 +5310,6 @@ static const struct pci_device_id serial
+ { PCI_VENDOR_ID_NI, PCI_DEVICE_ID_NI_PCI8432_2324,
+ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+ pbn_ni8430_4 },
+- { PCI_VENDOR_ID_NI, PCIE_DEVICE_ID_NI_PXIE8430_2328,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8430_pxie_8 },
+- { PCI_VENDOR_ID_NI, PCIE_DEVICE_ID_NI_PXIE8430_23216,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8430_pxie_16 },
+- { PCI_VENDOR_ID_NI, PCI_DEVICE_ID_NI_PXI8431_4852,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_2 },
+- { PCI_VENDOR_ID_NI, PCI_DEVICE_ID_NI_PXI8431_4854,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_4 },
+- { PCI_VENDOR_ID_NI, PCI_DEVICE_ID_NI_PXI8431_4858,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_8 },
+- { PCI_VENDOR_ID_NI, PCIE_DEVICE_ID_NI_PXIE8431_4858,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_pxie_8 },
+- { PCI_VENDOR_ID_NI, PCIE_DEVICE_ID_NI_PXIE8431_48516,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_pxie_16 },
+- { PCI_VENDOR_ID_NI, PCI_DEVICE_ID_NI_PXI8433_4852,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_2 },
+- { PCI_VENDOR_ID_NI, PCI_DEVICE_ID_NI_PXI8433_4854,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_4 },
+
+ /*
+ * MOXA
diff --git a/queue-5.4/series b/queue-5.4/series
index e4c15bdf269..a3a9316e0e4 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -83,3 +83,10 @@ rdma-qib-validate-show-store-callbacks-before-calling-them.patch
 rfkill-allocate-static-minor.patch
 bdev-factor-out-bdev-revalidation-into-a-common-helper.patch
 bdev-refresh-bdev-size-for-disks-without-partitioning.patch
+iomap-fix-pipe-page-leakage-during-splicing.patch
+thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch
+vcs-prevent-write-access-to-vcsu-devices.patch
+revert-serial-8250-add-support-for-ni-serial-pxi-pxie-485-devices.patch
+binder-fix-race-between-mmap-and-binder_alloc_print_pages.patch
+binder-prevent-repeated-use-of-mmap-via-null-mapping.patch
+binder-handle-start-null-in-binder_update_page_range.patch
diff --git a/queue-5.4/thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch b/queue-5.4/thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch
new file mode 100644
index 00000000000..5cd373d8392
--- /dev/null
+++ b/queue-5.4/thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch
@@ -0,0 +1,96 @@
+From 163b00cde7cf2206e248789d2780121ad5e6a70b Mon Sep 17 00:00:00 2001
+From: Wei Wang
+Date: Tue, 12 Nov 2019 12:42:23 -0800
+Subject: thermal: Fix deadlock in thermal thermal_zone_device_check
+
+From: Wei Wang
+
+commit 163b00cde7cf2206e248789d2780121ad5e6a70b upstream.
+
+1851799e1d29 ("thermal: Fix use-after-free when unregistering thermal zone
+device") changed cancel_delayed_work to cancel_delayed_work_sync to avoid
+a use-after-free issue. However, cancel_delayed_work_sync could be called
+insides the WQ causing deadlock.
+
+[54109.642398] c0 1162 kworker/u17:1 D 0 11030 2 0x00000000
+[54109.642437] c0 1162 Workqueue: thermal_passive_wq thermal_zone_device_check
+[54109.642447] c0 1162 Call trace:
+[54109.642456] c0 1162 __switch_to+0x138/0x158
+[54109.642467] c0 1162 __schedule+0xba4/0x1434
+[54109.642480] c0 1162 schedule_timeout+0xa0/0xb28
+[54109.642492] c0 1162 wait_for_common+0x138/0x2e8
+[54109.642511] c0 1162 flush_work+0x348/0x40c
+[54109.642522] c0 1162 __cancel_work_timer+0x180/0x218
+[54109.642544] c0 1162 handle_thermal_trip+0x2c4/0x5a4
+[54109.642553] c0 1162 thermal_zone_device_update+0x1b4/0x25c
+[54109.642563] c0 1162 thermal_zone_device_check+0x18/0x24
+[54109.642574] c0 1162 process_one_work+0x3cc/0x69c
+[54109.642583] c0 1162 worker_thread+0x49c/0x7c0
+[54109.642593] c0 1162 kthread+0x17c/0x1b0
+[54109.642602] c0 1162 ret_from_fork+0x10/0x18
+[54109.643051] c0 1162 kworker/u17:2 D 0 16245 2 0x00000000
+[54109.643067] c0 1162 Workqueue: thermal_passive_wq thermal_zone_device_check
+[54109.643077] c0 1162 Call trace:
+[54109.643085] c0 1162 __switch_to+0x138/0x158
+[54109.643095] c0 1162 __schedule+0xba4/0x1434
+[54109.643104] c0 1162 schedule_timeout+0xa0/0xb28
+[54109.643114] c0 1162 wait_for_common+0x138/0x2e8
+[54109.643122] c0 1162 flush_work+0x348/0x40c
+[54109.643131] c0 1162 __cancel_work_timer+0x180/0x218
+[54109.643141] c0 1162 handle_thermal_trip+0x2c4/0x5a4
+[54109.643150] c0 1162 thermal_zone_device_update+0x1b4/0x25c
+[54109.643159] c0 1162 thermal_zone_device_check+0x18/0x24
+[54109.643167] c0 1162 process_one_work+0x3cc/0x69c
+[54109.643177] c0 1162 worker_thread+0x49c/0x7c0
+[54109.643186] c0 1162 kthread+0x17c/0x1b0
+[54109.643195] c0 1162 ret_from_fork+0x10/0x18
+[54109.644500] c0 1162 cat D 0 7766 1 0x00000001
+[54109.644515] c0 1162 Call trace:
+[54109.644524] c0 1162 __switch_to+0x138/0x158
+[54109.644536] c0 1162 __schedule+0xba4/0x1434
+[54109.644546] c0 1162 schedule_preempt_disabled+0x80/0xb0
+[54109.644555] c0 1162 __mutex_lock+0x3a8/0x7f0
+[54109.644563] c0 1162 __mutex_lock_slowpath+0x14/0x20
+[54109.644575] c0 1162 thermal_zone_get_temp+0x84/0x360
+[54109.644586] c0 1162 temp_show+0x30/0x78
+[54109.644609] c0 1162 dev_attr_show+0x5c/0xf0
+[54109.644628] c0 1162 sysfs_kf_seq_show+0xcc/0x1a4
+[54109.644636] c0 1162 kernfs_seq_show+0x48/0x88
+[54109.644656] c0 1162 seq_read+0x1f4/0x73c
+[54109.644664] c0 1162 kernfs_fop_read+0x84/0x318
+[54109.644683] c0 1162 __vfs_read+0x50/0x1bc
+[54109.644692] c0 1162 vfs_read+0xa4/0x140
+[54109.644701] c0 1162 SyS_read+0xbc/0x144
+[54109.644708] c0 1162 el0_svc_naked+0x34/0x38
+[54109.845800] c0 1162 D 720.000s 1->7766->7766 cat [panic]
+
+Fixes: 1851799e1d29 ("thermal: Fix use-after-free when unregistering thermal zone device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wei Wang
+Signed-off-by: Zhang Rui
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/thermal/thermal_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -304,7 +304,7 @@ static void thermal_zone_device_set_poll
+ &tz->poll_queue,
+ msecs_to_jiffies(delay));
+ else
+- cancel_delayed_work_sync(&tz->poll_queue);
++ cancel_delayed_work(&tz->poll_queue);
+ }
+
+ static void monitor_thermal_zone(struct thermal_zone_device *tz)
+@@ -1414,7 +1414,7 @@ void thermal_zone_device_unregister(stru
+
+ mutex_unlock(&thermal_list_lock);
+
+- thermal_zone_device_set_polling(tz, 0);
++ cancel_delayed_work_sync(&tz->poll_queue);
+
+ thermal_set_governor(tz, NULL);
+
diff --git a/queue-5.4/vcs-prevent-write-access-to-vcsu-devices.patch b/queue-5.4/vcs-prevent-write-access-to-vcsu-devices.patch
new file mode 100644
index 00000000000..5d093ea4d07
--- /dev/null
+++ b/queue-5.4/vcs-prevent-write-access-to-vcsu-devices.patch
@@ -0,0 +1,38 @@
+From 0c9acb1af77a3cb8707e43f45b72c95266903cee Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre
+Date: Tue, 5 Nov 2019 10:33:16 +0100
+Subject: vcs: prevent write access to vcsu devices
+
+From: Nicolas Pitre
+
+commit 0c9acb1af77a3cb8707e43f45b72c95266903cee upstream.
+
+Commit d21b0be246bf ("vt: introduce unicode mode for /dev/vcs") guarded
+against using devices containing attributes as this is not yet
+implemented. It however failed to guard against writes to any devices
+as this is also unimplemented.
+
+Reported-by: Or Cohen
+Signed-off-by: Nicolas Pitre
+Cc: # v4.19+
+Cc: Jiri Slaby
+Fixes: d21b0be246bf ("vt: introduce unicode mode for /dev/vcs")
+Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.1911051030580.30289@knanqh.ubzr
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/vt/vc_screen.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -456,6 +456,9 @@ vcs_write(struct file *file, const char
+ size_t ret;
+ char *con_buf;
+
++ if (use_unicode(inode))
++ return -EOPNOTSUPP;
++
+ con_buf = (char *) __get_free_page(GFP_KERNEL);
+ if (!con_buf)
+ return -ENOMEM;
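Review bot: The switch to `cancel_delayed_work()` in thermal_zone_device_set_polling() carries no comment, and next to the `cancel_delayed_work_sync()` added in thermal_zone_device_unregister() it reads like an oversight that someone will "fix" back. The reason is only in the commit message: set_polling can run from the poll work item itself (thermal_zone_device_check, thermal_zone_device_update, handle_thermal_trip in the quoted trace), where the _sync variant waits on its own work. I would add `/* may run from poll_queue's own work item: must not use the _sync variant here */` above the call. In the unregister hunk nothing visible prevents another path from re-arming `poll_queue` after the synchronous cancel, so it is worth checking that no caller of set_polling can still reach `tz` at that point; the rest of that function is outside the hunk.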
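Review bot: The `use_unicode(inode)` rejection added to vcs_write() has no comment saying that it covers an unimplemented feature rather than a permission rule, and it appears to take effect only at write time, so opening a vcsu node for writing presumably still succeeds. The placement before `__get_free_page()` is right, since the early return then has nothing to release. I would add `/* writing to unicode (vcsu) devices is not implemented */` above the check. If the open handler already refuses the unsupported unicode-with-attributes case, as the commit message suggests, refusing write opens there as well would fail earlier; that handler is not in this hunk.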