From: Greg Kroah-Hartman Date: Mon, 4 Nov 2019 10:25:59 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.199~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1aa2c07ec035b02fc93e9a2ba84e13dcb15b4980;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: arm64-ensure-vm_write-vm_shared-ptes-are-clean-by-default.patch dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch nl80211-fix-validation-of-mesh-path-nexthop.patch rtlwifi-fix-potential-overflow-on-p2p-code.patch s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch s390-idle-fix-cpu-idle-time-calculation.patch
---
diff --git a/queue-4.14/arm64-ensure-vm_write-vm_shared-ptes-are-clean-by-default.patch b/queue-4.14/arm64-ensure-vm_write-vm_shared-ptes-are-clean-by-default.patch
new file mode 100644
index 00000000000..2a331a7c16c
--- /dev/null
+++ b/queue-4.14/arm64-ensure-vm_write-vm_shared-ptes-are-clean-by-default.patch
@@ -0,0 +1,71 @@
+From aa57157be69fb599bd4c38a4b75c5aad74a60ec0 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas
+Date: Tue, 29 Oct 2019 15:30:51 +0000
+Subject: arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default
+
+From: Catalin Marinas
+
+commit aa57157be69fb599bd4c38a4b75c5aad74a60ec0 upstream.
+
+Shared and writable mappings (__S.1.) should be clean (!dirty) initially
+and made dirty on a subsequent write either through the hardware DBM
+(dirty bit management) mechanism or through a write page fault. A clean
+pte for the arm64 kernel is one that has PTE_RDONLY set and PTE_DIRTY
+clear.
+
+The PAGE_SHARED{,_EXEC} attributes have PTE_WRITE set (PTE_DBM) and
+PTE_DIRTY clear. Prior to commit 73e86cb03cf2 ("arm64: Move PTE_RDONLY
+bit handling out of set_pte_at()"), it was the responsibility of
+set_pte_at() to set the PTE_RDONLY bit and mark the pte clean if the
+software PTE_DIRTY bit was not set. However, the above commit removed
+the pte_sw_dirty() check and the subsequent setting of PTE_RDONLY in
+set_pte_at() while leaving the PAGE_SHARED{,_EXEC} definitions
+unchanged. The result is that shared+writable mappings are now dirty by
+default
+
+Fix the above by explicitly setting PTE_RDONLY in PAGE_SHARED{,_EXEC}.
+In addition, remove the superfluous PTE_DIRTY bit from the kernel PROT_*
+attributes.
+
+Fixes: 73e86cb03cf2 ("arm64: Move PTE_RDONLY bit handling out of set_pte_at()")
+Cc: # 4.14.x-
+Cc: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/include/asm/pgtable-prot.h | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/arch/arm64/include/asm/pgtable-prot.h
++++ b/arch/arm64/include/asm/pgtable-prot.h
+@@ -43,11 +43,11 @@
+ #define PROT_DEFAULT (_PROT_DEFAULT | PTE_MAYBE_NG)
+ #define PROT_SECT_DEFAULT (_PROT_SECT_DEFAULT | PMD_MAYBE_NG)
+
+-#define PROT_DEVICE_nGnRnE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRnE))
+-#define PROT_DEVICE_nGnRE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRE))
+-#define PROT_NORMAL_NC (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL_NC))
+-#define PROT_NORMAL_WT (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL_WT))
+-#define PROT_NORMAL (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL))
++#define PROT_DEVICE_nGnRnE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRnE))
++#define PROT_DEVICE_nGnRE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRE))
++#define PROT_NORMAL_NC (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL_NC))
++#define PROT_NORMAL_WT (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL_WT))
++#define PROT_NORMAL (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL))
+
+ #define PROT_SECT_DEVICE_nGnRE (PROT_SECT_DEFAULT | PMD_SECT_PXN | PMD_SECT_UXN | PMD_ATTRINDX(MT_DEVICE_nGnRE))
+ #define PROT_SECT_NORMAL (PROT_SECT_DEFAULT | PMD_SECT_PXN | PMD_SECT_UXN | PMD_ATTRINDX(MT_NORMAL))
+@@ -71,8 +71,9 @@
+ #define PAGE_S2_DEVICE __pgprot(_PROT_DEFAULT | PTE_S2_MEMATTR(MT_S2_DEVICE_nGnRE) | PTE_S2_RDONLY | PTE_UXN)
+
+ #define PAGE_NONE __pgprot(((_PAGE_DEFAULT) & ~PTE_VALID) | PTE_PROT_NONE | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN)
+-#define PAGE_SHARED __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE)
+-#define PAGE_SHARED_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_WRITE)
++/* shared+writable pages are clean by default, hence PTE_RDONLY|PTE_WRITE */
++#define PAGE_SHARED __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE)
++#define PAGE_SHARED_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE)
+ #define PAGE_READONLY __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN)
+ #define PAGE_READONLY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN)
+ #define PAGE_EXECONLY __pgprot(_PAGE_DEFAULT | PTE_RDONLY | PTE_NG | PTE_PXN)
diff --git a/queue-4.14/dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch b/queue-4.14/dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch
new file mode 100644
index 00000000000..ccaf0566576
--- /dev/null
+++ b/queue-4.14/dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch
@@ -0,0 +1,74 @@
+From bacdcb6675e170bb2e8d3824da220e10274f42a7 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren
+Date: Wed, 23 Oct 2019 08:31:38 -0700
+Subject: dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle
+
+From: Tony Lindgren
+
+commit bacdcb6675e170bb2e8d3824da220e10274f42a7 upstream.
+
+Yegor Yefremov reported that musb and ftdi
+uart can fail for the first open of the uart unless connected using
+a hub.
+
+This is because the first dma call done by musb_ep_program() must wait
+if cppi41 is PM runtime suspended. Otherwise musb_ep_program() continues
+with other non-dma packets before the DMA transfer is started causing at
+least ftdi uarts to fail to receive data.
+
+Let's fix the issue by waking up cppi41 with PM runtime calls added to
+cppi41_dma_prep_slave_sg() and return NULL if still idled. This way we
+have musb_ep_program() continue with PIO until cppi41 is awake.
+
+Fixes: fdea2d09b997 ("dmaengine: cppi41: Add basic PM runtime support")
+Reported-by: Yegor Yefremov
+Signed-off-by: Tony Lindgren
+Cc: stable@vger.kernel.org # v4.9+
+Link: https://lore.kernel.org/r/20191023153138.23442-1-tony@atomide.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/dma/cppi41.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/cppi41.c
++++ b/drivers/dma/cppi41.c
+@@ -585,9 +585,22 @@ static struct dma_async_tx_descriptor *c
+ enum dma_transfer_direction dir, unsigned long tx_flags, void *context)
+ {
+ struct cppi41_channel *c = to_cpp41_chan(chan);
++ struct dma_async_tx_descriptor *txd = NULL;
++ struct cppi41_dd *cdd = c->cdd;
+ struct cppi41_desc *d;
+ struct scatterlist *sg;
+ unsigned int i;
++ int error;
++
++ error = pm_runtime_get(cdd->ddev.dev);
++ if (error < 0) {
++ pm_runtime_put_noidle(cdd->ddev.dev);
++
++ return NULL;
++ }
++
++ if (cdd->is_suspended)
++ goto err_out_not_ready;
+
+ d = c->desc;
+ for_each_sg(sgl, sg, sg_len, i) {
+@@ -610,7 +623,13 @@ static
struct dma_async_tx_descriptor *c
+ d++;
+ }
+
+- return &c->txd;
++ txd = &c->txd;
++
++err_out_not_ready:
++ pm_runtime_mark_last_busy(cdd->ddev.dev);
++ pm_runtime_put_autosuspend(cdd->ddev.dev);
++
++ return txd;
+ }
+
+ static void cppi41_compute_td_desc(struct cppi41_desc *d)
diff --git a/queue-4.14/nl80211-fix-validation-of-mesh-path-nexthop.patch b/queue-4.14/nl80211-fix-validation-of-mesh-path-nexthop.patch
new file mode 100644
index 00000000000..454efd7a8a6
--- /dev/null
+++ b/queue-4.14/nl80211-fix-validation-of-mesh-path-nexthop.patch
@@ -0,0 +1,35 @@
+From 1fab1b89e2e8f01204a9c05a39fd0b6411a48593 Mon Sep 17 00:00:00 2001
+From: Markus Theil
+Date: Tue, 29 Oct 2019 10:30:03 +0100
+Subject: nl80211: fix validation of mesh path nexthop
+
+From: Markus Theil
+
+commit 1fab1b89e2e8f01204a9c05a39fd0b6411a48593 upstream.
+
+Mesh path nexthop should be a ethernet address, but current validation
+checks against 4 byte integers.
+
+Cc: stable@vger.kernel.org
+Fixes: 2ec600d672e74 ("nl80211/cfg80211: support for mesh, sta dumping")
+Signed-off-by: Markus Theil
+Link: https://lore.kernel.org/r/20191029093003.10355-1-markus.theil@tu-ilmenau.de
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -283,7 +283,8 @@ static const struct nla_policy nl80211_p
+ [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
+ [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
+ .len = IEEE80211_MAX_MESH_ID_LEN },
+- [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
++ [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_BINARY,
++ .len = ETH_ALEN },
+
+ [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
+ [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
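Review bot: The `if (cdd->is_suspended) goto err_out_not_ready;` check at the top of cppi41_dma_prep_slave_sg() turns a NULL return into a "not resumed yet, caller falls back to PIO" signal, and that contract is not written down anywhere in the function, even though dmaengine callers normally treat a NULL descriptor as a hard failure. Since pm_runtime_get() is the asynchronous variant, the flag only reports whether the resume has already completed; with the reference now held the controller presumably cannot suspend again underneath the descriptor setup, but that reasoning is not visible here and is worth a comment such as `/* pm_runtime_get() is async: if the controller has not finished resuming, return NULL so the caller (musb) uses PIO for this transfer. */`. The pm_runtime_get() error path correctly pairs with pm_runtime_put_noidle(), while the not-ready path goes through mark_last_busy/put_autosuspend; documenting why the two differ would help the next reader. The function's signature and the end of its body lie outside the hunks.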
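Review bot: The new `{ .type = NLA_BINARY, .len = ETH_ALEN }` entry for NL80211_ATTR_MPATH_NEXT_HOP only bounds the attribute from above, because the policy validator rejects NLA_BINARY payloads longer than `.len` and accepts anything shorter, so a 0–5 byte attribute still passes and any consumer that reads nla_data() as a full ETH_ALEN address (the mpath handlers, outside this hunk) reads neighbouring message bytes instead of a validated address. This is narrower than the old NLA_U32 policy but does not make the length exact. If this tree has an exact-length policy type (newer kernels have NLA_EXACT_LEN), that is the precise fix; otherwise the consumers should check `nla_len(...) != ETH_ALEN` themselves, and the assumption deserves a comment on the entry, e.g. `/* NLA_BINARY .len is a maximum; callers must verify nla_len() == ETH_ALEN */`. The policy array starts outside the hunk.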
diff --git a/queue-4.14/rtlwifi-fix-potential-overflow-on-p2p-code.patch b/queue-4.14/rtlwifi-fix-potential-overflow-on-p2p-code.patch
new file mode 100644
index 00000000000..01643020c0b
--- /dev/null
+++ b/queue-4.14/rtlwifi-fix-potential-overflow-on-p2p-code.patch
@@ -0,0 +1,46 @@
+From 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 Mon Sep 17 00:00:00 2001
+From: Laura Abbott
+Date: Fri, 18 Oct 2019 07:43:21 -0400
+Subject: rtlwifi: Fix potential overflow on P2P code
+
+From: Laura Abbott
+
+commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 upstream.
+
+Nicolas Waisman noticed that even though noa_len is checked for
+a compatible length it's still possible to overrun the buffers
+of p2pinfo since there's no check on the upper bound of noa_num.
+Bound noa_num against P2P_MAX_NOA_NUM.
+
+Reported-by: Nicolas Waisman
+Signed-off-by: Laura Abbott
+Acked-by: Ping-Ke Shih
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
++++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
+@@ -774,6 +774,9 @@ static void rtl_p2p_noa_ie(struct ieee80
+ return;
+ } else {
+ noa_num = (noa_len - 2) / 13;
++ if (noa_num > P2P_MAX_NOA_NUM)
++ noa_num = P2P_MAX_NOA_NUM;
++
+ }
+ noa_index = ie[3];
+ if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
+@@ -868,6 +871,9 @@ static void rtl_p2p_action_ie(struct iee
+ return;
+ } else {
+ noa_num = (noa_len - 2) / 13;
++ if (noa_num > P2P_MAX_NOA_NUM)
++ noa_num = P2P_MAX_NOA_NUM;
++
+ }
+ noa_index = ie[3];
+ if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
diff --git a/queue-4.14/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch b/queue-4.14/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch
new file mode 100644
index 00000000000..47dfb9515ee
--- /dev/null
+++ b/queue-4.14/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch
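Review bot: The clamp `if (noa_num > P2P_MAX_NOA_NUM) noa_num = P2P_MAX_NOA_NUM;` is pasted identically into rtl_p2p_noa_ie() and rtl_p2p_action_ie() (both hunks of this file), and in each case it is followed by a stray blank line before the closing `}`; the two sites are easier to keep in sync as a single expression, `noa_num = min((noa_len - 2) / 13, P2P_MAX_NOA_NUM);` (min_t() if the operand types differ, which the hunk does not show). Clamping also silently parses only the first P2P_MAX_NOA_NUM descriptors of an over-long NoA attribute rather than rejecting the malformed IE, so a comment stating that truncation is the intended policy, e.g. `/* drop surplus NoA descriptors; p2pinfo only holds P2P_MAX_NOA_NUM */`, would keep a later reader from treating it as an oversight. Both functions start and end outside the hunks.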
@@ -0,0 +1,66 @@
+From b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f Mon Sep 17 00:00:00 2001
+From: Yihui ZENG
+Date: Fri, 25 Oct 2019 12:31:48 +0300
+Subject: s390/cmm: fix information leak in cmm_timeout_handler()
+
+From: Yihui ZENG
+
+commit b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f upstream.
+
+The problem is that we were putting the NUL terminator too far:
+
+ buf[sizeof(buf) - 1] = '\0';
+
+If the user input isn't NUL terminated and they haven't initialized the
+whole buffer then it leads to an info leak. The NUL terminator should
+be:
+
+ buf[len - 1] = '\0';
+
+Signed-off-by: Yihui Zeng
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter
+[heiko.carstens@de.ibm.com: keep semantics of how *lenp and *ppos are handled]
+Signed-off-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/mm/cmm.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/s390/mm/cmm.c
++++ b/arch/s390/mm/cmm.c
+@@ -307,16 +307,16 @@ static int cmm_timeout_handler(struct ct
+ }
+
+ if (write) {
+- len = *lenp;
+- if (copy_from_user(buf, buffer,
+- len > sizeof(buf) ? sizeof(buf) : len))
++ len = min(*lenp, sizeof(buf));
++ if (copy_from_user(buf, buffer, len))
+ return -EFAULT;
+- buf[sizeof(buf) - 1] = '\0';
++ buf[len - 1] = '\0';
+ cmm_skip_blanks(buf, &p);
+ nr = simple_strtoul(p, &p, 0);
+ cmm_skip_blanks(p, &p);
+ seconds = simple_strtoul(p, &p, 0);
+ cmm_set_timeout(nr, seconds);
++ *ppos += *lenp;
+ } else {
+ len = sprintf(buf, "%ld %ld\n",
+ cmm_timeout_pages, cmm_timeout_seconds);
+@@ -324,9 +324,9 @@ static int cmm_timeout_handler(struct ct
+ len = *lenp;
+ if (copy_to_user(buffer, buf, len))
+ return -EFAULT;
++ *lenp = len;
++ *ppos += len;
+ }
+- *lenp = len;
+- *ppos += len;
+ return 0;
+ }
+
diff --git a/queue-4.14/s390-idle-fix-cpu-idle-time-calculation.patch b/queue-4.14/s390-idle-fix-cpu-idle-time-calculation.patch
new file mode 100644
index 00000000000..41344b7fee1
--- /dev/null
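Review bot: `buf[len - 1] = '\0';` in the write branch overwrites the last byte the user supplied rather than the byte after it, so a write shorter than sizeof(buf) with no trailing newline (for instance a 5-byte "10 20") loses its final digit before simple_strtoul() runs; the terminator should follow the data, i.e. `len = min(*lenp, sizeof(buf) - 1);` and `buf[len] = '\0';`, which stays inside the buffer and still closes the uninitialised-stack leak the commit targets. That form also removes the dependence on `*lenp` being non-zero: as written, `len - 1` underflows for a zero-length write, which is presumably prevented by an early return above the hunk (the `}` at the hunk's first context line looks like its closing brace), and that reliance deserves a comment if the current indexing is kept. cmm_timeout_handler() begins outside the hunk.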
+++ b/queue-4.14/s390-idle-fix-cpu-idle-time-calculation.patch 
@@ -0,0 +1,98 @@
+From 3d7efa4edd07be5c5c3ffa95ba63e97e070e1f3f Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Mon, 28 Oct 2019 11:03:27 +0100
+Subject: s390/idle: fix cpu idle time calculation
+
+From: Heiko Carstens
+
+commit 3d7efa4edd07be5c5c3ffa95ba63e97e070e1f3f upstream.
+
+The idle time reported in /proc/stat sometimes incorrectly contains
+huge values on s390. This is caused by a bug in arch_cpu_idle_time().
+
+The kernel tries to figure out when a different cpu entered idle by
+accessing its per-cpu data structure. There is an ordering problem: if
+the remote cpu has an idle_enter value which is not zero, and an
+idle_exit value which is zero, it is assumed it is idle since
+"now". The "now" timestamp however is taken before the idle_enter
+value is read.
+
+Which in turn means that "now" can be smaller than idle_enter of the
+remote cpu. Unconditionally subtracting idle_enter from "now" can thus
+lead to a negative value (aka large unsigned value).
+
+Fix this by moving the get_tod_clock() invocation out of the
+loop. While at it also make the code a bit more readable.
+
+A similar bug also exists for show_idle_time(). Fix this is as well.
+
+Cc:
+Signed-off-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kernel/idle.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+--- a/arch/s390/kernel/idle.c
++++ b/arch/s390/kernel/idle.c
+@@ -69,18 +69,26 @@ DEVICE_ATTR(idle_count, 0444, show_idle_
+ static ssize_t show_idle_time(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
++ unsigned long long now, idle_time, idle_enter, idle_exit, in_idle;
+ struct s390_idle_data *idle = &per_cpu(s390_idle, dev->id);
+- unsigned long long now, idle_time, idle_enter, idle_exit;
+ unsigned int seq;
+
+ do {
+- now = get_tod_clock();
+ seq = read_seqcount_begin(&idle->seqcount);
+ idle_time = READ_ONCE(idle->idle_time);
+ idle_enter = READ_ONCE(idle->clock_idle_enter);
+ idle_exit = READ_ONCE(idle->clock_idle_exit);
+ } while (read_seqcount_retry(&idle->seqcount, seq));
+- idle_time += idle_enter ? ((idle_exit ? : now) - idle_enter) : 0;
++ in_idle = 0;
++ now = get_tod_clock();
++ if (idle_enter) {
++ if (idle_exit) {
++ in_idle = idle_exit - idle_enter;
++ } else if (now > idle_enter) {
++ in_idle = now - idle_enter;
++ }
++ }
++ idle_time += in_idle;
+ return sprintf(buf, "%llu\n", idle_time >> 12);
+ }
+ DEVICE_ATTR(idle_time_us, 0444, show_idle_time, NULL);
+@@ -88,17 +96,24 @@ DEVICE_ATTR(idle_time_us, 0444, show_idl
+ u64 arch_cpu_idle_time(int cpu)
+ {
+ struct s390_idle_data *idle = &per_cpu(s390_idle, cpu);
+- unsigned long long now, idle_enter, idle_exit;
++ unsigned long long now, idle_enter, idle_exit, in_idle;
+ unsigned int seq;
+
+ do {
+- now = get_tod_clock();
+ seq = read_seqcount_begin(&idle->seqcount);
+ idle_enter = READ_ONCE(idle->clock_idle_enter);
+ idle_exit = READ_ONCE(idle->clock_idle_exit);
+ } while (read_seqcount_retry(&idle->seqcount, seq));
+-
+- return cputime_to_nsecs(idle_enter ?
((idle_exit ?: now) - idle_enter) : 0);
++ in_idle = 0;
++ now = get_tod_clock();
++ if (idle_enter) {
++ if (idle_exit) {
++ in_idle = idle_exit - idle_enter;
++ } else if (now > idle_enter) {
++ in_idle = now - idle_enter;
++ }
++ }
++ return cputime_to_nsecs(in_idle);
+ }
+
+ void arch_cpu_idle_enter(void)
diff --git a/queue-4.14/series b/queue-4.14/series
index 14ea0b77056..73bf8158462 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -75,3 +75,9 @@ scsi-target-cxgbit-fix-cxgbit_fw4_ack.patch
 hid-i2c-hid-add-trekstor-primebook-c11b-to-descriptor-override.patch
 hid-fix-assumption-that-devices-have-inputs.patch
 hid-fix-error-message-in-hid_open_report.patch
+nl80211-fix-validation-of-mesh-path-nexthop.patch
+s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch
+s390-idle-fix-cpu-idle-time-calculation.patch
+arm64-ensure-vm_write-vm_shared-ptes-are-clean-by-default.patch
+rtlwifi-fix-potential-overflow-on-p2p-code.patch
+dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch
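Review bot: The ten-line `in_idle = 0; now = get_tod_clock(); if (idle_enter) { ... }` sequence is duplicated verbatim in show_idle_time() and arch_cpu_idle_time(), so the `now > idle_enter` guard that is the actual fix lives in two places and its justification (that `now` is sampled after the seqcount loop, so a remote cpu's idle_enter can be ahead of it) is written down in neither. A small static helper keeps the two callers identical, lets `now` be declared once, and gives the guard a single comment; the call sites become `idle_time += idle_period(idle_enter, idle_exit);` and `return cputime_to_nsecs(idle_period(idle_enter, idle_exit));`. The only behavioural difference is that the helper reads the TOD clock only when idle_exit is zero, which does not change the result. Both functions are fully contained in the hunks, but the rest of the file is not visible.
```c
/*
 * Length of the idle period described by (idle_enter, idle_exit).
 * "now" is sampled after the seqcount loop, so a remote cpu's
 * idle_enter can be ahead of it; never subtract in that case.
 */
static unsigned long long idle_period(unsigned long long idle_enter,
				      unsigned long long idle_exit)
{
	unsigned long long now;

	if (!idle_enter)
		return 0;
	if (idle_exit)
		return idle_exit - idle_enter;
	now = get_tod_clock();
	return now > idle_enter ? now - idle_enter : 0;
}

/* … unchanged: show_idle_time() seqcount loop … */
	idle_time += idle_period(idle_enter, idle_exit);
	return sprintf(buf, "%llu\n", idle_time >> 12);

/* … unchanged: arch_cpu_idle_time() seqcount loop … */
	return cputime_to_nsecs(idle_period(idle_enter, idle_exit));
```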