From: Greg Kroah-Hartman Date: Mon, 8 Oct 2018 17:56:43 +0000 (+0200) Subject: 4.18-stable patches X-Git-Tag: v4.4.160~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35646c7782ea88ca7d25eacf43c5605d674f56e0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: alsa-hda-realtek-cannot-adjust-speaker-s-volume-on-dell-xps-27-7760.patch b43-fix-dma-error-related-regression-with-proprietary-firmware.patch cpufreq-qcom-kryo-fix-section-annotations.patch crypto-caam-jr-fix-ablkcipher_edesc-pointer-arithmetic.patch crypto-chelsio-fix-memory-corruption-in-dma-mapped-buffers.patch crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch crypto-qat-fix-kasan-stack-out-of-bounds-bug-in-adf_probe.patch drivers-hv-vmbus-use-get-put_cpu-in-vmbus_connect.patch firmware-always-initialize-the-fw_priv-list-object.patch firmware-fix-security-issue-with-request_firmware_into_buf.patch gpiolib-free-the-last-requested-descriptor.patch hid-i2c-hid-disable-runtime-pm-operations-on-hantick-touchpad.patch iommu-amd-clear-memory-encryption-mask-from-physical-address.patch ixgbe-check-return-value-of-napi_complete_done.patch new-primitive-discard_new_inode.patch ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch ovl-fix-access-beyond-unterminated-strings.patch ovl-fix-format-of-setxattr-debug.patch ovl-fix-memory-leak-on-unlink-of-indexed-file.patch ovl-set-i_creating-on-inode-being-created.patch proc-restrict-kernel-stack-dumps-to-root.patch smb2-fix-missing-files-in-root-share-directory-listing.patch sysfs-do-not-return-posix-acl-xattrs-via-listxattr.patch tools-hv-fcopy-set-error-in-case-an-unknown-operation-was-requested.patch vfs-don-t-evict-uninitialized-inode.patch --- diff --git a/queue-4.18/alsa-hda-realtek-cannot-adjust-speaker-s-volume-on-dell-xps-27-7760.patch b/queue-4.18/alsa-hda-realtek-cannot-adjust-speaker-s-volume-on-dell-xps-27-7760.patch new file mode 100644 index 00000000000..2d1404c8898 --- /dev/null +++ b/queue-4.18/alsa-hda-realtek-cannot-adjust-speaker-s-volume-on-dell-xps-27-7760.patch @@ -0,0 +1,35 @@ +From 709ae62e8e6d9ac4df7dadb3b8ae432675c45ef9 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Thu, 4 Oct 2018 11:39:42 +0800 +Subject: ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760 + +From: Kai-Heng Feng + +commit 709ae62e8e6d9ac4df7dadb3b8ae432675c45ef9 upstream. + +The issue is the same as commit dd9aa335c880 ("ALSA: hda/realtek - Can't +adjust speaker's volume on a Dell AIO"), the output requires to connect +to a node with Amp-out capability. + +Applying the same fixup ALC298_FIXUP_SPK_VOLUME can fix the issue. + +BugLink: https://bugs.launchpad.net/bugs/1775068 +Signed-off-by: Kai-Heng Feng +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6455,6 +6455,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1028, 0x0706, "Dell Inspiron 7559", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER), + SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE), + SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE), ++ SND_PCI_QUIRK(0x1028, 0x075c, "Dell XPS 27 7760", ALC298_FIXUP_SPK_VOLUME), + SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME), + SND_PCI_QUIRK(0x1028, 0x07b0, "Dell Precision 7520", ALC295_FIXUP_DISABLE_DAC3), + SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER), diff --git a/queue-4.18/b43-fix-dma-error-related-regression-with-proprietary-firmware.patch b/queue-4.18/b43-fix-dma-error-related-regression-with-proprietary-firmware.patch new file mode 100644 index 00000000000..ee481ef2761 --- /dev/null +++ b/queue-4.18/b43-fix-dma-error-related-regression-with-proprietary-firmware.patch @@ -0,0 +1,53 @@ +From 2823c8716c687d6c7e261a3a02b3cab43809fe9c Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Mon, 27 Aug 2018 10:34:07 -0500 +Subject: b43: fix DMA error related regression with proprietary firmware + +From: Larry Finger + +commit 2823c8716c687d6c7e261a3a02b3cab43809fe9c upstream. + +In commit 66cffd6daab7 ("b43: fix transmit failure when VT is switched"), +a condition is noted where the network controller needs to be reset. Note +that this situation happens when running the open-source firmware +(http://netweb.ing.unibs.it/~openfwwf/), plus a number of other special +conditions. + +for a different card model, it is reported that this change breaks +operation running the proprietary firmware +(https://marc.info/?l=linux-wireless&m=153504546924558&w=2). Rather +than reverting the previous patch, the code is tweaked to avoid the +reset unless the open-source firmware is being used. + +Fixes: 66cffd6daab7 ("b43: fix transmit failure when VT is switched") +Cc: Stable # 4.18+ +Cc: Taketo Kabe +Reported-and-tested-by: D. Prabhu +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/b43/dma.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/broadcom/b43/dma.c ++++ b/drivers/net/wireless/broadcom/b43/dma.c +@@ -1518,13 +1518,15 @@ void b43_dma_handle_txstatus(struct b43_ + } + } else { + /* More than a single header/data pair were missed. +- * Report this error, and reset the controller to ++ * Report this error. If running with open-source ++ * firmware, then reset the controller to + * revive operation. + */ + b43dbg(dev->wl, + "Out of order TX status report on DMA ring %d. Expected %d, but got %d\n", + ring->index, firstused, slot); +- b43_controller_restart(dev, "Out of order TX"); ++ if (dev->fw.opensource) ++ b43_controller_restart(dev, "Out of order TX"); + return; + } + } diff --git a/queue-4.18/cpufreq-qcom-kryo-fix-section-annotations.patch b/queue-4.18/cpufreq-qcom-kryo-fix-section-annotations.patch new file mode 100644 index 00000000000..0d9a8460d4a --- /dev/null +++ b/queue-4.18/cpufreq-qcom-kryo-fix-section-annotations.patch @@ -0,0 +1,59 @@ +From d51aea13dd6753186a2bea7619029c460bdf0c4c Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 19 Sep 2018 17:22:21 -0700 +Subject: cpufreq: qcom-kryo: Fix section annotations + +From: Nathan Chancellor + +commit d51aea13dd6753186a2bea7619029c460bdf0c4c upstream. + +There is currently a warning when building the Kryo cpufreq driver into +the kernel image: + +WARNING: vmlinux.o(.text+0x8aa424): Section mismatch in reference from +the function qcom_cpufreq_kryo_probe() to the function +.init.text:qcom_cpufreq_kryo_get_msm_id() +The function qcom_cpufreq_kryo_probe() references +the function __init qcom_cpufreq_kryo_get_msm_id(). +This is often because qcom_cpufreq_kryo_probe lacks a __init +annotation or the annotation of qcom_cpufreq_kryo_get_msm_id is wrong. + +Remove the '__init' annotation from qcom_cpufreq_kryo_get_msm_id +so that there is no more mismatch warning. + +Additionally, Nick noticed that the remove function was marked as +'__init' when it should really be marked as '__exit'. + +Fixes: 46e2856b8e18 (cpufreq: Add Kryo CPU scaling driver) +Fixes: 5ad7346b4ae2 (cpufreq: kryo: Add module remove and exit) +Reported-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Acked-by: Viresh Kumar +Cc: 4.18+ # 4.18+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/qcom-cpufreq-kryo.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/qcom-cpufreq-kryo.c ++++ b/drivers/cpufreq/qcom-cpufreq-kryo.c +@@ -44,7 +44,7 @@ enum _msm8996_version { + + struct platform_device *cpufreq_dt_pdev, *kryo_cpufreq_pdev; + +-static enum _msm8996_version __init qcom_cpufreq_kryo_get_msm_id(void) ++static enum _msm8996_version qcom_cpufreq_kryo_get_msm_id(void) + { + size_t len; + u32 *msm_id; +@@ -221,7 +221,7 @@ static int __init qcom_cpufreq_kryo_init + } + module_init(qcom_cpufreq_kryo_init); + +-static void __init qcom_cpufreq_kryo_exit(void) ++static void __exit qcom_cpufreq_kryo_exit(void) + { + platform_device_unregister(kryo_cpufreq_pdev); + platform_driver_unregister(&qcom_cpufreq_kryo_driver); diff --git a/queue-4.18/crypto-caam-jr-fix-ablkcipher_edesc-pointer-arithmetic.patch b/queue-4.18/crypto-caam-jr-fix-ablkcipher_edesc-pointer-arithmetic.patch new file mode 100644 index 00000000000..7f519daac15 --- /dev/null +++ b/queue-4.18/crypto-caam-jr-fix-ablkcipher_edesc-pointer-arithmetic.patch @@ -0,0 +1,59 @@ +From 13cc6f48c7434ce46ba6dbc90003a136a263d75a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Fri, 14 Sep 2018 18:34:28 +0300 +Subject: crypto: caam/jr - fix ablkcipher_edesc pointer arithmetic +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit 13cc6f48c7434ce46ba6dbc90003a136a263d75a upstream. + +In some cases the zero-length hw_desc array at the end of +ablkcipher_edesc struct requires for 4B of tail padding. + +Due to tail padding and the way pointers to S/G table and IV +are computed: + edesc->sec4_sg = (void *)edesc + sizeof(struct ablkcipher_edesc) + + desc_bytes; + iv = (u8 *)edesc->hw_desc + desc_bytes + sec4_sg_bytes; +first 4 bytes of IV are overwritten by S/G table. + +Update computation of pointer to S/G table to rely on offset of hw_desc +member and not on sizeof() operator. + +Cc: # 4.13+ +Fixes: 115957bb3e59 ("crypto: caam - fix IV DMA mapping and updating") +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamalg.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/crypto/caam/caamalg.c ++++ b/drivers/crypto/caam/caamalg.c +@@ -1553,8 +1553,8 @@ static struct ablkcipher_edesc *ablkciph + edesc->src_nents = src_nents; + edesc->dst_nents = dst_nents; + edesc->sec4_sg_bytes = sec4_sg_bytes; +- edesc->sec4_sg = (void *)edesc + sizeof(struct ablkcipher_edesc) + +- desc_bytes; ++ edesc->sec4_sg = (struct sec4_sg_entry *)((u8 *)edesc->hw_desc + ++ desc_bytes); + edesc->iv_dir = DMA_TO_DEVICE; + + /* Make sure IV is located in a DMAable area */ +@@ -1757,8 +1757,8 @@ static struct ablkcipher_edesc *ablkciph + edesc->src_nents = src_nents; + edesc->dst_nents = dst_nents; + edesc->sec4_sg_bytes = sec4_sg_bytes; +- edesc->sec4_sg = (void *)edesc + sizeof(struct ablkcipher_edesc) + +- desc_bytes; ++ edesc->sec4_sg = (struct sec4_sg_entry *)((u8 *)edesc->hw_desc + ++ desc_bytes); + edesc->iv_dir = DMA_FROM_DEVICE; + + /* Make sure IV is located in a DMAable area */ diff --git a/queue-4.18/crypto-chelsio-fix-memory-corruption-in-dma-mapped-buffers.patch b/queue-4.18/crypto-chelsio-fix-memory-corruption-in-dma-mapped-buffers.patch new file mode 100644 index 00000000000..1042c65b8e6 --- /dev/null +++ b/queue-4.18/crypto-chelsio-fix-memory-corruption-in-dma-mapped-buffers.patch @@ -0,0 +1,131 @@ +From add92a817e60e308a419693413a38d9d1e663aff Mon Sep 17 00:00:00 2001 +From: Harsh Jain +Date: Wed, 19 Sep 2018 22:42:16 +0530 +Subject: crypto: chelsio - Fix memory corruption in DMA Mapped buffers. + +From: Harsh Jain + +commit add92a817e60e308a419693413a38d9d1e663aff upstream. + +Update PCI Id in "cpl_rx_phys_dsgl" header. In case pci_chan_id and +tx_chan_id are not derived from same queue, H/W can send request +completion indication before completing DMA Transfer. + +Herbert, It would be good if fix can be merge to stable tree. +For 4.14 kernel, It requires some update to avoid mege conficts. + +Cc: +Signed-off-by: Harsh Jain +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/chelsio/chcr_algo.c | 32 ++++++++++++++++++++++---------- + drivers/crypto/chelsio/chcr_crypto.h | 2 ++ + 2 files changed, 24 insertions(+), 10 deletions(-) + +--- a/drivers/crypto/chelsio/chcr_algo.c ++++ b/drivers/crypto/chelsio/chcr_algo.c +@@ -367,7 +367,8 @@ static inline void dsgl_walk_init(struct + walk->to = (struct phys_sge_pairs *)(dsgl + 1); + } + +-static inline void dsgl_walk_end(struct dsgl_walk *walk, unsigned short qid) ++static inline void dsgl_walk_end(struct dsgl_walk *walk, unsigned short qid, ++ int pci_chan_id) + { + struct cpl_rx_phys_dsgl *phys_cpl; + +@@ -385,6 +386,7 @@ static inline void dsgl_walk_end(struct + phys_cpl->rss_hdr_int.opcode = CPL_RX_PHYS_ADDR; + phys_cpl->rss_hdr_int.qid = htons(qid); + phys_cpl->rss_hdr_int.hash_val = 0; ++ phys_cpl->rss_hdr_int.channel = pci_chan_id; + } + + static inline void dsgl_walk_add_page(struct dsgl_walk *walk, +@@ -718,7 +720,7 @@ static inline void create_wreq(struct ch + FILL_WR_RX_Q_ID(ctx->dev->rx_channel_id, qid, + !!lcb, ctx->tx_qidx); + +- chcr_req->ulptx.cmd_dest = FILL_ULPTX_CMD_DEST(ctx->dev->tx_channel_id, ++ chcr_req->ulptx.cmd_dest = FILL_ULPTX_CMD_DEST(ctx->tx_chan_id, + qid); + chcr_req->ulptx.len = htonl((DIV_ROUND_UP(len16, 16) - + ((sizeof(chcr_req->wreq)) >> 4))); +@@ -1339,16 +1341,23 @@ static int chcr_device_init(struct chcr_ + adap->vres.ncrypto_fc); + rxq_perchan = u_ctx->lldi.nrxq / u_ctx->lldi.nchan; + txq_perchan = ntxq / u_ctx->lldi.nchan; +- rxq_idx = ctx->dev->tx_channel_id * rxq_perchan; +- rxq_idx += id % rxq_perchan; +- txq_idx = ctx->dev->tx_channel_id * txq_perchan; +- txq_idx += id % txq_perchan; + spin_lock(&ctx->dev->lock_chcr_dev); +- ctx->rx_qidx = rxq_idx; +- ctx->tx_qidx = txq_idx; ++ ctx->tx_chan_id = ctx->dev->tx_channel_id; + ctx->dev->tx_channel_id = !ctx->dev->tx_channel_id; + ctx->dev->rx_channel_id = 0; + spin_unlock(&ctx->dev->lock_chcr_dev); ++ rxq_idx = ctx->tx_chan_id * rxq_perchan; ++ rxq_idx += id % rxq_perchan; ++ txq_idx = ctx->tx_chan_id * txq_perchan; ++ txq_idx += id % txq_perchan; ++ ctx->rx_qidx = rxq_idx; ++ ctx->tx_qidx = txq_idx; ++ /* Channel Id used by SGE to forward packet to Host. ++ * Same value should be used in cpl_fw6_pld RSS_CH field ++ * by FW. Driver programs PCI channel ID to be used in fw ++ * at the time of queue allocation with value "pi->tx_chan" ++ */ ++ ctx->pci_chan_id = txq_idx / txq_perchan; + } + out: + return err; +@@ -2503,6 +2512,7 @@ void chcr_add_aead_dst_ent(struct aead_r + struct crypto_aead *tfm = crypto_aead_reqtfm(req); + struct dsgl_walk dsgl_walk; + unsigned int authsize = crypto_aead_authsize(tfm); ++ struct chcr_context *ctx = a_ctx(tfm); + u32 temp; + + dsgl_walk_init(&dsgl_walk, phys_cpl); +@@ -2512,7 +2522,7 @@ void chcr_add_aead_dst_ent(struct aead_r + dsgl_walk_add_page(&dsgl_walk, IV, &reqctx->iv_dma); + temp = req->cryptlen + (reqctx->op ? -authsize : authsize); + dsgl_walk_add_sg(&dsgl_walk, req->dst, temp, req->assoclen); +- dsgl_walk_end(&dsgl_walk, qid); ++ dsgl_walk_end(&dsgl_walk, qid, ctx->pci_chan_id); + } + + void chcr_add_cipher_src_ent(struct ablkcipher_request *req, +@@ -2544,6 +2554,8 @@ void chcr_add_cipher_dst_ent(struct ablk + unsigned short qid) + { + struct chcr_blkcipher_req_ctx *reqctx = ablkcipher_request_ctx(req); ++ struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(wrparam->req); ++ struct chcr_context *ctx = c_ctx(tfm); + struct dsgl_walk dsgl_walk; + + dsgl_walk_init(&dsgl_walk, phys_cpl); +@@ -2552,7 +2564,7 @@ void chcr_add_cipher_dst_ent(struct ablk + reqctx->dstsg = dsgl_walk.last_sg; + reqctx->dst_ofst = dsgl_walk.last_sg_len; + +- dsgl_walk_end(&dsgl_walk, qid); ++ dsgl_walk_end(&dsgl_walk, qid, ctx->pci_chan_id); + } + + void chcr_add_hash_src_ent(struct ahash_request *req, +--- a/drivers/crypto/chelsio/chcr_crypto.h ++++ b/drivers/crypto/chelsio/chcr_crypto.h +@@ -255,6 +255,8 @@ struct chcr_context { + struct chcr_dev *dev; + unsigned char tx_qidx; + unsigned char rx_qidx; ++ unsigned char tx_chan_id; ++ unsigned char pci_chan_id; + struct __crypto_ctx crypto_ctx[0]; + }; + diff --git a/queue-4.18/crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch b/queue-4.18/crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch new file mode 100644 index 00000000000..cd027777254 --- /dev/null +++ b/queue-4.18/crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch @@ -0,0 +1,154 @@ +From d80771c08363ad7fbf0f56f5301e7ca65065c582 Mon Sep 17 00:00:00 2001 +From: Leonard Crestez +Date: Fri, 21 Sep 2018 18:03:18 +0300 +Subject: crypto: mxs-dcp - Fix wait logic on chan threads + +From: Leonard Crestez + +commit d80771c08363ad7fbf0f56f5301e7ca65065c582 upstream. + +When compiling with CONFIG_DEBUG_ATOMIC_SLEEP=y the mxs-dcp driver +prints warnings such as: + +WARNING: CPU: 0 PID: 120 at kernel/sched/core.c:7736 __might_sleep+0x98/0x9c +do not call blocking ops when !TASK_RUNNING; state=1 set at [<8081978c>] dcp_chan_thread_sha+0x3c/0x2ec + +The problem is that blocking ops will manipulate current->state +themselves so it is not allowed to call them between +set_current_state(TASK_INTERRUPTIBLE) and schedule(). + +Fix this by converting the per-chan mutex to a spinlock (it only +protects tiny list ops anyway) and rearranging the wait logic so that +callbacks are called current->state as TASK_RUNNING. Those callbacks +will indeed call blocking ops themselves so this is required. + +Cc: +Signed-off-by: Leonard Crestez +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/mxs-dcp.c | 53 ++++++++++++++++++++++++++--------------------- + 1 file changed, 30 insertions(+), 23 deletions(-) + +--- a/drivers/crypto/mxs-dcp.c ++++ b/drivers/crypto/mxs-dcp.c +@@ -63,7 +63,7 @@ struct dcp { + struct dcp_coherent_block *coh; + + struct completion completion[DCP_MAX_CHANS]; +- struct mutex mutex[DCP_MAX_CHANS]; ++ spinlock_t lock[DCP_MAX_CHANS]; + struct task_struct *thread[DCP_MAX_CHANS]; + struct crypto_queue queue[DCP_MAX_CHANS]; + }; +@@ -349,13 +349,20 @@ static int dcp_chan_thread_aes(void *dat + + int ret; + +- do { +- __set_current_state(TASK_INTERRUPTIBLE); ++ while (!kthread_should_stop()) { ++ set_current_state(TASK_INTERRUPTIBLE); + +- mutex_lock(&sdcp->mutex[chan]); ++ spin_lock(&sdcp->lock[chan]); + backlog = crypto_get_backlog(&sdcp->queue[chan]); + arq = crypto_dequeue_request(&sdcp->queue[chan]); +- mutex_unlock(&sdcp->mutex[chan]); ++ spin_unlock(&sdcp->lock[chan]); ++ ++ if (!backlog && !arq) { ++ schedule(); ++ continue; ++ } ++ ++ set_current_state(TASK_RUNNING); + + if (backlog) + backlog->complete(backlog, -EINPROGRESS); +@@ -363,11 +370,8 @@ static int dcp_chan_thread_aes(void *dat + if (arq) { + ret = mxs_dcp_aes_block_crypt(arq); + arq->complete(arq, ret); +- continue; + } +- +- schedule(); +- } while (!kthread_should_stop()); ++ } + + return 0; + } +@@ -409,9 +413,9 @@ static int mxs_dcp_aes_enqueue(struct ab + rctx->ecb = ecb; + actx->chan = DCP_CHAN_CRYPTO; + +- mutex_lock(&sdcp->mutex[actx->chan]); ++ spin_lock(&sdcp->lock[actx->chan]); + ret = crypto_enqueue_request(&sdcp->queue[actx->chan], &req->base); +- mutex_unlock(&sdcp->mutex[actx->chan]); ++ spin_unlock(&sdcp->lock[actx->chan]); + + wake_up_process(sdcp->thread[actx->chan]); + +@@ -640,13 +644,20 @@ static int dcp_chan_thread_sha(void *dat + struct ahash_request *req; + int ret, fini; + +- do { +- __set_current_state(TASK_INTERRUPTIBLE); ++ while (!kthread_should_stop()) { ++ set_current_state(TASK_INTERRUPTIBLE); + +- mutex_lock(&sdcp->mutex[chan]); ++ spin_lock(&sdcp->lock[chan]); + backlog = crypto_get_backlog(&sdcp->queue[chan]); + arq = crypto_dequeue_request(&sdcp->queue[chan]); +- mutex_unlock(&sdcp->mutex[chan]); ++ spin_unlock(&sdcp->lock[chan]); ++ ++ if (!backlog && !arq) { ++ schedule(); ++ continue; ++ } ++ ++ set_current_state(TASK_RUNNING); + + if (backlog) + backlog->complete(backlog, -EINPROGRESS); +@@ -658,12 +669,8 @@ static int dcp_chan_thread_sha(void *dat + ret = dcp_sha_req_to_buf(arq); + fini = rctx->fini; + arq->complete(arq, ret); +- if (!fini) +- continue; + } +- +- schedule(); +- } while (!kthread_should_stop()); ++ } + + return 0; + } +@@ -721,9 +728,9 @@ static int dcp_sha_update_fx(struct ahas + rctx->init = 1; + } + +- mutex_lock(&sdcp->mutex[actx->chan]); ++ spin_lock(&sdcp->lock[actx->chan]); + ret = crypto_enqueue_request(&sdcp->queue[actx->chan], &req->base); +- mutex_unlock(&sdcp->mutex[actx->chan]); ++ spin_unlock(&sdcp->lock[actx->chan]); + + wake_up_process(sdcp->thread[actx->chan]); + mutex_unlock(&actx->mutex); +@@ -997,7 +1004,7 @@ static int mxs_dcp_probe(struct platform + platform_set_drvdata(pdev, sdcp); + + for (i = 0; i < DCP_MAX_CHANS; i++) { +- mutex_init(&sdcp->mutex[i]); ++ spin_lock_init(&sdcp->lock[i]); + init_completion(&sdcp->completion[i]); + crypto_init_queue(&sdcp->queue[i], 50); + } diff --git a/queue-4.18/crypto-qat-fix-kasan-stack-out-of-bounds-bug-in-adf_probe.patch b/queue-4.18/crypto-qat-fix-kasan-stack-out-of-bounds-bug-in-adf_probe.patch new file mode 100644 index 00000000000..14a29cb1bff --- /dev/null +++ b/queue-4.18/crypto-qat-fix-kasan-stack-out-of-bounds-bug-in-adf_probe.patch @@ -0,0 +1,219 @@ +From ba439a6cbfa2936a6713f64cb499de7943673fe3 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Sat, 22 Sep 2018 20:41:55 -0400 +Subject: crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe() + +From: Waiman Long + +commit ba439a6cbfa2936a6713f64cb499de7943673fe3 upstream. + +The following KASAN warning was printed when booting a 64-bit kernel +on some systems with Intel CPUs: + +[ 44.512826] ================================================================== +[ 44.520165] BUG: KASAN: stack-out-of-bounds in find_first_bit+0xb0/0xc0 +[ 44.526786] Read of size 8 at addr ffff88041e02fc50 by task kworker/0:2/124 + +[ 44.535253] CPU: 0 PID: 124 Comm: kworker/0:2 Tainted: G X --------- --- 4.18.0-12.el8.x86_64+debug #1 +[ 44.545858] Hardware name: Intel Corporation PURLEY/PURLEY, BIOS BKVDTRL1.86B.0005.D08.1712070559 12/07/2017 +[ 44.555682] Workqueue: events work_for_cpu_fn +[ 44.560043] Call Trace: +[ 44.562502] dump_stack+0x9a/0xe9 +[ 44.565832] print_address_description+0x65/0x22e +[ 44.570683] ? find_first_bit+0xb0/0xc0 +[ 44.570689] kasan_report.cold.6+0x92/0x19f +[ 44.578726] find_first_bit+0xb0/0xc0 +[ 44.578737] adf_probe+0x9eb/0x19a0 [qat_c62x] +[ 44.578751] ? adf_remove+0x110/0x110 [qat_c62x] +[ 44.591490] ? mark_held_locks+0xc8/0x140 +[ 44.591498] ? _raw_spin_unlock+0x30/0x30 +[ 44.591505] ? trace_hardirqs_on_caller+0x381/0x570 +[ 44.604418] ? adf_remove+0x110/0x110 [qat_c62x] +[ 44.604427] local_pci_probe+0xd4/0x180 +[ 44.604432] ? pci_device_shutdown+0x110/0x110 +[ 44.617386] work_for_cpu_fn+0x51/0xa0 +[ 44.621145] process_one_work+0x8fe/0x16e0 +[ 44.625263] ? pwq_dec_nr_in_flight+0x2d0/0x2d0 +[ 44.629799] ? lock_acquire+0x14c/0x400 +[ 44.633645] ? move_linked_works+0x12e/0x2a0 +[ 44.637928] worker_thread+0x536/0xb50 +[ 44.641690] ? __kthread_parkme+0xb6/0x180 +[ 44.645796] ? process_one_work+0x16e0/0x16e0 +[ 44.650160] kthread+0x30c/0x3d0 +[ 44.653400] ? kthread_create_worker_on_cpu+0xc0/0xc0 +[ 44.658457] ret_from_fork+0x3a/0x50 + +[ 44.663557] The buggy address belongs to the page: +[ 44.668350] page:ffffea0010780bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +[ 44.676356] flags: 0x17ffffc0000000() +[ 44.680023] raw: 0017ffffc0000000 ffffea0010780bc8 ffffea0010780bc8 0000000000000000 +[ 44.687769] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 44.695510] page dumped because: kasan: bad access detected + +[ 44.702578] Memory state around the buggy address: +[ 44.707372] ffff88041e02fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 44.714593] ffff88041e02fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 44.721810] >ffff88041e02fc00: 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 +[ 44.729028] ^ +[ 44.734864] ffff88041e02fc80: f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 +[ 44.742082] ffff88041e02fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 44.749299] ================================================================== + +Looking into the code: + + int ret, bar_mask; + : + for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, + +It is casting a 32-bit integer pointer to a 64-bit unsigned long +pointer. There are two problems here. First, the 32-bit pointer address +may not be 64-bit aligned. Secondly, it is accessing an extra 4 bytes. + +This is fixed by changing the bar_mask type to unsigned long. + +Cc: +Signed-off-by: Waiman Long +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/qat/qat_c3xxx/adf_drv.c | 6 +++--- + drivers/crypto/qat/qat_c3xxxvf/adf_drv.c | 6 +++--- + drivers/crypto/qat/qat_c62x/adf_drv.c | 6 +++--- + drivers/crypto/qat/qat_c62xvf/adf_drv.c | 6 +++--- + drivers/crypto/qat/qat_dh895xcc/adf_drv.c | 6 +++--- + drivers/crypto/qat/qat_dh895xccvf/adf_drv.c | 6 +++--- + 6 files changed, 18 insertions(+), 18 deletions(-) + +--- a/drivers/crypto/qat/qat_c3xxx/adf_drv.c ++++ b/drivers/crypto/qat/qat_c3xxx/adf_drv.c +@@ -123,7 +123,8 @@ static int adf_probe(struct pci_dev *pde + struct adf_hw_device_data *hw_data; + char name[ADF_DEVICE_NAME_LENGTH]; + unsigned int i, bar_nr; +- int ret, bar_mask; ++ unsigned long bar_mask; ++ int ret; + + switch (ent->device) { + case ADF_C3XXX_PCI_DEVICE_ID: +@@ -235,8 +236,7 @@ static int adf_probe(struct pci_dev *pde + /* Find and map all the device's BARS */ + i = 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); +- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, +- ADF_PCI_MAX_BARS * 2) { ++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) { + struct adf_bar *bar = &accel_pci_dev->pci_bars[i++]; + + bar->base_addr = pci_resource_start(pdev, bar_nr); +--- a/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c ++++ b/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c +@@ -125,7 +125,8 @@ static int adf_probe(struct pci_dev *pde + struct adf_hw_device_data *hw_data; + char name[ADF_DEVICE_NAME_LENGTH]; + unsigned int i, bar_nr; +- int ret, bar_mask; ++ unsigned long bar_mask; ++ int ret; + + switch (ent->device) { + case ADF_C3XXXIOV_PCI_DEVICE_ID: +@@ -215,8 +216,7 @@ static int adf_probe(struct pci_dev *pde + /* Find and map all the device's BARS */ + i = 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); +- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, +- ADF_PCI_MAX_BARS * 2) { ++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) { + struct adf_bar *bar = &accel_pci_dev->pci_bars[i++]; + + bar->base_addr = pci_resource_start(pdev, bar_nr); +--- a/drivers/crypto/qat/qat_c62x/adf_drv.c ++++ b/drivers/crypto/qat/qat_c62x/adf_drv.c +@@ -123,7 +123,8 @@ static int adf_probe(struct pci_dev *pde + struct adf_hw_device_data *hw_data; + char name[ADF_DEVICE_NAME_LENGTH]; + unsigned int i, bar_nr; +- int ret, bar_mask; ++ unsigned long bar_mask; ++ int ret; + + switch (ent->device) { + case ADF_C62X_PCI_DEVICE_ID: +@@ -235,8 +236,7 @@ static int adf_probe(struct pci_dev *pde + /* Find and map all the device's BARS */ + i = (hw_data->fuses & ADF_DEVICE_FUSECTL_MASK) ? 1 : 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); +- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, +- ADF_PCI_MAX_BARS * 2) { ++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) { + struct adf_bar *bar = &accel_pci_dev->pci_bars[i++]; + + bar->base_addr = pci_resource_start(pdev, bar_nr); +--- a/drivers/crypto/qat/qat_c62xvf/adf_drv.c ++++ b/drivers/crypto/qat/qat_c62xvf/adf_drv.c +@@ -125,7 +125,8 @@ static int adf_probe(struct pci_dev *pde + struct adf_hw_device_data *hw_data; + char name[ADF_DEVICE_NAME_LENGTH]; + unsigned int i, bar_nr; +- int ret, bar_mask; ++ unsigned long bar_mask; ++ int ret; + + switch (ent->device) { + case ADF_C62XIOV_PCI_DEVICE_ID: +@@ -215,8 +216,7 @@ static int adf_probe(struct pci_dev *pde + /* Find and map all the device's BARS */ + i = 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); +- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, +- ADF_PCI_MAX_BARS * 2) { ++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) { + struct adf_bar *bar = &accel_pci_dev->pci_bars[i++]; + + bar->base_addr = pci_resource_start(pdev, bar_nr); +--- a/drivers/crypto/qat/qat_dh895xcc/adf_drv.c ++++ b/drivers/crypto/qat/qat_dh895xcc/adf_drv.c +@@ -123,7 +123,8 @@ static int adf_probe(struct pci_dev *pde + struct adf_hw_device_data *hw_data; + char name[ADF_DEVICE_NAME_LENGTH]; + unsigned int i, bar_nr; +- int ret, bar_mask; ++ unsigned long bar_mask; ++ int ret; + + switch (ent->device) { + case ADF_DH895XCC_PCI_DEVICE_ID: +@@ -237,8 +238,7 @@ static int adf_probe(struct pci_dev *pde + /* Find and map all the device's BARS */ + i = 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); +- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, +- ADF_PCI_MAX_BARS * 2) { ++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) { + struct adf_bar *bar = &accel_pci_dev->pci_bars[i++]; + + bar->base_addr = pci_resource_start(pdev, bar_nr); +--- a/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c ++++ b/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c +@@ -125,7 +125,8 @@ static int adf_probe(struct pci_dev *pde + struct adf_hw_device_data *hw_data; + char name[ADF_DEVICE_NAME_LENGTH]; + unsigned int i, bar_nr; +- int ret, bar_mask; ++ unsigned long bar_mask; ++ int ret; + + switch (ent->device) { + case ADF_DH895XCCIOV_PCI_DEVICE_ID: +@@ -215,8 +216,7 @@ static int adf_probe(struct pci_dev *pde + /* Find and map all the device's BARS */ + i = 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); +- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, +- ADF_PCI_MAX_BARS * 2) { ++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) { + struct adf_bar *bar = &accel_pci_dev->pci_bars[i++]; + + bar->base_addr = pci_resource_start(pdev, bar_nr); diff --git a/queue-4.18/drivers-hv-vmbus-use-get-put_cpu-in-vmbus_connect.patch b/queue-4.18/drivers-hv-vmbus-use-get-put_cpu-in-vmbus_connect.patch new file mode 100644 index 00000000000..7e28f16caef --- /dev/null +++ b/queue-4.18/drivers-hv-vmbus-use-get-put_cpu-in-vmbus_connect.patch @@ -0,0 +1,57 @@ +From 41e270f6898e7502be9fd6920ee0a108ca259d36 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Mon, 17 Sep 2018 04:14:54 +0000 +Subject: Drivers: hv: vmbus: Use get/put_cpu() in vmbus_connect() + +From: Dexuan Cui + +commit 41e270f6898e7502be9fd6920ee0a108ca259d36 upstream. + +With CONFIG_DEBUG_PREEMPT=y, I always see this warning: +BUG: using smp_processor_id() in preemptible [00000000] + +Fix the false warning by using get/put_cpu(). + +Here vmbus_connect() sends a message to the host and waits for the +host's response. The host will deliver the response message and an +interrupt on CPU msg->target_vcpu, and later the interrupt handler +will wake up vmbus_connect(). vmbus_connect() doesn't really have +to run on the same cpu as CPU msg->target_vcpu, so it's safe to +call put_cpu() just here. + +Signed-off-by: Dexuan Cui +Cc: stable@vger.kernel.org +Cc: K. Y. Srinivasan +Cc: Haiyang Zhang +Cc: Stephen Hemminger +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/connection.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/hv/connection.c ++++ b/drivers/hv/connection.c +@@ -76,6 +76,7 @@ static int vmbus_negotiate_version(struc + __u32 version) + { + int ret = 0; ++ unsigned int cur_cpu; + struct vmbus_channel_initiate_contact *msg; + unsigned long flags; + +@@ -118,9 +119,10 @@ static int vmbus_negotiate_version(struc + * the CPU attempting to connect may not be CPU 0. + */ + if (version >= VERSION_WIN8_1) { +- msg->target_vcpu = +- hv_cpu_number_to_vp_number(smp_processor_id()); +- vmbus_connection.connect_cpu = smp_processor_id(); ++ cur_cpu = get_cpu(); ++ msg->target_vcpu = hv_cpu_number_to_vp_number(cur_cpu); ++ vmbus_connection.connect_cpu = cur_cpu; ++ put_cpu(); + } else { + msg->target_vcpu = 0; + vmbus_connection.connect_cpu = 0; diff --git a/queue-4.18/firmware-always-initialize-the-fw_priv-list-object.patch b/queue-4.18/firmware-always-initialize-the-fw_priv-list-object.patch new file mode 100644 index 00000000000..945421498c8 --- /dev/null +++ b/queue-4.18/firmware-always-initialize-the-fw_priv-list-object.patch @@ -0,0 +1,41 @@ +From 7012040576c6ae25a47035659ee48673612c2c27 Mon Sep 17 00:00:00 2001 +From: Bjorn Andersson +Date: Wed, 19 Sep 2018 18:09:38 -0700 +Subject: firmware: Always initialize the fw_priv list object + +From: Bjorn Andersson + +commit 7012040576c6ae25a47035659ee48673612c2c27 upstream. + +When freeing the fw_priv the item is taken off the list. This causes an +oops in the FW_OPT_NOCACHE case as the list object is not initialized. + +Make sure to initialize the list object regardless of this flag. + +Fixes: 422b3db2a503 ("firmware: Fix security issue with request_firmware_into_buf()") +Cc: stable@vger.kernel.org +Cc: Rishabh Bhatnagar +Signed-off-by: Bjorn Andersson +Reviewed-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/firmware_loader/main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/base/firmware_loader/main.c ++++ b/drivers/base/firmware_loader/main.c +@@ -226,8 +226,11 @@ static int alloc_lookup_fw_priv(const ch + } + + tmp = __allocate_fw_priv(fw_name, fwc, dbuf, size); +- if (tmp && !(opt_flags & FW_OPT_NOCACHE)) +- list_add(&tmp->list, &fwc->head); ++ if (tmp) { ++ INIT_LIST_HEAD(&tmp->list); ++ if (!(opt_flags & FW_OPT_NOCACHE)) ++ list_add(&tmp->list, &fwc->head); ++ } + spin_unlock(&fwc->lock); + + *fw_priv = tmp; diff --git a/queue-4.18/firmware-fix-security-issue-with-request_firmware_into_buf.patch b/queue-4.18/firmware-fix-security-issue-with-request_firmware_into_buf.patch new file mode 100644 index 00000000000..23b30628857 --- /dev/null +++ b/queue-4.18/firmware-fix-security-issue-with-request_firmware_into_buf.patch @@ -0,0 +1,102 @@ +From 422b3db2a5036add39a82425b1dd9fb6c96481e8 Mon Sep 17 00:00:00 2001 +From: Rishabh Bhatnagar +Date: Fri, 31 Aug 2018 08:43:31 -0700 +Subject: firmware: Fix security issue with request_firmware_into_buf() + +From: Rishabh Bhatnagar + +commit 422b3db2a5036add39a82425b1dd9fb6c96481e8 upstream. + +When calling request_firmware_into_buf() with the FW_OPT_NOCACHE flag +it is expected that firmware is loaded into buffer from memory. +But inside alloc_lookup_fw_priv every new firmware that is loaded is +added to the firmware cache (fwc) list head. So if any driver requests +a firmware that is already loaded the code iterates over the above +mentioned list and it can end up giving a pointer to other device driver's +firmware buffer. +Also the existing copy may either be modified by drivers, remote processors +or even freed. This causes a potential security issue with batched requests +when using request_firmware_into_buf. + +Fix alloc_lookup_fw_priv to not add to the fwc head list if FW_OPT_NOCACHE +is set, and also don't do the lookup in the list. + +Fixes: 0e742e9275 ("firmware: provide infrastructure to make fw caching optional") +[mcgrof: broken since feature introduction on v4.8] + +Cc: stable@vger.kernel.org # v4.8+ +Signed-off-by: Vikram Mulukutla +Signed-off-by: Rishabh Bhatnagar +Signed-off-by: Luis Chamberlain +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/firmware_loader/main.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +--- a/drivers/base/firmware_loader/main.c ++++ b/drivers/base/firmware_loader/main.c +@@ -209,21 +209,24 @@ static struct fw_priv *__lookup_fw_priv( + static int alloc_lookup_fw_priv(const char *fw_name, + struct firmware_cache *fwc, + struct fw_priv **fw_priv, void *dbuf, +- size_t size) ++ size_t size, enum fw_opt opt_flags) + { + struct fw_priv *tmp; + + spin_lock(&fwc->lock); +- tmp = __lookup_fw_priv(fw_name); +- if (tmp) { +- kref_get(&tmp->ref); +- spin_unlock(&fwc->lock); +- *fw_priv = tmp; +- pr_debug("batched request - sharing the same struct fw_priv and lookup for multiple requests\n"); +- return 1; ++ if (!(opt_flags & FW_OPT_NOCACHE)) { ++ tmp = __lookup_fw_priv(fw_name); ++ if (tmp) { ++ kref_get(&tmp->ref); ++ spin_unlock(&fwc->lock); ++ *fw_priv = tmp; ++ pr_debug("batched request - sharing the same struct fw_priv and lookup for multiple requests\n"); ++ return 1; ++ } + } ++ + tmp = __allocate_fw_priv(fw_name, fwc, dbuf, size); +- if (tmp) ++ if (tmp && !(opt_flags & FW_OPT_NOCACHE)) + list_add(&tmp->list, &fwc->head); + spin_unlock(&fwc->lock); + +@@ -493,7 +496,8 @@ int assign_fw(struct firmware *fw, struc + */ + static int + _request_firmware_prepare(struct firmware **firmware_p, const char *name, +- struct device *device, void *dbuf, size_t size) ++ struct device *device, void *dbuf, size_t size, ++ enum fw_opt opt_flags) + { + struct firmware *firmware; + struct fw_priv *fw_priv; +@@ -511,7 +515,8 @@ _request_firmware_prepare(struct firmwar + return 0; /* assigned */ + } + +- ret = alloc_lookup_fw_priv(name, &fw_cache, &fw_priv, dbuf, size); ++ ret = alloc_lookup_fw_priv(name, &fw_cache, &fw_priv, dbuf, size, ++ opt_flags); + + /* + * bind with 'priv' now to avoid warning in failure path +@@ -571,7 +576,8 @@ _request_firmware(const struct firmware + goto out; + } + +- ret = _request_firmware_prepare(&fw, name, device, buf, size); ++ ret = _request_firmware_prepare(&fw, name, device, buf, size, ++ opt_flags); + if (ret <= 0) /* error or already assigned */ + goto out; + diff --git a/queue-4.18/gpiolib-free-the-last-requested-descriptor.patch b/queue-4.18/gpiolib-free-the-last-requested-descriptor.patch new file mode 100644 index 00000000000..2f4e71da9cd --- /dev/null +++ b/queue-4.18/gpiolib-free-the-last-requested-descriptor.patch @@ -0,0 +1,37 @@ +From 19a4fbffc94e41abaa2a623a25ce2641d69eccf0 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda Delgado +Date: Thu, 13 Sep 2018 15:37:04 +0200 +Subject: gpiolib: Free the last requested descriptor + +From: Ricardo Ribalda Delgado + +commit 19a4fbffc94e41abaa2a623a25ce2641d69eccf0 upstream. + +The current code only frees N-1 gpios if an error occurs during +gpiod_set_transitory, gpiod_direction_output or gpiod_direction_input. +Leading to gpios that cannot be used by userspace nor other drivers. + +Cc: Timur Tabi +Cc: stable@vger.kernel.org +Fixes: ab3dbcf78f60f46d ("gpioib: do not free unrequested descriptors) +Reported-by: Jan Lorenzen +Reported-by: Jim Paris +Signed-off-by: Ricardo Ribalda Delgado +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -565,7 +565,7 @@ static int linehandle_create(struct gpio + if (ret) + goto out_free_descs; + lh->descs[i] = desc; +- count = i; ++ count = i + 1; + + if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW) + set_bit(FLAG_ACTIVE_LOW, &desc->flags); diff --git a/queue-4.18/hid-i2c-hid-disable-runtime-pm-operations-on-hantick-touchpad.patch b/queue-4.18/hid-i2c-hid-disable-runtime-pm-operations-on-hantick-touchpad.patch new file mode 100644 index 00000000000..7c18f476a5d --- /dev/null +++ b/queue-4.18/hid-i2c-hid-disable-runtime-pm-operations-on-hantick-touchpad.patch @@ -0,0 +1,77 @@ +From 807588ac92018bde88a1958f546438e840eb0158 Mon Sep 17 00:00:00 2001 +From: Anisse Astier +Date: Wed, 12 Sep 2018 15:07:05 +0200 +Subject: HID: i2c-hid: disable runtime PM operations on hantick touchpad +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anisse Astier + +commit 807588ac92018bde88a1958f546438e840eb0158 upstream. + +This hantick HTIX5288 touchpad can quickly fall in a wrong state if +there are too many open/close operations. This will either make it stop +reporting any input, or will shift all the input reads by a few bytes, +making it impossible to decode. + +Here, we never release the probed touchpad runtime pm while the driver +is loaded, which should disable all runtime pm suspend/resumes. + +This fast repetition of sleep/wakeup is also more likely to happen when +using runtime PM, which is why the quirk is done there, and not for all +power downs, which would include suspend or module removal. + +Signed-off-by: Anisse Astier +Cc: stable@vger.kernel.org +Acked-by: Benjamin Tissoires +Reviewed-by: Hans de Goede +Tested-by: Philip Müller +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/i2c-hid/i2c-hid.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -48,6 +48,7 @@ + #define I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV BIT(0) + #define I2C_HID_QUIRK_NO_IRQ_AFTER_RESET BIT(1) + #define I2C_HID_QUIRK_RESEND_REPORT_DESCR BIT(2) ++#define I2C_HID_QUIRK_NO_RUNTIME_PM BIT(3) + + /* flags */ + #define I2C_HID_STARTED 0 +@@ -169,7 +170,8 @@ static const struct i2c_hid_quirks { + { USB_VENDOR_ID_WEIDA, USB_DEVICE_ID_WEIDA_8755, + I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV }, + { I2C_VENDOR_ID_HANTICK, I2C_PRODUCT_ID_HANTICK_5288, +- I2C_HID_QUIRK_NO_IRQ_AFTER_RESET }, ++ I2C_HID_QUIRK_NO_IRQ_AFTER_RESET | ++ I2C_HID_QUIRK_NO_RUNTIME_PM }, + { USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS10FB_TOUCH, + I2C_HID_QUIRK_RESEND_REPORT_DESCR }, + { 0, 0 } +@@ -1106,7 +1108,9 @@ static int i2c_hid_probe(struct i2c_clie + goto err_mem_free; + } + +- pm_runtime_put(&client->dev); ++ if (!(ihid->quirks & I2C_HID_QUIRK_NO_RUNTIME_PM)) ++ pm_runtime_put(&client->dev); ++ + return 0; + + err_mem_free: +@@ -1132,7 +1136,8 @@ static int i2c_hid_remove(struct i2c_cli + struct i2c_hid *ihid = i2c_get_clientdata(client); + struct hid_device *hid; + +- pm_runtime_get_sync(&client->dev); ++ if (!(ihid->quirks & I2C_HID_QUIRK_NO_RUNTIME_PM)) ++ pm_runtime_get_sync(&client->dev); + pm_runtime_disable(&client->dev); + pm_runtime_set_suspended(&client->dev); + pm_runtime_put_noidle(&client->dev); diff --git a/queue-4.18/iommu-amd-clear-memory-encryption-mask-from-physical-address.patch b/queue-4.18/iommu-amd-clear-memory-encryption-mask-from-physical-address.patch new file mode 100644 index 00000000000..91ce1e3d281 --- /dev/null +++ b/queue-4.18/iommu-amd-clear-memory-encryption-mask-from-physical-address.patch @@ -0,0 +1,55 @@ +From b3e9b515b08e407ab3a026dc2e4d935c48d05f69 Mon Sep 17 00:00:00 2001 +From: "Singh, Brijesh" +Date: Thu, 4 Oct 2018 21:40:23 +0000 +Subject: iommu/amd: Clear memory encryption mask from physical address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Singh, Brijesh + +commit b3e9b515b08e407ab3a026dc2e4d935c48d05f69 upstream. + +Boris Ostrovsky reported a memory leak with device passthrough when SME +is active. + +The VFIO driver uses iommu_iova_to_phys() to get the physical address for +an iova. This physical address is later passed into vfio_unmap_unpin() to +unpin the memory. The vfio_unmap_unpin() uses pfn_valid() before unpinning +the memory. The pfn_valid() check was failing because encryption mask was +part of the physical address returned. This resulted in the memory not +being unpinned and therefore leaked after the guest terminates. + +The memory encryption mask must be cleared from the physical address in +iommu_iova_to_phys(). + +Fixes: 2543a786aa25 ("iommu/amd: Allow the AMD IOMMU to work with memory encryption") +Reported-by: Boris Ostrovsky +Cc: Tom Lendacky +Cc: Joerg Roedel +Cc: +Cc: Borislav Petkov +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: kvm@vger.kernel.org +Cc: Boris Ostrovsky +Cc: # 4.14+ +Signed-off-by: Brijesh Singh +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -3073,7 +3073,7 @@ static phys_addr_t amd_iommu_iova_to_phy + return 0; + + offset_mask = pte_pgsize - 1; +- __pte = *pte & PM_ADDR_MASK; ++ __pte = __sme_clr(*pte & PM_ADDR_MASK); + + return (__pte & ~offset_mask) | (iova & offset_mask); + } diff --git a/queue-4.18/ixgbe-check-return-value-of-napi_complete_done.patch b/queue-4.18/ixgbe-check-return-value-of-napi_complete_done.patch new file mode 100644 index 00000000000..5bca8c4f1c9 --- /dev/null +++ b/queue-4.18/ixgbe-check-return-value-of-napi_complete_done.patch @@ -0,0 +1,45 @@ +From 4233cfe6ec4683497d7318f55ce7617e97f2e610 Mon Sep 17 00:00:00 2001 +From: Song Liu +Date: Wed, 3 Oct 2018 11:30:35 -0700 +Subject: ixgbe: check return value of napi_complete_done() + +From: Song Liu + +commit 4233cfe6ec4683497d7318f55ce7617e97f2e610 upstream. + +The NIC driver should only enable interrupts when napi_complete_done() +returns true. This patch adds the check for ixgbe. + +Cc: stable@vger.kernel.org # 4.10+ +Suggested-by: Eric Dumazet +Signed-off-by: Song Liu +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -3196,11 +3196,13 @@ int ixgbe_poll(struct napi_struct *napi, + return budget; + + /* all work done, exit the polling mode */ +- napi_complete_done(napi, work_done); +- if (adapter->rx_itr_setting & 1) +- ixgbe_set_itr(q_vector); +- if (!test_bit(__IXGBE_DOWN, &adapter->state)) +- ixgbe_irq_enable_queues(adapter, BIT_ULL(q_vector->v_idx)); ++ if (likely(napi_complete_done(napi, work_done))) { ++ if (adapter->rx_itr_setting & 1) ++ ixgbe_set_itr(q_vector); ++ if (!test_bit(__IXGBE_DOWN, &adapter->state)) ++ ixgbe_irq_enable_queues(adapter, ++ BIT_ULL(q_vector->v_idx)); ++ } + + return min(work_done, budget - 1); + } diff --git a/queue-4.18/new-primitive-discard_new_inode.patch b/queue-4.18/new-primitive-discard_new_inode.patch new file mode 100644 index 00000000000..74d65935818 --- /dev/null +++ b/queue-4.18/new-primitive-discard_new_inode.patch @@ -0,0 +1,209 @@ +From c2b6d621c4ffe9936adf7a55c8b1c769672c306f Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 28 Jun 2018 15:53:17 -0400 +Subject: new primitive: discard_new_inode() + +From: Al Viro + +commit c2b6d621c4ffe9936adf7a55c8b1c769672c306f upstream. + + We don't want open-by-handle picking half-set-up in-core +struct inode from e.g. mkdir() having failed halfway through. +In other words, we don't want such inodes returned by iget_locked() +on their way to extinction. However, we can't just have them +unhashed - otherwise open-by-handle immediately *after* that would've +ended up creating a new in-core inode over the on-disk one that +is in process of being freed right under us. + + Solution: new flag (I_CREATING) set by insert_inode_locked() and +removed by unlock_new_inode() and a new primitive (discard_new_inode()) +to be used by such halfway-through-setup failure exits instead of +unlock_new_inode() / iput() combinations. That primitive unlocks new +inode, but leaves I_CREATING in place. + + iget_locked() treats finding an I_CREATING inode as failure +(-ESTALE, once we sort out the error propagation). + insert_inode_locked() treats the same as instant -EBUSY. + ilookup() treats those as icache miss. + +[Fix by Dan Carpenter folded in] + +Signed-off-by: Al Viro +Cc: Miklos Szeredi +Cc: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dcache.c | 2 +- + fs/inode.c | 45 +++++++++++++++++++++++++++++++++++++++++---- + include/linux/fs.h | 6 +++++- + 3 files changed, 47 insertions(+), 6 deletions(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1890,7 +1890,7 @@ void d_instantiate_new(struct dentry *en + spin_lock(&inode->i_lock); + __d_instantiate(entry, inode); + WARN_ON(!(inode->i_state & I_NEW)); +- inode->i_state &= ~I_NEW; ++ inode->i_state &= ~I_NEW & ~I_CREATING; + smp_mb(); + wake_up_bit(&inode->i_state, __I_NEW); + spin_unlock(&inode->i_lock); +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -804,6 +804,10 @@ repeat: + __wait_on_freeing_inode(inode); + goto repeat; + } ++ if (unlikely(inode->i_state & I_CREATING)) { ++ spin_unlock(&inode->i_lock); ++ return ERR_PTR(-ESTALE); ++ } + __iget(inode); + spin_unlock(&inode->i_lock); + return inode; +@@ -831,6 +835,10 @@ repeat: + __wait_on_freeing_inode(inode); + goto repeat; + } ++ if (unlikely(inode->i_state & I_CREATING)) { ++ spin_unlock(&inode->i_lock); ++ return ERR_PTR(-ESTALE); ++ } + __iget(inode); + spin_unlock(&inode->i_lock); + return inode; +@@ -961,13 +969,26 @@ void unlock_new_inode(struct inode *inod + lockdep_annotate_inode_mutex_key(inode); + spin_lock(&inode->i_lock); + WARN_ON(!(inode->i_state & I_NEW)); +- inode->i_state &= ~I_NEW; ++ inode->i_state &= ~I_NEW & ~I_CREATING; + smp_mb(); + wake_up_bit(&inode->i_state, __I_NEW); + spin_unlock(&inode->i_lock); + } + EXPORT_SYMBOL(unlock_new_inode); + ++void discard_new_inode(struct inode *inode) ++{ ++ lockdep_annotate_inode_mutex_key(inode); ++ spin_lock(&inode->i_lock); ++ WARN_ON(!(inode->i_state & I_NEW)); ++ inode->i_state &= ~I_NEW; ++ smp_mb(); ++ wake_up_bit(&inode->i_state, __I_NEW); ++ spin_unlock(&inode->i_lock); ++ iput(inode); ++} ++EXPORT_SYMBOL(discard_new_inode); ++ + /** + * lock_two_nondirectories - take two i_mutexes on non-directory objects + * +@@ -1039,6 +1060,8 @@ again: + * Use the old inode instead of the preallocated one. + */ + spin_unlock(&inode_hash_lock); ++ if (IS_ERR(old)) ++ return NULL; + wait_on_inode(old); + if (unlikely(inode_unhashed(old))) { + iput(old); +@@ -1128,6 +1151,8 @@ again: + inode = find_inode_fast(sb, head, ino); + spin_unlock(&inode_hash_lock); + if (inode) { ++ if (IS_ERR(inode)) ++ return NULL; + wait_on_inode(inode); + if (unlikely(inode_unhashed(inode))) { + iput(inode); +@@ -1165,6 +1190,8 @@ again: + */ + spin_unlock(&inode_hash_lock); + destroy_inode(inode); ++ if (IS_ERR(old)) ++ return NULL; + inode = old; + wait_on_inode(inode); + if (unlikely(inode_unhashed(inode))) { +@@ -1282,7 +1309,7 @@ struct inode *ilookup5_nowait(struct sup + inode = find_inode(sb, head, test, data); + spin_unlock(&inode_hash_lock); + +- return inode; ++ return IS_ERR(inode) ? NULL : inode; + } + EXPORT_SYMBOL(ilookup5_nowait); + +@@ -1338,6 +1365,8 @@ again: + spin_unlock(&inode_hash_lock); + + if (inode) { ++ if (IS_ERR(inode)) ++ return NULL; + wait_on_inode(inode); + if (unlikely(inode_unhashed(inode))) { + iput(inode); +@@ -1421,12 +1450,17 @@ int insert_inode_locked(struct inode *in + } + if (likely(!old)) { + spin_lock(&inode->i_lock); +- inode->i_state |= I_NEW; ++ inode->i_state |= I_NEW | I_CREATING; + hlist_add_head(&inode->i_hash, head); + spin_unlock(&inode->i_lock); + spin_unlock(&inode_hash_lock); + return 0; + } ++ if (unlikely(old->i_state & I_CREATING)) { ++ spin_unlock(&old->i_lock); ++ spin_unlock(&inode_hash_lock); ++ return -EBUSY; ++ } + __iget(old); + spin_unlock(&old->i_lock); + spin_unlock(&inode_hash_lock); +@@ -1443,7 +1477,10 @@ EXPORT_SYMBOL(insert_inode_locked); + int insert_inode_locked4(struct inode *inode, unsigned long hashval, + int (*test)(struct inode *, void *), void *data) + { +- struct inode *old = inode_insert5(inode, hashval, test, NULL, data); ++ struct inode *old; ++ ++ inode->i_state |= I_CREATING; ++ old = inode_insert5(inode, hashval, test, NULL, data); + + if (old != inode) { + iput(old); +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -2014,6 +2014,8 @@ static inline void init_sync_kiocb(struc + * I_OVL_INUSE Used by overlayfs to get exclusive ownership on upper + * and work dirs among overlayfs mounts. + * ++ * I_CREATING New object's inode in the middle of setting up. ++ * + * Q: What is the difference between I_WILL_FREE and I_FREEING? + */ + #define I_DIRTY_SYNC (1 << 0) +@@ -2034,7 +2036,8 @@ static inline void init_sync_kiocb(struc + #define __I_DIRTY_TIME_EXPIRED 12 + #define I_DIRTY_TIME_EXPIRED (1 << __I_DIRTY_TIME_EXPIRED) + #define I_WB_SWITCH (1 << 13) +-#define I_OVL_INUSE (1 << 14) ++#define I_OVL_INUSE (1 << 14) ++#define I_CREATING (1 << 15) + + #define I_DIRTY_INODE (I_DIRTY_SYNC | I_DIRTY_DATASYNC) + #define I_DIRTY (I_DIRTY_INODE | I_DIRTY_PAGES) +@@ -2918,6 +2921,7 @@ extern void lockdep_annotate_inode_mutex + static inline void lockdep_annotate_inode_mutex_key(struct inode *inode) { }; + #endif + extern void unlock_new_inode(struct inode *); ++extern void discard_new_inode(struct inode *); + extern unsigned int get_next_ino(void); + extern void evict_inodes(struct super_block *sb); + diff --git a/queue-4.18/ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch b/queue-4.18/ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch new file mode 100644 index 00000000000..9b0d98c0bf2 --- /dev/null +++ b/queue-4.18/ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch @@ -0,0 +1,47 @@ +From cbe355f57c8074bc4f452e5b6e35509044c6fa23 Mon Sep 17 00:00:00 2001 +From: Ashish Samant +Date: Fri, 5 Oct 2018 15:52:15 -0700 +Subject: ocfs2: fix locking for res->tracking and dlm->tracking_list + +From: Ashish Samant + +commit cbe355f57c8074bc4f452e5b6e35509044c6fa23 upstream. + +In dlm_init_lockres() we access and modify res->tracking and +dlm->tracking_list without holding dlm->track_lock. This can cause list +corruptions and can end up in kernel panic. + +Fix this by locking res->tracking and dlm->tracking_list with +dlm->track_lock instead of dlm->spinlock. + +Link: http://lkml.kernel.org/r/1529951192-4686-1-git-send-email-ashish.samant@oracle.com +Signed-off-by: Ashish Samant +Reviewed-by: Changwei Ge +Acked-by: Joseph Qi +Acked-by: Jun Piao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/dlm/dlmmaster.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/dlm/dlmmaster.c ++++ b/fs/ocfs2/dlm/dlmmaster.c +@@ -584,9 +584,9 @@ static void dlm_init_lockres(struct dlm_ + + res->last_used = 0; + +- spin_lock(&dlm->spinlock); ++ spin_lock(&dlm->track_lock); + list_add_tail(&res->tracking, &dlm->tracking_list); +- spin_unlock(&dlm->spinlock); ++ spin_unlock(&dlm->track_lock); + + memset(res->lvb, 0, DLM_LVB_LEN); + memset(res->refmap, 0, sizeof(res->refmap)); diff --git a/queue-4.18/ovl-fix-access-beyond-unterminated-strings.patch b/queue-4.18/ovl-fix-access-beyond-unterminated-strings.patch new file mode 100644 index 00000000000..6b838dc4428 --- /dev/null +++ b/queue-4.18/ovl-fix-access-beyond-unterminated-strings.patch @@ -0,0 +1,42 @@ +From 601350ff58d5415a001769532f6b8333820e5786 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Fri, 28 Sep 2018 21:00:48 +0300 +Subject: ovl: fix access beyond unterminated strings + +From: Amir Goldstein + +commit 601350ff58d5415a001769532f6b8333820e5786 upstream. + +KASAN detected slab-out-of-bounds access in printk from overlayfs, +because string format used %*s instead of %.*s. + +> BUG: KASAN: slab-out-of-bounds in string+0x298/0x2d0 lib/vsprintf.c:604 +> Read of size 1 at addr ffff8801c36c66ba by task syz-executor2/27811 +> +> CPU: 0 PID: 27811 Comm: syz-executor2 Not tainted 4.19.0-rc5+ #36 +... +> printk+0xa7/0xcf kernel/printk/printk.c:1996 +> ovl_lookup_index.cold.15+0xe8/0x1f8 fs/overlayfs/namei.c:689 + +Reported-by: syzbot+376cea2b0ef340db3dd4@syzkaller.appspotmail.com +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Fixes: 359f392ca53e ("ovl: lookup index entry for copy up origin") +Cc: # v4.13 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/overlayfs/namei.c ++++ b/fs/overlayfs/namei.c +@@ -705,7 +705,7 @@ struct dentry *ovl_lookup_index(struct o + index = NULL; + goto out; + } +- pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%*s, err=%i);\n" ++ pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%.*s, err=%i);\n" + "overlayfs: mount with '-o index=off' to disable inodes index.\n", + d_inode(origin)->i_ino, name.len, name.name, + err); diff --git a/queue-4.18/ovl-fix-format-of-setxattr-debug.patch b/queue-4.18/ovl-fix-format-of-setxattr-debug.patch new file mode 100644 index 00000000000..064b803d98d --- /dev/null +++ b/queue-4.18/ovl-fix-format-of-setxattr-debug.patch @@ -0,0 +1,36 @@ +From 1a8f8d2a443ef9ad9a3065ba8c8119df714240fa Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Thu, 4 Oct 2018 14:49:10 +0200 +Subject: ovl: fix format of setxattr debug + +From: Miklos Szeredi + +commit 1a8f8d2a443ef9ad9a3065ba8c8119df714240fa upstream. + +Format has a typo: it was meant to be "%.*s", not "%*s". But at some point +callers grew nonprintable values as well, so use "%*pE" instead with a +maximized length. + +Reported-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Fixes: 3a1e819b4e80 ("ovl: store file handle of lower inode on copy up") +Cc: # v4.12 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/overlayfs.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/overlayfs/overlayfs.h ++++ b/fs/overlayfs/overlayfs.h +@@ -147,8 +147,8 @@ static inline int ovl_do_setxattr(struct + const void *value, size_t size, int flags) + { + int err = vfs_setxattr(dentry, name, value, size, flags); +- pr_debug("setxattr(%pd2, \"%s\", \"%*s\", 0x%x) = %i\n", +- dentry, name, (int) size, (char *) value, flags, err); ++ pr_debug("setxattr(%pd2, \"%s\", \"%*pE\", %zu, 0x%x) = %i\n", ++ dentry, name, min((int)size, 48), value, size, flags, err); + return err; + } + diff --git a/queue-4.18/ovl-fix-memory-leak-on-unlink-of-indexed-file.patch b/queue-4.18/ovl-fix-memory-leak-on-unlink-of-indexed-file.patch new file mode 100644 index 00000000000..448e00dc1d8 --- /dev/null +++ b/queue-4.18/ovl-fix-memory-leak-on-unlink-of-indexed-file.patch @@ -0,0 +1,41 @@ +From 63e132528032ce937126aba591a7b37ec593a6bb Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Tue, 18 Sep 2018 16:34:31 +0300 +Subject: ovl: fix memory leak on unlink of indexed file + +From: Amir Goldstein + +commit 63e132528032ce937126aba591a7b37ec593a6bb upstream. + +The memory leak was detected by kmemleak when running xfstests +overlay/051,053 + +Fixes: caf70cb2ba5d ("ovl: cleanup orphan index entries") +Cc: # v4.13 +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/util.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/overlayfs/util.c ++++ b/fs/overlayfs/util.c +@@ -531,7 +531,7 @@ static void ovl_cleanup_index(struct den + struct dentry *upperdentry = ovl_dentry_upper(dentry); + struct dentry *index = NULL; + struct inode *inode; +- struct qstr name; ++ struct qstr name = { }; + int err; + + err = ovl_get_index_name(lowerdentry, &name); +@@ -574,6 +574,7 @@ static void ovl_cleanup_index(struct den + goto fail; + + out: ++ kfree(name.name); + dput(index); + return; + diff --git a/queue-4.18/ovl-set-i_creating-on-inode-being-created.patch b/queue-4.18/ovl-set-i_creating-on-inode-being-created.patch new file mode 100644 index 00000000000..9f5d26e5c53 --- /dev/null +++ b/queue-4.18/ovl-set-i_creating-on-inode-being-created.patch @@ -0,0 +1,35 @@ +From 6faf05c2b2b4fe70d9068067437649401531de0a Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 22 Aug 2018 10:55:22 +0200 +Subject: ovl: set I_CREATING on inode being created + +From: Miklos Szeredi + +commit 6faf05c2b2b4fe70d9068067437649401531de0a upstream. + +...otherwise there will be list corruption due to inode_sb_list_add() being +called for inode already on the sb list. + +Signed-off-by: Miklos Szeredi +Fixes: e950564b97fd ("vfs: don't evict uninitialized inode") +Signed-off-by: Linus Torvalds +To: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/dir.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/overlayfs/dir.c ++++ b/fs/overlayfs/dir.c +@@ -601,6 +601,10 @@ static int ovl_create_object(struct dent + if (!inode) + goto out_drop_write; + ++ spin_lock(&inode->i_lock); ++ inode->i_state |= I_CREATING; ++ spin_unlock(&inode->i_lock); ++ + inode_init_owner(inode, dentry->d_parent->d_inode, mode); + attr.mode = inode->i_mode; + diff --git a/queue-4.18/proc-restrict-kernel-stack-dumps-to-root.patch b/queue-4.18/proc-restrict-kernel-stack-dumps-to-root.patch new file mode 100644 index 00000000000..aa8c565d91a --- /dev/null +++ b/queue-4.18/proc-restrict-kernel-stack-dumps-to-root.patch @@ -0,0 +1,73 @@ +From f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Fri, 5 Oct 2018 15:51:58 -0700 +Subject: proc: restrict kernel stack dumps to root + +From: Jann Horn + +commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream. + +Currently, you can use /proc/self/task/*/stack to cause a stack walk on +a task you control while it is running on another CPU. That means that +the stack can change under the stack walker. The stack walker does +have guards against going completely off the rails and into random +kernel memory, but it can interpret random data from your kernel stack +as instruction pointers and stack pointers. This can cause exposure of +kernel stack contents to userspace. + +Restrict the ability to inspect kernel stacks of arbitrary tasks to root +in order to prevent a local attacker from exploiting racy stack unwinding +to leak kernel task stack contents. See the added comment for a longer +rationale. + +There don't seem to be any users of this userspace API that can't +gracefully bail out if reading from the file fails. Therefore, I believe +that this change is unlikely to break things. In the case that this patch +does end up needing a revert, the next-best solution might be to fake a +single-entry stack based on wchan. + +Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com +Fixes: 2ec220e27f50 ("proc: add /proc/*/stack") +Signed-off-by: Jann Horn +Acked-by: Kees Cook +Cc: Alexey Dobriyan +Cc: Ken Chen +Cc: Will Deacon +Cc: Laura Abbott +Cc: Andy Lutomirski +Cc: Catalin Marinas +Cc: Josh Poimboeuf +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: "H . Peter Anvin" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/base.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -407,6 +407,20 @@ static int proc_pid_stack(struct seq_fil + unsigned long *entries; + int err; + ++ /* ++ * The ability to racily run the kernel stack unwinder on a running task ++ * and then observe the unwinder output is scary; while it is useful for ++ * debugging kernel issues, it can also allow an attacker to leak kernel ++ * stack contents. ++ * Doing this in a manner that is at least safe from races would require ++ * some work to ensure that the remote task can not be scheduled; and ++ * even then, this would still expose the unwinder as local attack ++ * surface. ++ * Therefore, this interface is restricted to root. ++ */ ++ if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) ++ return -EACCES; ++ + entries = kmalloc_array(MAX_STACK_TRACE_DEPTH, sizeof(*entries), + GFP_KERNEL); + if (!entries) diff --git a/queue-4.18/series b/queue-4.18/series index af1221be1e2..a3e8c2b5166 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -141,3 +141,28 @@ xen-manage-don-t-complain-about-an-empty-value-in-control-sysrq-node.patch xen-avoid-crash-in-disable_hotplug_cpu.patch xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch +new-primitive-discard_new_inode.patch +vfs-don-t-evict-uninitialized-inode.patch +ovl-set-i_creating-on-inode-being-created.patch +ovl-fix-access-beyond-unterminated-strings.patch +ovl-fix-memory-leak-on-unlink-of-indexed-file.patch +ovl-fix-format-of-setxattr-debug.patch +sysfs-do-not-return-posix-acl-xattrs-via-listxattr.patch +b43-fix-dma-error-related-regression-with-proprietary-firmware.patch +firmware-fix-security-issue-with-request_firmware_into_buf.patch +firmware-always-initialize-the-fw_priv-list-object.patch +cpufreq-qcom-kryo-fix-section-annotations.patch +smb2-fix-missing-files-in-root-share-directory-listing.patch +iommu-amd-clear-memory-encryption-mask-from-physical-address.patch +alsa-hda-realtek-cannot-adjust-speaker-s-volume-on-dell-xps-27-7760.patch +crypto-qat-fix-kasan-stack-out-of-bounds-bug-in-adf_probe.patch +crypto-chelsio-fix-memory-corruption-in-dma-mapped-buffers.patch +crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch +crypto-caam-jr-fix-ablkcipher_edesc-pointer-arithmetic.patch +gpiolib-free-the-last-requested-descriptor.patch +drivers-hv-vmbus-use-get-put_cpu-in-vmbus_connect.patch +tools-hv-fcopy-set-error-in-case-an-unknown-operation-was-requested.patch +proc-restrict-kernel-stack-dumps-to-root.patch +ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch +hid-i2c-hid-disable-runtime-pm-operations-on-hantick-touchpad.patch +ixgbe-check-return-value-of-napi_complete_done.patch diff --git a/queue-4.18/smb2-fix-missing-files-in-root-share-directory-listing.patch b/queue-4.18/smb2-fix-missing-files-in-root-share-directory-listing.patch new file mode 100644 index 00000000000..641e991414d --- /dev/null +++ b/queue-4.18/smb2-fix-missing-files-in-root-share-directory-listing.patch @@ -0,0 +1,175 @@ +From 0595751f267994c3c7027377058e4185b3a28e75 Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Thu, 17 May 2018 16:35:07 +0200 +Subject: smb2: fix missing files in root share directory listing + +From: Aurelien Aptel + +commit 0595751f267994c3c7027377058e4185b3a28e75 upstream. + +When mounting a Windows share that is the root of a drive (eg. C$) +the server does not return . and .. directory entries. This results in +the smb2 code path erroneously skipping the 2 first entries. + +Pseudo-code of the readdir() code path: + +cifs_readdir(struct file, struct dir_context) + initiate_cifs_search <-- if no reponse cached yet + server->ops->query_dir_first + + dir_emit_dots + dir_emit <-- adds "." and ".." if we're at pos=0 + + find_cifs_entry + initiate_cifs_search <-- if pos < start of current response + (restart search) + server->ops->query_dir_next <-- if pos > end of current response + (fetch next search res) + + for(...) <-- loops over cur response entries + starting at pos + cifs_filldir <-- skip . and .., emit entry + cifs_fill_dirent + dir_emit + pos++ + +A) dir_emit_dots() always adds . & .. + and sets the current dir pos to 2 (0 and 1 are done). + +Therefore we always want the index_to_find to be 2 regardless of if +the response has . and .. + +B) smb1 code initializes index_of_last_entry with a +2 offset + + in cifssmb.c CIFSFindFirst(): + psrch_inf->index_of_last_entry = 2 /* skip . and .. */ + + psrch_inf->entries_in_buffer; + +Later in find_cifs_entry() we want to find the next dir entry at pos=2 +as a result of (A) + + first_entry_in_buffer = cfile->srch_inf.index_of_last_entry - + cfile->srch_inf.entries_in_buffer; + +This var is the dir pos that the first entry in the buffer will +have therefore it must be 2 in the first call. + +If we don't offset index_of_last_entry by 2 (like in (B)), +first_entry_in_buffer=0 but we were instructed to get pos=2 so this +code in find_cifs_entry() skips the 2 first which is ok for non-root +shares, as it skips . and .. from the response but is not ok for root +shares where the 2 first are actual files + + pos_in_buf = index_to_find - first_entry_in_buffer; + // pos_in_buf=2 + // we skip 2 first response entries :( + for (i = 0; (i < (pos_in_buf)) && (cur_ent != NULL); i++) { + /* go entry by entry figuring out which is first */ + cur_ent = nxt_dir_entry(cur_ent, end_of_smb, + cfile->srch_inf.info_level); + } + +C) cifs_filldir() skips . and .. so we can safely ignore them for now. + +Sample program: + +int main(int argc, char **argv) +{ + const char *path = argc >= 2 ? argv[1] : "."; + DIR *dh; + struct dirent *de; + + printf("listing path <%s>\n", path); + dh = opendir(path); + if (!dh) { + printf("opendir error %d\n", errno); + return 1; + } + + while (1) { + de = readdir(dh); + if (!de) { + if (errno) { + printf("readdir error %d\n", errno); + return 1; + } + printf("end of listing\n"); + break; + } + printf("off=%lu <%s>\n", de->d_off, de->d_name); + } + + return 0; +} + +Before the fix with SMB1 on root shares: + +<.> off=1 +<..> off=2 +<$Recycle.Bin> off=3 + off=4 + +and on non-root shares: + +<.> off=1 +<..> off=4 <-- after adding .., the offsets jumps to +2 because +<2536> off=5 we skipped . and .. from response buffer (C) +<411> off=6 but still incremented pos + off=7 + off=8 + +Therefore the fix for smb2 is to mimic smb1 behaviour and offset the +index_of_last_entry by 2. + +Test results comparing smb1 and smb2 before/after the fix on root +share, non-root shares and on large directories (ie. multi-response +dir listing): + +PRE FIX +======= +pre-1-root VS pre-2-root: + ERR pre-2-root is missing [bootmgr, $Recycle.Bin] +pre-1-nonroot VS pre-2-nonroot: + OK~ same files, same order, different offsets +pre-1-nonroot-large VS pre-2-nonroot-large: + OK~ same files, same order, different offsets + +POST FIX +======== +post-1-root VS post-2-root: + OK same files, same order, same offsets +post-1-nonroot VS post-2-nonroot: + OK same files, same order, same offsets +post-1-nonroot-large VS post-2-nonroot-large: + OK same files, same order, same offsets + +REGRESSION? +=========== +pre-1-root VS post-1-root: + OK same files, same order, same offsets +pre-1-nonroot VS post-1-nonroot: + OK same files, same order, same offsets + +BugLink: https://bugzilla.samba.org/show_bug.cgi?id=13107 +Signed-off-by: Aurelien Aptel +Signed-off-by: Paulo Alcantara +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1484,7 +1484,7 @@ smb2_query_dir_first(const unsigned int + } + + srch_inf->entries_in_buffer = 0; +- srch_inf->index_of_last_entry = 0; ++ srch_inf->index_of_last_entry = 2; + + rc = SMB2_query_directory(xid, tcon, fid->persistent_fid, + fid->volatile_fid, 0, srch_inf); diff --git a/queue-4.18/sysfs-do-not-return-posix-acl-xattrs-via-listxattr.patch b/queue-4.18/sysfs-do-not-return-posix-acl-xattrs-via-listxattr.patch new file mode 100644 index 00000000000..e5d08d2a6c2 --- /dev/null +++ b/queue-4.18/sysfs-do-not-return-posix-acl-xattrs-via-listxattr.patch @@ -0,0 +1,67 @@ +From ffc4c92227db5699493e43eb140b4cb5904c30ff Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Tue, 18 Sep 2018 00:36:36 -0400 +Subject: sysfs: Do not return POSIX ACL xattrs via listxattr +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andreas Gruenbacher + +commit ffc4c92227db5699493e43eb140b4cb5904c30ff upstream. + +Commit 786534b92f3c introduced a regression that caused listxattr to +return the POSIX ACL attribute names even though sysfs doesn't support +POSIX ACLs. This happens because simple_xattr_list checks for NULL +i_acl / i_default_acl, but inode_init_always initializes those fields +to ACL_NOT_CACHED ((void *)-1). For example: + $ getfattr -m- -d /sys + /sys: system.posix_acl_access: Operation not supported + /sys: system.posix_acl_default: Operation not supported +Fix this in simple_xattr_list by checking if the filesystem supports POSIX ACLs. + +Fixes: 786534b92f3c ("tmpfs: listxattr should include POSIX ACL xattrs") +Reported-by: Marc Aurèle La France +Tested-by: Marc Aurèle La France +Signed-off-by: Andreas Gruenbacher +Cc: stable@vger.kernel.org # v4.5+ +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xattr.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -949,17 +949,19 @@ ssize_t simple_xattr_list(struct inode * + int err = 0; + + #ifdef CONFIG_FS_POSIX_ACL +- if (inode->i_acl) { +- err = xattr_list_one(&buffer, &remaining_size, +- XATTR_NAME_POSIX_ACL_ACCESS); +- if (err) +- return err; +- } +- if (inode->i_default_acl) { +- err = xattr_list_one(&buffer, &remaining_size, +- XATTR_NAME_POSIX_ACL_DEFAULT); +- if (err) +- return err; ++ if (IS_POSIXACL(inode)) { ++ if (inode->i_acl) { ++ err = xattr_list_one(&buffer, &remaining_size, ++ XATTR_NAME_POSIX_ACL_ACCESS); ++ if (err) ++ return err; ++ } ++ if (inode->i_default_acl) { ++ err = xattr_list_one(&buffer, &remaining_size, ++ XATTR_NAME_POSIX_ACL_DEFAULT); ++ if (err) ++ return err; ++ } + } + #endif + diff --git a/queue-4.18/tools-hv-fcopy-set-error-in-case-an-unknown-operation-was-requested.patch b/queue-4.18/tools-hv-fcopy-set-error-in-case-an-unknown-operation-was-requested.patch new file mode 100644 index 00000000000..176adecc357 --- /dev/null +++ b/queue-4.18/tools-hv-fcopy-set-error-in-case-an-unknown-operation-was-requested.patch @@ -0,0 +1,32 @@ +From c2d68afba86d1ff01e7300c68bc16a9234dcd8e9 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Mon, 17 Sep 2018 04:14:55 +0000 +Subject: tools: hv: fcopy: set 'error' in case an unknown operation was requested + +From: Vitaly Kuznetsov + +commit c2d68afba86d1ff01e7300c68bc16a9234dcd8e9 upstream. + +'error' variable is left uninitialized in case we see an unknown operation. +As we don't immediately return and proceed to pwrite() we need to set it +to something, HV_E_FAIL sounds good enough. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: K. Y. Srinivasan +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + tools/hv/hv_fcopy_daemon.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/hv/hv_fcopy_daemon.c ++++ b/tools/hv/hv_fcopy_daemon.c +@@ -234,6 +234,7 @@ int main(int argc, char *argv[]) + break; + + default: ++ error = HV_E_FAIL; + syslog(LOG_ERR, "Unknown operation: %d", + buffer.hdr.operation); + diff --git a/queue-4.18/vfs-don-t-evict-uninitialized-inode.patch b/queue-4.18/vfs-don-t-evict-uninitialized-inode.patch new file mode 100644 index 00000000000..bbe28ac2c7a --- /dev/null +++ b/queue-4.18/vfs-don-t-evict-uninitialized-inode.patch @@ -0,0 +1,62 @@ +From e950564b97fd0f541b02eb207685d0746f5ecf29 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Tue, 24 Jul 2018 15:01:55 +0200 +Subject: vfs: don't evict uninitialized inode + +From: Miklos Szeredi + +commit e950564b97fd0f541b02eb207685d0746f5ecf29 upstream. + +iput() ends up calling ->evict() on new inode, which is not yet initialized +by owning fs. So use destroy_inode() instead. + +Add to sb->s_inodes list only if inode is not in I_CREATING state (meaning +that it wasn't allocated with new_inode(), which already does the +insertion). + +Reported-by: Al Viro +Signed-off-by: Miklos Szeredi +Fixes: 80ea09a002bf ("vfs: factor out inode_insert5()") +Signed-off-by: Al Viro +Cc: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman + +--- + fs/inode.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -1050,6 +1050,7 @@ struct inode *inode_insert5(struct inode + { + struct hlist_head *head = inode_hashtable + hash(inode->i_sb, hashval); + struct inode *old; ++ bool creating = inode->i_state & I_CREATING; + + again: + spin_lock(&inode_hash_lock); +@@ -1083,6 +1084,8 @@ again: + inode->i_state |= I_NEW; + hlist_add_head(&inode->i_hash, head); + spin_unlock(&inode->i_lock); ++ if (!creating) ++ inode_sb_list_add(inode); + unlock: + spin_unlock(&inode_hash_lock); + +@@ -1117,12 +1120,13 @@ struct inode *iget5_locked(struct super_ + struct inode *inode = ilookup5(sb, hashval, test, data); + + if (!inode) { +- struct inode *new = new_inode(sb); ++ struct inode *new = alloc_inode(sb); + + if (new) { ++ new->i_state = 0; + inode = inode_insert5(new, hashval, test, set, data); + if (unlikely(inode != new)) +- iput(new); ++ destroy_inode(new); + } + } + return inode;