From: Greg Kroah-Hartman Date: Mon, 29 Jul 2019 15:58:51 +0000 (+0200) Subject: 5.2-stable patches X-Git-Tag: v5.2.5~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=361e4efcf927ec6a610803186fa52dc2343569f6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.2-stable patches added patches: btrfs-inode-don-t-compress-if-nodatasum-or-nodatacow-set.patch kvm-ppc-book3s-hv-always-save-guest-pmu-for-guest-capable-of-nesting.patch kvm-ppc-book3s-hv-save-and-restore-guest-visible-psscr-bits-on-pseries.patch kvm-ppc-book3s-hv-xive-fix-rollback-when-kvmppc_xive_create-fails.patch kvm-x86-fix-fpu-state-crash-in-kvm-guest.patch media-videodev2.h-change-v4l2_pix_fmt_bgra444-define-fourcc-was-already-in-use.patch revert-usb-usb251xb-add-us-lanes-inversion-dts-bindings.patch revert-usb-usb251xb-add-us-port-lanes-inversion-property.patch selinux-check-sidtab-limit-before-adding-a-new-entry.patch usb-pci-quirks-correct-amd-pll-quirk-detection.patch usb-storage-add-a-limitation-for-blk_queue_max_hw_sectors.patch usb-usb251xb-reallow-swap-dx-lanes-to-apply-to-the-upstream-port.patch usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch x86-stacktrace-prevent-access_ok-warnings-in-arch_stack_walk_user.patch x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch xhci-fix-crash-if-scatter-gather-is-used-with-immediate-data-transfer-idt.patch --- diff --git a/queue-5.2/btrfs-inode-don-t-compress-if-nodatasum-or-nodatacow-set.patch b/queue-5.2/btrfs-inode-don-t-compress-if-nodatasum-or-nodatacow-set.patch new file mode 100644 index 00000000000..987aa18a592 --- /dev/null +++ b/queue-5.2/btrfs-inode-don-t-compress-if-nodatasum-or-nodatacow-set.patch 
@@ -0,0 +1,101 @@ +From 42c16da6d684391db83788eb680accd84f6c2083 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Mon, 1 Jul 2019 05:12:46 +0000 +Subject: btrfs: inode: Don't compress if NODATASUM or NODATACOW set + +From: Qu Wenruo + +commit 42c16da6d684391db83788eb680accd84f6c2083 upstream. + +As btrfs(5) specified: + + Note + If nodatacow or nodatasum are enabled, compression is disabled. + +If NODATASUM or NODATACOW set, we should not compress the extent. + +Normally NODATACOW is detected properly in run_delalloc_range() so +compression won't happen for NODATACOW. + +However for NODATASUM we don't have any check, and it can cause +compressed extent without csum pretty easily, just by: + mkfs.btrfs -f $dev + mount $dev $mnt -o nodatasum + touch $mnt/foobar + mount -o remount,datasum,compress $mnt + xfs_io -f -c "pwrite 0 128K" $mnt/foobar + +And in fact, we have a bug report about corrupted compressed extent +without proper data checksum so even RAID1 can't recover the corruption. +(https://bugzilla.kernel.org/show_bug.cgi?id=199707) + +Running compression without proper checksum could cause more damage when +corruption happens, as compressed data could make the whole extent +unreadable, so there is no need to allow compression for +NODATACSUM. + +The fix will refactor the inode compression check into two parts: + +- inode_can_compress() + As the hard requirement, checked at btrfs_run_delalloc_range(), so no + compression will happen for NODATASUM inode at all. + +- inode_need_compress() + As the soft requirement, checked at btrfs_run_delalloc_range() and + compress_file_range(). 
+ +Reported-by: James Harvey +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -394,10 +394,31 @@ static noinline int add_async_extent(str + return 0; + } + ++/* ++ * Check if the inode has flags compatible with compression ++ */ ++static inline bool inode_can_compress(struct inode *inode) ++{ ++ if (BTRFS_I(inode)->flags & BTRFS_INODE_NODATACOW || ++ BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM) ++ return false; ++ return true; ++} ++ ++/* ++ * Check if the inode needs to be submitted to compression, based on mount ++ * options, defragmentation, properties or heuristics. ++ */ + static inline int inode_need_compress(struct inode *inode, u64 start, u64 end) + { + struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb); + ++ if (!inode_can_compress(inode)) { ++ WARN(IS_ENABLED(CONFIG_BTRFS_DEBUG), ++ KERN_ERR "BTRFS: unexpected compression for ino %llu\n", ++ btrfs_ino(BTRFS_I(inode))); ++ return 0; ++ } + /* force compress */ + if (btrfs_test_opt(fs_info, FORCE_COMPRESS)) + return 1; +@@ -1630,7 +1651,8 @@ int btrfs_run_delalloc_range(struct inod + } else if (BTRFS_I(inode)->flags & BTRFS_INODE_PREALLOC && !force_cow) { + ret = run_delalloc_nocow(inode, locked_page, start, end, + page_started, 0, nr_written); +- } else if (!inode_need_compress(inode, start, end)) { ++ } else if (!inode_can_compress(inode) || ++ !inode_need_compress(inode, start, end)) { + ret = cow_file_range(inode, locked_page, start, end, end, + page_started, nr_written, 1, NULL); + } else { diff --git a/queue-5.2/kvm-ppc-book3s-hv-always-save-guest-pmu-for-guest-capable-of-nesting.patch b/queue-5.2/kvm-ppc-book3s-hv-always-save-guest-pmu-for-guest-capable-of-nesting.patch new file mode 100644 index 00000000000..81f2eb2c6d9 --- /dev/null 
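Review bot: The `WARN()` added at the top of `inode_need_compress()` is not a once-only variant, so on a CONFIG_BTRFS_DEBUG kernel every call that reaches it for a NODATACOW/NODATASUM inode prints a full backtrace. The callers are outside the hunk; if that path can be hit repeatedly, `WARN_ONCE(...)` or a rate-limited message would keep the log usable while still flagging the unexpected state. As a smaller style point, `inode_can_compress()` reads the same field twice and could use one mask test instead: `return !(BTRFS_I(inode)->flags & (BTRFS_INODE_NODATACOW | BTRFS_INODE_NODATASUM));`. The body of `inode_need_compress()` continues past the end of the hunk.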
+++ b/queue-5.2/kvm-ppc-book3s-hv-always-save-guest-pmu-for-guest-capable-of-nesting.patch 
@@ -0,0 +1,60 @@ +From 63279eeb7f93abb1692573c26f1e038e1a87358b Mon Sep 17 00:00:00 2001 +From: Suraj Jitindar Singh +Date: Wed, 3 Jul 2019 11:20:20 +1000 +Subject: KVM: PPC: Book3S HV: Always save guest pmu for guest capable of nesting + +From: Suraj Jitindar Singh + +commit 63279eeb7f93abb1692573c26f1e038e1a87358b upstream. + +The performance monitoring unit (PMU) registers are saved on guest +exit when the guest has set the pmcregs_in_use flag in its lppaca, if +it exists, or unconditionally if it doesn't. If a nested guest is +being run then the hypervisor doesn't, and in most cases can't, know +if the PMU registers are in use since it doesn't know the location of +the lppaca for the nested guest, although it may have one for its +immediate guest. This results in the values of these registers being +lost across nested guest entry and exit in the case where the nested +guest was making use of the performance monitoring facility while it's +nested guest hypervisor wasn't. + +Further more the hypervisor could interrupt a guest hypervisor between +when it has loaded up the PMU registers and it calling H_ENTER_NESTED +or between returning from the nested guest to the guest hypervisor and +the guest hypervisor reading the PMU registers, in +kvmhv_p9_guest_entry(). This means that it isn't sufficient to just +save the PMU registers when entering or exiting a nested guest, but +that it is necessary to always save the PMU registers whenever a guest +is capable of running nested guests to ensure the register values +aren't lost in the context switch. + +Ensure the PMU register values are preserved by always saving their +value into the vcpu struct when a guest is capable of running nested +guests. + +This should have minimal performance impact however any impact can be +avoided by booting a guest with "-machine pseries,cap-nested-hv=false" +on the qemu commandline. 
+ +Fixes: 95a6432ce903 ("KVM: PPC: Book3S HV: Streamlined guest entry/exit path on P9 for radix guests") +Cc: stable@vger.kernel.org # v4.20+ +Signed-off-by: Suraj Jitindar Singh +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190703012022.15644-1-sjitindarsingh@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_hv.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -3654,6 +3654,8 @@ int kvmhv_p9_guest_entry(struct kvm_vcpu + vcpu->arch.vpa.dirty = 1; + save_pmu = lp->pmcregs_in_use; + } ++ /* Must save pmu if this guest is capable of running nested guests */ ++ save_pmu |= nesting_enabled(vcpu->kvm); + + kvmhv_save_guest_pmu(vcpu, save_pmu); + diff --git a/queue-5.2/kvm-ppc-book3s-hv-save-and-restore-guest-visible-psscr-bits-on-pseries.patch b/queue-5.2/kvm-ppc-book3s-hv-save-and-restore-guest-visible-psscr-bits-on-pseries.patch new file mode 100644 index 00000000000..e24384b4352 --- /dev/null +++ b/queue-5.2/kvm-ppc-book3s-hv-save-and-restore-guest-visible-psscr-bits-on-pseries.patch 
@@ -0,0 +1,82 @@ +From c8b4083db915dfe5a3b4a755ad2317e0509b43f1 Mon Sep 17 00:00:00 2001 +From: Suraj Jitindar Singh +Date: Wed, 3 Jul 2019 11:20:22 +1000 +Subject: KVM: PPC: Book3S HV: Save and restore guest visible PSSCR bits on pseries + +From: Suraj Jitindar Singh + +commit c8b4083db915dfe5a3b4a755ad2317e0509b43f1 upstream. + +The Performance Stop Status and Control Register (PSSCR) is used to +control the power saving facilities of the processor. This register +has various fields, some of which can be modified only in hypervisor +state, and others which can be modified in both hypervisor and +privileged non-hypervisor state. The bits which can be modified in +privileged non-hypervisor state are referred to as guest visible. + +Currently the L0 hypervisor saves and restores both it's own host +value as well as the guest value of the PSSCR when context switching +between the hypervisor and guest. However a nested hypervisor running +it's own nested guests (as indicated by kvmhv_on_pseries()) doesn't +context switch the PSSCR register. That means if a nested (L2) guest +modifies the PSSCR then the L1 guest hypervisor will run with that +modified value, and if the L1 guest hypervisor modifies the PSSCR and +then goes to run the nested (L2) guest again then the L2 PSSCR value +will be lost. + +Fix this by having the (L1) nested hypervisor save and restore both +its host and the guest PSSCR value when entering and exiting a +nested (L2) guest. Note that only the guest visible parts of the PSSCR +are context switched since this is all the L1 nested hypervisor can +access, this is fine however as these are the only fields the L0 +hypervisor provides guest control of anyway and so all other fields +are ignored. 
+ +This could also have been implemented by adding the PSSCR register to +the hv_regs passed to the L0 hypervisor as input to the H_ENTER_NESTED +hcall, however this would have meant updating the structure layout and +thus required modifications to both the L0 and L1 kernels. Whereas the +approach used doesn't require L0 kernel modifications while achieving +the same result. + +Fixes: 95a6432ce903 ("KVM: PPC: Book3S HV: Streamlined guest entry/exit path on P9 for radix guests") +Cc: stable@vger.kernel.org # v4.20+ +Signed-off-by: Suraj Jitindar Singh +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190703012022.15644-3-sjitindarsingh@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_hv.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -3569,9 +3569,18 @@ int kvmhv_p9_guest_entry(struct kvm_vcpu + mtspr(SPRN_DEC, vcpu->arch.dec_expires - mftb()); + + if (kvmhv_on_pseries()) { ++ /* ++ * We need to save and restore the guest visible part of the ++ * psscr (i.e. using SPRN_PSSCR_PR) since the hypervisor ++ * doesn't do this for us. Note only required if pseries since ++ * this is done in kvmhv_load_hv_regs_and_go() below otherwise. ++ */ ++ unsigned long host_psscr; + /* call our hypervisor to load up HV regs and go */ + struct hv_guest_state hvregs; + ++ host_psscr = mfspr(SPRN_PSSCR_PR); ++ mtspr(SPRN_PSSCR_PR, vcpu->arch.psscr); + kvmhv_save_hv_regs(vcpu, &hvregs); + hvregs.lpcr = lpcr; + vcpu->arch.regs.msr = vcpu->arch.shregs.msr; +@@ -3590,6 +3599,8 @@ int kvmhv_p9_guest_entry(struct kvm_vcpu + vcpu->arch.shregs.msr = vcpu->arch.regs.msr; + vcpu->arch.shregs.dar = mfspr(SPRN_DAR); + vcpu->arch.shregs.dsisr = mfspr(SPRN_DSISR); ++ vcpu->arch.psscr = mfspr(SPRN_PSSCR_PR); ++ mtspr(SPRN_PSSCR_PR, host_psscr); + + /* H_CEDE has to be handled now, not later */ + if (trap == BOOK3S_INTERRUPT_SYSCALL && !vcpu->arch.nested && 
diff --git a/queue-5.2/kvm-ppc-book3s-hv-xive-fix-rollback-when-kvmppc_xive_create-fails.patch b/queue-5.2/kvm-ppc-book3s-hv-xive-fix-rollback-when-kvmppc_xive_create-fails.patch
new file mode 100644
index 00000000000..2ab227b7391
--- /dev/null
+++ b/queue-5.2/kvm-ppc-book3s-hv-xive-fix-rollback-when-kvmppc_xive_create-fails.patch
@@ -0,0 +1,58 @@ +From 9798f4ea71eaf8eaad7e688c5b298528089c7bf8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= +Date: Thu, 18 Jul 2019 23:51:54 +0200 +Subject: KVM: PPC: Book3S HV: XIVE: fix rollback when kvmppc_xive_create fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cédric Le Goater + +commit 9798f4ea71eaf8eaad7e688c5b298528089c7bf8 upstream. + +The XIVE device structure is now allocated in kvmppc_xive_get_device() +and kfree'd in kvmppc_core_destroy_vm(). In case of an OPAL error when +allocating the XIVE VPs, the kfree() call in kvmppc_xive_*create() +will result in a double free and corrupt the host memory. + +Fixes: 5422e95103cf ("KVM: PPC: Book3S HV: XIVE: Replace the 'destroy' method by a 'release' method") +Cc: stable@vger.kernel.org # v5.2+ +Signed-off-by: Cédric Le Goater +Tested-by: Michael Ellerman +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/6ea6998b-a890-2511-01d1-747d7621eb19@kaod.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_xive.c | 4 +--- + arch/powerpc/kvm/book3s_xive_native.c | 4 ++-- + 2 files changed, 3 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/kvm/book3s_xive.c ++++ b/arch/powerpc/kvm/book3s_xive.c +@@ -1986,10 +1986,8 @@ static int kvmppc_xive_create(struct kvm + + xive->single_escalation = xive_native_has_single_escalation(); + +- if (ret) { +- kfree(xive); ++ if (ret) + return ret; +- } + + return 0; + } +--- a/arch/powerpc/kvm/book3s_xive_native.c ++++ b/arch/powerpc/kvm/book3s_xive_native.c +@@ -1090,9 +1090,9 @@ static int kvmppc_xive_native_create(str + xive->ops = &kvmppc_xive_native_ops; + + if (ret) +- kfree(xive); ++ return ret; + +- return ret; ++ return 0; + } + + /* diff --git a/queue-5.2/kvm-x86-fix-fpu-state-crash-in-kvm-guest.patch b/queue-5.2/kvm-x86-fix-fpu-state-crash-in-kvm-guest.patch new file mode 100644 index 00000000000..7e2d3349593 --- /dev/null 
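Review bot: With the `kfree(xive)` calls removed, the tails of both `kvmppc_xive_create()` and `kvmppc_xive_native_create()` become `if (ret) return ret; return 0;`, which is just `return ret;`. Writing it that way avoids suggesting that the error path still does any cleanup. The ownership rule this fix depends on is not stated anywhere in the code, so a short comment at the error return, for example `/* xive is freed in kvmppc_core_destroy_vm(); do not kfree() it here */`, would help keep the double free from being reintroduced. Both function bodies start outside the hunks, so whether other state set up earlier needs undoing on failure cannot be judged from here.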
+++ b/queue-5.2/kvm-x86-fix-fpu-state-crash-in-kvm-guest.patch 
@@ -0,0 +1,75 @@ +From e751732486eb3f159089a64d1901992b1357e7cc Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Mon, 22 Jul 2019 12:26:20 +0800 +Subject: KVM: X86: Fix fpu state crash in kvm guest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit e751732486eb3f159089a64d1901992b1357e7cc upstream. + +The idea before commit 240c35a37 (which has just been reverted) +was that we have the following FPU states: + + userspace (QEMU) guest +--------------------------------------------------------------------------- + processor vcpu->arch.guest_fpu +>>> KVM_RUN: kvm_load_guest_fpu + vcpu->arch.user_fpu processor +>>> preempt out + vcpu->arch.user_fpu current->thread.fpu +>>> preempt in + vcpu->arch.user_fpu processor +>>> back to userspace +>>> kvm_put_guest_fpu + processor vcpu->arch.guest_fpu +--------------------------------------------------------------------------- + +With the new lazy model we want to get the state back to the processor +when schedule in from current->thread.fpu. + +Reported-by: Thomas Lambertz +Reported-by: anthony +Tested-by: anthony +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Thomas Lambertz +Cc: anthony +Cc: stable@vger.kernel.org +Fixes: 5f409e20b (x86/fpu: Defer FPU state load until return to userspace) +Signed-off-by: Wanpeng Li +[Add a comment in front of the warning. 
- Paolo] +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3264,6 +3264,10 @@ void kvm_arch_vcpu_load(struct kvm_vcpu + + kvm_x86_ops->vcpu_load(vcpu, cpu); + ++ fpregs_assert_state_consistent(); ++ if (test_thread_flag(TIF_NEED_FPU_LOAD)) ++ switch_fpu_return(); ++ + /* Apply any externally detected TSC adjustments (due to suspend) */ + if (unlikely(vcpu->arch.tsc_offset_adjustment)) { + adjust_tsc_offset_host(vcpu, vcpu->arch.tsc_offset_adjustment); +@@ -7955,9 +7959,8 @@ static int vcpu_enter_guest(struct kvm_v + wait_lapic_expire(vcpu); + guest_enter_irqoff(); + +- fpregs_assert_state_consistent(); +- if (test_thread_flag(TIF_NEED_FPU_LOAD)) +- switch_fpu_return(); ++ /* The preempt notifier should have taken care of the FPU already. */ ++ WARN_ON_ONCE(test_thread_flag(TIF_NEED_FPU_LOAD)); + + if (unlikely(vcpu->arch.switch_db_regs)) { + set_debugreg(0, 7); diff --git a/queue-5.2/media-videodev2.h-change-v4l2_pix_fmt_bgra444-define-fourcc-was-already-in-use.patch b/queue-5.2/media-videodev2.h-change-v4l2_pix_fmt_bgra444-define-fourcc-was-already-in-use.patch new file mode 100644 index 00000000000..61d5f43b4cd --- /dev/null +++ b/queue-5.2/media-videodev2.h-change-v4l2_pix_fmt_bgra444-define-fourcc-was-already-in-use.patch 
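Review bot: The `WARN_ON_ONCE(test_thread_flag(TIF_NEED_FPU_LOAD))` that replaces the reload in `vcpu_enter_guest()` reports a violated assumption but does not repair it. If the flag is ever set between `kvm_arch_vcpu_load()` and this point, the guest is entered without the expected FPU state in the registers, with a warning the first time and silently afterwards. Using the warning as the guard keeps both the diagnostic and the recovery: `if (WARN_ON_ONCE(test_thread_flag(TIF_NEED_FPU_LOAD))) switch_fpu_return();`. Whether anything can set the flag in that window is not visible in these hunks, so this is defensive hardening rather than a demonstrated bug. Both functions continue outside the hunks.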
@@ -0,0 +1,41 @@ +From 22be8233b34f4f468934c5fefcbe6151766fb8f2 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 11 Jul 2019 04:53:25 -0400 +Subject: media: videodev2.h: change V4L2_PIX_FMT_BGRA444 define: fourcc was already in use + +From: Hans Verkuil + +commit 22be8233b34f4f468934c5fefcbe6151766fb8f2 upstream. + +The V4L2_PIX_FMT_BGRA444 define clashed with the pre-existing V4L2_PIX_FMT_SGRBG12 +which strangely enough used the same fourcc, even though that fourcc made no sense +for a Bayer format. In any case, you can't have duplicates, so change the fourcc of +V4L2_PIX_FMT_BGRA444. + +Signed-off-by: Hans Verkuil +Cc: # for v5.2 and up +Fixes: 6c84f9b1d2900 ("media: v4l: Add definitions for missing 16-bit RGB4444 formats") +Reviewed-by: Laurent Pinchart +Reviewed-by: Kieran Bingham +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h +index 9d9705ceda76..2427bc4d8eba 100644 +--- a/include/uapi/linux/videodev2.h ++++ b/include/uapi/linux/videodev2.h +@@ -518,7 +518,13 @@ struct v4l2_pix_format { + #define V4L2_PIX_FMT_RGBX444 v4l2_fourcc('R', 'X', '1', '2') /* 16 rrrrgggg bbbbxxxx */ + #define V4L2_PIX_FMT_ABGR444 v4l2_fourcc('A', 'B', '1', '2') /* 16 aaaabbbb ggggrrrr */ + #define V4L2_PIX_FMT_XBGR444 v4l2_fourcc('X', 'B', '1', '2') /* 16 xxxxbbbb ggggrrrr */ +-#define V4L2_PIX_FMT_BGRA444 v4l2_fourcc('B', 'A', '1', '2') /* 16 bbbbgggg rrrraaaa */ ++ ++/* ++ * Originally this had 'BA12' as fourcc, but this clashed with the older ++ * V4L2_PIX_FMT_SGRBG12 which inexplicably used that same fourcc. ++ * So use 'GA12' instead for V4L2_PIX_FMT_BGRA444. 
++ */ ++#define V4L2_PIX_FMT_BGRA444 v4l2_fourcc('G', 'A', '1', '2') /* 16 bbbbgggg rrrraaaa */ + #define V4L2_PIX_FMT_BGRX444 v4l2_fourcc('B', 'X', '1', '2') /* 16 bbbbgggg rrrrxxxx */ + #define V4L2_PIX_FMT_RGB555 v4l2_fourcc('R', 'G', 'B', 'O') /* 16 RGB-5-5-5 */ + #define V4L2_PIX_FMT_ARGB555 v4l2_fourcc('A', 'R', '1', '5') /* 16 ARGB-1-5-5-5 */ diff --git a/queue-5.2/revert-usb-usb251xb-add-us-lanes-inversion-dts-bindings.patch b/queue-5.2/revert-usb-usb251xb-add-us-lanes-inversion-dts-bindings.patch new file mode 100644 index 00000000000..e966ceccdd7 --- /dev/null +++ b/queue-5.2/revert-usb-usb251xb-add-us-lanes-inversion-dts-bindings.patch 
@@ -0,0 +1,38 @@ +From bafe64e5f0edaa689e72e2f8dc236641da37fed4 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Fri, 19 Jul 2019 10:44:05 +0200 +Subject: Revert "usb: usb251xb: Add US lanes inversion dts-bindings" + +From: Lucas Stach + +commit bafe64e5f0edaa689e72e2f8dc236641da37fed4 upstream. + +This reverts commit 3342ce35a1, as there is no need for this separate +property and it breaks compatibility with existing devicetree files +(arch/arm64/boot/dts/freescale/imx8mq.dtsi). + +CC: stable@vger.kernel.org #5.2 +Fixes: 3342ce35a183 ("usb: usb251xb: Add US lanes inversion dts-bindings") +Signed-off-by: Lucas Stach +Link: https://lore.kernel.org/r/20190719084407.28041-1-l.stach@pengutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/usb/usb251xb.txt | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/Documentation/devicetree/bindings/usb/usb251xb.txt ++++ b/Documentation/devicetree/bindings/usb/usb251xb.txt +@@ -64,10 +64,8 @@ Optional properties : + - power-on-time-ms : Specifies the time it takes from the time the host + initiates the power-on sequence to a port until the port has adequate + power. The value is given in ms in a 0 - 510 range (default is 100ms). +- - swap-dx-lanes : Specifies the downstream ports which will swap the +- differential-pair (D+/D-), default is not-swapped. +- - swap-us-lanes : Selects the upstream port differential-pair (D+/D-) +- swapping (boolean, default is not-swapped) ++ - swap-dx-lanes : Specifies the ports which will swap the differential-pair ++ (D+/D-), default is not-swapped. + + Examples: + usb2512b@2c { diff --git a/queue-5.2/revert-usb-usb251xb-add-us-port-lanes-inversion-property.patch b/queue-5.2/revert-usb-usb251xb-add-us-port-lanes-inversion-property.patch new file mode 100644 index 00000000000..22631f78e43 --- /dev/null +++ b/queue-5.2/revert-usb-usb251xb-add-us-port-lanes-inversion-property.patch 
@@ -0,0 +1,33 @@ +From 79f6fafad4e2a874015cb67d735f9f87f1834367 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Fri, 19 Jul 2019 10:44:06 +0200 +Subject: Revert "usb: usb251xb: Add US port lanes inversion property" + +From: Lucas Stach + +commit 79f6fafad4e2a874015cb67d735f9f87f1834367 upstream. + +This property isn't needed and not yet used anywhere. The swap-dx-lanes +property is perfectly fine for doing the swap on the upstream port +lanes. + +CC: stable@vger.kernel.org #5.2 +Signed-off-by: Lucas Stach +Link: https://lore.kernel.org/r/20190719084407.28041-2-l.stach@pengutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/usb251xb.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/usb/misc/usb251xb.c ++++ b/drivers/usb/misc/usb251xb.c +@@ -574,8 +574,6 @@ static int usb251xb_get_ofdata(struct us + hub->port_swap = USB251XB_DEF_PORT_SWAP; + usb251xb_get_ports_field(hub, "swap-dx-lanes", data->port_cnt, + &hub->port_swap); +- if (of_get_property(np, "swap-us-lanes", NULL)) +- hub->port_swap |= BIT(0); + + /* The following parameters are currently not exposed to devicetree, but + * may be as soon as needed. diff --git a/queue-5.2/selinux-check-sidtab-limit-before-adding-a-new-entry.patch b/queue-5.2/selinux-check-sidtab-limit-before-adding-a-new-entry.patch new file mode 100644 index 00000000000..a5c1b9de09c --- /dev/null +++ b/queue-5.2/selinux-check-sidtab-limit-before-adding-a-new-entry.patch 
@@ -0,0 +1,38 @@ +From acbc372e6109c803cbee4733769d02008381740f Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Tue, 23 Jul 2019 08:50:59 +0200 +Subject: selinux: check sidtab limit before adding a new entry + +From: Ondrej Mosnacek + +commit acbc372e6109c803cbee4733769d02008381740f upstream. + +We need to error out when trying to add an entry above SIDTAB_MAX in +sidtab_reverse_lookup() to avoid overflow on the odd chance that this +happens. + +Cc: stable@vger.kernel.org +Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance") +Signed-off-by: Ondrej Mosnacek +Reviewed-by: Kees Cook +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/ss/sidtab.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/security/selinux/ss/sidtab.c ++++ b/security/selinux/ss/sidtab.c +@@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct + ++count; + } + ++ /* bail out if we already reached max entries */ ++ rc = -EOVERFLOW; ++ if (count >= SIDTAB_MAX) ++ goto out_unlock; ++ + /* insert context into new entry */ + rc = -ENOMEM; + dst = sidtab_do_lookup(s, count, 1); diff --git a/queue-5.2/series b/queue-5.2/series index 6738de9397c..01a69b64d5a 100644 --- a/queue-5.2/series +++ b/queue-5.2/series 
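Review bot: The new `count >= SIDTAB_MAX` bail-out in `sidtab_reverse_lookup()` returns `-EOVERFLOW` without leaving any trace. How callers surface that error is outside the hunk, but if they do not log it, a full SID table would show up only as unexplained context-lookup failures. A rate-limited message on this branch, for example `pr_warn_ratelimited("SELinux: SID table is full\n");`, would let operators and detection tooling tell table exhaustion apart from a policy problem. The `out_unlock` label suggests a lock is held here, so any message should be rate-limited or emitted after the unlock. The function body starts and ends outside the hunk.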
@@ -164,3 +164,20 @@ locking-lockdep-fix-lock-used-or-unused-stats-error.patch mm-use-down_read_killable-for-locking-mmap_sem-in-ac.patch mm-swap-fix-race-between-swapoff-and-some-swap-opera.patch locking-lockdep-hide-unused-class-variable.patch +xhci-fix-crash-if-scatter-gather-is-used-with-immediate-data-transfer-idt.patch +usb-storage-add-a-limitation-for-blk_queue_max_hw_sectors.patch +usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch +usb-pci-quirks-correct-amd-pll-quirk-detection.patch +revert-usb-usb251xb-add-us-lanes-inversion-dts-bindings.patch +revert-usb-usb251xb-add-us-port-lanes-inversion-property.patch +usb-usb251xb-reallow-swap-dx-lanes-to-apply-to-the-upstream-port.patch +kvm-x86-fix-fpu-state-crash-in-kvm-guest.patch +kvm-ppc-book3s-hv-always-save-guest-pmu-for-guest-capable-of-nesting.patch +kvm-ppc-book3s-hv-save-and-restore-guest-visible-psscr-bits-on-pseries.patch +kvm-ppc-book3s-hv-xive-fix-rollback-when-kvmppc_xive_create-fails.patch +media-videodev2.h-change-v4l2_pix_fmt_bgra444-define-fourcc-was-already-in-use.patch +btrfs-inode-don-t-compress-if-nodatasum-or-nodatacow-set.patch +selinux-check-sidtab-limit-before-adding-a-new-entry.patch +x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch +x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch +x86-stacktrace-prevent-access_ok-warnings-in-arch_stack_walk_user.patch diff --git a/queue-5.2/usb-pci-quirks-correct-amd-pll-quirk-detection.patch b/queue-5.2/usb-pci-quirks-correct-amd-pll-quirk-detection.patch new file mode 100644 index 00000000000..596182f6483 --- /dev/null +++ b/queue-5.2/usb-pci-quirks-correct-amd-pll-quirk-detection.patch 
@@ -0,0 +1,103 @@ +From f3dccdaade4118070a3a47bef6b18321431f9ac6 Mon Sep 17 00:00:00 2001 +From: Ryan Kennedy +Date: Thu, 4 Jul 2019 11:35:28 -0400 +Subject: usb: pci-quirks: Correct AMD PLL quirk detection + +From: Ryan Kennedy + +commit f3dccdaade4118070a3a47bef6b18321431f9ac6 upstream. + +The AMD PLL USB quirk is incorrectly enabled on newer Ryzen +chipsets. The logic in usb_amd_find_chipset_info currently checks +for unaffected chipsets rather than affected ones. This broke +once a new chipset was added in e788787ef. It makes more sense +to reverse the logic so it won't need to be updated as new +chipsets are added. Note that the core of the workaround in +usb_amd_quirk_pll does correctly check the chipset. + +Signed-off-by: Ryan Kennedy +Fixes: e788787ef4f9 ("usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume") +Cc: stable +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20190704153529.9429-2-ryan5544@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/pci-quirks.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +--- a/drivers/usb/host/pci-quirks.c ++++ b/drivers/usb/host/pci-quirks.c +@@ -205,7 +205,7 @@ int usb_amd_find_chipset_info(void) + { + unsigned long flags; + struct amd_chipset_info info; +- int ret; ++ int need_pll_quirk = 0; + + spin_lock_irqsave(&amd_lock, flags); + +@@ -219,21 +219,28 @@ int usb_amd_find_chipset_info(void) + spin_unlock_irqrestore(&amd_lock, flags); + + if (!amd_chipset_sb_type_init(&info)) { +- ret = 0; + goto commit; + } + +- /* Below chipset generations needn't enable AMD PLL quirk */ +- if (info.sb_type.gen == AMD_CHIPSET_UNKNOWN || +- info.sb_type.gen == AMD_CHIPSET_SB600 || +- info.sb_type.gen == AMD_CHIPSET_YANGTZE || +- (info.sb_type.gen == AMD_CHIPSET_SB700 && +- info.sb_type.rev > 0x3b)) { ++ switch (info.sb_type.gen) { ++ case AMD_CHIPSET_SB700: ++ need_pll_quirk = info.sb_type.rev <= 0x3B; ++ break; ++ case AMD_CHIPSET_SB800: ++ 
case AMD_CHIPSET_HUDSON2: ++ case AMD_CHIPSET_BOLTON: ++ need_pll_quirk = 1; ++ break; ++ default: ++ need_pll_quirk = 0; ++ break; ++ } ++ ++ if (!need_pll_quirk) { + if (info.smbus_dev) { + pci_dev_put(info.smbus_dev); + info.smbus_dev = NULL; + } +- ret = 0; + goto commit; + } + +@@ -252,7 +259,7 @@ int usb_amd_find_chipset_info(void) + } + } + +- ret = info.probe_result = 1; ++ need_pll_quirk = info.probe_result = 1; + printk(KERN_DEBUG "QUIRK: Enable AMD PLL fix\n"); + + commit: +@@ -263,7 +270,7 @@ commit: + + /* Mark that we where here */ + amd_chipset.probe_count++; +- ret = amd_chipset.probe_result; ++ need_pll_quirk = amd_chipset.probe_result; + + spin_unlock_irqrestore(&amd_lock, flags); + +@@ -277,7 +284,7 @@ commit: + spin_unlock_irqrestore(&amd_lock, flags); + } + +- return ret; ++ return need_pll_quirk; + } + EXPORT_SYMBOL_GPL(usb_amd_find_chipset_info); + diff --git a/queue-5.2/usb-storage-add-a-limitation-for-blk_queue_max_hw_sectors.patch b/queue-5.2/usb-storage-add-a-limitation-for-blk_queue_max_hw_sectors.patch new file mode 100644 index 00000000000..ed0380ed55f --- /dev/null +++ b/queue-5.2/usb-storage-add-a-limitation-for-blk_queue_max_hw_sectors.patch 
@@ -0,0 +1,83 @@ +From d74ffae8b8dd17eaa8b82fc163e6aa2076dc8fb1 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Mon, 22 Jul 2019 19:58:25 +0900 +Subject: usb-storage: Add a limitation for blk_queue_max_hw_sectors() + +From: Yoshihiro Shimoda + +commit d74ffae8b8dd17eaa8b82fc163e6aa2076dc8fb1 upstream. + +This patch fixes an issue that the following error happens on +swiotlb environment: + + xhci-hcd ee000000.usb: swiotlb buffer is full (sz: 524288 bytes), total 32768 (slots), used 1338 (slots) + +On the kernel v5.1, block settings of a usb-storage with SuperSpeed +were the following so that the block layer will allocate buffers +up to 64 KiB, and then the issue didn't happen. + + max_segment_size = 65536 + max_hw_sectors_kb = 1024 + +After the commit 09324d32d2a0 ("block: force an unlimited segment +size on queues with a virt boundary") is applied, the block settings +are the following. So, the block layer will allocate buffers up to +1024 KiB, and then the issue happens: + + max_segment_size = 4294967295 + max_hw_sectors_kb = 1024 + +To fix the issue, the usb-storage driver checks the maximum size of +a mapping for the device and then adjusts the max_hw_sectors_kb +if required. After this patch is applied, the block settings will +be the following, and then the issue doesn't happen. + + max_segment_size = 4294967295 + max_hw_sectors_kb = 256 + +Fixes: 09324d32d2a0 ("block: force an unlimited segment size on queues with a virt boundary") +Cc: stable +Signed-off-by: Yoshihiro Shimoda +Acked-by: Alan Stern +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/1563793105-20597-1-git-send-email-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/scsiglue.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -28,6 +28,8 @@ + * status of a command. 
+ */ + ++#include ++#include + #include + #include + +@@ -99,6 +101,7 @@ static int slave_alloc (struct scsi_devi + static int slave_configure(struct scsi_device *sdev) + { + struct us_data *us = host_to_us(sdev->host); ++ struct device *dev = us->pusb_dev->bus->sysdev; + + /* + * Many devices have trouble transferring more than 32KB at a time, +@@ -129,6 +132,14 @@ static int slave_configure(struct scsi_d + } + + /* ++ * The max_hw_sectors should be up to maximum size of a mapping for ++ * the device. Otherwise, a DMA API might fail on swiotlb environment. ++ */ ++ blk_queue_max_hw_sectors(sdev->request_queue, ++ min_t(size_t, queue_max_hw_sectors(sdev->request_queue), ++ dma_max_mapping_size(dev) >> SECTOR_SHIFT)); ++ ++ /* + * Some USB host controllers can't do DMA; they have to use PIO. + * They indicate this by setting their dma_mask to NULL. For + * such controllers we need to make sure the block layer sets diff --git a/queue-5.2/usb-usb251xb-reallow-swap-dx-lanes-to-apply-to-the-upstream-port.patch b/queue-5.2/usb-usb251xb-reallow-swap-dx-lanes-to-apply-to-the-upstream-port.patch new file mode 100644 index 00000000000..8865a4ad560 --- /dev/null +++ b/queue-5.2/usb-usb251xb-reallow-swap-dx-lanes-to-apply-to-the-upstream-port.patch 
@@ -0,0 +1,80 @@
+From 4849ee6129702dcb05d36f9c7c61b4661fcd751f Mon Sep 17 00:00:00 2001
+From: Lucas Stach
+Date: Fri, 19 Jul 2019 10:44:07 +0200
+Subject: usb: usb251xb: Reallow swap-dx-lanes to apply to the upstream port
+
+From: Lucas Stach
+
+commit 4849ee6129702dcb05d36f9c7c61b4661fcd751f upstream.
+
+This is a partial revert of 73d31def1aab "usb: usb251xb: Create a ports
+field collector method", which broke a existing devicetree
+(arch/arm64/boot/dts/freescale/imx8mq.dtsi).
+
+There is no reason why the swap-dx-lanes property should not apply to
+the upstream port. The reason given in the breaking commit was that it's
+inconsitent with respect to other port properties, but in fact it is not.
+All other properties which only apply to the downstream ports explicitly
+reject port 0, so there is pretty strong precedence that the driver
+referred to the upstream port as port 0. So there is no inconsistency in
+this property at all, other than the swapping being also applicable to
+the upstream port.
+
+CC: stable@vger.kernel.org #5.2
+Signed-off-by: Lucas Stach
+Link: https://lore.kernel.org/r/20190719084407.28041-3-l.stach@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/usb251xb.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/misc/usb251xb.c
++++ b/drivers/usb/misc/usb251xb.c
+@@ -375,7 +375,8 @@ out_err:
+
+ #ifdef CONFIG_OF
+ static void usb251xb_get_ports_field(struct usb251xb *hub,
+- const char *prop_name, u8 port_cnt, u8 *fld)
++ const char *prop_name, u8 port_cnt,
++ bool ds_only, u8 *fld)
+ {
+ struct device *dev = hub->dev;
+ struct property *prop;
+@@ -383,7 +384,7 @@ static void usb251xb_get_ports_field(str
+ u32 port;
+
+ of_property_for_each_u32(dev->of_node, prop_name, prop, p, port) {
+- if ((port >= 1) && (port <= port_cnt))
++ if ((port >= ds_only ? 1 : 0) && (port <= port_cnt))
+ *fld |= BIT(port);
+ else
+ dev_warn(dev, "port %u doesn't exist\n", port);
+@@ -501,15 +502,15 @@ static int usb251xb_get_ofdata(struct us
+
+ hub->non_rem_dev = USB251XB_DEF_NON_REMOVABLE_DEVICES;
+ usb251xb_get_ports_field(hub, "non-removable-ports", data->port_cnt,
+- &hub->non_rem_dev);
++ true, &hub->non_rem_dev);
+
+ hub->port_disable_sp = USB251XB_DEF_PORT_DISABLE_SELF;
+ usb251xb_get_ports_field(hub, "sp-disabled-ports", data->port_cnt,
+- &hub->port_disable_sp);
++ true, &hub->port_disable_sp);
+
+ hub->port_disable_bp = USB251XB_DEF_PORT_DISABLE_BUS;
+ usb251xb_get_ports_field(hub, "bp-disabled-ports", data->port_cnt,
+- &hub->port_disable_bp);
++ true, &hub->port_disable_bp);
+
+ hub->max_power_sp = USB251XB_DEF_MAX_POWER_SELF;
+ if (!of_property_read_u32(np, "sp-max-total-current-microamp",
+@@ -573,7 +574,7 @@ static int usb251xb_get_ofdata(struct us
+ */
+ hub->port_swap = USB251XB_DEF_PORT_SWAP;
+ usb251xb_get_ports_field(hub, "swap-dx-lanes", data->port_cnt,
+- &hub->port_swap);
++ false, &hub->port_swap);
+
+ /* The following parameters are currently not exposed to devicetree, but
+ * may be as soon as needed.
diff --git a/queue-5.2/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch b/queue-5.2/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
new file mode 100644
index 00000000000..a553ae6ecde
--- /dev/null
+++ b/queue-5.2/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
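Review bot: The new range check `(port >= ds_only ? 1 : 0)` in usb251xb_get_ports_field() parses as `(port >= ds_only) ? 1 : 0`, because `>=` binds tighter than `?:`. With `port` being a u32 it happens to give the intended result for both values of ds_only, but only by coincidence, and compilers may warn about the missing parentheses. Parenthesise the ternary: `if ((port >= (ds_only ? 1 : 0)) && (port <= port_cnt))`. The function body extends beyond this hunk.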
@@ -0,0 +1,61 @@
+From f90bf1ece48a736097ea224430578fe586a9544c Mon Sep 17 00:00:00 2001
+From: Phong Tran
+Date: Wed, 24 Jul 2019 09:06:01 +0700
+Subject: usb: wusbcore: fix unbalanced get/put cluster_id
+
+From: Phong Tran
+
+commit f90bf1ece48a736097ea224430578fe586a9544c upstream.
+
+syzboot reported that
+https://syzkaller.appspot.com/bug?extid=fd2bd7df88c606eea4ef
+
+There is not consitency parameter in cluste_id_get/put calling.
+In case of getting the id with result is failure, the wusbhc->cluster_id
+will not be updated and this can not be used for wusb_cluster_id_put().
+
+Tested report
+https://groups.google.com/d/msg/syzkaller-bugs/0znZopp3-9k/oxOrhLkLEgAJ
+
+Reproduce and gdb got the details:
+
+139 addr = wusb_cluster_id_get();
+(gdb) n
+140 if (addr == 0)
+(gdb) print addr
+$1 = 254 '\376'
+(gdb) n
+142 result = __hwahc_set_cluster_id(hwahc, addr);
+(gdb) print result
+$2 = -71
+(gdb) break wusb_cluster_id_put
+Breakpoint 3 at 0xffffffff836e3f20: file drivers/usb/wusbcore/wusbhc.c, line 384.
+(gdb) s
+Thread 2 hit Breakpoint 3, wusb_cluster_id_put (id=0 '\000') at drivers/usb/wusbcore/wusbhc.c:384
+384 id = 0xff - id;
+(gdb) n
+385 BUG_ON(id >= CLUSTER_IDS);
+(gdb) print id
+$3 = 255 '\377'
+
+Reported-by: syzbot+fd2bd7df88c606eea4ef@syzkaller.appspotmail.com
+Signed-off-by: Phong Tran
+Cc: stable
+Link: https://lore.kernel.org/r/20190724020601.15257-1-tranmanphong@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/hwa-hc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/hwa-hc.c
++++ b/drivers/usb/host/hwa-hc.c
+@@ -159,7 +159,7 @@ out:
+ return result;
+
+ error_set_cluster_id:
+- wusb_cluster_id_put(wusbhc->cluster_id);
++ wusb_cluster_id_put(addr);
+ error_cluster_id_get:
+ goto out;
+
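Review bot: On the `error_set_cluster_id` path the put now receives `addr`, but the gdb session in the description shows wusb_cluster_id_put() going through `BUG_ON(id >= CLUSTER_IDS)`, so any future get/put mismatch on an error path a device can provoke still brings the whole kernel down. Consider making the callee fail soft, for example `if (WARN_ON(id >= CLUSTER_IDS)) return;`, in drivers/usb/wusbcore/wusbhc.c; that function is not part of this hunk, so its remaining lines need checking first. A short comment at the label, `/* wusbhc->cluster_id is only updated on success; release the id we actually obtained */`, would record why `addr` is used here.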
diff --git a/queue-5.2/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch b/queue-5.2/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
new file mode 100644
index 00000000000..9bdd8e8279a
--- /dev/null
+++ b/queue-5.2/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
@@ -0,0 +1,41 @@
+From 517c3ba00916383af6411aec99442c307c23f684 Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan
+Date: Thu, 25 Jul 2019 10:39:09 +0800
+Subject: x86/speculation/mds: Apply more accurate check on hypervisor platform
+
+From: Zhenzhong Duan
+
+commit 517c3ba00916383af6411aec99442c307c23f684 upstream.
+
+X86_HYPER_NATIVE isn't accurate for checking if running on native platform,
+e.g. CONFIG_HYPERVISOR_GUEST isn't set or "nopv" is enabled.
+
+Checking the CPU feature bit X86_FEATURE_HYPERVISOR to determine if it's
+running on native platform is more accurate.
+
+This still doesn't cover the platforms on which X86_FEATURE_HYPERVISOR is
+unsupported, e.g. VMware, but there is nothing which can be done about this
+scenario.
+
+Fixes: 8a4b06d391b0 ("x86/speculation/mds: Add sysfs reporting for MDS")
+Signed-off-by: Zhenzhong Duan
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1564022349-17338-1-git-send-email-zhenzhong.duan@oracle.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/bugs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1226,7 +1226,7 @@ static ssize_t l1tf_show_state(char *buf
+
+ static ssize_t mds_show_state(char *buf)
+ {
+- if (!hypervisor_is_type(X86_HYPER_NATIVE)) {
++ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
+ return sprintf(buf, "%s; SMT Host state unknown\n",
+ mds_strings[mds_mitigation]);
+ }
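Review bot: The new `boot_cpu_has(X86_FEATURE_HYPERVISOR)` test in mds_show_state() has no comment saying why a CPU feature bit decides the branch, so the code itself does not show that a guest whose hypervisor leaves the bit clear is reported as if it ran on bare metal. I would add above the `if`: `/* A guest cannot know the host's SMT state. The CPUID hypervisor bit is checked because the detected hypervisor type can read as native; hypervisors that hide the bit are not covered. */`. The context line below it formats into the sysfs buffer with an unbounded `sprintf()`; `scnprintf(buf, PAGE_SIZE, ...)` would make the bound explicit. The rest of mds_show_state() lies outside the hunk.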
diff --git a/queue-5.2/x86-stacktrace-prevent-access_ok-warnings-in-arch_stack_walk_user.patch b/queue-5.2/x86-stacktrace-prevent-access_ok-warnings-in-arch_stack_walk_user.patch
new file mode 100644
index 00000000000..2cf5d7975d7
--- /dev/null
+++ b/queue-5.2/x86-stacktrace-prevent-access_ok-warnings-in-arch_stack_walk_user.patch
@@ -0,0 +1,62 @@
+From 2af7c85714d8cafadf925d55441458eae312cd6b Mon Sep 17 00:00:00 2001
+From: Eiichi Tsukata
+Date: Mon, 22 Jul 2019 17:32:16 +0900
+Subject: x86/stacktrace: Prevent access_ok() warnings in arch_stack_walk_user()
+
+From: Eiichi Tsukata
+
+commit 2af7c85714d8cafadf925d55441458eae312cd6b upstream.
+
+When arch_stack_walk_user() is called from atomic contexts, access_ok() can
+trigger the following warning if compiled with CONFIG_DEBUG_ATOMIC_SLEEP=y.
+
+Reproducer:
+
+ // CONFIG_DEBUG_ATOMIC_SLEEP=y
+ # cd /sys/kernel/debug/tracing
+ # echo 1 > options/userstacktrace
+ # echo 1 > events/irq/irq_handler_entry/enable
+
+ WARNING: CPU: 0 PID: 2649 at arch/x86/kernel/stacktrace.c:103 arch_stack_walk_user+0x6e/0xf6
+ CPU: 0 PID: 2649 Comm: bash Not tainted 5.3.0-rc1+ #99
+ RIP: 0010:arch_stack_walk_user+0x6e/0xf6
+ Call Trace:
+
+ stack_trace_save_user+0x10a/0x16d
+ trace_buffer_unlock_commit_regs+0x185/0x240
+ trace_event_buffer_commit+0xec/0x330
+ trace_event_raw_event_irq_handler_entry+0x159/0x1e0
+ __handle_irq_event_percpu+0x22d/0x440
+ handle_irq_event_percpu+0x70/0x100
+ handle_irq_event+0x5a/0x8b
+ handle_edge_irq+0x12f/0x3f0
+ handle_irq+0x34/0x40
+ do_IRQ+0xa6/0x1f0
+ common_interrupt+0xf/0xf
+
+
+Fix it by calling __range_not_ok() directly instead of access_ok() as
+copy_from_user_nmi() does. This is fine here because the actual copy is
+inside a pagefault disabled region.
+
+Reported-by: Juri Lelli
+Signed-off-by: Eiichi Tsukata
+Signed-off-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20190722083216.16192-2-devel@etsukata.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/stacktrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/stacktrace.c
++++ b/arch/x86/kernel/stacktrace.c
+@@ -100,7 +100,7 @@ copy_stack_frame(const void __user *fp,
+ {
+ int ret;
+
+- if (!access_ok(fp, sizeof(*frame)))
++ if (__range_not_ok(fp, sizeof(*frame), TASK_SIZE))
+ return 0;
+
+ ret = 1;
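Review bot: The replacement check `__range_not_ok(fp, sizeof(*frame), TASK_SIZE)` in copy_stack_frame() deliberately bypasses access_ok(), but nothing in the code says so, and a later cleanup could switch it back or copy the pattern to a place where the access is not fault-protected. Add a comment above the `if`: `/* Not access_ok(): this can run in atomic context. Safe only because the copy below runs with page faults disabled. */`. The page-fault-disabled region is asserted in the description and lies outside this hunk, so confirm it against the rest of the function. The same comment should mention that the bound is the fixed TASK_SIZE rather than whatever limit access_ok() would apply.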
diff --git a/queue-5.2/x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch b/queue-5.2/x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch
new file mode 100644
index 00000000000..04e5430b5d5
--- /dev/null
+++ b/queue-5.2/x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch
@@ -0,0 +1,91 @@
+From d02f1aa39189e0619c3525d5cd03254e61bf606a Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Sun, 21 Jul 2019 17:24:18 +0200
+Subject: x86/sysfb_efi: Add quirks for some devices with swapped width and height
+
+From: Hans de Goede
+
+commit d02f1aa39189e0619c3525d5cd03254e61bf606a upstream.
+
+Some Lenovo 2-in-1s with a detachable keyboard have a portrait screen but
+advertise a landscape resolution and pitch, resulting in a messed up
+display if the kernel tries to show anything on the efifb (because of the
+wrong pitch).
+
+Fix this by adding a new DMI match table for devices which need to have
+their width and height swapped.
+
+At first it was tried to use the existing table for overriding some of the
+efifb parameters, but some of the affected devices have variants with
+different LCD resolutions which will not work with hardcoded override
+values.
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1730783
+Signed-off-by: Hans de Goede
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190721152418.11644-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/sysfb_efi.c | 46 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+--- a/arch/x86/kernel/sysfb_efi.c
++++ b/arch/x86/kernel/sysfb_efi.c
+@@ -230,9 +230,55 @@ static const struct dmi_system_id efifb_
+ {},
+ };
+
++/*
++ * Some devices have a portrait LCD but advertise a landscape resolution (and
++ * pitch). We simply swap width and height for these devices so that we can
++ * correctly deal with some of them coming with multiple resolutions.
++ */
++static const struct dmi_system_id efifb_dmi_swap_width_height[] __initconst = {
++ {
++ /*
++ * Lenovo MIIX310-10ICR, only some batches have the troublesome
++ * 800x1280 portrait screen. Luckily the portrait version has
++ * its own BIOS version, so we match on that.
++ */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "MIIX 310-10ICR"),
++ DMI_EXACT_MATCH(DMI_BIOS_VERSION, "1HCN44WW"),
++ },
++ },
++ {
++ /* Lenovo MIIX 320-10ICR with 800x1280 portrait screen */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION,
++ "Lenovo MIIX 320-10ICR"),
++ },
++ },
++ {
++ /* Lenovo D330 with 800x1280 or 1200x1920 portrait screen */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION,
++ "Lenovo ideapad D330-10IGM"),
++ },
++ },
++ {},
++};
++
+ __init void sysfb_apply_efi_quirks(void)
+ {
+ if (screen_info.orig_video_isVGA != VIDEO_TYPE_EFI ||
+ !(screen_info.capabilities & VIDEO_CAPABILITY_SKIP_QUIRKS))
+ dmi_check_system(efifb_dmi_system_table);
++
++ if (screen_info.orig_video_isVGA == VIDEO_TYPE_EFI &&
++ dmi_check_system(efifb_dmi_swap_width_height)) {
++ u16 temp = screen_info.lfb_width;
++
++ screen_info.lfb_width = screen_info.lfb_height;
++ screen_info.lfb_height = temp;
++ screen_info.lfb_linelength = 4 * screen_info.lfb_width;
++ }
+ }
diff --git a/queue-5.2/xhci-fix-crash-if-scatter-gather-is-used-with-immediate-data-transfer-idt.patch b/queue-5.2/xhci-fix-crash-if-scatter-gather-is-used-with-immediate-data-transfer-idt.patch
new file mode 100644
index 00000000000..79dfdacbde8
--- /dev/null
+++ b/queue-5.2/xhci-fix-crash-if-scatter-gather-is-used-with-immediate-data-transfer-idt.patch
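Review bot: In sysfb_apply_efi_quirks() the swapped pitch is computed as `4 * screen_info.lfb_width`, which hard-codes 32 bits per pixel. If one of the matched machines reports another depth, the line length is wrong again; deriving it from the reported depth, `screen_info.lfb_linelength = screen_info.lfb_width * DIV_ROUND_UP(screen_info.lfb_depth, 8);`, or at least a comment stating that these panels are always 32 bpp, would remove the magic number. The new block also runs regardless of VIDEO_CAPABILITY_SKIP_QUIRKS, unlike the table lookup just above it; if that is intended it deserves a one-line comment.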
@@ -0,0 +1,49 @@
+From d39b5bad8658d6d94cb2d98a44a7e159db4f5030 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Thu, 25 Jul 2019 11:54:21 +0300
+Subject: xhci: Fix crash if scatter gather is used with Immediate Data Transfer (IDT).
+
+From: Mathias Nyman
+
+commit d39b5bad8658d6d94cb2d98a44a7e159db4f5030 upstream.
+
+A second regression was found in the immediate data transfer (IDT)
+support which was added to 5.2 kernel
+
+IDT is used to transfer small amounts of data (up to 8 bytes) in the
+field normally used for data dma address, thus avoiding dma mapping.
+
+If the data was not already dma mapped, then IDT support assumed data was
+in urb->transfer_buffer, and did not take into accound that even
+small amounts of data (8 bytes) can be in a scatterlist instead.
+
+This caused a NULL pointer dereference when sg_dma_len() was used
+with non-dma mapped data.
+
+Solve this by not using IDT if scatter gather buffer list is used.
+
+Fixes: 33e39350ebd2 ("usb: xhci: add Immediate Data Transfer support")
+Cc: # v5.2
+Reported-by: Maik Stohn
+Tested-by: Maik Stohn
+CC: Nicolas Saenz Julienne
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/1564044861-1445-1-git-send-email-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -2170,7 +2170,8 @@ static inline bool xhci_urb_suitable_for
+ if (!usb_endpoint_xfer_isoc(&urb->ep->desc) && usb_urb_dir_out(urb) &&
+ usb_endpoint_maxp(&urb->ep->desc) >= TRB_IDT_MAX_SIZE &&
+ urb->transfer_buffer_length <= TRB_IDT_MAX_SIZE &&
+- !(urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP))
++ !(urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP) &&
++ !urb->num_sgs)
+ return true;
+
+ return false;
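Review bot: The added `!urb->num_sgs` clause closes the scatter-gather case, but the five-clause condition still carries no comment tying it to the one assumption behind it, namely that IDT takes the payload from `urb->transfer_buffer`. I would put above the `if`: `/* IDT reads the data from urb->transfer_buffer, so skip URBs that are already DMA-mapped or that carry their data in a scatterlist. */`. It may also be worth checking, outside this hunk, whether `urb->transfer_buffer` can still be NULL when both exclusions pass. The function starts before the hunk; its name is cut off in the hunk header.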