From: Greg Kroah-Hartman Date: Wed, 24 Feb 2021 09:05:52 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.11.2~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3c8fba29b329216576e40a3ff8fc2710d7784b9f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: bpf-fix-truncation-handling-for-mod32-dst-reg-wrt-zero.patch hid-make-arrays-usage-and-value-to-be-the-same.patch nvme-rdma-use-ibdev_to_node-instead-of-dereferencing-dma_device.patch rdma-lift-ibdev_to_node-from-rds-to-common-code.patch usb-quirks-add-quirk-to-start-video-capture-on-elmo-l-12f-document-camera-reliable.patch usb-quirks-sort-quirk-entries.patch --- diff --git a/queue-5.10/bpf-fix-truncation-handling-for-mod32-dst-reg-wrt-zero.patch b/queue-5.10/bpf-fix-truncation-handling-for-mod32-dst-reg-wrt-zero.patch new file mode 100644 index 00000000000..1a404686558 --- /dev/null +++ b/queue-5.10/bpf-fix-truncation-handling-for-mod32-dst-reg-wrt-zero.patch @@ -0,0 +1,120 @@ +From 9b00f1b78809309163dda2d044d9e94a3c0248a3 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Wed, 10 Feb 2021 14:14:42 +0100 +Subject: bpf: Fix truncation handling for mod32 dst reg wrt zero + +From: Daniel Borkmann + +commit 9b00f1b78809309163dda2d044d9e94a3c0248a3 upstream. + +Recently noticed that when mod32 with a known src reg of 0 is performed, +then the dst register is 32-bit truncated in verifier: + + 0: R1=ctx(id=0,off=0,imm=0) R10=fp0 + 0: (b7) r0 = 0 + 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0 + 1: (b7) r1 = -1 + 2: R0_w=inv0 R1_w=inv-1 R10=fp0 + 2: (b4) w2 = -1 + 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0 + 3: (9c) w1 %= w0 + 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0 + 4: (b7) r0 = 1 + 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0 + 5: (1d) if r1 == r2 goto pc+1 + R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0 + 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0 + 6: (b7) r0 = 2 + 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0 + 7: (95) exit + 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0 + 7: (95) exit + +However, as a runtime result, we get 2 instead of 1, meaning the dst +register does not contain (u32)-1 in this case. The reason is fairly +straight forward given the 0 test leaves the dst register as-is: + + # ./bpftool p d x i 23 + 0: (b7) r0 = 0 + 1: (b7) r1 = -1 + 2: (b4) w2 = -1 + 3: (16) if w0 == 0x0 goto pc+1 + 4: (9c) w1 %= w0 + 5: (b7) r0 = 1 + 6: (1d) if r1 == r2 goto pc+1 + 7: (b7) r0 = 2 + 8: (95) exit + +This was originally not an issue given the dst register was marked as +completely unknown (aka 64 bit unknown). However, after 468f6eafa6c4 +("bpf: fix 32-bit ALU op verification") the verifier casts the register +output to 32 bit, and hence it becomes 32 bit unknown. Note that for +the case where the src register is unknown, the dst register is marked +64 bit unknown. After the fix, the register is truncated by the runtime +and the test passes: + + # ./bpftool p d x i 23 + 0: (b7) r0 = 0 + 1: (b7) r1 = -1 + 2: (b4) w2 = -1 + 3: (16) if w0 == 0x0 goto pc+2 + 4: (9c) w1 %= w0 + 5: (05) goto pc+1 + 6: (bc) w1 = w1 + 7: (b7) r0 = 1 + 8: (1d) if r1 == r2 goto pc+1 + 9: (b7) r0 = 2 + 10: (95) exit + +Semantics also match with {R,W}x mod{64,32} 0 -> {R,W}x. Invalid div +has always been {R,W}x div{64,32} 0 -> 0. Rewrites are as follows: + + mod32: mod64: + + (16) if w0 == 0x0 goto pc+2 (15) if r0 == 0x0 goto pc+1 + (9c) w1 %= w0 (9f) r1 %= r0 + (05) goto pc+1 + (bc) w1 = w1 + +Fixes: 468f6eafa6c4 ("bpf: fix 32-bit ALU op verification") +Signed-off-by: Daniel Borkmann +Reviewed-by: John Fastabend +Acked-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -10869,7 +10869,7 @@ static int fixup_bpf_calls(struct bpf_ve + bool isdiv = BPF_OP(insn->code) == BPF_DIV; + struct bpf_insn *patchlet; + struct bpf_insn chk_and_div[] = { +- /* Rx div 0 -> 0 */ ++ /* [R,W]x div 0 -> 0 */ + BPF_RAW_INSN((is64 ? BPF_JMP : BPF_JMP32) | + BPF_JNE | BPF_K, insn->src_reg, + 0, 2, 0), +@@ -10878,16 +10878,18 @@ static int fixup_bpf_calls(struct bpf_ve + *insn, + }; + struct bpf_insn chk_and_mod[] = { +- /* Rx mod 0 -> Rx */ ++ /* [R,W]x mod 0 -> [R,W]x */ + BPF_RAW_INSN((is64 ? BPF_JMP : BPF_JMP32) | + BPF_JEQ | BPF_K, insn->src_reg, +- 0, 1, 0), ++ 0, 1 + (is64 ? 0 : 1), 0), + *insn, ++ BPF_JMP_IMM(BPF_JA, 0, 0, 1), ++ BPF_MOV32_REG(insn->dst_reg, insn->dst_reg), + }; + + patchlet = isdiv ? chk_and_div : chk_and_mod; + cnt = isdiv ? ARRAY_SIZE(chk_and_div) : +- ARRAY_SIZE(chk_and_mod); ++ ARRAY_SIZE(chk_and_mod) - (is64 ? 2 : 0); + + new_prog = bpf_patch_insn_data(env, i + delta, patchlet, cnt); + if (!new_prog) diff --git a/queue-5.10/hid-make-arrays-usage-and-value-to-be-the-same.patch b/queue-5.10/hid-make-arrays-usage-and-value-to-be-the-same.patch new file mode 100644 index 00000000000..5b540828ad8 --- /dev/null +++ b/queue-5.10/hid-make-arrays-usage-and-value-to-be-the-same.patch @@ -0,0 +1,57 @@ +From ed9be64eefe26d7d8b0b5b9fa3ffdf425d87a01f Mon Sep 17 00:00:00 2001 +From: Will McVicker +Date: Sat, 5 Dec 2020 00:48:48 +0000 +Subject: HID: make arrays usage and value to be the same + +From: Will McVicker + +commit ed9be64eefe26d7d8b0b5b9fa3ffdf425d87a01f upstream. + +The HID subsystem allows an "HID report field" to have a different +number of "values" and "usages" when it is allocated. When a field +struct is created, the size of the usage array is guaranteed to be at +least as large as the values array, but it may be larger. This leads to +a potential out-of-bounds write in +__hidinput_change_resolution_multipliers() and an out-of-bounds read in +hidinput_count_leds(). + +To fix this, let's make sure that both the usage and value arrays are +the same size. + +Cc: stable@vger.kernel.org +Signed-off-by: Will McVicker +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -90,7 +90,7 @@ EXPORT_SYMBOL_GPL(hid_register_report); + * Register a new field for this report. + */ + +-static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages, unsigned values) ++static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages) + { + struct hid_field *field; + +@@ -101,7 +101,7 @@ static struct hid_field *hid_register_fi + + field = kzalloc((sizeof(struct hid_field) + + usages * sizeof(struct hid_usage) + +- values * sizeof(unsigned)), GFP_KERNEL); ++ usages * sizeof(unsigned)), GFP_KERNEL); + if (!field) + return NULL; + +@@ -300,7 +300,7 @@ static int hid_add_field(struct hid_pars + usages = max_t(unsigned, parser->local.usage_index, + parser->global.report_count); + +- field = hid_register_field(report, usages, parser->global.report_count); ++ field = hid_register_field(report, usages); + if (!field) + return 0; + diff --git a/queue-5.10/nvme-rdma-use-ibdev_to_node-instead-of-dereferencing-dma_device.patch b/queue-5.10/nvme-rdma-use-ibdev_to_node-instead-of-dereferencing-dma_device.patch new file mode 100644 index 00000000000..4181bf09db0 --- /dev/null +++ b/queue-5.10/nvme-rdma-use-ibdev_to_node-instead-of-dereferencing-dma_device.patch @@ -0,0 +1,33 @@ +From 22dd4c707673129ed17e803b4bf68a567b2731db Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Fri, 6 Nov 2020 19:19:35 +0100 +Subject: nvme-rdma: Use ibdev_to_node instead of dereferencing ->dma_device + +From: Christoph Hellwig + +commit 22dd4c707673129ed17e803b4bf68a567b2731db upstream. + +->dma_device is a private implementation detail of the RDMA core. Use the +ibdev_to_node helper to get the NUMA node for a ib_device instead of +poking into ->dma_device. + +Link: https://lore.kernel.org/r/20201106181941.1878556-5-hch@lst.de +Signed-off-by: Christoph Hellwig +Signed-off-by: Jason Gunthorpe +Cc: Krishnamraju Eraparaju +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/rdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -860,7 +860,7 @@ static int nvme_rdma_configure_admin_que + return error; + + ctrl->device = ctrl->queues[0].device; +- ctrl->ctrl.numa_node = dev_to_node(ctrl->device->dev->dma_device); ++ ctrl->ctrl.numa_node = ibdev_to_node(ctrl->device->dev); + + /* T10-PI support */ + if (ctrl->device->dev->attrs.device_cap_flags & diff --git a/queue-5.10/rdma-lift-ibdev_to_node-from-rds-to-common-code.patch b/queue-5.10/rdma-lift-ibdev_to_node-from-rds-to-common-code.patch new file mode 100644 index 00000000000..cc1338cbf6f --- /dev/null +++ b/queue-5.10/rdma-lift-ibdev_to_node-from-rds-to-common-code.patch @@ -0,0 +1,59 @@ +From 8ecfca68dc4cbee1272a0161e3f2fb9387dc6930 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Fri, 6 Nov 2020 19:19:34 +0100 +Subject: RDMA: Lift ibdev_to_node from rds to common code + +From: Christoph Hellwig + +commit 8ecfca68dc4cbee1272a0161e3f2fb9387dc6930 upstream. + +Lift the ibdev_to_node from rds to common code and document it. + +Link: https://lore.kernel.org/r/20201106181941.1878556-4-hch@lst.de +Signed-off-by: Christoph Hellwig +Signed-off-by: Jason Gunthorpe +Cc: Krishnamraju Eraparaju +Signed-off-by: Greg Kroah-Hartman +--- + include/rdma/ib_verbs.h | 13 +++++++++++++ + net/rds/ib.h | 7 ------- + 2 files changed, 13 insertions(+), 7 deletions(-) + +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -4643,6 +4643,19 @@ static inline struct ib_device *rdma_dev + } + + /** ++ * ibdev_to_node - return the NUMA node for a given ib_device ++ * @dev: device to get the NUMA node for. ++ */ ++static inline int ibdev_to_node(struct ib_device *ibdev) ++{ ++ struct device *parent = ibdev->dev.parent; ++ ++ if (!parent) ++ return NUMA_NO_NODE; ++ return dev_to_node(parent); ++} ++ ++/** + * rdma_device_to_drv_device - Helper macro to reach back to driver's + * ib_device holder structure from device pointer. + * +--- a/net/rds/ib.h ++++ b/net/rds/ib.h +@@ -264,13 +264,6 @@ struct rds_ib_device { + int *vector_load; + }; + +-static inline int ibdev_to_node(struct ib_device *ibdev) +-{ +- struct device *parent; +- +- parent = ibdev->dev.parent; +- return parent ? dev_to_node(parent) : NUMA_NO_NODE; +-} + #define rdsibdev_to_node(rdsibdev) ibdev_to_node(rdsibdev->dev) + + /* bits for i_ack_flags */ diff --git a/queue-5.10/usb-quirks-add-quirk-to-start-video-capture-on-elmo-l-12f-document-camera-reliable.patch b/queue-5.10/usb-quirks-add-quirk-to-start-video-capture-on-elmo-l-12f-document-camera-reliable.patch new file mode 100644 index 00000000000..6c62fa08234 --- /dev/null +++ b/queue-5.10/usb-quirks-add-quirk-to-start-video-capture-on-elmo-l-12f-document-camera-reliable.patch @@ -0,0 +1,33 @@ +From 1ebe718bb48278105816ba03a0408ecc2d6cf47f Mon Sep 17 00:00:00 2001 +From: Stefan Ursella +Date: Wed, 10 Feb 2021 15:07:11 +0100 +Subject: usb: quirks: add quirk to start video capture on ELMO L-12F document camera reliable + +From: Stefan Ursella + +commit 1ebe718bb48278105816ba03a0408ecc2d6cf47f upstream. + +Without this quirk starting a video capture from the device often fails with + +kernel: uvcvideo: Failed to set UVC probe control : -110 (exp. 34). + +Signed-off-by: Stefan Ursella +Link: https://lore.kernel.org/r/20210210140713.18711-1-stefan.ursella@wolfvision.net +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -391,6 +391,9 @@ static const struct usb_device_id usb_qu + /* X-Rite/Gretag-Macbeth Eye-One Pro display colorimeter */ + { USB_DEVICE(0x0971, 0x2000), .driver_info = USB_QUIRK_NO_SET_INTF }, + ++ /* ELMO L-12F document camera */ ++ { USB_DEVICE(0x09a1, 0x0028), .driver_info = USB_QUIRK_DELAY_CTRL_MSG }, ++ + /* Broadcom BCM92035DGROM BT dongle */ + { USB_DEVICE(0x0a5c, 0x2021), .driver_info = USB_QUIRK_RESET_RESUME }, + diff --git a/queue-5.10/usb-quirks-sort-quirk-entries.patch b/queue-5.10/usb-quirks-sort-quirk-entries.patch new file mode 100644 index 00000000000..82936caf823 --- /dev/null +++ b/queue-5.10/usb-quirks-sort-quirk-entries.patch @@ -0,0 +1,42 @@ +From 43861d29c0810a70792bf69d37482efb7bb6677d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 10 Feb 2021 12:17:46 +0100 +Subject: USB: quirks: sort quirk entries + +From: Johan Hovold + +commit 43861d29c0810a70792bf69d37482efb7bb6677d upstream. + +Move the last entry to its proper place to maintain the VID/PID sort +order. + +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210210111746.13360-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/quirks.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -415,6 +415,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x10d6, 0x2200), .driver_info = + USB_QUIRK_STRING_FETCH_255 }, + ++ /* novation SoundControl XL */ ++ { USB_DEVICE(0x1235, 0x0061), .driver_info = USB_QUIRK_RESET_RESUME }, ++ + /* Huawei 4G LTE module */ + { USB_DEVICE(0x12d1, 0x15bb), .driver_info = + USB_QUIRK_DISCONNECT_SUSPEND }, +@@ -495,9 +498,6 @@ static const struct usb_device_id usb_qu + /* INTEL VALUE SSD */ + { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME }, + +- /* novation SoundControl XL */ +- { USB_DEVICE(0x1235, 0x0061), .driver_info = USB_QUIRK_RESET_RESUME }, +- + { } /* terminating entry must be last */ + }; +