From: Greg Kroah-Hartman Date: Wed, 19 Aug 2020 11:52:32 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.14.194~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d742521cd4429283019f683028a4072b2ea22f9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch xtensa-fix-xtensa_pmu_setup-prototype.patch --- diff --git a/queue-4.19/cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch b/queue-4.19/cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch new file mode 100644 index 00000000000..1f7c686abd4 --- /dev/null +++ b/queue-4.19/cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch 
@@ -0,0 +1,164 @@ +From baf57b56d3604880ccb3956ec6c62ea894f5de99 Mon Sep 17 00:00:00 2001 +From: Paul Aurich +Date: Thu, 9 Jul 2020 22:01:16 -0700 +Subject: cifs: Fix leak when handling lease break for cached root fid + +From: Paul Aurich + +commit baf57b56d3604880ccb3956ec6c62ea894f5de99 upstream. + +Handling a lease break for the cached root didn't free the +smb2_lease_break_work allocation, resulting in a leak: + + unreferenced object 0xffff98383a5af480 (size 128): + comm "cifsd", pid 684, jiffies 4294936606 (age 534.868s) + hex dump (first 32 bytes): + c0 ff ff ff 1f 00 00 00 88 f4 5a 3a 38 98 ff ff ..........Z:8... + 88 f4 5a 3a 38 98 ff ff 80 88 d6 8a ff ff ff ff ..Z:8........... + backtrace: + [<0000000068957336>] smb2_is_valid_oplock_break+0x1fa/0x8c0 + [<0000000073b70b9e>] cifs_demultiplex_thread+0x73d/0xcc0 + [<00000000905fa372>] kthread+0x11c/0x150 + [<0000000079378e4e>] ret_from_fork+0x22/0x30 + +Avoid this leak by only allocating when necessary. + +Fixes: a93864d93977 ("cifs: add lease tracking to the cached root fid") +Signed-off-by: Paul Aurich +CC: Stable # v4.18+ +Reviewed-by: Aurelien Aptel +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2misc.c | 73 +++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 52 insertions(+), 21 deletions(-) + +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -509,15 +509,31 @@ cifs_ses_oplock_break(struct work_struct + kfree(lw); + } + ++static void ++smb2_queue_pending_open_break(struct tcon_link *tlink, __u8 *lease_key, ++ __le32 new_lease_state) ++{ ++ struct smb2_lease_break_work *lw; ++ ++ lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL); ++ if (!lw) { ++ cifs_put_tlink(tlink); ++ return; ++ } ++ ++ INIT_WORK(&lw->lease_break, cifs_ses_oplock_break); ++ lw->tlink = tlink; ++ lw->lease_state = new_lease_state; ++ memcpy(lw->lease_key, lease_key, SMB2_LEASE_KEY_SIZE); ++ queue_work(cifsiod_wq, &lw->lease_break); ++} ++ + static bool 
+-smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp, +- struct smb2_lease_break_work *lw) ++smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp) + { +- bool found; + __u8 lease_state; + struct list_head *tmp; + struct cifsFileInfo *cfile; +- struct cifs_pending_open *open; + struct cifsInodeInfo *cinode; + int ack_req = le32_to_cpu(rsp->Flags & + SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); +@@ -556,22 +572,29 @@ smb2_tcon_has_lease(struct cifs_tcon *tc + &cinode->flags); + + cifs_queue_oplock_break(cfile); +- kfree(lw); + return true; + } + +- found = false; ++ return false; ++} ++ ++static struct cifs_pending_open * ++smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon, ++ struct smb2_lease_break *rsp) ++{ ++ __u8 lease_state = le32_to_cpu(rsp->NewLeaseState); ++ int ack_req = le32_to_cpu(rsp->Flags & ++ SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); ++ struct cifs_pending_open *open; ++ struct cifs_pending_open *found = NULL; ++ + list_for_each_entry(open, &tcon->pending_opens, olist) { + if (memcmp(open->lease_key, rsp->LeaseKey, + SMB2_LEASE_KEY_SIZE)) + continue; + + if (!found && ack_req) { +- found = true; +- memcpy(lw->lease_key, open->lease_key, +- SMB2_LEASE_KEY_SIZE); +- lw->tlink = cifs_get_tlink(open->tlink); +- queue_work(cifsiod_wq, &lw->lease_break); ++ found = open; + } + + cifs_dbg(FYI, "found in the pending open list\n"); +@@ -592,14 +615,7 @@ smb2_is_valid_lease_break(char *buffer) + struct TCP_Server_Info *server; + struct cifs_ses *ses; + struct cifs_tcon *tcon; +- struct smb2_lease_break_work *lw; +- +- lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL); +- if (!lw) +- return false; +- +- INIT_WORK(&lw->lease_break, cifs_ses_oplock_break); +- lw->lease_state = rsp->NewLeaseState; ++ struct cifs_pending_open *open; + + cifs_dbg(FYI, "Checking for lease break\n"); + +@@ -617,11 +633,27 @@ smb2_is_valid_lease_break(char *buffer) + spin_lock(&tcon->open_file_lock); + cifs_stats_inc( + 
&tcon->stats.cifs_stats.num_oplock_brks); +- if (smb2_tcon_has_lease(tcon, rsp, lw)) { ++ if (smb2_tcon_has_lease(tcon, rsp)) { + spin_unlock(&tcon->open_file_lock); + spin_unlock(&cifs_tcp_ses_lock); + return true; + } ++ open = smb2_tcon_find_pending_open_lease(tcon, ++ rsp); ++ if (open) { ++ __u8 lease_key[SMB2_LEASE_KEY_SIZE]; ++ struct tcon_link *tlink; ++ ++ tlink = cifs_get_tlink(open->tlink); ++ memcpy(lease_key, open->lease_key, ++ SMB2_LEASE_KEY_SIZE); ++ spin_unlock(&tcon->open_file_lock); ++ spin_unlock(&cifs_tcp_ses_lock); ++ smb2_queue_pending_open_break(tlink, ++ lease_key, ++ rsp->NewLeaseState); ++ return true; ++ } + spin_unlock(&tcon->open_file_lock); + + if (tcon->crfid.is_valid && +@@ -639,7 +671,6 @@ smb2_is_valid_lease_break(char *buffer) + } + } + spin_unlock(&cifs_tcp_ses_lock); +- kfree(lw); + cifs_dbg(FYI, "Can not process lease break - no lease matched\n"); + return false; + } diff --git a/queue-4.19/dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch b/queue-4.19/dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch new file mode 100644 index 00000000000..8d3b53a31a2 --- /dev/null +++ b/queue-4.19/dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch 
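Review bot: In the new smb2_queue_pending_open_break(), the kmalloc() failure branch releases the tlink reference and returns without any log line, and by that point smb2_is_valid_lease_break() has already dropped both spinlocks and is returning true, so a pending-open lease break that was actually found is never queued and nothing records why the server's break goes unanswered. Adding `cifs_dbg(VFS, "failed to allocate lease break work\n");` ahead of `cifs_put_tlink(tlink);` would make that failure visible to whoever later debugs the missing ack. Taking the tlink reference and copying the lease key while open_file_lock is still held, then doing the GFP_KERNEL allocation only after both locks are dropped, looks correct and also removes the unconditional allocation that previously sat on every lease-break path, including the cached-root path that leaked it. smb2_is_valid_lease_break() and the tail of smb2_tcon_find_pending_open_lease() continue outside the visible hunk lines.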
@@ -0,0 +1,34 @@ +From add48ba425192c6e04ce70549129cacd01e2a09e Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Mon, 27 Jul 2020 12:16:05 +0200 +Subject: dt-bindings: iio: io-channel-mux: Fix compatible string in example code + +From: Christian Eggers + +commit add48ba425192c6e04ce70549129cacd01e2a09e upstream. + +The correct compatible string is "gpio-mux" (see +bindings/mux/gpio-mux.txt). + +Cc: stable@vger.kernel.org # v4.13+ +Reviewed-by: Peter Rosin +Signed-off-by: Christian Eggers +Link: https://lore.kernel.org/r/20200727101605.24384-1-ceggers@arri.de +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt ++++ b/Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt +@@ -21,7 +21,7 @@ controller state. The mux controller sta + + Example: + mux: mux-controller { +- compatible = "mux-gpio"; ++ compatible = "gpio-mux"; + #mux-control-cells = <0>; + + mux-gpios = <&pioA 0 GPIO_ACTIVE_HIGH>, diff --git a/queue-4.19/iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch b/queue-4.19/iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch new file mode 100644 index 00000000000..7cacef77cec --- /dev/null +++ b/queue-4.19/iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch 
@@ -0,0 +1,47 @@ +From 65afb0932a81c1de719ceee0db0b276094b10ac8 Mon Sep 17 00:00:00 2001 +From: Alexandru Ardelean +Date: Mon, 6 Jul 2020 14:02:57 +0300 +Subject: iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw() + +From: Alexandru Ardelean + +commit 65afb0932a81c1de719ceee0db0b276094b10ac8 upstream. + +There are 2 exit paths where the lock isn't held, but try to unlock the +mutex when exiting. In these places we should just return from the +function. + +A neater approach would be to cleanup the ad5592r_read_raw(), but that +would make this patch more difficult to backport to stable versions. + +Fixes 56ca9db862bf3: ("iio: dac: Add support for the AD5592R/AD5593R ADCs/DACs") +Reported-by: Charles Stanhope +Signed-off-by: Alexandru Ardelean +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/dac/ad5592r-base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/dac/ad5592r-base.c ++++ b/drivers/iio/dac/ad5592r-base.c +@@ -417,7 +417,7 @@ static int ad5592r_read_raw(struct iio_d + s64 tmp = *val * (3767897513LL / 25LL); + *val = div_s64_rem(tmp, 1000000000LL, val2); + +- ret = IIO_VAL_INT_PLUS_MICRO; ++ return IIO_VAL_INT_PLUS_MICRO; + } else { + int mult; + +@@ -448,7 +448,7 @@ static int ad5592r_read_raw(struct iio_d + ret = IIO_VAL_INT; + break; + default: +- ret = -EINVAL; ++ return -EINVAL; + } + + unlock: diff --git a/queue-4.19/media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch b/queue-4.19/media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch new file mode 100644 index 00000000000..540205bf6fe --- /dev/null +++ b/queue-4.19/media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch 
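Review bot: The two early returns introduced in ad5592r_read_raw() are right for paths on which the mutex is not held, but nothing at those lines says so, and the function now mixes `ret = …; break;` (which falls through to `unlock:`) with bare `return` inside the same switch, so the next edit can easily reintroduce the unbalanced unlock. A one-line comment at each new return would pin the invariant: `return IIO_VAL_INT_PLUS_MICRO; /* lock not held on this path */` and `return -EINVAL; /* lock not held on this path */`. The commit message already notes that the real fix is restructuring the function so every exit goes through one lock-aware path; that is reasonably left out of a stable backport. ad5592r_read_raw() starts and ends outside the hunk.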
@@ -0,0 +1,102 @@ +From c92d30e4b78dc331909f8c6056c2792aa14e2166 Mon Sep 17 00:00:00 2001 +From: Eugeniu Rosca +Date: Tue, 2 Jun 2020 21:50:16 +0200 +Subject: media: vsp1: dl: Fix NULL pointer dereference on unbind + +From: Eugeniu Rosca + +commit c92d30e4b78dc331909f8c6056c2792aa14e2166 upstream. + +In commit f3b98e3c4d2e16 ("media: vsp1: Provide support for extended +command pools"), the vsp pointer used for referencing the VSP1 device +structure from a command pool during vsp1_dl_ext_cmd_pool_destroy() was +not populated. + +Correctly assign the pointer to prevent the following +null-pointer-dereference when removing the device: + +[*] h3ulcb-kf #> +echo fea28000.vsp > /sys/bus/platform/devices/fea28000.vsp/driver/unbind + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028 + Mem abort info: + ESR = 0x96000006 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + Data abort info: + ISV = 0, ISS = 0x00000006 + CM = 0, WnR = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp=00000007318be000 + [0000000000000028] pgd=00000007333a1003, pud=00000007333a6003, pmd=0000000000000000 + Internal error: Oops: 96000006 [#1] PREEMPT SMP + Modules linked in: + CPU: 1 PID: 486 Comm: sh Not tainted 5.7.0-rc6-arm64-renesas-00118-ge644645abf47 #185 + Hardware name: Renesas H3ULCB Kingfisher board based on r8a77951 (DT) + pstate: 40000005 (nZcv daif -PAN -UAO) + pc : vsp1_dlm_destroy+0xe4/0x11c + lr : vsp1_dlm_destroy+0xc8/0x11c + sp : ffff800012963b60 + x29: ffff800012963b60 x28: ffff0006f83fc440 + x27: 0000000000000000 x26: ffff0006f5e13e80 + x25: ffff0006f5e13ed0 x24: ffff0006f5e13ed0 + x23: ffff0006f5e13ed0 x22: dead000000000122 + x21: ffff0006f5e3a080 x20: ffff0006f5df2938 + x19: ffff0006f5df2980 x18: 0000000000000003 + x17: 0000000000000000 x16: 0000000000000016 + x15: 0000000000000003 x14: 00000000000393c0 + x13: ffff800011a5ec18 x12: ffff800011d8d000 + x11: ffff0006f83fcc68 x10: ffff800011a53d70 + x9 : 
ffff8000111f3000 x8 : 0000000000000000 + x7 : 0000000000210d00 x6 : 0000000000000000 + x5 : ffff800010872e60 x4 : 0000000000000004 + x3 : 0000000078068000 x2 : ffff800012781000 + x1 : 0000000000002c00 x0 : 0000000000000000 + Call trace: + vsp1_dlm_destroy+0xe4/0x11c + vsp1_wpf_destroy+0x10/0x20 + vsp1_entity_destroy+0x24/0x4c + vsp1_destroy_entities+0x54/0x130 + vsp1_remove+0x1c/0x40 + platform_drv_remove+0x28/0x50 + __device_release_driver+0x178/0x220 + device_driver_detach+0x44/0xc0 + unbind_store+0xe0/0x104 + drv_attr_store+0x20/0x30 + sysfs_kf_write+0x48/0x70 + kernfs_fop_write+0x148/0x230 + __vfs_write+0x18/0x40 + vfs_write+0xdc/0x1c4 + ksys_write+0x68/0xf0 + __arm64_sys_write+0x18/0x20 + el0_svc_common.constprop.0+0x70/0x170 + do_el0_svc+0x20/0x80 + el0_sync_handler+0x134/0x1b0 + el0_sync+0x140/0x180 + Code: b40000c2 f9403a60 d2800084 a9400663 (f9401400) + ---[ end trace 3875369841fb288a ]--- + +Fixes: f3b98e3c4d2e16 ("media: vsp1: Provide support for extended command pools") +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Eugeniu Rosca +Reviewed-by: Kieran Bingham +Tested-by: Kieran Bingham +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/vsp1/vsp1_dl.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/platform/vsp1/vsp1_dl.c ++++ b/drivers/media/platform/vsp1/vsp1_dl.c +@@ -431,6 +431,8 @@ vsp1_dl_cmd_pool_create(struct vsp1_devi + if (!pool) + return NULL; + ++ pool->vsp1 = vsp1; ++ + spin_lock_init(&pool->lock); + INIT_LIST_HEAD(&pool->free); + diff --git a/queue-4.19/powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch b/queue-4.19/powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch new file mode 100644 index 00000000000..d212fbdaafd --- /dev/null +++ b/queue-4.19/powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch 
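Review bot: The added `pool->vsp1 = vsp1;` restores a back-pointer that nothing in vsp1_dl_cmd_pool_create() documents, and the original omission survived precisely because the field is only read much later, in vsp1_dl_ext_cmd_pool_destroy() on unbind. A trailing comment would tie the two sites together for the next reader: `pool->vsp1 = vsp1; /* read back by vsp1_dl_ext_cmd_pool_destroy() on unbind */`. The rest of vsp1_dl_cmd_pool_create() lies outside the hunk.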
@@ -0,0 +1,184 @@ +From 63dee5df43a31f3844efabc58972f0a206ca4534 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Fri, 24 Jul 2020 19:25:25 +1000 +Subject: powerpc: Allow 4224 bytes of stack expansion for the signal frame + +From: Michael Ellerman + +commit 63dee5df43a31f3844efabc58972f0a206ca4534 upstream. + +We have powerpc specific logic in our page fault handling to decide if +an access to an unmapped address below the stack pointer should expand +the stack VMA. + +The code was originally added in 2004 "ported from 2.4". The rough +logic is that the stack is allowed to grow to 1MB with no extra +checking. Over 1MB the access must be within 2048 bytes of the stack +pointer, or be from a user instruction that updates the stack pointer. + +The 2048 byte allowance below the stack pointer is there to cover the +288 byte "red zone" as well as the "about 1.5kB" needed by the signal +delivery code. + +Unfortunately since then the signal frame has expanded, and is now +4224 bytes on 64-bit kernels with transactional memory enabled. This +means if a process has consumed more than 1MB of stack, and its stack +pointer lies less than 4224 bytes from the next page boundary, signal +delivery will fault when trying to expand the stack and the process +will see a SEGV. + +The total size of the signal frame is the size of struct rt_sigframe +(which includes the red zone) plus __SIGNAL_FRAMESIZE (128 bytes on +64-bit). 
+ +The 2048 byte allowance was correct until 2008 as the signal frame +was: + +struct rt_sigframe { + struct ucontext uc; /* 0 1440 */ + /* --- cacheline 11 boundary (1408 bytes) was 32 bytes ago --- */ + long unsigned int _unused[2]; /* 1440 16 */ + unsigned int tramp[6]; /* 1456 24 */ + struct siginfo * pinfo; /* 1480 8 */ + void * puc; /* 1488 8 */ + struct siginfo info; /* 1496 128 */ + /* --- cacheline 12 boundary (1536 bytes) was 88 bytes ago --- */ + char abigap[288]; /* 1624 288 */ + + /* size: 1920, cachelines: 15, members: 7 */ + /* padding: 8 */ +}; + +1920 + 128 = 2048 + +Then in commit ce48b2100785 ("powerpc: Add VSX context save/restore, +ptrace and signal support") (Jul 2008) the signal frame expanded to +2304 bytes: + +struct rt_sigframe { + struct ucontext uc; /* 0 1696 */ <-- + /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */ + long unsigned int _unused[2]; /* 1696 16 */ + unsigned int tramp[6]; /* 1712 24 */ + struct siginfo * pinfo; /* 1736 8 */ + void * puc; /* 1744 8 */ + struct siginfo info; /* 1752 128 */ + /* --- cacheline 14 boundary (1792 bytes) was 88 bytes ago --- */ + char abigap[288]; /* 1880 288 */ + + /* size: 2176, cachelines: 17, members: 7 */ + /* padding: 8 */ +}; + +2176 + 128 = 2304 + +At this point we should have been exposed to the bug, though as far as +I know it was never reported. I no longer have a system old enough to +easily test on. + +Then in 2010 commit 320b2b8de126 ("mm: keep a guard page below a +grow-down stack segment") caused our stack expansion code to never +trigger, as there was always a VMA found for a write up to PAGE_SIZE +below r1. 
+ +That meant the bug was hidden as we continued to expand the signal +frame in commit 2b0a576d15e0 ("powerpc: Add new transactional memory +state to the signal context") (Feb 2013): + +struct rt_sigframe { + struct ucontext uc; /* 0 1696 */ + /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */ + struct ucontext uc_transact; /* 1696 1696 */ <-- + /* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */ + long unsigned int _unused[2]; /* 3392 16 */ + unsigned int tramp[6]; /* 3408 24 */ + struct siginfo * pinfo; /* 3432 8 */ + void * puc; /* 3440 8 */ + struct siginfo info; /* 3448 128 */ + /* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */ + char abigap[288]; /* 3576 288 */ + + /* size: 3872, cachelines: 31, members: 8 */ + /* padding: 8 */ + /* last cacheline: 32 bytes */ +}; + +3872 + 128 = 4000 + +And commit 573ebfa6601f ("powerpc: Increase stack redzone for 64-bit +userspace to 512 bytes") (Feb 2014): + +struct rt_sigframe { + struct ucontext uc; /* 0 1696 */ + /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */ + struct ucontext uc_transact; /* 1696 1696 */ + /* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */ + long unsigned int _unused[2]; /* 3392 16 */ + unsigned int tramp[6]; /* 3408 24 */ + struct siginfo * pinfo; /* 3432 8 */ + void * puc; /* 3440 8 */ + struct siginfo info; /* 3448 128 */ + /* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */ + char abigap[512]; /* 3576 512 */ <-- + + /* size: 4096, cachelines: 32, members: 8 */ + /* padding: 8 */ +}; + +4096 + 128 = 4224 + +Then finally in 2017, commit 1be7107fbe18 ("mm: larger stack guard +gap, between vmas") exposed us to the existing bug, because it changed +the stack VMA to be the correct/real size, meaning our stack expansion +code is now triggered. + +Fix it by increasing the allowance to 4224 bytes. 
+ +Hard-coding 4224 is obviously unsafe against future expansions of the +signal frame in the same way as the existing code. We can't easily use +sizeof() because the signal frame structure is not in a header. We +will either fix that, or rip out all the custom stack expansion +checking logic entirely. + +Fixes: ce48b2100785 ("powerpc: Add VSX context save/restore, ptrace and signal support") +Cc: stable@vger.kernel.org # v2.6.27+ +Reported-by: Tom Lane +Tested-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200724092528.1578671-2-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/fault.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/mm/fault.c ++++ b/arch/powerpc/mm/fault.c +@@ -233,6 +233,9 @@ static bool bad_kernel_fault(bool is_exe + return is_exec || (address >= TASK_SIZE); + } + ++// This comes from 64-bit struct rt_sigframe + __SIGNAL_FRAMESIZE ++#define SIGFRAME_MAX_SIZE (4096 + 128) ++ + static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address, + struct vm_area_struct *vma, unsigned int flags, + bool *must_retry) +@@ -240,7 +243,7 @@ static bool bad_stack_expansion(struct p + /* + * N.B. The POWER/Open ABI allows programs to access up to + * 288 bytes below the stack pointer. +- * The kernel signal delivery code writes up to about 1.5kB ++ * The kernel signal delivery code writes a bit over 4KB + * below the stack pointer (r1) before decrementing it. + * The exec code can write slightly over 640kB to the stack + * before setting the user r1. Thus we allow the stack to +@@ -265,7 +268,7 @@ static bool bad_stack_expansion(struct p + * between the last mapped region and the stack will + * expand the stack rather than segfaulting. + */ +- if (address + 2048 >= uregs->gpr[1]) ++ if (address + SIGFRAME_MAX_SIZE >= uregs->gpr[1]) + return false; + + if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) && 
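Review bot: The new SIGFRAME_MAX_SIZE is a bare `(4096 + 128)` whose one-line comment does not say where the two numbers come from or that they must be updated by hand whenever the signal frame grows — the exact failure mode the commit message describes as having gone unnoticed since 2008. Since the commit message says struct rt_sigframe is not in a header, a BUILD_BUG_ON() against its sizeof is not available here, so the comment is the only guard; suggest `/* 64-bit struct rt_sigframe (arch/powerpc/kernel/signal_64.c) + __SIGNAL_FRAMESIZE; update whenever the signal frame changes */`, which also swaps the `//` comment for the `/* */` form the kernel coding style asks for. If this code is also built for 32-bit kernels, the larger allowance merely over-approximates the smaller frame there, as the old 2048 already did, and that is worth a clause in the same comment. bad_stack_expansion() continues beyond the hunk.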
diff --git a/queue-4.19/powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch b/queue-4.19/powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch
new file mode 100644
index 00000000000..ced8e21f9f0
--- /dev/null
+++ b/queue-4.19/powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch
@@ -0,0 +1,66 @@ +From 0c83b277ada72b585e6a3e52b067669df15bcedb Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 4 Aug 2020 22:44:06 +1000 +Subject: powerpc: Fix circular dependency between percpu.h and mmu.h + +From: Michael Ellerman + +commit 0c83b277ada72b585e6a3e52b067669df15bcedb upstream. + +Recently random.h started including percpu.h (see commit +f227e3ec3b5c ("random32: update the net random state on interrupt and +activity")), which broke corenet64_smp_defconfig: + + In file included from /linux/arch/powerpc/include/asm/paca.h:18, + from /linux/arch/powerpc/include/asm/percpu.h:13, + from /linux/include/linux/random.h:14, + from /linux/lib/uuid.c:14: + /linux/arch/powerpc/include/asm/mmu.h:139:22: error: unknown type name 'next_tlbcam_idx' + 139 | DECLARE_PER_CPU(int, next_tlbcam_idx); + +This is due to a circular header dependency: + asm/mmu.h includes asm/percpu.h, which includes asm/paca.h, which + includes asm/mmu.h + +Which means DECLARE_PER_CPU() isn't defined when mmu.h needs it. + +We can fix it by moving the include of paca.h below the include of +asm-generic/percpu.h. + +This moves the include of paca.h out of the #ifdef __powerpc64__, but +that is OK because paca.h is almost entirely inside #ifdef +CONFIG_PPC64 anyway. + +It also moves the include of paca.h out of the #ifdef CONFIG_SMP, +which could possibly break something, but seems to have no ill +effects. 
+ +Fixes: f227e3ec3b5c ("random32: update the net random state on interrupt and activity") +Cc: stable@vger.kernel.org # v5.8 +Reported-by: Stephen Rothwell +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200804130558.292328-1-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/percpu.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/include/asm/percpu.h ++++ b/arch/powerpc/include/asm/percpu.h +@@ -10,8 +10,6 @@ + + #ifdef CONFIG_SMP + +-#include +- + #define __my_cpu_offset local_paca->data_offset + + #endif /* CONFIG_SMP */ +@@ -19,4 +17,6 @@ + + #include + ++#include ++ + #endif /* _ASM_POWERPC_PERCPU_H_ */ diff --git a/queue-4.19/series b/queue-4.19/series index 783cfe96ed0..63188b5bc9d 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -15,3 +15,10 @@ btrfs-fix-messages-after-changing-compression-level-by-remount.patch btrfs-only-search-for-left_info-if-there-is-no-right_info-in-try_merge_free_space.patch btrfs-fix-memory-leaks-after-failure-to-lookup-checksums-during-inode-logging.patch btrfs-fix-return-value-mixup-in-btrfs_get_extent.patch +dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch +iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch +xtensa-fix-xtensa_pmu_setup-prototype.patch +cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch +powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch +powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch +media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch diff --git a/queue-4.19/xtensa-fix-xtensa_pmu_setup-prototype.patch b/queue-4.19/xtensa-fix-xtensa_pmu_setup-prototype.patch new file mode 100644 index 00000000000..d56e9dce1d5 --- /dev/null +++ b/queue-4.19/xtensa-fix-xtensa_pmu_setup-prototype.patch 
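Review bot: The relocated paca.h include in arch/powerpc/include/asm/percpu.h is order-dependent — per the commit message it must follow asm-generic/percpu.h because mmu.h, reached via paca.h, needs DECLARE_PER_CPU() already defined — yet the header carries no comment saying so, so a later include sort or a move back under `#ifdef CONFIG_SMP` would silently reintroduce the build break. Add `/* Must come after asm-generic/percpu.h: paca.h pulls in mmu.h, which needs DECLARE_PER_CPU() */` above the new include. The commit message also notes the include is now unconditional rather than CONFIG_SMP-only and that this is believed harmless; recording that intent in the same comment would spare the next reader the archaeology. The include targets are stripped in this rendering, so the names above are taken from the commit message.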
@@ -0,0 +1,38 @@ +From 6d65d3769d1910379e1cfa61ebf387efc6bfb22c Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Fri, 31 Jul 2020 12:37:32 -0700 +Subject: xtensa: fix xtensa_pmu_setup prototype +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Max Filippov + +commit 6d65d3769d1910379e1cfa61ebf387efc6bfb22c upstream. + +Fix the following build error in configurations with +CONFIG_XTENSA_VARIANT_HAVE_PERF_EVENTS=y: + + arch/xtensa/kernel/perf_event.c:420:29: error: passing argument 3 of + ‘cpuhp_setup_state’ from incompatible pointer type + +Cc: stable@vger.kernel.org +Fixes: 25a77b55e74c ("xtensa/perf: Convert the hotplug notifier to state machine callbacks") +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/kernel/perf_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/xtensa/kernel/perf_event.c ++++ b/arch/xtensa/kernel/perf_event.c +@@ -404,7 +404,7 @@ static struct pmu xtensa_pmu = { + .read = xtensa_pmu_read, + }; + +-static int xtensa_pmu_setup(int cpu) ++static int xtensa_pmu_setup(unsigned int cpu) + { + unsigned i; +
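Review bot: The corrected prototype of xtensa_pmu_setup() now matches the cpuhp startup callback type, but nothing at the definition records that constraint, which is how the mismatch went unnoticed until the build error quoted in the commit message. A short comment above the function would keep the signature from drifting again: `/* CPU hotplug startup callback; the signature must match what cpuhp_setup_state() expects */`. The body of xtensa_pmu_setup() continues past the end of the hunk.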