From: Greg Kroah-Hartman Date: Thu, 19 Mar 2020 10:06:32 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.217~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5f888021fb20b285fcf92639ea69c744803035c9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: arm-8958-1-rename-missed-uaccess-.fixup-section.patch efi-fix-debugobjects-warning-on-efi_rts_work.patch hid-google-add-moonball-usb-id.patch mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch --- diff --git a/queue-4.19/arm-8958-1-rename-missed-uaccess-.fixup-section.patch b/queue-4.19/arm-8958-1-rename-missed-uaccess-.fixup-section.patch new file mode 100644 index 00000000000..be1db17c6b2 --- /dev/null +++ b/queue-4.19/arm-8958-1-rename-missed-uaccess-.fixup-section.patch 
@@ -0,0 +1,43 @@ +From f87b1c49bc675da30d8e1e8f4b60b800312c7b90 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 10 Feb 2020 02:04:17 +0100 +Subject: ARM: 8958/1: rename missed uaccess .fixup section + +From: Kees Cook + +commit f87b1c49bc675da30d8e1e8f4b60b800312c7b90 upstream. + +When the uaccess .fixup section was renamed to .text.fixup, one case was +missed. Under ld.bfd, the orphaned section was moved close to .text +(since they share the "ax" bits), so things would work normally on +uaccess faults. Under ld.lld, the orphaned section was placed outside +the .text section, making it unreachable. + +Link: https://github.com/ClangBuiltLinux/linux/issues/282 +Link: https://bugs.chromium.org/p/chromium/issues/detail?id=1020633#c44 +Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.1912032147340.17114@knanqh.ubzr +Link: https://lore.kernel.org/lkml/202002071754.F5F073F1D@keescook/ + +Fixes: c4a84ae39b4a5 ("ARM: 8322/1: keep .text and .fixup regions closer together") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Ard Biesheuvel +Reviewed-by: Nick Desaulniers +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/lib/copy_from_user.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/lib/copy_from_user.S ++++ b/arch/arm/lib/copy_from_user.S +@@ -100,7 +100,7 @@ ENTRY(arm_copy_from_user) + + ENDPROC(arm_copy_from_user) + +- .pushsection .fixup,"ax" ++ .pushsection .text.fixup,"ax" + .align 0 + copy_abort_preamble + ldmfd sp!, {r1, r2, r3} diff --git a/queue-4.19/efi-fix-debugobjects-warning-on-efi_rts_work.patch b/queue-4.19/efi-fix-debugobjects-warning-on-efi_rts_work.patch new file mode 100644 index 00000000000..4390e205e8c --- /dev/null +++ b/queue-4.19/efi-fix-debugobjects-warning-on-efi_rts_work.patch 
@@ -0,0 +1,49 @@ +From ef1491e791308317bb9851a0ad380c4a68b58d54 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Wed, 14 Nov 2018 09:55:40 -0800 +Subject: efi: Fix debugobjects warning on 'efi_rts_work' + +From: Waiman Long + +commit ef1491e791308317bb9851a0ad380c4a68b58d54 upstream. + +The following commit: + + 9dbbedaa6171 ("efi: Make efi_rts_work accessible to efi page fault handler") + +converted 'efi_rts_work' from an auto variable to a global variable. +However, when submitting the work, INIT_WORK_ONSTACK() was still used, +causing the following complaint from debugobjects: + + ODEBUG: object 00000000ed27b500 is NOT on stack 00000000c7d38760, but annotated. + +Change the macro to just INIT_WORK() to eliminate the warning. + +Signed-off-by: Waiman Long +Signed-off-by: Ard Biesheuvel +Acked-by: Sai Praneeth Prakhya +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Fixes: 9dbbedaa6171 ("efi: Make efi_rts_work accessible to efi page fault handler") +Link: http://lkml.kernel.org/r/20181114175544.12860-2-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Cc: Chris Wilson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/efi/runtime-wrappers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/efi/runtime-wrappers.c ++++ b/drivers/firmware/efi/runtime-wrappers.c +@@ -62,7 +62,7 @@ struct efi_runtime_work efi_rts_work; + efi_rts_work.status = EFI_ABORTED; \ + \ + init_completion(&efi_rts_work.efi_rts_comp); \ +- INIT_WORK_ONSTACK(&efi_rts_work.work, efi_call_rts); \ ++ INIT_WORK(&efi_rts_work.work, efi_call_rts); \ + efi_rts_work.arg1 = _arg1; \ + efi_rts_work.arg2 = _arg2; \ + efi_rts_work.arg3 = _arg3; \ diff --git a/queue-4.19/hid-google-add-moonball-usb-id.patch b/queue-4.19/hid-google-add-moonball-usb-id.patch new file mode 100644 index 00000000000..f7dcb4975bd --- /dev/null +++ b/queue-4.19/hid-google-add-moonball-usb-id.patch 
@@ -0,0 +1,42 @@ +From 58322a1590fc189a8e1e349d309637d4a4942840 Mon Sep 17 00:00:00 2001 +From: Chen-Tsung Hsieh +Date: Mon, 16 Mar 2020 15:24:19 +0800 +Subject: HID: google: add moonball USB id + +From: Chen-Tsung Hsieh + +commit 58322a1590fc189a8e1e349d309637d4a4942840 upstream. + +Add 1 additional hammer-like device. + +Signed-off-by: Chen-Tsung Hsieh +Reviewed-by: Nicolas Boichat +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-google-hammer.c | 2 ++ + drivers/hid/hid-ids.h | 1 + + 2 files changed, 3 insertions(+) + +--- a/drivers/hid/hid-google-hammer.c ++++ b/drivers/hid/hid-google-hammer.c +@@ -125,6 +125,8 @@ static const struct hid_device_id hammer + { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, + USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_MASTERBALL) }, + { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, ++ USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_MOONBALL) }, ++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, + USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_STAFF) }, + { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, + USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_WAND) }, +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -468,6 +468,7 @@ + #define USB_DEVICE_ID_GOOGLE_WHISKERS 0x5030 + #define USB_DEVICE_ID_GOOGLE_MASTERBALL 0x503c + #define USB_DEVICE_ID_GOOGLE_MAGNEMITE 0x503d ++#define USB_DEVICE_ID_GOOGLE_MOONBALL 0x5044 + + #define USB_VENDOR_ID_GOTOP 0x08f2 + #define USB_DEVICE_ID_SUPER_Q2 0x007f diff --git a/queue-4.19/mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch b/queue-4.19/mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch new file mode 100644 index 00000000000..f462b10dfa3 --- /dev/null +++ b/queue-4.19/mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch 
@@ -0,0 +1,46 @@ +From fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 17 Mar 2020 01:28:45 +0100 +Subject: mm: slub: add missing TID bump in kmem_cache_alloc_bulk() + +From: Jann Horn + +commit fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8 upstream. + +When kmem_cache_alloc_bulk() attempts to allocate N objects from a percpu +freelist of length M, and N > M > 0, it will first remove the M elements +from the percpu freelist, then call ___slab_alloc() to allocate the next +element and repopulate the percpu freelist. ___slab_alloc() can re-enable +IRQs via allocate_slab(), so the TID must be bumped before ___slab_alloc() +to properly commit the freelist head change. + +Fix it by unconditionally bumping c->tid when entering the slowpath. + +Cc: stable@vger.kernel.org +Fixes: ebe909e0fdb3 ("slub: improve bulk alloc strategy") +Signed-off-by: Jann Horn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -3104,6 +3104,15 @@ int kmem_cache_alloc_bulk(struct kmem_ca + + if (unlikely(!object)) { + /* ++ * We may have removed an object from c->freelist using ++ * the fastpath in the previous iteration; in that case, ++ * c->tid has not been bumped yet. ++ * Since ___slab_alloc() may reenable interrupts while ++ * allocating memory, we should bump c->tid now. ++ */ ++ c->tid = next_tid(c->tid); ++ ++ /* + * Invoking slow path likely have side-effect + * of re-populating per CPU c->freelist + */ diff --git a/queue-4.19/series b/queue-4.19/series index dca9e2a2a3f..bf795c172ce 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -41,3 +41,7 @@ driver-core-remove-device-link-creation-limitation.patch driver-core-fix-creation-of-device-links-with-pm-runtime-flags.patch net-qrtr-fix-len-of-skb_put_padto-in-qrtr_node_enqueue.patch arm-8957-1-vdso-match-armv8-timer-in-cntvct_functional.patch +arm-8958-1-rename-missed-uaccess-.fixup-section.patch +mm-slub-add-missing-tid-bump-in-kmem_cache_alloc_bulk.patch +hid-google-add-moonball-usb-id.patch +efi-fix-debugobjects-warning-on-efi_rts_work.patch
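Review bot: in the arch/arm/lib/copy_from_user.S hunk, the one-line rename to `.pushsection .text.fixup,"ax"` fixes this site only, and the changelog shows the old name worked under ld.bfd purely because the orphaned section happened to be placed close to .text. Nothing in the patch stops another missed `.fixup` from building cleanly and failing only at uaccess-fault time under ld.lld. Before this goes into 4.19, confirm with a grep of arch/arm that no other `.pushsection .fixup` is left in a uaccess path, and consider a test link with `--orphan-handling=warn` so an unplaced section is reported at build time instead of depending on linker placement.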
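Review bot: in the drivers/firmware/efi/runtime-wrappers.c hunk, only the init side changes from INIT_WORK_ONSTACK() to INIT_WORK(); check that the rest of the macro, which this hunk does not show, has no destroy_work_on_stack() left over from the on-stack version, since that would now be the mismatched annotation. The visible lines also re-initialize the global efi_rts_work (status, completion, work item and arguments) on every invocation, so a short comment above the macro stating what serialises callers would document why re-initializing a shared object is safe.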
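Review bot: the changelog covering the drivers/hid/hid-google-hammer.c and drivers/hid/hid-ids.h hunks, "Add 1 additional hammer-like device.", does not say what hardware moonball is or that ID 0x5044 was tested against this driver; one sentence on that would help anyone auditing which USB devices the driver binds to. Placement is consistent with the surrounding lines: the define follows MAGNEMITE 0x503d in numeric order and the table entry sits between MASTERBALL and STAFF.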
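Review bot: in the mm/slub.c hunk, the new comment says "we should bump c->tid now" while the changelog states the TID must be bumped before ___slab_alloc(); the comment should say "must" and name the consequence, namely that the freelist head change made by the earlier fastpath iteration is otherwise not committed when ___slab_alloc() re-enables IRQs via allocate_slab(). The bump is also taken when no object was removed in a previous iteration, which the changelog describes as unconditional; saying so in the comment would keep a later cleanup from making it conditional again.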