From: Greg Kroah-Hartman Date: Mon, 28 Jan 2019 13:53:51 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.9.154~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6f913835ab1ba33fc01f40bb5b503747edd4f39c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: acpi-nfit-block-function-zero-dsms.patch acpi-nfit-fix-command-supported-detection.patch compiler.h-enable-builtin-overflow-checkers-and-add-fallback-code.patch dm-thin-fix-passdown_double_checking_shared_status.patch input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch input-xpad-add-support-for-steelseries-stratus-duo.patch kvm-x86-fix-single-step-debugging.patch x86-kaslr-fix-incorrect-i8254-outb-parameters.patch x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch --- diff --git a/queue-4.9/acpi-nfit-block-function-zero-dsms.patch b/queue-4.9/acpi-nfit-block-function-zero-dsms.patch new file mode 100644 index 00000000000..a88b00c3335 --- /dev/null +++ b/queue-4.9/acpi-nfit-block-function-zero-dsms.patch @@ -0,0 +1,40 @@ +From 5e9e38d0db1d29efed1dd4cf9a70115d33521be7 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Mon, 14 Jan 2019 14:07:19 -0800 +Subject: acpi/nfit: Block function zero DSMs + +From: Dan Williams + +commit 5e9e38d0db1d29efed1dd4cf9a70115d33521be7 upstream. + +In preparation for using function number 0 as an error value, prevent it +from being considered a valid function value by acpi_nfit_ctl(). + +Cc: +Cc: stuart hayes +Fixes: e02fb7264d8a ("nfit: add Microsoft NVDIMM DSM command set...") +Reported-by: Jeff Moyer +Reviewed-by: Jeff Moyer +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/nfit/core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -1433,6 +1433,13 @@ static int acpi_nfit_add_dimm(struct acp + return 0; + } + ++ /* ++ * Function 0 is the command interrogation function, don't ++ * export it to potential userspace use, and enable it to be ++ * used as an error value in acpi_nfit_ctl(). ++ */ ++ dsm_mask &= ~1UL; ++ + uuid = to_nfit_uuid(nfit_mem->family); + for_each_set_bit(i, &dsm_mask, BITS_PER_LONG) + if (acpi_check_dsm(adev_dimm->handle, uuid, 1, 1ULL << i)) diff --git a/queue-4.9/acpi-nfit-fix-command-supported-detection.patch b/queue-4.9/acpi-nfit-fix-command-supported-detection.patch new file mode 100644 index 00000000000..755f4ce361a --- /dev/null +++ b/queue-4.9/acpi-nfit-fix-command-supported-detection.patch @@ -0,0 +1,126 @@ +From 11189c1089da413aa4b5fd6be4c4d47c78968819 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Sat, 19 Jan 2019 10:55:04 -0800 +Subject: acpi/nfit: Fix command-supported detection + +From: Dan Williams + +commit 11189c1089da413aa4b5fd6be4c4d47c78968819 upstream. + +The _DSM function number validation only happens to succeed when the +generic Linux command number translation corresponds with a +DSM-family-specific function number. This breaks NVDIMM-N +implementations that correctly implement _LSR, _LSW, and _LSI, but do +not happen to publish support for DSM function numbers 4, 5, and 6. + +Recall that the support for _LS{I,R,W} family of methods results in the +DIMM being marked as supporting those command numbers at +acpi_nfit_register_dimms() time. The DSM function mask is only used for +ND_CMD_CALL support of non-NVDIMM_FAMILY_INTEL devices. + +Fixes: 31eca76ba2fc ("nfit, libnvdimm: limited/whitelisted dimm command...") +Cc: +Link: https://github.com/pmem/ndctl/issues/78 +Reported-by: Sujith Pandel +Tested-by: Sujith Pandel +Reviewed-by: Vishal Verma +Reviewed-by: Jeff Moyer +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/nfit/core.c | 50 +++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 40 insertions(+), 10 deletions(-) + +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -185,6 +185,32 @@ static int xlat_status(struct nvdimm *nv + return 0; + } + ++static int cmd_to_func(struct nfit_mem *nfit_mem, unsigned int cmd, ++ struct nd_cmd_pkg *call_pkg) ++{ ++ if (call_pkg) { ++ int i; ++ ++ if (nfit_mem->family != call_pkg->nd_family) ++ return -ENOTTY; ++ ++ for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++) ++ if (call_pkg->nd_reserved2[i]) ++ return -EINVAL; ++ return call_pkg->nd_command; ++ } ++ ++ /* Linux ND commands == NVDIMM_FAMILY_INTEL function numbers */ ++ if (nfit_mem->family == NVDIMM_FAMILY_INTEL) ++ return cmd; ++ ++ /* ++ * Force function number validation to fail since 0 is never ++ * published as a valid function in dsm_mask. ++ */ ++ return 0; ++} ++ + int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, + unsigned int cmd, void *buf, unsigned int buf_len, int *cmd_rc) + { +@@ -197,17 +223,11 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + unsigned long cmd_mask, dsm_mask; + u32 offset, fw_status = 0; + acpi_handle handle; +- unsigned int func; + const u8 *uuid; +- int rc, i; ++ int func, rc, i; + + if (cmd_rc) + *cmd_rc = -EINVAL; +- func = cmd; +- if (cmd == ND_CMD_CALL) { +- call_pkg = buf; +- func = call_pkg->nd_command; +- } + + if (nvdimm) { + struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm); +@@ -215,9 +235,12 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + + if (!adev) + return -ENOTTY; +- if (call_pkg && nfit_mem->family != call_pkg->nd_family) +- return -ENOTTY; + ++ if (cmd == ND_CMD_CALL) ++ call_pkg = buf; ++ func = cmd_to_func(nfit_mem, cmd, call_pkg); ++ if (func < 0) ++ return func; + dimm_name = nvdimm_name(nvdimm); + cmd_name = nvdimm_cmd_name(cmd); + cmd_mask = nvdimm_cmd_mask(nvdimm); +@@ -228,6 +251,7 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + } else { + struct acpi_device *adev = to_acpi_dev(acpi_desc); + ++ func = cmd; + cmd_name = nvdimm_bus_cmd_name(cmd); + cmd_mask = nd_desc->cmd_mask; + dsm_mask = cmd_mask; +@@ -240,7 +264,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + if (!desc || (cmd && (desc->out_num + desc->in_num == 0))) + return -ENOTTY; + +- if (!test_bit(cmd, &cmd_mask) || !test_bit(func, &dsm_mask)) ++ /* ++ * Check for a valid command. For ND_CMD_CALL, we also have to ++ * make sure that the DSM function is supported. ++ */ ++ if (cmd == ND_CMD_CALL && !test_bit(func, &dsm_mask)) ++ return -ENOTTY; ++ else if (!test_bit(cmd, &cmd_mask)) + return -ENOTTY; + + in_obj.type = ACPI_TYPE_PACKAGE; diff --git a/queue-4.9/compiler.h-enable-builtin-overflow-checkers-and-add-fallback-code.patch b/queue-4.9/compiler.h-enable-builtin-overflow-checkers-and-add-fallback-code.patch new file mode 100644 index 00000000000..3d3dbbe6c89 --- /dev/null +++ b/queue-4.9/compiler.h-enable-builtin-overflow-checkers-and-add-fallback-code.patch @@ -0,0 +1,324 @@ +From f0907827a8a9152aedac2833ed1b674a7b2a44f2 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Tue, 8 May 2018 00:36:27 +0200 +Subject: compiler.h: enable builtin overflow checkers and add fallback code + +From: Rasmus Villemoes + +commit f0907827a8a9152aedac2833ed1b674a7b2a44f2 upstream. + +This adds wrappers for the __builtin overflow checkers present in gcc +5.1+ as well as fallback implementations for earlier compilers. It's not +that easy to implement the fully generic __builtin_X_overflow(T1 a, T2 +b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are +the same. We obviously don't want the wrappers to have different +semantics depending on $GCC_VERSION, so we also insist on that even when +using the builtins. + +There are a few problems with the 'a+b < a' idiom for checking for +overflow: For signed types, it relies on undefined behaviour and is +not actually complete (it doesn't check underflow; +e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it +is wrong for all types (signed and unsigned) narrower than +int. Similarly, when a and b does not have the same type, there are +subtle cases like + + u32 a; + + if (a + sizeof(foo) < a) + return -EOVERFLOW; + a += sizeof(foo); + +where the test is always false on 64 bit platforms. Add to that that it +is not always possible to determine the types involved at a glance. + +The new overflow.h is somewhat bulky, but that's mostly a result of +trying to be type-generic, complete (e.g. catching not only overflow +but also signed underflow) and not relying on undefined behaviour. + +Linus is of course right [1] that for unsigned subtraction a-b, the +right way to check for overflow (underflow) is "b > a" and not +"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases +covered here, and included mostly for completeness. + +So is it worth it? I think it is, if nothing else for the documentation +value of seeing + + if (check_add_overflow(a, b, &d)) + return -EGOAWAY; + do_stuff_with(d); + +instead of the open-coded (and possibly wrong and/or incomplete and/or +UBsan-tickling) + + if (a+b < a) + return -EGOAWAY; + do_stuff_with(a+b); + +While gcc does recognize the 'a+b < a' idiom for testing unsigned add +overflow, it doesn't do nearly as good for unsigned multiplication +(there's also no single well-established idiom). So using +check_mul_overflow in kcalloc and friends may also make gcc generate +slightly better code. + +[1] https://lkml.org/lkml/2015/11/2/658 + +Signed-off-by: Rasmus Villemoes +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/compiler-clang.h | 14 ++ + include/linux/compiler-gcc.h | 4 + include/linux/compiler-intel.h | 4 + include/linux/overflow.h | 205 +++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 227 insertions(+) + +--- a/include/linux/compiler-clang.h ++++ b/include/linux/compiler-clang.h +@@ -23,3 +23,17 @@ + #ifdef __noretpoline + #undef __noretpoline + #endif ++ ++/* ++ * Not all versions of clang implement the the type-generic versions ++ * of the builtin overflow checkers. Fortunately, clang implements ++ * __has_builtin allowing us to avoid awkward version ++ * checks. Unfortunately, we don't know which version of gcc clang ++ * pretends to be, so the macro may or may not be defined. ++ */ ++#undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW ++#if __has_builtin(__builtin_mul_overflow) && \ ++ __has_builtin(__builtin_add_overflow) && \ ++ __has_builtin(__builtin_sub_overflow) ++#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 ++#endif +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -334,3 +334,7 @@ + * code + */ + #define uninitialized_var(x) x = x ++ ++#if GCC_VERSION >= 50100 ++#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 ++#endif +--- a/include/linux/compiler-intel.h ++++ b/include/linux/compiler-intel.h +@@ -43,3 +43,7 @@ + #define __builtin_bswap16 _bswap16 + #endif + ++/* ++ * icc defines __GNUC__, but does not implement the builtin overflow checkers. ++ */ ++#undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW +--- /dev/null ++++ b/include/linux/overflow.h +@@ -0,0 +1,205 @@ ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */ ++#ifndef __LINUX_OVERFLOW_H ++#define __LINUX_OVERFLOW_H ++ ++#include ++ ++/* ++ * In the fallback code below, we need to compute the minimum and ++ * maximum values representable in a given type. These macros may also ++ * be useful elsewhere, so we provide them outside the ++ * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block. ++ * ++ * It would seem more obvious to do something like ++ * ++ * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0) ++ * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0) ++ * ++ * Unfortunately, the middle expressions, strictly speaking, have ++ * undefined behaviour, and at least some versions of gcc warn about ++ * the type_max expression (but not if -fsanitize=undefined is in ++ * effect; in that case, the warning is deferred to runtime...). ++ * ++ * The slightly excessive casting in type_min is to make sure the ++ * macros also produce sensible values for the exotic type _Bool. [The ++ * overflow checkers only almost work for _Bool, but that's ++ * a-feature-not-a-bug, since people shouldn't be doing arithmetic on ++ * _Bools. Besides, the gcc builtins don't allow _Bool* as third ++ * argument.] ++ * ++ * Idea stolen from ++ * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html - ++ * credit to Christian Biere. ++ */ ++#define is_signed_type(type) (((type)(-1)) < (type)1) ++#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type))) ++#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T))) ++#define type_min(T) ((T)((T)-type_max(T)-(T)1)) ++ ++ ++#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW ++/* ++ * For simplicity and code hygiene, the fallback code below insists on ++ * a, b and *d having the same type (similar to the min() and max() ++ * macros), whereas gcc's type-generic overflow checkers accept ++ * different types. Hence we don't just make check_add_overflow an ++ * alias for __builtin_add_overflow, but add type checks similar to ++ * below. ++ */ ++#define check_add_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ __builtin_add_overflow(__a, __b, __d); \ ++}) ++ ++#define check_sub_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ __builtin_sub_overflow(__a, __b, __d); \ ++}) ++ ++#define check_mul_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ __builtin_mul_overflow(__a, __b, __d); \ ++}) ++ ++#else ++ ++ ++/* Checking for unsigned overflow is relatively easy without causing UB. */ ++#define __unsigned_add_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = __a + __b; \ ++ *__d < __a; \ ++}) ++#define __unsigned_sub_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = __a - __b; \ ++ __a < __b; \ ++}) ++/* ++ * If one of a or b is a compile-time constant, this avoids a division. ++ */ ++#define __unsigned_mul_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = __a * __b; \ ++ __builtin_constant_p(__b) ? \ ++ __b > 0 && __a > type_max(typeof(__a)) / __b : \ ++ __a > 0 && __b > type_max(typeof(__b)) / __a; \ ++}) ++ ++/* ++ * For signed types, detecting overflow is much harder, especially if ++ * we want to avoid UB. But the interface of these macros is such that ++ * we must provide a result in *d, and in fact we must produce the ++ * result promised by gcc's builtins, which is simply the possibly ++ * wrapped-around value. Fortunately, we can just formally do the ++ * operations in the widest relevant unsigned type (u64) and then ++ * truncate the result - gcc is smart enough to generate the same code ++ * with and without the (u64) casts. ++ */ ++ ++/* ++ * Adding two signed integers can overflow only if they have the same ++ * sign, and overflow has happened iff the result has the opposite ++ * sign. ++ */ ++#define __signed_add_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = (u64)__a + (u64)__b; \ ++ (((~(__a ^ __b)) & (*__d ^ __a)) \ ++ & type_min(typeof(__a))) != 0; \ ++}) ++ ++/* ++ * Subtraction is similar, except that overflow can now happen only ++ * when the signs are opposite. In this case, overflow has happened if ++ * the result has the opposite sign of a. ++ */ ++#define __signed_sub_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = (u64)__a - (u64)__b; \ ++ ((((__a ^ __b)) & (*__d ^ __a)) \ ++ & type_min(typeof(__a))) != 0; \ ++}) ++ ++/* ++ * Signed multiplication is rather hard. gcc always follows C99, so ++ * division is truncated towards 0. This means that we can write the ++ * overflow check like this: ++ * ++ * (a > 0 && (b > MAX/a || b < MIN/a)) || ++ * (a < -1 && (b > MIN/a || b < MAX/a) || ++ * (a == -1 && b == MIN) ++ * ++ * The redundant casts of -1 are to silence an annoying -Wtype-limits ++ * (included in -Wextra) warning: When the type is u8 or u16, the ++ * __b_c_e in check_mul_overflow obviously selects ++ * __unsigned_mul_overflow, but unfortunately gcc still parses this ++ * code and warns about the limited range of __b. ++ */ ++ ++#define __signed_mul_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ typeof(a) __tmax = type_max(typeof(a)); \ ++ typeof(a) __tmin = type_min(typeof(a)); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = (u64)__a * (u64)__b; \ ++ (__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \ ++ (__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \ ++ (__b == (typeof(__b))-1 && __a == __tmin); \ ++}) ++ ++ ++#define check_add_overflow(a, b, d) \ ++ __builtin_choose_expr(is_signed_type(typeof(a)), \ ++ __signed_add_overflow(a, b, d), \ ++ __unsigned_add_overflow(a, b, d)) ++ ++#define check_sub_overflow(a, b, d) \ ++ __builtin_choose_expr(is_signed_type(typeof(a)), \ ++ __signed_sub_overflow(a, b, d), \ ++ __unsigned_sub_overflow(a, b, d)) ++ ++#define check_mul_overflow(a, b, d) \ ++ __builtin_choose_expr(is_signed_type(typeof(a)), \ ++ __signed_mul_overflow(a, b, d), \ ++ __unsigned_mul_overflow(a, b, d)) ++ ++ ++#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ ++ ++#endif /* __LINUX_OVERFLOW_H */ diff --git a/queue-4.9/dm-thin-fix-passdown_double_checking_shared_status.patch b/queue-4.9/dm-thin-fix-passdown_double_checking_shared_status.patch new file mode 100644 index 00000000000..aee2c533ecf --- /dev/null +++ b/queue-4.9/dm-thin-fix-passdown_double_checking_shared_status.patch @@ -0,0 +1,107 @@ +From d445bd9cec1a850c2100fcf53684c13b3fd934f2 Mon Sep 17 00:00:00 2001 +From: Joe Thornber +Date: Tue, 15 Jan 2019 13:27:01 -0500 +Subject: dm thin: fix passdown_double_checking_shared_status() + +From: Joe Thornber + +commit d445bd9cec1a850c2100fcf53684c13b3fd934f2 upstream. + +Commit 00a0ea33b495 ("dm thin: do not queue freed thin mapping for next +stage processing") changed process_prepared_discard_passdown_pt1() to +increment all the blocks being discarded until after the passdown had +completed to avoid them being prematurely reused. + +IO issued to a thin device that breaks sharing with a snapshot, followed +by a discard issued to snapshot(s) that previously shared the block(s), +results in passdown_double_checking_shared_status() being called to +iterate through the blocks double checking their reference count is zero +and issuing the passdown if so. So a side effect of commit 00a0ea33b495 +is passdown_double_checking_shared_status() was broken. + +Fix this by checking if the block reference count is greater than 1. +Also, rename dm_pool_block_is_used() to dm_pool_block_is_shared(). + +Fixes: 00a0ea33b495 ("dm thin: do not queue freed thin mapping for next stage processing") +Cc: stable@vger.kernel.org # 4.9+ +Reported-by: ryan.p.norwood@gmail.com +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin-metadata.c | 4 ++-- + drivers/md/dm-thin-metadata.h | 2 +- + drivers/md/dm-thin.c | 10 +++++----- + 3 files changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -1689,7 +1689,7 @@ int dm_thin_remove_range(struct dm_thin_ + return r; + } + +-int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result) ++int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result) + { + int r; + uint32_t ref_count; +@@ -1697,7 +1697,7 @@ int dm_pool_block_is_used(struct dm_pool + down_read(&pmd->root_lock); + r = dm_sm_get_count(pmd->data_sm, b, &ref_count); + if (!r) +- *result = (ref_count != 0); ++ *result = (ref_count > 1); + up_read(&pmd->root_lock); + + return r; +--- a/drivers/md/dm-thin-metadata.h ++++ b/drivers/md/dm-thin-metadata.h +@@ -195,7 +195,7 @@ int dm_pool_get_metadata_dev_size(struct + + int dm_pool_get_data_dev_size(struct dm_pool_metadata *pmd, dm_block_t *result); + +-int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result); ++int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result); + + int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e); + int dm_pool_dec_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e); +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -1017,7 +1017,7 @@ static void passdown_double_checking_sha + * passdown we have to check that these blocks are now unused. + */ + int r = 0; +- bool used = true; ++ bool shared = true; + struct thin_c *tc = m->tc; + struct pool *pool = tc->pool; + dm_block_t b = m->data_block, e, end = m->data_block + m->virt_end - m->virt_begin; +@@ -1027,11 +1027,11 @@ static void passdown_double_checking_sha + while (b != end) { + /* find start of unmapped run */ + for (; b < end; b++) { +- r = dm_pool_block_is_used(pool->pmd, b, &used); ++ r = dm_pool_block_is_shared(pool->pmd, b, &shared); + if (r) + goto out; + +- if (!used) ++ if (!shared) + break; + } + +@@ -1040,11 +1040,11 @@ static void passdown_double_checking_sha + + /* find end of run */ + for (e = b + 1; e != end; e++) { +- r = dm_pool_block_is_used(pool->pmd, e, &used); ++ r = dm_pool_block_is_shared(pool->pmd, e, &shared); + if (r) + goto out; + +- if (used) ++ if (shared) + break; + } + diff --git a/queue-4.9/input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch b/queue-4.9/input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch new file mode 100644 index 00000000000..6b25f66309a --- /dev/null +++ b/queue-4.9/input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch @@ -0,0 +1,51 @@ +From d77651a227f8920dd7ec179b84e400cce844eeb3 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 14 Jan 2019 13:54:55 -0800 +Subject: Input: uinput - fix undefined behavior in uinput_validate_absinfo() + +From: Dmitry Torokhov + +commit d77651a227f8920dd7ec179b84e400cce844eeb3 upstream. + +An integer overflow may arise in uinput_validate_absinfo() if "max - min" +can't be represented by an "int". We should check for overflow before +trying to use the result. + +Reported-by: Kyungtae Kim +Reviewed-by: Peter Hutterer +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/uinput.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + #include + #include "../input-compat.h" + +@@ -335,7 +336,7 @@ static int uinput_open(struct inode *ino + static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code, + const struct input_absinfo *abs) + { +- int min, max; ++ int min, max, range; + + min = abs->minimum; + max = abs->maximum; +@@ -347,7 +348,7 @@ static int uinput_validate_absinfo(struc + return -EINVAL; + } + +- if (abs->flat > max - min) { ++ if (!check_sub_overflow(max, min, &range) && abs->flat > range) { + printk(KERN_DEBUG + "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n", + UINPUT_NAME, code, abs->flat, min, max); diff --git a/queue-4.9/input-xpad-add-support-for-steelseries-stratus-duo.patch b/queue-4.9/input-xpad-add-support-for-steelseries-stratus-duo.patch new file mode 100644 index 00000000000..d51e75c5c48 --- /dev/null +++ b/queue-4.9/input-xpad-add-support-for-steelseries-stratus-duo.patch @@ -0,0 +1,43 @@ +From fe2bfd0d40c935763812973ce15f5764f1c12833 Mon Sep 17 00:00:00 2001 +From: Tom Panfil +Date: Fri, 11 Jan 2019 17:49:40 -0800 +Subject: Input: xpad - add support for SteelSeries Stratus Duo + +From: Tom Panfil + +commit fe2bfd0d40c935763812973ce15f5764f1c12833 upstream. + +Add support for the SteelSeries Stratus Duo, a wireless Xbox 360 +controller. The Stratus Duo ships with a USB dongle to enable wireless +connectivity, but it can also function as a wired controller by connecting +it directly to a PC via USB, hence the need for two USD PIDs. 0x1430 is the +dongle, and 0x1431 is the controller. + +Signed-off-by: Tom Panfil +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joystick/xpad.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -255,6 +255,8 @@ static const struct xpad_device { + { 0x0f30, 0x0202, "Joytech Advanced Controller", 0, XTYPE_XBOX }, + { 0x0f30, 0x8888, "BigBen XBMiniPad Controller", 0, XTYPE_XBOX }, + { 0x102c, 0xff0c, "Joytech Wireless Advanced Controller", 0, XTYPE_XBOX }, ++ { 0x1038, 0x1430, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 }, ++ { 0x1038, 0x1431, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 }, + { 0x11c9, 0x55f0, "Nacon GC-100XF", 0, XTYPE_XBOX360 }, + { 0x12ab, 0x0004, "Honey Bee Xbox360 dancepad", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x12ab, 0x0301, "PDP AFTERGLOW AX.1", 0, XTYPE_XBOX360 }, +@@ -431,6 +433,7 @@ static const struct usb_device_id xpad_t + XPAD_XBOXONE_VENDOR(0x0e6f), /* 0x0e6f X-Box One controllers */ + XPAD_XBOX360_VENDOR(0x0f0d), /* Hori Controllers */ + XPAD_XBOXONE_VENDOR(0x0f0d), /* Hori Controllers */ ++ XPAD_XBOX360_VENDOR(0x1038), /* SteelSeries Controllers */ + XPAD_XBOX360_VENDOR(0x11c9), /* Nacon GC100XF */ + XPAD_XBOX360_VENDOR(0x12ab), /* X-Box 360 dance pads */ + XPAD_XBOX360_VENDOR(0x1430), /* RedOctane X-Box 360 controllers */ diff --git a/queue-4.9/kvm-x86-fix-single-step-debugging.patch b/queue-4.9/kvm-x86-fix-single-step-debugging.patch new file mode 100644 index 00000000000..cd83a2521a3 --- /dev/null +++ b/queue-4.9/kvm-x86-fix-single-step-debugging.patch @@ -0,0 +1,43 @@ +From 5cc244a20b86090c087073c124284381cdf47234 Mon Sep 17 00:00:00 2001 +From: Alexander Popov +Date: Mon, 21 Jan 2019 15:48:40 +0300 +Subject: KVM: x86: Fix single-step debugging + +From: Alexander Popov + +commit 5cc244a20b86090c087073c124284381cdf47234 upstream. + +The single-step debugging of KVM guests on x86 is broken: if we run +gdb 'stepi' command at the breakpoint when the guest interrupts are +enabled, RIP always jumps to native_apic_mem_write(). Then other +nasty effects follow. + +Long investigation showed that on Jun 7, 2017 the +commit c8401dda2f0a00cd25c0 ("KVM: x86: fix singlestepping over syscall") +introduced the kvm_run.debug corruption: kvm_vcpu_do_singlestep() can +be called without X86_EFLAGS_TF set. + +Let's fix it. Please consider that for -stable. + +Signed-off-by: Alexander Popov +Cc: stable@vger.kernel.org +Fixes: c8401dda2f0a00cd25c0 ("KVM: x86: fix singlestepping over syscall") +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -5795,8 +5795,7 @@ restart: + toggle_interruptibility(vcpu, ctxt->interruptibility); + vcpu->arch.emulate_regs_need_sync_to_vcpu = false; + kvm_rip_write(vcpu, ctxt->eip); +- if (r == EMULATE_DONE && +- (ctxt->tf || (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP))) ++ if (r == EMULATE_DONE && ctxt->tf) + kvm_vcpu_do_singlestep(vcpu, &r); + if (!ctxt->have_exception || + exception_type(ctxt->exception.vector) == EXCPT_TRAP) diff --git a/queue-4.9/series b/queue-4.9/series index 1faee3dd4e6..3e47f43e87a 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -21,3 +21,12 @@ uart-fix-crash-in-uart_write-and-uart_put_char.patch tty-n_hdlc-fix-__might_sleep-warning.patch cifs-fix-possible-hang-during-async-mtu-reads-and-writes.patch cifs-do-not-reconnect-tcp-session-in-add_credits.patch +input-xpad-add-support-for-steelseries-stratus-duo.patch +compiler.h-enable-builtin-overflow-checkers-and-add-fallback-code.patch +input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch +acpi-nfit-block-function-zero-dsms.patch +acpi-nfit-fix-command-supported-detection.patch +dm-thin-fix-passdown_double_checking_shared_status.patch +kvm-x86-fix-single-step-debugging.patch +x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch +x86-kaslr-fix-incorrect-i8254-outb-parameters.patch diff --git a/queue-4.9/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch b/queue-4.9/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch new file mode 100644 index 00000000000..901567c71f5 --- /dev/null +++ b/queue-4.9/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch @@ -0,0 +1,39 @@ +From 7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4 Mon Sep 17 00:00:00 2001 +From: Daniel Drake +Date: Mon, 7 Jan 2019 11:40:24 +0800 +Subject: x86/kaslr: Fix incorrect i8254 outb() parameters + +From: Daniel Drake + +commit 7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4 upstream. + +The outb() function takes parameters value and port, in that order. Fix +the parameters used in the kalsr i8254 fallback code. + +Fixes: 5bfce5ef55cb ("x86, kaslr: Provide randomness functions") +Signed-off-by: Daniel Drake +Signed-off-by: Thomas Gleixner +Cc: bp@alien8.de +Cc: hpa@zytor.com +Cc: linux@endlessm.com +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20190107034024.15005-1-drake@endlessm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/lib/kaslr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/lib/kaslr.c ++++ b/arch/x86/lib/kaslr.c +@@ -35,8 +35,8 @@ static inline u16 i8254(void) + u16 status, timer; + + do { +- outb(I8254_PORT_CONTROL, +- I8254_CMD_READBACK | I8254_SELECT_COUNTER0); ++ outb(I8254_CMD_READBACK | I8254_SELECT_COUNTER0, ++ I8254_PORT_CONTROL); + status = inb(I8254_PORT_COUNTER0); + timer = inb(I8254_PORT_COUNTER0); + timer |= inb(I8254_PORT_COUNTER0) << 8; diff --git a/queue-4.9/x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch b/queue-4.9/x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch new file mode 100644 index 00000000000..ffcdbe504b6 --- /dev/null +++ b/queue-4.9/x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch @@ -0,0 +1,115 @@ +From e1812933b17be7814f51b6c310c5d1ced7a9a5f5 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Wed, 2 Jan 2019 13:56:57 -0800 +Subject: x86/selftests/pkeys: Fork() to check for state being preserved + +From: Dave Hansen + +commit e1812933b17be7814f51b6c310c5d1ced7a9a5f5 upstream. + +There was a bug where the per-mm pkey state was not being preserved across +fork() in the child. fork() is performed in the pkey selftests, but all of +the pkey activity is performed in the parent. The child does not perform +any actions sensitive to pkey state. + +To make the test more sensitive to these kinds of bugs, add a fork() where +the parent exits, and execution continues in the child. + +To achieve this let the key exhaustion test not terminate at the first +allocation failure and fork after 2*NR_PKEYS loops and continue in the +child. + +Signed-off-by: Dave Hansen +Signed-off-by: Thomas Gleixner +Cc: bp@alien8.de +Cc: hpa@zytor.com +Cc: peterz@infradead.org +Cc: mpe@ellerman.id.au +Cc: will.deacon@arm.com +Cc: luto@kernel.org +Cc: jroedel@suse.de +Cc: stable@vger.kernel.org +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Peter Zijlstra +Cc: Michael Ellerman +Cc: Will Deacon +Cc: Andy Lutomirski +Cc: Joerg Roedel +Link: https://lkml.kernel.org/r/20190102215657.585704B7@viggo.jf.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/x86/protection_keys.c | 41 +++++++++++++++++++------- + 1 file changed, 31 insertions(+), 10 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -1129,6 +1129,21 @@ void test_pkey_syscalls_bad_args(int *pt + pkey_assert(err); + } + ++void become_child(void) ++{ ++ pid_t forkret; ++ ++ forkret = fork(); ++ pkey_assert(forkret >= 0); ++ dprintf3("[%d] fork() ret: %d\n", getpid(), forkret); ++ ++ if (!forkret) { ++ /* in the child */ ++ return; ++ } ++ exit(0); ++} ++ + /* Assumes that all pkeys other than 'pkey' are unallocated */ + void test_pkey_alloc_exhaust(int *ptr, u16 pkey) + { +@@ -1139,7 +1154,7 @@ void test_pkey_alloc_exhaust(int *ptr, u + int nr_allocated_pkeys = 0; + int i; + +- for (i = 0; i < NR_PKEYS*2; i++) { ++ for (i = 0; i < NR_PKEYS*3; i++) { + int new_pkey; + dprintf1("%s() alloc loop: %d\n", __func__, i); + new_pkey = alloc_pkey(); +@@ -1150,21 +1165,27 @@ void test_pkey_alloc_exhaust(int *ptr, u + if ((new_pkey == -1) && (errno == ENOSPC)) { + dprintf2("%s() failed to allocate pkey after %d tries\n", + __func__, nr_allocated_pkeys); +- break; ++ } else { ++ /* ++ * Ensure the number of successes never ++ * exceeds the number of keys supported ++ * in the hardware. ++ */ ++ pkey_assert(nr_allocated_pkeys < NR_PKEYS); ++ allocated_pkeys[nr_allocated_pkeys++] = new_pkey; + } +- pkey_assert(nr_allocated_pkeys < NR_PKEYS); +- allocated_pkeys[nr_allocated_pkeys++] = new_pkey; ++ ++ /* ++ * Make sure that allocation state is properly ++ * preserved across fork(). ++ */ ++ if (i == NR_PKEYS*2) ++ become_child(); + } + + dprintf3("%s()::%d\n", __func__, __LINE__); + + /* +- * ensure it did not reach the end of the loop without +- * failure: +- */ +- pkey_assert(i < NR_PKEYS*2); +- +- /* + * There are 16 pkeys supported in hardware. One is taken + * up for the default (0) and another can be taken up by + * an execute-only mapping. Ensure that we can allocate