From: Greg Kroah-Hartman Date: Sat, 27 Mar 2021 14:27:27 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.11.11~61 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=721165fcf253e6e56e207c618b910bb0d6a6f510;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch dm-verity-fix-dm_verity_opts_max-value.patch gcov-fix-clang-11-support.patch integrity-double-check-iint_cache-was-initialized.patch kasan-fix-per-page-tags-for-non-page_alloc-pages.patch netsec-restore-phy-power-state-after-controller-reset.patch platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch squashfs-fix-inode-lookup-sanity-checks.patch squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch
---
diff --git a/queue-5.4/acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch b/queue-5.4/acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch
new file mode 100644
index 00000000000..46382adfc43
--- /dev/null
+++ b/queue-5.4/acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch
@@ -0,0 +1,35 @@
+From c1d1e25a8c542816ae8dee41b81a18d30c7519a0 Mon Sep 17 00:00:00 2001
+From: Chris Chiu
+Date: Fri, 12 Mar 2021 11:24:30 +0800
+Subject: ACPI: video: Add missing callback back for Sony VPCEH3U1E
+
+From: Chris Chiu
+
+commit c1d1e25a8c542816ae8dee41b81a18d30c7519a0 upstream.
+
+The .callback of the quirk for Sony VPCEH3U1E was unintetionally
+removed by the commit 25417185e9b5 ("ACPI: video: Add DMI quirk
+for GIGABYTE GB-BXBT-2807"). Add it back to make sure the quirk
+for Sony VPCEH3U1E works as expected.
+
+Fixes: 25417185e9b5 ("ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807")
+Signed-off-by: Chris Chiu
+Reported-by: Pavel Machek
+Reviewed-by: Pavel Machek (CIP)
+Cc: 5.11+ # 5.11+
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/video_detect.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -150,6 +150,7 @@ static const struct dmi_system_id video_
+ },
+ },
+ {
++ .callback = video_detect_force_vendor,
+ .ident = "Sony VPCEH3U1E",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
diff --git a/queue-5.4/arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch b/queue-5.4/arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch
new file mode 100644
index 00000000000..1b9a46a6f83
--- /dev/null
+++ b/queue-5.4/arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch
@@ -0,0 +1,40 @@
+From 221c3a09ddf70a0a51715e6c2878d8305e95c558 Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea
+Date: Wed, 11 Apr 2018 19:05:03 +0300
+Subject: ARM: dts: at91-sama5d27_som1: fix phy address to 7
+
+From: Claudiu Beznea
+
+commit 221c3a09ddf70a0a51715e6c2878d8305e95c558 upstream.
+
+Fix the phy address to 7 for Ethernet PHY on SAMA5D27 SOM1. No
+connection established if phy address 0 is used.
+
+The board uses the 24 pins version of the KSZ8081RNA part, KSZ8081RNA
+pin 16 REFCLK as PHYAD bit [2] has weak internal pull-down. But at
+reset, connected to PD09 of the MPU it's connected with an internal
+pull-up forming PHYAD[2:0] = 7.
+
+Signed-off-by: Claudiu Beznea
+Fixes: 2f61929eb10a ("ARM: dts: at91: at91-sama5d27_som1: fix PHY ID")
+Cc: Ludovic Desroches
+Signed-off-by: Nicolas Ferre
+Cc: # 4.14+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/boot/dts/at91-sama5d27_som1.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/at91-sama5d27_som1.dtsi
++++ b/arch/arm/boot/dts/at91-sama5d27_som1.dtsi
+@@ -44,8 +44,8 @@
+ pinctrl-0 = <&pinctrl_macb0_default>;
+ phy-mode = "rmii";
+
+- ethernet-phy@0 {
+- reg = <0x0>;
++ ethernet-phy@7 {
++ reg = <0x7>;
+ interrupt-parent = <&pioA>;
+ interrupts = ;
+ pinctrl-names = "default";
diff --git a/queue-5.4/arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch b/queue-5.4/arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch
new file mode 100644
index 00000000000..e0b178e7cec
--- /dev/null
+++ b/queue-5.4/arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch
@@ -0,0 +1,38 @@
+From ba8da03fa7dff59d9400250aebd38f94cde3cb0f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?=
+Date: Sun, 7 Mar 2021 22:47:37 +0200
+Subject: arm64: dts: ls1012a: mark crypto engine dma coherent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă
+
+commit ba8da03fa7dff59d9400250aebd38f94cde3cb0f upstream.
+
+Crypto engine (CAAM) on LS1012A platform is configured HW-coherent,
+mark accordingly the DT node.
+
+Lack of "dma-coherent" property for an IP that is configured HW-coherent
+can lead to problems, similar to what has been reported for LS1046A.
+
+Cc: # v4.12+
+Fixes: 85b85c569507 ("arm64: dts: ls1012a: add crypto node")
+Signed-off-by: Horia Geantă
+Acked-by: Li Yang
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1012a.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1012a.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1012a.dtsi
+@@ -177,6 +177,7 @@
+ ranges = <0x0 0x00 0x1700000 0x100000>;
+ reg = <0x00 0x1700000 0x0 0x100000>;
+ interrupts = ;
++ dma-coherent;
+
+ sec_jr0: jr@10000 {
+ compatible = "fsl,sec-v5.4-job-ring",
diff --git a/queue-5.4/arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch b/queue-5.4/arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch
new file mode 100644
index 00000000000..9eae63513b5
--- /dev/null
+++ b/queue-5.4/arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch
@@ -0,0 +1,39 @@
+From 4fb3a074755b7737c4081cffe0ccfa08c2f2d29d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?=
+Date: Sun, 7 Mar 2021 22:47:36 +0200
+Subject: arm64: dts: ls1043a: mark crypto engine dma coherent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă
+
+commit 4fb3a074755b7737c4081cffe0ccfa08c2f2d29d upstream.
+
+Crypto engine (CAAM) on LS1043A platform is configured HW-coherent,
+mark accordingly the DT node.
+
+Lack of "dma-coherent" property for an IP that is configured HW-coherent
+can lead to problems, similar to what has been reported for LS1046A.
+
+Cc: # v4.8+
+Fixes: 63dac35b58f4 ("arm64: dts: ls1043a: add crypto node")
+Link: https://lore.kernel.org/linux-crypto/fe6faa24-d8f7-d18f-adfa-44fa0caa1598@arm.com
+Signed-off-by: Horia Geantă
+Acked-by: Li Yang
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi
+@@ -241,6 +241,7 @@
+ ranges = <0x0 0x00 0x1700000 0x100000>;
+ reg = <0x00 0x1700000 0x0 0x100000>;
+ interrupts = <0 75 0x4>;
++ dma-coherent;
+
+ sec_jr0: jr@10000 {
+ compatible = "fsl,sec-v5.4-job-ring",
diff --git a/queue-5.4/arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch b/queue-5.4/arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch
new file mode 100644
index 00000000000..211ae4b7d94
--- /dev/null
+++ b/queue-5.4/arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch
@@ -0,0 +1,87 @@
+From 9c3a16f88385e671b63a0de7b82b85e604a80f42 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?=
+Date: Sun, 7 Mar 2021 22:47:35 +0200
+Subject: arm64: dts: ls1046a: mark crypto engine dma coherent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă
+
+commit 9c3a16f88385e671b63a0de7b82b85e604a80f42 upstream.
+
+Crypto engine (CAAM) on LS1046A platform is configured HW-coherent,
+mark accordingly the DT node.
+
+As reported by Greg and Sascha, and explained by Robin, lack of
+"dma-coherent" property for an IP that is configured HW-coherent
+can lead to problems, e.g. on v5.11:
+
+> kernel BUG at drivers/crypto/caam/jr.c:247!
+> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+> Modules linked in:
+> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.11.0-20210225-3-00039-g434215968816-dirty #12
+> Hardware name: TQ TQMLS1046A SoM on Arkona AT1130 (C300) board (DT)
+> pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
+> pc : caam_jr_dequeue+0x98/0x57c
+> lr : caam_jr_dequeue+0x98/0x57c
+> sp : ffff800010003d50
+> x29: ffff800010003d50 x28: ffff8000118d4000
+> x27: ffff8000118d4328 x26: 00000000000001f0
+> x25: ffff0008022be480 x24: ffff0008022c6410
+> x23: 00000000000001f1 x22: ffff8000118d4329
+> x21: 0000000000004d80 x20: 00000000000001f1
+> x19: 0000000000000001 x18: 0000000000000020
+> x17: 0000000000000000 x16: 0000000000000015
+> x15: ffff800011690230 x14: 2e2e2e2e2e2e2e2e
+> x13: 2e2e2e2e2e2e2020 x12: 3030303030303030
+> x11: ffff800011700a38 x10: 00000000fffff000
+> x9 : ffff8000100ada30 x8 : ffff8000116a8a38
+> x7 : 0000000000000001 x6 : 0000000000000000
+> x5 : 0000000000000000 x4 : 0000000000000000
+> x3 : 00000000ffffffff x2 : 0000000000000000
+> x1 : 0000000000000000 x0 : 0000000000001800
+> Call trace:
+> caam_jr_dequeue+0x98/0x57c
+> tasklet_action_common.constprop.0+0x164/0x18c
+> tasklet_action+0x44/0x54
+> __do_softirq+0x160/0x454
+> __irq_exit_rcu+0x164/0x16c
+> irq_exit+0x1c/0x30
+> __handle_domain_irq+0xc0/0x13c
+> gic_handle_irq+0x5c/0xf0
+> el1_irq+0xb4/0x180
+> arch_cpu_idle+0x18/0x30
+> default_idle_call+0x3c/0x1c0
+> do_idle+0x23c/0x274
+> cpu_startup_entry+0x34/0x70
+> rest_init+0xdc/0xec
+> arch_call_rest_init+0x1c/0x28
+> start_kernel+0x4ac/0x4e4
+> Code: 91392021 912c2000 d377d8c6 97f24d96 (d4210000)
+
+Cc: # v4.10+
+Fixes: 8126d88162a5 ("arm64: dts: add QorIQ LS1046A SoC support")
+Link: https://lore.kernel.org/linux-crypto/fe6faa24-d8f7-d18f-adfa-44fa0caa1598@arm.com
+Reported-by: Greg Ungerer
+Reported-by: Sascha Hauer
+Tested-by: Sascha Hauer
+Signed-off-by: Horia Geantă
+Acked-by: Greg Ungerer
+Acked-by: Li Yang
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi
+@@ -244,6 +244,7 @@
+ ranges = <0x0 0x00 0x1700000 0x100000>;
+ reg = <0x00 0x1700000 0x0 0x100000>;
+ interrupts = ;
++ dma-coherent;
+
+ sec_jr0: jr@10000 {
+ compatible = "fsl,sec-v5.4-job-ring",
diff --git a/queue-5.4/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch b/queue-5.4/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
new file mode 100644
index 00000000000..87941f54bbc
--- /dev/null
+++ b/queue-5.4/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
@@ -0,0 +1,37 @@
+From 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Fri, 26 Mar 2021 14:32:32 -0400
+Subject: dm ioctl: fix out of bounds array access when no devices
+
+From: Mikulas Patocka
+
+commit 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a upstream.
+
+If there are not any dm devices, we need to zero the "dev" argument in
+the first structure dm_name_list. However, this can cause out of
+bounds write, because the "needed" variable is zero and len may be
+less than eight.
+
+Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is
+too small to hold the "nl->dev" value.
+
+Signed-off-by: Mikulas Patocka
+Reported-by: Dan Carpenter
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -529,7 +529,7 @@ static int list_devices(struct file *fil
+ * Grab our output buffer.
+ */
+ nl = orig_nl = get_result_buffer(param, param_size, &len);
+- if (len < needed) {
++ if (len < needed || len < sizeof(nl->dev)) {
+ param->flags |= DM_BUFFER_FULL_FLAG;
+ goto out;
+ }
diff --git a/queue-5.4/dm-verity-fix-dm_verity_opts_max-value.patch b/queue-5.4/dm-verity-fix-dm_verity_opts_max-value.patch
new file mode 100644
index 00000000000..510602685ac
--- /dev/null
+++ b/queue-5.4/dm-verity-fix-dm_verity_opts_max-value.patch
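Review bot: The added `len < sizeof(nl->dev)` term in `list_devices()` carries no comment, and nothing in the visible code says why a second bound is needed next to `len < needed`. Per the commit message, `needed` is zero when there are no dm devices while `nl->dev` is still zeroed, so the extra term is the only thing keeping that store inside the caller-sized result buffer. A short comment above the test would stop a later cleanup from dropping it as redundant, for example `/* needed is 0 with no devices, but nl->dev is still written below */`. The store itself lies outside the hunk, so its exact location should be confirmed against the full function.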
@@ -0,0 +1,33 @@
+From 160f99db943224e55906dd83880da1a704c6e6b9 Mon Sep 17 00:00:00 2001
+From: JeongHyeon Lee
+Date: Thu, 11 Mar 2021 21:10:50 +0900
+Subject: dm verity: fix DM_VERITY_OPTS_MAX value
+
+From: JeongHyeon Lee
+
+commit 160f99db943224e55906dd83880da1a704c6e6b9 upstream.
+
+Three optional parameters must be accepted at once in a DM verity table, e.g.:
+ (verity_error_handling_mode) (ignore_zero_block) (check_at_most_once)
+Fix this to be possible by incrementing DM_VERITY_OPTS_MAX.
+
+Signed-off-by: JeongHyeon Lee
+Fixes: 843f38d382b1 ("dm verity: add 'check_at_most_once' option to only validate hashes once")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-verity-target.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-verity-target.c
++++ b/drivers/md/dm-verity-target.c
+@@ -33,7 +33,7 @@
+ #define DM_VERITY_OPT_IGN_ZEROES "ignore_zero_blocks"
+ #define DM_VERITY_OPT_AT_MOST_ONCE "check_at_most_once"
+
+-#define DM_VERITY_OPTS_MAX (2 + DM_VERITY_OPTS_FEC + \
++#define DM_VERITY_OPTS_MAX (3 + DM_VERITY_OPTS_FEC + \
+ DM_VERITY_ROOT_HASH_VERIFICATION_OPTS)
+
+ static unsigned dm_verity_prefetch_cluster = DM_VERITY_DEFAULT_PREFETCH_SIZE;
diff --git a/queue-5.4/gcov-fix-clang-11-support.patch b/queue-5.4/gcov-fix-clang-11-support.patch
new file mode 100644
index 00000000000..9d61ea79564
--- /dev/null
+++ b/queue-5.4/gcov-fix-clang-11-support.patch
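Review bot: `DM_VERITY_OPTS_MAX` remains a hand-counted literal (`3 + ...`) with nothing on the define saying which options the 3 stands for, which is how it fell behind when `check_at_most_once` was added (see the Fixes: tag). Because the limit decides whether a verity table with all options set is accepted, a stale count silently rejects a valid integrity configuration. Suggest a comment on the define naming the counted options, e.g. `/* 3 = error handling mode, ignore_zero_blocks, check_at_most_once */`, so the next new option bumps the count in the same change.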
@@ -0,0 +1,163 @@ +From 60bcf728ee7c60ac2a1f9a0eaceb3a7b3954cd2b Mon Sep 17 00:00:00 2001 +From: Nick Desaulniers +Date: Wed, 24 Mar 2021 21:37:44 -0700 +Subject: gcov: fix clang-11+ support + +From: Nick Desaulniers + +commit 60bcf728ee7c60ac2a1f9a0eaceb3a7b3954cd2b upstream. + +LLVM changed the expected function signatures for llvm_gcda_start_file() +and llvm_gcda_emit_function() in the clang-11 release. Users of +clang-11 or newer may have noticed their kernels failing to boot due to +a panic when enabling CONFIG_GCOV_KERNEL=y +CONFIG_GCOV_PROFILE_ALL=y. +Fix up the function signatures so calling these functions doesn't panic +the kernel. + +Link: https://reviews.llvm.org/rGcdd683b516d147925212724b09ec6fb792a40041 +Link: https://reviews.llvm.org/rG13a633b438b6500ecad9e4f936ebadf3411d0f44 +Link: https://lkml.kernel.org/r/20210312224132.3413602-2-ndesaulniers@google.com +Signed-off-by: Nick Desaulniers +Reported-by: Prasad Sodagudi +Suggested-by: Nathan Chancellor +Reviewed-by: Fangrui Song +Tested-by: Nathan Chancellor +Acked-by: Peter Oberparleiter +Reviewed-by: Nathan Chancellor +Cc: [5.4+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + kernel/gcov/clang.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 69 insertions(+) + +--- a/kernel/gcov/clang.c ++++ b/kernel/gcov/clang.c +@@ -75,7 +75,9 @@ struct gcov_fn_info { + + u32 num_counters; + u64 *counters; ++#if CONFIG_CLANG_VERSION < 110000 + const char *function_name; ++#endif + }; + + static struct gcov_info *current_info; +@@ -105,6 +107,7 @@ void llvm_gcov_init(llvm_gcov_callback w + } + EXPORT_SYMBOL(llvm_gcov_init); + ++#if CONFIG_CLANG_VERSION < 110000 + void llvm_gcda_start_file(const char *orig_filename, const char version[4], + u32 checksum) + { +@@ -113,7 +116,17 @@ void llvm_gcda_start_file(const char *or + current_info->checksum = checksum; + } + EXPORT_SYMBOL(llvm_gcda_start_file); ++#else ++void 
llvm_gcda_start_file(const char *orig_filename, u32 version, u32 checksum) ++{ ++ current_info->filename = orig_filename; ++ current_info->version = version; ++ current_info->checksum = checksum; ++} ++EXPORT_SYMBOL(llvm_gcda_start_file); ++#endif + ++#if CONFIG_CLANG_VERSION < 110000 + void llvm_gcda_emit_function(u32 ident, const char *function_name, + u32 func_checksum, u8 use_extra_checksum, u32 cfg_checksum) + { +@@ -133,6 +146,24 @@ void llvm_gcda_emit_function(u32 ident, + list_add_tail(&info->head, ¤t_info->functions); + } + EXPORT_SYMBOL(llvm_gcda_emit_function); ++#else ++void llvm_gcda_emit_function(u32 ident, u32 func_checksum, ++ u8 use_extra_checksum, u32 cfg_checksum) ++{ ++ struct gcov_fn_info *info = kzalloc(sizeof(*info), GFP_KERNEL); ++ ++ if (!info) ++ return; ++ ++ INIT_LIST_HEAD(&info->head); ++ info->ident = ident; ++ info->checksum = func_checksum; ++ info->use_extra_checksum = use_extra_checksum; ++ info->cfg_checksum = cfg_checksum; ++ list_add_tail(&info->head, ¤t_info->functions); ++} ++EXPORT_SYMBOL(llvm_gcda_emit_function); ++#endif + + void llvm_gcda_emit_arcs(u32 num_counters, u64 *counters) + { +@@ -295,6 +326,7 @@ void gcov_info_add(struct gcov_info *dst + } + } + ++#if CONFIG_CLANG_VERSION < 110000 + static struct gcov_fn_info *gcov_fn_info_dup(struct gcov_fn_info *fn) + { + size_t cv_size; /* counter values size */ +@@ -322,6 +354,28 @@ err_name: + kfree(fn_dup); + return NULL; + } ++#else ++static struct gcov_fn_info *gcov_fn_info_dup(struct gcov_fn_info *fn) ++{ ++ size_t cv_size; /* counter values size */ ++ struct gcov_fn_info *fn_dup = kmemdup(fn, sizeof(*fn), ++ GFP_KERNEL); ++ if (!fn_dup) ++ return NULL; ++ INIT_LIST_HEAD(&fn_dup->head); ++ ++ cv_size = fn->num_counters * sizeof(fn->counters[0]); ++ fn_dup->counters = vmalloc(cv_size); ++ if (!fn_dup->counters) { ++ kfree(fn_dup); ++ return NULL; ++ } ++ ++ memcpy(fn_dup->counters, fn->counters, cv_size); ++ ++ return fn_dup; ++} ++#endif + + /** + * gcov_info_dup - 
duplicate profiling data set +@@ -362,6 +416,7 @@ err: + * gcov_info_free - release memory for profiling data set duplicate + * @info: profiling data set duplicate to free + */ ++#if CONFIG_CLANG_VERSION < 110000 + void gcov_info_free(struct gcov_info *info) + { + struct gcov_fn_info *fn, *tmp; +@@ -375,6 +430,20 @@ void gcov_info_free(struct gcov_info *in + kfree(info->filename); + kfree(info); + } ++#else ++void gcov_info_free(struct gcov_info *info) ++{ ++ struct gcov_fn_info *fn, *tmp; ++ ++ list_for_each_entry_safe(fn, tmp, &info->functions, head) { ++ vfree(fn->counters); ++ list_del(&fn->head); ++ kfree(fn); ++ } ++ kfree(info->filename); ++ kfree(info); ++} ++#endif + + #define ITER_STRIDE PAGE_SIZE + diff --git a/queue-5.4/integrity-double-check-iint_cache-was-initialized.patch b/queue-5.4/integrity-double-check-iint_cache-was-initialized.patch new file mode 100644 index 00000000000..339912feb4d --- /dev/null +++ b/queue-5.4/integrity-double-check-iint_cache-was-initialized.patch 
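Review bot: The `#else` copies of `gcov_fn_info_dup()` and `gcov_info_free()` in kernel/gcov/clang.c repeat each function in full, although the struct change suggests only the `function_name` handling differs between the two compiler ranges (the pre-clang-11 bodies are mostly outside the hunks, so this is inferred). Two parallel allocation and free paths are easy to let drift, and a fix applied to one branch only would leave a leak or a stray free in the other. Where the difference is a single statement, guarding just that statement keeps one body, e.g. `#if CONFIG_CLANG_VERSION < 110000` / `kfree(fn->function_name);` / `#endif` inside the loop of `gcov_info_free()`. The kernel-doc block for `gcov_info_free` also now sits above the `#if` rather than directly above a definition, so it should move or be repeated.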
@@ -0,0 +1,98 @@ +From 92063f3ca73aab794bd5408d3361fd5b5ea33079 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Fri, 19 Mar 2021 11:17:23 -0400 +Subject: integrity: double check iint_cache was initialized + +From: Mimi Zohar + +commit 92063f3ca73aab794bd5408d3361fd5b5ea33079 upstream. + +The kernel may be built with multiple LSMs, but only a subset may be +enabled on the boot command line by specifying "lsm=". Not including +"integrity" on the ordered LSM list may result in a NULL deref. + +As reported by Dmitry Vyukov: +in qemu: +qemu-system-x86_64 -enable-kvm -machine q35,nvdimm -cpu +max,migratable=off -smp 4 -m 4G,slots=4,maxmem=16G -hda +wheezy.img -kernel arch/x86/boot/bzImage -nographic -vga std + -soundhw all -usb -usbdevice tablet -bt hci -bt device:keyboard + -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net +nic,model=virtio-net-pci -object +memory-backend-file,id=pmem1,share=off,mem-path=/dev/zero,size=64M + -device nvdimm,id=nvdimm1,memdev=pmem1 -append "console=ttyS0 +root=/dev/sda earlyprintk=serial rodata=n oops=panic panic_on_warn=1 +panic=86400 lsm=smack numa=fake=2 nopcid dummy_hcd.num=8" -pidfile +vm_pid -m 2G -cpu host + +But it crashes on NULL deref in integrity_inode_get during boot: + +Run /sbin/init as init process +BUG: kernel NULL pointer dereference, address: 000000000000001c +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP KASAN +CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc2+ #97 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS +rel-1.13.0-44-g88ab0c15525c-prebuilt.qemu.org 04/01/2014 +RIP: 0010:kmem_cache_alloc+0x2b/0x370 mm/slub.c:2920 +Code: 57 41 56 41 55 41 54 41 89 f4 55 48 89 fd 53 48 83 ec 10 44 8b +3d d9 1f 90 0b 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 31 c0 <8b> 5f +1c 4cf +RSP: 0000:ffffc9000032f9d8 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff888017fc4f00 RCX: 0000000000000000 +RDX: ffff888040220000 RSI: 0000000000000c40 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000000 R09: 
ffff888019263627 +R10: ffffffff83937cd1 R11: 0000000000000000 R12: 0000000000000c40 +R13: ffff888019263538 R14: 0000000000000000 R15: 0000000000ffffff +FS: 0000000000000000(0000) GS:ffff88802d180000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000000001c CR3: 000000000b48e000 CR4: 0000000000750ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + integrity_inode_get+0x47/0x260 security/integrity/iint.c:105 + process_measurement+0x33d/0x17e0 security/integrity/ima/ima_main.c:237 + ima_bprm_check+0xde/0x210 security/integrity/ima/ima_main.c:474 + security_bprm_check+0x7d/0xa0 security/security.c:845 + search_binary_handler fs/exec.c:1708 [inline] + exec_binprm fs/exec.c:1761 [inline] + bprm_execve fs/exec.c:1830 [inline] + bprm_execve+0x764/0x19a0 fs/exec.c:1792 + kernel_execve+0x370/0x460 fs/exec.c:1973 + try_to_run_init_process+0x14/0x4e init/main.c:1366 + kernel_init+0x11d/0x1b8 init/main.c:1477 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 +Modules linked in: +CR2: 000000000000001c +---[ end trace 22d601a500de7d79 ]--- + +Since LSMs and IMA may be configured at build time, but not enabled at +run time, panic the system if "integrity" was not initialized before use. 
+ +Reported-by: Dmitry Vyukov +Fixes: 79f7865d844c ("LSM: Introduce "lsm=" for boottime LSM selection") +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/iint.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/security/integrity/iint.c ++++ b/security/integrity/iint.c +@@ -98,6 +98,14 @@ struct integrity_iint_cache *integrity_i + struct rb_node *node, *parent = NULL; + struct integrity_iint_cache *iint, *test_iint; + ++ /* ++ * The integrity's "iint_cache" is initialized at security_init(), ++ * unless it is not included in the ordered list of LSMs enabled ++ * on the boot command line. ++ */ ++ if (!iint_cache) ++ panic("%s: lsm=integrity required.\n", __func__); ++ + iint = integrity_iint_find(inode); + if (iint) + return iint; diff --git a/queue-5.4/kasan-fix-per-page-tags-for-non-page_alloc-pages.patch b/queue-5.4/kasan-fix-per-page-tags-for-non-page_alloc-pages.patch new file mode 100644 index 00000000000..81e808ab391 --- /dev/null +++ b/queue-5.4/kasan-fix-per-page-tags-for-non-page_alloc-pages.patch 
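Review bot: The new comment in `integrity_inode_get()` explains when `iint_cache` can be unset but not why the response is `panic()` rather than an error return, and that choice is the part a maintainer will question. As written, a kernel built with the integrity code but booted with an `lsm=` list that omits it halts at the first caller (the first exec of init in the quoted trace) instead of at initialisation time. If halting is the intended fail-closed behaviour, say so in the comment, for example by adding `* Deliberately fatal: callers cannot proceed without the iint cache.`. The rest of the function and its callers are outside the hunk, so whether they already tolerate a NULL return cannot be judged from here.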
@@ -0,0 +1,87 @@
+From cf10bd4c4aff8dd64d1aa7f2a529d0c672bc16af Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Wed, 24 Mar 2021 21:37:20 -0700
+Subject: kasan: fix per-page tags for non-page_alloc pages
+
+From: Andrey Konovalov
+
+commit cf10bd4c4aff8dd64d1aa7f2a529d0c672bc16af upstream.
+
+To allow performing tag checks on page_alloc addresses obtained via
+page_address(), tag-based KASAN modes store tags for page_alloc
+allocations in page->flags.
+
+Currently, the default tag value stored in page->flags is 0x00.
+Therefore, page_address() returns a 0x00ffff... address for pages that
+were not allocated via page_alloc.
+
+This might cause problems. A particular case we encountered is a
+conflict with KFENCE. If a KFENCE-allocated slab object is being freed
+via kfree(page_address(page) + offset), the address passed to kfree()
+will get tagged with 0x00 (as slab pages keep the default per-page
+tags). This leads to is_kfence_address() check failing, and a KFENCE
+object ending up in normal slab freelist, which causes memory
+corruptions.
+
+This patch changes the way KASAN stores tag in page-flags: they are now
+stored xor'ed with 0xff. This way, KASAN doesn't need to initialize
+per-page flags for every created page, which might be slow.
+
+With this change, page_address() returns natively-tagged (with 0xff)
+pointers for pages that didn't have tags set explicitly.
+
+This patch fixes the encountered conflict with KFENCE and prevents more
+similar issues that can occur in the future.
+
+Link: https://lkml.kernel.org/r/1a41abb11c51b264511d9e71c303bb16d5cb367b.1615475452.git.andreyknvl@google.com
+Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via pagealloc")
+Signed-off-by: Andrey Konovalov
+Reviewed-by: Marco Elver
+Cc: Catalin Marinas
+Cc: Will Deacon
+Cc: Vincenzo Frascino
+Cc: Dmitry Vyukov
+Cc: Andrey Ryabinin
+Cc: Alexander Potapenko
+Cc: Peter Collingbourne
+Cc: Evgenii Stepanov
+Cc: Branislav Rankov
+Cc: Kevin Brodsky
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/mm.h | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1226,13 +1226,26 @@ static inline bool cpupid_match_pid(stru
+ #endif /* CONFIG_NUMA_BALANCING */
+
+ #ifdef CONFIG_KASAN_SW_TAGS
++
++/*
++ * KASAN per-page tags are stored xor'ed with 0xff. This allows to avoid
++ * setting tags for all pages to native kernel tag value 0xff, as the default
++ * value 0x00 maps to 0xff.
++ */
++
+ static inline u8 page_kasan_tag(const struct page *page)
+ {
+- return (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK;
++ u8 tag;
++
++ tag = (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK;
++ tag ^= 0xff;
++
++ return tag;
+ }
+
+ static inline void page_kasan_tag_set(struct page *page, u8 tag)
+ {
++ tag ^= 0xff;
+ page->flags &= ~(KASAN_TAG_MASK << KASAN_TAG_PGSHIFT);
+ page->flags |= (tag & KASAN_TAG_MASK) << KASAN_TAG_PGSHIFT;
+ }
diff --git a/queue-5.4/netsec-restore-phy-power-state-after-controller-reset.patch b/queue-5.4/netsec-restore-phy-power-state-after-controller-reset.patch
new file mode 100644
index 00000000000..b30cf477ac3
--- /dev/null
+++ b/queue-5.4/netsec-restore-phy-power-state-after-controller-reset.patch
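Review bot: `page_kasan_tag()` and `page_kasan_tag_set()` both xor with the literal `0xff` while the stored field is bounded by `KASAN_TAG_MASK`, and nothing ties the two together. The encoding round-trips only if the mask is eight bits wide, which is not visible in this hunk; with a narrower mask `page_kasan_tag()` would return bits the setter never stored. Since the block comment already explains the scheme, it would help to state that dependency there, e.g. `* The xor constant must equal KASAN_TAG_MASK.`, or to apply the xor before masking in the getter so the result always stays inside the mask.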
@@ -0,0 +1,50 @@
+From 804741ac7b9f2fdebe3740cb0579cb8d94d49e60 Mon Sep 17 00:00:00 2001
+From: Mian Yousaf Kaukab
+Date: Thu, 18 Mar 2021 09:50:26 +0100
+Subject: netsec: restore phy power state after controller reset
+
+From: Mian Yousaf Kaukab
+
+commit 804741ac7b9f2fdebe3740cb0579cb8d94d49e60 upstream.
+
+Since commit 8e850f25b581 ("net: socionext: Stop PHY before resetting
+netsec") netsec_netdev_init() power downs phy before resetting the
+controller. However, the state is not restored once the reset is
+complete. As a result it is not possible to bring up network on a
+platform with Broadcom BCM5482 phy.
+
+Fix the issue by restoring phy power state after controller reset is
+complete.
+
+Fixes: 8e850f25b581 ("net: socionext: Stop PHY before resetting netsec")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mian Yousaf Kaukab
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/socionext/netsec.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/socionext/netsec.c
++++ b/drivers/net/ethernet/socionext/netsec.c
+@@ -1693,14 +1693,17 @@ static int netsec_netdev_init(struct net
+ goto err1;
+
+ /* set phy power down */
+- data = netsec_phy_read(priv->mii_bus, priv->phy_addr, MII_BMCR) |
+- BMCR_PDOWN;
+- netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, data);
++ data = netsec_phy_read(priv->mii_bus, priv->phy_addr, MII_BMCR);
++ netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR,
++ data | BMCR_PDOWN);
+
+ ret = netsec_reset_hardware(priv, true);
+ if (ret)
+ goto err2;
+
++ /* Restore phy power state */
++ netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, data);
++
+ spin_lock_init(&priv->desc_ring[NETSEC_RING_TX].lock);
+ spin_lock_init(&priv->desc_ring[NETSEC_RING_RX].lock);
+
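Review bot: The value saved from `netsec_phy_read()` is now written back to `MII_BMCR` after the reset, but nothing in the visible lines checks that the read succeeded. If the helper can return an error code (its definition and the declaration of `data` are outside the hunk, so this is an assumption), that code is first OR-ed with `BMCR_PDOWN` and later restored into the control register as if it were the previous contents. Reading into `ret` first and bailing out on a negative value before either write would close that gap; the return values of both `netsec_phy_write()` calls are ignored as well. Separately, the `goto err2` path skips the restore and leaves the PHY powered down when the reset fails; if that is intended, a comment at the `goto` should say so.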
diff --git a/queue-5.4/platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch b/queue-5.4/platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch
new file mode 100644
index 00000000000..e1b385e33d5
--- /dev/null
+++ b/queue-5.4/platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch
@@ -0,0 +1,61 @@
+From 538d2dd0b9920334e6596977a664e9e7bac73703 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Sun, 21 Mar 2021 17:35:13 +0100
+Subject: platform/x86: intel-vbtn: Stop reporting SW_DOCK events
+
+From: Hans de Goede
+
+commit 538d2dd0b9920334e6596977a664e9e7bac73703 upstream.
+
+Stop reporting SW_DOCK events because this breaks suspend-on-lid-close.
+
+SW_DOCK should only be reported for docking stations, but all the DSDTs in
+my DSDT collection which use the intel-vbtn code, always seem to use this
+for 2-in-1s / convertibles and set SW_DOCK=1 when in laptop-mode (in tandem
+with setting SW_TABLET_MODE=0).
+
+This causes userspace to think the laptop is docked to a port-replicator
+and to disable suspend-on-lid-close, which is undesirable.
+
+Map the dock events to KEY_IGNORE to avoid this broken SW_DOCK reporting.
+
+Note this may theoretically cause us to stop reporting SW_DOCK on some
+device where the 0xCA and 0xCB intel-vbtn events are actually used for
+reporting docking to a classic docking-station / port-replicator but
+I'm not aware of any such devices.
+
+Also the most important thing is that we only report SW_DOCK when it
+reliably reports being docked to a classic docking-station without any
+false positives, which clearly is not the case here. If there is a
+chance of reporting false positives then it is better to not report
+SW_DOCK at all.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20210321163513.72328-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/intel-vbtn.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -46,8 +46,16 @@ static const struct key_entry intel_vbtn
+ };
+
+ static const struct key_entry intel_vbtn_switchmap[] = {
+- { KE_SW, 0xCA, { .sw = { SW_DOCK, 1 } } }, /* Docked */
+- { KE_SW, 0xCB, { .sw = { SW_DOCK, 0 } } }, /* Undocked */
++ /*
++ * SW_DOCK should only be reported for docking stations, but DSDTs using the
++ * intel-vbtn code, always seem to use this for 2-in-1s / convertibles and set
++ * SW_DOCK=1 when in laptop-mode (in tandem with setting SW_TABLET_MODE=0).
++ * This causes userspace to think the laptop is docked to a port-replicator
++ * and to disable suspend-on-lid-close, which is undesirable.
++ * Map the dock events to KEY_IGNORE to avoid this broken SW_DOCK reporting.
++ */
++ { KE_IGNORE, 0xCA, { .sw = { SW_DOCK, 1 } } }, /* Docked */
++ { KE_IGNORE, 0xCB, { .sw = { SW_DOCK, 0 } } }, /* Undocked */
+ { KE_SW, 0xCC, { .sw = { SW_TABLET_MODE, 1 } } }, /* Tablet */
+ { KE_SW, 0xCD, { .sw = { SW_TABLET_MODE, 0 } } }, /* Laptop */
+ };
diff --git a/queue-5.4/series b/queue-5.4/series
index d09173e4bca..e2253e6c334 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
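Review bot: The comment added to `intel_vbtn_switchmap[]` says the dock events are mapped to `KEY_IGNORE`, but the two entries use `KE_IGNORE`; the comment should name the constant the code actually uses so a search for it lands here. Both entries also keep their `.sw = { SW_DOCK, 1 }` and `.sw = { SW_DOCK, 0 }` payloads, which presumably go unused once the entry type is `KE_IGNORE`. Either drop the payloads or add a line to the comment saying they are kept to document what the 0xCA and 0xCB events nominally mean.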
@@ -36,3 +36,17 @@ nfs-we-don-t-support-removing-system.nfs4_acl.patch
 block-suppress-uevent-for-hidden-device-when-removed.patch
 ia64-fix-ia64_syscall_get_set_arguments-for-break-ba.patch
 ia64-fix-ptrace-ptrace_syscall_info_exit-sign.patch
+netsec-restore-phy-power-state-after-controller-reset.patch
+platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch
+squashfs-fix-inode-lookup-sanity-checks.patch
+squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch
+kasan-fix-per-page-tags-for-non-page_alloc-pages.patch
+gcov-fix-clang-11-support.patch
+acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch
+arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch
+arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch
+arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch
+arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch
+integrity-double-check-iint_cache-was-initialized.patch
+dm-verity-fix-dm_verity_opts_max-value.patch
+dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
diff --git a/queue-5.4/squashfs-fix-inode-lookup-sanity-checks.patch b/queue-5.4/squashfs-fix-inode-lookup-sanity-checks.patch
new file mode 100644
index 00000000000..bcaa1500683
--- /dev/null
+++ b/queue-5.4/squashfs-fix-inode-lookup-sanity-checks.patch
@@ -0,0 +1,61 @@
+From c1b2028315c6b15e8d6725e0d5884b15887d3daa Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer
+Date: Wed, 24 Mar 2021 21:37:32 -0700
+Subject: squashfs: fix inode lookup sanity checks
+
+From: Sean Nyekjaer
+
+commit c1b2028315c6b15e8d6725e0d5884b15887d3daa upstream.
+
+When mouting a squashfs image created without inode compression it fails
+with: "unable to read inode lookup table"
+
+It turns out that the BLOCK_OFFSET is missing when checking the
+SQUASHFS_METADATA_SIZE agaist the actual size.
+
+Link: https://lkml.kernel.org/r/20210226092903.1473545-1-sean@geanix.com
+Fixes: eabac19e40c0 ("squashfs: add more sanity checks in inode lookup")
+Signed-off-by: Sean Nyekjaer
+Acked-by: Phillip Lougher
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/squashfs/export.c | 8 ++++++--
+ fs/squashfs/squashfs_fs.h | 1 +
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/squashfs/export.c
++++ b/fs/squashfs/export.c
+@@ -152,14 +152,18 @@ __le64 *squashfs_read_inode_lookup_table
+ start = le64_to_cpu(table[n]);
+ end = le64_to_cpu(table[n + 1]);
+
+- if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
++ if (start >= end
++ || (end - start) >
++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+ kfree(table);
+ return ERR_PTR(-EINVAL);
+ }
+ }
+
+ start = le64_to_cpu(table[indexes - 1]);
+- if (start >= lookup_table_start || (lookup_table_start - start) > SQUASHFS_METADATA_SIZE) {
++ if (start >= lookup_table_start ||
++ (lookup_table_start - start) >
++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+ kfree(table);
+ return ERR_PTR(-EINVAL);
+ }
+--- a/fs/squashfs/squashfs_fs.h
++++ b/fs/squashfs/squashfs_fs.h
+@@ -17,6 +17,7 @@
+
+ /* size of metadata (inode and directory) blocks */
+ #define SQUASHFS_METADATA_SIZE 8192
++#define SQUASHFS_BLOCK_OFFSET 2
+
+ /* default size of block device I/O */
+ #ifdef CONFIG_SQUASHFS_4K_DEVBLK_SIZE
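Review bot: `#define SQUASHFS_BLOCK_OFFSET 2` lands in squashfs_fs.h under the comment that describes the metadata block size and gets no comment of its own, so the header never says what the two bytes are. The follow-up patch's message describes it as the two-byte length count; a line like `/* two-byte length count stored with each metadata block */` above the define would record that. The sum `SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET` is also spelled out in both checks of `squashfs_read_inode_lookup_table` and again in the four checks that patch changes in id.c and xattr_id.c; these checks appear to bound offsets taken from the image's index tables, so defining the limit once in squashfs_fs.h would stop the copies drifting apart. The function body continues outside the export.c hunk.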
diff --git a/queue-5.4/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch b/queue-5.4/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch
new file mode 100644
index 00000000000..85ce8b9e63a
--- /dev/null
+++ b/queue-5.4/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch
@@ -0,0 +1,67 @@
+From 8b44ca2b634527151af07447a8090a5f3a043321 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher
+Date: Wed, 24 Mar 2021 21:37:35 -0700
+Subject: squashfs: fix xattr id and id lookup sanity checks
+
+From: Phillip Lougher
+
+commit 8b44ca2b634527151af07447a8090a5f3a043321 upstream.
+
+The checks for maximum metadata block size is missing
+SQUASHFS_BLOCK_OFFSET (the two byte length count).
+
+Link: https://lkml.kernel.org/r/2069685113.2081245.1614583677427@webmail.123-reg.co.uk
+Fixes: f37aa4c7366e23f ("squashfs: add more sanity checks in id lookup")
+Signed-off-by: Phillip Lougher
+Cc: Sean Nyekjaer
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/squashfs/id.c | 6 ++++--
+ fs/squashfs/xattr_id.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/squashfs/id.c
++++ b/fs/squashfs/id.c
+@@ -97,14 +97,16 @@ __le64 *squashfs_read_id_index_table(str
+ start = le64_to_cpu(table[n]);
+ end = le64_to_cpu(table[n + 1]);
+
+- if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
++ if (start >= end || (end - start) >
++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+ kfree(table);
+ return ERR_PTR(-EINVAL);
+ }
+ }
+
+ start = le64_to_cpu(table[indexes - 1]);
+- if (start >= id_table_start || (id_table_start - start) > SQUASHFS_METADATA_SIZE) {
++ if (start >= id_table_start || (id_table_start - start) >
++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+ kfree(table);
+ return ERR_PTR(-EINVAL);
+ }
+--- a/fs/squashfs/xattr_id.c
++++ b/fs/squashfs/xattr_id.c
+@@ -109,14 +109,16 @@ __le64 *squashfs_read_xattr_id_table(str
+ start = le64_to_cpu(table[n]);
+ end = le64_to_cpu(table[n + 1]);
+
+- if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
++ if (start >= end || (end - start) >
++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+ kfree(table);
+ return ERR_PTR(-EINVAL);
+ }
+ }
+
+ start = le64_to_cpu(table[indexes - 1]);
+- if (start >= table_start || (table_start - start) > SQUASHFS_METADATA_SIZE) {
++ if (start >= table_start || (table_start - start) >
++ (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+ kfree(table);
+ return ERR_PTR(-EINVAL);
+ }