From: Greg Kroah-Hartman Date: Mon, 9 Mar 2020 19:22:07 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.216~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8d1e3d23567eb95557e3fe0bf8ddb2dce85c4af8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-hda-realtek-add-headset-button-supported-for-thinkpad-x1.patch alsa-hda-realtek-add-headset-mic-supported.patch alsa-hda-realtek-enable-the-headset-of-asus-b9450fa-with-alc294.patch alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-master.patch arm-dts-dra76x-fix-mmc3-max-frequency.patch cifs-don-t-leak-eagain-for-stat-during-reconnect.patch fat-fix-uninit-memory-access-for-partial-initialized-inode.patch mm-fix-possible-pmd-dirty-bit-lost-in-set_pmd_migration_entry.patch mm-numa-fix-bad-pmd-by-atomically-check-for-pmd_trans_huge-when-marking-page-tables-prot_numa.patch serial-8250_exar-add-support-for-acces-cards.patch tty-serial-mvebu-uart-fix-a-wrong-return.patch usb-core-hub-do-error-out-if-usb_autopm_get_interface-fails.patch usb-core-hub-fix-unhandled-return-by-employing-a-void-function.patch usb-core-port-do-error-out-if-usb_autopm_get_interface-fails.patch usb-dwc3-gadget-update-chain-bit-correctly-when-using-sg-list.patch usb-quirks-add-no_lpm-quirk-for-logitech-screen-share.patch usb-storage-add-quirk-for-samsung-fit-flash.patch vgacon-fix-a-uaf-in-vgacon_invert_region.patch vt-selection-close-sel_buffer-race.patch vt-selection-push-console-lock-down.patch --- diff --git a/queue-4.19/alsa-hda-realtek-add-headset-button-supported-for-thinkpad-x1.patch b/queue-4.19/alsa-hda-realtek-add-headset-button-supported-for-thinkpad-x1.patch new file mode 100644 index 00000000000..99c01e8ac6b --- /dev/null +++ b/queue-4.19/alsa-hda-realtek-add-headset-button-supported-for-thinkpad-x1.patch @@ -0,0 +1,58 @@ +From 76f7dec08fd64e9e3ad0810a1a8a60b0a846d348 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Mon, 10 Feb 2020 16:30:26 +0800 +Subject: ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 + +From: Kailang Yang + +commit 76f7dec08fd64e9e3ad0810a1a8a60b0a846d348 upstream. + +ThinkPad want to support Headset Button control. +This patch will enable it. + +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/7f0b7128f40f41f6b5582ff610adc33d@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5725,7 +5725,7 @@ enum { + ALC289_FIXUP_DUAL_SPK, + ALC294_FIXUP_SPK2_TO_DAC1, + ALC294_FIXUP_ASUS_DUAL_SPK, +- ++ ALC285_FIXUP_THINKPAD_HEADSET_JACK, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -6813,7 +6813,12 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC294_FIXUP_SPK2_TO_DAC1 + }, +- ++ [ALC285_FIXUP_THINKPAD_HEADSET_JACK] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_headset_jack, ++ .chained = true, ++ .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1 ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -7049,8 +7054,8 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x225d, "Thinkpad T480", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), +- SND_PCI_QUIRK(0x17aa, 0x2292, "Thinkpad X1 Yoga 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1), +- SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1), ++ SND_PCI_QUIRK(0x17aa, 0x2292, "Thinkpad X1 Yoga 7th", ALC285_FIXUP_THINKPAD_HEADSET_JACK), ++ SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_THINKPAD_HEADSET_JACK), + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), diff --git a/queue-4.19/alsa-hda-realtek-add-headset-mic-supported.patch b/queue-4.19/alsa-hda-realtek-add-headset-mic-supported.patch new file mode 100644 index 00000000000..080f76642b0 --- /dev/null +++ b/queue-4.19/alsa-hda-realtek-add-headset-mic-supported.patch @@ -0,0 +1,34 @@ +From 78def224f59c05d00e815be946ec229719ccf377 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Thu, 20 Feb 2020 15:21:54 +0800 +Subject: ALSA: hda/realtek - Add Headset Mic supported + +From: Kailang Yang + +commit 78def224f59c05d00e815be946ec229719ccf377 upstream. + +Dell desktop platform supported headset Mic. +Add pin verb to enable headset Mic. +This platform only support fixed type headset for Iphone type. + +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/b9da28d772ef43088791b0f3675929e7@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6888,6 +6888,8 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB), + SND_PCI_QUIRK(0x1028, 0x097e, "Dell Precision", ALC289_FIXUP_DUAL_SPK), + SND_PCI_QUIRK(0x1028, 0x097d, "Dell Precision", ALC289_FIXUP_DUAL_SPK), ++ SND_PCI_QUIRK(0x1028, 0x098d, "Dell Precision", ALC233_FIXUP_ASUS_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1028, 0x09bf, "Dell Precision", ALC233_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2), diff --git a/queue-4.19/alsa-hda-realtek-enable-the-headset-of-asus-b9450fa-with-alc294.patch b/queue-4.19/alsa-hda-realtek-enable-the-headset-of-asus-b9450fa-with-alc294.patch new file mode 100644 index 00000000000..8cdced7f97e --- /dev/null +++ b/queue-4.19/alsa-hda-realtek-enable-the-headset-of-asus-b9450fa-with-alc294.patch @@ -0,0 +1,59 @@ +From 8b33a134a9cc2a501f8fc731d91caef39237d495 Mon Sep 17 00:00:00 2001 +From: Jian-Hong Pan +Date: Tue, 25 Feb 2020 15:29:21 +0800 +Subject: ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 + +From: Jian-Hong Pan + +commit 8b33a134a9cc2a501f8fc731d91caef39237d495 upstream. + +A headset on the laptop like ASUS B9450FA does not work, until quirk +ALC294_FIXUP_ASUS_HPE is applied. + +Signed-off-by: Jian-Hong Pan +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/20200225072920.109199-1-jian-hong@endlessm.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5727,6 +5727,7 @@ enum { + ALC294_FIXUP_SPK2_TO_DAC1, + ALC294_FIXUP_ASUS_DUAL_SPK, + ALC285_FIXUP_THINKPAD_HEADSET_JACK, ++ ALC294_FIXUP_ASUS_HPE, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -6820,6 +6821,17 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1 + }, ++ [ALC294_FIXUP_ASUS_HPE] = { ++ .type = HDA_FIXUP_VERBS, ++ .v.verbs = (const struct hda_verb[]) { ++ /* Set EAPD high */ ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x0f }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x7774 }, ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC294_FIXUP_ASUS_HEADSET_MIC ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -6985,6 +6997,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK), + SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1043, 0x19ce, "ASUS B9450FA", ALC294_FIXUP_ASUS_HPE), + SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW), + SND_PCI_QUIRK(0x1043, 0x1a30, "ASUS X705UD", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC), diff --git a/queue-4.19/alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-master.patch b/queue-4.19/alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-master.patch new file mode 100644 index 00000000000..f746fc77451 --- /dev/null +++ b/queue-4.19/alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-master.patch @@ -0,0 +1,34 @@ +From 0d45e86d2267d5bdf7bbb631499788da1c27ceb2 Mon Sep 17 00:00:00 2001 +From: Christian Lachner +Date: Sun, 23 Feb 2020 10:24:16 +0100 +Subject: ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master + +From: Christian Lachner + +commit 0d45e86d2267d5bdf7bbb631499788da1c27ceb2 upstream. + +The Gigabyte X570 Aorus Master motherboard with ALC1220 codec +requires a similar workaround for Clevo laptops to enforce the +DAC/mixer connection path. Set up a quirk entry for that. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205275 +Signed-off-by: Christian Lachner +Cc: +Link: https://lore.kernel.org/r/20200223092416.15016-2-gladiac@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2442,6 +2442,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1071, 0x8258, "Evesham Voyaeger", ALC882_FIXUP_EAPD), + SND_PCI_QUIRK(0x1458, 0xa002, "Gigabyte EP45-DS3/Z87X-UD3H", ALC889_FIXUP_FRONT_HP_NO_PRESENCE), + SND_PCI_QUIRK(0x1458, 0xa0b8, "Gigabyte AZ370-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS), ++ SND_PCI_QUIRK(0x1458, 0xa0cd, "Gigabyte X570 Aorus Master", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1228, "MSI-GP63", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1276, "MSI-GL73", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1293, "MSI-GP65", ALC1220_FIXUP_CLEVO_P950), diff --git a/queue-4.19/arm-dts-dra76x-fix-mmc3-max-frequency.patch b/queue-4.19/arm-dts-dra76x-fix-mmc3-max-frequency.patch new file mode 100644 index 00000000000..88b41b84119 --- /dev/null +++ b/queue-4.19/arm-dts-dra76x-fix-mmc3-max-frequency.patch @@ -0,0 +1,34 @@ +From fa63c0039787b8fbacf4d6a51e3ff44288f5b90b Mon Sep 17 00:00:00 2001 +From: Faiz Abbas +Date: Tue, 28 Jan 2020 19:17:59 +0530 +Subject: arm: dts: dra76x: Fix mmc3 max-frequency + +From: Faiz Abbas + +commit fa63c0039787b8fbacf4d6a51e3ff44288f5b90b upstream. + +dra76x is not affected by i887 which requires mmc3 node to be limited to +a max frequency of 64 MHz. Fix this by overwriting the correct value in +the the dra76 specific dtsi. + +Fixes: 895bd4b3e5ec ("ARM: dts: Add support for dra76-evm") +Cc: stable@vger.kernel.org +Signed-off-by: Faiz Abbas +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/dra76x.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/arm/boot/dts/dra76x.dtsi ++++ b/arch/arm/boot/dts/dra76x.dtsi +@@ -81,3 +81,8 @@ + reg = <0x3fc>; + }; + }; ++ ++&mmc3 { ++ /* dra76x is not affected by i887 */ ++ max-frequency = <96000000>; ++}; diff --git a/queue-4.19/cifs-don-t-leak-eagain-for-stat-during-reconnect.patch b/queue-4.19/cifs-don-t-leak-eagain-for-stat-during-reconnect.patch new file mode 100644 index 00000000000..604e860fdb0 --- /dev/null +++ b/queue-4.19/cifs-don-t-leak-eagain-for-stat-during-reconnect.patch @@ -0,0 +1,61 @@ +From fc513fac56e1b626ae48a74d7551d9c35c50129e Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Wed, 19 Feb 2020 06:01:03 +1000 +Subject: cifs: don't leak -EAGAIN for stat() during reconnect + +From: Ronnie Sahlberg + +commit fc513fac56e1b626ae48a74d7551d9c35c50129e upstream. + +If from cifs_revalidate_dentry_attr() the SMB2/QUERY_INFO call fails with an +error, such as STATUS_SESSION_EXPIRED, causing the session to be reconnected +it is possible we will leak -EAGAIN back to the application even for +system calls such as stat() where this is not a valid error. + +Fix this by re-trying the operation from within cifs_revalidate_dentry_attr() +if cifs_get_inode_info*() returns -EAGAIN. + +This fixes stat() and possibly also other system calls that uses +cifs_revalidate_dentry*(). + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Reviewed-by: Pavel Shilovsky +Reviewed-by: Aurelien Aptel +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/inode.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -2003,6 +2003,7 @@ int cifs_revalidate_dentry_attr(struct d + struct inode *inode = d_inode(dentry); + struct super_block *sb = dentry->d_sb; + char *full_path = NULL; ++ int count = 0; + + if (inode == NULL) + return -ENOENT; +@@ -2024,15 +2025,18 @@ int cifs_revalidate_dentry_attr(struct d + full_path, inode, inode->i_count.counter, + dentry, cifs_get_time(dentry), jiffies); + ++again: + if (cifs_sb_master_tcon(CIFS_SB(sb))->unix_ext) + rc = cifs_get_inode_info_unix(&inode, full_path, sb, xid); + else + rc = cifs_get_inode_info(&inode, full_path, NULL, sb, + xid, NULL); +- ++ if (rc == -EAGAIN && count++ < 10) ++ goto again; + out: + kfree(full_path); + free_xid(xid); ++ + return rc; + } + diff --git a/queue-4.19/fat-fix-uninit-memory-access-for-partial-initialized-inode.patch b/queue-4.19/fat-fix-uninit-memory-access-for-partial-initialized-inode.patch new file mode 100644 index 00000000000..f285fd91e7f --- /dev/null +++ b/queue-4.19/fat-fix-uninit-memory-access-for-partial-initialized-inode.patch @@ -0,0 +1,74 @@ +From bc87302a093f0eab45cd4e250c2021299f712ec6 Mon Sep 17 00:00:00 2001 +From: OGAWA Hirofumi +Date: Thu, 5 Mar 2020 22:28:36 -0800 +Subject: fat: fix uninit-memory access for partial initialized inode + +From: OGAWA Hirofumi + +commit bc87302a093f0eab45cd4e250c2021299f712ec6 upstream. + +When get an error in the middle of reading an inode, some fields in the +inode might be still not initialized. And then the evict_inode path may +access those fields via iput(). + +To fix, this makes sure that inode fields are initialized. + +Reported-by: syzbot+9d82b8de2992579da5d0@syzkaller.appspotmail.com +Signed-off-by: Andrew Morton +Signed-off-by: OGAWA Hirofumi +Cc: +Link: http://lkml.kernel.org/r/871rqnreqx.fsf@mail.parknet.co.jp +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fat/inode.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +--- a/fs/fat/inode.c ++++ b/fs/fat/inode.c +@@ -743,6 +743,13 @@ static struct inode *fat_alloc_inode(str + return NULL; + + init_rwsem(&ei->truncate_lock); ++ /* Zeroing to allow iput() even if partial initialized inode. */ ++ ei->mmu_private = 0; ++ ei->i_start = 0; ++ ei->i_logstart = 0; ++ ei->i_attrs = 0; ++ ei->i_pos = 0; ++ + return &ei->vfs_inode; + } + +@@ -1373,16 +1380,6 @@ out: + return 0; + } + +-static void fat_dummy_inode_init(struct inode *inode) +-{ +- /* Initialize this dummy inode to work as no-op. */ +- MSDOS_I(inode)->mmu_private = 0; +- MSDOS_I(inode)->i_start = 0; +- MSDOS_I(inode)->i_logstart = 0; +- MSDOS_I(inode)->i_attrs = 0; +- MSDOS_I(inode)->i_pos = 0; +-} +- + static int fat_read_root(struct inode *inode) + { + struct msdos_sb_info *sbi = MSDOS_SB(inode->i_sb); +@@ -1827,13 +1824,11 @@ int fat_fill_super(struct super_block *s + fat_inode = new_inode(sb); + if (!fat_inode) + goto out_fail; +- fat_dummy_inode_init(fat_inode); + sbi->fat_inode = fat_inode; + + fsinfo_inode = new_inode(sb); + if (!fsinfo_inode) + goto out_fail; +- fat_dummy_inode_init(fsinfo_inode); + fsinfo_inode->i_ino = MSDOS_FSINFO_INO; + sbi->fsinfo_inode = fsinfo_inode; + insert_inode_hash(fsinfo_inode); diff --git a/queue-4.19/mm-fix-possible-pmd-dirty-bit-lost-in-set_pmd_migration_entry.patch b/queue-4.19/mm-fix-possible-pmd-dirty-bit-lost-in-set_pmd_migration_entry.patch new file mode 100644 index 00000000000..3e9e117b5c1 --- /dev/null +++ b/queue-4.19/mm-fix-possible-pmd-dirty-bit-lost-in-set_pmd_migration_entry.patch @@ -0,0 +1,56 @@ +From 8a8683ad9ba48b4b52a57f013513d1635c1ca5c4 Mon Sep 17 00:00:00 2001 +From: Huang Ying +Date: Thu, 5 Mar 2020 22:28:29 -0800 +Subject: mm: fix possible PMD dirty bit lost in set_pmd_migration_entry() + +From: Huang Ying + +commit 8a8683ad9ba48b4b52a57f013513d1635c1ca5c4 upstream. + +In set_pmd_migration_entry(), pmdp_invalidate() is used to change PMD +atomically. But the PMD is read before that with an ordinary memory +reading. If the THP (transparent huge page) is written between the PMD +reading and pmdp_invalidate(), the PMD dirty bit may be lost, and cause +data corruption. The race window is quite small, but still possible in +theory, so need to be fixed. + +The race is fixed via using the return value of pmdp_invalidate() to get +the original content of PMD, which is a read/modify/write atomic +operation. So no THP writing can occur in between. + +The race has been introduced when the THP migration support is added in +the commit 616b8371539a ("mm: thp: enable thp migration in generic path"). +But this fix depends on the commit d52605d7cb30 ("mm: do not lose dirty +and accessed bits in pmdp_invalidate()"). So it's easy to be backported +after v4.16. But the race window is really small, so it may be fine not +to backport the fix at all. + +Signed-off-by: Andrew Morton +Signed-off-by: "Huang, Ying" +Reviewed-by: Zi Yan +Reviewed-by: William Kucharski +Acked-by: Kirill A. Shutemov +Cc: +Cc: Vlastimil Babka +Cc: Michal Hocko +Cc: Andrea Arcangeli +Link: http://lkml.kernel.org/r/20200220075220.2327056-1-ying.huang@intel.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/huge_memory.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2949,8 +2949,7 @@ void set_pmd_migration_entry(struct page + return; + + flush_cache_range(vma, address, address + HPAGE_PMD_SIZE); +- pmdval = *pvmw->pmd; +- pmdp_invalidate(vma, address, pvmw->pmd); ++ pmdval = pmdp_invalidate(vma, address, pvmw->pmd); + if (pmd_dirty(pmdval)) + set_page_dirty(page); + entry = make_migration_entry(page, pmd_write(pmdval)); diff --git a/queue-4.19/mm-numa-fix-bad-pmd-by-atomically-check-for-pmd_trans_huge-when-marking-page-tables-prot_numa.patch b/queue-4.19/mm-numa-fix-bad-pmd-by-atomically-check-for-pmd_trans_huge-when-marking-page-tables-prot_numa.patch new file mode 100644 index 00000000000..57c9fb72a89 --- /dev/null +++ b/queue-4.19/mm-numa-fix-bad-pmd-by-atomically-check-for-pmd_trans_huge-when-marking-page-tables-prot_numa.patch @@ -0,0 +1,134 @@ +From 8b272b3cbbb50a6a8e62d8a15affd473a788e184 Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Thu, 5 Mar 2020 22:28:26 -0800 +Subject: mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa + +From: Mel Gorman + +commit 8b272b3cbbb50a6a8e62d8a15affd473a788e184 upstream. + +: A user reported a bug against a distribution kernel while running a +: proprietary workload described as "memory intensive that is not swapping" +: that is expected to apply to mainline kernels. The workload is +: read/write/modifying ranges of memory and checking the contents. They +: reported that within a few hours that a bad PMD would be reported followed +: by a memory corruption where expected data was all zeros. A partial +: report of the bad PMD looked like +: +: [ 5195.338482] ../mm/pgtable-generic.c:33: bad pmd ffff8888157ba008(000002e0396009e2) +: [ 5195.341184] ------------[ cut here ]------------ +: [ 5195.356880] kernel BUG at ../mm/pgtable-generic.c:35! +: .... +: [ 5195.410033] Call Trace: +: [ 5195.410471] [] change_protection_range+0x7dd/0x930 +: [ 5195.410716] [] change_prot_numa+0x18/0x30 +: [ 5195.410918] [] task_numa_work+0x1fe/0x310 +: [ 5195.411200] [] task_work_run+0x72/0x90 +: [ 5195.411246] [] exit_to_usermode_loop+0x91/0xc2 +: [ 5195.411494] [] prepare_exit_to_usermode+0x31/0x40 +: [ 5195.411739] [] retint_user+0x8/0x10 +: +: Decoding revealed that the PMD was a valid prot_numa PMD and the bad PMD +: was a false detection. The bug does not trigger if automatic NUMA +: balancing or transparent huge pages is disabled. +: +: The bug is due a race in change_pmd_range between a pmd_trans_huge and +: pmd_nond_or_clear_bad check without any locks held. During the +: pmd_trans_huge check, a parallel protection update under lock can have +: cleared the PMD and filled it with a prot_numa entry between the transhuge +: check and the pmd_none_or_clear_bad check. +: +: While this could be fixed with heavy locking, it's only necessary to make +: a copy of the PMD on the stack during change_pmd_range and avoid races. A +: new helper is created for this as the check if quite subtle and the +: existing similar helpful is not suitable. This passed 154 hours of +: testing (usually triggers between 20 minutes and 24 hours) without +: detecting bad PMDs or corruption. A basic test of an autonuma-intensive +: workload showed no significant change in behaviour. + +Although Mel withdrew the patch on the face of LKML comment +https://lkml.org/lkml/2017/4/10/922 the race window aforementioned is +still open, and we have reports of Linpack test reporting bad residuals +after the bad PMD warning is observed. In addition to that, bad +rss-counter and non-zero pgtables assertions are triggered on mm teardown +for the task hitting the bad PMD. + + host kernel: mm/pgtable-generic.c:40: bad pmd 00000000b3152f68(8000000d2d2008e7) + .... + host kernel: BUG: Bad rss-counter state mm:00000000b583043d idx:1 val:512 + host kernel: BUG: non-zero pgtables_bytes on freeing mm: 4096 + +The issue is observed on a v4.18-based distribution kernel, but the race +window is expected to be applicable to mainline kernels, as well. + +[akpm@linux-foundation.org: fix comment typo, per Rafael] +Signed-off-by: Andrew Morton +Signed-off-by: Rafael Aquini +Signed-off-by: Mel Gorman +Cc: +Cc: Zi Yan +Cc: "Kirill A. Shutemov" +Cc: Vlastimil Babka +Cc: Michal Hocko +Link: http://lkml.kernel.org/r/20200216191800.22423-1-aquini@redhat.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/mprotect.c | 38 ++++++++++++++++++++++++++++++++++++-- + 1 file changed, 36 insertions(+), 2 deletions(-) + +--- a/mm/mprotect.c ++++ b/mm/mprotect.c +@@ -162,6 +162,31 @@ static unsigned long change_pte_range(st + return pages; + } + ++/* ++ * Used when setting automatic NUMA hinting protection where it is ++ * critical that a numa hinting PMD is not confused with a bad PMD. ++ */ ++static inline int pmd_none_or_clear_bad_unless_trans_huge(pmd_t *pmd) ++{ ++ pmd_t pmdval = pmd_read_atomic(pmd); ++ ++ /* See pmd_none_or_trans_huge_or_clear_bad for info on barrier */ ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE ++ barrier(); ++#endif ++ ++ if (pmd_none(pmdval)) ++ return 1; ++ if (pmd_trans_huge(pmdval)) ++ return 0; ++ if (unlikely(pmd_bad(pmdval))) { ++ pmd_clear_bad(pmd); ++ return 1; ++ } ++ ++ return 0; ++} ++ + static inline unsigned long change_pmd_range(struct vm_area_struct *vma, + pud_t *pud, unsigned long addr, unsigned long end, + pgprot_t newprot, int dirty_accountable, int prot_numa) +@@ -178,8 +203,17 @@ static inline unsigned long change_pmd_r + unsigned long this_pages; + + next = pmd_addr_end(addr, end); +- if (!is_swap_pmd(*pmd) && !pmd_trans_huge(*pmd) && !pmd_devmap(*pmd) +- && pmd_none_or_clear_bad(pmd)) ++ ++ /* ++ * Automatic NUMA balancing walks the tables with mmap_sem ++ * held for read. It's possible a parallel update to occur ++ * between pmd_trans_huge() and a pmd_none_or_clear_bad() ++ * check leading to a false positive and clearing. ++ * Hence, it's necessary to atomically read the PMD value ++ * for all the checks. ++ */ ++ if (!is_swap_pmd(*pmd) && !pmd_devmap(*pmd) && ++ pmd_none_or_clear_bad_unless_trans_huge(pmd)) + goto next; + + /* invoke the mmu notifier if the pmd is populated */ diff --git a/queue-4.19/serial-8250_exar-add-support-for-acces-cards.patch b/queue-4.19/serial-8250_exar-add-support-for-acces-cards.patch new file mode 100644 index 00000000000..8e14cfdb6b3 --- /dev/null +++ b/queue-4.19/serial-8250_exar-add-support-for-acces-cards.patch @@ -0,0 +1,76 @@ +From 10c5ccc3c6d32f3d7d6c07de1d3f0f4b52f3e3ab Mon Sep 17 00:00:00 2001 +From: Jay Dolan +Date: Thu, 5 Mar 2020 06:05:04 -0800 +Subject: serial: 8250_exar: add support for ACCES cards + +From: Jay Dolan + +commit 10c5ccc3c6d32f3d7d6c07de1d3f0f4b52f3e3ab upstream. + +Add ACCES VIDs and PIDs that use the Exar chips + +Signed-off-by: Jay Dolan +Cc: stable +Link: https://lore.kernel.org/r/20200305140504.22237-1-jay.dolan@accesio.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_exar.c | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +--- a/drivers/tty/serial/8250/8250_exar.c ++++ b/drivers/tty/serial/8250/8250_exar.c +@@ -24,6 +24,14 @@ + + #include "8250.h" + ++#define PCI_DEVICE_ID_ACCES_COM_2S 0x1052 ++#define PCI_DEVICE_ID_ACCES_COM_4S 0x105d ++#define PCI_DEVICE_ID_ACCES_COM_8S 0x106c ++#define PCI_DEVICE_ID_ACCES_COM232_8 0x10a8 ++#define PCI_DEVICE_ID_ACCES_COM_2SM 0x10d2 ++#define PCI_DEVICE_ID_ACCES_COM_4SM 0x10db ++#define PCI_DEVICE_ID_ACCES_COM_8SM 0x10ea ++ + #define PCI_DEVICE_ID_COMMTECH_4224PCI335 0x0002 + #define PCI_DEVICE_ID_COMMTECH_4222PCI335 0x0004 + #define PCI_DEVICE_ID_COMMTECH_2324PCI335 0x000a +@@ -571,6 +579,22 @@ static int __maybe_unused exar_resume(st + + static SIMPLE_DEV_PM_OPS(exar_pci_pm, exar_suspend, exar_resume); + ++static const struct exar8250_board acces_com_2x = { ++ .num_ports = 2, ++ .setup = pci_xr17c154_setup, ++}; ++ ++static const struct exar8250_board acces_com_4x = { ++ .num_ports = 4, ++ .setup = pci_xr17c154_setup, ++}; ++ ++static const struct exar8250_board acces_com_8x = { ++ .num_ports = 8, ++ .setup = pci_xr17c154_setup, ++}; ++ ++ + static const struct exar8250_board pbn_fastcom335_2 = { + .num_ports = 2, + .setup = pci_fastcom335_setup, +@@ -639,6 +663,15 @@ static const struct exar8250_board pbn_e + } + + static const struct pci_device_id exar_pci_tbl[] = { ++ EXAR_DEVICE(ACCESSIO, ACCES_COM_2S, acces_com_2x), ++ EXAR_DEVICE(ACCESSIO, ACCES_COM_4S, acces_com_4x), ++ EXAR_DEVICE(ACCESSIO, ACCES_COM_8S, acces_com_8x), ++ EXAR_DEVICE(ACCESSIO, ACCES_COM232_8, acces_com_8x), ++ EXAR_DEVICE(ACCESSIO, ACCES_COM_2SM, acces_com_2x), ++ EXAR_DEVICE(ACCESSIO, ACCES_COM_4SM, acces_com_4x), ++ EXAR_DEVICE(ACCESSIO, ACCES_COM_8SM, acces_com_8x), ++ ++ + CONNECT_DEVICE(XR17C152, UART_2_232, pbn_connect), + CONNECT_DEVICE(XR17C154, UART_4_232, pbn_connect), + CONNECT_DEVICE(XR17C158, UART_8_232, pbn_connect), diff --git a/queue-4.19/series b/queue-4.19/series index bbcf6d8bb74..ea6765c5dc8 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -29,3 +29,23 @@ nvme-fix-uninitialized-variable-warning.patch ice-don-t-tell-the-os-that-link-is-going-down.patch x86-xen-distribute-switch-variables-for-initializati.patch net-thunderx-workaround-bgx-tx-underflow-issue.patch +alsa-hda-realtek-add-headset-mic-supported.patch +alsa-hda-realtek-add-headset-button-supported-for-thinkpad-x1.patch +alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-master.patch +alsa-hda-realtek-enable-the-headset-of-asus-b9450fa-with-alc294.patch +cifs-don-t-leak-eagain-for-stat-during-reconnect.patch +usb-storage-add-quirk-for-samsung-fit-flash.patch +usb-quirks-add-no_lpm-quirk-for-logitech-screen-share.patch +usb-dwc3-gadget-update-chain-bit-correctly-when-using-sg-list.patch +usb-core-hub-fix-unhandled-return-by-employing-a-void-function.patch +usb-core-hub-do-error-out-if-usb_autopm_get_interface-fails.patch +usb-core-port-do-error-out-if-usb_autopm_get_interface-fails.patch +vgacon-fix-a-uaf-in-vgacon_invert_region.patch +mm-numa-fix-bad-pmd-by-atomically-check-for-pmd_trans_huge-when-marking-page-tables-prot_numa.patch +mm-fix-possible-pmd-dirty-bit-lost-in-set_pmd_migration_entry.patch +fat-fix-uninit-memory-access-for-partial-initialized-inode.patch +arm-dts-dra76x-fix-mmc3-max-frequency.patch +tty-serial-mvebu-uart-fix-a-wrong-return.patch +serial-8250_exar-add-support-for-acces-cards.patch +vt-selection-close-sel_buffer-race.patch +vt-selection-push-console-lock-down.patch diff --git a/queue-4.19/tty-serial-mvebu-uart-fix-a-wrong-return.patch b/queue-4.19/tty-serial-mvebu-uart-fix-a-wrong-return.patch new file mode 100644 index 00000000000..5d559292241 --- /dev/null +++ b/queue-4.19/tty-serial-mvebu-uart-fix-a-wrong-return.patch @@ -0,0 +1,34 @@ +From 4a3e208474204e879d22a310b244cb2f39e5b1f8 Mon Sep 17 00:00:00 2001 +From: tangbin +Date: Thu, 5 Mar 2020 09:38:23 +0800 +Subject: tty:serial:mvebu-uart:fix a wrong return + +From: tangbin + +commit 4a3e208474204e879d22a310b244cb2f39e5b1f8 upstream. + +in this place, the function should return a +negative value and the PTR_ERR already returns +a negative,so return -PTR_ERR() is wrong. + +Signed-off-by: tangbin +Cc: stable +Acked-by: Jiri Slaby +Link: https://lore.kernel.org/r/20200305013823.20976-1-tangbin@cmss.chinamobile.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/mvebu-uart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/mvebu-uart.c ++++ b/drivers/tty/serial/mvebu-uart.c +@@ -840,7 +840,7 @@ static int mvebu_uart_probe(struct platf + + port->membase = devm_ioremap_resource(&pdev->dev, reg); + if (IS_ERR(port->membase)) +- return -PTR_ERR(port->membase); ++ return PTR_ERR(port->membase); + + mvuart = devm_kzalloc(&pdev->dev, sizeof(struct mvebu_uart), + GFP_KERNEL); diff --git a/queue-4.19/usb-core-hub-do-error-out-if-usb_autopm_get_interface-fails.patch b/queue-4.19/usb-core-hub-do-error-out-if-usb_autopm_get_interface-fails.patch new file mode 100644 index 00000000000..6b5338fa7b0 --- /dev/null +++ b/queue-4.19/usb-core-hub-do-error-out-if-usb_autopm_get_interface-fails.patch @@ -0,0 +1,57 @@ +From 60e3f6e4ac5b0fda43dad01c32e09409ec710045 Mon Sep 17 00:00:00 2001 +From: Eugeniu Rosca +Date: Wed, 26 Feb 2020 18:50:35 +0100 +Subject: usb: core: hub: do error out if usb_autopm_get_interface() fails + +From: Eugeniu Rosca + +commit 60e3f6e4ac5b0fda43dad01c32e09409ec710045 upstream. + +Reviewing a fresh portion of coverity defects in USB core +(specifically CID 1458999), Alan Stern noted below in [1]: + +On Tue, Feb 25, 2020 at 02:39:23PM -0500, Alan Stern wrote: + > A revised search finds line 997 in drivers/usb/core/hub.c and lines + > 216, 269 in drivers/usb/core/port.c. (I didn't try looking in any + > other directories.) AFAICT all three of these should check the + > return value, although a error message in the kernel log probably + > isn't needed. + +Factor out the usb_remove_device() change into a standalone patch to +allow conflict-free integration on top of the earliest stable branches. + +[1] https://lore.kernel.org/lkml/Pine.LNX.4.44L0.2002251419120.1485-100000@iolanthe.rowland.org + +Fixes: 253e05724f9230 ("USB: add a "remove hardware" sysfs attribute") +Cc: stable@vger.kernel.org # v2.6.33+ +Suggested-by: Alan Stern +Signed-off-by: Eugeniu Rosca +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20200226175036.14946-2-erosca@de.adit-jv.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -961,13 +961,17 @@ int usb_remove_device(struct usb_device + { + struct usb_hub *hub; + struct usb_interface *intf; ++ int ret; + + if (!udev->parent) /* Can't remove a root hub */ + return -EINVAL; + hub = usb_hub_to_struct_hub(udev->parent); + intf = to_usb_interface(hub->intfdev); + +- usb_autopm_get_interface(intf); ++ ret = usb_autopm_get_interface(intf); ++ if (ret < 0) ++ return ret; ++ + set_bit(udev->portnum, hub->removed_bits); + hub_port_logical_disconnect(hub, udev->portnum); + usb_autopm_put_interface(intf); diff --git a/queue-4.19/usb-core-hub-fix-unhandled-return-by-employing-a-void-function.patch b/queue-4.19/usb-core-hub-fix-unhandled-return-by-employing-a-void-function.patch new file mode 100644 index 00000000000..07d47645099 --- /dev/null +++ b/queue-4.19/usb-core-hub-fix-unhandled-return-by-employing-a-void-function.patch @@ -0,0 +1,26 @@ +From 63d6d7ed475c53dc1cabdfedf63de1fd8dcd72ee Mon Sep 17 00:00:00 2001 +From: Eugeniu Rosca +Date: Wed, 26 Feb 2020 18:50:34 +0100 +Subject: usb: core: hub: fix unhandled return by employing a void function + +From: Eugeniu Rosca + +commit 63d6d7ed475c53dc1cabdfedf63de1fd8dcd72ee upstream. + +Address below Coverity complaint (Feb 25, 2020, 8:06 AM CET): + +--- + drivers/usb/core/hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1833,7 +1833,7 @@ static int hub_probe(struct usb_interfac + + if (id->driver_info & HUB_QUIRK_DISABLE_AUTOSUSPEND) { + hub->quirk_disable_autosuspend = 1; +- usb_autopm_get_interface(intf); ++ usb_autopm_get_interface_no_resume(intf); + } + + if (hub_configure(hub, &desc->endpoint[0].desc) >= 0) diff --git a/queue-4.19/usb-core-port-do-error-out-if-usb_autopm_get_interface-fails.patch b/queue-4.19/usb-core-port-do-error-out-if-usb_autopm_get_interface-fails.patch new file mode 100644 index 00000000000..fa4f41944b7 --- /dev/null +++ b/queue-4.19/usb-core-port-do-error-out-if-usb_autopm_get_interface-fails.patch @@ -0,0 +1,62 @@ +From 1f8b39bc99a31759e97a0428a5c3f64802c1e61d Mon Sep 17 00:00:00 2001 +From: Eugeniu Rosca +Date: Wed, 26 Feb 2020 18:50:36 +0100 +Subject: usb: core: port: do error out if usb_autopm_get_interface() fails + +From: Eugeniu Rosca + +commit 1f8b39bc99a31759e97a0428a5c3f64802c1e61d upstream. + +Reviewing a fresh portion of coverity defects in USB core +(specifically CID 1458999), Alan Stern noted below in [1]: + +On Tue, Feb 25, 2020 at 02:39:23PM -0500, Alan Stern wrote: + > A revised search finds line 997 in drivers/usb/core/hub.c and lines + > 216, 269 in drivers/usb/core/port.c. (I didn't try looking in any + > other directories.) AFAICT all three of these should check the + > return value, although a error message in the kernel log probably + > isn't needed. + +Factor out the usb_port_runtime_{resume,suspend}() changes into a +standalone patch to allow conflict-free porting on top of stable v3.9+. + +[1] https://lore.kernel.org/lkml/Pine.LNX.4.44L0.2002251419120.1485-100000@iolanthe.rowland.org + +Fixes: 971fcd492cebf5 ("usb: add runtime pm support for usb port device") +Cc: stable@vger.kernel.org # v3.9+ +Suggested-by: Alan Stern +Signed-off-by: Eugeniu Rosca +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20200226175036.14946-3-erosca@de.adit-jv.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/port.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/port.c ++++ b/drivers/usb/core/port.c +@@ -203,7 +203,10 @@ static int usb_port_runtime_resume(struc + if (!port_dev->is_superspeed && peer) + pm_runtime_get_sync(&peer->dev); + +- usb_autopm_get_interface(intf); ++ retval = usb_autopm_get_interface(intf); ++ if (retval < 0) ++ return retval; ++ + retval = usb_hub_set_port_power(hdev, hub, port1, true); + msleep(hub_power_on_good_delay(hub)); + if (udev && !retval) { +@@ -256,7 +259,10 @@ static int usb_port_runtime_suspend(stru + if (usb_port_block_power_off) + return -EBUSY; + +- usb_autopm_get_interface(intf); ++ retval = usb_autopm_get_interface(intf); ++ if (retval < 0) ++ return retval; ++ + retval = usb_hub_set_port_power(hdev, hub, port1, false); + usb_clear_port_feature(hdev, port1, USB_PORT_FEAT_C_CONNECTION); + if (!port_dev->is_superspeed) diff --git a/queue-4.19/usb-dwc3-gadget-update-chain-bit-correctly-when-using-sg-list.patch b/queue-4.19/usb-dwc3-gadget-update-chain-bit-correctly-when-using-sg-list.patch new file mode 100644 index 00000000000..148817cf612 --- /dev/null +++ b/queue-4.19/usb-dwc3-gadget-update-chain-bit-correctly-when-using-sg-list.patch @@ -0,0 +1,66 @@ +From dad2aff3e827b112f27fa5e6f2bf87a110067c3f Mon Sep 17 00:00:00 2001 +From: Pratham Pratap +Date: Mon, 2 Mar 2020 21:44:43 +0000 +Subject: usb: dwc3: gadget: Update chain bit correctly when using sg list + +From: Pratham Pratap + +commit dad2aff3e827b112f27fa5e6f2bf87a110067c3f upstream. + +If scatter-gather operation is allowed, a large USB request is split +into multiple TRBs. For preparing TRBs for sg list, driver iterates +over the list and creates TRB for each sg and mark the chain bit to +false for the last sg. The current IOMMU driver is clubbing the list +of sgs which shares a page boundary into one and giving it to USB driver. +With this the number of sgs mapped it not equal to the the number of sgs +passed. Because of this USB driver is not marking the chain bit to false +since it couldn't iterate to the last sg. This patch addresses this issue +by marking the chain bit to false if it is the last mapped sg. + +At a practical level, this patch resolves USB transfer stalls +seen with adb on dwc3 based db845c, pixel3 and other qcom +hardware after functionfs gadget added scatter-gather support +around v4.20. + +Credit also to Anurag Kumar Vulisha +who implemented a very similar fix to this issue. + +Cc: Felipe Balbi +Cc: Yang Fei +Cc: Thinh Nguyen +Cc: Tejas Joglekar +Cc: Andrzej Pietrasiewicz +Cc: Jack Pham +Cc: Todd Kjos +Cc: Greg KH +Cc: Linux USB List +Cc: stable #4.20+ +Signed-off-by: Pratham Pratap +[jstultz: Slight tweak to remove sg_is_last() usage, reworked + commit message, minor comment tweak] +Signed-off-by: John Stultz +Link: https://lore.kernel.org/r/20200302214443.55783-1-john.stultz@linaro.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1067,7 +1067,14 @@ static void dwc3_prepare_one_trb_sg(stru + unsigned int rem = length % maxp; + unsigned chain = true; + +- if (sg_is_last(s)) ++ /* ++ * IOMMU driver is coalescing the list of sgs which shares a ++ * page boundary into one and giving it to USB driver. With ++ * this the number of sgs mapped is not equal to the number of ++ * sgs passed. So mark the chain bit to false if it isthe last ++ * mapped sg. ++ */ ++ if (i == remaining - 1) + chain = false; + + if (rem && usb_endpoint_dir_out(dep->endpoint.desc) && !chain) { diff --git a/queue-4.19/usb-quirks-add-no_lpm-quirk-for-logitech-screen-share.patch b/queue-4.19/usb-quirks-add-no_lpm-quirk-for-logitech-screen-share.patch new file mode 100644 index 00000000000..59ebbc9210a --- /dev/null +++ b/queue-4.19/usb-quirks-add-no_lpm-quirk-for-logitech-screen-share.patch @@ -0,0 +1,34 @@ +From b96ed52d781a2026d0c0daa5787c6f3d45415862 Mon Sep 17 00:00:00 2001 +From: Dan Lazewatsky +Date: Wed, 26 Feb 2020 14:34:38 +0000 +Subject: usb: quirks: add NO_LPM quirk for Logitech Screen Share + +From: Dan Lazewatsky + +commit b96ed52d781a2026d0c0daa5787c6f3d45415862 upstream. + +LPM on the device appears to cause xHCI host controllers to claim +that there isn't enough bandwidth to support additional devices. + +Signed-off-by: Dan Lazewatsky +Cc: stable +Signed-off-by: Gustavo Padovan +Link: https://lore.kernel.org/r/20200226143438.1445-1-gustavo.padovan@collabora.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -231,6 +231,9 @@ static const struct usb_device_id usb_qu + /* Logitech PTZ Pro Camera */ + { USB_DEVICE(0x046d, 0x0853), .driver_info = USB_QUIRK_DELAY_INIT }, + ++ /* Logitech Screen Share */ ++ { USB_DEVICE(0x046d, 0x086c), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* Logitech Quickcam Fusion */ + { USB_DEVICE(0x046d, 0x08c1), .driver_info = USB_QUIRK_RESET_RESUME }, + diff --git a/queue-4.19/usb-storage-add-quirk-for-samsung-fit-flash.patch b/queue-4.19/usb-storage-add-quirk-for-samsung-fit-flash.patch new file mode 100644 index 00000000000..b8edfac51e4 --- /dev/null +++ b/queue-4.19/usb-storage-add-quirk-for-samsung-fit-flash.patch @@ -0,0 +1,45 @@ +From 86d92f5465958752481269348d474414dccb1552 Mon Sep 17 00:00:00 2001 +From: Jim Lin +Date: Mon, 2 Mar 2020 22:21:35 +0800 +Subject: usb: storage: Add quirk for Samsung Fit flash + +From: Jim Lin + +commit 86d92f5465958752481269348d474414dccb1552 upstream. + +Current driver has 240 (USB2.0) and 2048 (USB3.0) as max_sectors, +e.g., /sys/bus/scsi/devices/0:0:0:0/max_sectors + +If data access times out, driver error handling will issue a port +reset. +Sometimes Samsung Fit (090C:1000) flash disk will not respond to +later Set Address or Get Descriptor command. + +Adding this quirk to limit max_sectors to 64 sectors to avoid issue +occurring. + +Signed-off-by: Jim Lin +Acked-by: Alan Stern +Cc: stable +Link: https://lore.kernel.org/r/1583158895-31342-1-git-send-email-jilin@nvidia.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_devs.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1258,6 +1258,12 @@ UNUSUAL_DEV( 0x090a, 0x1200, 0x0000, 0x9 + USB_SC_RBC, USB_PR_BULK, NULL, + 0 ), + ++UNUSUAL_DEV(0x090c, 0x1000, 0x1100, 0x1100, ++ "Samsung", ++ "Flash Drive FIT", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_MAX_SECTORS_64), ++ + /* aeb */ + UNUSUAL_DEV( 0x090c, 0x1132, 0x0000, 0xffff, + "Feiya", diff --git a/queue-4.19/vgacon-fix-a-uaf-in-vgacon_invert_region.patch b/queue-4.19/vgacon-fix-a-uaf-in-vgacon_invert_region.patch new file mode 100644 index 00000000000..22436cbb0ad --- /dev/null +++ b/queue-4.19/vgacon-fix-a-uaf-in-vgacon_invert_region.patch @@ -0,0 +1,130 @@ +From 513dc792d6060d5ef572e43852683097a8420f56 Mon Sep 17 00:00:00 2001 +From: Zhang Xiaoxu +Date: Wed, 4 Mar 2020 10:24:29 +0800 +Subject: vgacon: Fix a UAF in vgacon_invert_region + +From: Zhang Xiaoxu + +commit 513dc792d6060d5ef572e43852683097a8420f56 upstream. + +When syzkaller tests, there is a UAF: + BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr + ffff880000100000 + Read of size 2 by task syz-executor.1/16489 + page:ffffea0000004000 count:0 mapcount:-127 mapping: (null) + index:0x0 + page flags: 0xfffff00000000() + page dumped because: kasan: bad access detected + CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS + rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 + Call Trace: + [] dump_stack+0x1e/0x20 + [] kasan_report+0x577/0x950 + [] __asan_load2+0x62/0x80 + [] vgacon_invert_region+0x9d/0x110 + [] invert_screen+0xe5/0x470 + [] set_selection+0x44b/0x12f0 + [] tioclinux+0xee/0x490 + [] vt_ioctl+0xff4/0x2670 + [] tty_ioctl+0x46a/0x1a10 + [] do_vfs_ioctl+0x5bd/0xc40 + [] SyS_ioctl+0x132/0x170 + [] system_call_fastpath+0x22/0x27 + Memory state around the buggy address: + ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 + ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 + >ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff + ff ff ff + +It can be reproduce in the linux mainline by the program: + #include + #include + #include + #include + #include + #include + #include + #include + + struct tiocl_selection { + unsigned short xs; /* X start */ + unsigned short ys; /* Y start */ + unsigned short xe; /* X end */ + unsigned short ye; /* Y end */ + unsigned short sel_mode; /* selection mode */ + }; + + #define TIOCL_SETSEL 2 + struct tiocl { + unsigned char type; + unsigned char pad; + struct tiocl_selection sel; + }; + + int main() + { + int fd = 0; + const char *dev = "/dev/char/4:1"; + + struct vt_consize v = {0}; + struct tiocl tioc = {0}; + + fd = open(dev, O_RDWR, 0); + + v.v_rows = 3346; + ioctl(fd, VT_RESIZEX, &v); + + tioc.type = TIOCL_SETSEL; + ioctl(fd, TIOCLINUX, &tioc); + + return 0; + } + +When resize the screen, update the 'vc->vc_size_row' to the new_row_size, +but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base' +for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe +smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc +the offset, it maybe larger than the vga_vram_size in vgacon driver, then +bad access. +Also, if set an larger screenbuf firstly, then set an more larger +screenbuf, when copy old_origin to new_origin, a bad access may happen. + +So, If the screen size larger than vga_vram, resize screen should be +failed. This alse fix CVE-2020-8649 and CVE-2020-8647. + +Linus pointed out that overflow checking seems absent. We're saved by +the existing bounds checks in vc_do_resize() with rather strict +limits: + + if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW) + return -EINVAL; + +Fixes: 0aec4867dca14 ("[PATCH] SVGATextMode fix") +Reference: CVE-2020-8647 and CVE-2020-8649 +Reported-by: Hulk Robot +Signed-off-by: Zhang Xiaoxu +[danvet: augment commit message to point out overflow safety] +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/console/vgacon.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -1316,6 +1316,9 @@ static int vgacon_font_get(struct vc_dat + static int vgacon_resize(struct vc_data *c, unsigned int width, + unsigned int height, unsigned int user) + { ++ if ((width << 1) * height > vga_vram_size) ++ return -EINVAL; ++ + if (width % 2 || width > screen_info.orig_video_cols || + height > (screen_info.orig_video_lines * vga_default_font_height)/ + c->vc_font.height) diff --git a/queue-4.19/vt-selection-close-sel_buffer-race.patch b/queue-4.19/vt-selection-close-sel_buffer-race.patch new file mode 100644 index 00000000000..5871ad25c37 --- /dev/null +++ b/queue-4.19/vt-selection-close-sel_buffer-race.patch @@ -0,0 +1,155 @@ +From 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 10 Feb 2020 09:11:31 +0100 +Subject: vt: selection, close sel_buffer race + +From: Jiri Slaby + +commit 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 upstream. + +syzkaller reported this UAF: +BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741 +Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184 + +CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +Call Trace: +... + kasan_report+0xe/0x20 mm/kasan/common.c:634 + n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741 + tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461 + paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372 + tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044 + vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364 + tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657 + vfs_ioctl fs/ioctl.c:47 [inline] + +It is due to a race between parallel paste_selection (TIOCL_PASTESEL) +and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer, +while the other frees it and reallocates a new one for another +selection. Add a mutex to close this race. + +The mutex takes care properly of sel_buffer and sel_buffer_lth only. The +other selection global variables (like sel_start, sel_end, and sel_cons) +are protected only in set_selection_user. The other functions need quite +some more work to close the races of the variables there. This is going +to happen later. + +This likely fixes (I am unsure as there is no reproducer provided) bug +206361 too. It was marked as CVE-2020-8648. + +Signed-off-by: Jiri Slaby +Reported-by: syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com +References: https://bugzilla.kernel.org/show_bug.cgi?id=206361 +Cc: stable +Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/selection.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +--- a/drivers/tty/vt/selection.c ++++ b/drivers/tty/vt/selection.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -43,6 +44,7 @@ static volatile int sel_start = -1; /* + static int sel_end; + static int sel_buffer_lth; + static char *sel_buffer; ++static DEFINE_MUTEX(sel_lock); + + /* clear_selection, highlight and highlight_pointer can be called + from interrupt (via scrollback/front) */ +@@ -173,7 +175,7 @@ int set_selection(const struct tiocl_sel + char *bp, *obp; + int i, ps, pe, multiplier; + u32 c; +- int mode; ++ int mode, ret = 0; + + poke_blanked_console(); + if (copy_from_user(&v, sel, sizeof(*sel))) +@@ -200,6 +202,7 @@ int set_selection(const struct tiocl_sel + if (ps > pe) /* make sel_start <= sel_end */ + swap(ps, pe); + ++ mutex_lock(&sel_lock); + if (sel_cons != vc_cons[fg_console].d) { + clear_selection(); + sel_cons = vc_cons[fg_console].d; +@@ -245,9 +248,10 @@ int set_selection(const struct tiocl_sel + break; + case TIOCL_SELPOINTER: + highlight_pointer(pe); +- return 0; ++ goto unlock; + default: +- return -EINVAL; ++ ret = -EINVAL; ++ goto unlock; + } + + /* remove the pointer */ +@@ -269,7 +273,7 @@ int set_selection(const struct tiocl_sel + else if (new_sel_start == sel_start) + { + if (new_sel_end == sel_end) /* no action required */ +- return 0; ++ goto unlock; + else if (new_sel_end > sel_end) /* extend to right */ + highlight(sel_end + 2, new_sel_end); + else /* contract from right */ +@@ -297,7 +301,8 @@ int set_selection(const struct tiocl_sel + if (!bp) { + printk(KERN_WARNING "selection: kmalloc() failed\n"); + clear_selection(); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto unlock; + } + kfree(sel_buffer); + sel_buffer = bp; +@@ -322,7 +327,9 @@ int set_selection(const struct tiocl_sel + } + } + sel_buffer_lth = bp - sel_buffer; +- return 0; ++unlock: ++ mutex_unlock(&sel_lock); ++ return ret; + } + + /* Insert the contents of the selection buffer into the +@@ -351,6 +358,7 @@ int paste_selection(struct tty_struct *t + tty_buffer_lock_exclusive(&vc->port); + + add_wait_queue(&vc->paste_wait, &wait); ++ mutex_lock(&sel_lock); + while (sel_buffer && sel_buffer_lth > pasted) { + set_current_state(TASK_INTERRUPTIBLE); + if (signal_pending(current)) { +@@ -358,7 +366,9 @@ int paste_selection(struct tty_struct *t + break; + } + if (tty_throttled(tty)) { ++ mutex_unlock(&sel_lock); + schedule(); ++ mutex_lock(&sel_lock); + continue; + } + __set_current_state(TASK_RUNNING); +@@ -367,6 +377,7 @@ int paste_selection(struct tty_struct *t + count); + pasted += count; + } ++ mutex_unlock(&sel_lock); + remove_wait_queue(&vc->paste_wait, &wait); + __set_current_state(TASK_RUNNING); + diff --git a/queue-4.19/vt-selection-push-console-lock-down.patch b/queue-4.19/vt-selection-push-console-lock-down.patch new file mode 100644 index 00000000000..52b4344181e --- /dev/null +++ b/queue-4.19/vt-selection-push-console-lock-down.patch @@ -0,0 +1,67 @@ +From 4b70dd57a15d2f4685ac6e38056bad93e81e982f Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Fri, 28 Feb 2020 12:54:05 +0100 +Subject: vt: selection, push console lock down + +From: Jiri Slaby + +commit 4b70dd57a15d2f4685ac6e38056bad93e81e982f upstream. + +We need to nest the console lock in sel_lock, so we have to push it down +a bit. Fortunately, the callers of set_selection_* just lock the console +lock around the function call. So moving it down is easy. + +In the next patch, we switch the order. + +Signed-off-by: Jiri Slaby +Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race") +Cc: stable +Link: https://lore.kernel.org/r/20200228115406.5735-1-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/selection.c | 13 ++++++++++++- + drivers/tty/vt/vt.c | 2 -- + 2 files changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/tty/vt/selection.c ++++ b/drivers/tty/vt/selection.c +@@ -167,7 +167,7 @@ static int store_utf8(u32 c, char *p) + * The entire selection process is managed under the console_lock. It's + * a lot under the lock but its hardly a performance path + */ +-int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty) ++static int __set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty) + { + struct vc_data *vc = vc_cons[fg_console].d; + int new_sel_start, new_sel_end, spc; +@@ -332,6 +332,17 @@ unlock: + return ret; + } + ++int set_selection(const struct tiocl_selection __user *v, struct tty_struct *tty) ++{ ++ int ret; ++ ++ console_lock(); ++ ret = __set_selection(v, tty); ++ console_unlock(); ++ ++ return ret; ++} ++ + /* Insert the contents of the selection buffer into the + * queue of the tty associated with the current console. + * Invoked by ioctl(). +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -3022,9 +3022,7 @@ int tioclinux(struct tty_struct *tty, un + switch (type) + { + case TIOCL_SETSEL: +- console_lock(); + ret = set_selection((struct tiocl_selection __user *)(p+1), tty); +- console_unlock(); + break; + case TIOCL_PASTESEL: + ret = paste_selection(tty);