From: Greg Kroah-Hartman Date: Mon, 2 Mar 2020 18:40:10 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.19.108~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=92d1775607257a0511a620c7c08bdd1f417015f6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: acpi-watchdog-fix-gas-access_width-usage.patch acpica-introduce-acpi_access_byte_width-macro.patch amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch audit-always-check-the-netlink-payload-length-in-audit_receive_msg.patch audit-fix-error-handling-in-audit_data_to_entry.patch cpufreq-fix-policy-initialization-for-internal-governor-drivers.patch drm-amdgpu-drop-driver_use_agp.patch drm-radeon-inline-drm_get_pci_dev.patch ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch hid-core-increase-hid-report-buffer-size-to-8kib.patch hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch io_uring-fix-32-bit-compatability-with-sendmsg-recvmsg.patch kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch tracing-disable-trace_printk-on-post-poned-tests.patch --- diff --git a/queue-5.4/acpi-watchdog-fix-gas-access_width-usage.patch b/queue-5.4/acpi-watchdog-fix-gas-access_width-usage.patch new file mode 100644 index 00000000000..0ed64531623 --- /dev/null +++ b/queue-5.4/acpi-watchdog-fix-gas-access_width-usage.patch @@ -0,0 +1,54 @@ +From 2ba33a4e9e22ac4dda928d3e9b5978a3a2ded4e0 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 12 Feb 2020 17:59:40 +0300 +Subject: ACPI: watchdog: Fix gas->access_width usage + +From: Mika Westerberg + +commit 2ba33a4e9e22ac4dda928d3e9b5978a3a2ded4e0 upstream. + +ACPI Generic Address Structure (GAS) access_width field is not in bytes +as the driver seems to expect in few places so fix this by using the +newly introduced macro ACPI_ACCESS_BYTE_WIDTH(). + +Fixes: b1abf6fc4982 ("ACPI / watchdog: Fix off-by-one error at resource assignment") +Fixes: 058dfc767008 ("ACPI / watchdog: Add support for WDAT hardware watchdog") +Reported-by: Jean Delvare +Signed-off-by: Mika Westerberg +Reviewed-by: Jean Delvare +Cc: 4.16+ # 4.16+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpi_watchdog.c | 3 +-- + drivers/watchdog/wdat_wdt.c | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/acpi/acpi_watchdog.c ++++ b/drivers/acpi/acpi_watchdog.c +@@ -126,12 +126,11 @@ void __init acpi_watchdog_init(void) + gas = &entries[i].register_region; + + res.start = gas->address; ++ res.end = res.start + ACPI_ACCESS_BYTE_WIDTH(gas->access_width) - 1; + if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { + res.flags = IORESOURCE_MEM; +- res.end = res.start + ALIGN(gas->access_width, 4) - 1; + } else if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { + res.flags = IORESOURCE_IO; +- res.end = res.start + gas->access_width - 1; + } else { + pr_warn("Unsupported address space: %u\n", + gas->space_id); +--- a/drivers/watchdog/wdat_wdt.c ++++ b/drivers/watchdog/wdat_wdt.c +@@ -389,7 +389,7 @@ static int wdat_wdt_probe(struct platfor + + memset(&r, 0, sizeof(r)); + r.start = gas->address; +- r.end = r.start + gas->access_width - 1; ++ r.end = r.start + ACPI_ACCESS_BYTE_WIDTH(gas->access_width) - 1; + if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { + r.flags = IORESOURCE_MEM; + } else if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { diff --git a/queue-5.4/acpica-introduce-acpi_access_byte_width-macro.patch b/queue-5.4/acpica-introduce-acpi_access_byte_width-macro.patch new file mode 100644 index 00000000000..5d681d00194 --- /dev/null +++ b/queue-5.4/acpica-introduce-acpi_access_byte_width-macro.patch @@ -0,0 +1,39 @@ +From 1dade3a7048ccfc675650cd2cf13d578b095e5fb Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 12 Feb 2020 17:59:39 +0300 +Subject: ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro + +From: Mika Westerberg + +commit 1dade3a7048ccfc675650cd2cf13d578b095e5fb upstream. + +Sometimes it is useful to find the access_width field value in bytes and +not in bits so add a helper that can be used for this purpose. + +Suggested-by: Jean Delvare +Signed-off-by: Mika Westerberg +Reviewed-by: Jean Delvare +Cc: 4.16+ # 4.16+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + include/acpi/actypes.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/acpi/actypes.h ++++ b/include/acpi/actypes.h +@@ -532,11 +532,12 @@ typedef u64 acpi_integer; + strnlen (a, ACPI_NAMESEG_SIZE) == ACPI_NAMESEG_SIZE) + + /* +- * Algorithm to obtain access bit width. ++ * Algorithm to obtain access bit or byte width. + * Can be used with access_width of struct acpi_generic_address and access_size of + * struct acpi_resource_generic_register. + */ + #define ACPI_ACCESS_BIT_WIDTH(size) (1 << ((size) + 2)) ++#define ACPI_ACCESS_BYTE_WIDTH(size) (1 << ((size) - 1)) + + /******************************************************************************* + * diff --git a/queue-5.4/amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch b/queue-5.4/amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch new file mode 100644 index 00000000000..1b41f14d9c3 --- /dev/null +++ b/queue-5.4/amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch @@ -0,0 +1,114 @@ +From a3ed353cf8015ba84a0407a5dc3ffee038166ab0 Mon Sep 17 00:00:00 2001 +From: Shirish S +Date: Mon, 27 Jan 2020 16:35:24 +0530 +Subject: amdgpu/gmc_v9: save/restore sdpif regs during S3 + +From: Shirish S + +commit a3ed353cf8015ba84a0407a5dc3ffee038166ab0 upstream. + +fixes S3 issue with IOMMU + S/G enabled @ 64M VRAM. + +Suggested-by: Alex Deucher +Signed-off-by: Shirish S +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.h | 1 + drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 37 ++++++++++++- + drivers/gpu/drm/amd/include/asic_reg/dce/dce_12_0_offset.h | 2 + 3 files changed, 39 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.h +@@ -157,6 +157,7 @@ struct amdgpu_gmc { + uint32_t srbm_soft_reset; + bool prt_warning; + uint64_t stolen_size; ++ uint32_t sdpif_register; + /* apertures */ + u64 shared_aperture_start; + u64 shared_aperture_end; +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +@@ -1383,6 +1383,19 @@ static void gmc_v9_0_init_golden_registe + } + + /** ++ * gmc_v9_0_restore_registers - restores regs ++ * ++ * @adev: amdgpu_device pointer ++ * ++ * This restores register values, saved at suspend. ++ */ ++static void gmc_v9_0_restore_registers(struct amdgpu_device *adev) ++{ ++ if (adev->asic_type == CHIP_RAVEN) ++ WREG32(mmDCHUBBUB_SDPIF_MMIO_CNTRL_0, adev->gmc.sdpif_register); ++} ++ ++/** + * gmc_v9_0_gart_enable - gart enable + * + * @adev: amdgpu_device pointer +@@ -1479,6 +1492,20 @@ static int gmc_v9_0_hw_init(void *handle + } + + /** ++ * gmc_v9_0_save_registers - saves regs ++ * ++ * @adev: amdgpu_device pointer ++ * ++ * This saves potential register values that should be ++ * restored upon resume ++ */ ++static void gmc_v9_0_save_registers(struct amdgpu_device *adev) ++{ ++ if (adev->asic_type == CHIP_RAVEN) ++ adev->gmc.sdpif_register = RREG32(mmDCHUBBUB_SDPIF_MMIO_CNTRL_0); ++} ++ ++/** + * gmc_v9_0_gart_disable - gart disable + * + * @adev: amdgpu_device pointer +@@ -1514,9 +1541,16 @@ static int gmc_v9_0_hw_fini(void *handle + + static int gmc_v9_0_suspend(void *handle) + { ++ int r; + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + +- return gmc_v9_0_hw_fini(adev); ++ r = gmc_v9_0_hw_fini(adev); ++ if (r) ++ return r; ++ ++ gmc_v9_0_save_registers(adev); ++ ++ return 0; + } + + static int gmc_v9_0_resume(void *handle) +@@ -1524,6 +1558,7 @@ static int gmc_v9_0_resume(void *handle) + int r; + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + ++ gmc_v9_0_restore_registers(adev); + r = gmc_v9_0_hw_init(adev); + if (r) + return r; +--- a/drivers/gpu/drm/amd/include/asic_reg/dce/dce_12_0_offset.h ++++ b/drivers/gpu/drm/amd/include/asic_reg/dce/dce_12_0_offset.h +@@ -7376,6 +7376,8 @@ + #define mmCRTC4_CRTC_DRR_CONTROL 0x0f3e + #define mmCRTC4_CRTC_DRR_CONTROL_BASE_IDX 2 + ++#define mmDCHUBBUB_SDPIF_MMIO_CNTRL_0 0x395d ++#define mmDCHUBBUB_SDPIF_MMIO_CNTRL_0_BASE_IDX 2 + + // addressBlock: dce_dc_fmt4_dispdec + // base address: 0x2000 diff --git a/queue-5.4/audit-always-check-the-netlink-payload-length-in-audit_receive_msg.patch b/queue-5.4/audit-always-check-the-netlink-payload-length-in-audit_receive_msg.patch new file mode 100644 index 00000000000..eb7bd245c3f --- /dev/null +++ b/queue-5.4/audit-always-check-the-netlink-payload-length-in-audit_receive_msg.patch @@ -0,0 +1,148 @@ +From 756125289285f6e55a03861bf4b6257aa3d19a93 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Mon, 24 Feb 2020 16:38:57 -0500 +Subject: audit: always check the netlink payload length in audit_receive_msg() + +From: Paul Moore + +commit 756125289285f6e55a03861bf4b6257aa3d19a93 upstream. + +This patch ensures that we always check the netlink payload length +in audit_receive_msg() before we take any action on the payload +itself. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+399c44bf1f43b8747403@syzkaller.appspotmail.com +Reported-by: syzbot+e4b12d8d202701f08b6d@syzkaller.appspotmail.com +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit.c | 40 +++++++++++++++++++++------------------- + 1 file changed, 21 insertions(+), 19 deletions(-) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1100,13 +1100,11 @@ static void audit_log_feature_change(int + audit_log_end(ab); + } + +-static int audit_set_feature(struct sk_buff *skb) ++static int audit_set_feature(struct audit_features *uaf) + { +- struct audit_features *uaf; + int i; + + BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names)); +- uaf = nlmsg_data(nlmsg_hdr(skb)); + + /* if there is ever a version 2 we should handle that here */ + +@@ -1174,6 +1172,7 @@ static int audit_receive_msg(struct sk_b + { + u32 seq; + void *data; ++ int data_len; + int err; + struct audit_buffer *ab; + u16 msg_type = nlh->nlmsg_type; +@@ -1187,6 +1186,7 @@ static int audit_receive_msg(struct sk_b + + seq = nlh->nlmsg_seq; + data = nlmsg_data(nlh); ++ data_len = nlmsg_len(nlh); + + switch (msg_type) { + case AUDIT_GET: { +@@ -1210,7 +1210,7 @@ static int audit_receive_msg(struct sk_b + struct audit_status s; + memset(&s, 0, sizeof(s)); + /* guard against past and future API changes */ +- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); ++ memcpy(&s, data, min_t(size_t, sizeof(s), data_len)); + if (s.mask & AUDIT_STATUS_ENABLED) { + err = audit_set_enabled(s.enabled); + if (err < 0) +@@ -1314,7 +1314,9 @@ static int audit_receive_msg(struct sk_b + return err; + break; + case AUDIT_SET_FEATURE: +- err = audit_set_feature(skb); ++ if (data_len < sizeof(struct audit_features)) ++ return -EINVAL; ++ err = audit_set_feature(data); + if (err) + return err; + break; +@@ -1326,6 +1328,8 @@ static int audit_receive_msg(struct sk_b + + err = audit_filter(msg_type, AUDIT_FILTER_USER); + if (err == 1) { /* match or error */ ++ char *str = data; ++ + err = 0; + if (msg_type == AUDIT_USER_TTY) { + err = tty_audit_push(); +@@ -1333,26 +1337,24 @@ static int audit_receive_msg(struct sk_b + break; + } + audit_log_user_recv_msg(&ab, msg_type); +- if (msg_type != AUDIT_USER_TTY) ++ if (msg_type != AUDIT_USER_TTY) { ++ /* ensure NULL termination */ ++ str[data_len - 1] = '\0'; + audit_log_format(ab, " msg='%.*s'", + AUDIT_MESSAGE_TEXT_MAX, +- (char *)data); +- else { +- int size; +- ++ str); ++ } else { + audit_log_format(ab, " data="); +- size = nlmsg_len(nlh); +- if (size > 0 && +- ((unsigned char *)data)[size - 1] == '\0') +- size--; +- audit_log_n_untrustedstring(ab, data, size); ++ if (data_len > 0 && str[data_len - 1] == '\0') ++ data_len--; ++ audit_log_n_untrustedstring(ab, str, data_len); + } + audit_log_end(ab); + } + break; + case AUDIT_ADD_RULE: + case AUDIT_DEL_RULE: +- if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) ++ if (data_len < sizeof(struct audit_rule_data)) + return -EINVAL; + if (audit_enabled == AUDIT_LOCKED) { + audit_log_common_recv_msg(audit_context(), &ab, +@@ -1364,7 +1366,7 @@ static int audit_receive_msg(struct sk_b + audit_log_end(ab); + return -EPERM; + } +- err = audit_rule_change(msg_type, seq, data, nlmsg_len(nlh)); ++ err = audit_rule_change(msg_type, seq, data, data_len); + break; + case AUDIT_LIST_RULES: + err = audit_list_rules_send(skb, seq); +@@ -1379,7 +1381,7 @@ static int audit_receive_msg(struct sk_b + case AUDIT_MAKE_EQUIV: { + void *bufp = data; + u32 sizes[2]; +- size_t msglen = nlmsg_len(nlh); ++ size_t msglen = data_len; + char *old, *new; + + err = -EINVAL; +@@ -1455,7 +1457,7 @@ static int audit_receive_msg(struct sk_b + + memset(&s, 0, sizeof(s)); + /* guard against past and future API changes */ +- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); ++ memcpy(&s, data, min_t(size_t, sizeof(s), data_len)); + /* check if new data is valid */ + if ((s.enabled != 0 && s.enabled != 1) || + (s.log_passwd != 0 && s.log_passwd != 1)) diff --git a/queue-5.4/audit-fix-error-handling-in-audit_data_to_entry.patch b/queue-5.4/audit-fix-error-handling-in-audit_data_to_entry.patch new file mode 100644 index 00000000000..2c84b8b2a97 --- /dev/null +++ b/queue-5.4/audit-fix-error-handling-in-audit_data_to_entry.patch @@ -0,0 +1,203 @@ +From 2ad3e17ebf94b7b7f3f64c050ff168f9915345eb Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Sat, 22 Feb 2020 20:36:47 -0500 +Subject: audit: fix error handling in audit_data_to_entry() + +From: Paul Moore + +commit 2ad3e17ebf94b7b7f3f64c050ff168f9915345eb upstream. + +Commit 219ca39427bf ("audit: use union for audit_field values since +they are mutually exclusive") combined a number of separate fields in +the audit_field struct into a single union. Generally this worked +just fine because they are generally mutually exclusive. +Unfortunately in audit_data_to_entry() the overlap can be a problem +when a specific error case is triggered that causes the error path +code to attempt to cleanup an audit_field struct and the cleanup +involves attempting to free a stored LSM string (the lsm_str field). +Currently the code always has a non-NULL value in the +audit_field.lsm_str field as the top of the for-loop transfers a +value into audit_field.val (both .lsm_str and .val are part of the +same union); if audit_data_to_entry() fails and the audit_field +struct is specified to contain a LSM string, but the +audit_field.lsm_str has not yet been properly set, the error handling +code will attempt to free the bogus audit_field.lsm_str value that +was set with audit_field.val at the top of the for-loop. + +This patch corrects this by ensuring that the audit_field.val is only +set when needed (it is cleared when the audit_field struct is +allocated with kcalloc()). It also corrects a few other issues to +ensure that in case of error the proper error code is returned. + +Cc: stable@vger.kernel.org +Fixes: 219ca39427bf ("audit: use union for audit_field values since they are mutually exclusive") +Reported-by: syzbot+1f4d90ead370d72e450b@syzkaller.appspotmail.com +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/auditfilter.c | 71 ++++++++++++++++++++++++++++----------------------- + 1 file changed, 39 insertions(+), 32 deletions(-) + +--- a/kernel/auditfilter.c ++++ b/kernel/auditfilter.c +@@ -456,6 +456,7 @@ static struct audit_entry *audit_data_to + bufp = data->buf; + for (i = 0; i < data->field_count; i++) { + struct audit_field *f = &entry->rule.fields[i]; ++ u32 f_val; + + err = -EINVAL; + +@@ -464,12 +465,12 @@ static struct audit_entry *audit_data_to + goto exit_free; + + f->type = data->fields[i]; +- f->val = data->values[i]; ++ f_val = data->values[i]; + + /* Support legacy tests for a valid loginuid */ +- if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { ++ if ((f->type == AUDIT_LOGINUID) && (f_val == AUDIT_UID_UNSET)) { + f->type = AUDIT_LOGINUID_SET; +- f->val = 0; ++ f_val = 0; + entry->rule.pflags |= AUDIT_LOGINUID_LEGACY; + } + +@@ -485,7 +486,7 @@ static struct audit_entry *audit_data_to + case AUDIT_SUID: + case AUDIT_FSUID: + case AUDIT_OBJ_UID: +- f->uid = make_kuid(current_user_ns(), f->val); ++ f->uid = make_kuid(current_user_ns(), f_val); + if (!uid_valid(f->uid)) + goto exit_free; + break; +@@ -494,11 +495,12 @@ static struct audit_entry *audit_data_to + case AUDIT_SGID: + case AUDIT_FSGID: + case AUDIT_OBJ_GID: +- f->gid = make_kgid(current_user_ns(), f->val); ++ f->gid = make_kgid(current_user_ns(), f_val); + if (!gid_valid(f->gid)) + goto exit_free; + break; + case AUDIT_ARCH: ++ f->val = f_val; + entry->rule.arch_f = f; + break; + case AUDIT_SUBJ_USER: +@@ -511,11 +513,13 @@ static struct audit_entry *audit_data_to + case AUDIT_OBJ_TYPE: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: +- str = audit_unpack_string(&bufp, &remain, f->val); +- if (IS_ERR(str)) ++ str = audit_unpack_string(&bufp, &remain, f_val); ++ if (IS_ERR(str)) { ++ err = PTR_ERR(str); + goto exit_free; +- entry->rule.buflen += f->val; +- ++ } ++ entry->rule.buflen += f_val; ++ f->lsm_str = str; + err = security_audit_rule_init(f->type, f->op, str, + (void **)&f->lsm_rule); + /* Keep currently invalid fields around in case they +@@ -524,68 +528,71 @@ static struct audit_entry *audit_data_to + pr_warn("audit rule for LSM \'%s\' is invalid\n", + str); + err = 0; +- } +- if (err) { +- kfree(str); ++ } else if (err) + goto exit_free; +- } else +- f->lsm_str = str; + break; + case AUDIT_WATCH: +- str = audit_unpack_string(&bufp, &remain, f->val); +- if (IS_ERR(str)) ++ str = audit_unpack_string(&bufp, &remain, f_val); ++ if (IS_ERR(str)) { ++ err = PTR_ERR(str); + goto exit_free; +- entry->rule.buflen += f->val; +- +- err = audit_to_watch(&entry->rule, str, f->val, f->op); ++ } ++ err = audit_to_watch(&entry->rule, str, f_val, f->op); + if (err) { + kfree(str); + goto exit_free; + } ++ entry->rule.buflen += f_val; + break; + case AUDIT_DIR: +- str = audit_unpack_string(&bufp, &remain, f->val); +- if (IS_ERR(str)) ++ str = audit_unpack_string(&bufp, &remain, f_val); ++ if (IS_ERR(str)) { ++ err = PTR_ERR(str); + goto exit_free; +- entry->rule.buflen += f->val; +- ++ } + err = audit_make_tree(&entry->rule, str, f->op); + kfree(str); + if (err) + goto exit_free; ++ entry->rule.buflen += f_val; + break; + case AUDIT_INODE: ++ f->val = f_val; + err = audit_to_inode(&entry->rule, f); + if (err) + goto exit_free; + break; + case AUDIT_FILTERKEY: +- if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) ++ if (entry->rule.filterkey || f_val > AUDIT_MAX_KEY_LEN) + goto exit_free; +- str = audit_unpack_string(&bufp, &remain, f->val); +- if (IS_ERR(str)) ++ str = audit_unpack_string(&bufp, &remain, f_val); ++ if (IS_ERR(str)) { ++ err = PTR_ERR(str); + goto exit_free; +- entry->rule.buflen += f->val; ++ } ++ entry->rule.buflen += f_val; + entry->rule.filterkey = str; + break; + case AUDIT_EXE: +- if (entry->rule.exe || f->val > PATH_MAX) ++ if (entry->rule.exe || f_val > PATH_MAX) + goto exit_free; +- str = audit_unpack_string(&bufp, &remain, f->val); ++ str = audit_unpack_string(&bufp, &remain, f_val); + if (IS_ERR(str)) { + err = PTR_ERR(str); + goto exit_free; + } +- entry->rule.buflen += f->val; +- +- audit_mark = audit_alloc_mark(&entry->rule, str, f->val); ++ audit_mark = audit_alloc_mark(&entry->rule, str, f_val); + if (IS_ERR(audit_mark)) { + kfree(str); + err = PTR_ERR(audit_mark); + goto exit_free; + } ++ entry->rule.buflen += f_val; + entry->rule.exe = audit_mark; + break; ++ default: ++ f->val = f_val; ++ break; + } + } + diff --git a/queue-5.4/cpufreq-fix-policy-initialization-for-internal-governor-drivers.patch b/queue-5.4/cpufreq-fix-policy-initialization-for-internal-governor-drivers.patch new file mode 100644 index 00000000000..9d073f76945 --- /dev/null +++ b/queue-5.4/cpufreq-fix-policy-initialization-for-internal-governor-drivers.patch @@ -0,0 +1,52 @@ +From f5739cb0b56590d68d8df8a44659893b6d0084c3 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Wed, 26 Feb 2020 22:39:27 +0100 +Subject: cpufreq: Fix policy initialization for internal governor drivers + +From: Rafael J. Wysocki + +commit f5739cb0b56590d68d8df8a44659893b6d0084c3 upstream. + +Before commit 1e4f63aecb53 ("cpufreq: Avoid creating excessively +large stack frames") the initial value of the policy field in struct +cpufreq_policy set by the driver's ->init() callback was implicitly +passed from cpufreq_init_policy() to cpufreq_set_policy() if the +default governor was neither "performance" nor "powersave". After +that commit, however, cpufreq_init_policy() must take that case into +consideration explicitly and handle it as appropriate, so make that +happen. + +Fixes: 1e4f63aecb53 ("cpufreq: Avoid creating excessively large stack frames") +Link: https://lore.kernel.org/linux-pm/39fb762880c27da110086741315ca8b111d781cd.camel@gmail.com/ +Reported-by: Artem Bityutskiy +Cc: 5.4+ # 5.4+ +Signed-off-by: Rafael J. Wysocki +Acked-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/cpufreq.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1071,9 +1071,17 @@ static int cpufreq_init_policy(struct cp + pol = policy->last_policy; + } else if (def_gov) { + pol = cpufreq_parse_policy(def_gov->name); +- } else { +- return -ENODATA; ++ /* ++ * In case the default governor is neiter "performance" ++ * nor "powersave", fall back to the initial policy ++ * value set by the driver. ++ */ ++ if (pol == CPUFREQ_POLICY_UNKNOWN) ++ pol = policy->policy; + } ++ if (pol != CPUFREQ_POLICY_PERFORMANCE && ++ pol != CPUFREQ_POLICY_POWERSAVE) ++ return -ENODATA; + } + + return cpufreq_set_policy(policy, gov, pol); diff --git a/queue-5.4/drm-amdgpu-drop-driver_use_agp.patch b/queue-5.4/drm-amdgpu-drop-driver_use_agp.patch new file mode 100644 index 00000000000..18fdbefe86e --- /dev/null +++ b/queue-5.4/drm-amdgpu-drop-driver_use_agp.patch @@ -0,0 +1,56 @@ +From 8a3bddf67ce88b96531fb22c5a75d7f4dc41d155 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Sat, 22 Feb 2020 18:54:31 +0100 +Subject: drm/amdgpu: Drop DRIVER_USE_AGP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Vetter + +commit 8a3bddf67ce88b96531fb22c5a75d7f4dc41d155 upstream. + +This doesn't do anything except auto-init drm_agp support when you +call drm_get_pci_dev(). Which amdgpu stopped doing with + +commit b58c11314a1706bf094c489ef5cb28f76478c704 +Author: Alex Deucher +Date: Fri Jun 2 17:16:31 2017 -0400 + + drm/amdgpu: drop deprecated drm_get_pci_dev and drm_put_dev + +No idea whether this was intentional or accidental breakage, but I +guess anyone who manages to boot a this modern gpu behind an agp +bridge deserves a price. A price I never expect anyone to ever collect +:-) + +Cc: Alex Deucher +Cc: "Christian König" +Cc: Hawking Zhang +Cc: Xiaojie Yuan +Cc: Evan Quan +Cc: "Tianci.Yin" +Cc: "Marek Olšák" +Cc: Hans de Goede +Reviewed-by: Emil Velikov +Reviewed-by: Alex Deucher +Signed-off-by: Daniel Vetter +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -1421,7 +1421,7 @@ amdgpu_get_crtc_scanout_position(struct + + static struct drm_driver kms_driver = { + .driver_features = +- DRIVER_USE_AGP | DRIVER_ATOMIC | ++ DRIVER_ATOMIC | + DRIVER_GEM | + DRIVER_RENDER | DRIVER_MODESET | DRIVER_SYNCOBJ, + .load = amdgpu_driver_load_kms, diff --git a/queue-5.4/drm-radeon-inline-drm_get_pci_dev.patch b/queue-5.4/drm-radeon-inline-drm_get_pci_dev.patch new file mode 100644 index 00000000000..cefa91c0d4e --- /dev/null +++ b/queue-5.4/drm-radeon-inline-drm_get_pci_dev.patch @@ -0,0 +1,135 @@ +From eb12c957735b582607e5842a06d1f4c62e185c1d Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Sat, 22 Feb 2020 18:54:32 +0100 +Subject: drm/radeon: Inline drm_get_pci_dev +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Vetter + +commit eb12c957735b582607e5842a06d1f4c62e185c1d upstream. + +It's the last user, and more importantly, it's the last non-legacy +user of anything in drm_pci.c. + +The only tricky bit is the agp initialization. But a close look shows +that radeon does not use the drm_agp midlayer (the main use of that is +drm_bufs for legacy drivers), and instead could use the agp subsystem +directly (like nouveau does already). Hence we can just pull this in +too. + +A further step would be to entirely drop the use of drm_device->agp, +but feels like too much churn just for this patch. + +Signed-off-by: Daniel Vetter +Cc: Alex Deucher +Cc: "Christian König" +Cc: "David (ChunMing) Zhou" +Cc: amd-gfx@lists.freedesktop.org +Reviewed-by: Alex Deucher +Reviewed-by: Emil Velikov +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_drv.c | 43 ++++++++++++++++++++++++++++++++++-- + drivers/gpu/drm/radeon/radeon_kms.c | 6 +++++ + 2 files changed, 47 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -37,6 +37,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -325,6 +326,7 @@ static int radeon_pci_probe(struct pci_d + const struct pci_device_id *ent) + { + unsigned long flags = 0; ++ struct drm_device *dev; + int ret; + + if (!ent) +@@ -365,7 +367,44 @@ static int radeon_pci_probe(struct pci_d + if (ret) + return ret; + +- return drm_get_pci_dev(pdev, ent, &kms_driver); ++ dev = drm_dev_alloc(&kms_driver, &pdev->dev); ++ if (IS_ERR(dev)) ++ return PTR_ERR(dev); ++ ++ ret = pci_enable_device(pdev); ++ if (ret) ++ goto err_free; ++ ++ dev->pdev = pdev; ++#ifdef __alpha__ ++ dev->hose = pdev->sysdata; ++#endif ++ ++ pci_set_drvdata(pdev, dev); ++ ++ if (pci_find_capability(dev->pdev, PCI_CAP_ID_AGP)) ++ dev->agp = drm_agp_init(dev); ++ if (dev->agp) { ++ dev->agp->agp_mtrr = arch_phys_wc_add( ++ dev->agp->agp_info.aper_base, ++ dev->agp->agp_info.aper_size * ++ 1024 * 1024); ++ } ++ ++ ret = drm_dev_register(dev, ent->driver_data); ++ if (ret) ++ goto err_agp; ++ ++ return 0; ++ ++err_agp: ++ if (dev->agp) ++ arch_phys_wc_del(dev->agp->agp_mtrr); ++ kfree(dev->agp); ++ pci_disable_device(pdev); ++err_free: ++ drm_dev_put(dev); ++ return ret; + } + + static void +@@ -578,7 +617,7 @@ radeon_get_crtc_scanout_position(struct + + static struct drm_driver kms_driver = { + .driver_features = +- DRIVER_USE_AGP | DRIVER_GEM | DRIVER_RENDER, ++ DRIVER_GEM | DRIVER_RENDER, + .load = radeon_driver_load_kms, + .open = radeon_driver_open_kms, + .postclose = radeon_driver_postclose_kms, +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -31,6 +31,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -77,6 +78,11 @@ void radeon_driver_unload_kms(struct drm + radeon_modeset_fini(rdev); + radeon_device_fini(rdev); + ++ if (dev->agp) ++ arch_phys_wc_del(dev->agp->agp_mtrr); ++ kfree(dev->agp); ++ dev->agp = NULL; ++ + done_free: + kfree(rdev); + dev->dev_private = NULL; diff --git a/queue-5.4/ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch b/queue-5.4/ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch new file mode 100644 index 00000000000..1e7882ea68e --- /dev/null +++ b/queue-5.4/ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch @@ -0,0 +1,50 @@ +From 37b0b6b8b99c0e1c1f11abbe7cf49b6d03795b3f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 28 Feb 2020 12:22:56 +0300 +Subject: ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() + +From: Dan Carpenter + +commit 37b0b6b8b99c0e1c1f11abbe7cf49b6d03795b3f upstream. + +If sbi->s_flex_groups_allocated is zero and the first allocation fails +then this code will crash. The problem is that "i--" will set "i" to +-1 but when we compare "i >= sbi->s_flex_groups_allocated" then the -1 +is type promoted to unsigned and becomes UINT_MAX. Since UINT_MAX +is more than zero, the condition is true so we call kvfree(new_groups[-1]). +The loop will carry on freeing invalid memory until it crashes. + +Fixes: 7c990728b99e ("ext4: fix potential race between s_flex_groups online resizing and access") +Reviewed-by: Suraj Jitindar Singh +Signed-off-by: Dan Carpenter +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20200228092142.7irbc44yaz3by7nb@kili.mountain +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2343,7 +2343,7 @@ int ext4_alloc_flex_bg_array(struct supe + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct flex_groups **old_groups, **new_groups; +- int size, i; ++ int size, i, j; + + if (!sbi->s_log_groups_per_flex) + return 0; +@@ -2364,8 +2364,8 @@ int ext4_alloc_flex_bg_array(struct supe + sizeof(struct flex_groups)), + GFP_KERNEL); + if (!new_groups[i]) { +- for (i--; i >= sbi->s_flex_groups_allocated; i--) +- kvfree(new_groups[i]); ++ for (j = sbi->s_flex_groups_allocated; j < i; j++) ++ kvfree(new_groups[j]); + kvfree(new_groups); + ext4_msg(sb, KERN_ERR, + "not enough memory for %d flex groups", size); diff --git a/queue-5.4/hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch b/queue-5.4/hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch new file mode 100644 index 00000000000..39b4bfe3561 --- /dev/null +++ b/queue-5.4/hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch @@ -0,0 +1,46 @@ +From 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f Mon Sep 17 00:00:00 2001 +From: Johan Korsnes +Date: Fri, 17 Jan 2020 13:08:35 +0100 +Subject: HID: core: fix off-by-one memset in hid_report_raw_event() + +From: Johan Korsnes + +commit 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f upstream. + +In case a report is greater than HID_MAX_BUFFER_SIZE, it is truncated, +but the report-number byte is not correctly handled. This results in a +off-by-one in the following memset, causing a kernel Oops and ensuing +system crash. + +Note: With commit 8ec321e96e05 ("HID: Fix slab-out-of-bounds read in +hid_field_extract") I no longer hit the kernel Oops as we instead fail +"controlled" at probe if there is a report too long in the HID +report-descriptor. hid_report_raw_event() is an exported symbol, so +presumabely we cannot always rely on this being the case. + +Fixes: 966922f26c7f ("HID: fix a crash in hid_report_raw_event() + function.") +Signed-off-by: Johan Korsnes +Cc: Armando Visconti +Cc: Jiri Kosina +Cc: Alan Stern +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1741,7 +1741,9 @@ int hid_report_raw_event(struct hid_devi + + rsize = ((report->size - 1) >> 3) + 1; + +- if (rsize > HID_MAX_BUFFER_SIZE) ++ if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE) ++ rsize = HID_MAX_BUFFER_SIZE - 1; ++ else if (rsize > HID_MAX_BUFFER_SIZE) + rsize = HID_MAX_BUFFER_SIZE; + + if (csize < rsize) { diff --git a/queue-5.4/hid-core-increase-hid-report-buffer-size-to-8kib.patch b/queue-5.4/hid-core-increase-hid-report-buffer-size-to-8kib.patch new file mode 100644 index 00000000000..950cf9838c2 --- /dev/null +++ b/queue-5.4/hid-core-increase-hid-report-buffer-size-to-8kib.patch @@ -0,0 +1,37 @@ +From 84a4062632462c4320704fcdf8e99e89e94c0aba Mon Sep 17 00:00:00 2001 +From: Johan Korsnes +Date: Fri, 17 Jan 2020 13:08:36 +0100 +Subject: HID: core: increase HID report buffer size to 8KiB + +From: Johan Korsnes + +commit 84a4062632462c4320704fcdf8e99e89e94c0aba upstream. + +We have a HID touch device that reports its opens and shorts test +results in HID buffers of size 8184 bytes. The maximum size of the HID +buffer is currently set to 4096 bytes, causing probe of this device to +fail. With this patch we increase the maximum size of the HID buffer to +8192 bytes, making device probe and acquisition of said buffers succeed. + +Signed-off-by: Johan Korsnes +Cc: Alan Stern +Cc: Armando Visconti +Cc: Jiri Kosina +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/hid.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -492,7 +492,7 @@ struct hid_report_enum { + }; + + #define HID_MIN_BUFFER_SIZE 64 /* make sure there is at least a packet size of space */ +-#define HID_MAX_BUFFER_SIZE 4096 /* 4kb */ ++#define HID_MAX_BUFFER_SIZE 8192 /* 8kb */ + #define HID_CONTROL_FIFO_SIZE 256 /* to init devices with >100 reports */ + #define HID_OUTPUT_FIFO_SIZE 64 + diff --git a/queue-5.4/hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch b/queue-5.4/hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch new file mode 100644 index 00000000000..b3ec0f0d646 --- /dev/null +++ b/queue-5.4/hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch @@ -0,0 +1,64 @@ +From beae56192a2570578ae45050e73c5ff9254f63e6 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 1 Feb 2020 12:56:48 +0100 +Subject: HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +commit beae56192a2570578ae45050e73c5ff9254f63e6 upstream. + +Commit 8f18eca9ebc5 ("HID: ite: Add USB id match for Acer SW5-012 keyboard +dock") added the USB id for the Acer SW5-012's keyboard dock to the +hid-ite driver to fix the rfkill driver not working. + +Most keyboard docks with an ITE 8595 keyboard/touchpad controller have the +"Wireless Radio Control" bits which need the special hid-ite driver on the +second USB interface (the mouse interface) and their touchpad only supports +mouse emulation, so using generic hid-input handling for anything but +the "Wireless Radio Control" bits is fine. On these devices we simply bind +to all USB interfaces. + +But unlike other ITE8595 using keyboard docks, the Acer Aspire Switch 10 +(SW5-012)'s touchpad not only does mouse emulation it also supports +HID-multitouch and all the keys including the "Wireless Radio Control" +bits have been moved to the first USB interface (the keyboard intf). + +So we need hid-ite to handle the first (keyboard) USB interface and have +it NOT bind to the second (mouse) USB interface so that that can be +handled by hid-multitouch.c and we get proper multi-touch support. + +This commit changes the hid_device_id for the SW5-012 keyboard dock to +only match on hid devices from the HID_GROUP_GENERIC group, this way +hid-ite will not bind the the mouse/multi-touch interface which has +HID_GROUP_MULTITOUCH_WIN_8 as group. +This fixes the regression to mouse-emulation mode introduced by adding +the keyboard dock USB id. + +Cc: stable@vger.kernel.org +Fixes: 8f18eca9ebc5 ("HID: ite: Add USB id match for Acer SW5-012 keyboard dock") +Reported-by: Zdeněk Rampas +Signed-off-by: Hans de Goede +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ite.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-ite.c ++++ b/drivers/hid/hid-ite.c +@@ -41,8 +41,9 @@ static const struct hid_device_id ite_de + { HID_USB_DEVICE(USB_VENDOR_ID_ITE, USB_DEVICE_ID_ITE8595) }, + { HID_USB_DEVICE(USB_VENDOR_ID_258A, USB_DEVICE_ID_258A_6A88) }, + /* ITE8595 USB kbd ctlr, with Synaptics touchpad connected to it. */ +- { HID_USB_DEVICE(USB_VENDOR_ID_SYNAPTICS, +- USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012) }, ++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, ++ USB_VENDOR_ID_SYNAPTICS, ++ USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012) }, + { } + }; + MODULE_DEVICE_TABLE(hid, ite_devices); diff --git a/queue-5.4/io_uring-fix-32-bit-compatability-with-sendmsg-recvmsg.patch b/queue-5.4/io_uring-fix-32-bit-compatability-with-sendmsg-recvmsg.patch new file mode 100644 index 00000000000..a4489878239 --- /dev/null +++ b/queue-5.4/io_uring-fix-32-bit-compatability-with-sendmsg-recvmsg.patch @@ -0,0 +1,39 @@ +From d876836204897b6d7d911f942084f69a1e9d5c4d Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Thu, 27 Feb 2020 14:17:49 -0700 +Subject: io_uring: fix 32-bit compatability with sendmsg/recvmsg + +From: Jens Axboe + +commit d876836204897b6d7d911f942084f69a1e9d5c4d upstream. + +We must set MSG_CMSG_COMPAT if we're in compatability mode, otherwise +the iovec import for these commands will not do the right thing and fail +the command with -EINVAL. + +Found by running the test suite compiled as 32-bit. + +Cc: stable@vger.kernel.org +Fixes: aa1fa28fc73e ("io_uring: add support for recvmsg()") +Fixes: 0fa03c624d8f ("io_uring: add support for sendmsg()") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -1657,6 +1657,11 @@ static int io_send_recvmsg(struct io_kio + else if (force_nonblock) + flags |= MSG_DONTWAIT; + ++#ifdef CONFIG_COMPAT ++ if (req->ctx->compat) ++ flags |= MSG_CMSG_COMPAT; ++#endif ++ + msg = (struct user_msghdr __user *) (unsigned long) + READ_ONCE(sqe->addr); + diff --git a/queue-5.4/kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch b/queue-5.4/kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch new file mode 100644 index 00000000000..69a8a7cb888 --- /dev/null +++ b/queue-5.4/kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch @@ -0,0 +1,61 @@ +From 86f7e90ce840aa1db407d3ea6e9b3a52b2ce923c Mon Sep 17 00:00:00 2001 +From: Oliver Upton +Date: Sat, 29 Feb 2020 11:30:14 -0800 +Subject: KVM: VMX: check descriptor table exits on instruction emulation + +From: Oliver Upton + +commit 86f7e90ce840aa1db407d3ea6e9b3a52b2ce923c upstream. + +KVM emulates UMIP on hardware that doesn't support it by setting the +'descriptor table exiting' VM-execution control and performing +instruction emulation. When running nested, this emulation is broken as +KVM refuses to emulate L2 instructions by default. + +Correct this regression by allowing the emulation of descriptor table +instructions if L1 hasn't requested 'descriptor table exiting'. + +Fixes: 07721feee46b ("KVM: nVMX: Don't emulate instructions in guest mode") +Reported-by: Jan Kiszka +Cc: stable@vger.kernel.org +Cc: Paolo Bonzini +Cc: Jim Mattson +Signed-off-by: Oliver Upton +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx/vmx.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -7165,6 +7165,7 @@ static int vmx_check_intercept_io(struct + else + intercept = nested_vmx_check_io_bitmaps(vcpu, port, size); + ++ /* FIXME: produce nested vmexit and return X86EMUL_INTERCEPTED. */ + return intercept ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; + } + +@@ -7194,6 +7195,20 @@ static int vmx_check_intercept(struct kv + case x86_intercept_outs: + return vmx_check_intercept_io(vcpu, info); + ++ case x86_intercept_lgdt: ++ case x86_intercept_lidt: ++ case x86_intercept_lldt: ++ case x86_intercept_ltr: ++ case x86_intercept_sgdt: ++ case x86_intercept_sidt: ++ case x86_intercept_sldt: ++ case x86_intercept_str: ++ if (!nested_cpu_has2(vmcs12, SECONDARY_EXEC_DESC)) ++ return X86EMUL_CONTINUE; ++ ++ /* FIXME: produce nested vmexit and return X86EMUL_INTERCEPTED. */ ++ break; ++ + /* TODO: check more intercepts... */ + default: + break; diff --git a/queue-5.4/macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch b/queue-5.4/macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch new file mode 100644 index 00000000000..69076c50925 --- /dev/null +++ b/queue-5.4/macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch @@ -0,0 +1,136 @@ +From 38b17afb0ebb9ecd41418d3c08bcf9198af4349d Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Tue, 25 Feb 2020 15:12:29 +0100 +Subject: macintosh: therm_windtunnel: fix regression when instantiating devices + +From: Wolfram Sang + +commit 38b17afb0ebb9ecd41418d3c08bcf9198af4349d upstream. + +Removing attach_adapter from this driver caused a regression for at +least some machines. Those machines had the sensors described in their +DT, too, so they didn't need manual creation of the sensor devices. The +old code worked, though, because manual creation came first. Creation of +DT devices then failed later and caused error logs, but the sensors +worked nonetheless because of the manually created devices. + +When removing attach_adaper, manual creation now comes later and loses +the race. The sensor devices were already registered via DT, yet with +another binding, so the driver could not be bound to it. + +This fix refactors the code to remove the race and only manually creates +devices if there are no DT nodes present. Also, the DT binding is updated +to match both, the DT and manually created devices. Because we don't +know which device creation will be used at runtime, the code to start +the kthread is moved to do_probe() which will be called by both methods. + +Fixes: 3e7bed52719d ("macintosh: therm_windtunnel: drop using attach_adapter") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=201723 +Reported-by: Erhard Furtner +Tested-by: Erhard Furtner +Acked-by: Michael Ellerman (powerpc) +Signed-off-by: Wolfram Sang +Cc: stable@kernel.org # v4.19+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/macintosh/therm_windtunnel.c | 52 ++++++++++++++++++++--------------- + 1 file changed, 31 insertions(+), 21 deletions(-) + +--- a/drivers/macintosh/therm_windtunnel.c ++++ b/drivers/macintosh/therm_windtunnel.c +@@ -300,9 +300,11 @@ static int control_loop(void *dummy) + /* i2c probing and setup */ + /************************************************************************/ + +-static int +-do_attach( struct i2c_adapter *adapter ) ++static void do_attach(struct i2c_adapter *adapter) + { ++ struct i2c_board_info info = { }; ++ struct device_node *np; ++ + /* scan 0x48-0x4f (DS1775) and 0x2c-2x2f (ADM1030) */ + static const unsigned short scan_ds1775[] = { + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, +@@ -313,25 +315,24 @@ do_attach( struct i2c_adapter *adapter ) + I2C_CLIENT_END + }; + +- if( strncmp(adapter->name, "uni-n", 5) ) +- return 0; +- +- if( !x.running ) { +- struct i2c_board_info info; ++ if (x.running || strncmp(adapter->name, "uni-n", 5)) ++ return; + +- memset(&info, 0, sizeof(struct i2c_board_info)); +- strlcpy(info.type, "therm_ds1775", I2C_NAME_SIZE); ++ np = of_find_compatible_node(adapter->dev.of_node, NULL, "MAC,ds1775"); ++ if (np) { ++ of_node_put(np); ++ } else { ++ strlcpy(info.type, "MAC,ds1775", I2C_NAME_SIZE); + i2c_new_probed_device(adapter, &info, scan_ds1775, NULL); ++ } + +- strlcpy(info.type, "therm_adm1030", I2C_NAME_SIZE); ++ np = of_find_compatible_node(adapter->dev.of_node, NULL, "MAC,adm1030"); ++ if (np) { ++ of_node_put(np); ++ } else { ++ strlcpy(info.type, "MAC,adm1030", I2C_NAME_SIZE); + i2c_new_probed_device(adapter, &info, scan_adm1030, NULL); +- +- if( x.thermostat && x.fan ) { +- x.running = 1; +- x.poll_task = kthread_run(control_loop, NULL, "g4fand"); +- } + } +- return 0; + } + + static int +@@ -404,8 +405,8 @@ out: + enum chip { ds1775, adm1030 }; + + static const struct i2c_device_id therm_windtunnel_id[] = { +- { "therm_ds1775", ds1775 }, +- { "therm_adm1030", adm1030 }, ++ { "MAC,ds1775", ds1775 }, ++ { "MAC,adm1030", adm1030 }, + { } + }; + MODULE_DEVICE_TABLE(i2c, therm_windtunnel_id); +@@ -414,6 +415,7 @@ static int + do_probe(struct i2c_client *cl, const struct i2c_device_id *id) + { + struct i2c_adapter *adapter = cl->adapter; ++ int ret = 0; + + if( !i2c_check_functionality(adapter, I2C_FUNC_SMBUS_WORD_DATA + | I2C_FUNC_SMBUS_WRITE_BYTE) ) +@@ -421,11 +423,19 @@ do_probe(struct i2c_client *cl, const st + + switch (id->driver_data) { + case adm1030: +- return attach_fan( cl ); ++ ret = attach_fan(cl); ++ break; + case ds1775: +- return attach_thermostat(cl); ++ ret = attach_thermostat(cl); ++ break; + } +- return 0; ++ ++ if (!x.running && x.thermostat && x.fan) { ++ x.running = 1; ++ x.poll_task = kthread_run(control_loop, NULL, "g4fand"); ++ } ++ ++ return ret; + } + + static struct i2c_driver g4fan_driver = { diff --git a/queue-5.4/revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch b/queue-5.4/revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch new file mode 100644 index 00000000000..03d92ebfb4a --- /dev/null +++ b/queue-5.4/revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch @@ -0,0 +1,54 @@ +From 66d0e797bf095d407479c89952d42b1d96ef0a7f Mon Sep 17 00:00:00 2001 +From: Orson Zhai +Date: Fri, 21 Feb 2020 01:37:04 +0800 +Subject: Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs" + +From: Orson Zhai + +commit 66d0e797bf095d407479c89952d42b1d96ef0a7f upstream. + +This reverts commit 4585fbcb5331fc910b7e553ad3efd0dd7b320d14. + +The name changing as devfreq(X) breaks some user space applications, +such as Android HAL from Unisoc and Hikey [1]. +The device name will be changed unexpectly after every boot depending +on module init sequence. It will make trouble to setup some system +configuration like selinux for Android. + +So we'd like to revert it back to old naming rule before any better +way being found. + +[1] https://lkml.org/lkml/2018/5/8/1042 + +Cc: John Stultz +Cc: Greg Kroah-Hartman +Cc: stable@vger.kernel.org +Signed-off-by: Orson Zhai +Acked-by: Greg Kroah-Hartman +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/devfreq/devfreq.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -613,7 +613,6 @@ struct devfreq *devfreq_add_device(struc + { + struct devfreq *devfreq; + struct devfreq_governor *governor; +- static atomic_t devfreq_no = ATOMIC_INIT(-1); + int err = 0; + + if (!dev || !profile || !governor_name) { +@@ -677,8 +676,7 @@ struct devfreq *devfreq_add_device(struc + devfreq->suspend_freq = dev_pm_opp_get_suspend_opp_freq(dev); + atomic_set(&devfreq->suspend_count, 0); + +- dev_set_name(&devfreq->dev, "devfreq%d", +- atomic_inc_return(&devfreq_no)); ++ dev_set_name(&devfreq->dev, "%s", dev_name(dev)); + err = device_register(&devfreq->dev); + if (err) { + mutex_unlock(&devfreq->lock); diff --git a/queue-5.4/series b/queue-5.4/series index 247e522584d..a84269fff3c 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -67,3 +67,20 @@ net-hns3-fix-a-copying-ipv6-address-error-in-hclge_f.patch nvme-tcp-fix-bug-on-double-requeue-when-send-fails.patch nvme-prevent-warning-triggered-by-nvme_stop_keep_ali.patch nvme-pci-move-cqe-check-after-device-shutdown.patch +ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch +audit-fix-error-handling-in-audit_data_to_entry.patch +audit-always-check-the-netlink-payload-length-in-audit_receive_msg.patch +acpica-introduce-acpi_access_byte_width-macro.patch +acpi-watchdog-fix-gas-access_width-usage.patch +kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch +hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch +hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch +hid-core-increase-hid-report-buffer-size-to-8kib.patch +drm-amdgpu-drop-driver_use_agp.patch +drm-radeon-inline-drm_get_pci_dev.patch +macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch +tracing-disable-trace_printk-on-post-poned-tests.patch +revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch +amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch +cpufreq-fix-policy-initialization-for-internal-governor-drivers.patch +io_uring-fix-32-bit-compatability-with-sendmsg-recvmsg.patch diff --git a/queue-5.4/tracing-disable-trace_printk-on-post-poned-tests.patch b/queue-5.4/tracing-disable-trace_printk-on-post-poned-tests.patch new file mode 100644 index 00000000000..854c5f77942 --- /dev/null +++ b/queue-5.4/tracing-disable-trace_printk-on-post-poned-tests.patch @@ -0,0 +1,51 @@ +From 78041c0c9e935d9ce4086feeff6c569ed88ddfd4 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 20 Feb 2020 15:38:01 -0500 +Subject: tracing: Disable trace_printk() on post poned tests + +From: Steven Rostedt (VMware) + +commit 78041c0c9e935d9ce4086feeff6c569ed88ddfd4 upstream. + +The tracing seftests checks various aspects of the tracing infrastructure, +and one is filtering. If trace_printk() is active during a self test, it can +cause the filtering to fail, which will disable that part of the trace. + +To keep the selftests from failing because of trace_printk() calls, +trace_printk() checks the variable tracing_selftest_running, and if set, it +does not write to the tracing buffer. + +As some tracers were registered earlier in boot, the selftest they triggered +would fail because not all the infrastructure was set up for the full +selftest. Thus, some of the tests were post poned to when their +infrastructure was ready (namely file system code). The postpone code did +not set the tracing_seftest_running variable, and could fail if a +trace_printk() was added and executed during their run. + +Cc: stable@vger.kernel.org +Fixes: 9afecfbb95198 ("tracing: Postpone tracer start-up tests till the system is more robust") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1743,6 +1743,7 @@ static __init int init_trace_selftests(v + + pr_info("Running postponed tracer tests:\n"); + ++ tracing_selftest_running = true; + list_for_each_entry_safe(p, n, &postponed_selftests, list) { + /* This loop can take minutes when sanitizers are enabled, so + * lets make sure we allow RCU processing. +@@ -1765,6 +1766,7 @@ static __init int init_trace_selftests(v + list_del(&p->list); + kfree(p); + } ++ tracing_selftest_running = false; + + out: + mutex_unlock(&trace_types_lock);