From: Greg Kroah-Hartman Date: Mon, 17 Aug 2020 10:59:50 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.19.140~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=94ed7e7bc486f87f9478fcf8c658de1c279b1c3d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: 9p-fix-memory-leak-in-v9fs_mount.patch alsa-hda-fix-the-micmute-led-status-for-lenovo-thinkcentre-aio.patch alsa-usb-audio-add-quirk-for-pioneer-ddj-rb.patch alsa-usb-audio-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch alsa-usb-audio-fix-overeager-device-match-for-macrosilicon-ms2109.patch alsa-usb-audio-work-around-streaming-quirk-for-macrosilicon-ms2109.patch bitfield.h-don-t-compile-time-validate-_val-in-field_fit.patch crypto-ccp-fix-use-of-merged-scatterlists.patch crypto-cpt-don-t-sleep-of-crypto_tfm_req_may_sleep-was-not-specified.patch crypto-hisilicon-don-t-sleep-of-crypto_tfm_req_may_sleep-was-not-specified.patch crypto-qat-fix-double-free-in-qat_uclo_create_batch_init_list.patch drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-alloc-failure.patch fs-minix-check-return-value-of-sb_getblk.patch fs-minix-don-t-allow-getting-deleted-inodes.patch fs-minix-reject-too-large-maximum-file-size.patch io_uring-set-ctx-sq-cq-entry-count-earlier.patch media-media-request-fix-crash-if-memory-allocation-fails.patch nfs-don-t-move-layouts-to-plh_return_segs-list-while-in-use.patch nfs-don-t-return-layout-segments-that-are-in-use.patch pstore-fix-linking-when-crypto-api-disabled.patch tpm-unify-the-mismatching-tpm-space-buffer-sizes.patch usb-serial-cp210x-enable-usb-generic-throttle-unthrottle.patch usb-serial-cp210x-re-enable-auto-rts-on-open.patch --- diff --git a/queue-5.4/9p-fix-memory-leak-in-v9fs_mount.patch b/queue-5.4/9p-fix-memory-leak-in-v9fs_mount.patch new file mode 100644 index 00000000000..4a8d8d5a14a --- /dev/null +++ b/queue-5.4/9p-fix-memory-leak-in-v9fs_mount.patch @@ -0,0 +1,48 @@ +From cb0aae0e31c632c407a2cab4307be85a001d4d98 Mon Sep 17 00:00:00 2001 +From: Zheng Bin +Date: Mon, 15 Jun 2020 09:21:53 +0800 +Subject: 9p: Fix memory leak in v9fs_mount + +From: Zheng Bin + +commit cb0aae0e31c632c407a2cab4307be85a001d4d98 upstream. + +v9fs_mount + v9fs_session_init + v9fs_cache_session_get_cookie + v9fs_random_cachetag -->alloc cachetag + v9ses->fscache = fscache_acquire_cookie -->maybe NULL + sb = sget -->fail, goto clunk +clunk_fid: + v9fs_session_close + if (v9ses->fscache) -->NULL + kfree(v9ses->cachetag) + +Thus memleak happens. + +Link: http://lkml.kernel.org/r/20200615012153.89538-1-zhengbin13@huawei.com +Fixes: 60e78d2c993e ("9p: Add fscache support to 9p") +Cc: # v2.6.32+ +Signed-off-by: Zheng Bin +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + fs/9p/v9fs.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/9p/v9fs.c ++++ b/fs/9p/v9fs.c +@@ -500,10 +500,9 @@ void v9fs_session_close(struct v9fs_sess + } + + #ifdef CONFIG_9P_FSCACHE +- if (v9ses->fscache) { ++ if (v9ses->fscache) + v9fs_cache_session_put_cookie(v9ses); +- kfree(v9ses->cachetag); +- } ++ kfree(v9ses->cachetag); + #endif + kfree(v9ses->uname); + kfree(v9ses->aname); diff --git a/queue-5.4/alsa-hda-fix-the-micmute-led-status-for-lenovo-thinkcentre-aio.patch b/queue-5.4/alsa-hda-fix-the-micmute-led-status-for-lenovo-thinkcentre-aio.patch new file mode 100644 index 00000000000..fbe7cd4bd7a --- /dev/null +++ b/queue-5.4/alsa-hda-fix-the-micmute-led-status-for-lenovo-thinkcentre-aio.patch @@ -0,0 +1,36 @@ +From 386a6539992b82fe9ac4f9dc3f548956fd894d8c Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Mon, 10 Aug 2020 10:16:59 +0800 +Subject: ALSA: hda - fix the micmute led status for Lenovo ThinkCentre AIO + +From: Hui Wang + +commit 386a6539992b82fe9ac4f9dc3f548956fd894d8c upstream. + +After installing the Ubuntu Linux, the micmute led status is not +correct. Users expect that the led is on if the capture is disabled, +but with the current kernel, the led is off with the capture disabled. + +We tried the old linux kernel like linux-4.15, there is no this issue. +It looks like we introduced this issue when switching to the led_cdev. + +Cc: +Signed-off-by: Hui Wang +Link: https://lore.kernel.org/r/20200810021659.7429-1-hui.wang@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4391,6 +4391,7 @@ static void alc233_fixup_lenovo_line2_mi + { + struct alc_spec *spec = codec->spec; + ++ spec->micmute_led_polarity = 1; + alc_fixup_hp_gpio_led(codec, action, 0, 0x04); + if (action == HDA_FIXUP_ACT_PRE_PROBE) { + spec->init_amp = ALC_INIT_DEFAULT; diff --git a/queue-5.4/alsa-usb-audio-add-quirk-for-pioneer-ddj-rb.patch b/queue-5.4/alsa-usb-audio-add-quirk-for-pioneer-ddj-rb.patch new file mode 100644 index 00000000000..99ef3546cb2 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-add-quirk-for-pioneer-ddj-rb.patch @@ -0,0 +1,87 @@ +From 6e8596172ee1cd46ec0bfd5adcf4ff86371478b6 Mon Sep 17 00:00:00 2001 +From: Hector Martin +Date: Mon, 10 Aug 2020 17:25:02 +0900 +Subject: ALSA: usb-audio: add quirk for Pioneer DDJ-RB + +From: Hector Martin + +commit 6e8596172ee1cd46ec0bfd5adcf4ff86371478b6 upstream. + +This is just another Pioneer device with fixed endpoints. Input is dummy +but used as feedback (it always returns silence). + +Cc: stable@vger.kernel.org +Signed-off-by: Hector Martin +Link: https://lore.kernel.org/r/20200810082502.225979-1-marcan@marcan.st +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/quirks-table.h | 56 +++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3570,6 +3570,62 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge + } + } + }, ++{ ++ /* ++ * PIONEER DJ DDJ-RB ++ * PCM is 4 channels out, 2 dummy channels in @ 44.1 fixed ++ * The feedback for the output is the dummy input. ++ */ ++ USB_DEVICE_VENDOR_SPEC(0x2b73, 0x000e), ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_COMPOSITE, ++ .data = (const struct snd_usb_audio_quirk[]) { ++ { ++ .ifnum = 0, ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, ++ .data = &(const struct audioformat) { ++ .formats = SNDRV_PCM_FMTBIT_S24_3LE, ++ .channels = 4, ++ .iface = 0, ++ .altsetting = 1, ++ .altset_idx = 1, ++ .endpoint = 0x01, ++ .ep_attr = USB_ENDPOINT_XFER_ISOC| ++ USB_ENDPOINT_SYNC_ASYNC, ++ .rates = SNDRV_PCM_RATE_44100, ++ .rate_min = 44100, ++ .rate_max = 44100, ++ .nr_rates = 1, ++ .rate_table = (unsigned int[]) { 44100 } ++ } ++ }, ++ { ++ .ifnum = 0, ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, ++ .data = &(const struct audioformat) { ++ .formats = SNDRV_PCM_FMTBIT_S24_3LE, ++ .channels = 2, ++ .iface = 0, ++ .altsetting = 1, ++ .altset_idx = 1, ++ .endpoint = 0x82, ++ .ep_attr = USB_ENDPOINT_XFER_ISOC| ++ USB_ENDPOINT_SYNC_ASYNC| ++ USB_ENDPOINT_USAGE_IMPLICIT_FB, ++ .rates = SNDRV_PCM_RATE_44100, ++ .rate_min = 44100, ++ .rate_max = 44100, ++ .nr_rates = 1, ++ .rate_table = (unsigned int[]) { 44100 } ++ } ++ }, ++ { ++ .ifnum = -1 ++ } ++ } ++ } ++}, + + #define ALC1220_VB_DESKTOP(vend, prod) { \ + USB_DEVICE(vend, prod), \ diff --git a/queue-5.4/alsa-usb-audio-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch b/queue-5.4/alsa-usb-audio-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch new file mode 100644 index 00000000000..28ed1724527 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch @@ -0,0 +1,34 @@ +From fec9008828cde0076aae595ac031bfcf49d335a4 Mon Sep 17 00:00:00 2001 +From: Mirko Dietrich +Date: Thu, 6 Aug 2020 14:48:50 +0200 +Subject: ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support + +From: Mirko Dietrich + +commit fec9008828cde0076aae595ac031bfcf49d335a4 upstream. + +Adds an entry for Creative USB X-Fi to the rc_config array in +mixer_quirks.c to allow use of volume knob on the device. +Adds support for newer X-Fi Pro card, known as "Model No. SB1095" +with USB ID "041e:3263" + +Signed-off-by: Mirko Dietrich +Cc: +Link: https://lore.kernel.org/r/20200806124850.20334-1-buzz@l4m1.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer_quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -184,6 +184,7 @@ static const struct rc_config { + { USB_ID(0x041e, 0x3042), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 */ + { USB_ID(0x041e, 0x30df), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ + { USB_ID(0x041e, 0x3237), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ ++ { USB_ID(0x041e, 0x3263), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ + { USB_ID(0x041e, 0x3048), 2, 2, 6, 6, 2, 0x6e91 }, /* Toshiba SB0500 */ + }; + diff --git a/queue-5.4/alsa-usb-audio-fix-overeager-device-match-for-macrosilicon-ms2109.patch b/queue-5.4/alsa-usb-audio-fix-overeager-device-match-for-macrosilicon-ms2109.patch new file mode 100644 index 00000000000..9d542ccf6b7 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-fix-overeager-device-match-for-macrosilicon-ms2109.patch @@ -0,0 +1,40 @@ +From 14a720dc1f5332f3bdf30a23a3bc549e81be974c Mon Sep 17 00:00:00 2001 +From: Hector Martin +Date: Mon, 10 Aug 2020 13:53:19 +0900 +Subject: ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109 + +From: Hector Martin + +commit 14a720dc1f5332f3bdf30a23a3bc549e81be974c upstream. + +Matching by device matches all interfaces, which breaks the video/HID +portions of the device depending on module load order. + +Fixes: e337bf19f6af ("ALSA: usb-audio: add quirk for MacroSilicon MS2109") +Cc: stable@vger.kernel.org +Signed-off-by: Hector Martin +Link: https://lore.kernel.org/r/20200810045319.128745-1-marcan@marcan.st +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/quirks-table.h | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3623,7 +3623,13 @@ ALC1220_VB_DESKTOP(0x26ce, 0x0a01), /* A + * with. + */ + { +- USB_DEVICE(0x534d, 0x2109), ++ .match_flags = USB_DEVICE_ID_MATCH_DEVICE | ++ USB_DEVICE_ID_MATCH_INT_CLASS | ++ USB_DEVICE_ID_MATCH_INT_SUBCLASS, ++ .idVendor = 0x534d, ++ .idProduct = 0x2109, ++ .bInterfaceClass = USB_CLASS_AUDIO, ++ .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, + .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { + .vendor_name = "MacroSilicon", + .product_name = "MS2109", diff --git a/queue-5.4/alsa-usb-audio-work-around-streaming-quirk-for-macrosilicon-ms2109.patch b/queue-5.4/alsa-usb-audio-work-around-streaming-quirk-for-macrosilicon-ms2109.patch new file mode 100644 index 00000000000..4c89bcae571 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-work-around-streaming-quirk-for-macrosilicon-ms2109.patch @@ -0,0 +1,80 @@ +From 1b7ecc241a67ad6b584e071bd791a54e0cd5f097 Mon Sep 17 00:00:00 2001 +From: Hector Martin +Date: Mon, 10 Aug 2020 17:24:00 +0900 +Subject: ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109 + +From: Hector Martin + +commit 1b7ecc241a67ad6b584e071bd791a54e0cd5f097 upstream. + +Further investigation of the L-R swap problem on the MS2109 reveals that +the problem isn't that the channels are swapped, but rather that they +are swapped and also out of phase by one sample. In other words, the +issue is actually that the very first frame that comes from the hardware +is a half-frame containing only the right channel, and after that +everything becomes offset. + +So introduce a new quirk field to drop the very first 2 bytes that come +in after the format is configured and a capture stream starts. This puts +the channels in phase and in the correct order. + +Cc: stable@vger.kernel.org +Signed-off-by: Hector Martin +Link: https://lore.kernel.org/r/20200810082400.225858-1-marcan@marcan.st +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/card.h | 1 + + sound/usb/pcm.c | 6 ++++++ + sound/usb/quirks.c | 3 +++ + sound/usb/stream.c | 1 + + 4 files changed, 11 insertions(+) + +--- a/sound/usb/card.h ++++ b/sound/usb/card.h +@@ -133,6 +133,7 @@ struct snd_usb_substream { + unsigned int tx_length_quirk:1; /* add length specifier to transfers */ + unsigned int fmt_type; /* USB audio format type (1-3) */ + unsigned int pkt_offset_adj; /* Bytes to drop from beginning of packets (for non-compliant devices) */ ++ unsigned int stream_offset_adj; /* Bytes to drop from beginning of stream (for non-compliant devices) */ + + unsigned int running: 1; /* running status */ + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -1417,6 +1417,12 @@ static void retire_capture_urb(struct sn + // continue; + } + bytes = urb->iso_frame_desc[i].actual_length; ++ if (subs->stream_offset_adj > 0) { ++ unsigned int adj = min(subs->stream_offset_adj, bytes); ++ cp += adj; ++ bytes -= adj; ++ subs->stream_offset_adj -= adj; ++ } + frames = bytes / stride; + if (!subs->txfr_quirk) + bytes = frames * stride; +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1432,6 +1432,9 @@ void snd_usb_set_format_quirk(struct snd + case USB_ID(0x041e, 0x3f19): /* E-Mu 0204 USB */ + set_format_emu_quirk(subs, fmt); + break; ++ case USB_ID(0x534d, 0x2109): /* MacroSilicon MS2109 */ ++ subs->stream_offset_adj = 2; ++ break; + } + } + +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -94,6 +94,7 @@ static void snd_usb_init_substream(struc + subs->tx_length_quirk = as->chip->tx_length_quirk; + subs->speed = snd_usb_get_speed(subs->dev); + subs->pkt_offset_adj = 0; ++ subs->stream_offset_adj = 0; + + snd_usb_set_pcm_ops(as->pcm, stream); + diff --git a/queue-5.4/bitfield.h-don-t-compile-time-validate-_val-in-field_fit.patch b/queue-5.4/bitfield.h-don-t-compile-time-validate-_val-in-field_fit.patch new file mode 100644 index 00000000000..24f13e3e4ba --- /dev/null +++ b/queue-5.4/bitfield.h-don-t-compile-time-validate-_val-in-field_fit.patch @@ -0,0 +1,55 @@ +From 444da3f52407d74c9aa12187ac6b01f76ee47d62 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Mon, 10 Aug 2020 11:21:11 -0700 +Subject: bitfield.h: don't compile-time validate _val in FIELD_FIT + +From: Jakub Kicinski + +commit 444da3f52407d74c9aa12187ac6b01f76ee47d62 upstream. + +When ur_load_imm_any() is inlined into jeq_imm(), it's possible for the +compiler to deduce a case where _val can only have the value of -1 at +compile time. Specifically, + +/* struct bpf_insn: _s32 imm */ +u64 imm = insn->imm; /* sign extend */ +if (imm >> 32) { /* non-zero only if insn->imm is negative */ + /* inlined from ur_load_imm_any */ + u32 __imm = imm >> 32; /* therefore, always 0xffffffff */ + if (__builtin_constant_p(__imm) && __imm > 255) + compiletime_assert_XXX() + +This can result in tripping a BUILD_BUG_ON() in __BF_FIELD_CHECK() that +checks that a given value is representable in one byte (interpreted as +unsigned). + +FIELD_FIT() should return true or false at runtime for whether a value +can fit for not. Don't break the build over a value that's too large for +the mask. We'd prefer to keep the inlining and compiler optimizations +though we know this case will always return false. + +Cc: stable@vger.kernel.org +Fixes: 1697599ee301a ("bitfield.h: add FIELD_FIT() helper") +Link: https://lore.kernel.org/kernel-hardening/CAK7LNASvb0UDJ0U5wkYYRzTAdnEs64HjXpEUL7d=V0CXiAXcNw@mail.gmail.com/ +Reported-by: Masahiro Yamada +Debugged-by: Sami Tolvanen +Signed-off-by: Jakub Kicinski +Signed-off-by: Nick Desaulniers +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/bitfield.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/bitfield.h ++++ b/include/linux/bitfield.h +@@ -64,7 +64,7 @@ + */ + #define FIELD_FIT(_mask, _val) \ + ({ \ +- __BF_FIELD_CHECK(_mask, 0ULL, _val, "FIELD_FIT: "); \ ++ __BF_FIELD_CHECK(_mask, 0ULL, 0ULL, "FIELD_FIT: "); \ + !((((typeof(_mask))_val) << __bf_shf(_mask)) & ~(_mask)); \ + }) + diff --git a/queue-5.4/crypto-ccp-fix-use-of-merged-scatterlists.patch b/queue-5.4/crypto-ccp-fix-use-of-merged-scatterlists.patch new file mode 100644 index 00000000000..d5eeca1f93b --- /dev/null +++ b/queue-5.4/crypto-ccp-fix-use-of-merged-scatterlists.patch @@ -0,0 +1,176 @@ +From 8a302808c60d441d9884cb00ea7f2b534f2e3ca5 Mon Sep 17 00:00:00 2001 +From: John Allen +Date: Mon, 22 Jun 2020 15:24:02 -0500 +Subject: crypto: ccp - Fix use of merged scatterlists + +From: John Allen + +commit 8a302808c60d441d9884cb00ea7f2b534f2e3ca5 upstream. + +Running the crypto manager self tests with +CONFIG_CRYPTO_MANAGER_EXTRA_TESTS may result in several types of errors +when using the ccp-crypto driver: + +alg: skcipher: cbc-des3-ccp encryption failed on test vector 0; expected_error=0, actual_error=-5 ... + +alg: skcipher: ctr-aes-ccp decryption overran dst buffer on test vector 0 ... + +alg: ahash: sha224-ccp test failed (wrong result) on test vector ... + +These errors are the result of improper processing of scatterlists mapped +for DMA. + +Given a scatterlist in which entries are merged as part of mapping the +scatterlist for DMA, the DMA length of a merged entry will reflect the +combined length of the entries that were merged. The subsequent +scatterlist entry will contain DMA information for the scatterlist entry +after the last merged entry, but the non-DMA information will be that of +the first merged entry. + +The ccp driver does not take this scatterlist merging into account. To +address this, add a second scatterlist pointer to track the current +position in the DMA mapped representation of the scatterlist. Both the DMA +representation and the original representation of the scatterlist must be +tracked as while most of the driver can use just the DMA representation, +scatterlist_map_and_copy() must use the original representation and +expects the scatterlist pointer to be accurate to the original +representation. + +In order to properly walk the original scatterlist, the scatterlist must +be walked until the combined lengths of the entries seen is equal to the +DMA length of the current entry being processed in the DMA mapped +representation. + +Fixes: 63b945091a070 ("crypto: ccp - CCP device driver and interface support") +Signed-off-by: John Allen +Cc: stable@vger.kernel.org +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-dev.h | 1 + + drivers/crypto/ccp/ccp-ops.c | 37 ++++++++++++++++++++++++++----------- + 2 files changed, 27 insertions(+), 11 deletions(-) + +--- a/drivers/crypto/ccp/ccp-dev.h ++++ b/drivers/crypto/ccp/ccp-dev.h +@@ -469,6 +469,7 @@ struct ccp_sg_workarea { + unsigned int sg_used; + + struct scatterlist *dma_sg; ++ struct scatterlist *dma_sg_head; + struct device *dma_dev; + unsigned int dma_count; + enum dma_data_direction dma_dir; +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -63,7 +63,7 @@ static u32 ccp_gen_jobid(struct ccp_devi + static void ccp_sg_free(struct ccp_sg_workarea *wa) + { + if (wa->dma_count) +- dma_unmap_sg(wa->dma_dev, wa->dma_sg, wa->nents, wa->dma_dir); ++ dma_unmap_sg(wa->dma_dev, wa->dma_sg_head, wa->nents, wa->dma_dir); + + wa->dma_count = 0; + } +@@ -92,6 +92,7 @@ static int ccp_init_sg_workarea(struct c + return 0; + + wa->dma_sg = sg; ++ wa->dma_sg_head = sg; + wa->dma_dev = dev; + wa->dma_dir = dma_dir; + wa->dma_count = dma_map_sg(dev, sg, wa->nents, dma_dir); +@@ -104,14 +105,28 @@ static int ccp_init_sg_workarea(struct c + static void ccp_update_sg_workarea(struct ccp_sg_workarea *wa, unsigned int len) + { + unsigned int nbytes = min_t(u64, len, wa->bytes_left); ++ unsigned int sg_combined_len = 0; + + if (!wa->sg) + return; + + wa->sg_used += nbytes; + wa->bytes_left -= nbytes; +- if (wa->sg_used == wa->sg->length) { +- wa->sg = sg_next(wa->sg); ++ if (wa->sg_used == sg_dma_len(wa->dma_sg)) { ++ /* Advance to the next DMA scatterlist entry */ ++ wa->dma_sg = sg_next(wa->dma_sg); ++ ++ /* In the case that the DMA mapped scatterlist has entries ++ * that have been merged, the non-DMA mapped scatterlist ++ * must be advanced multiple times for each merged entry. ++ * This ensures that the current non-DMA mapped entry ++ * corresponds to the current DMA mapped entry. ++ */ ++ do { ++ sg_combined_len += wa->sg->length; ++ wa->sg = sg_next(wa->sg); ++ } while (wa->sg_used > sg_combined_len); ++ + wa->sg_used = 0; + } + } +@@ -299,7 +314,7 @@ static unsigned int ccp_queue_buf(struct + /* Update the structures and generate the count */ + buf_count = 0; + while (sg_wa->bytes_left && (buf_count < dm_wa->length)) { +- nbytes = min(sg_wa->sg->length - sg_wa->sg_used, ++ nbytes = min(sg_dma_len(sg_wa->dma_sg) - sg_wa->sg_used, + dm_wa->length - buf_count); + nbytes = min_t(u64, sg_wa->bytes_left, nbytes); + +@@ -331,11 +346,11 @@ static void ccp_prepare_data(struct ccp_ + * and destination. The resulting len values will always be <= UINT_MAX + * because the dma length is an unsigned int. + */ +- sg_src_len = sg_dma_len(src->sg_wa.sg) - src->sg_wa.sg_used; ++ sg_src_len = sg_dma_len(src->sg_wa.dma_sg) - src->sg_wa.sg_used; + sg_src_len = min_t(u64, src->sg_wa.bytes_left, sg_src_len); + + if (dst) { +- sg_dst_len = sg_dma_len(dst->sg_wa.sg) - dst->sg_wa.sg_used; ++ sg_dst_len = sg_dma_len(dst->sg_wa.dma_sg) - dst->sg_wa.sg_used; + sg_dst_len = min_t(u64, src->sg_wa.bytes_left, sg_dst_len); + op_len = min(sg_src_len, sg_dst_len); + } else { +@@ -365,7 +380,7 @@ static void ccp_prepare_data(struct ccp_ + /* Enough data in the sg element, but we need to + * adjust for any previously copied data + */ +- op->src.u.dma.address = sg_dma_address(src->sg_wa.sg); ++ op->src.u.dma.address = sg_dma_address(src->sg_wa.dma_sg); + op->src.u.dma.offset = src->sg_wa.sg_used; + op->src.u.dma.length = op_len & ~(block_size - 1); + +@@ -386,7 +401,7 @@ static void ccp_prepare_data(struct ccp_ + /* Enough room in the sg element, but we need to + * adjust for any previously used area + */ +- op->dst.u.dma.address = sg_dma_address(dst->sg_wa.sg); ++ op->dst.u.dma.address = sg_dma_address(dst->sg_wa.dma_sg); + op->dst.u.dma.offset = dst->sg_wa.sg_used; + op->dst.u.dma.length = op->src.u.dma.length; + } +@@ -2028,7 +2043,7 @@ ccp_run_passthru_cmd(struct ccp_cmd_queu + dst.sg_wa.sg_used = 0; + for (i = 1; i <= src.sg_wa.dma_count; i++) { + if (!dst.sg_wa.sg || +- (dst.sg_wa.sg->length < src.sg_wa.sg->length)) { ++ (sg_dma_len(dst.sg_wa.sg) < sg_dma_len(src.sg_wa.sg))) { + ret = -EINVAL; + goto e_dst; + } +@@ -2054,8 +2069,8 @@ ccp_run_passthru_cmd(struct ccp_cmd_queu + goto e_dst; + } + +- dst.sg_wa.sg_used += src.sg_wa.sg->length; +- if (dst.sg_wa.sg_used == dst.sg_wa.sg->length) { ++ dst.sg_wa.sg_used += sg_dma_len(src.sg_wa.sg); ++ if (dst.sg_wa.sg_used == sg_dma_len(dst.sg_wa.sg)) { + dst.sg_wa.sg = sg_next(dst.sg_wa.sg); + dst.sg_wa.sg_used = 0; + } diff --git a/queue-5.4/crypto-cpt-don-t-sleep-of-crypto_tfm_req_may_sleep-was-not-specified.patch b/queue-5.4/crypto-cpt-don-t-sleep-of-crypto_tfm_req_may_sleep-was-not-specified.patch new file mode 100644 index 00000000000..ed5e482ac7f --- /dev/null +++ b/queue-5.4/crypto-cpt-don-t-sleep-of-crypto_tfm_req_may_sleep-was-not-specified.patch @@ -0,0 +1,103 @@ +From 9e27c99104707f083dccd3b4d79762859b5a0614 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 17 Jun 2020 09:48:56 -0400 +Subject: crypto: cpt - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified + +From: Mikulas Patocka + +commit 9e27c99104707f083dccd3b4d79762859b5a0614 upstream. + +There is this call chain: +cvm_encrypt -> cvm_enc_dec -> cptvf_do_request -> process_request -> kzalloc +where we call sleeping allocator function even if CRYPTO_TFM_REQ_MAY_SLEEP +was not specified. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org # v4.11+ +Fixes: c694b233295b ("crypto: cavium - Add the Virtual Function driver for CPT") +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/cavium/cpt/cptvf_algs.c | 1 + + drivers/crypto/cavium/cpt/cptvf_reqmanager.c | 12 ++++++------ + drivers/crypto/cavium/cpt/request_manager.h | 2 ++ + 3 files changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/crypto/cavium/cpt/cptvf_algs.c ++++ b/drivers/crypto/cavium/cpt/cptvf_algs.c +@@ -200,6 +200,7 @@ static inline int cvm_enc_dec(struct abl + int status; + + memset(req_info, 0, sizeof(struct cpt_request_info)); ++ req_info->may_sleep = (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) != 0; + memset(fctx, 0, sizeof(struct fc_context)); + create_input_list(req, enc, enc_iv_len); + create_output_list(req, enc_iv_len); +--- a/drivers/crypto/cavium/cpt/cptvf_reqmanager.c ++++ b/drivers/crypto/cavium/cpt/cptvf_reqmanager.c +@@ -133,7 +133,7 @@ static inline int setup_sgio_list(struct + + /* Setup gather (input) components */ + g_sz_bytes = ((req->incnt + 3) / 4) * sizeof(struct sglist_component); +- info->gather_components = kzalloc(g_sz_bytes, GFP_KERNEL); ++ info->gather_components = kzalloc(g_sz_bytes, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); + if (!info->gather_components) { + ret = -ENOMEM; + goto scatter_gather_clean; +@@ -150,7 +150,7 @@ static inline int setup_sgio_list(struct + + /* Setup scatter (output) components */ + s_sz_bytes = ((req->outcnt + 3) / 4) * sizeof(struct sglist_component); +- info->scatter_components = kzalloc(s_sz_bytes, GFP_KERNEL); ++ info->scatter_components = kzalloc(s_sz_bytes, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); + if (!info->scatter_components) { + ret = -ENOMEM; + goto scatter_gather_clean; +@@ -167,7 +167,7 @@ static inline int setup_sgio_list(struct + + /* Create and initialize DPTR */ + info->dlen = g_sz_bytes + s_sz_bytes + SG_LIST_HDR_SIZE; +- info->in_buffer = kzalloc(info->dlen, GFP_KERNEL); ++ info->in_buffer = kzalloc(info->dlen, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); + if (!info->in_buffer) { + ret = -ENOMEM; + goto scatter_gather_clean; +@@ -195,7 +195,7 @@ static inline int setup_sgio_list(struct + } + + /* Create and initialize RPTR */ +- info->out_buffer = kzalloc(COMPLETION_CODE_SIZE, GFP_KERNEL); ++ info->out_buffer = kzalloc(COMPLETION_CODE_SIZE, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); + if (!info->out_buffer) { + ret = -ENOMEM; + goto scatter_gather_clean; +@@ -421,7 +421,7 @@ int process_request(struct cpt_vf *cptvf + struct cpt_vq_command vq_cmd; + union cpt_inst_s cptinst; + +- info = kzalloc(sizeof(*info), GFP_KERNEL); ++ info = kzalloc(sizeof(*info), req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); + if (unlikely(!info)) { + dev_err(&pdev->dev, "Unable to allocate memory for info_buffer\n"); + return -ENOMEM; +@@ -443,7 +443,7 @@ int process_request(struct cpt_vf *cptvf + * Get buffer for union cpt_res_s response + * structure and its physical address + */ +- info->completion_addr = kzalloc(sizeof(union cpt_res_s), GFP_KERNEL); ++ info->completion_addr = kzalloc(sizeof(union cpt_res_s), req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); + if (unlikely(!info->completion_addr)) { + dev_err(&pdev->dev, "Unable to allocate memory for completion_addr\n"); + ret = -ENOMEM; +--- a/drivers/crypto/cavium/cpt/request_manager.h ++++ b/drivers/crypto/cavium/cpt/request_manager.h +@@ -62,6 +62,8 @@ struct cpt_request_info { + union ctrl_info ctrl; /* User control information */ + struct cptvf_request req; /* Request Information (Core specific) */ + ++ bool may_sleep; ++ + struct buf_ptr in[MAX_BUF_CNT]; + struct buf_ptr out[MAX_BUF_CNT]; + diff --git a/queue-5.4/crypto-hisilicon-don-t-sleep-of-crypto_tfm_req_may_sleep-was-not-specified.patch b/queue-5.4/crypto-hisilicon-don-t-sleep-of-crypto_tfm_req_may_sleep-was-not-specified.patch new file mode 100644 index 00000000000..478483e1447 --- /dev/null +++ b/queue-5.4/crypto-hisilicon-don-t-sleep-of-crypto_tfm_req_may_sleep-was-not-specified.patch @@ -0,0 +1,173 @@ +From 5ead051780404b5cb22147170acadd1994dc3236 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 17 Jun 2020 09:49:52 -0400 +Subject: crypto: hisilicon - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified + +From: Mikulas Patocka + +commit 5ead051780404b5cb22147170acadd1994dc3236 upstream. + +There is this call chain: +sec_alg_skcipher_encrypt -> sec_alg_skcipher_crypto -> +sec_alg_alloc_and_calc_split_sizes -> kcalloc +where we call sleeping allocator function even if CRYPTO_TFM_REQ_MAY_SLEEP +was not specified. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org # v4.19+ +Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver") +Acked-by: Jonathan Cameron +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/hisilicon/sec/sec_algs.c | 34 ++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +--- a/drivers/crypto/hisilicon/sec/sec_algs.c ++++ b/drivers/crypto/hisilicon/sec/sec_algs.c +@@ -175,7 +175,8 @@ static int sec_alloc_and_fill_hw_sgl(str + dma_addr_t *psec_sgl, + struct scatterlist *sgl, + int count, +- struct sec_dev_info *info) ++ struct sec_dev_info *info, ++ gfp_t gfp) + { + struct sec_hw_sgl *sgl_current = NULL; + struct sec_hw_sgl *sgl_next; +@@ -190,7 +191,7 @@ static int sec_alloc_and_fill_hw_sgl(str + sge_index = i % SEC_MAX_SGE_NUM; + if (sge_index == 0) { + sgl_next = dma_pool_zalloc(info->hw_sgl_pool, +- GFP_KERNEL, &sgl_next_dma); ++ gfp, &sgl_next_dma); + if (!sgl_next) { + ret = -ENOMEM; + goto err_free_hw_sgls; +@@ -545,14 +546,14 @@ void sec_alg_callback(struct sec_bd_info + } + + static int sec_alg_alloc_and_calc_split_sizes(int length, size_t **split_sizes, +- int *steps) ++ int *steps, gfp_t gfp) + { + size_t *sizes; + int i; + + /* Split into suitable sized blocks */ + *steps = roundup(length, SEC_REQ_LIMIT) / SEC_REQ_LIMIT; +- sizes = kcalloc(*steps, sizeof(*sizes), GFP_KERNEL); ++ sizes = kcalloc(*steps, sizeof(*sizes), gfp); + if (!sizes) + return -ENOMEM; + +@@ -568,7 +569,7 @@ static int sec_map_and_split_sg(struct s + int steps, struct scatterlist ***splits, + int **splits_nents, + int sgl_len_in, +- struct device *dev) ++ struct device *dev, gfp_t gfp) + { + int ret, count; + +@@ -576,12 +577,12 @@ static int sec_map_and_split_sg(struct s + if (!count) + return -EINVAL; + +- *splits = kcalloc(steps, sizeof(struct scatterlist *), GFP_KERNEL); ++ *splits = kcalloc(steps, sizeof(struct scatterlist *), gfp); + if (!*splits) { + ret = -ENOMEM; + goto err_unmap_sg; + } +- *splits_nents = kcalloc(steps, sizeof(int), GFP_KERNEL); ++ *splits_nents = kcalloc(steps, sizeof(int), gfp); + if (!*splits_nents) { + ret = -ENOMEM; + goto err_free_splits; +@@ -589,7 +590,7 @@ static int sec_map_and_split_sg(struct s + + /* output the scatter list before and after this */ + ret = sg_split(sgl, count, 0, steps, split_sizes, +- *splits, *splits_nents, GFP_KERNEL); ++ *splits, *splits_nents, gfp); + if (ret) { + ret = -ENOMEM; + goto err_free_splits_nents; +@@ -630,13 +631,13 @@ static struct sec_request_el + int el_size, bool different_dest, + struct scatterlist *sgl_in, int n_ents_in, + struct scatterlist *sgl_out, int n_ents_out, +- struct sec_dev_info *info) ++ struct sec_dev_info *info, gfp_t gfp) + { + struct sec_request_el *el; + struct sec_bd_info *req; + int ret; + +- el = kzalloc(sizeof(*el), GFP_KERNEL); ++ el = kzalloc(sizeof(*el), gfp); + if (!el) + return ERR_PTR(-ENOMEM); + el->el_length = el_size; +@@ -668,7 +669,7 @@ static struct sec_request_el + el->sgl_in = sgl_in; + + ret = sec_alloc_and_fill_hw_sgl(&el->in, &el->dma_in, el->sgl_in, +- n_ents_in, info); ++ n_ents_in, info, gfp); + if (ret) + goto err_free_el; + +@@ -679,7 +680,7 @@ static struct sec_request_el + el->sgl_out = sgl_out; + ret = sec_alloc_and_fill_hw_sgl(&el->out, &el->dma_out, + el->sgl_out, +- n_ents_out, info); ++ n_ents_out, info, gfp); + if (ret) + goto err_free_hw_sgl_in; + +@@ -720,6 +721,7 @@ static int sec_alg_skcipher_crypto(struc + int *splits_out_nents = NULL; + struct sec_request_el *el, *temp; + bool split = skreq->src != skreq->dst; ++ gfp_t gfp = skreq->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL : GFP_ATOMIC; + + mutex_init(&sec_req->lock); + sec_req->req_base = &skreq->base; +@@ -728,13 +730,13 @@ static int sec_alg_skcipher_crypto(struc + sec_req->len_in = sg_nents(skreq->src); + + ret = sec_alg_alloc_and_calc_split_sizes(skreq->cryptlen, &split_sizes, +- &steps); ++ &steps, gfp); + if (ret) + return ret; + sec_req->num_elements = steps; + ret = sec_map_and_split_sg(skreq->src, split_sizes, steps, &splits_in, + &splits_in_nents, sec_req->len_in, +- info->dev); ++ info->dev, gfp); + if (ret) + goto err_free_split_sizes; + +@@ -742,7 +744,7 @@ static int sec_alg_skcipher_crypto(struc + sec_req->len_out = sg_nents(skreq->dst); + ret = sec_map_and_split_sg(skreq->dst, split_sizes, steps, + &splits_out, &splits_out_nents, +- sec_req->len_out, info->dev); ++ sec_req->len_out, info->dev, gfp); + if (ret) + goto err_unmap_in_sg; + } +@@ -775,7 +777,7 @@ static int sec_alg_skcipher_crypto(struc + splits_in[i], splits_in_nents[i], + split ? splits_out[i] : NULL, + split ? splits_out_nents[i] : 0, +- info); ++ info, gfp); + if (IS_ERR(el)) { + ret = PTR_ERR(el); + goto err_free_elements; diff --git a/queue-5.4/crypto-qat-fix-double-free-in-qat_uclo_create_batch_init_list.patch b/queue-5.4/crypto-qat-fix-double-free-in-qat_uclo_create_batch_init_list.patch new file mode 100644 index 00000000000..cebc13c5f88 --- /dev/null +++ b/queue-5.4/crypto-qat-fix-double-free-in-qat_uclo_create_batch_init_list.patch @@ -0,0 +1,91 @@ +From c06c76602e03bde24ee69a2022a829127e504202 Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Mon, 13 Jul 2020 07:06:34 -0700 +Subject: crypto: qat - fix double free in qat_uclo_create_batch_init_list + +From: Tom Rix + +commit c06c76602e03bde24ee69a2022a829127e504202 upstream. + +clang static analysis flags this error + +qat_uclo.c:297:3: warning: Attempt to free released memory + [unix.Malloc] + kfree(*init_tab_base); + ^~~~~~~~~~~~~~~~~~~~~ + +When input *init_tab_base is null, the function allocates memory for +the head of the list. When there is problem allocating other list +elements the list is unwound and freed. Then a check is made if the +list head was allocated and is also freed. + +Keeping track of the what may need to be freed is the variable 'tail_old'. +The unwinding/freeing block is + + while (tail_old) { + mem_init = tail_old->next; + kfree(tail_old); + tail_old = mem_init; + } + +The problem is that the first element of tail_old is also what was +allocated for the list head + + init_header = kzalloc(sizeof(*init_header), GFP_KERNEL); + ... + *init_tab_base = init_header; + flag = 1; + } + tail_old = init_header; + +So *init_tab_base/init_header are freed twice. + +There is another problem. +When the input *init_tab_base is non null the tail_old is calculated by +traveling down the list to first non null entry. + + tail_old = init_header; + while (tail_old->next) + tail_old = tail_old->next; + +When the unwinding free happens, the last entry of the input list will +be freed. + +So the freeing needs a general changed. +If locally allocated the first element of tail_old is freed, else it +is skipped. As a bit of cleanup, reset *init_tab_base if it came in +as null. + +Fixes: b4b7e67c917f ("crypto: qat - Intel(R) QAT ucode part of fw loader") +Cc: +Signed-off-by: Tom Rix +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/qat/qat_common/qat_uclo.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/qat/qat_common/qat_uclo.c ++++ b/drivers/crypto/qat/qat_common/qat_uclo.c +@@ -332,13 +332,18 @@ static int qat_uclo_create_batch_init_li + } + return 0; + out_err: ++ /* Do not free the list head unless we allocated it. */ ++ tail_old = tail_old->next; ++ if (flag) { ++ kfree(*init_tab_base); ++ *init_tab_base = NULL; ++ } ++ + while (tail_old) { + mem_init = tail_old->next; + kfree(tail_old); + tail_old = mem_init; + } +- if (flag) +- kfree(*init_tab_base); + return -ENOMEM; + } + diff --git a/queue-5.4/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-alloc-failure.patch b/queue-5.4/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-alloc-failure.patch new file mode 100644 index 00000000000..1dc67a7d316 --- /dev/null +++ b/queue-5.4/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-alloc-failure.patch @@ -0,0 +1,76 @@ +From 5de5b6ecf97a021f29403aa272cb4e03318ef586 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Tue, 28 Jul 2020 14:17:36 +1000 +Subject: drm/ttm/nouveau: don't call tt destroy callback on alloc failure. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dave Airlie + +commit 5de5b6ecf97a021f29403aa272cb4e03318ef586 upstream. + +This is confusing, and from my reading of all the drivers only +nouveau got this right. + +Just make the API act under driver control of it's own allocation +failing, and don't call destroy, if the page table fails to +create there is nothing to cleanup here. + +(I'm willing to believe I've missed something here, so please +review deeply). + +Reviewed-by: Christian König +Signed-off-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/20200728041736.20689-1-airlied@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nouveau_sgdma.c | 9 +++------ + drivers/gpu/drm/ttm/ttm_tt.c | 3 --- + 2 files changed, 3 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_sgdma.c ++++ b/drivers/gpu/drm/nouveau/nouveau_sgdma.c +@@ -96,12 +96,9 @@ nouveau_sgdma_create_ttm(struct ttm_buff + else + nvbe->ttm.ttm.func = &nv50_sgdma_backend; + +- if (ttm_dma_tt_init(&nvbe->ttm, bo, page_flags)) +- /* +- * A failing ttm_dma_tt_init() will call ttm_tt_destroy() +- * and thus our nouveau_sgdma_destroy() hook, so we don't need +- * to free nvbe here. +- */ ++ if (ttm_dma_tt_init(&nvbe->ttm, bo, page_flags)) { ++ kfree(nvbe); + return NULL; ++ } + return &nvbe->ttm.ttm; + } +--- a/drivers/gpu/drm/ttm/ttm_tt.c ++++ b/drivers/gpu/drm/ttm/ttm_tt.c +@@ -241,7 +241,6 @@ int ttm_tt_init(struct ttm_tt *ttm, stru + ttm_tt_init_fields(ttm, bo, page_flags); + + if (ttm_tt_alloc_page_directory(ttm)) { +- ttm_tt_destroy(ttm); + pr_err("Failed allocating page table\n"); + return -ENOMEM; + } +@@ -265,7 +264,6 @@ int ttm_dma_tt_init(struct ttm_dma_tt *t + + INIT_LIST_HEAD(&ttm_dma->pages_list); + if (ttm_dma_tt_alloc_page_directory(ttm_dma)) { +- ttm_tt_destroy(ttm); + pr_err("Failed allocating page table\n"); + return -ENOMEM; + } +@@ -287,7 +285,6 @@ int ttm_sg_tt_init(struct ttm_dma_tt *tt + else + ret = ttm_dma_tt_alloc_page_directory(ttm_dma); + if (ret) { +- ttm_tt_destroy(ttm); + pr_err("Failed allocating page table\n"); + return -ENOMEM; + } diff --git a/queue-5.4/fs-minix-check-return-value-of-sb_getblk.patch b/queue-5.4/fs-minix-check-return-value-of-sb_getblk.patch new file mode 100644 index 00000000000..9206dd73de3 --- /dev/null +++ b/queue-5.4/fs-minix-check-return-value-of-sb_getblk.patch @@ -0,0 +1,78 @@ +From da27e0a0e5f655f0d58d4e153c3182bb2b290f64 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 11 Aug 2020 18:35:24 -0700 +Subject: fs/minix: check return value of sb_getblk() + +From: Eric Biggers + +commit da27e0a0e5f655f0d58d4e153c3182bb2b290f64 upstream. + +Patch series "fs/minix: fix syzbot bugs and set s_maxbytes". + +This series fixes all syzbot bugs in the minix filesystem: + + KASAN: null-ptr-deref Write in get_block + KASAN: use-after-free Write in get_block + KASAN: use-after-free Read in get_block + WARNING in inc_nlink + KMSAN: uninit-value in get_block + WARNING in drop_nlink + +It also fixes the minix filesystem to set s_maxbytes correctly, so that +userspace sees the correct behavior when exceeding the max file size. + +This patch (of 6): + +sb_getblk() can fail, so check its return value. + +This fixes a NULL pointer dereference. + +Originally from Qiujun Huang. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com +Signed-off-by: Eric Biggers +Signed-off-by: Andrew Morton +Cc: Qiujun Huang +Cc: Alexander Viro +Cc: +Link: http://lkml.kernel.org/r/20200628060846.682158-1-ebiggers@kernel.org +Link: http://lkml.kernel.org/r/20200628060846.682158-2-ebiggers@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/minix/itree_common.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/minix/itree_common.c ++++ b/fs/minix/itree_common.c +@@ -75,6 +75,7 @@ static int alloc_branch(struct inode *in + int n = 0; + int i; + int parent = minix_new_block(inode); ++ int err = -ENOSPC; + + branch[0].key = cpu_to_block(parent); + if (parent) for (n = 1; n < num; n++) { +@@ -85,6 +86,11 @@ static int alloc_branch(struct inode *in + break; + branch[n].key = cpu_to_block(nr); + bh = sb_getblk(inode->i_sb, parent); ++ if (!bh) { ++ minix_free_block(inode, nr); ++ err = -ENOMEM; ++ break; ++ } + lock_buffer(bh); + memset(bh->b_data, 0, bh->b_size); + branch[n].bh = bh; +@@ -103,7 +109,7 @@ static int alloc_branch(struct inode *in + bforget(branch[i].bh); + for (i = 0; i < n; i++) + minix_free_block(inode, block_to_cpu(branch[i].key)); +- return -ENOSPC; ++ return err; + } + + static inline int splice_branch(struct inode *inode, diff --git a/queue-5.4/fs-minix-don-t-allow-getting-deleted-inodes.patch b/queue-5.4/fs-minix-don-t-allow-getting-deleted-inodes.patch new file mode 100644 index 00000000000..f92d6b79a1c --- /dev/null +++ b/queue-5.4/fs-minix-don-t-allow-getting-deleted-inodes.patch @@ -0,0 +1,59 @@ +From facb03dddec04e4aac1bb2139accdceb04deb1f3 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 11 Aug 2020 18:35:27 -0700 +Subject: fs/minix: don't allow getting deleted inodes + +From: Eric Biggers + +commit facb03dddec04e4aac1bb2139accdceb04deb1f3 upstream. + +If an inode has no links, we need to mark it bad rather than allowing it +to be accessed. This avoids WARNINGs in inc_nlink() and drop_nlink() when +doing directory operations on a fuzzed filesystem. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+a9ac3de1b5de5fb10efc@syzkaller.appspotmail.com +Reported-by: syzbot+df958cf5688a96ad3287@syzkaller.appspotmail.com +Signed-off-by: Eric Biggers +Signed-off-by: Andrew Morton +Cc: Alexander Viro +Cc: Qiujun Huang +Cc: +Link: http://lkml.kernel.org/r/20200628060846.682158-3-ebiggers@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/minix/inode.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/minix/inode.c ++++ b/fs/minix/inode.c +@@ -468,6 +468,13 @@ static struct inode *V1_minix_iget(struc + iget_failed(inode); + return ERR_PTR(-EIO); + } ++ if (raw_inode->i_nlinks == 0) { ++ printk("MINIX-fs: deleted inode referenced: %lu\n", ++ inode->i_ino); ++ brelse(bh); ++ iget_failed(inode); ++ return ERR_PTR(-ESTALE); ++ } + inode->i_mode = raw_inode->i_mode; + i_uid_write(inode, raw_inode->i_uid); + i_gid_write(inode, raw_inode->i_gid); +@@ -501,6 +508,13 @@ static struct inode *V2_minix_iget(struc + iget_failed(inode); + return ERR_PTR(-EIO); + } ++ if (raw_inode->i_nlinks == 0) { ++ printk("MINIX-fs: deleted inode referenced: %lu\n", ++ inode->i_ino); ++ brelse(bh); ++ iget_failed(inode); ++ return ERR_PTR(-ESTALE); ++ } + inode->i_mode = raw_inode->i_mode; + i_uid_write(inode, raw_inode->i_uid); + i_gid_write(inode, raw_inode->i_gid); diff --git a/queue-5.4/fs-minix-reject-too-large-maximum-file-size.patch b/queue-5.4/fs-minix-reject-too-large-maximum-file-size.patch new file mode 100644 index 00000000000..5b871d10fb6 --- /dev/null +++ b/queue-5.4/fs-minix-reject-too-large-maximum-file-size.patch @@ -0,0 +1,76 @@ +From 270ef41094e9fa95273f288d7d785313ceab2ff3 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 11 Aug 2020 18:35:30 -0700 +Subject: fs/minix: reject too-large maximum file size + +From: Eric Biggers + +commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream. + +If the minix filesystem tries to map a very large logical block number to +its on-disk location, block_to_path() can return offsets that are too +large, causing out-of-bounds memory accesses when accessing indirect index +blocks. This should be prevented by the check against the maximum file +size, but this doesn't work because the maximum file size is read directly +from the on-disk superblock and isn't validated itself. + +Fix this by validating the maximum file size at mount time. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com +Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com +Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com +Signed-off-by: Eric Biggers +Signed-off-by: Andrew Morton +Cc: Alexander Viro +Cc: Qiujun Huang +Cc: +Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/minix/inode.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/fs/minix/inode.c ++++ b/fs/minix/inode.c +@@ -150,6 +150,23 @@ static int minix_remount (struct super_b + return 0; + } + ++static bool minix_check_superblock(struct minix_sb_info *sbi) ++{ ++ if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) ++ return false; ++ ++ /* ++ * s_max_size must not exceed the block mapping limitation. This check ++ * is only needed for V1 filesystems, since V2/V3 support an extra level ++ * of indirect blocks which places the limit well above U32_MAX. ++ */ ++ if (sbi->s_version == MINIX_V1 && ++ sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE) ++ return false; ++ ++ return true; ++} ++ + static int minix_fill_super(struct super_block *s, void *data, int silent) + { + struct buffer_head *bh; +@@ -228,11 +245,12 @@ static int minix_fill_super(struct super + } else + goto out_no_fs; + ++ if (!minix_check_superblock(sbi)) ++ goto out_illegal_sb; ++ + /* + * Allocate the buffer map to keep the superblock small. + */ +- if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) +- goto out_illegal_sb; + i = (sbi->s_imap_blocks + sbi->s_zmap_blocks) * sizeof(bh); + map = kzalloc(i, GFP_KERNEL); + if (!map) diff --git a/queue-5.4/io_uring-set-ctx-sq-cq-entry-count-earlier.patch b/queue-5.4/io_uring-set-ctx-sq-cq-entry-count-earlier.patch new file mode 100644 index 00000000000..b286285f288 --- /dev/null +++ b/queue-5.4/io_uring-set-ctx-sq-cq-entry-count-earlier.patch @@ -0,0 +1,52 @@ +From bd74048108c179cea0ff52979506164c80f29da7 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 5 Aug 2020 12:58:23 -0600 +Subject: io_uring: set ctx sq/cq entry count earlier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jens Axboe + +commit bd74048108c179cea0ff52979506164c80f29da7 upstream. + +If we hit an earlier error path in io_uring_create(), then we will have +accounted memory, but not set ctx->{sq,cq}_entries yet. Then when the +ring is torn down in error, we use those values to unaccount the memory. + +Ensure we set the ctx entries before we're able to hit a potential error +path. + +Cc: stable@vger.kernel.org +Reported-by: Tomáš Chaloupka +Tested-by: Tomáš Chaloupka +Reviewed-by: Stefano Garzarella +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -3857,6 +3857,10 @@ static int io_allocate_scq_urings(struct + struct io_rings *rings; + size_t size, sq_array_offset; + ++ /* make sure these are sane, as we already accounted them */ ++ ctx->sq_entries = p->sq_entries; ++ ctx->cq_entries = p->cq_entries; ++ + size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset); + if (size == SIZE_MAX) + return -EOVERFLOW; +@@ -3873,8 +3877,6 @@ static int io_allocate_scq_urings(struct + rings->cq_ring_entries = p->cq_entries; + ctx->sq_mask = rings->sq_ring_mask; + ctx->cq_mask = rings->cq_ring_mask; +- ctx->sq_entries = rings->sq_ring_entries; +- ctx->cq_entries = rings->cq_ring_entries; + + size = array_size(sizeof(struct io_uring_sqe), p->sq_entries); + if (size == SIZE_MAX) { diff --git a/queue-5.4/media-media-request-fix-crash-if-memory-allocation-fails.patch b/queue-5.4/media-media-request-fix-crash-if-memory-allocation-fails.patch new file mode 100644 index 00000000000..0774156ab69 --- /dev/null +++ b/queue-5.4/media-media-request-fix-crash-if-memory-allocation-fails.patch @@ -0,0 +1,118 @@ +From e30cc79cc80fd919b697a15c5000d9f57487de8e Mon Sep 17 00:00:00 2001 +From: Tuomas Tynkkynen +Date: Sun, 21 Jun 2020 13:30:40 +0200 +Subject: media: media-request: Fix crash if memory allocation fails + +From: Tuomas Tynkkynen + +commit e30cc79cc80fd919b697a15c5000d9f57487de8e upstream. + +Syzbot reports a NULL-ptr deref in the kref_put() call: + +BUG: KASAN: null-ptr-deref in media_request_put drivers/media/mc/mc-request.c:81 [inline] + kref_put include/linux/kref.h:64 [inline] + media_request_put drivers/media/mc/mc-request.c:81 [inline] + media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89 + __fput+0x2ed/0x750 fs/file_table.c:281 + task_work_run+0x147/0x1d0 kernel/task_work.c:123 + tracehook_notify_resume include/linux/tracehook.h:188 [inline] + exit_to_usermode_loop arch/x86/entry/common.c:165 [inline] + prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:196 + +What led to this crash was an injected memory allocation failure in +media_request_alloc(): + +FAULT_INJECTION: forcing a failure. +name failslab, interval 1, probability 0, space 0, times 0 + should_failslab+0x5/0x20 + kmem_cache_alloc_trace+0x57/0x300 + ? anon_inode_getfile+0xe5/0x170 + media_request_alloc+0x339/0x440 + media_device_request_alloc+0x94/0xc0 + media_device_ioctl+0x1fb/0x330 + ? do_vfs_ioctl+0x6ea/0x1a00 + ? media_ioctl+0x101/0x120 + ? __media_device_usb_init+0x430/0x430 + ? media_poll+0x110/0x110 + __se_sys_ioctl+0xf9/0x160 + do_syscall_64+0xf3/0x1b0 + +When that allocation fails, filp->private_data is left uninitialized +which media_request_close() does not expect and crashes. + +To avoid this, reorder media_request_alloc() such that +allocating the struct file happens as the last step thus +media_request_close() will no longer get called for a partially created +media request. + +Reported-by: syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Tuomas Tynkkynen +Fixes: 10905d70d788 ("media: media-request: implement media requests") +Reviewed-by: Hans Verkuil +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/mc/mc-request.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +--- a/drivers/media/mc/mc-request.c ++++ b/drivers/media/mc/mc-request.c +@@ -296,9 +296,18 @@ int media_request_alloc(struct media_dev + if (WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free)) + return -ENOMEM; + ++ if (mdev->ops->req_alloc) ++ req = mdev->ops->req_alloc(mdev); ++ else ++ req = kzalloc(sizeof(*req), GFP_KERNEL); ++ if (!req) ++ return -ENOMEM; ++ + fd = get_unused_fd_flags(O_CLOEXEC); +- if (fd < 0) +- return fd; ++ if (fd < 0) { ++ ret = fd; ++ goto err_free_req; ++ } + + filp = anon_inode_getfile("request", &request_fops, NULL, O_CLOEXEC); + if (IS_ERR(filp)) { +@@ -306,15 +315,6 @@ int media_request_alloc(struct media_dev + goto err_put_fd; + } + +- if (mdev->ops->req_alloc) +- req = mdev->ops->req_alloc(mdev); +- else +- req = kzalloc(sizeof(*req), GFP_KERNEL); +- if (!req) { +- ret = -ENOMEM; +- goto err_fput; +- } +- + filp->private_data = req; + req->mdev = mdev; + req->state = MEDIA_REQUEST_STATE_IDLE; +@@ -336,12 +336,15 @@ int media_request_alloc(struct media_dev + + return 0; + +-err_fput: +- fput(filp); +- + err_put_fd: + put_unused_fd(fd); + ++err_free_req: ++ if (mdev->ops->req_free) ++ mdev->ops->req_free(req); ++ else ++ kfree(req); ++ + return ret; + } + diff --git a/queue-5.4/nfs-don-t-move-layouts-to-plh_return_segs-list-while-in-use.patch b/queue-5.4/nfs-don-t-move-layouts-to-plh_return_segs-list-while-in-use.patch new file mode 100644 index 00000000000..f4d50c4e28b --- /dev/null +++ b/queue-5.4/nfs-don-t-move-layouts-to-plh_return_segs-list-while-in-use.patch @@ -0,0 +1,50 @@ +From ff041727e9e029845857cac41aae118ead5e261b Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 4 Aug 2020 16:30:30 -0400 +Subject: NFS: Don't move layouts to plh_return_segs list while in use + +From: Trond Myklebust + +commit ff041727e9e029845857cac41aae118ead5e261b upstream. + +If the layout segment is still in use for a read or a write, we should +not move it to the layout plh_return_segs list. If we do, we can end +up returning the layout while I/O is still in progress. + +Fixes: e0b7d420f72a ("pNFS: Don't discard layout segments that are marked for return") +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/pnfs.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -2362,16 +2362,6 @@ out_forget: + return ERR_PTR(-EAGAIN); + } + +-static int +-mark_lseg_invalid_or_return(struct pnfs_layout_segment *lseg, +- struct list_head *tmp_list) +-{ +- if (!mark_lseg_invalid(lseg, tmp_list)) +- return 0; +- pnfs_cache_lseg_for_layoutreturn(lseg->pls_layout, lseg); +- return 1; +-} +- + /** + * pnfs_mark_matching_lsegs_return - Free or return matching layout segments + * @lo: pointer to layout header +@@ -2408,7 +2398,7 @@ pnfs_mark_matching_lsegs_return(struct p + lseg, lseg->pls_range.iomode, + lseg->pls_range.offset, + lseg->pls_range.length); +- if (mark_lseg_invalid_or_return(lseg, tmp_list)) ++ if (mark_lseg_invalid(lseg, tmp_list)) + continue; + remaining++; + set_bit(NFS_LSEG_LAYOUTRETURN, &lseg->pls_flags); diff --git a/queue-5.4/nfs-don-t-return-layout-segments-that-are-in-use.patch b/queue-5.4/nfs-don-t-return-layout-segments-that-are-in-use.patch new file mode 100644 index 00000000000..e259f15f981 --- /dev/null +++ b/queue-5.4/nfs-don-t-return-layout-segments-that-are-in-use.patch @@ -0,0 +1,71 @@ +From d474f96104bd4377573526ebae2ee212205a6839 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 5 Aug 2020 09:03:56 -0400 +Subject: NFS: Don't return layout segments that are in use + +From: Trond Myklebust + +commit d474f96104bd4377573526ebae2ee212205a6839 upstream. + +If the NFS_LAYOUT_RETURN_REQUESTED flag is set, we want to return the +layout as soon as possible, meaning that the affected layout segments +should be marked as invalid, and should no longer be in use for I/O. + +Fixes: f0b429819b5f ("pNFS: Ignore non-recalled layouts in pnfs_layout_need_return()") +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/pnfs.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1198,31 +1198,27 @@ out: + return status; + } + ++static bool ++pnfs_layout_segments_returnable(struct pnfs_layout_hdr *lo, ++ enum pnfs_iomode iomode, ++ u32 seq) ++{ ++ struct pnfs_layout_range recall_range = { ++ .length = NFS4_MAX_UINT64, ++ .iomode = iomode, ++ }; ++ return pnfs_mark_matching_lsegs_return(lo, &lo->plh_return_segs, ++ &recall_range, seq) != -EBUSY; ++} ++ + /* Return true if layoutreturn is needed */ + static bool + pnfs_layout_need_return(struct pnfs_layout_hdr *lo) + { +- struct pnfs_layout_segment *s; +- enum pnfs_iomode iomode; +- u32 seq; +- + if (!test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags)) + return false; +- +- seq = lo->plh_return_seq; +- iomode = lo->plh_return_iomode; +- +- /* Defer layoutreturn until all recalled lsegs are done */ +- list_for_each_entry(s, &lo->plh_segs, pls_list) { +- if (seq && pnfs_seqid_is_newer(s->pls_seq, seq)) +- continue; +- if (iomode != IOMODE_ANY && s->pls_range.iomode != iomode) +- continue; +- if (test_bit(NFS_LSEG_LAYOUTRETURN, &s->pls_flags)) +- return false; +- } +- +- return true; ++ return pnfs_layout_segments_returnable(lo, lo->plh_return_iomode, ++ lo->plh_return_seq); + } + + static void pnfs_layoutreturn_before_put_layout_hdr(struct pnfs_layout_hdr *lo) diff --git a/queue-5.4/pstore-fix-linking-when-crypto-api-disabled.patch b/queue-5.4/pstore-fix-linking-when-crypto-api-disabled.patch new file mode 100644 index 00000000000..3490b9a4587 --- /dev/null +++ b/queue-5.4/pstore-fix-linking-when-crypto-api-disabled.patch @@ -0,0 +1,53 @@ +From fd49e03280e596e54edb93a91bc96170f8e97e4a Mon Sep 17 00:00:00 2001 +From: Matteo Croce +Date: Mon, 6 Jul 2020 19:37:36 -0700 +Subject: pstore: Fix linking when crypto API disabled + +From: Matteo Croce + +commit fd49e03280e596e54edb93a91bc96170f8e97e4a upstream. + +When building a kernel with CONFIG_PSTORE=y and CONFIG_CRYPTO not set, +a build error happens: + + ld: fs/pstore/platform.o: in function `pstore_dump': + platform.c:(.text+0x3f9): undefined reference to `crypto_comp_compress' + ld: fs/pstore/platform.o: in function `pstore_get_backend_records': + platform.c:(.text+0x784): undefined reference to `crypto_comp_decompress' + +This because some pstore code uses crypto_comp_(de)compress regardless +of the CONFIG_CRYPTO status. Fix it by wrapping the (de)compress usage +by IS_ENABLED(CONFIG_PSTORE_COMPRESS) + +Signed-off-by: Matteo Croce +Link: https://lore.kernel.org/lkml/20200706234045.9516-1-mcroce@linux.microsoft.com +Fixes: cb3bee0369bc ("pstore: Use crypto compress API") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + fs/pstore/platform.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/pstore/platform.c ++++ b/fs/pstore/platform.c +@@ -275,6 +275,9 @@ static int pstore_compress(const void *i + { + int ret; + ++ if (!IS_ENABLED(CONFIG_PSTORE_COMPRESSION)) ++ return -EINVAL; ++ + ret = crypto_comp_compress(tfm, in, inlen, out, &outlen); + if (ret) { + pr_err("crypto_comp_compress failed, ret = %d!\n", ret); +@@ -661,7 +664,7 @@ static void decompress_record(struct pst + int unzipped_len; + char *unzipped, *workspace; + +- if (!record->compressed) ++ if (!IS_ENABLED(CONFIG_PSTORE_COMPRESSION) || !record->compressed) + return; + + /* Only PSTORE_TYPE_DMESG support compression. */ diff --git a/queue-5.4/series b/queue-5.4/series index a2b39e6229b..e44756d46b3 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -225,3 +225,26 @@ tcp-correct-read-of-tfo-keys-on-big-endian-systems.patch vmxnet3-use-correct-tcp-hdr-length-when-packet-is-encapsulated.patch net-refactor-bind_bucket-fastreuse-into-helper.patch net-initialize-fastreuse-on-inet_inherit_port.patch +usb-serial-cp210x-re-enable-auto-rts-on-open.patch +usb-serial-cp210x-enable-usb-generic-throttle-unthrottle.patch +alsa-hda-fix-the-micmute-led-status-for-lenovo-thinkcentre-aio.patch +alsa-usb-audio-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch +alsa-usb-audio-fix-overeager-device-match-for-macrosilicon-ms2109.patch +alsa-usb-audio-work-around-streaming-quirk-for-macrosilicon-ms2109.patch +9p-fix-memory-leak-in-v9fs_mount.patch +media-media-request-fix-crash-if-memory-allocation-fails.patch +drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-alloc-failure.patch +io_uring-set-ctx-sq-cq-entry-count-earlier.patch +nfs-don-t-move-layouts-to-plh_return_segs-list-while-in-use.patch +nfs-don-t-return-layout-segments-that-are-in-use.patch +alsa-usb-audio-add-quirk-for-pioneer-ddj-rb.patch +tpm-unify-the-mismatching-tpm-space-buffer-sizes.patch +pstore-fix-linking-when-crypto-api-disabled.patch +crypto-hisilicon-don-t-sleep-of-crypto_tfm_req_may_sleep-was-not-specified.patch +crypto-qat-fix-double-free-in-qat_uclo_create_batch_init_list.patch +crypto-ccp-fix-use-of-merged-scatterlists.patch +crypto-cpt-don-t-sleep-of-crypto_tfm_req_may_sleep-was-not-specified.patch +bitfield.h-don-t-compile-time-validate-_val-in-field_fit.patch +fs-minix-check-return-value-of-sb_getblk.patch +fs-minix-don-t-allow-getting-deleted-inodes.patch +fs-minix-reject-too-large-maximum-file-size.patch diff --git a/queue-5.4/tpm-unify-the-mismatching-tpm-space-buffer-sizes.patch b/queue-5.4/tpm-unify-the-mismatching-tpm-space-buffer-sizes.patch new file mode 100644 index 00000000000..bdcc89f0c24 --- /dev/null +++ b/queue-5.4/tpm-unify-the-mismatching-tpm-space-buffer-sizes.patch @@ -0,0 +1,165 @@ +From 6c4e79d99e6f42b79040f1a33cd4018f5425030b Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Fri, 3 Jul 2020 01:55:59 +0300 +Subject: tpm: Unify the mismatching TPM space buffer sizes + +From: Jarkko Sakkinen + +commit 6c4e79d99e6f42b79040f1a33cd4018f5425030b upstream. + +The size of the buffers for storing context's and sessions can vary from +arch to arch as PAGE_SIZE can be anything between 4 kB and 256 kB (the +maximum for PPC64). Define a fixed buffer size set to 16 kB. This should be +enough for most use with three handles (that is how many we allow at the +moment). Parametrize the buffer size while doing this, so that it is easier +to revisit this later on if required. + +Cc: stable@vger.kernel.org +Reported-by: Stefan Berger +Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces") +Reviewed-by: Jerry Snitselaar +Tested-by: Stefan Berger +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm-chip.c | 9 ++------- + drivers/char/tpm/tpm.h | 5 ++++- + drivers/char/tpm/tpm2-space.c | 26 ++++++++++++++++---------- + drivers/char/tpm/tpmrm-dev.c | 2 +- + include/linux/tpm.h | 1 + + 5 files changed, 24 insertions(+), 19 deletions(-) + +--- a/drivers/char/tpm/tpm-chip.c ++++ b/drivers/char/tpm/tpm-chip.c +@@ -386,13 +386,8 @@ struct tpm_chip *tpm_chip_alloc(struct d + chip->cdev.owner = THIS_MODULE; + chip->cdevs.owner = THIS_MODULE; + +- chip->work_space.context_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); +- if (!chip->work_space.context_buf) { +- rc = -ENOMEM; +- goto out; +- } +- chip->work_space.session_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); +- if (!chip->work_space.session_buf) { ++ rc = tpm2_init_space(&chip->work_space, TPM2_SPACE_BUFFER_SIZE); ++ if (rc) { + rc = -ENOMEM; + goto out; + } +--- a/drivers/char/tpm/tpm.h ++++ b/drivers/char/tpm/tpm.h +@@ -177,6 +177,9 @@ struct tpm_header { + + #define TPM_TAG_RQU_COMMAND 193 + ++/* TPM2 specific constants. */ ++#define TPM2_SPACE_BUFFER_SIZE 16384 /* 16 kB */ ++ + struct stclear_flags_t { + __be16 tag; + u8 deactivated; +@@ -456,7 +459,7 @@ void tpm2_shutdown(struct tpm_chip *chip + unsigned long tpm2_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal); + int tpm2_probe(struct tpm_chip *chip); + int tpm2_find_cc(struct tpm_chip *chip, u32 cc); +-int tpm2_init_space(struct tpm_space *space); ++int tpm2_init_space(struct tpm_space *space, unsigned int buf_size); + void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space); + void tpm2_flush_space(struct tpm_chip *chip); + int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u8 *cmd, +--- a/drivers/char/tpm/tpm2-space.c ++++ b/drivers/char/tpm/tpm2-space.c +@@ -38,18 +38,21 @@ static void tpm2_flush_sessions(struct t + } + } + +-int tpm2_init_space(struct tpm_space *space) ++int tpm2_init_space(struct tpm_space *space, unsigned int buf_size) + { +- space->context_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); ++ space->context_buf = kzalloc(buf_size, GFP_KERNEL); + if (!space->context_buf) + return -ENOMEM; + +- space->session_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); ++ space->session_buf = kzalloc(buf_size, GFP_KERNEL); + if (space->session_buf == NULL) { + kfree(space->context_buf); ++ /* Prevent caller getting a dangling pointer. */ ++ space->context_buf = NULL; + return -ENOMEM; + } + ++ space->buf_size = buf_size; + return 0; + } + +@@ -311,8 +314,10 @@ int tpm2_prepare_space(struct tpm_chip * + sizeof(space->context_tbl)); + memcpy(&chip->work_space.session_tbl, &space->session_tbl, + sizeof(space->session_tbl)); +- memcpy(chip->work_space.context_buf, space->context_buf, PAGE_SIZE); +- memcpy(chip->work_space.session_buf, space->session_buf, PAGE_SIZE); ++ memcpy(chip->work_space.context_buf, space->context_buf, ++ space->buf_size); ++ memcpy(chip->work_space.session_buf, space->session_buf, ++ space->buf_size); + + rc = tpm2_load_space(chip); + if (rc) { +@@ -492,7 +497,7 @@ static int tpm2_save_space(struct tpm_ch + continue; + + rc = tpm2_save_context(chip, space->context_tbl[i], +- space->context_buf, PAGE_SIZE, ++ space->context_buf, space->buf_size, + &offset); + if (rc == -ENOENT) { + space->context_tbl[i] = 0; +@@ -509,9 +514,8 @@ static int tpm2_save_space(struct tpm_ch + continue; + + rc = tpm2_save_context(chip, space->session_tbl[i], +- space->session_buf, PAGE_SIZE, ++ space->session_buf, space->buf_size, + &offset); +- + if (rc == -ENOENT) { + /* handle error saving session, just forget it */ + space->session_tbl[i] = 0; +@@ -557,8 +561,10 @@ int tpm2_commit_space(struct tpm_chip *c + sizeof(space->context_tbl)); + memcpy(&space->session_tbl, &chip->work_space.session_tbl, + sizeof(space->session_tbl)); +- memcpy(space->context_buf, chip->work_space.context_buf, PAGE_SIZE); +- memcpy(space->session_buf, chip->work_space.session_buf, PAGE_SIZE); ++ memcpy(space->context_buf, chip->work_space.context_buf, ++ space->buf_size); ++ memcpy(space->session_buf, chip->work_space.session_buf, ++ space->buf_size); + + return 0; + out: +--- a/drivers/char/tpm/tpmrm-dev.c ++++ b/drivers/char/tpm/tpmrm-dev.c +@@ -21,7 +21,7 @@ static int tpmrm_open(struct inode *inod + if (priv == NULL) + return -ENOMEM; + +- rc = tpm2_init_space(&priv->space); ++ rc = tpm2_init_space(&priv->space, TPM2_SPACE_BUFFER_SIZE); + if (rc) { + kfree(priv); + return -ENOMEM; +--- a/include/linux/tpm.h ++++ b/include/linux/tpm.h +@@ -93,6 +93,7 @@ struct tpm_space { + u8 *context_buf; + u32 session_tbl[3]; + u8 *session_buf; ++ u32 buf_size; + }; + + struct tpm_bios_log { diff --git a/queue-5.4/usb-serial-cp210x-enable-usb-generic-throttle-unthrottle.patch b/queue-5.4/usb-serial-cp210x-enable-usb-generic-throttle-unthrottle.patch new file mode 100644 index 00000000000..3484e89d090 --- /dev/null +++ b/queue-5.4/usb-serial-cp210x-enable-usb-generic-throttle-unthrottle.patch @@ -0,0 +1,38 @@ +From 4387b3dbb079d482d3c2b43a703ceed4dd27ed28 Mon Sep 17 00:00:00 2001 +From: Brant Merryman +Date: Fri, 26 Jun 2020 04:22:58 +0000 +Subject: USB: serial: cp210x: enable usb generic throttle/unthrottle + +From: Brant Merryman + +commit 4387b3dbb079d482d3c2b43a703ceed4dd27ed28 upstream. + +Assign the .throttle and .unthrottle functions to be generic function +in the driver structure to prevent data loss that can otherwise occur +if the host does not enable USB throttling. + +Signed-off-by: Brant Merryman +Co-developed-by: Phu Luu +Signed-off-by: Phu Luu +Link: https://lore.kernel.org/r/57401AF3-9961-461F-95E1-F8AFC2105F5E@silabs.com +[ johan: fix up tags ] +Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control") +Cc: stable # 2.6.12 +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -272,6 +272,8 @@ static struct usb_serial_driver cp210x_d + .break_ctl = cp210x_break_ctl, + .set_termios = cp210x_set_termios, + .tx_empty = cp210x_tx_empty, ++ .throttle = usb_serial_generic_throttle, ++ .unthrottle = usb_serial_generic_unthrottle, + .tiocmget = cp210x_tiocmget, + .tiocmset = cp210x_tiocmset, + .attach = cp210x_attach, diff --git a/queue-5.4/usb-serial-cp210x-re-enable-auto-rts-on-open.patch b/queue-5.4/usb-serial-cp210x-re-enable-auto-rts-on-open.patch new file mode 100644 index 00000000000..3f672318399 --- /dev/null +++ b/queue-5.4/usb-serial-cp210x-re-enable-auto-rts-on-open.patch @@ -0,0 +1,61 @@ +From c7614ff9b73a1e6fb2b1b51396da132ed22fecdb Mon Sep 17 00:00:00 2001 +From: Brant Merryman +Date: Fri, 26 Jun 2020 04:24:20 +0000 +Subject: USB: serial: cp210x: re-enable auto-RTS on open + +From: Brant Merryman + +commit c7614ff9b73a1e6fb2b1b51396da132ed22fecdb upstream. + +CP210x hardware disables auto-RTS but leaves auto-CTS when in hardware +flow control mode and UART on cp210x hardware is disabled. When +re-opening the port, if auto-CTS is enabled on the cp210x, then auto-RTS +must be re-enabled in the driver. + +Signed-off-by: Brant Merryman +Co-developed-by: Phu Luu +Signed-off-by: Phu Luu +Link: https://lore.kernel.org/r/ECCF8E73-91F3-4080-BE17-1714BC8818FB@silabs.com +[ johan: fix up tags and problem description ] +Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control") +Cc: stable # 2.6.12 +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -915,6 +915,7 @@ static void cp210x_get_termios_port(stru + u32 baud; + u16 bits; + u32 ctl_hs; ++ u32 flow_repl; + + cp210x_read_u32_reg(port, CP210X_GET_BAUDRATE, &baud); + +@@ -1015,6 +1016,22 @@ static void cp210x_get_termios_port(stru + ctl_hs = le32_to_cpu(flow_ctl.ulControlHandshake); + if (ctl_hs & CP210X_SERIAL_CTS_HANDSHAKE) { + dev_dbg(dev, "%s - flow control = CRTSCTS\n", __func__); ++ /* ++ * When the port is closed, the CP210x hardware disables ++ * auto-RTS and RTS is deasserted but it leaves auto-CTS when ++ * in hardware flow control mode. When re-opening the port, if ++ * auto-CTS is enabled on the cp210x, then auto-RTS must be ++ * re-enabled in the driver. ++ */ ++ flow_repl = le32_to_cpu(flow_ctl.ulFlowReplace); ++ flow_repl &= ~CP210X_SERIAL_RTS_MASK; ++ flow_repl |= CP210X_SERIAL_RTS_SHIFT(CP210X_SERIAL_RTS_FLOW_CTL); ++ flow_ctl.ulFlowReplace = cpu_to_le32(flow_repl); ++ cp210x_write_reg_block(port, ++ CP210X_SET_FLOW, ++ &flow_ctl, ++ sizeof(flow_ctl)); ++ + cflag |= CRTSCTS; + } else { + dev_dbg(dev, "%s - flow control = NONE\n", __func__);