From: Greg Kroah-Hartman Date: Tue, 18 Jan 2022 08:21:30 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v5.16.2~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a041f9b723021f79e46c10493889b77d53d4a6ea;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: kvm-s390-clarify-sigp-orders-versus-stop-restart.patch media-uvcvideo-fix-division-by-zero-at-stream-start.patch orangefs-fix-the-size-of-a-memory-allocation-in-orangefs_bufmap_alloc.patch rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch --- diff --git a/queue-4.19/kvm-s390-clarify-sigp-orders-versus-stop-restart.patch b/queue-4.19/kvm-s390-clarify-sigp-orders-versus-stop-restart.patch new file mode 100644 index 00000000000..3e4815c5787 --- /dev/null +++ b/queue-4.19/kvm-s390-clarify-sigp-orders-versus-stop-restart.patch @@ -0,0 +1,121 @@ +From 812de04661c4daa7ac385c0dfd62594540538034 Mon Sep 17 00:00:00 2001 +From: Eric Farman +Date: Mon, 13 Dec 2021 22:05:50 +0100 +Subject: KVM: s390: Clarify SIGP orders versus STOP/RESTART + +From: Eric Farman + +commit 812de04661c4daa7ac385c0dfd62594540538034 upstream. + +With KVM_CAP_S390_USER_SIGP, there are only five Signal Processor +orders (CONDITIONAL EMERGENCY SIGNAL, EMERGENCY SIGNAL, EXTERNAL CALL, +SENSE, and SENSE RUNNING STATUS) which are intended for frequent use +and thus are processed in-kernel. The remainder are sent to userspace +with the KVM_CAP_S390_USER_SIGP capability. Of those, three orders +(RESTART, STOP, and STOP AND STORE STATUS) have the potential to +inject work back into the kernel, and thus are asynchronous. + +Let's look for those pending IRQs when processing one of the in-kernel +SIGP orders, and return BUSY (CC2) if one is in process. This is in +agreement with the Principles of Operation, which states that only one +order can be "active" on a CPU at a time. + +Cc: stable@vger.kernel.org +Suggested-by: David Hildenbrand +Signed-off-by: Eric Farman +Reviewed-by: Christian Borntraeger +Acked-by: David Hildenbrand +Link: https://lore.kernel.org/r/20211213210550.856213-2-farman@linux.ibm.com +[borntraeger@linux.ibm.com: add stable tag] +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kvm/interrupt.c | 7 +++++++ + arch/s390/kvm/kvm-s390.c | 9 +++++++-- + arch/s390/kvm/kvm-s390.h | 1 + + arch/s390/kvm/sigp.c | 28 ++++++++++++++++++++++++++++ + 4 files changed, 43 insertions(+), 2 deletions(-) + +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1900,6 +1900,13 @@ int kvm_s390_is_stop_irq_pending(struct + return test_bit(IRQ_PEND_SIGP_STOP, &li->pending_irqs); + } + ++int kvm_s390_is_restart_irq_pending(struct kvm_vcpu *vcpu) ++{ ++ struct kvm_s390_local_interrupt *li = &vcpu->arch.local_int; ++ ++ return test_bit(IRQ_PEND_RESTART, &li->pending_irqs); ++} ++ + void kvm_s390_clear_stop_irq(struct kvm_vcpu *vcpu) + { + struct kvm_s390_local_interrupt *li = &vcpu->arch.local_int; +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -3844,10 +3844,15 @@ void kvm_s390_vcpu_stop(struct kvm_vcpu + spin_lock(&vcpu->kvm->arch.start_stop_lock); + online_vcpus = atomic_read(&vcpu->kvm->online_vcpus); + +- /* SIGP STOP and SIGP STOP AND STORE STATUS has been fully processed */ ++ /* ++ * Set the VCPU to STOPPED and THEN clear the interrupt flag, ++ * now that the SIGP STOP and SIGP STOP AND STORE STATUS orders ++ * have been fully processed. This will ensure that the VCPU ++ * is kept BUSY if another VCPU is inquiring with SIGP SENSE. ++ */ ++ kvm_s390_set_cpuflags(vcpu, CPUSTAT_STOPPED); + kvm_s390_clear_stop_irq(vcpu); + +- kvm_s390_set_cpuflags(vcpu, CPUSTAT_STOPPED); + __disable_ibs_on_vcpu(vcpu); + + for (i = 0; i < online_vcpus; i++) { +--- a/arch/s390/kvm/kvm-s390.h ++++ b/arch/s390/kvm/kvm-s390.h +@@ -372,6 +372,7 @@ void kvm_s390_destroy_adapters(struct kv + int kvm_s390_ext_call_pending(struct kvm_vcpu *vcpu); + extern struct kvm_device_ops kvm_flic_ops; + int kvm_s390_is_stop_irq_pending(struct kvm_vcpu *vcpu); ++int kvm_s390_is_restart_irq_pending(struct kvm_vcpu *vcpu); + void kvm_s390_clear_stop_irq(struct kvm_vcpu *vcpu); + int kvm_s390_set_irq_state(struct kvm_vcpu *vcpu, + void __user *buf, int len); +--- a/arch/s390/kvm/sigp.c ++++ b/arch/s390/kvm/sigp.c +@@ -288,6 +288,34 @@ static int handle_sigp_dst(struct kvm_vc + if (!dst_vcpu) + return SIGP_CC_NOT_OPERATIONAL; + ++ /* ++ * SIGP RESTART, SIGP STOP, and SIGP STOP AND STORE STATUS orders ++ * are processed asynchronously. Until the affected VCPU finishes ++ * its work and calls back into KVM to clear the (RESTART or STOP) ++ * interrupt, we need to return any new non-reset orders "busy". ++ * ++ * This is important because a single VCPU could issue: ++ * 1) SIGP STOP $DESTINATION ++ * 2) SIGP SENSE $DESTINATION ++ * ++ * If the SIGP SENSE would not be rejected as "busy", it could ++ * return an incorrect answer as to whether the VCPU is STOPPED ++ * or OPERATING. ++ */ ++ if (order_code != SIGP_INITIAL_CPU_RESET && ++ order_code != SIGP_CPU_RESET) { ++ /* ++ * Lockless check. Both SIGP STOP and SIGP (RE)START ++ * properly synchronize everything while processing ++ * their orders, while the guest cannot observe a ++ * difference when issuing other orders from two ++ * different VCPUs. ++ */ ++ if (kvm_s390_is_stop_irq_pending(dst_vcpu) || ++ kvm_s390_is_restart_irq_pending(dst_vcpu)) ++ return SIGP_CC_BUSY; ++ } ++ + switch (order_code) { + case SIGP_SENSE: + vcpu->stat.instruction_sigp_sense++; diff --git a/queue-4.19/media-uvcvideo-fix-division-by-zero-at-stream-start.patch b/queue-4.19/media-uvcvideo-fix-division-by-zero-at-stream-start.patch new file mode 100644 index 00000000000..c2b68b1f635 --- /dev/null +++ b/queue-4.19/media-uvcvideo-fix-division-by-zero-at-stream-start.patch @@ -0,0 +1,43 @@ +From 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 26 Oct 2021 11:55:11 +0200 +Subject: media: uvcvideo: fix division by zero at stream start + +From: Johan Hovold + +commit 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df upstream. + +Add the missing bulk-endpoint max-packet sanity check to +uvc_video_start_transfer() to avoid division by zero in +uvc_alloc_urb_buffers() in case a malicious device has broken +descriptors (or when doing descriptor fuzz testing). + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Cc: stable@vger.kernel.org # 2.6.26 +Signed-off-by: Johan Hovold +Reviewed-by: Kieran Bingham +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_video.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -1854,6 +1854,10 @@ static int uvc_init_video(struct uvc_str + if (ep == NULL) + return -EIO; + ++ /* Reject broken descriptors. */ ++ if (usb_endpoint_maxp(&ep->desc) == 0) ++ return -EIO; ++ + ret = uvc_init_video_bulk(stream, ep, gfp_flags); + } + diff --git a/queue-4.19/orangefs-fix-the-size-of-a-memory-allocation-in-orangefs_bufmap_alloc.patch b/queue-4.19/orangefs-fix-the-size-of-a-memory-allocation-in-orangefs_bufmap_alloc.patch new file mode 100644 index 00000000000..d167d7058f2 --- /dev/null +++ b/queue-4.19/orangefs-fix-the-size-of-a-memory-allocation-in-orangefs_bufmap_alloc.patch @@ -0,0 +1,61 @@ +From 40a74870b2d1d3d44e13b3b73c6571dd34f5614d Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Mon, 27 Dec 2021 19:09:18 +0100 +Subject: orangefs: Fix the size of a memory allocation in orangefs_bufmap_alloc() + +From: Christophe JAILLET + +commit 40a74870b2d1d3d44e13b3b73c6571dd34f5614d upstream. + +'buffer_index_array' really looks like a bitmap. So it should be allocated +as such. +When kzalloc is called, a number of bytes is expected, but a number of +longs is passed instead. + +In get(), if not enough memory is allocated, un-allocated memory may be +read or written. + +So use bitmap_zalloc() to safely allocate the correct memory size and +avoid un-expected behavior. + +While at it, change the corresponding kfree() into bitmap_free() to keep +the semantic. + +Fixes: ea2c9c9f6574 ("orangefs: bufmap rewrite") +Signed-off-by: Christophe JAILLET +Signed-off-by: Mike Marshall +Signed-off-by: Greg Kroah-Hartman +--- + fs/orangefs/orangefs-bufmap.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/fs/orangefs/orangefs-bufmap.c ++++ b/fs/orangefs/orangefs-bufmap.c +@@ -179,7 +179,7 @@ orangefs_bufmap_free(struct orangefs_buf + { + kfree(bufmap->page_array); + kfree(bufmap->desc_array); +- kfree(bufmap->buffer_index_array); ++ bitmap_free(bufmap->buffer_index_array); + kfree(bufmap); + } + +@@ -229,8 +229,7 @@ orangefs_bufmap_alloc(struct ORANGEFS_de + bufmap->desc_size = user_desc->size; + bufmap->desc_shift = ilog2(bufmap->desc_size); + +- bufmap->buffer_index_array = +- kzalloc(DIV_ROUND_UP(bufmap->desc_count, BITS_PER_LONG), GFP_KERNEL); ++ bufmap->buffer_index_array = bitmap_zalloc(bufmap->desc_count, GFP_KERNEL); + if (!bufmap->buffer_index_array) + goto out_free_bufmap; + +@@ -253,7 +252,7 @@ orangefs_bufmap_alloc(struct ORANGEFS_de + out_free_desc_array: + kfree(bufmap->desc_array); + out_free_index_array: +- kfree(bufmap->buffer_index_array); ++ bitmap_free(bufmap->buffer_index_array); + out_free_bufmap: + kfree(bufmap); + out: diff --git a/queue-4.19/rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch b/queue-4.19/rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch new file mode 100644 index 00000000000..36f0f560f84 --- /dev/null +++ b/queue-4.19/rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch @@ -0,0 +1,45 @@ +From 8b144dedb928e4e2f433a328d58f44c3c098d63e Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 15 Dec 2021 11:11:05 -0600 +Subject: rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with interrupts enabled + +From: Larry Finger + +commit 8b144dedb928e4e2f433a328d58f44c3c098d63e upstream. + +Syzbot reports the following WARNING: + +[200~raw_local_irq_restore() called with IRQs enabled +WARNING: CPU: 1 PID: 1206 at kernel/locking/irqflag-debug.c:10 + warn_bogus_irq_restore+0x1d/0x20 kernel/locking/irqflag-debug.c:10 + +Hardware initialization for the rtl8188cu can run for as long as 350 ms, +and the routine may be called with interrupts disabled. To avoid locking +the machine for this long, the current routine saves the interrupt flags +and enables local interrupts. The problem is that it restores the flags +at the end without disabling local interrupts first. + +This patch fixes commit a53268be0cb9 ("rtlwifi: rtl8192cu: Fix too long +disable of IRQs"). + +Reported-by: syzbot+cce1ee31614c171f5595@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Fixes: a53268be0cb9 ("rtlwifi: rtl8192cu: Fix too long disable of IRQs") +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211215171105.20623-1-Larry.Finger@lwfinger.net +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c +@@ -1020,6 +1020,7 @@ int rtl92cu_hw_init(struct ieee80211_hw + _InitPABias(hw); + rtl92c_dm_init(hw); + exit: ++ local_irq_disable(); + local_irq_restore(flags); + return err; + } diff --git a/queue-4.19/series b/queue-4.19/series index 85e980325b4..e9c601c38e3 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -11,3 +11,7 @@ random-fix-data-race-on-crng-init-time.patch staging-wlan-ng-avoid-bitwise-vs-logical-or-warning-in-hfa384x_usb_throttlefn.patch drm-i915-avoid-bitwise-vs-logical-or-warning-in-snb_wm_latency_quirk.patch kbuild-add-kbuild_hostldflags-to-has_libelf-test.patch +orangefs-fix-the-size-of-a-memory-allocation-in-orangefs_bufmap_alloc.patch +kvm-s390-clarify-sigp-orders-versus-stop-restart.patch +media-uvcvideo-fix-division-by-zero-at-stream-start.patch +rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch