From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 29 Jul 2019 16:29:28 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.2.5~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b669bb06152119ae8b04a8f0c9fbba8b0008b275;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch
	alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch
	hpet-fix-division-by-zero-in-hpet_time_div.patch
	powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch
---

diff --git a/queue-4.9/alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch b/queue-4.9/alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch
new file mode 100644
index 00000000000..282fdebe446
--- /dev/null
+++ b/queue-4.9/alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch
@@ -0,0 +1,34 @@
+From 3f8809499bf02ef7874254c5e23fc764a47a21a0 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Thu, 25 Jul 2019 14:57:37 +0800
+Subject: ALSA: hda - Add a conexant codec entry to let mute led work
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 3f8809499bf02ef7874254c5e23fc764a47a21a0 upstream.
+
+This conexant codec isn't in the supported codec list yet, the hda
+generic driver can drive this codec well, but on a Lenovo machine
+with mute/mic-mute leds, we need to apply CXT_FIXUP_THINKPAD_ACPI
+to make the leds work. After adding this codec to the list, the
+driver patch_conexant.c will apply THINKPAD_ACPI to this machine.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -1011,6 +1011,7 @@ static int patch_conexant_auto(struct hd
+  */
+ 
+ static const struct hda_device_id snd_hda_id_conexant[] = {
++	HDA_CODEC_ENTRY(0x14f11f86, "CX8070", patch_conexant_auto),
+ 	HDA_CODEC_ENTRY(0x14f12008, "CX8200", patch_conexant_auto),
+ 	HDA_CODEC_ENTRY(0x14f15045, "CX20549 (Venice)", patch_conexant_auto),
+ 	HDA_CODEC_ENTRY(0x14f15047, "CX20551 (Waikiki)", patch_conexant_auto),
diff --git a/queue-4.9/alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch b/queue-4.9/alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch
new file mode 100644
index 00000000000..1e3d99a7e8c
--- /dev/null
+++ b/queue-4.9/alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch
@@ -0,0 +1,36 @@
+From 70256b42caaf3e13c2932c2be7903a73fbe8bb8b Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 18 Jul 2019 17:53:13 +0800
+Subject: ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 70256b42caaf3e13c2932c2be7903a73fbe8bb8b upstream.
+
+Commit 7b9584fa1c0b ("staging: line6: Move altsetting to properties")
+set a wrong altsetting for LINE6_PODHD500_1 during refactoring.
+
+Set the correct altsetting number to fix the issue.
+
+BugLink: https://bugs.launchpad.net/bugs/1790595
+Fixes: 7b9584fa1c0b ("staging: line6: Move altsetting to properties")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/podhd.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/line6/podhd.c
++++ b/sound/usb/line6/podhd.c
+@@ -385,7 +385,7 @@ static const struct line6_properties pod
+ 		.name = "POD HD500",
+ 		.capabilities	= LINE6_CAP_PCM
+ 				| LINE6_CAP_HWMON,
+-		.altsetting = 1,
++		.altsetting = 0,
+ 		.ep_ctrl_r = 0x81,
+ 		.ep_ctrl_w = 0x01,
+ 		.ep_audio_r = 0x86,
diff --git a/queue-4.9/hpet-fix-division-by-zero-in-hpet_time_div.patch b/queue-4.9/hpet-fix-division-by-zero-in-hpet_time_div.patch
new file mode 100644
index 00000000000..b640cd1e38e
--- /dev/null
+++ b/queue-4.9/hpet-fix-division-by-zero-in-hpet_time_div.patch
@@ -0,0 +1,67 @@
+From 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Thu, 11 Jul 2019 21:27:57 +0800
+Subject: hpet: Fix division by zero in hpet_time_div()
+
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+
+commit 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522 upstream.
+
+The base value in do_div() called by hpet_time_div() is truncated from
+unsigned long to uint32_t, resulting in a divide-by-zero exception.
+
+UBSAN: Undefined behaviour in ../drivers/char/hpet.c:572:2
+division by zero
+CPU: 1 PID: 23682 Comm: syz-executor.3 Not tainted 4.4.184.x86_64+ #4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+ 0000000000000000 b573382df1853d00 ffff8800a3287b98 ffffffff81ad7561
+ ffff8800a3287c00 ffffffff838b35b0 ffffffff838b3860 ffff8800a3287c20
+ 0000000000000000 ffff8800a3287bb0 ffffffff81b8f25e ffffffff838b35a0
+Call Trace:
+ [<ffffffff81ad7561>] __dump_stack lib/dump_stack.c:15 [inline]
+ [<ffffffff81ad7561>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
+ [<ffffffff81b8f25e>] ubsan_epilogue+0x12/0x8d lib/ubsan.c:166
+ [<ffffffff81b900cb>] __ubsan_handle_divrem_overflow+0x282/0x2c8 lib/ubsan.c:262
+ [<ffffffff823560dd>] hpet_time_div drivers/char/hpet.c:572 [inline]
+ [<ffffffff823560dd>] hpet_ioctl_common drivers/char/hpet.c:663 [inline]
+ [<ffffffff823560dd>] hpet_ioctl_common.cold+0xa8/0xad drivers/char/hpet.c:577
+ [<ffffffff81e63d56>] hpet_ioctl+0xc6/0x180 drivers/char/hpet.c:676
+ [<ffffffff81711590>] vfs_ioctl fs/ioctl.c:43 [inline]
+ [<ffffffff81711590>] file_ioctl fs/ioctl.c:470 [inline]
+ [<ffffffff81711590>] do_vfs_ioctl+0x6e0/0xf70 fs/ioctl.c:605
+ [<ffffffff81711eb4>] SYSC_ioctl fs/ioctl.c:622 [inline]
+ [<ffffffff81711eb4>] SyS_ioctl+0x94/0xc0 fs/ioctl.c:613
+ [<ffffffff82846003>] tracesys_phase2+0x90/0x95
+
+The main C reproducer autogenerated by syzkaller,
+
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  memcpy((void*)0x20000100, "/dev/hpet\000", 10);
+  syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0, 0);
+  syscall(__NR_ioctl, r[0], 0x40086806, 0x40000000000000);
+
+Fix it by using div64_ul().
+
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Zhang HongJun <zhanghongjun2@huawei.com>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20190711132757.130092-1-wangkefeng.wang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/hpet.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/char/hpet.c
++++ b/drivers/char/hpet.c
+@@ -569,8 +569,7 @@ static inline unsigned long hpet_time_di
+ 	unsigned long long m;
+ 
+ 	m = hpets->hp_tick_freq + (dis >> 1);
+-	do_div(m, dis);
+-	return (unsigned long)m;
++	return div64_ul(m, dis);
+ }
+ 
+ static int
diff --git a/queue-4.9/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch b/queue-4.9/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch
new file mode 100644
index 00000000000..4951be162c8
--- /dev/null
+++ b/queue-4.9/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch
@@ -0,0 +1,91 @@
+From f16d80b75a096c52354c6e0a574993f3b0dfbdfe Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Fri, 19 Jul 2019 15:05:02 +1000
+Subject: powerpc/tm: Fix oops on sigreturn on systems without TM
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe upstream.
+
+On systems like P9 powernv where we have no TM (or P8 booted with
+ppc_tm=off), userspace can construct a signal context which still has
+the MSR TS bits set. The kernel tries to restore this context which
+results in the following crash:
+
+  Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
+  Oops: Unrecoverable exception, sig: 6 [#1]
+  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+  Modules linked in:
+  CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
+  NIP:  c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
+  REGS: c00000003fffbd70 TRAP: 0700   Not tainted  (5.2.0-11045-g7142b497d8)
+  MSR:  8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]>  CR: 42004242  XER: 00000000
+  CFAR: c0000000000022e0 IRQMASK: 0
+  GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
+  GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
+  GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+  GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
+  GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
+  GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
+  GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
+  GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
+  NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
+  LR [00007fffb2d67e48] 0x7fffb2d67e48
+  Call Trace:
+  Instruction dump:
+  e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
+  e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18
+
+The problem is the signal code assumes TM is enabled when
+CONFIG_PPC_TRANSACTIONAL_MEM is enabled. This may not be the case as
+with P9 powernv or if `ppc_tm=off` is used on P8.
+
+This means any local user can crash the system.
+
+Fix the problem by returning a bad stack frame to the user if they try
+to set the MSR TS bits with sigreturn() on systems where TM is not
+supported.
+
+Found with sigfuz kernel selftest on P9.
+
+This fixes CVE-2019-13648.
+
+Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
+Cc: stable@vger.kernel.org # v3.9
+Reported-by: Praveen Pandey <Praveen.Pandey@in.ibm.com>
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190719050502.405-1-mikey@neuling.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/signal_32.c |    3 +++
+ arch/powerpc/kernel/signal_64.c |    5 +++++
+ 2 files changed, 8 insertions(+)
+
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -1281,6 +1281,9 @@ long sys_rt_sigreturn(int r3, int r4, in
+ 			goto bad;
+ 
+ 		if (MSR_TM_ACTIVE(msr_hi<<32)) {
++			/* Trying to start TM on non TM system */
++			if (!cpu_has_feature(CPU_FTR_TM))
++				goto bad;
+ 			/* We only recheckpoint on return if we're
+ 			 * transaction.
+ 			 */
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -741,6 +741,11 @@ int sys_rt_sigreturn(unsigned long r3, u
+ 	if (MSR_TM_ACTIVE(msr)) {
+ 		/* We recheckpoint on return. */
+ 		struct ucontext __user *uc_transact;
++
++		/* Trying to start TM on non TM system */
++		if (!cpu_has_feature(CPU_FTR_TM))
++			goto badframe;
++
+ 		if (__get_user(uc_transact, &uc->uc_link))
+ 			goto badframe;
+ 		if (restore_tm_sigcontexts(current, &uc->uc_mcontext,
diff --git a/queue-4.9/series b/queue-4.9/series
index 31472a93d54..3d9cb443da8 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -203,3 +203,7 @@ usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
 usb-pci-quirks-correct-amd-pll-quirk-detection.patch
 x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch
 x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
+hpet-fix-division-by-zero-in-hpet_time_div.patch
+alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch
+alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch
+powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch