From: Greg Kroah-Hartman Date: Tue, 8 Oct 2019 07:57:29 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.14.149~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c3eaf31dec57afe2636c05c8b8c71deec81e5c56;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: asoc-define-a-set-of-dapm-pre-post-up-events.patch can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch crypto-qat-silence-smp_processor_id-warning.patch kvm-nvmx-handle-page-fault-in-vmread-fix.patch kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op.patch powerpc-powernv-restrict-opal-symbol-map-to-only-be-readable-by-root.patch s390-cio-avoid-calling-strlen-on-null-pointer.patch s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check.patch s390-topology-avoid-firing-events-before-kobjs-are-created.patch timer-read-jiffies-once-when-forwarding-base-clk.patch usercopy-avoid-highmem-pfn-warning.patch --- diff --git a/queue-4.9/asoc-define-a-set-of-dapm-pre-post-up-events.patch b/queue-4.9/asoc-define-a-set-of-dapm-pre-post-up-events.patch new file mode 100644 index 00000000000..83fac04cbe4 --- /dev/null +++ b/queue-4.9/asoc-define-a-set-of-dapm-pre-post-up-events.patch @@ -0,0 +1,36 @@ +From cfc8f568aada98f9608a0a62511ca18d647613e2 Mon Sep 17 00:00:00 2001 +From: Oleksandr Suvorov +Date: Fri, 19 Jul 2019 10:05:30 +0000 +Subject: ASoC: Define a set of DAPM pre/post-up events + +From: Oleksandr Suvorov + +commit cfc8f568aada98f9608a0a62511ca18d647613e2 upstream. + +Prepare to use SND_SOC_DAPM_PRE_POST_PMU definition to +reduce coming code size and make it more readable. + +Cc: stable@vger.kernel.org +Signed-off-by: Oleksandr Suvorov +Reviewed-by: Marcel Ziswiler +Reviewed-by: Igor Opaniuk +Reviewed-by: Fabio Estevam +Link: https://lore.kernel.org/r/20190719100524.23300-2-oleksandr.suvorov@toradex.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/sound/soc-dapm.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/sound/soc-dapm.h ++++ b/include/sound/soc-dapm.h +@@ -339,6 +339,8 @@ struct device; + #define SND_SOC_DAPM_WILL_PMD 0x80 /* called at start of sequence */ + #define SND_SOC_DAPM_PRE_POST_PMD \ + (SND_SOC_DAPM_PRE_PMD | SND_SOC_DAPM_POST_PMD) ++#define SND_SOC_DAPM_PRE_POST_PMU \ ++ (SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMU) + + /* convenience event type detection */ + #define SND_SOC_DAPM_EVENT_ON(e) \ diff --git a/queue-4.9/can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch b/queue-4.9/can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch new file mode 100644 index 00000000000..48af9488572 --- /dev/null +++ b/queue-4.9/can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch @@ -0,0 +1,57 @@ +From d84ea2123f8d27144e3f4d58cd88c9c6ddc799de Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Tue, 13 Aug 2019 16:01:02 +0200 +Subject: can: mcp251x: mcp251x_hw_reset(): allow more time after a reset + +From: Marc Kleine-Budde + +commit d84ea2123f8d27144e3f4d58cd88c9c6ddc799de upstream. + +Some boards take longer than 5ms to power up after a reset, so allow +some retries attempts before giving up. + +Fixes: ff06d611a31c ("can: mcp251x: Improve mcp251x_hw_reset()") +Cc: linux-stable +Tested-by: Sean Nyekjaer +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/spi/mcp251x.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -627,7 +627,7 @@ static int mcp251x_setup(struct net_devi + static int mcp251x_hw_reset(struct spi_device *spi) + { + struct mcp251x_priv *priv = spi_get_drvdata(spi); +- u8 reg; ++ unsigned long timeout; + int ret; + + /* Wait for oscillator startup timer after power up */ +@@ -641,10 +641,19 @@ static int mcp251x_hw_reset(struct spi_d + /* Wait for oscillator startup timer after reset */ + mdelay(MCP251X_OST_DELAY_MS); + +- reg = mcp251x_read_reg(spi, CANSTAT); +- if ((reg & CANCTRL_REQOP_MASK) != CANCTRL_REQOP_CONF) +- return -ENODEV; +- ++ /* Wait for reset to finish */ ++ timeout = jiffies + HZ; ++ while ((mcp251x_read_reg(spi, CANSTAT) & CANCTRL_REQOP_MASK) != ++ CANCTRL_REQOP_CONF) { ++ usleep_range(MCP251X_OST_DELAY_MS * 1000, ++ MCP251X_OST_DELAY_MS * 1000 * 2); ++ ++ if (time_after(jiffies, timeout)) { ++ dev_err(&spi->dev, ++ "MCP251x didn't enter in conf mode after reset\n"); ++ return -EBUSY; ++ } ++ } + return 0; + } + diff --git a/queue-4.9/crypto-qat-silence-smp_processor_id-warning.patch b/queue-4.9/crypto-qat-silence-smp_processor_id-warning.patch new file mode 100644 index 00000000000..569785b995c --- /dev/null +++ b/queue-4.9/crypto-qat-silence-smp_processor_id-warning.patch @@ -0,0 +1,68 @@ +From 1b82feb6c5e1996513d0fb0bbb475417088b4954 Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Tue, 23 Jul 2019 07:24:01 +0000 +Subject: crypto: qat - Silence smp_processor_id() warning + +From: Alexander Sverdlin + +commit 1b82feb6c5e1996513d0fb0bbb475417088b4954 upstream. + +It seems that smp_processor_id() is only used for a best-effort +load-balancing, refer to qat_crypto_get_instance_node(). It's not feasible +to disable preemption for the duration of the crypto requests. Therefore, +just silence the warning. This commit is similar to e7a9b05ca4 +("crypto: cavium - Fix smp_processor_id() warnings"). + +Silences the following splat: +BUG: using smp_processor_id() in preemptible [00000000] code: cryptomgr_test/2904 +caller is qat_alg_ablkcipher_setkey+0x300/0x4a0 [intel_qat] +CPU: 1 PID: 2904 Comm: cryptomgr_test Tainted: P O 4.14.69 #1 +... +Call Trace: + dump_stack+0x5f/0x86 + check_preemption_disabled+0xd3/0xe0 + qat_alg_ablkcipher_setkey+0x300/0x4a0 [intel_qat] + skcipher_setkey_ablkcipher+0x2b/0x40 + __test_skcipher+0x1f3/0xb20 + ? cpumask_next_and+0x26/0x40 + ? find_busiest_group+0x10e/0x9d0 + ? preempt_count_add+0x49/0xa0 + ? try_module_get+0x61/0xf0 + ? crypto_mod_get+0x15/0x30 + ? __kmalloc+0x1df/0x1f0 + ? __crypto_alloc_tfm+0x116/0x180 + ? crypto_skcipher_init_tfm+0xa6/0x180 + ? crypto_create_tfm+0x4b/0xf0 + test_skcipher+0x21/0xa0 + alg_test_skcipher+0x3f/0xa0 + alg_test.part.6+0x126/0x2a0 + ? finish_task_switch+0x21b/0x260 + ? __schedule+0x1e9/0x800 + ? __wake_up_common+0x8d/0x140 + cryptomgr_test+0x40/0x50 + kthread+0xff/0x130 + ? cryptomgr_notify+0x540/0x540 + ? kthread_create_on_node+0x70/0x70 + ret_from_fork+0x24/0x50 + +Fixes: ed8ccaef52 ("crypto: qat - Add support for SRIOV") +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Sverdlin +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/qat/qat_common/adf_common_drv.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/qat/qat_common/adf_common_drv.h ++++ b/drivers/crypto/qat/qat_common/adf_common_drv.h +@@ -95,7 +95,7 @@ struct service_hndl { + + static inline int get_current_node(void) + { +- return topology_physical_package_id(smp_processor_id()); ++ return topology_physical_package_id(raw_smp_processor_id()); + } + + int adf_service_register(struct service_hndl *service); diff --git a/queue-4.9/kvm-nvmx-handle-page-fault-in-vmread-fix.patch b/queue-4.9/kvm-nvmx-handle-page-fault-in-vmread-fix.patch new file mode 100644 index 00000000000..3ff45c10d12 --- /dev/null +++ b/queue-4.9/kvm-nvmx-handle-page-fault-in-vmread-fix.patch @@ -0,0 +1,60 @@ +From jinpuwang@gmail.com Tue Oct 8 09:22:17 2019 +From: Jack Wang +Date: Mon, 7 Oct 2019 14:36:53 +0200 +Subject: KVM: nVMX: handle page fault in vmread fix +To: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org, pbonzini@redhat.com +Cc: Jack Wang +Message-ID: <20191007123653.17961-1-jinpuwang@gmail.com> + +From: Jack Wang + +During backport f7eea636c3d5 ("KVM: nVMX: handle page fault in vmread"), +there was a mistake the exception reference should be passed to function +kvm_write_guest_virt_system, instead of NULL, other wise, we will get +NULL pointer deref, eg + +kvm-unit-test triggered a NULL pointer deref below: +[ 948.518437] kvm [24114]: vcpu0, guest rIP: 0x407ef9 kvm_set_msr_common: MSR_IA32_DEBUGCTLMSR 0x3, nop +[ 949.106464] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +[ 949.106707] PGD 0 P4D 0 +[ 949.106872] Oops: 0002 [#1] SMP +[ 949.107038] CPU: 2 PID: 24126 Comm: qemu-2.7 Not tainted 4.19.77-pserver #4.19.77-1+feature+daily+update+20191005.1625+a4168bb~deb9 +[ 949.107283] Hardware name: Dell Inc. Precision Tower 3620/09WH54, BIOS 2.7.3 01/31/2018 +[ 949.107549] RIP: 0010:kvm_write_guest_virt_system+0x12/0x40 [kvm] +[ 949.107719] Code: c0 5d 41 5c 41 5d 41 5e 83 f8 03 41 0f 94 c0 41 c1 e0 02 e9 b0 ed ff ff 0f 1f 44 00 00 48 89 f0 c6 87 59 56 00 00 01 48 89 d6 <49> c7 00 00 00 00 00 89 ca 49 c7 40 08 00 00 00 00 49 c7 40 10 00 +[ 949.108044] RSP: 0018:ffffb31b0a953cb0 EFLAGS: 00010202 +[ 949.108216] RAX: 000000000046b4d8 RBX: ffff9e9f415b0000 RCX: 0000000000000008 +[ 949.108389] RDX: ffffb31b0a953cc0 RSI: ffffb31b0a953cc0 RDI: ffff9e9f415b0000 +[ 949.108562] RBP: 00000000d2e14928 R08: 0000000000000000 R09: 0000000000000000 +[ 949.108733] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffc8 +[ 949.108907] R13: 0000000000000002 R14: ffff9e9f4f26f2e8 R15: 0000000000000000 +[ 949.109079] FS: 00007eff8694c700(0000) GS:ffff9e9f51a80000(0000) knlGS:0000000031415928 +[ 949.109318] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 949.109495] CR2: 0000000000000000 CR3: 00000003be53b002 CR4: 00000000003626e0 +[ 949.109671] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 949.109845] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 949.110017] Call Trace: +[ 949.110186] handle_vmread+0x22b/0x2f0 [kvm_intel] +[ 949.110356] ? vmexit_fill_RSB+0xc/0x30 [kvm_intel] +[ 949.110549] kvm_arch_vcpu_ioctl_run+0xa98/0x1b30 [kvm] +[ 949.110725] ? kvm_vcpu_ioctl+0x388/0x5d0 [kvm] +[ 949.110901] kvm_vcpu_ioctl+0x388/0x5d0 [kvm] +[ 949.111072] do_vfs_ioctl+0xa2/0x620 + +Signed-off-by: Jack Wang +Acked-by: Paolo Bonzini +--- + arch/x86/kvm/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7668,7 +7668,7 @@ static int handle_vmread(struct kvm_vcpu + /* _system ok, as nested_vmx_check_permission verified cpl=0 */ + if (kvm_write_guest_virt_system(vcpu, gva, &field_value, + (is_long_mode(vcpu) ? 8 : 4), +- NULL)) ++ &e)) + kvm_inject_page_fault(vcpu, &e); + } + diff --git a/queue-4.9/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op.patch b/queue-4.9/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op.patch new file mode 100644 index 00000000000..a45bd3698cd --- /dev/null +++ b/queue-4.9/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op.patch @@ -0,0 +1,50 @@ +From a13b03bbb4575b350b46090af4dfd30e735aaed1 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Thu, 29 Aug 2019 14:25:17 +0200 +Subject: KVM: s390: Test for bad access register and size at the start of S390_MEM_OP + +From: Thomas Huth + +commit a13b03bbb4575b350b46090af4dfd30e735aaed1 upstream. + +If the KVM_S390_MEM_OP ioctl is called with an access register >= 16, +then there is certainly a bug in the calling userspace application. +We check for wrong access registers, but only if the vCPU was already +in the access register mode before (i.e. the SIE block has recorded +it). The check is also buried somewhere deep in the calling chain (in +the function ar_translation()), so this is somewhat hard to find. + +It's better to always report an error to the userspace in case this +field is set wrong, and it's safer in the KVM code if we block wrong +values here early instead of relying on a check somewhere deep down +the calling chain, so let's add another check to kvm_s390_guest_mem_op() +directly. + +We also should check that the "size" is non-zero here (thanks to Janosch +Frank for the hint!). If we do not check the size, we could call vmalloc() +with this 0 value, and this will cause a kernel warning. + +Signed-off-by: Thomas Huth +Link: https://lkml.kernel.org/r/20190829122517.31042-1-thuth@redhat.com +Reviewed-by: Cornelia Huck +Reviewed-by: Janosch Frank +Reviewed-by: David Hildenbrand +Cc: stable@vger.kernel.org +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/kvm-s390.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -3033,7 +3033,7 @@ static long kvm_s390_guest_mem_op(struct + const u64 supported_flags = KVM_S390_MEMOP_F_INJECT_EXCEPTION + | KVM_S390_MEMOP_F_CHECK_ONLY; + +- if (mop->flags & ~supported_flags) ++ if (mop->flags & ~supported_flags || mop->ar >= NUM_ACRS || !mop->size) + return -EINVAL; + + if (mop->size > MEM_OP_MAX_SIZE) diff --git a/queue-4.9/powerpc-powernv-restrict-opal-symbol-map-to-only-be-readable-by-root.patch b/queue-4.9/powerpc-powernv-restrict-opal-symbol-map-to-only-be-readable-by-root.patch new file mode 100644 index 00000000000..8f37e5775a5 --- /dev/null +++ b/queue-4.9/powerpc-powernv-restrict-opal-symbol-map-to-only-be-readable-by-root.patch @@ -0,0 +1,54 @@ +From e7de4f7b64c23e503a8c42af98d56f2a7462bd6d Mon Sep 17 00:00:00 2001 +From: Andrew Donnellan +Date: Fri, 3 May 2019 17:52:53 +1000 +Subject: powerpc/powernv: Restrict OPAL symbol map to only be readable by root + +From: Andrew Donnellan + +commit e7de4f7b64c23e503a8c42af98d56f2a7462bd6d upstream. + +Currently the OPAL symbol map is globally readable, which seems bad as +it contains physical addresses. + +Restrict it to root. + +Fixes: c8742f85125d ("powerpc/powernv: Expose OPAL firmware symbol map") +Cc: stable@vger.kernel.org # v3.19+ +Suggested-by: Michael Ellerman +Signed-off-by: Andrew Donnellan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190503075253.22798-1-ajd@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/opal.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/platforms/powernv/opal.c ++++ b/arch/powerpc/platforms/powernv/opal.c +@@ -579,7 +579,10 @@ static ssize_t symbol_map_read(struct fi + bin_attr->size); + } + +-static BIN_ATTR_RO(symbol_map, 0); ++static struct bin_attribute symbol_map_attr = { ++ .attr = {.name = "symbol_map", .mode = 0400}, ++ .read = symbol_map_read ++}; + + static void opal_export_symmap(void) + { +@@ -596,10 +599,10 @@ static void opal_export_symmap(void) + return; + + /* Setup attributes */ +- bin_attr_symbol_map.private = __va(be64_to_cpu(syms[0])); +- bin_attr_symbol_map.size = be64_to_cpu(syms[1]); ++ symbol_map_attr.private = __va(be64_to_cpu(syms[0])); ++ symbol_map_attr.size = be64_to_cpu(syms[1]); + +- rc = sysfs_create_bin_file(opal_kobj, &bin_attr_symbol_map); ++ rc = sysfs_create_bin_file(opal_kobj, &symbol_map_attr); + if (rc) + pr_warn("Error %d creating OPAL symbols file\n", rc); + } diff --git a/queue-4.9/s390-cio-avoid-calling-strlen-on-null-pointer.patch b/queue-4.9/s390-cio-avoid-calling-strlen-on-null-pointer.patch new file mode 100644 index 00000000000..2407f59abd2 --- /dev/null +++ b/queue-4.9/s390-cio-avoid-calling-strlen-on-null-pointer.patch @@ -0,0 +1,55 @@ +From ea298e6ee8b34b3ed4366be7eb799d0650ebe555 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Tue, 17 Sep 2019 20:04:04 +0200 +Subject: s390/cio: avoid calling strlen on null pointer + +From: Vasily Gorbik + +commit ea298e6ee8b34b3ed4366be7eb799d0650ebe555 upstream. + +Fix the following kasan finding: +BUG: KASAN: global-out-of-bounds in ccwgroup_create_dev+0x850/0x1140 +Read of size 1 at addr 0000000000000000 by task systemd-udevd.r/561 + +CPU: 30 PID: 561 Comm: systemd-udevd.r Tainted: G B +Hardware name: IBM 3906 M04 704 (LPAR) +Call Trace: +([<0000000231b3db7e>] show_stack+0x14e/0x1a8) + [<0000000233826410>] dump_stack+0x1d0/0x218 + [<000000023216fac4>] print_address_description+0x64/0x380 + [<000000023216f5a8>] __kasan_report+0x138/0x168 + [<00000002331b8378>] ccwgroup_create_dev+0x850/0x1140 + [<00000002332b618a>] group_store+0x3a/0x50 + [<00000002323ac706>] kernfs_fop_write+0x246/0x3b8 + [<00000002321d409a>] vfs_write+0x132/0x450 + [<00000002321d47da>] ksys_write+0x122/0x208 + [<0000000233877102>] system_call+0x2a6/0x2c8 + +Triggered by: +openat(AT_FDCWD, "/sys/bus/ccwgroup/drivers/qeth/group", + O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 16 +write(16, "0.0.bd00,0.0.bd01,0.0.bd02", 26) = 26 + +The problem is that __get_next_id in ccwgroup_create_dev might set "buf" +buffer pointer to NULL and explicit check for that is required. + +Cc: stable@vger.kernel.org +Reviewed-by: Sebastian Ott +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/ccwgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/cio/ccwgroup.c ++++ b/drivers/s390/cio/ccwgroup.c +@@ -369,7 +369,7 @@ int ccwgroup_create_dev(struct device *p + goto error; + } + /* Check for trailing stuff. */ +- if (i == num_devices && strlen(buf) > 0) { ++ if (i == num_devices && buf && strlen(buf) > 0) { + rc = -EINVAL; + goto error; + } diff --git a/queue-4.9/s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check.patch b/queue-4.9/s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check.patch new file mode 100644 index 00000000000..8db59f1ea5f --- /dev/null +++ b/queue-4.9/s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check.patch @@ -0,0 +1,54 @@ +From ab5758848039de9a4b249d46e4ab591197eebaf2 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Thu, 19 Sep 2019 15:55:17 +0200 +Subject: s390/cio: exclude subchannels with no parent from pseudo check + +From: Vasily Gorbik + +commit ab5758848039de9a4b249d46e4ab591197eebaf2 upstream. + +ccw console is created early in start_kernel and used before css is +initialized or ccw console subchannel is registered. Until then console +subchannel does not have a parent. For that reason assume subchannels +with no parent are not pseudo subchannels. This fixes the following +kasan finding: + +BUG: KASAN: global-out-of-bounds in sch_is_pseudo_sch+0x8e/0x98 +Read of size 8 at addr 00000000000005e8 by task swapper/0/0 + +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.3.0-rc8-07370-g6ac43dd12538 #2 +Hardware name: IBM 2964 NC9 702 (z/VM 6.4.0) +Call Trace: +([<000000000012cd76>] show_stack+0x14e/0x1e0) + [<0000000001f7fb44>] dump_stack+0x1a4/0x1f8 + [<00000000007d7afc>] print_address_description+0x64/0x3c8 + [<00000000007d75f6>] __kasan_report+0x14e/0x180 + [<00000000018a2986>] sch_is_pseudo_sch+0x8e/0x98 + [<000000000189b950>] cio_enable_subchannel+0x1d0/0x510 + [<00000000018cac7c>] ccw_device_recognition+0x12c/0x188 + [<0000000002ceb1a8>] ccw_device_enable_console+0x138/0x340 + [<0000000002cf1cbe>] con3215_init+0x25e/0x300 + [<0000000002c8770a>] console_init+0x68a/0x9b8 + [<0000000002c6a3d6>] start_kernel+0x4fe/0x728 + [<0000000000100070>] startup_continue+0x70/0xd0 + +Cc: stable@vger.kernel.org +Reviewed-by: Sebastian Ott +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/css.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/s390/cio/css.c ++++ b/drivers/s390/cio/css.c +@@ -1120,6 +1120,8 @@ device_initcall(cio_settle_init); + + int sch_is_pseudo_sch(struct subchannel *sch) + { ++ if (!sch->dev.parent) ++ return 0; + return sch == to_css(sch->dev.parent)->pseudo_subchannel; + } + diff --git a/queue-4.9/s390-topology-avoid-firing-events-before-kobjs-are-created.patch b/queue-4.9/s390-topology-avoid-firing-events-before-kobjs-are-created.patch new file mode 100644 index 00000000000..d900df0181a --- /dev/null +++ b/queue-4.9/s390-topology-avoid-firing-events-before-kobjs-are-created.patch @@ -0,0 +1,61 @@ +From f3122a79a1b0a113d3aea748e0ec26f2cb2889de Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Tue, 17 Sep 2019 22:59:03 +0200 +Subject: s390/topology: avoid firing events before kobjs are created + +From: Vasily Gorbik + +commit f3122a79a1b0a113d3aea748e0ec26f2cb2889de upstream. + +arch_update_cpu_topology is first called from: +kernel_init_freeable->sched_init_smp->sched_init_domains + +even before cpus has been registered in: +kernel_init_freeable->do_one_initcall->s390_smp_init + +Do not trigger kobject_uevent change events until cpu devices are +actually created. Fixes the following kasan findings: + +BUG: KASAN: global-out-of-bounds in kobject_uevent_env+0xb40/0xee0 +Read of size 8 at addr 0000000000000020 by task swapper/0/1 + +BUG: KASAN: global-out-of-bounds in kobject_uevent_env+0xb36/0xee0 +Read of size 8 at addr 0000000000000018 by task swapper/0/1 + +CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B +Hardware name: IBM 3906 M04 704 (LPAR) +Call Trace: +([<0000000143c6db7e>] show_stack+0x14e/0x1a8) + [<0000000145956498>] dump_stack+0x1d0/0x218 + [<000000014429fb4c>] print_address_description+0x64/0x380 + [<000000014429f630>] __kasan_report+0x138/0x168 + [<0000000145960b96>] kobject_uevent_env+0xb36/0xee0 + [<0000000143c7c47c>] arch_update_cpu_topology+0x104/0x108 + [<0000000143df9e22>] sched_init_domains+0x62/0xe8 + [<000000014644c94a>] sched_init_smp+0x3a/0xc0 + [<0000000146433a20>] kernel_init_freeable+0x558/0x958 + [<000000014599002a>] kernel_init+0x22/0x160 + [<00000001459a71d4>] ret_from_fork+0x28/0x30 + [<00000001459a71dc>] kernel_thread_starter+0x0/0x10 + +Cc: stable@vger.kernel.org +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/topology.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/s390/kernel/topology.c ++++ b/arch/s390/kernel/topology.c +@@ -256,7 +256,8 @@ int arch_update_cpu_topology(void) + topology_update_polarization_simple(); + for_each_online_cpu(cpu) { + dev = get_cpu_device(cpu); +- kobject_uevent(&dev->kobj, KOBJ_CHANGE); ++ if (dev) ++ kobject_uevent(&dev->kobj, KOBJ_CHANGE); + } + return rc; + } diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..8fbe2949b45 --- /dev/null +++ b/queue-4.9/series @@ -0,0 +1,11 @@ +kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op.patch +s390-topology-avoid-firing-events-before-kobjs-are-created.patch +s390-cio-avoid-calling-strlen-on-null-pointer.patch +s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check.patch +kvm-nvmx-handle-page-fault-in-vmread-fix.patch +asoc-define-a-set-of-dapm-pre-post-up-events.patch +powerpc-powernv-restrict-opal-symbol-map-to-only-be-readable-by-root.patch +can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch +crypto-qat-silence-smp_processor_id-warning.patch +usercopy-avoid-highmem-pfn-warning.patch +timer-read-jiffies-once-when-forwarding-base-clk.patch diff --git a/queue-4.9/timer-read-jiffies-once-when-forwarding-base-clk.patch b/queue-4.9/timer-read-jiffies-once-when-forwarding-base-clk.patch new file mode 100644 index 00000000000..23a8dd6975e --- /dev/null +++ b/queue-4.9/timer-read-jiffies-once-when-forwarding-base-clk.patch @@ -0,0 +1,75 @@ +From e430d802d6a3aaf61bd3ed03d9404888a29b9bf9 Mon Sep 17 00:00:00 2001 +From: Li RongQing +Date: Thu, 19 Sep 2019 20:04:47 +0800 +Subject: timer: Read jiffies once when forwarding base clk + +From: Li RongQing + +commit e430d802d6a3aaf61bd3ed03d9404888a29b9bf9 upstream. + +The timer delayed for more than 3 seconds warning was triggered during +testing. + + Workqueue: events_unbound sched_tick_remote + RIP: 0010:sched_tick_remote+0xee/0x100 + ... + Call Trace: + process_one_work+0x18c/0x3a0 + worker_thread+0x30/0x380 + kthread+0x113/0x130 + ret_from_fork+0x22/0x40 + +The reason is that the code in collect_expired_timers() uses jiffies +unprotected: + + if (next_event > jiffies) + base->clk = jiffies; + +As the compiler is allowed to reload the value base->clk can advance +between the check and the store and in the worst case advance farther than +next event. That causes the timer expiry to be delayed until the wheel +pointer wraps around. + +Convert the code to use READ_ONCE() + +Fixes: 236968383cf5 ("timers: Optimize collect_expired_timers() for NOHZ") +Signed-off-by: Li RongQing +Signed-off-by: Liang ZhiCheng +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1568894687-14499-1-git-send-email-lirongqing@baidu.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/timer.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -1586,21 +1586,23 @@ void timer_clear_idle(void) + static int collect_expired_timers(struct timer_base *base, + struct hlist_head *heads) + { ++ unsigned long now = READ_ONCE(jiffies); ++ + /* + * NOHZ optimization. After a long idle sleep we need to forward the + * base to current jiffies. Avoid a loop by searching the bitfield for + * the next expiring timer. + */ +- if ((long)(jiffies - base->clk) > 2) { ++ if ((long)(now - base->clk) > 2) { + unsigned long next = __next_timer_interrupt(base); + + /* + * If the next timer is ahead of time forward to current + * jiffies, otherwise forward to the next expiry time: + */ +- if (time_after(next, jiffies)) { ++ if (time_after(next, now)) { + /* The call site will increment clock! */ +- base->clk = jiffies - 1; ++ base->clk = now - 1; + return 0; + } + base->clk = next; diff --git a/queue-4.9/usercopy-avoid-highmem-pfn-warning.patch b/queue-4.9/usercopy-avoid-highmem-pfn-warning.patch new file mode 100644 index 00000000000..b8af7d14452 --- /dev/null +++ b/queue-4.9/usercopy-avoid-highmem-pfn-warning.patch @@ -0,0 +1,88 @@ +From 314eed30ede02fa925990f535652254b5bad6b65 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 17 Sep 2019 11:00:25 -0700 +Subject: usercopy: Avoid HIGHMEM pfn warning + +From: Kees Cook + +commit 314eed30ede02fa925990f535652254b5bad6b65 upstream. + +When running on a system with >512MB RAM with a 32-bit kernel built with: + + CONFIG_DEBUG_VIRTUAL=y + CONFIG_HIGHMEM=y + CONFIG_HARDENED_USERCOPY=y + +all execve()s will fail due to argv copying into kmap()ed pages, and on +usercopy checking the calls ultimately of virt_to_page() will be looking +for "bad" kmap (highmem) pointers due to CONFIG_DEBUG_VIRTUAL=y: + + ------------[ cut here ]------------ + kernel BUG at ../arch/x86/mm/physaddr.c:83! + invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC + CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.3.0-rc8 #6 + Hardware name: Dell Inc. Inspiron 1318/0C236D, BIOS A04 01/15/2009 + EIP: __phys_addr+0xaf/0x100 + ... + Call Trace: + __check_object_size+0xaf/0x3c0 + ? __might_sleep+0x80/0xa0 + copy_strings+0x1c2/0x370 + copy_strings_kernel+0x2b/0x40 + __do_execve_file+0x4ca/0x810 + ? kmem_cache_alloc+0x1c7/0x370 + do_execve+0x1b/0x20 + ... + +The check is from arch/x86/mm/physaddr.c: + + VIRTUAL_BUG_ON((phys_addr >> PAGE_SHIFT) > max_low_pfn); + +Due to the kmap() in fs/exec.c: + + kaddr = kmap(kmapped_page); + ... + if (copy_from_user(kaddr+offset, str, bytes_to_copy)) ... + +Now we can fetch the correct page to avoid the pfn check. In both cases, +hardened usercopy will need to walk the page-span checker (if enabled) +to do sanity checking. + +Reported-by: Randy Dunlap +Tested-by: Randy Dunlap +Fixes: f5509cc18daa ("mm: Hardened usercopy") +Cc: Matthew Wilcox +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Matthew Wilcox (Oracle) +Link: https://lore.kernel.org/r/201909171056.7F2FFD17@keescook +Signed-off-by: Greg Kroah-Hartman + +--- + mm/usercopy.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/mm/usercopy.c ++++ b/mm/usercopy.c +@@ -15,6 +15,7 @@ + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + + #include ++#include + #include + #include + +@@ -217,7 +218,12 @@ static inline const char *check_heap_obj + if (!virt_addr_valid(ptr)) + return NULL; + +- page = virt_to_head_page(ptr); ++ /* ++ * When CONFIG_HIGHMEM=y, kmap_to_page() will give either the ++ * highmem page or fallback to virt_to_page(). The following ++ * is effectively a highmem-aware virt_to_head_page(). ++ */ ++ page = compound_head(kmap_to_page((void *)ptr)); + + /* Check slab allocator for flags and size. */ + if (PageSlab(page))