From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 11 Oct 2020 08:39:35 +0000 (+0200)
Subject: 5.8-stable patches
X-Git-Tag: v4.4.239~47
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d3f479bd3d0db578c04ae128064dcf3f8f5e68b4;p=thirdparty%2Fkernel%2Fstable-queue.git

5.8-stable patches

added patches:
	gpiolib-disable-compat-read-code-in-uml-case.patch
	macsec-avoid-use-after-free-in-macsec_handle_frame.patch
	nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
	risc-v-make-sure-memblock-reserves-the-memory-containing-dt.patch
---

diff --git a/queue-5.8/gpiolib-disable-compat-read-code-in-uml-case.patch b/queue-5.8/gpiolib-disable-compat-read-code-in-uml-case.patch
new file mode 100644
index 00000000000..60f7e80941f
--- /dev/null
+++ b/queue-5.8/gpiolib-disable-compat-read-code-in-uml-case.patch
@@ -0,0 +1,38 @@
+From 47e538d86d5776ac8152146c3ed3d22326243190 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Mon, 5 Oct 2020 16:10:44 +0300
+Subject: gpiolib: Disable compat ->read() code in UML case
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 47e538d86d5776ac8152146c3ed3d22326243190 upstream.
+
+It appears that UML (arch/um) has no compat.h header defined and hence
+can't compile a recently provided piece of code in GPIO library.
+
+Disable compat ->read() code in UML case to avoid compilation errors.
+
+While at it, use pattern which is already being used in the kernel elsewhere.
+
+Fixes: 5ad284ab3a01 ("gpiolib: Fix line event handling in syscall compatible mode")
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20201005131044.87276-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -838,7 +838,7 @@ static __poll_t lineevent_poll(struct fi
+ 
+ static ssize_t lineevent_get_size(void)
+ {
+-#ifdef __x86_64__
++#if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
+ 	/* i386 has no padding after 'id' */
+ 	if (in_ia32_syscall()) {
+ 		struct compat_gpioeevent_data {
diff --git a/queue-5.8/macsec-avoid-use-after-free-in-macsec_handle_frame.patch b/queue-5.8/macsec-avoid-use-after-free-in-macsec_handle_frame.patch
new file mode 100644
index 00000000000..d85619a726e
--- /dev/null
+++ b/queue-5.8/macsec-avoid-use-after-free-in-macsec_handle_frame.patch
@@ -0,0 +1,45 @@
+From c7cc9200e9b4a2ac172e990ef1975cd42975dad6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 7 Oct 2020 01:42:46 -0700
+Subject: macsec: avoid use-after-free in macsec_handle_frame()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit c7cc9200e9b4a2ac172e990ef1975cd42975dad6 upstream.
+
+De-referencing skb after call to gro_cells_receive() is not allowed.
+We need to fetch skb->len earlier.
+
+Fixes: 5491e7c6b1a9 ("macsec: enable GRO and RPS on macsec devices")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/macsec.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1077,6 +1077,7 @@ static rx_handler_result_t macsec_handle
+ 	struct macsec_rx_sa *rx_sa;
+ 	struct macsec_rxh_data *rxd;
+ 	struct macsec_dev *macsec;
++	unsigned int len;
+ 	sci_t sci;
+ 	u32 hdr_pn;
+ 	bool cbit;
+@@ -1232,9 +1233,10 @@ deliver:
+ 	macsec_rxsc_put(rx_sc);
+ 
+ 	skb_orphan(skb);
++	len = skb->len;
+ 	ret = gro_cells_receive(&macsec->gro_cells, skb);
+ 	if (ret == NET_RX_SUCCESS)
+-		count_rx(dev, skb->len);
++		count_rx(dev, len);
+ 	else
+ 		macsec->secy.netdev->stats.rx_dropped++;
+ 
diff --git a/queue-5.8/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch b/queue-5.8/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
new file mode 100644
index 00000000000..f1a156259e8
--- /dev/null
+++ b/queue-5.8/nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
@@ -0,0 +1,39 @@
+From 4bab69093044ca81f394bd0780be1b71c5a4d308 Mon Sep 17 00:00:00 2001
+From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Date: Tue, 6 Oct 2020 16:36:47 -0700
+Subject: nvme-core: put ctrl ref when module ref get fail
+
+From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+
+commit 4bab69093044ca81f394bd0780be1b71c5a4d308 upstream.
+
+When try_module_get() fails in the nvme_dev_open() it returns without
+releasing the ctrl reference which was taken earlier.
+
+Put the ctrl reference which is taken before calling the
+try_module_get() in the error return code path.
+
+Fixes: 52a3974feb1a "nvme-core: get/put ctrl and transport module in nvme_dev_open/release()"
+Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvme/host/core.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3061,8 +3061,10 @@ static int nvme_dev_open(struct inode *i
+ 	}
+ 
+ 	nvme_get_ctrl(ctrl);
+-	if (!try_module_get(ctrl->ops->module))
++	if (!try_module_get(ctrl->ops->module)) {
++		nvme_put_ctrl(ctrl);
+ 		return -EINVAL;
++	}
+ 
+ 	file->private_data = ctrl;
+ 	return 0;
diff --git a/queue-5.8/risc-v-make-sure-memblock-reserves-the-memory-containing-dt.patch b/queue-5.8/risc-v-make-sure-memblock-reserves-the-memory-containing-dt.patch
new file mode 100644
index 00000000000..627d184e8d8
--- /dev/null
+++ b/queue-5.8/risc-v-make-sure-memblock-reserves-the-memory-containing-dt.patch
@@ -0,0 +1,34 @@
+From a78c6f5956a949b496a5b087188dde52483edf51 Mon Sep 17 00:00:00 2001
+From: Atish Patra <atish.patra@wdc.com>
+Date: Thu, 1 Oct 2020 12:04:56 -0700
+Subject: RISC-V: Make sure memblock reserves the memory containing DT
+
+From: Atish Patra <atish.patra@wdc.com>
+
+commit a78c6f5956a949b496a5b087188dde52483edf51 upstream.
+
+Currently, the memory containing DT is not reserved. Thus, that region
+of memory can be reallocated or reused for other purposes. This may result
+in  corrupted DT for nommu virt board in Qemu. We may not face any issue
+in kendryte as DT is embedded in the kernel image for that.
+
+Fixes: 6bd33e1ece52 ("riscv: add nommu support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Atish Patra <atish.patra@wdc.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/riscv/mm/init.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -515,6 +515,7 @@ asmlinkage void __init setup_vm(uintptr_
+ #else
+ 	dtb_early_va = (void *)dtb_pa;
+ #endif
++	dtb_early_pa = dtb_pa;
+ }
+ 
+ static inline void setup_vm_final(void)
diff --git a/queue-5.8/series b/queue-5.8/series
index a53a70c0434..c236bb89804 100644
--- a/queue-5.8/series
+++ b/queue-5.8/series
@@ -23,3 +23,7 @@ bpf-prevent-.btf-section-elimination.patch
 r8169-consider-that-phy-reset-may-still-be-in-progress-after-applying-firmware.patch
 platform-x86-intel-vbtn-switch-to-an-allow-list-for-sw_tablet_mode-reporting.patch
 platform-x86-thinkpad_acpi-re-initialize-acpi-buffer-size-when-reuse.patch
+nvme-core-put-ctrl-ref-when-module-ref-get-fail.patch
+macsec-avoid-use-after-free-in-macsec_handle_frame.patch
+risc-v-make-sure-memblock-reserves-the-memory-containing-dt.patch
+gpiolib-disable-compat-read-code-in-uml-case.patch