From: Greg Kroah-Hartman Date: Thu, 19 Sep 2019 14:02:20 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.194~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e583ad1e6186bea0d245ab2322cec7b66956ab07;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: kvm-coalesced_mmio-add-bounds-checking.patch serial-sprd-correct-the-wrong-sequence-of-arguments.patch tty-serial-atmel-reschedule-tx-after-rx-was-started.patch
---
diff --git a/queue-4.9/kvm-coalesced_mmio-add-bounds-checking.patch b/queue-4.9/kvm-coalesced_mmio-add-bounds-checking.patch
new file mode 100644
index 00000000000..99dc7401b84
--- /dev/null
+++ b/queue-4.9/kvm-coalesced_mmio-add-bounds-checking.patch
@@ -0,0 +1,82 @@
+From b60fe990c6b07ef6d4df67bc0530c7c90a62623a Mon Sep 17 00:00:00 2001
+From: Matt Delco
+Date: Mon, 16 Sep 2019 14:16:54 -0700
+Subject: KVM: coalesced_mmio: add bounds checking
+
+From: Matt Delco
+
+commit b60fe990c6b07ef6d4df67bc0530c7c90a62623a upstream.
+
+The first/last indexes are typically shared with a user app.
+The app can change the 'last' index that the kernel uses
+to store the next result. This change sanity checks the index
+before using it for writing to a potentially arbitrary address.
+
+This fixes CVE-2019-14821.
+
+Cc: stable@vger.kernel.org
+Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
+Signed-off-by: Matt Delco
+Signed-off-by: Jim Mattson
+Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
+[Use READ_ONCE. - Paolo]
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/coalesced_mmio.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/virt/kvm/coalesced_mmio.c
++++ b/virt/kvm/coalesced_mmio.c
+@@ -39,7 +39,7 @@ static int coalesced_mmio_in_range(struc
+ return 1;
+ }
+
+-static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
++static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
+ {
+ struct kvm_coalesced_mmio_ring *ring;
+ unsigned avail;
+@@ -51,7 +51,7 @@ static int coalesced_mmio_has_room(struc
+ * there is always one unused entry in the buffer
+ */
+ ring = dev->kvm->coalesced_mmio_ring;
+- avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
++ avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
+ if (avail == 0) {
+ /* full */
+ return 0;
+@@ -66,24 +66,27 @@ static int coalesced_mmio_write(struct k
+ {
+ struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
+ struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
++ __u32 insert;
+
+ if (!coalesced_mmio_in_range(dev, addr, len))
+ return -EOPNOTSUPP;
+
+ spin_lock(&dev->kvm->ring_lock);
+
+- if (!coalesced_mmio_has_room(dev)) {
++ insert = READ_ONCE(ring->last);
++ if (!coalesced_mmio_has_room(dev, insert) ||
++ insert >= KVM_COALESCED_MMIO_MAX) {
+ spin_unlock(&dev->kvm->ring_lock);
+ return -EOPNOTSUPP;
+ }
+
+ /* copy data in first free entry of the ring */
+
+- ring->coalesced_mmio[ring->last].phys_addr = addr;
+- ring->coalesced_mmio[ring->last].len = len;
+- memcpy(ring->coalesced_mmio[ring->last].data, val, len);
++ ring->coalesced_mmio[insert].phys_addr = addr;
++ ring->coalesced_mmio[insert].len = len;
++ memcpy(ring->coalesced_mmio[insert].data, val, len);
+ smp_wmb();
+- ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
++ ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
+ spin_unlock(&dev->kvm->ring_lock);
+ return 0;
+ }
diff --git a/queue-4.9/serial-sprd-correct-the-wrong-sequence-of-arguments.patch b/queue-4.9/serial-sprd-correct-the-wrong-sequence-of-arguments.patch
new file mode 100644
index 00000000000..cae17958af5
--- /dev/null
+++ b/queue-4.9/serial-sprd-correct-the-wrong-sequence-of-arguments.patch
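Review bot: In coalesced_mmio_write() (virt/kvm/coalesced_mmio.c, last inner hunk of the KVM patch) the range test `insert >= KVM_COALESCED_MMIO_MAX` runs after `coalesced_mmio_has_room(dev, insert)`, so the helper still computes on an index that has not been validated; that looks harmless because the helper only takes a modulus, but testing the range first states the intent: `if (insert >= KVM_COALESCED_MMIO_MAX || !coalesced_mmio_has_room(dev, insert)) {`. The snapshot line has no comment, and the reason for it is easy to lose in a later cleanup; I would add `/* ring is shared with userspace: read 'last' once and use only the checked copy as the index */` above `insert = READ_ONCE(ring->last);`. `ring->first` is still read directly in coalesced_mmio_has_room(); from the visible lines it feeds only the `avail` computation and never an array index, but part of that function lies outside the hunks. The helper takes `u32 last` while the caller declares `__u32 insert`, and one spelling would be more consistent.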
@@ -0,0 +1,35 @@
+From 9c801e313195addaf11c16e155f50789d6ebfd19 Mon Sep 17 00:00:00 2001
+From: Chunyan Zhang
+Date: Thu, 5 Sep 2019 15:41:51 +0800
+Subject: serial: sprd: correct the wrong sequence of arguments
+
+From: Chunyan Zhang
+
+commit 9c801e313195addaf11c16e155f50789d6ebfd19 upstream.
+
+The sequence of arguments which was passed to handle_lsr_errors() didn't
+match the parameters defined in that function, &lsr was passed to flag
+and &flag was passed to lsr, this patch fixed that.
+
+Fixes: b7396a38fb28 ("tty/serial: Add Spreadtrum sc9836-uart driver support")
+Signed-off-by: Chunyan Zhang
+Signed-off-by: Chunyan Zhang
+Cc: stable
+Link: https://lore.kernel.org/r/20190905074151.5268-1-zhang.lyra@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/sprd_serial.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sprd_serial.c
++++ b/drivers/tty/serial/sprd_serial.c
+@@ -240,7 +240,7 @@ static inline void sprd_rx(struct uart_p
+
+ if (lsr & (SPRD_LSR_BI | SPRD_LSR_PE |
+ SPRD_LSR_FE | SPRD_LSR_OE))
+- if (handle_lsr_errors(port, &lsr, &flag))
++ if (handle_lsr_errors(port, &flag, &lsr))
+ continue;
+ if (uart_handle_sysrq_char(port, ch))
+ continue;
diff --git a/queue-4.9/series b/queue-4.9/series
index 25faceed63b..ae588821fca 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -37,3 +37,6 @@ media-tm6000-double-free-if-usb-disconnect-while-streaming.patch
 powerpc-mm-radix-use-the-right-page-size-for-vmemmap-mapping.patch
 x86-boot-add-missing-bootparam-that-breaks-boot-on-some-platforms.patch
 xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch
+kvm-coalesced_mmio-add-bounds-checking.patch
+serial-sprd-correct-the-wrong-sequence-of-arguments.patch
+tty-serial-atmel-reschedule-tx-after-rx-was-started.patch
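Review bot: In the sprd_rx() hunk (drivers/tty/serial/sprd_serial.c) the corrected call is the body of an unbraced `if` nested inside another unbraced, two-line `if`, with `continue` one level further in; braces on the outer `if (lsr & (...))` would make it clear which statements the error path covers. The swapped order compiled before this fix, which suggests both out-parameters have the same pointer type (the prototype of handle_lsr_errors() is not visible here), so the compiler will not catch a repeat; a short comment at the call, `/* order is (port, flag, lsr) */`, would guard against it. sprd_rx() starts and ends outside the hunk.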
diff --git a/queue-4.9/tty-serial-atmel-reschedule-tx-after-rx-was-started.patch b/queue-4.9/tty-serial-atmel-reschedule-tx-after-rx-was-started.patch
new file mode 100644
index 00000000000..2f57a7132b8
--- /dev/null
+++ b/queue-4.9/tty-serial-atmel-reschedule-tx-after-rx-was-started.patch
@@ -0,0 +1,34 @@
+From d2ace81bf902a9f11d52e59e5d232d2255a0e353 Mon Sep 17 00:00:00 2001
+From: Razvan Stefanescu
+Date: Tue, 13 Aug 2019 10:40:25 +0300
+Subject: tty/serial: atmel: reschedule TX after RX was started
+
+From: Razvan Stefanescu
+
+commit d2ace81bf902a9f11d52e59e5d232d2255a0e353 upstream.
+
+When half-duplex RS485 communication is used, after RX is started, TX
+tasklet still needs to be scheduled tasklet. This avoids console freezing
+when more data is to be transmitted, if the serial communication is not
+closed.
+
+Fixes: 69646d7a3689 ("tty/serial: atmel: RS485 HD w/DMA: enable RX after TX is stopped")
+Signed-off-by: Razvan Stefanescu
+Cc: stable
+Link: https://lore.kernel.org/r/20190813074025.16218-1-razvan.stefanescu@microchip.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/atmel_serial.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -1279,7 +1279,6 @@ atmel_handle_transmit(struct uart_port *
+
+ atmel_port->hd_start_rx = false;
+ atmel_start_rx(port);
+- return;
+ }
+
+ atmel_tasklet_schedule(atmel_port, &atmel_port->tasklet_tx);