From: Greg Kroah-Hartman Date: Mon, 6 May 2019 14:25:07 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.9.174~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=efa860ba17da6ea33aa93ebd82b4a92093363606;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: clk-x86-add-system-specific-quirk-to-mark-clocks-as-critical.patch gpio-mxc-add-check-to-return-defer-probe-if-clock-tree-not-ready.patch i2c-i2c-stm32f7-fix-sdadel-minimum-formula.patch ib-core-destroy-qp-if-xrc-qp-fails.patch ib-core-fix-potential-memory-leak-while-creating-mad-agents.patch ib-core-unregister-notifier-before-freeing-mad-security.patch input-snvs_pwrkey-initialize-necessary-driver-data-before-enabling-irq.patch input-stmfts-acknowledge-that-setting-brightness-is-a-blocking-call.patch mac80211-honor-sw_crypto_control-for-unicast-keys-in-ap-vlan-mode.patch media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area-topdown-search.patch selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch selinux-never-allow-relabeling-on-context-mounts.patch x86-mce-improve-error-message-when-kernel-cannot-recover-p2.patch x86-mm-fix-a-crash-with-kmemleak_scan.patch x86-mm-kaslr-fix-the-size-of-the-direct-mapping-section.patch x86-mm-tlb-revert-x86-mm-align-tlb-invalidation-info.patch --- diff --git a/queue-4.19/clk-x86-add-system-specific-quirk-to-mark-clocks-as-critical.patch b/queue-4.19/clk-x86-add-system-specific-quirk-to-mark-clocks-as-critical.patch new file mode 100644 index 00000000000..0b27147b003 --- /dev/null +++ b/queue-4.19/clk-x86-add-system-specific-quirk-to-mark-clocks-as-critical.patch @@ -0,0 +1,136 @@ +From 7c2e07130090ae001a97a6b65597830d6815e93e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?David=20M=C3=BCller?= +Date: Mon, 8 Apr 2019 15:33:54 +0200 +Subject: clk: x86: Add system specific quirk to mark clocks as critical +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Müller + +commit 7c2e07130090ae001a97a6b65597830d6815e93e upstream. + +Since commit 648e921888ad ("clk: x86: Stop marking clocks as +CLK_IS_CRITICAL"), the pmc_plt_clocks of the Bay Trail SoC are +unconditionally gated off. Unfortunately this will break systems where these +clocks are used for external purposes beyond the kernel's knowledge. Fix it +by implementing a system specific quirk to mark the necessary pmc_plt_clks as +critical. + +Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") +Signed-off-by: David Müller +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/x86/clk-pmc-atom.c | 14 +++++++++++--- + drivers/platform/x86/pmc_atom.c | 21 +++++++++++++++++++++ + include/linux/platform_data/x86/clk-pmc-atom.h | 3 +++ + 3 files changed, 35 insertions(+), 3 deletions(-) + +--- a/drivers/clk/x86/clk-pmc-atom.c ++++ b/drivers/clk/x86/clk-pmc-atom.c +@@ -165,7 +165,7 @@ static const struct clk_ops plt_clk_ops + }; + + static struct clk_plt *plt_clk_register(struct platform_device *pdev, int id, +- void __iomem *base, ++ const struct pmc_clk_data *pmc_data, + const char **parent_names, + int num_parents) + { +@@ -184,9 +184,17 @@ static struct clk_plt *plt_clk_register( + init.num_parents = num_parents; + + pclk->hw.init = &init; +- pclk->reg = base + PMC_CLK_CTL_OFFSET + id * PMC_CLK_CTL_SIZE; ++ pclk->reg = pmc_data->base + PMC_CLK_CTL_OFFSET + id * PMC_CLK_CTL_SIZE; + spin_lock_init(&pclk->lock); + ++ /* ++ * On some systems, the pmc_plt_clocks already enabled by the ++ * firmware are being marked as critical to avoid them being ++ * gated by the clock framework. ++ */ ++ if (pmc_data->critical && plt_clk_is_enabled(&pclk->hw)) ++ init.flags |= CLK_IS_CRITICAL; ++ + ret = devm_clk_hw_register(&pdev->dev, &pclk->hw); + if (ret) { + pclk = ERR_PTR(ret); +@@ -332,7 +340,7 @@ static int plt_clk_probe(struct platform + return PTR_ERR(parent_names); + + for (i = 0; i < PMC_CLK_NUM; i++) { +- data->clks[i] = plt_clk_register(pdev, i, pmc_data->base, ++ data->clks[i] = plt_clk_register(pdev, i, pmc_data, + parent_names, data->nparents); + if (IS_ERR(data->clks[i])) { + err = PTR_ERR(data->clks[i]); +--- a/drivers/platform/x86/pmc_atom.c ++++ b/drivers/platform/x86/pmc_atom.c +@@ -17,6 +17,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -391,11 +392,27 @@ static int pmc_dbgfs_register(struct pmc + } + #endif /* CONFIG_DEBUG_FS */ + ++/* ++ * Some systems need one or more of their pmc_plt_clks to be ++ * marked as critical. ++ */ ++static const struct dmi_system_id critclk_systems[] __initconst = { ++ { ++ .ident = "MPL CEC1x", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "MPL AG"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "CEC10 Family"), ++ }, ++ }, ++ { /*sentinel*/ } ++}; ++ + static int pmc_setup_clks(struct pci_dev *pdev, void __iomem *pmc_regmap, + const struct pmc_data *pmc_data) + { + struct platform_device *clkdev; + struct pmc_clk_data *clk_data; ++ const struct dmi_system_id *d = dmi_first_match(critclk_systems); + + clk_data = kzalloc(sizeof(*clk_data), GFP_KERNEL); + if (!clk_data) +@@ -403,6 +420,10 @@ static int pmc_setup_clks(struct pci_dev + + clk_data->base = pmc_regmap; /* offset is added by client */ + clk_data->clks = pmc_data->clks; ++ if (d) { ++ clk_data->critical = true; ++ pr_info("%s critclks quirk enabled\n", d->ident); ++ } + + clkdev = platform_device_register_data(&pdev->dev, "clk-pmc-atom", + PLATFORM_DEVID_NONE, +--- a/include/linux/platform_data/x86/clk-pmc-atom.h ++++ b/include/linux/platform_data/x86/clk-pmc-atom.h +@@ -35,10 +35,13 @@ struct pmc_clk { + * + * @base: PMC clock register base offset + * @clks: pointer to set of registered clocks, typically 0..5 ++ * @critical: flag to indicate if firmware enabled pmc_plt_clks ++ * should be marked as critial or not + */ + struct pmc_clk_data { + void __iomem *base; + const struct pmc_clk *clks; ++ bool critical; + }; + + #endif /* __PLATFORM_DATA_X86_CLK_PMC_ATOM_H */ diff --git a/queue-4.19/gpio-mxc-add-check-to-return-defer-probe-if-clock-tree-not-ready.patch b/queue-4.19/gpio-mxc-add-check-to-return-defer-probe-if-clock-tree-not-ready.patch new file mode 100644 index 00000000000..f8f16746e83 --- /dev/null +++ b/queue-4.19/gpio-mxc-add-check-to-return-defer-probe-if-clock-tree-not-ready.patch @@ -0,0 +1,39 @@ +From a329bbe707cee2cf8c660890ef2ad0d00ec7e8a3 Mon Sep 17 00:00:00 2001 +From: Anson Huang +Date: Sat, 23 Feb 2019 03:18:25 +0000 +Subject: gpio: mxc: add check to return defer probe if clock tree NOT ready + +From: Anson Huang + +commit a329bbe707cee2cf8c660890ef2ad0d00ec7e8a3 upstream. + +On i.MX8MQ platform, clock driver uses platform driver +model and it is probed after GPIO driver, so when GPIO +driver fails to get clock, it should check the error type +to decide whether to return defer probe or just ignore +the clock operation. + +Fixes: 2808801aab8a ("gpio: mxc: add clock operation") +Signed-off-by: Anson Huang +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-mxc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-mxc.c ++++ b/drivers/gpio/gpio-mxc.c +@@ -438,8 +438,11 @@ static int mxc_gpio_probe(struct platfor + + /* the controller clock is optional */ + port->clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(port->clk)) ++ if (IS_ERR(port->clk)) { ++ if (PTR_ERR(port->clk) == -EPROBE_DEFER) ++ return -EPROBE_DEFER; + port->clk = NULL; ++ } + + err = clk_prepare_enable(port->clk); + if (err) { diff --git a/queue-4.19/i2c-i2c-stm32f7-fix-sdadel-minimum-formula.patch b/queue-4.19/i2c-i2c-stm32f7-fix-sdadel-minimum-formula.patch new file mode 100644 index 00000000000..509eb69513e --- /dev/null +++ b/queue-4.19/i2c-i2c-stm32f7-fix-sdadel-minimum-formula.patch @@ -0,0 +1,33 @@ +From c86da50cfd840edf223a242580913692acddbcf6 Mon Sep 17 00:00:00 2001 +From: Nicolas Le Bayon +Date: Wed, 6 Mar 2019 15:12:16 +0000 +Subject: i2c: i2c-stm32f7: Fix SDADEL minimum formula + +From: Nicolas Le Bayon + +commit c86da50cfd840edf223a242580913692acddbcf6 upstream. + +It conforms with Reference Manual I2C timing section. + +Fixes: aeb068c57214 ("i2c: i2c-stm32f7: add driver") +Signed-off-by: Nicolas Le Bayon +Signed-off-by: Bich Hemon +Reviewed-by: Pierre-Yves MORDRET +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-stm32f7.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-stm32f7.c ++++ b/drivers/i2c/busses/i2c-stm32f7.c +@@ -424,7 +424,7 @@ static int stm32f7_i2c_compute_timing(st + STM32F7_I2C_ANALOG_FILTER_DELAY_MAX : 0); + dnf_delay = setup->dnf * i2cclk; + +- sdadel_min = setup->fall_time - i2c_specs[setup->speed].hddat_min - ++ sdadel_min = i2c_specs[setup->speed].hddat_min + setup->fall_time - + af_delay_min - (setup->dnf + 3) * i2cclk; + + sdadel_max = i2c_specs[setup->speed].vddat_max - setup->rise_time - diff --git a/queue-4.19/ib-core-destroy-qp-if-xrc-qp-fails.patch b/queue-4.19/ib-core-destroy-qp-if-xrc-qp-fails.patch new file mode 100644 index 00000000000..bb4f4762561 --- /dev/null +++ b/queue-4.19/ib-core-destroy-qp-if-xrc-qp-fails.patch @@ -0,0 +1,111 @@ +From 535005ca8e5e71918d64074032f4b9d4fef8981e Mon Sep 17 00:00:00 2001 +From: Yuval Avnery +Date: Tue, 22 Jan 2019 09:02:05 +0200 +Subject: IB/core: Destroy QP if XRC QP fails + +From: Yuval Avnery + +commit 535005ca8e5e71918d64074032f4b9d4fef8981e upstream. + +The open-coded variant missed destroy of SELinux created QP, reuse already +existing ib_detroy_qp() call and use this opportunity to clean +ib_create_qp() from double prints and unclear exit paths. + +Reported-by: Parav Pandit +Fixes: d291f1a65232 ("IB/core: Enforce PKey security on QPs") +Signed-off-by: Yuval Avnery +Reviewed-by: Parav Pandit +Reviewed-by: Daniel Jurgens +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/verbs.c | 41 +++++++++++++++++++++++----------------- + 1 file changed, 24 insertions(+), 17 deletions(-) + +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -1087,8 +1087,8 @@ struct ib_qp *ib_open_qp(struct ib_xrcd + } + EXPORT_SYMBOL(ib_open_qp); + +-static struct ib_qp *ib_create_xrc_qp(struct ib_qp *qp, +- struct ib_qp_init_attr *qp_init_attr) ++static struct ib_qp *create_xrc_qp(struct ib_qp *qp, ++ struct ib_qp_init_attr *qp_init_attr) + { + struct ib_qp *real_qp = qp; + +@@ -1103,10 +1103,10 @@ static struct ib_qp *ib_create_xrc_qp(st + + qp = __ib_open_qp(real_qp, qp_init_attr->event_handler, + qp_init_attr->qp_context); +- if (!IS_ERR(qp)) +- __ib_insert_xrcd_qp(qp_init_attr->xrcd, real_qp); +- else +- real_qp->device->destroy_qp(real_qp); ++ if (IS_ERR(qp)) ++ return qp; ++ ++ __ib_insert_xrcd_qp(qp_init_attr->xrcd, real_qp); + return qp; + } + +@@ -1137,10 +1137,8 @@ struct ib_qp *ib_create_qp(struct ib_pd + return qp; + + ret = ib_create_qp_security(qp, device); +- if (ret) { +- ib_destroy_qp(qp); +- return ERR_PTR(ret); +- } ++ if (ret) ++ goto err; + + qp->real_qp = qp; + qp->qp_type = qp_init_attr->qp_type; +@@ -1153,8 +1151,15 @@ struct ib_qp *ib_create_qp(struct ib_pd + INIT_LIST_HEAD(&qp->sig_mrs); + qp->port = 0; + +- if (qp_init_attr->qp_type == IB_QPT_XRC_TGT) +- return ib_create_xrc_qp(qp, qp_init_attr); ++ if (qp_init_attr->qp_type == IB_QPT_XRC_TGT) { ++ struct ib_qp *xrc_qp = create_xrc_qp(qp, qp_init_attr); ++ ++ if (IS_ERR(xrc_qp)) { ++ ret = PTR_ERR(xrc_qp); ++ goto err; ++ } ++ return xrc_qp; ++ } + + qp->event_handler = qp_init_attr->event_handler; + qp->qp_context = qp_init_attr->qp_context; +@@ -1181,11 +1186,8 @@ struct ib_qp *ib_create_qp(struct ib_pd + + if (qp_init_attr->cap.max_rdma_ctxs) { + ret = rdma_rw_init_mrs(qp, qp_init_attr); +- if (ret) { +- pr_err("failed to init MR pool ret= %d\n", ret); +- ib_destroy_qp(qp); +- return ERR_PTR(ret); +- } ++ if (ret) ++ goto err; + } + + /* +@@ -1198,6 +1200,11 @@ struct ib_qp *ib_create_qp(struct ib_pd + device->attrs.max_sge_rd); + + return qp; ++ ++err: ++ ib_destroy_qp(qp); ++ return ERR_PTR(ret); ++ + } + EXPORT_SYMBOL(ib_create_qp); + diff --git a/queue-4.19/ib-core-fix-potential-memory-leak-while-creating-mad-agents.patch b/queue-4.19/ib-core-fix-potential-memory-leak-while-creating-mad-agents.patch new file mode 100644 index 00000000000..54c87cbe2c7 --- /dev/null +++ b/queue-4.19/ib-core-fix-potential-memory-leak-while-creating-mad-agents.patch @@ -0,0 +1,50 @@ +From 6e88e672b69f0e627acdae74a527b730ea224b6b Mon Sep 17 00:00:00 2001 +From: Daniel Jurgens +Date: Sat, 2 Feb 2019 11:09:43 +0200 +Subject: IB/core: Fix potential memory leak while creating MAD agents + +From: Daniel Jurgens + +commit 6e88e672b69f0e627acdae74a527b730ea224b6b upstream. + +If the MAD agents isn't allowed to manage the subnet, or fails to register +for the LSM notifier, the security context is leaked. Free the context in +these cases. + +Fixes: 47a2b338fe63 ("IB/core: Enforce security on management datagrams") +Signed-off-by: Daniel Jurgens +Reviewed-by: Parav Pandit +Reported-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/security.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/core/security.c ++++ b/drivers/infiniband/core/security.c +@@ -711,16 +711,20 @@ int ib_mad_agent_security_setup(struct i + agent->device->name, + agent->port_num); + if (ret) +- return ret; ++ goto free_security; + + agent->lsm_nb.notifier_call = ib_mad_agent_security_change; + ret = register_lsm_notifier(&agent->lsm_nb); + if (ret) +- return ret; ++ goto free_security; + + agent->smp_allowed = true; + agent->lsm_nb_reg = true; + return 0; ++ ++free_security: ++ security_ib_free_security(agent->security); ++ return ret; + } + + void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent) diff --git a/queue-4.19/ib-core-unregister-notifier-before-freeing-mad-security.patch b/queue-4.19/ib-core-unregister-notifier-before-freeing-mad-security.patch new file mode 100644 index 00000000000..3758b91b3e4 --- /dev/null +++ b/queue-4.19/ib-core-unregister-notifier-before-freeing-mad-security.patch @@ -0,0 +1,37 @@ +From d60667fc398ed34b3c7456b020481c55c760e503 Mon Sep 17 00:00:00 2001 +From: Daniel Jurgens +Date: Sat, 2 Feb 2019 11:09:42 +0200 +Subject: IB/core: Unregister notifier before freeing MAD security + +From: Daniel Jurgens + +commit d60667fc398ed34b3c7456b020481c55c760e503 upstream. + +If the notifier runs after the security context is freed an access of +freed memory can occur. + +Fixes: 47a2b338fe63 ("IB/core: Enforce security on management datagrams") +Signed-off-by: Daniel Jurgens +Reviewed-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/security.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/security.c ++++ b/drivers/infiniband/core/security.c +@@ -728,9 +728,10 @@ void ib_mad_agent_security_cleanup(struc + if (!rdma_protocol_ib(agent->device, agent->port_num)) + return; + +- security_ib_free_security(agent->security); + if (agent->lsm_nb_reg) + unregister_lsm_notifier(&agent->lsm_nb); ++ ++ security_ib_free_security(agent->security); + } + + int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index) diff --git a/queue-4.19/input-snvs_pwrkey-initialize-necessary-driver-data-before-enabling-irq.patch b/queue-4.19/input-snvs_pwrkey-initialize-necessary-driver-data-before-enabling-irq.patch new file mode 100644 index 00000000000..c1cddeba351 --- /dev/null +++ b/queue-4.19/input-snvs_pwrkey-initialize-necessary-driver-data-before-enabling-irq.patch @@ -0,0 +1,46 @@ +From bf2a7ca39fd3ab47ef71c621a7ee69d1813b1f97 Mon Sep 17 00:00:00 2001 +From: Anson Huang +Date: Wed, 3 Apr 2019 15:14:44 -0700 +Subject: Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ + +From: Anson Huang + +commit bf2a7ca39fd3ab47ef71c621a7ee69d1813b1f97 upstream. + +SNVS IRQ is requested before necessary driver data initialized, +if there is a pending IRQ during driver probe phase, kernel +NULL pointer panic will occur in IRQ handler. To avoid such +scenario, just initialize necessary driver data before enabling +IRQ. This patch is inspired by NXP's internal kernel tree. + +Fixes: d3dc6e232215 ("input: keyboard: imx: add snvs power key driver") +Signed-off-by: Anson Huang +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/keyboard/snvs_pwrkey.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/input/keyboard/snvs_pwrkey.c ++++ b/drivers/input/keyboard/snvs_pwrkey.c +@@ -148,6 +148,9 @@ static int imx_snvs_pwrkey_probe(struct + return error; + } + ++ pdata->input = input; ++ platform_set_drvdata(pdev, pdata); ++ + error = devm_request_irq(&pdev->dev, pdata->irq, + imx_snvs_pwrkey_interrupt, + 0, pdev->name, pdev); +@@ -163,9 +166,6 @@ static int imx_snvs_pwrkey_probe(struct + return error; + } + +- pdata->input = input; +- platform_set_drvdata(pdev, pdata); +- + device_init_wakeup(&pdev->dev, pdata->wakeup); + + return 0; diff --git a/queue-4.19/input-stmfts-acknowledge-that-setting-brightness-is-a-blocking-call.patch b/queue-4.19/input-stmfts-acknowledge-that-setting-brightness-is-a-blocking-call.patch new file mode 100644 index 00000000000..1630020a7c6 --- /dev/null +++ b/queue-4.19/input-stmfts-acknowledge-that-setting-brightness-is-a-blocking-call.patch @@ -0,0 +1,76 @@ +From 937c4e552fd1174784045684740edfcea536159d Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 5 Feb 2019 14:40:40 -0800 +Subject: Input: stmfts - acknowledge that setting brightness is a blocking call + +From: Dmitry Torokhov + +commit 937c4e552fd1174784045684740edfcea536159d upstream. + +We need to turn regulators on and off when switching brightness, and +that may block, therefore we have to set stmfts_brightness_set() as +LED's brightness_set_blocking() method. + +Fixes: 78bcac7b2ae1 ("Input: add support for the STMicroelectronics FingerTip touchscreen") +Acked-by: Andi Shyti +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/stmfts.c | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +--- a/drivers/input/touchscreen/stmfts.c ++++ b/drivers/input/touchscreen/stmfts.c +@@ -106,27 +106,29 @@ struct stmfts_data { + bool running; + }; + +-static void stmfts_brightness_set(struct led_classdev *led_cdev, ++static int stmfts_brightness_set(struct led_classdev *led_cdev, + enum led_brightness value) + { + struct stmfts_data *sdata = container_of(led_cdev, + struct stmfts_data, led_cdev); + int err; + +- if (value == sdata->led_status || !sdata->ledvdd) +- return; +- +- if (!value) { +- regulator_disable(sdata->ledvdd); +- } else { +- err = regulator_enable(sdata->ledvdd); +- if (err) +- dev_warn(&sdata->client->dev, +- "failed to disable ledvdd regulator: %d\n", +- err); ++ if (value != sdata->led_status && sdata->ledvdd) { ++ if (!value) { ++ regulator_disable(sdata->ledvdd); ++ } else { ++ err = regulator_enable(sdata->ledvdd); ++ if (err) { ++ dev_warn(&sdata->client->dev, ++ "failed to disable ledvdd regulator: %d\n", ++ err); ++ return err; ++ } ++ } ++ sdata->led_status = value; + } + +- sdata->led_status = value; ++ return 0; + } + + static enum led_brightness stmfts_brightness_get(struct led_classdev *led_cdev) +@@ -608,7 +610,7 @@ static int stmfts_enable_led(struct stmf + sdata->led_cdev.name = STMFTS_DEV_NAME; + sdata->led_cdev.max_brightness = LED_ON; + sdata->led_cdev.brightness = LED_OFF; +- sdata->led_cdev.brightness_set = stmfts_brightness_set; ++ sdata->led_cdev.brightness_set_blocking = stmfts_brightness_set; + sdata->led_cdev.brightness_get = stmfts_brightness_get; + + err = devm_led_classdev_register(&sdata->client->dev, &sdata->led_cdev); diff --git a/queue-4.19/mac80211-honor-sw_crypto_control-for-unicast-keys-in-ap-vlan-mode.patch b/queue-4.19/mac80211-honor-sw_crypto_control-for-unicast-keys-in-ap-vlan-mode.patch new file mode 100644 index 00000000000..024dcb80d5b --- /dev/null +++ b/queue-4.19/mac80211-honor-sw_crypto_control-for-unicast-keys-in-ap-vlan-mode.patch @@ -0,0 +1,59 @@ +From 78ad2341521d5ea96cb936244ed4c4c4ef9ec13b Mon Sep 17 00:00:00 2001 +From: Alexander Wetzel +Date: Sat, 9 Feb 2019 15:01:38 +0100 +Subject: mac80211: Honor SW_CRYPTO_CONTROL for unicast keys in AP VLAN mode + +From: Alexander Wetzel + +commit 78ad2341521d5ea96cb936244ed4c4c4ef9ec13b upstream. + +Restore SW_CRYPTO_CONTROL operation on AP_VLAN interfaces for unicast +keys, the original override was intended to be done for group keys as +those are treated specially by mac80211 and would always have been +rejected. + +Now the situation is that AP_VLAN support must be enabled by the driver +if it can support it (meaning it can support software crypto GTK TX). + +Thus, also simplify the code - if we get here with AP_VLAN and non- +pairwise key, software crypto must be used (driver doesn't know about +the interface) and can be used (driver must've advertised AP_VLAN if +it also uses SW_CRYPTO_CONTROL). + +Fixes: db3bdcb9c3ff ("mac80211: allow AP_VLAN operation on crypto controlled devices") +Signed-off-by: Alexander Wetzel +[rewrite commit message] +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/key.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -167,8 +167,10 @@ static int ieee80211_key_enable_hw_accel + * The driver doesn't know anything about VLAN interfaces. + * Hence, don't send GTKs for VLAN interfaces to the driver. + */ +- if (!(key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE)) ++ if (!(key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE)) { ++ ret = 1; + goto out_unsupported; ++ } + } + + ret = drv_set_key(key->local, SET_KEY, sdata, +@@ -213,11 +215,8 @@ static int ieee80211_key_enable_hw_accel + /* all of these we can do in software - if driver can */ + if (ret == 1) + return 0; +- if (ieee80211_hw_check(&key->local->hw, SW_CRYPTO_CONTROL)) { +- if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) +- return 0; ++ if (ieee80211_hw_check(&key->local->hw, SW_CRYPTO_CONTROL)) + return -EINVAL; +- } + return 0; + default: + return -EINVAL; diff --git a/queue-4.19/media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch b/queue-4.19/media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch new file mode 100644 index 00000000000..a8d96b619ef --- /dev/null +++ b/queue-4.19/media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch @@ -0,0 +1,82 @@ +From 61da76beef1e4f0b6ba7be4f8d0cf0dac7ce1f55 Mon Sep 17 00:00:00 2001 +From: Jacopo Mondi +Date: Fri, 29 Dec 2017 07:22:26 -0500 +Subject: media: v4l2: i2c: ov7670: Fix PLL bypass register values + +From: Jacopo Mondi + +commit 61da76beef1e4f0b6ba7be4f8d0cf0dac7ce1f55 upstream. + +The following commits: +commit f6dd927f34d6 ("[media] media: ov7670: calculate framerate properly for ov7675") +commit 04ee6d92047e ("[media] media: ov7670: add possibility to bypass pll for ov7675") +introduced the ability to bypass PLL multiplier and use input clock (xvclk) +as pixel clock output frequency for ov7675 sensor. + +PLL is bypassed using register DBLV[7:6], according to ov7670 and ov7675 +sensor manuals. Macros used to set DBLV register seem wrong in the +driver, as their values do not match what reported in the datasheet. + +Fix by changing DBLV_* macros to use bits [7:6] and set bits [3:0] to +default 0x0a reserved value (according to datasheets). + +While at there, remove a write to DBLV register in +"ov7675_set_framerate()" that over-writes the previous one to the same +register that takes "info->pll_bypass" flag into account instead of setting PLL +multiplier to 4x unconditionally. + +And, while at there, since "info->pll_bypass" is only used in +set/get_framerate() functions used by ov7675 only, it is not necessary +to check for the device id at probe time to make sure that when using +ov7670 "info->pll_bypass" is set to false. + +Fixes: f6dd927f34d6 ("[media] media: ov7670: calculate framerate properly for ov7675") + +Signed-off-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/ov7670.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +--- a/drivers/media/i2c/ov7670.c ++++ b/drivers/media/i2c/ov7670.c +@@ -159,10 +159,10 @@ MODULE_PARM_DESC(debug, "Debug level (0- + #define REG_GFIX 0x69 /* Fix gain control */ + + #define REG_DBLV 0x6b /* PLL control an debugging */ +-#define DBLV_BYPASS 0x00 /* Bypass PLL */ +-#define DBLV_X4 0x01 /* clock x4 */ +-#define DBLV_X6 0x10 /* clock x6 */ +-#define DBLV_X8 0x11 /* clock x8 */ ++#define DBLV_BYPASS 0x0a /* Bypass PLL */ ++#define DBLV_X4 0x4a /* clock x4 */ ++#define DBLV_X6 0x8a /* clock x6 */ ++#define DBLV_X8 0xca /* clock x8 */ + + #define REG_SCALING_XSC 0x70 /* Test pattern and horizontal scale factor */ + #define TEST_PATTTERN_0 0x80 +@@ -862,7 +862,7 @@ static int ov7675_set_framerate(struct v + if (ret < 0) + return ret; + +- return ov7670_write(sd, REG_DBLV, DBLV_X4); ++ return 0; + } + + static void ov7670_get_framerate_legacy(struct v4l2_subdev *sd, +@@ -1797,11 +1797,7 @@ static int ov7670_probe(struct i2c_clien + if (config->clock_speed) + info->clock_speed = config->clock_speed; + +- /* +- * It should be allowed for ov7670 too when it is migrated to +- * the new frame rate formula. +- */ +- if (config->pll_bypass && id->driver_data != MODEL_OV7670) ++ if (config->pll_bypass) + info->pll_bypass = true; + + if (config->pclk_hb_disable) diff --git a/queue-4.19/powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area-topdown-search.patch b/queue-4.19/powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area-topdown-search.patch new file mode 100644 index 00000000000..32c2b06e7ac --- /dev/null +++ b/queue-4.19/powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area-topdown-search.patch @@ -0,0 +1,70 @@ +From 3b4d07d2674f6b4a9281031f99d1f7efd325b16d Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Tue, 26 Feb 2019 10:09:35 +0530 +Subject: powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search + +From: Aneesh Kumar K.V + +commit 3b4d07d2674f6b4a9281031f99d1f7efd325b16d upstream. + +When doing top-down search the low_limit is not PAGE_SIZE but rather +max(PAGE_SIZE, mmap_min_addr). This handle cases in which mmap_min_addr > +PAGE_SIZE. + +Fixes: fba2369e6ceb ("mm: use vm_unmapped_area() on powerpc architecture") +Reviewed-by: Laurent Dufour +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/slice.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/mm/slice.c ++++ b/arch/powerpc/mm/slice.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -376,6 +377,7 @@ static unsigned long slice_find_area_top + int pshift = max_t(int, mmu_psize_defs[psize].shift, PAGE_SHIFT); + unsigned long addr, found, prev; + struct vm_unmapped_area_info info; ++ unsigned long min_addr = max(PAGE_SIZE, mmap_min_addr); + + info.flags = VM_UNMAPPED_AREA_TOPDOWN; + info.length = len; +@@ -392,7 +394,7 @@ static unsigned long slice_find_area_top + if (high_limit > DEFAULT_MAP_WINDOW) + addr += mm->context.slb_addr_limit - DEFAULT_MAP_WINDOW; + +- while (addr > PAGE_SIZE) { ++ while (addr > min_addr) { + info.high_limit = addr; + if (!slice_scan_available(addr - 1, available, 0, &addr)) + continue; +@@ -404,8 +406,8 @@ static unsigned long slice_find_area_top + * Check if we need to reduce the range, or if we can + * extend it to cover the previous available slice. + */ +- if (addr < PAGE_SIZE) +- addr = PAGE_SIZE; ++ if (addr < min_addr) ++ addr = min_addr; + else if (slice_scan_available(addr - 1, available, 0, &prev)) { + addr = prev; + goto prev_slice; +@@ -527,7 +529,7 @@ unsigned long slice_get_unmapped_area(un + addr = _ALIGN_UP(addr, page_size); + slice_dbg(" aligned addr=%lx\n", addr); + /* Ignore hint if it's too large or overlaps a VMA */ +- if (addr > high_limit - len || ++ if (addr > high_limit - len || addr < mmap_min_addr || + !slice_area_is_free(mm, addr, len)) + addr = 0; + } diff --git a/queue-4.19/selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch b/queue-4.19/selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch new file mode 100644 index 00000000000..2adf20beba6 --- /dev/null +++ b/queue-4.19/selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch @@ -0,0 +1,104 @@ +From 3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Wed, 12 Dec 2018 10:10:55 -0500 +Subject: selinux: avoid silent denials in permissive mode under RCU walk + +From: Stephen Smalley + +commit 3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e upstream. + +commit 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe") +results in no audit messages at all if in permissive mode because the +cache is updated during the rcu walk and thus no denial occurs on +the subsequent ref walk. Fix this by not updating the cache when +performing a non-blocking permission check. This only affects search +and symlink read checks during rcu walk. + +Fixes: 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe") +Reported-by: BMK +Signed-off-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/avc.c | 23 +++++++++++++++++++++-- + security/selinux/hooks.c | 4 +++- + security/selinux/include/avc.h | 1 + + 3 files changed, 25 insertions(+), 3 deletions(-) + +--- a/security/selinux/avc.c ++++ b/security/selinux/avc.c +@@ -838,6 +838,7 @@ out: + * @ssid,@tsid,@tclass : identifier of an AVC entry + * @seqno : sequence number when decision was made + * @xpd: extended_perms_decision to be added to the node ++ * @flags: the AVC_* flags, e.g. AVC_NONBLOCKING, AVC_EXTENDED_PERMS, or 0. + * + * if a valid AVC entry doesn't exist,this function returns -ENOENT. + * if kmalloc() called internal returns NULL, this function returns -ENOMEM. +@@ -856,6 +857,23 @@ static int avc_update_node(struct selinu + struct hlist_head *head; + spinlock_t *lock; + ++ /* ++ * If we are in a non-blocking code path, e.g. VFS RCU walk, ++ * then we must not add permissions to a cache entry ++ * because we cannot safely audit the denial. Otherwise, ++ * during the subsequent blocking retry (e.g. VFS ref walk), we ++ * will find the permissions already granted in the cache entry ++ * and won't audit anything at all, leading to silent denials in ++ * permissive mode that only appear when in enforcing mode. ++ * ++ * See the corresponding handling in slow_avc_audit(), and the ++ * logic in selinux_inode_follow_link and selinux_inode_permission ++ * for the VFS MAY_NOT_BLOCK flag, which is transliterated into ++ * AVC_NONBLOCKING for avc_has_perm_noaudit(). ++ */ ++ if (flags & AVC_NONBLOCKING) ++ return 0; ++ + node = avc_alloc_node(avc); + if (!node) { + rc = -ENOMEM; +@@ -1115,7 +1133,7 @@ decision: + * @tsid: target security identifier + * @tclass: target security class + * @requested: requested permissions, interpreted based on @tclass +- * @flags: AVC_STRICT or 0 ++ * @flags: AVC_STRICT, AVC_NONBLOCKING, or 0 + * @avd: access vector decisions + * + * Check the AVC to determine whether the @requested permissions are granted +@@ -1199,7 +1217,8 @@ int avc_has_perm_flags(struct selinux_st + struct av_decision avd; + int rc, rc2; + +- rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, 0, ++ rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, ++ (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0, + &avd); + + rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc, +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3199,7 +3199,9 @@ static int selinux_inode_permission(stru + return PTR_ERR(isec); + + rc = avc_has_perm_noaudit(&selinux_state, +- sid, isec->sid, isec->sclass, perms, 0, &avd); ++ sid, isec->sid, isec->sclass, perms, ++ (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0, ++ &avd); + audited = avc_audit_required(perms, &avd, rc, + from_access ? FILE__AUDIT_ACCESS : 0, + &denied); +--- a/security/selinux/include/avc.h ++++ b/security/selinux/include/avc.h +@@ -142,6 +142,7 @@ static inline int avc_audit(struct selin + + #define AVC_STRICT 1 /* Ignore permissive mode. */ + #define AVC_EXTENDED_PERMS 2 /* update extended permissions */ ++#define AVC_NONBLOCKING 4 /* non blocking */ + int avc_has_perm_noaudit(struct selinux_state *state, + u32 ssid, u32 tsid, + u16 tclass, u32 requested, diff --git a/queue-4.19/selinux-never-allow-relabeling-on-context-mounts.patch b/queue-4.19/selinux-never-allow-relabeling-on-context-mounts.patch new file mode 100644 index 00000000000..f063818cb77 --- /dev/null +++ b/queue-4.19/selinux-never-allow-relabeling-on-context-mounts.patch @@ -0,0 +1,85 @@ +From a83d6ddaebe541570291205cb538e35ad4ff94f9 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Fri, 21 Dec 2018 21:18:52 +0100 +Subject: selinux: never allow relabeling on context mounts + +From: Ondrej Mosnacek + +commit a83d6ddaebe541570291205cb538e35ad4ff94f9 upstream. + +In the SECURITY_FS_USE_MNTPOINT case we never want to allow relabeling +files/directories, so we should never set the SBLABEL_MNT flag. The +'special handling' in selinux_is_sblabel_mnt() is only intended for when +the behavior is set to SECURITY_FS_USE_GENFS. + +While there, make the logic in selinux_is_sblabel_mnt() more explicit +and add a BUILD_BUG_ON() to make sure that introducing a new +SECURITY_FS_USE_* forces a review of the logic. + +Fixes: d5f3a5f6e7e7 ("selinux: add security in-core xattr support for pstore and debugfs") +Signed-off-by: Ondrej Mosnacek +Reviewed-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/hooks.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -497,16 +497,10 @@ static int may_context_mount_inode_relab + return rc; + } + +-static int selinux_is_sblabel_mnt(struct super_block *sb) ++static int selinux_is_genfs_special_handling(struct super_block *sb) + { +- struct superblock_security_struct *sbsec = sb->s_security; +- +- return sbsec->behavior == SECURITY_FS_USE_XATTR || +- sbsec->behavior == SECURITY_FS_USE_TRANS || +- sbsec->behavior == SECURITY_FS_USE_TASK || +- sbsec->behavior == SECURITY_FS_USE_NATIVE || +- /* Special handling. Genfs but also in-core setxattr handler */ +- !strcmp(sb->s_type->name, "sysfs") || ++ /* Special handling. Genfs but also in-core setxattr handler */ ++ return !strcmp(sb->s_type->name, "sysfs") || + !strcmp(sb->s_type->name, "pstore") || + !strcmp(sb->s_type->name, "debugfs") || + !strcmp(sb->s_type->name, "tracefs") || +@@ -516,6 +510,34 @@ static int selinux_is_sblabel_mnt(struct + !strcmp(sb->s_type->name, "cgroup2"))); + } + ++static int selinux_is_sblabel_mnt(struct super_block *sb) ++{ ++ struct superblock_security_struct *sbsec = sb->s_security; ++ ++ /* ++ * IMPORTANT: Double-check logic in this function when adding a new ++ * SECURITY_FS_USE_* definition! ++ */ ++ BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); ++ ++ switch (sbsec->behavior) { ++ case SECURITY_FS_USE_XATTR: ++ case SECURITY_FS_USE_TRANS: ++ case SECURITY_FS_USE_TASK: ++ case SECURITY_FS_USE_NATIVE: ++ return 1; ++ ++ case SECURITY_FS_USE_GENFS: ++ return selinux_is_genfs_special_handling(sb); ++ ++ /* Never allow relabeling on context mounts */ ++ case SECURITY_FS_USE_MNTPOINT: ++ case SECURITY_FS_USE_NONE: ++ default: ++ return 0; ++ } ++} ++ + static int sb_finish_set_opts(struct super_block *sb) + { + struct superblock_security_struct *sbsec = sb->s_security; diff --git a/queue-4.19/series b/queue-4.19/series index 1ebf855e247..1d423c6b668 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -80,3 +80,20 @@ asoc-wm_adsp-correct-handling-of-compressed-streams-that-restart.patch asoc-stm32-fix-sai-driver-name-initialisation.patch platform-x86-intel_pmc_core-fix-pch-ip-name.patch platform-x86-intel_pmc_core-handle-cfl-regmap-properly.patch +ib-core-unregister-notifier-before-freeing-mad-security.patch +ib-core-fix-potential-memory-leak-while-creating-mad-agents.patch +ib-core-destroy-qp-if-xrc-qp-fails.patch +input-snvs_pwrkey-initialize-necessary-driver-data-before-enabling-irq.patch +input-stmfts-acknowledge-that-setting-brightness-is-a-blocking-call.patch +gpio-mxc-add-check-to-return-defer-probe-if-clock-tree-not-ready.patch +selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch +selinux-never-allow-relabeling-on-context-mounts.patch +mac80211-honor-sw_crypto_control-for-unicast-keys-in-ap-vlan-mode.patch +powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area-topdown-search.patch +x86-mce-improve-error-message-when-kernel-cannot-recover-p2.patch +clk-x86-add-system-specific-quirk-to-mark-clocks-as-critical.patch +x86-mm-kaslr-fix-the-size-of-the-direct-mapping-section.patch +x86-mm-fix-a-crash-with-kmemleak_scan.patch +x86-mm-tlb-revert-x86-mm-align-tlb-invalidation-info.patch +i2c-i2c-stm32f7-fix-sdadel-minimum-formula.patch +media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch diff --git a/queue-4.19/x86-mce-improve-error-message-when-kernel-cannot-recover-p2.patch b/queue-4.19/x86-mce-improve-error-message-when-kernel-cannot-recover-p2.patch new file mode 100644 index 00000000000..9960c3dfc08 --- /dev/null +++ b/queue-4.19/x86-mce-improve-error-message-when-kernel-cannot-recover-p2.patch @@ -0,0 +1,50 @@ +From 41f035a86b5b72a4f947c38e94239d20d595352a Mon Sep 17 00:00:00 2001 +From: Tony Luck +Date: Mon, 25 Feb 2019 12:59:40 -0800 +Subject: x86/mce: Improve error message when kernel cannot recover, p2 + +From: Tony Luck + +commit 41f035a86b5b72a4f947c38e94239d20d595352a upstream. + +In + + c7d606f560e4 ("x86/mce: Improve error message when kernel cannot recover") + +a case was added for a machine check caused by a DATA access to poison +memory from the kernel. A case should have been added also for an +uncorrectable error during an instruction fetch in the kernel. + +Add that extra case so the error message now reads: + + mce: [Hardware Error]: Machine check: Instruction fetch error in kernel + +Fixes: c7d606f560e4 ("x86/mce: Improve error message when kernel cannot recover") +Signed-off-by: Tony Luck +Signed-off-by: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Pu Wen +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/20190225205940.15226-1-tony.luck@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce-severity.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kernel/cpu/mcheck/mce-severity.c ++++ b/arch/x86/kernel/cpu/mcheck/mce-severity.c +@@ -165,6 +165,11 @@ static struct severity { + SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_DATA), + KERNEL + ), ++ MCESEV( ++ PANIC, "Instruction fetch error in kernel", ++ SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_INSTR), ++ KERNEL ++ ), + #endif + MCESEV( + PANIC, "Action required: unknown MCACOD", diff --git a/queue-4.19/x86-mm-fix-a-crash-with-kmemleak_scan.patch b/queue-4.19/x86-mm-fix-a-crash-with-kmemleak_scan.patch new file mode 100644 index 00000000000..e12842ce72d --- /dev/null +++ b/queue-4.19/x86-mm-fix-a-crash-with-kmemleak_scan.patch @@ -0,0 +1,82 @@ +From 0d02113b31b2017dd349ec9df2314e798a90fa6e Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Tue, 23 Apr 2019 12:58:11 -0400 +Subject: x86/mm: Fix a crash with kmemleak_scan() + +From: Qian Cai + +commit 0d02113b31b2017dd349ec9df2314e798a90fa6e upstream. + +The first kmemleak_scan() call after boot would trigger the crash below +because this callpath: + + kernel_init + free_initmem + mem_encrypt_free_decrypted_mem + free_init_pages + +unmaps memory inside the .bss when DEBUG_PAGEALLOC=y. + +kmemleak_init() will register the .data/.bss sections and then +kmemleak_scan() will scan those addresses and dereference them looking +for pointer references. If free_init_pages() frees and unmaps pages in +those sections, kmemleak_scan() will crash if referencing one of those +addresses: + + BUG: unable to handle kernel paging request at ffffffffbd402000 + CPU: 12 PID: 325 Comm: kmemleak Not tainted 5.1.0-rc4+ #4 + RIP: 0010:scan_block + Call Trace: + scan_gray_list + kmemleak_scan + kmemleak_scan_thread + kthread + ret_from_fork + +Since kmemleak_free_part() is tolerant to unknown objects (not tracked +by kmemleak), it is fine to call it from free_init_pages() even if not +all address ranges passed to this function are known to kmemleak. + + [ bp: Massage. ] + +Fixes: b3f0907c71e0 ("x86/mm: Add .bss..decrypted section to hold shared variables") +Signed-off-by: Qian Cai +Signed-off-by: Borislav Petkov +Reviewed-by: Catalin Marinas +Cc: Andy Lutomirski +Cc: Brijesh Singh +Cc: Dave Hansen +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/20190423165811.36699-1-cai@lca.pw +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/init.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/x86/mm/init.c ++++ b/arch/x86/mm/init.c +@@ -6,6 +6,7 @@ + #include /* for max_low_pfn */ + #include + #include ++#include + + #include + #include +@@ -767,6 +768,11 @@ void free_init_pages(char *what, unsigne + if (debug_pagealloc_enabled()) { + pr_info("debug: unmapping init [mem %#010lx-%#010lx]\n", + begin, end - 1); ++ /* ++ * Inform kmemleak about the hole in the memory since the ++ * corresponding pages will be unmapped. ++ */ ++ kmemleak_free_part((void *)begin, end - begin); + set_memory_np(begin, (end - begin) >> PAGE_SHIFT); + } else { + /* diff --git a/queue-4.19/x86-mm-kaslr-fix-the-size-of-the-direct-mapping-section.patch b/queue-4.19/x86-mm-kaslr-fix-the-size-of-the-direct-mapping-section.patch new file mode 100644 index 00000000000..922281557b9 --- /dev/null +++ b/queue-4.19/x86-mm-kaslr-fix-the-size-of-the-direct-mapping-section.patch @@ -0,0 +1,88 @@ +From ec3937107ab43f3e8b2bc9dad95710043c462ff7 Mon Sep 17 00:00:00 2001 +From: Baoquan He +Date: Thu, 4 Apr 2019 10:03:13 +0800 +Subject: x86/mm/KASLR: Fix the size of the direct mapping section + +From: Baoquan He + +commit ec3937107ab43f3e8b2bc9dad95710043c462ff7 upstream. + +kernel_randomize_memory() uses __PHYSICAL_MASK_SHIFT to calculate +the maximum amount of system RAM supported. The size of the direct +mapping section is obtained from the smaller one of the below two +values: + + (actual system RAM size + padding size) vs (max system RAM size supported) + +This calculation is wrong since commit + + b83ce5ee9147 ("x86/mm/64: Make __PHYSICAL_MASK_SHIFT always 52"). + +In it, __PHYSICAL_MASK_SHIFT was changed to be 52, regardless of whether +the kernel is using 4-level or 5-level page tables. Thus, it will always +use 4 PB as the maximum amount of system RAM, even in 4-level paging +mode where it should actually be 64 TB. + +Thus, the size of the direct mapping section will always +be the sum of the actual system RAM size plus the padding size. + +Even when the amount of system RAM is 64 TB, the following layout will +still be used. Obviously KALSR will be weakened significantly. + + |____|_______actual RAM_______|_padding_|______the rest_______| + 0 64TB ~120TB + +Instead, it should be like this: + + |____|_______actual RAM_______|_________the rest______________| + 0 64TB ~120TB + +The size of padding region is controlled by +CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING, which is 10 TB by default. + +The above issue only exists when +CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING is set to a non-zero value, +which is the case when CONFIG_MEMORY_HOTPLUG is enabled. Otherwise, +using __PHYSICAL_MASK_SHIFT doesn't affect KASLR. + +Fix it by replacing __PHYSICAL_MASK_SHIFT with MAX_PHYSMEM_BITS. + + [ bp: Massage commit message. ] + +Fixes: b83ce5ee9147 ("x86/mm/64: Make __PHYSICAL_MASK_SHIFT always 52") +Signed-off-by: Baoquan He +Signed-off-by: Borislav Petkov +Reviewed-by: Thomas Garnier +Acked-by: Kirill A. Shutemov +Cc: "H. Peter Anvin" +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: Ingo Molnar +Cc: Kees Cook +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: frank.ramsay@hpe.com +Cc: herbert@gondor.apana.org.au +Cc: kirill@shutemov.name +Cc: mike.travis@hpe.com +Cc: thgarnie@google.com +Cc: x86-ml +Cc: yamada.masahiro@socionext.com +Link: https://lkml.kernel.org/r/20190417083536.GE7065@MiWiFi-R3L-srv +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/kaslr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/mm/kaslr.c ++++ b/arch/x86/mm/kaslr.c +@@ -93,7 +93,7 @@ void __init kernel_randomize_memory(void + if (!kaslr_memory_enabled()) + return; + +- kaslr_regions[0].size_tb = 1 << (__PHYSICAL_MASK_SHIFT - TB_SHIFT); ++ kaslr_regions[0].size_tb = 1 << (MAX_PHYSMEM_BITS - TB_SHIFT); + kaslr_regions[1].size_tb = VMALLOC_SIZE_TB; + + /* diff --git a/queue-4.19/x86-mm-tlb-revert-x86-mm-align-tlb-invalidation-info.patch b/queue-4.19/x86-mm-tlb-revert-x86-mm-align-tlb-invalidation-info.patch new file mode 100644 index 00000000000..8497e0f0d15 --- /dev/null +++ b/queue-4.19/x86-mm-tlb-revert-x86-mm-align-tlb-invalidation-info.patch @@ -0,0 +1,49 @@ +From 780e0106d468a2962b16b52fdf42898f2639e0a0 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Tue, 16 Apr 2019 10:03:35 +0200 +Subject: x86/mm/tlb: Revert "x86/mm: Align TLB invalidation info" + +From: Peter Zijlstra + +commit 780e0106d468a2962b16b52fdf42898f2639e0a0 upstream. + +Revert the following commit: + + 515ab7c41306: ("x86/mm: Align TLB invalidation info") + +I found out (the hard way) that under some .config options (notably L1_CACHE_SHIFT=7) +and compiler combinations this on-stack alignment leads to a 320 byte +stack usage, which then triggers a KASAN stack warning elsewhere. + +Using 320 bytes of stack space for a 40 byte structure is ludicrous and +clearly not right. + +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Linus Torvalds +Acked-by: Nadav Amit +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 515ab7c41306 ("x86/mm: Align TLB invalidation info") +Link: http://lkml.kernel.org/r/20190416080335.GM7905@worktop.programming.kicks-ass.net +[ Minor changelog edits. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/tlb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -694,7 +694,7 @@ void flush_tlb_mm_range(struct mm_struct + { + int cpu; + +- struct flush_tlb_info info __aligned(SMP_CACHE_BYTES) = { ++ struct flush_tlb_info info = { + .mm = mm, + }; +