From: Greg Kroah-Hartman
Date: Mon, 1 Apr 2019 12:04:45 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v3.18.138~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f2086f9be29937ad261f0dc5f6953240261297dc;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
bpf-do-not-restore-dst_reg-when-cur_state-is-freed.patch
drivers-base-helpers-for-adding-device-connection-descriptions.patch
platform-x86-intel_cht_int33fe-add-connection-for-the-dp-alt-mode.patch
platform-x86-intel_cht_int33fe-add-connections-for-the-usb-type-c-port.patch
platform-x86-intel_cht_int33fe-register-all-connections-at-once.patch
platform-x86-intel_cht_int33fe-remove-the-old-connections-for-the-muxes.patch
staging-erofs-fix-error-handling-when-failed-to-read-compresssed-data.patch
staging-erofs-keep-corrupted-fs-from-crashing-kernel-in-erofs_readdir.patch
usb-typec-class-don-t-use-port-parent-for-getting-mux-handles.patch
---
diff --git a/queue-4.19/bpf-do-not-restore-dst_reg-when-cur_state-is-freed.patch b/queue-4.19/bpf-do-not-restore-dst_reg-when-cur_state-is-freed.patch
new file mode 100644
index 00000000000..0ffc910beeb
--- /dev/null
+++ b/queue-4.19/bpf-do-not-restore-dst_reg-when-cur_state-is-freed.patch
@@ -0,0 +1,71 @@ +From 0803278b0b4d8eeb2b461fb698785df65a725d9e Mon Sep 17 00:00:00 2001 +From: Xu Yu +Date: Thu, 21 Mar 2019 18:00:35 +0800 +Subject: bpf: do not restore dst_reg when cur_state is freed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xu Yu + +commit 0803278b0b4d8eeb2b461fb698785df65a725d9e upstream. + +Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug. + +Call trace: + + dump_stack+0xbf/0x12e + print_address_description+0x6a/0x280 + kasan_report+0x237/0x360 + sanitize_ptr_alu+0x85a/0x8d0 + adjust_ptr_min_max_vals+0x8f2/0x1ca0 + adjust_reg_min_max_vals+0x8ed/0x22e0 + do_check+0x1ca6/0x5d00 + bpf_check+0x9ca/0x2570 + bpf_prog_load+0xc91/0x1030 + __se_sys_bpf+0x61e/0x1f00 + do_syscall_64+0xc8/0x550 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fault injection trace: + +  kfree+0xea/0x290 +  free_func_state+0x4a/0x60 +  free_verifier_state+0x61/0xe0 +  push_stack+0x216/0x2f0 <- inject failslab +  sanitize_ptr_alu+0x2b1/0x8d0 +  adjust_ptr_min_max_vals+0x8f2/0x1ca0 +  adjust_reg_min_max_vals+0x8ed/0x22e0 +  do_check+0x1ca6/0x5d00 +  bpf_check+0x9ca/0x2570 +  bpf_prog_load+0xc91/0x1030 +  __se_sys_bpf+0x61e/0x1f00 +  do_syscall_64+0xc8/0x550 +  entry_SYSCALL_64_after_hwframe+0x49/0xbe + +When kzalloc() fails in push_stack(), free_verifier_state() will free +current verifier state. As push_stack() returns, dst_reg was restored +if ptr_is_dst_reg is false. However, as member of the cur_state, +dst_reg is also freed, and error occurs when dereferencing dst_reg. +Simply fix it by testing ret of push_stack() before restoring dst_reg. 
+
+Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic")
+Signed-off-by: Xu Yu
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/bpf/verifier.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2815,7 +2815,7 @@ do_sim:
+ *dst_reg = *ptr_reg;
+ }
+ ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
+- if (!ptr_is_dst_reg)
++ if (!ptr_is_dst_reg && ret)
+ *dst_reg = tmp;
+ return !ret ? -EFAULT : 0;
+ }
diff --git a/queue-4.19/drivers-base-helpers-for-adding-device-connection-descriptions.patch b/queue-4.19/drivers-base-helpers-for-adding-device-connection-descriptions.patch
new file mode 100644
index 00000000000..3322f5465da
--- /dev/null
+++ b/queue-4.19/drivers-base-helpers-for-adding-device-connection-descriptions.patch
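Review bot: The new `&& ret` guard in the `do_sim` tail of sanitize_ptr_alu() carries no comment saying why the restore must be skipped, and the reason cannot be read off the code: per the commit message, a failed push_stack() has already freed the current verifier state that `dst_reg` points into. I would add above the test `/* push_stack() frees cur_state on failure; dst_reg points into it, so restore only on success */`. The function starts outside the hunk, so how its callers treat the -EFAULT return is not visible here; presumably they return without touching `dst_reg` again, which is worth confirming because the same freed state is reachable from them.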
@@ -0,0 +1,54 @@
+From cd7753d371388e712e3ee52b693459f9b71aaac2 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus
+Date: Thu, 20 Sep 2018 14:23:40 +0300
+Subject: drivers: base: Helpers for adding device connection descriptions
+
+From: Heikki Krogerus
+
+commit cd7753d371388e712e3ee52b693459f9b71aaac2 upstream.
+
+Introducing helpers for adding and removing multiple device
+connection descriptions at once.
+
+Acked-by: Hans de Goede
+Tested-by: Hans de Goede
+Signed-off-by: Heikki Krogerus
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/device.h | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/include/linux/device.h
++++ b/include/linux/device.h
+@@ -774,6 +774,30 @@ void device_connection_add(struct device
+ void device_connection_remove(struct device_connection *con);
+
+ /**
++ * device_connections_add - Add multiple device connections at once
++ * @cons: Zero terminated array of device connection descriptors
++ */
++static inline void device_connections_add(struct device_connection *cons)
++{
++ struct device_connection *c;
++
++ for (c = cons; c->endpoint[0]; c++)
++ device_connection_add(c);
++}
++
++/**
++ * device_connections_remove - Remove multiple device connections at once
++ * @cons: Zero terminated array of device connection descriptors
++ */
++static inline void device_connections_remove(struct device_connection *cons)
++{
++ struct device_connection *c;
++
++ for (c = cons; c->endpoint[0]; c++)
++ device_connection_remove(c);
++}
++
++/**
+ * enum device_link_state - Device link states.
+ * @DL_STATE_NONE: The presence of the drivers is not being tracked.
+ * @DL_STATE_DORMANT: None of the supplier/consumer drivers is present.
diff --git a/queue-4.19/platform-x86-intel_cht_int33fe-add-connection-for-the-dp-alt-mode.patch b/queue-4.19/platform-x86-intel_cht_int33fe-add-connection-for-the-dp-alt-mode.patch
new file mode 100644
index 00000000000..ef98f627c16
--- /dev/null
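Review bot: Both loops, in device_connections_add() and device_connections_remove(), stop only at an entry whose `endpoint[0]` is NULL, so a caller that fills every slot of its array makes them walk past the end of it, and the kernel-doc's "Zero terminated array" does not say which field is the terminator. I would make the `@cons` line read `@cons: Array of descriptors, terminated by an entry whose endpoint[0] is NULL`. The intel_cht_int33fe patches in this queue size `connections[]` by hand as one more than the populated entries (`[4]`, `[5]`, `[8]`), so a short comment on that member saying the last slot is the terminator would keep a later edit from filling it. Whether `data` is zero-allocated is outside these hunks and should be confirmed.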
+++ b/queue-4.19/platform-x86-intel_cht_int33fe-add-connection-for-the-dp-alt-mode.patch
@@ -0,0 +1,50 @@
+From 78d2b54b134ea6059e2b1554ad53fab2300a4cc6 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus
+Date: Thu, 20 Sep 2018 14:23:42 +0300
+Subject: platform: x86: intel_cht_int33fe: Add connection for the DP alt mode
+
+From: Heikki Krogerus
+
+commit 78d2b54b134ea6059e2b1554ad53fab2300a4cc6 upstream.
+
+Adding a connection for the DisplayPort alternate mode.
+PI3USB30532 is used for muxing the port to DisplayPort on
+CHT platforms. The connection allows the alternate mode
+device to get handle to the mux, and therefore make it
+possible to use the USB Type-C connector as DisplayPort.
+
+Acked-by: Andy Shevchenko
+Acked-by: Hans de Goede
+Tested-by: Hans de Goede
+Signed-off-by: Heikki Krogerus
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/x86/intel_cht_int33fe.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/x86/intel_cht_int33fe.c
++++ b/drivers/platform/x86/intel_cht_int33fe.c
+@@ -34,7 +34,7 @@ struct cht_int33fe_data {
+ struct i2c_client *fusb302;
+ struct i2c_client *pi3usb30532;
+ /* Contain a list-head must be per device */
+- struct device_connection connections[4];
++ struct device_connection connections[5];
+ };
+
+ /*
+@@ -181,8 +181,11 @@ static int cht_int33fe_probe(struct i2c_
+ data->connections[1].endpoint[1] = "i2c-pi3usb30532";
+ data->connections[1].id = "typec-mux";
+ data->connections[2].endpoint[0] = "i2c-fusb302";
+- data->connections[2].endpoint[1] = "intel_xhci_usb_sw-role-switch";
+- data->connections[2].id = "usb-role-switch";
++ data->connections[2].endpoint[1] = "i2c-pi3usb30532";
++ data->connections[2].id = "idff01m01";
++ data->connections[3].endpoint[0] = "i2c-fusb302";
++ data->connections[3].endpoint[1] = "intel_xhci_usb_sw-role-switch";
++ data->connections[3].id = "usb-role-switch";
+
+ device_connections_add(data->connections);
+
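Review bot: The `id` string `"idff01m01"` added for `connections[2]` is an encoded value with no explanation at the point of use. The typec class patch in this queue builds the lookup key with `sprintf(id, "id%04xm%02x", desc->svid, desc->mode)`, so this appears to be SVID 0xff01, mode 1, and the two strings have to match exactly for the alternate mode to find its mux. A comment such as `/* "id%04xm%02x": DisplayPort alt mode, SVID 0xff01 mode 1 */` would tie the two together and make a mismatch visible in review. cht_int33fe_probe() starts and ends outside the hunk.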
diff --git a/queue-4.19/platform-x86-intel_cht_int33fe-add-connections-for-the-usb-type-c-port.patch b/queue-4.19/platform-x86-intel_cht_int33fe-add-connections-for-the-usb-type-c-port.patch
new file mode 100644
index 00000000000..334dd4a2705
--- /dev/null
+++ b/queue-4.19/platform-x86-intel_cht_int33fe-add-connections-for-the-usb-type-c-port.patch
@@ -0,0 +1,56 @@
+From 495965a1002a0b301bf4fbfd1aed3233f3e7db1b Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus
+Date: Thu, 20 Sep 2018 14:23:43 +0300
+Subject: platform: x86: intel_cht_int33fe: Add connections for the USB Type-C port
+
+From: Heikki Krogerus
+
+commit 495965a1002a0b301bf4fbfd1aed3233f3e7db1b upstream.
+
+Assigning the mux to the USB Type-C port on top of fusb302.
+That will prepare this driver for the change in the USB
+Type-C class code, where the class driver will assume the
+muxes to be always assigned to the ports and not the
+controllers.
+
+Once the USB Type-C class driver has been updated, the
+connections between the mux and fusb302 can be dropped.
+
+Acked-by: Andy Shevchenko
+Acked-by: Hans de Goede
+Tested-by: Hans de Goede
+Signed-off-by: Heikki Krogerus
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/x86/intel_cht_int33fe.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/intel_cht_int33fe.c
++++ b/drivers/platform/x86/intel_cht_int33fe.c
+@@ -34,7 +34,7 @@ struct cht_int33fe_data {
+ struct i2c_client *fusb302;
+ struct i2c_client *pi3usb30532;
+ /* Contain a list-head must be per device */
+- struct device_connection connections[5];
++ struct device_connection connections[8];
+ };
+
+ /*
+@@ -187,6 +187,16 @@ static int cht_int33fe_probe(struct i2c_
+ data->connections[3].endpoint[1] = "intel_xhci_usb_sw-role-switch";
+ data->connections[3].id = "usb-role-switch";
+
++ data->connections[4].endpoint[0] = "port0";
++ data->connections[4].endpoint[1] = "i2c-pi3usb30532";
++ data->connections[4].id = "typec-switch";
++ data->connections[5].endpoint[0] = "port0";
++ data->connections[5].endpoint[1] = "i2c-pi3usb30532";
++ data->connections[5].id = "typec-mux";
++ data->connections[6].endpoint[0] = "port0";
++ data->connections[6].endpoint[1] = "i2c-pi3usb30532";
++ data->connections[6].id = "idff01m01";
++
+ device_connections_add(data->connections);
+
+ memset(&board_info, 0,
sizeof(board_info));
diff --git a/queue-4.19/platform-x86-intel_cht_int33fe-register-all-connections-at-once.patch b/queue-4.19/platform-x86-intel_cht_int33fe-register-all-connections-at-once.patch
new file mode 100644
index 00000000000..e71411c6293
--- /dev/null
+++ b/queue-4.19/platform-x86-intel_cht_int33fe-register-all-connections-at-once.patch
@@ -0,0 +1,66 @@
+From 140a4ec4adddda615b4e8e8055ca37a30c7fe5e8 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus
+Date: Thu, 20 Sep 2018 14:23:41 +0300
+Subject: platform: x86: intel_cht_int33fe: Register all connections at once
+
+From: Heikki Krogerus
+
+commit 140a4ec4adddda615b4e8e8055ca37a30c7fe5e8 upstream.
+
+We can register all device connection descriptors with a
+single call to device_connections_add().
+
+Acked-by: Andy Shevchenko
+Acked-by: Hans de Goede
+Tested-by: Hans de Goede
+Signed-off-by: Heikki Krogerus
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/x86/intel_cht_int33fe.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+--- a/drivers/platform/x86/intel_cht_int33fe.c
++++ b/drivers/platform/x86/intel_cht_int33fe.c
+@@ -34,7 +34,7 @@ struct cht_int33fe_data {
+ struct i2c_client *fusb302;
+ struct i2c_client *pi3usb30532;
+ /* Contain a list-head must be per device */
+- struct device_connection connections[3];
++ struct device_connection connections[4];
+ };
+
+ /*
+@@ -184,9 +184,7 @@ static int cht_int33fe_probe(struct i2c_
+ data->connections[2].endpoint[1] = "intel_xhci_usb_sw-role-switch";
+ data->connections[2].id = "usb-role-switch";
+
+- device_connection_add(&data->connections[0]);
+- device_connection_add(&data->connections[1]);
+- device_connection_add(&data->connections[2]);
++ device_connections_add(data->connections);
+
+ memset(&board_info, 0, sizeof(board_info));
+ strlcpy(board_info.type, "typec_fusb302", I2C_NAME_SIZE);
+@@ -217,9 +215,7 @@ out_unregister_max17047:
+ if (data->max17047)
+ i2c_unregister_device(data->max17047);
+
+- device_connection_remove(&data->connections[2]);
+- device_connection_remove(&data->connections[1]);
+- device_connection_remove(&data->connections[0]);
++ device_connections_remove(data->connections);
+
+ return -EPROBE_DEFER; /* Wait for the i2c-adapter to load */
+ }
+@@ -233,9 +229,7 @@ static int cht_int33fe_remove(struct i2c
+ if (data->max17047)
+
i2c_unregister_device(data->max17047);
+
+- device_connection_remove(&data->connections[2]);
+- device_connection_remove(&data->connections[1]);
+- device_connection_remove(&data->connections[0]);
++ device_connections_remove(data->connections);
+
+ return 0;
+ }
diff --git a/queue-4.19/platform-x86-intel_cht_int33fe-remove-the-old-connections-for-the-muxes.patch b/queue-4.19/platform-x86-intel_cht_int33fe-remove-the-old-connections-for-the-muxes.patch
new file mode 100644
index 00000000000..e31016774fb
--- /dev/null
+++ b/queue-4.19/platform-x86-intel_cht_int33fe-remove-the-old-connections-for-the-muxes.patch
@@ -0,0 +1,67 @@
+From 148b0aa78e4e1077e38f928124bbc9c2d2d24006 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus
+Date: Thu, 20 Sep 2018 14:23:45 +0300
+Subject: platform: x86: intel_cht_int33fe: Remove the old connections for the muxes
+
+From: Heikki Krogerus
+
+commit 148b0aa78e4e1077e38f928124bbc9c2d2d24006 upstream.
+
+USB Type-C class driver now expects the muxes to be always
+assigned to the ports and not controllers, so the
+connections for the mux and fusb302 can be removed.
+
+Acked-by: Andy Shevchenko
+Acked-by: Hans de Goede
+Tested-by: Hans de Goede
+Signed-off-by: Heikki Krogerus
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/x86/intel_cht_int33fe.c | 18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+--- a/drivers/platform/x86/intel_cht_int33fe.c
++++ b/drivers/platform/x86/intel_cht_int33fe.c
+@@ -34,7 +34,7 @@ struct cht_int33fe_data {
+ struct i2c_client *fusb302;
+ struct i2c_client *pi3usb30532;
+ /* Contain a list-head must be per device */
+- struct device_connection connections[8];
++ struct device_connection connections[5];
+ };
+
+ /*
+@@ -174,29 +174,19 @@ static int cht_int33fe_probe(struct i2c_
+ return -EPROBE_DEFER; /* Wait for i2c-adapter to load */
+ }
+
+- data->connections[0].endpoint[0] = "i2c-fusb302";
++ data->connections[0].endpoint[0] = "port0";
+ data->connections[0].endpoint[1] = "i2c-pi3usb30532";
+ data->connections[0].id = "typec-switch";
+- data->connections[1].endpoint[0] = "i2c-fusb302";
++ data->connections[1].endpoint[0] = "port0";
+ data->connections[1].endpoint[1] = "i2c-pi3usb30532";
+ data->connections[1].id = "typec-mux";
+- data->connections[2].endpoint[0] = "i2c-fusb302";
++ data->connections[2].endpoint[0] = "port0";
+ data->connections[2].endpoint[1] = "i2c-pi3usb30532";
+ data->connections[2].id = "idff01m01";
+ data->connections[3].endpoint[0] = "i2c-fusb302";
+ data->connections[3].endpoint[1] = "intel_xhci_usb_sw-role-switch";
+ data->connections[3].id =
"usb-role-switch";
+
+- data->connections[4].endpoint[0] = "port0";
+- data->connections[4].endpoint[1] = "i2c-pi3usb30532";
+- data->connections[4].id = "typec-switch";
+- data->connections[5].endpoint[0] = "port0";
+- data->connections[5].endpoint[1] = "i2c-pi3usb30532";
+- data->connections[5].id = "typec-mux";
+- data->connections[6].endpoint[0] = "port0";
+- data->connections[6].endpoint[1] = "i2c-pi3usb30532";
+- data->connections[6].id = "idff01m01";
+-
+ device_connections_add(data->connections);
+
+ memset(&board_info, 0, sizeof(board_info));
diff --git a/queue-4.19/series b/queue-4.19/series
index 692bfaa5095..533dd9d28e8 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -123,3 +123,12 @@ x86-smp-enforce-config_hotplug_cpu-when-smp-y.patch
 kvm-reject-device-ioctls-from-processes-other-than-the-vm-s-creator.patch
 kvm-x86-update-rip-after-emulating-io.patch
 kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch
+staging-erofs-fix-error-handling-when-failed-to-read-compresssed-data.patch
+staging-erofs-keep-corrupted-fs-from-crashing-kernel-in-erofs_readdir.patch
+bpf-do-not-restore-dst_reg-when-cur_state-is-freed.patch
+drivers-base-helpers-for-adding-device-connection-descriptions.patch
+platform-x86-intel_cht_int33fe-register-all-connections-at-once.patch
+platform-x86-intel_cht_int33fe-add-connection-for-the-dp-alt-mode.patch
+platform-x86-intel_cht_int33fe-add-connections-for-the-usb-type-c-port.patch
+usb-typec-class-don-t-use-port-parent-for-getting-mux-handles.patch
+platform-x86-intel_cht_int33fe-remove-the-old-connections-for-the-muxes.patch
diff --git a/queue-4.19/staging-erofs-fix-error-handling-when-failed-to-read-compresssed-data.patch b/queue-4.19/staging-erofs-fix-error-handling-when-failed-to-read-compresssed-data.patch
new file mode 100644
index 00000000000..ced856dc013
--- /dev/null
+++ b/queue-4.19/staging-erofs-fix-error-handling-when-failed-to-read-compresssed-data.patch
@@ -0,0 +1,105 @@
+From b6391ac73400eff38377a4a7364bd3df5efb5178 Mon Sep 17 00:00:00 2001
+From: Gao Xiang
+Date: Mon, 25 Mar 2019 11:40:07 +0800
+Subject: staging: erofs: fix error handling when failed to read compresssed data
+
+From: Gao Xiang
+
+commit b6391ac73400eff38377a4a7364bd3df5efb5178 upstream.
+
+Complete read error handling paths for all three kinds of
+compressed pages:
+
+ 1) For cache-managed pages, PG_uptodate will be checked since
+ read_endio will unlock and SetPageUptodate for these pages;
+
+ 2) For inplaced pages, read_endio cannot SetPageUptodate directly
+ since it should be used to mark the final decompressed data,
+ PG_error will be set with page locked for IO error instead;
+
+ 3) For staging pages, PG_error is used, which is similar to
+ what we do for inplaced pages.
+
+Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
+Cc: # 4.19+
+Reviewed-by: Chao Yu
+Signed-off-by: Gao Xiang
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/staging/erofs/unzip_vle.c | 42 ++++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 13 deletions(-)
+
+--- a/drivers/staging/erofs/unzip_vle.c
++++ b/drivers/staging/erofs/unzip_vle.c
+@@ -885,6 +885,7 @@ repeat:
+ overlapped = false;
+ compressed_pages = grp->compressed_pages;
+
++ err = 0;
+ for (i = 0; i < clusterpages; ++i) {
+ unsigned pagenr;
+
+@@ -894,26 +895,39 @@ repeat:
+ DBG_BUGON(page == NULL);
+ DBG_BUGON(page->mapping == NULL);
+
+- if (z_erofs_is_stagingpage(page))
+- continue;
++ if (!z_erofs_is_stagingpage(page)) {
+ #ifdef EROFS_FS_HAS_MANAGED_CACHE
+- if (page->mapping == mngda) {
+- DBG_BUGON(!PageUptodate(page));
+- continue;
+- }
++ if (page->mapping == mngda) {
++ if (unlikely(!PageUptodate(page)))
++ err = -EIO;
++ continue;
++ }
+ #endif
+
+- /* only non-head page could be reused as a compressed page */
+- pagenr = z_erofs_onlinepage_index(page);
++ /*
++ * only if non-head page can be selected
++ * for inplace decompression
++ */
++
pagenr = z_erofs_onlinepage_index(page);
++
++ DBG_BUGON(pagenr >= nr_pages);
++ DBG_BUGON(pages[pagenr]);
++ ++sparsemem_pages;
++ pages[pagenr] = page;
+
+- DBG_BUGON(pagenr >= nr_pages);
+- DBG_BUGON(pages[pagenr]);
+- ++sparsemem_pages;
+- pages[pagenr] = page;
++ overlapped = true;
++ }
+
+- overlapped = true;
++ /* PG_error needs checking for inplaced and staging pages */
++ if (unlikely(PageError(page))) {
++ DBG_BUGON(PageUptodate(page));
++ err = -EIO;
++ }
+ }
+
++ if (unlikely(err))
++ goto out;
++
+ llen = (nr_pages << PAGE_SHIFT) - work->pageofs;
+
+ if (z_erofs_vle_workgrp_fmt(grp) == Z_EROFS_VLE_WORKGRP_FMT_PLAIN) {
+@@ -1082,6 +1096,8 @@ static inline bool recover_managed_page(
+ return true;
+
+ lock_page(page);
++ ClearPageError(page);
++
+ if (unlikely(!PagePrivate(page))) {
+ set_page_private(page, (unsigned long)grp);
+ SetPagePrivate(page);
diff --git a/queue-4.19/staging-erofs-keep-corrupted-fs-from-crashing-kernel-in-erofs_readdir.patch b/queue-4.19/staging-erofs-keep-corrupted-fs-from-crashing-kernel-in-erofs_readdir.patch
new file mode 100644
index 00000000000..b34e2b5a711
--- /dev/null
+++ b/queue-4.19/staging-erofs-keep-corrupted-fs-from-crashing-kernel-in-erofs_readdir.patch
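Review bot: In the reworked loop under `repeat:`, the store `pages[pagenr] = page;` is still guarded only by `DBG_BUGON(pagenr >= nr_pages)` and `DBG_BUGON(pages[pagenr])`, although the same hunk turns the `!PageUptodate(page)` assertion into a real `err = -EIO` path. If DBG_BUGON compiles to nothing without the erofs debug option (its definition is not on this page), an out-of-range or already-used `pagenr` is written through in production builds. Consider giving these two checks the same treatment, e.g. `if (unlikely(pagenr >= nr_pages || pages[pagenr])) { err = -EIO; continue; }`. The `out:` label lies outside the hunk, so it should be confirmed that it releases the pages already collected when the loop ends with `err` set.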
@@ -0,0 +1,100 @@
+From 33bac912840fe64dbc15556302537dc6a17cac63 Mon Sep 17 00:00:00 2001
+From: Gao Xiang
+Date: Fri, 29 Mar 2019 04:14:58 +0800
+Subject: staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()
+
+From: Gao Xiang
+
+commit 33bac912840fe64dbc15556302537dc6a17cac63 upstream.
+
+After commit 419d6efc50e9, kernel cannot be crashed in the namei
+path. However, corrupted nameoff can do harm in the process of
+readdir for scenerios without dm-verity as well. Fix it now.
+
+Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
+Cc: # 4.19+
+Signed-off-by: Gao Xiang
+Reviewed-by: Chao Yu
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/staging/erofs/dir.c | 45 ++++++++++++++++++++++++--------------------
+ 1 file changed, 25 insertions(+), 20 deletions(-)
+
+--- a/drivers/staging/erofs/dir.c
++++ b/drivers/staging/erofs/dir.c
+@@ -23,6 +23,21 @@ static const unsigned char erofs_filetyp
+ [EROFS_FT_SYMLINK] = DT_LNK,
+ };
+
++static void debug_one_dentry(unsigned char d_type, const char *de_name,
++ unsigned int de_namelen)
++{
++#ifdef CONFIG_EROFS_FS_DEBUG
++ /* since the on-disk name could not have the trailing '\0' */
++ unsigned char dbg_namebuf[EROFS_NAME_LEN + 1];
++
++ memcpy(dbg_namebuf, de_name, de_namelen);
++ dbg_namebuf[de_namelen] = '\0';
++
++ debugln("found dirent %s de_len %u d_type %d", dbg_namebuf,
++ de_namelen, d_type);
++#endif
++}
++
+ static int erofs_fill_dentries(struct dir_context *ctx,
+ void *dentry_blk, unsigned *ofs,
+ unsigned nameoff, unsigned maxsize)
+@@ -33,14 +48,10 @@ static int erofs_fill_dentries(struct di
+ de = dentry_blk + *ofs;
+ while (de < end) {
+ const char *de_name;
+- int de_namelen;
++ unsigned int de_namelen;
+ unsigned char d_type;
+-#ifdef CONFIG_EROFS_FS_DEBUG
+- unsigned dbg_namelen;
+- unsigned char dbg_namebuf[EROFS_NAME_LEN];
+-#endif
+
+- if (unlikely(de->file_type < EROFS_FT_MAX))
++ if (de->file_type < EROFS_FT_MAX)
+ d_type = erofs_filetype_table[de->file_type];
+ else
+ d_type = DT_UNKNOWN;
+@@ -48,26 +59,20 @@ static int erofs_fill_dentries(struct di
+ nameoff = le16_to_cpu(de->nameoff);
+ de_name = (char *)dentry_blk + nameoff;
+
+- de_namelen = unlikely(de + 1 >= end) ?
+- /* last directory entry */
+- strnlen(de_name, maxsize - nameoff) :
+- le16_to_cpu(de[1].nameoff) - nameoff;
++ /* the last dirent in the block? */
++ if (de + 1 >= end)
++ de_namelen = strnlen(de_name, maxsize - nameoff);
++ else
++ de_namelen = le16_to_cpu(de[1].nameoff) - nameoff;
+
+ /* a corrupted entry is found */
+- if (unlikely(de_namelen < 0)) {
++ if (unlikely(nameoff + de_namelen > maxsize ||
++ de_namelen > EROFS_NAME_LEN)) {
+ DBG_BUGON(1);
+ return -EIO;
+ }
+
+-#ifdef CONFIG_EROFS_FS_DEBUG
+- dbg_namelen = min(EROFS_NAME_LEN - 1, de_namelen);
+- memcpy(dbg_namebuf, de_name, dbg_namelen);
+- dbg_namebuf[dbg_namelen] = '\0';
+-
+- debugln("%s, found de_name %s de_len %d d_type %d", __func__,
+- dbg_namebuf, de_namelen, d_type);
+-#endif
+-
++ debug_one_dentry(d_type, de_name, de_namelen);
+ if (!dir_emit(ctx, de_name, de_namelen,
+ le64_to_cpu(de->nid), d_type))
+ /* stoped by some reason */
diff --git a/queue-4.19/usb-typec-class-don-t-use-port-parent-for-getting-mux-handles.patch b/queue-4.19/usb-typec-class-don-t-use-port-parent-for-getting-mux-handles.patch
new file mode 100644
index 00000000000..80f149b8cf4
--- /dev/null
+++ b/queue-4.19/usb-typec-class-don-t-use-port-parent-for-getting-mux-handles.patch
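Review bot: For the last dirent in a block, `strnlen(de_name, maxsize - nameoff)` runs before the new corruption check, and `nameoff` comes straight from `le16_to_cpu(de->nameoff)`; both operands are `unsigned`, so unless the caller already bounds every entry's offset (not visible here) an on-disk `nameoff` larger than `maxsize` wraps the bound and lets strnlen() scan past the directory block. The added test `nameoff + de_namelen > maxsize` only fires after that read. I would validate the offset first, `if (unlikely(nameoff >= maxsize)) { DBG_BUGON(1); return -EIO; }`, placed right after `nameoff` is loaded. debug_one_dentry() copies `de_namelen` bytes into a buffer of `EROFS_NAME_LEN + 1`, so it relies on being called only after the `de_namelen > EROFS_NAME_LEN` check, and a one-line comment on the helper saying so would protect that ordering. erofs_fill_dentries() continues outside the hunk.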
@@ -0,0 +1,101 @@
+From 23481121c81d984193edf1532f5e123637e50903 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus
+Date: Thu, 20 Sep 2018 14:23:44 +0300
+Subject: usb: typec: class: Don't use port parent for getting mux handles
+
+From: Heikki Krogerus
+
+commit 23481121c81d984193edf1532f5e123637e50903 upstream.
+
+It is not possible to use the parent of the port device when
+requesting mux handles as the parent may be a multiport USB
+Type-C or PD controller. The muxes must be assigned to the
+ports, not the controllers.
+
+This will also move the requesting of the muxes after the
+port device is initialized.
+
+Acked-by: Hans de Goede
+Tested-by: Hans de Goede
+Signed-off-by: Heikki Krogerus
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/usb/typec/class.c | 38 +++++++++++++++-----------------------
+ 1 file changed, 15 insertions(+), 23 deletions(-)
+
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -1500,7 +1500,7 @@ typec_port_register_altmode(struct typec
+
+ sprintf(id, "id%04xm%02x", desc->svid, desc->mode);
+
+- mux = typec_mux_get(port->dev.parent, id);
++ mux = typec_mux_get(&port->dev, id);
+ if (IS_ERR(mux))
+ return ERR_CAST(mux);
+
+@@ -1540,18 +1540,6 @@ struct typec_port *typec_register_port(s
+ return ERR_PTR(id);
+ }
+
+- port->sw = typec_switch_get(cap->fwnode ?
&port->dev : parent);
+- if (IS_ERR(port->sw)) {
+- ret = PTR_ERR(port->sw);
+- goto err_switch;
+- }
+-
+- port->mux = typec_mux_get(parent, "typec-mux");
+- if (IS_ERR(port->mux)) {
+- ret = PTR_ERR(port->mux);
+- goto err_mux;
+- }
+-
+ switch (cap->type) {
+ case TYPEC_PORT_SRC:
+ port->pwr_role = TYPEC_SOURCE;
+@@ -1592,13 +1580,26 @@ struct typec_port *typec_register_port(s
+ port->port_type = cap->type;
+ port->prefer_role = cap->prefer_role;
+
++ device_initialize(&port->dev);
+ port->dev.class = typec_class;
+ port->dev.parent = parent;
+ port->dev.fwnode = cap->fwnode;
+ port->dev.type = &typec_port_dev_type;
+ dev_set_name(&port->dev, "port%d", id);
+
+- ret = device_register(&port->dev);
++ port->sw = typec_switch_get(&port->dev);
++ if (IS_ERR(port->sw)) {
++ put_device(&port->dev);
++ return ERR_CAST(port->sw);
++ }
++
++ port->mux = typec_mux_get(&port->dev, "typec-mux");
++ if (IS_ERR(port->mux)) {
++ put_device(&port->dev);
++ return ERR_CAST(port->mux);
++ }
++
++ ret = device_add(&port->dev);
+ if (ret) {
+ dev_err(parent, "failed to register port (%d)\n", ret);
+ put_device(&port->dev);
+@@ -1606,15 +1607,6 @@ struct typec_port *typec_register_port(s
+ }
+
+ return port;
+-
+-err_mux:
+- typec_switch_put(port->sw);
+-
+-err_switch:
+- ida_simple_remove(&typec_index_ida, port->id);
+- kfree(port);
+-
+- return ERR_PTR(ret);
+ }
+ EXPORT_SYMBOL_GPL(typec_register_port);
+
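Review bot: Both new error paths in typec_register_port() call `put_device(&port->dev)` and then read the port again, in `return ERR_CAST(port->sw);` and `return ERR_CAST(port->mux);`. The removed labels freed `port` with `kfree(port)`, so after `device_initialize()` the final put presumably frees it through the device type's release callback (not shown on this page), which would make these two reads a use-after-free. Save the error before dropping the reference: `ret = PTR_ERR(port->sw); put_device(&port->dev); return ERR_PTR(ret);`, and the same for `port->mux`. It is also worth confirming that the release callback puts `port->sw` when only the mux lookup fails, since the explicit `typec_switch_put()` was removed.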