From: Greg Kroah-Hartman Date: Sun, 22 Apr 2018 09:17:16 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.106~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f2ed39084733bea4f49522030f0a67fc21a38750;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-hda-new-via-controller-suppor-no-snoop-path.patch alsa-line6-use-correct-endpoint-type-for-midi-output.patch alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch mips-memset.s-eva-fault-support-for-small_memset.patch mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch powerpc-eeh-fix-enabling-bridge-mmio-windows.patch powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch random-add-new-ioctl-rndreseedcrng.patch random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch random-fix-crng_ready-test.patch random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch --- diff --git a/queue-4.9/alsa-hda-new-via-controller-suppor-no-snoop-path.patch b/queue-4.9/alsa-hda-new-via-controller-suppor-no-snoop-path.patch new file mode 100644 index 00000000000..6364866c0c2 --- /dev/null +++ b/queue-4.9/alsa-hda-new-via-controller-suppor-no-snoop-path.patch @@ -0,0 +1,35 @@ +From af52f9982e410edac21ca4b49563053ffc9da1eb Mon Sep 17 00:00:00 2001 +From: David Wang +Date: Mon, 16 Apr 2018 17:48:09 +0800 +Subject: ALSA: hda - New VIA controller suppor no-snoop path + +From: David Wang + +commit af52f9982e410edac21ca4b49563053ffc9da1eb upstream. + +This patch is used to tell kernel that new VIA HDAC controller also +support no-snoop path. + +[ minor coding style fix by tiwai ] + +Signed-off-by: David Wang +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_intel.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -1514,7 +1514,8 @@ static void azx_check_snoop_available(st + */ + u8 val; + pci_read_config_byte(chip->pci, 0x42, &val); +- if (!(val & 0x80) && chip->pci->revision == 0x30) ++ if (!(val & 0x80) && (chip->pci->revision == 0x30 || ++ chip->pci->revision == 0x20)) + snoop = false; + } + diff --git a/queue-4.9/alsa-line6-use-correct-endpoint-type-for-midi-output.patch b/queue-4.9/alsa-line6-use-correct-endpoint-type-for-midi-output.patch new file mode 100644 index 00000000000..3f7bcc4e774 --- /dev/null +++ b/queue-4.9/alsa-line6-use-correct-endpoint-type-for-midi-output.patch @@ -0,0 +1,47 @@ +From 7ecb46e9ee9af18e304eb9e7d6804c59a408e846 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabi=C3=A1n=20Inostroza?= +Date: Thu, 12 Apr 2018 00:37:35 -0300 +Subject: ALSA: line6: Use correct endpoint type for midi output +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabián Inostroza + +commit 7ecb46e9ee9af18e304eb9e7d6804c59a408e846 upstream. + +Sending MIDI messages to a PODxt through the USB connection shows +"usb_submit_urb failed" in dmesg and the message is not received by +the POD. + +The error is caused because in the funcion send_midi_async() in midi.c +there is a call to usb_sndbulkpipe() for endpoint 3 OUT, but the PODxt +USB descriptor shows that this endpoint it's an interrupt endpoint. + +Patch tested with PODxt only. + +[ The bug has been present from the very beginning in the staging + driver time, but Fixes below points to the commit moving to sound/ + directory so that the fix can be cleanly applied -- tiwai ] + +Fixes: 61864d844c29 ("ALSA: move line6 usb driver into sound/usb") +Signed-off-by: Fabián Inostroza +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/line6/midi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/usb/line6/midi.c ++++ b/sound/usb/line6/midi.c +@@ -125,7 +125,7 @@ static int send_midi_async(struct usb_li + } + + usb_fill_int_urb(urb, line6->usbdev, +- usb_sndbulkpipe(line6->usbdev, ++ usb_sndintpipe(line6->usbdev, + line6->properties->ep_ctrl_w), + transfer_buffer, length, midi_sent, line6, + line6->interval); diff --git a/queue-4.9/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch b/queue-4.9/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch new file mode 100644 index 00000000000..e3ed8925ba3 --- /dev/null +++ b/queue-4.9/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch @@ -0,0 +1,93 @@ +From 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 19 Apr 2018 18:16:15 +0200 +Subject: ALSA: rawmidi: Fix missing input substream checks in compat ioctls + +From: Takashi Iwai + +commit 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 upstream. + +Some rawmidi compat ioctls lack of the input substream checks +(although they do check only for rfile->output). This many eventually +lead to an Oops as NULL substream is passed to the rawmidi core +functions. + +Fix it by adding the proper checks before each function call. + +The bug was spotted by syzkaller. + +Reported-by: syzbot+f7a0348affc3b67bc617@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/rawmidi_compat.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/sound/core/rawmidi_compat.c ++++ b/sound/core/rawmidi_compat.c +@@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_comp + struct snd_rawmidi_params params; + unsigned int val; + +- if (rfile->output == NULL) +- return -EINVAL; + if (get_user(params.stream, &src->stream) || + get_user(params.buffer_size, &src->buffer_size) || + get_user(params.avail_min, &src->avail_min) || +@@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_comp + params.no_active_sensing = val; + switch (params.stream) { + case SNDRV_RAWMIDI_STREAM_OUTPUT: ++ if (!rfile->output) ++ return -EINVAL; + return snd_rawmidi_output_params(rfile->output, ¶ms); + case SNDRV_RAWMIDI_STREAM_INPUT: ++ if (!rfile->input) ++ return -EINVAL; + return snd_rawmidi_input_params(rfile->input, ¶ms); + } + return -EINVAL; +@@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_comp + int err; + struct snd_rawmidi_status status; + +- if (rfile->output == NULL) +- return -EINVAL; + if (get_user(status.stream, &src->stream)) + return -EFAULT; + + switch (status.stream) { + case SNDRV_RAWMIDI_STREAM_OUTPUT: ++ if (!rfile->output) ++ return -EINVAL; + err = snd_rawmidi_output_status(rfile->output, &status); + break; + case SNDRV_RAWMIDI_STREAM_INPUT: ++ if (!rfile->input) ++ return -EINVAL; + err = snd_rawmidi_input_status(rfile->input, &status); + break; + default: +@@ -112,16 +116,18 @@ static int snd_rawmidi_ioctl_status_x32( + int err; + struct snd_rawmidi_status status; + +- if (rfile->output == NULL) +- return -EINVAL; + if (get_user(status.stream, &src->stream)) + return -EFAULT; + + switch (status.stream) { + case SNDRV_RAWMIDI_STREAM_OUTPUT: ++ if (!rfile->output) ++ return -EINVAL; + err = snd_rawmidi_output_status(rfile->output, &status); + break; + case SNDRV_RAWMIDI_STREAM_INPUT: ++ if (!rfile->input) ++ return -EINVAL; + err = snd_rawmidi_input_status(rfile->input, &status); + break; + default: diff --git a/queue-4.9/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch b/queue-4.9/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch new file mode 100644 index 00000000000..98e30cd5370 --- /dev/null +++ b/queue-4.9/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch @@ -0,0 +1,40 @@ +From a955358d54695e4ad9f7d6489a7ac4d69a8fc711 Mon Sep 17 00:00:00 2001 +From: Rodrigo Rivas Costa +Date: Fri, 6 Apr 2018 01:09:36 +0200 +Subject: HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device + +From: Rodrigo Rivas Costa + +commit a955358d54695e4ad9f7d6489a7ac4d69a8fc711 upstream. + +Doing `ioctl(HIDIOCGFEATURE)` in a tight loop on a hidraw device +and then disconnecting the device, or unloading the driver, can +cause a NULL pointer dereference. + +When a hidraw device is destroyed it sets 0 to `dev->exist`. +Most functions check 'dev->exist' before doing its work, but +`hidraw_get_report()` was missing that check. + +Cc: stable@vger.kernel.org +Signed-off-by: Rodrigo Rivas Costa +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hidraw.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hid/hidraw.c ++++ b/drivers/hid/hidraw.c +@@ -192,6 +192,11 @@ static ssize_t hidraw_get_report(struct + int ret = 0, len; + unsigned char report_number; + ++ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { ++ ret = -ENODEV; ++ goto out; ++ } ++ + dev = hidraw_table[minor]->hid; + + if (!dev->ll_driver->raw_request) { diff --git a/queue-4.9/mips-memset.s-eva-fault-support-for-small_memset.patch b/queue-4.9/mips-memset.s-eva-fault-support-for-small_memset.patch new file mode 100644 index 00000000000..519af842334 --- /dev/null +++ b/queue-4.9/mips-memset.s-eva-fault-support-for-small_memset.patch @@ -0,0 +1,65 @@ +From 8a8158c85e1e774a44fbe81106fa41138580dfd1 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Thu, 29 Mar 2018 10:28:23 +0100 +Subject: MIPS: memset.S: EVA & fault support for small_memset + +From: Matt Redfearn + +commit 8a8158c85e1e774a44fbe81106fa41138580dfd1 upstream. + +The MIPS kernel memset / bzero implementation includes a small_memset +branch which is used when the region to be set is smaller than a long (4 +bytes on 32bit, 8 bytes on 64bit). The current small_memset +implementation uses a simple store byte loop to write the destination. +There are 2 issues with this implementation: + +1. When EVA mode is active, user and kernel address spaces may overlap. +Currently the use of the sb instruction means kernel mode addressing is +always used and an intended write to userspace may actually overwrite +some critical kernel data. + +2. If the write triggers a page fault, for example by calling +__clear_user(NULL, 2), instead of gracefully handling the fault, an OOPS +is triggered. + +Fix these issues by replacing the sb instruction with the EX() macro, +which will emit EVA compatible instuctions as required. Additionally +implement a fault fixup for small_memset which sets a2 to the number of +bytes that could not be cleared (as defined by __clear_user). + +Reported-by: Chuanhua Lei +Signed-off-by: Matt Redfearn +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/18975/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/lib/memset.S | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/mips/lib/memset.S ++++ b/arch/mips/lib/memset.S +@@ -218,7 +218,7 @@ + 1: PTR_ADDIU a0, 1 /* fill bytewise */ + R10KCBARRIER(0(ra)) + bne t1, a0, 1b +- sb a1, -1(a0) ++ EX(sb, a1, -1(a0), .Lsmall_fixup\@) + + 2: jr ra /* done */ + move a2, zero +@@ -259,6 +259,11 @@ + jr ra + andi v1, a2, STORMASK + ++.Lsmall_fixup\@: ++ PTR_SUBU a2, t1, a0 ++ jr ra ++ PTR_ADDIU a2, 1 ++ + .endm + + /* diff --git a/queue-4.9/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch b/queue-4.9/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch new file mode 100644 index 00000000000..cc9619d405d --- /dev/null +++ b/queue-4.9/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch @@ -0,0 +1,77 @@ +From c96eebf07692e53bf4dd5987510d8b550e793598 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 17 Apr 2018 16:40:00 +0100 +Subject: MIPS: memset.S: Fix clobber of v1 in last_fixup + +From: Matt Redfearn + +commit c96eebf07692e53bf4dd5987510d8b550e793598 upstream. + +The label .Llast_fixup\@ is jumped to on page fault within the final +byte set loop of memset (on < MIPSR6 architectures). For some reason, in +this fault handler, the v1 register is randomly set to a2 & STORMASK. +This clobbers v1 for the calling function. This can be observed with the +following test code: + +static int __init __attribute__((optimize("O0"))) test_clear_user(void) +{ + register int t asm("v1"); + char *test; + int j, k; + + pr_info("\n\n\nTesting clear_user\n"); + test = vmalloc(PAGE_SIZE); + + for (j = 256; j < 512; j++) { + t = 0xa5a5a5a5; + if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) { + pr_err("clear_user (%px %d) returned %d\n", test + PAGE_SIZE - 256, j, k); + } + if (t != 0xa5a5a5a5) { + pr_err("v1 was clobbered to 0x%x!\n", t); + } + } + + return 0; +} +late_initcall(test_clear_user); + +Which demonstrates that v1 is indeed clobbered (MIPS64): + +Testing clear_user +v1 was clobbered to 0x1! +v1 was clobbered to 0x2! +v1 was clobbered to 0x3! +v1 was clobbered to 0x4! +v1 was clobbered to 0x5! +v1 was clobbered to 0x6! +v1 was clobbered to 0x7! + +Since the number of bytes that could not be set is already contained in +a2, the andi placing a value in v1 is not necessary and actively +harmful in clobbering v1. + +Reported-by: James Hogan +Signed-off-by: Matt Redfearn +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/19109/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/lib/memset.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/lib/memset.S ++++ b/arch/mips/lib/memset.S +@@ -257,7 +257,7 @@ + + .Llast_fixup\@: + jr ra +- andi v1, a2, STORMASK ++ nop + + .Lsmall_fixup\@: + PTR_SUBU a2, t1, a0 diff --git a/queue-4.9/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch b/queue-4.9/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch new file mode 100644 index 00000000000..faed63356ab --- /dev/null +++ b/queue-4.9/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch @@ -0,0 +1,57 @@ +From daf70d89f80c6e1772233da9e020114b1254e7e0 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 17 Apr 2018 15:52:21 +0100 +Subject: MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup + +From: Matt Redfearn + +commit daf70d89f80c6e1772233da9e020114b1254e7e0 upstream. + +The __clear_user function is defined to return the number of bytes that +could not be cleared. From the underlying memset / bzero implementation +this means setting register a2 to that number on return. Currently if a +page fault is triggered within the memset_partial block, the value +loaded into a2 on return is meaningless. + +The label .Lpartial_fixup\@ is jumped to on page fault. In order to work +out how many bytes failed to copy, the exception handler should find how +many bytes left in the partial block (andi a2, STORMASK), add that to +the partial block end address (a2), and subtract the faulting address to +get the remainder. Currently it incorrectly subtracts the partial block +start address (t1), which has additionally been clobbered to generate a +jump target in memset_partial. Fix this by adding the block end address +instead. + +This issue was found with the following test code: + int j, k; + for (j = 0; j < 512; j++) { + if ((k = clear_user(NULL, j)) != j) { + pr_err("clear_user (NULL %d) returned %d\n", j, k); + } + } +Which now passes on Creator Ci40 (MIPS32) and Cavium Octeon II (MIPS64). + +Suggested-by: James Hogan +Signed-off-by: Matt Redfearn +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/19108/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/lib/memset.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/lib/memset.S ++++ b/arch/mips/lib/memset.S +@@ -251,7 +251,7 @@ + PTR_L t0, TI_TASK($28) + andi a2, STORMASK + LONG_L t0, THREAD_BUADDR(t0) +- LONG_ADDU a2, t1 ++ LONG_ADDU a2, a0 + jr ra + LONG_SUBU a2, t0 + diff --git a/queue-4.9/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch b/queue-4.9/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch new file mode 100644 index 00000000000..49f7229e362 --- /dev/null +++ b/queue-4.9/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch @@ -0,0 +1,60 @@ +From b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 17 Apr 2018 16:40:01 +0100 +Subject: MIPS: uaccess: Add micromips clobbers to bzero invocation + +From: Matt Redfearn + +commit b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 upstream. + +The micromips implementation of bzero additionally clobbers registers t7 +& t8. Specify this in the clobbers list when invoking bzero. + +Fixes: 26c5e07d1478 ("MIPS: microMIPS: Optimise 'memset' core library function.") +Reported-by: James Hogan +Signed-off-by: Matt Redfearn +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: # 3.10+ +Patchwork: https://patchwork.linux-mips.org/patch/19110/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/uaccess.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/mips/include/asm/uaccess.h ++++ b/arch/mips/include/asm/uaccess.h +@@ -1257,6 +1257,13 @@ __clear_user(void __user *addr, __kernel + { + __kernel_size_t res; + ++#ifdef CONFIG_CPU_MICROMIPS ++/* micromips memset / bzero also clobbers t7 & t8 */ ++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$15", "$24", "$31" ++#else ++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$31" ++#endif /* CONFIG_CPU_MICROMIPS */ ++ + if (eva_kernel_access()) { + __asm__ __volatile__( + "move\t$4, %1\n\t" +@@ -1266,7 +1273,7 @@ __clear_user(void __user *addr, __kernel + "move\t%0, $6" + : "=r" (res) + : "r" (addr), "r" (size) +- : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"); ++ : bzero_clobbers); + } else { + might_fault(); + __asm__ __volatile__( +@@ -1277,7 +1284,7 @@ __clear_user(void __user *addr, __kernel + "move\t%0, $6" + : "=r" (res) + : "r" (addr), "r" (size) +- : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"); ++ : bzero_clobbers); + } + + return res; diff --git a/queue-4.9/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch b/queue-4.9/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch new file mode 100644 index 00000000000..6c44c0dddbc --- /dev/null +++ b/queue-4.9/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch @@ -0,0 +1,56 @@ +From 13a83eac373c49c0a081cbcd137e79210fe78acd Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Wed, 11 Apr 2018 13:37:58 +1000 +Subject: powerpc/eeh: Fix enabling bridge MMIO windows + +From: Michael Neuling + +commit 13a83eac373c49c0a081cbcd137e79210fe78acd upstream. + +On boot we save the configuration space of PCIe bridges. We do this so +when we get an EEH event and everything gets reset that we can restore +them. + +Unfortunately we save this state before we've enabled the MMIO space +on the bridges. Hence if we have to reset the bridge when we come back +MMIO is not enabled and we end up taking an PE freeze when the driver +starts accessing again. + +This patch forces the memory/MMIO and bus mastering on when restoring +bridges on EEH. Ideally we'd do this correctly by saving the +configuration space writes later, but that will have to come later in +a larger EEH rewrite. For now we have this simple fix. + +The original bug can be triggered on a boston machine by doing: + echo 0x8000000000000000 > /sys/kernel/debug/powerpc/PCI0001/err_injct_outbound +On boston, this PHB has a PCIe switch on it. Without this patch, +you'll see two EEH events, 1 expected and 1 the failure we are fixing +here. The second EEH event causes the anything under the PHB to +disappear (i.e. the i40e eth). + +With this patch, only 1 EEH event occurs and devices properly recover. + +Fixes: 652defed4875 ("powerpc/eeh: Check PCIe link after reset") +Cc: stable@vger.kernel.org # v3.11+ +Reported-by: Pridhiviraj Paidipeddi +Signed-off-by: Michael Neuling +Acked-by: Russell Currey +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/eeh_pe.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/eeh_pe.c ++++ b/arch/powerpc/kernel/eeh_pe.c +@@ -795,7 +795,8 @@ static void eeh_restore_bridge_bars(stru + eeh_ops->write_config(pdn, 15*4, 4, edev->config_space[15]); + + /* PCI Command: 0x4 */ +- eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1]); ++ eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1] | ++ PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER); + + /* Check the PCIe link is ready */ + eeh_bridge_check_link(edev); diff --git a/queue-4.9/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch b/queue-4.9/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch new file mode 100644 index 00000000000..bed780fe095 --- /dev/null +++ b/queue-4.9/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch @@ -0,0 +1,53 @@ +From b8858581febb050688e276b956796bc4a78299ed Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Mon, 16 Apr 2018 23:25:19 +1000 +Subject: powerpc/lib: Fix off-by-one in alternate feature patching + +From: Michael Ellerman + +commit b8858581febb050688e276b956796bc4a78299ed upstream. + +When we patch an alternate feature section, we have to adjust any +relative branches that branch out of the alternate section. + +But currently we have a bug if we have a branch that points to past +the last instruction of the alternate section, eg: + + FTR_SECTION_ELSE + 1: b 2f + or 6,6,6 + 2: + ALT_FTR_SECTION_END(...) + nop + +This will result in a relative branch at 1 with a target that equals +the end of the alternate section. + +That branch does not need adjusting when it's moved to the non-else +location. Currently we do adjust it, resulting in a branch that goes +off into the link-time location of the else section, which is junk. + +The fix is to not patch branches that have a target == end of the +alternate section. + +Fixes: d20fe50a7b3c ("KVM: PPC: Book3S HV: Branch inside feature section") +Fixes: 9b1a735de64c ("powerpc: Add logic to patch alternative feature sections") +Cc: stable@vger.kernel.org # v2.6.27+ +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/lib/feature-fixups.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/lib/feature-fixups.c ++++ b/arch/powerpc/lib/feature-fixups.c +@@ -55,7 +55,7 @@ static int patch_alt_instruction(unsigne + unsigned int *target = (unsigned int *)branch_target(src); + + /* Branch within the section doesn't need translating */ +- if (target < alt_start || target >= alt_end) { ++ if (target < alt_start || target > alt_end) { + instr = translate_branch(dest, src); + if (!instr) + return 1; diff --git a/queue-4.9/random-add-new-ioctl-rndreseedcrng.patch b/queue-4.9/random-add-new-ioctl-rndreseedcrng.patch new file mode 100644 index 00000000000..415dc98301b --- /dev/null +++ b/queue-4.9/random-add-new-ioctl-rndreseedcrng.patch @@ -0,0 +1,75 @@ +From d848e5f8e1ebdb227d045db55fe4f825e82965fa Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 11 Apr 2018 16:32:17 -0400 +Subject: random: add new ioctl RNDRESEEDCRNG + +From: Theodore Ts'o + +commit d848e5f8e1ebdb227d045db55fe4f825e82965fa upstream. + +Add a new ioctl which forces the the crng to be reseeded. + +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 13 ++++++++++++- + include/uapi/linux/random.h | 3 +++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -436,6 +436,7 @@ struct crng_state primary_crng = { + static int crng_init = 0; + #define crng_ready() (likely(crng_init > 1)) + static int crng_init_cnt = 0; ++static unsigned long crng_global_init_time = 0; + #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE) + static void _extract_crng(struct crng_state *crng, + __u8 out[CHACHA20_BLOCK_SIZE]); +@@ -874,7 +875,8 @@ static void _extract_crng(struct crng_st + unsigned long v, flags; + + if (crng_ready() && +- time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL)) ++ (time_after(crng_global_init_time, crng->init_time) || ++ time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL))) + crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL); + spin_lock_irqsave(&crng->lock, flags); + if (arch_get_random_long(&v)) +@@ -1689,6 +1691,7 @@ static int rand_initialize(void) + init_std_data(&input_pool); + init_std_data(&blocking_pool); + crng_initialize(&primary_crng); ++ crng_global_init_time = jiffies; + return 0; + } + early_initcall(rand_initialize); +@@ -1862,6 +1865,14 @@ static long random_ioctl(struct file *f, + input_pool.entropy_count = 0; + blocking_pool.entropy_count = 0; + return 0; ++ case RNDRESEEDCRNG: ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ if (crng_init < 2) ++ return -ENODATA; ++ crng_reseed(&primary_crng, NULL); ++ crng_global_init_time = jiffies - 1; ++ return 0; + default: + return -EINVAL; + } +--- a/include/uapi/linux/random.h ++++ b/include/uapi/linux/random.h +@@ -34,6 +34,9 @@ + /* Clear the entropy pool and associated counters. (Superuser only.) */ + #define RNDCLEARPOOL _IO( 'R', 0x06 ) + ++/* Reseed CRNG. (Superuser only.) */ ++#define RNDRESEEDCRNG _IO( 'R', 0x07 ) ++ + struct rand_pool_info { + int entropy_count; + int buf_size; diff --git a/queue-4.9/random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch b/queue-4.9/random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch new file mode 100644 index 00000000000..1ecea42e0ec --- /dev/null +++ b/queue-4.9/random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch @@ -0,0 +1,40 @@ +From 0bb29a849a6433b72e249eea7695477b02056e94 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 12 Apr 2018 00:50:45 -0400 +Subject: random: crng_reseed() should lock the crng instance that it is modifying + +From: Theodore Ts'o + +commit 0bb29a849a6433b72e249eea7695477b02056e94 upstream. + +Reported-by: Jann Horn +Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly...") +Cc: stable@kernel.org # 4.8+ +Signed-off-by: Theodore Ts'o +Reviewed-by: Jann Horn +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -836,7 +836,7 @@ static void crng_reseed(struct crng_stat + _crng_backtrack_protect(&primary_crng, buf.block, + CHACHA20_KEY_SIZE); + } +- spin_lock_irqsave(&primary_crng.lock, flags); ++ spin_lock_irqsave(&crng->lock, flags); + for (i = 0; i < 8; i++) { + unsigned long rv; + if (!arch_get_random_seed_long(&rv) && +@@ -853,7 +853,7 @@ static void crng_reseed(struct crng_stat + wake_up_interruptible(&crng_init_wait); + pr_notice("random: crng init done\n"); + } +- spin_unlock_irqrestore(&primary_crng.lock, flags); ++ spin_unlock_irqrestore(&crng->lock, flags); + } + + static inline void maybe_reseed_primary_crng(void) diff --git a/queue-4.9/random-fix-crng_ready-test.patch b/queue-4.9/random-fix-crng_ready-test.patch new file mode 100644 index 00000000000..1995f4546be --- /dev/null +++ b/queue-4.9/random-fix-crng_ready-test.patch @@ -0,0 +1,78 @@ +From 43838a23a05fbd13e47d750d3dfd77001536dd33 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 11 Apr 2018 13:27:52 -0400 +Subject: random: fix crng_ready() test + +From: Theodore Ts'o + +commit 43838a23a05fbd13e47d750d3dfd77001536dd33 upstream. + +The crng_init variable has three states: + +0: The CRNG is not initialized at all +1: The CRNG has a small amount of entropy, hopefully good enough for + early-boot, non-cryptographical use cases +2: The CRNG is fully initialized and we are sure it is safe for + cryptographic use cases. + +The crng_ready() function should only return true once we are in the +last state. This addresses CVE-2018-1108. + +Reported-by: Jann Horn +Fixes: e192be9d9a30 ("random: replace non-blocking pool...") +Cc: stable@kernel.org # 4.8+ +Signed-off-by: Theodore Ts'o +Reviewed-by: Jann Horn +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -434,7 +434,7 @@ struct crng_state primary_crng = { + * its value (from 0->1->2). + */ + static int crng_init = 0; +-#define crng_ready() (likely(crng_init > 0)) ++#define crng_ready() (likely(crng_init > 1)) + static int crng_init_cnt = 0; + #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE) + static void _extract_crng(struct crng_state *crng, +@@ -800,7 +800,7 @@ static int crng_fast_load(const char *cp + + if (!spin_trylock_irqsave(&primary_crng.lock, flags)) + return 0; +- if (crng_ready()) { ++ if (crng_init != 0) { + spin_unlock_irqrestore(&primary_crng.lock, flags); + return 0; + } +@@ -872,7 +872,7 @@ static void _extract_crng(struct crng_st + { + unsigned long v, flags; + +- if (crng_init > 1 && ++ if (crng_ready() && + time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL)) + crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL); + spin_lock_irqsave(&crng->lock, flags); +@@ -1153,7 +1153,7 @@ void add_interrupt_randomness(int irq, i + fast_mix(fast_pool); + add_interrupt_bench(cycles); + +- if (!crng_ready()) { ++ if (unlikely(crng_init == 0)) { + if ((fast_pool->count >= 64) && + crng_fast_load((char *) fast_pool->pool, + sizeof(fast_pool->pool))) { +@@ -2148,7 +2148,7 @@ void add_hwgenerator_randomness(const ch + { + struct entropy_store *poolp = &input_pool; + +- if (!crng_ready()) { ++ if (unlikely(crng_init == 0)) { + crng_fast_load(buffer, count); + return; + } diff --git a/queue-4.9/random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch b/queue-4.9/random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch new file mode 100644 index 00000000000..12e35d42406 --- /dev/null +++ b/queue-4.9/random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch @@ -0,0 +1,98 @@ +From 8ef35c866f8862df074a49a93b0309725812dea8 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 11 Apr 2018 15:23:56 -0400 +Subject: random: set up the NUMA crng instances after the CRNG is fully initialized + +From: Theodore Ts'o + +commit 8ef35c866f8862df074a49a93b0309725812dea8 upstream. + +Until the primary_crng is fully initialized, don't initialize the NUMA +crng nodes. Otherwise users of /dev/urandom on NUMA systems before +the CRNG is fully initialized can get very bad quality randomness. Of +course everyone should move to getrandom(2) where this won't be an +issue, but there's a lot of legacy code out there. This related to +CVE-2018-1108. + +Reported-by: Jann Horn +Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly...") +Cc: stable@kernel.org # 4.8+ +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 46 +++++++++++++++++++++++++++------------------- + 1 file changed, 27 insertions(+), 19 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -847,6 +847,7 @@ static void crng_reseed(struct crng_stat + memzero_explicit(&buf, sizeof(buf)); + crng->init_time = jiffies; + if (crng == &primary_crng && crng_init < 2) { ++ numa_crng_init(); + crng_init = 2; + process_random_ready_list(); + wake_up_interruptible(&crng_init_wait); +@@ -897,6 +898,32 @@ static void extract_crng(__u8 out[CHACHA + _extract_crng(crng, out); + } + ++#ifdef CONFIG_NUMA ++static void numa_crng_init(void) ++{ ++ int i; ++ struct crng_state *crng; ++ struct crng_state **pool; ++ ++ pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL); ++ for_each_online_node(i) { ++ crng = kmalloc_node(sizeof(struct crng_state), ++ GFP_KERNEL | __GFP_NOFAIL, i); ++ spin_lock_init(&crng->lock); ++ crng_initialize(crng); ++ pool[i] = crng; ++ } ++ mb(); ++ if (cmpxchg(&crng_node_pool, NULL, pool)) { ++ for_each_node(i) ++ kfree(pool[i]); ++ kfree(pool); ++ } ++} ++#else ++static void numa_crng_init(void) {} ++#endif ++ + /* + * Use the leftover bytes from the CRNG block output (if there is + * enough) to mutate the CRNG key to provide backtracking protection. +@@ -1659,28 +1686,9 @@ static void init_std_data(struct entropy + */ + static int rand_initialize(void) + { +-#ifdef CONFIG_NUMA +- int i; +- struct crng_state *crng; +- struct crng_state **pool; +-#endif +- + init_std_data(&input_pool); + init_std_data(&blocking_pool); + crng_initialize(&primary_crng); +- +-#ifdef CONFIG_NUMA +- pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL); +- for_each_online_node(i) { +- crng = kmalloc_node(sizeof(struct crng_state), +- GFP_KERNEL | __GFP_NOFAIL, i); +- spin_lock_init(&crng->lock); +- crng_initialize(crng); +- pool[i] = crng; +- } +- mb(); +- crng_node_pool = pool; +-#endif + return 0; + } + early_initcall(rand_initialize); diff --git a/queue-4.9/series b/queue-4.9/series index e2efe652ad5..12b9df58d5d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -68,3 +68,18 @@ drm-amdgpu-fix-always_valid-bos-multiple-lru-insertions.patch drm-amdgpu-fix-pcie-lane-width-calculation.patch drm-rockchip-clear-all-interrupts-before-requesting-the-irq.patch drm-radeon-fix-pcie-lane-width-calculation.patch +alsa-line6-use-correct-endpoint-type-for-midi-output.patch +alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch +alsa-hda-new-via-controller-suppor-no-snoop-path.patch +random-fix-crng_ready-test.patch +random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch +random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch +random-add-new-ioctl-rndreseedcrng.patch +hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch +mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch +mips-memset.s-eva-fault-support-for-small_memset.patch +mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch +mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch +powerpc-eeh-fix-enabling-bridge-mmio-windows.patch +powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch +udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch diff --git a/queue-4.9/udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch b/queue-4.9/udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch new file mode 100644 index 00000000000..c324f95d588 --- /dev/null +++ b/queue-4.9/udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch @@ -0,0 +1,50 @@ +From 44f06ba8297c7e9dfd0e49b40cbe119113cca094 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 12 Apr 2018 17:22:23 +0200 +Subject: udf: Fix leak of UTF-16 surrogates into encoded strings + +From: Jan Kara + +commit 44f06ba8297c7e9dfd0e49b40cbe119113cca094 upstream. + +OSTA UDF specification does not mention whether the CS0 charset in case +of two bytes per character encoding should be treated in UTF-16 or +UCS-2. The sample code in the standard does not treat UTF-16 surrogates +in any special way but on systems such as Windows which work in UTF-16 +internally, filenames would be treated as being in UTF-16 effectively. +In Linux it is more difficult to handle characters outside of Base +Multilingual plane (beyond 0xffff) as NLS framework works with 2-byte +characters only. Just make sure we don't leak UTF-16 surrogates into the +resulting string when loading names from the filesystem for now. + +CC: stable@vger.kernel.org # >= v4.6 +Reported-by: Mingye Wang +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/unicode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/udf/unicode.c ++++ b/fs/udf/unicode.c +@@ -28,6 +28,9 @@ + + #include "udf_sb.h" + ++#define SURROGATE_MASK 0xfffff800 ++#define SURROGATE_PAIR 0x0000d800 ++ + static int udf_uni2char_utf8(wchar_t uni, + unsigned char *out, + int boundlen) +@@ -37,6 +40,9 @@ static int udf_uni2char_utf8(wchar_t uni + if (boundlen <= 0) + return -ENAMETOOLONG; + ++ if ((uni & SURROGATE_MASK) == SURROGATE_PAIR) ++ return -EINVAL; ++ + if (uni < 0x80) { + out[u_len++] = (unsigned char)uni; + } else if (uni < 0x800) {