From: Greg Kroah-Hartman
Date: Thu, 23 Aug 2018 07:04:23 +0000 (+0200)
Subject: 4.17-stable patches
X-Git-Tag: v4.18.5~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f99ff3117c59e95c9332f3951048158461d89059;p=thirdparty%2Fkernel%2Fstable-queue.git

4.17-stable patches

added patches:
 i2c-core-acpi-properly-set-status-byte-to-0-for-multi-byte-writes.patch
 i2c-imx-fix-race-condition-in-dma-read.patch
 pci-acpi-pm-resume-all-bridges-on-suspend-to-ram.patch
 pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch
 pci-pciehp-fix-unprotected-list-iteration-in-irq-handler.patch
 pci-pciehp-fix-use-after-free-on-unplug.patch
 pci-restore-resized-bar-state-on-resume.patch
 pci-skip-mps-logic-for-virtual-functions-vfs.patch
 reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch
---
diff --git a/queue-4.17/i2c-core-acpi-properly-set-status-byte-to-0-for-multi-byte-writes.patch b/queue-4.17/i2c-core-acpi-properly-set-status-byte-to-0-for-multi-byte-writes.patch
new file mode 100644
index 00000000000..2c3ad8a40e6
--- /dev/null
+++ b/queue-4.17/i2c-core-acpi-properly-set-status-byte-to-0-for-multi-byte-writes.patch
@@ -0,0 +1,61 @@ +From c463a158cb6c5d9a85b7d894cd4f8116e8bd6be0 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 12 Aug 2018 12:53:20 +0200 +Subject: i2c: core: ACPI: Properly set status byte to 0 for multi-byte writes + +From: Hans de Goede + +commit c463a158cb6c5d9a85b7d894cd4f8116e8bd6be0 upstream. + +acpi_gsb_i2c_write_bytes() returns i2c_transfer()'s return value, which +is the number of transfers executed on success, so 1. + +The ACPI code expects us to store 0 in gsb->status for success, not 1. + +Specifically this breaks the following code in the Thinkpad 8 DSDT: + + ECWR = I2CW = ECWR /* \_SB_.I2C1.BAT0.ECWR */ + If ((ECST == Zero)) + { + ECRD = I2CR /* \_SB_.I2C1.I2CR */ + } + +Before this commit we set ECST to 1, causing the read to never happen +breaking battery monitoring on the Thinkpad 8. + +This commit makes acpi_gsb_i2c_write_bytes() return 0 when i2c_transfer() +returns 1, so the single write transfer completed successfully, and +makes it return -EIO on for other (unexpected) return values >= 0. + +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Acked-by: Mika Westerberg +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/i2c-core-acpi.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/i2c/i2c-core-acpi.c ++++ b/drivers/i2c/i2c-core-acpi.c +@@ -482,11 +482,16 @@ static int acpi_gsb_i2c_write_bytes(stru + msgs[0].buf = buffer; + + ret = i2c_transfer(client->adapter, msgs, ARRAY_SIZE(msgs)); +- if (ret < 0) +- dev_err(&client->adapter->dev, "i2c write failed\n"); + + kfree(buffer); +- return ret; ++ ++ if (ret < 0) { ++ dev_err(&client->adapter->dev, "i2c write failed: %d\n", ret); ++ return ret; ++ } ++ ++ /* 1 transfer must have completed successfully */ ++ return (ret == 1) ? 0 : -EIO; + } + + static acpi_status 
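Review bot: The new tail `return (ret == 1) ? 0 : -EIO;` maps an unexpected non-negative i2c_transfer() result (for instance 0, meaning no transfer completed) to -EIO without any log line, while the ret < 0 path in the same hunk now logs the value; add a dev_err() for that case too, e.g. `dev_err(&client->adapter->dev, "i2c write: unexpected transfer count %d\n", ret);` before the -EIO return, so an ACPI-side failure of this kind can be diagnosed from the log. Moving the error print after kfree(buffer) is fine, since the message does not use the buffer.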
diff --git a/queue-4.17/i2c-imx-fix-race-condition-in-dma-read.patch b/queue-4.17/i2c-imx-fix-race-condition-in-dma-read.patch new file mode 100644 index 00000000000..80bf225c8bb --- /dev/null +++ b/queue-4.17/i2c-imx-fix-race-condition-in-dma-read.patch 
@@ -0,0 +1,65 @@ +From bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 Mon Sep 17 00:00:00 2001 +From: Esben Haabendal +Date: Thu, 16 Aug 2018 10:43:12 +0200 +Subject: i2c: imx: Fix race condition in dma read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Esben Haabendal + +commit bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 upstream. + +This fixes a race condition, where the DMAEN bit ends up being set after +I2C slave has transmitted a byte following the dummy read. When that +happens, an interrupt is generated instead, and no DMA request is generated +to kickstart the DMA read, and a timeout happens after DMA_TIMEOUT (1 sec). + +Fixed by setting the DMAEN bit before the dummy read. + +Signed-off-by: Esben Haabendal +Acked-by: Uwe Kleine-König +Signed-off-by: Wolfram Sang +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-imx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/i2c/busses/i2c-imx.c ++++ b/drivers/i2c/busses/i2c-imx.c +@@ -677,9 +677,6 @@ static int i2c_imx_dma_read(struct imx_i + struct imx_i2c_dma *dma = i2c_imx->dma; + struct device *dev = &i2c_imx->adapter.dev; + +- temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR); +- temp |= I2CR_DMAEN; +- imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR); + + dma->chan_using = dma->chan_rx; + dma->dma_transfer_dir = DMA_DEV_TO_MEM; +@@ -792,6 +789,7 @@ static int i2c_imx_read(struct imx_i2c_s + int i, result; + unsigned int temp; + int block_data = msgs->flags & I2C_M_RECV_LEN; ++ int use_dma = i2c_imx->dma && msgs->len >= DMA_THRESHOLD && !block_data; + + dev_dbg(&i2c_imx->adapter.dev, + "<%s> write slave address: addr=0x%x\n", +@@ -818,12 +816,14 @@ static int i2c_imx_read(struct imx_i2c_s + */ + if ((msgs->len - 1) || block_data) + temp &= ~I2CR_TXAK; ++ if (use_dma) ++ temp |= I2CR_DMAEN; + imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR); + imx_i2c_read_reg(i2c_imx, IMX_I2C_I2DR); /* dummy read */ + 
+ dev_dbg(&i2c_imx->adapter.dev, "<%s> read data\n", __func__); + +- if (i2c_imx->dma && msgs->len >= DMA_THRESHOLD && !block_data) ++ if (use_dma) + return i2c_imx_dma_read(i2c_imx, msgs, is_lastmsg); + + /* read data */ diff --git a/queue-4.17/pci-acpi-pm-resume-all-bridges-on-suspend-to-ram.patch b/queue-4.17/pci-acpi-pm-resume-all-bridges-on-suspend-to-ram.patch new file mode 100644 index 00000000000..331767d3409 --- /dev/null +++ b/queue-4.17/pci-acpi-pm-resume-all-bridges-on-suspend-to-ram.patch 
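Review bot: In the first hunk the three removed DMAEN lines sat between two blank lines, so i2c_imx_dma_read() is left with two consecutive blank lines after the `struct device *dev` declaration; drop one. Also check whether `temp` is still used elsewhere in i2c_imx_dma_read() now that the read-modify-write of IMX_I2C_I2CR is gone from it, otherwise the declaration will warn as unused. Introducing `use_dma` in i2c_imx_read() and testing it both where I2CR_DMAEN is set and at the `if (use_dma)` dispatch is the right way to keep the two decisions from drifting apart.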
@@ -0,0 +1,66 @@ +From 9d64b539b738fc181442caab95f1f76d9bd58539 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Thu, 16 Aug 2018 12:56:46 +0200 +Subject: PCI / ACPI / PM: Resume all bridges on suspend-to-RAM + +From: Rafael J. Wysocki + +commit 9d64b539b738fc181442caab95f1f76d9bd58539 upstream. + +Commit 26112ddc254c (PCI / ACPI / PM: Resume bridges w/o drivers on +suspend-to-RAM) attempted to fix a functional regression resulting +from commit c62ec4610c40 (PM / core: Fix direct_complete handling +for devices with no callbacks) by resuming PCI bridges without +drivers (that is, "parallel PCI" ones) during system-wide suspend if +the target system state is not ACPI S0 (working state). + +That turns out insufficient, however, as it is reported that, at +least in one case, the platform firmware gets confused if a PCIe +root port is suspended before entering the ACPI S3 sleep state. +That issue was exposed by commit 77b3729ca03 (PCI / PM: Use +SMART_SUSPEND and LEAVE_SUSPENDED flags for PCIe ports) that allowed +PCIe ports to stay in runtime suspend during system-wide suspend +(which is OK for suspend-to-idle, but turns out to be problematic +otherwise). + +For this reason, drop the driver check from acpi_pci_need_resume() +and resume all bridges (including PCIe ports with drivers) during +system-wide suspend if the target system state is not ACPI S0. + +[If the target system state is ACPI S0, it means suspend-to-idle + and the platform firmware is not going to be invoked to actually + suspend the system, so there is no need to resume the bridges in + that case.] + +Fixes: 77b3729ca03 (PCI / PM: Use SMART_SUSPEND and LEAVE_SUSPENDED flags for PCIe ports) +Link: https://bugzilla.kernel.org/show_bug.cgi?id=200675 +Reported-by: teika kazura +Tested-by: teika kazura +Reviewed-by: Mika Westerberg +Acked-by: Bjorn Helgaas +Cc: 4.16+ # 4.16+: 26112ddc254c (PCI / ACPI / PM: Resume bridges ...) +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci-acpi.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -601,13 +601,11 @@ static bool acpi_pci_need_resume(struct + /* + * In some cases (eg. Samsung 305V4A) leaving a bridge in suspend over + * system-wide suspend/resume confuses the platform firmware, so avoid +- * doing that, unless the bridge has a driver that should take care of +- * the PM handling. According to Section 16.1.6 of ACPI 6.2, endpoint ++ * doing that. According to Section 16.1.6 of ACPI 6.2, endpoint + * devices are expected to be in D3 before invoking the S3 entry path + * from the firmware, so they should not be affected by this issue. + */ +- if (pci_is_bridge(dev) && !dev->driver && +- acpi_target_system_state() != ACPI_STATE_S0) ++ if (pci_is_bridge(dev) && acpi_target_system_state() != ACPI_STATE_S0) + return true; + + if (!adev || !acpi_device_power_manageable(adev)) diff --git a/queue-4.17/pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch b/queue-4.17/pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch new file mode 100644 index 00000000000..c8d1429b465 --- /dev/null +++ b/queue-4.17/pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch 
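Review bot: The comment in this hunk still names only the Samsung 305V4A case, but the reason the `!dev->driver` test is dropped is the PCIe root port case from the commit message (bugzilla 200675), where a port that does have a driver also confuses the platform firmware; add a sentence to the comment stating that bridges with drivers are deliberately included, otherwise a future reader will reintroduce the driver check as an optimisation. The resulting condition, `pci_is_bridge(dev) && acpi_target_system_state() != ACPI_STATE_S0`, matches the behaviour the commit message describes.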
@@ -0,0 +1,48 @@ +From 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 19 Jul 2018 17:27:31 -0500 +Subject: PCI: hotplug: Don't leak pci_slot on registration failure + +From: Lukas Wunner + +commit 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 upstream. + +If addition of sysfs files fails on registration of a hotplug slot, the +struct pci_slot as well as the entry in the slot_list is leaked. The +issue has been present since the hotplug core was introduced in 2002: +https://git.kernel.org/tglx/history/c/a8a2069f432c + +Perhaps the idea was that even though sysfs addition fails, the slot +should still be usable. But that's not how drivers use the interface, +they abort probe if a non-zero value is returned. + +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v2.4.15+ +Cc: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/hotplug/pci_hotplug_core.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/pci/hotplug/pci_hotplug_core.c ++++ b/drivers/pci/hotplug/pci_hotplug_core.c +@@ -438,8 +438,17 @@ int __pci_hp_register(struct hotplug_slo + list_add(&slot->slot_list, &pci_hotplug_slot_list); + + result = fs_add_slot(pci_slot); ++ if (result) ++ goto err_list_del; ++ + kobject_uevent(&pci_slot->kobj, KOBJ_ADD); + dbg("Added slot %s to the list\n", name); ++ goto out; ++ ++err_list_del: ++ list_del(&slot->slot_list); ++ pci_slot->hotplug = NULL; ++ pci_destroy_slot(pci_slot); + out: + mutex_unlock(&pci_hp_mutex); + return result; diff --git a/queue-4.17/pci-pciehp-fix-unprotected-list-iteration-in-irq-handler.patch b/queue-4.17/pci-pciehp-fix-unprotected-list-iteration-in-irq-handler.patch new file mode 100644 index 00000000000..e0e0aada2e1 --- /dev/null +++ b/queue-4.17/pci-pciehp-fix-unprotected-list-iteration-in-irq-handler.patch 
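Review bot: The new `err_list_del` path unlinks the slot, clears `pci_slot->hotplug` and calls `pci_destroy_slot(pci_slot)`, but nothing removes sysfs files that `fs_add_slot()` may have created before it failed; if fs_add_slot() does not clean up after itself on partial failure, an `fs_remove_slot(pci_slot)` is needed before pci_destroy_slot(). The `goto out` added after the `dbg("Added slot ...")` line only exists to jump over the error label, which is acceptable but worth a glance: the unlock in `out:` is now reached from both paths, so `result` must already hold the fs_add_slot() error there, which it does.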
@@ -0,0 +1,64 @@ +From 1204e35bedf4e5015cda559ed8c84789a6dae24e Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 19 Jul 2018 17:27:34 -0500 +Subject: PCI: pciehp: Fix unprotected list iteration in IRQ handler + +From: Lukas Wunner + +commit 1204e35bedf4e5015cda559ed8c84789a6dae24e upstream. + +Commit b440bde74f04 ("PCI: Add pci_ignore_hotplug() to ignore hotplug +events for a device") iterates over the devices on a hotplug port's +subordinate bus in pciehp's IRQ handler without acquiring pci_bus_sem. +It is thus possible for a user to cause a crash by concurrently +manipulating the device list, e.g. by disabling slot power via sysfs +on a different CPU or by initiating a remove/rescan via sysfs. + +This can't be fixed by acquiring pci_bus_sem because it may sleep. +The simplest fix is to avoid the list iteration altogether and just +check the ignore_hotplug flag on the port itself. This works because +pci_ignore_hotplug() sets the flag both on the device as well as on its +parent bridge. + +We do lose the ability to print the name of the device blocking hotplug +in the debug message, but that's probably bearable. 
+ +Fixes: b440bde74f04 ("PCI: Add pci_ignore_hotplug() to ignore hotplug events for a device") +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/hotplug/pciehp_hpc.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -545,8 +545,6 @@ static irqreturn_t pciehp_isr(int irq, v + { + struct controller *ctrl = (struct controller *)dev_id; + struct pci_dev *pdev = ctrl_dev(ctrl); +- struct pci_bus *subordinate = pdev->subordinate; +- struct pci_dev *dev; + struct slot *slot = ctrl->slot; + u16 status, events; + u8 present; +@@ -594,14 +592,9 @@ static irqreturn_t pciehp_isr(int irq, v + wake_up(&ctrl->queue); + } + +- if (subordinate) { +- list_for_each_entry(dev, &subordinate->devices, bus_list) { +- if (dev->ignore_hotplug) { +- ctrl_dbg(ctrl, "ignoring hotplug event %#06x (%s requested no hotplug)\n", +- events, pci_name(dev)); +- return IRQ_HANDLED; +- } +- } ++ if (pdev->ignore_hotplug) { ++ ctrl_dbg(ctrl, "ignoring hotplug event %#06x\n", events); ++ return IRQ_HANDLED; + } + + /* Check Attention Button Pressed */ diff --git a/queue-4.17/pci-pciehp-fix-use-after-free-on-unplug.patch b/queue-4.17/pci-pciehp-fix-use-after-free-on-unplug.patch new file mode 100644 index 00000000000..48a94ff5be8 --- /dev/null +++ b/queue-4.17/pci-pciehp-fix-use-after-free-on-unplug.patch 
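Review bot: The replacement test `if (pdev->ignore_hotplug)` is correct only because pci_ignore_hotplug() sets the flag on the parent bridge as well as on the endpoint, as the commit message states; put that in a one-line comment above the check so nobody later turns it back into a walk of `subordinate->devices`, which is exactly the unprotected iteration this hunk removes. The debug message now cannot name the device that requested no hotplug; since `pdev` is the port itself and not a member of the unprotected list, printing `pci_name(pdev)` here would be safe if you want the port identified in the log.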
@@ -0,0 +1,106 @@ +From 281e878eab191cce4259abbbf1a0322e3adae02c Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 19 Jul 2018 17:27:32 -0500 +Subject: PCI: pciehp: Fix use-after-free on unplug + +From: Lukas Wunner + +commit 281e878eab191cce4259abbbf1a0322e3adae02c upstream. + +When pciehp is unbound (e.g. on unplug of a Thunderbolt device), the +hotplug_slot struct is deregistered and thus freed before freeing the +IRQ. The IRQ handler and the work items it schedules print the slot +name referenced from the freed structure in various informational and +debug log messages, each time resulting in a quadruple dereference of +freed pointers (hotplug_slot -> pci_slot -> kobject -> name). + +At best the slot name is logged as "(null)", at worst kernel memory is +exposed in logs or the driver crashes: + + pciehp 0000:10:00.0:pcie204: Slot((null)): Card not present + +An attacker may provoke the bug by unplugging multiple devices on a +Thunderbolt daisy chain at once. Unplugging can also be simulated by +powering down slots via sysfs. The bug is particularly easy to trigger +in poll mode. + +It has been present since the driver's introduction in 2004: +https://git.kernel.org/tglx/history/c/c16b4b14d980 + +Fix by rearranging teardown such that the IRQ is freed first. Run the +work items queued by the IRQ handler to completion before freeing the +hotplug_slot struct by draining the work queue from the ->release_slot +callback which is invoked by pci_hp_deregister(). 
+ +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v2.6.4 +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/hotplug/pciehp.h | 1 + + drivers/pci/hotplug/pciehp_core.c | 7 +++++++ + drivers/pci/hotplug/pciehp_hpc.c | 5 ++--- + 3 files changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/pci/hotplug/pciehp.h ++++ b/drivers/pci/hotplug/pciehp.h +@@ -119,6 +119,7 @@ int pciehp_unconfigure_device(struct slo + void pciehp_queue_pushbutton_work(struct work_struct *work); + struct controller *pcie_init(struct pcie_device *dev); + int pcie_init_notification(struct controller *ctrl); ++void pcie_shutdown_notification(struct controller *ctrl); + int pciehp_enable_slot(struct slot *p_slot); + int pciehp_disable_slot(struct slot *p_slot); + void pcie_reenable_notification(struct controller *ctrl); +--- a/drivers/pci/hotplug/pciehp_core.c ++++ b/drivers/pci/hotplug/pciehp_core.c +@@ -62,6 +62,12 @@ static int reset_slot(struct hotplug_slo + */ + static void release_slot(struct hotplug_slot *hotplug_slot) + { ++ struct slot *slot = hotplug_slot->private; ++ ++ /* queued work needs hotplug_slot name */ ++ cancel_delayed_work(&slot->work); ++ drain_workqueue(slot->wq); ++ + kfree(hotplug_slot->ops); + kfree(hotplug_slot->info); + kfree(hotplug_slot); +@@ -264,6 +270,7 @@ static void pciehp_remove(struct pcie_de + { + struct controller *ctrl = get_service_data(dev); + ++ pcie_shutdown_notification(ctrl); + cleanup_slot(ctrl); + pciehp_release_ctrl(ctrl); + } +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -771,7 +771,7 @@ int pcie_init_notification(struct contro + return 0; + } + +-static void pcie_shutdown_notification(struct controller *ctrl) ++void pcie_shutdown_notification(struct controller *ctrl) + { + if (ctrl->notification_enabled) { + pcie_disable_notification(ctrl); +@@ -806,7 +806,7 @@ abort: + static void pcie_cleanup_slot(struct controller *ctrl) + { + struct slot *slot = ctrl->slot; 
+- cancel_delayed_work(&slot->work); ++ + destroy_workqueue(slot->wq); + kfree(slot); + } +@@ -898,7 +898,6 @@ abort: + + void pciehp_release_ctrl(struct controller *ctrl) + { +- pcie_shutdown_notification(ctrl); + pcie_cleanup_slot(ctrl); + kfree(ctrl); + } diff --git a/queue-4.17/pci-restore-resized-bar-state-on-resume.patch b/queue-4.17/pci-restore-resized-bar-state-on-resume.patch new file mode 100644 index 00000000000..225a2eec9e0 --- /dev/null +++ b/queue-4.17/pci-restore-resized-bar-state-on-resume.patch 
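Review bot: In the release_slot() hunk, `cancel_delayed_work(&slot->work)` does not wait for a handler that is already running; the following `drain_workqueue(slot->wq)` covers that only if slot->work is queued on slot->wq rather than on a system workqueue, which the patch does not show. If it is not, use cancel_delayed_work_sync() here. In the pcie_cleanup_slot() hunk the removed cancel_delayed_work() line is replaced by an empty `+` line, leaving a stray blank line before `destroy_workqueue(slot->wq)`; drop it. The reordering in pciehp_remove(), pcie_shutdown_notification() before cleanup_slot(), is what actually closes the window, since per the commit message the IRQ is gone before the hotplug_slot is deregistered.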
@@ -0,0 +1,70 @@ +From d3252ace0bc652a1a244455556b6a549f969bf99 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Fri, 29 Jun 2018 19:54:55 -0500 +Subject: PCI: Restore resized BAR state on resume +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +commit d3252ace0bc652a1a244455556b6a549f969bf99 upstream. + +Resize BARs after resume to the expected size again. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199959 +Fixes: d6895ad39f3b ("drm/amdgpu: resize VRAM BAR for CPU access v6") +Fixes: 276b738deb5b ("PCI: Add resizable BAR infrastructure") +Signed-off-by: Christian König +Signed-off-by: Bjorn Helgaas +CC: stable@vger.kernel.org # v4.15+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1163,6 +1163,33 @@ static void pci_restore_config_space(str + } + } + ++static void pci_restore_rebar_state(struct pci_dev *pdev) ++{ ++ unsigned int pos, nbars, i; ++ u32 ctrl; ++ ++ pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_REBAR); ++ if (!pos) ++ return; ++ ++ pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl); ++ nbars = (ctrl & PCI_REBAR_CTRL_NBAR_MASK) >> ++ PCI_REBAR_CTRL_NBAR_SHIFT; ++ ++ for (i = 0; i < nbars; i++, pos += 8) { ++ struct resource *res; ++ int bar_idx, size; ++ ++ pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl); ++ bar_idx = ctrl & PCI_REBAR_CTRL_BAR_IDX; ++ res = pdev->resource + bar_idx; ++ size = order_base_2((resource_size(res) >> 20) | 1) - 1; ++ ctrl &= ~PCI_REBAR_CTRL_BAR_SIZE; ++ ctrl |= size << 8; ++ pci_write_config_dword(pdev, pos + PCI_REBAR_CTRL, ctrl); ++ } ++} ++ + /** + * pci_restore_state - Restore the saved state of a PCI device + * @dev: - PCI device that we're dealing with +@@ -1178,6 +1205,7 @@ void pci_restore_state(struct pci_dev *d + pci_restore_pri_state(dev); + 
pci_restore_ats_state(dev); + pci_restore_vc_state(dev); ++ pci_restore_rebar_state(dev); + + pci_cleanup_aer_error_status_regs(dev); + diff --git a/queue-4.17/pci-skip-mps-logic-for-virtual-functions-vfs.patch b/queue-4.17/pci-skip-mps-logic-for-virtual-functions-vfs.patch new file mode 100644 index 00000000000..ee07343e48a --- /dev/null +++ b/queue-4.17/pci-skip-mps-logic-for-virtual-functions-vfs.patch 
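Review bot: The size computation in pci_restore_rebar_state(), `size = order_base_2((resource_size(res) >> 20) | 1) - 1;`, yields -1 for a 1 MiB BAR (resource_size >> 20 is 1, order_base_2(1) is 0) and likewise for any BAR smaller than 1 MiB or with no resource assigned; `ctrl |= size << 8` then in practice ORs 0xffffff00 into the control register, setting every bit from 8 upward including the reserved ones, when the encoding for 1 MiB should be 0. Clamp the result to at least 0, or skip BARs whose resource is not assigned, before writing. Also prefer a named shift for the size field over the bare `<< 8`, to match the PCI_REBAR_CTRL_* symbols used on the neighbouring lines.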
@@ -0,0 +1,51 @@ +From 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 Mon Sep 17 00:00:00 2001 +From: Myron Stowe +Date: Mon, 13 Aug 2018 12:19:39 -0600 +Subject: PCI: Skip MPS logic for Virtual Functions (VFs) + +From: Myron Stowe + +commit 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 upstream. + +PCIe r4.0, sec 9.3.5.4, "Device Control Register", shows both +Max_Payload_Size (MPS) and Max_Read_request_Size (MRRS) to be 'RsvdP' for +VFs. Just prior to the table it states: + + "PF and VF functionality is defined in Section 7.5.3.4 except where + noted in Table 9-16. For VF fields marked 'RsvdP', the PF setting + applies to the VF." + +All of which implies that with respect to Max_Payload_Size Supported +(MPSS), MPS, and MRRS values, we should not be paying any attention to the +VF's fields, but rather only to the PF's. Only looking at the PF's fields +also logically makes sense as it's the sole physical interface to the PCIe +bus. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527 +Fixes: 27d868b5e6cf ("PCI: Set MPS to match upstream bridge") +Signed-off-by: Myron Stowe +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # 4.3+ +Cc: Keith Busch +Cc: Sinan Kaya +Cc: Dongdong Liu +Cc: Jon Mason +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/probe.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1677,6 +1677,10 @@ static void pci_configure_mps(struct pci + if (!pci_is_pcie(dev) || !bridge || !pci_is_pcie(bridge)) + return; + ++ /* MPS and MRRS fields are of type 'RsvdP' for VFs, short-circuit out */ ++ if (dev->is_virtfn) ++ return; ++ + mps = pcie_get_mps(dev); + p_mps = pcie_get_mps(bridge); + diff --git a/queue-4.17/reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch b/queue-4.17/reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch new file mode 100644 index 00000000000..13c389028cd --- /dev/null 
+++ b/queue-4.17/reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch 
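Review bot: The `dev->is_virtfn` early return is placed after the `!pci_is_pcie(dev) || !bridge || !pci_is_pcie(bridge)` test; since it is the cheapest condition and applies regardless of the upstream bridge, move it to the top of pci_configure_mps() so the intent reads first and the bridge lookup is skipped for VFs. The comment could also cite the spec reference given in the commit message (PCIe r4.0, sec 9.3.5.4) so the RsvdP justification is visible at the code rather than only in git history.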
@@ -0,0 +1,59 @@ +From a13f085d111e90469faf2d9965eb39b11c114d7e Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 21 Aug 2018 21:59:37 -0700 +Subject: reiserfs: fix broken xattr handling (heap corruption, bad retval) + +From: Jann Horn + +commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream. + +This fixes the following issues: + +- When a buffer size is supplied to reiserfs_listxattr() such that each + individual name fits, but the concatenation of all names doesn't fit, + reiserfs_listxattr() overflows the supplied buffer. This leads to a + kernel heap overflow (verified using KASAN) followed by an out-of-bounds + usercopy and is therefore a security bug. + +- When a buffer size is supplied to reiserfs_listxattr() such that a + name doesn't fit, -ERANGE should be returned. But reiserfs instead just + truncates the list of names; I have verified that if the only xattr on a + file has a longer name than the supplied buffer length, listxattr() + incorrectly returns zero. + +With my patch applied, -ERANGE is returned in both cases and the memory +corruption doesn't happen anymore. + +Credit for making me clean this code up a bit goes to Al Viro, who pointed +out that the ->actor calling convention is suboptimal and should be +changed. 
+ +Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com +Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers") +Signed-off-by: Jann Horn +Acked-by: Jeff Mahoney +Cc: Eric Biggers +Cc: Al Viro +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/xattr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/reiserfs/xattr.c ++++ b/fs/reiserfs/xattr.c +@@ -792,8 +792,10 @@ static int listxattr_filler(struct dir_c + return 0; + size = namelen + 1; + if (b->buf) { +- if (size > b->size) ++ if (b->pos + size > b->size) { ++ b->pos = -ERANGE; + return -ERANGE; ++ } + memcpy(b->buf + b->pos, name, namelen); + b->buf[b->pos + namelen] = 0; + } diff --git a/queue-4.17/series b/queue-4.17/series index 93eec85dea7..d79dcc7631d 100644 --- a/queue-4.17/series +++ b/queue-4.17/series @@ -314,3 +314,12 @@ xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch net-smc-no-shutdown-in-state-smc_listen.patch +pci-restore-resized-bar-state-on-resume.patch +pci-acpi-pm-resume-all-bridges-on-suspend-to-ram.patch +pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch +pci-skip-mps-logic-for-virtual-functions-vfs.patch +pci-pciehp-fix-use-after-free-on-unplug.patch +pci-pciehp-fix-unprotected-list-iteration-in-irq-handler.patch +i2c-core-acpi-properly-set-status-byte-to-0-for-multi-byte-writes.patch +i2c-imx-fix-race-condition-in-dma-read.patch +reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch
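Review bot: The actor now stores `b->pos = -ERANGE` as a side channel for the caller, but the hunk does not show reiserfs_listxattr() checking `b->pos` for a negative value after the directory walk, and the diffstat lists only these three insertions in fs/reiserfs/xattr.c; confirm that the caller already propagates a negative `b->pos`, otherwise the -ERANGE returned from the actor may be swallowed by the iteration and the truncating behaviour the commit message describes persists. Storing an errno in a field that is otherwise a byte offset is fragile; a dedicated `err` member in the filler context would be clearer. The corrected bound `b->pos + size > b->size` is right, and the size-query path (`b->buf == NULL`) is unaffected by the change.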