From 291973ade249160699986defeaaa45217e9e3951 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 8 Oct 2019 09:56:02 +0200 Subject: [PATCH] 4.14-stable patches added patches: asoc-define-a-set-of-dapm-pre-post-up-events.patch can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch crypto-caam-fix-concurrency-issue-in-givencrypt-descriptor.patch crypto-cavium-zip-add-missing-single_release.patch crypto-qat-silence-smp_processor_id-warning.patch crypto-skcipher-unmap-pages-after-an-external-error.patch kvm-nvmx-handle-page-fault-in-vmread-fix.patch kvm-ppc-book3s-hv-don-t-lose-pending-doorbell-request-on-migration-on-p9.patch kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op.patch mips-treat-loongson-extensions-as-ases.patch pm-devfreq-tegra-fix-khz-to-hz-conversion.patch powerpc-powernv-restrict-opal-symbol-map-to-only-be-readable-by-root.patch s390-cio-avoid-calling-strlen-on-null-pointer.patch s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check.patch s390-process-avoid-potential-reading-of-freed-stack.patch s390-topology-avoid-firing-events-before-kobjs-are-created.patch timer-read-jiffies-once-when-forwarding-base-clk.patch tools-lib-traceevent-fix-robust-test-of-do_generate_dynamic_list_file.patch usercopy-avoid-highmem-pfn-warning.patch --- ...ine-a-set-of-dapm-pre-post-up-events.patch | 36 ++++++ ..._reset-allow-more-time-after-a-reset.patch | 57 +++++++++ ...rency-issue-in-givencrypt-descriptor.patch | 95 ++++++++++++++ ...avium-zip-add-missing-single_release.patch | 48 +++++++ ...qat-silence-smp_processor_id-warning.patch | 68 ++++++++++ ...-unmap-pages-after-an-external-error.patch | 121 ++++++++++++++++++ ...nvmx-handle-page-fault-in-vmread-fix.patch | 60 +++++++++ ...-doorbell-request-on-migration-on-p9.patch | 52 ++++++++ ...and-size-at-the-start-of-s390_mem_op.patch | 50 ++++++++ ...ps-treat-loongson-extensions-as-ases.patch | 107 ++++++++++++++++ ...vfreq-tegra-fix-khz-to-hz-conversion.patch | 75 +++++++++++ ...mbol-map-to-only-be-readable-by-root.patch | 54 ++++++++ 
...avoid-calling-strlen-on-null-pointer.patch | 55 ++++++++ ...els-with-no-parent-from-pseudo-check.patch | 54 ++++++++ ...oid-potential-reading-of-freed-stack.patch | 62 +++++++++ ...ring-events-before-kobjs-are-created.patch | 61 +++++++++ queue-4.14/series | 19 +++ ...iffies-once-when-forwarding-base-clk.patch | 75 +++++++++++ ...est-of-do_generate_dynamic_list_file.patch | 55 ++++++++ .../usercopy-avoid-highmem-pfn-warning.patch | 88 +++++++++++++ 20 files changed, 1292 insertions(+) create mode 100644 queue-4.14/asoc-define-a-set-of-dapm-pre-post-up-events.patch create mode 100644 queue-4.14/can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch create mode 100644 queue-4.14/crypto-caam-fix-concurrency-issue-in-givencrypt-descriptor.patch create mode 100644 queue-4.14/crypto-cavium-zip-add-missing-single_release.patch create mode 100644 queue-4.14/crypto-qat-silence-smp_processor_id-warning.patch create mode 100644 queue-4.14/crypto-skcipher-unmap-pages-after-an-external-error.patch create mode 100644 queue-4.14/kvm-nvmx-handle-page-fault-in-vmread-fix.patch create mode 100644 queue-4.14/kvm-ppc-book3s-hv-don-t-lose-pending-doorbell-request-on-migration-on-p9.patch create mode 100644 queue-4.14/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op.patch create mode 100644 queue-4.14/mips-treat-loongson-extensions-as-ases.patch create mode 100644 queue-4.14/pm-devfreq-tegra-fix-khz-to-hz-conversion.patch create mode 100644 queue-4.14/powerpc-powernv-restrict-opal-symbol-map-to-only-be-readable-by-root.patch create mode 100644 queue-4.14/s390-cio-avoid-calling-strlen-on-null-pointer.patch create mode 100644 queue-4.14/s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check.patch create mode 100644 queue-4.14/s390-process-avoid-potential-reading-of-freed-stack.patch create mode 100644 queue-4.14/s390-topology-avoid-firing-events-before-kobjs-are-created.patch create mode 100644 queue-4.14/series create mode 100644 
queue-4.14/timer-read-jiffies-once-when-forwarding-base-clk.patch create mode 100644 queue-4.14/tools-lib-traceevent-fix-robust-test-of-do_generate_dynamic_list_file.patch create mode 100644 queue-4.14/usercopy-avoid-highmem-pfn-warning.patch diff --git a/queue-4.14/asoc-define-a-set-of-dapm-pre-post-up-events.patch b/queue-4.14/asoc-define-a-set-of-dapm-pre-post-up-events.patch new file mode 100644 index 00000000000..918a56f7500 --- /dev/null +++ b/queue-4.14/asoc-define-a-set-of-dapm-pre-post-up-events.patch @@ -0,0 +1,36 @@ +From cfc8f568aada98f9608a0a62511ca18d647613e2 Mon Sep 17 00:00:00 2001 +From: Oleksandr Suvorov +Date: Fri, 19 Jul 2019 10:05:30 +0000 +Subject: ASoC: Define a set of DAPM pre/post-up events + +From: Oleksandr Suvorov + +commit cfc8f568aada98f9608a0a62511ca18d647613e2 upstream. + +Prepare to use SND_SOC_DAPM_PRE_POST_PMU definition to +reduce coming code size and make it more readable. + +Cc: stable@vger.kernel.org +Signed-off-by: Oleksandr Suvorov +Reviewed-by: Marcel Ziswiler +Reviewed-by: Igor Opaniuk +Reviewed-by: Fabio Estevam +Link: https://lore.kernel.org/r/20190719100524.23300-2-oleksandr.suvorov@toradex.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/sound/soc-dapm.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/sound/soc-dapm.h ++++ b/include/sound/soc-dapm.h +@@ -349,6 +349,8 @@ struct device; + #define SND_SOC_DAPM_WILL_PMD 0x80 /* called at start of sequence */ + #define SND_SOC_DAPM_PRE_POST_PMD \ + (SND_SOC_DAPM_PRE_PMD | SND_SOC_DAPM_POST_PMD) ++#define SND_SOC_DAPM_PRE_POST_PMU \ ++ (SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMU) + + /* convenience event type detection */ + #define SND_SOC_DAPM_EVENT_ON(e) \ diff --git a/queue-4.14/can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch b/queue-4.14/can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch new file mode 100644 index 00000000000..48af9488572 --- /dev/null 
+++ b/queue-4.14/can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch
@@ -0,0 +1,57 @@
+From d84ea2123f8d27144e3f4d58cd88c9c6ddc799de Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Tue, 13 Aug 2019 16:01:02 +0200
+Subject: can: mcp251x: mcp251x_hw_reset(): allow more time after a reset
+
+From: Marc Kleine-Budde
+
+commit d84ea2123f8d27144e3f4d58cd88c9c6ddc799de upstream.
+
+Some boards take longer than 5ms to power up after a reset, so allow
+some retries attempts before giving up.
+
+Fixes: ff06d611a31c ("can: mcp251x: Improve mcp251x_hw_reset()")
+Cc: linux-stable
+Tested-by: Sean Nyekjaer
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/spi/mcp251x.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -627,7 +627,7 @@ static int mcp251x_setup(struct net_devi
+ static int mcp251x_hw_reset(struct spi_device *spi)
+ {
+ struct mcp251x_priv *priv = spi_get_drvdata(spi);
+- u8 reg;
++ unsigned long timeout;
+ int ret;
+
+ /* Wait for oscillator startup timer after power up */
+@@ -641,10 +641,19 @@ static int mcp251x_hw_reset(struct spi_d
+ /* Wait for oscillator startup timer after reset */
+ mdelay(MCP251X_OST_DELAY_MS);
+
+- reg = mcp251x_read_reg(spi, CANSTAT);
+- if ((reg & CANCTRL_REQOP_MASK) != CANCTRL_REQOP_CONF)
+- return -ENODEV;
+-
++ /* Wait for reset to finish */
++ timeout = jiffies + HZ;
++ while ((mcp251x_read_reg(spi, CANSTAT) & CANCTRL_REQOP_MASK) !=
++ CANCTRL_REQOP_CONF) {
++ usleep_range(MCP251X_OST_DELAY_MS * 1000,
++ MCP251X_OST_DELAY_MS * 1000 * 2);
++
++ if (time_after(jiffies, timeout)) {
++ dev_err(&spi->dev,
++ "MCP251x didn't enter in conf mode after reset\n");
++ return -EBUSY;
++ }
++ }
+ return 0;
+ }
+
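Review bot: In the new wait loop of mcp251x_hw_reset(), the `time_after(jiffies, timeout)` test runs right after `usleep_range()` and before CANSTAT is read again, so a controller that reaches configuration mode during the final sleep is still reported as failed with -EBUSY. Reading the register once more after the deadline, or ordering the loop so the mode check is the last step before giving up, avoids that spurious failure. The error code also changes from -ENODEV to -EBUSY; the callers are outside the hunk, so it is worth confirming that none of them tests for -ENODEV. The one-second budget `jiffies + HZ` would read better as a named constant next to MCP251X_OST_DELAY_MS.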
diff --git a/queue-4.14/crypto-caam-fix-concurrency-issue-in-givencrypt-descriptor.patch b/queue-4.14/crypto-caam-fix-concurrency-issue-in-givencrypt-descriptor.patch
new file mode 100644
index 00000000000..3b7be1266da
--- /dev/null
+++ b/queue-4.14/crypto-caam-fix-concurrency-issue-in-givencrypt-descriptor.patch
@@ -0,0 +1,95 @@ +From 48f89d2a2920166c35b1c0b69917dbb0390ebec7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Tue, 30 Jul 2019 08:48:33 +0300 +Subject: crypto: caam - fix concurrency issue in givencrypt descriptor +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit 48f89d2a2920166c35b1c0b69917dbb0390ebec7 upstream. + +IV transfer from ofifo to class2 (set up at [29][30]) is not guaranteed +to be scheduled before the data transfer from ofifo to external memory +(set up at [38]: + +[29] 10FA0004 ld: ind-nfifo (len=4) imm +[30] 81F00010 class2 type=msg len=16> +[31] 14820004 ld: ccb2-datasz len=4 offs=0 imm +[32] 00000010 data:0x00000010 +[33] 8210010D operation: cls1-op aes cbc init-final enc +[34] A8080B04 math: (seqin + math0)->vseqout len=4 +[35] 28000010 seqfifold: skip len=16 +[36] A8080A04 math: (seqin + math0)->vseqin len=4 +[37] 2F1E0000 seqfifold: both msg1->2-last2-last1 len=vseqinsz +[38] 69300000 seqfifostr: msg len=vseqoutsz +[39] 5C20000C seqstr: ccb2 ctx len=12 offs=0 + +If ofifo -> external memory transfer happens first, DECO will hang +(issuing a Watchdog Timeout error, if WDOG is enabled) waiting for +data availability in ofifo for the ofifo -> c2 ififo transfer. + +Make sure IV transfer happens first by waiting for all CAAM internal +transfers to end before starting payload transfer. + +New descriptor with jump command inserted at [37]: + +[..] +[36] A8080A04 math: (seqin + math0)->vseqin len=4 +[37] A1000401 jump: jsl1 all-match[!nfifopend] offset=[01] local->[38] +[38] 2F1E0000 seqfifold: both msg1->2-last2-last1 len=vseqinsz +[39] 69300000 seqfifostr: msg len=vseqoutsz +[40] 5C20000C seqstr: ccb2 ctx len=12 offs=0 + +[Note: the issue is present in the descriptor from the very beginning +(cf. Fixes tag). However I've marked it v4.19+ since it's the oldest +maintained kernel that the patch applies clean against.] 
+ +Cc: # v4.19+ +Fixes: 1acebad3d8db8 ("crypto: caam - faster aead implementation") +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamalg_desc.c | 9 +++++++++ + drivers/crypto/caam/caamalg_desc.h | 2 +- + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/caam/caamalg_desc.c ++++ b/drivers/crypto/caam/caamalg_desc.c +@@ -476,6 +476,7 @@ void cnstr_shdsc_aead_givencap(u32 * con + const bool is_qi) + { + u32 geniv, moveiv; ++ u32 *wait_cmd; + + /* Note: Context registers are saved. */ + init_sh_desc_key_aead(desc, cdata, adata, is_rfc3686, nonce); +@@ -566,6 +567,14 @@ copy_iv: + + /* Will read cryptlen */ + append_math_add(desc, VARSEQINLEN, SEQINLEN, REG0, CAAM_CMD_SZ); ++ ++ /* ++ * Wait for IV transfer (ofifo -> class2) to finish before starting ++ * ciphertext transfer (ofifo -> external memory). ++ */ ++ wait_cmd = append_jump(desc, JUMP_JSL | JUMP_TEST_ALL | JUMP_COND_NIFP); ++ set_jump_tgt_here(desc, wait_cmd); ++ + append_seq_fifo_load(desc, 0, FIFOLD_CLASS_BOTH | KEY_VLF | + FIFOLD_TYPE_MSG1OUT2 | FIFOLD_TYPE_LASTBOTH); + append_seq_fifo_store(desc, 0, FIFOST_TYPE_MESSAGE_DATA | KEY_VLF); +--- a/drivers/crypto/caam/caamalg_desc.h ++++ b/drivers/crypto/caam/caamalg_desc.h +@@ -12,7 +12,7 @@ + #define DESC_AEAD_BASE (4 * CAAM_CMD_SZ) + #define DESC_AEAD_ENC_LEN (DESC_AEAD_BASE + 11 * CAAM_CMD_SZ) + #define DESC_AEAD_DEC_LEN (DESC_AEAD_BASE + 15 * CAAM_CMD_SZ) +-#define DESC_AEAD_GIVENC_LEN (DESC_AEAD_ENC_LEN + 7 * CAAM_CMD_SZ) ++#define DESC_AEAD_GIVENC_LEN (DESC_AEAD_ENC_LEN + 8 * CAAM_CMD_SZ) + #define DESC_QI_AEAD_ENC_LEN (DESC_AEAD_ENC_LEN + 3 * CAAM_CMD_SZ) + #define DESC_QI_AEAD_DEC_LEN (DESC_AEAD_DEC_LEN + 3 * CAAM_CMD_SZ) + #define DESC_QI_AEAD_GIVENC_LEN (DESC_AEAD_GIVENC_LEN + 3 * CAAM_CMD_SZ) 
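Review bot: The commit message of this queued patch says the fix was tagged `v4.19+` because that is the oldest kernel it applies cleanly against, yet the file is added under queue-4.14, so the backport needs a check that the 4.14 givencrypt descriptor has the same command count. `DESC_AEAD_GIVENC_LEN` grows from `7 * CAAM_CMD_SZ` to `8 * CAAM_CMD_SZ` to cover the one added jump; if the 4.14 version of cnstr_shdsc_aead_givencap() appends a different number of commands (its body is only partly visible here), the constant would no longer match the descriptor that is built. A short comment on the define, such as `/* +1: jump that waits for the IV transfer before the payload transfer */`, would keep the number tied to the code it counts.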
diff --git a/queue-4.14/crypto-cavium-zip-add-missing-single_release.patch b/queue-4.14/crypto-cavium-zip-add-missing-single_release.patch
new file mode 100644
index 00000000000..87de1a3b2f9
--- /dev/null
+++ b/queue-4.14/crypto-cavium-zip-add-missing-single_release.patch
@@ -0,0 +1,48 @@
+From c552ffb5c93d9d65aaf34f5f001c4e7e8484ced1 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun
+Date: Wed, 4 Sep 2019 14:18:09 +0000
+Subject: crypto: cavium/zip - Add missing single_release()
+
+From: Wei Yongjun
+
+commit c552ffb5c93d9d65aaf34f5f001c4e7e8484ced1 upstream.
+
+When using single_open() for opening, single_release() should be
+used instead of seq_release(), otherwise there is a memory leak.
+
+Fixes: 09ae5d37e093 ("crypto: zip - Add Compression/Decompression statistics")
+Cc:
+Signed-off-by: Wei Yongjun
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/cavium/zip/zip_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/crypto/cavium/zip/zip_main.c
++++ b/drivers/crypto/cavium/zip/zip_main.c
+@@ -595,6 +595,7 @@ static const struct file_operations zip_
+ .owner = THIS_MODULE,
+ .open = zip_stats_open,
+ .read = seq_read,
++ .release = single_release,
+ };
+
+ static int zip_clear_open(struct inode *inode, struct file *file)
+@@ -606,6 +607,7 @@ static const struct file_operations zip_
+ .owner = THIS_MODULE,
+ .open = zip_clear_open,
+ .read = seq_read,
++ .release = single_release,
+ };
+
+ static int zip_regs_open(struct inode *inode, struct file *file)
+@@ -617,6 +619,7 @@ static const struct file_operations zip_
+ .owner = THIS_MODULE,
+ .open = zip_regs_open,
+ .read = seq_read,
++ .release = single_release,
+ };
+
+ /* Root directory for thunderx_zip debugfs entry */
diff --git a/queue-4.14/crypto-qat-silence-smp_processor_id-warning.patch b/queue-4.14/crypto-qat-silence-smp_processor_id-warning.patch
new file mode 100644
index 00000000000..569785b995c
--- /dev/null
+++ b/queue-4.14/crypto-qat-silence-smp_processor_id-warning.patch 
@@ -0,0 +1,68 @@ +From 1b82feb6c5e1996513d0fb0bbb475417088b4954 Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Tue, 23 Jul 2019 07:24:01 +0000 +Subject: crypto: qat - Silence smp_processor_id() warning + +From: Alexander Sverdlin + +commit 1b82feb6c5e1996513d0fb0bbb475417088b4954 upstream. + +It seems that smp_processor_id() is only used for a best-effort +load-balancing, refer to qat_crypto_get_instance_node(). It's not feasible +to disable preemption for the duration of the crypto requests. Therefore, +just silence the warning. This commit is similar to e7a9b05ca4 +("crypto: cavium - Fix smp_processor_id() warnings"). + +Silences the following splat: +BUG: using smp_processor_id() in preemptible [00000000] code: cryptomgr_test/2904 +caller is qat_alg_ablkcipher_setkey+0x300/0x4a0 [intel_qat] +CPU: 1 PID: 2904 Comm: cryptomgr_test Tainted: P O 4.14.69 #1 +... +Call Trace: + dump_stack+0x5f/0x86 + check_preemption_disabled+0xd3/0xe0 + qat_alg_ablkcipher_setkey+0x300/0x4a0 [intel_qat] + skcipher_setkey_ablkcipher+0x2b/0x40 + __test_skcipher+0x1f3/0xb20 + ? cpumask_next_and+0x26/0x40 + ? find_busiest_group+0x10e/0x9d0 + ? preempt_count_add+0x49/0xa0 + ? try_module_get+0x61/0xf0 + ? crypto_mod_get+0x15/0x30 + ? __kmalloc+0x1df/0x1f0 + ? __crypto_alloc_tfm+0x116/0x180 + ? crypto_skcipher_init_tfm+0xa6/0x180 + ? crypto_create_tfm+0x4b/0xf0 + test_skcipher+0x21/0xa0 + alg_test_skcipher+0x3f/0xa0 + alg_test.part.6+0x126/0x2a0 + ? finish_task_switch+0x21b/0x260 + ? __schedule+0x1e9/0x800 + ? __wake_up_common+0x8d/0x140 + cryptomgr_test+0x40/0x50 + kthread+0xff/0x130 + ? cryptomgr_notify+0x540/0x540 + ? 
kthread_create_on_node+0x70/0x70 + ret_from_fork+0x24/0x50 + +Fixes: ed8ccaef52 ("crypto: qat - Add support for SRIOV") +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Sverdlin +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/qat/qat_common/adf_common_drv.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/qat/qat_common/adf_common_drv.h ++++ b/drivers/crypto/qat/qat_common/adf_common_drv.h +@@ -95,7 +95,7 @@ struct service_hndl { + + static inline int get_current_node(void) + { +- return topology_physical_package_id(smp_processor_id()); ++ return topology_physical_package_id(raw_smp_processor_id()); + } + + int adf_service_register(struct service_hndl *service); diff --git a/queue-4.14/crypto-skcipher-unmap-pages-after-an-external-error.patch b/queue-4.14/crypto-skcipher-unmap-pages-after-an-external-error.patch new file mode 100644 index 00000000000..9f84d712b1a --- /dev/null +++ b/queue-4.14/crypto-skcipher-unmap-pages-after-an-external-error.patch 
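Review bot: The switch to `raw_smp_processor_id()` in get_current_node() leaves no trace in the code of why an unchecked CPU read is acceptable here; that reasoning exists only in the commit message. A comment above the return, for example `/* Best-effort node hint for instance selection; the task may migrate right after this read, so preemption is intentionally not disabled. */`, would stop a later reader from reverting it or from reusing the helper where a stable CPU id matters. The commit message itself hedges ("It seems that smp_processor_id() is only used for a best-effort load-balancing"), so the callers of get_current_node(), which are outside this hunk, deserve a quick look to confirm none relies on the value staying valid.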
@@ -0,0 +1,121 @@ +From 0ba3c026e685573bd3534c17e27da7c505ac99c4 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Fri, 6 Sep 2019 13:13:06 +1000 +Subject: crypto: skcipher - Unmap pages after an external error + +From: Herbert Xu + +commit 0ba3c026e685573bd3534c17e27da7c505ac99c4 upstream. + +skcipher_walk_done may be called with an error by internal or +external callers. For those internal callers we shouldn't unmap +pages but for external callers we must unmap any pages that are +in use. + +This patch distinguishes between the two cases by checking whether +walk->nbytes is zero or not. For internal callers, we now set +walk->nbytes to zero prior to the call. For external callers, +walk->nbytes has always been non-zero (as zero is used to indicate +the termination of a walk). + +Reported-by: Ard Biesheuvel +Fixes: 5cde0af2a982 ("[CRYPTO] cipher: Added block cipher type") +Cc: +Signed-off-by: Herbert Xu +Tested-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/skcipher.c | 42 +++++++++++++++++++++++------------------- + 1 file changed, 23 insertions(+), 19 deletions(-) + +--- a/crypto/skcipher.c ++++ b/crypto/skcipher.c +@@ -95,7 +95,7 @@ static inline u8 *skcipher_get_spot(u8 * + return max(start, end_page); + } + +-static void skcipher_done_slow(struct skcipher_walk *walk, unsigned int bsize) ++static int skcipher_done_slow(struct skcipher_walk *walk, unsigned int bsize) + { + u8 *addr; + +@@ -103,19 +103,21 @@ static void skcipher_done_slow(struct sk + addr = skcipher_get_spot(addr, bsize); + scatterwalk_copychunks(addr, &walk->out, bsize, + (walk->flags & SKCIPHER_WALK_PHYS) ? 
2 : 1); ++ return 0; + } + + int skcipher_walk_done(struct skcipher_walk *walk, int err) + { +- unsigned int n; /* bytes processed */ +- bool more; ++ unsigned int n = walk->nbytes; ++ unsigned int nbytes = 0; + +- if (unlikely(err < 0)) ++ if (!n) + goto finish; + +- n = walk->nbytes - err; +- walk->total -= n; +- more = (walk->total != 0); ++ if (likely(err >= 0)) { ++ n -= err; ++ nbytes = walk->total - n; ++ } + + if (likely(!(walk->flags & (SKCIPHER_WALK_PHYS | + SKCIPHER_WALK_SLOW | +@@ -131,7 +133,7 @@ unmap_src: + memcpy(walk->dst.virt.addr, walk->page, n); + skcipher_unmap_dst(walk); + } else if (unlikely(walk->flags & SKCIPHER_WALK_SLOW)) { +- if (err) { ++ if (err > 0) { + /* + * Didn't process all bytes. Either the algorithm is + * broken, or this was the last step and it turned out +@@ -139,27 +141,29 @@ unmap_src: + * the algorithm requires it. + */ + err = -EINVAL; +- goto finish; +- } +- skcipher_done_slow(walk, n); +- goto already_advanced; ++ nbytes = 0; ++ } else ++ n = skcipher_done_slow(walk, n); + } + ++ if (err > 0) ++ err = 0; ++ ++ walk->total = nbytes; ++ walk->nbytes = 0; ++ + scatterwalk_advance(&walk->in, n); + scatterwalk_advance(&walk->out, n); +-already_advanced: +- scatterwalk_done(&walk->in, 0, more); +- scatterwalk_done(&walk->out, 1, more); ++ scatterwalk_done(&walk->in, 0, nbytes); ++ scatterwalk_done(&walk->out, 1, nbytes); + +- if (more) { ++ if (nbytes) { + crypto_yield(walk->flags & SKCIPHER_WALK_SLEEP ? + CRYPTO_TFM_REQ_MAY_SLEEP : 0); + return skcipher_walk_next(walk); + } +- err = 0; +-finish: +- walk->nbytes = 0; + ++finish: + /* Short-circuit for the common/fast path. */ + if (!((unsigned long)walk->buffer | (unsigned long)walk->page)) + goto out; diff --git a/queue-4.14/kvm-nvmx-handle-page-fault-in-vmread-fix.patch b/queue-4.14/kvm-nvmx-handle-page-fault-in-vmread-fix.patch new file mode 100644 index 00000000000..9e27e4f0d04 --- /dev/null +++ b/queue-4.14/kvm-nvmx-handle-page-fault-in-vmread-fix.patch 
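Review bot: In the SKCIPHER_WALK_SLOW branch of skcipher_walk_done(), `n = skcipher_done_slow(walk, n);` depends on the helper's new `return 0;` to zero `n` so that the following `scatterwalk_advance()` calls move by nothing; this replaces the removed `already_advanced` label but is not stated anywhere in the code. A one-line comment such as `/* skcipher_done_slow() has already advanced the walk; it returns 0 so the advance below is a no-op */` would make that explicit. The same branch ends in `} else` followed by an unbraced statement, whereas kernel style wants braces on both arms when one arm has them, i.e. `} else {` then the assignment then `}`. The function continues past the end of the hunk.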
@@ -0,0 +1,60 @@ +From jinpuwang@gmail.com Tue Oct 8 09:22:17 2019 +From: Jack Wang +Date: Mon, 7 Oct 2019 14:36:53 +0200 +Subject: KVM: nVMX: handle page fault in vmread fix +To: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org, pbonzini@redhat.com +Cc: Jack Wang +Message-ID: <20191007123653.17961-1-jinpuwang@gmail.com> + +From: Jack Wang + +During backport f7eea636c3d5 ("KVM: nVMX: handle page fault in vmread"), +there was a mistake the exception reference should be passed to function +kvm_write_guest_virt_system, instead of NULL, other wise, we will get +NULL pointer deref, eg + +kvm-unit-test triggered a NULL pointer deref below: +[ 948.518437] kvm [24114]: vcpu0, guest rIP: 0x407ef9 kvm_set_msr_common: MSR_IA32_DEBUGCTLMSR 0x3, nop +[ 949.106464] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +[ 949.106707] PGD 0 P4D 0 +[ 949.106872] Oops: 0002 [#1] SMP +[ 949.107038] CPU: 2 PID: 24126 Comm: qemu-2.7 Not tainted 4.19.77-pserver #4.19.77-1+feature+daily+update+20191005.1625+a4168bb~deb9 +[ 949.107283] Hardware name: Dell Inc. 
Precision Tower 3620/09WH54, BIOS 2.7.3 01/31/2018 +[ 949.107549] RIP: 0010:kvm_write_guest_virt_system+0x12/0x40 [kvm] +[ 949.107719] Code: c0 5d 41 5c 41 5d 41 5e 83 f8 03 41 0f 94 c0 41 c1 e0 02 e9 b0 ed ff ff 0f 1f 44 00 00 48 89 f0 c6 87 59 56 00 00 01 48 89 d6 <49> c7 00 00 00 00 00 89 ca 49 c7 40 08 00 00 00 00 49 c7 40 10 00 +[ 949.108044] RSP: 0018:ffffb31b0a953cb0 EFLAGS: 00010202 +[ 949.108216] RAX: 000000000046b4d8 RBX: ffff9e9f415b0000 RCX: 0000000000000008 +[ 949.108389] RDX: ffffb31b0a953cc0 RSI: ffffb31b0a953cc0 RDI: ffff9e9f415b0000 +[ 949.108562] RBP: 00000000d2e14928 R08: 0000000000000000 R09: 0000000000000000 +[ 949.108733] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffc8 +[ 949.108907] R13: 0000000000000002 R14: ffff9e9f4f26f2e8 R15: 0000000000000000 +[ 949.109079] FS: 00007eff8694c700(0000) GS:ffff9e9f51a80000(0000) knlGS:0000000031415928 +[ 949.109318] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 949.109495] CR2: 0000000000000000 CR3: 00000003be53b002 CR4: 00000000003626e0 +[ 949.109671] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 949.109845] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 949.110017] Call Trace: +[ 949.110186] handle_vmread+0x22b/0x2f0 [kvm_intel] +[ 949.110356] ? vmexit_fill_RSB+0xc/0x30 [kvm_intel] +[ 949.110549] kvm_arch_vcpu_ioctl_run+0xa98/0x1b30 [kvm] +[ 949.110725] ? kvm_vcpu_ioctl+0x388/0x5d0 [kvm] +[ 949.110901] kvm_vcpu_ioctl+0x388/0x5d0 [kvm] +[ 949.111072] do_vfs_ioctl+0xa2/0x620 + +Signed-off-by: Jack Wang +Acked-by: Paolo Bonzini +--- + arch/x86/kvm/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8026,7 +8026,7 @@ static int handle_vmread(struct kvm_vcpu + /* _system ok, nested_vmx_check_permission has verified cpl=0 */ + if (kvm_write_guest_virt_system(vcpu, gva, &field_value, + (is_long_mode(vcpu) ? 8 : 4), +- NULL)) ++ &e)) + kvm_inject_page_fault(vcpu, &e); + } + 
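Review bot: This corrects one call to kvm_write_guest_virt_system() in handle_vmread() that the earlier backport left passing `NULL` for the exception argument, but the hunk gives no way to tell whether that backport left other callers in the same state. The oops in the description faults inside kvm_write_guest_virt_system() itself, which suggests the callee writes through the pointer unconditionally, so any remaining `NULL` caller in this tree would hit the same host-side NULL dereference. Checking the other call sites in the 4.14 tree before release is worthwhile, and a one-line comment on the callee stating that `exception` must be non-NULL would prevent a repeat. The quoted trace is from 4.19.77; the `NULL` on the removed line indicates 4.14 carries the same mistake.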
diff --git a/queue-4.14/kvm-ppc-book3s-hv-don-t-lose-pending-doorbell-request-on-migration-on-p9.patch b/queue-4.14/kvm-ppc-book3s-hv-don-t-lose-pending-doorbell-request-on-migration-on-p9.patch
new file mode 100644
index 00000000000..f6aeb1e92a1
--- /dev/null
+++ b/queue-4.14/kvm-ppc-book3s-hv-don-t-lose-pending-doorbell-request-on-migration-on-p9.patch
@@ -0,0 +1,52 @@
+From ff42df49e75f053a8a6b4c2533100cdcc23afe69 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras
+Date: Tue, 27 Aug 2019 11:35:40 +1000
+Subject: KVM: PPC: Book3S HV: Don't lose pending doorbell request on migration on P9
+
+From: Paul Mackerras
+
+commit ff42df49e75f053a8a6b4c2533100cdcc23afe69 upstream.
+
+On POWER9, when userspace reads the value of the DPDES register on a
+vCPU, it is possible for 0 to be returned although there is a doorbell
+interrupt pending for the vCPU. This can lead to a doorbell interrupt
+being lost across migration. If the guest kernel uses doorbell
+interrupts for IPIs, then it could malfunction because of the lost
+interrupt.
+
+This happens because a newly-generated doorbell interrupt is signalled
+by setting vcpu->arch.doorbell_request to 1; the DPDES value in
+vcpu->arch.vcore->dpdes is not updated, because it can only be updated
+when holding the vcpu mutex, in order to avoid races.
+
+To fix this, we OR in vcpu->arch.doorbell_request when reading the
+DPDES value.
+
+Cc: stable@vger.kernel.org # v4.13+
+Fixes: 579006944e0d ("KVM: PPC: Book3S HV: Virtualize doorbell facility on POWER9")
+Signed-off-by: Paul Mackerras
+Tested-by: Alexey Kardashevskiy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kvm/book3s_hv.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -1356,7 +1356,14 @@ static int kvmppc_get_one_reg_hv(struct
+ *val = get_reg_val(id, vcpu->arch.pspb);
+ break;
+ case KVM_REG_PPC_DPDES:
+- *val = get_reg_val(id, vcpu->arch.vcore->dpdes);
++ /*
++ * On POWER9, where we are emulating msgsndp etc.,
++ * we return 1 bit for each vcpu, which can come from
++ * either vcore->dpdes or doorbell_request.
++ * On POWER8, doorbell_request is 0.
++ */
++ *val = get_reg_val(id, vcpu->arch.vcore->dpdes |
++ vcpu->arch.doorbell_request);
+ break;
+ case KVM_REG_PPC_VTB:
+ *val = get_reg_val(id, vcpu->arch.vcore->vtb);
diff --git a/queue-4.14/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op.patch b/queue-4.14/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op.patch
new file mode 100644
index 00000000000..42b203db71e
--- /dev/null
+++ b/queue-4.14/kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op.patch
@@ -0,0 +1,50 @@
+From a13b03bbb4575b350b46090af4dfd30e735aaed1 Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Thu, 29 Aug 2019 14:25:17 +0200
+Subject: KVM: s390: Test for bad access register and size at the start of S390_MEM_OP
+
+From: Thomas Huth
+
+commit a13b03bbb4575b350b46090af4dfd30e735aaed1 upstream.
+
+If the KVM_S390_MEM_OP ioctl is called with an access register >= 16,
+then there is certainly a bug in the calling userspace application.
+We check for wrong access registers, but only if the vCPU was already
+in the access register mode before (i.e. the SIE block has recorded
+it). The check is also buried somewhere deep in the calling chain (in
+the function ar_translation()), so this is somewhat hard to find.
+
+It's better to always report an error to the userspace in case this
+field is set wrong, and it's safer in the KVM code if we block wrong
+values here early instead of relying on a check somewhere deep down
+the calling chain, so let's add another check to kvm_s390_guest_mem_op()
+directly.
+
+We also should check that the "size" is non-zero here (thanks to Janosch
+Frank for the hint!). If we do not check the size, we could call vmalloc()
+with this 0 value, and this will cause a kernel warning.
+
+Signed-off-by: Thomas Huth
+Link: https://lkml.kernel.org/r/20190829122517.31042-1-thuth@redhat.com
+Reviewed-by: Cornelia Huck
+Reviewed-by: Janosch Frank
+Reviewed-by: David Hildenbrand
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Borntraeger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kvm/kvm-s390.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -3658,7 +3658,7 @@ static long kvm_s390_guest_mem_op(struct
+ const u64 supported_flags = KVM_S390_MEMOP_F_INJECT_EXCEPTION
+ | KVM_S390_MEMOP_F_CHECK_ONLY;
+
+- if (mop->flags & ~supported_flags)
++ if (mop->flags & ~supported_flags || mop->ar >= NUM_ACRS || !mop->size)
+ return -EINVAL;
+
+ if (mop->size > MEM_OP_MAX_SIZE)
diff --git a/queue-4.14/mips-treat-loongson-extensions-as-ases.patch b/queue-4.14/mips-treat-loongson-extensions-as-ases.patch
new file mode 100644
index 00000000000..85d97d726b2
--- /dev/null
+++ b/queue-4.14/mips-treat-loongson-extensions-as-ases.patch
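Review bot: The extended condition in kvm_s390_guest_mem_op() mixes `&` and `||` without parentheses: `mop->flags & ~supported_flags || mop->ar >= NUM_ACRS || !mop->size`. Precedence makes it evaluate as intended, but because all three fields come straight from the userspace ioctl argument the validation should be unambiguous at a glance, e.g. `if ((mop->flags & ~supported_flags) || mop->ar >= NUM_ACRS || !mop->size)`. A comment noting that a zero `size` is rejected because it would otherwise reach vmalloc(), as the commit message explains, would keep that reason next to the check. The function body extends beyond the hunk.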
@@ -0,0 +1,107 @@ +From d2f965549006acb865c4638f1f030ebcefdc71f6 Mon Sep 17 00:00:00 2001 +From: Jiaxun Yang +Date: Wed, 29 May 2019 16:42:59 +0800 +Subject: MIPS: Treat Loongson Extensions as ASEs + +From: Jiaxun Yang + +commit d2f965549006acb865c4638f1f030ebcefdc71f6 upstream. + +Recently, binutils had split Loongson-3 Extensions into four ASEs: +MMI, CAM, EXT, EXT2. This patch do the samething in kernel and expose +them in cpuinfo so applications can probe supported ASEs at runtime. + +Signed-off-by: Jiaxun Yang +Cc: Huacai Chen +Cc: Yunqiang Su +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Paul Burton +Cc: linux-mips@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/cpu-features.h | 16 ++++++++++++++++ + arch/mips/include/asm/cpu.h | 4 ++++ + arch/mips/kernel/cpu-probe.c | 6 ++++++ + arch/mips/kernel/proc.c | 4 ++++ + 4 files changed, 30 insertions(+) + +--- a/arch/mips/include/asm/cpu-features.h ++++ b/arch/mips/include/asm/cpu-features.h +@@ -348,6 +348,22 @@ + #define cpu_has_dsp3 (cpu_data[0].ases & MIPS_ASE_DSP3) + #endif + ++#ifndef cpu_has_loongson_mmi ++#define cpu_has_loongson_mmi __ase(MIPS_ASE_LOONGSON_MMI) ++#endif ++ ++#ifndef cpu_has_loongson_cam ++#define cpu_has_loongson_cam __ase(MIPS_ASE_LOONGSON_CAM) ++#endif ++ ++#ifndef cpu_has_loongson_ext ++#define cpu_has_loongson_ext __ase(MIPS_ASE_LOONGSON_EXT) ++#endif ++ ++#ifndef cpu_has_loongson_ext2 ++#define cpu_has_loongson_ext2 __ase(MIPS_ASE_LOONGSON_EXT2) ++#endif ++ + #ifndef cpu_has_mipsmt + #define cpu_has_mipsmt (cpu_data[0].ases & MIPS_ASE_MIPSMT) + #endif +--- a/arch/mips/include/asm/cpu.h ++++ b/arch/mips/include/asm/cpu.h +@@ -433,5 +433,9 @@ enum cpu_type_enum { + #define MIPS_ASE_MSA 0x00000100 /* MIPS SIMD Architecture */ + #define MIPS_ASE_DSP3 0x00000200 /* Signal Processing ASE Rev 3*/ + #define MIPS_ASE_MIPS16E2 0x00000400 /* MIPS16e2 */ ++#define MIPS_ASE_LOONGSON_MMI 0x00000800 /* Loongson MultiMedia extensions Instructions */ ++#define 
MIPS_ASE_LOONGSON_CAM 0x00001000 /* Loongson CAM */ ++#define MIPS_ASE_LOONGSON_EXT 0x00002000 /* Loongson EXTensions */ ++#define MIPS_ASE_LOONGSON_EXT2 0x00004000 /* Loongson EXTensions R2 */ + + #endif /* _ASM_CPU_H */ +--- a/arch/mips/kernel/cpu-probe.c ++++ b/arch/mips/kernel/cpu-probe.c +@@ -1478,6 +1478,8 @@ static inline void cpu_probe_legacy(stru + __cpu_name[cpu] = "ICT Loongson-3"; + set_elf_platform(cpu, "loongson3a"); + set_isa(c, MIPS_CPU_ISA_M64R1); ++ c->ases |= (MIPS_ASE_LOONGSON_MMI | MIPS_ASE_LOONGSON_CAM | ++ MIPS_ASE_LOONGSON_EXT); + break; + case PRID_REV_LOONGSON3B_R1: + case PRID_REV_LOONGSON3B_R2: +@@ -1485,6 +1487,8 @@ static inline void cpu_probe_legacy(stru + __cpu_name[cpu] = "ICT Loongson-3"; + set_elf_platform(cpu, "loongson3b"); + set_isa(c, MIPS_CPU_ISA_M64R1); ++ c->ases |= (MIPS_ASE_LOONGSON_MMI | MIPS_ASE_LOONGSON_CAM | ++ MIPS_ASE_LOONGSON_EXT); + break; + } + +@@ -1845,6 +1849,8 @@ static inline void cpu_probe_loongson(st + decode_configs(c); + c->options |= MIPS_CPU_FTLB | MIPS_CPU_TLBINV | MIPS_CPU_LDPTE; + c->writecombine = _CACHE_UNCACHED_ACCELERATED; ++ c->ases |= (MIPS_ASE_LOONGSON_MMI | MIPS_ASE_LOONGSON_CAM | ++ MIPS_ASE_LOONGSON_EXT | MIPS_ASE_LOONGSON_EXT2); + break; + default: + panic("Unknown Loongson Processor ID!"); +--- a/arch/mips/kernel/proc.c ++++ b/arch/mips/kernel/proc.c +@@ -124,6 +124,10 @@ static int show_cpuinfo(struct seq_file + if (cpu_has_eva) seq_printf(m, "%s", " eva"); + if (cpu_has_htw) seq_printf(m, "%s", " htw"); + if (cpu_has_xpa) seq_printf(m, "%s", " xpa"); ++ if (cpu_has_loongson_mmi) seq_printf(m, "%s", " loongson-mmi"); ++ if (cpu_has_loongson_cam) seq_printf(m, "%s", " loongson-cam"); ++ if (cpu_has_loongson_ext) seq_printf(m, "%s", " loongson-ext"); ++ if (cpu_has_loongson_ext2) seq_printf(m, "%s", " loongson-ext2"); + seq_printf(m, "\n"); + + if (cpu_has_mmips) { 
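Review bot: The four new `cpu_has_loongson_*` macros in cpu-features.h are written as `__ase(MIPS_ASE_LOONGSON_MMI)` and so on, while the context lines directly above and below them (`cpu_has_dsp3`, `cpu_has_mipsmt`) use the open-coded form `(cpu_data[0].ases & MIPS_ASE_DSP3)`. That suggests the `__ase()` helper may not exist in the 4.14 header; if it does not, the build breaks as soon as show_cpuinfo() in proc.c expands the new macros. Unless `__ase` is confirmed to be defined in this tree, the backport should follow the local form, e.g. `#define cpu_has_loongson_mmi (cpu_data[0].ases & MIPS_ASE_LOONGSON_MMI)`, and likewise for the `_cam`, `_ext` and `_ext2` variants.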
diff --git a/queue-4.14/pm-devfreq-tegra-fix-khz-to-hz-conversion.patch b/queue-4.14/pm-devfreq-tegra-fix-khz-to-hz-conversion.patch
new file mode 100644
index 00000000000..9f3e781da26
--- /dev/null
+++ b/queue-4.14/pm-devfreq-tegra-fix-khz-to-hz-conversion.patch
@@ -0,0 +1,75 @@ +From 62bacb06b9f08965c4ef10e17875450490c948c0 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Thu, 2 May 2019 02:38:00 +0300 +Subject: PM / devfreq: tegra: Fix kHz to Hz conversion + +From: Dmitry Osipenko + +commit 62bacb06b9f08965c4ef10e17875450490c948c0 upstream. + +The kHz to Hz is incorrectly converted in a few places in the code, +this results in a wrong frequency being calculated because devfreq core +uses OPP frequencies that are given in Hz to clamp the rate, while +tegra-devfreq gives to the core value in kHz and then it also expects to +receive value in kHz from the core. In a result memory freq is always set +to a value which is close to ULONG_MAX because of the bug. Hence the EMC +frequency is always capped to the maximum and the driver doesn't do +anything useful. This patch was tested on Tegra30 and Tegra124 SoC's, EMC +frequency scaling works properly now. + +Cc: # 4.14+ +Tested-by: Steev Klimaszewski +Reviewed-by: Chanwoo Choi +Signed-off-by: Dmitry Osipenko +Acked-by: Thierry Reding +Signed-off-by: MyungJoo Ham +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/devfreq/tegra-devfreq.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/drivers/devfreq/tegra-devfreq.c ++++ b/drivers/devfreq/tegra-devfreq.c +@@ -485,11 +485,11 @@ static int tegra_devfreq_target(struct d + { + struct tegra_devfreq *tegra = dev_get_drvdata(dev); + struct dev_pm_opp *opp; +- unsigned long rate = *freq * KHZ; ++ unsigned long rate; + +- opp = devfreq_recommended_opp(dev, &rate, flags); ++ opp = devfreq_recommended_opp(dev, freq, flags); + if (IS_ERR(opp)) { +- dev_err(dev, "Failed to find opp for %lu KHz\n", *freq); ++ dev_err(dev, "Failed to find opp for %lu Hz\n", *freq); + return PTR_ERR(opp); + } + rate = dev_pm_opp_get_freq(opp); +@@ -498,8 +498,6 @@ static int tegra_devfreq_target(struct d + clk_set_min_rate(tegra->emc_clock, rate); + clk_set_rate(tegra->emc_clock, 0); + +- *freq = rate; +- + return 0; + } + +@@ 
-509,7 +507,7 @@ static int tegra_devfreq_get_dev_status( + struct tegra_devfreq *tegra = dev_get_drvdata(dev); + struct tegra_devfreq_device *actmon_dev; + +- stat->current_frequency = tegra->cur_freq; ++ stat->current_frequency = tegra->cur_freq * KHZ; + + /* To be used by the tegra governor */ + stat->private_data = tegra; +@@ -564,7 +562,7 @@ static int tegra_governor_get_target(str + target_freq = max(target_freq, dev->target_freq); + } + +- *freq = target_freq; ++ *freq = target_freq * KHZ; + + return 0; + } diff --git a/queue-4.14/powerpc-powernv-restrict-opal-symbol-map-to-only-be-readable-by-root.patch b/queue-4.14/powerpc-powernv-restrict-opal-symbol-map-to-only-be-readable-by-root.patch new file mode 100644 index 00000000000..86d725d25ae --- /dev/null +++ b/queue-4.14/powerpc-powernv-restrict-opal-symbol-map-to-only-be-readable-by-root.patch 
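Review bot: In tegra_devfreq_target() the results of `clk_set_min_rate()` and `clk_set_rate()`, on the context lines after `dev_pm_opp_get_freq()`, are still discarded, so the function returns 0 even if the EMC clock refused the new rate. After this change `*freq` is left holding the OPP frequency that devfreq_recommended_opp() selected, so a failed clock update would let the devfreq core's recorded frequency drift from the hardware. I would propagate the error with a local `int err`, as in `err = clk_set_min_rate(tegra->emc_clock, rate); if (err) return err;`, and treat `clk_set_rate()` the same way. The function's signature is visible only in the hunk header.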
@@ -0,0 +1,54 @@ +From e7de4f7b64c23e503a8c42af98d56f2a7462bd6d Mon Sep 17 00:00:00 2001 +From: Andrew Donnellan +Date: Fri, 3 May 2019 17:52:53 +1000 +Subject: powerpc/powernv: Restrict OPAL symbol map to only be readable by root + +From: Andrew Donnellan + +commit e7de4f7b64c23e503a8c42af98d56f2a7462bd6d upstream. + +Currently the OPAL symbol map is globally readable, which seems bad as +it contains physical addresses. + +Restrict it to root. + +Fixes: c8742f85125d ("powerpc/powernv: Expose OPAL firmware symbol map") +Cc: stable@vger.kernel.org # v3.19+ +Suggested-by: Michael Ellerman +Signed-off-by: Andrew Donnellan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190503075253.22798-1-ajd@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/opal.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/platforms/powernv/opal.c ++++ b/arch/powerpc/platforms/powernv/opal.c +@@ -617,7 +617,10 @@ static ssize_t symbol_map_read(struct fi + bin_attr->size); + } + +-static BIN_ATTR_RO(symbol_map, 0); ++static struct bin_attribute symbol_map_attr = { ++ .attr = {.name = "symbol_map", .mode = 0400}, ++ .read = symbol_map_read ++}; + + static void opal_export_symmap(void) + { +@@ -634,10 +637,10 @@ static void opal_export_symmap(void) + return; + + /* Setup attributes */ +- bin_attr_symbol_map.private = __va(be64_to_cpu(syms[0])); +- bin_attr_symbol_map.size = be64_to_cpu(syms[1]); ++ symbol_map_attr.private = __va(be64_to_cpu(syms[0])); ++ symbol_map_attr.size = be64_to_cpu(syms[1]); + +- rc = sysfs_create_bin_file(opal_kobj, &bin_attr_symbol_map); ++ rc = sysfs_create_bin_file(opal_kobj, &symbol_map_attr); + if (rc) + pr_warn("Error %d creating OPAL symbols file\n", rc); + } diff --git a/queue-4.14/s390-cio-avoid-calling-strlen-on-null-pointer.patch b/queue-4.14/s390-cio-avoid-calling-strlen-on-null-pointer.patch new file mode 100644 index 00000000000..2407f59abd2 --- /dev/null 
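Review bot: The open-coded `symbol_map_attr` initializer does not say why it avoids `BIN_ATTR_RO`, so a later cleanup could switch back to the helper and make the file world-readable again. A comment above the struct would pin the intent, for example `/* 0400: the map exposes firmware physical addresses, keep it root-only */`. The restriction is a permission bit only; whether `symbol_map_read()` needs a check of its own cannot be judged here, because its body is outside the hunk.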
+++ b/queue-4.14/s390-cio-avoid-calling-strlen-on-null-pointer.patch @@ -0,0 +1,55 @@ +From ea298e6ee8b34b3ed4366be7eb799d0650ebe555 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Tue, 17 Sep 2019 20:04:04 +0200 +Subject: s390/cio: avoid calling strlen on null pointer + +From: Vasily Gorbik + +commit ea298e6ee8b34b3ed4366be7eb799d0650ebe555 upstream. + +Fix the following kasan finding: +BUG: KASAN: global-out-of-bounds in ccwgroup_create_dev+0x850/0x1140 +Read of size 1 at addr 0000000000000000 by task systemd-udevd.r/561 + +CPU: 30 PID: 561 Comm: systemd-udevd.r Tainted: G B +Hardware name: IBM 3906 M04 704 (LPAR) +Call Trace: +([<0000000231b3db7e>] show_stack+0x14e/0x1a8) + [<0000000233826410>] dump_stack+0x1d0/0x218 + [<000000023216fac4>] print_address_description+0x64/0x380 + [<000000023216f5a8>] __kasan_report+0x138/0x168 + [<00000002331b8378>] ccwgroup_create_dev+0x850/0x1140 + [<00000002332b618a>] group_store+0x3a/0x50 + [<00000002323ac706>] kernfs_fop_write+0x246/0x3b8 + [<00000002321d409a>] vfs_write+0x132/0x450 + [<00000002321d47da>] ksys_write+0x122/0x208 + [<0000000233877102>] system_call+0x2a6/0x2c8 + +Triggered by: +openat(AT_FDCWD, "/sys/bus/ccwgroup/drivers/qeth/group", + O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 16 +write(16, "0.0.bd00,0.0.bd01,0.0.bd02", 26) = 26 + +The problem is that __get_next_id in ccwgroup_create_dev might set "buf" +buffer pointer to NULL and explicit check for that is required. + +Cc: stable@vger.kernel.org +Reviewed-by: Sebastian Ott +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/ccwgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/cio/ccwgroup.c ++++ b/drivers/s390/cio/ccwgroup.c +@@ -369,7 +369,7 @@ int ccwgroup_create_dev(struct device *p + goto error; + } + /* Check for trailing stuff. */ +- if (i == num_devices && strlen(buf) > 0) { ++ if (i == num_devices && buf && strlen(buf) > 0) { + rc = -EINVAL; + goto error; + } 
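Review bot: The existing comment `/* Check for trailing stuff. */` above the changed condition no longer explains the whole test, because the new `buf &&` guards against `__get_next_id` leaving `buf` NULL, as the commit message describes. I would extend it to `/* Check for trailing stuff; buf is NULL once the input was fully consumed. */`, where "fully consumed" is my reading of the description, since `__get_next_id` is not in the hunk. Writing the test as `buf && *buf` would also express "non-empty" without walking the string. ccwgroup_create_dev() begins and ends outside this hunk.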
diff --git a/queue-4.14/s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check.patch b/queue-4.14/s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check.patch
new file mode 100644
index 00000000000..74d05a087d2
--- /dev/null
+++ b/queue-4.14/s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check.patch
@@ -0,0 +1,54 @@ +From ab5758848039de9a4b249d46e4ab591197eebaf2 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Thu, 19 Sep 2019 15:55:17 +0200 +Subject: s390/cio: exclude subchannels with no parent from pseudo check + +From: Vasily Gorbik + +commit ab5758848039de9a4b249d46e4ab591197eebaf2 upstream. + +ccw console is created early in start_kernel and used before css is +initialized or ccw console subchannel is registered. Until then console +subchannel does not have a parent. For that reason assume subchannels +with no parent are not pseudo subchannels. This fixes the following +kasan finding: + +BUG: KASAN: global-out-of-bounds in sch_is_pseudo_sch+0x8e/0x98 +Read of size 8 at addr 00000000000005e8 by task swapper/0/0 + +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.3.0-rc8-07370-g6ac43dd12538 #2 +Hardware name: IBM 2964 NC9 702 (z/VM 6.4.0) +Call Trace: +([<000000000012cd76>] show_stack+0x14e/0x1e0) + [<0000000001f7fb44>] dump_stack+0x1a4/0x1f8 + [<00000000007d7afc>] print_address_description+0x64/0x3c8 + [<00000000007d75f6>] __kasan_report+0x14e/0x180 + [<00000000018a2986>] sch_is_pseudo_sch+0x8e/0x98 + [<000000000189b950>] cio_enable_subchannel+0x1d0/0x510 + [<00000000018cac7c>] ccw_device_recognition+0x12c/0x188 + [<0000000002ceb1a8>] ccw_device_enable_console+0x138/0x340 + [<0000000002cf1cbe>] con3215_init+0x25e/0x300 + [<0000000002c8770a>] console_init+0x68a/0x9b8 + [<0000000002c6a3d6>] start_kernel+0x4fe/0x728 + [<0000000000100070>] startup_continue+0x70/0xd0 + +Cc: stable@vger.kernel.org +Reviewed-by: Sebastian Ott +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/css.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/s390/cio/css.c ++++ b/drivers/s390/cio/css.c +@@ -1178,6 +1178,8 @@ device_initcall(cio_settle_init); + + int sch_is_pseudo_sch(struct subchannel *sch) + { ++ if (!sch->dev.parent) ++ return 0; + return sch == to_css(sch->dev.parent)->pseudo_subchannel; + } + 
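Review bot: The new `if (!sch->dev.parent) return 0;` in sch_is_pseudo_sch() has no comment, and nothing in the function says which caller can pass a subchannel without a parent. The commit message gives the reason, so it should live next to the check, for example `/* The early ccw console subchannel has no parent until css is initialized; it is never a pseudo subchannel. */`. Without it the guard reads as a defensive NULL check that a later cleanup might remove.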
diff --git a/queue-4.14/s390-process-avoid-potential-reading-of-freed-stack.patch b/queue-4.14/s390-process-avoid-potential-reading-of-freed-stack.patch
new file mode 100644
index 00000000000..92a0abcb752
--- /dev/null
+++ b/queue-4.14/s390-process-avoid-potential-reading-of-freed-stack.patch
@@ -0,0 +1,62 @@ +From 8769f610fe6d473e5e8e221709c3ac402037da6c Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Tue, 13 Aug 2019 20:11:08 +0200 +Subject: s390/process: avoid potential reading of freed stack + +From: Vasily Gorbik + +commit 8769f610fe6d473e5e8e221709c3ac402037da6c upstream. + +With THREAD_INFO_IN_TASK (which is selected on s390) task's stack usage +is refcounted and should always be protected by get/put when touching +other task's stack to avoid race conditions with task's destruction code. + +Fixes: d5c352cdd022 ("s390: move thread_info into task_struct") +Cc: stable@vger.kernel.org # v4.10+ +Acked-by: Ilya Leoshkevich +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/process.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +--- a/arch/s390/kernel/process.c ++++ b/arch/s390/kernel/process.c +@@ -185,20 +185,30 @@ unsigned long get_wchan(struct task_stru + + if (!p || p == current || p->state == TASK_RUNNING || !task_stack_page(p)) + return 0; ++ ++ if (!try_get_task_stack(p)) ++ return 0; ++ + low = task_stack_page(p); + high = (struct stack_frame *) task_pt_regs(p); + sf = (struct stack_frame *) p->thread.ksp; +- if (sf <= low || sf > high) +- return 0; ++ if (sf <= low || sf > high) { ++ return_address = 0; ++ goto out; ++ } + for (count = 0; count < 16; count++) { + sf = (struct stack_frame *) sf->back_chain; +- if (sf <= low || sf > high) +- return 0; ++ if (sf <= low || sf > high) { ++ return_address = 0; ++ goto out; ++ } + return_address = sf->gprs[8]; + if (!in_sched_functions(return_address)) +- return return_address; ++ goto out; + } +- return 0; ++out: ++ put_task_stack(p); ++ return return_address; + } + + unsigned long arch_align_stack(unsigned long sp) 
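Review bot: When the loop in get_wchan() completes all 16 iterations without leaving the scheduler functions, control now falls into `out:` with `return_address` still holding the last `sf->gprs[8]`, whereas the removed `return 0;` reported no wait channel in that case. Adding `return_address = 0;` as the last statement before the `out:` label restores the old result and keeps the single `put_task_stack(p)` exit. The declaration of `return_address` and the start of the function are outside the hunk.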
diff --git a/queue-4.14/s390-topology-avoid-firing-events-before-kobjs-are-created.patch b/queue-4.14/s390-topology-avoid-firing-events-before-kobjs-are-created.patch
new file mode 100644
index 00000000000..5e2435d76f8
--- /dev/null
+++ b/queue-4.14/s390-topology-avoid-firing-events-before-kobjs-are-created.patch
@@ -0,0 +1,61 @@ +From f3122a79a1b0a113d3aea748e0ec26f2cb2889de Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Tue, 17 Sep 2019 22:59:03 +0200 +Subject: s390/topology: avoid firing events before kobjs are created + +From: Vasily Gorbik + +commit f3122a79a1b0a113d3aea748e0ec26f2cb2889de upstream. + +arch_update_cpu_topology is first called from: +kernel_init_freeable->sched_init_smp->sched_init_domains + +even before cpus has been registered in: +kernel_init_freeable->do_one_initcall->s390_smp_init + +Do not trigger kobject_uevent change events until cpu devices are +actually created. Fixes the following kasan findings: + +BUG: KASAN: global-out-of-bounds in kobject_uevent_env+0xb40/0xee0 +Read of size 8 at addr 0000000000000020 by task swapper/0/1 + +BUG: KASAN: global-out-of-bounds in kobject_uevent_env+0xb36/0xee0 +Read of size 8 at addr 0000000000000018 by task swapper/0/1 + +CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B +Hardware name: IBM 3906 M04 704 (LPAR) +Call Trace: +([<0000000143c6db7e>] show_stack+0x14e/0x1a8) + [<0000000145956498>] dump_stack+0x1d0/0x218 + [<000000014429fb4c>] print_address_description+0x64/0x380 + [<000000014429f630>] __kasan_report+0x138/0x168 + [<0000000145960b96>] kobject_uevent_env+0xb36/0xee0 + [<0000000143c7c47c>] arch_update_cpu_topology+0x104/0x108 + [<0000000143df9e22>] sched_init_domains+0x62/0xe8 + [<000000014644c94a>] sched_init_smp+0x3a/0xc0 + [<0000000146433a20>] kernel_init_freeable+0x558/0x958 + [<000000014599002a>] kernel_init+0x22/0x160 + [<00000001459a71d4>] ret_from_fork+0x28/0x30 + [<00000001459a71dc>] kernel_thread_starter+0x0/0x10 + +Cc: stable@vger.kernel.org +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/topology.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/s390/kernel/topology.c ++++ b/arch/s390/kernel/topology.c +@@ -300,7 +300,8 @@ int arch_update_cpu_topology(void) + rc = __arch_update_cpu_topology(); + 
for_each_online_cpu(cpu) { + dev = get_cpu_device(cpu); +- kobject_uevent(&dev->kobj, KOBJ_CHANGE); ++ if (dev) ++ kobject_uevent(&dev->kobj, KOBJ_CHANGE); + } + return rc; + } diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..5ed789cf33b --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,19 @@ +s390-process-avoid-potential-reading-of-freed-stack.patch +kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op.patch +s390-topology-avoid-firing-events-before-kobjs-are-created.patch +s390-cio-avoid-calling-strlen-on-null-pointer.patch +s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check.patch +kvm-ppc-book3s-hv-don-t-lose-pending-doorbell-request-on-migration-on-p9.patch +kvm-nvmx-handle-page-fault-in-vmread-fix.patch +pm-devfreq-tegra-fix-khz-to-hz-conversion.patch +asoc-define-a-set-of-dapm-pre-post-up-events.patch +powerpc-powernv-restrict-opal-symbol-map-to-only-be-readable-by-root.patch +can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch +tools-lib-traceevent-fix-robust-test-of-do_generate_dynamic_list_file.patch +crypto-qat-silence-smp_processor_id-warning.patch +crypto-skcipher-unmap-pages-after-an-external-error.patch +crypto-cavium-zip-add-missing-single_release.patch +crypto-caam-fix-concurrency-issue-in-givencrypt-descriptor.patch +mips-treat-loongson-extensions-as-ases.patch +usercopy-avoid-highmem-pfn-warning.patch +timer-read-jiffies-once-when-forwarding-base-clk.patch diff --git a/queue-4.14/timer-read-jiffies-once-when-forwarding-base-clk.patch b/queue-4.14/timer-read-jiffies-once-when-forwarding-base-clk.patch new file mode 100644 index 00000000000..27197308e46 --- /dev/null +++ b/queue-4.14/timer-read-jiffies-once-when-forwarding-base-clk.patch 
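Review bot: The `if (dev)` guard added inside `for_each_online_cpu()` in arch_update_cpu_topology() needs a why-comment, since an online CPU with no device looks like a bug rather than an expected boot-time state. Something like `/* cpu devices are not registered yet when this is first called from sched_init_domains() */` above the check would record the ordering the commit message describes. The change events skipped on that early call are not sent later by this code; whether anything depends on them cannot be seen from the hunk.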
@@ -0,0 +1,75 @@ +From e430d802d6a3aaf61bd3ed03d9404888a29b9bf9 Mon Sep 17 00:00:00 2001 +From: Li RongQing +Date: Thu, 19 Sep 2019 20:04:47 +0800 +Subject: timer: Read jiffies once when forwarding base clk + +From: Li RongQing + +commit e430d802d6a3aaf61bd3ed03d9404888a29b9bf9 upstream. + +The timer delayed for more than 3 seconds warning was triggered during +testing. + + Workqueue: events_unbound sched_tick_remote + RIP: 0010:sched_tick_remote+0xee/0x100 + ... + Call Trace: + process_one_work+0x18c/0x3a0 + worker_thread+0x30/0x380 + kthread+0x113/0x130 + ret_from_fork+0x22/0x40 + +The reason is that the code in collect_expired_timers() uses jiffies +unprotected: + + if (next_event > jiffies) + base->clk = jiffies; + +As the compiler is allowed to reload the value base->clk can advance +between the check and the store and in the worst case advance farther than +next event. That causes the timer expiry to be delayed until the wheel +pointer wraps around. + +Convert the code to use READ_ONCE() + +Fixes: 236968383cf5 ("timers: Optimize collect_expired_timers() for NOHZ") +Signed-off-by: Li RongQing +Signed-off-by: Liang ZhiCheng +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1568894687-14499-1-git-send-email-lirongqing@baidu.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/timer.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -1545,21 +1545,23 @@ void timer_clear_idle(void) + static int collect_expired_timers(struct timer_base *base, + struct hlist_head *heads) + { ++ unsigned long now = READ_ONCE(jiffies); ++ + /* + * NOHZ optimization. After a long idle sleep we need to forward the + * base to current jiffies. Avoid a loop by searching the bitfield for + * the next expiring timer. 
+ */ +- if ((long)(jiffies - base->clk) > 2) { ++ if ((long)(now - base->clk) > 2) { + unsigned long next = __next_timer_interrupt(base); + + /* + * If the next timer is ahead of time forward to current + * jiffies, otherwise forward to the next expiry time: + */ +- if (time_after(next, jiffies)) { ++ if (time_after(next, now)) { + /* The call site will increment clock! */ +- base->clk = jiffies - 1; ++ base->clk = now - 1; + return 0; + } + base->clk = next; diff --git a/queue-4.14/tools-lib-traceevent-fix-robust-test-of-do_generate_dynamic_list_file.patch b/queue-4.14/tools-lib-traceevent-fix-robust-test-of-do_generate_dynamic_list_file.patch new file mode 100644 index 00000000000..11af9d4aaa2 --- /dev/null +++ b/queue-4.14/tools-lib-traceevent-fix-robust-test-of-do_generate_dynamic_list_file.patch 
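Review bot: The new `unsigned long now = READ_ONCE(jiffies);` at the top of collect_expired_timers() would benefit from a why-comment, because nothing in the code says that the single read is load-bearing. A line such as `/* Read jiffies once: a reload between the comparison and the store could push base->clk past the next expiry. */` would keep a later edit from reintroducing a direct `jiffies` use in this function. The function continues past the end of the hunk.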
@@ -0,0 +1,55 @@ +From 82a2f88458d70704be843961e10b5cef9a6e95d3 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Mon, 5 Aug 2019 13:01:50 -0400 +Subject: tools lib traceevent: Fix "robust" test of do_generate_dynamic_list_file +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Steven Rostedt (VMware) + +commit 82a2f88458d70704be843961e10b5cef9a6e95d3 upstream. + +The tools/lib/traceevent/Makefile had a test added to it to detect a failure +of the "nm" when making the dynamic list file (whatever that is). The +problem is that the test sorts the values "U W w" and some versions of sort +will place "w" ahead of "W" (even though it has a higher ASCII value, and +break the test. + +Add 'tr "w" "W"' to merge the two and not worry about the ordering. + +Reported-by: Tzvetomir Stoyanov +Signed-off-by: Steven Rostedt (VMware) +Cc: Alexander Shishkin +Cc: David Carrillo-Cisneros +Cc: He Kuang +Cc: Jiri Olsa +Cc: Michal rarek +Cc: Paul Turner +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Uwe Kleine-König +Cc: Wang Nan +Cc: stable@vger.kernel.org +Fixes: 6467753d61399 ("tools lib traceevent: Robustify do_generate_dynamic_list_file") +Link: http://lkml.kernel.org/r/20190805130150.25acfeb1@gandalf.local.home +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/lib/traceevent/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/lib/traceevent/Makefile ++++ b/tools/lib/traceevent/Makefile +@@ -259,8 +259,8 @@ endef + + define do_generate_dynamic_list_file + symbol_type=`$(NM) -u -D $1 | awk 'NF>1 {print $$1}' | \ +- xargs echo "U W w" | tr ' ' '\n' | sort -u | xargs echo`;\ +- if [ "$$symbol_type" = "U W w" ];then \ ++ xargs echo "U w W" | tr 'w ' 'W\n' | sort -u | xargs echo`;\ ++ if [ "$$symbol_type" = "U W" ];then \ + (echo '{'; \ + $(NM) -u -D $1 | awk 'NF>1 {print "\t"$$2";"}' | sort -u;\ + echo '};'; \ 
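Review bot: The rewritten `tr 'w ' 'W\n'` performs two unrelated substitutions in one call, folding `w` into `W` and turning spaces into newlines, which is easy to misread as a typo. A comment above `define do_generate_dynamic_list_file` would record the intent, for example `# tr folds w into W and splits on spaces, so the check does not depend on how sort orders upper and lower case`. The `define` block runs past the end of the hunk.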
diff --git a/queue-4.14/usercopy-avoid-highmem-pfn-warning.patch b/queue-4.14/usercopy-avoid-highmem-pfn-warning.patch
new file mode 100644
index 00000000000..f01769f3ab4
--- /dev/null
+++ b/queue-4.14/usercopy-avoid-highmem-pfn-warning.patch
@@ -0,0 +1,88 @@ +From 314eed30ede02fa925990f535652254b5bad6b65 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 17 Sep 2019 11:00:25 -0700 +Subject: usercopy: Avoid HIGHMEM pfn warning + +From: Kees Cook + +commit 314eed30ede02fa925990f535652254b5bad6b65 upstream. + +When running on a system with >512MB RAM with a 32-bit kernel built with: + + CONFIG_DEBUG_VIRTUAL=y + CONFIG_HIGHMEM=y + CONFIG_HARDENED_USERCOPY=y + +all execve()s will fail due to argv copying into kmap()ed pages, and on +usercopy checking the calls ultimately of virt_to_page() will be looking +for "bad" kmap (highmem) pointers due to CONFIG_DEBUG_VIRTUAL=y: + + ------------[ cut here ]------------ + kernel BUG at ../arch/x86/mm/physaddr.c:83! + invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC + CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.3.0-rc8 #6 + Hardware name: Dell Inc. Inspiron 1318/0C236D, BIOS A04 01/15/2009 + EIP: __phys_addr+0xaf/0x100 + ... + Call Trace: + __check_object_size+0xaf/0x3c0 + ? __might_sleep+0x80/0xa0 + copy_strings+0x1c2/0x370 + copy_strings_kernel+0x2b/0x40 + __do_execve_file+0x4ca/0x810 + ? kmem_cache_alloc+0x1c7/0x370 + do_execve+0x1b/0x20 + ... + +The check is from arch/x86/mm/physaddr.c: + + VIRTUAL_BUG_ON((phys_addr >> PAGE_SHIFT) > max_low_pfn); + +Due to the kmap() in fs/exec.c: + + kaddr = kmap(kmapped_page); + ... + if (copy_from_user(kaddr+offset, str, bytes_to_copy)) ... + +Now we can fetch the correct page to avoid the pfn check. In both cases, +hardened usercopy will need to walk the page-span checker (if enabled) +to do sanity checking. 
+ +Reported-by: Randy Dunlap +Tested-by: Randy Dunlap +Fixes: f5509cc18daa ("mm: Hardened usercopy") +Cc: Matthew Wilcox +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Matthew Wilcox (Oracle) +Link: https://lore.kernel.org/r/201909171056.7F2FFD17@keescook +Signed-off-by: Greg Kroah-Hartman + +--- + mm/usercopy.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/mm/usercopy.c ++++ b/mm/usercopy.c +@@ -15,6 +15,7 @@ + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + + #include ++#include + #include + #include + #include +@@ -203,7 +204,12 @@ static inline const char *check_heap_obj + if (!virt_addr_valid(ptr)) + return NULL; + +- page = virt_to_head_page(ptr); ++ /* ++ * When CONFIG_HIGHMEM=y, kmap_to_page() will give either the ++ * highmem page or fallback to virt_to_page(). The following ++ * is effectively a highmem-aware virt_to_head_page(). ++ */ ++ page = compound_head(kmap_to_page((void *)ptr)); + + /* Check slab allocator for flags and size. */ + if (PageSlab(page)) -- 2.47.2
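Review bot: The `(void *)ptr` cast in the new `page = compound_head(kmap_to_page((void *)ptr));` line appears to exist only to drop a const qualifier so the argument matches kmap_to_page()'s parameter; `ptr`'s declaration is outside the hunk, so that is an assumption. If so, the added block comment should say it, for instance with a closing sentence `The cast only drops const for kmap_to_page(); nothing is written through it.` That keeps the cast from being copied as a way to obtain a writable pointer inside a hardening check. The function named in the hunk header starts and ends outside the hunk.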