From 29d9c2e5cdb044cf046ae5cab50dfa2a49aad0b3 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 23 Sep 2021 10:07:09 +0200
Subject: [PATCH] 5.10-stable patches

added patches:
arm-qualify-enabling-of-swiotlb_init.patch
console-consume-apc-dm-dcs.patch
s390-pci_mmio-fully-validate-the-vma-before-calling-follow_pte.patch
---
 ...arm-qualify-enabling-of-swiotlb_init.patch | 36 +++++
 queue-5.10/console-consume-apc-dm-dcs.patch | 137 ++++++++++++++++++
 ...te-the-vma-before-calling-follow_pte.patch | 39 +++++
 queue-5.10/series | 3 +
 4 files changed, 215 insertions(+)
 create mode 100644 queue-5.10/arm-qualify-enabling-of-swiotlb_init.patch
 create mode 100644 queue-5.10/console-consume-apc-dm-dcs.patch
 create mode 100644 queue-5.10/s390-pci_mmio-fully-validate-the-vma-before-calling-follow_pte.patch
diff --git a/queue-5.10/arm-qualify-enabling-of-swiotlb_init.patch b/queue-5.10/arm-qualify-enabling-of-swiotlb_init.patch
new file mode 100644
index 00000000000..bc7beaf04d1
--- /dev/null
+++ b/queue-5.10/arm-qualify-enabling-of-swiotlb_init.patch
@@ -0,0 +1,36 @@
+From fcf044891c84e38fc90eb736b818781bccf94e38 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Thu, 18 Mar 2021 21:03:33 -0700
+Subject: ARM: Qualify enabling of swiotlb_init()
+
+From: Florian Fainelli
+
+commit fcf044891c84e38fc90eb736b818781bccf94e38 upstream.
+
+We do not need a SWIOTLB unless we have DRAM that is addressable beyond
+the arm_dma_limit. Compare max_pfn with arm_dma_pfn_limit to determine
+whether we do need a SWIOTLB to be initialized.
+
+Fixes: ad3c7b18c5b3 ("arm: use swiotlb for bounce buffering on LPAE configs")
+Signed-off-by: Florian Fainelli
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mm/init.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mm/init.c
++++ b/arch/arm/mm/init.c
+@@ -378,7 +378,11 @@ static void __init free_highpages(void)
+ void __init mem_init(void)
+ {
+ #ifdef CONFIG_ARM_LPAE
+- swiotlb_init(1);
++ if (swiotlb_force == SWIOTLB_FORCE ||
++ max_pfn > arm_dma_pfn_limit)
++ swiotlb_init(1);
++ else
++ swiotlb_force = SWIOTLB_NO_FORCE;
+ #endif
+
+ set_max_mapnr(pfn_to_page(max_pfn) - mem_map);
diff --git a/queue-5.10/console-consume-apc-dm-dcs.patch b/queue-5.10/console-consume-apc-dm-dcs.patch
new file mode 100644
index 00000000000..e0880c51267
--- /dev/null
+++ b/queue-5.10/console-consume-apc-dm-dcs.patch
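Review bot: In the queued arch/arm/mm/init.c hunk, the new `else` branch sets `swiotlb_force = SWIOTLB_NO_FORCE` without a comment, so the reason bounce buffering is marked unused (rather than merely left unallocated) can only be recovered from the commit message. The test looks at `max_pfn` alone; whether any other swiotlb consumer built under CONFIG_ARM_LPAE still expects the pool when all RAM sits below `arm_dma_pfn_limit` cannot be told from these lines and is worth confirming for the 5.10 tree. I would add a comment above the condition, e.g. `/* Bounce buffers are only needed when RAM extends past arm_dma_pfn_limit; otherwise mark swiotlb as unused. */`. mem_init() continues past the end of the hunk.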
@@ -0,0 +1,137 @@
+From 3a2b2eb55681158d3e3ef464fbf47574cf0c517c Mon Sep 17 00:00:00 2001
+From: nick black
+Date: Mon, 30 Aug 2021 04:56:15 -0400
+Subject: console: consume APC, DM, DCS
+
+From: nick black
+
+commit 3a2b2eb55681158d3e3ef464fbf47574cf0c517c upstream.
+
+The Linux console's VT102 implementation already consumes OSC
+("Operating System Command") sequences, probably because that's how
+palette changes are transmitted.
+
+In addition to OSC, there are three other major clases of ANSI control
+strings: APC ("Application Program Command"), PM ("Privacy Message"),
+and DCS ("Device Control String"). They are handled similarly to OSC in
+terms of termination.
+
+Source: vt100.net
+
+Add three new enumerated states, one for each of these types. All three
+are handled the same way right now--they simply consume input until
+terminated. I hope to expand upon this firmament in the future. Add
+new predicate ansi_control_string(), returning true for any of these
+states. Replace explicit checks against ESosc with calls to this
+function. Transition to these states appropriately from the escape
+initiation (ESesc) state.
+
+This was motivated by the following Notcurses bugs:
+
+ https://github.com/dankamongmen/notcurses/issues/2050
+ https://github.com/dankamongmen/notcurses/issues/1828
+ https://github.com/dankamongmen/notcurses/issues/2069
+
+where standard VT sequences are not consumed by the Linux console. It's
+not necessary that the Linux console *support* these sequences, but it
+ought *consume* these well-specified classes of sequences.
+
+Tested by sending a variety of escape sequences to the console, and
+verifying that they still worked, or were now properly consumed.
+Verified that the escapes were properly terminated at a generic level.
+Verified that the Notcurses tools continued to show expected output on
+the Linux console, except now without escape bleedthrough.
+
+Link: https://lore.kernel.org/lkml/YSydL0q8iaUfkphg@schwarzgerat.orthanc/
+Signed-off-by: nick black
+Cc: Greg Kroah-Hartman
+Cc: Jiri Slaby
+Cc: Tetsuo Handa
+Cc: Daniel Vetter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/vt/vt.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -2060,7 +2060,7 @@ static void restore_cur(struct vc_data *
+
+ enum { ESnormal, ESesc, ESsquare, ESgetpars, ESfunckey,
+ EShash, ESsetG0, ESsetG1, ESpercent, EScsiignore, ESnonstd,
+- ESpalette, ESosc };
++ ESpalette, ESosc, ESapc, ESpm, ESdcs };
+
+ /* console_lock is held (except via vc_init()) */
+ static void reset_terminal(struct vc_data *vc, int do_clear)
+@@ -2134,20 +2134,28 @@ static void vc_setGx(struct vc_data *vc,
+ vc->vc_translate = set_translate(*charset, vc);
+ }
+
++/* is this state an ANSI control string? */
++static bool ansi_control_string(unsigned int state)
++{
++ if (state == ESosc || state == ESapc || state == ESpm || state == ESdcs)
++ return true;
++ return false;
++}
++
+ /* console_lock is held */
+ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c)
+ {
+ /*
+ * Control characters can be used in the _middle_
+- * of an escape sequence.
++ * of an escape sequence, aside from ANSI control strings.
+ */
+- if (vc->vc_state == ESosc && c>=8 && c<=13) /* ... except for OSC */
++ if (ansi_control_string(vc->vc_state) && c >= 8 && c <= 13)
+ return;
+ switch (c) {
+ case 0:
+ return;
+ case 7:
+- if (vc->vc_state == ESosc)
++ if (ansi_control_string(vc->vc_state))
+ vc->vc_state = ESnormal;
+ else if (vc->vc_bell_duration)
+ kd_mksound(vc->vc_bell_pitch, vc->vc_bell_duration);
+@@ -2208,6 +2216,12 @@ static void do_con_trol(struct tty_struc
+ case ']':
+ vc->vc_state = ESnonstd;
+ return;
++ case '_':
++ vc->vc_state = ESapc;
++ return;
++ case '^':
++ vc->vc_state = ESpm;
++ return;
+ case '%':
+ vc->vc_state = ESpercent;
+ return;
+@@ -2225,6 +2239,9 @@ static void do_con_trol(struct tty_struc
+ if (vc->state.x < VC_TABSTOPS_COUNT)
+ set_bit(vc->state.x, vc->vc_tab_stop);
+ return;
++ case 'P':
++ vc->vc_state = ESdcs;
++ return;
+ case 'Z':
+ respond_ID(tty);
+ return;
+@@ -2521,8 +2538,14 @@ static void do_con_trol(struct tty_struc
+ vc_setGx(vc, 1, c);
+ vc->vc_state = ESnormal;
+ return;
++ case ESapc:
++ return;
+ case ESosc:
+ return;
++ case ESpm:
++ return;
++ case ESdcs:
++ return;
+ default:
+ vc->vc_state = ESnormal;
+ }
diff --git a/queue-5.10/s390-pci_mmio-fully-validate-the-vma-before-calling-follow_pte.patch b/queue-5.10/s390-pci_mmio-fully-validate-the-vma-before-calling-follow_pte.patch
new file mode 100644
index 00000000000..9fee0a494fa
--- /dev/null
+++ b/queue-5.10/s390-pci_mmio-fully-validate-the-vma-before-calling-follow_pte.patch
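Review bot: The new `ESapc`, `ESpm` and `ESdcs` cases in do_con_trol() return with no length bound, so once one of these introducers has been seen the console discards every following byte until a terminator arrives. Within the visible lines the only exit is BEL (`case 7`), and bytes 8-13 are now dropped for all four string states; whether ESC, CAN or SUB still abort the string is decided in parts of `switch (c)` that these hunks do not show, since the function starts and ends outside them. Because output that is not trusted (program output, file contents) can open such a string and suppress what is printed afterwards, I would document the exits at the state cases once that handling is confirmed, e.g. `/* control strings are consumed, not interpreted; only a terminator leaves these states */`. The four identical cases could also be stacked as `case ESapc: case ESosc: case ESpm: case ESdcs: return;`.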
@@ -0,0 +1,39 @@
+From a8b92b8c1eac8d655a97b1e90f4d83c25d9b9a18 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand
+Date: Thu, 9 Sep 2021 16:59:42 +0200
+Subject: s390/pci_mmio: fully validate the VMA before calling follow_pte()
+
+From: David Hildenbrand
+
+commit a8b92b8c1eac8d655a97b1e90f4d83c25d9b9a18 upstream.
+
+We should not walk/touch page tables outside of VMA boundaries when
+holding only the mmap sem in read mode. Evil user space can modify the
+VMA layout just before this function runs and e.g., trigger races with
+page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
+with read mmap_sem in munmap").
+
+find_vma() does not check if the address is >= the VMA start address;
+use vma_lookup() instead.
+
+Reviewed-by: Niklas Schnelle
+Reviewed-by: Liam R. Howlett
+Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
+Signed-off-by: David Hildenbrand
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/pci/pci_mmio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/pci/pci_mmio.c
++++ b/arch/s390/pci/pci_mmio.c
+@@ -128,7 +128,7 @@ static long get_pfn(unsigned long user_a
+ mmap_read_lock(current->mm);
+ ret = -EINVAL;
+ vma = find_vma(current->mm, user_addr);
+- if (!vma)
++ if (!vma || user_addr < vma->vm_start)
+ goto out;
+ ret = -EACCES;
+ if (!(vma->vm_flags & access))
diff --git a/queue-5.10/series b/queue-5.10/series
index 552a0c3d64b..c2e6b580f02 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -1,2 +1,5 @@
 pci-pci-bridge-emul-add-pcie-root-capabilities-register.patch
 pci-aardvark-fix-reporting-crs-value.patch
+console-consume-apc-dm-dcs.patch
+s390-pci_mmio-fully-validate-the-vma-before-calling-follow_pte.patch
+arm-qualify-enabling-of-swiotlb_init.patch
-- 2.47.3
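Review bot: The queued commit message says to use vma_lookup(), but the code in the hunk keeps `find_vma()` and open-codes the lower-bound test as `if (!vma || user_addr < vma->vm_start)`; presumably the helper is not available in this tree, yet nothing in the patch records that the backport deviates from upstream. The check itself closes the gap the message describes (find_vma() can return a VMA that begins above `user_addr`), so I would only add a comment such as `/* open-coded vma_lookup(): find_vma() may return a VMA that starts above user_addr */` and a bracketed backport note above the stable sign-off. get_pfn() begins before and continues after the hunk, so the later follow_pte() call is not visible here.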