From 68146c8e2fb5de1ce4c2243502029e1fc1fe8ca5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 25 Jan 2021 17:57:22 +0100 Subject: [PATCH] 5.10-stable patches added patches: asoc-sof-intel-hda-avoid-checking-jack-on-system-suspend.patch bpf-local-storage-helpers-should-check-nullness-of-owner-ptr-passed.patch drm-i915-hdcp-get-conn-while-content_type-changed.patch interconnect-imx8mq-use-icc_sync_state.patch kernfs-implement-read_iter.patch kernfs-implement-write_iter.patch kernfs-wire-up-splice_read-and-splice_write.patch net-systemport-free-dev-before-on-error-path.patch tcp-fix-potential-use-after-free-due-to-double-kfree.patch tty-fix-up-hung_up_tty_write-conversion.patch tty-implement-write_iter.patch x86-sev-es-handle-string-port-io-to-kernel-memory-properly.patch x86-sev-fix-nonistr-violation.patch --- ...void-checking-jack-on-system-suspend.patch | 87 +++++++++ ...d-check-nullness-of-owner-ptr-passed.patch | 61 +++++++ ...-get-conn-while-content_type-changed.patch | 38 ++++ ...terconnect-imx8mq-use-icc_sync_state.patch | 41 +++++ queue-5.10/kernfs-implement-read_iter.patch | 104 +++++++++++ queue-5.10/kernfs-implement-write_iter.patch | 106 +++++++++++ ...wire-up-splice_read-and-splice_write.patch | 35 ++++ ...emport-free-dev-before-on-error-path.patch | 37 ++++ queue-5.10/series | 13 ++ ...l-use-after-free-due-to-double-kfree.patch | 76 ++++++++ ...-fix-up-hung_up_tty_write-conversion.patch | 57 ++++++ queue-5.10/tty-implement-write_iter.patch | 167 ++++++++++++++++++ ...ng-port-io-to-kernel-memory-properly.patch | 60 +++++++ .../x86-sev-fix-nonistr-violation.patch | 35 ++++ 14 files changed, 917 insertions(+) create mode 100644 queue-5.10/asoc-sof-intel-hda-avoid-checking-jack-on-system-suspend.patch create mode 100644 queue-5.10/bpf-local-storage-helpers-should-check-nullness-of-owner-ptr-passed.patch create mode 100644 queue-5.10/drm-i915-hdcp-get-conn-while-content_type-changed.patch create mode 100644 queue-5.10/interconnect-imx8mq-use-icc_sync_state.patch create mode 100644 queue-5.10/kernfs-implement-read_iter.patch create mode 100644 queue-5.10/kernfs-implement-write_iter.patch create mode 100644 queue-5.10/kernfs-wire-up-splice_read-and-splice_write.patch create mode 100644 queue-5.10/net-systemport-free-dev-before-on-error-path.patch create mode 100644 queue-5.10/tcp-fix-potential-use-after-free-due-to-double-kfree.patch create mode 100644 queue-5.10/tty-fix-up-hung_up_tty_write-conversion.patch create mode 100644 queue-5.10/tty-implement-write_iter.patch create mode 100644 queue-5.10/x86-sev-es-handle-string-port-io-to-kernel-memory-properly.patch create mode 100644 queue-5.10/x86-sev-fix-nonistr-violation.patch diff --git a/queue-5.10/asoc-sof-intel-hda-avoid-checking-jack-on-system-suspend.patch b/queue-5.10/asoc-sof-intel-hda-avoid-checking-jack-on-system-suspend.patch new file mode 100644 index 00000000000..acc8ca7fe97 --- /dev/null +++ b/queue-5.10/asoc-sof-intel-hda-avoid-checking-jack-on-system-suspend.patch @@ -0,0 +1,87 @@ +From ef4d764c99f792b725d4754a3628830f094f5c58 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Wed, 13 Jan 2021 02:11:25 +0800 +Subject: ASoC: SOF: Intel: hda: Avoid checking jack on system suspend + +From: Kai-Heng Feng + +commit ef4d764c99f792b725d4754a3628830f094f5c58 upstream. + +System takes a very long time to suspend after commit 215a22ed31a1 +("ALSA: hda: Refactor codec PM to use direct-complete optimization"): +[ 90.065964] PM: suspend entry (s2idle) +[ 90.067337] Filesystems sync: 0.001 seconds +[ 90.185758] Freezing user space processes ... (elapsed 0.002 seconds) done. +[ 90.188713] OOM killer disabled. +[ 90.188714] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done. +[ 90.190024] printk: Suspending console(s) (use no_console_suspend to debug) +[ 90.904912] intel_pch_thermal 0000:00:12.0: CPU-PCH is cool [49C], continue to suspend +[ 321.262505] snd_hda_codec_realtek ehdaudio0D0: Unable to sync register 0x2b8000. -5 +[ 328.426919] snd_hda_codec_realtek ehdaudio0D0: Unable to sync register 0x2b8000. -5 +[ 329.490933] ACPI: EC: interrupt blocked + +That commit keeps the codec suspended during the system suspend. However, +mute/micmute LED will clear codec's direct-complete flag by +dpm_clear_superiors_direct_complete(). + +This doesn't play well with SOF driver. When its runtime resume is +called for system suspend, hda_codec_jack_check() schedules +jackpoll_work which uses snd_hdac_is_power_on() to check whether codec +is suspended. Because the direct-complete path isn't taken, +pm_runtime_disable() isn't called so snd_hdac_is_power_on() returns +false and jackpoll continues to run, and snd_hda_power_up_pm() cannot +power up an already suspended codec in multiple attempts, causes the +long delay on system suspend: + +if (dev->power.direct_complete) { + if (pm_runtime_status_suspended(dev)) { + pm_runtime_disable(dev); + if (pm_runtime_status_suspended(dev)) { + pm_dev_dbg(dev, state, "direct-complete "); + goto Complete; + } + + pm_runtime_enable(dev); + } + dev->power.direct_complete = false; +} + +When direct-complete path is taken, snd_hdac_is_power_on() returns true +and hda_jackpoll_work() is skipped by accident. So this is still not +correct. + +If we were to use snd_hdac_is_power_on() in system PM path, +pm_runtime_status_suspended() should be used instead of +pm_runtime_suspended(), otherwise pm_runtime_{enable,disable}() may +change the outcome of snd_hdac_is_power_on(). + +Because devices suspend in reverse order (i.e. child first), it doesn't +make much sense to resume an already suspended codec from audio +controller. So avoid the issue by making sure jackpoll isn't used in +system PM process. + +Fixes: 215a22ed31a1 ("ALSA: hda: Refactor codec PM to use direct-complete optimization") +Signed-off-by: Kai-Heng Feng +Reviewed-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20210112181128.1229827-3-kai.heng.feng@canonical.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sof/intel/hda-dsp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/soc/sof/intel/hda-dsp.c ++++ b/sound/soc/sof/intel/hda-dsp.c +@@ -683,8 +683,10 @@ static int hda_resume(struct snd_sof_dev + + #if IS_ENABLED(CONFIG_SND_SOC_SOF_HDA) + /* check jack status */ +- if (runtime_resume) +- hda_codec_jack_check(sdev); ++ if (runtime_resume) { ++ if (sdev->system_suspend_target == SOF_SUSPEND_NONE) ++ hda_codec_jack_check(sdev); ++ } + + /* turn off the links that were off before suspend */ + list_for_each_entry(hlink, &bus->hlink_list, list) { diff --git a/queue-5.10/bpf-local-storage-helpers-should-check-nullness-of-owner-ptr-passed.patch b/queue-5.10/bpf-local-storage-helpers-should-check-nullness-of-owner-ptr-passed.patch new file mode 100644 index 00000000000..7304a45e40c --- /dev/null +++ b/queue-5.10/bpf-local-storage-helpers-should-check-nullness-of-owner-ptr-passed.patch @@ -0,0 +1,61 @@ +From 1a9c72ad4c26821e215a396167c14959cf24a7f1 Mon Sep 17 00:00:00 2001 +From: KP Singh +Date: Tue, 12 Jan 2021 07:55:24 +0000 +Subject: bpf: Local storage helpers should check nullness of owner ptr passed + +From: KP Singh + +commit 1a9c72ad4c26821e215a396167c14959cf24a7f1 upstream. + +The verifier allows ARG_PTR_TO_BTF_ID helper arguments to be NULL, so +helper implementations need to check this before dereferencing them. +This was already fixed for the socket storage helpers but not for task +and inode. + +The issue can be reproduced by attaching an LSM program to +inode_rename hook (called when moving files) which tries to get the +inode of the new file without checking for its nullness and then trying +to move an existing file to a new path: + + mv existing_file new_file_does_not_exist + +The report including the sample program and the steps for reproducing +the bug: + + https://lore.kernel.org/bpf/CANaYP3HWkH91SN=wTNO9FL_2ztHfqcXKX38SSE-JJ2voh+vssw@mail.gmail.com + +Fixes: 4cf1bc1f1045 ("bpf: Implement task local storage") +Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes") +Reported-by: Gilad Reti +Signed-off-by: KP Singh +Signed-off-by: Daniel Borkmann +Acked-by: Martin KaFai Lau +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20210112075525.256820-3-kpsingh@kernel.org +[ just take 1/2 of this patch for 5.10.y - gregkh ] +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/bpf_inode_storage.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/bpf/bpf_inode_storage.c ++++ b/kernel/bpf/bpf_inode_storage.c +@@ -176,7 +176,7 @@ BPF_CALL_4(bpf_inode_storage_get, struct + * bpf_local_storage_update expects the owner to have a + * valid storage pointer. + */ +- if (!inode_storage_ptr(inode)) ++ if (!inode || !inode_storage_ptr(inode)) + return (unsigned long)NULL; + + sdata = inode_storage_lookup(inode, map, true); +@@ -200,6 +200,9 @@ BPF_CALL_4(bpf_inode_storage_get, struct + BPF_CALL_2(bpf_inode_storage_delete, + struct bpf_map *, map, struct inode *, inode) + { ++ if (!inode) ++ return -EINVAL; ++ + /* This helper must only called from where the inode is gurranteed + * to have a refcount and cannot be freed. + */ diff --git a/queue-5.10/drm-i915-hdcp-get-conn-while-content_type-changed.patch b/queue-5.10/drm-i915-hdcp-get-conn-while-content_type-changed.patch new file mode 100644 index 00000000000..84059b28a5a --- /dev/null +++ b/queue-5.10/drm-i915-hdcp-get-conn-while-content_type-changed.patch @@ -0,0 +1,38 @@ +From 8662e1119a7d1baa1b2001689b2923e9050754bd Mon Sep 17 00:00:00 2001 +From: Anshuman Gupta +Date: Mon, 11 Jan 2021 13:41:03 +0530 +Subject: drm/i915/hdcp: Get conn while content_type changed + +From: Anshuman Gupta + +commit 8662e1119a7d1baa1b2001689b2923e9050754bd upstream. + +Get DRM connector reference count while scheduling a prop work +to avoid any possible destroy of DRM connector when it is in +DRM_CONNECTOR_REGISTERED state. + +Fixes: a6597faa2d59 ("drm/i915: Protect workers against disappearing connectors") +Cc: Sean Paul +Cc: Ramalingam C +Reviewed-by: Uma Shankar +Reviewed-by: Ramalingam C +Tested-by: Karthik B S +Signed-off-by: Anshuman Gupta +Link: https://patchwork.freedesktop.org/patch/msgid/20210111081120.28417-3-anshuman.gupta@intel.com +(cherry picked from commit b3c6661aad979ec3d4f5675cf3e6a35828607d6a) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_hdcp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/i915/display/intel_hdcp.c ++++ b/drivers/gpu/drm/i915/display/intel_hdcp.c +@@ -2187,6 +2187,7 @@ void intel_hdcp_update_pipe(struct intel + if (content_protection_type_changed) { + mutex_lock(&hdcp->mutex); + hdcp->value = DRM_MODE_CONTENT_PROTECTION_DESIRED; ++ drm_connector_get(&connector->base); + schedule_work(&hdcp->prop_work); + mutex_unlock(&hdcp->mutex); + } diff --git a/queue-5.10/interconnect-imx8mq-use-icc_sync_state.patch b/queue-5.10/interconnect-imx8mq-use-icc_sync_state.patch new file mode 100644 index 00000000000..0e9f169ac38 --- /dev/null +++ b/queue-5.10/interconnect-imx8mq-use-icc_sync_state.patch @@ -0,0 +1,41 @@ +From 67288f74d4837b82ef937170da3389b0779c17be Mon Sep 17 00:00:00 2001 +From: Martin Kepplinger +Date: Mon, 28 Dec 2020 14:03:02 +0200 +Subject: interconnect: imx8mq: Use icc_sync_state + +From: Martin Kepplinger + +commit 67288f74d4837b82ef937170da3389b0779c17be upstream. + +Add the icc_sync_state callback to notify the framework when consumers +are probed and the bandwidth doesn't have to be kept at maximum anymore. + +Signed-off-by: Martin Kepplinger +Suggested-by: Georgi Djakov +Fixes: 7d3b0b0d8184 ("interconnect: qcom: Use icc_sync_state") +Link: https://lore.kernel.org/r/20201210100906.18205-6-martin.kepplinger@puri.sm +Signed-off-by: Georgi Djakov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/interconnect/imx/imx8mq.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/interconnect/imx/imx8mq.c ++++ b/drivers/interconnect/imx/imx8mq.c +@@ -7,6 +7,7 @@ + + #include + #include ++#include + #include + + #include "imx.h" +@@ -94,6 +95,7 @@ static struct platform_driver imx8mq_icc + .remove = imx8mq_icc_remove, + .driver = { + .name = "imx8mq-interconnect", ++ .sync_state = icc_sync_state, + }, + }; + diff --git a/queue-5.10/kernfs-implement-read_iter.patch b/queue-5.10/kernfs-implement-read_iter.patch new file mode 100644 index 00000000000..badb32328d5 --- /dev/null +++ b/queue-5.10/kernfs-implement-read_iter.patch @@ -0,0 +1,104 @@ +From 4eaad21a6ac9865df7f31983232ed5928450458d Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Wed, 20 Jan 2021 21:46:29 +0100 +Subject: kernfs: implement ->read_iter + +From: Christoph Hellwig + +commit 4eaad21a6ac9865df7f31983232ed5928450458d upstream. + +Switch kernfs to implement the read_iter method instead of plain old +read to prepare to supporting splice and sendfile again. + +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20210120204631.274206-2-hch@lst.de +Signed-off-by: Greg Kroah-Hartman +--- + fs/kernfs/file.c | 35 ++++++++++++----------------------- + 1 file changed, 12 insertions(+), 23 deletions(-) + +--- a/fs/kernfs/file.c ++++ b/fs/kernfs/file.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + #include "kernfs-internal.h" + +@@ -180,11 +181,10 @@ static const struct seq_operations kernf + * it difficult to use seq_file. Implement simplistic custom buffering for + * bin files. + */ +-static ssize_t kernfs_file_direct_read(struct kernfs_open_file *of, +- char __user *user_buf, size_t count, +- loff_t *ppos) ++static ssize_t kernfs_file_read_iter(struct kiocb *iocb, struct iov_iter *iter) + { +- ssize_t len = min_t(size_t, count, PAGE_SIZE); ++ struct kernfs_open_file *of = kernfs_of(iocb->ki_filp); ++ ssize_t len = min_t(size_t, iov_iter_count(iter), PAGE_SIZE); + const struct kernfs_ops *ops; + char *buf; + +@@ -210,7 +210,7 @@ static ssize_t kernfs_file_direct_read(s + of->event = atomic_read(&of->kn->attr.open->event); + ops = kernfs_ops(of->kn); + if (ops->read) +- len = ops->read(of, buf, len, *ppos); ++ len = ops->read(of, buf, len, iocb->ki_pos); + else + len = -EINVAL; + +@@ -220,12 +220,12 @@ static ssize_t kernfs_file_direct_read(s + if (len < 0) + goto out_free; + +- if (copy_to_user(user_buf, buf, len)) { ++ if (copy_to_iter(buf, len, iter) != len) { + len = -EFAULT; + goto out_free; + } + +- *ppos += len; ++ iocb->ki_pos += len; + + out_free: + if (buf == of->prealloc_buf) +@@ -235,22 +235,11 @@ static ssize_t kernfs_file_direct_read(s + return len; + } + +-/** +- * kernfs_fop_read - kernfs vfs read callback +- * @file: file pointer +- * @user_buf: data to write +- * @count: number of bytes +- * @ppos: starting offset +- */ +-static ssize_t kernfs_fop_read(struct file *file, char __user *user_buf, +- size_t count, loff_t *ppos) ++static ssize_t kernfs_fop_read_iter(struct kiocb *iocb, struct iov_iter *iter) + { +- struct kernfs_open_file *of = kernfs_of(file); +- +- if (of->kn->flags & KERNFS_HAS_SEQ_SHOW) +- return seq_read(file, user_buf, count, ppos); +- else +- return kernfs_file_direct_read(of, user_buf, count, ppos); ++ if (kernfs_of(iocb->ki_filp)->kn->flags & KERNFS_HAS_SEQ_SHOW) ++ return seq_read_iter(iocb, iter); ++ return kernfs_file_read_iter(iocb, iter); + } + + /** +@@ -960,7 +949,7 @@ void kernfs_notify(struct kernfs_node *k + EXPORT_SYMBOL_GPL(kernfs_notify); + + const struct file_operations kernfs_file_fops = { +- .read = kernfs_fop_read, ++ .read_iter = kernfs_fop_read_iter, + .write = kernfs_fop_write, + .llseek = generic_file_llseek, + .mmap = kernfs_fop_mmap, diff --git a/queue-5.10/kernfs-implement-write_iter.patch b/queue-5.10/kernfs-implement-write_iter.patch new file mode 100644 index 00000000000..c4cb0c7c266 --- /dev/null +++ b/queue-5.10/kernfs-implement-write_iter.patch @@ -0,0 +1,106 @@ +From cc099e0b399889c6485c88368b19824b087c9f8c Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Wed, 20 Jan 2021 21:46:30 +0100 +Subject: kernfs: implement ->write_iter + +From: Christoph Hellwig + +commit cc099e0b399889c6485c88368b19824b087c9f8c upstream. + +Switch kernfs to implement the write_iter method instead of plain old +write to prepare to supporting splice and sendfile again. + +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20210120204631.274206-3-hch@lst.de +Signed-off-by: Greg Kroah-Hartman +--- + fs/kernfs/file.c | 28 ++++++++++------------------ + 1 file changed, 10 insertions(+), 18 deletions(-) + +--- a/fs/kernfs/file.c ++++ b/fs/kernfs/file.c +@@ -242,13 +242,7 @@ static ssize_t kernfs_fop_read_iter(stru + return kernfs_file_read_iter(iocb, iter); + } + +-/** +- * kernfs_fop_write - kernfs vfs write callback +- * @file: file pointer +- * @user_buf: data to write +- * @count: number of bytes +- * @ppos: starting offset +- * ++/* + * Copy data in from userland and pass it to the matching kernfs write + * operation. + * +@@ -258,20 +252,18 @@ static ssize_t kernfs_fop_read_iter(stru + * modify only the the value you're changing, then write entire buffer + * back. + */ +-static ssize_t kernfs_fop_write(struct file *file, const char __user *user_buf, +- size_t count, loff_t *ppos) ++static ssize_t kernfs_fop_write_iter(struct kiocb *iocb, struct iov_iter *iter) + { +- struct kernfs_open_file *of = kernfs_of(file); ++ struct kernfs_open_file *of = kernfs_of(iocb->ki_filp); ++ ssize_t len = iov_iter_count(iter); + const struct kernfs_ops *ops; +- ssize_t len; + char *buf; + + if (of->atomic_write_len) { +- len = count; + if (len > of->atomic_write_len) + return -E2BIG; + } else { +- len = min_t(size_t, count, PAGE_SIZE); ++ len = min_t(size_t, len, PAGE_SIZE); + } + + buf = of->prealloc_buf; +@@ -282,7 +274,7 @@ static ssize_t kernfs_fop_write(struct f + if (!buf) + return -ENOMEM; + +- if (copy_from_user(buf, user_buf, len)) { ++ if (copy_from_iter(buf, len, iter) != len) { + len = -EFAULT; + goto out_free; + } +@@ -301,7 +293,7 @@ static ssize_t kernfs_fop_write(struct f + + ops = kernfs_ops(of->kn); + if (ops->write) +- len = ops->write(of, buf, len, *ppos); ++ len = ops->write(of, buf, len, iocb->ki_pos); + else + len = -EINVAL; + +@@ -309,7 +301,7 @@ static ssize_t kernfs_fop_write(struct f + mutex_unlock(&of->mutex); + + if (len > 0) +- *ppos += len; ++ iocb->ki_pos += len; + + out_free: + if (buf == of->prealloc_buf) +@@ -662,7 +654,7 @@ static int kernfs_fop_open(struct inode + + /* + * Write path needs to atomic_write_len outside active reference. +- * Cache it in open_file. See kernfs_fop_write() for details. ++ * Cache it in open_file. See kernfs_fop_write_iter() for details. + */ + of->atomic_write_len = ops->atomic_write_len; + +@@ -950,7 +942,7 @@ EXPORT_SYMBOL_GPL(kernfs_notify); + + const struct file_operations kernfs_file_fops = { + .read_iter = kernfs_fop_read_iter, +- .write = kernfs_fop_write, ++ .write_iter = kernfs_fop_write_iter, + .llseek = generic_file_llseek, + .mmap = kernfs_fop_mmap, + .open = kernfs_fop_open, diff --git a/queue-5.10/kernfs-wire-up-splice_read-and-splice_write.patch b/queue-5.10/kernfs-wire-up-splice_read-and-splice_write.patch new file mode 100644 index 00000000000..161c9066f77 --- /dev/null +++ b/queue-5.10/kernfs-wire-up-splice_read-and-splice_write.patch @@ -0,0 +1,35 @@ +From f2d6c2708bd84ca953fa6b6ca5717e79eb0140c7 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Wed, 20 Jan 2021 21:46:31 +0100 +Subject: kernfs: wire up ->splice_read and ->splice_write + +From: Christoph Hellwig + +commit f2d6c2708bd84ca953fa6b6ca5717e79eb0140c7 upstream. + +Wire up the splice_read and splice_write methods to the default +helpers using ->read_iter and ->write_iter now that those are +implemented for kernfs. This restores support to use splice and +sendfile on kernfs files. + +Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops") +Reported-by: Siddharth Gupta +Tested-by: Siddharth Gupta +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20210120204631.274206-4-hch@lst.de +Signed-off-by: Greg Kroah-Hartman +--- + fs/kernfs/file.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/kernfs/file.c ++++ b/fs/kernfs/file.c +@@ -949,6 +949,8 @@ const struct file_operations kernfs_file + .release = kernfs_fop_release, + .poll = kernfs_fop_poll, + .fsync = noop_fsync, ++ .splice_read = generic_file_splice_read, ++ .splice_write = iter_file_splice_write, + }; + + /** diff --git a/queue-5.10/net-systemport-free-dev-before-on-error-path.patch b/queue-5.10/net-systemport-free-dev-before-on-error-path.patch new file mode 100644 index 00000000000..8d4e271a3b2 --- /dev/null +++ b/queue-5.10/net-systemport-free-dev-before-on-error-path.patch @@ -0,0 +1,37 @@ +From 0c630a66bf10991b0ef13d27c93d7545e692ef5b Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Tue, 19 Jan 2021 20:44:23 -0800 +Subject: net: systemport: free dev before on error path + +From: Pan Bian + +commit 0c630a66bf10991b0ef13d27c93d7545e692ef5b upstream. + +On the error path, it should goto the error handling label to free +allocated memory rather than directly return. + +Fixes: 31bc72d97656 ("net: systemport: fetch and use clock resources") +Signed-off-by: Pan Bian +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20210120044423.1704-1-bianpan2016@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -2503,8 +2503,10 @@ static int bcm_sysport_probe(struct plat + priv = netdev_priv(dev); + + priv->clk = devm_clk_get_optional(&pdev->dev, "sw_sysport"); +- if (IS_ERR(priv->clk)) +- return PTR_ERR(priv->clk); ++ if (IS_ERR(priv->clk)) { ++ ret = PTR_ERR(priv->clk); ++ goto err_free_netdev; ++ } + + /* Allocate number of TX rings */ + priv->tx_rings = devm_kcalloc(&pdev->dev, txq, diff --git a/queue-5.10/series b/queue-5.10/series index 9fce8153b9e..b3ffe95e03f 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -184,3 +184,16 @@ pinctrl-qcom-allow-socs-to-specify-a-gpio-function-that-s-not-0.patch pinctrl-qcom-no-need-to-read-modify-write-the-interrupt-status.patch pinctrl-qcom-properly-clear-intr_ack_high-interrupts-when-unmasking.patch pinctrl-qcom-don-t-clear-pending-interrupts-when-enabling.patch +x86-sev-fix-nonistr-violation.patch +tty-implement-write_iter.patch +tty-fix-up-hung_up_tty_write-conversion.patch +net-systemport-free-dev-before-on-error-path.patch +x86-sev-es-handle-string-port-io-to-kernel-memory-properly.patch +tcp-fix-potential-use-after-free-due-to-double-kfree.patch +asoc-sof-intel-hda-avoid-checking-jack-on-system-suspend.patch +drm-i915-hdcp-get-conn-while-content_type-changed.patch +bpf-local-storage-helpers-should-check-nullness-of-owner-ptr-passed.patch +kernfs-implement-read_iter.patch +kernfs-implement-write_iter.patch +kernfs-wire-up-splice_read-and-splice_write.patch +interconnect-imx8mq-use-icc_sync_state.patch diff --git a/queue-5.10/tcp-fix-potential-use-after-free-due-to-double-kfree.patch b/queue-5.10/tcp-fix-potential-use-after-free-due-to-double-kfree.patch new file mode 100644 index 00000000000..8445cd43249 --- /dev/null +++ b/queue-5.10/tcp-fix-potential-use-after-free-due-to-double-kfree.patch @@ -0,0 +1,76 @@ +From c89dffc70b340780e5b933832d8c3e045ef3791e Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Mon, 18 Jan 2021 14:59:20 +0900 +Subject: tcp: Fix potential use-after-free due to double kfree() + +From: Kuniyuki Iwashima + +commit c89dffc70b340780e5b933832d8c3e045ef3791e upstream. + +Receiving ACK with a valid SYN cookie, cookie_v4_check() allocates struct +request_sock and then can allocate inet_rsk(req)->ireq_opt. After that, +tcp_v4_syn_recv_sock() allocates struct sock and copies ireq_opt to +inet_sk(sk)->inet_opt. Normally, tcp_v4_syn_recv_sock() inserts the full +socket into ehash and sets NULL to ireq_opt. Otherwise, +tcp_v4_syn_recv_sock() has to reset inet_opt by NULL and free the full +socket. + +The commit 01770a1661657 ("tcp: fix race condition when creating child +sockets from syncookies") added a new path, in which more than one cores +create full sockets for the same SYN cookie. Currently, the core which +loses the race frees the full socket without resetting inet_opt, resulting +in that both sock_put() and reqsk_put() call kfree() for the same memory: + + sock_put + sk_free + __sk_free + sk_destruct + __sk_destruct + sk->sk_destruct/inet_sock_destruct + kfree(rcu_dereference_protected(inet->inet_opt, 1)); + + reqsk_put + reqsk_free + __reqsk_free + req->rsk_ops->destructor/tcp_v4_reqsk_destructor + kfree(rcu_dereference_protected(inet_rsk(req)->ireq_opt, 1)); + +Calling kmalloc() between the double kfree() can lead to use-after-free, so +this patch fixes it by setting NULL to inet_opt before sock_put(). + +As a side note, this kind of issue does not happen for IPv6. This is +because tcp_v6_syn_recv_sock() clones both ipv6_opt and pktopts which +correspond to ireq_opt in IPv4. + +Fixes: 01770a166165 ("tcp: fix race condition when creating child sockets from syncookies") +CC: Ricardo Dias +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Benjamin Herrenschmidt +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20210118055920.82516-1-kuniyu@amazon.co.jp +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_ipv4.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1590,6 +1590,8 @@ struct sock *tcp_v4_syn_recv_sock(const + tcp_move_syn(newtp, req); + ireq->ireq_opt = NULL; + } else { ++ newinet->inet_opt = NULL; ++ + if (!req_unhash && found_dup_sk) { + /* This code path should only be executed in the + * syncookie case only +@@ -1597,8 +1599,6 @@ struct sock *tcp_v4_syn_recv_sock(const + bh_unlock_sock(newsk); + sock_put(newsk); + newsk = NULL; +- } else { +- newinet->inet_opt = NULL; + } + } + return newsk; diff --git a/queue-5.10/tty-fix-up-hung_up_tty_write-conversion.patch b/queue-5.10/tty-fix-up-hung_up_tty_write-conversion.patch new file mode 100644 index 00000000000..8e065a4b2c7 --- /dev/null +++ b/queue-5.10/tty-fix-up-hung_up_tty_write-conversion.patch @@ -0,0 +1,57 @@ +From 17749851eb9ca2298e7c3b81aae4228961b36f28 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 21 Jan 2021 10:04:27 -0800 +Subject: tty: fix up hung_up_tty_write() conversion + +From: Linus Torvalds + +commit 17749851eb9ca2298e7c3b81aae4228961b36f28 upstream. + +In commit "tty: implement write_iter", I left the write_iter conversion +of the hung up tty case alone, because I incorrectly thought it didn't +matter. + +Jiri showed me the errors of my ways, and pointed out the problems with +that incomplete conversion. Fix it all up. + +Reported-by: Jiri Slaby +Signed-off-by: Linus Torvalds +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/CAHk-=wh+-rGsa=xruEWdg_fJViFG8rN9bpLrfLz=_yBYh2tBhA@mail.gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/tty_io.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -437,8 +437,7 @@ static ssize_t hung_up_tty_read(struct f + return 0; + } + +-static ssize_t hung_up_tty_write(struct file *file, const char __user *buf, +- size_t count, loff_t *ppos) ++static ssize_t hung_up_tty_write(struct kiocb *iocb, struct iov_iter *from) + { + return -EIO; + } +@@ -504,7 +503,7 @@ static const struct file_operations cons + static const struct file_operations hung_up_tty_fops = { + .llseek = no_llseek, + .read = hung_up_tty_read, +- .write = hung_up_tty_write, ++ .write_iter = hung_up_tty_write, + .poll = hung_up_tty_poll, + .unlocked_ioctl = hung_up_tty_ioctl, + .compat_ioctl = hung_up_tty_compat_ioctl, +@@ -1045,7 +1044,9 @@ static ssize_t tty_write(struct kiocb *i + if (tty->ops->write_room == NULL) + tty_err(tty, "missing write_room method\n"); + ld = tty_ldisc_ref_wait(tty); +- if (!ld || !ld->ops->write) ++ if (!ld) ++ return hung_up_tty_write(iocb, from); ++ if (!ld->ops->write) + ret = -EIO; + else + ret = do_tty_write(ld->ops->write, tty, file, from); diff --git a/queue-5.10/tty-implement-write_iter.patch b/queue-5.10/tty-implement-write_iter.patch new file mode 100644 index 00000000000..404b5e7fb33 --- /dev/null +++ b/queue-5.10/tty-implement-write_iter.patch @@ -0,0 +1,167 @@ +From 9bb48c82aced07698a2d08ee0f1475a6c4f6b266 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Tue, 19 Jan 2021 11:41:16 -0800 +Subject: tty: implement write_iter + +From: Linus Torvalds + +commit 9bb48c82aced07698a2d08ee0f1475a6c4f6b266 upstream. + +This makes the tty layer use the .write_iter() function instead of the +traditional .write() functionality. + +That allows writev(), but more importantly also makes it possible to +enable .splice_write() for ttys, reinstating the "splice to tty" +functionality that was lost in commit 36e2c7421f02 ("fs: don't allow +splice read/write without explicit ops"). + +Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops") +Reported-by: Oliver Giles +Cc: Christoph Hellwig +Cc: Greg Kroah-Hartman +Cc: Al Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 48 ++++++++++++++++++++++++++---------------------- + 1 file changed, 26 insertions(+), 22 deletions(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -143,9 +143,8 @@ LIST_HEAD(tty_drivers); /* linked list + DEFINE_MUTEX(tty_mutex); + + static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *); +-static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *); +-ssize_t redirected_tty_write(struct file *, const char __user *, +- size_t, loff_t *); ++static ssize_t tty_write(struct kiocb *, struct iov_iter *); ++ssize_t redirected_tty_write(struct kiocb *, struct iov_iter *); + static __poll_t tty_poll(struct file *, poll_table *); + static int tty_open(struct inode *, struct file *); + long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg); +@@ -478,7 +477,8 @@ static void tty_show_fdinfo(struct seq_f + static const struct file_operations tty_fops = { + .llseek = no_llseek, + .read = tty_read, +- .write = tty_write, ++ .write_iter = tty_write, ++ .splice_write = iter_file_splice_write, + .poll = tty_poll, + .unlocked_ioctl = tty_ioctl, + .compat_ioctl = tty_compat_ioctl, +@@ -491,7 +491,8 @@ static const struct file_operations tty_ + static const struct file_operations console_fops = { + .llseek = no_llseek, + .read = tty_read, +- .write = redirected_tty_write, ++ .write_iter = redirected_tty_write, ++ .splice_write = iter_file_splice_write, + .poll = tty_poll, + .unlocked_ioctl = tty_ioctl, + .compat_ioctl = tty_compat_ioctl, +@@ -607,9 +608,9 @@ static void __tty_hangup(struct tty_stru + /* This breaks for file handles being sent over AF_UNIX sockets ? */ + list_for_each_entry(priv, &tty->tty_files, list) { + filp = priv->file; +- if (filp->f_op->write == redirected_tty_write) ++ if (filp->f_op->write_iter == redirected_tty_write) + cons_filp = filp; +- if (filp->f_op->write != tty_write) ++ if (filp->f_op->write_iter != tty_write) + continue; + closecount++; + __tty_fasync(-1, filp, 0); /* can't block */ +@@ -902,9 +903,9 @@ static inline ssize_t do_tty_write( + ssize_t (*write)(struct tty_struct *, struct file *, const unsigned char *, size_t), + struct tty_struct *tty, + struct file *file, +- const char __user *buf, +- size_t count) ++ struct iov_iter *from) + { ++ size_t count = iov_iter_count(from); + ssize_t ret, written = 0; + unsigned int chunk; + +@@ -956,14 +957,20 @@ static inline ssize_t do_tty_write( + size_t size = count; + if (size > chunk) + size = chunk; ++ + ret = -EFAULT; +- if (copy_from_user(tty->write_buf, buf, size)) ++ if (copy_from_iter(tty->write_buf, size, from) != size) + break; ++ + ret = write(tty, file, tty->write_buf, size); + if (ret <= 0) + break; ++ ++ /* FIXME! Have Al check this! */ ++ if (ret != size) ++ iov_iter_revert(from, size-ret); ++ + written += ret; +- buf += ret; + count -= ret; + if (!count) + break; +@@ -1023,9 +1030,9 @@ void tty_write_message(struct tty_struct + * write method will not be invoked in parallel for each device. + */ + +-static ssize_t tty_write(struct file *file, const char __user *buf, +- size_t count, loff_t *ppos) ++static ssize_t tty_write(struct kiocb *iocb, struct iov_iter *from) + { ++ struct file *file = iocb->ki_filp; + struct tty_struct *tty = file_tty(file); + struct tty_ldisc *ld; + ssize_t ret; +@@ -1038,18 +1045,15 @@ static ssize_t tty_write(struct file *fi + if (tty->ops->write_room == NULL) + tty_err(tty, "missing write_room method\n"); + ld = tty_ldisc_ref_wait(tty); +- if (!ld) +- return hung_up_tty_write(file, buf, count, ppos); +- if (!ld->ops->write) ++ if (!ld || !ld->ops->write) + ret = -EIO; + else +- ret = do_tty_write(ld->ops->write, tty, file, buf, count); ++ ret = do_tty_write(ld->ops->write, tty, file, from); + tty_ldisc_deref(ld); + return ret; + } + +-ssize_t redirected_tty_write(struct file *file, const char __user *buf, +- size_t count, loff_t *ppos) ++ssize_t redirected_tty_write(struct kiocb *iocb, struct iov_iter *iter) + { + struct file *p = NULL; + +@@ -1060,11 +1064,11 @@ ssize_t redirected_tty_write(struct file + + if (p) { + ssize_t res; +- res = vfs_write(p, buf, count, &p->f_pos); ++ res = vfs_iocb_iter_write(p, iocb, iter); + fput(p); + return res; + } +- return tty_write(file, buf, count, ppos); ++ return tty_write(iocb, iter); + } + + /** +@@ -2293,7 +2297,7 @@ static int tioccons(struct file *file) + { + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +- if (file->f_op->write == redirected_tty_write) { ++ if (file->f_op->write_iter == redirected_tty_write) { + struct file *f; + spin_lock(&redirect_lock); + f = redirect; diff --git a/queue-5.10/x86-sev-es-handle-string-port-io-to-kernel-memory-properly.patch b/queue-5.10/x86-sev-es-handle-string-port-io-to-kernel-memory-properly.patch new file mode 100644 index 00000000000..b3496edcdeb --- /dev/null +++ b/queue-5.10/x86-sev-es-handle-string-port-io-to-kernel-memory-properly.patch @@ -0,0 +1,60 @@ +From 7024f60d655272bd2ca1d3a4c9e0a63319b1eea1 Mon Sep 17 00:00:00 2001 +From: "Hyunwook (Wooky) Baek" +Date: Sat, 9 Jan 2021 23:11:02 -0800 +Subject: x86/sev-es: Handle string port IO to kernel memory properly + +From: Hyunwook (Wooky) Baek + +commit 7024f60d655272bd2ca1d3a4c9e0a63319b1eea1 upstream. + +Don't assume dest/source buffers are userspace addresses when manually +copying data for string I/O or MOVS MMIO, as {get,put}_user() will fail +if handed a kernel address and ultimately lead to a kernel panic. + +When invoking INSB/OUTSB instructions in kernel space in a +SEV-ES-enabled VM, the kernel crashes with the following message: + + "SEV-ES: Unsupported exception in #VC instruction emulation - can't continue" + +Handle that case properly. + + [ bp: Massage commit message. ] + +Fixes: f980f9c31a92 ("x86/sev-es: Compile early handler code into kernel image") +Signed-off-by: Hyunwook (Wooky) Baek +Signed-off-by: Borislav Petkov +Acked-by: David Rientjes +Link: https://lkml.kernel.org/r/20210110071102.2576186-1-baekhw@google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/sev-es.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/x86/kernel/sev-es.c ++++ b/arch/x86/kernel/sev-es.c +@@ -286,6 +286,12 @@ static enum es_result vc_write_mem(struc + u16 d2; + u8 d1; + ++ /* If instruction ran in kernel mode and the I/O buffer is in kernel space */ ++ if (!user_mode(ctxt->regs) && !access_ok(target, size)) { ++ memcpy(dst, buf, size); ++ return ES_OK; ++ } ++ + switch (size) { + case 1: + memcpy(&d1, buf, 1); +@@ -335,6 +341,12 @@ static enum es_result vc_read_mem(struct + u16 d2; + u8 d1; + ++ /* If instruction ran in kernel mode and the I/O buffer is in kernel space */ ++ if (!user_mode(ctxt->regs) && !access_ok(s, size)) { ++ memcpy(buf, src, size); ++ return ES_OK; ++ } ++ + switch (size) { + case 1: + if (get_user(d1, s)) diff --git a/queue-5.10/x86-sev-fix-nonistr-violation.patch b/queue-5.10/x86-sev-fix-nonistr-violation.patch new file mode 100644 index 00000000000..27b6042baf8 --- /dev/null +++ b/queue-5.10/x86-sev-fix-nonistr-violation.patch @@ -0,0 +1,35 @@ +From a1d5c98aac33a5a0004ecf88905dcc261c52f988 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 6 Jan 2021 15:36:21 +0100 +Subject: x86/sev: Fix nonistr violation + +From: Peter Zijlstra + +commit a1d5c98aac33a5a0004ecf88905dcc261c52f988 upstream. + +When the compiler fails to inline, it violates nonisntr: + + vmlinux.o: warning: objtool: __sev_es_nmi_complete()+0xc7: call to sev_es_wr_ghcb_msr() leaves .noinstr.text section + +Fixes: 4ca68e023b11 ("x86/sev-es: Handle NMI State") +Reported-by: Randy Dunlap +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20210106144017.532902065@infradead.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/sev-es.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/sev-es.c ++++ b/arch/x86/kernel/sev-es.c +@@ -225,7 +225,7 @@ static inline u64 sev_es_rd_ghcb_msr(voi + return __rdmsr(MSR_AMD64_SEV_ES_GHCB); + } + +-static inline void sev_es_wr_ghcb_msr(u64 val) ++static __always_inline void sev_es_wr_ghcb_msr(u64 val) + { + u32 low, high; + -- 2.47.2