From df81ca7cf558c99f5d434746e524cb4036979a24 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 14 Feb 2021 11:44:57 -0500 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...revert-set-default-clock-rate-of-hcl.patch | 47 ++++ ...ignal-page-contains-defined-contents.patch | 54 +++++ ...c-fix-oops-after-tlb-are-invalidated.patch | 204 ++++++++++++++++++ ...hip-fix-pcie-dt-properties-on-rk3399.patch | 50 +++++ ...rt-bfq-fix-computation-of-shallow-de.patch | 68 ++++++ .../cap-fix-conversions-on-getxattr.patch | 145 +++++++++++++ ...fix-dc_sink-kref-count-in-emulated_l.patch | 44 ++++ ...free-atomic-state-after-drm_atomic_c.patch | 73 +++++++ ...form-vfs_getxattr-with-mounter-creds.patch | 40 ++++ ...ovl-skip-getxattr-of-security-labels.patch | 74 +++++++ ...wmi-disable-tablet-mode-reporting-by.patch | 102 +++++++++ ...valid-must-check-the-address-belongs.patch | 46 ++++ queue-4.19/series | 12 ++ 13 files changed, 959 insertions(+) create mode 100644 queue-4.19/arm-dts-lpc32xx-revert-set-default-clock-rate-of-hcl.patch create mode 100644 queue-4.19/arm-ensure-the-signal-page-contains-defined-contents.patch create mode 100644 queue-4.19/arm-kexec-fix-oops-after-tlb-are-invalidated.patch create mode 100644 queue-4.19/arm64-dts-rockchip-fix-pcie-dt-properties-on-rk3399.patch create mode 100644 queue-4.19/bfq-iosched-revert-bfq-fix-computation-of-shallow-de.patch create mode 100644 queue-4.19/cap-fix-conversions-on-getxattr.patch create mode 100644 queue-4.19/drm-amd-display-fix-dc_sink-kref-count-in-emulated_l.patch create mode 100644 queue-4.19/drm-amd-display-free-atomic-state-after-drm_atomic_c.patch create mode 100644 queue-4.19/ovl-perform-vfs_getxattr-with-mounter-creds.patch create mode 100644 queue-4.19/ovl-skip-getxattr-of-security-labels.patch create mode 100644 queue-4.19/platform-x86-hp-wmi-disable-tablet-mode-reporting-by.patch create mode 100644 queue-4.19/riscv-virt_addr_valid-must-check-the-address-belongs.patch 
diff --git a/queue-4.19/arm-dts-lpc32xx-revert-set-default-clock-rate-of-hcl.patch b/queue-4.19/arm-dts-lpc32xx-revert-set-default-clock-rate-of-hcl.patch new file mode 100644 index 00000000000..8c9d723aed7 --- /dev/null +++ b/queue-4.19/arm-dts-lpc32xx-revert-set-default-clock-rate-of-hcl.patch @@ -0,0 +1,47 @@ +From a15284d9ebb70342c08366734c6f076e9d6cbe54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Feb 2021 10:03:20 +0100 +Subject: ARM: dts: lpc32xx: Revert set default clock rate of HCLK PLL + +From: Alexandre Belloni + +[ Upstream commit 5638159f6d93b99ec9743ac7f65563fca3cf413d ] + +This reverts commit c17e9377aa81664d94b4f2102559fcf2a01ec8e7. + +The lpc32xx clock driver is not able to actually change the PLL rate as +this would require reparenting ARM_CLK, DDRAM_CLK, PERIPH_CLK to SYSCLK, +then stop the PLL, update the register, restart the PLL and wait for the +PLL to lock and finally reparent ARM_CLK, DDRAM_CLK, PERIPH_CLK to HCLK +PLL. + +Currently, the HCLK driver simply updates the registers but this has no +real effect and all the clock rate calculation end up being wrong. This is +especially annoying for the peripheral (e.g. UARTs, I2C, SPI). + +Signed-off-by: Alexandre Belloni +Tested-by: Gregory CLEMENT +Link: https://lore.kernel.org/r/20210203090320.GA3760268@piout.net' +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/lpc32xx.dtsi | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/arch/arm/boot/dts/lpc32xx.dtsi b/arch/arm/boot/dts/lpc32xx.dtsi +index 9ad3df11db0d8..abef034987a27 100644 +--- a/arch/arm/boot/dts/lpc32xx.dtsi ++++ b/arch/arm/boot/dts/lpc32xx.dtsi +@@ -323,9 +323,6 @@ + + clocks = <&xtal_32k>, <&xtal>; + clock-names = "xtal_32k", "xtal"; +- +- assigned-clocks = <&clk LPC32XX_CLK_HCLK_PLL>; +- assigned-clock-rates = <208000000>; + }; + }; + +-- +2.27.0 + 
diff --git a/queue-4.19/arm-ensure-the-signal-page-contains-defined-contents.patch b/queue-4.19/arm-ensure-the-signal-page-contains-defined-contents.patch new file mode 100644 index 00000000000..fd8d6b55a54 --- /dev/null +++ b/queue-4.19/arm-ensure-the-signal-page-contains-defined-contents.patch @@ -0,0 +1,54 @@ +From 897d9e37bb611560617bec239337a3ac82cec35a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 10:19:07 +0000 +Subject: ARM: ensure the signal page contains defined contents + +From: Russell King + +[ Upstream commit 9c698bff66ab4914bb3d71da7dc6112519bde23e ] + +Ensure that the signal page contains our poison instruction to increase +the protection against ROP attacks and also contains well defined +contents. + +Acked-by: Will Deacon +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/signal.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c +index b908382b69ff5..1c01358b9b6db 100644 +--- a/arch/arm/kernel/signal.c ++++ b/arch/arm/kernel/signal.c +@@ -697,18 +697,20 @@ struct page *get_signal_page(void) + + addr = page_address(page); + ++ /* Poison the entire page */ ++ memset32(addr, __opcode_to_mem_arm(0xe7fddef1), ++ PAGE_SIZE / sizeof(u32)); ++ + /* Give the signal return code some randomness */ + offset = 0x200 + (get_random_int() & 0x7fc); + signal_return_offset = offset; + +- /* +- * Copy signal return handlers into the vector page, and +- * set sigreturn to be a pointer to these. +- */ ++ /* Copy signal return handlers into the page */ + memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes)); + +- ptr = (unsigned long)addr + offset; +- flush_icache_range(ptr, ptr + sizeof(sigreturn_codes)); ++ /* Flush out all instructions in this page */ ++ ptr = (unsigned long)addr; ++ flush_icache_range(ptr, ptr + PAGE_SIZE); + + return page; + } +-- +2.27.0 + 
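Review bot: The poison word `0xe7fddef1` passed to the `memset32()` added in `get_signal_page()` (arch/arm/kernel/signal.c) is a bare magic number, and the comment `/* Poison the entire page */` does not say why this value is safe to leave in a page that user space can execute. I would expand the comment to something like `/* Poison the entire page with an instruction that is undefined in both ARM and Thumb state */`. That property is my understanding of this opcode and should be confirmed before it is written down; giving the constant a name would also help. The function starts outside the hunk, so the page allocation and its error handling are not visible here.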
diff --git a/queue-4.19/arm-kexec-fix-oops-after-tlb-are-invalidated.patch b/queue-4.19/arm-kexec-fix-oops-after-tlb-are-invalidated.patch new file mode 100644 index 00000000000..1285514717a --- /dev/null +++ b/queue-4.19/arm-kexec-fix-oops-after-tlb-are-invalidated.patch 
@@ -0,0 +1,204 @@ +From 2d409baae1a8a543b7d8007c5b43a0ac7a6c1e8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Feb 2021 19:40:01 +0000 +Subject: ARM: kexec: fix oops after TLB are invalidated + +From: Russell King + +[ Upstream commit 4d62e81b60d4025e2dfcd5ea531cc1394ce9226f ] + +Giancarlo Ferrari reports the following oops while trying to use kexec: + + Unable to handle kernel paging request at virtual address 80112f38 + pgd = fd7ef03e + [80112f38] *pgd=0001141e(bad) + Internal error: Oops: 80d [#1] PREEMPT SMP ARM + ... + +This is caused by machine_kexec() trying to set the kernel text to be +read/write, so it can poke values into the relocation code before +copying it - and an interrupt occuring which changes the page tables. +The subsequent writes then hit read-only sections that trigger a +data abort resulting in the above oops. + +Fix this by copying the relocation code, and then writing the variables +into the destination, thereby avoiding the need to make the kernel text +read/write. 
+ +Reported-by: Giancarlo Ferrari +Tested-by: Giancarlo Ferrari +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/kexec-internal.h | 12 +++++++++ + arch/arm/kernel/asm-offsets.c | 5 ++++ + arch/arm/kernel/machine_kexec.c | 20 ++++++-------- + arch/arm/kernel/relocate_kernel.S | 38 ++++++++------------------- + 4 files changed, 36 insertions(+), 39 deletions(-) + create mode 100644 arch/arm/include/asm/kexec-internal.h + +diff --git a/arch/arm/include/asm/kexec-internal.h b/arch/arm/include/asm/kexec-internal.h +new file mode 100644 +index 0000000000000..ecc2322db7aa1 +--- /dev/null ++++ b/arch/arm/include/asm/kexec-internal.h +@@ -0,0 +1,12 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _ARM_KEXEC_INTERNAL_H ++#define _ARM_KEXEC_INTERNAL_H ++ ++struct kexec_relocate_data { ++ unsigned long kexec_start_address; ++ unsigned long kexec_indirection_page; ++ unsigned long kexec_mach_type; ++ unsigned long kexec_r2; ++}; ++ ++#endif +diff --git a/arch/arm/kernel/asm-offsets.c b/arch/arm/kernel/asm-offsets.c +index 3968d6c22455b..ae85f67a63520 100644 +--- a/arch/arm/kernel/asm-offsets.c ++++ b/arch/arm/kernel/asm-offsets.c +@@ -18,6 +18,7 @@ + #include + #endif + #include ++#include + #include + #include + #include +@@ -189,5 +190,9 @@ int main(void) + DEFINE(MPU_RGN_PRBAR, offsetof(struct mpu_rgn, prbar)); + DEFINE(MPU_RGN_PRLAR, offsetof(struct mpu_rgn, prlar)); + #endif ++ DEFINE(KEXEC_START_ADDR, offsetof(struct kexec_relocate_data, kexec_start_address)); ++ DEFINE(KEXEC_INDIR_PAGE, offsetof(struct kexec_relocate_data, kexec_indirection_page)); ++ DEFINE(KEXEC_MACH_TYPE, offsetof(struct kexec_relocate_data, kexec_mach_type)); ++ DEFINE(KEXEC_R2, offsetof(struct kexec_relocate_data, kexec_r2)); + return 0; + } +diff --git a/arch/arm/kernel/machine_kexec.c b/arch/arm/kernel/machine_kexec.c +index 76300f3813e89..734adeb42df87 100644 +--- a/arch/arm/kernel/machine_kexec.c ++++ b/arch/arm/kernel/machine_kexec.c +@@ -15,6 +15,7 @@ + 
#include + #include + #include ++#include + #include + #include + #include +@@ -24,11 +25,6 @@ + extern void relocate_new_kernel(void); + extern const unsigned int relocate_new_kernel_size; + +-extern unsigned long kexec_start_address; +-extern unsigned long kexec_indirection_page; +-extern unsigned long kexec_mach_type; +-extern unsigned long kexec_boot_atags; +- + static atomic_t waiting_for_crash_ipi; + + /* +@@ -161,6 +157,7 @@ void (*kexec_reinit)(void); + void machine_kexec(struct kimage *image) + { + unsigned long page_list, reboot_entry_phys; ++ struct kexec_relocate_data *data; + void (*reboot_entry)(void); + void *reboot_code_buffer; + +@@ -176,18 +173,17 @@ void machine_kexec(struct kimage *image) + + reboot_code_buffer = page_address(image->control_code_page); + +- /* Prepare parameters for reboot_code_buffer*/ +- set_kernel_text_rw(); +- kexec_start_address = image->start; +- kexec_indirection_page = page_list; +- kexec_mach_type = machine_arch_type; +- kexec_boot_atags = image->arch.kernel_r2; +- + /* copy our kernel relocation code to the control code page */ + reboot_entry = fncpy(reboot_code_buffer, + &relocate_new_kernel, + relocate_new_kernel_size); + ++ data = reboot_code_buffer + relocate_new_kernel_size; ++ data->kexec_start_address = image->start; ++ data->kexec_indirection_page = page_list; ++ data->kexec_mach_type = machine_arch_type; ++ data->kexec_r2 = image->arch.kernel_r2; ++ + /* get the identity mapping physical address for the reboot code */ + reboot_entry_phys = virt_to_idmap(reboot_entry); + +diff --git a/arch/arm/kernel/relocate_kernel.S b/arch/arm/kernel/relocate_kernel.S +index 7eaa2ae7aff58..5e15b5912cb05 100644 +--- a/arch/arm/kernel/relocate_kernel.S ++++ b/arch/arm/kernel/relocate_kernel.S +@@ -5,14 +5,16 @@ + + #include + #include ++#include + #include + + .align 3 /* not needed for this code, but keeps fncpy() happy */ + + ENTRY(relocate_new_kernel) + +- ldr r0,kexec_indirection_page +- ldr r1,kexec_start_address ++ adr 
r7, relocate_new_kernel_end ++ ldr r0, [r7, #KEXEC_INDIR_PAGE] ++ ldr r1, [r7, #KEXEC_START_ADDR] + + /* + * If there is no indirection page (we are doing crashdumps) +@@ -57,34 +59,16 @@ ENTRY(relocate_new_kernel) + + 2: + /* Jump to relocated kernel */ +- mov lr,r1 +- mov r0,#0 +- ldr r1,kexec_mach_type +- ldr r2,kexec_boot_atags +- ARM( ret lr ) +- THUMB( bx lr ) +- +- .align +- +- .globl kexec_start_address +-kexec_start_address: +- .long 0x0 +- +- .globl kexec_indirection_page +-kexec_indirection_page: +- .long 0x0 +- +- .globl kexec_mach_type +-kexec_mach_type: +- .long 0x0 +- +- /* phy addr of the atags for the new kernel */ +- .globl kexec_boot_atags +-kexec_boot_atags: +- .long 0x0 ++ mov lr, r1 ++ mov r0, #0 ++ ldr r1, [r7, #KEXEC_MACH_TYPE] ++ ldr r2, [r7, #KEXEC_R2] ++ ARM( ret lr ) ++ THUMB( bx lr ) + + ENDPROC(relocate_new_kernel) + ++ .align 3 + relocate_new_kernel_end: + + .globl relocate_new_kernel_size +-- +2.27.0 + diff --git a/queue-4.19/arm64-dts-rockchip-fix-pcie-dt-properties-on-rk3399.patch b/queue-4.19/arm64-dts-rockchip-fix-pcie-dt-properties-on-rk3399.patch new file mode 100644 index 00000000000..4640f35a9b0 --- /dev/null +++ b/queue-4.19/arm64-dts-rockchip-fix-pcie-dt-properties-on-rk3399.patch 
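Review bot: Nothing in the `machine_kexec()` hunk checks that the control code page has room for `struct kexec_relocate_data` behind the copied stub: `data = reboot_code_buffer + relocate_new_kernel_size;` is followed directly by four stores. If the relocation code grows, those stores could run past the page, so a guard before the `fncpy()` call such as `BUG_ON(relocate_new_kernel_size + sizeof(*data) > KEXEC_CONTROL_PAGE_SIZE);` would make the assumption explicit (this assumes the control page is KEXEC_CONTROL_PAGE_SIZE bytes; its allocation is outside the hunk). The stores now happen after `fncpy()`, so it is also worth confirming that the cache maintenance later in the function, which is not shown, covers these data words as well as the code.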
@@ -0,0 +1,50 @@ +From 404154c5af4f4bcf446ecbdab8355fe691625a44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Aug 2020 13:51:12 +0100 +Subject: arm64: dts: rockchip: Fix PCIe DT properties on rk3399 + +From: Marc Zyngier + +[ Upstream commit 43f20b1c6140896916f4e91aacc166830a7ba849 ] + +It recently became apparent that the lack of a 'device_type = "pci"' +in the PCIe root complex node for rk3399 is a violation of the PCI +binding, as documented in IEEE Std 1275-1994. Changes to the kernel's +parsing of the DT made such violation fatal, as drivers cannot +probe the controller anymore. + +Add the missing property makes the PCIe node compliant. While we +are at it, drop the pointless linux,pci-domain property, which only +makes sense when there are multiple host bridges. + +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20200815125112.462652-3-maz@kernel.org +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi +index f4ee7c4f83b8b..b1c1a88a1c20c 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi +@@ -198,6 +198,7 @@ + reg = <0x0 0xf8000000 0x0 0x2000000>, + <0x0 0xfd000000 0x0 0x1000000>; + reg-names = "axi-base", "apb-base"; ++ device_type = "pci"; + #address-cells = <3>; + #size-cells = <2>; + #interrupt-cells = <1>; +@@ -216,7 +217,6 @@ + <0 0 0 2 &pcie0_intc 1>, + <0 0 0 3 &pcie0_intc 2>, + <0 0 0 4 &pcie0_intc 3>; +- linux,pci-domain = <0>; + max-link-speed = <1>; + msi-map = <0x0 &its 0x0 0x1000>; + phys = <&pcie_phy 0>, <&pcie_phy 1>, +-- +2.27.0 + diff --git a/queue-4.19/bfq-iosched-revert-bfq-fix-computation-of-shallow-de.patch b/queue-4.19/bfq-iosched-revert-bfq-fix-computation-of-shallow-de.patch new file mode 100644 index 00000000000..37e51a509c3 --- /dev/null 
+++ b/queue-4.19/bfq-iosched-revert-bfq-fix-computation-of-shallow-de.patch 
@@ -0,0 +1,68 @@ +From b26265043888cbc0d00ef65a4cfb04de62dc28f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Feb 2021 07:18:23 -0700 +Subject: bfq-iosched: Revert "bfq: Fix computation of shallow depth" + +From: Lin Feng + +[ Upstream commit 388c705b95f23f317fa43e6abf9ff07b583b721a ] + +This reverts commit 6d4d273588378c65915acaf7b2ee74e9dd9c130a. + +bfq.limit_depth passes word_depths[] as shallow_depth down to sbitmap core +sbitmap_get_shallow, which uses just the number to limit the scan depth of +each bitmap word, formula: +scan_percentage_for_each_word = shallow_depth / (1 << sbimap->shift) * 100% + +That means the comments's percentiles 50%, 75%, 18%, 37% of bfq are correct. +But after commit patch 'bfq: Fix computation of shallow depth', we use +sbitmap.depth instead, as a example in following case: + +sbitmap.depth = 256, map_nr = 4, shift = 6; sbitmap_word.depth = 64. +The resulsts of computed bfqd->word_depths[] are {128, 192, 48, 96}, and +three of the numbers exceed core dirver's 'sbitmap_word.depth=64' limit +nothing. + +Signed-off-by: Lin Feng +Reviewed-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index b7ad8ac6bb41e..5198ed1b36690 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -5280,13 +5280,13 @@ static unsigned int bfq_update_depths(struct bfq_data *bfqd, + * limit 'something'. + */ + /* no more than 50% of tags for async I/O */ +- bfqd->word_depths[0][0] = max(bt->sb.depth >> 1, 1U); ++ bfqd->word_depths[0][0] = max((1U << bt->sb.shift) >> 1, 1U); + /* + * no more than 75% of tags for sync writes (25% extra tags + * w.r.t. 
async I/O, to prevent async I/O from starving sync + * writes) + */ +- bfqd->word_depths[0][1] = max((bt->sb.depth * 3) >> 2, 1U); ++ bfqd->word_depths[0][1] = max(((1U << bt->sb.shift) * 3) >> 2, 1U); + + /* + * In-word depths in case some bfq_queue is being weight- +@@ -5296,9 +5296,9 @@ static unsigned int bfq_update_depths(struct bfq_data *bfqd, + * shortage. + */ + /* no more than ~18% of tags for async I/O */ +- bfqd->word_depths[1][0] = max((bt->sb.depth * 3) >> 4, 1U); ++ bfqd->word_depths[1][0] = max(((1U << bt->sb.shift) * 3) >> 4, 1U); + /* no more than ~37% of tags for sync writes (~20% extra tags) */ +- bfqd->word_depths[1][1] = max((bt->sb.depth * 6) >> 4, 1U); ++ bfqd->word_depths[1][1] = max(((1U << bt->sb.shift) * 6) >> 4, 1U); + + for (i = 0; i < 2; i++) + for (j = 0; j < 2; j++) +-- +2.27.0 + diff --git a/queue-4.19/cap-fix-conversions-on-getxattr.patch b/queue-4.19/cap-fix-conversions-on-getxattr.patch new file mode 100644 index 00000000000..b3b6bd5bfae --- /dev/null +++ b/queue-4.19/cap-fix-conversions-on-getxattr.patch 
@@ -0,0 +1,145 @@ +From e9d6e699f3ed1c67f530ce822e87b4815f3fde69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jan 2021 10:22:48 +0100 +Subject: cap: fix conversions on getxattr + +From: Miklos Szeredi + +[ Upstream commit f2b00be488730522d0fb7a8a5de663febdcefe0a ] + +If a capability is stored on disk in v2 format cap_inode_getsecurity() will +currently return in v2 format unconditionally. + +This is wrong: v2 cap should be equivalent to a v3 cap with zero rootid, +and so the same conversions performed on it. + +If the rootid cannot be mapped, v3 is returned unconverted. Fix this so +that both v2 and v3 return -EOVERFLOW if the rootid (or the owner of the fs +user namespace in case of v2) cannot be mapped into the current user +namespace. + +Signed-off-by: Miklos Szeredi +Acked-by: "Eric W. Biederman" +Signed-off-by: Sasha Levin +--- + security/commoncap.c | 67 ++++++++++++++++++++++++++++---------------- + 1 file changed, 43 insertions(+), 24 deletions(-) + +diff --git a/security/commoncap.c b/security/commoncap.c +index f86557a8e43f6..a1dee0ab345a2 100644 +--- a/security/commoncap.c ++++ b/security/commoncap.c +@@ -377,10 +377,11 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer, + { + int size, ret; + kuid_t kroot; ++ u32 nsmagic, magic; + uid_t root, mappedroot; + char *tmpbuf = NULL; + struct vfs_cap_data *cap; +- struct vfs_ns_cap_data *nscap; ++ struct vfs_ns_cap_data *nscap = NULL; + struct dentry *dentry; + struct user_namespace *fs_ns; + +@@ -402,46 +403,61 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer, + fs_ns = inode->i_sb->s_user_ns; + cap = (struct vfs_cap_data *) tmpbuf; + if (is_v2header((size_t) ret, cap)) { +- /* If this is sizeof(vfs_cap_data) then we're ok with the +- * on-disk value, so return that. 
*/ +- if (alloc) +- *buffer = tmpbuf; +- else +- kfree(tmpbuf); +- return ret; +- } else if (!is_v3header((size_t) ret, cap)) { +- kfree(tmpbuf); +- return -EINVAL; ++ root = 0; ++ } else if (is_v3header((size_t) ret, cap)) { ++ nscap = (struct vfs_ns_cap_data *) tmpbuf; ++ root = le32_to_cpu(nscap->rootid); ++ } else { ++ size = -EINVAL; ++ goto out_free; + } + +- nscap = (struct vfs_ns_cap_data *) tmpbuf; +- root = le32_to_cpu(nscap->rootid); + kroot = make_kuid(fs_ns, root); + + /* If the root kuid maps to a valid uid in current ns, then return + * this as a nscap. */ + mappedroot = from_kuid(current_user_ns(), kroot); + if (mappedroot != (uid_t)-1 && mappedroot != (uid_t)0) { ++ size = sizeof(struct vfs_ns_cap_data); + if (alloc) { +- *buffer = tmpbuf; ++ if (!nscap) { ++ /* v2 -> v3 conversion */ ++ nscap = kzalloc(size, GFP_ATOMIC); ++ if (!nscap) { ++ size = -ENOMEM; ++ goto out_free; ++ } ++ nsmagic = VFS_CAP_REVISION_3; ++ magic = le32_to_cpu(cap->magic_etc); ++ if (magic & VFS_CAP_FLAGS_EFFECTIVE) ++ nsmagic |= VFS_CAP_FLAGS_EFFECTIVE; ++ memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32); ++ nscap->magic_etc = cpu_to_le32(nsmagic); ++ } else { ++ /* use allocated v3 buffer */ ++ tmpbuf = NULL; ++ } + nscap->rootid = cpu_to_le32(mappedroot); +- } else +- kfree(tmpbuf); +- return size; ++ *buffer = nscap; ++ } ++ goto out_free; + } + + if (!rootid_owns_currentns(kroot)) { +- kfree(tmpbuf); +- return -EOPNOTSUPP; ++ size = -EOVERFLOW; ++ goto out_free; + } + + /* This comes from a parent namespace. 
Return as a v2 capability */ + size = sizeof(struct vfs_cap_data); + if (alloc) { +- *buffer = kmalloc(size, GFP_ATOMIC); +- if (*buffer) { +- struct vfs_cap_data *cap = *buffer; +- __le32 nsmagic, magic; ++ if (nscap) { ++ /* v3 -> v2 conversion */ ++ cap = kzalloc(size, GFP_ATOMIC); ++ if (!cap) { ++ size = -ENOMEM; ++ goto out_free; ++ } + magic = VFS_CAP_REVISION_2; + nsmagic = le32_to_cpu(nscap->magic_etc); + if (nsmagic & VFS_CAP_FLAGS_EFFECTIVE) +@@ -449,9 +465,12 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer, + memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32); + cap->magic_etc = cpu_to_le32(magic); + } else { +- size = -ENOMEM; ++ /* use unconverted v2 */ ++ tmpbuf = NULL; + } ++ *buffer = cap; + } ++out_free: + kfree(tmpbuf); + return size; + } +-- +2.27.0 + diff --git a/queue-4.19/drm-amd-display-fix-dc_sink-kref-count-in-emulated_l.patch b/queue-4.19/drm-amd-display-fix-dc_sink-kref-count-in-emulated_l.patch new file mode 100644 index 00000000000..c8496c6d9cc --- /dev/null +++ b/queue-4.19/drm-amd-display-fix-dc_sink-kref-count-in-emulated_l.patch 
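Review bot: Buffer ownership in `cap_inode_getsecurity()` (security/commoncap.c) is now signalled by setting `tmpbuf = NULL` in the branches that hand the on-disk buffer to `*buffer`, and nothing at `out_free:` says so. A comment there, e.g. `/* tmpbuf is NULL here when it was handed to the caller via *buffer */`, would keep a later edit from reintroducing a leak or a double free. Both conversions copy `sizeof(__le32) * 2 * VFS_CAP_U32` bytes by hand; using `sizeof` on the destination's `data` field would tie the length to the struct, assuming the two `data` arrays have the same layout (their definitions are not in this hunk). The unmappable-rootid result changes from `-EOPNOTSUPP` to `-EOVERFLOW`, so any header comment on the function, which would be outside the hunk, should list the new return value.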
@@ -0,0 +1,44 @@ +From 787a09706d05486106aa80de4a5eef69f3db9532 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jan 2021 22:24:14 -0500 +Subject: drm/amd/display: Fix dc_sink kref count in emulated_link_detect + +From: Victor Lu + +[ Upstream commit 3ddc818d9bb877c64f5c649beab97af86c403702 ] + +[why] +prev_sink is not used anywhere else in the function and the reference to +it from dc_link is replaced with a new dc_sink. + +[how] +Change dc_sink_retain(prev_sink) to dc_sink_release(prev_sink). + +Signed-off-by: Victor Lu +Reviewed-by: Nicholas Kazlauskas +Acked-by: Anson Jacob +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 3b07a316680c2..7b00e96705b6d 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -668,8 +668,8 @@ static void emulated_link_detect(struct dc_link *link) + link->type = dc_connection_none; + prev_sink = link->local_sink; + +- if (prev_sink != NULL) +- dc_sink_retain(prev_sink); ++ if (prev_sink) ++ dc_sink_release(prev_sink); + + switch (link->connector_signal) { + case SIGNAL_TYPE_HDMI_TYPE_A: { +-- +2.27.0 + diff --git a/queue-4.19/drm-amd-display-free-atomic-state-after-drm_atomic_c.patch b/queue-4.19/drm-amd-display-free-atomic-state-after-drm_atomic_c.patch new file mode 100644 index 00000000000..f4258351108 --- /dev/null +++ b/queue-4.19/drm-amd-display-free-atomic-state-after-drm_atomic_c.patch 
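Review bot: After `dc_sink_release(prev_sink)` in `emulated_link_detect()`, `link->local_sink` still holds the same pointer until the `switch` that follows stores a replacement. Only the first `case` is visible in the hunk; if any branch of that switch returns without assigning a new sink, the link is left pointing at an object whose reference was just dropped. Releasing the old sink after the new one is stored, or adding `link->local_sink = NULL;` next to the release, would close that window.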
@@ -0,0 +1,73 @@ +From 4cdd71661434b756705d9d8cde5aee6f98d49c04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jan 2021 16:27:07 -0500 +Subject: drm/amd/display: Free atomic state after drm_atomic_commit + +From: Victor Lu + +[ Upstream commit 2abaa323d744011982b20b8f3886184d56d23946 ] + +[why] +drm_atomic_commit was changed so that the caller must free their +drm_atomic_state reference on successes. + +[how] +Add drm_atomic_commit_put after drm_atomic_commit call in +dm_force_atomic_commit. + +Signed-off-by: Victor Lu +Reviewed-by: Roman Li +Acked-by: Anson Jacob +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 7b00e96705b6d..62a2f0491117d 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -4732,14 +4732,14 @@ static int dm_force_atomic_commit(struct drm_connector *connector) + + ret = PTR_ERR_OR_ZERO(conn_state); + if (ret) +- goto err; ++ goto out; + + /* Attach crtc to drm_atomic_state*/ + crtc_state = drm_atomic_get_crtc_state(state, &disconnected_acrtc->base); + + ret = PTR_ERR_OR_ZERO(crtc_state); + if (ret) +- goto err; ++ goto out; + + /* force a restore */ + crtc_state->mode_changed = true; +@@ -4749,17 +4749,15 @@ static int dm_force_atomic_commit(struct drm_connector *connector) + + ret = PTR_ERR_OR_ZERO(plane_state); + if (ret) +- goto err; +- ++ goto out; + + /* Call commit internally with the state we just constructed */ + ret = drm_atomic_commit(state); +- if (!ret) +- return 0; + +-err: +- DRM_ERROR("Restoring old state failed with %i\n", ret); ++out: + drm_atomic_state_put(state); ++ if (ret) ++ DRM_ERROR("Restoring old state failed with %i\n", ret); + + return ret; + } +-- +2.27.0 
+ diff --git a/queue-4.19/ovl-perform-vfs_getxattr-with-mounter-creds.patch b/queue-4.19/ovl-perform-vfs_getxattr-with-mounter-creds.patch new file mode 100644 index 00000000000..6e9330b32af --- /dev/null +++ b/queue-4.19/ovl-perform-vfs_getxattr-with-mounter-creds.patch @@ -0,0 +1,40 @@ +From 5bc985b45628b8b2fa066130a78e7524899302a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jan 2021 10:22:48 +0100 +Subject: ovl: perform vfs_getxattr() with mounter creds + +From: Miklos Szeredi + +[ Upstream commit 554677b97257b0b69378bd74e521edb7e94769ff ] + +The vfs_getxattr() in ovl_xattr_set() is used to check whether an xattr +exist on a lower layer file that is to be removed. If the xattr does not +exist, then no need to copy up the file. + +This call of vfs_getxattr() wasn't wrapped in credential override, and this +is probably okay. But for consitency wrap this instance as well. + +Reported-by: "Eric W. Biederman" +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/overlayfs/inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c +index 8b3c284ce92ea..08e60a6df77c3 100644 +--- a/fs/overlayfs/inode.c ++++ b/fs/overlayfs/inode.c +@@ -340,7 +340,9 @@ int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name, + goto out; + + if (!value && !upperdentry) { ++ old_cred = ovl_override_creds(dentry->d_sb); + err = vfs_getxattr(realdentry, name, NULL, 0); ++ revert_creds(old_cred); + if (err < 0) + goto out_drop_write; + } +-- +2.27.0 + diff --git a/queue-4.19/ovl-skip-getxattr-of-security-labels.patch b/queue-4.19/ovl-skip-getxattr-of-security-labels.patch new file mode 100644 index 00000000000..816da01ff50 --- /dev/null +++ b/queue-4.19/ovl-skip-getxattr-of-security-labels.patch 
@@ -0,0 +1,74 @@ +From 866bfe1926fb6e6e271f8cf59a14f9d870df96af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Dec 2020 12:16:08 +0200 +Subject: ovl: skip getxattr of security labels + +From: Amir Goldstein + +[ Upstream commit 03fedf93593c82538b18476d8c4f0e8f8435ea70 ] + +When inode has no listxattr op of its own (e.g. squashfs) vfs_listxattr +calls the LSM inode_listsecurity hooks to list the xattrs that LSMs will +intercept in inode_getxattr hooks. + +When selinux LSM is installed but not initialized, it will list the +security.selinux xattr in inode_listsecurity, but will not intercept it +in inode_getxattr. This results in -ENODATA for a getxattr call for an +xattr returned by listxattr. + +This situation was manifested as overlayfs failure to copy up lower +files from squashfs when selinux is built-in but not initialized, +because ovl_copy_xattr() iterates the lower inode xattrs by +vfs_listxattr() and vfs_getxattr(). + +ovl_copy_xattr() skips copy up of security labels that are indentified by +inode_copy_up_xattr LSM hooks, but it does that after vfs_getxattr(). +Since we are not going to copy them, skip vfs_getxattr() of the security +labels. 
+ +Reported-by: Michael Labriola +Tested-by: Michael Labriola +Link: https://lore.kernel.org/linux-unionfs/2nv9d47zt7.fsf@aldarion.sourceruckus.org/ +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/overlayfs/copy_up.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c +index 6eb0b882ad231..e164f489d01d9 100644 +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -79,6 +79,14 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new) + + if (ovl_is_private_xattr(name)) + continue; ++ ++ error = security_inode_copy_up_xattr(name); ++ if (error < 0 && error != -EOPNOTSUPP) ++ break; ++ if (error == 1) { ++ error = 0; ++ continue; /* Discard */ ++ } + retry: + size = vfs_getxattr(old, name, value, value_size); + if (size == -ERANGE) +@@ -102,13 +110,6 @@ retry: + goto retry; + } + +- error = security_inode_copy_up_xattr(name); +- if (error < 0 && error != -EOPNOTSUPP) +- break; +- if (error == 1) { +- error = 0; +- continue; /* Discard */ +- } + error = vfs_setxattr(new, name, value, size, 0); + if (error) + break; +-- +2.27.0 + diff --git a/queue-4.19/platform-x86-hp-wmi-disable-tablet-mode-reporting-by.patch b/queue-4.19/platform-x86-hp-wmi-disable-tablet-mode-reporting-by.patch new file mode 100644 index 00000000000..d6cfa2ccf15 --- /dev/null +++ b/queue-4.19/platform-x86-hp-wmi-disable-tablet-mode-reporting-by.patch 
@@ -0,0 +1,102 @@ +From be31b44a29c1918e7b1b215b1654943c6c6b6c67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 13:49:41 +0100 +Subject: platform/x86: hp-wmi: Disable tablet-mode reporting by default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +[ Upstream commit 67fbe02a5cebc3c653610f12e3c0424e58450153 ] + +Recently userspace has started making more use of SW_TABLET_MODE +(when an input-dev reports this). + +Specifically recent GNOME3 versions will: + +1. When SW_TABLET_MODE is reported and is reporting 0: +1.1 Disable accelerometer-based screen auto-rotation +1.2 Disable automatically showing the on-screen keyboard when a + text-input field is focussed + +2. When SW_TABLET_MODE is reported and is reporting 1: +2.1 Ignore input-events from the builtin keyboard and touchpad + (this is for 360° hinges style 2-in-1s where the keyboard and + touchpads are accessible on the back of the tablet when folded + into tablet-mode) + +This means that claiming to support SW_TABLET_MODE when it does not +actually work / reports correct values has bad side-effects. + +The check in the hp-wmi code which is used to decide if the input-dev +should claim SW_TABLET_MODE support, only checks if the +HPWMI_HARDWARE_QUERY is supported. It does *not* check if the hardware +actually is capable of reporting SW_TABLET_MODE. + +This leads to the hp-wmi input-dev claiming SW_TABLET_MODE support, +while in reality it will always report 0 as SW_TABLET_MODE value. +This has been seen on a "HP ENVY x360 Convertible 15-cp0xxx" and +this likely is the case on a whole lot of other HP models. + +This problem causes both auto-rotation and on-screen keyboard +support to not work on affected x360 models. 
+ +There is no easy fix for this, but since userspace expects +SW_TABLET_MODE reporting to be reliable when advertised it is +better to not claim/report SW_TABLET_MODE support at all, then +to claim to support it while it does not work. + +To avoid the mentioned problems, add a new enable_tablet_mode_sw +module-parameter which defaults to false. + +Note I've made this an int using the standard -1=auto, 0=off, 1=on +triplett, with the hope that in the future we can come up with a +better way to detect SW_TABLET_MODE support. ATM the default +auto option just does the same as off. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1918255 +Cc: Stefan Brüns +Signed-off-by: Hans de Goede +Acked-by: Mark Gross +Link: https://lore.kernel.org/r/20210120124941.73409-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp-wmi.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c +index 952544ca0d84d..93fadd4abf14d 100644 +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -45,6 +45,10 @@ MODULE_LICENSE("GPL"); + MODULE_ALIAS("wmi:95F24279-4D7B-4334-9387-ACCDC67EF61C"); + MODULE_ALIAS("wmi:5FB7F034-2C63-45e9-BE91-3D44E2C707E4"); + ++static int enable_tablet_mode_sw = -1; ++module_param(enable_tablet_mode_sw, int, 0444); ++MODULE_PARM_DESC(enable_tablet_mode_sw, "Enable SW_TABLET_MODE reporting (-1=auto, 0=no, 1=yes)"); ++ + #define HPWMI_EVENT_GUID "95F24279-4D7B-4334-9387-ACCDC67EF61C" + #define HPWMI_BIOS_GUID "5FB7F034-2C63-45e9-BE91-3D44E2C707E4" + +@@ -656,10 +660,12 @@ static int __init hp_wmi_input_setup(void) + } + + /* Tablet mode */ +- val = hp_wmi_hw_state(HPWMI_TABLET_MASK); +- if (!(val < 0)) { +- __set_bit(SW_TABLET_MODE, hp_wmi_input_dev->swbit); +- input_report_switch(hp_wmi_input_dev, SW_TABLET_MODE, val); ++ if (enable_tablet_mode_sw > 0) { ++ val = hp_wmi_hw_state(HPWMI_TABLET_MASK); ++ if (val >= 0) { ++ 
__set_bit(SW_TABLET_MODE, hp_wmi_input_dev->swbit); ++ input_report_switch(hp_wmi_input_dev, SW_TABLET_MODE, val); ++ } + } + + err = sparse_keymap_setup(hp_wmi_input_dev, hp_wmi_keymap, NULL); +-- +2.27.0 + diff --git a/queue-4.19/riscv-virt_addr_valid-must-check-the-address-belongs.patch b/queue-4.19/riscv-virt_addr_valid-must-check-the-address-belongs.patch new file mode 100644 index 00000000000..bd044d869f8 --- /dev/null +++ b/queue-4.19/riscv-virt_addr_valid-must-check-the-address-belongs.patch 
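Review bot: `MODULE_PARM_DESC` advertises `-1=auto`, but the only test in `hp_wmi_input_setup()` is `if (enable_tablet_mode_sw > 0)`, so the default behaves exactly like off and nothing in the source says so. The commit message explains this, but a user reading `modinfo` will not see it. I would either change the description to `"Enable SW_TABLET_MODE reporting (-1=auto, currently the same as 0; 0=no; 1=yes)"` or add a comment above the `if` stating that auto is treated as off until detection is implemented.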
@@ -0,0 +1,46 @@
+From e34ef64a447827871d38d3603dd38cb20a9a4a63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 Jan 2021 12:31:05 -0500
+Subject: riscv: virt_addr_valid must check the address belongs to linear
+ mapping
+
+From: Alexandre Ghiti
+
+[ Upstream commit 2ab543823322b564f205cb15d0f0302803c87d11 ]
+
+virt_addr_valid macro checks that a virtual address is valid, ie that
+the address belongs to the linear mapping and that the corresponding
+ physical page exists.
+
+Add the missing check that ensures the virtual address belongs to the
+linear mapping, otherwise __virt_to_phys, when compiled with
+CONFIG_DEBUG_VIRTUAL enabled, raises a WARN that is interpreted as a
+kernel bug by syzbot.
+
+Signed-off-by: Alexandre Ghiti
+Reviewed-by: Atish Patra
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/include/asm/page.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/riscv/include/asm/page.h b/arch/riscv/include/asm/page.h
+index 06cfbb3aacbb0..abc147aeff8b0 100644
+--- a/arch/riscv/include/asm/page.h
++++ b/arch/riscv/include/asm/page.h
+@@ -115,7 +115,10 @@ extern unsigned long min_low_pfn;
+
+ #endif /* __ASSEMBLY__ */
+
+-#define virt_addr_valid(vaddr) (pfn_valid(virt_to_pfn(vaddr)))
++#define virt_addr_valid(vaddr) ({ \
++ unsigned long _addr = (unsigned long)vaddr; \
++ (unsigned long)(_addr) >= PAGE_OFFSET && pfn_valid(virt_to_pfn(_addr)); \
++})
+
+ #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | \
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+--
+2.27.0
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 7afe5cd8e5d..fd6907d949b 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
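Review bot: In the new `virt_addr_valid` statement expression the macro argument is cast without parentheses, `(unsigned long)vaddr`, so a caller passing an expression such as `p + n` gets the cast applied to `p` before the arithmetic and the range check runs against a different address than intended; `unsigned long _addr = (unsigned long)(vaddr);` avoids that. The second cast in `(unsigned long)(_addr) >= PAGE_OFFSET` is redundant, since `_addr` is already `unsigned long`. A one-line comment above the macro, e.g. `/* Check PAGE_OFFSET first: virt_to_pfn() on a non-linear address WARNs under CONFIG_DEBUG_VIRTUAL */`, would record why the comparison has to stay ahead of `pfn_valid()`. As this file is a backport of the upstream commit named in the message, any such change would presumably have to land upstream first.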
@@ -1,3 +1,15 @@
 tracing-do-not-count-ftrace-events-in-top-level-enable-output.patch
 tracing-check-length-before-giving-out-the-filter-buffer.patch
 arm-xen-don-t-probe-xenbus-as-part-of-an-early-initcall.patch
+arm64-dts-rockchip-fix-pcie-dt-properties-on-rk3399.patch
+platform-x86-hp-wmi-disable-tablet-mode-reporting-by.patch
+ovl-perform-vfs_getxattr-with-mounter-creds.patch
+cap-fix-conversions-on-getxattr.patch
+ovl-skip-getxattr-of-security-labels.patch
+drm-amd-display-fix-dc_sink-kref-count-in-emulated_l.patch
+drm-amd-display-free-atomic-state-after-drm_atomic_c.patch
+riscv-virt_addr_valid-must-check-the-address-belongs.patch
+bfq-iosched-revert-bfq-fix-computation-of-shallow-de.patch
+arm-dts-lpc32xx-revert-set-default-clock-rate-of-hcl.patch
+arm-ensure-the-signal-page-contains-defined-contents.patch
+arm-kexec-fix-oops-after-tlb-are-invalidated.patch
--
2.47.2