From f3f729282da39a826b0bac899d5800f6f13a9757 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 28 Jan 2019 14:28:19 +0100 Subject: [PATCH] 4.20-stable patches added patches: acpi-nfit-block-function-zero-dsms.patch acpi-nfit-fix-command-supported-detection.patch dm-crypt-fix-parsing-of-extended-iv-arguments.patch dm-thin-fix-passdown_double_checking_shared_status.patch drm-amdgpu-add-aptx-quirk-for-lenovo-laptop.patch edac-altera-fix-s10-persistent-register-offset.patch input-input_event-provide-override-for-sparc64.patch input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch input-xpad-add-support-for-steelseries-stratus-duo.patch kvm-x86-fix-pv-ipis-for-32-bit-kvm-host.patch kvm-x86-fix-single-step-debugging.patch kvm-x86-vmx-use-kzalloc-for-cached_vmcs12.patch kvm-x86-warn_once-if-sending-a-pv-ipi-returns-a-fatal-error.patch scsi-ufs-use-explicit-access-size-in-ufshcd_dump_regs.patch x86-entry-64-compat-fix-stack-switching-for-xen-pv.patch x86-kaslr-fix-incorrect-i8254-outb-parameters.patch x86-pkeys-properly-copy-pkey-state-at-fork.patch x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch --- .../acpi-nfit-block-function-zero-dsms.patch | 40 ++++++ ...nfit-fix-command-supported-detection.patch | 129 ++++++++++++++++++ ...fix-parsing-of-extended-iv-arguments.patch | 84 ++++++++++++ ...ssdown_double_checking_shared_status.patch | 107 +++++++++++++++ ...gpu-add-aptx-quirk-for-lenovo-laptop.patch | 31 +++++ ...a-fix-s10-persistent-register-offset.patch | 43 ++++++ ...t_event-provide-override-for-sparc64.patch | 53 +++++++ ...-behavior-in-uinput_validate_absinfo.patch | 51 +++++++ ...-support-for-steelseries-stratus-duo.patch | 43 ++++++ ...-x86-fix-pv-ipis-for-32-bit-kvm-host.patch | 40 ++++++ .../kvm-x86-fix-single-step-debugging.patch | 43 ++++++ ...86-vmx-use-kzalloc-for-cached_vmcs12.patch | 68 +++++++++ ...nding-a-pv-ipi-returns-a-fatal-error.patch | 57 ++++++++ ...icit-access-size-in-ufshcd_dump_regs.patch | 87 ++++++++++++ queue-4.20/series | 18 +++ ...ompat-fix-stack-switching-for-xen-pv.patch | 62 +++++++++ ...-fix-incorrect-i8254-outb-parameters.patch | 39 ++++++ ...eys-properly-copy-pkey-state-at-fork.patch | 101 ++++++++++++++ ...k-to-check-for-state-being-preserved.patch | 115 ++++++++++++++++ 19 files changed, 1211 insertions(+) create mode 100644 queue-4.20/acpi-nfit-block-function-zero-dsms.patch create mode 100644 queue-4.20/acpi-nfit-fix-command-supported-detection.patch create mode 100644 queue-4.20/dm-crypt-fix-parsing-of-extended-iv-arguments.patch create mode 100644 queue-4.20/dm-thin-fix-passdown_double_checking_shared_status.patch create mode 100644 queue-4.20/drm-amdgpu-add-aptx-quirk-for-lenovo-laptop.patch create mode 100644 queue-4.20/edac-altera-fix-s10-persistent-register-offset.patch create mode 100644 queue-4.20/input-input_event-provide-override-for-sparc64.patch create mode 100644 queue-4.20/input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch create mode 100644 queue-4.20/input-xpad-add-support-for-steelseries-stratus-duo.patch create mode 100644 queue-4.20/kvm-x86-fix-pv-ipis-for-32-bit-kvm-host.patch create mode 100644 queue-4.20/kvm-x86-fix-single-step-debugging.patch create mode 100644 queue-4.20/kvm-x86-vmx-use-kzalloc-for-cached_vmcs12.patch create mode 100644 queue-4.20/kvm-x86-warn_once-if-sending-a-pv-ipi-returns-a-fatal-error.patch create mode 100644 queue-4.20/scsi-ufs-use-explicit-access-size-in-ufshcd_dump_regs.patch create mode 100644 queue-4.20/x86-entry-64-compat-fix-stack-switching-for-xen-pv.patch create mode 100644 queue-4.20/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch create mode 100644 queue-4.20/x86-pkeys-properly-copy-pkey-state-at-fork.patch create mode 100644 queue-4.20/x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch diff --git a/queue-4.20/acpi-nfit-block-function-zero-dsms.patch b/queue-4.20/acpi-nfit-block-function-zero-dsms.patch new file mode 100644 index 00000000000..487e1ec7114 --- /dev/null +++ b/queue-4.20/acpi-nfit-block-function-zero-dsms.patch @@ -0,0 +1,40 @@ +From 5e9e38d0db1d29efed1dd4cf9a70115d33521be7 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Mon, 14 Jan 2019 14:07:19 -0800 +Subject: acpi/nfit: Block function zero DSMs + +From: Dan Williams + +commit 5e9e38d0db1d29efed1dd4cf9a70115d33521be7 upstream. + +In preparation for using function number 0 as an error value, prevent it +from being considered a valid function value by acpi_nfit_ctl(). + +Cc: +Cc: stuart hayes +Fixes: e02fb7264d8a ("nfit: add Microsoft NVDIMM DSM command set...") +Reported-by: Jeff Moyer +Reviewed-by: Jeff Moyer +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/nfit/core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -1844,6 +1844,13 @@ static int acpi_nfit_add_dimm(struct acp + return 0; + } + ++ /* ++ * Function 0 is the command interrogation function, don't ++ * export it to potential userspace use, and enable it to be ++ * used as an error value in acpi_nfit_ctl(). ++ */ ++ dsm_mask &= ~1UL; ++ + guid = to_nfit_uuid(nfit_mem->family); + for_each_set_bit(i, &dsm_mask, BITS_PER_LONG) + if (acpi_check_dsm(adev_dimm->handle, guid, diff --git a/queue-4.20/acpi-nfit-fix-command-supported-detection.patch b/queue-4.20/acpi-nfit-fix-command-supported-detection.patch new file mode 100644 index 00000000000..d6dd6605bf8 --- /dev/null +++ b/queue-4.20/acpi-nfit-fix-command-supported-detection.patch @@ -0,0 +1,129 @@ +From 11189c1089da413aa4b5fd6be4c4d47c78968819 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Sat, 19 Jan 2019 10:55:04 -0800 +Subject: acpi/nfit: Fix command-supported detection + +From: Dan Williams + +commit 11189c1089da413aa4b5fd6be4c4d47c78968819 upstream. + +The _DSM function number validation only happens to succeed when the +generic Linux command number translation corresponds with a +DSM-family-specific function number. This breaks NVDIMM-N +implementations that correctly implement _LSR, _LSW, and _LSI, but do +not happen to publish support for DSM function numbers 4, 5, and 6. + +Recall that the support for _LS{I,R,W} family of methods results in the +DIMM being marked as supporting those command numbers at +acpi_nfit_register_dimms() time. The DSM function mask is only used for +ND_CMD_CALL support of non-NVDIMM_FAMILY_INTEL devices. + +Fixes: 31eca76ba2fc ("nfit, libnvdimm: limited/whitelisted dimm command...") +Cc: +Link: https://github.com/pmem/ndctl/issues/78 +Reported-by: Sujith Pandel +Tested-by: Sujith Pandel +Reviewed-by: Vishal Verma +Reviewed-by: Jeff Moyer +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/nfit/core.c | 54 ++++++++++++++++++++++++++++++++++------------- + 1 file changed, 40 insertions(+), 14 deletions(-) + +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -394,6 +394,32 @@ static u8 nfit_dsm_revid(unsigned family + return id; + } + ++static int cmd_to_func(struct nfit_mem *nfit_mem, unsigned int cmd, ++ struct nd_cmd_pkg *call_pkg) ++{ ++ if (call_pkg) { ++ int i; ++ ++ if (nfit_mem->family != call_pkg->nd_family) ++ return -ENOTTY; ++ ++ for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++) ++ if (call_pkg->nd_reserved2[i]) ++ return -EINVAL; ++ return call_pkg->nd_command; ++ } ++ ++ /* Linux ND commands == NVDIMM_FAMILY_INTEL function numbers */ ++ if (nfit_mem->family == NVDIMM_FAMILY_INTEL) ++ return cmd; ++ ++ /* ++ * Force function number validation to fail since 0 is never ++ * published as a valid function in dsm_mask. ++ */ ++ return 0; ++} ++ + int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, + unsigned int cmd, void *buf, unsigned int buf_len, int *cmd_rc) + { +@@ -407,30 +433,23 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + unsigned long cmd_mask, dsm_mask; + u32 offset, fw_status = 0; + acpi_handle handle; +- unsigned int func; + const guid_t *guid; +- int rc, i; ++ int func, rc, i; + + if (cmd_rc) + *cmd_rc = -EINVAL; +- func = cmd; +- if (cmd == ND_CMD_CALL) { +- call_pkg = buf; +- func = call_pkg->nd_command; +- +- for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++) +- if (call_pkg->nd_reserved2[i]) +- return -EINVAL; +- } + + if (nvdimm) { + struct acpi_device *adev = nfit_mem->adev; + + if (!adev) + return -ENOTTY; +- if (call_pkg && nfit_mem->family != call_pkg->nd_family) +- return -ENOTTY; + ++ if (cmd == ND_CMD_CALL) ++ call_pkg = buf; ++ func = cmd_to_func(nfit_mem, cmd, call_pkg); ++ if (func < 0) ++ return func; + dimm_name = nvdimm_name(nvdimm); + cmd_name = nvdimm_cmd_name(cmd); + cmd_mask = nvdimm_cmd_mask(nvdimm); +@@ -441,6 +460,7 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + } else { + struct acpi_device *adev = to_acpi_dev(acpi_desc); + ++ func = cmd; + cmd_name = nvdimm_bus_cmd_name(cmd); + cmd_mask = nd_desc->cmd_mask; + dsm_mask = cmd_mask; +@@ -455,7 +475,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + if (!desc || (cmd && (desc->out_num + desc->in_num == 0))) + return -ENOTTY; + +- if (!test_bit(cmd, &cmd_mask) || !test_bit(func, &dsm_mask)) ++ /* ++ * Check for a valid command. For ND_CMD_CALL, we also have to ++ * make sure that the DSM function is supported. ++ */ ++ if (cmd == ND_CMD_CALL && !test_bit(func, &dsm_mask)) ++ return -ENOTTY; ++ else if (!test_bit(cmd, &cmd_mask)) + return -ENOTTY; + + in_obj.type = ACPI_TYPE_PACKAGE; diff --git a/queue-4.20/dm-crypt-fix-parsing-of-extended-iv-arguments.patch b/queue-4.20/dm-crypt-fix-parsing-of-extended-iv-arguments.patch new file mode 100644 index 00000000000..1499f45210a --- /dev/null +++ b/queue-4.20/dm-crypt-fix-parsing-of-extended-iv-arguments.patch @@ -0,0 +1,84 @@ +From 1856b9f7bcc8e9bdcccc360aabb56fbd4dd6c565 Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Wed, 9 Jan 2019 11:57:14 +0100 +Subject: dm crypt: fix parsing of extended IV arguments + +From: Milan Broz + +commit 1856b9f7bcc8e9bdcccc360aabb56fbd4dd6c565 upstream. + +The dm-crypt cipher specification in a mapping table is defined as: + cipher[:keycount]-chainmode-ivmode[:ivopts] +or (new crypt API format): + capi:cipher_api_spec-ivmode[:ivopts] + +For ESSIV, the parameter includes hash specification, for example: +aes-cbc-essiv:sha256 + +The implementation expected that additional IV option to never include +another dash '-' character. + +But, with SHA3, there are names like sha3-256; so the mapping table +parser fails: + +dmsetup create test --table "0 8 crypt aes-cbc-essiv:sha3-256 9c1185a5c5e9fc54612808977ee8f5b9e 0 /dev/sdb 0" + or (new crypt API format) +dmsetup create test --table "0 8 crypt capi:cbc(aes)-essiv:sha3-256 9c1185a5c5e9fc54612808977ee8f5b9e 0 /dev/sdb 0" + + device-mapper: crypt: Ignoring unexpected additional cipher options + device-mapper: table: 253:0: crypt: Error creating IV + device-mapper: ioctl: error adding target to table + +Fix the dm-crypt constructor to ignore additional dash in IV options and +also remove a bogus warning (that is ignored anyway). + +Cc: stable@vger.kernel.org # 4.12+ +Signed-off-by: Milan Broz +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-crypt.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -2405,9 +2405,21 @@ static int crypt_ctr_cipher_new(struct d + * capi:cipher_api_spec-iv:ivopts + */ + tmp = &cipher_in[strlen("capi:")]; +- cipher_api = strsep(&tmp, "-"); +- *ivmode = strsep(&tmp, ":"); +- *ivopts = tmp; ++ ++ /* Separate IV options if present, it can contain another '-' in hash name */ ++ *ivopts = strrchr(tmp, ':'); ++ if (*ivopts) { ++ **ivopts = '\0'; ++ (*ivopts)++; ++ } ++ /* Parse IV mode */ ++ *ivmode = strrchr(tmp, '-'); ++ if (*ivmode) { ++ **ivmode = '\0'; ++ (*ivmode)++; ++ } ++ /* The rest is crypto API spec */ ++ cipher_api = tmp; + + if (*ivmode && !strcmp(*ivmode, "lmk")) + cc->tfms_count = 64; +@@ -2477,11 +2489,8 @@ static int crypt_ctr_cipher_old(struct d + goto bad_mem; + + chainmode = strsep(&tmp, "-"); +- *ivopts = strsep(&tmp, "-"); +- *ivmode = strsep(&*ivopts, ":"); +- +- if (tmp) +- DMWARN("Ignoring unexpected additional cipher options"); ++ *ivmode = strsep(&tmp, ":"); ++ *ivopts = tmp; + + /* + * For compatibility with the original dm-crypt mapping format, if diff --git a/queue-4.20/dm-thin-fix-passdown_double_checking_shared_status.patch b/queue-4.20/dm-thin-fix-passdown_double_checking_shared_status.patch new file mode 100644 index 00000000000..b1ab8487785 --- /dev/null +++ b/queue-4.20/dm-thin-fix-passdown_double_checking_shared_status.patch @@ -0,0 +1,107 @@ +From d445bd9cec1a850c2100fcf53684c13b3fd934f2 Mon Sep 17 00:00:00 2001 +From: Joe Thornber +Date: Tue, 15 Jan 2019 13:27:01 -0500 +Subject: dm thin: fix passdown_double_checking_shared_status() + +From: Joe Thornber + +commit d445bd9cec1a850c2100fcf53684c13b3fd934f2 upstream. + +Commit 00a0ea33b495 ("dm thin: do not queue freed thin mapping for next +stage processing") changed process_prepared_discard_passdown_pt1() to +increment all the blocks being discarded until after the passdown had +completed to avoid them being prematurely reused. + +IO issued to a thin device that breaks sharing with a snapshot, followed +by a discard issued to snapshot(s) that previously shared the block(s), +results in passdown_double_checking_shared_status() being called to +iterate through the blocks double checking their reference count is zero +and issuing the passdown if so. So a side effect of commit 00a0ea33b495 +is passdown_double_checking_shared_status() was broken. + +Fix this by checking if the block reference count is greater than 1. +Also, rename dm_pool_block_is_used() to dm_pool_block_is_shared(). + +Fixes: 00a0ea33b495 ("dm thin: do not queue freed thin mapping for next stage processing") +Cc: stable@vger.kernel.org # 4.9+ +Reported-by: ryan.p.norwood@gmail.com +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin-metadata.c | 4 ++-- + drivers/md/dm-thin-metadata.h | 2 +- + drivers/md/dm-thin.c | 10 +++++----- + 3 files changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -1678,7 +1678,7 @@ int dm_thin_remove_range(struct dm_thin_ + return r; + } + +-int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result) ++int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result) + { + int r; + uint32_t ref_count; +@@ -1686,7 +1686,7 @@ int dm_pool_block_is_used(struct dm_pool + down_read(&pmd->root_lock); + r = dm_sm_get_count(pmd->data_sm, b, &ref_count); + if (!r) +- *result = (ref_count != 0); ++ *result = (ref_count > 1); + up_read(&pmd->root_lock); + + return r; +--- a/drivers/md/dm-thin-metadata.h ++++ b/drivers/md/dm-thin-metadata.h +@@ -195,7 +195,7 @@ int dm_pool_get_metadata_dev_size(struct + + int dm_pool_get_data_dev_size(struct dm_pool_metadata *pmd, dm_block_t *result); + +-int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result); ++int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result); + + int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e); + int dm_pool_dec_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e); +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -1048,7 +1048,7 @@ static void passdown_double_checking_sha + * passdown we have to check that these blocks are now unused. + */ + int r = 0; +- bool used = true; ++ bool shared = true; + struct thin_c *tc = m->tc; + struct pool *pool = tc->pool; + dm_block_t b = m->data_block, e, end = m->data_block + m->virt_end - m->virt_begin; +@@ -1058,11 +1058,11 @@ static void passdown_double_checking_sha + while (b != end) { + /* find start of unmapped run */ + for (; b < end; b++) { +- r = dm_pool_block_is_used(pool->pmd, b, &used); ++ r = dm_pool_block_is_shared(pool->pmd, b, &shared); + if (r) + goto out; + +- if (!used) ++ if (!shared) + break; + } + +@@ -1071,11 +1071,11 @@ static void passdown_double_checking_sha + + /* find end of run */ + for (e = b + 1; e != end; e++) { +- r = dm_pool_block_is_used(pool->pmd, e, &used); ++ r = dm_pool_block_is_shared(pool->pmd, e, &shared); + if (r) + goto out; + +- if (used) ++ if (shared) + break; + } + diff --git a/queue-4.20/drm-amdgpu-add-aptx-quirk-for-lenovo-laptop.patch b/queue-4.20/drm-amdgpu-add-aptx-quirk-for-lenovo-laptop.patch new file mode 100644 index 00000000000..8dab362d8a4 --- /dev/null +++ b/queue-4.20/drm-amdgpu-add-aptx-quirk-for-lenovo-laptop.patch @@ -0,0 +1,31 @@ +From f15f3eb26e8d9d25ea2330ed1273473df2f039df Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 15 Jan 2019 12:09:09 -0500 +Subject: drm/amdgpu: Add APTX quirk for Lenovo laptop + +From: Alex Deucher + +commit f15f3eb26e8d9d25ea2330ed1273473df2f039df upstream. + +Needs ATPX rather than _PR3 for dGPU power control. + +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=202263 +Reviewed-by: Jim Qu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c +@@ -576,6 +576,7 @@ static const struct amdgpu_px_quirk amdg + { 0x1002, 0x6900, 0x1028, 0x0812, AMDGPU_PX_QUIRK_FORCE_ATPX }, + { 0x1002, 0x6900, 0x1028, 0x0813, AMDGPU_PX_QUIRK_FORCE_ATPX }, + { 0x1002, 0x6900, 0x1025, 0x125A, AMDGPU_PX_QUIRK_FORCE_ATPX }, ++ { 0x1002, 0x6900, 0x17AA, 0x3806, AMDGPU_PX_QUIRK_FORCE_ATPX }, + { 0, 0, 0, 0, 0 }, + }; + diff --git a/queue-4.20/edac-altera-fix-s10-persistent-register-offset.patch b/queue-4.20/edac-altera-fix-s10-persistent-register-offset.patch new file mode 100644 index 00000000000..a59ec6ddd2a --- /dev/null +++ b/queue-4.20/edac-altera-fix-s10-persistent-register-offset.patch @@ -0,0 +1,43 @@ +From 245b6c6558128327d330549b23d09594c46f58df Mon Sep 17 00:00:00 2001 +From: Thor Thayer +Date: Tue, 22 Jan 2019 11:48:04 -0600 +Subject: EDAC, altera: Fix S10 persistent register offset + +From: Thor Thayer + +commit 245b6c6558128327d330549b23d09594c46f58df upstream. + +Correct the persistent register offset where address and status are +stored. + +Fixes: 08f08bfb7b4c ("EDAC, altera: Merge Stratix10 into the Arria10 SDRAM probe routine") +Signed-off-by: Thor Thayer +Signed-off-by: Borislav Petkov +Cc: James Morse +Cc: Mauro Carvalho Chehab +Cc: devicetree@vger.kernel.org +Cc: dinguyen@kernel.org +Cc: linux-edac +Cc: mark.rutland@arm.com +Cc: robh+dt@kernel.org +Cc: stable +Link: https://lkml.kernel.org/r/1548179287-21760-2-git-send-email-thor.thayer@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/altera_edac.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/edac/altera_edac.h ++++ b/drivers/edac/altera_edac.h +@@ -295,8 +295,8 @@ struct altr_sdram_mc_data { + #define S10_SYSMGR_ECC_INTSTAT_DERR_OFST 0xA0 + + /* Sticky registers for Uncorrected Errors */ +-#define S10_SYSMGR_UE_VAL_OFST 0x120 +-#define S10_SYSMGR_UE_ADDR_OFST 0x124 ++#define S10_SYSMGR_UE_VAL_OFST 0x220 ++#define S10_SYSMGR_UE_ADDR_OFST 0x224 + + #define S10_DDR0_IRQ_MASK BIT(16) + diff --git a/queue-4.20/input-input_event-provide-override-for-sparc64.patch b/queue-4.20/input-input_event-provide-override-for-sparc64.patch new file mode 100644 index 00000000000..da9a758ef3f --- /dev/null +++ b/queue-4.20/input-input_event-provide-override-for-sparc64.patch @@ -0,0 +1,53 @@ +From 2e746942ebacf1565caa72cf980745e5ce297c48 Mon Sep 17 00:00:00 2001 +From: Deepa Dinamani +Date: Sun, 13 Jan 2019 22:28:05 -0800 +Subject: Input: input_event - provide override for sparc64 + +From: Deepa Dinamani + +commit 2e746942ebacf1565caa72cf980745e5ce297c48 upstream. + +The usec part of the timeval is defined as +__kernel_suseconds_t tv_usec; /* microseconds */ + +Arnd noticed that sparc64 is the only architecture that defines +__kernel_suseconds_t as int rather than long. + +This breaks the current y2038 fix for kernel as we only access and define +the timeval struct for non-kernel use cases. But, this was hidden by an +another typo in the use of __KERNEL__ qualifier. + +Fix the typo, and provide an override for sparc64. + +Fixes: 152194fe9c3f ("Input: extend usable life of event timestamps to 2106 on 32 bit systems") +Reported-by: Arnd Bergmann +Signed-off-by: Deepa Dinamani +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/input.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/include/uapi/linux/input.h ++++ b/include/uapi/linux/input.h +@@ -26,13 +26,17 @@ + */ + + struct input_event { +-#if (__BITS_PER_LONG != 32 || !defined(__USE_TIME_BITS64)) && !defined(__KERNEL) ++#if (__BITS_PER_LONG != 32 || !defined(__USE_TIME_BITS64)) && !defined(__KERNEL__) + struct timeval time; + #define input_event_sec time.tv_sec + #define input_event_usec time.tv_usec + #else + __kernel_ulong_t __sec; ++#ifdef CONFIG_SPARC64 ++ unsigned int __usec; ++#else + __kernel_ulong_t __usec; ++#endif + #define input_event_sec __sec + #define input_event_usec __usec + #endif diff --git a/queue-4.20/input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch b/queue-4.20/input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch new file mode 100644 index 00000000000..d0e69a833ec --- /dev/null +++ b/queue-4.20/input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch @@ -0,0 +1,51 @@ +From d77651a227f8920dd7ec179b84e400cce844eeb3 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 14 Jan 2019 13:54:55 -0800 +Subject: Input: uinput - fix undefined behavior in uinput_validate_absinfo() + +From: Dmitry Torokhov + +commit d77651a227f8920dd7ec179b84e400cce844eeb3 upstream. + +An integer overflow may arise in uinput_validate_absinfo() if "max - min" +can't be represented by an "int". We should check for overflow before +trying to use the result. + +Reported-by: Kyungtae Kim +Reviewed-by: Peter Hutterer +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/uinput.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + #include + #include "../input-compat.h" + +@@ -405,7 +406,7 @@ static int uinput_open(struct inode *ino + static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code, + const struct input_absinfo *abs) + { +- int min, max; ++ int min, max, range; + + min = abs->minimum; + max = abs->maximum; +@@ -417,7 +418,7 @@ static int uinput_validate_absinfo(struc + return -EINVAL; + } + +- if (abs->flat > max - min) { ++ if (!check_sub_overflow(max, min, &range) && abs->flat > range) { + printk(KERN_DEBUG + "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n", + UINPUT_NAME, code, abs->flat, min, max); diff --git a/queue-4.20/input-xpad-add-support-for-steelseries-stratus-duo.patch b/queue-4.20/input-xpad-add-support-for-steelseries-stratus-duo.patch new file mode 100644 index 00000000000..e409b24206e --- /dev/null +++ b/queue-4.20/input-xpad-add-support-for-steelseries-stratus-duo.patch @@ -0,0 +1,43 @@ +From fe2bfd0d40c935763812973ce15f5764f1c12833 Mon Sep 17 00:00:00 2001 +From: Tom Panfil +Date: Fri, 11 Jan 2019 17:49:40 -0800 +Subject: Input: xpad - add support for SteelSeries Stratus Duo + +From: Tom Panfil + +commit fe2bfd0d40c935763812973ce15f5764f1c12833 upstream. + +Add support for the SteelSeries Stratus Duo, a wireless Xbox 360 +controller. The Stratus Duo ships with a USB dongle to enable wireless +connectivity, but it can also function as a wired controller by connecting +it directly to a PC via USB, hence the need for two USD PIDs. 0x1430 is the +dongle, and 0x1431 is the controller. + +Signed-off-by: Tom Panfil +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joystick/xpad.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -252,6 +252,8 @@ static const struct xpad_device { + { 0x0f30, 0x0202, "Joytech Advanced Controller", 0, XTYPE_XBOX }, + { 0x0f30, 0x8888, "BigBen XBMiniPad Controller", 0, XTYPE_XBOX }, + { 0x102c, 0xff0c, "Joytech Wireless Advanced Controller", 0, XTYPE_XBOX }, ++ { 0x1038, 0x1430, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 }, ++ { 0x1038, 0x1431, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 }, + { 0x11c9, 0x55f0, "Nacon GC-100XF", 0, XTYPE_XBOX360 }, + { 0x12ab, 0x0004, "Honey Bee Xbox360 dancepad", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x12ab, 0x0301, "PDP AFTERGLOW AX.1", 0, XTYPE_XBOX360 }, +@@ -428,6 +430,7 @@ static const struct usb_device_id xpad_t + XPAD_XBOXONE_VENDOR(0x0e6f), /* 0x0e6f X-Box One controllers */ + XPAD_XBOX360_VENDOR(0x0f0d), /* Hori Controllers */ + XPAD_XBOXONE_VENDOR(0x0f0d), /* Hori Controllers */ ++ XPAD_XBOX360_VENDOR(0x1038), /* SteelSeries Controllers */ + XPAD_XBOX360_VENDOR(0x11c9), /* Nacon GC100XF */ + XPAD_XBOX360_VENDOR(0x12ab), /* X-Box 360 dance pads */ + XPAD_XBOX360_VENDOR(0x1430), /* RedOctane X-Box 360 controllers */ diff --git a/queue-4.20/kvm-x86-fix-pv-ipis-for-32-bit-kvm-host.patch b/queue-4.20/kvm-x86-fix-pv-ipis-for-32-bit-kvm-host.patch new file mode 100644 index 00000000000..7bc86615c5b --- /dev/null +++ b/queue-4.20/kvm-x86-fix-pv-ipis-for-32-bit-kvm-host.patch @@ -0,0 +1,40 @@ +From 1ed199a41c70ad7bfaee8b14f78e791fcf43b278 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 23 Jan 2019 09:22:39 -0800 +Subject: KVM: x86: Fix PV IPIs for 32-bit KVM host + +From: Sean Christopherson + +commit 1ed199a41c70ad7bfaee8b14f78e791fcf43b278 upstream. + +The recognition of the KVM_HC_SEND_IPI hypercall was unintentionally +wrapped in "#ifdef CONFIG_X86_64", causing 32-bit KVM hosts to reject +any and all PV IPI requests despite advertising the feature. This +results in all KVM paravirtualized guests hanging during SMP boot due +to IPIs never being delivered. + +Fixes: 4180bf1b655a ("KVM: X86: Implement "send IPI" hypercall") +Cc: stable@vger.kernel.org +Cc: Wanpeng Li +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -6997,10 +6997,10 @@ int kvm_emulate_hypercall(struct kvm_vcp + case KVM_HC_CLOCK_PAIRING: + ret = kvm_pv_clock_pairing(vcpu, a0, a1); + break; ++#endif + case KVM_HC_SEND_IPI: + ret = kvm_pv_send_ipi(vcpu->kvm, a0, a1, a2, a3, op_64_bit); + break; +-#endif + default: + ret = -KVM_ENOSYS; + break; diff --git a/queue-4.20/kvm-x86-fix-single-step-debugging.patch b/queue-4.20/kvm-x86-fix-single-step-debugging.patch new file mode 100644 index 00000000000..75fe1655f7c --- /dev/null +++ b/queue-4.20/kvm-x86-fix-single-step-debugging.patch @@ -0,0 +1,43 @@ +From 5cc244a20b86090c087073c124284381cdf47234 Mon Sep 17 00:00:00 2001 +From: Alexander Popov +Date: Mon, 21 Jan 2019 15:48:40 +0300 +Subject: KVM: x86: Fix single-step debugging + +From: Alexander Popov + +commit 5cc244a20b86090c087073c124284381cdf47234 upstream. + +The single-step debugging of KVM guests on x86 is broken: if we run +gdb 'stepi' command at the breakpoint when the guest interrupts are +enabled, RIP always jumps to native_apic_mem_write(). Then other +nasty effects follow. + +Long investigation showed that on Jun 7, 2017 the +commit c8401dda2f0a00cd25c0 ("KVM: x86: fix singlestepping over syscall") +introduced the kvm_run.debug corruption: kvm_vcpu_do_singlestep() can +be called without X86_EFLAGS_TF set. + +Let's fix it. Please consider that for -stable. + +Signed-off-by: Alexander Popov +Cc: stable@vger.kernel.org +Fixes: c8401dda2f0a00cd25c0 ("KVM: x86: fix singlestepping over syscall") +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -6407,8 +6407,7 @@ restart: + toggle_interruptibility(vcpu, ctxt->interruptibility); + vcpu->arch.emulate_regs_need_sync_to_vcpu = false; + kvm_rip_write(vcpu, ctxt->eip); +- if (r == EMULATE_DONE && +- (ctxt->tf || (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP))) ++ if (r == EMULATE_DONE && ctxt->tf) + kvm_vcpu_do_singlestep(vcpu, &r); + if (!ctxt->have_exception || + exception_type(ctxt->exception.vector) == EXCPT_TRAP) diff --git a/queue-4.20/kvm-x86-vmx-use-kzalloc-for-cached_vmcs12.patch b/queue-4.20/kvm-x86-vmx-use-kzalloc-for-cached_vmcs12.patch new file mode 100644 index 00000000000..99726a2b7c6 --- /dev/null +++ b/queue-4.20/kvm-x86-vmx-use-kzalloc-for-cached_vmcs12.patch @@ -0,0 +1,68 @@ +From 3a33d030daaa7c507e1c12d5adcf828248429593 Mon Sep 17 00:00:00 2001 +From: Tom Roeder +Date: Thu, 24 Jan 2019 13:48:20 -0800 +Subject: kvm: x86/vmx: Use kzalloc for cached_vmcs12 + +From: Tom Roeder + +commit 3a33d030daaa7c507e1c12d5adcf828248429593 upstream. + +This changes the allocation of cached_vmcs12 to use kzalloc instead of +kmalloc. This removes the information leak found by Syzkaller (see +Reported-by) in this case and prevents similar leaks from happening +based on cached_vmcs12. + +It also changes vmx_get_nested_state to copy out the full 4k VMCS12_SIZE +in copy_to_user rather than only the size of the struct. + +Tested: rebuilt against head, booted, and ran the syszkaller repro + https://syzkaller.appspot.com/text?tag=ReproC&x=174efca3400000 without + observing any problems. + +Reported-by: syzbot+ded1696f6b50b615b630@syzkaller.appspotmail.com +Fixes: 8fcc4b5923af5de58b80b53a069453b135693304 +Cc: stable@vger.kernel.org +Signed-off-by: Tom Roeder +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8315,11 +8315,11 @@ static int enter_vmx_operation(struct kv + if (r < 0) + goto out_vmcs02; + +- vmx->nested.cached_vmcs12 = kmalloc(VMCS12_SIZE, GFP_KERNEL); ++ vmx->nested.cached_vmcs12 = kzalloc(VMCS12_SIZE, GFP_KERNEL); + if (!vmx->nested.cached_vmcs12) + goto out_cached_vmcs12; + +- vmx->nested.cached_shadow_vmcs12 = kmalloc(VMCS12_SIZE, GFP_KERNEL); ++ vmx->nested.cached_shadow_vmcs12 = kzalloc(VMCS12_SIZE, GFP_KERNEL); + if (!vmx->nested.cached_shadow_vmcs12) + goto out_cached_shadow_vmcs12; + +@@ -14853,13 +14853,17 @@ static int vmx_get_nested_state(struct k + copy_shadow_to_vmcs12(vmx); + } + +- if (copy_to_user(user_kvm_nested_state->data, vmcs12, sizeof(*vmcs12))) ++ /* ++ * Copy over the full allocated size of vmcs12 rather than just the size ++ * of the struct. ++ */ ++ if (copy_to_user(user_kvm_nested_state->data, vmcs12, VMCS12_SIZE)) + return -EFAULT; + + if (nested_cpu_has_shadow_vmcs(vmcs12) && + vmcs12->vmcs_link_pointer != -1ull) { + if (copy_to_user(user_kvm_nested_state->data + VMCS12_SIZE, +- get_shadow_vmcs12(vcpu), sizeof(*vmcs12))) ++ get_shadow_vmcs12(vcpu), VMCS12_SIZE)) + return -EFAULT; + } + diff --git a/queue-4.20/kvm-x86-warn_once-if-sending-a-pv-ipi-returns-a-fatal-error.patch b/queue-4.20/kvm-x86-warn_once-if-sending-a-pv-ipi-returns-a-fatal-error.patch new file mode 100644 index 00000000000..363f6c0a4c4 --- /dev/null +++ b/queue-4.20/kvm-x86-warn_once-if-sending-a-pv-ipi-returns-a-fatal-error.patch @@ -0,0 +1,57 @@ +From de81c2f912ef57917bdc6d63b410c534c3e07982 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 23 Jan 2019 09:22:40 -0800 +Subject: KVM: x86: WARN_ONCE if sending a PV IPI returns a fatal error + +From: Sean Christopherson + +commit de81c2f912ef57917bdc6d63b410c534c3e07982 upstream. + +KVM hypercalls return a negative value error code in case of a fatal +error, e.g. when the hypercall isn't supported or was made with invalid +parameters. WARN_ONCE on fatal errors when sending PV IPIs as any such +error all but guarantees an SMP system will hang due to a missing IPI. + +Fixes: aaffcfd1e82d ("KVM: X86: Implement PV IPIs in linux guest") +Cc: stable@vger.kernel.org +Cc: Wanpeng Li +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/kvm.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/kvm.c ++++ b/arch/x86/kernel/kvm.c +@@ -457,6 +457,7 @@ static void __send_ipi_mask(const struct + #else + u64 ipi_bitmap = 0; + #endif ++ long ret; + + if (cpumask_empty(mask)) + return; +@@ -482,8 +483,9 @@ static void __send_ipi_mask(const struct + } else if (apic_id < min + KVM_IPI_CLUSTER_SIZE) { + max = apic_id < max ? max : apic_id; + } else { +- kvm_hypercall4(KVM_HC_SEND_IPI, (unsigned long)ipi_bitmap, ++ ret = kvm_hypercall4(KVM_HC_SEND_IPI, (unsigned long)ipi_bitmap, + (unsigned long)(ipi_bitmap >> BITS_PER_LONG), min, icr); ++ WARN_ONCE(ret < 0, "KVM: failed to send PV IPI: %ld", ret); + min = max = apic_id; + ipi_bitmap = 0; + } +@@ -491,8 +493,9 @@ static void __send_ipi_mask(const struct + } + + if (ipi_bitmap) { +- kvm_hypercall4(KVM_HC_SEND_IPI, (unsigned long)ipi_bitmap, ++ ret = kvm_hypercall4(KVM_HC_SEND_IPI, (unsigned long)ipi_bitmap, + (unsigned long)(ipi_bitmap >> BITS_PER_LONG), min, icr); ++ WARN_ONCE(ret < 0, "KVM: failed to send PV IPI: %ld", ret); + } + + local_irq_restore(flags); diff --git a/queue-4.20/scsi-ufs-use-explicit-access-size-in-ufshcd_dump_regs.patch b/queue-4.20/scsi-ufs-use-explicit-access-size-in-ufshcd_dump_regs.patch new file mode 100644 index 00000000000..69eaa9675b2 --- /dev/null +++ b/queue-4.20/scsi-ufs-use-explicit-access-size-in-ufshcd_dump_regs.patch @@ -0,0 +1,87 @@ +From d67247566450cf89a693307c9bc9f05a32d96cea Mon Sep 17 00:00:00 2001 +From: Marc Gonzalez +Date: Tue, 22 Jan 2019 18:29:22 +0100 +Subject: scsi: ufs: Use explicit access size in ufshcd_dump_regs + +From: Marc Gonzalez + +commit d67247566450cf89a693307c9bc9f05a32d96cea upstream. + +memcpy_fromio() doesn't provide any control over access size. For example, +on arm64, it is implemented using readb and readq. This may trigger a +synchronous external abort: + +[ 3.729943] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP +[ 3.737000] Modules linked in: +[ 3.744371] CPU: 2 PID: 1 Comm: swapper/0 Tainted: G S 4.20.0-rc4 #16 +[ 3.747413] Hardware name: Qualcomm Technologies, Inc. MSM8998 v1 MTP (DT) +[ 3.755295] pstate: 00000005 (nzcv daif -PAN -UAO) +[ 3.761978] pc : __memcpy_fromio+0x68/0x80 +[ 3.766718] lr : ufshcd_dump_regs+0x50/0xb0 +[ 3.770767] sp : ffff00000807ba00 +[ 3.774830] x29: ffff00000807ba00 x28: 00000000fffffffb +[ 3.778344] x27: ffff0000089db068 x26: ffff8000f6e58000 +[ 3.783728] x25: 000000000000000e x24: 0000000000000800 +[ 3.789023] x23: ffff8000f6e587c8 x22: 0000000000000800 +[ 3.794319] x21: ffff000008908368 x20: ffff8000f6e1ab80 +[ 3.799615] x19: 000000000000006c x18: ffffffffffffffff +[ 3.804910] x17: 0000000000000000 x16: 0000000000000000 +[ 3.810206] x15: ffff000009199648 x14: ffff000089244187 +[ 3.815502] x13: ffff000009244195 x12: ffff0000091ab000 +[ 3.820797] x11: 0000000005f5e0ff x10: ffff0000091998a0 +[ 3.826093] x9 : 0000000000000000 x8 : ffff8000f6e1ac00 +[ 3.831389] x7 : 0000000000000000 x6 : 0000000000000068 +[ 3.836676] x5 : ffff8000f6e1abe8 x4 : 0000000000000000 +[ 3.841971] x3 : ffff00000928c868 x2 : ffff8000f6e1abec +[ 3.847267] x1 : ffff00000928c868 x0 : ffff8000f6e1abe8 +[ 3.852567] Process swapper/0 (pid: 1, stack limit = 0x(____ptrval____)) +[ 3.857900] Call trace: +[ 3.864473] __memcpy_fromio+0x68/0x80 +[ 3.866683] ufs_qcom_dump_dbg_regs+0x1c0/0x370 +[ 3.870522] ufshcd_print_host_regs+0x168/0x190 +[ 3.874946] ufshcd_init+0xd4c/0xde0 +[ 3.879459] ufshcd_pltfrm_init+0x3c8/0x550 +[ 3.883264] ufs_qcom_probe+0x24/0x60 +[ 3.887188] platform_drv_probe+0x50/0xa0 + +Assuming aligned 32-bit registers, let's use readl, after making sure +that 'offset' and 'len' are indeed multiples of 4. + +Fixes: ba80917d9932d ("scsi: ufs: ufshcd_dump_regs to use memcpy_fromio") +Cc: +Signed-off-by: Marc Gonzalez +Acked-by: Tomas Winkler +Reviewed-by: Jeffrey Hugo +Reviewed-by: Bjorn Andersson +Tested-by: Evan Green +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ufs/ufshcd.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -110,13 +110,19 @@ + int ufshcd_dump_regs(struct ufs_hba *hba, size_t offset, size_t len, + const char *prefix) + { +- u8 *regs; ++ u32 *regs; ++ size_t pos; ++ ++ if (offset % 4 != 0 || len % 4 != 0) /* keep readl happy */ ++ return -EINVAL; + + regs = kzalloc(len, GFP_KERNEL); + if (!regs) + return -ENOMEM; + +- memcpy_fromio(regs, hba->mmio_base + offset, len); ++ for (pos = 0; pos < len; pos += 4) ++ regs[pos / 4] = ufshcd_readl(hba, offset + pos); ++ + ufshcd_hex_dump(prefix, regs, len); + kfree(regs); + diff --git a/queue-4.20/series b/queue-4.20/series index db29ed94eb3..168471e993d 100644 --- a/queue-4.20/series +++ b/queue-4.20/series @@ -63,3 +63,21 @@ cifs-fix-credits-calculations-for-reads-with-errors.patch cifs-fix-credit-calculation-for-encrypted-reads-with-errors.patch cifs-do-not-reconnect-tcp-session-in-add_credits.patch smb3-add-credits-we-receive-from-oplock-break-pdus.patch +input-xpad-add-support-for-steelseries-stratus-duo.patch +input-input_event-provide-override-for-sparc64.patch +input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch +acpi-nfit-block-function-zero-dsms.patch +acpi-nfit-fix-command-supported-detection.patch +scsi-ufs-use-explicit-access-size-in-ufshcd_dump_regs.patch +dm-thin-fix-passdown_double_checking_shared_status.patch +dm-crypt-fix-parsing-of-extended-iv-arguments.patch +drm-amdgpu-add-aptx-quirk-for-lenovo-laptop.patch +edac-altera-fix-s10-persistent-register-offset.patch +kvm-x86-fix-single-step-debugging.patch +kvm-x86-fix-pv-ipis-for-32-bit-kvm-host.patch +kvm-x86-warn_once-if-sending-a-pv-ipi-returns-a-fatal-error.patch +kvm-x86-vmx-use-kzalloc-for-cached_vmcs12.patch +x86-pkeys-properly-copy-pkey-state-at-fork.patch +x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch +x86-kaslr-fix-incorrect-i8254-outb-parameters.patch +x86-entry-64-compat-fix-stack-switching-for-xen-pv.patch diff --git a/queue-4.20/x86-entry-64-compat-fix-stack-switching-for-xen-pv.patch b/queue-4.20/x86-entry-64-compat-fix-stack-switching-for-xen-pv.patch new file mode 100644 index 00000000000..05e663d1463 --- /dev/null +++ b/queue-4.20/x86-entry-64-compat-fix-stack-switching-for-xen-pv.patch @@ -0,0 +1,62 @@ +From fc24d75a7f91837d7918e40719575951820b2b8f Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 15 Jan 2019 09:58:16 -0700 +Subject: x86/entry/64/compat: Fix stack switching for XEN PV + +From: Jan Beulich + +commit fc24d75a7f91837d7918e40719575951820b2b8f upstream. + +While in the native case entry into the kernel happens on the trampoline +stack, PV Xen kernels get entered with the current thread stack right +away. Hence source and destination stacks are identical in that case, +and special care is needed. + +Other than in sync_regs() the copying done on the INT80 path isn't +NMI / #MC safe, as either of these events occurring in the middle of the +stack copying would clobber data on the (source) stack. + +There is similar code in interrupt_entry() and nmi(), but there is no fixup +required because those code paths are unreachable in XEN PV guests. + +[ tglx: Sanitized subject, changelog, Fixes tag and stable mail address. Sigh ] + +Fixes: 7f2590a110b8 ("x86/entry/64: Use a per-CPU trampoline stack for IDT entries") +Signed-off-by: Jan Beulich +Signed-off-by: Thomas Gleixner +Reviewed-by: Juergen Gross +Acked-by: Andy Lutomirski +Cc: Peter Anvin +Cc: xen-devel@lists.xenproject.org> +Cc: Boris Ostrovsky +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/5C3E1128020000780020DFAD@prv1-mh.provo.novell.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/entry_64_compat.S | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/entry/entry_64_compat.S ++++ b/arch/x86/entry/entry_64_compat.S +@@ -361,7 +361,8 @@ ENTRY(entry_INT80_compat) + + /* Need to switch before accessing the thread stack. */ + SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi +- movq %rsp, %rdi ++ /* In the Xen PV case we already run on the thread stack. */ ++ ALTERNATIVE "movq %rsp, %rdi", "jmp .Lint80_keep_stack", X86_FEATURE_XENPV + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp + + pushq 6*8(%rdi) /* regs->ss */ +@@ -370,8 +371,9 @@ ENTRY(entry_INT80_compat) + pushq 3*8(%rdi) /* regs->cs */ + pushq 2*8(%rdi) /* regs->ip */ + pushq 1*8(%rdi) /* regs->orig_ax */ +- + pushq (%rdi) /* pt_regs->di */ ++.Lint80_keep_stack: ++ + pushq %rsi /* pt_regs->si */ + xorl %esi, %esi /* nospec si */ + pushq %rdx /* pt_regs->dx */ diff --git a/queue-4.20/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch b/queue-4.20/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch new file mode 100644 index 00000000000..3e6397ba989 --- /dev/null +++ b/queue-4.20/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch @@ -0,0 +1,39 @@ +From 7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4 Mon Sep 17 00:00:00 2001 +From: Daniel Drake +Date: Mon, 7 Jan 2019 11:40:24 +0800 +Subject: x86/kaslr: Fix incorrect i8254 outb() parameters + +From: Daniel Drake + +commit 7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4 upstream. + +The outb() function takes parameters value and port, in that order. Fix +the parameters used in the kalsr i8254 fallback code. + +Fixes: 5bfce5ef55cb ("x86, kaslr: Provide randomness functions") +Signed-off-by: Daniel Drake +Signed-off-by: Thomas Gleixner +Cc: bp@alien8.de +Cc: hpa@zytor.com +Cc: linux@endlessm.com +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20190107034024.15005-1-drake@endlessm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/lib/kaslr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/lib/kaslr.c ++++ b/arch/x86/lib/kaslr.c +@@ -36,8 +36,8 @@ static inline u16 i8254(void) + u16 status, timer; + + do { +- outb(I8254_PORT_CONTROL, +- I8254_CMD_READBACK | I8254_SELECT_COUNTER0); ++ outb(I8254_CMD_READBACK | I8254_SELECT_COUNTER0, ++ I8254_PORT_CONTROL); + status = inb(I8254_PORT_COUNTER0); + timer = inb(I8254_PORT_COUNTER0); + timer |= inb(I8254_PORT_COUNTER0) << 8; diff --git a/queue-4.20/x86-pkeys-properly-copy-pkey-state-at-fork.patch b/queue-4.20/x86-pkeys-properly-copy-pkey-state-at-fork.patch new file mode 100644 index 00000000000..9c28aac8acd --- /dev/null +++ b/queue-4.20/x86-pkeys-properly-copy-pkey-state-at-fork.patch @@ -0,0 +1,101 @@ +From a31e184e4f69965c99c04cc5eb8a4920e0c63737 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Wed, 2 Jan 2019 13:56:55 -0800 +Subject: x86/pkeys: Properly copy pkey state at fork() + +From: Dave Hansen + +commit a31e184e4f69965c99c04cc5eb8a4920e0c63737 upstream. + +Memory protection key behavior should be the same in a child as it was +in the parent before a fork. But, there is a bug that resets the +state in the child at fork instead of preserving it. + +The creation of new mm's is a bit convoluted. At fork(), the code +does: + + 1. memcpy() the parent mm to initialize child + 2. mm_init() to initalize some select stuff stuff + 3. dup_mmap() to create true copies that memcpy() did not do right + +For pkeys two bits of state need to be preserved across a fork: +'execute_only_pkey' and 'pkey_allocation_map'. + +Those are preserved by the memcpy(), but mm_init() invokes +init_new_context() which overwrites 'execute_only_pkey' and +'pkey_allocation_map' with "new" values. + +The author of the code erroneously believed that init_new_context is *only* +called at execve()-time. But, alas, init_new_context() is used at execve() +and fork(). + +The result is that, after a fork(), the child's pkey state ends up looking +like it does after an execve(), which is totally wrong. pkeys that are +already allocated can be allocated again, for instance. + +To fix this, add code called by dup_mmap() to copy the pkey state from +parent to child explicitly. Also add a comment above init_new_context() to +make it more clear to the next poor sod what this code is used for. + +Fixes: e8c24d3a23a ("x86/pkeys: Allocation/free syscalls") +Signed-off-by: Dave Hansen +Signed-off-by: Thomas Gleixner +Reviewed-by: Thomas Gleixner +Cc: bp@alien8.de +Cc: hpa@zytor.com +Cc: peterz@infradead.org +Cc: mpe@ellerman.id.au +Cc: will.deacon@arm.com +Cc: luto@kernel.org +Cc: jroedel@suse.de +Cc: stable@vger.kernel.org +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Peter Zijlstra +Cc: Michael Ellerman +Cc: Will Deacon +Cc: Andy Lutomirski +Cc: Joerg Roedel +Link: https://lkml.kernel.org/r/20190102215655.7A69518C@viggo.jf.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/mmu_context.h | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -178,6 +178,10 @@ static inline void switch_ldt(struct mm_ + + void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk); + ++/* ++ * Init a new mm. Used on mm copies, like at fork() ++ * and on mm's that are brand-new, like at execve(). ++ */ + static inline int init_new_context(struct task_struct *tsk, + struct mm_struct *mm) + { +@@ -228,8 +232,22 @@ do { \ + } while (0) + #endif + ++static inline void arch_dup_pkeys(struct mm_struct *oldmm, ++ struct mm_struct *mm) ++{ ++#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS ++ if (!cpu_feature_enabled(X86_FEATURE_OSPKE)) ++ return; ++ ++ /* Duplicate the oldmm pkey state in mm: */ ++ mm->context.pkey_allocation_map = oldmm->context.pkey_allocation_map; ++ mm->context.execute_only_pkey = oldmm->context.execute_only_pkey; ++#endif ++} ++ + static inline int arch_dup_mmap(struct mm_struct *oldmm, struct mm_struct *mm) + { ++ arch_dup_pkeys(oldmm, mm); + paravirt_arch_dup_mmap(oldmm, mm); + return ldt_dup_context(oldmm, mm); + } diff --git a/queue-4.20/x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch b/queue-4.20/x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch new file mode 100644 index 00000000000..cee1dc59858 --- /dev/null +++ b/queue-4.20/x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch @@ -0,0 +1,115 @@ +From e1812933b17be7814f51b6c310c5d1ced7a9a5f5 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Wed, 2 Jan 2019 13:56:57 -0800 +Subject: x86/selftests/pkeys: Fork() to check for state being preserved + +From: Dave Hansen + +commit e1812933b17be7814f51b6c310c5d1ced7a9a5f5 upstream. + +There was a bug where the per-mm pkey state was not being preserved across +fork() in the child. fork() is performed in the pkey selftests, but all of +the pkey activity is performed in the parent. The child does not perform +any actions sensitive to pkey state. + +To make the test more sensitive to these kinds of bugs, add a fork() where +the parent exits, and execution continues in the child. + +To achieve this let the key exhaustion test not terminate at the first +allocation failure and fork after 2*NR_PKEYS loops and continue in the +child. + +Signed-off-by: Dave Hansen +Signed-off-by: Thomas Gleixner +Cc: bp@alien8.de +Cc: hpa@zytor.com +Cc: peterz@infradead.org +Cc: mpe@ellerman.id.au +Cc: will.deacon@arm.com +Cc: luto@kernel.org +Cc: jroedel@suse.de +Cc: stable@vger.kernel.org +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Peter Zijlstra +Cc: Michael Ellerman +Cc: Will Deacon +Cc: Andy Lutomirski +Cc: Joerg Roedel +Link: https://lkml.kernel.org/r/20190102215657.585704B7@viggo.jf.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/x86/protection_keys.c | 41 +++++++++++++++++++------- + 1 file changed, 31 insertions(+), 10 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -1133,6 +1133,21 @@ void test_pkey_syscalls_bad_args(int *pt + pkey_assert(err); + } + ++void become_child(void) ++{ ++ pid_t forkret; ++ ++ forkret = fork(); ++ pkey_assert(forkret >= 0); ++ dprintf3("[%d] fork() ret: %d\n", getpid(), forkret); ++ ++ if (!forkret) { ++ /* in the child */ ++ return; ++ } ++ exit(0); ++} ++ + /* Assumes that all pkeys other than 'pkey' are unallocated */ + void test_pkey_alloc_exhaust(int *ptr, u16 pkey) + { +@@ -1141,7 +1156,7 @@ void test_pkey_alloc_exhaust(int *ptr, u + int nr_allocated_pkeys = 0; + int i; + +- for (i = 0; i < NR_PKEYS*2; i++) { ++ for (i = 0; i < NR_PKEYS*3; i++) { + int new_pkey; + dprintf1("%s() alloc loop: %d\n", __func__, i); + new_pkey = alloc_pkey(); +@@ -1152,21 +1167,27 @@ void test_pkey_alloc_exhaust(int *ptr, u + if ((new_pkey == -1) && (errno == ENOSPC)) { + dprintf2("%s() failed to allocate pkey after %d tries\n", + __func__, nr_allocated_pkeys); +- break; ++ } else { ++ /* ++ * Ensure the number of successes never ++ * exceeds the number of keys supported ++ * in the hardware. ++ */ ++ pkey_assert(nr_allocated_pkeys < NR_PKEYS); ++ allocated_pkeys[nr_allocated_pkeys++] = new_pkey; + } +- pkey_assert(nr_allocated_pkeys < NR_PKEYS); +- allocated_pkeys[nr_allocated_pkeys++] = new_pkey; ++ ++ /* ++ * Make sure that allocation state is properly ++ * preserved across fork(). ++ */ ++ if (i == NR_PKEYS*2) ++ become_child(); + } + + dprintf3("%s()::%d\n", __func__, __LINE__); + + /* +- * ensure it did not reach the end of the loop without +- * failure: +- */ +- pkey_assert(i < NR_PKEYS*2); +- +- /* + * There are 16 pkeys supported in hardware. Three are + * allocated by the time we get here: + * 1. The default key (0) -- 2.47.2