--- /dev/null
+From d3d19d6fc5736a798b118971935ce274f7deaa82 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 13 Jan 2020 14:08:14 +0300
+Subject: fbdev: potential information leak in do_fb_ioctl()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit d3d19d6fc5736a798b118971935ce274f7deaa82 upstream.
+
+The "fix" struct has a 2 byte hole after ->ywrapstep and the
+"fix = info->fix;" assignment doesn't necessarily clear it. It depends
+on the compiler. The solution is just to replace the assignment with an
+memcpy().
+
+Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Andrea Righi <righi.andrea@gmail.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: Peter Rosin <peda@axentia.se>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200113100132.ixpaymordi24n3av@kili.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/core/fbmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -1132,7 +1132,7 @@ static long do_fb_ioctl(struct fb_info *
+ case FBIOGET_FSCREENINFO:
+ if (!lock_fb_info(info))
+ return -ENODEV;
+- fix = info->fix;
++ memcpy(&fix, &info->fix, sizeof(fix));
+ unlock_fb_info(info);
+
+ ret = copy_to_user(argp, &fix, sizeof(fix)) ? -EFAULT : 0;
--- /dev/null
+From 80c503e0e68fbe271680ab48f0fe29bc034b01b7 Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@kernel.org>
+Date: Thu, 23 Jan 2020 09:19:01 -0800
+Subject: locktorture: Print ratio of acquisitions, not failures
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+commit 80c503e0e68fbe271680ab48f0fe29bc034b01b7 upstream.
+
+The __torture_print_stats() function in locktorture.c carefully
+initializes local variable "min" to statp[0].n_lock_acquired, but
+then compares it to statp[i].n_lock_fail. Given that the .n_lock_fail
+field should normally be zero, and given the initialization, it seems
+reasonable to display the maximum and minimum number acquisitions
+instead of miscomputing the maximum and minimum number of failures.
+This commit therefore switches from failures to acquisitions.
+
+And this turns out to be not only a day-zero bug, but entirely my
+own fault. I hate it when that happens!
+
+Fixes: 0af3fe1efa53 ("locktorture: Add a lock-torture kernel module")
+Reported-by: Will Deacon <will@kernel.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Acked-by: Will Deacon <will@kernel.org>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Josh Triplett <josh@joshtriplett.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/locking/locktorture.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/locking/locktorture.c
++++ b/kernel/locking/locktorture.c
+@@ -655,10 +655,10 @@ static void __torture_print_stats(char *
+ if (statp[i].n_lock_fail)
+ fail = true;
+ sum += statp[i].n_lock_acquired;
+- if (max < statp[i].n_lock_fail)
+- max = statp[i].n_lock_fail;
+- if (min > statp[i].n_lock_fail)
+- min = statp[i].n_lock_fail;
++ if (max < statp[i].n_lock_acquired)
++ max = statp[i].n_lock_acquired;
++ if (min > statp[i].n_lock_acquired)
++ min = statp[i].n_lock_acquired;
+ }
+ page += sprintf(page,
+ "%s: Total: %lld Max/Min: %ld/%ld %s Fail: %d %s\n",
--- /dev/null
+From 4da0ea71ea934af18db4c63396ba2af1a679ef02 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 28 Feb 2020 12:25:54 +0300
+Subject: mtd: lpddr: Fix a double free in probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 4da0ea71ea934af18db4c63396ba2af1a679ef02 upstream.
+
+This function is only called from lpddr_probe(). We free "lpddr" both
+here and in the caller, so it's a double free. The best place to free
+"lpddr" is in lpddr_probe() so let's delete this one.
+
+Fixes: 8dc004395d5e ("[MTD] LPDDR qinfo probing.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200228092554.o57igp3nqhyvf66t@kili.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/lpddr/lpddr_cmds.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/mtd/lpddr/lpddr_cmds.c
++++ b/drivers/mtd/lpddr/lpddr_cmds.c
+@@ -81,7 +81,6 @@ struct mtd_info *lpddr_cmdset(struct map
+ shared = kmalloc(sizeof(struct flchip_shared) * lpddr->numchips,
+ GFP_KERNEL);
+ if (!shared) {
+- kfree(lpddr);
+ kfree(mtd);
+ return NULL;
+ }
--- /dev/null
+From 49c64df880570034308e4a9a49c4bc95cf8cdb33 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wenyang@linux.alibaba.com>
+Date: Wed, 18 Mar 2020 23:31:56 +0800
+Subject: mtd: phram: fix a double free issue in error path
+
+From: Wen Yang <wenyang@linux.alibaba.com>
+
+commit 49c64df880570034308e4a9a49c4bc95cf8cdb33 upstream.
+
+The variable 'name' is released multiple times in the error path,
+which may cause double free issues.
+This problem is avoided by adding a goto label to release the memory
+uniformly. And this change also makes the code a bit more cleaner.
+
+Fixes: 4f678a58d335 ("mtd: fix memory leaks in phram_setup")
+Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
+Cc: Joern Engel <joern@lazybastard.org>
+Cc: Miquel Raynal <miquel.raynal@bootlin.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Vignesh Raghavendra <vigneshr@ti.com>
+Cc: linux-mtd@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200318153156.25612-1-wenyang@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/devices/phram.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/mtd/devices/phram.c
++++ b/drivers/mtd/devices/phram.c
+@@ -247,22 +247,25 @@ static int phram_setup(const char *val)
+
+ ret = parse_num64(&start, token[1]);
+ if (ret) {
+- kfree(name);
+ parse_err("illegal start address\n");
++ goto error;
+ }
+
+ ret = parse_num64(&len, token[2]);
+ if (ret) {
+- kfree(name);
+ parse_err("illegal device length\n");
++ goto error;
+ }
+
+ ret = register_device(name, start, len);
+- if (!ret)
+- pr_info("%s device: %#llx at %#llx\n", name, len, start);
+- else
+- kfree(name);
++ if (ret)
++ goto error;
+
++ pr_info("%s device: %#llx at %#llx\n", name, len, start);
++ return 0;
++
++error:
++ kfree(name);
+ return ret;
+ }
+
nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch
ext2-fix-empty-body-warnings-when-wextra-is-used.patch
iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch
+fbdev-potential-information-leak-in-do_fb_ioctl.patch
+tty-evh_bytechan-fix-out-of-bounds-accesses.patch
+locktorture-print-ratio-of-acquisitions-not-failures.patch
+mtd-lpddr-fix-a-double-free-in-probe.patch
+mtd-phram-fix-a-double-free-issue-in-error-path.patch
+x86-cpu-add-native-cpuid-variants-returning-a-single-datum.patch
+x86-microcode-intel-replace-sync_core-with-native_cpuid_reg-eax.patch
+x86-vdso-fix-lsl-operand-order.patch
--- /dev/null
+From 3670664b5da555a2a481449b3baafff113b0ac35 Mon Sep 17 00:00:00 2001
+From: Stephen Rothwell <sfr@canb.auug.org.au>
+Date: Thu, 9 Jan 2020 18:39:12 +1100
+Subject: tty: evh_bytechan: Fix out of bounds accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stephen Rothwell <sfr@canb.auug.org.au>
+
+commit 3670664b5da555a2a481449b3baafff113b0ac35 upstream.
+
+ev_byte_channel_send() assumes that its third argument is a 16 byte
+array. Some places where it is called it may not be (or we can't
+easily tell if it is). Newer compilers have started producing warnings
+about this, so make sure we actually pass a 16 byte array.
+
+There may be more elegant solutions to this, but the driver is quite
+old and hasn't been updated in many years.
+
+The warnings (from a powerpc allyesconfig build) are:
+
+ In file included from include/linux/byteorder/big_endian.h:5,
+ from arch/powerpc/include/uapi/asm/byteorder.h:14,
+ from include/asm-generic/bitops/le.h:6,
+ from arch/powerpc/include/asm/bitops.h:250,
+ from include/linux/bitops.h:29,
+ from include/linux/kernel.h:12,
+ from include/asm-generic/bug.h:19,
+ from arch/powerpc/include/asm/bug.h:109,
+ from include/linux/bug.h:5,
+ from include/linux/mmdebug.h:5,
+ from include/linux/gfp.h:5,
+ from include/linux/slab.h:15,
+ from drivers/tty/ehv_bytechan.c:24:
+ drivers/tty/ehv_bytechan.c: In function ‘ehv_bc_udbg_putc’:
+ arch/powerpc/include/asm/epapr_hcalls.h:298:20: warning: array subscript 1 is outside array bounds of ‘const char[1]’ [-Warray-bounds]
+ 298 | r6 = be32_to_cpu(p[1]);
+ include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of macro ‘__be32_to_cpu’
+ 40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
+ | ^
+ arch/powerpc/include/asm/epapr_hcalls.h:298:7: note: in expansion of macro ‘be32_to_cpu’
+ 298 | r6 = be32_to_cpu(p[1]);
+ | ^~~~~~~~~~~
+ drivers/tty/ehv_bytechan.c:166:13: note: while referencing ‘data’
+ 166 | static void ehv_bc_udbg_putc(char c)
+ | ^~~~~~~~~~~~~~~~
+
+Fixes: dcd83aaff1c8 ("tty/powerpc: introduce the ePAPR embedded hypervisor byte channel driver")
+Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Tested-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+[mpe: Trim warnings from change log]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200109183912.5fcb52aa@canb.auug.org.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/ehv_bytechan.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/ehv_bytechan.c
++++ b/drivers/tty/ehv_bytechan.c
+@@ -140,6 +140,21 @@ static int find_console_handle(void)
+ return 1;
+ }
+
++static unsigned int local_ev_byte_channel_send(unsigned int handle,
++ unsigned int *count,
++ const char *p)
++{
++ char buffer[EV_BYTE_CHANNEL_MAX_BYTES];
++ unsigned int c = *count;
++
++ if (c < sizeof(buffer)) {
++ memcpy(buffer, p, c);
++ memset(&buffer[c], 0, sizeof(buffer) - c);
++ p = buffer;
++ }
++ return ev_byte_channel_send(handle, count, p);
++}
++
+ /*************************** EARLY CONSOLE DRIVER ***************************/
+
+ #ifdef CONFIG_PPC_EARLY_DEBUG_EHV_BC
+@@ -158,7 +173,7 @@ static void byte_channel_spin_send(const
+
+ do {
+ count = 1;
+- ret = ev_byte_channel_send(CONFIG_PPC_EARLY_DEBUG_EHV_BC_HANDLE,
++ ret = local_ev_byte_channel_send(CONFIG_PPC_EARLY_DEBUG_EHV_BC_HANDLE,
+ &count, &data);
+ } while (ret == EV_EAGAIN);
+ }
+@@ -225,7 +240,7 @@ static int ehv_bc_console_byte_channel_s
+ while (count) {
+ len = min_t(unsigned int, count, EV_BYTE_CHANNEL_MAX_BYTES);
+ do {
+- ret = ev_byte_channel_send(handle, &len, s);
++ ret = local_ev_byte_channel_send(handle, &len, s);
+ } while (ret == EV_EAGAIN);
+ count -= len;
+ s += len;
+@@ -405,7 +420,7 @@ static void ehv_bc_tx_dequeue(struct ehv
+ CIRC_CNT_TO_END(bc->head, bc->tail, BUF_SIZE),
+ EV_BYTE_CHANNEL_MAX_BYTES);
+
+- ret = ev_byte_channel_send(bc->handle, &len, bc->buf + bc->tail);
++ ret = local_ev_byte_channel_send(bc->handle, &len, bc->buf + bc->tail);
+
+ /* 'len' is valid only if the return code is 0 or EV_EAGAIN */
+ if (!ret || (ret == EV_EAGAIN))
--- /dev/null
+From 5dedade6dfa243c130b85d1e4daba6f027805033 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Mon, 9 Jan 2017 12:41:43 +0100
+Subject: x86/CPU: Add native CPUID variants returning a single datum
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 5dedade6dfa243c130b85d1e4daba6f027805033 upstream.
+
+... similarly to the cpuid_<reg>() variants.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: http://lkml.kernel.org/r/20170109114147.5082-2-bp@alien8.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Evalds Iodzevics <evalds.iodzevics@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/processor.h | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/arch/x86/include/asm/processor.h
++++ b/arch/x86/include/asm/processor.h
+@@ -212,6 +212,24 @@ static inline void native_cpuid(unsigned
+ : "memory");
+ }
+
++#define native_cpuid_reg(reg) \
++static inline unsigned int native_cpuid_##reg(unsigned int op) \
++{ \
++ unsigned int eax = op, ebx, ecx = 0, edx; \
++ \
++ native_cpuid(&eax, &ebx, &ecx, &edx); \
++ \
++ return reg; \
++}
++
++/*
++ * Native CPUID functions returning a single datum.
++ */
++native_cpuid_reg(eax)
++native_cpuid_reg(ebx)
++native_cpuid_reg(ecx)
++native_cpuid_reg(edx)
++
+ static inline void load_cr3(pgd_t *pgdir)
+ {
+ write_cr3(__pa(pgdir));
--- /dev/null
+From evalds.iodzevics@gmail.com Wed Apr 22 10:26:17 2020
+From: Evalds Iodzevics <evalds.iodzevics@gmail.com>
+Date: Wed, 22 Apr 2020 11:17:59 +0300
+Subject: x86/microcode/intel: replace sync_core() with native_cpuid_reg(eax)
+To: linux-kernel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, tglx@linutronix.de, ben@decadent.org.uk, bp@suse.de, Evalds Iodzevics <evalds.iodzevics@gmail.com>, stable@vger.kernel.org
+Message-ID: <20200422081759.1632-1-evalds.iodzevics@gmail.com>
+
+From: Evalds Iodzevics <evalds.iodzevics@gmail.com>
+
+On Intel it is required to do CPUID(1) before reading the microcode
+revision MSR. Current code in 4.4 an 4.9 relies on sync_core() to call
+CPUID, unfortunately on 32 bit machines code inside sync_core() always
+jumps past CPUID instruction as it depends on data structure boot_cpu_data
+witch are not populated correctly so early in boot sequence.
+
+It depends on:
+commit 5dedade6dfa2 ("x86/CPU: Add native CPUID variants returning a single
+datum")
+
+This patch is for 4.4 but also should apply to 4.9
+
+Signed-off-by: Evalds Iodzevics <evalds.iodzevics@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/microcode_intel.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/microcode_intel.h
++++ b/arch/x86/include/asm/microcode_intel.h
+@@ -60,7 +60,7 @@ static inline u32 intel_get_microcode_re
+ native_wrmsrl(MSR_IA32_UCODE_REV, 0);
+
+ /* As documented in the SDM: Do a CPUID 1 here */
+- sync_core();
++ native_cpuid_eax(1);
+
+ /* get the current revision from MSR 0x8B */
+ native_rdmsr(MSR_IA32_UCODE_REV, dummy, rev);
--- /dev/null
+From e78e5a91456fcecaa2efbb3706572fe043766f4d Mon Sep 17 00:00:00 2001
+From: Samuel Neves <sneves@dei.uc.pt>
+Date: Sat, 1 Sep 2018 21:14:52 +0100
+Subject: x86/vdso: Fix lsl operand order
+
+From: Samuel Neves <sneves@dei.uc.pt>
+
+commit e78e5a91456fcecaa2efbb3706572fe043766f4d upstream.
+
+In the __getcpu function, lsl is using the wrong target and destination
+registers. Luckily, the compiler tends to choose %eax for both variables,
+so it has been working so far.
+
+Fixes: a582c540ac1b ("x86/vdso: Use RDPID in preference to LSL when available")
+Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Andy Lutomirski <luto@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180901201452.27828-1-sneves@dei.uc.pt
+Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/vgtod.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/vgtod.h
++++ b/arch/x86/include/asm/vgtod.h
+@@ -86,7 +86,7 @@ static inline unsigned int __getcpu(void
+ *
+ * If RDPID is available, use it.
+ */
+- alternative_io ("lsl %[p],%[seg]",
++ alternative_io ("lsl %[seg],%[p]",
+ ".byte 0xf3,0x0f,0xc7,0xf8", /* RDPID %eax/rax */
+ X86_FEATURE_RDPID,
+ [p] "=a" (p), [seg] "r" (__PER_CPU_SEG));
projects / thirdparty / kernel / stable-queue.git / commitdiff
