--- /dev/null
+From 1c826792586f526a5a5cd21d55aad388f5bb0b23 Mon Sep 17 00:00:00 2001
+From: Alexander Tsoy <alexander@tsoy.me>
+Date: Sat, 18 Apr 2020 20:58:15 +0300
+Subject: ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices
+
+From: Alexander Tsoy <alexander@tsoy.me>
+
+commit 1c826792586f526a5a5cd21d55aad388f5bb0b23 upstream.
+
+Many Focusrite devices supports a limited set of sample rates per
+altsetting. These includes audio interfaces with ADAT ports:
+ - Scarlett 18i6, 18i8 1st gen, 18i20 1st gen;
+ - Scarlett 18i8 2nd gen, 18i20 2nd gen;
+ - Scarlett 18i8 3rd gen, 18i20 3rd gen;
+ - Clarett 2Pre USB, 4Pre USB, 8Pre USB.
+
+Maximum rate is exposed in the last 4 bytes of Format Type descriptor
+which has a non-standard bLength = 10.
+
+Tested-by: Alexey Skobkin <skobkin-ru@ya.ru>
+Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200418175815.12211-1-alexander@tsoy.me
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/format.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 52 insertions(+)
+
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -221,6 +221,52 @@ static int parse_audio_format_rates_v1(s
+ }
+
+ /*
++ * Many Focusrite devices supports a limited set of sampling rates per
++ * altsetting. Maximum rate is exposed in the last 4 bytes of Format Type
++ * descriptor which has a non-standard bLength = 10.
++ */
++static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip,
++ struct audioformat *fp,
++ unsigned int rate)
++{
++ struct usb_interface *iface;
++ struct usb_host_interface *alts;
++ unsigned char *fmt;
++ unsigned int max_rate;
++
++ iface = usb_ifnum_to_if(chip->dev, fp->iface);
++ if (!iface)
++ return true;
++
++ alts = &iface->altsetting[fp->altset_idx];
++ fmt = snd_usb_find_csint_desc(alts->extra, alts->extralen,
++ NULL, UAC_FORMAT_TYPE);
++ if (!fmt)
++ return true;
++
++ if (fmt[0] == 10) { /* bLength */
++ max_rate = combine_quad(&fmt[6]);
++
++ /* Validate max rate */
++ if (max_rate != 48000 &&
++ max_rate != 96000 &&
++ max_rate != 192000 &&
++ max_rate != 384000) {
++
++ usb_audio_info(chip,
++ "%u:%d : unexpected max rate: %u\n",
++ fp->iface, fp->altsetting, max_rate);
++
++ return true;
++ }
++
++ return rate <= max_rate;
++ }
++
++ return true;
++}
++
++/*
+ * Helper function to walk the array of sample rate triplets reported by
+ * the device. The problem is that we need to parse whole array first to
+ * get to know how many sample rates we have to expect.
+@@ -256,6 +302,11 @@ static int parse_uac2_sample_rate_range(
+ }
+
+ for (rate = min; rate <= max; rate += res) {
++ /* Filter out invalid rates on Focusrite devices */
++ if (USB_ID_VENDOR(chip->usb_id) == 0x1235 &&
++ !focusrite_valid_sample_rate(chip, fp, rate))
++ goto skip_rate;
++
+ if (fp->rate_table)
+ fp->rate_table[nr_rates] = rate;
+ if (!fp->rate_min || rate < fp->rate_min)
+@@ -270,6 +321,7 @@ static int parse_uac2_sample_rate_range(
+ break;
+ }
+
++skip_rate:
+ /* avoid endless loop */
+ if (res == 0)
+ break;
--- /dev/null
+From 59e1947ca09ebd1cae147c08c7c41f3141233c84 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Thu, 23 Apr 2020 12:54:19 +0800
+Subject: ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit 59e1947ca09ebd1cae147c08c7c41f3141233c84 upstream.
+
+snd_microii_spdif_default_get() invokes snd_usb_lock_shutdown(), which
+increases the refcount of the snd_usb_audio object "chip".
+
+When snd_microii_spdif_default_get() returns, local variable "chip"
+becomes invalid, so the refcount should be decreased to keep refcount
+balanced.
+
+The reference counting issue happens in several exception handling paths
+of snd_microii_spdif_default_get(). When those error scenarios occur
+such as usb_ifnum_to_if() returns NULL, the function forgets to decrease
+the refcnt increased by snd_usb_lock_shutdown(), causing a refcnt leak.
+
+Fix this issue by jumping to "end" label when those error scenarios
+occur.
+
+Fixes: 447d6275f0c2 ("ALSA: usb-audio: Add sanity checks for endpoint accesses")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1587617711-13200-1-git-send-email-xiyuyang19@fudan.edu.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer_quirks.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -1519,11 +1519,15 @@ static int snd_microii_spdif_default_get
+
+ /* use known values for that card: interface#1 altsetting#1 */
+ iface = usb_ifnum_to_if(chip->dev, 1);
+- if (!iface || iface->num_altsetting < 2)
+- return -EINVAL;
++ if (!iface || iface->num_altsetting < 2) {
++ err = -EINVAL;
++ goto end;
++ }
+ alts = &iface->altsetting[1];
+- if (get_iface_desc(alts)->bNumEndpoints < 1)
+- return -EINVAL;
++ if (get_iface_desc(alts)->bNumEndpoints < 1) {
++ err = -EINVAL;
++ goto end;
++ }
+ ep = get_endpoint(alts, 0)->bEndpointAddress;
+
+ err = snd_usb_ctl_msg(chip->dev,
--- /dev/null
+From 7686e3485253635c529cdd5f416fc640abaf076f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 20 Apr 2020 09:55:29 +0200
+Subject: ALSA: usx2y: Fix potential NULL dereference
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7686e3485253635c529cdd5f416fc640abaf076f upstream.
+
+The error handling code in usX2Y_rate_set() may hit a potential NULL
+dereference when an error occurs before allocating all us->urb[].
+Add a proper NULL check for fixing the corner case.
+
+Reported-by: Lin Yi <teroincn@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200420075529.27203-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/usx2y/usbusx2yaudio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/usx2y/usbusx2yaudio.c
++++ b/sound/usb/usx2y/usbusx2yaudio.c
+@@ -691,6 +691,8 @@ static int usX2Y_rate_set(struct usX2Yde
+ us->submitted = 2*NOOF_SETRATE_URBS;
+ for (i = 0; i < NOOF_SETRATE_URBS; ++i) {
+ struct urb *urb = us->urb[i];
++ if (!urb)
++ continue;
+ if (urb->status) {
+ if (!err)
+ err = -ENODEV;
--- /dev/null
+From ebf1474745b4373fdde0fcf32d9d1f369b50b212 Mon Sep 17 00:00:00 2001
+From: Gyeongtaek Lee <gt82.lee@samsung.com>
+Date: Sat, 18 Apr 2020 13:13:20 +0900
+Subject: ASoC: dapm: fixup dapm kcontrol widget
+
+From: Gyeongtaek Lee <gt82.lee@samsung.com>
+
+commit ebf1474745b4373fdde0fcf32d9d1f369b50b212 upstream.
+
+snd_soc_dapm_kcontrol widget which is created by autodisable control
+should contain correct on_val, mask and shift because it is set when the
+widget is powered and changed value is applied on registers by following
+code in dapm_seq_run_coalesced().
+
+ mask |= w->mask << w->shift;
+ if (w->power)
+ value |= w->on_val << w->shift;
+ else
+ value |= w->off_val << w->shift;
+
+Shift on the mask in dapm_kcontrol_data_alloc() is removed to prevent
+double shift.
+And, on_val in dapm_kcontrol_set_value() is modified to get correct
+value in the dapm_seq_run_coalesced().
+
+Signed-off-by: Gyeongtaek Lee <gt82.lee@samsung.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/000001d61537$b212f620$1638e260$@samsung.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-dapm.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -384,7 +384,7 @@ static int dapm_kcontrol_data_alloc(stru
+
+ memset(&template, 0, sizeof(template));
+ template.reg = e->reg;
+- template.mask = e->mask << e->shift_l;
++ template.mask = e->mask;
+ template.shift = e->shift_l;
+ template.off_val = snd_soc_enum_item_to_val(e, 0);
+ template.on_val = template.off_val;
+@@ -510,8 +510,22 @@ static bool dapm_kcontrol_set_value(cons
+ if (data->value == value)
+ return false;
+
+- if (data->widget)
+- data->widget->on_val = value;
++ if (data->widget) {
++ switch (dapm_kcontrol_get_wlist(kcontrol)->widgets[0]->id) {
++ case snd_soc_dapm_switch:
++ case snd_soc_dapm_mixer:
++ case snd_soc_dapm_mixer_named_ctl:
++ data->widget->on_val = value & data->widget->mask;
++ break;
++ case snd_soc_dapm_demux:
++ case snd_soc_dapm_mux:
++ data->widget->on_val = value >> data->widget->shift;
++ break;
++ default:
++ data->widget->on_val = value;
++ break;
++ }
++ }
+
+ data->value = value;
+
--- /dev/null
+From 763dafc520add02a1f4639b500c509acc0ea8e5b Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Mon, 20 Apr 2020 16:24:34 -0400
+Subject: audit: check the length of userspace generated audit records
+
+From: Paul Moore <paul@paul-moore.com>
+
+commit 763dafc520add02a1f4639b500c509acc0ea8e5b upstream.
+
+Commit 756125289285 ("audit: always check the netlink payload length
+in audit_receive_msg()") fixed a number of missing message length
+checks, but forgot to check the length of userspace generated audit
+records. The good news is that you need CAP_AUDIT_WRITE to submit
+userspace audit records, which is generally only given to trusted
+processes, so the impact should be limited.
+
+Cc: stable@vger.kernel.org
+Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()")
+Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -941,6 +941,9 @@ static int audit_receive_msg(struct sk_b
+ case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
+ if (!audit_enabled && msg_type != AUDIT_USER_AVC)
+ return 0;
++ /* exit early if there isn't at least one character to print */
++ if (data_len < 2)
++ return -EINVAL;
+
+ err = audit_filter(msg_type, AUDIT_FILTER_USER);
+ if (err == 1) { /* match or error */
--- /dev/null
+From b6467ab142b708dd076f6186ca274f14af379c72 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 7 Apr 2020 23:40:58 -0700
+Subject: KVM: Check validity of resolved slot when searching memslots
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit b6467ab142b708dd076f6186ca274f14af379c72 upstream.
+
+Check that the resolved slot (somewhat confusingly named 'start') is a
+valid/allocated slot before doing the final comparison to see if the
+specified gfn resides in the associated slot. The resolved slot can be
+invalid if the binary search loop terminated because the search index
+was incremented beyond the number of used slots.
+
+This bug has existed since the binary search algorithm was introduced,
+but went unnoticed because KVM statically allocated memory for the max
+number of slots, i.e. the access would only be truly out-of-bounds if
+all possible slots were allocated and the specified gfn was less than
+the base of the lowest memslot. Commit 36947254e5f98 ("KVM: Dynamically
+size memslot array based on number of used slots") eliminated the "all
+possible slots allocated" condition and made the bug embarrasingly easy
+to hit.
+
+Fixes: 9c1a5d38780e6 ("kvm: optimize GFN to memslot lookup with large slots amount")
+Reported-by: syzbot+d889b59b2bb87d4047a2@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Message-Id: <20200408064059.8957-2-sean.j.christopherson@intel.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/kvm_host.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -914,7 +914,7 @@ search_memslots(struct kvm_memslots *slo
+ start = slot + 1;
+ }
+
+- if (gfn >= memslots[start].base_gfn &&
++ if (start < slots->used_slots && gfn >= memslots[start].base_gfn &&
+ gfn < memslots[start].base_gfn + memslots[start].npages) {
+ atomic_set(&slots->lru_slot, start);
+ return &memslots[start];
--- /dev/null
+From fb56baae5ea509e63c2a068d66a4d8ea91969fca Mon Sep 17 00:00:00 2001
+From: Uros Bizjak <ubizjak@gmail.com>
+Date: Tue, 14 Apr 2020 09:14:14 +0200
+Subject: KVM: VMX: Enable machine check support for 32bit targets
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+commit fb56baae5ea509e63c2a068d66a4d8ea91969fca upstream.
+
+There is no reason to limit the use of do_machine_check
+to 64bit targets. MCE handling works for both target familes.
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: stable@vger.kernel.org
+Fixes: a0861c02a981 ("KVM: Add VT-x machine check support")
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Message-Id: <20200414071414.45636-1-ubizjak@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5785,7 +5785,7 @@ static int handle_rmode_exception(struct
+ */
+ static void kvm_machine_check(void)
+ {
+-#if defined(CONFIG_X86_MCE) && defined(CONFIG_X86_64)
++#if defined(CONFIG_X86_MCE)
+ struct pt_regs regs = {
+ .cs = 3, /* Fake ring 3 no matter what the guest ran on */
+ .flags = X86_EFLAGS_IF,
--- /dev/null
+From 0c66847793d1982d1083dc6f7adad60fa265ce9c Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@mellanox.com>
+Date: Wed, 1 Aug 2018 14:25:39 -0700
+Subject: overflow.h: Add arithmetic shift helper
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+commit 0c66847793d1982d1083dc6f7adad60fa265ce9c upstream.
+
+Add shift_overflow() helper to assist driver authors in ensuring that
+shift operations don't cause overflows or other odd conditions.
+
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+[kees: tweaked comments and commit log, dropped unneeded assignment]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/overflow.h | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+--- a/include/linux/overflow.h
++++ b/include/linux/overflow.h
+@@ -202,4 +202,35 @@
+
+ #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
+
++/** check_shl_overflow() - Calculate a left-shifted value and check overflow
++ *
++ * @a: Value to be shifted
++ * @s: How many bits left to shift
++ * @d: Pointer to where to store the result
++ *
++ * Computes *@d = (@a << @s)
++ *
++ * Returns true if '*d' cannot hold the result or when 'a << s' doesn't
++ * make sense. Example conditions:
++ * - 'a << s' causes bits to be lost when stored in *d.
++ * - 's' is garbage (e.g. negative) or so large that the result of
++ * 'a << s' is guaranteed to be 0.
++ * - 'a' is negative.
++ * - 'a << s' sets the sign bit, if any, in '*d'.
++ *
++ * '*d' will hold the results of the attempted shift, but is not
++ * considered "safe for use" if false is returned.
++ */
++#define check_shl_overflow(a, s, d) ({ \
++ typeof(a) _a = a; \
++ typeof(s) _s = s; \
++ typeof(d) _d = d; \
++ u64 _a_full = _a; \
++ unsigned int _to_shift = \
++ _s >= 0 && _s < 8 * sizeof(*d) ? _s : 0; \
++ *_d = (_a_full << _to_shift); \
++ (_to_shift != _s || *_d < 0 || _a < 0 || \
++ (*_d >> _to_shift) != _a); \
++})
++
+ #endif /* __LINUX_OVERFLOW_H */
usb-add-usb_quirk_delay_ctrl_msg-and-usb_quirk_delay_init-for-corsair-k70-rgb-rapidfire.patch
usb-core-fix-free-while-in-use-bug-in-the-usb-s-glibrary.patch
usb-hub-fix-handling-of-connect-changes-during-sleep.patch
+overflow.h-add-arithmetic-shift-helper.patch
+vmalloc-fix-remap_vmalloc_range-bounds-checks.patch
+alsa-usx2y-fix-potential-null-dereference.patch
+alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch
+alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch
+tpm-tpm_tis-free-irq-if-probing-fails.patch
+kvm-check-validity-of-resolved-slot-when-searching-memslots.patch
+kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
+tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch
+tty-rocket-avoid-oob-access.patch
+usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch
+audit-check-the-length-of-userspace-generated-audit-records.patch
+asoc-dapm-fixup-dapm-kcontrol-widget.patch
--- /dev/null
+From b160c94be5d2816b62c8ac338605668304242959 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Date: Sun, 12 Apr 2020 20:04:12 +0300
+Subject: tpm/tpm_tis: Free IRQ if probing fails
+
+From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+
+commit b160c94be5d2816b62c8ac338605668304242959 upstream.
+
+Call disable_interrupts() if we have to revert to polling in order not to
+unnecessarily reserve the IRQ for the life-cycle of the driver.
+
+Cc: stable@vger.kernel.org # 4.5.x
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Fixes: e3837e74a06d ("tpm_tis: Refactor the interrupt setup")
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm_tis_core.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -329,6 +329,9 @@ static void disable_interrupts(struct tp
+ u32 intmask;
+ int rc;
+
++ if (priv->irq == 0)
++ return;
++
+ rc = tpm_tis_read32(priv, TPM_INT_ENABLE(priv->locality), &intmask);
+ if (rc < 0)
+ intmask = 0;
+@@ -786,9 +789,12 @@ int tpm_tis_core_init(struct device *dev
+ if (irq) {
+ tpm_tis_probe_irq_single(chip, intmask, IRQF_SHARED,
+ irq);
+- if (!(chip->flags & TPM_CHIP_FLAG_IRQ))
++ if (!(chip->flags & TPM_CHIP_FLAG_IRQ)) {
+ dev_err(&chip->dev, FW_BUG
+ "TPM interrupt not working, polling instead\n");
++
++ disable_interrupts(chip);
++ }
+ } else {
+ tpm_tis_probe_irq(chip, intmask);
+ }
--- /dev/null
+From 9a9fc42b86c06120744555fea43fdcabe297c656 Mon Sep 17 00:00:00 2001
+From: Andrew Melnychenko <andrew@daynix.com>
+Date: Tue, 14 Apr 2020 22:15:03 +0300
+Subject: tty: hvc: fix buffer overflow during hvc_alloc().
+
+From: Andrew Melnychenko <andrew@daynix.com>
+
+commit 9a9fc42b86c06120744555fea43fdcabe297c656 upstream.
+
+If there is a lot(more then 16) of virtio-console devices
+or virtio_console module is reloaded
+- buffers 'vtermnos' and 'cons_ops' are overflowed.
+In older kernels it overruns spinlock which leads to kernel freezing:
+https://bugzilla.redhat.com/show_bug.cgi?id=1786239
+
+To reproduce the issue, you can try simple script that
+loads/unloads module. Something like this:
+while [ 1 ]
+do
+ modprobe virtio_console
+ sleep 2
+ modprobe -r virtio_console
+ sleep 2
+done
+
+Description of problem:
+Guest get 'Call Trace' when loading module "virtio_console"
+and unloading it frequently - clearly reproduced on kernel-4.18.0:
+
+[ 81.498208] ------------[ cut here ]------------
+[ 81.499263] pvqspinlock: lock 0xffffffff92080020 has corrupted value 0xc0774ca0!
+[ 81.501000] WARNING: CPU: 0 PID: 785 at kernel/locking/qspinlock_paravirt.h:500 __pv_queued_spin_unlock_slowpath+0xc0/0xd0
+[ 81.503173] Modules linked in: virtio_console fuse xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nft_counter nf_nat_tftp nft_objref nf_conntrack_tftp tun bridge stp llc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 nft_chain_route_ipv6 nft_chain_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nft_chain_route_ipv4 ip6_tables nft_compat ip_set nf_tables nfnetlink sunrpc bochs_drm drm_vram_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm i2c_piix4 pcspkr crct10dif_pclmul crc32_pclmul joydev ghash_clmulni_intel ip_tables xfs libcrc32c sd_mod sg ata_generic ata_piix virtio_net libata crc32c_intel net_failover failover serio_raw virtio_scsi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: virtio_console]
+[ 81.517019] CPU: 0 PID: 785 Comm: kworker/0:2 Kdump: loaded Not tainted 4.18.0-167.el8.x86_64 #1
+[ 81.518639] Hardware name: Red Hat KVM, BIOS 1.12.0-5.scrmod+el8.2.0+5159+d8aa4d83 04/01/2014
+[ 81.520205] Workqueue: events control_work_handler [virtio_console]
+[ 81.521354] RIP: 0010:__pv_queued_spin_unlock_slowpath+0xc0/0xd0
+[ 81.522450] Code: 07 00 48 63 7a 10 e8 bf 64 f5 ff 66 90 c3 8b 05 e6 cf d6 01 85 c0 74 01 c3 8b 17 48 89 fe 48 c7 c7 38 4b 29 91 e8 3a 6c fa ff <0f> 0b c3 0f 0b 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48
+[ 81.525830] RSP: 0018:ffffb51a01ffbd70 EFLAGS: 00010282
+[ 81.526798] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000
+[ 81.528110] RDX: ffff9e66f1826480 RSI: ffff9e66f1816a08 RDI: ffff9e66f1816a08
+[ 81.529437] RBP: ffffffff9153ff10 R08: 000000000000026c R09: 0000000000000053
+[ 81.530732] R10: 0000000000000000 R11: ffffb51a01ffbc18 R12: ffff9e66cd682200
+[ 81.532133] R13: ffffffff9153ff10 R14: ffff9e6685569500 R15: ffff9e66cd682000
+[ 81.533442] FS: 0000000000000000(0000) GS:ffff9e66f1800000(0000) knlGS:0000000000000000
+[ 81.534914] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 81.535971] CR2: 00005624c55b14d0 CR3: 00000003a023c000 CR4: 00000000003406f0
+[ 81.537283] Call Trace:
+[ 81.537763] __raw_callee_save___pv_queued_spin_unlock_slowpath+0x11/0x20
+[ 81.539011] .slowpath+0x9/0xe
+[ 81.539585] hvc_alloc+0x25e/0x300
+[ 81.540237] init_port_console+0x28/0x100 [virtio_console]
+[ 81.541251] handle_control_message.constprop.27+0x1c4/0x310 [virtio_console]
+[ 81.542546] control_work_handler+0x70/0x10c [virtio_console]
+[ 81.543601] process_one_work+0x1a7/0x3b0
+[ 81.544356] worker_thread+0x30/0x390
+[ 81.545025] ? create_worker+0x1a0/0x1a0
+[ 81.545749] kthread+0x112/0x130
+[ 81.546358] ? kthread_flush_work_fn+0x10/0x10
+[ 81.547183] ret_from_fork+0x22/0x40
+[ 81.547842] ---[ end trace aa97649bd16c8655 ]---
+[ 83.546539] general protection fault: 0000 [#1] SMP NOPTI
+[ 83.547422] CPU: 5 PID: 3225 Comm: modprobe Kdump: loaded Tainted: G W --------- - - 4.18.0-167.el8.x86_64 #1
+[ 83.549191] Hardware name: Red Hat KVM, BIOS 1.12.0-5.scrmod+el8.2.0+5159+d8aa4d83 04/01/2014
+[ 83.550544] RIP: 0010:__pv_queued_spin_lock_slowpath+0x19a/0x2a0
+[ 83.551504] Code: c4 c1 ea 12 41 be 01 00 00 00 4c 8d 6d 14 41 83 e4 03 8d 42 ff 49 c1 e4 05 48 98 49 81 c4 40 a5 02 00 4c 03 24 c5 60 48 34 91 <49> 89 2c 24 b8 00 80 00 00 eb 15 84 c0 75 0a 41 0f b6 54 24 14 84
+[ 83.554449] RSP: 0018:ffffb51a0323fdb0 EFLAGS: 00010202
+[ 83.555290] RAX: 000000000000301c RBX: ffffffff92080020 RCX: 0000000000000001
+[ 83.556426] RDX: 000000000000301d RSI: 0000000000000000 RDI: 0000000000000000
+[ 83.557556] RBP: ffff9e66f196a540 R08: 000000000000028a R09: ffff9e66d2757788
+[ 83.558688] R10: 0000000000000000 R11: 0000000000000000 R12: 646e61725f770b07
+[ 83.559821] R13: ffff9e66f196a554 R14: 0000000000000001 R15: 0000000000180000
+[ 83.560958] FS: 00007fd5032e8740(0000) GS:ffff9e66f1940000(0000) knlGS:0000000000000000
+[ 83.562233] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 83.563149] CR2: 00007fd5022b0da0 CR3: 000000038c334000 CR4: 00000000003406e0
+
+Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200414191503.3471783-1-andrew@daynix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/hvc/hvc_console.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/drivers/tty/hvc/hvc_console.c
++++ b/drivers/tty/hvc/hvc_console.c
+@@ -289,10 +289,6 @@ int hvc_instantiate(uint32_t vtermno, in
+ vtermnos[index] = vtermno;
+ cons_ops[index] = ops;
+
+- /* reserve all indices up to and including this index */
+- if (last_hvc < index)
+- last_hvc = index;
+-
+ /* check if we need to re-register the kernel console */
+ hvc_check_console(index);
+
+@@ -896,13 +892,22 @@ struct hvc_struct *hvc_alloc(uint32_t vt
+ cons_ops[i] == hp->ops)
+ break;
+
+- /* no matching slot, just use a counter */
+- if (i >= MAX_NR_HVC_CONSOLES)
+- i = ++last_hvc;
++ if (i >= MAX_NR_HVC_CONSOLES) {
++
++ /* find 'empty' slot for console */
++ for (i = 0; i < MAX_NR_HVC_CONSOLES && vtermnos[i] != -1; i++) {
++ }
++
++ /* no matching slot, just use a counter */
++ if (i == MAX_NR_HVC_CONSOLES)
++ i = ++last_hvc + MAX_NR_HVC_CONSOLES;
++ }
+
+ hp->index = i;
+- cons_ops[i] = ops;
+- vtermnos[i] = vtermno;
++ if (i < MAX_NR_HVC_CONSOLES) {
++ cons_ops[i] = ops;
++ vtermnos[i] = vtermno;
++ }
+
+ list_add_tail(&(hp->next), &hvc_structs);
+ spin_unlock(&hvc_structs_lock);
--- /dev/null
+From 7127d24372bf23675a36edc64d092dc7fd92ebe8 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Fri, 17 Apr 2020 12:59:59 +0200
+Subject: tty: rocket, avoid OOB access
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 7127d24372bf23675a36edc64d092dc7fd92ebe8 upstream.
+
+init_r_port can access pc104 array out of bounds. pc104 is a 2D array
+defined to have 4 members. Each member has 8 submembers.
+* we can have more than 4 (PCI) boards, i.e. [board] can be OOB
+* line is not modulo-ed by anything, so the first line on the second
+ board can be 4, on the 3rd 12 or alike (depending on previously
+ registered boards). It's zero only on the first line of the first
+ board. So even [line] can be OOB, quite soon (with the 2nd registered
+ board already).
+
+This code is broken for ages, so just avoid the OOB accesses and don't
+try to fix it as we would need to find out the correct line number. Use
+the default: RS232, if we are out.
+
+Generally, if anyone needs to set the interface types, a module parameter
+is past the last thing that should be used for this purpose. The
+parameters' description says it's for ISA cards anyway.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: stable <stable@vger.kernel.org>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/r/20200417105959.15201-2-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/rocket.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+--- a/drivers/tty/rocket.c
++++ b/drivers/tty/rocket.c
+@@ -645,18 +645,21 @@ init_r_port(int board, int aiop, int cha
+ tty_port_init(&info->port);
+ info->port.ops = &rocket_port_ops;
+ info->flags &= ~ROCKET_MODE_MASK;
+- switch (pc104[board][line]) {
+- case 422:
+- info->flags |= ROCKET_MODE_RS422;
+- break;
+- case 485:
+- info->flags |= ROCKET_MODE_RS485;
+- break;
+- case 232:
+- default:
++ if (board < ARRAY_SIZE(pc104) && line < ARRAY_SIZE(pc104_1))
++ switch (pc104[board][line]) {
++ case 422:
++ info->flags |= ROCKET_MODE_RS422;
++ break;
++ case 485:
++ info->flags |= ROCKET_MODE_RS485;
++ break;
++ case 232:
++ default:
++ info->flags |= ROCKET_MODE_RS232;
++ break;
++ }
++ else
+ info->flags |= ROCKET_MODE_RS232;
+- break;
+- }
+
+ info->intmask = RXF_TRIG | TXFIFO_MT | SRC_INT | DELTA_CD | DELTA_CTS | DELTA_DSR;
+ if (sInitChan(ctlp, &info->channel, aiop, chan) == 0) {
--- /dev/null
+From 94f9c8c3c404ee1f7aaff81ad4f24aec4e34a78b Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 22 Apr 2020 16:14:57 -0400
+Subject: usb-storage: Add unusual_devs entry for JMicron JMS566
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 94f9c8c3c404ee1f7aaff81ad4f24aec4e34a78b upstream.
+
+Cyril Roelandt reports that his JMicron JMS566 USB-SATA bridge fails
+to handle WRITE commands with the FUA bit set, even though it claims
+to support FUA. (Oddly enough, a later version of the same bridge,
+version 2.03 as opposed to 1.14, doesn't claim to support FUA. Also
+oddly, the bridge _does_ support FUA when using the UAS transport
+instead of the Bulk-Only transport -- but this device was blacklisted
+for uas in commit bc3bdb12bbb3 ("usb-storage: Disable UAS on JMicron
+SATA enclosure") for apparently unrelated reasons.)
+
+This patch adds a usb-storage unusual_devs entry with the BROKEN_FUA
+flag. This allows the bridge to work properly with usb-storage.
+
+Reported-and-tested-by: Cyril Roelandt <tipecaml@gmail.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2004221613110.11262-100000@iolanthe.rowland.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2342,6 +2342,13 @@ UNUSUAL_DEV( 0x3340, 0xffff, 0x0000, 0x
+ USB_SC_DEVICE,USB_PR_DEVICE,NULL,
+ US_FL_MAX_SECTORS_64 ),
+
++/* Reported by Cyril Roelandt <tipecaml@gmail.com> */
++UNUSUAL_DEV( 0x357d, 0x7788, 0x0114, 0x0114,
++ "JMicron",
++ "USB to ATA/ATAPI Bridge",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_BROKEN_FUA ),
++
+ /* Reported by Andrey Rahmatullin <wrar@altlinux.org> */
+ UNUSUAL_DEV( 0x4102, 0x1020, 0x0100, 0x0100,
+ "iRiver",
--- /dev/null
+From bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Mon, 20 Apr 2020 18:14:11 -0700
+Subject: vmalloc: fix remap_vmalloc_range() bounds checks
+
+From: Jann Horn <jannh@google.com>
+
+commit bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 upstream.
+
+remap_vmalloc_range() has had various issues with the bounds checks it
+promises to perform ("This function checks that addr is a valid
+vmalloc'ed area, and that it is big enough to cover the vma") over time,
+e.g.:
+
+ - not detecting pgoff<<PAGE_SHIFT overflow
+
+ - not detecting (pgoff<<PAGE_SHIFT)+usize overflow
+
+ - not checking whether addr and addr+(pgoff<<PAGE_SHIFT) are the same
+ vmalloc allocation
+
+ - comparing a potentially wildly out-of-bounds pointer with the end of
+ the vmalloc region
+
+In particular, since commit fc9702273e2e ("bpf: Add mmap() support for
+BPF_MAP_TYPE_ARRAY"), unprivileged users can cause kernel null pointer
+dereferences by calling mmap() on a BPF map with a size that is bigger
+than the distance from the start of the BPF map to the end of the
+address space.
+
+This could theoretically be used as a kernel ASLR bypass, by using
+whether mmap() with a given offset oopses or returns an error code to
+perform a binary search over the possible address range.
+
+To allow remap_vmalloc_range_partial() to verify that addr and
+addr+(pgoff<<PAGE_SHIFT) are in the same vmalloc region, pass the offset
+to remap_vmalloc_range_partial() instead of adding it to the pointer in
+remap_vmalloc_range().
+
+In remap_vmalloc_range_partial(), fix the check against
+get_vm_area_size() by using size comparisons instead of pointer
+comparisons, and add checks for pgoff.
+
+Fixes: 833423143c3a ("[PATCH] mm: introduce remap_vmalloc_range()")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: stable@vger.kernel.org
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Yonghong Song <yhs@fb.com>
+Cc: Andrii Nakryiko <andriin@fb.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: KP Singh <kpsingh@chromium.org>
+Link: http://lkml.kernel.org/r/20200415222312.236431-1-jannh@google.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/vmcore.c | 2 +-
+ include/linux/vmalloc.h | 2 +-
+ mm/vmalloc.c | 16 +++++++++++++---
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/fs/proc/vmcore.c
++++ b/fs/proc/vmcore.c
+@@ -459,7 +459,7 @@ static int mmap_vmcore(struct file *file
+ tsz = min(elfcorebuf_sz + elfnotes_sz - (size_t)start, size);
+ kaddr = elfnotes_buf + start - elfcorebuf_sz;
+ if (remap_vmalloc_range_partial(vma, vma->vm_start + len,
+- kaddr, tsz))
++ kaddr, 0, tsz))
+ goto fail;
+ size -= tsz;
+ start += tsz;
+--- a/include/linux/vmalloc.h
++++ b/include/linux/vmalloc.h
+@@ -89,7 +89,7 @@ extern void vunmap(const void *addr);
+
+ extern int remap_vmalloc_range_partial(struct vm_area_struct *vma,
+ unsigned long uaddr, void *kaddr,
+- unsigned long size);
++ unsigned long pgoff, unsigned long size);
+
+ extern int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
+ unsigned long pgoff);
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -31,6 +31,7 @@
+ #include <linux/compiler.h>
+ #include <linux/llist.h>
+ #include <linux/bitops.h>
++#include <linux/overflow.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/tlbflush.h>
+@@ -2173,6 +2174,7 @@ finished:
+ * @vma: vma to cover
+ * @uaddr: target user address to start at
+ * @kaddr: virtual address of vmalloc kernel memory
++ * @pgoff: offset from @kaddr to start at
+ * @size: size of map area
+ *
+ * Returns: 0 for success, -Exxx on failure
+@@ -2185,9 +2187,15 @@ finished:
+ * Similar to remap_pfn_range() (see mm/memory.c)
+ */
+ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
+- void *kaddr, unsigned long size)
++ void *kaddr, unsigned long pgoff,
++ unsigned long size)
+ {
+ struct vm_struct *area;
++ unsigned long off;
++ unsigned long end_index;
++
++ if (check_shl_overflow(pgoff, PAGE_SHIFT, &off))
++ return -EINVAL;
+
+ size = PAGE_ALIGN(size);
+
+@@ -2201,8 +2209,10 @@ int remap_vmalloc_range_partial(struct v
+ if (!(area->flags & VM_USERMAP))
+ return -EINVAL;
+
+- if (kaddr + size > area->addr + get_vm_area_size(area))
++ if (check_add_overflow(size, off, &end_index) ||
++ end_index > get_vm_area_size(area))
+ return -EINVAL;
++ kaddr += off;
+
+ do {
+ struct page *page = vmalloc_to_page(kaddr);
+@@ -2241,7 +2251,7 @@ int remap_vmalloc_range(struct vm_area_s
+ unsigned long pgoff)
+ {
+ return remap_vmalloc_range_partial(vma, vma->vm_start,
+- addr + (pgoff << PAGE_SHIFT),
++ addr, pgoff,
+ vma->vm_end - vma->vm_start);
+ }
+ EXPORT_SYMBOL(remap_vmalloc_range);
projects / thirdparty / kernel / stable-queue.git / commitdiff
