From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 6 Dec 2020 10:20:38 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.14.211~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=135a79dbd1eec5018347ab8b49a1095054dbc90d;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
	alsa-usb-audio-us16x08-fix-value-count-for-level-meters.patch
	input-i8042-add-bytespeed-touchpad-to-noloop-table.patch
	input-xpad-support-ardwiino-controllers.patch
	rdma-i40iw-address-an-mmap-handler-exploit-in-i40iw.patch
	tracing-remove-warn_on-in-start_thread.patch
---

diff --git a/queue-4.19/alsa-usb-audio-us16x08-fix-value-count-for-level-meters.patch b/queue-4.19/alsa-usb-audio-us16x08-fix-value-count-for-level-meters.patch
new file mode 100644
index 00000000000..4c3ff33941d
--- /dev/null
+++ b/queue-4.19/alsa-usb-audio-us16x08-fix-value-count-for-level-meters.patch
@@ -0,0 +1,35 @@
+From 402d5840b0d40a2a26c8651165d29b534abb6d36 Mon Sep 17 00:00:00 2001
+From: Hector Martin <marcan@marcan.st>
+Date: Fri, 27 Nov 2020 22:26:35 +0900
+Subject: ALSA: usb-audio: US16x08: fix value count for level meters
+
+From: Hector Martin <marcan@marcan.st>
+
+commit 402d5840b0d40a2a26c8651165d29b534abb6d36 upstream.
+
+The level meter control returns 34 integers of info. This fixes:
+
+snd-usb-audio 3-1:1.0: control 2:0:0:Level Meter:0: access overflow
+
+Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Link: https://lore.kernel.org/r/20201127132635.18947-1-marcan@marcan.st
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer_us16x08.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/mixer_us16x08.c
++++ b/sound/usb/mixer_us16x08.c
+@@ -617,7 +617,7 @@ static int snd_us16x08_eq_put(struct snd
+ static int snd_us16x08_meter_info(struct snd_kcontrol *kcontrol,
+ 	struct snd_ctl_elem_info *uinfo)
+ {
+-	uinfo->count = 1;
++	uinfo->count = 34;
+ 	uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER;
+ 	uinfo->value.integer.max = 0x7FFF;
+ 	uinfo->value.integer.min = 0;
diff --git a/queue-4.19/input-i8042-add-bytespeed-touchpad-to-noloop-table.patch b/queue-4.19/input-i8042-add-bytespeed-touchpad-to-noloop-table.patch
new file mode 100644
index 00000000000..186eec40a03
--- /dev/null
+++ b/queue-4.19/input-i8042-add-bytespeed-touchpad-to-noloop-table.patch
@@ -0,0 +1,38 @@
+From a48491c65b513e5cdc3e7a886a4db915f848a5f5 Mon Sep 17 00:00:00 2001
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Date: Mon, 30 Nov 2020 22:39:40 -0800
+Subject: Input: i8042 - add ByteSpeed touchpad to noloop table
+
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+
+commit a48491c65b513e5cdc3e7a886a4db915f848a5f5 upstream.
+
+It looks like the C15B laptop got another vendor: ByteSpeed LLC.
+
+Avoid AUX loopback on this touchpad as well, thus input subsystem will
+be able to recognize a Synaptics touchpad in the AUX port.
+
+BugLink: https://bugs.launchpad.net/bugs/1906128
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Link: https://lore.kernel.org/r/20201201054723.5939-1-po-hsu.lin@canonical.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042-x86ia64io.h |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -223,6 +223,10 @@ static const struct dmi_system_id __init
+ 			DMI_MATCH(DMI_SYS_VENDOR, "PEGATRON CORPORATION"),
+ 			DMI_MATCH(DMI_PRODUCT_NAME, "C15B"),
+ 		},
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "ByteSpeed LLC"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "ByteSpeed Laptop C15B"),
++		},
+ 	},
+ 	{ }
+ };
diff --git a/queue-4.19/input-xpad-support-ardwiino-controllers.patch b/queue-4.19/input-xpad-support-ardwiino-controllers.patch
new file mode 100644
index 00000000000..7a4316abc0d
--- /dev/null
+++ b/queue-4.19/input-xpad-support-ardwiino-controllers.patch
@@ -0,0 +1,39 @@
+From 2aab1561439032be2e98811dd0ddbeb5b2ae4c61 Mon Sep 17 00:00:00 2001
+From: Sanjay Govind <sanjay.govind9@gmail.com>
+Date: Mon, 30 Nov 2020 23:41:48 -0800
+Subject: Input: xpad - support Ardwiino Controllers
+
+From: Sanjay Govind <sanjay.govind9@gmail.com>
+
+commit 2aab1561439032be2e98811dd0ddbeb5b2ae4c61 upstream.
+
+This commit adds support for Ardwiino Controllers
+
+Signed-off-by: Sanjay Govind <sanjay.govind9@gmail.com>
+Link: https://lore.kernel.org/r/20201201071922.131666-1-sanjay.govind9@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/xpad.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -255,6 +255,7 @@ static const struct xpad_device {
+ 	{ 0x1038, 0x1430, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 },
+ 	{ 0x1038, 0x1431, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 },
+ 	{ 0x11c9, 0x55f0, "Nacon GC-100XF", 0, XTYPE_XBOX360 },
++	{ 0x1209, 0x2882, "Ardwiino Controller", 0, XTYPE_XBOX360 },
+ 	{ 0x12ab, 0x0004, "Honey Bee Xbox360 dancepad", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360 },
+ 	{ 0x12ab, 0x0301, "PDP AFTERGLOW AX.1", 0, XTYPE_XBOX360 },
+ 	{ 0x12ab, 0x0303, "Mortal Kombat Klassic FightStick", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 },
+@@ -432,6 +433,7 @@ static const struct usb_device_id xpad_t
+ 	XPAD_XBOXONE_VENDOR(0x0f0d),		/* Hori Controllers */
+ 	XPAD_XBOX360_VENDOR(0x1038),		/* SteelSeries Controllers */
+ 	XPAD_XBOX360_VENDOR(0x11c9),		/* Nacon GC100XF */
++	XPAD_XBOX360_VENDOR(0x1209),		/* Ardwiino Controllers */
+ 	XPAD_XBOX360_VENDOR(0x12ab),		/* X-Box 360 dance pads */
+ 	XPAD_XBOX360_VENDOR(0x1430),		/* RedOctane X-Box 360 controllers */
+ 	XPAD_XBOX360_VENDOR(0x146b),		/* BigBen Interactive Controllers */
diff --git a/queue-4.19/rdma-i40iw-address-an-mmap-handler-exploit-in-i40iw.patch b/queue-4.19/rdma-i40iw-address-an-mmap-handler-exploit-in-i40iw.patch
new file mode 100644
index 00000000000..6be13e17db7
--- /dev/null
+++ b/queue-4.19/rdma-i40iw-address-an-mmap-handler-exploit-in-i40iw.patch
@@ -0,0 +1,105 @@
+From 2ed381439e89fa6d1a0839ef45ccd45d99d8e915 Mon Sep 17 00:00:00 2001
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+Date: Tue, 24 Nov 2020 18:56:16 -0600
+Subject: RDMA/i40iw: Address an mmap handler exploit in i40iw
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+commit 2ed381439e89fa6d1a0839ef45ccd45d99d8e915 upstream.
+
+i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page mmap
+vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range
+without any validation. This is vulnerable to an mmap exploit as described
+in: https://lore.kernel.org/r/20201119093523.7588-1-zhudi21@huawei.com
+
+The push feature is disabled in the driver currently and therefore no push
+mmaps are issued from user-space. The feature does not work as expected in
+the x722 product.
+
+Remove the push module parameter and all VMA attribute manipulations for
+this feature in i40iw_mmap. Update i40iw_mmap to only allow DB user
+mmapings at offset = 0. Check vm_pgoff for zero and if the mmaps are bound
+to a single page.
+
+Cc: <stable@kernel.org>
+Fixes: d37498417947 ("i40iw: add files for iwarp interface")
+Link: https://lore.kernel.org/r/20201125005616.1800-2-shiraz.saleem@intel.com
+Reported-by: Di Zhu <zhudi21@huawei.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw_main.c  |    5 ----
+ drivers/infiniband/hw/i40iw/i40iw_verbs.c |   36 +++++-------------------------
+ 2 files changed, 7 insertions(+), 34 deletions(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_main.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_main.c
+@@ -54,10 +54,6 @@
+ #define DRV_VERSION	__stringify(DRV_VERSION_MAJOR) "."		\
+ 	__stringify(DRV_VERSION_MINOR) "." __stringify(DRV_VERSION_BUILD)
+ 
+-static int push_mode;
+-module_param(push_mode, int, 0644);
+-MODULE_PARM_DESC(push_mode, "Low latency mode: 0=disabled (default), 1=enabled)");
+-
+ static int debug;
+ module_param(debug, int, 0644);
+ MODULE_PARM_DESC(debug, "debug flags: 0=disabled (default), 0x7fffffff=all");
+@@ -1584,7 +1580,6 @@ static enum i40iw_status_code i40iw_setu
+ 	if (status)
+ 		goto exit;
+ 	iwdev->obj_next = iwdev->obj_mem;
+-	iwdev->push_mode = push_mode;
+ 
+ 	init_waitqueue_head(&iwdev->vchnl_waitq);
+ 	init_waitqueue_head(&dev->vf_reqs);
+--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+@@ -201,38 +201,16 @@ static int i40iw_dealloc_ucontext(struct
+  */
+ static int i40iw_mmap(struct ib_ucontext *context, struct vm_area_struct *vma)
+ {
+-	struct i40iw_ucontext *ucontext;
+-	u64 db_addr_offset;
+-	u64 push_offset;
++	struct i40iw_ucontext *ucontext = to_ucontext(context);
++	u64 dbaddr;
+ 
+-	ucontext = to_ucontext(context);
+-	if (ucontext->iwdev->sc_dev.is_pf) {
+-		db_addr_offset = I40IW_DB_ADDR_OFFSET;
+-		push_offset = I40IW_PUSH_OFFSET;
+-		if (vma->vm_pgoff)
+-			vma->vm_pgoff += I40IW_PF_FIRST_PUSH_PAGE_INDEX - 1;
+-	} else {
+-		db_addr_offset = I40IW_VF_DB_ADDR_OFFSET;
+-		push_offset = I40IW_VF_PUSH_OFFSET;
+-		if (vma->vm_pgoff)
+-			vma->vm_pgoff += I40IW_VF_FIRST_PUSH_PAGE_INDEX - 1;
+-	}
++	if (vma->vm_pgoff || vma->vm_end - vma->vm_start != PAGE_SIZE)
++		return -EINVAL;
+ 
+-	vma->vm_pgoff += db_addr_offset >> PAGE_SHIFT;
++	dbaddr = I40IW_DB_ADDR_OFFSET + pci_resource_start(ucontext->iwdev->ldev->pcidev, 0);
+ 
+-	if (vma->vm_pgoff == (db_addr_offset >> PAGE_SHIFT)) {
+-		vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+-		vma->vm_private_data = ucontext;
+-	} else {
+-		if ((vma->vm_pgoff - (push_offset >> PAGE_SHIFT)) % 2)
+-			vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+-		else
+-			vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot);
+-	}
+-
+-	if (io_remap_pfn_range(vma, vma->vm_start,
+-			       vma->vm_pgoff + (pci_resource_start(ucontext->iwdev->ldev->pcidev, 0) >> PAGE_SHIFT),
+-			       PAGE_SIZE, vma->vm_page_prot))
++	if (io_remap_pfn_range(vma, vma->vm_start, dbaddr >> PAGE_SHIFT, PAGE_SIZE,
++			       pgprot_noncached(vma->vm_page_prot)))
+ 		return -EAGAIN;
+ 
+ 	return 0;
diff --git a/queue-4.19/series b/queue-4.19/series
index 35b46493d3a..357037dc6f1 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -25,3 +25,8 @@ net-mvpp2-fix-error-return-code-in-mvpp2_open.patch
 net-mlx5-fix-wrong-address-reclaim-when-command-interface-is-down.patch
 chelsio-chtls-fix-panic-during-unload-reload-chtls.patch
 dt-bindings-net-correct-interrupt-flags-in-examples.patch
+alsa-usb-audio-us16x08-fix-value-count-for-level-meters.patch
+input-xpad-support-ardwiino-controllers.patch
+input-i8042-add-bytespeed-touchpad-to-noloop-table.patch
+tracing-remove-warn_on-in-start_thread.patch
+rdma-i40iw-address-an-mmap-handler-exploit-in-i40iw.patch
diff --git a/queue-4.19/tracing-remove-warn_on-in-start_thread.patch b/queue-4.19/tracing-remove-warn_on-in-start_thread.patch
new file mode 100644
index 00000000000..a09da250a01
--- /dev/null
+++ b/queue-4.19/tracing-remove-warn_on-in-start_thread.patch
@@ -0,0 +1,56 @@
+From 310e3a4b5a4fc718a72201c1e4cf5c64ac6f5442 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Wed, 18 Nov 2020 15:05:20 +0300
+Subject: tracing: Remove WARN_ON in start_thread()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 310e3a4b5a4fc718a72201c1e4cf5c64ac6f5442 upstream.
+
+This patch reverts commit 978defee11a5 ("tracing: Do a WARN_ON()
+ if start_thread() in hwlat is called when thread exists")
+
+.start hook can be legally called several times if according
+tracer is stopped
+
+screen window 1
+[root@localhost ~]# echo 1 > /sys/kernel/tracing/events/kmem/kfree/enable
+[root@localhost ~]# echo 1 > /sys/kernel/tracing/options/pause-on-trace
+[root@localhost ~]# less -F /sys/kernel/tracing/trace
+
+screen window 2
+[root@localhost ~]# cat /sys/kernel/debug/tracing/tracing_on
+0
+[root@localhost ~]# echo hwlat >  /sys/kernel/debug/tracing/current_tracer
+[root@localhost ~]# echo 1 > /sys/kernel/debug/tracing/tracing_on
+[root@localhost ~]# cat /sys/kernel/debug/tracing/tracing_on
+0
+[root@localhost ~]# echo 2 > /sys/kernel/debug/tracing/tracing_on
+
+triggers warning in dmesg:
+WARNING: CPU: 3 PID: 1403 at kernel/trace/trace_hwlat.c:371 hwlat_tracer_start+0xc9/0xd0
+
+Link: https://lkml.kernel.org/r/bd4d3e70-400d-9c82-7b73-a2d695e86b58@virtuozzo.com
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 978defee11a5 ("tracing: Do a WARN_ON() if start_thread() in hwlat is called when thread exists")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_hwlat.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_hwlat.c
++++ b/kernel/trace/trace_hwlat.c
+@@ -355,7 +355,7 @@ static int start_kthread(struct trace_ar
+ 	struct task_struct *kthread;
+ 	int next_cpu;
+ 
+-	if (WARN_ON(hwlat_kthread))
++	if (hwlat_kthread)
+ 		return 0;
+ 
+ 	/* Just pick the first CPU on first iteration */