From: Sasha Levin
Date: Fri, 10 Jul 2020 00:37:25 +0000 (-0400)
Subject: Fixes for 4.9
X-Git-Tag: v5.7.9~42
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=27ef8bb8a3e3a464f8ec4eb9fa37ddb8c407681d;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.9
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch b/queue-4.9/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch
new file mode 100644
index 00000000000..56ec538bc6e
--- /dev/null
+++ b/queue-4.9/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch
@@ -0,0 +1,71 @@
+From 57d92ce20ccb3060a38877b52218712a500dd5ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Jun 2020 20:54:49 +0800
+Subject: ARM: imx6: add missing put_device() call in imx6q_suspend_init()
+
+From: yu kuai
+
+[ Upstream commit 4845446036fc9c13f43b54a65c9b757c14f5141b ]
+
+if of_find_device_by_node() succeed, imx6q_suspend_init() doesn't have a
+corresponding put_device(). Thus add a jump target to fix the exception
+handling for this function implementation.
+
+Signed-off-by: yu kuai
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-imx/pm-imx6.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
+index dd9eb3f14f45c..6da26692f2fde 100644
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -481,14 +481,14 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata)
+ if (!ocram_pool) {
+ pr_warn("%s: ocram pool unavailable!\n", __func__);
+ ret = -ENODEV;
+- goto put_node;
++ goto put_device;
+ }
+ 
+ ocram_base = gen_pool_alloc(ocram_pool, MX6Q_SUSPEND_OCRAM_SIZE);
+ if (!ocram_base) {
+ pr_warn("%s: unable to alloc ocram!\n", __func__);
+ ret = -ENOMEM;
+- goto put_node;
++ goto put_device;
+ }
+ 
+ ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base);
+@@ -511,7 +511,7 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata)
+ ret = imx6_pm_get_base(&pm_info->mmdc_base, socdata->mmdc_compat);
+ if (ret) {
+ pr_warn("%s: failed to get mmdc base %d!\n", __func__, ret);
+- goto put_node;
++ goto put_device;
+ }
+ 
+ ret = imx6_pm_get_base(&pm_info->src_base, socdata->src_compat);
+@@ -558,7 +558,7 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata)
+ &imx6_suspend,
+ MX6Q_SUSPEND_OCRAM_SIZE - sizeof(*pm_info));
+ 
+- goto put_node;
++ goto put_device;
+ 
+ pl310_cache_map_failed:
+ iounmap(pm_info->gpc_base.vbase);
+@@ -568,6 +568,8 @@ iomuxc_map_failed:
+ iounmap(pm_info->src_base.vbase);
+ src_map_failed:
+ iounmap(pm_info->mmdc_base.vbase);
++put_device:
++ put_device(&pdev->dev);
+ put_node:
+ of_node_put(node);
+ 
+-- 
+2.25.1
+
diff --git a/queue-4.9/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch b/queue-4.9/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch
new file mode 100644
index 00000000000..4713590681c
--- /dev/null
+++ b/queue-4.9/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch
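Review bot: The new `put_device:` label is placed directly above `put_node:`, so every unwind path from `pl310_cache_map_failed` downward now drops the pdev reference before the node reference, which is the right order for those paths; the part of imx6q_suspend_init() where `pdev` is obtained from of_find_device_by_node() is outside the hunk, and its `!pdev` early exit must keep targeting `put_node`, because `put_device(&pdev->dev)` with a NULL pdev would dereference it. A one-line comment on the label would record that rule for the next person who adds an error path: `/* put_device: reached only after of_find_device_by_node() succeeded */`. The function starts outside the hunk, so the early-exit target cannot be confirmed here.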
@@ -0,0 +1,106 @@
+From 96929d575b8921e10268c7f8456188ca6c14b0df Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Jul 2020 12:50:23 -0700
+Subject: arm64: entry: Place an SB sequence following an ERET instruction
+
+From: Will Deacon
+
+commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8 upstream
+
+Some CPUs can speculate past an ERET instruction and potentially perform
+speculative accesses to memory before processing the exception return.
+Since the register state is often controlled by a lower privilege level
+at the point of an ERET, this could potentially be used as part of a
+side-channel attack.
+
+This patch emits an SB sequence after each ERET so that speculation is
+held up on exception return.
+
+Signed-off-by: Will Deacon
+[florian: Adjust hyp-entry.S to account for the label
+ added change to hyp/entry.S]
+Signed-off-by: Florian Fainelli
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/entry.S | 2 ++
+ arch/arm64/kvm/hyp/entry.S | 2 ++
+ arch/arm64/kvm/hyp/hyp-entry.S | 4 ++++
+ 3 files changed, 8 insertions(+)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index ca978d7d98eb4..3408c782702c2 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -255,6 +255,7 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
+ .else
+ eret
+ .endif
++ sb
+ .endm
+ 
+ .macro get_thread_info, rd
+@@ -945,6 +946,7 @@ __ni_sys_trace:
+ mrs x30, far_el1
+ .endif
+ eret
++ sb
+ .endm
+ 
+ .align 11
+diff --git a/arch/arm64/kvm/hyp/entry.S b/arch/arm64/kvm/hyp/entry.S
+index a360ac6e89e9d..93704e6894d2e 100644
+--- a/arch/arm64/kvm/hyp/entry.S
++++ b/arch/arm64/kvm/hyp/entry.S
+@@ -83,6 +83,7 @@ ENTRY(__guest_enter)
+ 
+ // Do not touch any register after this!
+ eret
++ sb
+ ENDPROC(__guest_enter)
+ 
+ ENTRY(__guest_exit)
+@@ -195,4 +196,5 @@ alternative_endif
+ ldp x0, x1, [sp], #16
+ 
+ eret
++ sb
+ ENDPROC(__fpsimd_guest_restore)
+diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S
+index bf4988f9dae8f..3675e7f0ab726 100644
+--- a/arch/arm64/kvm/hyp/hyp-entry.S
++++ b/arch/arm64/kvm/hyp/hyp-entry.S
+@@ -97,6 +97,7 @@ el1_sync: // Guest trapped into EL2
+ do_el2_call
+ 
+ 2: eret
++ sb
+ 
+ el1_hvc_guest:
+ /*
+@@ -147,6 +148,7 @@ wa_epilogue:
+ mov x0, xzr
+ add sp, sp, #16
+ eret
++ sb
+ 
+ el1_trap:
+ get_vcpu_ptr x1, x0
+@@ -198,6 +200,7 @@ el2_error:
+ b.ne __hyp_panic
+ mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT)
+ eret
++ sb
+ 
+ ENTRY(__hyp_do_panic)
+ mov lr, #(PSR_F_BIT | PSR_I_BIT | PSR_A_BIT | PSR_D_BIT |\
+@@ -206,6 +209,7 @@ ENTRY(__hyp_do_panic)
+ ldr lr, =panic
+ msr elr_el2, lr
+ eret
++ sb
+ ENDPROC(__hyp_do_panic)
+ 
+ ENTRY(__hyp_panic)
+-- 
+2.25.1
+
diff --git a/queue-4.9/cifs-update-ctime-and-mtime-during-truncate.patch b/queue-4.9/cifs-update-ctime-and-mtime-during-truncate.patch
new file mode 100644
index 00000000000..eb9f0d9224f
--- /dev/null
+++ b/queue-4.9/cifs-update-ctime-and-mtime-during-truncate.patch
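Review bot: Each added `sb` depends on an `sb` assembler macro (or on assembler support for the SB instruction) that nothing in this series adds, so the backport presumably assumes the macro is already present in the 4.9 tree; that is worth confirming before queuing, since without it a bare `sb` mnemonic fails to assemble on older binutils. If the macro is present, a short comment at the first site in entry.S would help later backports understand the pairing: `// sb: hold up speculation past ERET (macro in asm/assembler.h)`. The placement is otherwise consistent across all eight ERET sites in the three files, including the `2: eret` and `wa_epilogue` paths in hyp-entry.S where the returning register state is guest-controlled.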
@@ -0,0 +1,49 @@
+From b8d41ab8b1a2823293543a075345460b38aca61d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Jun 2020 22:51:29 -0400
+Subject: cifs: update ctime and mtime during truncate
+
+From: Zhang Xiaoxu
+
+[ Upstream commit 5618303d8516f8ac5ecfe53ee8e8bc9a40eaf066 ]
+
+As the man description of the truncate, if the size changed,
+then the st_ctime and st_mtime fields should be updated. But
+in cifs, we doesn't do it.
+
+It lead the xfstests generic/313 failed.
+
+So, add the ATTR_MTIME|ATTR_CTIME flags on attrs when change
+the file size
+
+Reported-by: Hulk Robot
+Signed-off-by: Zhang Xiaoxu
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/inode.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
+index 3dad943da956f..acd8e0dccab4c 100644
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -2194,6 +2194,15 @@ set_size_out:
+ if (rc == 0) {
+ cifsInode->server_eof = attrs->ia_size;
+ cifs_setsize(inode, attrs->ia_size);
++
++ /*
++ * The man page of truncate says if the size changed,
++ * then the st_ctime and st_mtime fields for the file
++ * are updated.
++ */
++ attrs->ia_ctime = attrs->ia_mtime = current_time(inode);
++ attrs->ia_valid |= ATTR_CTIME | ATTR_MTIME;
++
+ cifs_truncate_page(inode->i_mapping, inode->i_size);
+ }
+ 
+-- 
+2.25.1
+
diff --git a/queue-4.9/gpu-host1x-detach-driver-on-unregister.patch b/queue-4.9/gpu-host1x-detach-driver-on-unregister.patch
new file mode 100644
index 00000000000..0d6681d914a
--- /dev/null
+++ b/queue-4.9/gpu-host1x-detach-driver-on-unregister.patch
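Review bot: The added comment says the timestamps are updated "if the size changed", but the code sets ATTR_CTIME|ATTR_MTIME whenever `rc == 0`, so a truncate to the current size also bumps both times; if that is intended (it matches what ftruncate does through the VFS), the comment should say so rather than quote the size-changed wording, e.g. `/* Like the VFS does for ftruncate, bump ctime/mtime on every successful size set */`. A same-size check cannot simply be added here, because cifs_setsize() two lines above has already stored the new size in the inode, so the old size would have to be captured earlier in the function. The new values are written only into `attrs`; whether they reach the inode and the server depends on what the caller does with `attrs` after this returns, which is outside the hunk.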
@@ -0,0 +1,55 @@
+From d71bf4bf34ec8339d83fe1c1fad7a40ea0aaa2b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Apr 2020 19:38:02 +0200
+Subject: gpu: host1x: Detach driver on unregister
+
+From: Thierry Reding
+
+[ Upstream commit d9a0a05bf8c76e6dc79230669a8b5d685b168c30 ]
+
+Currently when a host1x device driver is unregistered, it is not
+detached from the host1x controller, which means that the device
+will stay around and when the driver is registered again, it may
+bind to the old, stale device rather than the new one that was
+created from scratch upon driver registration. This in turn can
+cause various weird crashes within the driver core because it is
+confronted with a device that was already deleted.
+
+Fix this by detaching the driver from the host1x controller when
+it is unregistered. This ensures that the deleted device also is
+no longer present in the device list that drivers will bind to.
+
+Reported-by: Sowjanya Komatineni
+Signed-off-by: Thierry Reding
+Tested-by: Sowjanya Komatineni
+Signed-off-by: Thierry Reding
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/host1x/bus.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c
+index c27858ae05529..6ef89e8a515a9 100644
+--- a/drivers/gpu/host1x/bus.c
++++ b/drivers/gpu/host1x/bus.c
+@@ -542,8 +542,17 @@ EXPORT_SYMBOL(host1x_driver_register_full);
+ 
+ void host1x_driver_unregister(struct host1x_driver *driver)
+ {
++ struct host1x *host1x;
++
+ driver_unregister(&driver->driver);
+ 
++ mutex_lock(&devices_lock);
++
++ list_for_each_entry(host1x, &devices, list)
++ host1x_detach_driver(host1x, driver);
++
++ mutex_unlock(&devices_lock);
++
+ mutex_lock(&drivers_lock);
+ list_del_init(&driver->list);
+ mutex_unlock(&drivers_lock);
+-- 
+2.25.1
+
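Review bot: The detach loop runs under devices_lock but the driver is only removed from the `drivers` list afterwards, under a separately taken drivers_lock, so there is a window between `mutex_unlock(&devices_lock)` and `list_del_init(&driver->list)` in which a controller registering concurrently would still find this driver on the list and attach it again, leaving a stale device behind exactly as the commit message describes — assuming host1x_register() walks `drivers` and attaches each, which is outside the hunk. Taking the driver off the list first and detaching it from the controllers second would close that window without changing the locking scheme; if the two locks are never nested this is a straightforward reorder of the two blocks. At minimum the ordering assumption deserves a comment above the loop: `/* NOTE: driver is still on the drivers list here; a concurrent host1x_register() may re-attach it */`.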
diff --git a/queue-4.9/s390-kasan-fix-early-pgm-check-handler-execution.patch b/queue-4.9/s390-kasan-fix-early-pgm-check-handler-execution.patch
new file mode 100644
index 00000000000..11a97f5ff17
--- /dev/null
+++ b/queue-4.9/s390-kasan-fix-early-pgm-check-handler-execution.patch
@@ -0,0 +1,42 @@
+From faf0f85f8d2a23571fd5a99ca98a3d6567c8f164 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Jun 2020 15:05:49 +0200
+Subject: s390/kasan: fix early pgm check handler execution
+
+From: Vasily Gorbik
+
+[ Upstream commit 998f5bbe3dbdab81c1cfb1aef7c3892f5d24f6c7 ]
+
+Currently if early_pgm_check_handler is called it ends up in pgm check
+loop. The problem is that early_pgm_check_handler is instrumented by
+KASAN but executed without DAT flag enabled which leads to addressing
+exception when KASAN checks try to access shadow memory.
+
+Fix that by executing early handlers with DAT flag on under KASAN as
+expected.
+
+Reported-and-tested-by: Alexander Egorenkov
+Reviewed-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Heiko Carstens
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kernel/early.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
+index a651c2bc94ef8..f862cc27fe98f 100644
+--- a/arch/s390/kernel/early.c
++++ b/arch/s390/kernel/early.c
+@@ -288,6 +288,8 @@ static noinline __init void setup_lowcore_early(void)
+ psw_t psw;
+ 
+ psw.mask = PSW_MASK_BASE | PSW_DEFAULT_KEY | PSW_MASK_EA | PSW_MASK_BA;
++ if (IS_ENABLED(CONFIG_KASAN))
++ psw.mask |= PSW_MASK_DAT;
+ psw.addr = (unsigned long) s390_base_ext_handler;
+ S390_lowcore.external_new_psw = psw;
+ psw.addr = (unsigned long) s390_base_pgm_handler;
+-- 
+2.25.1
+
diff --git a/queue-4.9/scsi-mptscsih-fix-read-sense-data-size.patch b/queue-4.9/scsi-mptscsih-fix-read-sense-data-size.patch
new file mode 100644
index 00000000000..e99219094f9
--- /dev/null
+++ b/queue-4.9/scsi-mptscsih-fix-read-sense-data-size.patch
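Review bot: The new PSW_MASK_DAT bit is gated on `IS_ENABLED(CONFIG_KASAN)`, and as far as I know the 4.9 s390 tree cannot enable KASAN at all (arch support arrived well after 4.9), which would make the condition constant-false and this backport a no-op in this branch; worth confirming before it is queued, or noting in the patch header that it is taken for consistency with later stable trees only. If it is kept, the reason DAT must be on for these early handlers is currently explained only in the commit message, so a comment at the site would help: `/* KASAN-instrumented handlers touch shadow memory, which is only mapped with DAT on */`. setup_lowcore_early() continues beyond the hunk.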
@@ -0,0 +1,50 @@
+From 20fa7a0913fbffce4581a7d22ee85d58e6b35339 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Jun 2020 17:04:46 +0200
+Subject: scsi: mptscsih: Fix read sense data size
+
+From: Tomas Henzl
+
+[ Upstream commit afe89f115e84edbc76d316759e206580a06c6973 ]
+
+The sense data buffer in sense_buf_pool is allocated with size of
+MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth) while SNS_LEN(sc)(96)
+is used when reading the data. That may lead to a read from unallocated
+area, sometimes from another (unallocated) page. To fix this, limit the
+read size to MPT_SENSE_BUFFER_ALLOC.
+
+Link: https://lore.kernel.org/r/20200616150446.4840-1-thenzl@redhat.com
+Co-developed-by: Stanislav Saner
+Signed-off-by: Stanislav Saner
+Signed-off-by: Tomas Henzl
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/message/fusion/mptscsih.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c
+index 6c9fc11efb872..e77185e143ab7 100644
+--- a/drivers/message/fusion/mptscsih.c
++++ b/drivers/message/fusion/mptscsih.c
+@@ -118,8 +118,6 @@ int mptscsih_suspend(struct pci_dev *pdev, pm_message_t state);
+ int mptscsih_resume(struct pci_dev *pdev);
+ #endif
+ 
+-#define SNS_LEN(scp) SCSI_SENSE_BUFFERSIZE
+-
+ 
+ /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
+ /*
+@@ -2427,7 +2425,7 @@ mptscsih_copy_sense_data(struct scsi_cmnd *sc, MPT_SCSI_HOST *hd, MPT_FRAME_HDR
+ /* Copy the sense received into the scsi command block. */
+ req_index = le16_to_cpu(mf->u.frame.hwhdr.msgctxu.fld.req_idx);
+ sense_data = ((u8 *)ioc->sense_buf_pool + (req_index * MPT_SENSE_BUFFER_ALLOC));
+- memcpy(sc->sense_buffer, sense_data, SNS_LEN(sc));
++ memcpy(sc->sense_buffer, sense_data, MPT_SENSE_BUFFER_ALLOC);
+ 
+ /* Log SMART data (asc = 0x5D, non-IM case only) if required.
+ */
+-- 
+2.25.1
+
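Review bot: The new `memcpy(sc->sense_buffer, sense_data, MPT_SENSE_BUFFER_ALLOC)` bounds the read by the per-request pool slot, but the destination bound (SCSI_SENSE_BUFFERSIZE, 96 per the commit message, against 64 copied) is now only implicit; a `BUILD_BUG_ON(MPT_SENSE_BUFFER_ALLOC > SCSI_SENSE_BUFFERSIZE);` beside the copy would make the relationship between the two constants explicit and fail the build if either is ever changed in the wrong direction. Since only 64 of the 96 bytes are written, the tail of `sense_buffer` keeps whatever it held before; if the mid-layer in this tree does not clear the buffer per command, a one-line comment stating that the remainder is intentionally left as-is would document the choice. Removing SNS_LEN assumes no other user in the file, which the diffstat (one file, three deletions) is consistent with but which the hunk itself cannot show.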
diff --git a/queue-4.9/series b/queue-4.9/series
index 6f2e982ca83..0ad97058e85 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -1 +1,9 @@
 kvm-s390-reduce-number-of-io-pins-to-1.patch
+arm64-entry-place-an-sb-sequence-following-an-eret-i.patch
+gpu-host1x-detach-driver-on-unregister.patch
+spi-spidev-fix-a-race-between-spidev_release-and-spi.patch
+spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch
+s390-kasan-fix-early-pgm-check-handler-execution.patch
+cifs-update-ctime-and-mtime-during-truncate.patch
+arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch
+scsi-mptscsih-fix-read-sense-data-size.patch
diff --git a/queue-4.9/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch b/queue-4.9/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch
new file mode 100644
index 00000000000..fa199e8a15c
--- /dev/null
+++ b/queue-4.9/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch
@@ -0,0 +1,76 @@
+From 628e71ff9fd87e83f7aea133c79d22d64ebe3f19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Jun 2020 11:21:25 +0800
+Subject: spi: spidev: fix a potential use-after-free in spidev_release()
+
+From: Zhenzhong Duan
+
+[ Upstream commit 06096cc6c5a84ced929634b0d79376b94c65a4bd ]
+
+If an spi device is unbounded from the driver before the release
+process, there will be an NULL pointer reference when it's
+referenced in spi_slave_abort().
+
+Fix it by checking it's already freed before reference.
+
+Signed-off-by: Zhenzhong Duan
+Link: https://lore.kernel.org/r/20200618032125.4650-2-zhenzhong.duan@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spidev.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index 67ad7e46da42d..c364d9ce6d4b5 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -636,15 +636,20 @@ err_find_dev:
+ static int spidev_release(struct inode *inode, struct file *filp)
+ {
+ struct spidev_data *spidev;
++ int dofree;
+ 
+ mutex_lock(&device_list_lock);
+ spidev = filp->private_data;
+ filp->private_data = NULL;
+ 
++ spin_lock_irq(&spidev->spi_lock);
++ /* ... after we unbound from the underlying device? */
++ dofree = (spidev->spi == NULL);
++ spin_unlock_irq(&spidev->spi_lock);
++
+ /* last close? */
+ spidev->users--;
+ if (!spidev->users) {
+- int dofree;
+ 
+ kfree(spidev->tx_buffer);
+ spidev->tx_buffer = NULL;
+@@ -652,19 +657,14 @@ static int spidev_release(struct inode *inode, struct file *filp)
+ kfree(spidev->rx_buffer);
+ spidev->rx_buffer = NULL;
+ 
+- spin_lock_irq(&spidev->spi_lock);
+- if (spidev->spi)
+- spidev->speed_hz = spidev->spi->max_speed_hz;
+-
+- /* ... after we unbound from the underlying device? */
+- dofree = (spidev->spi == NULL);
+- spin_unlock_irq(&spidev->spi_lock);
+-
+ if (dofree)
+ kfree(spidev);
++ else
++ spidev->speed_hz = spidev->spi->max_speed_hz;
+ }
+ #ifdef CONFIG_SPI_SLAVE
+- spi_slave_abort(spidev->spi);
++ if (!dofree)
++ spi_slave_abort(spidev->spi);
+ #endif
+ mutex_unlock(&device_list_lock);
+ 
+-- 
+2.25.1
+
diff --git a/queue-4.9/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch b/queue-4.9/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch
new file mode 100644
index 00000000000..0e5e5d26fe4
--- /dev/null
+++ b/queue-4.9/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch
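Review bot: `dofree` is now sampled once near the top of spidev_release() and reused later for both the `spidev->spi->max_speed_hz` dereference in the new `else` branch and the guarded `spi_slave_abort()` call, and the `else` branch reads `spidev->spi` without spi_lock, which the removed code held; this is only safe because spidev_remove() clears `spidev->spi` while holding device_list_lock, which is what the companion patch in this series (listed before this one in `series`) establishes, so that ordering in `series` must be preserved. A comment at the snapshot would record the dependency that makes the later unlocked dereference valid: `/* stable until we drop device_list_lock: spidev_remove() clears spi under it */`. Given that guarantee the spin_lock_irq/spin_unlock_irq pair around the single read is redundant but harmless.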
@@ -0,0 +1,62 @@
+From 16b8e159c4fed32fad73c2c23e4022cecc9d33e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Jun 2020 11:21:24 +0800
+Subject: spi: spidev: fix a race between spidev_release and spidev_remove
+
+From: Zhenzhong Duan
+
+[ Upstream commit abd42781c3d2155868821f1b947ae45bbc33330d ]
+
+Imagine below scene, spidev is referenced after it's freed.
+
+spidev_release() spidev_remove()
+...
+ spin_lock_irq(&spidev->spi_lock);
+ spidev->spi = NULL;
+ spin_unlock_irq(&spidev->spi_lock);
+mutex_lock(&device_list_lock);
+dofree = (spidev->spi == NULL);
+if (dofree)
+ kfree(spidev);
+mutex_unlock(&device_list_lock);
+ mutex_lock(&device_list_lock);
+ list_del(&spidev->device_entry);
+ device_destroy(spidev_class, spidev->devt);
+ clear_bit(MINOR(spidev->devt), minors);
+ if (spidev->users == 0)
+ kfree(spidev);
+ mutex_unlock(&device_list_lock);
+
+Fix it by resetting spidev->spi in device_list_lock's protection.
+
+Signed-off-by: Zhenzhong Duan
+Link: https://lore.kernel.org/r/20200618032125.4650-1-zhenzhong.duan@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spidev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index a685c6114a8d5..67ad7e46da42d 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -809,13 +809,13 @@ static int spidev_remove(struct spi_device *spi)
+ {
+ struct spidev_data *spidev = spi_get_drvdata(spi);
+ 
++ /* prevent new opens */
++ mutex_lock(&device_list_lock);
+ /* make sure ops on existing fds can abort cleanly */
+ spin_lock_irq(&spidev->spi_lock);
+ spidev->spi = NULL;
+ spin_unlock_irq(&spidev->spi_lock);
+ 
+- /* prevent new opens */
+- mutex_lock(&device_list_lock);
+ list_del(&spidev->device_entry);
+ device_destroy(spidev_class, spidev->devt);
+ clear_bit(MINOR(spidev->devt), minors);
+-- 
+2.25.1
+
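Review bot: Moving `mutex_lock(&device_list_lock)` above the spi_lock section closes the race described in the commit message, and it also fixes a lock order — device_list_lock (mutex) taken outside spi_lock (irq-disabling spinlock) — that spidev_release() follows as well; that order is now relied on in two places but written down in neither. A comment next to the lock declarations (outside this hunk) would keep a later change from nesting them the other way round: `/* lock order: device_list_lock (mutex) -> spi_lock (spinlock), never the reverse */`. The `/* prevent new opens */` comment moved with the lock still describes only half of its job now, since the lock also keeps `spidev->spi` stable for a concurrent spidev_release(); extending it to `/* prevent new opens and keep spidev->spi stable for spidev_release() */` would say why it had to move. The remainder of spidev_remove(), including the final mutex_unlock, is outside the hunk.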