From: Greg Kroah-Hartman Date: Mon, 27 Apr 2020 16:14:43 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.19.119~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=46b8f6ba790b5e89f1cc1b125f7fa7ea5020061b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: alsa-hda-hdmi-add-module-option-to-disable-audio-component-binding.patch alsa-hda-realtek-add-new-codec-supported-for-alc245.patch alsa-hda-realtek-fix-unexpected-init_amp-override.patch alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch alsa-usx2y-fix-potential-null-dereference.patch asoc-dapm-fixup-dapm-kcontrol-widget.patch audit-check-the-length-of-userspace-generated-audit-records.patch coredump-fix-null-pointer-dereference-on-coredump.patch iwlwifi-mvm-beacon-statistics-shouldn-t-go-backwards.patch iwlwifi-mvm-do-not-declare-support-for-ack-enabled-aggregation.patch iwlwifi-mvm-fix-inactive-tid-removal-return-value-usage.patch iwlwifi-mvm-limit-maximum-queue-appropriately.patch iwlwifi-pcie-actually-release-queue-memory-in-tvqm.patch kvm-check-validity-of-resolved-slot-when-searching-memslots.patch kvm-s390-return-last-valid-slot-if-approx-index-is-out-of-bounds.patch kvm-vmx-enable-machine-check-support-for-32bit-targets.patch mac80211-populate-debugfs-only-after-cfg80211-init.patch mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset.patch mm-ksm-fix-null-pointer-dereference-when-ksm-zero-page-is-enabled.patch signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch staging-gasket-fix-incongruency-in-handling-of-sysfs-entries-creation.patch sunrpc-fix-backchannel-rpc-soft-lockups.patch tools-vm-fix-cross-compile-build.patch tpm-fix-wrong-return-value-in-tpm_pcr_extend.patch tpm-ibmvtpm-retry-on-h_closed-in-tpm_ibmvtpm_send.patch tpm-tpm_tis-free-irq-if-probing-fails.patch tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch 
tty-rocket-avoid-oob-access.patch usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch vmalloc-fix-remap_vmalloc_range-bounds-checks.patch --- diff --git a/queue-5.4/alsa-hda-hdmi-add-module-option-to-disable-audio-component-binding.patch b/queue-5.4/alsa-hda-hdmi-add-module-option-to-disable-audio-component-binding.patch new file mode 100644 index 00000000000..77911c8a6af --- /dev/null +++ b/queue-5.4/alsa-hda-hdmi-add-module-option-to-disable-audio-component-binding.patch 
@@ -0,0 +1,49 @@ +From b392350ec3f229ad9603d3816f753479e441d99a Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 15 Apr 2020 18:25:23 +0200 +Subject: ALSA: hda/hdmi: Add module option to disable audio component binding + +From: Takashi Iwai + +commit b392350ec3f229ad9603d3816f753479e441d99a upstream. + +As the recent regression showed, we want sometimes to turn off the +audio component binding just for debugging. This patch adds the +module option to control it easily without compilation. + +Fixes: ade49db337a9 ("ALSA: hda/hdmi - Allow audio component for AMD/ATI and Nvidia HDMI") +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207223 +Cc: +Link: https://lore.kernel.org/r/20200415162523.27499-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_hdmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -57,6 +57,10 @@ MODULE_PARM_DESC(static_hdmi_pcm, "Don't + #define is_cherryview(codec) ((codec)->core.vendor_id == 0x80862883) + #define is_valleyview_plus(codec) (is_valleyview(codec) || is_cherryview(codec)) + ++static bool enable_acomp = true; ++module_param(enable_acomp, bool, 0444); ++MODULE_PARM_DESC(enable_acomp, "Enable audio component binding (default=yes)"); ++ + struct hdmi_spec_per_cvt { + hda_nid_t cvt_nid; + int assigned; +@@ -2550,6 +2554,11 @@ static void generic_acomp_init(struct hd + { + struct hdmi_spec *spec = codec->spec; + ++ if (!enable_acomp) { ++ codec_info(codec, "audio component disabled by module option\n"); ++ return; ++ } ++ + spec->port2pin = port2pin; + setup_drm_audio_ops(codec, ops); + if (!snd_hdac_acomp_init(&codec->bus->core, &spec->drm_audio_ops, diff --git a/queue-5.4/alsa-hda-realtek-add-new-codec-supported-for-alc245.patch b/queue-5.4/alsa-hda-realtek-add-new-codec-supported-for-alc245.patch new file mode 100644 index 00000000000..4cabc891455 --- /dev/null 
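Review bot: The early return added to generic_acomp_init() leaves `spec->port2pin` and the DRM audio ops unset, and nothing in the hunk records that the rest of the driver has to tolerate that; generic_acomp_init()'s body continues outside the hunk, so I cannot see whether later code reads `spec->port2pin` unconditionally. A one-line comment on the return would make the contract explicit, e.g. `/* no acomp binding: spec->port2pin and drm_audio_ops stay unset */`. Declaring the parameter read-only (0444) is appropriate for a switch that is only consulted at codec init.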
+++ b/queue-5.4/alsa-hda-realtek-add-new-codec-supported-for-alc245.patch @@ -0,0 +1,47 @@ +From 7fbdcd8301a84c09cebfa64f1317a6dafeec9188 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Thu, 23 Apr 2020 14:18:31 +0800 +Subject: ALSA: hda/realtek - Add new codec supported for ALC245 + +From: Kailang Yang + +commit 7fbdcd8301a84c09cebfa64f1317a6dafeec9188 upstream. + +Enable new codec supported for ALC245. + +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/8c0804738b2c42439f59c39c8437817f@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -369,6 +369,7 @@ static void alc_fill_eapd_coef(struct hd + case 0x10ec0233: + case 0x10ec0235: + case 0x10ec0236: ++ case 0x10ec0245: + case 0x10ec0255: + case 0x10ec0256: + case 0x10ec0257: +@@ -8102,6 +8103,7 @@ static int patch_alc269(struct hda_codec + spec->gen.mixer_nid = 0; + break; + case 0x10ec0215: ++ case 0x10ec0245: + case 0x10ec0285: + case 0x10ec0289: + spec->codec_variant = ALC269_TYPE_ALC215; +@@ -9363,6 +9365,7 @@ static const struct hda_device_id snd_hd + HDA_CODEC_ENTRY(0x10ec0234, "ALC234", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0235, "ALC233", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0236, "ALC236", patch_alc269), ++ HDA_CODEC_ENTRY(0x10ec0245, "ALC245", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0255, "ALC255", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0256, "ALC256", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0257, "ALC257", patch_alc269), diff --git a/queue-5.4/alsa-hda-realtek-fix-unexpected-init_amp-override.patch b/queue-5.4/alsa-hda-realtek-fix-unexpected-init_amp-override.patch new file mode 100644 index 00000000000..9cbda245890 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-fix-unexpected-init_amp-override.patch 
@@ -0,0 +1,53 @@ +From 67791202c5e069cf2ba51db0718d56c634709e78 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 18 Apr 2020 21:06:39 +0200 +Subject: ALSA: hda/realtek - Fix unexpected init_amp override + +From: Takashi Iwai + +commit 67791202c5e069cf2ba51db0718d56c634709e78 upstream. + +The commit 1c76aa5fb48d ("ALSA: hda/realtek - Allow skipping +spec->init_amp detection") changed the way to assign spec->init_amp +field that specifies the way to initialize the amp. Along with the +change, the commit also replaced a few fixups that set spec->init_amp +in HDA_FIXUP_ACT_PROBE with HDA_FIXUP_ACT_PRE_PROBE. This was rather +aligning to the other fixups, and not supposed to change the actual +behavior. + +However, this change turned out to cause a regression on FSC S7020, +which hit exactly the above. The reason was that there is still one +place that overrides spec->init_amp after HDA_FIXUP_ACT_PRE_PROBE +call, namely in alc_ssid_check(). + +This patch fixes the regression by adding the proper spec->init_amp +override check, i.e. verifying whether it's still ALC_INIT_UNDEFINED. 
+ +Fixes: 1c76aa5fb48d ("ALSA: hda/realtek - Allow skipping spec->init_amp detection") +Cc: +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207329 +Link: https://lore.kernel.org/r/20200418190639.10082-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -789,9 +789,11 @@ static void alc_ssid_check(struct hda_co + { + if (!alc_subsystem_id(codec, ports)) { + struct alc_spec *spec = codec->spec; +- codec_dbg(codec, +- "realtek: Enable default setup for auto mode as fallback\n"); +- spec->init_amp = ALC_INIT_DEFAULT; ++ if (spec->init_amp == ALC_INIT_UNDEFINED) { ++ codec_dbg(codec, ++ "realtek: Enable default setup for auto mode as fallback\n"); ++ spec->init_amp = ALC_INIT_DEFAULT; ++ } + } + } + diff --git a/queue-5.4/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch b/queue-5.4/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch new file mode 100644 index 00000000000..9477ff0ae33 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch 
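Review bot: The new `spec->init_amp == ALC_INIT_UNDEFINED` guard in alc_ssid_check() carries no comment explaining why the fallback must not override a value that is already set, so the commit message is the only record of the regression it fixes. I would add `/* a PRE_PROBE fixup may already have chosen init_amp; only fall back if nothing did */` above the `if`. The debug message inside the guard still describes the fallback correctly and can stay as is.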
@@ -0,0 +1,105 @@ +From 1c826792586f526a5a5cd21d55aad388f5bb0b23 Mon Sep 17 00:00:00 2001 +From: Alexander Tsoy +Date: Sat, 18 Apr 2020 20:58:15 +0300 +Subject: ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices + +From: Alexander Tsoy + +commit 1c826792586f526a5a5cd21d55aad388f5bb0b23 upstream. + +Many Focusrite devices supports a limited set of sample rates per +altsetting. These includes audio interfaces with ADAT ports: + - Scarlett 18i6, 18i8 1st gen, 18i20 1st gen; + - Scarlett 18i8 2nd gen, 18i20 2nd gen; + - Scarlett 18i8 3rd gen, 18i20 3rd gen; + - Clarett 2Pre USB, 4Pre USB, 8Pre USB. + +Maximum rate is exposed in the last 4 bytes of Format Type descriptor +which has a non-standard bLength = 10. + +Tested-by: Alexey Skobkin +Signed-off-by: Alexander Tsoy +Cc: +Link: https://lore.kernel.org/r/20200418175815.12211-1-alexander@tsoy.me +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/format.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 52 insertions(+) + +--- a/sound/usb/format.c ++++ b/sound/usb/format.c +@@ -227,6 +227,52 @@ static int parse_audio_format_rates_v1(s + } + + /* ++ * Many Focusrite devices supports a limited set of sampling rates per ++ * altsetting. Maximum rate is exposed in the last 4 bytes of Format Type ++ * descriptor which has a non-standard bLength = 10. 
++ */ ++static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip, ++ struct audioformat *fp, ++ unsigned int rate) ++{ ++ struct usb_interface *iface; ++ struct usb_host_interface *alts; ++ unsigned char *fmt; ++ unsigned int max_rate; ++ ++ iface = usb_ifnum_to_if(chip->dev, fp->iface); ++ if (!iface) ++ return true; ++ ++ alts = &iface->altsetting[fp->altset_idx]; ++ fmt = snd_usb_find_csint_desc(alts->extra, alts->extralen, ++ NULL, UAC_FORMAT_TYPE); ++ if (!fmt) ++ return true; ++ ++ if (fmt[0] == 10) { /* bLength */ ++ max_rate = combine_quad(&fmt[6]); ++ ++ /* Validate max rate */ ++ if (max_rate != 48000 && ++ max_rate != 96000 && ++ max_rate != 192000 && ++ max_rate != 384000) { ++ ++ usb_audio_info(chip, ++ "%u:%d : unexpected max rate: %u\n", ++ fp->iface, fp->altsetting, max_rate); ++ ++ return true; ++ } ++ ++ return rate <= max_rate; ++ } ++ ++ return true; ++} ++ ++/* + * Helper function to walk the array of sample rate triplets reported by + * the device. The problem is that we need to parse whole array first to + * get to know how many sample rates we have to expect. +@@ -262,6 +308,11 @@ static int parse_uac2_sample_rate_range( + } + + for (rate = min; rate <= max; rate += res) { ++ /* Filter out invalid rates on Focusrite devices */ ++ if (USB_ID_VENDOR(chip->usb_id) == 0x1235 && ++ !focusrite_valid_sample_rate(chip, fp, rate)) ++ goto skip_rate; ++ + if (fp->rate_table) + fp->rate_table[nr_rates] = rate; + if (!fp->rate_min || rate < fp->rate_min) +@@ -276,6 +327,7 @@ static int parse_uac2_sample_rate_range( + break; + } + ++skip_rate: + /* avoid endless loop */ + if (res == 0) + break; diff --git a/queue-5.4/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch b/queue-5.4/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch new file mode 100644 index 00000000000..e6539ec0f59 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch 
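Review bot: `combine_quad(&fmt[6])` reads bytes 6..9 of a descriptor supplied by the device, and the only things making that read in-bounds are the `fmt[0] == 10` check and the descriptor walker having already verified that bLength fits inside `alts->extralen`; the hunk states the first dependency but not the second. I would note it at the read, e.g. `/* bLength (10) was bounds-checked by the csint walker; bytes 6..9 carry the max rate */`, after confirming that snd_usb_find_csint_desc() really rejects descriptors that overrun the extra buffer rather than relying on memory of it. Two points of style: the literal `0x1235` in parse_uac2_sample_rate_range() deserves a named constant for the Focusrite vendor id (that function starts outside the hunk), and the four accepted max rates would read better as a small static table than as the `&&` chain.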
@@ -0,0 +1,58 @@ +From 59e1947ca09ebd1cae147c08c7c41f3141233c84 Mon Sep 17 00:00:00 2001 +From: Xiyu Yang +Date: Thu, 23 Apr 2020 12:54:19 +0800 +Subject: ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif + +From: Xiyu Yang + +commit 59e1947ca09ebd1cae147c08c7c41f3141233c84 upstream. + +snd_microii_spdif_default_get() invokes snd_usb_lock_shutdown(), which +increases the refcount of the snd_usb_audio object "chip". + +When snd_microii_spdif_default_get() returns, local variable "chip" +becomes invalid, so the refcount should be decreased to keep refcount +balanced. + +The reference counting issue happens in several exception handling paths +of snd_microii_spdif_default_get(). When those error scenarios occur +such as usb_ifnum_to_if() returns NULL, the function forgets to decrease +the refcnt increased by snd_usb_lock_shutdown(), causing a refcnt leak. + +Fix this issue by jumping to "end" label when those error scenarios +occur. + +Fixes: 447d6275f0c2 ("ALSA: usb-audio: Add sanity checks for endpoint accesses") +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Cc: +Link: https://lore.kernel.org/r/1587617711-13200-1-git-send-email-xiyuyang19@fudan.edu.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer_quirks.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -1508,11 +1508,15 @@ static int snd_microii_spdif_default_get + + /* use known values for that card: interface#1 altsetting#1 */ + iface = usb_ifnum_to_if(chip->dev, 1); +- if (!iface || iface->num_altsetting < 2) +- return -EINVAL; ++ if (!iface || iface->num_altsetting < 2) { ++ err = -EINVAL; ++ goto end; ++ } + alts = &iface->altsetting[1]; +- if (get_iface_desc(alts)->bNumEndpoints < 1) +- return -EINVAL; ++ if (get_iface_desc(alts)->bNumEndpoints < 1) { ++ err = -EINVAL; ++ goto end; ++ } + ep = get_endpoint(alts, 0)->bEndpointAddress; + + err = 
snd_usb_ctl_msg(chip->dev, diff --git a/queue-5.4/alsa-usx2y-fix-potential-null-dereference.patch b/queue-5.4/alsa-usx2y-fix-potential-null-dereference.patch new file mode 100644 index 00000000000..63ff4ae3db3 --- /dev/null +++ b/queue-5.4/alsa-usx2y-fix-potential-null-dereference.patch @@ -0,0 +1,34 @@ +From 7686e3485253635c529cdd5f416fc640abaf076f Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 20 Apr 2020 09:55:29 +0200 +Subject: ALSA: usx2y: Fix potential NULL dereference + +From: Takashi Iwai + +commit 7686e3485253635c529cdd5f416fc640abaf076f upstream. + +The error handling code in usX2Y_rate_set() may hit a potential NULL +dereference when an error occurs before allocating all us->urb[]. +Add a proper NULL check for fixing the corner case. + +Reported-by: Lin Yi +Cc: +Link: https://lore.kernel.org/r/20200420075529.27203-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/usx2y/usbusx2yaudio.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/usx2y/usbusx2yaudio.c ++++ b/sound/usb/usx2y/usbusx2yaudio.c +@@ -681,6 +681,8 @@ static int usX2Y_rate_set(struct usX2Yde + us->submitted = 2*NOOF_SETRATE_URBS; + for (i = 0; i < NOOF_SETRATE_URBS; ++i) { + struct urb *urb = us->urb[i]; ++ if (!urb) ++ continue; + if (urb->status) { + if (!err) + err = -ENODEV; diff --git a/queue-5.4/asoc-dapm-fixup-dapm-kcontrol-widget.patch b/queue-5.4/asoc-dapm-fixup-dapm-kcontrol-widget.patch new file mode 100644 index 00000000000..afa3ce0f1cd --- /dev/null +++ b/queue-5.4/asoc-dapm-fixup-dapm-kcontrol-widget.patch 
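Review bot: With both early exits in snd_microii_spdif_default_get() now routed through `end`, the invariant is that every failure path between snd_usb_lock_shutdown() and `end` must release the shutdown lock, but neither the lock call nor the `end` label is in the hunk, so a future early `return` in that region would silently reintroduce the leak. I would add a comment at the lock call, e.g. `/* shutdown lock held from here: every error path must goto end */`, and keep the `err = ...; goto end;` shape the patch uses for any new check. The function starts and ends outside the hunk, so I could not confirm that `end` itself calls snd_usb_unlock_shutdown(); the commit message implies it does.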
@@ -0,0 +1,71 @@ +From ebf1474745b4373fdde0fcf32d9d1f369b50b212 Mon Sep 17 00:00:00 2001 +From: Gyeongtaek Lee +Date: Sat, 18 Apr 2020 13:13:20 +0900 +Subject: ASoC: dapm: fixup dapm kcontrol widget + +From: Gyeongtaek Lee + +commit ebf1474745b4373fdde0fcf32d9d1f369b50b212 upstream. + +snd_soc_dapm_kcontrol widget which is created by autodisable control +should contain correct on_val, mask and shift because it is set when the +widget is powered and changed value is applied on registers by following +code in dapm_seq_run_coalesced(). + + mask |= w->mask << w->shift; + if (w->power) + value |= w->on_val << w->shift; + else + value |= w->off_val << w->shift; + +Shift on the mask in dapm_kcontrol_data_alloc() is removed to prevent +double shift. +And, on_val in dapm_kcontrol_set_value() is modified to get correct +value in the dapm_seq_run_coalesced(). + +Signed-off-by: Gyeongtaek Lee +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/000001d61537$b212f620$1638e260$@samsung.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-dapm.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -423,7 +423,7 @@ static int dapm_kcontrol_data_alloc(stru + + memset(&template, 0, sizeof(template)); + template.reg = e->reg; +- template.mask = e->mask << e->shift_l; ++ template.mask = e->mask; + template.shift = e->shift_l; + template.off_val = snd_soc_enum_item_to_val(e, 0); + template.on_val = template.off_val; +@@ -546,8 +546,22 @@ static bool dapm_kcontrol_set_value(cons + if (data->value == value) + return false; + +- if (data->widget) +- data->widget->on_val = value; ++ if (data->widget) { ++ switch (dapm_kcontrol_get_wlist(kcontrol)->widgets[0]->id) { ++ case snd_soc_dapm_switch: ++ case snd_soc_dapm_mixer: ++ case snd_soc_dapm_mixer_named_ctl: ++ data->widget->on_val = value & data->widget->mask; ++ break; ++ case snd_soc_dapm_demux: ++ case 
snd_soc_dapm_mux: ++ data->widget->on_val = value >> data->widget->shift; ++ break; ++ default: ++ data->widget->on_val = value; ++ break; ++ } ++ } + + data->value = value; + diff --git a/queue-5.4/audit-check-the-length-of-userspace-generated-audit-records.patch b/queue-5.4/audit-check-the-length-of-userspace-generated-audit-records.patch new file mode 100644 index 00000000000..6f44d965dd3 --- /dev/null +++ b/queue-5.4/audit-check-the-length-of-userspace-generated-audit-records.patch @@ -0,0 +1,38 @@ +From 763dafc520add02a1f4639b500c509acc0ea8e5b Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Mon, 20 Apr 2020 16:24:34 -0400 +Subject: audit: check the length of userspace generated audit records + +From: Paul Moore + +commit 763dafc520add02a1f4639b500c509acc0ea8e5b upstream. + +Commit 756125289285 ("audit: always check the netlink payload length +in audit_receive_msg()") fixed a number of missing message length +checks, but forgot to check the length of userspace generated audit +records. The good news is that you need CAP_AUDIT_WRITE to submit +userspace audit records, which is generally only given to trusted +processes, so the impact should be limited. + +Cc: stable@vger.kernel.org +Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()") +Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1325,6 +1325,9 @@ static int audit_receive_msg(struct sk_b + case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: + if (!audit_enabled && msg_type != AUDIT_USER_AVC) + return 0; ++ /* exit early if there isn't at least one character to print */ ++ if (data_len < 2) ++ return -EINVAL; + + err = audit_filter(msg_type, AUDIT_FILTER_USER); + if (err == 1) { /* match or error */ 
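Review bot: The new switch in dapm_kcontrol_set_value() encodes an implicit contract — on_val is later applied as `on_val << shift` under `mask << shift` in dapm_seq_run_coalesced(), per the commit message — but the code says nothing about why mixer-type widgets mask the value while mux-type widgets shift it, so the next reader has to dig up this commit. A comment above the switch, e.g. `/* dapm_seq_run_coalesced() applies on_val << w->shift under mask << w->shift, so store an unshifted value here */`, would carry that. The `default` branch keeps the old assignment, which is fine, but noting which widget types are expected to land there (or a WARN_ON_ONCE if none are) would make unexpected ids visible; dapm_kcontrol_set_value() starts outside the hunk.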
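Review bot: The `data_len < 2` bound on the AUDIT_USER message path looks like an off-by-one next to the comment "at least one character to print", because a one-byte payload does contain one character; presumably the second byte is a trailing NUL that the later string handling strips, but that code is outside the hunk. I would make the comment say so, e.g. `/* need at least one character plus the trailing NUL; reject shorter payloads */`, so the constant explains itself. Returning -EINVAL rather than silently returning 0 is reasonable here, since the sender holds CAP_AUDIT_WRITE and should see the rejection.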
diff --git a/queue-5.4/coredump-fix-null-pointer-dereference-on-coredump.patch b/queue-5.4/coredump-fix-null-pointer-dereference-on-coredump.patch new file mode 100644 index 00000000000..9ad27ac82dd --- /dev/null +++ b/queue-5.4/coredump-fix-null-pointer-dereference-on-coredump.patch @@ -0,0 +1,50 @@ +From db973a7289dad24e6c017dcedc6aee886579dc3a Mon Sep 17 00:00:00 2001 +From: Sudip Mukherjee +Date: Mon, 20 Apr 2020 18:14:20 -0700 +Subject: coredump: fix null pointer dereference on coredump + +From: Sudip Mukherjee + +commit db973a7289dad24e6c017dcedc6aee886579dc3a upstream. + +If the core_pattern is set to "|" and any process segfaults then we get +a null pointer derefernce while trying to coredump. The call stack shows: + + RIP: do_coredump+0x628/0x11c0 + +When the core_pattern has only "|" there is no use of trying the +coredump and we can check that while formating the corename and exit +with an error. + +After this change I get: + + format_corename failed + Aborting core + +Fixes: 315c69261dd3 ("coredump: split pipe command whitespace before expanding template") +Reported-by: Matthew Ruffell +Signed-off-by: Sudip Mukherjee +Signed-off-by: Andrew Morton +Cc: Paul Wise +Cc: Alexander Viro +Cc: Neil Horman +Cc: +Link: http://lkml.kernel.org/r/20200416194612.21418-1-sudipm.mukherjee@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/coredump.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/coredump.c ++++ b/fs/coredump.c +@@ -211,6 +211,8 @@ static int format_corename(struct core_n + return -ENOMEM; + (*argv)[(*argc)++] = 0; + ++pat_ptr; ++ if (!(*pat_ptr)) ++ return -ENOMEM; + } + + /* Repeat as long as we have more pattern to process and more output diff --git a/queue-5.4/iwlwifi-mvm-beacon-statistics-shouldn-t-go-backwards.patch b/queue-5.4/iwlwifi-mvm-beacon-statistics-shouldn-t-go-backwards.patch new file mode 100644 index 00000000000..2b18ab6c80f --- /dev/null 
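Review bot: The new `if (!(*pat_ptr)) return -ENOMEM;` in format_corename() reports a malformed pattern ("|" with no command) as an out-of-memory condition, which misleads anyone reading the resulting "format_corename failed" log or checking the error code; `-EINVAL` describes it better. Whether the caller keys on the specific code is not visible here (format_corename()'s caller and the rest of its body are outside the hunk), so if -ENOMEM is deliberately matched elsewhere, a comment saying so would be worth adding, e.g. `/* "|" alone: no helper to run, treat like any other corename failure */`.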
+++ b/queue-5.4/iwlwifi-mvm-beacon-statistics-shouldn-t-go-backwards.patch 
@@ -0,0 +1,73 @@ +From 290d5e4951832e39d10f4184610dbf09038f8483 Mon Sep 17 00:00:00 2001 +From: Mordechay Goodstein +Date: Fri, 17 Apr 2020 10:08:10 +0300 +Subject: iwlwifi: mvm: beacon statistics shouldn't go backwards + +From: Mordechay Goodstein + +commit 290d5e4951832e39d10f4184610dbf09038f8483 upstream. + +We reset statistics also in case that we didn't reassoc so in +this cases keep last beacon counter. + +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Mordechay Goodstein +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20200417100405.1f9142751fbc.Ifbfd0f928a0a761110b8f4f2ca5483a61fb21131@changeid +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/rx.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c +@@ -8,7 +8,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH +- * Copyright(c) 2018 - 2019 Intel Corporation ++ * Copyright(c) 2018 - 2020 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -31,7 +31,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH +- * Copyright(c) 2018 - 2019 Intel Corporation ++ * Copyright(c) 2018 - 2020 Intel Corporation + * All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without +@@ -566,6 +566,7 @@ void iwl_mvm_rx_rx_mpdu(struct iwl_mvm * + + struct iwl_mvm_stat_data { + struct iwl_mvm *mvm; ++ __le32 flags; + __le32 mac_id; + u8 beacon_filter_average_energy; + void *general; +@@ -606,6 +607,13 @@ static void iwl_mvm_stat_iterator(void * + -general->beacon_average_energy[vif_id]; + } + ++ /* make sure that beacon statistics don't go backwards with TCM ++ * request to clear statistics ++ */ ++ if (le32_to_cpu(data->flags) & IWL_STATISTICS_REPLY_FLG_CLEAR) ++ mvmvif->beacon_stats.accu_num_beacons += ++ mvmvif->beacon_stats.num_beacons; ++ + if (mvmvif->id != id) + return; + +@@ -763,6 +771,7 @@ void iwl_mvm_handle_rx_statistics(struct + + flags = stats->flag; + } ++ data.flags = flags; + + iwl_mvm_rx_stats_check_trigger(mvm, pkt); + diff --git a/queue-5.4/iwlwifi-mvm-do-not-declare-support-for-ack-enabled-aggregation.patch b/queue-5.4/iwlwifi-mvm-do-not-declare-support-for-ack-enabled-aggregation.patch new file mode 100644 index 00000000000..597b39fce51 --- /dev/null +++ b/queue-5.4/iwlwifi-mvm-do-not-declare-support-for-ack-enabled-aggregation.patch 
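Review bot: The accumulation added to iwl_mvm_stat_iterator() sits before the `if (mvmvif->id != id) return;` check, so it executes for every interface the iterator visits, not only the one whose MAC id matches the statistics block; if the firmware reports several MAC ids per notification, or `num_beacons` is not reset between iterator calls, `accu_num_beacons` could absorb the same count more than once. The rest of the iterator, where `num_beacons` is updated, is outside the hunk, so this is an inference from the placement rather than a confirmed defect. Either moving the block after the id check, or a comment stating why it must run for all vifs, e.g. `/* runs for every vif: a clear request wipes all counters, not only the matching MAC */`, would settle it.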
@@ -0,0 +1,44 @@ +From 38af8d5a90a8c3b41ff0484855e24bd55b43ce9d Mon Sep 17 00:00:00 2001 +From: Ilan Peer +Date: Fri, 17 Apr 2020 10:08:13 +0300 +Subject: iwlwifi: mvm: Do not declare support for ACK Enabled Aggregation + +From: Ilan Peer + +commit 38af8d5a90a8c3b41ff0484855e24bd55b43ce9d upstream. + +As this was not supposed to be enabled to begin with. + +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20200417100405.53dbc3c6c36b.Idfe118546b92cc31548b2211472a5303c7de5909@changeid +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c +@@ -525,8 +525,7 @@ static struct ieee80211_sband_iftype_dat + IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_16US | + IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_8, + .mac_cap_info[2] = +- IEEE80211_HE_MAC_CAP2_32BIT_BA_BITMAP | +- IEEE80211_HE_MAC_CAP2_ACK_EN, ++ IEEE80211_HE_MAC_CAP2_32BIT_BA_BITMAP, + .mac_cap_info[3] = + IEEE80211_HE_MAC_CAP3_OMI_CONTROL | + IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_VHT_2, +@@ -610,8 +609,7 @@ static struct ieee80211_sband_iftype_dat + IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_16US | + IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_8, + .mac_cap_info[2] = +- IEEE80211_HE_MAC_CAP2_BSR | +- IEEE80211_HE_MAC_CAP2_ACK_EN, ++ IEEE80211_HE_MAC_CAP2_BSR, + .mac_cap_info[3] = + IEEE80211_HE_MAC_CAP3_OMI_CONTROL | + IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_VHT_2, diff --git a/queue-5.4/iwlwifi-mvm-fix-inactive-tid-removal-return-value-usage.patch b/queue-5.4/iwlwifi-mvm-fix-inactive-tid-removal-return-value-usage.patch new file mode 100644 index 00000000000..0d7b3cad052 --- /dev/null +++ b/queue-5.4/iwlwifi-mvm-fix-inactive-tid-removal-return-value-usage.patch 
@@ -0,0 +1,40 @@ +From e6d419f943318e2b903e380dfd52a8dda6db3021 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 17 Apr 2020 10:08:14 +0300 +Subject: iwlwifi: mvm: fix inactive TID removal return value usage + +From: Johannes Berg + +commit e6d419f943318e2b903e380dfd52a8dda6db3021 upstream. + +The function iwl_mvm_remove_inactive_tids() returns bool, so we +should just check "if (ret)", not "if (ret >= 0)" (which would +do nothing useful here). We obviously therefore cannot use the +return value of the function for the free_queue, we need to use +the queue (i) we're currently dealing with instead. + +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20200417100405.9d862ed72535.I9e27ccc3ee3c8855fc13682592b571581925dfbd@changeid +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -1169,9 +1169,9 @@ static int iwl_mvm_inactivity_check(stru + inactive_tid_bitmap, + &unshare_queues, + &changetid_queues); +- if (ret >= 0 && free_queue < 0) { ++ if (ret && free_queue < 0) { + queue_owner = sta; +- free_queue = ret; ++ free_queue = i; + } + /* only unlock sta lock - we still need the queue info lock */ + spin_unlock_bh(&mvmsta->lock); diff --git a/queue-5.4/iwlwifi-mvm-limit-maximum-queue-appropriately.patch b/queue-5.4/iwlwifi-mvm-limit-maximum-queue-appropriately.patch new file mode 100644 index 00000000000..8e77c465f1d --- /dev/null +++ b/queue-5.4/iwlwifi-mvm-limit-maximum-queue-appropriately.patch 
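Review bot: The corrected test `if (ret && free_queue < 0)` is right, but the variable is still called `ret`, which is what invited the `ret >= 0` misuse in the first place; since iwl_mvm_remove_inactive_tids() returns a bool per the commit message, a name such as `freed` or `tid_removed` would make the new code self-explaining. The declaration of `ret` and the loop over `i` are outside the hunk, so the rename touches lines not shown here. Failing that, a comment on the call site, e.g. `/* true when queue i can be freed */`, would at least document the contract.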
@@ -0,0 +1,76 @@ +From e5b72e3bc4763152e24bf4b8333bae21cc526c56 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 17 Apr 2020 10:08:12 +0300 +Subject: iwlwifi: mvm: limit maximum queue appropriately + +From: Johannes Berg + +commit e5b72e3bc4763152e24bf4b8333bae21cc526c56 upstream. + +Due to some hardware issues, queue 31 isn't usable on devices that have +32 queues (7000, 8000, 9000 families), which is correctly reflected in +the configuration and TX queue initialization. + +However, the firmware API and queue allocation code assumes that there +are 32 queues, and if something actually attempts to use #31 this leads +to a NULL-pointer dereference since it's not allocated. + +Fix this by limiting to 31 in the IWL_MVM_DQA_MAX_DATA_QUEUE, and also +add some code to catch this earlier in the future, if the configuration +changes perhaps. + +Cc: stable@vger.kernel.org # v4.9+ +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20200417100405.98a79be2db6a.I3a4af6b03b87a6bc18db9b1ff9a812f397bee1fc@changeid +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/fw/api/txq.h | 6 +++--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 5 +++++ + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/fw/api/txq.h ++++ b/drivers/net/wireless/intel/iwlwifi/fw/api/txq.h +@@ -8,7 +8,7 @@ + * Copyright(c) 2007 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH +- * Copyright(c) 2019 Intel Corporation ++ * Copyright(c) 2019 - 2020 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -31,7 +31,7 @@ + * Copyright(c) 2005 - 2014 Intel Corporation. All rights reserved. 
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH +- * Copyright(c) 2019 Intel Corporation ++ * Copyright(c) 2019 - 2020 Intel Corporation + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -99,7 +99,7 @@ enum iwl_mvm_dqa_txq { + IWL_MVM_DQA_MAX_MGMT_QUEUE = 8, + IWL_MVM_DQA_AP_PROBE_RESP_QUEUE = 9, + IWL_MVM_DQA_MIN_DATA_QUEUE = 10, +- IWL_MVM_DQA_MAX_DATA_QUEUE = 31, ++ IWL_MVM_DQA_MAX_DATA_QUEUE = 30, + }; + + enum iwl_mvm_tx_fifo { +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -722,6 +722,11 @@ static int iwl_mvm_find_free_queue(struc + + lockdep_assert_held(&mvm->mutex); + ++ if (WARN(maxq >= mvm->trans->trans_cfg->base_params->num_of_queues, ++ "max queue %d >= num_of_queues (%d)", maxq, ++ mvm->trans->trans_cfg->base_params->num_of_queues)) ++ maxq = mvm->trans->trans_cfg->base_params->num_of_queues - 1; ++ + /* This should not be hit with new TX path */ + if (WARN_ON(iwl_mvm_has_new_tx_api(mvm))) + return -ENOSPC; diff --git a/queue-5.4/iwlwifi-pcie-actually-release-queue-memory-in-tvqm.patch b/queue-5.4/iwlwifi-pcie-actually-release-queue-memory-in-tvqm.patch new file mode 100644 index 00000000000..5541079971f --- /dev/null +++ b/queue-5.4/iwlwifi-pcie-actually-release-queue-memory-in-tvqm.patch 
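Review bot: The new `IWL_MVM_DQA_MAX_DATA_QUEUE = 30` in txq.h does not say why the last queue of a 32-queue device is skipped, and the enum is where a reader will look; I would add `/* queue 31 is not usable on 32-queue devices (7000/8000/9000), see iwl_mvm_find_free_queue() */` next to it. In sta.c the WARN that clamps `maxq` to `num_of_queues - 1` is a sensible fail-safe, but its format uses `%d` for `maxq` and `num_of_queues` whose types are not visible in the hunk, so it is worth confirming they are plain ints; iwl_mvm_find_free_queue() starts outside the hunk.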
@@ -0,0 +1,47 @@
+From b98b33d5560a2d940f3b80f6768a6177bf3dfbc0 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 17 Apr 2020 10:08:09 +0300
+Subject: iwlwifi: pcie: actually release queue memory in TVQM
+
+From: Johannes Berg
+
+commit b98b33d5560a2d940f3b80f6768a6177bf3dfbc0 upstream.
+
+The iwl_trans_pcie_dyn_txq_free() function only releases the frames
+that may be left on the queue by calling iwl_pcie_gen2_txq_unmap(),
+but doesn't actually free the DMA ring or byte-count tables for the
+queue. This leads to pretty large memory leaks (at least before my
+queue size improvements), in particular in monitor/sniffer mode on
+channel hopping since this happens on every channel change.
+
+This was also now more evident after the move to a DMA pool for the
+byte count tables, showing messages such as
+
+ BUG iwlwifi:bc (...): Objects remaining in iwlwifi:bc on __kmem_cache_shutdown()
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=206811.
+
+Signed-off-by: Johannes Berg
+Fixes: 6b35ff91572f ("iwlwifi: pcie: introduce a000 TX queues management")
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Luca Coelho
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/iwlwifi.20200417100405.f5f4c4193ec1.Id5feebc9b4318041913a9c89fc1378bb5454292c@changeid
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
+@@ -1283,6 +1283,9 @@ void iwl_trans_pcie_dyn_txq_free(struct
+
+ iwl_pcie_gen2_txq_unmap(trans, queue);
+
++ iwl_pcie_gen2_txq_free_memory(trans, trans_pcie->txq[queue]);
++ trans_pcie->txq[queue] = NULL;
++
+ IWL_DEBUG_TX_QUEUES(trans, "Deactivate queue %d\n", queue);
+ }
+
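Review bot: The two added lines in iwl_trans_pcie_dyn_txq_free release the ring and then clear `trans_pcie->txq[queue]`, but nothing in the hunk shows whether that slot can already be NULL (a second free of the same index) or whether iwl_pcie_gen2_txq_free_memory tolerates a NULL argument; the unmap call just above presumably dereferences the same pointer, so this is likely not a new exposure, only an undocumented one. A one-line comment would record the ownership rule: `/* release the DMA ring and byte-count tables, then clear the slot so the index is never reused through a stale pointer */`. The start of the function is outside the hunk.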
diff --git a/queue-5.4/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch b/queue-5.4/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch new file mode 100644 index 00000000000..7700102c9bc --- /dev/null +++ b/queue-5.4/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch 
@@ -0,0 +1,48 @@
+From b6467ab142b708dd076f6186ca274f14af379c72 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Tue, 7 Apr 2020 23:40:58 -0700
+Subject: KVM: Check validity of resolved slot when searching memslots
+
+From: Sean Christopherson
+
+commit b6467ab142b708dd076f6186ca274f14af379c72 upstream.
+
+Check that the resolved slot (somewhat confusingly named 'start') is a
+valid/allocated slot before doing the final comparison to see if the
+specified gfn resides in the associated slot. The resolved slot can be
+invalid if the binary search loop terminated because the search index
+was incremented beyond the number of used slots.
+
+This bug has existed since the binary search algorithm was introduced,
+but went unnoticed because KVM statically allocated memory for the max
+number of slots, i.e. the access would only be truly out-of-bounds if
+all possible slots were allocated and the specified gfn was less than
+the base of the lowest memslot. Commit 36947254e5f98 ("KVM: Dynamically
+size memslot array based on number of used slots") eliminated the "all
+possible slots allocated" condition and made the bug embarrasingly easy
+to hit.
+
+Fixes: 9c1a5d38780e6 ("kvm: optimize GFN to memslot lookup with large slots amount")
+Reported-by: syzbot+d889b59b2bb87d4047a2@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-Id: <20200408064059.8957-2-sean.j.christopherson@intel.com>
+Reviewed-by: Cornelia Huck
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/kvm_host.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1027,7 +1027,7 @@ search_memslots(struct kvm_memslots *slo
+ start = slot + 1;
+ }
+
+- if (gfn >= memslots[start].base_gfn &&
++ if (start < slots->used_slots && gfn >= memslots[start].base_gfn &&
+ gfn < memslots[start].base_gfn + memslots[start].npages) {
+ atomic_set(&slots->lru_slot, start);
+ return &memslots[start];
diff --git a/queue-5.4/kvm-s390-return-last-valid-slot-if-approx-index-is-out-of-bounds.patch b/queue-5.4/kvm-s390-return-last-valid-slot-if-approx-index-is-out-of-bounds.patch
new file mode 100644
index 00000000000..1b08f8f35da
--- /dev/null
+++ b/queue-5.4/kvm-s390-return-last-valid-slot-if-approx-index-is-out-of-bounds.patch
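Review bot: The added `start < slots->used_slots` guard in search_memslots stops the out-of-bounds read, but the condition gives no hint why `start` can reach used_slots (the `start = slot + 1;` on the context line pushes it past the last used slot when gfn is below every base_gfn). A comment above the if would carry that reasoning: `/* start == used_slots when the search overshot; never index it then */`. What search_memslots returns when the guard fails is below the hunk, so whether every caller copes with that fallthrough cannot be confirmed here. The s390 copy of this loop in gfn_to_memslot_approx gets a different fallback in the companion patch, which is worth noting for anyone keeping the two in step.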
@@ -0,0 +1,42 @@
+From 97daa028f3f621adff2c4f7b15fe0874e5b5bd6c Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Tue, 7 Apr 2020 23:40:59 -0700
+Subject: KVM: s390: Return last valid slot if approx index is out-of-bounds
+
+From: Sean Christopherson
+
+commit 97daa028f3f621adff2c4f7b15fe0874e5b5bd6c upstream.
+
+Return the index of the last valid slot from gfn_to_memslot_approx() if
+its binary search loop yielded an out-of-bounds index. The index can
+be out-of-bounds if the specified gfn is less than the base of the
+lowest memslot (which is also the last valid memslot).
+
+Note, the sole caller, kvm_s390_get_cmma(), ensures used_slots is
+non-zero.
+
+Fixes: afdad61615cc3 ("KVM: s390: Fix storage attributes migration with memory slots")
+Cc: stable@vger.kernel.org # 4.19.x: 0774a964ef56: KVM: Fix out of range accesses to memslots
+Cc: stable@vger.kernel.org # 4.19.x
+Signed-off-by: Sean Christopherson
+Message-Id: <20200408064059.8957-3-sean.j.christopherson@intel.com>
+Reviewed-by: Cornelia Huck
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kvm/kvm-s390.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -1932,6 +1932,9 @@ static int gfn_to_memslot_approx(struct
+ start = slot + 1;
+ }
+
++ if (start >= slots->used_slots)
++ return slots->used_slots - 1;
++
+ if (gfn >= memslots[start].base_gfn &&
+ gfn < memslots[start].base_gfn + memslots[start].npages) {
+ atomic_set(&slots->lru_slot, start);
diff --git a/queue-5.4/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch b/queue-5.4/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
new file mode 100644
index 00000000000..696c593263d
--- /dev/null
+++ b/queue-5.4/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
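Review bot: `return slots->used_slots - 1;` in gfn_to_memslot_approx (declared `static int` on the hunk header line) returns -1 when used_slots is 0; the message says the only caller rules that out, but nothing at the site records the assumption. A comment above the new check, `/* caller (kvm_s390_get_cmma) guarantees used_slots > 0 */`, or a `WARN_ON_ONCE(!slots->used_slots)` would keep it visible if a second caller ever appears. The start of the function and the binary-search loop it closes are outside the hunk.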
@@ -0,0 +1,36 @@
+From fb56baae5ea509e63c2a068d66a4d8ea91969fca Mon Sep 17 00:00:00 2001
+From: Uros Bizjak
+Date: Tue, 14 Apr 2020 09:14:14 +0200
+Subject: KVM: VMX: Enable machine check support for 32bit targets
+
+From: Uros Bizjak
+
+commit fb56baae5ea509e63c2a068d66a4d8ea91969fca upstream.
+
+There is no reason to limit the use of do_machine_check
+to 64bit targets. MCE handling works for both target familes.
+
+Cc: Paolo Bonzini
+Cc: Sean Christopherson
+Cc: stable@vger.kernel.org
+Fixes: a0861c02a981 ("KVM: Add VT-x machine check support")
+Signed-off-by: Uros Bizjak
+Message-Id: <20200414071414.45636-1-ubizjak@gmail.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -4566,7 +4566,7 @@ static int handle_rmode_exception(struct
+ */
+ static void kvm_machine_check(void)
+ {
+-#if defined(CONFIG_X86_MCE) && defined(CONFIG_X86_64)
++#if defined(CONFIG_X86_MCE)
+ struct pt_regs regs = {
+ .cs = 3, /* Fake ring 3 no matter what the guest ran on */
+ .flags = X86_EFLAGS_IF,
diff --git a/queue-5.4/mac80211-populate-debugfs-only-after-cfg80211-init.patch b/queue-5.4/mac80211-populate-debugfs-only-after-cfg80211-init.patch
new file mode 100644
index 00000000000..93d72dcb800
--- /dev/null
+++ b/queue-5.4/mac80211-populate-debugfs-only-after-cfg80211-init.patch
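Review bot: Dropping `defined(CONFIG_X86_64)` from the `#if` in kvm_machine_check means the `struct pt_regs` initializer and whatever follows it now compile on 32-bit builds; only `.cs` and `.flags` are visible in the hunk, both present in either pt_regs layout, but the rest of the initializer and the do_machine_check() call are outside it and need checking against the 32-bit struct. The reasoning in the message would be worth a one-liner at the `#if`, e.g. `/* do_machine_check() exists on both 32- and 64-bit MCE builds */`, so the next reader does not reintroduce the guard.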
@@ -0,0 +1,252 @@ +From 6cb5f3ea4654faf8c28b901266e960b1a4787b26 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Thu, 23 Apr 2020 11:13:49 +0200 +Subject: mac80211: populate debugfs only after cfg80211 init + +From: Johannes Berg + +commit 6cb5f3ea4654faf8c28b901266e960b1a4787b26 upstream. + +When fixing the initialization race, we neglected to account for +the fact that debugfs is initialized in wiphy_register(), and +some debugfs things went missing (or rather were rerooted to the +global debugfs root). + +Fix this by adding debugfs entries only after wiphy_register(). +This requires some changes in the rate control code since it +currently adds debugfs at alloc time, which can no longer be +done after the reordering. + +Reported-by: Jouni Malinen +Reported-by: kernel test robot +Reported-by: Hauke Mehrtens +Reported-by: Felix Fietkau +Cc: stable@vger.kernel.org +Fixes: 52e04b4ce5d0 ("mac80211: fix race in ieee80211_register_hw()") +Signed-off-by: Johannes Berg +Acked-by: Sumit Garg +Link: https://lore.kernel.org/r/20200423111344.0e00d3346f12.Iadc76a03a55093d94391fc672e996a458702875d@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlegacy/3945-rs.c | 2 +- + drivers/net/wireless/intel/iwlegacy/4965-rs.c | 2 +- + drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +- + drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 2 +- + drivers/net/wireless/realtek/rtlwifi/rc.c | 2 +- + include/net/mac80211.h | 4 +++- + net/mac80211/main.c | 5 +++-- + net/mac80211/rate.c | 15 ++++----------- + net/mac80211/rate.h | 23 +++++++++++++++++++++++ + net/mac80211/rc80211_minstrel_ht.c | 19 +++++++++++++------ + 10 files changed, 51 insertions(+), 25 deletions(-) + +--- a/drivers/net/wireless/intel/iwlegacy/3945-rs.c ++++ b/drivers/net/wireless/intel/iwlegacy/3945-rs.c +@@ -374,7 +374,7 @@ out: + } + + static void * +-il3945_rs_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir) ++il3945_rs_alloc(struct ieee80211_hw 
*hw) + { + return hw->priv; + } +--- a/drivers/net/wireless/intel/iwlegacy/4965-rs.c ++++ b/drivers/net/wireless/intel/iwlegacy/4965-rs.c +@@ -2474,7 +2474,7 @@ il4965_rs_fill_link_cmd(struct il_priv * + } + + static void * +-il4965_rs_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir) ++il4965_rs_alloc(struct ieee80211_hw *hw) + { + return hw->priv; + } +--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c +@@ -3019,7 +3019,7 @@ static void rs_fill_link_cmd(struct iwl_ + cpu_to_le16(priv->lib->bt_params->agg_time_limit); + } + +-static void *rs_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir) ++static void *rs_alloc(struct ieee80211_hw *hw) + { + return hw->priv; + } +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c +@@ -3663,7 +3663,7 @@ static void rs_fill_lq_cmd(struct iwl_mv + cpu_to_le16(iwl_mvm_coex_agg_time_limit(mvm, sta)); + } + +-static void *rs_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir) ++static void *rs_alloc(struct ieee80211_hw *hw) + { + return hw->priv; + } +--- a/drivers/net/wireless/realtek/rtlwifi/rc.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rc.c +@@ -261,7 +261,7 @@ static void rtl_rate_update(void *ppriv, + { + } + +-static void *rtl_rate_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir) ++static void *rtl_rate_alloc(struct ieee80211_hw *hw) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); + return rtlpriv; +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -5933,7 +5933,9 @@ enum rate_control_capabilities { + struct rate_control_ops { + unsigned long capa; + const char *name; +- void *(*alloc)(struct ieee80211_hw *hw, struct dentry *debugfsdir); ++ void *(*alloc)(struct ieee80211_hw *hw); ++ void (*add_debugfs)(struct ieee80211_hw *hw, void *priv, ++ struct dentry *debugfsdir); + void (*free)(void *priv); + + void *(*alloc_sta)(void *priv, struct ieee80211_sta *sta, gfp_t gfp); +--- 
a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1155,8 +1155,6 @@ int ieee80211_register_hw(struct ieee802 + local->tx_headroom = max_t(unsigned int , local->hw.extra_tx_headroom, + IEEE80211_TX_STATUS_HEADROOM); + +- debugfs_hw_add(local); +- + /* + * if the driver doesn't specify a max listen interval we + * use 5 which should be a safe default +@@ -1248,6 +1246,9 @@ int ieee80211_register_hw(struct ieee802 + if (result < 0) + goto fail_wiphy_register; + ++ debugfs_hw_add(local); ++ rate_control_add_debugfs(local); ++ + rtnl_lock(); + + /* add one default STA interface if supported */ +--- a/net/mac80211/rate.c ++++ b/net/mac80211/rate.c +@@ -214,17 +214,16 @@ static ssize_t rcname_read(struct file * + ref->ops->name, len); + } + +-static const struct file_operations rcname_ops = { ++const struct file_operations rcname_ops = { + .read = rcname_read, + .open = simple_open, + .llseek = default_llseek, + }; + #endif + +-static struct rate_control_ref *rate_control_alloc(const char *name, +- struct ieee80211_local *local) ++static struct rate_control_ref * ++rate_control_alloc(const char *name, struct ieee80211_local *local) + { +- struct dentry *debugfsdir = NULL; + struct rate_control_ref *ref; + + ref = kmalloc(sizeof(struct rate_control_ref), GFP_KERNEL); +@@ -234,13 +233,7 @@ static struct rate_control_ref *rate_con + if (!ref->ops) + goto free; + +-#ifdef CONFIG_MAC80211_DEBUGFS +- debugfsdir = debugfs_create_dir("rc", local->hw.wiphy->debugfsdir); +- local->debugfs.rcdir = debugfsdir; +- debugfs_create_file("name", 0400, debugfsdir, ref, &rcname_ops); +-#endif +- +- ref->priv = ref->ops->alloc(&local->hw, debugfsdir); ++ ref->priv = ref->ops->alloc(&local->hw); + if (!ref->priv) + goto free; + return ref; +--- a/net/mac80211/rate.h ++++ b/net/mac80211/rate.h +@@ -60,6 +60,29 @@ static inline void rate_control_add_sta_ + #endif + } + ++extern const struct file_operations rcname_ops; ++ ++static inline void rate_control_add_debugfs(struct ieee80211_local 
*local) ++{ ++#ifdef CONFIG_MAC80211_DEBUGFS ++ struct dentry *debugfsdir; ++ ++ if (!local->rate_ctrl) ++ return; ++ ++ if (!local->rate_ctrl->ops->add_debugfs) ++ return; ++ ++ debugfsdir = debugfs_create_dir("rc", local->hw.wiphy->debugfsdir); ++ local->debugfs.rcdir = debugfsdir; ++ debugfs_create_file("name", 0400, debugfsdir, ++ local->rate_ctrl, &rcname_ops); ++ ++ local->rate_ctrl->ops->add_debugfs(&local->hw, local->rate_ctrl->priv, ++ debugfsdir); ++#endif ++} ++ + void ieee80211_check_rate_mask(struct ieee80211_sub_if_data *sdata); + + /* Get a reference to the rate control algorithm. If `name' is NULL, get the +--- a/net/mac80211/rc80211_minstrel_ht.c ++++ b/net/mac80211/rc80211_minstrel_ht.c +@@ -1631,7 +1631,7 @@ minstrel_ht_init_cck_rates(struct minstr + } + + static void * +-minstrel_ht_alloc(struct ieee80211_hw *hw, struct dentry *debugfsdir) ++minstrel_ht_alloc(struct ieee80211_hw *hw) + { + struct minstrel_priv *mp; + +@@ -1668,18 +1668,24 @@ minstrel_ht_alloc(struct ieee80211_hw *h + mp->hw = hw; + mp->update_interval = 100; + ++ minstrel_ht_init_cck_rates(mp); ++ ++ return mp; ++} ++ + #ifdef CONFIG_MAC80211_DEBUGFS ++static void minstrel_ht_add_debugfs(struct ieee80211_hw *hw, void *priv, ++ struct dentry *debugfsdir) ++{ ++ struct minstrel_priv *mp = priv; ++ + mp->fixed_rate_idx = (u32) -1; + debugfs_create_u32("fixed_rate_idx", S_IRUGO | S_IWUGO, debugfsdir, + &mp->fixed_rate_idx); + debugfs_create_u32("sample_switch", S_IRUGO | S_IWUSR, debugfsdir, + &mp->sample_switch); +-#endif +- +- minstrel_ht_init_cck_rates(mp); +- +- return mp; + } ++#endif + + static void + minstrel_ht_free(void *priv) +@@ -1718,6 +1724,7 @@ static const struct rate_control_ops mac + .alloc = minstrel_ht_alloc, + .free = minstrel_ht_free, + #ifdef CONFIG_MAC80211_DEBUGFS ++ .add_debugfs = minstrel_ht_add_debugfs, + .add_sta_debugfs = minstrel_ht_add_sta_debugfs, + #endif + .get_expected_throughput = minstrel_ht_get_expected_throughput, 
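Review bot: Moving `mp->fixed_rate_idx = (u32) -1;` out of minstrel_ht_alloc into minstrel_ht_add_debugfs changes when that sentinel is set: between allocation and the new rate_control_add_debugfs() call placed after wiphy_register() in ieee80211_register_hw, fixed_rate_idx holds whatever the allocator left in it, and 0 would read as a forced rate if any TX path consulted it in that window. Whether anything can transmit before registration completes is outside these hunks, but keeping the assignment in minstrel_ht_alloc under its `#ifdef CONFIG_MAC80211_DEBUGFS` and leaving only the two debugfs_create_u32 calls in the callback removes the question. Separately, the new `extern const struct file_operations rcname_ops;` in rate.h sits outside the `#ifdef CONFIG_MAC80211_DEBUGFS` block while its definition in rate.c is inside one; harmless when unused, but placing the declaration inside the ifdef would mirror the definition. The error path of ieee80211_register_hw after the relocated debugfs_hw_add() is not visible here.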
diff --git a/queue-5.4/mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset.patch b/queue-5.4/mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset.patch new file mode 100644 index 00000000000..64f00c47f13 --- /dev/null +++ b/queue-5.4/mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset.patch 
@@ -0,0 +1,122 @@ +From 3c1d7e6ccb644d517a12f73a7ff200870926f865 Mon Sep 17 00:00:00 2001 +From: Longpeng +Date: Mon, 20 Apr 2020 18:13:51 -0700 +Subject: mm/hugetlb: fix a addressing exception caused by huge_pte_offset + +From: Longpeng + +commit 3c1d7e6ccb644d517a12f73a7ff200870926f865 upstream. + +Our machine encountered a panic(addressing exception) after run for a +long time and the calltrace is: + + RIP: hugetlb_fault+0x307/0xbe0 + RSP: 0018:ffff9567fc27f808 EFLAGS: 00010286 + RAX: e800c03ff1258d48 RBX: ffffd3bb003b69c0 RCX: e800c03ff1258d48 + RDX: 17ff3fc00eda72b7 RSI: 00003ffffffff000 RDI: e800c03ff1258d48 + RBP: ffff9567fc27f8c8 R08: e800c03ff1258d48 R09: 0000000000000080 + R10: ffffaba0704c22a8 R11: 0000000000000001 R12: ffff95c87b4b60d8 + R13: 00005fff00000000 R14: 0000000000000000 R15: ffff9567face8074 + FS: 00007fe2d9ffb700(0000) GS:ffff956900e40000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffd3bb003b69c0 CR3: 000000be67374000 CR4: 00000000003627e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + follow_hugetlb_page+0x175/0x540 + __get_user_pages+0x2a0/0x7e0 + __get_user_pages_unlocked+0x15d/0x210 + __gfn_to_pfn_memslot+0x3c5/0x460 [kvm] + try_async_pf+0x6e/0x2a0 [kvm] + tdp_page_fault+0x151/0x2d0 [kvm] + ... + kvm_arch_vcpu_ioctl_run+0x330/0x490 [kvm] + kvm_vcpu_ioctl+0x309/0x6d0 [kvm] + do_vfs_ioctl+0x3f0/0x540 + SyS_ioctl+0xa1/0xc0 + system_call_fastpath+0x22/0x27 + +For 1G hugepages, huge_pte_offset() wants to return NULL or pudp, but it +may return a wrong 'pmdp' if there is a race. Please look at the +following code snippet: + + ... + pud = pud_offset(p4d, addr); + if (sz != PUD_SIZE && pud_none(*pud)) + return NULL; + /* hugepage or swap? 
*/ + if (pud_huge(*pud) || !pud_present(*pud)) + return (pte_t *)pud; + + pmd = pmd_offset(pud, addr); + if (sz != PMD_SIZE && pmd_none(*pmd)) + return NULL; + /* hugepage or swap? */ + if (pmd_huge(*pmd) || !pmd_present(*pmd)) + return (pte_t *)pmd; + ... + +The following sequence would trigger this bug: + + - CPU0: sz = PUD_SIZE and *pud = 0 , continue + - CPU0: "pud_huge(*pud)" is false + - CPU1: calling hugetlb_no_page and set *pud to xxxx8e7(PRESENT) + - CPU0: "!pud_present(*pud)" is false, continue + - CPU0: pmd = pmd_offset(pud, addr) and maybe return a wrong pmdp + +However, we want CPU0 to return NULL or pudp in this case. + +We must make sure there is exactly one dereference of pud and pmd. + +Signed-off-by: Longpeng +Signed-off-by: Andrew Morton +Reviewed-by: Mike Kravetz +Reviewed-by: Jason Gunthorpe +Cc: Matthew Wilcox +Cc: Sean Christopherson +Cc: +Link: http://lkml.kernel.org/r/20200413010342.771-1-longpeng2@huawei.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -5016,8 +5016,8 @@ pte_t *huge_pte_offset(struct mm_struct + { + pgd_t *pgd; + p4d_t *p4d; +- pud_t *pud; +- pmd_t *pmd; ++ pud_t *pud, pud_entry; ++ pmd_t *pmd, pmd_entry; + + pgd = pgd_offset(mm, addr); + if (!pgd_present(*pgd)) +@@ -5027,17 +5027,19 @@ pte_t *huge_pte_offset(struct mm_struct + return NULL; + + pud = pud_offset(p4d, addr); +- if (sz != PUD_SIZE && pud_none(*pud)) ++ pud_entry = READ_ONCE(*pud); ++ if (sz != PUD_SIZE && pud_none(pud_entry)) + return NULL; + /* hugepage or swap? */ +- if (pud_huge(*pud) || !pud_present(*pud)) ++ if (pud_huge(pud_entry) || !pud_present(pud_entry)) + return (pte_t *)pud; + + pmd = pmd_offset(pud, addr); +- if (sz != PMD_SIZE && pmd_none(*pmd)) ++ pmd_entry = READ_ONCE(*pmd); ++ if (sz != PMD_SIZE && pmd_none(pmd_entry)) + return NULL; + /* hugepage or swap? 
*/ +- if (pmd_huge(*pmd) || !pmd_present(*pmd)) ++ if (pmd_huge(pmd_entry) || !pmd_present(pmd_entry)) + return (pte_t *)pmd; + + return NULL; diff --git a/queue-5.4/mm-ksm-fix-null-pointer-dereference-when-ksm-zero-page-is-enabled.patch b/queue-5.4/mm-ksm-fix-null-pointer-dereference-when-ksm-zero-page-is-enabled.patch new file mode 100644 index 00000000000..738e073cfba --- /dev/null +++ b/queue-5.4/mm-ksm-fix-null-pointer-dereference-when-ksm-zero-page-is-enabled.patch 
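Review bot: After the `pud_entry = READ_ONCE(*pud);` snapshot, `pmd = pmd_offset(pud, addr);` still receives the pud pointer, and pmd_offset() typically re-reads `*pud` to locate the pmd table, which would be a second dereference of the very entry the message says must be read exactly once; if that holds for this tree, `pmd = pmd_offset(&pud_entry, addr);` would walk from the snapshot instead. The pmd side does not have the same issue because `pmd_entry` is only tested, never walked further. huge_pte_offset's signature is on the hunk header line and its `sz` parameter is not visible, so the PUD_SIZE/PMD_SIZE comparisons are taken as given.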
@@ -0,0 +1,87 @@ +From 56df70a63ed5d989c1d36deee94cae14342be6e9 Mon Sep 17 00:00:00 2001 +From: Muchun Song +Date: Mon, 20 Apr 2020 18:14:04 -0700 +Subject: mm/ksm: fix NULL pointer dereference when KSM zero page is enabled + +From: Muchun Song + +commit 56df70a63ed5d989c1d36deee94cae14342be6e9 upstream. + +find_mergeable_vma() can return NULL. In this case, it leads to a crash +when we access vm_mm(its offset is 0x40) later in write_protect_page. +And this case did happen on our server. The following call trace is +captured in kernel 4.19 with the following patch applied and KSM zero +page enabled on our server. + + commit e86c59b1b12d ("mm/ksm: improve deduplication of zero pages with colouring") + +So add a vma check to fix it. + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000040 + Oops: 0000 [#1] SMP NOPTI + CPU: 9 PID: 510 Comm: ksmd Kdump: loaded Tainted: G OE 4.19.36.bsk.9-amd64 #4.19.36.bsk.9 + RIP: try_to_merge_one_page+0xc7/0x760 + Code: 24 58 65 48 33 34 25 28 00 00 00 89 e8 0f 85 a3 06 00 00 48 83 c4 + 60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 8b 46 08 a8 01 75 b8 <49> + 8b 44 24 40 4c 8d 7c 24 20 b9 07 00 00 00 4c 89 e6 4c 89 ff 48 + RSP: 0018:ffffadbdd9fffdb0 EFLAGS: 00010246 + RAX: ffffda83ffd4be08 RBX: ffffda83ffd4be40 RCX: 0000002c6e800000 + RDX: 0000000000000000 RSI: ffffda83ffd4be40 RDI: 0000000000000000 + RBP: ffffa11939f02ec0 R08: 0000000094e1a447 R09: 00000000abe76577 + R10: 0000000000000962 R11: 0000000000004e6a R12: 0000000000000000 + R13: ffffda83b1e06380 R14: ffffa18f31f072c0 R15: ffffda83ffd4be40 + FS: 0000000000000000(0000) GS:ffffa0da43b80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000040 CR3: 0000002c77c0a003 CR4: 00000000007626e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + ksm_scan_thread+0x115e/0x1960 + kthread+0xf5/0x130 + 
ret_from_fork+0x1f/0x30 + +[songmuchun@bytedance.com: if the vma is out of date, just exit] + Link: http://lkml.kernel.org/r/20200416025034.29780-1-songmuchun@bytedance.com +[akpm@linux-foundation.org: add the conventional braces, replace /** with /*] +Fixes: e86c59b1b12d ("mm/ksm: improve deduplication of zero pages with colouring") +Co-developed-by: Xiongchun Duan +Signed-off-by: Muchun Song +Signed-off-by: Andrew Morton +Reviewed-by: David Hildenbrand +Reviewed-by: Kirill Tkhai +Cc: Hugh Dickins +Cc: Yang Shi +Cc: Claudio Imbrenda +Cc: Markus Elfring +Cc: +Link: http://lkml.kernel.org/r/20200416025034.29780-1-songmuchun@bytedance.com +Link: http://lkml.kernel.org/r/20200414132905.83819-1-songmuchun@bytedance.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/ksm.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/mm/ksm.c ++++ b/mm/ksm.c +@@ -2112,8 +2112,16 @@ static void cmp_and_merge_page(struct pa + + down_read(&mm->mmap_sem); + vma = find_mergeable_vma(mm, rmap_item->address); +- err = try_to_merge_one_page(vma, page, +- ZERO_PAGE(rmap_item->address)); ++ if (vma) { ++ err = try_to_merge_one_page(vma, page, ++ ZERO_PAGE(rmap_item->address)); ++ } else { ++ /* ++ * If the vma is out of date, we do not need to ++ * continue. ++ */ ++ err = 0; ++ } + up_read(&mm->mmap_sem); + /* + * In case of failure, the page was not really empty, so we diff --git a/queue-5.4/series b/queue-5.4/series index cf5023dbbcb..8ac746a5d6c 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
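Review bot: The new else branch in cmp_and_merge_page sets `err = 0` when find_mergeable_vma() returns NULL, which makes the vanished-vma case look like a successful merge to whatever consumes err below the hunk; that matches the message's "just exit" only if the success path does nothing more than return. The comment should say that rather than only "we do not need to continue", e.g. `/* vma is out of date (gone or changed): nothing to merge, treat as done */`. How err is consumed and the rest of cmp_and_merge_page are outside the hunk.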
@@ -99,3 +99,34 @@ usb-core-fix-free-while-in-use-bug-in-the-usb-s-glibrary.patch
 usb-hub-fix-handling-of-connect-changes-during-sleep.patch
 usb-hub-revert-commit-bd0e6c9614b9-usb-hub-try-old-enumeration-scheme-first-for-high-speed-devices.patch
 tty-serial-owl-add-much-needed-clk_prepare_enable.patch
+vmalloc-fix-remap_vmalloc_range-bounds-checks.patch
+staging-gasket-fix-incongruency-in-handling-of-sysfs-entries-creation.patch
+coredump-fix-null-pointer-dereference-on-coredump.patch
+mm-hugetlb-fix-a-addressing-exception-caused-by-huge_pte_offset.patch
+mm-ksm-fix-null-pointer-dereference-when-ksm-zero-page-is-enabled.patch
+tools-vm-fix-cross-compile-build.patch
+alsa-usx2y-fix-potential-null-dereference.patch
+alsa-hda-realtek-fix-unexpected-init_amp-override.patch
+alsa-hda-realtek-add-new-codec-supported-for-alc245.patch
+alsa-hda-hdmi-add-module-option-to-disable-audio-component-binding.patch
+alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch
+alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch
+tpm-tpm_tis-free-irq-if-probing-fails.patch
+tpm-fix-wrong-return-value-in-tpm_pcr_extend.patch
+tpm-ibmvtpm-retry-on-h_closed-in-tpm_ibmvtpm_send.patch
+kvm-s390-return-last-valid-slot-if-approx-index-is-out-of-bounds.patch
+kvm-check-validity-of-resolved-slot-when-searching-memslots.patch
+kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
+tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch
+tty-rocket-avoid-oob-access.patch
+usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch
+signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch
+audit-check-the-length-of-userspace-generated-audit-records.patch
+asoc-dapm-fixup-dapm-kcontrol-widget.patch
+mac80211-populate-debugfs-only-after-cfg80211-init.patch
+sunrpc-fix-backchannel-rpc-soft-lockups.patch
+iwlwifi-pcie-actually-release-queue-memory-in-tvqm.patch
+iwlwifi-mvm-beacon-statistics-shouldn-t-go-backwards.patch
+iwlwifi-mvm-limit-maximum-queue-appropriately.patch
+iwlwifi-mvm-do-not-declare-support-for-ack-enabled-aggregation.patch
+iwlwifi-mvm-fix-inactive-tid-removal-return-value-usage.patch
diff --git a/queue-5.4/signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch b/queue-5.4/signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch
new file mode 100644
index 00000000000..e6079d346e1
--- /dev/null
+++ b/queue-5.4/signal-avoid-corrupting-si_pid-and-si_uid-in-do_notify_parent.patch
@@ -0,0 +1,180 @@ +From 61e713bdca3678e84815f2427f7a063fc353a1fc Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Mon, 20 Apr 2020 11:41:50 -0500 +Subject: signal: Avoid corrupting si_pid and si_uid in do_notify_parent + +From: Eric W. Biederman + +commit 61e713bdca3678e84815f2427f7a063fc353a1fc upstream. + +Christof Meerwald writes: +> Hi, +> +> this is probably related to commit +> 7a0cf094944e2540758b7f957eb6846d5126f535 (signal: Correct namespace +> fixups of si_pid and si_uid). +> +> With a 5.6.5 kernel I am seeing SIGCHLD signals that don't include a +> properly set si_pid field - this seems to happen for multi-threaded +> child processes. +> +> A simple test program (based on the sample from the signalfd man page): +> +> #include +> #include +> #include +> #include +> #include +> #include +> +> #define handle_error(msg) \ +> do { perror(msg); exit(EXIT_FAILURE); } while (0) +> +> int main(int argc, char *argv[]) +> { +> sigset_t mask; +> int sfd; +> struct signalfd_siginfo fdsi; +> ssize_t s; +> +> sigemptyset(&mask); +> sigaddset(&mask, SIGCHLD); +> +> if (sigprocmask(SIG_BLOCK, &mask, NULL) == -1) +> handle_error("sigprocmask"); +> +> pid_t chldpid; +> char *chldargv[] = { "./sfdclient", NULL }; +> posix_spawn(&chldpid, "./sfdclient", NULL, NULL, chldargv, NULL); +> +> sfd = signalfd(-1, &mask, 0); +> if (sfd == -1) +> handle_error("signalfd"); +> +> for (;;) { +> s = read(sfd, &fdsi, sizeof(struct signalfd_siginfo)); +> if (s != sizeof(struct signalfd_siginfo)) +> handle_error("read"); +> +> if (fdsi.ssi_signo == SIGCHLD) { +> printf("Got SIGCHLD %d %d %d %d\n", +> fdsi.ssi_status, fdsi.ssi_code, +> fdsi.ssi_uid, fdsi.ssi_pid); +> return 0; +> } else { +> printf("Read unexpected signal\n"); +> } +> } +> } +> +> +> and a multi-threaded client to test with: +> +> #include +> #include +> +> void *f(void *arg) +> { +> sleep(100); +> } +> +> int main() +> { +> pthread_t t[8]; +> +> for (int i = 0; i != 8; ++i) +> { +> pthread_create(&t[i], NULL, f, 
NULL); +> } +> } +> +> I tried to do a bit of debugging and what seems to be happening is +> that +> +> /* From an ancestor pid namespace? */ +> if (!task_pid_nr_ns(current, task_active_pid_ns(t))) { +> +> fails inside task_pid_nr_ns because the check for "pid_alive" fails. +> +> This code seems to be called from do_notify_parent and there we +> actually have "tsk != current" (I am assuming both are threads of the +> current process?) + +I instrumented the code with a warning and received the following backtrace: +> WARNING: CPU: 0 PID: 777 at kernel/pid.c:501 __task_pid_nr_ns.cold.6+0xc/0x15 +> Modules linked in: +> CPU: 0 PID: 777 Comm: sfdclient Not tainted 5.7.0-rc1userns+ #2924 +> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +> RIP: 0010:__task_pid_nr_ns.cold.6+0xc/0x15 +> Code: ff 66 90 48 83 ec 08 89 7c 24 04 48 8d 7e 08 48 8d 74 24 04 e8 9a b6 44 00 48 83 c4 08 c3 48 c7 c7 59 9f ac 82 e8 c2 c4 04 00 <0f> 0b e9 3fd +> RSP: 0018:ffffc9000042fbf8 EFLAGS: 00010046 +> RAX: 000000000000000c RBX: 0000000000000000 RCX: ffffc9000042faf4 +> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff81193d29 +> RBP: ffffc9000042fc18 R08: 0000000000000000 R09: 0000000000000001 +> R10: 000000100f938416 R11: 0000000000000309 R12: ffff8880b941c140 +> R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880b941c140 +> FS: 0000000000000000(0000) GS:ffff8880bca00000(0000) knlGS:0000000000000000 +> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +> CR2: 00007f2e8c0a32e0 CR3: 0000000002e10000 CR4: 00000000000006f0 +> Call Trace: +> send_signal+0x1c8/0x310 +> do_notify_parent+0x50f/0x550 +> release_task.part.21+0x4fd/0x620 +> do_exit+0x6f6/0xaf0 +> do_group_exit+0x42/0xb0 +> get_signal+0x13b/0xbb0 +> do_signal+0x2b/0x670 +> ? __audit_syscall_exit+0x24d/0x2b0 +> ? rcu_read_lock_sched_held+0x4d/0x60 +> ? kfree+0x24c/0x2b0 +> do_syscall_64+0x176/0x640 +> ? 
trace_hardirqs_off_thunk+0x1a/0x1c +> entry_SYSCALL_64_after_hwframe+0x49/0xb3 + +The immediate problem is as Christof noticed that "pid_alive(current) == false". +This happens because do_notify_parent is called from the last thread to exit +in a process after that thread has been reaped. + +The bigger issue is that do_notify_parent can be called from any +process that manages to wait on a thread of a multi-threaded process +from wait_task_zombie. So any logic based upon current for +do_notify_parent is just nonsense, as current can be pretty much +anything. + +So change do_notify_parent to call __send_signal directly. + +Inspecting the code it appears this problem has existed since the pid +namespace support started handling this case in 2.6.30. This fix only +backports to 7a0cf094944e ("signal: Correct namespace fixups of si_pid and si_uid") +where the problem logic was moved out of __send_signal and into send_signal. + +Cc: stable@vger.kernel.org +Fixes: 6588c1e3ff01 ("signals: SI_USER: Masquerade si_pid when crossing pid ns boundary") +Ref: 921cf9f63089 ("signals: protect cinit from unblocked SIG_DFL signals") +Link: https://lore.kernel.org/lkml/20200419201336.GI22017@edge.cmeerw.net/ +Reported-by: Christof Meerwald +Acked-by: Oleg Nesterov +Acked-by: Christian Brauner +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1993,8 +1993,12 @@ bool do_notify_parent(struct task_struct + if (psig->action[SIGCHLD-1].sa.sa_handler == SIG_IGN) + sig = 0; + } ++ /* ++ * Send with __send_signal as si_pid and si_uid are in the ++ * parent's namespaces. ++ */ + if (valid_signal(sig) && sig) +- __group_send_sig_info(sig, &info, tsk->parent); ++ __send_signal(sig, &info, tsk->parent, PIDTYPE_TGID, false); + __wake_up_parent(tsk, tsk->parent); + spin_unlock_irqrestore(&psig->siglock, flags); + 
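Review bot: The replacement call `__send_signal(sig, &info, tsk->parent, PIDTYPE_TGID, false);` passes a bare `false` whose meaning (the force flag, assuming the 5.4 prototype matches upstream) is invisible at the call site, and the added comment explains why __send_signal is used but not why that flag is off. Extending it with a clause such as `/* force=false: normal ignore/blocked handling still applies */` would spare the next reader a trip to the prototype. Bypassing send_signal() skips its namespace fixup by design, so the si_pid/si_uid fields of info must already be correct for the parent when they are filled earlier in do_notify_parent; that fill, and the start of the function, are outside the hunk.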
diff --git a/queue-5.4/staging-gasket-fix-incongruency-in-handling-of-sysfs-entries-creation.patch b/queue-5.4/staging-gasket-fix-incongruency-in-handling-of-sysfs-entries-creation.patch new file mode 100644 index 00000000000..6a5579dec53 --- /dev/null +++ b/queue-5.4/staging-gasket-fix-incongruency-in-handling-of-sysfs-entries-creation.patch 
@@ -0,0 +1,49 @@ +From 9195d762042b0e5e4ded63606b4b30a93cba4400 Mon Sep 17 00:00:00 2001 +From: Luis Mendes +Date: Fri, 3 Apr 2020 16:15:34 +0100 +Subject: staging: gasket: Fix incongruency in handling of sysfs entries creation + +From: Luis Mendes + +commit 9195d762042b0e5e4ded63606b4b30a93cba4400 upstream. + +Fix incongruency in handling of sysfs entries creation. +This issue could cause invalid memory accesses, by not properly +detecting the end of the sysfs attributes array. + +Fixes: 84c45d5f3bf1 ("staging: gasket: Replace macro __ATTR with __ATTR_NULL") +Signed-off-by: Luis Mendes +Cc: stable +Link: https://lore.kernel.org/r/20200403151534.20753-1-luis.p.mendes@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/gasket/gasket_sysfs.c | 3 +-- + drivers/staging/gasket/gasket_sysfs.h | 4 ---- + 2 files changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/staging/gasket/gasket_sysfs.c ++++ b/drivers/staging/gasket/gasket_sysfs.c +@@ -228,8 +228,7 @@ int gasket_sysfs_create_entries(struct d + } + + mutex_lock(&mapping->mutex); +- for (i = 0; strcmp(attrs[i].attr.attr.name, GASKET_ARRAY_END_MARKER); +- i++) { ++ for (i = 0; attrs[i].attr.attr.name != NULL; i++) { + if (mapping->attribute_count == GASKET_SYSFS_MAX_NODES) { + dev_err(device, + "Maximum number of sysfs nodes reached for device\n"); +--- a/drivers/staging/gasket/gasket_sysfs.h ++++ b/drivers/staging/gasket/gasket_sysfs.h +@@ -30,10 +30,6 @@ + */ + #define GASKET_SYSFS_MAX_NODES 196 + +-/* End markers for sysfs struct arrays. */ +-#define GASKET_ARRAY_END_TOKEN GASKET_RESERVED_ARRAY_END +-#define GASKET_ARRAY_END_MARKER __stringify(GASKET_ARRAY_END_TOKEN) +- + /* + * Terminator struct for a gasket_sysfs_attr array. Must be at the end of + * all gasket_sysfs_attribute arrays. diff --git a/queue-5.4/sunrpc-fix-backchannel-rpc-soft-lockups.patch b/queue-5.4/sunrpc-fix-backchannel-rpc-soft-lockups.patch new file mode 100644 index 00000000000..d74ae454651 --- /dev/null 
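Review bot: The new loop condition in gasket_sysfs_create_entries, `attrs[i].attr.attr.name != NULL`, makes the walk depend entirely on every caller's array ending in the terminator entry declared in gasket_sysfs.h; nothing in the hunk bounds `i` by the array's length, and the `mapping->attribute_count == GASKET_SYSFS_MAX_NODES` check limits the mapping's count, not `i`, so an unterminated array still reads past its end. That contract is now implicit because the `GASKET_ARRAY_END_MARKER` name it used to be spelled with is deleted from the header, so state it at the loop: `/* attrs[] must end with the terminator entry (attr.attr.name == NULL); there is no other bound on i */`. The header's surviving comment about the terminator struct could likewise say that a NULL name is what the iterator tests for. gasket_sysfs_create_entries starts outside the hunk.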
+++ b/queue-5.4/sunrpc-fix-backchannel-rpc-soft-lockups.patch 
@@ -0,0 +1,92 @@ +From 6221f1d9b63fed6260273e59a2b89ab30537a811 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Fri, 17 Apr 2020 12:40:31 -0400 +Subject: SUNRPC: Fix backchannel RPC soft lockups + +From: Chuck Lever + +commit 6221f1d9b63fed6260273e59a2b89ab30537a811 upstream. + +Currently, after the forward channel connection goes away, +backchannel operations are causing soft lockups on the server +because call_transmit_status's SOFTCONN logic ignores ENOTCONN. +Such backchannel Calls are aggressively retried until the client +reconnects. + +Backchannel Calls should use RPC_TASK_NOCONNECT rather than +RPC_TASK_SOFTCONN. If there is no forward connection, the server is +not capable of establishing a connection back to the client, thus +that backchannel request should fail before the server attempts to +send it. Commit 58255a4e3ce5 ("NFSD: NFSv4 callback client should +use RPC_TASK_SOFTCONN") was merged several years before +RPC_TASK_NOCONNECT was available. + +Because setup_callback_client() explicitly sets NOPING, the NFSv4.0 +callback connection depends on the first callback RPC to initiate +a connection to the client. Thus NFSv4.0 needs to continue to use +RPC_TASK_SOFTCONN. 
+ +Suggested-by: Trond Myklebust +Signed-off-by: Chuck Lever +Cc: # v4.20+ +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4callback.c | 4 +++- + net/sunrpc/svc_xprt.c | 2 ++ + net/sunrpc/xprtrdma/svc_rdma_backchannel.c | 2 ++ + net/sunrpc/xprtsock.c | 1 + + 4 files changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -1241,6 +1241,7 @@ nfsd4_run_cb_work(struct work_struct *wo + container_of(work, struct nfsd4_callback, cb_work); + struct nfs4_client *clp = cb->cb_clp; + struct rpc_clnt *clnt; ++ int flags; + + if (cb->cb_need_restart) { + cb->cb_need_restart = false; +@@ -1269,7 +1270,8 @@ nfsd4_run_cb_work(struct work_struct *wo + } + + cb->cb_msg.rpc_cred = clp->cl_cb_cred; +- rpc_call_async(clnt, &cb->cb_msg, RPC_TASK_SOFT | RPC_TASK_SOFTCONN, ++ flags = clp->cl_minorversion ? RPC_TASK_NOCONNECT : RPC_TASK_SOFTCONN; ++ rpc_call_async(clnt, &cb->cb_msg, RPC_TASK_SOFT | flags, + cb->cb_ops ? &nfsd4_cb_ops : &nfsd4_cb_probe_ops, cb); + } + +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -1028,6 +1028,8 @@ static void svc_delete_xprt(struct svc_x + + dprintk("svc: svc_delete_xprt(%p)\n", xprt); + xprt->xpt_ops->xpo_detach(xprt); ++ if (xprt->xpt_bc_xprt) ++ xprt->xpt_bc_xprt->ops->close(xprt->xpt_bc_xprt); + + spin_lock_bh(&serv->sv_lock); + list_del_init(&xprt->xpt_list); +--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c +@@ -242,6 +242,8 @@ static void + xprt_rdma_bc_close(struct rpc_xprt *xprt) + { + dprintk("svcrdma: %s: xprt %p\n", __func__, xprt); ++ ++ xprt_disconnect_done(xprt); + xprt->cwnd = RPC_CWNDSHIFT; + } + +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2714,6 +2714,7 @@ static int bc_send_request(struct rpc_rq + + static void bc_close(struct rpc_xprt *xprt) + { ++ xprt_disconnect_done(xprt); + } + + /* 
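Review bot: The flag selection added to nfsd4_run_cb_work, `flags = clp->cl_minorversion ? RPC_TASK_NOCONNECT : RPC_TASK_SOFTCONN;`, encodes a reason that only the commit message explains, and a reader of the file cannot recover it from the ternary. Add it at the assignment: `/* v4.0 callback clients are set up with NOPING, so the first callback RPC must be allowed to connect (SOFTCONN); for v4.1+ the server cannot open a connection back to the client, so a missing forward connection must fail the call immediately (NOCONNECT) */`. In svc_delete_xprt the new `xprt->xpt_bc_xprt->ops->close(xprt->xpt_bc_xprt)` call runs after xpo_detach and before `sv_lock` is taken, and the hunk does not show what keeps `xpt_bc_xprt` stable at that point, so that is worth confirming against the rest of the file. Both nfsd4_run_cb_work and svc_delete_xprt begin outside their hunks.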
diff --git a/queue-5.4/tools-vm-fix-cross-compile-build.patch b/queue-5.4/tools-vm-fix-cross-compile-build.patch new file mode 100644 index 00000000000..a9dbc83b84f --- /dev/null +++ b/queue-5.4/tools-vm-fix-cross-compile-build.patch @@ -0,0 +1,40 @@ +From cf01699ee220c38099eb3e43ce3d10690c8b7060 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Mon, 20 Apr 2020 18:14:23 -0700 +Subject: tools/vm: fix cross-compile build + +From: Lucas Stach + +commit cf01699ee220c38099eb3e43ce3d10690c8b7060 upstream. + +Commit 7ed1c1901fe5 ("tools: fix cross-compile var clobbering") moved +the setup of the CC variable to tools/scripts/Makefile.include to make +the behavior consistent across all the tools Makefiles. + +As the vm tools missed the include we end up with the wrong CC in a +cross-compiling evironment. + +Fixes: 7ed1c1901fe5 (tools: fix cross-compile var clobbering) +Signed-off-by: Lucas Stach +Signed-off-by: Andrew Morton +Cc: Martin Kelly +Cc: +Link: http://lkml.kernel.org/r/20200416104748.25243-1-l.stach@pengutronix.de +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + tools/vm/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/vm/Makefile ++++ b/tools/vm/Makefile +@@ -1,6 +1,8 @@ + # SPDX-License-Identifier: GPL-2.0 + # Makefile for vm tools + # ++include ../scripts/Makefile.include ++ + TARGETS=page-types slabinfo page_owner_sort + + LIB_DIR = ../lib/api diff --git a/queue-5.4/tpm-fix-wrong-return-value-in-tpm_pcr_extend.patch b/queue-5.4/tpm-fix-wrong-return-value-in-tpm_pcr_extend.patch new file mode 100644 index 00000000000..1872b77050c --- /dev/null +++ b/queue-5.4/tpm-fix-wrong-return-value-in-tpm_pcr_extend.patch 
@@ -0,0 +1,37 @@ +From 29cb79795e324a8b65e7891d76f8f6ca911ba440 Mon Sep 17 00:00:00 2001 +From: Tianjia Zhang +Date: Tue, 14 Apr 2020 19:42:26 +0800 +Subject: tpm: fix wrong return value in tpm_pcr_extend + +From: Tianjia Zhang + +commit 29cb79795e324a8b65e7891d76f8f6ca911ba440 upstream. + +For the algorithm that does not match the bank, a positive +value EINVAL is returned here. I think this is a typo error. +It is necessary to return an error value. + +Cc: stable@vger.kernel.org # 5.4.x +Fixes: 9f75c8224631 ("KEYS: trusted: correctly initialize digests and fix locking issue") +Signed-off-by: Tianjia Zhang +Reviewed-by: Roberto Sassu +Reviewed-by: Jerry Snitselaar +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm-interface.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm-interface.c ++++ b/drivers/char/tpm/tpm-interface.c +@@ -322,7 +322,7 @@ int tpm_pcr_extend(struct tpm_chip *chip + + for (i = 0; i < chip->nr_allocated_banks; i++) { + if (digests[i].alg_id != chip->allocated_banks[i].alg_id) { +- rc = EINVAL; ++ rc = -EINVAL; + goto out; + } + } diff --git a/queue-5.4/tpm-ibmvtpm-retry-on-h_closed-in-tpm_ibmvtpm_send.patch b/queue-5.4/tpm-ibmvtpm-retry-on-h_closed-in-tpm_ibmvtpm_send.patch new file mode 100644 index 00000000000..9d67b7b142f --- /dev/null +++ b/queue-5.4/tpm-ibmvtpm-retry-on-h_closed-in-tpm_ibmvtpm_send.patch 
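Review bot: The corrected `rc = -EINVAL;` in tpm_pcr_extend is right, but the loop it sits in still says nothing about the contract it enforces: it indexes `digests[i]` for every `i < chip->nr_allocated_banks` and requires `digests[i].alg_id` to equal `chip->allocated_banks[i].alg_id`, so the caller must supply one entry per allocated bank in bank order, and the hunk shows no check on the length of `digests`. A comment at the loop would make that explicit, e.g. `/* digests[] must hold one entry per allocated bank, in bank order; a mismatched alg_id is a caller bug */`, unless the function's kernel-doc (outside the hunk) already states it. With the old positive return, a caller testing only for a negative result would presumably have carried on with mismatched banks, which is worth a sentence in the backport note. tpm_pcr_extend starts outside the hunk.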
@@ -0,0 +1,219 @@ +From eba5cf3dcb844c82f54d4a857e124824e252206d Mon Sep 17 00:00:00 2001 +From: George Wilson +Date: Thu, 19 Mar 2020 23:27:58 -0400 +Subject: tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() + +From: George Wilson + +commit eba5cf3dcb844c82f54d4a857e124824e252206d upstream. + +tpm_ibmvtpm_send() can fail during PowerVM Live Partition Mobility resume +with an H_CLOSED return from ibmvtpm_send_crq(). The PAPR says, 'The +"partner partition suspended" transport event disables the associated CRQ +such that any H_SEND_CRQ hcall() to the associated CRQ returns H_Closed +until the CRQ has been explicitly enabled using the H_ENABLE_CRQ hcall.' +This patch adds a check in tpm_ibmvtpm_send() for an H_CLOSED return from +ibmvtpm_send_crq() and in that case calls tpm_ibmvtpm_resume() and +retries the ibmvtpm_send_crq() once. + +Cc: stable@vger.kernel.org # 3.7.x +Fixes: 132f76294744 ("drivers/char/tpm: Add new device driver to support IBM vTPM") +Reported-by: Linh Pham +Reviewed-by: Stefan Berger +Signed-off-by: George Wilson +Tested-by: Linh Pham +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm_ibmvtpm.c | 136 ++++++++++++++++++++++------------------- + 1 file changed, 73 insertions(+), 63 deletions(-) + +--- a/drivers/char/tpm/tpm_ibmvtpm.c ++++ b/drivers/char/tpm/tpm_ibmvtpm.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* +- * Copyright (C) 2012 IBM Corporation ++ * Copyright (C) 2012-2020 IBM Corporation + * + * Author: Ashley Lai + * +@@ -134,6 +134,64 @@ static int tpm_ibmvtpm_recv(struct tpm_c + } + + /** ++ * ibmvtpm_crq_send_init - Send a CRQ initialize message ++ * @ibmvtpm: vtpm device struct ++ * ++ * Return: ++ * 0 on success. ++ * Non-zero on failure. 
++ */ ++static int ibmvtpm_crq_send_init(struct ibmvtpm_dev *ibmvtpm) ++{ ++ int rc; ++ ++ rc = ibmvtpm_send_crq_word(ibmvtpm->vdev, INIT_CRQ_CMD); ++ if (rc != H_SUCCESS) ++ dev_err(ibmvtpm->dev, ++ "%s failed rc=%d\n", __func__, rc); ++ ++ return rc; ++} ++ ++/** ++ * tpm_ibmvtpm_resume - Resume from suspend ++ * ++ * @dev: device struct ++ * ++ * Return: Always 0. ++ */ ++static int tpm_ibmvtpm_resume(struct device *dev) ++{ ++ struct tpm_chip *chip = dev_get_drvdata(dev); ++ struct ibmvtpm_dev *ibmvtpm = dev_get_drvdata(&chip->dev); ++ int rc = 0; ++ ++ do { ++ if (rc) ++ msleep(100); ++ rc = plpar_hcall_norets(H_ENABLE_CRQ, ++ ibmvtpm->vdev->unit_address); ++ } while (rc == H_IN_PROGRESS || rc == H_BUSY || H_IS_LONG_BUSY(rc)); ++ ++ if (rc) { ++ dev_err(dev, "Error enabling ibmvtpm rc=%d\n", rc); ++ return rc; ++ } ++ ++ rc = vio_enable_interrupts(ibmvtpm->vdev); ++ if (rc) { ++ dev_err(dev, "Error vio_enable_interrupts rc=%d\n", rc); ++ return rc; ++ } ++ ++ rc = ibmvtpm_crq_send_init(ibmvtpm); ++ if (rc) ++ dev_err(dev, "Error send_init rc=%d\n", rc); ++ ++ return rc; ++} ++ ++/** + * tpm_ibmvtpm_send() - Send a TPM command + * @chip: tpm chip struct + * @buf: buffer contains data to send +@@ -146,6 +204,7 @@ static int tpm_ibmvtpm_recv(struct tpm_c + static int tpm_ibmvtpm_send(struct tpm_chip *chip, u8 *buf, size_t count) + { + struct ibmvtpm_dev *ibmvtpm = dev_get_drvdata(&chip->dev); ++ bool retry = true; + int rc, sig; + + if (!ibmvtpm->rtce_buf) { +@@ -179,18 +238,27 @@ static int tpm_ibmvtpm_send(struct tpm_c + */ + ibmvtpm->tpm_processing_cmd = true; + ++again: + rc = ibmvtpm_send_crq(ibmvtpm->vdev, + IBMVTPM_VALID_CMD, VTPM_TPM_COMMAND, + count, ibmvtpm->rtce_dma_handle); + if (rc != H_SUCCESS) { ++ /* ++ * H_CLOSED can be returned after LPM resume. Call ++ * tpm_ibmvtpm_resume() to re-enable the CRQ then retry ++ * ibmvtpm_send_crq() once before failing. 
++ */ ++ if (rc == H_CLOSED && retry) { ++ tpm_ibmvtpm_resume(ibmvtpm->dev); ++ retry = false; ++ goto again; ++ } + dev_err(ibmvtpm->dev, "tpm_ibmvtpm_send failed rc=%d\n", rc); +- rc = 0; + ibmvtpm->tpm_processing_cmd = false; +- } else +- rc = 0; ++ } + + spin_unlock(&ibmvtpm->rtce_lock); +- return rc; ++ return 0; + } + + static void tpm_ibmvtpm_cancel(struct tpm_chip *chip) +@@ -269,26 +337,6 @@ static int ibmvtpm_crq_send_init_complet + } + + /** +- * ibmvtpm_crq_send_init - Send a CRQ initialize message +- * @ibmvtpm: vtpm device struct +- * +- * Return: +- * 0 on success. +- * Non-zero on failure. +- */ +-static int ibmvtpm_crq_send_init(struct ibmvtpm_dev *ibmvtpm) +-{ +- int rc; +- +- rc = ibmvtpm_send_crq_word(ibmvtpm->vdev, INIT_CRQ_CMD); +- if (rc != H_SUCCESS) +- dev_err(ibmvtpm->dev, +- "ibmvtpm_crq_send_init failed rc=%d\n", rc); +- +- return rc; +-} +- +-/** + * tpm_ibmvtpm_remove - ibm vtpm remove entry point + * @vdev: vio device struct + * +@@ -400,44 +448,6 @@ static int ibmvtpm_reset_crq(struct ibmv + ibmvtpm->crq_dma_handle, CRQ_RES_BUF_SIZE); + } + +-/** +- * tpm_ibmvtpm_resume - Resume from suspend +- * +- * @dev: device struct +- * +- * Return: Always 0. 
+- */ +-static int tpm_ibmvtpm_resume(struct device *dev) +-{ +- struct tpm_chip *chip = dev_get_drvdata(dev); +- struct ibmvtpm_dev *ibmvtpm = dev_get_drvdata(&chip->dev); +- int rc = 0; +- +- do { +- if (rc) +- msleep(100); +- rc = plpar_hcall_norets(H_ENABLE_CRQ, +- ibmvtpm->vdev->unit_address); +- } while (rc == H_IN_PROGRESS || rc == H_BUSY || H_IS_LONG_BUSY(rc)); +- +- if (rc) { +- dev_err(dev, "Error enabling ibmvtpm rc=%d\n", rc); +- return rc; +- } +- +- rc = vio_enable_interrupts(ibmvtpm->vdev); +- if (rc) { +- dev_err(dev, "Error vio_enable_interrupts rc=%d\n", rc); +- return rc; +- } +- +- rc = ibmvtpm_crq_send_init(ibmvtpm); +- if (rc) +- dev_err(dev, "Error send_init rc=%d\n", rc); +- +- return rc; +-} +- + static bool tpm_ibmvtpm_req_canceled(struct tpm_chip *chip, u8 status) + { + return (status == 0); diff --git a/queue-5.4/tpm-tpm_tis-free-irq-if-probing-fails.patch b/queue-5.4/tpm-tpm_tis-free-irq-if-probing-fails.patch new file mode 100644 index 00000000000..a6c8506d4b3 --- /dev/null +++ b/queue-5.4/tpm-tpm_tis-free-irq-if-probing-fails.patch 
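Review bot: The retry path added in tpm_ibmvtpm_send ignores the return value of `tpm_ibmvtpm_resume(ibmvtpm->dev)`: if H_ENABLE_CRQ, `vio_enable_interrupts()` or the CRQ init message fails, the code still jumps to `again` and resends into a CRQ it has just been told is not enabled, and the second failure is then reported as the generic "tpm_ibmvtpm_send failed" rather than the resume error. Gate the retry on the resume result: `if (rc == H_CLOSED && retry && tpm_ibmvtpm_resume(ibmvtpm->dev) == 0) { retry = false; goto again; }`. The `spin_unlock(&ibmvtpm->rtce_lock)` that follows the send indicates `rtce_lock` is held across this block, while the relocated tpm_ibmvtpm_resume() calls `msleep(100)` in its H_ENABLE_CRQ loop; if `rtce_lock` is the spinlock its name suggests (the acquisition is outside the hunk), the retry can sleep with it held. The moved kernel-doc for tpm_ibmvtpm_resume still reads `Return: Always 0.` although the function returns the hcall and vio error codes on every failure path; `Return: 0 on success, otherwise the H_ENABLE_CRQ, vio_enable_interrupts() or CRQ-init error code.` matches the body.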
@@ -0,0 +1,48 @@ +From b160c94be5d2816b62c8ac338605668304242959 Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Sun, 12 Apr 2020 20:04:12 +0300 +Subject: tpm/tpm_tis: Free IRQ if probing fails + +From: Jarkko Sakkinen + +commit b160c94be5d2816b62c8ac338605668304242959 upstream. + +Call disable_interrupts() if we have to revert to polling in order not to +unnecessarily reserve the IRQ for the life-cycle of the driver. + +Cc: stable@vger.kernel.org # 4.5.x +Reported-by: Hans de Goede +Fixes: e3837e74a06d ("tpm_tis: Refactor the interrupt setup") +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm_tis_core.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -433,6 +433,9 @@ static void disable_interrupts(struct tp + u32 intmask; + int rc; + ++ if (priv->irq == 0) ++ return; ++ + rc = tpm_tis_read32(priv, TPM_INT_ENABLE(priv->locality), &intmask); + if (rc < 0) + intmask = 0; +@@ -983,9 +986,12 @@ int tpm_tis_core_init(struct device *dev + if (irq) { + tpm_tis_probe_irq_single(chip, intmask, IRQF_SHARED, + irq); +- if (!(chip->flags & TPM_CHIP_FLAG_IRQ)) ++ if (!(chip->flags & TPM_CHIP_FLAG_IRQ)) { + dev_err(&chip->dev, FW_BUG + "TPM interrupt not working, polling instead\n"); ++ ++ disable_interrupts(chip); ++ } + } else { + tpm_tis_probe_irq(chip, intmask); + } diff --git a/queue-5.4/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch b/queue-5.4/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch new file mode 100644 index 00000000000..4e649c7e99e --- /dev/null +++ b/queue-5.4/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch 
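Review bot: The new `disable_interrupts(chip);` in tpm_tis_core_init carries no explanation, and the early return added at the top of disable_interrupts (`if (priv->irq == 0) return;`) only makes sense if something sets `priv->irq` back to 0 once the line is released; neither that assignment nor the free itself is visible, since disable_interrupts' body continues outside the hunk. Document the intent at the call site, `/* IRQ probe failed: release the line now rather than holding it for the driver's lifetime while we poll */`, and at the guard, `/* nothing was requested, or it has already been released */`. It is worth confirming that the release path also clears `priv->irq`, otherwise the guard never triggers on a second call and the register writes below run for an IRQ that has already been given back. Both tpm_tis_core_init and disable_interrupts start outside their hunks.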
@@ -0,0 +1,126 @@ +From 9a9fc42b86c06120744555fea43fdcabe297c656 Mon Sep 17 00:00:00 2001 +From: Andrew Melnychenko +Date: Tue, 14 Apr 2020 22:15:03 +0300 +Subject: tty: hvc: fix buffer overflow during hvc_alloc(). + +From: Andrew Melnychenko + +commit 9a9fc42b86c06120744555fea43fdcabe297c656 upstream. + +If there is a lot(more then 16) of virtio-console devices +or virtio_console module is reloaded +- buffers 'vtermnos' and 'cons_ops' are overflowed. +In older kernels it overruns spinlock which leads to kernel freezing: +https://bugzilla.redhat.com/show_bug.cgi?id=1786239 + +To reproduce the issue, you can try simple script that +loads/unloads module. Something like this: +while [ 1 ] +do + modprobe virtio_console + sleep 2 + modprobe -r virtio_console + sleep 2 +done + +Description of problem: +Guest get 'Call Trace' when loading module "virtio_console" +and unloading it frequently - clearly reproduced on kernel-4.18.0: + +[ 81.498208] ------------[ cut here ]------------ +[ 81.499263] pvqspinlock: lock 0xffffffff92080020 has corrupted value 0xc0774ca0! 
+[ 81.501000] WARNING: CPU: 0 PID: 785 at kernel/locking/qspinlock_paravirt.h:500 __pv_queued_spin_unlock_slowpath+0xc0/0xd0 +[ 81.503173] Modules linked in: virtio_console fuse xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nft_counter nf_nat_tftp nft_objref nf_conntrack_tftp tun bridge stp llc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 nft_chain_route_ipv6 nft_chain_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nft_chain_route_ipv4 ip6_tables nft_compat ip_set nf_tables nfnetlink sunrpc bochs_drm drm_vram_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm i2c_piix4 pcspkr crct10dif_pclmul crc32_pclmul joydev ghash_clmulni_intel ip_tables xfs libcrc32c sd_mod sg ata_generic ata_piix virtio_net libata crc32c_intel net_failover failover serio_raw virtio_scsi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: virtio_console] +[ 81.517019] CPU: 0 PID: 785 Comm: kworker/0:2 Kdump: loaded Not tainted 4.18.0-167.el8.x86_64 #1 +[ 81.518639] Hardware name: Red Hat KVM, BIOS 1.12.0-5.scrmod+el8.2.0+5159+d8aa4d83 04/01/2014 +[ 81.520205] Workqueue: events control_work_handler [virtio_console] +[ 81.521354] RIP: 0010:__pv_queued_spin_unlock_slowpath+0xc0/0xd0 +[ 81.522450] Code: 07 00 48 63 7a 10 e8 bf 64 f5 ff 66 90 c3 8b 05 e6 cf d6 01 85 c0 74 01 c3 8b 17 48 89 fe 48 c7 c7 38 4b 29 91 e8 3a 6c fa ff <0f> 0b c3 0f 0b 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 +[ 81.525830] RSP: 0018:ffffb51a01ffbd70 EFLAGS: 00010282 +[ 81.526798] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000 +[ 81.528110] RDX: ffff9e66f1826480 RSI: ffff9e66f1816a08 RDI: ffff9e66f1816a08 +[ 81.529437] RBP: ffffffff9153ff10 R08: 000000000000026c R09: 0000000000000053 +[ 81.530732] R10: 0000000000000000 R11: ffffb51a01ffbc18 R12: ffff9e66cd682200 +[ 81.532133] R13: 
ffffffff9153ff10 R14: ffff9e6685569500 R15: ffff9e66cd682000 +[ 81.533442] FS: 0000000000000000(0000) GS:ffff9e66f1800000(0000) knlGS:0000000000000000 +[ 81.534914] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 81.535971] CR2: 00005624c55b14d0 CR3: 00000003a023c000 CR4: 00000000003406f0 +[ 81.537283] Call Trace: +[ 81.537763] __raw_callee_save___pv_queued_spin_unlock_slowpath+0x11/0x20 +[ 81.539011] .slowpath+0x9/0xe +[ 81.539585] hvc_alloc+0x25e/0x300 +[ 81.540237] init_port_console+0x28/0x100 [virtio_console] +[ 81.541251] handle_control_message.constprop.27+0x1c4/0x310 [virtio_console] +[ 81.542546] control_work_handler+0x70/0x10c [virtio_console] +[ 81.543601] process_one_work+0x1a7/0x3b0 +[ 81.544356] worker_thread+0x30/0x390 +[ 81.545025] ? create_worker+0x1a0/0x1a0 +[ 81.545749] kthread+0x112/0x130 +[ 81.546358] ? kthread_flush_work_fn+0x10/0x10 +[ 81.547183] ret_from_fork+0x22/0x40 +[ 81.547842] ---[ end trace aa97649bd16c8655 ]--- +[ 83.546539] general protection fault: 0000 [#1] SMP NOPTI +[ 83.547422] CPU: 5 PID: 3225 Comm: modprobe Kdump: loaded Tainted: G W --------- - - 4.18.0-167.el8.x86_64 #1 +[ 83.549191] Hardware name: Red Hat KVM, BIOS 1.12.0-5.scrmod+el8.2.0+5159+d8aa4d83 04/01/2014 +[ 83.550544] RIP: 0010:__pv_queued_spin_lock_slowpath+0x19a/0x2a0 +[ 83.551504] Code: c4 c1 ea 12 41 be 01 00 00 00 4c 8d 6d 14 41 83 e4 03 8d 42 ff 49 c1 e4 05 48 98 49 81 c4 40 a5 02 00 4c 03 24 c5 60 48 34 91 <49> 89 2c 24 b8 00 80 00 00 eb 15 84 c0 75 0a 41 0f b6 54 24 14 84 +[ 83.554449] RSP: 0018:ffffb51a0323fdb0 EFLAGS: 00010202 +[ 83.555290] RAX: 000000000000301c RBX: ffffffff92080020 RCX: 0000000000000001 +[ 83.556426] RDX: 000000000000301d RSI: 0000000000000000 RDI: 0000000000000000 +[ 83.557556] RBP: ffff9e66f196a540 R08: 000000000000028a R09: ffff9e66d2757788 +[ 83.558688] R10: 0000000000000000 R11: 0000000000000000 R12: 646e61725f770b07 +[ 83.559821] R13: ffff9e66f196a554 R14: 0000000000000001 R15: 0000000000180000 +[ 83.560958] FS: 
00007fd5032e8740(0000) GS:ffff9e66f1940000(0000) knlGS:0000000000000000 +[ 83.562233] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 83.563149] CR2: 00007fd5022b0da0 CR3: 000000038c334000 CR4: 00000000003406e0 + +Signed-off-by: Andrew Melnychenko +Cc: stable +Link: https://lore.kernel.org/r/20200414191503.3471783-1-andrew@daynix.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/hvc/hvc_console.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/drivers/tty/hvc/hvc_console.c ++++ b/drivers/tty/hvc/hvc_console.c +@@ -302,10 +302,6 @@ int hvc_instantiate(uint32_t vtermno, in + vtermnos[index] = vtermno; + cons_ops[index] = ops; + +- /* reserve all indices up to and including this index */ +- if (last_hvc < index) +- last_hvc = index; +- + /* check if we need to re-register the kernel console */ + hvc_check_console(index); + +@@ -960,13 +956,22 @@ struct hvc_struct *hvc_alloc(uint32_t vt + cons_ops[i] == hp->ops) + break; + +- /* no matching slot, just use a counter */ +- if (i >= MAX_NR_HVC_CONSOLES) +- i = ++last_hvc; ++ if (i >= MAX_NR_HVC_CONSOLES) { ++ ++ /* find 'empty' slot for console */ ++ for (i = 0; i < MAX_NR_HVC_CONSOLES && vtermnos[i] != -1; i++) { ++ } ++ ++ /* no matching slot, just use a counter */ ++ if (i == MAX_NR_HVC_CONSOLES) ++ i = ++last_hvc + MAX_NR_HVC_CONSOLES; ++ } + + hp->index = i; +- cons_ops[i] = ops; +- vtermnos[i] = vtermno; ++ if (i < MAX_NR_HVC_CONSOLES) { ++ cons_ops[i] = ops; ++ vtermnos[i] = vtermno; ++ } + + list_add_tail(&(hp->next), &hvc_structs); + mutex_unlock(&hvc_structs_mutex); diff --git a/queue-5.4/tty-rocket-avoid-oob-access.patch b/queue-5.4/tty-rocket-avoid-oob-access.patch new file mode 100644 index 00000000000..a5422dd7f8f --- /dev/null +++ b/queue-5.4/tty-rocket-avoid-oob-access.patch 
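Review bot: The new empty-slot scan in hvc_alloc, `vtermnos[i] != -1`, treats -1 as the "free" marker, but neither the initialisation of `vtermnos[]` to -1 nor any reset of a slot when a console is removed is visible in the hunk; if slots are never returned to -1, the load/unload loop from the commit message exhausts the table and every later console takes the `++last_hvc + MAX_NR_HVC_CONSOLES` path, which is now memory-safe but never reuses slots. Confirm that the removal path does `vtermnos[hp->index] = -1` for indices below MAX_NR_HVC_CONSOLES, and say so at the scan: `/* slots are freed by resetting vtermnos[] to -1 on removal */` if that is the case. The empty loop body `{ }` after a blank line under `if (i >= MAX_NR_HVC_CONSOLES) {` reads oddly for kernel style; the usual form is a lone `;` on its own line under the `for`, with the "find 'empty' slot" comment kept above it. hvc_alloc starts outside the hunk.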
@@ -0,0 +1,72 @@ +From 7127d24372bf23675a36edc64d092dc7fd92ebe8 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Fri, 17 Apr 2020 12:59:59 +0200 +Subject: tty: rocket, avoid OOB access + +From: Jiri Slaby + +commit 7127d24372bf23675a36edc64d092dc7fd92ebe8 upstream. + +init_r_port can access pc104 array out of bounds. pc104 is a 2D array +defined to have 4 members. Each member has 8 submembers. +* we can have more than 4 (PCI) boards, i.e. [board] can be OOB +* line is not modulo-ed by anything, so the first line on the second + board can be 4, on the 3rd 12 or alike (depending on previously + registered boards). It's zero only on the first line of the first + board. So even [line] can be OOB, quite soon (with the 2nd registered + board already). + +This code is broken for ages, so just avoid the OOB accesses and don't +try to fix it as we would need to find out the correct line number. Use +the default: RS232, if we are out. + +Generally, if anyone needs to set the interface types, a module parameter +is past the last thing that should be used for this purpose. The +parameters' description says it's for ISA cards anyway. 
+ +Signed-off-by: Jiri Slaby +Cc: stable +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/r/20200417105959.15201-2-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/rocket.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +--- a/drivers/tty/rocket.c ++++ b/drivers/tty/rocket.c +@@ -632,18 +632,21 @@ init_r_port(int board, int aiop, int cha + tty_port_init(&info->port); + info->port.ops = &rocket_port_ops; + info->flags &= ~ROCKET_MODE_MASK; +- switch (pc104[board][line]) { +- case 422: +- info->flags |= ROCKET_MODE_RS422; +- break; +- case 485: +- info->flags |= ROCKET_MODE_RS485; +- break; +- case 232: +- default: ++ if (board < ARRAY_SIZE(pc104) && line < ARRAY_SIZE(pc104_1)) ++ switch (pc104[board][line]) { ++ case 422: ++ info->flags |= ROCKET_MODE_RS422; ++ break; ++ case 485: ++ info->flags |= ROCKET_MODE_RS485; ++ break; ++ case 232: ++ default: ++ info->flags |= ROCKET_MODE_RS232; ++ break; ++ } ++ else + info->flags |= ROCKET_MODE_RS232; +- break; +- } + + info->intmask = RXF_TRIG | TXFIFO_MT | SRC_INT | DELTA_CD | DELTA_CTS | DELTA_DSR; + if (sInitChan(ctlp, &info->channel, aiop, chan) == 0) { diff --git a/queue-5.4/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch b/queue-5.4/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch new file mode 100644 index 00000000000..25c7f6dfa10 --- /dev/null +++ b/queue-5.4/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch 
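Review bot: The new guard `if (board < ARRAY_SIZE(pc104) && line < ARRAY_SIZE(pc104_1))` compares `board` (an `int` per the visible signature) and, presumably, `line` against `size_t` values, so a negative index is promoted to unsigned and passes the check; if both come from board enumeration and cannot be negative this is only a `-Wsign-compare` nuisance, but an explicit cast or `>= 0` would make the intent reviewable. Bounding `line` with `ARRAY_SIZE(pc104_1)` ties the check to a sibling array rather than to what is indexed; `ARRAY_SIZE(pc104[0])` describes itself. The multi-line `switch` hanging off the `if` without braces, followed by `else`, is the shape kernel style asks to brace, and as the commit message notes only the first board can ever satisfy the `line` bound, so a comment such as `/* pc104[] is only meaningful for the first board; everything else falls back to RS232 */` would stop the next reader from "fixing" the fallback. init_r_port starts outside the hunk.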
@@ -0,0 +1,47 @@ +From 94f9c8c3c404ee1f7aaff81ad4f24aec4e34a78b Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 22 Apr 2020 16:14:57 -0400 +Subject: usb-storage: Add unusual_devs entry for JMicron JMS566 + +From: Alan Stern + +commit 94f9c8c3c404ee1f7aaff81ad4f24aec4e34a78b upstream. + +Cyril Roelandt reports that his JMicron JMS566 USB-SATA bridge fails +to handle WRITE commands with the FUA bit set, even though it claims +to support FUA. (Oddly enough, a later version of the same bridge, +version 2.03 as opposed to 1.14, doesn't claim to support FUA. Also +oddly, the bridge _does_ support FUA when using the UAS transport +instead of the Bulk-Only transport -- but this device was blacklisted +for uas in commit bc3bdb12bbb3 ("usb-storage: Disable UAS on JMicron +SATA enclosure") for apparently unrelated reasons.) + +This patch adds a usb-storage unusual_devs entry with the BROKEN_FUA +flag. This allows the bridge to work properly with usb-storage. + +Reported-and-tested-by: Cyril Roelandt +Signed-off-by: Alan Stern +CC: +Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2004221613110.11262-100000@iolanthe.rowland.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_devs.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2323,6 +2323,13 @@ UNUSUAL_DEV( 0x3340, 0xffff, 0x0000, 0x + USB_SC_DEVICE,USB_PR_DEVICE,NULL, + US_FL_MAX_SECTORS_64 ), + ++/* Reported by Cyril Roelandt */ ++UNUSUAL_DEV( 0x357d, 0x7788, 0x0114, 0x0114, ++ "JMicron", ++ "USB to ATA/ATAPI Bridge", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_BROKEN_FUA ), ++ + /* Reported by Andrey Rahmatullin */ + UNUSUAL_DEV( 0x4102, 0x1020, 0x0100, 0x0100, + "iRiver", diff --git a/queue-5.4/vmalloc-fix-remap_vmalloc_range-bounds-checks.patch b/queue-5.4/vmalloc-fix-remap_vmalloc_range-bounds-checks.patch new file mode 100644 index 00000000000..1bd895d007e --- /dev/null 
+++ b/queue-5.4/vmalloc-fix-remap_vmalloc_range-bounds-checks.patch 
@@ -0,0 +1,165 @@ +From bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 20 Apr 2020 18:14:11 -0700 +Subject: vmalloc: fix remap_vmalloc_range() bounds checks + +From: Jann Horn + +commit bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 upstream. + +remap_vmalloc_range() has had various issues with the bounds checks it +promises to perform ("This function checks that addr is a valid +vmalloc'ed area, and that it is big enough to cover the vma") over time, +e.g.: + + - not detecting pgoff< +Signed-off-by: Andrew Morton +Cc: stable@vger.kernel.org +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Martin KaFai Lau +Cc: Song Liu +Cc: Yonghong Song +Cc: Andrii Nakryiko +Cc: John Fastabend +Cc: KP Singh +Link: http://lkml.kernel.org/r/20200415222312.236431-1-jannh@google.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/vmcore.c | 5 +++-- + include/linux/vmalloc.h | 2 +- + mm/vmalloc.c | 16 +++++++++++++--- + samples/vfio-mdev/mdpy.c | 2 +- + 4 files changed, 18 insertions(+), 7 deletions(-) + +--- a/fs/proc/vmcore.c ++++ b/fs/proc/vmcore.c +@@ -266,7 +266,8 @@ static int vmcoredd_mmap_dumps(struct vm + if (start < offset + dump->size) { + tsz = min(offset + (u64)dump->size - start, (u64)size); + buf = dump->buf + start - offset; +- if (remap_vmalloc_range_partial(vma, dst, buf, tsz)) { ++ if (remap_vmalloc_range_partial(vma, dst, buf, 0, ++ tsz)) { + ret = -EFAULT; + goto out_unlock; + } +@@ -624,7 +625,7 @@ static int mmap_vmcore(struct file *file + tsz = min(elfcorebuf_sz + elfnotes_sz - (size_t)start, size); + kaddr = elfnotes_buf + start - elfcorebuf_sz - vmcoredd_orig_sz; + if (remap_vmalloc_range_partial(vma, vma->vm_start + len, +- kaddr, tsz)) ++ kaddr, 0, tsz)) + goto fail; + + size -= tsz; +--- a/include/linux/vmalloc.h ++++ b/include/linux/vmalloc.h +@@ -122,7 +122,7 @@ extern void vunmap(const void *addr); + + extern int remap_vmalloc_range_partial(struct vm_area_struct *vma, + 
unsigned long uaddr, void *kaddr, +- unsigned long size); ++ unsigned long pgoff, unsigned long size); + + extern int remap_vmalloc_range(struct vm_area_struct *vma, void *addr, + unsigned long pgoff); +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -2976,6 +2977,7 @@ finished: + * @vma: vma to cover + * @uaddr: target user address to start at + * @kaddr: virtual address of vmalloc kernel memory ++ * @pgoff: offset from @kaddr to start at + * @size: size of map area + * + * Returns: 0 for success, -Exxx on failure +@@ -2988,9 +2990,15 @@ finished: + * Similar to remap_pfn_range() (see mm/memory.c) + */ + int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr, +- void *kaddr, unsigned long size) ++ void *kaddr, unsigned long pgoff, ++ unsigned long size) + { + struct vm_struct *area; ++ unsigned long off; ++ unsigned long end_index; ++ ++ if (check_shl_overflow(pgoff, PAGE_SHIFT, &off)) ++ return -EINVAL; + + size = PAGE_ALIGN(size); + +@@ -3004,8 +3012,10 @@ int remap_vmalloc_range_partial(struct v + if (!(area->flags & (VM_USERMAP | VM_DMA_COHERENT))) + return -EINVAL; + +- if (kaddr + size > area->addr + get_vm_area_size(area)) ++ if (check_add_overflow(size, off, &end_index) || ++ end_index > get_vm_area_size(area)) + return -EINVAL; ++ kaddr += off; + + do { + struct page *page = vmalloc_to_page(kaddr); +@@ -3044,7 +3054,7 @@ int remap_vmalloc_range(struct vm_area_s + unsigned long pgoff) + { + return remap_vmalloc_range_partial(vma, vma->vm_start, +- addr + (pgoff << PAGE_SHIFT), ++ addr, pgoff, + vma->vm_end - vma->vm_start); + } + EXPORT_SYMBOL(remap_vmalloc_range); +--- a/samples/vfio-mdev/mdpy.c ++++ b/samples/vfio-mdev/mdpy.c +@@ -418,7 +418,7 @@ static int mdpy_mmap(struct mdev_device + return -EINVAL; + + return remap_vmalloc_range_partial(vma, vma->vm_start, +- mdev_state->memblk, ++ mdev_state->memblk, 0, + vma->vm_end - vma->vm_start); + } +
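Review bot: The replacement bound in remap_vmalloc_range_partial, `end_index > get_vm_area_size(area)`, measures `size + off` from the start of the vm area, whereas the removed check `kaddr + size > area->addr + get_vm_area_size(area)` measured from `kaddr`; unless `find_vm_area()` (outside the hunk) is guaranteed to return an area that starts exactly at `kaddr`, a caller passing an interior pointer — fs/proc/vmcore.c passes `dump->buf + start - offset` and `elfnotes_buf + start - ...` in this same patch — is now checked against the whole area rather than the part after `kaddr`. Keeping the old semantics with the overflow helpers: `if (check_add_overflow(size, off, &end_index) || end_index > get_vm_area_size(area) - (unsigned long)(kaddr - area->addr)) return -EINVAL;`, which relies only on the lookup returning the area containing `kaddr`. The new kernel-doc line `@pgoff: offset from @kaddr to start at` should name the unit, since `off` is built with `check_shl_overflow(pgoff, PAGE_SHIFT, &off)`: `@pgoff: offset from @kaddr to start at, in pages`. The function's signature is inside the hunk but its body continues outside it.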