From: Greg Kroah-Hartman Date: Mon, 18 May 2020 14:04:23 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.224~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6954f3fda78891964562ea8b6ebbe5784a854fe2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch cifs-fix-leaked-reference-on-requeued-write.patch clk-rockchip-fix-incorrect-configuration-of-rk3228-aclk_gpu-clocks.patch dwc3-remove-check-for-hwo-flag-in-dwc3_gadget_ep_reclaim_trb_sg.patch exec-move-would_dump-into-flush_old_exec.patch usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch x86-fix-early-boot-crash-on-gcc-10-third-try.patch x86-unwind-orc-fix-error-handling-in-__unwind_start.patch --- diff --git a/queue-4.19/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch b/queue-4.19/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch new file mode 100644 index 00000000000..365a8457983 --- /dev/null +++ b/queue-4.19/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch 
@@ -0,0 +1,59 @@ +From 90d4d3f4ea45370d482fa609dbae4d2281b4074f Mon Sep 17 00:00:00 2001 +From: Kishon Vijay Abraham I +Date: Fri, 17 Apr 2020 12:13:40 +0530 +Subject: ARM: dts: dra7: Fix bus_dma_limit for PCIe + +From: Kishon Vijay Abraham I + +commit 90d4d3f4ea45370d482fa609dbae4d2281b4074f upstream. + +Even though commit cfb5d65f2595 ("ARM: dts: dra7: Add bus_dma_limit +for L3 bus") added bus_dma_limit for L3 bus, the PCIe controller +gets incorrect value of bus_dma_limit. + +Fix it by adding empty dma-ranges property to axi@0 and axi@1 +(parent device tree node of PCIe controller). + +Cc: stable@kernel.org +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/dra7.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/dra7.dtsi ++++ b/arch/arm/boot/dts/dra7.dtsi +@@ -312,6 +312,7 @@ + #address-cells = <1>; + ranges = <0x51000000 0x51000000 0x3000 + 0x0 0x20000000 0x10000000>; ++ dma-ranges; + /** + * To enable PCI endpoint mode, disable the pcie1_rc + * node and enable pcie1_ep mode. +@@ -325,7 +326,6 @@ + device_type = "pci"; + ranges = <0x81000000 0 0 0x03000 0 0x00010000 + 0x82000000 0 0x20013000 0x13000 0 0xffed000>; +- dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>; + bus-range = <0x00 0xff>; + #interrupt-cells = <1>; + num-lanes = <1>; +@@ -368,6 +368,7 @@ + #address-cells = <1>; + ranges = <0x51800000 0x51800000 0x3000 + 0x0 0x30000000 0x10000000>; ++ dma-ranges; + status = "disabled"; + pcie2_rc: pcie@51800000 { + reg = <0x51800000 0x2000>, <0x51802000 0x14c>, <0x1000 0x2000>; +@@ -378,7 +379,6 @@ + device_type = "pci"; + ranges = <0x81000000 0 0 0x03000 0 0x00010000 + 0x82000000 0 0x30013000 0x13000 0 0xffed000>; +- dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>; + bus-range = <0x00 0xff>; + #interrupt-cells = <1>; + num-lanes = <1>; 
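Review bot: the log in arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch only explains the two added "dma-ranges;" lines under axi@0 and axi@1, but the second and fourth hunks also delete "dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>;" from the pcie1_rc and pcie2_rc nodes, and that removal is not mentioned anywhere. Add a sentence stating that the RC-level 4 GiB window is dropped on purpose now that the parent bus carries an empty (identity) dma-ranges, so a later reader does not take the deletion for an accidental loss of the PCIe DMA window; the hunk counts (2 insertions, 2 deletions) match the description once that is said.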
diff --git a/queue-4.19/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch b/queue-4.19/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch new file mode 100644 index 00000000000..3f23a31e98b --- /dev/null +++ b/queue-4.19/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch @@ -0,0 +1,43 @@ +From 0caf34350a25907515d929a9c77b9b206aac6d1e Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Fri, 27 Mar 2020 10:36:24 -0300 +Subject: ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries + +From: Fabio Estevam + +commit 0caf34350a25907515d929a9c77b9b206aac6d1e upstream. + +The I2C2 pins are already used and the following errors are seen: + +imx27-pinctrl 10015000.iomuxc: pin MX27_PAD_I2C2_SDA already requested by 10012000.i2c; cannot claim for 1001d000.i2c +imx27-pinctrl 10015000.iomuxc: pin-69 (1001d000.i2c) status -22 +imx27-pinctrl 10015000.iomuxc: could not request pin 69 (MX27_PAD_I2C2_SDA) from group i2c2grp on device 10015000.iomuxc +imx-i2c 1001d000.i2c: Error applying setting, reverse things back +imx-i2c: probe of 1001d000.i2c failed with error -22 + +Fix it by adding the correct I2C1 IOMUX entries for the pinctrl_i2c1 group. + +Cc: +Fixes: 61664d0b432a ("ARM: dts: imx27 phyCARD-S pinctrl") +Signed-off-by: Fabio Estevam +Reviewed-by: Stefan Riedmueller +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts ++++ b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts +@@ -81,8 +81,8 @@ + imx27-phycard-s-rdk { + pinctrl_i2c1: i2c1grp { + fsl,pins = < +- MX27_PAD_I2C2_SDA__I2C2_SDA 0x0 +- MX27_PAD_I2C2_SCL__I2C2_SCL 0x0 ++ MX27_PAD_I2C_DATA__I2C_DATA 0x0 ++ MX27_PAD_I2C_CLK__I2C_CLK 0x0 + >; + }; + 
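Review bot: the two replacement lines "MX27_PAD_I2C_DATA__I2C_DATA 0x0" and "MX27_PAD_I2C_CLK__I2C_CLK 0x0" in the pinctrl_i2c1 group are bare macro names, so the only backport risk in 4.19 is those macros not being defined in the imx27 pinfunc header this tree ships; a dtbs build for the imx27-phytec-phycard-s-rdk board would catch that before the patch lands. The pinctrl log excerpt in the message ("pin MX27_PAD_I2C2_SDA already requested by 10012000.i2c; cannot claim for 1001d000.i2c") is the observable symptom to re-check after the change, and it would help the stable reviewer if the Fixes: 61664d0b432a line were accompanied by a note that the I2C2 pad names were a copy-paste of the i2c2 group rather than a deliberate choice.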
diff --git a/queue-4.19/cifs-fix-leaked-reference-on-requeued-write.patch b/queue-4.19/cifs-fix-leaked-reference-on-requeued-write.patch new file mode 100644 index 00000000000..37eefe910c8 --- /dev/null +++ b/queue-4.19/cifs-fix-leaked-reference-on-requeued-write.patch @@ -0,0 +1,40 @@ +From a48137996063d22ffba77e077425f49873856ca5 Mon Sep 17 00:00:00 2001 +From: Adam McCoy +Date: Wed, 13 May 2020 11:53:30 +0000 +Subject: cifs: fix leaked reference on requeued write + +From: Adam McCoy + +commit a48137996063d22ffba77e077425f49873856ca5 upstream. + +Failed async writes that are requeued may not clean up a refcount +on the file, which can result in a leaked open. This scenario arises +very reliably when using persistent handles and a reconnect occurs +while writing. + +cifs_writev_requeue only releases the reference if the write fails +(rc != 0). The server->ops->async_writev operation will take its own +reference, so the initial reference can always be released. + +Signed-off-by: Adam McCoy +Signed-off-by: Steve French +CC: Stable +Reviewed-by: Pavel Shilovsky +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifssmb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -2051,8 +2051,8 @@ cifs_writev_requeue(struct cifs_writedat + } + } + ++ kref_put(&wdata2->refcount, cifs_writedata_release); + if (rc) { +- kref_put(&wdata2->refcount, cifs_writedata_release); + if (is_retryable_error(rc)) + continue; + i += nr_pages; diff --git a/queue-4.19/clk-rockchip-fix-incorrect-configuration-of-rk3228-aclk_gpu-clocks.patch b/queue-4.19/clk-rockchip-fix-incorrect-configuration-of-rk3228-aclk_gpu-clocks.patch new file mode 100644 index 00000000000..63863202391 --- /dev/null +++ b/queue-4.19/clk-rockchip-fix-incorrect-configuration-of-rk3228-aclk_gpu-clocks.patch 
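Review bot: in cifs-fix-leaked-reference-on-requeued-write.patch, the moved "kref_put(&wdata2->refcount, cifs_writedata_release);" now executes before "if (rc) {" on every iteration, so on the success path the local reference to wdata2 is dropped while the async write is still in flight. The message's justification is that server->ops->async_writev takes its own reference, which protects the object itself, but the review should confirm that nothing later in the same loop body (past "i += nr_pages;", outside this hunk's context) still touches wdata2 after the put; a one-line comment above the kref_put saying that the async path holds its own reference would also stop the next person from moving it back inside the error branch, which is what created the leaked open the message describes.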
@@ -0,0 +1,77 @@ +From cec9d101d70a3509da9bd2e601e0b242154ce616 Mon Sep 17 00:00:00 2001 +From: Justin Swartz +Date: Tue, 14 Jan 2020 16:25:02 +0000 +Subject: clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks + +From: Justin Swartz + +commit cec9d101d70a3509da9bd2e601e0b242154ce616 upstream. + +The following changes prevent the unrecoverable freezes and rcu_sched +stall warnings experienced in each of my attempts to take advantage of +lima. + +Replace the COMPOSITE_NOGATE definition of aclk_gpu_pre with a +COMPOSITE that retains the selection of HDMIPHY as the PLL source, but +instead makes uses of the aclk_gpu PLL source gate and parent names +defined by mux_pll_src_4plls_p rather than mux_aclk_gpu_pre_p. + +Remove the now unused mux_aclk_gpu_pre_p and the four named but also +unused definitions (cpll_gpu, gpll_gpu, hdmiphy_gpu and usb480m_gpu) +of the aclk_gpu PLL source gate. + +Use the correct gate offset for aclk_gpu and aclk_gpu_noc. + +Fixes: 307a2e9ac524 ("clk: rockchip: add clock controller for rk3228") +Cc: stable@vger.kernel.org +Signed-off-by: Justin Swartz +[double-checked against SoC manual and added fixes tag] +Link: https://lore.kernel.org/r/20200114162503.7548-1-justin.swartz@risingedge.co.za +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/rockchip/clk-rk3228.c | 17 ++++------------- + 1 file changed, 4 insertions(+), 13 deletions(-) + +--- a/drivers/clk/rockchip/clk-rk3228.c ++++ b/drivers/clk/rockchip/clk-rk3228.c +@@ -163,8 +163,6 @@ PNAME(mux_i2s_out_p) = { "i2s1_pre", "x + PNAME(mux_i2s2_p) = { "i2s2_src", "i2s2_frac", "xin12m" }; + PNAME(mux_sclk_spdif_p) = { "sclk_spdif_src", "spdif_frac", "xin12m" }; + +-PNAME(mux_aclk_gpu_pre_p) = { "cpll_gpu", "gpll_gpu", "hdmiphy_gpu", "usb480m_gpu" }; +- + PNAME(mux_uart0_p) = { "uart0_src", "uart0_frac", "xin24m" }; + PNAME(mux_uart1_p) = { "uart1_src", "uart1_frac", "xin24m" }; + PNAME(mux_uart2_p) = { "uart2_src", "uart2_frac", "xin24m" }; 
+@@ -475,16 +473,9 @@ static struct rockchip_clk_branch rk3228 + RK2928_CLKSEL_CON(24), 6, 10, DFLAGS, + RK2928_CLKGATE_CON(2), 8, GFLAGS), + +- GATE(0, "cpll_gpu", "cpll", 0, +- RK2928_CLKGATE_CON(3), 13, GFLAGS), +- GATE(0, "gpll_gpu", "gpll", 0, +- RK2928_CLKGATE_CON(3), 13, GFLAGS), +- GATE(0, "hdmiphy_gpu", "hdmiphy", 0, +- RK2928_CLKGATE_CON(3), 13, GFLAGS), +- GATE(0, "usb480m_gpu", "usb480m", 0, ++ COMPOSITE(0, "aclk_gpu_pre", mux_pll_src_4plls_p, 0, ++ RK2928_CLKSEL_CON(34), 5, 2, MFLAGS, 0, 5, DFLAGS, + RK2928_CLKGATE_CON(3), 13, GFLAGS), +- COMPOSITE_NOGATE(0, "aclk_gpu_pre", mux_aclk_gpu_pre_p, 0, +- RK2928_CLKSEL_CON(34), 5, 2, MFLAGS, 0, 5, DFLAGS), + + COMPOSITE(SCLK_SPI0, "sclk_spi0", mux_pll_src_2plls_p, 0, + RK2928_CLKSEL_CON(25), 8, 1, MFLAGS, 0, 7, DFLAGS, +@@ -589,8 +580,8 @@ static struct rockchip_clk_branch rk3228 + GATE(0, "pclk_peri_noc", "pclk_peri", CLK_IGNORE_UNUSED, RK2928_CLKGATE_CON(12), 2, GFLAGS), + + /* PD_GPU */ +- GATE(ACLK_GPU, "aclk_gpu", "aclk_gpu_pre", 0, RK2928_CLKGATE_CON(13), 14, GFLAGS), +- GATE(0, "aclk_gpu_noc", "aclk_gpu_pre", 0, RK2928_CLKGATE_CON(13), 15, GFLAGS), ++ GATE(ACLK_GPU, "aclk_gpu", "aclk_gpu_pre", 0, RK2928_CLKGATE_CON(7), 14, GFLAGS), ++ GATE(0, "aclk_gpu_noc", "aclk_gpu_pre", 0, RK2928_CLKGATE_CON(7), 15, GFLAGS), + + /* PD_BUS */ + GATE(0, "sclk_initmem_mbist", "aclk_cpu", 0, RK2928_CLKGATE_CON(8), 1, GFLAGS), diff --git a/queue-4.19/dwc3-remove-check-for-hwo-flag-in-dwc3_gadget_ep_reclaim_trb_sg.patch b/queue-4.19/dwc3-remove-check-for-hwo-flag-in-dwc3_gadget_ep_reclaim_trb_sg.patch new file mode 100644 index 00000000000..d582708e1f0 --- /dev/null +++ b/queue-4.19/dwc3-remove-check-for-hwo-flag-in-dwc3_gadget_ep_reclaim_trb_sg.patch 
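Review bot: the new COMPOSITE(0, "aclk_gpu_pre", mux_pll_src_4plls_p, 0, ...) keeps the same 2-bit mux field (RK2928_CLKSEL_CON(34), 5, 2, MFLAGS) and the same gate (RK2928_CLKGATE_CON(3), 13, GFLAGS) that the four removed GATE entries all shared, but it swaps the parent list from the removed mux_aclk_gpu_pre_p (cpll_gpu, gpll_gpu, hdmiphy_gpu, usb480m_gpu) to mux_pll_src_4plls_p, which is not visible in the hunk. Since the message says the HDMIPHY selection is retained, the reviewer should confirm that mux_pll_src_4plls_p lists its parents in the order the hardware mux encodes them; a mismatch here selects the wrong PLL silently, with no build error. The gate move for aclk_gpu and aclk_gpu_noc from RK2928_CLKGATE_CON(13) to RK2928_CLKGATE_CON(7) is backed by the maintainer's "[double-checked against SoC manual and added fixes tag]" note, but naming the register and bits in the log would make that check repeatable later.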
@@ -0,0 +1,54 @@ +From 00e21763f2c8cab21b7befa52996d1b18bde5c42 Mon Sep 17 00:00:00 2001 +From: John Stultz +Date: Mon, 4 May 2020 23:12:15 +0000 +Subject: dwc3: Remove check for HWO flag in dwc3_gadget_ep_reclaim_trb_sg() + +From: John Stultz + +commit 00e21763f2c8cab21b7befa52996d1b18bde5c42 upstream. + +The check for the HWO flag in dwc3_gadget_ep_reclaim_trb_sg() +causes us to break out of the loop before we call +dwc3_gadget_ep_reclaim_completed_trb(), which is what likely +should be clearing the HWO flag. + +This can cause odd behavior where we never reclaim all the trbs +in the sg list, so we never call giveback on a usb req, and that +will causes transfer stalls. + +This effectively resovles the adb stalls seen on HiKey960 +after userland changes started only using AIO in adbd. + +Cc: YongQin Liu +Cc: Anurag Kumar Vulisha +Cc: Yang Fei +Cc: Thinh Nguyen +Cc: Tejas Joglekar +Cc: Andrzej Pietrasiewicz +Cc: Jack Pham +Cc: Josh Gao +Cc: Todd Kjos +Cc: Felipe Balbi +Cc: Greg Kroah-Hartman +Cc: linux-usb@vger.kernel.org +Cc: stable@vger.kernel.org #4.20+ +Signed-off-by: John Stultz +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2279,9 +2279,6 @@ static int dwc3_gadget_ep_reclaim_trb_sg + for_each_sg(sg, s, pending, i) { + trb = &dep->trb_pool[dep->trb_dequeue]; + +- if (trb->ctrl & DWC3_TRB_CTRL_HWO) +- break; +- + req->sg = sg_next(s); + req->num_pending_sgs--; + diff --git a/queue-4.19/exec-move-would_dump-into-flush_old_exec.patch b/queue-4.19/exec-move-would_dump-into-flush_old_exec.patch new file mode 100644 index 00000000000..d0998e197ed --- /dev/null +++ b/queue-4.19/exec-move-would_dump-into-flush_old_exec.patch 
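Review bot: the tag "Cc: stable@vger.kernel.org #4.20+" in dwc3-remove-check-for-hwo-flag-in-dwc3_gadget_ep_reclaim_trb_sg.patch says the author intended this for 4.20 and later, yet it is being queued for 4.19; the hunk header "static int dwc3_gadget_ep_reclaim_trb_sg" shows the function exists in 4.19, but the queue entry should record why the 4.19 copy is believed to have the same problem (in particular whether 4.19's dwc3_gadget_ep_reclaim_completed_trb() is the one clearing HWO, which the message only says it "likely should" be), or the backport should be held. Dropping the "if (trb->ctrl & DWC3_TRB_CTRL_HWO) break;" means the loop now reclaims every pending TRB in the sg list regardless of the flag, so that "likely" is the whole correctness argument and is worth firming up in the log.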
@@ -0,0 +1,58 @@ +From f87d1c9559164294040e58f5e3b74a162bf7c6e8 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Sat, 16 May 2020 16:29:20 -0500 +Subject: exec: Move would_dump into flush_old_exec + +From: Eric W. Biederman + +commit f87d1c9559164294040e58f5e3b74a162bf7c6e8 upstream. + +I goofed when I added mm->user_ns support to would_dump. I missed the +fact that in the case of binfmt_loader, binfmt_em86, binfmt_misc, and +binfmt_script bprm->file is reassigned. Which made the move of +would_dump from setup_new_exec to __do_execve_file before exec_binprm +incorrect as it can result in would_dump running on the script instead +of the interpreter of the script. + +The net result is that the code stopped making unreadable interpreters +undumpable. Which allows them to be ptraced and written to disk +without special permissions. Oops. + +The move was necessary because the call in set_new_exec was after +bprm->mm was no longer valid. + +To correct this mistake move the misplaced would_dump from +__do_execve_file into flos_old_exec, before exec_mmap is called. + +I tested and confirmed that without this fix I can attach with gdb to +a script with an unreadable interpreter, and with this fix I can not. + +Cc: stable@vger.kernel.org +Fixes: f84df2a6f268 ("exec: Ensure mm->user_ns contains the execed files") +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/exec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1269,6 +1269,8 @@ int flush_old_exec(struct linux_binprm * + */ + set_mm_exe_file(bprm->mm, bprm->file); + ++ would_dump(bprm, bprm->file); ++ + /* + * Release all of the old mmap stuff + */ +@@ -1814,8 +1816,6 @@ static int __do_execve_file(int fd, stru + if (retval < 0) + goto out; + +- would_dump(bprm, bprm->file); +- + retval = exec_binprm(bprm); + if (retval < 0) + goto out; diff --git a/queue-4.19/series b/queue-4.19/series index 0d60330be0a..ebaa8a54423 100644 
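Review bot: the log says the call is moved "into flos_old_exec", but the hunk moves "would_dump(bprm, bprm->file);" into flush_old_exec() directly after "set_mm_exe_file(bprm->mm, bprm->file);" and before the exec_mmap() call; fix the function name in the message so the Fixes: f84df2a6f268 trail can be followed. The placement is consistent with the constraint the message states (bprm->mm must still be valid, which ruled out the old setup_new_exec site, while the __do_execve_file site ran before exec_binprm and so saw the script rather than the interpreter for binfmt_script, binfmt_misc, binfmt_em86 and binfmt_loader). The message's own test, that gdb can no longer attach to a script whose interpreter is unreadable, is the observable check for the backport and deserves a mention in the queue entry since this is the security-relevant behaviour being restored.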
--- a/queue-4.19/series +++ b/queue-4.19/series @@ -54,3 +54,14 @@ alsa-hda-realtek-limit-int-mic-boost-for-thinkpad-t530.patch alsa-rawmidi-fix-racy-buffer-resize-under-concurrent-accesses.patch alsa-usb-audio-add-control-message-quirk-delay-for-kingston-hyperx-headset.patch usb-core-hub-limit-hub_quirk_disable_autosuspend-to-usb5534b.patch +usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch +usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch +usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch +arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch +arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch +cifs-fix-leaked-reference-on-requeued-write.patch +x86-fix-early-boot-crash-on-gcc-10-third-try.patch +x86-unwind-orc-fix-error-handling-in-__unwind_start.patch +exec-move-would_dump-into-flush_old_exec.patch +clk-rockchip-fix-incorrect-configuration-of-rk3228-aclk_gpu-clocks.patch +dwc3-remove-check-for-hwo-flag-in-dwc3_gadget_ep_reclaim_trb_sg.patch diff --git a/queue-4.19/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch b/queue-4.19/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch new file mode 100644 index 00000000000..19732650e7a --- /dev/null +++ b/queue-4.19/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch 
@@ -0,0 +1,75 @@ +From 15753588bcd4bbffae1cca33c8ced5722477fe1f Mon Sep 17 00:00:00 2001 +From: Kyungtae Kim +Date: Sun, 10 May 2020 05:43:34 +0000 +Subject: USB: gadget: fix illegal array access in binding with UDC + +From: Kyungtae Kim + +commit 15753588bcd4bbffae1cca33c8ced5722477fe1f upstream. + +FuzzUSB (a variant of syzkaller) found an illegal array access +using an incorrect index while binding a gadget with UDC. + +Reference: https://www.spinics.net/lists/linux-usb/msg194331.html + +This bug occurs when a size variable used for a buffer +is misused to access its strcpy-ed buffer. +Given a buffer along with its size variable (taken from user input), +from which, a new buffer is created using kstrdup(). +Due to the original buffer containing 0 value in the middle, +the size of the kstrdup-ed buffer becomes smaller than that of the original. +So accessing the kstrdup-ed buffer with the same size variable +triggers memory access violation. + +The fix makes sure no zero value in the buffer, +by comparing the strlen() of the orignal buffer with the size variable, +so that the access to the kstrdup-ed buffer is safe. 
+ +BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200 +drivers/usb/gadget/configfs.c:266 +Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208 + +CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xce/0x128 lib/dump_stack.c:118 + print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374 + __kasan_report+0x131/0x1b0 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:641 + __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132 + gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266 + flush_write_buffer fs/configfs/file.c:251 [inline] + configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283 + __vfs_write+0x85/0x110 fs/read_write.c:494 + vfs_write+0x1cd/0x510 fs/read_write.c:558 + ksys_write+0x18a/0x220 fs/read_write.c:611 + __do_sys_write fs/read_write.c:623 [inline] + __se_sys_write fs/read_write.c:620 [inline] + __x64_sys_write+0x73/0xb0 fs/read_write.c:620 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Signed-off-by: Kyungtae Kim +Reported-and-tested-by: Kyungtae Kim +Cc: Felipe Balbi +Cc: stable +Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01 +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/configfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -260,6 +260,9 @@ static ssize_t gadget_dev_desc_UDC_store + char *name; + int ret; + ++ if (strlen(page) < len) ++ return -EOVERFLOW; ++ + name = kstrdup(page, GFP_KERNEL); + if (!name) + return -ENOMEM; diff --git a/queue-4.19/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch b/queue-4.19/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch new file mode 100644 index 00000000000..a4f73ad84ac 
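Review bot: the added "if (strlen(page) < len) return -EOVERFLOW;" rejects any write whose buffer contains a NUL before len, which is exactly the case that made the kstrdup() copy shorter than the index later applied to it (the KASAN report shows "Read of size 1" in gadget_dev_desc_UDC_store at configfs.c:266). The check relies on page being NUL-terminated; if the configfs write path cannot be counted on to terminate the buffer, "strnlen(page, len) < len" expresses the same condition without that dependency at no extra cost. -EOVERFLOW is an unusual errno for "input contains an embedded NUL"; -EINVAL would be the more conventional choice for malformed input, though that is cosmetic and does not affect the fix.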
--- /dev/null +++ b/queue-4.19/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch 
@@ -0,0 +1,135 @@ +From 1449cb2c2253d37d998c3714aa9b95416d16d379 Mon Sep 17 00:00:00 2001 +From: Li Jun +Date: Thu, 14 May 2020 14:04:32 +0300 +Subject: usb: host: xhci-plat: keep runtime active when removing host + +From: Li Jun + +commit 1449cb2c2253d37d998c3714aa9b95416d16d379 upstream. + +While removing the host (e.g. for USB role switch from host to device), +if runtime pm is enabled by user, below oops occurs on dwc3 and cdns3 +platforms. +Keeping the xhci-plat device active during host removal, and disabling +runtime pm before calling pm_runtime_set_suspended() fixes them. + +oops1: +Unable to handle kernel NULL pointer dereference at virtual address +0000000000000240 +Internal error: Oops: 96000004 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.4.3-00107-g64d454a-dirty +Hardware name: FSL i.MX8MP EVK (DT) +Workqueue: pm pm_runtime_work +pstate: 60000005 (nZCv daif -PAN -UAO) +pc : xhci_suspend+0x34/0x698 +lr : xhci_plat_runtime_suspend+0x2c/0x38 +sp : ffff800011ddbbc0 +Call trace: + xhci_suspend+0x34/0x698 + xhci_plat_runtime_suspend+0x2c/0x38 + pm_generic_runtime_suspend+0x28/0x40 + __rpm_callback+0xd8/0x138 + rpm_callback+0x24/0x98 + rpm_suspend+0xe0/0x448 + rpm_idle+0x124/0x140 + pm_runtime_work+0xa0/0xf8 + process_one_work+0x1dc/0x370 + worker_thread+0x48/0x468 + kthread+0xf0/0x120 + ret_from_fork+0x10/0x1c + +oops2: +usb 2-1: USB disconnect, device number 2 +xhci-hcd xhci-hcd.1.auto: remove, state 4 +usb usb2: USB disconnect, device number 1 +xhci-hcd xhci-hcd.1.auto: USB bus 2 deregistered +xhci-hcd xhci-hcd.1.auto: remove, state 4 +usb usb1: USB disconnect, device number 1 +Unable to handle kernel NULL pointer dereference at virtual address +0000000000000138 +Internal error: Oops: 96000004 [#1] PREEMPT SMP +Modules linked in: +CPU: 2 PID: 7 Comm: kworker/u8:0 Not tainted 5.6.0-rc4-next-20200304-03578 +Hardware name: Freescale i.MX8QXP MEK (DT) +Workqueue: 1-0050 tcpm_state_machine_work +pstate: 20000005 (nzCv daif 
-PAN -UAO) +pc : xhci_free_dev+0x214/0x270 +lr : xhci_plat_runtime_resume+0x78/0x88 +sp : ffff80001006b5b0 +Call trace: + xhci_free_dev+0x214/0x270 + xhci_plat_runtime_resume+0x78/0x88 + pm_generic_runtime_resume+0x30/0x48 + __rpm_callback+0x90/0x148 + rpm_callback+0x28/0x88 + rpm_resume+0x568/0x758 + rpm_resume+0x260/0x758 + rpm_resume+0x260/0x758 + __pm_runtime_resume+0x40/0x88 + device_release_driver_internal+0xa0/0x1c8 + device_release_driver+0x1c/0x28 + bus_remove_device+0xd4/0x158 + device_del+0x15c/0x3a0 + usb_disable_device+0xb0/0x268 + usb_disconnect+0xcc/0x300 + usb_remove_hcd+0xf4/0x1dc + xhci_plat_remove+0x78/0xe0 + platform_drv_remove+0x30/0x50 + device_release_driver_internal+0xfc/0x1c8 + device_release_driver+0x1c/0x28 + bus_remove_device+0xd4/0x158 + device_del+0x15c/0x3a0 + platform_device_del.part.0+0x20/0x90 + platform_device_unregister+0x28/0x40 + cdns3_host_exit+0x20/0x40 + cdns3_role_stop+0x60/0x90 + cdns3_role_set+0x64/0xd8 + usb_role_switch_set_role.part.0+0x3c/0x68 + usb_role_switch_set_role+0x20/0x30 + tcpm_mux_set+0x60/0xf8 + tcpm_reset_port+0xa4/0xf0 + tcpm_detach.part.0+0x28/0x50 + tcpm_state_machine_work+0x12ac/0x2360 + process_one_work+0x1c8/0x470 + worker_thread+0x50/0x428 + kthread+0xfc/0x128 + ret_from_fork+0x10/0x18 +Code: c8037c02 35ffffa3 17ffe7c3 f9800011 (c85f7c01) +---[ end trace 45b1a173d2679e44 ]--- + +[minor commit message cleanup -Mathias] +Cc: Baolin Wang +Cc: +Fixes: b0c69b4bace3 ("usb: host: plat: Enable xHCI plat runtime PM") +Reviewed-by: Peter Chen +Tested-by: Peter Chen +Signed-off-by: Li Jun +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20200514110432.25564-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-plat.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -361,6 +361,7 @@ static int xhci_plat_remove(struct platf + struct clk *reg_clk = xhci->reg_clk; + struct 
usb_hcd *shared_hcd = xhci->shared_hcd; + ++ pm_runtime_get_sync(&dev->dev); + xhci->xhc_state |= XHCI_STATE_REMOVING; + + usb_remove_hcd(shared_hcd); +@@ -374,8 +375,9 @@ static int xhci_plat_remove(struct platf + clk_disable_unprepare(reg_clk); + usb_put_hcd(hcd); + +- pm_runtime_set_suspended(&dev->dev); + pm_runtime_disable(&dev->dev); ++ pm_runtime_put_noidle(&dev->dev); ++ pm_runtime_set_suspended(&dev->dev); + + return 0; + } diff --git a/queue-4.19/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch b/queue-4.19/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch new file mode 100644 index 00000000000..e438a7bd585 --- /dev/null +++ b/queue-4.19/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch 
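Review bot: the new "pm_runtime_get_sync(&dev->dev);" at the top of xhci_plat_remove() discards its return value; oops2 in the message shows a runtime resume being triggered from device_release_driver() on this very removal path, so if that resume fails the function carries on into usb_remove_hcd() with the controller in an unknown power state. Either handle a negative return or add a comment stating why removal must proceed regardless. The final ordering in the second hunk (pm_runtime_disable, then pm_runtime_put_noidle, then pm_runtime_set_suspended) matches the message's "disabling runtime pm before calling pm_runtime_set_suspended()" and keeps the usage count balanced against the get_sync above; a short comment tying the put_noidle to that get_sync would make the pairing obvious to the next reader.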
@@ -0,0 +1,74 @@ +From 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a Mon Sep 17 00:00:00 2001 +From: Sriharsha Allenki +Date: Thu, 14 May 2020 14:04:31 +0300 +Subject: usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list + +From: Sriharsha Allenki + +commit 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a upstream. + +On platforms with IOMMU enabled, multiple SGs can be coalesced into one +by the IOMMU driver. In that case the SG list processing as part of the +completion of a urb on a bulk endpoint can result into a NULL pointer +dereference with the below stack dump. + +<6> Unable to handle kernel NULL pointer dereference at virtual address 0000000c +<6> pgd = c0004000 +<6> [0000000c] *pgd=00000000 +<6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM +<2> PC is at xhci_queue_bulk_tx+0x454/0x80c +<2> LR is at xhci_queue_bulk_tx+0x44c/0x80c +<2> pc : [] lr : [] psr: 000000d3 +<2> sp : ca337c80 ip : 00000000 fp : ffffffff +<2> r10: 00000000 r9 : 50037000 r8 : 00004000 +<2> r7 : 00000000 r6 : 00004000 r5 : 00000000 r4 : 00000000 +<2> r3 : 00000000 r2 : 00000082 r1 : c2c1a200 r0 : 00000000 +<2> Flags: nzcv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none +<2> Control: 10c0383d Table: b412c06a DAC: 00000051 +<6> Process usb-storage (pid: 5961, stack limit = 0xca336210) + +<2> [] (xhci_queue_bulk_tx) +<2> [] (xhci_urb_enqueue) +<2> [] (usb_hcd_submit_urb) +<2> [] (usb_sg_wait) +<2> [] (usb_stor_bulk_transfer_sglist) +<2> [] (usb_stor_bulk_srb) +<2> [] (usb_stor_Bulk_transport) +<2> [] (usb_stor_invoke_transport) +<2> [] (usb_stor_control_thread) +<2> [] (kthread) + +The above NULL pointer dereference is the result of block_len and the +sent_len set to zero after the first SG of the list when IOMMU driver +is enabled. Because of this the loop of processing the SGs has run +more than num_sgs which resulted in a sg_next on the last SG of the +list which has SG_END set. + +Fix this by check for the sg before any attributes of the sg are +accessed. 
+ +[modified reason for null pointer dereference in commit message subject -Mathias] +Fixes: f9c589e142d04 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer") +Cc: stable@vger.kernel.org +Signed-off-by: Sriharsha Allenki +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20200514110432.25564-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -3331,8 +3331,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd * + /* New sg entry */ + --num_sgs; + sent_len -= block_len; +- if (num_sgs != 0) { +- sg = sg_next(sg); ++ sg = sg_next(sg); ++ if (num_sgs != 0 && sg) { + block_len = sg_dma_len(sg); + addr = (u64) sg_dma_address(sg); + addr += sent_len; diff --git a/queue-4.19/x86-fix-early-boot-crash-on-gcc-10-third-try.patch b/queue-4.19/x86-fix-early-boot-crash-on-gcc-10-third-try.patch new file mode 100644 index 00000000000..df7fb67304c --- /dev/null +++ b/queue-4.19/x86-fix-early-boot-crash-on-gcc-10-third-try.patch 
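Review bot: "sg = sg_next(sg);" is now executed unconditionally, including on the final entry once num_sgs has reached zero, and the added NULL test in "if (num_sgs != 0 && sg) {" is what prevents the dereference; this is only safe because the last scatterlist entry carries the end marker so sg_next() returns NULL there, which is precisely the condition the message describes ("a sg_next on the last SG of the list which has SG_END set"). A one-line comment on that assignment would record the assumption. The message also explains the root cause as block_len and sent_len both reaching zero after the IOMMU coalesces entries, so the loop runs past num_sgs; this hunk guards the symptom at the sg walk, and the log should say whether the loop bound itself is expected to be revisited for coalesced lists or whether this check is considered the complete fix.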
@@ -0,0 +1,144 @@ +From a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Wed, 22 Apr 2020 18:11:30 +0200 +Subject: x86: Fix early boot crash on gcc-10, third try +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Borislav Petkov + +commit a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e upstream. + +... or the odyssey of trying to disable the stack protector for the +function which generates the stack canary value. + +The whole story started with Sergei reporting a boot crash with a kernel +built with gcc-10: + + Kernel panic — not syncing: stack-protector: Kernel stack is corrupted in: start_secondary + CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5—00235—gfffb08b37df9 #139 + Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M—D3H, BIOS F12 11/14/2013 + Call Trace: + dump_stack + panic + ? start_secondary + __stack_chk_fail + start_secondary + secondary_startup_64 + -—-[ end Kernel panic — not syncing: stack—protector: Kernel stack is corrupted in: start_secondary + +This happens because gcc-10 tail-call optimizes the last function call +in start_secondary() - cpu_startup_entry() - and thus emits a stack +canary check which fails because the canary value changes after the +boot_init_stack_canary() call. + +To fix that, the initial attempt was to mark the one function which +generates the stack canary with: + + __attribute__((optimize("-fno-stack-protector"))) ... start_secondary(void *unused) + +however, using the optimize attribute doesn't work cumulatively +as the attribute does not add to but rather replaces previously +supplied optimization options - roughly all -fxxx options. + +The key one among them being -fno-omit-frame-pointer and thus leading to +not present frame pointer - frame pointer which the kernel needs. 
+ +The next attempt to prevent compilers from tail-call optimizing +the last function call cpu_startup_entry(), shy of carving out +start_secondary() into a separate compilation unit and building it with +-fno-stack-protector, was to add an empty asm(""). + +This current solution was short and sweet, and reportedly, is supported +by both compilers but we didn't get very far this time: future (LTO?) +optimization passes could potentially eliminate this, which leads us +to the third attempt: having an actual memory barrier there which the +compiler cannot ignore or move around etc. + +That should hold for a long time, but hey we said that about the other +two solutions too so... + +Reported-by: Sergei Trofimovich +Signed-off-by: Borislav Petkov +Tested-by: Kalle Valo +Cc: +Link: https://lkml.kernel.org/r/20200314164451.346497-1-slyfox@gentoo.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/stackprotector.h | 7 ++++++- + arch/x86/kernel/smpboot.c | 8 ++++++++ + arch/x86/xen/smp_pv.c | 1 + + include/linux/compiler.h | 6 ++++++ + init/main.c | 2 ++ + 5 files changed, 23 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/stackprotector.h ++++ b/arch/x86/include/asm/stackprotector.h +@@ -55,8 +55,13 @@ + /* + * Initialize the stackprotector canary value. + * +- * NOTE: this must only be called from functions that never return, ++ * NOTE: this must only be called from functions that never return + * and it must always be inlined. ++ * ++ * In addition, it should be called from a compilation unit for which ++ * stack protector is disabled. Alternatively, the caller should not end ++ * with a function call which gets tail-call optimized as that would ++ * lead to checking a modified canary value. 
+ */ + static __always_inline void boot_init_stack_canary(void) + { +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -269,6 +269,14 @@ static void notrace start_secondary(void + + wmb(); + cpu_startup_entry(CPUHP_AP_ONLINE_IDLE); ++ ++ /* ++ * Prevent tail call to cpu_startup_entry() because the stack protector ++ * guard has been changed a couple of function calls up, in ++ * boot_init_stack_canary() and must not be checked before tail calling ++ * another function. ++ */ ++ prevent_tail_call_optimization(); + } + + /** +--- a/arch/x86/xen/smp_pv.c ++++ b/arch/x86/xen/smp_pv.c +@@ -89,6 +89,7 @@ asmlinkage __visible void cpu_bringup_an + { + cpu_bringup(); + cpu_startup_entry(CPUHP_AP_ONLINE_IDLE); ++ prevent_tail_call_optimization(); + } + + void xen_smp_intr_free_pv(unsigned int cpu) +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -351,4 +351,10 @@ static inline void *offset_to_ptr(const + compiletime_assert(__native_word(t), \ + "Need native word sized stores/loads for atomicity.") + ++/* ++ * This is needed in functions which generate the stack canary, see ++ * arch/x86/kernel/smpboot.c::start_secondary() for an example. ++ */ ++#define prevent_tail_call_optimization() mb() ++ + #endif /* __LINUX_COMPILER_H */ +--- a/init/main.c ++++ b/init/main.c +@@ -735,6 +735,8 @@ asmlinkage __visible void __init start_k + + /* Do the rest non-__init'ed, we're now alive */ + rest_init(); ++ ++ prevent_tail_call_optimization(); + } + + /* Call all constructor functions linked into the kernel. */ diff --git a/queue-4.19/x86-unwind-orc-fix-error-handling-in-__unwind_start.patch b/queue-4.19/x86-unwind-orc-fix-error-handling-in-__unwind_start.patch new file mode 100644 index 00000000000..a96e57c5bb7 --- /dev/null +++ b/queue-4.19/x86-unwind-orc-fix-error-handling-in-__unwind_start.patch 
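Review bot: the prevent_tail_call_optimization() call added in arch/x86/kernel/smpboot.c carries a four-line comment explaining that the canary was changed in boot_init_stack_canary() and must not be checked before a tail call, but the identical calls added to arch/x86/xen/smp_pv.c (after "cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);") and init/main.c (after "rest_init();") have no comment at all; point those two at the compiler.h definition or repeat the one-liner, otherwise a statement after an apparently noreturn call looks dead and will be removed. Defining the macro as "mb()" in include/linux/compiler.h is the message's deliberate choice over the earlier "asm("")" so that later optimization passes cannot elide it; the cost of a full memory barrier is irrelevant at these once-per-CPU bring-up sites, but the compiler.h comment should say that it is a barrier against tail-call optimization rather than a barrier needed for memory ordering, so nobody later "optimizes" it to barrier().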
@@ -0,0 +1,81 @@ +From 71c95825289f585014fe9741b051d32a7a916680 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Thu, 14 May 2020 15:31:10 -0500 +Subject: x86/unwind/orc: Fix error handling in __unwind_start() + +From: Josh Poimboeuf + +commit 71c95825289f585014fe9741b051d32a7a916680 upstream. + +The unwind_state 'error' field is used to inform the reliable unwinding +code that the stack trace can't be trusted. Set this field for all +errors in __unwind_start(). + +Also, move the zeroing out of the unwind_state struct to before the ORC +table initialization check, to prevent the caller from reading +uninitialized data if the ORC table is corrupted. + +Fixes: af085d9084b4 ("stacktrace/x86: add function for detecting reliable stack traces") +Fixes: d3a09104018c ("x86/unwinder/orc: Dont bail on stack overflow") +Fixes: 98d0c8ebf77e ("x86/unwind/orc: Prevent unwinding before ORC initialization") +Reported-by: Pavel Machek +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/d6ac7215a84ca92b895fdd2e1aa546729417e6e6.1589487277.git.jpoimboe@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/unwind_orc.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/arch/x86/kernel/unwind_orc.c ++++ b/arch/x86/kernel/unwind_orc.c +@@ -589,23 +589,23 @@ EXPORT_SYMBOL_GPL(unwind_next_frame); + void __unwind_start(struct unwind_state *state, struct task_struct *task, + struct pt_regs *regs, unsigned long *first_frame) + { +- if (!orc_init) +- goto done; +- + memset(state, 0, sizeof(*state)); + state->task = task; + ++ if (!orc_init) ++ goto err; ++ + /* + * Refuse to unwind the stack of a task while it's executing on another + * CPU. This check is racy, but that's ok: the unwinder has other + * checks to prevent it from going off the rails. 
+ */ + if (task_on_another_cpu(task)) +- goto done; ++ goto err; + + if (regs) { + if (user_mode(regs)) +- goto done; ++ goto the_end; + + state->ip = regs->ip; + state->sp = kernel_stack_pointer(regs); +@@ -638,6 +638,7 @@ void __unwind_start(struct unwind_state + * generate some kind of backtrace if this happens. + */ + void *next_page = (void *)PAGE_ALIGN((unsigned long)state->sp); ++ state->error = true; + if (get_stack_info(next_page, state->task, &state->stack_info, + &state->stack_mask)) + return; +@@ -663,8 +664,9 @@ void __unwind_start(struct unwind_state + + return; + +-done: ++err: ++ state->error = true; ++the_end: + state->stack_info.type = STACK_TYPE_UNKNOWN; +- return; + } + EXPORT_SYMBOL_GPL(__unwind_start);
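Review bot: the three exit paths now differ on purpose: "!orc_init" and "task_on_another_cpu(task)" jump to err and set "state->error = true;", while "user_mode(regs)" jumps to the_end without marking an error, since user-mode registers mean there is nothing to unwind rather than an untrusted trace; a one-line comment at the the_end: label would keep a later cleanup from folding the labels back together. In the stack-overflow branch, "state->error = true;" is set before the get_stack_info(next_page, ...) call and stays set even when that call succeeds, which is consistent with the comment above it (a best-effort backtrace from an overflowed stack should never pass the reliable-unwind check), but that behavioural change is worth a sentence in the log. Moving "memset(state, 0, sizeof(*state));" and "state->task = task;" ahead of the orc_init check is the important part for callers: with the old order an early "goto done" left every field except stack_info.type uninitialized, which is the corrupted-ORC-table case the message calls out.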