From: Greg Kroah-Hartman Date: Tue, 21 Apr 2020 13:54:20 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.19.118~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7e06f5d646fb48d1afa3435edba67dadc66b3229;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: alsa-hda-honor-pm-disablement-in-pm-freeze-and-thaw_noirq-ops.patch arm-bpf-fix-offset-overflow-for-bpf_mem-bpf_dw.patch objtool-fix-switch-table-detection-in-.text.unlikely.patch scsi-sg-add-sg_remove_request-in-sg_common_write.patch
---
diff --git a/queue-5.4/alsa-hda-honor-pm-disablement-in-pm-freeze-and-thaw_noirq-ops.patch b/queue-5.4/alsa-hda-honor-pm-disablement-in-pm-freeze-and-thaw_noirq-ops.patch
new file mode 100644
index 00000000000..72514779c31
--- /dev/null
+++ b/queue-5.4/alsa-hda-honor-pm-disablement-in-pm-freeze-and-thaw_noirq-ops.patch
@@ -0,0 +1,43 @@
+From 10db5bccc390e8e4bd9fcd1fbd4f1b23f271a405 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 13 Apr 2020 10:20:30 +0200
+Subject: ALSA: hda: Honor PM disablement in PM freeze and thaw_noirq ops
+
+From: Takashi Iwai
+
+commit 10db5bccc390e8e4bd9fcd1fbd4f1b23f271a405 upstream.
+
+freeze_noirq and thaw_noirq need to check the PM availability like
+other PM ops. There are cases where the device got disabled due to
+the error, and the PM operation should be ignored for that.
+
+Fixes: 3e6db33aaf1d ("ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207043
+Link: https://lore.kernel.org/r/20200413082034.25166-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_intel.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1068,6 +1068,8 @@ static int azx_freeze_noirq(struct devic
+ struct azx *chip = card->private_data;
+ struct pci_dev *pci = to_pci_dev(dev);
+
++ if (!azx_is_pm_ready(card))
++ return 0;
+ if (chip->driver_type == AZX_DRIVER_SKL)
+ pci_set_power_state(pci, PCI_D3hot);
+
+@@ -1080,6 +1082,8 @@ static int azx_thaw_noirq(struct device
+ struct azx *chip = card->private_data;
+ struct pci_dev *pci = to_pci_dev(dev);
+
++ if (!azx_is_pm_ready(card))
++ return 0;
+ if (chip->driver_type == AZX_DRIVER_SKL)
+ pci_set_power_state(pci, PCI_D0);
+
diff --git a/queue-5.4/arm-bpf-fix-offset-overflow-for-bpf_mem-bpf_dw.patch b/queue-5.4/arm-bpf-fix-offset-overflow-for-bpf_mem-bpf_dw.patch
new file mode 100644
index 00000000000..1c0abd0ef93
--- /dev/null
+++ b/queue-5.4/arm-bpf-fix-offset-overflow-for-bpf_mem-bpf_dw.patch
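Review bot: In both azx_freeze_noirq() and azx_thaw_noirq() of the queued ALSA patch, the new `azx_is_pm_ready(card)` guard runs after the initializer `struct azx *chip = card->private_data;` has already dereferenced `card`, so the guard cannot protect against a NULL card if that is one of the states it is meant to reject (the helper's body is not shown here). If that case is possible, declare `struct azx *chip;` and assign `chip = card->private_data;` after the guard. A short comment above the early return, such as `/* device disabled after an init error: skip PM and report success */`, would also record why 0 rather than an error code is returned. Both function bodies start and end outside the hunks.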
@@ -0,0 +1,109 @@
+From 4178417cc5359c329790a4a8f4a6604612338cca Mon Sep 17 00:00:00 2001
+From: Luke Nelson
+Date: Thu, 9 Apr 2020 15:17:52 -0700
+Subject: arm, bpf: Fix offset overflow for BPF_MEM BPF_DW
+
+From: Luke Nelson
+
+commit 4178417cc5359c329790a4a8f4a6604612338cca upstream.
+
+This patch fixes an incorrect check in how immediate memory offsets are
+computed for BPF_DW on arm.
+
+For BPF_LDX/ST/STX + BPF_DW, the 32-bit arm JIT breaks down an 8-byte
+access into two separate 4-byte accesses using off+0 and off+4. If off
+fits in imm12, the JIT emits a ldr/str instruction with the immediate
+and avoids the use of a temporary register. While the current check off
+<= 0xfff ensures that the first immediate off+0 doesn't overflow imm12,
+it's not sufficient for the second immediate off+4, which may cause the
+second access of BPF_DW to read/write the wrong address.
+
+This patch fixes the problem by changing the check to
+off <= 0xfff - 4 for BPF_DW, ensuring off+4 will never overflow.
+
+A side effect of simplifying the check is that it now allows using
+negative immediate offsets in ldr/str. This means that small negative
+offsets can also avoid the use of a temporary register.
+
+This patch introduces no new failures in test_verifier or test_bpf.c.
+
+Fixes: c5eae692571d6 ("ARM: net: bpf: improve 64-bit store implementation")
+Fixes: ec19e02b343db ("ARM: net: bpf: fix LDX instructions")
+Co-developed-by: Xi Wang
+Signed-off-by: Xi Wang
+Signed-off-by: Luke Nelson
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/20200409221752.28448-1-luke.r.nels@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/net/bpf_jit_32.c | 40 ++++++++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 16 deletions(-)
+
+--- a/arch/arm/net/bpf_jit_32.c
++++ b/arch/arm/net/bpf_jit_32.c
+@@ -992,21 +992,35 @@ static inline void emit_a32_mul_r64(cons
+ arm_bpf_put_reg32(dst_hi, rd[0], ctx);
+ }
+
++static bool is_ldst_imm(s16 off, const u8 size)
++{
++ s16 off_max = 0;
++
++ switch (size) {
++ case BPF_B:
++ case BPF_W:
++ off_max = 0xfff;
++ break;
++ case BPF_H:
++ off_max = 0xff;
++ break;
++ case BPF_DW:
++ /* Need to make sure off+4 does not overflow. */
++ off_max = 0xfff - 4;
++ break;
++ }
++ return -off_max <= off && off <= off_max;
++}
++
+ /* *(size *)(dst + off) = src */
+ static inline void emit_str_r(const s8 dst, const s8 src[],
+- s32 off, struct jit_ctx *ctx, const u8 sz){
++ s16 off, struct jit_ctx *ctx, const u8 sz){
+ const s8 *tmp = bpf2a32[TMP_REG_1];
+- s32 off_max;
+ s8 rd;
+
+ rd = arm_bpf_get_reg32(dst, tmp[1], ctx);
+
+- if (sz == BPF_H)
+- off_max = 0xff;
+- else
+- off_max = 0xfff;
+-
+- if (off < 0 || off > off_max) {
++ if (!is_ldst_imm(off, sz)) {
+ emit_a32_mov_i(tmp[0], off, ctx);
+ emit(ARM_ADD_R(tmp[0], tmp[0], rd), ctx);
+ rd = tmp[0];
+@@ -1035,18 +1049,12 @@ static inline void emit_str_r(const s8 d
+
+ /* dst = *(size*)(src + off) */
+ static inline void emit_ldx_r(const s8 dst[], const s8 src,
+- s32 off, struct jit_ctx *ctx, const u8 sz){
++ s16 off, struct jit_ctx *ctx, const u8 sz){
+ const s8 *tmp = bpf2a32[TMP_REG_1];
+ const s8 *rd = is_stacked(dst_lo) ?
 tmp : dst;
+ s8 rm = src;
+- s32 off_max;
+-
+- if (sz == BPF_H)
+- off_max = 0xff;
+- else
+- off_max = 0xfff;
+
+- if (off < 0 || off > off_max) {
++ if (!is_ldst_imm(off, sz)) {
+ emit_a32_mov_i(tmp[0], off, ctx);
+ emit(ARM_ADD_R(tmp[0], tmp[0], src), ctx);
+ rm = tmp[0];
diff --git a/queue-5.4/objtool-fix-switch-table-detection-in-.text.unlikely.patch b/queue-5.4/objtool-fix-switch-table-detection-in-.text.unlikely.patch
new file mode 100644
index 00000000000..9942f90f7e9
--- /dev/null
+++ b/queue-5.4/objtool-fix-switch-table-detection-in-.text.unlikely.patch
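Review bot: is_ldst_imm() in the queued arm-bpf patch now lets negative offsets take the immediate path, but the ldr/str encoders that consume `off` in emit_str_r() and emit_ldx_r() are outside the hunks, so whether they encode a negative immediate correctly cannot be confirmed from here. That is worth checking against the 5.4 tree before the backport lands, because a wrong encoding would make JIT-compiled programs read or write the wrong address. The `switch (size)` also has no `default`, so an unexpected size silently leaves `off_max` at 0; an explicit `default: return false;` would send unknown sizes through the temporary-register path instead. A header comment such as `/* true if off fits the ldr/str immediate field for this access size */` would document the helper. Both emitters continue outside the hunks.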
@@ -0,0 +1,45 @@
+From b401efc120a399dfda1f4d2858a4de365c9b08ef Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf
+Date: Wed, 1 Apr 2020 13:23:28 -0500
+Subject: objtool: Fix switch table detection in .text.unlikely
+
+From: Josh Poimboeuf
+
+commit b401efc120a399dfda1f4d2858a4de365c9b08ef upstream.
+
+If a switch jump table's indirect branch is in a ".cold" subfunction in
+.text.unlikely, objtool doesn't detect it, and instead prints a false
+warning:
+
+ drivers/media/v4l2-core/v4l2-ioctl.o: warning: objtool: v4l_print_format.cold()+0xd6: sibling call from callable instruction with modified stack frame
+ drivers/hwmon/max6650.o: warning: objtool: max6650_probe.cold()+0xa5: sibling call from callable instruction with modified stack frame
+ drivers/media/dvb-frontends/drxk_hard.o: warning: objtool: init_drxk.cold()+0x16f: sibling call from callable instruction with modified stack frame
+
+Fix it by comparing the function, instead of the section and offset.
+
+Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
+Signed-off-by: Josh Poimboeuf
+Signed-off-by: Borislav Petkov
+Reviewed-by: Miroslav Benes
+Acked-by: Peter Zijlstra (Intel)
+Link: https://lkml.kernel.org/r/157c35d42ca9b6354bbb1604fe9ad7d1153ccb21.1585761021.git.jpoimboe@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/objtool/check.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -1010,10 +1010,7 @@ static struct rela *find_jump_table(stru
+ * it.
+ */
+ for (;
+- &insn->list != &file->insn_list &&
+- insn->sec == func->sec &&
+- insn->offset >= func->offset;
+-
++ &insn->list != &file->insn_list && insn->func && insn->func->pfunc == func;
+ insn = insn->first_jump_src ?: list_prev_entry(insn, list)) {
+
+ if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC)
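Review bot: The rewritten loop condition in find_jump_table() compares `insn->func->pfunc` with `func`, which presumably matches only when callers pass the parent function symbol rather than a `.cold` subfunction. The call sites are outside the hunk, so that assumption is not checkable here and should be stated in the code. A comment before the `for`, such as `/* walk back while still inside func or one of its .cold subfunctions */`, would record why the section/offset test was replaced and what `func` must be. The function body starts and ends outside the hunk.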
diff --git a/queue-5.4/scsi-sg-add-sg_remove_request-in-sg_common_write.patch b/queue-5.4/scsi-sg-add-sg_remove_request-in-sg_common_write.patch
new file mode 100644
index 00000000000..d8a09a38259
--- /dev/null
+++ b/queue-5.4/scsi-sg-add-sg_remove_request-in-sg_common_write.patch
@@ -0,0 +1,37 @@
+From 849f8583e955dbe3a1806e03ecacd5e71cce0a08 Mon Sep 17 00:00:00 2001
+From: Li Bin
+Date: Mon, 13 Apr 2020 19:29:21 +0800
+Subject: scsi: sg: add sg_remove_request in sg_common_write
+
+From: Li Bin
+
+commit 849f8583e955dbe3a1806e03ecacd5e71cce0a08 upstream.
+
+If the dxfer_len is greater than 256M then the request is invalid and we
+need to call sg_remove_request in sg_common_write.
+
+Link: https://lore.kernel.org/r/1586777361-17339-1-git-send-email-huawei.libin@huawei.com
+Fixes: f930c7043663 ("scsi: sg: only check for dxfer_len greater than 256M")
+Acked-by: Douglas Gilbert
+Signed-off-by: Li Bin
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -803,8 +803,10 @@ sg_common_write(Sg_fd * sfp, Sg_request
+ "sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n",
+ (int) cmnd[0], (int) hp->cmd_len));
+
+- if (hp->dxfer_len >= SZ_256M)
++ if (hp->dxfer_len >= SZ_256M) {
++ sg_remove_request(sfp, srp);
+ return -EINVAL;
++ }
+
+ k = sg_start_req(srp, cmnd);
+ if (k) {
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..132426f5008
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1,4 @@
+arm-bpf-fix-offset-overflow-for-bpf_mem-bpf_dw.patch
+objtool-fix-switch-table-detection-in-.text.unlikely.patch
+scsi-sg-add-sg_remove_request-in-sg_common_write.patch
+alsa-hda-honor-pm-disablement-in-pm-freeze-and-thaw_noirq-ops.patch
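Review bot: In the queued sg patch, the new early return in sg_common_write() releases `srp` through `sg_remove_request(sfp, srp)`, so once `-EINVAL` comes back the caller no longer owns the request. The callers are outside the hunk and should be checked in the 5.4 tree to confirm that none of them touches or removes `srp` again on this error path, which would turn the leak fix into a double removal or a stale-pointer use. A comment inside the branch, such as `/* invalid length: drop the request the caller queued before bailing out */`, would make the ownership hand-back explicit. sg_common_write() continues past the end of the hunk.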