From: Greg Kroah-Hartman
Date: Mon, 27 Apr 2020 16:13:36 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.19.119~20
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a7ca59a27cf859979271bc2ffbd851fc61fd7ead;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch
alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch
alsa-usx2y-fix-potential-null-dereference.patch
asoc-dapm-fixup-dapm-kcontrol-widget.patch
audit-check-the-length-of-userspace-generated-audit-records.patch
kvm-check-validity-of-resolved-slot-when-searching-memslots.patch
kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
overflow.h-add-arithmetic-shift-helper.patch
tpm-tpm_tis-free-irq-if-probing-fails.patch
tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch
tty-rocket-avoid-oob-access.patch
usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch
vmalloc-fix-remap_vmalloc_range-bounds-checks.patch
---

diff --git a/queue-4.9/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch b/queue-4.9/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch
new file mode 100644
index 00000000000..91c7b320c31
--- /dev/null
+++ b/queue-4.9/alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch
@@ -0,0 +1,105 @@ +From 1c826792586f526a5a5cd21d55aad388f5bb0b23 Mon Sep 17 00:00:00 2001 +From: Alexander Tsoy +Date: Sat, 18 Apr 2020 20:58:15 +0300 +Subject: ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices + +From: Alexander Tsoy + +commit 1c826792586f526a5a5cd21d55aad388f5bb0b23 upstream. + +Many Focusrite devices supports a limited set of sample rates per +altsetting. These includes audio interfaces with ADAT ports: + - Scarlett 18i6, 18i8 1st gen, 18i20 1st gen; + - Scarlett 18i8 2nd gen, 18i20 2nd gen; + - Scarlett 18i8 3rd gen, 18i20 3rd gen; + - Clarett 2Pre USB, 4Pre USB, 8Pre USB. + +Maximum rate is exposed in the last 4 bytes of Format Type descriptor +which has a non-standard bLength = 10. + +Tested-by: Alexey Skobkin +Signed-off-by: Alexander Tsoy +Cc: +Link: https://lore.kernel.org/r/20200418175815.12211-1-alexander@tsoy.me +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/format.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 52 insertions(+) + +--- a/sound/usb/format.c ++++ b/sound/usb/format.c +@@ -221,6 +221,52 @@ static int parse_audio_format_rates_v1(s + } + + /* ++ * Many Focusrite devices supports a limited set of sampling rates per ++ * altsetting. Maximum rate is exposed in the last 4 bytes of Format Type ++ * descriptor which has a non-standard bLength = 10. 
++ */ ++static bool focusrite_valid_sample_rate(struct snd_usb_audio *chip, ++ struct audioformat *fp, ++ unsigned int rate) ++{ ++ struct usb_interface *iface; ++ struct usb_host_interface *alts; ++ unsigned char *fmt; ++ unsigned int max_rate; ++ ++ iface = usb_ifnum_to_if(chip->dev, fp->iface); ++ if (!iface) ++ return true; ++ ++ alts = &iface->altsetting[fp->altset_idx]; ++ fmt = snd_usb_find_csint_desc(alts->extra, alts->extralen, ++ NULL, UAC_FORMAT_TYPE); ++ if (!fmt) ++ return true; ++ ++ if (fmt[0] == 10) { /* bLength */ ++ max_rate = combine_quad(&fmt[6]); ++ ++ /* Validate max rate */ ++ if (max_rate != 48000 && ++ max_rate != 96000 && ++ max_rate != 192000 && ++ max_rate != 384000) { ++ ++ usb_audio_info(chip, ++ "%u:%d : unexpected max rate: %u\n", ++ fp->iface, fp->altsetting, max_rate); ++ ++ return true; ++ } ++ ++ return rate <= max_rate; ++ } ++ ++ return true; ++} ++ ++/* + * Helper function to walk the array of sample rate triplets reported by + * the device. The problem is that we need to parse whole array first to + * get to know how many sample rates we have to expect. +@@ -256,6 +302,11 @@ static int parse_uac2_sample_rate_range( + } + + for (rate = min; rate <= max; rate += res) { ++ /* Filter out invalid rates on Focusrite devices */ ++ if (USB_ID_VENDOR(chip->usb_id) == 0x1235 && ++ !focusrite_valid_sample_rate(chip, fp, rate)) ++ goto skip_rate; ++ + if (fp->rate_table) + fp->rate_table[nr_rates] = rate; + if (!fp->rate_min || rate < fp->rate_min) +@@ -270,6 +321,7 @@ static int parse_uac2_sample_rate_range( + break; + } + ++skip_rate: + /* avoid endless loop */ + if (res == 0) + break; diff --git a/queue-4.9/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch b/queue-4.9/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch new file mode 100644 index 00000000000..e30fc4fec58 --- /dev/null +++ b/queue-4.9/alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch 
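Review bot: The Focusrite vendor ID is a bare `0x1235` in the parse_uac2_sample_rate_range() hunk; naming it, e.g. `#define USB_VENDOR_ID_FOCUSRITE 0x1235`, keeps the quirk greppable alongside the other vendor checks. In focusrite_valid_sample_rate() the read of `fmt[6..9]` via combine_quad() is guarded only by `fmt[0] == 10`, so it relies on snd_usb_find_csint_desc() having already bounded bLength against `alts->extralen`; that helper is outside this patch, and a one-line comment such as `/* bLength already bounded against extralen by snd_usb_find_csint_desc() */` would record the assumption for the next reader. Every failure path (no interface, no descriptor, unexpected max rate) returns true, i.e. the device-supplied descriptor is trusted and unknown values fall back to accepting the rate, which the function comment should state explicitly. The parse_uac2_sample_rate_range() loop starts and ends outside its hunks.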
@@ -0,0 +1,58 @@ +From 59e1947ca09ebd1cae147c08c7c41f3141233c84 Mon Sep 17 00:00:00 2001 +From: Xiyu Yang +Date: Thu, 23 Apr 2020 12:54:19 +0800 +Subject: ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif + +From: Xiyu Yang + +commit 59e1947ca09ebd1cae147c08c7c41f3141233c84 upstream. + +snd_microii_spdif_default_get() invokes snd_usb_lock_shutdown(), which +increases the refcount of the snd_usb_audio object "chip". + +When snd_microii_spdif_default_get() returns, local variable "chip" +becomes invalid, so the refcount should be decreased to keep refcount +balanced. + +The reference counting issue happens in several exception handling paths +of snd_microii_spdif_default_get(). When those error scenarios occur +such as usb_ifnum_to_if() returns NULL, the function forgets to decrease +the refcnt increased by snd_usb_lock_shutdown(), causing a refcnt leak. + +Fix this issue by jumping to "end" label when those error scenarios +occur. + +Fixes: 447d6275f0c2 ("ALSA: usb-audio: Add sanity checks for endpoint accesses") +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Cc: +Link: https://lore.kernel.org/r/1587617711-13200-1-git-send-email-xiyuyang19@fudan.edu.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer_quirks.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -1519,11 +1519,15 @@ static int snd_microii_spdif_default_get + + /* use known values for that card: interface#1 altsetting#1 */ + iface = usb_ifnum_to_if(chip->dev, 1); +- if (!iface || iface->num_altsetting < 2) +- return -EINVAL; ++ if (!iface || iface->num_altsetting < 2) { ++ err = -EINVAL; ++ goto end; ++ } + alts = &iface->altsetting[1]; +- if (get_iface_desc(alts)->bNumEndpoints < 1) +- return -EINVAL; ++ if (get_iface_desc(alts)->bNumEndpoints < 1) { ++ err = -EINVAL; ++ goto end; ++ } + ep = get_endpoint(alts, 0)->bEndpointAddress; + + err = 
snd_usb_ctl_msg(chip->dev,
diff --git a/queue-4.9/alsa-usx2y-fix-potential-null-dereference.patch b/queue-4.9/alsa-usx2y-fix-potential-null-dereference.patch
new file mode 100644
index 00000000000..600404f9614
--- /dev/null
+++ b/queue-4.9/alsa-usx2y-fix-potential-null-dereference.patch
@@ -0,0 +1,34 @@
+From 7686e3485253635c529cdd5f416fc640abaf076f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 20 Apr 2020 09:55:29 +0200
+Subject: ALSA: usx2y: Fix potential NULL dereference
+
+From: Takashi Iwai
+
+commit 7686e3485253635c529cdd5f416fc640abaf076f upstream.
+
+The error handling code in usX2Y_rate_set() may hit a potential NULL
+dereference when an error occurs before allocating all us->urb[].
+Add a proper NULL check for fixing the corner case.
+
+Reported-by: Lin Yi
+Cc:
+Link: https://lore.kernel.org/r/20200420075529.27203-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/usx2y/usbusx2yaudio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/usx2y/usbusx2yaudio.c
++++ b/sound/usb/usx2y/usbusx2yaudio.c
+@@ -691,6 +691,8 @@ static int usX2Y_rate_set(struct usX2Yde
+ us->submitted = 2*NOOF_SETRATE_URBS;
+ for (i = 0; i < NOOF_SETRATE_URBS; ++i) {
+ struct urb *urb = us->urb[i];
++ if (!urb)
++ continue;
+ if (urb->status) {
+ if (!err)
+ err = -ENODEV;
diff --git a/queue-4.9/asoc-dapm-fixup-dapm-kcontrol-widget.patch b/queue-4.9/asoc-dapm-fixup-dapm-kcontrol-widget.patch
new file mode 100644
index 00000000000..8a691e68320
--- /dev/null
+++ b/queue-4.9/asoc-dapm-fixup-dapm-kcontrol-widget.patch
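Review bot: Both new error paths in snd_microii_spdif_default_get() set `err = -EINVAL` and jump to `end`, but the `end:` label and the snd_usb_unlock_shutdown() call that balances the reference are outside this hunk, as is the start of the function; for a 4.9 backport it is worth confirming that the label in that tree does release the reference and returns `err` rather than a fixed value. A short comment on the first check, e.g. `/* every exit after snd_usb_lock_shutdown() must go through 'end' */`, would stop the next change from reintroducing a bare return. The same pattern applies to any other early return between the lock call and `end` that this hunk does not show.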
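Review bot: The new `if (!urb) continue;` in usX2Y_rate_set() skips entries that were never allocated, but nothing in the hunk says why `us->urb[i]` can be NULL here; a comment such as `/* allocation failed part way: later urb[] slots were never created */`, which is what the commit message describes, would make the check self-explaining. The rest of the loop body and the function are outside the hunk, so whether `us->submitted = 2*NOOF_SETRATE_URBS` just above is still the intended value when some urbs are missing cannot be judged from here and should be checked against the waiter that reads it.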
@@ -0,0 +1,71 @@ +From ebf1474745b4373fdde0fcf32d9d1f369b50b212 Mon Sep 17 00:00:00 2001 +From: Gyeongtaek Lee +Date: Sat, 18 Apr 2020 13:13:20 +0900 +Subject: ASoC: dapm: fixup dapm kcontrol widget + +From: Gyeongtaek Lee + +commit ebf1474745b4373fdde0fcf32d9d1f369b50b212 upstream. + +snd_soc_dapm_kcontrol widget which is created by autodisable control +should contain correct on_val, mask and shift because it is set when the +widget is powered and changed value is applied on registers by following +code in dapm_seq_run_coalesced(). + + mask |= w->mask << w->shift; + if (w->power) + value |= w->on_val << w->shift; + else + value |= w->off_val << w->shift; + +Shift on the mask in dapm_kcontrol_data_alloc() is removed to prevent +double shift. +And, on_val in dapm_kcontrol_set_value() is modified to get correct +value in the dapm_seq_run_coalesced(). + +Signed-off-by: Gyeongtaek Lee +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/000001d61537$b212f620$1638e260$@samsung.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-dapm.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -384,7 +384,7 @@ static int dapm_kcontrol_data_alloc(stru + + memset(&template, 0, sizeof(template)); + template.reg = e->reg; +- template.mask = e->mask << e->shift_l; ++ template.mask = e->mask; + template.shift = e->shift_l; + template.off_val = snd_soc_enum_item_to_val(e, 0); + template.on_val = template.off_val; +@@ -510,8 +510,22 @@ static bool dapm_kcontrol_set_value(cons + if (data->value == value) + return false; + +- if (data->widget) +- data->widget->on_val = value; ++ if (data->widget) { ++ switch (dapm_kcontrol_get_wlist(kcontrol)->widgets[0]->id) { ++ case snd_soc_dapm_switch: ++ case snd_soc_dapm_mixer: ++ case snd_soc_dapm_mixer_named_ctl: ++ data->widget->on_val = value & data->widget->mask; ++ break; ++ case snd_soc_dapm_demux: ++ case 
snd_soc_dapm_mux: ++ data->widget->on_val = value >> data->widget->shift; ++ break; ++ default: ++ data->widget->on_val = value; ++ break; ++ } ++ } + + data->value = value; + diff --git a/queue-4.9/audit-check-the-length-of-userspace-generated-audit-records.patch b/queue-4.9/audit-check-the-length-of-userspace-generated-audit-records.patch new file mode 100644 index 00000000000..19082dbc75d --- /dev/null +++ b/queue-4.9/audit-check-the-length-of-userspace-generated-audit-records.patch @@ -0,0 +1,38 @@ +From 763dafc520add02a1f4639b500c509acc0ea8e5b Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Mon, 20 Apr 2020 16:24:34 -0400 +Subject: audit: check the length of userspace generated audit records + +From: Paul Moore + +commit 763dafc520add02a1f4639b500c509acc0ea8e5b upstream. + +Commit 756125289285 ("audit: always check the netlink payload length +in audit_receive_msg()") fixed a number of missing message length +checks, but forgot to check the length of userspace generated audit +records. The good news is that you need CAP_AUDIT_WRITE to submit +userspace audit records, which is generally only given to trusted +processes, so the impact should be limited. + +Cc: stable@vger.kernel.org +Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()") +Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -941,6 +941,9 @@ static int audit_receive_msg(struct sk_b + case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: + if (!audit_enabled && msg_type != AUDIT_USER_AVC) + return 0; ++ /* exit early if there isn't at least one character to print */ ++ if (data_len < 2) ++ return -EINVAL; + + err = audit_filter(msg_type, AUDIT_FILTER_USER); + if (err == 1) { /* match or error */ 
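Review bot: The new switch in dapm_kcontrol_set_value() stores on_val in a widget-type-specific form (masked for switch/mixer, pre-shifted for mux/demux) without saying why; the reason is only in the commit message, so a comment above the switch, e.g. `/* dapm_seq_run_coalesced() applies on_val as (on_val << shift) under (mask << shift), so store it unshifted */`, would make the hunk self-explaining, and the same note belongs on the `template.mask = e->mask;` change in dapm_kcontrol_data_alloc(). The switch also dereferences `dapm_kcontrol_get_wlist(kcontrol)->widgets[0]` with no check of the list length; that is presumably guaranteed by the allocation path, which is outside this hunk. Both functions start outside their hunks.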
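Review bot: The added `if (data_len < 2) return -EINVAL;` in audit_receive_msg() is explained only by `/* exit early if there isn't at least one character to print */`, which does not say why the threshold is 2 rather than 1; the code that consumes `data` is outside the hunk, so the comment should name what the second byte is for (presumably the terminating NUL of the string, to be confirmed against the consumer below). The check sits after the `!audit_enabled` early return, so a disabled audit subsystem still returns 0 for a short record; that matches the old behaviour but is worth a word in the comment. audit_receive_msg() starts and ends outside the hunk.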
diff --git a/queue-4.9/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch b/queue-4.9/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch
new file mode 100644
index 00000000000..ba0d1ea6d7b
--- /dev/null
+++ b/queue-4.9/kvm-check-validity-of-resolved-slot-when-searching-memslots.patch
@@ -0,0 +1,48 @@
+From b6467ab142b708dd076f6186ca274f14af379c72 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Tue, 7 Apr 2020 23:40:58 -0700
+Subject: KVM: Check validity of resolved slot when searching memslots
+
+From: Sean Christopherson
+
+commit b6467ab142b708dd076f6186ca274f14af379c72 upstream.
+
+Check that the resolved slot (somewhat confusingly named 'start') is a
+valid/allocated slot before doing the final comparison to see if the
+specified gfn resides in the associated slot. The resolved slot can be
+invalid if the binary search loop terminated because the search index
+was incremented beyond the number of used slots.
+
+This bug has existed since the binary search algorithm was introduced,
+but went unnoticed because KVM statically allocated memory for the max
+number of slots, i.e. the access would only be truly out-of-bounds if
+all possible slots were allocated and the specified gfn was less than
+the base of the lowest memslot. Commit 36947254e5f98 ("KVM: Dynamically
+size memslot array based on number of used slots") eliminated the "all
+possible slots allocated" condition and made the bug embarrasingly easy
+to hit.
+
+Fixes: 9c1a5d38780e6 ("kvm: optimize GFN to memslot lookup with large slots amount")
+Reported-by: syzbot+d889b59b2bb87d4047a2@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-Id: <20200408064059.8957-2-sean.j.christopherson@intel.com>
+Reviewed-by: Cornelia Huck
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/kvm_host.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -914,7 +914,7 @@ search_memslots(struct kvm_memslots *slo
+ start = slot + 1;
+ }
+ 
+- if (gfn >= memslots[start].base_gfn &&
++ if (start < slots->used_slots && gfn >= memslots[start].base_gfn &&
+ gfn < memslots[start].base_gfn + memslots[start].npages) {
+ atomic_set(&slots->lru_slot, start);
+ return &memslots[start];
diff --git a/queue-4.9/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch b/queue-4.9/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
new file mode 100644
index 00000000000..2738ce364fc
--- /dev/null
+++ b/queue-4.9/kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
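Review bot: The added `start < slots->used_slots &&` relies on short-circuit evaluation to keep `memslots[start]` from being read, and nothing on the line says that `start` can equal `used_slots`; a comment above the condition, e.g. `/* start == used_slots when the search ran off the end; do not index it */`, would record what the commit message explains. The binary-search loop that produces `start`, and the rest of search_memslots(), are outside the hunk, so any other use of `start` after the loop would need the same guard. As this is an inline in a header on a hot lookup path, the extra compare is cheap relative to the memslot reads it protects.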
@@ -0,0 +1,36 @@
+From fb56baae5ea509e63c2a068d66a4d8ea91969fca Mon Sep 17 00:00:00 2001
+From: Uros Bizjak
+Date: Tue, 14 Apr 2020 09:14:14 +0200
+Subject: KVM: VMX: Enable machine check support for 32bit targets
+
+From: Uros Bizjak
+
+commit fb56baae5ea509e63c2a068d66a4d8ea91969fca upstream.
+
+There is no reason to limit the use of do_machine_check
+to 64bit targets. MCE handling works for both target familes.
+
+Cc: Paolo Bonzini
+Cc: Sean Christopherson
+Cc: stable@vger.kernel.org
+Fixes: a0861c02a981 ("KVM: Add VT-x machine check support")
+Signed-off-by: Uros Bizjak
+Message-Id: <20200414071414.45636-1-ubizjak@gmail.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5785,7 +5785,7 @@ static int handle_rmode_exception(struct
+ */
+ static void kvm_machine_check(void)
+ {
+-#if defined(CONFIG_X86_MCE) && defined(CONFIG_X86_64)
++#if defined(CONFIG_X86_MCE)
+ struct pt_regs regs = {
+ .cs = 3, /* Fake ring 3 no matter what the guest ran on */
+ .flags = X86_EFLAGS_IF,
diff --git a/queue-4.9/overflow.h-add-arithmetic-shift-helper.patch b/queue-4.9/overflow.h-add-arithmetic-shift-helper.patch
new file mode 100644
index 00000000000..77af642ca09
--- /dev/null
+++ b/queue-4.9/overflow.h-add-arithmetic-shift-helper.patch
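Review bot: With the `CONFIG_X86_64` term removed, `#if defined(CONFIG_X86_MCE)` in kvm_machine_check() is a single-symbol test and the conventional kernel spelling is `#ifdef CONFIG_X86_MCE`; worth changing while the line is being touched. The `#else` arm that presumably provides the no-MCE fallback, and the end of the function, are outside the hunk, so whether the 32-bit path reaches do_machine_check() with the same `pt_regs` layout cannot be judged from here and rests on the commit message's claim.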
@@ -0,0 +1,60 @@
+From 0c66847793d1982d1083dc6f7adad60fa265ce9c Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Wed, 1 Aug 2018 14:25:39 -0700
+Subject: overflow.h: Add arithmetic shift helper
+
+From: Jason Gunthorpe
+
+commit 0c66847793d1982d1083dc6f7adad60fa265ce9c upstream.
+
+Add shift_overflow() helper to assist driver authors in ensuring that
+shift operations don't cause overflows or other odd conditions.
+
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Leon Romanovsky
+[kees: tweaked comments and commit log, dropped unneeded assignment]
+Signed-off-by: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/overflow.h | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+--- a/include/linux/overflow.h
++++ b/include/linux/overflow.h
+@@ -202,4 +202,35 @@
+ 
+ #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
+ 
++/** check_shl_overflow() - Calculate a left-shifted value and check overflow
++ *
++ * @a: Value to be shifted
++ * @s: How many bits left to shift
++ * @d: Pointer to where to store the result
++ *
++ * Computes *@d = (@a << @s)
++ *
++ * Returns true if '*d' cannot hold the result or when 'a << s' doesn't
++ * make sense. Example conditions:
++ * - 'a << s' causes bits to be lost when stored in *d.
++ * - 's' is garbage (e.g. negative) or so large that the result of
++ * 'a << s' is guaranteed to be 0.
++ * - 'a' is negative.
++ * - 'a << s' sets the sign bit, if any, in '*d'.
++ *
++ * '*d' will hold the results of the attempted shift, but is not
++ * considered "safe for use" if false is returned.
++ */
++#define check_shl_overflow(a, s, d) ({ \
++ typeof(a) _a = a; \
++ typeof(s) _s = s; \
++ typeof(d) _d = d; \
++ u64 _a_full = _a; \
++ unsigned int _to_shift = \
++ _s >= 0 && _s < 8 * sizeof(*d) ? _s : 0; \
++ *_d = (_a_full << _to_shift); \
++ (_to_shift != _s || *_d < 0 || _a < 0 || \
++ (*_d >> _to_shift) != _a); \
++})
++
+ #endif /* __LINUX_OVERFLOW_H */
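Review bot: In check_shl_overflow() the `_to_shift` line uses `sizeof(*d)` while every other reference goes through the single-evaluation copies `_a`, `_s`, `_d`; sizeof does not evaluate its operand, so this is harmless, but `8 * sizeof(*_d)` is consistent with the rest of the macro and removes the question. The kernel-doc header puts the function name on the `/**` line (`/** check_shl_overflow() - ...`), whereas scripts/kernel-doc recognises a block only when `/**` stands alone and ` * check_shl_overflow() - ...` follows on the next line, so as written the comment will not be picked up as documentation. `*_d < 0` is always false when `*d` is unsigned and may draw a -Wtype-limits warning at such call sites; a line in the comment saying the sign test is meant for signed destinations would help readers.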
diff --git a/queue-4.9/series b/queue-4.9/series
index 4ddd84ec9c1..7d0bccffde6 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -35,3 +35,16 @@ usb-sisusbvga-change-port-variable-from-signed-to-unsigned.patch
 usb-add-usb_quirk_delay_ctrl_msg-and-usb_quirk_delay_init-for-corsair-k70-rgb-rapidfire.patch
 usb-core-fix-free-while-in-use-bug-in-the-usb-s-glibrary.patch
 usb-hub-fix-handling-of-connect-changes-during-sleep.patch
+overflow.h-add-arithmetic-shift-helper.patch
+vmalloc-fix-remap_vmalloc_range-bounds-checks.patch
+alsa-usx2y-fix-potential-null-dereference.patch
+alsa-usb-audio-fix-usb-audio-refcnt-leak-when-getting-spdif.patch
+alsa-usb-audio-filter-out-unsupported-sample-rates-on-focusrite-devices.patch
+tpm-tpm_tis-free-irq-if-probing-fails.patch
+kvm-check-validity-of-resolved-slot-when-searching-memslots.patch
+kvm-vmx-enable-machine-check-support-for-32bit-targets.patch
+tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch
+tty-rocket-avoid-oob-access.patch
+usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch
+audit-check-the-length-of-userspace-generated-audit-records.patch
+asoc-dapm-fixup-dapm-kcontrol-widget.patch
diff --git a/queue-4.9/tpm-tpm_tis-free-irq-if-probing-fails.patch b/queue-4.9/tpm-tpm_tis-free-irq-if-probing-fails.patch
new file mode 100644
index 00000000000..98d86117c4d
--- /dev/null
+++ b/queue-4.9/tpm-tpm_tis-free-irq-if-probing-fails.patch
@@ -0,0 +1,48 @@
+From b160c94be5d2816b62c8ac338605668304242959 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen
+Date: Sun, 12 Apr 2020 20:04:12 +0300
+Subject: tpm/tpm_tis: Free IRQ if probing fails
+
+From: Jarkko Sakkinen
+
+commit b160c94be5d2816b62c8ac338605668304242959 upstream.
+
+Call disable_interrupts() if we have to revert to polling in order not to
+unnecessarily reserve the IRQ for the life-cycle of the driver.
+
+Cc: stable@vger.kernel.org # 4.5.x
+Reported-by: Hans de Goede
+Fixes: e3837e74a06d ("tpm_tis: Refactor the interrupt setup")
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm_tis_core.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -329,6 +329,9 @@ static void disable_interrupts(struct tp
+ u32 intmask;
+ int rc;
+ 
++ if (priv->irq == 0)
++ return;
++
+ rc = tpm_tis_read32(priv, TPM_INT_ENABLE(priv->locality), &intmask);
+ if (rc < 0)
+ intmask = 0;
+@@ -786,9 +789,12 @@ int tpm_tis_core_init(struct device *dev
+ if (irq) {
+ tpm_tis_probe_irq_single(chip, intmask, IRQF_SHARED,
+ irq);
+- if (!(chip->flags & TPM_CHIP_FLAG_IRQ))
++ if (!(chip->flags & TPM_CHIP_FLAG_IRQ)) {
+ dev_err(&chip->dev, FW_BUG
+ "TPM interrupt not working, polling instead\n");
++
++ disable_interrupts(chip);
++ }
+ } else {
+ tpm_tis_probe_irq(chip, intmask);
+ }
diff --git a/queue-4.9/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch b/queue-4.9/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch
new file mode 100644
index 00000000000..02ad8619beb
--- /dev/null
+++ b/queue-4.9/tty-hvc-fix-buffer-overflow-during-hvc_alloc.patch
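Review bot: disable_interrupts() is now called only on the `if (irq)` branch of tpm_tis_core_init(); the `else` branch that auto-probes with tpm_tis_probe_irq() gets no equivalent cleanup in this hunk, so if that probe can also leave TPM_CHIP_FLAG_IRQ clear after an IRQ was requested the same reservation leak remains there (tpm_tis_probe_irq is outside the patch, so this needs confirming). The new `if (priv->irq == 0) return;` in disable_interrupts() is what makes the call safe when no IRQ was ever registered and deserves a one-line comment, e.g. `/* nothing to release: no IRQ was registered */`. tpm_tis_core_init() and disable_interrupts() both continue outside their hunks.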
@@ -0,0 +1,126 @@ +From 9a9fc42b86c06120744555fea43fdcabe297c656 Mon Sep 17 00:00:00 2001 +From: Andrew Melnychenko +Date: Tue, 14 Apr 2020 22:15:03 +0300 +Subject: tty: hvc: fix buffer overflow during hvc_alloc(). + +From: Andrew Melnychenko + +commit 9a9fc42b86c06120744555fea43fdcabe297c656 upstream. + +If there is a lot(more then 16) of virtio-console devices +or virtio_console module is reloaded +- buffers 'vtermnos' and 'cons_ops' are overflowed. +In older kernels it overruns spinlock which leads to kernel freezing: +https://bugzilla.redhat.com/show_bug.cgi?id=1786239 + +To reproduce the issue, you can try simple script that +loads/unloads module. Something like this: +while [ 1 ] +do + modprobe virtio_console + sleep 2 + modprobe -r virtio_console + sleep 2 +done + +Description of problem: +Guest get 'Call Trace' when loading module "virtio_console" +and unloading it frequently - clearly reproduced on kernel-4.18.0: + +[ 81.498208] ------------[ cut here ]------------ +[ 81.499263] pvqspinlock: lock 0xffffffff92080020 has corrupted value 0xc0774ca0! 
+[ 81.501000] WARNING: CPU: 0 PID: 785 at kernel/locking/qspinlock_paravirt.h:500 __pv_queued_spin_unlock_slowpath+0xc0/0xd0 +[ 81.503173] Modules linked in: virtio_console fuse xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nft_counter nf_nat_tftp nft_objref nf_conntrack_tftp tun bridge stp llc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 nft_chain_route_ipv6 nft_chain_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nft_chain_route_ipv4 ip6_tables nft_compat ip_set nf_tables nfnetlink sunrpc bochs_drm drm_vram_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm i2c_piix4 pcspkr crct10dif_pclmul crc32_pclmul joydev ghash_clmulni_intel ip_tables xfs libcrc32c sd_mod sg ata_generic ata_piix virtio_net libata crc32c_intel net_failover failover serio_raw virtio_scsi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: virtio_console] +[ 81.517019] CPU: 0 PID: 785 Comm: kworker/0:2 Kdump: loaded Not tainted 4.18.0-167.el8.x86_64 #1 +[ 81.518639] Hardware name: Red Hat KVM, BIOS 1.12.0-5.scrmod+el8.2.0+5159+d8aa4d83 04/01/2014 +[ 81.520205] Workqueue: events control_work_handler [virtio_console] +[ 81.521354] RIP: 0010:__pv_queued_spin_unlock_slowpath+0xc0/0xd0 +[ 81.522450] Code: 07 00 48 63 7a 10 e8 bf 64 f5 ff 66 90 c3 8b 05 e6 cf d6 01 85 c0 74 01 c3 8b 17 48 89 fe 48 c7 c7 38 4b 29 91 e8 3a 6c fa ff <0f> 0b c3 0f 0b 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 +[ 81.525830] RSP: 0018:ffffb51a01ffbd70 EFLAGS: 00010282 +[ 81.526798] RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000 +[ 81.528110] RDX: ffff9e66f1826480 RSI: ffff9e66f1816a08 RDI: ffff9e66f1816a08 +[ 81.529437] RBP: ffffffff9153ff10 R08: 000000000000026c R09: 0000000000000053 +[ 81.530732] R10: 0000000000000000 R11: ffffb51a01ffbc18 R12: ffff9e66cd682200 +[ 81.532133] R13: 
ffffffff9153ff10 R14: ffff9e6685569500 R15: ffff9e66cd682000 +[ 81.533442] FS: 0000000000000000(0000) GS:ffff9e66f1800000(0000) knlGS:0000000000000000 +[ 81.534914] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 81.535971] CR2: 00005624c55b14d0 CR3: 00000003a023c000 CR4: 00000000003406f0 +[ 81.537283] Call Trace: +[ 81.537763] __raw_callee_save___pv_queued_spin_unlock_slowpath+0x11/0x20 +[ 81.539011] .slowpath+0x9/0xe +[ 81.539585] hvc_alloc+0x25e/0x300 +[ 81.540237] init_port_console+0x28/0x100 [virtio_console] +[ 81.541251] handle_control_message.constprop.27+0x1c4/0x310 [virtio_console] +[ 81.542546] control_work_handler+0x70/0x10c [virtio_console] +[ 81.543601] process_one_work+0x1a7/0x3b0 +[ 81.544356] worker_thread+0x30/0x390 +[ 81.545025] ? create_worker+0x1a0/0x1a0 +[ 81.545749] kthread+0x112/0x130 +[ 81.546358] ? kthread_flush_work_fn+0x10/0x10 +[ 81.547183] ret_from_fork+0x22/0x40 +[ 81.547842] ---[ end trace aa97649bd16c8655 ]--- +[ 83.546539] general protection fault: 0000 [#1] SMP NOPTI +[ 83.547422] CPU: 5 PID: 3225 Comm: modprobe Kdump: loaded Tainted: G W --------- - - 4.18.0-167.el8.x86_64 #1 +[ 83.549191] Hardware name: Red Hat KVM, BIOS 1.12.0-5.scrmod+el8.2.0+5159+d8aa4d83 04/01/2014 +[ 83.550544] RIP: 0010:__pv_queued_spin_lock_slowpath+0x19a/0x2a0 +[ 83.551504] Code: c4 c1 ea 12 41 be 01 00 00 00 4c 8d 6d 14 41 83 e4 03 8d 42 ff 49 c1 e4 05 48 98 49 81 c4 40 a5 02 00 4c 03 24 c5 60 48 34 91 <49> 89 2c 24 b8 00 80 00 00 eb 15 84 c0 75 0a 41 0f b6 54 24 14 84 +[ 83.554449] RSP: 0018:ffffb51a0323fdb0 EFLAGS: 00010202 +[ 83.555290] RAX: 000000000000301c RBX: ffffffff92080020 RCX: 0000000000000001 +[ 83.556426] RDX: 000000000000301d RSI: 0000000000000000 RDI: 0000000000000000 +[ 83.557556] RBP: ffff9e66f196a540 R08: 000000000000028a R09: ffff9e66d2757788 +[ 83.558688] R10: 0000000000000000 R11: 0000000000000000 R12: 646e61725f770b07 +[ 83.559821] R13: ffff9e66f196a554 R14: 0000000000000001 R15: 0000000000180000 +[ 83.560958] FS: 
00007fd5032e8740(0000) GS:ffff9e66f1940000(0000) knlGS:0000000000000000 +[ 83.562233] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 83.563149] CR2: 00007fd5022b0da0 CR3: 000000038c334000 CR4: 00000000003406e0 + +Signed-off-by: Andrew Melnychenko +Cc: stable +Link: https://lore.kernel.org/r/20200414191503.3471783-1-andrew@daynix.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/hvc/hvc_console.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/drivers/tty/hvc/hvc_console.c ++++ b/drivers/tty/hvc/hvc_console.c +@@ -289,10 +289,6 @@ int hvc_instantiate(uint32_t vtermno, in + vtermnos[index] = vtermno; + cons_ops[index] = ops; + +- /* reserve all indices up to and including this index */ +- if (last_hvc < index) +- last_hvc = index; +- + /* check if we need to re-register the kernel console */ + hvc_check_console(index); + +@@ -896,13 +892,22 @@ struct hvc_struct *hvc_alloc(uint32_t vt + cons_ops[i] == hp->ops) + break; + +- /* no matching slot, just use a counter */ +- if (i >= MAX_NR_HVC_CONSOLES) +- i = ++last_hvc; ++ if (i >= MAX_NR_HVC_CONSOLES) { ++ ++ /* find 'empty' slot for console */ ++ for (i = 0; i < MAX_NR_HVC_CONSOLES && vtermnos[i] != -1; i++) { ++ } ++ ++ /* no matching slot, just use a counter */ ++ if (i == MAX_NR_HVC_CONSOLES) ++ i = ++last_hvc + MAX_NR_HVC_CONSOLES; ++ } + + hp->index = i; +- cons_ops[i] = ops; +- vtermnos[i] = vtermno; ++ if (i < MAX_NR_HVC_CONSOLES) { ++ cons_ops[i] = ops; ++ vtermnos[i] = vtermno; ++ } + + list_add_tail(&(hp->next), &hvc_structs); + spin_unlock(&hvc_structs_lock); diff --git a/queue-4.9/tty-rocket-avoid-oob-access.patch b/queue-4.9/tty-rocket-avoid-oob-access.patch new file mode 100644 index 00000000000..d75d307e7f0 --- /dev/null +++ b/queue-4.9/tty-rocket-avoid-oob-access.patch 
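Review bot: Indices at or above MAX_NR_HVC_CONSOLES are now stored in `hp->index` without a backing `vtermnos`/`cons_ops` slot, and the hunk guards only the two writes in hvc_alloc(); every other place that subscripts those arrays with `hp->index` (teardown in particular, outside this patch) needs the same `< MAX_NR_HVC_CONSOLES` test or the out-of-bounds write moves rather than goes away. The empty-slot scan `vtermnos[i] != -1` assumes the array is initialised to -1 and that a removed console resets its slot to -1; both are outside the hunk and worth a comment on the scan. The `for (...) { }` with an empty body reads as an accident; `;` plus a short comment, or a small helper returning the free index, would be clearer. hvc_alloc() starts and ends outside the hunk.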
@@ -0,0 +1,72 @@ +From 7127d24372bf23675a36edc64d092dc7fd92ebe8 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Fri, 17 Apr 2020 12:59:59 +0200 +Subject: tty: rocket, avoid OOB access + +From: Jiri Slaby + +commit 7127d24372bf23675a36edc64d092dc7fd92ebe8 upstream. + +init_r_port can access pc104 array out of bounds. pc104 is a 2D array +defined to have 4 members. Each member has 8 submembers. +* we can have more than 4 (PCI) boards, i.e. [board] can be OOB +* line is not modulo-ed by anything, so the first line on the second + board can be 4, on the 3rd 12 or alike (depending on previously + registered boards). It's zero only on the first line of the first + board. So even [line] can be OOB, quite soon (with the 2nd registered + board already). + +This code is broken for ages, so just avoid the OOB accesses and don't +try to fix it as we would need to find out the correct line number. Use +the default: RS232, if we are out. + +Generally, if anyone needs to set the interface types, a module parameter +is past the last thing that should be used for this purpose. The +parameters' description says it's for ISA cards anyway. 
+ +Signed-off-by: Jiri Slaby +Cc: stable +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/r/20200417105959.15201-2-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/rocket.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +--- a/drivers/tty/rocket.c ++++ b/drivers/tty/rocket.c +@@ -645,18 +645,21 @@ init_r_port(int board, int aiop, int cha + tty_port_init(&info->port); + info->port.ops = &rocket_port_ops; + info->flags &= ~ROCKET_MODE_MASK; +- switch (pc104[board][line]) { +- case 422: +- info->flags |= ROCKET_MODE_RS422; +- break; +- case 485: +- info->flags |= ROCKET_MODE_RS485; +- break; +- case 232: +- default: ++ if (board < ARRAY_SIZE(pc104) && line < ARRAY_SIZE(pc104_1)) ++ switch (pc104[board][line]) { ++ case 422: ++ info->flags |= ROCKET_MODE_RS422; ++ break; ++ case 485: ++ info->flags |= ROCKET_MODE_RS485; ++ break; ++ case 232: ++ default: ++ info->flags |= ROCKET_MODE_RS232; ++ break; ++ } ++ else + info->flags |= ROCKET_MODE_RS232; +- break; +- } + + info->intmask = RXF_TRIG | TXFIFO_MT | SRC_INT | DELTA_CD | DELTA_CTS | DELTA_DSR; + if (sInitChan(ctlp, &info->channel, aiop, chan) == 0) { diff --git a/queue-4.9/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch b/queue-4.9/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch new file mode 100644 index 00000000000..ee492a0e84b --- /dev/null +++ b/queue-4.9/usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch 
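Review bot: `board` is `int` (visible in the init_r_port signature) and ARRAY_SIZE() yields `size_t`, so `board < ARRAY_SIZE(pc104)` is a signed/unsigned comparison; a negative value would be converted to a large unsigned and rejected, which is the safe direction, but an explicit cast such as `(unsigned int)board < ARRAY_SIZE(pc104)` documents that intent and silences -Wsign-compare, and the same applies to `line` if it is also signed (its declaration is outside the hunk). The `if (...) switch (...) { ... } else` form with no braces around the switch is fragile and unusual for kernel style; wrapping the switch in braces keeps the `else` unambiguous. A comment on why the inner bound is `ARRAY_SIZE(pc104_1)` rather than derived from `pc104` itself would help, since the relation between the two arrays is not visible in this hunk.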
@@ -0,0 +1,47 @@
+From 94f9c8c3c404ee1f7aaff81ad4f24aec4e34a78b Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Wed, 22 Apr 2020 16:14:57 -0400
+Subject: usb-storage: Add unusual_devs entry for JMicron JMS566
+
+From: Alan Stern
+
+commit 94f9c8c3c404ee1f7aaff81ad4f24aec4e34a78b upstream.
+
+Cyril Roelandt reports that his JMicron JMS566 USB-SATA bridge fails
+to handle WRITE commands with the FUA bit set, even though it claims
+to support FUA. (Oddly enough, a later version of the same bridge,
+version 2.03 as opposed to 1.14, doesn't claim to support FUA. Also
+oddly, the bridge _does_ support FUA when using the UAS transport
+instead of the Bulk-Only transport -- but this device was blacklisted
+for uas in commit bc3bdb12bbb3 ("usb-storage: Disable UAS on JMicron
+SATA enclosure") for apparently unrelated reasons.)
+
+This patch adds a usb-storage unusual_devs entry with the BROKEN_FUA
+flag. This allows the bridge to work properly with usb-storage.
+
+Reported-and-tested-by: Cyril Roelandt
+Signed-off-by: Alan Stern
+CC:
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2004221613110.11262-100000@iolanthe.rowland.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/storage/unusual_devs.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2342,6 +2342,13 @@ UNUSUAL_DEV( 0x3340, 0xffff, 0x0000, 0x
+ USB_SC_DEVICE,USB_PR_DEVICE,NULL,
+ US_FL_MAX_SECTORS_64 ),
+
++/* Reported by Cyril Roelandt */
++UNUSUAL_DEV( 0x357d, 0x7788, 0x0114, 0x0114,
++ "JMicron",
++ "USB to ATA/ATAPI Bridge",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_BROKEN_FUA ),
++
+ /* Reported by Andrey Rahmatullin */
+ UNUSUAL_DEV( 0x4102, 0x1020, 0x0100, 0x0100,
+ "iRiver",
diff --git a/queue-4.9/vmalloc-fix-remap_vmalloc_range-bounds-checks.patch b/queue-4.9/vmalloc-fix-remap_vmalloc_range-bounds-checks.patch
new file mode 100644
index 00000000000..2f3ef92611b
--- /dev/null
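Review bot: The new UNUSUAL_DEV entry pins bcdDevice to 0x0114..0x0114 and nothing at the entry says why the range is that narrow; the commit message carries the reason (the 2.03 revision of the same bridge does not claim FUA at all), so extending the comment to `/* Reported by Cyril Roelandt; version 1.14 claims FUA but cannot handle it, 2.03 does not claim it */` would stop a later maintainer from widening or narrowing the range without that context. The neighbouring entries in unusual_devs.h use the same reported-by-only comment, so this is a documentation nit rather than a defect in the hunk.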
+++ b/queue-4.9/vmalloc-fix-remap_vmalloc_range-bounds-checks.patch 
@@ -0,0 +1,143 @@
+From bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Mon, 20 Apr 2020 18:14:11 -0700
+Subject: vmalloc: fix remap_vmalloc_range() bounds checks
+
+From: Jann Horn
+
+commit bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 upstream.
+
+remap_vmalloc_range() has had various issues with the bounds checks it
+promises to perform ("This function checks that addr is a valid
+vmalloc'ed area, and that it is big enough to cover the vma") over time,
+e.g.:
+
+ - not detecting pgoff<
+Signed-off-by: Andrew Morton
+Cc: stable@vger.kernel.org
+Cc: Alexei Starovoitov
+Cc: Daniel Borkmann
+Cc: Martin KaFai Lau
+Cc: Song Liu
+Cc: Yonghong Song
+Cc: Andrii Nakryiko
+Cc: John Fastabend
+Cc: KP Singh
+Link: http://lkml.kernel.org/r/20200415222312.236431-1-jannh@google.com
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/proc/vmcore.c | 2 +-
+ include/linux/vmalloc.h | 2 +-
+ mm/vmalloc.c | 16 +++++++++++++---
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/fs/proc/vmcore.c
++++ b/fs/proc/vmcore.c
+@@ -459,7 +459,7 @@ static int mmap_vmcore(struct file *file
+ tsz = min(elfcorebuf_sz + elfnotes_sz - (size_t)start, size);
+ kaddr = elfnotes_buf + start - elfcorebuf_sz;
+ if (remap_vmalloc_range_partial(vma, vma->vm_start + len,
+- kaddr, tsz))
++ kaddr, 0, tsz))
+ goto fail;
+ size -= tsz;
+ start += tsz;
+--- a/include/linux/vmalloc.h
++++ b/include/linux/vmalloc.h
+@@ -89,7 +89,7 @@ extern void vunmap(const void *addr);
+
+ extern int remap_vmalloc_range_partial(struct vm_area_struct *vma,
+ unsigned long uaddr, void *kaddr,
+- unsigned long size);
++ unsigned long pgoff, unsigned long size);
+
+ extern int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
+ unsigned long pgoff);
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -31,6 +31,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -2173,6 +2174,7 @@ finished:
+ * @vma: vma to cover
+ * @uaddr: target user address to start at
+ * @kaddr: virtual address of vmalloc kernel memory
++ * @pgoff: offset from @kaddr to start at
+ * @size: size of map area
+ *
+ * Returns: 0 for success, -Exxx on failure
+@@ -2185,9 +2187,15 @@ finished:
+ * Similar to remap_pfn_range() (see mm/memory.c)
+ */
+ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
+- void *kaddr, unsigned long size)
++ void *kaddr, unsigned long pgoff,
++ unsigned long size)
+ {
+ struct vm_struct *area;
++ unsigned long off;
++ unsigned long end_index;
++
++ if (check_shl_overflow(pgoff, PAGE_SHIFT, &off))
++ return -EINVAL;
+
+ size = PAGE_ALIGN(size);
+
+@@ -2201,8 +2209,10 @@ int remap_vmalloc_range_partial(struct v
+ if (!(area->flags & VM_USERMAP))
+ return -EINVAL;
+
+- if (kaddr + size > area->addr + get_vm_area_size(area))
++ if (check_add_overflow(size, off, &end_index) ||
++ end_index > get_vm_area_size(area))
+ return -EINVAL;
++ kaddr += off;
+
+ do {
+ struct page *page = vmalloc_to_page(kaddr);
+@@ -2241,7 +2251,7 @@ int remap_vmalloc_range(struct vm_area_s
+ unsigned long pgoff)
+ {
+ return remap_vmalloc_range_partial(vma, vma->vm_start,
+- addr + (pgoff << PAGE_SHIFT),
++ addr, pgoff,
+ vma->vm_end - vma->vm_start);
+ }
+ EXPORT_SYMBOL(remap_vmalloc_range);
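Review bot: The replacement bound `end_index > get_vm_area_size(area)` measures size + off from the start of the area rather than from kaddr, so a kaddr that lies inside the area — and the mmap_vmcore hunk in this same patch passes `kaddr = elfnotes_buf + start - elfcorebuf_sz` with pgoff 0 — may be mapped up to kaddr - area->addr bytes past the area end, which the removed `kaddr + size > area->addr + get_vm_area_size(area)` line did reject. vmcore's own tsz computation bounds that caller today, but remap_vmalloc_range() (exported at the end of the hunk) forwards whatever addr its caller supplies, so either state the precondition in the kernel-doc (`@kaddr: start address of the vmalloc area`) or subtract kaddr's offset in the check: `end_index > get_vm_area_size(area) - (unsigned long)(kaddr - area->addr))`, which cannot underflow if find_vm_area() only returns the area containing kaddr. The lines between `size = PAGE_ALIGN(size);` and the VM_USERMAP test are outside the hunk, so a check there that pins kaddr to area->addr would make this moot. Separately, PAGE_ALIGN() runs before the overflow checks and wraps a size within PAGE_SIZE of ULONG_MAX to 0, and the body of the loop opened by `do {` (its condition is outside the hunk) runs at least once; `if (!size) return -EINVAL;` after the alignment would close that, assuming no caller relies on size 0 mapping a page.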