From 8b5830976a44c1489f8427112af2a82c695c650f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 5 Jun 2020 12:59:53 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
 hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch
 kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch
 mm-fix-mremap-not-considering-huge-pmd-devmap.patch
 mmc-fix-compilation-of-user-api.patch
 p54usb-add-airvast-usb-stick-device-id.patch
---
 ...der-scl142alm-to-descriptor-override.patch | 38 ++++++++++
 ..._percpu-returning-null-in-relay_open.patch | 71 +++++++++++++++++++
 ...emap-not-considering-huge-pmd-devmap.patch | 56 +++++++++++++++
 .../mmc-fix-compilation-of-user-api.patch | 41 +++++++++++
 ...4usb-add-airvast-usb-stick-device-id.patch | 35 +++++++++
 queue-4.9/series | 5 ++
 6 files changed, 246 insertions(+)
 create mode 100644 queue-4.9/hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch
 create mode 100644 queue-4.9/kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch
 create mode 100644 queue-4.9/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
 create mode 100644 queue-4.9/mmc-fix-compilation-of-user-api.patch
 create mode 100644 queue-4.9/p54usb-add-airvast-usb-stick-device-id.patch
diff --git a/queue-4.9/hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch b/queue-4.9/hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch
new file mode 100644
index 00000000000..f05513a876f
--- /dev/null
+++ b/queue-4.9/hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch
@@ -0,0 +1,38 @@
+From 6507ef10660efdfee93f0f3b9fac24b5e4d83e56 Mon Sep 17 00:00:00 2001
+From: Julian Sax
+Date: Tue, 5 May 2020 17:10:42 +0200
+Subject: HID: i2c-hid: add Schneider SCL142ALM to descriptor override
+
+From: Julian Sax
+
+commit 6507ef10660efdfee93f0f3b9fac24b5e4d83e56 upstream.
+
+This device uses the SIPODEV SP1064 touchpad, which does not
+supply descriptors, so it has to be added to the override list.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Julian Sax
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
++++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
+@@ -381,6 +381,14 @@ static const struct dmi_system_id i2c_hi
+ },
+ .driver_data = (void *)&sipodev_desc
+ },
++ {
++ .ident = "Schneider SCL142ALM",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SCHNEIDER"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "SCL142ALM"),
++ },
++ .driver_data = (void *)&sipodev_desc
++ },
+ { } /* Terminate list */
+ };
+
diff --git a/queue-4.9/kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch b/queue-4.9/kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch
new file mode 100644
index 00000000000..9fba0a0f369
--- /dev/null
+++ b/queue-4.9/kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch
@@ -0,0 +1,71 @@
+From 54e200ab40fc14c863bcc80a51e20b7906608fce Mon Sep 17 00:00:00 2001
+From: Daniel Axtens
+Date: Thu, 4 Jun 2020 16:51:27 -0700
+Subject: kernel/relay.c: handle alloc_percpu returning NULL in relay_open
+
+From: Daniel Axtens
+
+commit 54e200ab40fc14c863bcc80a51e20b7906608fce upstream.
+
+alloc_percpu() may return NULL, which means chan->buf may be set to NULL.
+In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an
+invalid pointer:
+
+ BUG: Unable to handle kernel data access at 0x7dae0000
+ Faulting instruction address: 0xc0000000003f3fec
+ ...
+ NIP relay_open+0x29c/0x600
+ LR relay_open+0x270/0x600
+ Call Trace:
+ relay_open+0x264/0x600 (unreliable)
+ __blk_trace_setup+0x254/0x600
+ blk_trace_setup+0x68/0xa0
+ sg_ioctl+0x7bc/0x2e80
+ do_vfs_ioctl+0x13c/0x1300
+ ksys_ioctl+0x94/0x130
+ sys_ioctl+0x48/0xb0
+ system_call+0x5c/0x68
+
+Check if alloc_percpu returns NULL.
+
+This was found by syzkaller both on x86 and powerpc, and the reproducer
+it found on powerpc is capable of hitting the issue as an unprivileged
+user.
+
+Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
+Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com
+Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com
+Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com
+Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com
+Signed-off-by: Daniel Axtens
+Signed-off-by: Andrew Morton
+Reviewed-by: Michael Ellerman
+Reviewed-by: Andrew Donnellan
+Acked-by: David Rientjes
+Cc: Akash Goel
+Cc: Andrew Donnellan
+Cc: Guenter Roeck
+Cc: Salvatore Bonaccorso
+Cc: [4.10+]
+Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/relay.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -578,6 +578,11 @@ struct rchan *relay_open(const char *bas
+ return NULL;
+
+ chan->buf = alloc_percpu(struct rchan_buf *);
++ if (!chan->buf) {
++ kfree(chan);
++ return NULL;
++ }
++
+ chan->version = RELAYFS_CHANNEL_VERSION;
+ chan->n_subbufs = n_subbufs;
+ chan->subbuf_size = subbuf_size;
diff --git a/queue-4.9/mm-fix-mremap-not-considering-huge-pmd-devmap.patch b/queue-4.9/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
new file mode 100644
index 00000000000..6ee887ae185
--- /dev/null
+++ b/queue-4.9/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
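Review bot: The new `if (!chan->buf)` branch in relay_open() (kernel/relay.c) carries no comment, although the commit message shows the missing check was reachable through an ioctl path by an unprivileged user; a short comment such as `/* alloc_percpu() can fail; bail out before any per_cpu_ptr(chan->buf, ...) use */` would keep the check from being dropped in a later cleanup. The branch frees only `chan`, which looks right given the `return NULL;` directly above it, but relay_open() starts and ends outside the hunk, so it is worth confirming that nothing else has been allocated or registered by this point. Since NULL is the only failure signal, the function's kernel-doc should say that it also covers per-CPU allocation failure, so that callers such as the `__blk_trace_setup` path shown in the trace are known to need the check.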
@@ -0,0 +1,56 @@
+From 5bfea2d9b17f1034a68147a8b03b9789af5700f9 Mon Sep 17 00:00:00 2001
+From: Fan Yang
+Date: Thu, 4 Jun 2020 18:22:07 +0800
+Subject: mm: Fix mremap not considering huge pmd devmap
+
+From: Fan Yang
+
+commit 5bfea2d9b17f1034a68147a8b03b9789af5700f9 upstream.
+
+The original code in mm/mremap.c checks huge pmd by:
+
+ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
+
+However, a DAX mapped nvdimm is mapped as huge page (by default) but it
+is not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This commit
+changes the condition to include the case.
+
+This addresses CVE-2020-10757.
+
+Fixes: 5c7fb56e5e3f ("mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd")
+Cc:
+Reported-by: Fan Yang
+Signed-off-by: Fan Yang
+Tested-by: Fan Yang
+Tested-by: Dan Williams
+Reviewed-by: Dan Williams
+Acked-by: Kirill A. Shutemov
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/pgtable.h | 1 +
+ mm/mremap.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -203,6 +203,7 @@ static inline int pmd_large(pmd_t pte)
+ }
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
++/* NOTE: when predicate huge page, consider also pmd_devmap, or use pmd_large */
+ static inline int pmd_trans_huge(pmd_t pmd)
+ {
+ return (pmd_val(pmd) & (_PAGE_PSE|_PAGE_DEVMAP)) == _PAGE_PSE;
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -212,7 +212,7 @@ unsigned long move_page_tables(struct vm
+ new_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr);
+ if (!new_pmd)
+ break;
+- if (pmd_trans_huge(*old_pmd)) {
++ if (pmd_trans_huge(*old_pmd) || pmd_devmap(*old_pmd)) {
+ if (extent == HPAGE_PMD_SIZE) {
+ bool moved;
+ /* See comment in move_ptes() */
diff --git a/queue-4.9/mmc-fix-compilation-of-user-api.patch b/queue-4.9/mmc-fix-compilation-of-user-api.patch
new file mode 100644
index 00000000000..f99a225695e
--- /dev/null
+++ b/queue-4.9/mmc-fix-compilation-of-user-api.patch
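Review bot: The comment added above pmd_trans_huge() in arch/x86/include/asm/pgtable.h is hard to parse ("when predicate huge page"), yet it is the only thing in this patch that warns other callers about the devmap case behind CVE-2020-10757; I would word it as `/* NOTE: when testing for a huge pmd, also check pmd_devmap(), or use pmd_large() */`. The code change itself covers only the one test in move_page_tables() in mm/mremap.c, whose body starts and ends outside the hunk, so any other pmd_trans_huge() call sites in the 4.9 tree that must treat devmap entries as huge are not visible here and would need their own audit. The commit message also quotes the old condition as `is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)`, while the removed line in this backport tests only `pmd_trans_huge(*old_pmd)`; a one-line backport note in the description would record that difference.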
@@ -0,0 +1,41 @@
+From 83fc5dd57f86c3ec7d6d22565a6ff6c948853b64 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Pouiller?=
+Date: Mon, 11 May 2020 18:19:02 +0200
+Subject: mmc: fix compilation of user API
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jérôme Pouiller
+
+commit 83fc5dd57f86c3ec7d6d22565a6ff6c948853b64 upstream.
+
+The definitions of MMC_IOC_CMD and of MMC_IOC_MULTI_CMD rely on
+MMC_BLOCK_MAJOR:
+
+ #define MMC_IOC_CMD _IOWR(MMC_BLOCK_MAJOR, 0, struct mmc_ioc_cmd)
+ #define MMC_IOC_MULTI_CMD _IOWR(MMC_BLOCK_MAJOR, 1, struct mmc_ioc_multi_cmd)
+
+However, MMC_BLOCK_MAJOR is defined in linux/major.h and
+linux/mmc/ioctl.h did not include it.
+
+Signed-off-by: Jérôme Pouiller
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200511161902.191405-1-Jerome.Pouiller@silabs.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/uapi/linux/mmc/ioctl.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/uapi/linux/mmc/ioctl.h
++++ b/include/uapi/linux/mmc/ioctl.h
+@@ -2,6 +2,7 @@
+ #define LINUX_MMC_IOCTL_H
+
+ #include
++#include
+
+ struct mmc_ioc_cmd {
+ /* Implies direction of data. true = write, false = read */
diff --git a/queue-4.9/p54usb-add-airvast-usb-stick-device-id.patch b/queue-4.9/p54usb-add-airvast-usb-stick-device-id.patch
new file mode 100644
index 00000000000..5b4c59f63ce
--- /dev/null
+++ b/queue-4.9/p54usb-add-airvast-usb-stick-device-id.patch
@@ -0,0 +1,35 @@
+From 63e49a9fdac1b4e97ac26cb3fe953f210d83bc53 Mon Sep 17 00:00:00 2001
+From: Giuseppe Marco Randazzo
+Date: Mon, 6 Apr 2020 00:06:59 +0200
+Subject: p54usb: add AirVasT USB stick device-id
+
+From: Giuseppe Marco Randazzo
+
+commit 63e49a9fdac1b4e97ac26cb3fe953f210d83bc53 upstream.
+
+This patch adds the AirVasT USB wireless devices 124a:4026
+to the list of supported devices. It's using the ISL3886
+usb firmware. Without this modification, the wiki adapter
+is not recognized.
+
+Cc:
+Signed-off-by: Giuseppe Marco Randazzo
+Signed-off-by: Christian Lamparter [formatted, reworded]
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20200405220659.45621-1-chunkeey@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intersil/p54/p54usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/intersil/p54/p54usb.c
++++ b/drivers/net/wireless/intersil/p54/p54usb.c
+@@ -64,6 +64,7 @@ static struct usb_device_id p54u_table[]
+ {USB_DEVICE(0x0db0, 0x6826)}, /* MSI UB54G (MS-6826) */
+ {USB_DEVICE(0x107b, 0x55f2)}, /* Gateway WGU-210 (Gemtek) */
+ {USB_DEVICE(0x124a, 0x4023)}, /* Shuttle PN15, Airvast WM168g, IOGear GWU513 */
++ {USB_DEVICE(0x124a, 0x4026)}, /* AirVasT USB wireless device */
+ {USB_DEVICE(0x1435, 0x0210)}, /* Inventel UR054G */
+ {USB_DEVICE(0x15a9, 0x0002)}, /* Gemtek WUBI-100GW 802.11g */
+ {USB_DEVICE(0x1630, 0x0005)}, /* 2Wire 802.11g USB (v1) / Z-Com */
diff --git a/queue-4.9/series b/queue-4.9/series
index ca3b625e6ff..28b785a1b22 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -10,3 +10,8 @@ net-ethernet-freescale-rework-quiesce-activate-for-u.patch
 net-ethernet-stmmac-enable-interface-clocks-on-probe.patch
 net-smsc911x-fix-runtime-pm-imbalance-on-error.patch
 pppoe-only-process-padt-targeted-at-local-interfaces.patch
+mm-fix-mremap-not-considering-huge-pmd-devmap.patch
+hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch
+p54usb-add-airvast-usb-stick-device-id.patch
+kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch
+mmc-fix-compilation-of-user-api.patch
-- 
2.47.3