--- /dev/null
+From 77e70d351db7de07a46ac49b87a6c3c7a60fca7e Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 26 Oct 2020 13:36:17 -0700
+Subject: Input: sunkbd - avoid use-after-free in teardown paths
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 77e70d351db7de07a46ac49b87a6c3c7a60fca7e upstream.
+
+We need to make sure we cancel the reinit work before we tear down the
+driver structures.
+
+Reported-by: Bodong Zhao <nopitydays@gmail.com>
+Tested-by: Bodong Zhao <nopitydays@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/keyboard/sunkbd.c | 41 ++++++++++++++++++++++++++++++++--------
+ 1 file changed, 33 insertions(+), 8 deletions(-)
+
+--- a/drivers/input/keyboard/sunkbd.c
++++ b/drivers/input/keyboard/sunkbd.c
+@@ -99,7 +99,8 @@ static irqreturn_t sunkbd_interrupt(stru
+ switch (data) {
+
+ case SUNKBD_RET_RESET:
+- schedule_work(&sunkbd->tq);
++ if (sunkbd->enabled)
++ schedule_work(&sunkbd->tq);
+ sunkbd->reset = -1;
+ break;
+
+@@ -200,16 +201,12 @@ static int sunkbd_initialize(struct sunk
+ }
+
+ /*
+- * sunkbd_reinit() sets leds and beeps to a state the computer remembers they
+- * were in.
++ * sunkbd_set_leds_beeps() sets leds and beeps to a state the computer remembers
++ * they were in.
+ */
+
+-static void sunkbd_reinit(struct work_struct *work)
++static void sunkbd_set_leds_beeps(struct sunkbd *sunkbd)
+ {
+- struct sunkbd *sunkbd = container_of(work, struct sunkbd, tq);
+-
+- wait_event_interruptible_timeout(sunkbd->wait, sunkbd->reset >= 0, HZ);
+-
+ serio_write(sunkbd->serio, SUNKBD_CMD_SETLED);
+ serio_write(sunkbd->serio,
+ (!!test_bit(LED_CAPSL, sunkbd->dev->led) << 3) |
+@@ -222,11 +219,39 @@ static void sunkbd_reinit(struct work_st
+ SUNKBD_CMD_BELLOFF - !!test_bit(SND_BELL, sunkbd->dev->snd));
+ }
+
++
++/*
++ * sunkbd_reinit() wait for the keyboard reset to complete and restores state
++ * of leds and beeps.
++ */
++
++static void sunkbd_reinit(struct work_struct *work)
++{
++ struct sunkbd *sunkbd = container_of(work, struct sunkbd, tq);
++
++ /*
++ * It is OK that we check sunkbd->enabled without pausing serio,
++ * as we only want to catch true->false transition that will
++ * happen once and we will be woken up for it.
++ */
++ wait_event_interruptible_timeout(sunkbd->wait,
++ sunkbd->reset >= 0 || !sunkbd->enabled,
++ HZ);
++
++ if (sunkbd->reset >= 0 && sunkbd->enabled)
++ sunkbd_set_leds_beeps(sunkbd);
++}
++
+ static void sunkbd_enable(struct sunkbd *sunkbd, bool enable)
+ {
+ serio_pause_rx(sunkbd->serio);
+ sunkbd->enabled = enable;
+ serio_continue_rx(sunkbd->serio);
++
++ if (!enable) {
++ wake_up_interruptible(&sunkbd->wait);
++ cancel_work_sync(&sunkbd->tq);
++ }
+ }
+
+ /*
--- /dev/null
+From f9317ae5523f99999fb54c513ebabbb2bc887ddf Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Tue, 22 Sep 2020 23:41:12 +0200
+Subject: net: lantiq: Add locking for TX DMA channel
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+commit f9317ae5523f99999fb54c513ebabbb2bc887ddf upstream.
+
+The TX DMA channel data is accessed by the xrx200_start_xmit() and the
+xrx200_tx_housekeeping() function from different threads. Make sure the
+accesses are synchronized by acquiring the netif_tx_lock() in the
+xrx200_tx_housekeeping() function too. This lock is acquired by the
+kernel before calling xrx200_start_xmit().
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/lantiq_xrx200.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/lantiq_xrx200.c
++++ b/drivers/net/ethernet/lantiq_xrx200.c
+@@ -245,6 +245,7 @@ static int xrx200_tx_housekeeping(struct
+ int pkts = 0;
+ int bytes = 0;
+
++ netif_tx_lock(net_dev);
+ while (pkts < budget) {
+ struct ltq_dma_desc *desc = &ch->dma.desc_base[ch->tx_free];
+
+@@ -268,6 +269,7 @@ static int xrx200_tx_housekeeping(struct
+ net_dev->stats.tx_bytes += bytes;
+ netdev_completed_queue(ch->priv->net_dev, pkts, bytes);
+
++ netif_tx_unlock(net_dev);
+ if (netif_queue_stopped(net_dev))
+ netif_wake_queue(net_dev);
+
--- /dev/null
+From 29daf869cbab69088fe1755d9dd224e99ba78b56 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+Date: Mon, 12 Oct 2020 08:54:31 +0000
+Subject: powerpc/8xx: Always fault when _PAGE_ACCESSED is not set
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+commit 29daf869cbab69088fe1755d9dd224e99ba78b56 upstream.
+
+The kernel expects pte_young() to work regardless of CONFIG_SWAP.
+
+Make sure a minor fault is taken to set _PAGE_ACCESSED when it
+is not already set, regardless of the selection of CONFIG_SWAP.
+
+This adds at least 3 instructions to the TLB miss exception
+handlers fast path. Following patch will reduce this overhead.
+
+Also update the rotation instruction to the correct number of bits
+to reflect all changes done to _PAGE_ACCESSED over time.
+
+Fixes: d069cb4373fe ("powerpc/8xx: Don't touch ACCESSED when no SWAP.")
+Fixes: 5f356497c384 ("powerpc/8xx: remove unused _PAGE_WRITETHRU")
+Fixes: e0a8e0d90a9f ("powerpc/8xx: Handle PAGE_USER via APG bits")
+Fixes: 5b2753fc3e8a ("powerpc/8xx: Implementation of PAGE_EXEC")
+Fixes: a891c43b97d3 ("powerpc/8xx: Prepare handlers for _PAGE_HUGE for 512k pages.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/af834e8a0f1fa97bfae65664950f0984a70c4750.1602492856.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/head_8xx.S | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+--- a/arch/powerpc/kernel/head_8xx.S
++++ b/arch/powerpc/kernel/head_8xx.S
+@@ -229,9 +229,7 @@ SystemCall:
+
+ InstructionTLBMiss:
+ mtspr SPRN_SPRG_SCRATCH0, r10
+-#if defined(ITLB_MISS_KERNEL) || defined(CONFIG_SWAP)
+ mtspr SPRN_SPRG_SCRATCH1, r11
+-#endif
+
+ /* If we are faulting a kernel address, we have to use the
+ * kernel page tables.
+@@ -278,11 +276,9 @@ InstructionTLBMiss:
+ #ifdef ITLB_MISS_KERNEL
+ mtcr r11
+ #endif
+-#ifdef CONFIG_SWAP
+- rlwinm r11, r10, 32-5, _PAGE_PRESENT
++ rlwinm r11, r10, 32-7, _PAGE_PRESENT
+ and r11, r11, r10
+ rlwimi r10, r11, 0, _PAGE_PRESENT
+-#endif
+ /* The Linux PTE won't go exactly into the MMU TLB.
+ * Software indicator bits 20 and 23 must be clear.
+ * Software indicator bits 22, 24, 25, 26, and 27 must be
+@@ -296,9 +292,7 @@ InstructionTLBMiss:
+
+ /* Restore registers */
+ 0: mfspr r10, SPRN_SPRG_SCRATCH0
+-#if defined(ITLB_MISS_KERNEL) || defined(CONFIG_SWAP)
+ mfspr r11, SPRN_SPRG_SCRATCH1
+-#endif
+ rfi
+ patch_site 0b, patch__itlbmiss_exit_1
+
+@@ -308,9 +302,7 @@ InstructionTLBMiss:
+ addi r10, r10, 1
+ stw r10, (itlb_miss_counter - PAGE_OFFSET)@l(0)
+ mfspr r10, SPRN_SPRG_SCRATCH0
+-#if defined(ITLB_MISS_KERNEL) || defined(CONFIG_SWAP)
+ mfspr r11, SPRN_SPRG_SCRATCH1
+-#endif
+ rfi
+ #endif
+
+@@ -394,11 +386,9 @@ DataStoreTLBMiss:
+ * r11 = ((r10 & PRESENT) & ((r10 & ACCESSED) >> 5));
+ * r10 = (r10 & ~PRESENT) | r11;
+ */
+-#ifdef CONFIG_SWAP
+- rlwinm r11, r10, 32-5, _PAGE_PRESENT
++ rlwinm r11, r10, 32-7, _PAGE_PRESENT
+ and r11, r11, r10
+ rlwimi r10, r11, 0, _PAGE_PRESENT
+-#endif
+ /* The Linux PTE won't go exactly into the MMU TLB.
+ * Software indicator bits 24, 25, 26, and 27 must be
+ * set. All other Linux PTE bits control the behavior
net-mlx5-poll-cmd-eq-in-case-of-command-timeout.patch
net-mlx5-fix-a-race-when-moving-command-interface-to-events-mode.patch
net-mlx5-add-retry-mechanism-to-the-command-entry-index-allocation.patch
+powerpc-8xx-always-fault-when-_page_accessed-is-not-set.patch
+net-lantiq-add-locking-for-tx-dma-channel.patch
+input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
