author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-08-01 13:49:37 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-08-01 13:50:04 -0400 |
commit | d69481a24940def3a0deaaeb6d71ade17520a29e (patch) | |
tree | db63b71b865efb52f50f20a0882161b98b4c7c26 | |
parent | b71c5d14e5999e5a6cb8dcb067524219c6bbb95d (diff) | |
download | longterm-queue-4.12-d69481a24940def3a0deaaeb6d71ade17520a29e.tar.gz |
drop patches with post-4.12 "Fixes:" commit IDs
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
18 files changed, 0 insertions, 1258 deletions
diff --git a/queue/ALSA-hda-realtek-Fix-Dell-AIO-LineOut-issue.patch b/queue/ALSA-hda-realtek-Fix-Dell-AIO-LineOut-issue.patch
deleted file mode 100644
index 175bf95..0000000
--- a/queue/ALSA-hda-realtek-Fix-Dell-AIO-LineOut-issue.patch
+++ /dev/null
@@ -1,94 +0,0 @@ -From 9226665159f0367ad08bc7d5dd194aeadb90316f Mon Sep 17 00:00:00 2001 -From: Kailang Yang <kailang@realtek.com> -Date: Thu, 14 Dec 2017 15:28:58 +0800 -Subject: [PATCH] ALSA: hda/realtek - Fix Dell AIO LineOut issue - -commit 9226665159f0367ad08bc7d5dd194aeadb90316f upstream. - -Dell AIO had LineOut jack. -Add LineOut verb into this patch. - -[ Additional notes: - the ALC274 codec seems requiring the fixed pin / DAC connections for - HP / line-out pins for enabling EQ for speakers; i.e. the HP / LO - pins expect to be connected with NID 0x03 while keeping the speaker - with NID 0x02. However, by adding a new line-out pin, the - auto-parser assigns the NID 0x02 for HP/LO pins as primary outputs. - As an easy workaround, we provide the preferred_pairs[] to map - forcibly for these pins. -- tiwai ] - -Fixes: 75ee94b20b46 ("ALSA: hda - fix headset mic problem for Dell machines with alc274") -Signed-off-by: Kailang Yang <kailang@realtek.com> -Cc: <stable@vger.kernel.org> -Signed-off-by: Takashi Iwai <tiwai@suse.de> - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 4b21f71d685c..6a4db00511ab 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -5185,6 +5185,22 @@ static void alc233_alc662_fixup_lenovo_dual_codecs(struct hda_codec *codec, - } - } - -+/* Forcibly assign NID 0x03 to HP/LO while NID 0x02 to SPK for EQ */ -+static void alc274_fixup_bind_dacs(struct hda_codec *codec, -+ const struct hda_fixup *fix, int action) -+{ -+ struct alc_spec *spec = codec->spec; -+ static hda_nid_t preferred_pairs[] = { -+ 0x21, 0x03, 0x1b, 0x03, 0x16, 0x02, -+ 0 -+ }; -+ -+ if (action != HDA_FIXUP_ACT_PRE_PROBE) -+ return; -+ -+ spec->gen.preferred_dacs = preferred_pairs; -+} -+ - /* for hda_fixup_thinkpad_acpi() */ - #include "thinkpad_helper.c" - -@@ -5302,6 +5318,8 @@ enum { - ALC233_FIXUP_LENOVO_MULTI_CODECS, - ALC294_FIXUP_LENOVO_MIC_LOCATION, - ALC700_FIXUP_INTEL_REFERENCE, -+ 
ALC274_FIXUP_DELL_BIND_DACS, -+ ALC274_FIXUP_DELL_AIO_LINEOUT_VERB, - }; - - static const struct hda_fixup alc269_fixups[] = { -@@ -6112,6 +6130,21 @@ static const struct hda_fixup alc269_fixups[] = { - {} - } - }, -+ [ALC274_FIXUP_DELL_BIND_DACS] = { -+ .type = HDA_FIXUP_FUNC, -+ .v.func = alc274_fixup_bind_dacs, -+ .chained = true, -+ .chain_id = ALC269_FIXUP_DELL1_MIC_NO_PRESENCE -+ }, -+ [ALC274_FIXUP_DELL_AIO_LINEOUT_VERB] = { -+ .type = HDA_FIXUP_PINS, -+ .v.pins = (const struct hda_pintbl[]) { -+ { 0x1b, 0x0401102f }, -+ { } -+ }, -+ .chained = true, -+ .chain_id = ALC274_FIXUP_DELL_BIND_DACS -+ }, - }; - - static const struct snd_pci_quirk alc269_fixup_tbl[] = { -@@ -6578,7 +6611,7 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { - {0x14, 0x90170110}, - {0x1b, 0x90a70130}, - {0x21, 0x03211020}), -- SND_HDA_PIN_QUIRK(0x10ec0274, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, -+ SND_HDA_PIN_QUIRK(0x10ec0274, 0x1028, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB, - {0x12, 0xb7a60130}, - {0x13, 0xb8a61140}, - {0x16, 0x90170110}, --- -2.15.0 - diff --git a/queue/KVM-MMU-Fix-infinite-loop-when-there-is-no-available.patch b/queue/KVM-MMU-Fix-infinite-loop-when-there-is-no-available.patch deleted file mode 100644 index 2e9b1db..0000000 --- a/queue/KVM-MMU-Fix-infinite-loop-when-there-is-no-available.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From ed52870f4676489124d8697fd00e6ae6c504e586 Mon Sep 17 00:00:00 2001 -From: Wanpeng Li <wanpeng.li@hotmail.com> -Date: Mon, 4 Dec 2017 22:21:30 -0800 -Subject: [PATCH] KVM: MMU: Fix infinite loop when there is no available mmu - page -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit ed52870f4676489124d8697fd00e6ae6c504e586 upstream. - -The below test case can cause infinite loop in kvm when ept=0. - - #include <unistd.h> - #include <sys/syscall.h> - #include <string.h> - #include <stdint.h> - #include <linux/kvm.h> - #include <fcntl.h> - #include <sys/ioctl.h> - - long r[5]; - int main() - { - r[2] = open("/dev/kvm", O_RDONLY); - r[3] = ioctl(r[2], KVM_CREATE_VM, 0); - r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7); - ioctl(r[4], KVM_RUN, 0); - } - -It doesn't setup the memory regions, mmu_alloc_shadow/direct_roots() in -kvm return 1 when kvm fails to allocate root page table which can result -in beblow infinite loop: - - vcpu_run() { - for (;;) { - r = vcpu_enter_guest()::kvm_mmu_reload() returns 1 - if (r <= 0) - break; - if (need_resched()) - cond_resched(); - } - } - -This patch fixes it by returning -ENOSPC when there is no available kvm mmu -page for root page table. 
- -Cc: Paolo Bonzini <pbonzini@redhat.com> -Cc: Radim Krčmář <rkrcmar@redhat.com> -Cc: stable@vger.kernel.org -Fixes: 26eeb53cf0f (KVM: MMU: Bail out immediately if there is no available mmu page) -Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> - -diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c -index e5e66e5c6640..c4deb1f34faa 100644 ---- a/arch/x86/kvm/mmu.c -+++ b/arch/x86/kvm/mmu.c -@@ -3395,7 +3395,7 @@ static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu) - spin_lock(&vcpu->kvm->mmu_lock); - if(make_mmu_pages_available(vcpu) < 0) { - spin_unlock(&vcpu->kvm->mmu_lock); -- return 1; -+ return -ENOSPC; - } - sp = kvm_mmu_get_page(vcpu, 0, 0, - vcpu->arch.mmu.shadow_root_level, 1, ACC_ALL); -@@ -3410,7 +3410,7 @@ static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu) - spin_lock(&vcpu->kvm->mmu_lock); - if (make_mmu_pages_available(vcpu) < 0) { - spin_unlock(&vcpu->kvm->mmu_lock); -- return 1; -+ return -ENOSPC; - } - sp = kvm_mmu_get_page(vcpu, i << (30 - PAGE_SHIFT), - i << 30, PT32_ROOT_LEVEL, 1, ACC_ALL); -@@ -3450,7 +3450,7 @@ static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu) - spin_lock(&vcpu->kvm->mmu_lock); - if (make_mmu_pages_available(vcpu) < 0) { - spin_unlock(&vcpu->kvm->mmu_lock); -- return 1; -+ return -ENOSPC; - } - sp = kvm_mmu_get_page(vcpu, root_gfn, 0, - vcpu->arch.mmu.shadow_root_level, 0, ACC_ALL); -@@ -3487,7 +3487,7 @@ static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu) - spin_lock(&vcpu->kvm->mmu_lock); - if (make_mmu_pages_available(vcpu) < 0) { - spin_unlock(&vcpu->kvm->mmu_lock); -- return 1; -+ return -ENOSPC; - } - sp = kvm_mmu_get_page(vcpu, root_gfn, i << 30, PT32_ROOT_LEVEL, - 0, ACC_ALL); --- -2.15.0 - diff --git a/queue/PCI-PM-Force-devices-to-D0-in-pci_pm_thaw_noirq.patch b/queue/PCI-PM-Force-devices-to-D0-in-pci_pm_thaw_noirq.patch deleted file mode 100644 index 91da6d3..0000000 
--- a/queue/PCI-PM-Force-devices-to-D0-in-pci_pm_thaw_noirq.patch
+++ /dev/null
@@ -1,46 +0,0 @@ -From 5839ee7389e893a31e4e3c9cf17b50d14103c902 Mon Sep 17 00:00:00 2001 -From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com> -Date: Fri, 15 Dec 2017 03:07:18 +0100 -Subject: [PATCH] PCI / PM: Force devices to D0 in pci_pm_thaw_noirq() - -commit 5839ee7389e893a31e4e3c9cf17b50d14103c902 upstream. - -It is incorrect to call pci_restore_state() for devices in low-power -states (D1-D3), as that involves the restoration of MSI setup which -requires MMIO to be operational and that is only the case in D0. - -However, pci_pm_thaw_noirq() may do that if the driver's "freeze" -callbacks put the device into a low-power state, so fix it by making -it force devices into D0 via pci_set_power_state() instead of trying -to "update" their power state which is pointless. - -Fixes: e60514bd4485 (PCI/PM: Restore the status of PCI devices across hibernation) -Cc: 4.13+ <stable@vger.kernel.org> # 4.13+ -Reported-by: Thomas Gleixner <tglx@linutronix.de> -Reported-by: Maarten Lankhorst <dev@mblankhorst.nl> -Tested-by: Thomas Gleixner <tglx@linutronix.de> -Tested-by: Maarten Lankhorst <dev@mblankhorst.nl> -Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> -Acked-by: Bjorn Helgaas <bhelgaas@google.com> - -diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c -index 945099d49f8f..14fd865a5120 100644 ---- a/drivers/pci/pci-driver.c -+++ b/drivers/pci/pci-driver.c -@@ -1012,7 +1012,12 @@ static int pci_pm_thaw_noirq(struct device *dev) - if (pci_has_legacy_pm_support(pci_dev)) - return pci_legacy_resume_early(dev); - -- pci_update_current_state(pci_dev, PCI_D0); -+ /* -+ * pci_restore_state() requires the device to be in D0 (because of MSI -+ * restoration among other things), so force it into D0 in case the -+ * driver's "freeze" callbacks put it into a low-power state directly. -+ */ -+ pci_set_power_state(pci_dev, PCI_D0); - pci_restore_state(pci_dev); - - if (drv && drv->pm && drv->pm->thaw_noirq) --- -2.15.0 - 
diff --git a/queue/block-unalign-call_single_data-in-struct-request.patch b/queue/block-unalign-call_single_data-in-struct-request.patch deleted file mode 100644 index 1aa8717..0000000 --- a/queue/block-unalign-call_single_data-in-struct-request.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 4ccafe032005e9b96acbef2e389a4de5b1254add Mon Sep 17 00:00:00 2001 -From: Jens Axboe <axboe@kernel.dk> -Date: Wed, 20 Dec 2017 13:13:58 -0700 -Subject: [PATCH] block: unalign call_single_data in struct request - -commit 4ccafe032005e9b96acbef2e389a4de5b1254add upstream. - -A previous change blindly added massive alignment to the -call_single_data structure in struct request. This ballooned it in size -from 296 to 320 bytes on my setup, for no valid reason at all. - -Use the unaligned struct __call_single_data variant instead. - -Fixes: 966a967116e69 ("smp: Avoid using two cache lines for struct call_single_data") -Cc: stable@vger.kernel.org # v4.14 -Signed-off-by: Jens Axboe <axboe@kernel.dk> - -diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h -index 100d0df38026..0ce8a372d506 100644 ---- a/include/linux/blkdev.h -+++ b/include/linux/blkdev.h -@@ -135,7 +135,7 @@ typedef __u32 __bitwise req_flags_t; - struct request { - struct list_head queuelist; - union { -- call_single_data_t csd; -+ struct __call_single_data csd; - u64 fifo_time; - }; - --- -2.15.0 - diff --git a/queue/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch b/queue/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch deleted file mode 100644 index a472206..0000000 --- a/queue/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 179d1c5602997fef5a940c6ddcf31212cbfebd14 Mon Sep 17 00:00:00 2001 -From: Jann Horn <jannh@google.com> -Date: Mon, 18 Dec 2017 20:11:59 -0800 -Subject: [PATCH] bpf: don't prune branches when a scalar is replaced with a - pointer - -commit 179d1c5602997fef5a940c6ddcf31212cbfebd14 upstream. - -This could be made safe by passing through a reference to env and checking -for env->allow_ptr_leaks, but it would only work one way and is probably -not worth the hassle - not doing it will not directly lead to program -rejection. - -Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") -Signed-off-by: Jann Horn <jannh@google.com> -Signed-off-by: Alexei Starovoitov <ast@kernel.org> -Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 102c519836f6..982bd9ec721a 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -3467,15 +3467,14 @@ static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur, - return range_within(rold, rcur) && - tnum_in(rold->var_off, rcur->var_off); - } else { -- /* if we knew anything about the old value, we're not -- * equal, because we can't know anything about the -- * scalar value of the pointer in the new value. -+ /* We're trying to use a pointer in place of a scalar. -+ * Even if the scalar was unbounded, this could lead to -+ * pointer leaks because scalars are allowed to leak -+ * while pointers are not. We could make this safe in -+ * special cases if root is calling us, but it's -+ * probably not worth the hassle. - */ -- return rold->umin_value == 0 && -- rold->umax_value == U64_MAX && -- rold->smin_value == S64_MIN && -- rold->smax_value == S64_MAX && -- tnum_is_unknown(rold->var_off); -+ return false; - } - case PTR_TO_MAP_VALUE: - /* If the new min/max/var_off satisfy the old ones and --- -2.15.0 - 
diff --git a/queue/bpf-fix-32-bit-ALU-op-verification.patch b/queue/bpf-fix-32-bit-ALU-op-verification.patch
deleted file mode 100644
index 3c7d210..0000000
--- a/queue/bpf-fix-32-bit-ALU-op-verification.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -From 468f6eafa6c44cb2c5d8aad35e12f06c240a812a Mon Sep 17 00:00:00 2001 -From: Jann Horn <jannh@google.com> -Date: Mon, 18 Dec 2017 20:11:56 -0800 -Subject: [PATCH] bpf: fix 32-bit ALU op verification - -commit 468f6eafa6c44cb2c5d8aad35e12f06c240a812a upstream. - -32-bit ALU ops operate on 32-bit values and have 32-bit outputs. -Adjust the verifier accordingly. - -Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") -Signed-off-by: Jann Horn <jannh@google.com> -Signed-off-by: Alexei Starovoitov <ast@kernel.org> -Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index f716bdf29dd0..ecdc265244ca 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2017,6 +2017,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, - return 0; - } - -+/* WARNING: This function does calculations on 64-bit values, but the actual -+ * execution may occur on 32-bit values. Therefore, things like bitshifts -+ * need extra checks in the 32-bit case. -+ */ - static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, - struct bpf_insn *insn, - struct bpf_reg_state *dst_reg, -@@ -2027,12 +2031,8 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, - bool src_known, dst_known; - s64 smin_val, smax_val; - u64 umin_val, umax_val; -+ u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; - -- if (BPF_CLASS(insn->code) != BPF_ALU64) { -- /* 32-bit ALU ops are (32,32)->64 */ -- coerce_reg_to_size(dst_reg, 4); -- coerce_reg_to_size(&src_reg, 4); -- } - smin_val = src_reg.smin_value; - smax_val = src_reg.smax_value; - umin_val = src_reg.umin_value; -@@ -2168,9 +2168,9 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, - __update_reg_bounds(dst_reg); - break; - case BPF_LSH: -- if (umax_val > 63) { -- /* Shifts greater than 63 are undefined. This includes -- * shifts by a negative number. 
-+ if (umax_val >= insn_bitness) { -+ /* Shifts greater than 31 or 63 are undefined. -+ * This includes shifts by a negative number. - */ - mark_reg_unknown(env, regs, insn->dst_reg); - break; -@@ -2196,9 +2196,9 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, - __update_reg_bounds(dst_reg); - break; - case BPF_RSH: -- if (umax_val > 63) { -- /* Shifts greater than 63 are undefined. This includes -- * shifts by a negative number. -+ if (umax_val >= insn_bitness) { -+ /* Shifts greater than 31 or 63 are undefined. -+ * This includes shifts by a negative number. - */ - mark_reg_unknown(env, regs, insn->dst_reg); - break; -@@ -2234,6 +2234,12 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, - break; - } - -+ if (BPF_CLASS(insn->code) != BPF_ALU64) { -+ /* 32-bit ALU ops are (32,32)->32 */ -+ coerce_reg_to_size(dst_reg, 4); -+ coerce_reg_to_size(&src_reg, 4); -+ } -+ - __reg_deduce_bounds(dst_reg); - __reg_bound_offset(dst_reg); - return 0; --- -2.15.0 - diff --git a/queue/bpf-fix-build-issues-on-um-due-to-mising-bpf_perf_ev.patch b/queue/bpf-fix-build-issues-on-um-due-to-mising-bpf_perf_ev.patch deleted file mode 100644 index 9c2dbfa..0000000 --- a/queue/bpf-fix-build-issues-on-um-due-to-mising-bpf_perf_ev.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From ab95477e7cb35557ecfc837687007b646bab9a9f Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann <daniel@iogearbox.net> -Date: Tue, 12 Dec 2017 02:25:31 +0100 -Subject: [PATCH] bpf: fix build issues on um due to mising bpf_perf_event.h - -commit ab95477e7cb35557ecfc837687007b646bab9a9f upstream. - -[ Note, this is a Git cherry-pick of the following commit: - - a23f06f06dbe ("bpf: fix build issues on um due to mising bpf_perf_event.h") - - ... for easier x86 PTI code testing and back-porting. ] - -Since c895f6f703ad ("bpf: correct broken uapi for -BPF_PROG_TYPE_PERF_EVENT program type") um (uml) won't build -on i386 or x86_64: - - [...] - CC init/main.o - In file included from ../include/linux/perf_event.h:18:0, - from ../include/linux/trace_events.h:10, - from ../include/trace/syscall.h:7, - from ../include/linux/syscalls.h:82, - from ../init/main.c:20: - ../include/uapi/linux/bpf_perf_event.h:11:32: fatal error: - asm/bpf_perf_event.h: No such file or directory #include - <asm/bpf_perf_event.h> - [...] - -Lets add missing bpf_perf_event.h also to um arch. This seems -to be the only one still missing. 
- -Fixes: c895f6f703ad ("bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type") -Reported-by: Randy Dunlap <rdunlap@infradead.org> -Suggested-by: Richard Weinberger <richard@sigma-star.at> -Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> -Tested-by: Randy Dunlap <rdunlap@infradead.org> -Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com> -Cc: Richard Weinberger <richard@sigma-star.at> -Acked-by: Alexei Starovoitov <ast@kernel.org> -Acked-by: Richard Weinberger <richard@nod.at> -Signed-off-by: Alexei Starovoitov <ast@kernel.org> -Signed-off-by: Ingo Molnar <mingo@kernel.org> - -diff --git a/arch/um/include/asm/Kbuild b/arch/um/include/asm/Kbuild -index 50a32c33d729..73c57f614c9e 100644 ---- a/arch/um/include/asm/Kbuild -+++ b/arch/um/include/asm/Kbuild -@@ -1,4 +1,5 @@ - generic-y += barrier.h -+generic-y += bpf_perf_event.h - generic-y += bug.h - generic-y += clkdev.h - generic-y += current.h --- -2.15.0 - diff --git a/queue/bpf-fix-corruption-on-concurrent-perf_event_output-c.patch b/queue/bpf-fix-corruption-on-concurrent-perf_event_output-c.patch deleted file mode 100644 index 70c786d..0000000 --- a/queue/bpf-fix-corruption-on-concurrent-perf_event_output-c.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From 283ca526a9bd75aed7350220d7b1f8027d99c3fd Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann <daniel@iogearbox.net> -Date: Tue, 12 Dec 2017 02:25:30 +0100 -Subject: [PATCH] bpf: fix corruption on concurrent perf_event_output calls - -commit 283ca526a9bd75aed7350220d7b1f8027d99c3fd upstream. - -When tracing and networking programs are both attached in the -system and both use event-output helpers that eventually call -into perf_event_output(), then we could end up in a situation -where the tracing attached program runs in user context while -a cls_bpf program is triggered on that same CPU out of softirq -context. - -Since both rely on the same per-cpu perf_sample_data, we could -potentially corrupt it. This can only ever happen in a combination -of the two types; all tracing programs use a bpf_prog_active -counter to bail out in case a program is already running on -that CPU out of a different context. XDP and cls_bpf programs -by themselves don't have this issue as they run in the same -context only. Therefore, split both perf_sample_data so they -cannot be accessed from each other. 
- -Fixes: 20b9d7ac4852 ("bpf: avoid excessive stack usage for perf_sample_data") -Reported-by: Alexei Starovoitov <ast@fb.com> -Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> -Tested-by: Song Liu <songliubraving@fb.com> -Acked-by: Alexei Starovoitov <ast@kernel.org> -Signed-off-by: Alexei Starovoitov <ast@kernel.org> - -diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c -index 0ce99c379c30..40207c2a4113 100644 ---- a/kernel/trace/bpf_trace.c -+++ b/kernel/trace/bpf_trace.c -@@ -343,14 +343,13 @@ static const struct bpf_func_proto bpf_perf_event_read_value_proto = { - .arg4_type = ARG_CONST_SIZE, - }; - --static DEFINE_PER_CPU(struct perf_sample_data, bpf_sd); -+static DEFINE_PER_CPU(struct perf_sample_data, bpf_trace_sd); - - static __always_inline u64 - __bpf_perf_event_output(struct pt_regs *regs, struct bpf_map *map, -- u64 flags, struct perf_raw_record *raw) -+ u64 flags, struct perf_sample_data *sd) - { - struct bpf_array *array = container_of(map, struct bpf_array, map); -- struct perf_sample_data *sd = this_cpu_ptr(&bpf_sd); - unsigned int cpu = smp_processor_id(); - u64 index = flags & BPF_F_INDEX_MASK; - struct bpf_event_entry *ee; -@@ -373,8 +372,6 @@ __bpf_perf_event_output(struct pt_regs *regs, struct bpf_map *map, - if (unlikely(event->oncpu != cpu)) - return -EOPNOTSUPP; - -- perf_sample_data_init(sd, 0, 0); -- sd->raw = raw; - perf_event_output(event, sd, regs); - return 0; - } -@@ -382,6 +379,7 @@ __bpf_perf_event_output(struct pt_regs *regs, struct bpf_map *map, - BPF_CALL_5(bpf_perf_event_output, struct pt_regs *, regs, struct bpf_map *, map, - u64, flags, void *, data, u64, size) - { -+ struct perf_sample_data *sd = this_cpu_ptr(&bpf_trace_sd); - struct perf_raw_record raw = { - .frag = { - .size = size, -@@ -392,7 +390,10 @@ BPF_CALL_5(bpf_perf_event_output, struct pt_regs *, regs, struct bpf_map *, map, - if (unlikely(flags & ~(BPF_F_INDEX_MASK))) - return -EINVAL; - -- return __bpf_perf_event_output(regs, map, flags, 
&raw); -+ perf_sample_data_init(sd, 0, 0); -+ sd->raw = &raw; -+ -+ return __bpf_perf_event_output(regs, map, flags, sd); - } - - static const struct bpf_func_proto bpf_perf_event_output_proto = { -@@ -407,10 +408,12 @@ static const struct bpf_func_proto bpf_perf_event_output_proto = { - }; - - static DEFINE_PER_CPU(struct pt_regs, bpf_pt_regs); -+static DEFINE_PER_CPU(struct perf_sample_data, bpf_misc_sd); - - u64 bpf_event_output(struct bpf_map *map, u64 flags, void *meta, u64 meta_size, - void *ctx, u64 ctx_size, bpf_ctx_copy_t ctx_copy) - { -+ struct perf_sample_data *sd = this_cpu_ptr(&bpf_misc_sd); - struct pt_regs *regs = this_cpu_ptr(&bpf_pt_regs); - struct perf_raw_frag frag = { - .copy = ctx_copy, -@@ -428,8 +431,10 @@ u64 bpf_event_output(struct bpf_map *map, u64 flags, void *meta, u64 meta_size, - }; - - perf_fetch_caller_regs(regs); -+ perf_sample_data_init(sd, 0, 0); -+ sd->raw = &raw; - -- return __bpf_perf_event_output(regs, map, flags, &raw); -+ return __bpf_perf_event_output(regs, map, flags, sd); - } - - BPF_CALL_0(bpf_get_current_task) --- -2.15.0 - diff --git a/queue/bpf-fix-incorrect-tracking-of-register-size-truncati.patch b/queue/bpf-fix-incorrect-tracking-of-register-size-truncati.patch deleted file mode 100644 index 2013381..0000000 --- a/queue/bpf-fix-incorrect-tracking-of-register-size-truncati.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From 0c17d1d2c61936401f4702e1846e2c19b200f958 Mon Sep 17 00:00:00 2001 -From: Jann Horn <jannh@google.com> -Date: Mon, 18 Dec 2017 20:11:55 -0800 -Subject: [PATCH] bpf: fix incorrect tracking of register size truncation - -commit 0c17d1d2c61936401f4702e1846e2c19b200f958 upstream. - -Properly handle register truncation to a smaller size. - -The old code first mirrors the clearing of the high 32 bits in the bitwise -tristate representation, which is correct. But then, it computes the new -arithmetic bounds as the intersection between the old arithmetic bounds and -the bounds resulting from the bitwise tristate representation. Therefore, -when coerce_reg_to_32() is called on a number with bounds -[0xffff'fff8, 0x1'0000'0007], the verifier computes -[0xffff'fff8, 0xffff'ffff] as bounds of the truncated number. -This is incorrect: The truncated number could also be in the range [0, 7], -and no meaningful arithmetic bounds can be computed in that case apart from -the obvious [0, 0xffff'ffff]. - -Starting with v4.14, this is exploitable by unprivileged users as long as -the unprivileged_bpf_disabled sysctl isn't set. - -Debian assigned CVE-2017-16996 for this issue. 
- -v2: - - flip the mask during arithmetic bounds calculation (Ben Hutchings) -v3: - - add CVE number (Ben Hutchings) - -Fixes: b03c9f9fdc37 ("bpf/verifier: track signed and unsigned min/max values") -Signed-off-by: Jann Horn <jannh@google.com> -Acked-by: Edward Cree <ecree@solarflare.com> -Signed-off-by: Alexei Starovoitov <ast@kernel.org> -Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index c086010ae51e..f716bdf29dd0 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -1067,6 +1067,29 @@ static int check_ptr_alignment(struct bpf_verifier_env *env, - strict); - } - -+/* truncate register to smaller size (in bytes) -+ * must be called with size < BPF_REG_SIZE -+ */ -+static void coerce_reg_to_size(struct bpf_reg_state *reg, int size) -+{ -+ u64 mask; -+ -+ /* clear high bits in bit representation */ -+ reg->var_off = tnum_cast(reg->var_off, size); -+ -+ /* fix arithmetic bounds */ -+ mask = ((u64)1 << (size * 8)) - 1; -+ if ((reg->umin_value & ~mask) == (reg->umax_value & ~mask)) { -+ reg->umin_value &= mask; -+ reg->umax_value &= mask; -+ } else { -+ reg->umin_value = 0; -+ reg->umax_value = mask; -+ } -+ reg->smin_value = reg->umin_value; -+ reg->smax_value = reg->umax_value; -+} -+ - /* check whether memory at (regno + off) is accessible for t = (read | write) - * if t==write, value_regno is a register which value is stored into memory - * if t==read, value_regno is a register which will receive the value from memory -@@ -1200,9 +1223,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn - if (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ && - regs[value_regno].type == SCALAR_VALUE) { - /* b/h/w load zero-extends, mark upper bits as known 0 */ -- regs[value_regno].var_off = -- tnum_cast(regs[value_regno].var_off, size); -- __update_reg_bounds(®s[value_regno]); -+ coerce_reg_to_size(®s[value_regno], size); - } - return err; - 
} -@@ -1772,14 +1793,6 @@ static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx) - return 0; - } - --static void coerce_reg_to_32(struct bpf_reg_state *reg) --{ -- /* clear high 32 bits */ -- reg->var_off = tnum_cast(reg->var_off, 4); -- /* Update bounds */ -- __update_reg_bounds(reg); --} -- - static bool signed_add_overflows(s64 a, s64 b) - { - /* Do the add in u64, where overflow is well-defined */ -@@ -2017,8 +2030,8 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, - - if (BPF_CLASS(insn->code) != BPF_ALU64) { - /* 32-bit ALU ops are (32,32)->64 */ -- coerce_reg_to_32(dst_reg); -- coerce_reg_to_32(&src_reg); -+ coerce_reg_to_size(dst_reg, 4); -+ coerce_reg_to_size(&src_reg, 4); - } - smin_val = src_reg.smin_value; - smax_val = src_reg.smax_value; -@@ -2398,10 +2411,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) - return -EACCES; - } - mark_reg_unknown(env, regs, insn->dst_reg); -- /* high 32 bits are known zero. */ -- regs[insn->dst_reg].var_off = tnum_cast( -- regs[insn->dst_reg].var_off, 4); -- __update_reg_bounds(®s[insn->dst_reg]); -+ coerce_reg_to_size(®s[insn->dst_reg], 4); - } - } else { - /* case: R = imm --- -2.15.0 - diff --git a/queue/bpf-fix-integer-overflows.patch b/queue/bpf-fix-integer-overflows.patch deleted file mode 100644 index f431312..0000000 --- a/queue/bpf-fix-integer-overflows.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -From bb7f0f989ca7de1153bd128a40a71709e339fa03 Mon Sep 17 00:00:00 2001 -From: Alexei Starovoitov <ast@kernel.org> -Date: Mon, 18 Dec 2017 20:12:00 -0800 -Subject: [PATCH] bpf: fix integer overflows - -commit bb7f0f989ca7de1153bd128a40a71709e339fa03 upstream. - -There were various issues related to the limited size of integers used in -the verifier: - - `off + size` overflow in __check_map_access() - - `off + reg->off` overflow in check_mem_access() - - `off + reg->var_off.value` overflow or 32-bit truncation of - `reg->var_off.value` in check_mem_access() - - 32-bit truncation in check_stack_boundary() - -Make sure that any integer math cannot overflow by not allowing -pointer math with large values. - -Also reduce the scope of "scalar op scalar" tracking. - -Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") -Reported-by: Jann Horn <jannh@google.com> -Signed-off-by: Alexei Starovoitov <ast@kernel.org> -Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> - -diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h -index c561b986bab0..1632bb13ad8a 100644 ---- a/include/linux/bpf_verifier.h -+++ b/include/linux/bpf_verifier.h -@@ -15,11 +15,11 @@ - * In practice this is far bigger than any realistic pointer offset; this limit - * ensures that umax_value + (int)off + (int)size cannot overflow a u64. - */ --#define BPF_MAX_VAR_OFF (1ULL << 31) -+#define BPF_MAX_VAR_OFF (1 << 29) - /* Maximum variable size permitted for ARG_CONST_SIZE[_OR_ZERO]. This ensures - * that converting umax_value to int cannot overflow. - */ --#define BPF_MAX_VAR_SIZ INT_MAX -+#define BPF_MAX_VAR_SIZ (1 << 29) - - /* Liveness marks, used for registers and spilled-regs (in stack slots). 
- * Read marks propagate upwards until they find a write mark; they record that -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 982bd9ec721a..86dfe6b5c243 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -1819,6 +1819,41 @@ static bool signed_sub_overflows(s64 a, s64 b) - return res > a; - } - -+static bool check_reg_sane_offset(struct bpf_verifier_env *env, -+ const struct bpf_reg_state *reg, -+ enum bpf_reg_type type) -+{ -+ bool known = tnum_is_const(reg->var_off); -+ s64 val = reg->var_off.value; -+ s64 smin = reg->smin_value; -+ -+ if (known && (val >= BPF_MAX_VAR_OFF || val <= -BPF_MAX_VAR_OFF)) { -+ verbose(env, "math between %s pointer and %lld is not allowed\n", -+ reg_type_str[type], val); -+ return false; -+ } -+ -+ if (reg->off >= BPF_MAX_VAR_OFF || reg->off <= -BPF_MAX_VAR_OFF) { -+ verbose(env, "%s pointer offset %d is not allowed\n", -+ reg_type_str[type], reg->off); -+ return false; -+ } -+ -+ if (smin == S64_MIN) { -+ verbose(env, "math between %s pointer and register with unbounded min value is not allowed\n", -+ reg_type_str[type]); -+ return false; -+ } -+ -+ if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) { -+ verbose(env, "value %lld makes %s pointer be out of bounds\n", -+ smin, reg_type_str[type]); -+ return false; -+ } -+ -+ return true; -+} -+ - /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. - * Caller should also handle BPF_MOV case separately. 
- * If we return -EACCES, caller may want to try again treating pointer as a -@@ -1887,6 +1922,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, - dst_reg->type = ptr_reg->type; - dst_reg->id = ptr_reg->id; - -+ if (!check_reg_sane_offset(env, off_reg, ptr_reg->type) || -+ !check_reg_sane_offset(env, ptr_reg, ptr_reg->type)) -+ return -EINVAL; -+ - switch (opcode) { - case BPF_ADD: - /* We can take a fixed offset as long as it doesn't overflow -@@ -2017,6 +2056,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, - return -EACCES; - } - -+ if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type)) -+ return -EINVAL; -+ - __update_reg_bounds(dst_reg); - __reg_deduce_bounds(dst_reg); - __reg_bound_offset(dst_reg); -@@ -2046,6 +2088,12 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, - src_known = tnum_is_const(src_reg.var_off); - dst_known = tnum_is_const(dst_reg->var_off); - -+ if (!src_known && -+ opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) { -+ __mark_reg_unknown(dst_reg); -+ return 0; -+ } -+ - switch (opcode) { - case BPF_ADD: - if (signed_add_overflows(dst_reg->smin_value, smin_val) || --- -2.15.0 - diff --git a/queue/bpf-force-strict-alignment-checks-for-stack-pointers.patch b/queue/bpf-force-strict-alignment-checks-for-stack-pointers.patch deleted file mode 100644 index 717ef8b..0000000 --- a/queue/bpf-force-strict-alignment-checks-for-stack-pointers.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From a5ec6ae161d72f01411169a938fa5f8baea16e8f Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Mon, 18 Dec 2017 20:11:58 -0800
-Subject: [PATCH] bpf: force strict alignment checks for stack pointers
-
-commit a5ec6ae161d72f01411169a938fa5f8baea16e8f upstream.
-
-Force strict alignment checks for stack pointers because the tracking of
-stack spills relies on it; unaligned stack accesses can lead to corruption
-of spilled registers, which is exploitable.
-
-Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 77e4b5223867..102c519836f6 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -1059,6 +1059,11 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
- break;
- case PTR_TO_STACK:
- pointer_desc = "stack ";
-+ /* The stack spill tracking logic in check_stack_write()
-+ * and check_stack_read() relies on stack accesses being
-+ * aligned.
-+ */
-+ strict = true;
- break;
- default:
- break;
---
-2.15.0
-
diff --git a/queue/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch b/queue/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch
deleted file mode 100644
index b336f66..0000000
--- a/queue/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 4374f256ce8182019353c0c639bb8d0695b4c941 Mon Sep 17 00:00:00 2001
-From: Edward Cree <ecree@solarflare.com>
-Date: Mon, 18 Dec 2017 20:11:53 -0800
-Subject: [PATCH] bpf/verifier: fix bounds calculation on BPF_RSH
-
-commit 4374f256ce8182019353c0c639bb8d0695b4c941 upstream.
-
-Incorrect signed bounds were being computed.
-If the old upper signed bound was positive and the old lower signed bound was
-negative, this could cause the new upper signed bound to be too low,
-leading to security issues.
-
-Fixes: b03c9f9fdc37 ("bpf/verifier: track signed and unsigned min/max values")
-Reported-by: Jann Horn <jannh@google.com>
-Signed-off-by: Edward Cree <ecree@solarflare.com>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-[jannh@google.com: changed description to reflect bug impact]
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index e39b01317b6f..625e358ca765 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2190,20 +2190,22 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- mark_reg_unknown(env, regs, insn->dst_reg);
- break;
- }
-- /* BPF_RSH is an unsigned shift, so make the appropriate casts */
-- if (dst_reg->smin_value < 0) {
-- if (umin_val) {
-- /* Sign bit will be cleared */
-- dst_reg->smin_value = 0;
-- } else {
-- /* Lost sign bit information */
-- dst_reg->smin_value = S64_MIN;
-- dst_reg->smax_value = S64_MAX;
-- }
-- } else {
-- dst_reg->smin_value =
-- (u64)(dst_reg->smin_value) >> umax_val;
-- }
-+ /* BPF_RSH is an unsigned shift. If the value in dst_reg might
-+ * be negative, then either:
-+ * 1) src_reg might be zero, so the sign bit of the result is
-+ * unknown, so we lose our signed bounds
-+ * 2) it's known negative, thus the unsigned bounds capture the
-+ * signed bounds
-+ * 3) the signed bounds cross zero, so they tell us nothing
-+ * about the result
-+ * If the value in dst_reg is known nonnegative, then again the
-+ * unsigned bounts capture the signed bounds.
-+ * Thus, in all cases it suffices to blow away our signed bounds
-+ * and rely on inferring new ones from the unsigned bounds and
-+ * var_off of the result.
-+ */
-+ dst_reg->smin_value = S64_MIN;
-+ dst_reg->smax_value = S64_MAX;
- if (src_known)
- dst_reg->var_off = tnum_rshift(dst_reg->var_off,
- umin_val);
---
-2.15.0
-
diff --git a/queue/crypto-af_alg-fix-race-accessing-cipher-request.patch b/queue/crypto-af_alg-fix-race-accessing-cipher-request.patch
deleted file mode 100644
index 1b4e0eb..0000000
--- a/queue/crypto-af_alg-fix-race-accessing-cipher-request.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From d53c5135792319e095bb126bc43b2ee98586f7fe Mon Sep 17 00:00:00 2001
-From: Stephan Mueller <smueller@chronox.de>
-Date: Fri, 8 Dec 2017 11:50:37 +0100
-Subject: [PATCH] crypto: af_alg - fix race accessing cipher request
-
-commit d53c5135792319e095bb126bc43b2ee98586f7fe upstream.
-
-When invoking an asynchronous cipher operation, the invocation of the
-callback may be performed before the subsequent operations in the
-initial code path are invoked. The callback deletes the cipher request
-data structure which implies that after the invocation of the
-asynchronous cipher operation, this data structure must not be accessed
-any more.
-
-The setting of the return code size with the request data structure must
-therefore be moved before the invocation of the asynchronous cipher
-operation.
-
-Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
-Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Cc: <stable@vger.kernel.org> # v4.14+
-Signed-off-by: Stephan Mueller <smueller@chronox.de>
-Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
-diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
-index c8a32bef208a..b73db2b27656 100644
---- a/crypto/algif_aead.c
-+++ b/crypto/algif_aead.c
-@@ -291,6 +291,10 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
- /* AIO operation */
- sock_hold(sk);
- areq->iocb = msg->msg_iocb;
-+
-+ /* Remember output size that will be generated. */
-+ areq->outlen = outlen;
-+
- aead_request_set_callback(&areq->cra_u.aead_req,
- CRYPTO_TFM_REQ_MAY_BACKLOG,
- af_alg_async_cb, areq);
-@@ -298,12 +302,8 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
- crypto_aead_decrypt(&areq->cra_u.aead_req);
-
- /* AIO operation in progress */
-- if (err == -EINPROGRESS || err == -EBUSY) {
-- /* Remember output size that will be generated. */
-- areq->outlen = outlen;
--
-+ if (err == -EINPROGRESS || err == -EBUSY)
- return -EIOCBQUEUED;
-- }
-
- sock_put(sk);
- } else {
-diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
-index 6fb595cd63ac..baef9bfccdda 100644
---- a/crypto/algif_skcipher.c
-+++ b/crypto/algif_skcipher.c
-@@ -125,6 +125,10 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
- /* AIO operation */
- sock_hold(sk);
- areq->iocb = msg->msg_iocb;
-+
-+ /* Remember output size that will be generated. */
-+ areq->outlen = len;
-+
- skcipher_request_set_callback(&areq->cra_u.skcipher_req,
- CRYPTO_TFM_REQ_MAY_SLEEP,
- af_alg_async_cb, areq);
-@@ -133,12 +137,8 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
- crypto_skcipher_decrypt(&areq->cra_u.skcipher_req);
-
- /* AIO operation in progress */
-- if (err == -EINPROGRESS || err == -EBUSY) {
-- /* Remember output size that will be generated. */
-- areq->outlen = len;
--
-+ if (err == -EINPROGRESS || err == -EBUSY)
- return -EIOCBQUEUED;
-- }
-
- sock_put(sk);
- } else {
---
-2.15.0
-
diff --git a/queue/crypto-af_alg-wait-for-data-at-beginning-of-recvmsg.patch b/queue/crypto-af_alg-wait-for-data-at-beginning-of-recvmsg.patch
deleted file mode 100644
index b732590..0000000
--- a/queue/crypto-af_alg-wait-for-data-at-beginning-of-recvmsg.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 11edb555966ed2c66c533d17c604f9d7e580a829 Mon Sep 17 00:00:00 2001
-From: Stephan Mueller <smueller@chronox.de>
-Date: Wed, 29 Nov 2017 12:02:23 +0100
-Subject: [PATCH] crypto: af_alg - wait for data at beginning of recvmsg
-
-commit 11edb555966ed2c66c533d17c604f9d7e580a829 upstream.
-
-The wait for data is a non-atomic operation that can sleep and therefore
-potentially release the socket lock. The release of the socket lock
-allows another thread to modify the context data structure. The waiting
-operation for new data therefore must be called at the beginning of
-recvmsg. This prevents a race condition where checks of the members of
-the context data structure are performed by recvmsg while there is a
-potential for modification of these values.
-
-Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
-Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Cc: <stable@vger.kernel.org> # v4.14+
-Signed-off-by: Stephan Mueller <smueller@chronox.de>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
-diff --git a/crypto/af_alg.c b/crypto/af_alg.c
-index 358749c38894..f1a2caf1b59b 100644
---- a/crypto/af_alg.c
-+++ b/crypto/af_alg.c
-@@ -1137,12 +1137,6 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags,
- if (!af_alg_readable(sk))
- break;
-
-- if (!ctx->used) {
-- err = af_alg_wait_for_data(sk, flags);
-- if (err)
-- return err;
-- }
--
- seglen = min_t(size_t, (maxsize - len),
- msg_data_left(msg));
-
-diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
-index 805f485ddf1b..c8a32bef208a 100644
---- a/crypto/algif_aead.c
-+++ b/crypto/algif_aead.c
-@@ -111,6 +111,12 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
- size_t usedpages = 0; /* [in] RX bufs to be used from user */
- size_t processed = 0; /* [in] TX bufs to be consumed */
-
-+ if (!ctx->used) {
-+ err = af_alg_wait_for_data(sk, flags);
-+ if (err)
-+ return err;
-+ }
-+
- /*
- * Data length provided by caller via sendmsg/sendpage that has not
- * yet been processed.
-diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
-index 30cff827dd8f..6fb595cd63ac 100644
---- a/crypto/algif_skcipher.c
-+++ b/crypto/algif_skcipher.c
-@@ -72,6 +72,12 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
- int err = 0;
- size_t len = 0;
-
-+ if (!ctx->used) {
-+ err = af_alg_wait_for_data(sk, flags);
-+ if (err)
-+ return err;
-+ }
-+
- /* Allocate cipher request for current operation. */
- areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
- crypto_skcipher_reqsize(tfm));
---
-2.15.0
-
diff --git a/queue/crypto-skcipher-set-walk.iv-for-zero-length-inputs.patch b/queue/crypto-skcipher-set-walk.iv-for-zero-length-inputs.patch
deleted file mode 100644
index 4795d22..0000000
--- a/queue/crypto-skcipher-set-walk.iv-for-zero-length-inputs.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 2b4f27c36bcd46e820ddb9a8e6fe6a63fa4250b8 Mon Sep 17 00:00:00 2001
-From: Eric Biggers <ebiggers@google.com>
-Date: Wed, 29 Nov 2017 01:18:57 -0800
-Subject: [PATCH] crypto: skcipher - set walk.iv for zero-length inputs
-
-commit 2b4f27c36bcd46e820ddb9a8e6fe6a63fa4250b8 upstream.
-
-All the ChaCha20 algorithms as well as the ARM bit-sliced AES-XTS
-algorithms call skcipher_walk_virt(), then access the IV (walk.iv)
-before checking whether any bytes need to be processed (walk.nbytes).
-
-But if the input is empty, then skcipher_walk_virt() doesn't set the IV,
-and the algorithms crash trying to use the uninitialized IV pointer.
-
-Fix it by setting the IV earlier in skcipher_walk_virt(). Also fix it
-for the AEAD walk functions.
-
-This isn't a perfect solution because we can't actually align the IV to
-->cra_alignmask unless there are bytes to process, for one because the
-temporary buffer for the aligned IV is freed by skcipher_walk_done(),
-which is only called when there are bytes to process. Thus, algorithms
-that require aligned IVs will still need to avoid accessing the IV when
-walk.nbytes == 0. Still, many algorithms/architectures are fine with
-IVs having any alignment, and even for those that aren't, a misaligned
-pointer bug is much less severe than an uninitialized pointer bug.
-
-This change also matches the behavior of the older blkcipher_walk API.
-
-Fixes: 0cabf2af6f5a ("crypto: skcipher - Fix crash on zero-length input")
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Cc: <stable@vger.kernel.org> # v4.14+
-Signed-off-by: Eric Biggers <ebiggers@google.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
-diff --git a/crypto/skcipher.c b/crypto/skcipher.c
-index 778e0ff42bfa..11af5fd6a443 100644
---- a/crypto/skcipher.c
-+++ b/crypto/skcipher.c
-@@ -449,6 +449,8 @@ static int skcipher_walk_skcipher(struct skcipher_walk *walk,
-
- walk->total = req->cryptlen;
- walk->nbytes = 0;
-+ walk->iv = req->iv;
-+ walk->oiv = req->iv;
-
- if (unlikely(!walk->total))
- return 0;
-@@ -456,9 +458,6 @@ static int skcipher_walk_skcipher(struct skcipher_walk *walk,
- scatterwalk_start(&walk->in, req->src);
- scatterwalk_start(&walk->out, req->dst);
-
-- walk->iv = req->iv;
-- walk->oiv = req->iv;
--
- walk->flags &= ~SKCIPHER_WALK_SLEEP;
- walk->flags |= req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
- SKCIPHER_WALK_SLEEP : 0;
-@@ -510,6 +509,8 @@ static int skcipher_walk_aead_common(struct skcipher_walk *walk,
- int err;
-
- walk->nbytes = 0;
-+ walk->iv = req->iv;
-+ walk->oiv = req->iv;
-
- if (unlikely(!walk->total))
- return 0;
-@@ -525,9 +526,6 @@ static int skcipher_walk_aead_common(struct skcipher_walk *walk,
- scatterwalk_done(&walk->in, 0, walk->total);
- scatterwalk_done(&walk->out, 0, walk->total);
-
-- walk->iv = req->iv;
-- walk->oiv = req->iv;
--
- if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP)
- walk->flags |= SKCIPHER_WALK_SLEEP;
- else
---
-2.15.0
-
diff --git a/queue/ip_gre-check-packet-length-and-mtu-correctly-in-ersp.patch b/queue/ip_gre-check-packet-length-and-mtu-correctly-in-ersp.patch
deleted file mode 100644
index e608279..0000000
--- a/queue/ip_gre-check-packet-length-and-mtu-correctly-in-ersp.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From f192970de860d3ab90aa9e2a22853201a57bde78 Mon Sep 17 00:00:00 2001
-From: William Tu <u9012063@gmail.com>
-Date: Thu, 5 Oct 2017 12:07:12 -0700
-Subject: [PATCH] ip_gre: check packet length and mtu correctly in erspan tx
-
-commit f192970de860d3ab90aa9e2a22853201a57bde78 upstream.
-
-Similarly to early patch for erspan_xmit(), the ARPHDR_ETHER device
-is the length of the whole ether packet. So skb->len should subtract
-the dev->hard_header_len.
-
-Fixes: 1a66a836da63 ("gre: add collect_md mode to ERSPAN tunnel")
-Fixes: 84e54fe0a5ea ("gre: introduce native tunnel support for ERSPAN")
-Signed-off-by: William Tu <u9012063@gmail.com>
-Cc: Xin Long <lucien.xin@gmail.com>
-Cc: David Laight <David.Laight@aculab.com>
-Reviewed-by: Xin Long <lucien.xin@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-
-diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
-index dc2317776499..c105a315b1a3 100644
---- a/net/ipv4/ip_gre.c
-+++ b/net/ipv4/ip_gre.c
-@@ -579,8 +579,8 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev,
- if (gre_handle_offloads(skb, false))
- goto err_free_rt;
-
-- if (skb->len > dev->mtu) {
-- pskb_trim(skb, dev->mtu);
-+ if (skb->len > dev->mtu + dev->hard_header_len) {
-+ pskb_trim(skb, dev->mtu + dev->hard_header_len);
- truncate = true;
- }
-
-@@ -731,8 +731,8 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
- if (skb_cow_head(skb, dev->needed_headroom))
- goto free_skb;
-
-- if (skb->len - dev->hard_header_len > dev->mtu) {
-- pskb_trim(skb, dev->mtu);
-+ if (skb->len > dev->mtu + dev->hard_header_len) {
-+ pskb_trim(skb, dev->mtu + dev->hard_header_len);
- truncate = true;
- }
-
---
-2.15.0
-
diff --git a/queue/parisc-Fix-indenting-in-puts.patch b/queue/parisc-Fix-indenting-in-puts.patch
deleted file mode 100644
index 1ac8ac1..0000000
--- a/queue/parisc-Fix-indenting-in-puts.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 203c110b39a89b48156c7450504e454fedb7f7f6 Mon Sep 17 00:00:00 2001
-From: Helge Deller <deller@gmx.de>
-Date: Tue, 12 Dec 2017 21:32:16 +0100
-Subject: [PATCH] parisc: Fix indenting in puts()
-
-commit 203c110b39a89b48156c7450504e454fedb7f7f6 upstream.
-
-Static analysis tools complain that we intended to have curly braces
-around this indent block. In this case this assumption is wrong, so fix
-the indenting.
-
-Fixes: 2f3c7b8137ef ("parisc: Add core code for self-extracting kernel")
-Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Helge Deller <deller@gmx.de>
-Cc: <stable@vger.kernel.org> # v4.14+
-
-diff --git a/arch/parisc/boot/compressed/misc.c b/arch/parisc/boot/compressed/misc.c
-index 9345b44b86f0..f57118e1f6b4 100644
---- a/arch/parisc/boot/compressed/misc.c
-+++ b/arch/parisc/boot/compressed/misc.c
-@@ -123,8 +123,8 @@ int puts(const char *s)
- while ((nuline = strchr(s, '\n')) != NULL) {
- if (nuline != s)
- pdc_iodc_print(s, nuline - s);
-- pdc_iodc_print("\r\n", 2);
-- s = nuline + 1;
-+ pdc_iodc_print("\r\n", 2);
-+ s = nuline + 1;
- }
- if (*s != '\0')
- pdc_iodc_print(s, strlen(s));
---
-2.15.0
-
diff --git a/queue/series b/queue/series
index 6c25c23..d021abf 100644
--- a/queue/series
+++ b/queue/series
@@ -1,6 +1,5 @@
 ACPI-APEI-adjust-a-local-variable-type-in-ghes_iorem.patch
 x86-platform-UV-Convert-timers-to-use-timer_setup.patch
-bpf-fix-build-issues-on-um-due-to-mising-bpf_perf_ev.patch
 optee-fix-invalid-of_node_put-in-optee_driver_init.patch
 backlight-pwm_bl-Fix-overflow-condition.patch
 drm-Add-retries-for-lspcon-mode-detection.patch
@@ -22,7 +21,6 @@ ixgbe-fix-use-of-uninitialized-padding.patch
 IB-rxe-check-for-allocation-failure-on-elem.patch
 block-bfq-Disable-writeback-throttling.patch
 md-always-set-THREAD_WAKEUP-and-wake-up-wqueue-if-th.patch
-ip_gre-check-packet-length-and-mtu-correctly-in-ersp.patch
 leds-pca955x-Don-t-invert-requested-value-in-pca955x.patch
 Bluetooth-hci_uart_set_flow_control-Fix-NULL-deref-w.patch
 Bluetooth-hci_bcm-Fix-setting-of-irq-trigger-type.patch
@@ -60,45 +58,30 @@ thermal-drivers-hisi-Simplify-the-temperature-step-c.patch
 thermal-drivers-hisi-Fix-multiple-alarm-interrupts-f.patch
 platform-x86-asus-wireless-send-an-EV_SYN-SYN_REPORT.patch
 bpf-fix-branch-pruning-logic.patch
-bpf-fix-corruption-on-concurrent-perf_event_output-c.patch
 bpf-s390x-do-not-reload-skb-pointers-in-non-skb-cont.patch
 bpf-ppc64-do-not-reload-skb-pointers-in-non-skb-cont.patch
 bpf-sparc-fix-usage-of-wrong-reg-for-load_skb_regs-a.patch
-bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch
 bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
-bpf-fix-incorrect-tracking-of-register-size-truncati.patch
-bpf-fix-32-bit-ALU-op-verification.patch
-bpf-force-strict-alignment-checks-for-stack-pointers.patch
-bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch
-bpf-fix-integer-overflows.patch
 selftests-bpf-add-tests-for-recent-bugfixes.patch
 linux-compiler.h-Split-into-compiler.h-and-compiler_.patch
 tools-headers-Sync-objtool-UAPI-header.patch
 x86-insn-eval-Add-utility-functions-to-get-segment-s.patch
 ACPI-APEI-ERST-Fix-missing-error-handling-in-erst_re.patch
 acpi-nfit-fix-health-event-notification.patch
-crypto-skcipher-set-walk.iv-for-zero-length-inputs.patch
 crypto-mcryptd-protect-the-per-CPU-queue-with-a-lock.patch
-crypto-af_alg-wait-for-data-at-beginning-of-recvmsg.patch
-crypto-af_alg-fix-race-accessing-cipher-request.patch
 mfd-cros-ec-spi-Don-t-send-first-message-too-soon.patch
 mfd-twl4030-audio-Fix-sibling-node-lookup.patch
 mfd-twl6040-Fix-child-node-lookup.patch
 ALSA-rawmidi-Avoid-racy-info-ioctl-via-ctl-device.patch
-ALSA-hda-realtek-Fix-Dell-AIO-LineOut-issue.patch
 ALSA-hda-Add-vendor-id-for-Cannonlake-HDMI-codec.patch
 ALSA-usb-audio-Add-native-DSD-support-for-Esoteric-D.patch
-PCI-PM-Force-devices-to-D0-in-pci_pm_thaw_noirq.patch
-block-unalign-call_single_data-in-struct-request.patch
 block-throttle-avoid-double-charge.patch
 parisc-Align-os_hpmc_size-on-word-boundary.patch
-parisc-Fix-indenting-in-puts.patch
 parisc-Hide-Diva-built-in-serial-aux-and-graphics-ca.patch
 Revert-parisc-Re-enable-interrupts-early.patch
 spi-xilinx-Detect-stall-with-Unknown-commands.patch
 spi-a3700-Fix-clk-prescaling-for-coefficient-over-15.patch
 pinctrl-cherryview-Mask-all-interrupts-on-Intel_Stra.patch
-KVM-MMU-Fix-infinite-loop-when-there-is-no-available.patch
 clk-sunxi-sun9i-mmc-Implement-reset-callback-for-res.patch
 powerpc-perf-Dereference-BHRB-entries-safely.patch
 drm-i915-Flush-pending-GTT-writes-before-unbinding.patch |