1. 15 5月, 2019 25 次提交
  2. 10 5月, 2019 15 次提交
    • G
      Linux 4.19.42 · 9c2556f4
      Greg Kroah-Hartman 提交于
      9c2556f4
    • W
      arm64: futex: Bound number of LDXR/STXR loops in FUTEX_WAKE_OP · 9ccdbde1
      Will Deacon 提交于
      commit 03110a5cb2161690ae5ac04994d47ed0cd6cef75 upstream.
      
      Our futex implementation makes use of LDXR/STXR loops to perform atomic
      updates to user memory from atomic context. This can lead to latency
      problems if we end up spinning around the LL/SC sequence at the expense
      of doing something useful.
      
      Rework our futex atomic operations so that we return -EAGAIN if we fail
      to update the futex word after 128 attempts. The core futex code will
      reschedule if necessary and we'll try again later.
      
      Cc: <stable@kernel.org>
      Fixes: 6170a974 ("arm64: Atomic operations")
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ccdbde1
    • W
      locking/futex: Allow low-level atomic operations to return -EAGAIN · 0f4ef8fb
      Will Deacon 提交于
      commit 6b4f4bc9cb22875f97023984a625386f0c7cc1c0 upstream.
      
      Some futex() operations, including FUTEX_WAKE_OP, require the kernel to
      perform an atomic read-modify-write of the futex word via the userspace
      mapping. These operations are implemented by each architecture in
      arch_futex_atomic_op_inuser() and futex_atomic_cmpxchg_inatomic(), which
      are called in atomic context with the relevant hash bucket locks held.
      
      Although these routines may return -EFAULT in response to a page fault
      generated when accessing userspace, they are expected to succeed (i.e.
      return 0) in all other cases. This poses a problem for architectures
      that do not provide bounded forward progress guarantees or fairness of
      contended atomic operations and can lead to starvation in some cases.
      
      In these problematic scenarios, we must return back to the core futex
      code so that we can drop the hash bucket locks and reschedule if
      necessary, much like we do in the case of a page fault.
      
      Allow architectures to return -EAGAIN from their implementations of
      arch_futex_atomic_op_inuser() and futex_atomic_cmpxchg_inatomic(), which
      will cause the core futex code to reschedule if necessary and return
      back to the architecture code later on.
      
      Cc: <stable@kernel.org>
      Acked-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0f4ef8fb
    • R
      ASoC: Intel: avoid Oops if DMA setup fails · 6fee3987
      Ross Zwisler 提交于
      commit 0efa3334d65b7f421ba12382dfa58f6ff5bf83c4 upstream.
      
      Currently in sst_dsp_new() if we get an error return from sst_dma_new()
      we just print an error message and then still complete the function
      successfully.  This means that we are trying to run without sst->dma
      properly set up, which will result in NULL pointer dereference when
      sst->dma is later used.  This was happening for me in
      sst_dsp_dma_get_channel():
      
              struct sst_dma *dma = dsp->dma;
      	...
              dma->ch = dma_request_channel(mask, dma_chan_filter, dsp);
      
      This resulted in:
      
         BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
         IP: sst_dsp_dma_get_channel+0x4f/0x125 [snd_soc_sst_firmware]
      
      Fix this by adding proper error handling for the case where we fail to
      set up DMA.
      
      This change only affects Haswell and Broadwell systems.  Baytrail
      systems explicilty opt-out of DMA via sst->pdata->resindex_dma_base
      being set to -1.
      Signed-off-by: NRoss Zwisler <zwisler@google.com>
      Cc: stable@vger.kernel.org
      Acked-by: NPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6fee3987
    • O
      UAS: fix alignment of scatter/gather segments · c3b3955f
      Oliver Neukum 提交于
      commit 3ae62a42090f1ed48e2313ed256a1182a85fb575 upstream.
      
      This is the UAS version of
      
      747668dbc061b3e62bc1982767a3a1f9815fcf0e
      usb-storage: Set virt_boundary_mask to avoid SG overflows
      
      We are not as likely to be vulnerable as storage, as it is unlikelier
      that UAS is run over a controller without native support for SG,
      but the issue exists.
      The issue has been existing since the inception of the driver.
      
      Fixes: 115bb1ff ("USB: Add UAS driver")
      Signed-off-by: NOliver Neukum <oneukum@suse.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c3b3955f
    • M
      Bluetooth: Align minimum encryption key size for LE and BR/EDR connections · 38f092c4
      Marcel Holtmann 提交于
      commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream.
      
      The minimum encryption key size for LE connections is 56 bits and to
      align LE with BR/EDR, enforce 56 bits of minimum encryption key size for
      BR/EDR connections as well.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      38f092c4
    • Y
      Bluetooth: hidp: fix buffer overflow · c6d1f9b4
      Young Xiao 提交于
      commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.
      
      Struct ca is copied from userspace. It is not checked whether the "name"
      field is NULL terminated, which allows local users to obtain potentially
      sensitive information from kernel stack memory, via a HIDPCONNADD command.
      
      This vulnerability is similar to CVE-2011-1079.
      Signed-off-by: NYoung Xiao <YangX92@hotmail.com>
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c6d1f9b4
    • Q
      scsi: qla2xxx: Fix device staying in blocked state · de7fe08b
      Quinn Tran 提交于
      commit 2137490f2147a8d0799b72b9a1023efb012d40c7 upstream.
      
      This patch fixes issue reported by some of the customers, who discovered
      that after cable pull scenario the devices disappear and path seems to
      remain in blocked state. Once the device reappears, driver does not seem to
      update path to online. This issue appears because of the defer flag
      creating race condition where the same session reappears.  This patch fixes
      this issue by indicating SCSI-ML of device lost when
      qlt_free_session_done() is called from qlt_unreg_sess().
      
      Fixes: 41dc529a ("qla2xxx: Improve RSCN handling in driver")
      Signed-off-by: NQuinn Tran <qtran@marvell.com>
      Cc: stable@vger.kernel.org #4.19
      Signed-off-by: NHimanshu Madhani <hmadhani@marvell.com>
      Reviewed-by: NEwan D. Milne <emilne@redhat.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      de7fe08b
    • A
      scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines · ef7014d7
      Andrew Vasquez 提交于
      commit 5cbdae10bf11f96e30b4d14de7b08c8b490e903c upstream.
      
      Commit e6f77540 ("scsi: qla2xxx: Fix an integer overflow in sysfs
      code") incorrectly set 'optrom_region_size' to 'start+size', which can
      overflow option-rom boundaries when 'start' is non-zero.  Continue setting
      optrom_region_size to the proper adjusted value of 'size'.
      
      Fixes: e6f77540 ("scsi: qla2xxx: Fix an integer overflow in sysfs code")
      Cc: stable@vger.kernel.org
      Signed-off-by: NAndrew Vasquez <andrewv@marvell.com>
      Signed-off-by: NHimanshu Madhani <hmadhani@marvell.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ef7014d7
    • S
      scsi: lpfc: change snprintf to scnprintf for possible overflow · 7a793ca1
      Silvio Cesare 提交于
      commit e7f7b6f38a44697428f5a2e7c606de028df2b0e3 upstream.
      
      Change snprintf to scnprintf. There are generally two cases where using
      snprintf causes problems.
      
      1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
      In this case, if snprintf would have written more characters than what the
      buffer size (SIZE) is, then size will end up larger than SIZE. In later
      uses of snprintf, SIZE - size will result in a negative number, leading
      to problems. Note that size might already be too large by using
      size = snprintf before the code reaches a case of size += snprintf.
      
      2) If size is ultimately used as a length parameter for a copy back to user
      space, then it will potentially allow for a buffer overflow and information
      disclosure when size is greater than SIZE. When the size is used to index
      the buffer directly, we can have memory corruption. This also means when
      size = snprintf... is used, it may also cause problems since size may become
      large.  Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
      configuration.
      
      The solution to these issues is to use scnprintf which returns the number of
      characters actually written to the buffer, so the size variable will never
      exceed SIZE.
      Signed-off-by: NSilvio Cesare <silvio.cesare@gmail.com>
      Signed-off-by: NWilly Tarreau <w@1wt.eu>
      Signed-off-by: NJames Smart <james.smart@broadcom.com>
      Cc: Dick Kennedy <dick.kennedy@broadcom.com>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Greg KH <greg@kroah.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7a793ca1
    • S
      soc: sunxi: Fix missing dependency on REGMAP_MMIO · 8b330b3e
      Samuel Holland 提交于
      commit a84014e1db35d8e7af09878d0b4bf30804fb17d5 upstream.
      
      When enabling ARCH_SUNXI from allnoconfig, SUNXI_SRAM is enabled, but
      not REGMAP_MMIO, so the kernel fails to link with an undefined reference
      to __devm_regmap_init_mmio_clk. Select REGMAP_MMIO, as suggested in
      drivers/base/regmap/Kconfig.
      
      This creates the following dependency loop:
      
        drivers/of/Kconfig:68:                symbol OF_IRQ depends on IRQ_DOMAIN
        kernel/irq/Kconfig:63:                symbol IRQ_DOMAIN is selected by REGMAP
        drivers/base/regmap/Kconfig:7:        symbol REGMAP default is visible depending on REGMAP_MMIO
        drivers/base/regmap/Kconfig:39:       symbol REGMAP_MMIO is selected by SUNXI_SRAM
        drivers/soc/sunxi/Kconfig:4:          symbol SUNXI_SRAM is selected by USB_MUSB_SUNXI
        drivers/usb/musb/Kconfig:63:          symbol USB_MUSB_SUNXI depends on GENERIC_PHY
        drivers/phy/Kconfig:7:                symbol GENERIC_PHY is selected by PHY_BCM_NS_USB3
        drivers/phy/broadcom/Kconfig:29:      symbol PHY_BCM_NS_USB3 depends on MDIO_BUS
        drivers/net/phy/Kconfig:12:           symbol MDIO_BUS default is visible depending on PHYLIB
        drivers/net/phy/Kconfig:181:          symbol PHYLIB is selected by ARC_EMAC_CORE
        drivers/net/ethernet/arc/Kconfig:18:  symbol ARC_EMAC_CORE is selected by ARC_EMAC
        drivers/net/ethernet/arc/Kconfig:24:  symbol ARC_EMAC depends on OF_IRQ
      
      To fix the circular dependency, make USB_MUSB_SUNXI select GENERIC_PHY
      instead of depending on it. This matches the use of GENERIC_PHY by all
      but two other drivers.
      
      Cc: <stable@vger.kernel.org> # 4.19
      Fixes: 5828729b ("soc: sunxi: export a regmap for EMAC clock reg on A64")
      Signed-off-by: NSamuel Holland <samuel@sholland.org>
      Acked-by: NMaxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: NBin Liu <b-liu@ti.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b330b3e
    • G
      cpufreq: armada-37xx: fix frequency calculation for opp · 557be577
      Gregory CLEMENT 提交于
      commit 8db82563451f976597ab7b282ec655e4390a4088 upstream.
      
      The frequency calculation was based on the current(max) frequency of the
      CPU. However for low frequency, the value used was already the parent
      frequency divided by a factor of 2.
      
      Instead of using this frequency, this fix directly get the frequency from
      the parent clock.
      
      Fixes: 92ce45fb ("cpufreq: Add DVFS support for Armada 37xx")
      Cc: <stable@vger.kernel.org>
      Reported-by: NChristian Neubert <christian.neubert.86@gmail.com>
      Signed-off-by: NGregory CLEMENT <gregory.clement@bootlin.com>
      Signed-off-by: NViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      557be577
    • A
      intel_th: pci: Add Comet Lake support · 6b7daf1f
      Alexander Shishkin 提交于
      commit e60e9a4b231a20a199d7a61caadc48693c30d695 upstream.
      
      This adds support for Intel TH on Comet Lake.
      Signed-off-by: NAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6b7daf1f
    • A
      usb-storage: Set virt_boundary_mask to avoid SG overflows · 5b2ba943
      Alan Stern 提交于
      commit 747668dbc061b3e62bc1982767a3a1f9815fcf0e upstream.
      
      The USB subsystem has always had an unusual requirement for its
      scatter-gather transfers: Each element in the scatterlist (except the
      last one) must have a length divisible by the bulk maxpacket size.
      This is a particular issue for USB mass storage, which uses SG lists
      created by the block layer rather than setting up its own.
      
      So far we have scraped by okay because most devices have a logical
      block size of 512 bytes or larger, and the bulk maxpacket sizes for
      USB 2 and below are all <= 512.  However, USB 3 has a bulk maxpacket
      size of 1024.  Since the xhci-hcd driver includes native SG support,
      this hasn't mattered much.  But now people are trying to use USB-3
      mass storage devices with USBIP, and the vhci-hcd driver currently
      does not have full SG support.
      
      The result is an overflow error, when the driver attempts to implement
      an SG transfer of 63 512-byte blocks as a single
      3584-byte (7 blocks) transfer followed by seven 4096-byte (8 blocks)
      transfers.  The device instead sends 31 1024-byte packets followed by
      a 512-byte packet, and this overruns the first SG buffer.
      
      Ideally this would be fixed by adding better SG support to vhci-hcd.
      But for now it appears we can work around the problem by
      asking the block layer to respect the maxpacket limitation, through
      the use of the virt_boundary_mask.
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      Reported-by: NSeth Bollinger <Seth.Bollinger@digi.com>
      Tested-by: NSeth Bollinger <Seth.Bollinger@digi.com>
      CC: Ming Lei <tom.leiming@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b2ba943
    • J
      USB: cdc-acm: fix unthrottle races · 18e6f302
      Johan Hovold 提交于
      commit 764478f41130f1b8d8057575b89e69980a0f600d upstream.
      
      Fix two long-standing bugs which could potentially lead to memory
      corruption or leave the port throttled until it is reopened (on weakly
      ordered systems), respectively, when read-URB completion races with
      unthrottle().
      
      First, the URB must not be marked as free before processing is complete
      to prevent it from being submitted by unthrottle() on another CPU.
      
      	CPU 1				CPU 2
      	================		================
      	complete()			unthrottle()
      	  process_urb();
      	  smp_mb__before_atomic();
      	  set_bit(i, free);		  if (test_and_clear_bit(i, free))
      						  submit_urb();
      
      Second, the URB must be marked as free before checking the throttled
      flag to prevent unthrottle() on another CPU from failing to observe that
      the URB needs to be submitted if complete() sees that the throttled flag
      is set.
      
      	CPU 1				CPU 2
      	================		================
      	complete()			unthrottle()
      	  set_bit(i, free);		  throttled = 0;
      	  smp_mb__after_atomic();	  smp_mb();
      	  if (throttled)		  if (test_and_clear_bit(i, free))
      		  return;			  submit_urb();
      
      Note that test_and_clear_bit() only implies barriers when the test is
      successful. To handle the case where the URB is still in use an explicit
      barrier needs to be added to unthrottle() for the second race condition.
      
      Also note that the first race was fixed by 36e59e0d ("cdc-acm: fix
      race between callback and unthrottle") back in 2015, but the bug was
      reintroduced a year later.
      
      Fixes: 1aba579f ("cdc-acm: handle read pipe errors")
      Fixes: 088c64f8 ("USB: cdc-acm: re-write read processing")
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Acked-by: NOliver Neukum <oneukum@suse.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18e6f302