commit c58091a3ea4c1fa8a71f38842c877fbd4c54b45d Author: Greg Kroah-Hartman Date: Wed Jun 10 20:21:45 2020 +0200 Linux 5.7.2 commit 516c0cb6a5bb6c0a8812e283506a778e548a4da7 Author: Oleg Nesterov Date: Mon May 4 18:47:25 2020 +0200 uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned commit 013b2deba9a6b80ca02f4fafd7dedf875e9b4450 upstream. uprobe_write_opcode() must not cross page boundary; prepare_uprobe() relies on arch_uprobe_analyze_insn() which should validate "vaddr" but some architectures (csky, s390, and sparc) don't do this. We can remove the BUG_ON() check in prepare_uprobe() and validate the offset early in __uprobe_register(). The new IS_ALIGNED() check matches the alignment check in arch_prepare_kprobe() on supported architectures, so I think that all insns must be aligned to UPROBE_SWBP_INSN_SIZE. Another problem is __update_ref_ctr() which was wrong from the very beginning, it can read/write outside of kmap'ed page unless "vaddr" is aligned to sizeof(short), __uprobe_register() should check this too. Reported-by: Linus Torvalds Suggested-by: Linus Torvalds Signed-off-by: Oleg Nesterov Reviewed-by: Srikar Dronamraju Acked-by: Christian Borntraeger Tested-by: Sven Schnelle Cc: Steven Rostedt Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8af4d7727299be70d77e9678a2ea6cd19ff5825c Author: Josh Poimboeuf Date: Mon Apr 27 20:46:13 2020 +0200 x86/speculation: Add Ivy Bridge to affected list commit 3798cc4d106e91382bfe016caa2edada27c2bb3f upstream Make the docs match the code. Signed-off-by: Josh Poimboeuf Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 73c5cad3af0228fd0c2679ef0db5fbacbfafbe13 Author: Mark Gross Date: Thu Apr 16 18:21:51 2020 +0200 x86/speculation: Add SRBDS vulnerability and mitigation documentation commit 7222a1b5b87417f22265c92deea76a6aecd0fb0f upstream Add documentation for the SRBDS vulnerability and its mitigation. [ bp: Massage. jpoimboe: sysfs table strings. ] Signed-off-by: Mark Gross Signed-off-by: Borislav Petkov Reviewed-by: Tony Luck Reviewed-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman commit cdf4110fb3fa02aeaef93c7f67b5b5b5d116d595 Author: Mark Gross Date: Thu Apr 16 17:54:04 2020 +0200 x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation commit 7e5b3c267d256822407a22fdce6afdf9cd13f9fb upstream SRBDS is an MDS-like speculative side channel that can leak bits from the random number generator (RNG) across cores and threads. New microcode serializes the processor access during the execution of RDRAND and RDSEED. This ensures that the shared buffer is overwritten before it is released for reuse. While it is present on all affected CPU models, the microcode mitigation is not needed on models that enumerate ARCH_CAPABILITIES[MDS_NO] in the cases where TSX is not supported or has been disabled with TSX_CTRL. The mitigation is activated by default on affected processors and it increases latency for RDRAND and RDSEED instructions. Among other effects this will reduce throughput from /dev/urandom. * Enable administrator to configure the mitigation off when desired using either mitigations=off or srbds=off. * Export vulnerability status via sysfs * Rename file-scoped macros to apply for non-whitelist table initializations. [ bp: Massage, - s/VULNBL_INTEL_STEPPING/VULNBL_INTEL_STEPPINGS/g, - do not read arch cap MSR a second time in tsx_fused_off() - just pass it in, - flip check in cpu_set_bug_bits() to save an indentation level, - reflow comments. jpoimboe: s/Mitigated/Mitigation/ in user-visible strings tglx: Dropped the fused off magic for now ] Signed-off-by: Mark Gross Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Reviewed-by: Tony Luck Reviewed-by: Pawan Gupta Reviewed-by: Josh Poimboeuf Tested-by: Neelima Krishnan Signed-off-by: Greg Kroah-Hartman commit 468e86c304bd2e32307b438b67d61c0075a9beb9 Author: Mark Gross Date: Thu Apr 16 17:32:42 2020 +0200 x86/cpu: Add 'table' argument to cpu_matches() commit 93920f61c2ad7edb01e63323832585796af75fc9 upstream To make cpu_matches() reusable for other matching tables, have it take a pointer to a x86_cpu_id table as an argument. [ bp: Flip arguments order. ] Signed-off-by: Mark Gross Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Reviewed-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman commit dc7919a5a32ccb88b5884a802269524d0e56dce0 Author: Mark Gross Date: Thu Apr 16 17:23:10 2020 +0200 x86/cpu: Add a steppings field to struct x86_cpu_id commit e9d7144597b10ff13ff2264c059f7d4a7fbc89ac upstream Intel uses the same family/model for several CPUs. Sometimes the stepping must be checked to tell them apart. On x86 there can be at most 16 steppings. Add a steppings bitmask to x86_cpu_id and a X86_MATCH_VENDOR_FAMILY_MODEL_STEPPING_FEATURE macro and support for matching against family/model/stepping. [ bp: Massage. ] Signed-off-by: Mark Gross Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Reviewed-by: Tony Luck Reviewed-by: Josh Poimboeuf Signed-off-by: Greg Kroah-Hartman commit 7885998debc6befe805ebb245fe80a757014683c Author: Srinivas Kandagatla Date: Fri May 22 12:33:41 2020 +0100 nvmem: qfprom: remove incorrect write support commit 8d9eb0d6d59a5d7028c80a30831143d3e75515a7 upstream. qfprom has different address spaces for read and write. Reads are always done from corrected address space, where as writes are done on raw address space. Writing to corrected address space is invalid and ignored, so it does not make sense to have this support in the driver which only supports corrected address space regions at the moment. Fixes: 4ab11996b489 ("nvmem: qfprom: Add Qualcomm QFPROM support.") Signed-off-by: Srinivas Kandagatla Reviewed-by: Douglas Anderson Cc: stable Link: https://lore.kernel.org/r/20200522113341.7728-1-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit d08cc4db8fe5bfb0554e34bc17e504a94f57bee4 Author: Oliver Neukum Date: Tue May 26 14:44:20 2020 +0200 CDC-ACM: heed quirk also in error handling commit 97fe809934dd2b0b37dfef3a2fc70417f485d7af upstream. If buffers are iterated over in the error case, the lower limits for quirky devices must be heeded. Signed-off-by: Oliver Neukum Reported-by: Jean Rene Dawin Fixes: a4e7279cd1d19 ("cdc-acm: introduce a cool down") Cc: stable Link: https://lore.kernel.org/r/20200526124420.22160-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman commit 9a07c5a296e8f98a34affdf1c7700b3f3b8925e5 Author: Pascal Terjan Date: Sat May 23 22:12:47 2020 +0100 staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK commit 15ea976a1f12b5fd76b1bd6ff3eb5132fd28047f upstream. The value in shared headers was fixed 9 years ago in commit 8d661f1e462d ("ieee80211: correct IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK macro") and while looking at using shared headers for other duplicated constants I noticed this driver uses the old value. The macros are also defined twice in this file so I am deleting the second definition. Signed-off-by: Pascal Terjan Cc: stable Link: https://lore.kernel.org/r/20200523211247.23262-1-pterjan@google.com Signed-off-by: Greg Kroah-Hartman commit 4d18b3f94eefc4f1b22fa6fdbb083485cb5323e4 Author: Jiri Slaby Date: Tue May 26 16:56:32 2020 +0200 tty: hvc_console, fix crashes on parallel open/close commit 24eb2377f977fe06d84fca558f891f95bc28a449 upstream. hvc_open sets tty->driver_data to NULL when open fails at some point. Typically, the failure happens in hp->ops->notifier_add(). If there is a racing process which tries to open such mangled tty, which was not closed yet, the process will crash in hvc_open as tty->driver_data is NULL. All this happens because close wants to know whether open failed or not. But ->open should not NULL this and other tty fields for ->close to be happy. ->open should call tty_port_set_initialized(true) and close should check by tty_port_initialized() instead. So do this properly in this driver. So this patch removes these from ->open: * tty_port_tty_set(&hp->port, NULL). This happens on last close. * tty->driver_data = NULL. Dtto. * tty_port_put(&hp->port). This happens in shutdown and until now, this must have been causing a reference underflow, if I am not missing something. Signed-off-by: Jiri Slaby Cc: stable Reported-and-tested-by: Raghavendra Link: https://lore.kernel.org/r/20200526145632.13879-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman commit 7ca8cd811dcc6550be059813caf4f2cf888a7616 Author: Dmitry Torokhov Date: Mon May 25 16:27:40 2020 -0700 vt: keyboard: avoid signed integer overflow in k_ascii commit b86dab054059b970111b5516ae548efaae5b3aae upstream. When k_ascii is invoked several times in a row there is a potential for signed integer overflow: UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c:888:19 signed integer overflow: 10 * 1111111111 cannot be represented in type 'int' CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.11 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xce/0x128 lib/dump_stack.c:118 ubsan_epilogue+0xe/0x30 lib/ubsan.c:154 handle_overflow+0xdc/0xf0 lib/ubsan.c:184 __ubsan_handle_mul_overflow+0x2a/0x40 lib/ubsan.c:205 k_ascii+0xbf/0xd0 drivers/tty/vt/keyboard.c:888 kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline] kbd_event+0x888/0x3be0 drivers/tty/vt/keyboard.c:1495 While it can be worked around by using check_mul_overflow()/ check_add_overflow(), it is better to introduce a separate flag to signal that number pad is being used to compose a symbol, and change type of the accumulator from signed to unsigned, thus avoiding undefined behavior when it overflows. Reported-by: Kyungtae Kim Signed-off-by: Dmitry Torokhov Cc: stable Link: https://lore.kernel.org/r/20200525232740.GA262061@dtor-ws Signed-off-by: Greg Kroah-Hartman commit 740049da812ce7d935c985997bc2341993586ed9 Author: Josh Triplett Date: Tue May 26 09:13:57 2020 -0700 serial: 8250: Enable 16550A variants by default on non-x86 commit 15a3f03d5ec0118f1e5db3fc1018686e72744e37 upstream. Some embedded devices still use these serial ports; make sure they're still enabled by default on architectures more likely to have them, to avoid rendering someone's console unavailable. Reported-by: Vladimir Oltean Reported-by: Maxim Kochetkov Fixes: dc56ecb81a0a ("serial: 8250: Support disabling mdelay-filled probes of 16550A variants") Cc: stable Signed-off-by: Josh Triplett Link: https://lore.kernel.org/r/a20b5fb7dd295cfb48160eecf4bdebd76332d67d.1590509426.git.josh@joshtriplett.org Signed-off-by: Greg Kroah-Hartman commit 665cc6af906a93ac33f456acbb33d78efc965bb8 Author: Paul Cercueil Date: Sun May 24 21:50:48 2020 -0500 usb: musb: jz4740: Prevent lockup when CONFIG_SMP is set commit 685f5f24108a5f3481da70ee75a1b18b9de34257 upstream. The function dma_controller_irq() locks up the exact same spinlock we locked before calling it, which obviously resulted in a deadlock when CONFIG_SMP was enabled. This flew under the radar as none of the boards supported by this driver needs SMP. Fixes: 57aadb46bd63 ("usb: musb: jz4740: Add support for DMA") Cc: stable@vger.kernel.org Signed-off-by: Paul Cercueil Signed-off-by: Bin Liu Link: https://lore.kernel.org/r/20200525025049.3400-6-b-liu@ti.com Signed-off-by: Greg Kroah-Hartman commit b23a5312fc0d48cb42e52ae94c978b6ccef8eb0e Author: Dinghao Liu Date: Sun May 24 21:50:49 2020 -0500 usb: musb: Fix runtime PM imbalance on error commit e4befc121df03dc8ed2ac1031c98f9538e244bae upstream. When copy_from_user() returns an error code, there is a runtime PM usage counter imbalance. Fix this by moving copy_from_user() to the beginning of this function. Fixes: 7b6c1b4c0e1e ("usb: musb: fix runtime PM in debugfs") Signed-off-by: Dinghao Liu Cc: stable@vger.kernel.org Signed-off-by: Bin Liu Link: https://lore.kernel.org/r/20200525025049.3400-7-b-liu@ti.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 788481763e9337eecb7bc1953e2ef816b40e2df4 Author: Bin Liu Date: Sun May 24 21:50:45 2020 -0500 usb: musb: start session in resume for host port commit 7f88a5ac393f39319f69b8b20cc8d5759878d1a1 upstream. Commit 17539f2f4f0b ("usb: musb: fix enumeration after resume") replaced musb_start() in musb_resume() to not override softconnect bit, but it doesn't restart the session for host port which was done in musb_start(). The session could be disabled in musb_suspend(), which leads the host port doesn't stay in host mode. So let's start the session specifically for host port in musb_resume(). Fixes: 17539f2f4f0b ("usb: musb: fix enumeration after resume") Cc: stable@vger.kernel.org Signed-off-by: Bin Liu Link: https://lore.kernel.org/r/20200525025049.3400-3-b-liu@ti.com Signed-off-by: Greg Kroah-Hartman commit 538dbbb3208942313fe5de79d2757905d27f5e0e Author: Fabrice Gasnier Date: Tue May 12 15:27:05 2020 +0200 iio: adc: stm32-adc: fix a wrong error message when probing interrupts commit 10134ec3f8cefa6a40fe84987f1795e9e0da9715 upstream. A wrong error message is printed out currently, like on STM32MP15: - stm32-adc-core 48003000.adc: IRQ index 2 not found. This is seen since commit 7723f4c5ecdb ("driver core: platform: Add an error message to platform_get_irq*()"). The STM32 ADC core driver wrongly requests up to 3 interrupt lines. It should request only the necessary IRQs, based on the compatible: - stm32f4/h7 ADCs share a common interrupt - stm32mp1, has one interrupt line per ADC. So add the number of required interrupts to the compatible data. Fixes: d58c67d1d851 ("iio: adc: stm32-adc: add support for STM32MP1") Signed-off-by: Fabrice Gasnier Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit baccc9971670e9e95b079b3753c7d4938a0e8c2b Author: Jonathan Cameron Date: Sun May 17 18:30:00 2020 +0100 iio:chemical:pms7003: Fix timestamp alignment and prevent data leak. commit 13e945631c2ffb946c0af342812a3cd39227de6e upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak appart from previous readings. Fixes: a1d642266c14 ("iio: chemical: add support for Plantower PMS7003 sensor") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Acked-by: Tomasz Duszynski Signed-off-by: Greg Kroah-Hartman commit b2f58645347640c6f516b6e9add8fb38e841ca94 Author: Mathieu Othacehe Date: Sun May 3 11:29:55 2020 +0200 iio: vcnl4000: Fix i2c swapped word reading. commit 18dfb5326370991c81a6d1ed6d1aeee055cb8c05 upstream. The bytes returned by the i2c reading need to be swapped unconditionally. Otherwise, on be16 platforms, an incorrect value will be returned. Taking the slow path via next merge window as its been around a while and we have a patch set dependent on this which would be held up. Fixes: 62a1efb9f868 ("iio: add vcnl4000 combined ALS and proximity sensor") Signed-off-by: Mathieu Othacehe Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 15c5184ff111eb5443c16f28f866ef9fc3b1c251 Author: Jonathan Cameron Date: Sun May 17 18:29:59 2020 +0100 iio:chemical:sps30: Fix timestamp alignment commit a5bf6fdd19c327bcfd9073a8740fa19ca4525fd4 upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. Fixes: 232e0f6ddeae ("iio: chemical: add support for Sensirion SPS30 sensor") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Acked-by: Tomasz Duszynski Signed-off-by: Greg Kroah-Hartman commit 4c88f55316d9e87bf65c363f3b3a8e41bfd57d25 Author: Johan Hovold Date: Thu May 14 11:36:45 2020 +0200 USB: serial: ch341: fix lockup of devices with limited prescaler commit c432df155919582a3cefa35a8f86256c830fa9a4 upstream. Michael Hanselmann reports that [a] subset of all CH341 devices stop responding to bulk transfers, usually after the third byte, when the highest prescaler bit (0b100) is set. There is one exception, namely a prescaler of exactly 0b111 (fact=1, ps=3). Fix this by forcing a lower base clock (fact = 0) whenever needed. This specifically makes the standard rates 110, 134 and 200 bps work again with these devices. Fixes: 35714565089e ("USB: serial: ch341: reimplement line-speed handling") Cc: stable # 5.5 Reported-by: Michael Hanselmann Link: https://lore.kernel.org/r/20200514141743.GE25962@localhost Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 43e424a2d8ed3d795036631a8b85bbc71f14ddd8 Author: Michael Hanselmann Date: Tue Mar 31 23:37:18 2020 +0000 USB: serial: ch341: add basis for quirk detection commit c404bf4aa9236cb4d1068e499ae42acf48a6ff97 upstream. A subset of CH341 devices does not support all features, namely the prescaler is limited to a reduced precision and there is no support for sending a RS232 break condition. This patch adds a detection function which will be extended to set quirk flags as they're implemented. The author's affected device has an imprint of "340" on the turquoise-colored plug, but not all such devices appear to be affected. Signed-off-by: Michael Hanselmann Link: https://lore.kernel.org/r/1e1ae0da6082bb528a44ef323d4e1d3733d38858.1585697281.git.public@hansmi.ch [ johan: use long type for quirks; rephrase and use port device for messages; handle short reads; set quirk flags directly in helper function ] Cc: stable # 5.5 Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 2aa7a88feac2dbff3e2bfdb969fd59703d815864 Author: Daniele Palmas Date: Mon May 25 23:11:06 2020 +0200 USB: serial: option: add Telit LE910C1-EUX compositions commit 399ad9477c523f721f8e51d4f824bdf7267f120c upstream. Add Telit LE910C1-EUX compositions: 0x1031: tty, tty, tty, rmnet 0x1033: tty, tty, tty, ecm Signed-off-by: Daniele Palmas Link: https://lore.kernel.org/r/20200525211106.27338-1-dnlplm@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit e55b113a0bfe1a425a9581f144d94e2ad886d7c1 Author: Bin Liu Date: Wed May 13 16:36:46 2020 -0500 USB: serial: usb_wwan: do not resubmit rx urb on fatal errors commit 986c1748c84d7727defeaeca74a73b37f7d5cce1 upstream. usb_wwan_indat_callback() shouldn't resubmit rx urb if the previous urb status is a fatal error. Or the usb controller would keep processing the new urbs then run into interrupt storm, and has no chance to recover. Fixes: 6c1ee66a0b2b ("USB-Serial: Fix error handling of usb_wwan") Cc: stable@vger.kernel.org Signed-off-by: Bin Liu Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 42cf5f017f31f45767e2a66f1962dc414dbed544 Author: Matt Jolly Date: Thu May 21 10:43:58 2020 +1000 USB: serial: qcserial: add DW5816e QDL support commit 3429444abdd9dbd5faebd9bee552ec6162b17ad6 upstream. Add support for Dell Wireless 5816e Download Mode (AKA boot & hold mode / QDL download mode) to drivers/usb/serial/qcserial.c This is required to update device firmware. Signed-off-by: Matt Jolly Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman