Refresh patches.
Remove upstreamed patches:
- backport/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
- pending/510-f2fs-fix-sanity_check_raw_super-on-big-endian-machines.patch
- brcm2708/950-0415-qmi_wwan-apply-SET_DTR-quirk-to-the-SIMCOM-shared-de.patch
Compile-tested: ar71xx, ath79, brcm2708/bcm27{08,10}, octeon, x86/64
Runtime-tested: ar71xx, ath79, brcm2708/bcm27{08,10}, octeon, x86/64
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
master
Stijn Tintel
5 years ago
parent
7a4075bd10
commit
8c6f00ef4f
@ -1,45 +0,0 @@ |
||||
From d0b55a012bbf2ffe4307f2632165dc1f8cdc351f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
|
||||
Date: Fri, 25 May 2018 15:00:20 +0200
|
||||
Subject: [PATCH 415/454] qmi_wwan: apply SET_DTR quirk to the SIMCOM shared
|
||||
device ID
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
commit 102cd909635612c0be784a519651954a7924c786 upstream.
|
||||
|
||||
SIMCOM are reusing a single device ID for many (all of their?)
|
||||
different modems, based on different chipsets and firmwares. Newer
|
||||
Qualcomm chipset generations require setting DTR to wake the QMI
|
||||
function. The SIM7600E modem is using such a chipset, making it
|
||||
fail to work with this driver despite the device ID match.
|
||||
|
||||
Fix by unconditionally enabling the SET_DTR quirk for all SIMCOM
|
||||
modems using this specific device ID. This is similar to what
|
||||
we already have done for another case of device IDs recycled over
|
||||
multiple chipset generations: 14cf4a771b30 ("drivers: net: usb:
|
||||
qmi_wwan: add QMI_QUIRK_SET_DTR for Telit PID 0x1201")
|
||||
|
||||
Initial testing on an older SIM7100 modem shows no immediate side
|
||||
effects.
|
||||
|
||||
Reported-by: Sebastian Sjoholm <sebastian.sjoholm@gmail.com>
|
||||
Cc: Reinhard Speyerer <rspmn@arcor.de>
|
||||
Signed-off-by: Bjørn Mork <bjorn@mork.no>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/usb/qmi_wwan.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/net/usb/qmi_wwan.c
|
||||
+++ b/drivers/net/usb/qmi_wwan.c
|
||||
@@ -1250,7 +1250,7 @@ static const struct usb_device_id produc
|
||||
{QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
|
||||
{QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */
|
||||
{QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */
|
||||
- {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)}, /* SIMCom 7230E */
|
||||
+ {QMI_QUIRK_SET_DTR(0x1e0e, 0x9001, 5)}, /* SIMCom 7100E, 7230E, 7600E ++ */
|
||||
{QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */
|
||||
{QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */
|
||||
{QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */
|
||||
@ -1,119 +0,0 @@ |
||||
From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001
|
||||
From: Paul Burton <paul.burton@mips.com>
|
||||
Date: Thu, 20 Dec 2018 17:45:43 +0000
|
||||
Subject: MIPS: math-emu: Write-protect delay slot emulation pages
|
||||
|
||||
Mapping the delay slot emulation page as both writeable & executable
|
||||
presents a security risk, in that if an exploit can write to & jump into
|
||||
the page then it can be used as an easy way to execute arbitrary code.
|
||||
|
||||
Prevent this by mapping the page read-only for userland, and using
|
||||
access_process_vm() with the FOLL_FORCE flag to write to it from
|
||||
mips_dsemul().
|
||||
|
||||
This will likely be less efficient due to copy_to_user_page() performing
|
||||
cache maintenance on a whole page, rather than a single line as in the
|
||||
previous use of flush_cache_sigtramp(). However this delay slot
|
||||
emulation code ought not to be running in any performance critical paths
|
||||
anyway so this isn't really a problem, and we can probably do better in
|
||||
copy_to_user_page() anyway in future.
|
||||
|
||||
A major advantage of this approach is that the fix is small & simple to
|
||||
backport to stable kernels.
|
||||
|
||||
Reported-by: Andy Lutomirski <luto@kernel.org>
|
||||
Signed-off-by: Paul Burton <paul.burton@mips.com>
|
||||
Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
|
||||
Cc: stable@vger.kernel.org # v4.8+
|
||||
Cc: linux-mips@vger.kernel.org
|
||||
Cc: linux-kernel@vger.kernel.org
|
||||
Cc: Rich Felker <dalias@libc.org>
|
||||
Cc: David Daney <david.daney@cavium.com>
|
||||
---
|
||||
arch/mips/kernel/vdso.c | 4 ++--
|
||||
arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------
|
||||
2 files changed, 22 insertions(+), 20 deletions(-)
|
||||
|
||||
--- a/arch/mips/kernel/vdso.c
|
||||
+++ b/arch/mips/kernel/vdso.c
|
||||
@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct l
|
||||
|
||||
/* Map delay slot emulation page */
|
||||
base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
|
||||
- VM_READ|VM_WRITE|VM_EXEC|
|
||||
- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
|
||||
+ VM_READ | VM_EXEC |
|
||||
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
|
||||
0, NULL);
|
||||
if (IS_ERR_VALUE(base)) {
|
||||
ret = base;
|
||||
--- a/arch/mips/math-emu/dsemul.c
|
||||
+++ b/arch/mips/math-emu/dsemul.c
|
||||
@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mi
|
||||
{
|
||||
int isa16 = get_isa16_mode(regs->cp0_epc);
|
||||
mips_instruction break_math;
|
||||
- struct emuframe __user *fr;
|
||||
- int err, fr_idx;
|
||||
+ unsigned long fr_uaddr;
|
||||
+ struct emuframe fr;
|
||||
+ int fr_idx, ret;
|
||||
|
||||
/* NOP is easy */
|
||||
if (ir == 0)
|
||||
@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mi
|
||||
fr_idx = alloc_emuframe();
|
||||
if (fr_idx == BD_EMUFRAME_NONE)
|
||||
return SIGBUS;
|
||||
- fr = &dsemul_page()[fr_idx];
|
||||
|
||||
/* Retrieve the appropriately encoded break instruction */
|
||||
break_math = BREAK_MATH(isa16);
|
||||
|
||||
/* Write the instructions to the frame */
|
||||
if (isa16) {
|
||||
- err = __put_user(ir >> 16,
|
||||
- (u16 __user *)(&fr->emul));
|
||||
- err |= __put_user(ir & 0xffff,
|
||||
- (u16 __user *)((long)(&fr->emul) + 2));
|
||||
- err |= __put_user(break_math >> 16,
|
||||
- (u16 __user *)(&fr->badinst));
|
||||
- err |= __put_user(break_math & 0xffff,
|
||||
- (u16 __user *)((long)(&fr->badinst) + 2));
|
||||
+ union mips_instruction _emul = {
|
||||
+ .halfword = { ir >> 16, ir }
|
||||
+ };
|
||||
+ union mips_instruction _badinst = {
|
||||
+ .halfword = { break_math >> 16, break_math }
|
||||
+ };
|
||||
+
|
||||
+ fr.emul = _emul.word;
|
||||
+ fr.badinst = _badinst.word;
|
||||
} else {
|
||||
- err = __put_user(ir, &fr->emul);
|
||||
- err |= __put_user(break_math, &fr->badinst);
|
||||
+ fr.emul = ir;
|
||||
+ fr.badinst = break_math;
|
||||
}
|
||||
|
||||
- if (unlikely(err)) {
|
||||
+ /* Write the frame to user memory */
|
||||
+ fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
|
||||
+ ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
|
||||
+ FOLL_FORCE | FOLL_WRITE);
|
||||
+ if (unlikely(ret != sizeof(fr))) {
|
||||
MIPS_FPU_EMU_INC_STATS(errors);
|
||||
free_emuframe(fr_idx, current->mm);
|
||||
return SIGBUS;
|
||||
@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mi
|
||||
atomic_set(¤t->thread.bd_emu_frame, fr_idx);
|
||||
|
||||
/* Change user register context to execute the frame */
|
||||
- regs->cp0_epc = (unsigned long)&fr->emul | isa16;
|
||||
-
|
||||
- /* Ensure the icache observes our newly written frame */
|
||||
- flush_cache_sigtramp((unsigned long)&fr->emul);
|
||||
+ regs->cp0_epc = fr_uaddr | isa16;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -1,51 +0,0 @@ |
||||
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
|
||||
To: linux-f2fs-devel@lists.sourceforge.net, yuchao0@huawei.com,
|
||||
jaegeuk@kernel.org
|
||||
Subject: [PATCH v2 1/1] f2fs: fix validation of the block count in
|
||||
sanity_check_raw_super
|
||||
Date: Sat, 22 Dec 2018 11:22:26 +0100
|
||||
Message-Id: <20181222102226.10050-2-martin.blumenstingl@googlemail.com>
|
||||
|
||||
Treat "block_count" from struct f2fs_super_block as 64-bit little endian
|
||||
value in sanity_check_raw_super() because struct f2fs_super_block
|
||||
declares "block_count" as "__le64".
|
||||
|
||||
This fixes a bug where the superblock validation fails on big endian
|
||||
devices with the following error:
|
||||
F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
|
||||
F2FS-fs (sda1): Can't find valid F2FS filesystem in 1th superblock
|
||||
F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
|
||||
F2FS-fs (sda1): Can't find valid F2FS filesystem in 2th superblock
|
||||
As result of this the partition cannot be mounted.
|
||||
|
||||
With this patch applied the superblock validation works fine and the
|
||||
partition can be mounted again:
|
||||
F2FS-fs (sda1): Mounted with checkpoint version = 7c84
|
||||
|
||||
My little endian x86-64 hardware was able to mount the partition without
|
||||
this fix.
|
||||
To confirm that mounting f2fs filesystems works on big endian machines
|
||||
again I tested this on a 32-bit MIPS big endian (lantiq) device.
|
||||
|
||||
Fixes: 0cfe75c5b01199 ("f2fs: enhance sanity_check_raw_super() to avoid potential overflows")
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
|
||||
Reviewed-by: Chao Yu <yuchao0@huawei.com>
|
||||
---
|
||||
|
||||
--- a/fs/f2fs/super.c
|
||||
+++ b/fs/f2fs/super.c
|
||||
@@ -1897,10 +1897,10 @@ static int sanity_check_raw_super(struct
|
||||
return 1;
|
||||
}
|
||||
|
||||
- if (segment_count > (le32_to_cpu(raw_super->block_count) >> 9)) {
|
||||
+ if (segment_count > (le64_to_cpu(raw_super->block_count) >> 9)) {
|
||||
f2fs_msg(sb, KERN_INFO,
|
||||
- "Wrong segment_count / block_count (%u > %u)",
|
||||
- segment_count, le32_to_cpu(raw_super->block_count));
|
||||
+ "Wrong segment_count / block_count (%u > %llu)",
|
||||
+ segment_count, le64_to_cpu(raw_super->block_count));
|
||||
return 1;
|
||||
}
|
||||
|
||||
Loading…
Reference in new issue