Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.9.322 2022-07-07T15:30:12+00:00 2022-07-07T15:30:12+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2022-07-07T15:30:12+00:00 urn:sha1:445514206988935e5ef0e80588d7481aa3cd3b7b Link: https://lore.kernel.org/r/20220705115605.742248854@linuxfoundation.org Tested-by: Jon Hunter <jonathanh@nvidia.com> Tested-by: Florian Fainelli <f.fainelli@gmail.com> Tested-by: Linux Kernel Functional Testing <lkft@linaro.org> Tested-by: Guenter Roeck <linux@roeck-us.net> Tested-by: Shuah Khan <skhan@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-07-07T15:30:12+00:00 Daniele Palmas dnlplm@gmail.com 2021-12-10T09:57:22+00:00 urn:sha1:abc8b899f3120042241206a45eb396c242258345 commit 94f2a444f28a649926c410eb9a38afb13a83ebe0 upstream. Add the following Telit FN990 composition: 0x1070: tty, adb, rmnet, tty, tty, tty, tty Signed-off-by: Daniele Palmas <dnlplm@gmail.com> Acked-by: Bjørn Mork <bjorn@mork.no> Link: https://lore.kernel.org/r/20211210095722.22269-1-dnlplm@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Cc: Fabio Porcedda <fabio.porcedda@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-07-07T15:30:12+00:00 Carlo Lobrano c.lobrano@gmail.com 2021-09-03T12:09:53+00:00 urn:sha1:a8ca6326a7b3fcee0a97eed39f323e3b63add618 commit 8d17a33b076d24aa4861f336a125c888fb918605 upstream. This patch adds support for Telit LN920 0x1060 composition 0x1060: tty, adb, rmnet, tty, tty, tty, tty Signed-off-by: Carlo Lobrano <c.lobrano@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: Fabio Porcedda <fabio.porcedda@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-07-07T15:30:12+00:00 Daniele Palmas dnlplm@gmail.com 2020-11-02T11:01:08+00:00 urn:sha1:cd7f1b31f1d20db0ee4fbbb771ccd4ada976557e commit 5fd8477ed8ca77e64b93d44a6dae4aa70c191396 upstream. Add support for Telit LE910Cx 0x1230 composition: 0x1230: tty, adb, rmnet, audio, tty, tty, tty, tty Signed-off-by: Daniele Palmas <dnlplm@gmail.com> Acked-by: Bjørn Mork <bjorn@mork.no> Link: https://lore.kernel.org/r/20201102110108.17244-1-dnlplm@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Cc: Fabio Porcedda <fabio.porcedda@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-07-07T15:30:12+00:00 Daniele Palmas dnlplm@gmail.com 2019-05-15T15:29:43+00:00 urn:sha1:d9c6caf6af0ad88945ede0bf629174ae764ec809 commit b4e467c82f8c12af78b6f6fa5730cb7dea7af1b4 upstream. Added support for Telit LE910Cx 0x1260 and 0x1261 compositions. Signed-off-by: Daniele Palmas <dnlplm@gmail.com> Acked-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: Fabio Porcedda <fabio.porcedda@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-07-07T15:30:11+00:00 Jörgen Storvist jorgen.storvist@gmail.com 2018-12-13T16:00:35+00:00 urn:sha1:cf1d2a01b19ba473af59e05a21394244847a572a commit 1986af16e8ed355822600c24b3d2f0be46b573df upstream. Added support for the Telit LN940 series cellular modules QMI interface. QMI_QUIRK_SET_DTR quirk requied for Qualcomm MDM9x40 chipset. Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com> Acked-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-07-07T15:30:11+00:00 Oleksandr Tyshchenko oleksandr_tyshchenko@epam.com 2022-07-01T07:57:42+00:00 urn:sha1:856d1b8e6e826b5087f1ea3fdbabda3557d73599 commit b75cd218274e01d026dc5240e86fdeb44bbed0c8 upstream. During the PV driver life cycle the mappings are added to the RB-tree by set_foreign_p2m_mapping(), which is called from gnttab_map_refs() and are removed by clear_foreign_p2m_mapping() which is called from gnttab_unmap_refs(). As both functions end up calling __set_phys_to_machine_multi() which updates the RB-tree, this function can be called concurrently. There is already a "p2m_lock" to protect against concurrent accesses, but the problem is that the first read of "phys_to_mach.rb_node" in __set_phys_to_machine_multi() is not covered by it, so this might lead to the incorrect mappings update (removing in our case) in RB-tree. In my environment the related issue happens rarely and only when PV net backend is running, the xen_add_phys_to_mach_entry() claims that it cannot add new pfn <-> mfn mapping to the tree since it is already exists which results in a failure when mapping foreign pages. But there might be other bad consequences related to the non-protected root reads such use-after-free, etc. While at it, also fix the similar usage in __pfn_to_mfn(), so initialize "struct rb_node *n" with the "p2m_lock" held in both functions to avoid possible bad consequences. This is CVE-2022-33744 / XSA-406. Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> Signed-off-by: Juergen Gross <jgross@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-07-07T15:30:11+00:00 Roger Pau Monne roger.pau@citrix.com 2022-04-07T11:04:24+00:00 urn:sha1:8dad9a67100245295373523375610be850999b37 commit 2400617da7eebf9167d71a46122828bc479d64c9 upstream. Split the current bounce buffering logic used with persistent grants into it's own option, and allow enabling it independently of persistent grants. This allows to reuse the same code paths to perform the bounce buffering required to avoid leaking contiguous data in shared pages not part of the request fragments. Reporting whether the backend is to be trusted can be done using a module parameter, or from the xenstore frontend path as set by the toolstack when adding the device. This is CVE-2022-33742, part of XSA-403. Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Juergen Gross <jgross@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-07-07T15:30:11+00:00 Roger Pau Monne roger.pau@citrix.com 2022-04-07T10:20:06+00:00 urn:sha1:c6e941364608d911ac7b055d27d86e360fd94aed commit 4491001c2e0fa69efbb748c96ec96b100a5cdb7e upstream. Bounce all data on the skbs to be transmitted into zeroed pages if the backend is untrusted. This avoids leaking data present in the pages shared with the backend but not part of the skb fragments. This requires introducing a new helper in order to allocate skbs with a size multiple of XEN_PAGE_SIZE so we don't leak contiguous data on the granted pages. Reporting whether the backend is to be trusted can be done using a module parameter, or from the xenstore frontend path as set by the toolstack when adding the device. This is CVE-2022-33741, part of XSA-403. Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Juergen Gross <jgross@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-07-07T15:30:11+00:00 Roger Pau Monne roger.pau@citrix.com 2022-04-06T15:38:04+00:00 urn:sha1:d1d69e0c838c2df7089357ec27000942086325c4 commit 307c8de2b02344805ebead3440d8feed28f2f010 upstream. When allocating pages to be used for shared communication with the backend always zero them, this avoids leaking unintended data present on the pages. This is CVE-2022-33740, part of XSA-403. Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Juergen Gross <jgross@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>