3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 20 Dec 2018 08:39:00 +0000 (09:39 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 20 Dec 2018 08:39:00 +0000 (09:39 +0100)
added patches:
alsa-pcm-remove-sndrv_pcm_ioctl1_info-internal-command.patch
posix-timers-sanitize-overrun-handling.patch
sr-pass-down-correctly-sized-scsi-sense-buffer.patch
swiotlb-clean-up-reporting.patch
wil6210-missing-length-check-in-wmi_set_ie.patch

queue-3.18/alsa-pcm-remove-sndrv_pcm_ioctl1_info-internal-command.patch [new file with mode: 0644]
queue-3.18/posix-timers-sanitize-overrun-handling.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/sr-pass-down-correctly-sized-scsi-sense-buffer.patch [new file with mode: 0644]
queue-3.18/swiotlb-clean-up-reporting.patch [new file with mode: 0644]
queue-3.18/wil6210-missing-length-check-in-wmi_set_ie.patch [new file with mode: 0644]

diff --git a/queue-3.18/alsa-pcm-remove-sndrv_pcm_ioctl1_info-internal-command.patch b/queue-3.18/alsa-pcm-remove-sndrv_pcm_ioctl1_info-internal-command.patch
new file mode 100644 (file)
index 0000000..54baf9a
--- /dev/null
@@ -0,0 +1,71 @@
+From foo@baz Thu Dec 20 09:24:42 CET 2018
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Wed, 14 Jun 2017 19:30:03 +0900
+Subject: ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit e11f0f90a626f93899687b1cc909ee37dd6c5809 upstream.
+
+Drivers can implement 'struct snd_pcm_ops.ioctl' to handle some requests
+from ALSA PCM core. These requests are internal purpose in kernel land.
+Usually common set of operations are used for it.
+
+SNDRV_PCM_IOCTL1_INFO is one of the requests. According to code comment,
+it has been obsoleted in the old days.
+
+We can see old releases in ftp.alsa-project.org. The command was firstly
+introduced in v0.5.0 release as SND_PCM_IOCTL1_INFO, to allow drivers to
+fill data of 'struct snd_pcm_channel_info' type. In v0.9.0 release,
+this was obsoleted by the other commands for ioctl(2) such as
+SNDRV_PCM_IOCTL_CHANNEL_INFO.
+
+This commit removes the long-abandoned command, bye.
+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/sound/pcm.h     |    2 +-
+ sound/core/pcm_lib.c    |    2 --
+ sound/core/pcm_native.c |    6 +-----
+ 3 files changed, 2 insertions(+), 8 deletions(-)
+
+--- a/include/sound/pcm.h
++++ b/include/sound/pcm.h
+@@ -98,7 +98,7 @@ struct snd_pcm_ops {
+ #define SNDRV_PCM_IOCTL1_TRUE         ((void *)1)
+ #define SNDRV_PCM_IOCTL1_RESET                0
+-#define SNDRV_PCM_IOCTL1_INFO         1
++/* 1 is absent slot. */
+ #define SNDRV_PCM_IOCTL1_CHANNEL_INFO 2
+ #define SNDRV_PCM_IOCTL1_GSTATE               3
+ #define SNDRV_PCM_IOCTL1_FIFO_SIZE    4
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -1818,8 +1818,6 @@ int snd_pcm_lib_ioctl(struct snd_pcm_sub
+                     unsigned int cmd, void *arg)
+ {
+       switch (cmd) {
+-      case SNDRV_PCM_IOCTL1_INFO:
+-              return 0;
+       case SNDRV_PCM_IOCTL1_RESET:
+               return snd_pcm_lib_ioctl_reset(substream, arg);
+       case SNDRV_PCM_IOCTL1_CHANNEL_INFO:
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -216,11 +216,7 @@ int snd_pcm_info(struct snd_pcm_substrea
+       info->subdevices_avail = pstr->substream_count - pstr->substream_opened;
+       strlcpy(info->subname, substream->name, sizeof(info->subname));
+       runtime = substream->runtime;
+-      /* AB: FIXME!!! This is definitely nonsense */
+-      if (runtime) {
+-              info->sync = runtime->sync;
+-              substream->ops->ioctl(substream, SNDRV_PCM_IOCTL1_INFO, info);
+-      }
++
+       return 0;
+ }
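Review bot: After the pcm_native.c hunk, `runtime` is still assigned at L86 but nothing in the remaining body reads it, so the local is now set-but-unused and will draw a compiler warning unless something outside the hunk uses it; if nothing does, the assignment and the declaration should go with the block it served. The same hunk also drops `info->sync = runtime->sync;`, which means `snd_pcm_info()` no longer fills `info->sync` — a user-visible change that neither the upstream changelog nor a backport note mentions, and whether the field is zeroed earlier in the function is not visible here. A backport annotation such as `[bwh: note that info->sync is no longer populated by snd_pcm_info()]` would document it. The added empty line at L92 leaves a stray blank directly before `return 0;`.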
diff --git a/queue-3.18/posix-timers-sanitize-overrun-handling.patch b/queue-3.18/posix-timers-sanitize-overrun-handling.patch
new file mode 100644 (file)
index 0000000..2dd26fd
--- /dev/null
@@ -0,0 +1,147 @@
+From foo@baz Thu Dec 20 09:24:42 CET 2018
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Thu, 1 Nov 2018 13:02:38 -0700
+Subject: posix-timers: Sanitize overrun handling
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 78c9c4dfbf8c04883941445a195276bb4bb92c76 upstream.
+
+The posix timer overrun handling is broken because the forwarding functions
+can return a huge number of overruns which does not fit in an int. As a
+consequence timer_getoverrun(2) and siginfo::si_overrun can turn into
+random number generators.
+
+The k_clock::timer_forward() callbacks return a 64 bit value now. Make
+k_itimer::ti_overrun[_last] 64bit as well, so the kernel internal
+accounting is correct. 3Remove the temporary (int) casts.
+
+Add a helper function which clamps the overrun value returned to user space
+via timer_getoverrun(2) or siginfo::si_overrun limited to a positive value
+between 0 and INT_MAX. INT_MAX is an indicator for user space that the
+overrun value has been clamped.
+
+Reported-by: Team OWL337 <icytxw@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: John Stultz <john.stultz@linaro.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Michael Kerrisk <mtk.manpages@gmail.com>
+Link: https://lkml.kernel.org/r/20180626132705.018623573@linutronix.de
+[florian: Make patch apply to v4.9.135]
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/posix-timers.h   |    4 ++--
+ kernel/time/posix-cpu-timers.c |    2 +-
+ kernel/time/posix-timers.c     |   29 +++++++++++++++++++----------
+ 3 files changed, 22 insertions(+), 13 deletions(-)
+
+--- a/include/linux/posix-timers.h
++++ b/include/linux/posix-timers.h
+@@ -65,8 +65,8 @@ struct k_itimer {
+       spinlock_t it_lock;
+       clockid_t it_clock;             /* which timer type */
+       timer_t it_id;                  /* timer id */
+-      int it_overrun;                 /* overrun on pending signal  */
+-      int it_overrun_last;            /* overrun on last delivered signal */
++      s64 it_overrun;                 /* overrun on pending signal  */
++      s64 it_overrun_last;            /* overrun on last delivered signal */
+       int it_requeue_pending;         /* waiting to requeue this timer */
+ #define REQUEUE_PENDING 1
+       int it_sigev_notify;            /* notify word of sigevent struct */
+--- a/kernel/time/posix-cpu-timers.c
++++ b/kernel/time/posix-cpu-timers.c
+@@ -103,7 +103,7 @@ static void bump_cpu_timer(struct k_itim
+                       continue;
+               timer->it.cpu.expires += incr;
+-              timer->it_overrun += 1 << i;
++              timer->it_overrun += 1LL << i;
+               delta -= incr;
+       }
+ }
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -348,6 +348,17 @@ static __init int init_posix_timers(void
+ __initcall(init_posix_timers);
++/*
++ * The siginfo si_overrun field and the return value of timer_getoverrun(2)
++ * are of type int. Clamp the overrun value to INT_MAX
++ */
++static inline int timer_overrun_to_int(struct k_itimer *timr, int baseval)
++{
++      s64 sum = timr->it_overrun_last + (s64)baseval;
++
++      return sum > (s64)INT_MAX ? INT_MAX : (int)sum;
++}
++
+ static void schedule_next_timer(struct k_itimer *timr)
+ {
+       struct hrtimer *timer = &timr->it.real.timer;
+@@ -355,12 +366,11 @@ static void schedule_next_timer(struct k
+       if (timr->it.real.interval.tv64 == 0)
+               return;
+-      timr->it_overrun += (unsigned int) hrtimer_forward(timer,
+-                                              timer->base->get_time(),
+-                                              timr->it.real.interval);
++      timr->it_overrun += hrtimer_forward(timer, timer->base->get_time(),
++                                          timr->it.real.interval);
+       timr->it_overrun_last = timr->it_overrun;
+-      timr->it_overrun = -1;
++      timr->it_overrun = -1LL;
+       ++timr->it_requeue_pending;
+       hrtimer_restart(timer);
+ }
+@@ -389,7 +399,7 @@ void do_schedule_next_timer(struct sigin
+               else
+                       schedule_next_timer(timr);
+-              info->si_overrun += timr->it_overrun_last;
++              info->si_overrun = timer_overrun_to_int(timr, info->si_overrun);
+       }
+       if (timr)
+@@ -484,8 +494,7 @@ static enum hrtimer_restart posix_timer_
+                                       now = ktime_add(now, kj);
+                       }
+ #endif
+-                      timr->it_overrun += (unsigned int)
+-                              hrtimer_forward(timer, now,
++                      timr->it_overrun += hrtimer_forward(timer, now,
+                                               timr->it.real.interval);
+                       ret = HRTIMER_RESTART;
+                       ++timr->it_requeue_pending;
+@@ -626,7 +635,7 @@ SYSCALL_DEFINE3(timer_create, const cloc
+       it_id_set = IT_ID_SET;
+       new_timer->it_id = (timer_t) new_timer_id;
+       new_timer->it_clock = which_clock;
+-      new_timer->it_overrun = -1;
++      new_timer->it_overrun = -1LL;
+       if (timer_event_spec) {
+               if (copy_from_user(&event, timer_event_spec, sizeof (event))) {
+@@ -755,7 +764,7 @@ common_timer_get(struct k_itimer *timr,
+        */
+       if (iv.tv64 && (timr->it_requeue_pending & REQUEUE_PENDING ||
+                       timr->it_sigev_notify == SIGEV_NONE))
+-              timr->it_overrun += (unsigned int) hrtimer_forward(timer, now, iv);
++              timr->it_overrun += hrtimer_forward(timer, now, iv);
+       remaining = ktime_sub(hrtimer_get_expires(timer), now);
+       /* Return 0 only, when the timer is expired and not pending */
+@@ -817,7 +826,7 @@ SYSCALL_DEFINE1(timer_getoverrun, timer_
+       if (!timr)
+               return -EINVAL;
+-      overrun = timr->it_overrun_last;
++      overrun = timer_overrun_to_int(timr, 0);
+       unlock_timer(timr, flags);
+       return overrun;
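Review bot: `timer_overrun_to_int()` at L172-L177 clamps only the upper bound, while the changelog says the value is limited to "a positive value between 0 and INT_MAX"; if `it_overrun_last` can still carry the -1 that `it_overrun` is initialised to at L218 and reset to at L192, that negative value reaches `si_overrun` (L200) and `timer_getoverrun` (L233) unchanged. Either the changelog wording or the helper should agree: the defensive form is `return sum < 0 ? 0 : sum > (s64)INT_MAX ? INT_MAX : (int)sum;`, but since this is a backport it is probably better to stay byte-identical to upstream and make the comment at L169-L171 explicit that only the upper bound is clamped, e.g. `* Clamp the overrun value to INT_MAX (no lower bound is applied).`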
index c21f52de429a156658a54dbc4b057e85418d6c98..2e6a34da9160a1c5d424a1c7402b5c58844ef22b 100644 (file)
@@ -24,3 +24,8 @@ arm-8814-1-mm-improve-fix-arm-v7_dma_inv_range-unali.patch
 cifs-in-kconfig-config_cifs_posix-needs-depends-on-l.patch
 i2c-scmi-fix-probe-error-on-devices-with-an-empty-sm.patch
 alsa-isa-wavefront-prevent-some-out-of-bound-writes.patch
+alsa-pcm-remove-sndrv_pcm_ioctl1_info-internal-command.patch
+posix-timers-sanitize-overrun-handling.patch
+sr-pass-down-correctly-sized-scsi-sense-buffer.patch
+swiotlb-clean-up-reporting.patch
+wil6210-missing-length-check-in-wmi_set_ie.patch
diff --git a/queue-3.18/sr-pass-down-correctly-sized-scsi-sense-buffer.patch b/queue-3.18/sr-pass-down-correctly-sized-scsi-sense-buffer.patch
new file mode 100644 (file)
index 0000000..3fe9758
--- /dev/null
@@ -0,0 +1,84 @@
+From foo@baz Thu Dec 20 09:24:42 CET 2018
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 21 May 2018 12:21:14 -0600
+Subject: sr: pass down correctly sized SCSI sense buffer
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit f7068114d45ec55996b9040e98111afa56e010fe upstream.
+
+We're casting the CDROM layer request_sense to the SCSI sense
+buffer, but the former is 64 bytes and the latter is 96 bytes.
+As we generally allocate these on the stack, we end up blowing
+up the stack.
+
+Fix this by wrapping the scsi_execute() call with a properly
+sized sense buffer, and copying back the bits for the CDROM
+layer.
+
+Reported-by: Piotr Gabriel Kosinski <pg.kosinski@gmail.com>
+Reported-by: Daniel Shapira <daniel@twistlock.com>
+Tested-by: Kees Cook <keescook@chromium.org>
+Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[bwh: Despite what the "Fixes" field says, a buffer overrun was already
+ possible if the sense data was really > 64 bytes long.
+ Backported to 4.4:
+ - We always need to allocate a sense buffer in order to call
+   scsi_normalize_sense()
+ - Remove the existing conditional heap-allocation of the sense buffer]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sr_ioctl.c |   21 +++++++--------------
+ 1 file changed, 7 insertions(+), 14 deletions(-)
+
+--- a/drivers/scsi/sr_ioctl.c
++++ b/drivers/scsi/sr_ioctl.c
+@@ -187,30 +187,25 @@ int sr_do_ioctl(Scsi_CD *cd, struct pack
+       struct scsi_device *SDev;
+       struct scsi_sense_hdr sshdr;
+       int result, err = 0, retries = 0;
+-      struct request_sense *sense = cgc->sense;
++      unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE];
+       SDev = cd->device;
+-      if (!sense) {
+-              sense = kmalloc(SCSI_SENSE_BUFFERSIZE, GFP_KERNEL);
+-              if (!sense) {
+-                      err = -ENOMEM;
+-                      goto out;
+-              }
+-      }
+-
+       retry:
+       if (!scsi_block_when_processing_errors(SDev)) {
+               err = -ENODEV;
+               goto out;
+       }
+-      memset(sense, 0, sizeof(*sense));
++      memset(sense_buffer, 0, sizeof(sense_buffer));
+       result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
+-                            cgc->buffer, cgc->buflen, (char *)sense,
++                            cgc->buffer, cgc->buflen, sense_buffer,
+                             cgc->timeout, IOCTL_RETRIES, 0, NULL);
+-      scsi_normalize_sense((char *)sense, sizeof(*sense), &sshdr);
++      scsi_normalize_sense(sense_buffer, sizeof(sense_buffer), &sshdr);
++
++      if (cgc->sense)
++              memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));
+       /* Minimal error checking.  Ignore cases we know about, and report the rest. */
+       if (driver_byte(result) != 0) {
+@@ -272,8 +267,6 @@ int sr_do_ioctl(Scsi_CD *cd, struct pack
+       /* Wake up a process waiting for device */
+       out:
+-      if (!cgc->sense)
+-              kfree(sense);
+       cgc->stat = err;
+       return err;
+ }
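Review bot: The `memcpy` at L318 copies `sizeof(*cgc->sense)` bytes out of `sense_buffer`, which is only safe while `struct request_sense` (64 bytes per the changelog) stays no larger than `SCSI_SENSE_BUFFERSIZE` (96 bytes); nothing in the hunk checks that relation, and it is exactly the size mismatch this fix exists for. A compile-time guard next to the copy, `BUILD_BUG_ON(sizeof(*cgc->sense) > sizeof(sense_buffer));`, pins the invariant down. A one-line comment that the CDROM layer only ever receives the first `sizeof(struct request_sense)` bytes of the SCSI sense data would also stop a future caller from assuming it sees the full buffer. `sr_do_ioctl()` continues outside the hunks.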
diff --git a/queue-3.18/swiotlb-clean-up-reporting.patch b/queue-3.18/swiotlb-clean-up-reporting.patch
new file mode 100644 (file)
index 0000000..8310b42
--- /dev/null
@@ -0,0 +1,79 @@
+From foo@baz Thu Dec 20 09:24:42 CET 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 10 Jul 2018 16:22:22 -0700
+Subject: swiotlb: clean up reporting
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 7d63fb3af87aa67aa7d24466e792f9d7c57d8e79 upstream.
+
+This removes needless use of '%p', and refactors the printk calls to
+use pr_*() helpers instead.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+[bwh: Backported to 4.4:
+ - Adjust filename
+ - Remove "swiotlb: " prefix from an additional log message]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/swiotlb.c |   18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/lib/swiotlb.c
++++ b/lib/swiotlb.c
+@@ -17,6 +17,8 @@
+  * 08/12/11 beckyb    Add highmem support
+  */
++#define pr_fmt(fmt) "software IO TLB: " fmt
++
+ #include <linux/cache.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/mm.h>
+@@ -143,20 +145,16 @@ static bool no_iotlb_memory;
+ void swiotlb_print_info(void)
+ {
+       unsigned long bytes = io_tlb_nslabs << IO_TLB_SHIFT;
+-      unsigned char *vstart, *vend;
+       if (no_iotlb_memory) {
+-              pr_warn("software IO TLB: No low mem\n");
++              pr_warn("No low mem\n");
+               return;
+       }
+-      vstart = phys_to_virt(io_tlb_start);
+-      vend = phys_to_virt(io_tlb_end);
+-
+-      printk(KERN_INFO "software IO TLB [mem %#010llx-%#010llx] (%luMB) mapped at [%p-%p]\n",
++      pr_info("mapped [mem %#010llx-%#010llx] (%luMB)\n",
+              (unsigned long long)io_tlb_start,
+              (unsigned long long)io_tlb_end,
+-             bytes >> 20, vstart, vend - 1);
++             bytes >> 20);
+ }
+ int __init swiotlb_init_with_tbl(char *tlb, unsigned long nslabs, int verbose)
+@@ -230,7 +228,7 @@ swiotlb_init(int verbose)
+       if (io_tlb_start)
+               memblock_free_early(io_tlb_start,
+                                   PAGE_ALIGN(io_tlb_nslabs << IO_TLB_SHIFT));
+-      pr_warn("Cannot allocate SWIOTLB buffer");
++      pr_warn("Cannot allocate buffer");
+       no_iotlb_memory = true;
+ }
+@@ -272,8 +270,8 @@ swiotlb_late_init_with_default_size(size
+               return -ENOMEM;
+       }
+       if (order != get_order(bytes)) {
+-              printk(KERN_WARNING "Warning: only able to allocate %ld MB "
+-                     "for software IO TLB\n", (PAGE_SIZE << order) >> 20);
++              pr_warn("only able to allocate %ld MB\n",
++                      (PAGE_SIZE << order) >> 20);
+               io_tlb_nslabs = SLABS_PER_PAGE << order;
+       }
+       rc = swiotlb_late_init_with_tbl(vstart, io_tlb_nslabs);
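Review bot: The rewritten message at L394, `pr_warn("Cannot allocate buffer");`, is the only one in these hunks without a trailing `\n`; the old line had the same omission, but since the line is being touched anyway it should become `pr_warn("Cannot allocate buffer\n");` so the record is terminated like every other message in the file. The `pr_fmt` definition at L363 prefixes every pr_* call in lib/swiotlb.c, including ones outside these hunks, so any message elsewhere that still spells out "software IO TLB" would be printed with the prefix twice — worth checking in the 3.18 tree before queuing.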
diff --git a/queue-3.18/wil6210-missing-length-check-in-wmi_set_ie.patch b/queue-3.18/wil6210-missing-length-check-in-wmi_set_ie.patch
new file mode 100644 (file)
index 0000000..30d8d88
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Thu Dec 20 09:24:42 CET 2018
+From: Lior David <qca_liord@qca.qualcomm.com>
+Date: Tue, 14 Nov 2017 15:25:39 +0200
+Subject: wil6210: missing length check in wmi_set_ie
+
+From: Lior David <qca_liord@qca.qualcomm.com>
+
+commit b5a8ffcae4103a9d823ea3aa3a761f65779fbe2a upstream.
+
+Add a length check in wmi_set_ie to detect unsigned integer
+overflow.
+
+Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
+Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wil6210/wmi.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/wil6210/wmi.c
++++ b/drivers/net/wireless/ath/wil6210/wmi.c
+@@ -969,7 +969,12 @@ int wmi_set_ie(struct wil6210_priv *wil,
+ {
+       int rc;
+       u16 len = sizeof(struct wmi_set_appie_cmd) + ie_len;
+-      struct wmi_set_appie_cmd *cmd = kzalloc(len, GFP_KERNEL);
++      struct wmi_set_appie_cmd *cmd;
++
++      if (len < ie_len)
++              return -EINVAL;
++
++      cmd = kzalloc(len, GFP_KERNEL);
+       if (!cmd)
+               return -ENOMEM;
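Review bot: The wrap check at L443, `if (len < ie_len)`, is correct but its reasoning is not obvious from the code: `len` is a `u16` (L439), so the sum computed in `size_t` is truncated on assignment, and the only way the stored value can be smaller than `ie_len` is that the truncation wrapped. A short comment would help, e.g. `/* len is u16; if it ended up smaller than ie_len the addition wrapped */`. A form that states the bound directly and does not depend on the truncated value, `if (ie_len > U16_MAX - sizeof(struct wmi_set_appie_cmd)) return -EINVAL;` placed before `len` is computed, reads more clearly. `wmi_set_ie()` continues past the end of the hunk.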