4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 18 Dec 2018 15:15:51 +0000 (16:15 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 18 Dec 2018 15:15:51 +0000 (16:15 +0100)
added patches:
aio-fix-spectre-gadget-in-lookup_ioctx.patch
mmc-omap-fix-broken-mmc-on-omap15xx-omap5910-omap310.patch
pinctrl-sunxi-a83t-fix-irq-offset-typo-for-ph11.patch
powerpc-msi-fix-null-pointer-access-in-teardown-code.patch
revert-drm-rockchip-allow-driver-to-be-shutdown-on-reboot-kexec.patch
tracing-fix-memory-leak-in-set_trigger_filter.patch
tracing-fix-memory-leak-of-instance-function-hash-filters.patch

queue-4.4/aio-fix-spectre-gadget-in-lookup_ioctx.patch [new file with mode: 0644]
queue-4.4/mmc-omap-fix-broken-mmc-on-omap15xx-omap5910-omap310.patch [new file with mode: 0644]
queue-4.4/pinctrl-sunxi-a83t-fix-irq-offset-typo-for-ph11.patch [new file with mode: 0644]
queue-4.4/powerpc-msi-fix-null-pointer-access-in-teardown-code.patch [new file with mode: 0644]
queue-4.4/revert-drm-rockchip-allow-driver-to-be-shutdown-on-reboot-kexec.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/tracing-fix-memory-leak-in-set_trigger_filter.patch [new file with mode: 0644]
queue-4.4/tracing-fix-memory-leak-of-instance-function-hash-filters.patch [new file with mode: 0644]

diff --git a/queue-4.4/aio-fix-spectre-gadget-in-lookup_ioctx.patch b/queue-4.4/aio-fix-spectre-gadget-in-lookup_ioctx.patch
new file mode 100644 (file)
index 0000000..28e94e2
--- /dev/null
@@ -0,0 +1,42 @@
+From a538e3ff9dabcdf6c3f477a373c629213d1c3066 Mon Sep 17 00:00:00 2001
+From: Jeff Moyer <jmoyer@redhat.com>
+Date: Tue, 11 Dec 2018 12:37:49 -0500
+Subject: aio: fix spectre gadget in lookup_ioctx
+
+From: Jeff Moyer <jmoyer@redhat.com>
+
+commit a538e3ff9dabcdf6c3f477a373c629213d1c3066 upstream.
+
+Matthew pointed out that the ioctx_table is susceptible to spectre v1,
+because the index can be controlled by an attacker.  The below patch
+should mitigate the attack for all of the aio system calls.
+
+Cc: stable@vger.kernel.org
+Reported-by: Matthew Wilcox <willy@infradead.org>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/aio.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -40,6 +40,7 @@
+ #include <linux/ramfs.h>
+ #include <linux/percpu-refcount.h>
+ #include <linux/mount.h>
++#include <linux/nospec.h>
+ #include <asm/kmap_types.h>
+ #include <asm/uaccess.h>
+@@ -1063,6 +1064,7 @@ static struct kioctx *lookup_ioctx(unsig
+       if (!table || id >= table->nr)
+               goto out;
++      id = array_index_nospec(id, table->nr);
+       ctx = rcu_dereference(table->table[id]);
+       if (ctx && ctx->user_id == ctx_id) {
+               if (percpu_ref_tryget_live(&ctx->users))
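Review bot: The added `id = array_index_nospec(id, table->nr);` in lookup_ioctx() has no comment, and directly after the `id >= table->nr` test it reads like a redundant re-check to anyone unfamiliar with the Spectre v1 pattern. I would put a comment above it, for example `/* the bounds check above can be mispredicted; clamp id so a speculative table->table[id] load stays inside the table */`. For the backport itself, the new `#include <linux/nospec.h>` assumes the 4.4 tree already carries that header and `array_index_nospec()`; this commit does not show it, so it should be confirmed against the rest of the queue. lookup_ioctx() starts and ends outside the inner hunk.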
diff --git a/queue-4.4/mmc-omap-fix-broken-mmc-on-omap15xx-omap5910-omap310.patch b/queue-4.4/mmc-omap-fix-broken-mmc-on-omap15xx-omap5910-omap310.patch
new file mode 100644 (file)
index 0000000..bf03094
--- /dev/null
@@ -0,0 +1,128 @@
+From e8cde625bfe8a714a856e1366bcbb259d7346095 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Tue, 20 Nov 2018 01:14:00 +0200
+Subject: MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit e8cde625bfe8a714a856e1366bcbb259d7346095 upstream.
+
+Since v2.6.22 or so there has been reports [1] about OMAP MMC being
+broken on OMAP15XX based hardware (OMAP5910 and OMAP310). The breakage
+seems to have been caused by commit 46a6730e3ff9 ("mmc-omap: Fix
+omap to use MMC_POWER_ON") that changed clock enabling to be done
+on MMC_POWER_ON. This can happen multiple times in a row, and on 15XX
+the hardware doesn't seem to like it and the MMC just stops responding.
+Fix by memorizing the power mode and do the init only when necessary.
+
+Before the patch (on Palm TE):
+
+       mmc0: new SD card at address b368
+       mmcblk0: mmc0:b368 SDC   977 MiB
+       mmci-omap mmci-omap.0: command timeout (CMD18)
+       mmci-omap mmci-omap.0: command timeout (CMD13)
+       mmci-omap mmci-omap.0: command timeout (CMD13)
+       mmci-omap mmci-omap.0: command timeout (CMD12) [x 6]
+       mmci-omap mmci-omap.0: command timeout (CMD13) [x 6]
+       mmcblk0: error -110 requesting status
+       mmci-omap mmci-omap.0: command timeout (CMD8)
+       mmci-omap mmci-omap.0: command timeout (CMD18)
+       mmci-omap mmci-omap.0: command timeout (CMD13)
+       mmci-omap mmci-omap.0: command timeout (CMD13)
+       mmci-omap mmci-omap.0: command timeout (CMD12) [x 6]
+       mmci-omap mmci-omap.0: command timeout (CMD13) [x 6]
+       mmcblk0: error -110 requesting status
+       mmcblk0: recovery failed!
+       print_req_error: I/O error, dev mmcblk0, sector 0
+       Buffer I/O error on dev mmcblk0, logical block 0, async page read
+        mmcblk0: unable to read partition table
+
+After the patch:
+
+       mmc0: new SD card at address b368
+       mmcblk0: mmc0:b368 SDC   977 MiB
+        mmcblk0: p1
+
+The patch is based on a fix and analysis done by Ladislav Michl.
+
+Tested on OMAP15XX/OMAP310 (Palm TE), OMAP1710 (Nokia 770)
+and OMAP2420 (Nokia N810).
+
+[1] https://marc.info/?t=123175197000003&r=1&w=2
+
+Fixes: 46a6730e3ff9 ("mmc-omap: Fix omap to use MMC_POWER_ON")
+Reported-by: Ladislav Michl <ladis@linux-mips.org>
+Reported-by: Andrzej Zaborowski <balrogg@gmail.com>
+Tested-by: Ladislav Michl <ladis@linux-mips.org>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/omap.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/omap.c
++++ b/drivers/mmc/host/omap.c
+@@ -105,6 +105,7 @@ struct mmc_omap_slot {
+       unsigned int            vdd;
+       u16                     saved_con;
+       u16                     bus_mode;
++      u16                     power_mode;
+       unsigned int            fclk_freq;
+       struct tasklet_struct   cover_tasklet;
+@@ -1156,7 +1157,7 @@ static void mmc_omap_set_ios(struct mmc_
+       struct mmc_omap_slot *slot = mmc_priv(mmc);
+       struct mmc_omap_host *host = slot->host;
+       int i, dsor;
+-      int clk_enabled;
++      int clk_enabled, init_stream;
+       mmc_omap_select_slot(slot, 0);
+@@ -1166,6 +1167,7 @@ static void mmc_omap_set_ios(struct mmc_
+               slot->vdd = ios->vdd;
+       clk_enabled = 0;
++      init_stream = 0;
+       switch (ios->power_mode) {
+       case MMC_POWER_OFF:
+               mmc_omap_set_power(slot, 0, ios->vdd);
+@@ -1173,13 +1175,17 @@ static void mmc_omap_set_ios(struct mmc_
+       case MMC_POWER_UP:
+               /* Cannot touch dsor yet, just power up MMC */
+               mmc_omap_set_power(slot, 1, ios->vdd);
++              slot->power_mode = ios->power_mode;
+               goto exit;
+       case MMC_POWER_ON:
+               mmc_omap_fclk_enable(host, 1);
+               clk_enabled = 1;
+               dsor |= 1 << 11;
++              if (slot->power_mode != MMC_POWER_ON)
++                      init_stream = 1;
+               break;
+       }
++      slot->power_mode = ios->power_mode;
+       if (slot->bus_mode != ios->bus_mode) {
+               if (slot->pdata->set_bus_mode != NULL)
+@@ -1195,7 +1201,7 @@ static void mmc_omap_set_ios(struct mmc_
+       for (i = 0; i < 2; i++)
+               OMAP_MMC_WRITE(host, CON, dsor);
+       slot->saved_con = dsor;
+-      if (ios->power_mode == MMC_POWER_ON) {
++      if (init_stream) {
+               /* worst case at 400kHz, 80 cycles makes 200 microsecs */
+               int usecs = 250;
+@@ -1233,6 +1239,7 @@ static int mmc_omap_new_slot(struct mmc_
+       slot->host = host;
+       slot->mmc = mmc;
+       slot->id = id;
++      slot->power_mode = MMC_POWER_UNDEFINED;
+       slot->pdata = &host->pdata->slots[id];
+       host->slots[id] = slot;
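Review bot: `slot->power_mode = MMC_POWER_UNDEFINED;` in mmc_omap_new_slot() uses a constant that none of the visible hunks define, so this backport only builds if the 4.4 MMC core headers already provide it. I believe upstream introduced that value after 4.4, so it is worth checking before the patch stays in the queue. If it is missing, the options are a prerequisite patch or a driver-local sentinel that differs from MMC_POWER_OFF, MMC_POWER_UP and MMC_POWER_ON. The new `u16 power_mode` field and the `init_stream` logic in mmc_omap_set_ios() look consistent with each other; both functions continue outside the inner hunks.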
diff --git a/queue-4.4/pinctrl-sunxi-a83t-fix-irq-offset-typo-for-ph11.patch b/queue-4.4/pinctrl-sunxi-a83t-fix-irq-offset-typo-for-ph11.patch
new file mode 100644 (file)
index 0000000..1cc36f9
--- /dev/null
@@ -0,0 +1,37 @@
+From 478b6767ad26ab86d9ecc341027dd09a87b1f997 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Tue, 4 Dec 2018 17:04:57 +0800
+Subject: pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit 478b6767ad26ab86d9ecc341027dd09a87b1f997 upstream.
+
+Pin PH11 is used on various A83T board to detect a change in the OTG
+port's ID pin, as in when an OTG host cable is plugged in.
+
+The incorrect offset meant the gpiochip/irqchip was activating the wrong
+pin for interrupts.
+
+Fixes: 4730f33f0d82 ("pinctrl: sunxi: add allwinner A83T PIO controller support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c
+@@ -568,7 +568,7 @@ static const struct sunxi_desc_pin sun8i
+       SUNXI_PIN(SUNXI_PINCTRL_PIN(H, 11),
+                 SUNXI_FUNCTION(0x0, "gpio_in"),
+                 SUNXI_FUNCTION(0x1, "gpio_out"),
+-                SUNXI_FUNCTION_IRQ_BANK(0x6, 2, 1)),  /* PH_EINT11 */
++                SUNXI_FUNCTION_IRQ_BANK(0x6, 2, 11)), /* PH_EINT11 */
+ };
+ static const struct sunxi_pinctrl_desc sun8i_a83t_pinctrl_data = {
diff --git a/queue-4.4/powerpc-msi-fix-null-pointer-access-in-teardown-code.patch b/queue-4.4/powerpc-msi-fix-null-pointer-access-in-teardown-code.patch
new file mode 100644 (file)
index 0000000..780340d
--- /dev/null
@@ -0,0 +1,54 @@
+From 78e7b15e17ac175e7eed9e21c6f92d03d3b0a6fa Mon Sep 17 00:00:00 2001
+From: Radu Rendec <radu.rendec@gmail.com>
+Date: Tue, 27 Nov 2018 22:20:48 -0500
+Subject: powerpc/msi: Fix NULL pointer access in teardown code
+
+From: Radu Rendec <radu.rendec@gmail.com>
+
+commit 78e7b15e17ac175e7eed9e21c6f92d03d3b0a6fa upstream.
+
+The arch_teardown_msi_irqs() function assumes that controller ops
+pointers were already checked in arch_setup_msi_irqs(), but this
+assumption is wrong: arch_teardown_msi_irqs() can be called even when
+arch_setup_msi_irqs() returns an error (-ENOSYS).
+
+This can happen in the following scenario:
+  - msi_capability_init() calls pci_msi_setup_msi_irqs()
+  - pci_msi_setup_msi_irqs() returns -ENOSYS
+  - msi_capability_init() notices the error and calls free_msi_irqs()
+  - free_msi_irqs() calls pci_msi_teardown_msi_irqs()
+
+This is easier to see when CONFIG_PCI_MSI_IRQ_DOMAIN is not set and
+pci_msi_setup_msi_irqs() and pci_msi_teardown_msi_irqs() are just
+aliases to arch_setup_msi_irqs() and arch_teardown_msi_irqs().
+
+The call to free_msi_irqs() upon pci_msi_setup_msi_irqs() failure
+seems legit, as it does additional cleanup; e.g.
+list_del(&entry->list) and kfree(entry) inside free_msi_irqs() do
+happen (MSI descriptors are allocated before pci_msi_setup_msi_irqs()
+is called and need to be cleaned up if that fails).
+
+Fixes: 6b2fd7efeb88 ("PCI/MSI/PPC: Remove arch_msi_check_device()")
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Radu Rendec <radu.rendec@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/msi.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/msi.c
++++ b/arch/powerpc/kernel/msi.c
+@@ -34,5 +34,10 @@ void arch_teardown_msi_irqs(struct pci_d
+ {
+       struct pci_controller *phb = pci_bus_to_host(dev->bus);
+-      phb->controller_ops.teardown_msi_irqs(dev);
++      /*
++       * We can be called even when arch_setup_msi_irqs() returns -ENOSYS,
++       * so check the pointer again.
++       */
++      if (phb->controller_ops.teardown_msi_irqs)
++              phb->controller_ops.teardown_msi_irqs(dev);
+ }
diff --git a/queue-4.4/revert-drm-rockchip-allow-driver-to-be-shutdown-on-reboot-kexec.patch b/queue-4.4/revert-drm-rockchip-allow-driver-to-be-shutdown-on-reboot-kexec.patch
new file mode 100644 (file)
index 0000000..cc7d099
--- /dev/null
@@ -0,0 +1,91 @@
+From 63238173b2faf3d6b85a416f1c69af6c7be2413f Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Wed, 5 Dec 2018 10:16:57 -0800
+Subject: Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec"
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 63238173b2faf3d6b85a416f1c69af6c7be2413f upstream.
+
+This reverts commit 7f3ef5dedb146e3d5063b6845781ad1bb59b92b5.
+
+It causes new warnings [1] on shutdown when running the Google Kevin or
+Scarlet (RK3399) boards under Chrome OS. Presumably our usage of DRM is
+different than what Marc and Heiko test.
+
+We're looking at a different approach (e.g., [2]) to replace this, but
+IMO the revert should be taken first, as it already propagated to
+-stable.
+
+[1] Report here:
+http://lkml.kernel.org/lkml/20181205030127.GA200921@google.com
+
+WARNING: CPU: 4 PID: 2035 at drivers/gpu/drm/drm_mode_config.c:477 drm_mode_config_cleanup+0x1c4/0x294
+...
+ Call trace:
+  drm_mode_config_cleanup+0x1c4/0x294
+  rockchip_drm_unbind+0x4c/0x8c
+  component_master_del+0x88/0xb8
+  rockchip_drm_platform_remove+0x2c/0x44
+  rockchip_drm_platform_shutdown+0x20/0x2c
+  platform_drv_shutdown+0x2c/0x38
+  device_shutdown+0x164/0x1b8
+  kernel_restart_prepare+0x40/0x48
+  kernel_restart+0x20/0x68
+...
+ Memory manager not clean during takedown.
+ WARNING: CPU: 4 PID: 2035 at drivers/gpu/drm/drm_mm.c:950 drm_mm_takedown+0x34/0x44
+...
+  drm_mm_takedown+0x34/0x44
+  rockchip_drm_unbind+0x64/0x8c
+  component_master_del+0x88/0xb8
+  rockchip_drm_platform_remove+0x2c/0x44
+  rockchip_drm_platform_shutdown+0x20/0x2c
+  platform_drv_shutdown+0x2c/0x38
+  device_shutdown+0x164/0x1b8
+  kernel_restart_prepare+0x40/0x48
+  kernel_restart+0x20/0x68
+...
+
+[2] https://patchwork.kernel.org/patch/10556151/
+    https://www.spinics.net/lists/linux-rockchip/msg21342.html
+    [PATCH] drm/rockchip: shutdown drm subsystem on shutdown
+
+Fixes: 7f3ef5dedb14 ("drm/rockchip: Allow driver to be shutdown on reboot/kexec")
+Cc: Jeffy Chen <jeffy.chen@rock-chips.com>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: Vicente Bergas <vicencb@gmail.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Heiko Stuebner <heiko@sntech.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181205181657.177703-1-briannorris@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_drv.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
+@@ -547,11 +547,6 @@ static int rockchip_drm_platform_remove(
+       return 0;
+ }
+-static void rockchip_drm_platform_shutdown(struct platform_device *pdev)
+-{
+-      rockchip_drm_platform_remove(pdev);
+-}
+-
+ static const struct of_device_id rockchip_drm_dt_ids[] = {
+       { .compatible = "rockchip,display-subsystem", },
+       { /* sentinel */ },
+@@ -561,7 +556,6 @@ MODULE_DEVICE_TABLE(of, rockchip_drm_dt_
+ static struct platform_driver rockchip_drm_platform_driver = {
+       .probe = rockchip_drm_platform_probe,
+       .remove = rockchip_drm_platform_remove,
+-      .shutdown = rockchip_drm_platform_shutdown,
+       .driver = {
+               .name = "rockchip-drm",
+               .of_match_table = rockchip_drm_dt_ids,
index f85f3e7beabaeebe8cc9bef5028f1d38340db4e5..19c0fe845d2d65cad1bfae40244f560ca1d3fd20 100644 (file)
@@ -5,3 +5,10 @@ lib-rbtree-test-lower-default-params.patch
 lib-interval_tree_test.c-allow-users-to-limit-scope-.patch
 timer-debug-change-proc-timer_list-from-0444-to-0400.patch
 powerpc-boot-fix-random-libfdt-related-build-errors.patch
+pinctrl-sunxi-a83t-fix-irq-offset-typo-for-ph11.patch
+aio-fix-spectre-gadget-in-lookup_ioctx.patch
+mmc-omap-fix-broken-mmc-on-omap15xx-omap5910-omap310.patch
+tracing-fix-memory-leak-in-set_trigger_filter.patch
+tracing-fix-memory-leak-of-instance-function-hash-filters.patch
+powerpc-msi-fix-null-pointer-access-in-teardown-code.patch
+revert-drm-rockchip-allow-driver-to-be-shutdown-on-reboot-kexec.patch
diff --git a/queue-4.4/tracing-fix-memory-leak-in-set_trigger_filter.patch b/queue-4.4/tracing-fix-memory-leak-in-set_trigger_filter.patch
new file mode 100644 (file)
index 0000000..a519692
--- /dev/null
@@ -0,0 +1,45 @@
+From 3cec638b3d793b7cacdec5b8072364b41caeb0e1 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Sun, 9 Dec 2018 21:17:30 -0500
+Subject: tracing: Fix memory leak in set_trigger_filter()
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 3cec638b3d793b7cacdec5b8072364b41caeb0e1 upstream.
+
+When create_event_filter() fails in set_trigger_filter(), the filter may
+still be allocated and needs to be freed. The caller expects the
+data->filter to be updated with the new filter, even if the new filter
+failed (we could add an error message by setting set_str parameter of
+create_event_filter(), but that's another update).
+
+But because the error would just exit, filter was left hanging and
+nothing could free it.
+
+Found by kmemleak detector.
+
+Cc: stable@vger.kernel.org
+Fixes: bac5fb97a173a ("tracing: Add and use generic set_trigger_filter() implementation")
+Reviewed-by: Tom Zanussi <tom.zanussi@linux.intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_trigger.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -727,8 +727,10 @@ static int set_trigger_filter(char *filt
+       /* The filter is for the 'trigger' event, not the triggered event */
+       ret = create_event_filter(file->event_call, filter_str, false, &filter);
+-      if (ret)
+-              goto out;
++      /*
++       * If create_event_filter() fails, filter still needs to be freed.
++       * Which the calling code will do with data->filter.
++       */
+  assign:
+       tmp = rcu_access_pointer(data->filter);
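Review bot: With `if (ret) goto out;` removed, a failed create_event_filter() in set_trigger_filter() now falls through to `assign:` and, judging by the visible `tmp = rcu_access_pointer(data->filter);` line, goes on to replace the trigger's current filter. The rest of the function is outside the hunk, so on the 4.4 tree I would confirm that the error held in `ret` is still what gets returned, and that create_event_filter() there really leaves `filter` allocated on failure. If it already frees the filter and returns NULL, the change only alters the failure behaviour. The replacement comment is also hard to parse; something like `/* On failure fall through: filter may still be allocated, and storing it in data->filter lets the caller free it. */` states the intent directly.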
diff --git a/queue-4.4/tracing-fix-memory-leak-of-instance-function-hash-filters.patch b/queue-4.4/tracing-fix-memory-leak-of-instance-function-hash-filters.patch
new file mode 100644 (file)
index 0000000..db53586
--- /dev/null
@@ -0,0 +1,41 @@
+From 2840f84f74035e5a535959d5f17269c69fa6edc5 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Mon, 10 Dec 2018 23:58:01 -0500
+Subject: tracing: Fix memory leak of instance function hash filters
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 2840f84f74035e5a535959d5f17269c69fa6edc5 upstream.
+
+The following commands will cause a memory leak:
+
+ # cd /sys/kernel/tracing
+ # mkdir instances/foo
+ # echo schedule > instance/foo/set_ftrace_filter
+ # rmdir instances/foo
+
+The reason is that the hashes that hold the filters to set_ftrace_filter and
+set_ftrace_notrace are not freed if they contain any data on the instance
+and the instance is removed.
+
+Found by kmemleak detector.
+
+Cc: stable@vger.kernel.org
+Fixes: 591dffdade9f ("ftrace: Allow for function tracing instance to filter functions")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -4767,6 +4767,7 @@ void ftrace_destroy_filter_files(struct
+       if (ops->flags & FTRACE_OPS_FL_ENABLED)
+               ftrace_shutdown(ops, 0);
+       ops->flags |= FTRACE_OPS_FL_DELETED;
++      ftrace_free_filter(ops);
+       mutex_unlock(&ftrace_lock);
+ }