--- /dev/null
+From bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 Mon Sep 17 00:00:00 2001
+From: Esben Haabendal <eha@deif.com>
+Date: Thu, 16 Aug 2018 10:43:12 +0200
+Subject: i2c: imx: Fix race condition in dma read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Esben Haabendal <eha@deif.com>
+
+commit bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 upstream.
+
+This fixes a race condition, where the DMAEN bit ends up being set after
+I2C slave has transmitted a byte following the dummy read. When that
+happens, an interrupt is generated instead, and no DMA request is generated
+to kickstart the DMA read, and a timeout happens after DMA_TIMEOUT (1 sec).
+
+Fixed by setting the DMAEN bit before the dummy read.
+
+Signed-off-by: Esben Haabendal <eha@deif.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-imx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -677,9 +677,6 @@ static int i2c_imx_dma_read(struct imx_i
+ struct imx_i2c_dma *dma = i2c_imx->dma;
+ struct device *dev = &i2c_imx->adapter.dev;
+
+- temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
+- temp |= I2CR_DMAEN;
+- imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+
+ dma->chan_using = dma->chan_rx;
+ dma->dma_transfer_dir = DMA_DEV_TO_MEM;
+@@ -792,6 +789,7 @@ static int i2c_imx_read(struct imx_i2c_s
+ int i, result;
+ unsigned int temp;
+ int block_data = msgs->flags & I2C_M_RECV_LEN;
++ int use_dma = i2c_imx->dma && msgs->len >= DMA_THRESHOLD && !block_data;
+
+ dev_dbg(&i2c_imx->adapter.dev,
+ "<%s> write slave address: addr=0x%x\n",
+@@ -818,12 +816,14 @@ static int i2c_imx_read(struct imx_i2c_s
+ */
+ if ((msgs->len - 1) || block_data)
+ temp &= ~I2CR_TXAK;
++ if (use_dma)
++ temp |= I2CR_DMAEN;
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+ imx_i2c_read_reg(i2c_imx, IMX_I2C_I2DR); /* dummy read */
+
+ dev_dbg(&i2c_imx->adapter.dev, "<%s> read data\n", __func__);
+
+- if (i2c_imx->dma && msgs->len >= DMA_THRESHOLD && !block_data)
++ if (use_dma)
+ return i2c_imx_dma_read(i2c_imx, msgs, is_lastmsg);
+
+ /* read data */
--- /dev/null
+From 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 19 Jul 2018 17:27:31 -0500
+Subject: PCI: hotplug: Don't leak pci_slot on registration failure
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 upstream.
+
+If addition of sysfs files fails on registration of a hotplug slot, the
+struct pci_slot as well as the entry in the slot_list is leaked. The
+issue has been present since the hotplug core was introduced in 2002:
+https://git.kernel.org/tglx/history/c/a8a2069f432c
+
+Perhaps the idea was that even though sysfs addition fails, the slot
+should still be usable. But that's not how drivers use the interface,
+they abort probe if a non-zero value is returned.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v2.4.15+
+Cc: Greg Kroah-Hartman <greg@kroah.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/pci_hotplug_core.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/pci/hotplug/pci_hotplug_core.c
++++ b/drivers/pci/hotplug/pci_hotplug_core.c
+@@ -457,8 +457,17 @@ int __pci_hp_register(struct hotplug_slo
+ list_add(&slot->slot_list, &pci_hotplug_slot_list);
+
+ result = fs_add_slot(pci_slot);
++ if (result)
++ goto err_list_del;
++
+ kobject_uevent(&pci_slot->kobj, KOBJ_ADD);
+ dbg("Added slot %s to the list\n", name);
++ goto out;
++
++err_list_del:
++ list_del(&slot->slot_list);
++ pci_slot->hotplug = NULL;
++ pci_destroy_slot(pci_slot);
+ out:
+ mutex_unlock(&pci_hp_mutex);
+ return result;
--- /dev/null
+From 281e878eab191cce4259abbbf1a0322e3adae02c Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 19 Jul 2018 17:27:32 -0500
+Subject: PCI: pciehp: Fix use-after-free on unplug
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 281e878eab191cce4259abbbf1a0322e3adae02c upstream.
+
+When pciehp is unbound (e.g. on unplug of a Thunderbolt device), the
+hotplug_slot struct is deregistered and thus freed before freeing the
+IRQ. The IRQ handler and the work items it schedules print the slot
+name referenced from the freed structure in various informational and
+debug log messages, each time resulting in a quadruple dereference of
+freed pointers (hotplug_slot -> pci_slot -> kobject -> name).
+
+At best the slot name is logged as "(null)", at worst kernel memory is
+exposed in logs or the driver crashes:
+
+ pciehp 0000:10:00.0:pcie204: Slot((null)): Card not present
+
+An attacker may provoke the bug by unplugging multiple devices on a
+Thunderbolt daisy chain at once. Unplugging can also be simulated by
+powering down slots via sysfs. The bug is particularly easy to trigger
+in poll mode.
+
+It has been present since the driver's introduction in 2004:
+https://git.kernel.org/tglx/history/c/c16b4b14d980
+
+Fix by rearranging teardown such that the IRQ is freed first. Run the
+work items queued by the IRQ handler to completion before freeing the
+hotplug_slot struct by draining the work queue from the ->release_slot
+callback which is invoked by pci_hp_deregister().
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v2.6.4
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/pciehp.h | 1 +
+ drivers/pci/hotplug/pciehp_core.c | 7 +++++++
+ drivers/pci/hotplug/pciehp_hpc.c | 5 ++---
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/hotplug/pciehp.h
++++ b/drivers/pci/hotplug/pciehp.h
+@@ -132,6 +132,7 @@ int pciehp_unconfigure_device(struct slo
+ void pciehp_queue_pushbutton_work(struct work_struct *work);
+ struct controller *pcie_init(struct pcie_device *dev);
+ int pcie_init_notification(struct controller *ctrl);
++void pcie_shutdown_notification(struct controller *ctrl);
+ int pciehp_enable_slot(struct slot *p_slot);
+ int pciehp_disable_slot(struct slot *p_slot);
+ void pcie_reenable_notification(struct controller *ctrl);
+--- a/drivers/pci/hotplug/pciehp_core.c
++++ b/drivers/pci/hotplug/pciehp_core.c
+@@ -77,6 +77,12 @@ static int reset_slot (struct hotplug_s
+ */
+ static void release_slot(struct hotplug_slot *hotplug_slot)
+ {
++ struct slot *slot = hotplug_slot->private;
++
++ /* queued work needs hotplug_slot name */
++ cancel_delayed_work(&slot->work);
++ drain_workqueue(slot->wq);
++
+ kfree(hotplug_slot->ops);
+ kfree(hotplug_slot->info);
+ kfree(hotplug_slot);
+@@ -276,6 +282,7 @@ static void pciehp_remove(struct pcie_de
+ {
+ struct controller *ctrl = get_service_data(dev);
+
++ pcie_shutdown_notification(ctrl);
+ cleanup_slot(ctrl);
+ pciehp_release_ctrl(ctrl);
+ }
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -741,7 +741,7 @@ int pcie_init_notification(struct contro
+ return 0;
+ }
+
+-static void pcie_shutdown_notification(struct controller *ctrl)
++void pcie_shutdown_notification(struct controller *ctrl)
+ {
+ if (ctrl->notification_enabled) {
+ pcie_disable_notification(ctrl);
+@@ -776,7 +776,7 @@ abort:
+ static void pcie_cleanup_slot(struct controller *ctrl)
+ {
+ struct slot *slot = ctrl->slot;
+- cancel_delayed_work(&slot->work);
++
+ destroy_workqueue(slot->wq);
+ kfree(slot);
+ }
+@@ -853,7 +853,6 @@ abort:
+
+ void pciehp_release_ctrl(struct controller *ctrl)
+ {
+- pcie_shutdown_notification(ctrl);
+ pcie_cleanup_slot(ctrl);
+ kfree(ctrl);
+ }
--- /dev/null
+From 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 Mon Sep 17 00:00:00 2001
+From: Myron Stowe <myron.stowe@redhat.com>
+Date: Mon, 13 Aug 2018 12:19:39 -0600
+Subject: PCI: Skip MPS logic for Virtual Functions (VFs)
+
+From: Myron Stowe <myron.stowe@redhat.com>
+
+commit 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 upstream.
+
+PCIe r4.0, sec 9.3.5.4, "Device Control Register", shows both
+Max_Payload_Size (MPS) and Max_Read_request_Size (MRRS) to be 'RsvdP' for
+VFs. Just prior to the table it states:
+
+ "PF and VF functionality is defined in Section 7.5.3.4 except where
+ noted in Table 9-16. For VF fields marked 'RsvdP', the PF setting
+ applies to the VF."
+
+All of which implies that with respect to Max_Payload_Size Supported
+(MPSS), MPS, and MRRS values, we should not be paying any attention to the
+VF's fields, but rather only to the PF's. Only looking at the PF's fields
+also logically makes sense as it's the sole physical interface to the PCIe
+bus.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527
+Fixes: 27d868b5e6cf ("PCI: Set MPS to match upstream bridge")
+Signed-off-by: Myron Stowe <myron.stowe@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # 4.3+
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: Sinan Kaya <okaya@kernel.org>
+Cc: Dongdong Liu <liudongdong3@huawei.com>
+Cc: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/probe.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1338,6 +1338,10 @@ static void pci_configure_mps(struct pci
+ if (!pci_is_pcie(dev) || !bridge || !pci_is_pcie(bridge))
+ return;
+
++ /* MPS and MRRS fields are of type 'RsvdP' for VFs, short-circuit out */
++ if (dev->is_virtfn)
++ return;
++
+ mps = pcie_get_mps(dev);
+ p_mps = pcie_get_mps(bridge);
+
--- /dev/null
+From a13f085d111e90469faf2d9965eb39b11c114d7e Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 21 Aug 2018 21:59:37 -0700
+Subject: reiserfs: fix broken xattr handling (heap corruption, bad retval)
+
+From: Jann Horn <jannh@google.com>
+
+commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.
+
+This fixes the following issues:
+
+- When a buffer size is supplied to reiserfs_listxattr() such that each
+ individual name fits, but the concatenation of all names doesn't fit,
+ reiserfs_listxattr() overflows the supplied buffer. This leads to a
+ kernel heap overflow (verified using KASAN) followed by an out-of-bounds
+ usercopy and is therefore a security bug.
+
+- When a buffer size is supplied to reiserfs_listxattr() such that a
+ name doesn't fit, -ERANGE should be returned. But reiserfs instead just
+ truncates the list of names; I have verified that if the only xattr on a
+ file has a longer name than the supplied buffer length, listxattr()
+ incorrectly returns zero.
+
+With my patch applied, -ERANGE is returned in both cases and the memory
+corruption doesn't happen anymore.
+
+Credit for making me clean this code up a bit goes to Al Viro, who pointed
+out that the ->actor calling convention is suboptimal and should be
+changed.
+
+Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
+Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+Cc: Eric Biggers <ebiggers@google.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/xattr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/reiserfs/xattr.c
++++ b/fs/reiserfs/xattr.c
+@@ -791,8 +791,10 @@ static int listxattr_filler(struct dir_c
+ size = handler->list(handler, b->dentry,
+ b->buf + b->pos, b->size, name,
+ namelen);
+- if (size > b->size)
++ if (b->pos + size > b->size) {
++ b->pos = -ERANGE;
+ return -ERANGE;
++ }
+ } else {
+ size = handler->list(handler, b->dentry,
+ NULL, 0, name, namelen);
packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
bridge-propagate-vlan-add-failure-to-user.patch
parisc-remove-unnecessary-barriers-from-spinlock.h.patch
+pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch
+pci-skip-mps-logic-for-virtual-functions-vfs.patch
+pci-pciehp-fix-use-after-free-on-unplug.patch
+i2c-imx-fix-race-condition-in-dma-read.patch
+reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
