--- /dev/null
+From 8eb52a1ee37aafd9b796713aa0b3ab9cbc455be3 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 18 Oct 2019 22:56:29 +0200
+Subject: binder: Fix race between mmap() and binder_alloc_print_pages()
+
+From: Jann Horn <jannh@google.com>
+
+commit 8eb52a1ee37aafd9b796713aa0b3ab9cbc455be3 upstream.
+
+binder_alloc_print_pages() iterates over
+alloc->pages[0..alloc->buffer_size-1] under alloc->mutex.
+binder_alloc_mmap_handler() writes alloc->pages and alloc->buffer_size
+without holding that lock, and even writes them before the last bailout
+point.
+
+Unfortunately we can't take the alloc->mutex in the ->mmap() handler
+because mmap_sem can be taken while alloc->mutex is held.
+So instead, we have to locklessly check whether the binder_alloc has been
+fully initialized with binder_alloc_get_vma(), like in
+binder_alloc_new_buf_locked().
+
+Fixes: 8ef4665aa129 ("android: binder: Add page usage in binder stats")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Link: https://lore.kernel.org/r/20191018205631.248274-1-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder_alloc.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -841,14 +841,20 @@ void binder_alloc_print_pages(struct seq
+ int free = 0;
+
+ mutex_lock(&alloc->mutex);
+- for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
+- page = &alloc->pages[i];
+- if (!page->page_ptr)
+- free++;
+- else if (list_empty(&page->lru))
+- active++;
+- else
+- lru++;
++ /*
++ * Make sure the binder_alloc is fully initialized, otherwise we might
++ * read inconsistent state.
++ */
++ if (binder_alloc_get_vma(alloc) != NULL) {
++ for (i = 0; i < alloc->buffer_size / PAGE_SIZE; i++) {
++ page = &alloc->pages[i];
++ if (!page->page_ptr)
++ free++;
++ else if (list_empty(&page->lru))
++ active++;
++ else
++ lru++;
++ }
+ }
+ mutex_unlock(&alloc->mutex);
+ seq_printf(m, " pages: %d:%d:%d\n", active, lru, free);
--- /dev/null
+From 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 18 Oct 2019 22:56:31 +0200
+Subject: binder: Handle start==NULL in binder_update_page_range()
+
+From: Jann Horn <jannh@google.com>
+
+commit 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 upstream.
+
+The old loop wouldn't stop when reaching `start` if `start==NULL`, instead
+continuing backwards to index -1 and crashing.
+
+Luckily you need to be highly privileged to map things at NULL, so it's not
+a big problem.
+
+Fix it by adjusting the loop so that the loop variable is always in bounds.
+
+This patch is deliberately minimal to simplify backporting, but IMO this
+function could use a refactor. The jump labels in the second loop body are
+horrible (the error gotos should be jumping to free_range instead), and
+both loops would look nicer if they just iterated upwards through indices.
+And the up_read()+mmput() shouldn't be duplicated like that.
+
+Cc: stable@vger.kernel.org
+Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder_alloc.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -277,8 +277,7 @@ static int binder_update_page_range(stru
+ return 0;
+
+ free_range:
+- for (page_addr = end - PAGE_SIZE; page_addr >= start;
+- page_addr -= PAGE_SIZE) {
++ for (page_addr = end - PAGE_SIZE; 1; page_addr -= PAGE_SIZE) {
+ bool ret;
+ size_t index;
+
+@@ -291,6 +290,8 @@ free_range:
+ WARN_ON(!ret);
+
+ trace_binder_free_lru_end(alloc, index);
++ if (page_addr == start)
++ break;
+ continue;
+
+ err_vm_insert_page_failed:
+@@ -298,7 +299,8 @@ err_vm_insert_page_failed:
+ page->page_ptr = NULL;
+ err_alloc_page_failed:
+ err_page_ptr_cleared:
+- ;
++ if (page_addr == start)
++ break;
+ }
+ err_no_vma:
+ if (mm) {
--- /dev/null
+From a7a74d7ff55a0c657bc46238b050460b9eacea95 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 18 Oct 2019 22:56:30 +0200
+Subject: binder: Prevent repeated use of ->mmap() via NULL mapping
+
+From: Jann Horn <jannh@google.com>
+
+commit a7a74d7ff55a0c657bc46238b050460b9eacea95 upstream.
+
+binder_alloc_mmap_handler() attempts to detect the use of ->mmap() on a
+binder_proc whose binder_alloc has already been initialized by checking
+whether alloc->buffer is non-zero.
+
+Before commit 880211667b20 ("binder: remove kernel vm_area for buffer
+space"), alloc->buffer was a kernel mapping address, which is always
+non-zero, but since that commit, it is a userspace mapping address.
+
+A sufficiently privileged user can map /dev/binder at NULL, tricking
+binder_alloc_mmap_handler() into assuming that the binder_proc has not been
+mapped yet. This leads to memory unsafety.
+Luckily, no context on Android has such privileges, and on a typical Linux
+desktop system, you need to be root to do that.
+
+Fix it by using the mapping size instead of the mapping address to
+distinguish the mapped case. A valid VMA can't have size zero.
+
+Fixes: 880211667b20 ("binder: remove kernel vm_area for buffer space")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Link: https://lore.kernel.org/r/20191018205631.248274-2-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder_alloc.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -681,17 +681,17 @@ int binder_alloc_mmap_handler(struct bin
+ struct binder_buffer *buffer;
+
+ mutex_lock(&binder_alloc_mmap_lock);
+- if (alloc->buffer) {
++ if (alloc->buffer_size) {
+ ret = -EBUSY;
+ failure_string = "already mapped";
+ goto err_already_mapped;
+ }
++ alloc->buffer_size = min_t(unsigned long, vma->vm_end - vma->vm_start,
++ SZ_4M);
++ mutex_unlock(&binder_alloc_mmap_lock);
+
+ alloc->buffer = (void __user *)vma->vm_start;
+- mutex_unlock(&binder_alloc_mmap_lock);
+
+- alloc->buffer_size = min_t(unsigned long, vma->vm_end - vma->vm_start,
+- SZ_4M);
+ alloc->pages = kcalloc(alloc->buffer_size / PAGE_SIZE,
+ sizeof(alloc->pages[0]),
+ GFP_KERNEL);
+@@ -722,8 +722,9 @@ err_alloc_buf_struct_failed:
+ kfree(alloc->pages);
+ alloc->pages = NULL;
+ err_alloc_pages_failed:
+- mutex_lock(&binder_alloc_mmap_lock);
+ alloc->buffer = NULL;
++ mutex_lock(&binder_alloc_mmap_lock);
++ alloc->buffer_size = 0;
+ err_already_mapped:
+ mutex_unlock(&binder_alloc_mmap_lock);
+ binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
--- /dev/null
+From 419e9c38aa075ed0cd3c13d47e15954b686bcdb6 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 21 Nov 2019 16:14:38 -0800
+Subject: iomap: Fix pipe page leakage during splicing
+
+From: Jan Kara <jack@suse.cz>
+
+commit 419e9c38aa075ed0cd3c13d47e15954b686bcdb6 upstream.
+
+When splicing using iomap_dio_rw() to a pipe, we may leak pipe pages
+because bio_iov_iter_get_pages() records that the pipe will have full
+extent worth of data however if file size is not block size aligned
+iomap_dio_rw() returns less than what bio_iov_iter_get_pages() set up
+and splice code gets confused leaking a pipe page with the file tail.
+
+Handle the situation similarly to the old direct IO implementation and
+revert iter to actually returned read amount which makes iter consistent
+with value returned from iomap_dio_rw() and thus the splice code is
+happy.
+
+Fixes: ff6a9292e6f6 ("iomap: implement direct I/O")
+CC: stable@vger.kernel.org
+Reported-by: syzbot+991400e8eba7e00a26e1@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/iomap/direct-io.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/iomap/direct-io.c
++++ b/fs/iomap/direct-io.c
+@@ -497,8 +497,15 @@ iomap_dio_rw(struct kiocb *iocb, struct
+ }
+ pos += ret;
+
+- if (iov_iter_rw(iter) == READ && pos >= dio->i_size)
++ if (iov_iter_rw(iter) == READ && pos >= dio->i_size) {
++ /*
++ * We only report that we've read data up to i_size.
++ * Revert iter to a state corresponding to that as
++ * some callers (such as splice code) rely on it.
++ */
++ iov_iter_revert(iter, pos - dio->i_size);
+ break;
++ }
+ } while ((count = iov_iter_count(iter)) > 0);
+ blk_finish_plug(&plug);
+
--- /dev/null
+From 27ed14d0ecb38516b6f3c6fdcd62c25c9454f979 Mon Sep 17 00:00:00 2001
+From: Je Yen Tam <je.yen.tam@ni.com>
+Date: Wed, 27 Nov 2019 15:53:01 +0800
+Subject: Revert "serial/8250: Add support for NI-Serial PXI/PXIe+485 devices"
+
+From: Je Yen Tam <je.yen.tam@ni.com>
+
+commit 27ed14d0ecb38516b6f3c6fdcd62c25c9454f979 upstream.
+
+This reverts commit fdc2de87124f5183a98ea7eced1f76dbdba22951 ("serial/8250:
+Add support for NI-Serial PXI/PXIe+485 devices").
+
+The commit fdc2de87124f ("serial/8250: Add support for NI-Serial
+PXI/PXIe+485 devices") introduced a breakage on NI-Serial PXI(e)-RS485
+devices, RS-232 variants have no issue. The Linux system can enumerate the
+NI-Serial PXI(e)-RS485 devices, but it broke the R/W operation on the
+ports.
+
+However, the implementation is working on the NI internal Linux RT kernel
+but it does not work in the Linux main tree kernel. This is only affecting
+NI products, specifically the RS-485 variants. Reverting the upstream
+until a proper implementation that can apply to both NI internal Linux
+kernel and Linux mainline kernel is figured out.
+
+Signed-off-by: Je Yen Tam <je.yen.tam@ni.com>
+Fixes: fdc2de87124f ("serial/8250: Add support for NI-Serial PXI/PXIe+485 devices")
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191127075301.9866-1-je.yen.tam@ni.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_pci.c | 292 -------------------------------------
+ 1 file changed, 4 insertions(+), 288 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -745,16 +745,8 @@ static int pci_ni8430_init(struct pci_de
+ }
+
+ /* UART Port Control Register */
+-#define NI16550_PCR_OFFSET 0x0f
+-#define NI16550_PCR_RS422 0x00
+-#define NI16550_PCR_ECHO_RS485 0x01
+-#define NI16550_PCR_DTR_RS485 0x02
+-#define NI16550_PCR_AUTO_RS485 0x03
+-#define NI16550_PCR_WIRE_MODE_MASK 0x03
+-#define NI16550_PCR_TXVR_ENABLE_BIT BIT(3)
+-#define NI16550_PCR_RS485_TERMINATION_BIT BIT(6)
+-#define NI16550_ACR_DTR_AUTO_DTR (0x2 << 3)
+-#define NI16550_ACR_DTR_MANUAL_DTR (0x0 << 3)
++#define NI8430_PORTCON 0x0f
++#define NI8430_PORTCON_TXVR_ENABLE (1 << 3)
+
+ static int
+ pci_ni8430_setup(struct serial_private *priv,
+@@ -776,117 +768,14 @@ pci_ni8430_setup(struct serial_private *
+ return -ENOMEM;
+
+ /* enable the transceiver */
+- writeb(readb(p + offset + NI16550_PCR_OFFSET) | NI16550_PCR_TXVR_ENABLE_BIT,
+- p + offset + NI16550_PCR_OFFSET);
++ writeb(readb(p + offset + NI8430_PORTCON) | NI8430_PORTCON_TXVR_ENABLE,
++ p + offset + NI8430_PORTCON);
+
+ iounmap(p);
+
+ return setup_port(priv, port, bar, offset, board->reg_shift);
+ }
+
+-static int pci_ni8431_config_rs485(struct uart_port *port,
+- struct serial_rs485 *rs485)
+-{
+- u8 pcr, acr;
+- struct uart_8250_port *up;
+-
+- up = container_of(port, struct uart_8250_port, port);
+- acr = up->acr;
+- pcr = port->serial_in(port, NI16550_PCR_OFFSET);
+- pcr &= ~NI16550_PCR_WIRE_MODE_MASK;
+-
+- if (rs485->flags & SER_RS485_ENABLED) {
+- /* RS-485 */
+- if ((rs485->flags & SER_RS485_RX_DURING_TX) &&
+- (rs485->flags & SER_RS485_RTS_ON_SEND)) {
+- dev_dbg(port->dev, "Invalid 2-wire mode\n");
+- return -EINVAL;
+- }
+-
+- if (rs485->flags & SER_RS485_RX_DURING_TX) {
+- /* Echo */
+- dev_vdbg(port->dev, "2-wire DTR with echo\n");
+- pcr |= NI16550_PCR_ECHO_RS485;
+- acr |= NI16550_ACR_DTR_MANUAL_DTR;
+- } else {
+- /* Auto or DTR */
+- if (rs485->flags & SER_RS485_RTS_ON_SEND) {
+- /* Auto */
+- dev_vdbg(port->dev, "2-wire Auto\n");
+- pcr |= NI16550_PCR_AUTO_RS485;
+- acr |= NI16550_ACR_DTR_AUTO_DTR;
+- } else {
+- /* DTR-controlled */
+- /* No Echo */
+- dev_vdbg(port->dev, "2-wire DTR no echo\n");
+- pcr |= NI16550_PCR_DTR_RS485;
+- acr |= NI16550_ACR_DTR_MANUAL_DTR;
+- }
+- }
+- } else {
+- /* RS-422 */
+- dev_vdbg(port->dev, "4-wire\n");
+- pcr |= NI16550_PCR_RS422;
+- acr |= NI16550_ACR_DTR_MANUAL_DTR;
+- }
+-
+- dev_dbg(port->dev, "write pcr: 0x%08x\n", pcr);
+- port->serial_out(port, NI16550_PCR_OFFSET, pcr);
+-
+- up->acr = acr;
+- port->serial_out(port, UART_SCR, UART_ACR);
+- port->serial_out(port, UART_ICR, up->acr);
+-
+- /* Update the cache. */
+- port->rs485 = *rs485;
+-
+- return 0;
+-}
+-
+-static int pci_ni8431_setup(struct serial_private *priv,
+- const struct pciserial_board *board,
+- struct uart_8250_port *uart, int idx)
+-{
+- u8 pcr, acr;
+- struct pci_dev *dev = priv->dev;
+- void __iomem *addr;
+- unsigned int bar, offset = board->first_offset;
+-
+- if (idx >= board->num_ports)
+- return 1;
+-
+- bar = FL_GET_BASE(board->flags);
+- offset += idx * board->uart_offset;
+-
+- addr = pci_ioremap_bar(dev, bar);
+- if (!addr)
+- return -ENOMEM;
+-
+- /* enable the transceiver */
+- writeb(readb(addr + NI16550_PCR_OFFSET) | NI16550_PCR_TXVR_ENABLE_BIT,
+- addr + NI16550_PCR_OFFSET);
+-
+- pcr = readb(addr + NI16550_PCR_OFFSET);
+- pcr &= ~NI16550_PCR_WIRE_MODE_MASK;
+-
+- /* set wire mode to default RS-422 */
+- pcr |= NI16550_PCR_RS422;
+- acr = NI16550_ACR_DTR_MANUAL_DTR;
+-
+- /* write port configuration to register */
+- writeb(pcr, addr + NI16550_PCR_OFFSET);
+-
+- /* access and write to UART acr register */
+- writeb(UART_ACR, addr + UART_SCR);
+- writeb(acr, addr + UART_ICR);
+-
+- uart->port.rs485_config = &pci_ni8431_config_rs485;
+-
+- iounmap(addr);
+-
+- return setup_port(priv, uart, bar, offset, board->reg_shift);
+-}
+-
+ static int pci_netmos_9900_setup(struct serial_private *priv,
+ const struct pciserial_board *board,
+ struct uart_8250_port *port, int idx)
+@@ -2023,15 +1912,6 @@ pci_moxa_setup(struct serial_private *pr
+ #define PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM 0x10E9
+ #define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM 0x11D8
+
+-#define PCIE_DEVICE_ID_NI_PXIE8430_2328 0x74C2
+-#define PCIE_DEVICE_ID_NI_PXIE8430_23216 0x74C1
+-#define PCI_DEVICE_ID_NI_PXI8431_4852 0x7081
+-#define PCI_DEVICE_ID_NI_PXI8431_4854 0x70DE
+-#define PCI_DEVICE_ID_NI_PXI8431_4858 0x70E3
+-#define PCI_DEVICE_ID_NI_PXI8433_4852 0x70E9
+-#define PCI_DEVICE_ID_NI_PXI8433_4854 0x70ED
+-#define PCIE_DEVICE_ID_NI_PXIE8431_4858 0x74C4
+-#define PCIE_DEVICE_ID_NI_PXIE8431_48516 0x74C3
+
+ #define PCI_DEVICE_ID_MOXA_CP102E 0x1024
+ #define PCI_DEVICE_ID_MOXA_CP102EL 0x1025
+@@ -2269,87 +2149,6 @@ static struct pci_serial_quirk pci_seria
+ .setup = pci_ni8430_setup,
+ .exit = pci_ni8430_exit,
+ },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCIE_DEVICE_ID_NI_PXIE8430_2328,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8430_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCIE_DEVICE_ID_NI_PXIE8430_23216,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8430_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCI_DEVICE_ID_NI_PXI8431_4852,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCI_DEVICE_ID_NI_PXI8431_4854,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCI_DEVICE_ID_NI_PXI8431_4858,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCI_DEVICE_ID_NI_PXI8433_4852,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCI_DEVICE_ID_NI_PXI8433_4854,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCIE_DEVICE_ID_NI_PXIE8431_4858,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+- {
+- .vendor = PCI_VENDOR_ID_NI,
+- .device = PCIE_DEVICE_ID_NI_PXIE8431_48516,
+- .subvendor = PCI_ANY_ID,
+- .subdevice = PCI_ANY_ID,
+- .init = pci_ni8430_init,
+- .setup = pci_ni8431_setup,
+- .exit = pci_ni8430_exit,
+- },
+ /* Quatech */
+ {
+ .vendor = PCI_VENDOR_ID_QUATECH,
+@@ -3106,13 +2905,6 @@ enum pci_board_num_t {
+ pbn_ni8430_4,
+ pbn_ni8430_8,
+ pbn_ni8430_16,
+- pbn_ni8430_pxie_8,
+- pbn_ni8430_pxie_16,
+- pbn_ni8431_2,
+- pbn_ni8431_4,
+- pbn_ni8431_8,
+- pbn_ni8431_pxie_8,
+- pbn_ni8431_pxie_16,
+ pbn_ADDIDATA_PCIe_1_3906250,
+ pbn_ADDIDATA_PCIe_2_3906250,
+ pbn_ADDIDATA_PCIe_4_3906250,
+@@ -3765,55 +3557,6 @@ static struct pciserial_board pci_boards
+ .uart_offset = 0x10,
+ .first_offset = 0x800,
+ },
+- [pbn_ni8430_pxie_16] = {
+- .flags = FL_BASE0,
+- .num_ports = 16,
+- .base_baud = 3125000,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+- [pbn_ni8430_pxie_8] = {
+- .flags = FL_BASE0,
+- .num_ports = 8,
+- .base_baud = 3125000,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+- [pbn_ni8431_8] = {
+- .flags = FL_BASE0,
+- .num_ports = 8,
+- .base_baud = 3686400,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+- [pbn_ni8431_4] = {
+- .flags = FL_BASE0,
+- .num_ports = 4,
+- .base_baud = 3686400,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+- [pbn_ni8431_2] = {
+- .flags = FL_BASE0,
+- .num_ports = 2,
+- .base_baud = 3686400,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+- [pbn_ni8431_pxie_16] = {
+- .flags = FL_BASE0,
+- .num_ports = 16,
+- .base_baud = 3125000,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+- [pbn_ni8431_pxie_8] = {
+- .flags = FL_BASE0,
+- .num_ports = 8,
+- .base_baud = 3125000,
+- .uart_offset = 0x10,
+- .first_offset = 0x800,
+- },
+ /*
+ * ADDI-DATA GmbH PCI-Express communication cards <info@addi-data.com>
+ */
+@@ -5567,33 +5310,6 @@ static const struct pci_device_id serial
+ { PCI_VENDOR_ID_NI, PCI_DEVICE_ID_NI_PCI8432_2324,
+ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+ pbn_ni8430_4 },
+- { PCI_VENDOR_ID_NI, PCIE_DEVICE_ID_NI_PXIE8430_2328,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8430_pxie_8 },
+- { PCI_VENDOR_ID_NI, PCIE_DEVICE_ID_NI_PXIE8430_23216,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8430_pxie_16 },
+- { PCI_VENDOR_ID_NI, PCI_DEVICE_ID_NI_PXI8431_4852,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_2 },
+- { PCI_VENDOR_ID_NI, PCI_DEVICE_ID_NI_PXI8431_4854,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_4 },
+- { PCI_VENDOR_ID_NI, PCI_DEVICE_ID_NI_PXI8431_4858,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_8 },
+- { PCI_VENDOR_ID_NI, PCIE_DEVICE_ID_NI_PXIE8431_4858,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_pxie_8 },
+- { PCI_VENDOR_ID_NI, PCIE_DEVICE_ID_NI_PXIE8431_48516,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_pxie_16 },
+- { PCI_VENDOR_ID_NI, PCI_DEVICE_ID_NI_PXI8433_4852,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_2 },
+- { PCI_VENDOR_ID_NI, PCI_DEVICE_ID_NI_PXI8433_4854,
+- PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+- pbn_ni8431_4 },
+
+ /*
+ * MOXA
rfkill-allocate-static-minor.patch
bdev-factor-out-bdev-revalidation-into-a-common-helper.patch
bdev-refresh-bdev-size-for-disks-without-partitioning.patch
+iomap-fix-pipe-page-leakage-during-splicing.patch
+thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch
+vcs-prevent-write-access-to-vcsu-devices.patch
+revert-serial-8250-add-support-for-ni-serial-pxi-pxie-485-devices.patch
+binder-fix-race-between-mmap-and-binder_alloc_print_pages.patch
+binder-prevent-repeated-use-of-mmap-via-null-mapping.patch
+binder-handle-start-null-in-binder_update_page_range.patch
--- /dev/null
+From 163b00cde7cf2206e248789d2780121ad5e6a70b Mon Sep 17 00:00:00 2001
+From: Wei Wang <wvw@google.com>
+Date: Tue, 12 Nov 2019 12:42:23 -0800
+Subject: thermal: Fix deadlock in thermal thermal_zone_device_check
+
+From: Wei Wang <wvw@google.com>
+
+commit 163b00cde7cf2206e248789d2780121ad5e6a70b upstream.
+
+1851799e1d29 ("thermal: Fix use-after-free when unregistering thermal zone
+device") changed cancel_delayed_work to cancel_delayed_work_sync to avoid
+a use-after-free issue. However, cancel_delayed_work_sync could be called
+insides the WQ causing deadlock.
+
+[54109.642398] c0 1162 kworker/u17:1 D 0 11030 2 0x00000000
+[54109.642437] c0 1162 Workqueue: thermal_passive_wq thermal_zone_device_check
+[54109.642447] c0 1162 Call trace:
+[54109.642456] c0 1162 __switch_to+0x138/0x158
+[54109.642467] c0 1162 __schedule+0xba4/0x1434
+[54109.642480] c0 1162 schedule_timeout+0xa0/0xb28
+[54109.642492] c0 1162 wait_for_common+0x138/0x2e8
+[54109.642511] c0 1162 flush_work+0x348/0x40c
+[54109.642522] c0 1162 __cancel_work_timer+0x180/0x218
+[54109.642544] c0 1162 handle_thermal_trip+0x2c4/0x5a4
+[54109.642553] c0 1162 thermal_zone_device_update+0x1b4/0x25c
+[54109.642563] c0 1162 thermal_zone_device_check+0x18/0x24
+[54109.642574] c0 1162 process_one_work+0x3cc/0x69c
+[54109.642583] c0 1162 worker_thread+0x49c/0x7c0
+[54109.642593] c0 1162 kthread+0x17c/0x1b0
+[54109.642602] c0 1162 ret_from_fork+0x10/0x18
+[54109.643051] c0 1162 kworker/u17:2 D 0 16245 2 0x00000000
+[54109.643067] c0 1162 Workqueue: thermal_passive_wq thermal_zone_device_check
+[54109.643077] c0 1162 Call trace:
+[54109.643085] c0 1162 __switch_to+0x138/0x158
+[54109.643095] c0 1162 __schedule+0xba4/0x1434
+[54109.643104] c0 1162 schedule_timeout+0xa0/0xb28
+[54109.643114] c0 1162 wait_for_common+0x138/0x2e8
+[54109.643122] c0 1162 flush_work+0x348/0x40c
+[54109.643131] c0 1162 __cancel_work_timer+0x180/0x218
+[54109.643141] c0 1162 handle_thermal_trip+0x2c4/0x5a4
+[54109.643150] c0 1162 thermal_zone_device_update+0x1b4/0x25c
+[54109.643159] c0 1162 thermal_zone_device_check+0x18/0x24
+[54109.643167] c0 1162 process_one_work+0x3cc/0x69c
+[54109.643177] c0 1162 worker_thread+0x49c/0x7c0
+[54109.643186] c0 1162 kthread+0x17c/0x1b0
+[54109.643195] c0 1162 ret_from_fork+0x10/0x18
+[54109.644500] c0 1162 cat D 0 7766 1 0x00000001
+[54109.644515] c0 1162 Call trace:
+[54109.644524] c0 1162 __switch_to+0x138/0x158
+[54109.644536] c0 1162 __schedule+0xba4/0x1434
+[54109.644546] c0 1162 schedule_preempt_disabled+0x80/0xb0
+[54109.644555] c0 1162 __mutex_lock+0x3a8/0x7f0
+[54109.644563] c0 1162 __mutex_lock_slowpath+0x14/0x20
+[54109.644575] c0 1162 thermal_zone_get_temp+0x84/0x360
+[54109.644586] c0 1162 temp_show+0x30/0x78
+[54109.644609] c0 1162 dev_attr_show+0x5c/0xf0
+[54109.644628] c0 1162 sysfs_kf_seq_show+0xcc/0x1a4
+[54109.644636] c0 1162 kernfs_seq_show+0x48/0x88
+[54109.644656] c0 1162 seq_read+0x1f4/0x73c
+[54109.644664] c0 1162 kernfs_fop_read+0x84/0x318
+[54109.644683] c0 1162 __vfs_read+0x50/0x1bc
+[54109.644692] c0 1162 vfs_read+0xa4/0x140
+[54109.644701] c0 1162 SyS_read+0xbc/0x144
+[54109.644708] c0 1162 el0_svc_naked+0x34/0x38
+[54109.845800] c0 1162 D 720.000s 1->7766->7766 cat [panic]
+
+Fixes: 1851799e1d29 ("thermal: Fix use-after-free when unregistering thermal zone device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wei Wang <wvw@google.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thermal/thermal_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -304,7 +304,7 @@ static void thermal_zone_device_set_poll
+ &tz->poll_queue,
+ msecs_to_jiffies(delay));
+ else
+- cancel_delayed_work_sync(&tz->poll_queue);
++ cancel_delayed_work(&tz->poll_queue);
+ }
+
+ static void monitor_thermal_zone(struct thermal_zone_device *tz)
+@@ -1414,7 +1414,7 @@ void thermal_zone_device_unregister(stru
+
+ mutex_unlock(&thermal_list_lock);
+
+- thermal_zone_device_set_polling(tz, 0);
++ cancel_delayed_work_sync(&tz->poll_queue);
+
+ thermal_set_governor(tz, NULL);
+
--- /dev/null
+From 0c9acb1af77a3cb8707e43f45b72c95266903cee Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nico@fluxnic.net>
+Date: Tue, 5 Nov 2019 10:33:16 +0100
+Subject: vcs: prevent write access to vcsu devices
+
+From: Nicolas Pitre <nico@fluxnic.net>
+
+commit 0c9acb1af77a3cb8707e43f45b72c95266903cee upstream.
+
+Commit d21b0be246bf ("vt: introduce unicode mode for /dev/vcs") guarded
+against using devices containing attributes as this is not yet
+implemented. It however failed to guard against writes to any devices
+as this is also unimplemented.
+
+Reported-by: Or Cohen <orcohen@paloaltonetworks.com>
+Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
+Cc: <stable@vger.kernel.org> # v4.19+
+Cc: Jiri Slaby <jslaby@suse.com>
+Fixes: d21b0be246bf ("vt: introduce unicode mode for /dev/vcs")
+Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.1911051030580.30289@knanqh.ubzr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vc_screen.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -456,6 +456,9 @@ vcs_write(struct file *file, const char
+ size_t ret;
+ char *con_buf;
+
++ if (use_unicode(inode))
++ return -EOPNOTSUPP;
++
+ con_buf = (char *) __get_free_page(GFP_KERNEL);
+ if (!con_buf)
+ return -ENOMEM;
projects / thirdparty / kernel / stable-queue.git / commitdiff
