--- /dev/null
+From a8394090a9129b40f9d90dcb7f4a49d60c727ca6 Mon Sep 17 00:00:00 2001
+From: Tang Junhui <tang.junhui@zte.com.cn>
+Date: Wed, 6 Sep 2017 14:25:56 +0800
+Subject: bcache: correct cache_dirty_target in __update_writeback_rate()
+
+From: Tang Junhui <tang.junhui@zte.com.cn>
+
+commit a8394090a9129b40f9d90dcb7f4a49d60c727ca6 upstream.
+
+__update_write_rate() uses a Proportion-Differentiation Controller
+algorithm to control writeback rate. A dirty target number is used in
+this PD controller to control writeback rate. A larger target number
+will make the writeback rate smaller, on the versus, a smaller target
+number will make the writeback rate larger.
+
+bcache uses the following steps to calculate the target number,
+1) cache_sectors = all-buckets-of-cache-set * buckets-size
+2) cache_dirty_target = cache_sectors * cached-device-writeback_percent
+3) target = cache_dirty_target *
+(sectors-of-cached-device/sectors-of-all-cached-devices-of-this-cache-set)
+
+The calculation at step 1) for cache_sectors is incorrect, which does
+not consider dirty blocks occupied by flash only volume.
+
+A flash only volume can be took as a bcache device without cached
+device. All data sectors allocated for it are persistent on cache device
+and marked dirty, they are not touched by bcache writeback and garbage
+collection code. So data blocks of flash only volume should be ignore
+when calculating cache_sectors of cache set.
+
+Current code does not subtract dirty sectors of flash only volume, which
+results a larger target number from the above 3 steps. And in sequence
+the cache device's writeback rate is smaller then a correct value,
+writeback speed is slower on all cached devices.
+
+This patch fixes the incorrect slower writeback rate by subtracting
+dirty sectors of flash only volumes in __update_writeback_rate().
+
+(Commit log composed by Coly Li to pass checkpatch.pl checking)
+
+Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/writeback.c | 3 ++-
+ drivers/md/bcache/writeback.h | 19 +++++++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -20,7 +20,8 @@
+ static void __update_writeback_rate(struct cached_dev *dc)
+ {
+ struct cache_set *c = dc->disk.c;
+- uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size;
++ uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size -
++ bcache_flash_devs_sectors_dirty(c);
+ uint64_t cache_dirty_target =
+ div_u64(cache_sectors * dc->writeback_percent, 100);
+
+--- a/drivers/md/bcache/writeback.h
++++ b/drivers/md/bcache/writeback.h
+@@ -14,6 +14,25 @@ static inline uint64_t bcache_dev_sector
+ return ret;
+ }
+
++static inline uint64_t bcache_flash_devs_sectors_dirty(struct cache_set *c)
++{
++ uint64_t i, ret = 0;
++
++ mutex_lock(&bch_register_lock);
++
++ for (i = 0; i < c->nr_uuids; i++) {
++ struct bcache_device *d = c->devices[i];
++
++ if (!d || !UUID_FLASH_ONLY(&c->uuids[i]))
++ continue;
++ ret += bcache_dev_sectors_dirty(d);
++ }
++
++ mutex_unlock(&bch_register_lock);
++
++ return ret;
++}
++
+ static inline unsigned offset_to_stripe(struct bcache_device *d,
+ uint64_t offset)
+ {
--- /dev/null
+From 77fa100f27475d08a569b9d51c17722130f089e7 Mon Sep 17 00:00:00 2001
+From: Tony Asleson <tasleson@redhat.com>
+Date: Wed, 6 Sep 2017 14:25:57 +0800
+Subject: bcache: Correct return value for sysfs attach errors
+
+From: Tony Asleson <tasleson@redhat.com>
+
+commit 77fa100f27475d08a569b9d51c17722130f089e7 upstream.
+
+If you encounter any errors in bch_cached_dev_attach it will return
+a negative error code. The variable 'v' which stores the result is
+unsigned, thus user space sees a very large value returned for bytes
+written which can cause incorrect user space behavior. Utilize 1
+signed variable to use throughout the function to preserve error return
+capability.
+
+Signed-off-by: Tony Asleson <tasleson@redhat.com>
+Acked-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/sysfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bcache/sysfs.c
++++ b/drivers/md/bcache/sysfs.c
+@@ -191,7 +191,7 @@ STORE(__cached_dev)
+ {
+ struct cached_dev *dc = container_of(kobj, struct cached_dev,
+ disk.kobj);
+- unsigned v = size;
++ ssize_t v = size;
+ struct cache_set *c;
+ struct kobj_uevent_env *env;
+
+@@ -226,7 +226,7 @@ STORE(__cached_dev)
+ bch_cached_dev_run(dc);
+
+ if (attr == &sysfs_cache_mode) {
+- ssize_t v = bch_read_string_list(buf, bch_cache_modes + 1);
++ v = bch_read_string_list(buf, bch_cache_modes + 1);
+
+ if (v < 0)
+ return v;
--- /dev/null
+From 69daf03adef5f7bc13e0ac86b4b8007df1767aab Mon Sep 17 00:00:00 2001
+From: Tang Junhui <tang.junhui@zte.com.cn>
+Date: Wed, 6 Sep 2017 14:25:53 +0800
+Subject: bcache: do not subtract sectors_to_gc for bypassed IO
+
+From: Tang Junhui <tang.junhui@zte.com.cn>
+
+commit 69daf03adef5f7bc13e0ac86b4b8007df1767aab upstream.
+
+Since bypassed IOs use no bucket, so do not subtract sectors_to_gc to
+trigger gc thread.
+
+Signed-off-by: tang.junhui <tang.junhui@zte.com.cn>
+Acked-by: Coly Li <colyli@suse.de>
+Reviewed-by: Eric Wheeler <bcache@linux.ewheeler.net>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/request.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -196,12 +196,12 @@ static void bch_data_insert_start(struct
+ struct data_insert_op *op = container_of(cl, struct data_insert_op, cl);
+ struct bio *bio = op->bio, *n;
+
+- if (atomic_sub_return(bio_sectors(bio), &op->c->sectors_to_gc) < 0)
+- wake_up_gc(op->c);
+-
+ if (op->bypass)
+ return bch_data_invalidate(cl);
+
++ if (atomic_sub_return(bio_sectors(bio), &op->c->sectors_to_gc) < 0)
++ wake_up_gc(op->c);
++
+ /*
+ * Journal writes are marked REQ_PREFLUSH; if the original write was a
+ * flush, it'll wait on the journal write.
--- /dev/null
+From 9276717b9e297a62d1151a43d1cd286213f68eb7 Mon Sep 17 00:00:00 2001
+From: Michael Lyle <mlyle@lyle.org>
+Date: Wed, 6 Sep 2017 14:26:02 +0800
+Subject: bcache: fix bch_hprint crash and improve output
+
+From: Michael Lyle <mlyle@lyle.org>
+
+commit 9276717b9e297a62d1151a43d1cd286213f68eb7 upstream.
+
+Most importantly, solve a crash where %llu was used to format signed
+numbers. This would cause a buffer overflow when reading sysfs
+writeback_rate_debug, as only 20 bytes were allocated for this and
+%llu writes 20 characters plus a null.
+
+Always use the units mechanism rather than having different output
+paths for simplicity.
+
+Also, correct problems with display output where 1.10 was a larger
+number than 1.09, by multiplying by 10 and then dividing by 1024 instead
+of dividing by 100. (Remainders of >= 1000 would print as .10).
+
+Minor changes: Always display the decimal point instead of trying to
+omit it based on number of digits shown. Decide what units to use
+based on 1000 as a threshold, not 1024 (in other words, always print
+at most 3 digits before the decimal point).
+
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Reported-by: Dmitry Yu Okunev <dyokunev@ut.mephi.ru>
+Acked-by: Kent Overstreet <kent.overstreet@gmail.com>
+Reviewed-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/util.c | 46 +++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 33 insertions(+), 13 deletions(-)
+
+--- a/drivers/md/bcache/util.c
++++ b/drivers/md/bcache/util.c
+@@ -73,24 +73,44 @@ STRTO_H(strtouint, unsigned int)
+ STRTO_H(strtoll, long long)
+ STRTO_H(strtoull, unsigned long long)
+
++/**
++ * bch_hprint() - formats @v to human readable string for sysfs.
++ *
++ * @v - signed 64 bit integer
++ * @buf - the (at least 8 byte) buffer to format the result into.
++ *
++ * Returns the number of bytes used by format.
++ */
+ ssize_t bch_hprint(char *buf, int64_t v)
+ {
+ static const char units[] = "?kMGTPEZY";
+- char dec[4] = "";
+- int u, t = 0;
++ int u = 0, t;
+
+- for (u = 0; v >= 1024 || v <= -1024; u++) {
+- t = v & ~(~0 << 10);
+- v >>= 10;
+- }
++ uint64_t q;
+
+- if (!u)
+- return sprintf(buf, "%llu", v);
+-
+- if (v < 100 && v > -100)
+- snprintf(dec, sizeof(dec), ".%i", t / 100);
+-
+- return sprintf(buf, "%lli%s%c", v, dec, units[u]);
++ if (v < 0)
++ q = -v;
++ else
++ q = v;
++
++ /* For as long as the number is more than 3 digits, but at least
++ * once, shift right / divide by 1024. Keep the remainder for
++ * a digit after the decimal point.
++ */
++ do {
++ u++;
++
++ t = q & ~(~0 << 10);
++ q >>= 10;
++ } while (q >= 1000);
++
++ if (v < 0)
++ /* '-', up to 3 digits, '.', 1 digit, 1 character, null;
++ * yields 8 bytes.
++ */
++ return sprintf(buf, "-%llu.%i%c", q, t * 10 / 1024, units[u]);
++ else
++ return sprintf(buf, "%llu.%i%c", q, t * 10 / 1024, units[u]);
+ }
+
+ ssize_t bch_snprint_string_list(char *buf, size_t size, const char * const list[],
--- /dev/null
+From 9baf30972b5568d8b5bc8b3c46a6ec5b58100463 Mon Sep 17 00:00:00 2001
+From: Tang Junhui <tang.junhui@zte.com.cn>
+Date: Wed, 6 Sep 2017 14:25:59 +0800
+Subject: bcache: fix for gc and write-back race
+
+From: Tang Junhui <tang.junhui@zte.com.cn>
+
+commit 9baf30972b5568d8b5bc8b3c46a6ec5b58100463 upstream.
+
+gc and write-back get raced (see the email "bcache get stucked" I sended
+before):
+gc thread write-back thread
+| |bch_writeback_thread()
+|bch_gc_thread() |
+| |==>read_dirty()
+|==>bch_btree_gc() |
+|==>btree_root() //get btree root |
+| //node write locker |
+|==>bch_btree_gc_root() |
+| |==>read_dirty_submit()
+| |==>write_dirty()
+| |==>continue_at(cl,
+| | write_dirty_finish,
+| | system_wq);
+| |==>write_dirty_finish()//excute
+| | //in system_wq
+| |==>bch_btree_insert()
+| |==>bch_btree_map_leaf_nodes()
+| |==>__bch_btree_map_nodes()
+| |==>btree_root //try to get btree
+| | //root node read
+| | //lock
+| |-----stuck here
+|==>bch_btree_set_root()
+|==>bch_journal_meta()
+|==>bch_journal()
+|==>journal_try_write()
+|==>journal_write_unlocked() //journal_full(&c->journal)
+| //condition satisfied
+|==>continue_at(cl, journal_write, system_wq); //try to excute
+| //journal_write in system_wq
+| //but work queue is excuting
+| //write_dirty_finish()
+|==>closure_sync(); //wait journal_write execute
+| //over and wake up gc,
+|-------------stuck here
+|==>release root node write locker
+
+This patch alloc a separate work-queue for write-back thread to avoid such
+race.
+
+(Commit log re-organized by Coly Li to pass checkpatch.pl checking)
+
+Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
+Acked-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/bcache.h | 1 +
+ drivers/md/bcache/super.c | 2 ++
+ drivers/md/bcache/writeback.c | 9 +++++++--
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bcache/bcache.h
++++ b/drivers/md/bcache/bcache.h
+@@ -333,6 +333,7 @@ struct cached_dev {
+ /* Limit number of writeback bios in flight */
+ struct semaphore in_flight;
+ struct task_struct *writeback_thread;
++ struct workqueue_struct *writeback_write_wq;
+
+ struct keybuf writeback_keys;
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1058,6 +1058,8 @@ static void cached_dev_free(struct closu
+ cancel_delayed_work_sync(&dc->writeback_rate_update);
+ if (!IS_ERR_OR_NULL(dc->writeback_thread))
+ kthread_stop(dc->writeback_thread);
++ if (dc->writeback_write_wq)
++ destroy_workqueue(dc->writeback_write_wq);
+
+ mutex_lock(&bch_register_lock);
+
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -187,7 +187,7 @@ static void write_dirty(struct closure *
+
+ closure_bio_submit(&io->bio, cl);
+
+- continue_at(cl, write_dirty_finish, system_wq);
++ continue_at(cl, write_dirty_finish, io->dc->writeback_write_wq);
+ }
+
+ static void read_dirty_endio(struct bio *bio)
+@@ -207,7 +207,7 @@ static void read_dirty_submit(struct clo
+
+ closure_bio_submit(&io->bio, cl);
+
+- continue_at(cl, write_dirty, system_wq);
++ continue_at(cl, write_dirty, io->dc->writeback_write_wq);
+ }
+
+ static void read_dirty(struct cached_dev *dc)
+@@ -517,6 +517,11 @@ void bch_cached_dev_writeback_init(struc
+
+ int bch_cached_dev_writeback_start(struct cached_dev *dc)
+ {
++ dc->writeback_write_wq = alloc_workqueue("bcache_writeback_wq",
++ WQ_MEM_RECLAIM, 0);
++ if (!dc->writeback_write_wq)
++ return -ENOMEM;
++
+ dc->writeback_thread = kthread_create(bch_writeback_thread, dc,
+ "bcache_writeback");
+ if (IS_ERR(dc->writeback_thread))
--- /dev/null
+From 4b758df21ee7081ab41448d21d60367efaa625b3 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 6 Sep 2017 14:25:51 +0800
+Subject: bcache: Fix leak of bdev reference
+
+From: Jan Kara <jack@suse.cz>
+
+commit 4b758df21ee7081ab41448d21d60367efaa625b3 upstream.
+
+If blkdev_get_by_path() in register_bcache() fails, we try to lookup the
+block device using lookup_bdev() to detect which situation we are in to
+properly report error. However we never drop the reference returned to
+us from lookup_bdev(). Fix that.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Acked-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1968,6 +1968,8 @@ static ssize_t register_bcache(struct ko
+ else
+ err = "device busy";
+ mutex_unlock(&bch_register_lock);
++ if (!IS_ERR(bdev))
++ bdput(bdev);
+ if (attr == &ksysfs_register_quiet)
+ goto out;
+ }
--- /dev/null
+From 175206cf9ab63161dec74d9cd7f9992e062491f5 Mon Sep 17 00:00:00 2001
+From: Tang Junhui <tang.junhui@zte.com.cn>
+Date: Thu, 7 Sep 2017 01:28:53 +0800
+Subject: bcache: initialize dirty stripes in flash_dev_run()
+
+From: Tang Junhui <tang.junhui@zte.com.cn>
+
+commit 175206cf9ab63161dec74d9cd7f9992e062491f5 upstream.
+
+bcache uses a Proportion-Differentiation Controller algorithm to control
+writeback rate to cached devices. In the PD controller algorithm, dirty
+stripes of thin flash device should not be counted in, because flash only
+volumes never write back dirty data.
+
+Currently dirty stripe counter for thin flash device is not initialized
+when the thin flash device starts. Which means the following calculation
+in PD controller will reference an undefined dirty stripes number, and
+all cached devices attached to the same cache set where the thin flash
+device lies on may have an inaccurate writeback rate.
+
+This patch calles bch_sectors_dirty_init() in flash_dev_run(), to
+correctly initialize dirty stripe counter when the thin flash device
+starts to run. This patch also does following parameter data type change,
+ -void bch_sectors_dirty_init(struct cached_dev *dc);
+ +void bch_sectors_dirty_init(struct bcache_device *);
+to call this function conveniently in flash_dev_run().
+
+(Commit log is composed by Coly Li)
+
+Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/super.c | 3 ++-
+ drivers/md/bcache/writeback.c | 8 ++++----
+ drivers/md/bcache/writeback.h | 2 +-
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1025,7 +1025,7 @@ int bch_cached_dev_attach(struct cached_
+ }
+
+ if (BDEV_STATE(&dc->sb) == BDEV_STATE_DIRTY) {
+- bch_sectors_dirty_init(dc);
++ bch_sectors_dirty_init(&dc->disk);
+ atomic_set(&dc->has_dirty, 1);
+ atomic_inc(&dc->count);
+ bch_writeback_queue(dc);
+@@ -1229,6 +1229,7 @@ static int flash_dev_run(struct cache_se
+ goto err;
+
+ bcache_device_attach(d, c, u - c->uuids);
++ bch_sectors_dirty_init(d);
+ bch_flash_dev_request_init(d);
+ add_disk(d->disk);
+
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -482,17 +482,17 @@ static int sectors_dirty_init_fn(struct
+ return MAP_CONTINUE;
+ }
+
+-void bch_sectors_dirty_init(struct cached_dev *dc)
++void bch_sectors_dirty_init(struct bcache_device *d)
+ {
+ struct sectors_dirty_init op;
+
+ bch_btree_op_init(&op.op, -1);
+- op.inode = dc->disk.id;
++ op.inode = d->id;
+
+- bch_btree_map_keys(&op.op, dc->disk.c, &KEY(op.inode, 0, 0),
++ bch_btree_map_keys(&op.op, d->c, &KEY(op.inode, 0, 0),
+ sectors_dirty_init_fn, 0);
+
+- dc->disk.sectors_dirty_last = bcache_dev_sectors_dirty(&dc->disk);
++ d->sectors_dirty_last = bcache_dev_sectors_dirty(d);
+ }
+
+ void bch_cached_dev_writeback_init(struct cached_dev *dc)
+--- a/drivers/md/bcache/writeback.h
++++ b/drivers/md/bcache/writeback.h
+@@ -85,7 +85,7 @@ static inline void bch_writeback_add(str
+
+ void bcache_dev_sectors_dirty_add(struct cache_set *, unsigned, uint64_t, int);
+
+-void bch_sectors_dirty_init(struct cached_dev *dc);
++void bch_sectors_dirty_init(struct bcache_device *);
+ void bch_cached_dev_writeback_init(struct cached_dev *);
+ int bch_cached_dev_writeback_start(struct cached_dev *);
+
--- /dev/null
+From 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Tue, 8 Aug 2017 08:56:21 -0400
+Subject: media: uvcvideo: Prevent heap overflow when accessing mapped controls
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba upstream.
+
+The size of uvc_control_mapping is user controlled leading to a
+potential heap overflow in the uvc driver. This adds a check to verify
+the user provided size fits within the bounds of the defined buffer
+size.
+
+Originally-from: Richard Simmons <rssimmo@amazon.com>
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -2002,6 +2002,13 @@ int uvc_ctrl_add_mapping(struct uvc_vide
+ goto done;
+ }
+
++ /* Validate the user-provided bit-size and offset */
++ if (mapping->size > 32 ||
++ mapping->offset + mapping->size > ctrl->info.size * 8) {
++ ret = -EINVAL;
++ goto done;
++ }
++
+ list_for_each_entry(map, &ctrl->info.mappings, list) {
+ if (mapping->id == map->id) {
+ uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "
--- /dev/null
+From 9c7ba1d7634cef490b85bc64c4091ff004821bfd Mon Sep 17 00:00:00 2001
+From: Daniel Mentz <danielmentz@google.com>
+Date: Wed, 2 Aug 2017 23:42:17 -0400
+Subject: media: v4l2-compat-ioctl32: Fix timespec conversion
+
+From: Daniel Mentz <danielmentz@google.com>
+
+commit 9c7ba1d7634cef490b85bc64c4091ff004821bfd upstream.
+
+Certain syscalls like recvmmsg support 64 bit timespec values for the
+X32 ABI. The helper function compat_put_timespec converts a timespec
+value to a 32 bit or 64 bit value depending on what ABI is used. The
+v4l2 compat layer, however, is not designed to support 64 bit timespec
+values and always uses 32 bit values. Hence, compat_put_timespec must
+not be used.
+
+Without this patch, user space will be provided with bad timestamp
+values from the VIDIOC_DQEVENT ioctl. Also, fields of the struct
+v4l2_event32 that come immediately after timestamp get overwritten,
+namely the field named id.
+
+Fixes: 81993e81a994 ("compat: Get rid of (get|put)_compat_time(val|spec)")
+Cc: H. Peter Anvin <hpa@linux.intel.com>
+Cc: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Cc: Tiffany Lin <tiffany.lin@mediatek.com>
+Cc: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Daniel Mentz <danielmentz@google.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -773,7 +773,8 @@ static int put_v4l2_event32(struct v4l2_
+ copy_to_user(&up->u, &kp->u, sizeof(kp->u)) ||
+ put_user(kp->pending, &up->pending) ||
+ put_user(kp->sequence, &up->sequence) ||
+- compat_put_timespec(&kp->timestamp, &up->timestamp) ||
++ put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
++ put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) ||
+ put_user(kp->id, &up->id) ||
+ copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32)))
+ return -EFAULT;
--- /dev/null
+From 9e14de1077e9c34f141cf98bdba60cdd5193d962 Mon Sep 17 00:00:00 2001
+From: Chanwoo Choi <cw00.choi@samsung.com>
+Date: Thu, 24 Aug 2017 10:42:48 +0900
+Subject: PM / devfreq: Fix memory leak when fail to register device
+
+From: Chanwoo Choi <cw00.choi@samsung.com>
+
+commit 9e14de1077e9c34f141cf98bdba60cdd5193d962 upstream.
+
+When the devfreq_add_device fails to register deivce, the memory
+leak of devfreq instance happen. So, this patch fix the memory
+leak issue. Before freeing the devfreq instance checks whether
+devfreq instance is NULL or not because the device_unregister()
+frees the devfreq instance when jumping to the 'err_init'.
+It is to prevent the duplicate the kfee(devfreq).
+
+Fixes: ac4b281176a5 ("PM / devfreq: fix duplicated kfree on devfreq pointer")
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/devfreq/devfreq.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -574,7 +574,7 @@ struct devfreq *devfreq_add_device(struc
+ err = device_register(&devfreq->dev);
+ if (err) {
+ mutex_unlock(&devfreq->lock);
+- goto err_out;
++ goto err_dev;
+ }
+
+ devfreq->trans_table = devm_kzalloc(&devfreq->dev, sizeof(unsigned int) *
+@@ -618,6 +618,9 @@ err_init:
+ mutex_unlock(&devfreq_list_lock);
+
+ device_unregister(&devfreq->dev);
++err_dev:
++ if (devfreq)
++ kfree(devfreq);
+ err_out:
+ return ERR_PTR(err);
+ }
net-netfilter-nf_conntrack_core-fix-net_conntrack_lock.patch
s390-mm-fix-local-tlb-flushing-vs.-detach-of-an-mm-address-space.patch
s390-mm-fix-race-on-mm-context.flush_mm.patch
+media-v4l2-compat-ioctl32-fix-timespec-conversion.patch
+media-uvcvideo-prevent-heap-overflow-when-accessing-mapped-controls.patch
+pm-devfreq-fix-memory-leak-when-fail-to-register-device.patch
+bcache-initialize-dirty-stripes-in-flash_dev_run.patch
+bcache-fix-leak-of-bdev-reference.patch
+bcache-do-not-subtract-sectors_to_gc-for-bypassed-io.patch
+bcache-correct-cache_dirty_target-in-__update_writeback_rate.patch
+bcache-correct-return-value-for-sysfs-attach-errors.patch
+bcache-fix-for-gc-and-write-back-race.patch
+bcache-fix-bch_hprint-crash-and-improve-output.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
