--- /dev/null
+From 39675f7a7c7e7702f7d5341f1e0d01db746543a0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 17 Jul 2018 17:26:43 +0200
+Subject: ALSA: rawmidi: Change resized buffers atomically
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 39675f7a7c7e7702f7d5341f1e0d01db746543a0 upstream.
+
+The SNDRV_RAWMIDI_IOCTL_PARAMS ioctl may resize the buffers and the
+current code is racy. For example, the sequencer client may write to
+buffer while it being resized.
+
+As a simple workaround, let's switch to the resized buffer inside the
+stream runtime lock.
+
+Reported-by: syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/rawmidi.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -645,7 +645,7 @@ static int snd_rawmidi_info_select_user(
+ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
+ struct snd_rawmidi_params * params)
+ {
+- char *newbuf;
++ char *newbuf, *oldbuf;
+ struct snd_rawmidi_runtime *runtime = substream->runtime;
+
+ if (substream->append && substream->use_count > 1)
+@@ -658,13 +658,17 @@ int snd_rawmidi_output_params(struct snd
+ return -EINVAL;
+ }
+ if (params->buffer_size != runtime->buffer_size) {
+- newbuf = krealloc(runtime->buffer, params->buffer_size,
+- GFP_KERNEL);
++ newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
+ if (!newbuf)
+ return -ENOMEM;
++ spin_lock_irq(&runtime->lock);
++ oldbuf = runtime->buffer;
+ runtime->buffer = newbuf;
+ runtime->buffer_size = params->buffer_size;
+ runtime->avail = runtime->buffer_size;
++ runtime->appl_ptr = runtime->hw_ptr = 0;
++ spin_unlock_irq(&runtime->lock);
++ kfree(oldbuf);
+ }
+ runtime->avail_min = params->avail_min;
+ substream->active_sensing = !params->no_active_sensing;
+@@ -675,7 +679,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params)
+ int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream,
+ struct snd_rawmidi_params * params)
+ {
+- char *newbuf;
++ char *newbuf, *oldbuf;
+ struct snd_rawmidi_runtime *runtime = substream->runtime;
+
+ snd_rawmidi_drain_input(substream);
+@@ -686,12 +690,16 @@ int snd_rawmidi_input_params(struct snd_
+ return -EINVAL;
+ }
+ if (params->buffer_size != runtime->buffer_size) {
+- newbuf = krealloc(runtime->buffer, params->buffer_size,
+- GFP_KERNEL);
++ newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
+ if (!newbuf)
+ return -ENOMEM;
++ spin_lock_irq(&runtime->lock);
++ oldbuf = runtime->buffer;
+ runtime->buffer = newbuf;
+ runtime->buffer_size = params->buffer_size;
++ runtime->appl_ptr = runtime->hw_ptr = 0;
++ spin_unlock_irq(&runtime->lock);
++ kfree(oldbuf);
+ }
+ runtime->avail_min = params->avail_min;
+ return 0;
--- /dev/null
+From 6e3761145a9ba3ce267c330b6bff51cf6a057b06 Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin <abrodkin@synopsys.com>
+Date: Thu, 28 Jun 2018 16:59:14 -0700
+Subject: ARC: Fix CONFIG_SWAP
+
+From: Alexey Brodkin <abrodkin@synopsys.com>
+
+commit 6e3761145a9ba3ce267c330b6bff51cf6a057b06 upstream.
+
+swap was broken on ARC due to silly copy-paste issue.
+
+We encode offset from swapcache page in __swp_entry() as (off << 13) but
+were not decoding back in __swp_offset() as (off >> 13) - it was still
+(off << 13).
+
+This finally fixes swap usage on ARC.
+
+| # mkswap /dev/sda2
+|
+| # swapon -a -e /dev/sda2
+| Adding 500728k swap on /dev/sda2. Priority:-2 extents:1 across:500728k
+|
+| # free
+| total used free shared buffers cached
+| Mem: 765104 13456 751648 4736 8 4736
+| -/+ buffers/cache: 8712 756392
+| Swap: 500728 0 500728
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/pgtable.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/pgtable.h
++++ b/arch/arc/include/asm/pgtable.h
+@@ -372,7 +372,7 @@ void update_mmu_cache(struct vm_area_str
+
+ /* Decode a PTE containing swap "identifier "into constituents */
+ #define __swp_type(pte_lookalike) (((pte_lookalike).val) & 0x1f)
+-#define __swp_offset(pte_lookalike) ((pte_lookalike).val << 13)
++#define __swp_offset(pte_lookalike) ((pte_lookalike).val >> 13)
+
+ /* NOPs, to keep generic kernel happy */
+ #define __pte_to_swp_entry(pte) ((swp_entry_t) { pte_val(pte) })
--- /dev/null
+From 93312b6da4df31e4102ce5420e6217135a16c7ea Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Wed, 11 Jul 2018 10:42:20 -0700
+Subject: ARC: mm: allow mprotect to make stack mappings executable
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 93312b6da4df31e4102ce5420e6217135a16c7ea upstream.
+
+mprotect(EXEC) was failing for stack mappings as default vm flags was
+missing MAYEXEC.
+
+This was triggered by glibc test suite nptl/tst-execstack testcase
+
+What is surprising is that despite running LTP for years on, we didn't
+catch this issue as it lacks a directed test case.
+
+gcc dejagnu tests with nested functions also requiring exec stack work
+fine though because they rely on the GNU_STACK segment spit out by
+compiler and handled in kernel elf loader.
+
+This glibc case is different as the stack is non exec to begin with and
+a dlopen of shared lib with GNU_STACK segment triggers the exec stack
+proceedings using a mprotect(PROT_EXEC) which was broken.
+
+CC: stable@vger.kernel.org
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/page.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/page.h
++++ b/arch/arc/include/asm/page.h
+@@ -97,7 +97,7 @@ typedef unsigned long pgtable_t;
+ #define virt_addr_valid(kaddr) pfn_valid(__pa(kaddr) >> PAGE_SHIFT)
+
+ /* Default Permissions for stack/heaps pages (Non Executable) */
+-#define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE)
++#define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+
+ #define WANT_PAGE_VIRTUAL 1
+
--- /dev/null
+From 35033ab988c396ad7bce3b6d24060c16a9066db8 Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Fri, 20 Jul 2018 17:53:42 -0700
+Subject: fat: fix memory allocation failure handling of match_strdup()
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+commit 35033ab988c396ad7bce3b6d24060c16a9066db8 upstream.
+
+In parse_options(), if match_strdup() failed, parse_options() leaves
+opts->iocharset in unexpected state (i.e. still pointing the freed
+string). And this can be the cause of double free.
+
+To fix, this initialize opts->iocharset always when freeing.
+
+Link: http://lkml.kernel.org/r/8736wp9dzc.fsf@mail.parknet.co.jp
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Reported-by: syzbot+90b8e10515ae88228a92@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fat/inode.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/fs/fat/inode.c
++++ b/fs/fat/inode.c
+@@ -610,13 +610,21 @@ static void fat_set_state(struct super_b
+ brelse(bh);
+ }
+
++static void fat_reset_iocharset(struct fat_mount_options *opts)
++{
++ if (opts->iocharset != fat_default_iocharset) {
++ /* Note: opts->iocharset can be NULL here */
++ kfree(opts->iocharset);
++ opts->iocharset = fat_default_iocharset;
++ }
++}
++
+ static void delayed_free(struct rcu_head *p)
+ {
+ struct msdos_sb_info *sbi = container_of(p, struct msdos_sb_info, rcu);
+ unload_nls(sbi->nls_disk);
+ unload_nls(sbi->nls_io);
+- if (sbi->options.iocharset != fat_default_iocharset)
+- kfree(sbi->options.iocharset);
++ fat_reset_iocharset(&sbi->options);
+ kfree(sbi);
+ }
+
+@@ -1031,7 +1039,7 @@ static int parse_options(struct super_bl
+ opts->fs_fmask = opts->fs_dmask = current_umask();
+ opts->allow_utime = -1;
+ opts->codepage = fat_default_codepage;
+- opts->iocharset = fat_default_iocharset;
++ fat_reset_iocharset(opts);
+ if (is_vfat) {
+ opts->shortname = VFAT_SFN_DISPLAY_WINNT|VFAT_SFN_CREATE_WIN95;
+ opts->rodir = 0;
+@@ -1181,8 +1189,7 @@ static int parse_options(struct super_bl
+
+ /* vfat specific */
+ case Opt_charset:
+- if (opts->iocharset != fat_default_iocharset)
+- kfree(opts->iocharset);
++ fat_reset_iocharset(opts);
+ iocharset = match_strdup(&args[0]);
+ if (!iocharset)
+ return -ENOMEM;
+@@ -1774,8 +1781,7 @@ out_fail:
+ iput(fat_inode);
+ unload_nls(sbi->nls_io);
+ unload_nls(sbi->nls_disk);
+- if (sbi->options.iocharset != fat_default_iocharset)
+- kfree(sbi->options.iocharset);
++ fat_reset_iocharset(&sbi->options);
+ sb->s_fs_info = NULL;
+ kfree(sbi);
+ return error;
--- /dev/null
+x86-mce-remove-min-interval-polling-limitation.patch
+fat-fix-memory-allocation-failure-handling-of-match_strdup.patch
+alsa-rawmidi-change-resized-buffers-atomically.patch
+arc-fix-config_swap.patch
+arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch
--- /dev/null
+From fbdb328c6bae0a7c78d75734a738b66b86dffc96 Mon Sep 17 00:00:00 2001
+From: Dewet Thibaut <thibaut.dewet@nokia.com>
+Date: Mon, 16 Jul 2018 10:49:27 +0200
+Subject: x86/MCE: Remove min interval polling limitation
+
+From: Dewet Thibaut <thibaut.dewet@nokia.com>
+
+commit fbdb328c6bae0a7c78d75734a738b66b86dffc96 upstream.
+
+commit b3b7c4795c ("x86/MCE: Serialize sysfs changes") introduced a min
+interval limitation when setting the check interval for polled MCEs.
+However, the logic is that 0 disables polling for corrected MCEs, see
+Documentation/x86/x86_64/machinecheck. The limitation prevents disabling.
+
+Remove this limitation and allow the value 0 to disable polling again.
+
+Fixes: b3b7c4795c ("x86/MCE: Serialize sysfs changes")
+Signed-off-by: Dewet Thibaut <thibaut.dewet@nokia.com>
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+[ Massage commit message. ]
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180716084927.24869-1-alexander.sverdlin@nokia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -2240,9 +2240,6 @@ static ssize_t store_int_with_restart(st
+ if (check_interval == old_check_interval)
+ return ret;
+
+- if (check_interval < 1)
+- check_interval = 1;
+-
+ mutex_lock(&mce_sysfs_mutex);
+ mce_restart();
+ mutex_unlock(&mce_sysfs_mutex);
--- /dev/null
+scsi-sd_zbc-fix-variable-type-and-bogus-comment.patch
+kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch
+x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch
+x86-events-intel-ds-fix-bts_interrupt_threshold-alignment.patch
+x86-mce-remove-min-interval-polling-limitation.patch
+fat-fix-memory-allocation-failure-handling-of-match_strdup.patch
+alsa-rawmidi-change-resized-buffers-atomically.patch
+alsa-hda-realtek-add-panasonic-cf-sz6-headset-jack-quirk.patch
+alsa-hda-add-mute-led-support-for-hp-probook-455-g5.patch
+arcv2-save-accl-reg-pair-by-default.patch
+arc-fix-config_swap.patch
+arc-configs-remove-config_initramfs_source-from-defconfigs.patch
+arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch
--- /dev/null
+scsi-sd_zbc-fix-variable-type-and-bogus-comment.patch
+scsi-qla2xxx-fix-inconsistent-dma-mem-alloc-free.patch
+scsi-qla2xxx-fix-kernel-crash-due-to-late-workqueue-allocation.patch
+scsi-qla2xxx-fix-null-pointer-dereference-for-fcport-search.patch
+kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch
+kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch
+kvm-vmx-mark-vmxarea-with-revision_id-of-physical-cpu-even-when-evmcs-enabled.patch
+x86-kvm-vmx-don-t-read-current-thread.-fs-gs-base-of-legacy-tasks.patch
+x86-kvmclock-set-pvti_cpu0_va-after-enabling-kvmclock.patch
+x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch
+x86-events-intel-ds-fix-bts_interrupt_threshold-alignment.patch
+x86-mce-remove-min-interval-polling-limitation.patch
+fat-fix-memory-allocation-failure-handling-of-match_strdup.patch
+alsa-rawmidi-change-resized-buffers-atomically.patch
+alsa-hda-realtek-add-panasonic-cf-sz6-headset-jack-quirk.patch
+alsa-hda-realtek-yet-another-clevo-p950-quirk-entry.patch
+alsa-hda-add-mute-led-support-for-hp-probook-455-g5.patch
+arcv2-save-accl-reg-pair-by-default.patch
+arc-fix-config_swap.patch
+arc-configs-remove-config_initramfs_source-from-defconfigs.patch
+arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch
--- /dev/null
+kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch
+x86-mce-remove-min-interval-polling-limitation.patch
+fat-fix-memory-allocation-failure-handling-of-match_strdup.patch
+alsa-rawmidi-change-resized-buffers-atomically.patch
+arc-fix-config_swap.patch
+arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch
--- /dev/null
+kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch
+x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch
+x86-mce-remove-min-interval-polling-limitation.patch
+fat-fix-memory-allocation-failure-handling-of-match_strdup.patch
+alsa-rawmidi-change-resized-buffers-atomically.patch
+arc-fix-config_swap.patch
+arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch
+arc-configs-remove-config_initramfs_source-from-defconfigs.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
