4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 1 Apr 2018 08:56:28 +0000 (10:56 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 1 Apr 2018 08:56:28 +0000 (10:56 +0200)
added patches:
alsa-pcm-potential-uninitialized-return-values.patch
alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch
mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch
perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch

queue-4.4/alsa-pcm-potential-uninitialized-return-values.patch [new file with mode: 0644]
queue-4.4/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch [new file with mode: 0644]
queue-4.4/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch [new file with mode: 0644]
queue-4.4/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch [new file with mode: 0644]

diff --git a/queue-4.4/alsa-pcm-potential-uninitialized-return-values.patch b/queue-4.4/alsa-pcm-potential-uninitialized-return-values.patch
new file mode 100644 (file)
index 0000000..b2b3884
--- /dev/null
@@ -0,0 +1,42 @@
+From 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 27 Mar 2018 16:07:52 +0300
+Subject: ALSA: pcm: potential uninitialized return values
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 upstream.
+
+Smatch complains that "tmp" can be uninitialized if we do a zero size
+write.
+
+Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/oss/pcm_oss.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -1361,7 +1361,7 @@ static ssize_t snd_pcm_oss_write2(struct
+ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const char __user *buf, size_t bytes)
+ {
+       size_t xfer = 0;
+-      ssize_t tmp;
++      ssize_t tmp = 0;
+       struct snd_pcm_runtime *runtime = substream->runtime;
+       if (atomic_read(&substream->mmap_count))
+@@ -1468,7 +1468,7 @@ static ssize_t snd_pcm_oss_read2(struct
+ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __user *buf, size_t bytes)
+ {
+       size_t xfer = 0;
+-      ssize_t tmp;
++      ssize_t tmp = 0;
+       struct snd_pcm_runtime *runtime = substream->runtime;
+       if (atomic_read(&substream->mmap_count))
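Review bot: The `= 0` initialiser on `tmp` in snd_pcm_oss_write1(), and the identical one in snd_pcm_oss_read1(), carries a contract that the declaration does not state. Per the commit message, it is the value that survives when the transfer size is zero and `tmp` is never assigned. A short comment such as `/* result for a zero-byte request, when the loop never assigns tmp */` would keep a later cleanup from dropping the initialiser and reintroducing an indeterminate stack value in the return path. Both function bodies continue outside the hunk, so the exact return expression is not visible here and should be checked against that comment.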
diff --git a/queue-4.4/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch b/queue-4.4/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch
new file mode 100644 (file)
index 0000000..47cc585
--- /dev/null
@@ -0,0 +1,40 @@
+From 9066ae7ff5d89c0b5daa271e2d573540097a94fa Mon Sep 17 00:00:00 2001
+From: Stefan Roese <sr@denx.de>
+Date: Mon, 26 Mar 2018 16:10:21 +0200
+Subject: ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
+
+From: Stefan Roese <sr@denx.de>
+
+commit 9066ae7ff5d89c0b5daa271e2d573540097a94fa upstream.
+
+When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer
+will get mmapp'ed in 16KiB chunks. But this fails with the 2nd 16KiB
+area, as the page offset is outside of the VMA range (size), which is
+currently used as size parameter in snd_pcm_lib_default_mmap(). By
+using the DMA buffer size (dma_bytes) instead, the complete DMA buffer
+can be mmapp'ed and the issue is fixed.
+
+This issue was detected on an ARM platform (TI AM57xx) using the RME
+HDSP MADI PCIe soundcard.
+
+Fixes: 657b1989dacf ("ALSA: pcm - Use dma_mmap_coherent() if available")
+Signed-off-by: Stefan Roese <sr@denx.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_native.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -3408,7 +3408,7 @@ int snd_pcm_lib_default_mmap(struct snd_
+                                        area,
+                                        substream->runtime->dma_area,
+                                        substream->runtime->dma_addr,
+-                                       area->vm_end - area->vm_start);
++                                       substream->runtime->dma_bytes);
+ #endif /* CONFIG_X86 */
+       /* mmap with fault handler */
+       area->vm_ops = &snd_pcm_vm_ops_data_fault;
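Review bot: With `substream->runtime->dma_bytes` passed as the size, the last argument to dma_mmap_coherent() now describes the whole DMA buffer rather than the window requested by the VMA, so the limit on what user space can map depends on checks that are not in this hunk. It is worth confirming that the caller rejects a VMA whose length plus page offset exceeds `dma_bytes` before reaching snd_pcm_lib_default_mmap(), and that the architecture's mmap helper bounds the mapping by the VMA, since neither is visible here. A comment above the call, e.g. `/* size is the full DMA buffer; the mapped range is bounded by area and its vm_pgoff */`, would record that assumption. The function starts and ends outside the hunk.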
diff --git a/queue-4.4/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch b/queue-4.4/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch
new file mode 100644 (file)
index 0000000..1a7e906
--- /dev/null
@@ -0,0 +1,56 @@
+From 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Sat, 3 Mar 2018 23:29:03 +0100
+Subject: mtd: jedec_probe: Fix crash in jedec_read_mfr()
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream.
+
+It turns out that the loop where we read manufacturer
+jedec_read_mfd() can under some circumstances get a
+CFI_MFR_CONTINUATION repeatedly, making the loop go
+over all banks and eventually hit the end of the
+map and crash because of an access violation:
+
+Unable to handle kernel paging request at virtual address c4980000
+pgd = (ptrval)
+[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000
+Internal error: Oops: 7 [#1] PREEMPT ARM
+CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150
+Hardware name: Gemini (Device Tree)
+PC is at jedec_probe_chip+0x6ec/0xcd0
+LR is at 0x4
+pc : [<c03a2bf4>]    lr : [<00000004>]    psr: 60000013
+sp : c382dd18  ip : 0000ffff  fp : 00000000
+r10: c0626388  r9 : 00020000  r8 : c0626340
+r7 : 00000000  r6 : 00000001  r5 : c3a71afc  r4 : c382dd70
+r3 : 00000001  r2 : c4900000  r1 : 00000002  r0 : 00080000
+Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
+Control: 0000397f  Table: 00004000  DAC: 00000053
+Process swapper (pid: 1, stack limit = 0x(ptrval))
+
+Fix this by breaking the loop with a return 0 if
+the offset exceeds the map size.
+
+Fixes: 5c9c11e1c47c ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/jedec_probe.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/chips/jedec_probe.c
++++ b/drivers/mtd/chips/jedec_probe.c
+@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct
+       do {
+               uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
+               mask = (1 << (cfi->device_type * 8)) - 1;
++              if (ofs >= map->size)
++                      return 0;
+               result = map_read(map, base + ofs);
+               bank++;
+       } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);
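Review bot: The added bound compares only `ofs` with `map->size`, while the read that follows is at `base + ofs`, so a non-zero `base` could still place the access beyond the end of the map. If `base` can be non-zero for callers of jedec_read_mfr() (its origin is outside the hunk), the guard would be tighter as `if (base + ofs >= map->size)`, ideally also allowing for the width of the map_read() access. The early `return 0` also deserves a one-line comment stating that 0 means no manufacturer ID was found, since the callers' handling of 0 is not visible here.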
diff --git a/queue-4.4/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch b/queue-4.4/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch
new file mode 100644 (file)
index 0000000..627fa6c
--- /dev/null
@@ -0,0 +1,87 @@
+From f67b15037a7a50c57f72e69a6d59941ad90a0f0f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 26 Mar 2018 15:39:07 -1000
+Subject: perf/hwbp: Simplify the perf-hwbp code, fix documentation
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f upstream.
+
+Annoyingly, modify_user_hw_breakpoint() unnecessarily complicates the
+modification of a breakpoint - simplify it and remove the pointless
+local variables.
+
+Also update the stale Docbook while at it.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: <stable@vger.kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/hw_breakpoint.c |   30 +++++++-----------------------
+ 1 file changed, 7 insertions(+), 23 deletions(-)
+
+--- a/kernel/events/hw_breakpoint.c
++++ b/kernel/events/hw_breakpoint.c
+@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_break
+  * modify_user_hw_breakpoint - modify a user-space hardware breakpoint
+  * @bp: the breakpoint structure to modify
+  * @attr: new breakpoint attributes
+- * @triggered: callback to trigger when we hit the breakpoint
+- * @tsk: pointer to 'task_struct' of the process to which the address belongs
+  */
+ int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *attr)
+ {
+-      u64 old_addr = bp->attr.bp_addr;
+-      u64 old_len = bp->attr.bp_len;
+-      int old_type = bp->attr.bp_type;
+-      int err = 0;
+-
+       /*
+        * modify_user_hw_breakpoint can be invoked with IRQs disabled and hence it
+        * will not be possible to raise IPIs that invoke __perf_event_disable.
+@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct per
+       bp->attr.bp_addr = attr->bp_addr;
+       bp->attr.bp_type = attr->bp_type;
+       bp->attr.bp_len = attr->bp_len;
++      bp->attr.disabled = 1;
+-      if (attr->disabled)
+-              goto end;
+-
+-      err = validate_hw_breakpoint(bp);
+-      if (!err)
+-              perf_event_enable(bp);
++      if (!attr->disabled) {
++              int err = validate_hw_breakpoint(bp);
+-      if (err) {
+-              bp->attr.bp_addr = old_addr;
+-              bp->attr.bp_type = old_type;
+-              bp->attr.bp_len = old_len;
+-              if (!bp->attr.disabled)
+-                      perf_event_enable(bp);
++              if (err)
++                      return err;
+-              return err;
++              perf_event_enable(bp);
++              bp->attr.disabled = 0;
+       }
+-end:
+-      bp->attr.disabled = attr->disabled;
+-
+       return 0;
+ }
+ EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint);
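Review bot: When validate_hw_breakpoint() fails, the new code returns with `bp->attr.bp_addr`, `bp_type` and `bp_len` already overwritten by the caller's values and `bp->attr.disabled = 1`. The old rollback is gone, so the event is left disabled and carrying attributes that failed validation. That may well be intended, but the kernel-doc block above the function does not say so, and callers that relied on the previous settings being restored need to know. I would add a sentence to that comment, e.g. `* On failure the breakpoint is left disabled with the new attributes stored; the previous settings are not restored.` The part of the function that disables the event lies between the two inner hunks and is not visible here.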