5.3-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Nov 2019 10:46:11 +0000 (11:46 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Nov 2019 10:46:11 +0000 (11:46 +0100)
added patches:
md-raid10-prevent-access-of-uninitialized-resync_pages-offset.patch
revert-bluetooth-hci_ll-set-operational-frequency-earlier.patch
revert-dm-crypt-use-wq_highpri-for-the-io-and-crypt-workqueues.patch

queue-5.3/md-raid10-prevent-access-of-uninitialized-resync_pages-offset.patch [new file with mode: 0644]
queue-5.3/revert-bluetooth-hci_ll-set-operational-frequency-earlier.patch [new file with mode: 0644]
queue-5.3/revert-dm-crypt-use-wq_highpri-for-the-io-and-crypt-workqueues.patch [new file with mode: 0644]
queue-5.3/series

diff --git a/queue-5.3/md-raid10-prevent-access-of-uninitialized-resync_pages-offset.patch b/queue-5.3/md-raid10-prevent-access-of-uninitialized-resync_pages-offset.patch
new file mode 100644 (file)
index 0000000..41fc6aa
--- /dev/null
@@ -0,0 +1,40 @@
+From 45422b704db392a6d79d07ee3e3670b11048bd53 Mon Sep 17 00:00:00 2001
+From: John Pittman <jpittman@redhat.com>
+Date: Mon, 11 Nov 2019 16:43:20 -0800
+Subject: md/raid10: prevent access of uninitialized resync_pages offset
+
+From: John Pittman <jpittman@redhat.com>
+
+commit 45422b704db392a6d79d07ee3e3670b11048bd53 upstream.
+
+Due to unneeded multiplication in the out_free_pages portion of
+r10buf_pool_alloc(), when using a 3-copy raid10 layout, it is
+possible to access a resync_pages offset that has not been
+initialized.  This access translates into a crash of the system
+within resync_free_pages() while passing a bad pointer to
+put_page().  Remove the multiplication, preventing access to the
+uninitialized area.
+
+Fixes: f0250618361db ("md: raid10: don't use bio's vec table to manage resync pages")
+Cc: stable@vger.kernel.org # 4.12+
+Signed-off-by: John Pittman <jpittman@redhat.com>
+Suggested-by: David Jeffery <djeffery@redhat.com>
+Reviewed-by: Laurence Oberman <loberman@redhat.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid10.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -191,7 +191,7 @@ static void * r10buf_pool_alloc(gfp_t gf
+ out_free_pages:
+       while (--j >= 0)
+-              resync_free_pages(&rps[j * 2]);
++              resync_free_pages(&rps[j]);
+       j = 0;
+ out_free_bio:
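Review bot: The `out_free_pages` unwind loop has no comment tying its index to the way `rps[]` was filled, which is the kind of gap that let the stray `* 2` go unnoticed. Per the commit message, the scaled index reached an uninitialized `resync_pages` entry and handed a bad pointer to `put_page()`, so this error path is memory-safety relevant. A one-line comment above the `while`, such as `/* j indexes rps[] directly, as in the allocation loop; do not scale it */`, would record the invariant. The allocation loop in `r10buf_pool_alloc()` lies outside this hunk, so the wording should be checked against it.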
diff --git a/queue-5.3/revert-bluetooth-hci_ll-set-operational-frequency-earlier.patch b/queue-5.3/revert-bluetooth-hci_ll-set-operational-frequency-earlier.patch
new file mode 100644 (file)
index 0000000..37e987c
--- /dev/null
@@ -0,0 +1,89 @@
+From cef456cd354ef485f12d57000c455e83e416a2b6 Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Wed, 2 Oct 2019 06:46:26 -0500
+Subject: Revert "Bluetooth: hci_ll: set operational frequency earlier"
+
+From: Adam Ford <aford173@gmail.com>
+
+commit cef456cd354ef485f12d57000c455e83e416a2b6 upstream.
+
+As nice as it would be to update firmware faster, that patch broke
+at least two different boards, an OMAP4+WL1285 based Motorola Droid
+4, as reported by Sebasian Reichel and the Logic PD i.MX6Q +
+WL1837MOD.
+
+This reverts commit a2e02f38eff84f199c8e32359eb213f81f270047.
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Acked-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_ll.c |   39 ++++++++++++++++++---------------------
+ 1 file changed, 18 insertions(+), 21 deletions(-)
+
+--- a/drivers/bluetooth/hci_ll.c
++++ b/drivers/bluetooth/hci_ll.c
+@@ -621,13 +621,6 @@ static int ll_setup(struct hci_uart *hu)
+       serdev_device_set_flow_control(serdev, true);
+-      if (hu->oper_speed)
+-              speed = hu->oper_speed;
+-      else if (hu->proto->oper_speed)
+-              speed = hu->proto->oper_speed;
+-      else
+-              speed = 0;
+-
+       do {
+               /* Reset the Bluetooth device */
+               gpiod_set_value_cansleep(lldev->enable_gpio, 0);
+@@ -639,20 +632,6 @@ static int ll_setup(struct hci_uart *hu)
+                       return err;
+               }
+-              if (speed) {
+-                      __le32 speed_le = cpu_to_le32(speed);
+-                      struct sk_buff *skb;
+-
+-                      skb = __hci_cmd_sync(hu->hdev,
+-                                           HCI_VS_UPDATE_UART_HCI_BAUDRATE,
+-                                           sizeof(speed_le), &speed_le,
+-                                           HCI_INIT_TIMEOUT);
+-                      if (!IS_ERR(skb)) {
+-                              kfree_skb(skb);
+-                              serdev_device_set_baudrate(serdev, speed);
+-                      }
+-              }
+-
+               err = download_firmware(lldev);
+               if (!err)
+                       break;
+@@ -677,7 +656,25 @@ static int ll_setup(struct hci_uart *hu)
+       }
+       /* Operational speed if any */
++      if (hu->oper_speed)
++              speed = hu->oper_speed;
++      else if (hu->proto->oper_speed)
++              speed = hu->proto->oper_speed;
++      else
++              speed = 0;
++      if (speed) {
++              __le32 speed_le = cpu_to_le32(speed);
++              struct sk_buff *skb;
++
++              skb = __hci_cmd_sync(hu->hdev, HCI_VS_UPDATE_UART_HCI_BAUDRATE,
++                                   sizeof(speed_le), &speed_le,
++                                   HCI_INIT_TIMEOUT);
++              if (!IS_ERR(skb)) {
++                      kfree_skb(skb);
++                      serdev_device_set_baudrate(serdev, speed);
++              }
++      }
+       return 0;
+ }
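Review bot: In the block re-added after `/* Operational speed if any */`, a failed `__hci_cmd_sync()` is dropped without a trace: the `IS_ERR(skb)` case has no branch and `ll_setup()` still returns 0. The link then presumably stays at its earlier speed with nothing in the log to say so. An `else` branch that reports the error, e.g. `else bt_dev_warn(hu->hdev, "baud rate update failed: %ld", PTR_ERR(skb));`, would make the condition diagnosable. The value returned by `serdev_device_set_baudrate()` is ignored as well, so a rate the host UART could not apply would go unnoticed. `ll_setup()` begins outside the hunk.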
diff --git a/queue-5.3/revert-dm-crypt-use-wq_highpri-for-the-io-and-crypt-workqueues.patch b/queue-5.3/revert-dm-crypt-use-wq_highpri-for-the-io-and-crypt-workqueues.patch
new file mode 100644 (file)
index 0000000..efd9a81
--- /dev/null
@@ -0,0 +1,52 @@
+From f612b2132db529feac4f965f28a1b9258ea7c22b Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Wed, 20 Nov 2019 17:27:39 -0500
+Subject: Revert "dm crypt: use WQ_HIGHPRI for the IO and crypt workqueues"
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit f612b2132db529feac4f965f28a1b9258ea7c22b upstream.
+
+This reverts commit a1b89132dc4f61071bdeaab92ea958e0953380a1.
+
+Revert required hand-patching due to subsequent changes that were
+applied since commit a1b89132dc4f61071bdeaab92ea958e0953380a1.
+
+Requires: ed0302e83098d ("dm crypt: make workqueue names device-specific")
+Cc: stable@vger.kernel.org
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=199857
+Reported-by: Vito Caputo <vcaputo@pengaru.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-crypt.c |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -2911,21 +2911,18 @@ static int crypt_ctr(struct dm_target *t
+       }
+       ret = -ENOMEM;
+-      cc->io_queue = alloc_workqueue("kcryptd_io/%s",
+-                                     WQ_HIGHPRI | WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM,
+-                                     1, devname);
++      cc->io_queue = alloc_workqueue("kcryptd_io/%s", WQ_MEM_RECLAIM, 1, devname);
+       if (!cc->io_queue) {
+               ti->error = "Couldn't create kcryptd io queue";
+               goto bad;
+       }
+       if (test_bit(DM_CRYPT_SAME_CPU, &cc->flags))
+-              cc->crypt_queue = alloc_workqueue("kcryptd/%s",
+-                                                WQ_HIGHPRI | WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM,
++              cc->crypt_queue = alloc_workqueue("kcryptd/%s", WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM,
+                                                 1, devname);
+       else
+               cc->crypt_queue = alloc_workqueue("kcryptd/%s",
+-                                                WQ_HIGHPRI | WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM | WQ_UNBOUND,
++                                                WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM | WQ_UNBOUND,
+                                                 num_online_cpus(), devname);
+       if (!cc->crypt_queue) {
+               ti->error = "Couldn't create kcryptd queue";
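Review bot: Nothing at the three `alloc_workqueue()` calls records why `WQ_HIGHPRI` is deliberately absent, and the flag has now been added and reverted once, so a later cleanup could add it back. A short comment above the first call, such as `/* No WQ_HIGHPRI on these queues: see bugzilla.kernel.org bug 199857 */`, would keep the reason next to the code. The commit message gives only the bug link, so the comment text should be checked against that report. `crypt_ctr()` begins and ends outside the hunk.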
index 9c136ee87bfeee059ed4756c9133d9227d0c1c55..93c69524d0e40e67213e47ff20ee00e3262518b5 100644 (file)
@@ -39,3 +39,6 @@ ath10k-restore-qca9880-ar1a-v1-detection.patch
 ath10k-fix-host-capability-qmi-incompatibility.patch
 ath10k-fix-a-null-ptr-deref-bug-in-ath10k_usb_alloc_urb_from_pipe.patch
 ath9k_hw-fix-uninitialized-variable-data.patch
+revert-bluetooth-hci_ll-set-operational-frequency-earlier.patch
+revert-dm-crypt-use-wq_highpri-for-the-io-and-crypt-workqueues.patch
+md-raid10-prevent-access-of-uninitialized-resync_pages-offset.patch