4.9-stable patches

added patches:
	alsa-bebob-fix-memory-leak-for-m-audio-fw1814-and-projectmix-i-o-at-error-path.patch
	alsa-bebob-use-address-returned-by-kmalloc-instead-of-kernel-stack-for-streaming-dma-mapping.patch
	alsa-emu10k1-fix-possible-info-leak-to-userspace-on-sndrv_emu10k1_ioctl_info.patch
	alsa-firewire-digi00x-fix-memory-leak-of-private-data.patch
	alsa-firewire-tascam-fix-memory-leak-of-private-data.patch
	alsa-fireworks-fix-memory-leak-of-response-buffer-at-error-path.patch
	alsa-oxfw-fix-memory-leak-for-model-dependent-data-at-error-path.patch
	alsa-oxfw-fix-memory-leak-of-discovered-stream-formats-at-error-path.patch
	alsa-oxfw-fix-memory-leak-of-private-data.patch
	asoc-cs4265-fix-mmtlr-data-switch-control.patch
	mm-shmem.c-correctly-annotate-new-inodes-for-lockdep.patch
	nfc-fix-possible-memory-corruption-when-handling-shdlc-i-frame-commands.patch
	nfc-fix-the-number-of-pipes.patch
	platform-x86-alienware-wmi-correct-a-memory-leak.patch
	revert-pci-add-acs-quirk-for-intel-300-series.patch
	ring-buffer-allow-for-rescheduling-when-removing-pages.patch
	xen-netfront-don-t-bug-in-case-of-too-many-frags.patch
	xen-x86-vpmu-zero-struct-pt_regs-before-calling-into-sample-handling-code.patch

diff --git a/queue-4.9/alsa-bebob-fix-memory-leak-for-m-audio-fw1814-and-projectmix-i-o-at-error-path.patch b/queue-4.9/alsa-bebob-fix-memory-leak-for-m-audio-fw1814-and-projectmix-i-o-at-error-path.patch
new file mode 100644 (file)
index 0000000..424e81b
--- /dev/null
+++ b/queue-4.9/alsa-bebob-fix-memory-leak-for-m-audio-fw1814-and-projectmix-i-o-at-error-path.patch
@@ -0,0 +1,49 @@
+From b1fbebd4164b3d170ad916dcd692cf843c9c065d Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Mon, 17 Sep 2018 17:25:24 +0900
+Subject: ALSA: bebob: fix memory leak for M-Audio FW1814 and ProjectMix I/O at error path
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit b1fbebd4164b3d170ad916dcd692cf843c9c065d upstream.
+
+After allocating model-dependent data for M-Audio FW1814 and ProjectMix
+I/O, ALSA bebob driver has memory leak at error path.
+
+This commit releases the allocated data at the error path.
+
+Fixes: 04a2c73c97eb('ALSA: bebob: delayed registration of sound card')
+Cc: <stable@vger.kernel.org> # v4.7+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/bebob/bebob.c        |    2 ++
+ sound/firewire/bebob/bebob_maudio.c |    4 ----
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/sound/firewire/bebob/bebob.c
++++ b/sound/firewire/bebob/bebob.c
+@@ -263,6 +263,8 @@ do_registration(struct work_struct *work
+ error:
+       mutex_unlock(&devices_mutex);
+       snd_bebob_stream_destroy_duplex(bebob);
++      kfree(bebob->maudio_special_quirk);
++      bebob->maudio_special_quirk = NULL;
+       snd_card_free(bebob->card);
+       dev_info(&bebob->unit->device,
+                "Sound card registration failed: %d\n", err);
+--- a/sound/firewire/bebob/bebob_maudio.c
++++ b/sound/firewire/bebob/bebob_maudio.c
+@@ -290,10 +290,6 @@ snd_bebob_maudio_special_discover(struct
+               bebob->midi_output_ports = 2;
+       }
+ end:
+-      if (err < 0) {
+-              kfree(params);
+-              bebob->maudio_special_quirk = NULL;
+-      }
+       mutex_unlock(&bebob->mutex);
+       return err;
+ }

diff --git a/queue-4.9/alsa-bebob-use-address-returned-by-kmalloc-instead-of-kernel-stack-for-streaming-dma-mapping.patch b/queue-4.9/alsa-bebob-use-address-returned-by-kmalloc-instead-of-kernel-stack-for-streaming-dma-mapping.patch
new file mode 100644 (file)
index 0000000..6725ca1
--- /dev/null
+++ b/queue-4.9/alsa-bebob-use-address-returned-by-kmalloc-instead-of-kernel-stack-for-streaming-dma-mapping.patch
@@ -0,0 +1,86 @@
+From 493626f2d87a74e6dbea1686499ed6e7e600484e Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sun, 9 Sep 2018 22:25:12 +0900
+Subject: ALSA: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 493626f2d87a74e6dbea1686499ed6e7e600484e upstream.
+
+When executing 'fw_run_transaction()' with 'TCODE_WRITE_BLOCK_REQUEST',
+an address of 'payload' argument is used for streaming DMA mapping by
+'firewire_ohci' module if 'size' argument is larger than 8 byte.
+Although in this case the address should not be on kernel stack, current
+implementation of ALSA bebob driver uses data in kernel stack for a cue
+to boot M-Audio devices. This often brings unexpected result, especially
+for a case of CONFIG_VMAP_STACK=y.
+
+This commit fixes the bug.
+
+Reference: https://bugzilla.kernel.org/show_bug.cgi?id=201021
+Reference: https://forum.manjaro.org/t/firewire-m-audio-410-driver-wont-load-firmware/51165
+Fixes: a2b2a7798fb6('ALSA: bebob: Send a cue to load firmware for M-Audio Firewire series')
+Cc: <stable@vger.kernel.org> # v3.16+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/bebob/bebob_maudio.c |   24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+--- a/sound/firewire/bebob/bebob_maudio.c
++++ b/sound/firewire/bebob/bebob_maudio.c
+@@ -96,17 +96,13 @@ int snd_bebob_maudio_load_firmware(struc
+       struct fw_device *device = fw_parent_device(unit);
+       int err, rcode;
+       u64 date;
+-      __le32 cues[3] = {
+-              cpu_to_le32(MAUDIO_BOOTLOADER_CUE1),
+-              cpu_to_le32(MAUDIO_BOOTLOADER_CUE2),
+-              cpu_to_le32(MAUDIO_BOOTLOADER_CUE3)
+-      };
++      __le32 *cues;
+ 
+       /* check date of software used to build */
+       err = snd_bebob_read_block(unit, INFO_OFFSET_SW_DATE,
+                                  &date, sizeof(u64));
+       if (err < 0)
+-              goto end;
++              return err;
+       /*
+        * firmware version 5058 or later has date later than "20070401", but
+        * 'date' is not null-terminated.
+@@ -114,20 +110,28 @@ int snd_bebob_maudio_load_firmware(struc
+       if (date < 0x3230303730343031LL) {
+               dev_err(&unit->device,
+                       "Use firmware version 5058 or later\n");
+-              err = -ENOSYS;
+-              goto end;
++              return -ENXIO;
+       }
+ 
++      cues = kmalloc_array(3, sizeof(*cues), GFP_KERNEL);
++      if (!cues)
++              return -ENOMEM;
++
++      cues[0] = cpu_to_le32(MAUDIO_BOOTLOADER_CUE1);
++      cues[1] = cpu_to_le32(MAUDIO_BOOTLOADER_CUE2);
++      cues[2] = cpu_to_le32(MAUDIO_BOOTLOADER_CUE3);
++
+       rcode = fw_run_transaction(device->card, TCODE_WRITE_BLOCK_REQUEST,
+                                  device->node_id, device->generation,
+                                  device->max_speed, BEBOB_ADDR_REG_REQ,
+-                                 cues, sizeof(cues));
++                                 cues, 3 * sizeof(*cues));
++      kfree(cues);
+       if (rcode != RCODE_COMPLETE) {
+               dev_err(&unit->device,
+                       "Failed to send a cue to load firmware\n");
+               err = -EIO;
+       }
+-end:
++
+       return err;
+ }
+ 

diff --git a/queue-4.9/alsa-emu10k1-fix-possible-info-leak-to-userspace-on-sndrv_emu10k1_ioctl_info.patch b/queue-4.9/alsa-emu10k1-fix-possible-info-leak-to-userspace-on-sndrv_emu10k1_ioctl_info.patch
new file mode 100644 (file)
index 0000000..5639033
--- /dev/null
+++ b/queue-4.9/alsa-emu10k1-fix-possible-info-leak-to-userspace-on-sndrv_emu10k1_ioctl_info.patch
@@ -0,0 +1,37 @@
+From 49434c6c575d2008c0abbc93e615019f39e01252 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sat, 8 Sep 2018 08:12:21 +0200
+Subject: ALSA: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO
+
+From: Willy Tarreau <w@1wt.eu>
+
+commit 49434c6c575d2008c0abbc93e615019f39e01252 upstream.
+
+snd_emu10k1_fx8010_ioctl(SNDRV_EMU10K1_IOCTL_INFO) allocates
+memory using kmalloc() and partially fills it by calling
+snd_emu10k1_fx8010_info() before returning the resulting
+structure to userspace, leaving uninitialized holes. Let's
+just use kzalloc() here.
+
+BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Cc: Jann Horn <jannh@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/emu10k1/emufx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/emu10k1/emufx.c
++++ b/sound/pci/emu10k1/emufx.c
+@@ -2520,7 +2520,7 @@ static int snd_emu10k1_fx8010_ioctl(stru
+               emu->support_tlv = 1;
+               return put_user(SNDRV_EMU10K1_VERSION, (int __user *)argp);
+       case SNDRV_EMU10K1_IOCTL_INFO:
+-              info = kmalloc(sizeof(*info), GFP_KERNEL);
++              info = kzalloc(sizeof(*info), GFP_KERNEL);
+               if (!info)
+                       return -ENOMEM;
+               snd_emu10k1_fx8010_info(emu, info);

diff --git a/queue-4.9/alsa-firewire-digi00x-fix-memory-leak-of-private-data.patch b/queue-4.9/alsa-firewire-digi00x-fix-memory-leak-of-private-data.patch
new file mode 100644 (file)
index 0000000..ae6ef10
--- /dev/null
+++ b/queue-4.9/alsa-firewire-digi00x-fix-memory-leak-of-private-data.patch
@@ -0,0 +1,36 @@
+From a49a83ab05e34edd6c71a4fbd062c9a7ba6d18aa Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Thu, 13 Sep 2018 21:30:34 +0900
+Subject: ALSA: firewire-digi00x: fix memory leak of private data
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit a49a83ab05e34edd6c71a4fbd062c9a7ba6d18aa upstream.
+
+Although private data of sound card instance is usually allocated in the
+tail of the instance, drivers in ALSA firewire stack allocate the private
+data before allocating the instance. In this case, the private data
+should be released explicitly at .private_free callback of the instance.
+
+This commit fixes memory leak following to the above design.
+
+Fixes: 86c8dd7f4da3 ('ALSA: firewire-digi00x: delayed registration of sound card')
+Cc: <stable@vger.kernel.org> # v4.7+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/digi00x/digi00x.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/firewire/digi00x/digi00x.c
++++ b/sound/firewire/digi00x/digi00x.c
+@@ -49,6 +49,7 @@ static void dg00x_free(struct snd_dg00x
+       fw_unit_put(dg00x->unit);
+ 
+       mutex_destroy(&dg00x->mutex);
++      kfree(dg00x);
+ }
+ 
+ static void dg00x_card_free(struct snd_card *card)

diff --git a/queue-4.9/alsa-firewire-tascam-fix-memory-leak-of-private-data.patch b/queue-4.9/alsa-firewire-tascam-fix-memory-leak-of-private-data.patch
new file mode 100644 (file)
index 0000000..0a12c40
--- /dev/null
+++ b/queue-4.9/alsa-firewire-tascam-fix-memory-leak-of-private-data.patch
@@ -0,0 +1,36 @@
+From 8d28277c065a974873c6781d44b7bcdcd8fb4e8a Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Thu, 13 Sep 2018 21:31:05 +0900
+Subject: ALSA: firewire-tascam: fix memory leak of private data
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 8d28277c065a974873c6781d44b7bcdcd8fb4e8a upstream.
+
+Although private data of sound card instance is usually allocated in the
+tail of the instance, drivers in ALSA firewire stack allocate the private
+data before allocating the instance. In this case, the private data
+should be released explicitly at .private_free callback of the instance.
+
+This commit fixes memory leak following to the above design.
+
+Fixes: b610386c8afb ('ALSA: firewire-tascam: deleyed registration of sound card')
+Cc: <stable@vger.kernel.org> # v4.7+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/tascam/tascam.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/firewire/tascam/tascam.c
++++ b/sound/firewire/tascam/tascam.c
+@@ -93,6 +93,7 @@ static void tscm_free(struct snd_tscm *t
+       fw_unit_put(tscm->unit);
+ 
+       mutex_destroy(&tscm->mutex);
++      kfree(tscm);
+ }
+ 
+ static void tscm_card_free(struct snd_card *card)

diff --git a/queue-4.9/alsa-fireworks-fix-memory-leak-of-response-buffer-at-error-path.patch b/queue-4.9/alsa-fireworks-fix-memory-leak-of-response-buffer-at-error-path.patch
new file mode 100644 (file)
index 0000000..62de9f3
--- /dev/null
+++ b/queue-4.9/alsa-fireworks-fix-memory-leak-of-response-buffer-at-error-path.patch
@@ -0,0 +1,35 @@
+From c3b55e2ec9c76e7a0de2a0b1dc851fdc9440385b Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Mon, 17 Sep 2018 17:26:41 +0900
+Subject: ALSA: fireworks: fix memory leak of response buffer at error path
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit c3b55e2ec9c76e7a0de2a0b1dc851fdc9440385b upstream.
+
+After allocating memory object for response buffer, ALSA fireworks
+driver has leak of the memory object at error path.
+
+This commit releases the object at the error path.
+
+Fixes: 7d3c1d5901aa('ALSA: fireworks: delayed registration of sound card')
+Cc: <stable@vger.kernel.org> # v4.7+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/fireworks/fireworks.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/firewire/fireworks/fireworks.c
++++ b/sound/firewire/fireworks/fireworks.c
+@@ -301,6 +301,8 @@ error:
+       snd_efw_transaction_remove_instance(efw);
+       snd_efw_stream_destroy_duplex(efw);
+       snd_card_free(efw->card);
++      kfree(efw->resp_buf);
++      efw->resp_buf = NULL;
+       dev_info(&efw->unit->device,
+                "Sound card registration failed: %d\n", err);
+ }

diff --git a/queue-4.9/alsa-oxfw-fix-memory-leak-for-model-dependent-data-at-error-path.patch b/queue-4.9/alsa-oxfw-fix-memory-leak-for-model-dependent-data-at-error-path.patch
new file mode 100644 (file)
index 0000000..441ef53
--- /dev/null
+++ b/queue-4.9/alsa-oxfw-fix-memory-leak-for-model-dependent-data-at-error-path.patch
@@ -0,0 +1,35 @@
+From ce925f088b979537f22f9e05eb923ef9822ca139 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Mon, 17 Sep 2018 17:26:08 +0900
+Subject: ALSA: oxfw: fix memory leak for model-dependent data at error path
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit ce925f088b979537f22f9e05eb923ef9822ca139 upstream.
+
+After allocating model-dependent data, ALSA OXFW driver has memory leak
+of the data at error path.
+
+This commit releases the data at the error path.
+
+Fixes: 6c29230e2a5f ('ALSA: oxfw: delayed registration of sound card')
+Cc: <stable@vger.kernel.org> # v4.7+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/oxfw/oxfw.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/firewire/oxfw/oxfw.c
++++ b/sound/firewire/oxfw/oxfw.c
+@@ -275,6 +275,8 @@ error:
+       if (oxfw->has_output)
+               snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->tx_stream);
+       snd_card_free(oxfw->card);
++      kfree(oxfw->spec);
++      oxfw->spec = NULL;
+       dev_info(&oxfw->unit->device,
+                "Sound card registration failed: %d\n", err);
+ }

diff --git a/queue-4.9/alsa-oxfw-fix-memory-leak-of-discovered-stream-formats-at-error-path.patch b/queue-4.9/alsa-oxfw-fix-memory-leak-of-discovered-stream-formats-at-error-path.patch
new file mode 100644 (file)
index 0000000..c53ef36
--- /dev/null
+++ b/queue-4.9/alsa-oxfw-fix-memory-leak-of-discovered-stream-formats-at-error-path.patch
@@ -0,0 +1,47 @@
+From 1064bc685d359f549f91c2d5f111965a9284f328 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Mon, 17 Sep 2018 17:26:20 +0900
+Subject: ALSA: oxfw: fix memory leak of discovered stream formats at error path
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 1064bc685d359f549f91c2d5f111965a9284f328 upstream.
+
+After finishing discover of stream formats, ALSA OXFW driver has memory
+leak of allocated memory object at error path.
+
+This commit releases the memory object at the error path.
+
+Fixes: 6c29230e2a5f ('ALSA: oxfw: delayed registration of sound card')
+Cc: <stable@vger.kernel.org> # v4.7+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/oxfw/oxfw.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/firewire/oxfw/oxfw.c
++++ b/sound/firewire/oxfw/oxfw.c
+@@ -212,6 +212,7 @@ static int detect_quirks(struct snd_oxfw
+ static void do_registration(struct work_struct *work)
+ {
+       struct snd_oxfw *oxfw = container_of(work, struct snd_oxfw, dwork.work);
++      int i;
+       int err;
+ 
+       if (oxfw->registered)
+@@ -274,6 +275,12 @@ error:
+       snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->rx_stream);
+       if (oxfw->has_output)
+               snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->tx_stream);
++      for (i = 0; i < SND_OXFW_STREAM_FORMAT_ENTRIES; ++i) {
++              kfree(oxfw->tx_stream_formats[i]);
++              oxfw->tx_stream_formats[i] = NULL;
++              kfree(oxfw->rx_stream_formats[i]);
++              oxfw->rx_stream_formats[i] = NULL;
++      }
+       snd_card_free(oxfw->card);
+       kfree(oxfw->spec);
+       oxfw->spec = NULL;

diff --git a/queue-4.9/alsa-oxfw-fix-memory-leak-of-private-data.patch b/queue-4.9/alsa-oxfw-fix-memory-leak-of-private-data.patch
new file mode 100644 (file)
index 0000000..d946f98
--- /dev/null
+++ b/queue-4.9/alsa-oxfw-fix-memory-leak-of-private-data.patch
@@ -0,0 +1,36 @@
+From 498fe23aad8e3b5a9554f55719c537603b4476ea Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Thu, 13 Sep 2018 21:31:18 +0900
+Subject: ALSA: oxfw: fix memory leak of private data
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 498fe23aad8e3b5a9554f55719c537603b4476ea upstream.
+
+Although private data of sound card instance is usually allocated in the
+tail of the instance, drivers in ALSA firewire stack allocate the private
+data before allocating the instance. In this case, the private data
+should be released explicitly at .private_free callback of the instance.
+
+This commit fixes memory leak following to the above design.
+
+Fixes: 6c29230e2a5f ('ALSA: oxfw: delayed registration of sound card')
+Cc: <stable@vger.kernel.org> # v4.7+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/oxfw/oxfw.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/firewire/oxfw/oxfw.c
++++ b/sound/firewire/oxfw/oxfw.c
+@@ -135,6 +135,7 @@ static void oxfw_free(struct snd_oxfw *o
+ 
+       kfree(oxfw->spec);
+       mutex_destroy(&oxfw->mutex);
++      kfree(oxfw);
+ }
+ 
+ /*

diff --git a/queue-4.9/asoc-cs4265-fix-mmtlr-data-switch-control.patch b/queue-4.9/asoc-cs4265-fix-mmtlr-data-switch-control.patch
new file mode 100644 (file)
index 0000000..c153037
--- /dev/null
+++ b/queue-4.9/asoc-cs4265-fix-mmtlr-data-switch-control.patch
@@ -0,0 +1,38 @@
+From 90a3b7f8aba3011badacd6d8121e03aa24ac79d1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9bastien=20Szymanski?=
+ <sebastien.szymanski@armadeus.com>
+Date: Thu, 6 Sep 2018 11:16:00 +0200
+Subject: ASoC: cs4265: fix MMTLR Data switch control
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+
+commit 90a3b7f8aba3011badacd6d8121e03aa24ac79d1 upstream.
+
+The MMTLR bit is in the CS4265_SPDIF_CTL2 register at address 0x12 bit 0
+and not at address 0x0 bit 1. Fix this.
+
+Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/cs4265.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/cs4265.c
++++ b/sound/soc/codecs/cs4265.c
+@@ -157,8 +157,8 @@ static const struct snd_kcontrol_new cs4
+       SOC_SINGLE("Validity Bit Control Switch", CS4265_SPDIF_CTL2,
+                               3, 1, 0),
+       SOC_ENUM("SPDIF Mono/Stereo", spdif_mono_stereo_enum),
+-      SOC_SINGLE("MMTLR Data Switch", 0,
+-                              1, 1, 0),
++      SOC_SINGLE("MMTLR Data Switch", CS4265_SPDIF_CTL2,
++                              0, 1, 0),
+       SOC_ENUM("Mono Channel Select", spdif_mono_select_enum),
+       SND_SOC_BYTES("C Data Buffer", CS4265_C_DATA_BUFF, 24),
+ };

diff --git a/queue-4.9/mm-shmem.c-correctly-annotate-new-inodes-for-lockdep.patch b/queue-4.9/mm-shmem.c-correctly-annotate-new-inodes-for-lockdep.patch
new file mode 100644 (file)
index 0000000..4c29205
--- /dev/null
+++ b/queue-4.9/mm-shmem.c-correctly-annotate-new-inodes-for-lockdep.patch
@@ -0,0 +1,128 @@
+From b45d71fb89ab8adfe727b9d0ee188ed58582a647 Mon Sep 17 00:00:00 2001
+From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
+Date: Thu, 20 Sep 2018 12:22:39 -0700
+Subject: mm: shmem.c: Correctly annotate new inodes for lockdep
+
+From: Joel Fernandes (Google) <joel@joelfernandes.org>
+
+commit b45d71fb89ab8adfe727b9d0ee188ed58582a647 upstream.
+
+Directories and inodes don't necessarily need to be in the same lockdep
+class.  For ex, hugetlbfs splits them out too to prevent false positives
+in lockdep.  Annotate correctly after new inode creation.  If its a
+directory inode, it will be put into a different class.
+
+This should fix a lockdep splat reported by syzbot:
+
+> ======================================================
+> WARNING: possible circular locking dependency detected
+> 4.18.0-rc8-next-20180810+ #36 Not tainted
+> ------------------------------------------------------
+> syz-executor900/4483 is trying to acquire lock:
+> 00000000d2bfc8fe (&sb->s_type->i_mutex_key#9){++++}, at: inode_lock
+> include/linux/fs.h:765 [inline]
+> 00000000d2bfc8fe (&sb->s_type->i_mutex_key#9){++++}, at:
+> shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602
+>
+> but task is already holding lock:
+> 0000000025208078 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x630
+> drivers/staging/android/ashmem.c:448
+>
+> which lock already depends on the new lock.
+>
+> -> #2 (ashmem_mutex){+.+.}:
+>        __mutex_lock_common kernel/locking/mutex.c:925 [inline]
+>        __mutex_lock+0x171/0x1700 kernel/locking/mutex.c:1073
+>        mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1088
+>        ashmem_mmap+0x55/0x520 drivers/staging/android/ashmem.c:361
+>        call_mmap include/linux/fs.h:1844 [inline]
+>        mmap_region+0xf27/0x1c50 mm/mmap.c:1762
+>        do_mmap+0xa10/0x1220 mm/mmap.c:1535
+>        do_mmap_pgoff include/linux/mm.h:2298 [inline]
+>        vm_mmap_pgoff+0x213/0x2c0 mm/util.c:357
+>        ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1585
+>        __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
+>        __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
+>        __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
+>        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+>        entry_SYSCALL_64_after_hwframe+0x49/0xbe
+>
+> -> #1 (&mm->mmap_sem){++++}:
+>        __might_fault+0x155/0x1e0 mm/memory.c:4568
+>        _copy_to_user+0x30/0x110 lib/usercopy.c:25
+>        copy_to_user include/linux/uaccess.h:155 [inline]
+>        filldir+0x1ea/0x3a0 fs/readdir.c:196
+>        dir_emit_dot include/linux/fs.h:3464 [inline]
+>        dir_emit_dots include/linux/fs.h:3475 [inline]
+>        dcache_readdir+0x13a/0x620 fs/libfs.c:193
+>        iterate_dir+0x48b/0x5d0 fs/readdir.c:51
+>        __do_sys_getdents fs/readdir.c:231 [inline]
+>        __se_sys_getdents fs/readdir.c:212 [inline]
+>        __x64_sys_getdents+0x29f/0x510 fs/readdir.c:212
+>        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+>        entry_SYSCALL_64_after_hwframe+0x49/0xbe
+>
+> -> #0 (&sb->s_type->i_mutex_key#9){++++}:
+>        lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
+>        down_write+0x8f/0x130 kernel/locking/rwsem.c:70
+>        inode_lock include/linux/fs.h:765 [inline]
+>        shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602
+>        ashmem_shrink_scan+0x236/0x630 drivers/staging/android/ashmem.c:455
+>        ashmem_ioctl+0x3ae/0x13a0 drivers/staging/android/ashmem.c:797
+>        vfs_ioctl fs/ioctl.c:46 [inline]
+>        file_ioctl fs/ioctl.c:501 [inline]
+>        do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
+>        ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
+>        __do_sys_ioctl fs/ioctl.c:709 [inline]
+>        __se_sys_ioctl fs/ioctl.c:707 [inline]
+>        __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
+>        do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+>        entry_SYSCALL_64_after_hwframe+0x49/0xbe
+>
+> other info that might help us debug this:
+>
+> Chain exists of:
+>   &sb->s_type->i_mutex_key#9 --> &mm->mmap_sem --> ashmem_mutex
+>
+>  Possible unsafe locking scenario:
+>
+>        CPU0                    CPU1
+>        ----                    ----
+>   lock(ashmem_mutex);
+>                                lock(&mm->mmap_sem);
+>                                lock(ashmem_mutex);
+>   lock(&sb->s_type->i_mutex_key#9);
+>
+>  *** DEADLOCK ***
+>
+> 1 lock held by syz-executor900/4483:
+>  #0: 0000000025208078 (ashmem_mutex){+.+.}, at:
+> ashmem_shrink_scan+0xb4/0x630 drivers/staging/android/ashmem.c:448
+
+Link: http://lkml.kernel.org/r/20180821231835.166639-1-joel@joelfernandes.org
+Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Suggested-by: NeilBrown <neilb@suse.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/shmem.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2160,6 +2160,8 @@ static struct inode *shmem_get_inode(str
+                       mpol_shared_policy_init(&info->policy, NULL);
+                       break;
+               }
++
++              lockdep_annotate_inode_mutex_key(inode);
+       } else
+               shmem_free_inode(sb);
+       return inode;

diff --git a/queue-4.9/nfc-fix-possible-memory-corruption-when-handling-shdlc-i-frame-commands.patch b/queue-4.9/nfc-fix-possible-memory-corruption-when-handling-shdlc-i-frame-commands.patch
new file mode 100644 (file)
index 0000000..f6cb6c4
--- /dev/null
+++ b/queue-4.9/nfc-fix-possible-memory-corruption-when-handling-shdlc-i-frame-commands.patch
@@ -0,0 +1,63 @@
+From 674d9de02aa7d521ebdf66c3958758bdd9c64e11 Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan <surenb@google.com>
+Date: Mon, 17 Sep 2018 15:51:40 +0200
+Subject: NFC: Fix possible memory corruption when handling SHDLC I-Frame commands
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+commit 674d9de02aa7d521ebdf66c3958758bdd9c64e11 upstream.
+
+When handling SHDLC I-Frame commands "pipe" field used for indexing
+into an array should be checked before usage. If left unchecked it
+might access memory outside of the array of size NFC_HCI_MAX_PIPES(127).
+
+Malformed NFC HCI frames could be injected by a malicious NFC device
+communicating with the device being attacked (remote attack vector),
+or even by an attacker with physical access to the I2C bus such that
+they could influence the data transfers on that bus (local attack vector).
+skb->data is controlled by the attacker and has only been sanitized in
+the most trivial ways (CRC check), therefore we can consider the
+create_info struct and all of its members to tainted. 'create_info->pipe'
+with max value of 255 (uint8) is used to take an offset of the
+hdev->pipes array of 127 elements which can lead to OOB write.
+
+Cc: Samuel Ortiz <sameo@linux.intel.com>
+Cc: Allen Pais <allen.pais@oracle.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Suggested-by: Kevin Deus <kdeus@google.com>
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/hci/core.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/nfc/hci/core.c
++++ b/net/nfc/hci/core.c
+@@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci
+               }
+               create_info = (struct hci_create_pipe_resp *)skb->data;
+ 
++              if (create_info->pipe >= NFC_HCI_MAX_PIPES) {
++                      status = NFC_HCI_ANY_E_NOK;
++                      goto exit;
++              }
++
+               /* Save the new created pipe and bind with local gate,
+                * the description for skb->data[3] is destination gate id
+                * but since we received this cmd from host controller, we
+@@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci
+               }
+               delete_info = (struct hci_delete_pipe_noti *)skb->data;
+ 
++              if (delete_info->pipe >= NFC_HCI_MAX_PIPES) {
++                      status = NFC_HCI_ANY_E_NOK;
++                      goto exit;
++              }
++
+               hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE;
+               hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST;
+               break;

diff --git a/queue-4.9/nfc-fix-the-number-of-pipes.patch b/queue-4.9/nfc-fix-the-number-of-pipes.patch
new file mode 100644 (file)
index 0000000..dda4fe0
--- /dev/null
+++ b/queue-4.9/nfc-fix-the-number-of-pipes.patch
@@ -0,0 +1,45 @@
+From e285d5bfb7e9785d289663baef252dd315e171f8 Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan <surenb@google.com>
+Date: Mon, 17 Sep 2018 15:51:41 +0200
+Subject: NFC: Fix the number of pipes
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+commit e285d5bfb7e9785d289663baef252dd315e171f8 upstream.
+
+According to ETSI TS 102 622 specification chapter 4.4 pipe identifier
+is 7 bits long which allows for 128 unique pipe IDs. Because
+NFC_HCI_MAX_PIPES is used as the number of pipes supported and not
+as the max pipe ID, its value should be 128 instead of 127.
+
+nfc_hci_recv_from_llc extracts pipe ID from packet header using
+NFC_HCI_FRAGMENT(0x7F) mask which allows for pipe ID value of 127.
+Same happens when NCI_HCP_MSG_GET_PIPE() is being used. With
+pipes array having only 127 elements and pipe ID of 127 the OOB memory
+access will result.
+
+Cc: Samuel Ortiz <sameo@linux.intel.com>
+Cc: Allen Pais <allen.pais@oracle.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/nfc/hci.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/nfc/hci.h
++++ b/include/net/nfc/hci.h
+@@ -87,7 +87,7 @@ struct nfc_hci_pipe {
+  * According to specification 102 622 chapter 4.4 Pipes,
+  * the pipe identifier is 7 bits long.
+  */
+-#define NFC_HCI_MAX_PIPES             127
++#define NFC_HCI_MAX_PIPES             128
+ struct nfc_hci_init_data {
+       u8 gate_count;
+       struct nfc_hci_gate gates[NFC_HCI_MAX_CUSTOM_GATES];

diff --git a/queue-4.9/platform-x86-alienware-wmi-correct-a-memory-leak.patch b/queue-4.9/platform-x86-alienware-wmi-correct-a-memory-leak.patch
new file mode 100644 (file)
index 0000000..ef153d1
--- /dev/null
+++ b/queue-4.9/platform-x86-alienware-wmi-correct-a-memory-leak.patch
@@ -0,0 +1,30 @@
+From ff0e9f26288d2daee4950f42b37a3d3d30d36ec1 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@dell.com>
+Date: Mon, 10 Sep 2018 13:01:53 -0500
+Subject: platform/x86: alienware-wmi: Correct a memory leak
+
+From: Mario Limonciello <mario.limonciello@dell.com>
+
+commit ff0e9f26288d2daee4950f42b37a3d3d30d36ec1 upstream.
+
+An ACPI buffer that was allocated was not being freed after use.
+
+Signed-off-by: Mario Limonciello <mario.limonciello@dell.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/alienware-wmi.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/platform/x86/alienware-wmi.c
++++ b/drivers/platform/x86/alienware-wmi.c
+@@ -518,6 +518,7 @@ static acpi_status alienware_wmax_comman
+               if (obj && obj->type == ACPI_TYPE_INTEGER)
+                       *out_data = (u32) obj->integer.value;
+       }
++      kfree(output.pointer);
+       return status;
+ 
+ }

diff --git a/queue-4.9/revert-pci-add-acs-quirk-for-intel-300-series.patch b/queue-4.9/revert-pci-add-acs-quirk-for-intel-300-series.patch
new file mode 100644 (file)
index 0000000..64e7044
--- /dev/null
+++ b/queue-4.9/revert-pci-add-acs-quirk-for-intel-300-series.patch
@@ -0,0 +1,50 @@
+From 50ca031b51106b1b46162d4e9ecccb7edc95682f Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 5 Sep 2018 14:09:54 +0300
+Subject: Revert "PCI: Add ACS quirk for Intel 300 series"
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 50ca031b51106b1b46162d4e9ecccb7edc95682f upstream.
+
+This reverts f154a718e6cc ("PCI: Add ACS quirk for Intel 300 series").
+
+It turns out that erratum "PCH PCIe* Controller Root Port (ACSCTLR) Appear
+As Read Only" has been fixed in 300 series chipsets, even though the
+datasheet [1] claims otherwise.  To make ACS work properly on 300 series
+root ports, revert the faulty commit.
+
+[1] https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/300-series-c240-series-chipset-pch-spec-update.pdf
+
+Fixes: f154a718e6cc ("PCI: Add ACS quirk for Intel 300 series")
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org     # v4.18+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/quirks.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4236,11 +4236,6 @@ static int pci_quirk_qcom_rp_acs(struct
+  *
+  * 0x9d10-0x9d1b PCI Express Root port #{1-12}
+  *
+- * The 300 series chipset suffers from the same bug so include those root
+- * ports here as well.
+- *
+- * 0xa32c-0xa343 PCI Express Root port #{0-24}
+- *
+  * [1] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-2.html
+  * [2] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-1.html
+  * [3] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-spec-update.html
+@@ -4258,7 +4253,6 @@ static bool pci_quirk_intel_spt_pch_acs_
+       case 0xa110 ... 0xa11f: case 0xa167 ... 0xa16a: /* Sunrise Point */
+       case 0xa290 ... 0xa29f: case 0xa2e7 ... 0xa2ee: /* Union Point */
+       case 0x9d10 ... 0x9d1b: /* 7th & 8th Gen Mobile */
+-      case 0xa32c ... 0xa343:                         /* 300 series */
+               return true;
+       }
+ 

diff --git a/queue-4.9/ring-buffer-allow-for-rescheduling-when-removing-pages.patch b/queue-4.9/ring-buffer-allow-for-rescheduling-when-removing-pages.patch
new file mode 100644 (file)
index 0000000..edb0b71
--- /dev/null
+++ b/queue-4.9/ring-buffer-allow-for-rescheduling-when-removing-pages.patch
@@ -0,0 +1,44 @@
+From 83f365554e47997ec68dc4eca3f5dce525cd15c3 Mon Sep 17 00:00:00 2001
+From: Vaibhav Nagarnaik <vnagarnaik@google.com>
+Date: Fri, 7 Sep 2018 15:31:29 -0700
+Subject: ring-buffer: Allow for rescheduling when removing pages
+
+From: Vaibhav Nagarnaik <vnagarnaik@google.com>
+
+commit 83f365554e47997ec68dc4eca3f5dce525cd15c3 upstream.
+
+When reducing ring buffer size, pages are removed by scheduling a work
+item on each CPU for the corresponding CPU ring buffer. After the pages
+are removed from ring buffer linked list, the pages are free()d in a
+tight loop. The loop does not give up CPU until all pages are removed.
+In a worst case behavior, when lot of pages are to be freed, it can
+cause system stall.
+
+After the pages are removed from the list, the free() can happen while
+the work is rescheduled. Call cond_resched() in the loop to prevent the
+system hangup.
+
+Link: http://lkml.kernel.org/r/20180907223129.71994-1-vnagarnaik@google.com
+
+Cc: stable@vger.kernel.org
+Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
+Reported-by: Jason Behmer <jbehmer@google.com>
+Signed-off-by: Vaibhav Nagarnaik <vnagarnaik@google.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ring_buffer.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -1504,6 +1504,8 @@ rb_remove_pages(struct ring_buffer_per_c
+       tmp_iter_page = first_page;
+ 
+       do {
++              cond_resched();
++
+               to_remove_page = tmp_iter_page;
+               rb_inc_page(cpu_buffer, &tmp_iter_page);
+ 

diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644 (file)
index 0000000..7a8cc92
--- /dev/null
+++ b/queue-4.9/series
@@ -0,0 +1,18 @@
+nfc-fix-possible-memory-corruption-when-handling-shdlc-i-frame-commands.patch
+nfc-fix-the-number-of-pipes.patch
+asoc-cs4265-fix-mmtlr-data-switch-control.patch
+alsa-bebob-fix-memory-leak-for-m-audio-fw1814-and-projectmix-i-o-at-error-path.patch
+alsa-bebob-use-address-returned-by-kmalloc-instead-of-kernel-stack-for-streaming-dma-mapping.patch
+alsa-emu10k1-fix-possible-info-leak-to-userspace-on-sndrv_emu10k1_ioctl_info.patch
+alsa-firewire-digi00x-fix-memory-leak-of-private-data.patch
+alsa-firewire-tascam-fix-memory-leak-of-private-data.patch
+alsa-fireworks-fix-memory-leak-of-response-buffer-at-error-path.patch
+alsa-oxfw-fix-memory-leak-for-model-dependent-data-at-error-path.patch
+alsa-oxfw-fix-memory-leak-of-discovered-stream-formats-at-error-path.patch
+alsa-oxfw-fix-memory-leak-of-private-data.patch
+platform-x86-alienware-wmi-correct-a-memory-leak.patch
+xen-netfront-don-t-bug-in-case-of-too-many-frags.patch
+xen-x86-vpmu-zero-struct-pt_regs-before-calling-into-sample-handling-code.patch
+revert-pci-add-acs-quirk-for-intel-300-series.patch
+ring-buffer-allow-for-rescheduling-when-removing-pages.patch
+mm-shmem.c-correctly-annotate-new-inodes-for-lockdep.patch

diff --git a/queue-4.9/xen-netfront-don-t-bug-in-case-of-too-many-frags.patch b/queue-4.9/xen-netfront-don-t-bug-in-case-of-too-many-frags.patch
new file mode 100644 (file)
index 0000000..60f545d
--- /dev/null
+++ b/queue-4.9/xen-netfront-don-t-bug-in-case-of-too-many-frags.patch
@@ -0,0 +1,51 @@
+From ad4f15dc2c70b1de5e0a64d27335962fbc9cf71c Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Tue, 11 Sep 2018 09:04:48 +0200
+Subject: xen/netfront: don't bug in case of too many frags
+
+From: Juergen Gross <jgross@suse.com>
+
+commit ad4f15dc2c70b1de5e0a64d27335962fbc9cf71c upstream.
+
+Commit 57f230ab04d291 ("xen/netfront: raise max number of slots in
+xennet_get_responses()") raised the max number of allowed slots by one.
+This seems to be problematic in some configurations with netback using
+a larger MAX_SKB_FRAGS value (e.g. old Linux kernel with MAX_SKB_FRAGS
+defined as 18 instead of nowadays 17).
+
+Instead of BUG_ON() in this case just fall back to retransmission.
+
+Fixes: 57f230ab04d291 ("xen/netfront: raise max number of slots in xennet_get_responses()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/xen-netfront.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -906,7 +906,11 @@ static RING_IDX xennet_fill_frags(struct
+                       BUG_ON(pull_to <= skb_headlen(skb));
+                       __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+               }
+-              BUG_ON(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS);
++              if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
++                      queue->rx.rsp_cons = ++cons;
++                      kfree_skb(nskb);
++                      return ~0U;
++              }
+ 
+               skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
+                               skb_frag_page(nfrag),
+@@ -1043,6 +1047,8 @@ err:
+               skb->len += rx->status;
+ 
+               i = xennet_fill_frags(queue, skb, &tmpq);
++              if (unlikely(i == ~0U))
++                      goto err;
+ 
+               if (rx->flags & XEN_NETRXF_csum_blank)
+                       skb->ip_summed = CHECKSUM_PARTIAL;

diff --git a/queue-4.9/xen-x86-vpmu-zero-struct-pt_regs-before-calling-into-sample-handling-code.patch b/queue-4.9/xen-x86-vpmu-zero-struct-pt_regs-before-calling-into-sample-handling-code.patch
new file mode 100644 (file)
index 0000000..b0f1c0f
--- /dev/null
+++ b/queue-4.9/xen-x86-vpmu-zero-struct-pt_regs-before-calling-into-sample-handling-code.patch
@@ -0,0 +1,33 @@
+From 70513d58751d7c6c1a0133557b13089b9f2e3e66 Mon Sep 17 00:00:00 2001
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Date: Thu, 12 Jul 2018 13:27:00 -0400
+Subject: xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code
+
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+
+commit 70513d58751d7c6c1a0133557b13089b9f2e3e66 upstream.
+
+Otherwise we may leak kernel stack for events that sample user
+registers.
+
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/pmu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/xen/pmu.c
++++ b/arch/x86/xen/pmu.c
+@@ -477,7 +477,7 @@ static void xen_convert_regs(const struc
+ irqreturn_t xen_pmu_irq_handler(int irq, void *dev_id)
+ {
+       int err, ret = IRQ_NONE;
+-      struct pt_regs regs;
++      struct pt_regs regs = {0};
+       const struct xen_pmu_data *xenpmu_data = get_xenpmu_data();
+       uint8_t xenpmu_flags = get_xenpmu_flags();
+