--- /dev/null
+From c130b666a9a711f985a0a44b58699ebe14bb7245 Mon Sep 17 00:00:00 2001
+From: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Date: Wed, 28 Dec 2016 16:42:00 -0200
+Subject: 8250_pci: Fix potential use-after-free in error path
+
+From: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+
+commit c130b666a9a711f985a0a44b58699ebe14bb7245 upstream.
+
+Commit f209fa03fc9d ("serial: 8250_pci: Detach low-level driver during
+PCI error recovery") introduces a potential use-after-free in case the
+pciserial_init_ports call in serial8250_io_resume fails, which may
+happen if a memory allocation fails or if the .init quirk failed for
+whatever reason). If this happen, further pci_get_drvdata will return a
+pointer to freed memory.
+
+This patch reworks the PCI recovery resume hook to restore the old priv
+structure in this case, which should be ok, since the ports were already
+detached. Such error during recovery causes us to give up on the
+recovery.
+
+Fixes: f209fa03fc9d ("serial: 8250_pci: Detach low-level driver during PCI error recovery")
+Reported-by: Michal Suchanek <msuchanek@suse.com>
+Signed-off-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_pci.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -5621,17 +5621,15 @@ static pci_ers_result_t serial8250_io_sl
+ static void serial8250_io_resume(struct pci_dev *dev)
+ {
+ struct serial_private *priv = pci_get_drvdata(dev);
+- const struct pciserial_board *board;
++ struct serial_private *new;
+
+ if (!priv)
+ return;
+
+- board = priv->board;
+- kfree(priv);
+- priv = pciserial_init_ports(dev, board);
+-
+- if (!IS_ERR(priv)) {
+- pci_set_drvdata(dev, priv);
++ new = pciserial_init_ports(dev, priv->board);
++ if (!IS_ERR(new)) {
++ pci_set_drvdata(dev, new);
++ kfree(priv);
+ }
+ }
+
--- /dev/null
+From 8358378b22518d92424597503d3c1cd302a490b6 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sun, 12 Mar 2017 06:18:58 -0700
+Subject: hwmon: (it87) Avoid registering the same chip on both SIO addresses
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 8358378b22518d92424597503d3c1cd302a490b6 upstream.
+
+IT8705F is known to respond on both SIO addresses. Registering it twice
+may result in system lockups.
+
+Reported-by: Russell King <linux@armlinux.org.uk>
+Fixes: e84bd9535e2b ("hwmon: (it87) Add support for second Super-IO chip")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Cc: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/it87.c | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+--- a/drivers/hwmon/it87.c
++++ b/drivers/hwmon/it87.c
+@@ -3115,7 +3115,7 @@ static int __init sm_it87_init(void)
+ {
+ int sioaddr[2] = { REG_2E, REG_4E };
+ struct it87_sio_data sio_data;
+- unsigned short isa_address;
++ unsigned short isa_address[2];
+ bool found = false;
+ int i, err;
+
+@@ -3125,15 +3125,29 @@ static int __init sm_it87_init(void)
+
+ for (i = 0; i < ARRAY_SIZE(sioaddr); i++) {
+ memset(&sio_data, 0, sizeof(struct it87_sio_data));
+- isa_address = 0;
+- err = it87_find(sioaddr[i], &isa_address, &sio_data);
+- if (err || isa_address == 0)
++ isa_address[i] = 0;
++ err = it87_find(sioaddr[i], &isa_address[i], &sio_data);
++ if (err || isa_address[i] == 0)
+ continue;
++ /*
++ * Don't register second chip if its ISA address matches
++ * the first chip's ISA address.
++ */
++ if (i && isa_address[i] == isa_address[0])
++ break;
+
+- err = it87_device_add(i, isa_address, &sio_data);
++ err = it87_device_add(i, isa_address[i], &sio_data);
+ if (err)
+ goto exit_dev_unregister;
++
+ found = true;
++
++ /*
++ * IT8705F may respond on both SIO addresses.
++ * Stop probing after finding one.
++ */
++ if (sio_data.type == it87)
++ break;
+ }
+
+ if (!found) {
--- /dev/null
+From f1c635b439a5c01776fe3a25b1e2dc546ea82e6f Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Tue, 7 Mar 2017 09:15:53 -0800
+Subject: scsi: storvsc: Workaround for virtual DVD SCSI version
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+commit f1c635b439a5c01776fe3a25b1e2dc546ea82e6f upstream.
+
+Hyper-V host emulation of SCSI for virtual DVD device reports SCSI
+version 0 (UNKNOWN) but is still capable of supporting REPORTLUN.
+
+Without this patch, a GEN2 Linux guest on Hyper-V will not boot 4.11
+successfully with virtual DVD ROM device. What happens is that the SCSI
+scan process falls back to doing sequential probing by INQUIRY. But the
+storvsc driver has a previous workaround that masks/blocks all errors
+reports from INQUIRY (or MODE_SENSE) commands. This workaround causes
+the scan to then populate a full set of bogus LUN's on the target and
+then sends kernel spinning off into a death spiral doing block reads on
+the non-existent LUNs.
+
+By setting the correct blacklist flags, the target with the DVD device
+is scanned with REPORTLUN and that works correctly.
+
+Patch needs to go in current 4.11, it is safe but not necessary in older
+kernels.
+
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/storvsc_drv.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -400,8 +400,6 @@ MODULE_PARM_DESC(storvsc_vcpus_per_sub_c
+ */
+ static int storvsc_timeout = 180;
+
+-static int msft_blist_flags = BLIST_TRY_VPD_PAGES;
+-
+ #if IS_ENABLED(CONFIG_SCSI_FC_ATTRS)
+ static struct scsi_transport_template *fc_transport_template;
+ #endif
+@@ -1283,6 +1281,22 @@ static int storvsc_do_io(struct hv_devic
+ return ret;
+ }
+
++static int storvsc_device_alloc(struct scsi_device *sdevice)
++{
++ /*
++ * Set blist flag to permit the reading of the VPD pages even when
++ * the target may claim SPC-2 compliance. MSFT targets currently
++ * claim SPC-2 compliance while they implement post SPC-2 features.
++ * With this flag we can correctly handle WRITE_SAME_16 issues.
++ *
++ * Hypervisor reports SCSI_UNKNOWN type for DVD ROM device but
++ * still supports REPORT LUN.
++ */
++ sdevice->sdev_bflags = BLIST_REPORTLUN2 | BLIST_TRY_VPD_PAGES;
++
++ return 0;
++}
++
+ static int storvsc_device_configure(struct scsi_device *sdevice)
+ {
+
+@@ -1298,14 +1312,6 @@ static int storvsc_device_configure(stru
+ sdevice->no_write_same = 1;
+
+ /*
+- * Add blist flags to permit the reading of the VPD pages even when
+- * the target may claim SPC-2 compliance. MSFT targets currently
+- * claim SPC-2 compliance while they implement post SPC-2 features.
+- * With this patch we can correctly handle WRITE_SAME_16 issues.
+- */
+- sdevice->sdev_bflags |= msft_blist_flags;
+-
+- /*
+ * If the host is WIN8 or WIN8 R2, claim conformance to SPC-3
+ * if the device is a MSFT virtual device. If the host is
+ * WIN10 or newer, allow write_same.
+@@ -1569,6 +1575,7 @@ static struct scsi_host_template scsi_dr
+ .eh_host_reset_handler = storvsc_host_reset_handler,
+ .proc_name = "storvsc_host",
+ .eh_timed_out = storvsc_eh_timed_out,
++ .slave_alloc = storvsc_device_alloc,
+ .slave_configure = storvsc_device_configure,
+ .cmd_per_lun = 255,
+ .this_id = -1,
timerfd-protect-the-might-cancel-mechanism-proper.patch
handle-mismatched-open-calls.patch
tpm_tis-use-default-timeout-value-if-chip-reports-it-as-zero.patch
+scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch
+hwmon-it87-avoid-registering-the-same-chip-on-both-sio-addresses.patch
+8250_pci-fix-potential-use-after-free-in-error-path.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
