From: Greg Kroah-Hartman Date: Sat, 18 Jan 2020 15:13:15 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.211~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0b9cf36461d04d3586bdf5c89df5a2791332b031;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch arm-dts-am571x-idk-fix-gpios-property-to-have-the-correct-gpio-number.patch asoc-msm8916-wcd-analog-fix-selected-events-for-mic-bias-external1.patch asoc-msm8916-wcd-digital-reset-rx-interpolation-path-after-use.patch block-fix-an-integer-overflow-in-logical-block-size.patch clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch fix-built-in-early-load-intel-microcode-alignment.patch --- diff --git a/queue-4.14/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch b/queue-4.14/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch new file mode 100644 index 00000000000..a720c7d0e2e --- /dev/null +++ b/queue-4.14/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch 
@@ -0,0 +1,54 @@ +From 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 15 Jan 2020 21:37:33 +0100 +Subject: ALSA: seq: Fix racy access for queue timer in proc read + +From: Takashi Iwai + +commit 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a upstream. + +snd_seq_info_timer_read() reads the information of the timer assigned +for each queue, but it's done in a racy way which may lead to UAF as +spotted by syzkaller. + +This patch applies the missing q->timer_mutex lock while accessing the +timer object as well as a slight code change to adapt the standard +coding style. + +Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com +Cc: +Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_timer.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/sound/core/seq/seq_timer.c ++++ b/sound/core/seq/seq_timer.c +@@ -479,15 +479,19 @@ void snd_seq_info_timer_read(struct snd_ + q = queueptr(idx); + if (q == NULL) + continue; +- if ((tmr = q->timer) == NULL || +- (ti = tmr->timeri) == NULL) { +- queuefree(q); +- continue; +- } ++ mutex_lock(&q->timer_mutex); ++ tmr = q->timer; ++ if (!tmr) ++ goto unlock; ++ ti = tmr->timeri; ++ if (!ti) ++ goto unlock; + snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name); + resolution = snd_timer_resolution(ti) * tmr->ticks; + snd_iprintf(buffer, " Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000); + snd_iprintf(buffer, " Skew : %u / %u\n", tmr->skew, tmr->skew_base); ++unlock: ++ mutex_unlock(&q->timer_mutex); + queuefree(q); + } + } diff --git a/queue-4.14/arm-dts-am571x-idk-fix-gpios-property-to-have-the-correct-gpio-number.patch b/queue-4.14/arm-dts-am571x-idk-fix-gpios-property-to-have-the-correct-gpio-number.patch new file mode 100644 index 00000000000..d655bc8db2f --- /dev/null 
+++ b/queue-4.14/arm-dts-am571x-idk-fix-gpios-property-to-have-the-correct-gpio-number.patch @@ -0,0 +1,38 @@ +From 0c4eb2a6b3c6b0facd0a3bccda5db22e7b3b6f96 Mon Sep 17 00:00:00 2001 +From: Kishon Vijay Abraham I +Date: Tue, 17 Dec 2019 14:21:23 +0530 +Subject: ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number + +From: Kishon Vijay Abraham I + +commit 0c4eb2a6b3c6b0facd0a3bccda5db22e7b3b6f96 upstream. + +commit d23f3839fe97d8dce03d ("ARM: dts: DRA7: Add pcie1 dt node for +EP mode") while adding the dt node for EP mode for DRA7 platform, +added rc node for am571x-idk and populated gpios property with +"gpio3 23". However the GPIO_PCIE_SWRST line is actually connected +to "gpio5 18". Fix it here. (The patch adding "gpio3 23" was tested +with another am57x board in EP mode which doesn't rely on reset from +host). + +Cc: stable # 4.14+ +Fixes: d23f3839fe97d8dce03d ("ARM: dts: DRA7: Add pcie1 dt node for EP mode") +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/am571x-idk.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/am571x-idk.dts ++++ b/arch/arm/boot/dts/am571x-idk.dts +@@ -93,7 +93,7 @@ + + &pcie1_rc { + status = "okay"; +- gpios = <&gpio3 23 GPIO_ACTIVE_HIGH>; ++ gpios = <&gpio5 18 GPIO_ACTIVE_HIGH>; + }; + + &pcie1_ep { diff --git a/queue-4.14/asoc-msm8916-wcd-analog-fix-selected-events-for-mic-bias-external1.patch b/queue-4.14/asoc-msm8916-wcd-analog-fix-selected-events-for-mic-bias-external1.patch new file mode 100644 index 00000000000..ec380fe6df8 --- /dev/null +++ b/queue-4.14/asoc-msm8916-wcd-analog-fix-selected-events-for-mic-bias-external1.patch 
@@ -0,0 +1,44 @@ +From e0beec88397b163c7c4ea6fcfb67e8e07a2671dc Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Sat, 11 Jan 2020 17:40:03 +0100 +Subject: ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 + +From: Stephan Gerhold + +commit e0beec88397b163c7c4ea6fcfb67e8e07a2671dc upstream. + +MIC BIAS External1 sets pm8916_wcd_analog_enable_micbias_ext1() +as event handler, which ends up in pm8916_wcd_analog_enable_micbias_ext(). + +But pm8916_wcd_analog_enable_micbias_ext() only handles the POST_PMU +event, which is not specified in the event flags for MIC BIAS External1. +This means that the code in the event handler is never actually run. + +Set SND_SOC_DAPM_POST_PMU as the only event for the handler to fix this. + +Fixes: 585e881e5b9e ("ASoC: codecs: Add msm8916-wcd analog codec") +Cc: Srinivas Kandagatla +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200111164006.43074-2-stephan@gerhold.net +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/msm8916-wcd-analog.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/msm8916-wcd-analog.c ++++ b/sound/soc/codecs/msm8916-wcd-analog.c +@@ -876,10 +876,10 @@ static const struct snd_soc_dapm_widget + + SND_SOC_DAPM_SUPPLY("MIC BIAS External1", CDC_A_MICB_1_EN, 7, 0, + pm8916_wcd_analog_enable_micbias_ext1, +- SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD), ++ SND_SOC_DAPM_POST_PMU), + SND_SOC_DAPM_SUPPLY("MIC BIAS External2", CDC_A_MICB_2_EN, 7, 0, + pm8916_wcd_analog_enable_micbias_ext2, +- SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD), ++ SND_SOC_DAPM_POST_PMU), + + SND_SOC_DAPM_ADC_E("ADC1", NULL, CDC_A_TX_1_EN, 7, 0, + pm8916_wcd_analog_enable_adc, diff --git a/queue-4.14/asoc-msm8916-wcd-digital-reset-rx-interpolation-path-after-use.patch b/queue-4.14/asoc-msm8916-wcd-digital-reset-rx-interpolation-path-after-use.patch new file mode 100644 index 00000000000..7123daa2751 --- /dev/null 
+++ b/queue-4.14/asoc-msm8916-wcd-digital-reset-rx-interpolation-path-after-use.patch 
@@ -0,0 +1,52 @@ +From 85578bbd642f65065039b1765ebe1a867d5435b0 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Sun, 5 Jan 2020 11:27:53 +0100 +Subject: ASoC: msm8916-wcd-digital: Reset RX interpolation path after use + +From: Stephan Gerhold + +commit 85578bbd642f65065039b1765ebe1a867d5435b0 upstream. + +For some reason, attempting to route audio through QDSP6 on MSM8916 +causes the RX interpolation path to get "stuck" after playing audio +a few times. In this situation, the analog codec part is still working, +but the RX path in the digital codec stops working, so you only hear +the analog parts powering up. After a reboot everything works again. + +So far I was not able to reproduce the problem when using lpass-cpu. + +The downstream kernel driver avoids this by resetting the RX +interpolation path after use. In mainline we do something similar +for the TX decimator (LPASS_CDC_CLK_TX_RESET_B1_CTL), but the +interpolator reset (LPASS_CDC_CLK_RX_RESET_CTL) got lost when the +msm8916-wcd driver was split into analog and digital. + +Fix this problem by adding the reset to +msm8916_wcd_digital_enable_interpolator(). + +Fixes: 150db8c5afa1 ("ASoC: codecs: Add msm8916-wcd digital codec") +Cc: Srinivas Kandagatla +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200105102753.83108-1-stephan@gerhold.net +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/msm8916-wcd-digital.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/soc/codecs/msm8916-wcd-digital.c ++++ b/sound/soc/codecs/msm8916-wcd-digital.c +@@ -462,6 +462,12 @@ static int msm8916_wcd_digital_enable_dm + break; + } + break; ++ case SND_SOC_DAPM_POST_PMD: ++ snd_soc_component_update_bits(component, LPASS_CDC_CLK_RX_RESET_CTL, ++ 1 << w->shift, 1 << w->shift); ++ snd_soc_component_update_bits(component, LPASS_CDC_CLK_RX_RESET_CTL, ++ 1 << w->shift, 0x0); ++ break; + } + + return 0; 
diff --git a/queue-4.14/block-fix-an-integer-overflow-in-logical-block-size.patch b/queue-4.14/block-fix-an-integer-overflow-in-logical-block-size.patch new file mode 100644 index 00000000000..43f765d9181 --- /dev/null +++ b/queue-4.14/block-fix-an-integer-overflow-in-logical-block-size.patch 
@@ -0,0 +1,116 @@ +From ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 15 Jan 2020 08:35:25 -0500 +Subject: block: fix an integer overflow in logical block size + +From: Mikulas Patocka + +commit ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 upstream. + +Logical block size has type unsigned short. That means that it can be at +most 32768. However, there are architectures that can run with 64k pages +(for example arm64) and on these architectures, it may be possible to +create block devices with 64k block size. + +For exmaple (run this on an architecture with 64k pages): + +Mount will fail with this error because it tries to read the superblock using 2-sector +access: + device-mapper: writecache: I/O is not aligned, sector 2, size 1024, block size 65536 + EXT4-fs (dm-0): unable to read superblock + +This patch changes the logical block size from unsigned short to unsigned +int to avoid the overflow. + +Cc: stable@vger.kernel.org +Reviewed-by: Martin K. Petersen +Reviewed-by: Ming Lei +Signed-off-by: Mikulas Patocka +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-settings.c | 2 +- + drivers/md/dm-snap-persistent.c | 2 +- + drivers/md/raid0.c | 2 +- + include/linux/blkdev.h | 8 ++++---- + 4 files changed, 7 insertions(+), 7 deletions(-) + +--- a/block/blk-settings.c ++++ b/block/blk-settings.c +@@ -379,7 +379,7 @@ EXPORT_SYMBOL(blk_queue_max_segment_size + * storage device can address. The default of 512 covers most + * hardware. 
+ **/ +-void blk_queue_logical_block_size(struct request_queue *q, unsigned short size) ++void blk_queue_logical_block_size(struct request_queue *q, unsigned int size) + { + q->limits.logical_block_size = size; + +--- a/drivers/md/dm-snap-persistent.c ++++ b/drivers/md/dm-snap-persistent.c +@@ -17,7 +17,7 @@ + #include "dm-bufio.h" + + #define DM_MSG_PREFIX "persistent snapshot" +-#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32 /* 16KB */ ++#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32U /* 16KB */ + + #define DM_PREFETCH_CHUNKS 12 + +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -94,7 +94,7 @@ static int create_strip_zones(struct mdd + char b[BDEVNAME_SIZE]; + char b2[BDEVNAME_SIZE]; + struct r0conf *conf = kzalloc(sizeof(*conf), GFP_KERNEL); +- unsigned short blksize = 512; ++ unsigned blksize = 512; + + *private_conf = ERR_PTR(-ENOMEM); + if (!conf) +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -343,6 +343,7 @@ struct queue_limits { + unsigned int max_sectors; + unsigned int max_segment_size; + unsigned int physical_block_size; ++ unsigned int logical_block_size; + unsigned int alignment_offset; + unsigned int io_min; + unsigned int io_opt; +@@ -353,7 +354,6 @@ struct queue_limits { + unsigned int discard_granularity; + unsigned int discard_alignment; + +- unsigned short logical_block_size; + unsigned short max_segments; + unsigned short max_integrity_segments; + unsigned short max_discard_segments; +@@ -1178,7 +1178,7 @@ extern void blk_queue_max_write_same_sec + unsigned int max_write_same_sectors); + extern void blk_queue_max_write_zeroes_sectors(struct request_queue *q, + unsigned int max_write_same_sectors); +-extern void blk_queue_logical_block_size(struct request_queue *, unsigned short); ++extern void blk_queue_logical_block_size(struct request_queue *, unsigned int); + extern void blk_queue_physical_block_size(struct request_queue *, unsigned int); + extern void blk_queue_alignment_offset(struct request_queue *q, + unsigned int alignment); 
+@@ -1436,7 +1436,7 @@ static inline unsigned int queue_max_seg + return q->limits.max_segment_size; + } + +-static inline unsigned short queue_logical_block_size(struct request_queue *q) ++static inline unsigned queue_logical_block_size(struct request_queue *q) + { + int retval = 512; + +@@ -1446,7 +1446,7 @@ static inline unsigned short queue_logic + return retval; + } + +-static inline unsigned short bdev_logical_block_size(struct block_device *bdev) ++static inline unsigned int bdev_logical_block_size(struct block_device *bdev) + { + return queue_logical_block_size(bdev_get_queue(bdev)); + } diff --git a/queue-4.14/clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch b/queue-4.14/clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch new file mode 100644 index 00000000000..38cf47053c7 --- /dev/null +++ b/queue-4.14/clk-don-t-try-to-enable-critical-clocks-if-prepare-failed.patch 
@@ -0,0 +1,65 @@ +From 12ead77432f2ce32dea797742316d15c5800cb32 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 25 Dec 2019 08:34:29 -0800 +Subject: clk: Don't try to enable critical clocks if prepare failed + +From: Guenter Roeck + +commit 12ead77432f2ce32dea797742316d15c5800cb32 upstream. + +The following traceback is seen if a critical clock fails to prepare. + +bcm2835-clk 3f101000.cprman: plld: couldn't lock PLL +------------[ cut here ]------------ +Enabling unprepared plld_per +WARNING: CPU: 1 PID: 1 at drivers/clk/clk.c:1014 clk_core_enable+0xcc/0x2c0 +... +Call trace: + clk_core_enable+0xcc/0x2c0 + __clk_register+0x5c4/0x788 + devm_clk_hw_register+0x4c/0xb0 + bcm2835_register_pll_divider+0xc0/0x150 + bcm2835_clk_probe+0x134/0x1e8 + platform_drv_probe+0x50/0xa0 + really_probe+0xd4/0x308 + driver_probe_device+0x54/0xe8 + device_driver_attach+0x6c/0x78 + __driver_attach+0x54/0xd8 +... + +Check return values from clk_core_prepare() and clk_core_enable() and +bail out if any of those functions returns an error. + +Cc: Jerome Brunet +Fixes: 99652a469df1 ("clk: migrate the count of orphaned clocks at init") +Signed-off-by: Guenter Roeck +Link: https://lkml.kernel.org/r/20191225163429.29694-1-linux@roeck-us.net +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/clk.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -2482,11 +2482,17 @@ static int __clk_core_init(struct clk_co + if (core->flags & CLK_IS_CRITICAL) { + unsigned long flags; + +- clk_core_prepare(core); ++ ret = clk_core_prepare(core); ++ if (ret) ++ goto out; + + flags = clk_enable_lock(); +- clk_core_enable(core); ++ ret = clk_core_enable(core); + clk_enable_unlock(flags); ++ if (ret) { ++ clk_core_unprepare(core); ++ goto out; ++ } + } + + /* 
diff --git a/queue-4.14/dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch b/queue-4.14/dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch new file mode 100644 index 00000000000..c07edf414b2 --- /dev/null +++ b/queue-4.14/dt-bindings-reset-meson8b-fix-duplicate-reset-ids.patch @@ -0,0 +1,42 @@ +From 4881873f4cc1460f63d85fa81363d56be328ccdc Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Sat, 30 Nov 2019 19:53:37 +0100 +Subject: dt-bindings: reset: meson8b: fix duplicate reset IDs + +From: Martin Blumenstingl + +commit 4881873f4cc1460f63d85fa81363d56be328ccdc upstream. + +According to the public S805 datasheet the RESET2 register uses the +following bits for the PIC_DC, PSC and NAND reset lines: +- PIC_DC is at bit 3 (meaning: RESET_VD_RMEM + 3) +- PSC is at bit 4 (meaning: RESET_VD_RMEM + 4) +- NAND is at bit 5 (meaning: RESET_VD_RMEM + 4) + +Update the reset IDs of these three reset lines so they don't conflict +with PIC_DC and map to the actual hardware reset lines. + +Fixes: 79795e20a184eb ("dt-bindings: reset: Add bindings for the Meson SoC Reset Controller") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Kevin Hilman +Signed-off-by: Greg Kroah-Hartman + +--- + include/dt-bindings/reset/amlogic,meson8b-reset.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/include/dt-bindings/reset/amlogic,meson8b-reset.h ++++ b/include/dt-bindings/reset/amlogic,meson8b-reset.h +@@ -95,9 +95,9 @@ + #define RESET_VD_RMEM 64 + #define RESET_AUDIN 65 + #define RESET_DBLK 66 +-#define RESET_PIC_DC 66 +-#define RESET_PSC 66 +-#define RESET_NAND 66 ++#define RESET_PIC_DC 67 ++#define RESET_PSC 68 ++#define RESET_NAND 69 + #define RESET_GE2D 70 + #define RESET_PARSER_REG 71 + #define RESET_PARSER_FETCH 72 diff --git a/queue-4.14/fix-built-in-early-load-intel-microcode-alignment.patch b/queue-4.14/fix-built-in-early-load-intel-microcode-alignment.patch new file mode 100644 index 00000000000..94cce0bca3d --- /dev/null 
+++ b/queue-4.14/fix-built-in-early-load-intel-microcode-alignment.patch 
@@ -0,0 +1,54 @@ +From f5ae2ea6347a308cfe91f53b53682ce635497d0d Mon Sep 17 00:00:00 2001 +From: Jari Ruusu +Date: Sun, 12 Jan 2020 15:00:53 +0200 +Subject: Fix built-in early-load Intel microcode alignment + +From: Jari Ruusu + +commit f5ae2ea6347a308cfe91f53b53682ce635497d0d upstream. + +Intel Software Developer's Manual, volume 3, chapter 9.11.6 says: + + "Note that the microcode update must be aligned on a 16-byte boundary + and the size of the microcode update must be 1-KByte granular" + +When early-load Intel microcode is loaded from initramfs, userspace tool +'iucode_tool' has already 16-byte aligned those microcode bits in that +initramfs image. Image that was created something like this: + + iucode_tool --write-earlyfw=FOO.cpio microcode-files... + +However, when early-load Intel microcode is loaded from built-in +firmware BLOB using CONFIG_EXTRA_FIRMWARE= kernel config option, that +16-byte alignment is not guaranteed. + +Fix this by forcing all built-in firmware BLOBs to 16-byte alignment. + +[ If we end up having other firmware with much bigger alignment + requirements, we might need to introduce some method for the firmware + to specify it, this is the minimal "just increase the alignment a bit + to account for this one special case" patch - Linus ] + +Signed-off-by: Jari Ruusu +Cc: Borislav Petkov +Cc: Fenghua Yu +Cc: Luis Chamberlain +Cc: stable@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + firmware/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/firmware/Makefile ++++ b/firmware/Makefile +@@ -19,7 +19,7 @@ quiet_cmd_fwbin = MK_FW $@ + PROGBITS=$(if $(CONFIG_ARM),%,@)progbits; \ + echo "/* Generated by firmware/Makefile */" > $@;\ + echo " .section .rodata" >>$@;\ +- echo " .p2align $${ASM_ALIGN}" >>$@;\ ++ echo " .p2align 4" >>$@;\ + echo "_fw_$${FWSTR}_bin:" >>$@;\ + echo " .incbin \"$(2)\"" >>$@;\ + echo "_fw_end:" >>$@;\
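Review bot: in the sound/soc/codecs/msm8916-wcd-analog.c hunk, the second changed entry, "MIC BIAS External2", also drops SND_SOC_DAPM_POST_PMD from its event flags, but the changelog only discusses MIC BIAS External1. If the same reasoning applies to the External2 handler, say so in the commit message; otherwise split that line out so the backport record explains both changes.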
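Review bot: the hunk header for sound/soc/codecs/msm8916-wcd-digital.c places the new SND_SOC_DAPM_POST_PMD case in a function whose name begins msm8916_wcd_digital_enable_dm, while the changelog says the reset is added to msm8916_wcd_digital_enable_interpolator(). Please confirm that the 4.14 backport applied to the interpolator event handler. If it landed in a different handler, the LPASS_CDC_CLK_RX_RESET_CTL writes keyed on w->shift would pulse a reset bit for the wrong widget and the stuck RX path described in the changelog would remain.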
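Review bot: the changelog of block-fix-an-integer-overflow-in-logical-block-size.patch announces an example ("run this on an architecture with 64k pages") but no commands follow it, so the mount failure described next cannot be reproduced from the message alone. Restore the reproducer steps in the commit message, and fix the "exmaple" typo at the same time.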
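Review bot: in the include/linux/blkdev.h hunk at -1436, queue_logical_block_size() now returns unsigned, but the context still declares int retval = 512 and returns it, so the block size passes through a signed int on the way out. Declare retval as unsigned int to match the new field type. Also spell the return type unsigned int rather than bare unsigned, consistent with bdev_logical_block_size() and the blk_queue_logical_block_size() prototype in the same file; the same applies to unsigned blksize in the drivers/md/raid0.c hunk.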
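Review bot: the changelog for the include/dt-bindings/reset/amlogic,meson8b-reset.h change lists NAND at bit 5 as "RESET_VD_RMEM + 4", which contradicts both the stated bit number and the hunk, where RESET_NAND becomes 69 (64 + 5). The message should read RESET_VD_RMEM + 5. The phrase "so they don't conflict with PIC_DC" is also worth rewording, since the old value 66 shared by all three defines collides with RESET_DBLK in the context line directly above them.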
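Review bot: the firmware/Makefile hunk replaces $${ASM_ALIGN} with a bare 4 on the .p2align line, leaving an unexplained magic number in the rule that generates the assembly stub. Add a short comment stating that 4 gives the 16-byte alignment the changelog cites for built-in Intel microcode, and drop the ASM_ALIGN assignment from the rule if nothing else references it after this change.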