From: Greg Kroah-Hartman Date: Thu, 1 Feb 2018 12:34:33 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.115~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1546440fc70088cfd3157a97822304521f735391;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: crypto-aesni-handle-zero-length-dst-buffer.patch crypto-af_alg-whitelist-mask-and-type.patch crypto-ecdh-fix-typo-in-kpp-dependency-of-crypto_ecdh.patch crypto-sha3-generic-fixes-for-alignment-and-big-endian-operation.patch gpio-ath79-add-missing-module_description-license.patch gpio-fix-kernel-stack-leak-to-userspace.patch gpio-iop-add-missing-module_description-author-license.patch gpio-stmpe-i2c-transfer-are-forbiden-in-atomic-context.patch hid-wacom-ekr-ensure-devres-groups-at-higher-indexes-are-released.patch igb-free-irqs-when-device-is-hotplugged.patch mtd-nand-denali_pci-add-missing-module_description-author-license.patch power-reset-zx-reboot-add-missing-module_description-author-license.patch tools-gpio-fix-build-error-with-musl-libc.patch --- diff --git a/queue-4.9/crypto-aesni-handle-zero-length-dst-buffer.patch b/queue-4.9/crypto-aesni-handle-zero-length-dst-buffer.patch new file mode 100644 index 00000000000..033b888659d --- /dev/null +++ b/queue-4.9/crypto-aesni-handle-zero-length-dst-buffer.patch @@ -0,0 +1,42 @@ +From 9c674e1e2f9e24fa4392167efe343749008338e0 Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Thu, 18 Jan 2018 20:41:09 +0100 +Subject: crypto: aesni - handle zero length dst buffer + +From: Stephan Mueller + +commit 9c674e1e2f9e24fa4392167efe343749008338e0 upstream. + +GCM can be invoked with a zero destination buffer. This is possible if +the AAD and the ciphertext have zero lengths and only the tag exists in +the source buffer (i.e. a source buffer cannot be zero). In this case, +the GCM cipher only performs the authentication and no decryption +operation. + +When the destination buffer has zero length, it is possible that no page +is mapped to the SG pointing to the destination. In this case, +sg_page(req->dst) is an invalid access. Therefore, page accesses should +only be allowed if the req->dst->length is non-zero which is the +indicator that a page must exist. + +This fixes a crash that can be triggered by user space via AF_ALG. + +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/aesni-intel_glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/crypto/aesni-intel_glue.c ++++ b/arch/x86/crypto/aesni-intel_glue.c +@@ -906,7 +906,7 @@ static int helper_rfc4106_encrypt(struct + + if (sg_is_last(req->src) && + req->src->offset + req->src->length <= PAGE_SIZE && +- sg_is_last(req->dst) && +++ sg_is_last(req->dst) && req->dst->length && + req->dst->offset + req->dst->length <= PAGE_SIZE) { + one_entry_in_sg = 1; + scatterwalk_start(&src_sg_walk, req->src); diff --git a/queue-4.9/crypto-af_alg-whitelist-mask-and-type.patch b/queue-4.9/crypto-af_alg-whitelist-mask-and-type.patch new file mode 100644 index 00000000000..8253175407b --- /dev/null +++ b/queue-4.9/crypto-af_alg-whitelist-mask-and-type.patch @@ -0,0 +1,58 @@ +From bb30b8848c85e18ca7e371d0a869e94b3e383bdf Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Tue, 2 Jan 2018 08:55:25 +0100 +Subject: crypto: af_alg - whitelist mask and type + +From: Stephan Mueller + +commit bb30b8848c85e18ca7e371d0a869e94b3e383bdf upstream. + +The user space interface allows specifying the type and mask field used +to allocate the cipher. Only a subset of the possible flags are intended +for user space. Therefore, white-list the allowed flags. + +In case the user space caller uses at least one non-allowed flag, EINVAL +is returned. + +Reported-by: syzbot +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/af_alg.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -149,7 +149,7 @@ EXPORT_SYMBOL_GPL(af_alg_release_parent) + + static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + { +- const u32 forbidden = CRYPTO_ALG_INTERNAL; ++ const u32 allowed = CRYPTO_ALG_KERN_DRIVER_ONLY; + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + struct sockaddr_alg *sa = (void *)uaddr; +@@ -157,6 +157,10 @@ static int alg_bind(struct socket *sock, + void *private; + int err; + ++ /* If caller uses non-allowed flag, return error. */ ++ if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) ++ return -EINVAL; ++ + if (sock->state == SS_CONNECTED) + return -EINVAL; + +@@ -175,9 +179,7 @@ static int alg_bind(struct socket *sock, + if (IS_ERR(type)) + return PTR_ERR(type); + +- private = type->bind(sa->salg_name, +- sa->salg_feat & ~forbidden, +- sa->salg_mask & ~forbidden); ++ private = type->bind(sa->salg_name, sa->salg_feat, sa->salg_mask); + if (IS_ERR(private)) { + module_put(type->owner); + return PTR_ERR(private); diff --git a/queue-4.9/crypto-ecdh-fix-typo-in-kpp-dependency-of-crypto_ecdh.patch b/queue-4.9/crypto-ecdh-fix-typo-in-kpp-dependency-of-crypto_ecdh.patch new file mode 100644 index 00000000000..a77d38b695c --- /dev/null +++ b/queue-4.9/crypto-ecdh-fix-typo-in-kpp-dependency-of-crypto_ecdh.patch @@ -0,0 +1,31 @@ +From b5b9007730ce1d90deaf25d7f678511550744bdc Mon Sep 17 00:00:00 2001 +From: Hauke Mehrtens +Date: Sun, 26 Nov 2017 00:16:46 +0100 +Subject: crypto: ecdh - fix typo in KPP dependency of CRYPTO_ECDH + +From: Hauke Mehrtens + +commit b5b9007730ce1d90deaf25d7f678511550744bdc upstream. + +This fixes a typo in the CRYPTO_KPP dependency of CRYPTO_ECDH. + +Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support") +Signed-off-by: Hauke Mehrtens +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/Kconfig ++++ b/crypto/Kconfig +@@ -120,7 +120,7 @@ config CRYPTO_DH + + config CRYPTO_ECDH + tristate "ECDH algorithm" +- select CRYTPO_KPP ++ select CRYPTO_KPP + help + Generic implementation of the ECDH algorithm + diff --git a/queue-4.9/crypto-sha3-generic-fixes-for-alignment-and-big-endian-operation.patch b/queue-4.9/crypto-sha3-generic-fixes-for-alignment-and-big-endian-operation.patch new file mode 100644 index 00000000000..f59d474fe0c --- /dev/null +++ b/queue-4.9/crypto-sha3-generic-fixes-for-alignment-and-big-endian-operation.patch @@ -0,0 +1,51 @@ +From c013cee99d5a18aec8c71fee8f5f41369cd12595 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 19 Jan 2018 12:04:33 +0000 +Subject: crypto: sha3-generic - fixes for alignment and big endian operation + +From: Ard Biesheuvel + +commit c013cee99d5a18aec8c71fee8f5f41369cd12595 upstream. + +Ensure that the input is byte swabbed before injecting it into the +SHA3 transform. Use the get_unaligned() accessor for this so that +we don't perform unaligned access inadvertently on architectures +that do not support that. + +Fixes: 53964b9ee63b7075 ("crypto: sha3 - Add SHA-3 hash algorithm") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/sha3_generic.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/crypto/sha3_generic.c ++++ b/crypto/sha3_generic.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + #define KECCAK_ROUNDS 24 + +@@ -149,7 +150,7 @@ static int sha3_update(struct shash_desc + unsigned int i; + + for (i = 0; i < sctx->rsizw; i++) +- sctx->st[i] ^= ((u64 *) src)[i]; ++ sctx->st[i] ^= get_unaligned_le64(src + 8 * i); + keccakf(sctx->st); + + done += sctx->rsiz; +@@ -174,7 +175,7 @@ static int sha3_final(struct shash_desc + sctx->buf[sctx->rsiz - 1] |= 0x80; + + for (i = 0; i < sctx->rsizw; i++) +- sctx->st[i] ^= ((u64 *) sctx->buf)[i]; ++ sctx->st[i] ^= get_unaligned_le64(sctx->buf + 8 * i); + + keccakf(sctx->st); + diff --git a/queue-4.9/gpio-ath79-add-missing-module_description-license.patch b/queue-4.9/gpio-ath79-add-missing-module_description-license.patch new file mode 100644 index 00000000000..e0c69cbe862 --- /dev/null +++ b/queue-4.9/gpio-ath79-add-missing-module_description-license.patch @@ -0,0 +1,37 @@ +From 539340f37e6d6ed4cd93e8e18c9b2e4eafd4b842 Mon Sep 17 00:00:00 2001 +From: Jesse Chan +Date: Mon, 20 Nov 2017 12:54:26 -0800 +Subject: gpio: ath79: add missing MODULE_DESCRIPTION/LICENSE + +From: Jesse Chan + +commit 539340f37e6d6ed4cd93e8e18c9b2e4eafd4b842 upstream. + +This change resolves a new compile-time warning +when built as a loadable module: + +WARNING: modpost: missing MODULE_LICENSE() in drivers/gpio/gpio-ath79.o +see include/linux/module.h for more information + +This adds the license as "GPL v2", which matches the header of the file. + +MODULE_DESCRIPTION is also added. + +Signed-off-by: Jesse Chan +Acked-by: Alban Bedel +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-ath79.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpio/gpio-ath79.c ++++ b/drivers/gpio/gpio-ath79.c +@@ -323,3 +323,6 @@ static struct platform_driver ath79_gpio + }; + + module_platform_driver(ath79_gpio_driver); ++ ++MODULE_DESCRIPTION("Atheros AR71XX/AR724X/AR913X GPIO API support"); ++MODULE_LICENSE("GPL v2"); diff --git a/queue-4.9/gpio-fix-kernel-stack-leak-to-userspace.patch b/queue-4.9/gpio-fix-kernel-stack-leak-to-userspace.patch new file mode 100644 index 00000000000..428e0a80794 --- /dev/null +++ b/queue-4.9/gpio-fix-kernel-stack-leak-to-userspace.patch @@ -0,0 +1,35 @@ +From 24bd3efc9d1efb5f756a7c6f807a36ddb6adc671 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Mon, 22 Jan 2018 13:19:28 +0100 +Subject: gpio: Fix kernel stack leak to userspace + +From: Linus Walleij + +commit 24bd3efc9d1efb5f756a7c6f807a36ddb6adc671 upstream. + +The GPIO event descriptor was leaking kernel stack to +userspace because we don't zero the variable before +use. Ooops. Fix this. + +Reported-by: Arnd Bergmann +Reviewed-by: Bartosz Golaszewski +Reviewed-by: Arnd Bergmann +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -705,6 +705,9 @@ static irqreturn_t lineevent_irq_thread( + struct gpioevent_data ge; + int ret, level; + ++ /* Do not leak kernel stack to userspace */ ++ memset(&ge, 0, sizeof(ge)); ++ + ge.timestamp = ktime_get_real_ns(); + level = gpiod_get_value_cansleep(le->desc); + diff --git a/queue-4.9/gpio-iop-add-missing-module_description-author-license.patch b/queue-4.9/gpio-iop-add-missing-module_description-author-license.patch new file mode 100644 index 00000000000..735c5bc598d --- /dev/null +++ b/queue-4.9/gpio-iop-add-missing-module_description-author-license.patch @@ -0,0 +1,37 @@ +From 97b03136e1b637d7a9d2274c099e44ecf23f1103 Mon Sep 17 00:00:00 2001 +From: Jesse Chan +Date: Mon, 20 Nov 2017 12:54:52 -0800 +Subject: gpio: iop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE + +From: Jesse Chan + +commit 97b03136e1b637d7a9d2274c099e44ecf23f1103 upstream. + +This change resolves a new compile-time warning +when built as a loadable module: + +WARNING: modpost: missing MODULE_LICENSE() in drivers/gpio/gpio-iop.o +see include/linux/module.h for more information + +This adds the license as "GPL", which matches the header of the file. + +MODULE_DESCRIPTION and MODULE_AUTHOR are also added. + +Signed-off-by: Jesse Chan +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-iop.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpio/gpio-iop.c ++++ b/drivers/gpio/gpio-iop.c +@@ -58,3 +58,7 @@ static int __init iop3xx_gpio_init(void) + return platform_driver_register(&iop3xx_gpio_driver); + } + arch_initcall(iop3xx_gpio_init); ++ ++MODULE_DESCRIPTION("GPIO handling for Intel IOP3xx processors"); ++MODULE_AUTHOR("Lennert Buytenhek "); ++MODULE_LICENSE("GPL"); diff --git a/queue-4.9/gpio-stmpe-i2c-transfer-are-forbiden-in-atomic-context.patch b/queue-4.9/gpio-stmpe-i2c-transfer-are-forbiden-in-atomic-context.patch new file mode 100644 index 00000000000..ec115f97bee --- /dev/null +++ b/queue-4.9/gpio-stmpe-i2c-transfer-are-forbiden-in-atomic-context.patch @@ -0,0 +1,100 @@ +From b888fb6f2a278442933e3bfab70262e9a5365fb3 Mon Sep 17 00:00:00 2001 +From: Patrice Chotard +Date: Fri, 12 Jan 2018 13:16:08 +0100 +Subject: gpio: stmpe: i2c transfer are forbiden in atomic context + +From: Patrice Chotard + +commit b888fb6f2a278442933e3bfab70262e9a5365fb3 upstream. + +Move the workaround from stmpe_gpio_irq_unmask() which is executed +in atomic context to stmpe_gpio_irq_sync_unlock() which is not. + +It fixes the following issue: + +[ 1.500000] BUG: scheduling while atomic: swapper/1/0x00000002 +[ 1.500000] CPU: 0 PID: 1 Comm: swapper Not tainted 4.15.0-rc2-00020-gbd4301f-dirty #28 +[ 1.520000] Hardware name: STM32 (Device Tree Support) +[ 1.520000] [<0000bfc9>] (unwind_backtrace) from [<0000b347>] (show_stack+0xb/0xc) +[ 1.530000] [<0000b347>] (show_stack) from [<0001fc49>] (__schedule_bug+0x39/0x58) +[ 1.530000] [<0001fc49>] (__schedule_bug) from [<00168211>] (__schedule+0x23/0x2b2) +[ 1.550000] [<00168211>] (__schedule) from [<001684f7>] (schedule+0x57/0x64) +[ 1.550000] [<001684f7>] (schedule) from [<0016a513>] (schedule_timeout+0x137/0x164) +[ 1.550000] [<0016a513>] (schedule_timeout) from [<00168b91>] (wait_for_common+0x8d/0xfc) +[ 1.570000] [<00168b91>] (wait_for_common) from [<00139753>] (stm32f4_i2c_xfer+0xe9/0xfe) +[ 1.580000] [<00139753>] (stm32f4_i2c_xfer) from [<00138545>] (__i2c_transfer+0x111/0x148) +[ 1.590000] [<00138545>] (__i2c_transfer) from [<001385cf>] (i2c_transfer+0x53/0x70) +[ 1.590000] [<001385cf>] (i2c_transfer) from [<001388a5>] (i2c_smbus_xfer+0x12f/0x36e) +[ 1.600000] [<001388a5>] (i2c_smbus_xfer) from [<00138b49>] (i2c_smbus_read_byte_data+0x1f/0x2a) +[ 1.610000] [<00138b49>] (i2c_smbus_read_byte_data) from [<00124fdd>] (__stmpe_reg_read+0xd/0x24) +[ 1.620000] [<00124fdd>] (__stmpe_reg_read) from [<001252b3>] (stmpe_reg_read+0x19/0x24) +[ 1.630000] [<001252b3>] (stmpe_reg_read) from [<0002c4d1>] (unmask_irq+0x17/0x22) +[ 1.640000] [<0002c4d1>] (unmask_irq) from [<0002c57f>] (irq_startup+0x6f/0x78) +[ 1.650000] [<0002c57f>] (irq_startup) from [<0002b7a1>] (__setup_irq+0x319/0x47c) +[ 1.650000] [<0002b7a1>] (__setup_irq) from [<0002bad3>] (request_threaded_irq+0x6b/0xe8) +[ 1.660000] [<0002bad3>] (request_threaded_irq) from [<0002d0b9>] (devm_request_threaded_irq+0x3b/0x6a) +[ 1.670000] [<0002d0b9>] (devm_request_threaded_irq) from [<001446e7>] (mmc_gpiod_request_cd_irq+0x49/0x8a) +[ 1.680000] [<001446e7>] (mmc_gpiod_request_cd_irq) from [<0013d45d>] (mmc_start_host+0x49/0x60) +[ 1.690000] [<0013d45d>] (mmc_start_host) from [<0013e40b>] (mmc_add_host+0x3b/0x54) +[ 1.700000] [<0013e40b>] (mmc_add_host) from [<00148119>] (mmci_probe+0x4d1/0x60c) +[ 1.710000] [<00148119>] (mmci_probe) from [<000f903b>] (amba_probe+0x7b/0xbe) +[ 1.720000] [<000f903b>] (amba_probe) from [<001170e5>] (driver_probe_device+0x169/0x1f8) +[ 1.730000] [<001170e5>] (driver_probe_device) from [<001171b7>] (__driver_attach+0x43/0x5c) +[ 1.740000] [<001171b7>] (__driver_attach) from [<0011618d>] (bus_for_each_dev+0x3d/0x46) +[ 1.740000] [<0011618d>] (bus_for_each_dev) from [<001165cd>] (bus_add_driver+0xcd/0x124) +[ 1.740000] [<001165cd>] (bus_add_driver) from [<00117713>] (driver_register+0x4d/0x7a) +[ 1.760000] [<00117713>] (driver_register) from [<001fc765>] (do_one_initcall+0xbd/0xe8) +[ 1.770000] [<001fc765>] (do_one_initcall) from [<001fc88b>] (kernel_init_freeable+0xfb/0x134) +[ 1.780000] [<001fc88b>] (kernel_init_freeable) from [<00167ee3>] (kernel_init+0x7/0x9c) +[ 1.790000] [<00167ee3>] (kernel_init) from [<00009b65>] (ret_from_fork+0x11/0x2c) + +Signed-off-by: Alexandre TORGUE +Signed-off-by: Patrice Chotard +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-stmpe.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/gpio/gpio-stmpe.c ++++ b/drivers/gpio/gpio-stmpe.c +@@ -190,6 +190,16 @@ static void stmpe_gpio_irq_sync_unlock(s + }; + int i, j; + ++ /* ++ * STMPE1600: to be able to get IRQ from pins, ++ * a read must be done on GPMR register, or a write in ++ * GPSR or GPCR registers ++ */ ++ if (stmpe->partnum == STMPE1600) { ++ stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_LSB]); ++ stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_CSB]); ++ } ++ + for (i = 0; i < CACHE_NR_REGS; i++) { + /* STMPE801 and STMPE1600 don't have RE and FE registers */ + if ((stmpe->partnum == STMPE801 || +@@ -227,21 +237,11 @@ static void stmpe_gpio_irq_unmask(struct + { + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + struct stmpe_gpio *stmpe_gpio = gpiochip_get_data(gc); +- struct stmpe *stmpe = stmpe_gpio->stmpe; + int offset = d->hwirq; + int regoffset = offset / 8; + int mask = BIT(offset % 8); + + stmpe_gpio->regs[REG_IE][regoffset] |= mask; +- +- /* +- * STMPE1600 workaround: to be able to get IRQ from pins, +- * a read must be done on GPMR register, or a write in +- * GPSR or GPCR registers +- */ +- if (stmpe->partnum == STMPE1600) +- stmpe_reg_read(stmpe, +- stmpe->regs[STMPE_IDX_GPMR_LSB + regoffset]); + } + + static void stmpe_dbg_show_one(struct seq_file *s, diff --git a/queue-4.9/hid-wacom-ekr-ensure-devres-groups-at-higher-indexes-are-released.patch b/queue-4.9/hid-wacom-ekr-ensure-devres-groups-at-higher-indexes-are-released.patch new file mode 100644 index 00000000000..a38c66f6b17 --- /dev/null +++ b/queue-4.9/hid-wacom-ekr-ensure-devres-groups-at-higher-indexes-are-released.patch @@ -0,0 +1,102 @@ +From 791ae273731fa85d3332e45064dab177ae663e80 Mon Sep 17 00:00:00 2001 +From: Aaron Armstrong Skomra +Date: Thu, 7 Dec 2017 12:31:56 -0800 +Subject: HID: wacom: EKR: ensure devres groups at higher indexes are released + +From: Aaron Armstrong Skomra + +commit 791ae273731fa85d3332e45064dab177ae663e80 upstream. + +Background: ExpressKey Remotes communicate their events via usb dongle. +Each dongle can hold up to 5 pairings at one time and one EKR (identified +by its serial number) can unfortunately be paired with its dongle +more than once. The pairing takes place in a round-robin fashion. + +Input devices are only created once per EKR, when a new serial number +is seen in the list of pairings. However, if a device is created for +a "higher" paring index and subsequently a second pairing occurs at a +lower pairing index, unpairing the remote with that serial number from +any pairing index will currently cause a driver crash. This occurs +infrequently, as two remotes are necessary to trigger this bug and most +users have only one remote. + +As an illustration, to trigger the bug you need to have two remotes, +and pair them in this order: + +1. slot 0 -> remote 1 (input device created for remote 1) +2. slot 1 -> remote 1 (duplicate pairing - no device created) +3. slot 2 -> remote 1 (duplicate pairing - no device created) +4. slot 3 -> remote 1 (duplicate pairing - no device created) +5. slot 4 -> remote 2 (input device created for remote 2) + +6. slot 0 -> remote 2 (1 destroyed and recreated at slot 1) +7. slot 1 -> remote 2 (1 destroyed and recreated at slot 2) +8. slot 2 -> remote 2 (1 destroyed and recreated at slot 3) +9. slot 3 -> remote 2 (1 destroyed and not recreated) +10. slot 4 -> remote 2 (2 was already in this slot so no changes) + +11. slot 0 -> remote 1 (The current code sees remote 2 was paired over in + one of the dongle slots it occupied and attempts + to remove all information about remote 2 [1]. It + calls wacom_remote_destroy_one for remote 2, but + the destroy function assumes the lowest index is + where the remote's input device was created. The + code "cleans up" the other remote 2 pairings + including the one which the input device was based + on, assuming they were were just duplicate + pairings. However, the cleanup doesn't call the + devres release function for the input device that + was created in slot 4). + +This issue is fixed by this commit. + +[1] Remote 2 should subsequently be re-created on the next packet from the +EKR at the lowest numbered slot that it occupies (here slot 1). + +Fixes: f9036bd43602 ("HID: wacom: EKR: use devres groups to manage resources") +Signed-off-by: Aaron Armstrong Skomra +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_sys.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -2192,23 +2192,23 @@ static void wacom_remote_destroy_one(str + int i; + unsigned long flags; + +- spin_lock_irqsave(&remote->remote_lock, flags); +- remote->remotes[index].registered = false; +- spin_unlock_irqrestore(&remote->remote_lock, flags); ++ for (i = 0; i < WACOM_MAX_REMOTES; i++) { ++ if (remote->remotes[i].serial == serial) { + +- if (remote->remotes[index].battery.battery) +- devres_release_group(&wacom->hdev->dev, +- &remote->remotes[index].battery.bat_desc); ++ spin_lock_irqsave(&remote->remote_lock, flags); ++ remote->remotes[i].registered = false; ++ spin_unlock_irqrestore(&remote->remote_lock, flags); + +- if (remote->remotes[index].group.name) +- devres_release_group(&wacom->hdev->dev, +- &remote->remotes[index]); ++ if (remote->remotes[i].battery.battery) ++ devres_release_group(&wacom->hdev->dev, ++ &remote->remotes[i].battery.bat_desc); ++ ++ if (remote->remotes[i].group.name) ++ devres_release_group(&wacom->hdev->dev, ++ &remote->remotes[i]); + +- for (i = 0; i < WACOM_MAX_REMOTES; i++) { +- if (remote->remotes[i].serial == serial) { + remote->remotes[i].serial = 0; + remote->remotes[i].group.name = NULL; +- remote->remotes[i].registered = false; + remote->remotes[i].battery.battery = NULL; + wacom->led.groups[i].select = WACOM_STATUS_UNKNOWN; + } diff --git a/queue-4.9/igb-free-irqs-when-device-is-hotplugged.patch b/queue-4.9/igb-free-irqs-when-device-is-hotplugged.patch new file mode 100644 index 00000000000..63cdbf9c8ce --- /dev/null +++ b/queue-4.9/igb-free-irqs-when-device-is-hotplugged.patch @@ -0,0 +1,90 @@ +From 888f22931478a05bc81ceb7295c626e1292bf0ed Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Tue, 12 Dec 2017 14:31:30 -0500 +Subject: igb: Free IRQs when device is hotplugged + +From: Lyude Paul + +commit 888f22931478a05bc81ceb7295c626e1292bf0ed upstream. + +Recently I got a Caldigit TS3 Thunderbolt 3 dock, and noticed that upon +hotplugging my kernel would immediately crash due to igb: + +[ 680.825801] kernel BUG at drivers/pci/msi.c:352! +[ 680.828388] invalid opcode: 0000 [#1] SMP +[ 680.829194] Modules linked in: igb(O) thunderbolt i2c_algo_bit joydev vfat fat btusb btrtl btbcm btintel bluetooth ecdh_generic hp_wmi sparse_keymap rfkill wmi_bmof iTCO_wdt intel_rapl x86_pkg_temp_thermal coretemp crc32_pclmul snd_pcm rtsx_pci_ms mei_me snd_timer memstick snd pcspkr mei soundcore i2c_i801 tpm_tis psmouse shpchp wmi tpm_tis_core tpm video hp_wireless acpi_pad rtsx_pci_sdmmc mmc_core crc32c_intel serio_raw rtsx_pci mfd_core xhci_pci xhci_hcd i2c_hid i2c_core [last unloaded: igb] +[ 680.831085] CPU: 1 PID: 78 Comm: kworker/u16:1 Tainted: G O 4.15.0-rc3Lyude-Test+ #6 +[ 680.831596] Hardware name: HP HP ZBook Studio G4/826B, BIOS P71 Ver. 01.03 06/09/2017 +[ 680.832168] Workqueue: kacpi_hotplug acpi_hotplug_work_fn +[ 680.832687] RIP: 0010:free_msi_irqs+0x180/0x1b0 +[ 680.833271] RSP: 0018:ffffc9000030fbf0 EFLAGS: 00010286 +[ 680.833761] RAX: ffff8803405f9c00 RBX: ffff88033e3d2e40 RCX: 000000000000002c +[ 680.834278] RDX: 0000000000000000 RSI: 00000000000000ac RDI: ffff880340be2178 +[ 680.834832] RBP: 0000000000000000 R08: ffff880340be1ff0 R09: ffff8803405f9c00 +[ 680.835342] R10: 0000000000000000 R11: 0000000000000040 R12: ffff88033d63a298 +[ 680.835822] R13: ffff88033d63a000 R14: 0000000000000060 R15: ffff880341959000 +[ 680.836332] FS: 0000000000000000(0000) GS:ffff88034f440000(0000) knlGS:0000000000000000 +[ 680.836817] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 680.837360] CR2: 000055e64044afdf CR3: 0000000001c09002 CR4: 00000000003606e0 +[ 680.837954] Call Trace: +[ 680.838853] pci_disable_msix+0xce/0xf0 +[ 680.839616] igb_reset_interrupt_capability+0x5d/0x60 [igb] +[ 680.840278] igb_remove+0x9d/0x110 [igb] +[ 680.840764] pci_device_remove+0x36/0xb0 +[ 680.841279] device_release_driver_internal+0x157/0x220 +[ 680.841739] pci_stop_bus_device+0x7d/0xa0 +[ 680.842255] pci_stop_bus_device+0x2b/0xa0 +[ 680.842722] pci_stop_bus_device+0x3d/0xa0 +[ 680.843189] pci_stop_and_remove_bus_device+0xe/0x20 +[ 680.843627] trim_stale_devices+0xf3/0x140 +[ 680.844086] trim_stale_devices+0x94/0x140 +[ 680.844532] trim_stale_devices+0xa6/0x140 +[ 680.845031] ? get_slot_status+0x90/0xc0 +[ 680.845536] acpiphp_check_bridge.part.5+0xfe/0x140 +[ 680.846021] acpiphp_hotplug_notify+0x175/0x200 +[ 680.846581] ? free_bridge+0x100/0x100 +[ 680.847113] acpi_device_hotplug+0x8a/0x490 +[ 680.847535] acpi_hotplug_work_fn+0x1a/0x30 +[ 680.848076] process_one_work+0x182/0x3a0 +[ 680.848543] worker_thread+0x2e/0x380 +[ 680.848963] ? process_one_work+0x3a0/0x3a0 +[ 680.849373] kthread+0x111/0x130 +[ 680.849776] ? kthread_create_worker_on_cpu+0x50/0x50 +[ 680.850188] ret_from_fork+0x1f/0x30 +[ 680.850601] Code: 43 14 85 c0 0f 84 d5 fe ff ff 31 ed eb 0f 83 c5 01 39 6b 14 0f 86 c5 fe ff ff 8b 7b 10 01 ef e8 b7 e4 d2 ff 48 83 78 70 00 74 e3 <0f> 0b 49 8d b5 a0 00 00 00 e8 62 6f d3 ff e9 c7 fe ff ff 48 8b +[ 680.851497] RIP: free_msi_irqs+0x180/0x1b0 RSP: ffffc9000030fbf0 + +As it turns out, normally the freeing of IRQs that would fix this is called +inside of the scope of __igb_close(). However, since the device is +already gone by the point we try to unregister the netdevice from the +driver due to a hotplug we end up seeing that the netif isn't present +and thus, forget to free any of the device IRQs. + +So: make sure that if we're in the process of dismantling the netdev, we +always allow __igb_close() to be called so that IRQs may be freed +normally. Additionally, only allow igb_close() to be called from +__igb_close() if it hasn't already been called for the given adapter. + +Signed-off-by: Lyude Paul +Fixes: 9474933caf21 ("igb: close/suspend race in netif_device_detach") +Cc: Todd Fujinaka +Cc: Stephen Hemminger +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3273,7 +3273,7 @@ static int __igb_close(struct net_device + + int igb_close(struct net_device *netdev) + { +- if (netif_device_present(netdev)) ++ if (netif_device_present(netdev) || netdev->dismantle) + return __igb_close(netdev, false); + return 0; + } diff --git a/queue-4.9/mtd-nand-denali_pci-add-missing-module_description-author-license.patch b/queue-4.9/mtd-nand-denali_pci-add-missing-module_description-author-license.patch new file mode 100644 index 00000000000..e3789dc3449 --- /dev/null +++ b/queue-4.9/mtd-nand-denali_pci-add-missing-module_description-author-license.patch @@ -0,0 +1,38 @@ +From d822401d1c6898a4a4ee03977b78b8cec402e88a Mon Sep 17 00:00:00 2001 +From: Jesse Chan +Date: Mon, 20 Nov 2017 12:57:13 -0800 +Subject: mtd: nand: denali_pci: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE + +From: Jesse Chan + +commit d822401d1c6898a4a4ee03977b78b8cec402e88a upstream. + +This change resolves a new compile-time warning +when built as a loadable module: + +WARNING: modpost: missing MODULE_LICENSE() in drivers/mtd/nand/denali_pci.o +see include/linux/module.h for more information + +This adds the license as "GPL v2", which matches the header of the file. + +MODULE_DESCRIPTION and MODULE_AUTHOR are also added. + +Signed-off-by: Jesse Chan +Acked-by: Masahiro Yamada +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/denali_pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/mtd/nand/denali_pci.c ++++ b/drivers/mtd/nand/denali_pci.c +@@ -119,3 +119,7 @@ static struct pci_driver denali_pci_driv + }; + + module_pci_driver(denali_pci_driver); ++ ++MODULE_DESCRIPTION("PCI driver for Denali NAND controller"); ++MODULE_AUTHOR("Intel Corporation and its suppliers"); ++MODULE_LICENSE("GPL v2"); diff --git a/queue-4.9/power-reset-zx-reboot-add-missing-module_description-author-license.patch b/queue-4.9/power-reset-zx-reboot-add-missing-module_description-author-license.patch new file mode 100644 index 00000000000..8bf11cdf5a0 --- /dev/null +++ b/queue-4.9/power-reset-zx-reboot-add-missing-module_description-author-license.patch @@ -0,0 +1,37 @@ +From 348c7cf5fcbcb68838255759d4cb45d039af36d2 Mon Sep 17 00:00:00 2001 +From: Jesse Chan +Date: Mon, 20 Nov 2017 12:58:27 -0800 +Subject: power: reset: zx-reboot: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE + +From: Jesse Chan + +commit 348c7cf5fcbcb68838255759d4cb45d039af36d2 upstream. + +This change resolves a new compile-time warning +when built as a loadable module: + +WARNING: modpost: missing MODULE_LICENSE() in drivers/power/reset/zx-reboot.o +see include/linux/module.h for more information + +This adds the license as "GPL v2", which matches the header of the file. + +MODULE_DESCRIPTION and MODULE_AUTHOR are also added. + +Signed-off-by: Jesse Chan +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/reset/zx-reboot.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/power/reset/zx-reboot.c ++++ b/drivers/power/reset/zx-reboot.c +@@ -81,3 +81,7 @@ static struct platform_driver zx_reboot_ + }, + }; + module_platform_driver(zx_reboot_driver); ++ ++MODULE_DESCRIPTION("ZTE SoCs reset driver"); ++MODULE_AUTHOR("Jun Nie "); ++MODULE_LICENSE("GPL v2"); diff --git a/queue-4.9/series b/queue-4.9/series index 6d2a2b6c54a..27850a1c084 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -1,3 +1,16 @@ loop-fix-concurrent-lo_open-lo_release.patch net-mlx5-define-interface-bits-for-fencing-umr-wqe.patch rdma-mlx5-set-umr-wqe-fence-according-to-hca-cap.patch +tools-gpio-fix-build-error-with-musl-libc.patch +gpio-stmpe-i2c-transfer-are-forbiden-in-atomic-context.patch +gpio-fix-kernel-stack-leak-to-userspace.patch +crypto-ecdh-fix-typo-in-kpp-dependency-of-crypto_ecdh.patch +crypto-aesni-handle-zero-length-dst-buffer.patch +crypto-sha3-generic-fixes-for-alignment-and-big-endian-operation.patch +crypto-af_alg-whitelist-mask-and-type.patch +hid-wacom-ekr-ensure-devres-groups-at-higher-indexes-are-released.patch +power-reset-zx-reboot-add-missing-module_description-author-license.patch +gpio-iop-add-missing-module_description-author-license.patch +gpio-ath79-add-missing-module_description-license.patch +mtd-nand-denali_pci-add-missing-module_description-author-license.patch +igb-free-irqs-when-device-is-hotplugged.patch diff --git a/queue-4.9/tools-gpio-fix-build-error-with-musl-libc.patch b/queue-4.9/tools-gpio-fix-build-error-with-musl-libc.patch new file mode 100644 index 00000000000..543ae7b01eb --- /dev/null +++ b/queue-4.9/tools-gpio-fix-build-error-with-musl-libc.patch @@ -0,0 +1,45 @@ +From 1696784eb7b52b13b62d160c028ef2c2c981d4f2 Mon Sep 17 00:00:00 2001 +From: Joel Stanley +Date: Thu, 21 Dec 2017 11:11:31 +1030 +Subject: tools/gpio: Fix build error with musl libc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Joel Stanley + +commit 1696784eb7b52b13b62d160c028ef2c2c981d4f2 upstream. + +The GPIO tools build fails when using a buildroot toolchain that uses musl +as it's C library: + +arm-broomstick-linux-musleabi-gcc -Wp,-MD,./.gpio-event-mon.o.d \ + -Wp,-MT,gpio-event-mon.o -O2 -Wall -g -D_GNU_SOURCE \ + -Iinclude -D"BUILD_STR(s)=#s" -c -o gpio-event-mon.o gpio-event-mon.c +gpio-event-mon.c:30:6: error: unknown type name ‘u_int32_t’; did you mean ‘uint32_t’? + u_int32_t handleflags, + ^~~~~~~~~ + uint32_t + +The glibc headers installed on my laptop include sys/types.h in +unistd.h, but it appears that musl does not. + +Fixes: 97f69747d8b1 ("tools/gpio: add the gpio-event-mon tool") +Signed-off-by: Joel Stanley +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + tools/gpio/gpio-event-mon.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/gpio/gpio-event-mon.c ++++ b/tools/gpio/gpio-event-mon.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + + int monitor_device(const char *device_name,