From: Greg Kroah-Hartman Date: Sun, 1 Apr 2018 08:54:35 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.103~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2381c1ce4ca01efd48bb65a94c3065c4073a5990;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: alsa-pcm-potential-uninitialized-return-values.patch alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch --- diff --git a/queue-3.18/alsa-pcm-potential-uninitialized-return-values.patch b/queue-3.18/alsa-pcm-potential-uninitialized-return-values.patch new file mode 100644 index 00000000000..ef5bc4c552b --- /dev/null +++ b/queue-3.18/alsa-pcm-potential-uninitialized-return-values.patch 
@@ -0,0 +1,42 @@ +From 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 27 Mar 2018 16:07:52 +0300 +Subject: ALSA: pcm: potential uninitialized return values + +From: Dan Carpenter + +commit 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 upstream. + +Smatch complains that "tmp" can be uninitialized if we do a zero size +write. + +Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write") +Signed-off-by: Dan Carpenter +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/oss/pcm_oss.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -1362,7 +1362,7 @@ static ssize_t snd_pcm_oss_write2(struct + static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const char __user *buf, size_t bytes) + { + size_t xfer = 0; +- ssize_t tmp; ++ ssize_t tmp = 0; + struct snd_pcm_runtime *runtime = substream->runtime; + + if (atomic_read(&substream->mmap_count)) +@@ -1469,7 +1469,7 @@ static ssize_t snd_pcm_oss_read2(struct + static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __user *buf, size_t bytes) + { + size_t xfer = 0; +- ssize_t tmp; ++ ssize_t tmp = 0; + struct snd_pcm_runtime *runtime = substream->runtime; + + if (atomic_read(&substream->mmap_count)) diff --git a/queue-3.18/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch b/queue-3.18/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch new file mode 100644 index 00000000000..a2c667f7927 --- /dev/null +++ b/queue-3.18/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch 
@@ -0,0 +1,40 @@ +From 9066ae7ff5d89c0b5daa271e2d573540097a94fa Mon Sep 17 00:00:00 2001 +From: Stefan Roese +Date: Mon, 26 Mar 2018 16:10:21 +0200 +Subject: ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() + +From: Stefan Roese + +commit 9066ae7ff5d89c0b5daa271e2d573540097a94fa upstream. + +When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer +will get mmapp'ed in 16KiB chunks. But this fails with the 2nd 16KiB +area, as the page offset is outside of the VMA range (size), which is +currently used as size parameter in snd_pcm_lib_default_mmap(). By +using the DMA buffer size (dma_bytes) instead, the complete DMA buffer +can be mmapp'ed and the issue is fixed. + +This issue was detected on an ARM platform (TI AM57xx) using the RME +HDSP MADI PCIe soundcard. + +Fixes: 657b1989dacf ("ALSA: pcm - Use dma_mmap_coherent() if available") +Signed-off-by: Stefan Roese +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm_native.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -3394,7 +3394,7 @@ int snd_pcm_lib_default_mmap(struct snd_ + area, + substream->runtime->dma_area, + substream->runtime->dma_addr, +- area->vm_end - area->vm_start); ++ substream->runtime->dma_bytes); + #elif defined(CONFIG_MIPS) && defined(CONFIG_DMA_NONCOHERENT) + if (substream->dma_buffer.dev.type == SNDRV_DMA_TYPE_DEV && + !plat_device_is_coherent(substream->dma_buffer.dev.dev)) diff --git a/queue-3.18/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch b/queue-3.18/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch new file mode 100644 index 00000000000..1a7e906d5c6 --- /dev/null +++ b/queue-3.18/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch 
@@ -0,0 +1,56 @@ +From 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Sat, 3 Mar 2018 23:29:03 +0100 +Subject: mtd: jedec_probe: Fix crash in jedec_read_mfr() + +From: Linus Walleij + +commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream. + +It turns out that the loop where we read manufacturer +jedec_read_mfd() can under some circumstances get a +CFI_MFR_CONTINUATION repeatedly, making the loop go +over all banks and eventually hit the end of the +map and crash because of an access violation: + +Unable to handle kernel paging request at virtual address c4980000 +pgd = (ptrval) +[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000 +Internal error: Oops: 7 [#1] PREEMPT ARM +CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150 +Hardware name: Gemini (Device Tree) +PC is at jedec_probe_chip+0x6ec/0xcd0 +LR is at 0x4 +pc : [] lr : [<00000004>] psr: 60000013 +sp : c382dd18 ip : 0000ffff fp : 00000000 +r10: c0626388 r9 : 00020000 r8 : c0626340 +r7 : 00000000 r6 : 00000001 r5 : c3a71afc r4 : c382dd70 +r3 : 00000001 r2 : c4900000 r1 : 00000002 r0 : 00080000 +Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 0000397f Table: 00004000 DAC: 00000053 +Process swapper (pid: 1, stack limit = 0x(ptrval)) + +Fix this by breaking the loop with a return 0 if +the offset exceeds the map size. 
+ +Fixes: 5c9c11e1c47c ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0") +Cc: +Signed-off-by: Linus Walleij +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/jedec_probe.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/chips/jedec_probe.c ++++ b/drivers/mtd/chips/jedec_probe.c +@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct + do { + uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi); + mask = (1 << (cfi->device_type * 8)) - 1; ++ if (ofs >= map->size) ++ return 0; + result = map_read(map, base + ofs); + bank++; + } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION); diff --git a/queue-3.18/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch b/queue-3.18/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch new file mode 100644 index 00000000000..627fa6cfd29 --- /dev/null +++ b/queue-3.18/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch 
@@ -0,0 +1,87 @@ +From f67b15037a7a50c57f72e69a6d59941ad90a0f0f Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 26 Mar 2018 15:39:07 -1000 +Subject: perf/hwbp: Simplify the perf-hwbp code, fix documentation + +From: Linus Torvalds + +commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f upstream. + +Annoyingly, modify_user_hw_breakpoint() unnecessarily complicates the +modification of a breakpoint - simplify it and remove the pointless +local variables. + +Also update the stale Docbook while at it. + +Signed-off-by: Linus Torvalds +Acked-by: Thomas Gleixner +Cc: +Cc: Alexander Shishkin +Cc: Andy Lutomirski +Cc: Arnaldo Carvalho de Melo +Cc: Frederic Weisbecker +Cc: Jiri Olsa +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Vince Weaver +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/hw_breakpoint.c | 30 +++++++----------------------- + 1 file changed, 7 insertions(+), 23 deletions(-) + +--- a/kernel/events/hw_breakpoint.c ++++ b/kernel/events/hw_breakpoint.c +@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_break + * modify_user_hw_breakpoint - modify a user-space hardware breakpoint + * @bp: the breakpoint structure to modify + * @attr: new breakpoint attributes +- * @triggered: callback to trigger when we hit the breakpoint +- * @tsk: pointer to 'task_struct' of the process to which the address belongs + */ + int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *attr) + { +- u64 old_addr = bp->attr.bp_addr; +- u64 old_len = bp->attr.bp_len; +- int old_type = bp->attr.bp_type; +- int err = 0; +- + /* + * modify_user_hw_breakpoint can be invoked with IRQs disabled and hence it + * will not be possible to raise IPIs that invoke __perf_event_disable. 
+@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct per + bp->attr.bp_addr = attr->bp_addr; + bp->attr.bp_type = attr->bp_type; + bp->attr.bp_len = attr->bp_len; ++ bp->attr.disabled = 1; + +- if (attr->disabled) +- goto end; +- +- err = validate_hw_breakpoint(bp); +- if (!err) +- perf_event_enable(bp); ++ if (!attr->disabled) { ++ int err = validate_hw_breakpoint(bp); + +- if (err) { +- bp->attr.bp_addr = old_addr; +- bp->attr.bp_type = old_type; +- bp->attr.bp_len = old_len; +- if (!bp->attr.disabled) +- perf_event_enable(bp); ++ if (err) ++ return err; + +- return err; ++ perf_event_enable(bp); ++ bp->attr.disabled = 0; + } + +-end: +- bp->attr.disabled = attr->disabled; +- + return 0; + } + EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint); diff --git a/queue-3.18/series b/queue-3.18/series index be12f825682..c7fdd0ad842 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -34,3 +34,7 @@ s390-qeth-when-thread-completes-wake-up-all-waiters.patch s390-qeth-lock-read-device-while-queueing-next-buffer.patch s390-qeth-on-channel-error-reject-further-cmd-requests.patch net-fec-fix-unbalanced-pm-runtime-calls.patch +mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch +alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch +alsa-pcm-potential-uninitialized-return-values.patch +perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..a9b1c892b95 --- /dev/null +++ b/queue-4.14/series 
@@ -0,0 +1,16 @@ +arm-omap-fix-sram-w-x-mapping.patch +arm-8746-1-vfp-go-back-to-clearing-vfp_current_hw_state.patch +arm-dts-sun6i-a31s-bpi-m2-improve-pmic-properties.patch +arm-dts-sun6i-a31s-bpi-m2-add-missing-regulators.patch +mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch +mtd-nand-atmel-fix-get_sectorsize-function.patch +alsa-usb-audio-add-native-dsd-support-for-teac-ud-301.patch +alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch +alsa-pcm-potential-uninitialized-return-values.patch +x86-platform-uv-bau-add-apic-idt-entry.patch +perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch +ceph-only-dirty-iter_iovec-pages-for-direct-read.patch +ipc-shm.c-add-split-function-to-shm_vm_ops.patch +i2c-i2c-stm32f7-fix-no-check-on-returned-setup.patch +powerpc-64s-fix-lost-pending-interrupt-due-to-race-causing-lost-update-to-irq_happened.patch +powerpc-64s-fix-i-side-slb-miss-bad-address-handler-saving-nonvolatile-gprs.patch diff --git a/queue-4.15/series b/queue-4.15/series new file mode 100644 index 00000000000..219cdddde68 --- /dev/null +++ b/queue-4.15/series 
@@ -0,0 +1,18 @@ +arm-omap-fix-sram-w-x-mapping.patch +arm-8746-1-vfp-go-back-to-clearing-vfp_current_hw_state.patch +arm-dts-sun6i-a31s-bpi-m2-improve-pmic-properties.patch +arm-dts-sun6i-a31s-bpi-m2-add-missing-regulators.patch +mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch +mtd-nand-atmel-fix-get_sectorsize-function.patch +alsa-usb-audio-add-native-dsd-support-for-teac-ud-301.patch +alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch +alsa-pcm-potential-uninitialized-return-values.patch +x86-platform-uv-bau-add-apic-idt-entry.patch +perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch +ceph-only-dirty-iter_iovec-pages-for-direct-read.patch +ipc-shm.c-add-split-function-to-shm_vm_ops.patch +i2c-i2c-stm32f7-fix-no-check-on-returned-setup.patch +powerpc-mm-add-tracking-of-the-number-of-coprocessors-using-a-context.patch +powerpc-mm-workaround-nest-mmu-bug-with-tlb-invalidations.patch +powerpc-64s-fix-lost-pending-interrupt-due-to-race-causing-lost-update-to-irq_happened.patch +powerpc-64s-fix-i-side-slb-miss-bad-address-handler-saving-nonvolatile-gprs.patch diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..2df82f5ffb0 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,4 @@ +mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch +alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch +alsa-pcm-potential-uninitialized-return-values.patch +perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..276ca27a31c --- /dev/null +++ b/queue-4.9/series 
@@ -0,0 +1,10 @@ +arm-8746-1-vfp-go-back-to-clearing-vfp_current_hw_state.patch +mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch +alsa-usb-audio-add-native-dsd-support-for-teac-ud-301.patch +alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch +alsa-pcm-potential-uninitialized-return-values.patch +perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch +ceph-only-dirty-iter_iovec-pages-for-direct-read.patch +ipc-shm.c-add-split-function-to-shm_vm_ops.patch +powerpc-64s-fix-lost-pending-interrupt-due-to-race-causing-lost-update-to-irq_happened.patch +powerpc-64s-fix-i-side-slb-miss-bad-address-handler-saving-nonvolatile-gprs.patch
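Review bot: In alsa-pcm-potential-uninitialized-return-values.patch, the changelog explains only the zero size write case, while the second hunk makes the same `ssize_t tmp = 0;` change in snd_pcm_oss_read1(). Please mention the read path in the changelog as well, and state what a zero-size call returns after the change. The subject says tmp ends up as a return value, so a reader of the stable queue should be able to tell from the message alone that the result is now 0 rather than leftover stack contents.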
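Review bot: In the snd_pcm_lib_default_mmap() hunk of sound/core/pcm_native.c, the size handed to dma_mmap_coherent() no longer comes from the VMA (`area->vm_end - area->vm_start`) but from `substream->runtime->dma_bytes`, and nothing in the visible lines checks that the requested VMA length and page offset fit inside dma_bytes. Please confirm where that bound is enforced (in the caller or inside dma_mmap_coherent()) and add a short comment at the call saying that the argument is the size of the DMA buffer, not of the mapping, so that it is not changed back later.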
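Review bot: In the jedec_read_mfr() hunk of drivers/mtd/chips/jedec_probe.c, the new check tests `ofs >= map->size`, but the access that follows is `map_read(map, base + ofs)`, so with a non-zero base the read can still land past the end of the map. Consider checking `base + ofs` against the map size, or say in the changelog why base cannot push the access out of range here. The `return 0` also deserves a word: state whether callers treat 0 as "no manufacturer found" so that it cannot be mistaken for a valid ID.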
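Review bot: In the second hunk of kernel/events/hw_breakpoint.c, the error path of modify_user_hw_breakpoint() changes behaviour, which the changelog presents only as a simplification. When validate_hw_breakpoint() fails, the function now returns with bp->attr.bp_addr, bp_type and bp_len already overwritten by the new values and with `bp->attr.disabled = 1`, where the removed lines restored old_addr, old_type and old_len and re-enabled the event if it had been enabled. Please state this in the changelog and in the kerneldoc above the function, which after the first hunk lists only @bp and @attr and says nothing about the state of the event on failure, and check that callers cope with a breakpoint left disabled after a failed modify.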