From: Greg Kroah-Hartman Date: Sun, 24 Mar 2019 19:36:50 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.9.166~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=33ed0cfa90b2679ae14c0766b424233f953bf874;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: drm-vmwgfx-don-t-double-free-the-mode-stored-in-par-set_mode.patch mips-fix-kernel-crash-for-r6-in-jump-label-branch-function.patch mips-loongson64-lemote-2f-add-irqf_no_suspend-to-cascade-irqaction.patch mmc-pxamci-fix-enum-type-confusion.patch udf-fix-crash-on-io-error-during-truncate.patch --- diff --git a/queue-4.4/drm-vmwgfx-don-t-double-free-the-mode-stored-in-par-set_mode.patch b/queue-4.4/drm-vmwgfx-don-t-double-free-the-mode-stored-in-par-set_mode.patch new file mode 100644 index 00000000000..868dbcf3d7c --- /dev/null +++ b/queue-4.4/drm-vmwgfx-don-t-double-free-the-mode-stored-in-par-set_mode.patch @@ -0,0 +1,64 @@ +From c2d311553855395764e2e5bf401d987ba65c2056 Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Mon, 18 Mar 2019 15:47:58 +0100 +Subject: drm/vmwgfx: Don't double-free the mode stored in par->set_mode + +From: Thomas Zimmermann + +commit c2d311553855395764e2e5bf401d987ba65c2056 upstream. + +When calling vmw_fb_set_par(), the mode stored in par->set_mode gets free'd +twice. The first free is in vmw_fb_kms_detach(), the second is near the +end of vmw_fb_set_par() under the name of 'old_mode'. The mode-setting code +only works correctly if the mode doesn't actually change. Removing +'old_mode' in favor of using par->set_mode directly fixes the problem. + +Cc: +Fixes: a278724aa23c ("drm/vmwgfx: Implement fbdev on kms v2") +Signed-off-by: Thomas Zimmermann +Reviewed-by: Deepak Rawat +Signed-off-by: Thomas Hellstrom +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c +@@ -531,11 +531,9 @@ static int vmw_fb_set_par(struct fb_info + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_PVSYNC) + }; +- struct drm_display_mode *old_mode; + struct drm_display_mode *mode; + int ret; + +- old_mode = par->set_mode; + mode = drm_mode_duplicate(vmw_priv->dev, &new_mode); + if (!mode) { + DRM_ERROR("Could not create new fb mode.\n"); +@@ -546,11 +544,7 @@ static int vmw_fb_set_par(struct fb_info + mode->vdisplay = var->yres; + vmw_guess_mode_timing(mode); + +- if (old_mode && drm_mode_equal(old_mode, mode)) { +- drm_mode_destroy(vmw_priv->dev, mode); +- mode = old_mode; +- old_mode = NULL; +- } else if (!vmw_kms_validate_mode_vram(vmw_priv, ++ if (!vmw_kms_validate_mode_vram(vmw_priv, + mode->hdisplay * + DIV_ROUND_UP(var->bits_per_pixel, 8), + mode->vdisplay)) { +@@ -613,8 +607,8 @@ static int vmw_fb_set_par(struct fb_info + schedule_delayed_work(&par->local_work, 0); + + out_unlock: +- if (old_mode) +- drm_mode_destroy(vmw_priv->dev, old_mode); ++ if (par->set_mode) ++ drm_mode_destroy(vmw_priv->dev, par->set_mode); + par->set_mode = mode; + + drm_modeset_unlock_all(vmw_priv->dev); diff --git a/queue-4.4/mips-fix-kernel-crash-for-r6-in-jump-label-branch-function.patch b/queue-4.4/mips-fix-kernel-crash-for-r6-in-jump-label-branch-function.patch new file mode 100644 index 00000000000..b87e0f31291 --- /dev/null +++ b/queue-4.4/mips-fix-kernel-crash-for-r6-in-jump-label-branch-function.patch @@ -0,0 +1,51 @@ +From 47c25036b60f27b86ab44b66a8861bcf81cde39b Mon Sep 17 00:00:00 2001 +From: Archer Yan +Date: Fri, 8 Mar 2019 03:29:19 +0000 +Subject: MIPS: Fix kernel crash for R6 in jump label branch function + +From: Archer Yan + +commit 47c25036b60f27b86ab44b66a8861bcf81cde39b upstream. + +Insert Branch instruction instead of NOP to make sure assembler don't +patch code in forbidden slot. In jump label function, it might +be possible to patch Control Transfer Instructions(CTIs) into +forbidden slot, which will generate Reserved Instruction exception +in MIPS release 6. + +Signed-off-by: Archer Yan +Reviewed-by: Paul Burton +[paul.burton@mips.com: + - Add MIPS prefix to subject. + - Mark for stable from v4.0, which introduced r6 support, onwards.] +Signed-off-by: Paul Burton +Cc: linux-mips@vger.kernel.org +Cc: stable@vger.kernel.org # v4.0+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/jump_label.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/mips/include/asm/jump_label.h ++++ b/arch/mips/include/asm/jump_label.h +@@ -21,15 +21,15 @@ + #endif + + #ifdef CONFIG_CPU_MICROMIPS +-#define NOP_INSN "nop32" ++#define B_INSN "b32" + #else +-#define NOP_INSN "nop" ++#define B_INSN "b" + #endif + + static __always_inline bool arch_static_branch(struct static_key *key, bool branch) + { +- asm_volatile_goto("1:\t" NOP_INSN "\n\t" +- "nop\n\t" ++ asm_volatile_goto("1:\t" B_INSN " 2f\n\t" ++ "2:\tnop\n\t" + ".pushsection __jump_table, \"aw\"\n\t" + WORD_INSN " 1b, %l[l_yes], %0\n\t" + ".popsection\n\t" diff --git a/queue-4.4/mips-loongson64-lemote-2f-add-irqf_no_suspend-to-cascade-irqaction.patch b/queue-4.4/mips-loongson64-lemote-2f-add-irqf_no_suspend-to-cascade-irqaction.patch new file mode 100644 index 00000000000..07e251019f3 --- /dev/null +++ b/queue-4.4/mips-loongson64-lemote-2f-add-irqf_no_suspend-to-cascade-irqaction.patch @@ -0,0 +1,49 @@ +From 5f5f67da9781770df0403269bc57d7aae608fecd Mon Sep 17 00:00:00 2001 +From: Yifeng Li +Date: Tue, 5 Mar 2019 06:00:22 +0800 +Subject: mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to "cascade" irqaction. + +From: Yifeng Li + +commit 5f5f67da9781770df0403269bc57d7aae608fecd upstream. + +Timekeeping IRQs from CS5536 MFGPT are routed to i8259, which then +triggers the "cascade" IRQ on MIPS CPU. Without IRQF_NO_SUSPEND in +cascade_irqaction, MFGPT interrupts will be masked in suspend mode, +and the machine would be unable to resume once suspended. + +Previously, MIPS IRQs were not disabled properly, so the original +code appeared to work. Commit a3e6c1eff5 ("MIPS: IRQ: Fix disable_irq on +CPU IRQs") uncovers the bug. To fix it, add IRQF_NO_SUSPEND to +cascade_irqaction. + +This commit is functionally identical to 0add9c2f1cff ("MIPS: +Loongson-3: Add IRQF_NO_SUSPEND to Cascade irqaction"), but it forgot +to apply the same fix to Loongson2. + +Signed-off-by: Yifeng Li +Signed-off-by: Paul Burton +Cc: linux-mips@vger.kernel.org +Cc: Jiaxun Yang +Cc: Huacai Chen +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # v3.19+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/loongson64/lemote-2f/irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/loongson64/lemote-2f/irq.c ++++ b/arch/mips/loongson64/lemote-2f/irq.c +@@ -102,7 +102,7 @@ static struct irqaction ip6_irqaction = + static struct irqaction cascade_irqaction = { + .handler = no_action, + .name = "cascade", +- .flags = IRQF_NO_THREAD, ++ .flags = IRQF_NO_THREAD | IRQF_NO_SUSPEND, + }; + + void __init mach_init_irq(void) diff --git a/queue-4.4/mmc-pxamci-fix-enum-type-confusion.patch b/queue-4.4/mmc-pxamci-fix-enum-type-confusion.patch new file mode 100644 index 00000000000..0b0ed09f174 --- /dev/null +++ b/queue-4.4/mmc-pxamci-fix-enum-type-confusion.patch @@ -0,0 +1,47 @@ +From e60a582bcde01158a64ff948fb799f21f5d31a11 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 7 Mar 2019 11:09:19 +0100 +Subject: mmc: pxamci: fix enum type confusion + +From: Arnd Bergmann + +commit e60a582bcde01158a64ff948fb799f21f5d31a11 upstream. + +clang points out several instances of mismatched types in this drivers, +all coming from a single declaration: + +drivers/mmc/host/pxamci.c:193:15: error: implicit conversion from enumeration type 'enum dma_transfer_direction' to + different enumeration type 'enum dma_data_direction' [-Werror,-Wenum-conversion] + direction = DMA_DEV_TO_MEM; + ~ ^~~~~~~~~~~~~~ +drivers/mmc/host/pxamci.c:212:62: error: implicit conversion from enumeration type 'enum dma_data_direction' to + different enumeration type 'enum dma_transfer_direction' [-Werror,-Wenum-conversion] + tx = dmaengine_prep_slave_sg(chan, data->sg, host->dma_len, direction, + +The behavior is correct, so this must be a simply typo from +dma_data_direction and dma_transfer_direction being similarly named +types with a similar purpose. + +Fixes: 6464b7140951 ("mmc: pxamci: switch over to dmaengine use") +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Acked-by: Robert Jarzmik +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/pxamci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/pxamci.c ++++ b/drivers/mmc/host/pxamci.c +@@ -181,7 +181,7 @@ static void pxamci_dma_irq(void *param); + static void pxamci_setup_data(struct pxamci_host *host, struct mmc_data *data) + { + struct dma_async_tx_descriptor *tx; +- enum dma_data_direction direction; ++ enum dma_transfer_direction direction; + struct dma_slave_config config; + struct dma_chan *chan; + unsigned int nob = data->blocks; diff --git a/queue-4.4/udf-fix-crash-on-io-error-during-truncate.patch b/queue-4.4/udf-fix-crash-on-io-error-during-truncate.patch new file mode 100644 index 00000000000..56ca15cd51e --- /dev/null +++ b/queue-4.4/udf-fix-crash-on-io-error-during-truncate.patch @@ -0,0 +1,38 @@ +From d3ca4651d05c0ff7259d087d8c949bcf3e14fb46 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 11 Mar 2019 15:04:18 +0100 +Subject: udf: Fix crash on IO error during truncate + +From: Jan Kara + +commit d3ca4651d05c0ff7259d087d8c949bcf3e14fb46 upstream. + +When truncate(2) hits IO error when reading indirect extent block the +code just bugs with: + +kernel BUG at linux-4.15.0/fs/udf/truncate.c:249! +... + +Fix the problem by bailing out cleanly in case of IO error. + +CC: stable@vger.kernel.org +Reported-by: jean-luc malet +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/truncate.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/udf/truncate.c ++++ b/fs/udf/truncate.c +@@ -260,6 +260,9 @@ void udf_truncate_extents(struct inode * + epos.block = eloc; + epos.bh = udf_tread(sb, + udf_get_lb_pblock(sb, &eloc, 0)); ++ /* Error reading indirect block? */ ++ if (!epos.bh) ++ return; + if (elen) + indirect_ext_len = + (elen + sb->s_blocksize - 1) >>