From: Greg Kroah-Hartman Date: Wed, 25 Apr 2018 16:01:08 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.16.5~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3cd299089e3738fc58caec7cdbc03c917826e20f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ath9k_hw-check-if-the-chip-failed-to-wake-up.patch input-drv260x-fix-initializing-overdrive-voltage.patch jbd2-fix-use-after-free-in-kjournald2.patch
---
diff --git a/queue-4.4/ath9k_hw-check-if-the-chip-failed-to-wake-up.patch b/queue-4.4/ath9k_hw-check-if-the-chip-failed-to-wake-up.patch
new file mode 100644
index 00000000000..b99af635b0a
--- /dev/null
+++ b/queue-4.4/ath9k_hw-check-if-the-chip-failed-to-wake-up.patch
@@ -0,0 +1,41 @@
+From a34d0a0da1abae46a5f6ebd06fb0ec484ca099d9 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Thu, 2 Feb 2017 10:14:51 +0100
+Subject: ath9k_hw: check if the chip failed to wake up
+
+From: Felix Fietkau
+
+commit a34d0a0da1abae46a5f6ebd06fb0ec484ca099d9 upstream.
+
+In an RFC patch, Sven Eckelmann and Simon Wunderlich reported:
+
+"QCA 802.11n chips (especially AR9330/AR9340) sometimes end up in a
+state in which a read of AR_CFG always returns 0xdeadbeef.
+This should not happen when when the power_mode of the device is
+ATH9K_PM_AWAKE."
+
+Include the check for the default register state in the existing MAC
+hang check.
+
+Signed-off-by: Felix Fietkau
+Signed-off-by: Kalle Valo
+Cc: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath9k/hw.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -1595,6 +1595,10 @@ bool ath9k_hw_check_alive(struct ath_hw
+ int count = 50;
+ u32 reg, last_val;
+
++ /* Check if chip failed to wake up */
++ if (REG_READ(ah, AR_CFG) == 0xdeadbeef)
++ return false;
++
+ if (AR_SREV_9300(ah))
+ return !ath9k_hw_detect_mac_hang(ah);
+
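Review bot: The new early return in ath9k_hw_check_alive() compares AR_CFG against the bare literal 0xdeadbeef, and the comment above it does not say why that value means the chip failed to wake up. The commit message explains it (the register reads back its default state although the power mode is ATH9K_PM_AWAKE), but that reasoning is lost once the patch is applied. I would expand the comment to something like `/* AR_CFG reading back 0xdeadbeef is the default register state: the chip did not wake up */`. The rest of the function body lies outside the hunk, so how callers react to the `false` return cannot be checked from here.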
diff --git a/queue-4.4/input-drv260x-fix-initializing-overdrive-voltage.patch b/queue-4.4/input-drv260x-fix-initializing-overdrive-voltage.patch
new file mode 100644
index 00000000000..911fe92efbd
--- /dev/null
+++ b/queue-4.4/input-drv260x-fix-initializing-overdrive-voltage.patch
@@ -0,0 +1,32 @@
+From 74c82dae6c474933f2be401976e1530b5f623221 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Sat, 10 Dec 2016 22:56:21 -0800
+Subject: Input: drv260x - fix initializing overdrive voltage
+
+From: Dmitry Torokhov
+
+commit 74c82dae6c474933f2be401976e1530b5f623221 upstream.
+
+We were accidentally initializing haptics->rated_voltage twice, and did not
+initialize overdrive voltage.
+
+Acked-by: Dan Murphy
+Signed-off-by: Dmitry Torokhov
+Cc: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/misc/drv260x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/misc/drv260x.c
++++ b/drivers/input/misc/drv260x.c
+@@ -521,7 +521,7 @@ static int drv260x_probe(struct i2c_clie
+ if (!haptics)
+ return -ENOMEM;
+
+- haptics->rated_voltage = DRV260X_DEF_OD_CLAMP_VOLT;
++ haptics->overdrive_voltage = DRV260X_DEF_OD_CLAMP_VOLT;
+ haptics->rated_voltage = DRV260X_DEF_RATED_VOLT;
+
+ if (pdata) {
diff --git a/queue-4.4/jbd2-fix-use-after-free-in-kjournald2.patch b/queue-4.4/jbd2-fix-use-after-free-in-kjournald2.patch
new file mode 100644
index 00000000000..ea47adb4b57
--- /dev/null
+++ b/queue-4.4/jbd2-fix-use-after-free-in-kjournald2.patch
@@ -0,0 +1,70 @@
+From dbfcef6b0f4012c57bc0b6e0e660d5ed12a5eaed Mon Sep 17 00:00:00 2001
+From: Sahitya Tummala
+Date: Wed, 1 Feb 2017 20:49:35 -0500
+Subject: jbd2: fix use after free in kjournald2()
+
+From: Sahitya Tummala
+
+commit dbfcef6b0f4012c57bc0b6e0e660d5ed12a5eaed upstream.
+
+Below is the synchronization issue between unmount and kjournald2
+contexts, which results into use after free issue in kjournald2().
+Fix this issue by using journal->j_state_lock to synchronize the
+wait_event() done in journal_kill_thread() and the wake_up() done
+in kjournald2().
+
+TASK 1:
+umount cmd:
+ |--jbd2_journal_destroy() {
+ |--journal_kill_thread() {
+ write_lock(&journal->j_state_lock);
+ journal->j_flags |= JBD2_UNMOUNT;
+ ...
+ write_unlock(&journal->j_state_lock);
+ wake_up(&journal->j_wait_commit); TASK 2 wakes up here:
+ kjournald2() {
+ ...
+ checks JBD2_UNMOUNT flag and calls goto end-loop;
+ ...
+ end_loop:
+ write_unlock(&journal->j_state_lock);
+ journal->j_task = NULL; --> If this thread gets
+ pre-empted here, then TASK 1 wait_event will
+ exit even before this thread is completely
+ done.
+ wait_event(journal->j_wait_done_commit, journal->j_task == NULL);
+ ...
+ write_lock(&journal->j_state_lock);
+ write_unlock(&journal->j_state_lock);
+ }
+ |--kfree(journal);
+ }
+}
+ wake_up(&journal->j_wait_done_commit); --> this step
+ now results into use after free issue.
+ }
+
+Signed-off-by: Sahitya Tummala
+Signed-off-by: Theodore Ts'o
+Cc: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/jbd2/journal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -275,11 +275,11 @@ loop:
+ goto loop;
+
+ end_loop:
+- write_unlock(&journal->j_state_lock);
+ del_timer_sync(&journal->j_commit_timer);
+ journal->j_task = NULL;
+ wake_up(&journal->j_wait_done_commit);
+ jbd_debug(1, "Journal thread exiting.\n");
++ write_unlock(&journal->j_state_lock);
+ return 0;
+ }
+
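Review bot: The reordered end_loop path carries no comment saying that write_unlock() must stay below wake_up(), so a later cleanup could move it back up and reintroduce the use after free described in the commit message. I would add above the unlock: `/* Keep j_state_lock held across j_task = NULL and wake_up(): journal_kill_thread() takes the lock after its wait_event(), so the journal cannot be freed while we still use it. */`. Note also that del_timer_sync() now runs with the write lock held, which is safe only if the commit timer's handler never takes j_state_lock; that handler is outside this hunk and should be confirmed. The body of kjournald2() begins before the hunk, so the locking on entry to end_loop is inferred from the removed line.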
diff --git a/queue-4.4/series b/queue-4.4/series
index 82149704d38..5328ecbdb27 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -3,3 +3,6 @@ x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch
 perf-return-proper-values-for-user-stack-errors.patch
 staging-ion-donnot-wakeup-kswapd-in-ion-system-alloc.patch
 r8152-add-linksys-usb3gigv1-id.patch
+input-drv260x-fix-initializing-overdrive-voltage.patch
+ath9k_hw-check-if-the-chip-failed-to-wake-up.patch
+jbd2-fix-use-after-free-in-kjournald2.patch