From: Greg Kroah-Hartman Date: Sat, 29 Sep 2018 12:06:34 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v4.18.12~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=46eff07abff8760cb240f9e04eb211544c586c03;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: 6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch alarmtimer-prevent-overflow-for-relative-nanosleep.patch alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch alsa-snd-aoa-add-of_node_put-in-error-path.patch arm-dts-dra7-fix-dcan-node-addresses.patch arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch audit-fix-extended-comparison-of-gid-egid.patch bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch crypto-skcipher-fix-wstringop-truncation-warnings.patch drivers-tty-add-error-handling-for-pcmcia_loop_config.patch edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch media-fsl-viu-fix-error-handling-in-viu_of_probe.patch media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch media-soc_camera-ov772x-correct-setting-of-banding-filter.patch media-tm6000-add-error-handling-for-dvb_register_adapter.patch module-exclude-shn_undef-symbols-from-kallsyms-api.patch nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch power-vexpress-fix-corruption-in-notifier-registration.patch powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch s390-extmem-fix-gcc-8-stringop-overflow-warning.patch scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch scsi-ibmvscsi-improve-strings-handling.patch scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch staging-android-ashmem-fix-mmap-size-validation.patch staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch tsl2550-fix-lux1_input-error-in-low-light.patch usb-serial-kobil_sct-fix-modem-status-error-handling.patch usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch uwb-hwa-rc-fix-memory-leak-at-probe.patch vmci-type-promotion-bug-in-qp_host_get_user_memory.patch wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch x86-entry-64-add-two-more-instruction-suffixes.patch x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch x86-tsc-add-missing-header-to-tsc_msr.c.patch --- diff --git a/queue-4.4/6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch b/queue-4.4/6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch new file mode 100644 index 00000000000..05210873cfb --- /dev/null +++ b/queue-4.4/6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch @@ -0,0 +1,51 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Michael Scott +Date: Tue, 19 Jun 2018 16:44:06 -0700 +Subject: 6lowpan: iphc: reset mac_header after decompress to fix panic + +From: Michael Scott + +[ Upstream commit 03bc05e1a4972f73b4eb8907aa373369e825c252 ] + +After decompression of 6lowpan socket data, an IPv6 header is inserted +before the existing socket payload. After this, we reset the +network_header value of the skb to account for the difference in payload +size from prior to decompression + the addition of the IPv6 header. + +However, we fail to reset the mac_header value. + +Leaving the mac_header value untouched here, can cause a calculation +error in net/packet/af_packet.c packet_rcv() function when an +AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan +interface. + +On line 2088, the data pointer is moved backward by the value returned +from skb_mac_header(). If skb->data is adjusted so that it is before +the skb->head pointer (which can happen when an old value of mac_header +is left in place) the kernel generates a panic in net/core/skbuff.c +line 1717. + +This panic can be generated by BLE 6lowpan interfaces (such as bt0) and +802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan +sources for compression and decompression. + +Signed-off-by: Michael Scott +Acked-by: Alexander Aring +Acked-by: Jukka Rissanen +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/6lowpan/iphc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/6lowpan/iphc.c ++++ b/net/6lowpan/iphc.c +@@ -569,6 +569,7 @@ int lowpan_header_decompress(struct sk_b + hdr.hop_limit, &hdr.daddr); + + skb_push(skb, sizeof(hdr)); ++ skb_reset_mac_header(skb); + skb_reset_network_header(skb); + skb_copy_to_linear_data(skb, &hdr, sizeof(hdr)); + diff --git a/queue-4.4/alarmtimer-prevent-overflow-for-relative-nanosleep.patch b/queue-4.4/alarmtimer-prevent-overflow-for-relative-nanosleep.patch new file mode 100644 index 00000000000..e4008af080c --- /dev/null +++ b/queue-4.4/alarmtimer-prevent-overflow-for-relative-nanosleep.patch @@ -0,0 +1,51 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Thomas Gleixner +Date: Mon, 2 Jul 2018 09:34:29 +0200 +Subject: alarmtimer: Prevent overflow for relative nanosleep + +From: Thomas Gleixner + +[ Upstream commit 5f936e19cc0ef97dbe3a56e9498922ad5ba1edef ] + +Air Icy reported: + + UBSAN: Undefined behaviour in kernel/time/alarmtimer.c:811:7 + signed integer overflow: + 1529859276030040771 + 9223372036854775807 cannot be represented in type 'long long int' + Call Trace: + alarm_timer_nsleep+0x44c/0x510 kernel/time/alarmtimer.c:811 + __do_sys_clock_nanosleep kernel/time/posix-timers.c:1235 [inline] + __se_sys_clock_nanosleep kernel/time/posix-timers.c:1213 [inline] + __x64_sys_clock_nanosleep+0x326/0x4e0 kernel/time/posix-timers.c:1213 + do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290 + +alarm_timer_nsleep() uses ktime_add() to add the current time and the +relative expiry value. ktime_add() has no sanity checks so the addition +can overflow when the relative timeout is large enough. + +Use ktime_add_safe() which has the necessary sanity checks in place and +limits the result to the valid range. + +Fixes: 9a7adcf5c6de ("timers: Posix interface for alarm-timers") +Reported-by: Team OWL337 +Signed-off-by: Thomas Gleixner +Cc: John Stultz +Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1807020926360.1595@nanos.tec.linutronix.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/alarmtimer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/time/alarmtimer.c ++++ b/kernel/time/alarmtimer.c +@@ -773,7 +773,8 @@ static int alarm_timer_nsleep(const cloc + /* Convert (if necessary) to absolute time */ + if (flags != TIMER_ABSTIME) { + ktime_t now = alarm_bases[type].gettime(); +- exp = ktime_add(now, exp); ++ ++ exp = ktime_add_safe(now, exp); + } + + if (alarmtimer_do_nsleep(&alarm, exp)) diff --git a/queue-4.4/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch b/queue-4.4/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch new file mode 100644 index 00000000000..af3e39c60da --- /dev/null +++ b/queue-4.4/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Kai-Heng Feng +Date: Thu, 28 Jun 2018 15:28:24 +0800 +Subject: ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge + +From: Kai-Heng Feng + +[ Upstream commit 1adca4b0cd65c14cb8b8c9c257720385869c3d5f ] + +This patch can make audio controller in AMD Raven Ridge gets runtime +suspended to D3, to save ~1W power when it's not in use. + +Cc: Vijendar Mukunda +Signed-off-by: Kai-Heng Feng +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_intel.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2360,7 +2360,8 @@ static const struct pci_device_id azx_id + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, + /* AMD Raven */ + { PCI_DEVICE(0x1022, 0x15e3), +- .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, ++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB | ++ AZX_DCAPS_PM_RUNTIME }, + /* ATI HDMI */ + { PCI_DEVICE(0x1002, 0x0002), + .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS }, diff --git a/queue-4.4/alsa-snd-aoa-add-of_node_put-in-error-path.patch b/queue-4.4/alsa-snd-aoa-add-of_node_put-in-error-path.patch new file mode 100644 index 00000000000..5d9271bc6ec --- /dev/null +++ b/queue-4.4/alsa-snd-aoa-add-of_node_put-in-error-path.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Nicholas Mc Guire +Date: Fri, 29 Jun 2018 19:07:42 +0200 +Subject: ALSA: snd-aoa: add of_node_put() in error path + +From: Nicholas Mc Guire + +[ Upstream commit 222bce5eb88d1af656419db04bcd84b2419fb900 ] + + Both calls to of_find_node_by_name() and of_get_next_child() return a +node pointer with refcount incremented thus it must be explicidly +decremented here after the last usage. As we are assured to have a +refcounted np either from the initial +of_find_node_by_name(NULL, name); or from the of_get_next_child(gpio, np) +in the while loop if we reached the error code path below, an +x of_node_put(np) is needed. + +Signed-off-by: Nicholas Mc Guire +Fixes: commit f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa") +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/aoa/core/gpio-feature.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/aoa/core/gpio-feature.c ++++ b/sound/aoa/core/gpio-feature.c +@@ -88,8 +88,10 @@ static struct device_node *get_gpio(char + } + + reg = of_get_property(np, "reg", NULL); +- if (!reg) ++ if (!reg) { ++ of_node_put(np); + return NULL; ++ } + + *gpioptr = *reg; + diff --git a/queue-4.4/arm-dts-dra7-fix-dcan-node-addresses.patch b/queue-4.4/arm-dts-dra7-fix-dcan-node-addresses.patch new file mode 100644 index 00000000000..e89bd1f4bc9 --- /dev/null +++ b/queue-4.4/arm-dts-dra7-fix-dcan-node-addresses.patch @@ -0,0 +1,43 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Kevin Hilman +Date: Mon, 21 May 2018 13:08:32 -0700 +Subject: ARM: dts: dra7: fix DCAN node addresses + +From: Kevin Hilman + +[ Upstream commit 949bdcc8a97c6078f21c8d4966436b117f2e4cd3 ] + +Fix the DT node addresses to match the reg property addresses, +which were verified to match the TRM: +http://www.ti.com/lit/pdf/sprui30 + +Cc: Roger Quadros +Signed-off-by: Kevin Hilman +Acked-by: Roger Quadros +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/dra7.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/dra7.dtsi ++++ b/arch/arm/boot/dts/dra7.dtsi +@@ -1549,7 +1549,7 @@ + }; + }; + +- dcan1: can@481cc000 { ++ dcan1: can@4ae3c000 { + compatible = "ti,dra7-d_can"; + ti,hwmods = "dcan1"; + reg = <0x4ae3c000 0x2000>; +@@ -1559,7 +1559,7 @@ + status = "disabled"; + }; + +- dcan2: can@481d0000 { ++ dcan2: can@48480000 { + compatible = "ti,dra7-d_can"; + ti,hwmods = "dcan2"; + reg = <0x48480000 0x2000>; diff --git a/queue-4.4/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch b/queue-4.4/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch new file mode 100644 index 00000000000..eadecfe9df3 --- /dev/null +++ b/queue-4.4/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch @@ -0,0 +1,62 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Ethan Tuttle +Date: Tue, 19 Jun 2018 21:31:08 -0700 +Subject: ARM: mvebu: declare asm symbols as character arrays in pmsu.c + +From: Ethan Tuttle + +[ Upstream commit d0d378ff451a66e486488eec842e507d28145813 ] + +With CONFIG_FORTIFY_SOURCE, memcpy uses the declared size of operands to +detect buffer overflows. If src or dest is declared as a char, attempts to +copy more than byte will result in a fortify_panic(). + +Address this problem in mvebu_setup_boot_addr_wa() by declaring +mvebu_boot_wa_start and mvebu_boot_wa_end as character arrays. Also remove +a couple addressof operators to avoid "arithmetic on pointer to an +incomplete type" compiler error. + +See commit 54a7d50b9205 ("x86: mark kprobe templates as character arrays, +not single characters") for a similar fix. + +Fixes "detected buffer overflow in memcpy" error during init on some mvebu +systems (armada-370-xp, armada-375): + +(fortify_panic) from (mvebu_setup_boot_addr_wa+0xb0/0xb4) +(mvebu_setup_boot_addr_wa) from (mvebu_v7_cpu_pm_init+0x154/0x204) +(mvebu_v7_cpu_pm_init) from (do_one_initcall+0x7c/0x1a8) +(do_one_initcall) from (kernel_init_freeable+0x1bc/0x254) +(kernel_init_freeable) from (kernel_init+0x8/0x114) +(kernel_init) from (ret_from_fork+0x14/0x2c) + +Signed-off-by: Ethan Tuttle +Tested-by: Ethan Tuttle +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-mvebu/pmsu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/mach-mvebu/pmsu.c ++++ b/arch/arm/mach-mvebu/pmsu.c +@@ -117,8 +117,8 @@ void mvebu_pmsu_set_cpu_boot_addr(int hw + PMSU_BOOT_ADDR_REDIRECT_OFFSET(hw_cpu)); + } + +-extern unsigned char mvebu_boot_wa_start; +-extern unsigned char mvebu_boot_wa_end; ++extern unsigned char mvebu_boot_wa_start[]; ++extern unsigned char mvebu_boot_wa_end[]; + + /* + * This function sets up the boot address workaround needed for SMP +@@ -131,7 +131,7 @@ int mvebu_setup_boot_addr_wa(unsigned in + phys_addr_t resume_addr_reg) + { + void __iomem *sram_virt_base; +- u32 code_len = &mvebu_boot_wa_end - &mvebu_boot_wa_start; ++ u32 code_len = mvebu_boot_wa_end - mvebu_boot_wa_start; + + mvebu_mbus_del_window(BOOTROM_BASE, BOOTROM_SIZE); + mvebu_mbus_add_window_by_id(crypto_eng_target, crypto_eng_attribute, diff --git a/queue-4.4/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch b/queue-4.4/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch new file mode 100644 index 00000000000..71021c88af3 --- /dev/null +++ b/queue-4.4/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch @@ -0,0 +1,39 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Liam Girdwood +Date: Thu, 14 Jun 2018 20:26:42 +0100 +Subject: ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs + +From: Liam Girdwood + +[ Upstream commit e01b4f624278d5efe5fb5da585ca371947b16680 ] + +Sometime a component or topology may configure a DAI widget with no +private data leading to a dev_dbg() dereferencne of this data. + +Fix this to check for non NULL private data and let users know if widget +is missing DAI. + +Signed-off-by: Liam Girdwood +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-dapm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -3864,6 +3864,13 @@ int snd_soc_dapm_link_dai_widgets(struct + continue; + } + ++ /* let users know there is no DAI to link */ ++ if (!dai_w->priv) { ++ dev_dbg(card->dev, "dai widget %s has no DAI\n", ++ dai_w->name); ++ continue; ++ } ++ + dai = dai_w->priv; + + /* ...find all widgets with the same stream and link them */ diff --git a/queue-4.4/ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch b/queue-4.4/ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch new file mode 100644 index 00000000000..a64738bea2f --- /dev/null +++ b/queue-4.4/ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch @@ -0,0 +1,52 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Ben Greear +Date: Mon, 18 Jun 2018 17:00:56 +0300 +Subject: ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock + +From: Ben Greear + +[ Upstream commit 168f75f11fe68455e0d058a818ebccfc329d8685 ] + +While debugging driver crashes related to a buggy firmware +crashing under load, I noticed that ath10k_htt_rx_ring_free +could be called without being under lock. I'm not sure if this +is the root cause of the crash or not, but it seems prudent to +protect it. + +Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware +running on 9984 NIC. + +Signed-off-by: Ben Greear +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -212,11 +212,12 @@ int ath10k_htt_rx_ring_refill(struct ath + spin_lock_bh(&htt->rx_ring.lock); + ret = ath10k_htt_rx_ring_fill_n(htt, (htt->rx_ring.fill_level - + htt->rx_ring.fill_cnt)); +- spin_unlock_bh(&htt->rx_ring.lock); + + if (ret) + ath10k_htt_rx_ring_free(htt); + ++ spin_unlock_bh(&htt->rx_ring.lock); ++ + return ret; + } + +@@ -230,7 +231,9 @@ void ath10k_htt_rx_free(struct ath10k_ht + skb_queue_purge(&htt->rx_compl_q); + skb_queue_purge(&htt->rx_in_ord_compl_q); + ++ spin_lock_bh(&htt->rx_ring.lock); + ath10k_htt_rx_ring_free(htt); ++ spin_unlock_bh(&htt->rx_ring.lock); + + dma_free_coherent(htt->ar->dev, + (htt->rx_ring.size * diff --git a/queue-4.4/audit-fix-extended-comparison-of-gid-egid.patch b/queue-4.4/audit-fix-extended-comparison-of-gid-egid.patch new file mode 100644 index 00000000000..859b961c57d --- /dev/null +++ b/queue-4.4/audit-fix-extended-comparison-of-gid-egid.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: "Ondrej Mosnáček" +Date: Tue, 5 Jun 2018 11:00:10 +0200 +Subject: audit: Fix extended comparison of GID/EGID + +From: "Ondrej Mosnáček" + +[ Upstream commit af85d1772e31fed34165a1b3decef340cf4080c0 ] + +The audit_filter_rules() function in auditsc.c used the in_[e]group_p() +functions to check GID/EGID match, but these functions use the current +task's credentials, while the comparison should use the credentials of +the task given to audit_filter_rules() as a parameter (tsk). + +Note that we can use group_search(cred->group_info, ...) as a +replacement for both in_group_p and in_egroup_p as these functions only +compare the parameter to cred->fsgid/egid and then call group_search. + +In fact, the usage of in_group_p was even more incorrect: it compares to +cred->fsgid (which is usually equal to cred->egid) and not cred->gid. + +GitHub issue: +https://github.com/linux-audit/audit-kernel/issues/82 + +Fixes: 37eebe39c973 ("audit: improve GID/EGID comparation logic") +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/auditsc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -489,20 +489,20 @@ static int audit_filter_rules(struct tas + result = audit_gid_comparator(cred->gid, f->op, f->gid); + if (f->op == Audit_equal) { + if (!result) +- result = in_group_p(f->gid); ++ result = groups_search(cred->group_info, f->gid); + } else if (f->op == Audit_not_equal) { + if (result) +- result = !in_group_p(f->gid); ++ result = !groups_search(cred->group_info, f->gid); + } + break; + case AUDIT_EGID: + result = audit_gid_comparator(cred->egid, f->op, f->gid); + if (f->op == Audit_equal) { + if (!result) +- result = in_egroup_p(f->gid); ++ result = groups_search(cred->group_info, f->gid); + } else if (f->op == Audit_not_equal) { + if (result) +- result = !in_egroup_p(f->gid); ++ result = !groups_search(cred->group_info, f->gid); + } + break; + case AUDIT_SGID: diff --git a/queue-4.4/bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch b/queue-4.4/bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch new file mode 100644 index 00000000000..217b8c38c0b --- /dev/null +++ b/queue-4.4/bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Jian-Hong Pan +Date: Fri, 25 May 2018 17:54:52 +0800 +Subject: Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 + +From: Jian-Hong Pan + +[ Upstream commit 45ae68b8cfc25bdbffc11248001c47ab1b76ff6e ] + +Without this patch we cannot turn on the Bluethooth adapter on HP +14-bs007la. + +T: Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0bda ProdID=b009 Rev= 2.00 +S: Manufacturer=Realtek +S: Product=802.11n WLAN Adapter +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Jian-Hong Pan +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -340,6 +340,7 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK }, + + /* Additional Realtek 8723DE Bluetooth devices */ ++ { USB_DEVICE(0x0bda, 0xb009), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x2ff8, 0xb011), .driver_info = BTUSB_REALTEK }, + + /* Additional Realtek 8821AE Bluetooth devices */ diff --git a/queue-4.4/crypto-skcipher-fix-wstringop-truncation-warnings.patch b/queue-4.4/crypto-skcipher-fix-wstringop-truncation-warnings.patch new file mode 100644 index 00000000000..33c4ee874f7 --- /dev/null +++ b/queue-4.4/crypto-skcipher-fix-wstringop-truncation-warnings.patch @@ -0,0 +1,63 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Stafford Horne +Date: Mon, 25 Jun 2018 21:45:37 +0900 +Subject: crypto: skcipher - Fix -Wstringop-truncation warnings + +From: Stafford Horne + +[ Upstream commit cefd769fd0192c84d638f66da202459ed8ad63ba ] + +As of GCC 9.0.0 the build is reporting warnings like: + + crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’: + crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation] + strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + sizeof(rblkcipher.geniv)); + ~~~~~~~~~~~~~~~~~~~~~~~~~ + +This means the strnycpy might create a non null terminated string. Fix this by +explicitly performing '\0' termination. + +Cc: Greg Kroah-Hartman +Cc: Arnd Bergmann +Cc: Max Filippov +Cc: Eric Biggers +Cc: Nick Desaulniers +Signed-off-by: Stafford Horne +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + crypto/ablkcipher.c | 2 ++ + crypto/blkcipher.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/crypto/ablkcipher.c ++++ b/crypto/ablkcipher.c +@@ -384,6 +384,7 @@ static int crypto_ablkcipher_report(stru + strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type)); + strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", + sizeof(rblkcipher.geniv)); ++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; + + rblkcipher.blocksize = alg->cra_blocksize; + rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; +@@ -465,6 +466,7 @@ static int crypto_givcipher_report(struc + strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type)); + strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", + sizeof(rblkcipher.geniv)); ++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; + + rblkcipher.blocksize = alg->cra_blocksize; + rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; +--- a/crypto/blkcipher.c ++++ b/crypto/blkcipher.c +@@ -515,6 +515,7 @@ static int crypto_blkcipher_report(struc + strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type)); + strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "", + sizeof(rblkcipher.geniv)); ++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; + + rblkcipher.blocksize = alg->cra_blocksize; + rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize; diff --git a/queue-4.4/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch b/queue-4.4/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch new file mode 100644 index 00000000000..26a6ebdb9f1 --- /dev/null +++ b/queue-4.4/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Zhouyang Jia +Date: Tue, 12 Jun 2018 12:36:25 +0800 +Subject: drivers/tty: add error handling for pcmcia_loop_config + +From: Zhouyang Jia + +[ Upstream commit 85c634e919bd6ef17427f26a52920aeba12e16ee ] + +When pcmcia_loop_config fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling pcmcia_loop_config. + +Signed-off-by: Zhouyang Jia +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/serial_cs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/8250/serial_cs.c ++++ b/drivers/tty/serial/8250/serial_cs.c +@@ -629,8 +629,10 @@ static int serial_config(struct pcmcia_d + (link->has_func_id) && + (link->socket->pcmcia_pfc == 0) && + ((link->func_id == CISTPL_FUNCID_MULTI) || +- (link->func_id == CISTPL_FUNCID_SERIAL))) +- pcmcia_loop_config(link, serial_check_for_multi, info); ++ (link->func_id == CISTPL_FUNCID_SERIAL))) { ++ if (pcmcia_loop_config(link, serial_check_for_multi, info)) ++ goto failed; ++ } + + /* + * Apply any multi-port quirk. diff --git a/queue-4.4/edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch b/queue-4.4/edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch new file mode 100644 index 00000000000..9e234ce4cfe --- /dev/null +++ b/queue-4.4/edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch @@ -0,0 +1,81 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Johan Hovold +Date: Tue, 12 Jun 2018 14:43:35 +0200 +Subject: EDAC, i7core: Fix memleaks and use-after-free on probe and remove + +From: Johan Hovold + +[ Upstream commit 6c974d4dfafe5e9ee754f2a6fba0eb1864f1649e ] + +Make sure to free and deregister the addrmatch and chancounts devices +allocated during probe in all error paths. Also fix use-after-free in a +probe error path and in the remove success path where the devices were +being put before before deregistration. + +Signed-off-by: Johan Hovold +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Fixes: 356f0a30860d ("i7core_edac: change the mem allocation scheme to make Documentation/kobject.txt happy") +Link: http://lkml.kernel.org/r/20180612124335.6420-2-johan@kernel.org +Signed-off-by: Borislav Petkov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/i7core_edac.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/drivers/edac/i7core_edac.c ++++ b/drivers/edac/i7core_edac.c +@@ -1187,15 +1187,14 @@ static int i7core_create_sysfs_devices(s + + rc = device_add(pvt->addrmatch_dev); + if (rc < 0) +- return rc; ++ goto err_put_addrmatch; + + if (!pvt->is_registered) { + pvt->chancounts_dev = kzalloc(sizeof(*pvt->chancounts_dev), + GFP_KERNEL); + if (!pvt->chancounts_dev) { +- put_device(pvt->addrmatch_dev); +- device_del(pvt->addrmatch_dev); +- return -ENOMEM; ++ rc = -ENOMEM; ++ goto err_del_addrmatch; + } + + pvt->chancounts_dev->type = &all_channel_counts_type; +@@ -1209,9 +1208,18 @@ static int i7core_create_sysfs_devices(s + + rc = device_add(pvt->chancounts_dev); + if (rc < 0) +- return rc; ++ goto err_put_chancounts; + } + return 0; ++ ++err_put_chancounts: ++ put_device(pvt->chancounts_dev); ++err_del_addrmatch: ++ device_del(pvt->addrmatch_dev); ++err_put_addrmatch: ++ put_device(pvt->addrmatch_dev); ++ ++ return rc; + } + + static void i7core_delete_sysfs_devices(struct mem_ctl_info *mci) +@@ -1221,11 +1229,11 @@ static void i7core_delete_sysfs_devices( + edac_dbg(1, "\n"); + + if (!pvt->is_registered) { +- put_device(pvt->chancounts_dev); + device_del(pvt->chancounts_dev); ++ put_device(pvt->chancounts_dev); + } +- put_device(pvt->addrmatch_dev); + device_del(pvt->addrmatch_dev); ++ put_device(pvt->addrmatch_dev); + } + + /**************************************************************************** diff --git a/queue-4.4/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch b/queue-4.4/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch new file mode 100644 index 00000000000..d5194a93898 --- /dev/null +++ b/queue-4.4/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Zhouyang Jia +Date: Thu, 14 Jun 2018 21:37:17 +0800 +Subject: HID: hid-ntrig: add error handling for sysfs_create_group + +From: Zhouyang Jia + +[ Upstream commit 44d4d51de9a3534a2b63d69efda02a10e66541e4 ] + +When sysfs_create_group fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling sysfs_create_group. + +Signed-off-by: Zhouyang Jia +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ntrig.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/hid/hid-ntrig.c ++++ b/drivers/hid/hid-ntrig.c +@@ -955,6 +955,8 @@ static int ntrig_probe(struct hid_device + + ret = sysfs_create_group(&hdev->dev.kobj, + &ntrig_attribute_group); ++ if (ret) ++ hid_err(hdev, "cannot create sysfs group\n"); + + return 0; + err_free: diff --git a/queue-4.4/md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch b/queue-4.4/md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch new file mode 100644 index 00000000000..30aba2c683e --- /dev/null +++ b/queue-4.4/md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch @@ -0,0 +1,72 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Guoqing Jiang +Date: Mon, 2 Jul 2018 16:26:24 +0800 +Subject: md-cluster: clear another node's suspend_area after the copy is finished + +From: Guoqing Jiang + +[ Upstream commit 010228e4a932ca1e8365e3b58c8e1e44c16ff793 ] + +When one node leaves cluster or stops the resyncing +(resync or recovery) array, then other nodes need to +call recover_bitmaps to continue the unfinished task. + +But we need to clear suspend_area later after other +nodes copy the resync information to their bitmap +(by call bitmap_copy_from_slot). Otherwise, all nodes +could write to the suspend_area even the suspend_area +is not handled by any node, because area_resyncing +returns 0 at the beginning of raid1_write_request. +Which means one node could write suspend_area while +another node is resyncing the same area, then data +could be inconsistent. + +So let's clear suspend_area later to avoid above issue +with the protection of bm lock. Also it is straightforward +to clear suspend_area after nodes have copied the resync +info to bitmap. + +Signed-off-by: Guoqing Jiang +Reviewed-by: NeilBrown +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md-cluster.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -239,15 +239,6 @@ static void recover_bitmaps(struct md_th + while (cinfo->recovery_map) { + slot = fls64((u64)cinfo->recovery_map) - 1; + +- /* Clear suspend_area associated with the bitmap */ +- spin_lock_irq(&cinfo->suspend_lock); +- list_for_each_entry_safe(s, tmp, &cinfo->suspend_list, list) +- if (slot == s->slot) { +- list_del(&s->list); +- kfree(s); +- } +- spin_unlock_irq(&cinfo->suspend_lock); +- + snprintf(str, 64, "bitmap%04d", slot); + bm_lockres = lockres_init(mddev, str, NULL, 1); + if (!bm_lockres) { +@@ -266,6 +257,16 @@ static void recover_bitmaps(struct md_th + pr_err("md-cluster: Could not copy data from bitmap %d\n", slot); + goto dlm_unlock; + } ++ ++ /* Clear suspend_area associated with the bitmap */ ++ spin_lock_irq(&cinfo->suspend_lock); ++ list_for_each_entry_safe(s, tmp, &cinfo->suspend_list, list) ++ if (slot == s->slot) { ++ list_del(&s->list); ++ kfree(s); ++ } ++ spin_unlock_irq(&cinfo->suspend_lock); ++ + if (hi > 0) { + /* TODO:Wait for current resync to get over */ + set_bit(MD_RECOVERY_NEEDED, &mddev->recovery); diff --git a/queue-4.4/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch b/queue-4.4/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch new file mode 100644 index 00000000000..f6b3f98f0c7 --- /dev/null +++ b/queue-4.4/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch @@ -0,0 +1,49 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Sylwester Nawrocki +Date: Tue, 15 May 2018 05:21:45 -0400 +Subject: media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt() + +From: Sylwester Nawrocki + +[ Upstream commit 7c1b9a5aeed91bef98988ac0fcf38c8c1f4f9a3a ] + +This patch fixes potential NULL pointer dereference as indicated +by the following static checker warning: + +drivers/media/platform/exynos4-is/fimc-isp-video.c:408 isp_video_try_fmt_mplane() +error: NULL dereference inside function '__isp_video_try_fmt(isp, &f->fmt.pix_mp, (0))()'. + +Fixes: 34947b8aebe3: ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver") + +Reported-by: Dan Carpenter +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/exynos4-is/fimc-isp-video.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c ++++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c +@@ -391,12 +391,17 @@ static void __isp_video_try_fmt(struct f + struct v4l2_pix_format_mplane *pixm, + const struct fimc_fmt **fmt) + { +- *fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2); ++ const struct fimc_fmt *__fmt; ++ ++ __fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2); ++ ++ if (fmt) ++ *fmt = __fmt; + + pixm->colorspace = V4L2_COLORSPACE_SRGB; + pixm->field = V4L2_FIELD_NONE; +- pixm->num_planes = (*fmt)->memplanes; +- pixm->pixelformat = (*fmt)->fourcc; ++ pixm->num_planes = __fmt->memplanes; ++ pixm->pixelformat = __fmt->fourcc; + /* + * TODO: double check with the docmentation these width/height + * constraints are correct. diff --git a/queue-4.4/media-fsl-viu-fix-error-handling-in-viu_of_probe.patch b/queue-4.4/media-fsl-viu-fix-error-handling-in-viu_of_probe.patch new file mode 100644 index 00000000000..c212e8f5b89 --- /dev/null +++ b/queue-4.4/media-fsl-viu-fix-error-handling-in-viu_of_probe.patch @@ -0,0 +1,145 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Alexey Khoroshilov +Date: Fri, 29 Jun 2018 17:49:22 -0400 +Subject: media: fsl-viu: fix error handling in viu_of_probe() + +From: Alexey Khoroshilov + +[ Upstream commit 662a99e145661c2b35155cf375044deae9b79896 ] + +viu_of_probe() ignores fails in i2c_get_adapter(), +tries to unlock uninitialized mutex on error path. + +The patch streamlining the error handling in viu_of_probe(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/fsl-viu.c | 38 +++++++++++++++++++++++--------------- + 1 file changed, 23 insertions(+), 15 deletions(-) + +--- a/drivers/media/platform/fsl-viu.c ++++ b/drivers/media/platform/fsl-viu.c +@@ -1417,7 +1417,7 @@ static int viu_of_probe(struct platform_ + sizeof(struct viu_reg), DRV_NAME)) { + dev_err(&op->dev, "Error while requesting mem region\n"); + ret = -EBUSY; +- goto err; ++ goto err_irq; + } + + /* remap registers */ +@@ -1425,7 +1425,7 @@ static int viu_of_probe(struct platform_ + if (!viu_regs) { + dev_err(&op->dev, "Can't map register set\n"); + ret = -ENOMEM; +- goto err; ++ goto err_irq; + } + + /* Prepare our private structure */ +@@ -1433,7 +1433,7 @@ static int viu_of_probe(struct platform_ + if (!viu_dev) { + dev_err(&op->dev, "Can't allocate private structure\n"); + ret = -ENOMEM; +- goto err; ++ goto err_irq; + } + + viu_dev->vr = viu_regs; +@@ -1449,16 +1449,21 @@ static int viu_of_probe(struct platform_ + ret = v4l2_device_register(viu_dev->dev, &viu_dev->v4l2_dev); + if (ret < 0) { + dev_err(&op->dev, "v4l2_device_register() failed: %d\n", ret); +- goto err; ++ goto err_irq; + } + + ad = i2c_get_adapter(0); ++ if (!ad) { ++ ret = -EFAULT; ++ dev_err(&op->dev, "couldn't get i2c adapter\n"); ++ goto err_v4l2; ++ } + + v4l2_ctrl_handler_init(&viu_dev->hdl, 5); + if (viu_dev->hdl.error) { + ret = viu_dev->hdl.error; + dev_err(&op->dev, "couldn't register control\n"); +- goto err_vdev; ++ goto err_i2c; + } + /* This control handler will inherit the control(s) from the + sub-device(s). */ +@@ -1476,7 +1481,7 @@ static int viu_of_probe(struct platform_ + vdev = video_device_alloc(); + if (vdev == NULL) { + ret = -ENOMEM; +- goto err_vdev; ++ goto err_hdl; + } + + *vdev = viu_template; +@@ -1497,7 +1502,7 @@ static int viu_of_probe(struct platform_ + ret = video_register_device(viu_dev->vdev, VFL_TYPE_GRABBER, -1); + if (ret < 0) { + video_device_release(viu_dev->vdev); +- goto err_vdev; ++ goto err_unlock; + } + + /* enable VIU clock */ +@@ -1505,12 +1510,12 @@ static int viu_of_probe(struct platform_ + if (IS_ERR(clk)) { + dev_err(&op->dev, "failed to lookup the clock!\n"); + ret = PTR_ERR(clk); +- goto err_clk; ++ goto err_vdev; + } + ret = clk_prepare_enable(clk); + if (ret) { + dev_err(&op->dev, "failed to enable the clock!\n"); +- goto err_clk; ++ goto err_vdev; + } + viu_dev->clk = clk; + +@@ -1521,7 +1526,7 @@ static int viu_of_probe(struct platform_ + if (request_irq(viu_dev->irq, viu_intr, 0, "viu", (void *)viu_dev)) { + dev_err(&op->dev, "Request VIU IRQ failed.\n"); + ret = -ENODEV; +- goto err_irq; ++ goto err_clk; + } + + mutex_unlock(&viu_dev->lock); +@@ -1529,16 +1534,19 @@ static int viu_of_probe(struct platform_ + dev_info(&op->dev, "Freescale VIU Video Capture Board\n"); + return ret; + +-err_irq: +- clk_disable_unprepare(viu_dev->clk); + err_clk: +- video_unregister_device(viu_dev->vdev); ++ clk_disable_unprepare(viu_dev->clk); + err_vdev: +- v4l2_ctrl_handler_free(&viu_dev->hdl); ++ video_unregister_device(viu_dev->vdev); ++err_unlock: + mutex_unlock(&viu_dev->lock); ++err_hdl: ++ v4l2_ctrl_handler_free(&viu_dev->hdl); ++err_i2c: + i2c_put_adapter(ad); ++err_v4l2: + v4l2_device_unregister(&viu_dev->v4l2_dev); +-err: ++err_irq: + irq_dispose_mapping(viu_irq); + return ret; + } diff --git a/queue-4.4/media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch b/queue-4.4/media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch new file mode 100644 index 00000000000..65b2768ef3a --- /dev/null +++ b/queue-4.4/media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Javier Martinez Canillas +Date: Sat, 9 Jun 2018 08:22:45 -0400 +Subject: media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data + +From: Javier Martinez Canillas + +[ Upstream commit 2ec7debd44b49927a6e2861521994cc075a389ed ] + +The struct clk_init_data init variable is declared in the isp_xclk_init() +function so is an automatic variable allocated in the stack. But it's not +explicitly zero-initialized, so some init fields are left uninitialized. + +This causes the data structure to have undefined values that may confuse +the common clock framework when the clock is registered. + +For example, the uninitialized .flags field could have the CLK_IS_CRITICAL +bit set, causing the framework to wrongly prepare the clk on registration. +This leads to the isp_xclk_prepare() callback being called, which in turn +calls to the omap3isp_get() function that increments the isp dev refcount. + +Since this omap3isp_get() call is unexpected, this leads to an unbalanced +omap3isp_get() call that prevents the requested IRQ to be later enabled, +due the refcount not being 0 when the correct omap3isp_get() call happens. + +Fixes: 9b28ee3c9122 ("[media] omap3isp: Use the common clock framework") + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Sebastian Reichel +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/omap3isp/isp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/omap3isp/isp.c ++++ b/drivers/media/platform/omap3isp/isp.c +@@ -303,7 +303,7 @@ static struct clk *isp_xclk_src_get(stru + static int isp_xclk_init(struct isp_device *isp) + { + struct device_node *np = isp->dev->of_node; +- struct clk_init_data init; ++ struct clk_init_data init = { 0 }; + unsigned int i; + + for (i = 0; i < ARRAY_SIZE(isp->xclks); ++i) diff --git a/queue-4.4/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch b/queue-4.4/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch new file mode 100644 index 00000000000..757e9374591 --- /dev/null +++ b/queue-4.4/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Akinobu Mita +Date: Sun, 10 Jun 2018 11:42:01 -0400 +Subject: media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power + +From: Akinobu Mita + +[ Upstream commit 30ed2b83343bd1e07884ca7355dac70d25ffc158 ] + +When the subdevice doesn't provide s_power core ops callback, the +v4l2_subdev_call for s_power returns -ENOIOCTLCMD. If the subdevice +doesn't have the special handling for its power saving mode, the s_power +isn't required. So -ENOIOCTLCMD from the v4l2_subdev_call should be +ignored. + +Cc: Hans Verkuil +Signed-off-by: Akinobu Mita +Acked-by: Sylwester Nawrocki +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/s3c-camif/camif-capture.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/platform/s3c-camif/camif-capture.c ++++ b/drivers/media/platform/s3c-camif/camif-capture.c +@@ -117,6 +117,8 @@ static int sensor_set_power(struct camif + + if (camif->sensor.power_count == !on) + err = v4l2_subdev_call(sensor->sd, core, s_power, on); ++ if (err == -ENOIOCTLCMD) ++ err = 0; + if (!err) + sensor->power_count += on ? 1 : -1; + diff --git a/queue-4.4/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch b/queue-4.4/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch new file mode 100644 index 00000000000..133fa3b8563 --- /dev/null +++ b/queue-4.4/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Akinobu Mita +Date: Sun, 10 Jun 2018 11:42:26 -0400 +Subject: media: soc_camera: ov772x: correct setting of banding filter + +From: Akinobu Mita + +[ Upstream commit 22216ec41e919682c15345e95928f266e8ba6f9e ] + +The banding filter ON/OFF is controlled via bit 5 of COM8 register. It +is attempted to be enabled in ov772x_set_params() by the following line. + + ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1); + +But this unexpectedly results disabling the banding filter, because the +mask and set bits are exclusive. + +On the other hand, ov772x_s_ctrl() correctly sets the bit by: + + ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF); + +The same fix was already applied to non-soc_camera version of ov772x +driver in the commit commit a024ee14cd36 ("media: ov772x: correct setting +of banding filter") + +Cc: Jacopo Mondi +Cc: Laurent Pinchart +Cc: Hans Verkuil +Signed-off-by: Akinobu Mita +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/soc_camera/ov772x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/soc_camera/ov772x.c ++++ b/drivers/media/i2c/soc_camera/ov772x.c +@@ -834,7 +834,7 @@ static int ov772x_set_params(struct ov77 + * set COM8 + */ + if (priv->band_filter) { +- ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1); ++ ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF); + if (!ret) + ret = ov772x_mask_set(client, BDBASE, + 0xff, 256 - priv->band_filter); diff --git a/queue-4.4/media-tm6000-add-error-handling-for-dvb_register_adapter.patch b/queue-4.4/media-tm6000-add-error-handling-for-dvb_register_adapter.patch new file mode 100644 index 00000000000..c42a54917f3 --- /dev/null +++ b/queue-4.4/media-tm6000-add-error-handling-for-dvb_register_adapter.patch @@ -0,0 +1,38 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Zhouyang Jia +Date: Mon, 11 Jun 2018 00:39:20 -0400 +Subject: media: tm6000: add error handling for dvb_register_adapter + +From: Zhouyang Jia + +[ Upstream commit e95d7c6eb94c634852eaa5ff4caf3db05b5d2e86 ] + +When dvb_register_adapter fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling dvb_register_adapter. + +Signed-off-by: Zhouyang Jia +[hans.verkuil@cisco.com: use pr_err and fix typo: adater -> adapter] +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/tm6000/tm6000-dvb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/usb/tm6000/tm6000-dvb.c ++++ b/drivers/media/usb/tm6000/tm6000-dvb.c +@@ -275,6 +275,11 @@ static int register_dvb(struct tm6000_co + + ret = dvb_register_adapter(&dvb->adapter, "Trident TVMaster 6000 DVB-T", + THIS_MODULE, &dev->udev->dev, adapter_nr); ++ if (ret < 0) { ++ pr_err("tm6000: couldn't register the adapter!\n"); ++ goto err; ++ } ++ + dvb->adapter.priv = dev; + + if (dvb->frontend) { diff --git a/queue-4.4/module-exclude-shn_undef-symbols-from-kallsyms-api.patch b/queue-4.4/module-exclude-shn_undef-symbols-from-kallsyms-api.patch new file mode 100644 index 00000000000..5e0d820628b --- /dev/null +++ b/queue-4.4/module-exclude-shn_undef-symbols-from-kallsyms-api.patch @@ -0,0 +1,54 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Jessica Yu +Date: Tue, 5 Jun 2018 10:22:52 +0200 +Subject: module: exclude SHN_UNDEF symbols from kallsyms api + +From: Jessica Yu + +[ Upstream commit 9f2d1e68cf4d641def734adaccfc3823d3575e6c ] + +Livepatch modules are special in that we preserve their entire symbol +tables in order to be able to apply relocations after module load. The +unwanted side effect of this is that undefined (SHN_UNDEF) symbols of +livepatch modules are accessible via the kallsyms api and this can +confuse symbol resolution in livepatch (klp_find_object_symbol()) and +cause subtle bugs in livepatch. + +Have the module kallsyms api skip over SHN_UNDEF symbols. These symbols +are usually not available for normal modules anyway as we cut down their +symbol tables to just the core (non-undefined) symbols, so this should +really just affect livepatch modules. Note that this patch doesn't +affect the display of undefined symbols in /proc/kallsyms. + +Reported-by: Josh Poimboeuf +Tested-by: Josh Poimboeuf +Reviewed-by: Josh Poimboeuf +Signed-off-by: Jessica Yu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/module.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3860,7 +3860,7 @@ static unsigned long mod_find_symname(st + + for (i = 0; i < kallsyms->num_symtab; i++) + if (strcmp(name, symname(kallsyms, i)) == 0 && +- kallsyms->symtab[i].st_info != 'U') ++ kallsyms->symtab[i].st_shndx != SHN_UNDEF) + return kallsyms->symtab[i].st_value; + return 0; + } +@@ -3906,6 +3906,10 @@ int module_kallsyms_on_each_symbol(int ( + if (mod->state == MODULE_STATE_UNFORMED) + continue; + for (i = 0; i < kallsyms->num_symtab; i++) { ++ ++ if (kallsyms->symtab[i].st_shndx == SHN_UNDEF) ++ continue; ++ + ret = fn(data, symname(kallsyms, i), + mod, kallsyms->symtab[i].st_value); + if (ret != 0) diff --git a/queue-4.4/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch b/queue-4.4/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch new file mode 100644 index 00000000000..7282a81b989 --- /dev/null +++ b/queue-4.4/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: "J. Bruce Fields" +Date: Wed, 13 Jun 2018 15:21:35 -0400 +Subject: nfsd: fix corrupted reply to badly ordered compound + +From: "J. Bruce Fields" + +[ Upstream commit 5b7b15aee641904ae269be9846610a3950cbd64c ] + +We're encoding a single op in the reply but leaving the number of ops +zero, so the reply makes no sense. + +Somewhat academic as this isn't a case any real client will hit, though +in theory perhaps that could change in a future protocol extension. + +Reviewed-by: Jeff Layton +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4proc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1632,6 +1632,7 @@ nfsd4_proc_compound(struct svc_rqst *rqs + if (status) { + op = &args->ops[0]; + op->status = status; ++ resp->opcnt = 1; + goto encode_op; + } + diff --git a/queue-4.4/power-vexpress-fix-corruption-in-notifier-registration.patch b/queue-4.4/power-vexpress-fix-corruption-in-notifier-registration.patch new file mode 100644 index 00000000000..ceaf1cbfaca --- /dev/null +++ b/queue-4.4/power-vexpress-fix-corruption-in-notifier-registration.patch @@ -0,0 +1,70 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Sudeep Holla +Date: Mon, 18 Jun 2018 16:54:32 +0100 +Subject: power: vexpress: fix corruption in notifier registration + +From: Sudeep Holla + +[ Upstream commit 09bebb1adb21ecd04adf7ccb3b06f73e3a851e93 ] + +Vexpress platforms provide two different restart handlers: SYS_REBOOT +that restart the entire system, while DB_RESET only restarts the +daughter board containing the CPU. DB_RESET is overridden by SYS_REBOOT +if it exists. + +notifier_chain_register used in register_restart_handler by design +relies on notifiers to be registered once only, however vexpress restart +notifier can get registered twice. When this happen it corrupts list +of notifiers, as result some notifiers can be not called on proper +event, traverse on list can be cycled forever, and second unregister +can access already freed memory. + +So far, since this was the only restart handler in the system, no issue +was observed even if the same notifier was registered twice. However +commit 6c5c0d48b686 ("watchdog: sp805: add restart handler") added +support for SP805 restart handlers and since the system under test +contains two vexpress restart and two SP805 watchdog instances, it was +observed that during the boot traversing the restart handler list looped +forever as there's a cycle in that list resulting in boot hang. + +This patch fixes the issues by ensuring that the notifier is installed +only once. + +Cc: Sebastian Reichel +Signed-off-by: Sudeep Holla +Fixes: 46c99ac66222 ("power/reset: vexpress: Register with kernel restart handler") +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/reset/vexpress-poweroff.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/power/reset/vexpress-poweroff.c ++++ b/drivers/power/reset/vexpress-poweroff.c +@@ -35,6 +35,7 @@ static void vexpress_reset_do(struct dev + } + + static struct device *vexpress_power_off_device; ++static atomic_t vexpress_restart_nb_refcnt = ATOMIC_INIT(0); + + static void vexpress_power_off(void) + { +@@ -99,10 +100,13 @@ static int _vexpress_register_restart_ha + int err; + + vexpress_restart_device = dev; +- err = register_restart_handler(&vexpress_restart_nb); +- if (err) { +- dev_err(dev, "cannot register restart handler (err=%d)\n", err); +- return err; ++ if (atomic_inc_return(&vexpress_restart_nb_refcnt) == 1) { ++ err = register_restart_handler(&vexpress_restart_nb); ++ if (err) { ++ dev_err(dev, "cannot register restart handler (err=%d)\n", err); ++ atomic_dec(&vexpress_restart_nb_refcnt); ++ return err; ++ } + } + device_create_file(dev, &dev_attr_active); + diff --git a/queue-4.4/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch b/queue-4.4/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch new file mode 100644 index 00000000000..d0148cce09d --- /dev/null +++ b/queue-4.4/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch @@ -0,0 +1,39 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Hari Bathini +Date: Thu, 28 Jun 2018 10:49:56 +0530 +Subject: powerpc/kdump: Handle crashkernel memory reservation failure + +From: Hari Bathini + +[ Upstream commit 8950329c4a64c6d3ca0bc34711a1afbd9ce05657 ] + +Memory reservation for crashkernel could fail if there are holes around +kdump kernel offset (128M). Fail gracefully in such cases and print an +error message. + +Signed-off-by: Hari Bathini +Tested-by: David Gibson +Reviewed-by: Dave Young +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/machine_kexec.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/machine_kexec.c ++++ b/arch/powerpc/kernel/machine_kexec.c +@@ -186,7 +186,12 @@ void __init reserve_crashkernel(void) + (unsigned long)(crashk_res.start >> 20), + (unsigned long)(memblock_phys_mem_size() >> 20)); + +- memblock_reserve(crashk_res.start, crash_size); ++ if (!memblock_is_region_memory(crashk_res.start, crash_size) || ++ memblock_reserve(crashk_res.start, crash_size)) { ++ pr_err("Failed to reserve memory for crashkernel!\n"); ++ crashk_res.start = crashk_res.end = 0; ++ return; ++ } + } + + int overlaps_crashkernel(unsigned long start, unsigned long size) diff --git a/queue-4.4/powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch b/queue-4.4/powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch new file mode 100644 index 00000000000..2bfce995fc2 --- /dev/null +++ b/queue-4.4/powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Alexey Kardashevskiy +Date: Fri, 1 Jun 2018 18:06:16 +1000 +Subject: powerpc/powernv/ioda2: Reduce upper limit for DMA window size + +From: Alexey Kardashevskiy + +[ Upstream commit d3d4ffaae439981e1e441ebb125aa3588627c5d8 ] + +We use PHB in mode1 which uses bit 59 to select a correct DMA window. +However there is mode2 which uses bits 59:55 and allows up to 32 DMA +windows per a PE. + +Even though documentation does not clearly specify that, it seems that +the actual hardware does not support bits 59:55 even in mode1, in other +words we can create a window as big as 1<<58 but DMA simply won't work. + +This reduces the upper limit from 59 to 55 bits to let the userspace know +about the hardware limits. + +Fixes: 7aafac11e3 "powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested" +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -2270,7 +2270,7 @@ static long pnv_pci_ioda2_table_alloc_pa + level_shift = entries_shift + 3; + level_shift = max_t(unsigned, level_shift, PAGE_SHIFT); + +- if ((level_shift - 3) * levels + page_shift >= 60) ++ if ((level_shift - 3) * levels + page_shift >= 55) + return -EINVAL; + + /* Allocate TCE table */ diff --git a/queue-4.4/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch b/queue-4.4/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch new file mode 100644 index 00000000000..1a6f49aad99 --- /dev/null +++ b/queue-4.4/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Dan Carpenter +Date: Tue, 5 Jun 2018 14:31:39 +0300 +Subject: rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() + +From: Dan Carpenter + +[ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ] + +This is a static checker fix, not something I have tested. The issue +is that on the second iteration through the loop, we jump forward by +le32_to_cpu(auth_req->length) bytes. The problem is that if the length +is more than "buflen" then we end up with a negative "buflen". A +negative buflen is type promoted to a high positive value and the loop +continues but it's accessing beyond the end of the buffer. + +I believe the "auth_req->length" comes from the firmware and if the +firmware is malicious or buggy, you're already toasted so the impact of +this bug is probably not very severe. + +Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rndis_wlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/rndis_wlan.c ++++ b/drivers/net/wireless/rndis_wlan.c +@@ -2919,6 +2919,8 @@ static void rndis_wlan_auth_indication(s + + while (buflen >= sizeof(*auth_req)) { + auth_req = (void *)buf; ++ if (buflen < le32_to_cpu(auth_req->length)) ++ return; + type = "unknown"; + flags = le32_to_cpu(auth_req->flags); + pairwise_error = false; diff --git a/queue-4.4/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch b/queue-4.4/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch new file mode 100644 index 00000000000..b667ba77ea5 --- /dev/null +++ b/queue-4.4/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch @@ -0,0 +1,52 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Vasily Gorbik +Date: Sun, 17 Jun 2018 00:30:43 +0200 +Subject: s390/extmem: fix gcc 8 stringop-overflow warning + +From: Vasily Gorbik + +[ Upstream commit 6b2ddf33baec23dace85bd647e3fc4ac070963e8 ] + +arch/s390/mm/extmem.c: In function '__segment_load': +arch/s390/mm/extmem.c:436:2: warning: 'strncat' specified bound 7 equals +source length [-Wstringop-overflow=] + strncat(seg->res_name, " (DCSS)", 7); + +What gcc complains about here is the misuse of strncat function, which +in this case does not limit a number of bytes taken from "src", so it is +in the end the same as strcat(seg->res_name, " (DCSS)"); + +Keeping in mind that a res_name is 15 bytes, strncat in this case +would overflow the buffer and write 0 into alignment byte between the +fields in the struct. To avoid that increasing res_name size to 16, +and reusing strlcat. + +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/mm/extmem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/mm/extmem.c ++++ b/arch/s390/mm/extmem.c +@@ -79,7 +79,7 @@ struct qin64 { + struct dcss_segment { + struct list_head list; + char dcss_name[8]; +- char res_name[15]; ++ char res_name[16]; + unsigned long start_addr; + unsigned long end; + atomic_t ref_count; +@@ -434,7 +434,7 @@ __segment_load (char *name, int do_nonsh + memcpy(&seg->res_name, seg->dcss_name, 8); + EBCASC(seg->res_name, 8); + seg->res_name[8] = '\0'; +- strncat(seg->res_name, " (DCSS)", 7); ++ strlcat(seg->res_name, " (DCSS)", sizeof(seg->res_name)); + seg->res->name = seg->res_name; + rc = seg->vm_segtype; + if (rc == SEG_TYPE_SC || diff --git a/queue-4.4/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch b/queue-4.4/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch new file mode 100644 index 00000000000..3ca67f63030 --- /dev/null +++ b/queue-4.4/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch @@ -0,0 +1,35 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Zhouyang Jia +Date: Tue, 12 Jun 2018 11:13:00 +0800 +Subject: scsi: bnx2i: add error handling for ioremap_nocache + +From: Zhouyang Jia + +[ Upstream commit aa154ea885eb0c2407457ce9c1538d78c95456fa ] + +When ioremap_nocache fails, the lack of error-handling code may cause +unexpected results. + +This patch adds error-handling code after calling ioremap_nocache. + +Signed-off-by: Zhouyang Jia +Reviewed-by: Johannes Thumshirn +Acked-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/bnx2i/bnx2i_hwi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/bnx2i/bnx2i_hwi.c ++++ b/drivers/scsi/bnx2i/bnx2i_hwi.c +@@ -2742,6 +2742,8 @@ int bnx2i_map_ep_dbell_regs(struct bnx2i + BNX2X_DOORBELL_PCI_BAR); + reg_off = (1 << BNX2X_DB_SHIFT) * (cid_num & 0x1FFFF); + ep->qp.ctx_base = ioremap_nocache(reg_base + reg_off, 4); ++ if (!ep->qp.ctx_base) ++ return -ENOMEM; + goto arm_cq; + } + diff --git a/queue-4.4/scsi-ibmvscsi-improve-strings-handling.patch b/queue-4.4/scsi-ibmvscsi-improve-strings-handling.patch new file mode 100644 index 00000000000..4f6125de736 --- /dev/null +++ b/queue-4.4/scsi-ibmvscsi-improve-strings-handling.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Breno Leitao +Date: Tue, 26 Jun 2018 17:35:16 -0300 +Subject: scsi: ibmvscsi: Improve strings handling + +From: Breno Leitao + +[ Upstream commit 1262dc09dc9ae7bf4ad00b6a2c5ed6a6936bcd10 ] + +Currently an open firmware property is copied into partition_name variable +without keeping a room for \0. + +Later one, this variable (partition_name), which is 97 bytes long, is +strncpyed into ibmvcsci_host_data->madapter_info->partition_name, which is +96 bytes long, possibly truncating it 'again' and removing the \0. + +This patch simply decreases the partition name to 96 and just copy using +strlcpy() which guarantees that the string is \0 terminated. I think there +is no issue if this there is a truncation in this very first copy, i.e, +when the open firmware property is read and copied into the driver for the +very first time; + +This issue also causes the following warning on GCC 8: + + drivers/scsi/ibmvscsi/ibmvscsi.c:281:2: warning: strncpy output may be truncated copying 96 bytes from a string of length 96 [-Wstringop-truncation] + ... + inlined from ibmvscsi_probe at drivers/scsi/ibmvscsi/ibmvscsi.c:2221:7: + drivers/scsi/ibmvscsi/ibmvscsi.c:265:3: warning: strncpy specified bound 97 equals destination size [-Wstringop-truncation] + +CC: Bart Van Assche +CC: Tyrel Datwyler +Signed-off-by: Breno Leitao +Acked-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ibmvscsi/ibmvscsi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ibmvscsi/ibmvscsi.c ++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c +@@ -93,7 +93,7 @@ static int max_requests = IBMVSCSI_MAX_R + static int max_events = IBMVSCSI_MAX_REQUESTS_DEFAULT + 2; + static int fast_fail = 1; + static int client_reserve = 1; +-static char partition_name[97] = "UNKNOWN"; ++static char partition_name[96] = "UNKNOWN"; + static unsigned int partition_number = -1; + + static struct scsi_transport_template *ibmvscsi_transport_template; +@@ -261,7 +261,7 @@ static void gather_partition_info(void) + + ppartition_name = of_get_property(rootdn, "ibm,partition-name", NULL); + if (ppartition_name) +- strncpy(partition_name, ppartition_name, ++ strlcpy(partition_name, ppartition_name, + sizeof(partition_name)); + p_number_ptr = of_get_property(rootdn, "ibm,partition-no", NULL); + if (p_number_ptr) diff --git a/queue-4.4/scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch b/queue-4.4/scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch new file mode 100644 index 00000000000..48fed7ca9dc --- /dev/null +++ b/queue-4.4/scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch @@ -0,0 +1,102 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Bart Van Assche +Date: Fri, 22 Jun 2018 14:54:49 -0700 +Subject: scsi: klist: Make it safe to use klists in atomic context + +From: Bart Van Assche + +[ Upstream commit 624fa7790f80575a4ec28fbdb2034097dc18d051 ] + +In the scsi_transport_srp implementation it cannot be avoided to +iterate over a klist from atomic context when using the legacy block +layer instead of blk-mq. Hence this patch that makes it safe to use +klists in atomic context. This patch avoids that lockdep reports the +following: + +WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&(&k->k_lock)->rlock); + local_irq_disable(); + lock(&(&q->__queue_lock)->rlock); + lock(&(&k->k_lock)->rlock); + + lock(&(&q->__queue_lock)->rlock); + +stack backtrace: +Workqueue: kblockd blk_timeout_work +Call Trace: + dump_stack+0xa4/0xf5 + check_usage+0x6e6/0x700 + __lock_acquire+0x185d/0x1b50 + lock_acquire+0xd2/0x260 + _raw_spin_lock+0x32/0x50 + klist_next+0x47/0x190 + device_for_each_child+0x8e/0x100 + srp_timed_out+0xaf/0x1d0 [scsi_transport_srp] + scsi_times_out+0xd4/0x410 [scsi_mod] + blk_rq_timed_out+0x36/0x70 + blk_timeout_work+0x1b5/0x220 + process_one_work+0x4fe/0xad0 + worker_thread+0x63/0x5a0 + kthread+0x1c1/0x1e0 + ret_from_fork+0x24/0x30 + +See also commit c9ddf73476ff ("scsi: scsi_transport_srp: Fix shost to +rport translation"). + +Signed-off-by: Bart Van Assche +Cc: Martin K. Petersen +Cc: James Bottomley +Acked-by: Greg Kroah-Hartman +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + lib/klist.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/lib/klist.c ++++ b/lib/klist.c +@@ -336,8 +336,9 @@ struct klist_node *klist_prev(struct kli + void (*put)(struct klist_node *) = i->i_klist->put; + struct klist_node *last = i->i_cur; + struct klist_node *prev; ++ unsigned long flags; + +- spin_lock(&i->i_klist->k_lock); ++ spin_lock_irqsave(&i->i_klist->k_lock, flags); + + if (last) { + prev = to_klist_node(last->n_node.prev); +@@ -356,7 +357,7 @@ struct klist_node *klist_prev(struct kli + prev = to_klist_node(prev->n_node.prev); + } + +- spin_unlock(&i->i_klist->k_lock); ++ spin_unlock_irqrestore(&i->i_klist->k_lock, flags); + + if (put && last) + put(last); +@@ -377,8 +378,9 @@ struct klist_node *klist_next(struct kli + void (*put)(struct klist_node *) = i->i_klist->put; + struct klist_node *last = i->i_cur; + struct klist_node *next; ++ unsigned long flags; + +- spin_lock(&i->i_klist->k_lock); ++ spin_lock_irqsave(&i->i_klist->k_lock, flags); + + if (last) { + next = to_klist_node(last->n_node.next); +@@ -397,7 +399,7 @@ struct klist_node *klist_next(struct kli + next = to_klist_node(next->n_node.next); + } + +- spin_unlock(&i->i_klist->k_lock); ++ spin_unlock_irqrestore(&i->i_klist->k_lock, flags); + + if (put && last) + put(last); diff --git a/queue-4.4/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch b/queue-4.4/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch new file mode 100644 index 00000000000..64e82ebb105 --- /dev/null +++ b/queue-4.4/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch @@ -0,0 +1,34 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Bart Van Assche +Date: Fri, 22 Jun 2018 14:53:01 -0700 +Subject: scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size + +From: Bart Van Assche + +[ Upstream commit 35bea5c84fd13c643cce63f0b5cd4b148f8c901d ] + +Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1") +Signed-off-by: Bart Van Assche +Reviewed-by: Mike Christie +Cc: Mike Christie +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/iscsi/iscsi_target_tpg.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_tpg.c ++++ b/drivers/target/iscsi/iscsi_target_tpg.c +@@ -637,8 +637,7 @@ int iscsit_ta_authentication(struct iscs + none = strstr(buf1, NONE); + if (none) + goto out; +- strncat(buf1, ",", strlen(",")); +- strncat(buf1, NONE, strlen(NONE)); ++ strlcat(buf1, "," NONE, sizeof(buf1)); + if (iscsi_update_param_value(param, buf1) < 0) + return -EINVAL; + } diff --git a/queue-4.4/staging-android-ashmem-fix-mmap-size-validation.patch b/queue-4.4/staging-android-ashmem-fix-mmap-size-validation.patch new file mode 100644 index 00000000000..5f0d562963d --- /dev/null +++ b/queue-4.4/staging-android-ashmem-fix-mmap-size-validation.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Alistair Strachan +Date: Tue, 19 Jun 2018 17:57:35 -0700 +Subject: staging: android: ashmem: Fix mmap size validation + +From: Alistair Strachan + +[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ] + +The ashmem driver did not check that the size/offset of the vma passed +to its .mmap() function was not larger than the ashmem object being +mapped. This could cause mmap() to succeed, even though accessing parts +of the mapping would later fail with a segmentation fault. + +Ensure an error is returned by the ashmem_mmap() function if the vma +size is larger than the ashmem object size. This enables safer handling +of the problem in userspace. + +Cc: Todd Kjos +Cc: devel@driverdev.osuosl.org +Cc: linux-kernel@vger.kernel.org +Cc: kernel-team@android.com +Cc: Joel Fernandes +Signed-off-by: Alistair Strachan +Acked-by: Joel Fernandes (Google) +Reviewed-by: Martijn Coenen +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/android/ashmem.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -370,6 +370,12 @@ static int ashmem_mmap(struct file *file + goto out; + } + ++ /* requested mapping size larger than object size */ ++ if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) { ++ ret = -EINVAL; ++ goto out; ++ } ++ + /* requested protection bits must match our allowed protection mask */ + if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask)) & + calc_vm_prot_bits(PROT_MASK))) { diff --git a/queue-4.4/staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch b/queue-4.4/staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch new file mode 100644 index 00000000000..47fbfc97f77 --- /dev/null +++ b/queue-4.4/staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch @@ -0,0 +1,35 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Colin Ian King +Date: Mon, 2 Jul 2018 14:27:35 +0100 +Subject: staging: rts5208: fix missing error check on call to rtsx_write_register + +From: Colin Ian King + +[ Upstream commit c5fae4f4fd28189b1062fb8ef7b21fec37cb8b17 ] + +Currently the check on error return from the call to rtsx_write_register +is checking the error status from the previous call. Fix this by adding +in the missing assignment of retval. + +Detected by CoverityScan, CID#709877 + +Fixes: fa590c222fba ("staging: rts5208: add support for rts5208 and rts5288") +Signed-off-by: Colin Ian King +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rts5208/sd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rts5208/sd.c ++++ b/drivers/staging/rts5208/sd.c +@@ -5031,7 +5031,7 @@ int sd_execute_write_data(struct scsi_cm + goto SD_Execute_Write_Cmd_Failed; + } + +- rtsx_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00); ++ retval = rtsx_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00); + if (retval != STATUS_SUCCESS) { + rtsx_trace(chip); + goto SD_Execute_Write_Cmd_Failed; diff --git a/queue-4.4/tsl2550-fix-lux1_input-error-in-low-light.patch b/queue-4.4/tsl2550-fix-lux1_input-error-in-low-light.patch new file mode 100644 index 00000000000..1e685e14c6e --- /dev/null +++ b/queue-4.4/tsl2550-fix-lux1_input-error-in-low-light.patch @@ -0,0 +1,39 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Matt Ranostay +Date: Fri, 8 Jun 2018 23:58:15 -0700 +Subject: tsl2550: fix lux1_input error in low light + +From: Matt Ranostay + +[ Upstream commit ce054546cc2c26891cefa2f284d90d93b52205de ] + +ADC channel 0 photodiode detects both infrared + visible light, +but ADC channel 1 just detects infrared. However, the latter is a bit +more sensitive in that range so complete darkness or low light causes +a error condition in which the chan0 - chan1 is negative that +results in a -EAGAIN. + +This patch changes the resulting lux1_input sysfs attribute message from +"Resource temporarily unavailable" to a user-grokable lux value of 0. + +Cc: Arnd Bergmann +Cc: Greg Kroah-Hartman +Signed-off-by: Matt Ranostay +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/tsl2550.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/tsl2550.c ++++ b/drivers/misc/tsl2550.c +@@ -177,7 +177,7 @@ static int tsl2550_calculate_lux(u8 ch0, + } else + lux = 0; + else +- return -EAGAIN; ++ return 0; + + /* LUX range check */ + return lux > TSL2550_MAX_LUX ? TSL2550_MAX_LUX : lux; diff --git a/queue-4.4/usb-serial-kobil_sct-fix-modem-status-error-handling.patch b/queue-4.4/usb-serial-kobil_sct-fix-modem-status-error-handling.patch new file mode 100644 index 00000000000..e809b9d6361 --- /dev/null +++ b/queue-4.4/usb-serial-kobil_sct-fix-modem-status-error-handling.patch @@ -0,0 +1,47 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Johan Hovold +Date: Wed, 4 Jul 2018 17:02:18 +0200 +Subject: USB: serial: kobil_sct: fix modem-status error handling + +From: Johan Hovold + +[ Upstream commit a420b5d939ee58f1d950f0ea782834056520aeaa ] + +Make sure to return -EIO in case of a short modem-status read request. + +While at it, split the debug message to not include the (zeroed) +transfer-buffer content in case of errors. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/kobil_sct.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/kobil_sct.c ++++ b/drivers/usb/serial/kobil_sct.c +@@ -408,12 +408,20 @@ static int kobil_tiocmget(struct tty_str + transfer_buffer_length, + KOBIL_TIMEOUT); + +- dev_dbg(&port->dev, "%s - Send get_status_line_state URB returns: %i. Statusline: %02x\n", +- __func__, result, transfer_buffer[0]); ++ dev_dbg(&port->dev, "Send get_status_line_state URB returns: %i\n", ++ result); ++ if (result < 1) { ++ if (result >= 0) ++ result = -EIO; ++ goto out_free; ++ } ++ ++ dev_dbg(&port->dev, "Statusline: %02x\n", transfer_buffer[0]); + + result = 0; + if ((transfer_buffer[0] & SUSBCR_GSL_DSR) != 0) + result = TIOCM_DSR; ++out_free: + kfree(transfer_buffer); + return result; + } diff --git a/queue-4.4/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch b/queue-4.4/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch new file mode 100644 index 00000000000..ca5cae292b2 --- /dev/null +++ b/queue-4.4/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Julia Lawall +Date: Sun, 1 Jul 2018 19:32:04 +0200 +Subject: usb: wusbcore: security: cast sizeof to int for comparison + +From: Julia Lawall + +[ Upstream commit d3ac5598c5010a8999978ebbcca3b1c6188ca36b ] + +Comparing an int to a size, which is unsigned, causes the int to become +unsigned, giving the wrong result. usb_get_descriptor can return a +negative error code. + +A simplified version of the semantic match that finds this problem is as +follows: (http://coccinelle.lip6.fr/) + +// +@@ +int x; +expression e,e1; +identifier f; +@@ + +*x = f(...); +... when != x = e1 + when != if (x < 0 || ...) { ... return ...; } +*x < sizeof(e) +// + +Signed-off-by: Julia Lawall +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/wusbcore/security.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/wusbcore/security.c ++++ b/drivers/usb/wusbcore/security.c +@@ -230,7 +230,7 @@ int wusb_dev_sec_add(struct wusbhc *wusb + + result = usb_get_descriptor(usb_dev, USB_DT_SECURITY, + 0, secd, sizeof(*secd)); +- if (result < sizeof(*secd)) { ++ if (result < (int)sizeof(*secd)) { + dev_err(dev, "Can't read security descriptor or " + "not enough data: %d\n", result); + goto out; diff --git a/queue-4.4/uwb-hwa-rc-fix-memory-leak-at-probe.patch b/queue-4.4/uwb-hwa-rc-fix-memory-leak-at-probe.patch new file mode 100644 index 00000000000..0b0eb7f5c8a --- /dev/null +++ b/queue-4.4/uwb-hwa-rc-fix-memory-leak-at-probe.patch @@ -0,0 +1,32 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Anton Vasilyev +Date: Fri, 6 Jul 2018 15:32:53 +0300 +Subject: uwb: hwa-rc: fix memory leak at probe + +From: Anton Vasilyev + +[ Upstream commit 11b71782c1d10d9bccc31825cf84291cd7588a1e ] + +hwarc_probe() allocates memory for hwarc, but does not free it +if uwb_rc_add() or hwarc_get_version() fail. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uwb/hwa-rc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/uwb/hwa-rc.c ++++ b/drivers/uwb/hwa-rc.c +@@ -875,6 +875,7 @@ error_get_version: + error_rc_add: + usb_put_intf(iface); + usb_put_dev(hwarc->usb_dev); ++ kfree(hwarc); + error_alloc: + uwb_rc_put(uwb_rc); + error_rc_alloc: diff --git a/queue-4.4/vmci-type-promotion-bug-in-qp_host_get_user_memory.patch b/queue-4.4/vmci-type-promotion-bug-in-qp_host_get_user_memory.patch new file mode 100644 index 00000000000..415bb2870fa --- /dev/null +++ b/queue-4.4/vmci-type-promotion-bug-in-qp_host_get_user_memory.patch @@ -0,0 +1,42 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Dan Carpenter +Date: Wed, 4 Jul 2018 12:33:34 +0300 +Subject: vmci: type promotion bug in qp_host_get_user_memory() + +From: Dan Carpenter + +[ Upstream commit 7fb2fd4e25fc1fb10dcb30b5519de257cfeae84c ] + +The problem is that if get_user_pages_fast() fails and returns a +negative error code, it gets type promoted to a high positive value and +treated as a success. + +Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") +Signed-off-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -755,7 +755,7 @@ static int qp_host_get_user_memory(u64 p + retval = get_user_pages_fast((uintptr_t) produce_uva, + produce_q->kernel_if->num_pages, 1, + produce_q->kernel_if->u.h.header_page); +- if (retval < produce_q->kernel_if->num_pages) { ++ if (retval < (int)produce_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(produce) failed (retval=%d)", + retval); + qp_release_pages(produce_q->kernel_if->u.h.header_page, +@@ -767,7 +767,7 @@ static int qp_host_get_user_memory(u64 p + retval = get_user_pages_fast((uintptr_t) consume_uva, + consume_q->kernel_if->num_pages, 1, + consume_q->kernel_if->u.h.header_page); +- if (retval < consume_q->kernel_if->num_pages) { ++ if (retval < (int)consume_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(consume) failed (retval=%d)", + retval); + qp_release_pages(consume_q->kernel_if->u.h.header_page, diff --git a/queue-4.4/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch b/queue-4.4/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch new file mode 100644 index 00000000000..9decd63ce2b --- /dev/null +++ b/queue-4.4/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch @@ -0,0 +1,55 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Tony Lindgren +Date: Tue, 19 Jun 2018 02:43:35 -0700 +Subject: wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() + +From: Tony Lindgren + +[ Upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1 ] + +Otherwise we can get: + +WARNING: CPU: 0 PID: 55 at drivers/net/wireless/ti/wlcore/io.h:84 + +I've only seen this few times with the runtime PM patches enabled +so this one is probably not needed before that. This seems to +work currently based on the current PM implementation timer. Let's +apply this separately though in case others are hitting this issue. + +Signed-off-by: Tony Lindgren +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ti/wlcore/cmd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/wireless/ti/wlcore/cmd.c ++++ b/drivers/net/wireless/ti/wlcore/cmd.c +@@ -35,6 +35,7 @@ + #include "wl12xx_80211.h" + #include "cmd.h" + #include "event.h" ++#include "ps.h" + #include "tx.h" + #include "hw_ops.h" + +@@ -191,6 +192,10 @@ int wlcore_cmd_wait_for_event_or_timeout + + timeout_time = jiffies + msecs_to_jiffies(WL1271_EVENT_TIMEOUT); + ++ ret = wl1271_ps_elp_wakeup(wl); ++ if (ret < 0) ++ return ret; ++ + do { + if (time_after(jiffies, timeout_time)) { + wl1271_debug(DEBUG_CMD, "timeout waiting for event %d", +@@ -222,6 +227,7 @@ int wlcore_cmd_wait_for_event_or_timeout + } while (!event); + + out: ++ wl1271_ps_elp_sleep(wl); + kfree(events_vector); + return ret; + } diff --git a/queue-4.4/x86-entry-64-add-two-more-instruction-suffixes.patch b/queue-4.4/x86-entry-64-add-two-more-instruction-suffixes.patch new file mode 100644 index 00000000000..d528b723d33 --- /dev/null +++ b/queue-4.4/x86-entry-64-add-two-more-instruction-suffixes.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Jan Beulich +Date: Mon, 2 Jul 2018 04:47:57 -0600 +Subject: x86/entry/64: Add two more instruction suffixes + +From: Jan Beulich + +[ Upstream commit 6709812f094d96543b443645c68daaa32d3d3e77 ] + +Sadly, other than claimed in: + + a368d7fd2a ("x86/entry/64: Add instruction suffix") + +... there are two more instances which want to be adjusted. + +As said there, omitting suffixes from instructions in AT&T mode is bad +practice when operand size cannot be determined by the assembler from +register operands, and is likely going to be warned about by upstream +gas in the future (mine does already). + +Add the other missing suffixes here as well. + +Signed-off-by: Jan Beulich +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/5B3A02DD02000078001CFB78@prv1-mh.provo.novell.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/entry/entry_64.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -90,7 +90,7 @@ ENDPROC(native_usergs_sysret64) + .endm + + .macro TRACE_IRQS_IRETQ_DEBUG +- bt $9, EFLAGS(%rsp) /* interrupts off? */ ++ btl $9, EFLAGS(%rsp) /* interrupts off? */ + jnc 1f + TRACE_IRQS_ON_DEBUG + 1: +@@ -620,7 +620,7 @@ retint_kernel: + #ifdef CONFIG_PREEMPT + /* Interrupts are off */ + /* Check if we need preemption */ +- bt $9, EFLAGS(%rsp) /* were interrupts off? */ ++ btl $9, EFLAGS(%rsp) /* were interrupts off? */ + jnc 1f + 0: cmpl $0, PER_CPU_VAR(__preempt_count) + jnz 1f diff --git a/queue-4.4/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch b/queue-4.4/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch new file mode 100644 index 00000000000..8c19a850497 --- /dev/null +++ b/queue-4.4/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch @@ -0,0 +1,38 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Dan Williams +Date: Fri, 6 Jul 2018 09:08:01 -0700 +Subject: x86/numa_emulation: Fix emulated-to-physical node mapping + +From: Dan Williams + +[ Upstream commit 3b6c62f363a19ce82bf378187ab97c9dc01e3927 ] + +Without this change the distance table calculation for emulated nodes +may use the wrong numa node and report an incorrect distance. + +Signed-off-by: Dan Williams +Cc: David Rientjes +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Wei Yang +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/153089328103.27680.14778434392225818887.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/numa_emulation.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/mm/numa_emulation.c ++++ b/arch/x86/mm/numa_emulation.c +@@ -60,7 +60,7 @@ static int __init emu_setup_memblk(struc + eb->nid = nid; + + if (emu_nid_to_phys[nid] == NUMA_NO_NODE) +- emu_nid_to_phys[nid] = nid; ++ emu_nid_to_phys[nid] = pb->nid; + + pb->start += size; + if (pb->start >= pb->end) { diff --git a/queue-4.4/x86-tsc-add-missing-header-to-tsc_msr.c.patch b/queue-4.4/x86-tsc-add-missing-header-to-tsc_msr.c.patch new file mode 100644 index 00000000000..324f42583d6 --- /dev/null +++ b/queue-4.4/x86-tsc-add-missing-header-to-tsc_msr.c.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:30:43 PDT 2018 +From: Andy Shevchenko +Date: Fri, 29 Jun 2018 22:31:10 +0300 +Subject: x86/tsc: Add missing header to tsc_msr.c + +From: Andy Shevchenko + +[ Upstream commit dbd0fbc76c77daac08ddd245afdcbade0d506e19 ] + +Add a missing header otherwise compiler warns about missed prototype: + +CC arch/x86/kernel/tsc_msr.o +arch/x86/kernel/tsc_msr.c:73:15: warning: no previous prototype for ‘cpu_khz_from_msr’ [-Wmissing-prototypes] + unsigned long cpu_khz_from_msr(void) + ^~~~~~~~~~~~~~~~ + +Signed-off-by: Andy Shevchenko +Signed-off-by: Thomas Gleixner +Cc: "H. Peter Anvin" +Cc: Pavel Tatashin +Link: https://lkml.kernel.org/r/20180629193113.84425-4-andriy.shevchenko@linux.intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/tsc_msr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/tsc_msr.c ++++ b/arch/x86/kernel/tsc_msr.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + /* CPU reference clock frequency: in KHz */ + #define FREQ_83 83200