From: Greg Kroah-Hartman Date: Sun, 29 Apr 2018 12:56:29 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.16.7~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5cdfdd0b61d8455fa3b9573095f154ad8a27bd63;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch libceph-validate-con-state-at-the-top-of-try_write.patch --- diff --git a/queue-3.18/asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch b/queue-3.18/asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch new file mode 100644 index 00000000000..7653bb1487e --- /dev/null +++ b/queue-3.18/asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch @@ -0,0 +1,47 @@ +From c656941df9bc80f7ec65b92ca73c42f8b0b62628 Mon Sep 17 00:00:00 2001 +From: Nicolin Chen +Date: Sun, 8 Apr 2018 16:57:35 -0700 +Subject: ASoC: fsl_esai: Fix divisor calculation failure at lower ratio + +From: Nicolin Chen + +commit c656941df9bc80f7ec65b92ca73c42f8b0b62628 upstream. + +When the desired ratio is less than 256, the savesub (tolerance) +in the calculation would become 0. This will then fail the loop- +search immediately without reporting any errors. + +But if the ratio is smaller enough, there is no need to calculate +the tolerance because PM divisor alone is enough to get the ratio. + +So a simple fix could be just to set PM directly instead of going +into the loop-search. + +Reported-by: Marek Vasut +Signed-off-by: Nicolin Chen +Tested-by: Marek Vasut +Reviewed-by: Fabio Estevam +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/fsl/fsl_esai.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/soc/fsl/fsl_esai.c ++++ b/sound/soc/fsl/fsl_esai.c +@@ -143,6 +143,13 @@ static int fsl_esai_divisor_cal(struct s + + psr = ratio <= 256 * maxfp ? ESAI_xCCR_xPSR_BYPASS : ESAI_xCCR_xPSR_DIV8; + ++ /* Do not loop-search if PM (1 ~ 256) alone can serve the ratio */ ++ if (ratio <= 256) { ++ pm = ratio; ++ fp = 1; ++ goto out; ++ } ++ + /* Set the max fluctuation -- 0.1% of the max devisor */ + savesub = (psr ? 1 : 8) * 256 * maxfp / 1000; + diff --git a/queue-3.18/libceph-validate-con-state-at-the-top-of-try_write.patch b/queue-3.18/libceph-validate-con-state-at-the-top-of-try_write.patch new file mode 100644 index 00000000000..bd9c79907ff --- /dev/null +++ b/queue-3.18/libceph-validate-con-state-at-the-top-of-try_write.patch @@ -0,0 +1,56 @@ +From 9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Tue, 24 Apr 2018 19:10:55 +0200 +Subject: libceph: validate con->state at the top of try_write() + +From: Ilya Dryomov + +commit 9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7 upstream. + +ceph_con_workfn() validates con->state before calling try_read() and +then try_write(). However, try_read() temporarily releases con->mutex, +notably in process_message() and ceph_con_in_msg_alloc(), opening the +window for ceph_con_close() to sneak in, close the connection and +release con->sock. When try_write() is called on the assumption that +con->state is still valid (i.e. not STANDBY or CLOSED), a NULL sock +gets passed to the networking stack: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 + IP: selinux_socket_sendmsg+0x5/0x20 + +Make sure con->state is valid at the top of try_write() and add an +explicit BUG_ON for this, similar to try_read(). + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/23706 +Signed-off-by: Ilya Dryomov +Reviewed-by: Jason Dillaman +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/messenger.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -2449,6 +2449,11 @@ static int try_write(struct ceph_connect + int ret = 1; + + dout("try_write start %p state %lu\n", con, con->state); ++ if (con->state != CON_STATE_PREOPEN && ++ con->state != CON_STATE_CONNECTING && ++ con->state != CON_STATE_NEGOTIATING && ++ con->state != CON_STATE_OPEN) ++ return 0; + + more: + dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes); +@@ -2474,6 +2479,8 @@ more: + } + + more_kvec: ++ BUG_ON(!con->sock); ++ + /* kvec data queued? */ + if (con->out_skip) { + ret = write_partial_skip(con); diff --git a/queue-3.18/series b/queue-3.18/series index e3de4c65c82..d3036e67a46 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -20,3 +20,5 @@ mtd-cfi-cmdset_0001-workaround-micron-erase-suspend-bug.patch mtd-cfi-cmdset_0002-do-not-allow-read-write-to-suspend-erase-block.patch kobject-don-t-use-warn-for-registration-failures.patch scsi-sd-defer-spinning-up-drive-while-sanitize-is-in-progress.patch +asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch +libceph-validate-con-state-at-the-top-of-try_write.patch