From: Greg Kroah-Hartman Date: Tue, 4 Jun 2019 12:21:25 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.1.8~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=638585f7111dabbe824e8f6cf424eaf51cf2ecee;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: arm64-fix-the-arm64_personality-syscall-wrapper-redirection.patch cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch cifs-fix-memory-leak-of-pneg_inbuf-on-eopnotsupp-ioctl-case.patch doc-cope-with-sphinx-logging-deprecations.patch doc-cope-with-the-deprecation-of-autoreporter.patch docs-fix-conf.py-for-sphinx-2.0.patch drm-nouveau-i2c-disable-i2c-bus-access-after-fini.patch evm-check-hash-algorithm-passed-to-init_desc.patch gcc-plugins-fix-build-failures-under-darwin-host.patch i2c-mlxcpld-fix-wrong-initialization-order-in-probe.patch i2c-synquacer-fix-synquacer_i2c_doxfer-return-value.patch ima-show-rules-with-ima_inmask-correctly.patch kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch memcg-make-it-work-on-sparse-non-0-node-systems.patch revert-lockd-show-pid-of-lockd-for-remote-locks.patch serial-sh-sci-disable-dma-for-uart_console.patch staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch staging-wlan-ng-fix-adapter-initialization-failure.patch tty-max310x-fix-external-crystal-register-setup.patch tty-serial-msm_serial-fix-xon-xoff.patch vt-fbcon-deinitialize-resources-in-visual_init-after-failed-memory-allocation.patch --- diff --git a/queue-4.19/arm64-fix-the-arm64_personality-syscall-wrapper-redirection.patch b/queue-4.19/arm64-fix-the-arm64_personality-syscall-wrapper-redirection.patch new file mode 100644 index 00000000000..e05b26b836c --- /dev/null +++ b/queue-4.19/arm64-fix-the-arm64_personality-syscall-wrapper-redirection.patch @@ -0,0 +1,36 @@ +From 00377277166bac6939d8f72b429301369acaf2d8 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Tue, 28 May 2019 12:39:34 +0100 +Subject: arm64: Fix the arm64_personality() syscall wrapper redirection + +From: Catalin Marinas + +commit 00377277166bac6939d8f72b429301369acaf2d8 upstream. + +Following commit 4378a7d4be30 ("arm64: implement syscall wrappers"), the +syscall function names gained the '__arm64_' prefix. Ensure that we +have the correct #define for redirecting a default syscall through a +wrapper. + +Fixes: 4378a7d4be30 ("arm64: implement syscall wrappers") +Cc: # 4.19.x- +Acked-by: Mark Rutland +Signed-off-by: Catalin Marinas +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/sys.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/sys.c ++++ b/arch/arm64/kernel/sys.c +@@ -50,7 +50,7 @@ SYSCALL_DEFINE1(arm64_personality, unsig + /* + * Wrappers to pass the pt_regs argument. + */ +-#define sys_personality sys_arm64_personality ++#define __arm64_sys_personality __arm64_sys_arm64_personality + + asmlinkage long sys_ni_syscall(const struct pt_regs *); + #define __arm64_sys_ni_syscall sys_ni_syscall diff --git a/queue-4.19/cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch b/queue-4.19/cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch new file mode 100644 index 00000000000..e86c3399632 --- /dev/null +++ b/queue-4.19/cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch @@ -0,0 +1,37 @@ +From 31fad7d41e73731f05b8053d17078638cf850fa6 Mon Sep 17 00:00:00 2001 +From: Roberto Bergantinos Corpas +Date: Tue, 28 May 2019 09:38:14 +0200 +Subject: CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM + +From: Roberto Bergantinos Corpas + +commit 31fad7d41e73731f05b8053d17078638cf850fa6 upstream. + + In cifs_read_allocate_pages, in case of ENOMEM, we go through +whole rdata->pages array but we have failed the allocation before +nr_pages, therefore we may end up calling put_page with NULL +pointer, causing oops + +Signed-off-by: Roberto Bergantinos Corpas +Acked-by: Pavel Shilovsky +Signed-off-by: Steve French +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/file.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -2988,7 +2988,9 @@ cifs_read_allocate_pages(struct cifs_rea + } + + if (rc) { +- for (i = 0; i < nr_pages; i++) { ++ unsigned int nr_page_failed = i; ++ ++ for (i = 0; i < nr_page_failed; i++) { + put_page(rdata->pages[i]); + rdata->pages[i] = NULL; + } diff --git a/queue-4.19/cifs-fix-memory-leak-of-pneg_inbuf-on-eopnotsupp-ioctl-case.patch b/queue-4.19/cifs-fix-memory-leak-of-pneg_inbuf-on-eopnotsupp-ioctl-case.patch new file mode 100644 index 00000000000..ef37e99adac --- /dev/null +++ b/queue-4.19/cifs-fix-memory-leak-of-pneg_inbuf-on-eopnotsupp-ioctl-case.patch @@ -0,0 +1,36 @@ +From 210782038b54ec8e9059a3c12d6f6ae173efa3a9 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Fri, 17 May 2019 09:12:33 +0100 +Subject: cifs: fix memory leak of pneg_inbuf on -EOPNOTSUPP ioctl case + +From: Colin Ian King + +commit 210782038b54ec8e9059a3c12d6f6ae173efa3a9 upstream. + +Currently in the case where SMB2_ioctl returns the -EOPNOTSUPP error +there is a memory leak of pneg_inbuf. Fix this by returning via +the out_free_inbuf exit path that will perform the relevant kfree. + +Addresses-Coverity: ("Resource leak") +Fixes: 969ae8e8d4ee ("cifs: Accept validate negotiate if server return NT_STATUS_NOT_SUPPORTED") +CC: Stable # v5.1+ +Signed-off-by: Colin Ian King +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -887,7 +887,8 @@ int smb3_validate_negotiate(const unsign + * not supported error. Client should accept it. + */ + cifs_dbg(VFS, "Server does not support validate negotiate\n"); +- return 0; ++ rc = 0; ++ goto out_free_inbuf; + } else if (rc != 0) { + cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc); + rc = -EIO; diff --git a/queue-4.19/doc-cope-with-sphinx-logging-deprecations.patch b/queue-4.19/doc-cope-with-sphinx-logging-deprecations.patch new file mode 100644 index 00000000000..b8d0be2b1ba --- /dev/null +++ b/queue-4.19/doc-cope-with-sphinx-logging-deprecations.patch @@ -0,0 +1,227 @@ +From 096ea522e84ea68f8e6c41e5e7294731a81e29bc Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet +Date: Tue, 21 May 2019 14:23:43 -0600 +Subject: doc: Cope with Sphinx logging deprecations + +From: Jonathan Corbet + +commit 096ea522e84ea68f8e6c41e5e7294731a81e29bc upstream. + +Recent versions of sphinx will emit messages like: + + Documentation/sphinx/kerneldoc.py:103: + RemovedInSphinx20Warning: app.warning() is now deprecated. + Use sphinx.util.logging instead. + +Switch to sphinx.util.logging to make this unsightly message go away. +Alas, that interface was only added in version 1.6, so we have to add a +version check to keep things working with older sphinxes. + +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/sphinx/kerneldoc.py | 12 +++++++---- + Documentation/sphinx/kernellog.py | 28 ++++++++++++++++++++++++++ + Documentation/sphinx/kfigure.py | 40 +++++++++++++++++++++----------------- + 3 files changed, 59 insertions(+), 21 deletions(-) + +--- a/Documentation/sphinx/kerneldoc.py ++++ b/Documentation/sphinx/kerneldoc.py +@@ -49,6 +49,8 @@ if Use_SSI: + else: + from sphinx.ext.autodoc import AutodocReporter + ++import kernellog ++ + __version__ = '1.0' + + class KernelDocDirective(Directive): +@@ -100,7 +102,8 @@ class KernelDocDirective(Directive): + cmd += [filename] + + try: +- env.app.verbose('calling kernel-doc \'%s\'' % (" ".join(cmd))) ++ kernellog.verbose(env.app, ++ 'calling kernel-doc \'%s\'' % (" ".join(cmd))) + + p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = p.communicate() +@@ -110,7 +113,8 @@ class KernelDocDirective(Directive): + if p.returncode != 0: + sys.stderr.write(err) + +- env.app.warn('kernel-doc \'%s\' failed with return code %d' % (" ".join(cmd), p.returncode)) ++ kernellog.warn(env.app, ++ 'kernel-doc \'%s\' failed with return code %d' % (" ".join(cmd), p.returncode)) + return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))] + elif env.config.kerneldoc_verbosity > 0: + sys.stderr.write(err) +@@ -136,8 +140,8 @@ class KernelDocDirective(Directive): + return node.children + + except Exception as e: # pylint: disable=W0703 +- env.app.warn('kernel-doc \'%s\' processing failed with: %s' % +- (" ".join(cmd), str(e))) ++ kernellog.warn(env.app, 'kernel-doc \'%s\' processing failed with: %s' % ++ (" ".join(cmd), str(e))) + return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))] + + def do_parse(self, result, node): +--- /dev/null ++++ b/Documentation/sphinx/kernellog.py +@@ -0,0 +1,28 @@ ++# SPDX-License-Identifier: GPL-2.0 ++# ++# Sphinx has deprecated its older logging interface, but the replacement ++# only goes back to 1.6. So here's a wrapper layer to keep around for ++# as long as we support 1.4. ++# ++import sphinx ++ ++if sphinx.__version__[:3] >= '1.6': ++ UseLogging = True ++ from sphinx.util import logging ++ logger = logging.getLogger('kerneldoc') ++else: ++ UseLogging = False ++ ++def warn(app, message): ++ if UseLogging: ++ logger.warning(message) ++ else: ++ app.warn(message) ++ ++def verbose(app, message): ++ if UseLogging: ++ logger.verbose(message) ++ else: ++ app.verbose(message) ++ ++ +--- a/Documentation/sphinx/kfigure.py ++++ b/Documentation/sphinx/kfigure.py +@@ -60,6 +60,8 @@ import sphinx + from sphinx.util.nodes import clean_astext + from six import iteritems + ++import kernellog ++ + PY3 = sys.version_info[0] == 3 + + if PY3: +@@ -171,20 +173,20 @@ def setupTools(app): + This function is called once, when the builder is initiated. + """ + global dot_cmd, convert_cmd # pylint: disable=W0603 +- app.verbose("kfigure: check installed tools ...") ++ kernellog.verbose(app, "kfigure: check installed tools ...") + + dot_cmd = which('dot') + convert_cmd = which('convert') + + if dot_cmd: +- app.verbose("use dot(1) from: " + dot_cmd) ++ kernellog.verbose(app, "use dot(1) from: " + dot_cmd) + else: +- app.warn("dot(1) not found, for better output quality install " +- "graphviz from http://www.graphviz.org") ++ kernellog.warn(app, "dot(1) not found, for better output quality install " ++ "graphviz from http://www.graphviz.org") + if convert_cmd: +- app.verbose("use convert(1) from: " + convert_cmd) ++ kernellog.verbose(app, "use convert(1) from: " + convert_cmd) + else: +- app.warn( ++ kernellog.warn(app, + "convert(1) not found, for SVG to PDF conversion install " + "ImageMagick (https://www.imagemagick.org)") + +@@ -220,12 +222,13 @@ def convert_image(img_node, translator, + + # in kernel builds, use 'make SPHINXOPTS=-v' to see verbose messages + +- app.verbose('assert best format for: ' + img_node['uri']) ++ kernellog.verbose(app, 'assert best format for: ' + img_node['uri']) + + if in_ext == '.dot': + + if not dot_cmd: +- app.verbose("dot from graphviz not available / include DOT raw.") ++ kernellog.verbose(app, ++ "dot from graphviz not available / include DOT raw.") + img_node.replace_self(file2literal(src_fname)) + + elif translator.builder.format == 'latex': +@@ -252,7 +255,8 @@ def convert_image(img_node, translator, + + if translator.builder.format == 'latex': + if convert_cmd is None: +- app.verbose("no SVG to PDF conversion available / include SVG raw.") ++ kernellog.verbose(app, ++ "no SVG to PDF conversion available / include SVG raw.") + img_node.replace_self(file2literal(src_fname)) + else: + dst_fname = path.join(translator.builder.outdir, fname + '.pdf') +@@ -265,18 +269,19 @@ def convert_image(img_node, translator, + _name = dst_fname[len(translator.builder.outdir) + 1:] + + if isNewer(dst_fname, src_fname): +- app.verbose("convert: {out}/%s already exists and is newer" % _name) ++ kernellog.verbose(app, ++ "convert: {out}/%s already exists and is newer" % _name) + + else: + ok = False + mkdir(path.dirname(dst_fname)) + + if in_ext == '.dot': +- app.verbose('convert DOT to: {out}/' + _name) ++ kernellog.verbose(app, 'convert DOT to: {out}/' + _name) + ok = dot2format(app, src_fname, dst_fname) + + elif in_ext == '.svg': +- app.verbose('convert SVG to: {out}/' + _name) ++ kernellog.verbose(app, 'convert SVG to: {out}/' + _name) + ok = svg2pdf(app, src_fname, dst_fname) + + if not ok: +@@ -305,7 +310,8 @@ def dot2format(app, dot_fname, out_fname + with open(out_fname, "w") as out: + exit_code = subprocess.call(cmd, stdout = out) + if exit_code != 0: +- app.warn("Error #%d when calling: %s" % (exit_code, " ".join(cmd))) ++ kernellog.warn(app, ++ "Error #%d when calling: %s" % (exit_code, " ".join(cmd))) + return bool(exit_code == 0) + + def svg2pdf(app, svg_fname, pdf_fname): +@@ -322,7 +328,7 @@ def svg2pdf(app, svg_fname, pdf_fname): + # use stdout and stderr from parent + exit_code = subprocess.call(cmd) + if exit_code != 0: +- app.warn("Error #%d when calling: %s" % (exit_code, " ".join(cmd))) ++ kernellog.warn(app, "Error #%d when calling: %s" % (exit_code, " ".join(cmd))) + return bool(exit_code == 0) + + +@@ -415,15 +421,15 @@ def visit_kernel_render(self, node): + app = self.builder.app + srclang = node.get('srclang') + +- app.verbose('visit kernel-render node lang: "%s"' % (srclang)) ++ kernellog.verbose(app, 'visit kernel-render node lang: "%s"' % (srclang)) + + tmp_ext = RENDER_MARKUP_EXT.get(srclang, None) + if tmp_ext is None: +- app.warn('kernel-render: "%s" unknown / include raw.' % (srclang)) ++ kernellog.warn(app, 'kernel-render: "%s" unknown / include raw.' % (srclang)) + return + + if not dot_cmd and tmp_ext == '.dot': +- app.verbose("dot from graphviz not available / include raw.") ++ kernellog.verbose(app, "dot from graphviz not available / include raw.") + return + + literal_block = node[0] diff --git a/queue-4.19/doc-cope-with-the-deprecation-of-autoreporter.patch b/queue-4.19/doc-cope-with-the-deprecation-of-autoreporter.patch new file mode 100644 index 00000000000..35a979f5ea1 --- /dev/null +++ b/queue-4.19/doc-cope-with-the-deprecation-of-autoreporter.patch @@ -0,0 +1,83 @@ +From 2404dad1f67f8917e30fc22a85e0dbcc85b99955 Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet +Date: Tue, 21 May 2019 14:42:34 -0600 +Subject: doc: Cope with the deprecation of AutoReporter + +From: Jonathan Corbet + +commit 2404dad1f67f8917e30fc22a85e0dbcc85b99955 upstream. + +AutoReporter is going away; recent versions of sphinx emit a warning like: + + Documentation/sphinx/kerneldoc.py:125: + RemovedInSphinx20Warning: AutodocReporter is now deprecated. + Use sphinx.util.docutils.switch_source_input() instead. + +Make the switch. But switch_source_input() only showed up in 1.7, so we +have to do ugly version checks to keep things working in older versions. + +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/sphinx/kerneldoc.py | 34 ++++++++++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 8 deletions(-) + +--- a/Documentation/sphinx/kerneldoc.py ++++ b/Documentation/sphinx/kerneldoc.py +@@ -37,7 +37,17 @@ import glob + from docutils import nodes, statemachine + from docutils.statemachine import ViewList + from docutils.parsers.rst import directives, Directive +-from sphinx.ext.autodoc import AutodocReporter ++ ++# ++# AutodocReporter is only good up to Sphinx 1.7 ++# ++import sphinx ++ ++Use_SSI = sphinx.__version__[:3] >= '1.7' ++if Use_SSI: ++ from sphinx.util.docutils import switch_source_input ++else: ++ from sphinx.ext.autodoc import AutodocReporter + + __version__ = '1.0' + +@@ -121,13 +131,7 @@ class KernelDocDirective(Directive): + lineoffset += 1 + + node = nodes.section() +- buf = self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter +- self.state.memo.reporter = AutodocReporter(result, self.state.memo.reporter) +- self.state.memo.title_styles, self.state.memo.section_level = [], 0 +- try: +- self.state.nested_parse(result, 0, node, match_titles=1) +- finally: +- self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter = buf ++ self.do_parse(result, node) + + return node.children + +@@ -136,6 +140,20 @@ class KernelDocDirective(Directive): + (" ".join(cmd), str(e))) + return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))] + ++ def do_parse(self, result, node): ++ if Use_SSI: ++ with switch_source_input(self.state, result): ++ self.state.nested_parse(result, 0, node, match_titles=1) ++ else: ++ save = self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter ++ self.state.memo.reporter = AutodocReporter(result, self.state.memo.reporter) ++ self.state.memo.title_styles, self.state.memo.section_level = [], 0 ++ try: ++ self.state.nested_parse(result, 0, node, match_titles=1) ++ finally: ++ self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter = save ++ ++ + def setup(app): + app.add_config_value('kerneldoc_bin', None, 'env') + app.add_config_value('kerneldoc_srctree', None, 'env') diff --git a/queue-4.19/docs-fix-conf.py-for-sphinx-2.0.patch b/queue-4.19/docs-fix-conf.py-for-sphinx-2.0.patch new file mode 100644 index 00000000000..cedf5e90172 --- /dev/null +++ b/queue-4.19/docs-fix-conf.py-for-sphinx-2.0.patch @@ -0,0 +1,32 @@ +From 3bc8088464712fdcb078eefb68837ccfcc413c88 Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet +Date: Wed, 22 May 2019 14:30:45 -0600 +Subject: docs: Fix conf.py for Sphinx 2.0 + +From: Jonathan Corbet + +commit 3bc8088464712fdcb078eefb68837ccfcc413c88 upstream. + +Our version check in Documentation/conf.py never envisioned a world where +Sphinx moved beyond 1.x. Now that the unthinkable has happened, fix our +version check to handle higher version numbers correctly. + +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/conf.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/conf.py ++++ b/Documentation/conf.py +@@ -37,7 +37,7 @@ needs_sphinx = '1.3' + extensions = ['kerneldoc', 'rstFlatTable', 'kernel_include', 'cdomain', 'kfigure', 'sphinx.ext.ifconfig'] + + # The name of the math extension changed on Sphinx 1.4 +-if major == 1 and minor > 3: ++if (major == 1 and minor > 3) or (major > 1): + extensions.append("sphinx.ext.imgmath") + else: + extensions.append("sphinx.ext.pngmath") diff --git a/queue-4.19/drm-nouveau-i2c-disable-i2c-bus-access-after-fini.patch b/queue-4.19/drm-nouveau-i2c-disable-i2c-bus-access-after-fini.patch new file mode 100644 index 00000000000..abad96ec574 --- /dev/null +++ b/queue-4.19/drm-nouveau-i2c-disable-i2c-bus-access-after-fini.patch @@ -0,0 +1,265 @@ +From 342406e4fbba9a174125fbfe6aeac3d64ef90f76 Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Tue, 9 Apr 2019 16:23:30 -0400 +Subject: drm/nouveau/i2c: Disable i2c bus access after ->fini() + +From: Lyude Paul + +commit 342406e4fbba9a174125fbfe6aeac3d64ef90f76 upstream. + +For a while, we've had the problem of i2c bus access not grabbing +a runtime PM ref when it's being used in userspace by i2c-dev, resulting +in nouveau spamming the kernel log with errors if anything attempts to +access the i2c bus while the GPU is in runtime suspend. An example: + +[ 130.078386] nouveau 0000:01:00.0: i2c: aux 000d: begin idle timeout ffffffff + +Since the GPU is in runtime suspend, the MMIO region that the i2c bus is +on isn't accessible. On x86, the standard behavior for accessing an +unavailable MMIO region is to just return ~0. + +Except, that turned out to be a lie. While computers with a clean +concious will return ~0 in this scenario, some machines will actually +completely hang a CPU on certian bad MMIO accesses. This was witnessed +with someone's Lenovo ThinkPad P50, where sensors-detect attempting to +access the i2c bus while the GPU was suspended would result in a CPU +hang: + + CPU: 5 PID: 12438 Comm: sensors-detect Not tainted 5.0.0-0.rc4.git3.1.fc30.x86_64 #1 + Hardware name: LENOVO 20EQS64N17/20EQS64N17, BIOS N1EET74W (1.47 ) 11/21/2017 + RIP: 0010:ioread32+0x2b/0x30 + Code: 81 ff ff ff 03 00 77 20 48 81 ff 00 00 01 00 76 05 0f b7 d7 ed c3 + 48 c7 c6 e1 0c 36 96 e8 2d ff ff ff b8 ff ff ff ff c3 8b 07 0f 1f + 40 00 49 89 f0 48 81 fe ff ff 03 00 76 04 40 88 3e c3 48 + RSP: 0018:ffffaac3c5007b48 EFLAGS: 00000292 ORIG_RAX: ffffffffffffff13 + RAX: 0000000001111000 RBX: 0000000001111000 RCX: 0000043017a97186 + RDX: 0000000000000aaa RSI: 0000000000000005 RDI: ffffaac3c400e4e4 + RBP: ffff9e6443902c00 R08: ffffaac3c400e4e4 R09: ffffaac3c5007be7 + R10: 0000000000000004 R11: 0000000000000001 R12: ffff9e6445dd0000 + R13: 000000000000e4e4 R14: 00000000000003c4 R15: 0000000000000000 + FS: 00007f253155a740(0000) GS:ffff9e644f600000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00005630d1500358 CR3: 0000000417c44006 CR4: 00000000003606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + g94_i2c_aux_xfer+0x326/0x850 [nouveau] + nvkm_i2c_aux_i2c_xfer+0x9e/0x140 [nouveau] + __i2c_transfer+0x14b/0x620 + i2c_smbus_xfer_emulated+0x159/0x680 + ? _raw_spin_unlock_irqrestore+0x1/0x60 + ? rt_mutex_slowlock.constprop.0+0x13d/0x1e0 + ? __lock_is_held+0x59/0xa0 + __i2c_smbus_xfer+0x138/0x5a0 + i2c_smbus_xfer+0x4f/0x80 + i2cdev_ioctl_smbus+0x162/0x2d0 [i2c_dev] + i2cdev_ioctl+0x1db/0x2c0 [i2c_dev] + do_vfs_ioctl+0x408/0x750 + ksys_ioctl+0x5e/0x90 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x60/0x1e0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7f25317f546b + Code: 0f 1e fa 48 8b 05 1d da 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff + ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 + f0 ff ff 73 01 c3 48 8b 0d ed d9 0c 00 f7 d8 64 89 01 48 + RSP: 002b:00007ffc88caab68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + RAX: ffffffffffffffda RBX: 00005630d0fe7260 RCX: 00007f25317f546b + RDX: 00005630d1598e80 RSI: 0000000000000720 RDI: 0000000000000003 + RBP: 00005630d155b968 R08: 0000000000000001 R09: 00005630d15a1da0 + R10: 0000000000000070 R11: 0000000000000246 R12: 00005630d1598e80 + R13: 00005630d12f3d28 R14: 0000000000000720 R15: 00005630d12f3ce0 + watchdog: BUG: soft lockup - CPU#5 stuck for 23s! [sensors-detect:12438] + +Yikes! While I wanted to try to make it so that accessing an i2c bus on +nouveau would wake up the GPU as needed, airlied pointed out that pretty +much any usecase for userspace accessing an i2c bus on a GPU (mainly for +the DDC brightness control that some displays have) is going to only be +useful while there's at least one display enabled on the GPU anyway, and +the GPU never sleeps while there's displays running. + +Since teaching the i2c bus to wake up the GPU on userspace accesses is a +good deal more difficult than it might seem, mostly due to the fact that +we have to use the i2c bus during runtime resume of the GPU, we instead +opt for the easiest solution: don't let userspace access i2c busses on +the GPU at all while it's in runtime suspend. + +Changes since v1: +* Also disable i2c busses that run over DP AUX + +Signed-off-by: Lyude Paul +Cc: stable@vger.kernel.org +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h | 2 + + drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c | 26 +++++++++++++++++++++- + drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h | 2 + + drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c | 15 ++++++++++++ + drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c | 21 ++++++++++++++++- + drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h | 1 + 6 files changed, 65 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h ++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h +@@ -38,6 +38,7 @@ struct nvkm_i2c_bus { + struct mutex mutex; + struct list_head head; + struct i2c_adapter i2c; ++ u8 enabled; + }; + + int nvkm_i2c_bus_acquire(struct nvkm_i2c_bus *); +@@ -57,6 +58,7 @@ struct nvkm_i2c_aux { + struct mutex mutex; + struct list_head head; + struct i2c_adapter i2c; ++ u8 enabled; + + u32 intr; + }; +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c +@@ -105,9 +105,15 @@ nvkm_i2c_aux_acquire(struct nvkm_i2c_aux + { + struct nvkm_i2c_pad *pad = aux->pad; + int ret; ++ + AUX_TRACE(aux, "acquire"); + mutex_lock(&aux->mutex); +- ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX); ++ ++ if (aux->enabled) ++ ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX); ++ else ++ ret = -EIO; ++ + if (ret) + mutex_unlock(&aux->mutex); + return ret; +@@ -145,6 +151,24 @@ nvkm_i2c_aux_del(struct nvkm_i2c_aux **p + } + } + ++void ++nvkm_i2c_aux_init(struct nvkm_i2c_aux *aux) ++{ ++ AUX_TRACE(aux, "init"); ++ mutex_lock(&aux->mutex); ++ aux->enabled = true; ++ mutex_unlock(&aux->mutex); ++} ++ ++void ++nvkm_i2c_aux_fini(struct nvkm_i2c_aux *aux) ++{ ++ AUX_TRACE(aux, "fini"); ++ mutex_lock(&aux->mutex); ++ aux->enabled = false; ++ mutex_unlock(&aux->mutex); ++} ++ + int + nvkm_i2c_aux_ctor(const struct nvkm_i2c_aux_func *func, + struct nvkm_i2c_pad *pad, int id, +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h +@@ -16,6 +16,8 @@ int nvkm_i2c_aux_ctor(const struct nvkm_ + int nvkm_i2c_aux_new_(const struct nvkm_i2c_aux_func *, struct nvkm_i2c_pad *, + int id, struct nvkm_i2c_aux **); + void nvkm_i2c_aux_del(struct nvkm_i2c_aux **); ++void nvkm_i2c_aux_init(struct nvkm_i2c_aux *); ++void nvkm_i2c_aux_fini(struct nvkm_i2c_aux *); + int nvkm_i2c_aux_xfer(struct nvkm_i2c_aux *, bool retry, u8 type, + u32 addr, u8 *data, u8 *size); + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c +@@ -160,8 +160,18 @@ nvkm_i2c_fini(struct nvkm_subdev *subdev + { + struct nvkm_i2c *i2c = nvkm_i2c(subdev); + struct nvkm_i2c_pad *pad; ++ struct nvkm_i2c_bus *bus; ++ struct nvkm_i2c_aux *aux; + u32 mask; + ++ list_for_each_entry(aux, &i2c->aux, head) { ++ nvkm_i2c_aux_fini(aux); ++ } ++ ++ list_for_each_entry(bus, &i2c->bus, head) { ++ nvkm_i2c_bus_fini(bus); ++ } ++ + if ((mask = (1 << i2c->func->aux) - 1), i2c->func->aux_stat) { + i2c->func->aux_mask(i2c, NVKM_I2C_ANY, mask, 0); + i2c->func->aux_stat(i2c, &mask, &mask, &mask, &mask); +@@ -180,6 +190,7 @@ nvkm_i2c_init(struct nvkm_subdev *subdev + struct nvkm_i2c *i2c = nvkm_i2c(subdev); + struct nvkm_i2c_bus *bus; + struct nvkm_i2c_pad *pad; ++ struct nvkm_i2c_aux *aux; + + list_for_each_entry(pad, &i2c->pad, head) { + nvkm_i2c_pad_init(pad); +@@ -189,6 +200,10 @@ nvkm_i2c_init(struct nvkm_subdev *subdev + nvkm_i2c_bus_init(bus); + } + ++ list_for_each_entry(aux, &i2c->aux, head) { ++ nvkm_i2c_aux_init(aux); ++ } ++ + return 0; + } + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c +@@ -110,6 +110,19 @@ nvkm_i2c_bus_init(struct nvkm_i2c_bus *b + BUS_TRACE(bus, "init"); + if (bus->func->init) + bus->func->init(bus); ++ ++ mutex_lock(&bus->mutex); ++ bus->enabled = true; ++ mutex_unlock(&bus->mutex); ++} ++ ++void ++nvkm_i2c_bus_fini(struct nvkm_i2c_bus *bus) ++{ ++ BUS_TRACE(bus, "fini"); ++ mutex_lock(&bus->mutex); ++ bus->enabled = false; ++ mutex_unlock(&bus->mutex); + } + + void +@@ -126,9 +139,15 @@ nvkm_i2c_bus_acquire(struct nvkm_i2c_bus + { + struct nvkm_i2c_pad *pad = bus->pad; + int ret; ++ + BUS_TRACE(bus, "acquire"); + mutex_lock(&bus->mutex); +- ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C); ++ ++ if (bus->enabled) ++ ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C); ++ else ++ ret = -EIO; ++ + if (ret) + mutex_unlock(&bus->mutex); + return ret; +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h +@@ -18,6 +18,7 @@ int nvkm_i2c_bus_new_(const struct nvkm_ + int id, struct nvkm_i2c_bus **); + void nvkm_i2c_bus_del(struct nvkm_i2c_bus **); + void nvkm_i2c_bus_init(struct nvkm_i2c_bus *); ++void nvkm_i2c_bus_fini(struct nvkm_i2c_bus *); + + int nvkm_i2c_bit_xfer(struct nvkm_i2c_bus *, struct i2c_msg *, int); + diff --git a/queue-4.19/evm-check-hash-algorithm-passed-to-init_desc.patch b/queue-4.19/evm-check-hash-algorithm-passed-to-init_desc.patch new file mode 100644 index 00000000000..093d40d7f36 --- /dev/null +++ b/queue-4.19/evm-check-hash-algorithm-passed-to-init_desc.patch @@ -0,0 +1,36 @@ +From 221be106d75c1b511973301542f47d6000d0b63e Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Wed, 29 May 2019 15:30:33 +0200 +Subject: evm: check hash algorithm passed to init_desc() + +From: Roberto Sassu + +commit 221be106d75c1b511973301542f47d6000d0b63e upstream. + +This patch prevents memory access beyond the evm_tfm array by checking the +validity of the index (hash algorithm) passed to init_desc(). The hash +algorithm can be arbitrarily set if the security.ima xattr type is not +EVM_XATTR_HMAC. + +Fixes: 5feeb61183dde ("evm: Allow non-SHA1 digital signatures") +Signed-off-by: Roberto Sassu +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/evm/evm_crypto.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/security/integrity/evm/evm_crypto.c ++++ b/security/integrity/evm/evm_crypto.c +@@ -89,6 +89,9 @@ static struct shash_desc *init_desc(char + tfm = &hmac_tfm; + algo = evm_hmac; + } else { ++ if (hash_algo >= HASH_ALGO__LAST) ++ return ERR_PTR(-EINVAL); ++ + tfm = &evm_tfm[hash_algo]; + algo = hash_algo_name[hash_algo]; + } diff --git a/queue-4.19/gcc-plugins-fix-build-failures-under-darwin-host.patch b/queue-4.19/gcc-plugins-fix-build-failures-under-darwin-host.patch new file mode 100644 index 00000000000..dc59ce6f02b --- /dev/null +++ b/queue-4.19/gcc-plugins-fix-build-failures-under-darwin-host.patch @@ -0,0 +1,52 @@ +From 7210e060155b9cf557fb13128353c3e494fa5ed3 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 20 May 2019 11:50:42 -0700 +Subject: gcc-plugins: Fix build failures under Darwin host + +From: Kees Cook + +commit 7210e060155b9cf557fb13128353c3e494fa5ed3 upstream. + +The gcc-common.h file did not take into account certain macros that +might have already been defined in the build environment. This updates +the header to avoid redefining the macros, as seen on a Darwin host +using gcc 4.9.2: + + HOSTCXX -fPIC scripts/gcc-plugins/arm_ssp_per_task_plugin.o - due to: scripts/gcc-plugins/gcc-common.h +In file included from scripts/gcc-plugins/arm_ssp_per_task_plugin.c:3:0: +scripts/gcc-plugins/gcc-common.h:153:0: warning: "__unused" redefined +^ +In file included from /usr/include/stdio.h:64:0, + from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/system.h:40, + from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/gcc-plugin.h:28, + from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/plugin.h:23, + from scripts/gcc-plugins/gcc-common.h:9, + from scripts/gcc-plugins/arm_ssp_per_task_plugin.c:3: +/usr/include/sys/cdefs.h:161:0: note: this is the location of the previous definition +^ + +Reported-and-tested-by: "H. Nikolaus Schaller" +Fixes: 189af4657186 ("ARM: smp: add support for per-task stack canaries") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/gcc-plugins/gcc-common.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/scripts/gcc-plugins/gcc-common.h ++++ b/scripts/gcc-plugins/gcc-common.h +@@ -150,8 +150,12 @@ void print_gimple_expr(FILE *, gimple, i + void dump_gimple_stmt(pretty_printer *, gimple, int, int); + #endif + ++#ifndef __unused + #define __unused __attribute__((__unused__)) ++#endif ++#ifndef __visible + #define __visible __attribute__((visibility("default"))) ++#endif + + #define DECL_NAME_POINTER(node) IDENTIFIER_POINTER(DECL_NAME(node)) + #define DECL_NAME_LENGTH(node) IDENTIFIER_LENGTH(DECL_NAME(node)) diff --git a/queue-4.19/i2c-mlxcpld-fix-wrong-initialization-order-in-probe.patch b/queue-4.19/i2c-mlxcpld-fix-wrong-initialization-order-in-probe.patch new file mode 100644 index 00000000000..4d1aba15c14 --- /dev/null +++ b/queue-4.19/i2c-mlxcpld-fix-wrong-initialization-order-in-probe.patch @@ -0,0 +1,44 @@ +From 13067ef73f337336e3149f5bb9f3fd05fe7f87a0 Mon Sep 17 00:00:00 2001 +From: Vadim Pasternak +Date: Thu, 16 May 2019 17:15:41 +0000 +Subject: i2c: mlxcpld: Fix wrong initialization order in probe + +From: Vadim Pasternak + +commit 13067ef73f337336e3149f5bb9f3fd05fe7f87a0 upstream. + +Fix wrong order in probing routine initialization - field `base_addr' +is used before it's initialized. Move assignment of 'priv->base_addr` +to the beginning, prior the call to mlxcpld_i2c_read_comm(). +Wrong order caused the first read of capability register to be executed +at wrong offset 0x0 instead of 0x2000. By chance it was a "good +garbage" at 0x0 offset. + +Fixes: 313ce648b5a4 ("i2c: mlxcpld: Add support for extended transaction length for i2c-mlxcpld") +Signed-off-by: Vadim Pasternak +Signed-off-by: Wolfram Sang +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-mlxcpld.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-mlxcpld.c ++++ b/drivers/i2c/busses/i2c-mlxcpld.c +@@ -503,6 +503,7 @@ static int mlxcpld_i2c_probe(struct plat + platform_set_drvdata(pdev, priv); + + priv->dev = &pdev->dev; ++ priv->base_addr = MLXPLAT_CPLD_LPC_I2C_BASE_ADDR; + + /* Register with i2c layer */ + mlxcpld_i2c_adapter.timeout = usecs_to_jiffies(MLXCPLD_I2C_XFER_TO); +@@ -518,7 +519,6 @@ static int mlxcpld_i2c_probe(struct plat + mlxcpld_i2c_adapter.nr = pdev->id; + priv->adap = mlxcpld_i2c_adapter; + priv->adap.dev.parent = &pdev->dev; +- priv->base_addr = MLXPLAT_CPLD_LPC_I2C_BASE_ADDR; + i2c_set_adapdata(&priv->adap, priv); + + err = i2c_add_numbered_adapter(&priv->adap); diff --git a/queue-4.19/i2c-synquacer-fix-synquacer_i2c_doxfer-return-value.patch b/queue-4.19/i2c-synquacer-fix-synquacer_i2c_doxfer-return-value.patch new file mode 100644 index 00000000000..ecb7f836252 --- /dev/null +++ b/queue-4.19/i2c-synquacer-fix-synquacer_i2c_doxfer-return-value.patch @@ -0,0 +1,35 @@ +From ff9378904d9d7a3fcb8406604e089e535e357b1d Mon Sep 17 00:00:00 2001 +From: Masahisa Kojima +Date: Tue, 21 May 2019 10:33:50 +0900 +Subject: i2c: synquacer: fix synquacer_i2c_doxfer() return value + +From: Masahisa Kojima + +commit ff9378904d9d7a3fcb8406604e089e535e357b1d upstream. + +master_xfer should return the number of messages successfully +processed. + +Fixes: 0d676a6c4390 ("i2c: add support for Socionext SynQuacer I2C controller") +Cc: # v4.19+ +Signed-off-by: Okamoto Satoru +Signed-off-by: Masahisa Kojima +Acked-by: Ard Biesheuvel +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-synquacer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-synquacer.c ++++ b/drivers/i2c/busses/i2c-synquacer.c +@@ -356,7 +356,7 @@ static int synquacer_i2c_doxfer(struct s + /* wait 2 clock periods to ensure the stop has been through the bus */ + udelay(DIV_ROUND_UP(2 * 1000, i2c->speed_khz)); + +- return 0; ++ return ret; + } + + static irqreturn_t synquacer_i2c_isr(int irq, void *dev_id) diff --git a/queue-4.19/ima-show-rules-with-ima_inmask-correctly.patch b/queue-4.19/ima-show-rules-with-ima_inmask-correctly.patch new file mode 100644 index 00000000000..f00d181cafb --- /dev/null +++ b/queue-4.19/ima-show-rules-with-ima_inmask-correctly.patch @@ -0,0 +1,69 @@ +From 8cdc23a3d9ec0944000ad43bad588e36afdc38cd Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Wed, 29 May 2019 15:30:35 +0200 +Subject: ima: show rules with IMA_INMASK correctly + +From: Roberto Sassu + +commit 8cdc23a3d9ec0944000ad43bad588e36afdc38cd upstream. + +Show the '^' character when a policy rule has flag IMA_INMASK. + +Fixes: 80eae209d63ac ("IMA: allow reading back the current IMA policy") +Signed-off-by: Roberto Sassu +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_policy.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -1059,10 +1059,10 @@ enum { + }; + + static const char *const mask_tokens[] = { +- "MAY_EXEC", +- "MAY_WRITE", +- "MAY_READ", +- "MAY_APPEND" ++ "^MAY_EXEC", ++ "^MAY_WRITE", ++ "^MAY_READ", ++ "^MAY_APPEND" + }; + + #define __ima_hook_stringify(str) (#str), +@@ -1122,6 +1122,7 @@ int ima_policy_show(struct seq_file *m, + struct ima_rule_entry *entry = v; + int i; + char tbuf[64] = {0,}; ++ int offset = 0; + + rcu_read_lock(); + +@@ -1145,15 +1146,17 @@ int ima_policy_show(struct seq_file *m, + if (entry->flags & IMA_FUNC) + policy_func_show(m, entry->func); + +- if (entry->flags & IMA_MASK) { ++ if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { ++ if (entry->flags & IMA_MASK) ++ offset = 1; + if (entry->mask & MAY_EXEC) +- seq_printf(m, pt(Opt_mask), mt(mask_exec)); ++ seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); + if (entry->mask & MAY_WRITE) +- seq_printf(m, pt(Opt_mask), mt(mask_write)); ++ seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); + if (entry->mask & MAY_READ) +- seq_printf(m, pt(Opt_mask), mt(mask_read)); ++ seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); + if (entry->mask & MAY_APPEND) +- seq_printf(m, pt(Opt_mask), mt(mask_append)); ++ seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); + seq_puts(m, " "); + } + diff --git a/queue-4.19/kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch b/queue-4.19/kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch new file mode 100644 index 00000000000..59510e54c7f --- /dev/null +++ b/queue-4.19/kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch @@ -0,0 +1,50 @@ +From 98af37d624ed8c83f1953b1b6b2f6866011fc064 Mon Sep 17 00:00:00 2001 +From: Zhenliang Wei +Date: Fri, 31 May 2019 22:30:52 -0700 +Subject: kernel/signal.c: trace_signal_deliver when signal_group_exit + +From: Zhenliang Wei + +commit 98af37d624ed8c83f1953b1b6b2f6866011fc064 upstream. + +In the fixes commit, removing SIGKILL from each thread signal mask and +executing "goto fatal" directly will skip the call to +"trace_signal_deliver". At this point, the delivery tracking of the +SIGKILL signal will be inaccurate. + +Therefore, we need to add trace_signal_deliver before "goto fatal" after +executing sigdelset. + +Note: SEND_SIG_NOINFO matches the fact that SIGKILL doesn't have any info. + +Link: http://lkml.kernel.org/r/20190425025812.91424-1-weizhenliang@huawei.com +Fixes: cf43a757fd4944 ("signal: Restore the stop PTRACE_EVENT_EXIT") +Signed-off-by: Zhenliang Wei +Reviewed-by: Christian Brauner +Reviewed-by: Oleg Nesterov +Cc: Eric W. Biederman +Cc: Ivan Delalande +Cc: Arnd Bergmann +Cc: Thomas Gleixner +Cc: Deepa Dinamani +Cc: Greg Kroah-Hartman +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2436,6 +2436,8 @@ relock: + if (signal_group_exit(signal)) { + ksig->info.si_signo = signr = SIGKILL; + sigdelset(¤t->pending.signal, SIGKILL); ++ trace_signal_deliver(SIGKILL, SEND_SIG_NOINFO, ++ &sighand->action[SIGKILL - 1]); + recalc_sigpending(); + goto fatal; + } diff --git a/queue-4.19/memcg-make-it-work-on-sparse-non-0-node-systems.patch b/queue-4.19/memcg-make-it-work-on-sparse-non-0-node-systems.patch new file mode 100644 index 00000000000..4928eec6480 --- /dev/null +++ b/queue-4.19/memcg-make-it-work-on-sparse-non-0-node-systems.patch @@ -0,0 +1,97 @@ +From 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Fri, 31 May 2019 22:30:26 -0700 +Subject: memcg: make it work on sparse non-0-node systems + +From: Jiri Slaby + +commit 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471 upstream. + +We have a single node system with node 0 disabled: + Scanning NUMA topology in Northbridge 24 + Number of physical nodes 2 + Skipping disabled node 0 + Node 1 MemBase 0000000000000000 Limit 00000000fbff0000 + NODE_DATA(1) allocated [mem 0xfbfda000-0xfbfeffff] + +This causes crashes in memcg when system boots: + BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 + #PF error: [normal kernel read fault] +... + RIP: 0010:list_lru_add+0x94/0x170 +... + Call Trace: + d_lru_add+0x44/0x50 + dput.part.34+0xfc/0x110 + __fput+0x108/0x230 + task_work_run+0x9f/0xc0 + exit_to_usermode_loop+0xf5/0x100 + +It is reproducible as far as 4.12. I did not try older kernels. You have +to have a new enough systemd, e.g. 241 (the reason is unknown -- was not +investigated). Cannot be reproduced with systemd 234. + +The system crashes because the size of lru array is never updated in +memcg_update_all_list_lrus and the reads are past the zero-sized array, +causing dereferences of random memory. + +The root cause are list_lru_memcg_aware checks in the list_lru code. The +test in list_lru_memcg_aware is broken: it assumes node 0 is always +present, but it is not true on some systems as can be seen above. + +So fix this by avoiding checks on node 0. Remember the memcg-awareness by +a bool flag in struct list_lru. + +Link: http://lkml.kernel.org/r/20190522091940.3615-1-jslaby@suse.cz +Fixes: 60d3fd32a7a9 ("list_lru: introduce per-memcg lists") +Signed-off-by: Jiri Slaby +Acked-by: Michal Hocko +Suggested-by: Vladimir Davydov +Acked-by: Vladimir Davydov +Reviewed-by: Shakeel Butt +Cc: Johannes Weiner +Cc: Raghavendra K T +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/list_lru.h | 1 + + mm/list_lru.c | 8 +++----- + 2 files changed, 4 insertions(+), 5 deletions(-) + +--- a/include/linux/list_lru.h ++++ b/include/linux/list_lru.h +@@ -54,6 +54,7 @@ struct list_lru { + #ifdef CONFIG_MEMCG_KMEM + struct list_head list; + int shrinker_id; ++ bool memcg_aware; + #endif + }; + +--- a/mm/list_lru.c ++++ b/mm/list_lru.c +@@ -37,11 +37,7 @@ static int lru_shrinker_id(struct list_l + + static inline bool list_lru_memcg_aware(struct list_lru *lru) + { +- /* +- * This needs node 0 to be always present, even +- * in the systems supporting sparse numa ids. +- */ +- return !!lru->node[0].memcg_lrus; ++ return lru->memcg_aware; + } + + static inline struct list_lru_one * +@@ -451,6 +447,8 @@ static int memcg_init_list_lru(struct li + { + int i; + ++ lru->memcg_aware = memcg_aware; ++ + if (!memcg_aware) + return 0; + diff --git a/queue-4.19/revert-lockd-show-pid-of-lockd-for-remote-locks.patch b/queue-4.19/revert-lockd-show-pid-of-lockd-for-remote-locks.patch new file mode 100644 index 00000000000..76a04a8f9fa --- /dev/null +++ b/queue-4.19/revert-lockd-show-pid-of-lockd-for-remote-locks.patch @@ -0,0 +1,68 @@ +From 141731d15d6eb2fd9aaefbf9b935ce86ae243074 Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Mon, 20 May 2019 10:33:07 -0400 +Subject: Revert "lockd: Show pid of lockd for remote locks" + +From: Benjamin Coddington + +commit 141731d15d6eb2fd9aaefbf9b935ce86ae243074 upstream. + +This reverts most of commit b8eee0e90f97 ("lockd: Show pid of lockd for +remote locks"), which caused remote locks to not be differentiated between +remote processes for NLM. + +We retain the fixup for setting the client's fl_pid to a negative value. + +Fixes: b8eee0e90f97 ("lockd: Show pid of lockd for remote locks") +Cc: stable@vger.kernel.org + +Signed-off-by: Benjamin Coddington +Reviewed-by: XueWei Zhang +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/xdr.c | 4 ++-- + fs/lockd/xdr4.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/lockd/xdr.c ++++ b/fs/lockd/xdr.c +@@ -127,7 +127,7 @@ nlm_decode_lock(__be32 *p, struct nlm_lo + + locks_init_lock(fl); + fl->fl_owner = current->files; +- fl->fl_pid = current->tgid; ++ fl->fl_pid = (pid_t)lock->svid; + fl->fl_flags = FL_POSIX; + fl->fl_type = F_RDLCK; /* as good as anything else */ + start = ntohl(*p++); +@@ -269,7 +269,7 @@ nlmsvc_decode_shareargs(struct svc_rqst + memset(lock, 0, sizeof(*lock)); + locks_init_lock(&lock->fl); + lock->svid = ~(u32) 0; +- lock->fl.fl_pid = current->tgid; ++ lock->fl.fl_pid = (pid_t)lock->svid; + + if (!(p = nlm_decode_cookie(p, &argp->cookie)) + || !(p = xdr_decode_string_inplace(p, &lock->caller, +--- a/fs/lockd/xdr4.c ++++ b/fs/lockd/xdr4.c +@@ -119,7 +119,7 @@ nlm4_decode_lock(__be32 *p, struct nlm_l + + locks_init_lock(fl); + fl->fl_owner = current->files; +- fl->fl_pid = current->tgid; ++ fl->fl_pid = (pid_t)lock->svid; + fl->fl_flags = FL_POSIX; + fl->fl_type = F_RDLCK; /* as good as anything else */ + p = xdr_decode_hyper(p, &start); +@@ -266,7 +266,7 @@ nlm4svc_decode_shareargs(struct svc_rqst + memset(lock, 0, sizeof(*lock)); + locks_init_lock(&lock->fl); + lock->svid = ~(u32) 0; +- lock->fl.fl_pid = current->tgid; ++ lock->fl.fl_pid = (pid_t)lock->svid; + + if (!(p = nlm4_decode_cookie(p, &argp->cookie)) + || !(p = xdr_decode_string_inplace(p, &lock->caller, diff --git a/queue-4.19/serial-sh-sci-disable-dma-for-uart_console.patch b/queue-4.19/serial-sh-sci-disable-dma-for-uart_console.patch new file mode 100644 index 00000000000..39ce7c774a9 --- /dev/null +++ b/queue-4.19/serial-sh-sci-disable-dma-for-uart_console.patch @@ -0,0 +1,46 @@ +From 099506cbbc79c0bd52b19cb6b930f256dabc3950 Mon Sep 17 00:00:00 2001 +From: "George G. Davis" +Date: Tue, 14 May 2019 23:29:34 -0400 +Subject: serial: sh-sci: disable DMA for uart_console + +From: George G. Davis + +commit 099506cbbc79c0bd52b19cb6b930f256dabc3950 upstream. + +As noted in commit 84b40e3b57ee ("serial: 8250: omap: Disable DMA for +console UART"), UART console lines use low-level PIO only access functions +which will conflict with use of the line when DMA is enabled, e.g. when +the console line is also used for systemd messages. So disable DMA +support for UART console lines. + +Reported-by: Michael Rodin +Link: https://patchwork.kernel.org/patch/10929511/ +Tested-by: Eugeniu Rosca +Reviewed-by: Simon Horman +Reviewed-by: Wolfram Sang +Reviewed-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org +Signed-off-by: George G. Davis +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/sh-sci.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -1542,6 +1542,13 @@ static void sci_request_dma(struct uart_ + + dev_dbg(port->dev, "%s: port %d\n", __func__, port->line); + ++ /* ++ * DMA on console may interfere with Kernel log messages which use ++ * plain putchar(). So, simply don't use it with a console. ++ */ ++ if (uart_console(port)) ++ return; ++ + if (!port->dev->of_node) + return; + diff --git a/queue-4.19/series b/queue-4.19/series index 1950b858434..e73f1ece4cb 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -32,3 +32,24 @@ alsa-line6-assure-canceling-delayed-work-at-disconnection.patch alsa-hda-realtek-set-default-power-save-node-to-0.patch alsa-hda-realtek-improve-the-headset-mic-for-acer-aspire-laptops.patch kvm-s390-do-not-report-unusabled-ids-via-kvm_cap_max_vcpu_id.patch +drm-nouveau-i2c-disable-i2c-bus-access-after-fini.patch +i2c-mlxcpld-fix-wrong-initialization-order-in-probe.patch +i2c-synquacer-fix-synquacer_i2c_doxfer-return-value.patch +tty-serial-msm_serial-fix-xon-xoff.patch +tty-max310x-fix-external-crystal-register-setup.patch +memcg-make-it-work-on-sparse-non-0-node-systems.patch +kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch +arm64-fix-the-arm64_personality-syscall-wrapper-redirection.patch +docs-fix-conf.py-for-sphinx-2.0.patch +doc-cope-with-the-deprecation-of-autoreporter.patch +doc-cope-with-sphinx-logging-deprecations.patch +ima-show-rules-with-ima_inmask-correctly.patch +evm-check-hash-algorithm-passed-to-init_desc.patch +vt-fbcon-deinitialize-resources-in-visual_init-after-failed-memory-allocation.patch +serial-sh-sci-disable-dma-for-uart_console.patch +staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch +staging-wlan-ng-fix-adapter-initialization-failure.patch +cifs-fix-memory-leak-of-pneg_inbuf-on-eopnotsupp-ioctl-case.patch +cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch +revert-lockd-show-pid-of-lockd-for-remote-locks.patch +gcc-plugins-fix-build-failures-under-darwin-host.patch diff --git a/queue-4.19/staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch b/queue-4.19/staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch new file mode 100644 index 00000000000..a76aa10c104 --- /dev/null +++ b/queue-4.19/staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch @@ -0,0 +1,56 @@ +From ca641bae6da977d638458e78cd1487b6160a2718 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 15 May 2019 12:38:33 +0300 +Subject: staging: vc04_services: prevent integer overflow in create_pagelist() + +From: Dan Carpenter + +commit ca641bae6da977d638458e78cd1487b6160a2718 upstream. + +The create_pagelist() "count" parameter comes from the user in +vchiq_ioctl() and it could overflow. If you look at how create_page() +is called in vchiq_prepare_bulk_data(), then the "size" variable is an +int so it doesn't make sense to allow negatives or larger than INT_MAX. + +I don't know this code terribly well, but I believe that typical values +of "count" are typically quite low and I don't think this check will +affect normal valid uses at all. + +The "pagelist_size" calculation can also overflow on 32 bit systems, but +not on 64 bit systems. I have added an integer overflow check for that +as well. + +The Raspberry PI doesn't offer the same level of memory protection that +x86 does so these sorts of bugs are probably not super critical to fix. + +Fixes: 71bad7f08641 ("staging: add bcm2708 vchiq driver") +Signed-off-by: Dan Carpenter +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c ++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c +@@ -410,9 +410,18 @@ create_pagelist(char __user *buf, size_t + int dma_buffers; + dma_addr_t dma_addr; + ++ if (count >= INT_MAX - PAGE_SIZE) ++ return NULL; ++ + offset = ((unsigned int)(unsigned long)buf & (PAGE_SIZE - 1)); + num_pages = DIV_ROUND_UP(count + offset, PAGE_SIZE); + ++ if (num_pages > (SIZE_MAX - sizeof(struct pagelist) - ++ sizeof(struct vchiq_pagelist_info)) / ++ (sizeof(u32) + sizeof(pages[0]) + ++ sizeof(struct scatterlist))) ++ return NULL; ++ + pagelist_size = sizeof(PAGELIST_T) + + (num_pages * sizeof(u32)) + + (num_pages * sizeof(pages[0]) + diff --git a/queue-4.19/staging-wlan-ng-fix-adapter-initialization-failure.patch b/queue-4.19/staging-wlan-ng-fix-adapter-initialization-failure.patch new file mode 100644 index 00000000000..d5e59a17b37 --- /dev/null +++ b/queue-4.19/staging-wlan-ng-fix-adapter-initialization-failure.patch @@ -0,0 +1,52 @@ +From a67fedd788182764dc8ed59037c604b7e60349f1 Mon Sep 17 00:00:00 2001 +From: Tim Collier +Date: Sat, 11 May 2019 18:40:46 +0100 +Subject: staging: wlan-ng: fix adapter initialization failure + +From: Tim Collier + +commit a67fedd788182764dc8ed59037c604b7e60349f1 upstream. + +Commit e895f00a8496 ("Staging: wlan-ng: hfa384x_usb.c Fixed too long +code line warnings.") moved the retrieval of the transfer buffer from +the URB from the top of function hfa384x_usbin_callback to a point +after reposting of the URB via a call to submit_rx_urb. The reposting +of the URB allocates a new transfer buffer so the new buffer is +retrieved instead of the buffer containing the response passed into +the callback. This results in failure to initialize the adapter with +an error reported in the system log (something like "CTLX[1] error: +state(Request failed)"). + +This change moves the retrieval to just before the point where the URB +is reposted so that the correct transfer buffer is retrieved and +initialization of the device succeeds. + +Signed-off-by: Tim Collier +Fixes: e895f00a8496 ("Staging: wlan-ng: hfa384x_usb.c Fixed too long code line warnings.") +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/wlan-ng/hfa384x_usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/wlan-ng/hfa384x_usb.c ++++ b/drivers/staging/wlan-ng/hfa384x_usb.c +@@ -3119,7 +3119,9 @@ static void hfa384x_usbin_callback(struc + break; + } + ++ /* Save values from the RX URB before reposting overwrites it. */ + urb_status = urb->status; ++ usbin = (union hfa384x_usbin *)urb->transfer_buffer; + + if (action != ABORT) { + /* Repost the RX URB */ +@@ -3136,7 +3138,6 @@ static void hfa384x_usbin_callback(struc + /* Note: the check of the sw_support field, the type field doesn't + * have bit 12 set like the docs suggest. + */ +- usbin = (union hfa384x_usbin *)urb->transfer_buffer; + type = le16_to_cpu(usbin->type); + if (HFA384x_USB_ISRXFRM(type)) { + if (action == HANDLE) { diff --git a/queue-4.19/tty-max310x-fix-external-crystal-register-setup.patch b/queue-4.19/tty-max310x-fix-external-crystal-register-setup.patch new file mode 100644 index 00000000000..64c23940f55 --- /dev/null +++ b/queue-4.19/tty-max310x-fix-external-crystal-register-setup.patch @@ -0,0 +1,42 @@ +From 5d24f455c182d5116dd5db8e1dc501115ecc9c2c Mon Sep 17 00:00:00 2001 +From: Joe Burmeister +Date: Mon, 13 May 2019 11:23:57 +0100 +Subject: tty: max310x: Fix external crystal register setup + +From: Joe Burmeister + +commit 5d24f455c182d5116dd5db8e1dc501115ecc9c2c upstream. + +The datasheet states: + + Bit 4: ClockEnSet the ClockEn bit high to enable an external clocking +(crystal or clock generator at XIN). Set the ClockEn bit to 0 to disable +clocking + Bit 1: CrystalEnSet the CrystalEn bit high to enable the crystal +oscillator. When using an external clock source at XIN, CrystalEn must +be set low. + +The bit 4, MAX310X_CLKSRC_EXTCLK_BIT, should be set and was not. + +This was required to make the MAX3107 with an external crystal on our +board able to send or receive data. + +Signed-off-by: Joe Burmeister +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/max310x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -576,7 +576,7 @@ static int max310x_set_ref_clk(struct de + } + + /* Configure clock source */ +- clksrc = xtal ? MAX310X_CLKSRC_CRYST_BIT : MAX310X_CLKSRC_EXTCLK_BIT; ++ clksrc = MAX310X_CLKSRC_EXTCLK_BIT | (xtal ? MAX310X_CLKSRC_CRYST_BIT : 0); + + /* Configure PLL */ + if (pllcfg) { diff --git a/queue-4.19/tty-serial-msm_serial-fix-xon-xoff.patch b/queue-4.19/tty-serial-msm_serial-fix-xon-xoff.patch new file mode 100644 index 00000000000..64b4ede753b --- /dev/null +++ b/queue-4.19/tty-serial-msm_serial-fix-xon-xoff.patch @@ -0,0 +1,53 @@ +From 61c0e37950b88bad590056286c1d766b1f167f4e Mon Sep 17 00:00:00 2001 +From: Jorge Ramirez-Ortiz +Date: Mon, 20 May 2019 20:38:48 +0200 +Subject: tty: serial: msm_serial: Fix XON/XOFF + +From: Jorge Ramirez-Ortiz + +commit 61c0e37950b88bad590056286c1d766b1f167f4e upstream. + +When the tty layer requests the uart to throttle, the current code +executing in msm_serial will trigger "Bad mode in Error Handler" and +generate an invalid stack frame in pstore before rebooting (that is if +pstore is indeed configured: otherwise the user shall just notice a +reboot with no further information dumped to the console). + +This patch replaces the PIO byte accessor with the word accessor +already used in PIO mode. + +Fixes: 68252424a7c7 ("tty: serial: msm: Support big-endian CPUs") +Cc: stable@vger.kernel.org +Signed-off-by: Jorge Ramirez-Ortiz +Reviewed-by: Bjorn Andersson +Reviewed-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/msm_serial.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -860,6 +860,7 @@ static void msm_handle_tx(struct uart_po + struct circ_buf *xmit = &msm_port->uart.state->xmit; + struct msm_dma *dma = &msm_port->tx_dma; + unsigned int pio_count, dma_count, dma_min; ++ char buf[4] = { 0 }; + void __iomem *tf; + int err = 0; + +@@ -869,10 +870,12 @@ static void msm_handle_tx(struct uart_po + else + tf = port->membase + UART_TF; + ++ buf[0] = port->x_char; ++ + if (msm_port->is_uartdm) + msm_reset_dm_count(port, 1); + +- iowrite8_rep(tf, &port->x_char, 1); ++ iowrite32_rep(tf, buf, 1); + port->icount.tx++; + port->x_char = 0; + return; diff --git a/queue-4.19/vt-fbcon-deinitialize-resources-in-visual_init-after-failed-memory-allocation.patch b/queue-4.19/vt-fbcon-deinitialize-resources-in-visual_init-after-failed-memory-allocation.patch new file mode 100644 index 00000000000..30615d05204 --- /dev/null +++ b/queue-4.19/vt-fbcon-deinitialize-resources-in-visual_init-after-failed-memory-allocation.patch @@ -0,0 +1,96 @@ +From a1ad1cc9704f64c169261a76e1aee1cf1ae51832 Mon Sep 17 00:00:00 2001 +From: Grzegorz Halat +Date: Fri, 26 Apr 2019 16:59:46 +0200 +Subject: vt/fbcon: deinitialize resources in visual_init() after failed memory allocation + +From: Grzegorz Halat + +commit a1ad1cc9704f64c169261a76e1aee1cf1ae51832 upstream. + +After memory allocation failure vc_allocate() doesn't clean up data +which has been initialized in visual_init(). In case of fbcon this +leads to divide-by-0 in fbcon_init() on next open of the same tty. + +memory allocation in vc_allocate() may fail here: +1097: vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL); + +on next open() fbcon_init() skips vc_font.data initialization: +1088: if (!p->fontdata) { + +division by zero in fbcon_init() happens here: +1149: new_cols /= vc->vc_font.width; + +Additional check is needed in fbcon_deinit() to prevent +usage of uninitialized vc_screenbuf: + +1251: if (vc->vc_hi_font_mask && vc->vc_screenbuf) +1252: set_vc_hi_font(vc, false); + +Crash: + + #6 [ffffc90001eafa60] divide_error at ffffffff81a00be4 + [exception RIP: fbcon_init+463] + RIP: ffffffff814b860f RSP: ffffc90001eafb18 RFLAGS: 00010246 +... + #7 [ffffc90001eafb60] visual_init at ffffffff8154c36e + #8 [ffffc90001eafb80] vc_allocate at ffffffff8154f53c + #9 [ffffc90001eafbc8] con_install at ffffffff8154f624 +... + +Signed-off-by: Grzegorz Halat +Reviewed-by: Oleksandr Natalenko +Acked-by: Bartlomiej Zolnierkiewicz +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 11 +++++++++-- + drivers/video/fbdev/core/fbcon.c | 2 +- + 2 files changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -1059,6 +1059,13 @@ static void visual_init(struct vc_data * + vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row; + } + ++ ++static void visual_deinit(struct vc_data *vc) ++{ ++ vc->vc_sw->con_deinit(vc); ++ module_put(vc->vc_sw->owner); ++} ++ + int vc_allocate(unsigned int currcons) /* return 0 on success */ + { + struct vt_notifier_param param; +@@ -1106,6 +1113,7 @@ int vc_allocate(unsigned int currcons) / + + return 0; + err_free: ++ visual_deinit(vc); + kfree(vc); + vc_cons[currcons].d = NULL; + return -ENOMEM; +@@ -1334,9 +1342,8 @@ struct vc_data *vc_deallocate(unsigned i + param.vc = vc = vc_cons[currcons].d; + atomic_notifier_call_chain(&vt_notifier_list, VT_DEALLOCATE, ¶m); + vcs_remove_sysfs(currcons); +- vc->vc_sw->con_deinit(vc); ++ visual_deinit(vc); + put_pid(vc->vt_pid); +- module_put(vc->vc_sw->owner); + vc_uniscr_set(vc, NULL); + kfree(vc->vc_screenbuf); + vc_cons[currcons].d = NULL; +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -1237,7 +1237,7 @@ finished: + if (free_font) + vc->vc_font.data = NULL; + +- if (vc->vc_hi_font_mask) ++ if (vc->vc_hi_font_mask && vc->vc_screenbuf) + set_vc_hi_font(vc, false); + + if (!con_is_bound(&fb_con))