From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 6 May 2018 00:43:32 +0000 (-0700)
Subject: 4.9-stable patches
X-Git-Tag: v4.9.99~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=63fa56500c5638c56b5e2ab97b571ecf11076975;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	drm-bridge-vga-dac-fix-edid-memory-leak.patch
	drm-vmwgfx-fix-a-buffer-object-leak.patch
	ib-hfi1-fix-null-pointer-dereference-when-invalid-num_vls-is-used.patch
	test_firmware-fix-setting-old-custom-fw-path-back-on-exit-second-try.patch
---

diff --git a/queue-4.9/drm-bridge-vga-dac-fix-edid-memory-leak.patch b/queue-4.9/drm-bridge-vga-dac-fix-edid-memory-leak.patch
new file mode 100644
index 00000000000..2fd61fce5bd
--- /dev/null
+++ b/queue-4.9/drm-bridge-vga-dac-fix-edid-memory-leak.patch
@@ -0,0 +1,42 @@
+From 49ceda9de2da4d1827941d06701f3017c27c1855 Mon Sep 17 00:00:00 2001
+From: Sean Paul <seanpaul@chromium.org>
+Date: Fri, 20 Apr 2018 14:59:59 -0400
+Subject: drm/bridge: vga-dac: Fix edid memory leak
+
+From: Sean Paul <seanpaul@chromium.org>
+
+commit 49ceda9de2da4d1827941d06701f3017c27c1855 upstream.
+
+edid should be freed once it's finished being used.
+
+Fixes: 56fe8b6f4991 ("drm/bridge: Add RGB to VGA bridge support")
+Cc: Rob Herring <robh@kernel.org>
+Cc: Sean Paul <seanpaul@chromium.org>
+Cc: Maxime Ripard <maxime.ripard@free-electrons.com>
+Cc: Archit Taneja <architt@codeaurora.org>
+Cc: Andrzej Hajda <a.hajda@samsung.com>
+Cc: Laurent Pinchart <Laurent.pinchart@ideasonboard.com>
+Cc: <stable@vger.kernel.org> # v4.9+
+Reviewed-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180420190007.1572-1-seanpaul@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/bridge/dumb-vga-dac.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/bridge/dumb-vga-dac.c
++++ b/drivers/gpu/drm/bridge/dumb-vga-dac.c
+@@ -53,7 +53,9 @@ static int dumb_vga_get_modes(struct drm
+ 	}
+ 
+ 	drm_mode_connector_update_edid_property(connector, edid);
+-	return drm_add_edid_modes(connector, edid);
++	ret = drm_add_edid_modes(connector, edid);
++	kfree(edid);
++	return ret;
+ 
+ fallback:
+ 	/*
diff --git a/queue-4.9/drm-vmwgfx-fix-a-buffer-object-leak.patch b/queue-4.9/drm-vmwgfx-fix-a-buffer-object-leak.patch
new file mode 100644
index 00000000000..09fd1a6c546
--- /dev/null
+++ b/queue-4.9/drm-vmwgfx-fix-a-buffer-object-leak.patch
@@ -0,0 +1,33 @@
+From 13f149d47392782baafd96d54d4e65f3b5ca342f Mon Sep 17 00:00:00 2001
+From: Thomas Hellstrom <thellstrom@vmware.com>
+Date: Thu, 26 Apr 2018 09:59:30 +0200
+Subject: drm/vmwgfx: Fix a buffer object leak
+
+From: Thomas Hellstrom <thellstrom@vmware.com>
+
+commit 13f149d47392782baafd96d54d4e65f3b5ca342f upstream.
+
+A buffer object leak was introduced when fixing a premature buffer
+object release. Fix this.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 73a88250b709 ("Fix a destoy-while-held mutex problem.")
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Reviewed-by: Deepak Rawat <drawat@vmware.com>
+Reviewed-by: Sinclair Yeh <syeh@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -2014,6 +2014,7 @@ void vmw_kms_helper_resource_finish(stru
+ 		vmw_kms_helper_buffer_finish(res->dev_priv, NULL, ctx->buf,
+ 					     out_fence, NULL);
+ 
++	vmw_dmabuf_unreference(&ctx->buf);
+ 	vmw_resource_unreserve(res, false, NULL, 0);
+ 	mutex_unlock(&res->dev_priv->cmdbuf_mutex);
+ }
diff --git a/queue-4.9/ib-hfi1-fix-null-pointer-dereference-when-invalid-num_vls-is-used.patch b/queue-4.9/ib-hfi1-fix-null-pointer-dereference-when-invalid-num_vls-is-used.patch
new file mode 100644
index 00000000000..42d0b5d3d88
--- /dev/null
+++ b/queue-4.9/ib-hfi1-fix-null-pointer-dereference-when-invalid-num_vls-is-used.patch
@@ -0,0 +1,79 @@
+From 45d924571a5e1329580811f2419da61b07ac3613 Mon Sep 17 00:00:00 2001
+From: Sebastian Sanchez <sebastian.sanchez@intel.com>
+Date: Tue, 1 May 2018 05:35:58 -0700
+Subject: IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used
+
+From: Sebastian Sanchez <sebastian.sanchez@intel.com>
+
+commit 45d924571a5e1329580811f2419da61b07ac3613 upstream.
+
+When an invalid num_vls is used as a module parameter, the code
+execution follows an exception path where the macro dd_dev_err()
+expects dd->pcidev->dev not to be NULL in hfi1_init_dd(). This
+causes a NULL pointer dereference.
+
+Fix hfi1_init_dd() by initializing dd->pcidev and dd->pcidev->dev
+earlier in the code. If a dd exists, then dd->pcidev and
+dd->pcidev->dev always exists.
+
+BUG: unable to handle kernel NULL pointer dereference
+at 00000000000000f0
+IP: __dev_printk+0x15/0x90
+Workqueue: events work_for_cpu_fn
+RIP: 0010:__dev_printk+0x15/0x90
+Call Trace:
+ dev_err+0x6c/0x90
+ ? hfi1_init_pportdata+0x38d/0x3f0 [hfi1]
+ hfi1_init_dd+0xdd/0x2530 [hfi1]
+ ? pci_conf1_read+0xb2/0xf0
+ ? pci_read_config_word.part.9+0x64/0x80
+ ? pci_conf1_write+0xb0/0xf0
+ ? pcie_capability_clear_and_set_word+0x57/0x80
+ init_one+0x141/0x490 [hfi1]
+ local_pci_probe+0x3f/0xa0
+ work_for_cpu_fn+0x10/0x20
+ process_one_work+0x152/0x350
+ worker_thread+0x1cf/0x3e0
+ kthread+0xf5/0x130
+ ? max_active_store+0x80/0x80
+ ? kthread_bind+0x10/0x10
+ ? do_syscall_64+0x6e/0x1a0
+ ? SyS_exit_group+0x10/0x10
+ ret_from_fork+0x35/0x40
+
+Cc: <stable@vger.kernel.org> # 4.9.x
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Sebastian Sanchez <sebastian.sanchez@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/init.c |    2 ++
+ drivers/infiniband/hw/hfi1/pcie.c |    3 ---
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -1049,6 +1049,8 @@ struct hfi1_devdata *hfi1_alloc_devdata(
+ 		return ERR_PTR(-ENOMEM);
+ 	dd->num_pports = nports;
+ 	dd->pport = (struct hfi1_pportdata *)(dd + 1);
++	dd->pcidev = pdev;
++	pci_set_drvdata(pdev, dd);
+ 
+ 	INIT_LIST_HEAD(&dd->list);
+ 	idr_preload(GFP_KERNEL);
+--- a/drivers/infiniband/hw/hfi1/pcie.c
++++ b/drivers/infiniband/hw/hfi1/pcie.c
+@@ -162,9 +162,6 @@ int hfi1_pcie_ddinit(struct hfi1_devdata
+ 	unsigned long len;
+ 	resource_size_t addr;
+ 
+-	dd->pcidev = pdev;
+-	pci_set_drvdata(pdev, dd);
+-
+ 	addr = pci_resource_start(pdev, 0);
+ 	len = pci_resource_len(pdev, 0);
+ 
diff --git a/queue-4.9/series b/queue-4.9/series
index b41b8b5d6be..c1006ae84d3 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -18,3 +18,7 @@ rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch
 rdma-mlx5-protect-from-shift-operand-overflow.patch
 net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
 ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch
+ib-hfi1-fix-null-pointer-dereference-when-invalid-num_vls-is-used.patch
+drm-vmwgfx-fix-a-buffer-object-leak.patch
+drm-bridge-vga-dac-fix-edid-memory-leak.patch
+test_firmware-fix-setting-old-custom-fw-path-back-on-exit-second-try.patch
diff --git a/queue-4.9/test_firmware-fix-setting-old-custom-fw-path-back-on-exit-second-try.patch b/queue-4.9/test_firmware-fix-setting-old-custom-fw-path-back-on-exit-second-try.patch
new file mode 100644
index 00000000000..855a906ed48
--- /dev/null
+++ b/queue-4.9/test_firmware-fix-setting-old-custom-fw-path-back-on-exit-second-try.patch
@@ -0,0 +1,44 @@
+From e538409257d0217a9bc715686100a5328db75a15 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Wed, 4 Apr 2018 22:38:49 +0200
+Subject: test_firmware: fix setting old custom fw path back on exit, second try
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+commit e538409257d0217a9bc715686100a5328db75a15 upstream.
+
+Commit 65c79230576 tried to clear the custom firmware path on exit by
+writing a single space to the firmware_class.path parameter.  This
+doesn't work because nothing strips this space from the value stored
+and fw_get_filesystem_firmware() only ignores zero-length paths.
+
+Instead, write a null byte.
+
+Fixes: 0a8adf58475 ("test: add firmware_class loader test")
+Fixes: 65c79230576 ("test_firmware: fix setting old custom fw path back on exit")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Acked-by: Luis R. Rodriguez <mcgrof@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ tools/testing/selftests/firmware/fw_filesystem.sh |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/firmware/fw_filesystem.sh
++++ b/tools/testing/selftests/firmware/fw_filesystem.sh
+@@ -29,9 +29,11 @@ test_finish()
+ 		echo "$OLD_TIMEOUT" >/sys/class/firmware/timeout
+ 	fi
+ 	if [ "$OLD_FWPATH" = "" ]; then
+-		OLD_FWPATH=" "
++		# A zero-length write won't work; write a null byte
++		printf '\000' >/sys/module/firmware_class/parameters/path
++	else
++		echo -n "$OLD_FWPATH" >/sys/module/firmware_class/parameters/path
+ 	fi
+-	echo -n "$OLD_FWPATH" >/sys/module/firmware_class/parameters/path
+ 	rm -f "$FW"
+ 	rmdir "$FWPATH"
+ }