From: Greg Kroah-Hartman Date: Mon, 17 Sep 2018 09:46:54 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.18.9~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=69b781d787d86ec9c2992b2835dbb50ee3f71f23;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: alsa-ad1816a-fix-sparse-warning-wrt-pcm-format-type.patch alsa-asihpi-fix-pcm-format-notations.patch alsa-riptide-properly-endian-notations.patch alsa-sb-fix-pcm-format-bit-calculation.patch alsa-sb-fix-sparse-warning-wrt-pcm-format-type.patch alsa-wss-fix-sparse-warning-wrt-pcm-format-type.patch ata-libahci-correct-setting-of-devslp-register.patch ath10k-prevent-active-scans-on-potential-unusable-channels.patch bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch macintosh-via-pmu-add-missing-mmio-accessors.patch md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch net-mvneta-fix-mtu-change-on-port-without-link.patch partitions-aix-append-null-character-to-print-data-from-disk.patch partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch scsi-target-fix-__transport_register_session-locking.patch tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch uio-potential-double-frees-if-__uio_register_device-fails.patch x86-kexec-allocate-8k-pgds-for-pti.patch x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch --- 
diff --git a/queue-3.18/alsa-ad1816a-fix-sparse-warning-wrt-pcm-format-type.patch b/queue-3.18/alsa-ad1816a-fix-sparse-warning-wrt-pcm-format-type.patch
new file mode 100644
index 00000000000..03994a624f1
--- /dev/null
+++ b/queue-3.18/alsa-ad1816a-fix-sparse-warning-wrt-pcm-format-type.patch
@@ -0,0 +1,36 @@
+From foo@baz Mon Sep 17 11:45:58 CEST 2018
+From: Takashi Iwai
+Date: Wed, 25 Jul 2018 23:19:39 +0200
+Subject: ALSA: ad1816a: Fix sparse warning wrt PCM format type
+
+From: Takashi Iwai
+
+[ Upstream commit d63f33d3f083bdb3a7c2dfd623f4d811b2a8d772 ]
+
+The PCM format type is with __bitwise, and it can't be converted from
+integer implicitly. Instead of an ugly cast, declare the function
+argument of snd_ad1816a_get_format() with the proper snd_pcm_format_t
+type.
+
+This fixes the sparse warning like:
+ sound/isa/ad1816a/ad1816a_lib.c:93:14: warning: restricted snd_pcm_format_t degrades to integer
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/isa/ad1816a/ad1816a_lib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/isa/ad1816a/ad1816a_lib.c
++++ b/sound/isa/ad1816a/ad1816a_lib.c
+@@ -85,7 +85,8 @@ static void snd_ad1816a_write_mask(struc
+
+
+ static unsigned char snd_ad1816a_get_format(struct snd_ad1816a *chip,
+- unsigned int format, int channels)
++ snd_pcm_format_t format,
++ int channels)
+ {
+ unsigned char retval = AD1816A_FMT_LINEAR_8;
+
diff --git a/queue-3.18/alsa-asihpi-fix-pcm-format-notations.patch b/queue-3.18/alsa-asihpi-fix-pcm-format-notations.patch
new file mode 100644
index 00000000000..67c4e901493
--- /dev/null
+++ b/queue-3.18/alsa-asihpi-fix-pcm-format-notations.patch
@@ -0,0 +1,82 @@ +From foo@baz Mon Sep 17 11:45:58 CEST 2018 +From: Takashi Iwai +Date: Wed, 25 Jul 2018 23:19:41 +0200 +Subject: ALSA: asihpi: Fix PCM format notations + +From: Takashi Iwai + +[ Upstream commit a91a0e774984aa57090c39dc3269a812417737ed ] + +asihpi driver treats -1 as an own invalid PCM format, but this needs +a proper cast with __force prefix since PCM format type is __bitwise. +Define a constant with the proper type and use it allover. + +This fixes sparse warnings like: + sound/pci/asihpi/asihpi.c:315:9: warning: incorrect type in initializer (different base types) + +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/asihpi/asihpi.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/sound/pci/asihpi/asihpi.c ++++ b/sound/pci/asihpi/asihpi.c +@@ -306,27 +306,29 @@ static void print_hwparams(struct snd_pc + + } + ++#define INVALID_FORMAT (__force snd_pcm_format_t)(-1) ++ + static snd_pcm_format_t hpi_to_alsa_formats[] = { +- -1, /* INVALID */ ++ INVALID_FORMAT, /* INVALID */ + SNDRV_PCM_FORMAT_U8, /* HPI_FORMAT_PCM8_UNSIGNED 1 */ + SNDRV_PCM_FORMAT_S16, /* HPI_FORMAT_PCM16_SIGNED 2 */ +- -1, /* HPI_FORMAT_MPEG_L1 3 */ ++ INVALID_FORMAT, /* HPI_FORMAT_MPEG_L1 3 */ + SNDRV_PCM_FORMAT_MPEG, /* HPI_FORMAT_MPEG_L2 4 */ + SNDRV_PCM_FORMAT_MPEG, /* HPI_FORMAT_MPEG_L3 5 */ +- -1, /* HPI_FORMAT_DOLBY_AC2 6 */ +- -1, /* HPI_FORMAT_DOLBY_AC3 7 */ ++ INVALID_FORMAT, /* HPI_FORMAT_DOLBY_AC2 6 */ ++ INVALID_FORMAT, /* HPI_FORMAT_DOLBY_AC3 7 */ + SNDRV_PCM_FORMAT_S16_BE,/* HPI_FORMAT_PCM16_BIGENDIAN 8 */ +- -1, /* HPI_FORMAT_AA_TAGIT1_HITS 9 */ +- -1, /* HPI_FORMAT_AA_TAGIT1_INSERTS 10 */ ++ INVALID_FORMAT, /* HPI_FORMAT_AA_TAGIT1_HITS 9 */ ++ INVALID_FORMAT, /* HPI_FORMAT_AA_TAGIT1_INSERTS 10 */ + SNDRV_PCM_FORMAT_S32, /* HPI_FORMAT_PCM32_SIGNED 11 */ +- -1, /* HPI_FORMAT_RAW_BITSTREAM 12 */ +- -1, /* HPI_FORMAT_AA_TAGIT1_HITS_EX1 13 */ ++ INVALID_FORMAT, /* 
HPI_FORMAT_RAW_BITSTREAM 12 */ ++ INVALID_FORMAT, /* HPI_FORMAT_AA_TAGIT1_HITS_EX1 13 */ + SNDRV_PCM_FORMAT_FLOAT, /* HPI_FORMAT_PCM32_FLOAT 14 */ + #if 1 + /* ALSA can't handle 3 byte sample size together with power-of-2 + * constraint on buffer_bytes, so disable this format + */ +- -1 ++ INVALID_FORMAT + #else + /* SNDRV_PCM_FORMAT_S24_3LE */ /* HPI_FORMAT_PCM24_SIGNED 15 */ + #endif +@@ -968,7 +970,7 @@ static u64 snd_card_asihpi_playback_form + format, sample_rate, 128000, 0); + if (!err) + err = hpi_outstream_query_format(h_stream, &hpi_format); +- if (!err && (hpi_to_alsa_formats[format] != -1)) ++ if (!err && (hpi_to_alsa_formats[format] != INVALID_FORMAT)) + formats |= pcm_format_to_bits(hpi_to_alsa_formats[format]); + } + return formats; +@@ -1144,7 +1146,7 @@ static u64 snd_card_asihpi_capture_forma + format, sample_rate, 128000, 0); + if (!err) + err = hpi_instream_query_format(h_stream, &hpi_format); +- if (!err && (hpi_to_alsa_formats[format] != -1)) ++ if (!err && (hpi_to_alsa_formats[format] != INVALID_FORMAT)) + formats |= pcm_format_to_bits(hpi_to_alsa_formats[format]); + } + return formats; diff --git a/queue-3.18/alsa-riptide-properly-endian-notations.patch b/queue-3.18/alsa-riptide-properly-endian-notations.patch new file mode 100644 index 00000000000..0f2fc9aa94e --- /dev/null +++ b/queue-3.18/alsa-riptide-properly-endian-notations.patch 
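Review bot: The new `INVALID_FORMAT` macro in sound/pci/asihpi/asihpi.c expands to a bare cast expression with no outer parentheses, which is fine in the initializers and `!=` comparisons this patch uses but misparses if it ever sits next to a postfix operator. Writing it as `#define INVALID_FORMAT ((__force snd_pcm_format_t)(-1))` keeps the sparse annotation and removes that hazard. Separately, both `hpi_to_alsa_formats[format]` lookups index the table with a loop variable whose bounds lie outside the hunks, so it is worth confirming that the loop limit matches the table length.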
@@ -0,0 +1,38 @@
+From foo@baz Mon Sep 17 11:45:57 CEST 2018
+From: Takashi Iwai
+Date: Wed, 25 Jul 2018 23:24:04 +0200
+Subject: ALSA: riptide: Properly endian notations
+
+From: Takashi Iwai
+
+[ Upstream commit be05e3de3a933156d472127f659d4473c461dcc5 ]
+
+The SG descriptor of Riptide contains the little-endian values, hence
+we need to define with __le32 properly. This fixes sparse warnings
+like:
+ sound/pci/riptide/riptide.c:1112:40: warning: cast to restricted __le32
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/riptide/riptide.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/pci/riptide/riptide.c
++++ b/sound/pci/riptide/riptide.c
+@@ -470,10 +470,10 @@ struct snd_riptide {
+ };
+
+ struct sgd { /* scatter gather desriptor */
+- u32 dwNextLink;
+- u32 dwSegPtrPhys;
+- u32 dwSegLen;
+- u32 dwStat_Ctl;
++ __le32 dwNextLink;
++ __le32 dwSegPtrPhys;
++ __le32 dwSegLen;
++ __le32 dwStat_Ctl;
+ };
+
+ struct pcmhw { /* pcm descriptor */
diff --git a/queue-3.18/alsa-sb-fix-pcm-format-bit-calculation.patch b/queue-3.18/alsa-sb-fix-pcm-format-bit-calculation.patch
new file mode 100644
index 00000000000..f488a0cfff3
--- /dev/null
+++ b/queue-3.18/alsa-sb-fix-pcm-format-bit-calculation.patch
@@ -0,0 +1,63 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Takashi Iwai +Date: Wed, 25 Jul 2018 23:19:43 +0200 +Subject: ALSA: sb: Fix PCM format bit calculation + +From: Takashi Iwai + +[ Upstream commit 55ff2d1ea5487fe131cce399baf4503dcf5cc8e1 ] + +The PCM format type in snd_pcm_format_t can't be treated as integer +implicitly since it's with __bitwise. We have already a helper +function to get the bit index of the given type, and use it in each +place instead. + +This fixes sparse warnings like: + sound/isa/sb/sb16_main.c:61:44: warning: restricted snd_pcm_format_t degrades to integer + +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/isa/sb/sb16_main.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/isa/sb/sb16_main.c ++++ b/sound/isa/sb/sb16_main.c +@@ -49,6 +49,9 @@ MODULE_AUTHOR("Jaroslav Kysela format)) ++ + #ifdef CONFIG_SND_SB16_CSP + static void snd_sb16_csp_playback_prepare(struct snd_sb *chip, struct snd_pcm_runtime *runtime) + { +@@ -58,7 +61,7 @@ static void snd_sb16_csp_playback_prepar + if (csp->running & SNDRV_SB_CSP_ST_LOADED) { + /* manually loaded codec */ + if ((csp->mode & SNDRV_SB_CSP_MODE_DSP_WRITE) && +- ((1U << runtime->format) == csp->acc_format)) { ++ (runtime_format_bits(runtime) == csp->acc_format)) { + /* Supported runtime PCM format for playback */ + if (csp->ops.csp_use(csp) == 0) { + /* If CSP was successfully acquired */ +@@ -66,7 +69,7 @@ static void snd_sb16_csp_playback_prepar + } + } else if ((csp->mode & SNDRV_SB_CSP_MODE_QSOUND) && (csp->q_enabled)) { + /* QSound decoder is loaded and enabled */ +- if ((1 << runtime->format) & (SNDRV_PCM_FMTBIT_S8 | SNDRV_PCM_FMTBIT_U8 | ++ if (runtime_format_bits(runtime) & (SNDRV_PCM_FMTBIT_S8 | SNDRV_PCM_FMTBIT_U8 | + SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_U16_LE)) { + /* Only for simple PCM formats */ + if (csp->ops.csp_use(csp) == 0) { +@@ -106,7 +109,7 @@ static void 
snd_sb16_csp_capture_prepare + if (csp->running & SNDRV_SB_CSP_ST_LOADED) { + /* manually loaded codec */ + if ((csp->mode & SNDRV_SB_CSP_MODE_DSP_READ) && +- ((1U << runtime->format) == csp->acc_format)) { ++ (runtime_format_bits(runtime) == csp->acc_format)) { + /* Supported runtime PCM format for capture */ + if (csp->ops.csp_use(csp) == 0) { + /* If CSP was successfully acquired */ diff --git a/queue-3.18/alsa-sb-fix-sparse-warning-wrt-pcm-format-type.patch b/queue-3.18/alsa-sb-fix-sparse-warning-wrt-pcm-format-type.patch new file mode 100644 index 00000000000..411f9f5f6a3 --- /dev/null +++ b/queue-3.18/alsa-sb-fix-sparse-warning-wrt-pcm-format-type.patch 
@@ -0,0 +1,65 @@ +From foo@baz Mon Sep 17 11:45:58 CEST 2018 +From: Takashi Iwai +Date: Wed, 25 Jul 2018 23:19:44 +0200 +Subject: ALSA: sb: Fix sparse warning wrt PCM format type + +From: Takashi Iwai + +[ Upstream commit e5d3765b6c4cb3ba64295a4205a2f68a4e8fe083 ] + +The PCM format type is with __bitwise, and it can't be converted from +integer implicitly. Instead of an ugly cast, declare the function +argument of snd_sb_csp_autoload() with the proper snd_pcm_format_t +type. + +This fixes the sparse warnings like: + sound/isa/sb/sb16_csp.c:743:22: warning: restricted snd_pcm_format_t degrades to integer + +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/sound/sb16_csp.h | 2 +- + sound/isa/sb/sb16_csp.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/include/sound/sb16_csp.h ++++ b/include/sound/sb16_csp.h +@@ -46,7 +46,7 @@ enum { + struct snd_sb_csp_ops { + int (*csp_use) (struct snd_sb_csp * p); + int (*csp_unuse) (struct snd_sb_csp * p); +- int (*csp_autoload) (struct snd_sb_csp * p, int pcm_sfmt, int play_rec_mode); ++ int (*csp_autoload) (struct snd_sb_csp * p, snd_pcm_format_t pcm_sfmt, int play_rec_mode); + int (*csp_start) (struct snd_sb_csp * p, int sample_width, int channels); + int (*csp_stop) (struct snd_sb_csp * p); + int (*csp_qsound_transfer) (struct snd_sb_csp * p); +--- a/sound/isa/sb/sb16_csp.c ++++ b/sound/isa/sb/sb16_csp.c +@@ -93,7 +93,7 @@ static int snd_sb_csp_riff_load(struct s + struct snd_sb_csp_microcode __user * code); + static int snd_sb_csp_unload(struct snd_sb_csp * p); + static int snd_sb_csp_load_user(struct snd_sb_csp * p, const unsigned char __user *buf, int size, int load_flags); +-static int snd_sb_csp_autoload(struct snd_sb_csp * p, int pcm_sfmt, int play_rec_mode); ++static int snd_sb_csp_autoload(struct snd_sb_csp * p, snd_pcm_format_t pcm_sfmt, int play_rec_mode); + static int snd_sb_csp_check_version(struct snd_sb_csp * p); + + static int 
snd_sb_csp_use(struct snd_sb_csp * p); +@@ -726,7 +726,7 @@ static int snd_sb_csp_firmware_load(stru + * autoload hardware codec if necessary + * return 0 if CSP is loaded and ready to run (p->running != 0) + */ +-static int snd_sb_csp_autoload(struct snd_sb_csp * p, int pcm_sfmt, int play_rec_mode) ++static int snd_sb_csp_autoload(struct snd_sb_csp * p, snd_pcm_format_t pcm_sfmt, int play_rec_mode) + { + unsigned long flags; + int err = 0; +@@ -736,7 +736,7 @@ static int snd_sb_csp_autoload(struct sn + return -EBUSY; + + /* autoload microcode only if requested hardware codec is not already loaded */ +- if (((1 << pcm_sfmt) & p->acc_format) && (play_rec_mode & p->mode)) { ++ if (((1U << (__force int)pcm_sfmt) & p->acc_format) && (play_rec_mode & p->mode)) { + p->running = SNDRV_SB_CSP_ST_AUTO; + } else { + switch (pcm_sfmt) { diff --git a/queue-3.18/alsa-wss-fix-sparse-warning-wrt-pcm-format-type.patch b/queue-3.18/alsa-wss-fix-sparse-warning-wrt-pcm-format-type.patch new file mode 100644 index 00000000000..dc2d4f148ae --- /dev/null +++ b/queue-3.18/alsa-wss-fix-sparse-warning-wrt-pcm-format-type.patch 
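Review bot: In snd_sb_csp_autoload() the new test `(1U << (__force int)pcm_sfmt) & p->acc_format` still open-codes the format-to-bit conversion, whereas the companion sb16_main.c patch in this queue says it switches to the existing helper for exactly this. A 32-bit shift by a format value of 32 or more is undefined, and nothing visible in the hunk bounds `pcm_sfmt` before the shift; the `switch (pcm_sfmt)` runs only on the else branch. Consider `if ((pcm_format_to_bits(pcm_sfmt) & p->acc_format) && (play_rec_mode & p->mode)) {`, which also removes the `__force` cast. The function body continues past the end of the hunk.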
@@ -0,0 +1,35 @@
+From foo@baz Mon Sep 17 11:45:57 CEST 2018
+From: Takashi Iwai
+Date: Wed, 25 Jul 2018 23:19:42 +0200
+Subject: ALSA: wss: Fix sparse warning wrt PCM format type
+
+From: Takashi Iwai
+
+[ Upstream commit 6be9a60efb401487a4d658ef23d652a9e6860b34 ]
+
+The PCM format type is with __bitwise, and it can't be converted from
+integer implicitly. Instead of an ugly cast, declare the function
+argument of snd_wss_get_format() with the proper snd_pcm_format_t
+type.
+
+This fixes the sparse warnings like:
+ sound/isa/wss/wss_lib.c:551:14: warning: restricted snd_pcm_format_t degrades to integer
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/isa/wss/wss_lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/isa/wss/wss_lib.c
++++ b/sound/isa/wss/wss_lib.c
+@@ -541,7 +541,7 @@ static unsigned char snd_wss_get_rate(un
+ }
+
+ static unsigned char snd_wss_get_format(struct snd_wss *chip,
+- int format,
++ snd_pcm_format_t format,
+ int channels)
+ {
+ unsigned char rformat;
diff --git a/queue-3.18/ata-libahci-correct-setting-of-devslp-register.patch b/queue-3.18/ata-libahci-correct-setting-of-devslp-register.patch
new file mode 100644
index 00000000000..d53086bb231
--- /dev/null
+++ b/queue-3.18/ata-libahci-correct-setting-of-devslp-register.patch
@@ -0,0 +1,43 @@
+From foo@baz Mon Sep 17 11:45:57 CEST 2018
+From: Srinivas Pandruvada
+Date: Mon, 2 Jul 2018 12:01:53 -0700
+Subject: ata: libahci: Correct setting of DEVSLP register
+
+From: Srinivas Pandruvada
+
+[ Upstream commit 2dbb3ec29a6c069035857a2fc4c24e80e5dfe3cc ]
+
+We have seen that on some platforms, SATA device never show any DEVSLP
+residency. This prevent power gating of SATA IP, which prevent system
+to transition to low power mode in systems with SLP_S0 aka modern
+standby systems. The PHY logic is off only in DEVSLP not in slumber.
+Reference:
+https://www.intel.com/content/dam/www/public/us/en/documents/datasheets
+/332995-skylake-i-o-platform-datasheet-volume-1.pdf
+Section 28.7.6.1
+
+Here driver is trying to do read-modify-write the devslp register. But
+not resetting the bits for which this driver will modify values (DITO,
+MDAT and DETO). So simply reset those bits before updating to new values.
+
+Signed-off-by: Srinivas Pandruvada
+Reviewed-by: Rafael J. Wysocki
+Reviewed-by: Hans de Goede
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libahci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -2052,6 +2052,8 @@ static void ahci_set_aggressive_devslp(s
+ deto = 20;
+ }
+
++ /* Make dito, mdat, deto bits to 0s */
++ devslp &= ~GENMASK_ULL(24, 2);
+ devslp |= ((dito << PORT_DEVSLP_DITO_OFFSET) |
+ (mdat << PORT_DEVSLP_MDAT_OFFSET) |
+ (deto << PORT_DEVSLP_DETO_OFFSET) |
diff --git a/queue-3.18/ath10k-prevent-active-scans-on-potential-unusable-channels.patch b/queue-3.18/ath10k-prevent-active-scans-on-potential-unusable-channels.patch
new file mode 100644
index 00000000000..7ba8ace909e
--- /dev/null
+++ b/queue-3.18/ath10k-prevent-active-scans-on-potential-unusable-channels.patch
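Review bot: The clear mask `~GENMASK_ULL(24, 2)` in ahci_set_aggressive_devslp() hard-codes the combined DITO/MDAT/DETO bit range, while the lines right below it place the same fields with `PORT_DEVSLP_DITO_OFFSET`, `PORT_DEVSLP_MDAT_OFFSET` and `PORT_DEVSLP_DETO_OFFSET`; nothing ties the two together if the layout constants change. A comment that names the range, e.g. `/* clear DITO, MDAT and DETO (bits 24:2) before setting the new values */`, or a named mask defined beside the offset constants, would make the read-modify-write auditable. The declaration of `devslp` is outside the hunk; if it is a 32-bit value, `GENMASK(24, 2)` is the matching helper.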
@@ -0,0 +1,49 @@
+From foo@baz Mon Sep 17 11:45:57 CEST 2018
+From: Sven Eckelmann
+Date: Thu, 26 Jul 2018 15:59:48 +0200
+Subject: ath10k: prevent active scans on potential unusable channels
+
+From: Sven Eckelmann
+
+[ Upstream commit 3f259111583801013cb605bb4414aa529adccf1c ]
+
+The QCA4019 hw1.0 firmware 10.4-3.2.1-00050 and 10.4-3.5.3-00053 (and most
+likely all other) seem to ignore the WMI_CHAN_FLAG_DFS flag during the
+scan. This results in transmission (probe requests) on channels which are
+not "available" for transmissions.
+
+Since the firmware is closed source and nothing can be done from our side
+to fix the problem in it, the driver has to work around this problem. The
+WMI_CHAN_FLAG_PASSIVE seems to be interpreted by the firmware to not
+scan actively on a channel unless an AP was detected on it. Simple probe
+requests will then be transmitted by the STA on the channel.
+
+ath10k must therefore also use this flag when it queues a radar channel for
+scanning. This should reduce the chance of an active scan when the channel
+might be "unusable" for transmissions.
+
+Fixes: e8a50f8ba44b ("ath10k: introduce DFS implementation")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -1728,6 +1728,13 @@ static int ath10k_update_channel_list(st
+ passive = channel->flags & IEEE80211_CHAN_NO_IR;
+ ch->passive = passive;
+
++ /* the firmware is ignoring the "radar" flag of the
++ * channel and is scanning actively using Probe Requests
++ * on "Radar detection"/DFS channels which are not
++ * marked as "available"
++ */
++ ch->passive |= ch->chan_radar;
++
+ ch->freq = channel->center_freq;
+ ch->min_power = 0;
+ ch->max_power = channel->max_power * 2;
diff --git a/queue-3.18/bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch b/queue-3.18/bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch new file mode 100644 index 00000000000..580e6a0cd81 --- /dev/null +++ b/queue-3.18/bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Johan Hedberg +Date: Sat, 4 Aug 2018 23:40:26 +0300 +Subject: Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV + +From: Johan Hedberg + +[ Upstream commit 6c3711ec64fd23a9abc8aaf59a9429569a6282df ] + +This driver was recently updated to use serdev, so add the appropriate +dependency. Without this one can get compiler warnings like this if +CONFIG_SERIAL_DEV_BUS is not enabled: + + CC [M] drivers/bluetooth/hci_h5.o +drivers/bluetooth/hci_h5.c:934:36: warning: ‘h5_serdev_driver’ defined but not used [-Wunused-variable] + static struct serdev_device_driver h5_serdev_driver = { + ^~~~~~~~~~~~~~~~ + +Signed-off-by: Johan Hedberg +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/Kconfig ++++ b/drivers/bluetooth/Kconfig +@@ -85,6 +85,7 @@ config BT_HCIUART_LL + config BT_HCIUART_3WIRE + bool "Three-wire UART (H5) protocol support" + depends on BT_HCIUART ++ depends on BT_HCIUART_SERDEV + help + The HCI Three-wire UART Transport Layer makes it possible to + user the Bluetooth HCI over a serial port interface. The HCI diff --git a/queue-3.18/bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch b/queue-3.18/bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch new file mode 100644 index 00000000000..4507e39ca29 --- /dev/null +++ b/queue-3.18/bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch 
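Review bot: The added `depends on BT_HCIUART_SERDEV` under BT_HCIUART_3WIRE can only be satisfied if the target tree defines that symbol, and the hunk does not show that it does. The description's "recently updated to use serdev" describes the upstream tree; for a 3.18 queue it should be confirmed that drivers/bluetooth/Kconfig carries BT_HCIUART_SERDEV and that hci_h5.c contains the serdev driver named in the quoted warning. If the symbol is absent, Kconfig treats the dependency as unmet and the H5 protocol option can no longer be enabled, which would silently drop H5 support from builds.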
@@ -0,0 +1,45 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Marcel Holtmann +Date: Mon, 30 Jul 2018 13:57:41 +0200 +Subject: Bluetooth: hidp: Fix handling of strncpy for hid->name information + +From: Marcel Holtmann + +[ Upstream commit b3cadaa485f0c20add1644a5c877b0765b285c0c ] + +This fixes two issues with setting hid->name information. + + CC net/bluetooth/hidp/core.o +In function ‘hidp_setup_hid’, + inlined from ‘hidp_session_dev_init’ at net/bluetooth/hidp/core.c:815:9, + inlined from ‘hidp_session_new’ at net/bluetooth/hidp/core.c:953:8, + inlined from ‘hidp_connection_add’ at net/bluetooth/hidp/core.c:1366:8: +net/bluetooth/hidp/core.c:778:2: warning: ‘strncpy’ output may be truncated copying 127 bytes from a string of length 127 [-Wstringop-truncation] + strncpy(hid->name, req->name, sizeof(req->name) - 1); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CC net/bluetooth/hidp/core.o +net/bluetooth/hidp/core.c: In function ‘hidp_setup_hid’: +net/bluetooth/hidp/core.c:778:38: warning: argument to ‘sizeof’ in ‘strncpy’ call is the same expression as the source; did you mean to use the size of the destination? [-Wsizeof-pointer-memaccess] + strncpy(hid->name, req->name, sizeof(req->name)); + ^ + +Signed-off-by: Marcel Holtmann +Signed-off-by: Johan Hedberg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hidp/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -763,7 +763,7 @@ static int hidp_setup_hid(struct hidp_se + hid->version = req->version; + hid->country = req->country; + +- strncpy(hid->name, req->name, sizeof(req->name) - 1); ++ strncpy(hid->name, req->name, sizeof(hid->name)); + + snprintf(hid->phys, sizeof(hid->phys), "%pMR", + &l2cap_pi(session->ctrl_sock->sk)->chan->src); 
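Review bot: `strncpy(hid->name, req->name, sizeof(hid->name));` in hidp_setup_hid() leaves `hid->name` without a terminating NUL whenever the source has no NUL within its first sizeof(hid->name) bytes, because strncpy() does not terminate on truncation. The removed `- 1` bound at least left the final byte untouched; whether `hid` is zero-allocated and whether the caller guarantees a terminated `req->name` are both outside the hunk. Since the name is copied from the request structure, terminate it explicitly after the copy with `hid->name[sizeof(hid->name) - 1] = '\0';` so that later readers of `hid->name` cannot run past the buffer. The function body starts and continues outside the hunk.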
diff --git a/queue-3.18/f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch b/queue-3.18/f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch new file mode 100644 index 00000000000..eedeefc8e59 --- /dev/null +++ b/queue-3.18/f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch 
@@ -0,0 +1,223 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Chao Yu +Date: Sat, 23 Jun 2018 11:25:19 +0800 +Subject: f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize + +From: Chao Yu + +[ Upstream commit c77ec61ca0a49544ca81881cc5d5529858f7e196 ] + +This patch adds to do sanity check with {sit,nat}_ver_bitmap_bytesize +during mount, in order to avoid accessing across cache boundary with +this abnormal bitmap size. + +- Overview +buffer overrun in build_sit_info() when mounting a crafted f2fs image + +- Reproduce + +- Kernel message +[ 548.580867] F2FS-fs (loop0): Invalid log blocks per segment (8201) + +[ 548.580877] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock +[ 548.584979] ================================================================== +[ 548.586568] BUG: KASAN: use-after-free in kmemdup+0x36/0x50 +[ 548.587715] Read of size 64 at addr ffff8801e9c265ff by task mount/1295 + +[ 548.589428] CPU: 1 PID: 1295 Comm: mount Not tainted 4.18.0-rc1+ #4 +[ 548.589432] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 548.589438] Call Trace: +[ 548.589474] dump_stack+0x7b/0xb5 +[ 548.589487] print_address_description+0x70/0x290 +[ 548.589492] kasan_report+0x291/0x390 +[ 548.589496] ? kmemdup+0x36/0x50 +[ 548.589509] check_memory_region+0x139/0x190 +[ 548.589514] memcpy+0x23/0x50 +[ 548.589518] kmemdup+0x36/0x50 +[ 548.589545] f2fs_build_segment_manager+0x8fa/0x3410 +[ 548.589551] ? __asan_loadN+0xf/0x20 +[ 548.589560] ? f2fs_sanity_check_ckpt+0x1be/0x240 +[ 548.589566] ? f2fs_flush_sit_entries+0x10c0/0x10c0 +[ 548.589587] ? __put_user_ns+0x40/0x40 +[ 548.589604] ? find_next_bit+0x57/0x90 +[ 548.589610] f2fs_fill_super+0x194b/0x2b40 +[ 548.589617] ? f2fs_commit_super+0x1b0/0x1b0 +[ 548.589637] ? set_blocksize+0x90/0x140 +[ 548.589651] mount_bdev+0x1c5/0x210 +[ 548.589655] ? 
f2fs_commit_super+0x1b0/0x1b0 +[ 548.589667] f2fs_mount+0x15/0x20 +[ 548.589672] mount_fs+0x60/0x1a0 +[ 548.589683] ? alloc_vfsmnt+0x309/0x360 +[ 548.589688] vfs_kern_mount+0x6b/0x1a0 +[ 548.589699] do_mount+0x34a/0x18c0 +[ 548.589710] ? lockref_put_or_lock+0xcf/0x160 +[ 548.589716] ? copy_mount_string+0x20/0x20 +[ 548.589728] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 548.589734] ? kasan_check_write+0x14/0x20 +[ 548.589740] ? _copy_from_user+0x6a/0x90 +[ 548.589744] ? memdup_user+0x42/0x60 +[ 548.589750] ksys_mount+0x83/0xd0 +[ 548.589755] __x64_sys_mount+0x67/0x80 +[ 548.589781] do_syscall_64+0x78/0x170 +[ 548.589797] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 548.589820] RIP: 0033:0x7f76fc331b9a +[ 548.589821] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 +[ 548.589880] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 548.589890] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a +[ 548.589892] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0 +[ 548.589895] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 548.589897] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0 +[ 548.589900] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003 + +[ 548.590242] The buggy address belongs to the page: +[ 548.591243] page:ffffea0007a70980 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +[ 548.592886] flags: 0x2ffff0000000000() +[ 548.593665] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000 +[ 548.595258] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 548.603713] page dumped because: kasan: bad access detected + +[ 548.605203] Memory state around the buggy address: +[ 548.606198] ffff8801e9c26480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.607676] 
ffff8801e9c26500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.609157] >ffff8801e9c26580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.610629] ^ +[ 548.612088] ffff8801e9c26600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.613674] ffff8801e9c26680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.615141] ================================================================== +[ 548.616613] Disabling lock debugging due to kernel taint +[ 548.622871] WARNING: CPU: 1 PID: 1295 at mm/page_alloc.c:4065 __alloc_pages_slowpath+0xe4a/0x1420 +[ 548.622878] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy +[ 548.623217] CPU: 1 PID: 1295 Comm: mount Tainted: G B 4.18.0-rc1+ #4 +[ 548.623219] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 548.623226] RIP: 0010:__alloc_pages_slowpath+0xe4a/0x1420 +[ 548.623227] Code: ff ff 01 89 85 c8 fe ff ff e9 91 fc ff ff 41 89 c5 e9 5c fc ff ff 0f 0b 89 f8 25 ff ff f7 ff 89 85 8c fe ff ff e9 d5 f2 ff ff <0f> 0b e9 65 f2 ff ff 65 8b 05 38 81 d2 47 f6 c4 01 74 1c 65 48 8b +[ 548.623281] RSP: 0018:ffff8801f28c7678 EFLAGS: 00010246 +[ 548.623284] RAX: 0000000000000000 RBX: 00000000006040c0 RCX: ffffffffb82f73b7 +[ 548.623287] RDX: 1ffff1003e518eeb RSI: 000000000000000c RDI: 0000000000000000 +[ 548.623290] RBP: ffff8801f28c7880 R08: 0000000000000000 R09: ffffed0047fff2c5 +[ 548.623292] R10: 0000000000000001 R11: ffffed0047fff2c4 R12: ffff8801e88de040 +[ 548.623295] R13: 00000000006040c0 R14: 
000000000000000c R15: ffff8801f28c7938 +[ 548.623299] FS: 00007f76fca51840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 +[ 548.623302] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 548.623304] CR2: 00007f19b9171760 CR3: 00000001ed952000 CR4: 00000000000006e0 +[ 548.623317] Call Trace: +[ 548.623325] ? kasan_check_read+0x11/0x20 +[ 548.623330] ? __zone_watermark_ok+0x92/0x240 +[ 548.623336] ? get_page_from_freelist+0x1c3/0x1d90 +[ 548.623347] ? _raw_spin_lock_irqsave+0x2a/0x60 +[ 548.623353] ? warn_alloc+0x250/0x250 +[ 548.623358] ? save_stack+0x46/0xd0 +[ 548.623361] ? kasan_kmalloc+0xad/0xe0 +[ 548.623366] ? __isolate_free_page+0x2a0/0x2a0 +[ 548.623370] ? mount_fs+0x60/0x1a0 +[ 548.623374] ? vfs_kern_mount+0x6b/0x1a0 +[ 548.623378] ? do_mount+0x34a/0x18c0 +[ 548.623383] ? ksys_mount+0x83/0xd0 +[ 548.623387] ? __x64_sys_mount+0x67/0x80 +[ 548.623391] ? do_syscall_64+0x78/0x170 +[ 548.623396] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 548.623401] __alloc_pages_nodemask+0x3c5/0x400 +[ 548.623407] ? __alloc_pages_slowpath+0x1420/0x1420 +[ 548.623412] ? __mutex_lock_slowpath+0x20/0x20 +[ 548.623417] ? kvmalloc_node+0x31/0x80 +[ 548.623424] alloc_pages_current+0x75/0x110 +[ 548.623436] kmalloc_order+0x24/0x60 +[ 548.623442] kmalloc_order_trace+0x24/0xb0 +[ 548.623448] __kmalloc_track_caller+0x207/0x220 +[ 548.623455] ? f2fs_build_node_manager+0x399/0xbb0 +[ 548.623460] kmemdup+0x20/0x50 +[ 548.623465] f2fs_build_node_manager+0x399/0xbb0 +[ 548.623470] f2fs_fill_super+0x195e/0x2b40 +[ 548.623477] ? f2fs_commit_super+0x1b0/0x1b0 +[ 548.623481] ? set_blocksize+0x90/0x140 +[ 548.623486] mount_bdev+0x1c5/0x210 +[ 548.623489] ? f2fs_commit_super+0x1b0/0x1b0 +[ 548.623495] f2fs_mount+0x15/0x20 +[ 548.623498] mount_fs+0x60/0x1a0 +[ 548.623503] ? alloc_vfsmnt+0x309/0x360 +[ 548.623508] vfs_kern_mount+0x6b/0x1a0 +[ 548.623513] do_mount+0x34a/0x18c0 +[ 548.623518] ? lockref_put_or_lock+0xcf/0x160 +[ 548.623523] ? copy_mount_string+0x20/0x20 +[ 548.623528] ? 
memcg_kmem_put_cache+0x1b/0xa0 +[ 548.623533] ? kasan_check_write+0x14/0x20 +[ 548.623537] ? _copy_from_user+0x6a/0x90 +[ 548.623542] ? memdup_user+0x42/0x60 +[ 548.623547] ksys_mount+0x83/0xd0 +[ 548.623552] __x64_sys_mount+0x67/0x80 +[ 548.623557] do_syscall_64+0x78/0x170 +[ 548.623562] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 548.623566] RIP: 0033:0x7f76fc331b9a +[ 548.623567] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 +[ 548.623632] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 548.623636] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a +[ 548.623639] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0 +[ 548.623641] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 548.623643] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0 +[ 548.623646] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003 +[ 548.623650] ---[ end trace 4ce02f25ff7d3df5 ]--- +[ 548.623656] F2FS-fs (loop0): Failed to initialize F2FS node manager +[ 548.627936] F2FS-fs (loop0): Invalid log blocks per segment (8201) + +[ 548.627940] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock +[ 548.635835] F2FS-fs (loop0): Failed to initialize F2FS node manager + +- Location +https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.c#L3578 + + sit_i->sit_bitmap = kmemdup(src_bitmap, bitmap_size, GFP_KERNEL); + +Buffer overrun happens when doing memcpy. I suspect there is missing (inconsistent) checks on bitmap_size. + +Reported by Wen Xu (wen.xu@gatech.edu) from SSLab, Gatech. 
+ +Reported-by: Wen Xu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -933,12 +933,17 @@ static int sanity_check_ckpt(struct f2fs + struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi); + struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi); + unsigned int main_segs, blocks_per_seg; ++ unsigned int sit_segs, nat_segs; ++ unsigned int sit_bitmap_size, nat_bitmap_size; ++ unsigned int log_blocks_per_seg; + int i; + + total = le32_to_cpu(raw_super->segment_count); + fsmeta = le32_to_cpu(raw_super->segment_count_ckpt); +- fsmeta += le32_to_cpu(raw_super->segment_count_sit); +- fsmeta += le32_to_cpu(raw_super->segment_count_nat); ++ sit_segs = le32_to_cpu(raw_super->segment_count_sit); ++ fsmeta += sit_segs; ++ nat_segs = le32_to_cpu(raw_super->segment_count_nat); ++ fsmeta += nat_segs; + fsmeta += le32_to_cpu(ckpt->rsvd_segment_count); + fsmeta += le32_to_cpu(raw_super->segment_count_ssa); + +@@ -959,6 +964,18 @@ static int sanity_check_ckpt(struct f2fs + return 1; + } + ++ sit_bitmap_size = le32_to_cpu(ckpt->sit_ver_bitmap_bytesize); ++ nat_bitmap_size = le32_to_cpu(ckpt->nat_ver_bitmap_bytesize); ++ log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg); ++ ++ if (sit_bitmap_size != ((sit_segs / 2) << log_blocks_per_seg) / 8 || ++ nat_bitmap_size != ((nat_segs / 2) << log_blocks_per_seg) / 8) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "Wrong bitmap size: sit: %u, nat:%u", ++ sit_bitmap_size, nat_bitmap_size); ++ return 1; ++ } ++ + if (unlikely(f2fs_cp_error(sbi))) { + f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck"); + return 1; diff --git a/queue-3.18/gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch b/queue-3.18/gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch new file mode 100644 index 00000000000..c24fd85017e 
--- /dev/null +++ b/queue-3.18/gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Anton Vasilyev +Date: Mon, 23 Jul 2018 19:53:30 +0300 +Subject: gpio: ml-ioh: Fix buffer underwrite on probe error path + +From: Anton Vasilyev + +[ Upstream commit 4bf4eed44bfe288f459496eaf38089502ef91a79 ] + +If ioh_gpio_probe() fails on devm_irq_alloc_descs() then chip may point +to any element of chip_save array, so reverse iteration from pointer chip +may become chip_save[-1] and gpiochip_remove() will operate with wrong +memory. + +The patch fix the error path of ioh_gpio_probe() to correctly bypass +chip_save array. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-ml-ioh.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-ml-ioh.c ++++ b/drivers/gpio/gpio-ml-ioh.c +@@ -495,9 +495,10 @@ err_irq_alloc_descs: + + chip = chip_save; + err_gpiochip_add: ++ chip = chip_save; + while (--i >= 0) { +- chip--; + gpiochip_remove(&chip->gpio); ++ chip++; + } + kfree(chip_save); + diff --git a/queue-3.18/macintosh-via-pmu-add-missing-mmio-accessors.patch b/queue-3.18/macintosh-via-pmu-add-missing-mmio-accessors.patch new file mode 100644 index 00000000000..48cbc4550fb --- /dev/null +++ b/queue-3.18/macintosh-via-pmu-add-missing-mmio-accessors.patch 
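Review bot: The `chip = chip_save;` assignment left just above the `err_gpiochip_add:` label is now dead, because the added line after the label repeats it for both entry paths, and the loop still walks a separate pointer while counting `i` down. Indexing from the saved base keeps the bound visible at the point of use and unwinds in reverse registration order: `while (--i >= 0) gpiochip_remove(&chip_save[i].gpio);`. ioh_gpio_probe() starts and ends outside the hunk, so this assumes `i` still counts the chips that were added successfully on every path that reaches the label.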
@@ -0,0 +1,52 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Finn Thain +Date: Mon, 2 Jul 2018 04:21:18 -0400 +Subject: macintosh/via-pmu: Add missing mmio accessors + +From: Finn Thain + +[ Upstream commit 576d5290d678a651b9f36050fc1717e0573aca13 ] + +Add missing in_8() accessors to init_pmu() and pmu_sr_intr(). + +This fixes several sparse warnings: +drivers/macintosh/via-pmu.c:536:29: warning: dereference of noderef expression +drivers/macintosh/via-pmu.c:537:33: warning: dereference of noderef expression +drivers/macintosh/via-pmu.c:1455:17: warning: dereference of noderef expression +drivers/macintosh/via-pmu.c:1456:69: warning: dereference of noderef expression + +Tested-by: Stan Johnson +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/macintosh/via-pmu.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/macintosh/via-pmu.c ++++ b/drivers/macintosh/via-pmu.c +@@ -527,8 +527,9 @@ init_pmu(void) + int timeout; + struct adb_request req; + +- out_8(&via[B], via[B] | TREQ); /* negate TREQ */ +- out_8(&via[DIRB], (via[DIRB] | TREQ) & ~TACK); /* TACK in, TREQ out */ ++ /* Negate TREQ. Set TACK to input and TREQ to output. */ ++ out_8(&via[B], in_8(&via[B]) | TREQ); ++ out_8(&via[DIRB], (in_8(&via[DIRB]) | TREQ) & ~TACK); + + pmu_request(&req, NULL, 2, PMU_SET_INTR_MASK, pmu_intr_mask); + timeout = 100000; +@@ -1450,8 +1451,8 @@ pmu_sr_intr(void) + struct adb_request *req; + int bite = 0; + +- if (via[B] & TREQ) { +- printk(KERN_ERR "PMU: spurious SR intr (%x)\n", via[B]); ++ if (in_8(&via[B]) & TREQ) { ++ printk(KERN_ERR "PMU: spurious SR intr (%x)\n", in_8(&via[B])); + out_8(&via[IFR], SR_INT); + return NULL; + } 
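Review bot: In pmu_sr_intr() the new code reads `via[B]` twice, once for the TREQ test and once for the printk argument, so the value logged for a spurious interrupt may not be the value that took the branch. Reading the register once keeps the diagnostic faithful: `unsigned char b = in_8(&via[B]);`, then `if (b & TREQ) {` and `printk(KERN_ERR "PMU: spurious SR intr (%x)\n", b);`. The function body continues outside the hunk.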
diff --git a/queue-3.18/md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch b/queue-3.18/md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch
new file mode 100644
index 00000000000..0b7a4cbd74e
--- /dev/null
+++ b/queue-3.18/md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch
@@ -0,0 +1,76 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: BingJing Chang +Date: Wed, 1 Aug 2018 17:08:36 +0800 +Subject: md/raid5: fix data corruption of replacements after originals dropped + +From: BingJing Chang + +[ Upstream commit d63e2fc804c46e50eee825c5d3a7228e07048b47 ] + +During raid5 replacement, the stripes can be marked with R5_NeedReplace +flag. Data can be read from being-replaced devices and written to +replacing spares without reading all other devices. (It's 'replace' +mode. s.replacing = 1) If a being-replaced device is dropped, the +replacement progress will be interrupted and resumed with pure recovery +mode. However, existing stripes before being interrupted cannot read +from the dropped device anymore. It prints lots of WARN_ON messages. +And it results in data corruption because existing stripes write +problematic data into its replacement device and update the progress. + +\# Erase disks (1MB + 2GB) +dd if=/dev/zero of=/dev/sda bs=1MB count=2049 +dd if=/dev/zero of=/dev/sdb bs=1MB count=2049 +dd if=/dev/zero of=/dev/sdc bs=1MB count=2049 +dd if=/dev/zero of=/dev/sdd bs=1MB count=2049 +mdadm -C /dev/md0 -amd -R -l5 -n3 -x0 /dev/sd[abc] -z 2097152 +\# Ensure array stores non-zero data +dd if=/root/data_4GB.iso of=/dev/md0 bs=1MB +\# Start replacement +mdadm /dev/md0 -a /dev/sdd +mdadm /dev/md0 --replace /dev/sda + +Then, Hot-plug out /dev/sda during recovery, and wait for recovery done. +echo check > /sys/block/md0/md/sync_action +cat /sys/block/md0/md/mismatch_cnt # it will be greater than 0. + +Soon after you hot-plug out /dev/sda, you will see many WARN_ON +messages. The replacement recovery will be interrupted shortly. After +the recovery finishes, it will result in data corruption. + +Actually, it's just an unhandled case of replacement. 
In commit + (md/raid5: fix interaction of 'replace' and 'recovery'.), +if a NeedReplace device is not UPTODATE then that is an error, the +commit just simply print WARN_ON but also mark these corrupted stripes +with R5_WantReplace. (it means it's ready for writes.) + +To fix this case, we can leverage 'sync and replace' mode mentioned in +commit <9a3e1101b827> (md/raid5: detect and handle replacements during +recovery.). We can add logics to detect and use 'sync and replace' mode +for these stripes. + +Reported-by: Alex Chen +Reviewed-by: Alex Wu +Reviewed-by: Chung-Chiang Cheng +Signed-off-by: BingJing Chang +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid5.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -3703,6 +3703,12 @@ static void analyse_stripe(struct stripe + s->failed++; + if (rdev && !test_bit(Faulty, &rdev->flags)) + do_recovery = 1; ++ else if (!rdev) { ++ rdev = rcu_dereference( ++ conf->disks[i].replacement); ++ if (rdev && !test_bit(Faulty, &rdev->flags)) ++ do_recovery = 1; ++ } + } + } + if (test_bit(STRIPE_SYNCING, &sh->state)) { diff --git a/queue-3.18/mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch b/queue-3.18/mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch new file mode 100644 index 00000000000..3fa327ad67a --- /dev/null +++ b/queue-3.18/mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch 
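Review bot: The added `else if (!rdev) { … }` branch in analyse_stripe() carries no comment, so the reason for re-reading `conf->disks[i].replacement` lives only in the commit description. A short comment such as `/* original is gone: let a healthy replacement drive recovery ('sync and replace') */` would keep that reasoning with the code. Kernel coding style also asks for braces on the `if` arm once the `else` arm has them. The function starts and ends outside the hunk, so the RCU read-side section that `rcu_dereference()` relies on is assumed to be held by the enclosing code.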
@@ -0,0 +1,61 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Zumeng Chen +Date: Wed, 4 Jul 2018 12:35:29 +0800 +Subject: mfd: ti_am335x_tscadc: Fix struct clk memory leak + +From: Zumeng Chen + +[ Upstream commit c2b1509c77a99a0dcea0a9051ca743cb88385f50 ] + +Use devm_elk_get() to let Linux manage struct clk memory to avoid the following +memory leakage report: + +unreferenced object 0xdd75efc0 (size 64): + comm "systemd-udevd", pid 186, jiffies 4294945126 (age 1195.750s) + hex dump (first 32 bytes): + 61 64 63 5f 74 73 63 5f 66 63 6b 00 00 00 00 00 adc_tsc_fck..... + 00 00 00 00 92 03 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmemleak_alloc+0x40/0x74 + [] __kmalloc_track_caller+0x198/0x388 + [] kstrdup+0x40/0x5c + [] kstrdup_const+0x30/0x3c + [] __clk_create_clk+0x60/0xac + [] clk_get_sys+0x74/0x144 + [] clk_get+0x5c/0x68 + [] ti_tscadc_probe+0x260/0x468 [ti_am335x_tscadc] + [] platform_drv_probe+0x60/0xac + [] driver_probe_device+0x214/0x2dc + [] __driver_attach+0x94/0xc0 + [] bus_for_each_dev+0x90/0xa0 + [] driver_attach+0x28/0x30 + [] bus_add_driver+0x184/0x1ec + [] driver_register+0xb0/0xf0 + [] __platform_driver_register+0x40/0x54 + +Signed-off-by: Zumeng Chen +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/ti_am335x_tscadc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/mfd/ti_am335x_tscadc.c ++++ b/drivers/mfd/ti_am335x_tscadc.c +@@ -227,14 +227,13 @@ static int ti_tscadc_probe(struct platfo + * The TSC_ADC_SS controller design assumes the OCP clock is + * at least 6x faster than the ADC clock. 
+ */ +- clk = clk_get(&pdev->dev, "adc_tsc_fck"); ++ clk = devm_clk_get(&pdev->dev, "adc_tsc_fck"); + if (IS_ERR(clk)) { + dev_err(&pdev->dev, "failed to get TSC fck\n"); + err = PTR_ERR(clk); + goto err_disable_clk; + } + clock_rate = clk_get_rate(clk); +- clk_put(clk); + tscadc->clk_div = clock_rate / ADC_CLK; + + /* TSCADC_CLKDIV needs to be configured to the value minus 1 */ diff --git a/queue-3.18/mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch b/queue-3.18/mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch new file mode 100644 index 00000000000..6c64dcb100a --- /dev/null +++ b/queue-3.18/mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch 
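Review bot: `clock_rate` from clk_get_rate() is divided straight into `tscadc->clk_div` with no check for a zero or too-low rate, and the comment that follows says the register takes the value minus 1. The decrement itself is outside the hunk, but with `clk_div == 0` it would presumably wrap. A guard after the division, `if (!tscadc->clk_div) { err = -EINVAL; goto err_disable_clk; }`, would reject that configuration on the existing error path. ti_tscadc_probe() continues outside the hunk.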
@@ -0,0 +1,50 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Paul Burton +Date: Fri, 27 Jul 2018 18:23:19 -0700 +Subject: MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET + +From: Paul Burton + +[ Upstream commit 0494d7ffdcebc6935410ea0719b24ab626675351 ] + +isa_virt_to_bus() & isa_bus_to_virt() claim to treat ISA bus addresses +as being identical to physical addresses, but they fail to do so in the +presence of a non-zero PHYS_OFFSET. + +Correct this by having them use virt_to_phys() & phys_to_virt(), which +consolidates the calculations to one place & ensures that ISA bus +addresses do indeed match physical addresses. + +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20047/ +Cc: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: Vladimir Kondratiev +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/io.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/mips/include/asm/io.h ++++ b/arch/mips/include/asm/io.h +@@ -141,14 +141,14 @@ static inline void * phys_to_virt(unsign + /* + * ISA I/O bus memory addresses are 1:1 with the physical address. + */ +-static inline unsigned long isa_virt_to_bus(volatile void * address) ++static inline unsigned long isa_virt_to_bus(volatile void *address) + { +- return (unsigned long)address - PAGE_OFFSET; ++ return virt_to_phys(address); + } + +-static inline void * isa_bus_to_virt(unsigned long address) ++static inline void *isa_bus_to_virt(unsigned long address) + { +- return (void *)(address + PAGE_OFFSET); ++ return phys_to_virt(address); + } + + #define isa_page_to_bus page_to_phys diff --git a/queue-3.18/mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch b/queue-3.18/mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch new file mode 100644 index 00000000000..513c567b25d --- /dev/null +++ b/queue-3.18/mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch 
@@ -0,0 +1,46 @@ +From foo@baz Mon Sep 17 11:45:58 CEST 2018 +From: Paul Burton +Date: Fri, 25 Nov 2016 18:46:09 +0000 +Subject: MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON + +From: Paul Burton + +[ Upstream commit d4da0e97baea8768b3d66ccef3967bebd50dfc3b ] + +If a driver causes DMA cache maintenance with a zero length then we +currently BUG and kill the kernel. As this is a scenario that we may +well be able to recover from, WARN & return in the condition instead. + +Signed-off-by: Paul Burton +Acked-by: Florian Fainelli +Patchwork: https://patchwork.linux-mips.org/patch/14623/ +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/c-r4k.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -703,7 +703,8 @@ static void r4k_flush_icache_range(unsig + static void r4k_dma_cache_wback_inv(unsigned long addr, unsigned long size) + { + /* Catch bad driver code */ +- BUG_ON(size == 0); ++ if (WARN_ON(size == 0)) ++ return; + + preempt_disable(); + if (cpu_has_inclusive_pcaches) { +@@ -736,7 +737,8 @@ static void r4k_dma_cache_wback_inv(unsi + static void r4k_dma_cache_inv(unsigned long addr, unsigned long size) + { + /* Catch bad driver code */ +- BUG_ON(size == 0); ++ if (WARN_ON(size == 0)) ++ return; + + preempt_disable(); + if (cpu_has_inclusive_pcaches) { diff --git a/queue-3.18/net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch b/queue-3.18/net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch new file mode 100644 index 00000000000..398c3c4f1ff --- /dev/null +++ b/queue-3.18/net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch 
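Review bot: `WARN_ON(size == 0)` in r4k_dma_cache_wback_inv() fires on every call, so a driver that repeatedly issues zero-length maintenance emits a full backtrace each time and can flood the log; the same applies to the second hunk in r4k_dma_cache_inv(). `if (WARN_ON_ONCE(size == 0))` followed by `return;` keeps the diagnostic and the early return while bounding the output. A system running with panic_on_warn will still stop at this check, so the "recoverable" behaviour depends on that setting.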
@@ -0,0 +1,72 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Petr Machata +Date: Fri, 27 Jul 2018 15:26:55 +0300 +Subject: net: dcb: For wild-card lookups, use priority -1, not 0 + +From: Petr Machata + +[ Upstream commit 08193d1a893c802c4b807e4d522865061f4e9f4f ] + +The function dcb_app_lookup walks the list of specified DCB APP entries, +looking for one that matches a given criteria: ifindex, selector, +protocol ID and optionally also priority. The "don't care" value for +priority is set to 0, because that priority has not been allowed under +CEE regime, which predates the IEEE standardization. + +Under IEEE, 0 is a valid priority number. But because dcb_app_lookup +considers zero a wild card, attempts to add an APP entry with priority 0 +fail when other entries exist for a given ifindex / selector / PID +triplet. + +Fix by changing the wild-card value to -1. + +Signed-off-by: Petr Machata +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/dcb/dcbnl.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -1728,7 +1728,7 @@ static struct dcb_app_type *dcb_app_look + if (itr->app.selector == app->selector && + itr->app.protocol == app->protocol && + itr->ifindex == ifindex && +- (!prio || itr->app.priority == prio)) ++ ((prio == -1) || itr->app.priority == prio)) + return itr; + } + +@@ -1763,7 +1763,8 @@ u8 dcb_getapp(struct net_device *dev, st + u8 prio = 0; + + spin_lock_bh(&dcb_lock); +- if ((itr = dcb_app_lookup(app, dev->ifindex, 0))) ++ itr = dcb_app_lookup(app, dev->ifindex, -1); ++ if (itr) + prio = itr->app.priority; + spin_unlock_bh(&dcb_lock); + +@@ -1791,7 +1792,8 @@ int dcb_setapp(struct net_device *dev, s + + spin_lock_bh(&dcb_lock); + /* Search for existing match and replace */ +- if ((itr = dcb_app_lookup(new, dev->ifindex, 0))) { ++ itr = dcb_app_lookup(new, dev->ifindex, -1); ++ if (itr) { + 
if (new->priority) + itr->app.priority = new->priority; + else { +@@ -1824,7 +1826,8 @@ u8 dcb_ieee_getapp_mask(struct net_devic + u8 prio = 0; + + spin_lock_bh(&dcb_lock); +- if ((itr = dcb_app_lookup(app, dev->ifindex, 0))) ++ itr = dcb_app_lookup(app, dev->ifindex, -1); ++ if (itr) + prio |= 1 << itr->app.priority; + spin_unlock_bh(&dcb_lock); + diff --git a/queue-3.18/net-mvneta-fix-mtu-change-on-port-without-link.patch b/queue-3.18/net-mvneta-fix-mtu-change-on-port-without-link.patch new file mode 100644 index 00000000000..a90e9f8ada7 --- /dev/null +++ b/queue-3.18/net-mvneta-fix-mtu-change-on-port-without-link.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Yelena Krivosheev +Date: Wed, 18 Jul 2018 18:10:51 +0200 +Subject: net: mvneta: fix mtu change on port without link + +From: Yelena Krivosheev + +[ Upstream commit 8466baf788ec3e18836bd9c91ba0b1a07af25878 ] + +It is incorrect to enable TX/RX queues (call by mvneta_port_up()) for +port without link. Indeed MTU change for interface without link causes TX +queues to stuck. + +Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP +network unit") +Signed-off-by: Yelena Krivosheev +[gregory.clement: adding Fixes tags and rewording commit log] +Signed-off-by: Gregory CLEMENT +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvneta.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -2477,7 +2477,6 @@ static int mvneta_change_mtu(struct net_ + } + + mvneta_start_dev(pp); +- mvneta_port_up(pp); + + netdev_update_features(dev); + diff --git a/queue-3.18/partitions-aix-append-null-character-to-print-data-from-disk.patch b/queue-3.18/partitions-aix-append-null-character-to-print-data-from-disk.patch new file mode 100644 index 00000000000..b3659a223ea --- /dev/null 
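Review bot: The wild-card is now the bare literal `-1`, compared with `prio == -1` in dcb_app_lookup() and passed at three call sites, and the comparison only works if the `prio` parameter is a signed type. The signature is outside the hunk, so that should be confirmed (with a `u8` parameter the wild-card would never match). A named constant, for example `#define DCB_APP_PRIO_ANY (-1)` (the name is only a suggestion), would document the intent and keep the sites in step. In dcb_setapp() the visible `if (new->priority)` test still treats priority 0 as a request to drop the entry, which may be intended for that path but deserves a comment now that the description calls 0 a valid IEEE priority.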
+++ b/queue-3.18/partitions-aix-append-null-character-to-print-data-from-disk.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Mauricio Faria de Oliveira +Date: Wed, 25 Jul 2018 22:46:29 -0300 +Subject: partitions/aix: append null character to print data from disk + +From: Mauricio Faria de Oliveira + +[ Upstream commit d43fdae7bac2def8c4314b5a49822cb7f08a45f1 ] + +Even if properly initialized, the lvname array (i.e., strings) +is read from disk, and might contain corrupt data (e.g., lack +the null terminating character for strings). + +So, make sure the partition name string used in pr_warn() has +the null terminating character. + +Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files") +Suggested-by: Daniel J. Axtens +Signed-off-by: Mauricio Faria de Oliveira +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/aix.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/block/partitions/aix.c ++++ b/block/partitions/aix.c +@@ -281,10 +281,14 @@ int aix_partition(struct parsed_partitio + next_lp_ix += 1; + } + for (i = 0; i < state->limit; i += 1) +- if (lvip[i].pps_found && !lvip[i].lv_is_contiguous) ++ if (lvip[i].pps_found && !lvip[i].lv_is_contiguous) { ++ char tmp[sizeof(n[i].name) + 1]; // null char ++ ++ snprintf(tmp, sizeof(tmp), "%s", n[i].name); + pr_warn("partition %s (%u pp's found) is " + "not contiguous\n", +- n[i].name, lvip[i].pps_found); ++ tmp, lvip[i].pps_found); ++ } + kfree(pvd); + } + kfree(n); diff --git a/queue-3.18/partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch b/queue-3.18/partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch new file mode 100644 index 00000000000..617c54bf456 --- /dev/null +++ b/queue-3.18/partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch 
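Review bot: `snprintf(tmp, sizeof(tmp), "%s", n[i].name)` bounds the write but not the read: `%s` without a precision requires a terminated source, so an unterminated on-disk name is still scanned past the end of `n[i].name` to find its length. Giving the conversion a precision bounds the read and removes the need for the temporary: `pr_warn("partition %.*s (%u pp's found) is not contiguous\n", (int)sizeof(n[i].name), n[i].name, lvip[i].pps_found);`. If the buffer is kept, the `// null char` comment would read better as `/* +1 for the terminating NUL */`.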
@@ -0,0 +1,58 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Mauricio Faria de Oliveira +Date: Wed, 25 Jul 2018 22:46:28 -0300 +Subject: partitions/aix: fix usage of uninitialized lv_info and lvname structures + +From: Mauricio Faria de Oliveira + +[ Upstream commit 14cb2c8a6c5dae57ee3e2da10fa3db2b9087e39e ] + +The if-block that sets a successful return value in aix_partition() +uses 'lvip[].pps_per_lv' and 'n[].name' potentially uninitialized. + +For example, if 'numlvs' is zero or alloc_lvn() fails, neither is +initialized, but are used anyway if alloc_pvd() succeeds after it. + +So, make the alloc_pvd() call conditional on their initialization. + +This has been hit when attaching an apparently corrupted/stressed +AIX LUN, misleading the kernel to pr_warn() invalid data and hang. + + [...] partition (null) (11 pp's found) is not contiguous + [...] partition (null) (2 pp's found) is not contiguous + [...] partition (null) (3 pp's found) is not contiguous + [...] partition (null) (64 pp's found) is not contiguous + +Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files") +Signed-off-by: Mauricio Faria de Oliveira +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/aix.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/block/partitions/aix.c ++++ b/block/partitions/aix.c +@@ -177,7 +177,7 @@ int aix_partition(struct parsed_partitio + u32 vgda_sector = 0; + u32 vgda_len = 0; + int numlvs = 0; +- struct pvd *pvd; ++ struct pvd *pvd = NULL; + struct lv_info { + unsigned short pps_per_lv; + unsigned short pps_found; +@@ -231,10 +231,11 @@ int aix_partition(struct parsed_partitio + if (lvip[i].pps_per_lv) + foundlvs += 1; + } ++ /* pvd loops depend on n[].name and lvip[].pps_per_lv */ ++ pvd = alloc_pvd(state, vgda_sector + 17); + } + put_dev_sector(sect); + } +- pvd = alloc_pvd(state, vgda_sector + 17); + if (pvd) { + int numpps = be16_to_cpu(pvd->pp_count); + int 
psn_part1 = be32_to_cpu(pvd->psn_part1); diff --git a/queue-3.18/scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch b/queue-3.18/scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch new file mode 100644 index 00000000000..2b16fe6c4fc --- /dev/null +++ b/queue-3.18/scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch 
@@ -0,0 +1,105 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Anton Vasilyev +Date: Fri, 27 Jul 2018 16:51:57 +0300 +Subject: scsi: 3ware: fix return 0 on the error path of probe + +From: Anton Vasilyev + +[ Upstream commit 4dc98c1995482262e70e83ef029135247fafe0f2 ] + +tw_probe() returns 0 in case of fail of tw_initialize_device_extension(), +pci_resource_start() or tw_reset_sequence() and releases resources. +twl_probe() returns 0 in case of fail of twl_initialize_device_extension(), +pci_iomap() and twl_reset_sequence(). twa_probe() returns 0 in case of +fail of tw_initialize_device_extension(), ioremap() and +twa_reset_sequence(). + +The patch adds retval initialization for these cases. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Acked-by: Adam Radford +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/3w-9xxx.c | 6 +++++- + drivers/scsi/3w-sas.c | 3 +++ + drivers/scsi/3w-xxxx.c | 2 ++ + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/3w-9xxx.c ++++ b/drivers/scsi/3w-9xxx.c +@@ -2057,6 +2057,7 @@ static int twa_probe(struct pci_dev *pde + + if (twa_initialize_device_extension(tw_dev)) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x25, "Failed to initialize device extension"); ++ retval = -ENOMEM; + goto out_free_device_extension; + } + +@@ -2079,6 +2080,7 @@ static int twa_probe(struct pci_dev *pde + tw_dev->base_addr = ioremap(mem_addr, mem_len); + if (!tw_dev->base_addr) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x35, "Failed to ioremap"); ++ retval = -ENOMEM; + goto out_release_mem_region; + } + +@@ -2086,8 +2088,10 @@ static int twa_probe(struct pci_dev *pde + TW_DISABLE_INTERRUPTS(tw_dev); + + /* Initialize the card */ +- if (twa_reset_sequence(tw_dev, 0)) ++ if (twa_reset_sequence(tw_dev, 0)) { ++ retval = -ENOMEM; + goto out_iounmap; ++ } + + /* Set host specific parameters */ + if ((pdev->device == 
PCI_DEVICE_ID_3WARE_9650SE) || +--- a/drivers/scsi/3w-sas.c ++++ b/drivers/scsi/3w-sas.c +@@ -1613,6 +1613,7 @@ static int twl_probe(struct pci_dev *pde + + if (twl_initialize_device_extension(tw_dev)) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1a, "Failed to initialize device extension"); ++ retval = -ENOMEM; + goto out_free_device_extension; + } + +@@ -1627,6 +1628,7 @@ static int twl_probe(struct pci_dev *pde + tw_dev->base_addr = pci_iomap(pdev, 1, 0); + if (!tw_dev->base_addr) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1c, "Failed to ioremap"); ++ retval = -ENOMEM; + goto out_release_mem_region; + } + +@@ -1636,6 +1638,7 @@ static int twl_probe(struct pci_dev *pde + /* Initialize the card */ + if (twl_reset_sequence(tw_dev, 0)) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1d, "Controller reset failed during probe"); ++ retval = -ENOMEM; + goto out_iounmap; + } + +--- a/drivers/scsi/3w-xxxx.c ++++ b/drivers/scsi/3w-xxxx.c +@@ -2291,6 +2291,7 @@ static int tw_probe(struct pci_dev *pdev + + if (tw_initialize_device_extension(tw_dev)) { + printk(KERN_WARNING "3w-xxxx: Failed to initialize device extension."); ++ retval = -ENOMEM; + goto out_free_device_extension; + } + +@@ -2305,6 +2306,7 @@ static int tw_probe(struct pci_dev *pdev + tw_dev->base_addr = pci_resource_start(pdev, 0); + if (!tw_dev->base_addr) { + printk(KERN_WARNING "3w-xxxx: Failed to get io address."); ++ retval = -ENOMEM; + goto out_release_mem_region; + } + diff --git a/queue-3.18/scsi-target-fix-__transport_register_session-locking.patch b/queue-3.18/scsi-target-fix-__transport_register_session-locking.patch new file mode 100644 index 00000000000..0fcf2200c80 --- /dev/null +++ b/queue-3.18/scsi-target-fix-__transport_register_session-locking.patch 
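Review bot: The two 3w-xxxx.c hunks assign retval for the device-extension and io-address failures only, although the description also lists tw_reset_sequence() among the tw_probe() paths that return 0. That branch is outside the hunks, so it should be checked that it does not still report success after the cleanup labels have released the resources. Separately, `retval = -ENOMEM` is used for every failure, including the controller-reset failures in twa_probe() and twl_probe(), where `-ENODEV` or `-EIO` would describe the condition more accurately to the caller. The twa_probe() reset branch also stays silent, unlike the twl_probe() one, which prints "Controller reset failed during probe".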
@@ -0,0 +1,54 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Mike Christie +Date: Thu, 2 Aug 2018 12:12:20 -0500 +Subject: scsi: target: fix __transport_register_session locking + +From: Mike Christie + +[ Upstream commit 6a64f6e1591322beb8ce16e952a53582caf2a15c ] + +When __transport_register_session is called from transport_register_session +irqs will already have been disabled, so we do not want the unlock irq call +to enable them until the higher level has done the final +spin_unlock_irqrestore/ spin_unlock_irq. + +This has __transport_register_session use the save/restore call. + +Signed-off-by: Mike Christie +Reviewed-by: Bart Van Assche +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_transport.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -323,6 +323,7 @@ void __transport_register_session( + void *fabric_sess_ptr) + { + unsigned char buf[PR_REG_ISID_LEN]; ++ unsigned long flags; + + se_sess->se_tpg = se_tpg; + se_sess->fabric_sess_ptr = fabric_sess_ptr; +@@ -345,7 +346,7 @@ void __transport_register_session( + } + kref_get(&se_nacl->acl_kref); + +- spin_lock_irq(&se_nacl->nacl_sess_lock); ++ spin_lock_irqsave(&se_nacl->nacl_sess_lock, flags); + /* + * The se_nacl->nacl_sess pointer will be set to the + * last active I_T Nexus for each struct se_node_acl. +@@ -354,7 +355,7 @@ void __transport_register_session( + + list_add_tail(&se_sess->sess_acl_list, + &se_nacl->acl_sess_list); +- spin_unlock_irq(&se_nacl->nacl_sess_lock); ++ spin_unlock_irqrestore(&se_nacl->nacl_sess_lock, flags); + } + list_add_tail(&se_sess->sess_list, &se_tpg->tpg_sess_list); + diff --git a/queue-3.18/series b/queue-3.18/series index aaea9bc4d22..158c87ee995 100644 --- a/queue-3.18/series +++ b/queue-3.18/series 
@@ -36,3 +36,30 @@ kthread-fix-use-after-free-if-kthread-fork-fails.patch
 kthread-fix-boot-hang-regression-on-mips-openrisc.patch
 staging-rt5208-fix-a-sleep-in-atomic-bug-in-xd_copy_page.patch
 staging-rts5208-fix-read-overflow-in-memcpy.patch
+bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch
+scsi-target-fix-__transport_register_session-locking.patch
+md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch
+uio-potential-double-frees-if-__uio_register_device-fails.patch
+tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch
+macintosh-via-pmu-add-missing-mmio-accessors.patch
+ath10k-prevent-active-scans-on-potential-unusable-channels.patch
+mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch
+ata-libahci-correct-setting-of-devslp-register.patch
+scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch
+bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch
+x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch
+x86-kexec-allocate-8k-pgds-for-pti.patch
+gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch
+net-mvneta-fix-mtu-change-on-port-without-link.patch
+net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch
+partitions-aix-append-null-character-to-print-data-from-disk.patch
+partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch
+mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch
+f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch
+alsa-riptide-properly-endian-notations.patch
+alsa-wss-fix-sparse-warning-wrt-pcm-format-type.patch
+alsa-sb-fix-pcm-format-bit-calculation.patch
+alsa-asihpi-fix-pcm-format-notations.patch
+alsa-ad1816a-fix-sparse-warning-wrt-pcm-format-type.patch
+alsa-sb-fix-sparse-warning-wrt-pcm-format-type.patch
+mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch
diff --git a/queue-3.18/tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch b/queue-3.18/tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch new file mode 100644 index 00000000000..f4b90fa8e44 --- /dev/null +++ b/queue-3.18/tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Sep 17 11:45:57 CEST 2018 +From: Anton Vasilyev +Date: Fri, 27 Jul 2018 16:39:31 +0300 +Subject: tty: rocket: Fix possible buffer overwrite on register_PCI + +From: Anton Vasilyev + +[ Upstream commit 0419056ec8fd01ddf5460d2dba0491aad22657dd ] + +If number of isa and pci boards exceed NUM_BOARDS on the path +rp_init()->init_PCI()->register_PCI() then buffer overwrite occurs +in register_PCI() on assign rcktpt_io_addr[i]. + +The patch adds check on upper bound for index of registered +board in register_PCI. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/rocket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/rocket.c ++++ b/drivers/tty/rocket.c +@@ -1928,7 +1928,7 @@ static __init int register_PCI(int i, st + ByteIO_t UPCIRingInd = 0; + + if (!dev || !pci_match_id(rocket_pci_ids, dev) || +- pci_enable_device(dev)) ++ pci_enable_device(dev) || i >= NUM_BOARDS) + return 0; + + rcktpt_io_addr[i] = pci_resource_start(dev, 0); diff --git a/queue-3.18/uio-potential-double-frees-if-__uio_register_device-fails.patch b/queue-3.18/uio-potential-double-frees-if-__uio_register_device-fails.patch new file mode 100644 index 00000000000..2cee82953c7 --- /dev/null +++ b/queue-3.18/uio-potential-double-frees-if-__uio_register_device-fails.patch 
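Review bot: The new `i >= NUM_BOARDS` test is the last operand of the `||` chain, so it is evaluated only after `pci_enable_device(dev)` has succeeded, and a board beyond the limit is then left enabled when register_PCI() returns 0. Testing the index first avoids touching the device at all: `if (i >= NUM_BOARDS || !dev || !pci_match_id(rocket_pci_ids, dev) ||` with `pci_enable_device(dev))` on the next line. `i` is a signed `int` per the signature in the hunk header, so a lower bound is needed only if callers can pass a negative index, which is not visible here.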
@@ -0,0 +1,45 @@
+From foo@baz Mon Sep 17 11:45:57 CEST 2018
+From: Dan Carpenter
+Date: Thu, 2 Aug 2018 11:24:47 +0300
+Subject: uio: potential double frees if __uio_register_device() fails
+
+From: Dan Carpenter
+
+[ Upstream commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 ]
+
+The uio_unregister_device() function assumes that if "info->uio_dev" is
+non-NULL that means "info" is fully allocated. Setting info->uio_de
+has to be the last thing in the function.
+
+In the current code, if request_threaded_irq() fails then we return with
+info->uio_dev set to non-NULL but info is not fully allocated and it can
+lead to double frees.
+
+Fixes: beafc54c4e2f ("UIO: Add the User IO core code")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/uio/uio.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -832,8 +832,6 @@ int __uio_register_device(struct module
+ if (ret)
+ goto err_uio_dev_add_attributes;
+
+- info->uio_dev = idev;
+-
+ if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) {
+ ret = devm_request_irq(idev->dev, info->irq, uio_interrupt,
+ info->irq_flags, info->name, idev);
+@@ -841,6 +839,7 @@ int __uio_register_device(struct module
+ goto err_request_irq;
+ }
+
++ info->uio_dev = idev;
+ return 0;
+
+ err_request_irq:
diff --git a/queue-3.18/x86-kexec-allocate-8k-pgds-for-pti.patch b/queue-3.18/x86-kexec-allocate-8k-pgds-for-pti.patch
new file mode 100644
index 00000000000..76924003ab7
--- /dev/null
+++ b/queue-3.18/x86-kexec-allocate-8k-pgds-for-pti.patch
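Review bot: Moving `info->uio_dev = idev;` below `devm_request_irq()` leaves the interrupt line live while `info->uio_dev` is still NULL, so an interrupt delivered right after the request runs its handler before the assignment. If uio_interrupt() or a driver handler reached from it reads `info->uio_dev` (not visible in this hunk), that is a NULL dereference in interrupt context. An alternative that closes the double-free path without opening this window is to keep the early assignment and reset it on failure, `info->uio_dev = NULL;` just before `goto err_request_irq;`. __uio_register_device() starts and ends outside the hunk, so the error labels could not be checked here.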
@@ -0,0 +1,82 @@
+From foo@baz Mon Sep 17 11:45:57 CEST 2018
+From: Joerg Roedel
+Date: Wed, 25 Jul 2018 17:48:03 +0200
+Subject: x86/kexec: Allocate 8k PGDs for PTI
+
+From: Joerg Roedel
+
+[ Upstream commit ca38dc8f2724d101038b1205122c93a1c7f38f11 ]
+
+Fuzzing the PTI-x86-32 code with trinity showed unhandled
+kernel paging request oops-messages that looked a lot like
+silent data corruption.
+
+Lot's of debugging and testing lead to the kexec-32bit code,
+which is still allocating 4k PGDs when PTI is enabled. But
+since it uses native_set_pud() to build the page-table, it
+will unevitably call into __pti_set_user_pgtbl(), which
+writes beyond the allocated 4k page.
+
+Use PGD_ALLOCATION_ORDER to allocate PGDs in the kexec code
+to fix the issue.
+
+Signed-off-by: Joerg Roedel
+Signed-off-by: Thomas Gleixner
+Tested-by: David H. Gutteridge
+Cc: "H . Peter Anvin"
+Cc: linux-mm@kvack.org
+Cc: Linus Torvalds
+Cc: Andy Lutomirski
+Cc: Dave Hansen
+Cc: Josh Poimboeuf
+Cc: Juergen Gross
+Cc: Peter Zijlstra
+Cc: Borislav Petkov
+Cc: Jiri Kosina
+Cc: Boris Ostrovsky
+Cc: Brian Gerst
+Cc: David Laight
+Cc: Denys Vlasenko
+Cc: Eduardo Valentin
+Cc: Greg KH
+Cc: Will Deacon
+Cc: aliguori@amazon.com
+Cc: daniel.gruss@iaik.tugraz.at
+Cc: hughd@google.com
+Cc: keescook@google.com
+Cc: Andrea Arcangeli
+Cc: Waiman Long
+Cc: Pavel Machek
+Cc: Arnaldo Carvalho de Melo
+Cc: Alexander Shishkin
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: joro@8bytes.org
+Link: https://lkml.kernel.org/r/1532533683-5988-4-git-send-email-joro@8bytes.org
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/machine_kexec_32.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/machine_kexec_32.c
++++ b/arch/x86/kernel/machine_kexec_32.c
+@@ -69,7 +69,7 @@ static void load_segments(void)
+
+ static void machine_kexec_free_page_tables(struct kimage *image)
+ {
+- free_page((unsigned long)image->arch.pgd);
++ free_pages((unsigned long)image->arch.pgd, PGD_ALLOCATION_ORDER);
+ image->arch.pgd = NULL;
+ #ifdef CONFIG_X86_PAE
+ free_page((unsigned long)image->arch.pmd0);
+@@ -85,7 +85,8 @@ static void machine_kexec_free_page_tabl
+
+ static int machine_kexec_alloc_page_tables(struct kimage *image)
+ {
+- image->arch.pgd = (pgd_t *)get_zeroed_page(GFP_KERNEL);
++ image->arch.pgd = (pgd_t *)__get_free_pages(GFP_KERNEL | __GFP_ZERO,
++ PGD_ALLOCATION_ORDER);
+ #ifdef CONFIG_X86_PAE
+ image->arch.pmd0 = (pmd_t *)get_zeroed_page(GFP_KERNEL);
+ image->arch.pmd1 = (pmd_t *)get_zeroed_page(GFP_KERNEL);
diff --git a/queue-3.18/x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch b/queue-3.18/x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch
new file mode 100644
index 00000000000..4b57e37815c
--- /dev/null
+++ b/queue-3.18/x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch
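Review bot: Both new calls depend on `PGD_ALLOCATION_ORDER` being defined for 32-bit builds, and nothing in this hunk shows that the 3.18 tree provides it for arch/x86/kernel/machine_kexec_32.c; a CONFIG_X86_32 build with kexec enabled is worth running before this is queued. The allocation and the free now have to stay paired on the same order, which a short comment at the allocation would record, e.g. `/* PGD spans 2^PGD_ALLOCATION_ORDER pages because PTI also writes the user copy; free with free_pages() */`. Both functions continue outside the hunk, so the NULL check on the allocation result could not be confirmed here.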
@@ -0,0 +1,63 @@
+From foo@baz Mon Sep 17 11:45:57 CEST 2018
+From: Joerg Roedel
+Date: Wed, 25 Jul 2018 17:48:01 +0200
+Subject: x86/mm: Remove in_nmi() warning from vmalloc_fault()
+
+From: Joerg Roedel
+
+[ Upstream commit 6863ea0cda8725072522cd78bda332d9a0b73150 ]
+
+It is perfectly okay to take page-faults, especially on the
+vmalloc area while executing an NMI handler. Remove the
+warning.
+
+Signed-off-by: Joerg Roedel
+Signed-off-by: Thomas Gleixner
+Tested-by: David H. Gutteridge
+Cc: "H . Peter Anvin"
+Cc: linux-mm@kvack.org
+Cc: Linus Torvalds
+Cc: Andy Lutomirski
+Cc: Dave Hansen
+Cc: Josh Poimboeuf
+Cc: Juergen Gross
+Cc: Peter Zijlstra
+Cc: Borislav Petkov
+Cc: Jiri Kosina
+Cc: Boris Ostrovsky
+Cc: Brian Gerst
+Cc: David Laight
+Cc: Denys Vlasenko
+Cc: Eduardo Valentin
+Cc: Greg KH
+Cc: Will Deacon
+Cc: aliguori@amazon.com
+Cc: daniel.gruss@iaik.tugraz.at
+Cc: hughd@google.com
+Cc: keescook@google.com
+Cc: Andrea Arcangeli
+Cc: Waiman Long
+Cc: Pavel Machek
+Cc: Arnaldo Carvalho de Melo
+Cc: Alexander Shishkin
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: joro@8bytes.org
+Link: https://lkml.kernel.org/r/1532533683-5988-2-git-send-email-joro@8bytes.org
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/fault.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -271,8 +271,6 @@ static noinline int vmalloc_fault(unsign
+ if (!(address >= VMALLOC_START && address < VMALLOC_END))
+ return -1;
+
+- WARN_ON_ONCE(in_nmi());
+-
+ /*
+ * Synchronize this task's top level page-table
+ * with the 'reference' page table.