From: Greg Kroah-Hartman Date: Sun, 1 Apr 2018 08:56:28 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.103~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=69ce5afdf94b98da55b80a65fbf755f794b8859b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-pcm-potential-uninitialized-return-values.patch alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch
---
diff --git a/queue-4.4/alsa-pcm-potential-uninitialized-return-values.patch b/queue-4.4/alsa-pcm-potential-uninitialized-return-values.patch
new file mode 100644
index 00000000000..b2b38847b8a
--- /dev/null
+++ b/queue-4.4/alsa-pcm-potential-uninitialized-return-values.patch
@@ -0,0 +1,42 @@
+From 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 27 Mar 2018 16:07:52 +0300
+Subject: ALSA: pcm: potential uninitialized return values
+
+From: Dan Carpenter
+
+commit 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 upstream.
+
+Smatch complains that "tmp" can be uninitialized if we do a zero size
+write.
+
+Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
+Signed-off-by: Dan Carpenter
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/oss/pcm_oss.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -1361,7 +1361,7 @@ static ssize_t snd_pcm_oss_write2(struct
+ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const char __user *buf, size_t bytes)
+ {
+ size_t xfer = 0;
+- ssize_t tmp;
++ ssize_t tmp = 0;
+ struct snd_pcm_runtime *runtime = substream->runtime;
+
+ if (atomic_read(&substream->mmap_count))
+@@ -1468,7 +1468,7 @@ static ssize_t snd_pcm_oss_read2(struct
+ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __user *buf, size_t bytes)
+ {
+ size_t xfer = 0;
+- ssize_t tmp;
++ ssize_t tmp = 0;
+ struct snd_pcm_runtime *runtime = substream->runtime;
+
+ if (atomic_read(&substream->mmap_count))
diff --git a/queue-4.4/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch b/queue-4.4/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch
new file mode 100644
index 00000000000..47cc585fe16
--- /dev/null
+++ b/queue-4.4/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch
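Review bot: The added initializer `ssize_t tmp = 0;` in snd_pcm_oss_write1() (and the identical line in snd_pcm_oss_read1()) fixes the result of a zero-byte call, but the return statement that reads `tmp` lies outside the hunk, so a reader cannot tell from here that 0 is the value that path should yield rather than a bare silencer for the static checker. A short comment on the new line would settle that: `ssize_t tmp = 0; /* presumably returned as-is when bytes == 0: nothing transferred */`. Both functions continue past the hunk.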
@@ -0,0 +1,40 @@
+From 9066ae7ff5d89c0b5daa271e2d573540097a94fa Mon Sep 17 00:00:00 2001
+From: Stefan Roese
+Date: Mon, 26 Mar 2018 16:10:21 +0200
+Subject: ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
+
+From: Stefan Roese
+
+commit 9066ae7ff5d89c0b5daa271e2d573540097a94fa upstream.
+
+When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer
+will get mmapp'ed in 16KiB chunks. But this fails with the 2nd 16KiB
+area, as the page offset is outside of the VMA range (size), which is
+currently used as size parameter in snd_pcm_lib_default_mmap(). By
+using the DMA buffer size (dma_bytes) instead, the complete DMA buffer
+can be mmapp'ed and the issue is fixed.
+
+This issue was detected on an ARM platform (TI AM57xx) using the RME
+HDSP MADI PCIe soundcard.
+
+Fixes: 657b1989dacf ("ALSA: pcm - Use dma_mmap_coherent() if available")
+Signed-off-by: Stefan Roese
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/pcm_native.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -3408,7 +3408,7 @@ int snd_pcm_lib_default_mmap(struct snd_
+ area,
+ substream->runtime->dma_area,
+ substream->runtime->dma_addr,
+- area->vm_end - area->vm_start);
++ substream->runtime->dma_bytes);
+ #endif /* CONFIG_X86 */
+ /* mmap with fault handler */
+ area->vm_ops = &snd_pcm_vm_ops_data_fault;
diff --git a/queue-4.4/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch b/queue-4.4/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch
new file mode 100644
index 00000000000..1a7e906d5c6
--- /dev/null
+++ b/queue-4.4/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch
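Review bot: The replacement argument `substream->runtime->dma_bytes);` on the `+` line hands dma_mmap_coherent() the whole DMA buffer size instead of the VMA length, which at first sight reads as widening what user space may map; it is only safe because the helper is expected to bound `vm_pgoff` plus the VMA length against that size (the generic implementation does, as far as I recall) and because the caller is expected to have checked the requested offset and size against dma_bytes, and neither of those checks is visible in the hunk. A comment on the new argument would spare the next reader the same doubt: `substream->runtime->dma_bytes); /* whole buffer; the helper bounds vm_pgoff + len against it */`. snd_pcm_lib_default_mmap() begins and ends outside the hunk.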
@@ -0,0 +1,56 @@
+From 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 Mon Sep 17 00:00:00 2001
+From: Linus Walleij
+Date: Sat, 3 Mar 2018 23:29:03 +0100
+Subject: mtd: jedec_probe: Fix crash in jedec_read_mfr()
+
+From: Linus Walleij
+
+commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream.
+
+It turns out that the loop where we read manufacturer
+jedec_read_mfd() can under some circumstances get a
+CFI_MFR_CONTINUATION repeatedly, making the loop go
+over all banks and eventually hit the end of the
+map and crash because of an access violation:
+
+Unable to handle kernel paging request at virtual address c4980000
+pgd = (ptrval)
+[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000
+Internal error: Oops: 7 [#1] PREEMPT ARM
+CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150
+Hardware name: Gemini (Device Tree)
+PC is at jedec_probe_chip+0x6ec/0xcd0
+LR is at 0x4
+pc : [] lr : [<00000004>] psr: 60000013
+sp : c382dd18 ip : 0000ffff fp : 00000000
+r10: c0626388 r9 : 00020000 r8 : c0626340
+r7 : 00000000 r6 : 00000001 r5 : c3a71afc r4 : c382dd70
+r3 : 00000001 r2 : c4900000 r1 : 00000002 r0 : 00080000
+Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 0000397f Table: 00004000 DAC: 00000053
+Process swapper (pid: 1, stack limit = 0x(ptrval))
+
+Fix this by breaking the loop with a return 0 if
+the offset exceeds the map size.
+
+Fixes: 5c9c11e1c47c ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0")
+Cc:
+Signed-off-by: Linus Walleij
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/chips/jedec_probe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/chips/jedec_probe.c
++++ b/drivers/mtd/chips/jedec_probe.c
+@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct
+ do {
+ uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
+ mask = (1 << (cfi->device_type * 8)) - 1;
++ if (ofs >= map->size)
++ return 0;
+ result = map_read(map, base + ofs);
+ bank++;
+ } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);
diff --git a/queue-4.4/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch b/queue-4.4/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch
new file mode 100644
index 00000000000..627fa6cfd29
--- /dev/null
+++ b/queue-4.4/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch
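Review bot: The new guard `if (ofs >= map->size)` bounds only `ofs`, while the access it protects two lines below is `map_read(map, base + ofs)`; if `base` can be nonzero on this path (a chip probed at a nonzero offset within the map), the sum can still land past the end of the map, and a bank-width read that starts on the last byte would likewise overrun by a few bytes. Unless `base` is known to be 0 for every caller, the check should cover the address actually read, e.g. `if (base + ofs + map_bankwidth(map) > map->size) return 0;`. The meaning of the early `return 0;` (presumably "no manufacturer found") also deserves a one-line comment such as `/* ran off the end of the map: stop probing banks */`. jedec_read_mfr() begins and ends outside the hunk.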
@@ -0,0 +1,87 @@
+From f67b15037a7a50c57f72e69a6d59941ad90a0f0f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 26 Mar 2018 15:39:07 -1000
+Subject: perf/hwbp: Simplify the perf-hwbp code, fix documentation
+
+From: Linus Torvalds
+
+commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f upstream.
+
+Annoyingly, modify_user_hw_breakpoint() unnecessarily complicates the
+modification of a breakpoint - simplify it and remove the pointless
+local variables.
+
+Also update the stale Docbook while at it.
+
+Signed-off-by: Linus Torvalds
+Acked-by: Thomas Gleixner
+Cc:
+Cc: Alexander Shishkin
+Cc: Andy Lutomirski
+Cc: Arnaldo Carvalho de Melo
+Cc: Frederic Weisbecker
+Cc: Jiri Olsa
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Vince Weaver
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/events/hw_breakpoint.c | 30 +++++++----------------------
+ 1 file changed, 7 insertions(+), 23 deletions(-)
+
+--- a/kernel/events/hw_breakpoint.c
++++ b/kernel/events/hw_breakpoint.c
+@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_break
+ * modify_user_hw_breakpoint - modify a user-space hardware breakpoint
+ * @bp: the breakpoint structure to modify
+ * @attr: new breakpoint attributes
+- * @triggered: callback to trigger when we hit the breakpoint
+- * @tsk: pointer to 'task_struct' of the process to which the address belongs
+ */
+ int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *attr)
+ {
+- u64 old_addr = bp->attr.bp_addr;
+- u64 old_len = bp->attr.bp_len;
+- int old_type = bp->attr.bp_type;
+- int err = 0;
+-
+ /*
+ * modify_user_hw_breakpoint can be invoked with IRQs disabled and hence it
+ * will not be possible to raise IPIs that invoke __perf_event_disable.
+@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct per
+ bp->attr.bp_addr = attr->bp_addr;
+ bp->attr.bp_type = attr->bp_type;
+ bp->attr.bp_len = attr->bp_len;
++ bp->attr.disabled = 1;
+
+- if (attr->disabled)
+- goto end;
+-
+- err = validate_hw_breakpoint(bp);
+- if (!err)
+- perf_event_enable(bp);
++ if (!attr->disabled) {
++ int err = validate_hw_breakpoint(bp);
+
+- if (err) {
+- bp->attr.bp_addr = old_addr;
+- bp->attr.bp_type = old_type;
+- bp->attr.bp_len = old_len;
+- if (!bp->attr.disabled)
+- perf_event_enable(bp);
++ if (err)
++ return err;
+
+- return err;
++ perf_event_enable(bp);
++ bp->attr.disabled = 0;
+ }
+
+-end:
+- bp->attr.disabled = attr->disabled;
+-
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint);
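Review bot: On the new side `bp->attr.disabled = 1;` is stored before validate_hw_breakpoint() runs and the `return err;` path leaves it that way together with the just-copied bp_addr/bp_type/bp_len, whereas the removed lines restored the old address, type and length and re-enabled the event on failure, so a rejected modification now leaves the breakpoint disabled and carrying attributes that never validated. That may be the intended contract, but it is stated nowhere: the kernel-doc hunk at `+@@ -427,16 +427,9 @@` removes the stale `@triggered`/`@tsk` entries and adds nothing about the result, so I would add `* Return: 0 on success or the error from validate_hw_breakpoint(); on error the breakpoint is left disabled with the new attributes installed.` Any caller that retries after an error (ptrace, presumably) should be checked for relying on the old roll-back. The lines between the two inner hunks, including the __perf_event_disable() call the comment refers to, are not shown.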