From: Greg Kroah-Hartman Date: Tue, 4 Jun 2019 12:21:03 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v5.1.8~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=712e71df83c49006a782b0e96ce5da964696022a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch doc-cope-with-sphinx-logging-deprecations.patch doc-cope-with-the-deprecation-of-autoreporter.patch docs-fix-conf.py-for-sphinx-2.0.patch drm-nouveau-i2c-disable-i2c-bus-access-after-fini.patch gcc-plugins-fix-build-failures-under-darwin-host.patch ima-show-rules-with-ima_inmask-correctly.patch kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch memcg-make-it-work-on-sparse-non-0-node-systems.patch revert-lockd-show-pid-of-lockd-for-remote-locks.patch serial-sh-sci-disable-dma-for-uart_console.patch staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch staging-wlan-ng-fix-adapter-initialization-failure.patch tty-max310x-fix-external-crystal-register-setup.patch tty-serial-msm_serial-fix-xon-xoff.patch --- diff --git a/queue-4.14/cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch b/queue-4.14/cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch new file mode 100644 index 0000000000..54ce334a4c --- /dev/null +++ b/queue-4.14/cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch @@ -0,0 +1,37 @@ +From 31fad7d41e73731f05b8053d17078638cf850fa6 Mon Sep 17 00:00:00 2001 +From: Roberto Bergantinos Corpas +Date: Tue, 28 May 2019 09:38:14 +0200 +Subject: CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM + +From: Roberto Bergantinos Corpas + +commit 31fad7d41e73731f05b8053d17078638cf850fa6 upstream. + + In cifs_read_allocate_pages, in case of ENOMEM, we go through +whole rdata->pages array but we have failed the allocation before +nr_pages, therefore we may end up calling put_page with NULL +pointer, causing oops + +Signed-off-by: Roberto Bergantinos Corpas +Acked-by: Pavel Shilovsky +Signed-off-by: Steve French +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/file.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -2984,7 +2984,9 @@ cifs_read_allocate_pages(struct cifs_rea + } + + if (rc) { +- for (i = 0; i < nr_pages; i++) { ++ unsigned int nr_page_failed = i; ++ ++ for (i = 0; i < nr_page_failed; i++) { + put_page(rdata->pages[i]); + rdata->pages[i] = NULL; + } diff --git a/queue-4.14/doc-cope-with-sphinx-logging-deprecations.patch b/queue-4.14/doc-cope-with-sphinx-logging-deprecations.patch new file mode 100644 index 0000000000..8830904238 --- /dev/null +++ b/queue-4.14/doc-cope-with-sphinx-logging-deprecations.patch @@ -0,0 +1,227 @@ +From 096ea522e84ea68f8e6c41e5e7294731a81e29bc Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet +Date: Tue, 21 May 2019 14:23:43 -0600 +Subject: doc: Cope with Sphinx logging deprecations + +From: Jonathan Corbet + +commit 096ea522e84ea68f8e6c41e5e7294731a81e29bc upstream. + +Recent versions of sphinx will emit messages like: + + Documentation/sphinx/kerneldoc.py:103: + RemovedInSphinx20Warning: app.warning() is now deprecated. + Use sphinx.util.logging instead. + +Switch to sphinx.util.logging to make this unsightly message go away. +Alas, that interface was only added in version 1.6, so we have to add a +version check to keep things working with older sphinxes. + +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/sphinx/kerneldoc.py | 12 +++++++---- + Documentation/sphinx/kernellog.py | 28 ++++++++++++++++++++++++++ + Documentation/sphinx/kfigure.py | 40 +++++++++++++++++++++----------------- + 3 files changed, 59 insertions(+), 21 deletions(-) + +--- a/Documentation/sphinx/kerneldoc.py ++++ b/Documentation/sphinx/kerneldoc.py +@@ -49,6 +49,8 @@ if Use_SSI: + else: + from sphinx.ext.autodoc import AutodocReporter + ++import kernellog ++ + __version__ = '1.0' + + class KernelDocDirective(Directive): +@@ -96,7 +98,8 @@ class KernelDocDirective(Directive): + cmd += [filename] + + try: +- env.app.verbose('calling kernel-doc \'%s\'' % (" ".join(cmd))) ++ kernellog.verbose(env.app, ++ 'calling kernel-doc \'%s\'' % (" ".join(cmd))) + + p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + out, err = p.communicate() +@@ -106,7 +109,8 @@ class KernelDocDirective(Directive): + if p.returncode != 0: + sys.stderr.write(err) + +- env.app.warn('kernel-doc \'%s\' failed with return code %d' % (" ".join(cmd), p.returncode)) ++ kernellog.warn(env.app, ++ 'kernel-doc \'%s\' failed with return code %d' % (" ".join(cmd), p.returncode)) + return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))] + elif env.config.kerneldoc_verbosity > 0: + sys.stderr.write(err) +@@ -132,8 +136,8 @@ class KernelDocDirective(Directive): + return node.children + + except Exception as e: # pylint: disable=W0703 +- env.app.warn('kernel-doc \'%s\' processing failed with: %s' % +- (" ".join(cmd), str(e))) ++ kernellog.warn(env.app, 'kernel-doc \'%s\' processing failed with: %s' % ++ (" ".join(cmd), str(e))) + return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))] + + def do_parse(self, result, node): +--- /dev/null ++++ b/Documentation/sphinx/kernellog.py +@@ -0,0 +1,28 @@ ++# SPDX-License-Identifier: GPL-2.0 ++# ++# Sphinx has deprecated its older logging interface, but the replacement ++# only goes back to 1.6. So here's a wrapper layer to keep around for ++# as long as we support 1.4. ++# ++import sphinx ++ ++if sphinx.__version__[:3] >= '1.6': ++ UseLogging = True ++ from sphinx.util import logging ++ logger = logging.getLogger('kerneldoc') ++else: ++ UseLogging = False ++ ++def warn(app, message): ++ if UseLogging: ++ logger.warning(message) ++ else: ++ app.warn(message) ++ ++def verbose(app, message): ++ if UseLogging: ++ logger.verbose(message) ++ else: ++ app.verbose(message) ++ ++ +--- a/Documentation/sphinx/kfigure.py ++++ b/Documentation/sphinx/kfigure.py +@@ -60,6 +60,8 @@ import sphinx + from sphinx.util.nodes import clean_astext + from six import iteritems + ++import kernellog ++ + PY3 = sys.version_info[0] == 3 + + if PY3: +@@ -171,20 +173,20 @@ def setupTools(app): + This function is called once, when the builder is initiated. + """ + global dot_cmd, convert_cmd # pylint: disable=W0603 +- app.verbose("kfigure: check installed tools ...") ++ kernellog.verbose(app, "kfigure: check installed tools ...") + + dot_cmd = which('dot') + convert_cmd = which('convert') + + if dot_cmd: +- app.verbose("use dot(1) from: " + dot_cmd) ++ kernellog.verbose(app, "use dot(1) from: " + dot_cmd) + else: +- app.warn("dot(1) not found, for better output quality install " +- "graphviz from http://www.graphviz.org") ++ kernellog.warn(app, "dot(1) not found, for better output quality install " ++ "graphviz from http://www.graphviz.org") + if convert_cmd: +- app.verbose("use convert(1) from: " + convert_cmd) ++ kernellog.verbose(app, "use convert(1) from: " + convert_cmd) + else: +- app.warn( ++ kernellog.warn(app, + "convert(1) not found, for SVG to PDF conversion install " + "ImageMagick (https://www.imagemagick.org)") + +@@ -220,12 +222,13 @@ def convert_image(img_node, translator, + + # in kernel builds, use 'make SPHINXOPTS=-v' to see verbose messages + +- app.verbose('assert best format for: ' + img_node['uri']) ++ kernellog.verbose(app, 'assert best format for: ' + img_node['uri']) + + if in_ext == '.dot': + + if not dot_cmd: +- app.verbose("dot from graphviz not available / include DOT raw.") ++ kernellog.verbose(app, ++ "dot from graphviz not available / include DOT raw.") + img_node.replace_self(file2literal(src_fname)) + + elif translator.builder.format == 'latex': +@@ -252,7 +255,8 @@ def convert_image(img_node, translator, + + if translator.builder.format == 'latex': + if convert_cmd is None: +- app.verbose("no SVG to PDF conversion available / include SVG raw.") ++ kernellog.verbose(app, ++ "no SVG to PDF conversion available / include SVG raw.") + img_node.replace_self(file2literal(src_fname)) + else: + dst_fname = path.join(translator.builder.outdir, fname + '.pdf') +@@ -265,18 +269,19 @@ def convert_image(img_node, translator, + _name = dst_fname[len(translator.builder.outdir) + 1:] + + if isNewer(dst_fname, src_fname): +- app.verbose("convert: {out}/%s already exists and is newer" % _name) ++ kernellog.verbose(app, ++ "convert: {out}/%s already exists and is newer" % _name) + + else: + ok = False + mkdir(path.dirname(dst_fname)) + + if in_ext == '.dot': +- app.verbose('convert DOT to: {out}/' + _name) ++ kernellog.verbose(app, 'convert DOT to: {out}/' + _name) + ok = dot2format(app, src_fname, dst_fname) + + elif in_ext == '.svg': +- app.verbose('convert SVG to: {out}/' + _name) ++ kernellog.verbose(app, 'convert SVG to: {out}/' + _name) + ok = svg2pdf(app, src_fname, dst_fname) + + if not ok: +@@ -305,7 +310,8 @@ def dot2format(app, dot_fname, out_fname + with open(out_fname, "w") as out: + exit_code = subprocess.call(cmd, stdout = out) + if exit_code != 0: +- app.warn("Error #%d when calling: %s" % (exit_code, " ".join(cmd))) ++ kernellog.warn(app, ++ "Error #%d when calling: %s" % (exit_code, " ".join(cmd))) + return bool(exit_code == 0) + + def svg2pdf(app, svg_fname, pdf_fname): +@@ -322,7 +328,7 @@ def svg2pdf(app, svg_fname, pdf_fname): + # use stdout and stderr from parent + exit_code = subprocess.call(cmd) + if exit_code != 0: +- app.warn("Error #%d when calling: %s" % (exit_code, " ".join(cmd))) ++ kernellog.warn(app, "Error #%d when calling: %s" % (exit_code, " ".join(cmd))) + return bool(exit_code == 0) + + +@@ -415,15 +421,15 @@ def visit_kernel_render(self, node): + app = self.builder.app + srclang = node.get('srclang') + +- app.verbose('visit kernel-render node lang: "%s"' % (srclang)) ++ kernellog.verbose('visit kernel-render node lang: "%s"' % (srclang)) + + tmp_ext = RENDER_MARKUP_EXT.get(srclang, None) + if tmp_ext is None: +- app.warn('kernel-render: "%s" unknow / include raw.' % (srclang)) ++ kernellog.warn('kernel-render: "%s" unknow / include raw.' % (srclang)) + return + + if not dot_cmd and tmp_ext == '.dot': +- app.verbose("dot from graphviz not available / include raw.") ++ kernellog.verbose("dot from graphviz not available / include raw.") + return + + literal_block = node[0] diff --git a/queue-4.14/doc-cope-with-the-deprecation-of-autoreporter.patch b/queue-4.14/doc-cope-with-the-deprecation-of-autoreporter.patch new file mode 100644 index 0000000000..1345b13e92 --- /dev/null +++ b/queue-4.14/doc-cope-with-the-deprecation-of-autoreporter.patch @@ -0,0 +1,83 @@ +From 2404dad1f67f8917e30fc22a85e0dbcc85b99955 Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet +Date: Tue, 21 May 2019 14:42:34 -0600 +Subject: doc: Cope with the deprecation of AutoReporter + +From: Jonathan Corbet + +commit 2404dad1f67f8917e30fc22a85e0dbcc85b99955 upstream. + +AutoReporter is going away; recent versions of sphinx emit a warning like: + + Documentation/sphinx/kerneldoc.py:125: + RemovedInSphinx20Warning: AutodocReporter is now deprecated. + Use sphinx.util.docutils.switch_source_input() instead. + +Make the switch. But switch_source_input() only showed up in 1.7, so we +have to do ugly version checks to keep things working in older versions. + +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/sphinx/kerneldoc.py | 34 ++++++++++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 8 deletions(-) + +--- a/Documentation/sphinx/kerneldoc.py ++++ b/Documentation/sphinx/kerneldoc.py +@@ -37,7 +37,17 @@ import glob + from docutils import nodes, statemachine + from docutils.statemachine import ViewList + from docutils.parsers.rst import directives, Directive +-from sphinx.ext.autodoc import AutodocReporter ++ ++# ++# AutodocReporter is only good up to Sphinx 1.7 ++# ++import sphinx ++ ++Use_SSI = sphinx.__version__[:3] >= '1.7' ++if Use_SSI: ++ from sphinx.util.docutils import switch_source_input ++else: ++ from sphinx.ext.autodoc import AutodocReporter + + __version__ = '1.0' + +@@ -117,13 +127,7 @@ class KernelDocDirective(Directive): + lineoffset += 1 + + node = nodes.section() +- buf = self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter +- self.state.memo.reporter = AutodocReporter(result, self.state.memo.reporter) +- self.state.memo.title_styles, self.state.memo.section_level = [], 0 +- try: +- self.state.nested_parse(result, 0, node, match_titles=1) +- finally: +- self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter = buf ++ self.do_parse(result, node) + + return node.children + +@@ -132,6 +136,20 @@ class KernelDocDirective(Directive): + (" ".join(cmd), str(e))) + return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))] + ++ def do_parse(self, result, node): ++ if Use_SSI: ++ with switch_source_input(self.state, result): ++ self.state.nested_parse(result, 0, node, match_titles=1) ++ else: ++ save = self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter ++ self.state.memo.reporter = AutodocReporter(result, self.state.memo.reporter) ++ self.state.memo.title_styles, self.state.memo.section_level = [], 0 ++ try: ++ self.state.nested_parse(result, 0, node, match_titles=1) ++ finally: ++ self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter = save ++ ++ + def setup(app): + app.add_config_value('kerneldoc_bin', None, 'env') + app.add_config_value('kerneldoc_srctree', None, 'env') diff --git a/queue-4.14/docs-fix-conf.py-for-sphinx-2.0.patch b/queue-4.14/docs-fix-conf.py-for-sphinx-2.0.patch new file mode 100644 index 0000000000..043c62db05 --- /dev/null +++ b/queue-4.14/docs-fix-conf.py-for-sphinx-2.0.patch @@ -0,0 +1,32 @@ +From 3bc8088464712fdcb078eefb68837ccfcc413c88 Mon Sep 17 00:00:00 2001 +From: Jonathan Corbet +Date: Wed, 22 May 2019 14:30:45 -0600 +Subject: docs: Fix conf.py for Sphinx 2.0 + +From: Jonathan Corbet + +commit 3bc8088464712fdcb078eefb68837ccfcc413c88 upstream. + +Our version check in Documentation/conf.py never envisioned a world where +Sphinx moved beyond 1.x. Now that the unthinkable has happened, fix our +version check to handle higher version numbers correctly. + +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/conf.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/conf.py ++++ b/Documentation/conf.py +@@ -37,7 +37,7 @@ needs_sphinx = '1.3' + extensions = ['kerneldoc', 'rstFlatTable', 'kernel_include', 'cdomain', 'kfigure'] + + # The name of the math extension changed on Sphinx 1.4 +-if major == 1 and minor > 3: ++if (major == 1 and minor > 3) or (major > 1): + extensions.append("sphinx.ext.imgmath") + else: + extensions.append("sphinx.ext.pngmath") diff --git a/queue-4.14/drm-nouveau-i2c-disable-i2c-bus-access-after-fini.patch b/queue-4.14/drm-nouveau-i2c-disable-i2c-bus-access-after-fini.patch new file mode 100644 index 0000000000..abad96ec57 --- /dev/null +++ b/queue-4.14/drm-nouveau-i2c-disable-i2c-bus-access-after-fini.patch @@ -0,0 +1,265 @@ +From 342406e4fbba9a174125fbfe6aeac3d64ef90f76 Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Tue, 9 Apr 2019 16:23:30 -0400 +Subject: drm/nouveau/i2c: Disable i2c bus access after ->fini() + +From: Lyude Paul + +commit 342406e4fbba9a174125fbfe6aeac3d64ef90f76 upstream. + +For a while, we've had the problem of i2c bus access not grabbing +a runtime PM ref when it's being used in userspace by i2c-dev, resulting +in nouveau spamming the kernel log with errors if anything attempts to +access the i2c bus while the GPU is in runtime suspend. An example: + +[ 130.078386] nouveau 0000:01:00.0: i2c: aux 000d: begin idle timeout ffffffff + +Since the GPU is in runtime suspend, the MMIO region that the i2c bus is +on isn't accessible. On x86, the standard behavior for accessing an +unavailable MMIO region is to just return ~0. + +Except, that turned out to be a lie. While computers with a clean +concious will return ~0 in this scenario, some machines will actually +completely hang a CPU on certian bad MMIO accesses. This was witnessed +with someone's Lenovo ThinkPad P50, where sensors-detect attempting to +access the i2c bus while the GPU was suspended would result in a CPU +hang: + + CPU: 5 PID: 12438 Comm: sensors-detect Not tainted 5.0.0-0.rc4.git3.1.fc30.x86_64 #1 + Hardware name: LENOVO 20EQS64N17/20EQS64N17, BIOS N1EET74W (1.47 ) 11/21/2017 + RIP: 0010:ioread32+0x2b/0x30 + Code: 81 ff ff ff 03 00 77 20 48 81 ff 00 00 01 00 76 05 0f b7 d7 ed c3 + 48 c7 c6 e1 0c 36 96 e8 2d ff ff ff b8 ff ff ff ff c3 8b 07 0f 1f + 40 00 49 89 f0 48 81 fe ff ff 03 00 76 04 40 88 3e c3 48 + RSP: 0018:ffffaac3c5007b48 EFLAGS: 00000292 ORIG_RAX: ffffffffffffff13 + RAX: 0000000001111000 RBX: 0000000001111000 RCX: 0000043017a97186 + RDX: 0000000000000aaa RSI: 0000000000000005 RDI: ffffaac3c400e4e4 + RBP: ffff9e6443902c00 R08: ffffaac3c400e4e4 R09: ffffaac3c5007be7 + R10: 0000000000000004 R11: 0000000000000001 R12: ffff9e6445dd0000 + R13: 000000000000e4e4 R14: 00000000000003c4 R15: 0000000000000000 + FS: 00007f253155a740(0000) GS:ffff9e644f600000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00005630d1500358 CR3: 0000000417c44006 CR4: 00000000003606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + g94_i2c_aux_xfer+0x326/0x850 [nouveau] + nvkm_i2c_aux_i2c_xfer+0x9e/0x140 [nouveau] + __i2c_transfer+0x14b/0x620 + i2c_smbus_xfer_emulated+0x159/0x680 + ? _raw_spin_unlock_irqrestore+0x1/0x60 + ? rt_mutex_slowlock.constprop.0+0x13d/0x1e0 + ? __lock_is_held+0x59/0xa0 + __i2c_smbus_xfer+0x138/0x5a0 + i2c_smbus_xfer+0x4f/0x80 + i2cdev_ioctl_smbus+0x162/0x2d0 [i2c_dev] + i2cdev_ioctl+0x1db/0x2c0 [i2c_dev] + do_vfs_ioctl+0x408/0x750 + ksys_ioctl+0x5e/0x90 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x60/0x1e0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7f25317f546b + Code: 0f 1e fa 48 8b 05 1d da 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff + ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 + f0 ff ff 73 01 c3 48 8b 0d ed d9 0c 00 f7 d8 64 89 01 48 + RSP: 002b:00007ffc88caab68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + RAX: ffffffffffffffda RBX: 00005630d0fe7260 RCX: 00007f25317f546b + RDX: 00005630d1598e80 RSI: 0000000000000720 RDI: 0000000000000003 + RBP: 00005630d155b968 R08: 0000000000000001 R09: 00005630d15a1da0 + R10: 0000000000000070 R11: 0000000000000246 R12: 00005630d1598e80 + R13: 00005630d12f3d28 R14: 0000000000000720 R15: 00005630d12f3ce0 + watchdog: BUG: soft lockup - CPU#5 stuck for 23s! [sensors-detect:12438] + +Yikes! While I wanted to try to make it so that accessing an i2c bus on +nouveau would wake up the GPU as needed, airlied pointed out that pretty +much any usecase for userspace accessing an i2c bus on a GPU (mainly for +the DDC brightness control that some displays have) is going to only be +useful while there's at least one display enabled on the GPU anyway, and +the GPU never sleeps while there's displays running. + +Since teaching the i2c bus to wake up the GPU on userspace accesses is a +good deal more difficult than it might seem, mostly due to the fact that +we have to use the i2c bus during runtime resume of the GPU, we instead +opt for the easiest solution: don't let userspace access i2c busses on +the GPU at all while it's in runtime suspend. + +Changes since v1: +* Also disable i2c busses that run over DP AUX + +Signed-off-by: Lyude Paul +Cc: stable@vger.kernel.org +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h | 2 + + drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c | 26 +++++++++++++++++++++- + drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h | 2 + + drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c | 15 ++++++++++++ + drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c | 21 ++++++++++++++++- + drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h | 1 + 6 files changed, 65 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h ++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h +@@ -38,6 +38,7 @@ struct nvkm_i2c_bus { + struct mutex mutex; + struct list_head head; + struct i2c_adapter i2c; ++ u8 enabled; + }; + + int nvkm_i2c_bus_acquire(struct nvkm_i2c_bus *); +@@ -57,6 +58,7 @@ struct nvkm_i2c_aux { + struct mutex mutex; + struct list_head head; + struct i2c_adapter i2c; ++ u8 enabled; + + u32 intr; + }; +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c +@@ -105,9 +105,15 @@ nvkm_i2c_aux_acquire(struct nvkm_i2c_aux + { + struct nvkm_i2c_pad *pad = aux->pad; + int ret; ++ + AUX_TRACE(aux, "acquire"); + mutex_lock(&aux->mutex); +- ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX); ++ ++ if (aux->enabled) ++ ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX); ++ else ++ ret = -EIO; ++ + if (ret) + mutex_unlock(&aux->mutex); + return ret; +@@ -145,6 +151,24 @@ nvkm_i2c_aux_del(struct nvkm_i2c_aux **p + } + } + ++void ++nvkm_i2c_aux_init(struct nvkm_i2c_aux *aux) ++{ ++ AUX_TRACE(aux, "init"); ++ mutex_lock(&aux->mutex); ++ aux->enabled = true; ++ mutex_unlock(&aux->mutex); ++} ++ ++void ++nvkm_i2c_aux_fini(struct nvkm_i2c_aux *aux) ++{ ++ AUX_TRACE(aux, "fini"); ++ mutex_lock(&aux->mutex); ++ aux->enabled = false; ++ mutex_unlock(&aux->mutex); ++} ++ + int + nvkm_i2c_aux_ctor(const struct nvkm_i2c_aux_func *func, + struct nvkm_i2c_pad *pad, int id, +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h +@@ -16,6 +16,8 @@ int nvkm_i2c_aux_ctor(const struct nvkm_ + int nvkm_i2c_aux_new_(const struct nvkm_i2c_aux_func *, struct nvkm_i2c_pad *, + int id, struct nvkm_i2c_aux **); + void nvkm_i2c_aux_del(struct nvkm_i2c_aux **); ++void nvkm_i2c_aux_init(struct nvkm_i2c_aux *); ++void nvkm_i2c_aux_fini(struct nvkm_i2c_aux *); + int nvkm_i2c_aux_xfer(struct nvkm_i2c_aux *, bool retry, u8 type, + u32 addr, u8 *data, u8 *size); + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c +@@ -160,8 +160,18 @@ nvkm_i2c_fini(struct nvkm_subdev *subdev + { + struct nvkm_i2c *i2c = nvkm_i2c(subdev); + struct nvkm_i2c_pad *pad; ++ struct nvkm_i2c_bus *bus; ++ struct nvkm_i2c_aux *aux; + u32 mask; + ++ list_for_each_entry(aux, &i2c->aux, head) { ++ nvkm_i2c_aux_fini(aux); ++ } ++ ++ list_for_each_entry(bus, &i2c->bus, head) { ++ nvkm_i2c_bus_fini(bus); ++ } ++ + if ((mask = (1 << i2c->func->aux) - 1), i2c->func->aux_stat) { + i2c->func->aux_mask(i2c, NVKM_I2C_ANY, mask, 0); + i2c->func->aux_stat(i2c, &mask, &mask, &mask, &mask); +@@ -180,6 +190,7 @@ nvkm_i2c_init(struct nvkm_subdev *subdev + struct nvkm_i2c *i2c = nvkm_i2c(subdev); + struct nvkm_i2c_bus *bus; + struct nvkm_i2c_pad *pad; ++ struct nvkm_i2c_aux *aux; + + list_for_each_entry(pad, &i2c->pad, head) { + nvkm_i2c_pad_init(pad); +@@ -189,6 +200,10 @@ nvkm_i2c_init(struct nvkm_subdev *subdev + nvkm_i2c_bus_init(bus); + } + ++ list_for_each_entry(aux, &i2c->aux, head) { ++ nvkm_i2c_aux_init(aux); ++ } ++ + return 0; + } + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c +@@ -110,6 +110,19 @@ nvkm_i2c_bus_init(struct nvkm_i2c_bus *b + BUS_TRACE(bus, "init"); + if (bus->func->init) + bus->func->init(bus); ++ ++ mutex_lock(&bus->mutex); ++ bus->enabled = true; ++ mutex_unlock(&bus->mutex); ++} ++ ++void ++nvkm_i2c_bus_fini(struct nvkm_i2c_bus *bus) ++{ ++ BUS_TRACE(bus, "fini"); ++ mutex_lock(&bus->mutex); ++ bus->enabled = false; ++ mutex_unlock(&bus->mutex); + } + + void +@@ -126,9 +139,15 @@ nvkm_i2c_bus_acquire(struct nvkm_i2c_bus + { + struct nvkm_i2c_pad *pad = bus->pad; + int ret; ++ + BUS_TRACE(bus, "acquire"); + mutex_lock(&bus->mutex); +- ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C); ++ ++ if (bus->enabled) ++ ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C); ++ else ++ ret = -EIO; ++ + if (ret) + mutex_unlock(&bus->mutex); + return ret; +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h +@@ -18,6 +18,7 @@ int nvkm_i2c_bus_new_(const struct nvkm_ + int id, struct nvkm_i2c_bus **); + void nvkm_i2c_bus_del(struct nvkm_i2c_bus **); + void nvkm_i2c_bus_init(struct nvkm_i2c_bus *); ++void nvkm_i2c_bus_fini(struct nvkm_i2c_bus *); + + int nvkm_i2c_bit_xfer(struct nvkm_i2c_bus *, struct i2c_msg *, int); + diff --git a/queue-4.14/gcc-plugins-fix-build-failures-under-darwin-host.patch b/queue-4.14/gcc-plugins-fix-build-failures-under-darwin-host.patch new file mode 100644 index 0000000000..dc59ce6f02 --- /dev/null +++ b/queue-4.14/gcc-plugins-fix-build-failures-under-darwin-host.patch @@ -0,0 +1,52 @@ +From 7210e060155b9cf557fb13128353c3e494fa5ed3 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 20 May 2019 11:50:42 -0700 +Subject: gcc-plugins: Fix build failures under Darwin host + +From: Kees Cook + +commit 7210e060155b9cf557fb13128353c3e494fa5ed3 upstream. + +The gcc-common.h file did not take into account certain macros that +might have already been defined in the build environment. This updates +the header to avoid redefining the macros, as seen on a Darwin host +using gcc 4.9.2: + + HOSTCXX -fPIC scripts/gcc-plugins/arm_ssp_per_task_plugin.o - due to: scripts/gcc-plugins/gcc-common.h +In file included from scripts/gcc-plugins/arm_ssp_per_task_plugin.c:3:0: +scripts/gcc-plugins/gcc-common.h:153:0: warning: "__unused" redefined +^ +In file included from /usr/include/stdio.h:64:0, + from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/system.h:40, + from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/gcc-plugin.h:28, + from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/plugin.h:23, + from scripts/gcc-plugins/gcc-common.h:9, + from scripts/gcc-plugins/arm_ssp_per_task_plugin.c:3: +/usr/include/sys/cdefs.h:161:0: note: this is the location of the previous definition +^ + +Reported-and-tested-by: "H. Nikolaus Schaller" +Fixes: 189af4657186 ("ARM: smp: add support for per-task stack canaries") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/gcc-plugins/gcc-common.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/scripts/gcc-plugins/gcc-common.h ++++ b/scripts/gcc-plugins/gcc-common.h +@@ -150,8 +150,12 @@ void print_gimple_expr(FILE *, gimple, i + void dump_gimple_stmt(pretty_printer *, gimple, int, int); + #endif + ++#ifndef __unused + #define __unused __attribute__((__unused__)) ++#endif ++#ifndef __visible + #define __visible __attribute__((visibility("default"))) ++#endif + + #define DECL_NAME_POINTER(node) IDENTIFIER_POINTER(DECL_NAME(node)) + #define DECL_NAME_LENGTH(node) IDENTIFIER_LENGTH(DECL_NAME(node)) diff --git a/queue-4.14/ima-show-rules-with-ima_inmask-correctly.patch b/queue-4.14/ima-show-rules-with-ima_inmask-correctly.patch new file mode 100644 index 0000000000..1a1738c385 --- /dev/null +++ b/queue-4.14/ima-show-rules-with-ima_inmask-correctly.patch @@ -0,0 +1,69 @@ +From 8cdc23a3d9ec0944000ad43bad588e36afdc38cd Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Wed, 29 May 2019 15:30:35 +0200 +Subject: ima: show rules with IMA_INMASK correctly + +From: Roberto Sassu + +commit 8cdc23a3d9ec0944000ad43bad588e36afdc38cd upstream. + +Show the '^' character when a policy rule has flag IMA_INMASK. + +Fixes: 80eae209d63ac ("IMA: allow reading back the current IMA policy") +Signed-off-by: Roberto Sassu +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_policy.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -964,10 +964,10 @@ enum { + }; + + static const char *const mask_tokens[] = { +- "MAY_EXEC", +- "MAY_WRITE", +- "MAY_READ", +- "MAY_APPEND" ++ "^MAY_EXEC", ++ "^MAY_WRITE", ++ "^MAY_READ", ++ "^MAY_APPEND" + }; + + #define __ima_hook_stringify(str) (#str), +@@ -1027,6 +1027,7 @@ int ima_policy_show(struct seq_file *m, + struct ima_rule_entry *entry = v; + int i; + char tbuf[64] = {0,}; ++ int offset = 0; + + rcu_read_lock(); + +@@ -1046,15 +1047,17 @@ int ima_policy_show(struct seq_file *m, + if (entry->flags & IMA_FUNC) + policy_func_show(m, entry->func); + +- if (entry->flags & IMA_MASK) { ++ if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) { ++ if (entry->flags & IMA_MASK) ++ offset = 1; + if (entry->mask & MAY_EXEC) +- seq_printf(m, pt(Opt_mask), mt(mask_exec)); ++ seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset); + if (entry->mask & MAY_WRITE) +- seq_printf(m, pt(Opt_mask), mt(mask_write)); ++ seq_printf(m, pt(Opt_mask), mt(mask_write) + offset); + if (entry->mask & MAY_READ) +- seq_printf(m, pt(Opt_mask), mt(mask_read)); ++ seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); + if (entry->mask & MAY_APPEND) +- seq_printf(m, pt(Opt_mask), mt(mask_append)); ++ seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); + seq_puts(m, " "); + } + diff --git a/queue-4.14/kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch b/queue-4.14/kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch new file mode 100644 index 0000000000..990299883d --- /dev/null +++ b/queue-4.14/kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch @@ -0,0 +1,50 @@ +From 98af37d624ed8c83f1953b1b6b2f6866011fc064 Mon Sep 17 00:00:00 2001 +From: Zhenliang Wei +Date: Fri, 31 May 2019 22:30:52 -0700 +Subject: kernel/signal.c: trace_signal_deliver when signal_group_exit + +From: Zhenliang Wei + +commit 98af37d624ed8c83f1953b1b6b2f6866011fc064 upstream. + +In the fixes commit, removing SIGKILL from each thread signal mask and +executing "goto fatal" directly will skip the call to +"trace_signal_deliver". At this point, the delivery tracking of the +SIGKILL signal will be inaccurate. + +Therefore, we need to add trace_signal_deliver before "goto fatal" after +executing sigdelset. + +Note: SEND_SIG_NOINFO matches the fact that SIGKILL doesn't have any info. + +Link: http://lkml.kernel.org/r/20190425025812.91424-1-weizhenliang@huawei.com +Fixes: cf43a757fd4944 ("signal: Restore the stop PTRACE_EVENT_EXIT") +Signed-off-by: Zhenliang Wei +Reviewed-by: Christian Brauner +Reviewed-by: Oleg Nesterov +Cc: Eric W. Biederman +Cc: Ivan Delalande +Cc: Arnd Bergmann +Cc: Thomas Gleixner +Cc: Deepa Dinamani +Cc: Greg Kroah-Hartman +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2271,6 +2271,8 @@ relock: + if (signal_group_exit(signal)) { + ksig->info.si_signo = signr = SIGKILL; + sigdelset(¤t->pending.signal, SIGKILL); ++ trace_signal_deliver(SIGKILL, SEND_SIG_NOINFO, ++ &sighand->action[SIGKILL - 1]); + recalc_sigpending(); + goto fatal; + } diff --git a/queue-4.14/memcg-make-it-work-on-sparse-non-0-node-systems.patch b/queue-4.14/memcg-make-it-work-on-sparse-non-0-node-systems.patch new file mode 100644 index 0000000000..eec14c8b54 --- /dev/null +++ b/queue-4.14/memcg-make-it-work-on-sparse-non-0-node-systems.patch @@ -0,0 +1,97 @@ +From 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Fri, 31 May 2019 22:30:26 -0700 +Subject: memcg: make it work on sparse non-0-node systems + +From: Jiri Slaby + +commit 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471 upstream. + +We have a single node system with node 0 disabled: + Scanning NUMA topology in Northbridge 24 + Number of physical nodes 2 + Skipping disabled node 0 + Node 1 MemBase 0000000000000000 Limit 00000000fbff0000 + NODE_DATA(1) allocated [mem 0xfbfda000-0xfbfeffff] + +This causes crashes in memcg when system boots: + BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 + #PF error: [normal kernel read fault] +... + RIP: 0010:list_lru_add+0x94/0x170 +... + Call Trace: + d_lru_add+0x44/0x50 + dput.part.34+0xfc/0x110 + __fput+0x108/0x230 + task_work_run+0x9f/0xc0 + exit_to_usermode_loop+0xf5/0x100 + +It is reproducible as far as 4.12. I did not try older kernels. You have +to have a new enough systemd, e.g. 241 (the reason is unknown -- was not +investigated). Cannot be reproduced with systemd 234. + +The system crashes because the size of lru array is never updated in +memcg_update_all_list_lrus and the reads are past the zero-sized array, +causing dereferences of random memory. + +The root cause are list_lru_memcg_aware checks in the list_lru code. The +test in list_lru_memcg_aware is broken: it assumes node 0 is always +present, but it is not true on some systems as can be seen above. + +So fix this by avoiding checks on node 0. Remember the memcg-awareness by +a bool flag in struct list_lru. + +Link: http://lkml.kernel.org/r/20190522091940.3615-1-jslaby@suse.cz +Fixes: 60d3fd32a7a9 ("list_lru: introduce per-memcg lists") +Signed-off-by: Jiri Slaby +Acked-by: Michal Hocko +Suggested-by: Vladimir Davydov +Acked-by: Vladimir Davydov +Reviewed-by: Shakeel Butt +Cc: Johannes Weiner +Cc: Raghavendra K T +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/list_lru.h | 1 + + mm/list_lru.c | 8 +++----- + 2 files changed, 4 insertions(+), 5 deletions(-) + +--- a/include/linux/list_lru.h ++++ b/include/linux/list_lru.h +@@ -52,6 +52,7 @@ struct list_lru { + struct list_lru_node *node; + #if defined(CONFIG_MEMCG) && !defined(CONFIG_SLOB) + struct list_head list; ++ bool memcg_aware; + #endif + }; + +--- a/mm/list_lru.c ++++ b/mm/list_lru.c +@@ -42,11 +42,7 @@ static void list_lru_unregister(struct l + #if defined(CONFIG_MEMCG) && !defined(CONFIG_SLOB) + static inline bool list_lru_memcg_aware(struct list_lru *lru) + { +- /* +- * This needs node 0 to be always present, even +- * in the systems supporting sparse numa ids. +- */ +- return !!lru->node[0].memcg_lrus; ++ return lru->memcg_aware; + } + + static inline struct list_lru_one * +@@ -389,6 +385,8 @@ static int memcg_init_list_lru(struct li + { + int i; + ++ lru->memcg_aware = memcg_aware; ++ + if (!memcg_aware) + return 0; + diff --git a/queue-4.14/revert-lockd-show-pid-of-lockd-for-remote-locks.patch b/queue-4.14/revert-lockd-show-pid-of-lockd-for-remote-locks.patch new file mode 100644 index 0000000000..76a04a8f9f --- /dev/null +++ b/queue-4.14/revert-lockd-show-pid-of-lockd-for-remote-locks.patch @@ -0,0 +1,68 @@ +From 141731d15d6eb2fd9aaefbf9b935ce86ae243074 Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Mon, 20 May 2019 10:33:07 -0400 +Subject: Revert "lockd: Show pid of lockd for remote locks" + +From: Benjamin Coddington + +commit 141731d15d6eb2fd9aaefbf9b935ce86ae243074 upstream. + +This reverts most of commit b8eee0e90f97 ("lockd: Show pid of lockd for +remote locks"), which caused remote locks to not be differentiated between +remote processes for NLM. + +We retain the fixup for setting the client's fl_pid to a negative value. + +Fixes: b8eee0e90f97 ("lockd: Show pid of lockd for remote locks") +Cc: stable@vger.kernel.org + +Signed-off-by: Benjamin Coddington +Reviewed-by: XueWei Zhang +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/xdr.c | 4 ++-- + fs/lockd/xdr4.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/lockd/xdr.c ++++ b/fs/lockd/xdr.c +@@ -127,7 +127,7 @@ nlm_decode_lock(__be32 *p, struct nlm_lo + + locks_init_lock(fl); + fl->fl_owner = current->files; +- fl->fl_pid = current->tgid; ++ fl->fl_pid = (pid_t)lock->svid; + fl->fl_flags = FL_POSIX; + fl->fl_type = F_RDLCK; /* as good as anything else */ + start = ntohl(*p++); +@@ -269,7 +269,7 @@ nlmsvc_decode_shareargs(struct svc_rqst + memset(lock, 0, sizeof(*lock)); + locks_init_lock(&lock->fl); + lock->svid = ~(u32) 0; +- lock->fl.fl_pid = current->tgid; ++ lock->fl.fl_pid = (pid_t)lock->svid; + + if (!(p = nlm_decode_cookie(p, &argp->cookie)) + || !(p = xdr_decode_string_inplace(p, &lock->caller, +--- a/fs/lockd/xdr4.c ++++ b/fs/lockd/xdr4.c +@@ -119,7 +119,7 @@ nlm4_decode_lock(__be32 *p, struct nlm_l + + locks_init_lock(fl); + fl->fl_owner = current->files; +- fl->fl_pid = current->tgid; ++ fl->fl_pid = (pid_t)lock->svid; + fl->fl_flags = FL_POSIX; + fl->fl_type = F_RDLCK; /* as good as anything else */ + p = xdr_decode_hyper(p, &start); +@@ -266,7 +266,7 @@ nlm4svc_decode_shareargs(struct svc_rqst + memset(lock, 0, sizeof(*lock)); + locks_init_lock(&lock->fl); + lock->svid = ~(u32) 0; +- lock->fl.fl_pid = current->tgid; ++ lock->fl.fl_pid = (pid_t)lock->svid; + + if (!(p = nlm4_decode_cookie(p, &argp->cookie)) + || !(p = xdr_decode_string_inplace(p, &lock->caller, diff --git a/queue-4.14/serial-sh-sci-disable-dma-for-uart_console.patch b/queue-4.14/serial-sh-sci-disable-dma-for-uart_console.patch new file mode 100644 index 0000000000..d9ee86c3dd --- /dev/null +++ b/queue-4.14/serial-sh-sci-disable-dma-for-uart_console.patch @@ -0,0 +1,46 @@ +From 099506cbbc79c0bd52b19cb6b930f256dabc3950 Mon Sep 17 00:00:00 2001 +From: "George G. Davis" +Date: Tue, 14 May 2019 23:29:34 -0400 +Subject: serial: sh-sci: disable DMA for uart_console + +From: George G. Davis + +commit 099506cbbc79c0bd52b19cb6b930f256dabc3950 upstream. + +As noted in commit 84b40e3b57ee ("serial: 8250: omap: Disable DMA for +console UART"), UART console lines use low-level PIO only access functions +which will conflict with use of the line when DMA is enabled, e.g. when +the console line is also used for systemd messages. So disable DMA +support for UART console lines. + +Reported-by: Michael Rodin +Link: https://patchwork.kernel.org/patch/10929511/ +Tested-by: Eugeniu Rosca +Reviewed-by: Simon Horman +Reviewed-by: Wolfram Sang +Reviewed-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org +Signed-off-by: George G. Davis +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/sh-sci.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -1479,6 +1479,13 @@ static void sci_request_dma(struct uart_ + + dev_dbg(port->dev, "%s: port %d\n", __func__, port->line); + ++ /* ++ * DMA on console may interfere with Kernel log messages which use ++ * plain putchar(). So, simply don't use it with a console. ++ */ ++ if (uart_console(port)) ++ return; ++ + if (!port->dev->of_node) + return; + diff --git a/queue-4.14/series b/queue-4.14/series index f04d90d37e..38217ac4ff 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -44,3 +44,18 @@ kvm-ppc-book3s-hv-xive-do-not-clear-irq-data-of-passthrough-interrupts.patch powerpc-perf-fix-mmcra-corruption-by-bhrb_filter.patch alsa-hda-realtek-set-default-power-save-node-to-0.patch kvm-s390-do-not-report-unusabled-ids-via-kvm_cap_max_vcpu_id.patch +drm-nouveau-i2c-disable-i2c-bus-access-after-fini.patch +tty-serial-msm_serial-fix-xon-xoff.patch +tty-max310x-fix-external-crystal-register-setup.patch +memcg-make-it-work-on-sparse-non-0-node-systems.patch +kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch +docs-fix-conf.py-for-sphinx-2.0.patch +doc-cope-with-the-deprecation-of-autoreporter.patch +doc-cope-with-sphinx-logging-deprecations.patch +ima-show-rules-with-ima_inmask-correctly.patch +serial-sh-sci-disable-dma-for-uart_console.patch +staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch +staging-wlan-ng-fix-adapter-initialization-failure.patch +cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch +revert-lockd-show-pid-of-lockd-for-remote-locks.patch +gcc-plugins-fix-build-failures-under-darwin-host.patch diff --git a/queue-4.14/staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch b/queue-4.14/staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch new file mode 100644 index 0000000000..d8a97b5382 --- /dev/null +++ b/queue-4.14/staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch @@ -0,0 +1,56 @@ +From ca641bae6da977d638458e78cd1487b6160a2718 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 15 May 2019 12:38:33 +0300 +Subject: staging: vc04_services: prevent integer overflow in create_pagelist() + +From: Dan Carpenter + +commit ca641bae6da977d638458e78cd1487b6160a2718 upstream. + +The create_pagelist() "count" parameter comes from the user in +vchiq_ioctl() and it could overflow. If you look at how create_page() +is called in vchiq_prepare_bulk_data(), then the "size" variable is an +int so it doesn't make sense to allow negatives or larger than INT_MAX. + +I don't know this code terribly well, but I believe that typical values +of "count" are typically quite low and I don't think this check will +affect normal valid uses at all. + +The "pagelist_size" calculation can also overflow on 32 bit systems, but +not on 64 bit systems. I have added an integer overflow check for that +as well. + +The Raspberry PI doesn't offer the same level of memory protection that +x86 does so these sorts of bugs are probably not super critical to fix. + +Fixes: 71bad7f08641 ("staging: add bcm2708 vchiq driver") +Signed-off-by: Dan Carpenter +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c ++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c +@@ -405,9 +405,18 @@ create_pagelist(char __user *buf, size_t + int dma_buffers; + dma_addr_t dma_addr; + ++ if (count >= INT_MAX - PAGE_SIZE) ++ return NULL; ++ + offset = ((unsigned int)(unsigned long)buf & (PAGE_SIZE - 1)); + num_pages = DIV_ROUND_UP(count + offset, PAGE_SIZE); + ++ if (num_pages > (SIZE_MAX - sizeof(struct pagelist) - ++ sizeof(struct vchiq_pagelist_info)) / ++ (sizeof(u32) + sizeof(pages[0]) + ++ sizeof(struct scatterlist))) ++ return NULL; ++ + pagelist_size = sizeof(PAGELIST_T) + + (num_pages * sizeof(u32)) + + (num_pages * sizeof(pages[0]) + diff --git a/queue-4.14/staging-wlan-ng-fix-adapter-initialization-failure.patch b/queue-4.14/staging-wlan-ng-fix-adapter-initialization-failure.patch new file mode 100644 index 0000000000..d5e59a17b3 --- /dev/null +++ b/queue-4.14/staging-wlan-ng-fix-adapter-initialization-failure.patch @@ -0,0 +1,52 @@ +From a67fedd788182764dc8ed59037c604b7e60349f1 Mon Sep 17 00:00:00 2001 +From: Tim Collier +Date: Sat, 11 May 2019 18:40:46 +0100 +Subject: staging: wlan-ng: fix adapter initialization failure + +From: Tim Collier + +commit a67fedd788182764dc8ed59037c604b7e60349f1 upstream. + +Commit e895f00a8496 ("Staging: wlan-ng: hfa384x_usb.c Fixed too long +code line warnings.") moved the retrieval of the transfer buffer from +the URB from the top of function hfa384x_usbin_callback to a point +after reposting of the URB via a call to submit_rx_urb. The reposting +of the URB allocates a new transfer buffer so the new buffer is +retrieved instead of the buffer containing the response passed into +the callback. This results in failure to initialize the adapter with +an error reported in the system log (something like "CTLX[1] error: +state(Request failed)"). + +This change moves the retrieval to just before the point where the URB +is reposted so that the correct transfer buffer is retrieved and +initialization of the device succeeds. + +Signed-off-by: Tim Collier +Fixes: e895f00a8496 ("Staging: wlan-ng: hfa384x_usb.c Fixed too long code line warnings.") +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/wlan-ng/hfa384x_usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/wlan-ng/hfa384x_usb.c ++++ b/drivers/staging/wlan-ng/hfa384x_usb.c +@@ -3119,7 +3119,9 @@ static void hfa384x_usbin_callback(struc + break; + } + ++ /* Save values from the RX URB before reposting overwrites it. */ + urb_status = urb->status; ++ usbin = (union hfa384x_usbin *)urb->transfer_buffer; + + if (action != ABORT) { + /* Repost the RX URB */ +@@ -3136,7 +3138,6 @@ static void hfa384x_usbin_callback(struc + /* Note: the check of the sw_support field, the type field doesn't + * have bit 12 set like the docs suggest. + */ +- usbin = (union hfa384x_usbin *)urb->transfer_buffer; + type = le16_to_cpu(usbin->type); + if (HFA384x_USB_ISRXFRM(type)) { + if (action == HANDLE) { diff --git a/queue-4.14/tty-max310x-fix-external-crystal-register-setup.patch b/queue-4.14/tty-max310x-fix-external-crystal-register-setup.patch new file mode 100644 index 0000000000..f8b20c6ed2 --- /dev/null +++ b/queue-4.14/tty-max310x-fix-external-crystal-register-setup.patch @@ -0,0 +1,42 @@ +From 5d24f455c182d5116dd5db8e1dc501115ecc9c2c Mon Sep 17 00:00:00 2001 +From: Joe Burmeister +Date: Mon, 13 May 2019 11:23:57 +0100 +Subject: tty: max310x: Fix external crystal register setup + +From: Joe Burmeister + +commit 5d24f455c182d5116dd5db8e1dc501115ecc9c2c upstream. + +The datasheet states: + + Bit 4: ClockEnSet the ClockEn bit high to enable an external clocking +(crystal or clock generator at XIN). Set the ClockEn bit to 0 to disable +clocking + Bit 1: CrystalEnSet the CrystalEn bit high to enable the crystal +oscillator. When using an external clock source at XIN, CrystalEn must +be set low. + +The bit 4, MAX310X_CLKSRC_EXTCLK_BIT, should be set and was not. + +This was required to make the MAX3107 with an external crystal on our +board able to send or receive data. + +Signed-off-by: Joe Burmeister +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/max310x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -579,7 +579,7 @@ static int max310x_set_ref_clk(struct ma + } + + /* Configure clock source */ +- clksrc = xtal ? MAX310X_CLKSRC_CRYST_BIT : MAX310X_CLKSRC_EXTCLK_BIT; ++ clksrc = MAX310X_CLKSRC_EXTCLK_BIT | (xtal ? MAX310X_CLKSRC_CRYST_BIT : 0); + + /* Configure PLL */ + if (pllcfg) { diff --git a/queue-4.14/tty-serial-msm_serial-fix-xon-xoff.patch b/queue-4.14/tty-serial-msm_serial-fix-xon-xoff.patch new file mode 100644 index 0000000000..866f38149b --- /dev/null +++ b/queue-4.14/tty-serial-msm_serial-fix-xon-xoff.patch @@ -0,0 +1,53 @@ +From 61c0e37950b88bad590056286c1d766b1f167f4e Mon Sep 17 00:00:00 2001 +From: Jorge Ramirez-Ortiz +Date: Mon, 20 May 2019 20:38:48 +0200 +Subject: tty: serial: msm_serial: Fix XON/XOFF + +From: Jorge Ramirez-Ortiz + +commit 61c0e37950b88bad590056286c1d766b1f167f4e upstream. + +When the tty layer requests the uart to throttle, the current code +executing in msm_serial will trigger "Bad mode in Error Handler" and +generate an invalid stack frame in pstore before rebooting (that is if +pstore is indeed configured: otherwise the user shall just notice a +reboot with no further information dumped to the console). + +This patch replaces the PIO byte accessor with the word accessor +already used in PIO mode. + +Fixes: 68252424a7c7 ("tty: serial: msm: Support big-endian CPUs") +Cc: stable@vger.kernel.org +Signed-off-by: Jorge Ramirez-Ortiz +Reviewed-by: Bjorn Andersson +Reviewed-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/msm_serial.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -868,6 +868,7 @@ static void msm_handle_tx(struct uart_po + struct circ_buf *xmit = &msm_port->uart.state->xmit; + struct msm_dma *dma = &msm_port->tx_dma; + unsigned int pio_count, dma_count, dma_min; ++ char buf[4] = { 0 }; + void __iomem *tf; + int err = 0; + +@@ -877,10 +878,12 @@ static void msm_handle_tx(struct uart_po + else + tf = port->membase + UART_TF; + ++ buf[0] = port->x_char; ++ + if (msm_port->is_uartdm) + msm_reset_dm_count(port, 1); + +- iowrite8_rep(tf, &port->x_char, 1); ++ iowrite32_rep(tf, buf, 1); + port->icount.tx++; + port->x_char = 0; + return;