From: Sasha Levin Date: Wed, 28 Nov 2018 16:13:06 +0000 (-0500) Subject: patches for 4.4 X-Git-Tag: v4.19.6~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=71c0bd103b27fd9923510b86bcc624d9c238ef5e;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.4 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.4/arm-make-lookup_processor_type-non-__init.patch b/queue-4.4/arm-make-lookup_processor_type-non-__init.patch
new file mode 100644
index 00000000000..0ab250666d4
--- /dev/null
+++ b/queue-4.4/arm-make-lookup_processor_type-non-__init.patch
@@ -0,0 +1,44 @@
+From 33bdd9f95536a97b8008a8702ac79abcd19db2c0 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Thu, 19 Jul 2018 11:42:36 +0100
+Subject: ARM: make lookup_processor_type() non-__init
+
+[ Upstream commit 899a42f836678a595f7d2bc36a5a0c2b03d08cbc ]
+
+Move lookup_processor_type() out of the __init section so it is callable
+from (eg) the secondary startup code during hotplug.
+
+Reviewed-by: Julien Thierry
+Signed-off-by: Russell King
+Signed-off-by: Sasha Levin
+---
+ arch/arm/kernel/head-common.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/kernel/head-common.S b/arch/arm/kernel/head-common.S
+index 8733012d231f..7e662bdd5cb3 100644
+--- a/arch/arm/kernel/head-common.S
++++ b/arch/arm/kernel/head-common.S
+@@ -122,6 +122,9 @@ __mmap_switched_data:
+ .long init_thread_union + THREAD_START_SP @ sp
+ .size __mmap_switched_data, . - __mmap_switched_data
+
++ __FINIT
++ .text
++
+ /*
+ * This provides a C-API version of __lookup_processor_type
+ */
+@@ -133,9 +136,6 @@ ENTRY(lookup_processor_type)
+ ldmfd sp!, {r4 - r6, r9, pc}
+ ENDPROC(lookup_processor_type)
+
+- __FINIT
+- .text
+-
+ /*
+ * Read processor ID register (CP#15, CR0), and look up in the linker-built
+ * supported processor list. Note that we can't use the absolute addresses
+--
+2.17.1
+
diff --git a/queue-4.4/arm64-remove-no-op-p-linker-flag.patch b/queue-4.4/arm64-remove-no-op-p-linker-flag.patch
new file mode 100644
index 00000000000..b60a0d4e5c6
--- /dev/null
+++ b/queue-4.4/arm64-remove-no-op-p-linker-flag.patch
@@ -0,0 +1,50 @@
+From a1fa33dee93a4e48bd04eb4b760439b7e9eb4f46 Mon Sep 17 00:00:00 2001
+From: Greg Hackmann
+Date: Tue, 27 Nov 2018 11:15:20 -0800
+Subject: arm64: remove no-op -p linker flag
+
+(commit 1a381d4a0a9a0f999a13faaba22bf6b3fc80dcb9 upstream)
+
+Linking the ARM64 defconfig kernel with LLVM lld fails with the error:
+
+ ld.lld: error: unknown argument: -p
+ Makefile:1015: recipe for target 'vmlinux' failed
+
+Without this flag, the ARM64 defconfig kernel successfully links with
+lld and boots on Dragonboard 410c.
+
+After digging through binutils source and changelogs, it turns out that
+-p is only relevant to ancient binutils installations targeting 32-bit
+ARM. binutils accepts -p for AArch64 too, but it's always been
+undocumented and silently ignored. A comment in
+ld/emultempl/aarch64elf.em explains that it's "Only here for backwards
+compatibility".
+
+Since this flag is a no-op on ARM64, we can safely drop it.
+
+Acked-by: Will Deacon
+Reviewed-by: Nick Desaulniers
+Signed-off-by: Greg Hackmann
+Signed-off-by: Catalin Marinas
+Signed-off-by: Nick Desaulniers
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
+index c10bb98144b0..fb4ac87fc398 100644
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -10,7 +10,7 @@
+ #
+ # Copyright (C) 1995-2001 by Russell King
+
+-LDFLAGS_vmlinux :=-p --no-undefined -X
++LDFLAGS_vmlinux :=--no-undefined -X
+ CPPFLAGS_vmlinux.lds = -DTEXT_OFFSET=$(TEXT_OFFSET)
+ OBJCOPYFLAGS :=-O binary -R .note -R .note.gnu.build-id -R .comment -S
+ GZFLAGS :=-9
+--
+2.17.1
+
diff --git a/queue-4.4/cpufreq-imx6q-add-return-value-check-for-voltage-sca.patch b/queue-4.4/cpufreq-imx6q-add-return-value-check-for-voltage-sca.patch
new file mode 100644
index 00000000000..b055e27bcea
--- /dev/null
+++ b/queue-4.4/cpufreq-imx6q-add-return-value-check-for-voltage-sca.patch
@@ -0,0 +1,40 @@
+From fe35dfea0fb7ecfdce22377d0b7c566580143579 Mon Sep 17 00:00:00 2001
+From: Anson Huang
+Date: Mon, 5 Nov 2018 00:59:28 +0000
+Subject: cpufreq: imx6q: add return value check for voltage scale
+
+[ Upstream commit 6ef28a04d1ccf718eee069b72132ce4aa1e52ab9 ]
+
+Add return value check for voltage scale when ARM clock
+rate change fail.
+
+Signed-off-by: Anson Huang
+Acked-by: Viresh Kumar
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/cpufreq/imx6q-cpufreq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/imx6q-cpufreq.c b/drivers/cpufreq/imx6q-cpufreq.c
+index ef1fa8145419..fa86946d12aa 100644
+--- a/drivers/cpufreq/imx6q-cpufreq.c
++++ b/drivers/cpufreq/imx6q-cpufreq.c
+@@ -130,8 +130,13 @@ static int imx6q_set_target(struct cpufreq_policy *policy, unsigned int index)
+ /* Ensure the arm clock divider is what we expect */
+ ret = clk_set_rate(arm_clk, new_freq * 1000);
+ if (ret) {
++ int ret1;
++
+ dev_err(cpu_dev, "failed to set clock rate: %d\n", ret);
+- regulator_set_voltage_tol(arm_reg, volt_old, 0);
++ ret1 = regulator_set_voltage_tol(arm_reg, volt_old, 0);
++ if (ret1)
++ dev_warn(cpu_dev,
++ "failed to restore vddarm voltage: %d\n", ret1);
+ return ret;
+ }
+
+--
+2.17.1
+
diff --git a/queue-4.4/kdb-use-strscpy-with-destination-buffer-size.patch b/queue-4.4/kdb-use-strscpy-with-destination-buffer-size.patch
new file mode 100644
index 00000000000..e128621a03d
--- /dev/null
+++ b/queue-4.4/kdb-use-strscpy-with-destination-buffer-size.patch
@@ -0,0 +1,126 @@
+From 2601bb02aede9d0753359fb105dccadf12bc0766 Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava
+Date: Thu, 20 Sep 2018 08:59:14 -0400
+Subject: kdb: Use strscpy with destination buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit c2b94c72d93d0929f48157eef128c4f9d2e603ce ]
+
+gcc 8.1.0 warns with:
+
+kernel/debug/kdb/kdb_support.c: In function ‘kallsyms_symbol_next’:
+kernel/debug/kdb/kdb_support.c:239:4: warning: ‘strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=]
+ strncpy(prefix_name, name, strlen(name)+1);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+kernel/debug/kdb/kdb_support.c:239:31: note: length computed here
+
+Use strscpy() with the destination buffer size, and use ellipses when
+displaying truncated symbols.
+
+v2: Use strscpy()
+
+Signed-off-by: Prarit Bhargava
+Cc: Jonathan Toppins
+Cc: Jason Wessel
+Cc: Daniel Thompson
+Cc: kgdb-bugreport@lists.sourceforge.net
+Reviewed-by: Daniel Thompson
+Signed-off-by: Daniel Thompson
+Signed-off-by: Sasha Levin
+---
+ kernel/debug/kdb/kdb_io.c | 15 +++++++++------
+ kernel/debug/kdb/kdb_private.h | 2 +-
+ kernel/debug/kdb/kdb_support.c | 10 +++++-----
+ 3 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
+index 77777d918676..cc892a9e109d 100644
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -215,7 +215,7 @@ static char *kdb_read(char *buffer, size_t bufsize)
+ int count;
+ int i;
+ int diag, dtab_count;
+- int key;
++ int key, buf_size, ret;
+
+
+ diag = kdbgetintenv("DTABCOUNT", &dtab_count);
+@@ -335,9 +335,8 @@ poll_again:
+ else
+ p_tmp = tmpbuffer;
+ len = strlen(p_tmp);
+- count = kallsyms_symbol_complete(p_tmp,
+- sizeof(tmpbuffer) -
+- (p_tmp - tmpbuffer));
++ buf_size = sizeof(tmpbuffer) - (p_tmp - tmpbuffer);
++ count = kallsyms_symbol_complete(p_tmp, buf_size);
+ if (tab == 2 &&
count > 0) {
+ kdb_printf("\n%d symbols are found.", count);
+ if (count > dtab_count) {
+@@ -349,9 +348,13 @@ poll_again:
+ }
+ kdb_printf("\n");
+ for (i = 0; i < count; i++) {
+- if (WARN_ON(!kallsyms_symbol_next(p_tmp, i)))
++ ret = kallsyms_symbol_next(p_tmp, i, buf_size);
++ if (WARN_ON(!ret))
+ break;
+- kdb_printf("%s ", p_tmp);
++ if (ret != -E2BIG)
++ kdb_printf("%s ", p_tmp);
++ else
++ kdb_printf("%s... ", p_tmp);
+ *(p_tmp + len) = '\0';
+ }
+ if (i >= dtab_count)
+diff --git a/kernel/debug/kdb/kdb_private.h b/kernel/debug/kdb/kdb_private.h
+index 75014d7f4568..533e04e75a9c 100644
+--- a/kernel/debug/kdb/kdb_private.h
++++ b/kernel/debug/kdb/kdb_private.h
+@@ -83,7 +83,7 @@ typedef struct __ksymtab {
+ unsigned long sym_start;
+ unsigned long sym_end;
+ } kdb_symtab_t;
+-extern int kallsyms_symbol_next(char *prefix_name, int flag);
++extern int kallsyms_symbol_next(char *prefix_name, int flag, int buf_size);
+ extern int kallsyms_symbol_complete(char *prefix_name, int max_len);
+
+ /* Exported Symbols for kernel loadable modules to use. */
+diff --git a/kernel/debug/kdb/kdb_support.c b/kernel/debug/kdb/kdb_support.c
+index d35cc2d3a4cc..2aed4a33521b 100644
+--- a/kernel/debug/kdb/kdb_support.c
++++ b/kernel/debug/kdb/kdb_support.c
+@@ -221,11 +221,13 @@ int kallsyms_symbol_complete(char *prefix_name, int max_len)
+ * Parameters:
+ * prefix_name prefix of a symbol name to lookup
+ * flag 0 means search from the head, 1 means continue search.
++ * buf_size maximum length that can be written to prefix_name
++ * buffer
+ * Returns:
+ * 1 if a symbol matches the given prefix.
+ * 0 if no string found
+ */
+-int kallsyms_symbol_next(char *prefix_name, int flag)
++int kallsyms_symbol_next(char *prefix_name, int flag, int buf_size)
+ {
+ int prefix_len = strlen(prefix_name);
+ static loff_t pos;
+@@ -235,10 +237,8 @@ int kallsyms_symbol_next(char *prefix_name, int flag, int buf_size)
+ pos = 0;
+
+ while ((name = kdb_walk_kallsyms(&pos))) {
+- if (strncmp(name, prefix_name, prefix_len) == 0) {
+- strncpy(prefix_name, name, strlen(name)+1);
+- return 1;
+- }
++ if (!strncmp(name, prefix_name, prefix_len))
++ return strscpy(prefix_name, name, buf_size);
+ }
+ return 0;
+ }
+--
+2.17.1
+
diff --git a/queue-4.4/kvm-ppc-move-and-undef-trace_include_path-file.patch b/queue-4.4/kvm-ppc-move-and-undef-trace_include_path-file.patch
new file mode 100644
index 00000000000..7066086f00e
--- /dev/null
+++ b/queue-4.4/kvm-ppc-move-and-undef-trace_include_path-file.patch
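Review bot: In the kdb_support.c hunk the `Returns:` comment above kallsyms_symbol_next() still reads `1 if a symbol matches the given prefix`, but the function now returns strscpy()'s result, so a match yields the number of characters copied and a truncated match yields `-E2BIG`, which the new caller in kdb_io.c tests for. I would rewrite the block as ` * >0 number of characters copied when a symbol matches`, ` * -E2BIG if the matching symbol was truncated to buf_size`, ` * 0 if no string found`. The `buf_size` line could also say that the size includes the terminating NUL, since that is what strscpy() bounds. The comment header of the function begins outside this hunk.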
@@ -0,0 +1,143 @@
+From e0872cff2c0cd8b692b04bf360ef07c335c3610e Mon Sep 17 00:00:00 2001
+From: Scott Wood
+Date: Tue, 6 Nov 2018 19:49:34 -0600
+Subject: KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE
+
+[ Upstream commit 28c5bcf74fa07c25d5bd118d1271920f51ce2a98 ]
+
+TRACE_INCLUDE_PATH and TRACE_INCLUDE_FILE are used by
+, so like that #include, they should
+be outside #ifdef protection.
+
+They also need to be #undefed before defining, in case multiple trace
+headers are included by the same C file. This became the case on
+book3e after commit cf4a6085151a ("powerpc/mm: Add missing tracepoint for
+tlbie"), leading to the following build error:
+
+ CC arch/powerpc/kvm/powerpc.o
+In file included from arch/powerpc/kvm/powerpc.c:51:0:
+arch/powerpc/kvm/trace.h:9:0: error: "TRACE_INCLUDE_PATH" redefined
+[-Werror]
+ #define TRACE_INCLUDE_PATH .
+ ^
+In file included from arch/powerpc/kvm/../mm/mmu_decl.h:25:0,
+ from arch/powerpc/kvm/powerpc.c:48:
+./arch/powerpc/include/asm/trace.h:224:0: note: this is the location of
+the previous definition
+ #define TRACE_INCLUDE_PATH asm
+ ^
+cc1: all warnings being treated as errors
+
+Reported-by: Christian Zigotzky
+Signed-off-by: Scott Wood
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/kvm/trace.h | 8 ++++++--
+ arch/powerpc/kvm/trace_booke.h | 9 +++++++--
+ arch/powerpc/kvm/trace_hv.h | 9 +++++++--
+ arch/powerpc/kvm/trace_pr.h | 9 +++++++--
+ 4 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/arch/powerpc/kvm/trace.h b/arch/powerpc/kvm/trace.h
+index 2e0e67ef3544..e8cedf32345a 100644
+--- a/arch/powerpc/kvm/trace.h
++++ b/arch/powerpc/kvm/trace.h
+@@ -5,8 +5,6 @@
+
+ #undef TRACE_SYSTEM
+ #define TRACE_SYSTEM kvm
+-#define TRACE_INCLUDE_PATH .
+-#define TRACE_INCLUDE_FILE trace
+
+ /*
+ * Tracepoint for guest mode entry.
+@@ -119,4 +117,10 @@ TRACE_EVENT(kvm_check_requests,
+ #endif /* _TRACE_KVM_H */
+
+ /* This part must be outside protection */
++#undef TRACE_INCLUDE_PATH
++#undef TRACE_INCLUDE_FILE
++
++#define TRACE_INCLUDE_PATH .
++#define TRACE_INCLUDE_FILE trace
++
+ #include
+diff --git a/arch/powerpc/kvm/trace_booke.h b/arch/powerpc/kvm/trace_booke.h
+index 7ec534d1db9f..7eadbf449a1f 100644
+--- a/arch/powerpc/kvm/trace_booke.h
++++ b/arch/powerpc/kvm/trace_booke.h
+@@ -5,8 +5,6 @@
+
+ #undef TRACE_SYSTEM
+ #define TRACE_SYSTEM kvm_booke
+-#define TRACE_INCLUDE_PATH .
+-#define TRACE_INCLUDE_FILE trace_booke
+
+ #define kvm_trace_symbol_exit \
+ {0, "CRITICAL"}, \
+@@ -217,4 +215,11 @@ TRACE_EVENT(kvm_booke_queue_irqprio,
+ #endif
+
+ /* This part must be outside protection */
++
++#undef TRACE_INCLUDE_PATH
++#undef TRACE_INCLUDE_FILE
++
++#define TRACE_INCLUDE_PATH .
++#define TRACE_INCLUDE_FILE trace_booke
++
+ #include
+diff --git a/arch/powerpc/kvm/trace_hv.h b/arch/powerpc/kvm/trace_hv.h
+index 33d9daff5783..d1bfe017d751 100644
+--- a/arch/powerpc/kvm/trace_hv.h
++++ b/arch/powerpc/kvm/trace_hv.h
+@@ -8,8 +8,6 @@
+
+ #undef TRACE_SYSTEM
+ #define TRACE_SYSTEM kvm_hv
+-#define TRACE_INCLUDE_PATH .
+-#define TRACE_INCLUDE_FILE trace_hv
+
+ #define kvm_trace_symbol_hcall \
+ {H_REMOVE, "H_REMOVE"}, \
+@@ -474,4 +472,11 @@ TRACE_EVENT(kvmppc_run_vcpu_exit,
+ #endif /* _TRACE_KVM_HV_H */
+
+ /* This part must be outside protection */
++
++#undef TRACE_INCLUDE_PATH
++#undef TRACE_INCLUDE_FILE
++
++#define TRACE_INCLUDE_PATH .
++#define TRACE_INCLUDE_FILE trace_hv
++
+ #include
+diff --git a/arch/powerpc/kvm/trace_pr.h b/arch/powerpc/kvm/trace_pr.h
+index 810507cb688a..1e40aa2aa5af 100644
+--- a/arch/powerpc/kvm/trace_pr.h
++++ b/arch/powerpc/kvm/trace_pr.h
+@@ -7,8 +7,6 @@
+
+ #undef TRACE_SYSTEM
+ #define TRACE_SYSTEM kvm_pr
+-#define TRACE_INCLUDE_PATH .
+-#define TRACE_INCLUDE_FILE trace_pr
+
+ TRACE_EVENT(kvm_book3s_reenter,
+ TP_PROTO(int r, struct kvm_vcpu *vcpu),
+@@ -271,4 +269,11 @@ TRACE_EVENT(kvm_unmap_hva,
+ #endif /* _TRACE_KVM_H */
+
+ /* This part must be outside protection */
++
++#undef TRACE_INCLUDE_PATH
++#undef TRACE_INCLUDE_FILE
++
++#define TRACE_INCLUDE_PATH .
++#define TRACE_INCLUDE_FILE trace_pr
++
+ #include
+--
+2.17.1
+
diff --git a/queue-4.4/net-bcmgenet-fix-of-child-node-lookup.patch b/queue-4.4/net-bcmgenet-fix-of-child-node-lookup.patch
new file mode 100644
index 00000000000..2802bd33061
--- /dev/null
+++ b/queue-4.4/net-bcmgenet-fix-of-child-node-lookup.patch
@@ -0,0 +1,43 @@
+From 4a221ac558e5d18162c0cfb13a3e0114fc98b68e Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 27 Aug 2018 10:21:50 +0200
+Subject: net: bcmgenet: fix OF child-node lookup
+
+[ Upstream commit d397dbe606120a1ea1b11b0020c3f7a3852da5ac ]
+
+Use the new of_get_compatible_child() helper to lookup the mdio child
+node instead of using of_find_compatible_node(), which searches the
+entire tree from a given start node and thus can return an unrelated
+(i.e. non-child) node.
+
+This also addresses a potential use-after-free (e.g. after probe
+deferral) as the tree-wide helper drops a reference to its first
+argument (i.e. the node of the device being probed).
+
+Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines")
+Cc: stable # 3.15
+Cc: David S. Miller
+Reviewed-by: Florian Fainelli
+Signed-off-by: Johan Hovold
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+index 4c73feca4842..0565efad6e6e 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -491,7 +491,7 @@ static int bcmgenet_mii_of_init(struct bcmgenet_priv *priv)
+ if (!compat)
+ return -ENOMEM;
+
+- priv->mdio_dn = of_find_compatible_node(dn, NULL, compat);
++ priv->mdio_dn = of_get_compatible_child(dn, compat);
+ kfree(compat);
+ if (!priv->mdio_dn) {
+ dev_err(kdev, "unable to find MDIO bus node\n");
+--
+2.17.1
+
diff --git a/queue-4.4/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch b/queue-4.4/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch
new file mode 100644
index 00000000000..6b0365edf5d
--- /dev/null
+++ b/queue-4.4/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch
@@ -0,0 +1,48 @@
+From 54f69081afe2f51026e6f3dcf005ac96c2093b6d Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 27 Aug 2018 10:21:52 +0200
+Subject: NFC: nfcmrvl_uart: fix OF child-node lookup
+
+[ Upstream commit 5bf59773aaf36dd62117dc83d50e1bbf9ef432da ]
+
+Use the new of_get_compatible_child() helper to lookup the nfc child
+node instead of using of_find_compatible_node(), which searches the
+entire tree from a given start node and thus can return an unrelated
+(i.e. non-child) node.
+
+This also addresses a potential use-after-free (e.g. after probe
+deferral) as the tree-wide helper drops a reference to its first
+argument (i.e. the parent node).
+
+Fixes: e097dc624f78 ("NFC: nfcmrvl: add UART driver")
+Fixes: d8e018c0b321 ("NFC: nfcmrvl: update device tree bindings for Marvell NFC")
+Cc: stable # 4.2
+Cc: Vincent Cuissard
+Cc: Samuel Ortiz
+Signed-off-by: Johan Hovold
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+---
+ drivers/nfc/nfcmrvl/uart.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nfc/nfcmrvl/uart.c b/drivers/nfc/nfcmrvl/uart.c
+index 6c0c301611c4..1b11ded79c4f 100644
+--- a/drivers/nfc/nfcmrvl/uart.c
++++ b/drivers/nfc/nfcmrvl/uart.c
+@@ -73,10 +73,9 @@ static int nfcmrvl_uart_parse_dt(struct device_node *node,
+ struct device_node *matched_node;
+ int ret;
+
+- matched_node = of_find_compatible_node(node, NULL, "marvell,nfc-uart");
++ matched_node = of_get_compatible_child(node, "marvell,nfc-uart");
+ if (!matched_node) {
+- matched_node = of_find_compatible_node(node, NULL,
+- "mrvl,nfc-uart");
++ matched_node = of_get_compatible_child(node, "mrvl,nfc-uart");
+ if (!matched_node)
+ return -ENODEV;
+ }
+--
+2.17.1
+
diff --git a/queue-4.4/of-add-helper-to-lookup-compatible-child-node.patch b/queue-4.4/of-add-helper-to-lookup-compatible-child-node.patch
new file mode 100644
index 00000000000..6ab06d3579e
--- /dev/null
+++ b/queue-4.4/of-add-helper-to-lookup-compatible-child-node.patch
@@ -0,0 +1,91 @@
+From 9f914aeae99f53e7cbecbf997ad58f4dd07619c5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 27 Aug 2018 10:21:45 +0200
+Subject: of: add helper to lookup compatible child node
+
+[ Upstream commit 36156f9241cb0f9e37d998052873ca7501ad4b36 ]
+
+Add of_get_compatible_child() helper that can be used to lookup
+compatible child nodes.
+
+Several drivers currently use of_find_compatible_node() to lookup child
+nodes while failing to notice that the of_find_ functions search the
+entire tree depth-first (from a given start node) and therefore can
+match unrelated nodes. The fact that these functions also drop a
+reference to the node they start searching from (e.g. the parent node)
+is typically also overlooked, something which can lead to use-after-free
+bugs.
+
+Signed-off-by: Johan Hovold
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+---
+ drivers/of/base.c | 25 +++++++++++++++++++++++++
+ include/linux/of.h | 8 ++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/drivers/of/base.c b/drivers/of/base.c
+index 31341290cd91..c6e019208d17 100644
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -712,6 +712,31 @@ struct device_node *of_get_next_available_child(const struct device_node *node,
+ }
+ EXPORT_SYMBOL(of_get_next_available_child);
+
++/**
++ * of_get_compatible_child - Find compatible child node
++ * @parent: parent node
++ * @compatible: compatible string
++ *
++ * Lookup child node whose compatible property contains the given compatible
++ * string.
++ *
++ * Returns a node pointer with refcount incremented, use of_node_put() on it
++ * when done; or NULL if not found.
++ */
++struct device_node *of_get_compatible_child(const struct device_node *parent,
++ const char *compatible)
++{
++ struct device_node *child;
++
++ for_each_child_of_node(parent, child) {
++ if (of_device_is_compatible(child, compatible))
++ break;
++ }
++
++ return child;
++}
++EXPORT_SYMBOL(of_get_compatible_child);
++
+ /**
+ * of_get_child_by_name - Find the child node by name for a given parent
+ * @node: parent node
+diff --git a/include/linux/of.h b/include/linux/of.h
+index dd10626a615f..d9371c9cd88a 100644
+--- a/include/linux/of.h
++++ b/include/linux/of.h
+@@ -265,6 +265,8 @@ extern struct device_node *of_get_next_child(const struct device_node *node,
+ extern struct device_node *of_get_next_available_child(
+ const struct device_node *node, struct device_node *prev);
+
++extern struct device_node *of_get_compatible_child(const struct device_node *parent,
++ const char *compatible);
+ extern struct device_node *of_get_child_by_name(const struct device_node *node,
+ const char *name);
+
+@@ -462,6 +464,12 @@ static inline bool of_have_populated_dt(void)
+ return false;
+ }
+
++static inline struct device_node *of_get_compatible_child(const struct device_node *parent,
++ const char *compatible)
++{
++ return NULL;
++}
++
+ static inline struct device_node *of_get_child_by_name(
+ const struct device_node *node,
+ const char *name)
+--
+2.17.1
+
diff --git a/queue-4.4/powerpc-numa-suppress-vphn-is-not-supported-messages.patch b/queue-4.4/powerpc-numa-suppress-vphn-is-not-supported-messages.patch
new file mode 100644
index 00000000000..f0b56760939
--- /dev/null
+++ b/queue-4.4/powerpc-numa-suppress-vphn-is-not-supported-messages.patch
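Review bot: The kerneldoc for of_get_compatible_child() in drivers/of/base.c does not say that only direct children are examined or that unavailable nodes are returned too; the loop uses for_each_child_of_node(), not an available-child iteration like the of_get_next_available_child() visible in the hunk context. Since the helper exists to stop drivers matching unrelated nodes, I would add ` * Only direct children of @parent are searched; nodes with status "disabled" are not skipped.` to the comment, so callers know to check of_device_is_available() themselves when it matters. The two converted callers queued alongside it (bcmgenet, nfcmrvl_uart) keep or use the returned node, and the matching of_node_put() is not visible in their hunks, so that is worth confirming against the 4.4 tree.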
@@ -0,0 +1,36 @@
+From 6beb5a5a8543f6d96f5d52301076a597d6d012be Mon Sep 17 00:00:00 2001
+From: Satheesh Rajendran
+Date: Thu, 8 Nov 2018 10:47:56 +0530
+Subject: powerpc/numa: Suppress "VPHN is not supported" messages
+
+[ Upstream commit 437ccdc8ce629470babdda1a7086e2f477048cbd ]
+
+When VPHN function is not supported and during cpu hotplug event,
+kernel prints message 'VPHN function not supported. Disabling
+polling...'. Currently it prints on every hotplug event, it floods
+dmesg when a KVM guest tries to hotplug huge number of vcpus, let's
+just print once and suppress further kernel prints.
+
+Signed-off-by: Satheesh Rajendran
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/mm/numa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
+index 3c4faa4c2742..bb3df222ae71 100644
+--- a/arch/powerpc/mm/numa.c
++++ b/arch/powerpc/mm/numa.c
+@@ -1319,7 +1319,7 @@ static long vphn_get_associativity(unsigned long cpu,
+
+ switch (rc) {
+ case H_FUNCTION:
+- printk(KERN_INFO
++ printk_once(KERN_INFO
+ "VPHN is not supported. Disabling polling...\n");
+ stop_topology_update();
+ break;
+--
+2.17.1
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 343348bc85c..92a983ab020 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -15,3 +15,16 @@ can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-access
 can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch
 acpica-aml-interpreter-add-region-addresses-in-global-list-during-initialization.patch
 usb-xhci-prevent-bus-suspend-if-a-port-connect-change-or-polling-state-is-detected.patch
+kvm-ppc-move-and-undef-trace_include_path-file.patch
+cpufreq-imx6q-add-return-value-check-for-voltage-sca.patch
+arm-make-lookup_processor_type-non-__init.patch
+sunrpc-fix-a-bogus-get-put-in-generic_key_to_expire.patch
+kdb-use-strscpy-with-destination-buffer-size.patch
+powerpc-numa-suppress-vphn-is-not-supported-messages.patch
+tmpfs-make-lseek-seek_data-sek_hole-return-enxio-wit.patch
+of-add-helper-to-lookup-compatible-child-node.patch
+nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch
+net-bcmgenet-fix-of-child-node-lookup.patch
+x86-entry-spell-ebx-register-correctly-in-documentat.patch
+x86-entry-64-remove-ebx-handling-from-error_entry-ex.patch
+arm64-remove-no-op-p-linker-flag.patch
diff --git a/queue-4.4/sunrpc-fix-a-bogus-get-put-in-generic_key_to_expire.patch b/queue-4.4/sunrpc-fix-a-bogus-get-put-in-generic_key_to_expire.patch
new file mode 100644
index 00000000000..1ab8311f524
--- /dev/null
+++ b/queue-4.4/sunrpc-fix-a-bogus-get-put-in-generic_key_to_expire.patch
@@ -0,0 +1,35 @@
+From 2d138a812c1d2d68423afb1355ad441fb0290424 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Mon, 12 Nov 2018 16:06:51 -0500
+Subject: SUNRPC: Fix a bogus get/put in generic_key_to_expire()
+
+[ Upstream commit e3d5e573a54dabdc0f9f3cb039d799323372b251 ]
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ net/sunrpc/auth_generic.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/net/sunrpc/auth_generic.c b/net/sunrpc/auth_generic.c
+index 41248b1820c7..cc27e38392ea 100644
+--- a/net/sunrpc/auth_generic.c
++++ b/net/sunrpc/auth_generic.c
+@@ -272,13 +272,7 @@ static bool generic_key_to_expire(struct rpc_cred *cred)
+ {
+ struct auth_cred *acred = &container_of(cred, struct generic_cred,
+ gc_base)->acred;
+- bool ret;
+-
+- get_rpccred(cred);
+- ret = test_bit(RPC_CRED_KEY_EXPIRE_SOON, &acred->ac_flags);
+- put_rpccred(cred);
+-
+- return ret;
++ return test_bit(RPC_CRED_KEY_EXPIRE_SOON, &acred->ac_flags);
+ }
+
+ static const struct rpc_credops generic_credops = {
+--
+2.17.1
+
diff --git a/queue-4.4/tmpfs-make-lseek-seek_data-sek_hole-return-enxio-wit.patch b/queue-4.4/tmpfs-make-lseek-seek_data-sek_hole-return-enxio-wit.patch
new file mode 100644
index 00000000000..bba114cc193
--- /dev/null
+++ b/queue-4.4/tmpfs-make-lseek-seek_data-sek_hole-return-enxio-wit.patch
@@ -0,0 +1,54 @@
+From f05e67d99d168c211bdb15ee80111c7687e956a6 Mon Sep 17 00:00:00 2001
+From: Yufen Yu
+Date: Fri, 16 Nov 2018 15:08:39 -0800
+Subject: tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative
+ offset
+
+[ Upstream commit 1a413646931cb14442065cfc17561e50f5b5bb44 ]
+
+Other filesystems such as ext4, f2fs and ubifs all return ENXIO when
+lseek (SEEK_DATA or SEEK_HOLE) requests a negative offset.
+
+man 2 lseek says
+
+: EINVAL whence is not valid. Or: the resulting file offset would be
+: negative, or beyond the end of a seekable device.
+:
+: ENXIO whence is SEEK_DATA or SEEK_HOLE, and the file offset is beyond
+: the end of the file.
+
+Make tmpfs return ENXIO under these circumstances as well. After this,
+tmpfs also passes xfstests's generic/448.
+
+[akpm@linux-foundation.org: rewrite changelog]
+Link: http://lkml.kernel.org/r/1540434176-14349-1-git-send-email-yuyufen@huawei.com
+Signed-off-by: Yufen Yu
+Reviewed-by: Andrew Morton
+Cc: Al Viro
+Cc: Hugh Dickins
+Cc: William Kucharski
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/shmem.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 8e506a45a6ef..d902b413941a 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1818,9 +1818,7 @@ static loff_t shmem_file_llseek(struct file *file, loff_t offset, int whence)
+ mutex_lock(&inode->i_mutex);
+ /* We're holding i_mutex so we can access i_size directly */
+
+- if (offset < 0)
+- offset = -EINVAL;
+- else if (offset >= inode->i_size)
++ if (offset < 0 || offset >= inode->i_size)
+ offset = -ENXIO;
+ else {
+ start = offset >> PAGE_CACHE_SHIFT;
+--
+2.17.1
+
diff --git a/queue-4.4/x86-entry-64-remove-ebx-handling-from-error_entry-ex.patch b/queue-4.4/x86-entry-64-remove-ebx-handling-from-error_entry-ex.patch
new file mode 100644
index 00000000000..540ba5568e8
--- /dev/null
+++ b/queue-4.4/x86-entry-64-remove-ebx-handling-from-error_entry-ex.patch 
@@ -0,0 +1,144 @@
+From c65e0172791341b472c6dbf4ef1fde2756a5313a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Sun, 22 Jul 2018 11:05:09 -0700
+Subject: x86/entry/64: Remove %ebx handling from error_entry/exit
+
+[ Upstream commit b3681dd548d06deb2e1573890829dff4b15abf46 ]
+
+error_entry and error_exit communicate the user vs. kernel status of
+the frame using %ebx. This is unnecessary -- the information is in
+regs->cs. Just use regs->cs.
+
+This makes error_entry simpler and makes error_exit more robust.
+
+It also fixes a nasty bug. Before all the Spectre nonsense, the
+xen_failsafe_callback entry point returned like this:
+
+ ALLOC_PT_GPREGS_ON_STACK
+ SAVE_C_REGS
+ SAVE_EXTRA_REGS
+ ENCODE_FRAME_POINTER
+ jmp error_exit
+
+And it did not go through error_entry. This was bogus: RBX
+contained garbage, and error_exit expected a flag in RBX.
+
+Fortunately, it generally contained *nonzero* garbage, so the
+correct code path was used. As part of the Spectre fixes, code was
+added to clear RBX to mitigate certain speculation attacks. Now,
+depending on kernel configuration, RBX got zeroed and, when running
+some Wine workloads, the kernel crashes. This was introduced by:
+
+ commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+
+With this patch applied, RBX is no longer needed as a flag, and the
+problem goes away.
+
+I suspect that malicious userspace could use this bug to crash the
+kernel even without the offending patch applied, though.
+
+[ Historical note: I wrote this patch as a cleanup before I was aware
+ of the bug it fixed. ]
+
+[ Note to stable maintainers: this should probably get applied to all
+ kernels. If you're nervous about that, a more conservative fix to
+ add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
+ also fix the problem. ]
+
+Reported-and-tested-by: M. 
Vefa Bicakci
+Signed-off-by: Andy Lutomirski
+Cc: Boris Ostrovsky
+Cc: Borislav Petkov
+Cc: Brian Gerst
+Cc: Dave Hansen
+Cc: Denys Vlasenko
+Cc: Dominik Brodowski
+Cc: Greg KH
+Cc: H. Peter Anvin
+Cc: Josh Poimboeuf
+Cc: Juergen Gross
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Cc: xen-devel@lists.xenproject.org
+Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.luto@kernel.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ arch/x86/entry/entry_64.S | 20 ++++----------------
+ 1 file changed, 4 insertions(+), 16 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index b569b46660fc..375ed605c83d 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -856,7 +856,7 @@ ENTRY(\sym)
+
+ call \do_sym
+
+- jmp error_exit /* %ebx: no swapgs flag */
++ jmp error_exit
+ .endif
+ END(\sym)
+ .endm
+@@ -1118,7 +1118,6 @@ END(paranoid_exit)
+
+ /*
+ * Save all registers in pt_regs, and switch gs if needed.
+- * Return: EBX=0: came from user mode; EBX=1: otherwise
+ */
+ ENTRY(error_entry)
+ cld
+@@ -1131,7 +1130,6 @@ ENTRY(error_entry)
+ * the kernel CR3 here.
+ */
+ SWITCH_KERNEL_CR3
+- xorl %ebx, %ebx
+ testb $3, CS+8(%rsp)
+ jz .Lerror_kernelspace
+
+@@ -1165,7 +1163,6 @@ ENTRY(error_entry)
+ * for these here too.
+ */
+ .Lerror_kernelspace:
+- incl %ebx
+ leaq native_irq_return_iret(%rip), %rcx
+ cmpq %rcx, RIP+8(%rsp)
+ je .Lerror_bad_iret
+@@ -1196,28 +1193,19 @@ ENTRY(error_entry)
+
+ /*
+ * Pretend that the exception came from user mode: set up pt_regs
+- * as if we faulted immediately after IRET and clear EBX so that
+- * error_exit knows that we will be returning to user mode.
++ * as if we faulted immediately after IRET.
+ */
+ mov %rsp, %rdi
+ call fixup_bad_iret
+ mov %rax, %rsp
+- decl %ebx
+ jmp .Lerror_entry_from_usermode_after_swapgs
+ END(error_entry)
+
+-
+-/*
+- * On entry, EBX is a "return to kernel mode" flag:
+- * 1: already in kernel mode, don't need SWAPGS
+- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
+- */
+ ENTRY(error_exit)
+- movl %ebx, %eax
+ DISABLE_INTERRUPTS(CLBR_NONE)
+ TRACE_IRQS_OFF
+- testl %eax, %eax
+- jnz retint_kernel
++ testb $3, CS(%rsp)
++ jz retint_kernel
+ jmp retint_user
+ END(error_exit)
+
+--
+2.17.1
+
diff --git a/queue-4.4/x86-entry-spell-ebx-register-correctly-in-documentat.patch b/queue-4.4/x86-entry-spell-ebx-register-correctly-in-documentat.patch
new file mode 100644
index 00000000000..ac6fea6d7a5
--- /dev/null
+++ b/queue-4.4/x86-entry-spell-ebx-register-correctly-in-documentat.patch
@@ -0,0 +1,34 @@
+From 667f304aa0bb348fba9e03042705c053409da9c2 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss
+Date: Fri, 29 Jul 2016 13:39:51 +0200
+Subject: x86/entry: spell EBX register correctly in documentation
+
+[ Upstream commit 75ca5b22260ef7b5ce39c6d521eee8b4cba44703 ]
+
+As EBS does not mean anything reasonable in the context it is used, it
+seems like a misspelling for EBX.
+
+Signed-off-by: Nicolas Iooss
+Acked-by: Borislav Petkov
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ arch/x86/entry/entry_64.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index 8be48b1d7596..b569b46660fc 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -1208,7 +1208,7 @@ END(error_entry)
+
+
+ /*
+- * On entry, EBS is a "return to kernel mode" flag:
++ * On entry, EBX is a "return to kernel mode" flag:
+ * 1: already in kernel mode, don't need SWAPGS
+ * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
+ */
+--
+2.17.1
+
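Review bot: In the x86-entry-64-remove-ebx-handling patch, error_exit is left with no header comment once the EBX description is deleted, so nothing in entry_64.S records how the return path is now chosen. I would add above `ENTRY(error_exit)` something like `/* Return to user or kernel mode based on the privilege bits of the CS saved in pt_regs. */`. It would also help to note why the test is `CS(%rsp)` here but `CS+8(%rsp)` in error_entry; presumably error_entry is entered by call and has a return address on the stack, while error_exit is reached by jmp. For the queue itself, this patch removes the comment line carrying the corrected `EBX` spelling, so it only applies after x86-entry-spell-ebx-register-correctly-in-documentat.patch, which `series` does list first.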