From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 13 Jul 2017 14:09:57 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.61~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9a6ca0ad791b752df93cdaf5b8c0b85caee1923f;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	locking-rwsem-spinlock-fix-eintr-branch-in-__down_write_common.patch
	md-fix-incorrect-use-of-lexx_to_cpu-in-does_sb_need_changing.patch
	md-fix-super_offset-endianness-in-super_1_rdev_size_change.patch
	staging-vt6556-vnt_start-fix-missing-call-to-vnt_key_init_table.patch
---

diff --git a/queue-4.9/locking-rwsem-spinlock-fix-eintr-branch-in-__down_write_common.patch b/queue-4.9/locking-rwsem-spinlock-fix-eintr-branch-in-__down_write_common.patch
new file mode 100644
index 00000000000..b3bfdfd7f9c
--- /dev/null
+++ b/queue-4.9/locking-rwsem-spinlock-fix-eintr-branch-in-__down_write_common.patch
@@ -0,0 +1,60 @@
+From a0c4acd2c220376b4e9690e75782d0c0afdaab9f Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Fri, 16 Jun 2017 16:44:34 +0300
+Subject: locking/rwsem-spinlock: Fix EINTR branch in __down_write_common()
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+commit a0c4acd2c220376b4e9690e75782d0c0afdaab9f upstream.
+
+If a writer could been woken up, the above branch
+
+	if (sem->count == 0)
+		break;
+
+would have moved us to taking the sem. So, it's
+not the time to wake a writer now, and only readers
+are allowed now. Thus, 0 must be passed to __rwsem_do_wake().
+
+Next, __rwsem_do_wake() wakes readers unconditionally.
+But we mustn't do that if the sem is owned by writer
+in the moment. Otherwise, writer and reader own the sem
+the same time, which leads to memory corruption in
+callers.
+
+rwsem-xadd.c does not need that, as:
+
+  1) the similar check is made lockless there,
+  2) in __rwsem_mark_wake::try_reader_grant we test,
+
+that sem is not owned by writer.
+
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Niklas Cassel <niklas.cassel@axis.com>
+Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 17fcbd590d0c "locking/rwsem: Fix down_write_killable() for CONFIG_RWSEM_GENERIC_SPINLOCK=y"
+Link: http://lkml.kernel.org/r/149762063282.19811.9129615532201147826.stgit@localhost.localdomain
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/locking/rwsem-spinlock.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/locking/rwsem-spinlock.c
++++ b/kernel/locking/rwsem-spinlock.c
+@@ -233,8 +233,8 @@ int __sched __down_write_common(struct r
+ 
+ out_nolock:
+ 	list_del(&waiter.list);
+-	if (!list_empty(&sem->wait_list))
+-		__rwsem_do_wake(sem, 1);
++	if (!list_empty(&sem->wait_list) && sem->count >= 0)
++		__rwsem_do_wake(sem, 0);
+ 	raw_spin_unlock_irqrestore(&sem->wait_lock, flags);
+ 
+ 	return -EINTR;
diff --git a/queue-4.9/md-fix-incorrect-use-of-lexx_to_cpu-in-does_sb_need_changing.patch b/queue-4.9/md-fix-incorrect-use-of-lexx_to_cpu-in-does_sb_need_changing.patch
new file mode 100644
index 00000000000..f2d818a52dc
--- /dev/null
+++ b/queue-4.9/md-fix-incorrect-use-of-lexx_to_cpu-in-does_sb_need_changing.patch
@@ -0,0 +1,30 @@
+From 1345921393ba23b60d3fcf15933e699232ad25ae Mon Sep 17 00:00:00 2001
+From: Jason Yan <yanaijie@huawei.com>
+Date: Fri, 10 Mar 2017 11:49:12 +0800
+Subject: md: fix incorrect use of lexx_to_cpu in does_sb_need_changing
+
+From: Jason Yan <yanaijie@huawei.com>
+
+commit 1345921393ba23b60d3fcf15933e699232ad25ae upstream.
+
+The sb->layout is of type __le32, so we shoud use le32_to_cpu.
+
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -2270,7 +2270,7 @@ static bool does_sb_need_changing(struct
+ 	/* Check if any mddev parameters have changed */
+ 	if ((mddev->dev_sectors != le64_to_cpu(sb->size)) ||
+ 	    (mddev->reshape_position != le64_to_cpu(sb->reshape_position)) ||
+-	    (mddev->layout != le64_to_cpu(sb->layout)) ||
++	    (mddev->layout != le32_to_cpu(sb->layout)) ||
+ 	    (mddev->raid_disks != le32_to_cpu(sb->raid_disks)) ||
+ 	    (mddev->chunk_sectors != le32_to_cpu(sb->chunksize)))
+ 		return true;
diff --git a/queue-4.9/md-fix-super_offset-endianness-in-super_1_rdev_size_change.patch b/queue-4.9/md-fix-super_offset-endianness-in-super_1_rdev_size_change.patch
new file mode 100644
index 00000000000..a49e875d618
--- /dev/null
+++ b/queue-4.9/md-fix-super_offset-endianness-in-super_1_rdev_size_change.patch
@@ -0,0 +1,31 @@
+From 3fb632e40d7667d8bedfabc28850ac06d5493f54 Mon Sep 17 00:00:00 2001
+From: Jason Yan <yanaijie@huawei.com>
+Date: Fri, 10 Mar 2017 11:27:23 +0800
+Subject: md: fix super_offset endianness in super_1_rdev_size_change
+
+From: Jason Yan <yanaijie@huawei.com>
+
+commit 3fb632e40d7667d8bedfabc28850ac06d5493f54 upstream.
+
+The sb->super_offset should be big-endian, but the rdev->sb_start is in
+host byte order, so fix this by adding cpu_to_le64.
+
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -1861,7 +1861,7 @@ super_1_rdev_size_change(struct md_rdev
+ 	}
+ 	sb = page_address(rdev->sb_page);
+ 	sb->data_size = cpu_to_le64(num_sectors);
+-	sb->super_offset = rdev->sb_start;
++	sb->super_offset = cpu_to_le64(rdev->sb_start);
+ 	sb->sb_csum = calc_sb_1_csum(sb);
+ 	md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size,
+ 		       rdev->sb_page);
diff --git a/queue-4.9/series b/queue-4.9/series
index 96c3e8ffba3..e4959702a87 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -13,3 +13,7 @@ perf-header-fix-handling-of-perf_event_update__scale.patch
 perf-scripting-perl-fix-compile-error-with-some-perl5-versions.patch
 perf-probe-fix-to-probe-on-gcc-generated-symbols-for-offline-kernel.patch
 perf-probe-add-error-checks-to-offline-probe-post-processing.patch
+md-fix-incorrect-use-of-lexx_to_cpu-in-does_sb_need_changing.patch
+md-fix-super_offset-endianness-in-super_1_rdev_size_change.patch
+locking-rwsem-spinlock-fix-eintr-branch-in-__down_write_common.patch
+staging-vt6556-vnt_start-fix-missing-call-to-vnt_key_init_table.patch
diff --git a/queue-4.9/staging-vt6556-vnt_start-fix-missing-call-to-vnt_key_init_table.patch b/queue-4.9/staging-vt6556-vnt_start-fix-missing-call-to-vnt_key_init_table.patch
new file mode 100644
index 00000000000..d90454c512b
--- /dev/null
+++ b/queue-4.9/staging-vt6556-vnt_start-fix-missing-call-to-vnt_key_init_table.patch
@@ -0,0 +1,30 @@
+From dc32190f2cd41c7dba25363ea7d618d4f5172b4e Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Sat, 29 Apr 2017 13:03:44 +0100
+Subject: staging: vt6556: vnt_start Fix missing call to vnt_key_init_table.
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit dc32190f2cd41c7dba25363ea7d618d4f5172b4e upstream.
+
+The key table is not intialized correctly without this call.
+
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/main_usb.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/staging/vt6656/main_usb.c
++++ b/drivers/staging/vt6656/main_usb.c
+@@ -522,6 +522,9 @@ static int vnt_start(struct ieee80211_hw
+ 		goto free_all;
+ 	}
+ 
++	if (vnt_key_init_table(priv))
++		goto free_all;
++
+ 	priv->int_interval = 1;  /* bInterval is set to 1 */
+ 
+ 	vnt_int_start_interrupt(priv);