From: Greg Kroah-Hartman Date: Sun, 11 Nov 2018 16:25:09 +0000 (-0800) Subject: 4.9-stable patches X-Git-Tag: v4.19.2~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a7ed6a56dea1fe521d17a99b42ff59e26d2f7d19;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: media-em28xx-fix-input-name-for-terratec-av-350.patch media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch media-em28xx-use-a-default-format-if-try_fmt-fails.patch media-tvp5150-avoid-going-past-array-on-v4l2_querymenu.patch xen-fix-xen_qlock_wait.patch --- diff --git a/queue-4.9/media-em28xx-fix-input-name-for-terratec-av-350.patch b/queue-4.9/media-em28xx-fix-input-name-for-terratec-av-350.patch new file mode 100644 index 00000000000..b1cf7ffb425 --- /dev/null +++ b/queue-4.9/media-em28xx-fix-input-name-for-terratec-av-350.patch 
@@ -0,0 +1,39 @@ +From 15644bfa195bd166d0a5ed76ae2d587f719c3dac Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Fri, 14 Sep 2018 00:20:21 -0400 +Subject: media: em28xx: fix input name for Terratec AV 350 + +From: Mauro Carvalho Chehab + +commit 15644bfa195bd166d0a5ed76ae2d587f719c3dac upstream. + +Instead of using a register value, use an AMUX name, as otherwise +VIDIOC_G_AUDIO would fail. + +Cc: stable@vger.kernel.org +Fixes: 766ed64de554 ("V4L/DVB (11827): Add support for Terratec Grabster AV350") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/em28xx/em28xx-cards.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/em28xx/em28xx-cards.c ++++ b/drivers/media/usb/em28xx/em28xx-cards.c +@@ -2093,13 +2093,13 @@ struct em28xx_board em28xx_boards[] = { + .input = { { + .type = EM28XX_VMUX_COMPOSITE, + .vmux = TVP5150_COMPOSITE1, +- .amux = EM28XX_AUDIO_SRC_LINE, ++ .amux = EM28XX_AMUX_LINE_IN, + .gpio = terratec_av350_unmute_gpio, + + }, { + .type = EM28XX_VMUX_SVIDEO, + .vmux = TVP5150_SVIDEO, +- .amux = EM28XX_AUDIO_SRC_LINE, ++ .amux = EM28XX_AMUX_LINE_IN, + .gpio = terratec_av350_unmute_gpio, + } }, + }, diff --git a/queue-4.9/media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch b/queue-4.9/media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch new file mode 100644 index 00000000000..852681327db --- /dev/null +++ b/queue-4.9/media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch 
@@ -0,0 +1,41 @@ +From afeaade90db4c5dab93f326d9582be1d5954a198 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Thu, 13 Sep 2018 22:46:29 -0400 +Subject: media: em28xx: make v4l2-compliance happier by starting sequence on zero + +From: Mauro Carvalho Chehab + +commit afeaade90db4c5dab93f326d9582be1d5954a198 upstream. + +The v4l2-compliance tool complains if a video doesn't start +with a zero sequence number. + +While this shouldn't cause any real problem for apps, let's +make it happier, in order to better check the v4l2-compliance +differences before and after patchsets. + +This is actually an old issue. It is there since at least its +videobuf2 conversion, e. g. changeset 3829fadc461 ("[media] +em28xx: convert to videobuf2"), if VB1 wouldn't suffer from +the same issue. + +Cc: stable@vger.kernel.org +Fixes: d3829fadc461 ("[media] em28xx: convert to videobuf2") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/em28xx/em28xx-video.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/usb/em28xx/em28xx-video.c ++++ b/drivers/media/usb/em28xx/em28xx-video.c +@@ -1290,6 +1290,8 @@ static void em28xx_ctrl_notify(struct v4 + { + struct em28xx *dev = priv; + ++ dev->v4l2->field_count = 0; ++ + /* + * In the case of non-AC97 volume controls, we still need + * to do some setups at em28xx, in order to mute/unmute diff --git a/queue-4.9/media-em28xx-use-a-default-format-if-try_fmt-fails.patch b/queue-4.9/media-em28xx-use-a-default-format-if-try_fmt-fails.patch new file mode 100644 index 00000000000..4c79fb4678c --- /dev/null +++ b/queue-4.9/media-em28xx-use-a-default-format-if-try_fmt-fails.patch 
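Review bot: The added `dev->v4l2->field_count = 0;` sits in a hunk whose `@@` context names `em28xx_ctrl_notify()` and whose trailing comment is about mute/unmute for non-AC97 volume controls, which does not look like the stream-start path the commit message describes. If that placement is real rather than an artefact of the hunk header, the sequence counter would be reset whenever a control changes, including in the middle of a capture, and would not be reset when streaming starts. Before this goes into the 4.9 queue, confirm against the 4.9 tree that the two lines land inside the start-streaming function, and if they do not, rebase the hunk there by hand. The function body continues outside the hunk.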
@@ -0,0 +1,40 @@ +From f823ce2a1202d47110a7ef86b65839f0be8adc38 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Thu, 13 Sep 2018 23:22:40 -0400 +Subject: media: em28xx: use a default format if TRY_FMT fails + +From: Mauro Carvalho Chehab + +commit f823ce2a1202d47110a7ef86b65839f0be8adc38 upstream. + +Follow the V4L2 spec, as warned by v4l2-compliance: + + warn: v4l2-test-formats.cpp(732): TRY_FMT cannot handle an invalid pixelformat. + warn: v4l2-test-formats.cpp(733): This may or may not be a problem. For more information see: + +warn: v4l2-test-formats.cpp(734): http://www.mail-archive.com/linux-media@vger.kernel.org/msg56550.html + +Cc: stable@vger.kernel.org +Fixes: bddcf63313c6 ("V4L/DVB (9927): em28xx: use a more standard way to specify video formats") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/em28xx/em28xx-video.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/media/usb/em28xx/em28xx-video.c ++++ b/drivers/media/usb/em28xx/em28xx-video.c +@@ -1435,9 +1435,9 @@ static int vidioc_try_fmt_vid_cap(struct + + fmt = format_by_fourcc(f->fmt.pix.pixelformat); + if (!fmt) { +- em28xx_videodbg("Fourcc format (%08x) invalid.\n", +- f->fmt.pix.pixelformat); +- return -EINVAL; ++ fmt = &format[0]; ++ em28xx_videodbg("Fourcc format (%08x) invalid. Using default (%08x).\n", ++ f->fmt.pix.pixelformat, fmt->fourcc); + } + + if (dev->board.is_em2800) { diff --git a/queue-4.9/media-tvp5150-avoid-going-past-array-on-v4l2_querymenu.patch b/queue-4.9/media-tvp5150-avoid-going-past-array-on-v4l2_querymenu.patch new file mode 100644 index 00000000000..9c634519f04 --- /dev/null +++ b/queue-4.9/media-tvp5150-avoid-going-past-array-on-v4l2_querymenu.patch 
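Review bot: The fallback `fmt = &format[0];` silently substitutes a format for a caller-supplied fourcc, and nothing in the visible lines tells the caller which format was chosen. The rest of `vidioc_try_fmt_vid_cap()` is outside the hunk, so check that it stores `fmt->fourcc` back into `f->fmt.pix.pixelformat`; otherwise userspace would keep the invalid value while the other fields are filled in for the default. A one-line comment above the assignment would also record why `-EINVAL` was dropped, for example `/* v4l2-compliance: TRY_FMT should accept an unknown pixelformat; fall back to format[0] */`.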
@@ -0,0 +1,80 @@ +From 5c4c4505b716cb782ad7263091edc466c4d1fbd4 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Thu, 13 Sep 2018 16:49:51 -0400 +Subject: media: tvp5150: avoid going past array on v4l2_querymenu() + +From: Mauro Carvalho Chehab + +commit 5c4c4505b716cb782ad7263091edc466c4d1fbd4 upstream. + +The parameters of v4l2_ctrl_new_std_menu_items() are tricky: instead of +the number of possible values, it requires the number of the maximum +value. In other words, the ARRAY_SIZE() value should be decremented, +otherwise it will go past the array bounds, as warned by KASAN: + +[ 279.839688] BUG: KASAN: global-out-of-bounds in v4l2_querymenu+0x10d/0x180 [videodev] +[ 279.839709] Read of size 8 at addr ffffffffc10a4cb0 by task v4l2-compliance/16676 + +[ 279.839736] CPU: 1 PID: 16676 Comm: v4l2-compliance Not tainted 4.18.0-rc2+ #120 +[ 279.839741] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 +[ 279.839743] Call Trace: +[ 279.839758] dump_stack+0x71/0xab +[ 279.839807] ? v4l2_querymenu+0x10d/0x180 [videodev] +[ 279.839817] print_address_description+0x1c9/0x270 +[ 279.839863] ? v4l2_querymenu+0x10d/0x180 [videodev] +[ 279.839871] kasan_report+0x237/0x360 +[ 279.839918] v4l2_querymenu+0x10d/0x180 [videodev] +[ 279.839964] __video_do_ioctl+0x2c8/0x590 [videodev] +[ 279.840011] ? copy_overflow+0x20/0x20 [videodev] +[ 279.840020] ? avc_ss_reset+0xa0/0xa0 +[ 279.840028] ? check_stack_object+0x21/0x60 +[ 279.840036] ? __check_object_size+0xe7/0x240 +[ 279.840080] video_usercopy+0xed/0x730 [videodev] +[ 279.840123] ? copy_overflow+0x20/0x20 [videodev] +[ 279.840167] ? v4l_enumstd+0x40/0x40 [videodev] +[ 279.840177] ? __handle_mm_fault+0x9f9/0x1ba0 +[ 279.840186] ? __pmd_alloc+0x2c0/0x2c0 +[ 279.840193] ? __vfs_write+0xb6/0x350 +[ 279.840200] ? kernel_read+0xa0/0xa0 +[ 279.840244] ? video_usercopy+0x730/0x730 [videodev] +[ 279.840284] v4l2_ioctl+0xa1/0xb0 [videodev] +[ 279.840295] do_vfs_ioctl+0x117/0x8a0 +[ 279.840303] ? 
selinux_file_ioctl+0x211/0x2f0 +[ 279.840313] ? ioctl_preallocate+0x120/0x120 +[ 279.840319] ? selinux_capable+0x20/0x20 +[ 279.840332] ksys_ioctl+0x70/0x80 +[ 279.840342] __x64_sys_ioctl+0x3d/0x50 +[ 279.840351] do_syscall_64+0x6d/0x1c0 +[ 279.840361] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 279.840367] RIP: 0033:0x7fdfb46275d7 +[ 279.840369] Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48 +[ 279.840474] RSP: 002b:00007ffee1179038 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 +[ 279.840483] RAX: ffffffffffffffda RBX: 00007ffee1179180 RCX: 00007fdfb46275d7 +[ 279.840488] RDX: 00007ffee11790c0 RSI: 00000000c02c5625 RDI: 0000000000000003 +[ 279.840493] RBP: 0000000000000002 R08: 0000000000000020 R09: 00000000009f0902 +[ 279.840497] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffee117a5a0 +[ 279.840501] R13: 00007ffee11790c0 R14: 0000000000000002 R15: 0000000000000000 + +[ 279.840515] The buggy address belongs to the variable: +[ 279.840535] tvp5150_test_patterns+0x10/0xffffffffffffe360 [tvp5150] + +Fixes: c43875f66140 ("[media] tvp5150: replace MEDIA_ENT_F_CONN_TEST by a control") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/tvp5150.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/tvp5150.c ++++ b/drivers/media/i2c/tvp5150.c +@@ -1527,7 +1527,7 @@ static int tvp5150_probe(struct i2c_clie + 27000000, 1, 27000000); + v4l2_ctrl_new_std_menu_items(&core->hdl, &tvp5150_ctrl_ops, + V4L2_CID_TEST_PATTERN, +- ARRAY_SIZE(tvp5150_test_patterns), ++ ARRAY_SIZE(tvp5150_test_patterns) - 1, + 0, 0, tvp5150_test_patterns); + sd->ctrl_handler = &core->hdl; + if (core->hdl.error) { diff --git a/queue-4.9/series b/queue-4.9/series index 6a0ace77e3c..d6a3515bece 100644 --- a/queue-4.9/series 
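Review bot: The `- 1` on `ARRAY_SIZE(tvp5150_test_patterns)` is correct only because this argument is the highest valid menu index rather than the item count, and nothing at the call site says so. That is the misunderstanding behind the global out-of-bounds read in `v4l2_querymenu()` that KASAN reports, which the trace shows being reached from a userspace ioctl (task `v4l2-compliance`). Add a comment on that line, for example `/* max menu index, not the number of items */`, so a later cleanup does not remove the decrement. `tvp5150_probe()` starts and ends outside the hunk.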
+++ b/queue-4.9/series @@ -119,3 +119,8 @@ mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch tc-set-dma-masks-for-devices.patch media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch kgdboc-passing-ekgdboc-to-command-line-causes-panic.patch +xen-fix-xen_qlock_wait.patch +media-em28xx-use-a-default-format-if-try_fmt-fails.patch +media-tvp5150-avoid-going-past-array-on-v4l2_querymenu.patch +media-em28xx-fix-input-name-for-terratec-av-350.patch +media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch diff --git a/queue-4.9/xen-fix-xen_qlock_wait.patch b/queue-4.9/xen-fix-xen_qlock_wait.patch new file mode 100644 index 00000000000..27f71a79fde --- /dev/null +++ b/queue-4.9/xen-fix-xen_qlock_wait.patch 
@@ -0,0 +1,82 @@ +From d3132b3860f6cf35ff7609a76bbcdbb814bd027c Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Thu, 8 Nov 2018 08:35:06 +0100 +Subject: xen: fix xen_qlock_wait() + +From: Juergen Gross + +commit d3132b3860f6cf35ff7609a76bbcdbb814bd027c upstream. + +Commit a856531951dc80 ("xen: make xen_qlock_wait() nestable") +introduced a regression for Xen guests running fully virtualized +(HVM or PVH mode). The Xen hypervisor wouldn't return from the poll +hypercall with interrupts disabled in case of an interrupt (for PV +guests it does). + +So instead of disabling interrupts in xen_qlock_wait() use a nesting +counter to avoid calling xen_clear_irq_pending() in case +xen_qlock_wait() is nested. + +Fixes: a856531951dc80 ("xen: make xen_qlock_wait() nestable") +Cc: stable@vger.kernel.org +Reported-by: Sander Eikelenboom +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Tested-by: Sander Eikelenboom +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/spinlock.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/arch/x86/xen/spinlock.c ++++ b/arch/x86/xen/spinlock.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + #include + +@@ -19,6 +20,7 @@ + + static DEFINE_PER_CPU(int, lock_kicker_irq) = -1; + static DEFINE_PER_CPU(char *, irq_name); ++static DEFINE_PER_CPU(atomic_t, xen_qlock_wait_nest); + static bool xen_pvspin = true; + + #include +@@ -39,25 +41,25 @@ static void xen_qlock_kick(int cpu) + */ + static void xen_qlock_wait(u8 *byte, u8 val) + { +- unsigned long flags; + int irq = __this_cpu_read(lock_kicker_irq); ++ atomic_t *nest_cnt = this_cpu_ptr(&xen_qlock_wait_nest); + + /* If kicker interrupts not initialized yet, just spin */ + if (irq == -1 || in_nmi()) + return; + +- /* Guard against reentry. */ +- local_irq_save(flags); ++ /* Detect reentry. */ ++ atomic_inc(nest_cnt); + +- /* If irq pending already clear it. 
*/ +- if (xen_test_irq_pending(irq)) { ++ /* If irq pending already and no nested call clear it. */ ++ if (atomic_read(nest_cnt) == 1 && xen_test_irq_pending(irq)) { + xen_clear_irq_pending(irq); + } else if (READ_ONCE(*byte) == val) { + /* Block until irq becomes pending (or a spurious wakeup) */ + xen_poll_irq(irq); + } + +- local_irq_restore(flags); ++ atomic_dec(nest_cnt); + } + + static irqreturn_t dummy_handler(int irq, void *dev_id)
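Review bot: The new comment `/* Detect reentry. */` does not record why `local_irq_save()` had to go, so a later reader could reintroduce it as the simpler reentry guard. The reason is only in the commit message: for HVM and PVH guests the poll hypercall does not return on an interrupt while interrupts are disabled. I would put that in the code, e.g. `/* Count nesting instead of disabling irqs: xen_poll_irq() must run with interrupts enabled on HVM/PVH. */`. As a point of style, the increment and the test could be one step, `if (atomic_inc_return(nest_cnt) == 1 && xen_test_irq_pending(irq)) {`, which keeps the counter update next to the check that depends on it.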