From: Greg Kroah-Hartman Date: Tue, 16 Oct 2018 14:06:19 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.9.134~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2a05e493e1865d278f8d053772e18234a3093b1;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: i2c-i2c-scmi-fix-for-i2c_smbus_write_block_data.patch jffs2-return-erange-when-xattr-buffer-is-too-small.patch xhci-don-t-print-a-warning-when-setting-link-state-for-disabled-ports.patch --- diff --git a/queue-4.4/i2c-i2c-scmi-fix-for-i2c_smbus_write_block_data.patch b/queue-4.4/i2c-i2c-scmi-fix-for-i2c_smbus_write_block_data.patch new file mode 100644 index 00000000000..3c444d77a3e --- /dev/null +++ b/queue-4.4/i2c-i2c-scmi-fix-for-i2c_smbus_write_block_data.patch 
@@ -0,0 +1,60 @@ +From 08d9db00fe0e300d6df976e6c294f974988226dd Mon Sep 17 00:00:00 2001 +From: Edgar Cherkasov +Date: Thu, 27 Sep 2018 11:56:03 +0300 +Subject: i2c: i2c-scmi: fix for i2c_smbus_write_block_data + +From: Edgar Cherkasov + +commit 08d9db00fe0e300d6df976e6c294f974988226dd upstream. + +The i2c-scmi driver crashes when the SMBus Write Block transaction is +executed: + +WARNING: CPU: 9 PID: 2194 at mm/page_alloc.c:3931 __alloc_pages_slowpath+0x9db/0xec0 + Call Trace: + ? get_page_from_freelist+0x49d/0x11f0 + ? alloc_pages_current+0x6a/0xe0 + ? new_slab+0x499/0x690 + __alloc_pages_nodemask+0x265/0x280 + alloc_pages_current+0x6a/0xe0 + kmalloc_order+0x18/0x40 + kmalloc_order_trace+0x24/0xb0 + ? acpi_ut_allocate_object_desc_dbg+0x62/0x10c + __kmalloc+0x203/0x220 + acpi_os_allocate_zeroed+0x34/0x36 + acpi_ut_copy_eobject_to_iobject+0x266/0x31e + acpi_evaluate_object+0x166/0x3b2 + acpi_smbus_cmi_access+0x144/0x530 [i2c_scmi] + i2c_smbus_xfer+0xda/0x370 + i2cdev_ioctl_smbus+0x1bd/0x270 + i2cdev_ioctl+0xaa/0x250 + do_vfs_ioctl+0xa4/0x600 + SyS_ioctl+0x79/0x90 + do_syscall_64+0x73/0x130 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +ACPI Error: Evaluating _SBW: 4 (20170831/smbus_cmi-185) + +This problem occurs because the length of ACPI Buffer object is not +defined/initialized in the code before a corresponding ACPI method is +called. The obvious patch below fixes this issue. + +Signed-off-by: Edgar Cherkasov +Acked-by: Viktor Krasnov +Acked-by: Michael Brunner +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-scmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/i2c/busses/i2c-scmi.c ++++ b/drivers/i2c/busses/i2c-scmi.c +@@ -152,6 +152,7 @@ acpi_smbus_cmi_access(struct i2c_adapter + mt_params[3].type = ACPI_TYPE_INTEGER; + mt_params[3].integer.value = len; + mt_params[4].type = ACPI_TYPE_BUFFER; ++ mt_params[4].buffer.length = len; + mt_params[4].buffer.pointer = data->block + 1; + } + break; 
diff --git a/queue-4.4/jffs2-return-erange-when-xattr-buffer-is-too-small.patch b/queue-4.4/jffs2-return-erange-when-xattr-buffer-is-too-small.patch new file mode 100644 index 00000000000..c5322bab279 --- /dev/null +++ b/queue-4.4/jffs2-return-erange-when-xattr-buffer-is-too-small.patch @@ -0,0 +1,52 @@ +From houtao1@huawei.com Tue Oct 16 15:52:02 2018 +From: Hou Tao +Date: Fri, 12 Oct 2018 14:01:26 +0800 +Subject: jffs2: return -ERANGE when xattr buffer is too small +To: , +Cc: , , , +Message-ID: <20181012060126.33739-1-houtao1@huawei.com> + +From: Hou Tao + +When a file have multiple xattrs and the passed buffer is +smaller than the required size, jffs2_listxattr() should +return -ERANGE instead of continue, else Oops may occur +due to memory corruption. + +Also remove the unnecessary check ("rc < 0"), because +xhandle->list(...) will not return an error number. + +Spotted by generic/377 in xfstests-dev. + +NB: The problem had been fixed by commit 764a5c6b1fa4 ("xattr +handlers: Simplify list operation") in v4.5-rc1, but the +modification in that commit may be too much because it modifies +all file-systems which implement xattr, so I create a single +patch for jffs2 to fix the problem. + +Signed-off-by: Hou Tao +Cc: David Woodhouse +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/xattr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/jffs2/xattr.c ++++ b/fs/jffs2/xattr.c +@@ -1004,12 +1004,14 @@ ssize_t jffs2_listxattr(struct dentry *d + rc = xhandle->list(xhandle, dentry, buffer + len, + size - len, xd->xname, + xd->name_len); ++ if (rc > size - len) { ++ rc = -ERANGE; ++ goto out; ++ } + } else { + rc = xhandle->list(xhandle, dentry, NULL, 0, + xd->xname, xd->name_len); + } +- if (rc < 0) +- goto out; + len += rc; + } + rc = len; diff --git a/queue-4.4/series b/queue-4.4/series index da1388ca53b..e0c1f7ce30c 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -11,3 +11,6 @@ ext4-add-corruption-check-in-ext4_xattr_set_entry.patch mm-vmstat.c-fix-outdated-vmstat_text.patch mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch +i2c-i2c-scmi-fix-for-i2c_smbus_write_block_data.patch +xhci-don-t-print-a-warning-when-setting-link-state-for-disabled-ports.patch +jffs2-return-erange-when-xattr-buffer-is-too-small.patch diff --git a/queue-4.4/xhci-don-t-print-a-warning-when-setting-link-state-for-disabled-ports.patch b/queue-4.4/xhci-don-t-print-a-warning-when-setting-link-state-for-disabled-ports.patch new file mode 100644 index 00000000000..8cec500f6fc --- /dev/null +++ b/queue-4.4/xhci-don-t-print-a-warning-when-setting-link-state-for-disabled-ports.patch 
@@ -0,0 +1,61 @@ +From 1208d8a84fdcae6b395c57911cdf907450d30e70 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Mon, 12 Feb 2018 14:24:47 +0200 +Subject: xhci: Don't print a warning when setting link state for disabled ports + +From: Mathias Nyman + +commit 1208d8a84fdcae6b395c57911cdf907450d30e70 upstream. + +When disabling a USB3 port the hub driver will set the port link state to +U3 to prevent "ejected" or "safely removed" devices that are still +physically connected from immediately re-enumerating. + +If the device was really unplugged, then error messages were printed +as the hub tries to set the U3 link state for a port that is no longer +enabled. + +xhci-hcd ee000000.usb: Cannot set link state. +usb usb8-port1: cannot disable (err = -32) + +Don't print error message in xhci-hub if hub tries to set port link state +for a disabled port. Return -ENODEV instead which also silences hub driver. + +Signed-off-by: Mathias Nyman +Tested-by: Yoshihiro Shimoda +Signed-off-by: Ross Zwisler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-hub.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -1048,17 +1048,17 @@ int xhci_hub_control(struct usb_hcd *hcd + temp = readl(port_array[wIndex]); + break; + } +- +- /* Software should not attempt to set +- * port link state above '3' (U3) and the port +- * must be enabled. +- */ +- if ((temp & PORT_PE) == 0 || +- (link_state > USB_SS_PORT_LS_U3)) { +- xhci_warn(xhci, "Cannot set link state.\n"); ++ /* Port must be enabled */ ++ if (!(temp & PORT_PE)) { ++ retval = -ENODEV; ++ break; ++ } ++ /* Can't set port link state above '3' (U3) */ ++ if (link_state > USB_SS_PORT_LS_U3) { ++ xhci_warn(xhci, "Cannot set port %d link state %d\n", ++ wIndex, link_state); + goto error; + } +- + if (link_state == USB_SS_PORT_LS_U3) { + slot_id = xhci_find_slot_id_by_port(hcd, xhci, + wIndex + 1);
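Review bot: in the drivers/i2c/busses/i2c-scmi.c hunk, the added `mt_params[4].buffer.length = len;` sets the length of the ACPI buffer that starts at `data->block + 1`, but nothing in the visible lines bounds `len`. Please confirm in the surrounding code, or state in the commit message, that `len` is checked against the space available in `data->block` before this assignment, since the same value is also passed as the integer in `mt_params[3]`.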
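Review bot: in the fs/jffs2/xattr.c hunk, removing `if (rc < 0) goto out;` leaves `len += rc;` unguarded on the `else` branch (the sizing call with a NULL buffer), and the only justification is the commit message's statement that xhandle->list() will not return an error. A one-line comment at `len += rc;` recording that assumption, or keeping the check for that branch, would protect against a handler that later starts returning errors. The types of `rc`, `size` and `len` are not visible in this hunk, so it is also worth confirming that `rc > size - len` compares as intended if they differ in signedness.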
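Review bot: in the drivers/usb/host/xhci-hub.c hunk, the new `xhci_warn(xhci, "Cannot set port %d link state %d\n", wIndex, link_state);` prints `wIndex`, while the context line just below passes `wIndex + 1` to xhci_find_slot_id_by_port(), so the logged port number is off by one relative to the value used for the slot lookup. Suggest printing `wIndex + 1` so the message lines up with it. The disabled-port path also now exits with `break` and `retval = -ENODEV` rather than `goto error`; the visible lines do not show what follows the `break`, so please confirm it reaches the same cleanup the `error` label provides.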