From: Greg Kroah-Hartman Date: Sun, 11 Nov 2018 18:14:29 +0000 (-0800) Subject: 4.14-stable patches X-Git-Tag: v4.19.2~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b55a0e1386bef7406a82a3aaf1e2ac3d74e3a22d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: arm-dts-socfpga-fix-sdram-node-address-for-arria10.patch arm64-dts-stratix10-correct-system-manager-register-size.patch cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch rpmsg-smd-fix-memory-leak-on-channel-create.patch selftests-powerpc-fix-ptrace-tm-failure.patch soc-tegra-pmc-fix-child-node-lookup.patch --- diff --git a/queue-4.14/arm-dts-socfpga-fix-sdram-node-address-for-arria10.patch b/queue-4.14/arm-dts-socfpga-fix-sdram-node-address-for-arria10.patch new file mode 100644 index 00000000000..7218a4c7c1f --- /dev/null +++ b/queue-4.14/arm-dts-socfpga-fix-sdram-node-address-for-arria10.patch @@ -0,0 +1,33 @@ +From ce3bf934f919a7d675c5b7fa4cc233ded9c6256e Mon Sep 17 00:00:00 2001 +From: Thor Thayer +Date: Tue, 25 Sep 2018 10:21:10 -0500 +Subject: ARM: dts: socfpga: Fix SDRAM node address for Arria10 + +From: Thor Thayer + +commit ce3bf934f919a7d675c5b7fa4cc233ded9c6256e upstream. + +The address in the SDRAM node was incorrect. Fix this to agree with the +correct address and to match the reg definition block. + +Cc: stable@vger.kernel.org +Fixes: 54b4a8f57848b("arm: socfpga: dts: Add Arria10 SDRAM EDAC DTS support") +Signed-off-by: Thor Thayer +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/socfpga_arria10.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/socfpga_arria10.dtsi ++++ b/arch/arm/boot/dts/socfpga_arria10.dtsi +@@ -601,7 +601,7 @@ + status = "disabled"; + }; + +- sdr: sdr@ffc25000 { ++ sdr: sdr@ffcfb100 { + compatible = "altr,sdr-ctl", "syscon"; + reg = <0xffcfb100 0x80>; + }; diff --git a/queue-4.14/arm64-dts-stratix10-correct-system-manager-register-size.patch b/queue-4.14/arm64-dts-stratix10-correct-system-manager-register-size.patch new file mode 100644 index 00000000000..0cab10e1243 --- /dev/null +++ b/queue-4.14/arm64-dts-stratix10-correct-system-manager-register-size.patch @@ -0,0 +1,32 @@ +From 74121b9aa3cd571ddfff014a9f47db36cae3cda9 Mon Sep 17 00:00:00 2001 +From: Thor Thayer +Date: Tue, 25 Sep 2018 10:31:52 -0500 +Subject: arm64: dts: stratix10: Correct System Manager register size + +From: Thor Thayer + +commit 74121b9aa3cd571ddfff014a9f47db36cae3cda9 upstream. + +Correct the register size of the System Manager node. + +Cc: stable@vger.kernel.org +Fixes: 78cd6a9d8e154 ("arm64: dts: Add base stratix 10 dtsi") +Signed-off-by: Thor Thayer +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi ++++ b/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi +@@ -249,7 +249,7 @@ + + sysmgr: sysmgr@ffd12000 { + compatible = "altr,sys-mgr", "syscon"; +- reg = <0xffd12000 0x1000>; ++ reg = <0xffd12000 0x228>; + }; + + /* Local timer */ diff --git a/queue-4.14/cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch b/queue-4.14/cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch new file mode 100644 index 00000000000..ca73afd996a --- /dev/null +++ b/queue-4.14/cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch @@ -0,0 +1,34 @@ +From 672ca9dd13f1aca0c17516f76fc5b0e8344b3e46 Mon Sep 17 00:00:00 2001 +From: Nicolas Pitre +Date: Tue, 30 Oct 2018 13:26:15 -0400 +Subject: Cramfs: fix abad comparison when wrap-arounds occur + +From: Nicolas Pitre + +commit 672ca9dd13f1aca0c17516f76fc5b0e8344b3e46 upstream. + +It is possible for corrupted filesystem images to produce very large +block offsets that may wrap when a length is added, and wrongly pass +the buffer size test. + +Reported-by: Anatoly Trosinenko +Signed-off-by: Nicolas Pitre +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cramfs/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/cramfs/inode.c ++++ b/fs/cramfs/inode.c +@@ -186,7 +186,8 @@ static void *cramfs_read(struct super_bl + continue; + blk_offset = (blocknr - buffer_blocknr[i]) << PAGE_SHIFT; + blk_offset += offset; +- if (blk_offset + len > BUFFER_SIZE) ++ if (blk_offset > BUFFER_SIZE || ++ blk_offset + len > BUFFER_SIZE) + continue; + return read_buffers[i] + blk_offset; + } diff --git a/queue-4.14/rpmsg-smd-fix-memory-leak-on-channel-create.patch b/queue-4.14/rpmsg-smd-fix-memory-leak-on-channel-create.patch new file mode 100644 index 00000000000..7015ecaa0cb --- /dev/null +++ b/queue-4.14/rpmsg-smd-fix-memory-leak-on-channel-create.patch @@ -0,0 +1,48 @@ +From 940c620d6af8fca7d115de40f19870fba415efac Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Thu, 27 Sep 2018 22:36:27 +0100 +Subject: rpmsg: smd: fix memory leak on channel create + +From: Colin Ian King + +commit 940c620d6af8fca7d115de40f19870fba415efac upstream. + +Currently a failed allocation of channel->name leads to an +immediate return without freeing channel. Fix this by setting +ret to -ENOMEM and jumping to an exit path that kfree's channel. + +Detected by CoverityScan, CID#1473692 ("Resource Leak") + +Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend") +Cc: stable@vger.kernel.org +Signed-off-by: Colin Ian King +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rpmsg/qcom_smd.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/rpmsg/qcom_smd.c ++++ b/drivers/rpmsg/qcom_smd.c +@@ -1049,8 +1049,10 @@ static struct qcom_smd_channel *qcom_smd + + channel->edge = edge; + channel->name = kstrdup(name, GFP_KERNEL); +- if (!channel->name) +- return ERR_PTR(-ENOMEM); ++ if (!channel->name) { ++ ret = -ENOMEM; ++ goto free_channel; ++ } + + mutex_init(&channel->tx_lock); + spin_lock_init(&channel->recv_lock); +@@ -1099,6 +1101,7 @@ static struct qcom_smd_channel *qcom_smd + + free_name_and_channel: + kfree(channel->name); ++free_channel: + kfree(channel); + + return ERR_PTR(ret); diff --git a/queue-4.14/selftests-powerpc-fix-ptrace-tm-failure.patch b/queue-4.14/selftests-powerpc-fix-ptrace-tm-failure.patch new file mode 100644 index 00000000000..34ca4184385 --- /dev/null +++ b/queue-4.14/selftests-powerpc-fix-ptrace-tm-failure.patch @@ -0,0 +1,60 @@ +From 48dc0ef19044bfb69193302fbe3a834e3331b7ae Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Mon, 22 Oct 2018 18:16:26 -0300 +Subject: selftests/powerpc: Fix ptrace tm failure + +From: Breno Leitao + +commit 48dc0ef19044bfb69193302fbe3a834e3331b7ae upstream. + +Test ptrace-tm-spd-gpr fails on current kernel (4.19) due to a segmentation +fault that happens on the child process prior to setting cptr[2] = 1. This +causes the parent process to wait forever at 'while (!pptr[2])' and the test to +be killed by the test harness framework by timeout, thus, failing. + +The segmentation fault happens because of a inline assembly being +generated as: + + 0x10000355c lfs f0, 0(0) + +This is reading memory position 0x0 and causing the segmentation fault. + +This code is being generated by ASM_LOAD_FPR_SINGLE_PRECISION(flt_4), where +flt_4 is passed to the inline assembly block as: + + [flt_4] "r" (&d) + +Since the inline assembly 'r' constraint means any GPR, gpr0 is being +chosen, thus causing this issue when issuing a Load Floating-Point Single +instruction. + +This patch simply changes the constraint to 'b', which specify that this +register will be used as base, and r0 is not allowed to be used, avoiding +this issue. + +Other than that, removing flt_2 register from the input operands, since it +is not used by the inline assembly code at all. + +Cc: stable@vger.kernel.org +Signed-off-by: Breno Leitao +Acked-by: Segher Boessenkool +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-gpr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-gpr.c ++++ b/tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-gpr.c +@@ -67,8 +67,8 @@ trans: + "3: ;" + : [res] "=r" (result), [texasr] "=r" (texasr) + : [gpr_1]"i"(GPR_1), [gpr_2]"i"(GPR_2), [gpr_4]"i"(GPR_4), +- [sprn_texasr] "i" (SPRN_TEXASR), [flt_1] "r" (&a), +- [flt_2] "r" (&b), [flt_4] "r" (&d) ++ [sprn_texasr] "i" (SPRN_TEXASR), [flt_1] "b" (&a), ++ [flt_4] "b" (&d) + : "memory", "r5", "r6", "r7", + "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15", + "r16", "r17", "r18", "r19", "r20", "r21", "r22", "r23", diff --git a/queue-4.14/series b/queue-4.14/series index 1d3e82df5a7..e7d9c95c177 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -188,3 +188,9 @@ media-em28xx-fix-input-name-for-terratec-av-350.patch media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch media-media-colorspaces-.rst-rename-adobergb-to-oprgb.patch arm64-lse-remove-fcall-used-x0-flag.patch +rpmsg-smd-fix-memory-leak-on-channel-create.patch +cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch +arm-dts-socfpga-fix-sdram-node-address-for-arria10.patch +arm64-dts-stratix10-correct-system-manager-register-size.patch +soc-tegra-pmc-fix-child-node-lookup.patch +selftests-powerpc-fix-ptrace-tm-failure.patch diff --git a/queue-4.14/soc-tegra-pmc-fix-child-node-lookup.patch b/queue-4.14/soc-tegra-pmc-fix-child-node-lookup.patch new file mode 100644 index 00000000000..7572444884a --- /dev/null +++ b/queue-4.14/soc-tegra-pmc-fix-child-node-lookup.patch @@ -0,0 +1,39 @@ +From 1dc6bd5e39a29453bdcc17348dd2a89f1aa4004e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 15 Nov 2017 10:44:58 +0100 +Subject: soc/tegra: pmc: Fix child-node lookup + +From: Johan Hovold + +commit 1dc6bd5e39a29453bdcc17348dd2a89f1aa4004e upstream. + +Fix child-node lookup during probe, which ended up searching the whole +device tree depth-first starting at the parent rather than just matching +on its children. + +To make things worse, the parent pmc node could end up being prematurely +freed as of_find_node_by_name() drops a reference to its first argument. + +Fixes: 3568df3d31d6 ("soc: tegra: Add thermal reset (thermtrip) support to PMC") +Cc: stable # 4.0 +Cc: Mikko Perttunen +Signed-off-by: Johan Hovold +Reviewed-by: Mikko Perttunen +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/soc/tegra/pmc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/tegra/pmc.c ++++ b/drivers/soc/tegra/pmc.c +@@ -1321,7 +1321,7 @@ static void tegra_pmc_init_tsense_reset( + if (!pmc->soc->has_tsense_reset) + return; + +- np = of_find_node_by_name(pmc->dev->of_node, "i2c-thermtrip"); ++ np = of_get_child_by_name(pmc->dev->of_node, "i2c-thermtrip"); + if (!np) { + dev_warn(dev, "i2c-thermtrip node not found, %s.\n", disabled); + return;