From: Greg Kroah-Hartman Date: Sun, 29 Apr 2018 11:32:20 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.16.7~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b5864f8f488cebb8cb59c73740aaa3c769c94823;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: alsa-core-report-audio_tstamp-in-snd_pcm_sync_ptr.patch alsa-seq-oss-fix-unbalanced-use-lock-for-synth-midi-device.patch mtd-cfi-cmdset_0001-do-not-allow-read-write-to-suspend-erase-block.patch mtd-cfi-cmdset_0001-workaround-micron-erase-suspend-bug.patch mtd-cfi-cmdset_0002-do-not-allow-read-write-to-suspend-erase-block.patch
---
diff --git a/queue-3.18/alsa-core-report-audio_tstamp-in-snd_pcm_sync_ptr.patch b/queue-3.18/alsa-core-report-audio_tstamp-in-snd_pcm_sync_ptr.patch
new file mode 100644
index 00000000000..c46ba8f1ac4
--- /dev/null
+++ b/queue-3.18/alsa-core-report-audio_tstamp-in-snd_pcm_sync_ptr.patch
@@ -0,0 +1,37 @@
+From f853dcaae2f5bbe021161e421bd1576845bae8f6 Mon Sep 17 00:00:00 2001
+From: David Henningsson
+Date: Sat, 21 Apr 2018 14:57:40 +0200
+Subject: ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
+
+From: David Henningsson
+
+commit f853dcaae2f5bbe021161e421bd1576845bae8f6 upstream.
+
+It looks like a simple mistake that this struct member
+was forgotten.
+
+Audio_tstamp isn't used much, and on some archs (such as x86) this
+ioctl is not used by default, so that might be the reason why this
+has slipped for so long.
+
+Fixes: 4eeaaeaea1ce ("ALSA: core: add hooks for audio timestamps")
+Signed-off-by: David Henningsson
+Reviewed-by: Takashi Sakamoto
+Cc: # v3.8+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/pcm_native.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -2695,6 +2695,7 @@ static int snd_pcm_sync_ptr(struct snd_p
+ sync_ptr.s.status.hw_ptr = status->hw_ptr;
+ sync_ptr.s.status.tstamp = status->tstamp;
+ sync_ptr.s.status.suspended_state = status->suspended_state;
++ sync_ptr.s.status.audio_tstamp = status->audio_tstamp;
+ snd_pcm_stream_unlock_irq(substream);
+ if (copy_to_user(_sync_ptr, &sync_ptr, sizeof(sync_ptr)))
+ return -EFAULT;
diff --git a/queue-3.18/alsa-opl3-hardening-for-potential-spectre-v1.patch b/queue-3.18/alsa-opl3-hardening-for-potential-spectre-v1.patch
deleted file mode 100644
index fe64365edbf..00000000000
--- a/queue-3.18/alsa-opl3-hardening-for-potential-spectre-v1.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 7f054a5bee0987f1e2d4e59daea462421c76f2cb Mon Sep 17 00:00:00 2001
-From: Takashi Iwai
-Date: Tue, 24 Apr 2018 07:56:07 +0200
-Subject: ALSA: opl3: Hardening for potential Spectre v1
-
-From: Takashi Iwai
-
-commit 7f054a5bee0987f1e2d4e59daea462421c76f2cb upstream.
-
-As recently Smatch suggested, one place in OPL3 driver may expand the
-array directly from the user-space value with speculation:
- sound/drivers/opl3/opl3_synth.c:476 snd_opl3_set_voice() warn: potential spectre issue 'snd_opl3_regmap'
-
-This patch puts array_index_nospec() for hardening against it.
-
-BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
-Reported-by: Dan Carpenter
-Cc:
-Signed-off-by: Takashi Iwai
-Signed-off-by: Greg Kroah-Hartman
-
----
- sound/drivers/opl3/opl3_synth.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
---- a/sound/drivers/opl3/opl3_synth.c
-+++ b/sound/drivers/opl3/opl3_synth.c
-@@ -21,6 +21,7 @@
-
- #include
- #include
-+#include
- #include
- #include
-
-@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd
- {
- unsigned short reg_side;
- unsigned char op_offset;
-- unsigned char voice_offset;
-+ unsigned char voice_offset, voice_op;
-
- unsigned short opl3_reg;
- unsigned char reg_val;
-@@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd
- voice_offset = voice->voice - MAX_OPL2_VOICES;
- }
- /* Get register offset of operator */
-- op_offset = snd_opl3_regmap[voice_offset][voice->op];
-+ voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES);
-+ voice_op = array_index_nospec(voice->op, 4);
-+ op_offset = snd_opl3_regmap[voice_offset][voice_op];
-
- reg_val = 0x00;
- /* Set amplitude modulation (tremolo) effect */
diff --git a/queue-3.18/alsa-seq-oss-fix-unbalanced-use-lock-for-synth-midi-device.patch b/queue-3.18/alsa-seq-oss-fix-unbalanced-use-lock-for-synth-midi-device.patch
new file mode 100644
index 00000000000..ae3d0f1e245
--- /dev/null
+++ b/queue-3.18/alsa-seq-oss-fix-unbalanced-use-lock-for-synth-midi-device.patch
@@ -0,0 +1,46 @@
+From f5e94b4c6ebdabe0f602d796e0430180927521a0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 24 Apr 2018 07:26:59 +0200
+Subject: ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
+
+From: Takashi Iwai
+
+commit f5e94b4c6ebdabe0f602d796e0430180927521a0 upstream.
+
+When get_synthdev() is called for a MIDI device, it returns the fixed
+midi_synth_dev without the use refcounting. OTOH, the caller is
+supposed to unreference unconditionally after the usage, so this would
+lead to unbalanced refcount.
+
+This patch corrects the behavior and keep up the refcount balance also
+for the MIDI synth device.
+
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/seq/oss/seq_oss_synth.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/sound/core/seq/oss/seq_oss_synth.c
++++ b/sound/core/seq/oss/seq_oss_synth.c
+@@ -363,10 +363,14 @@ get_synthdev(struct seq_oss_devinfo *dp,
+ return NULL;
+ if (! dp->synths[dev].opened)
+ return NULL;
+- if (dp->synths[dev].is_midi)
+- return &midi_synth_dev;
+- if ((rec = get_sdev(dev)) == NULL)
+- return NULL;
++ if (dp->synths[dev].is_midi) {
++ rec = &midi_synth_dev;
++ snd_use_lock_use(&rec->use_lock);
++ } else {
++ rec = get_sdev(dev);
++ if (!rec)
++ return NULL;
++ }
+ if (! rec->opened) {
+ snd_use_lock_free(&rec->use_lock);
+ return NULL;
diff --git a/queue-3.18/mtd-cfi-cmdset_0001-do-not-allow-read-write-to-suspend-erase-block.patch b/queue-3.18/mtd-cfi-cmdset_0001-do-not-allow-read-write-to-suspend-erase-block.patch
new file mode 100644
index 00000000000..6b86ad8248c
--- /dev/null
+++ b/queue-3.18/mtd-cfi-cmdset_0001-do-not-allow-read-write-to-suspend-erase-block.patch
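Review bot: In get_synthdev() (sound/core/seq/oss/seq_oss_synth.c) the rule this fix depends on is not written down anywhere in the hunk: after the change every non-NULL return holds `rec->use_lock`, including the shared `midi_synth_dev`, and the caller has to drop it. I would add a comment above the `is_midi` branch, `/* every non-NULL return holds rec->use_lock; callers must snd_use_lock_free() it */`, so that a later early return does not reintroduce the imbalance. The existing `if (! rec->opened)` path now also runs for `midi_synth_dev` and releases the lock just taken, which looks balanced; whether `midi_synth_dev.opened` is always set is not visible here. The function starts and ends outside the hunk.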
@@ -0,0 +1,85 @@
+From 6510bbc88e3258631831ade49033537081950605 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund
+Date: Thu, 1 Mar 2018 14:39:39 +0100
+Subject: mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
+
+From: Joakim Tjernlund
+
+commit 6510bbc88e3258631831ade49033537081950605 upstream.
+
+Currently it is possible to read and/or write to suspend EB's.
+Writing /dev/mtdX or /dev/mtdblockX from several processes may
+break the flash state machine.
+
+Signed-off-by: Joakim Tjernlund
+Cc:
+Reviewed-by: Richard Weinberger
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/chips/cfi_cmdset_0001.c | 16 +++++++++++-----
+ include/linux/mtd/flashchip.h | 1 +
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0001.c
++++ b/drivers/mtd/chips/cfi_cmdset_0001.c
+@@ -825,21 +825,25 @@ static int chip_ready (struct map_info *
+ (mode == FL_WRITING && (cfip->SuspendCmdSupport & 1))))
+ goto sleep;
+
++ /* Do not allow suspend iff read/write to EB address */
++ if ((adr & chip->in_progress_block_mask) ==
++ chip->in_progress_block_addr)
++ goto sleep;
+
+ /* Erase suspend */
+- map_write(map, CMD(0xB0), adr);
++ map_write(map, CMD(0xB0), chip->in_progress_block_addr);
+
+ /* If the flash has finished erasing, then 'erase suspend'
+ * appears to make some (28F320) flash devices switch to
+ * 'read' mode. Make sure that we switch to 'read status'
+ * mode so we get the right data. --rmk
+ */
+- map_write(map, CMD(0x70), adr);
++ map_write(map, CMD(0x70), chip->in_progress_block_addr);
+ chip->oldstate = FL_ERASING;
+ chip->state = FL_ERASE_SUSPENDING;
+ chip->erase_suspended = 1;
+ for (;;) {
+- status = map_read(map, adr);
++ status = map_read(map, chip->in_progress_block_addr);
+ if (map_word_andequal(map, status, status_OK, status_OK))
+ break;
+
+@@ -1035,8 +1039,8 @@ static void put_chip(struct map_info *ma
+ sending the 0x70 (Read Status) command to an erasing
+ chip and expecting it to be ignored, that's what we
+ do. */
+- map_write(map, CMD(0xd0), adr);
+- map_write(map, CMD(0x70), adr);
++ map_write(map, CMD(0xd0), chip->in_progress_block_addr);
++ map_write(map, CMD(0x70), chip->in_progress_block_addr);
+ chip->oldstate = FL_READY;
+ chip->state = FL_ERASING;
+ break;
+@@ -1927,6 +1931,8 @@ static int __xipram do_erase_oneblock(st
+ map_write(map, CMD(0xD0), adr);
+ chip->state = FL_ERASING;
+ chip->erase_suspended = 0;
++ chip->in_progress_block_addr = adr;
++ chip->in_progress_block_mask = ~(len - 1);
+
+ ret = INVAL_CACHE_AND_WAIT(map, chip, adr,
+ adr, len,
+--- a/include/linux/mtd/flashchip.h
++++ b/include/linux/mtd/flashchip.h
+@@ -85,6 +85,7 @@ struct flchip {
+ unsigned int write_suspended:1;
+ unsigned int erase_suspended:1;
+ unsigned long in_progress_block_addr;
++ unsigned long in_progress_block_mask;
+
+ struct mutex mutex;
+ wait_queue_head_t wq; /* Wait on here when we're waiting for the chip
diff --git a/queue-3.18/mtd-cfi-cmdset_0001-workaround-micron-erase-suspend-bug.patch b/queue-3.18/mtd-cfi-cmdset_0001-workaround-micron-erase-suspend-bug.patch
new file mode 100644
index 00000000000..88c4cbb951f
--- /dev/null
+++ b/queue-3.18/mtd-cfi-cmdset_0001-workaround-micron-erase-suspend-bug.patch
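Review bot: In do_erase_oneblock() of drivers/mtd/chips/cfi_cmdset_0001.c, `chip->in_progress_block_mask = ~(len - 1);` is a valid block mask only when len is a power of two and adr is aligned to it; otherwise the new guard `(adr & chip->in_progress_block_mask) == chip->in_progress_block_addr` can miss an access inside the block being erased and the erase is suspended anyway. Nothing in the hunk shows that constraint being checked, so I would at least state it next to the assignment: `/* len must be a power of two and adr len-aligned for the suspend guard to work */`. The same assignment appears in do_erase_oneblock() of the cmdset_0002 patch. The guard's own comment, "Do not allow suspend iff read/write to EB address", would read more clearly as `/* Do not suspend the erase if the access targets the block being erased */`. All the functions touched continue outside their hunks.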
@@ -0,0 +1,63 @@
+From 46a16a2283f9e678a4e26829175e0c37a5191860 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund
+Date: Thu, 1 Mar 2018 14:39:40 +0100
+Subject: mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
+
+From: Joakim Tjernlund
+
+commit 46a16a2283f9e678a4e26829175e0c37a5191860 upstream.
+
+Some Micron chips does not work well wrt Erase suspend for
+boot blocks. This avoids the issue by not allowing Erase suspend
+for the boot blocks for the 28F00AP30(1GBit) chip.
+
+Signed-off-by: Joakim Tjernlund
+Cc:
+Reviewed-by: Richard Weinberger
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/chips/cfi_cmdset_0001.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0001.c
++++ b/drivers/mtd/chips/cfi_cmdset_0001.c
+@@ -45,6 +45,7 @@
+ #define I82802AB 0x00ad
+ #define I82802AC 0x00ac
+ #define PF38F4476 0x881c
++#define M28F00AP30 0x8963
+ /* STMicroelectronics chips */
+ #define M50LPW080 0x002F
+ #define M50FLW080A 0x0080
+@@ -375,6 +376,17 @@ static void cfi_fixup_major_minor(struct
+ extp->MinorVersion = '1';
+ }
+
++static int cfi_is_micron_28F00AP30(struct cfi_private *cfi, struct flchip *chip)
++{
++ /*
++ * Micron(was Numonyx) 1Gbit bottom boot are buggy w.r.t
++ * Erase Supend for their small Erase Blocks(0x8000)
++ */
++ if (cfi->mfr == CFI_MFR_INTEL && cfi->id == M28F00AP30)
++ return 1;
++ return 0;
++}
++
+ static inline struct cfi_pri_intelext *
+ read_pri_intelext(struct map_info *map, __u16 adr)
+ {
+@@ -830,6 +842,11 @@ static int chip_ready (struct map_info *
+ chip->in_progress_block_addr)
+ goto sleep;
+
++ /* do not suspend small EBs, buggy Micron Chips */
++ if (cfi_is_micron_28F00AP30(cfi, chip) &&
++ (chip->in_progress_block_mask == ~(0x8000-1)))
++ goto sleep;
++
+ /* Erase suspend */
+ map_write(map, CMD(0xB0), chip->in_progress_block_addr);
+
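Review bot: `cfi_is_micron_28F00AP30()` takes `struct flchip *chip` but never reads it, and the small erase-block size is a bare `0x8000` that appears once in the helper's comment and again in `~(0x8000-1)` in the suspend check. Dropping the unused parameter and giving the size a name next to `M28F00AP30` (for example `#define M28F00AP30_SMALL_EB 0x8000`, a name I made up) would keep the quirk in one auditable place. The helper's comment also has a typo, "Erase Supend". The new check reads `chip->in_progress_block_mask`, which is only introduced by the preceding cmdset_0001 patch, so the two must keep the order the series file gives them.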
diff --git a/queue-3.18/mtd-cfi-cmdset_0002-do-not-allow-read-write-to-suspend-erase-block.patch b/queue-3.18/mtd-cfi-cmdset_0002-do-not-allow-read-write-to-suspend-erase-block.patch
new file mode 100644
index 00000000000..36a3ee5e592
--- /dev/null
+++ b/queue-3.18/mtd-cfi-cmdset_0002-do-not-allow-read-write-to-suspend-erase-block.patch
@@ -0,0 +1,57 @@
+From 7b70eb14392a7cf505f9b358d06c33b5af73d1e7 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund
+Date: Thu, 1 Mar 2018 14:39:41 +0100
+Subject: mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
+
+From: Joakim Tjernlund
+
+commit 7b70eb14392a7cf505f9b358d06c33b5af73d1e7 upstream.
+
+Currently it is possible to read and/or write to suspend EB's.
+Writing /dev/mtdX or /dev/mtdblockX from several processes may
+break the flash state machine.
+
+Taken from cfi_cmdset_0001 driver.
+
+Signed-off-by: Joakim Tjernlund
+Cc:
+Reviewed-by: Richard Weinberger
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -814,9 +814,10 @@ static int get_chip(struct map_info *map
+ (mode == FL_WRITING && (cfip->EraseSuspend & 0x2))))
+ goto sleep;
+
+- /* We could check to see if we're trying to access the sector
+- * that is currently being erased. However, no user will try
+- * anything like that so we just wait for the timeout. */
++ /* Do not allow suspend iff read/write to EB address */
++ if ((adr & chip->in_progress_block_mask) ==
++ chip->in_progress_block_addr)
++ goto sleep;
+
+ /* Erase suspend */
+ /* It's harmless to issue the Erase-Suspend and Erase-Resume
+@@ -2265,6 +2266,7 @@ static int __xipram do_erase_chip(struct
+ chip->state = FL_ERASING;
+ chip->erase_suspended = 0;
+ chip->in_progress_block_addr = adr;
++ chip->in_progress_block_mask = ~(map->size - 1);
+
+ INVALIDATE_CACHE_UDELAY(map, chip,
+ adr, map->size,
+@@ -2354,6 +2356,7 @@ static int __xipram do_erase_oneblock(st
+ chip->state = FL_ERASING;
+ chip->erase_suspended = 0;
+ chip->in_progress_block_addr = adr;
++ chip->in_progress_block_mask = ~(len - 1);
+
+ INVALIDATE_CACHE_UDELAY(map, chip,
+ adr, len,
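Review bot: In do_erase_chip() the added `chip->in_progress_block_mask = ~(map->size - 1);` only lets the new get_chip() guard match if the `adr` stored in `in_progress_block_addr` on the line above is itself aligned to map->size, because the guard compares the masked access address with the unmasked stored one. The hunk does not show what adr holds at that point; if it is a command or unlock offset rather than an aligned base, the comparison can never be true and a read or write can still suspend a whole-chip erase. Please confirm this against the full function and document the requirement at the assignment: `/* adr must be map->size-aligned or the suspend guard in get_chip() never matches */`. The mask also assumes map->size is a power of two. Both erase functions continue outside their hunks.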
diff --git a/queue-3.18/series b/queue-3.18/series
index caeb9b0b38e..58491b82908 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -13,4 +13,8 @@ virtio_console-free-buffers-after-reset.patch
 tty-n_gsm-fix-long-delays-with-control-frame-timeouts-in-adm-mode.patch
 tty-n_gsm-fix-dlci-handling-for-adm-mode-if-debug-2-is-not-set.patch
 tty-use-__gfp_nofail-for-tty_ldisc_get.patch
-alsa-opl3-hardening-for-potential-spectre-v1.patch
+alsa-core-report-audio_tstamp-in-snd_pcm_sync_ptr.patch
+alsa-seq-oss-fix-unbalanced-use-lock-for-synth-midi-device.patch
+mtd-cfi-cmdset_0001-do-not-allow-read-write-to-suspend-erase-block.patch
+mtd-cfi-cmdset_0001-workaround-micron-erase-suspend-bug.patch
+mtd-cfi-cmdset_0002-do-not-allow-read-write-to-suspend-erase-block.patch
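Review bot: The series hunk removes `alsa-opl3-hardening-for-potential-spectre-v1.patch`, and the patch file is deleted in the same commit, but the commit message lists only "added patches" and gives no reason for dropping a Spectre v1 hardening from the 3.18 queue. The dropped patch relies on `array_index_nospec()`, so the removal may be down to that helper not being available on this branch, but that is my guess and nothing on the page says so. I would record the removal in the description as well, for example a `dropped patches:` list with a one-line reason, so the missing hardening of `snd_opl3_set_voice()` on 3.18 stays visible to whoever tracks it.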