From: Greg Kroah-Hartman Date: Thu, 18 Oct 2018 09:50:52 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.18.16~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be7e94f8f2f1253c35e533749fe648678d3c891c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: batman-adv-fix-backbone_gw-refcount-on-queue_work-failure.patch batman-adv-fix-hardif_neigh-refcount-on-queue_work-failure.patch batman-adv-fix-segfault-when-writing-to-sysfs-elp_interval.patch batman-adv-fix-segfault-when-writing-to-throughput_override.patch batman-adv-prevent-duplicated-global-tt-entry.patch batman-adv-prevent-duplicated-nc_node-entry.patch batman-adv-prevent-duplicated-softif_vlan-entry.patch batman-adv-prevent-duplicated-tvlv-handler.patch clocksource-drivers-ti-32k-add-clock_source_suspend_nonstop-flag-for-non-am43-socs.patch drm-mali-dp-call-drm_crtc_vblank_reset-on-device-init.patch input-atakbd-fix-atari-capslock-behaviour.patch input-atakbd-fix-atari-keymap.patch iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch media-af9035-prevent-buffer-overflow-on-write.patch net-mlx4-use-cpumask_available-for-eq-affinity_mask.patch powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch powerpc-tm-fix-userspace-r13-corruption.patch ravb-do-not-write-1-to-reserved-bits.patch risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch scsi-ibmvscsis-ensure-partition-name-is-properly-nul-terminated.patch scsi-ibmvscsis-fix-a-stringop-overflow-warning.patch scsi-sd-don-t-crash-the-host-on-invalid-commands.patch
---
diff --git a/queue-4.9/batman-adv-fix-backbone_gw-refcount-on-queue_work-failure.patch b/queue-4.9/batman-adv-fix-backbone_gw-refcount-on-queue_work-failure.patch
new file mode 100644
index 00000000000..cec6348266b
--- /dev/null
+++ b/queue-4.9/batman-adv-fix-backbone_gw-refcount-on-queue_work-failure.patch
@@ -0,0 +1,49 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Marek Lindner
+Date: Fri, 7 Sep 2018 05:45:54 +0800
+Subject: batman-adv: fix backbone_gw refcount on queue_work() failure
+
+From: Marek Lindner
+
+[ Upstream commit 5af96b9c59c72fb2af2d19c5cc2f3cdcee391dff ]
+
+The backbone_gw refcounter is to be decreased by the queued work and
+currently is never decreased if the queue_work() call fails.
+Fix by checking the queue_work() return value and decrease refcount
+if necessary.
+
+Signed-off-by: Marek Lindner
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/bridge_loop_avoidance.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1767,6 +1767,7 @@ batadv_bla_loopdetect_check(struct batad
+ {
+ struct batadv_bla_backbone_gw *backbone_gw;
+ struct ethhdr *ethhdr;
++ bool ret;
+
+ ethhdr = eth_hdr(skb);
+
+@@ -1790,8 +1791,13 @@ batadv_bla_loopdetect_check(struct batad
+ if (unlikely(!backbone_gw))
+ return true;
+
+- queue_work(batadv_event_workqueue, &backbone_gw->report_work);
+- /* backbone_gw is unreferenced in the report work function function */
++ ret = queue_work(batadv_event_workqueue, &backbone_gw->report_work);
++
++ /* backbone_gw is unreferenced in the report work function function
++ * if queue_work() call was successful
++ */
++ if (!ret)
++ batadv_backbone_gw_put(backbone_gw);
+
+ return true;
+ }
diff --git a/queue-4.9/batman-adv-fix-hardif_neigh-refcount-on-queue_work-failure.patch b/queue-4.9/batman-adv-fix-hardif_neigh-refcount-on-queue_work-failure.patch
new file mode 100644
index 00000000000..83fab3f1ba7
--- /dev/null
+++ b/queue-4.9/batman-adv-fix-hardif_neigh-refcount-on-queue_work-failure.patch
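Review bot: The rewritten comment in batadv_bla_loopdetect_check still carries the doubled word in "report work function function"; since the lines are being touched anyway it could read `/* the report work function drops the backbone_gw reference; drop it here when nothing was queued */`. The bat_v_elp.c hunk of the next patch adds the same `if (!ret)` put with no comment at all, and a one-liner there such as `/* metric_work releases hardif_neigh; release it here if the work was not queued */` would keep the ownership rule visible at the call site. In both hunks `ret` holds the bool result of queue_work() rather than an error code, so a name like `queued` would be harder to misread. Both function bodies start and end outside the hunks.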
@@ -0,0 +1,47 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Marek Lindner
+Date: Fri, 7 Sep 2018 05:45:55 +0800
+Subject: batman-adv: fix hardif_neigh refcount on queue_work() failure
+
+From: Marek Lindner
+
+[ Upstream commit 4c4af6900844ab04c9434c972021d7b48610e06a ]
+
+The hardif_neigh refcounter is to be decreased by the queued work and
+currently is never decreased if the queue_work() call fails.
+Fix by checking the queue_work() return value and decrease refcount
+if necessary.
+
+Signed-off-by: Marek Lindner
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/bat_v_elp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -243,6 +243,7 @@ static void batadv_v_elp_periodic_work(s
+ struct batadv_priv *bat_priv;
+ struct sk_buff *skb;
+ u32 elp_interval;
++ bool ret;
+
+ bat_v = container_of(work, struct batadv_hard_iface_bat_v, elp_wq.work);
+ hard_iface = container_of(bat_v, struct batadv_hard_iface, bat_v);
+@@ -304,8 +305,11 @@ static void batadv_v_elp_periodic_work(s
+ * may sleep and that is not allowed in an rcu protected
+ * context. Therefore schedule a task for that.
+ */
+- queue_work(batadv_event_workqueue,
+- &hardif_neigh->bat_v.metric_work);
++ ret = queue_work(batadv_event_workqueue,
++ &hardif_neigh->bat_v.metric_work);
++
++ if (!ret)
++ batadv_hardif_neigh_put(hardif_neigh);
+ }
+ rcu_read_unlock();
+
diff --git a/queue-4.9/batman-adv-fix-segfault-when-writing-to-sysfs-elp_interval.patch b/queue-4.9/batman-adv-fix-segfault-when-writing-to-sysfs-elp_interval.patch
new file mode 100644
index 00000000000..99d9f97097d
--- /dev/null
+++ b/queue-4.9/batman-adv-fix-segfault-when-writing-to-sysfs-elp_interval.patch
@@ -0,0 +1,112 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Sven Eckelmann
+Date: Fri, 31 Aug 2018 16:56:29 +0200
+Subject: batman-adv: Fix segfault when writing to sysfs elp_interval
+
+From: Sven Eckelmann
+
+[ Upstream commit a25bab9d723a08bd0bdafb1529faf9094c690b70 ]
+
+The per hardif sysfs file "batman_adv/elp_interval" is using the generic
+functions to store/show uint values. The helper __batadv_store_uint_attr
+requires the softif net_device as parameter to print the resulting change
+as info text when the users writes to this file. It uses the helper
+function batadv_info to add it at the same time to the kernel ring buffer
+and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG is enabled).
+
+The function batadv_info requires as first parameter the batman-adv softif
+net_device. This parameter is then used to find the private buffer which
+contains the debug log for this batman-adv interface. But
+batadv_store_throughput_override used as first argument the slave
+net_device. This slave device doesn't have the batadv_priv private data
+which is access by batadv_info.
+
+Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead
+to a segfault or to memory corruption.
+
+Fixes: 0744ff8fa8fa ("batman-adv: Add hard_iface specific sysfs wrapper macros for UINT")
+Signed-off-by: Sven Eckelmann
+Acked-by: Marek Lindner
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/sysfs.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/net/batman-adv/sysfs.c
++++ b/net/batman-adv/sysfs.c
+@@ -187,7 +187,8 @@ ssize_t batadv_store_##_name(struct kobj
+ \
+ return __batadv_store_uint_attr(buff, count, _min, _max, \
+ _post_func, attr, \
+- &bat_priv->_var, net_dev); \
++ &bat_priv->_var, net_dev, \
++ NULL); \
+ }
+
+ #define BATADV_ATTR_SIF_SHOW_UINT(_name, _var) \
+@@ -261,7 +262,9 @@ ssize_t batadv_store_##_name(struct kobj
+ \
+ length = __batadv_store_uint_attr(buff, count, _min, _max, \
+ _post_func, attr, \
+- &hard_iface->_var, net_dev); \
++ &hard_iface->_var, \
++ hard_iface->soft_iface, \
++ net_dev); \
+ \
+ batadv_hardif_put(hard_iface); \
+ return length; \
+@@ -355,10 +358,12 @@ __batadv_store_bool_attr(char *buff, siz
+
+ static int batadv_store_uint_attr(const char *buff, size_t count,
+ struct net_device *net_dev,
++ struct net_device *slave_dev,
+ const char *attr_name,
+ unsigned int min, unsigned int max,
+ atomic_t *attr)
+ {
++ char ifname[IFNAMSIZ + 3] = "";
+ unsigned long uint_val;
+ int ret;
+
+@@ -384,8 +389,11 @@ static int batadv_store_uint_attr(const
+ if (atomic_read(attr) == uint_val)
+ return count;
+
+- batadv_info(net_dev, "%s: Changing from: %i to: %lu\n",
+- attr_name, atomic_read(attr), uint_val);
++ if (slave_dev)
++ snprintf(ifname, sizeof(ifname), "%s: ", slave_dev->name);
++
++ batadv_info(net_dev, "%s: %sChanging from: %i to: %lu\n",
++ attr_name, ifname, atomic_read(attr), uint_val);
+
+ atomic_set(attr, uint_val);
+ return count;
+@@ -396,12 +404,13 @@ static ssize_t __batadv_store_uint_attr(
+ void (*post_func)(struct net_device *),
+ const struct attribute *attr,
+ atomic_t *attr_store,
+- struct net_device *net_dev)
++ struct net_device *net_dev,
++ struct net_device *slave_dev)
+ {
+ int ret;
+
+- ret = batadv_store_uint_attr(buff, count, net_dev, attr->name, min, max,
+- attr_store);
++ ret = batadv_store_uint_attr(buff, count, net_dev, slave_dev,
++ attr->name, min, max, attr_store);
+ if (post_func && ret)
+ post_func(net_dev);
+
+@@ -570,7 +579,7 @@ static ssize_t batadv_store_gw_sel_class
+ return __batadv_store_uint_attr(buff, count, 1, BATADV_TQ_MAX_VALUE,
+ batadv_post_gw_reselect, attr,
+ &bat_priv->gw.sel_class,
+- bat_priv->soft_iface);
++ bat_priv->soft_iface, NULL);
+ }
+
+ static ssize_t batadv_show_gw_bwidth(struct kobject *kobj,
diff --git a/queue-4.9/batman-adv-fix-segfault-when-writing-to-throughput_override.patch b/queue-4.9/batman-adv-fix-segfault-when-writing-to-throughput_override.patch
new file mode 100644
index 00000000000..e442cefd84b
--- /dev/null
+++ b/queue-4.9/batman-adv-fix-segfault-when-writing-to-throughput_override.patch
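Review bot: `hard_iface->soft_iface` is passed on as the device whose private data batadv_info() looks up, both in the hard-interface store macro of this patch and in the batadv_store_throughput_override hunk of the following patch, and neither place checks it for NULL. Whether a hard interface that is not attached to any soft interface can reach these sysfs store handlers is not visible in the hunks; if it can, the write would trade the wrong-device access described in the commit message for a NULL dereference. A guard that returns an error before the call when `hard_iface->soft_iface` is NULL (after `batadv_hardif_put(hard_iface)` in the macro, via `goto out` in the throughput handler) would cover both. Separately, `char ifname[IFNAMSIZ + 3]` deserves a short comment saying the extra bytes hold the `": "` suffix. The macro and function bodies extend beyond the hunks.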
@@ -0,0 +1,49 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Sven Eckelmann
+Date: Fri, 31 Aug 2018 16:46:47 +0200
+Subject: batman-adv: Fix segfault when writing to throughput_override
+
+From: Sven Eckelmann
+
+[ Upstream commit b9fd14c20871e6189f635e49b32d7789e430b3c8 ]
+
+The per hardif sysfs file "batman_adv/throughput_override" prints the
+resulting change as info text when the users writes to this file. It uses
+the helper function batadv_info to add it at the same time to the kernel
+ring buffer and to the batman-adv debug log (when CONFIG_BATMAN_ADV_DEBUG
+is enabled).
+
+The function batadv_info requires as first parameter the batman-adv softif
+net_device. This parameter is then used to find the private buffer which
+contains the debug log for this batman-adv interface. But
+batadv_store_throughput_override used as first argument the slave
+net_device. This slave device doesn't have the batadv_priv private data
+which is access by batadv_info.
+
+Writing to this file with CONFIG_BATMAN_ADV_DEBUG enabled can either lead
+to a segfault or to memory corruption.
+
+Fixes: 0b5ecc6811bd ("batman-adv: add throughput override attribute to hard_ifaces")
+Signed-off-by: Sven Eckelmann
+Acked-by: Marek Lindner
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/sysfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/sysfs.c
++++ b/net/batman-adv/sysfs.c
+@@ -1084,8 +1084,9 @@ static ssize_t batadv_store_throughput_o
+ if (old_tp_override == tp_override)
+ goto out;
+
+- batadv_info(net_dev, "%s: Changing from: %u.%u MBit to: %u.%u MBit\n",
+- "throughput_override",
++ batadv_info(hard_iface->soft_iface,
++ "%s: %s: Changing from: %u.%u MBit to: %u.%u MBit\n",
++ "throughput_override", net_dev->name,
+ old_tp_override / 10, old_tp_override % 10,
+ tp_override / 10, tp_override % 10);
+
diff --git a/queue-4.9/batman-adv-prevent-duplicated-global-tt-entry.patch b/queue-4.9/batman-adv-prevent-duplicated-global-tt-entry.patch
new file mode 100644
index 00000000000..12827d7336f
--- /dev/null
+++ b/queue-4.9/batman-adv-prevent-duplicated-global-tt-entry.patch
@@ -0,0 +1,60 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Sven Eckelmann
+Date: Sun, 12 Aug 2018 21:04:44 +0200
+Subject: batman-adv: Prevent duplicated global TT entry
+
+From: Sven Eckelmann
+
+[ Upstream commit e7136e48ffdfb9f37b0820f619380485eb407361 ]
+
+The function batadv_tt_global_orig_entry_add is responsible for adding new
+tt_orig_list_entry to the orig_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: d657e621a0f5 ("batman-adv: add reference counting for type batadv_tt_orig_list_entry")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/translation-table.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -1550,6 +1550,8 @@ batadv_tt_global_orig_entry_add(struct b
+ {
+ struct batadv_tt_orig_list_entry *orig_entry;
+
++ spin_lock_bh(&tt_global->list_lock);
++
+ orig_entry = batadv_tt_global_orig_entry_find(tt_global, orig_node);
+ if (orig_entry) {
+ /* refresh the ttvn: the current value could be a bogus one that
+@@ -1570,16 +1572,16 @@ batadv_tt_global_orig_entry_add(struct b
+ orig_entry->ttvn = ttvn;
+ kref_init(&orig_entry->refcount);
+
+- spin_lock_bh(&tt_global->list_lock);
+ kref_get(&orig_entry->refcount);
+ hlist_add_head_rcu(&orig_entry->list,
+ &tt_global->orig_list);
+- spin_unlock_bh(&tt_global->list_lock);
+ atomic_inc(&tt_global->orig_list_count);
+
+ out:
+ if (orig_entry)
+ batadv_tt_orig_list_entry_put(orig_entry);
++
++ spin_unlock_bh(&tt_global->list_lock);
+ }
+
+ /**
diff --git a/queue-4.9/batman-adv-prevent-duplicated-nc_node-entry.patch b/queue-4.9/batman-adv-prevent-duplicated-nc_node-entry.patch
new file mode 100644
index 00000000000..3c1a4f680c9
--- /dev/null
+++ b/queue-4.9/batman-adv-prevent-duplicated-nc_node-entry.patch
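Review bot: The allocation of `orig_entry` sits between the two hunks of batadv_tt_global_orig_entry_add and is not visible, yet it now runs inside the `spin_lock_bh(&tt_global->list_lock)` section, so it has to be a non-sleeping allocation; the nc_node, softif_vlan and tvlv patches in this series visibly use `GFP_ATOMIC`, and this one should be confirmed against the full function. The lookup and the `batadv_tt_orig_list_entry_put()` at `out:` are also executed under the lock now, which nothing in the code states; a comment at the acquisition such as `/* list_lock covers lookup and insert so a concurrent add cannot create a duplicate */` would record why the critical section is this wide. If the release callback ever needs `list_lock` itself, the put under the lock would have to move below the unlock.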
@@ -0,0 +1,88 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Sven Eckelmann
+Date: Sun, 12 Aug 2018 21:04:42 +0200
+Subject: batman-adv: Prevent duplicated nc_node entry
+
+From: Sven Eckelmann
+
+[ Upstream commit fa122fec8640eb7186ce5a41b83a4c1744ceef8f ]
+
+The function batadv_nc_get_nc_node is responsible for adding new nc_nodes
+to the in_coding_list and out_coding_list. It first checks whether the
+entry already is in the list or not. If it is, then the creation of a new
+entry is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: d56b1705e28c ("batman-adv: network coding - detect coding nodes and remove these after timeout")
+Signed-off-by: Sven Eckelmann
+Acked-by: Marek Lindner
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/network-coding.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -845,16 +845,27 @@ batadv_nc_get_nc_node(struct batadv_priv
+ spinlock_t *lock; /* Used to lock list selected by "int in_coding" */
+ struct list_head *list;
+
++ /* Select ingoing or outgoing coding node */
++ if (in_coding) {
++ lock = &orig_neigh_node->in_coding_list_lock;
++ list = &orig_neigh_node->in_coding_list;
++ } else {
++ lock = &orig_neigh_node->out_coding_list_lock;
++ list = &orig_neigh_node->out_coding_list;
++ }
++
++ spin_lock_bh(lock);
++
+ /* Check if nc_node is already added */
+ nc_node = batadv_nc_find_nc_node(orig_node, orig_neigh_node, in_coding);
+
+ /* Node found */
+ if (nc_node)
+- return nc_node;
++ goto unlock;
+
+ nc_node = kzalloc(sizeof(*nc_node), GFP_ATOMIC);
+ if (!nc_node)
+- return NULL;
++ goto unlock;
+
+ /* Initialize nc_node */
+ INIT_LIST_HEAD(&nc_node->list);
+@@ -863,22 +874,14 @@ batadv_nc_get_nc_node(struct batadv_priv
+ kref_get(&orig_neigh_node->refcount);
+ nc_node->orig_node = orig_neigh_node;
+
+- /* Select ingoing or outgoing coding node */
+- if (in_coding) {
+- lock = &orig_neigh_node->in_coding_list_lock;
+- list = &orig_neigh_node->in_coding_list;
+- } else {
+- lock = &orig_neigh_node->out_coding_list_lock;
+- list = &orig_neigh_node->out_coding_list;
+- }
+-
+ batadv_dbg(BATADV_DBG_NC, bat_priv, "Adding nc_node %pM -> %pM\n",
+ nc_node->addr, nc_node->orig_node->orig);
+
+ /* Add nc_node to orig_node */
+- spin_lock_bh(lock);
+ kref_get(&nc_node->refcount);
+ list_add_tail_rcu(&nc_node->list, list);
++
++unlock:
+ spin_unlock_bh(lock);
+
+ return nc_node;
diff --git a/queue-4.9/batman-adv-prevent-duplicated-softif_vlan-entry.patch b/queue-4.9/batman-adv-prevent-duplicated-softif_vlan-entry.patch
new file mode 100644
index 00000000000..6ca107e57c3
--- /dev/null
+++ b/queue-4.9/batman-adv-prevent-duplicated-softif_vlan-entry.patch
@@ -0,0 +1,84 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Sven Eckelmann
+Date: Sun, 12 Aug 2018 21:04:43 +0200
+Subject: batman-adv: Prevent duplicated softif_vlan entry
+
+From: Sven Eckelmann
+
+[ Upstream commit 94cb82f594ed86be303398d6dfc7640a6f1d45d4 ]
+
+The function batadv_softif_vlan_get is responsible for adding new
+softif_vlan to the softif_vlan_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: 5d2c05b21337 ("batman-adv: add per VLAN interface attribute framework")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/soft-interface.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -565,15 +565,20 @@ int batadv_softif_create_vlan(struct bat
+ struct batadv_softif_vlan *vlan;
+ int err;
+
++ spin_lock_bh(&bat_priv->softif_vlan_list_lock);
++
+ vlan = batadv_softif_vlan_get(bat_priv, vid);
+ if (vlan) {
+ batadv_softif_vlan_put(vlan);
++ spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+ return -EEXIST;
+ }
+
+ vlan = kzalloc(sizeof(*vlan), GFP_ATOMIC);
+- if (!vlan)
++ if (!vlan) {
++ spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+ return -ENOMEM;
++ }
+
+ vlan->bat_priv = bat_priv;
+ vlan->vid = vid;
+@@ -581,17 +586,23 @@ int batadv_softif_create_vlan(struct bat
+
+ atomic_set(&vlan->ap_isolation, 0);
+
++ kref_get(&vlan->refcount);
++ hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
++ spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
++
++ /* batadv_sysfs_add_vlan cannot be in the spinlock section due to the
++ * sleeping behavior of the sysfs functions and the fs_reclaim lock
++ */
+ err = batadv_sysfs_add_vlan(bat_priv->soft_iface, vlan);
+ if (err) {
+- kfree(vlan);
++ /* ref for the function */
++ batadv_softif_vlan_put(vlan);
++
++ /* ref for the list */
++ batadv_softif_vlan_put(vlan);
+ return err;
+ }
+
+- spin_lock_bh(&bat_priv->softif_vlan_list_lock);
+- kref_get(&vlan->refcount);
+- hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
+- spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+-
+ /* add a new TT local entry. This one will be marked with the NOPURGE
+ * flag
+ */
diff --git a/queue-4.9/batman-adv-prevent-duplicated-tvlv-handler.patch b/queue-4.9/batman-adv-prevent-duplicated-tvlv-handler.patch
new file mode 100644
index 00000000000..67def8c8939
--- /dev/null
+++ b/queue-4.9/batman-adv-prevent-duplicated-tvlv-handler.patch
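Review bot: In the -EEXIST branch of batadv_softif_create_vlan, `batadv_softif_vlan_put(vlan)` runs before `spin_unlock_bh(&bat_priv->softif_vlan_list_lock)`, the opposite order from the tvlv patch in this series, which unlocks first and puts afterwards. The release callback is not visible here; if it takes `softif_vlan_list_lock` to unlink the entry, a put that happens to drop the last reference inside the locked section would deadlock on the lock already held. Swapping the two lines, `spin_unlock_bh(&bat_priv->softif_vlan_list_lock);` followed by `batadv_softif_vlan_put(vlan);`, removes that dependency. The sysfs error path likewise relies on the second put to unlink the entry that was already published on the list, which is worth stating in the "ref for the list" comment. The function body continues outside the hunks.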
@@ -0,0 +1,62 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Sven Eckelmann
+Date: Sun, 12 Aug 2018 21:04:45 +0200
+Subject: batman-adv: Prevent duplicated tvlv handler
+
+From: Sven Eckelmann
+
+[ Upstream commit ae3cdc97dc10c7a3b31f297dab429bfb774c9ccb ]
+
+The function batadv_tvlv_handler_register is responsible for adding new
+tvlv_handler to the handler_list. It first checks whether the entry
+already is in the list or not. If it is, then the creation of a new entry
+is aborted.
+
+But the lock for the list is only held when the list is really modified.
+This could lead to duplicated entries because another context could create
+an entry with the same key between the check and the list manipulation.
+
+The check and the manipulation of the list must therefore be in the same
+locked code section.
+
+Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/tvlv.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/tvlv.c
++++ b/net/batman-adv/tvlv.c
+@@ -528,15 +528,20 @@ void batadv_tvlv_handler_register(struct
+ {
+ struct batadv_tvlv_handler *tvlv_handler;
+
++ spin_lock_bh(&bat_priv->tvlv.handler_list_lock);
++
+ tvlv_handler = batadv_tvlv_handler_get(bat_priv, type, version);
+ if (tvlv_handler) {
++ spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
+ batadv_tvlv_handler_put(tvlv_handler);
+ return;
+ }
+
+ tvlv_handler = kzalloc(sizeof(*tvlv_handler), GFP_ATOMIC);
+- if (!tvlv_handler)
++ if (!tvlv_handler) {
++ spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
+ return;
++ }
+
+ tvlv_handler->ogm_handler = optr;
+ tvlv_handler->unicast_handler = uptr;
+@@ -546,7 +551,6 @@ void batadv_tvlv_handler_register(struct
+ kref_init(&tvlv_handler->refcount);
+ INIT_HLIST_NODE(&tvlv_handler->list);
+
+- spin_lock_bh(&bat_priv->tvlv.handler_list_lock);
+ kref_get(&tvlv_handler->refcount);
+ hlist_add_head_rcu(&tvlv_handler->list, &bat_priv->tvlv.handler_list);
+ spin_unlock_bh(&bat_priv->tvlv.handler_list_lock);
diff --git a/queue-4.9/clocksource-drivers-ti-32k-add-clock_source_suspend_nonstop-flag-for-non-am43-socs.patch b/queue-4.9/clocksource-drivers-ti-32k-add-clock_source_suspend_nonstop-flag-for-non-am43-socs.patch
new file mode 100644
index 00000000000..dbb23fe3198
--- /dev/null
+++ b/queue-4.9/clocksource-drivers-ti-32k-add-clock_source_suspend_nonstop-flag-for-non-am43-socs.patch
@@ -0,0 +1,34 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Keerthy
+Date: Wed, 8 Aug 2018 18:44:59 +0530
+Subject: clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs
+
+From: Keerthy
+
+[ Upstream commit 3b7d96a0dbb6b630878597a1838fc39f808b761b ]
+
+The 32k clocksource is NONSTOP for non-am43 SoCs. Hence
+add the flag for all the other SoCs.
+
+Reported-by: Tony Lindgren
+Signed-off-by: Keerthy
+Acked-by: Tony Lindgren
+Signed-off-by: Daniel Lezcano
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clocksource/timer-ti-32k.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/clocksource/timer-ti-32k.c
++++ b/drivers/clocksource/timer-ti-32k.c
+@@ -98,6 +98,9 @@ static int __init ti_32k_timer_init(stru
+ return -ENXIO;
+ }
+
++ if (!of_machine_is_compatible("ti,am43"))
++ ti_32k_timer.cs.flags |= CLOCK_SOURCE_SUSPEND_NONSTOP;
++
+ ti_32k_timer.counter = ti_32k_timer.base;
+
+ /*
diff --git a/queue-4.9/drm-mali-dp-call-drm_crtc_vblank_reset-on-device-init.patch b/queue-4.9/drm-mali-dp-call-drm_crtc_vblank_reset-on-device-init.patch
new file mode 100644
index 00000000000..e834bb60626
--- /dev/null
+++ b/queue-4.9/drm-mali-dp-call-drm_crtc_vblank_reset-on-device-init.patch
@@ -0,0 +1,36 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Alexandru Gheorghe
+Date: Mon, 16 Jul 2018 11:07:07 +0100
+Subject: drm: mali-dp: Call drm_crtc_vblank_reset on device init
+
+From: Alexandru Gheorghe
+
+[ Upstream commit 69be1984ded00a11b1ed0888c6d8e4f35370372f ]
+
+Currently, if userspace calls drm_wait_vblank before the crtc is
+activated the crtc vblank_enable hook is called, which in case of
+malidp driver triggers some warninngs. This happens because on
+device init we don't inform the drm core about the vblank state
+by calling drm_crtc_vblank_on/off/reset which together with
+drm_vblank_get have some magic that prevents calling drm_vblank_enable
+when crtc is off.
+
+Signed-off-by: Alexandru Gheorghe
+Acked-by: Liviu Dudau
+Signed-off-by: Liviu Dudau
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/arm/malidp_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/arm/malidp_drv.c
++++ b/drivers/gpu/drm/arm/malidp_drv.c
+@@ -378,6 +378,7 @@ static int malidp_bind(struct device *de
+ goto irq_init_fail;
+
+ ret = drm_vblank_init(drm, drm->mode_config.num_crtc);
++ drm_crtc_vblank_reset(&malidp->crtc);
+ if (ret < 0) {
+ DRM_ERROR("failed to initialise vblank\n");
+ goto vblank_fail;
diff --git a/queue-4.9/input-atakbd-fix-atari-capslock-behaviour.patch b/queue-4.9/input-atakbd-fix-atari-capslock-behaviour.patch
new file mode 100644
index 00000000000..8851b69bed4
--- /dev/null
+++ b/queue-4.9/input-atakbd-fix-atari-capslock-behaviour.patch
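Review bot: `drm_crtc_vblank_reset(&malidp->crtc)` is inserted between `drm_vblank_init()` and the `if (ret < 0)` check in malidp_bind, so it also runs when vblank initialisation has just failed. Whether the reset is safe on vblank state that was never set up is not visible in the hunk, and the error path does not need it. Placing the call after the check, i.e. directly below the closing brace of the `if (ret < 0) { ... goto vblank_fail; }` block, keeps it on the success path only. malidp_bind starts and ends outside the hunk.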
@@ -0,0 +1,44 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Michael Schmitz
+Date: Mon, 17 Sep 2018 15:27:49 -0700
+Subject: Input: atakbd - fix Atari CapsLock behaviour
+
+From: Michael Schmitz
+
+[ Upstream commit 52d2c7bf7c90217fbe875d2d76f310979c48eb83 ]
+
+The CapsLock key on Atari keyboards is not a toggle, it does send the
+normal make and break scancodes.
+
+Drop the CapsLock toggle handling code, which did cause the CapsLock
+key to merely act as a Shift key.
+
+Tested-by: Michael Schmitz
+Signed-off-by: Michael Schmitz
+Signed-off-by: Andreas Schwab
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/keyboard/atakbd.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/drivers/input/keyboard/atakbd.c
++++ b/drivers/input/keyboard/atakbd.c
+@@ -189,14 +189,8 @@ static void atakbd_interrupt(unsigned ch
+
+ scancode = atakbd_keycode[scancode];
+
+- if (scancode == KEY_CAPSLOCK) { /* CapsLock is a toggle switch key on Amiga */
+- input_report_key(atakbd_dev, scancode, 1);
+- input_report_key(atakbd_dev, scancode, 0);
+- input_sync(atakbd_dev);
+- } else {
+- input_report_key(atakbd_dev, scancode, down);
+- input_sync(atakbd_dev);
+- }
++ input_report_key(atakbd_dev, scancode, down);
++ input_sync(atakbd_dev);
+ } else /* scancodes >= 0xf3 are mouse data, most likely */
+ printk(KERN_INFO "atakbd: unhandled scancode %x\n", scancode);
+
diff --git a/queue-4.9/input-atakbd-fix-atari-keymap.patch b/queue-4.9/input-atakbd-fix-atari-keymap.patch
new file mode 100644
index 00000000000..781427015b7
--- /dev/null
+++ b/queue-4.9/input-atakbd-fix-atari-keymap.patch
@@ -0,0 +1,133 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Andreas Schwab
+Date: Mon, 17 Sep 2018 12:43:34 -0700
+Subject: Input: atakbd - fix Atari keymap
+
+From: Andreas Schwab
+
+[ Upstream commit 9e62df51be993035c577371ffee5477697a56aad ]
+
+Fix errors in Atari keymap (mostly in keypad, help and undo keys).
+
+Patch provided on debian-68k ML by Andreas Schwab ,
+keymap array size and unhandled scancode limit adjusted to 0x73 by me.
+
+Tested-by: Michael Schmitz
+Signed-off-by: Michael Schmitz
+Signed-off-by: Andreas Schwab
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/keyboard/atakbd.c | 64 ++++++++++++++++------------------------
+ 1 file changed, 26 insertions(+), 38 deletions(-)
+
+--- a/drivers/input/keyboard/atakbd.c
++++ b/drivers/input/keyboard/atakbd.c
+@@ -79,8 +79,7 @@ MODULE_LICENSE("GPL");
+ */
+
+
+-static unsigned char atakbd_keycode[0x72] = { /* American layout */
+- [0] = KEY_GRAVE,
++static unsigned char atakbd_keycode[0x73] = { /* American layout */
+ [1] = KEY_ESC,
+ [2] = KEY_1,
+ [3] = KEY_2,
+@@ -121,9 +120,9 @@ static unsigned char atakbd_keycode[0x72
+ [38] = KEY_L,
+ [39] = KEY_SEMICOLON,
+ [40] = KEY_APOSTROPHE,
+- [41] = KEY_BACKSLASH, /* FIXME, '#' */
++ [41] = KEY_GRAVE,
+ [42] = KEY_LEFTSHIFT,
+- [43] = KEY_GRAVE, /* FIXME: '~' */
++ [43] = KEY_BACKSLASH,
+ [44] = KEY_Z,
+ [45] = KEY_X,
+ [46] = KEY_C,
+@@ -149,45 +148,34 @@ static unsigned char atakbd_keycode[0x72
+ [66] = KEY_F8,
+ [67] = KEY_F9,
+ [68] = KEY_F10,
+- [69] = KEY_ESC,
+- [70] = KEY_DELETE,
+- [71] = KEY_KP7,
+- [72] = KEY_KP8,
+- [73] = KEY_KP9,
++ [71] = KEY_HOME,
++ [72] = KEY_UP,
+ [74] = KEY_KPMINUS,
+- [75] = KEY_KP4,
+- [76] = KEY_KP5,
+- [77] = KEY_KP6,
++ [75] = KEY_LEFT,
++ [77] = KEY_RIGHT,
+ [78] = KEY_KPPLUS,
+- [79] = KEY_KP1,
+- [80] = KEY_KP2,
+- [81] = KEY_KP3,
+- [82] = KEY_KP0,
+- [83] = KEY_KPDOT,
+- [90] = KEY_KPLEFTPAREN,
+- [91] = KEY_KPRIGHTPAREN,
+- [92] = KEY_KPASTERISK, /* FIXME */
+- [93] = KEY_KPASTERISK,
+- [94] = KEY_KPPLUS,
+- [95] = KEY_HELP,
++ [80] = KEY_DOWN,
++ [82] = KEY_INSERT,
++ [83] = KEY_DELETE,
+ [96] = KEY_102ND,
+- [97] = KEY_KPASTERISK, /* FIXME */
+- [98] = KEY_KPSLASH,
++ [97] = KEY_UNDO,
++ [98] = KEY_HELP,
+ [99] = KEY_KPLEFTPAREN,
+ [100] = KEY_KPRIGHTPAREN,
+ [101] = KEY_KPSLASH,
+ [102] = KEY_KPASTERISK,
+- [103] = KEY_UP,
+- [104] = KEY_KPASTERISK, /* FIXME */
+- [105] = KEY_LEFT,
+- [106] = KEY_RIGHT,
+- [107] = KEY_KPASTERISK, /* FIXME */
+- [108] = KEY_DOWN,
+- [109] = KEY_KPASTERISK, /* FIXME */
+- [110] = KEY_KPASTERISK, /* FIXME */
+- [111] = KEY_KPASTERISK, /* FIXME */
+- [112] = KEY_KPASTERISK, /* FIXME */
+- [113] = KEY_KPASTERISK /* FIXME */
++ [103] = KEY_KP7,
++ [104] = KEY_KP8,
++ [105] = KEY_KP9,
++ [106] = KEY_KP4,
++ [107] = KEY_KP5,
++ [108] = KEY_KP6,
++ [109] = KEY_KP1,
++ [110] = KEY_KP2,
++ [111] = KEY_KP3,
++ [112] = KEY_KP0,
++ [113] = KEY_KPDOT,
++ [114] = KEY_KPENTER,
+ };
+
+ static struct input_dev *atakbd_dev;
+@@ -195,7 +183,7 @@ static struct input_dev *atakbd_dev;
+ static void atakbd_interrupt(unsigned char scancode, char down)
+ {
+
+- if (scancode < 0x72) { /* scancodes < 0xf2 are keys */
++ if (scancode < 0x73) { /* scancodes < 0xf3 are keys */
+
+ // report raw events here?
+
+@@ -209,7 +197,7 @@ static void atakbd_interrupt(unsigned ch
+ input_report_key(atakbd_dev, scancode, down);
+ input_sync(atakbd_dev);
+ }
+- } else /* scancodes >= 0xf2 are mouse data, most likely */
++ } else /* scancodes >= 0xf3 are mouse data, most likely */
+ printk(KERN_INFO "atakbd: unhandled scancode %x\n", scancode);
+
+ return;
diff --git a/queue-4.9/iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch b/queue-4.9/iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch
new file mode 100644
index 00000000000..ca39b2ed503
--- /dev/null
+++ b/queue-4.9/iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch
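Review bot: The literal `0x73` now appears twice, as the size of `atakbd_keycode` and as the index bound in atakbd_interrupt, and the table lookup is only in range as long as both are edited together, as this patch had to do. Writing the guard as `if (scancode < ARRAY_SIZE(atakbd_keycode)) {` ties the check to the table so a later keymap change cannot leave an out-of-range index behind. The comments beside the check speak of 0xf3 while the code compares against 0x73; a short remark explaining how the two values relate would help, since the reason is not visible in the hunk. atakbd_interrupt continues outside the hunks.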
@@ -0,0 +1,41 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Arindam Nath
+Date: Tue, 18 Sep 2018 15:40:58 +0530
+Subject: iommu/amd: Return devid as alias for ACPI HID devices
+
+From: Arindam Nath
+
+[ Upstream commit 5ebb1bc2d63d90dd204169e21fd7a0b4bb8c776e ]
+
+ACPI HID devices do not actually have an alias for
+them in the IVRS. But dev_data->alias is still used
+for indexing into the IOMMU device table for devices
+being handled by the IOMMU. So for ACPI HID devices,
+we simply return the corresponding devid as an alias,
+as parsed from IVRS table.
+
+Signed-off-by: Arindam Nath
+Fixes: 2bf9a0a12749 ('iommu/amd: Add iommu support for ACPI HID devices')
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/amd_iommu.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -288,7 +288,13 @@ static u16 get_alias(struct device *dev)
+
+ /* The callers make sure that get_device_id() does not fail here */
+ devid = get_device_id(dev);
++
++ /* For ACPI HID devices, we simply return the devid as such */
++ if (!dev_is_pci(dev))
++ return devid;
++
+ ivrs_alias = amd_iommu_alias_table[devid];
++
+ pci_for_each_dma_alias(pdev, __last_alias, &pci_alias);
+
+ if (ivrs_alias == pci_alias)
diff --git a/queue-4.9/media-af9035-prevent-buffer-overflow-on-write.patch b/queue-4.9/media-af9035-prevent-buffer-overflow-on-write.patch
new file mode 100644
index 00000000000..852337c352e
--- /dev/null
+++ b/queue-4.9/media-af9035-prevent-buffer-overflow-on-write.patch
@@ -0,0 +1,40 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Jozef Balga
+Date: Tue, 21 Aug 2018 05:01:04 -0400
+Subject: media: af9035: prevent buffer overflow on write
+
+From: Jozef Balga
+
+[ Upstream commit 312f73b648626a0526a3aceebb0a3192aaba05ce ]
+
+When less than 3 bytes are written to the device, memcpy is called with
+negative array size which leads to buffer overflow and kernel panic. This
+patch adds a condition and returns -EOPNOTSUPP instead.
+Fixes bugzilla issue 64871
+
+[mchehab+samsung@kernel.org: fix a merge conflict and changed the
+ condition to match the patch's comment, e. g. len == 3 could
+ also be valid]
+Signed-off-by: Jozef Balga
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/dvb-usb-v2/af9035.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/af9035.c
++++ b/drivers/media/usb/dvb-usb-v2/af9035.c
+@@ -406,8 +406,10 @@ static int af9035_i2c_master_xfer(struct
+ msg[0].addr == (state->af9033_i2c_addr[1] >> 1))
+ reg |= 0x100000;
+
+- ret = af9035_wr_regs(d, reg, &msg[0].buf[3],
+- msg[0].len - 3);
++ ret = (msg[0].len >= 3) ? af9035_wr_regs(d, reg,
++ &msg[0].buf[3],
++ msg[0].len - 3)
++ : -EOPNOTSUPP;
+ } else {
+ /* I2C write */
+ u8 buf[MAX_XFER_SIZE];
diff --git a/queue-4.9/net-mlx4-use-cpumask_available-for-eq-affinity_mask.patch b/queue-4.9/net-mlx4-use-cpumask_available-for-eq-affinity_mask.patch
new file mode 100644
index 00000000000..9d6d1afed55
--- /dev/null
+++ b/queue-4.9/net-mlx4-use-cpumask_available-for-eq-affinity_mask.patch
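Review bot: The length check added in af9035_i2c_master_xfer() guards only the af9035_wr_regs() call, while `reg` is already in use in the context lines above it (`reg |= 0x100000`). If `reg` is assembled from `msg[0].buf[0..2]`, which is outside the hunk, those three bytes are still read from a message shorter than three bytes before the check runs, so the test would belong ahead of that computation. Splitting the four-line conditional expression into `if (msg[0].len < 3) ret = -EOPNOTSUPP; else ret = af9035_wr_regs(d, reg, &msg[0].buf[3], msg[0].len - 3);` would also read more easily. With `len == 3` the call is made with a zero length and a pointer one past the data, which the commit message treats as valid but which is worth confirming against af9035_wr_regs().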
@@ -0,0 +1,44 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Nathan Chancellor
+Date: Fri, 21 Sep 2018 02:44:12 -0700
+Subject: net/mlx4: Use cpumask_available for eq->affinity_mask
+
+From: Nathan Chancellor
+
+[ Upstream commit 8ac1ee6f4d62e781e3b3fd8b9c42b70371427669 ]
+
+Clang warns that the address of a pointer will always evaluated as true
+in a boolean context:
+
+drivers/net/ethernet/mellanox/mlx4/eq.c:243:11: warning: address of
+array 'eq->affinity_mask' will always evaluate to 'true'
+[-Wpointer-bool-conversion]
+ if (!eq->affinity_mask || cpumask_empty(eq->affinity_mask))
+ ~~~~~^~~~~~~~~~~~~
+1 warning generated.
+
+Use cpumask_available, introduced in commit f7e30f01a9e2 ("cpumask: Add
+helper cpumask_available()"), which does the proper checking and avoids
+this warning.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/86
+Signed-off-by: Nathan Chancellor
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx4/eq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/eq.c
++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
+@@ -240,7 +240,8 @@ static void mlx4_set_eq_affinity_hint(st
+ struct mlx4_dev *dev = &priv->dev;
+ struct mlx4_eq *eq = &priv->eq_table.eq[vec];
+
+- if (!eq->affinity_mask || cpumask_empty(eq->affinity_mask))
++ if (!cpumask_available(eq->affinity_mask) ||
++ cpumask_empty(eq->affinity_mask))
+ return;
+
+ hint_err = irq_set_affinity_hint(eq->irq, eq->affinity_mask);
diff --git a/queue-4.9/powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch b/queue-4.9/powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch
new file mode 100644
index 00000000000..f9b7988e617
--- /dev/null
+++ b/queue-4.9/powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch
@@ -0,0 +1,59 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Michael Neuling
+Date: Tue, 25 Sep 2018 19:36:47 +1000
+Subject: powerpc/tm: Avoid possible userspace r1 corruption on reclaim
+
+From: Michael Neuling
+
+[ Upstream commit 96dc89d526ef77604376f06220e3d2931a0bfd58 ]
+
+Current we store the userspace r1 to PACATMSCRATCH before finally
+saving it to the thread struct.
+
+In theory an exception could be taken here (like a machine check or
+SLB miss) that could write PACATMSCRATCH and hence corrupt the
+userspace r1. The SLB fault currently doesn't touch PACATMSCRATCH, but
+others do.
+
+We've never actually seen this happen but it's theoretically
+possible. Either way, the code is fragile as it is.
+
+This patch saves r1 to the kernel stack (which can't fault) before we
+turn MSR[RI] back on. PACATMSCRATCH is still used but only with
+MSR[RI] off. We then copy r1 from the kernel stack to the thread
+struct once we have MSR[RI] back on.
+
+Suggested-by: Breno Leitao
+Signed-off-by: Michael Neuling
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/tm.S | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/tm.S
++++ b/arch/powerpc/kernel/tm.S
+@@ -169,6 +169,13 @@ _GLOBAL(tm_reclaim)
+ std r11, GPR11(r1) /* Temporary stash */
+
+ /*
++ * Move the saved user r1 to the kernel stack in case PACATMSCRATCH is
++ * clobbered by an exception once we turn on MSR_RI below.
++ */
++ ld r11, PACATMSCRATCH(r13)
++ std r11, GPR1(r1)
++
++ /*
+ * Store r13 away so we can free up the scratch SPR for the SLB fault
+ * handler (needed once we start accessing the thread_struct).
+ */
+@@ -204,7 +211,7 @@ _GLOBAL(tm_reclaim)
+ SAVE_GPR(8, r7) /* user r8 */
+ SAVE_GPR(9, r7) /* user r9 */
+ SAVE_GPR(10, r7) /* user r10 */
+- ld r3, PACATMSCRATCH(r13) /* user r1 */
++ ld r3, GPR1(r1) /* user r1 */
+ ld r4, GPR7(r1) /* user r7 */
+ ld r5, GPR11(r1) /* user r11 */
+ ld r6, GPR12(r1) /* user r12 */
diff --git a/queue-4.9/powerpc-tm-fix-userspace-r13-corruption.patch b/queue-4.9/powerpc-tm-fix-userspace-r13-corruption.patch
new file mode 100644
index 00000000000..d785b67036b
--- /dev/null
+++ b/queue-4.9/powerpc-tm-fix-userspace-r13-corruption.patch
@@ -0,0 +1,64 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Michael Neuling
+Date: Mon, 24 Sep 2018 17:27:04 +1000
+Subject: powerpc/tm: Fix userspace r13 corruption
+
+From: Michael Neuling
+
+[ Upstream commit cf13435b730a502e814c63c84d93db131e563f5f ]
+
+When we treclaim we store the userspace checkpointed r13 to a scratch
+SPR and then later save the scratch SPR to the user thread struct.
+
+Unfortunately, this doesn't work as accessing the user thread struct
+can take an SLB fault and the SLB fault handler will write the same
+scratch SPRG that now contains the userspace r13.
+
+To fix this, we store r13 to the kernel stack (which can't fault)
+before we access the user thread struct.
+
+Found by running P8 guest + powervm + disable_1tb_segments + TM. Seen
+as a random userspace segfault with r13 looking like a kernel address.
+
+Signed-off-by: Michael Neuling
+Reviewed-by: Breno Leitao
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/tm.S | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/tm.S
++++ b/arch/powerpc/kernel/tm.S
+@@ -166,13 +166,20 @@ _GLOBAL(tm_reclaim)
+ std r1, PACATMSCRATCH(r13)
+ ld r1, PACAR1(r13)
+
+- /* Store the PPR in r11 and reset to decent value */
+ std r11, GPR11(r1) /* Temporary stash */
+
++ /*
++ * Store r13 away so we can free up the scratch SPR for the SLB fault
++ * handler (needed once we start accessing the thread_struct).
++ */
++ GET_SCRATCH0(r11)
++ std r11, GPR13(r1)
++
+ /* Reset MSR RI so we can take SLB faults again */
+ li r11, MSR_RI
+ mtmsrd r11, 1
+
++ /* Store the PPR in r11 and reset to decent value */
+ mfspr r11, SPRN_PPR
+ HMT_MEDIUM
+
+@@ -201,7 +208,7 @@ _GLOBAL(tm_reclaim)
+ ld r4, GPR7(r1) /* user r7 */
+ ld r5, GPR11(r1) /* user r11 */
+ ld r6, GPR12(r1) /* user r12 */
+- GET_SCRATCH0(8) /* user r13 */
++ ld r8, GPR13(r1) /* user r13 */
+ std r3, GPR1(r7)
+ std r4, GPR7(r7)
+ std r5, GPR11(r7)
diff --git a/queue-4.9/ravb-do-not-write-1-to-reserved-bits.patch b/queue-4.9/ravb-do-not-write-1-to-reserved-bits.patch
new file mode 100644
index 00000000000..b6141266765
--- /dev/null
+++ b/queue-4.9/ravb-do-not-write-1-to-reserved-bits.patch
@@ -0,0 +1,128 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Kazuya Mizuguchi
+Date: Tue, 18 Sep 2018 12:22:26 +0200
+Subject: ravb: do not write 1 to reserved bits
+
+From: Kazuya Mizuguchi
+
+[ Upstream commit 2fe397a3959de8a472f165e6d152f64cb77fa2cc ]
+
+EtherAVB hardware requires 0 to be written to status register bits in
+order to clear them, however, care must be taken not to:
+
+1. Clear other bits, by writing zero to them
+2. Write one to reserved bits
+
+This patch corrects the ravb driver with respect to the second point above.
+This is done by defining reserved bit masks for the affected registers and,
+after auditing the code, ensure all sites that may write a one to a
+reserved bit use are suitably masked.
+
+Signed-off-by: Kazuya Mizuguchi
+Signed-off-by: Simon Horman
+Reviewed-by: Sergei Shtylyov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/renesas/ravb.h | 5 +++++
+ drivers/net/ethernet/renesas/ravb_main.c | 11 ++++++-----
+ drivers/net/ethernet/renesas/ravb_ptp.c | 2 +-
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/ravb.h
++++ b/drivers/net/ethernet/renesas/ravb.h
+@@ -421,6 +421,7 @@ enum EIS_BIT {
+ EIS_CULF1 = 0x00000080,
+ EIS_TFFF = 0x00000100,
+ EIS_QFS = 0x00010000,
++ EIS_RESERVED = (GENMASK(31, 17) | GENMASK(15, 11)),
+ };
+
+ /* RIC0 */
+@@ -465,6 +466,7 @@ enum RIS0_BIT {
+ RIS0_FRF15 = 0x00008000,
+ RIS0_FRF16 = 0x00010000,
+ RIS0_FRF17 = 0x00020000,
++ RIS0_RESERVED = GENMASK(31, 18),
+ };
+
+ /* RIC1 */
+@@ -521,6 +523,7 @@ enum RIS2_BIT {
+ RIS2_QFF16 = 0x00010000,
+ RIS2_QFF17 = 0x00020000,
+ RIS2_RFFF = 0x80000000,
++ RIS2_RESERVED = GENMASK(30, 18),
+ };
+
+ /* TIC */
+@@ -537,6 +540,7 @@ enum TIS_BIT {
+ TIS_FTF1 = 0x00000002, /* Undocumented? */
+ TIS_TFUF = 0x00000100,
+ TIS_TFWF = 0x00000200,
++ TIS_RESERVED = (GENMASK(31, 20) | GENMASK(15, 12) | GENMASK(7, 4))
+ };
+
+ /* ISS */
+@@ -610,6 +614,7 @@ enum GIC_BIT {
+ enum GIS_BIT {
+ GIS_PTCF = 0x00000001, /* Undocumented? */
+ GIS_PTMF = 0x00000004,
++ GIS_RESERVED = GENMASK(15, 10),
+ };
+
+ /* GIE (R-Car Gen3 only) */
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -717,10 +717,11 @@ static void ravb_error_interrupt(struct
+ u32 eis, ris2;
+
+ eis = ravb_read(ndev, EIS);
+- ravb_write(ndev, ~EIS_QFS, EIS);
++ ravb_write(ndev, ~(EIS_QFS | EIS_RESERVED), EIS);
+ if (eis & EIS_QFS) {
+ ris2 = ravb_read(ndev, RIS2);
+- ravb_write(ndev, ~(RIS2_QFF0 | RIS2_RFFF), RIS2);
++ ravb_write(ndev, ~(RIS2_QFF0 | RIS2_RFFF | RIS2_RESERVED),
++ RIS2);
+
+ /* Receive Descriptor Empty int */
+ if (ris2 & RIS2_QFF0)
+@@ -773,7 +774,7 @@ static bool ravb_timestamp_interrupt(str
+ u32 tis = ravb_read(ndev, TIS);
+
+ if (tis & TIS_TFUF) {
+- ravb_write(ndev, ~TIS_TFUF, TIS);
++ ravb_write(ndev, ~(TIS_TFUF | TIS_RESERVED), TIS);
+ ravb_get_tx_tstamp(ndev);
+ return true;
+ }
+@@ -908,7 +909,7 @@ static int ravb_poll(struct napi_struct
+ /* Processing RX Descriptor Ring */
+ if (ris0 & mask) {
+ /* Clear RX interrupt */
+- ravb_write(ndev, ~mask, RIS0);
++ ravb_write(ndev, ~(mask | RIS0_RESERVED), RIS0);
+ if (ravb_rx(ndev, "a, q))
+ goto out;
+ }
+@@ -916,7 +917,7 @@ static int ravb_poll(struct napi_struct
+ if (tis & mask) {
+ spin_lock_irqsave(&priv->lock, flags);
+ /* Clear TX interrupt */
+- ravb_write(ndev, ~mask, TIS);
++ ravb_write(ndev, ~(mask | TIS_RESERVED), TIS);
+ ravb_tx_free(ndev, q, true);
+ netif_wake_subqueue(ndev, q);
+ mmiowb();
+--- a/drivers/net/ethernet/renesas/ravb_ptp.c
++++ b/drivers/net/ethernet/renesas/ravb_ptp.c
+@@ -319,7 +319,7 @@ void ravb_ptp_interrupt(struct net_devic
+ }
+ }
+
+- ravb_write(ndev, ~gis, GIS);
++ ravb_write(ndev, ~(gis | GIS_RESERVED), GIS);
+ }
+
+ void ravb_ptp_init(struct net_device *ndev, struct platform_device *pdev)
diff --git a/queue-4.9/risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch b/queue-4.9/risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch
new file mode 100644
index 00000000000..bc321e62ffb
--- /dev/null
+++ b/queue-4.9/risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch
@@ -0,0 +1,42 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: James Cowgill
+Date: Thu, 6 Sep 2018 22:57:56 +0100
+Subject: RISC-V: include linux/ftrace.h in asm-prototypes.h
+
+From: James Cowgill
+
+[ Upstream commit 57a489786de9ec37d6e25ef1305dc337047f0236 ]
+
+Building a riscv kernel with CONFIG_FUNCTION_TRACER and
+CONFIG_MODVERSIONS enabled results in these two warnings:
+
+ MODPOST vmlinux.o
+WARNING: EXPORT symbol "return_to_handler" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "_mcount" [vmlinux] version generation failed, symbol will not be versioned.
+
+When exporting symbols from an assembly file, the MODVERSIONS code
+requires their prototypes to be defined in asm-prototypes.h (see
+scripts/Makefile.build). Since both of these symbols have prototypes
+defined in linux/ftrace.h, include this header from RISC-V's
+asm-prototypes.h.
+
+Reported-by: Karsten Merker
+Signed-off-by: James Cowgill
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/include/asm/asm-prototypes.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+ create mode 100644 arch/riscv/include/asm/asm-prototypes.h
+
+--- /dev/null
++++ b/arch/riscv/include/asm/asm-prototypes.h
+@@ -0,0 +1,7 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef _ASM_RISCV_PROTOTYPES_H
++
++#include
++#include
++
++#endif /* _ASM_RISCV_PROTOTYPES_H */
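Review bot: `TIS_RESERVED` in ravb.h is added as the last enumerator without a trailing comma, unlike `EIS_RESERVED`, `RIS0_RESERVED`, `RIS2_RESERVED` and `GIS_RESERVED` in the same patch; `TIS_RESERVED = (GENMASK(31, 20) | GENMASK(15, 12) | GENMASK(7, 4)),` keeps the next addition to a one-line diff. The five masks also encode datasheet knowledge with no comment; a short note beside each, such as `/* reserved bits, must be written as 0 */`, would tell a later reader why every status-register write in ravb_main.c and ravb_ptp.c ORs them in before inverting.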
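Review bot: The new arch/riscv/include/asm/asm-prototypes.h opens with `#ifndef _ASM_RISCV_PROTOTYPES_H` but never defines the macro, so the guard does not stop a second inclusion. Adding `#define _ASM_RISCV_PROTOTYPES_H` directly after the `#ifndef` line completes it. The two `#include` lines appear here without their targets, which looks like an artifact of how this page was rendered rather than of the patch. It is also worth confirming that the 4.9 tree this queue targets has an arch/riscv directory at all, since the patch creates the file from /dev/null.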
diff --git a/queue-4.9/scsi-ibmvscsis-ensure-partition-name-is-properly-nul-terminated.patch b/queue-4.9/scsi-ibmvscsis-ensure-partition-name-is-properly-nul-terminated.patch
new file mode 100644
index 00000000000..14b495afabf
--- /dev/null
+++ b/queue-4.9/scsi-ibmvscsis-ensure-partition-name-is-properly-nul-terminated.patch
@@ -0,0 +1,34 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Laura Abbott
+Date: Tue, 11 Sep 2018 12:22:26 -0700
+Subject: scsi: ibmvscsis: Ensure partition name is properly NUL terminated
+
+From: Laura Abbott
+
+[ Upstream commit adad633af7b970bfa5dd1b624a4afc83cac9b235 ]
+
+While reviewing another part of the code, Kees noticed that the strncpy of the
+partition name might not always be NUL terminated. Switch to using strscpy
+which does this safely.
+
+Reported-by: Kees Cook
+Signed-off-by: Laura Abbott
+Reviewed-by: Kees Cook
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -3345,7 +3345,7 @@ static int ibmvscsis_probe(struct vio_de
+ snprintf(vscsi->eye, sizeof(vscsi->eye), "VSCSI %s", vdev->name);
+
+ vscsi->dds.unit_id = vdev->unit_address;
+- strncpy(vscsi->dds.partition_name, partition_name,
++ strscpy(vscsi->dds.partition_name, partition_name,
+ sizeof(vscsi->dds.partition_name));
+ vscsi->dds.partition_num = partition_number;
+
diff --git a/queue-4.9/scsi-ibmvscsis-fix-a-stringop-overflow-warning.patch b/queue-4.9/scsi-ibmvscsis-fix-a-stringop-overflow-warning.patch
new file mode 100644
index 00000000000..c73a97b3f5b
--- /dev/null
+++ b/queue-4.9/scsi-ibmvscsis-fix-a-stringop-overflow-warning.patch
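Review bot: Replacing strncpy() with strscpy() in ibmvscsis_probe() guarantees the terminator but drops strncpy()'s zero-padding of the rest of `vscsi->dds.partition_name`, and the return value that reports truncation is ignored. If `vscsi` is not zero-allocated (its allocation is outside the hunk) and the `dds` structure is later copied out whole, the bytes after the NUL would be whatever was in memory before. A check such as `if (strscpy(...) < 0) dev_warn(&vdev->dev, "partition name truncated\n");` would at least make truncation visible, and zeroing the field before the copy covers the padding.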
@@ -0,0 +1,41 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Laura Abbott
+Date: Tue, 11 Sep 2018 12:22:25 -0700
+Subject: scsi: ibmvscsis: Fix a stringop-overflow warning
+
+From: Laura Abbott
+
+[ Upstream commit d792d4c4fc866ae224b0b0ca2aabd87d23b4d6cc ]
+
+There's currently a warning about string overflow with strncat:
+
+drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c: In function 'ibmvscsis_probe':
+drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c:3479:2: error: 'strncat' specified
+bound 64 equals destination size [-Werror=stringop-overflow=]
+ strncat(vscsi->eye, vdev->name, MAX_EYE);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Switch to a single snprintf instead of a strcpy + strcat to handle this
+cleanly.
+
+Signed-off-by: Laura Abbott
+Suggested-by: Kees Cook
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -3342,8 +3342,7 @@ static int ibmvscsis_probe(struct vio_de
+ vscsi->dds.window[LOCAL].liobn,
+ vscsi->dds.window[REMOTE].liobn);
+
+- strcpy(vscsi->eye, "VSCSI ");
+- strncat(vscsi->eye, vdev->name, MAX_EYE);
++ snprintf(vscsi->eye, sizeof(vscsi->eye), "VSCSI %s", vdev->name);
+
+ vscsi->dds.unit_id = vdev->unit_address;
+ strncpy(vscsi->dds.partition_name, partition_name,
diff --git a/queue-4.9/scsi-sd-don-t-crash-the-host-on-invalid-commands.patch b/queue-4.9/scsi-sd-don-t-crash-the-host-on-invalid-commands.patch
new file mode 100644
index 00000000000..aeff9c7229c
--- /dev/null
+++ b/queue-4.9/scsi-sd-don-t-crash-the-host-on-invalid-commands.patch
@@ -0,0 +1,44 @@
+From foo@baz Thu Oct 18 11:11:32 CEST 2018
+From: Johannes Thumshirn
+Date: Fri, 21 Sep 2018 09:01:01 +0200
+Subject: scsi: sd: don't crash the host on invalid commands
+
+From: Johannes Thumshirn
+
+[ Upstream commit f1f1fadacaf08b7cf11714c0c29f8fa4d4ef68a9 ]
+
+When sd_init_command() get's a command with a unknown req_op() it crashes the
+system via BUG().
+
+This makes debugging the actual reason for the broken request cmd_flags pretty
+hard as the system is down before it's able to write out debugging data on the
+serial console or the trace buffer.
+
+Change the BUG() to a WARN_ON() and return BLKPREP_KILL to fail gracefully and
+return an I/O error to the producer of the request.
+
+Signed-off-by: Johannes Thumshirn
+Cc: Hannes Reinecke
+Cc: Bart Van Assche
+Cc: Christoph Hellwig
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/sd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -1158,7 +1158,8 @@ static int sd_init_command(struct scsi_c
+ case REQ_OP_WRITE:
+ return sd_setup_read_write_cmnd(cmd);
+ default:
+- BUG();
++ WARN_ON_ONCE(1);
++ return BLKPREP_KILL;
+ }
+ }
+
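Review bot: The `WARN_ON_ONCE(1)` that replaces `BUG()` in the `default:` case of sd_init_command() prints a backtrace but not the operation value that was rejected, although the commit message gives debugging the broken request flags as the motivation. `WARN_ONCE(1, "sd: unhandled req_op %u\n", req_op(rq));` would record it, where `rq` stands for whatever request the switch dispatches on (the switch head is outside the hunk). Because of the `_ONCE`, only the first such request is logged and later ones are failed with `BLKPREP_KILL` silently. On hosts that set panic_on_warn the warning still stops the machine, so the description's claim of failing gracefully holds only without that setting.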