From: Greg Kroah-Hartman Date: Thu, 6 Dec 2018 09:56:30 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.19.8~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bfe4d44685b06c4b2fb3e0529b68e442c8d6023d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-trident-suppress-gcc-string-warning.patch drm-ast-fix-incorrect-free-on-ioregs.patch drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch ib-mlx5-avoid-load-failure-due-to-unknown-link-width.patch iser-set-sector-for-ambiguous-mr-status-errors.patch kgdboc-fix-restrict-error.patch mips-fix-mips_get_syscall_arg-o32-check.patch mips-ralink-fix-mt7620-nd_sd-pinmux.patch scsi-csiostor-avoid-content-leaks-and-casts.patch scsi-scsi_devinfo-cleanly-zero-pad-devinfo-strings.patch uprobes-fix-handle_swbp-vs.-unregister-register-race-once-more.patch x86-power-64-use-char-arrays-for-asm-function-names.patch
---
diff --git a/queue-4.9/alsa-trident-suppress-gcc-string-warning.patch b/queue-4.9/alsa-trident-suppress-gcc-string-warning.patch
new file mode 100644
index 00000000000..778b70d0d97
--- /dev/null
+++ b/queue-4.9/alsa-trident-suppress-gcc-string-warning.patch
@@ -0,0 +1,43 @@
+From d6b340d7cb33c816ef4abe8143764ec5ab14a5cc Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 26 Jul 2018 14:58:03 +0200
+Subject: ALSA: trident: Suppress gcc string warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai
+
+commit d6b340d7cb33c816ef4abe8143764ec5ab14a5cc upstream.
+
+The meddlesome gcc warns about the possible shortname string in
+trident driver code:
+ sound/pci/trident/trident.c: In function ‘snd_trident_probe’:
+ sound/pci/trident/trident.c:126:2: warning: ‘strcat’ accessing 17 or more bytes at offsets 36 and 20 may overlap 1 byte at offset 36 [-Wrestrict]
+ strcat(card->shortname, card->driver);
+
+It happens since gcc calculates the possible string size from
+card->driver, but this can't be true since we did set the string just
+before that, and they are much shorter.
+
+For shutting it up, use the exactly same string set to card->driver
+for strcat() to card->shortname, too.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/trident/trident.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/trident/trident.c
++++ b/sound/pci/trident/trident.c
+@@ -123,7 +123,7 @@ static int snd_trident_probe(struct pci_
+ } else {
+ strcpy(card->shortname, "Trident ");
+ }
+- strcat(card->shortname, card->driver);
++ strcat(card->shortname, str);
+ sprintf(card->longname, "%s PCI Audio at 0x%lx, irq %d",
+ card->shortname, trident->port, trident->irq);
+
diff --git a/queue-4.9/drm-ast-fix-incorrect-free-on-ioregs.patch b/queue-4.9/drm-ast-fix-incorrect-free-on-ioregs.patch
new file mode 100644
index 00000000000..b34ce6683f0
--- /dev/null
+++ b/queue-4.9/drm-ast-fix-incorrect-free-on-ioregs.patch
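Review bot: The replacement `strcat(card->shortname, str);` in snd_trident_probe() is still an unbounded append, so the commit silences -Wrestrict without writing the length assumption into the code. If shortname is a fixed-size array member, as the offsets in the quoted warning suggest, `strlcat(card->shortname, str, sizeof(card->shortname));` would state the bound instead of relying on the literals set earlier. `str` is assigned outside the hunk, so its possible values cannot be checked from here.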
@@ -0,0 +1,38 @@
+From dc25ab067645eabd037f1a23d49a666f9e0b8c68 Mon Sep 17 00:00:00 2001
+From: Sam Bobroff
+Date: Mon, 5 Nov 2018 16:57:47 +1100
+Subject: drm/ast: Fix incorrect free on ioregs
+
+From: Sam Bobroff
+
+commit dc25ab067645eabd037f1a23d49a666f9e0b8c68 upstream.
+
+If the platform has no IO space, ioregs is placed next to the already
+allocated regs. In this case, it should not be separately freed.
+
+This prevents a kernel warning from __vunmap "Trying to vfree()
+nonexistent vm area" when unloading the driver.
+
+Fixes: 0dd68309b9c5 ("drm/ast: Try to use MMIO registers when PIO isn't supported")
+
+Signed-off-by: Sam Bobroff
+Cc:
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/ast/ast_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ast/ast_main.c
++++ b/drivers/gpu/drm/ast/ast_main.c
+@@ -556,7 +556,8 @@ int ast_driver_unload(struct drm_device
+ drm_mode_config_cleanup(dev);
+
+ ast_mm_fini(ast);
+- pci_iounmap(dev->pdev, ast->ioregs);
++ if (ast->ioregs != ast->regs + AST_IO_MM_OFFSET)
++ pci_iounmap(dev->pdev, ast->ioregs);
+ pci_iounmap(dev->pdev, ast->regs);
+ kfree(ast);
+ return 0;
diff --git a/queue-4.9/drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch b/queue-4.9/drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch
new file mode 100644
index 00000000000..aa7645fb7ee
--- /dev/null
+++ b/queue-4.9/drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch
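Review bot: The new guard in ast_driver_unload() infers ownership of ioregs from pointer arithmetic, `ast->ioregs != ast->regs + AST_IO_MM_OFFSET`, and nothing at the call site says why. A comment above the `if`, such as `/* ioregs aliases the regs mapping on platforms without IO space; unmap it only when it was mapped separately */`, would keep a later cleanup from dropping the test and bringing back the incorrect unmap. The assignment of ioregs is outside the hunk, so the guard has to be kept in step with it by hand.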
@@ -0,0 +1,107 @@ +From 23a336b34258aba3b50ea6863cca4e81b5ef6384 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Thu, 22 Nov 2018 02:33:29 -0300 +Subject: drm: set is_master to 0 upon drm_new_set_master() failure + +From: Sergio Correia + +commit 23a336b34258aba3b50ea6863cca4e81b5ef6384 upstream. + +When drm_new_set_master() fails, set is_master to 0, to prevent a +possible NULL pointer deref. + +Here is a problematic flow: we check is_master in drm_is_current_master(), +then proceed to call drm_lease_owner() passing master. If we do not restore +is_master status when drm_new_set_master() fails, we may have a situation +in which is_master will be 1 and master itself, NULL, leading to the deref +of a NULL pointer in drm_lease_owner(). + +This fixes the following OOPS, observed on an ArchLinux running a 4.19.2 +kernel: + +[ 97.804282] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080 +[ 97.807224] PGD 0 P4D 0 +[ 97.807224] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 97.807224] CPU: 0 PID: 1348 Comm: xfwm4 Tainted: P OE 4.19.2-arch1-1-ARCH #1 +[ 97.807224] Hardware name: To Be Filled By O.E.M. 
To Be Filled By O.E.M./AB350 Pro4, BIOS P5.10 10/16/2018 +[ 97.807224] RIP: 0010:drm_lease_owner+0xd/0x20 [drm] +[ 97.807224] Code: 83 c4 18 5b 5d c3 b8 ea ff ff ff eb e2 b8 ed ff ff ff eb db e8 b4 ca 68 fb 0f 1f 40 00 0f 1f 44 00 00 48 89 f8 eb 03 48 89 d0 <48> 8b 90 80 00 00 00 48 85 d2 75 f1 c3 66 0f 1f 44 00 00 0f 1f 44 +[ 97.807224] RSP: 0018:ffffb8cf08e07bb0 EFLAGS: 00010202 +[ 97.807224] RAX: 0000000000000000 RBX: ffff9cf0f2586c00 RCX: ffff9cf0f2586c88 +[ 97.807224] RDX: ffff9cf0ddbd8000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 97.807224] RBP: ffff9cf1040e9800 R08: 0000000000000000 R09: 0000000000000000 +[ 97.807224] R10: ffffdeb30fd5d680 R11: ffffdeb30f5d6808 R12: ffff9cf1040e9888 +[ 97.807224] R13: 0000000000000000 R14: dead000000000200 R15: ffff9cf0f2586cc8 +[ 97.807224] FS: 00007f4145513180(0000) GS:ffff9cf10ea00000(0000) knlGS:0000000000000000 +[ 97.807224] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 97.807224] CR2: 0000000000000080 CR3: 00000003d7548000 CR4: 00000000003406f0 +[ 97.807224] Call Trace: +[ 97.807224] drm_is_current_master+0x1a/0x30 [drm] +[ 97.807224] drm_master_release+0x3e/0x130 [drm] +[ 97.807224] drm_file_free.part.0+0x2be/0x2d0 [drm] +[ 97.807224] drm_open+0x1ba/0x1e0 [drm] +[ 97.807224] drm_stub_open+0xaf/0xe0 [drm] +[ 97.807224] chrdev_open+0xa3/0x1b0 +[ 97.807224] ? cdev_put.part.0+0x20/0x20 +[ 97.807224] do_dentry_open+0x132/0x340 +[ 97.807224] path_openat+0x2d1/0x14e0 +[ 97.807224] ? mem_cgroup_commit_charge+0x7a/0x520 +[ 97.807224] do_filp_open+0x93/0x100 +[ 97.807224] ? __check_object_size+0x102/0x189 +[ 97.807224] ? 
_raw_spin_unlock+0x16/0x30 +[ 97.807224] do_sys_open+0x186/0x210 +[ 97.807224] do_syscall_64+0x5b/0x170 +[ 97.807224] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 97.807224] RIP: 0033:0x7f4147b07976 +[ 97.807224] Code: 89 54 24 08 e8 7b f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f2 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 77 30 44 89 c7 89 44 24 08 e8 a6 f4 ff ff 8b 44 +[ 97.807224] RSP: 002b:00007ffcced96ca0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 +[ 97.807224] RAX: ffffffffffffffda RBX: 00005619d5037f80 RCX: 00007f4147b07976 +[ 97.807224] RDX: 0000000000000002 RSI: 00005619d46b969c RDI: 00000000ffffff9c +[ 98.040039] RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000000 +[ 98.040039] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000024 +[ 98.040039] R13: 0000000000000012 R14: 00005619d5035950 R15: 0000000000000012 +[ 98.040039] Modules linked in: nct6775 hwmon_vid algif_skcipher af_alg nls_iso8859_1 nls_cp437 vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common arc4 videodev media snd_usb_audio snd_hda_codec_hdmi snd_usbmidi_lib snd_rawmidi snd_seq_device mousedev input_leds iwlmvm mac80211 snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec edac_mce_amd kvm_amd snd_hda_core kvm iwlwifi snd_hwdep r8169 wmi_bmof cfg80211 snd_pcm irqbypass snd_timer snd libphy soundcore pinctrl_amd rfkill pcspkr sp5100_tco evdev gpio_amdpt k10temp mac_hid i2c_piix4 wmi pcc_cpufreq acpi_cpufreq vboxnetflt(OE) vboxnetadp(OE) vboxpci(OE) vboxdrv(OE) msr sg crypto_user ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 fscrypto uas usb_storage dm_crypt hid_generic usbhid hid +[ 98.040039] dm_mod raid1 md_mod sd_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc ahci libahci aesni_intel aes_x86_64 libata crypto_simd cryptd glue_helper ccp xhci_pci rng_core scsi_mod xhci_hcd nvidia_drm(POE) drm_kms_helper syscopyarea sysfillrect sysimgblt 
fb_sys_fops drm agpgart nvidia_uvm(POE) nvidia_modeset(POE) nvidia(POE) ipmi_devintf ipmi_msghandler +[ 98.040039] CR2: 0000000000000080 +[ 98.040039] ---[ end trace 3b65093b6fe62b2f ]--- +[ 98.040039] RIP: 0010:drm_lease_owner+0xd/0x20 [drm] +[ 98.040039] Code: 83 c4 18 5b 5d c3 b8 ea ff ff ff eb e2 b8 ed ff ff ff eb db e8 b4 ca 68 fb 0f 1f 40 00 0f 1f 44 00 00 48 89 f8 eb 03 48 89 d0 <48> 8b 90 80 00 00 00 48 85 d2 75 f1 c3 66 0f 1f 44 00 00 0f 1f 44 +[ 98.040039] RSP: 0018:ffffb8cf08e07bb0 EFLAGS: 00010202 +[ 98.040039] RAX: 0000000000000000 RBX: ffff9cf0f2586c00 RCX: ffff9cf0f2586c88 +[ 98.040039] RDX: ffff9cf0ddbd8000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 98.040039] RBP: ffff9cf1040e9800 R08: 0000000000000000 R09: 0000000000000000 +[ 98.040039] R10: ffffdeb30fd5d680 R11: ffffdeb30f5d6808 R12: ffff9cf1040e9888 +[ 98.040039] R13: 0000000000000000 R14: dead000000000200 R15: ffff9cf0f2586cc8 +[ 98.040039] FS: 00007f4145513180(0000) GS:ffff9cf10ea00000(0000) knlGS:0000000000000000 +[ 98.040039] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 98.040039] CR2: 0000000000000080 CR3: 00000003d7548000 CR4: 00000000003406f0 + +Signed-off-by: Sergio Correia +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20181122053329.2692-1-sergio@correia.cc +Signed-off-by: Sean Paul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_auth.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/drm_auth.c ++++ b/drivers/gpu/drm/drm_auth.c +@@ -133,6 +133,7 @@ static int drm_new_set_master(struct drm + + lockdep_assert_held_once(&dev->master_mutex); + ++ WARN_ON(fpriv->is_master); + old_master = fpriv->master; + fpriv->master = drm_master_create(dev); + if (!fpriv->master) { +@@ -161,6 +162,7 @@ out_err: + /* drop references and restore old master on failure */ + drm_master_put(&fpriv->master); + fpriv->master = old_master; ++ fpriv->is_master = 0; + + return ret; + } 
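Review bot: The added `fpriv->is_master = 0;` under out_err is a restore only if is_master was clear on entry, which the new `WARN_ON(fpriv->is_master);` reports but does not enforce. If that invariant ever breaks, the error path would demote a file that was master before the call while putting `old_master` back. Either save the flag next to `old_master` and restore the saved value, or extend the existing comment, e.g. `/* drop references and restore old master on failure; is_master was 0 on entry, see WARN_ON above */`. The lines that set is_master lie between the two hunks and are not shown.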
diff --git a/queue-4.9/ib-mlx5-avoid-load-failure-due-to-unknown-link-width.patch b/queue-4.9/ib-mlx5-avoid-load-failure-due-to-unknown-link-width.patch
new file mode 100644
index 00000000000..c2608d845b2
--- /dev/null
+++ b/queue-4.9/ib-mlx5-avoid-load-failure-due-to-unknown-link-width.patch
@@ -0,0 +1,86 @@ +From db7a691a1551a748cb92d9c89c6b190ea87e28d5 Mon Sep 17 00:00:00 2001 +From: Michael Guralnik +Date: Wed, 21 Nov 2018 15:03:54 +0200 +Subject: IB/mlx5: Avoid load failure due to unknown link width + +From: Michael Guralnik + +commit db7a691a1551a748cb92d9c89c6b190ea87e28d5 upstream. + +If the firmware reports a connection width that is not 1x, 4x, 8x or 12x +it causes the driver to fail during initialization. + +To prevent this failure every time a new width is introduced to the RDMA +stack, we will set a default 4x width for these widths which ar unknown to +the driver. + +This is needed to allow to run old kernels with new firmware. + +Cc: # 4.1 +Fixes: 1b5daf11b015 ("IB/mlx5: Avoid using the MAD_IFC command under ISSI > 0 mode") +Signed-off-by: Michael Guralnik +Reviewed-by: Majd Dibbiny +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/main.c | 29 +++++++++++------------------ + 1 file changed, 11 insertions(+), 18 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -710,31 +710,26 @@ enum mlx5_ib_width { + MLX5_IB_WIDTH_12X = 1 << 4 + }; + +-static int translate_active_width(struct ib_device *ibdev, u8 active_width, ++static void translate_active_width(struct ib_device *ibdev, u8 active_width, + u8 *ib_width) + { + struct mlx5_ib_dev *dev = to_mdev(ibdev); +- int err = 0; + +- if (active_width & MLX5_IB_WIDTH_1X) { ++ if (active_width & MLX5_IB_WIDTH_1X) + *ib_width = IB_WIDTH_1X; +- } else if (active_width & MLX5_IB_WIDTH_2X) { +- mlx5_ib_dbg(dev, "active_width %d is not supported by IB spec\n", +- (int)active_width); +- err = -EINVAL; +- } else if (active_width & MLX5_IB_WIDTH_4X) { ++ else if (active_width & MLX5_IB_WIDTH_4X) + *ib_width = IB_WIDTH_4X; +- } else if (active_width & MLX5_IB_WIDTH_8X) { ++ else if (active_width & MLX5_IB_WIDTH_8X) + *ib_width = IB_WIDTH_8X; +- } else if (active_width & 
MLX5_IB_WIDTH_12X) { ++ else if (active_width & MLX5_IB_WIDTH_12X) + *ib_width = IB_WIDTH_12X; +- } else { +- mlx5_ib_dbg(dev, "Invalid active_width %d\n", ++ else { ++ mlx5_ib_dbg(dev, "Invalid active_width %d, setting width to default value: 4x\n", + (int)active_width); +- err = -EINVAL; ++ *ib_width = IB_WIDTH_4X; + } + +- return err; ++ return; + } + + static int mlx5_mtu_to_ib_mtu(int mtu) +@@ -842,10 +837,8 @@ static int mlx5_query_hca_port(struct ib + if (err) + goto out; + +- err = translate_active_width(ibdev, ib_link_width_oper, +- &props->active_width); +- if (err) +- goto out; ++ translate_active_width(ibdev, ib_link_width_oper, &props->active_width); ++ + err = mlx5_query_port_ib_proto_oper(mdev, &props->active_speed, port); + if (err) + goto out; diff --git a/queue-4.9/iser-set-sector-for-ambiguous-mr-status-errors.patch b/queue-4.9/iser-set-sector-for-ambiguous-mr-status-errors.patch new file mode 100644 index 00000000000..b3b8f7a1707 --- /dev/null +++ b/queue-4.9/iser-set-sector-for-ambiguous-mr-status-errors.patch 
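Review bot: The new default branch in translate_active_width() stores `IB_WIDTH_4X` for any width the driver does not recognise and reports it only through `mlx5_ib_dbg`, so mlx5_query_hca_port() returns a link width the firmware never reported and nothing appears in the log at default verbosity. Raising the message to `mlx5_ib_warn` would make the substitution visible to whoever reads the port attributes. The removed MLX5_IB_WIDTH_2X case now also falls into this branch and is logged as "Invalid". On style, the trailing `return;` in a void function can go, and the other branches should carry braces to match the braced `else`.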
@@ -0,0 +1,47 @@
+From 24c3456c8d5ee6fc1933ca40f7b4406130682668 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg
+Date: Wed, 14 Nov 2018 10:17:01 -0800
+Subject: iser: set sector for ambiguous mr status errors
+
+From: Sagi Grimberg
+
+commit 24c3456c8d5ee6fc1933ca40f7b4406130682668 upstream.
+
+If for some reason we failed to query the mr status, we need to make sure
+to provide sufficient information for an ambiguous error (guard error on
+sector 0).
+
+Fixes: 0a7a08ad6f5f ("IB/iser: Implement check_protection")
+Cc:
+Reported-by: Dan Carpenter
+Signed-off-by: Sagi Grimberg
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/iser/iser_verbs.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/ulp/iser/iser_verbs.c
++++ b/drivers/infiniband/ulp/iser/iser_verbs.c
+@@ -1110,7 +1110,9 @@ u8 iser_check_task_pi_status(struct iscs
+ IB_MR_CHECK_SIG_STATUS, &mr_status);
+ if (ret) {
+ pr_err("ib_check_mr_status failed, ret %d\n", ret);
+- goto err;
++ /* Not a lot we can do, return ambiguous guard error */
++ *sector = 0;
++ return 0x1;
+ }
+
+ if (mr_status.fail_status & IB_MR_CHECK_SIG_STATUS) {
+@@ -1138,9 +1140,6 @@ u8 iser_check_task_pi_status(struct iscs
+ }
+
+ return 0;
+-err:
+- /* Not alot we can do here, return ambiguous guard error */
+- return 0x1;
+ }
+
+ void iser_err_comp(struct ib_wc *wc, const char *type)
diff --git a/queue-4.9/kgdboc-fix-restrict-error.patch b/queue-4.9/kgdboc-fix-restrict-error.patch
new file mode 100644
index 00000000000..01f2703916a
--- /dev/null
+++ b/queue-4.9/kgdboc-fix-restrict-error.patch
@@ -0,0 +1,52 @@
+From 2dd453168643d9475028cd867c57e65956a0f7f9 Mon Sep 17 00:00:00 2001
+From: Laura Abbott
+Date: Mon, 10 Sep 2018 16:20:14 -0700
+Subject: kgdboc: Fix restrict error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Laura Abbott
+
+commit 2dd453168643d9475028cd867c57e65956a0f7f9 upstream.
+
+There's an error when compiled with restrict:
+
+drivers/tty/serial/kgdboc.c: In function ‘configure_kgdboc’:
+drivers/tty/serial/kgdboc.c:137:2: error: ‘strcpy’ source argument is the same
+as destination [-Werror=restrict]
+ strcpy(config, opt);
+ ^~~~~~~~~~~~~~~~~~~
+
+As the error implies, this is from trying to use config as both source and
+destination. Drop the call to the function where config is the argument
+since nothing else happens in the function.
+
+Signed-off-by: Laura Abbott
+Reviewed-by: Daniel Thompson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/kgdboc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/kgdboc.c
++++ b/drivers/tty/serial/kgdboc.c
+@@ -162,15 +162,13 @@ static int configure_kgdboc(void)
+ {
+ struct tty_driver *p;
+ int tty_line = 0;
+- int err;
++ int err = -ENODEV;
+ char *cptr = config;
+ struct console *cons;
+
+- err = kgdboc_option_setup(config);
+- if (err || !strlen(config) || isspace(config[0]))
++ if (!strlen(config) || isspace(config[0]))
+ goto noconfig;
+
+- err = -ENODEV;
+ kgdboc_io_ops.is_console = 0;
+ kgdb_tty_driver = NULL;
+
diff --git a/queue-4.9/mips-fix-mips_get_syscall_arg-o32-check.patch b/queue-4.9/mips-fix-mips_get_syscall_arg-o32-check.patch
new file mode 100644
index 00000000000..07e4dc17d2a
--- /dev/null
+++ b/queue-4.9/mips-fix-mips_get_syscall_arg-o32-check.patch
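Review bot: With `int err = -ENODEV;` and the call to kgdboc_option_setup() gone, the `goto noconfig` taken for an empty or whitespace-led config now carries -ENODEV, where before it carried the 0 that kgdboc_option_setup() had just returned. The noconfig label is outside the hunk; if it returns err, configure_kgdboc() now fails in the no-configuration case, which used to succeed. Setting the value on that path keeps the old result: `if (!strlen(config) || isspace(config[0])) { err = 0; goto noconfig; }`.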
@@ -0,0 +1,42 @@
+From c50cbd85cd7027d32ac5945bb60217936b4f7eaf Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin"
+Date: Wed, 21 Nov 2018 22:14:39 +0300
+Subject: mips: fix mips_get_syscall_arg o32 check
+
+From: Dmitry V. Levin
+
+commit c50cbd85cd7027d32ac5945bb60217936b4f7eaf upstream.
+
+When checking for TIF_32BIT_REGS flag, mips_get_syscall_arg() should
+use the task specified as its argument instead of the current task.
+
+This potentially affects all syscall_get_arguments() users
+who specify tasks different from the current.
+
+Fixes: c0ff3c53d4f99 ("MIPS: Enable HAVE_ARCH_TRACEHOOK.")
+Signed-off-by: Dmitry V. Levin
+Signed-off-by: Paul Burton
+Patchwork: https://patchwork.linux-mips.org/patch/21185/
+Cc: Elvira Khabirova
+Cc: Ralf Baechle
+Cc: James Hogan
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/syscall.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/syscall.h
++++ b/arch/mips/include/asm/syscall.h
+@@ -51,7 +51,7 @@ static inline unsigned long mips_get_sys
+ #ifdef CONFIG_64BIT
+ case 4: case 5: case 6: case 7:
+ #ifdef CONFIG_MIPS32_O32
+- if (test_thread_flag(TIF_32BIT_REGS))
++ if (test_tsk_thread_flag(task, TIF_32BIT_REGS))
+ return get_user(*arg, (int *)usp + n);
+ else
+ #endif
diff --git a/queue-4.9/mips-ralink-fix-mt7620-nd_sd-pinmux.patch b/queue-4.9/mips-ralink-fix-mt7620-nd_sd-pinmux.patch
new file mode 100644
index 00000000000..e44b292eb22
--- /dev/null
+++ b/queue-4.9/mips-ralink-fix-mt7620-nd_sd-pinmux.patch
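Review bot: The flag test now follows `task`, but the next line still reads the argument with `get_user(*arg, (int *)usp + n)`, and get_user() operates on the address space of the calling context rather than that of `task`. For the callers the description mentions, which pass a task other than current, the o32 stack arguments 4 to 7 would then be read from the wrong process or fault. `usp` is computed outside the hunk, so this is inferred from the visible call only. The function needs either a remote-memory read for that case or a comment stating that arguments beyond the registers are valid only when task is current.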
@@ -0,0 +1,41 @@
+From 7d35baa4e9ec4b717bc0e58a39cdb6a1c50f5465 Mon Sep 17 00:00:00 2001
+From: Mathias Kresin
+Date: Mon, 26 Nov 2018 11:25:40 +0100
+Subject: MIPS: ralink: Fix mt7620 nd_sd pinmux
+
+From: Mathias Kresin
+
+commit 7d35baa4e9ec4b717bc0e58a39cdb6a1c50f5465 upstream.
+
+In case the nd_sd group is set to the sd-card function, Pins 45 + 46 are
+configured as GPIOs. If they are blocked by the sd function, they can't
+be used as GPIOs.
+
+Reported-by: Kristian Evensen
+Signed-off-by: Mathias Kresin
+Signed-off-by: Paul Burton
+Fixes: f576fb6a0700 ("MIPS: ralink: cleanup the soc specific pinmux data")
+Patchwork: https://patchwork.linux-mips.org/patch/21220/
+Cc: John Crispin
+Cc: Ralf Baechle
+Cc: James Hogan
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/ralink/mt7620.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/ralink/mt7620.c
++++ b/arch/mips/ralink/mt7620.c
+@@ -81,7 +81,7 @@ static struct rt2880_pmx_func pcie_rst_g
+ };
+ static struct rt2880_pmx_func nd_sd_grp[] = {
+ FUNC("nand", MT7620_GPIO_MODE_NAND, 45, 15),
+- FUNC("sd", MT7620_GPIO_MODE_SD, 45, 15)
++ FUNC("sd", MT7620_GPIO_MODE_SD, 47, 13)
+ };
+
+ static struct rt2880_pmx_group mt7620a_pinmux_data[] = {
diff --git a/queue-4.9/scsi-csiostor-avoid-content-leaks-and-casts.patch b/queue-4.9/scsi-csiostor-avoid-content-leaks-and-casts.patch
new file mode 100644
index 00000000000..b5e1478ae33
--- /dev/null
+++ b/queue-4.9/scsi-csiostor-avoid-content-leaks-and-casts.patch
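Review bot: The `sd` entry in nd_sd_grp changes from `45, 15` to `47, 13` with no comment in the table, so the reason the two functions of one group cover different pin ranges is recorded only in the commit message. A short comment above the entry, for example `/* sd mode leaves pins 45 and 46 as GPIO */`, would stop a later edit from lining the ranges up again. This assumes the last two FUNC() arguments are first pin and pin count, which the description implies but the hunk does not show.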
@@ -0,0 +1,145 @@ +From 42c335f7e67029d2e01711f2f2bc6252277c8993 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 9 May 2017 15:34:44 -0700 +Subject: scsi: csiostor: Avoid content leaks and casts + +From: Kees Cook + +commit 42c335f7e67029d2e01711f2f2bc6252277c8993 upstream. + +When copying attributes, the len argument was padded out and the +resulting memcpy() would copy beyond the end of the source buffer. +Avoid this, and use size_t for val_len to avoid all the casts. +Similarly, avoid source buffer casts and use void *. + +Additionally enforces val_len can be represented by u16 and that the DMA +buffer was not overflowed. Fixes the size of mfa, which is not +FC_FDMI_PORT_ATTR_MAXFRAMESIZE_LEN (but it will be padded up to 4). This +was noticed by the future CONFIG_FORTIFY_SOURCE checks. + +Cc: Daniel Micay +Signed-off-by: Kees Cook +Acked-by: Varun Prakash +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/csiostor/csio_lnode.c | 43 ++++++++++++++++++++++--------------- + 1 file changed, 26 insertions(+), 17 deletions(-) + +--- a/drivers/scsi/csiostor/csio_lnode.c ++++ b/drivers/scsi/csiostor/csio_lnode.c +@@ -238,14 +238,23 @@ csio_osname(uint8_t *buf, size_t buf_len + } + + static inline void +-csio_append_attrib(uint8_t **ptr, uint16_t type, uint8_t *val, uint16_t len) ++csio_append_attrib(uint8_t **ptr, uint16_t type, void *val, size_t val_len) + { ++ uint16_t len; + struct fc_fdmi_attr_entry *ae = (struct fc_fdmi_attr_entry *)*ptr; ++ ++ if (WARN_ON(val_len > U16_MAX)) ++ return; ++ ++ len = val_len; ++ + ae->type = htons(type); + len += 4; /* includes attribute type and length */ + len = (len + 3) & ~3; /* should be multiple of 4 bytes */ + ae->len = htons(len); +- memcpy(ae->value, val, len); ++ memcpy(ae->value, val, val_len); ++ if (len > val_len) ++ memset(ae->value + val_len, 0, len - val_len); + *ptr += len; + } + +@@ -335,7 +344,7 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *h + numattrs++; + val = 
htonl(FC_PORTSPEED_1GBIT | FC_PORTSPEED_10GBIT); + csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_SUPPORTEDSPEED, +- (uint8_t *)&val, ++ &val, + FC_FDMI_PORT_ATTR_SUPPORTEDSPEED_LEN); + numattrs++; + +@@ -346,23 +355,22 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *h + else + val = htonl(CSIO_HBA_PORTSPEED_UNKNOWN); + csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_CURRENTPORTSPEED, +- (uint8_t *)&val, +- FC_FDMI_PORT_ATTR_CURRENTPORTSPEED_LEN); ++ &val, FC_FDMI_PORT_ATTR_CURRENTPORTSPEED_LEN); + numattrs++; + + mfs = ln->ln_sparm.csp.sp_bb_data; + csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_MAXFRAMESIZE, +- (uint8_t *)&mfs, FC_FDMI_PORT_ATTR_MAXFRAMESIZE_LEN); ++ &mfs, sizeof(mfs)); + numattrs++; + + strcpy(buf, "csiostor"); + csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_OSDEVICENAME, buf, +- (uint16_t)strlen(buf)); ++ strlen(buf)); + numattrs++; + + if (!csio_hostname(buf, sizeof(buf))) { + csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_HOSTNAME, +- buf, (uint16_t)strlen(buf)); ++ buf, strlen(buf)); + numattrs++; + } + attrib_blk->numattrs = htonl(numattrs); +@@ -444,33 +452,32 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *h + + strcpy(buf, "Chelsio Communications"); + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MANUFACTURER, buf, +- (uint16_t)strlen(buf)); ++ strlen(buf)); + numattrs++; + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_SERIALNUMBER, +- hw->vpd.sn, (uint16_t)sizeof(hw->vpd.sn)); ++ hw->vpd.sn, sizeof(hw->vpd.sn)); + numattrs++; + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MODEL, hw->vpd.id, +- (uint16_t)sizeof(hw->vpd.id)); ++ sizeof(hw->vpd.id)); + numattrs++; + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MODELDESCRIPTION, +- hw->model_desc, (uint16_t)strlen(hw->model_desc)); ++ hw->model_desc, strlen(hw->model_desc)); + numattrs++; + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_HARDWAREVERSION, +- hw->hw_ver, (uint16_t)sizeof(hw->hw_ver)); ++ hw->hw_ver, sizeof(hw->hw_ver)); + numattrs++; + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_FIRMWAREVERSION, +- hw->fwrev_str, 
(uint16_t)strlen(hw->fwrev_str)); ++ hw->fwrev_str, strlen(hw->fwrev_str)); + numattrs++; + + if (!csio_osname(buf, sizeof(buf))) { + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_OSNAMEVERSION, +- buf, (uint16_t)strlen(buf)); ++ buf, strlen(buf)); + numattrs++; + } + + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MAXCTPAYLOAD, +- (uint8_t *)&maxpayload, +- FC_FDMI_HBA_ATTR_MAXCTPAYLOAD_LEN); ++ &maxpayload, FC_FDMI_HBA_ATTR_MAXCTPAYLOAD_LEN); + len = (uint32_t)(pld - (uint8_t *)cmd); + numattrs++; + attrib_blk->numattrs = htonl(numattrs); +@@ -1794,6 +1801,8 @@ csio_ln_mgmt_submit_req(struct csio_iore + struct csio_mgmtm *mgmtm = csio_hw_to_mgmtm(hw); + int rv; + ++ BUG_ON(pld_len > pld->len); ++ + io_req->io_cbfn = io_cbfn; /* Upper layer callback handler */ + io_req->fw_handle = (uintptr_t) (io_req); + io_req->eq_idx = mgmtm->eq_idx; diff --git a/queue-4.9/scsi-scsi_devinfo-cleanly-zero-pad-devinfo-strings.patch b/queue-4.9/scsi-scsi_devinfo-cleanly-zero-pad-devinfo-strings.patch new file mode 100644 index 00000000000..7335111cec8 --- /dev/null +++ b/queue-4.9/scsi-scsi_devinfo-cleanly-zero-pad-devinfo-strings.patch 
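Review bot: In csio_append_attrib() the padding call `memset(ae->value + val_len, 0, len - val_len)` uses a `len` that already includes the 4-byte type/length header, so it appears to clear four bytes past the end of the entry it has just built; this assumes `value` starts right after that header, and the struct is not in the hunk. For every attribute but the last, the next call overwrites those bytes, but the last one writes beyond the payload assembled so far, and whether that is still inside the buffer cannot be seen here. Bounding the pad by the value area avoids it: `if (len - 4 > val_len) memset(ae->value + val_len, 0, len - 4 - val_len);`. Separately, the guard `val_len > U16_MAX` does not account for the `+ 4` and round-up that follow, so the `uint16_t len` can still wrap for values just under the limit; `val_len > U16_MAX - 7` would cover it.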
@@ -0,0 +1,64 @@
+From 81df022b688d43d2a3667518b2f755d384397910 Mon Sep 17 00:00:00 2001
+From: Martin Wilck
+Date: Mon, 27 Nov 2017 23:47:35 +0100
+Subject: scsi: scsi_devinfo: cleanly zero-pad devinfo strings
+
+From: Martin Wilck
+
+commit 81df022b688d43d2a3667518b2f755d384397910 upstream.
+
+Cleanly fill memory for "vendor" and "model" with 0-bytes for the
+"compatible" case rather than adding only a single 0 byte. This
+simplifies the devinfo code a a bit, and avoids mistakes in other places
+of the code (not in current upstream, but we had one such mistake in the
+SUSE kernel).
+
+[mkp: applied by hand and added braces]
+
+Signed-off-by: Martin Wilck
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/scsi_devinfo.c | 22 +++++++---------------
+ 1 file changed, 7 insertions(+), 15 deletions(-)
+
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -33,7 +33,6 @@ struct scsi_dev_info_list_table {
+ };
+
+
+-static const char spaces[] = " "; /* 16 of them */
+ static unsigned scsi_default_dev_flags;
+ static LIST_HEAD(scsi_dev_info_list);
+ static char scsi_dev_flags[256];
+@@ -298,20 +297,13 @@ static void scsi_strcpy_devinfo(char *na
+ size_t from_length;
+
+ from_length = strlen(from);
+- strncpy(to, from, min(to_length, from_length));
+- if (from_length < to_length) {
+- if (compatible) {
+- /*
+- * NUL terminate the string if it is short.
+- */
+- to[from_length] = '\0';
+- } else {
+- /*
+- * space pad the string if it is short.
+- */
+- strncpy(&to[from_length], spaces,
+- to_length - from_length);
+- }
++ /* this zero-pads the destination */
++ strncpy(to, from, to_length);
++ if (from_length < to_length && !compatible) {
++ /*
++ * space pad the string if it is short.
++ */
++ memset(&to[from_length], ' ', to_length - from_length);
+ }
+ if (from_length > to_length)
+ printk(KERN_WARNING "%s: %s string '%s' is too long\n",
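Review bot: The comment `/* this zero-pads the destination */` covers only the short case; when from_length equals or exceeds to_length, `strncpy(to, from, to_length)` leaves `to` without a terminating NUL, and only the strictly longer case reaches the printk. Spelling that out, e.g. `/* zero-pads when from is short; to is a fixed-width field and is not NUL-terminated when from fills it */`, tells readers of the vendor and model fields not to treat them as C strings. scsi_strcpy_devinfo() starts before the second hunk and its printk call runs past it.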
diff --git a/queue-4.9/series b/queue-4.9/series
index a514ec83b3f..fee9d9c5945 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -9,3 +9,15 @@ drm-gma500-fix-logic-error.patch
 scsi-bfa-convert-to-strlcpy-strlcat.patch
 staging-rts5208-fix-gcc-8-logic-error-warning.patch
 kdb-use-memmove-instead-of-overlapping-memcpy.patch
+x86-power-64-use-char-arrays-for-asm-function-names.patch
+iser-set-sector-for-ambiguous-mr-status-errors.patch
+uprobes-fix-handle_swbp-vs.-unregister-register-race-once-more.patch
+mips-ralink-fix-mt7620-nd_sd-pinmux.patch
+mips-fix-mips_get_syscall_arg-o32-check.patch
+ib-mlx5-avoid-load-failure-due-to-unknown-link-width.patch
+drm-ast-fix-incorrect-free-on-ioregs.patch
+drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch
+scsi-scsi_devinfo-cleanly-zero-pad-devinfo-strings.patch
+alsa-trident-suppress-gcc-string-warning.patch
+scsi-csiostor-avoid-content-leaks-and-casts.patch
+kgdboc-fix-restrict-error.patch
diff --git a/queue-4.9/uprobes-fix-handle_swbp-vs.-unregister-register-race-once-more.patch b/queue-4.9/uprobes-fix-handle_swbp-vs.-unregister-register-race-once-more.patch
new file mode 100644
index 00000000000..23370a6d1b8
--- /dev/null
+++ b/queue-4.9/uprobes-fix-handle_swbp-vs.-unregister-register-race-once-more.patch
@@ -0,0 +1,79 @@ +From 09d3f015d1e1b4fee7e9bbdcf54201d239393391 Mon Sep 17 00:00:00 2001 +From: Andrea Parri +Date: Thu, 22 Nov 2018 17:10:31 +0100 +Subject: uprobes: Fix handle_swbp() vs. unregister() + register() race once more + +From: Andrea Parri + +commit 09d3f015d1e1b4fee7e9bbdcf54201d239393391 upstream. + +Commit: + + 142b18ddc8143 ("uprobes: Fix handle_swbp() vs unregister() + register() race") + +added the UPROBE_COPY_INSN flag, and corresponding smp_wmb() and smp_rmb() +memory barriers, to ensure that handle_swbp() uses fully-initialized +uprobes only. + +However, the smp_rmb() is mis-placed: this barrier should be placed +after handle_swbp() has tested for the flag, thus guaranteeing that +(program-order) subsequent loads from the uprobe can see the initial +stores performed by prepare_uprobe(). + +Move the smp_rmb() accordingly. Also amend the comments associated +to the two memory barriers to indicate their actual locations. + +Signed-off-by: Andrea Parri +Acked-by: Oleg Nesterov +Cc: Alexander Shishkin +Cc: Andrew Morton +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Paul E. 
McKenney +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: stable@kernel.org +Fixes: 142b18ddc8143 ("uprobes: Fix handle_swbp() vs unregister() + register() race") +Link: http://lkml.kernel.org/r/20181122161031.15179-1-andrea.parri@amarulasolutions.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/uprobes.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/kernel/events/uprobes.c ++++ b/kernel/events/uprobes.c +@@ -608,7 +608,7 @@ static int prepare_uprobe(struct uprobe + BUG_ON((uprobe->offset & ~PAGE_MASK) + + UPROBE_SWBP_INSN_SIZE > PAGE_SIZE); + +- smp_wmb(); /* pairs with rmb() in find_active_uprobe() */ ++ smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */ + set_bit(UPROBE_COPY_INSN, &uprobe->flags); + + out: +@@ -1902,10 +1902,18 @@ static void handle_swbp(struct pt_regs * + * After we hit the bp, _unregister + _register can install the + * new and not-yet-analyzed uprobe at the same address, restart. + */ +- smp_rmb(); /* pairs with wmb() in install_breakpoint() */ + if (unlikely(!test_bit(UPROBE_COPY_INSN, &uprobe->flags))) + goto out; + ++ /* ++ * Pairs with the smp_wmb() in prepare_uprobe(). ++ * ++ * Guarantees that if we see the UPROBE_COPY_INSN bit set, then ++ * we must also see the stores to &uprobe->arch performed by the ++ * prepare_uprobe() call. ++ */ ++ smp_rmb(); ++ + /* Tracing handlers use ->utask to communicate with fetch methods */ + if (!get_utask()) + goto out; diff --git a/queue-4.9/x86-power-64-use-char-arrays-for-asm-function-names.patch b/queue-4.9/x86-power-64-use-char-arrays-for-asm-function-names.patch new file mode 100644 index 00000000000..dd884100f4d --- /dev/null +++ b/queue-4.9/x86-power-64-use-char-arrays-for-asm-function-names.patch 
@@ -0,0 +1,63 @@ +From c0944883c97c0ddc71da67cc731590a7c878a1a2 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 9 May 2017 14:00:51 -0700 +Subject: x86/power/64: Use char arrays for asm function names + +From: Kees Cook + +commit c0944883c97c0ddc71da67cc731590a7c878a1a2 upstream. + +This switches the hibernate_64.S function names into character arrays +to match other areas of the kernel where this is done (e.g., linker +scripts). Specifically this fixes a compile-time error noticed by the +future CONFIG_FORTIFY_SOURCE routines that complained about PAGE_SIZE +being copied out of the "single byte" core_restore_code variable. + +Additionally drops the "acpi_save_state_mem" exern which does not +appear to be used anywhere else in the kernel. + +Signed-off-by: Kees Cook +Acked-by: Ingo Molnar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/suspend_64.h | 5 ++--- + arch/x86/power/hibernate_64.c | 6 +++--- + 2 files changed, 5 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/suspend_64.h ++++ b/arch/x86/include/asm/suspend_64.h +@@ -42,8 +42,7 @@ struct saved_context { + set_debugreg((thread)->debugreg##register, register) + + /* routines for saving/restoring kernel state */ +-extern int acpi_save_state_mem(void); +-extern char core_restore_code; +-extern char restore_registers; ++extern char core_restore_code[]; ++extern char restore_registers[]; + + #endif /* _ASM_X86_SUSPEND_64_H */ +--- a/arch/x86/power/hibernate_64.c ++++ b/arch/x86/power/hibernate_64.c +@@ -126,7 +126,7 @@ static int relocate_restore_code(void) + if (!relocated_restore_code) + return -ENOMEM; + +- memcpy((void *)relocated_restore_code, &core_restore_code, PAGE_SIZE); ++ memcpy((void *)relocated_restore_code, core_restore_code, PAGE_SIZE); + + /* Make the page containing the relocated code executable */ + pgd = (pgd_t *)__va(read_cr3()) + pgd_index(relocated_restore_code); +@@ -197,8 +197,8 @@ int arch_hibernation_header_save(void 
*a + + if (max_size < sizeof(struct restore_data_record)) + return -EOVERFLOW; +- rdr->jump_address = (unsigned long)&restore_registers; +- rdr->jump_address_phys = __pa_symbol(&restore_registers); ++ rdr->jump_address = (unsigned long)restore_registers; ++ rdr->jump_address_phys = __pa_symbol(restore_registers); + rdr->cr3 = restore_cr3; + rdr->magic = RESTORE_MAGIC; + return 0;