From: Greg Kroah-Hartman Date: Tue, 23 Apr 2019 20:53:27 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.139~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c495ceb062188a2e23ae5f20706f6b7f909ffd5b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-core-fix-card-races-between-register-and-disconnect.patch arm64-futex-restore-oldval-initialization-to-work-around-buggy-compilers.patch cifs-keep-fileinfo-handle-live-during-oplock-break.patch crypto-x86-poly1305-fix-overflow-during-partial-reduction.patch iio-ad_sigma_delta-select-channel-when-reading-register.patch iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch iio-gyro-bmg160-use-millidegrees-for-temperature-scale.patch io-accel-kxcjk1013-restore-the-range-after-resume.patch kprobes-fix-error-check-when-reusing-optimized-probes.patch kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu.patch mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch perf-x86-amd-add-event-map-for-amd-family-17h.patch revert-scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch revert-svm-fix-avic-incomplete-ipi-emulation.patch rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch staging-comedi-ni_usb6501-fix-use-of-uninitialized-mutex.patch staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch staging-iio-ad7192-fix-ad7193-channel-address.patch x86-kprobes-verify-stack-frame-on-kretprobe.patch --- diff --git a/queue-4.9/alsa-core-fix-card-races-between-register-and-disconnect.patch b/queue-4.9/alsa-core-fix-card-races-between-register-and-disconnect.patch new file mode 100644 index 00000000000..4bfda2ddd95 --- /dev/null +++ b/queue-4.9/alsa-core-fix-card-races-between-register-and-disconnect.patch @@ -0,0 +1,76 @@ +From 2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 16 Apr 2019 17:06:33 +0200 +Subject: ALSA: core: Fix card races between register and disconnect + +From: Takashi Iwai + +commit 2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac upstream. + +There is a small race window in the card disconnection code that +allows the registration of another card with the very same card id. +This leads to a warning in procfs creation as caught by syzkaller. + +The problem is that we delete snd_cards and snd_cards_lock entries at +the very beginning of the disconnection procedure. This makes the +slot available to be assigned for another card object while the +disconnection procedure is being processed. Then it becomes possible +to issue a procfs registration with the existing file name although we +check the conflict beforehand. + +The fix is simply to move the snd_cards and snd_cards_lock clearances +at the end of the disconnection procedure. The references to these +entries are merely either from the global proc files like +/proc/asound/cards or from the card registration / disconnection, so +it should be fine to shift at the very end. + +Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/init.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/sound/core/init.c ++++ b/sound/core/init.c +@@ -408,14 +408,7 @@ int snd_card_disconnect(struct snd_card + card->shutdown = 1; + spin_unlock(&card->files_lock); + +- /* phase 1: disable fops (user space) operations for ALSA API */ +- mutex_lock(&snd_card_mutex); +- snd_cards[card->number] = NULL; +- clear_bit(card->number, snd_cards_lock); +- mutex_unlock(&snd_card_mutex); +- +- /* phase 2: replace file->f_op with special dummy operations */ +- ++ /* replace file->f_op with special dummy operations */ + spin_lock(&card->files_lock); + list_for_each_entry(mfile, &card->files_list, list) { + /* it's critical part, use endless loop */ +@@ -431,7 +424,7 @@ int snd_card_disconnect(struct snd_card + } + spin_unlock(&card->files_lock); + +- /* phase 3: notify all connected devices about disconnection */ ++ /* notify all connected devices about disconnection */ + /* at this point, they cannot respond to any calls except release() */ + + #if IS_ENABLED(CONFIG_SND_MIXER_OSS) +@@ -447,6 +440,13 @@ int snd_card_disconnect(struct snd_card + device_del(&card->card_dev); + card->registered = false; + } ++ ++ /* disable fops (user space) operations for ALSA API */ ++ mutex_lock(&snd_card_mutex); ++ snd_cards[card->number] = NULL; ++ clear_bit(card->number, snd_cards_lock); ++ mutex_unlock(&snd_card_mutex); ++ + #ifdef CONFIG_PM + wake_up(&card->power_sleep); + #endif diff --git a/queue-4.9/arm64-futex-restore-oldval-initialization-to-work-around-buggy-compilers.patch b/queue-4.9/arm64-futex-restore-oldval-initialization-to-work-around-buggy-compilers.patch new file mode 100644 index 00000000000..96237167252 --- /dev/null +++ b/queue-4.9/arm64-futex-restore-oldval-initialization-to-work-around-buggy-compilers.patch @@ -0,0 +1,52 @@ +From ff8acf929014b7f87315588e0daf8597c8aa9d1c Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 17 Apr 2019 00:21:21 -0700 +Subject: arm64: futex: Restore oldval initialization to work around buggy compilers + +From: Nathan Chancellor + +commit ff8acf929014b7f87315588e0daf8597c8aa9d1c upstream. + +Commit 045afc24124d ("arm64: futex: Fix FUTEX_WAKE_OP atomic ops with +non-zero result value") removed oldval's zero initialization in +arch_futex_atomic_op_inuser because it is not necessary. Unfortunately, +Android's arm64 GCC 4.9.4 [1] does not agree: + +../kernel/futex.c: In function 'do_futex': +../kernel/futex.c:1658:17: warning: 'oldval' may be used uninitialized +in this function [-Wmaybe-uninitialized] + return oldval == cmparg; + ^ +In file included from ../kernel/futex.c:73:0: +../arch/arm64/include/asm/futex.h:53:6: note: 'oldval' was declared here + int oldval, ret, tmp; + ^ + +GCC fails to follow that when ret is non-zero, futex_atomic_op_inuser +returns right away, avoiding the uninitialized use that it claims. +Restoring the zero initialization works around this issue. + +[1]: https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/ + +Cc: stable@vger.kernel.org +Fixes: 045afc24124d ("arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Nathan Chancellor +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/futex.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/futex.h ++++ b/arch/arm64/include/asm/futex.h +@@ -53,7 +53,7 @@ + static inline int + arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) + { +- int oldval, ret, tmp; ++ int oldval = 0, ret, tmp; + + pagefault_disable(); + diff --git a/queue-4.9/cifs-keep-fileinfo-handle-live-during-oplock-break.patch b/queue-4.9/cifs-keep-fileinfo-handle-live-during-oplock-break.patch new file mode 100644 index 00000000000..37d94cbe76f --- /dev/null +++ b/queue-4.9/cifs-keep-fileinfo-handle-live-during-oplock-break.patch @@ -0,0 +1,179 @@ +From b98749cac4a695f084a5ff076f4510b23e353ecd Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Fri, 29 Mar 2019 10:49:12 +0100 +Subject: CIFS: keep FileInfo handle live during oplock break + +From: Aurelien Aptel + +commit b98749cac4a695f084a5ff076f4510b23e353ecd upstream. + +In the oplock break handler, writing pending changes from pages puts +the FileInfo handle. If the refcount reaches zero it closes the handle +and waits for any oplock break handler to return, thus causing a deadlock. + +To prevent this situation: + +* We add a wait flag to cifsFileInfo_put() to decide whether we should + wait for running/pending oplock break handlers + +* We keep an additionnal reference of the SMB FileInfo handle so that + for the rest of the handler putting the handle won't close it. + - The ref is bumped everytime we queue the handler via the + cifs_queue_oplock_break() helper. + - The ref is decremented at the end of the handler + +This bug was triggered by xfstest 464. + +Also important fix to address the various reports of +oops in smb2_push_mandatory_locks + +Signed-off-by: Aurelien Aptel +Signed-off-by: Steve French +Reviewed-by: Pavel Shilovsky +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifsglob.h | 2 ++ + fs/cifs/file.c | 30 +++++++++++++++++++++++++----- + fs/cifs/misc.c | 25 +++++++++++++++++++++++-- + fs/cifs/smb2misc.c | 6 +++--- + 4 files changed, 53 insertions(+), 10 deletions(-) + +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -1157,6 +1157,7 @@ cifsFileInfo_get_locked(struct cifsFileI + } + + struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file); ++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr); + void cifsFileInfo_put(struct cifsFileInfo *cifs_file); + + #define CIFS_CACHE_READ_FLG 1 +@@ -1651,6 +1652,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock; + #endif /* CONFIG_CIFS_ACL */ + + void cifs_oplock_break(struct work_struct *work); ++void cifs_queue_oplock_break(struct cifsFileInfo *cfile); + + extern const struct slow_work_ops cifs_oplock_break_ops; + extern struct workqueue_struct *cifsiod_wq; +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -358,13 +358,31 @@ cifsFileInfo_get(struct cifsFileInfo *ci + return cifs_file; + } + +-/* +- * Release a reference on the file private data. This may involve closing +- * the filehandle out on the server. Must be called without holding +- * tcon->open_file_lock and cifs_file->file_info_lock. ++/** ++ * cifsFileInfo_put - release a reference of file priv data ++ * ++ * Always potentially wait for oplock handler. See _cifsFileInfo_put(). + */ + void cifsFileInfo_put(struct cifsFileInfo *cifs_file) + { ++ _cifsFileInfo_put(cifs_file, true); ++} ++ ++/** ++ * _cifsFileInfo_put - release a reference of file priv data ++ * ++ * This may involve closing the filehandle @cifs_file out on the ++ * server. Must be called without holding tcon->open_file_lock and ++ * cifs_file->file_info_lock. ++ * ++ * If @wait_for_oplock_handler is true and we are releasing the last ++ * reference, wait for any running oplock break handler of the file ++ * and cancel any pending one. If calling this function from the ++ * oplock break handler, you need to pass false. ++ * ++ */ ++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler) ++{ + struct inode *inode = d_inode(cifs_file->dentry); + struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink); + struct TCP_Server_Info *server = tcon->ses->server; +@@ -411,7 +429,8 @@ void cifsFileInfo_put(struct cifsFileInf + + spin_unlock(&tcon->open_file_lock); + +- oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break); ++ oplock_break_cancelled = wait_oplock_handler ? ++ cancel_work_sync(&cifs_file->oplock_break) : false; + + if (!tcon->need_reconnect && !cifs_file->invalidHandle) { + struct TCP_Server_Info *server = tcon->ses->server; +@@ -3913,6 +3932,7 @@ void cifs_oplock_break(struct work_struc + cinode); + cifs_dbg(FYI, "Oplock release rc = %d\n", rc); + } ++ _cifsFileInfo_put(cfile, false /* do not wait for ourself */); + cifs_done_oplock_break(cinode); + } + +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -494,8 +494,7 @@ is_valid_oplock_break(char *buffer, stru + CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &pCifsInode->flags); + +- queue_work(cifsoplockd_wq, +- &netfile->oplock_break); ++ cifs_queue_oplock_break(netfile); + netfile->oplock_break_cancelled = false; + + spin_unlock(&tcon->open_file_lock); +@@ -592,6 +591,28 @@ void cifs_put_writer(struct cifsInodeInf + spin_unlock(&cinode->writers_lock); + } + ++/** ++ * cifs_queue_oplock_break - queue the oplock break handler for cfile ++ * ++ * This function is called from the demultiplex thread when it ++ * receives an oplock break for @cfile. ++ * ++ * Assumes the tcon->open_file_lock is held. ++ * Assumes cfile->file_info_lock is NOT held. ++ */ ++void cifs_queue_oplock_break(struct cifsFileInfo *cfile) ++{ ++ /* ++ * Bump the handle refcount now while we hold the ++ * open_file_lock to enforce the validity of it for the oplock ++ * break handler. The matching put is done at the end of the ++ * handler. ++ */ ++ cifsFileInfo_get(cfile); ++ ++ queue_work(cifsoplockd_wq, &cfile->oplock_break); ++} ++ + void cifs_done_oplock_break(struct cifsInodeInfo *cinode) + { + clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -512,7 +512,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tc + clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &cinode->flags); + +- queue_work(cifsoplockd_wq, &cfile->oplock_break); ++ cifs_queue_oplock_break(cfile); + kfree(lw); + return true; + } +@@ -656,8 +656,8 @@ smb2_is_valid_oplock_break(char *buffer, + CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &cinode->flags); + spin_unlock(&cfile->file_info_lock); +- queue_work(cifsoplockd_wq, +- &cfile->oplock_break); ++ ++ cifs_queue_oplock_break(cfile); + + spin_unlock(&tcon->open_file_lock); + spin_unlock(&cifs_tcp_ses_lock); diff --git a/queue-4.9/crypto-x86-poly1305-fix-overflow-during-partial-reduction.patch b/queue-4.9/crypto-x86-poly1305-fix-overflow-during-partial-reduction.patch new file mode 100644 index 00000000000..06e1175f5e8 --- /dev/null +++ b/queue-4.9/crypto-x86-poly1305-fix-overflow-during-partial-reduction.patch @@ -0,0 +1,193 @@ +From 678cce4019d746da6c680c48ba9e6d417803e127 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 31 Mar 2019 13:04:11 -0700 +Subject: crypto: x86/poly1305 - fix overflow during partial reduction + +From: Eric Biggers + +commit 678cce4019d746da6c680c48ba9e6d417803e127 upstream. + +The x86_64 implementation of Poly1305 produces the wrong result on some +inputs because poly1305_4block_avx2() incorrectly assumes that when +partially reducing the accumulator, the bits carried from limb 'd4' to +limb 'h0' fit in a 32-bit integer. This is true for poly1305-generic +which processes only one block at a time. However, it's not true for +the AVX2 implementation, which processes 4 blocks at a time and +therefore can produce intermediate limbs about 4x larger. + +Fix it by making the relevant calculations use 64-bit arithmetic rather +than 32-bit. Note that most of the carries already used 64-bit +arithmetic, but the d4 -> h0 carry was different for some reason. + +To be safe I also made the same change to the corresponding SSE2 code, +though that only operates on 1 or 2 blocks at a time. I don't think +it's really needed for poly1305_block_sse2(), but it doesn't hurt +because it's already x86_64 code. It *might* be needed for +poly1305_2block_sse2(), but overflows aren't easy to reproduce there. + +This bug was originally detected by my patches that improve testmgr to +fuzz algorithms against their generic implementation. But also add a +test vector which reproduces it directly (in the AVX2 case). + +Fixes: b1ccc8f4b631 ("crypto: poly1305 - Add a four block AVX2 variant for x86_64") +Fixes: c70f4abef07a ("crypto: poly1305 - Add a SSE2 SIMD variant for x86_64") +Cc: # v4.3+ +Cc: Martin Willi +Cc: Jason A. Donenfeld +Signed-off-by: Eric Biggers +Reviewed-by: Martin Willi +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/poly1305-avx2-x86_64.S | 14 +++++++--- + arch/x86/crypto/poly1305-sse2-x86_64.S | 22 ++++++++++------ + crypto/testmgr.h | 44 ++++++++++++++++++++++++++++++++- + 3 files changed, 67 insertions(+), 13 deletions(-) + +--- a/arch/x86/crypto/poly1305-avx2-x86_64.S ++++ b/arch/x86/crypto/poly1305-avx2-x86_64.S +@@ -321,6 +321,12 @@ ENTRY(poly1305_4block_avx2) + vpaddq t2,t1,t1 + vmovq t1x,d4 + ++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 -> ++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small ++ # amount. Careful: we must not assume the carry bits 'd0 >> 26', ++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit ++ # integers. It's true in a single-block implementation, but not here. ++ + # d1 += d0 >> 26 + mov d0,%rax + shr $26,%rax +@@ -359,16 +365,16 @@ ENTRY(poly1305_4block_avx2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +--- a/arch/x86/crypto/poly1305-sse2-x86_64.S ++++ b/arch/x86/crypto/poly1305-sse2-x86_64.S +@@ -251,16 +251,16 @@ ENTRY(poly1305_block_sse2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +@@ -518,6 +518,12 @@ ENTRY(poly1305_2block_sse2) + paddq t2,t1 + movq t1,d4 + ++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 -> ++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small ++ # amount. Careful: we must not assume the carry bits 'd0 >> 26', ++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit ++ # integers. It's true in a single-block implementation, but not here. ++ + # d1 += d0 >> 26 + mov d0,%rax + shr $26,%rax +@@ -556,16 +562,16 @@ ENTRY(poly1305_2block_sse2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -4527,7 +4527,49 @@ static struct hash_testvec poly1305_tv_t + .psize = 80, + .digest = "\x13\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00", +- }, ++ }, { /* Regression test for overflow in AVX2 implementation */ ++ .plaintext = "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff", ++ .psize = 300, ++ .digest = "\xfb\x5e\x96\xd8\x61\xd5\xc7\xc8" ++ "\x78\xe5\x87\xcc\x2d\x5a\x22\xe1", ++ } + }; + + /* diff --git a/queue-4.9/iio-ad_sigma_delta-select-channel-when-reading-register.patch b/queue-4.9/iio-ad_sigma_delta-select-channel-when-reading-register.patch new file mode 100644 index 00000000000..000c09d3e87 --- /dev/null +++ b/queue-4.9/iio-ad_sigma_delta-select-channel-when-reading-register.patch @@ -0,0 +1,35 @@ +From fccfb9ce70ed4ea7a145f77b86de62e38178517f Mon Sep 17 00:00:00 2001 +From: Dragos Bogdan +Date: Tue, 19 Mar 2019 12:47:00 +0200 +Subject: iio: ad_sigma_delta: select channel when reading register + +From: Dragos Bogdan + +commit fccfb9ce70ed4ea7a145f77b86de62e38178517f upstream. + +The desired channel has to be selected in order to correctly fill the +buffer with the corresponding data. +The `ad_sd_write_reg()` already does this, but for the +`ad_sd_read_reg_raw()` this was omitted. + +Fixes: af3008485ea03 ("iio:adc: Add common code for ADI Sigma Delta devices") +Signed-off-by: Dragos Bogdan +Signed-off-by: Alexandru Ardelean +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ad_sigma_delta.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_ + if (sigma_delta->info->has_registers) { + data[0] = reg << sigma_delta->info->addr_shift; + data[0] |= sigma_delta->info->read_mask; ++ data[0] |= sigma_delta->comm; + spi_message_add_tail(&t[0], &m); + } + spi_message_add_tail(&t[1], &m); diff --git a/queue-4.9/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch b/queue-4.9/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch new file mode 100644 index 00000000000..616e114b88f --- /dev/null +++ b/queue-4.9/iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch @@ -0,0 +1,69 @@ +From 09c6bdee51183a575bf7546890c8c137a75a2b44 Mon Sep 17 00:00:00 2001 +From: Georg Ottinger +Date: Wed, 30 Jan 2019 14:42:02 +0100 +Subject: iio: adc: at91: disable adc channel interrupt in timeout case + +From: Georg Ottinger + +commit 09c6bdee51183a575bf7546890c8c137a75a2b44 upstream. + +Having a brief look at at91_adc_read_raw() it is obvious that in the case +of a timeout the setting of AT91_ADC_CHDR and AT91_ADC_IDR registers is +omitted. If 2 different channels are queried we can end up with a +situation where two interrupts are enabled, but only one interrupt is +cleared in the interrupt handler. Resulting in a interrupt loop and a +system hang. + +Signed-off-by: Georg Ottinger +Acked-by: Ludovic Desroches +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/at91_adc.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -704,23 +704,29 @@ static int at91_adc_read_raw(struct iio_ + ret = wait_event_interruptible_timeout(st->wq_data_avail, + st->done, + msecs_to_jiffies(1000)); +- if (ret == 0) +- ret = -ETIMEDOUT; +- if (ret < 0) { +- mutex_unlock(&st->lock); +- return ret; +- } +- +- *val = st->last_value; + ++ /* Disable interrupts, regardless if adc conversion was ++ * successful or not ++ */ + at91_adc_writel(st, AT91_ADC_CHDR, + AT91_ADC_CH(chan->channel)); + at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel)); + +- st->last_value = 0; +- st->done = false; ++ if (ret > 0) { ++ /* a valid conversion took place */ ++ *val = st->last_value; ++ st->last_value = 0; ++ st->done = false; ++ ret = IIO_VAL_INT; ++ } else if (ret == 0) { ++ /* conversion timeout */ ++ dev_err(&idev->dev, "ADC Channel %d timeout.\n", ++ chan->channel); ++ ret = -ETIMEDOUT; ++ } ++ + mutex_unlock(&st->lock); +- return IIO_VAL_INT; ++ return ret; + + case IIO_CHAN_INFO_SCALE: + *val = st->vref_mv; diff --git a/queue-4.9/iio-gyro-bmg160-use-millidegrees-for-temperature-scale.patch b/queue-4.9/iio-gyro-bmg160-use-millidegrees-for-temperature-scale.patch new file mode 100644 index 00000000000..7aeb5d90eb5 --- /dev/null +++ b/queue-4.9/iio-gyro-bmg160-use-millidegrees-for-temperature-scale.patch @@ -0,0 +1,45 @@ +From 40a7198a4a01037003c7ca714f0d048a61e729ac Mon Sep 17 00:00:00 2001 +From: Mike Looijmans +Date: Wed, 13 Feb 2019 08:41:47 +0100 +Subject: iio/gyro/bmg160: Use millidegrees for temperature scale + +From: Mike Looijmans + +commit 40a7198a4a01037003c7ca714f0d048a61e729ac upstream. + +Standard unit for temperature is millidegrees Celcius, whereas this driver +was reporting in degrees. Fix the scale factor in the driver. + +Signed-off-by: Mike Looijmans +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/gyro/bmg160_core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/gyro/bmg160_core.c ++++ b/drivers/iio/gyro/bmg160_core.c +@@ -583,11 +583,10 @@ static int bmg160_read_raw(struct iio_de + case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY: + return bmg160_get_filter(data, val); + case IIO_CHAN_INFO_SCALE: +- *val = 0; + switch (chan->type) { + case IIO_TEMP: +- *val2 = 500000; +- return IIO_VAL_INT_PLUS_MICRO; ++ *val = 500; ++ return IIO_VAL_INT; + case IIO_ANGL_VEL: + { + int i; +@@ -595,6 +594,7 @@ static int bmg160_read_raw(struct iio_de + for (i = 0; i < ARRAY_SIZE(bmg160_scale_table); ++i) { + if (bmg160_scale_table[i].dps_range == + data->dps_range) { ++ *val = 0; + *val2 = bmg160_scale_table[i].scale; + return IIO_VAL_INT_PLUS_MICRO; + } diff --git a/queue-4.9/io-accel-kxcjk1013-restore-the-range-after-resume.patch b/queue-4.9/io-accel-kxcjk1013-restore-the-range-after-resume.patch new file mode 100644 index 00000000000..5dfcb6017c5 --- /dev/null +++ b/queue-4.9/io-accel-kxcjk1013-restore-the-range-after-resume.patch @@ -0,0 +1,35 @@ +From fe2d3df639a7940a125a33d6460529b9689c5406 Mon Sep 17 00:00:00 2001 +From: "he, bo" +Date: Wed, 6 Mar 2019 10:32:20 +0800 +Subject: io: accel: kxcjk1013: restore the range after resume. + +From: he, bo + +commit fe2d3df639a7940a125a33d6460529b9689c5406 upstream. + +On some laptops, kxcjk1013 is powered off when system enters S3. We need +restore the range regiter during resume. Otherwise, the sensor doesn't +work properly after S3. + +Signed-off-by: he, bo +Signed-off-by: Chen, Hu +Reviewed-by: Hans de Goede +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/kxcjk-1013.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/accel/kxcjk-1013.c ++++ b/drivers/iio/accel/kxcjk-1013.c +@@ -1340,6 +1340,8 @@ static int kxcjk1013_resume(struct devic + + mutex_lock(&data->mutex); + ret = kxcjk1013_set_mode(data, OPERATION); ++ if (ret == 0) ++ ret = kxcjk1013_set_range(data, data->range); + mutex_unlock(&data->mutex); + + return ret; diff --git a/queue-4.9/kprobes-fix-error-check-when-reusing-optimized-probes.patch b/queue-4.9/kprobes-fix-error-check-when-reusing-optimized-probes.patch new file mode 100644 index 00000000000..c384c9c1522 --- /dev/null +++ b/queue-4.9/kprobes-fix-error-check-when-reusing-optimized-probes.patch @@ -0,0 +1,82 @@ +From 5f843ed415581cfad4ef8fefe31c138a8346ca8a Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Mon, 15 Apr 2019 15:01:25 +0900 +Subject: kprobes: Fix error check when reusing optimized probes + +From: Masami Hiramatsu + +commit 5f843ed415581cfad4ef8fefe31c138a8346ca8a upstream. + +The following commit introduced a bug in one of our error paths: + + 819319fc9346 ("kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()") + +it missed to handle the return value of kprobe_optready() as +error-value. In reality, the kprobe_optready() returns a bool +result, so "true" case must be passed instead of 0. + +This causes some errors on kprobe boot-time selftests on ARM: + + [ ] Beginning kprobe tests... + [ ] Probe ARM code + [ ] kprobe + [ ] kretprobe + [ ] ARM instruction simulation + [ ] Check decoding tables + [ ] Run test cases + [ ] FAIL: test_case_handler not run + [ ] FAIL: Test andge r10, r11, r14, asr r7 + [ ] FAIL: Scenario 11 + ... + [ ] FAIL: Scenario 7 + [ ] Total instruction simulation tests=1631, pass=1433 fail=198 + [ ] kprobe tests failed + +This can happen if an optimized probe is unregistered and next +kprobe is registered on same address until the previous probe +is not reclaimed. + +If this happens, a hidden aggregated probe may be kept in memory, +and no new kprobe can probe same address. Also, in that case +register_kprobe() will return "1" instead of minus error value, +which can mislead caller logic. + +Signed-off-by: Masami Hiramatsu +Cc: Anil S Keshavamurthy +Cc: David S . Miller +Cc: Linus Torvalds +Cc: Naveen N . Rao +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org # v5.0+ +Fixes: 819319fc9346 ("kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()") +Link: http://lkml.kernel.org/r/155530808559.32517.539898325433642204.stgit@devnote2 +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kprobes.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -668,7 +668,6 @@ static void unoptimize_kprobe(struct kpr + static int reuse_unused_kprobe(struct kprobe *ap) + { + struct optimized_kprobe *op; +- int ret; + + BUG_ON(!kprobe_unused(ap)); + /* +@@ -682,9 +681,8 @@ static int reuse_unused_kprobe(struct kp + /* Enable the probe again */ + ap->flags &= ~KPROBE_FLAG_DISABLED; + /* Optimize it again (remove from op->list) */ +- ret = kprobe_optready(ap); +- if (ret) +- return ret; ++ if (!kprobe_optready(ap)) ++ return -EINVAL; + + optimize_kprobe(ap); + return 0; diff --git a/queue-4.9/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch b/queue-4.9/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch new file mode 100644 index 00000000000..e8ab565998c --- /dev/null +++ b/queue-4.9/kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch @@ -0,0 +1,72 @@ +From fabe38ab6b2bd9418350284c63825f13b8a6abba Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Sun, 24 Feb 2019 01:50:20 +0900 +Subject: kprobes: Mark ftrace mcount handler functions nokprobe + +From: Masami Hiramatsu + +commit fabe38ab6b2bd9418350284c63825f13b8a6abba upstream. + +Mark ftrace mcount handler functions nokprobe since +probing on these functions with kretprobe pushes +return address incorrectly on kretprobe shadow stack. + +Reported-by: Francis Deslauriers +Tested-by: Andrea Righi +Signed-off-by: Masami Hiramatsu +Acked-by: Steven Rostedt +Acked-by: Steven Rostedt (VMware) +Cc: Linus Torvalds +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/155094062044.6137.6419622920568680640.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include + +@@ -5246,7 +5247,7 @@ void ftrace_reset_array_ops(struct trace + tr->ops->func = ftrace_stub; + } + +-static inline void ++static nokprobe_inline void + __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, + struct ftrace_ops *ignored, struct pt_regs *regs) + { +@@ -5309,11 +5310,13 @@ static void ftrace_ops_list_func(unsigne + { + __ftrace_ops_list_func(ip, parent_ip, NULL, regs); + } ++NOKPROBE_SYMBOL(ftrace_ops_list_func); + #else + static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip) + { + __ftrace_ops_list_func(ip, parent_ip, NULL, NULL); + } ++NOKPROBE_SYMBOL(ftrace_ops_no_ops); + #endif + + /* +@@ -5343,6 +5346,7 @@ static void ftrace_ops_assist_func(unsig + preempt_enable_notrace(); + trace_clear_recursion(bit); + } ++NOKPROBE_SYMBOL(ftrace_ops_assist_func); + + /** + * ftrace_ops_get_func - get the function a trampoline should call diff --git a/queue-4.9/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu.patch b/queue-4.9/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu.patch new file mode 100644 index 00000000000..d8899a77cc9 --- /dev/null +++ b/queue-4.9/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu.patch @@ -0,0 +1,80 @@ +From 8f4dc2e77cdfaf7e644ef29693fa229db29ee1de Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 2 Apr 2019 08:10:47 -0700 +Subject: KVM: x86: Don't clear EFER during SMM transitions for 32-bit vCPU + +From: Sean Christopherson + +commit 8f4dc2e77cdfaf7e644ef29693fa229db29ee1de upstream. + +Neither AMD nor Intel CPUs have an EFER field in the legacy SMRAM save +state area, i.e. don't save/restore EFER across SMM transitions. KVM +somewhat models this, e.g. doesn't clear EFER on entry to SMM if the +guest doesn't support long mode. But during RSM, KVM unconditionally +clears EFER so that it can get back to pure 32-bit mode in order to +start loading CRs with their actual non-SMM values. + +Clear EFER only when it will be written when loading the non-SMM state +so as to preserve bits that can theoretically be set on 32-bit vCPUs, +e.g. KVM always emulates EFER_SCE. + +And because CR4.PAE is cleared only to play nice with EFER, wrap that +code in the long mode check as well. Note, this may result in a +compiler warning about cr4 being consumed uninitialized. Re-read CR4 +even though it's technically unnecessary, as doing so allows for more +readable code and RSM emulation is not a performance critical path. + +Fixes: 660a5d517aaab ("KVM: x86: save/load state on SMM switch") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2579,15 +2579,13 @@ static int em_rsm(struct x86_emulate_ctx + * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU + * supports long mode. + */ +- cr4 = ctxt->ops->get_cr(ctxt, 4); + if (emulator_has_longmode(ctxt)) { + struct desc_struct cs_desc; + + /* Zero CR4.PCIDE before CR0.PG. */ +- if (cr4 & X86_CR4_PCIDE) { ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (cr4 & X86_CR4_PCIDE) + ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE); +- cr4 &= ~X86_CR4_PCIDE; +- } + + /* A 32-bit code segment is required to clear EFER.LMA. */ + memset(&cs_desc, 0, sizeof(cs_desc)); +@@ -2601,13 +2599,16 @@ static int em_rsm(struct x86_emulate_ctx + if (cr0 & X86_CR0_PE) + ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE)); + +- /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */ +- if (cr4 & X86_CR4_PAE) +- ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); +- +- /* And finally go back to 32-bit mode. */ +- efer = 0; +- ctxt->ops->set_msr(ctxt, MSR_EFER, efer); ++ if (emulator_has_longmode(ctxt)) { ++ /* Clear CR4.PAE before clearing EFER.LME. */ ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (cr4 & X86_CR4_PAE) ++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); ++ ++ /* And finally go back to 32-bit mode. */ ++ efer = 0; ++ ctxt->ops->set_msr(ctxt, MSR_EFER, efer); ++ } + + smbase = ctxt->ops->get_smbase(ctxt); + if (emulator_has_longmode(ctxt)) diff --git a/queue-4.9/mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch b/queue-4.9/mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch new file mode 100644 index 00000000000..194267cfc19 --- /dev/null +++ b/queue-4.9/mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch @@ -0,0 +1,43 @@ +From 4856bfd230985e43e84c26473c91028ff0a533bd Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Fri, 1 Mar 2019 14:48:37 +0100 +Subject: mac80211: do not call driver wake_tx_queue op during reconfig + +From: Felix Fietkau + +commit 4856bfd230985e43e84c26473c91028ff0a533bd upstream. + +There are several scenarios in which mac80211 can call drv_wake_tx_queue +after ieee80211_restart_hw has been called and has not yet completed. +Driver private structs are considered uninitialized until mac80211 has +uploaded the vifs, stations and keys again, so using private tx queue +data during that time is not safe. + +The driver can also not rely on drv_reconfig_complete to figure out when +it is safe to accept drv_wake_tx_queue calls again, because it is only +called after all tx queues are woken again. + +To fix this, bail out early in drv_wake_tx_queue if local->in_reconfig +is set. + +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/driver-ops.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1163,6 +1163,9 @@ static inline void drv_wake_tx_queue(str + { + struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif); + ++ if (local->in_reconfig) ++ return; ++ + if (!check_sdata_in_driver(sdata)) + return; + diff --git a/queue-4.9/perf-x86-amd-add-event-map-for-amd-family-17h.patch b/queue-4.9/perf-x86-amd-add-event-map-for-amd-family-17h.patch new file mode 100644 index 00000000000..28995fdf158 --- /dev/null +++ b/queue-4.9/perf-x86-amd-add-event-map-for-amd-family-17h.patch @@ -0,0 +1,103 @@ +From 3fe3331bb285700ab2253dbb07f8e478fcea2f1b Mon Sep 17 00:00:00 2001 +From: Kim Phillips +Date: Thu, 21 Mar 2019 21:15:22 +0000 +Subject: perf/x86/amd: Add event map for AMD Family 17h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kim Phillips + +commit 3fe3331bb285700ab2253dbb07f8e478fcea2f1b upstream. + +Family 17h differs from prior families by: + + - Does not support an L2 cache miss event + - It has re-enumerated PMC counters for: + - L2 cache references + - front & back end stalled cycles + +So we add a new amd_f17h_perfmon_event_map[] so that the generic +perf event names will resolve to the correct h/w events on +family 17h and above processors. + +Reference sections 2.1.13.3.3 (stalls) and 2.1.13.3.6 (L2): + + https://www.amd.com/system/files/TechDocs/54945_PPR_Family_17h_Models_00h-0Fh.pdf + +Signed-off-by: Kim Phillips +Cc: # v4.9+ +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: H. Peter Anvin +Cc: Janakarajan Natarajan +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Martin LiÅ¡ka +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Pu Wen +Cc: Suravee Suthikulpanit +Cc: Thomas Gleixner +Cc: linux-kernel@vger.kernel.org +Fixes: e40ed1542dd7 ("perf/x86: Add perf support for AMD family-17h processors") +[ Improved the formatting a bit. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/amd/core.c | 35 ++++++++++++++++++++++++++--------- + 1 file changed, 26 insertions(+), 9 deletions(-) + +--- a/arch/x86/events/amd/core.c ++++ b/arch/x86/events/amd/core.c +@@ -113,22 +113,39 @@ static __initconst const u64 amd_hw_cach + }; + + /* +- * AMD Performance Monitor K7 and later. ++ * AMD Performance Monitor K7 and later, up to and including Family 16h: + */ + static const u64 amd_perfmon_event_map[PERF_COUNT_HW_MAX] = + { +- [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, +- [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, +- [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d, +- [PERF_COUNT_HW_CACHE_MISSES] = 0x077e, +- [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, +- [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, +- [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */ +- [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x00d1, /* "Dispatch stalls" event */ ++ [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, ++ [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, ++ [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d, ++ [PERF_COUNT_HW_CACHE_MISSES] = 0x077e, ++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, ++ [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, ++ [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */ ++ [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x00d1, /* "Dispatch stalls" event */ ++}; ++ ++/* ++ * AMD Performance Monitor Family 17h and later: ++ */ ++static const u64 amd_f17h_perfmon_event_map[PERF_COUNT_HW_MAX] = ++{ ++ [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, ++ [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, ++ [PERF_COUNT_HW_CACHE_REFERENCES] = 0xff60, ++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, ++ [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, ++ [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x0287, ++ [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x0187, + }; + + static u64 amd_pmu_event_map(int hw_event) + { ++ if (boot_cpu_data.x86 >= 0x17) ++ return amd_f17h_perfmon_event_map[hw_event]; ++ + return amd_perfmon_event_map[hw_event]; + } + diff --git a/queue-4.9/revert-scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch b/queue-4.9/revert-scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch new file mode 100644 index 00000000000..ca426c85793 --- /dev/null +++ b/queue-4.9/revert-scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch @@ -0,0 +1,35 @@ +From 0228034d8e5915b98c33db35a98f5e909e848ae9 Mon Sep 17 00:00:00 2001 +From: Saurav Kashyap +Date: Thu, 18 Apr 2019 03:40:12 -0700 +Subject: Revert "scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO" + +From: Saurav Kashyap + +commit 0228034d8e5915b98c33db35a98f5e909e848ae9 upstream. + +This patch clears FC_RP_STARTED flag during logoff, because of this +re-login(flogi) didn't happen to the switch. + +This reverts commit 1550ec458e0cf1a40a170ab1f4c46e3f52860f65. + +Fixes: 1550ec458e0c ("scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO") +Cc: # v4.18+ +Signed-off-by: Saurav Kashyap +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/libfc/fc_rport.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/scsi/libfc/fc_rport.c ++++ b/drivers/scsi/libfc/fc_rport.c +@@ -1935,7 +1935,6 @@ static void fc_rport_recv_logo_req(struc + FC_RPORT_DBG(rdata, "Received LOGO request while in state %s\n", + fc_rport_state(rdata)); + +- rdata->flags &= ~FC_RP_STARTED; + fc_rport_enter_delete(rdata, RPORT_EV_STOP); + mutex_unlock(&rdata->rp_mutex); + kref_put(&rdata->kref, rdata->local_port->tt.rport_destroy); diff --git a/queue-4.9/revert-svm-fix-avic-incomplete-ipi-emulation.patch b/queue-4.9/revert-svm-fix-avic-incomplete-ipi-emulation.patch new file mode 100644 index 00000000000..28159f99bcf --- /dev/null +++ b/queue-4.9/revert-svm-fix-avic-incomplete-ipi-emulation.patch @@ -0,0 +1,71 @@ +From 4a58038b9e420276157785afa0a0bbb4b9bc2265 Mon Sep 17 00:00:00 2001 +From: "Suthikulpanit, Suravee" +Date: Wed, 20 Mar 2019 08:12:28 +0000 +Subject: Revert "svm: Fix AVIC incomplete IPI emulation" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Suthikulpanit, Suravee + +commit 4a58038b9e420276157785afa0a0bbb4b9bc2265 upstream. + +This reverts commit bb218fbcfaaa3b115d4cd7a43c0ca164f3a96e57. + +As Oren Twaig pointed out the old discussion: + + https://patchwork.kernel.org/patch/8292231/ + +that the change coud potentially cause an extra IPI to be sent to +the destination vcpu because the AVIC hardware already set the IRR bit +before the incomplete IPI #VMEXIT with id=1 (target vcpu is not running). +Since writting to ICR and ICR2 will also set the IRR. If something triggers +the destination vcpu to get scheduled before the emulation finishes, then +this could result in an additional IPI. + +Also, the issue mentioned in the commit bb218fbcfaaa was misdiagnosed. + +Cc: Radim Krčmář +Cc: Paolo Bonzini +Reported-by: Oren Twaig +Signed-off-by: Suravee Suthikulpanit +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3940,14 +3940,25 @@ static int avic_incomplete_ipi_intercept + kvm_lapic_reg_write(apic, APIC_ICR, icrl); + break; + case AVIC_IPI_FAILURE_TARGET_NOT_RUNNING: { ++ int i; ++ struct kvm_vcpu *vcpu; ++ struct kvm *kvm = svm->vcpu.kvm; + struct kvm_lapic *apic = svm->vcpu.arch.apic; + + /* +- * Update ICR high and low, then emulate sending IPI, +- * which is handled when writing APIC_ICR. ++ * At this point, we expect that the AVIC HW has already ++ * set the appropriate IRR bits on the valid target ++ * vcpus. So, we just need to kick the appropriate vcpu. + */ +- kvm_lapic_reg_write(apic, APIC_ICR2, icrh); +- kvm_lapic_reg_write(apic, APIC_ICR, icrl); ++ kvm_for_each_vcpu(i, vcpu, kvm) { ++ bool m = kvm_apic_match_dest(vcpu, apic, ++ icrl & KVM_APIC_SHORT_MASK, ++ GET_APIC_DEST_FIELD(icrh), ++ icrl & KVM_APIC_DEST_MASK); ++ ++ if (m && !avic_vcpu_is_running(vcpu)) ++ kvm_vcpu_wake_up(vcpu); ++ } + break; + } + case AVIC_IPI_FAILURE_INVALID_TARGET: diff --git a/queue-4.9/rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch b/queue-4.9/rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch new file mode 100644 index 00000000000..42559548828 --- /dev/null +++ b/queue-4.9/rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch @@ -0,0 +1,99 @@ +From 746ba11f170603bf1eaade817553a6c2e9135bbe Mon Sep 17 00:00:00 2001 +From: Vijayakumar Durai +Date: Wed, 27 Mar 2019 11:03:17 +0100 +Subject: rt2x00: do not increment sequence number while re-transmitting + +From: Vijayakumar Durai + +commit 746ba11f170603bf1eaade817553a6c2e9135bbe upstream. + +Currently rt2x00 devices retransmit the management frames with +incremented sequence number if hardware is assigning the sequence. + +This is HW bug fixed already for non-QOS data frames, but it should +be fixed for management frames except beacon. + +Without fix retransmitted frames have wrong SN: + + AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1648, FN=0, Flags=........C Frame is not being retransmitted 1648 1 + AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1649, FN=0, Flags=....R...C Frame is being retransmitted 1649 1 + AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1650, FN=0, Flags=....R...C Frame is being retransmitted 1650 1 + +With the fix SN stays correctly the same: + + 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=........C + 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C + 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C + +Cc: stable@vger.kernel.org +Signed-off-by: Vijayakumar Durai +[sgruszka: simplify code, change comments and changelog] +Signed-off-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ralink/rt2x00/rt2x00.h | 1 - + drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 10 ---------- + drivers/net/wireless/ralink/rt2x00/rt2x00queue.c | 15 +++++++++------ + 3 files changed, 9 insertions(+), 17 deletions(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00.h ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00.h +@@ -669,7 +669,6 @@ enum rt2x00_state_flags { + CONFIG_CHANNEL_HT40, + CONFIG_POWERSAVING, + CONFIG_HT_DISABLED, +- CONFIG_QOS_DISABLED, + CONFIG_MONITORING, + + /* +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c +@@ -666,19 +666,9 @@ void rt2x00mac_bss_info_changed(struct i + rt2x00dev->intf_associated--; + + rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated); +- +- clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags); + } + + /* +- * Check for access point which do not support 802.11e . We have to +- * generate data frames sequence number in S/W for such AP, because +- * of H/W bug. +- */ +- if (changes & BSS_CHANGED_QOS && !bss_conf->qos) +- set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags); +- +- /* + * When the erp information has changed, we should perform + * additional configuration steps. For all other changes we are done. + */ +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c +@@ -201,15 +201,18 @@ static void rt2x00queue_create_tx_descri + if (!rt2x00_has_cap_flag(rt2x00dev, REQUIRE_SW_SEQNO)) { + /* + * rt2800 has a H/W (or F/W) bug, device incorrectly increase +- * seqno on retransmited data (non-QOS) frames. To workaround +- * the problem let's generate seqno in software if QOS is +- * disabled. ++ * seqno on retransmitted data (non-QOS) and management frames. ++ * To workaround the problem let's generate seqno in software. ++ * Except for beacons which are transmitted periodically by H/W ++ * hence hardware has to assign seqno for them. + */ +- if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags)) +- __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); +- else ++ if (ieee80211_is_beacon(hdr->frame_control)) { ++ __set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); + /* H/W will generate sequence number */ + return; ++ } ++ ++ __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); + } + + /* diff --git a/queue-4.9/series b/queue-4.9/series index 43c85b6fbfe..49694c9faa4 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -13,3 +13,25 @@ mmc-sdhci-fix-data-command-crc-error-handling.patch modpost-file2alias-go-back-to-simple-devtable-lookup.patch modpost-file2alias-check-prototype-of-handler.patch tpm-tpm_i2c_atmel-return-e2big-when-the-transfer-is-.patch +cifs-keep-fileinfo-handle-live-during-oplock-break.patch +kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu.patch +staging-iio-ad7192-fix-ad7193-channel-address.patch +iio-gyro-bmg160-use-millidegrees-for-temperature-scale.patch +iio-ad_sigma_delta-select-channel-when-reading-register.patch +iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch +io-accel-kxcjk1013-restore-the-range-after-resume.patch +staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch +staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch +staging-comedi-ni_usb6501-fix-use-of-uninitialized-mutex.patch +staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch +alsa-core-fix-card-races-between-register-and-disconnect.patch +revert-scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch +revert-svm-fix-avic-incomplete-ipi-emulation.patch +crypto-x86-poly1305-fix-overflow-during-partial-reduction.patch +arm64-futex-restore-oldval-initialization-to-work-around-buggy-compilers.patch +x86-kprobes-verify-stack-frame-on-kretprobe.patch +kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch +kprobes-fix-error-check-when-reusing-optimized-probes.patch +rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch +mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch +perf-x86-amd-add-event-map-for-amd-family-17h.patch diff --git a/queue-4.9/staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch b/queue-4.9/staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch new file mode 100644 index 00000000000..9fa13ab4217 --- /dev/null +++ b/queue-4.9/staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch @@ -0,0 +1,44 @@ +From af4b54a2e5ba18259ff9aac445bf546dd60d037e Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 15 Apr 2019 12:43:02 +0100 +Subject: staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf + +From: Ian Abbott + +commit af4b54a2e5ba18259ff9aac445bf546dd60d037e upstream. + +`ni6501_alloc_usb_buffers()` is called from `ni6501_auto_attach()` to +allocate RX and TX buffers for USB transfers. It allocates +`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`. If the +allocation of `devpriv->usb_tx_buf` fails, it frees +`devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an +error. Later, `ni6501_detach()` will be called from the core comedi +module code to clean up. `ni6501_detach()` also frees both +`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but +`devpriv->usb_rx_buf` may have already beed freed, leading to a +double-free error. Fix it bu removing the call to +`kfree(devpriv->usb_rx_buf)` from `ni6501_alloc_usb_buffers()`, relying +on `ni6501_detach()` to free the memory. + +Signed-off-by: Ian Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/ni_usb6501.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/staging/comedi/drivers/ni_usb6501.c ++++ b/drivers/staging/comedi/drivers/ni_usb6501.c +@@ -472,10 +472,8 @@ static int ni6501_alloc_usb_buffers(stru + + size = usb_endpoint_maxp(devpriv->ep_tx); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } diff --git a/queue-4.9/staging-comedi-ni_usb6501-fix-use-of-uninitialized-mutex.patch b/queue-4.9/staging-comedi-ni_usb6501-fix-use-of-uninitialized-mutex.patch new file mode 100644 index 00000000000..9e9ff8290f4 --- /dev/null +++ b/queue-4.9/staging-comedi-ni_usb6501-fix-use-of-uninitialized-mutex.patch @@ -0,0 +1,112 @@ +From 660cf4ce9d0f3497cc7456eaa6d74c8b71d6282c Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 15 Apr 2019 12:43:01 +0100 +Subject: staging: comedi: ni_usb6501: Fix use of uninitialized mutex + +From: Ian Abbott + +commit 660cf4ce9d0f3497cc7456eaa6d74c8b71d6282c upstream. + +If `ni6501_auto_attach()` returns an error, the core comedi module code +will call `ni6501_detach()` to clean up. If `ni6501_auto_attach()` +successfully allocated the comedi device private data, `ni6501_detach()` +assumes that a `struct mutex mut` contained in the private data has been +initialized and uses it. Unfortunately, there are a couple of places +where `ni6501_auto_attach()` can return an error after allocating the +device private data but before initializing the mutex, so this +assumption is invalid. Fix it by initializing the mutex just after +allocating the private data in `ni6501_auto_attach()` before any other +errors can be retturned. Also move the call to `usb_set_intfdata()` +just to keep the code a bit neater (either position for the call is +fine). + +I believe this was the cause of the following syzbot crash report +: + +usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 +usb 1-1: config 0 descriptor?? +usb 1-1: string descriptor 0 read error: -71 +comedi comedi0: Wrong number of endpoints +ni6501 1-1:0.233: driver 'ni6501' failed to auto-configure device. +INFO: trying to register non-static key. +the code is fine but needs lockdep annotation. +turning off the locking correctness validator. +CPU: 0 PID: 585 Comm: kworker/0:3 Not tainted 5.1.0-rc4-319354-g9a33b36 #3 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xe8/0x16e lib/dump_stack.c:113 + assign_lock_key kernel/locking/lockdep.c:786 [inline] + register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095 + __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582 + lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211 + __mutex_lock_common kernel/locking/mutex.c:925 [inline] + __mutex_lock+0xfe/0x12b0 kernel/locking/mutex.c:1072 + ni6501_detach+0x5b/0x110 drivers/staging/comedi/drivers/ni_usb6501.c:567 + comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204 + comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156 + comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline] + comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190 + comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline] + comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880 + comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068 + usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361 + really_probe+0x2da/0xb10 drivers/base/dd.c:509 + driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 + __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 + __device_attach+0x223/0x3a0 drivers/base/dd.c:844 + bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 + device_add+0xad2/0x16e0 drivers/base/core.c:2106 + usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021 + generic_probe+0xa2/0xda drivers/usb/core/generic.c:210 + usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266 + really_probe+0x2da/0xb10 drivers/base/dd.c:509 + driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 + __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 + __device_attach+0x223/0x3a0 drivers/base/dd.c:844 + bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 + device_add+0xad2/0x16e0 drivers/base/core.c:2106 + usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534 + hub_port_connect drivers/usb/core/hub.c:5089 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5204 [inline] + port_event drivers/usb/core/hub.c:5350 [inline] + hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432 + process_one_work+0x90f/0x1580 kernel/workqueue.c:2269 + worker_thread+0x9b/0xe20 kernel/workqueue.c:2415 + kthread+0x313/0x420 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 + +Reported-by: syzbot+cf4f2b6c24aff0a3edf6@syzkaller.appspotmail.com +Signed-off-by: Ian Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/ni_usb6501.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/staging/comedi/drivers/ni_usb6501.c ++++ b/drivers/staging/comedi/drivers/ni_usb6501.c +@@ -527,6 +527,9 @@ static int ni6501_auto_attach(struct com + if (!devpriv) + return -ENOMEM; + ++ mutex_init(&devpriv->mut); ++ usb_set_intfdata(intf, devpriv); ++ + ret = ni6501_find_endpoints(dev); + if (ret) + return ret; +@@ -535,9 +538,6 @@ static int ni6501_auto_attach(struct com + if (ret) + return ret; + +- mutex_init(&devpriv->mut); +- usb_set_intfdata(intf, devpriv); +- + ret = comedi_alloc_subdevices(dev, 2); + if (ret) + return ret; diff --git a/queue-4.9/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch b/queue-4.9/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch new file mode 100644 index 00000000000..5b40f07f1a9 --- /dev/null +++ b/queue-4.9/staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch @@ -0,0 +1,44 @@ +From 663d294b4768bfd89e529e069bffa544a830b5bf Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 15 Apr 2019 12:52:30 +0100 +Subject: staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf + +From: Ian Abbott + +commit 663d294b4768bfd89e529e069bffa544a830b5bf upstream. + +`vmk80xx_alloc_usb_buffers()` is called from `vmk80xx_auto_attach()` to +allocate RX and TX buffers for USB transfers. It allocates +`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`. If the +allocation of `devpriv->usb_tx_buf` fails, it frees +`devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an +error. Later, `vmk80xx_detach()` will be called from the core comedi +module code to clean up. `vmk80xx_detach()` also frees both +`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but +`devpriv->usb_rx_buf` may have already been freed, leading to a +double-free error. Fix it by removing the call to +`kfree(devpriv->usb_rx_buf)` from `vmk80xx_alloc_usb_buffers()`, relying +on `vmk80xx_detach()` to free the memory. + +Signed-off-by: Ian Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/vmk80xx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -691,10 +691,8 @@ static int vmk80xx_alloc_usb_buffers(str + + size = usb_endpoint_maxp(devpriv->ep_tx); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } diff --git a/queue-4.9/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch b/queue-4.9/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch new file mode 100644 index 00000000000..c32f8892492 --- /dev/null +++ b/queue-4.9/staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch @@ -0,0 +1,109 @@ +From 08b7c2f9208f0e2a32159e4e7a4831b7adb10a3e Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 15 Apr 2019 12:10:14 +0100 +Subject: staging: comedi: vmk80xx: Fix use of uninitialized semaphore + +From: Ian Abbott + +commit 08b7c2f9208f0e2a32159e4e7a4831b7adb10a3e upstream. + +If `vmk80xx_auto_attach()` returns an error, the core comedi module code +will call `vmk80xx_detach()` to clean up. If `vmk80xx_auto_attach()` +successfully allocated the comedi device private data, +`vmk80xx_detach()` assumes that a `struct semaphore limit_sem` contained +in the private data has been initialized and uses it. Unfortunately, +there are a couple of places where `vmk80xx_auto_attach()` can return an +error after allocating the device private data but before initializing +the semaphore, so this assumption is invalid. Fix it by initializing +the semaphore just after allocating the private data in +`vmk80xx_auto_attach()` before any other errors can be returned. + +I believe this was the cause of the following syzbot crash report +: + +usb 1-1: config 0 has no interface number 0 +usb 1-1: New USB device found, idVendor=10cf, idProduct=8068, bcdDevice=e6.8d +usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 +usb 1-1: config 0 descriptor?? +vmk80xx 1-1:0.117: driver 'vmk80xx' failed to auto-configure device. +INFO: trying to register non-static key. +the code is fine but needs lockdep annotation. +turning off the locking correctness validator. +CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xe8/0x16e lib/dump_stack.c:113 + assign_lock_key kernel/locking/lockdep.c:786 [inline] + register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095 + __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582 + lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152 + down+0x12/0x80 kernel/locking/semaphore.c:58 + vmk80xx_detach+0x59/0x100 drivers/staging/comedi/drivers/vmk80xx.c:829 + comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204 + comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156 + comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline] + comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190 + comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline] + comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880 + comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068 + usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361 + really_probe+0x2da/0xb10 drivers/base/dd.c:509 + driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 + __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 + __device_attach+0x223/0x3a0 drivers/base/dd.c:844 + bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 + device_add+0xad2/0x16e0 drivers/base/core.c:2106 + usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021 + generic_probe+0xa2/0xda drivers/usb/core/generic.c:210 + usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266 + really_probe+0x2da/0xb10 drivers/base/dd.c:509 + driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 + __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 + bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 + __device_attach+0x223/0x3a0 drivers/base/dd.c:844 + bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 + device_add+0xad2/0x16e0 drivers/base/core.c:2106 + usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534 + hub_port_connect drivers/usb/core/hub.c:5089 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5204 [inline] + port_event drivers/usb/core/hub.c:5350 [inline] + hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432 + process_one_work+0x90f/0x1580 kernel/workqueue.c:2269 + worker_thread+0x9b/0xe20 kernel/workqueue.c:2415 + kthread+0x313/0x420 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 + +Reported-by: syzbot+54c2f58f15fe6876b6ad@syzkaller.appspotmail.com +Signed-off-by: Ian Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/vmk80xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -809,6 +809,8 @@ static int vmk80xx_auto_attach(struct co + + devpriv->model = board->model; + ++ sema_init(&devpriv->limit_sem, 8); ++ + ret = vmk80xx_find_usb_endpoints(dev); + if (ret) + return ret; +@@ -817,8 +819,6 @@ static int vmk80xx_auto_attach(struct co + if (ret) + return ret; + +- sema_init(&devpriv->limit_sem, 8); +- + usb_set_intfdata(intf, devpriv); + + if (devpriv->model == VMK8055_MODEL) diff --git a/queue-4.9/staging-iio-ad7192-fix-ad7193-channel-address.patch b/queue-4.9/staging-iio-ad7192-fix-ad7193-channel-address.patch new file mode 100644 index 00000000000..049cc4dd324 --- /dev/null +++ b/queue-4.9/staging-iio-ad7192-fix-ad7193-channel-address.patch @@ -0,0 +1,37 @@ +From 7ce0f216221856a17fc4934b39284678a5fef2e9 Mon Sep 17 00:00:00 2001 +From: Mircea Caprioru +Date: Wed, 20 Feb 2019 13:08:20 +0200 +Subject: staging: iio: ad7192: Fix ad7193 channel address + +From: Mircea Caprioru + +commit 7ce0f216221856a17fc4934b39284678a5fef2e9 upstream. + +This patch fixes the differential channels addresses for the ad7193. + +Signed-off-by: Mircea Caprioru +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/iio/adc/ad7192.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/staging/iio/adc/ad7192.c ++++ b/drivers/staging/iio/adc/ad7192.c +@@ -109,10 +109,10 @@ + #define AD7192_CH_AIN3 BIT(6) /* AIN3 - AINCOM */ + #define AD7192_CH_AIN4 BIT(7) /* AIN4 - AINCOM */ + +-#define AD7193_CH_AIN1P_AIN2M 0x000 /* AIN1(+) - AIN2(-) */ +-#define AD7193_CH_AIN3P_AIN4M 0x001 /* AIN3(+) - AIN4(-) */ +-#define AD7193_CH_AIN5P_AIN6M 0x002 /* AIN5(+) - AIN6(-) */ +-#define AD7193_CH_AIN7P_AIN8M 0x004 /* AIN7(+) - AIN8(-) */ ++#define AD7193_CH_AIN1P_AIN2M 0x001 /* AIN1(+) - AIN2(-) */ ++#define AD7193_CH_AIN3P_AIN4M 0x002 /* AIN3(+) - AIN4(-) */ ++#define AD7193_CH_AIN5P_AIN6M 0x004 /* AIN5(+) - AIN6(-) */ ++#define AD7193_CH_AIN7P_AIN8M 0x008 /* AIN7(+) - AIN8(-) */ + #define AD7193_CH_TEMP 0x100 /* Temp senseor */ + #define AD7193_CH_AIN2P_AIN2M 0x200 /* AIN2(+) - AIN2(-) */ + #define AD7193_CH_AIN1 0x401 /* AIN1 - AINCOM */ diff --git a/queue-4.9/x86-kprobes-verify-stack-frame-on-kretprobe.patch b/queue-4.9/x86-kprobes-verify-stack-frame-on-kretprobe.patch new file mode 100644 index 00000000000..366b804ae04 --- /dev/null +++ b/queue-4.9/x86-kprobes-verify-stack-frame-on-kretprobe.patch @@ -0,0 +1,112 @@ +From 3ff9c075cc767b3060bdac12da72fc94dd7da1b8 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Sun, 24 Feb 2019 01:49:52 +0900 +Subject: x86/kprobes: Verify stack frame on kretprobe + +From: Masami Hiramatsu + +commit 3ff9c075cc767b3060bdac12da72fc94dd7da1b8 upstream. + +Verify the stack frame pointer on kretprobe trampoline handler, +If the stack frame pointer does not match, it skips the wrong +entry and tries to find correct one. + +This can happen if user puts the kretprobe on the function +which can be used in the path of ftrace user-function call. +Such functions should not be probed, so this adds a warning +message that reports which function should be blacklisted. + +Tested-by: Andrea Righi +Signed-off-by: Masami Hiramatsu +Acked-by: Steven Rostedt +Cc: Linus Torvalds +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/155094059185.6137.15527904013362842072.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/kprobes/core.c | 26 ++++++++++++++++++++++++++ + include/linux/kprobes.h | 1 + + 2 files changed, 27 insertions(+) + +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -545,6 +545,7 @@ void arch_prepare_kretprobe(struct kretp + unsigned long *sara = stack_addr(regs); + + ri->ret_addr = (kprobe_opcode_t *) *sara; ++ ri->fp = sara; + + /* Replace the return addr with trampoline addr */ + *sara = (unsigned long) &kretprobe_trampoline; +@@ -746,15 +747,21 @@ __visible __used void *trampoline_handle + unsigned long flags, orig_ret_address = 0; + unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline; + kprobe_opcode_t *correct_ret_addr = NULL; ++ void *frame_pointer; ++ bool skipped = false; + + INIT_HLIST_HEAD(&empty_rp); + kretprobe_hash_lock(current, &head, &flags); + /* fixup registers */ + #ifdef CONFIG_X86_64 + regs->cs = __KERNEL_CS; ++ /* On x86-64, we use pt_regs->sp for return address holder. */ ++ frame_pointer = ®s->sp; + #else + regs->cs = __KERNEL_CS | get_kernel_rpl(); + regs->gs = 0; ++ /* On x86-32, we use pt_regs->flags for return address holder. */ ++ frame_pointer = ®s->flags; + #endif + regs->ip = trampoline_address; + regs->orig_ax = ~0UL; +@@ -776,8 +783,25 @@ __visible __used void *trampoline_handle + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ /* ++ * Return probes must be pushed on this hash list correct ++ * order (same as return order) so that it can be poped ++ * correctly. However, if we find it is pushed it incorrect ++ * order, this means we find a function which should not be ++ * probed, because the wrong order entry is pushed on the ++ * path of processing other kretprobe itself. ++ */ ++ if (ri->fp != frame_pointer) { ++ if (!skipped) ++ pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n"); ++ skipped = true; ++ continue; ++ } + + orig_ret_address = (unsigned long)ri->ret_addr; ++ if (skipped) ++ pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n", ++ ri->rp->kp.addr); + + if (orig_ret_address != trampoline_address) + /* +@@ -795,6 +819,8 @@ __visible __used void *trampoline_handle + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ if (ri->fp != frame_pointer) ++ continue; + + orig_ret_address = (unsigned long)ri->ret_addr; + if (ri->rp && ri->rp->handler) { +--- a/include/linux/kprobes.h ++++ b/include/linux/kprobes.h +@@ -197,6 +197,7 @@ struct kretprobe_instance { + struct kretprobe *rp; + kprobe_opcode_t *ret_addr; + struct task_struct *task; ++ void *fp; + char data[0]; + }; +