From: Greg Kroah-Hartman
Date: Wed, 14 Nov 2018 00:19:05 +0000 (-0800)
Subject: 3.18-stable patches
X-Git-Tag: v4.19.3~63
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cbfe0917295650beef3ed0c7ee508963ed332316;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches
added patches:
9p-clear-dangling-pointers-in-p9stat_free.patch
drm-omap-fix-memory-barrier-bug-in-dmm-driver.patch
media-pci-cx23885-handle-adding-to-list-failure.patch
media-tvp5150-fix-width-alignment-during-set_selection.patch
mips-kexec-mark-cpu-offline-before-disabling-local-irq.patch
powerpc-boot-ensure-_zimage_start-is-a-weak-symbol.patch
powerpc-nohash-fix-undefined-behaviour-when-testing-page-size-support.patch
tty-check-name-length-in-tty_find_polling_driver.patch
---
diff --git a/queue-3.18/9p-clear-dangling-pointers-in-p9stat_free.patch b/queue-3.18/9p-clear-dangling-pointers-in-p9stat_free.patch
new file mode 100644
index 00000000000..1d22dae3c78
--- /dev/null
+++ b/queue-3.18/9p-clear-dangling-pointers-in-p9stat_free.patch
@@ -0,0 +1,43 @@
+From foo@baz Tue Nov 13 16:17:58 PST 2018
+From: Dominique Martinet
+Date: Tue, 28 Aug 2018 07:32:35 +0900
+Subject: 9p: clear dangling pointers in p9stat_free
+
+From: Dominique Martinet
+
+[ Upstream commit 62e3941776fea8678bb8120607039410b1b61a65 ]
+
+p9stat_free is more of a cleanup function than a 'free' function as it
+only frees the content of the struct; there are chances of use-after-free
+if it is improperly used (e.g. p9stat_free called twice as it used to be
+possible to)
+
+Clearing dangling pointers makes the function idempotent and safer to use.
+
+Link: http://lkml.kernel.org/r/1535410108-20650-2-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet
+Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/9p/protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/9p/protocol.c
++++ b/net/9p/protocol.c
+@@ -45,10 +45,15 @@ p9pdu_writef(struct p9_fcall *pdu, int p
+ void p9stat_free(struct p9_wstat *stbuf)
+ {
+ kfree(stbuf->name);
++ stbuf->name = NULL;
+ kfree(stbuf->uid);
++ stbuf->uid = NULL;
+ kfree(stbuf->gid);
++ stbuf->gid = NULL;
+ kfree(stbuf->muid);
++ stbuf->muid = NULL;
+ kfree(stbuf->extension);
++ stbuf->extension = NULL;
+ }
+ EXPORT_SYMBOL(p9stat_free);
+
diff --git a/queue-3.18/drm-omap-fix-memory-barrier-bug-in-dmm-driver.patch b/queue-3.18/drm-omap-fix-memory-barrier-bug-in-dmm-driver.patch
new file mode 100644
index 00000000000..c14e4011212
--- /dev/null
+++ b/queue-3.18/drm-omap-fix-memory-barrier-bug-in-dmm-driver.patch
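Review bot: p9stat_free() now clears each member after kfree(), but nothing at the function itself tells a reader that a second call is intended to be harmless, and the name still reads like a one-shot free. A short comment above `void p9stat_free(struct p9_wstat *stbuf)`, e.g. `/* Releases stbuf's string members only; pointers are cleared so a repeated call is safe. */`, would record the idempotence the commit message relies on. The whole function is visible in the hunk, so the comment has an obvious home.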
@@ -0,0 +1,74 @@
+From foo@baz Tue Nov 13 16:17:58 PST 2018
+From: Tomi Valkeinen
+Date: Wed, 26 Sep 2018 12:11:27 +0300
+Subject: drm/omap: fix memory barrier bug in DMM driver
+
+From: Tomi Valkeinen
+
+[ Upstream commit 538f66ba204944470a653a4cccc5f8befdf97c22 ]
+
+A DMM timeout "timed out waiting for done" has been observed on DRA7
+devices. The timeout happens rarely, and only when the system is under
+heavy load.
+
+Debugging showed that the timeout can be made to happen much more
+frequently by optimizing the DMM driver, so that there's almost no code
+between writing the last DMM descriptors to RAM, and writing to DMM
+register which starts the DMM transaction.
+
+The current theory is that a wmb() does not properly ensure that the
+data written to RAM is observable by all the components in the system.
+
+This DMM timeout has caused interesting (and rare) bugs as the error
+handling was not functioning properly (the error handling has been fixed
+in previous commits):
+
+ * If a DMM timeout happened when a GEM buffer was being pinned for
+ display on the screen, a timeout error would be shown, but the driver
+ would continue programming DSS HW with broken buffer, leading to
+ SYNCLOST floods and possible crashes.
+
+ * If a DMM timeout happened when other user (say, video decoder) was
+ pinning a GEM buffer, a timeout would be shown but if the user
+ handled the error properly, no other issues followed.
+
+ * If a DMM timeout happened when a GEM buffer was being released, the
+ driver does not even notice the error, leading to crashes or hang
+ later.
+
+This patch adds wmb() and readl() calls after the last bit is written to
+RAM, which should ensure that the execution proceeds only after the data
+is actually in RAM, and thus observable by DMM.
+
+The read-back should not be needed. Further study is required to understand
+if DMM is somehow special case and read-back is ok, or if DRA7's memory
+barriers do not work correctly.
+
+Signed-off-by: Tomi Valkeinen
+Signed-off-by: Peter Ujfalusi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+@@ -256,6 +256,17 @@ static int dmm_txn_commit(struct dmm_txn
+ }
+
+ txn->last_pat->next_pa = 0;
++ /* ensure that the written descriptors are visible to DMM */
++ wmb();
++
++ /*
++ * NOTE: the wmb() above should be enough, but there seems to be a bug
++ * in OMAP's memory barrier implementation, which in some rare cases may
++ * cause the writes not to be observable after wmb().
++ */
++
++ /* read back to ensure the data is in RAM */
++ readl(&txn->last_pat->next_pa);
+
+ /* write to PAT_DESCR to clear out any pending transaction */
+ writel(0x0, dmm->base + reg[PAT_DESCR][engine->id]);
diff --git a/queue-3.18/media-pci-cx23885-handle-adding-to-list-failure.patch b/queue-3.18/media-pci-cx23885-handle-adding-to-list-failure.patch
new file mode 100644
index 00000000000..8b2bbd3f9d0
--- /dev/null
+++ b/queue-3.18/media-pci-cx23885-handle-adding-to-list-failure.patch
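Review bot: `readl(&txn->last_pat->next_pa)` hands a plain CPU pointer to the MMIO accessor: two lines above, the same field is written with an ordinary store (`txn->last_pat->next_pa = 0;`), so it is presumably not an `__iomem` address and sparse is likely to flag the call. If the intent is only a read-back after the `wmb()`, a volatile load such as `ACCESS_ONCE(txn->last_pat->next_pa);` (the accessor available in 3.18) expresses that without the I/O accessor; if readl()'s extra ordering is what actually makes the DMM observe the descriptors, the comment block should say so, since the commit message itself states the read-back should not be needed. dmm_txn_commit() continues outside the hunk.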
@@ -0,0 +1,65 @@
+From foo@baz Tue Nov 13 16:17:58 PST 2018
+From: Nicholas Mc Guire
+Date: Sun, 9 Sep 2018 12:02:32 -0400
+Subject: media: pci: cx23885: handle adding to list failure
+
+From: Nicholas Mc Guire
+
+[ Upstream commit c5d59528e24ad22500347b199d52b9368e686a42 ]
+
+altera_hw_filt_init() which calls append_internal() assumes
+that the node was successfully linked in while in fact it can
+silently fail. So the call-site needs to set return to -ENOMEM
+on append_internal() returning NULL and exit through the err path.
+
+Fixes: 349bcf02e361 ("[media] Altera FPGA based CI driver module")
+
+Signed-off-by: Nicholas Mc Guire
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/pci/cx23885/altera-ci.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/media/pci/cx23885/altera-ci.c
++++ b/drivers/media/pci/cx23885/altera-ci.c
+@@ -662,6 +662,10 @@ static int altera_hw_filt_init(struct al
+ }
+
+ temp_int = append_internal(inter);
++ if (!temp_int) {
++ ret = -ENOMEM;
++ goto err;
++ }
+ inter->filts_used = 1;
+ inter->dev = config->dev;
+ inter->fpga_rw = config->fpga_rw;
+@@ -696,6 +700,7 @@ err:
+ __func__, ret);
+
+ kfree(pid_filt);
++ kfree(inter);
+
+ return ret;
+ }
+@@ -731,6 +736,10 @@ int altera_ci_init(struct altera_ci_conf
+ }
+
+ temp_int = append_internal(inter);
++ if (!temp_int) {
++ ret = -ENOMEM;
++ goto err;
++ }
+ inter->cis_used = 1;
+ inter->dev = config->dev;
+ inter->fpga_rw = config->fpga_rw;
+@@ -799,6 +808,7 @@ err:
+ ci_dbg_print("%s: Cannot initialize CI: Error %d.\n", __func__, ret);
+
+ kfree(state);
++ kfree(inter);
+
+ return ret;
+ }
diff --git a/queue-3.18/media-tvp5150-fix-width-alignment-during-set_selection.patch b/queue-3.18/media-tvp5150-fix-width-alignment-during-set_selection.patch
new file mode 100644
index 00000000000..13f0bc49acb
--- /dev/null
+++ b/queue-3.18/media-tvp5150-fix-width-alignment-during-set_selection.patch
@@ -0,0 +1,55 @@
+From foo@baz Tue Nov 13 16:17:58 PST 2018
+From: Marco Felsch
+Date: Thu, 28 Jun 2018 12:20:33 -0400
+Subject: media: tvp5150: fix width alignment during set_selection()
+
+From: Marco Felsch
+
+[ Upstream commit bd24db04101f45a9c1d874fe21b0c7eab7bcadec ]
+
+The driver ignored the width alignment which exists due to the UYVY
+colorspace format. Fix the width alignment and make use of the the
+provided v4l2 helper function to set the width, height and all
+alignments in one.
+
+Fixes: 963ddc63e20d ("[media] media: tvp5150: Add cropping support")
+
+Signed-off-by: Marco Felsch
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/i2c/tvp5150.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/i2c/tvp5150.c
++++ b/drivers/media/i2c/tvp5150.c
+@@ -864,9 +864,6 @@ static int tvp5150_s_crop(struct v4l2_su
+
+ /* tvp5150 has some special limits */
+ rect.left = clamp(rect.left, 0, TVP5150_MAX_CROP_LEFT);
+- rect.width = clamp_t(unsigned int, rect.width,
+- TVP5150_H_MAX - TVP5150_MAX_CROP_LEFT - rect.left,
+- TVP5150_H_MAX - rect.left);
+ rect.top = clamp(rect.top, 0, TVP5150_MAX_CROP_TOP);
+
+ /* Calculate height based on current standard */
+@@ -880,9 +877,16 @@ static int tvp5150_s_crop(struct v4l2_su
+ else
+ hmax = TVP5150_V_MAX_OTHERS;
+
+- rect.height = clamp_t(unsigned int, rect.height,
++ /*
++ * alignments:
++ * - width = 2 due to UYVY colorspace
++ * - height, image = no special alignment
++ */
++ v4l_bound_align_image(&rect.width,
++ TVP5150_H_MAX - TVP5150_MAX_CROP_LEFT - rect.left,
++ TVP5150_H_MAX - rect.left, 1, &rect.height,
+ hmax - TVP5150_MAX_CROP_TOP - rect.top,
+- hmax - rect.top);
++ hmax - rect.top, 0, 0);
+
+ tvp5150_write(sd, TVP5150_VERT_BLANKING_START, rect.top);
+ tvp5150_write(sd, TVP5150_VERT_BLANKING_STOP,
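Review bot: The new `kfree(inter)` at both `err:` labels runs for every `goto err` in altera_hw_filt_init() and altera_ci_init(), not only for the `append_internal()` failure this patch introduces. The code between the two hunks of each function is not shown, so I cannot confirm that `inter` is never already linked into the internal list — or shared from an existing inode — when a later `goto err` is taken; if it can be, freeing it there leaves a dangling list entry that the next lookup would dereference. Freeing on the one path where the node is known to be unlinked avoids the question: `if (!temp_int) { kfree(inter); ret = -ENOMEM; goto err; }` in each function, with `err:` left as it was before this patch. Both enclosing functions extend outside the hunks.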
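Review bot: The comment added above `v4l_bound_align_image()` says `width = 2` while the width-alignment argument passed is `1`; the helper takes its alignments as log2 values, so the code is right but a reader comparing the two will suspect an off-by-one. Spelling it out, e.g. `* - width = 2 pixels (walign = 1, alignments are passed as log2) due to UYVY`, removes the doubt, and the `0, 0` height/image alignments then read consistently with the "no special alignment" line. tvp5150_s_crop() continues outside the hunk.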
diff --git a/queue-3.18/mips-kexec-mark-cpu-offline-before-disabling-local-irq.patch b/queue-3.18/mips-kexec-mark-cpu-offline-before-disabling-local-irq.patch
new file mode 100644
index 00000000000..8442f76fcf8
--- /dev/null
+++ b/queue-3.18/mips-kexec-mark-cpu-offline-before-disabling-local-irq.patch
@@ -0,0 +1,51 @@
+From foo@baz Tue Nov 13 16:17:58 PST 2018
+From: Dengcheng Zhu
+Date: Tue, 11 Sep 2018 14:49:20 -0700
+Subject: MIPS: kexec: Mark CPU offline before disabling local IRQ
+
+From: Dengcheng Zhu
+
+[ Upstream commit dc57aaf95a516f70e2d527d8287a0332c481a226 ]
+
+After changing CPU online status, it will not be sent any IPIs such as in
+__flush_cache_all() on software coherency systems. Do this before disabling
+local IRQ.
+
+Signed-off-by: Dengcheng Zhu
+Signed-off-by: Paul Burton
+Patchwork: https://patchwork.linux-mips.org/patch/20571/
+Cc: pburton@wavecomp.com
+Cc: ralf@linux-mips.org
+Cc: linux-mips@linux-mips.org
+Cc: rachel.mozes@intel.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/kernel/crash.c | 3 +++
+ arch/mips/kernel/machine_kexec.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/arch/mips/kernel/crash.c
++++ b/arch/mips/kernel/crash.c
+@@ -34,6 +34,9 @@ static void crash_shutdown_secondary(voi
+ if (!cpu_online(cpu))
+ return;
+
++ /* We won't be sent IPIs any more. */
++ set_cpu_online(cpu, false);
++
+ local_irq_disable();
+ if (!cpu_isset(cpu, cpus_in_crash))
+ crash_save_cpu(regs, cpu);
+--- a/arch/mips/kernel/machine_kexec.c
++++ b/arch/mips/kernel/machine_kexec.c
+@@ -95,6 +95,9 @@ machine_kexec(struct kimage *image)
+ *ptr = (unsigned long) phys_to_virt(*ptr);
+ }
+
++ /* Mark offline BEFORE disabling local irq. */
++ set_cpu_online(smp_processor_id(), false);
++
+ /*
+ * we do not want to be bothered.
+ */
diff --git a/queue-3.18/powerpc-boot-ensure-_zimage_start-is-a-weak-symbol.patch b/queue-3.18/powerpc-boot-ensure-_zimage_start-is-a-weak-symbol.patch
new file mode 100644
index 00000000000..b96dbaca86f
--- /dev/null
+++ b/queue-3.18/powerpc-boot-ensure-_zimage_start-is-a-weak-symbol.patch
@@ -0,0 +1,62 @@
+From foo@baz Tue Nov 13 16:17:58 PST 2018
+From: Joel Stanley
+Date: Fri, 14 Sep 2018 13:36:47 +0930
+Subject: powerpc/boot: Ensure _zimage_start is a weak symbol
+
+From: Joel Stanley
+
+[ Upstream commit ee9d21b3b3583712029a0db65a4b7c081d08d3b3 ]
+
+When building with clang crt0's _zimage_start is not marked weak, which
+breaks the build when linking the kernel image:
+
+ $ objdump -t arch/powerpc/boot/crt0.o |grep _zimage_start$
+ 0000000000000058 g .text 0000000000000000 _zimage_start
+
+ ld: arch/powerpc/boot/wrapper.a(crt0.o): in function '_zimage_start':
+ (.text+0x58): multiple definition of '_zimage_start';
+ arch/powerpc/boot/pseries-head.o:(.text+0x0): first defined here
+
+Clang requires the .weak directive to appear after the symbol is
+declared. The binutils manual says:
+
+ This directive sets the weak attribute on the comma separated list of
+ symbol names. If the symbols do not already exist, they will be
+ created.
+
+So it appears this is different with clang. The only reference I could
+see for this was an OpenBSD mailing list post[1].
+
+Changing it to be after the declaration fixes building with Clang, and
+still works with GCC.
+
+ $ objdump -t arch/powerpc/boot/crt0.o |grep _zimage_start$
+ 0000000000000058 w .text 0000000000000000 _zimage_start
+
+Reported to clang as https://bugs.llvm.org/show_bug.cgi?id=38921
+
+[1] https://groups.google.com/forum/#!topic/fa.openbsd.tech/PAgKKen2YCY
+
+Signed-off-by: Joel Stanley
+Reviewed-by: Nick Desaulniers
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/boot/crt0.S | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/boot/crt0.S
++++ b/arch/powerpc/boot/crt0.S
+@@ -47,8 +47,10 @@ p_end: .long _end
+ p_pstack: .long _platform_stack_top
+ #endif
+
+- .weak _zimage_start
+ .globl _zimage_start
++ /* Clang appears to require the .weak directive to be after the symbol
++ * is defined. See https://bugs.llvm.org/show_bug.cgi?id=38921 */
++ .weak _zimage_start
+ _zimage_start:
+ .globl _zimage_start_lib
+ _zimage_start_lib:
diff --git a/queue-3.18/powerpc-nohash-fix-undefined-behaviour-when-testing-page-size-support.patch b/queue-3.18/powerpc-nohash-fix-undefined-behaviour-when-testing-page-size-support.patch
new file mode 100644
index 00000000000..3a06d1ca220
--- /dev/null
+++ b/queue-3.18/powerpc-nohash-fix-undefined-behaviour-when-testing-page-size-support.patch
@@ -0,0 +1,53 @@
+From foo@baz Tue Nov 13 16:17:58 PST 2018
+From: Daniel Axtens
+Date: Mon, 1 Oct 2018 16:21:51 +1000
+Subject: powerpc/nohash: fix undefined behaviour when testing page size support
+
+From: Daniel Axtens
+
+[ Upstream commit f5e284803a7206d43e26f9ffcae5de9626d95e37 ]
+
+When enumerating page size definitions to check hardware support,
+we construct a constant which is (1U << (def->shift - 10)).
+
+However, the array of page size definitions is only initalised for
+various MMU_PAGE_* constants, so it contains a number of 0-initialised
+elements with def->shift == 0. This means we end up shifting by a
+very large number, which gives the following UBSan splat:
+
+================================================================================
+UBSAN: Undefined behaviour in /home/dja/dev/linux/linux/arch/powerpc/mm/tlb_nohash.c:506:21
+shift exponent 4294967286 is too large for 32-bit type 'unsigned int'
+CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc3-00045-ga604f927b012-dirty #6
+Call Trace:
+[c00000000101bc20] [c000000000a13d54] .dump_stack+0xa8/0xec (unreliable)
+[c00000000101bcb0] [c0000000004f20a8] .ubsan_epilogue+0x18/0x64
+[c00000000101bd30] [c0000000004f2b10] .__ubsan_handle_shift_out_of_bounds+0x110/0x1a4
+[c00000000101be20] [c000000000d21760] .early_init_mmu+0x1b4/0x5a0
+[c00000000101bf10] [c000000000d1ba28] .early_setup+0x100/0x130
+[c00000000101bf90] [c000000000000528] start_here_multiplatform+0x68/0x80
+================================================================================
+
+Fix this by first checking if the element exists (shift != 0) before
+constructing the constant.
+
+Signed-off-by: Daniel Axtens
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/mm/tlb_nohash.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/mm/tlb_nohash.c
++++ b/arch/powerpc/mm/tlb_nohash.c
+@@ -479,6 +479,9 @@ static void setup_page_sizes(void)
+ for (psize = 0; psize < MMU_PAGE_COUNT; ++psize) {
+ struct mmu_psize_def *def = &mmu_psize_defs[psize];
+
++ if (!def->shift)
++ continue;
++
+ if (tlb1ps & (1U << (def->shift - 10))) {
+ def->flags |= MMU_PAGE_SIZE_DIRECT;
+
diff --git a/queue-3.18/series b/queue-3.18/series
index f8ed85f2759..4eea1b172c4 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -52,3 +52,11 @@ media-em28xx-fix-input-name-for-terratec-av-350.patch
 media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch
 cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch
 dm-remove-duplicate-dm_get_live_table-in-__dm_destroy.patch
+tty-check-name-length-in-tty_find_polling_driver.patch
+powerpc-nohash-fix-undefined-behaviour-when-testing-page-size-support.patch
+drm-omap-fix-memory-barrier-bug-in-dmm-driver.patch
+media-pci-cx23885-handle-adding-to-list-failure.patch
+mips-kexec-mark-cpu-offline-before-disabling-local-irq.patch
+powerpc-boot-ensure-_zimage_start-is-a-weak-symbol.patch
+media-tvp5150-fix-width-alignment-during-set_selection.patch
+9p-clear-dangling-pointers-in-p9stat_free.patch
diff --git a/queue-3.18/tty-check-name-length-in-tty_find_polling_driver.patch b/queue-3.18/tty-check-name-length-in-tty_find_polling_driver.patch
new file mode 100644
index 00000000000..6d29e788a2a
--- /dev/null
+++ b/queue-3.18/tty-check-name-length-in-tty_find_polling_driver.patch
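Review bot: The added `if (!def->shift) continue;` stops the shift-by-4294967286 for zero-initialised entries, but `1U << (def->shift - 10)` still wraps for any populated entry whose `shift` is between 1 and 9. The `- 10` encoding suggests populated entries are all at least 1K (shift >= 10), in which case this is fine, but the guard should say so: `if (!def->shift) /* unpopulated slot; real entries are >= 1K */ continue;`, or, if nothing below 1K can ever be described, `if (def->shift < 10)` makes the out-of-range shift impossible regardless of the table contents. I cannot see the mmu_psize_defs definition from here, so treat the stricter form as a suggestion to confirm. setup_page_sizes() continues outside the hunk.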
@@ -0,0 +1,138 @@
+From foo@baz Tue Nov 13 16:17:58 PST 2018
+From: Miles Chen
+Date: Mon, 8 Oct 2018 10:39:17 +0800
+Subject: tty: check name length in tty_find_polling_driver()
+
+From: Miles Chen
+
+[ Upstream commit 33a1a7be198657c8ca26ad406c4d2a89b7162bcc ]
+
+The issue is found by a fuzzing test.
+If tty_find_polling_driver() recevies an incorrect input such as
+',,' or '0b', the len becomes 0 and strncmp() always return 0.
+In this case, a null p->ops->poll_init() is called and it causes a kernel
+panic.
+
+Fix this by checking name length against zero in tty_find_polling_driver().
+
+$echo ,, > /sys/module/kgdboc/parameters/kgdboc
+[ 20.804451] WARNING: CPU: 1 PID: 104 at drivers/tty/serial/serial_core.c:457
+uart_get_baud_rate+0xe8/0x190
+[ 20.804917] Modules linked in:
+[ 20.805317] CPU: 1 PID: 104 Comm: sh Not tainted 4.19.0-rc7ajb #8
+[ 20.805469] Hardware name: linux,dummy-virt (DT)
+[ 20.805732] pstate: 20000005 (nzCv daif -PAN -UAO)
+[ 20.805895] pc : uart_get_baud_rate+0xe8/0x190
+[ 20.806042] lr : uart_get_baud_rate+0xc0/0x190
+[ 20.806476] sp : ffffffc06acff940
+[ 20.806676] x29: ffffffc06acff940 x28: 0000000000002580
+[ 20.806977] x27: 0000000000009600 x26: 0000000000009600
+[ 20.807231] x25: ffffffc06acffad0 x24: 00000000ffffeff0
+[ 20.807576] x23: 0000000000000001 x22: 0000000000000000
+[ 20.807807] x21: 0000000000000001 x20: 0000000000000000
+[ 20.808049] x19: ffffffc06acffac8 x18: 0000000000000000
+[ 20.808277] x17: 0000000000000000 x16: 0000000000000000
+[ 20.808520] x15: ffffffffffffffff x14: ffffffff00000000
+[ 20.808757] x13: ffffffffffffffff x12: 0000000000000001
+[ 20.809011] x11: 0101010101010101 x10: ffffff880d59ff5f
+[ 20.809292] x9 : ffffff880d59ff5e x8 : ffffffc06acffaf3
+[ 20.809549] x7 : 0000000000000000 x6 : ffffff880d59ff5f
+[ 20.809803] x5 : 0000000080008001 x4 : 0000000000000003
+[ 20.810056] x3 : ffffff900853e6b4 x2 : dfffff9000000000
+[ 20.810693] x1 : ffffffc06acffad0 x0 : 0000000000000cb0
+[ 20.811005] Call trace:
+[ 20.811214] uart_get_baud_rate+0xe8/0x190
+[ 20.811479] serial8250_do_set_termios+0xe0/0x6f4
+[ 20.811719] serial8250_set_termios+0x48/0x54
+[ 20.811928] uart_set_options+0x138/0x1bc
+[ 20.812129] uart_poll_init+0x114/0x16c
+[ 20.812330] tty_find_polling_driver+0x158/0x200
+[ 20.812545] configure_kgdboc+0xbc/0x1bc
+[ 20.812745] param_set_kgdboc_var+0xb8/0x150
+[ 20.812960] param_attr_store+0xbc/0x150
+[ 20.813160] module_attr_store+0x40/0x58
+[ 20.813364] sysfs_kf_write+0x8c/0xa8
+[ 20.813563] kernfs_fop_write+0x154/0x290
+[ 20.813764] vfs_write+0xf0/0x278
+[ 20.813951] __arm64_sys_write+0x84/0xf4
+[ 20.814400] el0_svc_common+0xf4/0x1dc
+[ 20.814616] el0_svc_handler+0x98/0xbc
+[ 20.814804] el0_svc+0x8/0xc
+[ 20.822005] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+[ 20.826913] Mem abort info:
+[ 20.827103] ESR = 0x84000006
+[ 20.827352] Exception class = IABT (current EL), IL = 16 bits
+[ 20.827655] SET = 0, FnV = 0
+[ 20.827855] EA = 0, S1PTW = 0
+[ 20.828135] user pgtable: 4k pages, 39-bit VAs, pgdp = (____ptrval____)
+[ 20.828484] [0000000000000000] pgd=00000000aadee003, pud=00000000aadee003, pmd=0000000000000000
+[ 20.829195] Internal error: Oops: 84000006 [#1] SMP
+[ 20.829564] Modules linked in:
+[ 20.829890] CPU: 1 PID: 104 Comm: sh Tainted: G W 4.19.0-rc7ajb #8
+[ 20.830545] Hardware name: linux,dummy-virt (DT)
+[ 20.830829] pstate: 60000085 (nZCv daIf -PAN -UAO)
+[ 20.831174] pc : (null)
+[ 20.831457] lr : serial8250_do_set_termios+0x358/0x6f4
+[ 20.831727] sp : ffffffc06acff9b0
+[ 20.831936] x29: ffffffc06acff9b0 x28: ffffff9008d7c000
+[ 20.832267] x27: ffffff900969e16f x26: 0000000000000000
+[ 20.832589] x25: ffffff900969dfb0 x24: 0000000000000000
+[ 20.832906] x23: ffffffc06acffad0 x22: ffffff900969e160
+[ 20.833232] x21: 0000000000000000 x20: ffffffc06acffac8
+[ 20.833559] x19: ffffff900969df90 x18: 0000000000000000
+[ 20.833878] x17: 0000000000000000 x16: 0000000000000000
+[ 20.834491] x15: ffffffffffffffff x14: ffffffff00000000
+[ 20.834821] x13: ffffffffffffffff x12: 0000000000000001
+[ 20.835143] x11: 0101010101010101 x10: ffffff880d59ff5f
+[ 20.835467] x9 : ffffff880d59ff5e x8 : ffffffc06acffaf3
+[ 20.835790] x7 : 0000000000000000 x6 : ffffff880d59ff5f
+[ 20.836111] x5 : c06419717c314100 x4 : 0000000000000007
+[ 20.836419] x3 : 0000000000000000 x2 : 0000000000000000
+[ 20.836732] x1 : 0000000000000001 x0 : ffffff900969df90
+[ 20.837100] Process sh (pid: 104, stack limit = 0x(____ptrval____))
+[ 20.837396] Call trace:
+[ 20.837566] (null)
+[ 20.837816] serial8250_set_termios+0x48/0x54
+[ 20.838089] uart_set_options+0x138/0x1bc
+[ 20.838570] uart_poll_init+0x114/0x16c
+[ 20.838834] tty_find_polling_driver+0x158/0x200
+[ 20.839119] configure_kgdboc+0xbc/0x1bc
+[ 20.839380] param_set_kgdboc_var+0xb8/0x150
+[ 20.839658] param_attr_store+0xbc/0x150
+[ 20.839920] module_attr_store+0x40/0x58
+[ 20.840183] sysfs_kf_write+0x8c/0xa8
+[ 20.840183] sysfs_kf_write+0x8c/0xa8
+[ 20.840440] kernfs_fop_write+0x154/0x290
+[ 20.840702] vfs_write+0xf0/0x278
+[ 20.840942] __arm64_sys_write+0x84/0xf4
+[ 20.841209] el0_svc_common+0xf4/0x1dc
+[ 20.841471] el0_svc_handler+0x98/0xbc
+[ 20.841713] el0_svc+0x8/0xc
+[ 20.842057] Code: bad PC value
+[ 20.842764] ---[ end trace a8835d7de79aaadf ]---
+[ 20.843134] Kernel panic - not syncing: Fatal exception
+[ 20.843515] SMP: stopping secondary CPUs
+[ 20.844289] Kernel Offset: disabled
+[ 20.844634] CPU features: 0x0,21806002
+[ 20.844857] Memory Limit: none
+[ 20.845172] ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Signed-off-by: Miles Chen
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/tty_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -357,7 +357,7 @@ struct tty_driver *tty_find_polling_driv
+ mutex_lock(&tty_mutex);
+ /* Search through the tty devices to look for a match */
+ list_for_each_entry(p, &tty_drivers, tty_drivers) {
+- if (strncmp(name, p->name, len) != 0)
++ if (!len || strncmp(name, p->name, len) != 0)
+ continue;
+ stp = str;
+ if (*stp == ',')