From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 4 May 2017 19:34:56 +0000 (-0700)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.52~19
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d72afa340fab766c6e0ef1ea876e1798f240a8b4;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	8250_pci-fix-potential-use-after-free-in-error-path.patch
	hwmon-it87-avoid-registering-the-same-chip-on-both-sio-addresses.patch
	scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch
---

diff --git a/queue-4.9/8250_pci-fix-potential-use-after-free-in-error-path.patch b/queue-4.9/8250_pci-fix-potential-use-after-free-in-error-path.patch
new file mode 100644
index 00000000000..f86e1ce796c
--- /dev/null
+++ b/queue-4.9/8250_pci-fix-potential-use-after-free-in-error-path.patch
@@ -0,0 +1,56 @@
+From c130b666a9a711f985a0a44b58699ebe14bb7245 Mon Sep 17 00:00:00 2001
+From: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Date: Wed, 28 Dec 2016 16:42:00 -0200
+Subject: 8250_pci: Fix potential use-after-free in error path
+
+From: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+
+commit c130b666a9a711f985a0a44b58699ebe14bb7245 upstream.
+
+Commit f209fa03fc9d ("serial: 8250_pci: Detach low-level driver during
+PCI error recovery") introduces a potential use-after-free in case the
+pciserial_init_ports call in serial8250_io_resume fails, which may
+happen if a memory allocation fails or if the .init quirk failed for
+whatever reason).  If this happen, further pci_get_drvdata will return a
+pointer to freed memory.
+
+This patch reworks the PCI recovery resume hook to restore the old priv
+structure in this case, which should be ok, since the ports were already
+detached. Such error during recovery causes us to give up on the
+recovery.
+
+Fixes: f209fa03fc9d ("serial: 8250_pci: Detach low-level driver during PCI error recovery")
+Reported-by: Michal Suchanek <msuchanek@suse.com>
+Signed-off-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_pci.c |   12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -5621,17 +5621,15 @@ static pci_ers_result_t serial8250_io_sl
+ static void serial8250_io_resume(struct pci_dev *dev)
+ {
+ 	struct serial_private *priv = pci_get_drvdata(dev);
+-	const struct pciserial_board *board;
++	struct serial_private *new;
+ 
+ 	if (!priv)
+ 		return;
+ 
+-	board = priv->board;
+-	kfree(priv);
+-	priv = pciserial_init_ports(dev, board);
+-
+-	if (!IS_ERR(priv)) {
+-		pci_set_drvdata(dev, priv);
++	new = pciserial_init_ports(dev, priv->board);
++	if (!IS_ERR(new)) {
++		pci_set_drvdata(dev, new);
++		kfree(priv);
+ 	}
+ }
+ 
diff --git a/queue-4.9/hwmon-it87-avoid-registering-the-same-chip-on-both-sio-addresses.patch b/queue-4.9/hwmon-it87-avoid-registering-the-same-chip-on-both-sio-addresses.patch
new file mode 100644
index 00000000000..4a7a1e6799e
--- /dev/null
+++ b/queue-4.9/hwmon-it87-avoid-registering-the-same-chip-on-both-sio-addresses.patch
@@ -0,0 +1,67 @@
+From 8358378b22518d92424597503d3c1cd302a490b6 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sun, 12 Mar 2017 06:18:58 -0700
+Subject: hwmon: (it87) Avoid registering the same chip on both SIO addresses
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 8358378b22518d92424597503d3c1cd302a490b6 upstream.
+
+IT8705F is known to respond on both SIO addresses. Registering it twice
+may result in system lockups.
+
+Reported-by: Russell King <linux@armlinux.org.uk>
+Fixes: e84bd9535e2b ("hwmon: (it87) Add support for second Super-IO chip")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Cc: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/it87.c |   24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+--- a/drivers/hwmon/it87.c
++++ b/drivers/hwmon/it87.c
+@@ -3115,7 +3115,7 @@ static int __init sm_it87_init(void)
+ {
+ 	int sioaddr[2] = { REG_2E, REG_4E };
+ 	struct it87_sio_data sio_data;
+-	unsigned short isa_address;
++	unsigned short isa_address[2];
+ 	bool found = false;
+ 	int i, err;
+ 
+@@ -3125,15 +3125,29 @@ static int __init sm_it87_init(void)
+ 
+ 	for (i = 0; i < ARRAY_SIZE(sioaddr); i++) {
+ 		memset(&sio_data, 0, sizeof(struct it87_sio_data));
+-		isa_address = 0;
+-		err = it87_find(sioaddr[i], &isa_address, &sio_data);
+-		if (err || isa_address == 0)
++		isa_address[i] = 0;
++		err = it87_find(sioaddr[i], &isa_address[i], &sio_data);
++		if (err || isa_address[i] == 0)
+ 			continue;
++		/*
++		 * Don't register second chip if its ISA address matches
++		 * the first chip's ISA address.
++		 */
++		if (i && isa_address[i] == isa_address[0])
++			break;
+ 
+-		err = it87_device_add(i, isa_address, &sio_data);
++		err = it87_device_add(i, isa_address[i], &sio_data);
+ 		if (err)
+ 			goto exit_dev_unregister;
++
+ 		found = true;
++
++		/*
++		 * IT8705F may respond on both SIO addresses.
++		 * Stop probing after finding one.
++		 */
++		if (sio_data.type == it87)
++			break;
+ 	}
+ 
+ 	if (!found) {
diff --git a/queue-4.9/scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch b/queue-4.9/scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch
new file mode 100644
index 00000000000..002bc6dc16e
--- /dev/null
+++ b/queue-4.9/scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch
@@ -0,0 +1,94 @@
+From f1c635b439a5c01776fe3a25b1e2dc546ea82e6f Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Tue, 7 Mar 2017 09:15:53 -0800
+Subject: scsi: storvsc: Workaround for virtual DVD SCSI version
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+commit f1c635b439a5c01776fe3a25b1e2dc546ea82e6f upstream.
+
+Hyper-V host emulation of SCSI for virtual DVD device reports SCSI
+version 0 (UNKNOWN) but is still capable of supporting REPORTLUN.
+
+Without this patch, a GEN2 Linux guest on Hyper-V will not boot 4.11
+successfully with virtual DVD ROM device. What happens is that the SCSI
+scan process falls back to doing sequential probing by INQUIRY.  But the
+storvsc driver has a previous workaround that masks/blocks all errors
+reports from INQUIRY (or MODE_SENSE) commands.  This workaround causes
+the scan to then populate a full set of bogus LUN's on the target and
+then sends kernel spinning off into a death spiral doing block reads on
+the non-existent LUNs.
+
+By setting the correct blacklist flags, the target with the DVD device
+is scanned with REPORTLUN and that works correctly.
+
+Patch needs to go in current 4.11, it is safe but not necessary in older
+kernels.
+
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/storvsc_drv.c |   27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -400,8 +400,6 @@ MODULE_PARM_DESC(storvsc_vcpus_per_sub_c
+  */
+ static int storvsc_timeout = 180;
+ 
+-static int msft_blist_flags = BLIST_TRY_VPD_PAGES;
+-
+ #if IS_ENABLED(CONFIG_SCSI_FC_ATTRS)
+ static struct scsi_transport_template *fc_transport_template;
+ #endif
+@@ -1283,6 +1281,22 @@ static int storvsc_do_io(struct hv_devic
+ 	return ret;
+ }
+ 
++static int storvsc_device_alloc(struct scsi_device *sdevice)
++{
++	/*
++	 * Set blist flag to permit the reading of the VPD pages even when
++	 * the target may claim SPC-2 compliance. MSFT targets currently
++	 * claim SPC-2 compliance while they implement post SPC-2 features.
++	 * With this flag we can correctly handle WRITE_SAME_16 issues.
++	 *
++	 * Hypervisor reports SCSI_UNKNOWN type for DVD ROM device but
++	 * still supports REPORT LUN.
++	 */
++	sdevice->sdev_bflags = BLIST_REPORTLUN2 | BLIST_TRY_VPD_PAGES;
++
++	return 0;
++}
++
+ static int storvsc_device_configure(struct scsi_device *sdevice)
+ {
+ 
+@@ -1298,14 +1312,6 @@ static int storvsc_device_configure(stru
+ 	sdevice->no_write_same = 1;
+ 
+ 	/*
+-	 * Add blist flags to permit the reading of the VPD pages even when
+-	 * the target may claim SPC-2 compliance. MSFT targets currently
+-	 * claim SPC-2 compliance while they implement post SPC-2 features.
+-	 * With this patch we can correctly handle WRITE_SAME_16 issues.
+-	 */
+-	sdevice->sdev_bflags |= msft_blist_flags;
+-
+-	/*
+ 	 * If the host is WIN8 or WIN8 R2, claim conformance to SPC-3
+ 	 * if the device is a MSFT virtual device.  If the host is
+ 	 * WIN10 or newer, allow write_same.
+@@ -1569,6 +1575,7 @@ static struct scsi_host_template scsi_dr
+ 	.eh_host_reset_handler =	storvsc_host_reset_handler,
+ 	.proc_name =		"storvsc_host",
+ 	.eh_timed_out =		storvsc_eh_timed_out,
++	.slave_alloc =		storvsc_device_alloc,
+ 	.slave_configure =	storvsc_device_configure,
+ 	.cmd_per_lun =		255,
+ 	.this_id =		-1,
diff --git a/queue-4.9/series b/queue-4.9/series
index 0e01c72e030..753e3e4865f 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -1,3 +1,6 @@
 timerfd-protect-the-might-cancel-mechanism-proper.patch
 handle-mismatched-open-calls.patch
 tpm_tis-use-default-timeout-value-if-chip-reports-it-as-zero.patch
+scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch
+hwmon-it87-avoid-registering-the-same-chip-on-both-sio-addresses.patch
+8250_pci-fix-potential-use-after-free-in-error-path.patch