From: Greg Kroah-Hartman Date: Sat, 29 Sep 2018 23:46:43 +0000 (-0700) Subject: 4.14-stable patches X-Git-Tag: v4.18.12~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e6352474190a9ef1ec6c6c5948092e73c200d163;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch intel_th-fix-device-removal-logic.patch regulator-fix-crash-caused-by-null-driver-data.patch serial-cpm_uart-return-immediately-from-console-poll.patch serial-imx-restore-handshaking-irq-for-imx1.patch spi-rspi-fix-interrupted-dma-transfers.patch spi-rspi-fix-invalid-spi-use-during-system-suspend.patch spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch spi-tegra20-slink-explicitly-enable-disable-clock.patch tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch usb-fix-error-handling-in-usb_driver_claim_interface.patch usb-handle-null-config-in-usb_find_alt_setting.patch usb-musb-dsps-do-not-disable-cppi41-irq-in-driver-teardown.patch x86-mm-expand-static-page-table-for-fixmap-space.patch --- diff --git a/queue-4.14/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch b/queue-4.14/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch new file mode 100644 index 00000000000..c6ede24cc1c --- /dev/null +++ b/queue-4.14/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch @@ -0,0 +1,46 @@ +From 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e Mon Sep 17 00:00:00 2001 +From: Andy Whitcroft +Date: Thu, 20 Sep 2018 09:09:48 -0600 +Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl + +From: Andy Whitcroft + +commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream. + +The final field of a floppy_struct is the field "name", which is a pointer +to a string in kernel memory. The kernel pointer should not be copied to +user memory. The FDGETPRM ioctl copies a floppy_struct to user memory, +including this "name" field. This pointer cannot be used by the user +and it will leak a kernel address to user-space, which will reveal the +location of kernel code and data and undermine KASLR protection. + +Model this code after the compat ioctl which copies the returned data +to a previously cleared temporary structure on the stack (excluding the +name pointer) and copy out to userspace from there. As we already have +an inparam union with an appropriate member and that memory is already +cleared even for read only calls make use of that as a temporary store. + +Based on an initial patch by Brian Belleville. + +CVE-2018-7755 +Signed-off-by: Andy Whitcroft +Broke up long line. +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/floppy.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3462,6 +3462,9 @@ static int fd_locked_ioctl(struct block_ + (struct floppy_struct **)&outparam); + if (ret) + return ret; ++ memcpy(&inparam.g, outparam, ++ offsetof(struct floppy_struct, name)); ++ outparam = &inparam.g; + break; + case FDMSGON: + UDP->flags |= FTD_MSG; diff --git a/queue-4.14/intel_th-fix-device-removal-logic.patch b/queue-4.14/intel_th-fix-device-removal-logic.patch new file mode 100644 index 00000000000..4c4982ad231 --- /dev/null +++ b/queue-4.14/intel_th-fix-device-removal-logic.patch @@ -0,0 +1,38 @@ +From 8801922cd94c918e4dc3a108ecaa500c4d40583f Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 18 Sep 2018 16:10:47 +0300 +Subject: intel_th: Fix device removal logic + +From: Alexander Shishkin + +commit 8801922cd94c918e4dc3a108ecaa500c4d40583f upstream. + +Commit a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices") +brings in new subdevice addition/removal logic that's broken for "host +mode": the SWITCH device has no children to begin with, which is not +handled in the code. This results in a null dereference bug later down +the path. + +This patch fixes the subdevice removal code to handle host mode correctly. + +Signed-off-by: Alexander Shishkin +Fixes: a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices") +CC: stable@vger.kernel.org # v4.14+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -147,7 +147,8 @@ static int intel_th_remove(struct device + th->thdev[i] = NULL; + } + +- th->num_thdevs = lowest; ++ if (lowest >= 0) ++ th->num_thdevs = lowest; + } + + if (thdrv->attr_group) diff --git a/queue-4.14/regulator-fix-crash-caused-by-null-driver-data.patch b/queue-4.14/regulator-fix-crash-caused-by-null-driver-data.patch new file mode 100644 index 00000000000..0f765d7f19a --- /dev/null +++ b/queue-4.14/regulator-fix-crash-caused-by-null-driver-data.patch @@ -0,0 +1,42 @@ +From fb6de923ca3358a91525552b4907d4cb38730bdd Mon Sep 17 00:00:00 2001 +From: Yu Zhao +Date: Wed, 19 Sep 2018 15:30:51 -0600 +Subject: regulator: fix crash caused by null driver data + +From: Yu Zhao + +commit fb6de923ca3358a91525552b4907d4cb38730bdd upstream. + +dev_set_drvdata() needs to be called before device_register() +exposes device to userspace. Otherwise kernel crashes after it +gets null pointer from dev_get_drvdata() when userspace tries +to access sysfs entries. + +[Removed backtrace for length -- broonie] + +Signed-off-by: Yu Zhao +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/regulator/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -4115,13 +4115,13 @@ regulator_register(const struct regulato + !rdev->desc->fixed_uV) + rdev->is_switch = true; + ++ dev_set_drvdata(&rdev->dev, rdev); + ret = device_register(&rdev->dev); + if (ret != 0) { + put_device(&rdev->dev); + goto unset_supplies; + } + +- dev_set_drvdata(&rdev->dev, rdev); + rdev_init_debugfs(rdev); + + /* try to resolve regulators supply since a new one was registered */ diff --git a/queue-4.14/serial-cpm_uart-return-immediately-from-console-poll.patch b/queue-4.14/serial-cpm_uart-return-immediately-from-console-poll.patch new file mode 100644 index 00000000000..00c7cc229b5 --- /dev/null +++ b/queue-4.14/serial-cpm_uart-return-immediately-from-console-poll.patch @@ -0,0 +1,48 @@ +From be28c1e3ca29887e207f0cbcd294cefe5074bab6 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Fri, 14 Sep 2018 10:32:50 +0000 +Subject: serial: cpm_uart: return immediately from console poll + +From: Christophe Leroy + +commit be28c1e3ca29887e207f0cbcd294cefe5074bab6 upstream. + +kgdb expects poll function to return immediately and +returning NO_POLL_CHAR when no character is available. + +Fixes: f5316b4aea024 ("kgdb,8250,pl011: Return immediately from console poll") +Cc: Jason Wessel +Cc: +Signed-off-by: Christophe Leroy +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/cpm_uart/cpm_uart_core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c ++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +@@ -1068,8 +1068,8 @@ static int poll_wait_key(char *obuf, str + /* Get the address of the host memory buffer. + */ + bdp = pinfo->rx_cur; +- while (bdp->cbd_sc & BD_SC_EMPTY) +- ; ++ if (bdp->cbd_sc & BD_SC_EMPTY) ++ return NO_POLL_CHAR; + + /* If the buffer address is in the CPM DPRAM, don't + * convert it. +@@ -1104,7 +1104,11 @@ static int cpm_get_poll_char(struct uart + poll_chars = 0; + } + if (poll_chars <= 0) { +- poll_chars = poll_wait_key(poll_buf, pinfo); ++ int ret = poll_wait_key(poll_buf, pinfo); ++ ++ if (ret == NO_POLL_CHAR) ++ return ret; ++ poll_chars = ret; + pollp = poll_buf; + } + poll_chars--; diff --git a/queue-4.14/serial-imx-restore-handshaking-irq-for-imx1.patch b/queue-4.14/serial-imx-restore-handshaking-irq-for-imx1.patch new file mode 100644 index 00000000000..a0448b29f54 --- /dev/null +++ b/queue-4.14/serial-imx-restore-handshaking-irq-for-imx1.patch @@ -0,0 +1,42 @@ +From 7e620984b62532783912312e334f3c48cdacbd5d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Thu, 20 Sep 2018 14:11:17 +0200 +Subject: serial: imx: restore handshaking irq for imx1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit 7e620984b62532783912312e334f3c48cdacbd5d upstream. + +Back in 2015 when irda was dropped from the driver imx1 was broken. This +change reintroduces the support for the third interrupt of the UART. + +Fixes: afe9cbb1a6ad ("serial: imx: drop support for IRDA") +Cc: stable +Signed-off-by: Uwe Kleine-König +Reviewed-by: Leonard Crestez +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/imx.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -2213,6 +2213,14 @@ static int serial_imx_probe(struct platf + ret); + return ret; + } ++ ++ ret = devm_request_irq(&pdev->dev, rtsirq, imx_uart_rtsint, 0, ++ dev_name(&pdev->dev), sport); ++ if (ret) { ++ dev_err(&pdev->dev, "failed to request rts irq: %d\n", ++ ret); ++ return ret; ++ } + } else { + ret = devm_request_irq(&pdev->dev, rxirq, imx_int, 0, + dev_name(&pdev->dev), sport); diff --git a/queue-4.14/series b/queue-4.14/series index d0e041b9dd2..f7e95e7a751 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -81,3 +81,18 @@ fs-lock-skip-lock-owner-pid-translation-in-case-we-are-in-init_pid_ns.patch input-xen-kbdfront-fix-multi-touch-xenstore-node-s-locations.patch iio-104-quad-8-fix-off-by-one-error-in-register-selection.patch arm-dts-dra7-fix-dcan-node-addresses.patch +floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch +x86-mm-expand-static-page-table-for-fixmap-space.patch +tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch +serial-imx-restore-handshaking-irq-for-imx1.patch +serial-cpm_uart-return-immediately-from-console-poll.patch +intel_th-fix-device-removal-logic.patch +spi-tegra20-slink-explicitly-enable-disable-clock.patch +spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch +spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch +spi-rspi-fix-invalid-spi-use-during-system-suspend.patch +spi-rspi-fix-interrupted-dma-transfers.patch +regulator-fix-crash-caused-by-null-driver-data.patch +usb-fix-error-handling-in-usb_driver_claim_interface.patch +usb-handle-null-config-in-usb_find_alt_setting.patch +usb-musb-dsps-do-not-disable-cppi41-irq-in-driver-teardown.patch diff --git a/queue-4.14/spi-rspi-fix-interrupted-dma-transfers.patch b/queue-4.14/spi-rspi-fix-interrupted-dma-transfers.patch new file mode 100644 index 00000000000..eee514a4dbe --- /dev/null +++ b/queue-4.14/spi-rspi-fix-interrupted-dma-transfers.patch @@ -0,0 +1,58 @@ +From 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 5 Sep 2018 10:49:39 +0200 +Subject: spi: rspi: Fix interrupted DMA transfers + +From: Geert Uytterhoeven + +commit 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf upstream. + +When interrupted, wait_event_interruptible_timeout() returns +-ERESTARTSYS, and the SPI transfer in progress will fail, as expected: + + m25p80 spi0.0: SPI transfer failed: -512 + spi_master spi0: failed to transfer one message from queue + +However, as the underlying DMA transfers may not have completed, all +subsequent SPI transfers may start to fail: + + spi_master spi0: receive timeout + qspi_transfer_out_in() returned -110 + m25p80 spi0.0: SPI transfer failed: -110 + spi_master spi0: failed to transfer one message from queue + +Fix this by calling dmaengine_terminate_all() not only for timeouts, but +also for errors. + +This can be reproduced on r8a7991/koelsch, using "hd /dev/mtd0" followed +by CTRL-C. + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-rspi.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/spi/spi-rspi.c ++++ b/drivers/spi/spi-rspi.c +@@ -598,11 +598,13 @@ static int rspi_dma_transfer(struct rspi + + ret = wait_event_interruptible_timeout(rspi->wait, + rspi->dma_callbacked, HZ); +- if (ret > 0 && rspi->dma_callbacked) ++ if (ret > 0 && rspi->dma_callbacked) { + ret = 0; +- else if (!ret) { +- dev_err(&rspi->master->dev, "DMA timeout\n"); +- ret = -ETIMEDOUT; ++ } else { ++ if (!ret) { ++ dev_err(&rspi->master->dev, "DMA timeout\n"); ++ ret = -ETIMEDOUT; ++ } + if (tx) + dmaengine_terminate_all(rspi->master->dma_tx); + if (rx) diff --git a/queue-4.14/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch b/queue-4.14/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch new file mode 100644 index 00000000000..6afb3a479dd --- /dev/null +++ b/queue-4.14/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch @@ -0,0 +1,67 @@ +From c1ca59c22c56930b377a665fdd1b43351887830b Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 5 Sep 2018 10:49:38 +0200 +Subject: spi: rspi: Fix invalid SPI use during system suspend + +From: Geert Uytterhoeven + +commit c1ca59c22c56930b377a665fdd1b43351887830b upstream. + +If the SPI queue is running during system suspend, the system may lock +up. + +Fix this by stopping/restarting the queue during system suspend/resume, +by calling spi_master_suspend()/spi_master_resume() from the PM +callbacks. In-kernel users will receive an -ESHUTDOWN error while +system suspend/resume is in progress. + +Based on a patch for sh-msiof by Gaku Inami. + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-rspi.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/drivers/spi/spi-rspi.c ++++ b/drivers/spi/spi-rspi.c +@@ -1352,12 +1352,36 @@ static const struct platform_device_id s + + MODULE_DEVICE_TABLE(platform, spi_driver_ids); + ++#ifdef CONFIG_PM_SLEEP ++static int rspi_suspend(struct device *dev) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ struct rspi_data *rspi = platform_get_drvdata(pdev); ++ ++ return spi_master_suspend(rspi->master); ++} ++ ++static int rspi_resume(struct device *dev) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ struct rspi_data *rspi = platform_get_drvdata(pdev); ++ ++ return spi_master_resume(rspi->master); ++} ++ ++static SIMPLE_DEV_PM_OPS(rspi_pm_ops, rspi_suspend, rspi_resume); ++#define DEV_PM_OPS &rspi_pm_ops ++#else ++#define DEV_PM_OPS NULL ++#endif /* CONFIG_PM_SLEEP */ ++ + static struct platform_driver rspi_driver = { + .probe = rspi_probe, + .remove = rspi_remove, + .id_table = spi_driver_ids, + .driver = { + .name = "renesas_spi", ++ .pm = DEV_PM_OPS, + .of_match_table = of_match_ptr(rspi_of_match), + }, + }; diff --git a/queue-4.14/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch b/queue-4.14/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch new file mode 100644 index 00000000000..f879cd93937 --- /dev/null +++ b/queue-4.14/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch @@ -0,0 +1,38 @@ +From 31a5fae4c5a009898da6d177901d5328051641ff Mon Sep 17 00:00:00 2001 +From: Hiromitsu Yamasaki +Date: Wed, 5 Sep 2018 10:49:37 +0200 +Subject: spi: sh-msiof: Fix handling of write value for SISTR register + +From: Hiromitsu Yamasaki + +commit 31a5fae4c5a009898da6d177901d5328051641ff upstream. + +This patch changes writing to the SISTR register according to the H/W +user's manual. + +The TDREQ bit and RDREQ bits of SISTR are read-only, and must be written +their initial values of zero. + +Signed-off-by: Hiromitsu Yamasaki +[geert: reword] +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-sh-msiof.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -384,7 +384,8 @@ static void sh_msiof_spi_set_mode_regs(s + + static void sh_msiof_reset_str(struct sh_msiof_spi_priv *p) + { +- sh_msiof_write(p, STR, sh_msiof_read(p, STR)); ++ sh_msiof_write(p, STR, ++ sh_msiof_read(p, STR) & ~(STR_TDREQ | STR_RDREQ)); + } + + static void sh_msiof_spi_write_fifo_8(struct sh_msiof_spi_priv *p, diff --git a/queue-4.14/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch b/queue-4.14/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch new file mode 100644 index 00000000000..82c6752bf55 --- /dev/null +++ b/queue-4.14/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch @@ -0,0 +1,69 @@ +From ffa69d6a16f686efe45269342474e421f2aa58b2 Mon Sep 17 00:00:00 2001 +From: Gaku Inami +Date: Wed, 5 Sep 2018 10:49:36 +0200 +Subject: spi: sh-msiof: Fix invalid SPI use during system suspend + +From: Gaku Inami + +commit ffa69d6a16f686efe45269342474e421f2aa58b2 upstream. + +If the SPI queue is running during system suspend, the system may lock +up. + +Fix this by stopping/restarting the queue during system suspend/resume +by calling spi_master_suspend()/spi_master_resume() from the PM +callbacks. In-kernel users will receive an -ESHUTDOWN error while +system suspend/resume is in progress. + +Signed-off-by: Gaku Inami +Signed-off-by: Hiromitsu Yamasaki +[geert: Cleanup, reword] +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-sh-msiof.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -1361,12 +1361,37 @@ static const struct platform_device_id s + }; + MODULE_DEVICE_TABLE(platform, spi_driver_ids); + ++#ifdef CONFIG_PM_SLEEP ++static int sh_msiof_spi_suspend(struct device *dev) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev); ++ ++ return spi_master_suspend(p->master); ++} ++ ++static int sh_msiof_spi_resume(struct device *dev) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev); ++ ++ return spi_master_resume(p->master); ++} ++ ++static SIMPLE_DEV_PM_OPS(sh_msiof_spi_pm_ops, sh_msiof_spi_suspend, ++ sh_msiof_spi_resume); ++#define DEV_PM_OPS &sh_msiof_spi_pm_ops ++#else ++#define DEV_PM_OPS NULL ++#endif /* CONFIG_PM_SLEEP */ ++ + static struct platform_driver sh_msiof_spi_drv = { + .probe = sh_msiof_spi_probe, + .remove = sh_msiof_spi_remove, + .id_table = spi_driver_ids, + .driver = { + .name = "spi_sh_msiof", ++ .pm = DEV_PM_OPS, + .of_match_table = of_match_ptr(sh_msiof_match), + }, + }; diff --git a/queue-4.14/spi-tegra20-slink-explicitly-enable-disable-clock.patch b/queue-4.14/spi-tegra20-slink-explicitly-enable-disable-clock.patch new file mode 100644 index 00000000000..f5a95fcec0e --- /dev/null +++ b/queue-4.14/spi-tegra20-slink-explicitly-enable-disable-clock.patch @@ -0,0 +1,84 @@ +From 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 Mon Sep 17 00:00:00 2001 +From: Marcel Ziswiler +Date: Wed, 29 Aug 2018 08:47:57 +0200 +Subject: spi: tegra20-slink: explicitly enable/disable clock + +From: Marcel Ziswiler + +commit 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 upstream. + +Depending on the SPI instance one may get an interrupt storm upon +requesting resp. interrupt unless the clock is explicitly enabled +beforehand. This has been observed trying to bring up instance 4 on +T20. + +Signed-off-by: Marcel Ziswiler +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-tegra20-slink.c | 31 +++++++++++++++++++++++-------- + 1 file changed, 23 insertions(+), 8 deletions(-) + +--- a/drivers/spi/spi-tegra20-slink.c ++++ b/drivers/spi/spi-tegra20-slink.c +@@ -1063,6 +1063,24 @@ static int tegra_slink_probe(struct plat + goto exit_free_master; + } + ++ /* disabled clock may cause interrupt storm upon request */ ++ tspi->clk = devm_clk_get(&pdev->dev, NULL); ++ if (IS_ERR(tspi->clk)) { ++ ret = PTR_ERR(tspi->clk); ++ dev_err(&pdev->dev, "Can not get clock %d\n", ret); ++ goto exit_free_master; ++ } ++ ret = clk_prepare(tspi->clk); ++ if (ret < 0) { ++ dev_err(&pdev->dev, "Clock prepare failed %d\n", ret); ++ goto exit_free_master; ++ } ++ ret = clk_enable(tspi->clk); ++ if (ret < 0) { ++ dev_err(&pdev->dev, "Clock enable failed %d\n", ret); ++ goto exit_free_master; ++ } ++ + spi_irq = platform_get_irq(pdev, 0); + tspi->irq = spi_irq; + ret = request_threaded_irq(tspi->irq, tegra_slink_isr, +@@ -1071,14 +1089,7 @@ static int tegra_slink_probe(struct plat + if (ret < 0) { + dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n", + tspi->irq); +- goto exit_free_master; +- } +- +- tspi->clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(tspi->clk)) { +- dev_err(&pdev->dev, "can not get clock\n"); +- ret = PTR_ERR(tspi->clk); +- goto exit_free_irq; ++ goto exit_clk_disable; + } + + tspi->rst = devm_reset_control_get_exclusive(&pdev->dev, "spi"); +@@ -1138,6 +1149,8 @@ exit_rx_dma_free: + tegra_slink_deinit_dma_param(tspi, true); + exit_free_irq: + free_irq(spi_irq, tspi); ++exit_clk_disable: ++ clk_disable(tspi->clk); + exit_free_master: + spi_master_put(master); + return ret; +@@ -1150,6 +1163,8 @@ static int tegra_slink_remove(struct pla + + free_irq(tspi->irq, tspi); + ++ clk_disable(tspi->clk); ++ + if (tspi->tx_dma_chan) + tegra_slink_deinit_dma_param(tspi, false); + diff --git a/queue-4.14/tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch b/queue-4.14/tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch new file mode 100644 index 00000000000..c55b12a0489 --- /dev/null +++ b/queue-4.14/tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch @@ -0,0 +1,39 @@ +From 3216c622a24b0ebb9c159a8d1daf7f17a106b3f5 Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Tue, 28 Aug 2018 12:44:24 +0200 +Subject: tty: serial: lpuart: avoid leaking struct tty_struct + +From: Stefan Agner + +commit 3216c622a24b0ebb9c159a8d1daf7f17a106b3f5 upstream. + +The function tty_port_tty_get() gets a reference to the tty. Since +the code is not using tty_port_tty_set(), the reference is kept +even after closing the tty. + +Avoid using tty_port_tty_get() by directly access the tty instance. +Since lpuart_start_rx_dma() is called from the .startup() and +.set_termios() callback, it is safe to assume the tty instance is +valid. + +Cc: stable@vger.kernel.org # v4.9+ +Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx") +Signed-off-by: Stefan Agner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/fsl_lpuart.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -983,7 +983,8 @@ static inline int lpuart_start_rx_dma(st + struct circ_buf *ring = &sport->rx_ring; + int ret, nent; + int bits, baud; +- struct tty_struct *tty = tty_port_tty_get(&sport->port.state->port); ++ struct tty_port *port = &sport->port.state->port; ++ struct tty_struct *tty = port->tty; + struct ktermios *termios = &tty->termios; + + baud = tty_get_baud_rate(tty); diff --git a/queue-4.14/usb-fix-error-handling-in-usb_driver_claim_interface.patch b/queue-4.14/usb-fix-error-handling-in-usb_driver_claim_interface.patch new file mode 100644 index 00000000000..90077937452 --- /dev/null +++ b/queue-4.14/usb-fix-error-handling-in-usb_driver_claim_interface.patch @@ -0,0 +1,58 @@ +From bd729f9d67aa9a303d8925bb8c4f06af25f407d1 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 10 Sep 2018 13:59:59 -0400 +Subject: USB: fix error handling in usb_driver_claim_interface() + +From: Alan Stern + +commit bd729f9d67aa9a303d8925bb8c4f06af25f407d1 upstream. + +The syzbot fuzzing project found a use-after-free bug in the USB +core. The bug was caused by usbfs not unbinding from an interface +when the USB device file was closed, which led another process to +attempt the unbind later on, after the private data structure had been +deallocated. + +The reason usbfs did not unbind the interface at the appropriate time +was because it thought the interface had never been claimed in the +first place. This was caused by the fact that +usb_driver_claim_interface() does not clean up properly when +device_bind_driver() returns an error. Although the error code gets +passed back to the caller, the iface->dev.driver pointer remains set +and iface->condition remains equal to USB_INTERFACE_BOUND. + +This patch adds proper error handling to usb_driver_claim_interface(). + +Signed-off-by: Alan Stern +Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com +CC: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/driver.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -565,6 +565,21 @@ int usb_driver_claim_interface(struct us + if (!lpm_disable_error) + usb_unlocked_enable_lpm(udev); + ++ if (retval) { ++ dev->driver = NULL; ++ usb_set_intfdata(iface, NULL); ++ iface->needs_remote_wakeup = 0; ++ iface->condition = USB_INTERFACE_UNBOUND; ++ ++ /* ++ * Unbound interfaces are always runtime-PM-disabled ++ * and runtime-PM-suspended ++ */ ++ if (driver->supports_autosuspend) ++ pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); ++ } ++ + return retval; + } + EXPORT_SYMBOL_GPL(usb_driver_claim_interface); diff --git a/queue-4.14/usb-handle-null-config-in-usb_find_alt_setting.patch b/queue-4.14/usb-handle-null-config-in-usb_find_alt_setting.patch new file mode 100644 index 00000000000..f1f15494147 --- /dev/null +++ b/queue-4.14/usb-handle-null-config-in-usb_find_alt_setting.patch @@ -0,0 +1,38 @@ +From c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 10 Sep 2018 14:00:53 -0400 +Subject: USB: handle NULL config in usb_find_alt_setting() + +From: Alan Stern + +commit c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 upstream. + +usb_find_alt_setting() takes a pointer to a struct usb_host_config as +an argument; it searches for an interface with specified interface and +alternate setting numbers in that config. However, it crashes if the +usb_host_config pointer argument is NULL. + +Since this is a general-purpose routine, available for use in many +places, we want to to be more robust. This patch makes it return NULL +whenever the config argument is NULL. + +Signed-off-by: Alan Stern +Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com +CC: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/core/usb.c ++++ b/drivers/usb/core/usb.c +@@ -228,6 +228,8 @@ struct usb_host_interface *usb_find_alt_ + struct usb_interface_cache *intf_cache = NULL; + int i; + ++ if (!config) ++ return NULL; + for (i = 0; i < config->desc.bNumInterfaces; i++) { + if (config->intf_cache[i]->altsetting[0].desc.bInterfaceNumber + == iface_num) { diff --git a/queue-4.14/usb-musb-dsps-do-not-disable-cppi41-irq-in-driver-teardown.patch b/queue-4.14/usb-musb-dsps-do-not-disable-cppi41-irq-in-driver-teardown.patch new file mode 100644 index 00000000000..aab32de0185 --- /dev/null +++ b/queue-4.14/usb-musb-dsps-do-not-disable-cppi41-irq-in-driver-teardown.patch @@ -0,0 +1,54 @@ +From 783f3b4e9ec50491c21746e7e05ec6c39c21f563 Mon Sep 17 00:00:00 2001 +From: Bin Liu +Date: Mon, 17 Sep 2018 11:40:22 -0500 +Subject: usb: musb: dsps: do not disable CPPI41 irq in driver teardown + +From: Bin Liu + +commit 783f3b4e9ec50491c21746e7e05ec6c39c21f563 upstream. + +TI AM335x CPPI 4.1 module uses a single register bit for CPPI interrupts +in both musb controllers. So disabling the CPPI irq in one musb driver +breaks the other musb module. + +Since musb is already disabled before tearing down dma controller in +musb_remove(), it is safe to not disable CPPI irq in +musb_dma_controller_destroy(). + +Fixes: 255348289f71 ("usb: musb: dsps: Manage CPPI 4.1 DMA interrupt in DSPS") +Cc: stable@vger.kernel.org +Signed-off-by: Bin Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/musb_dsps.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +--- a/drivers/usb/musb/musb_dsps.c ++++ b/drivers/usb/musb/musb_dsps.c +@@ -684,16 +684,6 @@ dsps_dma_controller_create(struct musb * + return controller; + } + +-static void dsps_dma_controller_destroy(struct dma_controller *c) +-{ +- struct musb *musb = c->musb; +- struct dsps_glue *glue = dev_get_drvdata(musb->controller->parent); +- void __iomem *usbss_base = glue->usbss_base; +- +- musb_writel(usbss_base, USBSS_IRQ_CLEARR, USBSS_IRQ_PD_COMP); +- cppi41_dma_controller_destroy(c); +-} +- + #ifdef CONFIG_PM_SLEEP + static void dsps_dma_controller_suspend(struct dsps_glue *glue) + { +@@ -723,7 +713,7 @@ static struct musb_platform_ops dsps_ops + + #ifdef CONFIG_USB_TI_CPPI41_DMA + .dma_init = dsps_dma_controller_create, +- .dma_exit = dsps_dma_controller_destroy, ++ .dma_exit = cppi41_dma_controller_destroy, + #endif + .enable = dsps_musb_enable, + .disable = dsps_musb_disable, diff --git a/queue-4.14/x86-mm-expand-static-page-table-for-fixmap-space.patch b/queue-4.14/x86-mm-expand-static-page-table-for-fixmap-space.patch new file mode 100644 index 00000000000..4354a37724c --- /dev/null +++ b/queue-4.14/x86-mm-expand-static-page-table-for-fixmap-space.patch @@ -0,0 +1,181 @@ +From 05ab1d8a4b36ee912b7087c6da127439ed0a903e Mon Sep 17 00:00:00 2001 +From: Feng Tang +Date: Thu, 20 Sep 2018 10:58:28 +0800 +Subject: x86/mm: Expand static page table for fixmap space + +From: Feng Tang + +commit 05ab1d8a4b36ee912b7087c6da127439ed0a903e upstream. + +We met a kernel panic when enabling earlycon, which is due to the fixmap +address of earlycon is not statically setup. + +Currently the static fixmap setup in head_64.S only covers 2M virtual +address space, while it actually could be in 4M space with different +kernel configurations, e.g. when VSYSCALL emulation is disabled. + +So increase the static space to 4M for now by defining FIXMAP_PMD_NUM to 2, +and add a build time check to ensure that the fixmap is covered by the +initial static page tables. + +Fixes: 1ad83c858c7d ("x86_64,vsyscall: Make vsyscall emulation configurable") +Suggested-by: Thomas Gleixner +Signed-off-by: Feng Tang +Signed-off-by: Thomas Gleixner +Tested-by: kernel test robot +Reviewed-by: Juergen Gross (Xen parts) +Cc: H Peter Anvin +Cc: Peter Zijlstra +Cc: Michal Hocko +Cc: Yinghai Lu +Cc: Dave Hansen +Cc: Andi Kleen +Cc: Andy Lutomirsky +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20180920025828.23699-1-feng.tang@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/fixmap.h | 10 ++++++++++ + arch/x86/include/asm/pgtable_64.h | 3 ++- + arch/x86/kernel/head64.c | 4 +++- + arch/x86/kernel/head_64.S | 16 ++++++++++++---- + arch/x86/mm/pgtable.c | 9 +++++++++ + arch/x86/xen/mmu_pv.c | 8 ++++++-- + 6 files changed, 42 insertions(+), 8 deletions(-) + +--- a/arch/x86/include/asm/fixmap.h ++++ b/arch/x86/include/asm/fixmap.h +@@ -14,6 +14,16 @@ + #ifndef _ASM_X86_FIXMAP_H + #define _ASM_X86_FIXMAP_H + ++/* ++ * Exposed to assembly code for setting up initial page tables. Cannot be ++ * calculated in assembly code (fixmap entries are an enum), but is sanity ++ * checked in the actual fixmap C code to make sure that the fixmap is ++ * covered fully. ++ */ ++#define FIXMAP_PMD_NUM 2 ++/* fixmap starts downwards from the 507th entry in level2_fixmap_pgt */ ++#define FIXMAP_PMD_TOP 507 ++ + #ifndef __ASSEMBLY__ + #include + #include +--- a/arch/x86/include/asm/pgtable_64.h ++++ b/arch/x86/include/asm/pgtable_64.h +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + extern p4d_t level4_kernel_pgt[512]; + extern p4d_t level4_ident_pgt[512]; +@@ -22,7 +23,7 @@ extern pud_t level3_ident_pgt[512]; + extern pmd_t level2_kernel_pgt[512]; + extern pmd_t level2_fixmap_pgt[512]; + extern pmd_t level2_ident_pgt[512]; +-extern pte_t level1_fixmap_pgt[512]; ++extern pte_t level1_fixmap_pgt[512 * FIXMAP_PMD_NUM]; + extern pgd_t init_top_pgt[]; + + #define swapper_pg_dir init_top_pgt +--- a/arch/x86/kernel/head64.c ++++ b/arch/x86/kernel/head64.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + /* + * Manage page tables very early on. +@@ -93,7 +94,8 @@ unsigned long __head __startup_64(unsign + pud[511] += load_delta; + + pmd = fixup_pointer(level2_fixmap_pgt, physaddr); +- pmd[506] += load_delta; ++ for (i = FIXMAP_PMD_TOP; i > FIXMAP_PMD_TOP - FIXMAP_PMD_NUM; i--) ++ pmd[i] += load_delta; + + /* + * Set up the identity mapping for the switchover. These +--- a/arch/x86/kernel/head_64.S ++++ b/arch/x86/kernel/head_64.S +@@ -24,6 +24,7 @@ + #include "../entry/calling.h" + #include + #include ++#include + + #ifdef CONFIG_PARAVIRT + #include +@@ -438,13 +439,20 @@ NEXT_PAGE(level2_kernel_pgt) + KERNEL_IMAGE_SIZE/PMD_SIZE) + + NEXT_PAGE(level2_fixmap_pgt) +- .fill 506,8,0 +- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE_NOENC +- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */ +- .fill 5,8,0 ++ .fill (512 - 4 - FIXMAP_PMD_NUM),8,0 ++ pgtno = 0 ++ .rept (FIXMAP_PMD_NUM) ++ .quad level1_fixmap_pgt + (pgtno << PAGE_SHIFT) - __START_KERNEL_map \ ++ + _PAGE_TABLE_NOENC; ++ pgtno = pgtno + 1 ++ .endr ++ /* 6 MB reserved space + a 2MB hole */ ++ .fill 4,8,0 + + NEXT_PAGE(level1_fixmap_pgt) ++ .rept (FIXMAP_PMD_NUM) + .fill 512,8,0 ++ .endr + + #undef PMDS + +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -573,6 +573,15 @@ void __native_set_fixmap(enum fixed_addr + { + unsigned long address = __fix_to_virt(idx); + ++#ifdef CONFIG_X86_64 ++ /* ++ * Ensure that the static initial page tables are covering the ++ * fixmap completely. ++ */ ++ BUILD_BUG_ON(__end_of_permanent_fixed_addresses > ++ (FIXMAP_PMD_NUM * PTRS_PER_PTE)); ++#endif ++ + if (idx >= __end_of_fixed_addresses) { + BUG(); + return; +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -1879,7 +1879,7 @@ void __init xen_setup_kernel_pagetable(p + /* L3_k[511] -> level2_fixmap_pgt */ + convert_pfn_mfn(level3_kernel_pgt); + +- /* L3_k[511][506] -> level1_fixmap_pgt */ ++ /* L3_k[511][508-FIXMAP_PMD_NUM ... 507] -> level1_fixmap_pgt */ + convert_pfn_mfn(level2_fixmap_pgt); + + /* We get [511][511] and have Xen's version of level2_kernel_pgt */ +@@ -1924,7 +1924,11 @@ void __init xen_setup_kernel_pagetable(p + set_page_prot(level2_ident_pgt, PAGE_KERNEL_RO); + set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO); + set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO); +- set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO); ++ ++ for (i = 0; i < FIXMAP_PMD_NUM; i++) { ++ set_page_prot(level1_fixmap_pgt + i * PTRS_PER_PTE, ++ PAGE_KERNEL_RO); ++ } + + /* Pin down new L4 */ + pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE,