From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 17 Nov 2016 07:51:34 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.33~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e732ccd691824c5811c17186e58cf8d527eb466b;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	iommu-amd-free-domain-id-when-free-a-domain-of-struct-dma_ops_domain.patch
	iommu-vt-d-fix-dead-locks-in-disable_dmar_iommu-path.patch
	mei-bus-fix-received-data-size-check-in-nfc-fixup.patch
---

diff --git a/queue-4.4/iommu-amd-free-domain-id-when-free-a-domain-of-struct-dma_ops_domain.patch b/queue-4.4/iommu-amd-free-domain-id-when-free-a-domain-of-struct-dma_ops_domain.patch
new file mode 100644
index 00000000000..17ccba7a84c
--- /dev/null
+++ b/queue-4.4/iommu-amd-free-domain-id-when-free-a-domain-of-struct-dma_ops_domain.patch
@@ -0,0 +1,33 @@
+From c3db901c54466a9c135d1e6e95fec452e8a42666 Mon Sep 17 00:00:00 2001
+From: Baoquan He <bhe@redhat.com>
+Date: Thu, 15 Sep 2016 16:50:52 +0800
+Subject: iommu/amd: Free domain id when free a domain of struct dma_ops_domain
+
+From: Baoquan He <bhe@redhat.com>
+
+commit c3db901c54466a9c135d1e6e95fec452e8a42666 upstream.
+
+The current code missed freeing domain id when free a domain of
+struct dma_ops_domain.
+
+Signed-off-by: Baoquan He <bhe@redhat.com>
+Fixes: ec487d1a110a ('x86, AMD IOMMU: add domain allocation and deallocation functions')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -1833,6 +1833,9 @@ static void dma_ops_domain_free(struct d
+ 		kfree(dom->aperture[i]);
+ 	}
+ 
++	if (dom->domain.id)
++		domain_id_free(dom->domain.id);
++
+ 	kfree(dom);
+ }
+ 
diff --git a/queue-4.4/iommu-vt-d-fix-dead-locks-in-disable_dmar_iommu-path.patch b/queue-4.4/iommu-vt-d-fix-dead-locks-in-disable_dmar_iommu-path.patch
new file mode 100644
index 00000000000..d588f2ef192
--- /dev/null
+++ b/queue-4.4/iommu-vt-d-fix-dead-locks-in-disable_dmar_iommu-path.patch
@@ -0,0 +1,54 @@
+From bea64033dd7b5fb6296eda8266acab6364ce1554 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Tue, 8 Nov 2016 15:08:26 +0100
+Subject: iommu/vt-d: Fix dead-locks in disable_dmar_iommu() path
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit bea64033dd7b5fb6296eda8266acab6364ce1554 upstream.
+
+It turns out that the disable_dmar_iommu() code-path tried
+to get the device_domain_lock recursivly, which will
+dead-lock when this code runs on dmar removal. Fix both
+code-paths that could lead to the dead-lock.
+
+Fixes: 55d940430ab9 ('iommu/vt-d: Get rid of domain->iommu_lock')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -1672,6 +1672,7 @@ static void disable_dmar_iommu(struct in
+ 	if (!iommu->domains || !iommu->domain_ids)
+ 		return;
+ 
++again:
+ 	spin_lock_irqsave(&device_domain_lock, flags);
+ 	list_for_each_entry_safe(info, tmp, &device_domain_list, global) {
+ 		struct dmar_domain *domain;
+@@ -1684,10 +1685,19 @@ static void disable_dmar_iommu(struct in
+ 
+ 		domain = info->domain;
+ 
+-		dmar_remove_one_dev_info(domain, info->dev);
++		__dmar_remove_one_dev_info(info);
+ 
+-		if (!domain_type_is_vm_or_si(domain))
++		if (!domain_type_is_vm_or_si(domain)) {
++			/*
++			 * The domain_exit() function  can't be called under
++			 * device_domain_lock, as it takes this lock itself.
++			 * So release the lock here and re-run the loop
++			 * afterwards.
++			 */
++			spin_unlock_irqrestore(&device_domain_lock, flags);
+ 			domain_exit(domain);
++			goto again;
++		}
+ 	}
+ 	spin_unlock_irqrestore(&device_domain_lock, flags);
+ 
diff --git a/queue-4.4/mei-bus-fix-received-data-size-check-in-nfc-fixup.patch b/queue-4.4/mei-bus-fix-received-data-size-check-in-nfc-fixup.patch
new file mode 100644
index 00000000000..b282ee8a958
--- /dev/null
+++ b/queue-4.4/mei-bus-fix-received-data-size-check-in-nfc-fixup.patch
@@ -0,0 +1,52 @@
+From 582ab27a063a506ccb55fc48afcc325342a2deba Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Mon, 31 Oct 2016 19:02:39 +0200
+Subject: mei: bus: fix received data size check in NFC fixup
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 582ab27a063a506ccb55fc48afcc325342a2deba upstream.
+
+NFC version reply size checked against only header size, not against
+full message size. That may lead potentially to uninitialized memory access
+in version data.
+
+That leads to warnings when version data is accessed:
+drivers/misc/mei/bus-fixup.c: warning: '*((void *)&ver+11)' may be used uninitialized in this function [-Wuninitialized]:  => 212:2
+
+Reported in
+Build regressions/improvements in v4.9-rc3
+https://lkml.org/lkml/2016/10/30/57
+
+Fixes: 59fcd7c63abf (mei: nfc: Initial nfc implementation)
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/bus-fixup.c |    2 +-
+ drivers/nfc/mei_phy.c        |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/mei/bus-fixup.c
++++ b/drivers/misc/mei/bus-fixup.c
+@@ -151,7 +151,7 @@ static int mei_nfc_if_version(struct mei
+ 
+ 	ret = 0;
+ 	bytes_recv = __mei_cl_recv(cl, (u8 *)reply, if_version_length);
+-	if (bytes_recv < 0 || bytes_recv < sizeof(struct mei_nfc_reply)) {
++	if (bytes_recv < if_version_length) {
+ 		dev_err(bus->dev, "Could not read IF version\n");
+ 		ret = -EIO;
+ 		goto err;
+--- a/drivers/nfc/mei_phy.c
++++ b/drivers/nfc/mei_phy.c
+@@ -133,7 +133,7 @@ static int mei_nfc_if_version(struct nfc
+ 		return -ENOMEM;
+ 
+ 	bytes_recv = mei_cldev_recv(phy->cldev, (u8 *)reply, if_version_length);
+-	if (bytes_recv < 0 || bytes_recv < sizeof(struct mei_nfc_reply)) {
++	if (bytes_recv < 0 || bytes_recv < if_version_length) {
+ 		pr_err("Could not read IF version\n");
+ 		r = -EIO;
+ 		goto err;
diff --git a/queue-4.4/series b/queue-4.4/series
index 34366eefc24..82727d4cda0 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -25,3 +25,6 @@ kvm-mips-precalculate-mmio-load-resume-pc.patch
 drm-i915-respect-alternate_ddc_pin-for-all-ddi-ports.patch
 dmaengine-at_xdmac-fix-spurious-flag-status-for-mem2mem-transfers.patch
 tty-serial-at91-fix-hardware-handshake-on-atmel-platforms.patch
+iommu-amd-free-domain-id-when-free-a-domain-of-struct-dma_ops_domain.patch
+iommu-vt-d-fix-dead-locks-in-disable_dmar_iommu-path.patch
+mei-bus-fix-received-data-size-check-in-nfc-fixup.patch