From: Greg Kroah-Hartman Date: Sun, 2 Sep 2018 17:55:54 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.121~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eba19f6cc512eb811aaacd4013f2da3de1b4b6fe;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: asoc-dpcm-don-t-merge-format-from-invalid-codec-dai.patch asoc-sirf-fix-potential-null-pointer-dereference.patch b43-leds-ensure-nul-termination-of-led-name-string.patch b43legacy-leds-ensure-nul-termination-of-led-name-string.patch pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch udl-kms-change-down_interruptible-to-down.patch udl-kms-fix-crash-due-to-uninitialized-memory.patch udl-kms-handle-allocation-failure.patch --- diff --git a/queue-4.9/asoc-dpcm-don-t-merge-format-from-invalid-codec-dai.patch b/queue-4.9/asoc-dpcm-don-t-merge-format-from-invalid-codec-dai.patch new file mode 100644 index 00000000000..8a511021f63 --- /dev/null +++ b/queue-4.9/asoc-dpcm-don-t-merge-format-from-invalid-codec-dai.patch @@ -0,0 +1,45 @@ +From 4febced15ac8ddb9cf3e603edb111842e4863d9a Mon Sep 17 00:00:00 2001 +From: Jerome Brunet +Date: Wed, 27 Jun 2018 17:36:38 +0200 +Subject: ASoC: dpcm: don't merge format from invalid codec dai + +From: Jerome Brunet + +commit 4febced15ac8ddb9cf3e603edb111842e4863d9a upstream. + +When merging codec formats, dpcm_runtime_base_format() should skip +the codecs which are not supporting the current stream direction. + +At the moment, if a BE link has more than one codec, and only one +of these codecs has no capture DAI, it becomes impossible to start +a capture stream because the merged format would be 0. + +Skipping invalid codec DAI solves the problem. + +Fixes: b073ed4e2126 ("ASoC: soc-pcm: DPCM cares BE format") +Signed-off-by: Jerome Brunet +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-pcm.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ -1621,6 +1621,14 @@ static u64 dpcm_runtime_base_format(stru + int i; + + for (i = 0; i < be->num_codecs; i++) { ++ /* ++ * Skip CODECs which don't support the current stream ++ * type. See soc_pcm_init_runtime_hw() for more details ++ */ ++ if (!snd_soc_dai_stream_valid(be->codec_dais[i], ++ stream)) ++ continue; ++ + codec_dai_drv = be->codec_dais[i]->driver; + if (stream == SNDRV_PCM_STREAM_PLAYBACK) + codec_stream = &codec_dai_drv->playback; diff --git a/queue-4.9/asoc-sirf-fix-potential-null-pointer-dereference.patch b/queue-4.9/asoc-sirf-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..4ba9c224b93 --- /dev/null +++ b/queue-4.9/asoc-sirf-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,44 @@ +From ae1c696a480c67c45fb23b35162183f72c6be0e1 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Thu, 26 Jul 2018 15:49:10 -0500 +Subject: ASoC: sirf: Fix potential NULL pointer dereference + +From: Gustavo A. R. Silva + +commit ae1c696a480c67c45fb23b35162183f72c6be0e1 upstream. + +There is a potential execution path in which function +platform_get_resource() returns NULL. If this happens, +we will end up having a NULL pointer dereference. + +Fix this by replacing devm_ioremap with devm_ioremap_resource, +which has the NULL check and the memory region request. + +This code was detected with the help of Coccinelle. + +Cc: stable@vger.kernel.org +Fixes: 2bd8d1d5cf89 ("ASoC: sirf: Add audio usp interface driver") +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/sirf/sirf-usp.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/sound/soc/sirf/sirf-usp.c ++++ b/sound/soc/sirf/sirf-usp.c +@@ -367,10 +367,9 @@ static int sirf_usp_pcm_probe(struct pla + platform_set_drvdata(pdev, usp); + + mem_res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- base = devm_ioremap(&pdev->dev, mem_res->start, +- resource_size(mem_res)); +- if (base == NULL) +- return -ENOMEM; ++ base = devm_ioremap_resource(&pdev->dev, mem_res); ++ if (IS_ERR(base)) ++ return PTR_ERR(base); + usp->regmap = devm_regmap_init_mmio(&pdev->dev, base, + &sirf_usp_regmap_config); + if (IS_ERR(usp->regmap)) diff --git a/queue-4.9/b43-leds-ensure-nul-termination-of-led-name-string.patch b/queue-4.9/b43-leds-ensure-nul-termination-of-led-name-string.patch new file mode 100644 index 00000000000..009379d074c --- /dev/null +++ b/queue-4.9/b43-leds-ensure-nul-termination-of-led-name-string.patch @@ -0,0 +1,32 @@ +From 2aa650d1950fce94f696ebd7db30b8830c2c946f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michael=20B=C3=BCsch?= +Date: Tue, 31 Jul 2018 21:14:04 +0200 +Subject: b43/leds: Ensure NUL-termination of LED name string + +From: Michael Buesch + +commit 2aa650d1950fce94f696ebd7db30b8830c2c946f upstream. + +strncpy might not NUL-terminate the string, if the name equals the buffer size. +Use strlcpy instead. + +Signed-off-by: Michael Buesch +Cc: stable@vger.kernel.org +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/b43/leds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/b43/leds.c ++++ b/drivers/net/wireless/broadcom/b43/leds.c +@@ -131,7 +131,7 @@ static int b43_register_led(struct b43_w + led->wl = dev->wl; + led->index = led_index; + led->activelow = activelow; +- strncpy(led->name, name, sizeof(led->name)); ++ strlcpy(led->name, name, sizeof(led->name)); + atomic_set(&led->state, 0); + + led->led_dev.name = led->name; diff --git a/queue-4.9/b43legacy-leds-ensure-nul-termination-of-led-name-string.patch b/queue-4.9/b43legacy-leds-ensure-nul-termination-of-led-name-string.patch new file mode 100644 index 00000000000..aab1eb12587 --- /dev/null +++ b/queue-4.9/b43legacy-leds-ensure-nul-termination-of-led-name-string.patch @@ -0,0 +1,32 @@ +From 4d77a89e3924b12f4a5628b21237e57ab4703866 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michael=20B=C3=BCsch?= +Date: Tue, 31 Jul 2018 21:14:16 +0200 +Subject: b43legacy/leds: Ensure NUL-termination of LED name string + +From: Michael Buesch + +commit 4d77a89e3924b12f4a5628b21237e57ab4703866 upstream. + +strncpy might not NUL-terminate the string, if the name equals the buffer size. +Use strlcpy instead. + +Signed-off-by: Michael Buesch +Cc: stable@vger.kernel.org +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/b43legacy/leds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/b43legacy/leds.c ++++ b/drivers/net/wireless/broadcom/b43legacy/leds.c +@@ -101,7 +101,7 @@ static int b43legacy_register_led(struct + led->dev = dev; + led->index = led_index; + led->activelow = activelow; +- strncpy(led->name, name, sizeof(led->name)); ++ strlcpy(led->name, name, sizeof(led->name)); + + led->led_dev.name = led->name; + led->led_dev.default_trigger = default_trigger; diff --git a/queue-4.9/kvm-x86-ensure-all-msrs-can-always-be-kvm_get-set_msr-d.patch b/queue-4.9/kvm-x86-ensure-all-msrs-can-always-be-kvm_get-set_msr-d.patch deleted file mode 100644 index 5bf5acbe7bf..00000000000 --- a/queue-4.9/kvm-x86-ensure-all-msrs-can-always-be-kvm_get-set_msr-d.patch +++ /dev/null @@ -1,185 +0,0 @@ -From 44883f01fe6ae436a8604c47d8435276fef369b0 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Thu, 26 Jul 2018 13:01:52 +0200 -Subject: KVM: x86: ensure all MSRs can always be KVM_GET/SET_MSR'd - -From: Paolo Bonzini - -commit 44883f01fe6ae436a8604c47d8435276fef369b0 upstream. - -Some of the MSRs returned by GET_MSR_INDEX_LIST currently cannot be sent back -to KVM_GET_MSR and/or KVM_SET_MSR; either they can never be sent back, or you -they are only accepted under special conditions. This makes the API a pain to -use. - -To avoid this pain, this patch makes it so that the result of the get-list -ioctl can always be used for host-initiated get and set. Since we don't have -a separate way to check for read-only MSRs, this means some Hyper-V MSRs are -ignored when written. Arguably they should not even be in the result of -GET_MSR_INDEX_LIST, but I am leaving there in case userspace is using the -outcome of GET_MSR_INDEX_LIST to derive the support for the corresponding -Hyper-V feature. - -Cc: stable@vger.kernel.org -Signed-off-by: Paolo Bonzini -Signed-off-by: Greg Kroah-Hartman - ---- - arch/x86/kvm/hyperv.c | 27 ++++++++++++++++++++------- - arch/x86/kvm/hyperv.h | 2 +- - arch/x86/kvm/x86.c | 15 +++++++++------ - 3 files changed, 30 insertions(+), 14 deletions(-) - ---- a/arch/x86/kvm/hyperv.c -+++ b/arch/x86/kvm/hyperv.c -@@ -199,7 +199,7 @@ static int synic_set_msr(struct kvm_vcpu - struct kvm_vcpu *vcpu = synic_to_vcpu(synic); - int ret; - -- if (!synic->active) -+ if (!synic->active && !host) - return 1; - - trace_kvm_hv_synic_set_msr(vcpu->vcpu_id, msr, data, host); -@@ -257,11 +257,12 @@ static int synic_set_msr(struct kvm_vcpu - return ret; - } - --static int synic_get_msr(struct kvm_vcpu_hv_synic *synic, u32 msr, u64 *pdata) -+static int synic_get_msr(struct kvm_vcpu_hv_synic *synic, u32 msr, u64 *pdata, -+ bool host) - { - int ret; - -- if (!synic->active) -+ if (!synic->active && !host) - return 1; - - ret = 0; -@@ -947,6 +948,11 @@ static int kvm_hv_set_msr_pw(struct kvm_ - kvm_make_request(KVM_REQ_HV_RESET, vcpu); - } - break; -+ case HV_X64_MSR_TIME_REF_COUNT: -+ /* read-only, but still ignore it if host-initiated */ -+ if (!host) -+ return 1; -+ break; - default: - vcpu_unimpl(vcpu, "Hyper-V uhandled wrmsr: 0x%x data 0x%llx\n", - msr, data); -@@ -1028,6 +1034,12 @@ static int kvm_hv_set_msr(struct kvm_vcp - return stimer_set_count(vcpu_to_stimer(vcpu, timer_index), - data, host); - } -+ case HV_X64_MSR_TSC_FREQUENCY: -+ case HV_X64_MSR_APIC_FREQUENCY: -+ /* read-only, but still ignore it if host-initiated */ -+ if (!host) -+ return 1; -+ break; - default: - vcpu_unimpl(vcpu, "Hyper-V uhandled wrmsr: 0x%x data 0x%llx\n", - msr, data); -@@ -1074,7 +1086,8 @@ static int kvm_hv_get_msr_pw(struct kvm_ - return 0; - } - --static int kvm_hv_get_msr(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata) -+static int kvm_hv_get_msr(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, -+ bool host) - { - u64 data = 0; - struct kvm_vcpu_hv *hv = &vcpu->arch.hyperv; -@@ -1110,7 +1123,7 @@ static int kvm_hv_get_msr(struct kvm_vcp - case HV_X64_MSR_SIMP: - case HV_X64_MSR_EOM: - case HV_X64_MSR_SINT0 ... HV_X64_MSR_SINT15: -- return synic_get_msr(vcpu_to_synic(vcpu), msr, pdata); -+ return synic_get_msr(vcpu_to_synic(vcpu), msr, pdata, host); - case HV_X64_MSR_STIMER0_CONFIG: - case HV_X64_MSR_STIMER1_CONFIG: - case HV_X64_MSR_STIMER2_CONFIG: -@@ -1150,7 +1163,7 @@ int kvm_hv_set_msr_common(struct kvm_vcp - return kvm_hv_set_msr(vcpu, msr, data, host); - } - --int kvm_hv_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata) -+int kvm_hv_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host) - { - if (kvm_hv_msr_partition_wide(msr)) { - int r; -@@ -1160,7 +1173,7 @@ int kvm_hv_get_msr_common(struct kvm_vcp - mutex_unlock(&vcpu->kvm->lock); - return r; - } else -- return kvm_hv_get_msr(vcpu, msr, pdata); -+ return kvm_hv_get_msr(vcpu, msr, pdata, host); - } - - bool kvm_hv_hypercall_enabled(struct kvm *kvm) ---- a/arch/x86/kvm/hyperv.h -+++ b/arch/x86/kvm/hyperv.h -@@ -48,7 +48,7 @@ static inline struct kvm_vcpu *synic_to_ - } - - int kvm_hv_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data, bool host); --int kvm_hv_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata); -+int kvm_hv_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host); - - bool kvm_hv_hypercall_enabled(struct kvm *kvm); - int kvm_hv_hypercall(struct kvm_vcpu *vcpu); ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -2058,10 +2058,11 @@ static int set_msr_mce(struct kvm_vcpu * - vcpu->arch.mcg_status = data; - break; - case MSR_IA32_MCG_CTL: -- if (!(mcg_cap & MCG_CTL_P)) -+ if (!(mcg_cap & MCG_CTL_P) && -+ (data || !msr_info->host_initiated)) - return 1; - if (data != 0 && data != ~(u64)0) -- return -1; -+ return 1; - vcpu->arch.mcg_ctl = data; - break; - default: -@@ -2405,7 +2406,7 @@ int kvm_get_msr(struct kvm_vcpu *vcpu, s - } - EXPORT_SYMBOL_GPL(kvm_get_msr); - --static int get_msr_mce(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata) -+static int get_msr_mce(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host) - { - u64 data; - u64 mcg_cap = vcpu->arch.mcg_cap; -@@ -2420,7 +2421,7 @@ static int get_msr_mce(struct kvm_vcpu * - data = vcpu->arch.mcg_cap; - break; - case MSR_IA32_MCG_CTL: -- if (!(mcg_cap & MCG_CTL_P)) -+ if (!(mcg_cap & MCG_CTL_P) && !host) - return 1; - data = vcpu->arch.mcg_ctl; - break; -@@ -2545,7 +2546,8 @@ int kvm_get_msr_common(struct kvm_vcpu * - case MSR_IA32_MCG_CTL: - case MSR_IA32_MCG_STATUS: - case MSR_IA32_MC0_CTL ... MSR_IA32_MCx_CTL(KVM_MAX_MCE_BANKS) - 1: -- return get_msr_mce(vcpu, msr_info->index, &msr_info->data); -+ return get_msr_mce(vcpu, msr_info->index, &msr_info->data, -+ msr_info->host_initiated); - case MSR_K7_CLK_CTL: - /* - * Provide expected ramp-up count for K7. All other -@@ -2563,7 +2565,8 @@ int kvm_get_msr_common(struct kvm_vcpu * - case HV_X64_MSR_CRASH_CTL: - case HV_X64_MSR_STIMER0_CONFIG ... HV_X64_MSR_STIMER3_COUNT: - return kvm_hv_get_msr_common(vcpu, -- msr_info->index, &msr_info->data); -+ msr_info->index, &msr_info->data, -+ msr_info->host_initiated); - break; - case MSR_IA32_BBL_CR_CTL3: - /* This legacy MSR exists but isn't fully documented in current diff --git a/queue-4.9/pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch b/queue-4.9/pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch new file mode 100644 index 00000000000..b2202c90277 --- /dev/null +++ b/queue-4.9/pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch @@ -0,0 +1,39 @@ +From 19da44cd33a3a6ff7c97fff0189999ff15b241e4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 13 Jul 2018 17:55:15 +0300 +Subject: pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +commit 19da44cd33a3a6ff7c97fff0189999ff15b241e4 upstream. + +The info->groups[] array is allocated in imx1_pinctrl_parse_dt(). It +has info->ngroups elements. Thus the > here should be >= to prevent +reading one element beyond the end of the array. + +Cc: stable@vger.kernel.org +Fixes: 30612cd90005 ("pinctrl: imx1 core driver") +Signed-off-by: Dan Carpenter +Reviewed-by: Uwe Kleine-König +Acked-by: Dong Aisheng +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/freescale/pinctrl-imx1-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/freescale/pinctrl-imx1-core.c ++++ b/drivers/pinctrl/freescale/pinctrl-imx1-core.c +@@ -433,7 +433,7 @@ static void imx1_pinconf_group_dbg_show( + const char *name; + int i, ret; + +- if (group > info->ngroups) ++ if (group >= info->ngroups) + return; + + seq_puts(s, "\n"); diff --git a/queue-4.9/series b/queue-4.9/series index 8060745acc9..6dda41f0649 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -68,7 +68,6 @@ x86-speculation-l1tf-fix-overflow-in-l1tf_pfn_limit-on-32bit.patch x86-speculation-l1tf-fix-off-by-one-error-when-warning-that-system-has-too-much-ram.patch x86-speculation-l1tf-suggest-what-to-do-on-systems-with-too-much-ram.patch x86-process-re-export-start_thread.patch -kvm-x86-ensure-all-msrs-can-always-be-kvm_get-set_msr-d.patch kvm-x86-svm-call-x86_spec_ctrl_set_guest-host-with-interrupts-disabled.patch x86-kvm-vmx-remove-duplicate-l1d-flush-definitions.patch fuse-don-t-access-pipe-buffers-without-pipe_lock.patch @@ -78,3 +77,11 @@ fuse-fix-unlocked-access-to-processing-queue.patch fuse-umount-should-wait-for-all-requests.patch fuse-fix-oops-at-process_init_reply.patch fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch +udl-kms-change-down_interruptible-to-down.patch +udl-kms-handle-allocation-failure.patch +udl-kms-fix-crash-due-to-uninitialized-memory.patch +b43legacy-leds-ensure-nul-termination-of-led-name-string.patch +b43-leds-ensure-nul-termination-of-led-name-string.patch +asoc-dpcm-don-t-merge-format-from-invalid-codec-dai.patch +asoc-sirf-fix-potential-null-pointer-dereference.patch +pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch diff --git a/queue-4.9/udl-kms-change-down_interruptible-to-down.patch b/queue-4.9/udl-kms-change-down_interruptible-to-down.patch new file mode 100644 index 00000000000..a3b53355734 --- /dev/null +++ b/queue-4.9/udl-kms-change-down_interruptible-to-down.patch @@ -0,0 +1,44 @@ +From 8456b99c16d193c4c3b7df305cf431e027f0189c Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 3 Jun 2018 16:40:55 +0200 +Subject: udl-kms: change down_interruptible to down + +From: Mikulas Patocka + +commit 8456b99c16d193c4c3b7df305cf431e027f0189c upstream. + +If we leave urbs around, it causes not only leak, but also memory +corruption. This patch fixes the function udl_free_urb_list, so that it +always waits for all urbs that are in progress. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/udl/udl_main.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/gpu/drm/udl/udl_main.c ++++ b/drivers/gpu/drm/udl/udl_main.c +@@ -169,18 +169,13 @@ static void udl_free_urb_list(struct drm + struct list_head *node; + struct urb_node *unode; + struct urb *urb; +- int ret; + unsigned long flags; + + DRM_DEBUG("Waiting for completes and freeing all render urbs\n"); + + /* keep waiting and freeing, until we've got 'em all */ + while (count--) { +- +- /* Getting interrupted means a leak, but ok at shutdown*/ +- ret = down_interruptible(&udl->urbs.limit_sem); +- if (ret) +- break; ++ down(&udl->urbs.limit_sem); + + spin_lock_irqsave(&udl->urbs.lock, flags); + diff --git a/queue-4.9/udl-kms-fix-crash-due-to-uninitialized-memory.patch b/queue-4.9/udl-kms-fix-crash-due-to-uninitialized-memory.patch new file mode 100644 index 00000000000..e7f1b670af2 --- /dev/null +++ b/queue-4.9/udl-kms-fix-crash-due-to-uninitialized-memory.patch @@ -0,0 +1,32 @@ +From 09a00abe3a9941c2715ca83eb88172cd2f54d8fd Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 3 Jun 2018 16:40:57 +0200 +Subject: udl-kms: fix crash due to uninitialized memory + +From: Mikulas Patocka + +commit 09a00abe3a9941c2715ca83eb88172cd2f54d8fd upstream. + +We must use kzalloc when allocating the fb_deferred_io structure. +Otherwise, the field first_io is undefined and it causes a crash. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/udl/udl_fb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/udl/udl_fb.c ++++ b/drivers/gpu/drm/udl/udl_fb.c +@@ -217,7 +217,7 @@ static int udl_fb_open(struct fb_info *i + + struct fb_deferred_io *fbdefio; + +- fbdefio = kmalloc(sizeof(struct fb_deferred_io), GFP_KERNEL); ++ fbdefio = kzalloc(sizeof(struct fb_deferred_io), GFP_KERNEL); + + if (fbdefio) { + fbdefio->delay = DL_DEFIO_WRITE_DELAY; diff --git a/queue-4.9/udl-kms-handle-allocation-failure.patch b/queue-4.9/udl-kms-handle-allocation-failure.patch new file mode 100644 index 00000000000..2734182d6bd --- /dev/null +++ b/queue-4.9/udl-kms-handle-allocation-failure.patch @@ -0,0 +1,89 @@ +From 542bb9788a1f485eb1a2229178f665d8ea166156 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 3 Jun 2018 16:40:56 +0200 +Subject: udl-kms: handle allocation failure + +From: Mikulas Patocka + +commit 542bb9788a1f485eb1a2229178f665d8ea166156 upstream. + +Allocations larger than PAGE_ALLOC_COSTLY_ORDER are unreliable and they +may fail anytime. This patch fixes the udl kms driver so that when a large +alloactions fails, it tries to do multiple smaller allocations. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/udl/udl_main.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/udl/udl_main.c ++++ b/drivers/gpu/drm/udl/udl_main.c +@@ -199,17 +199,22 @@ static void udl_free_urb_list(struct drm + static int udl_alloc_urb_list(struct drm_device *dev, int count, size_t size) + { + struct udl_device *udl = dev->dev_private; +- int i = 0; + struct urb *urb; + struct urb_node *unode; + char *buf; ++ size_t wanted_size = count * size; + + spin_lock_init(&udl->urbs.lock); + ++retry: + udl->urbs.size = size; + INIT_LIST_HEAD(&udl->urbs.list); + +- while (i < count) { ++ sema_init(&udl->urbs.limit_sem, 0); ++ udl->urbs.count = 0; ++ udl->urbs.available = 0; ++ ++ while (udl->urbs.count * size < wanted_size) { + unode = kzalloc(sizeof(struct urb_node), GFP_KERNEL); + if (!unode) + break; +@@ -225,11 +230,16 @@ static int udl_alloc_urb_list(struct drm + } + unode->urb = urb; + +- buf = usb_alloc_coherent(udl->udev, MAX_TRANSFER, GFP_KERNEL, ++ buf = usb_alloc_coherent(udl->udev, size, GFP_KERNEL, + &urb->transfer_dma); + if (!buf) { + kfree(unode); + usb_free_urb(urb); ++ if (size > PAGE_SIZE) { ++ size /= 2; ++ udl_free_urb_list(dev); ++ goto retry; ++ } + break; + } + +@@ -240,16 +250,14 @@ static int udl_alloc_urb_list(struct drm + + list_add_tail(&unode->entry, &udl->urbs.list); + +- i++; ++ up(&udl->urbs.limit_sem); ++ udl->urbs.count++; ++ udl->urbs.available++; + } + +- sema_init(&udl->urbs.limit_sem, i); +- udl->urbs.count = i; +- udl->urbs.available = i; +- +- DRM_DEBUG("allocated %d %d byte urbs\n", i, (int) size); ++ DRM_DEBUG("allocated %d %d byte urbs\n", udl->urbs.count, (int) size); + +- return i; ++ return udl->urbs.count; + } + + struct urb *udl_get_urb(struct drm_device *dev)