From: Greg Kroah-Hartman Date: Sat, 2 Feb 2019 12:09:37 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.20.7~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ed43125dfb4358713ae50d5b635f5ab78805bc85;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-hda-realtek-fixed-hp_pin-no-value.patch arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch cifs-do-not-count-enodata-as-failure-for-query-directory.patch fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch gfs2-revert-fix-loop-in-gfs2_rbm_find.patch gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch gpio-pcf857x-fix-interrupts-on-multiple-instances.patch ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch --- diff --git a/queue-4.14/alsa-hda-realtek-fixed-hp_pin-no-value.patch b/queue-4.14/alsa-hda-realtek-fixed-hp_pin-no-value.patch new file mode 100644 index 00000000000..c473dd8a7ef --- /dev/null +++ b/queue-4.14/alsa-hda-realtek-fixed-hp_pin-no-value.patch @@ -0,0 +1,155 @@ +From 693abe11aa6b27aed6eb8222162f8fb986325cef Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Tue, 29 Jan 2019 15:38:21 +0800 +Subject: ALSA: hda/realtek - Fixed hp_pin no value + +From: Kailang Yang + +commit 693abe11aa6b27aed6eb8222162f8fb986325cef upstream. + +Fix hp_pin always no value. + +[More notes on the changes: + + The hp_pin value that is referred in alc294_hp_init() is always zero + at the moment the function gets called, hence this is actually + useless as in the current code. + + And, this kind of init sequence should be called from the codec init + callback, instead of the parser function. So, the first fix in this + patch to move the call call into its own init_hook. + + OTOH, this function is needed to be called only once after the boot, + and it'd take too long for invoking at each resume (where the init + callback gets called). So we add a new flag and invoke this only + once as an additional fix. + + The one case is still not covered, though: S4 resume. But this + change itself won't lead to any regression in that regard, so we + leave S4 issue as is for now and fix it later. -- tiwai ] + +Fixes: bde1a7459623 ("ALSA: hda/realtek - Fixed headphone issue for ALC700") +Signed-off-by: Kailang Yang +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 78 ++++++++++++++++++++++++------------------ + 1 file changed, 45 insertions(+), 33 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -118,6 +118,7 @@ struct alc_spec { + int codec_variant; /* flag for other variants */ + unsigned int has_alc5505_dsp:1; + unsigned int no_depop_delay:1; ++ unsigned int done_hp_init:1; + + /* for PLL fix */ + hda_nid_t pll_nid; +@@ -3213,6 +3214,48 @@ static void alc_default_shutup(struct hd + snd_hda_shutup_pins(codec); + } + ++static void alc294_hp_init(struct hda_codec *codec) ++{ ++ struct alc_spec *spec = codec->spec; ++ hda_nid_t hp_pin = spec->gen.autocfg.hp_pins[0]; ++ int i, val; ++ ++ if (!hp_pin) ++ return; ++ ++ snd_hda_codec_write(codec, hp_pin, 0, ++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE); ++ ++ msleep(100); ++ ++ snd_hda_codec_write(codec, hp_pin, 0, ++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0); ++ ++ alc_update_coef_idx(codec, 0x6f, 0x000f, 0);/* Set HP depop to manual mode */ ++ alc_update_coefex_idx(codec, 0x58, 0x00, 0x8000, 0x8000); /* HP depop procedure start */ ++ ++ /* Wait for depop procedure finish */ ++ val = alc_read_coefex_idx(codec, 0x58, 0x01); ++ for (i = 0; i < 20 && val & 0x0080; i++) { ++ msleep(50); ++ val = alc_read_coefex_idx(codec, 0x58, 0x01); ++ } ++ /* Set HP depop to auto mode */ ++ alc_update_coef_idx(codec, 0x6f, 0x000f, 0x000b); ++ msleep(50); ++} ++ ++static void alc294_init(struct hda_codec *codec) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (!spec->done_hp_init) { ++ alc294_hp_init(codec); ++ spec->done_hp_init = true; ++ } ++ alc_default_init(codec); ++} ++ + static void alc5505_coef_set(struct hda_codec *codec, unsigned int index_reg, + unsigned int val) + { +@@ -6981,37 +7024,6 @@ static void alc269_fill_coef(struct hda_ + alc_update_coef_idx(codec, 0x4, 0, 1<<11); + } + +-static void alc294_hp_init(struct hda_codec *codec) +-{ +- struct alc_spec *spec = codec->spec; +- hda_nid_t hp_pin = spec->gen.autocfg.hp_pins[0]; +- int i, val; +- +- if (!hp_pin) +- return; +- +- snd_hda_codec_write(codec, hp_pin, 0, +- AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE); +- +- msleep(100); +- +- snd_hda_codec_write(codec, hp_pin, 0, +- AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0); +- +- alc_update_coef_idx(codec, 0x6f, 0x000f, 0);/* Set HP depop to manual mode */ +- alc_update_coefex_idx(codec, 0x58, 0x00, 0x8000, 0x8000); /* HP depop procedure start */ +- +- /* Wait for depop procedure finish */ +- val = alc_read_coefex_idx(codec, 0x58, 0x01); +- for (i = 0; i < 20 && val & 0x0080; i++) { +- msleep(50); +- val = alc_read_coefex_idx(codec, 0x58, 0x01); +- } +- /* Set HP depop to auto mode */ +- alc_update_coef_idx(codec, 0x6f, 0x000f, 0x000b); +- msleep(50); +-} +- + /* + */ + static int patch_alc269(struct hda_codec *codec) +@@ -7148,7 +7160,7 @@ static int patch_alc269(struct hda_codec + spec->codec_variant = ALC269_TYPE_ALC294; + spec->gen.mixer_nid = 0; /* ALC2x4 does not have any loopback mixer path */ + alc_update_coef_idx(codec, 0x6b, 0x0018, (1<<4) | (1<<3)); /* UAJ MIC Vref control by verb */ +- alc294_hp_init(codec); ++ spec->init_hook = alc294_init; + break; + case 0x10ec0300: + spec->codec_variant = ALC269_TYPE_ALC300; +@@ -7160,7 +7172,7 @@ static int patch_alc269(struct hda_codec + spec->codec_variant = ALC269_TYPE_ALC700; + spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */ + alc_update_coef_idx(codec, 0x4a, 1 << 15, 0); /* Combo jack auto trigger control */ +- alc294_hp_init(codec); ++ spec->init_hook = alc294_init; + break; + + } diff --git a/queue-4.14/arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch b/queue-4.14/arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch new file mode 100644 index 00000000000..ca98b3f202f --- /dev/null +++ b/queue-4.14/arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch @@ -0,0 +1,67 @@ +From 65dbb423cf28232fed1732b779249d6164c5999b Mon Sep 17 00:00:00 2001 +From: Koen Vandeputte +Date: Thu, 31 Jan 2019 15:00:01 -0600 +Subject: ARM: cns3xxx: Fix writing to wrong PCI config registers after alignment + +From: Koen Vandeputte + +commit 65dbb423cf28232fed1732b779249d6164c5999b upstream. + +Originally, cns3xxx used its own functions for mapping, reading and +writing config registers. + +Commit 802b7c06adc7 ("ARM: cns3xxx: Convert PCI to use generic config +accessors") removed the internal PCI config write function in favor of +the generic one: + + cns3xxx_pci_write_config() --> pci_generic_config_write() + +cns3xxx_pci_write_config() expected aligned addresses, being produced by +cns3xxx_pci_map_bus() while the generic one pci_generic_config_write() +actually expects the real address as both the function and hardware are +capable of byte-aligned writes. + +This currently leads to pci_generic_config_write() writing to the wrong +registers. + +For instance, upon ath9k module loading: + +- driver ath9k gets loaded +- The driver wants to write value 0xA8 to register PCI_LATENCY_TIMER, + located at 0x0D +- cns3xxx_pci_map_bus() aligns the address to 0x0C +- pci_generic_config_write() effectively writes 0xA8 into register 0x0C + (CACHE_LINE_SIZE) + +Fix the bug by removing the alignment in the cns3xxx mapping function. + +Fixes: 802b7c06adc7 ("ARM: cns3xxx: Convert PCI to use generic config accessors") +Signed-off-by: Koen Vandeputte +[lorenzo.pieralisi@arm.com: updated commit log] +Signed-off-by: Lorenzo Pieralisi +Acked-by: Krzysztof Halasa +Acked-by: Tim Harvey +Acked-by: Arnd Bergmann +CC: stable@vger.kernel.org # v4.0+ +CC: Bjorn Helgaas +CC: Olof Johansson +CC: Robin Leblon +CC: Rob Herring +CC: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-cns3xxx/pcie.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-cns3xxx/pcie.c ++++ b/arch/arm/mach-cns3xxx/pcie.c +@@ -83,7 +83,7 @@ static void __iomem *cns3xxx_pci_map_bus + } else /* remote PCI bus */ + base = cnspci->cfg1_regs + ((busno & 0xf) << 20); + +- return base + (where & 0xffc) + (devfn << 12); ++ return base + where + (devfn << 12); + } + + static int cns3xxx_pci_read_config(struct pci_bus *bus, unsigned int devfn, diff --git a/queue-4.14/arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch b/queue-4.14/arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch new file mode 100644 index 00000000000..f20dd2e19be --- /dev/null +++ b/queue-4.14/arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch @@ -0,0 +1,44 @@ +From f7daa9c8fd191724b9ab9580a7be55cd1a67d799 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Thu, 24 Jan 2019 16:32:57 +0000 +Subject: arm64: hibernate: Clean the __hyp_text to PoC after resume + +From: James Morse + +commit f7daa9c8fd191724b9ab9580a7be55cd1a67d799 upstream. + +During resume hibernate restores all physical memory. Any memory +that is accessed with the MMU disabled needs to be cleaned to the +PoC. + +KVMs __hyp_text was previously ommitted as it runs with the MMU +enabled, but now that the hyp-stub is located in this section, +we must clean __hyp_text too. + +This ensures secondary CPUs that come online after hibernate +has finished resuming, and load KVM via the freshly written +hyp-stub see the correct instructions. + +Signed-off-by: James Morse +Cc: stable@vger.kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/hibernate.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/hibernate.c ++++ b/arch/arm64/kernel/hibernate.c +@@ -299,8 +299,10 @@ int swsusp_arch_suspend(void) + dcache_clean_range(__idmap_text_start, __idmap_text_end); + + /* Clean kvm setup code to PoC? */ +- if (el2_reset_needed()) ++ if (el2_reset_needed()) { + dcache_clean_range(__hyp_idmap_text_start, __hyp_idmap_text_end); ++ dcache_clean_range(__hyp_text_start, __hyp_text_end); ++ } + + /* make the crash dump kernel image protected again */ + crash_post_resume(); diff --git a/queue-4.14/arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch b/queue-4.14/arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch new file mode 100644 index 00000000000..1eccd762b01 --- /dev/null +++ b/queue-4.14/arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch @@ -0,0 +1,37 @@ +From 8fac5cbdfe0f01254d9d265c6aa1a95f94f58595 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Thu, 24 Jan 2019 16:32:56 +0000 +Subject: arm64: hyp-stub: Forbid kprobing of the hyp-stub + +From: James Morse + +commit 8fac5cbdfe0f01254d9d265c6aa1a95f94f58595 upstream. + +The hyp-stub is loaded by the kernel's early startup code at EL2 +during boot, before KVM takes ownership later. The hyp-stub's +text is part of the regular kernel text, meaning it can be kprobed. + +A breakpoint in the hyp-stub causes the CPU to spin in el2_sync_invalid. + +Add it to the __hyp_text. + +Signed-off-by: James Morse +Cc: stable@vger.kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/hyp-stub.S | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/kernel/hyp-stub.S ++++ b/arch/arm64/kernel/hyp-stub.S +@@ -28,6 +28,8 @@ + #include + + .text ++ .pushsection .hyp.text, "ax" ++ + .align 11 + + ENTRY(__hyp_stub_vectors) diff --git a/queue-4.14/arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch b/queue-4.14/arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch new file mode 100644 index 00000000000..097deb9d01b --- /dev/null +++ b/queue-4.14/arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch @@ -0,0 +1,46 @@ +From 8ea235932314311f15ea6cf65c1393ed7e31af70 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Sun, 27 Jan 2019 09:29:42 +0100 +Subject: arm64: kaslr: ensure randomized quantities are clean also when kaslr is off + +From: Ard Biesheuvel + +commit 8ea235932314311f15ea6cf65c1393ed7e31af70 upstream. + +Commit 1598ecda7b23 ("arm64: kaslr: ensure randomized quantities are +clean to the PoC") added cache maintenance to ensure that global +variables set by the kaslr init routine are not wiped clean due to +cache invalidation occurring during the second round of page table +creation. + +However, if kaslr_early_init() exits early with no randomization +being applied (either due to the lack of a seed, or because the user +has disabled kaslr explicitly), no cache maintenance is performed, +leading to the same issue we attempted to fix earlier, as far as the +module_alloc_base variable is concerned. + +Note that module_alloc_base cannot be initialized statically, because +that would cause it to be subject to a R_AARCH64_RELATIVE relocation, +causing it to be overwritten by the second round of KASLR relocation +processing. + +Fixes: f80fb3a3d508 ("arm64: add support for kernel ASLR") +Cc: # v4.6+ +Signed-off-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/kaslr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/kernel/kaslr.c ++++ b/arch/arm64/kernel/kaslr.c +@@ -88,6 +88,7 @@ u64 __init kaslr_early_init(u64 dt_phys) + * we end up running with module randomization disabled. + */ + module_alloc_base = (u64)_etext - MODULES_VSIZE; ++ __flush_dcache_area(&module_alloc_base, sizeof(module_alloc_base)); + + /* + * Try to map the FDT early. If this fails, we simply bail, diff --git a/queue-4.14/cifs-do-not-count-enodata-as-failure-for-query-directory.patch b/queue-4.14/cifs-do-not-count-enodata-as-failure-for-query-directory.patch new file mode 100644 index 00000000000..9eadbf68fc0 --- /dev/null +++ b/queue-4.14/cifs-do-not-count-enodata-as-failure-for-query-directory.patch @@ -0,0 +1,31 @@ +From 8e6e72aeceaaed5aeeb1cb43d3085de7ceb14f79 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Sat, 26 Jan 2019 12:21:32 -0800 +Subject: CIFS: Do not count -ENODATA as failure for query directory + +From: Pavel Shilovsky + +commit 8e6e72aeceaaed5aeeb1cb43d3085de7ceb14f79 upstream. + +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -3071,8 +3071,8 @@ SMB2_query_directory(const unsigned int + rsp->hdr.sync_hdr.Status == STATUS_NO_MORE_FILES) { + srch_inf->endOfSearch = true; + rc = 0; +- } +- cifs_stats_fail_inc(tcon, SMB2_QUERY_DIRECTORY_HE); ++ } else ++ cifs_stats_fail_inc(tcon, SMB2_QUERY_DIRECTORY_HE); + goto qdir_exit; + } + diff --git a/queue-4.14/fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch b/queue-4.14/fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch new file mode 100644 index 00000000000..ca280edd18f --- /dev/null +++ b/queue-4.14/fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch @@ -0,0 +1,50 @@ +From 1dbd449c9943e3145148cc893c2461b72ba6fef0 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Wed, 30 Jan 2019 13:52:36 -0500 +Subject: fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() + +From: Waiman Long + +commit 1dbd449c9943e3145148cc893c2461b72ba6fef0 upstream. + +The nr_dentry_unused per-cpu counter tracks dentries in both the LRU +lists and the shrink lists where the DCACHE_LRU_LIST bit is set. + +The shrink_dcache_sb() function moves dentries from the LRU list to a +shrink list and subtracts the dentry count from nr_dentry_unused. This +is incorrect as the nr_dentry_unused count will also be decremented in +shrink_dentry_list() via d_shrink_del(). + +To fix this double decrement, the decrement in the shrink_dcache_sb() +function is taken out. + +Fixes: 4e717f5c1083 ("list_lru: remove special case function list_lru_dispose_all." +Cc: stable@kernel.org +Signed-off-by: Waiman Long +Reviewed-by: Dave Chinner +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dcache.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1183,15 +1183,11 @@ static enum lru_status dentry_lru_isolat + */ + void shrink_dcache_sb(struct super_block *sb) + { +- long freed; +- + do { + LIST_HEAD(dispose); + +- freed = list_lru_walk(&sb->s_dentry_lru, ++ list_lru_walk(&sb->s_dentry_lru, + dentry_lru_isolate_shrink, &dispose, 1024); +- +- this_cpu_sub(nr_dentry_unused, freed); + shrink_dentry_list(&dispose); + cond_resched(); + } while (list_lru_count(&sb->s_dentry_lru) > 0); diff --git a/queue-4.14/gfs2-revert-fix-loop-in-gfs2_rbm_find.patch b/queue-4.14/gfs2-revert-fix-loop-in-gfs2_rbm_find.patch new file mode 100644 index 00000000000..49cc371965e --- /dev/null +++ b/queue-4.14/gfs2-revert-fix-loop-in-gfs2_rbm_find.patch @@ -0,0 +1,38 @@ +From e74c98ca2d6ae4376cc15fa2a22483430909d96b Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Wed, 30 Jan 2019 21:30:36 +0100 +Subject: gfs2: Revert "Fix loop in gfs2_rbm_find" + +From: Andreas Gruenbacher + +commit e74c98ca2d6ae4376cc15fa2a22483430909d96b upstream. + +This reverts commit 2d29f6b96d8f80322ed2dd895bca590491c38d34. + +It turns out that the fix can lead to a ~20 percent performance regression +in initial writes to the page cache according to iozone. Let's revert this +for now to have more time for a proper fix. + +Cc: stable@vger.kernel.org # v3.13+ +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/rgrp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -1695,9 +1695,9 @@ static int gfs2_rbm_find(struct gfs2_rbm + goto next_iter; + } + if (ret == -E2BIG) { +- n += rbm->bii - initial_bii; + rbm->bii = 0; + rbm->offset = 0; ++ n += (rbm->bii - initial_bii); + goto res_covered_end_of_rgrp; + } + return ret; diff --git a/queue-4.14/gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch b/queue-4.14/gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch new file mode 100644 index 00000000000..30468ae0f79 --- /dev/null +++ b/queue-4.14/gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch @@ -0,0 +1,38 @@ +From 2095a45e345e669ea77a9b34bdd7de5ceb422f93 Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Wed, 23 Jan 2019 08:00:57 +0800 +Subject: gpio: altera-a10sr: Set proper output level for direction_output + +From: Axel Lin + +commit 2095a45e345e669ea77a9b34bdd7de5ceb422f93 upstream. + +The altr_a10sr_gpio_direction_output should set proper output level +based on the value argument. + +Fixes: 26a48c4cc2f1 ("gpio: altera-a10sr: Add A10 System Resource Chip GPIO support.") +Cc: +Signed-off-by: Axel Lin +Tested by: Thor Thayer +Reviewed by: Thor Thayer +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-altera-a10sr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-altera-a10sr.c ++++ b/drivers/gpio/gpio-altera-a10sr.c +@@ -66,8 +66,10 @@ static int altr_a10sr_gpio_direction_inp + static int altr_a10sr_gpio_direction_output(struct gpio_chip *gc, + unsigned int nr, int value) + { +- if (nr <= (ALTR_A10SR_OUT_VALID_RANGE_HI - ALTR_A10SR_LED_VALID_SHIFT)) ++ if (nr <= (ALTR_A10SR_OUT_VALID_RANGE_HI - ALTR_A10SR_LED_VALID_SHIFT)) { ++ altr_a10sr_gpio_set(gc, nr, value); + return 0; ++ } + return -EINVAL; + } + diff --git a/queue-4.14/gpio-pcf857x-fix-interrupts-on-multiple-instances.patch b/queue-4.14/gpio-pcf857x-fix-interrupts-on-multiple-instances.patch new file mode 100644 index 00000000000..6fb47338628 --- /dev/null +++ b/queue-4.14/gpio-pcf857x-fix-interrupts-on-multiple-instances.patch @@ -0,0 +1,87 @@ +From 2486e67374aa8b7854c2de32869642c2873b3d53 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Wed, 9 Jan 2019 11:11:24 +0200 +Subject: gpio: pcf857x: Fix interrupts on multiple instances + +From: Roger Quadros + +commit 2486e67374aa8b7854c2de32869642c2873b3d53 upstream. + +When multiple instances of pcf857x chips are present, a fix up +message [1] is printed during the probe of the 2nd and later +instances. + +The issue is that the driver is using the same irq_chip data +structure between multiple instances. + +Fix this by allocating the irq_chip data structure per instance. + +[1] fix up message addressed by this patch +[ 1.212100] gpio gpiochip9: (pcf8575): detected irqchip that is shared with multiple gpiochips: please fix the driver. + +Cc: Stable +Signed-off-by: Roger Quadros +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-pcf857x.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +--- a/drivers/gpio/gpio-pcf857x.c ++++ b/drivers/gpio/gpio-pcf857x.c +@@ -84,6 +84,7 @@ MODULE_DEVICE_TABLE(of, pcf857x_of_table + */ + struct pcf857x { + struct gpio_chip chip; ++ struct irq_chip irqchip; + struct i2c_client *client; + struct mutex lock; /* protect 'out' */ + unsigned out; /* software latch */ +@@ -252,18 +253,6 @@ static void pcf857x_irq_bus_sync_unlock( + mutex_unlock(&gpio->lock); + } + +-static struct irq_chip pcf857x_irq_chip = { +- .name = "pcf857x", +- .irq_enable = pcf857x_irq_enable, +- .irq_disable = pcf857x_irq_disable, +- .irq_ack = noop, +- .irq_mask = noop, +- .irq_unmask = noop, +- .irq_set_wake = pcf857x_irq_set_wake, +- .irq_bus_lock = pcf857x_irq_bus_lock, +- .irq_bus_sync_unlock = pcf857x_irq_bus_sync_unlock, +-}; +- + /*-------------------------------------------------------------------------*/ + + static int pcf857x_probe(struct i2c_client *client, +@@ -376,8 +365,17 @@ static int pcf857x_probe(struct i2c_clie + + /* Enable irqchip if we have an interrupt */ + if (client->irq) { ++ gpio->irqchip.name = "pcf857x", ++ gpio->irqchip.irq_enable = pcf857x_irq_enable, ++ gpio->irqchip.irq_disable = pcf857x_irq_disable, ++ gpio->irqchip.irq_ack = noop, ++ gpio->irqchip.irq_mask = noop, ++ gpio->irqchip.irq_unmask = noop, ++ gpio->irqchip.irq_set_wake = pcf857x_irq_set_wake, ++ gpio->irqchip.irq_bus_lock = pcf857x_irq_bus_lock, ++ gpio->irqchip.irq_bus_sync_unlock = pcf857x_irq_bus_sync_unlock, + status = gpiochip_irqchip_add_nested(&gpio->chip, +- &pcf857x_irq_chip, ++ &gpio->irqchip, + 0, handle_level_irq, + IRQ_TYPE_NONE); + if (status) { +@@ -392,7 +390,7 @@ static int pcf857x_probe(struct i2c_clie + if (status) + goto fail; + +- gpiochip_set_nested_irqchip(&gpio->chip, &pcf857x_irq_chip, ++ gpiochip_set_nested_irqchip(&gpio->chip, &gpio->irqchip, + client->irq); + gpio->irq_parent = client->irq; + } diff --git a/queue-4.14/ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch b/queue-4.14/ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch new file mode 100644 index 00000000000..5bc4ad269bf --- /dev/null +++ b/queue-4.14/ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch @@ -0,0 +1,47 @@ +From 7709b0dc265f28695487712c45f02bbd1f98415d Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" +Date: Thu, 17 Jan 2019 12:42:04 -0800 +Subject: IB/hfi1: Remove overly conservative VM_EXEC flag check + +From: Michael J. Ruhl + +commit 7709b0dc265f28695487712c45f02bbd1f98415d upstream. + +Applications that use the stack for execution purposes cause userspace PSM +jobs to fail during mmap(). + +Both Fortran (non-standard format parsing) and C (callback functions +located in the stack) applications can be written such that stack +execution is required. The linker notes this via the gnu_stack ELF flag. + +This causes READ_IMPLIES_EXEC to be set which forces all PROT_READ mmaps +to have PROT_EXEC for the process. + +Checking for VM_EXEC bit and failing the request with EPERM is overly +conservative and will break any PSM application using executable stacks. + +Cc: #v4.14+ +Fixes: 12220267645c ("IB/hfi: Protect against writable mmap") +Reviewed-by: Mike Marciniszyn +Reviewed-by: Dennis Dalessandro +Reviewed-by: Ira Weiny +Signed-off-by: Michael J. Ruhl +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/file_ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/hfi1/file_ops.c ++++ b/drivers/infiniband/hw/hfi1/file_ops.c +@@ -605,7 +605,7 @@ static int hfi1_file_mmap(struct file *f + vmf = 1; + break; + case STATUS: +- if (flags & (unsigned long)(VM_WRITE | VM_EXEC)) { ++ if (flags & VM_WRITE) { + ret = -EPERM; + goto done; + } diff --git a/queue-4.14/iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch b/queue-4.14/iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch new file mode 100644 index 00000000000..ed0143fa14f --- /dev/null +++ b/queue-4.14/iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch @@ -0,0 +1,43 @@ +From 198bc3252ea3a45b0c5d500e6a5b91cfdd08f001 Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer +Date: Wed, 16 Jan 2019 20:11:44 +0100 +Subject: iommu/vt-d: Fix memory leak in intel_iommu_put_resv_regions() + +From: Gerald Schaefer + +commit 198bc3252ea3a45b0c5d500e6a5b91cfdd08f001 upstream. + +Commit 9d3a4de4cb8d ("iommu: Disambiguate MSI region types") changed +the reserved region type in intel_iommu_get_resv_regions() from +IOMMU_RESV_RESERVED to IOMMU_RESV_MSI, but it forgot to also change +the type in intel_iommu_put_resv_regions(). + +This leads to a memory leak, because now the check in +intel_iommu_put_resv_regions() for IOMMU_RESV_RESERVED will never +be true, and no allocated regions will be freed. + +Fix this by changing the region type in intel_iommu_put_resv_regions() +to IOMMU_RESV_MSI, matching the type of the allocated regions. + +Fixes: 9d3a4de4cb8d ("iommu: Disambiguate MSI region types") +Cc: # v4.11+ +Signed-off-by: Gerald Schaefer +Reviewed-by: Eric Auger +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -5210,7 +5210,7 @@ static void intel_iommu_put_resv_regions + struct iommu_resv_region *entry, *next; + + list_for_each_entry_safe(entry, next, head, list) { +- if (entry->type == IOMMU_RESV_RESERVED) ++ if (entry->type == IOMMU_RESV_MSI) + kfree(entry); + } + } diff --git a/queue-4.14/mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch b/queue-4.14/mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch new file mode 100644 index 00000000000..e5a5f8ece65 --- /dev/null +++ b/queue-4.14/mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch @@ -0,0 +1,37 @@ +From 8c9620b1cc9b69e82fa8d4081d646d0016b602e7 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sat, 19 Jan 2019 16:31:00 +0100 +Subject: mmc: bcm2835: Fix DMA channel leak on probe error + +From: Lukas Wunner + +commit 8c9620b1cc9b69e82fa8d4081d646d0016b602e7 upstream. + +The BCM2835 MMC host driver requests a DMA channel on probe but neglects +to release the channel in the probe error path. The channel may +therefore be leaked, in particular if devm_clk_get() causes probe +deferral. Fix it. + +Fixes: 660fc733bd74 ("mmc: bcm2835: Add new driver for the sdhost controller.") +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v4.12+ +Cc: Frank Pavlic +Tested-by: Stefan Wahren +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/bcm2835.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mmc/host/bcm2835.c ++++ b/drivers/mmc/host/bcm2835.c +@@ -1427,6 +1427,8 @@ static int bcm2835_probe(struct platform + + err: + dev_dbg(dev, "%s -> err %d\n", __func__, ret); ++ if (host->dma_chan_rxtx) ++ dma_release_channel(host->dma_chan_rxtx); + mmc_free_host(mmc); + + return ret; diff --git a/queue-4.14/nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch b/queue-4.14/nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch new file mode 100644 index 00000000000..21c17fb218a --- /dev/null +++ b/queue-4.14/nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch @@ -0,0 +1,52 @@ +From 8fc75bed96bb94e23ca51bd9be4daf65c57697bf Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 29 Jan 2019 15:52:55 -0500 +Subject: NFS: Fix up return value on fatal errors in nfs_page_async_flush() + +From: Trond Myklebust + +commit 8fc75bed96bb94e23ca51bd9be4daf65c57697bf upstream. + +Ensure that we return the fatal error value that caused us to exit +nfs_page_async_flush(). + +Fixes: c373fff7bd25 ("NFSv4: Don't special case "launder"") +Signed-off-by: Trond Myklebust +Cc: stable@vger.kernel.org # v4.12+ +Reviewed-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/write.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -618,11 +618,12 @@ static int nfs_page_async_flush(struct n + nfs_set_page_writeback(page); + WARN_ON_ONCE(test_bit(PG_CLEAN, &req->wb_flags)); + +- ret = 0; ++ ret = req->wb_context->error; + /* If there is a fatal error that covers this write, just exit */ +- if (nfs_error_is_fatal_on_server(req->wb_context->error)) ++ if (nfs_error_is_fatal_on_server(ret)) + goto out_launder; + ++ ret = 0; + if (!nfs_pageio_add_request(pgio, req)) { + ret = pgio->pg_error; + /* +@@ -632,9 +633,9 @@ static int nfs_page_async_flush(struct n + nfs_context_set_write_error(req->wb_context, ret); + if (nfs_error_is_fatal_on_server(ret)) + goto out_launder; +- } ++ } else ++ ret = -EAGAIN; + nfs_redirty_request(req); +- ret = -EAGAIN; + } else + nfs_add_stats(page_file_mapping(page)->host, + NFSIOS_WRITEPAGES, 1); diff --git a/queue-4.14/selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch b/queue-4.14/selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch new file mode 100644 index 00000000000..7217914aaf0 --- /dev/null +++ b/queue-4.14/selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch @@ -0,0 +1,176 @@ +From ed5f13261cb65b02c611ae9971677f33581d4286 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 25 Jan 2019 10:33:59 -0800 +Subject: selftests/seccomp: Enhance per-arch ptrace syscall skip tests + +From: Kees Cook + +commit ed5f13261cb65b02c611ae9971677f33581d4286 upstream. + +Passing EPERM during syscall skipping was confusing since the test wasn't +actually exercising the errno evaluation -- it was just passing a literal +"1" (EPERM). Instead, expand the tests to check both direct value returns +(positive, 45000 in this case), and errno values (negative, -ESRCH in this +case) to check both fake success and fake failure during syscall skipping. + +Reported-by: Colin Ian King +Fixes: a33b2d0359a0 ("selftests/seccomp: Add tests for basic ptrace actions") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 72 ++++++++++++++++++++------ + 1 file changed, 57 insertions(+), 15 deletions(-) + +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -1554,7 +1554,16 @@ TEST_F(TRACE_poke, getpid_runs_normally) + #ifdef SYSCALL_NUM_RET_SHARE_REG + # define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(-1, action) + #else +-# define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(val, action) ++# define EXPECT_SYSCALL_RETURN(val, action) \ ++ do { \ ++ errno = 0; \ ++ if (val < 0) { \ ++ EXPECT_EQ(-1, action); \ ++ EXPECT_EQ(-(val), errno); \ ++ } else { \ ++ EXPECT_EQ(val, action); \ ++ } \ ++ } while (0) + #endif + + /* Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for +@@ -1593,7 +1602,7 @@ int get_syscall(struct __test_metadata * + + /* Architecture-specific syscall changing routine. */ + void change_syscall(struct __test_metadata *_metadata, +- pid_t tracee, int syscall) ++ pid_t tracee, int syscall, int result) + { + int ret; + ARCH_REGS regs; +@@ -1652,7 +1661,7 @@ void change_syscall(struct __test_metada + #ifdef SYSCALL_NUM_RET_SHARE_REG + TH_LOG("Can't modify syscall return on this architecture"); + #else +- regs.SYSCALL_RET = EPERM; ++ regs.SYSCALL_RET = result; + #endif + + #ifdef HAVE_GETREGS +@@ -1680,14 +1689,19 @@ void tracer_syscall(struct __test_metada + case 0x1002: + /* change getpid to getppid. */ + EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee)); +- change_syscall(_metadata, tracee, __NR_getppid); ++ change_syscall(_metadata, tracee, __NR_getppid, 0); + break; + case 0x1003: +- /* skip gettid. */ ++ /* skip gettid with valid return code. */ + EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee)); +- change_syscall(_metadata, tracee, -1); ++ change_syscall(_metadata, tracee, -1, 45000); + break; + case 0x1004: ++ /* skip openat with error. */ ++ EXPECT_EQ(__NR_openat, get_syscall(_metadata, tracee)); ++ change_syscall(_metadata, tracee, -1, -ESRCH); ++ break; ++ case 0x1005: + /* do nothing (allow getppid) */ + EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee)); + break; +@@ -1720,9 +1734,11 @@ void tracer_ptrace(struct __test_metadat + nr = get_syscall(_metadata, tracee); + + if (nr == __NR_getpid) +- change_syscall(_metadata, tracee, __NR_getppid); ++ change_syscall(_metadata, tracee, __NR_getppid, 0); ++ if (nr == __NR_gettid) ++ change_syscall(_metadata, tracee, -1, 45000); + if (nr == __NR_openat) +- change_syscall(_metadata, tracee, -1); ++ change_syscall(_metadata, tracee, -1, -ESRCH); + } + + FIXTURE_DATA(TRACE_syscall) { +@@ -1739,8 +1755,10 @@ FIXTURE_SETUP(TRACE_syscall) + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1002), + BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_gettid, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1003), +- BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), ++ BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_openat, 0, 1), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1004), ++ BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), ++ BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1005), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + +@@ -1788,15 +1806,26 @@ TEST_F(TRACE_syscall, ptrace_syscall_red + EXPECT_NE(self->mypid, syscall(__NR_getpid)); + } + +-TEST_F(TRACE_syscall, ptrace_syscall_dropped) ++TEST_F(TRACE_syscall, ptrace_syscall_errno) ++{ ++ /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ ++ teardown_trace_fixture(_metadata, self->tracer); ++ self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, ++ true); ++ ++ /* Tracer should skip the open syscall, resulting in ESRCH. */ ++ EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat)); ++} ++ ++TEST_F(TRACE_syscall, ptrace_syscall_faked) + { + /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ + teardown_trace_fixture(_metadata, self->tracer); + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + true); + +- /* Tracer should skip the open syscall, resulting in EPERM. */ +- EXPECT_SYSCALL_RETURN(EPERM, syscall(__NR_openat)); ++ /* Tracer should skip the gettid syscall, resulting fake pid. */ ++ EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid)); + } + + TEST_F(TRACE_syscall, syscall_allowed) +@@ -1829,7 +1858,21 @@ TEST_F(TRACE_syscall, syscall_redirected + EXPECT_NE(self->mypid, syscall(__NR_getpid)); + } + +-TEST_F(TRACE_syscall, syscall_dropped) ++TEST_F(TRACE_syscall, syscall_errno) ++{ ++ long ret; ++ ++ ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); ++ ASSERT_EQ(0, ret); ++ ++ ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); ++ ASSERT_EQ(0, ret); ++ ++ /* openat has been skipped and an errno return. */ ++ EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat)); ++} ++ ++TEST_F(TRACE_syscall, syscall_faked) + { + long ret; + +@@ -1840,8 +1883,7 @@ TEST_F(TRACE_syscall, syscall_dropped) + ASSERT_EQ(0, ret); + + /* gettid has been skipped and an altered return value stored. */ +- EXPECT_SYSCALL_RETURN(EPERM, syscall(__NR_gettid)); +- EXPECT_NE(self->mytid, syscall(__NR_gettid)); ++ EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid)); + } + + TEST_F(TRACE_syscall, skip_after_RET_TRACE) diff --git a/queue-4.14/series b/queue-4.14/series index c187e2d535f..60d1ce15375 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -17,3 +17,18 @@ sctp-improve-the-events-for-sctp-stream-reset.patch l2tp-remove-l2specific_len-dependency-in-l2tp_core.patch l2tp-fix-reading-optional-fields-of-l2tpv3.patch ipvlan-l3mdev-fix-broken-l3s-mode-wrt-local-routes.patch +cifs-do-not-count-enodata-as-failure-for-query-directory.patch +fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch +iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch +selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch +nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch +arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch +arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch +arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch +arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch +gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch +gpio-pcf857x-fix-interrupts-on-multiple-instances.patch +gfs2-revert-fix-loop-in-gfs2_rbm_find.patch +mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch +alsa-hda-realtek-fixed-hp_pin-no-value.patch +ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch