From: Greg Kroah-Hartman Date: Sun, 11 Nov 2018 01:49:48 +0000 (-0800) Subject: 4.9-stable patches X-Git-Tag: v4.19.2~61 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=efba3acb9ca6e1b143383934fa394a5dfe590a40;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arm-dts-exynos-add-missing-cooling-device-properties-for-cpus.patch arm-dts-exynos-convert-exynos5250.dtsi-to-opp-v2-bindings.patch arm-dts-exynos-mark-1-ghz-cpu-opp-as-suspend-opp-on-exynos5250.patch arm-dts-exynos-remove-cooling-min-max-level-for-cpu-nodes.patch asoc-intel-skylake-add-missing-break-in-skl_tplg_get_token.patch asoc-sta32x-set-component-pointer-in-private-struct.patch crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch crypto-tcrypt-fix-ghash-generic-speed-test.patch drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch edac-i7core-sb-skx-_edac-fix-uncorrected-error-counting.patch edac-skx_edac-fix-logical-channel-intermediate-decoding.patch ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch ext4-propagate-error-from-dquot_initialize-in-ext4_ioc_fssetxattr.patch genirq-fix-race-on-spurious-interrupt-detection.patch gfs2_meta-mount-can-get-null-dev_name.patch hid-hiddev-fix-potential-spectre-v1.patch hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch iio-ad5064-fix-regulator-handling.patch iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch iio-adc-imx25-gcq-fix-leak-of-device_node-in-mx25_gcq_setup_cfgs.patch ima-fix-showing-large-violations-or-runtime_measurements_count.patch iwlwifi-mvm-check-return-value-of-rs_rate_from_ucode_rate.patch jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch kbuild-fix-kernel-bounds.c-w-1-warning.patch libertas-don-t-set-urb_zero_packet-on-in-usb-transfer.patch libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch net-ipv4-defensive-cipso-option-parsing.patch 
pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch signal-genwqe-fix-sending-of-sigkill.patch smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch tpm-restore-functionality-to-xen-vtpm-driver.patch usbip-vudc-bug-kmalloc-2048-not-tainted-poison-overwritten.patch w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch xen-blkfront-avoid-null-blkfront_info-dereference-on-device-removal.patch xen-fix-race-in-xen_qlock_wait.patch xen-make-xen_qlock_wait-nestable.patch xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch --- diff --git a/queue-4.9/arm-dts-exynos-add-missing-cooling-device-properties-for-cpus.patch b/queue-4.9/arm-dts-exynos-add-missing-cooling-device-properties-for-cpus.patch new file mode 100644 index 00000000000..2f9bfd8dbd1 --- /dev/null +++ b/queue-4.9/arm-dts-exynos-add-missing-cooling-device-properties-for-cpus.patch 
@@ -0,0 +1,111 @@ +From 672f33198bee21ee91e6af2cb8f67cfc8bc97ec1 Mon Sep 17 00:00:00 2001 +From: Viresh Kumar +Date: Fri, 25 May 2018 16:01:53 +0530 +Subject: arm: dts: exynos: Add missing cooling device properties for CPUs + +From: Viresh Kumar + +commit 672f33198bee21ee91e6af2cb8f67cfc8bc97ec1 upstream. + +The cooling device properties, like "#cooling-cells" and +"dynamic-power-coefficient", should either be present for all the CPUs +of a cluster or none. If these are present only for a subset of CPUs of +a cluster then things will start falling apart as soon as the CPUs are +brought online in a different order. For example, this will happen +because the operating system looks for such properties in the CPU node +it is trying to bring up, so that it can register a cooling device. + +Add such missing properties. + +Fix other missing properties (clocks, OPP, clock latency) as well to +make it all work. + +Signed-off-by: Viresh Kumar +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/exynos3250.dtsi | 16 ++++++++++++++++ + arch/arm/boot/dts/exynos4210.dtsi | 13 +++++++++++++ + arch/arm/boot/dts/exynos5250.dtsi | 23 +++++++++++++++++++++++ + 3 files changed, 52 insertions(+) + +--- a/arch/arm/boot/dts/exynos3250.dtsi ++++ b/arch/arm/boot/dts/exynos3250.dtsi +@@ -80,6 +80,22 @@ + compatible = "arm,cortex-a7"; + reg = <1>; + clock-frequency = <1000000000>; ++ clocks = <&cmu CLK_ARM_CLK>; ++ clock-names = "cpu"; ++ #cooling-cells = <2>; ++ ++ operating-points = < ++ 1000000 1150000 ++ 900000 1112500 ++ 800000 1075000 ++ 700000 1037500 ++ 600000 1000000 ++ 500000 962500 ++ 400000 925000 ++ 300000 887500 ++ 200000 850000 ++ 100000 850000 ++ >; + }; + }; + +--- a/arch/arm/boot/dts/exynos4210.dtsi ++++ b/arch/arm/boot/dts/exynos4210.dtsi +@@ -59,6 +59,19 @@ + device_type = "cpu"; + compatible = "arm,cortex-a9"; + reg = <0x901>; ++ clocks = <&clock CLK_ARM_CLK>; ++ clock-names = "cpu"; ++ clock-latency = <160000>; ++ ++ 
operating-points = < ++ 1200000 1250000 ++ 1000000 1150000 ++ 800000 1075000 ++ 500000 975000 ++ 400000 975000 ++ 200000 950000 ++ >; ++ #cooling-cells = <2>; /* min followed by max */ + }; + }; + +--- a/arch/arm/boot/dts/exynos5250.dtsi ++++ b/arch/arm/boot/dts/exynos5250.dtsi +@@ -87,6 +87,29 @@ + compatible = "arm,cortex-a15"; + reg = <1>; + clock-frequency = <1700000000>; ++ clocks = <&clock CLK_ARM_CLK>; ++ clock-names = "cpu"; ++ clock-latency = <140000>; ++ ++ operating-points = < ++ 1700000 1300000 ++ 1600000 1250000 ++ 1500000 1225000 ++ 1400000 1200000 ++ 1300000 1150000 ++ 1200000 1125000 ++ 1100000 1100000 ++ 1000000 1075000 ++ 900000 1050000 ++ 800000 1025000 ++ 700000 1012500 ++ 600000 1000000 ++ 500000 975000 ++ 400000 950000 ++ 300000 937500 ++ 200000 925000 ++ >; ++ #cooling-cells = <2>; /* min followed by max */ + }; + }; + diff --git a/queue-4.9/arm-dts-exynos-convert-exynos5250.dtsi-to-opp-v2-bindings.patch b/queue-4.9/arm-dts-exynos-convert-exynos5250.dtsi-to-opp-v2-bindings.patch new file mode 100644 index 00000000000..f95cb8fcf6a --- /dev/null +++ b/queue-4.9/arm-dts-exynos-convert-exynos5250.dtsi-to-opp-v2-bindings.patch 
@@ -0,0 +1,178 @@ +From eb9e16d8573e243f8175647f851eb5085dbe97a4 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Tue, 7 Aug 2018 12:48:48 +0200 +Subject: ARM: dts: exynos: Convert exynos5250.dtsi to opp-v2 bindings + +From: Marek Szyprowski + +commit eb9e16d8573e243f8175647f851eb5085dbe97a4 upstream. + +Convert Exynos5250 to OPP-v2 bindings. This is a preparation to add proper +support for suspend operation point, which cannot be marked in opp-v1. + +Cc: # 4.3.x: cd6f55457eb4: ARM: dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes +Cc: # 4.3.x: 672f33198bee: arm: dts: exynos: Add missing cooling device properties for CPUs +Cc: # 4.3.x +Signed-off-by: Marek Szyprowski +Reviewed-by: Chanwoo Choi +Acked-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/exynos5250.dtsi | 130 +++++++++++++++++++++++++------------- + 1 file changed, 88 insertions(+), 42 deletions(-) + +--- a/arch/arm/boot/dts/exynos5250.dtsi ++++ b/arch/arm/boot/dts/exynos5250.dtsi +@@ -57,62 +57,108 @@ + device_type = "cpu"; + compatible = "arm,cortex-a15"; + reg = <0>; +- clock-frequency = <1700000000>; + clocks = <&clock CLK_ARM_CLK>; + clock-names = "cpu"; +- clock-latency = <140000>; +- +- operating-points = < +- 1700000 1300000 +- 1600000 1250000 +- 1500000 1225000 +- 1400000 1200000 +- 1300000 1150000 +- 1200000 1125000 +- 1100000 1100000 +- 1000000 1075000 +- 900000 1050000 +- 800000 1025000 +- 700000 1012500 +- 600000 1000000 +- 500000 975000 +- 400000 950000 +- 300000 937500 +- 200000 925000 +- >; ++ operating-points-v2 = <&cpu0_opp_table>; + #cooling-cells = <2>; /* min followed by max */ + }; + cpu@1 { + device_type = "cpu"; + compatible = "arm,cortex-a15"; + reg = <1>; +- clock-frequency = <1700000000>; + clocks = <&clock CLK_ARM_CLK>; + clock-names = "cpu"; +- clock-latency = <140000>; +- +- operating-points = < +- 1700000 1300000 +- 1600000 1250000 +- 1500000 1225000 +- 1400000 1200000 +- 
1300000 1150000 +- 1200000 1125000 +- 1100000 1100000 +- 1000000 1075000 +- 900000 1050000 +- 800000 1025000 +- 700000 1012500 +- 600000 1000000 +- 500000 975000 +- 400000 950000 +- 300000 937500 +- 200000 925000 +- >; ++ operating-points-v2 = <&cpu0_opp_table>; + #cooling-cells = <2>; /* min followed by max */ + }; + }; + ++ cpu0_opp_table: opp_table0 { ++ compatible = "operating-points-v2"; ++ opp-shared; ++ ++ opp-200000000 { ++ opp-hz = /bits/ 64 <200000000>; ++ opp-microvolt = <925000>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-300000000 { ++ opp-hz = /bits/ 64 <300000000>; ++ opp-microvolt = <937500>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-400000000 { ++ opp-hz = /bits/ 64 <400000000>; ++ opp-microvolt = <950000>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-500000000 { ++ opp-hz = /bits/ 64 <500000000>; ++ opp-microvolt = <975000>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-600000000 { ++ opp-hz = /bits/ 64 <600000000>; ++ opp-microvolt = <1000000>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-700000000 { ++ opp-hz = /bits/ 64 <700000000>; ++ opp-microvolt = <1012500>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-800000000 { ++ opp-hz = /bits/ 64 <800000000>; ++ opp-microvolt = <1025000>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-900000000 { ++ opp-hz = /bits/ 64 <900000000>; ++ opp-microvolt = <1050000>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-1000000000 { ++ opp-hz = /bits/ 64 <1000000000>; ++ opp-microvolt = <1075000>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-1100000000 { ++ opp-hz = /bits/ 64 <1100000000>; ++ opp-microvolt = <1100000>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-1200000000 { ++ opp-hz = /bits/ 64 <1200000000>; ++ opp-microvolt = <1125000>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-1300000000 { ++ opp-hz = /bits/ 64 <1300000000>; ++ opp-microvolt = <1150000>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-1400000000 { ++ opp-hz = /bits/ 64 <1400000000>; ++ opp-microvolt = <1200000>; ++ clock-latency-ns = <140000>; 
++ }; ++ opp-1500000000 { ++ opp-hz = /bits/ 64 <1500000000>; ++ opp-microvolt = <1225000>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-1600000000 { ++ opp-hz = /bits/ 64 <1600000000>; ++ opp-microvolt = <1250000>; ++ clock-latency-ns = <140000>; ++ }; ++ opp-1700000000 { ++ opp-hz = /bits/ 64 <1700000000>; ++ opp-microvolt = <1300000>; ++ clock-latency-ns = <140000>; ++ }; ++ }; ++ + soc: soc { + sysram@02020000 { + compatible = "mmio-sram"; diff --git a/queue-4.9/arm-dts-exynos-mark-1-ghz-cpu-opp-as-suspend-opp-on-exynos5250.patch b/queue-4.9/arm-dts-exynos-mark-1-ghz-cpu-opp-as-suspend-opp-on-exynos5250.patch new file mode 100644 index 00000000000..9fa0e0cb052 --- /dev/null +++ b/queue-4.9/arm-dts-exynos-mark-1-ghz-cpu-opp-as-suspend-opp-on-exynos5250.patch 
@@ -0,0 +1,37 @@ +From 645b23da6f8b47f295fa87051335d41d139717a5 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Tue, 7 Aug 2018 12:48:49 +0200 +Subject: ARM: dts: exynos: Mark 1 GHz CPU OPP as suspend OPP on Exynos5250 + +From: Marek Szyprowski + +commit 645b23da6f8b47f295fa87051335d41d139717a5 upstream. + +1 GHz CPU OPP is the default boot value for the Exynos5250 SOC, so mark it +as suspend OPP. This fixes suspend/resume on Samsung Exynos5250 Snow +Chomebook, which was broken since switching to generic cpufreq-dt driver +in v4.3. + +Cc: # 4.3.x: cd6f55457eb4: ARM: dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes +Cc: # 4.3.x: 672f33198bee: arm: dts: exynos: Add missing cooling device properties for CPUs +Cc: # 4.3.x +Signed-off-by: Marek Szyprowski +Reviewed-by: Chanwoo Choi +Acked-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/exynos5250.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/exynos5250.dtsi ++++ b/arch/arm/boot/dts/exynos5250.dtsi +@@ -121,6 +121,7 @@ + opp-hz = /bits/ 64 <1000000000>; + opp-microvolt = <1075000>; + clock-latency-ns = <140000>; ++ opp-suspend; + }; + opp-1100000000 { + opp-hz = /bits/ 64 <1100000000>; diff --git a/queue-4.9/arm-dts-exynos-remove-cooling-min-max-level-for-cpu-nodes.patch b/queue-4.9/arm-dts-exynos-remove-cooling-min-max-level-for-cpu-nodes.patch new file mode 100644 index 00000000000..10758978579 --- /dev/null +++ b/queue-4.9/arm-dts-exynos-remove-cooling-min-max-level-for-cpu-nodes.patch 
@@ -0,0 +1,208 @@ +From cd6f55457eb449a388e793abd676e3a5b73510bc Mon Sep 17 00:00:00 2001 +From: Viresh Kumar +Date: Fri, 9 Feb 2018 14:28:01 +0530 +Subject: ARM: dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes + +From: Viresh Kumar + +commit cd6f55457eb449a388e793abd676e3a5b73510bc upstream. + +The "cooling-min-level" and "cooling-max-level" properties are not +parsed by any part of the kernel currently and the max cooling state of +a CPU cooling device is found by referring to the cpufreq table instead. + +Remove the unused properties from the CPU nodes. + +Signed-off-by: Viresh Kumar +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/exynos4210.dtsi | 2 -- + arch/arm/boot/dts/exynos4412.dtsi | 2 -- + arch/arm/boot/dts/exynos5250.dtsi | 2 -- + arch/arm/boot/dts/exynos5420-cpus.dtsi | 16 ---------------- + arch/arm/boot/dts/exynos5422-cpus.dtsi | 16 ---------------- + 5 files changed, 38 deletions(-) + +--- a/arch/arm/boot/dts/exynos4210.dtsi ++++ b/arch/arm/boot/dts/exynos4210.dtsi +@@ -52,8 +52,6 @@ + 400000 975000 + 200000 950000 + >; +- cooling-min-level = <4>; +- cooling-max-level = <2>; + #cooling-cells = <2>; /* min followed by max */ + }; + +--- a/arch/arm/boot/dts/exynos4412.dtsi ++++ b/arch/arm/boot/dts/exynos4412.dtsi +@@ -33,8 +33,6 @@ + clocks = <&clock CLK_ARM_CLK>; + clock-names = "cpu"; + operating-points-v2 = <&cpu0_opp_table>; +- cooling-min-level = <13>; +- cooling-max-level = <7>; + #cooling-cells = <2>; /* min followed by max */ + }; + +--- a/arch/arm/boot/dts/exynos5250.dtsi ++++ b/arch/arm/boot/dts/exynos5250.dtsi +@@ -80,8 +80,6 @@ + 300000 937500 + 200000 925000 + >; +- cooling-min-level = <15>; +- cooling-max-level = <9>; + #cooling-cells = <2>; /* min followed by max */ + }; + cpu@1 { +--- a/arch/arm/boot/dts/exynos5420-cpus.dtsi ++++ b/arch/arm/boot/dts/exynos5420-cpus.dtsi +@@ -33,8 +33,6 @@ + clock-frequency = <1800000000>; + cci-control-port = <&cci_control1>; + 
operating-points-v2 = <&cluster_a15_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <11>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -45,8 +43,6 @@ + clock-frequency = <1800000000>; + cci-control-port = <&cci_control1>; + operating-points-v2 = <&cluster_a15_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <11>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -57,8 +53,6 @@ + clock-frequency = <1800000000>; + cci-control-port = <&cci_control1>; + operating-points-v2 = <&cluster_a15_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <11>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -69,8 +63,6 @@ + clock-frequency = <1800000000>; + cci-control-port = <&cci_control1>; + operating-points-v2 = <&cluster_a15_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <11>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -82,8 +74,6 @@ + clock-frequency = <1000000000>; + cci-control-port = <&cci_control0>; + operating-points-v2 = <&cluster_a7_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <7>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -94,8 +84,6 @@ + clock-frequency = <1000000000>; + cci-control-port = <&cci_control0>; + operating-points-v2 = <&cluster_a7_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <7>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -106,8 +94,6 @@ + clock-frequency = <1000000000>; + cci-control-port = <&cci_control0>; + operating-points-v2 = <&cluster_a7_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <7>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -118,8 +104,6 @@ + clock-frequency = <1000000000>; + cci-control-port = <&cci_control0>; + operating-points-v2 = <&cluster_a7_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <7>; + #cooling-cells = <2>; /* min followed by max */ + }; + }; +--- a/arch/arm/boot/dts/exynos5422-cpus.dtsi ++++ 
b/arch/arm/boot/dts/exynos5422-cpus.dtsi +@@ -32,8 +32,6 @@ + clock-frequency = <1000000000>; + cci-control-port = <&cci_control0>; + operating-points-v2 = <&cluster_a7_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <11>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -44,8 +42,6 @@ + clock-frequency = <1000000000>; + cci-control-port = <&cci_control0>; + operating-points-v2 = <&cluster_a7_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <11>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -56,8 +52,6 @@ + clock-frequency = <1000000000>; + cci-control-port = <&cci_control0>; + operating-points-v2 = <&cluster_a7_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <11>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -68,8 +62,6 @@ + clock-frequency = <1000000000>; + cci-control-port = <&cci_control0>; + operating-points-v2 = <&cluster_a7_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <11>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -81,8 +73,6 @@ + clock-frequency = <1800000000>; + cci-control-port = <&cci_control1>; + operating-points-v2 = <&cluster_a15_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <15>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -93,8 +83,6 @@ + clock-frequency = <1800000000>; + cci-control-port = <&cci_control1>; + operating-points-v2 = <&cluster_a15_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <15>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -105,8 +93,6 @@ + clock-frequency = <1800000000>; + cci-control-port = <&cci_control1>; + operating-points-v2 = <&cluster_a15_opp_table>; +- cooling-min-level = <0>; +- cooling-max-level = <15>; + #cooling-cells = <2>; /* min followed by max */ + }; + +@@ -117,8 +103,6 @@ + clock-frequency = <1800000000>; + cci-control-port = <&cci_control1>; + operating-points-v2 = <&cluster_a15_opp_table>; +- cooling-min-level = <0>; +- 
cooling-max-level = <15>; + #cooling-cells = <2>; /* min followed by max */ + }; + }; diff --git a/queue-4.9/asoc-intel-skylake-add-missing-break-in-skl_tplg_get_token.patch b/queue-4.9/asoc-intel-skylake-add-missing-break-in-skl_tplg_get_token.patch new file mode 100644 index 00000000000..3a8027cab8a --- /dev/null +++ b/queue-4.9/asoc-intel-skylake-add-missing-break-in-skl_tplg_get_token.patch @@ -0,0 +1,33 @@ +From 9c80c5a8831471e0a3e139aad1b0d4c0fdc50b2f Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 3 Oct 2018 19:31:44 +0200 +Subject: ASoC: intel: skylake: Add missing break in skl_tplg_get_token() + +From: Takashi Iwai + +commit 9c80c5a8831471e0a3e139aad1b0d4c0fdc50b2f upstream. + +skl_tplg_get_token() misses a break in the big switch() block for +SKL_TKN_U8_CORE_ID entry. +Spotted nicely by -Wimplicit-fallthrough compiler option. + +Fixes: 6277e83292a2 ("ASoC: Intel: Skylake: Parse vendor tokens to build module data") +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/intel/skylake/skl-topology.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/intel/skylake/skl-topology.c ++++ b/sound/soc/intel/skylake/skl-topology.c +@@ -1780,6 +1780,7 @@ static int skl_tplg_get_token(struct dev + + case SKL_TKN_U8_CORE_ID: + mconfig->core_id = tkn_elem->value; ++ break; + + case SKL_TKN_U8_MOD_TYPE: + mconfig->m_type = tkn_elem->value; diff --git a/queue-4.9/asoc-sta32x-set-component-pointer-in-private-struct.patch b/queue-4.9/asoc-sta32x-set-component-pointer-in-private-struct.patch new file mode 100644 index 00000000000..e22d4d86a64 --- /dev/null +++ b/queue-4.9/asoc-sta32x-set-component-pointer-in-private-struct.patch 
@@ -0,0 +1,38 @@ +From 747df19747bc9752cd40b9cce761e17a033aa5c2 Mon Sep 17 00:00:00 2001 +From: Daniel Mack +Date: Thu, 11 Oct 2018 20:32:05 +0200 +Subject: ASoC: sta32x: set ->component pointer in private struct + +From: Daniel Mack + +commit 747df19747bc9752cd40b9cce761e17a033aa5c2 upstream. + +The ESD watchdog code in sta32x_watchdog() dereferences the pointer +which is never assigned. + +This is a regression from a1be4cead9b950 ("ASoC: sta32x: Convert to direct +regmap API usage.") which went unnoticed since nobody seems to use that ESD +workaround. + +Fixes: a1be4cead9b950 ("ASoC: sta32x: Convert to direct regmap API usage.") +Signed-off-by: Daniel Mack +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/sta32x.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/soc/codecs/sta32x.c ++++ b/sound/soc/codecs/sta32x.c +@@ -880,6 +880,9 @@ static int sta32x_probe(struct snd_soc_c + struct sta32x_priv *sta32x = snd_soc_codec_get_drvdata(codec); + struct sta32x_platform_data *pdata = sta32x->pdata; + int i, ret = 0, thermal = 0; ++ ++ sta32x->component = component; ++ + ret = regulator_bulk_enable(ARRAY_SIZE(sta32x->supplies), + sta32x->supplies); + if (ret != 0) { diff --git a/queue-4.9/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch b/queue-4.9/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch new file mode 100644 index 00000000000..1abba34f05f --- /dev/null +++ b/queue-4.9/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch 
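Review bot: In the sta32x_probe() hunk of asoc-sta32x-set-component-pointer-in-private-struct.patch, the added `sta32x->component = component;` reads an identifier `component` that no visible line declares. The surrounding context works on `codec` (`snd_soc_codec_get_drvdata(codec)`), and the hunk header cuts the parameter list off at `struct snd_soc_c`, so the parameter name cannot be confirmed from here. If this tree's probe still receives the codec rather than a component, the line will not build as queued, and the backport needs to assign whichever pointer this tree's sta32x_watchdog() actually dereferences, derived from `codec`. The function body continues outside the hunk, so this should be checked against the 4.9 source and build-tested with the driver enabled.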
@@ -0,0 +1,40 @@ +From fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 13 Sep 2018 10:51:31 +0200 +Subject: crypto: lrw - Fix out-of bounds access on counter overflow + +From: Ondrej Mosnacek + +commit fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 upstream. + +When the LRW block counter overflows, the current implementation returns +128 as the index to the precomputed multiplication table, which has 128 +entries. This patch fixes it to return the correct value (127). + +Fixes: 64470f1b8510 ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode") +Cc: # 2.6.20+ +Reported-by: Eric Biggers +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/lrw.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/crypto/lrw.c ++++ b/crypto/lrw.c +@@ -132,7 +132,12 @@ static inline int get_index128(be128 *bl + return x + ffz(val); + } + +- return x; ++ /* ++ * If we get here, then x == 128 and we are incrementing the counter ++ * from all ones to all zeros. This means we must return index 127, i.e. ++ * the one corresponding to key2*{ 1,...,1 }. ++ */ ++ return 127; + } + + static int crypt(struct blkcipher_desc *d, diff --git a/queue-4.9/crypto-tcrypt-fix-ghash-generic-speed-test.patch b/queue-4.9/crypto-tcrypt-fix-ghash-generic-speed-test.patch new file mode 100644 index 00000000000..bbb12bdf9ed --- /dev/null +++ b/queue-4.9/crypto-tcrypt-fix-ghash-generic-speed-test.patch 
@@ -0,0 +1,43 @@ +From 331351f89c36bf7d03561a28b6f64fa10a9f6f3a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Wed, 12 Sep 2018 16:20:48 +0300 +Subject: crypto: tcrypt - fix ghash-generic speed test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit 331351f89c36bf7d03561a28b6f64fa10a9f6f3a upstream. + +ghash is a keyed hash algorithm, thus setkey needs to be called. +Otherwise the following error occurs: +$ modprobe tcrypt mode=318 sec=1 +testing speed of async ghash-generic (ghash-generic) +tcrypt: test 0 ( 16 byte blocks, 16 bytes per update, 1 updates): +tcrypt: hashing failed ret=-126 + +Cc: # 4.6+ +Fixes: 0660511c0bee ("crypto: tcrypt - Use ahash") +Tested-by: Franck Lenormand +Signed-off-by: Horia Geantă +Acked-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/tcrypt.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/crypto/tcrypt.c ++++ b/crypto/tcrypt.c +@@ -729,6 +729,9 @@ static void test_ahash_speed_common(cons + break; + } + ++ if (speed[i].klen) ++ crypto_ahash_setkey(tfm, tvmem[0], speed[i].klen); ++ + pr_info("test%3u " + "(%5u byte blocks,%5u bytes per update,%4u updates): ", + i, speed[i].blen, speed[i].plen, speed[i].blen / speed[i].plen); diff --git a/queue-4.9/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch b/queue-4.9/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch new file mode 100644 index 00000000000..cf74cb3cdf6 --- /dev/null +++ b/queue-4.9/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch 
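Review bot: The added `crypto_ahash_setkey(tfm, tvmem[0], speed[i].klen);` in test_ahash_speed_common() discards its return value. A rejected key would then surface only later as the same generic `hashing failed ret=...` message this patch is meant to eliminate, with no hint that keying was the cause. Capture and report the result at the call site, for example `ret = crypto_ahash_setkey(tfm, tvmem[0], speed[i].klen);` followed by `if (ret) { pr_err("setkey failed ret=%d\n", ret); break; }`. The declaration of a suitable `ret` and the correct exit from the loop are outside the hunk, so both need confirming against the full function.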
@@ -0,0 +1,64 @@ +From fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Sun, 23 Sep 2018 21:10:43 +0000 +Subject: Drivers: hv: kvp: Fix two "this statement may fall through" warnings + +From: Dexuan Cui + +commit fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d upstream. + +We don't need to call process_ib_ipinfo() if message->kvp_hdr.operation is +KVP_OP_GET_IP_INFO in kvp_send_key(), because here we just need to pass on +the op code from the host to the userspace; when the userspace returns +the info requested by the host, we pass the info on to the host in +kvp_respond_to_host() -> process_ob_ipinfo(). BTW, the current buggy code +actually doesn't cause any harm, because only message->kvp_hdr.operation +is used by the userspace, in the case of KVP_OP_GET_IP_INFO. + +The patch also adds a missing "break;" in kvp_send_key(). BTW, the current +buggy code actually doesn't cause any harm, because in the case of +KVP_OP_SET, the unexpected fall-through corrupts +message->body.kvp_set.data.key_size, but that is not really used: see +the definition of struct hv_kvp_exchg_msg_value. + +Signed-off-by: Dexuan Cui +Cc: K. Y. Srinivasan +Cc: Haiyang Zhang +Cc: Stephen Hemminger +Cc: +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv_kvp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/hv/hv_kvp.c ++++ b/drivers/hv/hv_kvp.c +@@ -340,7 +340,6 @@ static void process_ib_ipinfo(void *in_m + + out->body.kvp_ip_val.dhcp_enabled = in->kvp_ip_val.dhcp_enabled; + +- default: + utf16s_to_utf8s((wchar_t *)in->kvp_ip_val.adapter_id, + MAX_ADAPTER_ID_SIZE, + UTF16_LITTLE_ENDIAN, +@@ -393,7 +392,7 @@ kvp_send_key(struct work_struct *dummy) + process_ib_ipinfo(in_msg, message, KVP_OP_SET_IP_INFO); + break; + case KVP_OP_GET_IP_INFO: +- process_ib_ipinfo(in_msg, message, KVP_OP_GET_IP_INFO); ++ /* We only need to pass on message->kvp_hdr.operation. 
*/ + break; + case KVP_OP_SET: + switch (in_msg->body.kvp_set.data.value_type) { +@@ -433,6 +432,9 @@ kvp_send_key(struct work_struct *dummy) + break; + + } ++ ++ break; ++ + case KVP_OP_GET: + message->body.kvp_set.data.key_size = + utf16s_to_utf8s( diff --git a/queue-4.9/edac-i7core-sb-skx-_edac-fix-uncorrected-error-counting.patch b/queue-4.9/edac-i7core-sb-skx-_edac-fix-uncorrected-error-counting.patch new file mode 100644 index 00000000000..3ba4b1f411f --- /dev/null +++ b/queue-4.9/edac-i7core-sb-skx-_edac-fix-uncorrected-error-counting.patch 
@@ -0,0 +1,62 @@ +From 432de7fd7630c84ad24f1c2acd1e3bb4ce3741ca Mon Sep 17 00:00:00 2001 +From: Tony Luck +Date: Fri, 28 Sep 2018 14:39:34 -0700 +Subject: EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting + +From: Tony Luck + +commit 432de7fd7630c84ad24f1c2acd1e3bb4ce3741ca upstream. + +The count of errors is picked up from bits 52:38 of the machine check +bank status register. But this is the count of *corrected* errors. If an +uncorrected error is being logged, the h/w sets this field to 0. Which +means that when edac_mc_handle_error() is called, the EDAC core will +carefully add zero to the appropriate uncorrected error counts. + +Signed-off-by: Tony Luck +[ Massage commit message. ] +Signed-off-by: Borislav Petkov +Cc: stable@vger.kernel.org +Cc: Aristeu Rozanski +Cc: Mauro Carvalho Chehab +Cc: Qiuxu Zhuo +Cc: linux-edac +Link: http://lkml.kernel.org/r/20180928213934.19890-1-tony.luck@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/i7core_edac.c | 1 + + drivers/edac/sb_edac.c | 1 + + drivers/edac/skx_edac.c | 1 + + 3 files changed, 3 insertions(+) + +--- a/drivers/edac/i7core_edac.c ++++ b/drivers/edac/i7core_edac.c +@@ -1711,6 +1711,7 @@ static void i7core_mce_output_error(stru + u32 errnum = find_first_bit(&error, 32); + + if (uncorrected_error) { ++ core_err_cnt = 1; + if (ripv) + tp_event = HW_EVENT_ERR_FATAL; + else +--- a/drivers/edac/sb_edac.c ++++ b/drivers/edac/sb_edac.c +@@ -2934,6 +2934,7 @@ static void sbridge_mce_output_error(str + recoverable = GET_BITFIELD(m->status, 56, 56); + + if (uncorrected_error) { ++ core_err_cnt = 1; + if (ripv) { + type = "FATAL"; + tp_event = HW_EVENT_ERR_FATAL; +--- a/drivers/edac/skx_edac.c ++++ b/drivers/edac/skx_edac.c +@@ -897,6 +897,7 @@ static void skx_mce_output_error(struct + recoverable = GET_BITFIELD(m->status, 56, 56); + + if (uncorrected_error) { ++ core_err_cnt = 1; + if (ripv) { + type = "FATAL"; + tp_event = HW_EVENT_ERR_FATAL; 
diff --git a/queue-4.9/edac-skx_edac-fix-logical-channel-intermediate-decoding.patch b/queue-4.9/edac-skx_edac-fix-logical-channel-intermediate-decoding.patch new file mode 100644 index 00000000000..f2a2c4df62a --- /dev/null +++ b/queue-4.9/edac-skx_edac-fix-logical-channel-intermediate-decoding.patch @@ -0,0 +1,41 @@ +From 8f18973877204dc8ca4ce1004a5d28683b9a7086 Mon Sep 17 00:00:00 2001 +From: Qiuxu Zhuo +Date: Tue, 9 Oct 2018 10:20:25 -0700 +Subject: EDAC, skx_edac: Fix logical channel intermediate decoding + +From: Qiuxu Zhuo + +commit 8f18973877204dc8ca4ce1004a5d28683b9a7086 upstream. + +The code "lchan = (lchan << 1) | ~lchan" for logical channel +intermediate decoding is wrong. The wrong intermediate decoding +result is {0xffffffff, 0xfffffffe}. + +Fix it by replacing '~' with '!'. The correct intermediate +decoding result is {0x1, 0x2}. + +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Signed-off-by: Borislav Petkov +CC: Aristeu Rozanski +CC: Mauro Carvalho Chehab +CC: linux-edac +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/20181009172025.18594-1-tony.luck@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/skx_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/skx_edac.c ++++ b/drivers/edac/skx_edac.c +@@ -606,7 +606,7 @@ sad_found: + break; + case 2: + lchan = (addr >> shift) % 2; +- lchan = (lchan << 1) | ~lchan; ++ lchan = (lchan << 1) | !lchan; + break; + case 3: + lchan = ((addr >> shift) % 2) << 1; diff --git a/queue-4.9/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch b/queue-4.9/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch new file mode 100644 index 00000000000..7f575d30378 --- /dev/null +++ b/queue-4.9/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch 
@@ -0,0 +1,34 @@ +From 625ef8a3acd111d5f496d190baf99d1a815bd03e Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Tue, 2 Oct 2018 21:18:45 -0400 +Subject: ext4: initialize retries variable in ext4_da_write_inline_data_begin() + +From: Lukas Czerner + +commit 625ef8a3acd111d5f496d190baf99d1a815bd03e upstream. + +Variable retries is not initialized in ext4_da_write_inline_data_begin() +which can lead to nondeterministic number of retries in case we hit +ENOSPC. Initialize retries to zero as we do everywhere else. + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +Fixes: bc0ca9df3b2a ("ext4: retry allocation when inline->extent conversion failed") +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -860,7 +860,7 @@ int ext4_da_write_inline_data_begin(stru + handle_t *handle; + struct page *page; + struct ext4_iloc iloc; +- int retries; ++ int retries = 0; + + ret = ext4_get_inode_loc(inode, &iloc); + if (ret) diff --git a/queue-4.9/ext4-propagate-error-from-dquot_initialize-in-ext4_ioc_fssetxattr.patch b/queue-4.9/ext4-propagate-error-from-dquot_initialize-in-ext4_ioc_fssetxattr.patch new file mode 100644 index 00000000000..0491410fe20 --- /dev/null +++ b/queue-4.9/ext4-propagate-error-from-dquot_initialize-in-ext4_ioc_fssetxattr.patch 
@@ -0,0 +1,38 @@
+From 182a79e0c17147d2c2d3990a9a7b6b58a1561c7a Mon Sep 17 00:00:00 2001
+From: Wang Shilong
+Date: Wed, 3 Oct 2018 12:19:21 -0400
+Subject: ext4: propagate error from dquot_initialize() in EXT4_IOC_FSSETXATTR
+
+From: Wang Shilong
+
+commit 182a79e0c17147d2c2d3990a9a7b6b58a1561c7a upstream.
+
+We return most failure of dquota_initialize() except
+inode evict, this could make a bit sense, for example
+we allow file removal even quota files are broken?
+
+But it dosen't make sense to allow setting project
+if quota files etc are broken.
+
+Signed-off-by: Wang Shilong
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/ioctl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -345,7 +345,9 @@ static int ext4_ioctl_setproject(struct
+ }
+ brelse(iloc.bh);
+
+- dquot_initialize(inode);
++ err = dquot_initialize(inode);
++ if (err)
++ return err;
+
+ handle = ext4_journal_start(inode, EXT4_HT_QUOTA,
+ EXT4_QUOTA_INIT_BLOCKS(sb) +
diff --git a/queue-4.9/genirq-fix-race-on-spurious-interrupt-detection.patch b/queue-4.9/genirq-fix-race-on-spurious-interrupt-detection.patch
new file mode 100644
index 00000000000..9805378d730
--- /dev/null
+++ b/queue-4.9/genirq-fix-race-on-spurious-interrupt-detection.patch
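Review bot: In fs/ext4/ioctl.c the added `return err;` after `dquot_initialize(inode)` leaves ext4_ioctl_setproject() directly, and the hunk does not show what the function holds at that point. The function starts outside the hunk; if the 4.9 version has already taken the inode lock or a write reference on the mount before this line, the early return skips their release on a path that is reachable whenever quota initialisation fails. This is worth checking against the 4.9 source because the change is a backport, and if so the error should leave through the function's existing cleanup path, e.g. `if (err) goto <cleanup label>;`. The buffer head is not affected, since `brelse(iloc.bh)` runs on the line above.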
@@ -0,0 +1,96 @@ +From 746a923b863a1065ef77324e1e43f19b1a3eab5c Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 18 Oct 2018 15:15:05 +0200 +Subject: genirq: Fix race on spurious interrupt detection + +From: Lukas Wunner + +commit 746a923b863a1065ef77324e1e43f19b1a3eab5c upstream. + +Commit 1e77d0a1ed74 ("genirq: Sanitize spurious interrupt detection of +threaded irqs") made detection of spurious interrupts work for threaded +handlers by: + +a) incrementing a counter every time the thread returns IRQ_HANDLED, and +b) checking whether that counter has increased every time the thread is + woken. + +However for oneshot interrupts, the commit unmasks the interrupt before +incrementing the counter. If another interrupt occurs right after +unmasking but before the counter is incremented, that interrupt is +incorrectly considered spurious: + +time + | irq_thread() + | irq_thread_fn() + | action->thread_fn() + | irq_finalize_oneshot() + | unmask_threaded_irq() /* interrupt is unmasked */ + | + | /* interrupt fires, incorrectly deemed spurious */ + | + | atomic_inc(&desc->threads_handled); /* counter is incremented */ + v + +This is observed with a hi3110 CAN controller receiving data at high volume +(from a separate machine sending with "cangen -g 0 -i -x"): The controller +signals a huge number of interrupts (hundreds of millions per day) and +every second there are about a dozen which are deemed spurious. + +In theory with high CPU load and the presence of higher priority tasks, the +number of incorrectly detected spurious interrupts might increase beyond +the 99,900 threshold and cause disablement of the interrupt. + +In practice it just increments the spurious interrupt count. But that can +cause people to waste time investigating it over and over. + +Fix it by moving the accounting before the invocation of +irq_finalize_oneshot(). 
+ +[ tglx: Folded change log update ] + +Fixes: 1e77d0a1ed74 ("genirq: Sanitize spurious interrupt detection of threaded irqs") +Signed-off-by: Lukas Wunner +Signed-off-by: Thomas Gleixner +Cc: Mathias Duckeck +Cc: Akshay Bhat +Cc: Casey Fitzpatrick +Cc: stable@vger.kernel.org # v3.16+ +Link: https://lkml.kernel.org/r/1dfd8bbd16163940648045495e3e9698e63b50ad.1539867047.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/manage.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -878,6 +878,9 @@ irq_forced_thread_fn(struct irq_desc *de + + local_bh_disable(); + ret = action->thread_fn(action->irq, action->dev_id); ++ if (ret == IRQ_HANDLED) ++ atomic_inc(&desc->threads_handled); ++ + irq_finalize_oneshot(desc, action); + local_bh_enable(); + return ret; +@@ -894,6 +897,9 @@ static irqreturn_t irq_thread_fn(struct + irqreturn_t ret; + + ret = action->thread_fn(action->irq, action->dev_id); ++ if (ret == IRQ_HANDLED) ++ atomic_inc(&desc->threads_handled); ++ + irq_finalize_oneshot(desc, action); + return ret; + } +@@ -971,8 +977,6 @@ static int irq_thread(void *data) + irq_thread_check_affinity(desc, action); + + action_ret = handler_fn(desc, action); +- if (action_ret == IRQ_HANDLED) +- atomic_inc(&desc->threads_handled); + if (action_ret == IRQ_WAKE_THREAD) + irq_wake_secondary(desc, action); + diff --git a/queue-4.9/gfs2_meta-mount-can-get-null-dev_name.patch b/queue-4.9/gfs2_meta-mount-can-get-null-dev_name.patch new file mode 100644 index 00000000000..b0cff60be8a --- /dev/null +++ b/queue-4.9/gfs2_meta-mount-can-get-null-dev_name.patch 
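Review bot: In kernel/irq/manage.c the two added `atomic_inc(&desc->threads_handled)` blocks in irq_forced_thread_fn() and irq_thread_fn() only work because they run before `irq_finalize_oneshot()`, and nothing in the code says so. Per the commit message, a oneshot interrupt that fires after the unmask but before the increment is counted as spurious, so the ordering is the whole fix and the duplicated lines are an easy target for a later cleanup that folds them back into irq_thread(). A comment above each copy would guard against that, e.g. `/* Count before irq_finalize_oneshot() unmasks the line, or a new irq may be deemed spurious */`. Both function bodies start outside their hunks.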
@@ -0,0 +1,32 @@
+From 3df629d873f8683af6f0d34dfc743f637966d483 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sat, 13 Oct 2018 00:19:13 -0400
+Subject: gfs2_meta: ->mount() can get NULL dev_name
+
+From: Al Viro
+
+commit 3df629d873f8683af6f0d34dfc743f637966d483 upstream.
+
+get in sync with mount_bdev() handling of the same
+
+Reported-by: syzbot+c54f8e94e6bba03b04e9@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/gfs2/ops_fstype.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -1355,6 +1355,9 @@ static struct dentry *gfs2_mount_meta(st
+ struct path path;
+ int error;
+
++ if (!dev_name || !*dev_name)
++ return ERR_PTR(-EINVAL);
++
+ error = kern_path(dev_name, LOOKUP_FOLLOW, &path);
+ if (error) {
+ pr_warn("path_lookup on %s returned error %d\n",
diff --git a/queue-4.9/hid-hiddev-fix-potential-spectre-v1.patch b/queue-4.9/hid-hiddev-fix-potential-spectre-v1.patch
new file mode 100644
index 00000000000..5b06d14fc4c
--- /dev/null
+++ b/queue-4.9/hid-hiddev-fix-potential-spectre-v1.patch
@@ -0,0 +1,76 @@ +From f11274396a538b31bc010f782e05c2ce3f804c13 Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Fri, 19 Oct 2018 17:01:33 -0300 +Subject: HID: hiddev: fix potential Spectre v1 + +From: Breno Leitao + +commit f11274396a538b31bc010f782e05c2ce3f804c13 upstream. + +uref->usage_index can be indirectly controlled by userspace, hence leading +to a potential exploitation of the Spectre variant 1 vulnerability. + +This field is used as an array index by the hiddev_ioctl_usage() function, +when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or +HIDIOCSUSAGES. + +For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to +field->maxusage and then used as an index to dereference field->usage +array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where +uref->usage_index is checked against an array maximum value and then it is +used as an index in an array. + +This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the +traditional Spectre V1 first load: + + copy_from_user(uref, user_arg, sizeof(*uref)) + if (uref->usage_index >= field->maxusage) + goto inval; + i = field->usage[uref->usage_index].collection_index; + return i; + +This patch fixes this by sanitizing field uref->usage_index before using it +to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in +HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load. 
+ +Cc: +Signed-off-by: Breno Leitao +v2: Contemplate cmd == HIDIOC{G,S}USAGES case +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/usbhid/hiddev.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -521,14 +521,24 @@ static noinline int hiddev_ioctl_usage(s + if (cmd == HIDIOCGCOLLECTIONINDEX) { + if (uref->usage_index >= field->maxusage) + goto inval; ++ uref->usage_index = ++ array_index_nospec(uref->usage_index, ++ field->maxusage); + } else if (uref->usage_index >= field->report_count) + goto inval; + } + +- if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && +- (uref_multi->num_values > HID_MAX_MULTI_USAGES || +- uref->usage_index + uref_multi->num_values > field->report_count)) +- goto inval; ++ if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) { ++ if (uref_multi->num_values > HID_MAX_MULTI_USAGES || ++ uref->usage_index + uref_multi->num_values > ++ field->report_count) ++ goto inval; ++ ++ uref->usage_index = ++ array_index_nospec(uref->usage_index, ++ field->report_count - ++ uref_multi->num_values); ++ } + + switch (cmd) { + case HIDIOCGUSAGE: diff --git a/queue-4.9/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch b/queue-4.9/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch new file mode 100644 index 00000000000..bdb3754157a --- /dev/null +++ b/queue-4.9/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch 
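Review bot: In drivers/hid/usbhid/hiddev.c the second `array_index_nospec()` call takes `field->report_count - uref_multi->num_values` as its size, which excludes an index that the check just above accepts. That check rejects only `usage_index + num_values > field->report_count`, so `usage_index == report_count - num_values` is valid, but `array_index_nospec(index, size)` yields 0 whenever `index >= size`, and a request for the last `num_values` entries would then be served from index 0. A size one larger, `field->report_count - uref_multi->num_values + 1`, keeps every accepted index unchanged and still bounds the speculative case. The enclosing block starts outside the hunk, so whether an earlier `usage_index >= field->report_count` test also runs on this path should be confirmed before changing the bound.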
@@ -0,0 +1,73 @@ +From 22146c3ce98962436e401f7b7016a6f664c9ffb5 Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Fri, 26 Oct 2018 15:10:58 -0700 +Subject: hugetlbfs: dirty pages as they are added to pagecache + +From: Mike Kravetz + +commit 22146c3ce98962436e401f7b7016a6f664c9ffb5 upstream. + +Some test systems were experiencing negative huge page reserve counts and +incorrect file block counts. This was traced to /proc/sys/vm/drop_caches +removing clean pages from hugetlbfs file pagecaches. When non-hugetlbfs +explicit code removes the pages, the appropriate accounting is not +performed. + +This can be recreated as follows: + fallocate -l 2M /dev/hugepages/foo + echo 1 > /proc/sys/vm/drop_caches + fallocate -l 2M /dev/hugepages/foo + grep -i huge /proc/meminfo + AnonHugePages: 0 kB + ShmemHugePages: 0 kB + HugePages_Total: 2048 + HugePages_Free: 2047 + HugePages_Rsvd: 18446744073709551615 + HugePages_Surp: 0 + Hugepagesize: 2048 kB + Hugetlb: 4194304 kB + ls -lsh /dev/hugepages/foo + 4.0M -rw-r--r--. 1 root root 2.0M Oct 17 20:05 /dev/hugepages/foo + +To address this issue, dirty pages as they are added to pagecache. This +can easily be reproduced with fallocate as shown above. Read faulted +pages will eventually end up being marked dirty. But there is a window +where they are clean and could be impacted by code such as drop_caches. +So, just dirty them all as they are added to the pagecache. + +Link: http://lkml.kernel.org/r/b5be45b8-5afe-56cd-9482-28384699a049@oracle.com +Fixes: 6bda666a03f0 ("hugepages: fold find_or_alloc_pages into huge_no_page()") +Signed-off-by: Mike Kravetz +Acked-by: Mihcla Hocko +Reviewed-by: Khalid Aziz +Cc: Hugh Dickins +Cc: Naoya Horiguchi +Cc: "Aneesh Kumar K . V" +Cc: Andrea Arcangeli +Cc: "Kirill A . 
Shutemov" +Cc: Davidlohr Bueso +Cc: Alexander Viro +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3645,6 +3645,12 @@ int huge_add_to_page_cache(struct page * + return err; + ClearPagePrivate(page); + ++ /* ++ * set page dirty so that it will not be removed from cache/file ++ * by non-hugetlbfs specific code paths. ++ */ ++ set_page_dirty(page); ++ + spin_lock(&inode->i_lock); + inode->i_blocks += blocks_per_huge_page(h); + spin_unlock(&inode->i_lock); diff --git a/queue-4.9/iio-ad5064-fix-regulator-handling.patch b/queue-4.9/iio-ad5064-fix-regulator-handling.patch new file mode 100644 index 00000000000..0ee222cd8c6 --- /dev/null +++ b/queue-4.9/iio-ad5064-fix-regulator-handling.patch 
@@ -0,0 +1,96 @@ +From 8911a43bc198877fad9f4b0246a866b26bb547ab Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Fri, 28 Sep 2018 11:23:40 +0200 +Subject: iio: ad5064: Fix regulator handling + +From: Lars-Peter Clausen + +commit 8911a43bc198877fad9f4b0246a866b26bb547ab upstream. + +The correct way to handle errors returned by regualtor_get() and friends is +to propagate the error since that means that an regulator was specified, +but something went wrong when requesting it. + +For handling optional regulators, e.g. when the device has an internal +vref, regulator_get_optional() should be used to avoid getting the dummy +regulator that the regulator core otherwise provides. + +Signed-off-by: Lars-Peter Clausen +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/dac/ad5064.c | 53 +++++++++++++++++++++++++++++++++-------------- + 1 file changed, 38 insertions(+), 15 deletions(-) + +--- a/drivers/iio/dac/ad5064.c ++++ b/drivers/iio/dac/ad5064.c +@@ -760,6 +760,40 @@ static int ad5064_set_config(struct ad50 + return ad5064_write(st, cmd, 0, val, 0); + } + ++static int ad5064_request_vref(struct ad5064_state *st, struct device *dev) ++{ ++ unsigned int i; ++ int ret; ++ ++ for (i = 0; i < ad5064_num_vref(st); ++i) ++ st->vref_reg[i].supply = ad5064_vref_name(st, i); ++ ++ if (!st->chip_info->internal_vref) ++ return devm_regulator_bulk_get(dev, ad5064_num_vref(st), ++ st->vref_reg); ++ ++ /* ++ * This assumes that when the regulator has an internal VREF ++ * there is only one external VREF connection, which is ++ * currently the case for all supported devices. 
++ */ ++ st->vref_reg[0].consumer = devm_regulator_get_optional(dev, "vref"); ++ if (!IS_ERR(st->vref_reg[0].consumer)) ++ return 0; ++ ++ ret = PTR_ERR(st->vref_reg[0].consumer); ++ if (ret != -ENODEV) ++ return ret; ++ ++ /* If no external regulator was supplied use the internal VREF */ ++ st->use_internal_vref = true; ++ ret = ad5064_set_config(st, AD5064_CONFIG_INT_VREF_ENABLE); ++ if (ret) ++ dev_err(dev, "Failed to enable internal vref: %d\n", ret); ++ ++ return ret; ++} ++ + static int ad5064_probe(struct device *dev, enum ad5064_type type, + const char *name, ad5064_write_func write) + { +@@ -780,22 +814,11 @@ static int ad5064_probe(struct device *d + st->dev = dev; + st->write = write; + +- for (i = 0; i < ad5064_num_vref(st); ++i) +- st->vref_reg[i].supply = ad5064_vref_name(st, i); ++ ret = ad5064_request_vref(st, dev); ++ if (ret) ++ return ret; + +- ret = devm_regulator_bulk_get(dev, ad5064_num_vref(st), +- st->vref_reg); +- if (ret) { +- if (!st->chip_info->internal_vref) +- return ret; +- st->use_internal_vref = true; +- ret = ad5064_set_config(st, AD5064_CONFIG_INT_VREF_ENABLE); +- if (ret) { +- dev_err(dev, "Failed to enable internal vref: %d\n", +- ret); +- return ret; +- } +- } else { ++ if (!st->use_internal_vref) { + ret = regulator_bulk_enable(ad5064_num_vref(st), st->vref_reg); + if (ret) + return ret; diff --git a/queue-4.9/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch b/queue-4.9/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch new file mode 100644 index 00000000000..382662d2830 --- /dev/null +++ b/queue-4.9/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch 
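Review bot: In drivers/iio/dac/ad5064.c the new ad5064_request_vref() leaves an error pointer in `st->vref_reg[0].consumer` when it falls back to the internal reference: the `-ENODEV` branch sets `st->use_internal_vref` but the failed `devm_regulator_get_optional()` result stays stored. The visible caller guards `regulator_bulk_enable()` with `if (!st->use_internal_vref)`, but the rest of ad5064_probe() and the other users of `vref_reg` are outside the hunk, and any of them that skips that guard would hand the error pointer to the regulator core. The function has no header comment, so the contract is worth stating there, e.g. `/* On success vref_reg[] holds valid regulators only if !st->use_internal_vref */`.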
@@ -0,0 +1,39 @@
+From bc1b45326223e7e890053cf6266357adfa61942d Mon Sep 17 00:00:00 2001
+From: Eugen Hristev
+Date: Mon, 24 Sep 2018 10:51:43 +0300
+Subject: iio: adc: at91: fix acking DRDY irq on simple conversions
+
+From: Eugen Hristev
+
+commit bc1b45326223e7e890053cf6266357adfa61942d upstream.
+
+When doing simple conversions, the driver did not acknowledge the DRDY irq.
+If this irq status is not acked, it will be left pending, and as soon as a
+trigger is enabled, the irq handler will be called, it doesn't know why
+this status has occurred because no channel is pending, and then it will go
+int a irq loop and board will hang.
+To avoid this situation, read the LCDR after a raw conversion is done.
+
+Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.")
+Cc: Maxime Ripard
+Signed-off-by: Eugen Hristev
+Acked-by: Ludovic Desroches
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/at91_adc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -278,6 +278,8 @@ static void handle_adc_eoc_trigger(int i
+ iio_trigger_poll(idev->trig);
+ } else {
+ st->last_value = at91_adc_readl(st, AT91_ADC_CHAN(st, st->chnb));
++ /* Needed to ACK the DRDY interruption */
++ at91_adc_readl(st, AT91_ADC_LCDR);
+ st->done = true;
+ wake_up_interruptible(&st->wq_data_avail);
+ }
diff --git a/queue-4.9/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch b/queue-4.9/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch
new file mode 100644
index 00000000000..c63b64136cb
--- /dev/null
+++ b/queue-4.9/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch
@@ -0,0 +1,49 @@
+From aea835f2dc8a682942b859179c49ad1841a6c8b9 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev
+Date: Mon, 24 Sep 2018 10:51:44 +0300
+Subject: iio: adc: at91: fix wrong channel number in triggered buffer mode
+
+From: Eugen Hristev
+
+commit aea835f2dc8a682942b859179c49ad1841a6c8b9 upstream.
+
+When channels are registered, the hardware channel number is not the
+actual iio channel number.
+This is because the driver is probed with a certain number of accessible
+channels. Some pins are routed and some not, depending on the description of
+the board in the DT.
+Because of that, channels 0,1,2,3 can correspond to hardware channels
+2,3,4,5 for example.
+In the buffered triggered case, we need to do the translation accordingly.
+Fixed the channel number to stop reading the wrong channel.
+
+Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.")
+Cc: Maxime Ripard
+Signed-off-by: Eugen Hristev
+Acked-by: Ludovic Desroches
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/at91_adc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -247,12 +247,14 @@ static irqreturn_t at91_adc_trigger_hand
+ struct iio_poll_func *pf = p;
+ struct iio_dev *idev = pf->indio_dev;
+ struct at91_adc_state *st = iio_priv(idev);
++ struct iio_chan_spec const *chan;
+ int i, j = 0;
+
+ for (i = 0; i < idev->masklength; i++) {
+ if (!test_bit(i, idev->active_scan_mask))
+ continue;
+- st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, i));
++ chan = idev->channels + i;
++ st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, chan->channel));
+ j++;
+ }
+
diff --git a/queue-4.9/iio-adc-imx25-gcq-fix-leak-of-device_node-in-mx25_gcq_setup_cfgs.patch b/queue-4.9/iio-adc-imx25-gcq-fix-leak-of-device_node-in-mx25_gcq_setup_cfgs.patch
new file mode 100644
index 00000000000..32bb58d5c53
--- /dev/null
+++ b/queue-4.9/iio-adc-imx25-gcq-fix-leak-of-device_node-in-mx25_gcq_setup_cfgs.patch 
@@ -0,0 +1,73 @@ +From d3fa21c73c391975488818b085b894c2980ea052 Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Sat, 22 Sep 2018 00:58:02 +0300 +Subject: iio: adc: imx25-gcq: Fix leak of device_node in mx25_gcq_setup_cfgs() + +From: Alexey Khoroshilov + +commit d3fa21c73c391975488818b085b894c2980ea052 upstream. + +Leaving for_each_child_of_node loop we should release child device node, +if it is not stored for future use. + +Found by Linux Driver Verification project (linuxtesting.org). + +JC: I'm not sending this as a quick fix as it's been wrong for years, +but good to pick up for stable after the merge window. + +Signed-off-by: Alexey Khoroshilov +Fixes: 6df2e98c3ea56 ("iio: adc: Add imx25-gcq ADC driver") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/fsl-imx25-gcq.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/iio/adc/fsl-imx25-gcq.c ++++ b/drivers/iio/adc/fsl-imx25-gcq.c +@@ -209,12 +209,14 @@ static int mx25_gcq_setup_cfgs(struct pl + ret = of_property_read_u32(child, "reg", ®); + if (ret) { + dev_err(dev, "Failed to get reg property\n"); ++ of_node_put(child); + return ret; + } + + if (reg >= MX25_NUM_CFGS) { + dev_err(dev, + "reg value is greater than the number of available configuration registers\n"); ++ of_node_put(child); + return -EINVAL; + } + +@@ -228,6 +230,7 @@ static int mx25_gcq_setup_cfgs(struct pl + if (IS_ERR(priv->vref[refp])) { + dev_err(dev, "Error, trying to use external voltage reference without a vref-%s regulator.", + mx25_gcq_refp_names[refp]); ++ of_node_put(child); + return PTR_ERR(priv->vref[refp]); + } + priv->channel_vref_mv[reg] = +@@ -240,6 +243,7 @@ static int mx25_gcq_setup_cfgs(struct pl + break; + default: + dev_err(dev, "Invalid positive reference %d\n", refp); ++ of_node_put(child); + return -EINVAL; + } + +@@ -254,10 +258,12 @@ static int mx25_gcq_setup_cfgs(struct pl + + if ((refp & MX25_ADCQ_CFG_REFP_MASK) != refp) { + dev_err(dev, "Invalid 
fsl,adc-refp property value\n"); ++ of_node_put(child); + return -EINVAL; + } + if ((refn & MX25_ADCQ_CFG_REFN_MASK) != refn) { + dev_err(dev, "Invalid fsl,adc-refn property value\n"); ++ of_node_put(child); + return -EINVAL; + } + diff --git a/queue-4.9/ima-fix-showing-large-violations-or-runtime_measurements_count.patch b/queue-4.9/ima-fix-showing-large-violations-or-runtime_measurements_count.patch new file mode 100644 index 00000000000..6873a0f4699 --- /dev/null +++ b/queue-4.9/ima-fix-showing-large-violations-or-runtime_measurements_count.patch @@ -0,0 +1,41 @@ +From 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 7 Sep 2018 14:33:24 -0700 +Subject: ima: fix showing large 'violations' or 'runtime_measurements_count' + +From: Eric Biggers + +commit 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 upstream. + +The 12 character temporary buffer is not necessarily long enough to hold +a 'long' value. Increase it. + +Signed-off-by: Eric Biggers +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_fs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/security/integrity/ima/ima_fs.c ++++ b/security/integrity/ima/ima_fs.c +@@ -29,14 +29,14 @@ + static DEFINE_MUTEX(ima_write_mutex); + + static int valid_policy = 1; +-#define TMPBUFLEN 12 ++ + static ssize_t ima_show_htable_value(char __user *buf, size_t count, + loff_t *ppos, atomic_long_t *val) + { +- char tmpbuf[TMPBUFLEN]; ++ char tmpbuf[32]; /* greater than largest 'long' string value */ + ssize_t len; + +- len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val)); ++ len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val)); + return simple_read_from_buffer(buf, count, ppos, tmpbuf, len); + } + 
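Review bot: In drivers/iio/adc/fsl-imx25-gcq.c the fix adds `of_node_put(child);` by hand in front of each of six early returns in mx25_gcq_setup_cfgs(), which keeps the pattern that allowed the leak: the next return added inside the loop has to remember the put as well. Routing the error exits through one label puts the release in a single place, e.g. `ret = -EINVAL; goto err_put_child;` at each site and `err_put_child: of_node_put(child); return ret;` after the loop. The loop header and the end of the function are outside the hunks, so the label placement needs checking against the full function.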
diff --git a/queue-4.9/iwlwifi-mvm-check-return-value-of-rs_rate_from_ucode_rate.patch b/queue-4.9/iwlwifi-mvm-check-return-value-of-rs_rate_from_ucode_rate.patch
new file mode 100644
index 00000000000..60cd4a12d08
--- /dev/null
+++ b/queue-4.9/iwlwifi-mvm-check-return-value-of-rs_rate_from_ucode_rate.patch
@@ -0,0 +1,81 @@ +From 3d71c3f1f50cf309bd20659422af549bc784bfff Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Sat, 13 Oct 2018 09:46:08 +0300 +Subject: iwlwifi: mvm: check return value of rs_rate_from_ucode_rate() + +From: Luca Coelho + +commit 3d71c3f1f50cf309bd20659422af549bc784bfff upstream. + +The rs_rate_from_ucode_rate() function may return -EINVAL if the rate +is invalid, but none of the callsites check for the error, potentially +making us access arrays with index IWL_RATE_INVALID, which is larger +than the arrays, causing an out-of-bounds access. This will trigger +KASAN warnings, such as the one reported in the bugzilla issue +mentioned below. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=200659 + +Cc: stable@vger.kernel.org +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c +@@ -1207,7 +1207,11 @@ void iwl_mvm_rs_tx_status(struct iwl_mvm + !(info->flags & IEEE80211_TX_STAT_AMPDU)) + return; + +- rs_rate_from_ucode_rate(tx_resp_hwrate, info->band, &tx_resp_rate); ++ if (rs_rate_from_ucode_rate(tx_resp_hwrate, info->band, ++ &tx_resp_rate)) { ++ WARN_ON_ONCE(1); ++ return; ++ } + + #ifdef CONFIG_MAC80211_DEBUGFS + /* Disable last tx check if we are debugging with fixed rate but +@@ -1263,7 +1267,10 @@ void iwl_mvm_rs_tx_status(struct iwl_mvm + */ + table = &lq_sta->lq; + lq_hwrate = le32_to_cpu(table->rs_table[0]); +- rs_rate_from_ucode_rate(lq_hwrate, info->band, &lq_rate); ++ if (rs_rate_from_ucode_rate(lq_hwrate, info->band, &lq_rate)) { ++ WARN_ON_ONCE(1); ++ return; ++ } + + /* Here we actually compare this rate to the latest LQ command */ + if (!rs_rate_equal(&tx_resp_rate, &lq_rate, allow_ant_mismatch)) { +@@ -1365,8 +1372,12 @@ void iwl_mvm_rs_tx_status(struct 
iwl_mvm + /* Collect data for each rate used during failed TX attempts */ + for (i = 0; i <= retries; ++i) { + lq_hwrate = le32_to_cpu(table->rs_table[i]); +- rs_rate_from_ucode_rate(lq_hwrate, info->band, +- &lq_rate); ++ if (rs_rate_from_ucode_rate(lq_hwrate, info->band, ++ &lq_rate)) { ++ WARN_ON_ONCE(1); ++ return; ++ } ++ + /* + * Only collect stats if retried rate is in the same RS + * table as active/search. +@@ -3261,7 +3272,10 @@ static void rs_build_rates_table_from_fi + for (i = 0; i < num_rates; i++) + lq_cmd->rs_table[i] = ucode_rate_le32; + +- rs_rate_from_ucode_rate(ucode_rate, band, &rate); ++ if (rs_rate_from_ucode_rate(ucode_rate, band, &rate)) { ++ WARN_ON_ONCE(1); ++ return; ++ } + + if (is_mimo(&rate)) + lq_cmd->mimo_delim = num_rates - 1; diff --git a/queue-4.9/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch b/queue-4.9/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch new file mode 100644 index 00000000000..4ea9a3881a2 --- /dev/null +++ b/queue-4.9/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch 
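Review bot: In drivers/net/wireless/intel/iwlwifi/mvm/rs.c the last hunk (`@@ -3261,7 +3272,10 @@`) validates the rate only after the `for` loop has copied `ucode_rate_le32` into every `lq_cmd->rs_table[i]`, so on the new `return` the command is left filled with the rate that just failed to decode. Moving the `if (rs_rate_from_ucode_rate(ucode_rate, band, &rate))` block above the loop rejects the bad rate before anything is written; the decode does not depend on the loop. Whether the caller still uses the partly built command is outside the hunk. As a smaller point of style, all four sites could use the usual form `if (WARN_ON_ONCE(rs_rate_from_ucode_rate(...))) return;` instead of a separate `WARN_ON_ONCE(1);`.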
@@ -0,0 +1,69 @@ +From ccd3c4373eacb044eb3832966299d13d2631f66f Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 5 Oct 2018 18:44:40 -0400 +Subject: jbd2: fix use after free in jbd2_log_do_checkpoint() + +From: Jan Kara + +commit ccd3c4373eacb044eb3832966299d13d2631f66f upstream. + +The code cleaning transaction's lists of checkpoint buffers has a bug +where it increases bh refcount only after releasing +journal->j_list_lock. Thus the following race is possible: + +CPU0 CPU1 +jbd2_log_do_checkpoint() + jbd2_journal_try_to_free_buffers() + __journal_try_to_free_buffer(bh) + ... + while (transaction->t_checkpoint_io_list) + ... + if (buffer_locked(bh)) { + +<-- IO completes now, buffer gets unlocked --> + + spin_unlock(&journal->j_list_lock); + spin_lock(&journal->j_list_lock); + __jbd2_journal_remove_checkpoint(jh); + spin_unlock(&journal->j_list_lock); + try_to_free_buffers(page); + get_bh(bh) <-- accesses freed bh + +Fix the problem by grabbing bh reference before unlocking +journal->j_list_lock. 
+ +Fixes: dc6e8d669cf5 ("jbd2: don't call get_bh() before calling __jbd2_journal_remove_checkpoint()") +Fixes: be1158cc615f ("jbd2: fold __process_buffer() into jbd2_log_do_checkpoint()") +Reported-by: syzbot+7f4a27091759e2fe7453@syzkaller.appspotmail.com +CC: stable@vger.kernel.org +Reviewed-by: Lukas Czerner +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/checkpoint.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -254,8 +254,8 @@ restart: + bh = jh2bh(jh); + + if (buffer_locked(bh)) { +- spin_unlock(&journal->j_list_lock); + get_bh(bh); ++ spin_unlock(&journal->j_list_lock); + wait_on_buffer(bh); + /* the journal_head may have gone by now */ + BUFFER_TRACE(bh, "brelse"); +@@ -336,8 +336,8 @@ restart2: + jh = transaction->t_checkpoint_io_list; + bh = jh2bh(jh); + if (buffer_locked(bh)) { +- spin_unlock(&journal->j_list_lock); + get_bh(bh); ++ spin_unlock(&journal->j_list_lock); + wait_on_buffer(bh); + /* the journal_head may have gone by now */ + BUFFER_TRACE(bh, "brelse"); diff --git a/queue-4.9/kbuild-fix-kernel-bounds.c-w-1-warning.patch b/queue-4.9/kbuild-fix-kernel-bounds.c-w-1-warning.patch new file mode 100644 index 00000000000..e14d87f50fb --- /dev/null +++ b/queue-4.9/kbuild-fix-kernel-bounds.c-w-1-warning.patch 
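Review bot: In fs/jbd2/checkpoint.c both hunks now call `get_bh(bh)` before `spin_unlock(&journal->j_list_lock)`, but the code carries no comment saying that the order matters. The commit's own Fixes: tags point at earlier changes that touched this call order, so the two-line swap is easy to undo by accident in a later cleanup. A one-line comment at each site would document the invariant, e.g. `/* Pin bh while j_list_lock is held; it may be freed once the lock is dropped */`. The loops containing these lines start at `restart:` and `restart2:`, outside the hunks.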
@@ -0,0 +1,54 @@
+From 6a32c2469c3fbfee8f25bcd20af647326650a6cf Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Tue, 30 Oct 2018 15:07:32 -0700
+Subject: kbuild: fix kernel/bounds.c 'W=1' warning
+
+From: Arnd Bergmann
+
+commit 6a32c2469c3fbfee8f25bcd20af647326650a6cf upstream.
+
+Building any configuration with 'make W=1' produces a warning:
+
+kernel/bounds.c:16:6: warning: no previous prototype for 'foo' [-Wmissing-prototypes]
+
+When also passing -Werror, this prevents us from building any other files.
+Nobody ever calls the function, but we can't make it 'static' either
+since we want the compiler output.
+
+Calling it 'main' instead however avoids the warning, because gcc
+does not insist on having a declaration for main.
+
+Link: http://lkml.kernel.org/r/20181005083313.2088252-1-arnd@arndb.de
+Signed-off-by: Arnd Bergmann
+Reported-by: Kieran Bingham
+Reviewed-by: Kieran Bingham
+Cc: David Laight
+Cc: Masahiro Yamada
+Cc: Greg Kroah-Hartman
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/bounds.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/bounds.c
++++ b/kernel/bounds.c
+@@ -12,7 +12,7 @@
+ #include
+ #include
+
+-void foo(void)
++int main(void)
+ {
+ /* The enum constants to put into include/generated/bounds.h */
+ DEFINE(NR_PAGEFLAGS, __NR_PAGEFLAGS);
+@@ -22,4 +22,6 @@ void foo(void)
+ #endif
+ DEFINE(SPINLOCK_SIZE, sizeof(spinlock_t));
+ /* End of constants */
++
++ return 0;
+ }
diff --git a/queue-4.9/libertas-don-t-set-urb_zero_packet-on-in-usb-transfer.patch b/queue-4.9/libertas-don-t-set-urb_zero_packet-on-in-usb-transfer.patch
new file mode 100644
index 00000000000..dde8a38b89c
--- /dev/null
+++ b/queue-4.9/libertas-don-t-set-urb_zero_packet-on-in-usb-transfer.patch
@@ -0,0 +1,64 @@ +From 6528d88047801b80d2a5370ad46fb6eff2f509e0 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Sat, 6 Oct 2018 22:12:32 +0200 +Subject: libertas: don't set URB_ZERO_PACKET on IN USB transfer + +From: Lubomir Rintel + +commit 6528d88047801b80d2a5370ad46fb6eff2f509e0 upstream. + +The USB core gets rightfully upset: + + usb 1-1: BOGUS urb flags, 240 --> 200 + WARNING: CPU: 0 PID: 60 at drivers/usb/core/urb.c:503 usb_submit_urb+0x2f8/0x3ed + Modules linked in: + CPU: 0 PID: 60 Comm: kworker/0:3 Not tainted 4.19.0-rc6-00319-g5206d00a45c7 #39 + Hardware name: OLPC XO/XO, BIOS OLPC Ver 1.00.01 06/11/2014 + Workqueue: events request_firmware_work_func + EIP: usb_submit_urb+0x2f8/0x3ed + Code: 75 06 8b 8f 80 00 00 00 8d 47 78 89 4d e4 89 55 e8 e8 35 1c f6 ff 8b 55 e8 56 52 8b 4d e4 51 50 68 e3 ce c7 c0 e8 ed 18 c6 ff <0f> 0b 83 c4 14 80 7d ef 01 74 0a 80 7d ef 03 0f 85 b8 00 00 00 8b + EAX: 00000025 EBX: ce7d4980 ECX: 00000000 EDX: 00000001 + ESI: 00000200 EDI: ce7d8800 EBP: ce7f5ea8 ESP: ce7f5e70 + DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068 EFLAGS: 00210292 + CR0: 80050033 CR2: 00000000 CR3: 00e80000 CR4: 00000090 + Call Trace: + ? if_usb_fw_timeo+0x64/0x64 + __if_usb_submit_rx_urb+0x85/0xe6 + ? if_usb_fw_timeo+0x64/0x64 + if_usb_submit_rx_urb_fwload+0xd/0xf + if_usb_prog_firmware+0xc0/0x3db + ? _request_firmware+0x54/0x47b + ? _request_firmware+0x89/0x47b + ? if_usb_probe+0x412/0x412 + lbs_fw_loaded+0x55/0xa6 + ? debug_smp_processor_id+0x12/0x14 + helper_firmware_cb+0x3c/0x3f + request_firmware_work_func+0x37/0x6f + process_one_work+0x164/0x25a + worker_thread+0x1c4/0x284 + kthread+0xec/0xf1 + ? cancel_delayed_work_sync+0xf/0xf + ? 
kthread_create_on_node+0x1a/0x1a + ret_from_fork+0x2e/0x38 + ---[ end trace 3ef1e3b2dd53852f ]--- + +Cc: stable@vger.kernel.org +Signed-off-by: Lubomir Rintel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/libertas/if_usb.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/wireless/marvell/libertas/if_usb.c ++++ b/drivers/net/wireless/marvell/libertas/if_usb.c +@@ -468,8 +468,6 @@ static int __if_usb_submit_rx_urb(struct + MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn, + cardp); + +- cardp->rx_urb->transfer_flags |= URB_ZERO_PACKET; +- + lbs_deb_usb2(&cardp->udev->dev, "Pointer for rx_urb %p\n", cardp->rx_urb); + if ((ret = usb_submit_urb(cardp->rx_urb, GFP_ATOMIC))) { + lbs_deb_usbd(&cardp->udev->dev, "Submit Rx URB failed: %d\n", ret); diff --git a/queue-4.9/libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch b/queue-4.9/libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch new file mode 100644 index 00000000000..ecef2aa85aa --- /dev/null +++ b/queue-4.9/libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch 
@@ -0,0 +1,46 @@
+From b6eae0f61db27748606cc00dafcfd1e2c032f0a5 Mon Sep 17 00:00:00 2001
+From: Alexander Duyck
+Date: Tue, 25 Sep 2018 13:53:02 -0700
+Subject: libnvdimm: Hold reference on parent while scheduling async init
+
+From: Alexander Duyck
+
+commit b6eae0f61db27748606cc00dafcfd1e2c032f0a5 upstream.
+
+Unlike asynchronous initialization in the core we have not yet associated
+the device with the parent, and as such the device doesn't hold a reference
+to the parent.
+
+In order to resolve that we should be holding a reference on the parent
+until the asynchronous initialization has completed.
+
+Cc:
+Fixes: 4d88a97aa9e8 ("libnvdimm: ...base ... infrastructure")
+Signed-off-by: Alexander Duyck
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvdimm/bus.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -424,6 +424,8 @@ static void nd_async_device_register(voi
+ put_device(dev);
+ }
+ put_device(dev);
++ if (dev->parent)
++ put_device(dev->parent);
+ }
+
+ static void nd_async_device_unregister(void *d, async_cookie_t cookie)
+@@ -443,6 +445,8 @@ void __nd_device_register(struct device
+ if (!dev)
+ return;
+ dev->bus = &nvdimm_bus_type;
++ if (dev->parent)
++ get_device(dev->parent);
+ get_device(dev);
+ async_schedule_domain(nd_async_device_register, dev,
+ &nd_async_domain);
diff --git a/queue-4.9/net-ipv4-defensive-cipso-option-parsing.patch b/queue-4.9/net-ipv4-defensive-cipso-option-parsing.patch
new file mode 100644
index 00000000000..5eb3223e3f7
--- /dev/null
+++ b/queue-4.9/net-ipv4-defensive-cipso-option-parsing.patch
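Review bot: In `nd_async_device_register()` the added `if (dev->parent) put_device(dev->parent);` reads `dev->parent` after `put_device(dev)` has already run, and on the branch just above it (presumably the device_add() failure path, whose condition is outside the hunk) it has run twice. If those puts dropped the last reference, the read touches a freed `struct device`. Saving the parent before any put removes the dependency on `dev` staying alive: `struct device *parent = dev->parent;` at the top of the function, then `if (parent) put_device(parent);` at the end. The function's opening lines are outside the hunk, so whether another reference still pins `dev` there cannot be confirmed from here.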
@@ -0,0 +1,66 @@
+From 076ed3da0c9b2f88d9157dbe7044a45641ae369e Mon Sep 17 00:00:00 2001
+From: Stefan Nuernberger
+Date: Mon, 17 Sep 2018 19:46:53 +0200
+Subject: net/ipv4: defensive cipso option parsing
+
+From: Stefan Nuernberger
+
+commit 076ed3da0c9b2f88d9157dbe7044a45641ae369e upstream.
+
+commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed
+a possible infinite loop in the IP option parsing of CIPSO. The fix
+assumes that ip_options_compile filtered out all zero length options and
+that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist.
+While this assumption currently holds true, add explicit checks for zero
+length and invalid length options to be safe for the future. Even though
+ip_options_compile should have validated the options, the introduction of
+new one-byte options can still confuse this code without the additional
+checks.
+
+Signed-off-by: Stefan Nuernberger
+Cc: David Woodhouse
+Cc: Simon Veith
+Cc: stable@vger.kernel.org
+Acked-by: Paul Moore
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/cipso_ipv4.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1512,7 +1512,7 @@ static int cipso_v4_parsetag_loc(const s
+ *
+ * Description:
+ * Parse the packet's IP header looking for a CIPSO option. Returns a pointer
+- * to the start of the CIPSO option on success, NULL if one if not found.
++ * to the start of the CIPSO option on success, NULL if one is not found.
+ *
+ */
+ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+@@ -1522,10 +1522,8 @@ unsigned char *cipso_v4_optptr(const str
+ int optlen;
+ int taglen;
+
+- for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
++ for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) {
+ switch (optptr[0]) {
+- case IPOPT_CIPSO:
+- return optptr;
+ case IPOPT_END:
+ return NULL;
+ case IPOPT_NOOP:
+@@ -1534,6 +1532,11 @@ unsigned char *cipso_v4_optptr(const str
+ default:
+ taglen = optptr[1];
+ }
++ if (!taglen || taglen > optlen)
++ return NULL;
++ if (optptr[0] == IPOPT_CIPSO)
++ return optptr;
++
+ optlen -= taglen;
+ optptr += taglen;
+ }
diff --git a/queue-4.9/pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch b/queue-4.9/pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch
new file mode 100644
index 00000000000..af09424929a
--- /dev/null
+++ b/queue-4.9/pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch
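Review bot: The `default:` branch of the switch in `cipso_v4_optptr()` still accepts a length byte of 1, because the new check `if (!taglen || taglen > optlen)` rejects only zero and over-long values. A multi-byte IP option counts its own type and length octets, so a length below 2 is malformed; with 1 the loop steps a single byte and reads the option's length octet as the next option type, or, when the type is `IPOPT_CIPSO`, returns a pointer to an option whose length field is 1. Rejecting it inside the branch leaves `IPOPT_NOOP` untouched: `taglen = optptr[1]; if (taglen < 2) return NULL;`. The description says ip_options_compile should already have validated the options, so this is the same defensive hardening the patch sets out to add.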
@@ -0,0 +1,51 @@ +From d0c9606b31a21028fb5b753c8ad79626292accfd Mon Sep 17 00:00:00 2001 +From: Bin Meng +Date: Wed, 26 Sep 2018 08:14:01 -0700 +Subject: PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk + +From: Bin Meng + +commit d0c9606b31a21028fb5b753c8ad79626292accfd upstream. + +Add Device IDs to the Intel GPU "spurious interrupt" quirk table. + +For these devices, unplugging the VGA cable and plugging it in again causes +spurious interrupts from the IGD. Linux eventually disables the interrupt, +but of course that disables any other devices sharing the interrupt. + +The theory is that this is a VGA BIOS defect: it should have disabled the +IGD interrupt but failed to do so. + +See f67fd55fa96f ("PCI: Add quirk for still enabled interrupts on Intel +Sandy Bridge GPUs") and 7c82126a94e6 ("PCI: Add new ID for Intel GPU +"spurious interrupt" quirk") for some history. + +[bhelgaas: See link below for discussion about how to fix this more +generically instead of adding device IDs for every new Intel GPU. I hope +this is the last patch to add device IDs.] 
+ +Link: https://lore.kernel.org/linux-pci/1537974841-29928-1-git-send-email-bmeng.cn@gmail.com +Signed-off-by: Bin Meng +[bhelgaas: changelog] +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v3.4+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3124,7 +3124,11 @@ static void disable_igfx_irq(struct pci_ + + pci_iounmap(dev, regs); + } ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0042, disable_igfx_irq); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0046, disable_igfx_irq); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x004a, disable_igfx_irq); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0102, disable_igfx_irq); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0106, disable_igfx_irq); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x010a, disable_igfx_irq); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0152, disable_igfx_irq); + diff --git a/queue-4.9/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch b/queue-4.9/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch new file mode 100644 index 00000000000..d3f6bd6bf97 --- /dev/null +++ b/queue-4.9/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch 
@@ -0,0 +1,65 @@ +From 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 Mon Sep 17 00:00:00 2001 +From: He Zhe +Date: Sun, 30 Sep 2018 00:45:50 +0800 +Subject: printk: Fix panic caused by passing log_buf_len to command line + +From: He Zhe + +commit 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 upstream. + +log_buf_len_setup does not check input argument before passing it to +simple_strtoull. The argument would be a NULL pointer if "log_buf_len", +without its value, is set in command line and thus causes the following +panic. + +PANIC: early exception 0xe3 IP 10:ffffffffaaeacd0d error 0 cr2 0x0 +[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc4-yocto-standard+ #1 +[ 0.000000] RIP: 0010:_parse_integer_fixup_radix+0xd/0x70 +... +[ 0.000000] Call Trace: +[ 0.000000] simple_strtoull+0x29/0x70 +[ 0.000000] memparse+0x26/0x90 +[ 0.000000] log_buf_len_setup+0x17/0x22 +[ 0.000000] do_early_param+0x57/0x8e +[ 0.000000] parse_args+0x208/0x320 +[ 0.000000] ? rdinit_setup+0x30/0x30 +[ 0.000000] parse_early_options+0x29/0x2d +[ 0.000000] ? rdinit_setup+0x30/0x30 +[ 0.000000] parse_early_param+0x36/0x4d +[ 0.000000] setup_arch+0x336/0x99e +[ 0.000000] start_kernel+0x6f/0x4ee +[ 0.000000] x86_64_start_reservations+0x24/0x26 +[ 0.000000] x86_64_start_kernel+0x6f/0x72 +[ 0.000000] secondary_startup_64+0xa4/0xb0 + +This patch adds a check to prevent the panic. 
+ +Link: http://lkml.kernel.org/r/1538239553-81805-1-git-send-email-zhe.he@windriver.com +Cc: stable@vger.kernel.org +Cc: rostedt@goodmis.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: He Zhe +Reviewed-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/printk/printk.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -1010,7 +1010,12 @@ static void __init log_buf_len_update(un + /* save requested log_buf_len since it's too early to process it */ + static int __init log_buf_len_setup(char *str) + { +- unsigned size = memparse(str, &str); ++ unsigned int size; ++ ++ if (!str) ++ return -EINVAL; ++ ++ size = memparse(str, &str); + + log_buf_len_update(size); + diff --git a/queue-4.9/series b/queue-4.9/series index dfa02745975..a45427add1d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
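Review bot: `size = memparse(str, &str);` in `log_buf_len_setup()` stores memparse()'s 64-bit result in an `unsigned int`, so a value of 4G or more on the command line is silently truncated (exactly 4G becomes 0) before `log_buf_len_update(size)` sees it. Since the patch is already adding input validation here, a range check belongs next to the NULL check: declare `u64 size;` and add `if (size > UINT_MAX) return -EINVAL;` after the memparse() call. The rest of the function is outside the hunk.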
@@ -70,3 +70,44 @@ scsi-lpfc-correct-soft-lockup-when-running-mds-diagnostics.patch signal-always-deliver-the-kernel-s-sigkill-and-sigstop-to-a-pid-namespace-init.patch dmaengine-dma-jz4780-return-error-if-not-probed-from-dt.patch alsa-hda-check-the-non-cached-stream-buffers-more-explicitly.patch +arm-dts-exynos-remove-cooling-min-max-level-for-cpu-nodes.patch +arm-dts-exynos-add-missing-cooling-device-properties-for-cpus.patch +arm-dts-exynos-convert-exynos5250.dtsi-to-opp-v2-bindings.patch +arm-dts-exynos-mark-1-ghz-cpu-opp-as-suspend-opp-on-exynos5250.patch +xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch +tpm-restore-functionality-to-xen-vtpm-driver.patch +xen-blkfront-avoid-null-blkfront_info-dereference-on-device-removal.patch +xen-fix-race-in-xen_qlock_wait.patch +xen-make-xen_qlock_wait-nestable.patch +libertas-don-t-set-urb_zero_packet-on-in-usb-transfer.patch +usbip-vudc-bug-kmalloc-2048-not-tainted-poison-overwritten.patch +iwlwifi-mvm-check-return-value-of-rs_rate_from_ucode_rate.patch +net-ipv4-defensive-cipso-option-parsing.patch +libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch +asoc-intel-skylake-add-missing-break-in-skl_tplg_get_token.patch +asoc-sta32x-set-component-pointer-in-private-struct.patch +jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch +gfs2_meta-mount-can-get-null-dev_name.patch +ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch +ext4-propagate-error-from-dquot_initialize-in-ext4_ioc_fssetxattr.patch +hid-hiddev-fix-potential-spectre-v1.patch +edac-i7core-sb-skx-_edac-fix-uncorrected-error-counting.patch +edac-skx_edac-fix-logical-channel-intermediate-decoding.patch +pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch +signal-genwqe-fix-sending-of-sigkill.patch +crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch +crypto-tcrypt-fix-ghash-generic-speed-test.patch +ima-fix-showing-large-violations-or-runtime_measurements_count.patch 
+hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch +kbuild-fix-kernel-bounds.c-w-1-warning.patch +iio-ad5064-fix-regulator-handling.patch +iio-adc-imx25-gcq-fix-leak-of-device_node-in-mx25_gcq_setup_cfgs.patch +iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch +iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch +drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch +w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch +smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch +smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch +smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch +printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch +genirq-fix-race-on-spurious-interrupt-detection.patch diff --git a/queue-4.9/signal-genwqe-fix-sending-of-sigkill.patch b/queue-4.9/signal-genwqe-fix-sending-of-sigkill.patch new file mode 100644 index 00000000000..e1485aa4fb3 --- /dev/null +++ b/queue-4.9/signal-genwqe-fix-sending-of-sigkill.patch 
@@ -0,0 +1,112 @@ +From 0ab93e9c99f8208c0a1a7b7170c827936268c996 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Thu, 13 Sep 2018 11:28:01 +0200 +Subject: signal/GenWQE: Fix sending of SIGKILL + +From: Eric W. Biederman + +commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream. + +The genweq_add_file and genwqe_del_file by caching current without +using reference counting embed the assumption that a file descriptor +will never be passed from one process to another. It even embeds the +assumption that the the thread that opened the file will be in +existence when the process terminates. Neither of which are +guaranteed to be true. + +Therefore replace caching the task_struct of the opener with +pid of the openers thread group id. All the knowledge of the +opener is used for is as the target of SIGKILL and a SIGKILL +will kill the entire process group. + +Rename genwqe_force_sig to genwqe_terminate, remove it's unncessary +signal argument, update it's ownly caller, and use kill_pid +instead of force_sig. + +The work force_sig does in changing signal handling state is not +relevant to SIGKILL sent as SEND_SIG_PRIV. The exact same processess +will be killed just with less work, and less confusion. The work done +by force_sig is really only needed for handling syncrhonous +exceptions. + +It will still be possible to cause genwqe_device_remove to wait +8 seconds by passing a file descriptor to another process but +the possible user after free is fixed. + +Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue") +Cc: stable@vger.kernel.org +Cc: Greg Kroah-Hartman +Cc: Frank Haverkamp +Cc: Joerg-Stephan Vogt +Cc: Michael Jung +Cc: Michael Ruettger +Cc: Kleber Sacilotto de Souza +Cc: Sebastian Ott +Cc: Eberhard S. Amann +Cc: Gabriel Krisman Bertazi +Cc: Guilherme G. Piccoli +Signed-off-by: "Eric W. 
Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/genwqe/card_base.h | 2 +- + drivers/misc/genwqe/card_dev.c | 9 +++++---- + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/misc/genwqe/card_base.h ++++ b/drivers/misc/genwqe/card_base.h +@@ -404,7 +404,7 @@ struct genwqe_file { + struct file *filp; + + struct fasync_struct *async_queue; +- struct task_struct *owner; ++ struct pid *opener; + struct list_head list; /* entry in list of open files */ + + spinlock_t map_lock; /* lock for dma_mappings */ +--- a/drivers/misc/genwqe/card_dev.c ++++ b/drivers/misc/genwqe/card_dev.c +@@ -52,7 +52,7 @@ static void genwqe_add_file(struct genwq + { + unsigned long flags; + +- cfile->owner = current; ++ cfile->opener = get_pid(task_tgid(current)); + spin_lock_irqsave(&cd->file_lock, flags); + list_add(&cfile->list, &cd->file_list); + spin_unlock_irqrestore(&cd->file_lock, flags); +@@ -65,6 +65,7 @@ static int genwqe_del_file(struct genwqe + spin_lock_irqsave(&cd->file_lock, flags); + list_del(&cfile->list); + spin_unlock_irqrestore(&cd->file_lock, flags); ++ put_pid(cfile->opener); + + return 0; + } +@@ -275,7 +276,7 @@ static int genwqe_kill_fasync(struct gen + return files; + } + +-static int genwqe_force_sig(struct genwqe_dev *cd, int sig) ++static int genwqe_terminate(struct genwqe_dev *cd) + { + unsigned int files = 0; + unsigned long flags; +@@ -283,7 +284,7 @@ static int genwqe_force_sig(struct genwq + + spin_lock_irqsave(&cd->file_lock, flags); + list_for_each_entry(cfile, &cd->file_list, list) { +- force_sig(sig, cfile->owner); ++ kill_pid(cfile->opener, SIGKILL, 1); + files++; + } + spin_unlock_irqrestore(&cd->file_lock, flags); +@@ -1356,7 +1357,7 @@ static int genwqe_inform_and_stop_proces + dev_warn(&pci_dev->dev, + "[%s] send SIGKILL and wait ...\n", __func__); + +- rc = genwqe_force_sig(cd, SIGKILL); /* force terminate */ ++ rc = genwqe_terminate(cd); + if (rc) { + /* Give kill_timout more seconds to end processes */ + for (i = 
0; (i < genwqe_kill_timeout) && diff --git a/queue-4.9/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch b/queue-4.9/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch new file mode 100644 index 00000000000..6c27e778acb --- /dev/null +++ b/queue-4.9/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch @@ -0,0 +1,34 @@ +From 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Sat, 15 Sep 2018 23:04:41 -0500 +Subject: smb3: allow stats which track session and share reconnects to be reset + +From: Steve French + +commit 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 upstream. + +Currently, "echo 0 > /proc/fs/cifs/Stats" resets all of the stats +except the session and share reconnect counts. Fix it to +reset those as well. + +CC: Stable +Signed-off-by: Steve French +Reviewed-by: Aurelien Aptel +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifs_debug.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/cifs/cifs_debug.c ++++ b/fs/cifs/cifs_debug.c +@@ -284,6 +284,9 @@ static ssize_t cifs_stats_proc_write(str + atomic_set(&totBufAllocCount, 0); + atomic_set(&totSmBufAllocCount, 0); + #endif /* CONFIG_CIFS_STATS2 */ ++ atomic_set(&tcpSesReconnectCount, 0); ++ atomic_set(&tconInfoReconnectCount, 0); ++ + spin_lock(&GlobalMid_Lock); + GlobalMaxActiveXid = 0; + GlobalCurrentXid = 0; diff --git a/queue-4.9/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch b/queue-4.9/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch new file mode 100644 index 00000000000..bf025e97b2a --- /dev/null +++ b/queue-4.9/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch 
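Review bot: The new `struct pid *opener;` member in `struct genwqe_file` carries no comment, while its neighbours `list` and `map_lock` do, and its lifetime rule is the whole point of the fix. I would document it as `struct pid *opener; /* tgid of opening process; ref taken in genwqe_add_file(), dropped in genwqe_del_file() */`. The same comment is the place to record what the description concedes, that the opener need not be the process holding the descriptor when `genwqe_terminate()` sends SIGKILL. In `kill_pid(cfile->opener, SIGKILL, 1)` the bare `1` would also read better with a short `/* priv */` annotation.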
@@ -0,0 +1,45 @@
+From 1e77a8c204c9d1b655c61751b8ad0fde22421dbb Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Fri, 19 Oct 2018 00:45:21 -0500
+Subject: smb3: do not attempt cifs operation in smb3 query info error path
+
+From: Steve French
+
+commit 1e77a8c204c9d1b655c61751b8ad0fde22421dbb upstream.
+
+If backupuid mount option is sent, we can incorrectly retry
+(on access denied on query info) with a cifs (FindFirst) operation
+on an smb3 mount which causes the server to force the session close.
+
+We set backup intent on open so no need for this fallback.
+
+See kernel bugzilla 201435
+
+Signed-off-by: Steve French
+CC: Stable
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/inode.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -768,7 +768,15 @@ cifs_get_inode_info(struct inode **inode
+ } else if (rc == -EREMOTE) {
+ cifs_create_dfs_fattr(&fattr, sb);
+ rc = 0;
+- } else if (rc == -EACCES && backup_cred(cifs_sb)) {
++ } else if ((rc == -EACCES) && backup_cred(cifs_sb) &&
++ (strcmp(server->vals->version_string, SMB1_VERSION_STRING)
++ == 0)) {
++ /*
++ * For SMB2 and later the backup intent flag is already
++ * sent if needed on open and there is no path based
++ * FindFirst operation to use to retry with
++ */
++
+ srchinf = kzalloc(sizeof(struct cifs_search_info),
+ GFP_KERNEL);
+ if (srchinf == NULL) {
diff --git a/queue-4.9/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch b/queue-4.9/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch
new file mode 100644
index 00000000000..d90a1430f2d
--- /dev/null
+++ b/queue-4.9/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch
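Review bot: The comment added inside the new `else if` body in `cifs_get_inode_info()` describes SMB2 and later, but the branch it sits in now runs only when `version_string` equals `SMB1_VERSION_STRING`, so a reader finds a statement about dialects that never reach this code. Placing it above the condition, or rewording it for the branch, would match the control flow, for example `/* SMB1 only: retry with a path-based FindFirst; SMB2+ already sends backup intent on open */`. The function begins and ends outside the hunk.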
@@ -0,0 +1,40 @@
+From 926674de6705f0f1dbf29a62fd758d0977f535d6 Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Sun, 28 Oct 2018 13:13:23 -0500
+Subject: smb3: on kerberos mount if server doesn't specify auth type use krb5
+
+From: Steve French
+
+commit 926674de6705f0f1dbf29a62fd758d0977f535d6 upstream.
+
+Some servers (e.g. Azure) do not include a spnego blob in the SMB3
+negotiate protocol response, so on kerberos mounts ("sec=krb5")
+we can fail, as we expected the server to list its supported
+auth types (OIDs in the spnego blob in the negprot response).
+Change this so that on krb5 mounts we default to trying krb5 if the
+server doesn't list its supported protocol mechanisms.
+
+Signed-off-by: Steve French
+Reviewed-by: Ronnie Sahlberg
+CC: Stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/cifs_spnego.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifs_spnego.c
++++ b/fs/cifs/cifs_spnego.c
+@@ -147,8 +147,10 @@ cifs_get_spnego_key(struct cifs_ses *ses
+ sprintf(dp, ";sec=krb5");
+ else if (server->sec_mskerberos)
+ sprintf(dp, ";sec=mskrb5");
+- else
+- goto out;
++ else {
++ cifs_dbg(VFS, "unknown or missing server auth type, use krb5\n");
++ sprintf(dp, ";sec=krb5");
++ }
+
+ dp = description + strlen(description);
+ sprintf(dp, ";uid=0x%x",
diff --git a/queue-4.9/tpm-restore-functionality-to-xen-vtpm-driver.patch b/queue-4.9/tpm-restore-functionality-to-xen-vtpm-driver.patch
new file mode 100644
index 00000000000..3e362c53296
--- /dev/null
+++ b/queue-4.9/tpm-restore-functionality-to-xen-vtpm-driver.patch
@@ -0,0 +1,59 @@ +From e487a0f52301293152a6f8c4e217f2a11dd808e3 Mon Sep 17 00:00:00 2001 +From: "Dr. Greg Wettstein" +Date: Mon, 17 Sep 2018 18:53:33 -0400 +Subject: tpm: Restore functionality to xen vtpm driver. + +From: Dr. Greg Wettstein + +commit e487a0f52301293152a6f8c4e217f2a11dd808e3 upstream. + +Functionality of the xen-tpmfront driver was lost secondary to +the introduction of xenbus multi-page support in commit ccc9d90a9a8b +("xenbus_client: Extend interface to support multi-page ring"). + +In this commit pointer to location of where the shared page address +is stored was being passed to the xenbus_grant_ring() function rather +then the address of the shared page itself. This resulted in a situation +where the driver would attach to the vtpm-stubdom but any attempt +to send a command to the stub domain would timeout. + +A diagnostic finding for this regression is the following error +message being generated when the xen-tpmfront driver probes for a +device: + +<3>vtpm vtpm-0: tpm_transmit: tpm_send: error -62 + +<3>vtpm vtpm-0: A TPM error (-62) occurred attempting to determine +the timeouts + +This fix is relevant to all kernels from 4.1 forward which is the +release in which multi-page xenbus support was introduced. + +Daniel De Graaf formulated the fix by code inspection after the +regression point was located. + +Fixes: ccc9d90a9a8b ("xenbus_client: Extend interface to support multi-page ring") +Signed-off-by: Dr. 
Greg Wettstein +Signed-off-by: Greg Kroah-Hartman + +[boris: Updated commit message, added Fixes tag] +Signed-off-by: Boris Ostrovsky +Cc: stable@vger.kernel.org # v4.1+ +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen + +--- + drivers/char/tpm/xen-tpmfront.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/tpm/xen-tpmfront.c ++++ b/drivers/char/tpm/xen-tpmfront.c +@@ -203,7 +203,7 @@ static int setup_ring(struct xenbus_devi + return -ENOMEM; + } + +- rv = xenbus_grant_ring(dev, &priv->shr, 1, &gref); ++ rv = xenbus_grant_ring(dev, priv->shr, 1, &gref); + if (rv < 0) + return rv; + diff --git a/queue-4.9/usbip-vudc-bug-kmalloc-2048-not-tainted-poison-overwritten.patch b/queue-4.9/usbip-vudc-bug-kmalloc-2048-not-tainted-poison-overwritten.patch new file mode 100644 index 00000000000..49857e6d375 --- /dev/null +++ b/queue-4.9/usbip-vudc-bug-kmalloc-2048-not-tainted-poison-overwritten.patch 
@@ -0,0 +1,67 @@ +From e28fd56ad5273be67d0fae5bedc7e1680e729952 Mon Sep 17 00:00:00 2001 +From: "Shuah Khan (Samsung OSG)" +Date: Thu, 18 Oct 2018 10:19:29 -0600 +Subject: usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten + +From: Shuah Khan (Samsung OSG) + +commit e28fd56ad5273be67d0fae5bedc7e1680e729952 upstream. + +In rmmod path, usbip_vudc does platform_device_put() twice once from +platform_device_unregister() and then from put_vudc_device(). + +The second put results in: + +BUG kmalloc-2048 (Not tainted): Poison overwritten error or +BUG: KASAN: use-after-free in kobject_put+0x1e/0x230 if KASAN is +enabled. + +[ 169.042156] calling init+0x0/0x1000 [usbip_vudc] @ 1697 +[ 169.042396] ============================================================================= +[ 169.043678] probe of usbip-vudc.0 returned 1 after 350 usecs +[ 169.044508] BUG kmalloc-2048 (Not tainted): Poison overwritten +[ 169.044509] ----------------------------------------------------------------------------- +... +[ 169.057849] INFO: Freed in device_release+0x2b/0x80 age=4223 cpu=3 pid=1693 +[ 169.057852] kobject_put+0x86/0x1b0 +[ 169.057853] 0xffffffffc0c30a96 +[ 169.057855] __x64_sys_delete_module+0x157/0x240 + +Fix it to call platform_device_del() instead and let put_vudc_device() do +the platform_device_put(). 
+ +Reported-by: Randy Dunlap +Signed-off-by: Shuah Khan (Samsung OSG) +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usbip/vudc_main.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/usb/usbip/vudc_main.c ++++ b/drivers/usb/usbip/vudc_main.c +@@ -85,6 +85,10 @@ static int __init init(void) + cleanup: + list_for_each_entry_safe(udc_dev, udc_dev2, &vudc_devices, dev_entry) { + list_del(&udc_dev->dev_entry); ++ /* ++ * Just do platform_device_del() here, put_vudc_device() ++ * calls the platform_device_put() ++ */ + platform_device_del(udc_dev->pdev); + put_vudc_device(udc_dev); + } +@@ -101,7 +105,11 @@ static void __exit cleanup(void) + + list_for_each_entry_safe(udc_dev, udc_dev2, &vudc_devices, dev_entry) { + list_del(&udc_dev->dev_entry); +- platform_device_unregister(udc_dev->pdev); ++ /* ++ * Just do platform_device_del() here, put_vudc_device() ++ * calls the platform_device_put() ++ */ ++ platform_device_del(udc_dev->pdev); + put_vudc_device(udc_dev); + } + platform_driver_unregister(&vudc_driver); diff --git a/queue-4.9/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch b/queue-4.9/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch new file mode 100644 index 00000000000..e3db594d97f --- /dev/null +++ b/queue-4.9/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch 
@@ -0,0 +1,65 @@ +From a007734618fee1bf35556c04fa498d41d42c7301 Mon Sep 17 00:00:00 2001 +From: Andreas Kemnade +Date: Sat, 22 Sep 2018 21:20:54 +0200 +Subject: w1: omap-hdq: fix missing bus unregister at removal + +From: Andreas Kemnade + +commit a007734618fee1bf35556c04fa498d41d42c7301 upstream. + +The bus master was not removed after unloading the module +or unbinding the driver. That lead to oopses like this + +[ 127.842987] Unable to handle kernel paging request at virtual address bf01d04c +[ 127.850646] pgd = 70e3cd9a +[ 127.853698] [bf01d04c] *pgd=8f908811, *pte=00000000, *ppte=00000000 +[ 127.860412] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM +[ 127.866668] Modules linked in: bq27xxx_battery overlay [last unloaded: omap_hdq] +[ 127.874542] CPU: 0 PID: 1022 Comm: w1_bus_master1 Not tainted 4.19.0-rc4-00001-g2d51da718324 #12 +[ 127.883819] Hardware name: Generic OMAP36xx (Flattened Device Tree) +[ 127.890441] PC is at 0xbf01d04c +[ 127.893798] LR is at w1_search_process_cb+0x4c/0xfc +[ 127.898956] pc : [] lr : [] psr: a0070013 +[ 127.905609] sp : cf885f48 ip : bf01d04c fp : ddf1e11c +[ 127.911132] r10: cf8fe040 r9 : c05f8d00 r8 : cf8fe040 +[ 127.916656] r7 : 000000f0 r6 : cf8fe02c r5 : cf8fe000 r4 : cf8fe01c +[ 127.923553] r3 : c05f8d00 r2 : 000000f0 r1 : cf8fe000 r0 : dde1ef10 +[ 127.930450] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +[ 127.938018] Control: 10c5387d Table: 8f8f0019 DAC: 00000051 +[ 127.944091] Process w1_bus_master1 (pid: 1022, stack limit = 0x9135699f) +[ 127.951171] Stack: (0xcf885f48 to 0xcf886000) +[ 127.955810] 5f40: cf8fe000 00000000 cf884000 cf8fe090 000003e8 c05f8d00 +[ 127.964477] 5f60: dde5fc34 c05f9700 ddf1e100 ddf1e540 cf884000 cf8fe000 c05f9694 00000000 +[ 127.973114] 5f80: dde5fc34 c01499a4 00000000 ddf1e540 c0149874 00000000 00000000 00000000 +[ 127.981781] 5fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000 +[ 127.990447] 5fc0: 00000000 00000000 00000000 00000000 00000000 
00000000 00000000 00000000 +[ 127.999114] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 +[ 128.007781] [] (w1_search_process_cb) from [] (w1_process+0x6c/0x118) +[ 128.016479] [] (w1_process) from [] (kthread+0x130/0x148) +[ 128.024047] [] (kthread) from [] (ret_from_fork+0x14/0x2c) +[ 128.031677] Exception stack(0xcf885fb0 to 0xcf885ff8) +[ 128.037017] 5fa0: 00000000 00000000 00000000 00000000 +[ 128.045684] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 128.054351] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 +[ 128.061340] Code: bad PC value +[ 128.064697] ---[ end trace af066e33c0e14119 ]--- + +Cc: +Signed-off-by: Andreas Kemnade +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/w1/masters/omap_hdq.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/w1/masters/omap_hdq.c ++++ b/drivers/w1/masters/omap_hdq.c +@@ -784,6 +784,8 @@ static int omap_hdq_remove(struct platfo + /* remove module dependency */ + pm_runtime_disable(&pdev->dev); + ++ w1_remove_master_device(&omap_w1_master); ++ + return 0; + } + diff --git a/queue-4.9/xen-blkfront-avoid-null-blkfront_info-dereference-on-device-removal.patch b/queue-4.9/xen-blkfront-avoid-null-blkfront_info-dereference-on-device-removal.patch new file mode 100644 index 00000000000..564b18df2d0 --- /dev/null +++ b/queue-4.9/xen-blkfront-avoid-null-blkfront_info-dereference-on-device-removal.patch 
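Review bot: In `omap_hdq_remove()` the new `w1_remove_master_device(&omap_w1_master);` runs after `pm_runtime_disable(&pdev->dev)`, so the bus master is still registered while runtime PM is already off. The oops in the description comes from the w1 search thread calling into the driver, and if the master's callbacks depend on runtime PM (not visible here) that thread can still enter them in this window. Unregistering first closes it: move `w1_remove_master_device(&omap_w1_master);` above the `/* remove module dependency */` line. The start of the function is outside the hunk, so any earlier return path that would skip the unregister should be checked as well.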
@@ -0,0 +1,58 @@
+From f92898e7f32e3533bfd95be174044bc349d416ca Mon Sep 17 00:00:00 2001
+From: Vasilis Liaskovitis
+Date: Mon, 15 Oct 2018 15:25:08 +0200
+Subject: xen/blkfront: avoid NULL blkfront_info dereference on device removal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vasilis Liaskovitis
+
+commit f92898e7f32e3533bfd95be174044bc349d416ca upstream.
+
+If a block device is hot-added when we are out of grants,
+gnttab_grant_foreign_access fails with -ENOSPC (log message "28
+granting access to ring page") in this code path:
+
+ talk_to_blkback ->
+ setup_blkring ->
+ xenbus_grant_ring ->
+ gnttab_grant_foreign_access
+
+and the failing path in talk_to_blkback sets the driver_data to NULL:
+
+ destroy_blkring:
+ blkif_free(info, 0);
+
+ mutex_lock(&blkfront_mutex);
+ free_info(info);
+ mutex_unlock(&blkfront_mutex);
+
+ dev_set_drvdata(&dev->dev, NULL);
+
+This results in a NULL pointer BUG when blkfront_remove and blkif_free
+try to access the failing device's NULL struct blkfront_info.
+
+Cc: stable@vger.kernel.org # 4.5 and later
+Signed-off-by: Vasilis Liaskovitis
+Reviewed-by: Roger Pau Monné
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/xen-blkfront.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/xen-blkfront.c
++++ b/drivers/block/xen-blkfront.c
+@@ -2524,6 +2524,9 @@ static int blkfront_remove(struct xenbus
+
+ dev_dbg(&xbdev->dev, "%s removed", xbdev->nodename);
+
++ if (!info)
++ return 0;
++
+ blkif_free(info, 0);
+
+ mutex_lock(&info->mutex);
diff --git a/queue-4.9/xen-fix-race-in-xen_qlock_wait.patch b/queue-4.9/xen-fix-race-in-xen_qlock_wait.patch
new file mode 100644
index 00000000000..c5e4e7e8b6a
--- /dev/null
+++ b/queue-4.9/xen-fix-race-in-xen_qlock_wait.patch
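Review bot: The new `if (!info) return 0;` in `blkfront_remove()` has no comment, and nothing near it says how drvdata can be NULL at removal time. The reason lives only in the description (the talk_to_blkback failure path frees info and clears drvdata), so I would put it in the code: `/* talk_to_blkback() failure already freed info and cleared drvdata */` above the check. The assignment of `info` is outside the hunk.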
@@ -0,0 +1,71 @@
+From 2ac2a7d4d9ff4e01e36f9c3d116582f6f655ab47 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Mon, 1 Oct 2018 07:57:42 +0200
+Subject: xen: fix race in xen_qlock_wait()
+
+From: Juergen Gross
+
+commit 2ac2a7d4d9ff4e01e36f9c3d116582f6f655ab47 upstream.
+
+In the following situation a vcpu waiting for a lock might not be
+woken up from xen_poll_irq():
+
+CPU 1: CPU 2: CPU 3:
+takes a spinlock
+ tries to get lock
+ -> xen_qlock_wait()
+frees the lock
+-> xen_qlock_kick(cpu2)
+ -> xen_clear_irq_pending()
+
+takes lock again
+ tries to get lock
+ -> *lock = _Q_SLOW_VAL
+ -> *lock == _Q_SLOW_VAL ?
+ -> xen_poll_irq()
+frees the lock
+-> xen_qlock_kick(cpu3)
+
+And cpu 2 will sleep forever.
+
+This can be avoided easily by modifying xen_qlock_wait() to call
+xen_poll_irq() only if the related irq was not pending and to call
+xen_clear_irq_pending() only if it was pending.
+
+Cc: stable@vger.kernel.org
+Cc: Waiman.Long@hp.com
+Cc: peterz@infradead.org
+Signed-off-by: Juergen Gross
+Reviewed-by: Jan Beulich
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/xen/spinlock.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/xen/spinlock.c
++++ b/arch/x86/xen/spinlock.c
+@@ -45,17 +45,12 @@ static void xen_qlock_wait(u8 *byte, u8
+ if (irq == -1)
+ return;
+
+- /* clear pending */
+- xen_clear_irq_pending(irq);
+- barrier();
++ /* If irq pending already clear it and return. */
++ if (xen_test_irq_pending(irq)) {
++ xen_clear_irq_pending(irq);
++ return;
++ }
+
+- /*
+- * We check the byte value after clearing pending IRQ to make sure
+- * that we won't miss a wakeup event because of the clearing.
+- *
+- * The sync_clear_bit() call in xen_clear_irq_pending() is atomic.
+- * So it is effectively a memory barrier for x86.
+- */
+ if (READ_ONCE(*byte) != val)
+ return;
+
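Review bot: The rewritten xen_qlock_wait() deletes the comment that explained how the pending-bit handling is ordered against the `*byte` check, and nothing documents the new test-then-clear sequence. A comment before `if (READ_ONCE(*byte) != val)` such as `/* a kick arriving after the pending test leaves the irq pending, so the poll below returns at once */` would record why a wakeup cannot be lost; the xen_poll_irq() call itself is outside the hunk, so this reasoning is taken from the commit message. The sequence still runs with interrupts enabled, so a nested xen_qlock_wait() from an interrupt handler can consume the kick. That case is handled by xen-make-xen_qlock_wait-nestable.patch, the next patch in this queue, and the two should be applied together.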
diff --git a/queue-4.9/xen-make-xen_qlock_wait-nestable.patch b/queue-4.9/xen-make-xen_qlock_wait-nestable.patch
new file mode 100644
index 00000000000..7c8605f12f6
--- /dev/null
+++ b/queue-4.9/xen-make-xen_qlock_wait-nestable.patch
@@ -0,0 +1,93 @@
+From a856531951dc8094359dfdac21d59cee5969c18e Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Mon, 1 Oct 2018 07:57:42 +0200
+Subject: xen: make xen_qlock_wait() nestable
+
+From: Juergen Gross
+
+commit a856531951dc8094359dfdac21d59cee5969c18e upstream.
+
+xen_qlock_wait() isn't safe for nested calls due to interrupts. A call
+of xen_qlock_kick() might be ignored in case a deeper nesting level
+was active right before the call of xen_poll_irq():
+
+CPU 1: CPU 2:
+spin_lock(lock1)
+ spin_lock(lock1)
+ -> xen_qlock_wait()
+ -> xen_clear_irq_pending()
+ Interrupt happens
+spin_unlock(lock1)
+-> xen_qlock_kick(CPU 2)
+spin_lock_irqsave(lock2)
+ spin_lock_irqsave(lock2)
+ -> xen_qlock_wait()
+ -> xen_clear_irq_pending()
+ clears kick for lock1
+ -> xen_poll_irq()
+spin_unlock_irq_restore(lock2)
+-> xen_qlock_kick(CPU 2)
+ wakes up
+ spin_unlock_irq_restore(lock2)
+ IRET
+ resumes in xen_qlock_wait()
+ -> xen_poll_irq()
+ never wakes up
+
+The solution is to disable interrupts in xen_qlock_wait() and not to
+poll for the irq in case xen_qlock_wait() is called in nmi context.
+
+Cc: stable@vger.kernel.org
+Cc: Waiman.Long@hp.com
+Cc: peterz@infradead.org
+Signed-off-by: Juergen Gross
+Reviewed-by: Jan Beulich
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/xen/spinlock.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/xen/spinlock.c
++++ b/arch/x86/xen/spinlock.c
+@@ -39,29 +39,25 @@ static void xen_qlock_kick(int cpu)
+ */
+ static void xen_qlock_wait(u8 *byte, u8 val)
+ {
++ unsigned long flags;
+ int irq = __this_cpu_read(lock_kicker_irq);
+
+ /* If kicker interrupts not initialized yet, just spin */
+- if (irq == -1)
++ if (irq == -1 || in_nmi())
+ return;
+
+- /* If irq pending already clear it and return. */
++ /* Guard against reentry. */
++ local_irq_save(flags);
++
++ /* If irq pending already clear it. */
+ if (xen_test_irq_pending(irq)) {
+ xen_clear_irq_pending(irq);
+- return;
++ } else if (READ_ONCE(*byte) == val) {
++ /* Block until irq becomes pending (or a spurious wakeup) */
++ xen_poll_irq(irq);
+ }
+
+- if (READ_ONCE(*byte) != val)
+- return;
+-
+- /*
+- * If an interrupt happens here, it will leave the wakeup irq
+- * pending, which will cause xen_poll_irq() to return
+- * immediately.
+- */
+-
+- /* Block until irq becomes pending (or perhaps a spurious wakeup) */
+- xen_poll_irq(irq);
++ local_irq_restore(flags);
+ }
+
+ static irqreturn_t dummy_handler(int irq, void *dev_id)
diff --git a/queue-4.9/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch b/queue-4.9/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch
new file mode 100644
index 00000000000..544a786e453
--- /dev/null
+++ b/queue-4.9/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch
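Review bot: The context comment `/* If kicker interrupts not initialized yet, just spin */` is now stale, because the condition under it also returns when `in_nmi()` is true; it should read `/* If kicker interrupts not initialized yet or in NMI context, just spin */`. `/* Guard against reentry. */` would be clearer if it named the hazard from the commit message, for example `/* An interrupt taken here could run a nested xen_qlock_wait() that clears the kick meant for us */`. As far as the hunk shows, xen_poll_irq() now blocks with local interrupts disabled until the kick arrives, so other interrupts on this vCPU wait on the lock holder. That trade-off looks intended but deserves a sentence next to `local_irq_save(flags);`.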
@@ -0,0 +1,56 @@
+From 7250f422da0480d8512b756640f131b9b893ccda Mon Sep 17 00:00:00 2001
+From: Joe Jin
+Date: Tue, 16 Oct 2018 15:21:16 -0700
+Subject: xen-swiotlb: use actually allocated size on check physical continuous
+
+From: Joe Jin
+
+commit 7250f422da0480d8512b756640f131b9b893ccda upstream.
+
+xen_swiotlb_{alloc,free}_coherent() allocate/free memory based on the
+order of the pages and not size argument (bytes). This is inconsistent with
+range_straddles_page_boundary and memset which use the 'size' value,
+which may lead to not exchanging memory with Xen (range_straddles_page_boundary()
+returned true). And then the call to xen_swiotlb_free_coherent() would
+actually try to exchange the memory with Xen, leading to the kernel
+hitting an BUG (as the hypercall returned an error).
+
+This patch fixes it by making the 'size' variable be of the same size
+as the amount of memory allocated.
+
+CC: stable@vger.kernel.org
+Signed-off-by: Joe Jin
+Cc: Konrad Rzeszutek Wilk
+Cc: Boris Ostrovsky
+Cc: Christoph Helwig
+Cc: Dongli Zhang
+Cc: John Sobecki
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/swiotlb-xen.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -310,6 +310,9 @@ xen_swiotlb_alloc_coherent(struct device
+ */
+ flags &= ~(__GFP_DMA | __GFP_HIGHMEM);
+
++ /* Convert the size to actually allocated. */
++ size = 1UL << (order + XEN_PAGE_SHIFT);
++
+ /* On ARM this function returns an ioremap'ped virtual address for
+ * which virt_to_phys doesn't return the corresponding physical
+ * address. In fact on ARM virt_to_phys only works for kernel direct
+@@ -359,6 +362,9 @@ xen_swiotlb_free_coherent(struct device
+ * physical address */
+ phys = xen_bus_to_phys(dev_addr);
+
++ /* Convert the size to actually allocated. */
++ size = 1UL << (order + XEN_PAGE_SHIFT);
++
+ if (((dev_addr + size - 1 <= dma_mask)) ||
+ range_straddles_page_boundary(phys, size))
+ xen_destroy_contiguous_region(phys, order);
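Review bot: Both inner hunks overwrite the `size` parameter with the same expression, `size = 1UL << (order + XEN_PAGE_SHIFT);`, once in xen_swiotlb_alloc_coherent() and once in xen_swiotlb_free_coherent(), and the comment on each only restates the assignment. Since the bug being fixed is alloc and free disagreeing about the extent of the region, the comment should state the invariant instead, e.g. `/* size must equal the 2^order Xen pages actually allocated; keep identical in alloc and free */`. How `order` is derived is outside both hunks, so it cannot be confirmed here that it is computed from the caller's original `size` before this assignment replaces it. Both function bodies start and end outside the hunks.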