From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 14 May 2019 08:22:38 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v5.1.2~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f4236fcac9d2770c53597563e28c91c77a68656e;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	cw1200-fix-missing-unlock-on-error-in-cw1200_hw_scan.patch
	x86-vdso-pass-eh-frame-hdr-to-the-linker.patch
---

diff --git a/queue-4.4/cw1200-fix-missing-unlock-on-error-in-cw1200_hw_scan.patch b/queue-4.4/cw1200-fix-missing-unlock-on-error-in-cw1200_hw_scan.patch
new file mode 100644
index 00000000000..4f2a03fb7a6
--- /dev/null
+++ b/queue-4.4/cw1200-fix-missing-unlock-on-error-in-cw1200_hw_scan.patch
@@ -0,0 +1,40 @@
+From 51c8d24101c79ffce3e79137e2cee5dfeb956dd7 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Sat, 22 Dec 2018 10:34:54 +0000
+Subject: cw1200: fix missing unlock on error in cw1200_hw_scan()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+commit 51c8d24101c79ffce3e79137e2cee5dfeb956dd7 upstream.
+
+Add the missing unlock before return from function cw1200_hw_scan()
+in the error handling case.
+
+Fixes: 4f68ef64cd7f ("cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[iwamatsu: Change the patching file from drivers/net/wireless/st/cw1200/scan.c to
+drivers/net/wireless/cw1200/scan.c]
+Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/cw1200/scan.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/cw1200/scan.c
++++ b/drivers/net/wireless/cw1200/scan.c
+@@ -84,8 +84,11 @@ int cw1200_hw_scan(struct ieee80211_hw *
+ 
+ 	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
+ 		req->ie_len);
+-	if (!frame.skb)
++	if (!frame.skb) {
++		mutex_unlock(&priv->conf_mutex);
++		up(&priv->scan.lock);
+ 		return -ENOMEM;
++	}
+ 
+ 	if (req->ie_len)
+ 		memcpy(skb_put(frame.skb, req->ie_len), req->ie, req->ie_len);
diff --git a/queue-4.4/gpu-ipu-v3-dp-fix-csc-handling.patch b/queue-4.4/gpu-ipu-v3-dp-fix-csc-handling.patch
index bbaf360fff9..d05a28e5b82 100644
--- a/queue-4.4/gpu-ipu-v3-dp-fix-csc-handling.patch
+++ b/queue-4.4/gpu-ipu-v3-dp-fix-csc-handling.patch
@@ -17,14 +17,12 @@ Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
 Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- drivers/gpu/ipu-v3/ipu-dp.c | 12 +++++++++---
+ drivers/gpu/ipu-v3/ipu-dp.c |   12 +++++++++---
  1 file changed, 9 insertions(+), 3 deletions(-)
 
-diff --git a/drivers/gpu/ipu-v3/ipu-dp.c b/drivers/gpu/ipu-v3/ipu-dp.c
-index 98686edbcdbb0..33de3a1bac49f 100644
 --- a/drivers/gpu/ipu-v3/ipu-dp.c
 +++ b/drivers/gpu/ipu-v3/ipu-dp.c
-@@ -195,7 +195,8 @@ int ipu_dp_setup_channel(struct ipu_dp *dp,
+@@ -195,7 +195,8 @@ int ipu_dp_setup_channel(struct ipu_dp *
  		ipu_dp_csc_init(flow, flow->foreground.in_cs, flow->out_cs,
  				DP_COM_CONF_CSC_DEF_BOTH);
  	} else {
@@ -34,7 +32,7 @@ index 98686edbcdbb0..33de3a1bac49f 100644
  			/*
  			 * foreground identical to output, apply color
  			 * conversion on background
-@@ -261,6 +262,8 @@ void ipu_dp_disable_channel(struct ipu_dp *dp)
+@@ -261,6 +262,8 @@ void ipu_dp_disable_channel(struct ipu_d
  	struct ipu_dp_priv *priv = flow->priv;
  	u32 reg, csc;
  
@@ -43,7 +41,7 @@ index 98686edbcdbb0..33de3a1bac49f 100644
  	if (!dp->foreground)
  		return;
  
-@@ -268,8 +271,9 @@ void ipu_dp_disable_channel(struct ipu_dp *dp)
+@@ -268,8 +271,9 @@ void ipu_dp_disable_channel(struct ipu_d
  
  	reg = readl(flow->base + DP_COM_CONF);
  	csc = reg & DP_COM_CONF_CSC_DEF_MASK;
@@ -55,7 +53,7 @@ index 98686edbcdbb0..33de3a1bac49f 100644
  
  	reg &= ~DP_COM_CONF_FG_EN;
  	writel(reg, flow->base + DP_COM_CONF);
-@@ -350,6 +354,8 @@ int ipu_dp_init(struct ipu_soc *ipu, struct device *dev, unsigned long base)
+@@ -350,6 +354,8 @@ int ipu_dp_init(struct ipu_soc *ipu, str
  	mutex_init(&priv->mutex);
  
  	for (i = 0; i < IPUV3_NUM_FLOWS; i++) {
@@ -64,6 +62,3 @@ index 98686edbcdbb0..33de3a1bac49f 100644
  		priv->flow[i].foreground.foreground = true;
  		priv->flow[i].base = priv->base + ipu_dp_flow_base[i];
  		priv->flow[i].priv = priv;
--- 
-2.20.1
-
diff --git a/queue-4.4/series b/queue-4.4/series
index 0eedaf54665..1e7f9bfc02a 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -172,3 +172,5 @@ ipvs-do-not-schedule-icmp-errors-from-tunnels.patch
 s390-ctcm-fix-ctcm_new_device-error-return-code.patch
 selftests-net-correct-the-return-value-for-run_netso.patch
 gpu-ipu-v3-dp-fix-csc-handling.patch
+cw1200-fix-missing-unlock-on-error-in-cw1200_hw_scan.patch
+x86-vdso-pass-eh-frame-hdr-to-the-linker.patch
diff --git a/queue-4.4/x86-vdso-pass-eh-frame-hdr-to-the-linker.patch b/queue-4.4/x86-vdso-pass-eh-frame-hdr-to-the-linker.patch
new file mode 100644
index 00000000000..f33fdb3a885
--- /dev/null
+++ b/queue-4.4/x86-vdso-pass-eh-frame-hdr-to-the-linker.patch
@@ -0,0 +1,67 @@
+From cd01544a268ad8ee5b1dfe42c4393f1095f86879 Mon Sep 17 00:00:00 2001
+From: Alistair Strachan <astrachan@google.com>
+Date: Fri, 14 Dec 2018 14:36:37 -0800
+Subject: x86/vdso: Pass --eh-frame-hdr to the linker
+
+From: Alistair Strachan <astrachan@google.com>
+
+commit cd01544a268ad8ee5b1dfe42c4393f1095f86879 upstream.
+
+Commit
+
+  379d98ddf413 ("x86: vdso: Use $LD instead of $CC to link")
+
+accidentally broke unwinding from userspace, because ld would strip the
+.eh_frame sections when linking.
+
+Originally, the compiler would implicitly add --eh-frame-hdr when
+invoking the linker, but when this Makefile was converted from invoking
+ld via the compiler, to invoking it directly (like vmlinux does),
+the flag was missed. (The EH_FRAME section is important for the VDSO
+shared libraries, but not for vmlinux.)
+
+Fix the problem by explicitly specifying --eh-frame-hdr, which restores
+parity with the old method.
+
+See relevant bug reports for additional info:
+
+  https://bugzilla.kernel.org/show_bug.cgi?id=201741
+  https://bugzilla.redhat.com/show_bug.cgi?id=1659295
+
+Fixes: 379d98ddf413 ("x86: vdso: Use $LD instead of $CC to link")
+Reported-by: Florian Weimer <fweimer@redhat.com>
+Reported-by: Carlos O'Donell <carlos@redhat.com>
+Reported-by: "H. J. Lu" <hjl.tools@gmail.com>
+Signed-off-by: Alistair Strachan <astrachan@google.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Tested-by: Laura Abbott <labbott@redhat.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Carlos O'Donell <carlos@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Joel Fernandes <joel@joelfernandes.org>
+Cc: kernel-team@android.com
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: stable <stable@vger.kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: X86 ML <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20181214223637.35954-1-astrachan@google.com
+Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/entry/vdso/Makefile |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/entry/vdso/Makefile
++++ b/arch/x86/entry/vdso/Makefile
+@@ -159,7 +159,8 @@ quiet_cmd_vdso = VDSO    $@
+ 		 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
+ 
+ VDSO_LDFLAGS = -shared $(call ld-option, --hash-style=both) \
+-	$(call ld-option, --build-id) -Bsymbolic
++	$(call ld-option, --build-id) $(call ld-option, --eh-frame-hdr) \
++	-Bsymbolic
+ GCOV_PROFILE := n
+ 
+ #