From: Greg Kroah-Hartman Date: Sun, 11 Nov 2018 14:52:50 +0000 (-0800) Subject: 4.18-stable patches X-Git-Tag: v4.19.2~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f859b9e2976ec2aeb0f2097b94886b0e870708f4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: kgdboc-passing-ekgdboc-to-command-line-causes-panic.patch media-cec-integrate-cec_validate_phys_addr-in-cec-api.c.patch media-cec-make-cec_get_edid_spa_location-an-inline-function.patch revert-media-dvbsky-use-just-one-mutex-for-serializing-device-r-w-ops.patch --- diff --git a/queue-4.18/kgdboc-passing-ekgdboc-to-command-line-causes-panic.patch b/queue-4.18/kgdboc-passing-ekgdboc-to-command-line-causes-panic.patch new file mode 100644 index 00000000000..59500e079f8 --- /dev/null +++ b/queue-4.18/kgdboc-passing-ekgdboc-to-command-line-causes-panic.patch @@ -0,0 +1,59 @@ +From 1bd54d851f50dea6af30c3e6ff4f3e9aab5558f9 Mon Sep 17 00:00:00 2001 +From: He Zhe +Date: Fri, 17 Aug 2018 22:42:28 +0800 +Subject: kgdboc: Passing ekgdboc to command line causes panic + +From: He Zhe + +commit 1bd54d851f50dea6af30c3e6ff4f3e9aab5558f9 upstream. + +kgdboc_option_setup does not check input argument before passing it +to strlen. The argument would be a NULL pointer if "ekgdboc", without +its value, is set in command line and thus cause the following panic. + +PANIC: early exception 0xe3 IP 10:ffffffff8fbbb620 error 0 cr2 0x0 +[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.18-rc8+ #1 +[ 0.000000] RIP: 0010:strlen+0x0/0x20 +... +[ 0.000000] Call Trace +[ 0.000000] ? kgdboc_option_setup+0x9/0xa0 +[ 0.000000] ? kgdboc_early_init+0x6/0x1b +[ 0.000000] ? do_early_param+0x4d/0x82 +[ 0.000000] ? parse_args+0x212/0x330 +[ 0.000000] ? rdinit_setup+0x26/0x26 +[ 0.000000] ? parse_early_options+0x20/0x23 +[ 0.000000] ? rdinit_setup+0x26/0x26 +[ 0.000000] ? parse_early_param+0x2d/0x39 +[ 0.000000] ? setup_arch+0x2f7/0xbf4 +[ 0.000000] ? start_kernel+0x5e/0x4c2 +[ 0.000000] ? load_ucode_bsp+0x113/0x12f +[ 0.000000] ? secondary_startup_64+0xa5/0xb0 + +This patch adds a check to prevent the panic. + +Cc: stable@vger.kernel.org +Cc: jason.wessel@windriver.com +Cc: gregkh@linuxfoundation.org +Cc: jslaby@suse.com +Signed-off-by: He Zhe +Reviewed-by: Daniel Thompson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/kgdboc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/tty/serial/kgdboc.c ++++ b/drivers/tty/serial/kgdboc.c +@@ -130,6 +130,11 @@ static void kgdboc_unregister_kbd(void) + + static int kgdboc_option_setup(char *opt) + { ++ if (!opt) { ++ pr_err("kgdboc: config string not provided\n"); ++ return -EINVAL; ++ } ++ + if (strlen(opt) >= MAX_CONFIG_LEN) { + printk(KERN_ERR "kgdboc: config string too long\n"); + return -ENOSPC; diff --git a/queue-4.18/media-cec-integrate-cec_validate_phys_addr-in-cec-api.c.patch b/queue-4.18/media-cec-integrate-cec_validate_phys_addr-in-cec-api.c.patch new file mode 100644 index 00000000000..b5460f56056 --- /dev/null +++ b/queue-4.18/media-cec-integrate-cec_validate_phys_addr-in-cec-api.c.patch @@ -0,0 +1,58 @@ +From e81bff39489a06384822bb38ce7a59f9e365bbe9 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 13 Sep 2018 03:36:29 -0400 +Subject: media: cec: integrate cec_validate_phys_addr() in cec-api.c + +From: Hans Verkuil + +commit e81bff39489a06384822bb38ce7a59f9e365bbe9 upstream. + +The cec_phys_addr_validate() function will be moved to V4L2, +so use a simplified variant of that function in cec-api.c. +cec now no longer calls cec_phys_addr_validate() and it can +be safely moved to V4L2. + +Signed-off-by: Hans Verkuil +Cc: # for v4.17 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/cec/cec-api.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- a/drivers/media/cec/cec-api.c ++++ b/drivers/media/cec/cec-api.c +@@ -101,6 +101,23 @@ static long cec_adap_g_phys_addr(struct + return 0; + } + ++static int cec_validate_phys_addr(u16 phys_addr) ++{ ++ int i; ++ ++ if (phys_addr == CEC_PHYS_ADDR_INVALID) ++ return 0; ++ for (i = 0; i < 16; i += 4) ++ if (phys_addr & (0xf << i)) ++ break; ++ if (i == 16) ++ return 0; ++ for (i += 4; i < 16; i += 4) ++ if ((phys_addr & (0xf << i)) == 0) ++ return -EINVAL; ++ return 0; ++} ++ + static long cec_adap_s_phys_addr(struct cec_adapter *adap, struct cec_fh *fh, + bool block, __u16 __user *parg) + { +@@ -112,7 +129,7 @@ static long cec_adap_s_phys_addr(struct + if (copy_from_user(&phys_addr, parg, sizeof(phys_addr))) + return -EFAULT; + +- err = cec_phys_addr_validate(phys_addr, NULL, NULL); ++ err = cec_validate_phys_addr(phys_addr); + if (err) + return err; + mutex_lock(&adap->lock); diff --git a/queue-4.18/media-cec-make-cec_get_edid_spa_location-an-inline-function.patch b/queue-4.18/media-cec-make-cec_get_edid_spa_location-an-inline-function.patch new file mode 100644 index 00000000000..b399136b2d0 --- /dev/null +++ b/queue-4.18/media-cec-make-cec_get_edid_spa_location-an-inline-function.patch @@ -0,0 +1,174 @@ +From b915bf575d5b7774d0f22d57d6c143e07dcaade2 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 13 Sep 2018 03:25:59 -0400 +Subject: media: cec: make cec_get_edid_spa_location() an inline function + +From: Hans Verkuil + +commit b915bf575d5b7774d0f22d57d6c143e07dcaade2 upstream. + +This function is needed by both V4L2 and CEC, so move this to +cec.h as a static inline since there are no obvious shared +modules between the two subsystems. + +This patch, together with the following ones, fixes a +dependency bug: if CEC_CORE is disabled, then building adv7604 +(and other HDMI receivers) will fail because an essential +function is now stubbed out. + +Signed-off-by: Hans Verkuil +Cc: # for v4.17 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/cec/cec-edid.c | 60 ------------------------------------ + include/media/cec.h | 70 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 70 insertions(+), 60 deletions(-) + +--- a/drivers/media/cec/cec-edid.c ++++ b/drivers/media/cec/cec-edid.c +@@ -10,66 +10,6 @@ + #include + #include + +-/* +- * This EDID is expected to be a CEA-861 compliant, which means that there are +- * at least two blocks and one or more of the extensions blocks are CEA-861 +- * blocks. +- * +- * The returned location is guaranteed to be < size - 1. +- */ +-static unsigned int cec_get_edid_spa_location(const u8 *edid, unsigned int size) +-{ +- unsigned int blocks = size / 128; +- unsigned int block; +- u8 d; +- +- /* Sanity check: at least 2 blocks and a multiple of the block size */ +- if (blocks < 2 || size % 128) +- return 0; +- +- /* +- * If there are fewer extension blocks than the size, then update +- * 'blocks'. It is allowed to have more extension blocks than the size, +- * since some hardware can only read e.g. 256 bytes of the EDID, even +- * though more blocks are present. The first CEA-861 extension block +- * should normally be in block 1 anyway. +- */ +- if (edid[0x7e] + 1 < blocks) +- blocks = edid[0x7e] + 1; +- +- for (block = 1; block < blocks; block++) { +- unsigned int offset = block * 128; +- +- /* Skip any non-CEA-861 extension blocks */ +- if (edid[offset] != 0x02 || edid[offset + 1] != 0x03) +- continue; +- +- /* search Vendor Specific Data Block (tag 3) */ +- d = edid[offset + 2] & 0x7f; +- /* Check if there are Data Blocks */ +- if (d <= 4) +- continue; +- if (d > 4) { +- unsigned int i = offset + 4; +- unsigned int end = offset + d; +- +- /* Note: 'end' is always < 'size' */ +- do { +- u8 tag = edid[i] >> 5; +- u8 len = edid[i] & 0x1f; +- +- if (tag == 3 && len >= 5 && i + len <= end && +- edid[i + 1] == 0x03 && +- edid[i + 2] == 0x0c && +- edid[i + 3] == 0x00) +- return i + 4; +- i += len + 1; +- } while (i < end); +- } +- } +- return 0; +-} +- + u16 cec_get_edid_phys_addr(const u8 *edid, unsigned int size, + unsigned int *offset) + { +--- a/include/media/cec.h ++++ b/include/media/cec.h +@@ -451,4 +451,74 @@ static inline void cec_phys_addr_invalid + cec_s_phys_addr(adap, CEC_PHYS_ADDR_INVALID, false); + } + ++/** ++ * cec_get_edid_spa_location() - find location of the Source Physical Address ++ * ++ * @edid: the EDID ++ * @size: the size of the EDID ++ * ++ * This EDID is expected to be a CEA-861 compliant, which means that there are ++ * at least two blocks and one or more of the extensions blocks are CEA-861 ++ * blocks. ++ * ++ * The returned location is guaranteed to be <= size-2. ++ * ++ * This is an inline function since it is used by both CEC and V4L2. ++ * Ideally this would go in a module shared by both, but it is overkill to do ++ * that for just a single function. ++ */ ++static inline unsigned int cec_get_edid_spa_location(const u8 *edid, ++ unsigned int size) ++{ ++ unsigned int blocks = size / 128; ++ unsigned int block; ++ u8 d; ++ ++ /* Sanity check: at least 2 blocks and a multiple of the block size */ ++ if (blocks < 2 || size % 128) ++ return 0; ++ ++ /* ++ * If there are fewer extension blocks than the size, then update ++ * 'blocks'. It is allowed to have more extension blocks than the size, ++ * since some hardware can only read e.g. 256 bytes of the EDID, even ++ * though more blocks are present. The first CEA-861 extension block ++ * should normally be in block 1 anyway. ++ */ ++ if (edid[0x7e] + 1 < blocks) ++ blocks = edid[0x7e] + 1; ++ ++ for (block = 1; block < blocks; block++) { ++ unsigned int offset = block * 128; ++ ++ /* Skip any non-CEA-861 extension blocks */ ++ if (edid[offset] != 0x02 || edid[offset + 1] != 0x03) ++ continue; ++ ++ /* search Vendor Specific Data Block (tag 3) */ ++ d = edid[offset + 2] & 0x7f; ++ /* Check if there are Data Blocks */ ++ if (d <= 4) ++ continue; ++ if (d > 4) { ++ unsigned int i = offset + 4; ++ unsigned int end = offset + d; ++ ++ /* Note: 'end' is always < 'size' */ ++ do { ++ u8 tag = edid[i] >> 5; ++ u8 len = edid[i] & 0x1f; ++ ++ if (tag == 3 && len >= 5 && i + len <= end && ++ edid[i + 1] == 0x03 && ++ edid[i + 2] == 0x0c && ++ edid[i + 3] == 0x00) ++ return i + 4; ++ i += len + 1; ++ } while (i < end); ++ } ++ } ++ return 0; ++} ++ + #endif /* _MEDIA_CEC_H */ diff --git a/queue-4.18/revert-media-dvbsky-use-just-one-mutex-for-serializing-device-r-w-ops.patch b/queue-4.18/revert-media-dvbsky-use-just-one-mutex-for-serializing-device-r-w-ops.patch new file mode 100644 index 00000000000..5ecb0ee8ba1 --- /dev/null +++ b/queue-4.18/revert-media-dvbsky-use-just-one-mutex-for-serializing-device-r-w-ops.patch @@ -0,0 +1,71 @@ +From 9afc82194de9a1ce298f0d77d7d779d585bf962c Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Fri, 5 Oct 2018 10:21:25 -0400 +Subject: Revert "media: dvbsky: use just one mutex for serializing device R/W ops" + +From: Mauro Carvalho Chehab + +commit 9afc82194de9a1ce298f0d77d7d779d585bf962c upstream. + +As pointed at: + https://bugzilla.kernel.org/show_bug.cgi?id=199323 + +This patch causes a bad effect on RPi. I suspect that the root +cause is at the USB out of tree RPi driver, with uses high priority +interrupts instead of normal ones. Anyway, as this patch +is mostly a cleanup, better to revert it. + +This reverts commit 7d95fb746c4eece67308f1642a666ea1ebdbd2cc. + +Cc: stable@vger.kernel.org # For Kernel 4.18 +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb-v2/dvbsky.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/media/usb/dvb-usb-v2/dvbsky.c ++++ b/drivers/media/usb/dvb-usb-v2/dvbsky.c +@@ -31,6 +31,7 @@ MODULE_PARM_DESC(disable_rc, "Disable in + DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr); + + struct dvbsky_state { ++ struct mutex stream_mutex; + u8 ibuf[DVBSKY_BUF_LEN]; + u8 obuf[DVBSKY_BUF_LEN]; + u8 last_lock; +@@ -67,17 +68,18 @@ static int dvbsky_usb_generic_rw(struct + + static int dvbsky_stream_ctrl(struct dvb_usb_device *d, u8 onoff) + { ++ struct dvbsky_state *state = d_to_priv(d); + int ret; +- static u8 obuf_pre[3] = { 0x37, 0, 0 }; +- static u8 obuf_post[3] = { 0x36, 3, 0 }; ++ u8 obuf_pre[3] = { 0x37, 0, 0 }; ++ u8 obuf_post[3] = { 0x36, 3, 0 }; + +- mutex_lock(&d->usb_mutex); +- ret = dvb_usbv2_generic_rw_locked(d, obuf_pre, 3, NULL, 0); ++ mutex_lock(&state->stream_mutex); ++ ret = dvbsky_usb_generic_rw(d, obuf_pre, 3, NULL, 0); + if (!ret && onoff) { + msleep(20); +- ret = dvb_usbv2_generic_rw_locked(d, obuf_post, 3, NULL, 0); ++ ret = dvbsky_usb_generic_rw(d, obuf_post, 3, NULL, 0); + } +- mutex_unlock(&d->usb_mutex); ++ mutex_unlock(&state->stream_mutex); + return ret; + } + +@@ -606,6 +608,8 @@ static int dvbsky_init(struct dvb_usb_de + if (ret) + return ret; + */ ++ mutex_init(&state->stream_mutex); ++ + state->last_lock = 0; + + return 0; diff --git a/queue-4.18/series b/queue-4.18/series index cbb605a57a9..f8a9e27c63b 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -285,3 +285,7 @@ iommu-arm-smmu-ensure-that-page-table-updates-are-visible-before-tlbi.patch tc-set-dma-masks-for-devices.patch net-bcmgenet-fix-of-child-node-lookup.patch media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch +revert-media-dvbsky-use-just-one-mutex-for-serializing-device-r-w-ops.patch +kgdboc-passing-ekgdboc-to-command-line-causes-panic.patch +media-cec-make-cec_get_edid_spa_location-an-inline-function.patch +media-cec-integrate-cec_validate_phys_addr-in-cec-api.c.patch