From: Greg Kroah-Hartman Date: Tue, 24 Oct 2017 08:01:58 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.78~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f941e2c8f8199f3d049294d9f9095296ddab6062;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-hda-remove-superfluous-added-by-printk-conversion.patch alsa-seq-enable-use-locking-in-all-configurations.patch brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch bus-mbus-fix-window-size-calculation-for-4gb-windows.patch clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch drm-nouveau-bsp-g92-disable-by-default.patch drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch keys-don-t-let-add_key-update-an-uninstantiated-key.patch keys-encrypted-fix-dereference-of-null-user_key_payload.patch lib-digsig-fix-dereference-of-null-user_key_payload.patch pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch rtlwifi-rtl8821ae-fix-connection-lost-problem.patch --- diff --git a/queue-4.4/alsa-hda-remove-superfluous-added-by-printk-conversion.patch b/queue-4.4/alsa-hda-remove-superfluous-added-by-printk-conversion.patch new file mode 100644 index 00000000000..4acb6fb3be4 --- /dev/null +++ b/queue-4.4/alsa-hda-remove-superfluous-added-by-printk-conversion.patch @@ -0,0 +1,35 @@ +From 6bf88a343db2b3c160edf9b82a74966b31cc80bd Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 17 Oct 2017 11:58:17 +0200 +Subject: ALSA: hda: Remove superfluous '-' added by printk conversion + +From: Takashi Iwai + +commit 6bf88a343db2b3c160edf9b82a74966b31cc80bd upstream. + +While converting the error messages to the standard macros in the +commit 4e76a8833fac ("ALSA: hda - Replace with standard printk"), a +superfluous '-' slipped in the code mistakenly. Its influence is +almost negligible, merely shows a dB value as negative integer instead +of positive integer (or vice versa) in the rare error message. +So let's kill this embarrassing byte to show more correct value. + +Fixes: 4e76a8833fac ("ALSA: hda - Replace with standard printk") +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_codec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -1755,7 +1755,7 @@ static int get_kctl_0dB_offset(struct hd + return -1; + if (*step_to_check && *step_to_check != step) { + codec_err(codec, "Mismatching dB step for vmaster slave (%d!=%d)\n", +-- *step_to_check, step); ++ *step_to_check, step); + return -1; + } + *step_to_check = step; diff --git a/queue-4.4/alsa-seq-enable-use-locking-in-all-configurations.patch b/queue-4.4/alsa-seq-enable-use-locking-in-all-configurations.patch new file mode 100644 index 00000000000..6d59fb73f20 --- /dev/null +++ b/queue-4.4/alsa-seq-enable-use-locking-in-all-configurations.patch @@ -0,0 +1,66 @@ +From 8009d506a1dd00cf436b0c4cca0dcec130580a21 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Wed, 18 Oct 2017 00:45:49 +0100 +Subject: ALSA: seq: Enable 'use' locking in all configurations + +From: Ben Hutchings + +commit 8009d506a1dd00cf436b0c4cca0dcec130580a21 upstream. + +The 'use' locking macros are no-ops if neither SMP or SND_DEBUG is +enabled. This might once have been OK in non-preemptible +configurations, but even in that case snd_seq_read() may sleep while +relying on a 'use' lock. So always use the proper implementations. + +Signed-off-by: Ben Hutchings +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_lock.c | 4 ---- + sound/core/seq/seq_lock.h | 12 ------------ + 2 files changed, 16 deletions(-) + +--- a/sound/core/seq/seq_lock.c ++++ b/sound/core/seq/seq_lock.c +@@ -23,8 +23,6 @@ + #include + #include "seq_lock.h" + +-#if defined(CONFIG_SMP) || defined(CONFIG_SND_DEBUG) +- + /* wait until all locks are released */ + void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line) + { +@@ -42,5 +40,3 @@ void snd_use_lock_sync_helper(snd_use_lo + } + + EXPORT_SYMBOL(snd_use_lock_sync_helper); +- +-#endif +--- a/sound/core/seq/seq_lock.h ++++ b/sound/core/seq/seq_lock.h +@@ -3,8 +3,6 @@ + + #include + +-#if defined(CONFIG_SMP) || defined(CONFIG_SND_DEBUG) +- + typedef atomic_t snd_use_lock_t; + + /* initialize lock */ +@@ -20,14 +18,4 @@ typedef atomic_t snd_use_lock_t; + void snd_use_lock_sync_helper(snd_use_lock_t *lock, const char *file, int line); + #define snd_use_lock_sync(lockp) snd_use_lock_sync_helper(lockp, __BASE_FILE__, __LINE__) + +-#else /* SMP || CONFIG_SND_DEBUG */ +- +-typedef spinlock_t snd_use_lock_t; /* dummy */ +-#define snd_use_lock_init(lockp) /**/ +-#define snd_use_lock_use(lockp) /**/ +-#define snd_use_lock_free(lockp) /**/ +-#define snd_use_lock_sync(lockp) /**/ +- +-#endif /* SMP || CONFIG_SND_DEBUG */ +- + #endif /* __SND_SEQ_LOCK_H */ diff --git a/queue-4.4/brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch b/queue-4.4/brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch new file mode 100644 index 00000000000..5d1a24f3414 --- /dev/null +++ b/queue-4.4/brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch @@ -0,0 +1,431 @@ +From c503dd38f850be28867ef7a42d9abe5ade81a9bd Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 22 Sep 2017 23:29:12 +0200 +Subject: brcmsmac: make some local variables 'static const' to reduce stack size + +From: Arnd Bergmann + +commit c503dd38f850be28867ef7a42d9abe5ade81a9bd upstream. + +With KASAN and a couple of other patches applied, this driver is one +of the few remaining ones that actually use more than 2048 bytes of +kernel stack: + +broadcom/brcm80211/brcmsmac/phy/phy_n.c: In function 'wlc_phy_workarounds_nphy_gainctrl': +broadcom/brcm80211/brcmsmac/phy/phy_n.c:16065:1: warning: the frame size of 3264 bytes is larger than 2048 bytes [-Wframe-larger-than=] +broadcom/brcm80211/brcmsmac/phy/phy_n.c: In function 'wlc_phy_workarounds_nphy': +broadcom/brcm80211/brcmsmac/phy/phy_n.c:17138:1: warning: the frame size of 2864 bytes is larger than 2048 bytes [-Wframe-larger-than=] + +Here, I'm reducing the stack size by marking as many local variables as +'static const' as I can without changing the actual code. + +This is the first of three patches to improve the stack usage in this +driver. It would be good to have this backported to stabl kernels +to get all drivers in 'allmodconfig' below the 2048 byte limit so +we can turn on the frame warning again globally, but I realize that +the patch is larger than the normal limit for stable backports. + +The other two patches do not need to be backported. + +Acked-by: Arend van Spriel +Signed-off-by: Arnd Bergmann +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/brcm80211/brcmsmac/phy/phy_n.c | 197 +++++++++----------- + 1 file changed, 97 insertions(+), 100 deletions(-) + +--- a/drivers/net/wireless/brcm80211/brcmsmac/phy/phy_n.c ++++ b/drivers/net/wireless/brcm80211/brcmsmac/phy/phy_n.c +@@ -14764,8 +14764,8 @@ static void wlc_phy_ipa_restore_tx_digi_ + } + + static void +-wlc_phy_set_rfseq_nphy(struct brcms_phy *pi, u8 cmd, u8 *events, u8 *dlys, +- u8 len) ++wlc_phy_set_rfseq_nphy(struct brcms_phy *pi, u8 cmd, const u8 *events, ++ const u8 *dlys, u8 len) + { + u32 t1_offset, t2_offset; + u8 ctr; +@@ -15240,16 +15240,16 @@ static void wlc_phy_workarounds_nphy_gai + static void wlc_phy_workarounds_nphy_gainctrl_2057_rev6(struct brcms_phy *pi) + { + u16 currband; +- s8 lna1G_gain_db_rev7[] = { 9, 14, 19, 24 }; +- s8 *lna1_gain_db = NULL; +- s8 *lna1_gain_db_2 = NULL; +- s8 *lna2_gain_db = NULL; +- s8 tiaA_gain_db_rev7[] = { -9, -6, -3, 0, 3, 3, 3, 3, 3, 3 }; +- s8 *tia_gain_db; +- s8 tiaA_gainbits_rev7[] = { 0, 1, 2, 3, 4, 4, 4, 4, 4, 4 }; +- s8 *tia_gainbits; +- u16 rfseqA_init_gain_rev7[] = { 0x624f, 0x624f }; +- u16 *rfseq_init_gain; ++ static const s8 lna1G_gain_db_rev7[] = { 9, 14, 19, 24 }; ++ const s8 *lna1_gain_db = NULL; ++ const s8 *lna1_gain_db_2 = NULL; ++ const s8 *lna2_gain_db = NULL; ++ static const s8 tiaA_gain_db_rev7[] = { -9, -6, -3, 0, 3, 3, 3, 3, 3, 3 }; ++ const s8 *tia_gain_db; ++ static const s8 tiaA_gainbits_rev7[] = { 0, 1, 2, 3, 4, 4, 4, 4, 4, 4 }; ++ const s8 *tia_gainbits; ++ static const u16 rfseqA_init_gain_rev7[] = { 0x624f, 0x624f }; ++ const u16 *rfseq_init_gain; + u16 init_gaincode; + u16 clip1hi_gaincode; + u16 clip1md_gaincode = 0; +@@ -15310,10 +15310,9 @@ static void wlc_phy_workarounds_nphy_gai + + if ((freq <= 5080) || (freq == 5825)) { + +- s8 lna1A_gain_db_rev7[] = { 11, 16, 20, 24 }; +- s8 lna1A_gain_db_2_rev7[] = { +- 11, 17, 22, 25}; +- s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 }; ++ static const s8 lna1A_gain_db_rev7[] = { 11, 16, 20, 24 }; ++ static const s8 lna1A_gain_db_2_rev7[] = { 11, 17, 22, 25}; ++ static const s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 }; + + crsminu_th = 0x3e; + lna1_gain_db = lna1A_gain_db_rev7; +@@ -15321,10 +15320,9 @@ static void wlc_phy_workarounds_nphy_gai + lna2_gain_db = lna2A_gain_db_rev7; + } else if ((freq >= 5500) && (freq <= 5700)) { + +- s8 lna1A_gain_db_rev7[] = { 11, 17, 21, 25 }; +- s8 lna1A_gain_db_2_rev7[] = { +- 12, 18, 22, 26}; +- s8 lna2A_gain_db_rev7[] = { 1, 8, 12, 16 }; ++ static const s8 lna1A_gain_db_rev7[] = { 11, 17, 21, 25 }; ++ static const s8 lna1A_gain_db_2_rev7[] = { 12, 18, 22, 26}; ++ static const s8 lna2A_gain_db_rev7[] = { 1, 8, 12, 16 }; + + crsminu_th = 0x45; + clip1md_gaincode_B = 0x14; +@@ -15335,10 +15333,9 @@ static void wlc_phy_workarounds_nphy_gai + lna2_gain_db = lna2A_gain_db_rev7; + } else { + +- s8 lna1A_gain_db_rev7[] = { 12, 18, 22, 26 }; +- s8 lna1A_gain_db_2_rev7[] = { +- 12, 18, 22, 26}; +- s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 }; ++ static const s8 lna1A_gain_db_rev7[] = { 12, 18, 22, 26 }; ++ static const s8 lna1A_gain_db_2_rev7[] = { 12, 18, 22, 26}; ++ static const s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 }; + + crsminu_th = 0x41; + lna1_gain_db = lna1A_gain_db_rev7; +@@ -15450,65 +15447,65 @@ static void wlc_phy_workarounds_nphy_gai + NPHY_RFSEQ_CMD_CLR_HIQ_DIS, + NPHY_RFSEQ_CMD_SET_HPF_BW + }; +- u8 rfseq_updategainu_dlys[] = { 10, 30, 1 }; +- s8 lna1G_gain_db[] = { 7, 11, 16, 23 }; +- s8 lna1G_gain_db_rev4[] = { 8, 12, 17, 25 }; +- s8 lna1G_gain_db_rev5[] = { 9, 13, 18, 26 }; +- s8 lna1G_gain_db_rev6[] = { 8, 13, 18, 25 }; +- s8 lna1G_gain_db_rev6_224B0[] = { 10, 14, 19, 27 }; +- s8 lna1A_gain_db[] = { 7, 11, 17, 23 }; +- s8 lna1A_gain_db_rev4[] = { 8, 12, 18, 23 }; +- s8 lna1A_gain_db_rev5[] = { 6, 10, 16, 21 }; +- s8 lna1A_gain_db_rev6[] = { 6, 10, 16, 21 }; +- s8 *lna1_gain_db = NULL; +- s8 lna2G_gain_db[] = { -5, 6, 10, 14 }; +- s8 lna2G_gain_db_rev5[] = { -3, 7, 11, 16 }; +- s8 lna2G_gain_db_rev6[] = { -5, 6, 10, 14 }; +- s8 lna2G_gain_db_rev6_224B0[] = { -5, 6, 10, 15 }; +- s8 lna2A_gain_db[] = { -6, 2, 6, 10 }; +- s8 lna2A_gain_db_rev4[] = { -5, 2, 6, 10 }; +- s8 lna2A_gain_db_rev5[] = { -7, 0, 4, 8 }; +- s8 lna2A_gain_db_rev6[] = { -7, 0, 4, 8 }; +- s8 *lna2_gain_db = NULL; +- s8 tiaG_gain_db[] = { ++ static const u8 rfseq_updategainu_dlys[] = { 10, 30, 1 }; ++ static const s8 lna1G_gain_db[] = { 7, 11, 16, 23 }; ++ static const s8 lna1G_gain_db_rev4[] = { 8, 12, 17, 25 }; ++ static const s8 lna1G_gain_db_rev5[] = { 9, 13, 18, 26 }; ++ static const s8 lna1G_gain_db_rev6[] = { 8, 13, 18, 25 }; ++ static const s8 lna1G_gain_db_rev6_224B0[] = { 10, 14, 19, 27 }; ++ static const s8 lna1A_gain_db[] = { 7, 11, 17, 23 }; ++ static const s8 lna1A_gain_db_rev4[] = { 8, 12, 18, 23 }; ++ static const s8 lna1A_gain_db_rev5[] = { 6, 10, 16, 21 }; ++ static const s8 lna1A_gain_db_rev6[] = { 6, 10, 16, 21 }; ++ const s8 *lna1_gain_db = NULL; ++ static const s8 lna2G_gain_db[] = { -5, 6, 10, 14 }; ++ static const s8 lna2G_gain_db_rev5[] = { -3, 7, 11, 16 }; ++ static const s8 lna2G_gain_db_rev6[] = { -5, 6, 10, 14 }; ++ static const s8 lna2G_gain_db_rev6_224B0[] = { -5, 6, 10, 15 }; ++ static const s8 lna2A_gain_db[] = { -6, 2, 6, 10 }; ++ static const s8 lna2A_gain_db_rev4[] = { -5, 2, 6, 10 }; ++ static const s8 lna2A_gain_db_rev5[] = { -7, 0, 4, 8 }; ++ static const s8 lna2A_gain_db_rev6[] = { -7, 0, 4, 8 }; ++ const s8 *lna2_gain_db = NULL; ++ static const s8 tiaG_gain_db[] = { + 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A }; +- s8 tiaA_gain_db[] = { ++ static const s8 tiaA_gain_db[] = { + 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13 }; +- s8 tiaA_gain_db_rev4[] = { ++ static const s8 tiaA_gain_db_rev4[] = { + 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d }; +- s8 tiaA_gain_db_rev5[] = { ++ static const s8 tiaA_gain_db_rev5[] = { + 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d }; +- s8 tiaA_gain_db_rev6[] = { ++ static const s8 tiaA_gain_db_rev6[] = { + 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d }; +- s8 *tia_gain_db; +- s8 tiaG_gainbits[] = { ++ const s8 *tia_gain_db; ++ static const s8 tiaG_gainbits[] = { + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03 }; +- s8 tiaA_gainbits[] = { ++ static const s8 tiaA_gainbits[] = { + 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06 }; +- s8 tiaA_gainbits_rev4[] = { ++ static const s8 tiaA_gainbits_rev4[] = { + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 }; +- s8 tiaA_gainbits_rev5[] = { ++ static const s8 tiaA_gainbits_rev5[] = { + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 }; +- s8 tiaA_gainbits_rev6[] = { ++ static const s8 tiaA_gainbits_rev6[] = { + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 }; +- s8 *tia_gainbits; +- s8 lpf_gain_db[] = { 0x00, 0x06, 0x0c, 0x12, 0x12, 0x12 }; +- s8 lpf_gainbits[] = { 0x00, 0x01, 0x02, 0x03, 0x03, 0x03 }; +- u16 rfseqG_init_gain[] = { 0x613f, 0x613f, 0x613f, 0x613f }; +- u16 rfseqG_init_gain_rev4[] = { 0x513f, 0x513f, 0x513f, 0x513f }; +- u16 rfseqG_init_gain_rev5[] = { 0x413f, 0x413f, 0x413f, 0x413f }; +- u16 rfseqG_init_gain_rev5_elna[] = { ++ const s8 *tia_gainbits; ++ static const s8 lpf_gain_db[] = { 0x00, 0x06, 0x0c, 0x12, 0x12, 0x12 }; ++ static const s8 lpf_gainbits[] = { 0x00, 0x01, 0x02, 0x03, 0x03, 0x03 }; ++ static const u16 rfseqG_init_gain[] = { 0x613f, 0x613f, 0x613f, 0x613f }; ++ static const u16 rfseqG_init_gain_rev4[] = { 0x513f, 0x513f, 0x513f, 0x513f }; ++ static const u16 rfseqG_init_gain_rev5[] = { 0x413f, 0x413f, 0x413f, 0x413f }; ++ static const u16 rfseqG_init_gain_rev5_elna[] = { + 0x013f, 0x013f, 0x013f, 0x013f }; +- u16 rfseqG_init_gain_rev6[] = { 0x513f, 0x513f }; +- u16 rfseqG_init_gain_rev6_224B0[] = { 0x413f, 0x413f }; +- u16 rfseqG_init_gain_rev6_elna[] = { 0x113f, 0x113f }; +- u16 rfseqA_init_gain[] = { 0x516f, 0x516f, 0x516f, 0x516f }; +- u16 rfseqA_init_gain_rev4[] = { 0x614f, 0x614f, 0x614f, 0x614f }; +- u16 rfseqA_init_gain_rev4_elna[] = { ++ static const u16 rfseqG_init_gain_rev6[] = { 0x513f, 0x513f }; ++ static const u16 rfseqG_init_gain_rev6_224B0[] = { 0x413f, 0x413f }; ++ static const u16 rfseqG_init_gain_rev6_elna[] = { 0x113f, 0x113f }; ++ static const u16 rfseqA_init_gain[] = { 0x516f, 0x516f, 0x516f, 0x516f }; ++ static const u16 rfseqA_init_gain_rev4[] = { 0x614f, 0x614f, 0x614f, 0x614f }; ++ static const u16 rfseqA_init_gain_rev4_elna[] = { + 0x314f, 0x314f, 0x314f, 0x314f }; +- u16 rfseqA_init_gain_rev5[] = { 0x714f, 0x714f, 0x714f, 0x714f }; +- u16 rfseqA_init_gain_rev6[] = { 0x714f, 0x714f }; +- u16 *rfseq_init_gain; ++ static const u16 rfseqA_init_gain_rev5[] = { 0x714f, 0x714f, 0x714f, 0x714f }; ++ static const u16 rfseqA_init_gain_rev6[] = { 0x714f, 0x714f }; ++ const u16 *rfseq_init_gain; + u16 initG_gaincode = 0x627e; + u16 initG_gaincode_rev4 = 0x527e; + u16 initG_gaincode_rev5 = 0x427e; +@@ -15538,10 +15535,10 @@ static void wlc_phy_workarounds_nphy_gai + u16 clip1mdA_gaincode_rev6 = 0x2084; + u16 clip1md_gaincode = 0; + u16 clip1loG_gaincode = 0x0074; +- u16 clip1loG_gaincode_rev5[] = { ++ static const u16 clip1loG_gaincode_rev5[] = { + 0x0062, 0x0064, 0x006a, 0x106a, 0x106c, 0x1074, 0x107c, 0x207c + }; +- u16 clip1loG_gaincode_rev6[] = { ++ static const u16 clip1loG_gaincode_rev6[] = { + 0x106a, 0x106c, 0x1074, 0x107c, 0x007e, 0x107e, 0x207e, 0x307e + }; + u16 clip1loG_gaincode_rev6_224B0 = 0x1074; +@@ -16066,7 +16063,7 @@ static void wlc_phy_workarounds_nphy_gai + + static void wlc_phy_workarounds_nphy(struct brcms_phy *pi) + { +- u8 rfseq_rx2tx_events[] = { ++ static const u8 rfseq_rx2tx_events[] = { + NPHY_RFSEQ_CMD_NOP, + NPHY_RFSEQ_CMD_RXG_FBW, + NPHY_RFSEQ_CMD_TR_SWITCH, +@@ -16076,7 +16073,7 @@ static void wlc_phy_workarounds_nphy(str + NPHY_RFSEQ_CMD_EXT_PA + }; + u8 rfseq_rx2tx_dlys[] = { 8, 6, 6, 2, 4, 60, 1 }; +- u8 rfseq_tx2rx_events[] = { ++ static const u8 rfseq_tx2rx_events[] = { + NPHY_RFSEQ_CMD_NOP, + NPHY_RFSEQ_CMD_EXT_PA, + NPHY_RFSEQ_CMD_TX_GAIN, +@@ -16085,8 +16082,8 @@ static void wlc_phy_workarounds_nphy(str + NPHY_RFSEQ_CMD_RXG_FBW, + NPHY_RFSEQ_CMD_CLR_HIQ_DIS + }; +- u8 rfseq_tx2rx_dlys[] = { 8, 6, 2, 4, 4, 6, 1 }; +- u8 rfseq_tx2rx_events_rev3[] = { ++ static const u8 rfseq_tx2rx_dlys[] = { 8, 6, 2, 4, 4, 6, 1 }; ++ static const u8 rfseq_tx2rx_events_rev3[] = { + NPHY_REV3_RFSEQ_CMD_EXT_PA, + NPHY_REV3_RFSEQ_CMD_INT_PA_PU, + NPHY_REV3_RFSEQ_CMD_TX_GAIN, +@@ -16096,7 +16093,7 @@ static void wlc_phy_workarounds_nphy(str + NPHY_REV3_RFSEQ_CMD_CLR_HIQ_DIS, + NPHY_REV3_RFSEQ_CMD_END + }; +- u8 rfseq_tx2rx_dlys_rev3[] = { 8, 4, 2, 2, 4, 4, 6, 1 }; ++ static const u8 rfseq_tx2rx_dlys_rev3[] = { 8, 4, 2, 2, 4, 4, 6, 1 }; + u8 rfseq_rx2tx_events_rev3[] = { + NPHY_REV3_RFSEQ_CMD_NOP, + NPHY_REV3_RFSEQ_CMD_RXG_FBW, +@@ -16110,7 +16107,7 @@ static void wlc_phy_workarounds_nphy(str + }; + u8 rfseq_rx2tx_dlys_rev3[] = { 8, 6, 6, 4, 4, 18, 42, 1, 1 }; + +- u8 rfseq_rx2tx_events_rev3_ipa[] = { ++ static const u8 rfseq_rx2tx_events_rev3_ipa[] = { + NPHY_REV3_RFSEQ_CMD_NOP, + NPHY_REV3_RFSEQ_CMD_RXG_FBW, + NPHY_REV3_RFSEQ_CMD_TR_SWITCH, +@@ -16121,15 +16118,15 @@ static void wlc_phy_workarounds_nphy(str + NPHY_REV3_RFSEQ_CMD_INT_PA_PU, + NPHY_REV3_RFSEQ_CMD_END + }; +- u8 rfseq_rx2tx_dlys_rev3_ipa[] = { 8, 6, 6, 4, 4, 16, 43, 1, 1 }; +- u16 rfseq_rx2tx_dacbufpu_rev7[] = { 0x10f, 0x10f }; ++ static const u8 rfseq_rx2tx_dlys_rev3_ipa[] = { 8, 6, 6, 4, 4, 16, 43, 1, 1 }; ++ static const u16 rfseq_rx2tx_dacbufpu_rev7[] = { 0x10f, 0x10f }; + + s16 alpha0, alpha1, alpha2; + s16 beta0, beta1, beta2; + u32 leg_data_weights, ht_data_weights, nss1_data_weights, + stbc_data_weights; + u8 chan_freq_range = 0; +- u16 dac_control = 0x0002; ++ static const u16 dac_control = 0x0002; + u16 aux_adc_vmid_rev7_core0[] = { 0x8e, 0x96, 0x96, 0x96 }; + u16 aux_adc_vmid_rev7_core1[] = { 0x8f, 0x9f, 0x9f, 0x96 }; + u16 aux_adc_vmid_rev4[] = { 0xa2, 0xb4, 0xb4, 0x89 }; +@@ -16139,8 +16136,8 @@ static void wlc_phy_workarounds_nphy(str + u16 aux_adc_gain_rev4[] = { 0x02, 0x02, 0x02, 0x00 }; + u16 aux_adc_gain_rev3[] = { 0x02, 0x02, 0x02, 0x00 }; + u16 *aux_adc_gain; +- u16 sk_adc_vmid[] = { 0xb4, 0xb4, 0xb4, 0x24 }; +- u16 sk_adc_gain[] = { 0x02, 0x02, 0x02, 0x02 }; ++ static const u16 sk_adc_vmid[] = { 0xb4, 0xb4, 0xb4, 0x24 }; ++ static const u16 sk_adc_gain[] = { 0x02, 0x02, 0x02, 0x02 }; + s32 min_nvar_val = 0x18d; + s32 min_nvar_offset_6mbps = 20; + u8 pdetrange; +@@ -16151,9 +16148,9 @@ static void wlc_phy_workarounds_nphy(str + u16 rfseq_rx2tx_lpf_h_hpc_rev7 = 0x77; + u16 rfseq_tx2rx_lpf_h_hpc_rev7 = 0x77; + u16 rfseq_pktgn_lpf_h_hpc_rev7 = 0x77; +- u16 rfseq_htpktgn_lpf_hpc_rev7[] = { 0x77, 0x11, 0x11 }; +- u16 rfseq_pktgn_lpf_hpc_rev7[] = { 0x11, 0x11 }; +- u16 rfseq_cckpktgn_lpf_hpc_rev7[] = { 0x11, 0x11 }; ++ static const u16 rfseq_htpktgn_lpf_hpc_rev7[] = { 0x77, 0x11, 0x11 }; ++ static const u16 rfseq_pktgn_lpf_hpc_rev7[] = { 0x11, 0x11 }; ++ static const u16 rfseq_cckpktgn_lpf_hpc_rev7[] = { 0x11, 0x11 }; + u16 ipalvlshift_3p3_war_en = 0; + u16 rccal_bcap_val, rccal_scap_val; + u16 rccal_tx20_11b_bcap = 0; +@@ -24291,13 +24288,13 @@ static void wlc_phy_update_txcal_ladder_ + u16 bbmult; + u16 tblentry; + +- struct nphy_txiqcal_ladder ladder_lo[] = { ++ static const struct nphy_txiqcal_ladder ladder_lo[] = { + {3, 0}, {4, 0}, {6, 0}, {9, 0}, {13, 0}, {18, 0}, + {25, 0}, {25, 1}, {25, 2}, {25, 3}, {25, 4}, {25, 5}, + {25, 6}, {25, 7}, {35, 7}, {50, 7}, {71, 7}, {100, 7} + }; + +- struct nphy_txiqcal_ladder ladder_iq[] = { ++ static const struct nphy_txiqcal_ladder ladder_iq[] = { + {3, 0}, {4, 0}, {6, 0}, {9, 0}, {13, 0}, {18, 0}, + {25, 0}, {35, 0}, {50, 0}, {71, 0}, {100, 0}, {100, 1}, + {100, 2}, {100, 3}, {100, 4}, {100, 5}, {100, 6}, {100, 7} +@@ -25773,67 +25770,67 @@ wlc_phy_cal_txiqlo_nphy(struct brcms_phy + u16 cal_gain[2]; + struct nphy_iqcal_params cal_params[2]; + u32 tbl_len; +- void *tbl_ptr; ++ const void *tbl_ptr; + bool ladder_updated[2]; + u8 mphase_cal_lastphase = 0; + int bcmerror = 0; + bool phyhang_avoid_state = false; + +- u16 tbl_tx_iqlo_cal_loft_ladder_20[] = { ++ static const u16 tbl_tx_iqlo_cal_loft_ladder_20[] = { + 0x0300, 0x0500, 0x0700, 0x0900, 0x0d00, 0x1100, 0x1900, 0x1901, + 0x1902, + 0x1903, 0x1904, 0x1905, 0x1906, 0x1907, 0x2407, 0x3207, 0x4607, + 0x6407 + }; + +- u16 tbl_tx_iqlo_cal_iqimb_ladder_20[] = { ++ static const u16 tbl_tx_iqlo_cal_iqimb_ladder_20[] = { + 0x0200, 0x0300, 0x0600, 0x0900, 0x0d00, 0x1100, 0x1900, 0x2400, + 0x3200, + 0x4600, 0x6400, 0x6401, 0x6402, 0x6403, 0x6404, 0x6405, 0x6406, + 0x6407 + }; + +- u16 tbl_tx_iqlo_cal_loft_ladder_40[] = { ++ static const u16 tbl_tx_iqlo_cal_loft_ladder_40[] = { + 0x0200, 0x0300, 0x0400, 0x0700, 0x0900, 0x0c00, 0x1200, 0x1201, + 0x1202, + 0x1203, 0x1204, 0x1205, 0x1206, 0x1207, 0x1907, 0x2307, 0x3207, + 0x4707 + }; + +- u16 tbl_tx_iqlo_cal_iqimb_ladder_40[] = { ++ static const u16 tbl_tx_iqlo_cal_iqimb_ladder_40[] = { + 0x0100, 0x0200, 0x0400, 0x0700, 0x0900, 0x0c00, 0x1200, 0x1900, + 0x2300, + 0x3200, 0x4700, 0x4701, 0x4702, 0x4703, 0x4704, 0x4705, 0x4706, + 0x4707 + }; + +- u16 tbl_tx_iqlo_cal_startcoefs[] = { ++ static const u16 tbl_tx_iqlo_cal_startcoefs[] = { + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000 + }; + +- u16 tbl_tx_iqlo_cal_cmds_fullcal[] = { ++ static const u16 tbl_tx_iqlo_cal_cmds_fullcal[] = { + 0x8123, 0x8264, 0x8086, 0x8245, 0x8056, + 0x9123, 0x9264, 0x9086, 0x9245, 0x9056 + }; + +- u16 tbl_tx_iqlo_cal_cmds_recal[] = { ++ static const u16 tbl_tx_iqlo_cal_cmds_recal[] = { + 0x8101, 0x8253, 0x8053, 0x8234, 0x8034, + 0x9101, 0x9253, 0x9053, 0x9234, 0x9034 + }; + +- u16 tbl_tx_iqlo_cal_startcoefs_nphyrev3[] = { ++ static const u16 tbl_tx_iqlo_cal_startcoefs_nphyrev3[] = { + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000 + }; + +- u16 tbl_tx_iqlo_cal_cmds_fullcal_nphyrev3[] = { ++ static const u16 tbl_tx_iqlo_cal_cmds_fullcal_nphyrev3[] = { + 0x8434, 0x8334, 0x8084, 0x8267, 0x8056, 0x8234, + 0x9434, 0x9334, 0x9084, 0x9267, 0x9056, 0x9234 + }; + +- u16 tbl_tx_iqlo_cal_cmds_recal_nphyrev3[] = { ++ static const u16 tbl_tx_iqlo_cal_cmds_recal_nphyrev3[] = { + 0x8423, 0x8323, 0x8073, 0x8256, 0x8045, 0x8223, + 0x9423, 0x9323, 0x9073, 0x9256, 0x9045, 0x9223 + }; diff --git a/queue-4.4/bus-mbus-fix-window-size-calculation-for-4gb-windows.patch b/queue-4.4/bus-mbus-fix-window-size-calculation-for-4gb-windows.patch new file mode 100644 index 00000000000..3fd04e9301a --- /dev/null +++ b/queue-4.4/bus-mbus-fix-window-size-calculation-for-4gb-windows.patch @@ -0,0 +1,58 @@ +From 2bbbd96357ce76cc45ec722c00f654aa7b189112 Mon Sep 17 00:00:00 2001 +From: Jan Luebbe +Date: Mon, 28 Aug 2017 17:25:16 +0200 +Subject: bus: mbus: fix window size calculation for 4GB windows + +From: Jan Luebbe + +commit 2bbbd96357ce76cc45ec722c00f654aa7b189112 upstream. + +At least the Armada XP SoC supports 4GB on a single DRAM window. Because +the size register values contain the actual size - 1, the MSB is set in +that case. For example, the SDRAM window's control register's value is +0xffffffe1 for 4GB (bits 31 to 24 contain the size). + +The MBUS driver reads back each window's size from registers and +calculates the actual size as (control_reg | ~DDR_SIZE_MASK) + 1, which +overflows for 32 bit values, resulting in other miscalculations further +on (a bad RAM window for the CESA crypto engine calculated by +mvebu_mbus_setup_cpu_target_nooverlap() in my case). + +This patch changes the type in 'struct mbus_dram_window' from u32 to +u64, which allows us to keep using the same register calculation code in +most MBUS-using drivers (which calculate ->size - 1 again). + +Fixes: fddddb52a6c4 ("bus: introduce an Marvell EBU MBus driver") +Signed-off-by: Jan Luebbe +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bus/mvebu-mbus.c | 2 +- + include/linux/mbus.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/bus/mvebu-mbus.c ++++ b/drivers/bus/mvebu-mbus.c +@@ -720,7 +720,7 @@ mvebu_mbus_default_setup_cpu_target(stru + if (mbus->hw_io_coherency) + w->mbus_attr |= ATTR_HW_COHERENCY; + w->base = base & DDR_BASE_CS_LOW_MASK; +- w->size = (size | ~DDR_SIZE_MASK) + 1; ++ w->size = (u64)(size | ~DDR_SIZE_MASK) + 1; + } + } + mvebu_mbus_dram_info.num_cs = cs; +--- a/include/linux/mbus.h ++++ b/include/linux/mbus.h +@@ -29,8 +29,8 @@ struct mbus_dram_target_info + struct mbus_dram_window { + u8 cs_index; + u8 mbus_attr; +- u32 base; +- u32 size; ++ u64 base; ++ u64 size; + } cs[4]; + }; + diff --git a/queue-4.4/clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch b/queue-4.4/clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch new file mode 100644 index 00000000000..7293eb2631a --- /dev/null +++ b/queue-4.4/clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch @@ -0,0 +1,45 @@ +From eb39a7c0355393c5a8d930f342ad7a6231b552c4 Mon Sep 17 00:00:00 2001 +From: David Kozub +Date: Thu, 19 Oct 2017 22:57:02 +0200 +Subject: clockevents/drivers/cs5535: Improve resilience to spurious interrupts + +From: David Kozub + +commit eb39a7c0355393c5a8d930f342ad7a6231b552c4 upstream. + +The interrupt handler mfgpt_tick() is not robust versus spurious interrupts +which happen before the clock event device is registered and fully +initialized. + +The reason is that the safe guard against spurious interrupts solely checks +for the clockevents shutdown state, but lacks a check for detached +state. If the interrupt hits while the device is in detached state it +passes the safe guard and dereferences the event handler call back which is +NULL. + +Add the missing state check. + +Fixes: 8f9327cbb6e8 ("clockevents/drivers/cs5535: Migrate to new 'set-state' interface") +Suggested-by: Thomas Gleixner +Signed-off-by: David Kozub +Signed-off-by: Thomas Gleixner +Cc: Daniel Lezcano +Link: https://lkml.kernel.org/r/20171020093103.3317F6004D@linux.fjfi.cvut.cz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clocksource/cs5535-clockevt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/clocksource/cs5535-clockevt.c ++++ b/drivers/clocksource/cs5535-clockevt.c +@@ -117,7 +117,8 @@ static irqreturn_t mfgpt_tick(int irq, v + /* Turn off the clock (and clear the event) */ + disable_timer(cs5535_event_clock); + +- if (clockevent_state_shutdown(&cs5535_clockevent)) ++ if (clockevent_state_detached(&cs5535_clockevent) || ++ clockevent_state_shutdown(&cs5535_clockevent)) + return IRQ_HANDLED; + + /* Clear the counter */ diff --git a/queue-4.4/drm-nouveau-bsp-g92-disable-by-default.patch b/queue-4.4/drm-nouveau-bsp-g92-disable-by-default.patch new file mode 100644 index 00000000000..98a3c09b593 --- /dev/null +++ b/queue-4.4/drm-nouveau-bsp-g92-disable-by-default.patch @@ -0,0 +1,35 @@ +From 194d68dd051c2dd5ac2b522ae16100e774e8d869 Mon Sep 17 00:00:00 2001 +From: Ilia Mirkin +Date: Sun, 1 Oct 2017 13:52:43 -0400 +Subject: drm/nouveau/bsp/g92: disable by default + +From: Ilia Mirkin + +commit 194d68dd051c2dd5ac2b522ae16100e774e8d869 upstream. + +G92's seem to require some additional bit of initialization before the +BSP engine can work. It feels like clocks are not set up for the +underlying VLD engine, which means that all commands submitted to the +xtensa chip end up hanging. VP seems to work fine though. + +This still allows people to force-enable the bsp engine if they want to +play around with it, but makes it harder for the card to hang by +default. + +Signed-off-by: Ilia Mirkin +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c +@@ -40,5 +40,5 @@ int + g84_bsp_new(struct nvkm_device *device, int index, struct nvkm_engine **pengine) + { + return nvkm_xtensa_new_(&g84_bsp, device, index, +- true, 0x103000, pengine); ++ device->chipset != 0x92, 0x103000, pengine); + } diff --git a/queue-4.4/drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch b/queue-4.4/drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch new file mode 100644 index 00000000000..98b03f9650a --- /dev/null +++ b/queue-4.4/drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch @@ -0,0 +1,33 @@ +From 77913bbcb43ac9a07a6fe849c2fd3bf85fc8bdd8 Mon Sep 17 00:00:00 2001 +From: Ben Skeggs +Date: Mon, 25 Sep 2017 15:05:38 +1000 +Subject: drm/nouveau/mmu: flush tlbs before deleting page tables + +From: Ben Skeggs + +commit 77913bbcb43ac9a07a6fe849c2fd3bf85fc8bdd8 upstream. + +Even though we've zeroed the PDE, the GPU may have cached the PD, so we +need to flush when deleting them. + +Noticed while working on replacement MMU code, but a backport might be a +good idea, so let's fix it in the current code too. + +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c +@@ -240,6 +240,8 @@ nvkm_vm_unmap_pgt(struct nvkm_vm *vm, in + mmu->func->map_pgt(vpgd->obj, pde, vpgt->mem); + } + ++ mmu->func->flush(vm); ++ + nvkm_memory_del(&pgt); + } + } diff --git a/queue-4.4/i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch b/queue-4.4/i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch new file mode 100644 index 00000000000..69c4df367af --- /dev/null +++ b/queue-4.4/i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch @@ -0,0 +1,58 @@ +From c6ebcedbab7ca78984959386012a17b21183e1a3 Mon Sep 17 00:00:00 2001 +From: Pontus Andersson +Date: Mon, 2 Oct 2017 14:45:19 +0200 +Subject: i2c: ismt: Separate I2C block read from SMBus block read + +From: Pontus Andersson + +commit c6ebcedbab7ca78984959386012a17b21183e1a3 upstream. + +Commit b6c159a9cb69 ("i2c: ismt: Don't duplicate the receive length for +block reads") broke I2C block reads. It aimed to fix normal SMBus block +read, but changed the correct behavior of I2C block read in the process. + +According to Documentation/i2c/smbus-protocol, one vital difference +between normal SMBus block read and I2C block read is that there is no +byte count prefixed in the data sent on the wire: + + SMBus Block Read: i2c_smbus_read_block_data() + S Addr Wr [A] Comm [A] + S Addr Rd [A] [Count] A [Data] A [Data] A ... A [Data] NA P + + I2C Block Read: i2c_smbus_read_i2c_block_data() + S Addr Wr [A] Comm [A] + S Addr Rd [A] [Data] A [Data] A ... A [Data] NA P + +Therefore the two transaction types need to be processed differently in +the driver by copying of the dma_buffer as done previously for the +I2C_SMBUS_I2C_BLOCK_DATA case. + +Fixes: b6c159a9cb69 ("i2c: ismt: Don't duplicate the receive length for block reads") +Signed-off-by: Pontus Andersson +Tested-by: Stephen Douthit +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-ismt.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-ismt.c ++++ b/drivers/i2c/busses/i2c-ismt.c +@@ -338,12 +338,15 @@ static int ismt_process_desc(const struc + data->word = dma_buffer[0] | (dma_buffer[1] << 8); + break; + case I2C_SMBUS_BLOCK_DATA: +- case I2C_SMBUS_I2C_BLOCK_DATA: + if (desc->rxbytes != dma_buffer[0] + 1) + return -EMSGSIZE; + + memcpy(data->block, dma_buffer, desc->rxbytes); + break; ++ case I2C_SMBUS_I2C_BLOCK_DATA: ++ memcpy(&data->block[1], dma_buffer, desc->rxbytes); ++ data->block[0] = desc->rxbytes; ++ break; + } + return 0; + } diff --git a/queue-4.4/keys-don-t-let-add_key-update-an-uninstantiated-key.patch b/queue-4.4/keys-don-t-let-add_key-update-an-uninstantiated-key.patch new file mode 100644 index 00000000000..fded2f72da0 --- /dev/null +++ b/queue-4.4/keys-don-t-let-add_key-update-an-uninstantiated-key.patch @@ -0,0 +1,120 @@ +From 60ff5b2f547af3828aebafd54daded44cfb0807a Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 12 Oct 2017 16:00:41 +0100 +Subject: KEYS: don't let add_key() update an uninstantiated key + +From: David Howells + +commit 60ff5b2f547af3828aebafd54daded44cfb0807a upstream. + +Currently, when passed a key that already exists, add_key() will call the +key's ->update() method if such exists. But this is heavily broken in the +case where the key is uninstantiated because it doesn't call +__key_instantiate_and_link(). Consequently, it doesn't do most of the +things that are supposed to happen when the key is instantiated, such as +setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and +awakening tasks waiting on it, and incrementing key->user->nikeys. + +It also never takes key_construction_mutex, which means that +->instantiate() can run concurrently with ->update() on the same key. In +the case of the "user" and "logon" key types this causes a memory leak, at +best. Maybe even worse, the ->update() methods of the "encrypted" and +"trusted" key types actually just dereference a NULL pointer when passed an +uninstantiated key. + +Change key_create_or_update() to wait interruptibly for the key to finish +construction before continuing. + +This patch only affects *uninstantiated* keys. For now we still allow a +negatively instantiated key to be updated (thereby positively +instantiating it), although that's broken too (the next patch fixes it) +and I'm not sure that anyone actually uses that functionality either. + +Here is a simple reproducer for the bug using the "encrypted" key type +(requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug +pertained to more than just the "encrypted" key type: + + #include + #include + #include + + int main(void) + { + int ringid = keyctl_join_session_keyring(NULL); + + if (fork()) { + for (;;) { + const char payload[] = "update user:foo 32"; + + usleep(rand() % 10000); + add_key("encrypted", "desc", payload, sizeof(payload), ringid); + keyctl_clear(ringid); + } + } else { + for (;;) + request_key("encrypted", "desc", "callout_info", ringid); + } + } + +It causes: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 + IP: encrypted_update+0xb0/0x170 + PGD 7a178067 P4D 7a178067 PUD 77269067 PMD 0 + PREEMPT SMP + CPU: 0 PID: 340 Comm: reproduce Tainted: G D 4.14.0-rc1-00025-g428490e38b2e #796 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + task: ffff8a467a39a340 task.stack: ffffb15c40770000 + RIP: 0010:encrypted_update+0xb0/0x170 + RSP: 0018:ffffb15c40773de8 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffff8a467a275b00 RCX: 0000000000000000 + RDX: 0000000000000005 RSI: ffff8a467a275b14 RDI: ffffffffb742f303 + RBP: ffffb15c40773e20 R08: 0000000000000000 R09: ffff8a467a275b17 + R10: 0000000000000020 R11: 0000000000000000 R12: 0000000000000000 + R13: 0000000000000000 R14: ffff8a4677057180 R15: ffff8a467a275b0f + FS: 00007f5d7fb08700(0000) GS:ffff8a467f200000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000018 CR3: 0000000077262005 CR4: 00000000001606f0 + Call Trace: + key_create_or_update+0x2bc/0x460 + SyS_add_key+0x10c/0x1d0 + entry_SYSCALL_64_fastpath+0x1f/0xbe + RIP: 0033:0x7f5d7f211259 + RSP: 002b:00007ffed03904c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8 + RAX: ffffffffffffffda RBX: 000000003b2a7955 RCX: 00007f5d7f211259 + RDX: 00000000004009e4 RSI: 00000000004009ff RDI: 0000000000400a04 + RBP: 0000000068db8bad R08: 000000003b2a7955 R09: 0000000000000004 + R10: 000000000000001a R11: 0000000000000246 R12: 0000000000400868 + R13: 00007ffed03905d0 R14: 0000000000000000 R15: 0000000000000000 + Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b + RIP: encrypted_update+0xb0/0x170 RSP: ffffb15c40773de8 + CR2: 0000000000000018 + +Reported-by: Eric Biggers +Signed-off-by: David Howells +cc: Eric Biggers +Signed-off-by: Greg Kroah-Hartman + +--- + security/keys/key.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -907,6 +907,16 @@ error: + */ + __key_link_end(keyring, &index_key, edit); + ++ key = key_ref_to_ptr(key_ref); ++ if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) { ++ ret = wait_for_key_construction(key, true); ++ if (ret < 0) { ++ key_ref_put(key_ref); ++ key_ref = ERR_PTR(ret); ++ goto error_free_prep; ++ } ++ } ++ + key_ref = __key_update(key_ref, &prep); + goto error_free_prep; + } diff --git a/queue-4.4/keys-encrypted-fix-dereference-of-null-user_key_payload.patch b/queue-4.4/keys-encrypted-fix-dereference-of-null-user_key_payload.patch new file mode 100644 index 00000000000..4932d08b0bd --- /dev/null +++ b/queue-4.4/keys-encrypted-fix-dereference-of-null-user_key_payload.patch @@ -0,0 +1,51 @@ +From 13923d0865ca96312197962522e88bc0aedccd74 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 9 Oct 2017 12:37:49 -0700 +Subject: KEYS: encrypted: fix dereference of NULL user_key_payload + +From: Eric Biggers + +commit 13923d0865ca96312197962522e88bc0aedccd74 upstream. + +A key of type "encrypted" references a "master key" which is used to +encrypt and decrypt the encrypted key's payload. However, when we +accessed the master key's payload, we failed to handle the case where +the master key has been revoked, which sets the payload pointer to NULL. +Note that request_key() *does* skip revoked keys, but there is still a +window where the key can be revoked before we acquire its semaphore. + +Fix it by checking for a NULL payload, treating it like a key which was +already revoked at the time it was requested. + +This was an issue for master keys of type "user" only. Master keys can +also be of type "trusted", but those cannot be revoked. + +Fixes: 7e70cb497850 ("keys: add new key-type encrypted") +Reviewed-by: James Morris +Cc: Mimi Zohar +Cc: David Safford +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + + +--- + security/keys/encrypted-keys/encrypted.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/security/keys/encrypted-keys/encrypted.c ++++ b/security/keys/encrypted-keys/encrypted.c +@@ -315,6 +315,13 @@ static struct key *request_user_key(cons + + down_read(&ukey->sem); + upayload = user_key_payload(ukey); ++ if (!upayload) { ++ /* key was revoked before we acquired its semaphore */ ++ up_read(&ukey->sem); ++ key_put(ukey); ++ ukey = ERR_PTR(-EKEYREVOKED); ++ goto error; ++ } + *master_key = upayload->data; + *master_keylen = upayload->datalen; + error: diff --git a/queue-4.4/lib-digsig-fix-dereference-of-null-user_key_payload.patch b/queue-4.4/lib-digsig-fix-dereference-of-null-user_key_payload.patch new file mode 100644 index 00000000000..ebbb13d8fe6 --- /dev/null +++ b/queue-4.4/lib-digsig-fix-dereference-of-null-user_key_payload.patch @@ -0,0 +1,43 @@ +From 192cabd6a296cbc57b3d8c05c4c89d87fc102506 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 9 Oct 2017 12:43:20 -0700 +Subject: lib/digsig: fix dereference of NULL user_key_payload + +From: Eric Biggers + +commit 192cabd6a296cbc57b3d8c05c4c89d87fc102506 upstream. + +digsig_verify() requests a user key, then accesses its payload. +However, a revoked key has a NULL payload, and we failed to check for +this. request_key() *does* skip revoked keys, but there is still a +window where the key can be revoked before we acquire its semaphore. + +Fix it by checking for a NULL payload, treating it like a key which was +already revoked at the time it was requested. + +Fixes: 051dbb918c7f ("crypto: digital signature verification support") +Reviewed-by: James Morris +Cc: Dmitry Kasatkin +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + lib/digsig.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/lib/digsig.c ++++ b/lib/digsig.c +@@ -87,6 +87,12 @@ static int digsig_verify_rsa(struct key + down_read(&key->sem); + ukp = user_key_payload(key); + ++ if (!ukp) { ++ /* key was revoked before we acquired its semaphore */ ++ err = -EKEYREVOKED; ++ goto err1; ++ } ++ + if (ukp->datalen < sizeof(*pkh)) + goto err1; + diff --git a/queue-4.4/pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch b/queue-4.4/pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch new file mode 100644 index 00000000000..d53e3d3e855 --- /dev/null +++ b/queue-4.4/pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch @@ -0,0 +1,34 @@ +From 68a1fdbbf8bd3378325e45c19e167a165f9ffc3a Mon Sep 17 00:00:00 2001 +From: Eric Sesterhenn +Date: Sun, 8 Oct 2017 20:02:32 +0200 +Subject: pkcs7: Prevent NULL pointer dereference, since sinfo is not always set. + +From: Eric Sesterhenn + +commit 68a1fdbbf8bd3378325e45c19e167a165f9ffc3a upstream. + +The ASN.1 parser does not necessarily set the sinfo field, +this patch prevents a NULL pointer dereference on broken +input. + +Fixes: 99db44350672 ("PKCS#7: Appropriately restrict authenticated attributes and content type") +Signed-off-by: Eric Sesterhenn +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/asymmetric_keys/pkcs7_parser.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/crypto/asymmetric_keys/pkcs7_parser.c ++++ b/crypto/asymmetric_keys/pkcs7_parser.c +@@ -90,6 +90,9 @@ static int pkcs7_check_authattrs(struct + bool want; + + sinfo = msg->signed_infos; ++ if (!sinfo) ++ goto inconsistent; ++ + if (sinfo->authattrs) { + want = true; + msg->have_authattrs = true; diff --git a/queue-4.4/rtlwifi-rtl8821ae-fix-connection-lost-problem.patch b/queue-4.4/rtlwifi-rtl8821ae-fix-connection-lost-problem.patch new file mode 100644 index 00000000000..6fc03d4d446 --- /dev/null +++ b/queue-4.4/rtlwifi-rtl8821ae-fix-connection-lost-problem.patch @@ -0,0 +1,36 @@ +From b8b8b16352cd90c6083033fd4487f04fae935c18 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 20 Sep 2017 16:15:05 -0500 +Subject: rtlwifi: rtl8821ae: Fix connection lost problem + +From: Larry Finger + +commit b8b8b16352cd90c6083033fd4487f04fae935c18 upstream. + +In commit 40b368af4b75 ("rtlwifi: Fix alignment issues"), the read +of REG_DBI_READ was changed from 16 to 8 bits. For unknown reasonsi +this change results in reduced stability for the wireless connection. +This regression was located using bisection. + +Fixes: 40b368af4b75 ("rtlwifi: Fix alignment issues") +Reported-and-tested-by: James Cameron +Signed-off-by: Larry Finger +Cc: Ping-Ke Shih +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c +@@ -1127,7 +1127,7 @@ static u8 _rtl8821ae_dbi_read(struct rtl + } + if (0 == tmp) { + read_addr = REG_DBI_RDATA + addr % 4; +- ret = rtl_read_byte(rtlpriv, read_addr); ++ ret = rtl_read_word(rtlpriv, read_addr); + } + return ret; + } diff --git a/queue-4.4/series b/queue-4.4/series index b7641e7da58..379c01578a1 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -9,3 +9,16 @@ can-gs_usb-fix-busy-loop-if-no-more-tx-context-is-available.patch usb-musb-sunxi-explicitly-release-usb-phy-on-exit.patch usb-musb-check-for-host-mode-using-is_host_active-on-reset-interrupt.patch can-esd_usb2-fix-can_dlc-value-for-received-rtr-frames.patch +drm-nouveau-bsp-g92-disable-by-default.patch +drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch +alsa-seq-enable-use-locking-in-all-configurations.patch +alsa-hda-remove-superfluous-added-by-printk-conversion.patch +i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch +brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch +bus-mbus-fix-window-size-calculation-for-4gb-windows.patch +clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch +rtlwifi-rtl8821ae-fix-connection-lost-problem.patch +keys-encrypted-fix-dereference-of-null-user_key_payload.patch +lib-digsig-fix-dereference-of-null-user_key_payload.patch +keys-don-t-let-add_key-update-an-uninstantiated-key.patch +pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch