From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 11 Nov 2018 18:15:06 +0000 (-0800)
Subject: 4.9-stable patches
X-Git-Tag: v4.19.2~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fa54b06c3c1df777c6796b32605b8b8c4ade4c5e;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	arm64-dts-stratix10-correct-system-manager-register-size.patch
	cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch
	rpmsg-smd-fix-memory-leak-on-channel-create.patch
	soc-tegra-pmc-fix-child-node-lookup.patch
---

diff --git a/queue-4.9/arm64-dts-stratix10-correct-system-manager-register-size.patch b/queue-4.9/arm64-dts-stratix10-correct-system-manager-register-size.patch
new file mode 100644
index 00000000000..0cab10e1243
--- /dev/null
+++ b/queue-4.9/arm64-dts-stratix10-correct-system-manager-register-size.patch
@@ -0,0 +1,32 @@
+From 74121b9aa3cd571ddfff014a9f47db36cae3cda9 Mon Sep 17 00:00:00 2001
+From: Thor Thayer <thor.thayer@linux.intel.com>
+Date: Tue, 25 Sep 2018 10:31:52 -0500
+Subject: arm64: dts: stratix10: Correct System Manager register size
+
+From: Thor Thayer <thor.thayer@linux.intel.com>
+
+commit 74121b9aa3cd571ddfff014a9f47db36cae3cda9 upstream.
+
+Correct the register size of the System Manager node.
+
+Cc: stable@vger.kernel.org
+Fixes: 78cd6a9d8e154 ("arm64: dts: Add base stratix 10 dtsi")
+Signed-off-by: Thor Thayer <thor.thayer@linux.intel.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
++++ b/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
+@@ -249,7 +249,7 @@
+ 
+ 		sysmgr: sysmgr@ffd12000 {
+ 			compatible = "altr,sys-mgr", "syscon";
+-			reg = <0xffd12000 0x1000>;
++			reg = <0xffd12000 0x228>;
+ 		};
+ 
+ 		/* Local timer */
diff --git a/queue-4.9/cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch b/queue-4.9/cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch
new file mode 100644
index 00000000000..ca73afd996a
--- /dev/null
+++ b/queue-4.9/cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch
@@ -0,0 +1,34 @@
+From 672ca9dd13f1aca0c17516f76fc5b0e8344b3e46 Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Tue, 30 Oct 2018 13:26:15 -0400
+Subject: Cramfs: fix abad comparison when wrap-arounds occur
+
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+
+commit 672ca9dd13f1aca0c17516f76fc5b0e8344b3e46 upstream.
+
+It is possible for corrupted filesystem images to produce very large
+block offsets that may wrap when a length is added, and wrongly pass
+the buffer size test.
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cramfs/inode.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/cramfs/inode.c
++++ b/fs/cramfs/inode.c
+@@ -186,7 +186,8 @@ static void *cramfs_read(struct super_bl
+ 			continue;
+ 		blk_offset = (blocknr - buffer_blocknr[i]) << PAGE_SHIFT;
+ 		blk_offset += offset;
+-		if (blk_offset + len > BUFFER_SIZE)
++		if (blk_offset > BUFFER_SIZE ||
++		    blk_offset + len > BUFFER_SIZE)
+ 			continue;
+ 		return read_buffers[i] + blk_offset;
+ 	}
diff --git a/queue-4.9/rpmsg-smd-fix-memory-leak-on-channel-create.patch b/queue-4.9/rpmsg-smd-fix-memory-leak-on-channel-create.patch
new file mode 100644
index 00000000000..ba4aee1e87b
--- /dev/null
+++ b/queue-4.9/rpmsg-smd-fix-memory-leak-on-channel-create.patch
@@ -0,0 +1,48 @@
+From 940c620d6af8fca7d115de40f19870fba415efac Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 27 Sep 2018 22:36:27 +0100
+Subject: rpmsg: smd: fix memory leak on channel create
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 940c620d6af8fca7d115de40f19870fba415efac upstream.
+
+Currently a failed allocation of channel->name leads to an
+immediate return without freeing channel. Fix this by setting
+ret to -ENOMEM and jumping to an exit path that kfree's channel.
+
+Detected by CoverityScan, CID#1473692 ("Resource Leak")
+
+Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend")
+Cc: stable@vger.kernel.org
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rpmsg/qcom_smd.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/rpmsg/qcom_smd.c
++++ b/drivers/rpmsg/qcom_smd.c
+@@ -1012,8 +1012,10 @@ static struct qcom_smd_channel *qcom_smd
+ 
+ 	channel->edge = edge;
+ 	channel->name = kstrdup(name, GFP_KERNEL);
+-	if (!channel->name)
+-		return ERR_PTR(-ENOMEM);
++	if (!channel->name) {
++		ret = -ENOMEM;
++		goto free_channel;
++	}
+ 
+ 	mutex_init(&channel->tx_lock);
+ 	spin_lock_init(&channel->recv_lock);
+@@ -1062,6 +1064,7 @@ static struct qcom_smd_channel *qcom_smd
+ 
+ free_name_and_channel:
+ 	kfree(channel->name);
++free_channel:
+ 	kfree(channel);
+ 
+ 	return ERR_PTR(ret);
diff --git a/queue-4.9/series b/queue-4.9/series
index 2462cbe0f13..e5439d5fb0b 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -124,3 +124,7 @@ media-tvp5150-avoid-going-past-array-on-v4l2_querymenu.patch
 media-em28xx-fix-input-name-for-terratec-av-350.patch
 media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch
 arm64-lse-remove-fcall-used-x0-flag.patch
+rpmsg-smd-fix-memory-leak-on-channel-create.patch
+cramfs-fix-abad-comparison-when-wrap-arounds-occur.patch
+arm64-dts-stratix10-correct-system-manager-register-size.patch
+soc-tegra-pmc-fix-child-node-lookup.patch
diff --git a/queue-4.9/soc-tegra-pmc-fix-child-node-lookup.patch b/queue-4.9/soc-tegra-pmc-fix-child-node-lookup.patch
new file mode 100644
index 00000000000..cd6138db190
--- /dev/null
+++ b/queue-4.9/soc-tegra-pmc-fix-child-node-lookup.patch
@@ -0,0 +1,39 @@
+From 1dc6bd5e39a29453bdcc17348dd2a89f1aa4004e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 15 Nov 2017 10:44:58 +0100
+Subject: soc/tegra: pmc: Fix child-node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1dc6bd5e39a29453bdcc17348dd2a89f1aa4004e upstream.
+
+Fix child-node lookup during probe, which ended up searching the whole
+device tree depth-first starting at the parent rather than just matching
+on its children.
+
+To make things worse, the parent pmc node could end up being prematurely
+freed as of_find_node_by_name() drops a reference to its first argument.
+
+Fixes: 3568df3d31d6 ("soc: tegra: Add thermal reset (thermtrip) support to PMC")
+Cc: stable <stable@vger.kernel.org>     # 4.0
+Cc: Mikko Perttunen <mperttunen@nvidia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/soc/tegra/pmc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/tegra/pmc.c
++++ b/drivers/soc/tegra/pmc.c
+@@ -1189,7 +1189,7 @@ static void tegra_pmc_init_tsense_reset(
+ 	if (!pmc->soc->has_tsense_reset)
+ 		return;
+ 
+-	np = of_find_node_by_name(pmc->dev->of_node, "i2c-thermtrip");
++	np = of_get_child_by_name(pmc->dev->of_node, "i2c-thermtrip");
+ 	if (!np) {
+ 		dev_warn(dev, "i2c-thermtrip node not found, %s.\n", disabled);
+ 		return;