From 2cd7f5e0e882ac4dc22b67c718b68c7c363a28af Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 2 Sep 2018 19:54:42 +0200
Subject: [PATCH] 3.18-stable patches

added patches:
asoc-sirf-fix-potential-null-pointer-dereference.patch
pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch
udl-kms-change-down_interruptible-to-down.patch
udl-kms-fix-crash-due-to-uninitialized-memory.patch
udl-kms-handle-allocation-failure.patch
---
 ...x-potential-null-pointer-dereference.patch | 44 +++++++++
 ...y-one-in-imx1_pinconf_group_dbg_show.patch | 39 ++++++++
 queue-3.18/series | 5 ++
 ...ms-change-down_interruptible-to-down.patch | 44 +++++++++
 ...ix-crash-due-to-uninitialized-memory.patch | 32 +++++++
 .../udl-kms-handle-allocation-failure.patch | 89 +++++++++++++++++++
 6 files changed, 253 insertions(+)
 create mode 100644 queue-3.18/asoc-sirf-fix-potential-null-pointer-dereference.patch
 create mode 100644 queue-3.18/pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch
 create mode 100644 queue-3.18/udl-kms-change-down_interruptible-to-down.patch
 create mode 100644 queue-3.18/udl-kms-fix-crash-due-to-uninitialized-memory.patch
 create mode 100644 queue-3.18/udl-kms-handle-allocation-failure.patch
diff --git a/queue-3.18/asoc-sirf-fix-potential-null-pointer-dereference.patch b/queue-3.18/asoc-sirf-fix-potential-null-pointer-dereference.patch
new file mode 100644
index 00000000000..4ba9c224b93
--- /dev/null
+++ b/queue-3.18/asoc-sirf-fix-potential-null-pointer-dereference.patch
@@ -0,0 +1,44 @@
+From ae1c696a480c67c45fb23b35162183f72c6be0e1 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Thu, 26 Jul 2018 15:49:10 -0500
+Subject: ASoC: sirf: Fix potential NULL pointer dereference
+
+From: Gustavo A. R. Silva
+
+commit ae1c696a480c67c45fb23b35162183f72c6be0e1 upstream.
+
+There is a potential execution path in which function
+platform_get_resource() returns NULL. If this happens,
+we will end up having a NULL pointer dereference.
+
+Fix this by replacing devm_ioremap with devm_ioremap_resource,
+which has the NULL check and the memory region request.
+
+This code was detected with the help of Coccinelle.
+
+Cc: stable@vger.kernel.org
+Fixes: 2bd8d1d5cf89 ("ASoC: sirf: Add audio usp interface driver")
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/sirf/sirf-usp.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/sirf/sirf-usp.c
++++ b/sound/soc/sirf/sirf-usp.c
+@@ -367,10 +367,9 @@ static int sirf_usp_pcm_probe(struct pla
+ platform_set_drvdata(pdev, usp);
+
+ mem_res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- base = devm_ioremap(&pdev->dev, mem_res->start,
+- resource_size(mem_res));
+- if (base == NULL)
+- return -ENOMEM;
++ base = devm_ioremap_resource(&pdev->dev, mem_res);
++ if (IS_ERR(base))
++ return PTR_ERR(base);
+ usp->regmap = devm_regmap_init_mmio(&pdev->dev, base,
+ &sirf_usp_regmap_config);
+ if (IS_ERR(usp->regmap))
diff --git a/queue-3.18/pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch b/queue-3.18/pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch
new file mode 100644
index 00000000000..27d0b141624
--- /dev/null
+++ b/queue-3.18/pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch
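Review bot: The new `base = devm_ioremap_resource(&pdev->dev, mem_res);` line also requests the memory region, which the removed `devm_ioremap()` call did not, so beyond closing the NULL dereference this backport changes how the probe can fail. If anything else on a 3.18 tree has already claimed the USP register range (not visible from this hunk), the probe would now return -EBUSY where it previously mapped the range anyway; that is worth confirming before queueing. Because the NULL check on `mem_res` is now implicit, a one-line comment such as `/* devm_ioremap_resource() rejects a NULL mem_res and claims the region */` above the call would keep the intent visible. sirf_usp_pcm_probe starts and ends outside the hunk.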
@@ -0,0 +1,39 @@
+From 19da44cd33a3a6ff7c97fff0189999ff15b241e4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 13 Jul 2018 17:55:15 +0300
+Subject: pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter
+
+commit 19da44cd33a3a6ff7c97fff0189999ff15b241e4 upstream.
+
+The info->groups[] array is allocated in imx1_pinctrl_parse_dt(). It
+has info->ngroups elements. Thus the > here should be >= to prevent
+reading one element beyond the end of the array.
+
+Cc: stable@vger.kernel.org
+Fixes: 30612cd90005 ("pinctrl: imx1 core driver")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Uwe Kleine-König
+Acked-by: Dong Aisheng
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pinctrl/freescale/pinctrl-imx1-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/freescale/pinctrl-imx1-core.c
++++ b/drivers/pinctrl/freescale/pinctrl-imx1-core.c
+@@ -435,7 +435,7 @@ static void imx1_pinconf_group_dbg_show(
+ const char *name;
+ int i, ret;
+
+- if (group > info->ngroups)
++ if (group >= info->ngroups)
+ return;
+
+ seq_puts(s, "\n");
diff --git a/queue-3.18/series b/queue-3.18/series
index 6432e1a4685..f2b532b6e73 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -42,3 +42,8 @@ kvm-arm-arm64-skip-updating-pmd-entry-if-no-change.patch
 x86-process-re-export-start_thread.patch
 fuse-don-t-access-pipe-buffers-without-pipe_lock.patch
 fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch
+udl-kms-change-down_interruptible-to-down.patch
+udl-kms-handle-allocation-failure.patch
+udl-kms-fix-crash-due-to-uninitialized-memory.patch
+asoc-sirf-fix-potential-null-pointer-dereference.patch
+pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch
diff --git a/queue-3.18/udl-kms-change-down_interruptible-to-down.patch b/queue-3.18/udl-kms-change-down_interruptible-to-down.patch
new file mode 100644
index 00000000000..cae2abe08f3
--- /dev/null
+++ b/queue-3.18/udl-kms-change-down_interruptible-to-down.patch
@@ -0,0 +1,44 @@
+From 8456b99c16d193c4c3b7df305cf431e027f0189c Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Sun, 3 Jun 2018 16:40:55 +0200
+Subject: udl-kms: change down_interruptible to down
+
+From: Mikulas Patocka
+
+commit 8456b99c16d193c4c3b7df305cf431e027f0189c upstream.
+
+If we leave urbs around, it causes not only leak, but also memory
+corruption. This patch fixes the function udl_free_urb_list, so that it
+always waits for all urbs that are in progress.
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/udl/udl_main.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/udl/udl_main.c
++++ b/drivers/gpu/drm/udl/udl_main.c
+@@ -141,18 +141,13 @@ static void udl_free_urb_list(struct drm
+ struct list_head *node;
+ struct urb_node *unode;
+ struct urb *urb;
+- int ret;
+ unsigned long flags;
+
+ DRM_DEBUG("Waiting for completes and freeing all render urbs\n");
+
+ /* keep waiting and freeing, until we've got 'em all */
+ while (count--) {
+-
+- /* Getting interrupted means a leak, but ok at shutdown*/
+- ret = down_interruptible(&udl->urbs.limit_sem);
+- if (ret)
+- break;
++ down(&udl->urbs.limit_sem);
+
+ spin_lock_irqsave(&udl->urbs.lock, flags);
+
diff --git a/queue-3.18/udl-kms-fix-crash-due-to-uninitialized-memory.patch b/queue-3.18/udl-kms-fix-crash-due-to-uninitialized-memory.patch
new file mode 100644
index 00000000000..f617a81ff2c
--- /dev/null
+++ b/queue-3.18/udl-kms-fix-crash-due-to-uninitialized-memory.patch
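Review bot: The new `down(&udl->urbs.limit_sem);` in the `while (count--)` loop has no comment explaining why the wait must be uninterruptible, and the removed comment was the only explanation there. Per the commit message, an URB left in flight leads to memory corruption and not just a leak, so I would add `/* must not be interrupted: an URB still in flight would complete into freed memory */` above the call. The wait is now unbounded, so teardown relies on every outstanding URB's completion path releasing the semaphore; that path is outside this hunk and should be checked for the disconnect case. udl_free_urb_list starts and ends outside the hunk.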
@@ -0,0 +1,32 @@
+From 09a00abe3a9941c2715ca83eb88172cd2f54d8fd Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Sun, 3 Jun 2018 16:40:57 +0200
+Subject: udl-kms: fix crash due to uninitialized memory
+
+From: Mikulas Patocka
+
+commit 09a00abe3a9941c2715ca83eb88172cd2f54d8fd upstream.
+
+We must use kzalloc when allocating the fb_deferred_io structure.
+Otherwise, the field first_io is undefined and it causes a crash.
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/udl/udl_fb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/udl/udl_fb.c
++++ b/drivers/gpu/drm/udl/udl_fb.c
+@@ -341,7 +341,7 @@ static int udl_fb_open(struct fb_info *i
+
+ struct fb_deferred_io *fbdefio;
+
+- fbdefio = kmalloc(sizeof(struct fb_deferred_io), GFP_KERNEL);
++ fbdefio = kzalloc(sizeof(struct fb_deferred_io), GFP_KERNEL);
+
+ if (fbdefio) {
+ fbdefio->delay = DL_DEFIO_WRITE_DELAY;
diff --git a/queue-3.18/udl-kms-handle-allocation-failure.patch b/queue-3.18/udl-kms-handle-allocation-failure.patch
new file mode 100644
index 00000000000..c094a6652d2
--- /dev/null
+++ b/queue-3.18/udl-kms-handle-allocation-failure.patch
@@ -0,0 +1,89 @@
+From 542bb9788a1f485eb1a2229178f665d8ea166156 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Sun, 3 Jun 2018 16:40:56 +0200
+Subject: udl-kms: handle allocation failure
+
+From: Mikulas Patocka
+
+commit 542bb9788a1f485eb1a2229178f665d8ea166156 upstream.
+
+Allocations larger than PAGE_ALLOC_COSTLY_ORDER are unreliable and they
+may fail anytime. This patch fixes the udl kms driver so that when a large
+alloactions fails, it tries to do multiple smaller allocations.
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/udl/udl_main.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/udl/udl_main.c
++++ b/drivers/gpu/drm/udl/udl_main.c
+@@ -171,17 +171,22 @@ static void udl_free_urb_list(struct drm
+ static int udl_alloc_urb_list(struct drm_device *dev, int count, size_t size)
+ {
+ struct udl_device *udl = dev->dev_private;
+- int i = 0;
+ struct urb *urb;
+ struct urb_node *unode;
+ char *buf;
++ size_t wanted_size = count * size;
+
+ spin_lock_init(&udl->urbs.lock);
+
++retry:
+ udl->urbs.size = size;
+ INIT_LIST_HEAD(&udl->urbs.list);
+
+- while (i < count) {
++ sema_init(&udl->urbs.limit_sem, 0);
++ udl->urbs.count = 0;
++ udl->urbs.available = 0;
++
++ while (udl->urbs.count * size < wanted_size) {
+ unode = kzalloc(sizeof(struct urb_node), GFP_KERNEL);
+ if (!unode)
+ break;
+@@ -197,11 +202,16 @@ static int udl_alloc_urb_list(struct drm
+ }
+ unode->urb = urb;
+
+- buf = usb_alloc_coherent(udl->udev, MAX_TRANSFER, GFP_KERNEL,
++ buf = usb_alloc_coherent(udl->udev, size, GFP_KERNEL,
+ &urb->transfer_dma);
+ if (!buf) {
+ kfree(unode);
+ usb_free_urb(urb);
++ if (size > PAGE_SIZE) {
++ size /= 2;
++ udl_free_urb_list(dev);
++ goto retry;
++ }
+ break;
+ }
+
+@@ -212,16 +222,14 @@ static int udl_alloc_urb_list(struct drm
+
+ list_add_tail(&unode->entry, &udl->urbs.list);
+
+- i++;
++ up(&udl->urbs.limit_sem);
++ udl->urbs.count++;
++ udl->urbs.available++;
+ }
+
+- sema_init(&udl->urbs.limit_sem, i);
+- udl->urbs.count = i;
+- udl->urbs.available = i;
+-
+- DRM_DEBUG("allocated %d %d byte urbs\n", i, (int) size);
++ DRM_DEBUG("allocated %d %d byte urbs\n", udl->urbs.count, (int) size);
+
+- return i;
++ return udl->urbs.count;
+ }
+
+ struct urb *udl_get_urb(struct drm_device *dev)
--
2.47.3
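Review bot: The added `size_t wanted_size = count * size;` converts the signed `count` to size_t, so a negative count no longer yields zero iterations as the old `while (i < count)` loop did; it wraps to a very large target and the loop allocates until something fails. Callers are outside this patch and presumably pass a positive constant, but `size_t wanted_size = count > 0 ? count * size : 0;` would keep the previous behaviour. After a `goto retry` the function can also return more URBs than `count`, since it fills `wanted_size` bytes with smaller buffers, which any caller comparing the return value with its request should expect. A comment at the `retry:` label, saying that `size` is halved down to PAGE_SIZE and the partly built list is torn down by udl_free_urb_list() before starting over, would make the backwards jump easier to follow. The body of udl_alloc_urb_list is spread over three hunks, and the lines between them are not shown.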