From 33c68eba0a216bd29d560f4eece463faa2f3a1b1 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 15 Oct 2017 15:45:46 +0200 Subject: [PATCH] 4.13-stable patches added patches: alsa-seq-fix-use-after-free-at-creating-a-port.patch alsa-usb-audio-kill-stray-urb-at-exiting.patch crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch crypto-skcipher-fix-crash-on-zero-length-input.patch device-property-track-owner-device-of-device-property.patch dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch hid-usbhid-fix-out-of-bounds-bug.patch iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch kvm-mmu-always-terminate-page-walks-at-level-1.patch kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch mei-always-use-domain-runtime-pm-callbacks.patch mips-bpf-fix-uninitialised-target-compiler-error.patch mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch nfs-filelayout-fix-oops-when-freeing-filelayout-segment.patch nfs-fix-uninitialized-rpc_wait_queue.patch pinctrl-amd-fix-build-dependency-on-pinmux-code.patch revert-vmalloc-back-off-when-the-current-task-is-killed.patch usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch --- ...ix-use-after-free-at-creating-a-port.patch | 138 +++++++++++++++++ ...-usb-audio-kill-stray-urb-at-exiting.patch | 117 ++++++++++++++ ...zero-length-shash-ahash-digest-crash.patch | 47 ++++++ ...ipher-fix-crash-on-zero-length-input.patch | 74 +++++++++ ...rack-owner-device-of-device-property.patch | 108 +++++++++++++ ...py-acnt-array-size-with-the-transfer.patch | 77 ++++++++++ ...ssible-race-condition-with-dma_inuse.patch | 40 +++++ ...age_writepage-for-pages-with-buffers.patch | 91 +++++++++++ .../hid-usbhid-fix-out-of-bounds-bug.patch | 108 +++++++++++++ ...-finish-tlb-flush-in-amd_iommu_unmap.patch | 31 ++++ ...ways-terminate-page-walks-at-level-1.patch | 80 
++++++++++ ...loading-when-emulating-l2-to-l1-exit.patch | 55 +++++++ ...ways-use-domain-runtime-pm-callbacks.patch | 145 ++++++++++++++++++ ...-uninitialised-target-compiler-error.patch | 54 +++++++ ...emu-remove-pr_err-calls-from-fpu_emu.patch | 53 +++++++ ...oops-when-freeing-filelayout-segment.patch | 86 +++++++++++ ...nfs-fix-uninitialized-rpc_wait_queue.patch | 41 +++++ ...-fix-build-dependency-on-pinmux-code.patch | 43 ++++++ ...-off-when-the-current-task-is-killed.patch | 77 ++++++++++ queue-4.13/series | 21 +++ ...dlock-caused-by-disconnect-detection.patch | 107 +++++++++++++ ...nce-for-receiving-zero-length-packet.patch | 40 +++++ 22 files changed, 1633 insertions(+) create mode 100644 queue-4.13/alsa-seq-fix-use-after-free-at-creating-a-port.patch create mode 100644 queue-4.13/alsa-usb-audio-kill-stray-urb-at-exiting.patch create mode 100644 queue-4.13/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch create mode 100644 queue-4.13/crypto-skcipher-fix-crash-on-zero-length-input.patch create mode 100644 queue-4.13/device-property-track-owner-device-of-device-property.patch create mode 100644 queue-4.13/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch create mode 100644 queue-4.13/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch create mode 100644 queue-4.13/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch create mode 100644 queue-4.13/hid-usbhid-fix-out-of-bounds-bug.patch create mode 100644 queue-4.13/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch create mode 100644 queue-4.13/kvm-mmu-always-terminate-page-walks-at-level-1.patch create mode 100644 queue-4.13/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch create mode 100644 queue-4.13/mei-always-use-domain-runtime-pm-callbacks.patch create mode 100644 queue-4.13/mips-bpf-fix-uninitialised-target-compiler-error.patch create mode 100644 queue-4.13/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch create mode 
100644 queue-4.13/nfs-filelayout-fix-oops-when-freeing-filelayout-segment.patch create mode 100644 queue-4.13/nfs-fix-uninitialized-rpc_wait_queue.patch create mode 100644 queue-4.13/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch create mode 100644 queue-4.13/revert-vmalloc-back-off-when-the-current-task-is-killed.patch create mode 100644 queue-4.13/series create mode 100644 queue-4.13/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch create mode 100644 queue-4.13/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch diff --git a/queue-4.13/alsa-seq-fix-use-after-free-at-creating-a-port.patch b/queue-4.13/alsa-seq-fix-use-after-free-at-creating-a-port.patch new file mode 100644 index 00000000000..9fa91e54164 --- /dev/null +++ b/queue-4.13/alsa-seq-fix-use-after-free-at-creating-a-port.patch 
@@ -0,0 +1,138 @@ +From 71105998845fb012937332fe2e806d443c09e026 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 9 Oct 2017 11:09:20 +0200 +Subject: ALSA: seq: Fix use-after-free at creating a port + +From: Takashi Iwai + +commit 71105998845fb012937332fe2e806d443c09e026 upstream. + +There is a potential race window opened at creating and deleting a +port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates +a port object and returns its pointer, but it doesn't take the +refcount, thus it can be deleted immediately by another thread. +Meanwhile, snd_seq_ioctl_create_port() still calls the function +snd_seq_system_client_ev_port_start() with the created port object +that is being deleted, and this triggers use-after-free like: + + BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1 + ============================================================================= + BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected + ----------------------------------------------------------------------------- + INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511 + ___slab_alloc+0x425/0x460 + __slab_alloc+0x20/0x40 + kmem_cache_alloc_trace+0x150/0x190 + snd_seq_create_port+0x94/0x9b0 [snd_seq] + snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq] + snd_seq_do_ioctl+0x11c/0x190 [snd_seq] + snd_seq_ioctl+0x40/0x80 [snd_seq] + do_vfs_ioctl+0x54b/0xda0 + SyS_ioctl+0x79/0x90 + entry_SYSCALL_64_fastpath+0x16/0x75 + INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717 + __slab_free+0x204/0x310 + kfree+0x15f/0x180 + port_delete+0x136/0x1a0 [snd_seq] + snd_seq_delete_port+0x235/0x350 [snd_seq] + snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq] + snd_seq_do_ioctl+0x11c/0x190 [snd_seq] + snd_seq_ioctl+0x40/0x80 [snd_seq] + do_vfs_ioctl+0x54b/0xda0 + SyS_ioctl+0x79/0x90 + entry_SYSCALL_64_fastpath+0x16/0x75 + Call Trace: + [] dump_stack+0x63/0x82 + [] print_trailer+0xfb/0x160 + [] 
object_err+0x34/0x40 + [] kasan_report.part.2+0x223/0x520 + [] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] + [] __asan_report_load1_noabort+0x2e/0x30 + [] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] + [] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq] + [] ? taskstats_exit+0xbc0/0xbc0 + [] snd_seq_do_ioctl+0x11c/0x190 [snd_seq] + [] snd_seq_ioctl+0x40/0x80 [snd_seq] + [] ? acct_account_cputime+0x63/0x80 + [] do_vfs_ioctl+0x54b/0xda0 + ..... + +We may fix this in a few different ways, and in this patch, it's fixed +simply by taking the refcount properly at snd_seq_create_port() and +letting the caller unref the object after use. Also, there is another +potential use-after-free by sprintf() call in snd_seq_create_port(), +and this is moved inside the lock. + +This fix covers CVE-2017-15265. + +Reported-and-tested-by: Michael23 Yu +Suggested-by: Linus Torvalds +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_clientmgr.c | 6 +++++- + sound/core/seq/seq_ports.c | 7 +++++-- + 2 files changed, 10 insertions(+), 3 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(str + struct snd_seq_port_info *info = arg; + struct snd_seq_client_port *port; + struct snd_seq_port_callback *callback; ++ int port_idx; + + /* it is not allowed to create the port for an another client */ + if (info->addr.client != client->number) +@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(str + return -ENOMEM; + + if (client->type == USER_CLIENT && info->kernel) { +- snd_seq_delete_port(client, port->addr.port); ++ port_idx = port->addr.port; ++ snd_seq_port_unlock(port); ++ snd_seq_delete_port(client, port_idx); + return -EINVAL; + } + if (client->type == KERNEL_CLIENT) { +@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(str + + snd_seq_set_port_info(port, info); + snd_seq_system_client_ev_port_start(port->addr.client, 
port->addr.port); ++ snd_seq_port_unlock(port); + + return 0; + } +--- a/sound/core/seq/seq_ports.c ++++ b/sound/core/seq/seq_ports.c +@@ -122,7 +122,9 @@ static void port_subs_info_init(struct s + } + + +-/* create a port, port number is returned (-1 on failure) */ ++/* create a port, port number is returned (-1 on failure); ++ * the caller needs to unref the port via snd_seq_port_unlock() appropriately ++ */ + struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, + int port) + { +@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_crea + snd_use_lock_init(&new_port->use_lock); + port_subs_info_init(&new_port->c_src); + port_subs_info_init(&new_port->c_dest); ++ snd_use_lock_use(&new_port->use_lock); + + num = port >= 0 ? port : 0; + mutex_lock(&client->ports_mutex); +@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_crea + list_add_tail(&new_port->list, &p->list); + client->num_ports++; + new_port->addr.port = num; /* store the port number in the port */ ++ sprintf(new_port->name, "port-%d", num); + write_unlock_irqrestore(&client->ports_lock, flags); + mutex_unlock(&client->ports_mutex); +- sprintf(new_port->name, "port-%d", num); + + return new_port; + } diff --git a/queue-4.13/alsa-usb-audio-kill-stray-urb-at-exiting.patch b/queue-4.13/alsa-usb-audio-kill-stray-urb-at-exiting.patch new file mode 100644 index 00000000000..80e3ec904f1 --- /dev/null +++ b/queue-4.13/alsa-usb-audio-kill-stray-urb-at-exiting.patch 
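Review bot: With snd_seq_create_port() now handing back a referenced port, every exit of snd_seq_ioctl_create_port() between that call and the final `snd_seq_port_unlock(port)` has to drop the reference; the hunk handles the USER_CLIENT/kernel error path, but the KERNEL_CLIENT block that follows it lies outside the hunk, so confirm it contains no early return. The new three-line error path deserves a reason, e.g. `/* release our ref before deleting the port */` above the `snd_seq_port_unlock(port);`. In seq_ports.c the new `snd_use_lock_use(&new_port->use_lock)` is taken before the port is linked into the client's list, which is what closes the window described in the log; a comment such as `/* take the caller's ref before the port becomes visible to other threads */` would record that ordering requirement. snd_seq_ioctl_create_port() starts and ends outside the hunk.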
@@ -0,0 +1,117 @@ +From 124751d5e63c823092060074bd0abaae61aaa9c4 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 10 Oct 2017 14:10:32 +0200 +Subject: ALSA: usb-audio: Kill stray URB at exiting + +From: Takashi Iwai + +commit 124751d5e63c823092060074bd0abaae61aaa9c4 upstream. + +USB-audio driver may leave a stray URB for the mixer interrupt when it +exits by some error during probe. This leads to a use-after-free +error as spotted by syzkaller like: + ================================================================== + BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0 + Call Trace: + + __dump_stack lib/dump_stack.c:16 + dump_stack+0x292/0x395 lib/dump_stack.c:52 + print_address_description+0x78/0x280 mm/kasan/report.c:252 + kasan_report_error mm/kasan/report.c:351 + kasan_report+0x23d/0x350 mm/kasan/report.c:409 + __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430 + snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490 + __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779 + .... + + Allocated by task 1484: + save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 + save_stack+0x43/0xd0 mm/kasan/kasan.c:447 + set_track mm/kasan/kasan.c:459 + kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 + kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772 + kmalloc ./include/linux/slab.h:493 + kzalloc ./include/linux/slab.h:666 + snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540 + create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516 + snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560 + create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59 + snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560 + usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618 + .... 
+ + Freed by task 1484: + save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 + save_stack+0x43/0xd0 mm/kasan/kasan.c:447 + set_track mm/kasan/kasan.c:459 + kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524 + slab_free_hook mm/slub.c:1390 + slab_free_freelist_hook mm/slub.c:1412 + slab_free mm/slub.c:2988 + kfree+0xf6/0x2f0 mm/slub.c:3919 + snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244 + snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250 + __snd_device_free+0x1ff/0x380 sound/core/device.c:91 + snd_device_free_all+0x8f/0xe0 sound/core/device.c:244 + snd_card_do_free sound/core/init.c:461 + release_card_device+0x47/0x170 sound/core/init.c:181 + device_release+0x13f/0x210 drivers/base/core.c:814 + .... + +Actually such a URB is killed properly at disconnection when the +device gets probed successfully, and what we need is to apply it for +the error-path, too. + +In this patch, we apply snd_usb_mixer_disconnect() at releasing. +Also introduce a new flag, disconnected, to struct usb_mixer_interface +for not performing the disconnection procedure twice. 
+ +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 12 ++++++++++-- + sound/usb/mixer.h | 2 ++ + 2 files changed, 12 insertions(+), 2 deletions(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -2228,6 +2228,9 @@ static int parse_audio_unit(struct mixer + + static void snd_usb_mixer_free(struct usb_mixer_interface *mixer) + { ++ /* kill pending URBs */ ++ snd_usb_mixer_disconnect(mixer); ++ + kfree(mixer->id_elems); + if (mixer->urb) { + kfree(mixer->urb->transfer_buffer); +@@ -2578,8 +2581,13 @@ _error: + + void snd_usb_mixer_disconnect(struct usb_mixer_interface *mixer) + { +- usb_kill_urb(mixer->urb); +- usb_kill_urb(mixer->rc_urb); ++ if (mixer->disconnected) ++ return; ++ if (mixer->urb) ++ usb_kill_urb(mixer->urb); ++ if (mixer->rc_urb) ++ usb_kill_urb(mixer->rc_urb); ++ mixer->disconnected = true; + } + + #ifdef CONFIG_PM +--- a/sound/usb/mixer.h ++++ b/sound/usb/mixer.h +@@ -22,6 +22,8 @@ struct usb_mixer_interface { + struct urb *rc_urb; + struct usb_ctrlrequest *rc_setup_packet; + u8 rc_buffer[6]; ++ ++ bool disconnected; + }; + + #define MAX_CHANNELS 16 /* max logical channels */ diff --git a/queue-4.13/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch b/queue-4.13/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch new file mode 100644 index 00000000000..94447977e57 --- /dev/null +++ b/queue-4.13/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch 
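Review bot: `mixer->disconnected` is read and then written in snd_usb_mixer_disconnect() without any locking, so the flag only prevents the second of two sequential calls (the disconnect followed by the release path the log describes), not two concurrent ones; if that sequential assumption holds it should be written down in mixer.h, e.g. `bool disconnected; /* URBs already killed; disconnect and free are not concurrent */`. The field also relies on the interface being zero-allocated so that it starts false — the allocation trace in the log points at kzalloc() in snd_usb_create_mixer(), which is outside the hunk. The NULL checks added around the two usb_kill_urb() calls presumably exist because the probe error path can reach this function before the URBs were allocated; a one-line comment on the first check, `/* may run from the probe error path before the URBs exist */`, would make that explicit.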
@@ -0,0 +1,47 @@ +From b61907bb42409adf9b3120f741af7c57dd7e3db2 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Mon, 9 Oct 2017 23:30:02 +0800 +Subject: crypto: shash - Fix zero-length shash ahash digest crash +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Herbert Xu + +commit b61907bb42409adf9b3120f741af7c57dd7e3db2 upstream. + +The shash ahash digest adaptor function may crash if given a +zero-length input together with a null SG list. This is because +it tries to read the SG list before looking at the length. + +This patch fixes it by checking the length first. + +Reported-by: Stephan Müller +Signed-off-by: Herbert Xu +Tested-by: Stephan Müller +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/shash.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/crypto/shash.c ++++ b/crypto/shash.c +@@ -275,12 +275,14 @@ static int shash_async_finup(struct ahas + + int shash_ahash_digest(struct ahash_request *req, struct shash_desc *desc) + { +- struct scatterlist *sg = req->src; +- unsigned int offset = sg->offset; + unsigned int nbytes = req->nbytes; ++ struct scatterlist *sg; ++ unsigned int offset; + int err; + +- if (nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset)) { ++ if (nbytes && ++ (sg = req->src, offset = sg->offset, ++ nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset))) { + void *data; + + data = kmap_atomic(sg_page(sg)); diff --git a/queue-4.13/crypto-skcipher-fix-crash-on-zero-length-input.patch b/queue-4.13/crypto-skcipher-fix-crash-on-zero-length-input.patch new file mode 100644 index 00000000000..e11f295a31b --- /dev/null +++ b/queue-4.13/crypto-skcipher-fix-crash-on-zero-length-input.patch 
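Review bot: The comma expression inside the new condition in shash_ahash_digest() hides two assignments in the `if` and leaves `sg` and `offset` unset whenever `nbytes` is zero, which is hard to read and invites uninitialised-use warnings if the tail of the function (outside the hunk) ever touches them. A plain early initialisation keeps both the zero-length guard and the rule that `req->src` is only dereferenced when there is data. The rest of shash_ahash_digest() is outside the hunk.
```c
	unsigned int nbytes = req->nbytes;
	struct scatterlist *sg = NULL;
	unsigned int offset = 0;
	int err;

	/* req->src may be NULL for a zero-length request; only look at it when there is data */
	if (nbytes) {
		sg = req->src;
		offset = sg->offset;
	}

	if (nbytes && nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset)) {
		/* … unchanged: kmap_atomic fast path … */
```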
@@ -0,0 +1,74 @@ +From 0cabf2af6f5ac3c88cb106c4e06087a5a39b8e1e Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Sat, 7 Oct 2017 11:29:48 +0800 +Subject: crypto: skcipher - Fix crash on zero-length input +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Herbert Xu + +commit 0cabf2af6f5ac3c88cb106c4e06087a5a39b8e1e upstream. + +The skcipher walk interface doesn't handle zero-length input +properly as the old blkcipher walk interface did. This is due +to the fact that the length check is done too late. + +This patch moves the length check forward so that it does the +right thing. + +Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk...") +Reported-by: Stephan Müller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/skcipher.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/crypto/skcipher.c ++++ b/crypto/skcipher.c +@@ -426,14 +426,9 @@ static int skcipher_copy_iv(struct skcip + + static int skcipher_walk_first(struct skcipher_walk *walk) + { +- walk->nbytes = 0; +- + if (WARN_ON_ONCE(in_irq())) + return -EDEADLK; + +- if (unlikely(!walk->total)) +- return 0; +- + walk->buffer = NULL; + if (unlikely(((unsigned long)walk->iv & walk->alignmask))) { + int err = skcipher_copy_iv(walk); +@@ -452,10 +447,15 @@ static int skcipher_walk_skcipher(struct + { + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); + ++ walk->total = req->cryptlen; ++ walk->nbytes = 0; ++ ++ if (unlikely(!walk->total)) ++ return 0; ++ + scatterwalk_start(&walk->in, req->src); + scatterwalk_start(&walk->out, req->dst); + +- walk->total = req->cryptlen; + walk->iv = req->iv; + walk->oiv = req->iv; + +@@ -509,6 +509,11 @@ static int skcipher_walk_aead_common(str + struct crypto_aead *tfm = crypto_aead_reqtfm(req); + int err; + ++ walk->nbytes = 0; ++ ++ if (unlikely(!walk->total)) ++ return 0; ++ + walk->flags &= ~SKCIPHER_WALK_PHYS; + + scatterwalk_start(&walk->in, 
req->src); diff --git a/queue-4.13/device-property-track-owner-device-of-device-property.patch b/queue-4.13/device-property-track-owner-device-of-device-property.patch new file mode 100644 index 00000000000..3fbdcbf2d2e --- /dev/null +++ b/queue-4.13/device-property-track-owner-device-of-device-property.patch 
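Review bot: skcipher_walk_first() no longer resets `walk->nbytes` nor returns early on `walk->total == 0`, so that responsibility now sits with each caller; the two callers in the hunk do it, but skcipher_walk_aead_common() reads `walk->total` without setting it, so its own callers must have filled it in beforehand (they are outside the hunk), and any other caller of skcipher_walk_first() outside this patch would silently lose the zero-length early return. A comment on skcipher_walk_first() would pin the new contract: `/* Callers must set walk->total and walk->nbytes and return early on a zero-length request before calling this. */`. skcipher_walk_aead_common() continues past the end of the hunk.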
@@ -0,0 +1,108 @@ +From 5ab894aee0f171a682bcd90dd5d1930cb53c55dc Mon Sep 17 00:00:00 2001 +From: Jarkko Nikula +Date: Mon, 9 Oct 2017 16:28:37 +0300 +Subject: device property: Track owner device of device property + +From: Jarkko Nikula + +commit 5ab894aee0f171a682bcd90dd5d1930cb53c55dc upstream. + +Deletion of subdevice will remove device properties associated to parent +when they share the same firmware node after commit 478573c93abd (driver +core: Don't leak secondary fwnode on device removal). This was observed +with a driver adding subdevice that driver wasn't able to read device +properties after rmmod/modprobe cycle. + +Consider the lifecycle of it: + +parent device registration + ACPI_COMPANION_SET() + device_add_properties() + pset_copy_set() + set_secondary_fwnode(dev, &p->fwnode) + device_add() + +parent probe + read device properties + ACPI_COMPANION_SET(subdevice, ACPI_COMPANION(parent)) + device_add(subdevice) + +parent remove + device_del(subdevice) + device_remove_properties() + set_secondary_fwnode(dev, NULL); + pset_free() + +Parent device will have its primary firmware node pointing to an ACPI +node and secondary firmware node point to device properties. + +ACPI_COMPANION_SET() call in parent probe will set the subdevice's +firmware node to point to the same 'struct fwnode_handle' and the +associated secondary firmware node, i.e. the device properties as the +parent. + +When subdevice is deleted in parent remove that will remove those +device properties and attempt to read device properties in next +parent probe call will fail. + +Fix this by tracking the owner device of device properties and delete +them only when owner device is being deleted. + +Fixes: 478573c93abd (driver core: Don't leak secondary fwnode on device removal) +Signed-off-by: Jarkko Nikula +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/property.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/base/property.c ++++ b/drivers/base/property.c +@@ -21,6 +21,7 @@ + #include + + struct property_set { ++ struct device *dev; + struct fwnode_handle fwnode; + const struct property_entry *properties; + }; +@@ -855,6 +856,7 @@ static struct property_set *pset_copy_se + void device_remove_properties(struct device *dev) + { + struct fwnode_handle *fwnode; ++ struct property_set *pset; + + fwnode = dev_fwnode(dev); + if (!fwnode) +@@ -864,16 +866,16 @@ void device_remove_properties(struct dev + * the pset. If there is no real firmware node (ACPI/DT) primary + * will hold the pset. + */ +- if (is_pset_node(fwnode)) { ++ pset = to_pset_node(fwnode); ++ if (pset) { + set_primary_fwnode(dev, NULL); +- pset_free_set(to_pset_node(fwnode)); + } else { +- fwnode = fwnode->secondary; +- if (!IS_ERR(fwnode) && is_pset_node(fwnode)) { ++ pset = to_pset_node(fwnode->secondary); ++ if (pset && dev == pset->dev) + set_secondary_fwnode(dev, NULL); +- pset_free_set(to_pset_node(fwnode)); +- } + } ++ if (pset && dev == pset->dev) ++ pset_free_set(pset); + } + EXPORT_SYMBOL_GPL(device_remove_properties); + +@@ -903,6 +905,7 @@ int device_add_properties(struct device + p->fwnode.type = FWNODE_PDATA; + p->fwnode.ops = &pset_fwnode_ops; + set_secondary_fwnode(dev, &p->fwnode); ++ p->dev = dev; + return 0; + } + EXPORT_SYMBOL_GPL(device_add_properties); diff --git a/queue-4.13/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch b/queue-4.13/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch new file mode 100644 index 00000000000..957063ee2dc --- /dev/null +++ b/queue-4.13/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch 
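Review bot: The secondary-node branch of device_remove_properties() drops the explicit `!IS_ERR(fwnode)` test and passes `fwnode->secondary` straight into to_pset_node(), so correctness now depends on that helper tolerating an ERR_PTR or NULL argument; to_pset_node() is outside the hunk and should be checked. The ownership test `dev == pset->dev` gates the secondary-node clear and the free, while the primary branch still clears the node unconditionally — defensible for a device that is being removed, but worth a line explaining the asymmetry. The new field would benefit from a comment such as `struct device *dev; /* owner; only its removal frees this set */`, since, as the commit message describes, other devices may share the same fwnode pointer.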
@@ -0,0 +1,77 @@ +From 87a2f622cc6446c7d09ac655b7b9b04886f16a4c Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Mon, 18 Sep 2017 11:16:26 +0300 +Subject: dmaengine: edma: Align the memcpy acnt array size with the transfer + +From: Peter Ujfalusi + +commit 87a2f622cc6446c7d09ac655b7b9b04886f16a4c upstream. + +Memory to Memory transfers does not have any special alignment needs +regarding to acnt array size, but if one of the areas are in memory mapped +regions (like PCIe memory), we need to make sure that the acnt array size +is aligned with the mem copy parameters. + +Before "dmaengine: edma: Optimize memcpy operation" change the memcpy was set +up in a different way: acnt == number of bytes in a word based on +__ffs((src | dest | len), bcnt and ccnt for looping the necessary number of +words to comlete the trasnfer. + +Instead of reverting the commit we can fix it to make sure that the ACNT size +is aligned to the traswnfer. + +Fixes: df6694f80365a (dmaengine: edma: Optimize memcpy operation) +Signed-off-by: Peter Ujfalusi +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/edma.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/dma/edma.c ++++ b/drivers/dma/edma.c +@@ -1143,11 +1143,24 @@ static struct dma_async_tx_descriptor *e + struct edma_desc *edesc; + struct device *dev = chan->device->dev; + struct edma_chan *echan = to_edma_chan(chan); +- unsigned int width, pset_len; ++ unsigned int width, pset_len, array_size; + + if (unlikely(!echan || !len)) + return NULL; + ++ /* Align the array size (acnt block) with the transfer properties */ ++ switch (__ffs((src | dest | len))) { ++ case 0: ++ array_size = SZ_32K - 1; ++ break; ++ case 1: ++ array_size = SZ_32K - 2; ++ break; ++ default: ++ array_size = SZ_32K - 4; ++ break; ++ } ++ + if (len < SZ_64K) { + /* + * Transfer size less than 64K can be handled with one paRAM +@@ -1169,7 +1182,7 @@ static struct dma_async_tx_descriptor *e 
+ * When the full_length is multibple of 32767 one slot can be + * used to complete the transfer. + */ +- width = SZ_32K - 1; ++ width = array_size; + pset_len = rounddown(len, width); + /* One slot is enough for lengths multiple of (SZ_32K -1) */ + if (unlikely(pset_len == len)) +@@ -1217,7 +1230,7 @@ static struct dma_async_tx_descriptor *e + } + dest += pset_len; + src += pset_len; +- pset_len = width = len % (SZ_32K - 1); ++ pset_len = width = len % array_size; + + ret = edma_config_pset(chan, &edesc->pset[1], src, dest, 1, + width, pset_len, DMA_MEM_TO_MEM); diff --git a/queue-4.13/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch b/queue-4.13/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch new file mode 100644 index 00000000000..03442529bf8 --- /dev/null +++ b/queue-4.13/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch 
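Review bot: The comment `/* One slot is enough for lengths multiple of (SZ_32K -1) */` left in the second hunk is now stale, since `width = array_size` can be 32767, 32766 or 32764; change it to `/* One slot is enough for lengths multiple of array_size */`. The switch on `__ffs((src | dest | len))` would also read better with the rule spelled out next to the constants, e.g. `/* largest value <= SZ_32K - 1 that is a multiple of the transfer alignment (1, 2 or 4+ bytes) */`, which is what the three cases compute. The enclosing function starts and ends outside the hunk.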
@@ -0,0 +1,40 @@ +From 2ccb4837c938357233a0b8818e3ca3e58242c952 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Thu, 21 Sep 2017 14:35:32 +0300 +Subject: dmaengine: ti-dma-crossbar: Fix possible race condition with dma_inuse + +From: Peter Ujfalusi + +commit 2ccb4837c938357233a0b8818e3ca3e58242c952 upstream. + +When looking for unused xbar_out lane we should also protect the set_bit() +call with the same mutex to protect against concurrent threads picking the +same ID. + +Fixes: ec9bfa1e1a796 ("dmaengine: ti-dma-crossbar: dra7: Use bitops instead of idr") +Signed-off-by: Peter Ujfalusi +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/ti-dma-crossbar.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/dma/ti-dma-crossbar.c ++++ b/drivers/dma/ti-dma-crossbar.c +@@ -262,13 +262,14 @@ static void *ti_dra7_xbar_route_allocate + mutex_lock(&xbar->mutex); + map->xbar_out = find_first_zero_bit(xbar->dma_inuse, + xbar->dma_requests); +- mutex_unlock(&xbar->mutex); + if (map->xbar_out == xbar->dma_requests) { ++ mutex_unlock(&xbar->mutex); + dev_err(&pdev->dev, "Run out of free DMA requests\n"); + kfree(map); + return ERR_PTR(-ENOMEM); + } + set_bit(map->xbar_out, xbar->dma_inuse); ++ mutex_unlock(&xbar->mutex); + + map->xbar_in = (u16)dma_spec->args[0]; + diff --git a/queue-4.13/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch b/queue-4.13/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch new file mode 100644 index 00000000000..0df452da63b --- /dev/null +++ b/queue-4.13/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch 
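Review bot: The widened critical section is correct, but nothing in ti_dra7_xbar_route_allocate() says why `set_bit()` has to stay under `xbar->mutex` even though set_bit() is itself atomic; a comment above find_first_zero_bit(), `/* find + claim must be one critical section so two callers cannot pick the same xbar_out */`, would keep a later cleanup from hoisting the unlock again. The function continues outside the hunk on both sides.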
@@ -0,0 +1,91 @@ +From f892760aa66a2d657deaf59538fb69433036767c Mon Sep 17 00:00:00 2001 +From: Matthew Wilcox +Date: Fri, 13 Oct 2017 15:58:15 -0700 +Subject: fs/mpage.c: fix mpage_writepage() for pages with buffers + +From: Matthew Wilcox + +commit f892760aa66a2d657deaf59538fb69433036767c upstream. + +When using FAT on a block device which supports rw_page, we can hit +BUG_ON(!PageLocked(page)) in try_to_free_buffers(). This is because we +call clean_buffers() after unlocking the page we've written. Introduce +a new clean_page_buffers() which cleans all buffers associated with a +page and call it from within bdev_write_page(). + +[akpm@linux-foundation.org: s/PAGE_SIZE/~0U/ per Linus and Matthew] +Link: http://lkml.kernel.org/r/20171006211541.GA7409@bombadil.infradead.org +Signed-off-by: Matthew Wilcox +Reported-by: Toshi Kani +Reported-by: OGAWA Hirofumi +Tested-by: Toshi Kani +Acked-by: Johannes Thumshirn +Cc: Ross Zwisler +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/block_dev.c | 6 ++++-- + fs/mpage.c | 14 +++++++++++--- + include/linux/buffer_head.h | 1 + + 3 files changed, 16 insertions(+), 5 deletions(-) + +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -716,10 +716,12 @@ int bdev_write_page(struct block_device + + set_page_writeback(page); + result = ops->rw_page(bdev, sector + get_start_sect(bdev), page, true); +- if (result) ++ if (result) { + end_page_writeback(page); +- else ++ } else { ++ clean_page_buffers(page); + unlock_page(page); ++ } + blk_queue_exit(bdev->bd_queue); + return result; + } +--- a/fs/mpage.c ++++ b/fs/mpage.c +@@ -468,6 +468,16 @@ static void clean_buffers(struct page *p + try_to_free_buffers(page); + } + ++/* ++ * For situations where we want to clean all buffers attached to a page. ++ * We don't need to calculate how many buffers are attached to the page, ++ * we just need to specify a number larger than the maximum number of buffers. 
++ */ ++void clean_page_buffers(struct page *page) ++{ ++ clean_buffers(page, ~0U); ++} ++ + static int __mpage_writepage(struct page *page, struct writeback_control *wbc, + void *data) + { +@@ -605,10 +615,8 @@ alloc_new: + if (bio == NULL) { + if (first_unmapped == blocks_per_page) { + if (!bdev_write_page(bdev, blocks[0] << (blkbits - 9), +- page, wbc)) { +- clean_buffers(page, first_unmapped); ++ page, wbc)) + goto out; +- } + } + bio = mpage_alloc(bdev, blocks[0] << (blkbits - 9), + BIO_MAX_PAGES, GFP_NOFS|__GFP_HIGH); +--- a/include/linux/buffer_head.h ++++ b/include/linux/buffer_head.h +@@ -232,6 +232,7 @@ int generic_write_end(struct file *, str + loff_t, unsigned, unsigned, + struct page *, void *); + void page_zero_new_buffers(struct page *page, unsigned from, unsigned to); ++void clean_page_buffers(struct page *page); + int cont_write_begin(struct file *, struct address_space *, loff_t, + unsigned, unsigned, struct page **, void **, + get_block_t *, loff_t *); diff --git a/queue-4.13/hid-usbhid-fix-out-of-bounds-bug.patch b/queue-4.13/hid-usbhid-fix-out-of-bounds-bug.patch new file mode 100644 index 00000000000..2f25d25dd92 --- /dev/null +++ b/queue-4.13/hid-usbhid-fix-out-of-bounds-bug.patch 
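Review bot: bdev_write_page() now calls clean_page_buffers() on every successful rw_page write, not only for the __mpage_writepage() path that used to call clean_buffers(page, first_unmapped), so clean_buffers() must cope with a page that has no buffers attached; its body starts outside the hunk and should be checked for a page_has_buffers() guard. The removed `clean_buffers(page, first_unmapped)` call is equivalent to the new whole-page clean only because that branch is reached with `first_unmapped == blocks_per_page`, which is worth recording next to the bdev_write_page() call in fs/mpage.c, e.g. `/* bdev_write_page() cleans every buffer, which here is all of them */`. __mpage_writepage() starts and ends outside the hunk.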
@@ -0,0 +1,108 @@ +From f043bfc98c193c284e2cd768fefabe18ac2fed9b Mon Sep 17 00:00:00 2001 +From: Jaejoong Kim +Date: Thu, 28 Sep 2017 19:16:30 +0900 +Subject: HID: usbhid: fix out-of-bounds bug + +From: Jaejoong Kim + +commit f043bfc98c193c284e2cd768fefabe18ac2fed9b upstream. + +The hid descriptor identifies the length and type of subordinate +descriptors for a device. If the received hid descriptor is smaller than +the size of the struct hid_descriptor, it is possible to cause +out-of-bounds. + +In addition, if bNumDescriptors of the hid descriptor have an incorrect +value, this can also cause out-of-bounds while approaching hdesc->desc[n]. + +So check the size of hid descriptor and bNumDescriptors. + + BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20 + Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261 + + CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted + 4.14.0-rc1-42251-gebb2c2437d80 #169 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Workqueue: usb_hub_wq hub_event + Call Trace: + __dump_stack lib/dump_stack.c:16 + dump_stack+0x292/0x395 lib/dump_stack.c:52 + print_address_description+0x78/0x280 mm/kasan/report.c:252 + kasan_report_error mm/kasan/report.c:351 + kasan_report+0x22f/0x340 mm/kasan/report.c:409 + __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427 + usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004 + hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944 + usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369 + usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 + bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 + __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 + bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 + device_add+0xd0b/0x1660 
drivers/base/core.c:1835 + usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932 + generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 + usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 + bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 + __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 + bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 + device_add+0xd0b/0x1660 drivers/base/core.c:1835 + usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 + hub_port_connect drivers/usb/core/hub.c:4903 + hub_port_connect_change drivers/usb/core/hub.c:5009 + port_event drivers/usb/core/hub.c:5115 + hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 + process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 + worker_thread+0x221/0x1850 kernel/workqueue.c:2253 + kthread+0x3a1/0x470 kernel/kthread.c:231 + ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 + +Reported-by: Andrey Konovalov +Signed-off-by: Jaejoong Kim +Tested-by: Andrey Konovalov +Acked-by: Alan Stern +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/usbhid/hid-core.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -975,6 +975,8 @@ static int usbhid_parse(struct hid_devic + unsigned int rsize = 0; + char *rdesc; + int ret, n; ++ int num_descriptors; ++ size_t offset = offsetof(struct hid_descriptor, desc); + + quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor), + le16_to_cpu(dev->descriptor.idProduct)); +@@ -997,10 +999,18 @@ static int usbhid_parse(struct hid_devic + return -ENODEV; + } + ++ if (hdesc->bLength < sizeof(struct hid_descriptor)) { ++ dbg_hid("hid descriptor is too short\n"); ++ return -EINVAL; ++ } ++ + hid->version = 
le16_to_cpu(hdesc->bcdHID); + hid->country = hdesc->bCountryCode; + +- for (n = 0; n < hdesc->bNumDescriptors; n++) ++ num_descriptors = min_t(int, hdesc->bNumDescriptors, ++ (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor)); ++ ++ for (n = 0; n < num_descriptors; n++) + if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT) + rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength); + diff --git a/queue-4.13/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch b/queue-4.13/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch new file mode 100644 index 00000000000..37749605c88 --- /dev/null +++ b/queue-4.13/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch @@ -0,0 +1,31 @@ +From ce76353f169a6471542d999baf3d29b121dce9c0 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Fri, 13 Oct 2017 14:32:37 +0200 +Subject: iommu/amd: Finish TLB flush in amd_iommu_unmap() + +From: Joerg Roedel + +commit ce76353f169a6471542d999baf3d29b121dce9c0 upstream. + +The function only sends the flush command to the IOMMU(s), +but does not wait for its completion when it returns. Fix +that. + +Fixes: 601367d76bd1 ('x86/amd-iommu: Remove iommu_flush_domain function') +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -3262,6 +3262,7 @@ static size_t amd_iommu_unmap(struct iom + mutex_unlock(&domain->api_lock); + + domain_flush_tlb_pde(domain); ++ domain_flush_complete(domain); + + return unmap_size; + } diff --git a/queue-4.13/kvm-mmu-always-terminate-page-walks-at-level-1.patch b/queue-4.13/kvm-mmu-always-terminate-page-walks-at-level-1.patch new file mode 100644 index 00000000000..efe8c7d0223 --- /dev/null +++ b/queue-4.13/kvm-mmu-always-terminate-page-walks-at-level-1.patch 
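Review bot: The `min_t(int, ...)` clamp on `hdesc->bNumDescriptors` silently accepts a descriptor whose declared count does not fit in `bLength`, so a malformed device is parsed with fewer class descriptors than it claims and nothing is logged; a `dbg_hid()` when the clamp takes effect, for example `if (num_descriptors < hdesc->bNumDescriptors) dbg_hid("hid descriptor claims more class descriptors than fit in bLength\n");`, would make such devices visible during triage. The bound is only as good as `bLength` itself: the hunk relies on the lookup that produced `hdesc` (outside the hunk) having verified that `bLength` bytes are actually present in the buffer, which is worth confirming rather than assuming. The `bLength - offset` subtraction cannot underflow because the preceding `bLength < sizeof(struct hid_descriptor)` check rejects the short case first. usbhid_parse() continues outside the hunk.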
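Review bot: The added `domain_flush_complete(domain)` is the security-relevant line of amd_iommu_unmap() and deserves a comment saying why returning before it is unsafe: until the invalidation has completed the device can presumably still translate through the stale IOTLB entry, so a caller that frees or reuses the pages right after unmap returns would expose them to DMA. Suggested comment above the call: `/* wait for the IOTLB invalidation to complete; callers may reuse the pages as soon as we return */`. Both flush calls run after `mutex_unlock(&domain->api_lock)`, which this commit does not change; whether that ordering is intended is not decidable from the hunk. amd_iommu_unmap() starts outside the hunk.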
@@ -0,0 +1,80 @@ +From 829ee279aed43faa5cb1e4d65c0cad52f2426c53 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 5 Oct 2017 11:10:23 +0200 +Subject: KVM: MMU: always terminate page walks at level 1 + +From: Ladi Prosek + +commit 829ee279aed43faa5cb1e4d65c0cad52f2426c53 upstream. + +is_last_gpte() is not equivalent to the pseudo-code given in commit +6bb69c9b69c31 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect +value of last_nonleaf_level may override the result even if level == 1. + +It is critical for is_last_gpte() to return true on level == 1 to +terminate page walks. Otherwise memory corruption may occur as level +is used as an index to various data structures throughout the page +walking code. Even though the actual bug would be wherever the MMU is +initialized (as in the previous patch), be defensive and ensure here +that is_last_gpte() returns the correct value. + +This patch is also enough to fix CVE-2017-12188. + +Fixes: 6bb69c9b69c315200ddc2bc79aee14c0184cf5b2 +Cc: Andy Honig +Signed-off-by: Ladi Prosek +[Panic if walk_addr_generic gets an incorrect level; this is a serious + bug and it's not worth a WARN_ON where the recovery path might hide + further exploitable issues; suggested by Andrew Honig. - Paolo] +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 14 +++++++------- + arch/x86/kvm/paging_tmpl.h | 3 ++- + 2 files changed, 9 insertions(+), 8 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -3935,19 +3935,19 @@ static inline bool is_last_gpte(struct k + unsigned level, unsigned gpte) + { + /* +- * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set +- * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means +- * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then. +- */ +- gpte |= level - PT_PAGE_TABLE_LEVEL - 1; +- +- /* + * The RHS has bit 7 set iff level < mmu->last_nonleaf_level. 
+ * If it is clear, there are no large pages at this level, so clear + * PT_PAGE_SIZE_MASK in gpte if that is the case. + */ + gpte &= level - mmu->last_nonleaf_level; + ++ /* ++ * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set ++ * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means ++ * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then. ++ */ ++ gpte |= level - PT_PAGE_TABLE_LEVEL - 1; ++ + return gpte & PT_PAGE_SIZE_MASK; + } + +--- a/arch/x86/kvm/paging_tmpl.h ++++ b/arch/x86/kvm/paging_tmpl.h +@@ -334,10 +334,11 @@ retry_walk: + --walker->level; + + index = PT_INDEX(addr, walker->level); +- + table_gfn = gpte_to_gfn(pte); + offset = index * sizeof(pt_element_t); + pte_gpa = gfn_to_gpa(table_gfn) + offset; ++ ++ BUG_ON(walker->level < 1); + walker->table_gfn[walker->level - 1] = table_gfn; + walker->pte_gpa[walker->level - 1] = pte_gpa; + diff --git a/queue-4.13/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch b/queue-4.13/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch new file mode 100644 index 00000000000..a11d71253fb --- /dev/null +++ b/queue-4.13/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch 
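Review bot: The new `BUG_ON(walker->level < 1)` in walk_addr_generic() sits three statements after `--walker->level`, after `PT_INDEX(addr, walker->level)` has already consumed the decremented value; placing it immediately after the decrement would tie the invariant to the value it protects and cover every use of it, not only the two `walker->level - 1` array stores. The reordering in is_last_gpte() is right: with the `|=` applied last, the `level == PT_PAGE_TABLE_LEVEL` case can no longer be overridden by a bad `last_nonleaf_level`, and the two surviving comments describe the new order accurately. The retry_walk loop body starts and ends outside the hunk.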
@@ -0,0 +1,55 @@ +From 8eb3f87d903168bdbd1222776a6b1e281f50513e Mon Sep 17 00:00:00 2001 +From: Haozhong Zhang +Date: Tue, 10 Oct 2017 15:01:22 +0800 +Subject: KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit + +From: Haozhong Zhang + +commit 8eb3f87d903168bdbd1222776a6b1e281f50513e upstream. + +When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the +guest CR4. Before this CR4 loading, the guest CR4 refers to L2 +CR4. Because these two CR4's are in different levels of guest, we +should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which +is used to handle guest writes to its CR4, checks the guest change to +CR4 and may fail if the change is invalid. + +The failure may cause trouble. Consider we start + a L1 guest with non-zero L1 PCID in use, + (i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0) +and + a L2 guest with L2 PCID disabled, + (i.e. L2 CR4.PCIDE == 0) +and following events may happen: + +1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4 + into guest CR4 (in VMCS01) for L2 to L1 exit, it will fail because + of PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e. + vcpu->arch.cr4) is left to the value of L2 CR4. + +2. Later, if L1 attempts to change its CR4, e.g., clearing VMXE bit, + kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID, + because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1 + CR3.PCID != 0, L0 KVM will inject GP to L1 guest. + +Fixes: 4704d0befb072 ("KVM: nVMX: Exiting from L2 to L1") +Cc: qemu-stable@nongnu.org +Signed-off-by: Haozhong Zhang +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -11013,7 +11013,7 @@ static void load_vmcs12_host_state(struc + + /* Same as above - no reason to call set_cr4_guest_host_mask(). 
*/ + vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK); +- kvm_set_cr4(vcpu, vmcs12->host_cr4); ++ vmx_set_cr4(vcpu, vmcs12->host_cr4); + + nested_ept_uninit_mmu_context(vcpu); + diff --git a/queue-4.13/mei-always-use-domain-runtime-pm-callbacks.patch b/queue-4.13/mei-always-use-domain-runtime-pm-callbacks.patch new file mode 100644 index 00000000000..b00b8a65f10 --- /dev/null +++ b/queue-4.13/mei-always-use-domain-runtime-pm-callbacks.patch 
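Review bot: Switching to `vmx_set_cr4(vcpu, vmcs12->host_cr4)` drops the guest-write validation that kvm_set_cr4() performed, and the hunk leaves no trace of why that is acceptable for a value L1 supplies through vmcs12. A comment at the call would carry the reasoning from the commit message, for example `/* vmx_set_cr4(), not kvm_set_cr4(): vcpu->arch.cr4 still holds L2's CR4, so this is an L2->L1 level switch, not a guest write to validate against the current CR4 */`. The same comment should say where host_cr4 is validated instead; presumably the nested VM-entry host-state checks, but that is outside this hunk and should be confirmed before relying on it. load_vmcs12_host_state() starts and ends outside the hunk.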
@@ -0,0 +1,145 @@ +From b42dc0635bf0a6aa59fe4d7c826796ff659908c7 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Tue, 26 Sep 2017 09:18:27 +0300 +Subject: mei: always use domain runtime pm callbacks. + +From: Alexander Usyskin + +commit b42dc0635bf0a6aa59fe4d7c826796ff659908c7 upstream. + +This patch fixes a regression caused by the new changes +in the "run wake" handlers. + +The mei devices that support D0i3 are no longer receiving an interrupt +after entering runtime suspend state and will stall. + +pci_dev_run_wake function now returns "true" for some devices +(including mei) for which it used to return "false", +arguably incorrectly as "run wake" used to mean that +wakeup signals can be generated for a device in +the working state of the system, so it could not be enabled +or disabled before too. + +MEI maps runtime suspend/resume to its own defined +power gating (PG) states, (D0i3 or other depending on generation), +hence we need to go around the native PCI runtime service which +eventually brings the device into D3cold/hot state, +but the mei devices cannot wake up from D3 unlike from D0i3/PG state, +which keeps irq running. +To get around PCI device native runtime pm, +MEI uses runtime pm domain handlers which take precedence. + +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Acked-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/pci-me.c | 21 +++++++++++---------- + drivers/misc/mei/pci-txe.c | 30 +++++++++++------------------- + 2 files changed, 22 insertions(+), 29 deletions(-) + +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -222,12 +222,15 @@ static int mei_me_probe(struct pci_dev * + pdev->dev_flags |= PCI_DEV_FLAGS_NEEDS_RESUME; + + /* +- * For not wake-able HW runtime pm framework +- * can't be used on pci device level. +- * Use domain runtime pm callbacks instead. 
+- */ +- if (!pci_dev_run_wake(pdev)) +- mei_me_set_pm_domain(dev); ++ * ME maps runtime suspend/resume to D0i states, ++ * hence we need to go around native PCI runtime service which ++ * eventually brings the device into D3cold/hot state, ++ * but the mei device cannot wake up from D3 unlike from D0i3. ++ * To get around the PCI device native runtime pm, ++ * ME uses runtime pm domain handlers which take precedence ++ * over the driver's pm handlers. ++ */ ++ mei_me_set_pm_domain(dev); + + if (mei_pg_is_enabled(dev)) + pm_runtime_put_noidle(&pdev->dev); +@@ -267,8 +270,7 @@ static void mei_me_shutdown(struct pci_d + dev_dbg(&pdev->dev, "shutdown\n"); + mei_stop(dev); + +- if (!pci_dev_run_wake(pdev)) +- mei_me_unset_pm_domain(dev); ++ mei_me_unset_pm_domain(dev); + + mei_disable_interrupts(dev); + free_irq(pdev->irq, dev); +@@ -296,8 +298,7 @@ static void mei_me_remove(struct pci_dev + dev_dbg(&pdev->dev, "stop\n"); + mei_stop(dev); + +- if (!pci_dev_run_wake(pdev)) +- mei_me_unset_pm_domain(dev); ++ mei_me_unset_pm_domain(dev); + + mei_disable_interrupts(dev); + +--- a/drivers/misc/mei/pci-txe.c ++++ b/drivers/misc/mei/pci-txe.c +@@ -144,12 +144,14 @@ static int mei_txe_probe(struct pci_dev + pdev->dev_flags |= PCI_DEV_FLAGS_NEEDS_RESUME; + + /* +- * For not wake-able HW runtime pm framework +- * can't be used on pci device level. +- * Use domain runtime pm callbacks instead. +- */ +- if (!pci_dev_run_wake(pdev)) +- mei_txe_set_pm_domain(dev); ++ * TXE maps runtime suspend/resume to own power gating states, ++ * hence we need to go around native PCI runtime service which ++ * eventually brings the device into D3cold/hot state. ++ * But the TXE device cannot wake up from D3 unlike from own ++ * power gating. To get around PCI device native runtime pm, ++ * TXE uses runtime pm domain handlers which take precedence. 
++ */ ++ mei_txe_set_pm_domain(dev); + + pm_runtime_put_noidle(&pdev->dev); + +@@ -186,8 +188,7 @@ static void mei_txe_shutdown(struct pci_ + dev_dbg(&pdev->dev, "shutdown\n"); + mei_stop(dev); + +- if (!pci_dev_run_wake(pdev)) +- mei_txe_unset_pm_domain(dev); ++ mei_txe_unset_pm_domain(dev); + + mei_disable_interrupts(dev); + free_irq(pdev->irq, dev); +@@ -215,8 +216,7 @@ static void mei_txe_remove(struct pci_de + + mei_stop(dev); + +- if (!pci_dev_run_wake(pdev)) +- mei_txe_unset_pm_domain(dev); ++ mei_txe_unset_pm_domain(dev); + + mei_disable_interrupts(dev); + free_irq(pdev->irq, dev); +@@ -318,15 +318,7 @@ static int mei_txe_pm_runtime_suspend(st + else + ret = -EAGAIN; + +- /* +- * If everything is okay we're about to enter PCI low +- * power state (D3) therefor we need to disable the +- * interrupts towards host. +- * However if device is not wakeable we do not enter +- * D-low state and we need to keep the interrupt kicking +- */ +- if (!ret && pci_dev_run_wake(pdev)) +- mei_disable_interrupts(dev); ++ /* keep irq on we are staying in D0 */ + + dev_dbg(&pdev->dev, "rpm: txe: runtime suspend ret=%d\n", ret); + diff --git a/queue-4.13/mips-bpf-fix-uninitialised-target-compiler-error.patch b/queue-4.13/mips-bpf-fix-uninitialised-target-compiler-error.patch new file mode 100644 index 00000000000..cc2be80f040 --- /dev/null +++ b/queue-4.13/mips-bpf-fix-uninitialised-target-compiler-error.patch 
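Review bot: In mei_txe_pm_runtime_suspend() the removal leaves `/* keep irq on we are staying in D0 */` standing alone between the `ret` assignment and the dev_dbg(), describing code that no longer exists; it reads as a leftover rather than an explanation. Either reword it to say what is deliberately not done, `/* no mei_disable_interrupts(): with the PM domain handlers in place the device stays in D0, so its irq must stay enabled */`, or drop it. The new probe-time comments in pci-me.c and pci-txe.c already explain the D0i3/power-gating reasoning, so the suspend-path comment could simply refer to them. mei_txe_pm_runtime_suspend() starts and ends outside the hunk.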
@@ -0,0 +1,54 @@ +From 94c3390ab84a6b449accc7351ffda4a0c17bdb92 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Wed, 27 Sep 2017 09:14:58 +0100 +Subject: MIPS: bpf: Fix uninitialised target compiler error + +From: Matt Redfearn + +commit 94c3390ab84a6b449accc7351ffda4a0c17bdb92 upstream. + +Compiling ebpf_jit.c with gcc 4.9 results in a (likely spurious) +compiler warning, as gcc has detected that the variable "target" may be +used uninitialised. Since -Werror is active, this is treated as an error +and causes a kernel build failure whenever CONFIG_MIPS_EBPF_JIT is +enabled. + +arch/mips/net/ebpf_jit.c: In function 'build_one_insn': +arch/mips/net/ebpf_jit.c:1118:80: error: 'target' may be used +uninitialized in this function [-Werror=maybe-uninitialized] + emit_instr(ctx, j, target); + ^ +cc1: all warnings being treated as errors + +Fix this by initialising "target" to 0. If it really is used +uninitialised this would result in a jump to 0 and a detectable run time +failure. + +Signed-off-by: Matt Redfearn +Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.") +Cc: James Hogan +Cc: David Daney +Cc: David S. Miller +Cc: Colin Ian King +Cc: Daniel Borkmann +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/17375/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/net/ebpf_jit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/net/ebpf_jit.c ++++ b/arch/mips/net/ebpf_jit.c +@@ -679,7 +679,7 @@ static int build_one_insn(const struct b + { + int src, dst, r, td, ts, mem_off, b_off; + bool need_swap, did_move, cmp_eq; +- unsigned int target; ++ unsigned int target = 0; + u64 t64; + s64 t64s; + diff --git a/queue-4.13/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch b/queue-4.13/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch new file mode 100644 index 00000000000..f45c34766c6 --- /dev/null 
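Review bot: `unsigned int target = 0;` in build_one_insn() reads as if 0 were a meaningful jump target, whereas the commit message says the initializer exists only to silence a gcc 4.9 maybe-uninitialized warning and that a jump to 0 would be a detectable failure; without a comment a later reader may take the value as intentional. Suggest `unsigned int target = 0; /* silences a (likely spurious) gcc 4.9 maybe-uninitialized warning; 0 is not a valid target */`. build_one_insn() continues outside the hunk.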
+++ b/queue-4.13/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch @@ -0,0 +1,53 @@ +From ca8eb05b5f332a9e1ab3e2ece498d49f4d683470 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 8 Sep 2017 15:12:21 -0700 +Subject: MIPS: math-emu: Remove pr_err() calls from fpu_emu() + +From: Paul Burton + +commit ca8eb05b5f332a9e1ab3e2ece498d49f4d683470 upstream. + +The FPU emulator includes 2 calls to pr_err() which are triggered by +invalid instruction encodings for MIPSr6 cmp.cond.fmt instructions. +These cases are not kernel errors, merely invalid instructions which are +already handled by delivering a SIGILL which will provide notification +that something failed in cases where that makes sense. + +In cases where that SIGILL is somewhat expected & being handled, for +example when crashme happens to generate one of the affected bad +encodings, the message is printed with no useful context about what +triggered it & spams the kernel log for no good reason. + +Remove the pr_err() calls to make crashme run silently & treat the bad +encodings the same way we do others, with a SIGILL & no further kernel +log output. + +Signed-off-by: Paul Burton +Fixes: f8c3c6717a71 ("MIPS: math-emu: Add support for the CMP.condn.fmt R6 instruction") +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/17253/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/math-emu/cp1emu.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/mips/math-emu/cp1emu.c ++++ b/arch/mips/math-emu/cp1emu.c +@@ -2387,7 +2387,6 @@ dcopuop: + break; + default: + /* Reserved R6 ops */ +- pr_err("Reserved MIPS R6 CMP.condn.S operation\n"); + return SIGILL; + } + } +@@ -2461,7 +2460,6 @@ dcopuop: + break; + default: + /* Reserved R6 ops */ +- pr_err("Reserved MIPS R6 CMP.condn.D operation\n"); + return SIGILL; + } + } 
diff --git a/queue-4.13/nfs-filelayout-fix-oops-when-freeing-filelayout-segment.patch b/queue-4.13/nfs-filelayout-fix-oops-when-freeing-filelayout-segment.patch
new file mode 100644
index 00000000000..b84f03a97d5
--- /dev/null
+++ b/queue-4.13/nfs-filelayout-fix-oops-when-freeing-filelayout-segment.patch
@@ -0,0 +1,86 @@ +From 0a47df11bfc31e1ceae7f91cea84d3bff500475d Mon Sep 17 00:00:00 2001 +From: Scott Mayhew +Date: Fri, 29 Sep 2017 09:36:43 -0400 +Subject: nfs/filelayout: fix oops when freeing filelayout segment + +From: Scott Mayhew + +commit 0a47df11bfc31e1ceae7f91cea84d3bff500475d upstream. + +Check for a NULL dsaddr in filelayout_free_lseg() before calling +nfs4_fl_put_deviceid(). This fixes the following oops: + +[ 1967.645207] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 +[ 1967.646010] IP: [] nfs4_put_deviceid_node+0xa/0x90 [nfsv4] +[ 1967.646010] PGD c08bc067 PUD 915d3067 PMD 0 +[ 1967.753036] Oops: 0000 [#1] SMP +[ 1967.753036] Modules linked in: nfs_layout_nfsv41_files ext4 mbcache jbd2 loop rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache amd64_edac_mod ipmi_ssif edac_mce_amd edac_core kvm_amd sg kvm ipmi_si ipmi_devintf irqbypass pcspkr k8temp ipmi_msghandler i2c_piix4 shpchp nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_common amdkfd amd_iommu_v2 radeon i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops mptsas ttm scsi_transport_sas mptscsih drm mptbase serio_raw i2c_core bnx2 dm_mirror dm_region_hash dm_log dm_mod +[ 1967.790031] CPU: 2 PID: 1370 Comm: ls Not tainted 3.10.0-709.el7.test.bz1463784.x86_64 #1 +[ 1967.790031] Hardware name: IBM BladeCenter LS21 -[7971AC1]-/Server Blade, BIOS -[BAE155AUS-1.10]- 06/03/2009 +[ 1967.790031] task: ffff8800c42a3f40 ti: ffff8800c4064000 task.ti: ffff8800c4064000 +[ 1967.790031] RIP: 0010:[] [] nfs4_put_deviceid_node+0xa/0x90 [nfsv4] +[ 1967.790031] RSP: 0000:ffff8800c4067978 EFLAGS: 00010246 +[ 1967.790031] RAX: ffffffffc062f000 RBX: ffff8801d468a540 RCX: dead000000000200 +[ 1967.790031] RDX: ffff8800c40679f8 RSI: ffff8800c4067a0c RDI: 0000000000000000 +[ 1967.790031] RBP: ffff8800c4067980 R08: ffff8801d468a540 R09: 0000000000000000 +[ 1967.790031] R10: 0000000000000000 R11: ffffffffffffffff 
R12: ffff8801d468a540 +[ 1967.790031] R13: ffff8800c40679f8 R14: ffff8801d5645300 R15: ffff880126f15ff0 +[ 1967.790031] FS: 00007f11053c9800(0000) GS:ffff88012bd00000(0000) knlGS:0000000000000000 +[ 1967.790031] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 1967.790031] CR2: 0000000000000030 CR3: 0000000094b55000 CR4: 00000000000007e0 +[ 1967.790031] Stack: +[ 1967.790031] ffff8801d468a540 ffff8800c4067990 ffffffffc062d2fe ffff8800c40679b0 +[ 1967.790031] ffffffffc062b5b4 ffff8800c40679f8 ffff8801d468a540 ffff8800c40679d8 +[ 1967.790031] ffffffffc06d39af ffff8800c40679f8 ffff880126f16078 0000000000000001 +[ 1967.790031] Call Trace: +[ 1967.790031] [] nfs4_fl_put_deviceid+0xe/0x10 [nfs_layout_nfsv41_files] +[ 1967.790031] [] filelayout_free_lseg+0x24/0x90 [nfs_layout_nfsv41_files] +[ 1967.790031] [] pnfs_free_lseg_list+0x5f/0x80 [nfsv4] +[ 1967.790031] [] _pnfs_return_layout+0x157/0x270 [nfsv4] +[ 1967.790031] [] nfs4_evict_inode+0x4d/0x70 [nfsv4] +[ 1967.790031] [] evict+0xa9/0x180 +[ 1967.790031] [] iput+0xf9/0x190 +[ 1967.790031] [] nfs_dentry_iput+0x3a/0x50 [nfs] +[ 1967.790031] [] shrink_dentry_list+0x20f/0x490 +[ 1967.790031] [] d_invalidate+0xd8/0x150 +[ 1967.790031] [] nfs_readdir_page_filler+0x40b/0x600 [nfs] +[ 1967.790031] [] nfs_readdir_xdr_to_array+0x20d/0x3b0 [nfs] +[ 1967.790031] [] ? __mem_cgroup_commit_charge+0xe2/0x2f0 +[ 1967.790031] [] ? __add_to_page_cache_locked+0x48/0x170 +[ 1967.790031] [] ? nfs_readdir_xdr_to_array+0x3b0/0x3b0 [nfs] +[ 1967.790031] [] nfs_readdir_filler+0x22/0x90 [nfs] +[ 1967.790031] [] do_read_cache_page+0x7f/0x190 +[ 1967.790031] [] ? fillonedir+0xe0/0xe0 +[ 1967.790031] [] read_cache_page+0x1c/0x30 +[ 1967.790031] [] nfs_readdir+0x1ab/0x6b0 [nfs] +[ 1967.790031] [] ? nfs4_xdr_dec_layoutget+0x270/0x270 [nfsv4] +[ 1967.790031] [] ? 
fillonedir+0xe0/0xe0 +[ 1967.790031] [] vfs_readdir+0xb0/0xe0 +[ 1967.790031] [] SyS_getdents+0x95/0x120 +[ 1967.790031] [] system_call_fastpath+0x16/0x1b +[ 1967.790031] Code: 90 31 d2 48 89 d0 5d c3 85 f6 74 f5 8d 4e 01 89 f0 f0 0f b1 0f 39 f0 74 e2 89 c6 eb eb 0f 1f 40 00 66 66 66 66 90 55 48 89 e5 53 <48> 8b 47 30 48 89 fb a8 04 74 3b 8b 57 60 83 fa 02 74 19 8d 4a +[ 1967.790031] RIP [] nfs4_put_deviceid_node+0xa/0x90 [nfsv4] +[ 1967.790031] RSP +[ 1967.790031] CR2: 0000000000000030 + +Signed-off-by: Scott Mayhew +Fixes: 1ebf98012792 ("NFS/filelayout: Fix racy setting of fl->dsaddr...") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/filelayout/filelayout.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfs/filelayout/filelayout.c ++++ b/fs/nfs/filelayout/filelayout.c +@@ -745,7 +745,8 @@ filelayout_free_lseg(struct pnfs_layout_ + struct nfs4_filelayout_segment *fl = FILELAYOUT_LSEG(lseg); + + dprintk("--> %s\n", __func__); +- nfs4_fl_put_deviceid(fl->dsaddr); ++ if (fl->dsaddr != NULL) ++ nfs4_fl_put_deviceid(fl->dsaddr); + /* This assumes a single RW lseg */ + if (lseg->pls_range.iomode == IOMODE_RW) { + struct nfs4_filelayout *flo; diff --git a/queue-4.13/nfs-fix-uninitialized-rpc_wait_queue.patch b/queue-4.13/nfs-fix-uninitialized-rpc_wait_queue.patch new file mode 100644 index 00000000000..31705116129 --- /dev/null +++ b/queue-4.13/nfs-fix-uninitialized-rpc_wait_queue.patch 
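Review bot: The NULL guard around `nfs4_fl_put_deviceid(fl->dsaddr)` in filelayout_free_lseg() fixes the reported oops but does not say how a segment reaches the free path without a dsaddr, so the next reader cannot tell a legitimate state from a masked bug. A short comment would help, e.g. `/* dsaddr is NULL if the lseg is freed before a device id was attached to it */`; the exact condition should be taken from the Fixes: commit (1ebf98012792), since the hunk does not show where dsaddr is set. The kernel idiom is `if (fl->dsaddr)` rather than `!= NULL`, though the file's own style should decide. filelayout_free_lseg() continues outside the hunk.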
@@ -0,0 +1,41 @@ +From 68ebf8fe3bce8c167cf83fbd681c1eb1ed419c6c Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Fri, 22 Sep 2017 07:57:10 -0400 +Subject: NFS: Fix uninitialized rpc_wait_queue + +From: Benjamin Coddington + +commit 68ebf8fe3bce8c167cf83fbd681c1eb1ed419c6c upstream. + +Michael Sterrett reports a NULL pointer dereference on NFSv3 mounts when +CONFIG_NFS_V4 is not set because the NFS UOC rpc_wait_queue has not been +initialized. Move the initialization of the queue out of the CONFIG_NFS_V4 +conditional setion. + +Fixes: 7d6ddf88c4db ("NFS: Add an iocounter wait function for async RPC tasks") +Signed-off-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -218,7 +218,6 @@ static void nfs_cb_idr_remove_locked(str + static void pnfs_init_server(struct nfs_server *server) + { + rpc_init_wait_queue(&server->roc_rpcwaitq, "pNFS ROC"); +- rpc_init_wait_queue(&server->uoc_rpcwaitq, "NFS UOC"); + } + + #else +@@ -888,6 +887,7 @@ struct nfs_server *nfs_alloc_server(void + ida_init(&server->openowner_id); + ida_init(&server->lockowner_id); + pnfs_init_server(server); ++ rpc_init_wait_queue(&server->uoc_rpcwaitq, "NFS UOC"); + + return server; + } diff --git a/queue-4.13/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch b/queue-4.13/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch new file mode 100644 index 00000000000..b400e365823 --- /dev/null +++ b/queue-4.13/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch 
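Review bot: The `rpc_init_wait_queue(&server->uoc_rpcwaitq, "NFS UOC")` moved into nfs_alloc_server() now runs for every server, but the hunk shows only the initialisation; if the matching teardown of uoc_rpcwaitq in the server free path is still inside the `CONFIG_NFS_V4` conditional it needs the same move, and that should be checked since the hunk does not show it. A comment next to the new call, `/* needed on NFSv3 mounts too, so it cannot live in pnfs_init_server() */`, would stop the next cleanup from moving it back under the conditional. nfs_alloc_server() starts outside the hunk.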
@@ -0,0 +1,43 @@ +From 83b31c2a5fdd4fb3a4ec84c59a962e816d0bc9de Mon Sep 17 00:00:00 2001 +From: Petr Mladek +Date: Tue, 26 Sep 2017 15:51:28 +0200 +Subject: pinctrl/amd: Fix build dependency on pinmux code +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Petr Mladek + +commit 83b31c2a5fdd4fb3a4ec84c59a962e816d0bc9de upstream. + +The commit 79d2c8bede2c93f943 ("pinctrl/amd: save pin registers over +suspend/resume") caused the following compilation errors: + +drivers/pinctrl/pinctrl-amd.c: In function ‘amd_gpio_should_save’: +drivers/pinctrl/pinctrl-amd.c:741:8: error: ‘const struct pin_desc’ has no member named ‘mux_owner’ + if (pd->mux_owner || pd->gpio_owner || + ^ +drivers/pinctrl/pinctrl-amd.c:741:25: error: ‘const struct pin_desc’ has no member named ‘gpio_owner’ + if (pd->mux_owner || pd->gpio_owner || + +We need to enable CONFIG_PINMUX for this driver as well. + +Fixes: 79d2c8bede2c93f943 ("pinctrl/amd: save pin registers over suspend/resume") +Signed-off-by: Petr Mladek +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pinctrl/Kconfig ++++ b/drivers/pinctrl/Kconfig +@@ -100,6 +100,7 @@ config PINCTRL_AMD + tristate "AMD GPIO pin control" + depends on GPIOLIB + select GPIOLIB_IRQCHIP ++ select PINMUX + select PINCONF + select GENERIC_PINCONF + help diff --git a/queue-4.13/revert-vmalloc-back-off-when-the-current-task-is-killed.patch b/queue-4.13/revert-vmalloc-back-off-when-the-current-task-is-killed.patch new file mode 100644 index 00000000000..85fa76c425d --- /dev/null +++ b/queue-4.13/revert-vmalloc-back-off-when-the-current-task-is-killed.patch 
@@ -0,0 +1,77 @@ +From b8c8a338f75e052d9fa2fed851259320af412e3f Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Fri, 13 Oct 2017 15:58:05 -0700 +Subject: Revert "vmalloc: back off when the current task is killed" + +From: Johannes Weiner + +commit b8c8a338f75e052d9fa2fed851259320af412e3f upstream. + +This reverts commits 5d17a73a2ebe ("vmalloc: back off when the current +task is killed") and 171012f56127 ("mm: don't warn when vmalloc() fails +due to a fatal signal"). + +Commit 5d17a73a2ebe ("vmalloc: back off when the current task is +killed") made all vmalloc allocations from a signal-killed task fail. +We have seen crashes in the tty driver from this, where a killed task +exiting tries to switch back to N_TTY, fails n_tty_open because of the +vmalloc failing, and later crashes when dereferencing tty->disc_data. + +Arguably, relying on a vmalloc() call to succeed in order to properly +exit a task is not the most robust way of doing things. There will be a +follow-up patch to the tty code to fall back to the N_NULL ldisc. + +But the justification to make that vmalloc() call fail like this isn't +convincing, either. The patch mentions an OOM victim exhausting the +memory reserves and thus deadlocking the machine. But the OOM killer is +only one, improbable source of fatal signals. It doesn't make sense to +fail allocations preemptively with plenty of memory in most cases. + +The patch doesn't mention real-life instances where vmalloc sites would +exhaust memory, which makes it sound more like a theoretical issue to +begin with. But just in case, the OOM access to memory reserves has +been restricted on the allocator side in cd04ae1e2dc8 ("mm, oom: do not +rely on TIF_MEMDIE for memory reserves access"), which should take care +of any theoretical concerns on that front. + +Revert this patch, and the follow-up that suppresses the allocation +warnings when we fail the allocations due to a signal. 
+ +Link: http://lkml.kernel.org/r/20171004185906.GB2136@cmpxchg.org +Fixes: 171012f56127 ("mm: don't warn when vmalloc() fails due to a fatal signal") +Signed-off-by: Johannes Weiner +Acked-by: Vlastimil Babka +Acked-by: Michal Hocko +Cc: Alan Cox +Cc: Christoph Hellwig +Cc: Dmitry Vyukov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/vmalloc.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -1697,11 +1697,6 @@ static void *__vmalloc_area_node(struct + for (i = 0; i < area->nr_pages; i++) { + struct page *page; + +- if (fatal_signal_pending(current)) { +- area->nr_pages = i; +- goto fail_no_warn; +- } +- + if (node == NUMA_NO_NODE) + page = alloc_page(alloc_mask|highmem_mask); + else +@@ -1725,7 +1720,6 @@ fail: + warn_alloc(gfp_mask, NULL, + "vmalloc: allocation failure, allocated %ld of %ld bytes", + (area->nr_pages*PAGE_SIZE), area->size); +-fail_no_warn: + vfree(area->addr); + return NULL; + } diff --git a/queue-4.13/series b/queue-4.13/series new file mode 100644 index 00000000000..85a11c0e021 --- /dev/null +++ b/queue-4.13/series 
@@ -0,0 +1,21 @@
+usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch
+mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch
+mips-bpf-fix-uninitialised-target-compiler-error.patch
+mei-always-use-domain-runtime-pm-callbacks.patch
+dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch
+dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch
+nfs-fix-uninitialized-rpc_wait_queue.patch
+nfs-filelayout-fix-oops-when-freeing-filelayout-segment.patch
+hid-usbhid-fix-out-of-bounds-bug.patch
+crypto-skcipher-fix-crash-on-zero-length-input.patch
+crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch
+kvm-mmu-always-terminate-page-walks-at-level-1.patch
+kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch
+usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch
+pinctrl-amd-fix-build-dependency-on-pinmux-code.patch
+iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch
+device-property-track-owner-device-of-device-property.patch
+revert-vmalloc-back-off-when-the-current-task-is-killed.patch
+fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch
+alsa-usb-audio-kill-stray-urb-at-exiting.patch
+alsa-seq-fix-use-after-free-at-creating-a-port.patch
diff --git a/queue-4.13/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch b/queue-4.13/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch
new file mode 100644
index 00000000000..a7227c4060f
--- /dev/null
+++ b/queue-4.13/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch
@@ -0,0 +1,107 @@
+From ab219221a5064abfff9f78c323c4a257b16cdb81 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Fri, 6 Oct 2017 10:27:44 -0400
+Subject: USB: dummy-hcd: Fix deadlock caused by disconnect detection
+
+From: Alan Stern
+
+commit ab219221a5064abfff9f78c323c4a257b16cdb81 upstream.
+
+The dummy-hcd driver calls the gadget driver's disconnect callback
+under the wrong conditions. It should invoke the callback when Vbus
+power is turned off, but instead it does so when the D+ pullup is
+turned off.
+
+This can cause a deadlock in the composite core when a gadget driver
+is unregistered:
+
+[ 88.361471] ============================================
+[ 88.362014] WARNING: possible recursive locking detected
+[ 88.362580] 4.14.0-rc2+ #9 Not tainted
+[ 88.363010] --------------------------------------------
+[ 88.363561] v4l_id/526 is trying to acquire lock:
+[ 88.364062] (&(&cdev->lock)->rlock){....}, at: [] composite_disconnect+0x43/0x100 [libcomposite]
+[ 88.365051]
+[ 88.365051] but task is already holding lock:
+[ 88.365826] (&(&cdev->lock)->rlock){....}, at: [] usb_function_deactivate+0x29/0x80 [libcomposite]
+[ 88.366858]
+[ 88.366858] other info that might help us debug this:
+[ 88.368301] Possible unsafe locking scenario:
+[ 88.368301]
+[ 88.369304] CPU0
+[ 88.369701] ----
+[ 88.370101] lock(&(&cdev->lock)->rlock);
+[ 88.370623] lock(&(&cdev->lock)->rlock);
+[ 88.371145]
+[ 88.371145] *** DEADLOCK ***
+[ 88.371145]
+[ 88.372211] May be due to missing lock nesting notation
+[ 88.372211]
+[ 88.373191] 2 locks held by v4l_id/526:
+[ 88.373715] #0: (&(&cdev->lock)->rlock){....}, at: [] usb_function_deactivate+0x29/0x80 [libcomposite]
+[ 88.374814] #1: (&(&dum_hcd->dum->lock)->rlock){....}, at: [] dummy_pullup+0x7d/0xf0 [dummy_hcd]
+[ 88.376289]
+[ 88.376289] stack backtrace:
+[ 88.377726] CPU: 0 PID: 526 Comm: v4l_id Not tainted 4.14.0-rc2+ #9
+[ 88.378557] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[ 88.379504] Call Trace:
+[ 88.380019] dump_stack+0x86/0xc7
+[ 88.380605] __lock_acquire+0x841/0x1120
+[ 88.381252] lock_acquire+0xd5/0x1c0
+[ 88.381865] ? composite_disconnect+0x43/0x100 [libcomposite]
+[ 88.382668] _raw_spin_lock_irqsave+0x40/0x54
+[ 88.383357] ? composite_disconnect+0x43/0x100 [libcomposite]
+[ 88.384290] composite_disconnect+0x43/0x100 [libcomposite]
+[ 88.385490] set_link_state+0x2d4/0x3c0 [dummy_hcd]
+[ 88.386436] dummy_pullup+0xa7/0xf0 [dummy_hcd]
+[ 88.387195] usb_gadget_disconnect+0xd8/0x160 [udc_core]
+[ 88.387990] usb_gadget_deactivate+0xd3/0x160 [udc_core]
+[ 88.388793] usb_function_deactivate+0x64/0x80 [libcomposite]
+[ 88.389628] uvc_function_disconnect+0x1e/0x40 [usb_f_uvc]
+
+This patch changes the code to test the port-power status bit rather
+than the port-connect status bit when deciding whether to isue the
+callback.
+
+Signed-off-by: Alan Stern
+Reported-by: David Tulloh
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -420,6 +420,7 @@ static void set_link_state_by_speed(stru
+ static void set_link_state(struct dummy_hcd *dum_hcd)
+ {
+ struct dummy *dum = dum_hcd->dum;
++ unsigned int power_bit;
+
+ dum_hcd->active = 0;
+ if (dum->pullup)
+@@ -430,17 +431,19 @@ static void set_link_state(struct dummy_
+ return;
+
+ set_link_state_by_speed(dum_hcd);
++ power_bit = (dummy_hcd_to_hcd(dum_hcd)->speed == HCD_USB3 ?
++ USB_SS_PORT_STAT_POWER : USB_PORT_STAT_POWER);
+
+ if ((dum_hcd->port_status & USB_PORT_STAT_ENABLE) == 0 ||
+ dum_hcd->active)
+ dum_hcd->resuming = 0;
+
+ /* Currently !connected or in reset */
+- if ((dum_hcd->port_status & USB_PORT_STAT_CONNECTION) == 0 ||
++ if ((dum_hcd->port_status & power_bit) == 0 ||
+ (dum_hcd->port_status & USB_PORT_STAT_RESET) != 0) {
+- unsigned disconnect = USB_PORT_STAT_CONNECTION &
++ unsigned int disconnect = power_bit &
+ dum_hcd->old_status & (~dum_hcd->port_status);
+- unsigned reset = USB_PORT_STAT_RESET &
++ unsigned int reset = USB_PORT_STAT_RESET &
+ (~dum_hcd->old_status) & dum_hcd->port_status;
+
+ /* Report reset and disconnect events to the driver */
diff --git a/queue-4.13/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch b/queue-4.13/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch
new file mode 100644
index 00000000000..fa667634502
--- /dev/null
+++ b/queue-4.13/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch
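Review bot: The comment `/* Currently !connected or in reset */` above the rewritten condition is now stale: the test checks `power_bit` (port power), not `USB_PORT_STAT_CONNECTION`, and the `disconnect` mask is likewise derived from the power bit, so it should read something like `/* Currently unpowered or in reset */` to match the semantics the commit message describes. A one-line why-comment next to the `power_bit` assignment, e.g. `/* report disconnect on Vbus loss, not on D+ pullup removal (see composite deadlock) */`, would keep the reason from being undone in a later cleanup. `set_link_state()` continues past the end of the hunk, so the uses of `disconnect` and `reset` are not visible here.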
@@ -0,0 +1,40 @@
+From 29c7f3e68eec4ae94d85ad7b5dfdafdb8089f513 Mon Sep 17 00:00:00 2001
+From: Kazuya Mizuguchi
+Date: Mon, 2 Oct 2017 14:01:41 +0900
+Subject: usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet
+
+From: Kazuya Mizuguchi
+
+commit 29c7f3e68eec4ae94d85ad7b5dfdafdb8089f513 upstream.
+
+The DREQE bit of the DnFIFOSEL should be set to 1 after the DE bit of
+USB-DMAC on R-Car SoCs is set to 1 after the USB-DMAC received a
+zero-length packet. Otherwise, a transfer completion interruption
+of USB-DMAC doesn't happen. Even if the driver changes the sequence,
+normal operations (transmit/receive without zero-length packet) will
+not cause any side-effects. So, this patch fixes the sequence anyway.
+
+Signed-off-by: Kazuya Mizuguchi
+[shimoda: revise the commit log]
+Fixes: e73a9891b3a1 ("usb: renesas_usbhs: add DMAEngine support")
+Signed-off-by: Yoshihiro Shimoda
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/renesas_usbhs/fifo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -857,9 +857,9 @@ static void xfer_work(struct work_struct
+ fifo->name, usbhs_pipe_number(pipe), pkt->length, pkt->zero);
+
+ usbhs_pipe_running(pipe, 1);
+- usbhsf_dma_start(pipe, fifo);
+ usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans);
+ dma_async_issue_pending(chan);
++ usbhsf_dma_start(pipe, fifo);
+ usbhs_pipe_enable(pipe);
+
+ xfer_work_end:
-- 
2.47.3
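Review bot: The moved `usbhsf_dma_start(pipe, fifo);` call carries no comment explaining why it must now follow `dma_async_issue_pending(chan);`, so the ordering the commit message describes (DREQE in DnFIFOSEL only after the USB-DMAC DE bit is set, or the completion interrupt for a zero-length packet never fires) is easy to undo in a later refactor; a short note such as `/* DREQE must be set after DE (dma_async_issue_pending), else no completion IRQ for a zero-length packet */` above the call would preserve it. The rest of `xfer_work()` lies outside the hunk, so whether anything else depended on the previous order cannot be checked here.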