From 89e7a3a9fb5eb3674ac9cd5c2d4820a96d28b475 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 20 Apr 2018 17:20:28 +0200 Subject: [PATCH] 4.4-stable patches added patches: asoc-ssm2602-replace-reg_default_raw-with-reg_default.patch ext4-add-validity-checks-for-bitmap-block-numbers.patch ext4-don-t-update-checksum-of-new-initialized-bitmaps.patch ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch hid-core-fix-size-as-type-u32.patch hid-fix-hid_report_len-usage.patch jbd2-if-the-journal-is-aborted-then-don-t-allow-update-of-the-log-tail.patch powerpc-64-fix-smp_wmb-barrier-definition-use-use-lwsync-consistently.patch powerpc-powernv-fix-opal-nvram-driver-opal_busy-loops.patch powerpc-powernv-handle-unknown-opal-errors-in-opal_nvram_write.patch random-use-a-tighter-cap-in-credit_entropy_bits_safe.patch thunderbolt-resume-control-channel-after-hibernation-image-is-created.patch --- ...ace-reg_default_raw-with-reg_default.patch | 77 ++++++++++++ ...dity-checks-for-bitmap-block-numbers.patch | 101 +++++++++++++++ ...-checksum-of-new-initialized-bitmaps.patch | 115 ++++++++++++++++++ ...et-for-root-directory-if-unallocated.patch | 45 +++++++ queue-4.4/hid-core-fix-size-as-type-u32.patch | 98 +++++++++++++++ queue-4.4/hid-fix-hid_report_len-usage.patch | 70 +++++++++++ ...n-don-t-allow-update-of-the-log-tail.patch | 41 +++++++ ...finition-use-use-lwsync-consistently.patch | 53 ++++++++ ...ix-opal-nvram-driver-opal_busy-loops.patch | 52 ++++++++ ...nown-opal-errors-in-opal_nvram_write.patch | 38 ++++++ ...hter-cap-in-credit_entropy_bits_safe.patch | 38 ++++++ queue-4.4/series | 12 ++ ...l-after-hibernation-image-is-created.patch | 38 ++++++ 13 files changed, 778 insertions(+) create mode 100644 queue-4.4/asoc-ssm2602-replace-reg_default_raw-with-reg_default.patch create mode 100644 queue-4.4/ext4-add-validity-checks-for-bitmap-block-numbers.patch create mode 100644 queue-4.4/ext4-don-t-update-checksum-of-new-initialized-bitmaps.patch create mode 100644 queue-4.4/ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch create mode 100644 queue-4.4/hid-core-fix-size-as-type-u32.patch create mode 100644 queue-4.4/hid-fix-hid_report_len-usage.patch create mode 100644 queue-4.4/jbd2-if-the-journal-is-aborted-then-don-t-allow-update-of-the-log-tail.patch create mode 100644 queue-4.4/powerpc-64-fix-smp_wmb-barrier-definition-use-use-lwsync-consistently.patch create mode 100644 queue-4.4/powerpc-powernv-fix-opal-nvram-driver-opal_busy-loops.patch create mode 100644 queue-4.4/powerpc-powernv-handle-unknown-opal-errors-in-opal_nvram_write.patch create mode 100644 queue-4.4/random-use-a-tighter-cap-in-credit_entropy_bits_safe.patch create mode 100644 queue-4.4/thunderbolt-resume-control-channel-after-hibernation-image-is-created.patch diff --git a/queue-4.4/asoc-ssm2602-replace-reg_default_raw-with-reg_default.patch b/queue-4.4/asoc-ssm2602-replace-reg_default_raw-with-reg_default.patch new file mode 100644 index 00000000000..cddb368bda3 --- /dev/null +++ b/queue-4.4/asoc-ssm2602-replace-reg_default_raw-with-reg_default.patch @@ -0,0 +1,77 @@ +From a01df75ce737951ad13a08d101306e88c3f57cb2 Mon Sep 17 00:00:00 2001 +From: James Kelly +Date: Mon, 19 Mar 2018 21:29:50 +1100 +Subject: ASoC: ssm2602: Replace reg_default_raw with reg_default + +From: James Kelly + +commit a01df75ce737951ad13a08d101306e88c3f57cb2 upstream. + +SSM2602 driver is broken on recent kernels (at least +since 4.9). User space applications such as amixer or +alsamixer get EIO when attempting to access codec +controls via the relevant IOCTLs. + +Root cause of these failures is the regcache_hw_init +function in drivers/base/regmap/regcache.c, which +prevents regmap cache initalization from the +reg_defaults_raw element of the regmap_config structure +when registers are write only. It also disables the +regmap cache entirely when all registers are write only +or volatile as is the case for the SSM2602 driver. + +Using the reg_defaults element of the regmap_config +structure rather than the reg_defaults_raw element to +initalize the regmap cache avoids the logic in the +regcache_hw_init function entirely. It also makes this +driver consistent with other ASoC codec drivers, as +this driver was the ONLY codec driver that used the +reg_defaults_raw element to initalize the cache. + +Tested on Digilent Zybo Z7 development board which has +a SSM2603 codec chip connected to a Xilinx Zynq SoC. + +Signed-off-by: James Kelly +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/ssm2602.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +--- a/sound/soc/codecs/ssm2602.c ++++ b/sound/soc/codecs/ssm2602.c +@@ -54,10 +54,17 @@ struct ssm2602_priv { + * using 2 wire for device control, so we cache them instead. + * There is no point in caching the reset register + */ +-static const u16 ssm2602_reg[SSM2602_CACHEREGNUM] = { +- 0x0097, 0x0097, 0x0079, 0x0079, +- 0x000a, 0x0008, 0x009f, 0x000a, +- 0x0000, 0x0000 ++static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = { ++ { .reg = 0x00, .def = 0x0097 }, ++ { .reg = 0x01, .def = 0x0097 }, ++ { .reg = 0x02, .def = 0x0079 }, ++ { .reg = 0x03, .def = 0x0079 }, ++ { .reg = 0x04, .def = 0x000a }, ++ { .reg = 0x05, .def = 0x0008 }, ++ { .reg = 0x06, .def = 0x009f }, ++ { .reg = 0x07, .def = 0x000a }, ++ { .reg = 0x08, .def = 0x0000 }, ++ { .reg = 0x09, .def = 0x0000 } + }; + + +@@ -618,8 +625,8 @@ const struct regmap_config ssm2602_regma + .volatile_reg = ssm2602_register_volatile, + + .cache_type = REGCACHE_RBTREE, +- .reg_defaults_raw = ssm2602_reg, +- .num_reg_defaults_raw = ARRAY_SIZE(ssm2602_reg), ++ .reg_defaults = ssm2602_reg, ++ .num_reg_defaults = ARRAY_SIZE(ssm2602_reg), + }; + EXPORT_SYMBOL_GPL(ssm2602_regmap_config); + diff --git a/queue-4.4/ext4-add-validity-checks-for-bitmap-block-numbers.patch b/queue-4.4/ext4-add-validity-checks-for-bitmap-block-numbers.patch new file mode 100644 index 00000000000..eea464cec02 --- /dev/null +++ b/queue-4.4/ext4-add-validity-checks-for-bitmap-block-numbers.patch @@ -0,0 +1,101 @@ +From 7dac4a1726a9c64a517d595c40e95e2d0d135f6f Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 26 Mar 2018 23:54:10 -0400 +Subject: ext4: add validity checks for bitmap block numbers + +From: Theodore Ts'o + +commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream. + +An privileged attacker can cause a crash by mounting a crafted ext4 +image which triggers a out-of-bounds read in the function +ext4_valid_block_bitmap() in fs/ext4/balloc.c. + +This issue has been assigned CVE-2018-1093. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181 +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782 +Reported-by: Wen Xu +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/balloc.c | 16 ++++++++++++++-- + fs/ext4/ialloc.c | 7 +++++++ + 2 files changed, 21 insertions(+), 2 deletions(-) + +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -337,20 +337,25 @@ static ext4_fsblk_t ext4_valid_block_bit + /* check whether block bitmap block number is set */ + blk = ext4_block_bitmap(sb, desc); + offset = blk - group_first_block; +- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize || ++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) + /* bad block bitmap */ + return blk; + + /* check whether the inode bitmap block number is set */ + blk = ext4_inode_bitmap(sb, desc); + offset = blk - group_first_block; +- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize || ++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) + /* bad block bitmap */ + return blk; + + /* check whether the inode table block number is set */ + blk = ext4_inode_table(sb, desc); + offset = blk - group_first_block; ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize || ++ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize) ++ return blk; + next_zero_bit = ext4_find_next_zero_bit(bh->b_data, + EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group), + EXT4_B2C(sbi, offset)); +@@ -416,6 +421,7 @@ struct buffer_head * + ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) + { + struct ext4_group_desc *desc; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); + struct buffer_head *bh; + ext4_fsblk_t bitmap_blk; + int err; +@@ -424,6 +430,12 @@ ext4_read_block_bitmap_nowait(struct sup + if (!desc) + return ERR_PTR(-EFSCORRUPTED); + bitmap_blk = ext4_block_bitmap(sb, desc); ++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || ++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) { ++ ext4_error(sb, "Invalid block bitmap block %llu in " ++ "block_group %u", bitmap_blk, block_group); ++ return ERR_PTR(-EFSCORRUPTED); ++ } + bh = sb_getblk(sb, bitmap_blk); + if (unlikely(!bh)) { + ext4_error(sb, "Cannot get buffer for block bitmap - " +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -119,6 +119,7 @@ static struct buffer_head * + ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) + { + struct ext4_group_desc *desc; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); + struct buffer_head *bh = NULL; + ext4_fsblk_t bitmap_blk; + int err; +@@ -128,6 +129,12 @@ ext4_read_inode_bitmap(struct super_bloc + return ERR_PTR(-EFSCORRUPTED); + + bitmap_blk = ext4_inode_bitmap(sb, desc); ++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || ++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) { ++ ext4_error(sb, "Invalid inode bitmap blk %llu in " ++ "block_group %u", bitmap_blk, block_group); ++ return ERR_PTR(-EFSCORRUPTED); ++ } + bh = sb_getblk(sb, bitmap_blk); + if (unlikely(!bh)) { + ext4_error(sb, "Cannot read inode bitmap - " diff --git a/queue-4.4/ext4-don-t-update-checksum-of-new-initialized-bitmaps.patch b/queue-4.4/ext4-don-t-update-checksum-of-new-initialized-bitmaps.patch new file mode 100644 index 00000000000..f660b1eb006 --- /dev/null +++ b/queue-4.4/ext4-don-t-update-checksum-of-new-initialized-bitmaps.patch @@ -0,0 +1,115 @@ +From 044e6e3d74a3d7103a0c8a9305dfd94d64000660 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 19 Feb 2018 14:16:47 -0500 +Subject: ext4: don't update checksum of new initialized bitmaps + +From: Theodore Ts'o + +commit 044e6e3d74a3d7103a0c8a9305dfd94d64000660 upstream. + +When reading the inode or block allocation bitmap, if the bitmap needs +to be initialized, do not update the checksum in the block group +descriptor. That's because we're not set up to journal those changes. +Instead, just set the verified bit on the bitmap block, so that it's +not necessary to validate the checksum. + +When a block or inode allocation actually happens, at that point the +checksum will be calculated, and update of the bg descriptor block +will be properly journalled. + +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/balloc.c | 3 +-- + fs/ext4/ialloc.c | 47 +++-------------------------------------------- + 2 files changed, 4 insertions(+), 46 deletions(-) + +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -242,8 +242,6 @@ static int ext4_init_block_bitmap(struct + */ + ext4_mark_bitmap_end(num_clusters_in_group(sb, block_group), + sb->s_blocksize * 8, bh->b_data); +- ext4_block_bitmap_csum_set(sb, block_group, gdp, bh); +- ext4_group_desc_csum_set(sb, block_group, gdp); + return 0; + } + +@@ -447,6 +445,7 @@ ext4_read_block_bitmap_nowait(struct sup + err = ext4_init_block_bitmap(sb, bh, block_group, desc); + set_bitmap_uptodate(bh); + set_buffer_uptodate(bh); ++ set_buffer_verified(bh); + ext4_unlock_group(sb, block_group); + unlock_buffer(bh); + if (err) { +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -63,44 +63,6 @@ void ext4_mark_bitmap_end(int start_bit, + memset(bitmap + (i >> 3), 0xff, (end_bit - i) >> 3); + } + +-/* Initializes an uninitialized inode bitmap */ +-static int ext4_init_inode_bitmap(struct super_block *sb, +- struct buffer_head *bh, +- ext4_group_t block_group, +- struct ext4_group_desc *gdp) +-{ +- struct ext4_group_info *grp; +- struct ext4_sb_info *sbi = EXT4_SB(sb); +- J_ASSERT_BH(bh, buffer_locked(bh)); +- +- /* If checksum is bad mark all blocks and inodes use to prevent +- * allocation, essentially implementing a per-group read-only flag. */ +- if (!ext4_group_desc_csum_verify(sb, block_group, gdp)) { +- grp = ext4_get_group_info(sb, block_group); +- if (!EXT4_MB_GRP_BBITMAP_CORRUPT(grp)) +- percpu_counter_sub(&sbi->s_freeclusters_counter, +- grp->bb_free); +- set_bit(EXT4_GROUP_INFO_BBITMAP_CORRUPT_BIT, &grp->bb_state); +- if (!EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) { +- int count; +- count = ext4_free_inodes_count(sb, gdp); +- percpu_counter_sub(&sbi->s_freeinodes_counter, +- count); +- } +- set_bit(EXT4_GROUP_INFO_IBITMAP_CORRUPT_BIT, &grp->bb_state); +- return -EFSBADCRC; +- } +- +- memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8); +- ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), sb->s_blocksize * 8, +- bh->b_data); +- ext4_inode_bitmap_csum_set(sb, block_group, gdp, bh, +- EXT4_INODES_PER_GROUP(sb) / 8); +- ext4_group_desc_csum_set(sb, block_group, gdp); +- +- return 0; +-} +- + void ext4_end_bitmap_read(struct buffer_head *bh, int uptodate) + { + if (uptodate) { +@@ -184,17 +146,14 @@ ext4_read_inode_bitmap(struct super_bloc + + ext4_lock_group(sb, block_group); + if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) { +- err = ext4_init_inode_bitmap(sb, bh, block_group, desc); ++ memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8); ++ ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), ++ sb->s_blocksize * 8, bh->b_data); + set_bitmap_uptodate(bh); + set_buffer_uptodate(bh); + set_buffer_verified(bh); + ext4_unlock_group(sb, block_group); + unlock_buffer(bh); +- if (err) { +- ext4_error(sb, "Failed to init inode bitmap for group " +- "%u: %d", block_group, err); +- goto out; +- } + return bh; + } + ext4_unlock_group(sb, block_group); diff --git a/queue-4.4/ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch b/queue-4.4/ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch new file mode 100644 index 00000000000..ec381c0a79d --- /dev/null +++ b/queue-4.4/ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch @@ -0,0 +1,45 @@ +From 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 29 Mar 2018 21:56:09 -0400 +Subject: ext4: fail ext4_iget for root directory if unallocated + +From: Theodore Ts'o + +commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 upstream. + +If the root directory has an i_links_count of zero, then when the file +system is mounted, then when ext4_fill_super() notices the problem and +tries to call iput() the root directory in the error return path, +ext4_evict_inode() will try to free the inode on disk, before all of +the file system structures are set up, and this will result in an OOPS +caused by a NULL pointer dereference. + +This issue has been assigned CVE-2018-1092. + +https://bugzilla.kernel.org/show_bug.cgi?id=199179 +https://bugzilla.redhat.com/show_bug.cgi?id=1560777 + +Reported-by: Wen Xu +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4231,6 +4231,12 @@ struct inode *ext4_iget(struct super_blo + goto bad_inode; + raw_inode = ext4_raw_inode(&iloc); + ++ if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { ++ EXT4_ERROR_INODE(inode, "root inode unallocated"); ++ ret = -EFSCORRUPTED; ++ goto bad_inode; ++ } ++ + if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { + ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize); + if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > diff --git a/queue-4.4/hid-core-fix-size-as-type-u32.patch b/queue-4.4/hid-core-fix-size-as-type-u32.patch new file mode 100644 index 00000000000..5bd2c99cff5 --- /dev/null +++ b/queue-4.4/hid-core-fix-size-as-type-u32.patch @@ -0,0 +1,98 @@ +From 6de0b13cc0b4ba10e98a9263d7a83b940720b77a Mon Sep 17 00:00:00 2001 +From: Aaron Ma +Date: Mon, 8 Jan 2018 10:41:41 +0800 +Subject: HID: core: Fix size as type u32 + +From: Aaron Ma + +commit 6de0b13cc0b4ba10e98a9263d7a83b940720b77a upstream. + +When size is negative, calling memset will make segment fault. +Declare the size as type u32 to keep memset safe. + +size in struct hid_report is unsigned, fix return type of +hid_report_len to u32. + +Cc: stable@vger.kernel.org +Signed-off-by: Aaron Ma +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-core.c | 10 +++++----- + include/linux/hid.h | 6 +++--- + 2 files changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1331,7 +1331,7 @@ u8 *hid_alloc_report_buf(struct hid_repo + * of implement() working on 8 byte chunks + */ + +- int len = hid_report_len(report) + 7; ++ u32 len = hid_report_len(report) + 7; + + return kmalloc(len, flags); + } +@@ -1396,7 +1396,7 @@ void __hid_request(struct hid_device *hi + { + char *buf; + int ret; +- int len; ++ u32 len; + + buf = hid_alloc_report_buf(report, GFP_KERNEL); + if (!buf) +@@ -1422,14 +1422,14 @@ out: + } + EXPORT_SYMBOL_GPL(__hid_request); + +-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, ++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, + int interrupt) + { + struct hid_report_enum *report_enum = hid->report_enum + type; + struct hid_report *report; + struct hid_driver *hdrv; + unsigned int a; +- int rsize, csize = size; ++ u32 rsize, csize = size; + u8 *cdata = data; + int ret = 0; + +@@ -1487,7 +1487,7 @@ EXPORT_SYMBOL_GPL(hid_report_raw_event); + * + * This is data entry for lower layers. + */ +-int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int interrupt) ++int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt) + { + struct hid_report_enum *report_enum; + struct hid_driver *hdrv; +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -793,7 +793,7 @@ extern int hidinput_connect(struct hid_d + extern void hidinput_disconnect(struct hid_device *); + + int hid_set_field(struct hid_field *, unsigned, __s32); +-int hid_input_report(struct hid_device *, int type, u8 *, int, int); ++int hid_input_report(struct hid_device *, int type, u8 *, u32, int); + int hidinput_find_field(struct hid_device *hid, unsigned int type, unsigned int code, struct hid_field **field); + struct hid_field *hidinput_get_led_field(struct hid_device *hid); + unsigned int hidinput_count_leds(struct hid_device *hid); +@@ -1098,13 +1098,13 @@ static inline void hid_hw_wait(struct hi + * + * @report: the report we want to know the length + */ +-static inline int hid_report_len(struct hid_report *report) ++static inline u32 hid_report_len(struct hid_report *report) + { + /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */ + return ((report->size - 1) >> 3) + 1 + (report->id > 0); + } + +-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, ++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, + int interrupt); + + /* HID quirks API */ diff --git a/queue-4.4/hid-fix-hid_report_len-usage.patch b/queue-4.4/hid-fix-hid_report_len-usage.patch new file mode 100644 index 00000000000..a52bbfcaeee --- /dev/null +++ b/queue-4.4/hid-fix-hid_report_len-usage.patch @@ -0,0 +1,70 @@ +From 3064a03b94e60388f0955fcc29f3e8a978d28f75 Mon Sep 17 00:00:00 2001 +From: Aaron Ma +Date: Sat, 3 Feb 2018 23:57:15 +0800 +Subject: HID: Fix hid_report_len usage + +From: Aaron Ma + +commit 3064a03b94e60388f0955fcc29f3e8a978d28f75 upstream. + +Follow the change of return type u32 of hid_report_len, +fix all the types of variables those get the return value of +hid_report_len to u32, and all other code already uses u32. + +Cc: stable@vger.kernel.org +Signed-off-by: Aaron Ma +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-input.c | 3 ++- + drivers/hid/hid-multitouch.c | 5 +++-- + drivers/hid/hid-rmi.c | 4 ++-- + 3 files changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1258,7 +1258,8 @@ static void hidinput_led_worker(struct w + led_work); + struct hid_field *field; + struct hid_report *report; +- int len, ret; ++ int ret; ++ u32 len; + __u8 *buf; + + field = hidinput_get_led_field(hid); +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -314,7 +314,8 @@ static struct attribute_group mt_attribu + static void mt_get_feature(struct hid_device *hdev, struct hid_report *report) + { + struct mt_device *td = hid_get_drvdata(hdev); +- int ret, size = hid_report_len(report); ++ int ret; ++ u32 size = hid_report_len(report); + u8 *buf; + + /* +@@ -919,7 +920,7 @@ static void mt_set_input_mode(struct hid + struct hid_report_enum *re; + struct mt_class *cls = &td->mtclass; + char *buf; +- int report_len; ++ u32 report_len; + + if (td->inputmode < 0) + return; +--- a/drivers/hid/hid-rmi.c ++++ b/drivers/hid/hid-rmi.c +@@ -110,8 +110,8 @@ struct rmi_data { + u8 *writeReport; + u8 *readReport; + +- int input_report_size; +- int output_report_size; ++ u32 input_report_size; ++ u32 output_report_size; + + unsigned long flags; + diff --git a/queue-4.4/jbd2-if-the-journal-is-aborted-then-don-t-allow-update-of-the-log-tail.patch b/queue-4.4/jbd2-if-the-journal-is-aborted-then-don-t-allow-update-of-the-log-tail.patch new file mode 100644 index 00000000000..558376543a3 --- /dev/null +++ b/queue-4.4/jbd2-if-the-journal-is-aborted-then-don-t-allow-update-of-the-log-tail.patch @@ -0,0 +1,41 @@ +From 85e0c4e89c1b864e763c4e3bb15d0b6d501ad5d9 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 19 Feb 2018 12:22:53 -0500 +Subject: jbd2: if the journal is aborted then don't allow update of the log tail + +From: Theodore Ts'o + +commit 85e0c4e89c1b864e763c4e3bb15d0b6d501ad5d9 upstream. + +This updates the jbd2 superblock unnecessarily, and on an abort we +shouldn't truncate the log. + +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/journal.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -914,7 +914,7 @@ out: + } + + /* +- * This is a variaon of __jbd2_update_log_tail which checks for validity of ++ * This is a variation of __jbd2_update_log_tail which checks for validity of + * provided log tail and locks j_checkpoint_mutex. So it is safe against races + * with other threads updating log tail. + */ +@@ -1384,6 +1384,9 @@ int jbd2_journal_update_sb_log_tail(jour + journal_superblock_t *sb = journal->j_superblock; + int ret; + ++ if (is_journal_aborted(journal)) ++ return -EIO; ++ + BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex)); + jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n", + tail_block, tail_tid); diff --git a/queue-4.4/powerpc-64-fix-smp_wmb-barrier-definition-use-use-lwsync-consistently.patch b/queue-4.4/powerpc-64-fix-smp_wmb-barrier-definition-use-use-lwsync-consistently.patch new file mode 100644 index 00000000000..4bcf2821256 --- /dev/null +++ b/queue-4.4/powerpc-64-fix-smp_wmb-barrier-definition-use-use-lwsync-consistently.patch @@ -0,0 +1,53 @@ +From 0bfdf598900fd62869659f360d3387ed80eb71cf Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Thu, 22 Mar 2018 20:41:46 +1000 +Subject: powerpc/64: Fix smp_wmb barrier definition use use lwsync consistently + +From: Nicholas Piggin + +commit 0bfdf598900fd62869659f360d3387ed80eb71cf upstream. + +asm/barrier.h is not always included after asm/synch.h, which meant +it was missing __SUBARCH_HAS_LWSYNC, so in some files smp_wmb() would +be eieio when it should be lwsync. kernel/time/hrtimer.c is one case. + +__SUBARCH_HAS_LWSYNC is only used in one place, so just fold it in +to where it's used. Previously with my small simulator config, 377 +instances of eieio in the tree. After this patch there are 55. + +Fixes: 46d075be585e ("powerpc: Optimise smp_wmb") +Cc: stable@vger.kernel.org # v2.6.29+ +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/barrier.h | 3 ++- + arch/powerpc/include/asm/synch.h | 4 ---- + 2 files changed, 2 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/include/asm/barrier.h ++++ b/arch/powerpc/include/asm/barrier.h +@@ -36,7 +36,8 @@ + + #define smp_store_mb(var, value) do { WRITE_ONCE(var, value); mb(); } while (0) + +-#ifdef __SUBARCH_HAS_LWSYNC ++/* The sub-arch has lwsync */ ++#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC) + # define SMPWMB LWSYNC + #else + # define SMPWMB eieio +--- a/arch/powerpc/include/asm/synch.h ++++ b/arch/powerpc/include/asm/synch.h +@@ -5,10 +5,6 @@ + #include + #include + +-#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC) +-#define __SUBARCH_HAS_LWSYNC +-#endif +- + #ifndef __ASSEMBLY__ + extern unsigned int __start___lwsync_fixup, __stop___lwsync_fixup; + extern void do_lwsync_fixups(unsigned long value, void *fixup_start, diff --git a/queue-4.4/powerpc-powernv-fix-opal-nvram-driver-opal_busy-loops.patch b/queue-4.4/powerpc-powernv-fix-opal-nvram-driver-opal_busy-loops.patch new file mode 100644 index 00000000000..0af35fc89bf --- /dev/null +++ b/queue-4.4/powerpc-powernv-fix-opal-nvram-driver-opal_busy-loops.patch @@ -0,0 +1,52 @@ +From 3b8070335f751aac9f1526ae2e012e6f5b8b0f21 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Tue, 10 Apr 2018 21:49:33 +1000 +Subject: powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops + +From: Nicholas Piggin + +commit 3b8070335f751aac9f1526ae2e012e6f5b8b0f21 upstream. + +The OPAL NVRAM driver does not sleep in case it gets OPAL_BUSY or +OPAL_BUSY_EVENT from firmware, which causes large scheduling +latencies, and various lockup errors to trigger (again, BMC reboot +can cause it). + +Fix this by converting it to the standard form OPAL_BUSY loop that +sleeps. + +Fixes: 628daa8d5abf ("powerpc/powernv: Add RTC and NVRAM support plus RTAS fallbacks") +Depends-on: 34dd25de9fe3 ("powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops") +Cc: stable@vger.kernel.org # v3.2+ +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/opal-nvram.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/opal-nvram.c ++++ b/arch/powerpc/platforms/powernv/opal-nvram.c +@@ -11,6 +11,7 @@ + + #define DEBUG + ++#include + #include + #include + #include +@@ -56,8 +57,12 @@ static ssize_t opal_nvram_write(char *bu + + while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) { + rc = opal_write_nvram(__pa(buf), count, off); +- if (rc == OPAL_BUSY_EVENT) ++ if (rc == OPAL_BUSY_EVENT) { ++ msleep(OPAL_BUSY_DELAY_MS); + opal_poll_events(NULL); ++ } else if (rc == OPAL_BUSY) { ++ msleep(OPAL_BUSY_DELAY_MS); ++ } + } + + if (rc) diff --git a/queue-4.4/powerpc-powernv-handle-unknown-opal-errors-in-opal_nvram_write.patch b/queue-4.4/powerpc-powernv-handle-unknown-opal-errors-in-opal_nvram_write.patch new file mode 100644 index 00000000000..41bc9a1e90e --- /dev/null +++ b/queue-4.4/powerpc-powernv-handle-unknown-opal-errors-in-opal_nvram_write.patch @@ -0,0 +1,38 @@ +From 741de617661794246f84a21a02fc5e327bffc9ad Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Tue, 27 Mar 2018 01:02:33 +1000 +Subject: powerpc/powernv: Handle unknown OPAL errors in opal_nvram_write() + +From: Nicholas Piggin + +commit 741de617661794246f84a21a02fc5e327bffc9ad upstream. + +opal_nvram_write currently just assumes success if it encounters an +error other than OPAL_BUSY or OPAL_BUSY_EVENT. Have it return -EIO +on other errors instead. + +Fixes: 628daa8d5abf ("powerpc/powernv: Add RTC and NVRAM support plus RTAS fallbacks") +Cc: stable@vger.kernel.org # v3.2+ +Signed-off-by: Nicholas Piggin +Reviewed-by: Vasant Hegde +Acked-by: Stewart Smith +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/opal-nvram.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/powerpc/platforms/powernv/opal-nvram.c ++++ b/arch/powerpc/platforms/powernv/opal-nvram.c +@@ -59,6 +59,10 @@ static ssize_t opal_nvram_write(char *bu + if (rc == OPAL_BUSY_EVENT) + opal_poll_events(NULL); + } ++ ++ if (rc) ++ return -EIO; ++ + *index += count; + return count; + } diff --git a/queue-4.4/random-use-a-tighter-cap-in-credit_entropy_bits_safe.patch b/queue-4.4/random-use-a-tighter-cap-in-credit_entropy_bits_safe.patch new file mode 100644 index 00000000000..69d7a717f6c --- /dev/null +++ b/queue-4.4/random-use-a-tighter-cap-in-credit_entropy_bits_safe.patch @@ -0,0 +1,38 @@ +From 9f886f4d1d292442b2f22a0a33321eae821bde40 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 25 Feb 2017 18:21:33 -0400 +Subject: random: use a tighter cap in credit_entropy_bits_safe() + +From: Theodore Ts'o + +commit 9f886f4d1d292442b2f22a0a33321eae821bde40 upstream. + +This fixes a harmless UBSAN where root could potentially end up +causing an overflow while bumping the entropy_total field (which is +ignored once the entropy pool has been initialized, and this generally +is completed during the boot sequence). + +This is marginal for the stable kernel series, but it's a really +trivial patch, and it fixes UBSAN warning that might cause security +folks to get overly excited for no reason. + +Signed-off-by: Theodore Ts'o +Reported-by: Chen Feng +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -724,7 +724,7 @@ retry: + + static int credit_entropy_bits_safe(struct entropy_store *r, int nbits) + { +- const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1)); ++ const int nbits_max = r->poolinfo->poolwords * 32; + + if (nbits < 0) + return -EINVAL; diff --git a/queue-4.4/series b/queue-4.4/series index 630c14743b5..f012d91e1cd 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -37,3 +37,15 @@ acpi-hotplug-pci-check-presence-of-slot-itself-in-get_slot_status.patch usb-fix-usb3-devices-behind-usb3-hubs-not-resuming-at-hibernate-thaw.patch usb-dwc3-pci-properly-cleanup-resource.patch hid-i2c-hid-fix-size-check-and-type-usage.patch +powerpc-powernv-handle-unknown-opal-errors-in-opal_nvram_write.patch +powerpc-64-fix-smp_wmb-barrier-definition-use-use-lwsync-consistently.patch +powerpc-powernv-fix-opal-nvram-driver-opal_busy-loops.patch +hid-fix-hid_report_len-usage.patch +hid-core-fix-size-as-type-u32.patch +asoc-ssm2602-replace-reg_default_raw-with-reg_default.patch +thunderbolt-resume-control-channel-after-hibernation-image-is-created.patch +random-use-a-tighter-cap-in-credit_entropy_bits_safe.patch +jbd2-if-the-journal-is-aborted-then-don-t-allow-update-of-the-log-tail.patch +ext4-don-t-update-checksum-of-new-initialized-bitmaps.patch +ext4-add-validity-checks-for-bitmap-block-numbers.patch +ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch diff --git a/queue-4.4/thunderbolt-resume-control-channel-after-hibernation-image-is-created.patch b/queue-4.4/thunderbolt-resume-control-channel-after-hibernation-image-is-created.patch new file mode 100644 index 00000000000..b7e44534d90 --- /dev/null +++ b/queue-4.4/thunderbolt-resume-control-channel-after-hibernation-image-is-created.patch @@ -0,0 +1,38 @@ +From f2a659f7d8d5da803836583aa16df06bdf324252 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Tue, 19 Dec 2017 12:44:56 +0300 +Subject: thunderbolt: Resume control channel after hibernation image is created + +From: Mika Westerberg + +commit f2a659f7d8d5da803836583aa16df06bdf324252 upstream. + +The driver misses implementation of PM hook that undoes what +->freeze_noirq() does after the hibernation image is created. This means +the control channel is not resumed properly and the Thunderbolt bus +becomes useless in later stages of hibernation (when the image is stored +or if the operation fails). + +Fix this by pointing ->thaw_noirq to driver nhi_resume_noirq(). This +makes sure the control channel is resumed properly. + +Fixes: 23dd5bb49d98 ("thunderbolt: Add suspend/hibernate support") +Signed-off-by: Mika Westerberg +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/thunderbolt/nhi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/thunderbolt/nhi.c ++++ b/drivers/thunderbolt/nhi.c +@@ -627,6 +627,7 @@ static const struct dev_pm_ops nhi_pm_op + * we just disable hotplug, the + * pci-tunnels stay alive. + */ ++ .thaw_noirq = nhi_resume_noirq, + .restore_noirq = nhi_resume_noirq, + }; + -- 2.47.3