From cae00f53fe9a08a3e3d05adcbd98a3ecaaf9f5a5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 10 Nov 2018 18:08:32 -0800 Subject: [PATCH] 4.9-stable patches added patches: dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch lockd-fix-access-beyond-unterminated-strings-in-prints.patch media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch net-bcmgenet-fix-of-child-node-lookup.patch nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch nfsd-fix-an-oops-in-free_session.patch nfsv4.1-fix-the-r-wsize-checking.patch powerpc-msi-fix-compile-error-on-mpc83xx.patch tc-set-dma-masks-for-devices.patch --- ...-copy_from_user-from-malicious-users.patch | 70 ++++++++++++ ...eyond-unterminated-strings-in-prints.patch | 32 ++++++ ...nel-oops-when-enabling-hflip-and-osd.patch | 38 +++++++ ...out-of-bounds-array-access-on-cn68xx.patch | 39 +++++++ ...et-bcmgenet-fix-of-child-node-lookup.patch | 41 +++++++ ...fcmrvl_uart-fix-of-child-node-lookup.patch | 46 ++++++++ .../nfsd-fix-an-oops-in-free_session.patch | 33 ++++++ .../nfsv4.1-fix-the-r-wsize-checking.patch | 76 +++++++++++++ ...rpc-msi-fix-compile-error-on-mpc83xx.patch | 45 ++++++++ queue-4.9/series | 10 ++ queue-4.9/tc-set-dma-masks-for-devices.patch | 107 ++++++++++++++++++ 11 files changed, 537 insertions(+) create mode 100644 queue-4.9/dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch create mode 100644 queue-4.9/lockd-fix-access-beyond-unterminated-strings-in-prints.patch create mode 100644 queue-4.9/media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch create mode 100644 queue-4.9/mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch create mode 100644 queue-4.9/net-bcmgenet-fix-of-child-node-lookup.patch create mode 100644 queue-4.9/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch create mode 100644 queue-4.9/nfsd-fix-an-oops-in-free_session.patch create mode 100644 queue-4.9/nfsv4.1-fix-the-r-wsize-checking.patch create mode 100644 queue-4.9/powerpc-msi-fix-compile-error-on-mpc83xx.patch create mode 100644 queue-4.9/tc-set-dma-masks-for-devices.patch diff --git a/queue-4.9/dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch b/queue-4.9/dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch new file mode 100644 index 00000000000..fee0828d3fb --- /dev/null +++ b/queue-4.9/dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch @@ -0,0 +1,70 @@ +From 800a7340ab7dd667edf95e74d8e4f23a17e87076 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 3 Oct 2018 11:43:59 -0500 +Subject: dm ioctl: harden copy_params()'s copy_from_user() from malicious users + +From: Wenwen Wang + +commit 800a7340ab7dd667edf95e74d8e4f23a17e87076 upstream. + +In copy_params(), the struct 'dm_ioctl' is first copied from the user +space buffer 'user' to 'param_kernel' and the field 'data_size' is +checked against 'minimum_data_size' (size of 'struct dm_ioctl' payload +up to its 'data' member). If the check fails, an error code EINVAL will be +returned. Otherwise, param_kernel->data_size is used to do a second copy, +which copies from the same user-space buffer to 'dmi'. After the second +copy, only 'dmi->data_size' is checked against 'param_kernel->data_size'. +Given that the buffer 'user' resides in the user space, a malicious +user-space process can race to change the content in the buffer between +the two copies. This way, the attacker can inject inconsistent data +into 'dmi' (versus previously validated 'param_kernel'). + +Fix redundant copying of 'minimum_data_size' from user-space buffer by +using the first copy stored in 'param_kernel'. Also remove the +'data_size' check after the second copy because it is now unnecessary. + +Cc: stable@vger.kernel.org +Signed-off-by: Wenwen Wang +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-ioctl.c | 18 ++++++------------ + 1 file changed, 6 insertions(+), 12 deletions(-) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -1692,8 +1692,7 @@ static void free_params(struct dm_ioctl + } + + static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kernel, +- int ioctl_flags, +- struct dm_ioctl **param, int *param_flags) ++ int ioctl_flags, struct dm_ioctl **param, int *param_flags) + { + struct dm_ioctl *dmi; + int secure_data; +@@ -1738,18 +1737,13 @@ static int copy_params(struct dm_ioctl _ + + *param_flags |= DM_PARAMS_MALLOC; + +- if (copy_from_user(dmi, user, param_kernel->data_size)) +- goto bad; ++ /* Copy from param_kernel (which was already copied from user) */ ++ memcpy(dmi, param_kernel, minimum_data_size); + +-data_copied: +- /* +- * Abort if something changed the ioctl data while it was being copied. +- */ +- if (dmi->data_size != param_kernel->data_size) { +- DMERR("rejecting ioctl: data size modified while processing parameters"); ++ if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size, ++ param_kernel->data_size - minimum_data_size)) + goto bad; +- } +- ++data_copied: + /* Wipe the user buffer so we do not return it to userspace */ + if (secure_data && clear_user(user, param_kernel->data_size)) + goto bad; diff --git a/queue-4.9/lockd-fix-access-beyond-unterminated-strings-in-prints.patch b/queue-4.9/lockd-fix-access-beyond-unterminated-strings-in-prints.patch new file mode 100644 index 00000000000..818165e6254 --- /dev/null +++ b/queue-4.9/lockd-fix-access-beyond-unterminated-strings-in-prints.patch @@ -0,0 +1,32 @@ +From 93f38b6fae0ea8987e22d9e6c38f8dfdccd867ee Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Fri, 28 Sep 2018 20:41:48 +0300 +Subject: lockd: fix access beyond unterminated strings in prints + +From: Amir Goldstein + +commit 93f38b6fae0ea8987e22d9e6c38f8dfdccd867ee upstream. + +printk format used %*s instead of %.*s, so hostname_len does not limit +the number of bytes accessed from hostname. + +Signed-off-by: Amir Goldstein +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/lockd/host.c ++++ b/fs/lockd/host.c +@@ -340,7 +340,7 @@ struct nlm_host *nlmsvc_lookup_host(cons + }; + struct lockd_net *ln = net_generic(net, lockd_net_id); + +- dprintk("lockd: %s(host='%*s', vers=%u, proto=%s)\n", __func__, ++ dprintk("lockd: %s(host='%.*s', vers=%u, proto=%s)\n", __func__, + (int)hostname_len, hostname, rqstp->rq_vers, + (rqstp->rq_prot == IPPROTO_UDP ? "udp" : "tcp")); + diff --git a/queue-4.9/media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch b/queue-4.9/media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch new file mode 100644 index 00000000000..affc28e6e9d --- /dev/null +++ b/queue-4.9/media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch @@ -0,0 +1,38 @@ +From 250854eed5d45a73d81e4137dfd85180af6f2ec3 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Mon, 8 Oct 2018 15:08:27 -0400 +Subject: media: v4l2-tpg: fix kernel oops when enabling HFLIP and OSD + +From: Hans Verkuil + +commit 250854eed5d45a73d81e4137dfd85180af6f2ec3 upstream. + +When the OSD is on (i.e. vivid displays text on top of the test pattern), and +you enable hflip, then the driver crashes. + +The cause turned out to be a division of a negative number by an unsigned value. +You expect that -8 / 2U would be -4, but in reality it is 2147483644 :-( + +Fixes: 3e14e7a82c1ef ("vivid-tpg: add hor/vert downsampling support to tpg_gen_text") + +Signed-off-by: Hans Verkuil +Reported-by: Mauro Carvalho Chehab +Cc: # for v4.1 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c ++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c +@@ -1650,7 +1650,7 @@ typedef struct { u16 __; u8 _; } __packe + pos[7] = (chr & (0x01 << 0) ? fg : bg); \ + } \ + \ +- pos += (tpg->hflip ? -8 : 8) / hdiv; \ ++ pos += (tpg->hflip ? -8 : 8) / (int)hdiv; \ + } \ + } \ + } while (0) diff --git a/queue-4.9/mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch b/queue-4.9/mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch new file mode 100644 index 00000000000..ce8a0895d94 --- /dev/null +++ b/queue-4.9/mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch @@ -0,0 +1,39 @@ +From c0fae7e2452b90c31edd2d25eb3baf0c76b400ca Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sat, 27 Oct 2018 01:46:34 +0300 +Subject: MIPS: OCTEON: fix out of bounds array access on CN68XX + +From: Aaro Koskinen + +commit c0fae7e2452b90c31edd2d25eb3baf0c76b400ca upstream. + +The maximum number of interfaces is returned by +cvmx_helper_get_number_of_interfaces(), and the value is used to access +interface_port_count[]. When CN68XX support was added, we forgot +to increase the array size. Fix that. + +Fixes: 2c8c3f0201333 ("MIPS: Octeon: Support additional interfaces on CN68XX") +Signed-off-by: Aaro Koskinen +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20949/ +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # v4.3+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/cavium-octeon/executive/cvmx-helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c ++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c +@@ -67,7 +67,7 @@ void (*cvmx_override_pko_queue_priority) + void (*cvmx_override_ipd_port_setup) (int ipd_port); + + /* Port count per interface */ +-static int interface_port_count[5]; ++static int interface_port_count[9]; + + /* Port last configured link info index by IPD/PKO port */ + static cvmx_helper_link_info_t diff --git a/queue-4.9/net-bcmgenet-fix-of-child-node-lookup.patch b/queue-4.9/net-bcmgenet-fix-of-child-node-lookup.patch new file mode 100644 index 00000000000..a7073513cb8 --- /dev/null +++ b/queue-4.9/net-bcmgenet-fix-of-child-node-lookup.patch @@ -0,0 +1,41 @@ +From d397dbe606120a1ea1b11b0020c3f7a3852da5ac Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 27 Aug 2018 10:21:50 +0200 +Subject: net: bcmgenet: fix OF child-node lookup + +From: Johan Hovold + +commit d397dbe606120a1ea1b11b0020c3f7a3852da5ac upstream. + +Use the new of_get_compatible_child() helper to lookup the mdio child +node instead of using of_find_compatible_node(), which searches the +entire tree from a given start node and thus can return an unrelated +(i.e. non-child) node. + +This also addresses a potential use-after-free (e.g. after probe +deferral) as the tree-wide helper drops a reference to its first +argument (i.e. the node of the device being probed). + +Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines") +Cc: stable # 3.15 +Cc: David S. Miller +Reviewed-by: Florian Fainelli +Signed-off-by: Johan Hovold +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -483,7 +483,7 @@ static int bcmgenet_mii_of_init(struct b + if (!compat) + return -ENOMEM; + +- priv->mdio_dn = of_find_compatible_node(dn, NULL, compat); ++ priv->mdio_dn = of_get_compatible_child(dn, compat); + kfree(compat); + if (!priv->mdio_dn) { + dev_err(kdev, "unable to find MDIO bus node\n"); diff --git a/queue-4.9/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch b/queue-4.9/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch new file mode 100644 index 00000000000..63b412735cd --- /dev/null +++ b/queue-4.9/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch @@ -0,0 +1,46 @@ +From 5bf59773aaf36dd62117dc83d50e1bbf9ef432da Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 27 Aug 2018 10:21:52 +0200 +Subject: NFC: nfcmrvl_uart: fix OF child-node lookup + +From: Johan Hovold + +commit 5bf59773aaf36dd62117dc83d50e1bbf9ef432da upstream. + +Use the new of_get_compatible_child() helper to lookup the nfc child +node instead of using of_find_compatible_node(), which searches the +entire tree from a given start node and thus can return an unrelated +(i.e. non-child) node. + +This also addresses a potential use-after-free (e.g. after probe +deferral) as the tree-wide helper drops a reference to its first +argument (i.e. the parent node). + +Fixes: e097dc624f78 ("NFC: nfcmrvl: add UART driver") +Fixes: d8e018c0b321 ("NFC: nfcmrvl: update device tree bindings for Marvell NFC") +Cc: stable # 4.2 +Cc: Vincent Cuissard +Cc: Samuel Ortiz +Signed-off-by: Johan Hovold +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nfc/nfcmrvl/uart.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/nfc/nfcmrvl/uart.c ++++ b/drivers/nfc/nfcmrvl/uart.c +@@ -73,10 +73,9 @@ static int nfcmrvl_uart_parse_dt(struct + struct device_node *matched_node; + int ret; + +- matched_node = of_find_compatible_node(node, NULL, "marvell,nfc-uart"); ++ matched_node = of_get_compatible_child(node, "marvell,nfc-uart"); + if (!matched_node) { +- matched_node = of_find_compatible_node(node, NULL, +- "mrvl,nfc-uart"); ++ matched_node = of_get_compatible_child(node, "mrvl,nfc-uart"); + if (!matched_node) + return -ENODEV; + } diff --git a/queue-4.9/nfsd-fix-an-oops-in-free_session.patch b/queue-4.9/nfsd-fix-an-oops-in-free_session.patch new file mode 100644 index 00000000000..be7a9f3e455 --- /dev/null +++ b/queue-4.9/nfsd-fix-an-oops-in-free_session.patch @@ -0,0 +1,33 @@ +From bb6ad5572c0022e17e846b382d7413cdcf8055be Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 9 Oct 2018 15:54:15 -0400 +Subject: nfsd: Fix an Oops in free_session() + +From: Trond Myklebust + +commit bb6ad5572c0022e17e846b382d7413cdcf8055be upstream. + +In call_xpt_users(), we delete the entry from the list, but we +do not reinitialise it. This triggers the list poisoning when +we later call unregister_xpt_user() in nfsd4_del_conns(). + +Signed-off-by: Trond Myklebust +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/svc_xprt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -1038,7 +1038,7 @@ static void call_xpt_users(struct svc_xp + spin_lock(&xprt->xpt_lock); + while (!list_empty(&xprt->xpt_users)) { + u = list_first_entry(&xprt->xpt_users, struct svc_xpt_user, list); +- list_del(&u->list); ++ list_del_init(&u->list); + u->callback(u); + } + spin_unlock(&xprt->xpt_lock); diff --git a/queue-4.9/nfsv4.1-fix-the-r-wsize-checking.patch b/queue-4.9/nfsv4.1-fix-the-r-wsize-checking.patch new file mode 100644 index 00000000000..0c2c158d974 --- /dev/null +++ b/queue-4.9/nfsv4.1-fix-the-r-wsize-checking.patch @@ -0,0 +1,76 @@ +From 943cff67b842839f4f35364ba2db5c2d3f025d94 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 18 Sep 2018 10:07:44 -0400 +Subject: NFSv4.1: Fix the r/wsize checking + +From: Trond Myklebust + +commit 943cff67b842839f4f35364ba2db5c2d3f025d94 upstream. + +The intention of nfs4_session_set_rwsize() was to cap the r/wsize to the +buffer sizes negotiated by the CREATE_SESSION. The initial code had a +bug whereby we would not check the values negotiated by nfs_probe_fsinfo() +(the assumption being that CREATE_SESSION will always negotiate buffer values +that are sane w.r.t. the server's preferred r/wsizes) but would only check +values set by the user in the 'mount' command. + +The code was changed in 4.11 to _always_ set the r/wsize, meaning that we +now never use the server preferred r/wsizes. This is the regression that +this patch fixes. +Also rename the function to nfs4_session_limit_rwsize() in order to avoid +future confusion. + +Fixes: 033853325fe3 (NFSv4.1 respect server's max size in CREATE_SESSION") +Cc: stable@vger.kernel.org # v4.11+ +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4client.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -988,10 +988,10 @@ EXPORT_SYMBOL_GPL(nfs4_set_ds_client); + + /* + * Session has been established, and the client marked ready. +- * Set the mount rsize and wsize with negotiated fore channel +- * attributes which will be bound checked in nfs_server_set_fsinfo. ++ * Limit the mount rsize, wsize and dtsize using negotiated fore ++ * channel attributes. + */ +-static void nfs4_session_set_rwsize(struct nfs_server *server) ++static void nfs4_session_limit_rwsize(struct nfs_server *server) + { + #ifdef CONFIG_NFS_V4_1 + struct nfs4_session *sess; +@@ -1004,9 +1004,11 @@ static void nfs4_session_set_rwsize(stru + server_resp_sz = sess->fc_attrs.max_resp_sz - nfs41_maxread_overhead; + server_rqst_sz = sess->fc_attrs.max_rqst_sz - nfs41_maxwrite_overhead; + +- if (!server->rsize || server->rsize > server_resp_sz) ++ if (server->dtsize > server_resp_sz) ++ server->dtsize = server_resp_sz; ++ if (server->rsize > server_resp_sz) + server->rsize = server_resp_sz; +- if (!server->wsize || server->wsize > server_rqst_sz) ++ if (server->wsize > server_rqst_sz) + server->wsize = server_rqst_sz; + #endif /* CONFIG_NFS_V4_1 */ + } +@@ -1053,12 +1055,12 @@ static int nfs4_server_common_setup(stru + (unsigned long long) server->fsid.minor); + nfs_display_fhandle(mntfh, "Pseudo-fs root FH"); + +- nfs4_session_set_rwsize(server); +- + error = nfs_probe_fsinfo(server, mntfh, fattr); + if (error < 0) + goto out; + ++ nfs4_session_limit_rwsize(server); ++ + if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN) + server->namelen = NFS4_MAXNAMLEN; + diff --git a/queue-4.9/powerpc-msi-fix-compile-error-on-mpc83xx.patch b/queue-4.9/powerpc-msi-fix-compile-error-on-mpc83xx.patch new file mode 100644 index 00000000000..87c9f5c4d76 --- /dev/null +++ b/queue-4.9/powerpc-msi-fix-compile-error-on-mpc83xx.patch @@ -0,0 +1,45 @@ +From 0f99153def98134403c9149128e59d3e1786cf04 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Fri, 19 Oct 2018 06:12:50 +0000 +Subject: powerpc/msi: Fix compile error on mpc83xx + +From: Christophe Leroy + +commit 0f99153def98134403c9149128e59d3e1786cf04 upstream. + +mpic_get_primary_version() is not defined when not using MPIC. +The compile error log like: + +arch/powerpc/sysdev/built-in.o: In function `fsl_of_msi_probe': +fsl_msi.c:(.text+0x150c): undefined reference to `fsl_mpic_primary_get_version' + +Signed-off-by: Jia Hongtao +Signed-off-by: Scott Wood +Reported-by: Radu Rendec +Fixes: 807d38b73b6 ("powerpc/mpic: Add get_version API both for internal and external use") +Cc: stable@vger.kernel.org +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/mpic.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/powerpc/include/asm/mpic.h ++++ b/arch/powerpc/include/asm/mpic.h +@@ -392,7 +392,14 @@ extern struct bus_type mpic_subsys; + #define MPIC_REGSET_TSI108 MPIC_REGSET(1) /* Tsi108/109 PIC */ + + /* Get the version of primary MPIC */ ++#ifdef CONFIG_MPIC + extern u32 fsl_mpic_primary_get_version(void); ++#else ++static inline u32 fsl_mpic_primary_get_version(void) ++{ ++ return 0; ++} ++#endif + + /* Allocate the controller structure and setup the linux irq descs + * for the range if interrupts passed in. No HW initialization is diff --git a/queue-4.9/series b/queue-4.9/series index a45427add1d..5419bef110e 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -111,3 +111,13 @@ smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch genirq-fix-race-on-spurious-interrupt-detection.patch +nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch +nfsv4.1-fix-the-r-wsize-checking.patch +nfsd-fix-an-oops-in-free_session.patch +lockd-fix-access-beyond-unterminated-strings-in-prints.patch +dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch +powerpc-msi-fix-compile-error-on-mpc83xx.patch +mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch +tc-set-dma-masks-for-devices.patch +net-bcmgenet-fix-of-child-node-lookup.patch +media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch diff --git a/queue-4.9/tc-set-dma-masks-for-devices.patch b/queue-4.9/tc-set-dma-masks-for-devices.patch new file mode 100644 index 00000000000..a327dfd07ed --- /dev/null +++ b/queue-4.9/tc-set-dma-masks-for-devices.patch @@ -0,0 +1,107 @@ +From 3f2aa244ee1a0d17ed5b6c86564d2c1b24d1c96b Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Wed, 3 Oct 2018 13:21:07 +0100 +Subject: TC: Set DMA masks for devices + +From: Maciej W. Rozycki + +commit 3f2aa244ee1a0d17ed5b6c86564d2c1b24d1c96b upstream. + +Fix a TURBOchannel support regression with commit 205e1b7f51e4 +("dma-mapping: warn when there is no coherent_dma_mask") that caused +coherent DMA allocations to produce a warning such as: + +defxx: v1.11 2014/07/01 Lawrence V. Stefani and others +tc1: DEFTA at MMIO addr = 0x1e900000, IRQ = 20, Hardware addr = 08-00-2b-a3-a3-29 +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 dfx_dev_register+0x670/0x678 +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 4.19.0-rc6 #2 +Stack : ffffffff8009ffc0 fffffffffffffec0 0000000000000000 ffffffff80647650 + 0000000000000000 0000000000000000 ffffffff806f5f80 ffffffffffffffff + 0000000000000000 0000000000000000 0000000000000001 ffffffff8065d4e8 + 98000000031b6300 ffffffff80563478 ffffffff805685b0 ffffffffffffffff + 0000000000000000 ffffffff805d6720 0000000000000204 ffffffff80388df8 + 0000000000000000 0000000000000009 ffffffff8053efd0 ffffffff806657d0 + 0000000000000000 ffffffff803177f8 0000000000000000 ffffffff806d0000 + 9800000003078000 980000000307b9e0 000000001e900000 ffffffff80067940 + 0000000000000000 ffffffff805d6720 0000000000000204 ffffffff80388df8 + ffffffff805176c0 ffffffff8004dc78 0000000000000000 ffffffff80067940 + ... +Call Trace: +[] show_stack+0xa0/0x130 +[] __warn+0x128/0x170 +---[ end trace b1d1e094f67f3bb2 ]--- + +This is because the TURBOchannel bus driver fails to set the coherent +DMA mask for devices enumerated. + +Set the regular and coherent DMA masks for TURBOchannel devices then, +observing that the bus protocol supports a 34-bit (16GiB) DMA address +space, by interpreting the value presented in the address cycle across +the 32 `ad' lines as a 32-bit word rather than byte address[1]. The +architectural size of the TURBOchannel DMA address space exceeds the +maximum amount of RAM any actual TURBOchannel system in existence may +have, hence both masks are the same. + +This removes the warning shown above. + +References: + +[1] "TURBOchannel Hardware Specification", EK-369AA-OD-007B, Digital + Equipment Corporation, January 1993, Section "DMA", pp. 1-15 -- 1-17 + +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20835/ +Fixes: 205e1b7f51e4 ("dma-mapping: warn when there is no coherent_dma_mask") +Cc: stable@vger.kernel.org # 4.16+ +Cc: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tc/tc.c | 8 +++++++- + include/linux/tc.h | 1 + + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/tc/tc.c ++++ b/drivers/tc/tc.c +@@ -2,7 +2,7 @@ + * TURBOchannel bus services. + * + * Copyright (c) Harald Koerfgen, 1998 +- * Copyright (c) 2001, 2003, 2005, 2006 Maciej W. Rozycki ++ * Copyright (c) 2001, 2003, 2005, 2006, 2018 Maciej W. Rozycki + * Copyright (c) 2005 James Simmons + * + * This file is subject to the terms and conditions of the GNU +@@ -10,6 +10,7 @@ + * directory of this archive for more details. + */ + #include ++#include + #include + #include + #include +@@ -92,6 +93,11 @@ static void __init tc_bus_add_devices(st + tdev->dev.bus = &tc_bus_type; + tdev->slot = slot; + ++ /* TURBOchannel has 34-bit DMA addressing (16GiB space). */ ++ tdev->dma_mask = DMA_BIT_MASK(34); ++ tdev->dev.dma_mask = &tdev->dma_mask; ++ tdev->dev.coherent_dma_mask = DMA_BIT_MASK(34); ++ + for (i = 0; i < 8; i++) { + tdev->firmware[i] = + readb(module + offset + TC_FIRM_VER + 4 * i); +--- a/include/linux/tc.h ++++ b/include/linux/tc.h +@@ -84,6 +84,7 @@ struct tc_dev { + device. */ + struct device dev; /* Generic device interface. */ + struct resource resource; /* Address space of this device. */ ++ u64 dma_mask; /* DMA addressable range. */ + char vendor[9]; + char name[9]; + char firmware[9]; -- 2.39.5