From f19546a917b12412112eff7daac25bb75e98b42d Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 26 Sep 2018 13:32:10 +0200 Subject: [PATCH] 4.18-stable patches added patches: alsa-bebob-fix-memory-leak-for-m-audio-fw1814-and-projectmix-i-o-at-error-path.patch alsa-bebob-use-address-returned-by-kmalloc-instead-of-kernel-stack-for-streaming-dma-mapping.patch alsa-emu10k1-fix-possible-info-leak-to-userspace-on-sndrv_emu10k1_ioctl_info.patch alsa-fireface-fix-memory-leak-in-ff400_switch_fetching_mode.patch alsa-firewire-digi00x-fix-memory-leak-of-private-data.patch alsa-firewire-tascam-fix-memory-leak-of-private-data.patch alsa-fireworks-fix-memory-leak-of-response-buffer-at-error-path.patch alsa-oxfw-fix-memory-leak-for-model-dependent-data-at-error-path.patch alsa-oxfw-fix-memory-leak-of-discovered-stream-formats-at-error-path.patch alsa-oxfw-fix-memory-leak-of-private-data.patch asoc-cs4265-fix-mmtlr-data-switch-control.patch asoc-rsnd-fixup-not-to-call-clk_get-set-under-non-atomic.patch asoc-tas6424-save-last-fault-register-even-when-clear.patch asoc-uapi-fix-sound-skl-tplg-interface.h-userspace-compilation-errors.patch asoc-wm9712-fix-replace-codec-to-component.patch crypto-x86-aegis-morus-do-not-require-osxsave-for-sse2.patch fork-report-pid-exhaustion-correctly.patch mm-disable-deferred-struct-page-for-32-bit-arches.patch mm-shmem.c-correctly-annotate-new-inodes-for-lockdep.patch mtd-devices-m25p80-make-sure-the-buffer-passed-in-op-is-dma-able.patch mtd-rawnand-denali-fix-a-race-condition-when-dma-is-kicked.patch nfc-fix-possible-memory-corruption-when-handling-shdlc-i-frame-commands.patch nfc-fix-the-number-of-pipes.patch platform-x86-alienware-wmi-correct-a-memory-leak.patch platform-x86-dell-smbios-wmi-correct-a-memory-leak.patch revert-pci-add-acs-quirk-for-intel-300-series.patch ring-buffer-allow-for-rescheduling-when-removing-pages.patch spi-fix-idr-collision-on-systems-with-both-fixed-and-dynamic-spi-bus-numbers.patch xen-netfront-don-t-bug-in-case-of-too-many-frags.patch 
xen-x86-vpmu-zero-struct-pt_regs-before-calling-into-sample-handling-code.patch --- ...814-and-projectmix-i-o-at-error-path.patch | 49 ++++ ...rnel-stack-for-streaming-dma-mapping.patch | 86 ++++++ ...serspace-on-sndrv_emu10k1_ioctl_info.patch | 37 +++ ...y-leak-in-ff400_switch_fetching_mode.patch | 46 +++ ...i00x-fix-memory-leak-of-private-data.patch | 36 +++ ...scam-fix-memory-leak-of-private-data.patch | 36 +++ ...eak-of-response-buffer-at-error-path.patch | 35 +++ ...r-model-dependent-data-at-error-path.patch | 35 +++ ...covered-stream-formats-at-error-path.patch | 47 ++++ ...oxfw-fix-memory-leak-of-private-data.patch | 36 +++ ...cs4265-fix-mmtlr-data-switch-control.patch | 38 +++ ...to-call-clk_get-set-under-non-atomic.patch | 198 +++++++++++++ ...-last-fault-register-even-when-clear.patch | 63 +++++ ...rface.h-userspace-compilation-errors.patch | 265 ++++++++++++++++++ ...m9712-fix-replace-codec-to-component.patch | 56 ++++ ...orus-do-not-require-osxsave-for-sse2.patch | 78 ++++++ ...fork-report-pid-exhaustion-correctly.patch | 61 ++++ ...ferred-struct-page-for-32-bit-arches.patch | 80 ++++++ ...ctly-annotate-new-inodes-for-lockdep.patch | 128 +++++++++ ...-the-buffer-passed-in-op-is-dma-able.patch | 77 +++++ ...-a-race-condition-when-dma-is-kicked.patch | 44 +++ ...when-handling-shdlc-i-frame-commands.patch | 63 +++++ queue-4.18/nfc-fix-the-number-of-pipes.patch | 45 +++ ...-alienware-wmi-correct-a-memory-leak.patch | 30 ++ ...ell-smbios-wmi-correct-a-memory-leak.patch | 31 ++ ...i-add-acs-quirk-for-intel-300-series.patch | 50 ++++ ...for-rescheduling-when-removing-pages.patch | 44 +++ queue-4.18/series | 30 ++ ...th-fixed-and-dynamic-spi-bus-numbers.patch | 46 +++ ...-don-t-bug-in-case-of-too-many-frags.patch | 51 ++++ ...re-calling-into-sample-handling-code.patch | 33 +++ 31 files changed, 1954 insertions(+) create mode 100644 queue-4.18/alsa-bebob-fix-memory-leak-for-m-audio-fw1814-and-projectmix-i-o-at-error-path.patch create mode 100644 
queue-4.18/alsa-bebob-use-address-returned-by-kmalloc-instead-of-kernel-stack-for-streaming-dma-mapping.patch create mode 100644 queue-4.18/alsa-emu10k1-fix-possible-info-leak-to-userspace-on-sndrv_emu10k1_ioctl_info.patch create mode 100644 queue-4.18/alsa-fireface-fix-memory-leak-in-ff400_switch_fetching_mode.patch create mode 100644 queue-4.18/alsa-firewire-digi00x-fix-memory-leak-of-private-data.patch create mode 100644 queue-4.18/alsa-firewire-tascam-fix-memory-leak-of-private-data.patch create mode 100644 queue-4.18/alsa-fireworks-fix-memory-leak-of-response-buffer-at-error-path.patch create mode 100644 queue-4.18/alsa-oxfw-fix-memory-leak-for-model-dependent-data-at-error-path.patch create mode 100644 queue-4.18/alsa-oxfw-fix-memory-leak-of-discovered-stream-formats-at-error-path.patch create mode 100644 queue-4.18/alsa-oxfw-fix-memory-leak-of-private-data.patch create mode 100644 queue-4.18/asoc-cs4265-fix-mmtlr-data-switch-control.patch create mode 100644 queue-4.18/asoc-rsnd-fixup-not-to-call-clk_get-set-under-non-atomic.patch create mode 100644 queue-4.18/asoc-tas6424-save-last-fault-register-even-when-clear.patch create mode 100644 queue-4.18/asoc-uapi-fix-sound-skl-tplg-interface.h-userspace-compilation-errors.patch create mode 100644 queue-4.18/asoc-wm9712-fix-replace-codec-to-component.patch create mode 100644 queue-4.18/crypto-x86-aegis-morus-do-not-require-osxsave-for-sse2.patch create mode 100644 queue-4.18/fork-report-pid-exhaustion-correctly.patch create mode 100644 queue-4.18/mm-disable-deferred-struct-page-for-32-bit-arches.patch create mode 100644 queue-4.18/mm-shmem.c-correctly-annotate-new-inodes-for-lockdep.patch create mode 100644 queue-4.18/mtd-devices-m25p80-make-sure-the-buffer-passed-in-op-is-dma-able.patch create mode 100644 queue-4.18/mtd-rawnand-denali-fix-a-race-condition-when-dma-is-kicked.patch create mode 100644 queue-4.18/nfc-fix-possible-memory-corruption-when-handling-shdlc-i-frame-commands.patch create mode 100644 
queue-4.18/nfc-fix-the-number-of-pipes.patch create mode 100644 queue-4.18/platform-x86-alienware-wmi-correct-a-memory-leak.patch create mode 100644 queue-4.18/platform-x86-dell-smbios-wmi-correct-a-memory-leak.patch create mode 100644 queue-4.18/revert-pci-add-acs-quirk-for-intel-300-series.patch create mode 100644 queue-4.18/ring-buffer-allow-for-rescheduling-when-removing-pages.patch create mode 100644 queue-4.18/spi-fix-idr-collision-on-systems-with-both-fixed-and-dynamic-spi-bus-numbers.patch create mode 100644 queue-4.18/xen-netfront-don-t-bug-in-case-of-too-many-frags.patch create mode 100644 queue-4.18/xen-x86-vpmu-zero-struct-pt_regs-before-calling-into-sample-handling-code.patch diff --git a/queue-4.18/alsa-bebob-fix-memory-leak-for-m-audio-fw1814-and-projectmix-i-o-at-error-path.patch b/queue-4.18/alsa-bebob-fix-memory-leak-for-m-audio-fw1814-and-projectmix-i-o-at-error-path.patch new file mode 100644 index 00000000000..424e81b0f14 --- /dev/null +++ b/queue-4.18/alsa-bebob-fix-memory-leak-for-m-audio-fw1814-and-projectmix-i-o-at-error-path.patch 
@@ -0,0 +1,49 @@ +From b1fbebd4164b3d170ad916dcd692cf843c9c065d Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Mon, 17 Sep 2018 17:25:24 +0900 +Subject: ALSA: bebob: fix memory leak for M-Audio FW1814 and ProjectMix I/O at error path + +From: Takashi Sakamoto + +commit b1fbebd4164b3d170ad916dcd692cf843c9c065d upstream. + +After allocating model-dependent data for M-Audio FW1814 and ProjectMix +I/O, ALSA bebob driver has memory leak at error path. + +This commit releases the allocated data at the error path. + +Fixes: 04a2c73c97eb('ALSA: bebob: delayed registration of sound card') +Cc: # v4.7+ +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/bebob/bebob.c | 2 ++ + sound/firewire/bebob/bebob_maudio.c | 4 ---- + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/sound/firewire/bebob/bebob.c ++++ b/sound/firewire/bebob/bebob.c +@@ -263,6 +263,8 @@ do_registration(struct work_struct *work + error: + mutex_unlock(&devices_mutex); + snd_bebob_stream_destroy_duplex(bebob); ++ kfree(bebob->maudio_special_quirk); ++ bebob->maudio_special_quirk = NULL; + snd_card_free(bebob->card); + dev_info(&bebob->unit->device, + "Sound card registration failed: %d\n", err); +--- a/sound/firewire/bebob/bebob_maudio.c ++++ b/sound/firewire/bebob/bebob_maudio.c +@@ -290,10 +290,6 @@ snd_bebob_maudio_special_discover(struct + bebob->midi_output_ports = 2; + } + end: +- if (err < 0) { +- kfree(params); +- bebob->maudio_special_quirk = NULL; +- } + mutex_unlock(&bebob->mutex); + return err; + } diff --git a/queue-4.18/alsa-bebob-use-address-returned-by-kmalloc-instead-of-kernel-stack-for-streaming-dma-mapping.patch b/queue-4.18/alsa-bebob-use-address-returned-by-kmalloc-instead-of-kernel-stack-for-streaming-dma-mapping.patch new file mode 100644 index 00000000000..6725ca1bea1 --- /dev/null +++ b/queue-4.18/alsa-bebob-use-address-returned-by-kmalloc-instead-of-kernel-stack-for-streaming-dma-mapping.patch 
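Review bot: With the cleanup removed from `end:` in snd_bebob_maudio_special_discover(), a failing call now leaves the quirk allocation for its caller to release, and nothing at the label says so. A comment there such as `/* on error the quirk data stays attached to bebob; do_registration() frees it */` would document the new ownership. The hunk does not show whether params is always stored in bebob->maudio_special_quirk before the first failure point, or whether do_registration() is the only caller; both need to hold for the leak fix to be complete. Both function bodies start outside the hunks.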
@@ -0,0 +1,86 @@ +From 493626f2d87a74e6dbea1686499ed6e7e600484e Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sun, 9 Sep 2018 22:25:12 +0900 +Subject: ALSA: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping + +From: Takashi Sakamoto + +commit 493626f2d87a74e6dbea1686499ed6e7e600484e upstream. + +When executing 'fw_run_transaction()' with 'TCODE_WRITE_BLOCK_REQUEST', +an address of 'payload' argument is used for streaming DMA mapping by +'firewire_ohci' module if 'size' argument is larger than 8 byte. +Although in this case the address should not be on kernel stack, current +implementation of ALSA bebob driver uses data in kernel stack for a cue +to boot M-Audio devices. This often brings unexpected result, especially +for a case of CONFIG_VMAP_STACK=y. + +This commit fixes the bug. + +Reference: https://bugzilla.kernel.org/show_bug.cgi?id=201021 +Reference: https://forum.manjaro.org/t/firewire-m-audio-410-driver-wont-load-firmware/51165 +Fixes: a2b2a7798fb6('ALSA: bebob: Send a cue to load firmware for M-Audio Firewire series') +Cc: # v3.16+ +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/bebob/bebob_maudio.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +--- a/sound/firewire/bebob/bebob_maudio.c ++++ b/sound/firewire/bebob/bebob_maudio.c +@@ -96,17 +96,13 @@ int snd_bebob_maudio_load_firmware(struc + struct fw_device *device = fw_parent_device(unit); + int err, rcode; + u64 date; +- __le32 cues[3] = { +- cpu_to_le32(MAUDIO_BOOTLOADER_CUE1), +- cpu_to_le32(MAUDIO_BOOTLOADER_CUE2), +- cpu_to_le32(MAUDIO_BOOTLOADER_CUE3) +- }; ++ __le32 *cues; + + /* check date of software used to build */ + err = snd_bebob_read_block(unit, INFO_OFFSET_SW_DATE, + &date, sizeof(u64)); + if (err < 0) +- goto end; ++ return err; + /* + * firmware version 5058 or later has date later than "20070401", but + * 'date' is not 
null-terminated. +@@ -114,20 +110,28 @@ int snd_bebob_maudio_load_firmware(struc + if (date < 0x3230303730343031LL) { + dev_err(&unit->device, + "Use firmware version 5058 or later\n"); +- err = -ENOSYS; +- goto end; ++ return -ENXIO; + } + ++ cues = kmalloc_array(3, sizeof(*cues), GFP_KERNEL); ++ if (!cues) ++ return -ENOMEM; ++ ++ cues[0] = cpu_to_le32(MAUDIO_BOOTLOADER_CUE1); ++ cues[1] = cpu_to_le32(MAUDIO_BOOTLOADER_CUE2); ++ cues[2] = cpu_to_le32(MAUDIO_BOOTLOADER_CUE3); ++ + rcode = fw_run_transaction(device->card, TCODE_WRITE_BLOCK_REQUEST, + device->node_id, device->generation, + device->max_speed, BEBOB_ADDR_REG_REQ, +- cues, sizeof(cues)); ++ cues, 3 * sizeof(*cues)); ++ kfree(cues); + if (rcode != RCODE_COMPLETE) { + dev_err(&unit->device, + "Failed to send a cue to load firmware\n"); + err = -EIO; + } +-end: ++ + return err; + } + diff --git a/queue-4.18/alsa-emu10k1-fix-possible-info-leak-to-userspace-on-sndrv_emu10k1_ioctl_info.patch b/queue-4.18/alsa-emu10k1-fix-possible-info-leak-to-userspace-on-sndrv_emu10k1_ioctl_info.patch new file mode 100644 index 00000000000..98160867ca3 --- /dev/null +++ b/queue-4.18/alsa-emu10k1-fix-possible-info-leak-to-userspace-on-sndrv_emu10k1_ioctl_info.patch 
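Review bot: The old-firmware path now returns `-ENXIO` where it previously set `err = -ENOSYS`, a caller-visible change that the commit message does not mention; either note it in the changelog or keep the old code. The element count is also written twice, in `kmalloc_array(3, sizeof(*cues), GFP_KERNEL)` and in `3 * sizeof(*cues)`. A single named constant would keep the allocation size and the transfer length from drifting apart, which matters here because that length is what gets handed to the streaming DMA mapping.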
@@ -0,0 +1,37 @@ +From 49434c6c575d2008c0abbc93e615019f39e01252 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Sat, 8 Sep 2018 08:12:21 +0200 +Subject: ALSA: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO + +From: Willy Tarreau + +commit 49434c6c575d2008c0abbc93e615019f39e01252 upstream. + +snd_emu10k1_fx8010_ioctl(SNDRV_EMU10K1_IOCTL_INFO) allocates +memory using kmalloc() and partially fills it by calling +snd_emu10k1_fx8010_info() before returning the resulting +structure to userspace, leaving uninitialized holes. Let's +just use kzalloc() here. + +BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html +Signed-off-by: Willy Tarreau +Cc: Jann Horn +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/emu10k1/emufx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/emu10k1/emufx.c ++++ b/sound/pci/emu10k1/emufx.c +@@ -2540,7 +2540,7 @@ static int snd_emu10k1_fx8010_ioctl(stru + emu->support_tlv = 1; + return put_user(SNDRV_EMU10K1_VERSION, (int __user *)argp); + case SNDRV_EMU10K1_IOCTL_INFO: +- info = kmalloc(sizeof(*info), GFP_KERNEL); ++ info = kzalloc(sizeof(*info), GFP_KERNEL); + if (!info) + return -ENOMEM; + snd_emu10k1_fx8010_info(emu, info); diff --git a/queue-4.18/alsa-fireface-fix-memory-leak-in-ff400_switch_fetching_mode.patch b/queue-4.18/alsa-fireface-fix-memory-leak-in-ff400_switch_fetching_mode.patch new file mode 100644 index 00000000000..a1739739020 --- /dev/null +++ b/queue-4.18/alsa-fireface-fix-memory-leak-in-ff400_switch_fetching_mode.patch 
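Review bot: The switch to kzalloc() in the SNDRV_EMU10K1_IOCTL_INFO case carries no comment, so a later cleanup could turn it back into kmalloc() and reopen the leak. A line above the allocation such as `/* zeroed: the whole struct is returned to userspace and snd_emu10k1_fx8010_info() fills it only partially */` would record why the zeroing is required. The copy to userspace and the matching kfree() lie outside the hunk.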
@@ -0,0 +1,46 @@ +From 36f3a6e02c143a7e9e4e143e416371f67bc1fae6 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sun, 9 Sep 2018 22:25:52 +0900 +Subject: ALSA: fireface: fix memory leak in ff400_switch_fetching_mode() + +From: Takashi Sakamoto + +commit 36f3a6e02c143a7e9e4e143e416371f67bc1fae6 upstream. + +An allocated memory forgets to be released. + +Fixes: 76fdb3a9e13 ('ALSA: fireface: add support for Fireface 400') +Cc: # 4.12+ +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/fireface/ff-protocol-ff400.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/firewire/fireface/ff-protocol-ff400.c ++++ b/sound/firewire/fireface/ff-protocol-ff400.c +@@ -146,6 +146,7 @@ static int ff400_switch_fetching_mode(st + { + __le32 *reg; + int i; ++ int err; + + reg = kcalloc(18, sizeof(__le32), GFP_KERNEL); + if (reg == NULL) +@@ -163,9 +164,11 @@ static int ff400_switch_fetching_mode(st + reg[i] = cpu_to_le32(0x00000001); + } + +- return snd_fw_transaction(ff->unit, TCODE_WRITE_BLOCK_REQUEST, +- FF400_FETCH_PCM_FRAMES, reg, +- sizeof(__le32) * 18, 0); ++ err = snd_fw_transaction(ff->unit, TCODE_WRITE_BLOCK_REQUEST, ++ FF400_FETCH_PCM_FRAMES, reg, ++ sizeof(__le32) * 18, 0); ++ kfree(reg); ++ return err; + } + + static void ff400_dump_sync_status(struct snd_ff *ff, diff --git a/queue-4.18/alsa-firewire-digi00x-fix-memory-leak-of-private-data.patch b/queue-4.18/alsa-firewire-digi00x-fix-memory-leak-of-private-data.patch new file mode 100644 index 00000000000..ae6ef108fa2 --- /dev/null +++ b/queue-4.18/alsa-firewire-digi00x-fix-memory-leak-of-private-data.patch 
@@ -0,0 +1,36 @@ +From a49a83ab05e34edd6c71a4fbd062c9a7ba6d18aa Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Thu, 13 Sep 2018 21:30:34 +0900 +Subject: ALSA: firewire-digi00x: fix memory leak of private data + +From: Takashi Sakamoto + +commit a49a83ab05e34edd6c71a4fbd062c9a7ba6d18aa upstream. + +Although private data of sound card instance is usually allocated in the +tail of the instance, drivers in ALSA firewire stack allocate the private +data before allocating the instance. In this case, the private data +should be released explicitly at .private_free callback of the instance. + +This commit fixes memory leak following to the above design. + +Fixes: 86c8dd7f4da3 ('ALSA: firewire-digi00x: delayed registration of sound card') +Cc: # v4.7+ +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/digi00x/digi00x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/firewire/digi00x/digi00x.c ++++ b/sound/firewire/digi00x/digi00x.c +@@ -49,6 +49,7 @@ static void dg00x_free(struct snd_dg00x + fw_unit_put(dg00x->unit); + + mutex_destroy(&dg00x->mutex); ++ kfree(dg00x); + } + + static void dg00x_card_free(struct snd_card *card) diff --git a/queue-4.18/alsa-firewire-tascam-fix-memory-leak-of-private-data.patch b/queue-4.18/alsa-firewire-tascam-fix-memory-leak-of-private-data.patch new file mode 100644 index 00000000000..0a12c40521f --- /dev/null +++ b/queue-4.18/alsa-firewire-tascam-fix-memory-leak-of-private-data.patch 
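Review bot: dg00x_free() now releases dg00x itself, but nothing at the function states that ownership ends there. A comment such as `/* frees dg00x; the caller must not touch it afterwards */` would make the changed contract visible. The callers are outside the hunk, so it cannot be confirmed here that none of them uses the pointer after the call. The same applies to `kfree(tscm)` in tscm_free() and `kfree(oxfw)` in oxfw_free() in the two sibling private-data patches.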
@@ -0,0 +1,36 @@ +From 8d28277c065a974873c6781d44b7bcdcd8fb4e8a Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Thu, 13 Sep 2018 21:31:05 +0900 +Subject: ALSA: firewire-tascam: fix memory leak of private data + +From: Takashi Sakamoto + +commit 8d28277c065a974873c6781d44b7bcdcd8fb4e8a upstream. + +Although private data of sound card instance is usually allocated in the +tail of the instance, drivers in ALSA firewire stack allocate the private +data before allocating the instance. In this case, the private data +should be released explicitly at .private_free callback of the instance. + +This commit fixes memory leak following to the above design. + +Fixes: b610386c8afb ('ALSA: firewire-tascam: deleyed registration of sound card') +Cc: # v4.7+ +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/tascam/tascam.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/firewire/tascam/tascam.c ++++ b/sound/firewire/tascam/tascam.c +@@ -93,6 +93,7 @@ static void tscm_free(struct snd_tscm *t + fw_unit_put(tscm->unit); + + mutex_destroy(&tscm->mutex); ++ kfree(tscm); + } + + static void tscm_card_free(struct snd_card *card) diff --git a/queue-4.18/alsa-fireworks-fix-memory-leak-of-response-buffer-at-error-path.patch b/queue-4.18/alsa-fireworks-fix-memory-leak-of-response-buffer-at-error-path.patch new file mode 100644 index 00000000000..62de9f36667 --- /dev/null +++ b/queue-4.18/alsa-fireworks-fix-memory-leak-of-response-buffer-at-error-path.patch 
@@ -0,0 +1,35 @@ +From c3b55e2ec9c76e7a0de2a0b1dc851fdc9440385b Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Mon, 17 Sep 2018 17:26:41 +0900 +Subject: ALSA: fireworks: fix memory leak of response buffer at error path + +From: Takashi Sakamoto + +commit c3b55e2ec9c76e7a0de2a0b1dc851fdc9440385b upstream. + +After allocating memory object for response buffer, ALSA fireworks +driver has leak of the memory object at error path. + +This commit releases the object at the error path. + +Fixes: 7d3c1d5901aa('ALSA: fireworks: delayed registration of sound card') +Cc: # v4.7+ +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/fireworks/fireworks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/firewire/fireworks/fireworks.c ++++ b/sound/firewire/fireworks/fireworks.c +@@ -301,6 +301,8 @@ error: + snd_efw_transaction_remove_instance(efw); + snd_efw_stream_destroy_duplex(efw); + snd_card_free(efw->card); ++ kfree(efw->resp_buf); ++ efw->resp_buf = NULL; + dev_info(&efw->unit->device, + "Sound card registration failed: %d\n", err); + } diff --git a/queue-4.18/alsa-oxfw-fix-memory-leak-for-model-dependent-data-at-error-path.patch b/queue-4.18/alsa-oxfw-fix-memory-leak-for-model-dependent-data-at-error-path.patch new file mode 100644 index 00000000000..e3461e1ab57 --- /dev/null +++ b/queue-4.18/alsa-oxfw-fix-memory-leak-for-model-dependent-data-at-error-path.patch 
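Review bot: `kfree(efw->resp_buf)` dereferences efw after `snd_card_free(efw->card)`, which is safe only if the card's private_free callback does not release efw at this point; the hunk does not show that. Placing the two added lines before snd_card_free(), as the bebob error-path patch in this series does, removes the dependency. The oxfw error-path patch has the same order (`snd_card_free(oxfw->card);` then `kfree(oxfw->spec);`). There oxfw_free() already frees oxfw->spec and, with the private-data patch in this series, oxfw itself, so a double free or use-after-free would follow if oxfw_free() is reachable from snd_card_free() on that path.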
@@ -0,0 +1,35 @@ +From ce925f088b979537f22f9e05eb923ef9822ca139 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Mon, 17 Sep 2018 17:26:08 +0900 +Subject: ALSA: oxfw: fix memory leak for model-dependent data at error path + +From: Takashi Sakamoto + +commit ce925f088b979537f22f9e05eb923ef9822ca139 upstream. + +After allocating model-dependent data, ALSA OXFW driver has memory leak +of the data at error path. + +This commit releases the data at the error path. + +Fixes: 6c29230e2a5f ('ALSA: oxfw: delayed registration of sound card') +Cc: # v4.7+ +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/oxfw/oxfw.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/firewire/oxfw/oxfw.c ++++ b/sound/firewire/oxfw/oxfw.c +@@ -270,6 +270,8 @@ error: + if (oxfw->has_output) + snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->tx_stream); + snd_card_free(oxfw->card); ++ kfree(oxfw->spec); ++ oxfw->spec = NULL; + dev_info(&oxfw->unit->device, + "Sound card registration failed: %d\n", err); + } diff --git a/queue-4.18/alsa-oxfw-fix-memory-leak-of-discovered-stream-formats-at-error-path.patch b/queue-4.18/alsa-oxfw-fix-memory-leak-of-discovered-stream-formats-at-error-path.patch new file mode 100644 index 00000000000..060769a31d1 --- /dev/null +++ b/queue-4.18/alsa-oxfw-fix-memory-leak-of-discovered-stream-formats-at-error-path.patch 
@@ -0,0 +1,47 @@ +From 1064bc685d359f549f91c2d5f111965a9284f328 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Mon, 17 Sep 2018 17:26:20 +0900 +Subject: ALSA: oxfw: fix memory leak of discovered stream formats at error path + +From: Takashi Sakamoto + +commit 1064bc685d359f549f91c2d5f111965a9284f328 upstream. + +After finishing discover of stream formats, ALSA OXFW driver has memory +leak of allocated memory object at error path. + +This commit releases the memory object at the error path. + +Fixes: 6c29230e2a5f ('ALSA: oxfw: delayed registration of sound card') +Cc: # v4.7+ +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/oxfw/oxfw.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/firewire/oxfw/oxfw.c ++++ b/sound/firewire/oxfw/oxfw.c +@@ -207,6 +207,7 @@ static int detect_quirks(struct snd_oxfw + static void do_registration(struct work_struct *work) + { + struct snd_oxfw *oxfw = container_of(work, struct snd_oxfw, dwork.work); ++ int i; + int err; + + if (oxfw->registered) +@@ -269,6 +270,12 @@ error: + snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->rx_stream); + if (oxfw->has_output) + snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->tx_stream); ++ for (i = 0; i < SND_OXFW_STREAM_FORMAT_ENTRIES; ++i) { ++ kfree(oxfw->tx_stream_formats[i]); ++ oxfw->tx_stream_formats[i] = NULL; ++ kfree(oxfw->rx_stream_formats[i]); ++ oxfw->rx_stream_formats[i] = NULL; ++ } + snd_card_free(oxfw->card); + kfree(oxfw->spec); + oxfw->spec = NULL; diff --git a/queue-4.18/alsa-oxfw-fix-memory-leak-of-private-data.patch b/queue-4.18/alsa-oxfw-fix-memory-leak-of-private-data.patch new file mode 100644 index 00000000000..1b63c38e0d7 --- /dev/null +++ b/queue-4.18/alsa-oxfw-fix-memory-leak-of-private-data.patch 
@@ -0,0 +1,36 @@ +From 498fe23aad8e3b5a9554f55719c537603b4476ea Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Thu, 13 Sep 2018 21:31:18 +0900 +Subject: ALSA: oxfw: fix memory leak of private data + +From: Takashi Sakamoto + +commit 498fe23aad8e3b5a9554f55719c537603b4476ea upstream. + +Although private data of sound card instance is usually allocated in the +tail of the instance, drivers in ALSA firewire stack allocate the private +data before allocating the instance. In this case, the private data +should be released explicitly at .private_free callback of the instance. + +This commit fixes memory leak following to the above design. + +Fixes: 6c29230e2a5f ('ALSA: oxfw: delayed registration of sound card') +Cc: # v4.7+ +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/oxfw/oxfw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/firewire/oxfw/oxfw.c ++++ b/sound/firewire/oxfw/oxfw.c +@@ -130,6 +130,7 @@ static void oxfw_free(struct snd_oxfw *o + + kfree(oxfw->spec); + mutex_destroy(&oxfw->mutex); ++ kfree(oxfw); + } + + /* diff --git a/queue-4.18/asoc-cs4265-fix-mmtlr-data-switch-control.patch b/queue-4.18/asoc-cs4265-fix-mmtlr-data-switch-control.patch new file mode 100644 index 00000000000..c1530374ce4 --- /dev/null +++ b/queue-4.18/asoc-cs4265-fix-mmtlr-data-switch-control.patch 
@@ -0,0 +1,38 @@ +From 90a3b7f8aba3011badacd6d8121e03aa24ac79d1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?S=C3=A9bastien=20Szymanski?= + +Date: Thu, 6 Sep 2018 11:16:00 +0200 +Subject: ASoC: cs4265: fix MMTLR Data switch control +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sébastien Szymanski + +commit 90a3b7f8aba3011badacd6d8121e03aa24ac79d1 upstream. + +The MMTLR bit is in the CS4265_SPDIF_CTL2 register at address 0x12 bit 0 +and not at address 0x0 bit 1. Fix this. + +Signed-off-by: Sébastien Szymanski +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/cs4265.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/cs4265.c ++++ b/sound/soc/codecs/cs4265.c +@@ -157,8 +157,8 @@ static const struct snd_kcontrol_new cs4 + SOC_SINGLE("Validity Bit Control Switch", CS4265_SPDIF_CTL2, + 3, 1, 0), + SOC_ENUM("SPDIF Mono/Stereo", spdif_mono_stereo_enum), +- SOC_SINGLE("MMTLR Data Switch", 0, +- 1, 1, 0), ++ SOC_SINGLE("MMTLR Data Switch", CS4265_SPDIF_CTL2, ++ 0, 1, 0), + SOC_ENUM("Mono Channel Select", spdif_mono_select_enum), + SND_SOC_BYTES("C Data Buffer", CS4265_C_DATA_BUFF, 24), + }; diff --git a/queue-4.18/asoc-rsnd-fixup-not-to-call-clk_get-set-under-non-atomic.patch b/queue-4.18/asoc-rsnd-fixup-not-to-call-clk_get-set-under-non-atomic.patch new file mode 100644 index 00000000000..66cabfd04a7 --- /dev/null +++ b/queue-4.18/asoc-rsnd-fixup-not-to-call-clk_get-set-under-non-atomic.patch 
@@ -0,0 +1,198 @@ +From 4d230d12710646788af581ba0155d83ab48b955c Mon Sep 17 00:00:00 2001 +From: Jiada Wang +Date: Mon, 3 Sep 2018 07:08:58 +0000 +Subject: ASoC: rsnd: fixup not to call clk_get/set under non-atomic + +From: Jiada Wang + +commit 4d230d12710646788af581ba0155d83ab48b955c upstream. + +Clocking operations clk_get/set_rate, are non-atomic, +they shouldn't be called in soc_pcm_trigger() which is atomic. + +Following issue was found due to execution of clk_get_rate() causes +sleep in soc_pcm_trigger(), which shouldn't be blocked. + +We can reproduce this issue by following + > enable CONFIG_DEBUG_ATOMIC_SLEEP=y + > compile, and boot + > mount -t debugfs none /sys/kernel/debug + > while true; do cat /sys/kernel/debug/clk/clk_summary > /dev/null; done & + > while true; do aplay xxx; done + +This patch adds support to .prepare callback, and moves non-atomic +clocking operations to it. As .prepare is non-atomic, it is always +called before trigger_start/trigger_stop. + + BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620 + in_atomic(): 1, irqs_disabled(): 128, pid: 2242, name: aplay + INFO: lockdep is turned off. 
+ irq event stamp: 5964 + hardirqs last enabled at (5963): [] mutex_lock_nested+0x6e8/0x6f0 + hardirqs last disabled at (5964): [] _raw_spin_lock_irqsave+0x24/0x68 + softirqs last enabled at (5502): [] __do_softirq+0x560/0x10c0 + softirqs last disabled at (5495): [] irq_exit+0x160/0x25c + Preemption disabled at:[ 62.904063] [] snd_pcm_stream_lock+0xb4/0xc0 + CPU: 2 PID: 2242 Comm: aplay Tainted: G B C 4.9.54+ #186 + Hardware name: Renesas Salvator-X board based on r8a7795 (DT) + Call trace: + [] dump_backtrace+0x0/0x37c + [] show_stack+0x14/0x1c + [] dump_stack+0xfc/0x154 + [] ___might_sleep+0x57c/0x58c + [] __might_sleep+0x208/0x21c + [] mutex_lock_nested+0xb4/0x6f0 + [] clk_prepare_lock+0xb0/0x184 + [] clk_core_get_rate+0x14/0x54 + [] clk_get_rate+0x20/0x34 + [] rsnd_adg_ssi_clk_try_start+0x158/0x4f8 [snd_soc_rcar] + [] rsnd_ssi_init+0x668/0x7a0 [snd_soc_rcar] + [] rsnd_soc_dai_trigger+0x4bc/0xcf8 [snd_soc_rcar] + [] soc_pcm_trigger+0x2a4/0x2d4 + +Fixes: e7d850dd10f4 ("ASoC: rsnd: use mod base common method on SSI-parent") +Signed-off-by: Jiada Wang +Signed-off-by: Timo Wischer +[Kuninori: tidyup for upstream] +Signed-off-by: Kuninori Morimoto +Tested-by: Hiroyuki Yokoyama +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/sh/rcar/core.c | 11 +++++++++++ + sound/soc/sh/rcar/rsnd.h | 7 +++++++ + sound/soc/sh/rcar/ssi.c | 16 ++++++++++------ + 3 files changed, 28 insertions(+), 6 deletions(-) + +--- a/sound/soc/sh/rcar/core.c ++++ b/sound/soc/sh/rcar/core.c +@@ -953,12 +953,23 @@ static void rsnd_soc_dai_shutdown(struct + rsnd_dai_stream_quit(io); + } + ++static int rsnd_soc_dai_prepare(struct snd_pcm_substream *substream, ++ struct snd_soc_dai *dai) ++{ ++ struct rsnd_priv *priv = rsnd_dai_to_priv(dai); ++ struct rsnd_dai *rdai = rsnd_dai_to_rdai(dai); ++ struct rsnd_dai_stream *io = rsnd_rdai_to_io(rdai, substream); ++ ++ return rsnd_dai_call(prepare, io, priv); ++} ++ + static const struct snd_soc_dai_ops 
rsnd_soc_dai_ops = { + .startup = rsnd_soc_dai_startup, + .shutdown = rsnd_soc_dai_shutdown, + .trigger = rsnd_soc_dai_trigger, + .set_fmt = rsnd_soc_dai_set_fmt, + .set_tdm_slot = rsnd_soc_set_dai_tdm_slot, ++ .prepare = rsnd_soc_dai_prepare, + }; + + void rsnd_parse_connect_common(struct rsnd_dai *rdai, +--- a/sound/soc/sh/rcar/rsnd.h ++++ b/sound/soc/sh/rcar/rsnd.h +@@ -283,6 +283,9 @@ struct rsnd_mod_ops { + int (*nolock_stop)(struct rsnd_mod *mod, + struct rsnd_dai_stream *io, + struct rsnd_priv *priv); ++ int (*prepare)(struct rsnd_mod *mod, ++ struct rsnd_dai_stream *io, ++ struct rsnd_priv *priv); + }; + + struct rsnd_dai_stream; +@@ -312,6 +315,7 @@ struct rsnd_mod { + * H 0: fallback + * H 0: hw_params + * H 0: pointer ++ * H 0: prepare + */ + #define __rsnd_mod_shift_nolock_start 0 + #define __rsnd_mod_shift_nolock_stop 0 +@@ -326,6 +330,7 @@ struct rsnd_mod { + #define __rsnd_mod_shift_fallback 28 /* always called */ + #define __rsnd_mod_shift_hw_params 28 /* always called */ + #define __rsnd_mod_shift_pointer 28 /* always called */ ++#define __rsnd_mod_shift_prepare 28 /* always called */ + + #define __rsnd_mod_add_probe 0 + #define __rsnd_mod_add_remove 0 +@@ -340,6 +345,7 @@ struct rsnd_mod { + #define __rsnd_mod_add_fallback 0 + #define __rsnd_mod_add_hw_params 0 + #define __rsnd_mod_add_pointer 0 ++#define __rsnd_mod_add_prepare 0 + + #define __rsnd_mod_call_probe 0 + #define __rsnd_mod_call_remove 0 +@@ -354,6 +360,7 @@ struct rsnd_mod { + #define __rsnd_mod_call_pointer 0 + #define __rsnd_mod_call_nolock_start 0 + #define __rsnd_mod_call_nolock_stop 1 ++#define __rsnd_mod_call_prepare 0 + + #define rsnd_mod_to_priv(mod) ((mod)->priv) + #define rsnd_mod_name(mod) ((mod)->ops->name) +--- a/sound/soc/sh/rcar/ssi.c ++++ b/sound/soc/sh/rcar/ssi.c +@@ -286,7 +286,7 @@ static int rsnd_ssi_master_clk_start(str + if (rsnd_ssi_is_multi_slave(mod, io)) + return 0; + +- if (ssi->usrcnt > 1) { ++ if (ssi->rate) { + if (ssi->rate != rate) { + dev_err(dev, "SSI 
parent/child should use same rate\n"); + return -EINVAL; +@@ -431,7 +431,6 @@ static int rsnd_ssi_init(struct rsnd_mod + struct rsnd_priv *priv) + { + struct rsnd_ssi *ssi = rsnd_mod_to_ssi(mod); +- int ret; + + if (!rsnd_ssi_is_run_mods(mod, io)) + return 0; +@@ -440,10 +439,6 @@ static int rsnd_ssi_init(struct rsnd_mod + + rsnd_mod_power_on(mod); + +- ret = rsnd_ssi_master_clk_start(mod, io); +- if (ret < 0) +- return ret; +- + rsnd_ssi_config_init(mod, io); + + rsnd_ssi_register_setup(mod); +@@ -846,6 +841,13 @@ static int rsnd_ssi_pio_pointer(struct r + return 0; + } + ++static int rsnd_ssi_prepare(struct rsnd_mod *mod, ++ struct rsnd_dai_stream *io, ++ struct rsnd_priv *priv) ++{ ++ return rsnd_ssi_master_clk_start(mod, io); ++} ++ + static struct rsnd_mod_ops rsnd_ssi_pio_ops = { + .name = SSI_NAME, + .probe = rsnd_ssi_common_probe, +@@ -858,6 +860,7 @@ static struct rsnd_mod_ops rsnd_ssi_pio_ + .pointer = rsnd_ssi_pio_pointer, + .pcm_new = rsnd_ssi_pcm_new, + .hw_params = rsnd_ssi_hw_params, ++ .prepare = rsnd_ssi_prepare, + }; + + static int rsnd_ssi_dma_probe(struct rsnd_mod *mod, +@@ -934,6 +937,7 @@ static struct rsnd_mod_ops rsnd_ssi_dma_ + .pcm_new = rsnd_ssi_pcm_new, + .fallback = rsnd_ssi_fallback, + .hw_params = rsnd_ssi_hw_params, ++ .prepare = rsnd_ssi_prepare, + }; + + int rsnd_ssi_is_dma_mode(struct rsnd_mod *mod) diff --git a/queue-4.18/asoc-tas6424-save-last-fault-register-even-when-clear.patch b/queue-4.18/asoc-tas6424-save-last-fault-register-even-when-clear.patch new file mode 100644 index 00000000000..f3890226cdc --- /dev/null +++ b/queue-4.18/asoc-tas6424-save-last-fault-register-even-when-clear.patch 
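Review bot: rsnd_ssi_prepare() calls rsnd_ssi_master_clk_start() unconditionally, whereas the call removed from rsnd_ssi_init() sat behind `if (!rsnd_ssi_is_run_mods(mod, io)) return 0;`. Unless rsnd_ssi_master_clk_start() performs an equivalent check in the part of its body not shown, the clock is now started for streams that rsnd_ssi_init() skips; consider repeating that guard at the top of rsnd_ssi_prepare(). ALSA may also invoke .prepare more than once for a stream, so the new `if (ssi->rate)` test depends on ssi->rate being cleared when the clock is stopped, which these hunks do not show.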
@@ -0,0 +1,63 @@
+From d40e3e9e44db4b3c8777f3b515ba6097ba26e3b2 Mon Sep 17 00:00:00 2001
+From: "Andrew F. Davis"
+Date: Fri, 31 Aug 2018 10:14:05 -0500
+Subject: ASoC: tas6424: Save last fault register even when clear
+
+From: Andrew F. Davis
+
+commit d40e3e9e44db4b3c8777f3b515ba6097ba26e3b2 upstream.
+
+When there is no fault bit set in a fault register we skip the fault
+reporting section for that register. This also skips over saving that
+registers value. We save the value so we will not double report an
+error, but if an error clears then returns we will also not report it
+as we did not save the all cleared register value. Fix this by saving
+the fault register value in the all clear path.
+
+Signed-off-by: Andrew F. Davis
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/tas6424.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/codecs/tas6424.c
++++ b/sound/soc/codecs/tas6424.c
+@@ -424,8 +424,10 @@ static void tas6424_fault_check_work(str
+ TAS6424_FAULT_PVDD_UV |
+ TAS6424_FAULT_VBAT_UV;
+
+- if (reg)
++ if (!reg) {
++ tas6424->last_fault1 = reg;
+ goto check_global_fault2_reg;
++ }
+
+ /*
+ * Only flag errors once for a given occurrence. This is needed as
+@@ -461,8 +463,10 @@ check_global_fault2_reg:
+ TAS6424_FAULT_OTSD_CH3 |
+ TAS6424_FAULT_OTSD_CH4;
+
+- if (!reg)
++ if (!reg) {
++ tas6424->last_fault2 = reg;
+ goto check_warn_reg;
++ }
+
+ if ((reg & TAS6424_FAULT_OTSD) && !(tas6424->last_fault2 & TAS6424_FAULT_OTSD))
+ dev_crit(dev, "experienced a global overtemp shutdown\n");
+@@ -497,8 +501,10 @@ check_warn_reg:
+ TAS6424_WARN_VDD_OTW_CH3 |
+ TAS6424_WARN_VDD_OTW_CH4;
+
+- if (!reg)
++ if (!reg) {
++ tas6424->last_warn = reg;
+ goto out;
++ }
+
+ if ((reg & TAS6424_WARN_VDD_UV) && !(tas6424->last_warn & TAS6424_WARN_VDD_UV))
+ dev_warn(dev, "experienced a VDD under voltage condition\n");
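Review bot: The three all-clear branches (`if (!reg) { tas6424->last_fault1 = reg; ... }` and the matching ones for `last_fault2` and `last_warn`) carry no comment saying why a value known to be zero is stored, so they read as redundant to a later maintainer. A one-line comment such as `/* remember the cleared state so a fault that returns is reported again */` above each assignment would record the intent given in the commit message. In the first inner hunk the test itself also changes from `if (reg)` to `if (!reg)`, which the description does not mention; if that inversion is intended it deserves a sentence there. The body of tas6424_fault_check_work starts and ends outside these hunks.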
diff --git a/queue-4.18/asoc-uapi-fix-sound-skl-tplg-interface.h-userspace-compilation-errors.patch b/queue-4.18/asoc-uapi-fix-sound-skl-tplg-interface.h-userspace-compilation-errors.patch
new file mode 100644
index 00000000000..3ec74bf35b3
--- /dev/null
+++ b/queue-4.18/asoc-uapi-fix-sound-skl-tplg-interface.h-userspace-compilation-errors.patch
@@ -0,0 +1,265 @@ +From fb504caae7ef85be159743bd4b08ecde269ba55f Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Mon, 13 Aug 2018 18:50:02 +0300 +Subject: ASoC: uapi: fix sound/skl-tplg-interface.h userspace compilation errors + +From: Dmitry V. Levin + +commit fb504caae7ef85be159743bd4b08ecde269ba55f upstream. + +Include and consistently use types it provides +to fix the following sound/skl-tplg-interface.h userspace compilation errors: + +/usr/include/sound/skl-tplg-interface.h:146:2: error: unknown type name 'u32' + u32 set_params:2; +/usr/include/sound/skl-tplg-interface.h:147:2: error: unknown type name 'u32' + u32 rsvd:30; +/usr/include/sound/skl-tplg-interface.h:148:2: error: unknown type name 'u32' + u32 param_id; +/usr/include/sound/skl-tplg-interface.h:149:2: error: unknown type name 'u32' + u32 max; +/usr/include/sound/skl-tplg-interface.h:166:2: error: unknown type name 'u16' + u16 module_id; +/usr/include/sound/skl-tplg-interface.h:167:2: error: unknown type name 'u16' + u16 instance_id; +/usr/include/sound/skl-tplg-interface.h:171:2: error: unknown type name 'u32' + u32 channels; +/usr/include/sound/skl-tplg-interface.h:172:2: error: unknown type name 'u32' + u32 freq; +/usr/include/sound/skl-tplg-interface.h:173:2: error: unknown type name 'u32' + u32 bit_depth; +/usr/include/sound/skl-tplg-interface.h:174:2: error: unknown type name 'u32' + u32 valid_bit_depth; +/usr/include/sound/skl-tplg-interface.h:175:2: error: unknown type name 'u32' + u32 ch_cfg; +/usr/include/sound/skl-tplg-interface.h:176:2: error: unknown type name 'u32' + u32 interleaving_style; +/usr/include/sound/skl-tplg-interface.h:177:2: error: unknown type name 'u32' + u32 sample_type; +/usr/include/sound/skl-tplg-interface.h:178:2: error: unknown type name 'u32' + u32 ch_map; +/usr/include/sound/skl-tplg-interface.h:182:2: error: unknown type name 'u32' + u32 set_params:2; +/usr/include/sound/skl-tplg-interface.h:183:2: error: unknown type name 'u32' + u32 rsvd:30; 
+/usr/include/sound/skl-tplg-interface.h:184:2: error: unknown type name 'u32' + u32 param_id; +/usr/include/sound/skl-tplg-interface.h:185:2: error: unknown type name 'u32' + u32 caps_size; +/usr/include/sound/skl-tplg-interface.h:186:2: error: unknown type name 'u32' + u32 caps[HDA_SST_CFG_MAX]; +/usr/include/sound/skl-tplg-interface.h:190:2: error: unknown type name 'u8' + u8 pipe_id; +/usr/include/sound/skl-tplg-interface.h:191:2: error: unknown type name 'u8' + u8 pipe_priority; +/usr/include/sound/skl-tplg-interface.h:192:2: error: unknown type name 'u16' + u16 conn_type:4; +/usr/include/sound/skl-tplg-interface.h:193:2: error: unknown type name 'u16' + u16 rsvd:4; +/usr/include/sound/skl-tplg-interface.h:194:2: error: unknown type name 'u16' + u16 memory_pages:8; +/usr/include/sound/skl-tplg-interface.h:200:2: error: unknown type name 'u16' + u16 module_id; +/usr/include/sound/skl-tplg-interface.h:201:2: error: unknown type name 'u16' + u16 instance_id; +/usr/include/sound/skl-tplg-interface.h:202:2: error: unknown type name 'u32' + u32 max_mcps; +/usr/include/sound/skl-tplg-interface.h:203:2: error: unknown type name 'u32' + u32 mem_pages; +/usr/include/sound/skl-tplg-interface.h:204:2: error: unknown type name 'u32' + u32 obs; +/usr/include/sound/skl-tplg-interface.h:205:2: error: unknown type name 'u32' + u32 ibs; +/usr/include/sound/skl-tplg-interface.h:206:2: error: unknown type name 'u32' + u32 vbus_id; +/usr/include/sound/skl-tplg-interface.h:208:2: error: unknown type name 'u32' + u32 max_in_queue:8; +/usr/include/sound/skl-tplg-interface.h:209:2: error: unknown type name 'u32' + u32 max_out_queue:8; +/usr/include/sound/skl-tplg-interface.h:210:2: error: unknown type name 'u32' + u32 time_slot:8; +/usr/include/sound/skl-tplg-interface.h:211:2: error: unknown type name 'u32' + u32 core_id:4; +/usr/include/sound/skl-tplg-interface.h:212:2: error: unknown type name 'u32' + u32 rsvd1:4; +/usr/include/sound/skl-tplg-interface.h:214:2: error: unknown type 
name 'u32' + u32 module_type:8; +/usr/include/sound/skl-tplg-interface.h:215:2: error: unknown type name 'u32' + u32 conn_type:4; +/usr/include/sound/skl-tplg-interface.h:216:2: error: unknown type name 'u32' + u32 dev_type:4; +/usr/include/sound/skl-tplg-interface.h:217:2: error: unknown type name 'u32' + u32 hw_conn_type:4; +/usr/include/sound/skl-tplg-interface.h:218:2: error: unknown type name 'u32' + u32 rsvd2:12; +/usr/include/sound/skl-tplg-interface.h:220:2: error: unknown type name 'u32' + u32 params_fixup:8; +/usr/include/sound/skl-tplg-interface.h:221:2: error: unknown type name 'u32' + u32 converter:8; +/usr/include/sound/skl-tplg-interface.h:222:2: error: unknown type name 'u32' + u32 input_pin_type:1; +/usr/include/sound/skl-tplg-interface.h:223:2: error: unknown type name 'u32' + u32 output_pin_type:1; +/usr/include/sound/skl-tplg-interface.h:224:2: error: unknown type name 'u32' + u32 is_dynamic_in_pin:1; +/usr/include/sound/skl-tplg-interface.h:225:2: error: unknown type name 'u32' + u32 is_dynamic_out_pin:1; +/usr/include/sound/skl-tplg-interface.h:226:2: error: unknown type name 'u32' + u32 is_loadable:1; +/usr/include/sound/skl-tplg-interface.h:227:2: error: unknown type name 'u32' + u32 rsvd3:11; + +Fixes: 0c24fdc00244 ("ASoC: topology: Move skl-tplg-interface.h to uapi") +Signed-off-by: Dmitry V. Levin +Reviewed-by: Guenter Roeck +Signed-off-by: Mark Brown +Cc: # v4.18 +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/sound/skl-tplg-interface.h | 106 ++++++++++++++++---------------- + 1 file changed, 54 insertions(+), 52 deletions(-) + +--- a/include/uapi/sound/skl-tplg-interface.h ++++ b/include/uapi/sound/skl-tplg-interface.h +@@ -10,6 +10,8 @@ + #ifndef __HDA_TPLG_INTERFACE_H__ + #define __HDA_TPLG_INTERFACE_H__ + ++#include ++ + /* + * Default types range from 0~12. 
type can range from 0 to 0xff + * SST types start at higher to avoid any overlapping in future +@@ -143,10 +145,10 @@ enum skl_module_param_type { + }; + + struct skl_dfw_algo_data { +- u32 set_params:2; +- u32 rsvd:30; +- u32 param_id; +- u32 max; ++ __u32 set_params:2; ++ __u32 rsvd:30; ++ __u32 param_id; ++ __u32 max; + char params[0]; + } __packed; + +@@ -163,68 +165,68 @@ enum skl_tuple_type { + /* v4 configuration data */ + + struct skl_dfw_v4_module_pin { +- u16 module_id; +- u16 instance_id; ++ __u16 module_id; ++ __u16 instance_id; + } __packed; + + struct skl_dfw_v4_module_fmt { +- u32 channels; +- u32 freq; +- u32 bit_depth; +- u32 valid_bit_depth; +- u32 ch_cfg; +- u32 interleaving_style; +- u32 sample_type; +- u32 ch_map; ++ __u32 channels; ++ __u32 freq; ++ __u32 bit_depth; ++ __u32 valid_bit_depth; ++ __u32 ch_cfg; ++ __u32 interleaving_style; ++ __u32 sample_type; ++ __u32 ch_map; + } __packed; + + struct skl_dfw_v4_module_caps { +- u32 set_params:2; +- u32 rsvd:30; +- u32 param_id; +- u32 caps_size; +- u32 caps[HDA_SST_CFG_MAX]; ++ __u32 set_params:2; ++ __u32 rsvd:30; ++ __u32 param_id; ++ __u32 caps_size; ++ __u32 caps[HDA_SST_CFG_MAX]; + } __packed; + + struct skl_dfw_v4_pipe { +- u8 pipe_id; +- u8 pipe_priority; +- u16 conn_type:4; +- u16 rsvd:4; +- u16 memory_pages:8; ++ __u8 pipe_id; ++ __u8 pipe_priority; ++ __u16 conn_type:4; ++ __u16 rsvd:4; ++ __u16 memory_pages:8; + } __packed; + + struct skl_dfw_v4_module { + char uuid[SKL_UUID_STR_SZ]; + +- u16 module_id; +- u16 instance_id; +- u32 max_mcps; +- u32 mem_pages; +- u32 obs; +- u32 ibs; +- u32 vbus_id; +- +- u32 max_in_queue:8; +- u32 max_out_queue:8; +- u32 time_slot:8; +- u32 core_id:4; +- u32 rsvd1:4; +- +- u32 module_type:8; +- u32 conn_type:4; +- u32 dev_type:4; +- u32 hw_conn_type:4; +- u32 rsvd2:12; +- +- u32 params_fixup:8; +- u32 converter:8; +- u32 input_pin_type:1; +- u32 output_pin_type:1; +- u32 is_dynamic_in_pin:1; +- u32 is_dynamic_out_pin:1; +- u32 is_loadable:1; +- u32 
rsvd3:11; ++ __u16 module_id; ++ __u16 instance_id; ++ __u32 max_mcps; ++ __u32 mem_pages; ++ __u32 obs; ++ __u32 ibs; ++ __u32 vbus_id; ++ ++ __u32 max_in_queue:8; ++ __u32 max_out_queue:8; ++ __u32 time_slot:8; ++ __u32 core_id:4; ++ __u32 rsvd1:4; ++ ++ __u32 module_type:8; ++ __u32 conn_type:4; ++ __u32 dev_type:4; ++ __u32 hw_conn_type:4; ++ __u32 rsvd2:12; ++ ++ __u32 params_fixup:8; ++ __u32 converter:8; ++ __u32 input_pin_type:1; ++ __u32 output_pin_type:1; ++ __u32 is_dynamic_in_pin:1; ++ __u32 is_dynamic_out_pin:1; ++ __u32 is_loadable:1; ++ __u32 rsvd3:11; + + struct skl_dfw_v4_pipe pipe; + struct skl_dfw_v4_module_fmt in_fmt[MAX_IN_QUEUE]; diff --git a/queue-4.18/asoc-wm9712-fix-replace-codec-to-component.patch b/queue-4.18/asoc-wm9712-fix-replace-codec-to-component.patch new file mode 100644 index 00000000000..627c8cd9411 --- /dev/null +++ b/queue-4.18/asoc-wm9712-fix-replace-codec-to-component.patch 
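Review bot: The structs converted here keep the kernel-only spelling `} __packed;` (after `struct skl_dfw_algo_data` and each `skl_dfw_v4_*` struct), and switching the member types to `__u8`/`__u16`/`__u32` does not by itself make that macro known to a userspace compiler. I cannot see from this page where userspace would get a definition of `__packed`; if it has none, `} __packed;` is parsed as a declarator rather than an attribute, so the build either fails again or the layout loses its packing and disagrees with the kernel's view of the topology data. Writing `} __attribute__((packed));` in this UAPI header would keep both sides identical. The `#include` line added in the first inner hunk appears on this page without its target, so the header it pulls in cannot be confirmed here.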
@@ -0,0 +1,56 @@
+From 5e4cfadaf5b73a0801b2fa7fb007f98400ebfe6e Mon Sep 17 00:00:00 2001
+From: Marcel Ziswiler
+Date: Tue, 14 Aug 2018 00:35:56 +0200
+Subject: ASoC: wm9712: fix replace codec to component
+
+From: Marcel Ziswiler
+
+commit 5e4cfadaf5b73a0801b2fa7fb007f98400ebfe6e upstream.
+
+Since commit 143b44845d87 ("ASoC: wm9712: replace codec to component")
+"wm9712-codec" got renamed to "wm9712-component", however, this change
+never got propagated down to the actual board/platform drivers. E.g. on
+Colibri T20 this lead to the following spew upon boot with sound/touch
+being broken:
+
+[ 2.214121] tegra-snd-wm9712 sound: ASoC: CODEC DAI wm9712-hifi not registered
+[ 2.222137] tegra-snd-wm9712 sound: snd_soc_register_card failed (-517)
+...
+[ 2.344384] tegra-snd-wm9712 sound: ASoC: CODEC DAI wm9712-hifi not registered
+[ 2.351885] tegra-snd-wm9712 sound: snd_soc_register_card failed (-517)
+...
+[ 2.668339] tegra-snd-wm9712 sound: ASoC: CODEC DAI wm9712-hifi not registered
+[ 2.675811] tegra-snd-wm9712 sound: snd_soc_register_card failed (-517)
+...
+[ 3.208408] tegra-snd-wm9712 sound: ASoC: CODEC DAI wm9712-hifi not registered
+[ 3.216312] tegra-snd-wm9712 sound: snd_soc_register_card failed (-517)
+...
+[ 3.235397] tegra-snd-wm9712 sound: ASoC: CODEC DAI wm9712-hifi not registered
+[ 3.248938] tegra-snd-wm9712 sound: snd_soc_register_card failed (-517)
+...
+[ 14.970443] ALSA device list:
+[ 14.996628] No soundcards found.
+
+This commit finally fixes this again.
+
+Signed-off-by: Marcel Ziswiler
+Acked-by: Charles Keepax
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/wm9712.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wm9712.c
++++ b/sound/soc/codecs/wm9712.c
+@@ -719,7 +719,7 @@ static int wm9712_probe(struct platform_
+
+ static struct platform_driver wm9712_component_driver = {
+ .driver = {
+- .name = "wm9712-component",
++ .name = "wm9712-codec",
+ },
+
+ .probe = wm9712_probe,
diff --git a/queue-4.18/crypto-x86-aegis-morus-do-not-require-osxsave-for-sse2.patch b/queue-4.18/crypto-x86-aegis-morus-do-not-require-osxsave-for-sse2.patch
new file mode 100644
index 00000000000..8bcb11ea9ec
--- /dev/null
+++ b/queue-4.18/crypto-x86-aegis-morus-do-not-require-osxsave-for-sse2.patch
@@ -0,0 +1,78 @@
+From 24568b47d48ec8c906fd0f589489a08b17e1edca Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek
+Date: Wed, 5 Sep 2018 09:26:41 +0200
+Subject: crypto: x86/aegis,morus - Do not require OSXSAVE for SSE2
+
+From: Ondrej Mosnacek
+
+commit 24568b47d48ec8c906fd0f589489a08b17e1edca upstream.
+
+It turns out OSXSAVE needs to be checked only for AVX, not for SSE.
+Without this patch the affected modules refuse to load on CPUs with SSE2
+but without AVX support.
+
+Fixes: 877ccce7cbe8 ("crypto: x86/aegis,morus - Fix and simplify CPUID checks")
+Cc: # 4.18
+Reported-by: Zdenek Kaspar
+Signed-off-by: Ondrej Mosnacek
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/crypto/aegis128-aesni-glue.c | 1 -
+ arch/x86/crypto/aegis128l-aesni-glue.c | 1 -
+ arch/x86/crypto/aegis256-aesni-glue.c | 1 -
+ arch/x86/crypto/morus1280-sse2-glue.c | 1 -
+ arch/x86/crypto/morus640-sse2-glue.c | 1 -
+ 5 files changed, 5 deletions(-)
+
+--- a/arch/x86/crypto/aegis128-aesni-glue.c
++++ b/arch/x86/crypto/aegis128-aesni-glue.c
+@@ -379,7 +379,6 @@ static int __init crypto_aegis128_aesni_
+ {
+ if (!boot_cpu_has(X86_FEATURE_XMM2) ||
+ !boot_cpu_has(X86_FEATURE_AES) ||
+- !boot_cpu_has(X86_FEATURE_OSXSAVE) ||
+ !cpu_has_xfeatures(XFEATURE_MASK_SSE, NULL))
+ return -ENODEV;
+
+--- a/arch/x86/crypto/aegis128l-aesni-glue.c
++++ b/arch/x86/crypto/aegis128l-aesni-glue.c
+@@ -379,7 +379,6 @@ static int __init crypto_aegis128l_aesni
+ {
+ if (!boot_cpu_has(X86_FEATURE_XMM2) ||
+ !boot_cpu_has(X86_FEATURE_AES) ||
+- !boot_cpu_has(X86_FEATURE_OSXSAVE) ||
+ !cpu_has_xfeatures(XFEATURE_MASK_SSE, NULL))
+ return -ENODEV;
+
+--- a/arch/x86/crypto/aegis256-aesni-glue.c
++++ b/arch/x86/crypto/aegis256-aesni-glue.c
+@@ -379,7 +379,6 @@ static int __init crypto_aegis256_aesni_
+ {
+ if (!boot_cpu_has(X86_FEATURE_XMM2) ||
+ !boot_cpu_has(X86_FEATURE_AES) ||
+- !boot_cpu_has(X86_FEATURE_OSXSAVE) ||
+ !cpu_has_xfeatures(XFEATURE_MASK_SSE, NULL))
+ return -ENODEV;
+
+--- a/arch/x86/crypto/morus1280-sse2-glue.c
++++ b/arch/x86/crypto/morus1280-sse2-glue.c
+@@ -40,7 +40,6 @@ MORUS1280_DECLARE_ALGS(sse2, "morus1280-
+ static int __init crypto_morus1280_sse2_module_init(void)
+ {
+ if (!boot_cpu_has(X86_FEATURE_XMM2) ||
+- !boot_cpu_has(X86_FEATURE_OSXSAVE) ||
+ !cpu_has_xfeatures(XFEATURE_MASK_SSE, NULL))
+ return -ENODEV;
+
+--- a/arch/x86/crypto/morus640-sse2-glue.c
++++ b/arch/x86/crypto/morus640-sse2-glue.c
+@@ -40,7 +40,6 @@ MORUS640_DECLARE_ALGS(sse2, "morus640-ss
+ static int __init crypto_morus640_sse2_module_init(void)
+ {
+ if (!boot_cpu_has(X86_FEATURE_XMM2) ||
+- !boot_cpu_has(X86_FEATURE_OSXSAVE) ||
+ !cpu_has_xfeatures(XFEATURE_MASK_SSE, NULL))
+ return -ENODEV;
+
diff --git a/queue-4.18/fork-report-pid-exhaustion-correctly.patch b/queue-4.18/fork-report-pid-exhaustion-correctly.patch
new file mode 100644
index 00000000000..0c02f55dbb7
--- /dev/null
+++ b/queue-4.18/fork-report-pid-exhaustion-correctly.patch
@@ -0,0 +1,61 @@
+From f83606f5eb007adc33bc8541ede00590f477bdeb Mon Sep 17 00:00:00 2001
+From: KJ Tsanaktsidis
+Date: Thu, 20 Sep 2018 12:22:25 -0700
+Subject: fork: report pid exhaustion correctly
+
+From: KJ Tsanaktsidis
+
+commit f83606f5eb007adc33bc8541ede00590f477bdeb upstream.
+
+Make the clone and fork syscalls return EAGAIN when the limit on the
+number of pids /proc/sys/kernel/pid_max is exceeded.
+
+Currently, when the pid_max limit is exceeded, the kernel will return
+ENOSPC from the fork and clone syscalls. This is contrary to the
+documented behaviour, which explicitly calls out the pid_max case as one
+where EAGAIN should be returned. It also leads to really confusing error
+messages in userspace programs which will complain about a lack of disk
+space when they fail to create processes/threads for this reason.
+
+This error is being returned because alloc_pid() uses the idr api to find
+a new pid; when there are none available, idr_alloc_cyclic() returns
+-ENOSPC, and this is being propagated back to userspace.
+
+This behaviour has been broken before, and was explicitly fixed in
+commit 35f71bc0a09a ("fork: report pid reservation failure properly"),
+so I think -EAGAIN is definitely the right thing to return in this case.
+The current behaviour change dates from commit 95846ecf9dac ("pid:
+replace pid bitmap implementation with IDR AIP") and was I believe
+unintentional.
+
+This patch has no impact on the case where allocating a pid fails because
+the child reaper for the namespace is dead; that case will still return
+-ENOMEM.
+
+Link: http://lkml.kernel.org/r/20180903111016.46461-1-ktsanaktsidis@zendesk.com
+Fixes: 95846ecf9dac ("pid: replace pid bitmap implementation with IDR AIP")
+Signed-off-by: KJ Tsanaktsidis
+Reviewed-by: Andrew Morton
+Acked-by: Michal Hocko
+Cc: Gargi Sharma
+Cc: Rik van Riel
+Cc: Oleg Nesterov
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/pid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/pid.c
++++ b/kernel/pid.c
+@@ -195,7 +195,7 @@ struct pid *alloc_pid(struct pid_namespa
+ idr_preload_end();
+
+ if (nr < 0) {
+- retval = nr;
++ retval = (nr == -ENOSPC) ? -EAGAIN : nr;
+ goto out_free;
+ }
+
diff --git a/queue-4.18/mm-disable-deferred-struct-page-for-32-bit-arches.patch b/queue-4.18/mm-disable-deferred-struct-page-for-32-bit-arches.patch
new file mode 100644
index 00000000000..b6577ac5217
--- /dev/null
+++ b/queue-4.18/mm-disable-deferred-struct-page-for-32-bit-arches.patch
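Review bot: The new mapping `retval = (nr == -ENOSPC) ? -EAGAIN : nr;` in alloc_pid has no comment, so the reason one errno is rewritten lives only in the commit message. A short comment above it, for example `/* idr_alloc_cyclic() returns -ENOSPC when pid_max is reached; fork()/clone() document EAGAIN for that case */`, would keep a later change to the pid allocator from undoing it, which the description says has already happened once. alloc_pid starts and ends outside the hunk.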
@@ -0,0 +1,80 @@ +From 889c695d419f19e5db52592dafbaf26143c36d1f Mon Sep 17 00:00:00 2001 +From: Pasha Tatashin +Date: Thu, 20 Sep 2018 12:22:30 -0700 +Subject: mm: disable deferred struct page for 32-bit arches + +From: Pasha Tatashin + +commit 889c695d419f19e5db52592dafbaf26143c36d1f upstream. + +Deferred struct page init is needed only on systems with large amount of +physical memory to improve boot performance. 32-bit systems do not +benefit from this feature. + +Jiri reported a problem where deferred struct pages do not work well with +x86-32: + +[ 0.035162] Dentry cache hash table entries: 131072 (order: 7, 524288 bytes) +[ 0.035725] Inode-cache hash table entries: 65536 (order: 6, 262144 bytes) +[ 0.036269] Initializing CPU#0 +[ 0.036513] Initializing HighMem for node 0 (00036ffe:0007ffe0) +[ 0.038459] page:f6780000 is uninitialized and poisoned +[ 0.038460] raw: ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff +[ 0.039509] page dumped because: VM_BUG_ON_PAGE(1 && PageCompound(page)) +[ 0.040038] ------------[ cut here ]------------ +[ 0.040399] kernel BUG at include/linux/page-flags.h:293! 
+[ 0.040823] invalid opcode: 0000 [#1] SMP PTI +[ 0.041166] CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc1_pt_jiri #9 +[ 0.041694] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014 +[ 0.042496] EIP: free_highmem_page+0x64/0x80 +[ 0.042839] Code: 13 46 d8 c1 e8 18 5d 83 e0 03 8d 04 c0 c1 e0 06 ff 80 ec 5f 44 d8 c3 8d b4 26 00 00 00 00 ba 08 65 28 d8 89 d8 e8 fc 71 02 00 <0f> 0b 8d 76 00 8d bc 27 00 00 00 00 ba d0 b1 26 d8 89 d8 e8 e4 71 +[ 0.044338] EAX: 0000003c EBX: f6780000 ECX: 00000000 EDX: d856cbe8 +[ 0.044868] ESI: 0007ffe0 EDI: d838df20 EBP: d838df00 ESP: d838defc +[ 0.045372] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00210086 +[ 0.045913] CR0: 80050033 CR2: 00000000 CR3: 18556000 CR4: 00040690 +[ 0.046413] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 +[ 0.046913] DR6: fffe0ff0 DR7: 00000400 +[ 0.047220] Call Trace: +[ 0.047419] add_highpages_with_active_regions+0xbd/0x10d +[ 0.047854] set_highmem_pages_init+0x5b/0x71 +[ 0.048202] mem_init+0x2b/0x1e8 +[ 0.048460] start_kernel+0x1d2/0x425 +[ 0.048757] i386_start_kernel+0x93/0x97 +[ 0.049073] startup_32_smp+0x164/0x168 +[ 0.049379] Modules linked in: +[ 0.049626] ---[ end trace 337949378db0abbb ]--- + +We free highmem pages before their struct pages are initialized: + +mem_init() + set_highmem_pages_init() + add_highpages_with_active_regions() + free_highmem_page() + .. Access uninitialized struct page here.. + +Because there is no reason to have this feature on 32-bit systems, just +disable it. 
+ +Link: http://lkml.kernel.org/r/20180831150506.31246-1-pavel.tatashin@microsoft.com +Fixes: 2e3ca40f03bb ("mm: relax deferred struct page requirements") +Signed-off-by: Pavel Tatashin +Reported-by: Jiri Slaby +Acked-by: Michal Hocko +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + mm/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/Kconfig ++++ b/mm/Kconfig +@@ -637,6 +637,7 @@ config DEFERRED_STRUCT_PAGE_INIT + depends on NO_BOOTMEM + depends on SPARSEMEM + depends on !NEED_PER_CPU_KM ++ depends on 64BIT + help + Ordinarily all struct pages are initialised during early boot in a + single thread. On very large machines this can take a considerable diff --git a/queue-4.18/mm-shmem.c-correctly-annotate-new-inodes-for-lockdep.patch b/queue-4.18/mm-shmem.c-correctly-annotate-new-inodes-for-lockdep.patch new file mode 100644 index 00000000000..6573dad4ace --- /dev/null +++ b/queue-4.18/mm-shmem.c-correctly-annotate-new-inodes-for-lockdep.patch 
@@ -0,0 +1,128 @@ +From b45d71fb89ab8adfe727b9d0ee188ed58582a647 Mon Sep 17 00:00:00 2001 +From: "Joel Fernandes (Google)" +Date: Thu, 20 Sep 2018 12:22:39 -0700 +Subject: mm: shmem.c: Correctly annotate new inodes for lockdep + +From: Joel Fernandes (Google) + +commit b45d71fb89ab8adfe727b9d0ee188ed58582a647 upstream. + +Directories and inodes don't necessarily need to be in the same lockdep +class. For ex, hugetlbfs splits them out too to prevent false positives +in lockdep. Annotate correctly after new inode creation. If its a +directory inode, it will be put into a different class. + +This should fix a lockdep splat reported by syzbot: + +> ====================================================== +> WARNING: possible circular locking dependency detected +> 4.18.0-rc8-next-20180810+ #36 Not tainted +> ------------------------------------------------------ +> syz-executor900/4483 is trying to acquire lock: +> 00000000d2bfc8fe (&sb->s_type->i_mutex_key#9){++++}, at: inode_lock +> include/linux/fs.h:765 [inline] +> 00000000d2bfc8fe (&sb->s_type->i_mutex_key#9){++++}, at: +> shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602 +> +> but task is already holding lock: +> 0000000025208078 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x630 +> drivers/staging/android/ashmem.c:448 +> +> which lock already depends on the new lock. 
+> +> -> #2 (ashmem_mutex){+.+.}: +> __mutex_lock_common kernel/locking/mutex.c:925 [inline] +> __mutex_lock+0x171/0x1700 kernel/locking/mutex.c:1073 +> mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1088 +> ashmem_mmap+0x55/0x520 drivers/staging/android/ashmem.c:361 +> call_mmap include/linux/fs.h:1844 [inline] +> mmap_region+0xf27/0x1c50 mm/mmap.c:1762 +> do_mmap+0xa10/0x1220 mm/mmap.c:1535 +> do_mmap_pgoff include/linux/mm.h:2298 [inline] +> vm_mmap_pgoff+0x213/0x2c0 mm/util.c:357 +> ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1585 +> __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline] +> __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline] +> __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91 +> do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 +> entry_SYSCALL_64_after_hwframe+0x49/0xbe +> +> -> #1 (&mm->mmap_sem){++++}: +> __might_fault+0x155/0x1e0 mm/memory.c:4568 +> _copy_to_user+0x30/0x110 lib/usercopy.c:25 +> copy_to_user include/linux/uaccess.h:155 [inline] +> filldir+0x1ea/0x3a0 fs/readdir.c:196 +> dir_emit_dot include/linux/fs.h:3464 [inline] +> dir_emit_dots include/linux/fs.h:3475 [inline] +> dcache_readdir+0x13a/0x620 fs/libfs.c:193 +> iterate_dir+0x48b/0x5d0 fs/readdir.c:51 +> __do_sys_getdents fs/readdir.c:231 [inline] +> __se_sys_getdents fs/readdir.c:212 [inline] +> __x64_sys_getdents+0x29f/0x510 fs/readdir.c:212 +> do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 +> entry_SYSCALL_64_after_hwframe+0x49/0xbe +> +> -> #0 (&sb->s_type->i_mutex_key#9){++++}: +> lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924 +> down_write+0x8f/0x130 kernel/locking/rwsem.c:70 +> inode_lock include/linux/fs.h:765 [inline] +> shmem_fallocate+0x18b/0x12e0 mm/shmem.c:2602 +> ashmem_shrink_scan+0x236/0x630 drivers/staging/android/ashmem.c:455 +> ashmem_ioctl+0x3ae/0x13a0 drivers/staging/android/ashmem.c:797 +> vfs_ioctl fs/ioctl.c:46 [inline] +> file_ioctl fs/ioctl.c:501 [inline] +> do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685 +> 
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702 +> __do_sys_ioctl fs/ioctl.c:709 [inline] +> __se_sys_ioctl fs/ioctl.c:707 [inline] +> __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707 +> do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 +> entry_SYSCALL_64_after_hwframe+0x49/0xbe +> +> other info that might help us debug this: +> +> Chain exists of: +> &sb->s_type->i_mutex_key#9 --> &mm->mmap_sem --> ashmem_mutex +> +> Possible unsafe locking scenario: +> +> CPU0 CPU1 +> ---- ---- +> lock(ashmem_mutex); +> lock(&mm->mmap_sem); +> lock(ashmem_mutex); +> lock(&sb->s_type->i_mutex_key#9); +> +> *** DEADLOCK *** +> +> 1 lock held by syz-executor900/4483: +> #0: 0000000025208078 (ashmem_mutex){+.+.}, at: +> ashmem_shrink_scan+0xb4/0x630 drivers/staging/android/ashmem.c:448 + +Link: http://lkml.kernel.org/r/20180821231835.166639-1-joel@joelfernandes.org +Signed-off-by: Joel Fernandes (Google) +Reported-by: syzbot +Reviewed-by: NeilBrown +Suggested-by: NeilBrown +Cc: Matthew Wilcox +Cc: Peter Zijlstra +Cc: Hugh Dickins +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + mm/shmem.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2226,6 +2226,8 @@ static struct inode *shmem_get_inode(str + mpol_shared_policy_init(&info->policy, NULL); + break; + } ++ ++ lockdep_annotate_inode_mutex_key(inode); + } else + shmem_free_inode(sb); + return inode; diff --git a/queue-4.18/mtd-devices-m25p80-make-sure-the-buffer-passed-in-op-is-dma-able.patch b/queue-4.18/mtd-devices-m25p80-make-sure-the-buffer-passed-in-op-is-dma-able.patch new file mode 100644 index 00000000000..e4df9c901f4 --- /dev/null +++ b/queue-4.18/mtd-devices-m25p80-make-sure-the-buffer-passed-in-op-is-dma-able.patch 
@@ -0,0 +1,77 @@
+From 4a3e85f2674cbfb81052059107d0165269778e2f Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Mon, 17 Sep 2018 16:31:30 +0200
+Subject: mtd: devices: m25p80: Make sure the buffer passed in op is DMA-able
+
+From: Boris Brezillon
+
+commit 4a3e85f2674cbfb81052059107d0165269778e2f upstream.
+
+As documented in spi-mem.h, spi_mem_op->data.buf.{in,out} must be
+DMA-able, and commit 4120f8d158ef ("mtd: spi-nor: Use the spi_mem_xx()
+API") failed to follow this rule as buffers passed to
+->{read,write}_reg() are usually placed on the stack.
+
+Fix that by allocating a scratch buffer and copying the data around.
+
+Fixes: 4120f8d158ef ("mtd: spi-nor: Use the spi_mem_xx() API")
+Reported-by: Jarkko Nikula
+Cc:
+Signed-off-by: Boris Brezillon
+Tested-by: Jarkko Nikula
+Reviewed-by: Jarkko Nikula
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/devices/m25p80.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/devices/m25p80.c
++++ b/drivers/mtd/devices/m25p80.c
+@@ -41,13 +41,23 @@ static int m25p80_read_reg(struct spi_no
+ struct spi_mem_op op = SPI_MEM_OP(SPI_MEM_OP_CMD(code, 1),
+ SPI_MEM_OP_NO_ADDR,
+ SPI_MEM_OP_NO_DUMMY,
+- SPI_MEM_OP_DATA_IN(len, val, 1));
++ SPI_MEM_OP_DATA_IN(len, NULL, 1));
++ void *scratchbuf;
+ int ret;
+
++ scratchbuf = kmalloc(len, GFP_KERNEL);
++ if (!scratchbuf)
++ return -ENOMEM;
++
++ op.data.buf.in = scratchbuf;
+ ret = spi_mem_exec_op(flash->spimem, &op);
+ if (ret < 0)
+ dev_err(&flash->spimem->spi->dev, "error %d reading %x\n", ret,
+ code);
++ else
++ memcpy(val, scratchbuf, len);
++
++ kfree(scratchbuf);
+
+ return ret;
+ }
+@@ -58,9 +68,19 @@ static int m25p80_write_reg(struct spi_n
+ struct spi_mem_op op = SPI_MEM_OP(SPI_MEM_OP_CMD(opcode, 1),
+ SPI_MEM_OP_NO_ADDR,
+ SPI_MEM_OP_NO_DUMMY,
+- SPI_MEM_OP_DATA_OUT(len, buf, 1));
++ SPI_MEM_OP_DATA_OUT(len, NULL, 1));
++ void *scratchbuf;
++ int ret;
++
++ scratchbuf = kmemdup(buf, len, GFP_KERNEL);
++ if (!scratchbuf)
++ return -ENOMEM;
+
+- return spi_mem_exec_op(flash->spimem, &op);
++ op.data.buf.out = scratchbuf;
++ ret = spi_mem_exec_op(flash->spimem, &op);
++ kfree(scratchbuf);
++
++ return ret;
+ }
+
+ static ssize_t m25p80_write(struct spi_nor *nor, loff_t to, size_t len,
diff --git a/queue-4.18/mtd-rawnand-denali-fix-a-race-condition-when-dma-is-kicked.patch b/queue-4.18/mtd-rawnand-denali-fix-a-race-condition-when-dma-is-kicked.patch
new file mode 100644
index 00000000000..f7ff0774863
--- /dev/null
+++ b/queue-4.18/mtd-rawnand-denali-fix-a-race-condition-when-dma-is-kicked.patch
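Review bot: Both m25p80_read_reg and m25p80_write_reg now allocate and free a bounce buffer on every register access (`kmalloc(len, GFP_KERNEL)` and `kmemdup(buf, len, GFP_KERNEL)`), which adds an -ENOMEM failure path to routine register reads and writes. A scratch buffer allocated once when the flash is set up and reused here would remove that path; the setup code is outside these hunks, so this is a follow-up suggestion, not a change to these lines. m25p80_write_reg also returns a failed transfer silently while m25p80_read_reg logs it with dev_err, and logging on the write side would keep the two consistent. A comment on the declaration, `/* op buffers must be DMA-able; callers may pass stack memory */`, would explain why the data is copied.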
@@ -0,0 +1,44 @@
+From cf51e4b9c34407bf0c3d9b582b7837e047e1df47 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada
+Date: Thu, 13 Sep 2018 14:58:49 +0900
+Subject: mtd: rawnand: denali: fix a race condition when DMA is kicked
+
+From: Masahiro Yamada
+
+commit cf51e4b9c34407bf0c3d9b582b7837e047e1df47 upstream.
+
+I thought the read-back of the DMA_ENABLE register was unnecessary
+(at least it is working on my boards), then deleted it in commit
+586a2c52909d ("mtd: nand: denali: squash denali_enable_dma() helper
+into caller"). Sorry, I was wrong - it caused a timing issue on
+Cyclone5 SoCFPGAs.
+
+Revive the register read-back, commenting why this is necessary.
+
+Fixes: 586a2c52909d ("mtd: nand: denali: squash denali_enable_dma() helper into caller")
+Cc:
+Reported-by: Steffen Trumtrar
+Signed-off-by: Masahiro Yamada
+Reviewed-by: Miquel Raynal
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/raw/denali.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mtd/nand/raw/denali.c
++++ b/drivers/mtd/nand/raw/denali.c
+@@ -604,6 +604,12 @@ static int denali_dma_xfer(struct denali
+ }
+
+ iowrite32(DMA_ENABLE__FLAG, denali->reg + DMA_ENABLE);
++ /*
++ * The ->setup_dma() hook kicks DMA by using the data/command
++ * interface, which belongs to a different AXI port from the
++ * register interface. Read back the register to avoid a race.
++ */
++ ioread32(denali->reg + DMA_ENABLE);
+
+ denali_reset_irq(denali);
+ denali->setup_dma(denali, dma_addr, page, write);
diff --git a/queue-4.18/nfc-fix-possible-memory-corruption-when-handling-shdlc-i-frame-commands.patch b/queue-4.18/nfc-fix-possible-memory-corruption-when-handling-shdlc-i-frame-commands.patch
new file mode 100644
index 00000000000..f6cb6c488eb
--- /dev/null
+++ b/queue-4.18/nfc-fix-possible-memory-corruption-when-handling-shdlc-i-frame-commands.patch
@@ -0,0 +1,63 @@ +From 674d9de02aa7d521ebdf66c3958758bdd9c64e11 Mon Sep 17 00:00:00 2001 +From: Suren Baghdasaryan +Date: Mon, 17 Sep 2018 15:51:40 +0200 +Subject: NFC: Fix possible memory corruption when handling SHDLC I-Frame commands + +From: Suren Baghdasaryan + +commit 674d9de02aa7d521ebdf66c3958758bdd9c64e11 upstream. + +When handling SHDLC I-Frame commands "pipe" field used for indexing +into an array should be checked before usage. If left unchecked it +might access memory outside of the array of size NFC_HCI_MAX_PIPES(127). + +Malformed NFC HCI frames could be injected by a malicious NFC device +communicating with the device being attacked (remote attack vector), +or even by an attacker with physical access to the I2C bus such that +they could influence the data transfers on that bus (local attack vector). +skb->data is controlled by the attacker and has only been sanitized in +the most trivial ways (CRC check), therefore we can consider the +create_info struct and all of its members to tainted. 'create_info->pipe' +with max value of 255 (uint8) is used to take an offset of the +hdev->pipes array of 127 elements which can lead to OOB write. + +Cc: Samuel Ortiz +Cc: Allen Pais +Cc: "David S. Miller" +Suggested-by: Kevin Deus +Signed-off-by: Suren Baghdasaryan +Acked-by: Kees Cook +Cc: stable +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/nfc/hci/core.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/nfc/hci/core.c ++++ b/net/nfc/hci/core.c +@@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci + } + create_info = (struct hci_create_pipe_resp *)skb->data; + ++ if (create_info->pipe >= NFC_HCI_MAX_PIPES) { ++ status = NFC_HCI_ANY_E_NOK; ++ goto exit; ++ } ++ + /* Save the new created pipe and bind with local gate, + * the description for skb->data[3] is destination gate id + * but since we received this cmd from host controller, we +@@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci + } + delete_info = (struct hci_delete_pipe_noti *)skb->data; + ++ if (delete_info->pipe >= NFC_HCI_MAX_PIPES) { ++ status = NFC_HCI_ANY_E_NOK; ++ goto exit; ++ } ++ + hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE; + hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST; + break; diff --git a/queue-4.18/nfc-fix-the-number-of-pipes.patch b/queue-4.18/nfc-fix-the-number-of-pipes.patch new file mode 100644 index 00000000000..dda4fe050a2 --- /dev/null +++ b/queue-4.18/nfc-fix-the-number-of-pipes.patch 
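Review bot: The two bounds checks added to nfc_hci_cmd_received() in net/nfc/hci/core.c, ahead of the writes into the pipes array for `create_info->pipe` and `delete_info->pipe`, reject an out-of-range pipe without leaving any trace, so a peer sending malformed frames goes unnoticed by whoever operates the device. A rate-limited message beside each `status = NFC_HCI_ANY_E_NOK;`, for example `pr_warn_ratelimited("nfc hci: pipe id %u out of range\n", create_info->pipe);`, would make this visible without letting the peer flood the log. A one-line comment such as `/* pipe comes from the received frame (u8); hdev->pipes[] has NFC_HCI_MAX_PIPES entries */` would also record why the guard exists. The function starts and ends outside both hunks, so any other use of a frame-supplied pipe index in it should be confirmed to carry the same guard.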
@@ -0,0 +1,45 @@ +From e285d5bfb7e9785d289663baef252dd315e171f8 Mon Sep 17 00:00:00 2001 +From: Suren Baghdasaryan +Date: Mon, 17 Sep 2018 15:51:41 +0200 +Subject: NFC: Fix the number of pipes + +From: Suren Baghdasaryan + +commit e285d5bfb7e9785d289663baef252dd315e171f8 upstream. + +According to ETSI TS 102 622 specification chapter 4.4 pipe identifier +is 7 bits long which allows for 128 unique pipe IDs. Because +NFC_HCI_MAX_PIPES is used as the number of pipes supported and not +as the max pipe ID, its value should be 128 instead of 127. + +nfc_hci_recv_from_llc extracts pipe ID from packet header using +NFC_HCI_FRAGMENT(0x7F) mask which allows for pipe ID value of 127. +Same happens when NCI_HCP_MSG_GET_PIPE() is being used. With +pipes array having only 127 elements and pipe ID of 127 the OOB memory +access will result. + +Cc: Samuel Ortiz +Cc: Allen Pais +Cc: "David S. Miller" +Suggested-by: Dan Carpenter +Signed-off-by: Suren Baghdasaryan +Reviewed-by: Kees Cook +Cc: stable +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/nfc/hci.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/nfc/hci.h ++++ b/include/net/nfc/hci.h +@@ -87,7 +87,7 @@ struct nfc_hci_pipe { + * According to specification 102 622 chapter 4.4 Pipes, + * the pipe identifier is 7 bits long. + */ +-#define NFC_HCI_MAX_PIPES 127 ++#define NFC_HCI_MAX_PIPES 128 + struct nfc_hci_init_data { + u8 gate_count; + struct nfc_hci_gate gates[NFC_HCI_MAX_CUSTOM_GATES]; diff --git a/queue-4.18/platform-x86-alienware-wmi-correct-a-memory-leak.patch b/queue-4.18/platform-x86-alienware-wmi-correct-a-memory-leak.patch new file mode 100644 index 00000000000..9e3a5b07730 --- /dev/null +++ b/queue-4.18/platform-x86-alienware-wmi-correct-a-memory-leak.patch 
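Review bot: The comment above `#define NFC_HCI_MAX_PIPES 128` in include/net/nfc/hci.h still says only that the identifier is 7 bits long, and the macro name reads as a maximum ID rather than a count, which is the confusion this change corrects. Stating the meaning at the define, e.g. `/* number of pipes: valid IDs are 0 .. NFC_HCI_MAX_PIPES - 1 */`, would keep the next reader from repeating it. A compile-time check near the code that applies the 0x7F mask named in the commit message, along the lines of `BUILD_BUG_ON(NFC_HCI_MAX_PIPES <= NFC_HCI_FRAGMENT);`, would tie the array size to the largest ID the mask can produce. Where that check belongs is outside this hunk.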
@@ -0,0 +1,30 @@ +From ff0e9f26288d2daee4950f42b37a3d3d30d36ec1 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 10 Sep 2018 13:01:53 -0500 +Subject: platform/x86: alienware-wmi: Correct a memory leak + +From: Mario Limonciello + +commit ff0e9f26288d2daee4950f42b37a3d3d30d36ec1 upstream. + +An ACPI buffer that was allocated was not being freed after use. + +Signed-off-by: Mario Limonciello +Cc: stable@vger.kernel.org +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/alienware-wmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/platform/x86/alienware-wmi.c ++++ b/drivers/platform/x86/alienware-wmi.c +@@ -536,6 +536,7 @@ static acpi_status alienware_wmax_comman + if (obj && obj->type == ACPI_TYPE_INTEGER) + *out_data = (u32) obj->integer.value; + } ++ kfree(output.pointer); + return status; + + } diff --git a/queue-4.18/platform-x86-dell-smbios-wmi-correct-a-memory-leak.patch b/queue-4.18/platform-x86-dell-smbios-wmi-correct-a-memory-leak.patch new file mode 100644 index 00000000000..34a830d0432 --- /dev/null +++ b/queue-4.18/platform-x86-dell-smbios-wmi-correct-a-memory-leak.patch 
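Review bot: In alienware_wmax_command() the added `kfree(output.pointer);` sits after the closing brace of the result-handling block, so it runs on every path, including any path on which `output` was never filled in. The declaration and setup of `output` are outside the hunk. If it is only initialised when the caller asks for `out_data`, this call frees an uninitialised stack value. Initialising it at the declaration, `struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };`, or moving the kfree into the branch that actually passed `&output` to the method call, removes that dependence.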
@@ -0,0 +1,31 @@ +From affab51082174f60ef71ced8ab5fbe71f00e9ae3 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 10 Sep 2018 13:01:52 -0500 +Subject: platform/x86: dell-smbios-wmi: Correct a memory leak + +From: Mario Limonciello + +commit affab51082174f60ef71ced8ab5fbe71f00e9ae3 upstream. + +ACPI buffers were being allocated but never freed. + +Reported-by: Pinzhen Xu +Signed-off-by: Mario Limonciello +Cc: stable@vger.kernel.org +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/dell-smbios-wmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/platform/x86/dell-smbios-wmi.c ++++ b/drivers/platform/x86/dell-smbios-wmi.c +@@ -78,6 +78,7 @@ static int run_smbios_call(struct wmi_de + dev_dbg(&wdev->dev, "result: [%08x,%08x,%08x,%08x]\n", + priv->buf->std.output[0], priv->buf->std.output[1], + priv->buf->std.output[2], priv->buf->std.output[3]); ++ kfree(output.pointer); + + return 0; + } diff --git a/queue-4.18/revert-pci-add-acs-quirk-for-intel-300-series.patch b/queue-4.18/revert-pci-add-acs-quirk-for-intel-300-series.patch new file mode 100644 index 00000000000..08d81ad4924 --- /dev/null +++ b/queue-4.18/revert-pci-add-acs-quirk-for-intel-300-series.patch 
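Review bot: In run_smbios_call() the new `kfree(output.pointer);` is placed only on the path that ends in `return 0;`, so any earlier return taken after the WMI method has allocated the buffer would still leak it. The earlier part of the function is outside the hunk, so this needs checking against the full body. The commit message speaks of buffers in the plural, while a single free is added. A single exit, `ret = -EIO; goto out;` with `out: kfree(output.pointer); return ret;`, covers every path, provided `output.pointer` starts out as NULL.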
@@ -0,0 +1,50 @@ +From 50ca031b51106b1b46162d4e9ecccb7edc95682f Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 5 Sep 2018 14:09:54 +0300 +Subject: Revert "PCI: Add ACS quirk for Intel 300 series" + +From: Mika Westerberg + +commit 50ca031b51106b1b46162d4e9ecccb7edc95682f upstream. + +This reverts f154a718e6cc ("PCI: Add ACS quirk for Intel 300 series"). + +It turns out that erratum "PCH PCIe* Controller Root Port (ACSCTLR) Appear +As Read Only" has been fixed in 300 series chipsets, even though the +datasheet [1] claims otherwise. To make ACS work properly on 300 series +root ports, revert the faulty commit. + +[1] https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/300-series-c240-series-chipset-pch-spec-update.pdf + +Fixes: f154a718e6cc ("PCI: Add ACS quirk for Intel 300 series") +Signed-off-by: Mika Westerberg +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v4.18+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4235,11 +4235,6 @@ static int pci_quirk_qcom_rp_acs(struct + * + * 0x9d10-0x9d1b PCI Express Root port #{1-12} + * +- * The 300 series chipset suffers from the same bug so include those root +- * ports here as well. +- * +- * 0xa32c-0xa343 PCI Express Root port #{0-24} +- * + * [1] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-2.html + * [2] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-1.html + * [3] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-spec-update.html +@@ -4257,7 +4252,6 @@ static bool pci_quirk_intel_spt_pch_acs_ + case 0xa110 ... 0xa11f: case 0xa167 ... 0xa16a: /* Sunrise Point */ + case 0xa290 ... 0xa29f: case 0xa2e7 ... 0xa2ee: /* Union Point */ + case 0x9d10 ... 0x9d1b: /* 7th & 8th Gen Mobile */ +- case 0xa32c ... 0xa343: /* 300 series */ + return true; + } + 
diff --git a/queue-4.18/ring-buffer-allow-for-rescheduling-when-removing-pages.patch b/queue-4.18/ring-buffer-allow-for-rescheduling-when-removing-pages.patch new file mode 100644 index 00000000000..cc0013be450 --- /dev/null +++ b/queue-4.18/ring-buffer-allow-for-rescheduling-when-removing-pages.patch @@ -0,0 +1,44 @@ +From 83f365554e47997ec68dc4eca3f5dce525cd15c3 Mon Sep 17 00:00:00 2001 +From: Vaibhav Nagarnaik +Date: Fri, 7 Sep 2018 15:31:29 -0700 +Subject: ring-buffer: Allow for rescheduling when removing pages + +From: Vaibhav Nagarnaik + +commit 83f365554e47997ec68dc4eca3f5dce525cd15c3 upstream. + +When reducing ring buffer size, pages are removed by scheduling a work +item on each CPU for the corresponding CPU ring buffer. After the pages +are removed from ring buffer linked list, the pages are free()d in a +tight loop. The loop does not give up CPU until all pages are removed. +In a worst case behavior, when lot of pages are to be freed, it can +cause system stall. + +After the pages are removed from the list, the free() can happen while +the work is rescheduled. Call cond_resched() in the loop to prevent the +system hangup. + +Link: http://lkml.kernel.org/r/20180907223129.71994-1-vnagarnaik@google.com + +Cc: stable@vger.kernel.org +Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic") +Reported-by: Jason Behmer +Signed-off-by: Vaibhav Nagarnaik +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1545,6 +1545,8 @@ rb_remove_pages(struct ring_buffer_per_c + tmp_iter_page = first_page; + + do { ++ cond_resched(); ++ + to_remove_page = tmp_iter_page; + rb_inc_page(cpu_buffer, &tmp_iter_page); + diff --git a/queue-4.18/series b/queue-4.18/series index 8183ab1e67d..0f568f81a63 100644 --- a/queue-4.18/series +++ b/queue-4.18/series 
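Review bot: The `cond_resched();` added at the top of the do-loop in rb_remove_pages() (kernel/trace/ring_buffer.c) carries no comment, and whether this point is always reached in a context that may sleep depends on code outside the hunk. The commit message says the pages are already unlinked and the loop runs from a work item. Recording that at the call, e.g. `/* pages are already off the list; yield between frees so a large shrink cannot stall the CPU */`, would document the assumption. If a lock is taken earlier in the function, it should be confirmed to be released before the loop.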
@@ -20,3 +20,33 @@ ipv6-use-rt6_info-members-when-dst-is-set-in-rt6_fill_node.patch net-ipv6-do-not-copy-dst-flags-on-rt-init.patch net-mvpp2-let-phylink-manage-the-carrier-state.patch net-rtnl_configure_link-fix-dev-flags-changes-arg-to-__dev_notify_flags.patch +nfc-fix-possible-memory-corruption-when-handling-shdlc-i-frame-commands.patch +nfc-fix-the-number-of-pipes.patch +asoc-wm9712-fix-replace-codec-to-component.patch +asoc-cs4265-fix-mmtlr-data-switch-control.patch +asoc-tas6424-save-last-fault-register-even-when-clear.patch +asoc-rsnd-fixup-not-to-call-clk_get-set-under-non-atomic.patch +asoc-uapi-fix-sound-skl-tplg-interface.h-userspace-compilation-errors.patch +alsa-bebob-fix-memory-leak-for-m-audio-fw1814-and-projectmix-i-o-at-error-path.patch +alsa-bebob-use-address-returned-by-kmalloc-instead-of-kernel-stack-for-streaming-dma-mapping.patch +alsa-emu10k1-fix-possible-info-leak-to-userspace-on-sndrv_emu10k1_ioctl_info.patch +alsa-fireface-fix-memory-leak-in-ff400_switch_fetching_mode.patch +alsa-firewire-digi00x-fix-memory-leak-of-private-data.patch +alsa-firewire-tascam-fix-memory-leak-of-private-data.patch +alsa-fireworks-fix-memory-leak-of-response-buffer-at-error-path.patch +alsa-oxfw-fix-memory-leak-for-model-dependent-data-at-error-path.patch +alsa-oxfw-fix-memory-leak-of-discovered-stream-formats-at-error-path.patch +alsa-oxfw-fix-memory-leak-of-private-data.patch +mtd-devices-m25p80-make-sure-the-buffer-passed-in-op-is-dma-able.patch +mtd-rawnand-denali-fix-a-race-condition-when-dma-is-kicked.patch +platform-x86-dell-smbios-wmi-correct-a-memory-leak.patch +platform-x86-alienware-wmi-correct-a-memory-leak.patch +xen-netfront-don-t-bug-in-case-of-too-many-frags.patch +xen-x86-vpmu-zero-struct-pt_regs-before-calling-into-sample-handling-code.patch +spi-fix-idr-collision-on-systems-with-both-fixed-and-dynamic-spi-bus-numbers.patch +revert-pci-add-acs-quirk-for-intel-300-series.patch +ring-buffer-allow-for-rescheduling-when-removing-pages.patch 
+crypto-x86-aegis-morus-do-not-require-osxsave-for-sse2.patch +fork-report-pid-exhaustion-correctly.patch +mm-disable-deferred-struct-page-for-32-bit-arches.patch +mm-shmem.c-correctly-annotate-new-inodes-for-lockdep.patch diff --git a/queue-4.18/spi-fix-idr-collision-on-systems-with-both-fixed-and-dynamic-spi-bus-numbers.patch b/queue-4.18/spi-fix-idr-collision-on-systems-with-both-fixed-and-dynamic-spi-bus-numbers.patch new file mode 100644 index 00000000000..dcf144f2852 --- /dev/null +++ b/queue-4.18/spi-fix-idr-collision-on-systems-with-both-fixed-and-dynamic-spi-bus-numbers.patch 
@@ -0,0 +1,46 @@ +From 1a4327fbf4554d5b78d75b19a13d40d6de220159 Mon Sep 17 00:00:00 2001 +From: Kirill Kapranov +Date: Mon, 13 Aug 2018 19:48:10 +0300 +Subject: spi: fix IDR collision on systems with both fixed and dynamic SPI bus numbers + +From: Kirill Kapranov + +commit 1a4327fbf4554d5b78d75b19a13d40d6de220159 upstream. + +On systems where some controllers get a dynamic ID assigned and some have +a fixed number (e.g. from ACPI tables), the current implementation might +run into an IDR collision: in case of a fixed bus number is gotten by a +driver (but not marked busy in IDR tree) and a driver with dynamic bus +number gets the same ID and predictably fails. + +Fix this by means of checking-in fixed IDsin IDR as far as dynamic ones +at the moment of the controller registration. + +Fixes: 9b61e302210e (spi: Pick spi bus number from Linux idr or spi alias) +Signed-off-by: Kirill Kapranov +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -2170,6 +2170,15 @@ int spi_register_controller(struct spi_c + if (WARN(id < 0, "couldn't get idr")) + return id; + ctlr->bus_num = id; ++ } else { ++ /* devices with a fixed bus num must check-in with the num */ ++ mutex_lock(&board_lock); ++ id = idr_alloc(&spi_master_idr, ctlr, ctlr->bus_num, ++ ctlr->bus_num + 1, GFP_KERNEL); ++ mutex_unlock(&board_lock); ++ if (WARN(id < 0, "couldn't get idr")) ++ return id == -ENOSPC ? -EBUSY : id; ++ ctlr->bus_num = id; + } + INIT_LIST_HEAD(&ctlr->queue); + spin_lock_init(&ctlr->queue_lock); diff --git a/queue-4.18/xen-netfront-don-t-bug-in-case-of-too-many-frags.patch b/queue-4.18/xen-netfront-don-t-bug-in-case-of-too-many-frags.patch new file mode 100644 index 00000000000..d3d8d980c4d --- /dev/null +++ b/queue-4.18/xen-netfront-don-t-bug-in-case-of-too-many-frags.patch 
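Review bot: The new else branch in spi_register_controller() reports an already-taken fixed bus number through `WARN(id < 0, "couldn't get idr")`, which prints a backtrace and stops machines running with panic_on_warn. The commit message treats this as an ordinary configuration collision, and the code returns it as -EBUSY. The message is also identical to the one in the dynamic branch, so the log cannot tell the two cases apart. A plain error would fit better: `if (id < 0) { dev_err(&ctlr->dev, "bus number %d already in use\n", ctlr->bus_num); return id == -ENOSPC ? -EBUSY : id; }`. The rest of the function is outside the hunk, so it should also be confirmed that the later failure paths release the ID now reserved for fixed-number controllers.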
@@ -0,0 +1,51 @@ +From ad4f15dc2c70b1de5e0a64d27335962fbc9cf71c Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Tue, 11 Sep 2018 09:04:48 +0200 +Subject: xen/netfront: don't bug in case of too many frags + +From: Juergen Gross + +commit ad4f15dc2c70b1de5e0a64d27335962fbc9cf71c upstream. + +Commit 57f230ab04d291 ("xen/netfront: raise max number of slots in +xennet_get_responses()") raised the max number of allowed slots by one. +This seems to be problematic in some configurations with netback using +a larger MAX_SKB_FRAGS value (e.g. old Linux kernel with MAX_SKB_FRAGS +defined as 18 instead of nowadays 17). + +Instead of BUG_ON() in this case just fall back to retransmission. + +Fixes: 57f230ab04d291 ("xen/netfront: raise max number of slots in xennet_get_responses()") +Cc: stable@vger.kernel.org +Signed-off-by: Juergen Gross +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/xen-netfront.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -907,7 +907,11 @@ static RING_IDX xennet_fill_frags(struct + BUG_ON(pull_to <= skb_headlen(skb)); + __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); + } +- BUG_ON(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS); ++ if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) { ++ queue->rx.rsp_cons = ++cons; ++ kfree_skb(nskb); ++ return ~0U; ++ } + + skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, + skb_frag_page(nfrag), +@@ -1044,6 +1048,8 @@ err: + skb->len += rx->status; + + i = xennet_fill_frags(queue, skb, &tmpq); ++ if (unlikely(i == ~0U)) ++ goto err; + + if (rx->flags & XEN_NETRXF_csum_blank) + skb->ip_summed = CHECKSUM_PARTIAL; diff --git a/queue-4.18/xen-x86-vpmu-zero-struct-pt_regs-before-calling-into-sample-handling-code.patch b/queue-4.18/xen-x86-vpmu-zero-struct-pt_regs-before-calling-into-sample-handling-code.patch new file mode 100644 index 00000000000..e0f88fa0acd --- /dev/null 
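Review bot: xennet_fill_frags() returns a RING_IDX, and the new error path signals failure with `return ~0U;`, which the caller tests with `i == ~0U`. If ring indices are free-running unsigned counters (their definition is not on this page), ~0U is also a legitimate consumer index, and a successful call could be mistaken for a failure. Returning an int status avoids the in-band sentinel: store the index with `queue->rx.rsp_cons = cons;` before `return 0;` on success, use `return -ENOENT;` on the error path, and test `if (unlikely(xennet_fill_frags(queue, skb, &tmpq))) goto err;` in the caller. Both functions extend outside the hunks, so whether the `err:` path also releases skbs still queued on the list passed in should be checked there.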
+++ b/queue-4.18/xen-x86-vpmu-zero-struct-pt_regs-before-calling-into-sample-handling-code.patch @@ -0,0 +1,33 @@ +From 70513d58751d7c6c1a0133557b13089b9f2e3e66 Mon Sep 17 00:00:00 2001 +From: Boris Ostrovsky +Date: Thu, 12 Jul 2018 13:27:00 -0400 +Subject: xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code + +From: Boris Ostrovsky + +commit 70513d58751d7c6c1a0133557b13089b9f2e3e66 upstream. + +Otherwise we may leak kernel stack for events that sample user +registers. + +Reported-by: Mark Rutland +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/pmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/xen/pmu.c ++++ b/arch/x86/xen/pmu.c +@@ -478,7 +478,7 @@ static void xen_convert_regs(const struc + irqreturn_t xen_pmu_irq_handler(int irq, void *dev_id) + { + int err, ret = IRQ_NONE; +- struct pt_regs regs; ++ struct pt_regs regs = {0}; + const struct xen_pmu_data *xenpmu_data = get_xenpmu_data(); + uint8_t xenpmu_flags = get_xenpmu_flags(); + -- 2.47.3
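Review bot: In xen_pmu_irq_handler() (arch/x86/xen/pmu.c) the reason for `struct pt_regs regs = {0};` is not recorded next to the declaration, and a zero initialiser ahead of a conversion helper is easily dropped later as redundant. A short comment would preserve it: `/* zeroed so fields xen_convert_regs() leaves unset never carry stack contents into sample handling */`. Which fields the helper fills is outside this hunk. The commit message states only that the kernel stack may otherwise leak for events that sample user registers.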