From: Greg Kroah-Hartman Date: Thu, 6 Feb 2020 16:15:16 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.19.103~131 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f81fae16da9613b25fc376425a56a79c62e89076;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: irqdomain-fix-a-memory-leak-in-irq_domain_push_irq.patch lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch platform-x86-intel_scu_ipc-fix-interrupt-support.patch --- diff --git a/queue-4.14/irqdomain-fix-a-memory-leak-in-irq_domain_push_irq.patch b/queue-4.14/irqdomain-fix-a-memory-leak-in-irq_domain_push_irq.patch new file mode 100644 index 00000000000..64d920cf4fe --- /dev/null +++ b/queue-4.14/irqdomain-fix-a-memory-leak-in-irq_domain_push_irq.patch @@ -0,0 +1,54 @@ +From 0f394daef89b38d58c91118a2b08b8a1b316703b Mon Sep 17 00:00:00 2001 +From: Kevin Hao +Date: Mon, 20 Jan 2020 12:35:47 +0800 +Subject: irqdomain: Fix a memory leak in irq_domain_push_irq() + +From: Kevin Hao + +commit 0f394daef89b38d58c91118a2b08b8a1b316703b upstream. + +Fix a memory leak reported by kmemleak: +unreferenced object 0xffff000bc6f50e80 (size 128): + comm "kworker/23:2", pid 201, jiffies 4294894947 (age 942.132s) + hex dump (first 32 bytes): + 00 00 00 00 41 00 00 00 86 c0 03 00 00 00 00 00 ....A........... + 00 a0 b2 c6 0b 00 ff ff 40 51 fd 10 00 80 ff ff ........@Q...... + backtrace: + [<00000000e62d2240>] kmem_cache_alloc_trace+0x1a4/0x320 + [<00000000279143c9>] irq_domain_push_irq+0x7c/0x188 + [<00000000d9f4c154>] thunderx_gpio_probe+0x3ac/0x438 + [<00000000fd09ec22>] pci_device_probe+0xe4/0x198 + [<00000000d43eca75>] really_probe+0xdc/0x320 + [<00000000d3ebab09>] driver_probe_device+0x5c/0xf0 + [<000000005b3ecaa0>] __device_attach_driver+0x88/0xc0 + [<000000004e5915f5>] bus_for_each_drv+0x7c/0xc8 + [<0000000079d4db41>] __device_attach+0xe4/0x140 + [<00000000883bbda9>] device_initial_probe+0x18/0x20 + [<000000003be59ef6>] bus_probe_device+0x98/0xa0 + [<0000000039b03d3f>] deferred_probe_work_func+0x74/0xa8 + [<00000000870934ce>] process_one_work+0x1c8/0x470 + [<00000000e3cce570>] worker_thread+0x1f8/0x428 + [<000000005d64975e>] kthread+0xfc/0x128 + [<00000000f0eaa764>] ret_from_fork+0x10/0x18 + +Fixes: 495c38d3001f ("irqdomain: Add irq_domain_{push,pop}_irq() functions") +Signed-off-by: Kevin Hao +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200120043547.22271-1-haokexin@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/irqdomain.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/irq/irqdomain.c ++++ b/kernel/irq/irqdomain.c +@@ -1538,6 +1538,7 @@ int irq_domain_push_irq(struct irq_domai + if (rv) { + /* Restore the original irq_data. */ + *root_irq_data = *child_irq_data; ++ kfree(child_irq_data); + goto error; + } + diff --git a/queue-4.14/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch b/queue-4.14/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch new file mode 100644 index 00000000000..778c8de365d --- /dev/null +++ b/queue-4.14/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch @@ -0,0 +1,39 @@ +From 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Thu, 30 Jan 2020 22:13:51 -0800 +Subject: lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() + +From: Gustavo A. R. Silva + +commit 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 upstream. + +In case memory resources for _ptr2_ were allocated, release them before +return. + +Notice that in case _ptr1_ happens to be NULL, krealloc() behaves +exactly like kmalloc(). + +Addresses-Coverity-ID: 1490594 ("Resource leak") +Link: http://lkml.kernel.org/r/20200123160115.GA4202@embeddedor +Fixes: 3f15801cdc23 ("lib: add kasan test module") +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Dmitry Vyukov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/test_kasan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/test_kasan.c ++++ b/lib/test_kasan.c +@@ -126,6 +126,7 @@ static noinline void __init kmalloc_oob_ + if (!ptr1 || !ptr2) { + pr_err("Allocation failed\n"); + kfree(ptr1); ++ kfree(ptr2); + return; + } + diff --git a/queue-4.14/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch b/queue-4.14/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch new file mode 100644 index 00000000000..64ddf10bea9 --- /dev/null +++ b/queue-4.14/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch @@ -0,0 +1,64 @@ +From 3c7470b6f68434acae459482ab920d1e3fabd1c7 Mon Sep 17 00:00:00 2001 +From: John Hubbard +Date: Thu, 30 Jan 2020 22:12:50 -0800 +Subject: media/v4l2-core: set pages dirty upon releasing DMA buffers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John Hubbard + +commit 3c7470b6f68434acae459482ab920d1e3fabd1c7 upstream. + +After DMA is complete, and the device and CPU caches are synchronized, +it's still required to mark the CPU pages as dirty, if the data was +coming from the device. However, this driver was just issuing a bare +put_page() call, without any set_page_dirty*() call. + +Fix the problem, by calling set_page_dirty_lock() if the CPU pages were +potentially receiving data from the device. + +Link: http://lkml.kernel.org/r/20200107224558.2362728-11-jhubbard@nvidia.com +Signed-off-by: John Hubbard +Reviewed-by: Christoph Hellwig +Acked-by: Hans Verkuil +Cc: Mauro Carvalho Chehab +Cc: +Cc: Alex Williamson +Cc: Aneesh Kumar K.V +Cc: Björn Töpel +Cc: Daniel Vetter +Cc: Dan Williams +Cc: Ira Weiny +Cc: Jan Kara +Cc: Jason Gunthorpe +Cc: Jason Gunthorpe +Cc: Jens Axboe +Cc: Jerome Glisse +Cc: Jonathan Corbet +Cc: Kirill A. Shutemov +Cc: Leon Romanovsky +Cc: Mike Rapoport +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/videobuf-dma-sg.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/media/v4l2-core/videobuf-dma-sg.c ++++ b/drivers/media/v4l2-core/videobuf-dma-sg.c +@@ -352,8 +352,11 @@ int videobuf_dma_free(struct videobuf_dm + BUG_ON(dma->sglen); + + if (dma->pages) { +- for (i = 0; i < dma->nr_pages; i++) ++ for (i = 0; i < dma->nr_pages; i++) { ++ if (dma->direction == DMA_FROM_DEVICE) ++ set_page_dirty_lock(dma->pages[i]); + put_page(dma->pages[i]); ++ } + kfree(dma->pages); + dma->pages = NULL; + } diff --git a/queue-4.14/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch b/queue-4.14/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch new file mode 100644 index 00000000000..12a9b63bc26 --- /dev/null +++ b/queue-4.14/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch @@ -0,0 +1,78 @@ +From f51e50db4c20d46930b33be3f208851265694f3e Mon Sep 17 00:00:00 2001 +From: Helen Koike +Date: Tue, 17 Dec 2019 21:00:22 +0100 +Subject: media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments + +From: Helen Koike + +commit f51e50db4c20d46930b33be3f208851265694f3e upstream. + +boundary->width and boundary->height are sizes relative to +boundary->left and boundary->top coordinates, but they were not being +taken into consideration to adjust r->left and r->top, leading to the +following error: + +Consider the follow as initial values for boundary and r: + +struct v4l2_rect boundary = { + .left = 100, + .top = 100, + .width = 800, + .height = 600, +} + +struct v4l2_rect r = { + .left = 0, + .top = 0, + .width = 1920, + .height = 960, +} + +calling v4l2_rect_map_inside(&r, &boundary) was modifying r to: + +r = { + .left = 0, + .top = 0, + .width = 800, + .height = 600, +} + +Which is wrongly outside the boundary rectangle, because: + + v4l2_rect_set_max_size(r, boundary); // r->width = 800, r->height = 600 + ... + if (r->left + r->width > boundary->width) // true + r->left = boundary->width - r->width; // r->left = 800 - 800 + if (r->top + r->height > boundary->height) // true + r->top = boundary->height - r->height; // r->height = 600 - 600 + +Fix this by considering top/left coordinates from boundary. + +Fixes: ac49de8c49d7 ("[media] v4l2-rect.h: new header with struct v4l2_rect helper functions") +Signed-off-by: Helen Koike +Cc: # for v4.7 and up +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + include/media/v4l2-rect.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/include/media/v4l2-rect.h ++++ b/include/media/v4l2-rect.h +@@ -75,10 +75,10 @@ static inline void v4l2_rect_map_inside( + r->left = boundary->left; + if (r->top < boundary->top) + r->top = boundary->top; +- if (r->left + r->width > boundary->width) +- r->left = boundary->width - r->width; +- if (r->top + r->height > boundary->height) +- r->top = boundary->height - r->height; ++ if (r->left + r->width > boundary->left + boundary->width) ++ r->left = boundary->left + boundary->width - r->width; ++ if (r->top + r->height > boundary->top + boundary->height) ++ r->top = boundary->top + boundary->height - r->height; + } + + /** diff --git a/queue-4.14/platform-x86-intel_scu_ipc-fix-interrupt-support.patch b/queue-4.14/platform-x86-intel_scu_ipc-fix-interrupt-support.patch new file mode 100644 index 00000000000..3d73c9fb164 --- /dev/null +++ b/queue-4.14/platform-x86-intel_scu_ipc-fix-interrupt-support.patch @@ -0,0 +1,98 @@ +From e48b72a568bbd641c91dad354138d3c17d03ee6f Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 22 Jan 2020 19:28:04 +0300 +Subject: platform/x86: intel_scu_ipc: Fix interrupt support + +From: Mika Westerberg + +commit e48b72a568bbd641c91dad354138d3c17d03ee6f upstream. + +Currently the driver has disabled interrupt support for Tangier but +actually interrupt works just fine if the command is not written twice +in a row. Also we need to ack the interrupt in the handler. + +Signed-off-by: Mika Westerberg +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Signed-off-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/intel_scu_ipc.c | 21 ++++++++------------- + 1 file changed, 8 insertions(+), 13 deletions(-) + +--- a/drivers/platform/x86/intel_scu_ipc.c ++++ b/drivers/platform/x86/intel_scu_ipc.c +@@ -69,26 +69,22 @@ + struct intel_scu_ipc_pdata_t { + u32 i2c_base; + u32 i2c_len; +- u8 irq_mode; + }; + + static const struct intel_scu_ipc_pdata_t intel_scu_ipc_lincroft_pdata = { + .i2c_base = 0xff12b000, + .i2c_len = 0x10, +- .irq_mode = 0, + }; + + /* Penwell and Cloverview */ + static const struct intel_scu_ipc_pdata_t intel_scu_ipc_penwell_pdata = { + .i2c_base = 0xff12b000, + .i2c_len = 0x10, +- .irq_mode = 1, + }; + + static const struct intel_scu_ipc_pdata_t intel_scu_ipc_tangier_pdata = { + .i2c_base = 0xff00d000, + .i2c_len = 0x10, +- .irq_mode = 0, + }; + + struct intel_scu_ipc_dev { +@@ -101,6 +97,9 @@ struct intel_scu_ipc_dev { + + static struct intel_scu_ipc_dev ipcdev; /* Only one for now */ + ++#define IPC_STATUS 0x04 ++#define IPC_STATUS_IRQ BIT(2) ++ + /* + * IPC Read Buffer (Read Only): + * 16 byte buffer for receiving data from SCU, if IPC command +@@ -122,11 +121,8 @@ static DEFINE_MUTEX(ipclock); /* lock us + */ + static inline void ipc_command(struct intel_scu_ipc_dev *scu, u32 cmd) + { +- if (scu->irq_mode) { +- reinit_completion(&scu->cmd_complete); +- writel(cmd | IPC_IOC, scu->ipc_base); +- } +- writel(cmd, scu->ipc_base); ++ reinit_completion(&scu->cmd_complete); ++ writel(cmd | IPC_IOC, scu->ipc_base); + } + + /* +@@ -612,9 +608,10 @@ EXPORT_SYMBOL(intel_scu_ipc_i2c_cntrl); + static irqreturn_t ioc(int irq, void *dev_id) + { + struct intel_scu_ipc_dev *scu = dev_id; ++ int status = ipc_read_status(scu); + +- if (scu->irq_mode) +- complete(&scu->cmd_complete); ++ writel(status | IPC_STATUS_IRQ, scu->ipc_base + IPC_STATUS); ++ complete(&scu->cmd_complete); + + return IRQ_HANDLED; + } +@@ -640,8 +637,6 @@ static int ipc_probe(struct pci_dev *pde + if (!pdata) + return -ENODEV; + +- scu->irq_mode = pdata->irq_mode; +- + err = pcim_enable_device(pdev); + if (err) + return err; diff --git a/queue-4.14/series b/queue-4.14/series index 60622c5f5b2..7cfa0a9b9cc 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -23,3 +23,8 @@ usb-gadget-legacy-set-max_speed-to-super-speed.patch usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch alsa-dummy-fix-pcm-format-loop-in-proc-output.patch +media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch +media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch +lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch +irqdomain-fix-a-memory-leak-in-irq_domain_push_irq.patch +platform-x86-intel_scu_ipc-fix-interrupt-support.patch