From fb1f6de535477c2ace2352d1714e04ca39e99075 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Wed, 13 Feb 2019 11:21:55 +0100
Subject: [PATCH] 4.20-stable patches
added patches:
cfg80211-call-disconnect_wk-when-ap-stops.patch
debugfs-fix-debugfs_rename-parameter-checking.patch
iio-adc-axp288-fix-ts-pin-handling.patch
iio-chemical-atlas-ph-sensor-correct-iio_temp-values-to-millicelsius.patch
iio-ti-ads8688-update-buffer-allocation-for-timestamps.patch
libata-add-nolpm-quirk-for-samsung-mz7te512hmhp-000l1-ssd.patch
mei-me-add-ice-lake-point-device-id.patch
misc-vexpress-off-by-one-in-vexpress_syscfg_exec.patch
mtd-make-sure-mtd-erasesize-is-valid-even-if-the-partition-is-of-size-0.patch
mtd-rawnand-gpmi-fix-mx28-bus-master-lockup-problem.patch
mtd-spinand-fix-the-error-cleanup-path-in-spinand_init.patch
mtd-spinand-handle-the-case-where-program-load-does-not-reset-the-cache.patch
samples-mei-use-dev-mei0-instead-of-dev-mei.patch
signal-always-attempt-to-allocate-siginfo-for-sigstop.patch
signal-always-notice-exiting-tasks.patch
signal-better-detection-of-synchronous-signals.patch
tools-iio-iio_generic_buffer-make-num_loops-signed.patch
---
...211-call-disconnect_wk-when-ap-stops.patch | 60 ++++++
...ix-debugfs_rename-parameter-checking.patch | 39 ++++
.../iio-adc-axp288-fix-ts-pin-handling.patch | 203 ++++++++++++++++++
...rect-iio_temp-values-to-millicelsius.patch | 45 ++++
...ate-buffer-allocation-for-timestamps.patch | 42 ++++
...k-for-samsung-mz7te512hmhp-000l1-ssd.patch | 37 ++++
.../mei-me-add-ice-lake-point-device-id.patch | 42 ++++
...s-off-by-one-in-vexpress_syscfg_exec.patch | 35 +++
...d-even-if-the-partition-is-of-size-0.patch | 42 ++++
...i-fix-mx28-bus-master-lockup-problem.patch | 84 ++++++++
...e-error-cleanup-path-in-spinand_init.patch | 39 ++++
...rogram-load-does-not-reset-the-cache.patch | 99 +++++++++
...-mei-use-dev-mei0-instead-of-dev-mei.patch | 31 +++
queue-4.20/series | 17 ++
...empt-to-allocate-siginfo-for-sigstop.patch | 72 +++++++
.../signal-always-notice-exiting-tasks.patch | 65 ++++++
...ter-detection-of-synchronous-signals.patch | 116 ++++++++++
...generic_buffer-make-num_loops-signed.patch | 40 ++++
18 files changed, 1108 insertions(+)
create mode 100644 queue-4.20/cfg80211-call-disconnect_wk-when-ap-stops.patch
create mode 100644 queue-4.20/debugfs-fix-debugfs_rename-parameter-checking.patch
create mode 100644 queue-4.20/iio-adc-axp288-fix-ts-pin-handling.patch
create mode 100644 queue-4.20/iio-chemical-atlas-ph-sensor-correct-iio_temp-values-to-millicelsius.patch
create mode 100644 queue-4.20/iio-ti-ads8688-update-buffer-allocation-for-timestamps.patch
create mode 100644 queue-4.20/libata-add-nolpm-quirk-for-samsung-mz7te512hmhp-000l1-ssd.patch
create mode 100644 queue-4.20/mei-me-add-ice-lake-point-device-id.patch
create mode 100644 queue-4.20/misc-vexpress-off-by-one-in-vexpress_syscfg_exec.patch
create mode 100644 queue-4.20/mtd-make-sure-mtd-erasesize-is-valid-even-if-the-partition-is-of-size-0.patch
create mode 100644 queue-4.20/mtd-rawnand-gpmi-fix-mx28-bus-master-lockup-problem.patch
create mode 100644 queue-4.20/mtd-spinand-fix-the-error-cleanup-path-in-spinand_init.patch
create mode 100644 queue-4.20/mtd-spinand-handle-the-case-where-program-load-does-not-reset-the-cache.patch
create mode 100644 queue-4.20/samples-mei-use-dev-mei0-instead-of-dev-mei.patch
create mode 100644 queue-4.20/series
create mode 100644 queue-4.20/signal-always-attempt-to-allocate-siginfo-for-sigstop.patch
create mode 100644 queue-4.20/signal-always-notice-exiting-tasks.patch
create mode 100644 queue-4.20/signal-better-detection-of-synchronous-signals.patch
create mode 100644 queue-4.20/tools-iio-iio_generic_buffer-make-num_loops-signed.patch
diff --git a/queue-4.20/cfg80211-call-disconnect_wk-when-ap-stops.patch b/queue-4.20/cfg80211-call-disconnect_wk-when-ap-stops.patch
new file mode 100644
index 00000000000..57a87a26902
--- /dev/null
+++ b/queue-4.20/cfg80211-call-disconnect_wk-when-ap-stops.patch
@@ -0,0 +1,60 @@
+From e005bd7ddea06784c1eb91ac5bb6b171a94f3b05 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 1 Feb 2019 11:09:54 +0100
+Subject: cfg80211: call disconnect_wk when AP stops
+
+From: Johannes Berg
+
+commit e005bd7ddea06784c1eb91ac5bb6b171a94f3b05 upstream.
+
+Since we now prevent regulatory restore during STA disconnect
+if concurrent AP interfaces are active, we need to reschedule
+this check when the AP state changes. This fixes never doing
+a restore when an AP is the last interface to stop. Or to put
+it another way: we need to re-check after anything we check
+here changes.
+
+Cc: stable@vger.kernel.org
+Fixes: 113f3aaa81bd ("cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces")
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/ap.c | 2 ++
+ net/wireless/core.h | 2 ++
+ net/wireless/sme.c | 2 +-
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/wireless/ap.c
++++ b/net/wireless/ap.c
+@@ -41,6 +41,8 @@ int __cfg80211_stop_ap(struct cfg80211_r
+ cfg80211_sched_dfs_chan_update(rdev);
+ }
+
++ schedule_work(&cfg80211_disconnect_work);
++
+ return err;
+ }
+
+--- a/net/wireless/core.h
++++ b/net/wireless/core.h
+@@ -444,6 +444,8 @@ void cfg80211_process_wdev_events(struct
+ bool cfg80211_does_bw_fit_range(const struct ieee80211_freq_range *freq_range,
+ u32 center_freq_khz, u32 bw_khz);
+
++extern struct work_struct cfg80211_disconnect_work;
++
+ /**
+ * cfg80211_chandef_dfs_usable - checks if chandef is DFS usable
+ * @wiphy: the wiphy to validate against
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -667,7 +667,7 @@ static void disconnect_work(struct work_
+ rtnl_unlock();
+ }
+
+-static DECLARE_WORK(cfg80211_disconnect_work, disconnect_work);
++DECLARE_WORK(cfg80211_disconnect_work, disconnect_work);
+
+
+ /*
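Review bot: In the net/wireless/ap.c hunk of the cfg80211 patch, `schedule_work(&cfg80211_disconnect_work)` is placed after the closing brace of the preceding block and directly before `return err;`, so it appears to run whatever `err` holds, and the reason for that lives only in the commit message. A one-line comment at the call would keep the intent with the code, for example `/* AP state changed: re-run the regulatory-restore check */`. The same applies to the new `extern` in core.h, which exposes a work item that used to be file-local in sme.c and deserves a short note on who may schedule it. __cfg80211_stop_ap() starts outside the hunk, so the paths that reach this call are not visible here.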
diff --git a/queue-4.20/debugfs-fix-debugfs_rename-parameter-checking.patch b/queue-4.20/debugfs-fix-debugfs_rename-parameter-checking.patch
new file mode 100644
index 00000000000..5bc8b5de1f8
--- /dev/null
+++ b/queue-4.20/debugfs-fix-debugfs_rename-parameter-checking.patch
@@ -0,0 +1,39 @@
+From d88c93f090f708c18195553b352b9f205e65418f Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 23 Jan 2019 11:27:02 +0100
+Subject: debugfs: fix debugfs_rename parameter checking
+
+From: Greg Kroah-Hartman
+
+commit d88c93f090f708c18195553b352b9f205e65418f upstream.
+
+debugfs_rename() needs to check that the dentries passed into it really
+are valid, as sometimes they are not (i.e. if the return value of
+another debugfs call is passed into this one.) So fix this up by
+properly checking if the two parent directories are errors (they are
+allowed to be NULL), and if the dentry to rename is not NULL or an
+error.
+
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/debugfs/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -787,6 +787,13 @@ struct dentry *debugfs_rename(struct den
+ struct dentry *dentry = NULL, *trap;
+ struct name_snapshot old_name;
+
++ if (IS_ERR(old_dir))
++ return old_dir;
++ if (IS_ERR(new_dir))
++ return new_dir;
++ if (IS_ERR_OR_NULL(old_dentry))
++ return old_dentry;
++
+ trap = lock_rename(new_dir, old_dir);
+ /* Source or destination directories don't exist? */
+ if (d_really_is_negative(old_dir) || d_really_is_negative(new_dir))
diff --git a/queue-4.20/iio-adc-axp288-fix-ts-pin-handling.patch b/queue-4.20/iio-adc-axp288-fix-ts-pin-handling.patch
new file mode 100644
index 00000000000..e3f2a6f482f
--- /dev/null
+++ b/queue-4.20/iio-adc-axp288-fix-ts-pin-handling.patch
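Review bot: In the fs/debugfs/inode.c hunk, the new guards in debugfs_rename() reject error pointers for `old_dir` and `new_dir` but let NULL through, and the next visible lines pass both to `lock_rename(new_dir, old_dir)` and `d_really_is_negative()`. The commit message says NULL parents are allowed, yet nothing in the hunk maps NULL to a real dentry, so unless those helpers tolerate NULL this is still a NULL dereference; either reject it too with `if (IS_ERR_OR_NULL(old_dir)) return old_dir;` (and the same for `new_dir`) or add a comment saying where NULL is handled. The early returns also hand back the error pointer itself, so a caller that only tests the result against NULL would take it for success; the return contract should be stated in the function's kernel-doc. The function body continues past the hunk.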
@@ -0,0 +1,203 @@
+From 9bcf15f75cac3c6a00d8f8083a635de9c8537799 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Sat, 5 Jan 2019 19:36:18 +0100
+Subject: iio: adc: axp288: Fix TS-pin handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede
+
+commit 9bcf15f75cac3c6a00d8f8083a635de9c8537799 upstream.
+
+Prior to this commit there were 3 issues with our handling of the TS-pin:
+
+1) There are 2 ways how the firmware can disable monitoring of the TS-pin
+for designs which do not have a temperature-sensor for the battery:
+a) Clearing bit 0 of the AXP20X_ADC_EN1 register
+b) Setting bit 2 of the AXP288_ADC_TS_PIN_CTRL monitoring
+
+Prior to this commit we were unconditionally setting both bits to the
+value used on devices with a TS. This causes the temperature protection to
+kick in on devices without a TS, such as the Jumper ezbook v2, causing
+them to not charge under Linux.
+
+This commit fixes this by using regmap_update_bits when updating these 2
+registers, leaving the 2 mentioned bits alone.
+
+The next 2 problems are related to our handling of the current-source
+for the TS-pin. The current-source used for the battery temp-sensor (TS)
+is shared with the GPADC. For proper fuel-gauge and charger operation the
+TS current-source needs to be permanently on. But to read the GPADC we
+need to temporary switch the TS current-source to ondemand, so that the
+GPADC can use it, otherwise we will always read an all 0 value.
+
+2) Problem 2 is we were writing hardcoded values to the ADC TS pin-ctrl
+register, overwriting various other unrelated bits. Specifically we were
+overwriting the current-source setting for the TS and GPIO0 pins, forcing
+it to 80ųA independent of its original setting. On a Chuwi Vi10 tablet
+this was causing us to get a too high adc value (due to a too high
+current-source) resulting in the following errors being logged:
+
+ACPI Error: AE_ERROR, Returned by Handler for [UserDefinedRegion]
+ACPI Error: Method parse/execution failed \_SB.SXP1._TMP, AE_ERROR
+
+This commit fixes this by using regmap_update_bits to change only the
+relevant bits.
+
+3) After reading the GPADC channel we were unconditionally enabling the
+TS current-source even on devices where the TS-pin is not used and the
+current-source thus was off before axp288_adc_read_raw call.
+
+This commit fixes this by making axp288_adc_set_ts a nop on devices where
+the ADC is not enabled for the TS-pin.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1610545
+Fixes: 3091141d7803 ("iio: adc: axp288: Fix the GPADC pin ...")
+Signed-off-by: Hans de Goede
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/axp288_adc.c | 76 +++++++++++++++++++++++++++++++++----------
+ 1 file changed, 60 insertions(+), 16 deletions(-)
+
+--- a/drivers/iio/adc/axp288_adc.c
++++ b/drivers/iio/adc/axp288_adc.c
+@@ -27,9 +27,18 @@
+ #include
+ #include
+
+-#define AXP288_ADC_EN_MASK 0xF1
+-#define AXP288_ADC_TS_PIN_GPADC 0xF2
+-#define AXP288_ADC_TS_PIN_ON 0xF3
++/*
++ * This mask enables all ADCs except for the battery temp-sensor (TS), that is
++ * left as-is to avoid breaking charging on devices without a temp-sensor.
++ */
++#define AXP288_ADC_EN_MASK 0xF0
++#define AXP288_ADC_TS_ENABLE 0x01
++
++#define AXP288_ADC_TS_CURRENT_ON_OFF_MASK GENMASK(1, 0)
++#define AXP288_ADC_TS_CURRENT_OFF (0 << 0)
++#define AXP288_ADC_TS_CURRENT_ON_WHEN_CHARGING (1 << 0)
++#define AXP288_ADC_TS_CURRENT_ON_ONDEMAND (2 << 0)
++#define AXP288_ADC_TS_CURRENT_ON (3 << 0)
+
+ enum axp288_adc_id {
+ AXP288_ADC_TS,
+@@ -44,6 +53,7 @@ enum axp288_adc_id {
+ struct axp288_adc_info {
+ int irq;
+ struct regmap *regmap;
++ bool ts_enabled;
+ };
+
+ static const struct iio_chan_spec axp288_adc_channels[] = {
+@@ -115,21 +125,33 @@ static int axp288_adc_read_channel(int *
+ return IIO_VAL_INT;
+ }
+
+-static int axp288_adc_set_ts(struct regmap *regmap, unsigned int mode,
+- unsigned long address)
++/*
++ * The current-source used for the battery temp-sensor (TS) is shared
++ * with the GPADC. For proper fuel-gauge and charger operation the TS
++ * current-source needs to be permanently on. But to read the GPADC we
++ * need to temporary switch the TS current-source to ondemand, so that
++ * the GPADC can use it, otherwise we will always read an all 0 value.
++ */
++static int axp288_adc_set_ts(struct axp288_adc_info *info,
++ unsigned int mode, unsigned long address)
+ {
+ int ret;
+
+- /* channels other than GPADC do not need to switch TS pin */
++ /* No need to switch the current-source if the TS pin is disabled */
++ if (!info->ts_enabled)
++ return 0;
++
++ /* Channels other than GPADC do not need the current source */
+ if (address != AXP288_GP_ADC_H)
+ return 0;
+
+- ret = regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, mode);
++ ret = regmap_update_bits(info->regmap, AXP288_ADC_TS_PIN_CTRL,
++ AXP288_ADC_TS_CURRENT_ON_OFF_MASK, mode);
+ if (ret)
+ return ret;
+
+ /* When switching to the GPADC pin give things some time to settle */
+- if (mode == AXP288_ADC_TS_PIN_GPADC)
++ if (mode == AXP288_ADC_TS_CURRENT_ON_ONDEMAND)
+ usleep_range(6000, 10000);
+
+ return 0;
+@@ -145,14 +167,14 @@ static int axp288_adc_read_raw(struct ii
+ mutex_lock(&indio_dev->mlock);
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
+- if (axp288_adc_set_ts(info->regmap, AXP288_ADC_TS_PIN_GPADC,
++ if (axp288_adc_set_ts(info, AXP288_ADC_TS_CURRENT_ON_ONDEMAND,
+ chan->address)) {
+ dev_err(&indio_dev->dev, "GPADC mode\n");
+ ret = -EINVAL;
+ break;
+ }
+ ret = axp288_adc_read_channel(val, chan->address, info->regmap);
+- if (axp288_adc_set_ts(info->regmap, AXP288_ADC_TS_PIN_ON,
++ if (axp288_adc_set_ts(info, AXP288_ADC_TS_CURRENT_ON,
+ chan->address))
+ dev_err(&indio_dev->dev, "TS pin restore\n");
+ break;
+@@ -164,13 +186,35 @@ static int axp288_adc_read_raw(struct ii
+ return ret;
+ }
+
+-static int axp288_adc_set_state(struct regmap *regmap)
++static int axp288_adc_initialize(struct axp288_adc_info *info)
+ {
+- /* ADC should be always enabled for internal FG to function */
+- if (regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, AXP288_ADC_TS_PIN_ON))
+- return -EIO;
++ int ret, adc_enable_val;
++
++ /*
++ * Determine if the TS pin is enabled and set the TS current-source
++ * accordingly.
++ */
++ ret = regmap_read(info->regmap, AXP20X_ADC_EN1, &adc_enable_val);
++ if (ret)
++ return ret;
++
++ if (adc_enable_val & AXP288_ADC_TS_ENABLE) {
++ info->ts_enabled = true;
++ ret = regmap_update_bits(info->regmap, AXP288_ADC_TS_PIN_CTRL,
++ AXP288_ADC_TS_CURRENT_ON_OFF_MASK,
++ AXP288_ADC_TS_CURRENT_ON);
++ } else {
++ info->ts_enabled = false;
++ ret = regmap_update_bits(info->regmap, AXP288_ADC_TS_PIN_CTRL,
++ AXP288_ADC_TS_CURRENT_ON_OFF_MASK,
++ AXP288_ADC_TS_CURRENT_OFF);
++ }
++ if (ret)
++ return ret;
+
+- return regmap_write(regmap, AXP20X_ADC_EN1, AXP288_ADC_EN_MASK);
++ /* Turn on the ADC for all channels except TS, leave TS as is */
++ return regmap_update_bits(info->regmap, AXP20X_ADC_EN1,
++ AXP288_ADC_EN_MASK, AXP288_ADC_EN_MASK);
+ }
+
+ static const struct iio_info axp288_adc_iio_info = {
+@@ -200,7 +244,7 @@ static int axp288_adc_probe(struct platf
+ * Set ADC to enabled state at all time, including system suspend.
+ * otherwise internal fuel gauge functionality may be affected.
+ */
+- ret = axp288_adc_set_state(axp20x->regmap);
++ ret = axp288_adc_initialize(info);
+ if (ret) {
+ dev_err(&pdev->dev, "unable to enable ADC device\n");
+ return ret;
diff --git a/queue-4.20/iio-chemical-atlas-ph-sensor-correct-iio_temp-values-to-millicelsius.patch b/queue-4.20/iio-chemical-atlas-ph-sensor-correct-iio_temp-values-to-millicelsius.patch
new file mode 100644
index 00000000000..8d42014a4e5
--- /dev/null
+++ b/queue-4.20/iio-chemical-atlas-ph-sensor-correct-iio_temp-values-to-millicelsius.patch
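Review bot: In axp288_adc_initialize() of the axp288 patch, `adc_enable_val` is declared as `int` alongside `ret`, but its address is passed to `regmap_read()`, which takes an `unsigned int *`, and the value is then tested as a bit mask against `AXP288_ADC_TS_ENABLE`. Declaring it on its own line as `unsigned int adc_enable_val;` makes the pointer type match and keeps the mask test on an unsigned value. The new `ts_enabled` field also lacks a comment: as far as this patch shows it is sampled once at initialisation, and axp288_adc_set_ts() silently becomes a no-op when it is false, which is worth stating next to the struct member.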
@@ -0,0 +1,45 @@
+From 0808831dc62e90023ad14ff8da4804c7846e904b Mon Sep 17 00:00:00 2001
+From: Matt Ranostay
+Date: Sun, 30 Dec 2018 19:07:01 -0800
+Subject: iio: chemical: atlas-ph-sensor: correct IIO_TEMP values to millicelsius
+
+From: Matt Ranostay
+
+commit 0808831dc62e90023ad14ff8da4804c7846e904b upstream.
+
+IIO_TEMP scale value for temperature was incorrect and not in millicelsius
+as required by the ABI documentation.
+
+Signed-off-by: Matt Ranostay
+Fixes: 27dec00ecf2d (iio: chemical: add Atlas pH-SM sensor support)
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/chemical/atlas-ph-sensor.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/chemical/atlas-ph-sensor.c
++++ b/drivers/iio/chemical/atlas-ph-sensor.c
+@@ -444,9 +444,8 @@ static int atlas_read_raw(struct iio_dev
+ case IIO_CHAN_INFO_SCALE:
+ switch (chan->type) {
+ case IIO_TEMP:
+- *val = 1; /* 0.01 */
+- *val2 = 100;
+- break;
++ *val = 10;
++ return IIO_VAL_INT;
+ case IIO_PH:
+ *val = 1; /* 0.001 */
+ *val2 = 1000;
+@@ -477,7 +476,7 @@ static int atlas_write_raw(struct iio_de
+ int val, int val2, long mask)
+ {
+ struct atlas_data *data = iio_priv(indio_dev);
+- __be32 reg = cpu_to_be32(val);
++ __be32 reg = cpu_to_be32(val / 10);
+
+ if (val2 != 0 || val < 0 || val > 20000)
+ return -EINVAL;
diff --git a/queue-4.20/iio-ti-ads8688-update-buffer-allocation-for-timestamps.patch b/queue-4.20/iio-ti-ads8688-update-buffer-allocation-for-timestamps.patch
new file mode 100644
index 00000000000..5eeb7ece062
--- /dev/null
+++ b/queue-4.20/iio-ti-ads8688-update-buffer-allocation-for-timestamps.patch
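Review bot: In atlas_write_raw() of the atlas-ph-sensor patch, the value written is now `val / 10`, but the range check directly below still compares the unscaled `val` against 20000, so the largest accepted input now yields a register value a tenth of what it was before. If that limit was meant for the register value, the bound has to be scaled as well, e.g. `if (val2 != 0 || val < 0 || val > 200000)`; the datasheet limit is not visible here, so this needs confirming. The integer division also discards the last digit of the input without notice, which should either be rejected (`val % 10`) or documented in a comment. The function continues outside the hunk.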
@@ -0,0 +1,42 @@
+From f214ff521fb1f861c8d7f7d0af98b06bf61b3369 Mon Sep 17 00:00:00 2001
+From: Dan Murphy
+Date: Fri, 11 Jan 2019 13:57:07 -0600
+Subject: iio: ti-ads8688: Update buffer allocation for timestamps
+
+From: Dan Murphy
+
+commit f214ff521fb1f861c8d7f7d0af98b06bf61b3369 upstream.
+
+Per Jonathan Cameron, the buffer needs to allocate room for a
+64 bit timestamp as well as the channels. Change the buffer
+to allocate this additional space.
+
+Fixes: 2a86487786b5c ("iio: adc: ti-ads8688: add trigger and buffer support")
+Signed-off-by: Dan Murphy
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/ti-ads8688.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti-ads8688.c
++++ b/drivers/iio/adc/ti-ads8688.c
+@@ -41,6 +41,7 @@
+
+ #define ADS8688_VREF_MV 4096
+ #define ADS8688_REALBITS 16
++#define ADS8688_MAX_CHANNELS 8
+
+ /*
+ * enum ads8688_range - ADS8688 reference voltage range
+@@ -385,7 +386,7 @@ static irqreturn_t ads8688_trigger_handl
+ {
+ struct iio_poll_func *pf = p;
+ struct iio_dev *indio_dev = pf->indio_dev;
+- u16 buffer[8];
++ u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)];
+ int i, j = 0;
+
+ for (i = 0; i < indio_dev->masklength; i++) {
diff --git a/queue-4.20/libata-add-nolpm-quirk-for-samsung-mz7te512hmhp-000l1-ssd.patch b/queue-4.20/libata-add-nolpm-quirk-for-samsung-mz7te512hmhp-000l1-ssd.patch
new file mode 100644
index 00000000000..130bdb04ec1
--- /dev/null
+++ b/queue-4.20/libata-add-nolpm-quirk-for-samsung-mz7te512hmhp-000l1-ssd.patch
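Review bot: In ads8688_trigger_handler() of the ti-ads8688 patch, the enlarged `buffer` is still an uninitialised on-stack `u16` array, and a `u16` array is not guaranteed the 8-byte alignment that a 64-bit timestamp slot needs. The loop that follows presumably fills only the slots of enabled channels, so if the whole buffer is handed to the IIO buffer afterwards (that call is outside the hunk), the unwritten padding would carry stale kernel stack bytes to whoever reads the device. Zeroing and aligning the array closes both gaps: `u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8) = { 0 };`.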
@@ -0,0 +1,37 @@
+From dd957493baa586f1431490f97f9c7c45eaf8ab10 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Sun, 3 Feb 2019 10:02:07 +0100
+Subject: libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD
+
+From: Hans de Goede
+
+commit dd957493baa586f1431490f97f9c7c45eaf8ab10 upstream.
+
+We've received a bugreport that using LPM with a SAMSUNG
+MZ7TE512HMHP-000L1 SSD leads to system instability, we already have
+a quirk for the MZ7TD256HAFV-000L9, which is also a Samsun EVO 840 /
+PM851 OEM model, so it seems some of these models have a LPM issue.
+
+This commits adds a NOLPM quirk for the model string from the new
+bugeport, to avoid the reported stability issues.
+
+Cc: stable@vger.kernel.org
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1571330
+Signed-off-by: Hans de Goede
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/libata-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4554,6 +4554,7 @@ static const struct ata_blacklist_entry
+ { "SAMSUNG MZMPC128HBFU-000MV", "CXM14M1Q", ATA_HORKAGE_NOLPM, },
+ { "SAMSUNG SSD PM830 mSATA *", "CXM13D1Q", ATA_HORKAGE_NOLPM, },
+ { "SAMSUNG MZ7TD256HAFV-000L9", NULL, ATA_HORKAGE_NOLPM, },
++ { "SAMSUNG MZ7TE512HMHP-000L1", "EXT06L0Q", ATA_HORKAGE_NOLPM, },
+
+ /* devices that don't properly handle queued TRIM commands */
+ { "Micron_M500IT_*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
diff --git a/queue-4.20/mei-me-add-ice-lake-point-device-id.patch b/queue-4.20/mei-me-add-ice-lake-point-device-id.patch
new file mode 100644
index 00000000000..76dc2fad667
--- /dev/null
+++ b/queue-4.20/mei-me-add-ice-lake-point-device-id.patch
@@ -0,0 +1,42 @@
+From efe814e90b98aed6d655b5a4092b9114b8b26e42 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler
+Date: Thu, 24 Jan 2019 14:45:02 +0200
+Subject: mei: me: add ice lake point device id.
+
+From: Tomas Winkler
+
+commit efe814e90b98aed6d655b5a4092b9114b8b26e42 upstream.
+
+Add icelake mei device id.
+
+Cc:
+Signed-off-by: Tomas Winkler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/mei/hw-me-regs.h | 2 ++
+ drivers/misc/mei/pci-me.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -139,6 +139,8 @@
+ #define MEI_DEV_ID_CNP_H 0xA360 /* Cannon Point H */
+ #define MEI_DEV_ID_CNP_H_4 0xA364 /* Cannon Point H 4 (iTouch) */
+
++#define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */
++
+ /*
+ * MEI HW Section
+ */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -105,6 +105,8 @@ static const struct pci_device_id mei_me
+ {MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H, MEI_ME_PCH8_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H_4, MEI_ME_PCH8_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)},
++
+ /* required last entry */
+ {0, }
+ };
diff --git a/queue-4.20/misc-vexpress-off-by-one-in-vexpress_syscfg_exec.patch b/queue-4.20/misc-vexpress-off-by-one-in-vexpress_syscfg_exec.patch
new file mode 100644
index 00000000000..755ed66779a
--- /dev/null
+++ b/queue-4.20/misc-vexpress-off-by-one-in-vexpress_syscfg_exec.patch
@@ -0,0 +1,35 @@
+From f8a70d8b889f180e6860cb1f85fed43d37844c5a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 3 Dec 2018 17:52:19 +0300
+Subject: misc: vexpress: Off by one in vexpress_syscfg_exec()
+
+From: Dan Carpenter
+
+commit f8a70d8b889f180e6860cb1f85fed43d37844c5a upstream.
+
+The > comparison should be >= to prevent reading beyond the end of the
+func->template[] array.
+
+(The func->template array is allocated in vexpress_syscfg_regmap_init()
+and it has func->num_templates elements.)
+
+Fixes: 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells")
+Signed-off-by: Dan Carpenter
+Acked-by: Sudeep Holla
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/vexpress-syscfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/vexpress-syscfg.c
++++ b/drivers/misc/vexpress-syscfg.c
+@@ -61,7 +61,7 @@ static int vexpress_syscfg_exec(struct v
+ int tries;
+ long timeout;
+
+- if (WARN_ON(index > func->num_templates))
++ if (WARN_ON(index >= func->num_templates))
+ return -EINVAL;
+
+ command = readl(syscfg->base + SYS_CFGCTRL);
diff --git a/queue-4.20/mtd-make-sure-mtd-erasesize-is-valid-even-if-the-partition-is-of-size-0.patch b/queue-4.20/mtd-make-sure-mtd-erasesize-is-valid-even-if-the-partition-is-of-size-0.patch
new file mode 100644
index 00000000000..18021829e20
--- /dev/null
+++ b/queue-4.20/mtd-make-sure-mtd-erasesize-is-valid-even-if-the-partition-is-of-size-0.patch
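Review bot: In vexpress_syscfg_exec() of the vexpress patch, the corrected check `index >= func->num_templates` covers the upper bound only. The parameter list is cut off in the hunk header, so the type of `index` is not visible; if it is signed, a negative value still passes the check and indexes before the start of `func->template[]`. `if (WARN_ON(index < 0 || index >= func->num_templates))` would cover both ends, or a comment should state that callers never pass a negative index. The function body continues outside the hunk.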
@@ -0,0 +1,42 @@
+From ad4635153034c20c6f6e211e2ed3fd38b658649a Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Wed, 30 Jan 2019 12:55:52 +0100
+Subject: mtd: Make sure mtd->erasesize is valid even if the partition is of size 0
+
+From: Boris Brezillon
+
+commit ad4635153034c20c6f6e211e2ed3fd38b658649a upstream.
+
+Commit 33f45c44d68b ("mtd: Do not allow MTD devices with inconsistent
+erase properties") introduced a check to make sure ->erasesize and
+->_erase values are consistent with the MTD_NO_ERASE flag.
+This patch did not take the 0 bytes partition case into account which
+can happen when the defined partition is outside the flash device memory
+range. Fix that by setting the partition erasesize to the parent
+erasesize.
+
+Fixes: 33f45c44d68b ("mtd: Do not allow MTD devices with inconsistent erase properties")
+Reported-by: Geert Uytterhoeven
+Cc:
+Cc: Geert Uytterhoeven
+Signed-off-by: Boris Brezillon
+Tested-by: Geert Uytterhoeven
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/mtdpart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/mtd/mtdpart.c
++++ b/drivers/mtd/mtdpart.c
+@@ -470,6 +470,10 @@ static struct mtd_part *allocate_partiti
+ /* let's register it anyway to preserve ordering */
+ slave->offset = 0;
+ slave->mtd.size = 0;
++
++ /* Initialize ->erasesize to make add_mtd_device() happy. */
++ slave->mtd.erasesize = parent->erasesize;
++
+ printk(KERN_ERR"mtd: partition \"%s\" is out of reach -- disabled\n",
+ part->name);
+ goto out_register;
diff --git a/queue-4.20/mtd-rawnand-gpmi-fix-mx28-bus-master-lockup-problem.patch b/queue-4.20/mtd-rawnand-gpmi-fix-mx28-bus-master-lockup-problem.patch
new file mode 100644
index 00000000000..79c76ee2f68
--- /dev/null
+++ b/queue-4.20/mtd-rawnand-gpmi-fix-mx28-bus-master-lockup-problem.patch
@@ -0,0 +1,84 @@
+From d5d27fd9826b59979b184ec288e4812abac0e988 Mon Sep 17 00:00:00 2001
+From: Martin Kepplinger
+Date: Tue, 5 Feb 2019 16:52:51 +0100
+Subject: mtd: rawnand: gpmi: fix MX28 bus master lockup problem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Kepplinger
+
+commit d5d27fd9826b59979b184ec288e4812abac0e988 upstream.
+
+Disable BCH soft reset according to MX23 erratum #2847 ("BCH soft
+reset may cause bus master lock up") for MX28 too. It has the same
+problem.
+
+Observed problem: once per 100,000+ MX28 reboots NAND read failed on
+DMA timeout errors:
+[ 1.770823] UBI: attaching mtd3 to ubi0
+[ 2.768088] gpmi_nand: DMA timeout, last DMA :1
+[ 3.958087] gpmi_nand: BCH timeout, last DMA :1
+[ 4.156033] gpmi_nand: Error in ECC-based read: -110
+[ 4.161136] UBI warning: ubi_io_read: error -110 while reading 64
+bytes from PEB 0:0, read only 0 bytes, retry
+[ 4.171283] step 1 error
+[ 4.173846] gpmi_nand: Chip: 0, Error -1
+
+Without BCH soft reset we successfully executed 1,000,000 MX28 reboots.
+
+I have a quote from NXP regarding this problem, from July 18th 2016:
+
+"As the i.MX23 and i.MX28 are of the same generation, they share many
+characteristics. Unfortunately, also the erratas may be shared.
+In case of the documented erratas and the workarounds, you can also
+apply the workaround solution of one device on the other one. This have
+been reported, but I’m afraid that there are not an estimated date for
+updating the Errata documents.
+Please accept our apologies for any inconveniences this may cause."
+
+Fixes: 6f2a6a52560a ("mtd: nand: gpmi: reset BCH earlier, too, to avoid NAND startup problems")
+Cc: stable@vger.kernel.org
+Signed-off-by: Manfred Schlaegl
+Signed-off-by: Martin Kepplinger
+Reviewed-by: Miquel Raynal
+Reviewed-by: Fabio Estevam
+Acked-by: Han Xu
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/raw/gpmi-nand/gpmi-lib.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-lib.c
++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-lib.c
+@@ -155,9 +155,10 @@ int gpmi_init(struct gpmi_nand_data *thi
+
+ /*
+ * Reset BCH here, too. We got failures otherwise :(
+- * See later BCH reset for explanation of MX23 handling
++ * See later BCH reset for explanation of MX23 and MX28 handling
+ */
+- ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this));
++ ret = gpmi_reset_block(r->bch_regs,
++ GPMI_IS_MX23(this) || GPMI_IS_MX28(this));
+ if (ret)
+ goto err_out;
+
+@@ -263,12 +264,10 @@ int bch_set_geometry(struct gpmi_nand_da
+ /*
+ * Due to erratum #2847 of the MX23, the BCH cannot be soft reset on this
+ * chip, otherwise it will lock up. So we skip resetting BCH on the MX23.
+- * On the other hand, the MX28 needs the reset, because one case has been
+- * seen where the BCH produced ECC errors constantly after 10000
+- * consecutive reboots. The latter case has not been seen on the MX23
+- * yet, still we don't know if it could happen there as well.
++ * and MX28.
+ */
+- ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this));
++ ret = gpmi_reset_block(r->bch_regs,
++ GPMI_IS_MX23(this) || GPMI_IS_MX28(this));
+ if (ret)
+ goto err_out;
+
diff --git a/queue-4.20/mtd-spinand-fix-the-error-cleanup-path-in-spinand_init.patch b/queue-4.20/mtd-spinand-fix-the-error-cleanup-path-in-spinand_init.patch
new file mode 100644
index 00000000000..008336d8996
--- /dev/null
+++ b/queue-4.20/mtd-spinand-fix-the-error-cleanup-path-in-spinand_init.patch
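Review bot: In the bch_set_geometry() hunk of the gpmi patch, the edited comment now reads "So we skip resetting BCH on the MX23." followed by a new line " * and MX28.", which leaves a full stop in the middle of the sentence; it should read `So we skip resetting BCH on the MX23 and MX28.`. The removed lines were also the only in-code record of why the MX28 used to be reset (constant ECC errors seen after 10000 consecutive reboots), so one sentence noting that the reset is now skipped despite that observation would help the next person weighing the two failure modes. The same `GPMI_IS_MX23(this) || GPMI_IS_MX28(this)` test now appears in both gpmi_init() and bch_set_geometry(); a small shared helper would keep the two call sites from drifting apart.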
@@ -0,0 +1,39 @@
+From c3c7dbf4887ab3ed9d611cd1f6e16937f8700743 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Thu, 24 Jan 2019 15:46:54 +0100
+Subject: mtd: spinand: Fix the error/cleanup path in spinand_init()
+
+From: Boris Brezillon
+
+commit c3c7dbf4887ab3ed9d611cd1f6e16937f8700743 upstream.
+
+The manufacturer specific initialization has already been done when
+block unlocking takes place, and if anything goes wrong during this
+procedure we should call spinand_manufacturer_cleanup().
+
+Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
+Cc:
+Signed-off-by: Boris Brezillon
+Acked-by: Miquel Raynal
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/spi/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -1014,11 +1014,11 @@ static int spinand_init(struct spinand_d
+ for (i = 0; i < nand->memorg.ntargets; i++) {
+ ret = spinand_select_target(spinand, i);
+ if (ret)
+- goto err_free_bufs;
++ goto err_manuf_cleanup;
+
+ ret = spinand_lock_block(spinand, BL_ALL_UNLOCKED);
+ if (ret)
+- goto err_free_bufs;
++ goto err_manuf_cleanup;
+ }
+
+ ret = nanddev_init(nand, &spinand_ops, THIS_MODULE);
diff --git a/queue-4.20/mtd-spinand-handle-the-case-where-program-load-does-not-reset-the-cache.patch b/queue-4.20/mtd-spinand-handle-the-case-where-program-load-does-not-reset-the-cache.patch
new file mode 100644
index 00000000000..38b6f436b33
--- /dev/null
+++ b/queue-4.20/mtd-spinand-handle-the-case-where-program-load-does-not-reset-the-cache.patch
@@ -0,0 +1,99 @@
+From 13c15e07eedf26092054c8c71f2f47edb8388310 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Thu, 24 Jan 2019 15:20:07 +0100
+Subject: mtd: spinand: Handle the case where PROGRAM LOAD does not reset the cache
+
+From: Boris Brezillon
+
+commit 13c15e07eedf26092054c8c71f2f47edb8388310 upstream.
+
+Looks like PROGRAM LOAD (AKA write cache) does not necessarily reset
+the cache content to 0xFF (depends on vendor implementation), so we
+must fill the page cache entirely even if we only want to program the
+data portion of the page, otherwise we might corrupt the BBM or user
+data previously programmed in OOB area.
+
+Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
+Reported-by: Stefan Roese
+Cc:
+Signed-off-by: Boris Brezillon
+Tested-by: Stefan Roese
+Reviewed-by: Stefan Roese
+Acked-by: Miquel Raynal
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/spi/core.c | 42 ++++++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -304,24 +304,30 @@ static int spinand_write_to_cache_op(str
+ struct nand_device *nand = spinand_to_nand(spinand);
+ struct mtd_info *mtd = nanddev_to_mtd(nand);
+ struct nand_page_io_req adjreq = *req;
+- unsigned int nbytes = 0;
+- void *buf = NULL;
++ void *buf = spinand->databuf;
++ unsigned int nbytes;
+ u16 column = 0;
+ int ret;
+
+- memset(spinand->databuf, 0xff,
+- nanddev_page_size(nand) +
+- nanddev_per_page_oobsize(nand));
++ /*
++ * Looks like PROGRAM LOAD (AKA write cache) does not necessarily reset
++ * the cache content to 0xFF (depends on vendor implementation), so we
++ * must fill the page cache entirely even if we only want to program
++ * the data portion of the page, otherwise we might corrupt the BBM or
++ * user data previously programmed in OOB area.
++ */
++ nbytes = nanddev_page_size(nand) + nanddev_per_page_oobsize(nand);
++ memset(spinand->databuf, 0xff, nbytes);
++ adjreq.dataoffs = 0;
++ adjreq.datalen = nanddev_page_size(nand);
++ adjreq.databuf.out = spinand->databuf;
++ adjreq.ooblen = nanddev_per_page_oobsize(nand);
++ adjreq.ooboffs = 0;
++ adjreq.oobbuf.out = spinand->oobbuf;
+
+- if (req->datalen) {
++ if (req->datalen)
+ memcpy(spinand->databuf + req->dataoffs, req->databuf.out,
+ req->datalen);
+- adjreq.dataoffs = 0;
+- adjreq.datalen = nanddev_page_size(nand);
+- adjreq.databuf.out = spinand->databuf;
+- nbytes = adjreq.datalen;
+- buf = spinand->databuf;
+- }
+
+ if (req->ooblen) {
+ if (req->mode == MTD_OPS_AUTO_OOB)
+@@ -332,14 +338,6 @@ static int spinand_write_to_cache_op(str
+ else
+ memcpy(spinand->oobbuf + req->ooboffs, req->oobbuf.out,
+ req->ooblen);
+-
+- adjreq.ooblen = nanddev_per_page_oobsize(nand);
+- adjreq.ooboffs = 0;
+- nbytes += nanddev_per_page_oobsize(nand);
+- if (!buf) {
+- buf = spinand->oobbuf;
+- column = nanddev_page_size(nand);
+- }
+ }
+
+ spinand_cache_op_adjust_colum(spinand, &adjreq, &column);
+@@ -370,8 +368,8 @@ static int spinand_write_to_cache_op(str
+
+ /*
+ * We need to use the RANDOM LOAD CACHE operation if there's
+- * more than one iteration, because the LOAD operation resets
+- * the cache to 0xff.
++ * more than one iteration, because the LOAD operation might
++ * reset the cache to 0xff.
+ */
+ if (nbytes) {
+ column = op.addr.val;
diff --git a/queue-4.20/samples-mei-use-dev-mei0-instead-of-dev-mei.patch b/queue-4.20/samples-mei-use-dev-mei0-instead-of-dev-mei.patch
new file mode 100644
index 00000000000..d27003cd08b
--- /dev/null
+++ b/queue-4.20/samples-mei-use-dev-mei0-instead-of-dev-mei.patch
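Review bot: The `memcpy(spinand->databuf + req->dataoffs, req->databuf.out, req->datalen)` kept in spinand_write_to_cache_op() has no visible bound on `req->dataoffs + req->datalen`, and with this change every call programs the whole page plus OOB out of `spinand->databuf`, so a request that runs past the page size would now always end up in the OOB bytes sent to the flash. The callers are outside the hunks and may already guarantee the bound; if so, a short comment at the memcpy naming where it is enforced would make that checkable. The new `buf = spinand->databuf` with `nbytes` spanning page and OOB also relies on `spinand->oobbuf` pointing directly behind the page data in the same buffer, which deserves a line next to the memset, e.g. `/* databuf holds page data followed by OOB; oobbuf is expected to alias its tail */`. The function starts and ends outside the hunks shown.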
@@ -0,0 +1,31 @@
+From c4a46acf1db3ce547d290c29e55b3476c78dd76c Mon Sep 17 00:00:00 2001
+From: Tomas Winkler
+Date: Thu, 24 Jan 2019 14:45:03 +0200
+Subject: samples: mei: use /dev/mei0 instead of /dev/mei
+
+From: Tomas Winkler
+
+commit c4a46acf1db3ce547d290c29e55b3476c78dd76c upstream.
+
+The device was moved from misc device to character devices
+to support multiple mei devices.
+
+Cc: #v4.9+
+Signed-off-by: Tomas Winkler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ samples/mei/mei-amt-version.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/samples/mei/mei-amt-version.c
++++ b/samples/mei/mei-amt-version.c
+@@ -117,7 +117,7 @@ static bool mei_init(struct mei *me, con
+
+ me->verbose = verbose;
+
+- me->fd = open("/dev/mei", O_RDWR);
++ me->fd = open("/dev/mei0", O_RDWR);
+ if (me->fd == -1) {
+ mei_err(me, "Cannot establish a handle to the Intel MEI driver\n");
+ goto err;
diff --git a/queue-4.20/series b/queue-4.20/series
new file mode 100644
index 00000000000..87b75004d6e
--- /dev/null
+++ b/queue-4.20/series
@@ -0,0 +1,17 @@
+mtd-make-sure-mtd-erasesize-is-valid-even-if-the-partition-is-of-size-0.patch
+mtd-spinand-handle-the-case-where-program-load-does-not-reset-the-cache.patch
+mtd-spinand-fix-the-error-cleanup-path-in-spinand_init.patch
+mtd-rawnand-gpmi-fix-mx28-bus-master-lockup-problem.patch
+libata-add-nolpm-quirk-for-samsung-mz7te512hmhp-000l1-ssd.patch
+tools-iio-iio_generic_buffer-make-num_loops-signed.patch
+iio-adc-axp288-fix-ts-pin-handling.patch
+iio-chemical-atlas-ph-sensor-correct-iio_temp-values-to-millicelsius.patch
+iio-ti-ads8688-update-buffer-allocation-for-timestamps.patch
+signal-always-attempt-to-allocate-siginfo-for-sigstop.patch
+signal-always-notice-exiting-tasks.patch
+signal-better-detection-of-synchronous-signals.patch
+misc-vexpress-off-by-one-in-vexpress_syscfg_exec.patch
+cfg80211-call-disconnect_wk-when-ap-stops.patch
+mei-me-add-ice-lake-point-device-id.patch
+samples-mei-use-dev-mei0-instead-of-dev-mei.patch
+debugfs-fix-debugfs_rename-parameter-checking.patch
diff --git a/queue-4.20/signal-always-attempt-to-allocate-siginfo-for-sigstop.patch b/queue-4.20/signal-always-attempt-to-allocate-siginfo-for-sigstop.patch
new file mode 100644
index 00000000000..bef03e8db85
--- /dev/null
+++ b/queue-4.20/signal-always-attempt-to-allocate-siginfo-for-sigstop.patch
@@ -0,0 +1,72 @@
+From a692933a87691681e880feb708081681ff32400a Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Tue, 5 Feb 2019 07:19:11 -0600
+Subject: signal: Always attempt to allocate siginfo for SIGSTOP
+
+From: Eric W. Biederman
+
+commit a692933a87691681e880feb708081681ff32400a upstream.
+
+Since 2.5.34 the code has had the potential to not allocate siginfo
+for SIGSTOP signals. Except for ptrace this is perfectly fine as only
+ptrace can use PTRACE_PEEK_SIGINFO and see what the contents of
+the delivered siginfo are.
+
+Users of PTRACE_PEEK_SIGINFO that care about the contents siginfo
+for SIGSTOP are rare, but they do exist. A seccomp self test
+has cared and lldb cares.
+
+Jack Andersen writes:
+
+> The patch titled
+> `signal: Never allocate siginfo for SIGKILL or SIGSTOP`
+> created a regression for users of PTRACE_GETSIGINFO needing to
+> discern signals that were raised via the tgkill syscall.
+>
+> A notable user of this tgkill+ptrace combination is lldb while
+> debugging a multithreaded program. Without the ability to detect a
+> SIGSTOP originating from tgkill, lldb does not have a way to
+> synchronize on a per-thread basis and falls back to SIGSTOP-ing the
+> entire process.
+
+Everyone affected by this please note. The kernel can still fail to
+allocate a siginfo structure. The allocation is with GFP_KERNEL and
+is best effort only. If memory is tight when the signal allocation
+comes in this will fail to allocate a siginfo.
+
+So I strongly recommend looking at more robust solutions for
+synchronizing with a single thread such as PTRACE_INTERRUPT. Or if
+that does not work persuading your friendly local kernel developer to
+build the interface you need.
+
+Reported-by: Tycho Andersen
+Reported-by: Kees Cook
+Reported-by: Jack Andersen
+Acked-by: Linus Torvalds
+Reviewed-by: Christian Brauner
+Cc: stable@vger.kernel.org
+Fixes: f149b3155744 ("signal: Never allocate siginfo for SIGKILL or SIGSTOP")
+Fixes: 6dfc88977e42 ("[PATCH] shared thread signals")
+History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/signal.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1057,10 +1057,9 @@ static int __send_signal(int sig, struct
+
+ result = TRACE_SIGNAL_DELIVERED;
+ /*
+- * Skip useless siginfo allocation for SIGKILL SIGSTOP,
+- * and kernel threads.
++ * Skip useless siginfo allocation for SIGKILL and kernel threads.
+ */
+- if (sig_kernel_only(sig) || (t->flags & PF_KTHREAD))
++ if ((sig == SIGKILL) || (t->flags & PF_KTHREAD))
+ goto out_set;
+
+ /*
diff --git a/queue-4.20/signal-always-notice-exiting-tasks.patch b/queue-4.20/signal-always-notice-exiting-tasks.patch
new file mode 100644
index 00000000000..6ce531a7eaa
--- /dev/null
+++ b/queue-4.20/signal-always-notice-exiting-tasks.patch
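Review bot: The rewritten comment in __send_signal() states what is skipped but not why SIGSTOP is no longer part of it, and the commit message shows this shortcut has already been added back once by a later cleanup. I would record the reason at the test itself, e.g. `* SIGSTOP still gets a siginfo: ptrace users (PTRACE_PEEK_SIGINFO) read it to tell how the stop was raised.` It would also help to say there that the allocation remains best effort, as the description notes, so a tracer cannot treat a missing siginfo as proof of anything. __send_signal() begins and ends outside the hunk.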
@@ -0,0 +1,65 @@
+From 35634ffa1751b6efd8cf75010b509dcb0263e29b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Wed, 6 Feb 2019 18:39:40 -0600
+Subject: signal: Always notice exiting tasks
+
+From: Eric W. Biederman
+
+commit 35634ffa1751b6efd8cf75010b509dcb0263e29b upstream.
+
+Recently syzkaller was able to create unkillablle processes by
+creating a timer that is delivered as a thread local signal on SIGHUP,
+and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop
+failing to deliver SIGHUP but always trying.
+
+Upon examination it turns out part of the problem is actually most of
+the solution. Since 2.5 signal delivery has found all fatal signals,
+marked the signal group for death, and queued SIGKILL in every threads
+thread queue relying on signal->group_exit_code to preserve the
+information of which was the actual fatal signal.
+
+The conversion of all fatal signals to SIGKILL results in the
+synchronous signal heuristic in next_signal kicking in and preferring
+SIGHUP to SIGKILL. Which is especially problematic as all
+fatal signals have already been transformed into SIGKILL.
+
+Instead of dequeueing signals and depending upon SIGKILL to
+be the first signal dequeued, first test if the signal group
+has already been marked for death. This guarantees that
+nothing in the signal queue can prevent a process that needs
+to exit from exiting.
+
+Cc: stable@vger.kernel.org
+Tested-by: Dmitry Vyukov
+Reported-by: Dmitry Vyukov
+Ref: ebf5ebe31d2c ("[PATCH] signal-fixes-2.5.59-A4")
+History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/signal.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2393,6 +2393,11 @@ relock:
+ goto relock;
+ }
+
++ /* Has this task already been marked for death? */
++ ksig->info.si_signo = signr = SIGKILL;
++ if (signal_group_exit(signal))
++ goto fatal;
++
+ for (;;) {
+ struct k_sigaction *ka;
+
+@@ -2488,6 +2493,7 @@ relock:
+ continue;
+ }
+
++ fatal:
+ spin_unlock_irq(&sighand->siglock);
+
+ /*
diff --git a/queue-4.20/signal-better-detection-of-synchronous-signals.patch b/queue-4.20/signal-better-detection-of-synchronous-signals.patch
new file mode 100644
index 00000000000..97001b8005f
--- /dev/null
+++ b/queue-4.20/signal-better-detection-of-synchronous-signals.patch
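Review bot: On the new early exit to `fatal:` only `ksig->info.si_signo` is written, so every other field of `ksig->info` keeps whatever the caller's structure held before. If anything after the `fatal:` label reads those fields (that code is outside the hunk, so this is not confirmed), it would see stale or uninitialised data; a `clear_siginfo(&ksig->info);` ahead of `ksig->info.si_signo = signr = SIGKILL;` would rule that out. The assignment also runs when `signal_group_exit(signal)` is false, where the value is presumably overwritten by the dequeue in the loop, so moving it inside the branch would make the intent plainer. The enclosing function starts and ends outside both hunks.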
@@ -0,0 +1,116 @@
+From 7146db3317c67b517258cb5e1b08af387da0618b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Wed, 6 Feb 2019 17:51:47 -0600
+Subject: signal: Better detection of synchronous signals
+
+From: Eric W. Biederman
+
+commit 7146db3317c67b517258cb5e1b08af387da0618b upstream.
+
+Recently syzkaller was able to create unkillablle processes by
+creating a timer that is delivered as a thread local signal on SIGHUP,
+and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop failing
+to deliver SIGHUP but always trying.
+
+When the stack overflows delivery of SIGHUP fails and force_sigsegv is
+called. Unfortunately because SIGSEGV is numerically higher than
+SIGHUP next_signal tries again to deliver a SIGHUP.
+
+From a quality of implementation standpoint attempting to deliver the
+timer SIGHUP signal is wrong. We should attempt to deliver the
+synchronous SIGSEGV signal we just forced.
+
+We can make that happening in a fairly straight forward manner by
+instead of just looking at the signal number we also look at the
+si_code. In particular for exceptions (aka synchronous signals) the
+si_code is always greater than 0.
+
+That still has the potential to pick up a number of asynchronous
+signals as in a few cases the same si_codes that are used
+for synchronous signals are also used for asynchronous signals,
+and SI_KERNEL is also included in the list of possible si_codes.
+
+Still the heuristic is much better and timer signals are definitely
+excluded. Which is enough to prevent all known ways for someone
+sending a process signals fast enough to cause unexpected and
+arguably incorrect behavior.
+
+Cc: stable@vger.kernel.org
+Fixes: a27341cd5fcb ("Prioritize synchronous signals over 'normal' signals")
+Tested-by: Dmitry Vyukov
+Reported-by: Dmitry Vyukov
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/signal.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 51 insertions(+), 1 deletion(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -688,6 +688,48 @@ int dequeue_signal(struct task_struct *t
+ }
+ EXPORT_SYMBOL_GPL(dequeue_signal);
+
++static int dequeue_synchronous_signal(kernel_siginfo_t *info)
++{
++ struct task_struct *tsk = current;
++ struct sigpending *pending = &tsk->pending;
++ struct sigqueue *q, *sync = NULL;
++
++ /*
++ * Might a synchronous signal be in the queue?
++ */
++ if (!((pending->signal.sig[0] & ~tsk->blocked.sig[0]) & SYNCHRONOUS_MASK))
++ return 0;
++
++ /*
++ * Return the first synchronous signal in the queue.
++ */
++ list_for_each_entry(q, &pending->list, list) {
++ /* Synchronous signals have a postive si_code */
++ if ((q->info.si_code > SI_USER) &&
++ (sigmask(q->info.si_signo) & SYNCHRONOUS_MASK)) {
++ sync = q;
++ goto next;
++ }
++ }
++ return 0;
++next:
++ /*
++ * Check if there is another siginfo for the same signal.
++ */
++ list_for_each_entry_continue(q, &pending->list, list) {
++ if (q->info.si_signo == sync->info.si_signo)
++ goto still_pending;
++ }
++
++ sigdelset(&pending->signal, sync->info.si_signo);
++ recalc_sigpending();
++still_pending:
++ list_del_init(&sync->list);
++ copy_siginfo(info, &sync->info);
++ __sigqueue_free(sync);
++ return info->si_signo;
++}
++
+ /*
+ * Tell a process that it has a new active signal..
+ *
+@@ -2411,7 +2453,15 @@ relock:
+ goto relock;
+ }
+
+- signr = dequeue_signal(current, ¤t->blocked, &ksig->info);
++ /*
++ * Signals generated by the execution of an instruction
++ * need to be delivered before any other pending signals
++ * so that the instruction pointer in the signal stack
++ * frame points to the faulting instruction.
++ */
++ signr = dequeue_synchronous_signal(&ksig->info);
++ if (!signr)
++ signr = dequeue_signal(current, ¤t->blocked, &ksig->info);
+
+ if (!signr)
+ break; /* will return 0 */
diff --git a/queue-4.20/tools-iio-iio_generic_buffer-make-num_loops-signed.patch b/queue-4.20/tools-iio-iio_generic_buffer-make-num_loops-signed.patch
new file mode 100644
index 00000000000..1c483db8df7
--- /dev/null
+++ b/queue-4.20/tools-iio-iio_generic_buffer-make-num_loops-signed.patch
@@ -0,0 +1,40 @@
+From b119d3bc328e7a9574861ebe0c2110e2776c2de1 Mon Sep 17 00:00:00 2001
+From: Martin Kelly
+Date: Fri, 11 Jan 2019 23:13:09 +0000
+Subject: tools: iio: iio_generic_buffer: make num_loops signed
+
+From: Martin Kelly
+
+commit b119d3bc328e7a9574861ebe0c2110e2776c2de1 upstream.
+
+Currently, num_loops is unsigned, but it's set by strtoll, which returns a
+(signed) long long int. This could lead to overflow, and it also makes the
+check "num_loops < 0" always be false, since num_loops is unsigned.
+Setting num_loops to -1 to loop forever is almost working because num_loops
+is getting set to a very high number, but it's technically still incorrect.
+
+Fix this issue by making num_loops signed. This also fixes an error found
+by Smatch.
+
+Signed-off-by: Martin Kelly
+Reported-by: Dan Carpenter
+Fixes: 55dda0abcf9d ("tools: iio: iio_generic_buffer: allow continuous looping")
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/iio/iio_generic_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/iio/iio_generic_buffer.c
++++ b/tools/iio/iio_generic_buffer.c
+@@ -330,7 +330,7 @@ static const struct option longopts[] =
+
+ int main(int argc, char **argv)
+ {
+- unsigned long long num_loops = 2;
++ long long num_loops = 2;
+ unsigned long timedelay = 1000000;
+ unsigned long buf_len = 128;
+
-- 2.47.3
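Review bot: dequeue_synchronous_signal() edits the current task's pending queue (`list_del_init`, `sigdelset`, `__sigqueue_free`) without stating or checking that the caller holds the sighand lock; the call site sits in the `relock:` section, which suggests it does, but nothing in the new function enforces it. A `lockdep_assert_held(&tsk->sighand->siglock);` at the top, or at least a one-line comment, would document the contract. The test `q->info.si_code > SI_USER` is, by the commit message's own account, a heuristic that also matches some asynchronous senders, and the comment above it should say so instead of `Synchronous signals have a postive si_code` (which also carries a typo). The `goto next` out of the first loop could be a `break` followed by `if (!sync) return 0;`, which reads more directly and leaves `q` where the continue-loop expects it.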