-rw-r--r--0001-media-uvcvideo-Prevent-setting-unavailable-flags.patch65
-rw-r--r--0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch95
-rw-r--r--0001-socket-close-race-condition-between-sock_close-and-s.patch91
-rw-r--r--0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch47
-rw-r--r--Revert-the-random-series-for-4.16.4.patch160
-rw-r--r--arm-dts-imx6qdl-udoo-Disable-usbh1-to-avoid-kernel-hang.patch41
-rw-r--r--bcm283x-clk-audio-fixes.patch55
-rw-r--r--kernel.spec35
-rw-r--r--sources2
9 files changed, 178 insertions, 413 deletions
diff --git a/0001-media-uvcvideo-Prevent-setting-unavailable-flags.patch b/0001-media-uvcvideo-Prevent-setting-unavailable-flags.patch
deleted file mode 100644
index 76f2ce025..000000000
--- a/0001-media-uvcvideo-Prevent-setting-unavailable-flags.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 0dc68cabdb626e33d02561529e6a4c681b72a784 Mon Sep 17 00:00:00 2001
-From: Kieran Bingham <kieran.bingham@ideasonboard.com>
-Date: Wed, 21 Mar 2018 11:43:08 -0400
-Subject: [PATCH] media: uvcvideo: Prevent setting unavailable flags
-
-The addition of an extra operation to use the GET_INFO command
-overwrites all existing flags from the uvc_ctrls table. This includes
-setting all controls as supporting GET_MIN, GET_MAX, GET_RES, and
-GET_DEF regardless of whether they do or not.
-
-Move the initialisation of these control capabilities directly to the
-uvc_ctrl_fill_xu_info() call where they were originally located in that
-use case, and ensure that the new functionality in uvc_ctrl_get_flags()
-will only set flags based on their reported capability from the GET_INFO
-call.
-
-Fixes: 859086ae3636 ("media: uvcvideo: Apply flags from device to actual properties")
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
-Tested-by: Guennadi Liakhovetski <guennadi.liakhovetski@intel.com>
-Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
----
- drivers/media/usb/uvc/uvc_ctrl.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
-index 102594ec3e97..a36b4fb949fa 100644
---- a/drivers/media/usb/uvc/uvc_ctrl.c
-+++ b/drivers/media/usb/uvc/uvc_ctrl.c
-@@ -1607,14 +1607,12 @@ static int uvc_ctrl_get_flags(struct uvc_device *dev,
- ret = uvc_query_ctrl(dev, UVC_GET_INFO, ctrl->entity->id, dev->intfnum,
- info->selector, data, 1);
- if (!ret)
-- info->flags = UVC_CTRL_FLAG_GET_MIN | UVC_CTRL_FLAG_GET_MAX
-- | UVC_CTRL_FLAG_GET_RES | UVC_CTRL_FLAG_GET_DEF
-- | (data[0] & UVC_CONTROL_CAP_GET ?
-- UVC_CTRL_FLAG_GET_CUR : 0)
-- | (data[0] & UVC_CONTROL_CAP_SET ?
-- UVC_CTRL_FLAG_SET_CUR : 0)
-- | (data[0] & UVC_CONTROL_CAP_AUTOUPDATE ?
-- UVC_CTRL_FLAG_AUTO_UPDATE : 0);
-+ info->flags |= (data[0] & UVC_CONTROL_CAP_GET ?
-+ UVC_CTRL_FLAG_GET_CUR : 0)
-+ | (data[0] & UVC_CONTROL_CAP_SET ?
-+ UVC_CTRL_FLAG_SET_CUR : 0)
-+ | (data[0] & UVC_CONTROL_CAP_AUTOUPDATE ?
-+ UVC_CTRL_FLAG_AUTO_UPDATE : 0);
-
- kfree(data);
- return ret;
-@@ -1689,6 +1687,9 @@ static int uvc_ctrl_fill_xu_info(struct uvc_device *dev,
-
- info->size = le16_to_cpup((__le16 *)data);
-
-+ info->flags = UVC_CTRL_FLAG_GET_MIN | UVC_CTRL_FLAG_GET_MAX
-+ | UVC_CTRL_FLAG_GET_RES | UVC_CTRL_FLAG_GET_DEF;
-+
- ret = uvc_ctrl_get_flags(dev, ctrl, info);
- if (ret < 0) {
- uvc_trace(UVC_TRACE_CONTROL,
---
-2.17.1
-
diff --git a/0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch b/0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
deleted file mode 100644
index 126593918..000000000
--- a/0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From f620d1d7afc7db57ab59f35000752840c91f67e7 Mon Sep 17 00:00:00 2001
-From: ming_qian <ming_qian@realsil.com.cn>
-Date: Tue, 8 May 2018 22:13:08 -0400
-Subject: [PATCH] media: uvcvideo: Support realtek's UVC 1.5 device
-
-media: uvcvideo: Support UVC 1.5 video probe & commit controls
-
-The length of UVC 1.5 video control is 48, and it is 34 for UVC 1.1.
-Change it to 48 for UVC 1.5 device, and the UVC 1.5 device can be
-recognized.
-
-More changes to the driver are needed for full UVC 1.5 compatibility.
-However, at least the UVC 1.5 Realtek RTS5847/RTS5852 cameras have been
-reported to work well.
-
-[laurent.pinchart@ideasonboard.com: Factor out code to helper function, update size checks]
-
-Cc: stable@vger.kernel.org
-Signed-off-by: ming_qian <ming_qian@realsil.com.cn>
-Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
-Tested-by: Ana Guerrero Lopez <ana.guerrero@collabora.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
----
- drivers/media/usb/uvc/uvc_video.c | 24 ++++++++++++++++++------
- 1 file changed, 18 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
-index aa0082fe5833..b28c997a7ab0 100644
---- a/drivers/media/usb/uvc/uvc_video.c
-+++ b/drivers/media/usb/uvc/uvc_video.c
-@@ -163,14 +163,27 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
- }
- }
-
-+static size_t uvc_video_ctrl_size(struct uvc_streaming *stream)
-+{
-+ /*
-+ * Return the size of the video probe and commit controls, which depends
-+ * on the protocol version.
-+ */
-+ if (stream->dev->uvc_version < 0x0110)
-+ return 26;
-+ else if (stream->dev->uvc_version < 0x0150)
-+ return 34;
-+ else
-+ return 48;
-+}
-+
- static int uvc_get_video_ctrl(struct uvc_streaming *stream,
- struct uvc_streaming_control *ctrl, int probe, u8 query)
- {
-+ u16 size = uvc_video_ctrl_size(stream);
- u8 *data;
-- u16 size;
- int ret;
-
-- size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
- if ((stream->dev->quirks & UVC_QUIRK_PROBE_DEF) &&
- query == UVC_GET_DEF)
- return -EIO;
-@@ -225,7 +238,7 @@ static int uvc_get_video_ctrl(struct uvc_streaming *stream,
- ctrl->dwMaxVideoFrameSize = get_unaligned_le32(&data[18]);
- ctrl->dwMaxPayloadTransferSize = get_unaligned_le32(&data[22]);
-
-- if (size == 34) {
-+ if (size >= 34) {
- ctrl->dwClockFrequency = get_unaligned_le32(&data[26]);
- ctrl->bmFramingInfo = data[30];
- ctrl->bPreferedVersion = data[31];
-@@ -254,11 +267,10 @@ static int uvc_get_video_ctrl(struct uvc_streaming *stream,
- static int uvc_set_video_ctrl(struct uvc_streaming *stream,
- struct uvc_streaming_control *ctrl, int probe)
- {
-+ u16 size = uvc_video_ctrl_size(stream);
- u8 *data;
-- u16 size;
- int ret;
-
-- size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
- data = kzalloc(size, GFP_KERNEL);
- if (data == NULL)
- return -ENOMEM;
-@@ -275,7 +287,7 @@ static int uvc_set_video_ctrl(struct uvc_streaming *stream,
- put_unaligned_le32(ctrl->dwMaxVideoFrameSize, &data[18]);
- put_unaligned_le32(ctrl->dwMaxPayloadTransferSize, &data[22]);
-
-- if (size == 34) {
-+ if (size >= 34) {
- put_unaligned_le32(ctrl->dwClockFrequency, &data[26]);
- data[30] = ctrl->bmFramingInfo;
- data[31] = ctrl->bPreferedVersion;
---
-2.17.1
-
diff --git a/0001-socket-close-race-condition-between-sock_close-and-s.patch b/0001-socket-close-race-condition-between-sock_close-and-s.patch
deleted file mode 100644
index 90f52fc3f..000000000
--- a/0001-socket-close-race-condition-between-sock_close-and-s.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 6d8c50dcb029872b298eea68cc6209c866fd3e14 Mon Sep 17 00:00:00 2001
-From: Cong Wang <xiyou.wangcong@gmail.com>
-Date: Thu, 7 Jun 2018 13:39:49 -0700
-Subject: [PATCH] socket: close race condition between sock_close() and
- sockfs_setattr()
-
-fchownat() doesn't even hold refcnt of fd until it figures out
-fd is really needed (otherwise is ignored) and releases it after
-it resolves the path. This means sock_close() could race with
-sockfs_setattr(), which leads to a NULL pointer dereference
-since typically we set sock->sk to NULL in ->release().
-
-As pointed out by Al, this is unique to sockfs. So we can fix this
-in socket layer by acquiring inode_lock in sock_close() and
-checking against NULL in sockfs_setattr().
-
-sock_release() is called in many places, only the sock_close()
-path matters here. And fortunately, this should not affect normal
-sock_close() as it is only called when the last fd refcnt is gone.
-It only affects sock_close() with a parallel sockfs_setattr() in
-progress, which is not common.
-
-Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
-Reported-by: shankarapailoor <shankarapailoor@gmail.com>
-Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
-Cc: Lorenzo Colitti <lorenzo@google.com>
-Cc: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/socket.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/net/socket.c b/net/socket.c
-index af57d85bcb48..8a109012608a 100644
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -541,7 +541,10 @@ static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr)
- if (!err && (iattr->ia_valid & ATTR_UID)) {
- struct socket *sock = SOCKET_I(d_inode(dentry));
-
-- sock->sk->sk_uid = iattr->ia_uid;
-+ if (sock->sk)
-+ sock->sk->sk_uid = iattr->ia_uid;
-+ else
-+ err = -ENOENT;
- }
-
- return err;
-@@ -590,12 +593,16 @@ EXPORT_SYMBOL(sock_alloc);
- * an inode not a file.
- */
-
--void sock_release(struct socket *sock)
-+static void __sock_release(struct socket *sock, struct inode *inode)
- {
- if (sock->ops) {
- struct module *owner = sock->ops->owner;
-
-+ if (inode)
-+ inode_lock(inode);
- sock->ops->release(sock);
-+ if (inode)
-+ inode_unlock(inode);
- sock->ops = NULL;
- module_put(owner);
- }
-@@ -609,6 +616,11 @@ void sock_release(struct socket *sock)
- }
- sock->file = NULL;
- }
-+
-+void sock_release(struct socket *sock)
-+{
-+ __sock_release(sock, NULL);
-+}
- EXPORT_SYMBOL(sock_release);
-
- void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags)
-@@ -1171,7 +1183,7 @@ static int sock_mmap(struct file *file, struct vm_area_struct *vma)
-
- static int sock_close(struct inode *inode, struct file *filp)
- {
-- sock_release(SOCKET_I(inode));
-+ __sock_release(SOCKET_I(inode), inode);
- return 0;
- }
-
---
-2.17.1
-
diff --git a/0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch b/0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
deleted file mode 100644
index ae10a4d1a..000000000
--- a/0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From bd23a7269834dc7c1f93e83535d16ebc44b75eba Mon Sep 17 00:00:00 2001
-From: Wenwen Wang <wang6495@umn.edu>
-Date: Tue, 8 May 2018 08:50:28 -0500
-Subject: [PATCH] virt: vbox: Only copy_from_user the request-header once
-
-In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
-the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
-'version', 'size_in', and 'size_out' fields of 'hdr' are verified.
-
-Before this commit, after the checks a buffer for the entire request would
-be allocated and then all data including the verified header would be
-copied from the userspace 'arg' pointer again.
-
-Given that the 'arg' pointer resides in userspace, a malicious userspace
-process can race to change the data pointed to by 'arg' between the two
-copies. By doing so, the user can bypass the verifications on the ioctl
-argument.
-
-This commit fixes this by using the already checked copy of the header
-to fill the header part of the allocated buffer and only copying the
-remainder of the data from userspace.
-
-Signed-off-by: Wenwen Wang <wang6495@umn.edu>
-Reviewed-by: Hans de Goede <hdegoede@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/virt/vboxguest/vboxguest_linux.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c
-index 398d22693234..6e2a9619192d 100644
---- a/drivers/virt/vboxguest/vboxguest_linux.c
-+++ b/drivers/virt/vboxguest/vboxguest_linux.c
-@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct file *filp, unsigned int req,
- if (!buf)
- return -ENOMEM;
-
-- if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
-+ *((struct vbg_ioctl_hdr *)buf) = hdr;
-+ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
-+ hdr.size_in - sizeof(hdr))) {
- ret = -EFAULT;
- goto out;
- }
---
-2.17.1
-
diff --git a/Revert-the-random-series-for-4.16.4.patch b/Revert-the-random-series-for-4.16.4.patch
new file mode 100644
index 000000000..f410fd310
--- /dev/null
+++ b/Revert-the-random-series-for-4.16.4.patch
@@ -0,0 +1,160 @@
+From 5744a0927df22f46e4b7f134b3dfb405fdfcf6ce Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jeremy@jcline.org>
+Date: Wed, 2 May 2018 15:16:29 -0400
+Subject: [PATCH 1/2] Revert "random: use a different mixing algorithm for
+ add_device_randomness()"
+
+This reverts commit 89b59f050347d376c2ace8b1ceb908a218cfdc2e.
+
+Signed-off-by: Jeremy Cline <jeremy@jcline.org>
+---
+ drivers/char/random.c | 55 ++++---------------------------------------
+ 1 file changed, 4 insertions(+), 51 deletions(-)
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 8f4e11842c60..aa5b04af86c6 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -831,10 +831,6 @@ static void numa_crng_init(void)
+ static void numa_crng_init(void) {}
+ #endif
+
+-/*
+- * crng_fast_load() can be called by code in the interrupt service
+- * path. So we can't afford to dilly-dally.
+- */
+ static int crng_fast_load(const char *cp, size_t len)
+ {
+ unsigned long flags;
+@@ -861,51 +857,6 @@ static int crng_fast_load(const char *cp, size_t len)
+ return 1;
+ }
+
+-/*
+- * crng_slow_load() is called by add_device_randomness, which has two
+- * attributes. (1) We can't trust the buffer passed to it is
+- * guaranteed to be unpredictable (so it might not have any entropy at
+- * all), and (2) it doesn't have the performance constraints of
+- * crng_fast_load().
+- *
+- * So we do something more comprehensive which is guaranteed to touch
+- * all of the primary_crng's state, and which uses a LFSR with a
+- * period of 255 as part of the mixing algorithm. Finally, we do
+- * *not* advance crng_init_cnt since buffer we may get may be something
+- * like a fixed DMI table (for example), which might very well be
+- * unique to the machine, but is otherwise unvarying.
+- */
+-static int crng_slow_load(const char *cp, size_t len)
+-{
+- unsigned long flags;
+- static unsigned char lfsr = 1;
+- unsigned char tmp;
+- unsigned i, max = CHACHA20_KEY_SIZE;
+- const char * src_buf = cp;
+- char * dest_buf = (char *) &primary_crng.state[4];
+-
+- if (!spin_trylock_irqsave(&primary_crng.lock, flags))
+- return 0;
+- if (crng_init != 0) {
+- spin_unlock_irqrestore(&primary_crng.lock, flags);
+- return 0;
+- }
+- if (len > max)
+- max = len;
+-
+- for (i = 0; i < max ; i++) {
+- tmp = lfsr;
+- lfsr >>= 1;
+- if (tmp & 1)
+- lfsr ^= 0xE1;
+- tmp = dest_buf[i % CHACHA20_KEY_SIZE];
+- dest_buf[i % CHACHA20_KEY_SIZE] ^= src_buf[i % len] ^ lfsr;
+- lfsr += (tmp << 3) | (tmp >> 5);
+- }
+- spin_unlock_irqrestore(&primary_crng.lock, flags);
+- return 1;
+-}
+-
+ static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
+ {
+ unsigned long flags;
+@@ -1089,8 +1040,10 @@ void add_device_randomness(const void *buf, unsigned int size)
+ unsigned long time = random_get_entropy() ^ jiffies;
+ unsigned long flags;
+
+- if (!crng_ready() && size)
+- crng_slow_load(buf, size);
++ if (!crng_ready()) {
++ crng_fast_load(buf, size);
++ return;
++ }
+
+ trace_add_device_randomness(size, _RET_IP_);
+ spin_lock_irqsave(&input_pool.lock, flags);
+--
+2.17.0
+
+From e1b1b5b62740b0e6ea8258a4eb81b2a336538fed Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jeremy@jcline.org>
+Date: Wed, 2 May 2018 15:18:03 -0400
+Subject: [PATCH 2/2] Revert "random: fix crng_ready() test"
+
+This reverts commit cd8d7a5778a4abf76ee8fe8f1bfcf78976029f8d.
+
+Signed-off-by: Jeremy Cline <jeremy@jcline.org>
+---
+ drivers/char/random.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index aa5b04af86c6..ef05cc685b74 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -428,7 +428,7 @@ struct crng_state primary_crng = {
+ * its value (from 0->1->2).
+ */
+ static int crng_init = 0;
+-#define crng_ready() (likely(crng_init > 1))
++#define crng_ready() (likely(crng_init > 0))
+ static int crng_init_cnt = 0;
+ static unsigned long crng_global_init_time = 0;
+ #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
+@@ -838,7 +838,7 @@ static int crng_fast_load(const char *cp, size_t len)
+
+ if (!spin_trylock_irqsave(&primary_crng.lock, flags))
+ return 0;
+- if (crng_init != 0) {
++ if (crng_ready()) {
+ spin_unlock_irqrestore(&primary_crng.lock, flags);
+ return 0;
+ }
+@@ -913,7 +913,7 @@ static void _extract_crng(struct crng_state *crng,
+ {
+ unsigned long v, flags;
+
+- if (crng_ready() &&
++ if (crng_init > 1 &&
+ (time_after(crng_global_init_time, crng->init_time) ||
+ time_after(jiffies, crng->init_time + CRNG_RESEED_INTERVAL)))
+ crng_reseed(crng, crng == &primary_crng ? &input_pool : NULL);
+@@ -1200,7 +1200,7 @@ void add_interrupt_randomness(int irq, int irq_flags)
+ fast_mix(fast_pool);
+ add_interrupt_bench(cycles);
+
+- if (unlikely(crng_init == 0)) {
++ if (!crng_ready()) {
+ if ((fast_pool->count >= 64) &&
+ crng_fast_load((char *) fast_pool->pool,
+ sizeof(fast_pool->pool))) {
+@@ -2269,7 +2269,7 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
+ {
+ struct entropy_store *poolp = &input_pool;
+
+- if (unlikely(crng_init == 0)) {
++ if (!crng_ready()) {
+ crng_fast_load(buffer, count);
+ return;
+ }
+--
+2.17.0
+
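Review bot: Both commit messages in this new patch file say only `This reverts commit …`, so nothing records why the CRNG-readiness changes are backed out or what protection goes with them. With `#define crng_ready() (likely(crng_init > 0))` restored, any caller that gates on crng_ready() treats the generator as ready once crng_init reaches 1, and add_device_randomness() again hands its buffer to crng_fast_load(). The comment deleted along with crng_slow_load() explains that such a buffer may be fixed, machine-specific data such as a DMI table and should not advance crng_init_cnt. I would add a sentence to each message, for example `Carried for rhbz 1572944; crng_ready() is true again at crng_init == 1, so output may be drawn before the CRNG is fully seeded.`, and rename the file, which still says 4.16.4 although the package is now 4.17.4. The bodies of crng_fast_load() and add_device_randomness() start and end outside the quoted hunks, so whether crng_fast_load() credits this input toward initialisation should be confirmed against the full source.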
diff --git a/arm-dts-imx6qdl-udoo-Disable-usbh1-to-avoid-kernel-hang.patch b/arm-dts-imx6qdl-udoo-Disable-usbh1-to-avoid-kernel-hang.patch
deleted file mode 100644
index 1100a148a..000000000
--- a/arm-dts-imx6qdl-udoo-Disable-usbh1-to-avoid-kernel-hang.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From patchwork Thu Jan 18 12:34:18 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: ARM: dts: imx6qdl-udoo: Disable usbh1 to avoid kernel hang
-From: Fabio Estevam <fabio.estevam@nxp.com>
-X-Patchwork-Id: 10173115
-Message-Id: <1516278858-15464-1-git-send-email-fabio.estevam@nxp.com>
-To: <shawnguo@kernel.org>
-Cc: maggu2810@gmail.com, peter.chen@nxp.com, mail@maciej.szmigiero.name,
- Fabio Estevam <fabio.estevam@nxp.com>, linux-arm-kernel@lists.infradead.org
-Date: Thu, 18 Jan 2018 10:34:18 -0200
-
-Currently the kernel hangs when USB Host1 is enabled due to the lack of
-support for controlling the USB hub clock and GPIO reset line.
-
-Peter Chen has made several attempts to fix this problem, but his series
-has not been applied yet, so better disable USB host1 for now to avoid
-the kernel hang.
-
-Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
-Acked-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
-Tested-by: Markus Rathgeb <maggu2810@gmail.com>
----
- arch/arm/boot/dts/imx6qdl-udoo.dtsi | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/arm/boot/dts/imx6qdl-udoo.dtsi b/arch/arm/boot/dts/imx6qdl-udoo.dtsi
-index 4161b7d..1f0b9f6 100644
---- a/arch/arm/boot/dts/imx6qdl-udoo.dtsi
-+++ b/arch/arm/boot/dts/imx6qdl-udoo.dtsi
-@@ -274,7 +274,8 @@
- pinctrl-0 = <&pinctrl_usbh>;
- vbus-supply = <&reg_usb_h1_vbus>;
- clocks = <&clks IMX6QDL_CLK_CKO>;
-- status = "okay";
-+ /* currently USB support causes a kernel hang. Disable it for now */
-+ status = "disabled";
- };
-
- &usdhc3 {
diff --git a/bcm283x-clk-audio-fixes.patch b/bcm283x-clk-audio-fixes.patch
deleted file mode 100644
index 03369ccdb..000000000
--- a/bcm283x-clk-audio-fixes.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 1b6867ee05d84cc6ec23b5ec0b78684187d3190a Mon Sep 17 00:00:00 2001
-From: Boris Brezillon <boris.brezillon@bootlin.com>
-Date: Wed, 7 Mar 2018 15:41:14 +0100
-Subject: [PATCH] clk: bcm2835: Make sure the PLL is gated before changing its
- rate
-
-All bcm2835 PLLs should be gated before their rate can be changed.
-Setting CLK_SET_RATE_GATE will let the core enforce that, but this is
-not enough to make the code work in all situations. Indeed, the
-CLK_SET_RATE_GATE flag prevents a user from changing the rate while
-the clock is enabled, but this check only guarantees there's no Linux
-users. In our case, the clock might have been enabled by the
-bootloader/FW, and, because we have CLK_IGNORE_UNUSED set, Linux never
-disables the PLL. So we have to make sure the PLL is actually disabled
-before changing the rate.
-
-Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks")
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
----
- drivers/clk/bcm/clk-bcm2835.c | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
-index 6c5d4a8e426c..051ce769c109 100644
---- a/drivers/clk/bcm/clk-bcm2835.c
-+++ b/drivers/clk/bcm/clk-bcm2835.c
-@@ -678,6 +678,18 @@ static int bcm2835_pll_set_rate(struct clk_hw *hw,
- u32 ana[4];
- int i;
-
-+ /*
-+ * Normally, the CLK_SET_RATE_GATE flag prevents a user from changing
-+ * the rate while the clock is enabled, but this check only makes sure
-+ * there's no Linux users.
-+ * In our case, the clock might have been enabled by the bootloader/FW,
-+ * and, since CLK_IGNORE_UNUSED flag is set, Linux never disables it.
-+ * So we have to make sure the clk is actually disabled before changing
-+ * the rate.
-+ */
-+ if (bcm2835_pll_is_on(hw))
-+ bcm2835_pll_off(hw);
-+
- if (rate > data->max_fb_rate) {
- use_fb_prediv = true;
- rate /= 2;
-@@ -1318,7 +1330,7 @@ static struct clk_hw *bcm2835_register_pll(struct bcm2835_cprman *cprman,
- init.num_parents = 1;
- init.name = data->name;
- init.ops = &bcm2835_pll_clk_ops;
-- init.flags = CLK_IGNORE_UNUSED;
-+ init.flags = CLK_IGNORE_UNUSED | CLK_SET_RATE_GATE;
-
- pll = kzalloc(sizeof(*pll), GFP_KERNEL);
- if (!pll)
diff --git a/kernel.spec b/kernel.spec
index 13ff384f7..f12fbb288 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -58,7 +58,7 @@ Summary: The Linux kernel
%define stable_rc 0
# Do we have a -stable update to apply?
-%define stable_update 3
+%define stable_update 4
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -600,9 +600,6 @@ Patch304: ACPI-irq-Workaround-firmware-issue-on-X-Gene-based-m400.patch
# https://patchwork.kernel.org/patch/9820417/
Patch305: qcom-msm89xx-fixes.patch
-# https://patchwork.kernel.org/patch/10173115/
-Patch306: arm-dts-imx6qdl-udoo-Disable-usbh1-to-avoid-kernel-hang.patch
-
# https://marc.info/?l=linux-kernel&m=152328880417846&w=2
Patch307: arm64-thunderx-crypto-zip-fixes.patch
@@ -626,8 +623,6 @@ Patch312: arm64-msm8916-fix-gic_irq_domain_translate-warnings.patch
# https://patchwork.kernel.org/patch/10133165/
Patch313: mvebu-a37xx-fixes.patch
-Patch324: bcm283x-clk-audio-fixes.patch
-
# Enabling Patches for the RPi3+
Patch330: bcm2837-rpi-initial-3plus-support.patch
Patch332: bcm2837-enable-pmu.patch
@@ -650,9 +645,6 @@ Patch503: kexec-bzimage-verify-pe-signature-fix.patch
# https://www.spinics.net/lists/linux-acpi/msg82405.html
Patch504: mailbox-ACPI-erroneous-error-message-when-parsing-ACPI.patch
-# CVE-2018-12232 rhbz 1590215 1590216
-Patch506: 0001-socket-close-race-condition-between-sock_close-and-s.patch
-
# https://www.spinics.net/lists/platform-driver-x86/msg15719.html
Patch507: platform-x86-dell-laptop-Fix-keyboard-backlight-time.patch
@@ -668,18 +660,12 @@ Patch509: rtc-nvmem-don-t-return-an-error-when-not-enabled.patch
Patch510: 1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch
Patch511: 2-2-xen-netfront-Update-features-after-registering-netdev.patch
-# CVE-2018-12633 rhbz 1594170 1594172
-Patch512: 0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
-
-# rhbz 1590304
-Patch513: 0001-media-uvcvideo-Prevent-setting-unavailable-flags.patch
-
-# rhbz 1592454
-Patch514: 0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
-
# rhbz 1591516
Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch
+# rhbz 1572944
+Patch517: Revert-the-random-series-for-4.16.4.patch
+
# END OF PATCH DEFINITIONS
%endif
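Review bot: Nothing in the spec or the new changelog entries records that the fixes for CVE-2018-12633 (`Patch512`, removed here) and CVE-2018-12232 (`Patch506`, removed in the preceding hunk) are still present in the build. Presumably they are dropped because the stable update now applied already contains them, but that cannot be confirmed from this page. Once verified, a changelog line such as `- Drop CVE-2018-12232 and CVE-2018-12633 patches, now in the stable update` would make the security status auditable. The only addition, `Patch517`, is annotated with just `# rhbz 1572944`; a comment like `# rhbz 1572944 - reverts the CRNG init changes, see patch description` would mark it as a security-relevant revert for whoever next rebases the spec.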
@@ -1932,6 +1918,19 @@ fi
#
#
%changelog
+* Tue Jul 03 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.4-100
+- Linux v4.17.4
+
+* Fri Jun 29 2018 Jeremy Cline <jeremy@jcline.org>
+- Revert the CRNG init patches (rhbz 1572944)
+
+* Thu Jun 28 2018 Jeremy Cline <jeremy@jcline.org>
+- Fix CVE-2018-12714 (rhbz 1595835 1595837)
+
+* Tue Jun 26 2018 Jeremy Cline <jcline@redhat.com> - 4.17.3-100
+- Linux v4.17.3
+- Don't log an error if RTC_NVMEM isn't enabled (rhbz 1568276)
+
* Mon Jun 25 2018 Laura Abbott <labbott@fedoraproject.org>
- Some webcam fixes (rhbz 1592454 1590304)
- Fix for armv7 siginfo ABI regression (rhbz 1591516)
diff --git a/sources b/sources
index 94d4bc7a4..b2a4a031d 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db
-SHA512 (patch-4.17.3.xz) = c0b3dfb1c1d64edc74cb3b35a4d6160ccf80b5b58d19e5a11dde372ab515c350576f8981b3816e4e8689da38b792eb85b3ef46581d65d7c51c72943dea7409f4
+SHA512 (patch-4.17.4.xz) = 0a9f976e7cf2c2cc9ba29b5eb45a6b9722059674efa99153bf449537e022426138a0848cfdb69e1df4a1a3b71ee7c9de92b4086799d0e15f44f8356b2fd63754